From 5ea3021e827f2186731e04b9805ae3a31482e47f Mon Sep 17 00:00:00 2001
From: Christian Grothoff <christian@grothoff.org>
Date: Tue, 16 May 2017 11:24:50 +0200
Subject: add ownership transfer corollary

---
 doc/paper/taler.tex | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

(limited to 'doc/paper')

diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index 9fc5df4f1..9d787bede 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -1422,10 +1422,10 @@ exchange.
 
 \begin{theorem}
 Let $C$ denote a coin controlled by users Alice and Bob.
-Suppose Bob creates a coin $C'$ from $C$ using the refresh protocol.
+Suppose Bob creates a coin $C'$ from $C$ following the refresh protocol.
 Assuming the exchange and Bob operated the refresh protocol correctly,
-and that they continue to operate the linking protocol
- \S\ref{subsec:linking} correctly,
+and that the exchange continues to operate the linking protocol
+(\S\ref{subsec:linking}) correctly,
 then Alice can gain control of $C'$ using the linking protocol.
 \end{theorem}
 
@@ -1442,7 +1442,10 @@ for the residual value on $C'$ and runs the linking protocol to
 determine if it was refreshed too.
 \end{proof}
 
-At a result, there is no way for a user to loose control over a coin,
+\begin{corollary}
+  Abusing the refresh protocol to transfer ownership has an
+  expected loss of $1 - \frac{1}{\kappa}$ of the transaction value.
+\end{corollary}
 
 
 \section{Privacy arguments}
-- 
cgit v1.2.3