Security Proof Improvements #96

nothingmuch opened this issue Jan 27, 2021 · 1 comment
nothingmuch commented Jan 27, 2021

We have a few gaps in the security proofs that should ideally be closed:

  • MAC_GGM security is based on stronger assumptions than standard ones, and precludes adaptive adversaries; see @AdamISZ's blog post for more discussion
  • proof of unlinkability between issuance and presentation for the serial number with Ruben's optimization; this should be trivial with the same approach as the proof of unlinkability in CPZ19
  • proof that the serial number is binding; again, this seems straightforward
  • proof of unlinkability of amounts, see Jonas's attack (Clarifying the Balance Proof #40)

Is any other formalism needed for privacy?

@seresistvanandras
Contributor

I have an upcoming deadline at the end of February, but I would also like to spend some time on these questions afterwards. Especially, MAC_GGM bugs me. It would be super cool if we could base the security of our used MAC not on the generic group model (GGM), but on a more solid cryptographic assumption. Certain constructions proven to be secure in the GGM can turn out to be really just snake-oil. Generally speaking, security proofs in the GGM should be taken with a grain of salt.
