2017-05-15 15:40:12 +02:00
|
|
|
|
----------------------- REVIEW 1 ---------------------
|
|
|
|
|
TITLE: Refreshing Coins for Giving Change and Refunds in Chaum-style Anonymous Payment Systems
|
|
|
|
|
|
|
|
|
|
----------- Overall evaluation -----------
|
2017-05-17 14:55:30 +02:00
|
|
|
|
This paper proposes an anonymous payment system called Taler, based on the
|
|
|
|
|
Chaum’s blind signature scheme. Taler employs a new refresh protocol that
|
|
|
|
|
allows fractional payments and refunds while providing the unlinkability and
|
|
|
|
|
untraceability. The refresh protocol uses the cut-and-choose technique to
|
2017-05-18 09:35:16 +02:00
|
|
|
|
assure that the protocol is not abused for evading taxation.
|
2017-05-15 15:40:12 +02:00
|
|
|
|
|
2017-05-17 14:55:30 +02:00
|
|
|
|
Comment: The correctness of the refresh protocol does not hold. The \bar{B(i)}
|
|
|
|
|
computed by the exchange is not equal to B(i) computed by the honest customer,
|
|
|
|
|
as \bar{Cp(i)} is not equal to FDHK(Cp(i)).
|
2017-05-15 15:40:12 +02:00
|
|
|
|
|
2017-05-17 14:55:30 +02:00
|
|
|
|
> This was a simple typo that is fixed now
|
|
|
|
|
|
|
|
|
|
This paper does not provide a security proof or even an informal security
|
|
|
|
|
analysis for the proposed anonymous payment system Taler, such that Taler may
|
|
|
|
|
be insecure.
|
|
|
|
|
|
|
|
|
|
> We added a section with proofs
|
|
|
|
|
|
|
|
|
|
I find two (possible) attacks against the refresh protocol. As the
|
2017-05-18 15:05:28 +02:00
|
|
|
|
exchange does not check the validity of the public key Cp', the attacker can
|
2017-05-17 14:55:30 +02:00
|
|
|
|
send an arbitrary public key to the exchange that will accept, and obtain a
|
|
|
|
|
fresh coin. The attacker can spend partially a coin multiple times via
|
|
|
|
|
refreshing the coin and obtaining a fresh coin in turn, as the refresh protocol
|
|
|
|
|
only transforms a dirty coin into a fresh coin with the same denomination. The
|
|
|
|
|
misbehavior will not be detected by the exchange, as the fresh coin is
|
|
|
|
|
unlinkable to the original coin.
|
|
|
|
|
|
2017-05-18 14:50:06 +02:00
|
|
|
|
> When refreshing a coin, the old coin is obviously marked as spent.
|
2017-05-17 14:55:30 +02:00
|
|
|
|
> This attack is based on a misunderstanding of refreshing.
|
|
|
|
|
|
|
|
|
|
The implementation of Taler in this paper is
|
|
|
|
|
unclear. For example! , the security level, the RSA modulus, and the elliptic
|
2017-05-17 15:17:53 +02:00
|
|
|
|
curve etc. are not described.
|
|
|
|
|
|
2017-05-18 09:35:16 +02:00
|
|
|
|
> The RSA modulus length is freely configurable, the specific RSA modulus
|
|
|
|
|
> (n) will change between different denominations. For the experiments
|
|
|
|
|
> we used RSA 1024, but there keys only live for like a week; for deployments
|
|
|
|
|
> with a longer lifetime, it likely makes sense to use a larger key size.
|
|
|
|
|
> The elliptic curves are given and referenced in the paper, namely Ed25519
|
|
|
|
|
> (used for all signatures) and Curve25519 (ECDHE, in refreshing).
|
2017-05-17 15:17:53 +02:00
|
|
|
|
|
|
|
|
|
Moreover, the average time of the withdrawal, spending, refreshing protocols
|
|
|
|
|
are not provided. The authors also do not compare Taler with other known
|
2017-05-18 09:35:16 +02:00
|
|
|
|
anonymous payment systems. Thus, the efficiency of Taler is unclear.
|
2017-05-17 15:17:53 +02:00
|
|
|
|
|
|
|
|
|
> In our "Experimental Results" section we mention that local processing
|
|
|
|
|
> of requests happens in the order of a few milliseconds.
|
|
|
|
|
> Comparing Taler to other e-cash systems experimentally is impossible,
|
|
|
|
|
> since their implementation is not available.
|
2017-05-18 09:35:16 +02:00
|
|
|
|
> Comparing Taler to blockchain-based solutions is comparing apples and
|
|
|
|
|
> oranges, and blockchain-based solutions are many (10^8?) orders of magnitude
|
|
|
|
|
> slower.
|
2017-05-17 14:55:30 +02:00
|
|
|
|
|
|
|
|
|
Additional Comment: The description of the protocols of Taler omits many
|
|
|
|
|
details. In particular, the authors should describe in detail how the refunds
|
|
|
|
|
are executed using the refresh protocol, as the authors claim that the refresh
|
2017-05-17 15:23:26 +02:00
|
|
|
|
protocol allows refunds as a contribution.
|
|
|
|
|
|
|
|
|
|
> We added more material on refunds
|
|
|
|
|
|
|
|
|
|
Furthermore, the authors should interpret the notation FDHK, and cite the
|
2017-05-18 09:35:16 +02:00
|
|
|
|
reference for EdDSA.
|
|
|
|
|
|
|
|
|
|
> We added FDH_K to the notation list.
|
|
|
|
|
> We added citations for EdDSA.
|
|
|
|
|
|
|
|
|
|
The title of Subsection 3.1 may be misleading, as this
|
2017-05-17 15:23:26 +02:00
|
|
|
|
subsection does not describe the security model. The authors should rename the
|
2017-05-18 09:35:16 +02:00
|
|
|
|
title.
|
|
|
|
|
|
|
|
|
|
> We changed the title.
|
|
|
|
|
|
|
|
|
|
The “We have computed Li…” in Subsection 4.3 should be L(i).
|
2017-05-17 15:23:26 +02:00
|
|
|
|
|
2017-05-18 09:35:16 +02:00
|
|
|
|
> Li-typo was fixed.
|
2017-05-15 15:40:12 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
----------------------- REVIEW 2 ---------------------
|
|
|
|
|
TITLE: Refreshing Coins for Giving Change and Refunds in Chaum-style Anonymous Payment Systems
|
|
|
|
|
|
|
|
|
|
----------- Overall evaluation -----------
|
2017-05-17 14:55:30 +02:00
|
|
|
|
This paper proposes a new e-cash, named Taler, where the bank (or else called
|
|
|
|
|
exchange) is online during the spending protocol to allow for double-spending
|
|
|
|
|
detection. Taler allows for spending coins of various denominations by allowing
|
|
|
|
|
a user to only spend a value v1<V (where V is the value of the withdrawn coin)
|
|
|
|
|
and then exchange the remaining value for a new, fresh coin, of value V-v1. The
|
|
|
|
|
proposed scheme is different compared to Chaum e-cash: in Taler coins are pairs
|
|
|
|
|
of pk/sk keys where the public key has been signed by the bank/exchange while
|
|
|
|
|
in typical Chaum e-cash coins are represented by unique serial numbers.
|
2017-05-15 15:40:12 +02:00
|
|
|
|
|
|
|
|
|
|
2017-05-17 14:55:30 +02:00
|
|
|
|
Although the proposed system is hiding some interesting ideas, I think it
|
|
|
|
|
cannot be accepted for publication at the moment. First and most importantly
|
|
|
|
|
the current version of the paper lacks any level of analysis (not even
|
|
|
|
|
informal) of the security level that system achieves. In fact, what security
|
|
|
|
|
means has not been defined even in an informal lever. Moreover, as I better
|
|
|
|
|
explain in my specific comments below there seem to be some issues with both
|
|
|
|
|
security and anonymity (linking different uses of same coin, ensuring coin
|
|
|
|
|
refreshing happens for the correct value). Finally, the description of the
|
|
|
|
|
protocols has quite a few inconsistencies (details below): there are parts that
|
|
|
|
|
seem unnecessary and others that are not properly defined/explained, notation
|
|
|
|
|
is also very overloaded (there is a 2 page notation table!).
|
2017-05-15 15:40:12 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Specific comments:
|
|
|
|
|
|
2017-05-17 15:25:25 +02:00
|
|
|
|
- I would expect the “Security Model” section (Section 1.3) to actually explain
|
|
|
|
|
(even in an informal way) the desired properties of the proposed scheme.
|
|
|
|
|
These should include double-spending detection security, unforgeability, user
|
|
|
|
|
anonymity and more importantly the new type of security introduced by coin
|
|
|
|
|
refresh (this should be a property that guarantees that a user cannot re-fresh
|
|
|
|
|
a coin for value more than the one that the “dirty” coin is carrying) Instead
|
|
|
|
|
it just mentions some of the tools used in the proposed scheme (i.e. FDH
|
|
|
|
|
signatures, cut-and-choose and what kind of security they offer).
|
|
|
|
|
|
2017-05-17 16:14:53 +02:00
|
|
|
|
> We added a section with that goes deeper into properties and proofs
|
|
|
|
|
|
2017-05-17 15:25:25 +02:00
|
|
|
|
- Related work missing: there has been previous work in “payments with
|
|
|
|
|
refunds”. Please look at Rupp et al “P4R: Privacy-Preserving Pre-Payments
|
|
|
|
|
with Refunds for Transportation Systems” where instead of refreshing coins, the
|
|
|
|
|
unused amount is accumulated in some token that can later be used. How would
|
|
|
|
|
you compare with that system?
|
|
|
|
|
|
2017-05-17 16:14:53 +02:00
|
|
|
|
> We added this to the related work, main problem with this work is that it is
|
2017-05-18 09:35:16 +02:00
|
|
|
|
> limited to/meant for public transportation systems. For general payments,
|
2017-05-17 16:14:53 +02:00
|
|
|
|
> their refund can be abused to create transactions that are not
|
|
|
|
|
> taxable.
|
|
|
|
|
|
2017-05-17 15:25:25 +02:00
|
|
|
|
- Found the discussion on Bitcoin too long and unnecessary - the proposed
|
|
|
|
|
system is not decentralized anyway
|
|
|
|
|
|
2017-05-18 09:35:16 +02:00
|
|
|
|
> Correct, but we constantly find people thinking Taler is a crypto-currency,
|
|
|
|
|
> so for some readers it is important to point out the differences.
|
|
|
|
|
> We have tried to keep the discussion short.
|
2017-05-17 16:14:53 +02:00
|
|
|
|
|
2017-05-17 15:25:25 +02:00
|
|
|
|
- Referencing a system (Goldberg’s HINDE) that is not published makes
|
2017-05-18 09:35:16 +02:00
|
|
|
|
impossible for the reviewer to check any arguments.
|
2017-05-17 15:25:25 +02:00
|
|
|
|
|
2017-05-17 16:14:53 +02:00
|
|
|
|
> In an earlier submission, a reviever insisted that this reference
|
|
|
|
|
> be added.
|
|
|
|
|
|
2017-05-17 15:25:25 +02:00
|
|
|
|
- Section 4.1, step 1: is W_p = w_s * G? Also where is blinding factor b
|
|
|
|
|
selected from? What does it mean to “commit to disk”? The customer commits
|
|
|
|
|
and keeps the commitment local? Where is this used?
|
|
|
|
|
|
2017-05-17 16:31:41 +02:00
|
|
|
|
> Yes, juxtaposition denotes multiplication. "commit to disk" has been
|
|
|
|
|
> changed to "persist", the customer must persis the value before making the
|
|
|
|
|
> bank transaction, so that they don't lose their reserve key should the system
|
2017-05-18 14:24:22 +02:00
|
|
|
|
> crash.
|
|
|
|
|
> We added some clarification about to where random values are selected from.
|
2017-05-17 16:31:41 +02:00
|
|
|
|
|
2017-05-17 15:25:25 +02:00
|
|
|
|
- Section 4.1, step 3, what is the key K used in FDH? Also is S_w(B) a standard
|
|
|
|
|
signature?
|
|
|
|
|
|
2017-05-17 17:02:32 +02:00
|
|
|
|
> The "K" here means that the domain of the full domain hash is the
|
2017-05-18 14:50:06 +02:00
|
|
|
|
> modulus of the RSA public key K_v of the key pair K.
|
2017-05-17 17:02:32 +02:00
|
|
|
|
|
2017-05-17 15:25:25 +02:00
|
|
|
|
- Section 4.1, step 4, How can the exchange know that this was indeed a new
|
|
|
|
|
withdrawal request? If a new blinding factor b is used, then a customer can
|
|
|
|
|
create multiple “freshly” looking requests for the same C_p. (Also a minor
|
|
|
|
|
point: 2nd line also reads as “if the same withdrawal request was issued before
|
|
|
|
|
the exchange will send S_K(B)”
|
|
|
|
|
|
2017-05-17 16:53:36 +02:00
|
|
|
|
> We added some clarification that the exchange looks up if the request
|
|
|
|
|
> already exists in their database.
|
|
|
|
|
|
2017-05-17 15:25:25 +02:00
|
|
|
|
- Section 4.2, it seems that a customer can use a coin of value say $10 to
|
|
|
|
|
multiple transactions of <= $10 in total. I.e. it can first a pay a merchant
|
|
|
|
|
M1 $2 and then a merchant M2 another $5 dollars. In that case the exchange can
|
|
|
|
|
link those two payments together. Sure, it might not know who is the owner of
|
|
|
|
|
the coin (i.e. cannot link with withdrawal) but this is still an anonymity
|
|
|
|
|
problem.
|
|
|
|
|
|
2017-05-18 14:50:06 +02:00
|
|
|
|
> Yes, this is why the wallet refreshes a partially spend coin before
|
|
|
|
|
> reusing it, although a user who did not care about their anonymity
|
|
|
|
|
> could change that.
|
2017-05-17 17:02:32 +02:00
|
|
|
|
|
2017-05-17 15:25:25 +02:00
|
|
|
|
- Section 4.3, doesn’t seem very fair to compare with Zcash or at least it
|
|
|
|
|
should be highlighted that a quite weaker level of anonymity is achieved.
|
|
|
|
|
|
2017-05-18 14:50:06 +02:00
|
|
|
|
> We added remarks on the level of anonymity that Zerocash achieves.
|
|
|
|
|
> We suspect Zerocash's inherent scaling issues limit its anonymity
|
|
|
|
|
> for normal purchases, as compaired to that a large Taler exchange
|
|
|
|
|
> provides. We mention that Zerocash is likely to provide better
|
|
|
|
|
> anonymtiy for large transactions that do not need to be cashed out.
|
2017-05-17 16:14:53 +02:00
|
|
|
|
|
2017-05-17 15:25:25 +02:00
|
|
|
|
- Section 4.3, step 1, where is the key t_s^(i) selected from? What does S_{C’}
|
|
|
|
|
denotes? Is that a commitment (as noted in the text) or a signature (as noted
|
2017-05-18 09:35:16 +02:00
|
|
|
|
in notation table?).
|
2017-05-17 15:25:25 +02:00
|
|
|
|
|
2017-05-18 14:24:22 +02:00
|
|
|
|
> We clarified what t_s^(i) is.
|
2017-05-17 17:02:32 +02:00
|
|
|
|
> S_{C’} is a signature made with private key C’_p, what we sign
|
|
|
|
|
> over is the commitment.
|
|
|
|
|
|
2017-05-17 15:25:25 +02:00
|
|
|
|
- Section 4.3 In this protocol I would expect the customer to somehow “prove”
|
|
|
|
|
to the exchange what is the remaining value of the dirty coin. I do not see
|
|
|
|
|
this happening. How does this part of the protocol ensure that a user cannot
|
|
|
|
|
just refresh a coin for one of a much bigger value than the remaining one?
|
2017-05-15 15:40:12 +02:00
|
|
|
|
|
2017-05-17 16:14:53 +02:00
|
|
|
|
> The exchange records spent coins (with the amount spent) in it's database.
|
|
|
|
|
> When refreshing a coin, the customer must reveal the coin's (unblinded)
|
|
|
|
|
> public key to the exchange, which will then set the remaining value
|
|
|
|
|
> of the coin to zero in it's database. The new coin is now allowed
|
|
|
|
|
> to exceed the old coin in value.
|
|
|
|
|
|
2017-05-15 15:40:12 +02:00
|
|
|
|
|
|
|
|
|
----------------------- REVIEW 3 ---------------------
|
|
|
|
|
PAPER: 46
|
|
|
|
|
TITLE: Refreshing Coins for Giving Change and Refunds in Chaum-style Anonymous Payment Systems
|
|
|
|
|
|
|
|
|
|
----------- Overall evaluation -----------
|
|
|
|
|
The paper introduces a variant's of Chaum's e-cash scheme (with an
|
|
|
|
|
on-line bank); the main novelty is a "refresh" protocol which enables
|
|
|
|
|
a user to exchange a coin for a new blinded one. The reason for
|
|
|
|
|
wanting this features is that it enables refunds from a merchant that
|
|
|
|
|
later can be refreshed into "clean" coins that are unlinkable to the
|
|
|
|
|
refunded coins. The protocol is based on what appears to be a standard
|
|
|
|
|
cut-and-choose approach, which does not appear to be particularly
|
2020-07-22 23:56:52 +02:00
|
|
|
|
novel. On the positive side, the problem appears a natural and if it
|
2017-05-15 15:40:12 +02:00
|
|
|
|
hasn't been done before certainly useful. On the negative side, since
|
|
|
|
|
the paper does not contain any formal definitions, or even semi-formal
|
|
|
|
|
specifications of the desiderata, it is very hard to understand what
|
2020-07-22 23:56:52 +02:00
|
|
|
|
actually is achieved. Furthermore, no proofs of security are given,
|
2017-05-15 15:40:12 +02:00
|
|
|
|
and even the protocol is hard to fully understand. As such, I would
|
|
|
|
|
suggest the authors to first formalize their approach and
|
|
|
|
|
resubmitting.
|
2017-05-17 16:14:53 +02:00
|
|
|
|
|
|
|
|
|
> We added a section with proofs
|