exchange/doc/paper/taler.tex

1455 lines
75 KiB
TeX
Raw Normal View History

2015-09-26 16:57:16 +02:00
% RMS wrote:
%The text does not mention GNU anywhere. This paper is an opportunity
%to make people aware of GNU, but the current text fails to use the
%opportunity.
%
%It should say that Taler is a GNU package.
%
%I suggest using the term "GNU Taler" in the title, once in the
%abstract, and the first time the name is mentioned in the body text.
%In the body text, it can have a footnote with more information
%including a reference to http://gnu.org/gnu/the-gnu-project.html.
%
%At the top of page 3, where it says "a free software implementation",
%it should add "(free as in freedom)", with a reference to
%http://gnu.org/philosophy/free-sw.html and
%http://gnu.org/philosophy/free-software-even-more-important.html.
%
%Would you please include these things in every article or posting?
%
% CG adds:
% We SHOULD do this for the FINAL paper, not for the anon submission.
2015-01-08 18:37:20 +01:00
\documentclass{llncs}
%\usepackage[margin=1in,a4paper]{geometry}
\usepackage[T1]{fontenc}
\usepackage{palatino}
\usepackage{xspace}
\usepackage{microtype}
2015-09-24 12:26:08 +02:00
\usepackage{tikz,eurosym}
2015-01-08 18:37:20 +01:00
\usepackage{amsmath,amssymb}
\usepackage{enumitem}
\usetikzlibrary{shapes,arrows}
\usetikzlibrary{positioning}
\usetikzlibrary{calc}
2015-09-16 09:37:47 +02:00
% Relate to:
% http://fc14.ifca.ai/papers/fc14_submission_124.pdf
2015-01-08 18:37:20 +01:00
% Terminology:
% - SEPA-transfer -- avoid 'SEPA transaction' as we use
% 'transaction' already when we talk about taxable
% transfers of Taler coins and database 'transactions'.
% - wallet = coins at customer
2016-03-01 15:21:30 +01:00
% - reserve = currency entrusted to exchange waiting for withdrawal
% - deposit = SEPA to exchange
% - withdrawal = exchange to customer
2015-01-08 18:37:20 +01:00
% - spending = customer to merchant
2016-03-01 15:21:30 +01:00
% - redeeming = merchant to exchange (and then exchange SEPA to merchant)
% - refreshing = customer-exchange-customer
2015-01-08 18:37:20 +01:00
% - dirty coin = coin with exposed public key
% - fresh coin = coin that was refreshed or is new
2016-03-01 15:21:30 +01:00
% - coin signing key = exchange's online key used to (blindly) sign coin
% - message signing key = exchange's online key to sign exchange messages
% - exchange master key = exchange's key used to sign other exchange keys
2015-01-08 18:37:20 +01:00
% - owner = entity that knows coin private key
% - transaction = coin ownership transfer that should be taxed
% - sharing = coin copying that should not be taxed
\title{Taler: Taxable Anonymous Libre Electronic Reserves}
\begin{document}
\mainmatter
%\author{Florian Dold \and Sree Harsha Totakura \and Benedikt M\"uller \and Christian Grothoff}
%\institute{The GNUnet Project}
\maketitle
\begin{abstract}
This paper introduces Taler, a Chaum-style digital currency using
blind signatures that enables anonymous payments while ensuring that
entities that receive payments are auditable and thus taxable. Taler
differs from Chaum's original proposal in that customers can never
defraud anyone, merchants can only fail to deliver the merchandise to
2016-03-01 15:21:30 +01:00
the customer, and exchanges can be fully audited. Consequently,
enforcement of honest behavior is better and more timely than with
Chaum, and is at least as strict as with legacy credit card payment
systems that do not provide for privacy. Furthermore, Taler allows
fractional payments, and even in this case is still able to guarantee
unlinkability of transactions via a new coin refreshing protocol. We
argue that Taler provides a secure digital currency for modern liberal
societies as it is a flexible, libre and efficient protocol and
adequately balances the state's need for monetary control with the
citizen's needs for private economic activity.
2015-01-08 18:37:20 +01:00
\end{abstract}
\section{Introduction}
The design of payment systems shapes economies and societies.
Strong, developed nation states are evolving towards transparent
payment systems, such as the MasterCard and VisaCard credit card
schemes and computerized bank transactions such as SWIFT.
These systems enable mass surveillance by both governments and
private companies, chilling customer activity \cite{???}.
Aspects of this government control benifit the economy, by enabling
taxation. Also, bribery and corruption are limited to elites who
can afford to escape the dragnet.
At the other extreme, weaker developing nation states have economic
activity based largely on coins, paper money or even barter.
Here, the state is often unable to effectively monitor or tax economic
activity, and this limits the ability of the state to shape the society.
As bribery is virtually impossible to detect, corruption is widespread
and not limited to social elites.
%
2015-01-08 18:37:20 +01:00
ZeroCoin~\cite{miers2013zerocoin} is an example for translating such
an economy into the digital realm.
% FIXME: Unclear referee comment :
% I didnt understand why ZeroCoin is particularly suited for
% developing nations?
2015-01-08 18:37:20 +01:00
This paper describes Taler, a simple and practical payment system for
2015-09-28 15:49:38 +02:00
a modern social-liberal society, which is not being served well by
current payment systems which enable either an authoritarian state in
total control of the population, or create weak states with almost
anarchistic economies.
The Taler protocol is heavily based on ideas from
2015-09-24 12:26:08 +02:00
Chaum~\cite{chaum1983blind} and also follows Chaum's basic architecture of
customer, merchant and exchange (Figure~\ref{fig:cmm}),
which Chaum termed the mint.
The two designs share the key first step where the {\em customer}
withdraws digital {\em coins} from the {\em exchange} with unlinkability
provided via blind signatures. The coins can then be spent at a
{\em merchant} who {\em deposits} them at the exchange.
Taler uses online detection of double-spending, thus assuring the merchant
instantly that a transaction is valid.
\begin{figure}[h]
\centering
\begin{tikzpicture}
\tikzstyle{def} = [node distance= 5em and 7em, inner sep=1em, outer sep=.3em];
\node (origin) at (0,0) {};
2016-03-01 15:21:30 +01:00
\node (exchange) [def,above=of origin,draw]{Exchange};
\node (customer) [def, draw, below left=of origin] {Customer};
\node (merchant) [def, draw, below right=of origin] {Merchant};
\node (auditor) [def, draw, above right=of origin]{Auditor};
\tikzstyle{C} = [color=black, line width=1pt]
2016-03-01 15:21:30 +01:00
\draw [<-, C] (customer) -- (exchange) node [midway, above, sloped] (TextNode) {withdraw coins};
\draw [<-, C] (exchange) -- (merchant) node [midway, above, sloped] (TextNode) {deposit coins};
\draw [<-, C] (merchant) -- (customer) node [midway, above, sloped] (TextNode) {spend coins};
2016-03-01 15:21:30 +01:00
\draw [<-, C] (exchange) -- (auditor) node [midway, above, sloped] (TextNode) {verify};
\end{tikzpicture}
\caption{Taler's system model for the payment system is based on Chaum~\cite{chaum1983blind}.}
\label{fig:cmm}
\end{figure}
Taler was designed for use in a modern social-liberal society, which we
believe needs a payment system with the following properties:
2015-01-08 18:37:20 +01:00
\begin{description}
2015-10-08 20:47:17 +02:00
\item[Customer Anonymity]
2016-03-01 15:21:30 +01:00
It must be impossible for exchanges, merchants and even a global active
2015-10-08 20:47:17 +02:00
adversary, to trace the spending behavior of a customer.
\item[Unlinkability]
As a strong form of customer anonymity, it must be infeasible to
link a set of transactions to the same (anonymous) customer.
%, even when taking aborted transactions into account.
2015-10-08 20:47:17 +02:00
\item[Taxability]
In many current legal systems, it is the responsibility of the merchant
to deduct sales taxes from purchases made by customers, or for workers
to pay income taxes for payments received for work.
%Taxation is necessary for the state to
2015-01-08 18:37:20 +01:00
%provide legitimate social functions, such as education. Thus, a payment
%system must facilitate sales, income and transaction taxes.
2015-10-08 20:47:17 +02:00
This requires that merchants are easily identifiable and that
an audit trail is always generated, so that the state can ensure that its
taxation regime is obeyed.
2015-10-08 20:47:17 +02:00
\item[Verifiability]
The payment system should try to minimize the trust necessary between
the participants. In particular, digital signatures should be used,
2015-10-08 20:47:17 +02:00
and retained, whenever they would play a role in resolving disputes. % between the involved parties.
Nevertheless, customers must never be able to defraud anyone, and
merchants must at best be able to defraud their customers by not
delivering on the agreed contract. Neither merchants nor customers
should ever be able to commit fraud against the exchange.
In addition, both customers and merchants should receive cryptographic
proofs of bad behavior in case of protocol violations by the exchange.
In this way, only the exchange needs be tightly audited and regulated.
2016-03-01 15:21:30 +01:00
The design must make it easy to audit the finances of the exchange.
% \item[Ease of Deployment] %The system should be easy to deploy for
2015-01-08 18:37:20 +01:00
% real-world applications. In order to lower the entry barrier and
% acceptance of the system, a gateway to the existing financial
% system should be provided, i.e. by integrating internet-banking
% protocols such as HBCI/FinTAN.
% The protocol should
% be able to run easily over HTTP(S).
\item[No speculation] % It's actually "Specualtion not required"
The digital coins should be denominated in existing currencies,
such as EUR or USD, to avoid exposing citizens to unnecessary risks
from currency fluctuations.
Moreover, the system must have an open protocol specification and
a free software reference implementation.
2015-10-08 20:47:17 +02:00
\item[Low resource consumption]
In order to minimize the operating costs and environmental impact of
the payment system, it should avoid the reliance on expensive or
``wasteful'' computations, such as proof-of-work.
2015-10-08 20:47:17 +02:00
\item[Fractional payments]
The payment system needs to handle both small and large payments in
an efficient and reliable manner. It is inefficient to simply issue
coins in the smallest unit of currency, so instead a mechanism to
give {\em change} should be provided to ensure that customers with
sufficient total funds can always spend them.
2015-01-08 18:37:20 +01:00
\end{description}
%
We give a concise example of how these properties interact:
2015-10-08 20:47:17 +02:00
A customer may want to pay \EUR{49,99} using a \EUR{100,00} coin.
the system must thus support giving change in the form of spendable coins,
2015-10-08 20:47:17 +02:00
say a \EUR{0,01} coin and a \EUR{50,00} coin.
2015-10-13 18:39:43 +02:00
A merchant cannot simply give the customer their coins in another transaction;
however, as this reverses the role of merchant and customer, and
our taxability requirement would deanonymize the customer.
Also, the customer cannot withdraw exact change from his account with
the exchange, as doing so deanonymizes her through a corrolation attack.
Instead, the customer should obtain new freshly anonymized coins that cannot be
linked with this transaction, the original \EUR{100,00} coin, or each other.
2015-10-08 20:47:17 +02:00
Instead of using cryptographic methods like $k$-show
signatures~\cite{brands1993efficient} to achieve divisibility,
Taler's fractional payments use a simpler, more powerful mechanism.
In Taler, a coin is not simply a signed unique random token, but signature
over the hash of a public key where the private key is only known to the owner
of the coin.
A customer transfers currency from a coin to a merchant by cryptographically
signing a deposit message with this private key. This deposit message
2015-10-08 20:47:17 +02:00
specifies the fraction of the coin's value to be paid to the merchant.
A key contribution of Taler is the {\em refresh} protocol, which enables
a customer to exchange the residual value of the exchanged coin for
2015-10-26 12:06:25 +01:00
unlinkable freshly anonymized change.
2015-10-08 20:47:17 +02:00
2016-03-01 15:21:30 +01:00
Taler exchanges ensure that all transactions involving the same coin
2015-10-08 20:47:17 +02:00
do not exceed the total value of the coin simply by
2016-03-01 15:21:30 +01:00
requiring that merchants clear transactions immediately with the exchange.
This improves dramatically on systems that support offline merchants with
cryptographic threats to deanonymizing customers who double-spend, like
2015-10-08 20:47:17 +02:00
restrictive blind signatures~\cite{brands1993efficient}.
In such schemes, if a transaction is interrupted, then any coins sent to
2015-10-08 20:47:17 +02:00
the merchant become tainted, but may never arrive or be spent.
It becomes tricky to extract the value of the tainted coins without linking
to the aborted transaction and risking deanonymization.
As with support for fractional payments, Taler addresses these problems by
allowing customers to refresh tainted coins, thereby destroying the link
2015-10-26 12:06:25 +01:00
between the refunded or aborted transaction and the new coin.
Taler ensures that the {\em entity} owning the new coin is
the same as the entity of the user owning the old coin, thus making
sure that the refreshing protocol cannot be abused for money
laundering or other illicit transactions.
2015-01-08 18:37:20 +01:00
\section{Related Work}
\subsection{Blockchain-based currencies}
In recent years, a class of decentralized electronic payment systems,
based on collectively recorded and verified append-only public
ledgers, have gained immense popularity. The most well-known protocol
in this class is Bitcoin~\cite{nakamoto2008bitcoin}. An initial
concern with Bitcoin was the lack of anonymity, as all Bitcoin
transactions are recorded for eternity, which can enable
identification of users. In theory, this concern has been addressed
with the Zerocoin extension to the protocol~\cite{miers2013zerocoin}.
These protocols do dispense with the need for a central, trusted
authority, while providing a useful measure of pseudonymity.
Yet, there are several major irredeemable problems inherent in their designs:
2015-01-08 18:37:20 +01:00
\begin{itemize}
\item The computational puzzles solved by Bitcoin nodes with the purpose
of securing the block chain consume a considerable amount of computational
resources and energy. So Bitcoin is not an environmentally responsible
2015-01-08 18:37:20 +01:00
design.
\item Bitcoin transactions have pseduononymous recipients, making taxation
problematic, and leading to legal hurdles.
The Zerocoin extension would only make this worse.
\item Bitcoin seemingly requires speculation to offset the mining cost,
creating fluctuations in value, and making it hard to bind to national
currencies. These fluctuations may be desirable in a high-risk investment
instrument, but they make Bitcoin unsuitable as a medium of exchange.
\item Anyone can start an alternative Bitcoin transaction chain,
called an AltCoin, and, if successful, reap the benefits of the low
cost to initially create coins via computation. As participants are
de facto investors, these become a form of ponzi scheme.
% As a result, dozens of
% AltCoins have been created, often without any significant changes to the
% technology. A large number of AltCoins creates additional overheads for
% currency exchange and exacerbates the problems with currency fluctuations.
2015-01-08 18:37:20 +01:00
\end{itemize}
GreenCoinX\footnote{\url{https://www.greencoinx.com/}} is a more
recent AltCoin where the company promises to identify the owner of
each coin via e-mail addresses and phone numbers. While it is unclear
from their technical description how this identification would be
enforced against a determined adversary, the resulting payment system
would also merely impose a totalitarian financial panopticon on a
BitCoin-style money supply and transaction model, thus largely
combining what we would consider to be the drawbacks of these existing
systems.
2015-01-08 18:37:20 +01:00
\subsection{Chaum-style electronic cash}
Taler builds on ideas from Chaum~\cite{chaum1983blind}, who proposed a
digital payment system that would provide some customer anonymity
while disclosing the identity of the merchants. Chaum's digital cash
system DigiCash had some limitations and ultimately failed to be widely
adopted. In our assessment, key reasons for DigiCash's failure that
Taler avoids include:
\begin{itemize}
\item The use of patents to protect the technology; a payment system
should be free software (libre) to have a chance for widespread adoption.
\item Support for payments to off-line merchants, and thus deferred
detection of double-spending, requires the exchange to attempt to
recover funds from delinquent customers via the legal system.
Any system like this that fails to be self-enforcing creates a major
business risk for the exchange. In 1983, there were merchants without
network connectivity
need to have
been a necessary feature.
However, today requiring network connectivity is feasible and avoids the business
risks associated with deferred fraud detection.
\item % In addition to the risk of legal disputes with fraudulent
% merchants and customers,
Chaum's published design does not clearly
2016-03-01 15:21:30 +01:00
limit the financial damage a exchange might suffer from the
disclosure of its private online signing key.
\item Chaum did not support fractional payments or refunds without
breaking customer anonymity.
%, and Brand's
% extensions for fractional payments broke unlinkability and thus
% limited anonymity.
% \item Chaum's system was implemented at a time where the US market
% was still dominated by paper checks and the European market was
% fragmented into dozens of currencies. Today, SEPA provides a
% unified currency and currency transfer method for most of Europe,
% significantly lowering the barrier to entry into this domain for
% a larger market.
\end{itemize}
2015-01-08 18:37:20 +01:00
Chaum's original digital cash system~\cite{chaum1983blind} was
extended by Brands~\cite{brands1993efficient} with the ability to {\em
divide} coins and thus spend certain fractions of a coin using
restrictive blind signatures. Compared to Taler, performing
fractional payments is cryptographically way more expensive and
moreover the transactions performed with ``divisions'' from the same
coin do become linkable.
2015-01-08 18:37:20 +01:00
%
%Some argue that the focus on technically perfect but overwhelmingly
%complex protocols, as well as the the lack of usable, practical
%solutions lead to an abandonment of these ideas by
%practitioners~\cite{selby2004analyzing}.
%
2015-01-08 18:37:20 +01:00
To our knowledge, the only publicly available effort to implement
Chaum's idea is Opencoin~\cite{dent2008extensions}. However, Opencoin
seems to be neither actively developed nor used, and it is not clear
to what degree the implementation is even complete. Only a partial
description of the Opencoin protocol is available to date.
2015-01-08 18:37:20 +01:00
\subsection{Peppercoin}
Peppercoin~\cite{rivest2004peppercoin} is a microdonation protocol.
The main idea of the protocol is to reduce transaction costs by
minimizing the number of transactions that are processed directly by
2016-03-01 15:21:30 +01:00
the exchange. Instead of always paying, the customer ``gambles'' with the
2015-01-08 18:37:20 +01:00
merchant for each microdonation. Only if the merchant wins, the
microdonation is upgraded to a macropayment to be deposited at the
2016-03-01 15:21:30 +01:00
exchange. Peppercoin does not provide customer-anonymity. The proposed
statistical method by which exchanges detect fraudulent cooperation between
customers and merchants at the expense of the exchange not only creates
legal risks for the exchange, but would also require that the exchange learns
2015-10-08 20:47:17 +02:00
about microdonations where the merchant did not get upgraded to a
macropayment. It is therefore unclear how Peppercoin would actually
2016-03-01 15:21:30 +01:00
reduce the computational burden on the exchange.
2015-01-08 18:37:20 +01:00
\section{Design}
The payment system we propose is built on the blind signature
primitive proposed by Chaum, but extended with additional
constructions to provide unlinkability, online fraud detection and
taxability.
As with Chaum, the Taler system comprises three principal types of
actors (Figure~\ref{fig:cmm}): The \emph{customer} is interested in
receiving goods or services from the \emph{merchant} in exchange for
payment. When making a transaction, both the customer and the
2016-03-01 15:21:30 +01:00
merchant must agree on the same \emph{exchange}, which serves as an
intermediary for the financial transaction between the two. The exchange
is responsible for allowing the customer to obtain the anonymous
digital currency and for enabling the merchant to convert the
digital coins back to some traditional currency. The \emph{auditor}
2016-03-01 15:21:30 +01:00
assures customers and merchants that the exchange operates correctly.
2015-01-08 18:37:20 +01:00
\subsection{Security model}
Taler's security model assumes that cryptographic primitives are
secure and that each participant is under full control of his system.
2016-03-01 15:21:30 +01:00
The contact information of the exchange is known to both customer and
merchant from the start.
We further assume that the customer can authenticate the merchant,
such as by using X.509 certificates~\cite{rfc5280}. % or Tor hidden services.
Finally, we assume that customer has an anonymous, reliable bi-directional
communication channel to both the exchange and the merchant, such as Tor.
% even without hidden services.
2015-01-08 18:37:20 +01:00
2016-03-01 15:21:30 +01:00
The exchange is trusted to hold funds of its customers and to forward them
2015-01-08 18:37:20 +01:00
when receiving the respective deposit instructions from the merchants.
2016-03-01 15:21:30 +01:00
Customer and merchant can have some assurances about the exchange's
liquidity and operation, as the exchange has proven reserves, is subject
2015-10-08 02:43:42 +02:00
to the law, and can have its business regularly audited
by a government or third party.
2016-03-01 15:21:30 +01:00
Regular audits of the exchange's accounts should reveal any possible fraud
before the exchange is allowed to destroy the corresponding accumulated
cryptographic proofs and book its fees as profits.
2015-01-08 18:37:20 +01:00
%
The merchant is trusted to deliver the service or goods to the
customer upon receiving payment. The customer can seek legal relief
to achieve this, as he must get cryptographic proofs of the contract
and that he paid his obligations.
%
Neither the merchant nor the customer may have any ability to {\em
2016-03-01 15:21:30 +01:00
effectively} defraud the exchange or the state collecting taxes. Here,
2015-01-08 18:37:20 +01:00
``effectively'' means that the expected return for fraud is negative.
In particular, Taler employs a full domain hash (FDH) with RSA signatures
so that ``one-more forgery'' is hard assuming the RSA known-target
inversion problem is hard.\cite[Theorem12]{RSA-HDF-KTIvCTI}
% \cite[Theorem 6.2]{OneMoreInversion}
2015-01-08 18:37:20 +01:00
Note that customers do not need to be trusted in any way, and that in
particular it is never necessary for anyone to try to recover funds
from customers using legal means.
2015-01-08 18:37:20 +01:00
\subsection{Taxability and Entities}
2015-10-08 02:43:42 +02:00
As electronic coins are trivially copied between machines, we should
2015-01-08 18:37:20 +01:00
clarify what kinds of operations can even be expected to be taxed.
After all, without intrusive measures to take away control of the
2015-01-08 18:37:20 +01:00
computing platform from its users, copying an electronic wallet from
one computer to another can hardly be prevented by a payment system.
Furthermore, it would also hardly be appropriate to tax the moving of
funds between two computers owned by the same entity. We thus
2015-01-08 18:37:20 +01:00
need to clarify which kinds of transfers we expect to tax.
Taler is supposed to ensure that the state can tax {\em transactions}.
A {\em transaction} is a transfer where it is assured that one entity
gains control over funds while at the same time another entity looses
control over those funds. We further restrict transactions to apply
only to the transfer of funds between {\em mutually distrustful}
entities. Two entities are assumed to be mutually distrustful if they
are unwilling to share control over coins. If a private key is shared
between two entities, then both entities have equal access to the
credentials represented by the private key. In a payment system this
means that either entity could spent the associated funds. Assuming
the payment system has effective double-spending detection, this means
that either entity has to constantly fear that the funds might no
2015-10-08 02:43:42 +02:00
longer be available to it. It follows that sharing coins by copying
a private key implies mutual trust between the two parties, in which
2015-10-08 20:47:17 +02:00
case Taler will treat them as the same entity.
2015-10-08 02:43:42 +02:00
In Taler, making funds available by copying a private key and thus
2015-10-08 20:47:17 +02:00
sharing control is {\bf not} considered a {\em transaction} and
2015-10-08 02:43:42 +02:00
thus {\bf not} recorded for taxation.
Taler ensures taxability only when some entity acquires exclusive
control over the value of digital coins, which requires an interaction
2016-03-01 15:21:30 +01:00
with the exchange. For such transactions, the state can obtain information
from the exchange, or a bank, that identifies the entity that received the
2015-10-08 20:47:17 +02:00
digital coins as well as the exact value of those coins.
2016-03-01 15:21:30 +01:00
Taler also allows the exchange, and hence the state, to learn the value of
2015-10-08 02:43:42 +02:00
digital coins withdrawn by a customer---but not how, where, or when
they were spent.
2015-01-08 18:37:20 +01:00
\subsection{Anonymity}
2015-10-08 02:43:42 +02:00
An anonymous communication channel such as Tor~\cite{tor-design} is
2015-01-08 18:37:20 +01:00
used for all communication between the customer and the merchant.
2015-10-08 02:43:42 +02:00
Ideally, the customer's anonymity is limited only by this channel;
however, the payment system does additionally reveal that the customer
2016-03-01 15:21:30 +01:00
is one of the patrons of the exchange.
2015-10-08 20:47:17 +02:00
There are naturally risks that the customer-merchant business operation
2015-10-08 02:43:42 +02:00
may leak identifying information about the customer. At least, customers
have some options to defend their privacy against nosey merchants however,
possibly even when dealing with physical goods \cite{apod}.
We consider information leakage specific to the business logic to be
outside of the scope of the design of Taler.
2015-10-08 20:47:17 +02:00
Ideally, customer should use an anonymous communication channel with
2016-03-01 15:21:30 +01:00
the exchange to avoid leaking IP address information; however, the exchange
2015-10-08 02:43:42 +02:00
would typically learn the customer's identity from the wire transfer
2015-10-08 20:47:17 +02:00
that funds the customer's withdraw anonymous digital coins.
2015-10-08 02:43:42 +02:00
In fact, this is desirable as there might be rules and regulations
designed to limit the amount of anonymous digital cash that an
individual customer can withdraw in a given time period, similar to
how states today sometimes impose limits on cash
2015-10-08 20:47:17 +02:00
withdrawals~\cite{france2015cash,greece2015cash}.
2016-03-01 15:21:30 +01:00
Taler is only anonymous with respect to {\em payments}, as the exchange
2015-10-08 02:43:42 +02:00
will be unable to link the known identity of the customer that withdrew
anonymous digital currency to the {\em purchase} performed later at the
merchant. In this respect, Taler provides exactly the same scheme for
unconditional anonymous payments as was proposed by
Chaum~\cite{chaum1983blind,chaum1990untraceable} over 30 years ago.
2015-01-08 18:37:20 +01:00
2016-03-01 15:21:30 +01:00
While the customer thus has anonymity for purchases, the exchange will
always learn the merchant's identity in order to credit the merchant's
account. This is simply necessary for taxation, as Taler is supposed
to make information about funds received by any entity transparent
to the state.
2015-01-08 18:37:20 +01:00
% Technically, the merchant could still
2016-03-01 15:21:30 +01:00
%use an anonymous communication channel to communicate with the exchange.
%However, in order to receive the traditional currency the exchange will
2015-01-08 18:37:20 +01:00
%require (SEPA) account details for the deposit.
2016-03-01 15:21:30 +01:00
%As both the initial transaction between the customer and the exchange as
%well as the transactions between the merchant and the exchange do not have
2015-01-08 18:37:20 +01:00
%to be done anonymously, there might be a formal business contract
2016-03-01 15:21:30 +01:00
%between the customer and the exchange and the merchant and the exchange. Such
2015-01-08 18:37:20 +01:00
%a contract may provide customers and merchants some assurance that
2016-03-01 15:21:30 +01:00
%they will actually receive the traditional currency from the exchange
2015-01-08 18:37:20 +01:00
%given cryptographic proof about the validity of the transaction(s).
%However, given the business overheads for establishing such contracts
2016-03-01 15:21:30 +01:00
%and the natural goal for the exchange to establish a reputation and to
%minimize cost, it is more likely that the exchange will advertise its
2015-01-08 18:37:20 +01:00
%external auditors and proven reserves and thereby try to convince
%customers and merchants to trust it without a formal contract.
\subsection{Coins}
A \emph{coin} in Taler is a public-private key pair which derives its
2016-03-01 15:21:30 +01:00
financial value from a signature over the coin's public key by a exchange.
The exchange is expected to have multiple {\em coin signing key} pairs
available for signing, each representing a different coin
denomination.
2015-01-08 18:37:20 +01:00
2015-10-08 02:43:42 +02:00
These coin signing keys have an expiration date, before which any coins
2016-03-01 15:21:30 +01:00
signed with it must be spent or refreshed. This allows the exchange to
2015-10-08 02:43:42 +02:00
eventually discard records of old transactions, thus limiting the
2016-03-01 15:21:30 +01:00
records that the exchange must retain and search to detect double-spending
attempts. Furthermore, the exchange is expected to use each coin signing
2015-10-08 02:43:42 +02:00
key only for a limited number of coins.
2015-10-08 20:47:17 +02:00
% for example by limiting its use to sign coins to a week or a month.
2015-10-08 02:43:42 +02:00
In this way, if a private coin signing key were to be compromised,
2016-03-01 15:21:30 +01:00
the exchange would detect this once more coins were redeemed than the total
2015-10-08 20:47:17 +02:00
that was signed into existence using that coin signing key.
2016-03-01 15:21:30 +01:00
In this case, the exchange could allow authentic customers to exchange their
2015-10-08 20:47:17 +02:00
unspent coins that were signed with the compromised private key,
while refusing further anonymous transactions involving those coins.
2015-10-08 02:43:42 +02:00
As a result, the financial damage of losing a private signing key can be
2015-01-08 18:37:20 +01:00
limited to at most twice the amount originally signed with that key.
2016-03-01 15:21:30 +01:00
To ensure that the exchange does not enable deanonymization of users by
signing each coin with a fresh coin signing key, the exchange must publicly
2015-10-08 02:43:42 +02:00
announce the coin signing keys in advance. Those announcements are
expected to be signed with an off-line long-term private {\em master
2016-03-01 15:21:30 +01:00
signing key} of the exchange and the auditor.
2015-10-08 02:43:42 +02:00
2016-03-01 15:21:30 +01:00
Before a customer can withdraw a coin from the exchange,
he has to pay the exchange the value of the coin, as well as processing fees.
2015-10-08 02:43:42 +02:00
This is done using other means of payments, such as wire transfers or
2016-03-01 15:21:30 +01:00
by having a personal {\em reserve} at the exchange,
2015-10-08 20:47:17 +02:00
which is equivalent to a bank account with a positive balance.
2015-10-08 02:43:42 +02:00
Taler assumes that the customer has a {\em withdrawal authorization key}
2015-10-08 20:47:17 +02:00
to identify himself as authorized to withdraw funds from the reserve.
By signing the withdrawal request messages using this withdrawal
2016-03-01 15:21:30 +01:00
authorization key, the customer can prove to the exchange that he is the
2015-10-08 02:43:42 +02:00
individual authorized to withdraw anonymous digital coins from his reserve.
2016-03-01 15:21:30 +01:00
The exchange will record the withdrawal messages with the reserve record as
2015-09-09 20:33:34 +02:00
proof that the anonymous digital coin was created for the correct
2015-10-08 20:47:17 +02:00
customer. We note that the specifics of how the customer authenticates
2016-03-01 15:21:30 +01:00
to the exchange are orthogonal to the rest of the system, and
2015-10-08 02:43:42 +02:00
multiple methods can be supported.
%To put it differently, unlike
%modern cryptocurrencies like BitCoin, Taler's design simply
%acknowledges that primitive accumulation~\cite{engels1844} predates
%the system and that a secure method to authenticate owners exists.
2015-01-08 18:37:20 +01:00
2016-03-01 15:21:30 +01:00
After a coin is exchanged, the customer is the only entity that knows the
2015-10-08 20:47:17 +02:00
private key of the coin, making him the \emph{owner} of the coin.
2016-03-01 15:21:30 +01:00
The coin can be identified by the exchange by its public key; however, due
to the use of blind signatures, the exchange does not learn the public key
during the exchange process. Knowledge of the private key of the coin
2015-01-08 18:37:20 +01:00
enables the owner to spent the coin. If the private key is shared
with others, they also become owners of the coin.
\subsection{Coin spending}
2015-04-22 18:41:50 +02:00
To spend a coin, the coin's owner needs to sign a {\em deposit
2015-01-08 18:37:20 +01:00
request} specifying the amount, the merchant's account information
and a {\em business transaction-specific hash} using the coin's
private key. A merchant can then transfer this permission of the
2016-03-01 15:21:30 +01:00
coin's owner to the exchange to obtain the amount in traditional currency.
If the customer is cheating and the coin was already spent, the exchange
2015-01-08 18:37:20 +01:00
provides cryptographic proof of the fraud to the merchant, who will
2016-03-01 15:21:30 +01:00
then refuse the transaction. The exchange is typically expected to
2015-09-09 20:33:34 +02:00
transfer the funds to the merchant using a wire transfer or by
crediting the merchant's individual account, depending on what is
appropriate to the domain of the traditional currency.
2015-01-08 18:37:20 +01:00
To allow exact payments without requiring the customer to keep a large
amount of ``change'' in stock and possibly perform thousands of
signatures for larger transactions, the payment systems allows partial
spending where just a fraction of a coin's total value is transferred.
2016-03-01 15:21:30 +01:00
Consequently, the exchange the must not only store the identifiers of
spent coins, but also the fraction of the coin that has been spent.
2015-01-08 18:37:20 +01:00
\subsection{Refreshing Coins}
In this and other scenarios it is thus possible that a customer has
revealed the public key of a coin to a merchant, but not ultimately
signed over the full value of the coin. If the customer then
continues to directly use the coin in other transactions, merchants
2016-03-01 15:21:30 +01:00
and the exchange could link the various transactions as they all share the
same public key for the coin.
2015-01-08 18:37:20 +01:00
2015-10-08 02:43:42 +02:00
The owner of such a {\em dirty} coin might therefore want to exchange it
for a {\em fresh} coin to ensure unlinkability with future transactions.
2015-10-08 20:47:17 +02:00
% with the previous operation.
2015-10-08 02:43:42 +02:00
Even if a coin is not dirty, the owner of a coin may want to exchange it
if the respective coin signing key is about to expire. All of these
operations are supported with the {\em coin refreshing protocol}, which
allows the owner of a coin to {\em melt} it for fresh coins of the same
value with a new public-private key pairs. Refreshing does not use the
ordinary spending operation as the owner of a coin should not have to
pay taxes on this operation. Because of this, the refreshing protocol
2015-10-08 20:47:17 +02:00
must assure that owner stays the same.
2015-10-08 02:43:42 +02:00
% After all, the coin refreshing protocol must not be usable for transactions, as
% transactions in Taler must be taxable.
2015-10-08 20:47:17 +02:00
% Meh, this paragraph sucks :
2015-10-08 02:43:42 +02:00
We therefore demand two main properties from the refresh protocol:
2016-03-01 15:21:30 +01:00
First, the exchange must not be able to link the fresh coin's public key to
the public key of the dirty coin. Second, the exchange can ensure that the
2015-10-08 02:43:42 +02:00
owner of the dirty coin can determine the private key of the
fresh coin, thereby preventing the refresh protocol from being used to
construct a transaction.
2015-01-08 18:37:20 +01:00
%As with other operations, the refreshing protocol must also protect
2016-03-01 15:21:30 +01:00
%the exchange from double-spending; similarly, the customer has to have
%cryptographic evidence if there is any misbehavior by the exchange.
%Finally, the exchange may choose to charge a transaction fee for
%refreshing by reducing the value of the generated fresh coins
%in relation to the value of the melted coins.
%
2015-01-08 18:37:20 +01:00
%Naturally, all such transaction fees should be clearly stated as part
2016-03-01 15:21:30 +01:00
%of the business contract offered by the exchange to customers and
2015-01-08 18:37:20 +01:00
%merchants.
\section{Taler's Cryptographic Protocols}
% In this section, we describe the protocols for Taler in detail.
2016-03-01 15:21:30 +01:00
We shall assume for the sake of brevity that a recipient of a signed
2015-10-13 18:39:43 +02:00
message always first checks that the signature is valid, aborting the
operation if not. Additionally, we assume that the receiver of a
signed message is either told the public key, or knows it from the
context, and that the signature contains additional identification as
to the purpose of the signature, making it impossible to use a signature
in a different context.
2016-03-01 15:21:30 +01:00
The exchange has an {\em online message signing key} used for signing
messages, as opposed to coins. The exchange's long-term offline key is used
2015-10-13 18:39:43 +02:00
to certify both the coin signing keys and the online message signing key
2016-03-01 15:21:30 +01:00
of the exchange. The exchange's long-term offline key is assumed to be known to
2015-10-13 18:39:43 +02:00
both customers and merchants and is certified by the auditors.
2015-01-08 18:37:20 +01:00
2015-09-09 20:33:34 +02:00
As we are dealing with financial transactions, we explicitly describe
2015-01-08 18:37:20 +01:00
whenever entities need to safely commit data to persistent storage.
As long as those commitments persist, the protocol can be safely
resumed at any step. Commitments to disk are cumulative, that is an
2015-01-08 18:37:20 +01:00
additional commitment does not erase the previously committed
information. Keys and thus coins always have a well-known expiration
date; information committed to disk can be discarded after the
expiration date of the respective public key. Customers can also
discard information once the respective coins have been fully spent,
2016-03-01 15:21:30 +01:00
and merchants may discard information once payments from the exchange have
2015-10-13 18:39:43 +02:00
been received, assuming the records are also no longer needed for tax
2016-03-01 15:21:30 +01:00
purposes. The exchange's bank transfers dealing in traditional currency
2015-10-13 18:39:43 +02:00
are expected to be recorded for tax authorities to ensure taxability.
2015-01-08 18:37:20 +01:00
\subsection{Withdrawal}
Let $G$ be the generator of an elliptic curve. To withdraw anonymous
digital coins, the customer performs the following interaction with
2016-03-01 15:21:30 +01:00
the exchange:
2015-01-08 18:37:20 +01:00
\begin{enumerate}
2016-03-01 15:21:30 +01:00
\item The customer identifies a exchange with an auditor-approved
2015-01-08 18:37:20 +01:00
coin signing public-private key pair $K := (K_s, K_p)$
and randomly generates:
\begin{itemize}
\item withdrawal key $W := (w_s,W_p)$ with private key $w_s$ and public key $W_p$,
\item coin key $C := (c_s,C_p)$ with private key $c_s$ and public key $C_p := c_s G$,
2015-09-24 17:32:55 +02:00
\item blinding factor $b$, and commits $\langle W, C, b \rangle$ to disk.
2015-01-08 18:37:20 +01:00
\end{itemize}
2016-03-01 15:21:30 +01:00
\item The customer transfers an amount of money corresponding to at least $K_p$ to the exchange, with $W_p$ in the subject line of the transaction.
\item The exchange receives the transaction and credits the $W_p$ reserve with the respective amount in its database.
\item The customer sends $S_W(B_b(C_p))$ to the exchange to request withdrawal of $C$; here, $B_b$ denotes Chaum-style blinding with blinding factor $b$.
\item The exchange checks if the same withdrawal request was issued before; in this case, it sends $S_{K}(B_b(C_p))$ to the customer.\footnote{Here $S_K$
2015-01-08 18:37:20 +01:00
denotes a Chaum-style blind signature with private key $K_s$.}
2016-03-01 15:21:30 +01:00
If this is a fresh withdrawal request, the exchange performs the following transaction:
2015-01-08 18:37:20 +01:00
\begin{enumerate}
\item checks if the reserve $W_p$ has sufficient funds for a coin of value corresponding to $K_p$
\item stores the withdrawal request and response $\langle S_W(B_b(C_p)), S_K(B_b(C_p)) \rangle$ in its database for future reference,
2015-01-08 18:37:20 +01:00
\item deducts the amount corresponding to $K_p$ from the reserve,
\end{enumerate}
and then sends $S_{K}(B_b(C_p))$ to the customer.
2016-03-01 15:21:30 +01:00
If the guards for the transaction fail, the exchange sends a descriptive error back to the customer,
2015-10-13 18:39:43 +02:00
with proof that it operated correctly.
Assuming the signature was valid, this would involve showing the transaction history for the reserve.
\item The customer computes and verifies the unblinded signature $S_K(C_p) = U_b(S_K(B_b(C_p)))$.
The customer saves the coin $\langle S_K(C_p), c_s \rangle$ to local wallet on disk.
2015-01-08 18:37:20 +01:00
\end{enumerate}
2015-09-24 17:32:55 +02:00
We note that the authorization to create and access a reserve using a
withdrawal key $W$ is just one way to establish that the customer is
2016-03-01 15:21:30 +01:00
authorized to withdraw funds. If a exchange has other ways to securely
2015-09-24 17:32:55 +02:00
authenticate customers and establish that they are authorized to
withdraw funds, those can also be used with Taler.
2015-01-08 18:37:20 +01:00
2015-05-09 22:51:12 +02:00
\subsection{Exact and partial spending}
2015-01-08 18:37:20 +01:00
A customer can spend coins at a merchant, under the condition that the
2016-03-01 15:21:30 +01:00
merchant trusts the specific exchange that exchanged the coin. Merchants are
2015-09-28 12:05:20 +02:00
identified by their key $M := (m_s, M_p)$ where the public key $M_p$
must be known to the customer a priori.
2015-01-08 18:37:20 +01:00
2016-03-01 15:21:30 +01:00
We now describe the protocol between the customer, merchant, and exchange
2015-10-13 18:39:43 +02:00
for a transaction in which the customer spends a coin $C := (c_s, C_p)$
with signature $\widetilde{C} := S_K(C_p)$
2016-03-01 15:21:30 +01:00
where $K$ is the exchange's demonination key.
2015-01-08 18:37:20 +01:00
\begin{enumerate}
2015-10-13 18:39:43 +02:00
\item\label{contract}
2016-03-01 15:21:30 +01:00
Let $\vec{D} := D_1, \ldots, D_n$ be the list of exchanges accepted by
the merchant where each $D_j$ is a exchange's public key.
2015-10-13 18:39:43 +02:00
The merchant creates a digitally signed contract
$\mathcal{A} := S_M(m, f, a, H(p, r), \vec{D})$
where $m$ is an identifier for this transaction, $a$ is data relevant
to the contract indicating which services or goods the merchant will
deliver to the customer, $f$ is the price of the offer, and
$p$ is the merchant's payment information (e.g. his IBAN number), and
$r$ is a random nonce. The merchant commits $\langle \mathcal{A} \rangle$
to disk and sends $\mathcal{A}$ to the customer.
2016-03-01 15:21:30 +01:00
\item\label{deposit}
The customer should already possess a coin exchanged by a exchange that is
2015-10-13 18:39:43 +02:00
accepted by the merchant, meaning $K$ should be publicly signed by
2016-03-01 15:21:30 +01:00
some $D_j \in \{D_1, D_2, \ldots, D_n\}$, and has a value $\geq f$.
2015-10-13 18:39:43 +02:00
\item The customer generates a \emph{deposit-permission} $\mathcal{D} :=
S_c(\widetilde{C}, m, f, H(a), H(p,r), M_p)$
and sends $\langle \mathcal{D}, D_j\rangle$ to the merchant,
2016-03-01 15:21:30 +01:00
where $D_j$ is the exchange which signed $K$.
\item The merchant gives $(\mathcal{D}, p, r)$ to the exchange, revealing $p$
only to the exchange.
\item The exchange validates $\mathcal{D}$ and checks for double spending.
2015-09-28 08:53:01 +02:00
If the coin has been involved in previous transactions and the new
one would exceed its remaining value, it sends an error
2015-05-09 22:51:12 +02:00
with the records from the previous transactions back to the merchant.
2015-09-24 17:32:55 +02:00
%
2016-03-01 15:21:30 +01:00
If double spending is not found, the exchange commits $\langle \mathcal{D} \rangle$ to disk
2015-09-24 17:32:55 +02:00
and notifies the merchant that the deposit operation was successful.
2016-03-01 15:21:30 +01:00
\item The merchant commits and forwards the notification from the exchange to the
2015-10-13 18:39:43 +02:00
customer, confirming the success or failure of the operation.
2015-05-09 22:51:12 +02:00
\end{enumerate}
2015-01-08 18:37:20 +01:00
2015-10-13 18:39:43 +02:00
We have simplified the exposition by assuming that one coin suffices, but
2016-03-01 15:21:30 +01:00
in practice a customer can use multiple coins from the same exchange where
2015-10-13 18:39:43 +02:00
the total value adds up to $f$ by running the following steps for
each of the coins. There is a risk of metadata leakage if a customer
acquires a coin in responce to the merchant, or if a customer uses
2016-03-01 15:21:30 +01:00
coings issued by multiple exchanges together.
2015-10-13 18:39:43 +02:00
2015-09-24 17:32:55 +02:00
If a transaction is aborted after Step~\ref{deposit},
subsequent transactions with the same coin could be linked to the coin,
2015-05-09 22:51:12 +02:00
but not directly to the coin's owner. The same applies to partially
2015-10-13 18:39:43 +02:00
spent coins where $f$ is smaller than the actual value of the coin.
2015-05-09 22:51:12 +02:00
To unlink subsequent transactions from a coin, the customer has to
2016-03-01 15:21:30 +01:00
execute the coin refreshing protocol with the exchange.
2015-01-08 18:37:20 +01:00
%\begin{figure}[h]
%\centering
%\begin{tikzpicture}
%
%\tikzstyle{def} = [node distance= 1em, inner sep=.5em, outer sep=.3em];
%\node (origin) at (0,0) {};
%\node (offer) [def,below=of origin]{make offer (merchant $\rightarrow$ customer)};
%\node (A) [def,below=of offer]{permit lock (customer $\rightarrow$ merchant)};
2016-03-01 15:21:30 +01:00
%\node (B) [def,below=of A]{apply lock (merchant $\rightarrow$ exchange)};
%\node (C) [def,below=of B]{confirm (or refuse) lock (exchange $\rightarrow$ merchant)};
2015-01-08 18:37:20 +01:00
%\node (D) [def,below=of C]{sign contract (merchant $\rightarrow$ customer)};
%\node (E) [def,below=of D]{permit deposit (customer $\rightarrow$ merchant)};
2016-03-01 15:21:30 +01:00
%\node (F) [def,below=of E]{make deposit (merchant $\rightarrow$ exchange)};
%\node (G) [def,below=of F]{transfer confirmation (exchange $\rightarrow$ merchant)};
2015-01-08 18:37:20 +01:00
%
%\tikzstyle{C} = [color=black, line width=1pt]
%\draw [->,C](offer) -- (A);
%\draw [->,C](A) -- (B);
%\draw [->,C](B) -- (C);
%\draw [->,C](C) -- (D);
%\draw [->,C](D) -- (E);
%\draw [->,C](E) -- (F);
%\draw [->,C](F) -- (G);
%
%\draw [->,C, bend right, shorten <=2mm] (E.east)
% to[out=-135,in=-45,distance=3.8cm] node[left] {aggregate} (D.east);
%\end{tikzpicture}
2016-03-01 15:21:30 +01:00
%\caption{Interactions between a customer, merchant and exchange in the coin spending
2015-01-08 18:37:20 +01:00
% protocol}
%\label{fig:spending_protocol_interactions}
%\end{figure}
2015-09-09 20:33:34 +02:00
\subsection{Refreshing} \label{sec:refreshing}
2015-01-08 18:37:20 +01:00
2016-03-01 15:21:30 +01:00
We now describe the refresh protocol whereby a dirty coin $C'$ of
2015-10-13 18:39:43 +02:00
denomination $K$ is melted to obtain a fresh coin $\widetilde{C}$
with the same denomination. In practice, Taler uses a natural
2015-09-24 17:32:55 +02:00
extension where multiple fresh coins are generated a the same time to
2016-03-01 15:21:30 +01:00
enable giving precise change matching any amount.
2015-10-13 18:39:43 +02:00
In the protocol, $\kappa \ge 3$ is a security parameter and $G$ is the
2015-09-24 17:32:55 +02:00
generator of the elliptic curve.
2015-01-08 18:37:20 +01:00
\begin{enumerate}
2015-10-05 00:35:02 +02:00
\item For each $i = 1,\ldots,\kappa$, the customer randomly generates
2015-01-08 18:37:20 +01:00
\begin{itemize}
2015-10-13 18:39:43 +02:00
\item transfer key $T^{(i)} := \left(t^{(i)}_s,T^{(i)}_p\right)$
where $T^{(i)}_p := t^{(i)}_s G$,
\item coin key pair $C^{(i)} := \left(c_s^{(i)}, C_p^{(i)}\right)$
where $C^{(i)}_p := c^{(i)}_s G$, and
2015-10-05 00:35:02 +02:00
\item blinding factors $b^{(i)}$.
2015-01-08 18:37:20 +01:00
\end{itemize}
2015-10-13 18:39:43 +02:00
The customer then computes
$E^{(i)} := E_{K_i}\left(c_s^{(i)}, b^{(i)}\right)$
where $K_i := H(c'_s T_p^{(i)})$, and
commits $\langle C', \vec{T}, \vec{C}, \vec{b} \rangle$ to disk.
2015-10-26 11:49:08 +01:00
Our computation of $K_i$ is effectively a Diffie-Hellman operation
2015-10-13 18:39:43 +02:00
between the private key $c'_s$ of the original coin with
2015-10-26 11:49:08 +01:00
the public transfer key $T_p^{(i)}$.
\item The customer computes $B^{(i)} := B_{b^{(i)}}(C^{(i)}_p)$ for $i \in \{1,\ldots,\kappa\}$ and sends a commitment
2016-03-01 15:21:30 +01:00
$S_{C'}(\vec{E}, \vec{B}, \vec{T_p})$ to the exchange.
\item The exchange generates a random $\gamma$ with $1 \le \gamma \le \kappa$ and
2015-01-08 18:37:20 +01:00
marks $C'_p$ as spent by committing
2015-10-26 11:49:08 +01:00
$\langle C', \gamma, S_{C'}(\vec{E}, \vec{B}, \vec{T_p}) \rangle$ to disk.
2015-10-13 18:39:43 +02:00
Auditing processes should assure that $\gamma$ is unpredictable until
2016-03-01 15:21:30 +01:00
this time to prevent the exchange from assisting tax evasion.
\item The exchange sends $S_{K'}(C'_p, \gamma)$ to the customer where
$K'$ is the exchange's message signing key.
2015-01-08 18:37:20 +01:00
\item The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk.
\item The customer computes $\mathfrak{R} := \left(t_s^{(i)}\right)_{i \ne \gamma}$
2016-03-01 15:21:30 +01:00
and sends $S_{C'}(\mathfrak{R})$ to the exchange.
\item \label{step:refresh-ccheck} The exchange checks whether $\mathfrak{R}$ is consistent with the commitments;
2015-09-24 17:32:55 +02:00
specifically, it computes for $i \not= \gamma$:
\vspace{-2ex}
\begin{minipage}{5cm}
\begin{align*}
\overline{K}_i :&= H(t_s^{(i)} C_p'), \\
(\overline{c}_s^{(i)}, \overline{b_i}) :&= D_{\overline{K}_i}(E^{(i)}), \\
\overline{C^{(i)}_p} :&= \overline{c}_s^{(i)} G,
2015-09-24 17:32:55 +02:00
\end{align*}
\end{minipage}
\begin{minipage}{5cm}
\begin{align*}
\overline{T_p^{(i)}} :&= t_s^{(i)} G, \\ \\
\overline{B^{(i)}} :&= B_{\overline{b_i}}(\overline{C_p^{(i)}}),
2015-09-24 17:32:55 +02:00
\end{align*}
\end{minipage}
and checks if $\overline{B^{(i)}} = B^{(i)}$
and $\overline{T^{(i)}_p} = T^{(i)}_p$.
2015-01-08 18:37:20 +01:00
2015-05-09 22:51:12 +02:00
\item \label{step:refresh-done} If the commitments were consistent,
2016-03-01 15:21:30 +01:00
the exchange sends the blind signature $\widetilde{C} :=
S_{K}(B^{(\gamma)})$ to the customer. Otherwise, the exchange responds
2015-09-28 12:05:20 +02:00
with an error indicating the location of the failure.
2015-01-08 18:37:20 +01:00
\end{enumerate}
%\subsection{N-to-M Refreshing}
%
%TODO: Explain, especially subtleties regarding session key / the spoofing attack that requires signature.
\subsection{Linking}
2016-03-01 15:21:30 +01:00
For a coin that was successfully refreshed, the exchange responds to a
2015-09-28 16:00:14 +02:00
request $S_{C'}(\mathtt{link})$ with $(T^{(\gamma)}_p$, $E^{(\gamma)},
\widetilde{C})$.
2015-09-24 17:32:55 +02:00
%
2015-09-24 17:43:20 +02:00
This allows the owner of the melted coin to also obtain the private
key of the new coin, even if the refreshing protocol was illicitly
2015-10-26 11:49:08 +01:00
executed with the help of another party who generated $\vec{c_s}$ and only
2015-09-28 12:01:37 +02:00
provided $\vec{C_p}$ and other required information to the old owner.
2016-03-01 15:21:30 +01:00
As a result, linking ensures that access to the new coins exchanged by
2015-09-24 17:43:20 +02:00
the refresh protocol is always {\em shared} with the owner of the
melted coins. This makes it impossible to abuse the refresh protocol
for {\em transactions}.
The linking request is not expected to be used at all during ordinary
operation of Taler. If the refresh protocol is used by Alice to
obtain change as designed, she already knows all of the information
and thus has little reason to request it via the linking protocol.
2016-03-01 15:21:30 +01:00
The fundamental reason why the exchange must provide the link protocol is
simply to provide a threat: if Bob were to use the refresh protocol
for a transaction of funds from Alice to him, Alice may use a link
request to gain shared access to Bob's coins. Thus, this threat
2015-09-24 17:43:20 +02:00
prevents Alice and Bob from abusing the refresh protocol to evade
taxation on transactions. If Bob trusts Alice to not execute the link
protocol, then they can already conspire to evade taxation by simply
exchanging the original private coin keys. This is permitted in our
taxation model as with such trust they are assumed to be the same
entity.
2016-03-01 15:21:30 +01:00
The auditor can anonymously check if the exchange correctly implements the
link request, thus preventing the exchange operator from legally disabling
this protocol component. Without the link operation, Taler would
devolve into a payment system where both sides can be anonymous, and
thus no longer provide taxability.
\subsection{Error handling}
During operation, there are three main types of errors that are
expected. First, in the case of faulty clients, the responding server
will generate an error message with detailed cryptographic proofs
demonstrating that the client was faulty, for example by providing
proof of double-spending or providing the previous commit and the
location of the missmatch in the case of the reveal step in the
refresh protocol. It is also possible that the server may claim that
the client has been violating the protocol. In these cases, the
clients should verify any proofs provided and if they are acceptable,
2015-09-24 17:43:20 +02:00
notify the user that they are somehow faulty. Similar, if the
server indicates that the client is violating the protocol, the
client should record the interaction and enable the user to file a
2015-09-24 17:43:20 +02:00
bug report.
2016-03-01 15:21:30 +01:00
The second case is a faulty exchange service provider. Such faults will
2015-10-13 18:39:43 +02:00
be detected because of protocol violations, such as providing
a faulty proof or no proof. In this case, the client is expected to
notify the auditor, providing a transcript of the interaction. The
2015-10-13 18:39:43 +02:00
auditor can then anonymously replay the transaction, and either
provide the now correct response to the client or take appropriate
legal action against the faulty provider.
The third case are transient failures, such as network failures or
2016-03-01 15:21:30 +01:00
temporary hardware failures at the exchange service provider. Here, the
2015-10-13 18:39:43 +02:00
client may receive an explicit protocol indication, such as an HTTP
response code 500 ``internal server error'' or simply no response.
The appropriate behavior for the client is to automatically retry
2016-03-01 15:21:30 +01:00
after 1s, and twice more at randomized times within 1 minute.
2015-10-13 18:39:43 +02:00
If those three attempts fail, the user should be informed about the
delay. The client should then retry another three times within the
next 24h, and after that time the auditor be informed about the outage.
Using this process, short term failures should be effectively obscured
from the user, while malicious behavior is reported to the auditor who
2015-10-13 18:39:43 +02:00
can then presumably rectify the situation, such as by shutting down
2016-03-01 15:21:30 +01:00
the operator and helping customers to regain refunds for coins in
2015-10-13 18:39:43 +02:00
their wallets. To ensure that such refunds are possible, the operator
is expected to always provide adequate securities for the amount of
coins in circulation as part of the certification process.
2015-01-08 18:37:20 +01:00
2015-09-09 20:33:34 +02:00
\subsection{Refunds}
The refresh protocol offers an easy way to enable refunds to
customers, even if they are anonymous. Refunds can be supported
by including a public signing key of the merchant in the transaction
2015-09-09 20:33:34 +02:00
details, and having the customer keep the private key of the spent
coins on file.
Given this, the merchant can simply sign a {\em refund confirmation}
2016-03-01 15:21:30 +01:00
and share it with the exchange and the customer. Assuming the exchange has
2015-10-13 18:39:43 +02:00
a way to recover the funds from the merchant, or has not yet performed
2016-03-01 15:21:30 +01:00
the wire transfer, the exchange can simply add the value of the refunded
transaction back to the original coin, re-enabling those funds to be
2015-10-13 18:39:43 +02:00
spent again by the original customer.
2015-09-09 20:33:34 +02:00
2015-10-13 18:39:43 +02:00
This anonymous customer can then use the refresh protocol to melt the
2016-03-01 15:21:30 +01:00
refunded coin and create a fresh coin that is unlinkable to the
2015-10-13 18:39:43 +02:00
refunded transaction.
2015-09-09 20:33:34 +02:00
2015-01-08 18:37:20 +01:00
\section{Discussion}
2015-09-24 12:22:20 +02:00
Taler's security is largely equivalent to that of Chaum's original
2015-10-13 18:39:43 +02:00
design without online checks or the cut-and-choose revelation of
2016-03-01 15:21:30 +01:00
double-spending customers for offline spending.
We specifically note that the digital equivalent of the ``Columbian
Black Market Exchange''~\cite{fatf1997} is a theoretical problem for
2015-10-13 18:39:43 +02:00
both Chaum and Taler, as individuals with a strong mutual trust
2016-03-01 15:21:30 +01:00
foundation can simply copy electronic coins and thereby establish a
2015-10-13 18:39:43 +02:00
limited form of black transfers. However, unlike the situation with
physical checks with blank recipients in the Columbian black market,
the transitivity is limited as each participant can deposit the electronic
2015-09-24 12:22:20 +02:00
coins and thereby cheat any other participant, while in the Columbian
black market each participant only needs to trust the issuer of the
check and not also all previous owners of the physical check.
As with any unconditionally anonymous payment system, the ``Perfect
Crime'' attack~\cite{solms1992perfect} where blackmail is used to
2016-03-01 15:21:30 +01:00
force the exchange to issue anonymous coins also continues to apply in
principle. However, as mentioned Taler does facilitate limits on
2015-09-24 12:22:20 +02:00
withdrawals, which we believe is a better trade-off than the
problematic escrow systems where the necessary intransparency
2016-03-01 15:21:30 +01:00
actually facilitates voluntary cooperation between the exchange and
2015-09-24 12:22:20 +02:00
criminals~\cite{sander1999escrow} and where state can selectively
deanonymize activists to support the deep state's quest for absolute
security.
2015-01-08 18:37:20 +01:00
\subsection{Offline Payments}
2015-09-09 20:33:34 +02:00
Chaum's original proposals for anonymous digital cash avoided the need
2016-03-01 15:21:30 +01:00
for online interactions with the exchange to detect double spending by
2015-01-08 18:37:20 +01:00
providing a means to deanonymize customers involved in
2016-03-01 15:21:30 +01:00
double-spending. We believe that this is problematic as the exchange or
2015-01-08 18:37:20 +01:00
the merchant will then still need out-of-band means to recover funds
from the customer, which may be impossible in practice. In contrast,
2016-03-01 15:21:30 +01:00
in our design only the exchange may try to defraud the other participants
2015-09-09 20:33:34 +02:00
and disappear. While this is still a risk, and regular financial
audits are required to protect against it, this is more manageable and
significantly cheaper compared to recovering funds via the court
system from customers.
Chaum's method for offline payments would also be incompatible with
the refreshing protocol (Section~\ref{sec:refreshing}) which enables
the crucial feature of giving unlinkable change. The reason is that
if the owner's identity were embedded in coins, it would be leaked to
2016-03-01 15:21:30 +01:00
the exchange as part of the reveal operation in the cut-and-choose
2015-09-09 20:33:34 +02:00
operation of the refreshing protocol.
2015-01-08 18:37:20 +01:00
%\subsection{Merchant Tax Audits}
%
2016-03-01 15:21:30 +01:00
%For a tax audit on the merchant, the exchange includes the business
%transaction-specific hash in the transfer of the traditional
%currency. A tax auditor can then request the merchant to reveal
%(meaningful) details about the business transaction ($\mathcal{D}$,
%$a$, $p$, $r$), including proof that applicable taxes were paid.
%
%If a merchant is not able to provide theses values, he can be
%subjected to financial penalties by the state in relation to the
%amount transferred by the traditional currency transfer.
\subsection{Cryptographic proof vs. evidence}
In this paper we have use the term ``proof'' in many places as the
protocol provides cryptographic proofs of which parties behave
correctly or incorrectly. However, as~\cite{fc2014murdoch} point out,
in practice financial systems need to provide evidence that holds up
in courts. Taler's implementation is designed to export evidence and
upholds the core principles described in~\cite{fc2014murdoch}. In
particular, in providing the cryptographic proofs as evidence none of
the participants have to disclose their core secrets, the process is
covered by standard testing procedures, and the full trusted
computing base (TCB) is public and free software.
%\subsection{System Performance}
%
%We performed some initial performance measurements for the various
2016-03-01 15:21:30 +01:00
%operations on our exchange implementation. The main conclusion was that
%the computational and bandwidth cost for transactions described in
%this paper is smaller than $10^{-3}$ cent/transaction, and thus
2016-03-01 15:21:30 +01:00
%dwarfed by the other business costs for the exchange. However, this
%figure excludes the cost of currency transfers using traditional
2016-03-01 15:21:30 +01:00
%banking, which a exchange operator would ultimately have to interact with.
%Here, exchange operators should be able to reduce their expenses by
%aggregating multiple transfers to the same merchant.
%\section{Conclusion}
%We have presented an efficient electronic payment system that
%simultaneously addresses the conflicting objectives created by the
%citizen's need for privacy and the state's need for taxation. The
%coin refreshing protocol makes the design flexible and enables a
%variety of payment methods. The current balance and profits of the
2016-03-01 15:21:30 +01:00
%exchange are also easily determined, thus audits can be used to ensure
%that the exchange operates correctly. The libre implementation and open
%protocol may finally enable modern society to upgrade to proper
%electronic wallets with efficient, secure and privacy-preserving
%transactions.
2015-01-08 18:37:20 +01:00
2015-09-09 20:35:27 +02:00
% commented out for anonymized submission
%\subsection*{Acknowledgements}
2015-09-09 20:35:27 +02:00
%This work was supported by a grant from the Renewable Freedom Foundation.
% FIXME: ARED?
2015-09-28 12:01:37 +02:00
%We thank Tanja Lange, Dan Bernstein, Luis Ressel and Fabian Kirsch for feedback on an earlier
2015-09-09 20:35:27 +02:00
%version of this paper, Nicolas Fournier for implementing and running
%some performance benchmarks, and Richard Stallman, Hellekin Wolf,
%Jacob Appelbaum for productive discussions and support.
2015-01-08 18:37:20 +01:00
\bibliographystyle{alpha}
\bibliography{taler,rfc}
2015-05-09 22:51:12 +02:00
\newpage
2015-05-09 22:51:12 +02:00
\appendix
\section{Optional features}
In this appendix we detail various optional features that can
be added to the basic protocol to reduce transaction costs for
certain interactions.
2015-05-09 22:51:12 +02:00
2015-09-09 20:33:34 +02:00
However, we note that Taler's transaction costs are expected to be so
low that these features are likely not particularly useful in
practice: When we performed some initial performance measurements for
2016-03-01 15:21:30 +01:00
the various operations on our exchange implementation, the main conclusion
was that the computational and bandwidth cost for transactions
described in this paper is smaller than $10^{-3}$ cent/transaction,
2016-03-01 15:21:30 +01:00
and thus dwarfed by the other business costs for the exchange. We note
that the $10^{-3}$ cent/transaction estimate excludes the cost of wire
2016-03-01 15:21:30 +01:00
transfers using traditional banking, which a exchange operator would
ultimately have to interact with. Here, exchange operators should be able
to reduce their expenses by aggregating multiple transfers to the same
merchant.
2016-03-01 15:21:30 +01:00
As a result of the low cost of the interaction with the exchange in Taler
today, we expect that transactions with amounts below Taler's internal
transaction costs to be economically meaningless. Nevertheless, we
document various ways how such transactions could be achieved within
Taler.
2015-05-09 22:51:12 +02:00
2015-05-17 18:13:54 +02:00
2015-05-09 22:51:12 +02:00
\subsection{Incremental spending}
For services that include pay-as-you-go billing, customers can over
time sign deposit permissions for an increasing fraction of the value
of a coin to be paid to a particular merchant. As checking with the
2016-03-01 15:21:30 +01:00
exchange for each increment might be expensive, the coin's owner can
2015-05-09 22:51:12 +02:00
instead sign a {\em lock permission}, which allows the merchant to get
an exclusive right to redeem deposit permissions for the coin for a
limited duration. The merchant uses the lock permission to determine
if the coin has already been spent and to ensure that it cannot be
spent by another merchant for the {\em duration} of the lock as
2015-09-28 08:53:01 +02:00
specified in the lock permission. If the coin has insufficient funds
because too much has been spent or is
2016-03-01 15:21:30 +01:00
already locked, the exchange provides the owner's deposit or locking
2015-05-09 22:51:12 +02:00
request and signature to prove the attempted fraud by the customer.
2016-03-01 15:21:30 +01:00
Otherwise, the exchange locks the coin for the expected duration of the
2015-05-09 22:51:12 +02:00
transaction (and remembers the lock permission). The merchant and the
customer can then finalize the business transaction, possibly
exchanging a series of incremental payment permissions for services.
2016-03-01 15:21:30 +01:00
Finally, the merchant then redeems the coin at the exchange before the
2015-09-28 11:47:42 +02:00
lock permission expires to ensure that no other merchant redeems the
2015-05-09 22:51:12 +02:00
coin first.
\begin{enumerate}
\item\label{offer2} The merchant sends an \emph{offer:} $\langle S_M(m, f),
\vec{D} \rangle$ containing the price of the offer $f$, a transaction
2016-03-01 15:21:30 +01:00
ID $m$ and the list of exchanges $D_1, \ldots, D_n$ accepted by the merchant
where each $D_j$ is a exchange's public key.
\item\label{lock2} The customer must possess or acquire a coin $\widetilde{C}$
2016-03-01 15:21:30 +01:00
signed by a exchange that is
2015-09-28 11:47:42 +02:00
accepted by the merchant, i.e. $K$ should be signed by some $D_j
2015-05-09 22:51:12 +02:00
\in \{D_1, D_2, \ldots, D_n\}$, and has a value $\geq f$.
Customer then generates a \emph{lock-permission} $\mathcal{L} :=
S_c(\widetilde{C}, t, m, f, M_p)$ where $t$ specifies the time until which the
lock is valid and sends $\langle \mathcal{L}, D_j\rangle$ to the merchant,
2016-03-01 15:21:30 +01:00
where $D_j$ is the exchange which signed $K$.
\item The merchant asks the exchange to apply the lock by sending $\langle
\mathcal{L} \rangle$ to the exchange.
\item The exchange validates $\widetilde{C}$ and detects double spending
in the form of existing \emph{deposit-permission} or
2015-09-28 11:47:42 +02:00
lock-permission records for $\widetilde{C}$. If such records exist
2016-03-01 15:21:30 +01:00
and indicate that insufficient funds are left, the exchange sends those
2015-09-28 12:05:20 +02:00
records to the merchant, who can then use the records to prove the double
2015-09-28 11:47:42 +02:00
spending to the customer.
If double spending is not found,
2016-03-01 15:21:30 +01:00
the exchange commits $\langle \mathcal{L} \rangle$ to disk
2015-05-09 22:51:12 +02:00
and notifies the merchant that locking was successful.
\item\label{contract2} The merchant creates a digitally signed contract
$\mathcal{A} := S_M(m, f, a, H(p, r))$ where $a$ is data relevant to the contract
indicating which services or goods the merchant will deliver to the customer, and $p$ is the
merchant's payment information (e.g. his IBAN number) and $r$ is an random nonce.
2015-05-09 22:51:12 +02:00
The merchant commits $\langle \mathcal{A} \rangle$ to disk and sends it to the customer.
\item The customer creates a
2015-09-28 11:47:42 +02:00
\emph{deposit-permission} $\mathcal{D} := S_c(\widetilde{C}, \widetilde{L}, f, m, M_p, H(a), H(p, r))$, commits
2015-05-09 22:51:12 +02:00
$\langle \mathcal{A}, \mathcal{D} \rangle$ to disk and sends $\mathcal{D}$ to the merchant.
\item\label{invoice_paid2} The merchant commits the received $\langle \mathcal{D} \rangle$ to disk.
2016-03-01 15:21:30 +01:00
\item The merchant gives $(\mathcal{D}, p, r)$ to the exchange, revealing his
2015-05-09 22:51:12 +02:00
payment information.
2016-03-01 15:21:30 +01:00
\item The exchange verifies $(\mathcal{D}, p, r)$ for its validity and
2015-09-28 11:47:42 +02:00
checks against double spending, while of
course permitting the merchant to withdraw funds from the amount that
had been locked for this merchant.
\item If $\widetilde{C}$ is valid and no equivalent \emph{deposit-permission} for $\widetilde{C}$ and $\widetilde{L}$ exists on disk, the
2016-03-01 15:21:30 +01:00
exchange performs the following transaction:
2015-05-09 22:51:12 +02:00
\begin{enumerate}
2015-09-28 11:47:42 +02:00
\item $\langle \mathcal{D}, p, r \rangle$ is committed to disk.
2015-05-09 22:51:12 +02:00
\item\label{transfer2} transfers an amount of $f$ to the merchant's bank account
given in $p$. The subject line of the transaction to $p$ must contain
$H(\mathcal{D})$.
\end{enumerate}
2016-03-01 15:21:30 +01:00
Finally, the exchange sends a confirmation to the merchant.
2015-09-28 11:47:42 +02:00
\item If the deposit record $\langle \mathcal{D}, p, r \rangle$ already exists,
2016-03-01 15:21:30 +01:00
the exchange sends the confirmation to the merchant,
2015-09-28 11:47:42 +02:00
but does not transfer money to $p$ again.
2015-05-09 22:51:12 +02:00
\end{enumerate}
To facilitate incremental spending of a coin $C$ in a single transaction, the
merchant makes an offer in Step~\ref{offer2} with a maximum amount $f_{max}$ he
is willing to charge in this transaction from the coin $C$. After obtaining the
lock on $C$ for $f_{max}$, the merchant makes a contract in Step~\ref{contract2}
with an amount $f \leq f_{max}$. The protocol follows with the following steps
repeated after Step~\ref{invoice_paid2} whenever the merchant wants to charge an
incremental amount up to $f_{max}$:
\begin{enumerate}
\setcounter{enumi}{4}
\item The merchant generates a new contract $ \mathcal{A}' := S_M(m, f', a', H(p,
r)) $ after obtaining the deposit-permission for a previous contract. Here
$f'$ is the accumulated sum the merchant is charging the customer, of which
the merchant has received a deposit-permission for $f$ from the previous
contract \textit{i.e.}~$f <f' \leq f_{max}$. Similarly $a'$ is the new
contract data appended to older contract data $a$.
The merchant commits $\langle \mathcal{A}' \rangle$ to disk and sends it to the customer.
\item Customer commits $\langle \mathcal{A}' \rangle$ to disk, creates
2015-09-28 11:47:42 +02:00
$\mathcal{D}' := S_c(\widetilde{C}, \mathcal{L}, f', m, M_p, H(a'), H(p, r))$, commits
2015-05-09 22:51:12 +02:00
$\langle \mathcal{D'} \rangle$ and sends it to the merchant.
\item The merchant commits the received $\langle \mathcal{D'} \rangle$ and
2015-09-28 11:47:42 +02:00
deletes the older $\mathcal{D}$.
2015-05-09 22:51:12 +02:00
\end{enumerate}
%Figure~\ref{fig:spending_protocol_interactions} summarizes the interactions of the
%coin spending protocol.
2015-09-28 11:47:42 +02:00
For transactions with multiple coins, the steps of the protocol are
executed in parallel for each coin. During the time a coin is locked,
the locked fraction may not be spent at a different merchant or via a
2016-03-01 15:21:30 +01:00
deposit permission that does not contain $\mathcal{L}$. The exchange will
2015-09-28 11:47:42 +02:00
release the locks when they expire or are used in a deposit operation.
Thus the coins can be used with other merchants once their locks
expire, even if the original merchant never executed any deposit for
the coin. However, doing so may link the new transaction to older
transaction.
Similarly, if a transaction is aborted after Step 2, subsequent
transactions with the same coin can be linked to the coin, but not
directly to the coin's owner. The same applies to partially spent
coins. Thus, to unlink subsequent transactions from a coin, the
2016-03-01 15:21:30 +01:00
customer has to execute the coin refreshing protocol with the exchange.
2015-05-09 22:51:12 +02:00
%\begin{figure}[h]
%\centering
%\begin{tikzpicture}
%
%\tikzstyle{def} = [node distance= 1em, inner sep=.5em, outer sep=.3em];
%\node (origin) at (0,0) {};
%\node (offer) [def,below=of origin]{make offer (merchant $\rightarrow$ customer)};
%\node (A) [def,below=of offer]{permit lock (customer $\rightarrow$ merchant)};
2016-03-01 15:21:30 +01:00
%\node (B) [def,below=of A]{apply lock (merchant $\rightarrow$ exchange)};
%\node (C) [def,below=of B]{confirm (or refuse) lock (exchange $\rightarrow$ merchant)};
2015-05-09 22:51:12 +02:00
%\node (D) [def,below=of C]{sign contract (merchant $\rightarrow$ customer)};
%\node (E) [def,below=of D]{permit deposit (customer $\rightarrow$ merchant)};
2016-03-01 15:21:30 +01:00
%\node (F) [def,below=of E]{make deposit (merchant $\rightarrow$ exchange)};
%\node (G) [def,below=of F]{transfer confirmation (exchange $\rightarrow$ merchant)};
2015-05-09 22:51:12 +02:00
%
%\tikzstyle{C} = [color=black, line width=1pt]
%\draw [->,C](offer) -- (A);
%\draw [->,C](A) -- (B);
%\draw [->,C](B) -- (C);
%\draw [->,C](C) -- (D);
%\draw [->,C](D) -- (E);
%\draw [->,C](E) -- (F);
%\draw [->,C](F) -- (G);
%
%\draw [->,C, bend right, shorten <=2mm] (E.east)
% to[out=-135,in=-45,distance=3.8cm] node[left] {aggregate} (D.east);
%\end{tikzpicture}
2016-03-01 15:21:30 +01:00
%\caption{Interactions between a customer, merchant and exchange in the coin spending
2015-05-09 22:51:12 +02:00
% protocol}
%\label{fig:spending_protocol_interactions}
%\end{figure}
2015-05-17 18:13:54 +02:00
\subsection{Probabilistic donations}
Similar to Peppercoin, Taler supports probabilistic {\em micro}donations of coins to
support cost-effective transactions for small amounts. We consider
amounts to be ``micro'' if the value of the transaction is close or
2016-03-01 15:21:30 +01:00
even below the business cost of an individual transaction to the exchange.
2015-05-17 18:13:54 +02:00
To support microdonations, an ordinary transaction is performed based
on the result of a biased coin flip with a probability related to the
desired transaction amount in relation to the value of the coin. More
specifically, a microdonation of value $\epsilon$ is upgraded to a
macropayment of value $m$ with a probability of $\frac{\epsilon}{m}$.
Here, $m$ is chosen such that the business transaction cost at the
2016-03-01 15:21:30 +01:00
exchange is small in relation to $m$. The exchange is only involved in the
2015-05-17 18:13:54 +02:00
tiny fraction of transactions that are upgraded. On average both
customers and merchants end up paying (or receiving) the expected
amount $\epsilon$ per microdonation.
Unlike Peppercoin, in Taler either the merchant wins and the customer
looses the coin, or the merchant looses and the customer keeps the
coin. Thus, there is no opportunity for the merchant and the customer
2016-03-01 15:21:30 +01:00
to conspire against the exchange. To determine if the coin is to be
2015-05-17 18:13:54 +02:00
transferred, merchant and customer execute a secure coin flipping
protocol~\cite{blum1981}. The commit values are included in the
business contract and are revealed after the contract has been signed
using the private key of the coin. If the coin flip is decided in
2016-03-01 15:21:30 +01:00
favor of the merchant, the merchant can redeem the coin at the exchange.
2015-05-09 22:51:12 +02:00
One issue in this protocol is that the customer may use a worthless
coin by offering a coin that has already been spent. This kind of
fraud would only be detected if the customer actually lost the coin
flip, and at this point the merchant might not be able to recover from
the loss. A fraudulent anonymous customer may run the protocol using
already spent coins until the coin flip is in his favor.
2015-05-17 18:13:54 +02:00
As with incremental spending, lock permissions could be used to ensure
that the customer cannot defraud the merchant by offering a coin that
2016-03-01 15:21:30 +01:00
has already been spent. However, as this means involving the exchange
2015-05-17 18:13:54 +02:00
even if the merchant looses the coin flip, such a scheme is unsuitable
2016-03-01 15:21:30 +01:00
for microdonations as the transaction costs from involving the exchange
2015-05-17 18:13:54 +02:00
might be disproportionate to the value of the transaction, and thus
with locking the probabilistic scheme has no advantage over simply
using fractional payments.
Hence, Taler uses probabilistic transactions {\em without} online
2015-05-09 22:51:12 +02:00
double-spending detection. This enables the customer to defraud the
merchant by paying with a coin that was already spent. However, as,
by definition, such microdonations are for tiny amounts, the incentive
2015-05-17 18:13:54 +02:00
for customers to pursue this kind of fraud is limited. Still, to
clarify that the customer must be honest, we prefer the term
micro{\em donations} over micro{\em payments} for this scheme.
2015-05-09 22:51:12 +02:00
The following steps are executed for microdonations with upgrade probability $p$:
\begin{enumerate}
\item The merchant sends an offer to the customer.
\item The customer sends a commitment $H(r_c)$ to a random
value $r_c \in [0,2^R)$, where $R$ is a system parameter.
\item The merchant sends random $r_m \in [0,2^R)$ to the customer.
\item The customer computes $p' := (|r_c - r_m|) / (2^R)$.
If $p' < p$, the customer sends a coin with deposit-permission to the merchant.
Otherwise, the customer sends $r_c$ to the merchant.
\item The merchant deposits the coin, or checks if $r_c$ is consistent
with $H(r_c)$.
\end{enumerate}
2015-09-09 20:33:34 +02:00
Evidently the customer can ``cheat'' by aborting the transaction in
Step 3 of the microdonation protocol if the outcome is unfavorable ---
2015-09-09 20:33:34 +02:00
and repeat until he wins. This is why Taler is suitable for
microdonations --- where the customer voluntarily contributes ---
and not for micropayments.
Naturally, if the donations requested are small, the incentive to
cheat for minimal gain should be quite low. Payment software could
embrace this fact by providing an appeal to conscience in form of an
option labeled ``I am unethical and want to cheat'', which executes
the dishonest version of the payment protocol.
If an organization detects that it cannot support itself with
microdonations, it can always choose to switch to the macropayment
system with slightly higher transaction costs to remain in business.
\newpage
\section{Notation summary}
The paper uses the subscript $p$ to indicate public keys and $s$ to
indicate secret (private) keys. For keys, we also use small letters
for scalars and capital letters for points on an elliptic curve. The
capital letter without the subscript $p$ stands for the key pair. The
superscript $(i)$ is used to indicate one of the elements of a vector
during the cut-and-choose protocol. Bold-face is used to indicate a
vector over these elements. A line above indicates a value computed
by the verifier during the cut-and-choose operation. We use $f()$ to
2015-10-26 12:22:24 +01:00
indicate the application of a function $f$ to one or more arguments. Records of
data being committed to disk are represented in between $\langle\rangle$.
\begin{description}
2016-03-01 15:21:30 +01:00
\item[$K_s$]{Private (RSA) key of the exchange used for coin signing}
\item[$K_p$]{Public (RSA) key corresponding to $K_s$}
\item[$K$]{Public-priate (RSA) coin signing key pair $K := (K_s, K_p)$}
\item[$b$]{RSA blinding factor for RSA-style blind signatures}
\item[$B_b()$]{RSA blinding over the argument using blinding factor $b$}
\item[$U_b()$]{RSA unblinding of the argument using blinding factor $b$}
2015-10-01 18:38:22 +02:00
\item[$S_K()$]{Chaum-style RSA signature, $S_K(C) = U_b(S_K(B_b(C)))$}
\item[$w_s$]{Private key from customer for authentication}
\item[$W_p$]{Public key corresponding to $w_s$}
\item[$W$]{Public-private customer authentication key pair $W := (w_s, W_p)$}
\item[$S_W()$]{Signature over the argument(s) involving key $W$}
\item[$m_s$]{Private key from merchant for authentication}
\item[$M_p$]{Public key corresponding to $m_s$}
\item[$M$]{Public-private merchant authentication key pair $M := (m_s, M_p)$}
\item[$S_M()$]{Signature over the argument(s) involving key $M$}
\item[$G$]{Generator of the elliptic curve}
\item[$c_s$]{Secret key corresponding to a coin, scalar on a curve}
\item[$C_p$]{Public key corresponding to $c_s$, point on a curve}
\item[$C$]{Public-private coin key pair $C := (c_s, C_p)$}
\item[$S_{C}()$]{Signature over the argument(s) involving key $C$ (using EdDSA)}
\item[$c_s'$]{Private key of a ``dirty'' coin (otherwise like $c_s$)}
\item[$C_p'$]{Public key of a ``dirty'' coin (otherwise like $C_p$)}
\item[$C'$]{Dirty coin (otherwise like $C$)}
2016-03-01 15:21:30 +01:00
\item[$\widetilde{C}$]{Exchange signature $S_K(C_p)$ indicating validity of a fresh coin (with key $C$)}
\item[$n$]{Number of exchanges accepted by a merchant}
\item[$j$]{Index into a set of accepted exchanges, $i \in \{1,\ldots,n\}$}
\item[$D_j$]{Public key of a exchange (not used to sign coins)}
\item[$\vec{D}$]{Vector of $D_j$ signifying exchanges accepted by a merchant}
\item[$a$]{Complete text of a contract between customer and merchant}
\item[$f$]{Amount a customer agrees to pay to a merchant for a contract}
\item[$m$]{Unique transaction identifier chosen by the merchant}
\item[$H()$]{Hash function}
\item[$p$]{Payment details of a merchant (i.e. wire transfer details for a bank transfer)}
\item[$r$]{Random nonce}
\item[${\cal A}$]{Complete contract signed by the merchant}
\item[${\cal D}$]{Deposit permission, signing over a certain amount of coin to the merchant as payment and to signify acceptance of a particular contract}
\item[$\kappa$]{Security parameter $\ge 3$}
\item[$i$]{Index over cut-and-choose set, $i \in \{1,\ldots,\kappa\}$}
\item[$\gamma$]{Selected index in cut-and-choose protocol, $\gamma \in \{1,\ldots,\kappa\}$}
\item[$t^{(i)}_s$]{private transfer key, a scalar}
2015-10-26 12:22:24 +01:00
\item[$T^{(i)}_p$]{public transfer key, point on a curve (same curve must be used for $C_p$)}
\item[$T^{(i)}$]{public-private transfer key pair $T^{(i)} := (t^{(i)}_s,T^{(i)}_s)$}
\item[$\vec{T}$]{Vector of $T^{(i)}$}
\item[$c_s^{(i)}$]{Secret key corresponding to a fresh coin, scalar on a curve}
\item[$C_p^{(i)}$]{Public key corresponding to $c_s^{(i)}$, point on a curve}
\item[$C^{(i)}$]{Public-private coin key pair $C^{(i)} := (c_s^{(i)}, C_p^{(i)})$}
\item[$\vec{C}$]{Vector of $C^{(i)}$ (public and private keys)}
\item[$b^{(i)}$]{Blinding factor for RSA-style blind signatures}
\item[$\vec{b}$]{Vector of $b^{(i)}$}
2015-10-26 12:22:24 +01:00
\item[$B^{(i)}$]{Blinding of $C_p^{(i)}$}
\item[$\vec{B}$]{Vector of $B^{(i)}$}
\item[$K_i$]{Symmetric encryption key derived from ECDH operation via hashing}
\item[$E_{K_i}()$]{Symmetric encryption using key $K_i$}
\item[$E^{(i)}$]{$i$-th encryption of the private information $(c_s^{(i)}, b_i)$}
\item[$\vec{E}$]{Vector of $E^{(i)}$}
\item[$\cal{R}$]{Tuple of revealed vectors in cut-and-choose protocol,
where the vectors exclude the selected index $\gamma$}
\item[$\overline{K_i}$]{Encryption keys derived by the verifier from DH}
\item[$\overline{B^{(i)}}$]{Blinded values derived by the verifier}
\item[$\overline{T_p^{(i)}}$]{Public transfer keys derived by the verifier from revealed private keys}
\item[$\overline{c_s^{(i)}}$]{Private keys obtained from decryption by the verifier}
\item[$\overline{b_s^{(i)}}$]{Blinding factors obtained from decryption by the verifier}
\item[$\overline{C^{(i)}_p}$]{Public coin keys computed from $\overline{c_s^{(i)}}$ by the verifier}
\end{description}
2015-01-08 18:37:20 +01:00
\end{document}