taler/exchange
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

-more typos

Browse Source
This commit is contained in:
Christian Grothoff 2022-06-26 15:05:37 +02:00
parent 3b9e9eed11
commit 07be0fd21d
No known key found for this signature in database
GPG Key ID: 939E6BE1E29FC3CC
10 changed files with 55 additions and 59 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
doc/cs/ads/glossary.tex
View File

@ -6,7 +6,7 @@
% %
% %
% Glossareintraege --> referenz, name, beschreibung % Glossareintraege --> reference, name, beschreibung
% Aufruf mit \gls{...} % Aufruf mit \gls{...}
% %
% \newglossaryentry{non-repudiation}{name={non-repudiation},plural={non-repudiation},description={After a message is signed, one can not dispute that a message was signed}} % \newglossaryentry{non-repudiation}{name={non-repudiation},plural={non-repudiation},description={After a message is signed, one can not dispute that a message was signed}}

2
doc/cs/content/1_introduction.tex
View File

@ -51,7 +51,7 @@ In scope are all necessary changes on the protocol(s) and components for the fol
\item design and implement a protocol where the user proves to the exchange the knowledge of the coin that is to be signed (optional) \item design and implement a protocol where the user proves to the exchange the knowledge of the coin that is to be signed (optional)
\end{itemize} \end{itemize}
Out of scope is production readyness of the implementation. Out of scope is production readiness of the implementation.
This is because changes in the protocos and code need to be thoroughly vetted to ensure that no weaknesses or security vulnerabilities were introduced. This is because changes in the protocos and code need to be thoroughly vetted to ensure that no weaknesses or security vulnerabilities were introduced.
Such an audit is out of scope for the thesis and is recommended to be performed in the future. Such an audit is out of scope for the thesis and is recommended to be performed in the future.
The iOS wallet will not be considered in this work. The iOS wallet will not be considered in this work.

18
doc/cs/content/3_preliminaries.tex
View File

@ -141,7 +141,6 @@ This can be used to detect compromised signing keys or a malicious exchange.
\subsection{Properties} \subsection{Properties}
\label{sec:taler-properties} \label{sec:taler-properties}
%Alle Taler Eigenschaften die wir angreifen wollen auflisten und bezug nehmen wie diese erreicht werden
This section describes Taler's properties. This section describes Taler's properties.
\subsubsection{Free Software} \subsubsection{Free Software}
@ -299,7 +298,7 @@ If verification is successful, only Alice knows her private key and Bob uses Ali
A digital signature scheme has a message space M, a signature space S and three algorithms: A digital signature scheme has a message space M, a signature space S and three algorithms:
\begin{itemize} \begin{itemize}
\item Key generation: $(pk,sk) \gets keyGen()$ \item Key generation: $(pk,sk) \gets keyGen()$
\item Signatue generation: $s \gets $sign$_sk(m)$ \item Signature generation: $s \gets $sign$_sk(m)$
\item Verification: $ v \gets $verify$_pk(m,s)$ where $v \in {0,1}$ \item Verification: $ v \gets $verify$_pk(m,s)$ where $v \in {0,1}$
\end{itemize} \end{itemize}
If the result of the verification algorithm equals 1, a signature for m is called valid. If the result of the verification algorithm equals 1, a signature for m is called valid.
@ -783,7 +782,7 @@ A good introduction to cut and choose protocols gives the Paper from Claude Cré
The expression cut-and-choose was later introduced by David Chaum in analogy to a popular cake sharing problem: The expression cut-and-choose was later introduced by David Chaum in analogy to a popular cake sharing problem:
Given a complete cake to be shared among two parties distrusting of each other (for reasons of serious appetite). Given a complete cake to be shared among two parties distrusting of each other (for reasons of serious appetite).
A fair way for them to share the cake is to have one of them cut the cake in two equals hares, and let the other one choose his favourite share. A fair way for them to share the cake is to have one of them cut the cake in two equals hares, and let the other one choose his favourite share.
This solution guarantes that it is in the formers best interest to cut the shares as evenly as possible." This solution guarantees that it is in the formers best interest to cut the shares as evenly as possible."
} }
\end{center} \end{center}
@ -870,10 +869,10 @@ Figure \ref{fig:withdraw-loophole-exploit} explains how such a payment would wor
Note that we omitted the parts leading up to the coin creation (contract, agreement of price, number of coins and their denominations). Note that we omitted the parts leading up to the coin creation (contract, agreement of price, number of coins and their denominations).
This is how it works on a high level: This is how it works on a high level:
\begin{enumerate} \begin{enumerate}
\item The malicous merchant generates and blinds coins, which are then transmitted to the customer \item The malicious merchant generates and blinds coins, which are then transmitted to the customer
\item The customer authorizes the withdraw from his reserve by signing the blinded coins with the private key of his reserve, thus generating withdraw confirmations. \item The customer authorizes the withdraw from his reserve by signing the blinded coins with the private key of his reserve, thus generating withdraw confirmations.
\item The withdraw confirmations are transmitted to the exchange, which generates the signatures and returns them to the malicous merchant. \item The withdraw confirmations are transmitted to the exchange, which generates the signatures and returns them to the malicious merchant.
\item The malicous merchant unblinds the signatures. \item The malicious merchant unblinds the signatures.
He is now in possession of the coin, thus the payment is completed. He is now in possession of the coin, thus the payment is completed.
\end{enumerate} \end{enumerate}
@ -882,7 +881,7 @@ This is how it works on a high level:
\resizebox{1.0\textwidth}{!}{$\displaystyle \resizebox{1.0\textwidth}{!}{$\displaystyle
\begin{array}{ l c l} \begin{array}{ l c l}
% preliminaries % preliminaries
\textbf{Customer} & & \textbf{malicous Merchant} \textbf{Customer} & & \textbf{malicious Merchant}
\\ \text{knows:} & & \text{knows:} \\ \text{knows:} & & \text{knows:}
\\ \text{reserve keys } w_s, W_p \\ \text{reserve keys } w_s, W_p
\\ \text{denomination public key } D_p = \langle e, N \rangle & & \text{denomination public key } D_p = \langle e, N \rangle \\ \text{denomination public key } D_p = \langle e, N \rangle & & \text{denomination public key } D_p = \langle e, N \rangle
@ -903,7 +902,7 @@ This is how it works on a high level:
\\ \\
\hline \hline
\\ \\
\textbf{malicous Merchant} & & \textbf{Exchange} \textbf{malicious Merchant} & & \textbf{Exchange}
\\\text{knows:} & & \text{knows:} \\\text{knows:} & & \text{knows:}
\\& & \text{reserve public key } W_p \\& & \text{reserve public key } W_p
\\ \text{denomination public key } D_p = \langle e, N \rangle & & \text{denomination keys } d_s, D_p \\ \text{denomination public key } D_p = \langle e, N \rangle & & \text{denomination keys } d_s, D_p
@ -949,7 +948,6 @@ Chapter 4.1.4 describes more general aspects as well as the contract header and
\subsubsection{Spend Protocol} \subsubsection{Spend Protocol}
The payment process begins when a customer submits a shopping cart (one or more items to buy) and commits his intent to buy them. The payment process begins when a customer submits a shopping cart (one or more items to buy) and commits his intent to buy them.
The merchant has a key pair skM, pkM of which the customer knows the public key. The merchant has a key pair skM, pkM of which the customer knows the public key.
% besseres Wort als commit?
Note that certain details contained in contract header or deposit permission like merchant \ac{KYC} information, deposit and refund deadlines and fees are left out. Note that certain details contained in contract header or deposit permission like merchant \ac{KYC} information, deposit and refund deadlines and fees are left out.
The deposit state machine can be seen in figure \ref{fig:deposit:states}. The deposit state machine can be seen in figure \ref{fig:deposit:states}.
\begin{figure}[htp] \begin{figure}[htp]
@ -1033,7 +1031,7 @@ In cases where there are multiple deposit permissions (meaning that multiple coi
\item Is the signature of the coin valid? \item Is the signature of the coin valid?
\item Is $ f $ (the value to be spent) smaller or equal the residual value of the coin (check for overspending attempt)? \item Is $ f $ (the value to be spent) smaller or equal the residual value of the coin (check for overspending attempt)?
\end{itemize} \end{itemize}
If all checks are successful, the exchange saves the deposit record containing the deposit permission and its signature in a database, substracts the spent value from the residual value of the coin and schedules the money transfer to the merchant's account $ A_m $ (grouping payments is done to reduce payment fees). If all checks are successful, the exchange saves the deposit record containing the deposit permission and its signature in a database, subtracts the spent value from the residual value of the coin and schedules the money transfer to the merchant's account $ A_m $ (grouping payments is done to reduce payment fees).
\\The exchange calculates a deposit confirmation signature $ \sigma_{DC} $ for the deposit permission with the exchange signing private key and returns them to the merchant. \\The exchange calculates a deposit confirmation signature $ \sigma_{DC} $ for the deposit permission with the exchange signing private key and returns them to the merchant.
\\This signature is also used to prove that a merchant was the first to receive payment from a certain coin. \\This signature is also used to prove that a merchant was the first to receive payment from a certain coin.
Without this, an evil exchange could later deny confirming a payment and claim double spending. Without this, an evil exchange could later deny confirming a payment and claim double spending.

4
doc/cs/content/4_2_specification.tex
View File

@ -370,7 +370,7 @@ GNUNET_CRYPTO_cs_unblind (
struct GNUNET_CRYPTO_CsS *signature_scalar); struct GNUNET_CRYPTO_CsS *signature_scalar);
\end{lstlisting} \end{lstlisting}
The verify API takes the message and its signature with the public key and returns GNUNET\_OK for a valid signature and GNUNET\_SYSERR otherwhise. The verify API takes the message and its signature with the public key and returns GNUNET\_OK for a valid signature and GNUNET\_SYSERR otherwise.
See listing \ref{lst:crypto-verify-api}. See listing \ref{lst:crypto-verify-api}.
\begin{lstlisting}[style=bfh-c,language=C,, caption={GNUnet verify API}, label={lst:crypto-verify-api}] \begin{lstlisting}[style=bfh-c,language=C,, caption={GNUnet verify API}, label={lst:crypto-verify-api}]
@ -411,7 +411,7 @@ In crypto.c many utility functions are provided to create planchets (for planche
One difference between \gls{RSABS} and \gls{CSBS} is, that the coin private key and RSA blinding secret can be created at the same point in time, since the RSA blinding secret is created randomly. One difference between \gls{RSABS} and \gls{CSBS} is, that the coin private key and RSA blinding secret can be created at the same point in time, since the RSA blinding secret is created randomly.
However, for Clause Blind Schnorr secrets an additional step is needed, the public $R_0$ and $R_1$ are required to calculate the blinding seed to derive the secrets. However, for Clause Blind Schnorr secrets an additional step is needed, the public $R_0$ and $R_1$ are required to calculate the blinding seed to derive the secrets.
A planchet in the Clause Blind Schnorr Signature Scheme can be created as followed (implementation details ommited). A planchet in the Clause Blind Schnorr Signature Scheme can be created as followed (implementation details omitted).
\begin{enumerate} \begin{enumerate}
\item Create planchet with new \ac{EdDSA} private key \item Create planchet with new \ac{EdDSA} private key

4
doc/cs/content/4_3_implementation.tex
View File

@ -94,8 +94,8 @@ The corresponding crypto helper, that talks with the security module, and its te
\item \texttt{src/util/test\_helper\_cs.c}: Tests and benchmarks for the \gls{CSBS} crypto helper \item \texttt{src/util/test\_helper\_cs.c}: Tests and benchmarks for the \gls{CSBS} crypto helper
\end{itemize} \end{itemize}
% Crypto API offene Punkte: % Crypto API offene Punkte:
%Input-Validierung von Punkten und Skalar %Input-validation of points and scalars:
% Clamping beschreiben: https://neilmadden.blog/2020/05/28/whats-the-curve25519-clamping-all-about/ % describe clamping: https://neilmadden.blog/2020/05/28/whats-the-curve25519-clamping-all-about/
% Testing: inverse operations, blinded signature test % Testing: inverse operations, blinded signature test

8
doc/cs/content/5_discussion.tex
View File

@ -112,7 +112,7 @@ RSA 1024 is in some situations faster than the \gls{CSBS} implementation.
Note that 1024 bit keys are not recommended for many use cases, but the highest currently known RSA factorization done is 829 bits \cite{enwiki:1055393696}. Note that 1024 bit keys are not recommended for many use cases, but the highest currently known RSA factorization done is 829 bits \cite{enwiki:1055393696}.
The following section \ref{sec:disc-risk} explains the risk running RSA 1024 or \gls{CSBS} denominations further.\\ The following section \ref{sec:disc-risk} explains the risk running RSA 1024 or \gls{CSBS} denominations further.\\
The blind and unblind operations are running in a wallet implementation, therefore the comparison with RSA 1024 is very interesting for devices with less CPU power. The blind and unblind operations are running in a wallet implementation, therefore the comparison with RSA 1024 is very interesting for devices with less CPU power.
Comparison of such hardware can be found in appendix \ref{chap:app-perf}, these comparison results come to the same conlcusion.\\ Comparison of such hardware can be found in appendix \ref{chap:app-perf}, these comparison results come to the same conclusion.\\
Although RSA 1024 bit is much faster in the blinding operation, \gls{CSBS} still perform better when calculating the blinding and unblinding operations together. Although RSA 1024 bit is much faster in the blinding operation, \gls{CSBS} still perform better when calculating the blinding and unblinding operations together.
\gls{CSBS} unblinding computes only an addition of two scalars $s + \alpha \mod p$, while RSA computes $s * r^{-1}$. \gls{CSBS} unblinding computes only an addition of two scalars $s + \alpha \mod p$, while RSA computes $s * r^{-1}$.
To conclude, \gls{CSBS} are faster than RSA 1024 bit and provide a better level of security. To conclude, \gls{CSBS} are faster than RSA 1024 bit and provide a better level of security.
@ -205,7 +205,7 @@ The disk space comparison for a wallet can be found in \ref{tab:comp-wallet-spac
These are theoretical calculations, implementations may choose to persist additional values. These are theoretical calculations, implementations may choose to persist additional values.
\end{bfhWarnBox} \end{bfhWarnBox}
The reasons that \gls{CSBS} use less bandwidth is mostly because the signature/key sizes are much smaller. The reasons that \gls{CSBS} use less bandwidth is mostly because the signature/key sizes are much smaller.
The bandwith improvements for the \texttt{/keys} API is the same as specified in the table with disk space comparison \ref{tab:comp-sign-space}. The bandwidth improvements for the \texttt{/keys} API is the same as specified in the table with disk space comparison \ref{tab:comp-sign-space}.
For \gls{CSBS} many calculations are performed twice, therefore also two values are submitted. For \gls{CSBS} many calculations are performed twice, therefore also two values are submitted.
Table \ref{tab:comp-band-withd} compares the bandwidth used in a withdrawal. Table \ref{tab:comp-band-withd} compares the bandwidth used in a withdrawal.
The 32 byte values $2 * n_w, 2 * D_p, R_0, R_1, s,W_p, c_0, c_1, \sigma_W$ as well as an integer $b$ are transmitted for \gls{CSBS}.\\ The 32 byte values $2 * n_w, 2 * D_p, R_0, R_1, s,W_p, c_0, c_1, \sigma_W$ as well as an integer $b$ are transmitted for \gls{CSBS}.\\
@ -222,14 +222,14 @@ Depending on the hash size another 32 byte (or 64 byte) value is transmitted.
\setupBfhTabular \setupBfhTabular
\begin{tabular}{lccr} \begin{tabular}{lccr}
\rowcolor{BFH-tablehead} \rowcolor{BFH-tablehead}
\textbf{Signature Scheme} & \textbf{Bandwith used} & \textbf{Factor} & \textbf{1M coins}\\\hline \textbf{Signature Scheme} & \textbf{Bandwidth used} & \textbf{Factor} & \textbf{1M coins}\\\hline
CS 256 bits & 356 bytes & 1x & 324 MB\\\hline CS 256 bits & 356 bytes & 1x & 324 MB\\\hline
RSA 1024 bit & 448 bytes & 1.3x & 448 MB \\\hline RSA 1024 bit & 448 bytes & 1.3x & 448 MB \\\hline
RSA 2048 bit & 832 bytes & 2.5x & 832 MB\\\hline RSA 2048 bit & 832 bytes & 2.5x & 832 MB\\\hline
RSA 3072 bit & 1216 bytes & 3.75x & 1216 MB\\\hline RSA 3072 bit & 1216 bytes & 3.75x & 1216 MB\\\hline
RSA 4096 bit & 1600 bytes & 4.9x & 1600 MB\\\hline RSA 4096 bit & 1600 bytes & 4.9x & 1600 MB\\\hline
\end{tabular} \end{tabular}
\caption{Bandwith comparison withdrawal} \caption{Bandwidth comparison withdrawal}
\label{tab:comp-band-withd} \label{tab:comp-band-withd}
\end{table} \end{table}

4
doc/cs/content/6_conclusion.tex
View File

@ -25,7 +25,7 @@ The thesis provides several results to add support for Schnorr's blind signature
\end{itemize} \end{itemize}
\item Comparison and Analysis \item Comparison and Analysis
\begin{itemize} \begin{itemize}
\item Performance (speed, space, latency \& bandwith) \item Performance (speed, space, latency \& bandwidth)
\item Security \item Security
\item Scheme Comparison \item Scheme Comparison
\end{itemize} \end{itemize}
@ -58,7 +58,7 @@ A security audit should always be made when implementing big changes like these.
As mentioned in the scope section, the optional goal to find and implement a good solution for the withdraw loophole was dropped. As mentioned in the scope section, the optional goal to find and implement a good solution for the withdraw loophole was dropped.
This was due to the scope shift and because the analysis of the problem showed that finding a good solution needs more research and is a whole project in itself (see \ref{sec:scope} for more information).\\ This was due to the scope shift and because the analysis of the problem showed that finding a good solution needs more research and is a whole project in itself (see \ref{sec:scope} for more information).\\
Furthermore, \gls{CSBS} could be implemented on other curves. Furthermore, \gls{CSBS} could be implemented on other curves.
For example Curve448 \cite{cryptoeprint:2015:625} could be used, as it provides 224 bits of security, wheras \gls{25519} \cite{bern:curve25519} provides about 128 bits of security. For example Curve448 \cite{cryptoeprint:2015:625} could be used, as it provides 224 bits of security, whereas \gls{25519} \cite{bern:curve25519} provides about 128 bits of security.
Curve secp256k1 could further improve \gls{CSBS} performance. Curve secp256k1 could further improve \gls{CSBS} performance.
While providing support for Curve448 should not be problematic, a potential implementation for secp256k1 needs further analysis (see \cite{bernlange:safecurves} and \cite{bip:schnorr-bitc} for more information). While providing support for Curve448 should not be problematic, a potential implementation for secp256k1 needs further analysis (see \cite{bernlange:safecurves} and \cite{bip:schnorr-bitc} for more information).

3
src/auditor/auditor-basedb.sql
View File

@ -1442,7 +1442,7 @@ BEGIN
PERFORM create_partitioned_table( PERFORM create_partitioned_table(
'CREATE TABLE IF NOT EXISTS %I' 'CREATE TABLE IF NOT EXISTS %I'
'(aggregation_serial_id BIGINT GENERATED BY DEFAULT AS IDENTITY' -- UNIQUE' '(aggregation_serial_id BIGINT GENERATED BY DEFAULT AS IDENTITY' -- UNIQUE'
',deposit_serial_id INT8 PRIMARY KEY' -- REFERENCES deposits (deposit_serial_id) ON DELETE CASCADE' -- FIXME chnage to coint_pub + deposit_serial_id for more efficient depost -- or something else ??? ',deposit_serial_id INT8 PRIMARY KEY' -- REFERENCES deposits (deposit_serial_id) ON DELETE CASCADE' -- FIXME change to coint_pub + deposit_serial_id for more efficient depost -- or something else ???
',wtid_raw BYTEA NOT NULL' -- CONSTRAINT wire_out_ref REFERENCES wire_out(wtid_raw) ON DELETE CASCADE DEFERRABLE' ',wtid_raw BYTEA NOT NULL' -- CONSTRAINT wire_out_ref REFERENCES wire_out(wtid_raw) ON DELETE CASCADE DEFERRABLE'
') %s ;' ') %s ;'
,table_name ,table_name
@ -16989,4 +16989,3 @@ ALTER TABLE ONLY public.signkey_revocations
-- --
-- PostgreSQL database dump complete -- PostgreSQL database dump complete
-- --

3
src/auditor/revoke-basedb.sql
View File

@ -1442,7 +1442,7 @@ BEGIN
PERFORM create_partitioned_table( PERFORM create_partitioned_table(
'CREATE TABLE IF NOT EXISTS %I' 'CREATE TABLE IF NOT EXISTS %I'
'(aggregation_serial_id BIGINT GENERATED BY DEFAULT AS IDENTITY' -- UNIQUE' '(aggregation_serial_id BIGINT GENERATED BY DEFAULT AS IDENTITY' -- UNIQUE'
',deposit_serial_id INT8 PRIMARY KEY' -- REFERENCES deposits (deposit_serial_id) ON DELETE CASCADE' -- FIXME chnage to coint_pub + deposit_serial_id for more efficient depost -- or something else ??? ',deposit_serial_id INT8 PRIMARY KEY' -- REFERENCES deposits (deposit_serial_id) ON DELETE CASCADE' -- FIXME change to coint_pub + deposit_serial_id for more efficient depost -- or something else ???
',wtid_raw BYTEA NOT NULL' -- CONSTRAINT wire_out_ref REFERENCES wire_out(wtid_raw) ON DELETE CASCADE DEFERRABLE' ',wtid_raw BYTEA NOT NULL' -- CONSTRAINT wire_out_ref REFERENCES wire_out(wtid_raw) ON DELETE CASCADE DEFERRABLE'
') %s ;' ') %s ;'
,table_name ,table_name
@ -17001,4 +17001,3 @@ ALTER TABLE ONLY public.signkey_revocations
-- --
-- PostgreSQL database dump complete -- PostgreSQL database dump complete
-- --

2
src/testing/testing_api_cmd_reserve_purse.c
View File

@ -103,7 +103,7 @@ struct ReservePurseState
json_t *contract_terms; json_t *contract_terms;
/** /**
* Refernece to the reserve, or NULL (!). * Reference to the reserve, or NULL (!).
*/ */
const char *reserve_ref; const char *reserve_ref;