Spelling
parent
7ec6f729fc
commit
0cf241041e
@ -1377,8 +1377,8 @@ data being persisted are represented in between $\langle\rangle$.
|
|||||||
\section{Taxability arguments}
|
\section{Taxability arguments}
|
||||||
|
|
||||||
We assume the exchange operates honestly when discussing taxability.
|
We assume the exchange operates honestly when discussing taxability.
|
||||||
We feel this assumption is warratned mostly because a Taler exchange
|
We feel this assumption is warranted mostly because a Taler exchange
|
||||||
requires liscenses to operate as a financial institution, which it
|
requires licenses to operate as a financial institution, which it
|
||||||
risks loosing if it knowingly facilitates tax evasion.
|
risks loosing if it knowingly facilitates tax evasion.
|
||||||
We also expect an auditor monitors the exchange similarly to how
|
We also expect an auditor monitors the exchange similarly to how
|
||||||
government regulators monitor financial institutions.
|
government regulators monitor financial institutions.
|
||||||
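Review bot: "risks loosing if it knowingly facilitates tax evasion" is unchanged on both sides of this hunk and still carries a misspelling; it should read "risks losing". Since the commit is a spelling pass over this paragraph, fix it alongside "warranted" and "licenses".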
@ -1389,15 +1389,15 @@ which expands its power over conventional auditors.
|
|||||||
\begin{proposition}
|
\begin{proposition}
|
||||||
Assuming the exchange operates the refresh protocol honestly,
|
Assuming the exchange operates the refresh protocol honestly,
|
||||||
a customer operating the refresh protocol dishonestly expects to
|
a customer operating the refresh protocol dishonestly expects to
|
||||||
loose $1 - {1 \over \kappa}$ of the value of thei coins.
|
loose $1 - {1 \over \kappa}$ of the value of their coins.
|
||||||
\end{proposition}
|
\end{proposition}
|
||||||
|
|
||||||
\begin{proof}
|
\begin{proof}
|
||||||
An honest esxchange keeps any funds being refreshed if the reveal
|
An honest exchange keeps any funds being refreshed if the reveal
|
||||||
phase is never carried out, does not match the commitment, or shows
|
phase is never carried out, does not match the commitment, or shows
|
||||||
an incorrect commitment. As a result, a customer dishonestly
|
an incorrect commitment. As a result, a customer dishonestly
|
||||||
refreshing a coin looses their money if they have more than one
|
refreshing a coin looses their money if they have more than one
|
||||||
dishonet commitment. They have a $1 \over \kappa$ chance of their
|
dishonest commitment. They have a $1 \over \kappa$ chance of their
|
||||||
dishonest commitment being selected for the refresh.
|
dishonest commitment being selected for the refresh.
|
||||||
\end{proof}
|
\end{proof}
|
||||||
|
|
||||||
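Review bot: The proposition still says "loose $1 - {1 \over \kappa}$ of the value" and the proof still says "looses their money"; both are left untouched here and should be "lose" and "loses". These sit on the lines directly next to the "their", "exchange" and "dishonest" fixes, so they belong in the same commit.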
@ -1428,7 +1428,7 @@ then Alice can gain control of $C'$ using the linking protocol.
|
|||||||
|
|
||||||
\begin{proof}
|
\begin{proof}
|
||||||
Alice may run the linking protocol to obtain all transfer keys $T^i$,
|
Alice may run the linking protocol to obtain all transfer keys $T^i$,
|
||||||
blindings $B^i$ associated to $C$, and those coins denominations,
|
bindings $B^i$ associated to $C$, and those coins denominations,
|
||||||
including the $T'$ for $C'$.
|
including the $T'$ for $C'$.
|
||||||
|
|
||||||
We assumed both the exchange and Bob operated the refresh protocol
|
We assumed both the exchange and Bob operated the refresh protocol
|
||||||
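Review bot: Changing "blindings $B^i$" to "bindings $B^i$" in the proof looks like a regression rather than a spelling fix. The rest of the document talks about blinding factors, and $B^i$ sits next to the transfer keys $T^i$, so "blindings" reads as the intended technical term; please revert this line. While here, "those coins denominations" on the same line needs a possessive ("those coins' denominations").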
@ -1445,26 +1445,26 @@ At a result, there is no way for a user to loose control over a coin,
|
|||||||
\section{Privacy arguments}
|
\section{Privacy arguments}
|
||||||
|
|
||||||
The {\em linking problem} for blind signature is,
|
The {\em linking problem} for blind signature is,
|
||||||
if given coin creation transcrips and possibly fewer
|
if given coin creation transcripts and possibly fewer
|
||||||
coin deposit transcripts for coins from the creation transcripts,
|
coin deposit transcripts for coins from the creation transcripts,
|
||||||
then produce a corresponding creation and deposit transcript.
|
then produce a corresponding creation and deposit transcript.
|
||||||
|
|
||||||
We say a probabilistic polynomial time (PPT) adversary $A$
|
We say a probabilistic polynomial time (PPT) adversary $A$
|
||||||
{\em links} coins if it has a non-negligable advantage in
|
{\em links} coins if it has a non-negligible advantage in
|
||||||
solving the linking problem, when given the private keys
|
solving the linking problem, when given the private keys
|
||||||
of the exchange.
|
of the exchange.
|
||||||
|
|
||||||
In Taler, there are two forms of coin creation transcrips,
|
In Taler, there are two forms of coin creation transcripts,
|
||||||
withdrawal and refresh.
|
withdrawal and refresh.
|
||||||
|
|
||||||
\begin{lemma}
|
\begin{lemma}
|
||||||
If there are no refresh operations, any adversary with an
|
If there are no refresh operations, any adversary with an
|
||||||
advantage in linking coins is polynomially equivelent to an
|
advantage in linking coins is polynomially equivalent to an
|
||||||
advantage with the same advantage in recognizing blinding factors.
|
advantage with the same advantage in recognizing blinding factors.
|
||||||
\end{lemma}
|
\end{lemma}
|
||||||
|
|
||||||
\begin{proof}
|
\begin{proof}
|
||||||
Let $n$ denote the RSA modulous of the denomination key.
|
Let $n$ denote the RSA modulus of the denomination key.
|
||||||
Also let $d$ and $e$ denote the private and public exponents, respectively.
|
Also let $d$ and $e$ denote the private and public exponents, respectively.
|
||||||
In effect, coin withdrawal transcripts consist of numbers
|
In effect, coin withdrawal transcripts consist of numbers
|
||||||
$b m^d \mod n$ where $m$ is the FDH of the coin's public key
|
$b m^d \mod n$ where $m$ is the FDH of the coin's public key
|
||||||
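Review bot: In the lemma, "polynomially equivalent to an advantage with the same advantage in recognizing blinding factors" does not parse; the first "advantage" reads as though "adversary" was intended, which would also match the corollary's wording. This is not a spelling change, so please confirm with the author before editing. Also left unfixed in this hunk: "The {\em linking problem} for blind signature is" should probably be "blind signatures".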
@ -1478,10 +1478,10 @@ first computing $b_{i,j} = b_i m_i^d / m_j^d \mod n$ for all $i,j$.
|
|||||||
\end{proof}
|
\end{proof}
|
||||||
|
|
||||||
We now know the following because Taler used SHA512 adopted to be
|
We now know the following because Taler used SHA512 adopted to be
|
||||||
a FDH to breat the blinding factor.
|
a FDH to be the blinding factor.
|
||||||
|
|
||||||
\begin{corollary}
|
\begin{corollary}
|
||||||
Assuming no refresh opeeration,
|
Assuming no refresh operation,
|
||||||
any PPT adversary with an advantage for linking Taler coins gives
|
any PPT adversary with an advantage for linking Taler coins gives
|
||||||
rise to an adversary with an advantage for recognizing SHA512 output.
|
rise to an adversary with an advantage for recognizing SHA512 output.
|
||||||
\end{corollary}
|
\end{corollary}
|
||||||
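Review bot: Replacing "breat" with "be" is a guess at the intended word and leaves the sentence reading "SHA512 adopted to be a FDH to be the blinding factor", which is awkward and may not say what the author meant. Please check the intended verb with the author rather than settling it in a spelling commit. On the preceding line, "adopted" may also be a slip for "adapted" and is worth asking about at the same time.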
@ -1507,11 +1507,10 @@ Diffie-Hellman key exchange on curve25519.
|
|||||||
\end{theorem}
|
\end{theorem}
|
||||||
|
|
||||||
We do not distinguish between information known by the exchange and
|
We do not distinguish between information known by the exchange and
|
||||||
information known by the merchant in the abose. As a result, this
|
information known by the merchant in the above. As a result, this
|
||||||
proves that out linking protocol \S\ref{subsec:linking} does not
|
proves that out linking protocol \S\ref{subsec:linking} does not
|
||||||
degrade privacy.
|
degrade privacy.
|
||||||
|
|
||||||
\end{document}
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
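Review bot: "proves that out linking protocol \S\ref{subsec:linking}" is unchanged on both sides and should read "our linking protocol"; it is one line below the "above" fix. The hunk header also shows the file shrinking from 11 to 10 lines here, so a trailing line after \end{document} is dropped; that is harmless but is a whitespace change riding along in a commit titled "Spelling".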