taler/exchange
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix misc typos

Browse Source
This commit is contained in:
Christian Grothoff 2020-07-22 23:56:52 +02:00
parent c8a370d911
commit 0e808b648a
No known key found for this signature in database
GPG Key ID: 939E6BE1E29FC3CC
26 changed files with 73 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
contrib/exchange-template/config/exchange-common.conf
View File

@ -64,7 +64,7 @@ ENABLE_CREDIT = YES
# Wire fees are specified by wire method, NOT by wire plugin. # Wire fees are specified by wire method, NOT by wire plugin.
[fees-x-taler-bank] [fees-x-taler-bank]
# Fees for the forseeable future... # Fees for the foreseeable future...
# If you see this after 2018, update to match the next 10 years... # If you see this after 2018, update to match the next 10 years...
WIRE-FEE-2018 = EUR:0.01 WIRE-FEE-2018 = EUR:0.01
WIRE-FEE-2019 = EUR:0.01 WIRE-FEE-2019 = EUR:0.01
@ -89,7 +89,7 @@ CLOSING-FEE-2026 = EUR:0.01
CLOSING-FEE-2027 = EUR:0.01 CLOSING-FEE-2027 = EUR:0.01
[fees-sepa] [fees-sepa]
# Fees for the forseeable future... # Fees for the foreseeable future...
# If you see this after 2018, update to match the next 10 years... # If you see this after 2018, update to match the next 10 years...
WIRE-FEE-2018 = EUR:0.01 WIRE-FEE-2018 = EUR:0.01
WIRE-FEE-2019 = EUR:0.01 WIRE-FEE-2019 = EUR:0.01

2
contrib/gana

@ -1 +1 @@
Subproject commit 0a9293b4cf1df97c395dc96d7a8ba96cc1fb4664 Subproject commit a4f1ad6f6c27a874d2170beedf15bcba11323a62

2
contrib/uncrustify-mode.el
View File

@ -114,7 +114,7 @@
(message "uncrustify error: <%s> <%s>" ret (buffer-string))) (message "uncrustify error: <%s> <%s>" ret (buffer-string)))
nil)))))) nil))))))
;; This goto-line is outside the save-excursion becuase it'd get ;; This goto-line is outside the save-excursion because it'd get
;; removed otherwise. I hate this bug. It makes things so ugly. ;; removed otherwise. I hate this bug. It makes things so ugly.
(goto-line original-line) (goto-line original-line)
(not result))) (not result)))

2
contrib/uncrustify_precommit
View File

@ -30,6 +30,6 @@ if [ $RET = 1 ];
then then
echo "Run" echo "Run"
echo "uncrustify --no-backup -c uncrustify.cfg ${crustified}" echo "uncrustify --no-backup -c uncrustify.cfg ${crustified}"
echo "before commiting." echo "before committing."
fi fi
exit $RET exit $RET

4
doc/paper/figs/refresh.tex
View File

@ -134,7 +134,7 @@
\item[$\beta_\gamma$] $:= \big[ B_\gamma^{(i)} \big]_i$ \item[$\beta_\gamma$] $:= \big[ B_\gamma^{(i)} \big]_i$
\item[$\cal S$] $:= \left[ S_{DK^{(i)}}( B_\gamma^{(i)} ) \right]_i$ \\ \smallskip \item[$\cal S$] $:= \left[ S_{DK^{(i)}}( B_\gamma^{(i)} ) \right]_i$ \\ \smallskip
\item[$Z$] Cut-and-choose missmatch information \item[$Z$] Cut-and-choose mismatch information
\end{description} \end{description}
\end{minipage} \end{minipage}
\end{figure} \end{figure}
@ -165,7 +165,7 @@
minimum height = 10cm minimum height = 10cm
] (h2) at (4, 0) {}; ] (h2) at (4, 0) {};
\node[above = 0cm of h1] {Customer}; \node[above = 0cm of h1] {Customer};
\node[above = 0cm of h2] {Exchagne}; \node[above = 0cm of h2] {Exchange};
\path[->, color = MidnightBlue, very thick, >=stealth] \path[->, color = MidnightBlue, very thick, >=stealth]
(-5, 4.5) edge (-5, 4.5) edge

10
doc/paper/offline.tex
View File

@ -74,11 +74,11 @@ $n_\mu$ denote the maximum number of coins returned by a refresh.
\smallskip \smallskip
Let $\iota$ denote a coin idetity paramater that Let $\iota$ denote a coin idetity parameter that
links together the different commitments but must reemain secret links together the different commitments but must reemain secret
from the exchange. from the exchange.
Let $n_\nu$ denote the identity security paramater. Let $n_\nu$ denote the identity security parameter.
An online coin's identity commitment $\Nu$ is the empty string. An online coin's identity commitment $\Nu$ is the empty string.
In the offline coin case, we begin with a reserve public key $R$ In the offline coin case, we begin with a reserve public key $R$
and a private identity commitment seed $\nu$. and a private identity commitment seed $\nu$.
@ -97,8 +97,8 @@ A coin $(C,\Nu,S)$ consists of
an optional set of offline identity commitments $\Nu = \{\Nu_k | k \in \Gamma \}$ an optional set of offline identity commitments $\Nu = \{\Nu_k | k \in \Gamma \}$
an RSA-FDH signature $S = S_d(\FDH(C) * \Pi_{k \in \Gamma} \FDH(\Nu_k))$ by a denomination key $d$. an RSA-FDH signature $S = S_d(\FDH(C) * \Pi_{k \in \Gamma} \FDH(\Nu_k))$ by a denomination key $d$.
A coin is spent by signing a contract with $C$. The contract must A coin is spent by signing a contract with $C$. The contract must
specify the recipiant merchant and what portion of the value denoted specify the recipient merchant and what portion of the value denoted
by the denomination $d$ they recieve. by the denomination $d$ they receive.
There was of course a blinding factor $b$ used in the creation of There was of course a blinding factor $b$ used in the creation of
the coin's signature $S$. In addition, there was a private seed $s$ the coin's signature $S$. In addition, there was a private seed $s$
@ -114,7 +114,7 @@ We generate $\nu = H("Offline" || s)$ from $s$ as well,
We begin refresh with a possibly tainted coin $(C,S)$ whose value We begin refresh with a possibly tainted coin $(C,S)$ whose value
we wish to save by refreshing it into untainted coins. we wish to save by refreshing it into untainted coins.
In the change sitaution, our coin $(C,\Nu,S)$ was partially spent and In the change situation, our coin $(C,\Nu,S)$ was partially spent and
retains only a part of the value determined by the denominaton $d$. retains only a part of the value determined by the denominaton $d$.
For $x$ amongst the symbols $c$, $C$, $b$, and $s$, For $x$ amongst the symbols $c$, $C$, $b$, and $s$,

60
doc/paper/postquantum.tex
View File

@ -95,7 +95,7 @@ when coins are double spent \cite{B??}.
Importantly, there are reasons why exchanges must replace coins that Importantly, there are reasons why exchanges must replace coins that
do not involve actual financial transactons, like to reissue a coin do not involve actual financial transactons, like to reissue a coin
before the exchange rotates the denomination key that signed it, or before the exchange rotates the denomination key that signed it, or
protect users' anonymity after a merchant recieves a coin, but fails protect users' anonymity after a merchant receives a coin, but fails
to process it or deliver good. to process it or deliver good.
In Taler, coins can be partially spent by signing with the coin's key In Taler, coins can be partially spent by signing with the coin's key
@ -111,7 +111,7 @@ as well as for coin replacement due to denomination key roration.
If this protocol were simply a second transaction, then customers If this protocol were simply a second transaction, then customers
would retain information theoreticaly secure anonymity. would retain information theoreticaly secure anonymity.
In Taler however, we require that the exchange learns acurate income In Taler however, we require that the exchange learns accurate income
information for merchants. If we use a regular transaction, then information for merchants. If we use a regular transaction, then
a customer could conspire to help the merchant hide their income a customer could conspire to help the merchant hide their income
\cite[]{Taler??}. \cite[]{Taler??}.
@ -138,14 +138,14 @@ These provide strong post-quantum security so long as the underlying
scheme remains secure; however, these schemes' youth leaves them scheme remains secure; however, these schemes' youth leaves them
relatively untested. relatively untested.
Second, we propose a hash based scheme whose anonymity garentee needs Second, we propose a hash based scheme whose anonymity guarantee needs
only the one-way assumption on our hash function. In this scheme, only the one-way assumption on our hash function. In this scheme,
the vible security paramater is numerically far smaller than in the the vible security parameter is numerically far smaller than in the
key exchange systems, but covers query complexity which we believe key exchange systems, but covers query complexity which we believe
suffices. suffices.
We describe this hash based proof-of-encryption-to-self scheme to We describe this hash based proof-of-encryption-to-self scheme to
align the discription of all our schemes. align the description of all our schemes.
... ...
@ -191,9 +191,9 @@ We label place holders $\eta$, $\lambda$, $\Lambda$, $\mu$, and $\Mu$
for key material involved in post-quantum operations. for key material involved in post-quantum operations.
We view $\Lambda$ and $\Mu$ as public keys with respective We view $\Lambda$ and $\Mu$ as public keys with respective
private keys $\lambda$ and $\mu$, and private keys $\lambda$ and $\mu$, and
$\eta$ as the symetric key resulting from the key exchange between them. $\eta$ as the symmetric key resulting from the key exchange between them.
We need effeciently computable functions We need efficiently computable functions
$\CPK$, $\CSK$, $\LPK$, $\LSK$, $\KEX_2$ and $\KEX_3$ such that $\CPK$, $\CSK$, $\LPK$, $\LSK$, $\KEX_2$ and $\KEX_3$ such that
\begin{itemize} \begin{itemize}
\item $\mu = \CSK(s)$ for a random bitstring $s$, \item $\mu = \CSK(s)$ for a random bitstring $s$,
@ -216,10 +216,10 @@ A coin $(C,\Mu,S)$ consists of
a post-quantum public key $\Mu$, and a post-quantum public key $\Mu$, and
an RSA-FDH signature $S = S_d(C || \Mu)$ by a denomination key $d$. an RSA-FDH signature $S = S_d(C || \Mu)$ by a denomination key $d$.
A coin is spent by signing a contract with $C$. The contract must A coin is spent by signing a contract with $C$. The contract must
specify the recipiant merchant and what portion of the value denoted specify the recipient merchant and what portion of the value denoted
by the denomination $d$ they recieve. by the denomination $d$ they receive.
If $\Mu$ is large, we may replace it by $H(C || \Mu)$ to make signing If $\Mu$ is large, we may replace it by $H(C || \Mu)$ to make signing
contracts more efficent. contracts more efficient.
There was of course a blinding factor $b$ used in the creation of There was of course a blinding factor $b$ used in the creation of
the coin's signature $S$. In addition, there was a private seed $s$ the coin's signature $S$. In addition, there was a private seed $s$
@ -234,7 +234,7 @@ $$ c = H(\textrm{"Ed25519"} || s)
We begin refresh with a possibly tainted coin $(C,\Mu,S)$ that We begin refresh with a possibly tainted coin $(C,\Mu,S)$ that
we wish to refresh into $n \le \theta$ untainted coins. we wish to refresh into $n \le \theta$ untainted coins.
In the change sitaution, our coin $(C,\Mu,S)$ was partially spent and In the change situation, our coin $(C,\Mu,S)$ was partially spent and
retains only a part of the value determined by the denominaton $d$. retains only a part of the value determined by the denominaton $d$.
There is usually no denomination that matchets this risidual value There is usually no denomination that matchets this risidual value
so we must refresh from one coin into $n \le \theta$. so we must refresh from one coin into $n \le \theta$.
@ -291,8 +291,8 @@ In other words, $c'$, $\mu'$, and $b_j$ are derived from $s_j$,
\item For $j = 1 \cdots \kappa$ except $\gamma$: \item For $j = 1 \cdots \kappa$ except $\gamma$:
\begin{itemize} \begin{itemize}
\item Create a proof $\lambda_j^{\textrm{proof}}$ that \item Create a proof $\lambda_j^{\textrm{proof}}$ that
$\lambda_j$ is compatable with $\Lambda_j$ and $\Mu$. $\lambda_j$ is compatible with $\Lambda_j$ and $\Mu$.
\item Set a responce tuple \item Set a response tuple
$R_j = (\zeta_j,l_j,\lambda_j,\lambda_j^{\textrm{proof}})$. $R_j = (\zeta_j,l_j,\lambda_j,\lambda_j^{\textrm{proof}})$.
\end{itemize} \end{itemize}
\item Send $S_C(R_j \quad\textrm{for}\quad j \ne \gamma )$. \item Send $S_C(R_j \quad\textrm{for}\quad j \ne \gamma )$.
@ -321,7 +321,7 @@ We could optionally save long-term storage space by
replacing $\Gamma_*$ with both $\Gamma_{\gamma,0}$ and replacing $\Gamma_*$ with both $\Gamma_{\gamma,0}$ and
$S_C(\Eta_{j,i} \quad\textrm{for}\quad j \ne \gamma )$. $S_C(\Eta_{j,i} \quad\textrm{for}\quad j \ne \gamma )$.
It's clear this requires the wallet send that signature in some phase, It's clear this requires the wallet send that signature in some phase,
but also the wallet must accept a phase 2 responce to a phase 1 request. but also the wallet must accept a phase 2 response to a phase 1 request.
\smallskip \smallskip
@ -356,7 +356,7 @@ This rigidity makes constructing signature schemes with SIDH hard
\cite{??SIDHsig??}, but does not impact our use case. \cite{??SIDHsig??}, but does not impact our use case.
We let $\mu$ and $\Mu$ be the SIDH 2-torsion private and public keys, We let $\mu$ and $\Mu$ be the SIDH 2-torsion private and public keys,
repectively. We simlarly let $\lambda$ and $\Lambda$ be the respectively. We similarly let $\lambda$ and $\Lambda$ be the
SIDH 3-torsion private and public keys. SIDH 3-torsion private and public keys.
We envision the 2-torsion secret key generation function $\CSK(s)$ We envision the 2-torsion secret key generation function $\CSK(s)$
@ -396,7 +396,7 @@ groups \cite{??,??}, but also a reasuring relationship with NP-hard
problems. problems.
We again let $\mu$ and $\Mu$ denote the Alice (initator) side the We again let $\mu$ and $\Mu$ denote the Alice (initator) side the
private and public keys, repectively. We likewise let $\lambda$ private and public keys, respectively. We likewise let $\lambda$
and $\Lambda$ be the Bob (respondent) private and public keys. and $\Lambda$ be the Bob (respondent) private and public keys.
% DO IT? % DO IT?
Again now, $\CPK$, $\CSK$, $\LPK$, $\LSK$, $\KEX_2$ and $\KEX_3$ Again now, $\CPK$, $\CSK$, $\LPK$, $\LSK$, $\KEX_2$ and $\KEX_3$
@ -407,12 +407,12 @@ the Ring-LWE key exchange itself being broken because $\lambda_j$
and $\Lambda_j$ are constructed using the public key $\Mu$. and $\Lambda_j$ are constructed using the public key $\Mu$.
First, the polynomial $a$ commonly depends upon $\Mu$, like in First, the polynomial $a$ commonly depends upon $\Mu$, like in
\cite{NewHope}, so unlinkability explicity depends upon the Ring-LWE \cite{NewHope}, so unlinkability explicitly depends upon the Ring-LWE
problem\cite{}. [[ PROOF ??? ]] problem\cite{}. [[ PROOF ??? ]]
Second, the reconciliation information in $\Lambda$ might leak Second, the reconciliation information in $\Lambda$ might leak
additional information about $\lambda$. additional information about $\lambda$.
[[ LITTERATURE ADDRESSES THIS POINT ??? ]] [[ LITERATURE ADDRESSES THIS POINT ??? ]]
Ring-LWE key exchanges require that both Alice and Bob's keys be Ring-LWE key exchanges require that both Alice and Bob's keys be
ephemeral because the success or failure of the key exchange ephemeral because the success or failure of the key exchange
@ -423,7 +423,7 @@ schemes\cite{??RLWEsig??}, and this situation impacts us as well.
A Taler wallet should control both sides during the refresh protocol, A Taler wallet should control both sides during the refresh protocol,
which produces an interesting connundrum. which produces an interesting connundrum.
An honest wallet could ensure that the key exchange always succeeds. An honest wallet could ensure that the key exchange always succeeds.
If wallets were honest, then one could tune the Ring-LWE paramaters If wallets were honest, then one could tune the Ring-LWE parameters
to leave the probability of failure rather high, to leave the probability of failure rather high,
saving the exchange bandwidth, storage, and verification time. saving the exchange bandwidth, storage, and verification time.
A dishonest wallet and merchant could conversely search the key space A dishonest wallet and merchant could conversely search the key space
@ -432,25 +432,25 @@ merchant in tax evasion.
[[ IS THE FOLLOWING IMPOSSIBLE ??? ]] [[ IS THE FOLLOWING IMPOSSIBLE ??? ]]
If possible, we should tune the Ring-LWE paramaters to reduce costs If possible, we should tune the Ring-LWE parameters to reduce costs
to the exchange, and boost the unlinkability for the users, while to the exchange, and boost the unlinkability for the users, while
simultaniously simultaniously
% \smallskip % \smallskip
% \subsection{Comparson} % \subsection{Comparson}
At present, the SIDH implemention in \cite{SIDH16} requires about At present, the SIDH implementation in \cite{SIDH16} requires about
one third the key material and 100?? times as much CPU time as the one third the key material and 100?? times as much CPU time as the
Ring-LWE implemention in \cite{NewHope}. Ring-LWE implementation in \cite{NewHope}.
[[ We believe this provides a strong reason to continue exploring [[ We believe this provides a strong reason to continue exploring
paramater choices for Ring-LWE key exchange along with protocol tweaks. parameter choices for Ring-LWE key exchange along with protocol tweaks.
... ]] ... ]]
\section{Hashed-based one-sided public keys} \section{Hashed-based one-sided public keys}
We now define our hash-based encryption scheme. We now define our hash-based encryption scheme.
Let $\delta$ denote our query security paramater and Let $\delta$ denote our query security parameter and
let $\mu$ be a bit string. let $\mu$ be a bit string.
For $j \le \kappa$, we define a Merkle tree $T_j$ of height $\delta$ For $j \le \kappa$, we define a Merkle tree $T_j$ of height $\delta$
with leaves $\eta_j = H(\mu || "YeyCoins!" || t || j)$ with leaves $\eta_j = H(\mu || "YeyCoins!" || t || j)$
@ -500,8 +500,8 @@ an attacker to pursue $\eta_j$ alone unless they expect to break
curve25519 in the future, either through mathematical advances or curve25519 in the future, either through mathematical advances or
by building a quantum computer. by building a quantum computer.
We therefore view $\delta$ as a query complexity paramater whose We therefore view $\delta$ as a query complexity parameter whose
optimial setting depends upo nthe strength of the overall protocoll. optimial setting depends upo nthe strength of the overall protocol.
\smallskip \smallskip
@ -510,7 +510,7 @@ We can magnify the effective $\delta$ by using multiple $\eta_j$.
... analysis ... ... analysis ...
% multiple withdrawals % multiple withdrawals
We believe this provides sufficent post-quantum security for We believe this provides sufficient post-quantum security for
refreshing change. refreshing change.
@ -518,11 +518,11 @@ refreshing change.
We noted in \S\ref{subsec:withdrawal} above that exchange might We noted in \S\ref{subsec:withdrawal} above that exchange might
require that initial withdrawals employs a refresh-like operation. require that initial withdrawals employs a refresh-like operation.
In this scenarion, we refresh from a pseudo-coin $(C,\Mu)$ where In this scenario, we refresh from a pseudo-coin $(C,\Mu)$ where
$C$ is the user's reserve key \cite[??]{Taler} and $C$ is the user's reserve key \cite[??]{Taler} and
$\Mu$ s a post-quantum public key kept with $C$. $\Mu$ s a post-quantum public key kept with $C$.
As a result, our hash-based scheme should increase the security As a result, our hash-based scheme should increase the security
paramater $\delta$ to allow a query for every withdrawal operation. parameter $\delta$ to allow a query for every withdrawal operation.
Instead, ... Instead, ...
[[ ??? we propose using a Merkle tree of Alice side Ring-LWE keys, [[ ??? we propose using a Merkle tree of Alice side Ring-LWE keys,
@ -565,7 +565,7 @@ Crazy pants ideas :
Use a larger Mrkle tree with start points seeded throughout Use a larger Mrkle tree with start points seeded throughout
Use a Merkle tree of SWIFFT hash functions becuase Use a Merkle tree of SWIFFT hash functions because
their additive homomorphic property lets you keep the form of a polynomial their additive homomorphic property lets you keep the form of a polynomial

2
doc/paper/taler.bib
View File

@ -413,7 +413,7 @@ issn="1432-1378",
volume="16", volume="16",
number="3", number="3",
pages="185--215", pages="185--215",
abstract="We introduce a new class of computational problems which we call the ``one-more-RSA-inversion'' problems. Our main result is that two problems in this class, which we call the chosen-target and known-target inversion problems, respectively, have polynomially equivalent computational complexity. We show how this leads to a proof of security for Chaum's RSA-based blind signature scheme in the random oracle model based on the assumed hardness of either of these problems. We define and prove analogous results for ``one-more-discrete-logarithm'' problems. Since the appearence of the preliminary version of this paper, the new problems we have introduced have found other uses as well.", abstract="We introduce a new class of computational problems which we call the ``one-more-RSA-inversion'' problems. Our main result is that two problems in this class, which we call the chosen-target and known-target inversion problems, respectively, have polynomially equivalent computational complexity. We show how this leads to a proof of security for Chaum's RSA-based blind signature scheme in the random oracle model based on the assumed hardness of either of these problems. We define and prove analogous results for ``one-more-discrete-logarithm'' problems. Since the appearance of the preliminary version of this paper, the new problems we have introduced have found other uses as well.",
issn="1432-1378", issn="1432-1378",
doi="10.1007/s00145-002-0120-1", doi="10.1007/s00145-002-0120-1",
doi_url="http://dx.doi.org/10.1007/s00145-002-0120-1", doi_url="http://dx.doi.org/10.1007/s00145-002-0120-1",

4
doc/paper/taler.tex
View File

@ -1243,7 +1243,7 @@ certification process.
We assume the exchange operates honestly when discussing taxability. We assume the exchange operates honestly when discussing taxability.
We feel this assumption is warranted mostly because a Taler exchange We feel this assumption is warranted mostly because a Taler exchange
requires licenses to operate as a financial institution, which it requires licenses to operate as a financial institution, which it
risks loosing if it knowingly facilitates tax evasion. risks losing if it knowingly facilitates tax evasion.
We also expect an auditor monitors the exchange similarly to how We also expect an auditor monitors the exchange similarly to how
government regulators monitor financial institutions. government regulators monitor financial institutions.
In fact, our auditor software component gives the auditor read access In fact, our auditor software component gives the auditor read access
@ -1772,7 +1772,7 @@ currency. A tax auditor can then request the merchant to reveal
(meaningful) details about the business transaction ($\mathcal{D}$, (meaningful) details about the business transaction ($\mathcal{D}$,
$a$, $p$, $r$), including proof that applicable taxes were paid. $a$, $p$, $r$), including proof that applicable taxes were paid.
If a merchant is not able to provide theses values, they can be If a merchant is not able to provide these values, they can be
subjected to financial penalties by the state in relation to the subjected to financial penalties by the state in relation to the
amount transferred by the traditional currency transfer. amount transferred by the traditional currency transfer.

4
doc/paper/taler_FC2016.txt
View File

@ -118,7 +118,7 @@ is less a currency and more an open protocol for creating new
currencies. So what? And why do altcoins become a ponzi scheme? (Noting currencies. So what? And why do altcoins become a ponzi scheme? (Noting
that you do not say that they might become one, rather that they do). that you do not say that they might become one, rather that they do).
> We have adjusted that langauge, as some like Dogecoin have removed > We have adjusted that language, as some like Dogecoin have removed
> the 21 billion BTC cap to reduce the ponzi-like tendencies. > the 21 billion BTC cap to reduce the ponzi-like tendencies.
> There remains a large trend towards ponzi schemes in the altcoin > There remains a large trend towards ponzi schemes in the altcoin
> world however, amusingly noted by https://ponzico.win/ and > world however, amusingly noted by https://ponzico.win/ and
@ -307,7 +307,7 @@ scheme suggests that a any transfers of value should be taxed. However,
the issuing protocol in 4.1 can be abused to transfer a coin, without the issuing protocol in 4.1 can be abused to transfer a coin, without
paying tax, and in an unlikable manner. paying tax, and in an unlikable manner.
> Technically 4.1 is not transfering a coin, as it is issuing a coin. > Technically 4.1 is not transferring a coin, as it is issuing a coin.
> Again, the loophole is/was discussed in the paper. > Again, the loophole is/was discussed in the paper.
The party withdrawing the coin The party withdrawing the coin

4
doc/paper/taler_FC2017.txt
View File

@ -220,11 +220,11 @@ wanting this features is that it enables refunds from a merchant that
later can be refreshed into "clean" coins that are unlinkable to the later can be refreshed into "clean" coins that are unlinkable to the
refunded coins. The protocol is based on what appears to be a standard refunded coins. The protocol is based on what appears to be a standard
cut-and-choose approach, which does not appear to be particularly cut-and-choose approach, which does not appear to be particularly
novel. On the postive side, the problem appears a natural and if it novel. On the positive side, the problem appears a natural and if it
hasn't been done before certainly useful. On the negative side, since hasn't been done before certainly useful. On the negative side, since
the paper does not contain any formal definitions, or even semi-formal the paper does not contain any formal definitions, or even semi-formal
specifications of the desiderata, it is very hard to understand what specifications of the desiderata, it is very hard to understand what
actually is acheived. Furthermore, no proofs of security are given, actually is achieved. Furthermore, no proofs of security are given,
and even the protocol is hard to fully understand. As such, I would and even the protocol is hard to fully understand. As such, I would
suggest the authors to first formalize their approach and suggest the authors to first formalize their approach and
resubmitting. resubmitting.

2
doc/system/conclusions.tex
View File

@ -74,7 +74,7 @@ online, as the discretion of parents.
% %
%\subsection*{NFC Wallet} %\subsection*{NFC Wallet}
% %
%\subsection*{large, scaleable deployment} %\subsection*{large, scalable deployment}
%I.e. sharding, db replication, load balancer(s) %I.e. sharding, db replication, load balancer(s)
% %
%\subsection*{Hardware security module for exchange} %\subsection*{Hardware security module for exchange}

2
doc/system/introduction.tex
View File

@ -108,7 +108,7 @@ supports the more highly ranked goal is preferred:
%Especially if a payment system is to be used for microtransactions for online %Especially if a payment system is to be used for microtransactions for online
%content, the privacy of buyers becomes important: if micropayments were more %content, the privacy of buyers becomes important: if micropayments were more
%commonplace, the transaction data could be used to collect extremely detailled %commonplace, the transaction data could be used to collect extremely detailed
%profiles of users. Unfortunately practically no commercially used payment %profiles of users. Unfortunately practically no commercially used payment
%system has strong anonymity guarantees. %system has strong anonymity guarantees.

10
doc/system/taler/design.tex
View File

@ -309,7 +309,7 @@ For purposes of anti-money-laundering and taxation, a more detailed audit of
the merchant's transactions can be desirable. A government tax authority can the merchant's transactions can be desirable. A government tax authority can
request the merchant to reveal the business agreement details that match the request the merchant to reveal the business agreement details that match the
contract terms hash recorded with the exchange. If a merchant is not able to contract terms hash recorded with the exchange. If a merchant is not able to
provide theses values, they can be subjected to financial penalties by the provide these values, they can be subjected to financial penalties by the
state in relation to the amount transferred by the traditional currency state in relation to the amount transferred by the traditional currency
transfer. transfer.
@ -398,7 +398,7 @@ Yet another type of fee are the \emph{wire transfer fees}, which are charged
by the exchange for every wire transfer to a merchant in order to compensate for by the exchange for every wire transfer to a merchant in order to compensate for
the cost of making a transaction in the underlying bank system. The wire the cost of making a transaction in the underlying bank system. The wire
transfer fees encourage merchants to choose longer aggregation periods, as the transfer fees encourage merchants to choose longer aggregation periods, as the
fee is charged per transaction and independant of the amount. fee is charged per transaction and independent of the amount.
Merchants can also specify the maximum wire fee they are willing to cover for Merchants can also specify the maximum wire fee they are willing to cover for
customers, along with an \emph{amortization rate} for the wire fees. In case customers, along with an \emph{amortization rate} for the wire fees. In case
@ -752,7 +752,7 @@ fails to do so, coins may {\em expire}, resulting in a loss for the coin's
owner. Dirty coins can also expire. In practice, this happens if the melt fee owner. Dirty coins can also expire. In practice, this happens if the melt fee
exceeds the residual value of the dirty coin. To {\em melt} a coin, the exceeds the residual value of the dirty coin. To {\em melt} a coin, the
wallet must commit to one or more {\em planchets} and then demonstrate honesty wallet must commit to one or more {\em planchets} and then demonstrate honesty
when the committment made for the {\em refresh session} is checked during the when the commitment made for the {\em refresh session} is checked during the
{\em reveal} step. If the wallet was honest, {\em reveal} yields {\em fresh {\em reveal} step. If the wallet was honest, {\em reveal} yields {\em fresh
coins}. coins}.
@ -1029,7 +1029,7 @@ GNU Taler
by giving change online (Onl.) or by divisible coins that support offline by giving change online (Onl.) or by divisible coins that support offline
operation (Off.)? operation (Off.)?
\item \textbf{Receipts \& Refunds.} \item \textbf{Receipts \& Refunds.}
The customer either can prove that they payed for The customer either can prove that they paid for
a contract, or they can get their (unlinkable) money back. a contract, or they can get their (unlinkable) money back.
Also merchants can issue refunds for completed transactions. Also merchants can issue refunds for completed transactions.
These operations must not introduce linkability or otherwise These operations must not introduce linkability or otherwise
@ -1121,7 +1121,7 @@ Some of the most important decisions for the design of blockchains are the follo
consensus protocols. Their proposed system does not have any incentives consensus protocols. Their proposed system does not have any incentives
for validators. for validators.
Avalance \cite{rocket2018snowflake} has been proposed as a scalable Avalanche \cite{rocket2018snowflake} has been proposed as a scalable
Byzantine Consensus algorithm for use with blockchains. It is based on a Byzantine Consensus algorithm for use with blockchains. It is based on a
gossip protocol and is only shown to work in the synchronous model. gossip protocol and is only shown to work in the synchronous model.

4
doc/system/taler/implementation.tex
View File

@ -577,7 +577,7 @@ We now define a fallback, which is transparently implemented in the reference me
In addition to indicating that a payment is required for a resource in the HTTP status code and header, In addition to indicating that a payment is required for a resource in the HTTP status code and header,
the merchant includes a fallback URL in the body of the ``402 Payment Required'' response. This URL must have the custom URL scheme the merchant includes a fallback URL in the body of the ``402 Payment Required'' response. This URL must have the custom URL scheme
\texttt{taler}, and contains the contract terms URL (and other Taler-specific settings normally specified in headers) \texttt{taler}, and contains the contract terms URL (and other Taler-specific settings normally specified in headers)
as parameters. The above payment would include a link (labled, e.g., ``Pay with GNU Taler'') to the following URL, encoding as parameters. The above payment would include a link (labeled, e.g., ``Pay with GNU Taler'') to the following URL, encoding
the same information as the headers: the same information as the headers:
\begin{lstlisting}[style=myhttp] \begin{lstlisting}[style=myhttp]
taler:pay?*\break\contl*contract_url=*\break\contl*https%3A%2F%2Falice-shop.example.com%2Fcontract%3Fproduct%3Dessay-24.pdf*\break\contl*&resource_url=*\break\contl*https%3A%2F%2Falice-shop.example.com%2Fessay-24.pdf taler:pay?*\break\contl*contract_url=*\break\contl*https%3A%2F%2Falice-shop.example.com%2Fcontract%3Fproduct%3Dessay-24.pdf*\break\contl*&resource_url=*\break\contl*https%3A%2F%2Falice-shop.example.com%2Fessay-24.pdf
@ -908,7 +908,7 @@ The following APIs are offered by the exchange:
the merchant additionally can use the exchange's \texttt{/transfers/\$WTID} API that returns the list of deposits for a wire transfer the merchant additionally can use the exchange's \texttt{/transfers/\$WTID} API that returns the list of deposits for a wire transfer
identifier (WTID) included in the wire transfer to the merchant, as well as the \texttt{/deposits/\$H\_WIRE/\$MERCHANT\_PUB/\$H\_CONTRACT\_TERMS/\$COIN\_PUB} API to look up identifier (WTID) included in the wire transfer to the merchant, as well as the \texttt{/deposits/\$H\_WIRE/\$MERCHANT\_PUB/\$H\_CONTRACT\_TERMS/\$COIN\_PUB} API to look up
which wire transfer included the payment for a given deposit. which wire transfer included the payment for a given deposit.
\item[Refresh] Refreshing consists of two stages. First, using \texttt{/coins/\$COIN\_PUB/melt} an old, possibly dirty coin is melted and thus devaluted. The committment made by the wallet during the melt and the resulting $\gamma$-challenge from the exchange are associated with a {\em refresh session}. Then, using \texttt{/refreshes/\$RCH/reveal} the wallet can answer the challenge and obtain fresh coins as change. Finally, \texttt{/coins/\$COIN\_PUB/link} provides the link deterrent against refresh abuse. \item[Refresh] Refreshing consists of two stages. First, using \texttt{/coins/\$COIN\_PUB/melt} an old, possibly dirty coin is melted and thus devaluted. The commitment made by the wallet during the melt and the resulting $\gamma$-challenge from the exchange are associated with a {\em refresh session}. Then, using \texttt{/refreshes/\$RCH/reveal} the wallet can answer the challenge and obtain fresh coins as change. Finally, \texttt{/coins/\$COIN\_PUB/link} provides the link deterrent against refresh abuse.
\item[Refunds] The refund API (\texttt{/coins/\$COIN\_PUB/refund}) can ``undo'' a deposit if the merchant gave their signature, and the aggregation deadline \item[Refunds] The refund API (\texttt{/coins/\$COIN\_PUB/refund}) can ``undo'' a deposit if the merchant gave their signature, and the aggregation deadline
for the payment has not occurred yet. for the payment has not occurred yet.
\item[Recoup] The recoup API (\texttt{/coins/\$COIN\_PUB/recoup}) allows customers to be compensated \item[Recoup] The recoup API (\texttt{/coins/\$COIN\_PUB/recoup}) allows customers to be compensated

4
doc/system/taler/security.tex
View File

@ -759,7 +759,7 @@ Taler. Similar to \cite{bellare2006code} we assume that the game and adversary
terminate in finite time, and thus random choices made by the challenger and terminate in finite time, and thus random choices made by the challenger and
adversary can be taken from a finite sample space. adversary can be taken from a finite sample space.
All games except income transpacency return $1$ to indicate that the adversary All games except income transparency return $1$ to indicate that the adversary
has won and $0$ to indicate that the adversary has lost. The income has won and $0$ to indicate that the adversary has lost. The income
transparency game returns $0$ if the adversary has lost, and a positive transparency game returns $0$ if the adversary has lost, and a positive
``laundering ratio'' if the adversary won. ``laundering ratio'' if the adversary won.
@ -1666,7 +1666,7 @@ In particular, the following features are left out of the formal discussion:
behalf of the merchant to obtain proof of their on-time payment, which can behalf of the merchant to obtain proof of their on-time payment, which can
be used in a later arbitration if necessary. Alternatively, the customer be used in a later arbitration if necessary. Alternatively, the customer
can ask the exchange to undo the partial payments, though this requires the can ask the exchange to undo the partial payments, though this requires the
exchange to know (or learn from the customer) the exact amount to be payed exchange to know (or learn from the customer) the exact amount to be paid
for the contract. for the contract.
%A complication in practice is that merchants may not want to reveal their %A complication in practice is that merchants may not want to reveal their

2
src/auditor/report-lib.c
View File

@ -572,7 +572,7 @@ TALER_ARL_amount_subtract_ (struct TALER_Amount *diff,
/** /**
* Perform subtraction of amounts. Negative results should be signalled by the * Perform subtraction of amounts. Negative results should be signalled by the
* return value (leaving @a diff set to 'invalid'). If the subtraction fails * return value (leaving @a diff set to 'invalid'). If the subtraction fails
* for other reasons (currency missmatch, normalization failure), logs a * for other reasons (currency mismatch, normalization failure), logs a
* detailed error and calls exit() to terminate the process (!). * detailed error and calls exit() to terminate the process (!).
* *
* Do not call this function directly, use #TALER_ARL_amount_subtract_neg(). * Do not call this function directly, use #TALER_ARL_amount_subtract_neg().

4
src/auditor/report-lib.h
View File

@ -247,7 +247,7 @@ enum TALER_ARL_SubtractionResult
/** /**
* Perform subtraction of amounts. Negative results should be signalled by the * Perform subtraction of amounts. Negative results should be signalled by the
* return value (leaving @a diff set to 'invalid'). If the subtraction fails * return value (leaving @a diff set to 'invalid'). If the subtraction fails
* for other reasons (currency missmatch, normalization failure), logs a * for other reasons (currency mismatch, normalization failure), logs a
* detailed error and calls exit() to terminate the process (!). * detailed error and calls exit() to terminate the process (!).
* *
* Do not call this function directly, use #TALER_ARL_amount_subtract_neg(). * Do not call this function directly, use #TALER_ARL_amount_subtract_neg().
@ -274,7 +274,7 @@ TALER_ARL_amount_subtract_neg_ (struct TALER_Amount *diff,
/** /**
* Perform subtraction of amounts. Negative results should be signalled by * Perform subtraction of amounts. Negative results should be signalled by
* the return value (leaving @a diff set to 'invalid'). If the subtraction * the return value (leaving @a diff set to 'invalid'). If the subtraction
* fails for other reasons (currency missmatch, normalization failure), logs a * fails for other reasons (currency mismatch, normalization failure), logs a
* detailed error and calls exit() to terminate the process (!). * detailed error and calls exit() to terminate the process (!).
* *
* @param[out] diff where to store (@a a1 - @a a2) * @param[out] diff where to store (@a a1 - @a a2)

4
src/exchange/test_taler_exchange_httpd.conf
View File

@ -1,5 +1,5 @@
[PATHS] [PATHS]
# Persistant data storage for the testcase # Persistent data storage for the testcase
TALER_TEST_HOME = test_taler_exchange_httpd_home/ TALER_TEST_HOME = test_taler_exchange_httpd_home/
[taler] [taler]
@ -76,7 +76,7 @@ WIRE_GATEWAY_URL = "http://localhost:8082/3/"
# Wire fees are specified by wire method # Wire fees are specified by wire method
[fees-x-taler-bank] [fees-x-taler-bank]
# Fees for the forseeable future... # Fees for the foreseeable future...
# If you see this after 2018, update to match the next 10 years... # If you see this after 2018, update to match the next 10 years...
WIRE-FEE-2018 = EUR:0.01 WIRE-FEE-2018 = EUR:0.01
WIRE-FEE-2019 = EUR:0.01 WIRE-FEE-2019 = EUR:0.01

2
src/exchangedb/test_exchangedb.c
View File

@ -191,7 +191,7 @@ struct DenomKeyPair
/** /**
* Destroy a denomination key pair. The key is not necessarily removed from the DB. * Destroy a denomination key pair. The key is not necessarily removed from the DB.
* *
* @param dkp the keypair to destroy * @param dkp the key pair to destroy
*/ */
static void static void
destroy_denom_key_pair (struct DenomKeyPair *dkp) destroy_denom_key_pair (struct DenomKeyPair *dkp)

2
src/include/taler_auditor_service.h
View File

@ -309,7 +309,7 @@ struct TALER_AUDITOR_ExchangeInfo
/** /**
* Function called with the result from /exchagnes. * Function called with the result from /exchanges.
* *
* @param cls closure * @param cls closure
* @param hr HTTP response data * @param hr HTTP response data

2
src/include/taler_mhd_lib.h
View File

@ -330,7 +330,7 @@ TALER_MHD_parse_json_array (struct MHD_Connection *connection,
/** /**
* Extraxt fixed-size base32crockford encoded data from request. * Extract fixed-size base32crockford encoded data from request.
* *
* Queues an error response to the connection if the parameter is missing or * Queues an error response to the connection if the parameter is missing or
* invalid. * invalid.

2
src/lib/exchange_api_handle.c
View File

@ -1499,7 +1499,7 @@ parse_date_string (const char *date,
/** /**
* Function called for each header in the HTTP /keys response. * Function called for each header in the HTTP /keys response.
* Finds the "Expire:" header and parses it, storing the result * Finds the "Expire:" header and parses it, storing the result
* in the "expire" field fo the keys request. * in the "expire" field of the keys request.
* *
* @param buffer header data received * @param buffer header data received
* @param size size of an item in @a buffer * @param size size of an item in @a buffer

3
src/testing/test_exchange_api_twisted.c
View File

@ -153,8 +153,7 @@ run (void *cls,
* NOTE: not all CMDs actually need the twister, * NOTE: not all CMDs actually need the twister,
* so it may be better to move those into the "main" * so it may be better to move those into the "main"
* lib test suite. * lib test suite.
*/ */struct TALER_TESTING_Command refund[] = {
struct TALER_TESTING_Command refund[] = {
CMD_TRANSFER_TO_EXCHANGE ("create-reserve-r1", CMD_TRANSFER_TO_EXCHANGE ("create-reserve-r1",
"EUR:5.01"), "EUR:5.01"),
CMD_EXEC_WIREWATCH ("wirewatch-r1"), CMD_EXEC_WIREWATCH ("wirewatch-r1"),

4
src/testing/test_exchange_api_twisted.conf
View File

@ -2,7 +2,7 @@
# #
[PATHS] [PATHS]
# Persistant data storage for the testcase # Persistent data storage for the testcase
TALER_TEST_HOME = test_exchange_api_home/ TALER_TEST_HOME = test_exchange_api_home/
@ -109,7 +109,7 @@ UNIX_MATCH_GID = YES
[fees-x-taler-bank] [fees-x-taler-bank]
# Fees for the forseeable future... # Fees for the foreseeable future...
# If you see this after 2017, update to match the next 10 years... # If you see this after 2017, update to match the next 10 years...
WIRE-FEE-2018 = EUR:0.01 WIRE-FEE-2018 = EUR:0.01
WIRE-FEE-2019 = EUR:0.01 WIRE-FEE-2019 = EUR:0.01

2
src/testing/testing_api_cmd_serialize_keys.c
View File

@ -39,7 +39,7 @@ struct SerializeKeysState
/** /**
* Exchange URL. Needed because the exchange gets disconnected * Exchange URL. Needed because the exchange gets disconnected
* from, after keys serialization. This value is then needed by * from, after keys serialization. This value is then needed by
* subsequent commands that have to reconnect to the exchagne. * subsequent commands that have to reconnect to the exchange.
*/ */
char *exchange_url; char *exchange_url;
}; };