more paper edits and claifications

This commit is contained in:
Christian Grothoff 2015-09-24 17:43:20 +02:00
parent 851a727b69
commit 18d3c5efa5

View File

@ -842,13 +842,14 @@ For a coin that was successfully refreshed, the mint responds to a
request $S_{C'}(\mathtt{link})$ with $(T^{(\gamma)}_p$, $E_{\gamma}, request $S_{C'}(\mathtt{link})$ with $(T^{(\gamma)}_p$, $E_{\gamma},
\widetilde{C})$. \widetilde{C})$.
% %
This allows the owner of the old coin to also obtain the private key This allows the owner of the melted coin to also obtain the private
of the new coin, even if the refreshing protocol was illicitly key of the new coin, even if the refreshing protocol was illicitly
executed by another party who learned $C'_s$ from the old owner. As a executed with the help of another party who generated $C'_s$ and only
result, linking ensures that access to the new coins minted by the provided $\vec{C'_p}$ and other required information to the old owner.
refresh protocol is always {\em shared} with the owner of the melted As a result, linking ensures that access to the new coins minted by
coins. This makes it impossible to abuse the refresh protocol for the refresh protocol is always {\em shared} with the owner of the
{\em transactions}. melted coins. This makes it impossible to abuse the refresh protocol
for {\em transactions}.
The linking request is not expected to be used at all during ordinary The linking request is not expected to be used at all during ordinary
operation of Taler. If the refresh protocol is used by Alice to operation of Taler. If the refresh protocol is used by Alice to
@ -858,8 +859,12 @@ The fundamental reason why the mint must provide the link protocol is
simply to provide a threat: if Bob were to use the refresh protocol simply to provide a threat: if Bob were to use the refresh protocol
for a transaction of funds from Alice to him, Alice may use a link for a transaction of funds from Alice to him, Alice may use a link
request to gain shared access to Bob's coins. Thus, this threat request to gain shared access to Bob's coins. Thus, this threat
prevents Bob from abusing the refresh protocol to evade taxation on prevents Alice and Bob from abusing the refresh protocol to evade
transactions. taxation on transactions. If Bob trusts Alice to not execute the link
protocol, then they can already conspire to evade taxation by simply
exchanging the original private coin keys. This is permitted in our
taxation model as with such trust they are assumed to be the same
entity.
The auditor can anonymously check if the mint correctly implements the The auditor can anonymously check if the mint correctly implements the
link request, thus preventing the mint operator from legally disabling link request, thus preventing the mint operator from legally disabling
@ -879,10 +884,10 @@ location of the missmatch in the case of the reveal step in the
refresh protocol. It is also possible that the server may claim that refresh protocol. It is also possible that the server may claim that
the client has been violating the protocol. In these cases, the the client has been violating the protocol. In these cases, the
clients should verify any proofs provided and if they are acceptable, clients should verify any proofs provided and if they are acceptable,
notify the user that they are somehow ``faulty''. Similar, if the notify the user that they are somehow faulty. Similar, if the
server indicates that the client is violating the protocol, the server indicates that the client is violating the protocol, the
client should record the interaction and enable the user to file a client should record the interaction and enable the user to file a
bug report with the developer. bug report.
The second case is a faulty mint service provider. Such faults will The second case is a faulty mint service provider. Such faults will
be detected because of protocol violations (for example, by providing be detected because of protocol violations (for example, by providing