taler/exchange
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Correctons to section 3

Browse Source
This commit is contained in:
Jeff Burdges 2015-10-08 02:43:42 +02:00
parent 2863132570
commit 2ce2c1dac7
1 changed files with 93 additions and 93 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

186
doc/paper/taler.tex
View File

@ -389,18 +389,18 @@ Taler's security model assumes that cryptographic primitives are
secure and that each participant is under full control of his system. secure and that each participant is under full control of his system.
The contact information of the mint is known to both customer and The contact information of the mint is known to both customer and
merchant from the start. Furthermore, the merchant communication's merchant from the start. Furthermore, the merchant communication's
authenticity is assured to the customer (for example using X.509 authenticity is assured to the customer, such as by using X.509
certificates~\cite{rfc5280}) and we assume that an anonymous, reliable certificates~\cite{rfc5280}, and we assume that an anonymous, reliable
bi-directional communication channel can be established by the bi-directional communication channel can be established by the
customer to both the mint and the merchant. customer to both the mint and the merchant, such as by using Tor.
The mint is trusted to hold funds of its customers and to forward them The mint is trusted to hold funds of its customers and to forward them
when receiving the respective deposit instructions from the merchants. when receiving the respective deposit instructions from the merchants.
Customer and merchant can have some assurances about the mint's Customer and merchant can have some assurances about the mint's
liquidity and operation, as the mint has proven reserves, is subject liquidity and operation, as the mint has proven reserves, is subject
to the law, and can have its business regularly audited (for to the law, and can have its business regularly audited
example, by the government or a trusted third party auditor). by a government or third party.
Regular audits of the mint's accounts must reveal any possible fraud Regular audits of the mint's accounts should reveal any possible fraud
before the mint is allowed to destroy the corresponding accumulated before the mint is allowed to destroy the corresponding accumulated
cryptographic proofs and book its fees as profits. cryptographic proofs and book its fees as profits.
% %
@ -419,7 +419,7 @@ from customers using legal means.
\subsection{Taxability and Entities} \subsection{Taxability and Entities}
Electronic coins are trivially copied between machines. Thus, we must As electronic coins are trivially copied between machines, we should
clarify what kinds of operations can even be expected to be taxed. clarify what kinds of operations can even be expected to be taxed.
After all, without intrusive measures to take away control of the After all, without intrusive measures to take away control of the
computing platform from its users, copying an electronic wallet from computing platform from its users, copying an electronic wallet from
@ -440,48 +440,48 @@ credentials represented by the private key. In a payment system this
means that either entity could spent the associated funds. Assuming means that either entity could spent the associated funds. Assuming
the payment system has effective double-spending detection, this means the payment system has effective double-spending detection, this means
that either entity has to constantly fear that the funds might no that either entity has to constantly fear that the funds might no
longer be available to it. Thus, sharing coins by copying a private longer be available to it. It follows that sharing coins by copying
key implies mutual trust between the two parties, in which case Taler a private key implies mutual trust between the two parties, in which
will treat them as the same entity. In Taler, making funds available case Taler will treat them as the same entity.
by copying a private key and thus sharing control is {\bf not} In Taler, making funds available by copying a private key and thus
considered a {\em transaction} and thus {\bf not} recorded for sharing control is {\bf not} considered a {\em transaction} and
taxation. thus {\bf not} recorded for taxation.
Taler ensures taxability only when some entity acquires exclusive Taler ensures taxability only when some entity acquires exclusive
control over the value of digital coins, which requires an interaction control over the value of digital coins, which requires an interaction
with the mint. For such transactions, the state can obtain with the mint. For such transactions, the state can obtain information
information from the mint (or the bank) that identifies the entity from the mint, or a bank, that identifies the entity that received the
that received the digital coins as well as the exact value of those digital coins as well as the exact value of those coins.
coins. Taler also allows the mint (and thus the state) to learn the Taler also allows the mint, and hence the state, to learn the value of
value of digital coins withdrawn by a customer --- but not how, where digital coins withdrawn by a customer---but not how, where, or when
or when they were spent. they were spent.
\subsection{Anonymity} \subsection{Anonymity}
An anonymous communication channel (e.g. via Tor~\cite{tor-design}) is An anonymous communication channel such as Tor~\cite{tor-design} is
used for all communication between the customer and the merchant. used for all communication between the customer and the merchant.
Thus, the customer can remain anonymous limited only by the anonymous Ideally, the customer's anonymity is limited only by this channel;
communication channel; however, the payment system does additionally however, the payment system does additionally reveal that the customer
reveal that the customer is one of the patrons of the mint. is one of the patrons of the mint.
Naturally, the customer-merchant business operation might leak other There are naturally risks that the customer-merchant business operation
information about the customer, such as a shipping address. may leak identifying information about the customer. At least, customers
Information leakage from shipping is in theory avoidable~\cite{apod}. have some options to defend their privacy against nosey merchants however,
Nevertheless, for Taler as a payment system, information leakage possibly even when dealing with physical goods \cite{apod}.
specific to the business logic is outside of the scope of the design. We consider information leakage specific to the business logic to be
outside of the scope of the design of Taler.
The customer may use an anonymous communication channel for the Ideally, customer should use an anonymous communication channel with
communication with the mint to avoid leaking IP address information; the mint to avoid leaking IP address information; however, the mint
however, the mint will anyway be able to determine the customer's would typically learn the customer's identity from the wire transfer
identity from the wire transfer or some other authentication process that funds the customer's withdraw anonymous digital coins.
that the customer initiates to withdraw anonymous digital cash. In In fact, this is desirable as there might be rules and regulations
fact, this is desirable as there might be rules and regulations
designed to limit the amount of anonymous digital cash that an designed to limit the amount of anonymous digital cash that an
individual customer can withdraw in a given time period, similar to individual customer can withdraw in a given time period, similar to
how states today sometimes impose limits on cash how states today sometimes impose limits on cash
withdrawals~\cite{france2015cash,greece2015cash}. Taler is only withdrawals~\cite{france2015cash,greece2015cash}.
anonymous with respect to {\em payments}, as the mint will be unable Taler is only anonymous with respect to {\em payments}, as the mint
to link the known identity of the customer that withdrew anonymous will be unable to link the known identity of the customer that withdrew
digital currency to the {\em purchase} performed later at the anonymous digital currency to the {\em purchase} performed later at the
merchant. In this respect, Taler provides exactly the same scheme for merchant. In this respect, Taler provides exactly the same scheme for
unconditional anonymous payments as was proposed by unconditional anonymous payments as was proposed by
Chaum~\cite{chaum1983blind,chaum1990untraceable} over 30 years ago. Chaum~\cite{chaum1983blind,chaum1990untraceable} over 30 years ago.
@ -518,51 +518,51 @@ The mint is expected to have multiple {\em coin signing key} pairs
available for signing, each representing a different coin available for signing, each representing a different coin
denomination. denomination.
The coin signing keys have an expiration date (typically measured in These coin signing keys have an expiration date, before which any coins
years), and coins signed with a coin signing key must be spent (or signed with it must be spent or refreshed. It follows the mint can
exchanged for new coins) before that expiration date. This allows the eventually discard records of old transactions, thus limiting the
mint to limit the amount of state it needs to keep to detect records that the mint must retain and search to detect double-spending
double spending attempts. Furthermore, the mint is expected to use each coin attempts. Furthermore, the mint is expected to use each coin signing
signing key only for a limited number of coins, for example by key only for a limited number of coins.
limiting its use to sign coins to a week or a month. That way, if the % for example by limiting its use to sign coins to a week or a month.
private coin signing key were to be compromised, the mint can detect In this way, if a private coin signing key were to be compromised,
this once more coins are redeemed than the total that was signed into the mint would detect this once more coins were redeemed than the total
existence using the respective coin signing key. In this case, the that was signed into existence using that coin signing key.
mint can allow the original set of customers to exchange the coins In this case, the mint could allow authentic customers to exchange their
that were signed with the compromised private key, while refusing unspent coins that were signed with the compromised private key,
further transactions from merchants if they involve those coins. As a while refusing further anonymous transactions involving those coins.
result, the financial damage of losing a private signing key can be As a result, the financial damage of losing a private signing key can be
limited to at most twice the amount originally signed with that key. limited to at most twice the amount originally signed with that key.
To ensure that the mint does not enable deanonymization of users by To ensure that the mint does not enable deanonymization of users by
signing each coin with a fresh coin signing key, the mint must signing each coin with a fresh coin signing key, the mint must publicly
publicly announce the coin signing keys in advance. Those announce the coin signing keys in advance. Those announcements are
announcements are expected to be signed with an off-line long-term expected to be signed with an off-line long-term private {\em master
private {\em master signing key} of the mint and the auditor. signing key} of the mint and the auditor.
Before a customer can withdraw a coin from the mint, he has to pay the Before a customer can withdraw a coin from the mint,
mint the value of the coin, as well as processing fees. This is done he has to pay the mint the value of the coin, as well as processing fees.
using other means of payments, such as wire transfers or This is done using other means of payments, such as wire transfers or
by having a personal {\em reserve} at the mint (which is equivalent to by having a personal {\em reserve} at the mint,
a bank account with a positive balance). Taler assumes that the which is equivalent to a bank account with a positive balance.
customer has a {\em withdrawal authorization key} to identify himself Taler assumes that the customer has a {\em withdrawal authorization key}
as authorized to withdraw funds from the reserve. By signing the to identify himself as authorized to withdraw funds from the reserve.
withdrawal request messages using the withdrawal authorization key, By signing the withdrawal request messages using this withdrawal
the customer can prove to the mint that he is the individual authorization key, the customer can prove to the mint that he is the
authorized to withdraw anonymous digital coins from the reserve. The individual authorized to withdraw anonymous digital coins from his reserve.
mint will record the withdrawal messages with the reserve record as The mint will record the withdrawal messages with the reserve record as
proof that the anonymous digital coin was created for the correct proof that the anonymous digital coin was created for the correct
customer. We note that the specifics of how the customer customer. We note that the specifics of how the customer authenticates
authenticates to the mint are orthogonal to the rest of the system, to the mint are orthogonal to the rest of the system, and
and multiple methods can be supported. multiple methods can be supported.
%To put it differently, unlike %To put it differently, unlike
%modern cryptocurrencies like BitCoin, Taler's design simply %modern cryptocurrencies like BitCoin, Taler's design simply
%acknowledges that primitive accumulation~\cite{engels1844} predates %acknowledges that primitive accumulation~\cite{engels1844} predates
%the system and that a secure method to authenticate owners exists. %the system and that a secure method to authenticate owners exists.
After a coin is minted, the customer is the only entity that knows the After a coin is minted, the customer is the only entity that knows the
private key of the coin, making him the \emph{owner} of the coin. The private key of the coin, making him the \emph{owner} of the coin.
coin can be identified by the mint by its public key; however, due to The coin can be identified by the mint by its public key; however, due
the use of blind signatures, the mint does not learn the public key to the use of blind signatures, the mint does not learn the public key
during the minting process. Knowledge of the private key of the coin during the minting process. Knowledge of the private key of the coin
enables the owner to spent the coin. If the private key is shared enables the owner to spent the coin. If the private key is shared
with others, they also become owners of the coin. with others, they also become owners of the coin.
@ -598,27 +598,27 @@ continues to directly use the coin in other transactions, merchants
and the mint could link the various transactions as they all share the and the mint could link the various transactions as they all share the
same public key for the coin. same public key for the coin.
Thus, the owner might want to exchange such a {\em dirty} coin for a The owner of such a {\em dirty} coin might therefore want to exchange it
{\em fresh} coin to ensure unlinkability of future transactions with for a {\em fresh} coin to ensure unlinkability with future transactions.
the previous operation. Even if a coin is not dirty, the owner of a % with the previous operation.
coin may want to exchange a coin if the respective coin signing key is Even if a coin is not dirty, the owner of a coin may want to exchange it
about to expire. All of these operations are supported with the {\em if the respective coin signing key is about to expire. All of these
coin refreshing protocol}, which allows the owner of a coin to {\em operations are supported with the {\em coin refreshing protocol}, which
melt} existing coins (redeeming their remaining value) for fresh allows the owner of a coin to {\em melt} it for fresh coins of the same
coins with a new public-private key pairs. Refreshing does not use value with a new public-private key pairs. Refreshing does not use the
the ordinary spending operation as the owner of a coin should not have ordinary spending operation as the owner of a coin should not have to
to pay taxes on this operation. Because of this, the refreshing pay taxes on this operation. Because of this, the refreshing protocol
protocol must assure that owner stays the same. After all, the coin must assure that owner stays the same.
refreshing protocol must not be usable for transactions, as % After all, the coin refreshing protocol must not be usable for transactions, as
transactions in Taler must be taxable. % transactions in Taler must be taxable.
Thus, one main goal of the refreshing protocol is that the mint must % Meh, this paragraph sucks :
not be able to link the fresh coin's public key to the public key of We therefore demand two main properties from the refresh protocol:
the dirty coin. The second main goal is to enable the mint to ensure First, the mint must not be able to link the fresh coin's public key to
that the owner of the dirty coin can determine the private key of the the public key of the dirty coin. Second, the mint can ensure that the
fresh coin. This way, refreshing cannot be used to construct a owner of the dirty coin can determine the private key of the
transaction --- the owner of the dirty coin remains in control of the fresh coin, thereby preventing the refresh protocol from being used to
fresh coin. construct a transaction.
%As with other operations, the refreshing protocol must also protect %As with other operations, the refreshing protocol must also protect
%the mint from double-spending; similarly, the customer has to have %the mint from double-spending; similarly, the customer has to have