From 41126e6d2423ef4ca945d6b080a289fae94efda2 Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Sun, 4 Oct 2015 12:35:05 +0200 Subject: [PATCH] fix inconsistency in reveal step formulation, now matches implementation --- doc/paper/taler.tex | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex index e3d595ecb..babc895ea 100644 --- a/doc/paper/taler.tex +++ b/doc/paper/taler.tex @@ -820,7 +820,7 @@ generator of the elliptic curve. and commits $\langle C', \vec{T}, \vec{C}, \vec{b} \rangle$ to disk. \item The customer computes $B^{(i)} := B_{b^{(i)}}(C^{(i)}_p)$ for $i \in \{1,\ldots,\kappa\}$ and sends a commitment $S_{C'}(\vec{E}, \vec{B}, \vec{T_p}))$ to the mint. - \item The mint generates a random\footnote{Auditing processes need to assure $\gamma$ is unpredictable until this time to + \item The mint generates a random\footnote{Auditing processes need to assure $\gamma$ is unpredictable until this time to prevent the mint from assisting tax evasion.} $\gamma$ with $1 \le \gamma \le \kappa$ and marks $C'_p$ as spent by committing $\langle C', \gamma, S_{C'}(\vec{E}, \vec{B}, \vec{T}) \rangle$ to disk. @@ -828,7 +828,7 @@ generator of the elliptic curve. possible to use any equivalent mint signing key known to the customer here, as $K$ merely serves as proof to the customer that the mint selected this particular $\gamma$.} \item The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk. - \item The customer computes $\mathfrak{R} := \left(t_s^{(i)}, C_p^{(i)}, b^{(i)}\right)_{i \ne \gamma}$ + \item The customer computes $\mathfrak{R} := \left(t_s^{(i)}\right)_{i \ne \gamma}$ and sends $S_{C'}(\mathfrak{R})$ to the mint. \item \label{step:refresh-ccheck} The mint checks whether $\mathfrak{R}$ is consistent with the commitments; specifically, it computes for $i \not= \gamma$: @@ -837,20 +837,21 @@ generator of the elliptic curve. \begin{minipage}{5cm} \begin{align*} \overline{K}_i :&= H(t_s^{(i)} C_p'), \\ - (\overline{c}_s^{(i)}, \overline{b}_i) :&= D_{\overline{K}_i}(E^{(i)}), \\ + (\overline{c}_s^{(i)}, \overline{b_i}) :&= D_{\overline{K}_i}(E^{(i)}), \\ \overline{C^{(i)}_p} :&= \overline{c}_s^{(i)} G, \end{align*} \end{minipage} \begin{minipage}{5cm} \begin{align*} \overline{T_p^{(i)}} :&= t_s^{(i)} G, \\ \\ - \overline{B^{(i)}} :&= B_{b^{(i)}}(\overline{C_p^{(i)}}), + \overline{B^{(i)}} :&= B_{\overline{b_i}}(\overline{C_p^{(i)}}), \end{align*} \end{minipage} and checks if $\overline{B^{(i)}} = B^{(i)}$ and $\overline{T^{(i)}_p} = T^{(i)}_p$. + \item \label{step:refresh-done} If the commitments were consistent, the mint sends the blind signature $\widetilde{C} := S_{K}(B^{(\gamma)})$ to the customer. Otherwise, the mint responds @@ -1132,7 +1133,7 @@ coin first. \vec{D} \rangle$ containing the price of the offer $f$, a transaction ID $m$ and the list of mints $D_1, \ldots, D_n$ accepted by the merchant where each $D_j$ is a mint's public key. -\item\label{lock2} The customer must possess or acquire a coin $\widetilde{C}$ +\item\label{lock2} The customer must possess or acquire a coin $\widetilde{C}$ signed by a mint that is accepted by the merchant, i.e. $K$ should be signed by some $D_j \in \{D_1, D_2, \ldots, D_n\}$, and has a value $\geq f$. @@ -1144,13 +1145,13 @@ coin first. \item The merchant asks the mint to apply the lock by sending $\langle \mathcal{L} \rangle$ to the mint. \item The mint validates $\widetilde{C}$ and detects double spending - in the form of existing \emph{deposit-permission} or + in the form of existing \emph{deposit-permission} or lock-permission records for $\widetilde{C}$. If such records exist and indicate that insufficient funds are left, the mint sends those records to the merchant, who can then use the records to prove the double spending to the customer. - If double spending is not found, + If double spending is not found, the mint commits $\langle \mathcal{L} \rangle$ to disk and notifies the merchant that locking was successful. \item\label{contract2} The merchant creates a digitally signed contract @@ -1161,7 +1162,7 @@ coin first. \item The customer creates a \emph{deposit-permission} $\mathcal{D} := S_c(\widetilde{C}, \widetilde{L}, f, m, M_p, H(a), H(p, r))$, commits $\langle \mathcal{A}, \mathcal{D} \rangle$ to disk and sends $\mathcal{D}$ to the merchant. -\item\label{invoice_paid2} The merchant commits the received $\langle \mathcal{D} \rangle$ to disk. +\item\label{invoice_paid2} The merchant commits the received $\langle \mathcal{D} \rangle$ to disk. \item The merchant gives $(\mathcal{D}, p, r)$ to the mint, revealing his payment information. \item The mint verifies $(\mathcal{D}, p, r)$ for its validity and @@ -1178,7 +1179,7 @@ coin first. \end{enumerate} Finally, the mint sends a confirmation to the merchant. \item If the deposit record $\langle \mathcal{D}, p, r \rangle$ already exists, - the mint sends the confirmation to the merchant, + the mint sends the confirmation to the merchant, but does not transfer money to $p$ again. \end{enumerate}