From 49f590d8dc88260741f035b7b1858e4e74d5ea45 Mon Sep 17 00:00:00 2001 From: Florian Dold Date: Mon, 15 May 2017 15:40:12 +0200 Subject: [PATCH] fc17 reviews --- doc/paper/taler_FC2017.txt | 86 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 doc/paper/taler_FC2017.txt diff --git a/doc/paper/taler_FC2017.txt b/doc/paper/taler_FC2017.txt new file mode 100644 index 000000000..7724bef58 --- /dev/null +++ b/doc/paper/taler_FC2017.txt 
@@ -0,0 +1,86 @@ +----------------------- REVIEW 1 --------------------- +PAPER: 46 +TITLE: Refreshing Coins for Giving Change and Refunds in Chaum-style Anonymous Payment Systems +AUTHORS: Florian Dold, Sree Harsha Totakura, Benedikt Müller, Jeff Burdges and Christian Grothoff + +Overall evaluation: -2 + +----------- Overall evaluation ----------- +This paper proposes an anonymous payment system called Taler, based on the Chaum’s blind signature scheme. Taler employs a new refresh protocol that allows fractional payments and refunds while providing the unlinkability and untraceability. The refresh protocol uses the cut-and-choose technique to assure that the protocol is not abused for evading taxation. + +Comment: The correctness of the refresh protocol does not hold. The \bar{B(i)} computed by the exchange is not equal to B(i) computed by the honest customer, as \bar{Cp(i)} is not equal to FDHK(Cp(i)). This paper does not provide a security proof or even an informal security analysis for the proposed anonymous payment system Taler, such that Taler may be insecure. I find two (possible) attacks against the refresh protocol. As the exchange does not check the validity of the public key Cp′ , the attacker can send an arbitrary public key to the exchange that will accept, and obtain a fresh coin. The attacker can spend partially a coin multiple times via refreshing the coin and obtaining a fresh coin in turn, as the refresh protocol only transforms a dirty coin into a fresh coin with the same denomination. The misbehavior will not be detected by the exchange, as the fresh coin is unlinkable to the original coin. The implementation of Taler in this paper is unclear. For example! + , the security level, the RSA modulus, and the elliptic curve etc. are not described. Moreover, the average time of the withdrawal, spending, refreshing protocols are not provided. The authors also do not compare Taler with other known anonymous payment systems. 
Thus, the efficiency of Taler is unclear. + +Additional Comment: The description of the protocols of Taler omits many details. In particular, the authors should describe in detail how the refunds are executed using the refresh protocol, as the authors claim that the refresh protocol allows refunds as a contribution. Furthermore, the authors should interpret the notation FDHK, and cite the reference for EdDSA. The title of Subsection 3.1 may be misleading, as this subsection does not describe the security model. The authors should rename the title. The “We have computed Li…” in Subsection 4.3 should be L(i). + + +----------------------- REVIEW 2 --------------------- +PAPER: 46 +TITLE: Refreshing Coins for Giving Change and Refunds in Chaum-style Anonymous Payment Systems +AUTHORS: Florian Dold, Sree Harsha Totakura, Benedikt Müller, Jeff Burdges and Christian Grothoff + +Overall evaluation: -2 + +----------- Overall evaluation ----------- +This paper proposes a new e-cash, named Taler, where the bank (or else called exchange) is online during the spending protocol to allow for double-spending detection. Taler allows for spending coins of various denominations by allowing a user to only spend a value v1 cryptographically +Sec 4.2, Step 1 “a exchange” -> an exchange +Sec 4.3, 3rd line should be -> at the same time + + +----------------------- REVIEW 3 --------------------- +PAPER: 46 +TITLE: Refreshing Coins for Giving Change and Refunds in Chaum-style Anonymous Payment Systems +AUTHORS: Florian Dold, Sree Harsha Totakura, Benedikt Müller, Jeff Burdges and Christian Grothoff + +Overall evaluation: -1 + +----------- Overall evaluation ----------- +The paper introduces a variant's of Chaum's e-cash scheme (with an +on-line bank); the main novelty is a "refresh" protocol which enables +a user to exchange a coin for a new blinded one. 
The reason for +wanting this features is that it enables refunds from a merchant that +later can be refreshed into "clean" coins that are unlinkable to the +refunded coins. The protocol is based on what appears to be a standard +cut-and-choose approach, which does not appear to be particularly +novel. On the postive side, the problem appears a natural and if it +hasn't been done before certainly useful. On the negative side, since +the paper does not contain any formal definitions, or even semi-formal +specifications of the desiderata, it is very hard to understand what +actually is acheived. Furthermore, no proofs of security are given, +and even the protocol is hard to fully understand. As such, I would +suggest the authors to first formalize their approach and +resubmitting.
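Review bot: The added doc/paper/taler_FC2017.txt appears to have lost text during the paste, so the committed copy of the reviews is incomplete. In the REVIEW 2 block the evaluation paragraph ends mid-sentence at "allowing a user to only spend a value v1 cryptographically" and jumps straight to the typo list ("Sec 4.2, Step 1 “a exchange” -> an exchange"), and in REVIEW 1 the line "For example!" followed by a line starting ", the security level, the RSA modulus" reads as an e-mail line-wrap artifact rather than the reviewer's wording. Suggest re-copying the reviews from the original notification before merging, and joining the wrapped "For example!" / ", the security level" lines so the stored reviews match what was actually sent.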