more figures
This commit is contained in:
parent
4cfcf842fe
commit
4c1c8e405b
47
doc/system/taler/coin.dot
Normal file
47
doc/system/taler/coin.dot
Normal file
@ -0,0 +1,47 @@
|
|||||||
|
digraph Coin {
|
||||||
|
|
||||||
|
planchet [color=blue, shape="box"];
|
||||||
|
fresh [color=blue, label="fresh coin", shape="box"];
|
||||||
|
rs [color=blue, label="refresh session", shape="box"];
|
||||||
|
partial [color=blue, label="dirty coin", shape="box"];
|
||||||
|
revoked [color=blue, label="revoked coin", shape="box"];
|
||||||
|
zombie [color=blue, label="zombie coin", shape="box"];
|
||||||
|
spent [color=blue, label="spent coin", shape="doublecircle"];
|
||||||
|
expired [color=blue, label="expired coin", shape="doublecircle"];
|
||||||
|
|
||||||
|
subgraph {
|
||||||
|
rank = same; spent; expired;
|
||||||
|
}
|
||||||
|
|
||||||
|
subgraph {
|
||||||
|
withdraw; melt;
|
||||||
|
}
|
||||||
|
|
||||||
|
subgraph {
|
||||||
|
rank = same; melt; reveal; rs;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
planchet->withdraw;
|
||||||
|
planchet->melt;
|
||||||
|
withdraw->fresh;
|
||||||
|
fresh->deposit;
|
||||||
|
fresh->melt;
|
||||||
|
deposit->partial;
|
||||||
|
deposit->spent;
|
||||||
|
melt->rs;
|
||||||
|
rs->reveal;
|
||||||
|
reveal->fresh;
|
||||||
|
melt->partial;
|
||||||
|
melt->spent;
|
||||||
|
spent->refund;
|
||||||
|
refund->partial;
|
||||||
|
partial->expired [style=dotted];
|
||||||
|
partial->melt;
|
||||||
|
partial->deposit [color=red];
|
||||||
|
fresh->expired [style=dotted];
|
||||||
|
fresh->revoked [style=dotted];
|
||||||
|
revoked->recoup;
|
||||||
|
recoup->zombie;
|
||||||
|
zombie->melt;
|
||||||
|
}
|
BIN
doc/system/taler/coin.pdf
Normal file
BIN
doc/system/taler/coin.pdf
Normal file
Binary file not shown.
31
doc/system/taler/deposit.dot
Normal file
31
doc/system/taler/deposit.dot
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
digraph Deposit {
|
||||||
|
|
||||||
|
deposited [color=blue, label="deposit created", shape="box"];
|
||||||
|
ready [color=blue, label="deposit ready", shape="box"];
|
||||||
|
due [color=blue, label="deposit due", shape="box"];
|
||||||
|
tiny [color=blue, label="deposit tiny", shape="box"];
|
||||||
|
done [color=blue, label="deposit done", shape="doublecircle"];
|
||||||
|
wtid [color=blue, label="pending transfer", shape="box"];
|
||||||
|
finished [color=blue, label="finished transfer", shape="doublecircle"];
|
||||||
|
|
||||||
|
subgraph {
|
||||||
|
rank = same; due; tiny;
|
||||||
|
}
|
||||||
|
|
||||||
|
pay->deposited;
|
||||||
|
deposited->ready [style=dotted];
|
||||||
|
deposited->refund;
|
||||||
|
refund->deposited;
|
||||||
|
refund->ready;
|
||||||
|
refund->done;
|
||||||
|
ready->due [style=dotted];
|
||||||
|
ready->refund;
|
||||||
|
aggregate->tiny;
|
||||||
|
due->aggregate;
|
||||||
|
ready->aggregate;
|
||||||
|
tiny->aggregate;
|
||||||
|
aggregate->done;
|
||||||
|
aggregate->wtid;
|
||||||
|
wtid->transfer;
|
||||||
|
transfer->finished;
|
||||||
|
}
|
BIN
doc/system/taler/deposit.pdf
Normal file
BIN
doc/system/taler/deposit.pdf
Normal file
Binary file not shown.
@ -150,16 +150,19 @@ funds. If a wire transfer to the exchange does not include a valid reserve publ
|
|||||||
the exchange transfers the money back to the sender.
|
the exchange transfers the money back to the sender.
|
||||||
|
|
||||||
Figure~\ref{fig:reserve:state} illustrates the state machine for a reserve.
|
Figure~\ref{fig:reserve:state} illustrates the state machine for a reserve.
|
||||||
Long-terms states are shown in boxes, while actions are in circles. The
|
Long-terms states are shown in boxes, while actions are in circles. The final
|
||||||
final state is in a double-circle.
|
state is in a double-circle. A reserve is first {\em filled} by a wire
|
||||||
A reserve is first {\em filled} by a wire transfer. The amount in it is reduced
|
transfer. The amount in it is reduced by withdraw operations. If the balance
|
||||||
by withdraw operations. If the balance reaches zero, the reserve is
|
reaches zero, the reserve is {\em drained}. If a reserve is not drained after
|
||||||
{\em drained}. If a reserve is not drained after a certain amount of time,
|
a certain amount of time, it is automatically closed. A reserve can also be
|
||||||
it is automatically closed. A reserve can also be filled via a recoup
|
filled via a recoup action (see Section~\ref{sec:revocation-recoup}) in case
|
||||||
action in case that the denomination of an unspent coin that was
|
that the denomination of an unspent coin that was withdrawn from the reserve
|
||||||
withdrawn from the reserve is revoked.
|
is revoked.
|
||||||
|
|
||||||
\begin{figure}
|
\begin{figure}
|
||||||
\includegraphics{reserve.pdf}
|
\begin{center}
|
||||||
|
\includegraphics{taler/reserve.pdf}
|
||||||
|
\end{center}
|
||||||
\caption{State machine of a reserve.}
|
\caption{State machine of a reserve.}
|
||||||
\label{fig:reserve:states}
|
\label{fig:reserve:states}
|
||||||
\end{figure}
|
\end{figure}
|
||||||
@ -261,11 +264,13 @@ deposit confirmation or an error that indicates double spending.
|
|||||||
When a coin is used in a completed or attempted/aborted payment, the coin's
|
When a coin is used in a completed or attempted/aborted payment, the coin's
|
||||||
public key is revealed to the merchant/exchange, and further payments with the
|
public key is revealed to the merchant/exchange, and further payments with the
|
||||||
remaining amount would be linkable to the first spending event. To obtain
|
remaining amount would be linkable to the first spending event. To obtain
|
||||||
unlinkable change for a partially spent (or otherwise revealed coin), GNU Taler
|
unlinkable change for a partially spent (or otherwise revealed coin), GNU
|
||||||
introduces a \emph{refresh protocol}. The refresh protocol allows the customer
|
Taler introduces the \emph{refresh protocol}, which consists of three steps:
|
||||||
to obtain new coins for the remaining amount on a coin. The old coin is marked
|
\emph{melt}, \emph{reveal} and \emph{link}. The refresh protocol allows the
|
||||||
as spent after it has been refreshed into new coins. Using blind signatures to
|
customer to obtain new coins for the remaining amount on a coin. The old coin
|
||||||
withdraw the refreshed coins makes them unlinkable from the old coin.
|
is marked as spent after it has been melted, while the reveal step generates
|
||||||
|
the fresh coins. Using blind signatures to withdraw the refreshed coins makes
|
||||||
|
them unlinkable from the old coin.
|
||||||
|
|
||||||
% FIXME: talk about logarithmic time, simulation
|
% FIXME: talk about logarithmic time, simulation
|
||||||
|
|
||||||
@ -317,6 +322,7 @@ over the funds. A useful application for sharing are peer-to-peer payments
|
|||||||
between mutually trusting parties, such as families and friends.
|
between mutually trusting parties, such as families and friends.
|
||||||
|
|
||||||
\subsection{Aggregation}
|
\subsection{Aggregation}
|
||||||
|
|
||||||
For each payment, the merchant can specify a deadline before which the exchange
|
For each payment, the merchant can specify a deadline before which the exchange
|
||||||
must issue a wire transfer to the merchant's bank account. Before this
|
must issue a wire transfer to the merchant's bank account. Before this
|
||||||
deadline occurs, multiple payments from deposited coins to the same merchant
|
deadline occurs, multiple payments from deposited coins to the same merchant
|
||||||
@ -326,8 +332,38 @@ transaction. To incentivize merchants to choose a longer wire transfer
|
|||||||
deadline, the exchange can charge the merchant a fee per aggregated wire
|
deadline, the exchange can charge the merchant a fee per aggregated wire
|
||||||
transfer.
|
transfer.
|
||||||
|
|
||||||
|
Figure~\ref{fig:deposit:states} illustrates the state machine for processing
|
||||||
|
deposits. Long-terms states are shown in boxes, while actions are in circles.
|
||||||
|
The final state is in a double-circle. Dashed arrows show transitions based
|
||||||
|
on timing and not external actions. A deposit is first {\em created} when a
|
||||||
|
wallet makes a payment. A deposit comes with a {\em refund deadline}, and the
|
||||||
|
wire transfer must not happen before that deadline. Once the refund deadline
|
||||||
|
has passed, the deposit becomes {\em ready}. Even if a deposit is ready, it
|
||||||
|
is not automatically wired. In fact, deposits may still be {\em refunded} in
|
||||||
|
this state. A refund may be full (resulting in the deposit being {\em done})
|
||||||
|
or partial, in which case the remaining value is left in the same deposit
|
||||||
|
state. A deposit comes with a second deadline, the {\em wire deadline}. Once
|
||||||
|
that deadline has passed, the deposit is {\em due} and must be {\em
|
||||||
|
aggregated}. Aggregation combines {\bf all} deposits that are {\em due},
|
||||||
|
{\em tiny} or {\em ready} into one wire transfer. However, the amount of even
|
||||||
|
an aggregated deposit may be too small to be executed by the banking
|
||||||
|
system. In this case, the deposit transitions into the special state {\em
|
||||||
|
tiny} until the aggregated amount meets the amount threshold. Once
|
||||||
|
aggregated, the deposits are {\em done}. A wire transfer is first prepared
|
||||||
|
and then {\em pending}. The transfer is {\em finished} once the bank has
|
||||||
|
confirmed the {\em transfer}.
|
||||||
|
|
||||||
|
\begin{figure}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[scale=0.8]{taler/deposit.pdf}
|
||||||
|
\end{center}
|
||||||
|
\caption{State machine of a deposit.}
|
||||||
|
\label{fig:deposit:states}
|
||||||
|
\end{figure}
|
||||||
|
|
||||||
|
|
||||||
\subsection{Refunds}
|
\subsection{Refunds}
|
||||||
|
|
||||||
The aggregation period also opens the opportunity for cheap \emph{refunds}. If
|
The aggregation period also opens the opportunity for cheap \emph{refunds}. If
|
||||||
a customer is not happy with their product, the merchant can instruct the
|
a customer is not happy with their product, the merchant can instruct the
|
||||||
exchange to give the customer a refund before the wire transfer deadline has
|
exchange to give the customer a refund before the wire transfer deadline has
|
||||||
@ -335,10 +371,10 @@ occurred. This effectively ``undoes'' the deposit of the coin, and restores the
|
|||||||
available amount left on it. The refresh protocol is then used by the customer
|
available amount left on it. The refresh protocol is then used by the customer
|
||||||
on the coins involved in a refund, so that payments remain unlinkable.
|
on the coins involved in a refund, so that payments remain unlinkable.
|
||||||
|
|
||||||
|
|
||||||
% FIXME: mention EU customer laws / 14 weeks?
|
% FIXME: mention EU customer laws / 14 weeks?
|
||||||
|
|
||||||
\subsection{Fees}
|
\subsection{Fees}
|
||||||
|
|
||||||
In order to subsidize the operation of the exchange and enable a sustainable
|
In order to subsidize the operation of the exchange and enable a sustainable
|
||||||
business model, the exchange can charge fees for most operations. For
|
business model, the exchange can charge fees for most operations. For
|
||||||
withdrawal, refreshing, deposit and refunds, the fee is dependent on the denomination,
|
withdrawal, refreshing, deposit and refunds, the fee is dependent on the denomination,
|
||||||
@ -374,6 +410,7 @@ the total expected amount that it needs to pay for wire fees.
|
|||||||
|
|
||||||
|
|
||||||
\subsection{The Withdraw Loophole and Tipping}\label{taler:design:tipping}
|
\subsection{The Withdraw Loophole and Tipping}\label{taler:design:tipping}
|
||||||
|
|
||||||
The withdraw protocol can be (ab)used to illicitly transfer money, when the
|
The withdraw protocol can be (ab)used to illicitly transfer money, when the
|
||||||
receiver generates the coin's secret key, and gives the public key to the party
|
receiver generates the coin's secret key, and gives the public key to the party
|
||||||
executing the withdraw protocol. We call this the ``withdraw loophole''. This
|
executing the withdraw protocol. We call this the ``withdraw loophole''. This
|
||||||
@ -437,12 +474,14 @@ financial regulator, fulfilling the following functionality:
|
|||||||
% FIXME: discuss indian merchant scenario
|
% FIXME: discuss indian merchant scenario
|
||||||
|
|
||||||
\subsection{Exchange Compromise Modes}
|
\subsection{Exchange Compromise Modes}
|
||||||
|
|
||||||
The exchange is an attractive target for hackers and insider threats. We now
|
The exchange is an attractive target for hackers and insider threats. We now
|
||||||
discuss different ways that the exchange can be compromised, how to reduce the
|
discuss different ways that the exchange can be compromised, how to reduce the
|
||||||
likelihood of such a compromise, and how to detect and react to such an event
|
likelihood of such a compromise, and how to detect and react to such an event
|
||||||
if it happens.
|
if it happens.
|
||||||
|
|
||||||
\subsubsection{Compromise of Denomination Keys and Revocation}\label{sec:revocation-recoup}
|
\subsubsection{Compromise of Denomination Keys and Revocation}\label{sec:revocation-recoup}
|
||||||
|
|
||||||
When a denomination key pair is compromised, an attacker can ``print money'' by
|
When a denomination key pair is compromised, an attacker can ``print money'' by
|
||||||
using it to sign coins of that denomination. An exchange (or its auditor) can
|
using it to sign coins of that denomination. An exchange (or its auditor) can
|
||||||
detect this when the number of deposits for a certain denomination exceed the
|
detect this when the number of deposits for a certain denomination exceed the
|
||||||
@ -512,7 +551,10 @@ pre-programmed with a limit on the number of signatures it can produce. This
|
|||||||
might be mandated by certain auditors, who will also audit the operational
|
might be mandated by certain auditors, who will also audit the operational
|
||||||
security of an exchange as part of the certification process.
|
security of an exchange as part of the certification process.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
\subsubsection{Compromise of Signing Keys}
|
\subsubsection{Compromise of Signing Keys}
|
||||||
|
|
||||||
When a signing key is compromised, the attacker can pretend to be a
|
When a signing key is compromised, the attacker can pretend to be a
|
||||||
merchant and forge deposit confirmations. To forge a deposit
|
merchant and forge deposit confirmations. To forge a deposit
|
||||||
confirmation, the attacker also needs to get a customer to sign a
|
confirmation, the attacker also needs to get a customer to sign a
|
||||||
@ -594,6 +636,7 @@ probabilistic deposit auditing, and honest merchants have proper
|
|||||||
incentives to participate in the process.
|
incentives to participate in the process.
|
||||||
|
|
||||||
\subsubsection{Compromise of the Database}
|
\subsubsection{Compromise of the Database}
|
||||||
|
|
||||||
If an adversary would be able to modify the exchange, this would be detected
|
If an adversary would be able to modify the exchange, this would be detected
|
||||||
rather quickly by the auditor, provided that the database has appropriate
|
rather quickly by the auditor, provided that the database has appropriate
|
||||||
integrity mechanisms. An attacker could also prevent database updates to block
|
integrity mechanisms. An attacker could also prevent database updates to block
|
||||||
@ -602,6 +645,7 @@ equivalent to the compromise of signing keys, and can be detected with the same
|
|||||||
strategies.
|
strategies.
|
||||||
|
|
||||||
\subsubsection{Compromise of the Master Key}
|
\subsubsection{Compromise of the Master Key}
|
||||||
|
|
||||||
If the master key was compromised, an attacker could de-anonymize customers by
|
If the master key was compromised, an attacker could de-anonymize customers by
|
||||||
announcing different sets of denomination keys to each of them. If the
|
announcing different sets of denomination keys to each of them. If the
|
||||||
exchange was audited, this would be detected quickly, as these denominations
|
exchange was audited, this would be detected quickly, as these denominations
|
||||||
@ -669,6 +713,57 @@ that they cannot immediately spend. Unfortunately our approach is limited to a
|
|||||||
kidnapping scenario, and not applicable in those blackmail scenarios where the
|
kidnapping scenario, and not applicable in those blackmail scenarios where the
|
||||||
attacker can do damage after they find out that their funds have been erased.
|
attacker can do damage after they find out that their funds have been erased.
|
||||||
|
|
||||||
|
\subsection{Summary}
|
||||||
|
|
||||||
|
Figure~\ref{fig:coin:states} illustrates the overall state machine for processing
|
||||||
|
coins. Long-terms states are shown in boxes, while actions are in circles.
|
||||||
|
The final state is in a double-circle. Dashed arrows show transitions based
|
||||||
|
on timing and not external actions. The red arrow shows an action that is
|
||||||
|
allowed by the exchange but should never be done by wallets as it would
|
||||||
|
break unlinkability.
|
||||||
|
|
||||||
|
A coin begins as an unsigned {\em planchet}, which is either signed as part of
|
||||||
|
the {\em withdraw} protocol or the refresh protocol. The most common scenario
|
||||||
|
is that the {\em fresh coin} is {\em deposited}. This payment creates a
|
||||||
|
deposit (see Figure~\ref{fig:deposit:states}) and either a {\em dirty coin}
|
||||||
|
(if the payment was for a fraction of the coin's value) or a {\em spent coin}.
|
||||||
|
A spent coin can be {\em refunded} by the merchant (until the deposit is due),
|
||||||
|
creating a {\em dirty coin}.
|
||||||
|
|
||||||
|
A {\em fresh coin} may also be subject to key {\em revocation}, at which point
|
||||||
|
the wallet ends up with a {\em revoked coin}. At this point, the wallet can
|
||||||
|
use the {\em recoup} protocol to recover the value of the coin. If the coin
|
||||||
|
originated from a {\em withdraw} operation, the value is added back into the
|
||||||
|
reserve, which is {\em filled} in the process (see
|
||||||
|
Figure~\ref{fig:reserve:states}). If the coin originated from the {\em
|
||||||
|
refresh} operation, this results in the old coin turning into a {\em zombie
|
||||||
|
coin}, which can be refreshed again.
|
||||||
|
|
||||||
|
Dirty coins and fresh coins can be {\em melted}. Dirty coins should always be
|
||||||
|
melted automatically by the wallet as soon as possible as this is the only
|
||||||
|
good way to use them while preserving unlinkability. A wallet should also
|
||||||
|
automatically {\em melt} any {\em fresh coins} that are in danger of their
|
||||||
|
denomination key nearing its (deposit) {\em expiration} time. If a wallet
|
||||||
|
fails to do so, coins may {\em expire}, resulting in a loss for the coin's
|
||||||
|
owner. Dirty coins can also expire. In practice, this happens if the melt fee
|
||||||
|
exceeds the residual value of the dirty coin. To {\em melt} a coin, the
|
||||||
|
wallet must commit to one or more {\em planchets} and then demonstrate honesty
|
||||||
|
when the committment made for the {\em refresh session} is checked during the
|
||||||
|
{\em reveal} step. If the wallet was honest, {\em reveal} yields {\em fresh
|
||||||
|
coins}.
|
||||||
|
|
||||||
|
\begin{figure}
|
||||||
|
\begin{center}
|
||||||
|
\includegraphics[scale=0.75]{taler/coin.pdf}
|
||||||
|
\end{center}
|
||||||
|
\caption{State machine of a coin.}
|
||||||
|
\label{fig:coin:states}
|
||||||
|
\end{figure}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
\section{Related Work}
|
\section{Related Work}
|
||||||
% FIXME: Stuff to review/include:
|
% FIXME: Stuff to review/include:
|
||||||
% Blindly Signed Contracts: Anonymous On-Blockchain and Off-Blockchain Bitcoin Transactions
|
% Blindly Signed Contracts: Anonymous On-Blockchain and Off-Blockchain Bitcoin Transactions
|
||||||
|
@ -907,7 +907,7 @@ The following APIs are offered by the exchange:
|
|||||||
the merchant additionally can use the exchange's \texttt{/transfers/\$WTID} API that returns the list of deposits for a wire transfer
|
the merchant additionally can use the exchange's \texttt{/transfers/\$WTID} API that returns the list of deposits for a wire transfer
|
||||||
identifier (WTID) included in the wire transfer to the merchant, as well as the \texttt{/deposits/\$H\_WIRE/\$MERCHANT\_PUB/\$H\_CONTRACT\_TERMS/\$COIN\_PUB} API to look up
|
identifier (WTID) included in the wire transfer to the merchant, as well as the \texttt{/deposits/\$H\_WIRE/\$MERCHANT\_PUB/\$H\_CONTRACT\_TERMS/\$COIN\_PUB} API to look up
|
||||||
which wire transfer included the payment for a given deposit.
|
which wire transfer included the payment for a given deposit.
|
||||||
\item[Refresh] Refreshing consists of two stages. First, using \texttt{/coins/\$COIN\_PUB/melt} an old, possibly dirty coin is melted and thus devaluted. The committment made by the wallet during the melt and the resulting $\gamma$-challenge from the exchange are associated with a {\em refresh session}. Then, using \texttt{/refreshes/$RCH/reveal} the wallet can answer the challenge and obtain fresh coins as change. Finally, \texttt{/coins/\$COIN\_PUB/link} provides the link deterrent against refresh abuse.
|
\item[Refresh] Refreshing consists of two stages. First, using \texttt{/coins/\$COIN\_PUB/melt} an old, possibly dirty coin is melted and thus devaluted. The committment made by the wallet during the melt and the resulting $\gamma$-challenge from the exchange are associated with a {\em refresh session}. Then, using \texttt{/refreshes/\$RCH/reveal} the wallet can answer the challenge and obtain fresh coins as change. Finally, \texttt{/coins/\$COIN\_PUB/link} provides the link deterrent against refresh abuse.
|
||||||
\item[Refunds] The refund API (\texttt{/coins/\$COIN\_PUB/refund}) can ``undo'' a deposit if the merchant gave their signature, and the aggregation deadline
|
\item[Refunds] The refund API (\texttt{/coins/\$COIN\_PUB/refund}) can ``undo'' a deposit if the merchant gave their signature, and the aggregation deadline
|
||||||
for the payment has not occurred yet.
|
for the payment has not occurred yet.
|
||||||
\item[Recoup] The recoup API (\texttt{/coins/\$COIN\_PUB/recoup}) allows customers to be compensated
|
\item[Recoup] The recoup API (\texttt{/coins/\$COIN\_PUB/recoup}) allows customers to be compensated
|
||||||
|
Loading…
Reference in New Issue
Block a user