From 4f6e71a842c07682351ac78a903c4c82ee26ffc1 Mon Sep 17 00:00:00 2001 From: Jeffrey Burdges Date: Thu, 11 May 2017 21:41:23 +0200 Subject: [PATCH] Just a start on taxability text, breaks the latex run probably --- doc/paper/taler.tex | 86 ++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 85 insertions(+), 1 deletion(-) diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex index 9b2bb8993..1d1c5dbab 100644 --- a/doc/paper/taler.tex +++ b/doc/paper/taler.tex @@ -991,7 +991,7 @@ than the comparable use of zk-SNARKs in ZeroCash~\cite{zerocash}. % %TODO: Explain, especially subtleties regarding session key / the spoofing attack that requires signature. -\subsection{Linking} +\subsection{Linking}\label{subsec:linking} % FIXME: What is \mathtt{link} ? 
@@ -1374,6 +1374,90 @@ data being persisted are represented in between $\langle\rangle$. \end{description} +\section{Taxability arguments} + +\begin{proposition} +An auditor can detect an exchange operating either the refresh or +linking protocol dishonestly. +\end{proposition} + +\begin{proof} +.. Not sure about this one .. +\end{proof} + +\begin{proposition} +If the exchange operates the refresh protocol honestly, then +a dishonest wallet looses $1 - {1 \over \kappa}$ of the value +of the coins it refreshes dishonestly. +\end{proposition} + +\begin{proof} +.. Can we reference something about cut and choose protocols? Or must we work this all out? .. +\end{proof} + +We say a coin is {\em controlled} by a user if the user's wallet knows +its secret scalar $c_s$, the signature $S$ of the appropriate denomination +key on its public key $C_s$, and the residual value of the coin. + +We assume the wallet cannot loose knowledge of a particular coin's +key material, and the wallet can query the exchange to learn the +residual value of the coin, so a wallet cannot loose control of +a coin. A wallet may loose the monetary value associated with a coin +if another wallet spends it however. + +We say a user Alice {\em owns} a coin $C$ if only Alice's wallets can +gain control of $C$ using standard interactions with the exchange. +In other words, ownership means exclusive control not just in the +present, but in the future even if another user interacts with the +exchange. + +\begin{theorem} +Let $C$ denote a coin controlled by users Alice and Bob. +Suppose Bob creates a coin $C'$ from $C$ using the refresh protocol. +Assuming the exchange and Bob operated the refresh protocol correctly, +and that they continue to operate the linking protocol + \S\ref{subsec:linking} correctly, +then Alice can gain control of $C'$ using the linking protocol. 
+\end{theorem} + +\begin{proof} +Alice may run the linking protocol to obtain all transfer keys $T^i$, +blindings $B^i$ associated to $C$, and those coins denominations, +including the $T'$ for $C'$. + +We assumed both the exchange and Bob operated the refresh protocol +correctly, so now $c_s T'$ is the seed from which $C'$ was generated. +Alice rederives both $c_s$ and the blinding factor to unblind the +denomination key signature on $C'$. Alice finally asks the exchange +for the residual value on $C'$ and runs the linking protocol to +determine if it was refreshed too. +\end{proof} + + +\section{Privacy arguments} + +We consider two coins $C_1$ and $C_2$ created by the same withdrawal +or refresh operation. We say they are {\em linkable} if +some probabilistic polynomial time adversary has a non-negligible +advantage in guessing which two of $\{ C_0, C_1, C_2 \}$ were +created together, where $C_0$ is an unrelated third coin. + +% TODO: Compare this definition with some from the literature + +.. reference literate about withdrawal .. + +\begin{proposition} +If two coins created by refresh are linkable, then some +probabilistic polynomial time adversary has a non-negligible +advantage in determining that their seeds ... +... +\end{proposition} + +\begin{proof} +... random oracle .. +\end{proof} + + \end{document}
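Review bot: The first hunk only attaches `\label{subsec:linking}` to the Linking subsection, which is fine and matches the `\S\ref{subsec:linking}` used later in the theorem statement, but the `% FIXME: What is \mathtt{link} ?` comment directly under it is left standing, and the new taxability proof now depends on exactly what this subsection specifies (that linking returns the transfer keys $T^i$, the blindings $B^i$ and the denominations of the refreshed coins). Either resolve that FIXME in the same change or reference the linking protocol's outputs explicitly where the label is introduced, so the later proof does not cite a subsection whose definition of `link` is still marked as unclear.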
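Review bot: In the proof of the linking theorem (second hunk), "Alice rederives both $c_s$ and the blinding factor to unblind the denomination key signature on $C'$" uses the wrong symbol: $c_s$ was defined in the control paragraph as the secret scalar of $C$, which Alice already holds, and what she derives from the seed $c_s T'$ is the secret scalar of the new coin $C'$, so this should be a distinct symbol (e.g. $c'_s$, consistent with $T'$ for $C'$), and the blinding factor she recovers should be named with the $B^i$ notation introduced two lines earlier. Four spellings in the same hunk need fixing: "looses $1 - {1 \over \kappa}$", "cannot loose knowledge", "cannot loose control" and "may loose the monetary value" should all be "lose/loses"; "those coins denominations" needs the possessive "those coins' denominations"; and "reference literate about withdrawal" should read "literature". The second proposition should also say whether the loss $1 - {1 \over \kappa}$ is an expected loss or holds per refresh, since the proof placeholder appeals to cut-and-choose, where detection of a dishonest wallet is probabilistic; while there, prefer `\frac{1}{\kappa}` over the plain-TeX `\over`. Finally, `\begin{proposition}` and `\begin{theorem}` compile only if the preamble declares them with `\newtheorem` (the commit message itself expects the LaTeX run to break), and the `.. Not sure about this one ..`, `... random oracle ..` and truncated "advantage in determining that their seeds ..." placeholders should be turned into `% TODO` comments, as the hunk already does for the linkability definition, so that a build does not typeset them as finished text.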