taler/exchange
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fixing typos

Browse Source
This commit is contained in:
Christian Grothoff 2016-11-12 13:26:07 +01:00
parent ffdb5b52e9
commit 5e5d6b9bf5
No known key found for this signature in database
GPG Key ID: 939E6BE1E29FC3CC
1 changed files with 24 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
doc/paper/taler.tex
View File

@ -212,7 +212,7 @@ major irredeemable problems inherent in their designs:
\item The computational puzzles solved by Bitcoin nodes with the purpose \item The computational puzzles solved by Bitcoin nodes with the purpose
of securing the blockchain consume a considerable amount of energy. of securing the blockchain consume a considerable amount of energy.
So Bitcoin is an environmentally irresponsible design. So Bitcoin is an environmentally irresponsible design.
\item Bitcoin transactions have pseduononymous recipients, making taxation \item Bitcoin transactions have pseudonymous recipients, making taxation
hard to systematically enforce. hard to systematically enforce.
\item Bitcoin introduces a new currency, creating additional \item Bitcoin introduces a new currency, creating additional
financial risks from currency fluctuation. financial risks from currency fluctuation.
@ -221,7 +221,7 @@ major irredeemable problems inherent in their designs:
cost to initially create coins cheaply as the proof-of-work cost to initially create coins cheaply as the proof-of-work
difficulty adjusts to the computation power of all difficulty adjusts to the computation power of all
miners in the network. As participants are miners in the network. As participants are
de facto investors, AltCoins become a form of ponzi scheme. de facto investors, AltCoins become a form of Ponzi scheme.
% As a result, dozens of % As a result, dozens of
% AltCoins have been created, often without any significant changes to the % AltCoins have been created, often without any significant changes to the
% technology. A large number of AltCoins creates additional overheads for % technology. A large number of AltCoins creates additional overheads for
@ -230,7 +230,7 @@ major irredeemable problems inherent in their designs:
Bitcoin also lacks anonymity, as all Bitcoin transactions are recorded Bitcoin also lacks anonymity, as all Bitcoin transactions are recorded
for eternity, which can enable identification of users. Anonymous for eternity, which can enable identification of users. Anonymous
payment systems based on BitCoin such as CryptoNote~\cite{cryptonote} payment systems based on Bitcoin such as CryptoNote~\cite{cryptonote}
(Monero), Zerocash~\cite{zerocash} (ZCash) and BOLT~\cite{BOLT} (Monero), Zerocash~\cite{zerocash} (ZCash) and BOLT~\cite{BOLT}
exacerbate the design issues we mention above. These systems exploit the exacerbate the design issues we mention above. These systems exploit the
blockchain's decentralized nature to escape anti-money laundering blockchain's decentralized nature to escape anti-money laundering
@ -242,7 +242,7 @@ disintermediated transactions.
%each coin via e-mail addresses and phone numbers. While it is unclear %each coin via e-mail addresses and phone numbers. While it is unclear
%from their technical description how this identification would be %from their technical description how this identification would be
%enforced against a determined adversary, the resulting payment system %enforced against a determined adversary, the resulting payment system
%would also merely impose a financial panopticon on a BitCoin-style %would also merely impose a financial panopticon on a Bitcoin-style
%money supply and transaction model. %money supply and transaction model.
%\subsection{Chaum-style electronic cash} %\subsection{Chaum-style electronic cash}
@ -265,7 +265,7 @@ key reasons for DigiCash's failure include:
% feature relevant, but today network connectivity is feasible for most % feature relevant, but today network connectivity is feasible for most
% merchants, and saves both the exchange and merchants the business risks % merchants, and saves both the exchange and merchants the business risks
% associated with deferred fraud detection. % associated with deferred fraud detection.
\item % In addition to the risk of legal disputes with fraudulent \item % In addition to the risk of legal disputes wh fraudulent
% merchants and customers, % merchants and customers,
Chaum's published design does not clearly Chaum's published design does not clearly
limit the financial damage a exchange might suffer from the limit the financial damage a exchange might suffer from the
@ -313,7 +313,7 @@ rather expensive.
In pure blind signature based schemes like Taler, withdrawal and spend In pure blind signature based schemes like Taler, withdrawal and spend
operations require bandwidth logarithmic in the value being withdrawn operations require bandwidth logarithmic in the value being withdrawn
or spent. In~\cite{Camenisch05compacte-cash}, there is a zero-knoledge or spent. In~\cite{Camenisch05compacte-cash}, there is a zero-knowledge
scheme that improves upon this, requiring only constant bandwidth for scheme that improves upon this, requiring only constant bandwidth for
withdrawals and spend operations, but unfortunately the exchanges' storage and withdrawals and spend operations, but unfortunately the exchanges' storage and
search costs become linear in the total value of all transactions. search costs become linear in the total value of all transactions.
@ -321,11 +321,11 @@ search costs become linear in the total value of all transactions.
%an open problem stated already in~\cite{Camenisch05compacte-cash}. %an open problem stated already in~\cite{Camenisch05compacte-cash}.
% NO: he cannot give change, so that does not really work! % NO: he cannot give change, so that does not really work!
As described, the scheme employs offline double spending protection, As described, the scheme employs offline double spending protection,
which inherently makes it fragile and creates an unneccessary which inherently makes it fragile and creates an unnecessary
deanonymization risk (see Section~\ref{sec:offline}). deanonymization risk (see Section~\ref{sec:offline}).
%We believe the offline protection from double %We believe the offline protection from double
%spending could be removed, thus switching the scheme to only protection %spending could be removed, thus switching the scheme to only protection
%against online doulbe spending, like Taler. %against online double spending, like Taler.
% TOO much detail... % TOO much detail...
% %
%Along with fixing these two issues, an interesting applied research project %Along with fixing these two issues, an interesting applied research project
@ -334,13 +334,13 @@ deanonymization risk (see Section~\ref{sec:offline}).
%unacceptable financial risks to the exchange, due to underdeveloped %unacceptable financial risks to the exchange, due to underdeveloped
%implementation practice. %implementation practice.
% %
% SHORTER: Maybe some of the abbove could be thinned since % SHORTER: Maybe some of the above could be thinned since
% they do not know much about Taler's refresh protcol yet. % they do not know much about Taler's refresh protocol yet.
% -- yeah, in particular the feeling/speculative parts are not needed... % -- yeah, in particular the feeling/speculative parts are not needed...
%In this vein, there are pure also zero-knoledge proof based schemes %In this vein, there are pure also zero-knowledge proof based schemes
%like~\cite{ST99}, and subsequently Zerocash~\cite{zerocash}, and maybe %like~\cite{ST99}, and subsequently Zerocash~\cite{zerocash}, and maybe
%varations on BOLT~\cite{BOLT}, that avoid using any denomination-like %variations on BOLT~\cite{BOLT}, that avoid using any denomination-like
%constructs, slightly reducing metadata leakage. At present, these all %constructs, slightly reducing metadata leakage. At present, these all
%incur excessive bandwidth or computational costs however. %incur excessive bandwidth or computational costs however.
% -- commented out, seems excessive. % -- commented out, seems excessive.
@ -354,7 +354,7 @@ deanonymization risk (see Section~\ref{sec:offline}).
% FIXME: If we ever add peppercoin stuff, cite Matt Green paper % FIXME: If we ever add peppercoin stuff, cite Matt Green paper
% and talk about economics when encoding a punishment-coin % and talk about economics when encoding a punishment-coin
% as the identity, whith limited ticket lifespan % as the identity, with limited ticket lifespan
%\subsection{Peppercoin} %\subsection{Peppercoin}
@ -423,7 +423,7 @@ violating the customers anonymity cryptographily requires recognizing
a random blinding factor from a random element of the group of a random blinding factor from a random element of the group of
integers modulo the denomination key's RSA modulus, which appears integers modulo the denomination key's RSA modulus, which appears
impossible even with a quantum computers. For a refreshed coin, impossible even with a quantum computers. For a refreshed coin,
unlinkabiltiy requires the hardness of the discrete logarithm for unlinkability requires the hardness of the discrete logarithm for
Curve25519. Curve25519.
The cut-and-choose protocol prevents merchants and customers from The cut-and-choose protocol prevents merchants and customers from
@ -547,7 +547,7 @@ exposes these events as anchors for tax audits on income.
A \emph{coin} in Taler is a public-private key pair where the private A \emph{coin} in Taler is a public-private key pair where the private
key is only known to the owner of the coin. A coin derives its key is only known to the owner of the coin. A coin derives its
financial value from an RSA signature over the full doman hash (FDH) financial value from an RSA signature over the full domain hash (FDH)
of the coin's public key. The exchange has multiple RSA of the coin's public key. The exchange has multiple RSA
{\em denomination key} pairs available for blind-signing coins of {\em denomination key} pairs available for blind-signing coins of
different values. different values.
@ -672,7 +672,7 @@ protocol messages; denomination keys are used for blind-signing coins.
The exchange's long-term offline key is assumed to be known to both The exchange's long-term offline key is assumed to be known to both
customers and merchants and is certified by the auditors. customers and merchants and is certified by the auditors.
We avoid asking either customers or merchants to make trust desissions We avoid asking either customers or merchants to make trust decisions
about individual exchanges. Instead, they need only select the auditors. about individual exchanges. Instead, they need only select the auditors.
Auditors must sign all the exchange's keys including, the individual Auditors must sign all the exchange's keys including, the individual
denomination keys. denomination keys.
@ -694,7 +694,7 @@ are expected to be recorded for tax authorities to ensure taxability.
% FIXME: Auditor? % FIXME: Auditor?
$S_K$ denotes RSA signing with denomination key $K$ and EdDSA $S_K$ denotes RSA signing with denomination key $K$ and EdDSA
over eliptic curve $\mathbb{E}$ for other types of keys. over elliptic curve $\mathbb{E}$ for other types of keys.
$G$ denotes the generator of elliptic curve $\mathbb{E}$. $G$ denotes the generator of elliptic curve $\mathbb{E}$.
\subsection{Withdrawal} \subsection{Withdrawal}
@ -706,7 +706,7 @@ We let $K_s$ denote the exchange's private key corresponding to $K_p$.
Now the customer carries out the following interaction with the exchange: Now the customer carries out the following interaction with the exchange:
% FIXME: These steps occur at very different points in time, so probably % FIXME: These steps occur at very different points in time, so probably
% they should be restructured into more of a protocol discription. % they should be restructured into more of a protocol description.
% It does create some confusion, like is a reserve key semi-ephemeral % It does create some confusion, like is a reserve key semi-ephemeral
% like a linking key? % like a linking key?
@ -758,14 +758,14 @@ A customer can spend coins at a merchant, under the condition that the
merchant trusts the exchange that issued the coin. merchant trusts the exchange that issued the coin.
% FIXME: Auditor here? % FIXME: Auditor here?
Merchants are identified by their public key $M_p$ which the Merchants are identified by their public key $M_p$ which the
customer's wallet learns through the merchant's webpage, which itself customer's wallet learns through the merchant's Web page, which itself
should be authenticated with X.509c. should be authenticated with X.509c.
% FIXME: Is this correct? % FIXME: Is this correct?
We now describe the protocol between the customer, merchant, and exchange We now describe the protocol between the customer, merchant, and exchange
for a transaction in which the customer spends a coin $C := (c_s, C_p)$ for a transaction in which the customer spends a coin $C := (c_s, C_p)$
with signature $\widetilde{C} := S_K(\FDH_K(C_p))$ with signature $\widetilde{C} := S_K(\FDH_K(C_p))$
where $K$ is the exchange's demonination key. where $K$ is the exchange's denomination key.
% FIXME: Again, these steps occur at different points in time, maybe % FIXME: Again, these steps occur at different points in time, maybe
% that's okay, but refresh is slightly different. % that's okay, but refresh is slightly different.
@ -915,7 +915,7 @@ than the comparable use of zk-SNARKs in ZeroCash~\cite{zerocash}.
this time to prevent the exchange from assisting tax evasion. \\ this time to prevent the exchange from assisting tax evasion. \\
% %
The exchange sends $S_{K'}(C'_p, \gamma)$ to the customer where The exchange sends $S_{K'}(C'_p, \gamma)$ to the customer where
$K'$ is the exchange's message signing key, thereby commmitting the exchange to $\gamma$. $K'$ is the exchange's message signing key, thereby committing the exchange to $\gamma$.
\item % [POST {\tt /refresh/reveal}] \item % [POST {\tt /refresh/reveal}]
The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk. The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk.
Also, the customer assembles Also, the customer assembles
@ -1004,7 +1004,7 @@ expected. First, in the case of faulty clients, the responding server
will generate an error message with detailed cryptographic proofs will generate an error message with detailed cryptographic proofs
demonstrating that the client was faulty, for example by providing demonstrating that the client was faulty, for example by providing
proof of double-spending or providing the previous commit and the proof of double-spending or providing the previous commit and the
location of the missmatch in the case of the reveal step in the location of the mismatch in the case of the reveal step in the
refresh protocol. It is also possible that the server may claim that refresh protocol. It is also possible that the server may claim that
the client has been violating the protocol. In these cases, the the client has been violating the protocol. In these cases, the
clients should verify any proofs provided and if they are acceptable, clients should verify any proofs provided and if they are acceptable,
@ -1175,7 +1175,7 @@ deanonymize citizens.
\subsection{Offline Payments} \label{sec:offline} \subsection{Offline Payments} \label{sec:offline}
Anonymous digital cash schemes since Chaum were frequently designed Anonymous digital cash schemes since Chaum were frequently designed
to allow the merchant to be offline during the transaction, to allow the merchant to be offline during the transaction,
by providing a means to deanonymize customers involved in by providing a means to deanonymize customers involved in
double-spending. We consider this problematic as either the double-spending. We consider this problematic as either the
exchange or the merchant still requires an out-of-band exchange or the merchant still requires an out-of-band
@ -1648,7 +1648,7 @@ provides a payment system with the following key properties:
delivering on the agreed contract. Neither merchants nor customers delivering on the agreed contract. Neither merchants nor customers
are able to commit fraud against the exchange. are able to commit fraud against the exchange.
Only the exchange needs be tightly audited and regulated. Only the exchange needs be tightly audited and regulated.
\item[No speculation] % It's actually "Specualtion not required" \item[No speculation] % It's actually "Speculation not required"
The digital coins are denominated in existing currencies, The digital coins are denominated in existing currencies,
such as EUR or USD. This avoids exposing citizens to unnecessary risks such as EUR or USD. This avoids exposing citizens to unnecessary risks
from currency fluctuations. from currency fluctuations.