taler/exchange
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

more responses for fc17

Browse Source
This commit is contained in:
Florian Dold 2017-05-17 17:02:32 +02:00
parent e53a736dca
commit 744d81b5ac
No known key found for this signature in database
GPG Key ID: D2E4F00F29D02A4B
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
doc/paper/taler_FC2017.txt
View File

@ -144,6 +144,9 @@ Specific comments:
- Section 4.1, step 3, what is the key K used in FDH? Also is S_w(B) a standard - Section 4.1, step 3, what is the key K used in FDH? Also is S_w(B) a standard
signature? signature?
> The "K" here means that the domain of the full domain hash is the
> modulus of the public key K_v of the key pair K.
- Section 4.1, step 4, How can the exchange know that this was indeed a new - Section 4.1, step 4, How can the exchange know that this was indeed a new
withdrawal request? If a new blinding factor b is used, then a customer can withdrawal request? If a new blinding factor b is used, then a customer can
create multiple “freshly” looking requests for the same C_p. (Also a minor create multiple “freshly” looking requests for the same C_p. (Also a minor
@ -160,6 +163,9 @@ Specific comments:
the coin (i.e. cannot link with withdrawal) but this is still an anonymity the coin (i.e. cannot link with withdrawal) but this is still an anonymity
problem. problem.
> Yes, this is why the user has to refresh a partially spend coin
> before reusing it, unless they don't care about their anonymity.
- Section 4.3, doesnt seem very fair to compare with Zcash or at least it - Section 4.3, doesnt seem very fair to compare with Zcash or at least it
should be highlighted that a quite weaker level of anonymity is achieved. should be highlighted that a quite weaker level of anonymity is achieved.
@ -169,6 +175,11 @@ Specific comments:
denotes? Is that a commitment (as noted in the text) or a signature (as noted denotes? Is that a commitment (as noted in the text) or a signature (as noted
in notation table?). in notation table?).
> We multiply t_s^(i) with G, so the only reasonable domain is
> [1,n] where n is the order of the elliptic curve we use.
> S_{C} is a signature made with private key C_p, what we sign
> over is the commitment.
- Section 4.3 In this protocol I would expect the customer to somehow “prove” - Section 4.3 In this protocol I would expect the customer to somehow “prove”
to the exchange what is the remaining value of the dirty coin. I do not see to the exchange what is the remaining value of the dirty coin. I do not see
this happening. How does this part of the protocol ensure that a user cannot this happening. How does this part of the protocol ensure that a user cannot