From 7b4b0f38ffd212587ac46ff035e1ac3573bd104a Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Tue, 16 May 2017 13:34:17 +0200 Subject: [PATCH 1/2] english, linking --- doc/paper/taler.tex | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex index c32adc1b9..8b48ad82f 100644 --- a/doc/paper/taler.tex +++ b/doc/paper/taler.tex 
@@ -1492,29 +1492,35 @@ any PPT adversary with an advantage for linking Taler coins gives rise to an adversary with an advantage for recognizing SHA512 output. \end{corollary} -There was an earlier encryption-based version of the Taler protocol -in which refresh operated consisted of $\kappa$ normal coin withdrawals -encrypted using the secret $t^{(i)} C$ where $C = c G$ is the coin being -refreshed and $T^{(i)} = t^{(i)} G$ is the transfer key. +We will now consider the impact of the refresh operation. For the +sake of the argument, we will first consider an earlier +encryption-based version of the protocol in which refresh operated +consisted of $\kappa$ normal coin withdrawals where the commitment +consisted of the blinding factors and private keys of the fresh coins +encrypted using the secret $t^{(i)} C_s$ where $C_s = c_s G$ of the +dirty coin $C$ being refreshed and $T^{(i)} = t^{(i)} G$ is the +transfer key.\footnote{We abandoned that version as it required + slightly more storage space and the additional encryption + primitive.} \begin{proposition} Assuming the encryption used is ??? secure, and that - the independence of $c$, $t$, and the new coins key materials, then + the independence of $c_s$, $t$, and the new coins' key materials, then any PPT adversary with an advantage for linking Taler coins gives rise to an adversary with an advantage for recognizing SHA512 output. \end{proposition} % TODO: Is independence here too strong? -We may now remove the encrpytion by appealing to the random oracle model -\cite{BR-RandomOracles}. +We may now remove the encrpytion by appealing to the random oracle +model~\cite{BR-RandomOracles}. \begin{lemma}[\cite{??}] Consider a protocol that commits to random data by encrypting it using a secret derived from a Diffe-Hellman key exchange. In the random oracle model, we may replace this encryption with -a hash function derives the random data by applying hash functions -to the same secret. 
+a hash function which derives the random data by applying hash +functions to the same secret. \end{lemma} \begin{proof} @@ -1541,7 +1547,13 @@ Diffie-Hellman key exchange on Curve25519. We do not distinguish between information known by the exchange and information known by the merchant in the above. As a result, this proves that out linking protocol \S\ref{subsec:linking} does not -degrade privacy. +degrade privacy. We note that the exchange could lie in the linking +protocol about the transfer public key to generate coins that it can +link (at a financial loss to the exchange that it would have to square +with its auditor). However, in the normal course of payments the link +protocol is never used. Furthermore, if a customer needs to recover +control over a coin using the linking protocol, they can use the +refresh protocol on the result to again obtain an unlinkable coin. From 7ce67006be0f4ca8e26e1e35d5751cbc4af40cb9 Mon Sep 17 00:00:00 2001 From: Florian Dold Date: Tue, 16 May 2017 13:39:12 +0200 Subject: [PATCH 2/2] use ACM sigconf format for 2017 --- doc/paper/taler.tex | 140 +++++++++++++++++++++++++++++++++----------- 1 file changed, 106 insertions(+), 34 deletions(-) diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex index 8b48ad82f..9cff69e93 100644 --- a/doc/paper/taler.tex +++ b/doc/paper/taler.tex @@ -20,25 +20,6 @@ % CG adds: % We SHOULD do this for the FINAL paper, not for the anon submission. -\documentclass{llncs} -%\usepackage[margin=1in,a4paper]{geometry} -\usepackage[T1]{fontenc} -\usepackage{palatino} -\usepackage{xspace} -\usepackage{microtype} -\usepackage{amsmath,amssymb,eurosym} -\usepackage[dvipsnames]{xcolor} -\usepackage{tikz} -\usetikzlibrary{shapes,arrows} -\usetikzlibrary{positioning} -\usetikzlibrary{calc} -% \usepackage{enumitem} -\usepackage{caption} -%\usepackage{subcaption} -\usepackage{subfig} -% \usepackage{sidecap} -% \usepackage{wrapfig} - % Relate to: % http://fc14.ifca.ai/papers/fc14_submission_124.pdf 
@@ -63,23 +44,70 @@ % - transaction = coin ownership transfer that should be taxed % - sharing = coin copying that should not be taxed - -\title{Refreshing Coins for Giving Change and Refunds \\ in Chaum-style Anonymous Payment Systems} - -\begin{document} -\mainmatter - -%\author{Florian Dold \and Sree Harsha Totakura \and Benedikt M\"uller \and Jeff Burdges \and Christian Grothoff} -%\institute{The GNUnet Project} - - -\maketitle - % FIXME: As a general comment, I think we're mixing the crypto stuff and the systems % stuff too much. It might be more appropriate to have to systems stuff in a separate % section, and the "pure" crypto stuff for the crypto people? +\documentclass[sigconf, authordraft]{acmart} + +\usepackage{booktabs} % For formal tables +\usepackage{tikz} +\usetikzlibrary{shapes,arrows} +\usetikzlibrary{positioning} +\usetikzlibrary{calc} +\usepackage{eurosym} + + +% Copyright +%\setcopyright{none} +%\setcopyright{acmcopyright} +%\setcopyright{acmlicensed} +\setcopyright{rightsretained} +%\setcopyright{usgov} +%\setcopyright{usgovmixed} +%\setcopyright{cagov} +%\setcopyright{cagovmixed} + + +% DOI +\acmDOI{10.475/123_4} + +% ISBN +\acmISBN{123-4567-24-567/08/06} + +%Conference +\acmConference[WOODSTOCK'97]{ACM Woodstock conference}{July 1997}{El + Paso, Texas USA} +\acmYear{1997} +\copyrightyear{2016} + +\acmPrice{15.00} + +\acmSubmissionID{123-A12-B3} + +\begin{document} +\title{Refreshing Coins for Giving Change and Refunds \\ in Chaum-style Anonymous Payment Systems} +\subtitle{Authors' names blinded for review} + + +%\author{Ben Trovato} +%\authornote{Dr.~Trovato insisted his name be first.} +%\orcid{1234-5678-9012} +%\affiliation{% +% \institution{Institute for Clarity in Documentation} +% \streetaddress{P.O. Box 1212} +% \city{Dublin} +% \state{Ohio} +% \postcode{43017-6221} +%} +%\email{trovato@corporation.com} + + +% The default list of authors is too long for headers} +%\renewcommand{\shortauthors}{B. 
Trovato et al.} + + \begin{abstract} This paper introduces {\em Taler}, a Chaum-style digital payment system that enables anonymous payments while ensuring that entities that receive @@ -106,6 +134,46 @@ and adequately balances the state's need for monetary control with the citizen's needs for private economic activity. \end{abstract} +% +% The code below should be generated by the tool at +% http://dl.acm.org/ccs.cfm +% Please copy and paste the code instead of the example below. +% +\begin{CCSXML} + + + 10010520.10010553.10010562 + Computer systems organization~Embedded systems + 500 + + + 10010520.10010575.10010755 + Computer systems organization~Redundancy + 300 + + + 10010520.10010553.10010554 + Computer systems organization~Robotics + 100 + + + 10003033.10003083.10003095 + Networks~Network reliability + 100 + + +\end{CCSXML} + +\ccsdesc[500]{Computer systems organization~Embedded systems} +\ccsdesc[300]{Computer systems organization~Redundancy} +\ccsdesc{Computer systems organization~Robotics} +\ccsdesc[100]{Networks~Network reliability} + + +\keywords{ACM proceedings, \LaTeX, text tagging} + +\maketitle + \section{Introduction} The design of payment systems shapes economies and societies. Strong, @@ -151,7 +219,7 @@ provides fair exchange and exculpability via cryptographic proofs. \begin{figure}[h] \centering \begin{tikzpicture} - \tikzstyle{def} = [node distance= 1em and 11em, inner sep=1em, outer sep=.3em]; + \tikzstyle{def} = [node distance= 2em and 6.5em, inner sep=1em, outer sep=.3em]; \node (origin) at (0,0) {}; \node (exchange) [def,above=of origin,draw]{Exchange}; \node (customer) [def, draw, below left=of origin] {Customer}; @@ -193,6 +261,7 @@ which owned the original coin. %\vspace{-0.3cm} + \section{Related Work} %\vspace{-0.3cm} 
@@ -1284,8 +1353,10 @@ We thank people (anonymized). %Jacob Appelbaum for productive discussions and support. \newpage -\bibliographystyle{alpha} -\bibliography{taler,rfc} +\bibliographystyle{ACM-Reference-Format} +\bibliography{taler} + +\end{document} %\vfill %\begin{center} @@ -1875,3 +1946,4 @@ provides a payment system with the following key properties: The payment system handles both small and large payments in an efficient and reliable manner. \end{description} +
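Review bot: In patch 1/2, hunk `@@ -1492,29 +1492,35`, the rewritten opening sentence still does not parse: "in which refresh operated consisted of" keeps the doubled verb, and "where $C_s = c_s G$ of the dirty coin $C$" never says what $C_s$ is relative to $C$. Since the commit is an English pass, the same hunk should also fix "encrpytion" on the re-wrapped line and "Diffe-Hellman" in the lemma. The security argument still rests on the "??? secure" placeholder in the proposition and on `\cite{??}` in the lemma, so the assumption and the reference need to be filled in before the corollary can be checked.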
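Review bot: In patch 1/2, hunk `@@ -1541,7 +1547,13`, the added caveat that the exchange "could lie in the linking protocol about the transfer public key to generate coins that it can link" directly follows the sentence claiming the linking protocol "does not degrade privacy", so the paragraph now states a result and an exception to it without saying under which assumption the result holds. Suggest stating that assumption about the exchange's behaviour explicitly next to the claim, and pointing to where the paper supports "at a financial loss to the exchange". Also fix "out linking protocol" in the context line and use one of "link protocol" or "linking protocol" throughout.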
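Review bot: In patch 2/2, hunk `@@ -20,25 +20,6`, the removed preamble loaded `xspace`, `subfig`, `caption`, `microtype`, `amsmath,amssymb` and `xcolor` with `dvipsnames`, while the new preamble added later in this patch loads only `booktabs`, `tikz` (with its libraries) and `eurosym`. Please confirm the body uses no macros from the dropped packages that `acmart` does not itself provide (for example `\xspace`, `\subfloat`, or `dvipsnames` colour names), or re-add the ones still needed. The commit message mentions only the format switch, so the package removals deserve a line there.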
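Review bot: In patch 2/2, hunk `@@ -63,23 +44,70`, the metadata is copied unchanged from the acmart sample: `\acmDOI{10.475/123_4}`, `\acmISBN{123-4567-24-567/08/06}`, `\acmConference[WOODSTOCK'97]{...}`, `\acmYear{1997}`, `\copyrightyear{2016}`, `\acmPrice{15.00}` and `\acmSubmissionID{123-A12-B3}`. These will be printed in the output, so they should either be replaced with the real venue data or removed for the anonymous submission. The commented-out "Ben Trovato" author block is sample residue as well and can be dropped; the commented line "% The default list of authors is too long for headers}" carries a stray closing brace.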
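Review bot: In patch 2/2, hunk `@@ -106,6 +134,46`, the CCS concepts and keywords are the template's examples ("Embedded systems", "Redundancy", "Robotics", "Network reliability", and `\keywords{ACM proceedings, \LaTeX, text tagging}`), none of which describe a payment system paper. The comment added in this same hunk says the block should be generated with the tool at http://dl.acm.org/ccs.cfm; please do that and replace the `\ccsdesc` lines and keywords to match.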
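Review bot: In patch 2/2, hunk `@@ -1284,8 +1353,10`, `\end{document}` is added directly after the bibliography at about line 1357, but the file continues to at least line 1946 (the last hunk touches an `\end{description}` there), and the linking argument edited in patch 1/2 sits after this point too. Everything below the new `\end{document}` is no longer typeset; if that material is meant to be cut from the submission, say so in the commit message, otherwise move `\end{document}` to the end of the file. The same hunk changes `\bibliography{taler,rfc}` to `\bibliography{taler}`, so any citation that resolves only through the `rfc` database will become undefined; please check for those.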