Start making the protocol more explicit
parent
b1ec11e492
commit
937d7f48b9
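--- a/doc/paper/figs/deposit.tex
+++ b/doc/paper/figs/deposit.tex
@@ -0,0 +1,62 @@
+
+\begin{figure}[th]
+\begin{minipage}[b]{0.45\linewidth}
+\begin{center}
+\begin{tikzpicture}[scale = 0.4,
+transform shape,
+msglabel/.style = { text = Black, yshift = .3cm,
+sloped, midway },
+okmsg/.style = { ->, color = MidnightBlue, thick,
+>=stealth },
+rstmsg/.style = { ->, color = BrickRed, thick,
+>=stealth }
+]
+\node[draw = MidnightBlue,
+fill = CornflowerBlue,
+minimum width = .3cm,
+minimum height = 10cm
+] (h1) at (-4, 0) {};
+\node[draw = MidnightBlue,
+fill = CornflowerBlue,
+minimum width = .3cm,
+minimum height = 10cm
+] (h2) at (4, 0) {};
+\node[above = 0cm of h1] {Merchant};
+\node[above = 0cm of h2] {Exchange};
+
+\path[->, color = MidnightBlue, very thick, >=stealth]
+(-5, 4.5) edge
+node[rotate=90, text = Black, yshift = .3cm] {Time}
+(-5, -4.5);
+\path[->, color = MidnightBlue, thick, >=stealth]
+($(h1.east)+(0,3)$) edge
+node[text = Black, yshift = .3cm, sloped] {$S_{DK}(C), S_{c}(D)$}
+($(h2.west)+(0,2)$);
+\path[->, color = MidnightBlue, thick, >=stealth]
+($(h2.west)+(0,0.5)$) edge
+node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(S_{c}(D))$}
+($(h1.east)+(0,-0.5)$);
+\path[rstmsg]
+($(h2.west)+(0, -2.5)$) edge
+node[msglabel] {409 CONFLICT: $S_{c}(D')$}
+($(h1.east)+(0, -3.5)$);
+\node at (5.3, 0) {};
+\end{tikzpicture}
+\end{center}
+\end{minipage}
+\hspace{0.5cm}
+\begin{minipage}[b]{0.45\linewidth}
+\tiny
+\begin{description}
+\item[$DK$] Denomination key
+\item[$S_{DK}()$] RSA-FDH signature using $DK$
+\item[$c$] Private coin key, $C := cG$.
+\item[$S_{C}()$] EdDSA signature using $c$
+\item[$D$] Deposit details
+\item[$SK$] Exchange's signing key
+\item[$S_{SK}()$] EdDSA signature using $SK$
+\item[$D'$] Conficting deposit details $D' \not= D$
+\end{description}
+\end{minipage}
+\end{figure}
+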
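Review bot: The legend entry `\item[$S_{C}()$] EdDSA signature using $c$` does not match the arrows, which write the coin signature as `S_{c}(D)` and `S_{c}(D')`. Since the legend defines `$c$` as the private key and `$C := cG$` as the public one, the subscript decides which key a reader thinks is signing; make the entry `\item[$S_{c}()$] EdDSA signature using $c$`. In the `$D'$` entry "Conficting" should be "Conflicting" and `\not=` is better written `\neq`. It would also help to say in that entry that the 409 reply returns the earlier signed deposit `S_{c}(D')`, which is presumably what lets the merchant check the double-spend claim itself.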
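--- a/doc/paper/figs/keys.tex
+++ b/doc/paper/figs/keys.tex
@@ -0,0 +1,54 @@
+\begin{figure}[th]
+\begin{minipage}[b]{0.45\linewidth}
+\begin{center}
+\begin{tikzpicture}[scale = 0.4,
+transform shape,
+msglabel/.style = { text = Black, yshift = .3cm,
+sloped, midway },
+okmsg/.style = { ->, color = MidnightBlue, thick,
+>=stealth },
+rstmsg/.style = { ->, color = BrickRed, thick,
+>=stealth }
+]
+\node[draw = MidnightBlue,
+fill = CornflowerBlue,
+minimum width = .3cm,
+minimum height = 10cm
+] (h1) at (-4, 0) {};
+\node[draw = MidnightBlue,
+fill = CornflowerBlue,
+minimum width = .3cm,
+minimum height = 10cm
+] (h2) at (4, 0) {};
+\node[above = 0cm of h1] {Wallet};
+\node[above = 0cm of h2] {Exchange};
+
+\path[->, color = MidnightBlue, very thick, >=stealth]
+(-5, 4.5) edge
+node[rotate=90, text = Black, yshift = .3cm] {Time}
+(-5, -4.5);
+\path[->, color = MidnightBlue, thick, >=stealth]
+($(h1.east)+(0,3)$) edge
+node[text = Black, yshift = .3cm, sloped] {GET {\tt /keys}}
+($(h2.west)+(0,2)$);
+\path[->, color = MidnightBlue, thick, >=stealth]
+($(h2.west)+(0,0.5)$) edge
+node[text = Black, yshift = .3cm, sloped] {200 OK: $S_T(DK,A_{DK},M), S_M(SK)$}
+($(h1.east)+(0,-0.5)$);
+\node at (5.3, 0) {};
+\end{tikzpicture}
+\end{center}
+\end{minipage}
+\hspace{0.4cm}
+\begin{minipage}[b]{0.45\linewidth}
+\tiny
+\begin{description}
+\item[$T$] financial regulator key Necessarily pinned
+\item[$DK$] RSA public key (``denomination key'')
+\item[$A_{DK}$] Value of coins signed by $DK$
+\item[$M$] Offline master key of exchange
+\item[$SK$] Online signing key of exchange
+\end{description}
+\end{minipage}
+\end{figure}
+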
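Review bot: The `$T$` legend entry, `financial regulator key Necessarily pinned`, is two fragments run together, and it is the entry that tells a reader where the wallet's trust starts. Suggest `\item[$T$] Financial regulator key, necessarily pinned`. Because `M` arrives inside `S_T(DK,A_{DK},M)` and `SK` inside `S_M(SK)`, the legend could also state the chain the label implies, that `T` vouches for `M` and `M` for `SK`, so it is clear neither is accepted on the exchange's word alone. `{\tt /keys}` is the obsolete font switch; `\texttt{/keys}` is the current form.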
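--- a/doc/paper/figs/refresh.tex
+++ b/doc/paper/figs/refresh.tex
@@ -0,0 +1,200 @@
+\begin{frame}{Taler {\tt /refresh/melt}}
+\begin{figure}[th]
+\begin{minipage}[b]{0.45\linewidth}
+\begin{center}
+\begin{tikzpicture}[scale = 0.4,
+transform shape,
+msglabel/.style = { text = Black, yshift = .3cm,
+sloped, midway },
+okmsg/.style = { ->, color = MidnightBlue, thick,
+>=stealth },
+rstmsg/.style = { ->, color = BrickRed, thick,
+>=stealth }
+]
+\node[draw = MidnightBlue,
+fill = CornflowerBlue,
+minimum width = .3cm,
+minimum height = 10cm
+] (h1) at (-4, 0) {};
+\node[draw = MidnightBlue,
+fill = CornflowerBlue,
+minimum width = .3cm,
+minimum height = 10cm
+] (h2) at (4, 0) {};
+\node[above = 0cm of h1] {Customer};
+\node[above = 0cm of h2] {Exchange};
+
+\path[->, color = MidnightBlue, very thick, >=stealth]
+(-5, 4.5) edge
+node[rotate=90, text = Black, yshift = .3cm] {Time}
+(-5, -4.5);
+\path[->, color = MidnightBlue, thick, >=stealth]
+($(h1.east)+(0,3)$) edge
+node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/melt} $S_{DK}(C), S_c({\cal DK}, {\cal T},{\cal B})$}
+($(h2.west)+(0,2)$);
+\path[->, color = MidnightBlue, thick, >=stealth]
+($(h2.west)+(0,0.5)$) edge
+node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(H({\cal T}, {\cal B}),\gamma)$}
+($(h1.east)+(0,-0.5)$);
+\path[rstmsg]
+($(h2.west)+(0, -2.5)$) edge
+node[msglabel] {409 CONFLICT: $S_{C}(X), \ldots$}
+($(h1.east)+(0, -3.5)$);
+\node at (5.3, 0) {};
+\end{tikzpicture}
+\end{center}
+\end{minipage}
+\hspace{0.5cm}
+\begin{minipage}[b]{0.45\linewidth}
+\tiny
+\begin{description}
+\item[$\kappa$] System-wide security parameter, usually 3.
+\\ \smallskip
+\item[$\cal DK$] $:= [DK^{(i)}]_i$ \\ List of denomination keys \\
+$D + \sum_i A_{DK^{(i)}} < A_{DK}$
+\item[$t_j$] Random scalar for $j<\kappa$
+\item[${\cal T}$] $:= [T_j]_\kappa$ where $T_j = t_j G$
+\item[$k_j$] $:= c T_j = t_j C$ is an ECDHE
+\item[$b_j^{(i)}$] $:= \texttt{KDFb}(k_j,i)$ % blinding factor
+\item[$c_j^{(i)}$] $:= \texttt{KDFc}(k_j,i)$ % coin secret keys
+\item[$C_j^{(i)}$] $: = c_j^{(i)} G$ % new coin publics % keys
+\item[${\cal B}$] $:= [H( \beta_j )]_\kappa$ where \\
+$\beta_j := \left[ B_{b_j^{(i)}}(C_j^{(i)}) \right]_i$
+\\ \smallskip
+\item[$\gamma$] Random value in $[0,\kappa)$
+% \\ \smallskip
+% \item[$X$] Deposit or refresh
+\end{description}
+\end{minipage}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{Taler {\tt /refresh/reveal}}
+\begin{figure}[th]
+\begin{minipage}[b]{0.45\linewidth}
+\begin{center}
+\begin{tikzpicture}[scale = 0.4,
+transform shape,
+msglabel/.style = { text = Black, yshift = .3cm,
+sloped, midway },
+okmsg/.style = { ->, color = MidnightBlue, thick,
+>=stealth },
+rstmsg/.style = { ->, color = BrickRed, thick,
+>=stealth }
+]
+\node[draw = MidnightBlue,
+fill = CornflowerBlue,
+minimum width = .3cm,
+minimum height = 10cm
+] (h1) at (-4, 0) {};
+\node[draw = MidnightBlue,
+fill = CornflowerBlue,
+minimum width = .3cm,
+minimum height = 10cm
+] (h2) at (4, 0) {};
+\node[above = 0cm of h1] {Customer};
+\node[above = 0cm of h2] {Exchange};
+
+\path[->, color = MidnightBlue, very thick, >=stealth]
+(-5, 4.5) edge
+node[rotate=90, text = Black, yshift = .3cm] {Time}
+(-5, -4.5);
+\path[->, color = MidnightBlue, thick, >=stealth]
+($(h1.east)+(0,3)$) edge
+node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/reveal} $H({\cal T}, {\cal B}), {\tilde{\cal T}}, \beta_\gamma$}
+($(h2.west)+(0,2)$);
+\path[->, color = MidnightBlue, thick, >=stealth]
+($(h2.west)+(0,0.5)$) edge
+node[text = Black, yshift = .3cm, sloped] {200 OK: $\cal S$}
+($(h1.east)+(0,-0.5)$);
+\path[rstmsg]
+($(h2.west)+(0, -2.5)$) edge
+node[msglabel] {400 BAD REQUEST: $Z$}
+($(h1.east)+(0, -3.5)$);
+\node at (5.3, 0) {};
+\end{tikzpicture}
+\end{center}
+\end{minipage}
+\hspace{0.5cm}
+\begin{minipage}[b]{0.45\linewidth}
+\tiny
+\begin{description}
+\item[$\cal DK$] $:= [DK^{(i)}]_i$
+\item[$t_j$] .. \\ \smallskip
+
+\item[$\tilde{\cal T}$] $:= [t_j | j \in \kappa, j \neq \gamma]$ \\ \smallskip
+
+\item[$k_\gamma$] $:= c T_\gamma = t_\gamma C$
+\item[$b_\gamma^{(i)}$] $:= \texttt{KDFb}(k_\gamma,i)$
+\item[$c_\gamma^{(i)}$] $:= \texttt{KDFc}(k_\gamma,i)$
+\item[$C_\gamma^{(i)}$] $: = c_\gamma^{(i)} G$
+
+\item[$B_\gamma^{(i)}$] $:= B_{b_\gamma^{(i)}}(C_\gamma^{(i)})$
+\item[$\beta_\gamma$] $:= \big[ B_\gamma^{(i)} \big]_i$
+\item[$\cal S$] $:= \left[ S_{DK^{(i)}}( B_\gamma^{(i)} ) \right]_i$ \\ \smallskip
+
+\item[$Z$] Cut-and-choose missmatch information
+\end{description}
+\end{minipage}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{Taler {\tt /refresh/link}}
+\begin{figure}[th]
+\begin{minipage}[b]{0.45\linewidth}
+\begin{center}
+\begin{tikzpicture}[scale = 0.4,
+transform shape,
+msglabel/.style = { text = Black, yshift = .3cm,
+sloped, midway },
+okmsg/.style = { ->, color = MidnightBlue, thick,
+>=stealth },
+rstmsg/.style = { ->, color = BrickRed, thick,
+>=stealth }
+]
+\node[draw = MidnightBlue,
+fill = CornflowerBlue,
+minimum width = .3cm,
+minimum height = 10cm
+] (h1) at (-4, 0) {};
+\node[draw = MidnightBlue,
+fill = CornflowerBlue,
+minimum width = .3cm,
+minimum height = 10cm
+] (h2) at (4, 0) {};
+\node[above = 0cm of h1] {Customer};
+\node[above = 0cm of h2] {Exchagne};
+
+\path[->, color = MidnightBlue, very thick, >=stealth]
+(-5, 4.5) edge
+node[rotate=90, text = Black, yshift = .3cm] {Time}
+(-5, -4.5);
+\path[->, color = MidnightBlue, thick, >=stealth]
+($(h1.east)+(0,3)$) edge
+node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/link} $C$}
+($(h2.west)+(0,2)$);
+\path[->, color = MidnightBlue, thick, >=stealth]
+($(h2.west)+(0,0.5)$) edge
+node[text = Black, yshift = .3cm, sloped] {200 OK: $T_\gamma$}
+($(h1.east)+(0,-0.5)$);
+\path[rstmsg]
+($(h2.west)+(0, -2.5)$) edge
+node[msglabel] {404 NOT FOUND}
+($(h1.east)+(0, -3.5)$);
+\node at (5.3, 0) {};
+\end{tikzpicture}
+\end{center}
+\end{minipage}
+\hspace{0.5cm}
+\begin{minipage}[b]{0.45\linewidth}
+\tiny
+\begin{description}
+\item[$C$] Old coind public key \\ \smallskip
+\item[$T_\gamma$] Linkage data $\cal L$ at $\gamma$
+\end{description}
+\end{minipage}
+\end{figure}
+\end{frame}
+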
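Review bot: The legends index the cut-and-choose from zero (`$t_j$ ... for $j<\kappa$`, `$\gamma$` a `Random value in $[0,\kappa)$`), while the prose touched by the same commit keeps `$1 \le \gamma \le \kappa$` and `$i = 1,\ldots,\kappa$` and uses `i` for the index the figures call `j`. One convention should be used throughout so the range of the challenge index is unambiguous. In the reveal legend `$j \in \kappa$` is not well formed; `\item[$\tilde{\cal T}$] $:= [t_j \mid j < \kappa, j \neq \gamma]$` says what is presumably meant. The 409 label signs with `S_{C}(X)` although the `$X$` entry is commented out and the melt request writes the same signer as `S_c`. The `frame` environments are Beamer's and will be undefined if this file is input into an article-class paper (not visible here); the legends also misspell `Exchagne`, `coind` and `missmatch`.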
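--- a/doc/paper/figs/withdraw.tex
+++ b/doc/paper/figs/withdraw.tex
@@ -0,0 +1,49 @@
+\begin{SCfigure}
+\begin{minipage}[b]{0.45\linewidth}
+\begin{tikzpicture}[scale = 0.4,
+transform shape,
+msglabel/.style = { text = Black, yshift = .3cm,
+sloped, midway },
+okmsg/.style = { ->, color = MidnightBlue, thick,
+>=stealth },
+rstmsg/.style = { ->, color = BrickRed, thick,
+>=stealth }
+]
+\node[draw = MidnightBlue,
+fill = CornflowerBlue,
+minimum width = .3cm,
+minimum height = 10cm
+] (h1) at (-4, 0) {};
+\node[draw = MidnightBlue,
+fill = CornflowerBlue,
+minimum width = .3cm,
+minimum height = 10cm
+] (h2) at (4, 0) {};
+\node[above = 0cm of h1] {Wallet};
+\node[above = 0cm of h2] {Exchange};
+
+\path[->, color = MidnightBlue, very thick, >=stealth]
+(-5, 4.5) edge
+node[rotate=90, text = Black, yshift = .3cm] {Time}
+(-5, -4.5);
+\path[okmsg, dashed]
+($(h1.east)+(0, 4.0)+(0, -1.0)$) edge
+node[msglabel] {SEPA(RK,A)}
+($(h2.west)+(0, 3.5)+(0, -1.0)$);
+\path[okmsg]
+($(h1.east)+(0, -1.0)$) edge
+node[msglabel] {$S_{RK}(DK, B_b(C))$}
+($(h2.west)+(0, -1.5)$);
+\path[okmsg]
+($(h2.west)+(0, -2.0)$) edge
+node[msglabel] {200 OK: $S_{DK}(B_b(C))$)}
+($(h1.east)+(0, -2.5)$);
+\path[rstmsg]
+($(h2.west)+(0, -3.5)$) edge
+node[msglabel] {402 PAYMENT REQUIRED: $S_{RK}(DK, B_b(C))$)}
+($(h1.east)+(0, -4)$);
+\node at (5.3, 0) {};
+\end{tikzpicture}
+\end{minipage}
+\end{SCfigure}
+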
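Review bot: `SCfigure` is provided by the `sidecap` package, which this commit adds to the preamble only as a comment (`% \usepackage{sidecap}`), so the environment is undefined if this figure is input as is. Either enable the package or use `\begin{figure}[th]` as the other new figures do. Both response labels end in a stray `)` after the closing `$`, in `{200 OK: $S_{DK}(B_b(C))$)}` and in the 402 label; drop it. Unlike the other figures this one has no legend, so `RK`, `A` and `b` are undefined here, and the prose appears to call the same reserve key `W`.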
@ -26,15 +26,18 @@
|
|||||||
\usepackage{palatino}
|
\usepackage{palatino}
|
||||||
\usepackage{xspace}
|
\usepackage{xspace}
|
||||||
\usepackage{microtype}
|
\usepackage{microtype}
|
||||||
\usepackage{tikz,eurosym}
|
\usepackage{amsmath,amssymb,eurosym}
|
||||||
\usepackage{amsmath,amssymb}
|
\usepackage[dvipsnames]{xcolor}
|
||||||
\usepackage{enumitem}
|
\usepackage{tikz}
|
||||||
\usetikzlibrary{shapes,arrows}
|
\usetikzlibrary{shapes,arrows}
|
||||||
\usetikzlibrary{positioning}
|
\usetikzlibrary{positioning}
|
||||||
\usetikzlibrary{calc}
|
\usetikzlibrary{calc}
|
||||||
|
% \usepackage{enumitem}
|
||||||
\usepackage{caption}
|
\usepackage{caption}
|
||||||
\usepackage{subcaption}
|
\usepackage{subcaption}
|
||||||
\usepackage{subfig}
|
\usepackage{subfig}
|
||||||
|
% \usepackage{sidecap}
|
||||||
|
% \usepackage{wrapfig}
|
||||||
|
|
||||||
% Relate to:
|
% Relate to:
|
||||||
% http://fc14.ifca.ai/papers/fc14_submission_124.pdf
|
% http://fc14.ifca.ai/papers/fc14_submission_124.pdf
|
||||||
@ -607,7 +610,6 @@ We use RSA for denomination keys and EdDSA over some eliptic curve
|
|||||||
$\mathbb{E}$ for all other keys. Let $G$ denote the generator of
|
$\mathbb{E}$ for all other keys. Let $G$ denote the generator of
|
||||||
our elliptic curve $\mathbb{E}$.
|
our elliptic curve $\mathbb{E}$.
|
||||||
|
|
||||||
|
|
||||||
\subsection{Withdrawal}
|
\subsection{Withdrawal}
|
||||||
|
|
||||||
To withdraw anonymous digital coins, the customer first selects an
|
To withdraw anonymous digital coins, the customer first selects an
|
||||||
@ -624,23 +626,28 @@ Now the customer carries out the following interaction with the exchange:
|
|||||||
% It does create some confusion, like is a withdrawal key semi-ephemeral
|
% It does create some confusion, like is a withdrawal key semi-ephemeral
|
||||||
% like a linking key?
|
% like a linking key?
|
||||||
|
|
||||||
\begin{enumerate}
|
\begin{description}
|
||||||
\item The customer randomly generates:
|
\item[Setup] The customer randomly generates:
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item withdrawal key $W := (w_s,W_p)$ with private key $w_s$ and public key $W_p$,
|
\item withdrawal key $W := (w_s,W_p)$ with private key $w_s$ and public key $W_p$,
|
||||||
\item coin key $C := (c_s,C_p)$ with private key $c_s$ and public key $C_p := c_s G$,
|
\item coin key $C := (c_s,C_p)$ with private key $c_s$ and public key $C_p := c_s G$,
|
||||||
\item blinding factor $b$, and commits $\langle W, C, b \rangle$ to disk.
|
\item blinding factor $b$, and commits $\langle W, C, b \rangle$ to disk.
|
||||||
\end{itemize}
|
\end{itemize}
|
||||||
\item The customer transfers an amount of money corresponding to at least $K_v$
|
\item[SEPA Send]
|
||||||
to the exchange, with $W_p$ in the subject line of the transaction.
|
The customer transfers an amount of money corresponding to
|
||||||
\item The exchange receives the transaction and credits the $W_p$ reserve with
|
at least $K_v$ to the exchange, with $W_p$ in the subject line
|
||||||
the respective amount in its database.
|
of the transaction.
|
||||||
\item The customer sends $S_W(B)$ where $B := B_b(\FDH_K(C_p))$ to the exchange
|
\item[SEPA Recieve]
|
||||||
to request withdrawal of $C$; here, $B_b$ denotes Chaum-style blinding with
|
The exchange receives the transaction and credits the reserve $W_p$
|
||||||
blinding factor $b$.
|
with the respective amount in its database.
|
||||||
\item The exchange checks if the same withdrawal request was issued before;
|
\item[POST {\tt /withdraw/sign}]
|
||||||
in this case, it sends $S_K(B)$ to the customer.%
|
The customer sends $S_W(B)$ where $B := B_b(\FDH_K(C_p))$ to
|
||||||
\footnote{$S_K$ denotes a Chaum-style blind signature with private key $K_s$.}
|
the exchange to request withdrawal of $C$; here, $B_b$ denotes
|
||||||
|
Chaum-style blinding with blinding factor $b$.
|
||||||
|
\item[200 OK / 402 PAYMENT REQUIRED]
|
||||||
|
The exchange checks if the same withdrawal request was issued before;
|
||||||
|
in this case, it sends a Chaum-style blind signature $S_K(B)$ with
|
||||||
|
private key $K_s$ to the customer. \\
|
||||||
If this is a fresh withdrawal request, the exchange performs the following transaction:
|
If this is a fresh withdrawal request, the exchange performs the following transaction:
|
||||||
\begin{enumerate}
|
\begin{enumerate}
|
||||||
\item checks if the reserve $W_p$ has sufficient funds
|
\item checks if the reserve $W_p$ has sufficient funds
|
||||||
@ -656,11 +663,11 @@ Now the customer carries out the following interaction with the exchange:
|
|||||||
Assuming the signature was valid, this would involve showing the transaction
|
Assuming the signature was valid, this would involve showing the transaction
|
||||||
history for the reserve.
|
history for the reserve.
|
||||||
% FIXME: Is it really the whole history?
|
% FIXME: Is it really the whole history?
|
||||||
\item The customer computes and verifies the unblinded signature
|
\item[Done] The customer computes and verifies the unblinded signature
|
||||||
$S_K(\FDH_K{C_p}) = U_b(S_K(B))$.
|
$S_K(\FDH_K{C_p}) = U_b(S_K(B))$.
|
||||||
Finally the customer saves the coin $\langle S_K(\FDH_K(C_p)), c_s \rangle$
|
Finally the customer saves the coin $\langle S_K(\FDH_K(C_p)), c_s \rangle$
|
||||||
to their local wallet on disk.
|
to their local wallet on disk.
|
||||||
\end{enumerate}
|
\end{description}
|
||||||
|
|
||||||
|
|
||||||
\subsection{Exact and partial spending}
|
\subsection{Exact and partial spending}
|
||||||
@ -681,11 +688,13 @@ with signature $\widetilde{C} := S_K(\FDH_K(C_p))$
|
|||||||
% FIXME: Again, these steps occur at different points in time, maybe
|
% FIXME: Again, these steps occur at different points in time, maybe
|
||||||
% that's okay, but refresh is slightly different.
|
% that's okay, but refresh is slightly different.
|
||||||
|
|
||||||
\begin{enumerate}
|
\begin{description}
|
||||||
\item\label{contract}
|
\item[Merchant Setup] % \label{contract}
|
||||||
Let $\vec{X} := \langle X_1, \ldots, X_n \rangle$ denote the list of
|
Let $\vec{X} := \langle X_1, \ldots, X_n \rangle$ denote the list of
|
||||||
exchanges accepted by the merchant where each $X_j$ is a exchange's
|
exchanges accepted by the merchant where each $X_j$ is a exchange's
|
||||||
public key. The merchant creates a digitally signed contract
|
public key.
|
||||||
|
\item[Proposal]
|
||||||
|
The merchant creates a digitally signed contract
|
||||||
$\mathcal{A} := S_M(m, f, a, H(p, r), \vec{X})$
|
$\mathcal{A} := S_M(m, f, a, H(p, r), \vec{X})$
|
||||||
where $m$ is an identifier for this transaction, $a$ is data relevant
|
where $m$ is an identifier for this transaction, $a$ is data relevant
|
||||||
to the contract indicating which services or goods the merchant will
|
to the contract indicating which services or goods the merchant will
|
||||||
@ -693,26 +702,30 @@ with signature $\widetilde{C} := S_K(\FDH_K(C_p))$
|
|||||||
$p$ is the merchant's payment information (e.g. his IBAN number), and
|
$p$ is the merchant's payment information (e.g. his IBAN number), and
|
||||||
$r$ is a random nonce. The merchant commits $\langle \mathcal{A} \rangle$
|
$r$ is a random nonce. The merchant commits $\langle \mathcal{A} \rangle$
|
||||||
to disk and sends $\mathcal{A}$ to the customer.
|
to disk and sends $\mathcal{A}$ to the customer.
|
||||||
\item\label{deposit}
|
\item[Customer Setup] % \label{deposit}
|
||||||
The customer should already possess a coin issued by a exchange that is
|
The customer should already possess a coin issued by a exchange that is
|
||||||
accepted by the merchant, meaning $K$ should be publicly signed by
|
accepted by the merchant, meaning $K$ should be publicly signed by
|
||||||
some $X_j$ from $\vec{X}$, and has a value $\geq f$.
|
some $X_j$ from $\vec{X}$, and has a value $\geq f$.
|
||||||
\item The customer generates a \emph{deposit-permission} $\mathcal{D} :=
|
\item[POST {\tt /???}]
|
||||||
S_c(\widetilde{C}, m, f, H(a), H(p,r), M_p)$
|
The customer generates a \emph{deposit-permission}
|
||||||
|
$\mathcal{D} := S_c(\widetilde{C}, m, f, H(a), H(p,r), M_p)$
|
||||||
and sends $\langle \mathcal{D}, X_j\rangle$ to the merchant,
|
and sends $\langle \mathcal{D}, X_j\rangle$ to the merchant,
|
||||||
where $X_j$ is the exchange which signed $K$.
|
where $X_j$ is the exchange which signed $K$.
|
||||||
\item The merchant gives $(\mathcal{D}, p, r)$ to the exchange, thereby
|
\item[POST {\tt/deposit}]
|
||||||
|
The merchant gives $(\mathcal{D}, p, r)$ to the exchange, thereby
|
||||||
revealing $p$ only to the exchange.
|
revealing $p$ only to the exchange.
|
||||||
\item The exchange validates $\mathcal{D}$ and checks for double spending.
|
\item[200 OK / 409 CONFLICT]
|
||||||
|
The exchange validates $\mathcal{D}$ and checks for double spending.
|
||||||
If the coin has been involved in previous transactions and the new
|
If the coin has been involved in previous transactions and the new
|
||||||
one would exceed its remaining value, it sends an error
|
one would exceed its remaining value, it sends an error
|
||||||
with the records from the previous transactions back to the merchant.
|
with the records from the previous transactions back to the merchant. \\
|
||||||
%
|
%
|
||||||
If double spending is not found, the exchange commits $\langle \mathcal{D} \rangle$ to disk
|
If double spending is not found, the exchange commits $\langle \mathcal{D} \rangle$ to disk
|
||||||
and notifies the merchant that the deposit operation was successful.
|
and notifies the merchant that the deposit operation was successful.
|
||||||
\item The merchant commits and forwards the notification from the exchange to the
|
\item[200 OK / ???]
|
||||||
|
The merchant commits and forwards the notification from the exchange to the
|
||||||
customer, confirming the success or failure of the operation.
|
customer, confirming the success or failure of the operation.
|
||||||
\end{enumerate}
|
\end{description}
|
||||||
|
|
||||||
We have simplified the exposition by assuming that one coin suffices,
|
We have simplified the exposition by assuming that one coin suffices,
|
||||||
but in practice a customer can use multiple coins from the same
|
but in practice a customer can use multiple coins from the same
|
||||||
@ -771,8 +784,9 @@ generator of the elliptic curve.
|
|||||||
|
|
||||||
% FIXME: I'm explicit about the rounds in postquantum.tex
|
% FIXME: I'm explicit about the rounds in postquantum.tex
|
||||||
|
|
||||||
\begin{enumerate}
|
\begin{description}
|
||||||
\item For each $i = 1,\ldots,\kappa$, the customer randomly generates
|
\item[POST {\tt /refresh/melt}]
|
||||||
|
For each $i = 1,\ldots,\kappa$, the customer randomly generates
|
||||||
a transfer private key $t^{(i)}_s$ and computes
|
a transfer private key $t^{(i)}_s$ and computes
|
||||||
\begin{itemize}
|
\begin{itemize}
|
||||||
\item the transfer public key $T^{(i)}_p := t^{(i)}_s G$ and
|
\item the transfer public key $T^{(i)}_p := t^{(i)}_s G$ and
|
||||||
@ -800,19 +814,21 @@ generator of the elliptic curve.
|
|||||||
The customer computes $B^{(i)} := B_{b^{(i)}}(\FDH_K(C^{(i)}_p))$
|
The customer computes $B^{(i)} := B_{b^{(i)}}(\FDH_K(C^{(i)}_p))$
|
||||||
for $i \in \{1,\ldots,\kappa\}$ and sends a commitment
|
for $i \in \{1,\ldots,\kappa\}$ and sends a commitment
|
||||||
$S_{C'}(\vec{B}, \vec{T_p})$ to the exchange.
|
$S_{C'}(\vec{B}, \vec{T_p})$ to the exchange.
|
||||||
\item The exchange generates a random $\gamma$ with $1 \le \gamma \le \kappa$ and
|
\item[200 OK / 409 CONFLICT]
|
||||||
|
The exchange generates a random $\gamma$ with $1 \le \gamma \le \kappa$ and
|
||||||
marks $C'_p$ as spent by committing
|
marks $C'_p$ as spent by committing
|
||||||
$\langle C', \gamma, S_{C'}(\vec{B}, \vec{T_p}) \rangle$ to disk.
|
$\langle C', \gamma, S_{C'}(\vec{B}, \vec{T_p}) \rangle$ to disk.
|
||||||
Auditing processes should assure that $\gamma$ is unpredictable until
|
Auditing processes should assure that $\gamma$ is unpredictable until
|
||||||
this time to prevent the exchange from assisting tax evasion.
|
this time to prevent the exchange from assisting tax evasion. \\
|
||||||
\item The exchange sends $S_{K'}(C'_p, \gamma)$ to the customer where
|
%
|
||||||
|
The exchange sends $S_{K'}(C'_p, \gamma)$ to the customer where
|
||||||
$K'$ is the exchange's message signing key.
|
$K'$ is the exchange's message signing key.
|
||||||
\item The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk.
|
\item[POST {\tt /refresh/reveal}]
|
||||||
|
The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk.
|
||||||
% \item
|
Also, the customer assembles
|
||||||
Also, the customer assembles $\mathfrak{R} := \left(t_s^{(i)}\right)_{i \ne \gamma}$
|
$\mathfrak{R} := \left(t_s^{(i)}\right)_{i \ne \gamma}$
|
||||||
and sends $S_{C'}(\mathfrak{R})$ to the exchange.
|
and sends $S_{C'}(\mathfrak{R})$ to the exchange.
|
||||||
\item \label{step:refresh-ccheck}
|
\item[200 OK / 400 BAD REQUEST] % \label{step:refresh-ccheck}
|
||||||
The exchange checks whether $\mathfrak{R}$ is consistent with
|
The exchange checks whether $\mathfrak{R}$ is consistent with
|
||||||
the commitments; specifically, it computes for $i \not= \gamma$:
|
the commitments; specifically, it computes for $i \not= \gamma$:
|
||||||
|
|
||||||
@ -835,12 +851,12 @@ generator of the elliptic curve.
|
|||||||
and checks if $\overline{B^{(i)}} = B^{(i)}$
|
and checks if $\overline{B^{(i)}} = B^{(i)}$
|
||||||
and $\overline{T^{(i)}_p} = T^{(i)}_p$.
|
and $\overline{T^{(i)}_p} = T^{(i)}_p$.
|
||||||
|
|
||||||
\item \label{step:refresh-done}
|
% \item[200 OK / 409 CONFLICT] % \label{step:refresh-done}
|
||||||
If the commitments were consistent, the exchange sends the
|
If the commitments were consistent, the exchange sends the
|
||||||
blind signature $\widetilde{C} := S_{K}(B^{(\gamma)})$ to the customer.
|
blind signature $\widetilde{C} := S_{K}(B^{(\gamma)})$ to the customer.
|
||||||
Otherwise, the exchange responds with an error indicating
|
Otherwise, the exchange responds with an error indicating
|
||||||
the location of the failure.
|
the location of the failure.
|
||||||
\end{enumerate}
|
\end{description}
|
||||||
|
|
||||||
%\subsection{N-to-M Refreshing}
|
%\subsection{N-to-M Refreshing}
|
||||||
%
|
%
|
||||||
|
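Review bot: In the refresh steps the exchange's reply is `S_{K'}(C'_p, \gamma)` with `K'` the message signing key, but the `POST {\tt /refresh/reveal}` item has the customer commit `\langle C', S_K(C'_p, \gamma) \rangle`. Elsewhere in the text `S_K` is the denomination blind signature, so this should read `S_{K'}(C'_p, \gamma)`, otherwise it is unclear which key attests to `\gamma`. The new figures name keys `DK`, `SK` and `RK` where these steps use `K`, `K'` and `W`, so the diagrams cannot be mapped onto the prose without a translation; pick one set. The labels `contract`, `deposit`, `step:refresh-ccheck` and `step:refresh-done` are now commented out, so any `\ref` to them elsewhere in the paper (not visible here) becomes undefined. `SEPA Recieve` should be `SEPA Receive`, and the `POST {\tt /???}` and `200 OK / ???` items still need real names.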