taler/exchange
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Section 3 cahnges

Browse Source
This commit is contained in:
Jeff Burdges 2016-05-22 16:52:56 +02:00
parent 69cb4882fa
commit 9a0fb5c7e2
1 changed files with 84 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

157
doc/paper/taler.tex
View File

@ -384,21 +384,21 @@ reduce the computational burden on the exchange.
\section{Design} \section{Design}
The payment system we propose is built on the blind signature We have built a payment system based on the blind signature primitive
primitive proposed by Chaum, but extended with additional discovered by Chaum, but extended with additional constructions to
constructions to provide unlinkability, online fraud detection and provide unlinkabile chain, online fraud detection and taxability.
taxability.
As with Chaum, the Taler system comprises three principal types of As with Chaum, the Taler system comprises three principal types of
actors (Figure~\ref{fig:cmm}): The \emph{customer} is interested in actors (Figure~\ref{fig:cmm}): The \emph{customer} is interested in
receiving goods or services from the \emph{merchant} in exchange for receiving goods or services from the \emph{merchant} in exchange for
payment. When making a transaction, both the customer and the payment. When making a transaction, both the customer and the
merchant must agree on the same \emph{exchange}, which serves as an merchant use the same \emph{exchange}, known as the mint in Chaum's
intermediary for the financial transaction between the two. The exchange work, which serves as an intermediary for the financial transaction
is responsible for allowing the customer to obtain the anonymous between the two. The exchange is responsible for allowing the customer
digital currency and for enabling the merchant to convert the to obtain the anonymous digital currency and for enabling the merchant
digital coins back to some traditional currency. The \emph{auditor} to convert the digital coins back to some traditional currency.
assures customers and merchants that the exchange operates correctly. In addition, we describe an \emph{auditor} who assures customers and
merchants that the exchange operates correctly.
\subsection{Security model} \subsection{Security model}
@ -414,77 +414,78 @@ communication channel to both the exchange and the merchant, such as Tor.
The exchange is trusted to hold funds of its customers and to forward them The exchange is trusted to hold funds of its customers and to forward them
when receiving the respective deposit instructions from the merchants. when receiving the respective deposit instructions from the merchants.
Customer and merchant can have some assurances about the exchange's Customer and merchant can have assurances about the exchange's liquidity
liquidity and operation, as the exchange has proven reserves, is subject and operation though published audits by government or third parties.
to the law, and can have its business regularly audited If sufficently regular, audits of the exchange's accounts should reveal any
by a government or third party. possible fraud before the exchange is allowed to destroy the corresponding
Regular audits of the exchange's accounts should reveal any possible fraud accumulated cryptographic proofs and book its fees as profits.
before the exchange is allowed to destroy the corresponding accumulated
cryptographic proofs and book its fees as profits.
%
The merchant is trusted to deliver the service or goods to the The merchant is trusted to deliver the service or goods to the
customer upon receiving payment. The customer can seek legal relief customer upon receiving payment. The customer can seek legal relief
to achieve this, as he must get cryptographic proofs of the contract to achieve this, as he must get cryptographic proofs of the contract
and that he paid his obligations. and that he paid his obligations.
Neither the merchant nor the customer have any ability to {\em effectively}
defraud the exchange or the state collecting taxes. Here, ``effectively''
means that the expected return for fraud is negative.
% %
Neither the merchant nor the customer may have any ability to {\em
effectively} defraud the exchange or the state collecting taxes. Here,
``effectively'' means that the expected return for fraud is negative.
In particular, Taler employs a full domain hash (FDH) with RSA signatures
so that ``one-more forgery'' is hard assuming the RSA known-target
inversion problem is hard.\cite[Theorem12]{RSA-HDF-KTIvCTI}
% \cite[Theorem 6.2]{OneMoreInversion}
Note that customers do not need to be trusted in any way, and that in Note that customers do not need to be trusted in any way, and that in
particular it is never necessary for anyone to try to recover funds particular it is never necessary for anyone to try to recover funds
from customers using legal means. from customers using legal means.
\subsection{Taxability and Entities} \subsection{Taxability and Entities}
As electronic coins are trivially copied between machines, we should Taler is supposed to ensure that the state can tax appropriate
clarify what kinds of operations can even be expected to be taxed. {\em transactions}. We must therefore clarify what constitutes a
After all, without intrusive measures to take away control of the transactions that can be expected to be taxed.
computing platform from its users, copying an electronic wallet from
one computer to another can hardly be prevented by a payment system. We necessarily assume both that coins can freely be copied between
Furthermore, it would also hardly be appropriate to tax the moving of machines, and that coin deletion cannot be verified.
funds between two computers owned by the same entity. We thus Avoiding these assumptions would require extreme measures, like custom
hardware supplied by the exchange, and tends to be incompatable with
our annonymity. Furthermore, it would inappropriate to tax the moving
of funds between two computers owned by the same entity. We thus
need to clarify which kinds of transfers we expect to tax. need to clarify which kinds of transfers we expect to tax.
Taler is supposed to ensure that the state can tax {\em transactions}. We view ownership of a coin's private key as a ``capability'' to spend
A {\em transaction} is a transfer where it is assured that one entity the funds. A transaction occurs when a merchant entity gains control
gains control over funds while at the same time another entity looses over the funds while at the same time a customer entity looses control
control over those funds. We further restrict transactions to apply over the funds in a manor verifiable to the merchant. In other words,
only to the transfer of funds between {\em mutually distrustful} we restrict transactions to those transfer of funds where the recipient
entities. Two entities are assumed to be mutually distrustful if they merchant is distrustful of the spending customer, and requires
are unwilling to share control over coins. If a private key is shared verification that they lost the capability to spend the funds.
between two entities, then both entities have equal access to the
credentials represented by the private key. In a payment system this Conversely, if a coin's private key is shared between two entities,
means that either entity could spent the associated funds. Assuming then both entities have equal access to the credentials represented by
the payment system has effective double-spending detection, this means the private key. In a payment system, this means that either entity
that either entity has to constantly fear that the funds might no could spent the associated funds.
longer be available to it. It follows that sharing coins by copying Assuming the payment system has effective double-spending detection,
a private key implies mutual trust between the two parties, in which this means that either entity has to constantly fear that the funds
case Taler will treat them as the same entity. might no longer be available to it.
It follows that sharing coins by copying a private key implies mutual
trust between the two parties, in which case Taler will treat them
as the same entity.
In Taler, making funds available by copying a private key and thus In Taler, making funds available by copying a private key and thus
sharing control is {\bf not} considered a {\em transaction} and sharing control is {\bf not} considered a {\em transaction} and
thus {\bf not} recorded for taxation. thus {\bf not} recorded for taxation.
Taler does however ensure taxability only when a merchant entity
Taler ensures taxability only when some entity acquires exclusive acquires exclusive control over the value represented by a digital
control over the value of digital coins, which requires an interaction coins, which requires an interaction with the exchange.
with the exchange. For such transactions, the state can obtain information In these taxable transactions,
from the exchange, or a bank, that identifies the entity that received the For such transactions, the state can obtain information from the
exchange, or a bank, that identifies the entity that received the
digital coins as well as the exact value of those coins. digital coins as well as the exact value of those coins.
Taler also allows the exchange, and hence the state, to learn the value of Taler also allows the exchange, and hence the state, to learn the value
digital coins withdrawn by a customer---but not how, where, or when of digital coins withdrawn by a customer---but not how, where, or when
they were spent. they were spent.
\subsection{Anonymity} \subsection{Anonymity}
An anonymous communication channel such as Tor~\cite{tor-design} is An anonymous communication channel such as Tor~\cite{tor-design} is
used for all communication between the customer and the merchant. used for all communication between the customer and the merchant,
as well as for refreshing tainted coins with the exchange and for
retrieving the exchange's denomination key.
Ideally, the customer's anonymity is limited only by this channel; Ideally, the customer's anonymity is limited only by this channel;
however, the payment system does additionally reveal that the customer however, the payment system does additionally reveal that the customer
is one of the patrons of the exchange. is one of the patrons of the exchange.
@ -495,15 +496,15 @@ possibly even when dealing with physical goods \cite{apod}.
We consider information leakage specific to the business logic to be We consider information leakage specific to the business logic to be
outside of the scope of the design of Taler. outside of the scope of the design of Taler.
Ideally, customer should use an anonymous communication channel with Aside from refreshing and obtaining denomination key, the customer
the exchange to avoid leaking IP address information; however, the exchange should ideally use an anonymous communication channel with the exchange
would typically learn the customer's identity from the wire transfer to obscure their IP address for location privacy, but naturally
that funds the customer's withdraw anonymous digital coins. the exchange would typically learn the customer's identity from the wire
In fact, this is desirable as there might be rules and regulations transfer that funds the customer's withdrawal of anonymous digital coins.
designed to limit the amount of anonymous digital cash that an We believe this is desirable as there might be laws, or bank policies,
individual customer can withdraw in a given time period, similar to that limit the amount of anonymous digital cash that an individual
how states today sometimes impose limits on cash customer can withdraw in a given time period, similar to how states today
withdrawals~\cite{france2015cash,greece2015cash}. sometimes impose limits on cash withdrawals~\cite{france2015cash,greece2015cash}.
Taler is only anonymous with respect to {\em payments}, as the exchange Taler is only anonymous with respect to {\em payments}, as the exchange
will be unable to link the known identity of the customer that withdrew will be unable to link the known identity of the customer that withdrew
anonymous digital currency to the {\em purchase} performed later at the anonymous digital currency to the {\em purchase} performed later at the
@ -550,6 +551,7 @@ records that the exchange must retain and search to detect double-spending
attempts. Furthermore, the exchange is expected to use each coin signing attempts. Furthermore, the exchange is expected to use each coin signing
key only for a limited number of coins. key only for a limited number of coins.
% for example by limiting its use to sign coins to a week or a month. % for example by limiting its use to sign coins to a week or a month.
In this way, if a private coin signing key were to be compromised, In this way, if a private coin signing key were to be compromised,
the exchange would detect this once more coins were redeemed than the total the exchange would detect this once more coins were redeemed than the total
that was signed into existence using that coin signing key. that was signed into existence using that coin signing key.
@ -558,11 +560,19 @@ unspent coins that were signed with the compromised private key,
while refusing further anonymous transactions involving those coins. while refusing further anonymous transactions involving those coins.
As a result, the financial damage of losing a private signing key can be As a result, the financial damage of losing a private signing key can be
limited to at most twice the amount originally signed with that key. limited to at most twice the amount originally signed with that key.
To ensure that the exchange does not enable deanonymization of users by
signing each coin with a fresh coin signing key, the exchange must publicly As a technical matter, Taler employs a full domain hash (FDH) with
announce the coin signing keys in advance. Those announcements are RSA signatures so that ``one-more forgery'' is provably hard assuming the
expected to be signed with an off-line long-term private {\em master RSA known-target inversion problem is hard \cite[Theorem 12]{RSA-HDF-KTIvCTI}.
signing key} of the exchange and the auditor. % \cite[Theorem 6.2]{OneMoreInversion}
We must also ensure that the exchange cannot deanonymize users by
signing each coin with a fresh denomination key. For this, we require
that exchanges publicly announce their denomination keys in advance.
These announcements are expected to be signed with an off-line
long-term private {\em master signing key} of the exchange and the
auditor. We additionally presume that customers should obtain these
announcements using Tor.
Before a customer can withdraw a coin from the exchange, Before a customer can withdraw a coin from the exchange,
he has to pay the exchange the value of the coin, as well as processing fees. he has to pay the exchange the value of the coin, as well as processing fees.
@ -592,6 +602,7 @@ during the exchange process. Knowledge of the private key of the coin
enables the owner to spent the coin. If the private key is shared enables the owner to spent the coin. If the private key is shared
with others, they also become owners of the coin. with others, they also become owners of the coin.
\subsection{Coin spending} \subsection{Coin spending}
To spend a coin, the coin's owner needs to sign a {\em deposit To spend a coin, the coin's owner needs to sign a {\em deposit