add citation to cryptonote, fix Jeff's typos, cut down politics, reduce verbosity, address some of the fixmes

Christian Grothoff 2016-11-09 11:30:22 +01:00
parent 1d2897cccc
commit cac7961c3d
No known key found for this signature in database
GPG Key ID: 939E6BE1E29FC3CC
2 changed files with 78 additions and 69 deletions


@ -70,6 +70,16 @@
pages = {581--583}, pages = {581--583},
} }
@unpublished{cryptonote,
author = {van Saberhagen, Nicolas},
month = oct,
posted-at = {2016-09-18 11:44:05},
priority = {2},
title = {{CryptoNote v 2.0}},
url = {https://cryptonote.org/whitepaper.pdf},
year = {2013}
}
@inproceedings{chaum1990untraceable, @inproceedings{chaum1990untraceable,
title={Untraceable electronic cash}, title={Untraceable electronic cash},
author={Chaum, David and Fiat, Amos and Naor, Moni}, author={Chaum, David and Fiat, Amos and Naor, Moni},
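Review bot: the new `cryptonote` entry carries `posted-at = {2016-09-18 11:44:05}` and `priority = {2}`, which are bookmarking-service export fields rather than BibTeX fields and should be dropped. Standard BibTeX styles also expect a `note` field on `@unpublished` (something like `note = {Whitepaper}`), otherwise they emit an "empty note" warning, and the title `{{CryptoNote v 2.0}}` presumably wants `v2.0` without the stray space.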
@ -265,6 +275,3 @@
doi_url="http://dx.doi.org/10.1007/3-540-44598-6_14", doi_url="http://dx.doi.org/10.1007/3-540-44598-6_14",
url="https://www.iacr.org/archive/crypto2000/18800229/18800229.pdf" url="https://www.iacr.org/archive/crypto2000/18800229/18800229.pdf"
} }
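Review bot: the header `@ -265,6 +275,3 @@` says three lines were deleted after the closing brace of the crypto2000 entry, but the deleted lines are not visible in this rendering, so the removal cannot be checked here; confirm that no entry whose key is still cited elsewhere in the paper was removed, since this commit's text changes drop the `miers2013zerocoin`, `BOLT` and unresolved Monero `??` citations and a leftover `\cite` to a deleted key would only surface as a BibTeX warning.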


@ -115,39 +115,38 @@ bank transactions such as SWIFT. These systems enable mass surveillance
by both governments and private companies. Aspects of this surveillance by both governments and private companies. Aspects of this surveillance
sometimes benefit society by providing information about tax evasion or sometimes benefit society by providing information about tax evasion or
crimes like extortion. crimes like extortion.
% FIXME: reads too much like political propaganda %
In particular, bribery and corruption are limited to elites who can %In particular, bribery and corruption are limited to elites who can
afford to escape the dragnet. %afford to escape the dragnet.
% %
At the other extreme, weaker developing nation states have economic At the other extreme, weaker developing nation states have economic
activity based largely on coins, paper money or even barter. Here, activity based largely on coins, paper money or even barter. Here,
the state is often unable to effectively monitor or tax economic the state is often unable to effectively monitor or tax economic
activity, and this limits the ability of the state to shape the activity, and this limits the ability of the state to shape the
society. As bribery is virtually impossible to detect, corruption is society.
widespread and not limited to social elites. % If we remove the sentence above, this one also needs to go as it
% is the dual...
% As bribery is virtually impossible to detect, corruption is
% widespread and not limited to social elites.
%
% %
% SHORTER: Zerocash need not be mentioned so early? % SHORTER: Zerocash need not be mentioned so early?
% Zerocash~\cite{zerocash} is an example for translating an % Zerocash~\cite{zerocash} is an example for translating an
% anarchistic economy into the digital realm. % anarchistic economy into the digital realm.
This paper describes Taler, a simple and practical payment system for This paper describes Taler, a simple and practical payment system
a social-liberal society, which is underserved by which balances accountability and privacy.
current payment systems.
The Taler protocol is influenced by ideas from The Taler protocol is an improvement over Chaum's original
Chaum~\cite{chaum1983blind} and also follows Chaum's basic design~\cite{chaum1983blind} and also follows Chaum's basic
architecture of customer, merchant and exchange architecture of customer, merchant and exchange
(Figure~\ref{fig:cmm}). (Figure~\ref{fig:cmm}). The two designs share the key first step
% FIXME: Our design is an improvement on top of Chaums stuff,
% this reads like it's completely new, which makes it sound
% too much like marketing for an academic paper
The two designs share the key first step
where the {\em customer} withdraws digital {\em coins} from the {\em where the {\em customer} withdraws digital {\em coins} from the {\em
exchange} with unlinkability provided via blind signatures. The exchange} with unlinkability provided via blind signatures. The
coins can then be spent at a {\em merchant} who {\em deposits} them at coins can then be spent at a {\em merchant} who {\em deposits} them at
the exchange. Taler uses online detection of double-spending and the exchange. Taler uses online detection of double-spending and
provides exculpability via cryptographic proofs. Thus merchants are provides fair exchange and exculpability via cryptographic proofs.
instantly assured that a transaction is valid. % Thus merchants are instantly assured that a transaction is valid.
\begin{figure}[h] \begin{figure}[h]
\centering \centering
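Review bot: the new wording `The Taler protocol is an improvement over Chaum's original design` brings back the marketing tone that the FIXME deleted in this same hunk warned against (`this reads like it's completely new ... too much like marketing for an academic paper`); say what the improvement is instead, for example that Taler keeps Chaum's customer/merchant/exchange architecture but adds online double-spending detection and the fair-exchange guarantees. Relatedly, `fair exchange` is introduced in the last new sentence without a definition or a forward reference, and the `% SHORTER: Zerocash need not be mentioned so early?` comment is now stale because the early Zerocash mention is removed further down in this commit.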
@ -204,8 +203,7 @@ ledgers, have gained immense popularity. The most well-known protocol
in this class is Bitcoin~\cite{nakamoto2008bitcoin}. An initial in this class is Bitcoin~\cite{nakamoto2008bitcoin}. An initial
concern with Bitcoin was the lack of anonymity, as all Bitcoin concern with Bitcoin was the lack of anonymity, as all Bitcoin
transactions are recorded for eternity, which can enable transactions are recorded for eternity, which can enable
identification of users. In theory, this concern has been addressed identification of users.
in the alternative Zerocash protocol~\cite{zerocash}.
The key contribution of blockchain-based protocols is that The key contribution of blockchain-based protocols is that
they dispense with the need for a central, trusted they dispense with the need for a central, trusted
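Review bot: dropping `In theory, this concern has been addressed in the alternative Zerocash protocol~\cite{zerocash}.` leaves the paragraph ending on `identification of users.` with the anonymity concern simply hanging; since the CryptoNote and Zerocash discussion now lives in the related-work paragraph below, a short forward reference to it here would keep the thread for the reader. This removal also means the `Zerocash need not be mentioned so early` comment retained in the introduction can go.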
@ -218,7 +216,6 @@ Yet, there are several major irredeemable problems inherent in their designs:
So Bitcoin is an environmentally irresponsible design. So Bitcoin is an environmentally irresponsible design.
\item Bitcoin transactions have pseduononymous recipients, making taxation \item Bitcoin transactions have pseduononymous recipients, making taxation
hard to systematically enforce. hard to systematically enforce.
The Zerocash extension makes this worse.
\item Bitcoin introduces a new currency, creating additional \item Bitcoin introduces a new currency, creating additional
financial risks from currency fluctuation. financial risks from currency fluctuation.
\item Anyone can start an alternative Bitcoin transaction chain, \item Anyone can start an alternative Bitcoin transaction chain,
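Review bot: `pseduononymous` in the unchanged context line `\item Bitcoin transactions have pseduononymous recipients` should be `pseudonymous`; since this commit is fixing typos and the hunk already touches this item, it is worth correcting here. Removing `The Zerocash extension makes this worse.` is consistent with consolidating the Zerocash discussion in the paragraph that follows the list.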
@ -233,15 +230,11 @@ Yet, there are several major irredeemable problems inherent in their designs:
% currency exchange and exacerbates the problems with currency fluctuations. % currency exchange and exacerbates the problems with currency fluctuations.
\end{itemize} \end{itemize}
Anonymous alternatives to BitCoin such as Monero~\cite{??}, Anonymous payment systems based on BitCoin such as
Zerocash~\cite{zerocash}, its predecessor Zerocoin~\cite{miers2013zerocoin}, CryptoNote~\cite{cryptonote} (aka Monero) and Zerocash~\cite{zerocash} (aka
and the recently proposed BOLT~\cite{BOLT} each have different technical ZCash) exacerbate these issues. These systems mainly exploit the
limitations. Yet, all exacerbate BitCoin's inherent issues with blockchain's decentralized nature to escape anti-money laundering
transaction certenty and performance by require excessive regulation as they provide anonymous, disintermediated transactions.
computation, more blockchain transactions, etc. By comparison,
Taler's refresh protocol handles aborted transactions with minimal
overhead, and ensures that aborts cannot be used to attack the
privacy assurances of the system.
%GreenCoinX\footnote{\url{https://www.greencoinx.com/}} is a more %GreenCoinX\footnote{\url{https://www.greencoinx.com/}} is a more
%recent AltCoin where the company promises to identify the owner of %recent AltCoin where the company promises to identify the owner of
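Review bot: the new paragraph states that CryptoNote and Zerocash `mainly exploit the blockchain's decentralized nature to escape anti-money laundering regulation`, which is a claim about intent with no citation, while the removed text gave a technical reason (`require excessive computation, more blockchain transactions, etc.`); keep the technical grounds and either attribute or soften the regulatory claim. Smaller points: `BitCoin` here is inconsistent with `Bitcoin` in the hunks above, `(aka Monero)` and `(aka ZCash)` read informally for a paper (`as implemented by Monero` would do), and the deleted sentence on Taler's refresh protocol handling aborts was the only mention of the refresh protocol in this passage, so check that it is still introduced before it is first used.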
@ -290,6 +283,13 @@ include:
% a larger market. % a larger market.
\end{itemize} \end{itemize}
To our knowledge, the only publicly available effort to implement
Chaum's idea is Opencoin~\cite{dent2008extensions}. However, Opencoin
is neither actively developed nor used, and it is not clear
to what degree the implementation is even complete. Only a partial
description of the Opencoin protocol is available to date.
% FIXME: ask OpenCoin dev's about this! Then make statement firmer!
Chaum's original digital cash system~\cite{chaum1983blind} was Chaum's original digital cash system~\cite{chaum1983blind} was
extended by Brands~\cite{brands1993efficient} with the ability to {\em extended by Brands~\cite{brands1993efficient} with the ability to {\em
divide} coins and thus spend certain fractions of a coin using divide} coins and thus spend certain fractions of a coin using
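Review bot: moving the Opencoin paragraph to the top of the section resolves the `% FIXME: Move to top of section?` comment, but the `% FIXME: ask OpenCoin dev's about this! Then make statement firmer!` travels with it unresolved, so the hedge `it is not clear to what degree the implementation is even complete` remains as weak as before; either resolve it or keep the TODO next to it. Also `dev's` should be `devs` in that comment.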
@ -311,47 +311,49 @@ rather expensive.
In pure blind signature based schemes like Taler, withdrawal and spend In pure blind signature based schemes like Taler, withdrawal and spend
operations require bandwidth logarithmic in the value being withdrawn operations require bandwidth logarithmic in the value being withdrawn
or spent. In \cite{Camenisch05compacte-cash}, there is a zero-knoledge or spent. In~\cite{Camenisch05compacte-cash}, there is a zero-knoledge
scheme that improves upon this, requiring only constant bandwidth for scheme that improves upon this, requiring only constant bandwidth for
withdrawals and spend operations, but unfortunately the exchanges' storage and withdrawals and spend operations, but unfortunately the exchanges' storage and
search costs become linear in the total value of all transactions. search costs become linear in the total value of all transactions.
In principle, one could correct this by adding multiple denominations, %In principle, one could correct this by adding multiple denominations,
an open problem stated already in \cite{Camenisch05compacte-cash}. %an open problem stated already in~\cite{Camenisch05compacte-cash}.
% NO: he cannot give change, so that does not really work!
As described, the scheme employs offline double spending protection, As described, the scheme employs offline double spending protection,
which inherently makes it fragile and create an wholey unneccasry which inherently makes it fragile and creates an unneccessary
deanonymization risk. We believe the offline protection from double deanonymization risk.
spending could be removed, thus switching the scheme to only protection %We believe the offline protection from double
against online doulbe spending, like Taler. %spending could be removed, thus switching the scheme to only protection
%against online doulbe spending, like Taler.
% TOO much detail...
% FIXME: this doesn't belong in an introduction % FIXME: this doesn't belong in an introduction
% -- it's in related work, I see no problem. -CG
% FIXME: also mention the practical divisible ecash stuff % FIXME: also mention the practical divisible ecash stuff
% FIXME: mention storage costs and computation cost for exchange (still 2^n for 2^n coins) % FIXME: mention storage costs and computation cost for exchange (still 2^n for 2^n coins)
% and customer (has to do ZKPs) % and customer (has to do ZKPs)
Along with fixing these two issues, an interesting applied research project % -- eh, he says ``storage and search costs become linear''.
would be to add partial spending and a form of Taler's refresh protocol. %
At present, we feel these relatively new cryptographic techniques incur %Along with fixing these two issues, an interesting applied research project
unacceptable financial risks to the exchange, due to underdeveloped %would be to add partial spending and a form of Taler's refresh protocol.
implementation practice. %At present, we feel these relatively new cryptographic techniques incur
%unacceptable financial risks to the exchange, due to underdeveloped
%implementation practice.
%
% SHORTER: Maybe some of the abbove could be thinned since % SHORTER: Maybe some of the abbove could be thinned since
% they do not know much about Taler's refresh protcol yet. % they do not know much about Taler's refresh protcol yet.
% -- yeah, in particular the feeling/speculative parts are not needed...
In this vein, there are pure also zero-knoledge proof based schemes %In this vein, there are pure also zero-knoledge proof based schemes
like \cite{ST99}, and subsequently Zerocash~\cite{zerocash}, and maybe %like~\cite{ST99}, and subsequently Zerocash~\cite{zerocash}, and maybe
varations on BOLT~\cite{BOLT}, that avoid using any denomination-like %varations on BOLT~\cite{BOLT}, that avoid using any denomination-like
constructs, slightly reducing metadata leakage. At present, these all %constructs, slightly reducing metadata leakage. At present, these all
incur excessive bandwidth or computational costs however. %incur excessive bandwidth or computational costs however.
% -- commented out, seems excessive.
%Some argue that the focus on technically perfect but overwhelmingly %Some argue that the focus on technically perfect but overwhelmingly
%complex protocols, as well as the the lack of usable, practical %complex protocols, as well as the the lack of usable, practical
%solutions lead to an abandonment of these ideas by %solutions lead to an abandonment of these ideas by
%practitioners~\cite{selby2004analyzing}. %practitioners~\cite{selby2004analyzing}.
% FIXME: Move to top of section?
% FIXME: ask OpenCoin dev's about this! Then make statement firmer!
To our knowledge, the only publicly available effort to implement
Chaum's idea is Opencoin~\cite{dent2008extensions}. However, Opencoin
is neither actively developed nor used, and it is not clear
to what degree the implementation is even complete. Only a partial
description of the Opencoin protocol is available to date.
% FIXME: If we ever add peppercoin stuff, cite Matt Green paper % FIXME: If we ever add peppercoin stuff, cite Matt Green paper
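Review bot: `unneccessary` in the new line `which inherently makes it fragile and creates an unneccessary` is still misspelled (`unnecessary`), and `zero-knoledge` in the unchanged line `In~\cite{Camenisch05compacte-cash}, there is a zero-knoledge` should be `zero-knowledge`; both sit in text that stays live. The commented-out copies keep `doulbe`, `abbove` and `protcol`, which is harmless now but will resurface if any of those lines are uncommented later, so a pass over them costs little while this hunk is open.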