add citation to cryptonote, fix Jeff's typos, cut down politics, reduce verbosity, address some of the fixmes
This commit is contained in:
parent 1d2897cccc
commit cac7961c3d
@ -70,6 +70,16 @@
pages = {581--583},
}
@unpublished{cryptonote,
author = {van Saberhagen, Nicolas},
month = oct,
posted-at = {2016-09-18 11:44:05},
priority = {2},
title = {{CryptoNote v 2.0}},
url = {https://cryptonote.org/whitepaper.pdf},
year = {2013}
}
@inproceedings{chaum1990untraceable,
title={Untraceable electronic cash},
author={Chaum, David and Fiat, Amos and Naor, Moni},
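Review bot: the new @unpublished{cryptonote,...} entry is missing the "note" field that the standard BibTeX styles require for @unpublished (they will emit an "empty note" warning for it), and the fields posted-at = {2016-09-18 11:44:05} and priority = {2} look like reference-manager export leftovers that no style reads. Suggest dropping those two fields and carrying the link in the required field instead, e.g. note = {\url{https://cryptonote.org/whitepaper.pdf}}, since a bare url field is also ignored by the plain/abbrv styles; month = oct with year = {2013} is fine as it is.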
@ -265,6 +275,3 @@
doi_url="http://dx.doi.org/10.1007/3-540-44598-6_14",
url="https://www.iacr.org/archive/crypto2000/18800229/18800229.pdf"
}
@ -115,39 +115,38 @@ bank transactions such as SWIFT. These systems enable mass surveillance
by both governments and private companies. Aspects of this surveillance
sometimes benefit society by providing information about tax evasion or
crimes like extortion.
% FIXME: reads too much like political propaganda
In particular, bribery and corruption are limited to elites who can
afford to escape the dragnet.
%
%In particular, bribery and corruption are limited to elites who can
%afford to escape the dragnet.
%
At the other extreme, weaker developing nation states have economic
activity based largely on coins, paper money or even barter. Here,
the state is often unable to effectively monitor or tax economic
activity, and this limits the ability of the state to shape the
society. As bribery is virtually impossible to detect, corruption is
widespread and not limited to social elites.
society.
% If we remove the sentence above, this one also needs to go as it
% is the dual...
% As bribery is virtually impossible to detect, corruption is
% widespread and not limited to social elites.
%
%
% SHORTER: Zerocash need not be mentioned so early?
% Zerocash~\cite{zerocash} is an example for translating an
% anarchistic economy into the digital realm.
This paper describes Taler, a simple and practical payment system for
a social-liberal society, which is underserved by
current payment systems.
This paper describes Taler, a simple and practical payment system
which balances accountability and privacy.
The Taler protocol is influenced by ideas from
Chaum~\cite{chaum1983blind} and also follows Chaum's basic
The Taler protocol is an improvement over Chaum's original
design~\cite{chaum1983blind} and also follows Chaum's basic
architecture of customer, merchant and exchange
(Figure~\ref{fig:cmm}).
% FIXME: Our design is an improvement on top of Chaums stuff,
% this reads like it's completely new, which makes it sound
% too much like marketing for an academic paper
The two designs share the key first step
(Figure~\ref{fig:cmm}). The two designs share the key first step
where the {\em customer} withdraws digital {\em coins} from the {\em
exchange} with unlinkability provided via blind signatures. The
coins can then be spent at a {\em merchant} who {\em deposits} them at
the exchange. Taler uses online detection of double-spending and
provides exculpability via cryptographic proofs. Thus merchants are
instantly assured that a transaction is valid.
provides fair exchange and exculpability via cryptographic proofs.
% Thus merchants are instantly assured that a transaction is valid.
\begin{figure}[h]
\centering
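Review bot: the rewritten sentence "Taler uses online detection of double-spending and provides fair exchange and exculpability via cryptographic proofs" drops, by commenting it out, the one line that explained why online detection was chosen ("Thus merchants are instantly assured that a transaction is valid"); keep that consequence in the text, otherwise the reader is never told what online detection buys over Chaum-style offline detection. "Fair exchange" is also a new claim with no support at this point; either cite it or defer it to the section that demonstrates it. The bribery sentence now survives as two separate % blocks plus a third copy labelled "the dual"; delete all of them, git history keeps the old wording.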
@ -204,8 +203,7 @@ ledgers, have gained immense popularity. The most well-known protocol
in this class is Bitcoin~\cite{nakamoto2008bitcoin}. An initial
concern with Bitcoin was the lack of anonymity, as all Bitcoin
transactions are recorded for eternity, which can enable
identification of users. In theory, this concern has been addressed
in the alternative Zerocash protocol~\cite{zerocash}.
identification of users.
The key contribution of blockchain-based protocols is that
they dispense with the need for a central, trusted
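Review bot: with "In theory, this concern has been addressed in the alternative Zerocash protocol" gone, the opening "An initial concern with Bitcoin was the lack of anonymity" now reads as if the concern had since been resolved, yet nothing in the remaining paragraph says so. Suggest "A major concern with Bitcoin is the lack of anonymity", since the sentence goes on to describe the permanent transaction record as a present property.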
@ -218,7 +216,6 @@ Yet, there are several major irredeemable problems inherent in their designs:
So Bitcoin is an environmentally irresponsible design.
\item Bitcoin transactions have pseduononymous recipients, making taxation
hard to systematically enforce.
The Zerocash extension makes this worse.
\item Bitcoin introduces a new currency, creating additional
financial risks from currency fluctuation.
\item Anyone can start an alternative Bitcoin transaction chain,
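Review bot: the context line directly above the removed "The Zerocash extension makes this worse." still reads "pseduononymous recipients"; since this commit is fixing typos, change it to "pseudonymous" in the same hunk rather than leaving it for a follow-up.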
@ -233,15 +230,11 @@ Yet, there are several major irredeemable problems inherent in their designs:
% currency exchange and exacerbates the problems with currency fluctuations.
\end{itemize}
Anonymous alternatives to BitCoin such as Monero~\cite{??},
Zerocash~\cite{zerocash}, its predecessor Zerocoin~\cite{miers2013zerocoin},
and the recently proposed BOLT~\cite{BOLT} each have different technical
limitations. Yet, all exacerbate BitCoin's inherent issues with
transaction certenty and performance by require excessive
computation, more blockchain transactions, etc. By comparison,
Taler's refresh protocol handles aborted transactions with minimal
overhead, and ensures that aborts cannot be used to attack the
privacy assurances of the system.
Anonymous payment systems based on BitCoin such as
CryptoNote~\cite{cryptonote} (aka Monero) and Zerocash~\cite{zerocash} (aka
ZCash) exacerbate these issues. These systems mainly exploit the
blockchain's decentralized nature to escape anti-money laundering
regulation as they provide anonymous, disintermediated transactions.
%GreenCoinX\footnote{\url{https://www.greencoinx.com/}} is a more
%recent AltCoin where the company promises to identify the owner of
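Review bot: the replacement paragraph trades a technical comparison (aborted transactions, privacy under aborts, extra computation and blockchain transactions) for a claim about motive, "mainly exploit the blockchain's decentralized nature to escape anti-money laundering regulation", which neither cited whitepaper supports and which sits oddly in a commit meant to cut down politics. Suggest keeping the factual part of the old text, that these systems exacerbate Bitcoin's transaction-certainty and performance issues by requiring more computation or more blockchain transactions, and stating the regulatory point as a property (disintermediated transactions leave no party to whom AML rules apply) rather than an intent. Also "BitCoin" should be "Bitcoin" as in the rest of the paper, and "based on BitCoin" does not fit CryptoNote, which is its own protocol rather than an extension of Bitcoin; "blockchain-based" covers both systems.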
@ -290,6 +283,13 @@ include:
% a larger market.
\end{itemize}
To our knowledge, the only publicly available effort to implement
Chaum's idea is Opencoin~\cite{dent2008extensions}. However, Opencoin
is neither actively developed nor used, and it is not clear
to what degree the implementation is even complete. Only a partial
description of the Opencoin protocol is available to date.
% FIXME: ask OpenCoin dev's about this! Then make statement firmer!
Chaum's original digital cash system~\cite{chaum1983blind} was
extended by Brands~\cite{brands1993efficient} with the ability to {\em
divide} coins and thus spend certain fractions of a coin using
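Review bot: the Opencoin paragraph moved to the top of the section still carries "% FIXME: ask OpenCoin dev's about this! Then make statement firmer!", so the assertion that Opencoin "is neither actively developed nor used" lands in the main text while still flagged as unverified; either hedge it ("does not appear to be actively developed or used") or back it with a pointer to the project's repository or list activity before merging. "Chaum's idea" is also vague this early in the section; "Chaum's blind-signature cash", with the \cite{chaum1983blind} that the next paragraph already uses, would be clearer.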
@ -311,47 +311,49 @@ rather expensive.
In pure blind signature based schemes like Taler, withdrawal and spend
operations require bandwidth logarithmic in the value being withdrawn
or spent. In \cite{Camenisch05compacte-cash}, there is a zero-knoledge
or spent. In~\cite{Camenisch05compacte-cash}, there is a zero-knoledge
scheme that improves upon this, requiring only constant bandwidth for
withdrawals and spend operations, but unfortunately the exchanges' storage and
search costs become linear in the total value of all transactions.
In principle, one could correct this by adding multiple denominations,
an open problem stated already in \cite{Camenisch05compacte-cash}.
%In principle, one could correct this by adding multiple denominations,
%an open problem stated already in~\cite{Camenisch05compacte-cash}.
% NO: he cannot give change, so that does not really work!
As described, the scheme employs offline double spending protection,
which inherently makes it fragile and create an wholey unneccasry
deanonymization risk. We believe the offline protection from double
spending could be removed, thus switching the scheme to only protection
against online doulbe spending, like Taler.
which inherently makes it fragile and creates an unneccessary
deanonymization risk.
%We believe the offline protection from double
%spending could be removed, thus switching the scheme to only protection
%against online doulbe spending, like Taler.
% TOO much detail...
% FIXME: this doesn't belong in an introduction
% -- it's in related work, I see no problem. -CG
% FIXME: also mention the practical divisible ecash stuff
% FIXME: mention storage costs and computation cost for exchange (still 2^n for 2^n coins)
% and customer (has to do ZKPs)
Along with fixing these two issues, an interesting applied research project
would be to add partial spending and a form of Taler's refresh protocol.
At present, we feel these relatively new cryptographic techniques incur
unacceptable financial risks to the exchange, due to underdeveloped
implementation practice.
% -- eh, he says ``storage and search costs become linear''.
%
%Along with fixing these two issues, an interesting applied research project
%would be to add partial spending and a form of Taler's refresh protocol.
%At present, we feel these relatively new cryptographic techniques incur
%unacceptable financial risks to the exchange, due to underdeveloped
%implementation practice.
%
% SHORTER: Maybe some of the abbove could be thinned since
% they do not know much about Taler's refresh protcol yet.
% -- yeah, in particular the feeling/speculative parts are not needed...
In this vein, there are pure also zero-knoledge proof based schemes
like \cite{ST99}, and subsequently Zerocash~\cite{zerocash}, and maybe
varations on BOLT~\cite{BOLT}, that avoid using any denomination-like
constructs, slightly reducing metadata leakage. At present, these all
incur excessive bandwidth or computational costs however.
%In this vein, there are pure also zero-knoledge proof based schemes
%like~\cite{ST99}, and subsequently Zerocash~\cite{zerocash}, and maybe
%varations on BOLT~\cite{BOLT}, that avoid using any denomination-like
%constructs, slightly reducing metadata leakage. At present, these all
%incur excessive bandwidth or computational costs however.
% -- commented out, seems excessive.
%Some argue that the focus on technically perfect but overwhelmingly
%complex protocols, as well as the the lack of usable, practical
%solutions lead to an abandonment of these ideas by
%practitioners~\cite{selby2004analyzing}.
% FIXME: Move to top of section?
% FIXME: ask OpenCoin dev's about this! Then make statement firmer!
To our knowledge, the only publicly available effort to implement
Chaum's idea is Opencoin~\cite{dent2008extensions}. However, Opencoin
is neither actively developed nor used, and it is not clear
to what degree the implementation is even complete. Only a partial
description of the Opencoin protocol is available to date.
% FIXME: If we ever add peppercoin stuff, cite Matt Green paper
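Review bot: two typos survive on added lines despite the commit message: the new "In~\cite{Camenisch05compacte-cash}, there is a zero-knoledge" line should read "zero-knowledge", and "creates an unneccessary deanonymization risk" should read "unnecessary". The hunk also keeps four blocks of commented-out prose (the multiple-denomination remark, the "We believe the offline protection..." sentence, the "Along with fixing these two issues..." paragraph and the ST99/BOLT paragraph) interleaved with inline replies such as "-- eh, he says ``storage and search costs become linear''." and "-- commented out, seems excessive."; since git history preserves the old text, delete the commented blocks and the resolved back-and-forth ("% FIXME: this doesn't belong in an introduction" / "% -- it's in related work, I see no problem. -CG") and keep only the FIXMEs that still need action.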