minor edits to the paper, moving refresh around, etc.
This commit is contained in:
parent
709e53be6e
commit
cddce0fd6f
@ -665,6 +665,8 @@ spending operation as the owner of a coin should not have to pay
|
||||
not used for money laundering or tax evasion, the refreshing protocol
|
||||
assures that the owner stays the same.
|
||||
|
||||
% FIXME: This paragraph could likely be removed and be replaced
|
||||
% by the proof if we have space.
|
||||
The refresh protocol has two key properties: First, the exchange is
|
||||
unable to link the fresh coin's public key to the public key of the
|
||||
dirty coin. Second, it is assured that the owner of the dirty coin
|
||||
@ -696,8 +698,7 @@ customers and merchants and is certified by the auditors.
|
||||
|
||||
We avoid asking either customers or merchants to make trust decisions
|
||||
about individual exchanges. Instead, they need only select the auditors.
|
||||
Auditors must sign all the exchange's keys including, the individual
|
||||
denomination keys.
|
||||
Auditors must sign all the exchange's public keys.
|
||||
|
||||
As we are dealing with financial transactions, we explicitly describe
|
||||
whenever entities need to safely write data to persistent storage.
|
||||
@ -886,7 +887,8 @@ We now describe the refresh protocol whereby a dirty coin $C'$ of
|
||||
denomination $K$ is melted to obtain a fresh coin $\widetilde{C}$. To
|
||||
simplify the description, this section describes the case where one
|
||||
{\em unspent} dirty coin (for example, from an aborted transaction) is
|
||||
exchanged for a fresh coin of the same denomination. In practice,
|
||||
exchanged for a fresh coin of the same denomination. We have again
|
||||
simplified the exposition by creating only one fresh coin. In practice,
|
||||
Taler uses a natural extension where multiple fresh coins of possibly
|
||||
many different denominations are generated at the same time. For this,
|
||||
the wallet simply specifies an array of coins wherever the protocol
|
||||
@ -1029,6 +1031,25 @@ devolve into a payment system where both sides can be anonymous, and
|
||||
thus no longer provide taxability.
|
||||
|
||||
|
||||
\subsection{Refunds}
|
||||
|
||||
The refresh protocol offers an easy way to enable refunds to
|
||||
customers, even if they are anonymous. Refunds are supported
|
||||
by including a public signing key of the merchant in the transaction
|
||||
details, and having the customer keep the private key of the spent
|
||||
coins on file.
|
||||
|
||||
Given this, the merchant can simply sign a {\em refund confirmation}
|
||||
and share it with the exchange and the customer. Assuming the
|
||||
exchange has a way to recover the funds from the merchant, or has not
|
||||
yet performed the wire transfer, the exchange can simply add the value
|
||||
of the refunded transaction back to the original coin, re-enabling
|
||||
those funds to be spent again by the original customer. This customer
|
||||
can then use the refresh protocol to anonymously melt the refunded
|
||||
coin and create a fresh coin that is unlinkable to the refunded
|
||||
transaction.
|
||||
|
||||
|
||||
\subsection{Error handling}
|
||||
|
||||
During operation, there are three main types of errors that are
|
||||
@ -1054,21 +1075,20 @@ response to the client or take appropriate legal action against the
|
||||
faulty exchange.
|
||||
|
||||
The third case are transient failures, such as network failures or
|
||||
temporary hardware failures at the exchange service provider. Here, the
|
||||
client may receive an explicit protocol indication, such as an HTTP
|
||||
response code ``500 INTERNAL SERVER ERROR'' or simply no response.
|
||||
The appropriate behavior for the client is to automatically retry
|
||||
after 1s, and twice more at randomized times within 1 minute.
|
||||
If those three attempts fail, the user should be informed about the
|
||||
delay. The client should then retry another three times within the
|
||||
next 24h, and after that time the auditor should be informed about the outage.
|
||||
Using this process, short term failures should be effectively obscured
|
||||
from the user, while malicious behavior is reported to the auditor who
|
||||
can then presumably rectify the situation, using methods such as
|
||||
shutting down the operator and helping customers to regain refunds for
|
||||
coins in their wallets. To ensure that such refunds are possible, the
|
||||
operator is expected to always provide adequate securities for the
|
||||
amount of coins in circulation as part of the certification process.
|
||||
temporary hardware failures at the exchange service provider. Here,
|
||||
the client may receive an explicit protocol indication, or simply no
|
||||
response. The appropriate behavior for the client is to automatically
|
||||
retry a few times with back-off. If this still fails, the user can,
|
||||
depending on the type of operation, either attempt to recover the now
|
||||
dirty coin using the refresh protocol, or notify the auditor about the
|
||||
outage. Using this process, short term failures should be effectively
|
||||
obscured from the user, while malicious behavior is reported to the
|
||||
auditor who can then presumably rectify the situation, using methods
|
||||
such as shutting down the operator and helping customers to regain
|
||||
refunds for coins in their wallets. To ensure that such refunds are
|
||||
possible, the operator is expected to always provide adequate
|
||||
securities for the amount of coins in circulation as part of the
|
||||
certification process.
|
||||
|
||||
|
||||
%As with support for fractional payments, Taler addresses these
|
||||
@ -1077,24 +1097,6 @@ amount of coins in circulation as part of the certification process.
|
||||
%the new coin.
|
||||
|
||||
|
||||
\subsection{Refunds}
|
||||
|
||||
The refresh protocol offers an easy way to enable refunds to
|
||||
customers, even if they are anonymous. Refunds are supported
|
||||
by including a public signing key of the merchant in the transaction
|
||||
details, and having the customer keep the private key of the spent
|
||||
coins on file.
|
||||
|
||||
Given this, the merchant can simply sign a {\em refund confirmation}
|
||||
and share it with the exchange and the customer. Assuming the
|
||||
exchange has a way to recover the funds from the merchant, or has not
|
||||
yet performed the wire transfer, the exchange can simply add the value
|
||||
of the refunded transaction back to the original coin, re-enabling
|
||||
those funds to be spent again by the original customer. This customer
|
||||
can then use the refresh protocol to anonymously melt the refunded
|
||||
coin and create a fresh coin that is unlinkable to the refunded
|
||||
transaction.
|
||||
|
||||
\section{Experimental results}
|
||||
|
||||
%\begin{figure}[b!]
|
||||
@ -1373,7 +1375,7 @@ data being persisted are represented in between $\langle\rangle$.
|
||||
\item[$\overline{C^{(i)}_p}$]{Public coin keys computed from $\overline{c_s^{(i)}}$ by the verifier}
|
||||
\end{description}
|
||||
|
||||
|
||||
\newpage
|
||||
\section{Taxability arguments}
|
||||
|
||||
We assume the exchange operates honestly when discussing taxability.
|
||||
@ -1397,11 +1399,12 @@ An honest exchange keeps any funds being refreshed if the reveal
|
||||
phase is never carried out, does not match the commitment, or shows
|
||||
an incorrect commitment. As a result, a customer dishonestly
|
||||
refreshing a coin looses their money if they have more than one
|
||||
dishonest commitment. They have a $1 \over \kappa$ chance of their
|
||||
dishonest commitment. If they make exactly one dishonest
|
||||
commitment, they have a $1 \over \kappa$ chance of their
|
||||
dishonest commitment being selected for the refresh.
|
||||
\end{proof}
|
||||
|
||||
We say a coin is {\em controlled} by a user if the user's wallet knows
|
||||
We say a coin $C$ is {\em controlled} by a user if the user's wallet knows
|
||||
its secret scalar $c_s$, the signature $S$ of the appropriate denomination
|
||||
key on its public key $C_s$, and the residual value of the coin.
|
||||
|
||||
@ -1469,7 +1472,7 @@ Also let $d$ and $e$ denote the private and public exponents, respectively.
|
||||
In effect, coin withdrawal transcripts consist of numbers
|
||||
$b m^d \mod n$ where $m$ is the FDH of the coin's public key
|
||||
and $b$ is the blinding factor, while coin deposits transcripts
|
||||
consist of only $m^d \mon n$.
|
||||
consist of only $m^d \mod n$.
|
||||
|
||||
Of course, if the adversary can link coins then they can compute
|
||||
the blinding factors as $b m^d / m^d \mod n$. Conversely, if the
|
||||
@ -1503,7 +1506,7 @@ rise to an adversary with an advantage for recognizing SHA512 output.
|
||||
We may now remove the encrpytion by appealing to the random oracle model
|
||||
\cite{BR-RandomOracles}.
|
||||
|
||||
\begin{lemma}[\cite[??]{??}]
|
||||
\begin{lemma}[\cite{??}]
|
||||
Consider a protocol that commits to random data by encrypting it
|
||||
using a secret derived from a Diffe-Hellman key exchange.
|
||||
In the random oracle model, we may replace this encryption with
|
||||
@ -1538,6 +1541,7 @@ proves that out linking protocol \S\ref{subsec:linking} does not
|
||||
degrade privacy.
|
||||
|
||||
|
||||
|
||||
\end{document}
|
||||
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user