From e00fb6751b9b01c42c90a9aaaf8fe5c769622269 Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Tue, 25 Oct 2016 14:37:07 +0200 Subject: [PATCH] clarify losses from DK compromise --- doc/paper/taler.tex | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex index 9f8ee8239..9c4e49263 100644 --- a/doc/paper/taler.tex +++ b/doc/paper/taler.tex 
@@ -485,20 +485,21 @@ Denomination keys have an expiration date, before which any coins signed with it must be spent or refreshed. This allows the exchange to eventually discard records of old transactions, thus limiting the records that the exchange must retain and search to detect -double-spending attempts. Furthermore, the exchange uses each -denomination key only for a limited number of coins. In this way, if -a private denomination key were to be compromised, the exchange would -detect this once more coins were redeemed than the total that was -signed into existence using that denomination key. In this case, the -exchange can allow authentic customers to exchange their unspent -coins that were signed with the compromised private key, while -refusing further anonymous transactions involving those coins. As a -result, the financial damage of losing a private signing key can be -limited to at most twice the amount originally signed with that key. +double-spending attempts. If a private denomination key were to be +compromised, the exchange can detect this once more coins are redeemed +than the total that was signed into existence using that denomination +key. In this case, the exchange can allow authentic customers to +redeem their unspent coins that were signed with the compromised +private key, while refusing further deposits involving coins signed by +the compromised denomination key. As a result, the financial damage +of losing a private signing key is limited to at most the amount +originally signed with that key, and denomination key rotation can be +used to bound that risk. -We also ensure that the exchange cannot deanonymize users by signing +We ensure that the exchange cannot deanonymize users by signing each coin with a fresh denomination key. For this, exchanges are -required to publicly announce their denomination keys in advance. 
+required to publicly announce their denomination keys in advance +with validity periods that imply sufficiently strong anonymity sets. These announcements are expected to be signed with an off-line long-term private {\em master signing key} of the exchange and the auditor. Additionally, customers should obtain these announcements
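Review bot: the new sentence "the financial damage of losing a private signing key is limited to at most the amount originally signed with that key" mixes two different quantities, and the hunk should say which one is meant. Before detection an adversary holding the compromised key can redeem up to the full amount signed with it, and after detection the exchange, by the hunk's own description, still lets authentic customers redeem their unspent coins, so the exchange's total outflow for that key can still approach twice the amount signed, while the net loss (outflow beyond what was paid in for those coins) is bounded by the amount signed. The old text's "twice" described outflow; the new text's "the amount" describes net loss. Suggest making the bound explicit, e.g. "the net loss ... is limited to at most the amount originally signed with that key". Two smaller points in the same hunk: the added text says the exchange refuses "further deposits involving coins signed by the compromised denomination key" but does not say how it distinguishes "authentic customers" from holders of forged coins that carry equally valid signatures, and the bound presumably relies on the accounting described in the dropped sentence ("uses each denomination key only for a limited number of coins"), which now survives only as "denomination key rotation can be used to bound that risk". The hunk's first context line also lists "refreshed" alongside "spent" as a way to use a coin before expiry; since refresh would move value from a compromised denomination to other keys, consider stating whether refresh of coins under the compromised key is refused together with deposits, otherwise "limited to at most the amount originally signed" is not obviously justified.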