clarify losses from DK compromise

Christian Grothoff 2016-10-25 14:37:07 +02:00
parent eab6bf0f07
commit e00fb6751b


@ -485,20 +485,21 @@ Denomination keys have an expiration date, before which any coins
signed with it must be spent or refreshed. This allows the exchange signed with it must be spent or refreshed. This allows the exchange
to eventually discard records of old transactions, thus limiting the to eventually discard records of old transactions, thus limiting the
records that the exchange must retain and search to detect records that the exchange must retain and search to detect
double-spending attempts. Furthermore, the exchange uses each double-spending attempts. If a private denomination key were to be
denomination key only for a limited number of coins. In this way, if compromised, the exchange can detect this once more coins are redeemed
a private denomination key were to be compromised, the exchange would than the total that was signed into existence using that denomination
detect this once more coins were redeemed than the total that was key. In this case, the exchange can allow authentic customers to
signed into existence using that denomination key. In this case, the redeem their unspent coins that were signed with the compromised
exchange can allow authentic customers to exchange their unspent private key, while refusing further deposits involving coins signed by
coins that were signed with the compromised private key, while the compromised denomination key. As a result, the financial damage
refusing further anonymous transactions involving those coins. As a of losing a private signing key is limited to at most the amount
result, the financial damage of losing a private signing key can be originally signed with that key, and denomination key rotation can be
limited to at most twice the amount originally signed with that key. used to bound that risk.
We also ensure that the exchange cannot deanonymize users by signing We ensure that the exchange cannot deanonymize users by signing
each coin with a fresh denomination key. For this, exchanges are each coin with a fresh denomination key. For this, exchanges are
required to publicly announce their denomination keys in advance. required to publicly announce their denomination keys in advance
with validity periods that imply sufficiently strong anonymity sets.
These announcements are expected to be signed with an off-line These announcements are expected to be signed with an off-line
long-term private {\em master signing key} of the exchange and the long-term private {\em master signing key} of the exchange and the
auditor. Additionally, customers should obtain these announcements auditor. Additionally, customers should obtain these announcements
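Review bot: the rewritten "As a result" sentence drops the old factor of two without saying what the bound counts, so it reads as a contradiction of the previous text rather than a correction; consider stating that the bound is on the exchange's net loss. The visible reasoning supports that reading: detection only triggers "once more coins are redeemed than the total that was signed into existence", so redemptions of forged coins are capped by the signed total, and the honest redemptions the exchange still honors afterwards are backed by funds it actually received, while the total payout can still approach twice the signed amount. Two smaller points in the same hunk: "is limited to at most the amount" asserts more than the old "can be limited", since the cap only holds if the exchange actually stops deposits at the threshold, and the new phrase "with validity periods that imply sufficiently strong anonymity sets" would benefit from a cross-reference to wherever the paper defines that requirement.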