misc minor edits, and a FIXME for Jeff

This commit is contained in:
Christian Grothoff 2016-10-25 14:01:20 +02:00
parent ddb5987c66
commit e6267e61d5
2 changed files with 62 additions and 47 deletions

View File

@ -19,6 +19,13 @@
pages = {11-15}, pages = {11-15},
} }
@misc{BOLT,
author = {Matthew Green and Ian Miers},
title = {Bolt: Anonymous Payment Channels for Decentralized Currencies},
howpublished = {Cryptology ePrint Archive, Report 2016/701},
year = {2016},
note = {\url{http://eprint.iacr.org/2016/701}},
}
@Misc{greece2015cash, @Misc{greece2015cash,
author = {Reuters}, author = {Reuters},

View File

@ -77,7 +77,7 @@
\begin{abstract} \begin{abstract}
This paper introduces {\em Taler}, a Chaum-style digital currency that This paper introduces {\em Taler}, a Chaum-style digital currency that
enables anonymous payments while ensuring that entities that receive enables anonymous payments while ensuring that entities that receive
payments are auditable and thus taxable. In Taler, customers can payments are auditable. In Taler, customers can
never defraud anyone, merchants can only fail to deliver the never defraud anyone, merchants can only fail to deliver the
merchandise to the customer, and payment service providers can be merchandise to the customer, and payment service providers can be
fully audited. All parties receive cryptographic evidence for all fully audited. All parties receive cryptographic evidence for all
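Review bot: removing ``and thus taxable'' from the abstract leaves it without the taxability claim that the body still makes: the security model says neither party can defraud ``the state collecting taxes'', a subsection is titled ``Taxability and Entities'', and the exchange section says merchant identification ``is also necessary for taxation''. Either keep a short mention here, e.g. ``are auditable, and thus taxable'', or revise those passages so the abstract and the body agree on whether taxability is a design goal.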
@ -88,10 +88,10 @@ systems that do not provide for privacy.
The key technical contribution underpinning Taler is a new {\em The key technical contribution underpinning Taler is a new {\em
refresh protocol} which allows fractional payments and refunds while refresh protocol} which allows fractional payments and refunds while
maintaining anonymity of the customer and unlinkability of maintaining untraceability of the customer and unlinkability of
transactions. The refresh protocol combines an efficient transactions. The refresh protocol combines an
cut-and-choose mechanism with a {\em link} step to ensure that efficient cut-and-choose mechanism with a {\em link} step to ensure
refreshing is not abused for transactional payments. that refreshing is not abused for transactional payments.
We argue that Taler provides a secure digital currency for modern We argue that Taler provides a secure digital currency for modern
liberal societies as it is a flexible, libre and efficient protocol liberal societies as it is a flexible, libre and efficient protocol
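Review bot: this hunk introduces ``untraceability of the customer'' as something distinct from ``unlinkability of transactions'', but neither term is defined anywhere in the paper, and the change-giving paragraph in the introduction still says that withdrawing exact change ``reduces anonymity'' while the new related-work paragraph speaks of the ``anonymity set''. Add one sentence defining the two (untraceability: the exchange cannot tie a withdrawal to a later spend; unlinkability: two spends cannot be tied to each other) and then use the terms consistently, or revert to ``anonymity'' throughout.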
@ -106,11 +106,11 @@ developed nation states have adopted highly transparent payment systems,
such as the MasterCard and VisaCard credit card schemes and computerized such as the MasterCard and VisaCard credit card schemes and computerized
bank transactions such as SWIFT. These systems enable mass surveillance bank transactions such as SWIFT. These systems enable mass surveillance
by both governments and private companies. Aspects of this surveillance by both governments and private companies. Aspects of this surveillance
sometimes benifit society by providing information about tax evasion or sometimes benefit society by providing information about tax evasion or
crimes like extortion. % TODO : anti-money laundering later? crimes like extortion. % TODO : anti-money laundering later?
In particular, bribery and corruption are limited to elites who can In particular, bribery and corruption are limited to elites who can
afford to escape the dragnet. afford to escape the dragnet.
%
At the other extreme, weaker developing nation states have economic At the other extreme, weaker developing nation states have economic
activity based largely on coins, paper money or even barter. Here, activity based largely on coins, paper money or even barter. Here,
the state is often unable to effectively monitor or tax economic the state is often unable to effectively monitor or tax economic
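Review bot: the typo fix is fine, but the `% TODO : anti-money laundering later?` marker survives the hunk unresolved, and the sentence ``In particular, bribery and corruption are limited to elites who can afford to escape the dragnet'' is asserted without a citation; since the hunk is already editing this paragraph, either resolve the TODO here or add a source for the claim about the benefits of surveillance.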
@ -122,20 +122,19 @@ ZeroCoin~\cite{miers2013zerocoin} is an example for translating an
anarchistic economy into the digital realm. anarchistic economy into the digital realm.
This paper describes Taler, a simple and practical payment system for This paper describes Taler, a simple and practical payment system for
a modern social-liberal society, which is not being served well by a social-liberal society, which is underserved by
current payment systems which enable either an authoritarian state in current payment systems.
total control of the population, or create weak states with almost
anarchistic economies.
The Taler protocol is influenced by ideas from The Taler protocol is influenced by ideas from
Chaum~\cite{chaum1983blind} and also follows Chaum's basic architecture of Chaum~\cite{chaum1983blind} and also follows Chaum's basic
customer, merchant and exchange (Figure~\ref{fig:cmm}). architecture of customer, merchant and exchange
The two designs share the key first step where the {\em customer} (Figure~\ref{fig:cmm}). The two designs share the key first step
withdraws digital {\em coins} from the {\em exchange} with unlinkability where the {\em customer} withdraws digital {\em coins} from the {\em
provided via blind signatures. The coins can then be spent at a exchange} with unlinkability provided via blind signatures. The
{\em merchant} who {\em deposits} them at the exchange. coins can then be spent at a {\em merchant} who {\em deposits} them at
Taler uses online detection of double-spending, thus assuring the merchant the exchange. Taler uses online detection of double-spending and
instantly that a transaction is valid. provides excuplability via cryptographic proofs. Thus merchants are
instantly assured that a transaction is valid.
\begin{figure}[h] \begin{figure}[h]
\centering \centering
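Review bot: ``excuplability'' in the added sentence should be ``exculpability''. Separately, dropping the clause about ``an authoritarian state in total control of the population'' versus ``weak states with almost anarchistic economies'' leaves ``underserved by current payment systems'' unexplained, although the two preceding paragraphs set up exactly that contrast between fully transparent and cash-based economies; a short clause such as ``which current payment systems serve only at one of the two extremes described above'' keeps the link to that argument.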
@ -159,16 +158,14 @@ instantly that a transaction is valid.
\label{fig:cmm} \label{fig:cmm}
\end{figure} \end{figure}
A key issue for an efficient Chaumian digital payment system is the A key issue for an efficient Chaumian digital payment system is the
need to provide change. For example, a customer may want to pay need to provide change. For example, a customer may want to pay
\EUR{49,99}, but has withdrawn a \EUR{100,00} coin. Withdrawng 10,000 \EUR{49,99}, but has withdrawn a \EUR{100,00} coin. Withdrawing 10,000
pieces with a denomination of \EUR{0,01} and transferring 4,999 would coins with a denomination of \EUR{0,01} and transferring 4,999 coins would
be too inefficient, even for modern systems. The customer should not be too inefficient. The customer should not
withdraw exact change from her account, as doing so reduces anonymity withdraw exact change from her account, as doing so reduces anonymity
due to the obvious corrolation. A practical payment system must thus due to the obvious correlation. A practical payment system must thus
support giving change in the form of spendable coins, say a \EUR{0,01} support giving change.
coin and a \EUR{50,00} coin.
Taler solves the problem of giving change by introducing a new Taler solves the problem of giving change by introducing a new
{\em refresh protocol}. Using this protocol, a customer can obtain {\em refresh protocol}. Using this protocol, a customer can obtain
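Review bot: cutting ``in the form of spendable coins, say a \EUR{0,01} coin and a \EUR{50,00} coin'' removes the only statement that change has to come back as coins the customer can spend again, which is precisely the property the refresh-protocol paragraph immediately below relies on (a credit back to the bank account would also count as ``giving change'' under the new wording). Suggest keeping ``must thus support giving change in the form of spendable coins'' even if the concrete denominations are dropped.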
@ -216,6 +213,15 @@ Yet, there are several major irredeemable problems inherent in their designs:
% currency exchange and exacerbates the problems with currency fluctuations. % currency exchange and exacerbates the problems with currency fluctuations.
\end{itemize} \end{itemize}
Anonymity extensions for BitCoin such as ZeroCoin~\cite{miers2013zerocoin}
and BOLT~\cite{BOLT} are also limited to transactions with coins
of fixed discrete value, creating problems with giving change we
outlined in the introduction. Furthermore, these extensions have
problems with aborted transactions, which can reduce the anonymity
set. Taler's refresh protocol also addresses the problem of aborted
transactions, ensuring that aborts cannot be used to attack the
privacy assurances of the system.
%GreenCoinX\footnote{\url{https://www.greencoinx.com/}} is a more %GreenCoinX\footnote{\url{https://www.greencoinx.com/}} is a more
%recent AltCoin where the company promises to identify the owner of %recent AltCoin where the company promises to identify the owner of
%each coin via e-mail addresses and phone numbers. While it is unclear %each coin via e-mail addresses and phone numbers. While it is unclear
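Review bot: the added paragraph states that BOLT ``is also limited to transactions with coins of fixed discrete value'', but the bib entry added in this same commit titles BOLT as ``Anonymous Payment Channels for Decentralized Currencies'', i.e. a channel construction rather than a coin scheme, so the limitation needs a pointer to where in \cite{BOLT} it arises. Also ``creating problems with giving change we outlined in the introduction'' should read ``the problems with giving change that we outlined in the introduction'', and the claim that the refresh protocol ``addresses the problem of aborted transactions'' should reference the section where that is actually shown.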
@ -318,19 +324,22 @@ description of the Opencoin protocol is available to date.
The Taler system comprises three principal types of actors The Taler system comprises three principal types of actors
(Figure~\ref{fig:cmm}): The \emph{customer} is interested in receiving (Figure~\ref{fig:cmm}): The \emph{customer} is interested in receiving
goods or services from the \emph{merchant} in exchange for payment. goods or services from the \emph{merchant} in exchange for payment.
When making a transaction, both the customer and the merchant use the To pay, the customer {\em spends} digital coins at the merchant. When
same \emph{exchange}, which serves as a payment service provider for making a transaction, both the customer and the merchant use the same
the financial transaction between the two. The exchange is \emph{exchange}, which serves as a payment service provider for the
responsible for allowing the customer to convert financial reserves to financial transaction between the two. The exchange is responsible
the anonymous digital coins, and for enabling the merchant to convert for allowing the customer to withdraw anonymous digital coins from the
spent digital coins back to funds in a financial reserve. In customer's financial reserves, and for enabling the merchant to
addition, we describe an \emph{auditor} who assures customers and deposit digital coins in return for receiving credit at the merchant's
merchants that the exchange operates correctly. financial reserve. In addition, Taler includes an \emph{auditor} who
assures customers and merchants that the exchange operates correctly.
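Review bot: ``To pay, the customer {\em spends} digital coins at the merchant'' now appears before the exchange that issues those coins is introduced, so ``digital coins'' is used before it is explained; moving the sentence after ``The exchange is responsible for allowing the customer to withdraw anonymous digital coins'' fixes the order. Also ``financial reserve'' is now used both for the customer's funds (``the customer's financial reserves'') and for the merchant's credit (``the merchant's financial reserve''); if reserve is a term of art for the customer's funds held at the exchange, say ``the merchant's bank account'' for the second use.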
\subsection{Security model} \subsection{Security model}
Taler's security model assumes that cryptographic primitives are Taler's security model assumes that cryptographic primitives are
secure and that each participant is under full control of his system. secure and that each participant is under full control of his system.
% FIXME: Jeff, can you concisely state the precise assumpitons?
% (i.e. hardness of EC-DLOG for refresh, RSA assumption, hash collision resistance (?))
The contact information of the exchange is known to both customer and The contact information of the exchange is known to both customer and
merchant from the start. We further assume that the customer can merchant from the start. We further assume that the customer can
authenticate the merchant, e.g. using X.509 authenticate the merchant, e.g. using X.509
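Review bot: the FIXME should be resolved before the security model is cited elsewhere; the comment already lists the ingredients (EC-DLOG for the refresh protocol, the RSA assumption for the blind signatures, hash collision resistance), so the concise form is to state them per protocol phase: withdrawal and deposit rest on unforgeability of the RSA blind signatures, refresh on the hardness of EC-DLOG as the comment suggests, and the cut-and-choose commitments on collision resistance of the hash. ``assumpitons'' in the comment is a typo, and ``each participant is under full control of his system'' should say what it excludes (e.g. malware on the customer's device), since that is the assumption most likely to fail in practice.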
@ -342,10 +351,9 @@ The exchange is trusted to hold funds of its customers and to forward
them when receiving the respective deposit instructions from the them when receiving the respective deposit instructions from the
merchants. Customer and merchant can have assurances about the merchants. Customer and merchant can have assurances about the
exchange's liquidity and operation though published audits by exchange's liquidity and operation though published audits by
financial regulators or other trusted third parties. If sufficently financial regulators or other trusted third parties.
regular, audits of the exchange's accounts should reveal any possible Online signing keys expire regularly, allowing the exchange to
fraud. Online signing keys expire regularly, allowing the exchange to eventually destroy the corresponding accumulated cryptographic proofs.
destroy the corresponding accumulated cryptographic proofs.
The merchant is trusted to deliver the service or goods to the The merchant is trusted to deliver the service or goods to the
customer upon receiving payment. The customer can seek legal relief customer upon receiving payment. The customer can seek legal relief
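Review bot: ``though published audits'' in the retained context should be ``through published audits''; this hunk already touches that sentence and could fix it. More importantly, deleting ``If sufficiently regular, audits of the exchange's accounts should reveal any possible fraud'' removes the only statement of what the audits are for, and the new ``eventually destroy the corresponding accumulated cryptographic proofs'' does not say what bounds ``eventually''. Since those proofs are what backs the exculpability the introduction now promises, state the retention period (e.g. key expiry plus a dispute window) so that audit frequency and proof retention are both specified.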
@ -356,9 +364,9 @@ Neither the merchant nor the customer have any ability to {\em effectively}
defraud the exchange or the state collecting taxes. Here, ``effectively'' defraud the exchange or the state collecting taxes. Here, ``effectively''
means that the expected return for fraud is negative. means that the expected return for fraud is negative.
% %
Note that customers do not need to be trusted in any way, and that in %Note that customers do not need to be trusted in any way, and that in
particular it is never necessary for anyone to try to recover funds %particular it is never necessary for anyone to try to recover funds
from customers using legal coersion. %from customers using legal coersion.
\subsection{Taxability and Entities} \subsection{Taxability and Entities}
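Review bot: commenting the paragraph out rather than deleting it leaves dead text in the source; if it is gone for good, delete it. The remaining sentence ``Neither the merchant nor the customer have any ability to {\em effectively} defraud the exchange'' should read ``has'', and its definition of ``effectively'' (the expected return for fraud is negative) is weaker than the abstract's ``customers can never defraud anyone''; one of the two statements should be aligned with the other.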
@ -439,7 +447,7 @@ is unable to link the known identity of the customer that withdrew
anonymous digital coins to the {\em purchase} performed later at the anonymous digital coins to the {\em purchase} performed later at the
merchant. merchant.
While the customer thus has anonymity for purchases, the exchange will While the customer thus has untraceability for purchases, the exchange will
always learn the merchant's identity in order to credit the merchant's always learn the merchant's identity in order to credit the merchant's
account. This is also necessary for taxation, as Taler deliberately account. This is also necessary for taxation, as Taler deliberately
exposes these events as anchors for tax audits on income. exposes these events as anchors for tax audits on income.
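Review bot: the property described here, that the exchange ``is unable to link the known identity of the customer that withdrew anonymous digital coins to the {\em purchase}'', is the withdraw-to-spend unlinkability that the introduction attributes to blind signatures, so renaming it ``untraceability'' only helps if the abstract's distinction between ``untraceability of the customer'' and ``unlinkability of transactions'' is defined and this sentence uses the matching term.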
@ -1167,11 +1175,11 @@ the participants have to disclose their core secrets.
\bibliographystyle{alpha} \bibliographystyle{alpha}
\bibliography{taler,rfc} \bibliography{taler,rfc}
\vfill %\vfill
\begin{center} %\begin{center}
\Large Demonstration available at \url{https://demo.taler.net/} % \Large Demonstration available at \url{https://demo.taler.net/}
\end{center} %\end{center}
\vfill %\vfill
\newpage \newpage
\appendix \appendix
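Review bot: commenting out the demonstration block removes the paper's only pointer to a running implementation while the introduction still calls Taler ``a simple and practical payment system''; if the removal is for a submission format rather than because the demo is gone, keep the URL as a footnote in the implementation section, and either way delete the commented lines rather than leaving them in the source.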