diff --git a/doc/system/taler/design.tex b/doc/system/taler/design.tex index 8ee3ff3c9..36d167742 100644 --- a/doc/system/taler/design.tex +++ b/doc/system/taler/design.tex @@ -140,7 +140,7 @@ creates a new reserve, but making another wire transfer with the same reserve public key simply adds funds to the existing reserve. Even after all funds have been withdrawn from a reserve, customers should keep the reserve key pair until all coins from the corresponding reserve have been spent, as in the event -of a denomination key revocation (see Section \ref{sec:revocation-payback}) the +of a denomination key revocation (see Section \ref{sec:revocation-recoup}) the customer needs this key to recover coins of revoked denominations. The exchange automatically transfers back to the customer's bank account any @@ -206,7 +206,7 @@ once more coins are redeemed than the total that was signed into existence using that denomination key. Should such an incident occur, the exchange can allow authentic customers to redeem their unspent coins that were signed with the compromised private key, while refusing further deposits involving coins signed by the -compromised denomination key (see Section~\ref{sec:revocation-payback}). As a result, the +compromised denomination key (see Section~\ref{sec:revocation-recoup}). As a result, the financial damage of losing a private signing key is limited to at most the amount originally signed with that key, and denomination key rotation can be used to bound that risk. @@ -428,7 +428,7 @@ discuss different ways that the exchange can be compromised, how to reduce the likelihood of such a compromise, and how to detect and react to such an event if it happens. -\subsubsection{Compromise of Denomination Keys and Revocation}\label{sec:revocation-payback} +\subsubsection{Compromise of Denomination Keys and Revocation}\label{sec:revocation-recoup} When a denomination key pair is compromised, an attacker can ``print money'' by using it to sign coins of that denomination. An exchange (or its auditor) can detect this when the number of deposits for a certain denomination exceed the @@ -437,14 +437,14 @@ number of withdrawals for that same denomination. We allow the exchange to revoke denomination keys, and wallets periodically check for such revocations. We call a coin of a revoked denomination a revoked coin. If a denomination key has been revoked, the wallets use the -\emph{payback} protocol to recover funds from coins of revoked denominations. +\emph{recoup} protocol to recover funds from coins of revoked denominations. Once a denomination is revoked, new coins of this denomination can't be withdrawn or used as the target denomination for a refresh operation. A revoked coin cannot be spent, and can only be refreshed if its public key was recorded in the exchange's database (as spending/refresh operations) before it was revoked. -The following cases are possible for payback: +The following cases are possible for recoup: \begin{enumerate} \item The revoked coin has never been seen by the exchange before, but the customer can prove via a withdraw protocol transcript and blinding factor @@ -472,12 +472,12 @@ legitimate users $n$ times. As soon as the exchange sees more than $n$ pairwise different $D$-coins, it must immediately revoke $D$. An attacker can thus at most gain $nv$ by either refreshing into other non-revoked denominations or spending the forged $D$-coins. -The legitimate users can then request a payback for their coins, resulting in +The legitimate users can then request a recoup for their coins, resulting in a total financial damage of at most $2nv$. -With one rare exception, the payback protocol does not negatively impact the +With one rare exception, the recoup protocol does not negatively impact the anonymity of customers. We show this by looking at the three different cases -for payback on a revoked coin. Specifically, in case (1), the coin obtained +for recoup on a revoked coin. Specifically, in case (1), the coin obtained from the credited reserve is blindly signed, in case (2) the refresh protocol guarantees unlinkability of the non-revoked change, and in case (3) the revoked coin $C_R$ is assumed to be fresh. If $C_R$ from case (3) has been seen by a @@ -487,7 +487,7 @@ aborted transaction coincides with revoked denomination, which should be rare in practice. Unlike most other operations, the -payback protocol does not incur any transaction fees. The primary use of the +recoup protocol does not incur any transaction fees. The primary use of the protocol is to limit the financial loss in cases where an audit reveals that the exchange's private keys were compromised, and to automatically pay back balances held in a customers' wallet if an exchange ever goes out of business. @@ -622,7 +622,7 @@ The following modifications are made: This change is necessary to preserve anonymity in face of the second modification, but increases storage requirements and latency. - \item The payback protocol is changed so that a coin obtained + \item The recoup protocol is changed so that a coin obtained via refreshing must be recovered differently when revoked: to recover a revoked coin obtained via refreshing, the customer needs to show the transcripts for the chain of all refresh operations and the initial withdrawal operation @@ -633,9 +633,9 @@ The following modifications are made: After an attacker has been paid ransom, the exchange simply revokes all currently offered denominations and registers a new set of denomination with the auditor. Reserves used to pay the attacker are marked as blocked in the exchange's -database. Normal users can use the payback protocol to obtain back the money +database. Normal users can use the recoup protocol to obtain back the money they've previously had in revoked denominations. The attacker can try to -recover funds via the (now modified) payback protocol, but this attempt will +recover funds via the (now modified) recoup protocol, but this attempt will not be successful, as the initial reserve is blocked. The criminal could also try to spend the e-cash anonymously before it is revoked, but this is likely difficult for large amounts, and furthermore due to income transparency all @@ -643,7 +643,7 @@ transactions made between the payment of the ransom and the revocation can be traced back to merchants that might be complicit in laundering the ransom payment. -Honest customers can always use the payback protocol to transfer the funds to +Honest customers can always use the recoup protocol to transfer the funds to the initial reserve. Due to modification (1), unlinkability of transactions is not affected, as only coins that were purely used for refreshing can now be correlated. diff --git a/doc/system/taler/implementation.tex b/doc/system/taler/implementation.tex index 4aa1679fc..e9fdf7991 100644 --- a/doc/system/taler/implementation.tex +++ b/doc/system/taler/implementation.tex @@ -894,18 +894,23 @@ The following APIs are offered by the exchange: supported bank accounts, revoked keys and other general information needed to use the exchange's services via the \texttt{/keys} and \texttt{/wire} APIs. + \item[Obtaining entropy] As we cannot be sure that all client-devices have + an adequate random number generator, the exchange offers the \texttt{/seed} + endpoint to download some high-entropy value. Clients should mix this + seed with their own, locally-generated entropy into an entropy pool. \item[Reserve status and withdrawal] After having wired money to the exchange, - the status of the reserve can be checked via the \texttt{/reserve/status} API. Since + the status of the reserve can be checked via the \texttt{/reserve/\$RESERVE\_PUB/status} API. Since the wire transfer usually takes some time to arrive at the exchange, wallets should periodically - poll this API, and initiate a withdrawal with \texttt{/reserve/withdraw} once the exchange received the funds. + poll this API, and initiate a withdrawal with \texttt{/reserve/\$RESERVE\_PUB/withdraw} once the exchange received the funds. \item[Deposits and tracking] Merchants transmit deposit permissions they have received from customers - to the exchange via the \texttt{/deposit} API. Since multiple deposits are aggregated into one wire transfer, - the merchant additionally can use the exchange's \texttt{/track/transfer} API that returns the list of deposits for an - identifier included in the wire transfer to the merchant, as well as the \texttt{/track/transaction} API to look up + to the exchange via the \texttt{/coins/\$COIN\_PUB/deposit} API. Since multiple deposits are aggregated into one wire transfer, + the merchant additionally can use the exchange's \texttt{/transfers/\$WTID} API that returns the list of deposits for a wire transfer + identifier (WTID) included in the wire transfer to the merchant, as well as the \texttt{/deposits/\$H\_WIRE/\$MERCHANT\_PUB/\$H\_CONTRACT\_TERMS/\$COIN\_PUB} API to look up which wire transfer included the payment for a given deposit. - \item[Refunds] The refund API (\texttt{/refund}) can ``undo'' a deposit if the merchant gave their signature, and the aggregation deadline + \item[Refresh] Refreshing consists of two stages. First, using \texttt{/coins/\$COIN\_PUB/melt} an old, possibly dirty coin is melted and thus devaluted. The committment made by the wallet during the melt and the resulting $\gamma$-challenge from the exchange are associated with a {\em refresh session}. Then, using \texttt{/refreshes/$RCH/reveal} the wallet can answer the challenge and obtain fresh coins as change. Finally, \texttt{/coins/\$COIN\_PUB/link} provides the link deterrent against refresh abuse. + \item[Refunds] The refund API (\texttt{/coins/\$COIN\_PUB/refund}) can ``undo'' a deposit if the merchant gave their signature, and the aggregation deadline for the payment has not occurred yet. - \item[Emergency payback] The emergency payback API (\texttt{/payback}) allows customers to be compensated + \item[Recoup] The recoup API (\texttt{/coins/\$COIN\_PUB/recoup}) allows customers to be compensated for coins whose denomination key has been revoked. Customers must send either a full withdrawal transcript that includes their private blinding factor, or a refresh transcript (of a refresh that had the revoked denominations as one of the targets) that includes blinding factors. In the former case, the reserve is credited, in the latter case, the source coin of the