From fe51219d5873d4559d8421289ef7506d3e05fe0c Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Sat, 9 May 2015 22:51:12 +0200 Subject: [PATCH] slight improvements --- doc/paper/taler.tex | 451 ++++++++++++++++++++++++++------------------ 1 file changed, 272 insertions(+), 179 deletions(-) diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex index 0b23cfa38..96f074058 100644 --- a/doc/paper/taler.tex +++ b/doc/paper/taler.tex @@ -522,67 +522,6 @@ been spent. %deposit permission signed by the coin's owner with the mint, and then %proceeds with the contract. -\paragraph{Incremental payments.} - -For services that include pay-as-you-go billing, customers can over -time sign deposit permissions for an increasing fraction of the value -of a coin to be paid to a particular merchant. As checking with the -mint for each increment might be expensive, the coin's owner can -instead sign a {\em lock permission}, which allows the merchant to get -an exclusive right to redeem deposit permissions for the coin for a -limited duration. The merchant uses the lock permission to determine -if the coin has already been spent and to ensure that it cannot be -spent by another merchant for the {\em duration} of the lock as -specified in the lock permission. If the coin has been spent or is -already locked, the mint provides the owner's deposit or locking -request and signature to prove the attempted fraud by the customer. -Otherwise, the mint locks the coin for the expected duration of the -transaction (and remembers the lock permission). The merchant and the -customer can then finalize the business transaction, possibly -exchanging a series of incremental payment permissions for services. -Finally, the merchant then redeems the coin at the mint before the -lock permission expires to ensure that no other merchant spends the -coin first. - - -\paragraph{Probabilistic spending.} - -Similar to Peppercoin, Taler supports probabilistic spending of coins to -support cost-effective transactions for small amounts. Here, an -ordinary transaction is performed based on the result of a biased coin -flip with a probability related to the desired transaction amount in -relation to the value of the coin. Unlike Peppercoin, in Taler either -the merchant wins and the customer looses the coin, or the merchant -looses and the customer keeps the coin. Thus, there is no opportunity -for the merchant and the customer to conspire against the mint. To -determine if the coin is to be transferred, merchant and customer -execute a secure coin flipping protocol~\cite{blum1981}. The commit -values are included in the business contract and are revealed after -the contract has been signed using the private key of the coin. If -the coin flip is decided in favor of the merchant, the merchant can -redeem the coin at the mint. - -One issue in this protocol is that the customer may use a worthless -coin by offering a coin that has already been spent. This kind of -fraud would only be detected if the customer actually lost the coin -flip, and at this point the merchant might not be able to recover from -the loss. A fradulent anonymous customer may run the protocol using -already spent coins until the coin flip is in his favor. As with -incremental spending, lock permissions could be used to ensure that -the customer cannot defraud the merchant by offering a coin that has -already been spent. However, as this means involving the mint even if -the merchant looses the coin flip, such a scheme is unsuitable for -microdonations as the transaction costs from involving the mint might -be disproportionate to the value of the transaction, and thus with -locking the probabilistic scheme has no advantage over simply using -fractional payments. - -Hence, Taler uses probabilistic transactions {\em without} the online -double-spending detection. This enables the customer to defraud the -merchant by paying with a coin that was already spent. However, as, -by definition, such microdonations are for tiny amounts, the incentive -for customers to pursue this kind of fraud is limited. - \subsection{Refreshing Coins} @@ -694,7 +633,8 @@ following interaction with the mint: local wallet) for future use. \end{enumerate} -\subsection{Exact, partial and incremental spending} + +\subsection{Exact and partial spending} A customer can spend coins at a merchant, under the condition that the merchant trusts the mint that minted the coin. Merchants are @@ -707,103 +647,47 @@ by a mint's denomination key $K$, i.e. the customer posses $\widetilde{C} := S_K(C_p)$: \begin{enumerate} -\item\label{offer} The merchant sends an \emph{offer:} $\langle S_M(m, f), - \vec{D} \rangle$ containing the price of the offer $f$, a transaction - ID $m$ and the list of mints $D_1, \ldots, D_n$ accepted by the merchant - where each $D_i$ is a mint's public key. -\item\label{lock} The customer must possess or acquire a coin minted by a mint that is +\item\label{contract} Let $\vec{D} := D_1, \ldots, D_n$ be the list of + mints accepted by the merchant where each $D_i$ is a mint's public + key. The merchant creates a digitally signed contract $\mathcal{A} + := S_M(m, f, a, H(p, r), \vec{D})$ where $a$ is data relevant to the + contract indicating which services or goods the merchant will + deliver to the customer, $f$ is the price of the offer, and $p$ is + the merchant's payment information (e.g. his IBAN number) and $r$ is + an random nounce. The merchant commits $\langle \mathcal{A} + \rangle$ to disk and sends $\mathcal{A}$ it to the customer. +\item\label{deposit} The customer must possess or acquire a coin minted by a mint that is accepted by the merchant, i.e. $K$ should be publicly signed by some $D_i - \in \{D_1, D_2, \ldots, D_n\}$, and has a value $\geq f$. + \in \{D_1, D_2, \ldots, D_n\}$, and has a value $\geq f$. (The customer + can of course also use multiple coins where the total value adds up to + the cost of the transaction and run the following steps for each of + the coins. However, for simplicity of the description here we will + assume that one coin is sufficient.) - Customer then generates a \emph{lock-permission} $\mathcal{L} := - S_c(\widetilde{C}, t, m, f, M_p)$ where $t$ specifies the time until which the - lock is valid and sends $\langle \mathcal{L}, D_i\rangle$ to the merchant, + The customer then generates a \emph{deposit-permission} $\mathcal{D} := + S_c(\widetilde{C}, m, f, H(a), H(p,r), M_p)$ + and sends $\langle \mathcal{D}, D_i\rangle$ to the merchant, where $D_i$ is the mint which signed $K$. -\item The merchant asks the mint to apply the lock by sending $\langle - \mathcal{L} \rangle$ to the mint. -\item The mint validates $\widetilde{C}$ and detects double spending if there is - a lock-permission record $S_c(\widetilde{C}, t', m', f', M_p')$ where $(t', - m', f', M_p') \neq (t, m, f, M_p)$ or a \emph{deposit-permission} record for - $C$ and sends it to the merchant, who can then use it prove to the customer - and subsequently ask the customer to issue a new lock-permission. - - If double spending is not found, the mint commits $\langle \mathcal{L} \rangle$ to disk - and notifies the merchant that locking was successful. -\item\label{contract} The merchant creates a digitally signed contract - $\mathcal{A} := S_M(m, f, a, H(p, r))$ where $a$ is data relevant to the contract - indicating which services or goods the merchant will deliver to the customer, and $p$ is the - merchant's payment information (e.g. his IBAN number) and $r$ is an random nounce. - The merchant commits $\langle \mathcal{A} \rangle$ to disk and sends it to the customer. -\item The customer creates a - \emph{deposit-permission} $\mathcal{D} := S_c(\widetilde{C}, f, m, M_p, H(a), H(p, r))$, commits - $\langle \mathcal{A}, \mathcal{D} \rangle$ to disk and sends $\mathcal{D}$ to the merchant. -\item\label{invoice_paid} The merchant commits the received $\langle \mathcal{D} \rangle$ to disk. \item The merchant gives $(\mathcal{D}, p, r)$ to the mint, revealing his payment information. -\item The mint verifies $(\mathcal{D}, p, r)$ for its validity. A - \emph{deposit-permission} for a coin $C$ is valid if: - \begin{itemize} - \item $C$ is not refreshed already - \item there exists no other \emph{deposit-permission} on disk for \\ - $\mathcal{D'} := S_c(\widetilde{C}, f', m', M_p', H(a'), H(p', r'))$ for $C$ - such that \\ $(f', m',M_p', H(a')) \neq (f, m, M_p, H(a))$ - \item $H(p, r) := H(p', r')$ - \end{itemize} - If $C$ is valid and no other \emph{deposit-permission} for $C$ exists on disk, the - mint does the following: - \begin{enumerate} - \item if a \emph{lock-permission} exists for $C$, it is deleted from disk - \item\label{transfer} transfers an amount of $f$ to the merchant's bank account - given in $p$. The subject line of the transaction to $p$ must contain - $H(\mathcal{D})$. - \item $\langle \mathcal{D}, p, r \rangle$ is commited to disk. - \end{enumerate} - If the deposit record $\langle \mathcal{D}, p, r \rangle$ already exists, - the mint sends it to the merchant, but does not transfer money to $p$ again. + +\item The mint validates $\mathcal{D}$ and detects double spending. + If the coin has been involved in previous transactions, it sends an error + with the records from the previous transactions back to the merchant. + + If double spending is not found, the mint commits $\langle \mathcal{D} \rangle$ to disk + and notifies the merchant that deposit operation was successful. + +\item The merchant commits and forwards the notification from the mint to the + customer, confirming the success or failure of the operation. \end{enumerate} -To facilitate incremental spending of a coin $C$ in a single transaction, the -merchant makes an offer in Step~\ref{offer} with a maximum amount $f_{max}$ he -is willing to charge in this transaction from the coin $C$. After obtaining the -lock on $C$ for $f_{max}$, the merchant makes a contract in Step~\ref{contract} -with an amount $f \leq f_{max}$. The protocol follows with the following steps -repeated after Step~\ref{invoice_paid} whenever the merchant wants to charge an -incremental amount up to $f_{max}$: - -\begin{enumerate} - \setcounter{enumi}{4} -\item The merchant generates a new contract $ \mathcal{A}' := S_M(m, f', a', H(p, - r)) $ after obtaining the deposit-permission for a previous contract. Here - $f'$ is the accumulated sum the merchant is charging the customer, of which - the merchant has received a deposit-permission for $f$ from the previous - contract \textit{i.e.}~$f ,C](offer) -- (A); +%\draw [->,C](A) -- (B); +%\draw [->,C](B) -- (C); +%\draw [->,C](C) -- (D); +%\draw [->,C](D) -- (E); +%\draw [->,C](E) -- (F); +%\draw [->,C](F) -- (G); +% +%\draw [->,C, bend right, shorten <=2mm] (E.east) +% to[out=-135,in=-45,distance=3.8cm] node[left] {aggregate} (D.east); +%\end{tikzpicture} +%\caption{Interactions between a customer, merchant and mint in the coin spending +% protocol} +%\label{fig:spending_protocol_interactions} +%\end{figure} + + + +\subsection{Probabilistic spending} + +Similar to Peppercoin, Taler supports probabilistic spending of coins to +support cost-effective transactions for small amounts. Here, an +ordinary transaction is performed based on the result of a biased coin +flip with a probability related to the desired transaction amount in +relation to the value of the coin. Unlike Peppercoin, in Taler either +the merchant wins and the customer looses the coin, or the merchant +looses and the customer keeps the coin. Thus, there is no opportunity +for the merchant and the customer to conspire against the mint. To +determine if the coin is to be transferred, merchant and customer +execute a secure coin flipping protocol~\cite{blum1981}. The commit +values are included in the business contract and are revealed after +the contract has been signed using the private key of the coin. If +the coin flip is decided in favor of the merchant, the merchant can +redeem the coin at the mint. + +One issue in this protocol is that the customer may use a worthless +coin by offering a coin that has already been spent. This kind of +fraud would only be detected if the customer actually lost the coin +flip, and at this point the merchant might not be able to recover from +the loss. A fradulent anonymous customer may run the protocol using +already spent coins until the coin flip is in his favor. As with +incremental spending, lock permissions could be used to ensure that +the customer cannot defraud the merchant by offering a coin that has +already been spent. However, as this means involving the mint even if +the merchant looses the coin flip, such a scheme is unsuitable for +microdonations as the transaction costs from involving the mint might +be disproportionate to the value of the transaction, and thus with +locking the probabilistic scheme has no advantage over simply using +fractional payments. + +Hence, Taler uses probabilistic transactions {\em without} the online +double-spending detection. This enables the customer to defraud the +merchant by paying with a coin that was already spent. However, as, +by definition, such microdonations are for tiny amounts, the incentive +for customers to pursue this kind of fraud is limited. + + + +The following steps are executed for microdonations with upgrade probability $p$: +\begin{enumerate} + \item The merchant sends an offer to the customer. + \item The customer sends a commitment $H(r_c)$ to a random + value $r_c \in [0,2^R)$, where $R$ is a system parameter. + \item The merchant sends random $r_m \in [0,2^R)$ to the customer. + \item The customer computes $p' := (|r_c - r_m|) / (2^R)$. + If $p' < p$, the customer sends a coin with deposit-permission to the merchant. + Otherwise, the customer sends $r_c$ to the merchant. + \item The merchant deposits the coin, or checks if $r_c$ is consistent + with $H(r_c)$. +\end{enumerate} + + + \end{document}