author: Jeffrey Burdges <burdges@gnunet.org> 2017-05-11 21:41:23 +0200
committer: Jeffrey Burdges <burdges@gnunet.org> 2017-05-12 02:19:08 +0200
commit: 4f6e71a842c07682351ac78a903c4c82ee26ffc1 (patch)
tree: e6d404828f0086776bca125ccc35f91f0f46afa0 /doc
parent: 93edc84e601d2f813572b8f849fa2ccaa2a96fa5 (diff)
Just a start on taxability text, breaks the latex run probably
Diffstat (limited to 'doc')
-rw-r--r-- doc/paper/taler.tex | 86
1 files changed, 85 insertions, 1 deletions
diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index 9b2bb8993..1d1c5dbab 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -991,7 +991,7 @@ than the comparable use of zk-SNARKs in ZeroCash~\cite{zerocash}.
%
%TODO: Explain, especially subtleties regarding session key / the spoofing attack that requires signature.
-\subsection{Linking}
+\subsection{Linking}\label{subsec:linking}
% FIXME: What is \mathtt{link} ?
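Review bot: the new \label{subsec:linking} is placed directly after \subsection{Linking}, so it will resolve to that subsection's number for the \S\ref{subsec:linking} used later in this patch; the only remaining item in this region is the unresolved FIXME about \mathtt{link} on the following line, which this change does not address.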
@@ -1374,6 +1374,90 @@ data being persisted are represented in between $\langle\rangle$.
\end{description}
+\section{Taxability arguments}
+
+\begin{proposition}
+An auditor can detect an exchange operating either the refresh or
+linking protocol dishonestly.
+\end{proposition}
+
+\begin{proof}
+.. Not sure about this one ..
+\end{proof}
+
+\begin{proposition}
+If the exchange operates the refresh protocol honestly, then
+a dishonest wallet looses $1 - {1 \over \kappa}$ of the value
+of the coins it refreshes dishonestly.
+\end{proposition}
+
+\begin{proof}
+.. Can we reference something about cut and choose protocols? Or must we work this all out? ..
+\end{proof}
+
+We say a coin is {\em controlled} by a user if the user's wallet knows
+its secret scalar $c_s$, the signature $S$ of the appropriate denomination
+key on its public key $C_s$, and the residual value of the coin.
+
+We assume the wallet cannot loose knowledge of a particular coin's
+key material, and the wallet can query the exchange to learn the
+residual value of the coin, so a wallet cannot loose control of
+a coin. A wallet may loose the monetary value associated with a coin
+if another wallet spends it however.
+
+We say a user Alice {\em owns} a coin $C$ if only Alice's wallets can
+gain control of $C$ using standard interactions with the exchange.
+In other words, ownership means exclusive control not just in the
+present, but in the future even if another user interacts with the
+exchange.
+
+\begin{theorem}
+Let $C$ denote a coin controlled by users Alice and Bob.
+Suppose Bob creates a coin $C'$ from $C$ using the refresh protocol.
+Assuming the exchange and Bob operated the refresh protocol correctly,
+and that they continue to operate the linking protocol
+ \S\ref{subsec:linking} correctly,
+then Alice can gain control of $C'$ using the linking protocol.
+\end{theorem}
+
+\begin{proof}
+Alice may run the linking protocol to obtain all transfer keys $T^i$,
+blindings $B^i$ associated to $C$, and those coins denominations,
+including the $T'$ for $C'$.
+
+We assumed both the exchange and Bob operated the refresh protocol
+correctly, so now $c_s T'$ is the seed from which $C'$ was generated.
+Alice rederives both $c_s$ and the blinding factor to unblind the
+denomination key signature on $C'$. Alice finally asks the exchange
+for the residual value on $C'$ and runs the linking protocol to
+determine if it was refreshed too.
+\end{proof}
+
+
+\section{Privacy arguments}
+
+We consider two coins $C_1$ and $C_2$ created by the same withdrawal
+or refresh operation. We say they are {\em linkable} if
+some probabilistic polynomial time adversary has a non-negligible
+advantage in guessing which two of $\{ C_0, C_1, C_2 \}$ were
+created together, where $C_0$ is an unrelated third coin.
+
+% TODO: Compare this definition with some from the literature
+
+.. reference literate about withdrawal ..
+
+\begin{proposition}
+If two coins created by refresh are linkable, then some
+probabilistic polynomial time adversary has a non-negligible
+advantage in determining that their seeds ...
+...
+\end{proposition}
+
+\begin{proof}
+... random oracle ..
+\end{proof}
+
+
\end{document}
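Review bot: the \begin{proposition} and \begin{theorem} environments introduced here will abort the build unless the preamble already declares them with \newtheorem (the commit message itself expects the run to break); add `\newtheorem{theorem}{Theorem}` and `\newtheorem{proposition}[theorem]{Proposition}` (with amsthm loaded) before merging. In the proof of the theorem, "Alice rederives both $c_s$ and the blinding factor" is inconsistent with the preceding sentence: Alice already knows $c_s$, and what she must derive from the seed $c_s T'$ is the new coin's secret $c_s'$ and its blinding, so the symbol should be $c_s'$. Spelling: "looses" should be "loses" in the second proposition and three times in the control paragraph, and "those coins denominations" needs the possessive "coins'". Style: replace the plain-TeX fraction `{1 \over \kappa}` with `\frac{1}{\kappa}` to match LaTeX usage elsewhere; the placeholder bodies (".. Not sure about this one ..", "... random oracle ..", and the "..." inside the last proposition) compile but should be marked with \todo or % comments so they are not mistaken for finished text.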