diff options
-rw-r--r-- | doc/paper/taler.tex | 29 |
1 files changed, 14 insertions, 15 deletions
diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex index c549a20dd..70378d4f2 100644 --- a/doc/paper/taler.tex +++ b/doc/paper/taler.tex @@ -1377,8 +1377,8 @@ data being persisted are represented in between $\langle\rangle$. \section{Taxability arguments} We assume the exchange operates honestly when discussing taxability. -We feel this assumption is warratned mostly because a Taler exchange -requires liscenses to operate as a financial institution, which it +We feel this assumption is warranted mostly because a Taler exchange +requires licenses to operate as a financial institution, which it risks loosing if it knowingly facilitates tax evasion. We also expect an auditor monitors the exchange similarly to how government regulators monitor financial institutions. @@ -1389,15 +1389,15 @@ which expands its power over conventional auditors. \begin{proposition} Assuming the exchange operates the refresh protocol honestly, a customer operating the refresh protocol dishonestly expects to -loose $1 - {1 \over \kappa}$ of the value of thei coins. +loose $1 - {1 \over \kappa}$ of the value of their coins. \end{proposition} \begin{proof} -An honest esxchange keeps any funds being refreshed if the reveal +An honest exchange keeps any funds being refreshed if the reveal phase is never carried out, does not match the commitment, or shows an incorrect commitment. As a result, a customer dishonestly refreshing a coin looses their money if they have more than one -dishonet commitment. They have a $1 \over \kappa$ chance of their +dishonest commitment. They have a $1 \over \kappa$ chance of their dishonest commitment being selected for the refresh. \end{proof} @@ -1428,7 +1428,7 @@ then Alice can gain control of $C'$ using the linking protocol. \begin{proof} Alice may run the linking protocol to obtain all transfer keys $T^i$, -blindings $B^i$ associated to $C$, and those coins denominations, +bindings $B^i$ associated to $C$, and those coins denominations, including the $T'$ for $C'$. We assumed both the exchange and Bob operated the refresh protocol @@ -1445,26 +1445,26 @@ At a result, there is no way for a user to loose control over a coin, \section{Privacy arguments} The {\em linking problem} for blind signature is, -if given coin creation transcrips and possibly fewer +if given coin creation transcripts and possibly fewer coin deposit transcripts for coins from the creation transcripts, then produce a corresponding creation and deposit transcript. We say a probabilistic polynomial time (PPT) adversary $A$ -{\em links} coins if it has a non-negligable advantage in +{\em links} coins if it has a non-negligible advantage in solving the linking problem, when given the private keys of the exchange. -In Taler, there are two forms of coin creation transcrips, +In Taler, there are two forms of coin creation transcripts, withdrawal and refresh. \begin{lemma} If there are no refresh operations, any adversary with an -advantage in linking coins is polynomially equivelent to an +advantage in linking coins is polynomially equivalent to an advantage with the same advantage in recognizing blinding factors. \end{lemma} \begin{proof} -Let $n$ denote the RSA modulous of the denomination key. +Let $n$ denote the RSA modulus of the denomination key. Also let $d$ and $e$ denote the private and public exponents, respectively. In effect, coin withdrawal transcripts consist of numbers $b m^d \mod n$ where $m$ is the FDH of the coin's public key @@ -1478,10 +1478,10 @@ first computing $b_{i,j} = b_i m_i^d / m_j^d \mod n$ for all $i,j$. \end{proof} We now know the following because Taler used SHA512 adopted to be - a FDH to breat the blinding factor. + a FDH to be the blinding factor. \begin{corollary} -Assuming no refresh opeeration, +Assuming no refresh operation, any PPT adversary with an advantage for linking Taler coins gives rise to an adversary with an advantage for recognizing SHA512 output. \end{corollary} @@ -1507,11 +1507,10 @@ Diffie-Hellman key exchange on curve25519. \end{theorem} We do not distinguish between information known by the exchange and -information known by the merchant in the abose. As a result, this +information known by the merchant in the above. As a result, this proves that out linking protocol \S\ref{subsec:linking} does not degrade privacy. -\end{document} |