aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/paper/taler.tex29
1 files changed, 14 insertions, 15 deletions
diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index c549a20dd..70378d4f2 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -1377,8 +1377,8 @@ data being persisted are represented in between $\langle\rangle$.
\section{Taxability arguments}
We assume the exchange operates honestly when discussing taxability.
-We feel this assumption is warratned mostly because a Taler exchange
-requires liscenses to operate as a financial institution, which it
+We feel this assumption is warranted mostly because a Taler exchange
+requires licenses to operate as a financial institution, which it
risks loosing if it knowingly facilitates tax evasion.
We also expect an auditor monitors the exchange similarly to how
government regulators monitor financial institutions.
@@ -1389,15 +1389,15 @@ which expands its power over conventional auditors.
\begin{proposition}
Assuming the exchange operates the refresh protocol honestly,
a customer operating the refresh protocol dishonestly expects to
-loose $1 - {1 \over \kappa}$ of the value of thei coins.
+loose $1 - {1 \over \kappa}$ of the value of their coins.
\end{proposition}
\begin{proof}
-An honest esxchange keeps any funds being refreshed if the reveal
+An honest exchange keeps any funds being refreshed if the reveal
phase is never carried out, does not match the commitment, or shows
an incorrect commitment. As a result, a customer dishonestly
refreshing a coin looses their money if they have more than one
-dishonet commitment. They have a $1 \over \kappa$ chance of their
+dishonest commitment. They have a $1 \over \kappa$ chance of their
dishonest commitment being selected for the refresh.
\end{proof}
@@ -1428,7 +1428,7 @@ then Alice can gain control of $C'$ using the linking protocol.
\begin{proof}
Alice may run the linking protocol to obtain all transfer keys $T^i$,
-blindings $B^i$ associated to $C$, and those coins denominations,
+bindings $B^i$ associated to $C$, and those coins denominations,
including the $T'$ for $C'$.
We assumed both the exchange and Bob operated the refresh protocol
@@ -1445,26 +1445,26 @@ At a result, there is no way for a user to loose control over a coin,
\section{Privacy arguments}
The {\em linking problem} for blind signature is,
-if given coin creation transcrips and possibly fewer
+if given coin creation transcripts and possibly fewer
coin deposit transcripts for coins from the creation transcripts,
then produce a corresponding creation and deposit transcript.
We say a probabilistic polynomial time (PPT) adversary $A$
-{\em links} coins if it has a non-negligable advantage in
+{\em links} coins if it has a non-negligible advantage in
solving the linking problem, when given the private keys
of the exchange.
-In Taler, there are two forms of coin creation transcrips,
+In Taler, there are two forms of coin creation transcripts,
withdrawal and refresh.
\begin{lemma}
If there are no refresh operations, any adversary with an
-advantage in linking coins is polynomially equivelent to an
+advantage in linking coins is polynomially equivalent to an
advantage with the same advantage in recognizing blinding factors.
\end{lemma}
\begin{proof}
-Let $n$ denote the RSA modulous of the denomination key.
+Let $n$ denote the RSA modulus of the denomination key.
Also let $d$ and $e$ denote the private and public exponents, respectively.
In effect, coin withdrawal transcripts consist of numbers
$b m^d \mod n$ where $m$ is the FDH of the coin's public key
@@ -1478,10 +1478,10 @@ first computing $b_{i,j} = b_i m_i^d / m_j^d \mod n$ for all $i,j$.
\end{proof}
We now know the following because Taler used SHA512 adopted to be
- a FDH to breat the blinding factor.
+ a FDH to be the blinding factor.
\begin{corollary}
-Assuming no refresh opeeration,
+Assuming no refresh operation,
any PPT adversary with an advantage for linking Taler coins gives
rise to an adversary with an advantage for recognizing SHA512 output.
\end{corollary}
@@ -1507,11 +1507,10 @@ Diffie-Hellman key exchange on curve25519.
\end{theorem}
We do not distinguish between information known by the exchange and
-information known by the merchant in the abose. As a result, this
+information known by the merchant in the above. As a result, this
proves that out linking protocol \S\ref{subsec:linking} does not
degrade privacy.
-\end{document}