aboutsummaryrefslogtreecommitdiff
path: root/doc/paper
diff options
context:
space:
mode:
Diffstat (limited to 'doc/paper')
-rw-r--r--doc/paper/taler.tex153
1 files changed, 117 insertions, 36 deletions
diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index a84962dd2..361efadde 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -647,34 +647,35 @@ taxability.
\subsection{Withdrawal}
-To withdraw anonymous digital coins, the customer performs the
-following interaction with the mint:
+Let $G$ be the generator of an elliptic curve. To withdraw anonymous
+digital coins, the customer performs the following interaction with
+the mint:
\begin{enumerate}
\item The customer identifies a mint with an auditor-approved
coin signing public-private key pair $K := (K_s, K_p)$
and randomly generates:
\begin{itemize}
- \item withdrawal key $W := (W_s,W_p)$ with private key $W_s$ and public key $W_p$,
- \item coin key $C := (C_s,C_p)$ with private key $C_s$ and public key $C_p$,
+ \item withdrawal key $W := (w_s,W_p)$ with private key $w_s$ and public key $W_p$,
+ \item coin key $C := (c_s,C_p)$ with private key $c_s$ and public key $C_p := c_s G$,
\item blinding factor $b$, and commits $\langle W, C, b \rangle$ to disk.
\end{itemize}
\item The customer transfers an amount of money corresponding to (at least) $K_p$ to the mint, with $W_p$ in the subject line of the transaction.
\item The mint receives the transaction and credits the $W_p$ reserve with the respective amount in its database.
- \item The customer sends $S_W(E_b(C_p))$ to the mint to request withdrawal of $C$; here, $E_b$ denotes Chaum-style blinding with blinding factor $b$.
- \item The mint checks if the same withdrawal request was issued before; in this case, it sends $S_{K}(E_b(C_p))$ to the customer.\footnote{Here $S_K$
+ \item The customer sends $S_W(B_b(C_p))$ to the mint to request withdrawal of $C$; here, $B_b$ denotes Chaum-style blinding with blinding factor $b$.
+ \item The mint checks if the same withdrawal request was issued before; in this case, it sends $S_{K}(B_b(C_p))$ to the customer.\footnote{Here $S_K$
denotes a Chaum-style blind signature with private key $K_s$.}
If this is a fresh withdrawal request, the mint performs the following transaction:
\begin{enumerate}
\item checks if the reserve $W_p$ has sufficient funds for a coin of value corresponding to $K_p$
- \item stores the withdrawal request $\langle S_W(E_b(C_p)), S_K(E_b(C_p)) \rangle$ in its database for future reference,
+ \item stores the withdrawal request and response $\langle S_W(B_b(C_p)), S_K(B_b(C_p)) \rangle$ in its database for future reference,
\item deducts the amount corresponding to $K_p$ from the reserve,
- \item and sends $S_{K}(E_b(C_p))$ to the customer.
\end{enumerate}
+ and then sends $S_{K}(B_b(C_p))$ to the customer.
If the guards for the transaction fail, the mint sends a descriptive error back to the customer,
with proof that it operated correctly (i.e. by showing the transaction history for the reserve).
- \item The customer computes (and verifies) the unblinded signature $S_K(C_p) = D_b(S_K(E_b(C_p)))$.
- The customer writes $\langle S_K(C_p), C_s \rangle$ to disk (effectively adding the coin to the
+ \item The customer computes (and verifies) the unblinded signature $S_K(C_p) = B^{-1}_b(S_K(B_b(C_p)))$.
+ The customer writes $\langle S_K(C_p), c_s \rangle$ to disk (effectively adding the coin to the
local wallet) for future use.
\end{enumerate}
We note that the authorization to create and access a reserve using a
@@ -688,17 +689,17 @@ withdraw funds, those can also be used with Taler.
A customer can spend coins at a merchant, under the condition that the
merchant trusts the specific mint that minted the coin. Merchants are
-identified by their public key $M := (M_s, M_p)$, which must be known
+identified by their public key $M := (m_s, M_p)$, which must be known
to the customer apriori.
The following steps describe the protocol between customer, merchant and mint
-for a transaction involving a coin $C := (C_s, C_p)$, which was previously signed
+for a transaction involving a coin $C := (c_s, C_p)$, which was previously signed
by a mint's denomination key $K$, i.e. the customer posses
$\widetilde{C} := S_K(C_p)$:
\begin{enumerate}
\item\label{contract} Let $\vec{D} := D_1, \ldots, D_n$ be the list of
- mints accepted by the merchant where each $D_i$ is a mint's public
+ mints accepted by the merchant where each $D_j$ is a mint's public
key. The merchant creates a digitally signed contract $\mathcal{A}
:= S_M(m, f, a, H(p, r), \vec{D})$ where $m$ is an identifier for this
transaction, $a$ is data relevant to the contract indicating which services
@@ -707,7 +708,7 @@ $\widetilde{C} := S_K(C_p)$:
a random nounce. The merchant commits $\langle \mathcal{A}
\rangle$ to disk and sends $\mathcal{A}$ it to the customer.
\item\label{deposit} The customer must possess or acquire a coin minted by a mint that is
- accepted by the merchant, i.e. $K$ should be publicly signed by some $D_i
+ accepted by the merchant, i.e. $K$ should be publicly signed by some $D_j
\in \{D_1, D_2, \ldots, D_n\}$, and has a value $\geq f$. (The customer
can of course also use multiple coins where the total value adds up to
the cost of the transaction and run the following steps for each of
@@ -716,8 +717,8 @@ $\widetilde{C} := S_K(C_p)$:
%
The customer then generates a \emph{deposit-permission} $\mathcal{D} :=
S_c(\widetilde{C}, m, f, H(a), H(p,r), M_p)$
- and sends $\langle \mathcal{D}, D_i\rangle$ to the merchant,
- where $D_i$ is the mint which signed $K$.
+ and sends $\langle \mathcal{D}, D_j\rangle$ to the merchant,
+ where $D_j$ is the mint which signed $K$.
\item The merchant gives $(\mathcal{D}, p, r)$ to the mint, revealing $p$
only to the mint.
@@ -787,15 +788,14 @@ generator of the elliptic curve.
\begin{itemize}
\item randomly generates transfer key $T^{(i)} := \left(t^{(i)}_s,T^{(i)}_p\right)$ where $T^{(i)}_p := t^{(i)}_s G$,
\item randomly generates coin key pair \\ $C^{(i)} := \left(c_s^{(i)}, C_p^{(i)}\right)$ where $C^{(i)}_p := c^{(i)}_s G$,
- \item randomly generates blinding factors $b_i$,
- \item computes $E_i := E_{K_i}\left(c_s^{(i)}, b_i\right)$ where $K_i := H(c'_s T_p^{(i)})$. (The encryption key $K_i$ is
+ \item randomly generates blinding factors $b^{(i)}$,
+ \item computes $E^{(i)} := E_{K_i}\left(c_s^{(i)}, b^{(i)}\right)$ where $K_i := H(c'_s T_p^{(i)})$. (The encryption key $K_i$ is
computed by multiplying the private key $c'_s$ of the original coin with the point on the curve
that represents the public key $T^{(i)}_p$ of the transfer key $T^{(i)}$. This is basically DH between coin and transfer key.),
\end{itemize}
and commits $\langle C', \vec{T}, \vec{C}, \vec{b} \rangle$ to disk.
- \item The customer computes $B_i := E_{b_i}(C^{(i)}_p)$ for $i=1,\ldots,\kappa$ and sends a commitment
- $S_{C'}(\vec{E}, \vec{B}, \vec{T_p}))$ to the mint;
- here $E_{b_i}$ denotes Chaum-style blinding with blinding factor $b_i$.
+ \item The customer computes $B^{(i)} := B_{b^{(i)}}(C^{(i)}_p)$ for $i \in 1,\ldots,\kappa$ and sends a commitment
+ $S_{C'}(\vec{E}, \vec{B}, \vec{T_p}))$ to the mint.
\item The mint generates a random $\gamma$ with $1 \le \gamma \le \kappa$ and
marks $C'_p$ as spent by committing
$\langle C', \gamma, S_{C'}(\vec{E}, \vec{B}, \vec{T}) \rangle$ to disk.
@@ -803,7 +803,7 @@ generator of the elliptic curve.
possible to use any equivalent mint signing key known to the customer here, as $K$ merely
serves as proof to the customer that the mint selected this particular $\gamma$.}
\item The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk.
- \item The customer computes $\mathfrak{R} := \left(t_s^{(i)}, C_p^{(i)}, b_i\right)_{i \ne \gamma}$
+ \item The customer computes $\mathfrak{R} := \left(t_s^{(i)}, C_p^{(i)}, b^{(i)}\right)_{i \ne \gamma}$
and sends $S_{C'}(\mathfrak{R})$ to the mint.
\item \label{step:refresh-ccheck} The mint checks whether $\mathfrak{R}$ is consistent with the commitments;
specifically, it computes for $i \not= \gamma$:
@@ -812,23 +812,23 @@ generator of the elliptic curve.
\begin{minipage}{5cm}
\begin{align*}
\overline{K}_i :&= H(t_s^{(i)} C_p'), \\
- (\overline{c}_s^{(i)}, \overline{b}_i) :&= D_{\overline{K}_i}(E_i), \\
- \overline{C}^{(i)}_p :&= \overline{c}_s^{(i)} G,
+ (\overline{c}_s^{(i)}, \overline{b}_i) :&= D_{\overline{K}_i}(E^{(i)}), \\
+ \overline{C^{(i)}_p} :&= \overline{c}_s^{(i)} G,
\end{align*}
\end{minipage}
\begin{minipage}{5cm}
\begin{align*}
- \overline{B}_i :&= E_{b_i}(C_p^{(i)}), \\
- \overline{T}_i :&= t_s^{(i)} G, \\
+ \overline{T_p^{(i)}} :&= t_s^{(i)} G, \\ \\
+ \overline{B^{(i)}} :&= B_{b^{(i)}}(\overline{C_p^{(i)}}),
\end{align*}
\end{minipage}
- and checks if $\overline{C}^{(i)}_p = C^{(i)}_p$ and $H(E_i, \overline{B}_i, \overline{T}^{(i)}_p) = H(E_i, B_i, T^{(i)}_p)$
- and $\overline{T}_i = T_i$.
+ and checks if $\overline{B^{(i)}} = B^{(i)}$
+ and $\overline{T^{(i)}_p} = T^{(i)}_p$.
\item \label{step:refresh-done} If the commitments were consistent,
the mint sends the blind signature $\widetilde{C} :=
- S_{K}(B_\gamma)$ to the customer. Otherwise, the mint responds
+ S_{K}(B^{(\gamma)})$ to the customer. Otherwise, the mint responds
with an error the value of $C'$.
\end{enumerate}
@@ -839,7 +839,7 @@ generator of the elliptic curve.
\subsection{Linking}
For a coin that was successfully refreshed, the mint responds to a
-request $S_{C'}(\mathtt{link})$ with $(T^{(\gamma)}_p$, $E_{\gamma},
+request $S_{C'}(\mathtt{link})$ with $(T^{(\gamma)}_p$, $B^{(\gamma)},
\widetilde{C})$.
%
This allows the owner of the melted coin to also obtain the private
@@ -1040,7 +1040,7 @@ computing base (TCB) is public and free software.
%This work was supported by a grant from the Renewable Freedom Foundation.
% FIXME: ARED?
-%We thank Tanja Lange and Dan Bernstein for feedback on an earlier
+%We thank Tanja Lange, Dan Bernstein and Fabian Kirsch for feedback on an earlier
%version of this paper, Nicolas Fournier for implementing and running
%some performance benchmarks, and Richard Stallman, Hellekin Wolf,
%Jacob Appelbaum for productive discussions and support.
@@ -1105,15 +1105,15 @@ coin first.
\item\label{offer2} The merchant sends an \emph{offer:} $\langle S_M(m, f),
\vec{D} \rangle$ containing the price of the offer $f$, a transaction
ID $m$ and the list of mints $D_1, \ldots, D_n$ accepted by the merchant
- where each $D_i$ is a mint's public key.
+ where each $D_j$ is a mint's public key.
\item\label{lock2} The customer must possess or acquire a coin minted by a mint that is
- accepted by the merchant, i.e. $K$ should be publicly signed by some $D_i
+ accepted by the merchant, i.e. $K$ should be publicly signed by some $D_j
\in \{D_1, D_2, \ldots, D_n\}$, and has a value $\geq f$.
Customer then generates a \emph{lock-permission} $\mathcal{L} :=
S_c(\widetilde{C}, t, m, f, M_p)$ where $t$ specifies the time until which the
- lock is valid and sends $\langle \mathcal{L}, D_i\rangle$ to the merchant,
- where $D_i$ is the mint which signed $K$.
+ lock is valid and sends $\langle \mathcal{L}, D_j\rangle$ to the merchant,
+ where $D_j$ is the mint which signed $K$.
\item The merchant asks the mint to apply the lock by sending $\langle
\mathcal{L} \rangle$ to the mint.
\item The mint validates $\widetilde{C}$ and detects double spending if there is
@@ -1127,7 +1127,7 @@ coin first.
\item\label{contract2} The merchant creates a digitally signed contract
$\mathcal{A} := S_M(m, f, a, H(p, r))$ where $a$ is data relevant to the contract
indicating which services or goods the merchant will deliver to the customer, and $p$ is the
- merchant's payment information (e.g. his IBAN number) and $r$ is an random nounce.
+ merchant's payment information (e.g. his IBAN number) and $r$ is an random nonce.
The merchant commits $\langle \mathcal{A} \rangle$ to disk and sends it to the customer.
\item The customer creates a
\emph{deposit-permission} $\mathcal{D} := S_c(\widetilde{C}, f, m, M_p, H(a), H(p, r))$, commits
@@ -1315,4 +1315,85 @@ If an organization detects that it cannot support itself with
microdonations, it can always choose to switch to the macropayment
system with slightly higher transaction costs to remain in business.
+\newpage
+\section{Notation summary}
+
+The paper uses the subscript $p$ to indicate public keys and $s$ to
+indicate secret (private) keys. For keys, we also use small letters
+for scalars and capital letters for points on an elliptic curve. The
+capital letter without the subscript $p$ stands for the key pair. The
+superscript $(i)$ is used to indicate one of the elements of a vector
+during the cut-and-choose protocol. Bold-face is used to indicate a
+vector over these elements. A line above indicates a value computed
+by the verifier during the cut-and-choose operation. We use $f()$ to
+indicate the application of a function $f$ to one or more arguments.
+
+\begin{description}
+ \item[$K_s$]{Private (RSA) key of the mint used for coin signing}
+ \item[$K_p$]{Public (RSA) key corresponding to $K_s$}
+ \item[$K$]{Public-priate (RSA) coin signing key pair $K := (K_s, K_p)$}
+ \item[$b$]{RSA blinding factor for RSA-style blind signatures}
+ \item[$B_b()$]{RSA blinding over the argument using blinding factor $b$}
+ \item[$B^{-1}_b()$]{RSA unblinding of the argument using blinding factor $b$, inverse of $B_b()$}
+ \item[$S_K()$]{Chaum-style RSA signature, commutes with blinding operation $B_b()$}
+ \item[$w_s$]{Private key from customer for authentication}
+ \item[$W_p$]{Public key corresponding to $w_s$}
+ \item[$W$]{Public-private customer authentication key pair $W := (w_s, W_p)$}
+ \item[$S_W()$]{Signature over the argument(s) involving key $W$}
+ \item[$m_s$]{Private key from merchant for authentication}
+ \item[$M_p$]{Public key corresponding to $m_s$}
+ \item[$M$]{Public-private merchant authentication key pair $M := (m_s, M_p)$}
+ \item[$S_M()$]{Signature over the argument(s) involving key $M$}
+ \item[$G$]{Generator of the elliptic curve}
+ \item[$c_s$]{Secret key corresponding to a coin, scalar on a curve}
+ \item[$C_p$]{Public key corresponding to $c_s$, point on a curve}
+ \item[$C$]{Public-private coin key pair $C := (c_s, C_p)$}
+ \item[$S_{C}()$]{Signature over the argument(s) involving key $C$ (using EdDSA)}
+ \item[$c_s'$]{Private key of a ``dirty'' coin (otherwise like $c_s$)}
+ \item[$C_p'$]{Public key of a ``dirty'' coin (otherwise like $C_p$)}
+ \item[$C'$]{Dirty coin (otherwise like $C$)}
+ \item[$\widetilde{C}$]{Mint signature $S_K(C_p)$ indicating validity of a fresh coin (with key $C$)}
+ \item[$n$]{Number of mints accepted by a merchant}
+ \item[$j$]{Index into a set of accepted mints, $i \in \{1,\ldots,n\}$}
+ \item[$D_j$]{Public key of a mint (not used to sign coins)}
+ \item[$\vec{D}$]{Vector of $D_j$ signifying mints accepted by a merchant}
+ \item[$a$]{Complete text of a contract between customer and merchant}
+ \item[$f$]{Amount a customer agrees to pay to a merchant for a contract}
+ \item[$m$]{Unique transaction identifier chosen by the merchant}
+ \item[$H()$]{Hash function}
+ \item[$p$]{Payment details of a merchant (i.e. wire transfer details for a bank transfer)}
+ \item[$r$]{Random nonce}
+ \item[${\cal A}$]{Complete contract signed by the merchant}
+ \item[${\cal D}$]{Deposit permission, signing over a certain amount of coin to the merchant as payment and to signify acceptance of a particular contract}
+ \item[$\kappa$]{Security parameter $\ge 3$}
+ \item[$i$]{Index over cut-and-choose set, $i \in \{1,\ldots,\kappa\}$}
+ \item[$\gamma$]{Selected index in cut-and-choose protocol, $\gamma \in \{1,\ldots,\kappa\}$}
+ \item[$t^{(i)}_s$]{private transfer key, a scalar}
+ \item[$T^{(i)}_s$]{private transfer key, point on a curve (same curve must be used for $C_p$)}
+ \item[$T^{(i)}$]{public-private transfer key pair $T^{(i)} := (t^{(i)}_s,T^{(i)}_s)$}
+ \item[$\vec{T}$]{Vector of $T^{(i)}$}
+ \item[$c_s^{(i)}$]{Secret key corresponding to a fresh coin, scalar on a curve}
+ \item[$C_p^{(i)}$]{Public key corresponding to $c_s^{(i)}$, point on a curve}
+ \item[$C^{(i)}$]{Public-private coin key pair $C^{(i)} := (c_s^{(i)}, C_p^{(i)})$}
+ \item[$\vec{C}$]{Vector of $C^{(i)}$ (public and private keys)}
+ \item[$b^{(i)}$]{Blinding factor for RSA-style blind signatures}
+ \item[$\vec{b}$]{Vector of $b^{(i)}$}
+ \item[$B^(i)$]{Blinding of $C_p^{(i)}$}
+ \item[$\vec{B}$]{Vector of $B^{(i)}$}
+ \item[$K_i$]{Symmetric encryption key derived from ECDH operation via hashing}
+ \item[$E_{K_i}()$]{Symmetric encryption using key $K_i$}
+ \item[$E^{(i)}$]{$i$-th encryption of the private information $(c_s^{(i)}, b_i)$}
+ \item[$\vec{E}$]{Vector of $E^{(i)}$}
+ \item[$\cal{R}$]{Tuple of revealed vectors in cut-and-choose protocol,
+ where the vectors exclude the selected index $\gamma$}
+ \item[$\overline{K_i}$]{Encryption keys derived by the verifier from DH}
+ \item[$\overline{B^{(i)}}$]{Blinded values derived by the verifier}
+ \item[$\overline{T_p^{(i)}}$]{Public transfer keys derived by the verifier from revealed private keys}
+ \item[$\overline{c_s^{(i)}}$]{Private keys obtained from decryption by the verifier}
+ \item[$\overline{b_s^{(i)}}$]{Blinding factors obtained from decryption by the verifier}
+ \item[$\overline{C^{(i)}_p}$]{Public coin keys computed from $\overline{c_s^{(i)}}$ by the verifier}
+\end{description}
+
+
+
\end{document}