
[GNUnet-SVN] [taler-exchange] branch master updated (f6f4b07 -> 4f6e71a)


From: gnunet
Subject: [GNUnet-SVN] [taler-exchange] branch master updated (f6f4b07 -> 4f6e71a)
Date: Fri, 12 May 2017 02:20:57 +0200

This is an automated email from the git hooks/post-receive script.

burdges pushed a change to branch master
in repository exchange.

    from f6f4b07  clean up debug logic
     new d8eebc6  Improve abstract
     new 93edc84  Introduction does not know where it's going towards the end, but
     new 4f6e71a  Just a start on taxability text, breaks the latex run probably

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 doc/paper/postquantum.tex | 31 ++++++-----------
 doc/paper/taler.tex       | 86 ++++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 96 insertions(+), 21 deletions(-)

diff --git a/doc/paper/postquantum.tex b/doc/paper/postquantum.tex
index 4312479..9a4f2e9 100644
--- a/doc/paper/postquantum.tex
+++ b/doc/paper/postquantum.tex
@@ -49,12 +49,12 @@
 \begin{abstract}
 David Chaum's original RSA blind sgnatures provide information theoretic
 anonymity for customers' purchases.  In practice, there are many schemes
-that weaken this to provide properties.  We describe a refresh protocol
-for Taler that provides customers with post-quantum anonymity.
-It replaces an elliptic curve Diffe-Hellman operation with a unique
-hash-based encryption scheme for the proof-of-trust via key knoledge
-property that Taler requires to distinguish untaxable operations from
-taxable purchases. 
+that weaken this to provide properties, such as offline transactions or
+taxability in Taler.  We describe a refresh protocol for Taler that
+provides customers with post-quantum anonymity.  It replaces an elliptic
+curve Diffe-Hellman operation with a hash-based encryption scheme for
+the proof-of-trust via key knoledge property that Taler requires to
+distinguish untaxable operations from taxable purchases. 
 \end{abstract}
 
 
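Review bot: The rewritten abstract lines (`+curve Diffe-Hellman operation with a hash-based encryption scheme for` and `+the proof-of-trust via key knoledge property that Taler requires to`) still carry the misspellings "Diffe-Hellman" and "knoledge"; since this hunk already rewrites those lines, correct them to "Diffie-Hellman" and "knowledge" here, and drop the trailing space after "taxable purchases." on the last added line. The unchanged context line "RSA blind sgnatures" has the same kind of typo ("signatures"). The new clause "that weaken this to provide properties, such as offline transactions or taxability in Taler" reads better as "weaken this to provide additional properties, such as ..." so the reader sees that anonymity is traded for the listed features.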
@@ -135,7 +135,7 @@ First, we describe attaching contemporary post-quantum key 
exchanges,
 based on either super-singular eliptic curve isogenies \cite{SIDH} or
 ring learning with errors (Ring-LWE) \cite{Peikert14,NewHope}.
 These provide strong post-quantum security so long as the underlying
-scheme remains secure; however, these schemes youth leaves them
+scheme remains secure; however, these schemes' youth leaves them
 relatively untested.
 
 Second, we propose a hash based scheme whose anonymity garentee needs
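Review bot: The possessive fix "these schemes' youth" is correct, but the same paragraph keeps two misspellings on the unchanged context lines: "super-singular eliptic curve isogenies" should read "elliptic", and "anonymity garentee" should read "guarantee". Since the commit is already a typo pass over this paragraph, fold those two into it.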
@@ -144,24 +144,15 @@ the vible security paramater is numerically far smaller 
than in the
 key exchange systems, but covers query complexity which we believe
 suffices.
 
-We describe this hash based proof-of-encryption-to-self scheme in
-parallel with the 
-As is the practice with hash based signature schemes 
-
-
-
-
-In this paper, we describe a post-quantum 
-
-It replaces an elliptic curve Diffe-Hellman operation with a unique
-hash-based encryption scheme for the proof-of-trust via key knoledge
-property that Taler requires to distinguish untaxable operations from
-taxable purchases. 
+We describe this hash based proof-of-encryption-to-self scheme to
+align the discription of all our schemes.
 
 ...
 
 \smallskip
 
+%TODO : What is this part for?
+
 We observe that several elliptic curve blind signature schemes provide
 information theoreticly secure blinding as well, but 
  Schnorr sgnatures require an extra round trip \cite{??}, and
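Review bot: The replacement sentence `+We describe this hash based proof-of-encryption-to-self scheme to` / `+align the discription of all our schemes.` misspells "description" and does not say what the description is aligned with; the deleted text ("in parallel with the ... As is the practice with hash based signature schemes") at least hinted at a comparison, so name the reference point explicitly (for example, that the hash-based scheme is presented in the same framework as the key-exchange-based schemes). The bare `...` line remains in the typeset body and the added `%TODO : What is this part for?` marks the following paragraph as unexplained; if the ellipsis must stay, put it in a `%` comment so it does not appear in the PDF. The context line `\cite{??}` will also produce an undefined-citation warning on every build until a key is supplied.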
diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index 9b2bb89..1d1c5db 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -991,7 +991,7 @@ than the comparable use of zk-SNARKs in 
ZeroCash~\cite{zerocash}.
 %
 %TODO: Explain, especially subtleties regarding session key / the spoofing 
attack that requires signature.
 
-\subsection{Linking}
+\subsection{Linking}\label{subsec:linking}
 
 % FIXME: What is \mathtt{link} ?
 
@@ -1374,6 +1374,90 @@ data being persisted are represented in between 
$\langle\rangle$.
 \end{description}
 
 
+\section{Taxability arguments}
+
+\begin{proposition}
+An auditor can detect an exchange operating either the refresh or
+linking protocol dishonestly.
+\end{proposition}
+
+\begin{proof}
+.. Not sure about this one ..
+\end{proof}
+
+\begin{proposition}
+If the exchange operates the refresh protocol honestly, then
+a dishonest wallet looses $1 - {1 \over \kappa}$ of the value
+of the coins it refreshes dishonestly.
+\end{proposition}
+
+\begin{proof}
+.. Can we reference something about cut and choose protocols?  Or must we work 
this all out? ..
+\end{proof}
+
+We say a coin is {\em controlled} by a user if the user's wallet knows
+its secret scalar $c_s$, the signature $S$ of the appropriate denomination
+key on its public key $C_s$, and the residual value of the coin. 
+
+We assume the wallet cannot loose knowledge of a particular coin's
+key material, and the wallet can query the exchange to learn the
+residual value of the coin, so a wallet cannot loose control of
+a coin.  A wallet may loose the monetary value associated with a coin
+if another wallet spends it however.
+
+We say a user Alice {\em owns} a coin $C$ if only Alice's wallets can
+gain control of $C$ using standard interactions with the exchange. 
+In other words, ownership means exclusive control not just in the
+present, but in the future even if another user interacts with the
+exchange.
+
+\begin{theorem}
+Let $C$ denote a coin controlled by users Alice and Bob. 
+Suppose Bob creates a coin $C'$ from $C$ using the refresh protocol.
+Assuming the exchange and Bob operated the refresh protocol correctly,
+and that they continue to operate the linking protocol
+ \S\ref{subsec:linking} correctly,
+then Alice can gain control of $C'$ using the linking protocol.
+\end{theorem}
+
+\begin{proof}
+Alice may run the linking protocol to obtain all transfer keys $T^i$,
+blindings $B^i$ associated to $C$, and those coins denominations,
+including the $T'$ for $C'$. 
+
+We assumed both the exchange and Bob operated the refresh protocol
+correctly, so now $c_s T'$ is the seed from which $C'$ was generated.
+Alice rederives both $c_s$ and the blinding factor to unblind the
+denomination key signature on $C'$.  Alice finally asks the exchange
+for the residual value on $C'$ and runs the linking protocol to
+determine if it was refreshed too.
+\end{proof}
+
+
+\section{Privacy arguments}
+
+We consider two coins $C_1$ and $C_2$ created by the same withdrawal
+or refresh operation.  We say they are {\em linkable} if
+some probabilistic polynomial time adversary has a non-negligible
+advantage in guessing which two of $\{ C_0, C_1, C_2 \}$ were
+created together, where $C_0$ is an unrelated third coin.
+
+% TODO: Compare this definition with some from the literature
+
+.. reference literate about withdrawal ..
+
+\begin{proposition}
+If two coins created by refresh are linkable, then some 
+probabilistic polynomial time adversary has a non-negligible
+advantage in determining that their seeds ...
+...
+\end{proposition}
+
+\begin{proof}
+... random oracle ..
+\end{proof}
+
+
 
 \end{document}
 
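Review bot: In the proof of the theorem, `+Alice rederives both $c_s$ and the blinding factor to unblind the` should not say $c_s$: the preceding line states that $c_s T'$ is the seed from which $C'$ was generated, and $c_s$ is the secret scalar of $C$, which Alice already holds by assumption; the quantity she rederives is the secret scalar of $C'$ (write it as $c'_s$ or similar and define it). Other points in this hunk: "looses"/"loose" appears four times (`+a dishonest wallet looses $1 - {1 \over \kappa}$ of the value`, `+We assume the wallet cannot loose knowledge of a particular coin's`, and the two following uses) and should read "loses"/"lose"; `{1 \over \kappa}` is plain-TeX syntax and should be `\frac{1}{\kappa}` in LaTeX; `+blindings $B^i$ associated to $C$, and those coins denominations,` needs the possessive "coins' denominations". The `proposition`, `theorem` and `proof` environments require `amsthm` (or equivalent) and matching `\newtheorem` declarations in the preamble, which is presumably why the commit message expects the LaTeX run to break; check the preamble before merging. The placeholder lines `+.. Not sure about this one ..`, `+.. Can we reference something about cut and choose protocols?  Or must we work this all out? ..`, `+.. reference literate about withdrawal ..` and the `...` inside the final proposition and proof will all typeset into the paper; move them into `%` comments or `\todo`-style markup. Finally, the second proposition should say whether $1 - \frac{1}{\kappa}$ is a per-refresh bound or an expected loss, since the proof is still a placeholder and the statement alone is ambiguous.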
