From: gnunet
Subject: [taler-donau] branch master updated: first major editing pass, changing a lot...
Date: Thu, 09 Jan 2025 21:10:14 +0100

This is an automated email from the git hooks/post-receive script.

grothoff pushed a commit to branch master
in repository donau.

The following commit(s) were added to refs/heads/master by this push:
     new 01df577  first major editing pass, changing a lot...
01df577 is described below

commit 01df577236a34202e9a400f6064354331b4b963b
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Thu Jan 9 21:10:11 2025 +0100

    first major editing pass, changing a lot...
---
 doc/usenix-security-2025/paper/bibliography.bib    |  12 +-
 doc/usenix-security-2025/paper/discussion.tex      | 122 ++--
 doc/usenix-security-2025/paper/donau-paper.bib     |  13 +
 doc/usenix-security-2025/paper/donau-paper.pdf     | Bin 851790 -> 202584 bytes
 doc/usenix-security-2025/paper/donau-paper.tex     |  50 +-
 doc/usenix-security-2025/paper/implementation.tex  |  43 +-
 doc/usenix-security-2025/paper/intro.tex           | 321 ++++++----
 doc/usenix-security-2025/paper/requirements.tex    | 701 ++++++++++++---------
 doc/usenix-security-2025/paper/technicaldesign.tex |  26 +-
 9 files changed, 719 insertions(+), 569 deletions(-)

diff --git a/doc/usenix-security-2025/paper/bibliography.bib 
b/doc/usenix-security-2025/paper/bibliography.bib
index 687fafb..cdcb8df 100644
--- a/doc/usenix-security-2025/paper/bibliography.bib
+++ b/doc/usenix-security-2025/paper/bibliography.bib
@@ -52,6 +52,16 @@
       keywords = {Cryptography},
 }
 
+@article{
+       Chaum89,
+       author = {David Chaum},
+       title = {Blind Signatures for Untraceable Payments},
+       journal = {Advances in Cryptology},
+       volume = {Proceedings of Crypto82},
+       year = {1989},
+       DOI = {10.1007/978-1-4757-0602-4_18}
+}
+
 @misc{DemHeuz2022,
       author = {Gian Demarmels, Lucien Heuzeveld},
       title = {Adding {Schnorr’s} Blind Signature in {Taler}},
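Review bot: the new Chaum89 entry is internally inconsistent: it is typed @article with `volume = {Proceedings of Crypto82}` yet `year = {1989}`, and the volume field holds a book title rather than a volume number. The Crypto 82 proceedings that the given DOI resolves to appeared in 1983, and this is a proceedings paper, not a journal article. Suggest `@inproceedings{Chaum83, ... booktitle = {Advances in Cryptology: Proceedings of Crypto 82}, year = {1983}}` and updating the cite key wherever it is used.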
@@ -119,5 +129,3 @@
       year={2022},
       howpublished = {\url{https://taler.net/papers/cs-thesis.pdf}},
 }
-
-
diff --git a/doc/usenix-security-2025/paper/discussion.tex 
b/doc/usenix-security-2025/paper/discussion.tex
index efd5eb4..b50f66d 100644
--- a/doc/usenix-security-2025/paper/discussion.tex
+++ b/doc/usenix-security-2025/paper/discussion.tex
@@ -1,29 +1,17 @@
-\section{Discussion}
+\section{Discussion} \label{discussion}
 
-This chapter compares the Donau design with the requirements and desired
-optional features and discusses threat models.
+In this section we first show how the presented design relates to the
+various requirements discussed in Section~\ref{sec:optionalfeatures}
+and what extensions could be made to address almost all of them.
 
-\subsection{Optional features and the Donau design} 
\label{sec:discussionfeatures}
-
-Sections~\ref{technical} and \ref{implementation} presented a complete
-design and implementation of a donation system that achieves confidentiality of
-donations while permitting donors to prove how much they donated to registered
-charities.
-
-In this section we first show how the presented design and
-implementation could be made to fit the other features discussed in
-section~\ref{sec:optionalfeatures} and which ones it addresses already.
-
-
-
-\subsubsection{Feature: Provide fiscal statement}
+\subsection{Feature: Provide fiscal statement}
 
 Both the individual donation receipts and the annual donation statement
 provided by Donau satisfy the requirement of providing a fiscal statement.
 In general, the annual donation statement is more user-friendly and more
 privacy-friendly as it only contains the total amount and is more compact.
 
-\subsubsection{Feature: Proof of registration}\label{discussion:registration}
+\subsection{Feature: Proof of registration}\label{discussion:registration}
 
 In the Donau protocol, the donor is identified using a unique donor
 identifier. The format of the identifier is not fixed by the protocol,
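Review bot: the hunk deletes `\label{sec:discussionfeatures}` together with the subsection heading, so any `\ref` to it in the other .tex files (not visible in this patch) becomes an undefined reference; grep for it before merging. Two smaller points: the new opening sentence says "we first show ... and what extensions could be made" without a corresponding "then", and the new `\label{discussion}` does not follow the `sec:` prefix used by the labels this file references (`sec:optionalfeatures`, `sec:threats`).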
@@ -37,7 +25,7 @@ deductable donations.
 If the purpose of the registration is to limit charities to only accept money
 from registered donors additional components need to be added. The
 cryptographic concept of attribute-based credentials can be used to build a
-suitable functionality. 
+suitable functionality.
 When a donor registers, they are provided a credential to prove that they are
 registered. When donating to a
 charity, the donor uses their credential to sign their donation. The charity 
checks
@@ -48,14 +36,14 @@ attribute-based credentials and features differ between 
them. To keep the
 privacy guarantees of the Donau protocol and only add donor registration, the
 system should be unlinkable and anonymous.
 
-We acknowledge that this design does not provide a link between the donor
-identity $\DI$ used in the BKP and the donor registration as that is
-incompatible with the property of providing anonymity to the donor. A 
registered
-donor with a valid credential may choose to submit BKPs that
-include invalid $\DI$s or somebody else's $\DI$. However, the design gives a
-proof to the charity that the payment they receive comes from a registered
-donor. See section~\ref{sec:discussion:threats} later for a discussion of
-threats. 
+We acknowledge that this design does not provide a link between the
+donor identity $\DI$ used in the BKP and the donor registration as
+that is incompatible with the property of providing anonymity to the
+donor. A registered donor with a valid credential may choose to submit
+BKPs that include invalid $\DI$s or somebody else's $\DI$. However,
+the design gives a proof to the charity that the payment they receive
+comes from a registered donor. (See Section~\ref{sec:threats} for
+a discussion of threats.)
 
 Given that only few countries require donor registration and we
 consider this a requirement that hampers charities, we chose not to include
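Review bot: `Section~\ref{sec:threats}` points at a label that no file in this push defines: the old threats subsection was labelled `sec:discussion:threats` and is deleted further down in this file, and no threats.tex is among the nine files changed. Unless the label already exists in a committed file, this builds with an undefined reference.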
@@ -63,14 +51,14 @@ this feature in our design.
 
 
 
-\subsubsection{Feature: Configurable pledge}
+\subsection{Feature: Configurable pledge}
 
 The Donau protocol is expected to be integrated with a payment process,
 such as the GNU Taler payment protocol. Here, the actual payment would
 sign over contract terms between the donor and the charity. The pledge
 can be easily integrated into these contract terms.
 
-\subsubsection{Feature: Cumulative donation counter from same donor to same
+\subsection{Feature: Cumulative donation counter from same donor to same
 cause}\label{discussion:limit}
 
 Limiting donations per donor is difficult when donations are supposed
@@ -91,13 +79,13 @@ pseudonym derived from the donor's main identity. The 
unlinkable
 pseudonym could be unique to the donor, charity and time period.
 By signing the donation process with such an unlinkable pseudonym
 it is possible to prevent smurfing donations, alas at the expense
-of reducing anonymity to pseudonymity. 
+of reducing anonymity to pseudonymity.
 
 As discussed above in section~\ref{discussion:registration}, the signature on
 the donation does not guarantee that the $\DI$ hidden in the BKPs matches that
 of the signer.
 
-\subsubsection{Feature: Notarized affidavit}
+\subsection{Feature: Notarized affidavit}
 
 GNU Taler already supports privacy-preserving age-restrictions on
 payments, thus it would be trivial to prove that the donor is of
@@ -110,17 +98,17 @@ other types of attestations would require building the 
corresponding
 certification infrastructure.
 
 
-\subsubsection{Feature: Unique ID for donor advised decisions}
+\subsection{Feature: Unique ID for donor advised decisions}
 
 Issuing tokens to advise decisions would be part of the donation contract.
 The donation process could return such a token in addition to the donation
 receipt to enable the donor to vote, similar to the discount and subscription
-tokens already proposed for GNU Taler. 
+tokens already proposed for GNU Taler.
 
 An inherent feature of the Donau protocol is that the
 donor has the private keys of the coins used to make a donation,
 and thus inherently a feature that could be used to advise
-decisions. 
+decisions.
 
 Limiting decisions to one per donor
 instead of proportional to the amount donated is more complex,
@@ -130,7 +118,7 @@ donor as discussed in section~\ref{discussion:limit}.
 The main challenge in both scenarios would be to find a way to inform
 the anonymous donors when their input is solicited.
 
-\subsubsection{Feature: Compound weighted donation}
+\subsection{Feature: Compound weighted donation}
 
 In general, the simplest way to do a compound weighted donation
 would be to break up the donation into multiple donations at
@@ -141,7 +129,7 @@ be enhanced with escrow functionalities that would allow the
 donation to be split up according to a given set of weights
 which is only provided after the donation was made.
 
-\subsubsection{Feature: Cost transparency}
+\subsection{Feature: Cost transparency}
 
 Fees in the GNU Taler system are given as part of the protocol
 and always shown to the payer, ensuring cost transparency. The
@@ -150,12 +138,12 @@ the payment system, donor and charity.  If fundraising 
parties
 are involved as well, their cuts could be easily made transparent
 in the GNU Taler contract terms used in the donation payment.
 
-\subsubsection{Feature: Staged donation}\label{discussion:staged}
+\subsection{Feature: Staged donation}\label{discussion:staged}
 
 Staged donations would require the payment service to hold funds in
 escrow until certain conditions are met (or refund them).  GNU Taler
 can already do refunds, and escrow of funds is a feature planned for
-the future. 
+the future.
 %TL: that is always a problem and not changed by using our solution.
 % One difficulty would be to establish an authority
 % that decides whether the conditions are met.
@@ -163,18 +151,18 @@ the future.
 The blinded donation receipts could similarly be held in escrow, released only
 when the next stage of funding is reached and the donation is released. A
 problem, however, is that the donor is anonymous and thus cannot be reached
-at the time that later goals are met. 
+at the time that later goals are met.
 
 A solution is for the charity to further blind or encrypt the Donau signatures
 and to publicly post the keys when the next stage of funding is reached and the
 donation becomes effective. In the following we assume that the donation is
 split up by funding stage and that the donor submitted an array of BKPs per
-funding stage, so 
-$\vec{\mu_j} = (\bar{\mu}_{j1}, \bar{\mu}_{j2}, \ldots)$ is the array of BKPs 
for 
+funding stage, so
+$\vec{\mu_j} = (\bar{\mu}_{j1}, \bar{\mu}_{j2}, \ldots)$ is the array of BKPs 
for
 funding stage $j$.
 To make the multitude of keys manageable, the charity uses a random string
-$t_j$ per funding stage and {\em encrypts} the Donau response 
-$(\beta_{j1}, \beta_{j2}, \ldots)$ for the stage $j$ payments 
+$t_j$ per funding stage and {\em encrypts} the Donau response
+$(\beta_{j1}, \beta_{j2}, \ldots)$ for the stage $j$ payments
 with $H(t_j, \vec{\mu_j})$. The encrypted Donau responses (one per stage) are
 returned to the donor at the time of donation instead of the plaintext Donau
 response.
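Review bot: the construction "encrypts the Donau response ... with $H(t_j, \vec{\mu_j})$" leaves its security assumptions implicit. The donor submitted $\vec{\mu_j}$ and therefore knows it, so confidentiality of the $\beta_{j\cdot}$ until stage $j$ is reached rests entirely on $t_j$; "a random string" should state that $t_j$ is a fresh, uniformly random value of at least the key length (e.g. 256 bits) chosen by the charity, and the encryption should be an authenticated scheme so that a donor can distinguish a wrongly published $t_j$ from a corrupted ciphertext. Notational nit: $\vec{\mu_j}$ alongside $\bar{\mu}_{j1}$; $\vec{\mu}_j$ would be consistent.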
@@ -189,14 +177,14 @@ but charities soliciting staged donations typically post 
extensive progress
 reports justifying them declaring success on the previous stage and this report
 should then link to the key $t_j$.
 
-\subsubsection{Feature: Bandwidth donations}
+\subsection{Feature: Bandwidth donations}
 
-If the donated amount is to shrink based on certain conditions the design 
+If the donated amount is to shrink based on certain conditions the design
 discussed in section~\ref{discussion:staged} can be adopted. Here is a simple
 example where the final contribution of each donor is proportional to their
 maximum pledge: Each
 donation is composed of some fixed number $N$ of equal shares. During the
-period that the charity is soliciting funding all donations are held in 
escrow. 
+period that the charity is soliciting funding all donations are held in escrow.
 Donors receive $N$ encrypted Donau responses (one per share). Once the funding
 period ends, the total sum of pledges is known. Let the fraction $a/N$ of the
 total suffice for the funding goal of the charity. The charity then posts the
@@ -205,18 +193,18 @@ donated part, and receives the share of $a/N$ of the 
pledged donations from
 escrow. The remaining $(N-a)/N$ shares of the donations are returned to the
 donors, e.g., by voiding the contracts that spent them.
 
-\subsubsection{Feature: Code of conduct}
+\subsection{Feature: Code of conduct}
 
 A code of conduct could easily be integrated into the contract
 terms for of the payment process.
 
-\subsubsection{Feature: Restricted access mechanism}
+\subsection{Feature: Restricted access mechanism}
 
 The envisioned discount token and subscription extensions of the
 GNU Taler protocol could be used to return to the donor a token that
 would grant them access to additional information.
 
-\subsubsection{Feature: Unlock thank you artwork}
+\subsection{Feature: Unlock thank you artwork}
 
 The GNU Taler protocol can already be used to buy digital goods.
 While we are usually thinking about newspaper articles or videos,
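Review bot: the context line "terms for of the payment process." in the Code of conduct paragraph has a stray "for"; since this hunk already touches that paragraph's heading, it is the natural place to fix it.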
@@ -229,7 +217,7 @@ compatible with the anonymity feature. However, there is 
nothing in the design
 that stops the charity and donor from exchanging address information during the
 donation process.
 
-\subsubsection{Feature: Donation matching with a reference}
+\subsection{Feature: Donation matching with a reference}
 
 Donation matching is an agreement between the charity and a matching donor.
 The charity can show proof of the payments received; if these are done using
@@ -246,10 +234,10 @@ Both donor and match funder can in principle share their
 donation receipts publicly to advertise their good deed, but they then of 
course
 void their anonymity.
 
-\subsubsection{Feature: Anonymous donation matching by employer}
+\subsection{Feature: Anonymous donation matching by employer}
 
 Technical solutions can be similar to what is discussed in
-section~\ref{discussion:registration}. 
+section~\ref{discussion:registration}.
 
 A simple solution if the match funder is a company with a taxpayer ID known to
 their employees and the match funder knows the donors' taxpayer IDs (as is
@@ -264,33 +252,3 @@ funder. The match funder can verify validity of both 
receipts and that the
 proportion of their match is correct. They then refund the amount that was 
donated
 on their behalf to the employee and use the donation receipt for their {\tt
 TAXID} when filing their tax statement.
-
-\subsection{Threats}\label{sec:discussion:threats}
-
-The presented protocol is using similar cryptographic constructions
-as the GNU Taler payment system itself, primarily blind signatures
-and regular signatures. However, it does not use the ``refresh''
-protocol of GNU Taler, as there is no need to render change.
-As a result, the Donau protocol suffers from a subset of
-the threats from quantum computing detailed in deliverable D5.3 
~\cite{pqtaler2024}
-on the impact of quantum computers on GNU Taler.
-
-A new Donau-specific threat is that donations could be used for
-laundering criminal assets. This does not mean that we expect
-charities themselves to play foul, but tax benefits that could be
-transferred to someone else would indirectly represent actual value
-(even commercially tradeable): donations from someone paying lower tax
-rates could be used to artificially lower the income of a person
-paying a higher rate. The money going to the charity would essentially
-be used to trigger a laundered partial payout in the legitimate world.
-The Donau protocol does not prove that the donor identification $\DI$ used in
-the $\UDI$s inside the BKPs is that of the actual donor, as that is
-incompatible with the anonymity and confidentiality guarantees of the system.
-In practice, we expect this threat to be largely theoretical: 
-the hypothetical money launderer would need to take a significant
-loss (depending on the tax rate, but generally probably more than
-half, given that common effective tax rates are rarely above 50\%).
-Thus, the costs of laundering money with this method would most
-likely substantially exceed the cost of other methods to launder
-criminal assets.
-
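Review bot: the deleted Threats subsection cites `~\cite{pqtaler2024}`, whereas the bib entry this commit adds in donau-paper.bib is keyed `lange2024`; if this text is being moved into the new threats.tex, update the cite key there or the citation stays unresolved. The deleted paragraph also carries the only explicit statement that the protocol does not bind $\DI$ to the real donor, which Section~\ref{discussion:registration} above relies on by reference; the moved text needs to keep it.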
diff --git a/doc/usenix-security-2025/paper/donau-paper.bib 
b/doc/usenix-security-2025/paper/donau-paper.bib
index 7acf540..edfc7f7 100644
--- a/doc/usenix-security-2025/paper/donau-paper.bib
+++ b/doc/usenix-security-2025/paper/donau-paper.bib
@@ -17,6 +17,19 @@
    note         = {\url{https://taler.net/papers/donau-thesis.pdf}},
    url          = {https://taler.net/papers/donau-thesis.pdf}
 }
+
+
+
+@Unpublished{lange2024,
+  author =       {Tanja Lange and Jonathan Levin},
+  title =        {Impact of Quantum Computers on {GNU Taler}},
+  note =         {Available upon request},
+  OPTkey =       {},
+  month =     {November},
+  year =      {2024},
+  OPTannote =    {}
+}
+
 @article{DBLP:journals/jce/BernsteinDLSY12,
   author       = {Daniel J. Bernstein and
                   Niels Duif and
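Review bot: this entry undermines the double-blind submission: the paper body carries `author = Anonymous` and "funded by ANONYMIZED", yet the new `lange2024` entry names "Tanja Lange and Jonathan Levin", both of whom appear in the commented-out author list in donau-paper.tex, and `note = {Available upon request}` tells the reader whom to ask. Either cite an anonymized placeholder for review or cite a public version. Also drop the empty `OPTkey`/`OPTannote` fields and the three blank lines added above the entry.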
diff --git a/doc/usenix-security-2025/paper/donau-paper.pdf 
b/doc/usenix-security-2025/paper/donau-paper.pdf
index f96fe73..5fe950c 100644
Binary files a/doc/usenix-security-2025/paper/donau-paper.pdf and 
b/doc/usenix-security-2025/paper/donau-paper.pdf differ
diff --git a/doc/usenix-security-2025/paper/donau-paper.tex 
b/doc/usenix-security-2025/paper/donau-paper.tex
index f0df673..9efc523 100644
--- a/doc/usenix-security-2025/paper/donau-paper.tex
+++ b/doc/usenix-security-2025/paper/donau-paper.tex
@@ -1,5 +1,5 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-% TODO : 
+% TODO :
 % - Reduce the size to 13 pages for the main text (excluding
 % bibliography)
 % - Add some bibliographical references (for the motivation).
@@ -19,41 +19,35 @@
 \usepackage{listings}
 \usepackage{graphicx}
 \begin{document}
-%\doccode{D3.4}
-%\wpcontrib{WP3}
-%don't want date printed
 \date{}
 \title{\Large \bf Design of a privacy friendly tax deduction system for 
donations}
-%\duedate{30 November 2024}
-%\actualdate{\today}
-%\version{Revision 1.0}
-%\dissemination{PU}
 
-% \author{Bob Goudriaan, Christian Grothoff, Tanja Lange, Michiel
-%   Leenaars, Jonathan Levin}
+% \author{Emmanuel Benoist, Johannes Casaba, Bob Goudriaan,
+% Christian Grothoff, Tanja Lange, Michiel Leenaars,
+% Jonathan Levin, Lukas Matyja}
 
 \author{
 {\rm Anonymous}\\
 Anonymized Institution
-\and 
+\and
 {\rm Anonymous}\\
 Anonymized Institution
-\and 
+\and
 {\rm Anonymous}\\
 Anonymized Institution
-\and 
+\and
 {\rm Anonymous}\\
 Anonymized Institution
-\and 
+\and
 {\rm Anonymous}\\
 Anonymized Institution
-\and 
+\and
 {\rm Anonymous}\\
 Anonymized Institution
-\and 
+\and
 {\rm Anonymous}\\
 Anonymized Institution
-\and 
+\and
 {\rm Anonymous}\\
 Anonymized Institution
 }
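Review bot: the commented-out author list (Emmanuel Benoist, Johannes Casaba, ..., Lukas Matyja) stays in the source of an anonymized submission; LaTeX comments are not stripped from a submitted .tex, and the list is visible in the repository as well. Keep it outside the submission tree (or in a camera-ready branch) rather than in a comment.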
@@ -63,8 +57,8 @@ Anonymized Institution
 % \author{
 % {\rm Bob Goudriaan}\\
 % NLnet Foundation
-% \and 
-% {\rm Chrsitian Grothoff}\\
+% \and
+% {\rm Christian Grothoff}\\
 % Bern University of Applied Sciences
 % \and
 % {\rm Tanja Lange}\\
@@ -103,10 +97,24 @@ Anonymized Institution
 \input{requirements} % Michiel's part can go in this file
 \input{technicaldesign}
 \input{discussion}
+\input{threats}
+
+\section*{Acknowledgements}
+
+This work was funded by ANONYMIZED.
+%in part by the European Commision through the
+%Horizon Europe program under project number 101135475 (TALER). It also
+%has received funding from the Swiss State Secretariat for Education,
+%Research and Innovation (SERI).
+%
+We thank the tax authority of ANONYMIZED for an extensive and
+constructive discussion on the subject.
 
 \bibliographystyle{plain}
 \bibliography{donau-paper,bibliography}
-\appendix
-\input{implementation}
+
+% Maybe for camera-ready?
+%\appendix
+%\input{implementation}
 
 \end{document}
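Review bot: `\input{threats}` is added but no threats.tex is in this push (the stat list shows nine files, none of them threats.tex), so the document will not build from this commit unless the file already exists. Second, `\appendix` and `\input{implementation}` are commented out, yet implementation.tex still opens with "This appendix describes", and any remaining `\ref{implementation}` in the other sections becomes undefined. Third, the commented funding lines (Horizon Europe project 101135475, SERI) sit directly under "funded by ANONYMIZED"; same deanonymization concern as the author list.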
diff --git a/doc/usenix-security-2025/paper/implementation.tex 
b/doc/usenix-security-2025/paper/implementation.tex
index 23ab3f6..b97ca41 100644
--- a/doc/usenix-security-2025/paper/implementation.tex
+++ b/doc/usenix-security-2025/paper/implementation.tex
@@ -1,24 +1,22 @@
 \section{Implementation}\label{implementation}
 
-This appendix is heavily based on (and often a verbatim
-reproduction of) the thesis~\cite{donau} by Johannes Casaba and Lukas
-Matyja supervised by Emmanuel Benoist and Christian Grothoff.  We
-thank Johannes Casaba and Lukas Matyja for their significant
-contributions.
+This appendix describes the current implementation of the Donau, which
+consists of a REST API, an Android verification app, and the Donau
+database.  The Donau is written in C, as it reuses parts of the
+codebase from GNU Taler exchange component.  The Donau has a similar
+architecture and uses cryptographic blinded signatures in a similar
+way as the GNU Taler exchange does.
 
-This appendix describes the current implementation of the Donau,
-which consists of a REST API, an Android verification app, and the Donau 
database.
-The Donau is written in C, as it reuses parts of the codebase from the 
exchange of GNU Taler.
-The Donau has a similar architecture and uses
-cryptographic blinded signatures in a similar way as the exchange does.
-
-On the user side, donation receipts are collected in a wallet; the wallet takes
-the users taxpayer ID and picks its own salt to create the Donor Identifier 
\DI.
+On the user side, donation receipts are collected in a wallet; the
+wallet takes the users taxpayer ID and picks its own salt to create
+the Donor Identifier \DI.
 
 \subsection{REST API} \label{rest_api}
-The detailed REST API specification of the Donau back-end is publicly available
-under the following URL: \url{https://docs.taler.net/core/api-donau.html}. The
-following are the main API endpoints:
+
+The detailed REST API specification of the Donau back-end is publicly
+available under the following URL:
+\url{https://docs.taler.net/core/api-donau.html}. The following are
+the main API endpoints:
 
 \subsubsection{\texttt{/keys}}
 The \texttt{GET /keys} request returns all valid donation unit public keys
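Review bot: wording in the rewritten paragraph: "from GNU Taler exchange component" needs "the", "the users taxpayer ID" should be "the user's taxpayer ID", and "cryptographic blinded signatures" should be "blind signatures" (the term used in the bibliography). The hunk also drops the statement that this appendix is "often a verbatim reproduction of" the thesis~\cite{donau}; if that is for anonymization, leave a TODO so the credit is restored for camera-ready, since the verbatim text itself remains.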
@@ -73,11 +71,14 @@ the three dots '\texttt{...}') to make them more readable.
 \end{verbatim}
 
 \subsubsection{\texttt{/charities}}
-In order for a charity to be able to issue receipts by a specific Donau it 
must be registered by this Donau.
-The Donau provides an API to manage charities.
-By default only the Donau administrator can change the list of registered 
charities.
-The charity itself is able to request a donation report to keep track of their 
total donations in the current year.
-The response includes the maximum donation amount and the current donated 
amount for the charity of the current year.
+
+In order for a charity to be able to issue receipts by a specific
+Donau it must be registered by this Donau.  The Donau provides an API
+to manage charities.  By default only the Donau administrator can
+change the list of registered charities.  The charity itself is able
+to request a donation report to keep track of their total donations in
+the current year.  The response includes the maximum donation amount
+and the current donated amount for the charity of the current year.
 
 \begin{figure}[ht]
 \includegraphics[width=0.5\textwidth]{donau_flow_register_charity}
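Review bot: "By default only the Donau administrator can change the list of registered charities" describes an access-control decision without saying how the administrator is authenticated or what "by default" can be changed to; for a security paper this paragraph should at least name the mechanism or point to the part of the API specification that does. Minor wording: "to issue receipts by a specific Donau" reads better as "to have receipts issued by a specific Donau".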
diff --git a/doc/usenix-security-2025/paper/intro.tex 
b/doc/usenix-security-2025/paper/intro.tex
index 045550e..429edad 100644
--- a/doc/usenix-security-2025/paper/intro.tex
+++ b/doc/usenix-security-2025/paper/intro.tex
@@ -1,168 +1,211 @@
 \section{Introduction}\label{intro}
 
-The scope of this document is to provide an overview of potential technical
-requirements and desiderata for donation systems that wish to offer a
-technical solution in which donors can make donations to registered charities
-and then receive a tax benefit from the tax authorities when filing their tax
-statement. The document also provides a detailed technical design and
-implementation for privacy-preserving donations, developed in the 
-thesis~\cite{donau} by Johannes Casaba and Lukas Matyja supervised by 
-Emmanuel Benoist and Christian Grothoff.
-The design provides a solution for a relevant subset of the requirements. 
-We also discuss extensions and adaptations for covering other requirements.
-
-This document is written in the context of the \href{https://ngi.taler.net}{NGI
-TALER} project, which is based around the electronic payment system GNU Taler.
-As may be obvious from the underlying acronym "Taxable Anonymous Libre
-Electronic Resources", GNU TALER bridges two seemingly opposite requirements:
-providing privacy to citizens with regards to how they spend their money in the
-digital realm, while at the same time creating a system for organizations which
-handle financial transactions that is transparent and auditable. The latter 
prevents
-fraud and keeps taxation as a basic mechanism to take action in the common
-interest and fund public services. To the citizens it offers the same
-privacy properties we are used to with traditional cash payments.
+This paper presents the design and implementation of a protocol for
+donation receipts that satisfies a broad range of potential technical
+requirements and desiderata for donation systems.  The system enables
+donors to make anonymous donations to registered charities and still
+receive a tax benefit from the tax authorities when filing their tax
+statement while preventing fraud.
+
+Donating is an important way for people to empower causes they believe
+in, and facilitate collective action. In many countries, there is
+explicit recognition of the public benefit of such generosity: a
+friendly tax treatment of donations. It makes sense: money you
+immediately give away to a recognized good cause is not income that
+will be converted by you into private consumption. So conceptually it
+deserves a different tax treatment.
+
+Donations have many causes, but quite often they are an obvious
+expression of the human right towards the freedom of thought,
+conscience and religion. Individual spending can be very intimate and
+personal, and even aggregate spending habits can reveal a great deal
+about people. This holds even more so for donating.
+
+Protecting donation confidentiality is therefore important to protect
+those freedoms. We have to recognize that in some situations the mere
+fact hat someone has -- in private -- donated to some cause at some
+point in their life, can put them at risk in another context. The
+right to privacy is another critical aspect of donating. International
+human rights law provides a non-ambiguous responsibility to promote
+and protect the right to privacy.
+
+Both these rights---towards freedom of thought and to privacy---are
+anchored in key international treaties and covenants such as the
+Universal Declaration on Human Rights (Article 12), the European
+Convention for the Protection of Human Rights and Fundamental Freedoms
+(Article 8) and many more.
 
-GNU Taler is a {\em digital commons}, based on free software and advanced
-cryptography. This means that -- unlike proprietary products -- the software
-can be adjusted by all stakeholders to carry the properties it should have.
 
-\subsection{Donations in a human rights perspective}
+\subsection{Protection towards all sides}
 
-Donating is an important way for people to empower causes they believe in, and 
facilitate collective action. In many countries, there is explicit recognition 
of the public benefit of such generosity: a friendly tax treatment of 
donations. It makes sense: money you immediately give away to a recognized good 
cause is not income that will be converted by you into private consumption. So 
conceptually it deserves a different tax treatment.
+Privacy threats not only exist on the outside. Not many people are
+aware that while the causes they support may be worthwhile, not all
+philanthropies play as nice as one would expect them to towards
+donors. This happens in particular when such organizations employ
+third party (often commercial) agencies to help ``yield'' more
+donations on a commission basis or as ``fund raisers''.  Especially
+for-profit fund raising agencies tend to resort to questionable social
+engineering approaches. One common scenario is that after a first
+donation, such bad actors start to aggressively pressure a particular
+donor for more -- with personalized emails, letters, phone calls and
+even in person visits. This may happen beyond a single good cause:
+people that donate are known to be susceptible to a certain
+proposition, resulting in an avalanche of follow up demanding
+requests.
+
+In the era of data driven donations and corporate social media
+surveillance, this kind of behavior has unfortunately become so easy
+that there are not just pro bono but even paid services (source in the
+Netherlands:
+\href{https://www.donateursbelangen.nl/opzegservice}{Stichting
+  Donateursbelangen}) to de-register and exercise the ``right to be
+forgotten'' after donating.
 
-Donations have many causes, but quite often they are an obvious expression of 
the human right towards the freedom of thought, conscience and religion. 
Individual spending can be very intimate and personal, and even aggregate 
spending habits can reveal a great deal about people. This holds even more so 
for donating.
+Even without such excesses, there are many circumstances when people
+like to donate something to their preferred causes without revealing
+their identity.  Some people just prefer to stay anonymous because of
+personal beliefs or even religious requirements, or simply do not want
+to have publicity which might lead to a cascade of efforts from fund
+raisers.
 
-Protecting donation confidentiality is therefore important to protect those 
freedoms. We have to recognize that in some situations the mere fact hat 
someone has -- in private -- donated to some cause at some point in their life, 
can put them at risk in another context. The right to privacy is another 
critical aspect of donating. International human rights law provides a 
non-ambiguous responsibility to promote and protect the right to privacy.
+\subsection{Donation confidentiality}
 
-Both these rights---towards freedom of thought and to privacy---are anchored 
in key international treaties and covenants such as the Universal Declaration 
on Human Rights (Article 12), the European Convention for the Protection of 
Human Rights and Fundamental Freedoms (Article 8) and many more.
+Making a financial donation is a deeply personal choice to share part
+of one's wealth in order to benefit a cause one cares about. Some
+traditional ways of donating (for instance passing around baskets or
+even plates in a religious gathering) are vulnerable to group
+pressure, and door to door fundraising is also confrontational and
+puts people on the spot.
+
+When donations are devoid of such pressures and there is no need for,
+e.g., virtue signaling, donation confidentiality comes into
+play. Historically, people wanting to make an anonymous donation might
+have an envelope with cash or a box of goods delivered. Obviously,
+this was never compatible with providing tax benefits. Alternatively,
+they might arrange for an expensive intermediary like a notary
+(although that would not be fully anonymous, and depend on the
+discretion of the notary).
+
+Technically guaranteed donation confidentiality is certainly
+non-trivial to implement in the digital payment era. What you donate
+to and why may be strictly personal, but due to the nature of the
+banking system along the financial pipeline there is an uncomfortable
+number of actors handling sensitive data that allows for profiling and
+targeted discrimination on grounds. And there are even more that later
+on may have access to it. Digital payments are logged and made
+accessible to many different actors, and reporting donations to tax
+authorities adds yet (at least) one more actor to the pipeline.  It is
+the scope of this document to try and solve this issue and finally
+introduce donation confidentiality which adheres to ``privacy by
+design''.
 
-\subsection{Protection towards all sides}
 
-Privacy threats not only exist on the outside. Not many people are aware that
-while the causes they support may be worthwhile, not all philanthropies play as
-nice as one would expect them to towards donors. This happens in particular
-when such organizations employ third party (often commercial) agencies to help
-``yield'' more donations on a commission basis or as ``fund raisers''.
-Especially for-profit fund raising agencies tend to resort to questionable
-social engineering approaches. One common scenario is that after a first
-donation, such bad actors start to aggressively pressure a particular donor for
-more -- with personalized emails, letters, phone calls and even in person
-visits. This may happen beyond a single good cause: people that donate are
-known to be susceptible to a certain proposition, resulting in an avalanche of
-follow up demanding requests.
-
-In the era of data driven donations and corporate social media surveillance,
-this kind of behavior has unfortunately become so easy that there are not just
-pro bono but even paid services (source in the Netherlands:
-\href{https://www.donateursbelangen.nl/opzegservice}{Stichting
-Donateursbelangen}) to de-register and exercise the ``right to be forgotten''
-after donating.
+\subsection{Overview of the requirements analysis}
 
-Even without such excesses, there are many circumstances when people like to
-donate something to their preferred causes without revealing their identity.
-Some people just prefer to stay anonymous because of personal beliefs or even
-religious requirements, or simply do not want to have publicity which might
-lead to a cascade of efforts from fund raisers.
+There are two types of donations we will consider. The first is {\em
+  ad hoc} or {\em informal donations}, which are made from individual
+to individual as {\em one time gifts} typically in appreciation of the
+work being done by an individual or collective. The second category is
+{\em regulated donations} involving at least one {\em recognized}
+philanthropic organization or charity.  Both involve voluntary
+transferal of some financial assets for which no products or services
+are rendered in return.
+% NOTE[oec]: what types of donations are _not_ considered, and why?
 
-\subsection{Donation confidentiality}
+In the design requirements we will mostly cover donations to charities
+that offer a tax benefit as that triggers the most complex
+requirements.
 
-Making a financial donation is a deeply personal choice to share part of one's 
wealth in order to benefit a cause one cares about. Some traditional ways of 
donating (for instance passing around baskets or even plates in a religious 
gathering) are vulnerable to group pressure, and door to door fundraising is 
also confrontational and puts people on the spot.
+As part of their regular operations as well as their recognition as
+public benefit organizations, registered charities are already subject
+to a variety of audits as well as strict regulatory and fiscal
+scrutiny. Good causes that do not adhere to these rules are stripped
+from any fiscal benefits. At least donations to recognized public
+benefit organizations may therefore be confidential: donors should be
+able to freely choose whichever of the approved philanthropies they
+donate to, without disclosing which.
 
-When donations are devoid of such pressures and there is no need for, e.g., 
virtue signaling, donation confidentiality comes into play. Historically, 
people wanting to make an anonymous donation might have an envelope with cash 
or a box of goods delivered. Obviously, this was never compatible with 
providing tax benefits. Alternatively, they might arrange for an expensive 
intermediary like a notary (although that would not be fully anonymous, and 
depend on the discretion of the notary).
+In cases where donation confidentiality is not (yet) feasible, we will
+try and provide fallbacks that best serve the interest of donors, give
+them choice and respect their privacy as least as well as the current
+system in place.
 
-Technically guaranteed donation confidentiality is certainly non-trivial to
-implement in the digital payment era. What you donate to and why may be
-strictly personal, but due to the nature of the banking system along the
-financial pipeline there is an uncomfortable number of actors handling
-sensitive data that allows for profiling and targeted discrimination on
-grounds. And there are even more that later on may have access to it. Digital
-payments are logged and made accessible to many different actors, and reporting
-donations to tax authorities adds yet (at least) one more actor to the 
pipeline.
-It is the scope of this document to try and solve this issue and finally
-introduce donation confidentiality which adheres to ``privacy by design''.
 
 
-\subsection{Overview of the requirements analysis}
-There are two types of donations we will consider. The first is {\em ad hoc} or
-{\em informal donations}, which are made from individual to individual as {\em
-one time gifts} typically in appreciation of the work being done by an
-individual or collective. The second category is {\em regulated donations}
-involving at least one {\em recognized} philanthropic organization or charity.
-Both involve voluntary transferal of some financial assets for which no
-products or services are rendered in return.
-% NOTE[oec]: what types of donations are _not_ considered, and why?
+\subsection{Digital Cash}
+
+Digital cash~\cite{Chaum89} implemented by tokens issued using blind
+signatures~\cite{DemHeuz2022} provides a foundation for donations where
+the donor remains anonymous while the recipient is easily identified by
+the payment service provider. Payment systems based on digital
+cash are thus an adequate foundation for anonymous donations, as the
+donor is not inherently traceable via the underlying payment.
+
+This paper presents the design and implementation of a donation
+protocol producing digitally signed proofs of donation that are linked
+to the donor but unlinkable to the charity on top of the GNU
+Taler~\cite{Taler} payment system.  GNU Taler is a {\em digital
+  commons}, based on free software and advanced cryptography. This
+means that -- unlike proprietary products -- anyone can easily extend
+and customize the core system.
 
-In the design requirements we will mostly cover donations to charities that
-offer a tax benefit as that triggers the most complex requirements.
-
-As part of their regular operations as well as their recognition as public
-benefit organizations, registered charities are already subject to a variety of
-audits as well as strict regulatory and fiscal scrutiny. Good causes that do 
not adhere to these rules are stripped from any fiscal benefits. At least 
donations to recognized public benefit organizations may therefore be 
confidential: donors should be able to freely choose whichever of the approved 
philanthropies they donate to, without disclosing which.
-
-In cases where donation confidentiality is not (yet) feasible, we will try and 
provide fallbacks that best serve the interest of donors, give them choice and 
respect their privacy as least as well as the current system in place.
-
-\subsection{Overview of the technical solution and implementation}
-On the technical side, this report presents the Donau protocol~\cite{donau} 
-for making privacy-preserving donations.
-
-In the current way that donations are handled, the charities are in charge of
-issuing donation receipts to the donor and thus must know the donor's identity
-and address. The donor has to include the donation receipts in their tax
-declaration; this means the tax authority not only learns the amount that the
-tax payer donated to charitable organizations but also how much they gave to
-which.
-
-The Donau protocol makes it possible for the donor to give an unforgeable proof
-of the combined amount they donated to registered charities, without the
-charities or the tax authorities learning who donated to whom. The privacy
-features obviously require that there is more than one charity and more than
-one donor. The Donau protocol is oblivious to how the donation payment
-happens. If the donor chooses to donate by credit card or bank transfer then
-their identity becomes known to the charity through the payment.
+As may be obvious from the underlying acronym "Taxable Anonymous Libre
+Electronic Resources", GNU Taler bridges two seemingly opposite
+requirements: providing privacy to citizens with regards to how they
+spend their money in the digital realm, while at the same time
+creating a system for organizations which handle financial
+transactions that is transparent and auditable.  These high-level
+objectives philosophically match nicely with our objective of
+achieving privacy-preserving donations with tax-deductability.
+
+
+\subsection{Approach}
+
+Today, charities issuing donation receipts which generally bear the
+name of the charity.  The donor often has to include the donation
+receipts in their tax declaration; this means the tax authority not
+only learns the amount that the tax payer donated to charitable
+organizations but also how much they gave to which.
+
+Our {\em Donau} protocol makes it possible for the donor to give an
+unforgeable proof of the combined amount they donated to registered
+charities, without the charities or the tax authorities learning who
+donated to whom. The privacy features obviously require that there is
+more than one charity and more than one donor. The Donau protocol
+itself is actually oblivious to how the payment underlying the
+donation happens. If the donor chooses to donate by credit card or
+bank transfer, then their identity may becomes known to the charity
+through the payment process.
 %
-However, a relevant feature of the protocol is that the charity does not need
-to learn the identity of the donor. Hence, payments can be made with GNU Taler
-keeping full anonymity of the donor.
+However, a relevant feature of the protocol is that the charity does
+not need to learn the identity of the donor. Hence, payments can be
+made with GNU Taler, and in this case the Donau protocol will preserve
+the privacy properties of the GNU Taler payment system.
 
 The design requires the creation of a Donation Authority (Donau), an
 additional service separate from the charities and the payment system.
 The Donau is responsible for recognizing charitable organizations and
 tracking the total amount of donation receipts each charity is issuing
 for the charitable contributions the charity is receiving.  It is
-typically be expected that the tax authority would operate it.  We
-note that the Donau does not receive sensitive private information
-about donors: privacy is achieved using cryptography to unlink proofs
-of donations from the actual donation process.
+typically be expected that each competent tax authority would operate
+a Donau for the taxpayers in its domain.  We note that the Donau does
+not receive sensitive private information about donors: privacy is
+achieved using cryptography to unlink proofs of donations from the
+actual donation process.
+
 
+\subsection{Structure of the paper}
 
-\subsection{Structure of this report}
-The next section reflects on the requirements that donations need to satisfy.
-There are many aspects to donations and for the technical design and
+Section~\ref{requirements} provides some deeper analysis on the
+various requirements that donation systems may need to satisfy.  There
+are many aspects to donations and for the technical design and
 implementation we chose to focus on a design that provides privacy for
-donations.
-Section~\ref{technical} shows the technical details of the design including
-the cryptographic building blocks used in the system. The following section 
reports
-on the implementation. Finally we consider various extensions of the
-presented approach that could be added to satisfy requirements currently
-not met by the core design. Many of these extensions are simply a matter
-of proper integration and user interface design, while a few presume the
-existence of a widely available digital identity system providing a single
+donations.  Section~\ref{technical} provides technical details on the
+core design of the Donau protocol, while ignoring some of the more
+complex use-cases from Section~\ref{requirements}.  Finally,
+Section~\ref{discussion} explains extensions of the core design that
+could be used to address all of the main use-cases.  Many of these
+extensions are simply a matter of proper integration and user
+interface design, while a few presume the existence of a widely
+available digital identity system~\cite{FIXME} providing a single
 unlinkable pseudonym for each citizen per charity.
-
-\subsection{What this document is not}
-
-This document is not in any way an overview of current legal requirements 
across
-the world on how taxation on donations work.  Taxation is predictably unpopular
-despite its clear essential function in how modern societies work, and
-therefore a very political topic that is subject to frequent change. Whether it
-is taxation on labor and profits, on property, on inheritance, on income from
-investment or gambling, or on consumption of products or services -- there is
-no global universally agreed standard on whether these should be taxed and how
-that is to be done. Ad hoc regulation as part of political shifts makes
-taxation very context-specific and temporal. We are unaware of any attempt at
-creating such an overview as a public resource, and the cost of creating and
-subsequently maintaining such an effort would be prohibitive.
-
-Instead the focus of this document is on providing an overview of generic 
requirements that could be made to a donation flow in order to comply with 
regulation.
-
-One should note that, in many jurisdictions, recipients of donations do not 
necessarily have the same protections. Donations should be given without return 
consideration, but of course there are many financial transactions (such as 
gifts or donations from business or lobby groups to political parties) that are 
not as clean in this respect.
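Review bot: `\cite{FIXME}` in the rewritten "Structure of the paper" paragraph is an unresolved placeholder that will produce a missing-reference warning and a `[?]` in the typeset text; add the intended entry to the bibliography (or drop the citation) before the paper is built for submission. Several smaller issues in the same hunk: `Today, charities issuing donation receipts which generally bear the` in the Approach subsection has no main verb and should read `Today, charities issue donation receipts which generally bear ...`; `their identity may becomes known to the charity` should be `may become known`; `tax-deductability` should be `tax-deductibility`; the replacement line `typically be expected that each competent tax authority would operate` keeps the `It is ... be expected` error from the removed line and should read `It is typically expected that ...`; and the acronym expansion in the Digital Cash subsection is set in ASCII double quotes (`"Taxable Anonymous Libre Electronic Resources"`) whereas the rest of the file uses the LaTeX ``...'' quoting seen around ``privacy by design''. Finally, `targeted discrimination on grounds.` was carried over verbatim from the old text and is still missing its object (on what grounds?).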
diff --git a/doc/usenix-security-2025/paper/requirements.tex 
b/doc/usenix-security-2025/paper/requirements.tex
index ca57d13..9ce7a9c 100644
--- a/doc/usenix-security-2025/paper/requirements.tex
+++ b/doc/usenix-security-2025/paper/requirements.tex
@@ -1,67 +1,111 @@
 \section{Requirements Analysis}\label{requirements}
 
-The starting point of this document is to create an initial overview of 
requirements to provide donors with donation privacy and tax authorities with 
adequate proof that a donation was indeed clean and made according to the rules 
for donations in their region of operation.
+This section provides an initial overview of requirements to provide
+donors with donation privacy and tax authorities with adequate proof
+that a donation was indeed clean and made according to the rules for
+donations in their region of operation.
+
+Tax authorities are creative, and taxation is an ever evolving area of
+complexity. We will therefore not claim to provide the definitive
+overview, but to provide a good start for bootstrapping a donation
+ecosystem in the full knowledge that this will need to be updated.
+
+In particular, this section should not be misunderstood as an overview
+of current {\em legal requirements} across the world on how taxation
+on donations work.  Taxation is predictably unpopular despite its
+clear essential function in how modern societies work, and therefore a
+very political topic that is subject to frequent change. Whether it is
+taxation on labor and profits, on property, on inheritance, on income
+from investment or gambling, or on consumption of products or services
+--- there is no global universally agreed standard on whether these
+should be taxed and how that is to be done. Ad hoc regulation as part
+of political shifts makes taxation very context-specific and
+temporal. We are unaware of any attempt at creating such an overview
+as a public resource, and the cost of creating and subsequently
+maintaining such an effort would likely be prohibitive.
+
+Instead the focus of this section is only on providing an overview of
+generic requirements that {\em could} be made to a donation flow in
+order to comply with regulation.
+
+One should note that, in many jurisdictions, recipients of donations
+do not necessarily have the same protections. Donations should be
+given without return consideration, but of course there are many
+financial transactions (such as gifts or donations from business or
+lobby groups to political parties) that are not as clean in this
+respect.
 
-Tax authorities are creative, and taxation is an ever evolving area of 
complexity. We will therefore not claim to provide the definitive overview, but 
to provide a good start for bootstrapping a donation ecosystem in the full 
knowledge that this will need to be updated.
 
 \subsection{Assumptions}
 
 The basic assumptions when defining requirements for a donation flow are as 
follows:
 
 \begin{itemize}
-\item A donor donates from their {\em own assets}, and is willing to go on 
record (by means of a self-declaration) as acting on their own accord. 
Violation of this principle would then constitute fraud at their end.
-\item A tax authority wants to assert that a donation comes from the legitimate
-donor, and is not made by some third party on their behalf.
-\item There is no inverse relationship between the donor and donee, where the 
donor stands to receive money back from the donee in some concrete (in)direct 
way as result of the donation.
-\item Donors are willing and able to provide privacy-preserving attestation of
-some unique and non-falsifiable personal or organizational property (such as a
-tax identification number) {\em at the time of donation} in order to be able to
-add up multiple donations within a single tax reporting period and validate
-that these do not extend beyond a threshold set by the tax authority or other 
regulators
+\item A donor donates from their {\em own assets}, and is willing to
+  go on record (by means of a self-declaration) as acting on their own
+  accord. Violation of this principle would then constitute fraud at
+  their end.
+\item A tax authority wants to assert that a donation comes from the
+  legitimate donor, and is not made by some third party on their
+  behalf.
+\item There is no inverse relationship between the donor and donee,
+  where the donor stands to receive money back from the donee in some
+  concrete (in)direct way as result of the donation.
+\item Donors are willing and able to provide privacy-preserving
+  attestation of some unique and non-falsifiable personal or
+  organizational property (such as a tax identification number) {\em
+    at the time of donation} in order to be able to add up multiple
+  donations within a single tax reporting period and validate that
+  these do not extend beyond a threshold set by the tax authority or
+  other regulators
 \item The philanthropies or charities are subject to {\em regulatory
-oversight}, {\em proper governance} and {\em regular audits}, so that money
-laundering is not relevant
-\item It is acceptable for some third party to be involved, but only based on
-  Free/Libre Open Source software (FLOSS) and on a zero knowledge basis
+  oversight}, {\em proper governance} and {\em regular audits}, so
+  that money laundering is not relevant
+\item It is acceptable for some third party to be involved, but only
+  based on Free/Libre Open Source software (FLOSS) and on a zero
+  knowledge basis
 %- philanthropies are able to provide valid digital signatures
-\item All parties involved own and can operate digital devices so that they can
-store digital identifiers, cryptographic keys, and donation receipts or
-records
-\item Donors are expected to have a device that can hold a wallet for 
permanent 
-storage of donation receipts.
+\item All parties involved own and can operate digital devices so that
+  they can store digital identifiers, cryptographic keys, and donation
+  receipts or records
+\item Donors are expected to have a device that can hold a wallet for
+  permanent storage of donation receipts.
 \item Charities and tax authorities are willing and able to run basic
-infrastructure.
+  infrastructure.
 \end{itemize}
 
-\subsection{Design goals} \label{sec:designgoals}
+\subsection{Central Design Goals} \label{sec:designgoals}
 
-The following design goals hold:
+The central design goals for the Donau protocol are the following:
 
 \begin{itemize}
-\item Accommodate a donor's wish to remain fully anonymous, also towards the
-organization(s) donated to.
-\item The donor should be able to claim the tax benefits they are entitled to
-without having to disclose any of the organization(s) donated to to the tax
-authority.
-\item The donor may accumulate any number of smaller or larger donations
-towards different eligible organizations (ideally even cross-border, in the
-presence of suitable fiscal arrangements such as within the European Union).
-\item Since donations are cumulative and often spontaneous, a donor should not
-have to decide upfront whether they will request tax benefits for their
-donations later on. Hence, all donations to suitable registered charities
-should result in a form of donation receipt.
+\item Accommodate a donor's wish to remain fully anonymous, also
+  towards the organization(s) donated to.
+\item The donor should be able to claim the tax benefits they are
+  entitled to without having to disclose any of the organization(s)
+  donated to to the tax authority.
+\item The donor may accumulate any number of smaller or larger
+  donations towards different eligible organizations (ideally even
+  cross-border, in the presence of suitable fiscal arrangements such
+  as within the European Union).
+\item Since donations are cumulative and often spontaneous, a donor
+  should not have to decide upfront whether they will request tax
+  benefits for their donations later on. Hence, all donations to
+  suitable registered charities should result in a form of donation
+  receipt.
 \item At the same time, the wallet of a donor should offer plausible 
deniability
 of any specific donations.
 \end{itemize}
 
 \subsection{Optional Features} \label{sec:optionalfeatures}
 
-The following list of optional features of a donation system would allow for a
-maximum fit with as many fiscal regimes as possible for both informal and
-regulated donations, while at the same time serving the interest of the donors
-in question in the best possible manner. Specific realizations may weigh these
-differently based on local regulations and capabilities, but most need to be be
-provided in some form.
+The following list of optional features of a donation system would
+allow for a maximum fit with as many fiscal regimes as possible for
+both informal and regulated donations, while at the same time serving
+the interest of the donors in question in the best possible
+manner. Specific realizations may weigh these differently based on
+local regulations and capabilities, but most need to be be provided in
+some form.
 
 \begin{itemize}
 \item Provide fiscal statement
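Review bot: `local regulations and capabilities, but most need to be be provided in` at the end of the Optional Features introduction keeps the doubled `be` from the removed line; it should read `need to be provided`. Two consistency points in the same hunk: the rewrapped Assumptions list mixes items that end with a full stop (`... fraud at their end.`, `... on their behalf.`, `... storage of donation receipts.`) with items that end without one (`... or other regulators`, `... money laundering is not relevant`, `... zero knowledge basis`, `... receipts or records`), so one convention should be applied to all of them; and the new paragraph on legal requirements uses a spaced em-dash (`services` / `--- there is no global universally agreed standard`) while the rest of requirements.tex uses `--` for dashes (`a reasonable period afterwards -- in both`, `with something else'') -- either`). Optionally, `disclose any of the organization(s) donated to to the tax authority` is grammatical but reads like a typo; a comma after `donated to` would help.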
@@ -77,7 +121,7 @@ provided in some form.
 \item Codes of conduct
 \item Restricted access mechanism
 \item Donation matching with a reference
-\item Anonymous donation matching by employer 
+\item Anonymous donation matching by employer
 \end{itemize}
 
 \noindent
@@ -85,373 +129,456 @@ We will elaborate on each of these features below.
 
 \subsubsection{Feature: Provide fiscal statement}
 
-The ability to provide a fiscal statement from the receiving charity linked to 
the donation is the starting point for most regulated donations, in order to 
comply to current practices.
-For example, with a time-stamped and printable fiscal statement of the amount, 
digitally
-signed by the charity, a donor can prove their donations in person to a tax 
authority.
-
-It should be possible to obtain this statement at the time of donation, and
-ideally within a reasonable period afterwards -- in both cases without having 
to expose any additional information to anyone (such as an IP address which is 
typically visible when downloading a document via the web).
-
-There might be a need to include personal data/attributes in the attestation 
(e.g. a name, password ID, etc). There is no need for the charity itself to 
have any knowledge about such information, so it may be included encrypted with 
a key accessible exclusively to the donor/the tax authority/an auditor or other 
suitable independent third party.
-
-The information should be configurable, and it should be clear which 
information is somehow independently validated.
+The ability to provide a fiscal statement from the receiving charity
+linked to the donation is the starting point for most regulated
+donations, in order to comply to current practices.  For example, with
+a time-stamped and printable fiscal statement of the amount, digitally
+signed by the charity, a donor can prove their donations in person to
+a tax authority.
+
+It should be possible to obtain this statement at the time of
+donation, and ideally within a reasonable period afterwards -- in both
+cases without having to expose any additional information to anyone
+(such as an IP address which is typically visible when downloading a
+document via the web).
+
+There might be a need to include personal data/attributes in the
+attestation (e.g. a name, password ID, etc). There is no need for the
+charity itself to have any knowledge about such information, so it may
+be included encrypted with a key accessible exclusively to the
+donor/the tax authority/an auditor or other suitable independent third
+party.
+
+The information should be configurable, and it should be clear which
+information is somehow independently validated.
 
 \subsubsection{Feature: Proof of registration}
 
-In some countries (e.g. Belgium) donors are required to register themselves
-with the tax authority before making a donation. While we believe that to be an
-anti-feature, it should be possible to include a checksummed code provided by
-the tax authority or a charity that makes sure that only registered donors can 
donate.
+In some countries (e.g. Belgium) donors are required to register
+themselves with the tax authority before making a donation. While we
+believe that to be an anti-feature, it should be possible to include a
+checksummed code provided by the tax authority or a charity that makes
+sure that only registered donors can donate.
 
 \subsubsection{Feature: Configurable pledge}
 
-It may be necessary for the donor to testify (prior to the donation) that they
-comply with some legislative or regulatory requirement, or agree with a policy
-set by the charity in question.
-       
-As a generic requirement, this translates to a configurable pledge by the donor
-(e.g. ``I am not an employee or grantee of the organization I am donating to,
-and am acting on my own accord. I stand to make no direct financial gains from
-making this donation'').
+It may be necessary for the donor to testify (prior to the donation)
+that they comply with some legislative or regulatory requirement, or
+agree with a policy set by the charity in question.
+
+As a generic requirement, this translates to a configurable pledge by
+the donor (e.g. ``I am not an employee or grantee of the organization
+I am donating to, and am acting on my own accord. I stand to make no
+direct financial gains from making this donation'').
 
-The potential for abuse of donations to regulated charities is very limited.
-Such a self-testimony will allow the default to be to treat donations in a
-``good faith'' manner rather than with a top-heavy and restrictive
-one-size-fits-all method.
+The potential for abuse of donations to regulated charities is very
+limited.  Such a self-testimony will allow the default to be to treat
+donations in a ``good faith'' manner rather than with a top-heavy and
+restrictive one-size-fits-all method.
 
 \subsubsection{Feature: Cumulative donation counter from same donor to same
 cause}
 
-One way to bypass restrictions in terms of allowed donation sizes before
-possible ``Know Your Donor'' requirements kick in, is to split up donations. If
-limits per donor are in place it becomes necessary to be able to assert that
-cumulative donations from a donor stay below a set threshold, where the
-threshold might have a temporal aspect (per year, per quarter, per two years).
+One way to bypass restrictions in terms of allowed donation sizes
+before possible ``Know Your Donor'' requirements kick in, is to split
+up donations. If limits per donor are in place it becomes necessary to
+be able to assert that cumulative donations from a donor stay below a
+set threshold, where the threshold might have a temporal aspect (per
+year, per quarter, per two years).
 
 \subsubsection{Feature: Notarized affidavit}
 
-More generically---for instance when there is a minimum age for donations to 
certain class of causes---a privacy-preserving solution might be to have a 
notarized affidavit independently asserting the requirements have been met to 
be included in the metadata of the payment.
+More generically---for instance when there is a minimum age for
+donations to certain class of causes---a privacy-preserving solution
+might be to have a notarized affidavit independently asserting the
+requirements have been met to be included in the metadata of the
+payment.
 
 Such a privacy-preserving affidavit would not be traceable back to any
-underlying private information of the donor or to the charity in question.
-It might contain a counter or append-only record, and a date stamp with an
-accuracy no more precise than a calendar week (to avoid correlation attacks).
-
-It is better for this affidavit not to be provided by individual charities but
-by trusted third parties otherwise ignorant of the transactions in questions:
-it involves an isolated task which can easily be outsourced to an independent
-service. That independent service only needs to perform this singular task
-based on having access to the proof/attribute(s) in question and does not need
-to have any further knowledge of any of the actors. The latter assumes that any
-unique identifier in the affidavit is uniquely linked to the donor so that they
-cannot circumvent limits by going via different third parties.
-
-As long as the affidavit is non-falsifiable and irrevocable, it should suffice 
to assert uniqueness and allow to prove that the required conditions were met.
+underlying private information of the donor or to the charity in
+question.  It might contain a counter or append-only record, and a
+date stamp with an accuracy no more precise than a calendar week (to
+avoid correlation attacks).
+
+It is better for this affidavit not to be provided by individual
+charities but by trusted third parties otherwise ignorant of the
+transactions in questions: it involves an isolated task which can
+easily be outsourced to an independent service. That independent
+service only needs to perform this singular task based on having
+access to the proof/attribute(s) in question and does not need to have
+any further knowledge of any of the actors. The latter assumes that
+any unique identifier in the affidavit is uniquely linked to the donor
+so that they cannot circumvent limits by going via different third
+parties.
+
+As long as the affidavit is non-falsifiable and irrevocable, it should
+suffice to assert uniqueness and allow to prove that the required
+conditions were met.
 
 \subsubsection{Feature: Unique ID for donor advised decisions}
 
-Also from the side of a donor, there might be a need for having a unique ID for
-voting. In the same vein as Donor Advised Funds, a crowd-sourced version could
-be Donor Advised Choices where donors can vote on specific options (``Shall we
-prioritize stretch goal A or B'', or ``We see a new opportunity, is it okay to
-replace some stated work with something else'') -- either on a weighted variant
-(larger donation gives more weight) or on a one person, one vote (all unique
+Also from the side of a donor, there might be a need for having a
+unique ID for voting. In the same vein as Donor Advised Funds, a
+crowd-sourced version could be Donor Advised Choices where donors can
+vote on specific options (``Shall we prioritize stretch goal A or B'',
+or ``We see a new opportunity, is it okay to replace some stated work
+with something else'') -- either on a weighted variant (larger
+donation gives more weight) or on a one person, one vote (all unique
 donors get the same one vote each).
 
-Alternatively, a preference vote encoded inside the payment (based on e.g. 
Condorcet voting) could provide a one-time donor advised voting mechanism.
+Alternatively, a preference vote encoded inside the payment (based on
+e.g. Condorcet voting) could provide a one-time donor advised voting
+mechanism.
 
 \subsubsection{Feature: Compound weighted donation}
 
-The general idea is that donors can make a single donation, but this consists 
of multiple payments to multiple recipients. This is particularly relevant for 
informal donations to the developers of free and open source projects that do 
not make use of a fiscal host. In such a situation, the donations may be 
divided across the individual developers with a certain weight. Each of the 
recipients receives a direct donation from the donor, which typically will be 
far below the threshold for taxation.
+The general idea is that donors can make a single donation, but this
+consists of multiple payments to multiple recipients. This is
+particularly relevant for informal donations to the developers of free
+and open source projects that do not make use of a fiscal host. In
+such a situation, the donations may be divided across the individual
+developers with a certain weight. Each of the recipients receives a
+direct donation from the donor, which typically will be far below the
+threshold for taxation.
 
-There can be a suggested/default weight, but the donor should be able to tweak 
the relative weights and/or block specific recipients.
+There can be a suggested/default weight, but the donor should be able
+to tweak the relative weights and/or block specific recipients.
 
 \subsubsection{Feature: Cost transparency}
 
-It should be transparent to the donor what percentage of their donation
-is actually used for the effort for which funds are being raised. In particular
-it should be possible for the {\em cost for fundraising} to be made explicit,
-especially if this involves third parties. It should be possible to choose to
-donate without paying for fundraising.
+It should be transparent to the donor what percentage of their
+donation is actually used for the effort for which funds are being
+raised. In particular it should be possible for the {\em cost for
+  fundraising} to be made explicit, especially if this involves third
+parties. It should be possible to choose to donate without paying for
+fundraising.
 
-(This might use the features from compound weighted donation)
+(This might use the features from compound weighted donation.)
 
 \subsubsection{Feature:  Staged donation}
 
-This is a feature that works along the lines of so-called smart contracts. As
-goals are incrementally met by the project, donated funds are released. If the
-goals are not met according to the preset stages, the part of the money that is
-concerned with work that is not delivered is not paid and may ultimately be
-restored to its rightful owner, the donor.
+This is a feature that works along the lines of so-called smart
+contracts. As goals are incrementally met by the project, donated
+funds are released. If the goals are not met according to the preset
+stages, the part of the money that is concerned with work that is not
+delivered is not paid and may ultimately be restored to its rightful
+owner, the donor.
 
 \subsubsection{Feature: Bandwidth donations}
 
-When people are pooling together resources to make some goal possible, in order
-to stimulate the broadest possible donations, the amount donated can be made
-flexible (within a certain {\em donation bandwidth}). Instead of stretching
-goals (which donors might not agree with) and promoting freeloading, the size
-of individual donations could shrink as well. This would stimulate to share the
+When people are pooling together resources to make some goal possible,
+in order to stimulate the broadest possible donations, the amount
+donated can be made flexible (within a certain {\em donation
+  bandwidth}). Instead of stretching goals (which donors might not
+agree with) and promoting freeloading, the size of individual
+donations could shrink as well. This would stimulate to share the
 collective load.
 
 \subsubsection{Feature: Code of conduct}
 
-Donors transfer part of their (sometimes scarce) earthly possessions to 
support the good work of a cause they believe in, and it is only logical that 
this altruism comes with certain expectations in terms of how the organization 
receiving that money will subsequently spend it.
-
-A {\em Code of Conduct} is the equivalent of the product warranty, where
-charities declare themselves accountable and promise to uphold certain best
-practices and adhere to public scrutiny -- and are subsequently held to their
-promise by stakeholder organizations like Donateursbelangen.
-
-An example of such a Code of Conduct public benefit organizations can subscribe
-to is the \href{https://www.donateursbelangen.nl/de-donateursbelofte}{Donor 
Pledge}
-(``Donateursbelofte'' in Dutch). It should be possible for a charity to adhere
-to multiple such Code of Conducts and offer them as part of their donation
-portal.
-
-Similarly, there are certification schemes for charities qualifying as public
-benefit organizations. These offer a reverse link from the certifying
-organization to the charity. It should be possible to include the certification
-conditions and this reverse link alongside the payment.
+Donors transfer part of their (sometimes scarce) earthly possessions
+to support the good work of a cause they believe in, and it is only
+logical that this altruism comes with certain expectations in terms of
+how the organization receiving that money will subsequently spend it.
+
+A {\em Code of Conduct} is the equivalent of the product warranty,
+where charities declare themselves accountable and promise to uphold
+certain best practices and adhere to public scrutiny -- and are
+subsequently held to their promise by stakeholder organizations like
+Donateursbelangen.
+
+An example of such a Code of Conduct public benefit organizations can
+subscribe to is the
+\href{https://www.donateursbelangen.nl/de-donateursbelofte}{Donor
+  Pledge} (``Donateursbelofte'' in Dutch). It should be possible for a
+charity to adhere to multiple such Code of Conducts and offer them as
+part of their donation portal.
+
+Similarly, there are certification schemes for charities qualifying as
+public benefit organizations. These offer a reverse link from the
+certifying organization to the charity. It should be possible to
+include the certification conditions and this reverse link alongside
+the payment.
 
 \subsubsection{Feature: Restricted access mechanism}
 
-In order to engage donors with the work being done, philanthropies might want
-to give ``behind the scenes'' access to ongoing work to their donors. In order
-for that to happen, it should be possible to provide (limited) access to
-restricted materials for donors only. On a technical level, this could be
-handing out {\em One Time Passwords} or other forms of proof of donation that
-will allow donors to get access to restricted areas.
+In order to engage donors with the work being done, philanthropies
+might want to give ``behind the scenes'' access to ongoing work to
+their donors. In order for that to happen, it should be possible to
+provide (limited) access to restricted materials for donors only. On a
+technical level, this could be handing out {\em One Time Passwords} or
+other forms of proof of donation that will allow donors to get access
+to restricted areas.
 
 \subsubsection{Feature: Unlock thank you artwork}
 
-Making a donation is not just a clinical financial transaction where money is 
transferred from A to B, but something that also has emotional weight: the 
donor has taken a step they may have pondered about for a long time. 
Celebrating this altruistic win is part of the donation experience. ``Thank 
you'' artwork consists of images, video and/or audio used to enliven the 
financial transaction.
+Making a donation is not just a clinical financial transaction where
+money is transferred from A to B, but something that also has
+emotional weight: the donor has taken a step they may have pondered
+about for a long time. Celebrating this altruistic win is part of the
+donation experience. ``Thank you'' artwork consists of images, video
+and/or audio used to enliven the financial transaction.
 
-In some cases artists or other creatives might donate a work to the charity in
-question for this purpose, in other cases a charity might use photos of their
-day to day work or other personal tokens.
+In some cases artists or other creatives might donate a work to the
+charity in question for this purpose, in other cases a charity might
+use photos of their day to day work or other personal tokens.
 
-For transferring physical objects, the donor would need to be identifiable as
-such. At the same time, it should be possible for a donor to decline receiving
-such gifts and retain their anonymity, to the extent that this does not
-conflict with other regulations.
+For transferring physical objects, the donor would need to be
+identifiable as such. At the same time, it should be possible for a
+donor to decline receiving such gifts and retain their anonymity, to
+the extent that this does not conflict with other regulations.
 
 \subsubsection{Feature: Donation matching with a reference}
 
-In some cases, a benefactor will want to incentivize others contemplating a
-donation to a specific good cause to go ahead. That is not necessarily
-something that needs privacy: some people and organizations use donations to
-publicly profile themselves. A common mechanism to incentivize others is to
-promise to match their donations to the organization in question, which is
-frequently done by announcing a period in which other people's donations will 
be
-``matched'' (as in: donor A promises to donate as much as all other donations 
in that
-time period combined).
+In some cases, a benefactor will want to incentivize others
+contemplating a donation to a specific good cause to go ahead. That is
+not necessarily something that needs privacy: some people and
+organizations use donations to publicly profile themselves. A common
+mechanism to incentivize others is to promise to match their donations
+to the organization in question, which is frequently done by
+announcing a period in which other people's donations will be
+``matched'' (as in: donor A promises to donate as much as all other
+donations in that time period combined).
 
 However, this is obviously a very crude mechanism, only suitable for
-benefactors with very deep pockets. It also does not give much opportunity for
-the benefactor to explain why they do this (and, let us be realistic, get some 
PR out of it as well).
+benefactors with very deep pockets. It also does not give much
+opportunity for the benefactor to explain why they do this (and, let
+us be realistic, get some PR out of it as well).
 
-By allowing the donor to include a reference to e.g. a social media post or
-blog post announcing the matching and requesting other donors to include that
-reference when making their donations, the donor providing the matching can
-`see' that they are being heard/are getting PR mileage out of their donation.
+By allowing the donor to include a reference to e.g. a social media
+post or blog post announcing the matching and requesting other donors
+to include that reference when making their donations, the donor
+providing the matching can `see' that they are being heard/are getting
+PR mileage out of their donation.
 
 \subsubsection{Feature: Anonymous donation matching by employer }
 
-Quite a few large employers do donation matching as part of their corporate
-responsibility or human resource management (HRM) efforts. This is typically
-not tied to a single cause.  Many larger employers sponsor such matching gift
-programs, either by themselves (such as the U.S. Office of Personnel
-Management's \href{https://givecfc.org}{Give CFC}) or via (currently expensive)
-third party organizations such as Benevity, Submittable, WeSpire, Goodera, etc.
-
-In many cases, this practice is rather privacy-invasive. If you donate to,
-e.g., a reproductive rights organization, an NGO promoting climate justice, or 
a
-digital rights organization, an employer might want to find out from whom that
-donation originated. This makes it attractive for the donor to have a
-chance to stay anonymous while nevertheless ensuring that their donation is
-matched as one done by an employee of the company.
-This would require a mechanism where charities could prove to an employer that
-some eligible person (typically an employee or retiree) has donated money which
-needs to be matched -- obviously, without disclosing anything else.
+Quite a few large employers do donation matching as part of their
+corporate responsibility or human resource management (HRM)
+efforts. This is typically not tied to a single cause.  Many larger
+employers sponsor such matching gift programs, either by themselves
+(such as the U.S. Office of Personnel Management's
+\href{https://givecfc.org}{Give CFC}) or via (currently expensive)
+third party organizations such as Benevity, Submittable, WeSpire,
+Goodera, etc.
+
+In many cases, this practice is rather privacy-invasive. If you donate
+to, e.g., a reproductive rights organization, an NGO promoting climate
+justice, or a digital rights organization, an employer might want to
+find out from whom that donation originated. This makes it attractive
+for the donor to have a chance to stay anonymous while nevertheless
+ensuring that their donation is matched as one done by an employee of
+the company.  This would require a mechanism where charities could
+prove to an employer that some eligible person (typically an employee
+or retiree) has donated money which needs to be matched -- obviously,
+without disclosing anything else.
 
 
 \subsection{General background information}
 
 This section contains general background information pertaining donations.
 
+% FIXME: make this less EU-specific for USENIX???
+
 \subsubsection{General Regulatory Framework}
 
-European Union (EU) member states regulate donations through a blend of EU-wide
-directives and country-specific laws. While there is no uniform regulation that
-applies to all donations in Europe, certain EU directives and principles affect
-donation practices, particularly those related to transparency, anti-money
-laundering (AML), tax compliance, and donor data protection.
+European Union (EU) member states regulate donations through a blend
+of EU-wide directives and country-specific laws. While there is no
+uniform regulation that applies to all donations in Europe, certain EU
+directives and principles affect donation practices, particularly
+those related to transparency, anti-money laundering (AML), tax
+compliance, and donor data protection.
 
 \subsubsection{Transparency and Accountability}
 
-Transparency in charitable donations is crucial to maintain public trust and 
deter financial misuse. European countries typically require organizations that 
receive donations to adhere to transparency measures, including:
+Transparency in charitable donations is crucial to maintain public
+trust and deter financial misuse. European countries typically require
+organizations that receive donations to adhere to transparency
+measures, including:
 
 \begin{itemize}
-\item {\bf Public Financial Reporting:} Most European countries mandate that
-charities, nonprofits, and similar organizations publish annual financial
-reports. These reports generally include detailed breakdowns of income sources,
-donation amounts, and expenditures.
-\item {\bf Disclosures for Large Donations:} In some countries, large donations
-must be reported to regulatory authorities. This threshold and the specific
-requirements vary by country. For example, Germany requires registration for
-organizations receiving public donations, while the UK mandates certain
-reporting for donations above a particular threshold.
-\item {\bf Third-Party Audit Requirements:} To verify the financial integrity
-of charitable organizations, many countries mandate independent audits for
-organizations surpassing specific revenue thresholds.
+\item {\bf Public Financial Reporting:} Most European countries
+  mandate that charities, nonprofits, and similar organizations
+  publish annual financial reports. These reports generally include
+  detailed breakdowns of income sources, donation amounts, and
+  expenditures.
+\item {\bf Disclosures for Large Donations:} In some countries, large
+  donations must be reported to regulatory authorities. This threshold
+  and the specific requirements vary by country. For example, Germany
+  requires registration for organizations receiving public donations,
+  while the UK mandates certain reporting for donations above a
+  particular threshold.
+\item {\bf Third-Party Audit Requirements:} To verify the financial
+  integrity of charitable organizations, many countries mandate
+  independent audits for organizations surpassing specific revenue
+  thresholds.
 \end{itemize}
 
 \subsubsection{Anti-Money Laundering (AML) and Counter-Terrorism Financing 
(CTF)}
-Given the potential for abuse of charitable donations for money laundering and
-financing illegal activities, EU-wide Anti-Money Laundering Directives (such as
-the AMLD5) require organizations to implement stringent controls.
+
+Given the potential for abuse of charitable donations for money
+laundering and financing illegal activities, EU-wide Anti-Money
+Laundering Directives (such as the AMLD5) require organizations to
+implement stringent controls.
 
 \begin{itemize}
-\item {\bf Know Your Donor (KYD):} Similar to the Know Your Customer (KYC)
-practices in the financial sector, some countries require organizations to
-verify the identity of donors making significant contributions. This
-requirement is typically tied to AML laws.
-\item {\bf Transaction Monitoring and Reporting:} Charitable organizations must
-monitor donation transactions and report any suspicious activities to relevant
-national authorities.
-\item {\bf Registration with Financial Intelligence Units (FIUs):} Nonprofits
-are encouraged, and sometimes required, to register with FIUs in certain EU
-countries to facilitate AML compliance.
+\item {\bf Know Your Donor (KYD):} Similar to the Know Your Customer
+  (KYC) practices in the financial sector, some countries require
+  organizations to verify the identity of donors making significant
+  contributions. This requirement is typically tied to AML laws.
+\item {\bf Transaction Monitoring and Reporting:} Charitable
+  organizations must monitor donation transactions and report any
+  suspicious activities to relevant national authorities.
+\item {\bf Registration with Financial Intelligence Units (FIUs):}
+  Nonprofits are encouraged, and sometimes required, to register with
+  FIUs in certain EU countries to facilitate AML compliance.
 \end{itemize}
 
 \subsubsection{Taxation and Deductibility}
 
-The tax treatment of donations varies across Europe, but many countries provide
-tax incentives to encourage charitable giving. Donations to qualifying
-nonprofit organizations are often tax-deductible, either partially or fully,
-depending on local laws.
+The tax treatment of donations varies across Europe, but many
+countries provide tax incentives to encourage charitable
+giving. Donations to qualifying nonprofit organizations are often
+tax-deductible, either partially or fully, depending on local laws.
 
 \begin{itemize}
-\item {\bf Eligibility of Donors and Organizations:} Both the donor and the
-recipient organization usually need to meet specific criteria. For instance,
-only donations to accredited charities registered with national authorities are
-often eligible for tax relief.
-
-\item {\bf Limits on Deductions:} Most countries place caps on deductible
-donations, typically as a percentage of the donor’s income. For example, France
-allows deductions up to 20\% of taxable income, whereas Germany permits
-deductions up to 20\% of annual income or corporate profits.
+\item {\bf Eligibility of Donors and Organizations:} Both the donor
+  and the recipient organization usually need to meet specific
+  criteria. For instance, only donations to accredited charities
+  registered with national authorities are often eligible for tax
+  relief.
+\item {\bf Limits on Deductions:} Most countries place caps on
+  deductible donations, typically as a percentage of the donor’s
+  income. For example, France allows deductions up to 20\% of taxable
+  income, whereas Germany permits deductions up to 20\% of annual
+  income or corporate profits.
 \item {\bf Cross-Border Donations and Tax Relief:} The EU's ``Stauffer
-doctrine'' principle requires member states to treat cross-border donations
-similarly to domestic donations if the recipient organization meets equivalent
-standards, which facilitates cross-border charitable giving across the EU.
+  doctrine'' principle requires member states to treat cross-border
+  donations similarly to domestic donations if the recipient
+  organization meets equivalent standards, which facilitates
+  cross-border charitable giving across the EU.
 \end{itemize}
 
 \subsubsection{Data Protection and Privacy (GDPR)}
 
-The General Data Protection Regulation (GDPR) is a significant EU law that
-affects how personal data is collected, stored, and managed, including for
-donations.
+The General Data Protection Regulation (GDPR) is a significant EU law
+that affects how personal data is collected, stored, and managed,
+including for donations.
 
 \begin{itemize}
-\item {\bf Consent for Data Collection:} Donors must be informed of how their
-personal data will be used, and organizations must obtain explicit consent if
-data will be used for purposes beyond the donation transaction itself, such as
-marketing.
-\item {\bf Data Minimization and Retention:} Organizations are expected to
-collect only the data necessary for processing the donation, retain it only as
-long as necessary, and ensure proper data deletion practices.
-\item {\bf Right to Access and Erasure:} Donors have the right to request
-access to their personal data held by an organization and can request deletion
-or correction of their data under specific circumstances.
+\item {\bf Consent for Data Collection:} Donors must be informed of
+  how their personal data will be used, and organizations must obtain
+  explicit consent if data will be used for purposes beyond the
+  donation transaction itself, such as marketing.
+\item {\bf Data Minimization and Retention:} Organizations are
+  expected to collect only the data necessary for processing the
+  donation, retain it only as long as necessary, and ensure proper
+  data deletion practices.
+\item {\bf Right to Access and Erasure:} Donors have the right to
+  request access to their personal data held by an organization and
+  can request deletion or correction of their data under specific
+  circumstances.
 \end{itemize}
 
 \subsubsection{Corporate Donations and Sponsorships}
-Corporate donations are also regulated, particularly when related to tax
-deductibility, disclosures, and compliance requirements.
+
+Corporate donations are also regulated, particularly when related to
+tax deductibility, disclosures, and compliance requirements.
 
 \begin{itemize}
-\item {\bf Transparency in Corporate Sponsorships:} European countries may
-require public disclosure of corporate donations or sponsorship arrangements,
-especially when public funds are involved. Many countries also enforce rules
-against donations that may appear to be intended for influencing legislation or
-government actions.
-\item {\bf Limits on Corporate Donations:} Some countries impose caps on
-corporate donations eligible for tax relief to prevent excessive deductions and
-potential misuse.
+\item {\bf Transparency in Corporate Sponsorships:} European countries
+  may require public disclosure of corporate donations or sponsorship
+  arrangements, especially when public funds are involved. Many
+  countries also enforce rules against donations that may appear to be
+  intended for influencing legislation or government actions.
+\item {\bf Limits on Corporate Donations:} Some countries impose caps
+  on corporate donations eligible for tax relief to prevent excessive
+  deductions and potential misuse.
 \end{itemize}
 
 \subsubsection{Cross-Border Giving and EU Philanthropy Initiatives}
-The European Union encourages philanthropy across borders within Europe, but
-the process is still complex due to varying national tax and legal frameworks.
+
+The European Union encourages philanthropy across borders within
+Europe, but the process is still complex due to varying national tax
+and legal frameworks.
 
 \begin{itemize}
-\item {\bf European Foundation Statute and the European Philanthropy 
Manifesto:}
-These initiatives aim to harmonize cross-border philanthropy regulations. The
-proposed European Foundation Statute, for instance, would create a legal form
-of a foundation operating across the EU.
-\item {\bf Transnational Requirements for Nonprofits:} Nonprofits must navigate
-both the tax and regulatory requirements of each country in which they operate
-or fundraise, including any special registrations, tax filings, or
-documentation for cross-border transactions.
+\item {\bf European Foundation Statute and the European Philanthropy
+  Manifesto:} These initiatives aim to harmonize cross-border
+  philanthropy regulations. The proposed European Foundation Statute,
+  for instance, would create a legal form of a foundation operating
+  across the EU.
+\item {\bf Transnational Requirements for Nonprofits:} Nonprofits must
+  navigate both the tax and regulatory requirements of each country in
+  which they operate or fundraise, including any special
+  registrations, tax filings, or documentation for cross-border
+  transactions.
 \end{itemize}
 
 \subsubsection{Ethical Standards and Codes of Conduct}
 
-Some European countries have established or encouraged adoption of ethical
-standards or codes of conduct for fundraising activities. Examples include:
+Some countries have established or encouraged adoption of ethical
+standards or codes of conduct for fundraising activities. Examples
+include:
 
 \begin{itemize}
-\item {\bf Code of Conduct for Fundraising:} Many countries have adopted codes
-of conduct, which may govern methods for soliciting donations, advertising
-practices, and donor interaction protocols. There are also private initiatives
-such as the Donor Pledge from the Dutch foundation Donateursbelangen (``Donor
-Interest Foundation'').
-\item {\bf Charity Commissions and Regulatory Bodies:} Several European
-countries have independent regulatory bodies that oversee charitable
-organizations, such as the Charity Commission in the UK, to ensure compliance
-and ethical conduct in donations.
+\item {\bf Code of Conduct for Fundraising:} Many countries have
+  adopted codes of conduct, which may govern methods for soliciting
+  donations, advertising practices, and donor interaction
+  protocols. There are also private initiatives such as the Donor
+  Pledge from the Dutch foundation Donateursbelangen (``Donor Interest
+  Foundation'').
+\item {\bf Charity Commissions and Regulatory Bodies:} Several
+  European countries have independent regulatory bodies that oversee
+  charitable organizations, such as the Charity Commission in the UK,
+  to ensure compliance and ethical conduct in donations.
 \end{itemize}
 
 \subsection{Country-Specific Considerations}
 
-While EU-wide directives provide a framework, each country has unique laws.
-Here are a few examples:
+While EU-wide directives provide a framework, each country has unique
+laws.  Here are a few examples:
 
 \begin{itemize}
 \item {\bf Germany:} Nonprofit organizations must register with local
-authorities to receive tax exemptions, and donations exceeding 10\,000 EUR 
must be
-reported.
-\item {\bf France:} Nonprofits must adhere to the ``Loi de 1901'' and comply
-with annual reporting requirements to remain eligible for public donations.
-\item {\bf Italy:} Nonprofits are eligible for tax incentives if they register
-as ONLUS (Organizzazione Non Lucrativa di Utilità Sociale) or a similar
-designation under Italian law.
+  authorities to receive tax exemptions, and donations exceeding
+  10\,000 EUR must be reported.
+\item {\bf France:} Nonprofits must adhere to the ``Loi de 1901'' and
+  comply with annual reporting requirements to remain eligible for
+  public donations.
+\item {\bf Italy:} Nonprofits are eligible for tax incentives if they
+  register as ONLUS (Organizzazione Non Lucrativa di Utilità Sociale)
+  or a similar designation under Italian law.
 \end{itemize}
 
-\subsection{Conclusion}
+\subsection{Summary}
 
-Navigating donation regulations in Europe involves adhering to EU directives on
-transparency, AML, tax compliance, and data protection while also meeting
-specific requirements in individual countries. Compliance ensures trust in the
-philanthropic sector, promoting ethical giving practices and cross-border
-donations within the EU’s regulatory landscape.
+Navigating donation regulations involves adhering to a multitude of
+directives on transparency, anti-money laundering, tax compliance, and
+data protection while also meeting specific requirements in individual
+countries. Compliance ensures trust in the philanthropic sector,
+promoting ethical giving practices within a complex regulatory
+landscape.  Cross-border donations are particularly challenging.
 
 
 \ifodd0
 Some bits of thoughts
 
-Article 56 TFEU guarantees free movement of services throughout the EU.
-In particular, this obliges each EU country to recognize the charitable
-organizations that are registered in other countries, as confirmed by
-the following decision of the Court of Justice of the European Union:
+Article 56 TFEU guarantees free movement of services throughout the
+EU.  In particular, this obliges each EU country to recognize the
+charitable organizations that are registered in other countries, as
+confirmed by the following decision of the Court of Justice of the
+European Union:
 
 
\url{https://op.europa.eu/en/publication-detail/-/publication/d3892f27-39b1-4a26-98b3-451a7ffb101d/language-en}
 
 
 
 \subsection{Yearly Donation Limit}
-In some tax jurisdictions, the tax authority may set a limit on the total 
amount of donations
-that a charity may receive in a given tax year. %XXX ~\cite{?}
-A Donation Authority must enable tracking and enforcement of such a limit.
+
+In some tax jurisdictions, the tax authority may set a limit on the
+total amount of donations that a charity may receive in a given tax
+year.
+%XXX ~\cite{?}  A Donation Authority must enable tracking and enforcement of 
such a limit.
+
 \fi
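Review bot: the rewrapped line `+%XXX ~\cite{?}  A Donation Authority must enable tracking and enforcement of such a limit.` puts the requirement sentence after the `%`, so the whole sentence is now a comment, whereas before only the citation placeholder was commented out. The block sits inside `\ifodd0 ... \fi`, so nothing renders today, but if the Yearly Donation Limit subsection is ever re-enabled the requirement would silently vanish. Put `%XXX ~\cite{?}` on its own line and keep `A Donation Authority must enable tracking and enforcement of such a limit.` as text.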
diff --git a/doc/usenix-security-2025/paper/technicaldesign.tex 
b/doc/usenix-security-2025/paper/technicaldesign.tex
index 164552d..bf14ef6 100644
--- a/doc/usenix-security-2025/paper/technicaldesign.tex
+++ b/doc/usenix-security-2025/paper/technicaldesign.tex
@@ -9,19 +9,19 @@
 
 \section{Protocol Description}\label{technical}
 
-The previous section identified several requirements and desired features 
-that a donation system must or should satisfy.  
+The previous section identified several requirements and desired features
+that a donation system must or should satisfy.
 The technically most challenging part is to permit donors
 to stay anonymous towards the charity they are donating to and to keep private
 from the tax authorities which charities they donated to.
 The protocol presented in this section addresses this
 challenge and all of the design goals from
 Section~\ref{sec:designgoals}. In
-Section~\ref{sec:discussionfeatures} we discuss how
+Section~\ref{discussion} we discuss how
 the various optional capabilities could be achieved on
 top of this core protocol design.
 
-%Some of these are 
+%Some of these are
 %contradictory and any deployment needs to prioritize compliance with local
 %laws and regulations.
 % CG: not sure they are actually contradictory, modulo if
@@ -29,13 +29,6 @@ top of this core protocol design.
 % here you're only linkable across donations to the same
 % charity, which is probably OK.
 
-The Donau protocol, developed for this project by Johannes Casaba and Lukas
-Matyja under the supervision of Emmanuel Benoist and Christian Grothoff,
-provides a solution for both of these challenges.
-This section follows closely and often is a verbatim reproduction of the
-thesis~\cite{donau} by Casaba and Matyja. We thank them for their significant
-contributions.
-
 This section provides a technical overview of the Donau protocol, starting with
 some cryptographic background followed by the setup and usage.
 
@@ -105,8 +98,10 @@ apply and $K_x^{\pub}$ the public key that was used for 
signing.
 
 \subsection{Key generation and initial 
setup}\label{key_generation_and_initial_setup}
 
-Taler makes heavy use of blind signatures to issue coins; in the context of
-donations, blind signatures are issued by the donation authority Donau.
+Digital cash makes use of blind signatures to issue
+tokens~\cite{Chaum89}. Our design uses the same mechansim to unlink the
+donation process from the issued donation receipts, thus preserving
+the anonymity properties of the digital cash used to make a donation.
 
 \subsubsection{Donau key generation}\label{donau_key_generation}
 \begin{enumerate}
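Review bot: typo in the added sentence, `mechansim` should read `mechanism`. The same sentence introduces the new `\cite{Chaum89}` key for Chaum's blind-signature paper; check it against the existing `DBLP:conf/crypto/Chaum82` key removed in the next hunk so the bibliography does not carry two entries for the same work.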
@@ -115,9 +110,6 @@ donations, blind signatures are issued by the donation 
authority Donau.
   \item The Donau also generates a set of \textbf{Donation Unit} keypairs
 $(K_x^{\pub}, K_x^{\priv})$ for blind signatures, corresponding to different
 currency denominations $x$ that a donation can be composed of.
-The blind signature scheme used is either blind
-RSA~\cite{DBLP:conf/crypto/Chaum82} or blind
-Schnorr~\cite{DBLP:conf/eurocrypt/FuchsbauerPS20}.
 \end{enumerate}
 
 \subsubsection{Charity key generation}\label{charity_key_generation}
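Review bot: removing `The blind signature scheme used is either blind RSA~\cite{DBLP:conf/crypto/Chaum82} or blind Schnorr~\cite{DBLP:conf/eurocrypt/FuchsbauerPS20}.` leaves the protocol description saying only "blind signatures" without naming a scheme. The choice is security-relevant: blind RSA and the Schnorr-based construction of Fuchsbauer et al. rest on different hardness assumptions and differ in their security under concurrent signing sessions, so the design section should either keep this sentence or point to where the implementation section fixes the scheme. If the sentence stays removed, also drop or reuse the two citation keys so they are not left dangling in the bibliography.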
@@ -305,7 +297,7 @@ D^{\priv})
 
 \subsection{Donor sends final statement to a 
validator}\label{donor_sends_final_statement_to_a_validator}
 Finally, to claim their deduction, the donor includes their donation statement
-in their tax declaration. The implementation detailed in the next section 
+in their tax declaration. The implementation detailed in the next section
 chooses to represent this information as a QR-Code
 \begin{align*}
   \texttt{QR} = (\texttt{TAXID}, S, \textsf{year}, \textsf{amount}_{\sf
