Re: [Taler] latest draft on the Taler cryptography [re-re-send]

[Luis Ressel]

I've got some remarks about the incremental spending protocol in A.1:

* Why is the f (price) parameter included in a lock permission? This
  would make sense if it were possible to place multiple concurrent
  locks on fractions of a coin's value, but this is not the case.

* The last item in step 9 probably shouldn't be a separate item (also
  it should be '=' instead of ':=')

* I don't understand the exact purpose of the comparison between
  deposit permissions in step 9.

* Also in step 9, the mint needs to check whether there's an active lock
  permission (and if the parameters match those of the deposit
  permission).

* If the customer signs multiple incremental deposit permissions, the
  protocol has to make sure that the merchant can't defraud by sending
  several of those deposit permissions to the mint. I don't understand
  how this is supposed to work.


That's it for the incremental spending. Further questions:

* In the "normal" spending protocol (4.2), step 4 says "If the coin has
been involved in previous transactions, [the mint] sends an error". But
shouldn't it be possible to use a coin for multiple transactions if the
combined f's stay below the denomination of K?

* In the linking protocol (4.4), why does the mint's response include
  B^\gamma? Shouldn't that be E^\gamma?

* The explanatory text in the first paragraph of 4.4 doesn't make
  sense, it should be C instead of C'. 

* In 2.1 "Related Work", why is the GreenCoinX reference given as a
  footnote instead of a bibliography reference? (Just a minor style
  issue, obviously)

* The third paragraph on page 3 starts with "Online fraud detection can
  create problems if the network fails during the initial steps of a
  transaction.", but the two following examples don't involve any
  network failure.


I also found some typos. For two of those, I wasn't sure how to fix
them:

* On page 13, in step 8 of the refreshing protocol: "Otherwise, the
  mint responds with an error the value of C'."

* On page 18, in step 4 of the incremental spending protocol: "who can
  then use it prove to the customer"

* Not exactly a typo, but this phrase on page 11 is a bit weird:
  "Merchants are identified by their public key $M := (m_s, M_p)$" --
  technically, M isn't a _public_ key, so I'd write either "by their
  key M" or "by their public key M_p".


For the other typos, I've attached a git patch fixing them. (The patch
can be applied using 'git am'.)

By the way, you could add *.bbl and *.blg to the .gitignore file (those
files are generated by bibtex).


Regards,
Luis Ressel