
From: gnunet
Subject: [GNUnet-SVN] [taler-exchange] 03/03: Just a start on taxability text, breaks the latex run probably
Date: Fri, 12 May 2017 02:21:00 +0200

This is an automated email from the git hooks/post-receive script.

burdges pushed a commit to branch master
in repository exchange.

commit 4f6e71a842c07682351ac78a903c4c82ee26ffc1
Author: Jeffrey Burdges <address@hidden>
AuthorDate: Thu May 11 21:41:23 2017 +0200

    Just a start on taxability text, breaks the latex run probably
---
 doc/paper/taler.tex | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 85 insertions(+), 1 deletion(-)

diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index 9b2bb89..1d1c5db 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -991,7 +991,7 @@ than the comparable use of zk-SNARKs in 
ZeroCash~\cite{zerocash}.
 %
 %TODO: Explain, especially subtleties regarding session key / the spoofing 
attack that requires signature.
 
-\subsection{Linking}
+\subsection{Linking}\label{subsec:linking}
 
 % FIXME: What is \mathtt{link} ?
 
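Review bot: The `% FIXME: What is \mathtt{link} ?` directly under the newly labelled heading is still open, yet the theorem added further down in this patch cites this subsection through `\S\ref{subsec:linking}` as the protocol Alice runs. Define `\mathtt{link}` in this subsection before resting a proof on the reference, otherwise the theorem depends on an operation the paper never specifies. Minor style point: putting `\label{subsec:linking}` on its own line after `\subsection{Linking}` keeps later diffs of the heading smaller.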
@@ -1374,6 +1374,90 @@ data being persisted are represented in between 
$\langle\rangle$.
 \end{description}
 
 
+\section{Taxability arguments}
+
+\begin{proposition}
+An auditor can detect an exchange operating either the refresh or
+linking protocol dishonestly.
+\end{proposition}
+
+\begin{proof}
+.. Not sure about this one ..
+\end{proof}
+
+\begin{proposition}
+If the exchange operates the refresh protocol honestly, then
+a dishonest wallet looses $1 - {1 \over \kappa}$ of the value
+of the coins it refreshes dishonestly.
+\end{proposition}
+
+\begin{proof}
+.. Can we reference something about cut and choose protocols?  Or must we work 
this all out? ..
+\end{proof}
+
+We say a coin is {\em controlled} by a user if the user's wallet knows
+its secret scalar $c_s$, the signature $S$ of the appropriate denomination
+key on its public key $C_s$, and the residual value of the coin. 
+
+We assume the wallet cannot loose knowledge of a particular coin's
+key material, and the wallet can query the exchange to learn the
+residual value of the coin, so a wallet cannot loose control of
+a coin.  A wallet may loose the monetary value associated with a coin
+if another wallet spends it however.
+
+We say a user Alice {\em owns} a coin $C$ if only Alice's wallets can
+gain control of $C$ using standard interactions with the exchange. 
+In other words, ownership means exclusive control not just in the
+present, but in the future even if another user interacts with the
+exchange.
+
+\begin{theorem}
+Let $C$ denote a coin controlled by users Alice and Bob. 
+Suppose Bob creates a coin $C'$ from $C$ using the refresh protocol.
+Assuming the exchange and Bob operated the refresh protocol correctly,
+and that they continue to operate the linking protocol
+ \S\ref{subsec:linking} correctly,
+then Alice can gain control of $C'$ using the linking protocol.
+\end{theorem}
+
+\begin{proof}
+Alice may run the linking protocol to obtain all transfer keys $T^i$,
+blindings $B^i$ associated to $C$, and those coins denominations,
+including the $T'$ for $C'$. 
+
+We assumed both the exchange and Bob operated the refresh protocol
+correctly, so now $c_s T'$ is the seed from which $C'$ was generated.
+Alice rederives both $c_s$ and the blinding factor to unblind the
+denomination key signature on $C'$.  Alice finally asks the exchange
+for the residual value on $C'$ and runs the linking protocol to
+determine if it was refreshed too.
+\end{proof}
+
+
+\section{Privacy arguments}
+
+We consider two coins $C_1$ and $C_2$ created by the same withdrawal
+or refresh operation.  We say they are {\em linkable} if
+some probabilistic polynomial time adversary has a non-negligible
+advantage in guessing which two of $\{ C_0, C_1, C_2 \}$ were
+created together, where $C_0$ is an unrelated third coin.
+
+% TODO: Compare this definition with some from the literature
+
+.. reference literate about withdrawal ..
+
+\begin{proposition}
+If two coins created by refresh are linkable, then some 
+probabilistic polynomial time adversary has a non-negligible
+advantage in determining that their seeds ...
+...
+\end{proposition}
+
+\begin{proof}
+... random oracle ..
+\end{proof}
+
+
 
 \end{document}
 
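Review bot: In the proof of the theorem, "Alice rederives both $c_s$ and the blinding factor" names the wrong secret: by the definition of control Alice already knows $c_s$ for $C$, and what she derives from the seed $c_s T'$ is presumably the secret of $C'$, so give that its own symbol (for example $c'_s$). The definition of control also writes the coin's public key as $C_s$, which reads as a subscript slip next to the secret scalar $c_s$. The second proposition should state that the dishonest wallet loses $1 - {1 \over \kappa}$ of the value in expectation, or state the probability of detection instead, because as written it claims a fixed fractional loss for every dishonest refresh. In the linkability definition, say what the adversary's advantage is measured against (a uniform guess among the three possible pairs). The bare lines `.. reference literate about withdrawal ..` and `...`, and the `..` placeholders inside the proposition and proof bodies, will be typeset as text; turn them into `% TODO` comments like the one already present, and confirm the preamble declares the proposition, theorem and proof environments, since the commit message itself expects the LaTeX run to break. Spelling: "looses" and "loose" should be "loses" and "lose", "literate" should be "literature", and "those coins denominations" needs the possessive.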
