diff options
| -rw-r--r-- | doc/thesis/chapters/protocol/details.tex | 271 | ||||
| -rw-r--r-- | doc/thesis/thesis.pdf | bin | 1473135 -> 1468569 bytes | |||
| -rw-r--r-- | doc/thesis/thesis.tex | 4 |
3 files changed, 132 insertions, 143 deletions
diff --git a/doc/thesis/chapters/protocol/details.tex b/doc/thesis/chapters/protocol/details.tex index 33ebf82..47096c0 100644 --- a/doc/thesis/chapters/protocol/details.tex +++ b/doc/thesis/chapters/protocol/details.tex @@ -1,177 +1,166 @@ -\section{Protocol Detail} +\section{Protocol Details} \subsection{Key generation and initial setup} -\subsubsection{Initial Donau setup} -\begin{enumerate} - \item The Donau generates a public key $D^{pub}$ and private key $D^{priv}$ for EdDSA signing. - - \item The Donau generates the \textbf{Donation Units} consisting of $K_x^{pub}$ and $K_x^{priv}$ where $x$ is the associated value. -\end{enumerate} -\subsubsection{Charity setup (Charity side and Donau side)} +\subsubsection{Donau key generation} \begin{enumerate} - \item The \textbf{Charity} generates a public key $(C^{pub}$ and private key $C^{priv})$ and fetches the \textbf{Donation Unit} public keys from the Donau. - - \item The \textbf{Charity} transmits $C^{pub}$ and the desired yearly donation limit to the party which maintains the Donau (e.g tax office) using a \textbf{secure channel}. - - \item The party in charge of Donau administration ensures that the applying charity is authentic and publicly recognized as charity organisation. Furthermore, it ensures that all eventual checks required by law are done. After the verification was successful the Charity public key $C^{pub}$ and requested yearly donation limit are registered. + \item The Donau generates a Donau public key $D^{pub}$ and private key $D^{priv}$ for EdDSA signing. + \item The Donau generates the \textbf{Donation Units} consisting of a public key $K_x^{pub}$ and private key $K_x^{priv}$ where $x$ is the associated value. \end{enumerate} - -\subsection{During tax period} - -\subsubsection{Donor donates to charity and transmits \textbf{Unique Donor identifiers} (future donation receipts)} +\subsubsection{Charity key generation} \begin{enumerate} - \item The donor downloads the \textbf{Donation Unit} public keys $K_x^{pub}$ from the Donau for the current year. - - \item The donor splits the donation amount into a sum of \textbf{Donation Units} offered by the Donau. + \item The Charity generates a charity public key $(C^{pub}$ and private key $C^{priv})$ and fetches the \textbf{Donation Unit} public keys from the Donau. + \item The Charity transmits its public key $C^{pub}$ and the requested yearly donation limit to the party controlling the Donau (e.g the local tax authority) using a \textbf{secure channel}. + \item The party in charge of Donau administration ensures that the applying charity is authentic and publicly recognized as a charitable organisation. Furthermore, it ensures that all eventual restrictions by law are followed. After the verification was successful the Charity public key $C^{pub}$ together with its requested yearly donation limit are registered in the Donau database. +\end{enumerate} - \emph{Example: With \textbf{Donation units} $\{1,2,4\}$ beeing available, and a donation of $7$, the donation amount is split into the valus $4$, $2$ and $1$.} +\subsection{Donating to a charity} +% \subsubsection{Donor donates to charity and transmits \textbf{Unique Donor identifiers} (future donation receipts)} +In order to make a donation the donor has to first download the \textbf{Donation Unit} public keys $K_x^{pub}$ from the Donau for the current year. +After that the donor generates his \textbf{Donor Identifier} which is a salted hash of his tax number. +As each \textbf{Donation Unit} holds a specific value the donor has to splits the donation amount into a sum of \textbf{Donation Units} offered by the Donau. - \item The donor generates as many \textbf{Unique Donor Identifiers} as there are terms in the calculated sum. +Donor Identifier $i$: +\begin{align*} + i := H(\texttt{TAXID, S}) +\end{align*} - \emph{In our example, there are $3$ \textbf{Unique Donor Identifiers}: one per \textbf{Donation Unit}}. \footnote{If one Donation Unit is present more than once, then there is more than one Unique Donor Identifier required for said Donation Unit. This depends upon the offered Donation Units.} +\emph{Example: With \textbf{Donation units} $\{1,2,4\}$ beeing available, and a donation of $7$, the donation amount is split into the valus $4$, $2$ and $1$.} - \begin{align*} - i :&= H(\texttt{TAXID, S})\\\\ - u_1 :&= \langle i, \texttt{N}_1 \rangle \\ - u_2 :&= \langle i, \texttt{N}_2 \rangle \\ - u_3 :&= \langle i, \texttt{N}_3 \rangle - \end{align*} - where $S$ is the salt and $N$ a Nonce. +For every \textbf{Donation unit} the donor generates a \textbf{Unique Donor Identifier} by adding a nonce to his \textbf{Donor Identifier} $i$. +If one \textbf{Donation Unit} of the same value is present more than once, then there needs to be a \textbf{Unique Donor Identifier} for each of the \textbf{Donation Units}. - \item The donor blinds the \textbf{Unique Donor Identifiers} using a \emph{different} blinding factor $b$ for every \textbf{Unique Donor Identifier}. +\emph{In our example, there are $3$ \textbf{Unique Donor Identifiers}: one per \textbf{Donation Unit}}. - \begin{align*} - \overline u_1 :&= blind (u_1, b_1, K_1^{pub}) \\ - \overline u_2 :&= blind (u_2, b_2, K_2^{pub}) \\ - \overline u_3 :&= blind (u_3, b_3, K_4^{pub}) - \end{align*} +Unique Donor Identifiers $u_1, u_2, u_3$: +\begin{align*} + u_1 :&= \langle i, \texttt{N}_1 \rangle \\ + u_2 :&= \langle i, \texttt{N}_2 \rangle \\ + u_3 :&= \langle i, \texttt{N}_3 \rangle +\end{align*} +where $S$ is the salt and $N$ a Nonce. - \item So far, the \textbf{Unique Donor Identifiers} do not carry information about their value. The \emph{intended effective value is now indicated} by grouping each \textbf{Unique Donor Identifier} with the according hash of the \textbf{Donation Unit} public key $K^{pub}_x$. +In a next step the donor needs to blind the \textbf{Unique Donor Identifiers} using a \emph{different} blinding factor $b$ for every \textbf{Unique Donor Identifier}. +This ensures that no identifiable information is leaked to a third party including the Donau and charity. This results in a \textbf{Blinded Unique Donor Identifier}. - Resulting in a \textbf{Blinded Unique Donor Identifier Key Pair} or \textbf{BKP} for short. +Blinded Unique Donor Identifiers $\overline u_1, \overline u_2, \overline u_3$ +\begin{align*} + \overline u_1 :&= blind (u_1, b_1, K_1^{pub}) \\ + \overline u_2 :&= blind (u_2, b_2, K_2^{pub}) \\ + \overline u_3 :&= blind (u_3, b_3, K_4^{pub}) +\end{align*} - It is only the \emph{intended effective} value because the value will only be attributed later on with the signature of the Donau. +So far, the \textbf{Blinded Unique Donor Identifiers} do not carry information about their value. The \emph{intended effective value is now indicated} by grouping each \textbf{Unique Donor Identifier} with the according hash of the \textbf{Donation Unit} public key $K^{pub}_x$. Resulting in a \textbf{Blinded Unique Donor Identifier Key Pair} (\textbf{BKP}) - \emph{Note: The public key is not in relation with the sequential index of the \textbf{BKP}, it only relates to the value of the pair!} +It is only the \emph{intended effective} value because the value will only be attributed later on with the signature of the Donau. - \begin{align*} - \overline \mu_1 :&= \langle \overline u_1, h({K^{pub}_1}) \rangle \\ - \overline \mu_2 :&= \langle \overline u_2, h({K^{pub}_2}) \rangle \\ - \overline \mu_3 :&= \langle \overline u_3, h({K^{pub}_4}) \rangle - \end{align*} - \begin{align*} - \vec{\mu} :&= \langle \overline \mu_1, - \overline \mu_2,\overline \mu_3 - \rangle - \end{align*} - \item The donor sends all \textbf{BKP}'s $\vec{\mu}$ as well as the corresponding \textbf{payment} to the charity. +\emph{Note: The public key is not in relation with the sequential index of the \textbf{BKP}, it only relates to the value of the pair!} -\end{enumerate} +Blinded Unique Donor Identifier Key Pairs $\overline mu_1, \overline mu_2, \overline mu_3$ +\begin{align*} + \overline \mu_1 :&= \langle \overline u_1, h({K^{pub}_1}) \rangle \\ + \overline \mu_2 :&= \langle \overline u_2, h({K^{pub}_2}) \rangle \\ + \overline \mu_3 :&= \langle \overline u_3, h({K^{pub}_4}) \rangle +\end{align*} -\subsubsection{Charity sends signed \textbf{BKP}'s to Donau} -\begin{enumerate} - \item The charity verifies that the amount requested (based on the \textbf{Donation Unit} public key hash $h(K_x^{pub})$) for signing is \textbf{lower or equal} to the effective amount of the donation. +These individual \textbf{BKP}'s are then put in an array of \textbf{BKP}'s $\vec{\mu}$ +\begin{align*} + \vec{\mu} :&= \langle \overline \mu_1, + \overline \mu_2,\overline \mu_3 + \rangle +\end{align*} - \item The charity signs (using EdDSA) a structure containing all unsigned $BKP$'s coming from the donor. +The donor sends the array of \textbf{BKP}'s $\vec{\mu}$ as well as the corresponding \textbf{payment} to the charity. - \begin{align*} - \sigma_c = sign(\vec{\mu}, C^{priv}) - \end{align*} +\subsection{Charity receives Donation} +Upon receiving the \textbf{BKP}'s $\vec{\mu}$ with the corresponding payment the charity has to verify that the amount requested (based on the \textbf{Donation Unit} public key hash $h(K_x^{pub})$) for signing is \textbf{lower or equal} to the effective amount of the donation. - \item The charity sends this structure $\vec{\mu}$ and the signature $\sigma_c$ to the Donau. -\end{enumerate} +If the payment was successful with the correct amount present, the charity signs (using EdDSA) a structure containing all unsigned \textbf{BKP}'s $\vec{\mu}$ coming from the donor. -\subsubsection{Donau sends back the blind signed \textbf{UDI}'s to charity} -\begin{enumerate} - \item The Donau: - \begin{enumerate} - \item verifies the signature $\sigma_c$ on the structure. +Signing the array of BKP's: +\begin{align*} + \sigma_c = sign(\vec{\mu}, C^{priv}) +\end{align*} - \begin{align*} - verify(\vec{\mu},\sigma_c, C^{pub}) - \end{align*} +The charity sends the \textbf{BKP}'s $\vec{\mu}$ and the signature $\sigma_c$ to the Donau. - \item increments the current amount of donations received per year of the charity. This value is increased by the total amount of the \textbf{Blinded Unique Donor Identifier (BUDI)}'s, if the increment does not exceed the annual limit. +\subsection{Donau creates Donation receipt material} +The Donau now has received the \textbf{BKP}'s $\vec{\mu}$ previously sent by the charity. The Donau must ensure that the charity signature is valid. - \item blind signs all the \textbf{BUDI}'s using the \textbf{Donation Unit} private keys $K_x^{priv}$ matching the public keys used in the hash $h(K^{pub})$ which was inturn used in the \textbf{BKP}'s. +Verifing the charity signature $\sigma_c$: +\begin{align*} + verify(\vec{\mu},\sigma_c, C^{pub}) +\end{align*} - \begin{align*} - \overline{\beta_1} = blind\_sign(\overline u_1, K_1^{priv}) \\ - \overline{\beta_2} = blind\_sign(\overline u_2, K_2^{priv}) \\ - \overline{\beta_3} = blind\_sign(\overline u_3, K_4^{priv}) - \end{align*} +Once verified the Donau has to check for any legal restrictions such as the yearly donation limit. Then the Donau increments the current amount of the donations received per year of the charity. This value is increased by the total amount of the \textbf{Blinded Unique Donor Identifier (BUDI)}'s, if the increment does not exceed the annual limit. - \item sends back all created blind signatures - $\overline{\beta_1}, \overline{\beta_2}, \overline{\beta_3}$ to the charity. - \end{enumerate} +After that the Donau blind signs all the \textbf{BUDI}'s using the \textbf{Donation Unit} private keys $K_x^{priv}$ matching the public keys used in the hash $h(K^{pub})$ which was inturn used in the \textbf{BKP}'s. - \item The charity forwards the blind signatures to the donor. +Donau blind signing Blinded Unique Donor Identifiers $\overline u_1, \overline u_2, \overline u_3$: +\begin{align*} + \overline{\beta_1} = blind\_sign(\overline u_1, K_1^{priv}) \\ + \overline{\beta_2} = blind\_sign(\overline u_2, K_2^{priv}) \\ + \overline{\beta_3} = blind\_sign(\overline u_3, K_4^{priv}) +\end{align*} - \item The donor verifies the signatures. +The signatures $\overline{\beta_1}, \overline{\beta_2}, \overline{\beta_3}$ are then sent back to the charity which inturn forwards them to the donor. This is done out of simplicity as the charity has already a secure channel open with the donor, elmination the need to open another channel. - \begin{align*} +\subsection{Donor receives Donation receipt material} +Upon receiving the Donau signatures $\overline{\beta_1}, \overline{\beta_2}, \overline{\beta_3}$ via the charity, the Donor checks if the blind signatures over the \textbf{Blinded Unique Donor Identifiers} $\overline u_1, \overline u_2, \overline u_3$ is valid: +\begin{align*} verify\_blind(u_1,\overline{\beta_1}, K_1^{pub}) \\ verify\_blind(u_2,\overline{\beta_2}, K_2^{pub}) \\ verify\_blind(u_3,\overline{\beta_3}, K_4^{pub}) - \end{align*} - -\item The donor unblinds the signatures of the \textbf{BUDI}'s to get the signatures of the \textbf{Unique Donor Identifier (UDI)}'s. This results in a collection of \textbf{Donation Receipt (DR)}'s each consisting of the \textbf{UDI}, the signature $\beta$ and the hash of the \textbf{Donation Unit} public key $h(K_x^{pub})$. - - \begin{align*} - \beta_1 &= unblind(\overline{\beta_1}, b_1, K_1^{pub}) \\ - \beta_2 &= unblind(\overline{\beta_2}, b_2, K_2^{pub}) \\ - \beta_3 &= unblind(\overline{\beta_3}, b_3, K_4^{pub}) - \end{align*} - \begin{align*} - r_1 &= \langle UDI_1, \beta_1, h(K_1^{pub}) \rangle \\ - r_2 &= \langle UDI_2, \beta_2, h(K_2^{pub}) - \rangle \\ - r_3 &= \langle UDI_3, \beta_3, h(K_4^{pub}) \rangle - \end{align*} -\end{enumerate} - -\subsection{After effective tax period: get tax statement for period from Donau} - -\subsubsection{Donor sends the \textbf{Donation Receipts} to the Donau to get the final \textbf{Donation Statement}.} -\begin{enumerate} - \item The donor sends the collection of all \textbf{Donation Receipts} $\{r_1, r_2, r_3\}$ to the Donau. This happens \textbf{manually} once per period. - - It is not done continuously to obtain \emph{unlinkability} between the \emph{issuance} of the \textbf{Donation Receipts} (which happens upon donation) and their \emph{submission} for the \textbf{Donation Statement}. - - \item For each \textbf{Donation Receipt} the Donau: - \begin{itemize} - \item checks that $K_x^{pub}$ is known. - - \item verifies that the signature $\beta$ is correct using the corresponding public key $K_x^{pub}$. - - \item verifies that the \textbf{Donor Identifier} is the same as in other \textbf{Donation Receipts}.\footnote{With multiple wallets each wallet must simply obtain a separate \textbf{Donation Statement}!} - - \item verifies that the $\texttt{nonce}$ is unique and was not used before by the donor for the corresponding year. - \end{itemize} - - \item The Donau signs over the total \texttt{amount} donated by the donor, \texttt{year} and \textbf{Donor Identifier} and sends the signature and the total amount back to the donor. - - This results in a final signature called the \textbf{Donation Statement}. +\end{align*} + +Once verified the donor unblinds the signatures of the \textbf{BUDI}'s to get the signatures over the \textbf{Unique Donor Identifier (UDI)}'s. This results in a collection of \textbf{Donation Receipt (DR)}'s each consisting of the \textbf{UDI}, the signature $\beta$ and the hash of the \textbf{Donation Unit} public key $h(K_x^{pub})$. + +Donor unblinds Donau signatures $\overline{\beta_1}, \overline{\beta_2}, \overline{\beta_3}$: +\begin{align*} + \beta_1 &= unblind(\overline{\beta_1}, b_1, K_1^{pub}) \\ + \beta_2 &= unblind(\overline{\beta_2}, b_2, K_2^{pub}) \\ + \beta_3 &= unblind(\overline{\beta_3}, b_3, K_4^{pub}) +\end{align*} + +Donor creates the final Donation Receipts $r_1, r_2, r_3$ +\begin{align*} + r_1 &= \langle UDI_1, \beta_1, h(K_1^{pub}) \rangle \\ + r_2 &= \langle UDI_2, \beta_2, h(K_2^{pub}) \rangle \\ + r_3 &= \langle UDI_3, \beta_3, h(K_4^{pub}) \rangle +\end{align*} + +These \textbf{Donation Receipt (DR)} are then stored on the donors device. + +\subsection{Donor requests a Donation Statement from the Donau} +To make the donations tax deductable the donor needs to have a final \textbf{Donation Statement} which can be sent to the tax authority. To get the \textbf{Donation Statement} the donor sends the \textbf{Donation Receipts} $\{r_1, r_2, r_3\}$ accumulated throughout the year to the Donau. +This can be done multiple times during the year. It is not done automatically as to obtain \emph{unlinkability} between the \emph{issuance} of the \textbf{Donation Receipts} (which happens upon donation) and their \emph{submission} for the \textbf{Donation Statement}. + +Once the Donau receives the \textbf{Donation Receipts} $\{r_1, r_2, r_3\}$ it has to check that for each \textbf{Donation Receipt}: +\begin{itemize} + \item the public key $K_x^{pub}$ is known. + \item the signature $\beta$ is correct using the corresponding public key $K_x^{pub}$. + \item the \textbf{Donor Identifier} is the same as in other \textbf{Donation Receipts}. (With multiple wallets each wallet must simply obtain a separate \textbf{Donation Statement}) + \item the $\texttt{nonce}$ is unique and was not used before by the donor for the corresponding year. +\end{itemize} + +The Donau then signs over the total \texttt{amount} donated by the donor, the current \texttt{year} and the \textbf{Donor Identifier}. This results in a final signature called the \textbf{Donation Statement} which is then sent back to the donor. + +Donau creates Donation Statement $\sigma_s$: +\begin{align*} + \sigma_s = sign(\langle i, \texttt{amount}_{Total}, \texttt{year}) \rangle, D^{priv}) +\end{align*} + +\subsection{Donor sends final statement to a validator} +The Donor uses the \textbf{Donation Statement} $\sigma_s$ to create a QR-Code which then can be included in the tax declaration. + +Donor generates a \texttt{QR} code which contains the following: +\begin{align*} + \texttt{QR} = \langle \texttt{taxid}, \texttt{salt}, \texttt{year}, \texttt{amount}, \sigma_s \rangle +\end{align*} + +The validator at the tax office then scans the QR code and verifies the \textbf{Donation Statement} $\sigma_s$. +\begin{align*} + verify(\langle i, \texttt{amount}_{Total}, \texttt{year}) \rangle,\sigma_s, D^{pub}) +\end{align*} - \begin{align*} - \sigma_s = sign(\langle i, \texttt{amount}_{Total}, \texttt{year}) \rangle, D^{priv}) - \end{align*} - -\end{enumerate} - -\subsubsection{Donor sends the QR Code to a validator (e.g. tax office)} -\begin{enumerate} - \item The donor generates a QR code which contains the following: - \begin{align*} - \texttt{QR} = \langle \texttt{taxid}, \texttt{salt}, \texttt{year}, \texttt{amount}, \text{$\sigma_s$} \rangle - \end{align*} - - \item The validator scans the QR code and verifies the \textbf{Donation Statement} $\sigma_s$. - - \begin{align*} - verify(\langle i, \texttt{amount}_{Total}, \texttt{year}) \rangle,\sigma_s, D^{pub}) - \end{align*} - -\end{enumerate} diff --git a/doc/thesis/thesis.pdf b/doc/thesis/thesis.pdf Binary files differindex 590a3c2..e82b580 100644 --- a/doc/thesis/thesis.pdf +++ b/doc/thesis/thesis.pdf diff --git a/doc/thesis/thesis.tex b/doc/thesis/thesis.tex index c61e50e..5382007 100644 --- a/doc/thesis/thesis.tex +++ b/doc/thesis/thesis.tex @@ -7,7 +7,7 @@ \title{\Huge\textsf{\textbf{DONAU}}\\ \vspace{30px} -\large{Tax-deductable Donations for GNU Taler}} +\huge{Tax-deductable Donations}} \author{Johannes Casaburi \and Lukas Matyja\\ \vspace{5px} \and Advisor: Prof. Dr. Christian Grothoff \and Advisor: Prof. Dr. Emmanuel Benoist \\ Expert: Daniel Voisard} @@ -21,7 +21,7 @@ \chapter{Introduction} \input{chapters/intro/introduction} -\chapter{Donau Overview} +\chapter{Overview} \input{chapters/overview/overview} \chapter{Cryptographic Preliminaries} |