1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
|
\section{Notation \& Definitions }
\subsection{Notation}
\begin{itemize}
\item $\langle a, b, ... \rangle$ : Pair/tuple
\end{itemize}
\subsection{Definitions}
\begin{itemize}
\item \textbf{Cryptographic Hash Function}
\begin{displaymath}
h := H(m)
\end{displaymath}
where $m$ is a message and $h$ the resulting hash.
\item \textbf{Blinding Function}
\begin{displaymath}
\overline{u} := blind(u, b, K_x^{pub})
\end{displaymath}
where $u$ is the value to blind, $b$ the blinding factor to apply and $K_x^{pub}$ the public key of the Donation Unit that will be used for signing.
The blinding can be done with either the \textbf{RSA} blind signature scheme or the Blinded \textbf{Clause-Schnorr} signature scheme.
\item \textbf{Unblinding Function}
\begin{displaymath}
\beta := unblind(\overline{\beta}, b, K_x^{pub})
\end{displaymath}
where $\overline{\beta}$ is the value to unblind, $b$ the blinding factor to apply and $K_x^{pub}$ the public key of the Donation Unit that was used for signing.
The unblinding must be carried out using the \textbf{same} signature scheme that has already been used for the blinding.
\item \textbf{Donation Unit Key generation}
\begin{displaymath}
\langle K_x^{pub}, K_x^{priv} \rangle := Keygen^B(\omega)
\end{displaymath}
where $\omega$ is a source of entropy. The resulting key pair represents a \textbf{Donation Unit}. The result is a public key $K_x^{pub}$ and private key $K_x^{priv}$. The equivalent used in Taler system is a \texttt{Denomination}.
\item \textbf{Donau Key generation}
\begin{displaymath}
\langle D^{pub}, D^{priv} \rangle := Keygen^D(\omega)
\end{displaymath}
where $D^{pub}$ and $D^{priv}$ are the respective public and private Donau keys.
\item \textbf{Charity Key generation}
\begin{displaymath}
\langle C^{pub}, C^{priv} \rangle := Keygen^C(\omega)
\end{displaymath}
where $C^{pub}$ and $C^{priv}$ are the respective public and private Charity keys.
\item \textbf{Donation Unit (DU)}
\begin{displaymath}
\langle K_x^{pub}, K_x^{priv} \rangle
\end{displaymath}
A Donation Unit consists of a public and private key where $x$ is the associated value (e.g. 2 EUR).
\item \textbf{Donor Identifier (DI)}
\begin{displaymath}
i := H(\texttt{TAXID}, S)
\end{displaymath}
where $S$ is a random salt with sufficient entropy to prevent guessing attacks to invert the hash function.
\item \textbf{Unique Donor Identifier (UDI)}
\begin{displaymath}
u := \langle i, N \rangle
\end{displaymath}
where $N$ is a high-entropy nonce to make the resulting hash \textbf{unique} per donation.
\item \textbf{Blinded Unique Donor Identifier (BUDI)}
\begin{displaymath}
\overline{u} := blind( u, b, K_x^{pub} )
\end{displaymath}
A \textbf{BUDI} is the result of blinding a Unique Donor Identifier $u$ where $b$ is the blinding factor and $K_x^{pub}$ the associated Key. The blinding is done to protect the privacy of the donor.
\item \textbf{Blinded Unique Donor Identifier Key Pair (BKP)}
\begin{displaymath}
p := \langle \overline{u}, H(K_x^{pub}) \rangle
\end{displaymath}
A \textbf{Blinded Unique Donor Identifier Key Pair} is the result of adding the corresponding hash of the \textbf{Donation Unit} public key to the \textbf{Blinded Unique Donor Identifier} $\overline{u}$ where $H(K_x^{pub})$ is the hash of the \textbf{Donation Unit} public key.
\item \textbf{Signing}
\begin{itemize}
\item \textbf{Normal signing (e.g. EdDSA):}
\begin{align}
\fbox{$s := sign(m,k^{priv})$}
\end{align}
where $m$ is a message and $k^{priv}$ is the private key used to sign the message, for example the Donau private key $D^{priv}$ or the Charity private key $C^{priv}$.\\
Applications:
\begin{itemize}
\item Signatures over a \textbf{Blinded Unique Donor Identifier Key Pair}:
\begin{align}
\fbox{$\vec{\mu}_s := sign(\vec{p},C^{priv})$}
\end{align}
where $H(K_x^{pub})$ indicates which \textbf{Donation Unit} key should be used by the Donau to sign the resulting \textbf{Donation Receipt}. Thus, this hash carries the information about the exact value, the final Donation Receipt should carry.
A charity signs a collection of \textbf{Blinded Unique Donor Identifier Key Pairs} before transfering them to the Donau to issue the \textbf{Donation Receipts}
\item Generation of the \textbf{Donation Statement}
\end{itemize}
\item \textbf{Blind signing(e.g. RSA/CS):}
\begin{align}
\fbox{$\overline{\beta} := blind\_sign(\overline{u},K_x^{priv})$}
\end{align}
where $\overline{u}$ is a blinded value and $K_x^{priv}$ is the private key used to blind sign the message.\\
Application:
\begin{itemize}
\item The Donau blind signs \textbf{Blinded Unique Donor Identifiers} received from the Charity with the private key matching the public key in the received \textbf{Blinded Unique Donor Identifier Key Pair}
\end{itemize}
\end{itemize}
\item \textbf{Verify Functions}
To verify the signatures $m$ corresponds to the message and $s$ to the signature:
\begin{itemize}
\item \textbf{normal verify}
\begin{displaymath}
verify(m,s, P^{pub})
\end{displaymath}
where $P^{pub}$ can be the Donau public key $D^{pub}$ or Charity public key $C^{pub}$.
\item \textbf{blind verify}
\begin{displaymath}
verify\_blind(m,s,K_x^{pub})
\end{displaymath}
verify a signature that was made blind and made with a Donation Unit private key $K_x^{priv}$.
\end{itemize}
\item \textbf{Donation Receipt}
\begin{displaymath}
r := \langle u, \beta, H(K_x^{pub}) \rangle
\end{displaymath}
where $\beta$ is the unblinded signature sent to the Donau to get the \textbf{Donation Statement}.
\item \textbf{Donation Statement}
\begin{displaymath}
\sigma := sign(\langle i, \Sigma{\vec{r}}, \texttt{Year}\rangle, D^{priv})
\end{displaymath}
The \textbf{Donation Statement} is the signature over the sum (amount donated) of all the \textbf{Donation Receitps} $\Sigma{\vec{r}}$, that a donor has received from donating throughout the year where $i$ is the \textbf{Donor Identifier}.
These signatures attest the amount donated in a particular year by a specific donor.
\end{itemize}
|
