summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
authorChristian Grothoff <christian@grothoff.org>2016-11-09 14:13:21 +0100
committerChristian Grothoff <christian@grothoff.org>2016-11-09 14:13:21 +0100
commitd9b9132deefede2eb4c3a9e5e88b8a50ad987913 (patch)
tree50b703604d63f3e023b531cc4c17bd4d077ce9e0 /doc
parentcac7961c3dfca13e0062ea46e336faa0d624cca8 (diff)
downloadexchange-d9b9132deefede2eb4c3a9e5e88b8a50ad987913.tar.gz
exchange-d9b9132deefede2eb4c3a9e5e88b8a50ad987913.tar.bz2
exchange-d9b9132deefede2eb4c3a9e5e88b8a50ad987913.zip
address FIXMEs, add more refs
Diffstat (limited to 'doc')
-rw-r--r--doc/paper/taler.tex71
1 files changed, 34 insertions, 37 deletions
diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index da233bf30..991267953 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -84,9 +84,8 @@ This paper introduces {\em Taler}, a Chaum-style digital payment system that
enables anonymous payments while ensuring that entities that receive
payments are auditable. In Taler, customers can
never defraud anyone, merchants can only fail to deliver the
-merchandise to the customer, and payment service providers can be
-fully audited.
-% FIXME: above, we're still using auditor
+merchandise to the customer, and payment service providers are
+audited.
All parties receive cryptographic evidence for all
transactions; still, each party only receives the minimum information
required to execute transactions. Enforcement of honest behavior is
@@ -171,27 +170,27 @@ provides fair exchange and exculpability via cryptographic proofs.
\end{figure}
A key issue for an efficient Chaumian digital payment system is the
-need to provide change. For example, a customer may want to pay
-\EUR{49,99}, but has withdrawn a \EUR{100,00} coin. Withdrawing 10,000
-coins with a denomination of \EUR{0,01} and transferring 4,999 coins would
-be too inefficient. The customer should not
-withdraw exact change from her account, as doing so reduces anonymity
-due to the obvious correlation. A practical payment system must thus
-support giving change.
-
-% FIXME: make the connection to Camenisch's fair exchange paper here,
-% since refresh solves the same problem in a much more elegant way
-Taler solves the problem of giving change by introducing a new
-{\em refresh protocol}. Using this protocol, a customer can obtain
-change or refunds in the form of fresh coins that other parties cannot
-link to the original transaction, the original coin, or each other.
-Additionally, the refresh protocol ensures that the change is owned by
-the same entity which owned the original coin.
-
-
-\vspace{-0.3cm}
+need to provide change and existing systems for ``practical
+divisible'' electronic cash have transaction costs that are linear in
+the amount of value being transacted, sometimes hidden in the double
+spending detection logic of the payment service
+provider~\cite{martens2015practical}. The customer should also not be
+expected to withdraw exact change, as doing so reduces anonymity due
+to the obvious correlation.
+
+Taler solves the problem of giving change by introducing a new {\em
+ refresh protocol} allowing for ``divisible'' transactions with
+amortized costs logarithmic in the amount of value being transacted.
+Using this protocol, a customer can obtain change or refunds in the
+form of fresh coins that other parties cannot link to the original
+transaction, the original coin, or each other. Additionally, the
+refresh protocol ensures that the change is owned by the same entity
+which owned the original coin.
+
+
+%\vspace{-0.3cm}
\section{Related Work}
-\vspace{-0.3cm}
+%\vspace{-0.3cm}
%\subsection{Blockchain-based currencies}
@@ -200,15 +199,10 @@ the same entity which owned the original coin.
In recent years, a class of decentralized electronic payment systems,
based on collectively recorded and verified append-only public
ledgers, have gained immense popularity. The most well-known protocol
-in this class is Bitcoin~\cite{nakamoto2008bitcoin}. An initial
-concern with Bitcoin was the lack of anonymity, as all Bitcoin
-transactions are recorded for eternity, which can enable
-identification of users.
-
-The key contribution of blockchain-based protocols is that
-they dispense with the need for a central, trusted
-authority.
-Yet, there are several major irredeemable problems inherent in their designs:
+in this class is Bitcoin~\cite{nakamoto2008bitcoin}. The key
+contribution of blockchain-based protocols is that they dispense with
+the need for a central, trusted authority. Yet, there are several
+major irredeemable problems inherent in their designs:
\begin{itemize}
\item The computational puzzles solved by Bitcoin nodes with the purpose
@@ -230,11 +224,14 @@ Yet, there are several major irredeemable problems inherent in their designs:
% currency exchange and exacerbates the problems with currency fluctuations.
\end{itemize}
-Anonymous payment systems based on BitCoin such as
-CryptoNote~\cite{cryptonote} (aka Monero) and Zerocash~\cite{zerocash} (aka
-ZCash) exacerbate these issues. These systems mainly exploit the
+Bitcoin also lacks anonymity, as all Bitcoin transactions are recorded
+for eternity, which can enable identification of users. Anonymous
+payment systems based on BitCoin such as CryptoNote~\cite{cryptonote}
+(Monero), Zerocash~\cite{zerocash} (ZCash) and BOLOT~\cite{BOLT}
+exacerbate Bitcoin's design issues. These systems exploit the
blockchain's decentralized nature to escape anti-money laundering
-regulation as they provide anonymous, disintermediated transactions.
+regulation~\cite{molander1998cyberpayments} as they provide anonymous,
+disintermediated transactions.
%GreenCoinX\footnote{\url{https://www.greencoinx.com/}} is a more
%recent AltCoin where the company promises to identify the owner of
@@ -303,7 +300,7 @@ Ian Goldberg's HINDE system allowed the merchant to provide change,
but the mechanism could be abused to hide income from
taxation.\footnote{Description based on personal communication. HINDE
was never published.}
-In \cite{brands1993efficient}, $k$-show signatures were proposed to
+In~\cite{brands1993efficient}, $k$-show signatures were proposed to
achieve divisibility for coins. However, with $k$-show signatures
multiple transactions can be linked to each other.
Performing fractional payments using $k$-show signatures is also