summaryrefslogtreecommitdiff
path: root/doc/system/conclusions.tex
blob: c6ec87914541d22ef0c303c983baba9d9268f682 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
\chapter{Future Work}\label{chapter:future-work}
We now discuss future work that builds upon the results presented so far.


\subsection*{Standard Model}
Our current instantiation of the Taler protocol relies heavily on hash
functions.  Since the result by Canetti and others \cite{canetti2004random}
about the theoretical impossibility of securely instantiating protocols that
rely on the random oracle assumption for their security, a vast amount of
literature has been devoted to find instantiations of interesting protocols in
the standard model \cite{koblitz2015random}.  The Taler protocol syntax could
likely be also instantiated securely in the standard model, based existing on
blind signature schemes in the standard model.  The trade-off however is that
while removing the random oracle assumption, typically other less well known
assumptions must be made.

\subsection*{Post-Quantum security}
The possibility of post-quantum computers breaking the security of established
cryptographic primitives has lately received a lot of attention from
cryptographers.  While currently most schemes with post-quantum security are impractical,
it might be worthwhile to further investigate their application to e-cash, based
on existing work such as \cite{zhang2018new}.

\subsection*{Applications to network incentives}
Some peer-to-peer networking protocols (such as onion routing
\cite{dingledine2004tor}) do not have inherent incentives and rely on
volunteers to provide infrastructure.  In future work, we want to look at
adding incentives in the form of Taler payments to a peer-to-peer networking
platform such as GNUnet.

\subsection*{Smart(er) Contracts and Auctions}
Contract terms in Taler are relatively limited.  There are some interesting
secure multiparty computations, such as privacy-preserving auctions
\cite{brandt2006obtain} that could be offered by exchanges as a fixed smart
contract.  This would allow a full privacy-preserving auction platform, as
current auction protocols only output the winner of a privacy-preserving
auction but do not address the required anonymous payments.


\subsection*{Backup and Sync}\label{sec:future-work-backup-sync}
Synchronization of wallets between multiple devices is a useful feature, but a
na\"ive implementation endangers privacy.  A carefully designed protocol for
backup and synchronization must make sure that the hosting service for the
wallet's data cannot collaborate with the exchange and merchants to deanonymize
users or transactions.  Thus when spending coins for a payment, devices should
not have to synchronously talk to their backup/sync provider.  This creates the
challenge of allocating the total available balance to individual devices in a
way that fits the customer's spending pattern, and only require synchronous
communication at fixed intervals or when really necessary to re-allocate coins.

Another possible approach might be to use Private Information Retrieval (PIR)
\cite{goldberg2007improving} to access backup and synchronization information.


\subsection*{Machine-Verified Proofs}
We currently model only a subset of the GNU Taler protocol formally, and proofs
are handwritten and verified by humans.  A tool such as CryptoVerif
\cite{blanchet2007cryptoverif} can allow a higher coverage and computer-checked
proofs, and would allow protocol changes to be validated in shorter time.

\subsection*{Coin Restrictions / ``Taler for Children''}
By designating certain denominations for different purposes, GNU Taler could be
used to implement a very simple form of anonymous credentials
\cite{paquin2011u,camenisch2004signature}, which then could be used to
implement a Taler wallet specifically aimed at children, in order to teach them
responsible and autonomous spending behavior, while granting them privacy and
at the same time preventing them from making age-inappropriate purchases
online, as the discretion of parents.

%\subsection*{gnunet-blockchain / deployment of the full stack payment system}
%=> no, talk more about integration with real banks, KYC
%
%\subsection*{P2P payments}
%
%\subsection*{NFC Wallet}
%
%\subsection*{large, scalable deployment}
%I.e. sharding, db replication, load balancer(s)
%
%\subsection*{Hardware security module for exchange}
%
%\subsection*{Bitcoin/Blockchain integration}
%
%\subsection*{UX study and improvements}
%(including tracking/planning of spending)
%
%\subsection*{News Distribution}

\chapter{Conclusion}\label{chapter:conclusion}

% sources and inspirations
% https://www.bis.org/publ/arpdf/ar2018e5.pdf
% https://www.bis.org/publ/qtrpdf/r_qt1709f.pdf
% http://andolfatto.blogspot.com/2015/02/fedcoin-on-desirability-of-government.html

This book presented GNU Taler, an efficient protocol for
value-based electronic payment systems with focus on security and
privacy.  While we believe our approach to be socially and economically beneficial, a
technological impact analysis is in order prior to adopting new
systems that have broad economic and socio-political implications.

Currencies serve three key functions in society:~\cite{mankiw2010macroeconomics}
\begin{enumerate}
\item As a unit for measurement of value,
\item a medium of exchange, and
\item a store of value.
\end{enumerate}
How do the various methods measure up to these requirements?

\section{Cryptocurrencies vs. Central-Bank-Issued Currencies}

\begin{figure}
\centering
\includegraphics[width=\textwidth]{diagrams/bitcoin-market-price.png}
  \caption[Historical market price of Bitcoin.]{Historical market price (in
  USD) of Bitcoin across major exchanges (Source:~\url{https://blockchain.com}).}
\label{fig:volatility}
\end{figure}

Cryptocurrencies generally fail to achieve the required stability to serve as a
reasonable unit of measurement (Figure~\ref{fig:volatility}).  The volatility
of cyptocurrencies is caused by a combination of a lack of institutions that
could intervene to dampen fluctuations and a comparatively limited liquidity
in the respective
markets.  The latter is exacerbated by the limited ability of decentralized
cryptocurrencies to handle large transaction volumes, despite their extreme
levels of resource consumption.  As a result, the utility of decentralized
cryptocurrencies is limited to highly speculative investments and to the
facilitation of criminal transactions.

With respect to privacy, completely decentralized cryptocurrencies
provide either too much or too little anonymity.  Transparent
cryptocurrencies create the spectre of discriminatory pricing, while
especially for privacy-enhanced cryptocurrencies the lack of
regulation creates an attractive environment for fraud and criminal
activity from tax evasion to financing of terrorism.

These problems are easily addressed by combining the register (or
ledger) with a central bank providing a regulatory framework and
monetary policy, including anti-money-laundering and
know-your-customer enforcement.

\section{Electronic Payments}

Day-to-day payments using registers are expensive and inconvenient.
Using a register requires users to {\em identify} themselves to {\em
  authorize} transactions, and the use of register-based banking
systems tends to be more expensive than the direct exchange of
physical cash.  However, with the ongoing digitalization of daily life
where a significant number of transactions is realized over networks,
some form of electronic payments remain inevitable.

The current alternative to (centrally banked) electronic cash are a
payment systems under full control of oligopoly companies such as
Google, Apple, Facebook or Visa.  The resulting oligopolies are
anti-competitive. In addition to excessive fees, they sometimes even
refuse to process payments with certain types of legal businesses,
which then are often ruined due to lack of alternatives.  Combining
payment services with companies where the core business model is
advertising is also particularly damaging for privacy.  Finally, the
sheer size of these companies creates systemic risks, just as their
global scale creates challenges for regulation.

As GNU Taler is free software, even without backing by a central bank,
Taler would not suffer from these drawbacks arising from the use of
proprietary technology.

Furthermore, Taler-style electronic cash comes
with some unique benefits:
\begin{itemize}
  \item improved income transparency compared to cash and traditional
    Chaum-style e-cash,
  \item anonymity for payers,
  \item avoidance of enticement towards consumer debt --- especially
    compared to credit cards, and
  \item support of new business models and Internet security
    mechanisms which require (anonymous) micro-transactions.
\end{itemize}

Central banks are carefully considering what might be the right
technology to implement an electronic version of their centrally
banked currency, and with Taler we hope to address most of their concerns.
Nevertheless, all electronic payment systems, including Taler even
when backed by central-bank-issued currencies, come with their own
inherent set of risks:~\cite{riksbank2017riksbank}

\begin{itemize}
  \item increased risk of a bank run: in a banking crisis,
    as it is easier to withdraw large amounts of digital
    cash quickly --- even from remote locations;
  \item increased volatility due to foreign holdings that would
    not be as easily possible with physical cash;
  \item increased risk of theft and disruption: while physical
    cash can also be stolen (and likely with much less effort), it is
    difficult to transport in volume~\cite{force2015money}, the
    risk is increased with computers because attacks scale \cite{hammer2018billion}, and
    generally many small incidents are socially preferable over a
    tiny number of very large-scale incidents; and
  \item unavailability in crisis situations without electricity and Internet
    connectivity.
\end{itemize}


We believe that in the case of Taler, some of the risks mentioned
above can be mitigated:
\begin{itemize}
 \item Volatility due to foreign holdings and the resulting increased
   risk of bank runs can be reduced by putting limits on the amount of
   electronic coins that customers can withdraw.  Limiting the
   validity periods of coins is another method that can help
   disincentivize the use of Taler as a value store.
 \item The use of open standards and reference implementations enables
   white-hat security research around GNU Taler, which together with
   good operational security procedures and the possibility of
   competing providers should reduce the risks from attacks.
 \item GNU Taler can co-exist with physical cash, and might even
   help revive the use of cash if it succeeds in reducing credit
   card use online thereby eliminating a key reason for people to
   have credit cards.
\end{itemize}

Unlike cryptocurrencies, Taler does not prescribe a solution for monetary
policy or just taxation, as we believe these issues need to be subject to
continuous political debate and cannot be ``solved'' by simplistic algorithms.
What we offer to society is an open and free (as in free speech) system with
mechanisms to audit merchants' income, instead of proprietary systems
controlled by a few oligopoly companies.