summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorFlorian Dold <florian.dold@gmail.com>2018-09-01 21:52:14 +0200
committerFlorian Dold <florian.dold@gmail.com>2018-09-01 21:52:14 +0200
commit7b705246a655c719cfd4248d80e3e625918bb07e (patch)
tree1dd1332cdaec3255f0b2f059bd6fdb513335ee30
parent43e10c3cab7ebd5cd009a6ca8afc56a2e3010569 (diff)
downloadpapers-7b705246a655c719cfd4248d80e3e625918bb07e.tar.gz
papers-7b705246a655c719cfd4248d80e3e625918bb07e.tar.bz2
papers-7b705246a655c719cfd4248d80e3e625918bb07e.zip
abstract, fix up bib
-rw-r--r--taler-fc19/paper.tex102
-rw-r--r--taler-fc19/ref.bib43
2 files changed, 47 insertions, 98 deletions
diff --git a/taler-fc19/paper.tex b/taler-fc19/paper.tex
index e5f59b5..05e808e 100644
--- a/taler-fc19/paper.tex
+++ b/taler-fc19/paper.tex
@@ -5,6 +5,7 @@
\documentclass[runningheads]{llncs}
%
\usepackage{graphicx}
+%\usepackage{hyperref}
\usepackage{amsmath,amssymb}
% Used for displaying a sample figure. If possible, figure files should
% be included in EPS format.
@@ -21,16 +22,23 @@
\begin{abstract}
Traditional security definitions for anonymous e-cash omit properties that
- are vital for practical deployments.
-
- We argue that a protocol for unlinkable change is necessary even in schemes
- that provide divisibility. As a naive implementation of a change protocol
- opens
+ are vital for practical deployments conducting real economic transactions.
+ First, they do not protect against economic losses when protocols are aborted.
+ Second, they do not require that customers have cryptographic evidence that they
+ spent e-cash on a particular business transaction. We introduce \emph{conservation}
+ as an additional security property to anonymity and unforgeability.
+
+ Another omission of many existing e-cash schemes and their security
+ definitions is they do not provide anonymity when wallets are restored from
+ backup or synchronized with other devices. We argue from this position that
+ a protocol for unlinkable change is necessary even in schemes that provide
+ divisibility. As a naive implementation of a change protocol opens up the
+ possibility of misusing it for tax evasion, we define an income transparency
+ security property.
We furthermore show that an e-cash protocol that fulfills these properties
can be used to implement Camenisch-style fair exchange, tick payments, and
can be used to provide anonymous refunds.
-
\keywords{First keyword \and Second keyword \and Another keyword.}
\end{abstract}
@@ -103,20 +111,21 @@ charged by the exchange.
The spending of multiple coins is modeled non-atomically: to spend (fractions
of) multiple coins, they must be spent one-by-one. The individual
spend/deposit operations are correlated by a unique identifier for the
-transaction. In practice this identifier is the hash $\V{transactionId} =
-H(\V{contractTerms})$ of the contract terms\footnote{The contract terms
-are a digital representation of an individual offer for a certain product or service the merchant sells
-for a certain price.}. Contract terms include a nonce to make them
-unique, that merchant and customer agreed upon. Note that this transaction
-identifier and the correlation between multiple spend operations for one
-payment need not be disclosed to the exchange (it might, however, be necessary
-to reveal during a detailed tax audit of the merchant): When spending the $i$-th coin
-for the transaction with the identifier $\V{transactionId}$, messages to the
-exchange would only contain $H(i \Vert \V{transactionId})$. This is preferable
-for merchants that might not want to disclose to the exchange the individual
-prices of products they sell to customers, but only the total transaction
-volume over time. For simplicity, we do not include this extra feature in our
-model.
+transaction.
+%In practice this identifier is the hash $\V{transactionId} =
+%H(\V{contractTerms})$ of the contract terms\footnote{The contract terms
+%are a digital representation of an individual offer for a certain product or service the merchant sells
+%for a certain price.}. Contract terms include a nonce to make them
+%unique, that merchant and customer agreed upon. Note that this transaction
+%identifier and the correlation between multiple spend operations for one
+%payment need not be disclosed to the exchange (it might, however, be necessary
+%to reveal during a detailed tax audit of the merchant): When spending the $i$-th coin
+%for the transaction with the identifier $\V{transactionId}$, messages to the
+%exchange would only contain $H(i \Vert \V{transactionId})$. This is preferable
+%for merchants that might not want to disclose to the exchange the individual
+%prices of products they sell to customers, but only the total transaction
+%volume over time. For simplicity, we do not include this extra feature in our
+%model.
Customers are identified by their public key $\V{pkCustomer}$. Every customer
keeps track of the following data:
@@ -534,7 +543,6 @@ in $\mathfrak{R}$.
\begin{figure}
\fbox{\begin{minipage}{\textwidth}
\small
-\bigskip
\noindent $\mathit{Exp}_{\prt{A}}^{anon}(1^\lambda, 1^\kappa, b)$:
\vspace{-0.5\topsep}
\begin{enumerate}
@@ -581,7 +589,9 @@ money.
Let $\oraSet{Conserv} := \oraSet{Taler} - \{\ora{Share}\}$ stand for access to the
all Taler oracles except the sharing oracle.
-\bigskip
+\begin{figure}
+\fbox{\begin{minipage}{\textwidth}
+\small
\noindent $\mathit{Exp}_{\cal A}^{conserv}(1^\lambda, 1^\kappa)$:
\vspace{-0.5\topsep}
\begin{enumerate}
@@ -598,6 +608,8 @@ all Taler oracles except the sharing oracle.
Let $v_{S}$ be the total financial value of contracts in $\V{acceptedContracts}[\V{pkCustomer}]$.
\item Return $1$ if $\V{withdrawn}[\V{pkCustomer}] > v_{C} + v_{S}$.
\end{enumerate}
+\end{minipage}}
+\end{figure}
Hence we ensure that:
\begin{itemize}
@@ -624,7 +636,9 @@ they legitimately withdraw.
Let $\oraSet{Forge} := \oraSet{Taler}$ stand for access to the all Taler
oracles.
-\bigskip
+\begin{figure}
+\fbox{\begin{minipage}{\textwidth}
+\small
\noindent $\mathit{Exp}_{\cal A}^{forge}(1^\lambda, 1^\kappa)$:
\vspace{-0.5\topsep}
\begin{enumerate}
@@ -637,6 +651,8 @@ oracles.
\dots, C_\ell$ exceeds the amount withdrawn by corrupted
customers, return $0$ otherwise.
\end{enumerate}
+\end{minipage}}
+\end{figure}
\subsection{Income Transparency}
@@ -658,7 +674,9 @@ without being visible as income to the exchange.
Let $\oraSet{Income} := \oraSet{Taler}$ stand for access to the
all Taler oracles.
-\bigskip
+\begin{figure}
+\fbox{\begin{minipage}{\textwidth}
+\small
\noindent $\mathit{Exp}_{\cal A}^{income}(1^\lambda, 1^\kappa)$:
\vspace{-0.5\topsep}
\begin{enumerate}
@@ -682,6 +700,8 @@ all Taler oracles.
$b := w - s$ gives the coins lost during refresh, that is the losses incurred attempting to hide income.
\item If $b+p \ne 0$, return $p \over b + p$, i.e. the laundering ratio for attempting to obtain untaxed income. Otherwise return $0$.
\end{enumerate}
+\end{minipage}}
+\end{figure}
\section{Security Definitions}\label{sec:security-properties}
@@ -1087,39 +1107,10 @@ deposit permissions for the locked coins. On aborted fair exchanges,
the customer refreshes to obtain unlinkable coins.
+\bibliographystyle{splncs04}
+\bibliography{ref}
-
-%
-% ---- Bibliography ----
-%
-% BibTeX users should specify bibliography style 'splncs04'.
-% References will then be sorted and formatted in the correct style.
-%
-% \bibliographystyle{splncs04}
-% \bibliography{mybibliography}
-%
-\begin{thebibliography}{8}
-\bibitem{ref_article1}
-Author, F.: Article title. Journal \textbf{2}(5), 99--110 (2016)
-
-\bibitem{ref_lncs1}
-Author, F., Author, S.: Title of a proceedings paper. In: Editor,
-F., Editor, S. (eds.) CONFERENCE 2016, LNCS, vol. 9999, pp. 1--13.
-Springer, Heidelberg (2016). \doi{10.10007/1234567890}
-
-\bibitem{ref_book1}
-Author, F., Author, S., Author, T.: Book title. 2nd edn. Publisher,
-Location (1999)
-
-\bibitem{ref_proc1}
-Author, A.-B.: Contribution title. In: 9th International Proceedings
-on Proceedings, pp. 1--2. Publisher, Location (2010)
-
-\bibitem{ref_url1}
-LNCS Homepage, \url{http://www.springer.com/lncs}. Last accessed 4
-Oct 2017
-\end{thebibliography}
\end{document}
@@ -1446,3 +1437,4 @@ As for $F = \emptyset$, the return value of the game must be $0$, we conclude
%
%From \cite{bellare2003onemore}. Assumption to prove security of RSA blind signatures. Equivalent to RSA-CTI.
+
diff --git a/taler-fc19/ref.bib b/taler-fc19/ref.bib
index 5a5f9b2..4fda028 100644
--- a/taler-fc19/ref.bib
+++ b/taler-fc19/ref.bib
@@ -40,8 +40,6 @@
isbn = {978-3-319-12279-3},
pages = {127--142},
numpages = {16},
- url = {http://dx.doi.org/10.1007/978-3-319-12280-9_9},
- doi = {10.1007/978-3-319-12280-9_9},
acmid = {2769431},
publisher = {Springer-Verlag New York, Inc.},
address = {New York, NY, USA},
@@ -380,8 +378,6 @@
pages="33--47",
abstract="It is now recognized that the Consensus problem is a fundamental problem when one has to design and implement reliable asynchronous distributed systems. This chapter is on the Consensus problem. It studies Consensus in two failure models, namely, the Crash/no Recovery model and the Crash/Recovery model. The assumptions related to the detection of failures that are required to solve Consensus in a given model are particularly emphasized.",
isbn="978-3-540-46475-4",
- doi="10.1007/3-540-46475-1_2",
- url="https://doi.org/10.1007/3-540-46475-1_2"
}
@@ -497,8 +493,6 @@
pages="300--316",
abstract="Pedersen designed the first scheme for generating Discrete- Log keys without any trusted dealer in 1991. As this protocol is simple and efficient, it appeared to be very attractive. For a long time, this robust algorithm has been trusted as being secure. However, in 1999, Gennaro et al. proved that one of the requirements is not guaranteed : more precisely, the property that the key is uniformly distributed in the key space. Their main objective was to repair the security flaw without sacrificing on efficiency. As a result, the protocol became secure but somehow unpractical. In particular, the ``complaint phase'', in which cheaters are thrown out, makes the scheme overly complex and difficult to deal with in practical situations. In order to avoid this phase and other drawbacks such as the initialization phase where private channels have to be created, we present a one round scheme which generates a discrete-log key with public channels only. Finally, we show how to improve the efficiency of our algorithm when the number of servers increases.",
isbn="978-3-540-44586-9",
- doi="10.1007/3-540-44586-2_22",
- url="https://doi.org/10.1007/3-540-44586-2_22"
}
@@ -726,8 +720,6 @@
pages="24--44",
abstract="Secure multi-party computation (MPC) allows multiple parties to compute a known function over inputs held by each party, without any party having to reveal its private input. Unfortunately, traditional MPC algorithms do not scale well to large numbers of parties. In this paper, we describe several recent MPC algorithms that are designed to handle large networks. All of these algorithms rely on recent techniques from the Byzantine agreement literature on forming and using quorums. Informally, a quorum is a small set of parties, most of which are trustworthy. We describe the advantages and disadvantages of these scalable algorithms, and we propose new ideas for improving practicality of current techniques. Finally, we conduct simulations to measure bandwidth cost for several current MPC algorithms.",
isbn="978-3-662-46078-8",
- doi="10.1007/978-3-662-46078-8_3",
- url="https://doi.org/10.1007/978-3-662-46078-8_3"
}
@@ -835,8 +827,6 @@
pages="281--310",
abstract="Bitcoin is the first and most popular decentralized cryptocurrency to date. In this work, we extract and analyze the core of the Bitcoin protocol, which we term the Bitcoin backbone, and prove two of its fundamental properties which we call common prefix and chain quality in the static setting where the number of players remains fixed. Our proofs hinge on appropriate and novel assumptions on the ``hashing power'' of the adversary relative to network synchronicity; we show our results to be tight under high synchronization.",
isbn="978-3-662-46803-6",
- doi="10.1007/978-3-662-46803-6_10",
- url="https://doi.org/10.1007/978-3-662-46803-6_10"
}
@@ -1061,9 +1051,7 @@
volume={7741},
series={Lecture Notes in Computer Science},
editor={van Emde Boas, Peter and Groen, FransC.A. and Italiano, GiuseppeF. and Nawrocki, Jerzy and Sack, Harald},
- doi={10.1007/978-3-642-35843-2_31},
title={Mixed Hypergraphs for Linear-Time Construction of Denser Hashing-Based Data Structures},
- url={http://dx.doi.org/10.1007/978-3-642-35843-2_31},
publisher={Springer Berlin Heidelberg},
author={Rink, Michael},
pages={356-368},
@@ -1147,8 +1135,6 @@
isbn = {978-3-642-03548-7},
pages = {325--343},
numpages = {19},
- url = {http://dx.doi.org/10.1007/978-3-642-03549-4_20},
- doi = {10.1007/978-3-642-03549-4_20},
acmid = {1602018},
publisher = {Springer-Verlag},
address = {Berlin, Heidelberg},
@@ -1185,8 +1171,6 @@
location = {Tenerife, Spain},
pages = {336--342},
numpages = {7},
- doi_url = {http://dx.doi.org/10.1007/978-3-642-14577-3_27},
- doi = {10.1007/978-3-642-14577-3_27},
acmid = {2163598},
publisher = {Springer-Verlag},
address = {Berlin, Heidelberg},
@@ -1207,8 +1191,6 @@
pages="314--332",
abstract="Off-line e-cash systems are the digital analogue of regular cash. One of the main desirable properties is anonymity: spending a coin should not reveal the identity of the spender and, at the same time, users should not be able to double-spend coins without being detected. Compact e-cash systems make it possible to store a wallet of O(2 L ) coins using O(L{\thinspace}+{\thinspace}$\lambda$) bits, where $\lambda$ is the security parameter. They are called divisible whenever the user has the flexibility of spending an amount of 2ℓ, for some ℓ{\thinspace}≤{\thinspace}L, more efficiently than by repeatedly spending individual coins. This paper presents the first construction of divisible e-cash in the standard model (i.e., without the random oracle heuristic). The scheme allows a user to obtain a wallet of 2 L coins by running a withdrawal protocol with the bank. Our construction is built on the traditional binary tree approach, where the wallet is organized in such a way that the monetary value of a coin depends on how deep the coin is in the tree.",
isbn="978-3-642-36334-4",
- doi="10.1007/978-3-642-36334-4_20",
- url="https://doi.org/10.1007/978-3-642-36334-4_20"
}
@@ -1272,8 +1254,6 @@ url="https://doi.org/10.1007/s00145-002-0120-1"
pages="61--90",
abstract="Divisible e-cash, proposed in 1991 by Okamoto and Ohta, addresses a practical concern of electronic money, the problem of paying the exact amount. Users of such systems can indeed withdraw coins of a large value N and then divide it into many pieces of any desired values {\$}{\$}V{\backslash}le N{\$}{\$} . Such a primitive therefore allows to avoid the use of several denominations or change issues. Since its introduction, many constructions have been proposed but all of them make use of the same framework: they associate each coin with a binary tree, which implies, at least, a logarithmic complexity for the spendings.",
isbn="978-3-662-54365-8",
- doi="10.1007/978-3-662-54365-8_4",
- url="https://doi.org/10.1007/978-3-662-54365-8_4"
}
@@ -1292,8 +1272,6 @@ url="https://doi.org/10.1007/s00145-002-0120-1"
pages="77--100",
abstract="Divisible E-cash systems allow users to withdraw a unique coin of value {\$}{\$}2^n{\$}{\$} from a bank, but then to spend it in several times to distinct merchants. In such a system, whereas users want anonymity of their transactions, the bank wants to prevent, or at least detect, double-spending, and trace the defrauders. While this primitive was introduced two decades ago, quite a few (really) anonymous constructions have been introduced. In addition, all but one were just proven secure in the random oracle model, but still with either weak security models or quite complex settings and thus costly constructions. The unique proposal, secure in the standard model, appeared recently and is unpractical. As evidence, the authors left the construction of an efficient scheme secure in this model as an open problem.",
isbn="978-3-662-46447-2",
- doi="10.1007/978-3-662-46447-2_4",
- url="https://doi.org/10.1007/978-3-662-46447-2_4"
}
@@ -1310,8 +1288,6 @@ url="https://doi.org/10.1007/s00145-002-0120-1"
address="Berlin, Heidelberg",
pages="302--321",
isbn="978-3-540-32055-5",
- doi="10.1007/11426639_18",
- url="https://doi.org/10.1007/11426639_18"
}
@@ -1340,8 +1316,6 @@ address="Cham",
pages="287--306",
abstract="Divisible E-cash has been introduced twenty years ago but no construction is both fully secure in the standard model and efficiently scalable. In this paper, we fill this gap by providing an anonymous divisible E-cash construction with constant-time withdrawal and spending protocols. Moreover, the deposit protocol is constant-time for the merchant, whatever the spent value is. It just has to compute and store {\$}{\$}2^l{\$}{\$} serial numbers when a value {\$}{\$}2^l{\$}{\$} is deposited, compared to {\$}{\$}2^n{\$}{\$} serial numbers whatever the spent amount (where {\$}{\$}2^n{\$}{\$} is the global value of the coin) in the recent state-of-the-art paper. This makes a very huge difference when coins are spent in several times.",
isbn="978-3-319-28166-7",
-doi="10.1007/978-3-319-28166-7_14",
-url="https://doi.org/10.1007/978-3-319-28166-7_14"
}
@@ -1358,15 +1332,12 @@ address="Berlin, Heidelberg",
pages="438--451",
abstract="Recently, several ``divisible'' untraceable off-line electronic cash schemes have been presented [8, 11, 19, 20]. This paper presents the first practical ``divisible'' untraceable1 off-line cash scheme that is ``single-term''2 in which every procedure can be executed in the order of log N, where N is the precision of divisibility, i.e., N = (the total coin value)/(minimum divisible unit value). Therefore, our ``divisible'' off-line cash scheme is more efficient and practical than the previous schemes. For example, when N = 217 (e.g., the total value is about {\$} 1000, and the minimum divisible unit is 1 cent), our scheme requires only about 1 Kbyte of data be transfered from a customer to a shop for one payment and about 20 modular exponentiations for one payment, while all previous divisible cash schemes require more than several Kbytes of transfered data and more than 200 modular exponentiations for one payment.",
isbn="978-3-540-44750-4",
-doi="10.1007/3-540-44750-4_35",
-url="https://doi.org/10.1007/3-540-44750-4_35"
}
@techreport{brands1993efficient,
author = {Brands, Stefan A.},
title = {An Efficient Off-line Electronic Cash System Based On The Representation Problem.},
year = {1993},
- source = {http://www.ncstrl.org:8900/ncstrl/servlet/search?formname=detail\&id=oai%3Ancstrlh%3Aercim_cwi%3Aercim.cwi%2F%2FCS-R9323},
publisher = {CWI (Centre for Mathematics and Computer Science)},
address = {Amsterdam, The Netherlands, The Netherlands},
}
@@ -1424,8 +1395,6 @@ url="https://doi.org/10.1007/3-540-44750-4_35"
pages="199--203",
abstract="Automation of the way we pay for goods and services is already underway, as can be seen by the variety and growth of electronic banking services available to consumers. The ultimate structure of the new electronic payments system may have a substantial impact on personal privacy as well as on the nature and extent of criminal use of payments. Ideally a new payments system should address both of these seemingly conflicting sets of concerns.",
isbn="978-1-4757-0602-4",
- doi="10.1007/978-1-4757-0602-4_18",
- url="https://doi.org/10.1007/978-1-4757-0602-4_18"
}
@@ -1443,8 +1412,6 @@ url="https://doi.org/10.1007/3-540-44750-4_35"
pages="319--327",
abstract="The use of credit cards today is an act of faith on the part of all concerned. Each party is vulnerable to fraud by the others, and the cardholder in particular has no protection against surveillance.",
isbn="978-0-387-34799-8",
- doi="10.1007/0-387-34799-2_25",
- url="https://doi.org/10.1007/0-387-34799-2_25"
}
@@ -1516,8 +1483,6 @@ url="https://doi.org/10.1007/3-540-44750-4_35"
address="Berlin, Heidelberg",
pages="319--338",
isbn="978-3-540-46088-6",
- doi="10.1007/3-540-46088-8_25",
- url="https://www.di.ens.fr/~pointche/Documents/Papers/2001_fcA.pdf"
}
@misc{LightningNetwork,
@@ -1545,7 +1510,6 @@ url="https://doi.org/10.1007/3-540-44750-4_35"
day = {5},
year = {2015},
note = {\url{https://arstechnica.com/tech-policy/2015/05/cryptocurrency-maker-ripple-labs-fined-700k-for-flouting-financial-regs/}},
- url_coindesk = {http://www.coindesk.com/fincen-fines-ripple-labs-700000-bank-secrecy-act/}
}
@misc{RippleFined:CoinDesk,
@@ -1599,8 +1563,6 @@ url="https://doi.org/10.1007/3-540-44750-4_35"
year = {2005},
pages = {302--321},
publisher = {Springer-Verlag},
- url = {http://cs.brown.edu/~anna/papers/chl05-full.pdf},
- url_citeseerx = {http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.136.4640}
}
@@ -1714,11 +1676,6 @@ url="https://doi.org/10.1007/3-540-44750-4_35"
booktitle = {Proceedings of the 13th USENIX Security Symposium},
year = {2004},
month = {8},
- www_important = {1},
- www_tags = {selected},
- www_html_url = {https://www.torproject.org/svn/trunk/doc/design-paper/tor-design.html},
- www_pdf_url = {https://www.torproject.org/svn/trunk/doc/design-paper/tor-design.pdf},
- www_section = {Anonymous communication},
}