donau

Donation authority for GNU Taler (experimental)

commit 699b37391afa34dd7d16185fdfcd2d3ca74639c6
parent ece72a6c576ad8e502f77c7c103e8d1617b5abf4
Author: Christian Grothoff <grothoff@gnunet.org>
Date:   Tue,  3 Oct 2023 09:36:38 +0200

review

Diffstat:
M doc/flows/main.tex | 50 ++++++++++++++++++++++++++++----------------------
1 file changed, 28 insertions(+), 22 deletions(-)

diff --git a/doc/flows/main.tex b/doc/flows/main.tex 
@@ -46,42 +46,46 @@ The NONCE is used to uniquely distinguish DU of the same value ("create a fresh \section{Overview} \includegraphics[width=\textwidth]{overview} +% FIXME: step 0 lacks DONAU key generation (keys for blind signatures, signing keys) and distribution \subsection{Step 0: Initial setup} \begin{enumerate} \item The charity generates their own key pair. \item The DONAU administrator registers the public key of the charity and sets the yearly donation limit for the charities. \end{enumerate} +% Group steps 1-3, they are really one sub-protocol altogether! \subsection{Step 1: Donor donates to charity} \begin{enumerate} \item The donor downloads the DU public keys for the corresponding year from the DONAU. - \item To donate 5 Euros the donor has to generate 2 DUs (a 1 Euro and 4 Euro DU). The donor generates DUs $DU1$ and $DU2$ which include a salted hash of the tax number (here TAXID) and a NONCE. + \item To donate 5 Euros the donor has to generate 2 DUs (a 1 Euro and 4 Euro DU). The donor generates DUs $DU1$ and $DU2$ which include a salted hash of the tax number (here TAXID) and a NONCE. % not DUs, DRs! \begin{align} - DU1 = \langle H(TAXID, SALT), NONCE_1 \rangle \\ - DU2 = \langle H(TAXID, SALT), NONCE_2 \rangle + DU1 = \langle H(TAXID, SALT), NONCE_1 \rangle \\ % These are (prototypes) for DRs! DUs are the 1 EUR and 4 EUR! + DU2 = \langle H(TAXID, SALT), NONCE_2 \rangle % Maybe call these UDIDs? (Unique Donor Ids) \end{align} \item The donor blinds the DUs using two different blinding factors $b_1, b_2$. \begin{align} - BDU1 = BDU1 \cdot b_1^{e_{1EUR}} \mod n_{1EUR} \\ - BDU2 = BDU2 \cdot b_2^{e_{4EUR}} \mod n_{4EUR} + BDU1 = BDU1 \cdot b_1^{e_{1EUR}} \mod n_{1EUR} \\ % BDR! + BDU2 = BDU2 \cdot b_2^{e_{4EUR}} \mod n_{4EUR} % This is RSA-style blinding, in the abstract just use "blind(b_1,UDID)" \end{align} - \item The Donor signs the DUs using the correct DONAU public keys. This gives the DUs their respective value. 
+\item The Donor signs the DUs using the correct DONAU public keys. This gives the DUs their respective value. + % Eh, the DONOR never signs anything. Why should they. The DONAU does the signing! This is very wrong! \begin{align} - BS1_{pk/k1} = sign_{pk/k1}(BDU1) \\ - BS2_{pk/k4} = sign_{pk/k4}(BDU2) + BS1_{pk/k1} = sign_{pk/k1}(BDU1) \\ + BS2_{pk/k4} = sign_{pk/k4}(BDU2) \end{align} - \item The donor sends the blinded DUs (BDR) $BDU1$ and $BDU2$ as well as the signatures $BS1_{pk/k1}$ and $BS2_{pk/k4}$ to the charity in addition to the payment of 5 Euros. +\item The donor sends the blinded DUs (BDR) $BDU1$ and $BDU2$ as well as the signatures $BS1_{pk/k1}$ and $BS2_{pk/k4}$ to the charity in addition to the payment of 5 Euros. + % No BS1/BS2: those are *returned* from DONAU! \end{enumerate} \subsection{Step 2: Charity sends signed DUs to DONAU} \begin{enumerate} \item The charity verifies that the amount requested for signing is lower or equal to the effective amount of the donation. - \item The charity signs (using EdDSA) a structure containing all unsigned DUs coming from the donor. + \item The charity signs (using EdDSA) a structure containing all unsigned DUs coming from the donor. % Exactly: unsigned! \item The charity sends this structure and the signature to the DONAU. \end{enumerate} 
@@ -90,11 +94,11 @@ The NONCE is used to uniquely distinguish DU of the same value ("create a fresh \item The DONAU: \begin{enumerate} \item verifies the charity Signature on the structure. - \item verifies the signature of every DU with it's private keys. + \item verifies the signature of every DU with it's private keys. % Back to crypto course for you. Which key does one verify signatures with? \item increments the current year amount of the charity by the total amount of the BDR, if the increment does not exceed the annual limit. \item blind signs (using RSA/Schnorr) all the DUs \begin{align} - BS1_{sk/k1} = BDU1^{(d_{E1})} \emph{mod ?} \\ + BS1_{sk/k1} = BDU1^{(d_{E1})} \emph{mod ?} \\ % Yes, but do more abstract signing (blind-sign) here, not necessarily RSA BS2_{sk/k4} = BDU2^{(d_{E4})} \emph{mod ?} \end{align} \item sends back the blind signed DUs to the charity 
@@ -102,28 +106,29 @@ The NONCE is used to uniquely distinguish DU of the same value ("create a fresh \item The charity transmits the blind signed DUs to the donor. \item The donor unblinds the signatures. \begin{align} - S1_{sk/k1} = BS1_{sk/k1} \cdot b^{-1} \mod n_1 \\ + S1_{sk/k1} = BS1_{sk/k1} \cdot b^{-1} \mod n_1 \\ % again, ideally more abstract S2_{sk/k4} = BS2_{sk/k4} \cdot b^{-1} \mod n_2 \end{align} \end{enumerate} + \subsection{Step 4: Donor sends DR to DONAU, DONAU sends back donation statement (DS)} \begin{enumerate} - \item The donor sends the collection of all $(DUi, Si, kj)$ to the DONAU. The DR is always sent to the DONAU right after the donor has unblinded the DUs. The corresponding year is sent with. + \item The donor sends the collection of all $(DUi, Si, kj)$ to the DONAU. The DR is always sent to the DONAU right after the donor has unblinded the DUs. The corresponding year is sent with. % Not sure we need the year! \item For each $(DUi, Si, kj)$ The DONAU... \begin{itemize} - \item verifies that $kj$ is one of the valid public keys corresponding to the year indicated. + \item verifies that $kj$ is one of the valid public keys corresponding to the year indicated. % Why not simply lookup year from key? \item verifies if $Si$ is a correct signature with the corresponding secret key. - \item verifies that the hash of the TAXID and the salt is the same as in other DUs (how to solve the problem with multiple wallets?) + \item verifies that the hash of the TAXID and the salt is the same as in other DUs (how to solve the problem with multiple wallets?) % => Each wallet must simply obtain a separate DS! \item verifies that the nonce is different from each ever used nonce of this donor for the corresponding year. \item if all of this is the case, it adds the amount corresponding to the public key to the total donation amount for the year. 
\end{itemize} - - \item The DONAU then signs over the amount, year and hashed TAXID+salt and sends signature and the total amount so far back to the donor. + \item The DONAU then signs over the amount, % => total + year and hashed TAXID+salt and sends signature and the total amount so far back to the donor. \begin{align} - sign(total amount, year, hash(TAXID, salt)) + sign(total amount, year, hash(TAXID, salt)) % Call the result *something*. (DS)? \end{align} \end{enumerate} @@ -134,13 +139,14 @@ The NONCE is used to uniquely distinguish DU of the same value ("create a fresh \begin{itemize} \item TAXID \item salt - \item signature received from the DONAU + \item signature received from the DONAU % DS? \item year \item amount for the year - \item version of the protocol(one byte) + \item version of the protocol (one byte) % probably should be first ;-) \end{itemize} - \item The validator scans the QR code and validates that the signature corresponds to the current DONAU DS signing key. +\item The validator scans the QR code and validates that the signature corresponds to the current DONAU DS signing key. + % => step 0 lacked DONAU DS signing key setup & distribution ... \end{enumerate} \end{document}
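Review bot: In the @@ -46,42 +46,46 @@ hunk, the Step 1 blinding equations are still self-referential: "BDU1 = BDU1 \cdot b_1^{e_{1EUR}} \mod n_{1EUR}" has the blinded value on both sides, and the new comment only asks for a rename to BDR. The right-hand side should take the unblinded value, or the line should be replaced by the abstract "blind(b_1,UDID)" form that the comment on the BDU2 line proposes. The item "The Donor signs the DUs using the correct DONAU public keys" is also kept as rendered text with only a comment calling it wrong; since the comment on the next item says BS1/BS2 are returned from the DONAU, dropping that item and its align block from Step 1 would make the text agree with the comments.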
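Review bot: In the @@ -90,11 +94,11 @@ hunk, "verifies the signature of every DU with it's private keys" is annotated but left unchanged, so the rendered document still tells the reader to verify with private keys. Step 2 states that the charity forwards unsigned DUs (the comment there says "Exactly: unsigned!"), so at this point there is no DU signature to verify; consider deleting the item rather than correcting the key, and fix "it's" to "its" if it stays. The blind-signing equations in the same hunk still end in "\emph{mod ?}" and use d_{E1}/d_{E4} where Step 1 uses the subscripts 1EUR/4EUR; the move to an abstract blind-sign that the comment asks for would remove both problems.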
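Review bot: In the @@ -102,28 +106,29 @@ hunk, both unblinding equations use an unindexed "b^{-1}", while Step 1 introduces two different blinding factors b_1 and b_2; S1 should use b_1^{-1} and S2 should use b_2^{-1}. The moduli are written n_1 and n_2 here but n_{1EUR} and n_{4EUR} in Step 1, so pick one naming. Further down, the "% => total" comment is placed mid-sentence and the text still reads "signs over the amount"; changing the word to "total amount" in the sentence itself would match the align block below it, which already says "total amount".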
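Review bot: In the @@ -134,13 +139,14 @@ hunk, the comment on "version of the protocol (one byte)" says the field should probably be first, but the list order is unchanged; moving the item to the top of the QR code field list would document the order a validator needs in order to interpret the remaining fields by version. The last "\item The validator scans the QR code ..." line has lost its indentation relative to the other items in the enumerate (the same happens to two items in Step 1), which is worth restoring for consistency. The new comment about missing DS signing key setup duplicates the FIXME added before Step 0; one of the two could reference the other.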