donau

Donation authority for GNU Taler (experimental)
Log | Files | Refs | Submodules | README | LICENSE
commit 70cbe3ae5c477e015dc5e6a94b122e1b35620b23
parent 262d08a7b452f30a64c2d8b8bb73d8ae47e43ed7
Author: Casaburi Johannes <johannes.casaburi@students.bfh.ch>
Date:   Mon, 16 Oct 2023 21:13:08 +0200

[doc] major rewrite

Diffstat:

Mdoc/flows/main.tex | 165++++++++++++++++++++++++++++++++++++++++---------------------------------------


1 file changed, 83 insertions(+), 82 deletions(-)

diff --git a/doc/flows/main.tex b/doc/flows/main.tex
@@ -12,7 +12,7 @@
 % Colour table cells
 \usepackage[table]{xcolor}
 
-\title{DONAU protocol overview}
+\title{Donau protocol overview}
 \author{Johannes Casaburi \and Pius Loosli \and Lukas Matyja}
 \date{\today}
 
@@ -21,130 +21,131 @@
 
 \section{Definitions}
 \begin{itemize}
-\item $DU :=$ \textbf{donation unit} = Smallest structure representing a donation confirmation unit, i.e. accepted values that compose a donation (examples: CHF1, CHF2, EUR1, EUR2). Equivalent in Taler is "denomination".
-  \item $UDID := $ \textbf{unique donor identifier} of a donor by tax ID, made unique per donation to obtain unique $DR$s per donation
-  \item $BDID :=$ blinded $UDID$, blinded for privacy of the donor
-  \item $BS :=$ BDU blinded signature made with a donation unit secret key (from DONAU)
-  \item $S :=$ unblinded BS
-  \item $DR :=$ \textbf{donation receipt} = $UDID$ with $S$ signature of DONAU affirming donation over the respectiv amount as given by the DU associated with the signature
-  \item $DRs :=$ collection of $DR$s
-  \item $DS_{year} :=$ \textbf{donation statement} = confirmation over the total amount of DRs produced for a specific year and specific donor (DID)
-  \item $b :=$ blinding factor
-  \item $H :=$ cryptographic hash function
-  \item $DUi, Si, DRi, \ldots$ := number entities if there are more than one e.g. $DU1$, $DU2$ ...
-  \item $BS_{kj}$ or $S_{kj} \Rightarrow kj$ := specific DONAU public key used to attribute a specific value to a DU, e.g. k1 gives the DU a value of 1, k2 a value of 2...
-\end{itemize}
+  \item \textbf{Cryptographic Hash Function} $H$
+
+  \item \textbf{Signing Function} $Sign$
+
+  \item \textbf{Blind Signing Function} $BSign$
+
+  \item \textbf{Signature} $S$
+
+  \item \textbf{Blind Signature} $B$
 
-\subsection{Unique Donor ID (UDID)}
+  \item \textbf{Blinding Factor} $b$
 
-The NONCE is used to uniquely distinguish donor IDs of the same value
-("create a fresh donor ID").  Otherwise the DONAU would refuse DUs
-containing donations of equal amount to the same charity, since this
-would be seen as "double spending" (or rather, double claiming of
-tax deduction for the same donation). 
+  \item \textbf{Donation Unit} $DU = (K_{pub}, K_{priv})$: Smallest structure representing a donation confirmation unit. Consists of a Public key $K_{pub}$ and Private key $K_{priv}$. Equivalent in Taler is "denomination".
 
-\begin{align}
-  UDID := \langle H(TAXID, SALT), NONCE \rangle
-\end{align}
+  \item \textbf{Unique Donor Identifier} $UDI = \langle H(TAXID, SALT), NONCE \rangle$
+
+  \item \textbf{Blinded Unique Donor Identifier} $BUDI = \langle B_{UDI}, H(K_{pub}) \rangle$, blinded to protect the privacy of the donor
+
+  \item \textbf{Donation Receipt} $DR = \langle UDI, S_{UDI}, H(K_{pub}) \rangle$
+
+  \item \textbf{Donation Statement} $DS$: Signature to attest the amount donated in a particular year by a specific donor.
+
+\end{itemize}
 
 \section{Overview}
 \includegraphics[width=\textwidth]{overview}
 
-\subsection{Step 0: Initial setup}
+\subsection{Step 0: Key generation and Initial setup}
 \begin{enumerate}
-  \item Key generation for blind signatures and statement signing by the DONAU. Distribution of the keys to charities, donors and tax authorities (possibly on-demand via REST API). Let $ki$ be the private key for $i$ DU and $Pi$ be the corresponding public key. 
-  \item The charity generates their own key pair (charity pub/priv).
-  \item The DONAU administrator registers the public key of the charity and sets the yearly donation limit for the charities.
+  \item The Donau generates a public key $D_{pub}$ and private key $D_{priv}$.
+
+  \item The Donau generates the donation units ($DU$'s) consisting of $K_{pub}^x$ and $K_{priv}^x$ where $x$ is the associated value.
+
+  \item The charity generates the key pair $(C_{pub}, C_{priv})$.
+
+  \item The Donau administrator registers the public key $C_{pub}$ and sets the yearly donation limit for the charities.
 \end{enumerate}
 
 \subsection{Step 1: Attest donation}
 \subsubsection{Donor donates to charity}
 \begin{enumerate}
-  \item The donor downloads the DU public keys $P1, P4$ for the corresponding year from the DONAU.
+  \item The donor downloads the $DU$'s public keys $K_{pub}^x$ for the corresponding year from the Donau.
 
-  \item To donate 5 Euros the donor has to generate 2 UDIDs (for 1 Euro and 4 Euro DU).
-    The donor generates UDIDs $U1$ and $U2$ which include a salted hash of the tax number
-    (here TAXID) and a NONCE.
+  \item The donor generates a $UDI = \langle H(TAXID, SALT), NONCE \rangle$ for every $DU$.
 
-  \begin{align}
-    U1 = \langle H(TAXID, SALT), NONCE_1 \rangle \\
-    U2 = \langle H(TAXID, SALT), NONCE_2 \rangle
-  \end{align}
+  \item The donor blinds the $UDI$'s using a \textbf{different} blinding factor $b$ for every $UDI$.
 
-  \item The donor blinds the UDIDs using two different blinding factors $b_1, b_2$.
   \begin{align}
-    BU1 = \langle blind(b_1,U1, P1), H(P1) \rangle \\
-    BU2 = \langle blind(b_2,U2, P4), H(P4) \rangle
+      B_{UDI} &= BSign(b,UDI, K_{pub}) \\
+      BUDI &= \langle B_{UDI}, H(K_{priv}) \rangle
   \end{align}
 
-\item The donor sends the blinded UDIDs (BDIDs) $BU1$ and $BU2$ as well as the payment of 5 Euros.
-
+\item The donor sends the $BUDI$'s as well as the corresponding payment to the charity.
 \end{enumerate}
 
-\subsubsection{Charity sends signed BDIDs to DONAU}
+\subsubsection{Charity sends signed $BUDI$'s to Donau}
 \begin{enumerate}
-\item The charity verifies that the amount requested (based on the $H(Pi)$)
-      for signing is lower or equal to the effective amount of the donation.
-  \item The charity signs (using EdDSA) a structure containing all unsigned BDIDs coming from the donor.
-  \item The charity sends this structure and the signature to the DONAU.
+  \item The charity verifies that the amount requested (based on the $H(K_{pub})$) for signing is lower or equal to the effective amount of the donation.
+
+  \item The charity signs (using EdDSA) a structure containing all unsigned $BUDI$'s coming from the donor.
+
+  \begin{align}
+      S_C = Sign(\langle BUDI_1, BDUI_2, .. \rangle, C_{priv})
+  \end{align}
+
+  \item The charity sends this structure and the signature $S_C$ to the Donau.
 \end{enumerate}
 
-\subsubsection{DONAU sends back blind signed UDIDs to charity}
+\subsubsection{Donau sends back the blind signed $UDI$'s to charity}
 \begin{enumerate}
-  \item The DONAU:
+  \item The Donau:
     \begin{enumerate}
-      \item verifies the charity signature on the structure.
-      \item increments the current year amount of the charity by the total amount of the BDIDs, if the increment does not exceed the annual limit.
-      \item blind signs all the BDIDs using the private keys $k_i$ matching the public keys $H(Pi)$.
+      \item verifies the signature $S_C$ on the structure.
+
+      \item increments the current amount of donations received per year of the charity. This value is increased by the total amount of the $BUDI$'s, if the increment does not exceed the annual limit.
+
+      \item blind signs all the $BUDI$'s using the $DU$ private keys $K_{priv}$ matching the public keys used in $H(K_{pub})$.
+
         \begin{align}
-          BS1 &:= sign(BU1, k_1) \\
-          BS2 &:= sign(BU2, k_4)
+            S_D = Sign(BUDI, K_{priv})
         \end{align}
-      \item sends back the blind signatures to the charity.
+
+    \item sends back the blind signatures ($S_D$'s) to the charity.
     \end{enumerate}
+
   \item The charity transmits the blind signatures to the donor.
-  \item The donor unblinds the signatures.
+
+  \item The donor unblinds the $BUDI$'s to get the signed $UDI$'s. This results in the \textbf{Donation Receipt} $DR$ consisting of the $UDI$, the signature $S_{UDI}$ and the Hash of the $DU$ public key $H(K_{pub})$.
+
   \begin{align}
-    S1_{k1} &= unblind(BS1, b_1) \\
-    S2_{k4} &= unblind(BS2, b_2)
+      S_{UDI} &= B^{-1}(BUDI, S_D, b) \\
+      DR &= \langle UDI, S_{UDI}, H(K_{pub}) \rangle
   \end{align}
 \end{enumerate}
 
-
-\subsection{Step 2: Donor sends DRs to DONAU, DONAU sends back donation statement (DS)}
+\subsection{Step 2: Donor sends the $DR$'s to the Donau to get the \textbf{Donation Statement} $DS$.}
 \begin{enumerate}
-  \item The donor sends the collection of all $\langle DUi, Si, H(Pj) \rangle$, also called DRs, to the DONAU. The DRs are sent manually once a year.
-  \item For each $\langle DUi, Si, H(Pj) \rangle$ The DONAU...
-
+  \item The donor sends the collection of all $DR$'s, to the Donau. The $DR$'s are sent manually once a year.
+  \item For each $DR$ the Donau:
   \begin{itemize}
-    \item check if $Pj$ is stored and get the corresponding year and donation unit (amount donated).
-    \item verifies if $Si$ is a correct signature with the corresponding public key $Pj$.
-    \item verifies that the hash of the TAXID and the salt is the same as in other DRs (With multiple wallets each wallet must simply obtain a separate DS!).
-    \item verifies that the nonce is different from each ever used nonce of this donor for the corresponding year.
-    \item if all of this is the case, it adds the amount corresponding to the public key to the total donation amount for the year.
+    \item checks that $K_{pub}$ is valid.
+
+    \item verifies that the signature $S_{UDI}$ is correct using the corresponding public key $K_{pub}$.
+
+    \item verifies that the hash of the $TAXID$ and the $SALT$ is the same as in other $DR$'s (With multiple wallets each wallet must simply obtain a separate $DS$!).
+
+    \item verifies that the $NONCE$ is unique and was not used before by the donor for the corresponding year.
   \end{itemize}
-  \item The DONAU then signs over the total amount,
-  year and hashed TAXID+salt and sends signature and the total amount so far back to the donor.
 
-  \begin{align}
-    DS := sign(total amount, year, H(TAXID, salt))
-  \end{align}
+  \item The Donau signs over the total amount,
+      year and $H(TAXID, SALT)$ and sends the signature and the total amount so far back to the donor. This results in the \textbf{Donation Statement} $DS$.
 
+    \begin{align}
+        DS = Sign(\langle AMOUNT_{Total}, YEAR, H(TAXID, SALT) \rangle, D_{priv})
+    \end{align}
 \end{enumerate}
 
-\subsection{Step 3: Donor sends QR Code to validator (tax office)}
+\subsection{Step 3: Donor sends the QR Code to a validator (tax office)}
 \begin{enumerate}
-  \item The donor generates a QR code containing the following and sends it to the validator/tax office:
-  \begin{itemize}
-    \item version of the protocol (one byte)
-    \item TAXID
-    \item salt
-    \item DS received from the DONAU
-    \item year
-    \item amount for the year
-  \end{itemize}
+  \item The donor generates a QR code:
+    \begin{align}
+      QR = \langle TAXID, SALT, DS, YEAR, AMOUNT \rangle
+    \end{align}
 
-\item The validator scans the QR code and validates that the signature corresponds to the current DONAU DS signing key.
+  \item The validator scans the QR code and verifies the signature in the $DS$.
 \end{enumerate}
 
 \end{document}