commit 735fbb3e482b3b9e0fb66abac57f60d01883b964
parent 498424ac65b95065081844dc0c6c654ee9d4bd90
Author: Christian Grothoff <christian@grothoff.org>
Date: Wed, 22 Jan 2025 16:57:41 +0100
minor edits to sec #3
Diffstat:
1 file changed, 24 insertions(+), 15 deletions(-)
diff --git a/doc/usenix-security-2025/paper/technicaldesign.tex b/doc/usenix-security-2025/paper/technicaldesign.tex
@@ -118,8 +118,10 @@ initial setup steps.
$(K_x^{\pub}, K_x^{\priv})$ for blind signatures, corresponding to different
currency denominations $x$ that a donation can be composed of.
\end{enumerate}
+The Donau publishes all public keys over an authenticated channel.
+It uses fresh Donation Unit keys for each tax period.
-\subsubsection{Charity key generation}\label{charity_key_generation}
+\subsubsection{Charity key generation and registration}\label{charity_key_generation}
\begin{enumerate}
\item Each charity generates its own Ed25519 {\bf Charity Key} $( C^{\pub},
C^{\priv} )$.
@@ -133,33 +135,38 @@ $C^{\pub}$ is registered in the Donau database.
\end{enumerate}
\subsubsection{Donor Identifier generation}
-Each donor generates a personal \textbf{Donor Identifier} by computing a salted
-hash of their taxpayer ID.
+
A donor uses their Donor Identifier every time they
make a donation and again when requesting a donation receipt from the Donau.
-The donor computes their Donor Identifier $\DI$ as the hash
+Each donor generates a personal \textbf{Donor Identifier} $\DI$ by
+computing a salted hash of their taxpayer ID
\begin{align*}
\DI = H(\texttt{TAXID}, S)
\end{align*}
-where $S$ is a random salt and {\tt TAXID} is their taxpayer ID.
+where $S$ is a random salt with sufficient entropy to
+prevent guessing attacks and {\tt TAXID} is their taxpayer ID.
The donor stores the salt $S$ along with their $\DI$.
-They need to use the salt to link the Donation Identifier to their tax ID and claim
-the tax benefits for their donation. The use of the salt means the $\DI$ cannot
-be linked to the donor by anybody without $S$, even if they know {\tt TAXID}.
+
+They need to use the salt to link the Donation Identifier to their tax
+ID and claim the tax benefits for their donation. The use of the salt
+ensures that the $\DI$ cannot be linked to the donor by anybody
+without $S$, even if they know {\tt TAXID}.
\subsection{Donating to a charity}\label{donating_to_a_charity}
% \subsection{Donor donates to charity and transmits \textbf{Unique Donor identifiers} (future donation receipts)}
When a donor wishes to donate to a charity, they first retrieve the Donau's Donation Unit
-public keys $K_x^{\pub}$ for the current year.
+public keys $K_x^{\pub}$ for the current tax period.
The donor then represents their donation as a sum of the Donation Units offered by the Donau.
\emph{Example: Assuming the Donau publishes the Donation units $\{1,2,4,8\}$, a donation of $7$ would be split into 1 unit each of the values $4$, $2$ and $1$.}
For each necessary Donation Unit the donor generates a \textbf{Unique Donor
-Identifier (UDI)} by appending a random nonce to the value $\DI$.
-If multiple instances of the same Donation Unit are needed to represent the target sum, the donor creates a different nonce for each instance of that Donation Unit.
+Identifier (UDI)} by appending a random nonce $N_i$ to the value $\DI$.
+If multiple instances of the same Donation Unit are needed to represent
+the target sum, the donor creates a different nonce $N_i$ for each instance $i$
+of that Donation Unit.
The donor must remember all UDIs.
\emph{In our example, there are $3$ Unique Donor Identifiers needed to represent the donated value of $7$. We can write them as:}
@@ -267,9 +274,11 @@ These donation receipts are stored on the donor's device.
\subsection{Donor requests an annual donation statement from Donau}\label{donor_requests_a_donation_statement_from_the_donau}
In order for the donor to claim a tax deduction,
the donor needs to obtain a final donation statement which can be sent to the tax authority.
-The donor sends their saved donation receipts $\{r_1, \ldots, r_k\}$, accumulated throughout the year, to the Donau.
-This can be done multiple times during the year, but the receipts are not automatically in order to achieve
-\emph{unlinkability} between the \emph{issuance} of the receipts (which happens at the time of donation) and their \emph{submission} for the Donation Statement.
+The donor sends their saved donation receipts $\{r_1, \ldots, r_k\}$, accumulated throughout the tax period, to the Donau.
+This can in principle be done multiple times during the tax period;
+however, the receipts must not be submitted at a time strongly correlated with the donation to achieve
+\emph{unlinkability} between the \emph{issuance} of the receipts (which happens at the time of donation)
+and their \emph{submission} for the Donation Statement.
Remember that each $\UDI$ is the concatenation of the donor identifier $\DI$ and
a random nonce, i.e., they all start with the same $\DI$.
@@ -290,7 +299,7 @@ donated to, so it does not know where the donor spent money.
They also only see a collection of common denominations, so they are unable to correlate total donation amounts per charity.
Finally, the receipts are unblinded, so they are unlinkable to any signature the Donau has seen before.
-The Donau then generates a signature over the total \texttt{amount} of all receipts, the current \texttt{year} and the Donor Identifier.
+The Donau then generates a signature over the total \texttt{amount} of all receipts, the current tax period (\texttt{year}) and the Donor Identifier.
This results in a final signature called the \textbf{Donation Statement}, which the Donau returns to the donor:
\begin{align*}
\sigma_s = \sign(( \DI, \textsf{amount}_{\sf Total}, \textsf{year}) ),
