commit 786cf42cfd28a2f0d16fe02bcbb24c7208ff5227
parent 918f7f9c4c83e7a790a0b5d6302776b5e7850556
Author: Tanja Lange <tanja@hyperelliptic.org>
Date: Wed, 22 Jan 2025 22:31:08 +0100
changed to donau service and agreed on removing tax authority when not needed
Diffstat:
1 file changed, 34 insertions(+), 32 deletions(-)
diff --git a/doc/usenix-security-2025/paper/technicaldesign.tex b/doc/usenix-security-2025/paper/technicaldesign.tex
@@ -31,6 +31,7 @@ top of this core protocol design.
This section provides a technical overview of our Donau protocol, starting with
some cryptographic background followed by the setup and usage.
+The Donau service is typically run by the tax authority but can be an independent entity.
% The first section introduces some notation and definitions used later on in the protocol description.
% Concepts from cryptography are also explained when necessary.
@@ -118,29 +119,30 @@ by unblinding $s'$ by computing $s'/r \bmod n$.
\subsection{Key generation and initial setup}\label{key_generation_and_initial_setup}
Before incognito donations to charities can be executed, all participants in
-the donation system (i.e., the Donau, charities, and donors) must perform some
+the donation system (i.e., the Donau service, charities, and donors) must perform some
initial setup steps.
-\subsubsection{Donau key generation}\label{donau_key_generation}
+\subsubsection{Donau service key generation}\label{donau_key_generation}
\begin{enumerate}
-\item The Donau generates an Ed25519~\cite{DBLP:journals/jce/BernsteinDLSY12} keypair
+\item The Donau service generates an Ed25519~\cite{DBLP:journals/jce/BernsteinDLSY12} keypair
$(D^{\pub}$, $D^{\priv})$, called the {\bf Donau Key}, for digital signatures.
- \item The Donau also generates a set of \textbf{Donation Unit} keypairs
+ \item The Donau service also generates a set of \textbf{Donation Unit} keypairs
$(K_x^{\pub}, K_x^{\priv})$ for blind signatures, corresponding to different
currency denominations $x$ that a donation can be composed of.
\end{enumerate}
-The Donau publishes all public keys over an authenticated channel.
+The Donau service publishes all public keys over an authenticated channel.
It uses fresh Donation Unit keys for each tax period.
\subsubsection{Charity key generation and registration}\label{charity_key_generation}
\begin{enumerate}
\item Each charity generates its own Ed25519 {\bf Charity Key} $( C^{\pub},
C^{\priv} )$.
- \item The charity also fetches the Donation Unit public keys from the Donau.
- \item The charity transmits its public key $C^{\pub}$ to the party controlling the Donau (e.g the
-local tax authority) using an authenticated channel.
- \item The party in charge of Donau administration (usually the relevant tax
-authority) ensures that the charity is authentic and a legally recognized
+ \item The charity also fetches the Donation Unit public keys from the
+Donau service.
+ \item The charity transmits its public key $C^{\pub}$ to the party controlling the Donau service
+using an authenticated channel.
+ \item The party in charge of Donau service administration
+validates that the charity is authentic and a legally recognized
charitable organization. After successful verification, the charity public key
$C^{\pub}$ is registered in the Donau database.
\end{enumerate}
@@ -158,7 +160,7 @@ prevent guessing attacks, and {\tt TAXID} is their taxpayer ID.
The donor stores the salt $S$ along with their $\DI$.
A donor uses their Donor Identifier every time they
-make a donation and again when requesting a donation receipt from the Donau.
+make a donation and again when requesting a donation receipt from the Donau service.
They need to use the salt to link the Donation Identifier to their tax
ID and claim the tax benefits for their donation. The use of the salt
@@ -168,11 +170,11 @@ without $S$, even if they know {\tt TAXID}.
\subsection{Donating to a charity}\label{donating_to_a_charity}
% \subsection{Donor donates to charity and transmits \textbf{Unique Donor identifiers} (future donation receipts)}
-When a donor wishes to donate to a charity, they first retrieve the Donau's Donation Unit
+When a donor wishes to donate to a charity, they first retrieve the Donau service's Donation Unit
public keys $K_x^{\pub}$ for the current tax period.
-The donor then represents their donation as a sum of the Donation Units offered by the Donau.
+The donor then represents their donation as a sum of the Donation Units offered by the Donaus ervice.
-\emph{Example: Assuming the Donau publishes the Donation units $\{1,2,4,8\}$, a donation of $7$ would be split into 1 unit each of the values $4$, $2$ and $1$.}
+\emph{Example: Assuming the Donau service publishes the Donation units $\{1,2,4,8\}$, a donation of $7$ would be split into 1 unit each of the values $4$, $2$ and $1$.}
For each necessary Donation Unit the donor generates a \textbf{Unique Donor
Identifier (UDI)} by appending a random nonce $N_i$ to the value $\DI$.
@@ -191,7 +193,7 @@ The donor must remember all UDIs.
Next the donor blinds the Unique Donor Identifiers using a unique blinding factor for each one.
This hides the information in the UDIs from third parties, including the Donau
-and charity, and protects against linkability. The result is a set of {\bf Blinded Unique Donor Identifiers (BUDIs)}.
+service and charity, and protects against linkability. The result is a set of {\bf Blinded Unique Donor Identifiers (BUDIs)}.
{\em In our example, the Blinded Unique Donor Identifiers would be}
\begin{align*}
@@ -205,7 +207,7 @@ So far, the \textbf{Blinded Unique Donor Identifiers} do not carry information a
The \emph{intended effective value is indicated} by grouping each Unique Donor Identifier with
the hash of its respective Donation Unit public key $K^{\pub}_x$.
We call this pair a \textbf{Blinded Unique Donor Identifier Key Pair} (\textbf{BKP}).
-It is only the \emph{intended effective} value because their value is zero until they are signed by the Donau.
+It is only the \emph{intended effective} value because their value is zero until they are signed by the Donau service.
Note that they must be signed with the matching Donation Unit key as the
blinding and unblinding operations rely strongly on the public key.
@@ -240,37 +242,37 @@ That is, it computes
\begin{align*}
\sigma_c = \sign(\vec{\mu}, C^{\priv})
\end{align*}
-The charity sends the array $\vec{\mu}$ of BKPs and their signature $\sigma_c$ to the Donau to generate a receipt.
+The charity sends the array $\vec{\mu}$ of BKPs and their signature $\sigma_c$ to the Donau service to generate a receipt.
-\subsection{Donau generates donation receipt}\label{donau_creates_donation_receipt}
-When the Donau receives a signed set of BKPs from a charity, it verifies the charity's signature.
+\subsection{Donau service generates donation receipt}\label{donau_creates_donation_receipt}
+When the Donau service receives a signed set of BKPs from a charity, it verifies the charity's signature.
It then checks that no legal restrictions are being violated.
-If none are, the Donau increments its record of the charity's total receipts by the
+If none are, the Donau service increments its record of the charity's total receipts by the
total amount of the donation, i.e., the sum of the denominations used in the
BKPs.
-The Donau then blindly signs all BUDIs using the Donation Unit private keys
+The Donau service then blindly signs all BUDIs using the Donation Unit private keys
$K_x^{\priv}$
that correspond to the public keys hashed in the BKPs.
-{\em In our example, the Donau blindly signs the three BUDIs submitted by the charity}
+{\em In our example, the Donau service blindly signs the three BUDIs submitted by the charity}
\begin{align*}
\overline{\beta_1} = \blind\_\sign(\overline u_1, K_1^{\priv}) \\
\overline{\beta_2} = \blind\_\sign(\overline u_2, K_2^{\priv}) \\
\overline{\beta_3} = \blind\_\sign(\overline u_3, K_4^{\priv})
\end{align*}
-These signatures constitute a blinded donation receipt from the Donau, and the Donau sends these back to the charity,
+These signatures constitute a blinded donation receipt from the Donau service, and the Donau s ervice sends these back to the charity,
which in turn forwards them to the donor.
\subsection{Donor receives donation receipt}\label{donor_receives_donation_receipt}
-Upon receiving the blinded donation receipt from the Donau via the charity,
+Upon receiving the blinded donation receipt from the Donau service via the charity,
the donor verifies the blind signatures over the BUDIs.
If they verify, the donor then unblinds them to obtain signatures over the original UDIs.
These UDIs, their unblinded signatures, and their respective hashed Donation Unit public keys
constitute a collection of donation receipts.
These donation receipts are stored on the donor's device.
-{\em In our example: the donor unblinds the Donau signatures $\overline{\beta_1}, \overline{\beta_2}, \overline{\beta_3}$, obtaining:}
+{\em In our example: the donor unblinds the Donau service signatures $\overline{\beta_1}, \overline{\beta_2}, \overline{\beta_3}$, obtaining:}
\begin{align*}
\beta_1 &= \unblind(\overline{\beta_1}, b_1, K_1^{\pub}) \\
\beta_2 &= \unblind(\overline{\beta_2}, b_2, K_2^{\pub}) \\
@@ -283,10 +285,10 @@ These donation receipts are stored on the donor's device.
r_3 &= ( \UDI_3, \beta_3, h(K_4^{\pub}) )
\end{align*}
-\subsection{Donor requests an annual donation statement from Donau}\label{donor_requests_a_donation_statement_from_the_donau}
+\subsection{Donor requests an annual donation statement from Donau service}\label{donor_requests_a_donation_statement_from_the_donau}
In order for the donor to claim a tax deduction,
the donor needs to obtain a final donation statement which can be sent to the tax authority.
-The donor sends their saved donation receipts $\{r_1, \ldots, r_k\}$, accumulated throughout the tax period, to the Donau.
+The donor sends their saved donation receipts $\{r_1, \ldots, r_k\}$, accumulated throughout the tax period, to the Donau service.
This can in principle be done multiple times during the tax period;
however, the receipts must not be submitted at a time strongly correlated with the donation to achieve
\emph{unlinkability} between the \emph{issuance} of the receipts (which happens at the time of donation)
@@ -295,7 +297,7 @@ and their \emph{submission} for the Donation Statement.
Remember that each $\UDI$ is the concatenation of the donor identifier $\DI$ and
a random nonce, i.e., they all start with the same $\DI$.
-Once the Donau receives the donor's donation receipts, it checks that for each receipt:
+Once the Donau service receives the donor's donation receipts, it checks that for each receipt:
\begin{itemize}
\item the public key $K_x^{\pub}$ is known.
\item the signature $\beta$ is correct using the corresponding public key
@@ -306,13 +308,13 @@ $K_x^{\pub}$.
identified as $\DI$.
\end{itemize}
-Importantly, the Donau does not see signatures of the charities the donor
+Importantly, the Donau service does not see signatures of the charities the donor
donated to, so it does not know where the donor spent money.
They also only see a collection of common denominations, so they are unable to correlate total donation amounts per charity.
-Finally, the receipts are unblinded, so they are unlinkable to any signature the Donau has seen before.
+Finally, the receipts are unblinded, so they are unlinkable to any signature the Donau service has seen before.
-The Donau then generates a signature over the total \texttt{amount} of all receipts, the current tax period (\texttt{year}) and the Donor Identifier.
-This results in a final signature called the \textbf{Donation Statement}, which the Donau returns to the donor:
+The Donau service then generates a signature over the total \texttt{amount} of all receipts, the current tax period (\texttt{year}) and the Donor Identifier.
+This results in a final signature called the \textbf{Donation Statement}, which the Donau service returns to the donor:
\begin{align*}
\sigma_s = \sign(( \DI, \textsf{amount}_{\sf Total}, \textsf{year}) ),
D^{\priv})
