commit 8e2c7d055926e7929b93edc80a9a1f5f77b2f853
parent 4cd32677f418b43449f1448436d7b6a2e66e33cb
Author: Christian Grothoff <grothoff@gnunet.org>
Date: Tue, 3 Oct 2023 15:12:32 +0200
edits
Diffstat:
| M | doc/flows/main.tex | | | 86 | +++++++++++++++++++++++++++++++++++++++++++------------------------------------ |
1 file changed, 47 insertions(+), 39 deletions(-)
diff --git a/doc/flows/main.tex b/doc/flows/main.tex
@@ -21,24 +21,30 @@
\section{Definitions}
\begin{itemize}
- \item $DU :=$ \textbf{donation unit} = Smallest structure representing a donation confirmation unit, e.g. receipt for CHF1, CHF2. Equivalent in Taler is "coin".
- \item $BDU :=$ blinded DU
- \item $DR :=$ \textbf{donation receipt} = collection of DUs for one donation
- \item $BDR :=$ collection of BDUs
- \item $DS_{year} :=$ \textbf{donation statement} = sum of DRs for one specific year and specific donor
- \item $b :=$ blinding factor
- \item $H :=$ cryptographic hash function
+\item $DU :=$ \textbf{donation unit} = Smallest structure representing a donation confirmation unit, e.g. receipt for CHF1, CHF2. Equivalent in Taler is "denomination".
+ \item $UDID := $ unique identifier of a donor by tax ID, made unique per donation to obtain unique $DR$s per donation
+ \item $BDID :=$ blinded $UDID$, blinded for privacy of the donor
\item $BS :=$ BDU blinded signature made with a donation unit secret key (from DONAU)
\item $S :=$ unblinded BS
- \item $DUi, Si, DRi...$ := number entities if there are more than one eg. DU1,DU2...
+ \item $DR :=$ \textbf{donation receipt} = $UDID$ with $S$ signature of DONAU affirming donation over the respectiv amount as given by the DU associated with the signature
+ \item $DRs :=$ collection of $DR$s
+ \item $DS_{year} :=$ \textbf{donation statement} = confirmation over the total amount of DRs produced for a specific year and specific donor (DID)
+ \item $b :=$ blinding factor
+ \item $H :=$ cryptographic hash function
+ \item $DUi, Si, DRi, \ldots$ := number entities if there are more than one e.g. $DU1$, $DU2$ ...
\item $BS_{kj}$ or $S_{kj} \Rightarrow kj$ := specific DONAU public key used to attribute a specific value to a DU, e.g. k1 gives the DU a value of 1, k2 a value of 2...
\end{itemize}
-\subsection{Donation Unit (DU)}
-The NONCE is used to uniquely distinguish DU of the same value ("create a fresh DU"). Otherwise the DONAU would refuse DUs containing donations of equal amount to the same charity, since this would be seen as "double spending". To simplify the thought process, the NONCE can be thought of as a "DU ID".
+\subsection{Unique Donor ID (UDID)}
+
+The NONCE is used to uniquely distinguish donor IDs of the same value
+("create a fresh donor ID"). Otherwise the DONAU would refuse DUs
+containing donations of equal amount to the same charity, since this
+would be seen as "double spending" (or rather, double claiming of
+tax deduction for the same donation).
\begin{align}
- DU := \langle H(TAXID, SALT), NONCE \rangle
+ UDID := \langle H(TAXID, SALT), NONCE \rangle
\end{align}
\section{Overview}
@@ -46,70 +52,73 @@ The NONCE is used to uniquely distinguish DU of the same value ("create a fresh
\subsection{Step 0: Initial setup}
\begin{enumerate}
- \item key generation for blind signatures and statement signing. Distribute the keys.
- \item The charity generates their own key pair.
+ \item Key generation for blind signatures and statement signing by the DONAU. Distribution of the keys to charities, donors and tax authorities (possibly on-demand via REST API). Let $ki$ be the private key for $i$ DU and $Pi$ be the corresponding public key.
+ \item The charity generates their own key pair (charity pub/priv).
\item The DONAU administrator registers the public key of the charity and sets the yearly donation limit for the charities.
\end{enumerate}
\subsection{Attest donation}
\subsubsection{Step 1: Donor donates to charity}
\begin{enumerate}
- \item The donor downloads the DU public keys for the corresponding year from the DONAU.
+ \item The donor downloads the DU public keys $P1, P4$ for the corresponding year from the DONAU.
- \item To donate 5 Euros the donor has to generate 2 DUs (a 1 Euro and 4 Euro DU). The donor generates DUs $DU1$ and $DU2$ which include a salted hash of the tax number (here TAXID) and a NONCE. % not DUs, DRs!
+ \item To donate 5 Euros the donor has to generate 2 UDIDs (for 1 Euro and 4 Euro DU).
+ The donor generates UDIDs $U1$ and $U2$ which include a salted hash of the tax number
+ (here TAXID) and a NONCE.
\begin{align}
- DU1 = \langle H(TAXID, SALT), NONCE_1 \rangle \\ % These are (prototypes) for DRs! DUs are the 1 EUR and 4 EUR!
- DU2 = \langle H(TAXID, SALT), NONCE_2 \rangle % Maybe call these UDIDs? (Unique Donor Ids)
+ U1 = \langle H(TAXID, SALT), NONCE_1 \rangle \\ % These are (prototypes) for DRs! DUs are the 1 EUR and 4 EUR!
+ U2 = \langle H(TAXID, SALT), NONCE_2 \rangle % Maybe call these UDIDs? (Unique Donor Ids)
\end{align}
\item The donor blinds the DUs using two different blinding factors $b_1, b_2$.
\begin{align}
- BDU1 = blind(b_1,DU1) \\ % BDR!
- BDU2 = blind(b_2,DU2) % This is RSA-style blinding, in the abstract just use "blind(b_1,UDID)"
+ BU1 = \langle blind(b_1,U1, P1), H(P1) \rangle \\ % BDR!
+ BU2 = \langle blind(b_2,U2, P4), H(P4) \rangle
\end{align}
-\item The donor sends the blinded DUs (BDR) $BDU1$ and $BDU2$ as well as the payment of 5 Euros.
+\item The donor sends the blinded UDIDs (BDIDs) $BU1$ and $BU2$ as well as the payment of 5 Euros.
\end{enumerate}
-\subsubsection{Charity sends signed DUs to DONAU}
+\subsubsection{Charity sends signed BDIDs to DONAU}
\begin{enumerate}
- \item The charity verifies that the amount requested for signing is lower or equal to the effective amount of the donation.
- \item The charity signs (using EdDSA) a structure containing all unsigned DUs coming from the donor. % Exactly: unsigned!
+\item The charity verifies that the amount requested (based on the $H(Px)$)
+ for signing is lower or equal to the effective amount of the donation.
+ \item The charity signs (using EdDSA) a structure containing all unsigned BDIDs coming from the donor.
\item The charity sends this structure and the signature to the DONAU.
\end{enumerate}
-\subsubsection{DONAU sends back blind signed DUs to charity}
+\subsubsection{DONAU sends back blind signed UDIDs to charity}
\begin{enumerate}
\item The DONAU:
\begin{enumerate}
- \item verifies the charity Signature on the structure.
- \item increments the current year amount of the charity by the total amount of the BDR, if the increment does not exceed the annual limit.
- \item blind signs (using RSA/Schnorr) all the DUs
+ \item verifies the charity signature on the structure.
+ \item increments the current year amount of the charity by the total amount of the BDIDs, if the increment does not exceed the annual limit.
+ \item blind signs all the BDIDs using the private keys $k_i$ matching the public keys $H(Pi)$
\begin{align}
- BS1_{k1} = sign(BDU1, k1)
- BS2_{k4} = sign(BDU2, k4)
+ BS1 &:= sign(BU1, k_1) \\
+ BS2 &:= sign(BU2, k_4)
\end{align}
- \item sends back the blind signed DUs to the charity
+ \item sends back the blind signatures to the charity
\end{enumerate}
- \item The charity transmits the blind signed DUs to the donor.
+ \item The charity transmits the blind signatures to the donor.
\item The donor unblinds the signatures.
\begin{align}
- S1_{k1} = unblind(BS1_{k1}, b_1) \\
- S2_{k4} = unblind(BS2_{k4}, b_2)
+ S1_{k1} &= unblind(BS1, b_1) \\
+ S2_{k4} &= unblind(BS2, b_2)
\end{align}
\end{enumerate}
\subsection{Step 2: Donor sends DR to DONAU, DONAU sends back donation statement (DS)}
\begin{enumerate}
- \item The donor sends the collection of all $(DUi, Si, kj)$ to the DONAU. The DR is always sent to the DONAU right after the donor has unblinded the DUs.
- \item For each $(DUi, Si, kj)$ The DONAU...
+ \item The donor sends the collection of all $\langle BDUIi, Si, H(Pj) \rangle$ to the DONAU. The DR is always sent to the DONAU right after the donor has unblinded the DUs.
+ \item For each $\langle DUi, Si, H(Pj) \rangle$ The DONAU...
\begin{itemize}
- \item check if $kj$ is stored and get the corresponding year.
- \item verifies if $Si$ is a correct signature with the corresponding secret key.
+ \item check if $Pj$ is stored and get the corresponding year and donation unit (amount donated).
+ \item verifies if $Si$ is a correct signature with the corresponding public key $Pj$.
\item verifies that the hash of the TAXID and the salt is the same as in other DUs (how to solve the problem with multiple wallets?) % => Each wallet must simply obtain a separate DS!
\item verifies that the nonce is different from each ever used nonce of this donor for the corresponding year.
\item if all of this is the case, it adds the amount corresponding to the public key to the total donation amount for the year.
@@ -118,7 +127,7 @@ The NONCE is used to uniquely distinguish DU of the same value ("create a fresh
year and hashed TAXID+salt and sends signature and the total amount so far back to the donor.
\begin{align}
- DS = sign(total amount, year, hash(TAXID, salt))
+ DS := sign(total amount, year, H(TAXID, salt))
\end{align}
\end{enumerate}
@@ -133,7 +142,6 @@ The NONCE is used to uniquely distinguish DU of the same value ("create a fresh
\item DS received from the DONAU
\item year
\item amount for the year
-
\end{itemize}
\item The validator scans the QR code and validates that the signature corresponds to the current DONAU DS signing key.
