commit d797ff8b1101953416dc13657a750b6e1c4451ef
parent 1d1fd4d2ab2e0c132b7c738c2f58d6d7e69a81f8
Author: Casaburi Johannes <johannes.casaburi@students.bfh.ch>
Date: Wed, 12 Jun 2024 18:41:41 +0200
small changes in doc (first part)
Diffstat:
14 files changed, 295 insertions(+), 78 deletions(-)
diff --git a/doc/thesis/abstract.tex b/doc/thesis/abstract.tex
@@ -5,7 +5,6 @@ system. The central entity in the design is the donation authority
GNU Taler project. While implemented primarily for GNU Taler, the
system could in principle work with other payment systems.
-%mention donation fraud
The Donau would be operated by a tax authority. The Donau backend
implements a REST API used primarily by charities and donors. It
maintains a list of recognized charities, enabling tax authorities to
@@ -13,7 +12,7 @@ audit the total amount of donation receipts each charity is
issuing. Upon making a donation to one of the charities the donor
receives a \textit{donation receipt} which will be stored locally on
the donor’s device. Throughout this process neither the charity nor
-the Donau obtains any identifiable information on about the donor,
+the Donau obtains any identifiable information about the donor,
thus enabling anonymous donations. To simplify the verification for
the tax authority, the donor needs to submit their donation receipts
to the Donau at the end of the year. At that time, the Donau can
@@ -21,4 +20,7 @@ combine the individual donation receipts in one final annual
\textit{donation statement}. Upon request of the tax authority, the
donor can provide this donation statement to the tax authority which
can check its validity and can then approve the tax deduction.
+
+%motivation
+
\end{abstract}
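Review bot: the new bare `%motivation` comment before `\end{abstract}` is a placeholder with no text, while interview.tex in this commit uses the `%TODO ...` form for the same purpose. Use one marker style for open items (`%TODO motivation`) so they can be grepped before submission, or write the motivation sentence now.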
diff --git a/doc/thesis/chapters/acknowledgements/acknowledgements.tex b/doc/thesis/chapters/acknowledgements/acknowledgements.tex
@@ -1,4 +1,3 @@
-%\section{Acknowledgements}
First and foremost, we would like to thank Christian Grothoff and Emmanuel Benoist for their continued support and feedback throughout the project.
A special thank to Michiel Leenaars from the NLnet foundation who had the initial idea for the project.
We would also like to thank our expert Daniel Voisard for his feedback during the project.
diff --git a/doc/thesis/chapters/approach/concept.tex b/doc/thesis/chapters/approach/concept.tex
@@ -1,7 +1,8 @@
The Donau environment includes three stakeholders.
-Donors, charities and the tax authority. The Donau itself is operated by the tax authority while maintaining a list of verified charities.
-Each charity maintains a backend solution that allows it to communicate with the Donau and the donors.
-See Figure \ref{fig:stakeholders} \pageref{fig:stakeholders}
+Donors, charities and the tax authority (See figure \ref{fig:stakeholders}).
+The Donau itself is operated by the tax authority while maintaining a list of
+verified charities. Each charity maintains a backend solution that allows it
+to communicate with the Donau and the donors.
\begin{figure}[ht]
\begin{center}
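Review bot: "(See figure \ref{fig:stakeholders})" sits mid-sentence and should be lowercase "(see figure ...)", matching "(see section \ref{blind_signatures})" and "(see figure: ...)" used elsewhere in this patch. The figure reference style is also inconsistent across the file (with and without a colon after "figure"); pick one.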
@@ -27,17 +28,33 @@ See Figure \ref{fig:stakeholders} \pageref{fig:stakeholders}
\end{figure}
\section{Issuing Donation Receipts} \label{issuing_donation_receipts}
-When donating to a charity the donor sends the payment together with a receipt request to the charity.
-In order to link the donation to the donor so that the donation receipt cannot be used by someone else, the donor's unique tax identification number is part of the receipt request.
-The tax ID does not cause a problem for anonymity as the whole receipt with the tax ID is blinded (see section \ref{blind_signatures}).
-In the figure \ref{fig:issue receipt request} \pageref{fig:issue receipt request} the blinded receipt is illustrated as an envelope.
-The charity must verify if the payment was successful and if the amount written in the receipt request is lower or equal the amount donated.
-Next, if the charity approves the receipt request, it signs the unmodified request and forwards the request to the Donau.
-The Donau accepts only issued requests from recognized charities. For a charity to be recognized, it must first register by the relevant Donau. When the Donau receives an issue receipt request from a charity, it checks the validity of the charity signature before the Donau issues the actual donation receipt by signing the request.
-This is different from current systems where the charity usually issues the receipt.
-By shifting this task to the Donau, the receipts can easily be verified and unlink the donor from the charity.
-Because the Donau does only know the amount and the charity it is signing for, this first step of issuing receipts anonymizes the data and provides privacy for the donor.
-If the payment process also provides anonymity (as the case is with GNU Taler) the donations are fully anonymous.
+When donating to a charity the donor sends the payment together with a receipt
+request to the charity.
+In order to link the donation to the donor so that the donation receipt cannot
+be used by someone else, the donor's unique tax identification number is part
+of the receipt request.
+This tax ID does not cause a problem for anonymity as the whole receipt
+including the tax ID is blinded (See section \ref{blind_signatures}).
+
+In figure \ref{fig:issue receipt request} the blinded receipt is illustrated as
+an envelope. The charity must verify if the payment was successful and if the
+amount written in the receipt request is lower or equal the amount donated.
+
+Next, if the charity approves the receipt request, it signs the unmodified
+request and forwards the request to the Donau.
+The Donau accepts only issued requests from recognized charities. For a charity
+to be recognized, it must first be registered in the relevant Donau.
+When the Donau receives an issue receipt request from a charity, it checks the
+validity of the charity signature before the Donau issues the actual donation
+receipt by signing the request.
+
+This is different from current systems where the charity usually issues the
+receipt. By shifting this task to the Donau, the receipts can easily be
+verified and unlink the donor from the charity.
+Because the Donau does only know the amount and the charity it is signing for,
+this first step of issuing receipts anonymizes the data and provides privacy
+for the donor. If the payment process also provides anonymity (as is the case
+with GNU Taler) the donations are fully anonymous.
\begin{figure}[ht]
\begin{center}
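Review bot: "lower or equal the amount donated" (the re-wrapped L75 text) is ungrammatical and should read "lower than or equal to the amount donated"; this is the check that prevents a charity from certifying a larger amount than was paid, so it deserves a precise sentence. Smaller points in the same hunk: "(See section \ref{blind_signatures})" should be lowercase "see" mid-sentence; "Because the Donau does only know the amount and the charity" should be "only knows"; and "the receipts can easily be verified and unlink the donor from the charity" mixes two subjects, e.g. "the receipts can easily be verified, and the donor is unlinked from the charity".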
@@ -60,11 +77,17 @@ If the payment process also provides anonymity (as the case is with GNU Taler) t
\caption{issue receipt request} \label{fig:issue receipt request}
\end{figure}
-Upon receiving the signed issue request from the charity, the Donau must verify the charity signature and checks that the yearly donation limit of a charity is not exceeded.
-After successful verification the Donau blind signs the donation receipt which is then sent via the charity back to the Donor (see figure: \ref{fig:issue receipt response} \pageref{fig:issue receipt response}).
-The donor now unblinds the signature from the Donau to make it valid for the unblinded receipt (see section \ref{blind_signatures}).
+Upon receiving the signed issue request from the charity, the Donau must verify
+the charity signature and check that the yearly donation limit of the charity
+is not exceeded.
+After successful verification the Donau blind signs the donation receipt which
+is then sent via the charity back to the Donor (See figure: \ref{fig:issue
+receipt response}).
+The donor now unblinds the signature from the Donau to make it valid for the
+unblinded receipt (for more information on blind signatures see section \ref{blind_signatures}).
The unblinded receipt gets saved locally on the donors device for later.
-This process repeats for every donation. At the end of the year the donor may have accumulated any number of these donation receipts.
+This process repeats for every donation. At the end of the year the donor may
+have accumulated any number of these donation receipts.
\begin{figure}[ht]
\begin{center}
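Review bot: the line "unblinded receipt (for more information on blind signatures see section \ref{blind_signatures})." overruns the roughly 80-column wrap the rest of this rewrap adopts; break it after "receipt". Also "(See figure: \ref{fig:issue receipt response})" should be lowercase "see", "the Donor" should be "the donor" as everywhere else, and the untouched context line "saved locally on the donors device" wants the apostrophe ("donor's device") while this paragraph is being edited anyway.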
@@ -88,13 +111,24 @@ This process repeats for every donation. At the end of the year the donor may ha
\end{figure}
\section{Summarize the Receipts}\label{summarize_the_receipts}
-When it is time for the tax declaration (usually at the beginning of the next year) the donor has to request a final donation statement signature from the Donau, summarizing all the donation receipts of a year (see figure: \ref{fig:summarize receipts} \pageref{fig:summarize receipts}).
-This step combines the amounts of the donation receipts in a single total amount.
-This further protects the privacy of the donor as the individual donations could be enough information to link with specific donations to their corresponding charity and donor.
-Merging donation receipts reduces the time and effort for the manual verification of the tax authority as the donor generates a single QR-Code containing the donation statement containing the total amount donated, the year and the tax ID and the signature over all of these values.
+When it is time for the tax declaration (usually at the beginning of the next
+year) the donor has to request a final donation statement signature from the
+Donau, summarizing all the donation receipts of a year (see figure:
+\ref{fig:summarize receipts}).
+This step combines the amounts of the donation receipts in a single total
+amount.
+This further protects the privacy of the donor as the individual donations
+could be enough information to link up the specific donations to their
+corresponding charity and donor.
+Merging donation receipts also reduces the time and effort for the manual
+verification of the tax authority as the donor generates a single QR-Code
+containing the donation statement. This statement contains the total amount
+donated, year, tax ID and the signature over all of these values.
This signature is used to verify the donation statement by the tax authority.
-The donation statement can be requested multiple times during the year for save keeping the donation receipts.
-The latest donation statement will always contain all the receipts of a year - the old receipts (from previous statements of the year) and the new donation receipts.
+The donation statement can be requested multiple times during the year for save
+keeping. The latest donation statement will always contain all the receipts of
+a year - the old receipts (from previous statements of the year) and the new
+donation receipts.
\begin{figure}[ht]
\begin{center}
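Review bot: "requested multiple times during the year for save keeping" should be "for safekeeping" (the pre-existing "save" typo survived the rewrap). In the same paragraph, "all the receipts of a year - the old receipts" uses a hyphen as a dash; in LaTeX write "a year -- the old receipts" or use a comma. "QR-Code" here versus "QR code" in the validation section below should be unified.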
@@ -130,10 +164,12 @@ The latest donation statement will always contain all the receipts of a year - t
\end{figure}
\section{Validation}\label{validation}
-Once the donor has received the donation statement signature, he can summarize them in a QR code.
-The donor must submit the QR-Code with his tax documents, in order to claim the tax reduction (see figure:\ref{fig:validation} \pageref{fig:validation}).
-The final check is made by the tax authority, by checking the donation statement signature.
-If the signature is valid, this is the proof that the specified donor indeed has donated the claimed amount in the indicated year.
+Once the donor has received the donation statement signature, he can summarize
+them in a QR code. The donor must submit the QR-Code with his tax documents,
+in order to claim the tax reduction (see figure:\ref{fig:validation}).
+The final check is made by the tax authority, by checking the donation
+statement signature. If the signature is valid, this is the proof that the
+specified donor indeed has donated the claimed amount in the indicated year.
\begin{figure}[ht]
\begin{center}
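Review bot: "he can summarize them in a QR code" has no plural antecedent: the previous sentence refers to a single donation statement signature, so "them" presumably means the statement and its signature; say so. The pronouns "he"/"his" in this paragraph also clash with goals.tex in the same commit, which was switched to "they"/"their"; and "(see figure:\ref{fig:validation})" is missing the space after the colon.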
@@ -159,16 +195,25 @@ If the signature is valid, this is the proof that the specified donor indeed has
\caption{validation} \label{fig:validation}
\end{figure}
-The tax authority will not have any information to which charity the donor has donated money.
-The tax authority only knows total donated amount and that every donation was made to one of the recognized charities in the specified year.
-This way the donor could make an anonymous donation and still have enough proof to deduct the amount from taxes.
-The Donau should keep track of the total amount of the donation receipts issued for each charity, to enforce donation limits according to local law and to prevent donation fraud.
+The tax authority will not have any information to which charity the donor
+has donated money. The tax authority only knows the total donated amount and
+that every donation was made to one of the recognized charities in the
+specified year.
+This way the donor could make an anonymous donation and still have enough proof
+to deduct the amount from taxes.
+The Donau will keep track of the total amount of the donation receipts issued
+for each charity, to enforce donation limits according to local law and
+to prevent donation fraud.
\section{Incorporating the Donau}\label{incorporating_the_donau}
-Every donor is related to only one specific Donau of his location where he is able to issue and submit donation receipts for deducting taxes.
-If a charity wants to be accepted in multiple tax areas, it has to be registered by all the corresponding donation authorities.
+Every donor is delegated to only one specific Donau of his location where he is
+able to issue and submit donation receipts for deducting taxes.
+If a charity wants to be accepted in multiple tax areas, it has to be
+registered by all the corresponding donation authorities.
To do so, the charities has to apply to the tax authorities.
-The region for which a Donau is responsible depends on the tax area of the tax authority and their reglementation of what is charitable.
-A Donau is maybe responsible for a geographical area like a canton, a country or even a confederation of states.
+The region for which a Donau is responsible depends on the tax area of the tax
+authority and their reglementation of what is charitable.
+One Donau could be responsible for a geographical area like a canton, a country
+or even a confederation of states.
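Review bot: "Every donor is delegated to only one specific Donau" is the wrong verb (it is not the donor who is delegated); "assigned to" or "associated with" conveys the intended meaning better than the replaced "related to". The unchanged context line "To do so, the charities has to apply" needs "each charity has to apply", and "reglementation" should be "regulation".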
diff --git a/doc/thesis/chapters/background/blindsign.tex b/doc/thesis/chapters/background/blindsign.tex
@@ -1,11 +1,51 @@
\section{Blind Signatures}\label{blind_signatures}
-One important cryptographic scheme used by the Donau is the blind signature scheme. It is an extension of digital signatures which provides besides authenticity and non-repudiation privacy by allowing a user to obtain a signature for a message, without revealing the contents of the message to the signer. All cryptographic elements used by the Donau where privided by the GNU Taler libraries. Even blind signatures are slightly slower than normal signatutes this does not result in a performance issue this project on GNU Taler shows: \url{https://taler.net/en/news/2022-06.html}.
+One important cryptographic scheme used by the Donau is the blind signature
+scheme. It is an extension of digital signatures which provides, besides
+authenticity and non-repudiation, privacy by allowing a user to obtain a
+signature for a message, without revealing the contents of the message to the
+signer. All cryptographic elements used by the Donau where privided by the GNU
+Taler libraries. Blind signatures are slightly slower than the normal
+signatutes, this does not result in a performance issue as this project on GNU
+Taler shows: \url{https://taler.net/en/news/2022-06.html}.
-This section only provides an overview of blinded signatures. Detailed information about blinded signature can be found at \url{https://taler.net/papers/cs-thesis.pdf}. Blinded signatures are the key elements to reach privacy for the donor (see chapter \ref{issuing_donation_receipts}). With blinded signatures a blinded unrecognizable message was signed. Only the creator of the blinded message is able to unblind the signature and therefore to receive a valid signature for the unblinded message. The Donau system uses blinded signatures to bind the identity to a donation receipt while hiding the identity of the donor. As a result of the property of blindness, the blind signer Donau is not able to link the cleartext message with the made blind signature or the blind with the unblind signature \cite[p.12]{cryptoeprint:2019/877}. There are multiple blind signature schemes. The Donau distinguishes the following two equivalent blind signature schemes:
+This section only provides an overview of blinded signatures. Detailed
+information about blinded signatures can be found at
+\url{https://taler.net/papers/cs-thesis.pdf}. Blinded signatures are the key
+elements to reach privacy for the donor (see section
+\ref{issuing_donation_receipts}). With blinded signatures a blinded
+unrecognizable message was signed. Only the creator of the blinded message is
+able to unblind the signature and therefore to receive a valid signature for
+the unblinded message. The Donau system uses blinded signatures to bind the
+identity to a donation receipt while hiding the identity of the donor. As a
+result of the property of blindness, the blind signer (in this case the Donau)
+is not able to link the cleartext message with the made blind signature
+or the blind signature with the unblind signature \cite[p.12]{cryptoeprint:2019/877}.
+
+There are multiple blind signature schemes. The Donau distinguishes
+the following two equivalent blind signature schemes:
\subsection{RSA}\label{rsa}
-Concrete the RSA-FDH blind signatures are used. Before blinding, to eliminate certain attacks, a Full-Domain Hash on the message is applied. Full-Domain means the hash has the same size as the RSA modulus. The blind signature scheme is similar to the normal RSA signatur scheme. In addition to the normal scheme, the message is blinded with an private and random value. Practically the length of the modulus and therefore for the key size, signature size and the security level is variable. The scheme only has one round trip.\cite{nigelcrypto:2016}
+Concrete the RSA-FDH blind signatures are used. Before blinding, to eliminate
+certain attacks, a Full-Domain Hash (FDH) is applied on the message.
+Full-Domain means the hash has the same size as the RSA modulus. The blind
+signature scheme is similar to the normal RSA signatur scheme. In addition to
+the normal scheme, the message is blinded with a private and random value.
+Practically the length of the modulus and therefore for the key size, signature
+size and the security level is variable. The scheme only has one round trip.\cite{nigelcrypto:2016}
\subsection{Clause Schnorr (CS)}\label{cs}
-The Clause Schnorr Signature Scheme differs from the RSA scheme. Initially the blinder needs two random values from the signer party. One random value from the signer and two random private values are required to blind the message once. This process is repeated and the two blinded messages are sent to the signer, who randomly selects a blinded message for blinding. Two blinded messages are needed to prevent an certain type of attack. In comparision to the RSA scheme, the Clause Schnorr Scheme needs an additional round trip to get the inital nonces from the signer. However, the individual crypto operations are so much faster than the operations from the RSA scheme that the additional round trip is no longer significant. See the measurements for this [p.107-121] \cite{DemHeuz2022}. Because clause schnorr signatures are based on elliptic curves, smaller keys can be used. GNU Taler supports one fixed 256 bit key size, which provides an security level of 128 bits.
+The Clause Schnorr Signature Scheme differs from the RSA scheme. Initially the
+blinder needs two random values from the signer party. One random value from
+the signer and two random private values are required to blind the message
+once. This process is repeated and the two blinded messages are sent to the
+signer, who randomly selects a blinded message for blinding. Two blinded
+messages are needed to prevent an certain type of attack. In comparision to the
+RSA scheme, the Clause Schnorr Scheme needs an additional round trip to get the
+inital nonces from the signer. However, the individual crypto operations are so
+much faster than the operations from the RSA scheme that the additional round
+trip is no longer significant.\cite{DemHeuz2022}
+
+Because clause schnorr signatures are based on elliptic curves, smaller keys
+can be used. GNU Taler supports one fixed 256 bit key size, which provides an
+security level of 128 bits.
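Review bot: "who randomly selects a blinded message for blinding" should be "for signing" (the signer signs one of the two blinded messages; the blinding was already done by the requester), otherwise the description of the Clause Schnorr round trip is wrong. The `\cite{DemHeuz2022}` at the end of that paragraph also lost the page range `[p.107-121]` that the removed line carried; keep it as `\cite[p.107-121]{DemHeuz2022}` so the measurements are still locatable. Remaining wording issues in this hunk: "where privided" (were provided), "signatutes" and "signatur" (signatures/signature), "an certain", "comparision", "inital", "an security level", "clause schnorr" (Clause Schnorr); "Blind signatures are slightly slower than the normal signatutes, this does not result" is a comma splice ("Although blind signatures are slightly slower ..., this does not result"); "Concrete the RSA-FDH" should be "Concretely, the RSA-FDH"; "a blinded unrecognizable message was signed" should be present tense; "the blind signature with the unblind signature" should be "unblinded signature".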
diff --git a/doc/thesis/chapters/background/eddsa.tex b/doc/thesis/chapters/background/eddsa.tex
@@ -1,3 +1,10 @@
\section{EdDSA Signatures}\label{eddsa}
-With signatures authenticity and non-repudiation want to be achieved. In this context hashes and public key cryptography are used.\cite{hash2012} For this purpose the Donau uses EdDSA signatures. The Edwards-curve Digital Signature Algorithm or for short EdDSA is a scheme for digital signatures based on the twisted Edwards elliptic curves and the Schnorr signature scheme. EdDSA signatures using the curve Curve25519 are also called Ed25519. The Donau only uses Ed25519. Whether Curve25519 or the Edwards-curve, the scheme is very efficient and secure.\cite{BernsteinEd25519}
+With signatures, authenticity and non-repudiation want to be achieved. In this
+context hashes and public key cryptography are used.\cite{hash2012} For this
+purpose the Donau uses EdDSA signatures. The Edwards-curve Digital Signature
+Algorithm or for short EdDSA is a scheme for digital signatures based on the
+twisted Edwards elliptic curves and the Schnorr signature scheme. EdDSA
+signatures using the curve Curve25519 are also called Ed25519. The Donau only
+uses Ed25519. Whether Curve25519 or the Edwards-curve, the scheme is very
+efficient and secure.\cite{BernsteinEd25519}
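Review bot: "With signatures, authenticity and non-repudiation want to be achieved" is an awkward passive; "Signatures are used to achieve authenticity and non-repudiation" says the same thing. The closing "Whether Curve25519 or the Edwards-curve, the scheme is very efficient and secure" is unclear about what is being contrasted, since Ed25519 is the twisted-Edwards form of Curve25519 rather than an alternative to it; rephrase to state that the Donau uses Ed25519 and cite its efficiency and security directly.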
diff --git a/doc/thesis/chapters/background/hash.tex b/doc/thesis/chapters/background/hash.tex
@@ -1,7 +1,28 @@
-The project is based on existing cryptography. This chapter describes only the crucial cryptographic elements used by the Donau.
-
\section{Hash Functions}\label{hash}
-Hash functions are used to compress input values to a fixed output size. Hash function are deterministic. The same input leads to the same output. The Donau uses hash functions to compress data in order to record less data in the database or to send less data over the network. To be able to clearly recognize the corresponding data from the hash, the hash function has to second-preimage resistant or better collision resistant. With second-preimage resistance no equivalent hash for any input $x'$ to a given hash $h(x)$ with $x \neq x'$ can be found in a reasonable time. Collision resistance is the stronger assumption and even prevents to find $h(x) = h(x')$ with $x \neq x'$. A further important assumption is the Avalanche Criterion. The property defines that a small change in the hash input message leads to a substantially change in the output hash. This criteria makes it hard to guess the input even if a part of the input is known.\cite{hash2012} To protect the donor, his identity is represented as salted hash of the tax identifiaction number. The salt is a small value with high entropy to make it more difficult to guess the hashed value. \\
+Hash functions are used to compress input values to a fixed output size.
+They are deterministic. The same input leads to the same output. The Donau
+uses hash functions to compress data in order to record less data in the
+database or to send less data over the network.
+
+An important property of a hash functions is preimage and second
+preimage resistance. Second preimage resistance prevents an attacker from
+finding a different input that produces the same hash value as a
+given input, which is crucial for maintaining data integrity and security in
+applications like digital signatures and file verification which are used in
+the Donau.
+
+With second-preimage resistance no equivalent hash for any input $x'$ to a
+given hash $h(x)$ with $x \neq x'$ can be found in a reasonable time.
+Collision resistance is the stronger assumption and even prevents to find
+$h(x) = h(x')$ with $x \neq x'$. A further important
+assumption is the Avalanche Criterion. The property defines that a small change
+in the hash input message leads to a substantial change in the output hash.
+This criteria makes it hard to guess the input even if a part of the input is
+known.\cite{hash2012} To protect the donor, their identity is represented as a
+salted hash of the tax identifiaction number. The salt is a small high entropy
+value, to make it more difficult to guess the hashed value.
-The Donau uses the SHA-512 hash function. SHA-512 is part of the SHA-2 family and provides a 256 bit security level for collision resistance. The security of the hash function is mathematically approved.\cite{hash-nist}
+The Donau uses the SHA-512 hash function. SHA-512 is part of the SHA-2 family
+and provides a 256 bit security level for collision resistance. The security of
+the hash function is mathematically approved.\cite{hash-nist}
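Review bot: the chapter lead-in "The project is based on existing cryptography. This chapter describes only the crucial cryptographic elements used by the Donau." is removed here and only survives as a commented-out line at the top of interview.tex, so the background chapter now opens without an introduction; restore it at the start of the cryptography material. The new paragraph "An important property of a hash functions is preimage and second preimage resistance ..." names preimage resistance but only explains second-preimage resistance, and then the following paragraph explains second-preimage resistance again; merge the two. Also "of a hash functions" should be "of hash functions", "This criteria" should be "This criterion", "identifiaction" should be "identification", and "The security of the hash function is mathematically approved" should be reworded: SHA-512's collision resistance is not mathematically proven, it rests on NIST standardisation and the absence of known attacks, so say that (the `\cite{hash-nist}` supports the standardisation claim).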
diff --git a/doc/thesis/chapters/background/interview.tex b/doc/thesis/chapters/background/interview.tex
@@ -0,0 +1,18 @@
+%The project is based on existing cryptography. This chapter describes only the crucial cryptographic elements used by the Donau.
+
+\section{How donations are currently verified}\label{current_system}
+%TODO link to appendix
+In order to find out how the tax authorities nowadays verify donations for
+donation deduction an interview with the tax authority Zürich was held.
+Currently the tax authority Zürich verifies donations by hand. The
+verification process is intentionaly kept simple as donation fraud does not
+seem to be a big problem. Other ways to conduct fraud, are more likely and
+profitable with less legal risk attached. There is no known data that contains
+how much money the state has lost with donation fraud.
+
+If the amount donated is unusually high further proof is needed. The tax
+authority will check if the donor is financially capable of donating this
+amount. Bank transaction receipts may be requested as proof. In extreme cases
+it is brought to court, in which case the donor needs to proof that the
+donation is indeed valid and was made by them.
+
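Review bot: the first line of this new file is the commented-out cryptography-chapter intro moved out of hash.tex; it does not belong in an interview section, so either delete it here or restore it where the cryptography chapter begins. The `%TODO link to appendix` marker should be resolved (the appendix reference is what lets a reader check the interview). Wording: "intentionaly" (intentionally), "Other ways to conduct fraud, are more likely" (drop the comma), "no known data that contains how much money" (data on how much money), and "the donor needs to proof that" (prove).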
diff --git a/doc/thesis/chapters/background/taler.tex b/doc/thesis/chapters/background/taler.tex
@@ -1,8 +1,16 @@
\section{GNU Taler}\label{taler}
-GNU Taler is an open protocol for electronic payment system using blind signatures to protect the privacy of the customer.
-One key component of the GNU Taler payment system is the exchange which is responsible for exchanging existing money into electronic money. Customers can retrieve funds from the exchange to make anonymous payments. The merchant is not anonymous and thus can not hide the income. This helps to avoid tax evasion and money laundering \cite{Taler}.
+GNU Taler is an open protocol for electronic payment system using blind
+signatures to protect the privacy of the customer.
+One key component of the GNU Taler payment system is the exchange which is
+responsible for exchanging existing money into electronic money. Customers can
+retrieve funds from the exchange to make anonymous payments. The merchant is
+not anonymous and thus can not hide the income. This helps to avoid tax evasion
+and money laundering \cite{Taler}.
-GNU Taler uses denominations to represent the values of a coins. A denomination contains the unit of currency and the face value of a given coin. Each denomination contains a cryptographic public key used by the exchange to verify the denomination.
-%...maybe not in background but intro?->no too technical, better here
-The Donau is based on the exchange and requires some of its parts to function. The concept of the denomination was adapted into the donation units, which are used to represent the face value of a donation.
+GNU Taler uses denominations to represent the values of a coins. A denomination
+contains the unit of currency and the face value of a given coin. Each
+denomination contains a cryptographic public key used by the exchange to verify
+the denomination. The Donau is based on the exchange and requires some of its
+parts to work. The concept of the denomination was adapted into the donation
+units, which are used to represent the value of a donation.
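Review bot: "requires some of its parts to work" is ambiguous after the rewrap (it reads as if the parts need to work); the replaced "requires some of its parts to function" was clearer, or write "requires some of the exchange's components in order to function". Also "an open protocol for electronic payment system" should be "for an electronic payment system", and "the values of a coins" should be "the values of coins".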
diff --git a/doc/thesis/chapters/introduction/goals.tex b/doc/thesis/chapters/introduction/goals.tex
@@ -1,19 +1,36 @@
\section{Goals}\label{goals}
-The goal of this thesis is to assess how donations currently work, and to develop and implement a protocol, that aims to improve and standardize how donations are verified and conducted. The Donau system should be implemented as free software.
+The goal of this thesis is to assess how donations currently work, and to
+develop and implement a protocol, that aims to improve and standardize how
+donations are verified and conducted. The Donau system should be implemented as
+free software.
-One of the main goals the Donau aims to protect the donors privacy while he should still being able to deduct his donations from taxes. The donor should be able to do so without revealing more information than needed to the tax authority.
+One of the main goals of the Donau is to protect the donor's privacy, while
+they should still be able to deduct their donations from taxes. The donor
+should be able to do so without revealing more information than needed to the
+tax authority.
-The tax authority should be able to easly verify all donations from a donor by scanning a QR-Code.
-This QR-Code is generated by the donor and should contain all the proof needed to deduct all donations of the year from taxes.
-Because the receipts are centralized in one place of the donors wallet, the donor does not have to worry about storing or loosing the receipts. In addition, by submitting the donation receipts to the Donau the donation receipts should be stored by the Donau. This should be a significant impovement in user convienience for both the donor and tax authority.
+The tax authority should be able to easily verify all donations from a donor by
+scanning a QR-Code.
+This QR-Code is generated by the donor and should contain all the proof needed
+to deduct all donations of the year from taxes.
+Because the receipts are centralized in one place, in the donor's wallet, the
+donor does not have to worry about storing or loosing the receipts. In
+addition, by submitting the donation receipts to the Donau the donation
+receipts will be stored by the Donau. This should be a significant impovement
+in user convenience for both the donor and tax authority.
-The Donau should prevent donation fraud with fake, expired or third-party donations. It should maintain a list of recognized charities, in order to prevent donations from non charitable organizations. The Donau should keep track of the total amount of the donation receipts issued for each charity, to enforce donation limits according to local law and to prevent donation fraud.
+The Donau should prevent donation fraud with fake, expired or third-party
+donations. As it should maintain a list of recognized charities, in order to
+prevent donations from non charitable organizations. The Donau should keep
+track of the total amount of the donation receipts issued for each charity, to
+enforce donation limits according to local law and to prevent donation fraud.
The goals described above boil down to the following:
\begin{itemize}
- \item Protect the donors privacy and still be able to deduct the amount from the taxes.
+ \item Protect the donors privacy and still be able to deduct the amount from
+ the taxes.
\item Make donations verfiable by simply scanning a QR-Code.
- \item Improve the user convienience for both the donor and tax authorities.
+ \item Improve the user convenience for both the donor and tax authorities.
\item Prevent donation fraud with fake, expired or third-party donations.
\end{itemize}
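Review bot: the reflow of the fraud paragraph turns a complete sentence into a fragment: "As it should maintain a list of recognized charities, in order to prevent donations from non charitable organizations." has no main clause, so the requirement lost its subject and its link to fraud prevention; keep the original "It should maintain a list of recognized charities ..." or attach it to the preceding sentence ("... third-party donations, and should therefore maintain a list of recognized charities ..."). The same pass changes "should be stored by the Donau" to "will be stored by the Donau", which asserts behaviour in a goals section that otherwise uses "should" throughout; either keep "should" or state what the Donau actually retains, since the bullet list below promises to protect the donor's privacy. Spelling carried into the new lines: "loosing" should be "losing", "impovement" "improvement", "verfiable" "verifiable", and "donors privacy" needs the possessive "donor's".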
diff --git a/doc/thesis/chapters/introduction/motivation.tex b/doc/thesis/chapters/introduction/motivation.tex
@@ -1,12 +1,35 @@
\section{Motivation}\label{motivation}
-To be able to donate to a charity and deduct that donation from taxes, it is often required to provide evidence. The donor would have to present said evidence in form of a donation receipt which would include information about both the donor and the charity. The donor may want to keep this information private and only provide a receipt that proves that a certain amount was indeed donated to a recognized charity.
+To be able to donate to a charity and deduct that donation from taxes, it is
+often required to provide evidence. The donor would have to present said
+evidence in form of a donation receipt which would include information about
+both the donor and the charity. The donor may want to keep this information
+private and only provide a receipt that proves that a certain amount was indeed
+donated to a recognized charity.
%privacy
-There are many reasons why such information can be sensitive and should be hidden from third parties. Both personally and politically this information could be harmful to individuals if not handeled responsably. To remain anonymous donors would have to keep their donation receipts, which would not allow them to deduct the donation from taxes. It is best to reduce and anonymize this information as much as possible, while still having all the necessary information to verify donations and prevent illegal practices.
+There are many reasons why such information can be sensitive and should be
+hidden from third parties. Both personally and politically this information
+could be harmful to individuals if not handeled responsably. To remain
+anonymous donors would have to keep their donation receipts, which would not
+allow them to deduct the donation from taxes. It is best to reduce and
+anonymize this information as much as possible, while still having all the
+necessary information to verify donations and prevent illegal practices.
%simplicity
-Tax authorities may have to verify donations manually which can be time consuming and involves a disproportionate amount of effort for the tax authorities. The donor on the other hand has to keep track of the donation receipts. It is not unheard of, that these receipts get lost or forgotten by the time the tax declaration is submitted.
+Tax authorities may have to verify donations manually which can be time
+consuming and involves a disproportionate amount of effort for the tax
+authority. The donor on the other hand has to keep track of the donation
+receipts. It is not unheard of, that these receipts get lost or forgotten by
+the time the tax declaration is submitted.
%standardisation
-For every donation the donor wants the donation to be tax deductible, the adressed charity has to be recognized by the local tax authority. However, it can happen that donations to unrecognized charities are mistakenly deducted or that donations to recognized charities abroad are not deducted. This misconduct has found attention by Michiel Leenaars from the NLnet Foundation\footnote{see \url{https://nlnet.nl/}}. He has noticed that donations to their organization from other countries are sometimes not deducted from the taxes of their donors, although this should be the case in the european union according to the article 63 of \cite{eulaw}.
+For every donation the donor wants the donation to be tax deductible. The
+adressed charity has to be recognized by the local tax authority. However, it
+can happen that donations to unrecognized charities are mistakenly deducted or
+that donations to recognized charities abroad are not deducted. This misconduct
+has found attention by Michiel Leenaars from the NLnet Foundation\footnote{see
+\url{https://nlnet.nl/}}. He has noticed that donations to their organization
+from other countries are sometimes not deducted from the taxes of their donors,
+although this should be the case in the European Union according to the article
+63 of \cite{eulaw}.
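Review bot: splitting the first sentence of the standardisation paragraph changes its meaning: "For every donation the donor wants the donation to be tax deductible." now stands alone as a fragment and "The adressed charity has to be recognized ..." loses its conditional; restore one sentence, e.g. "For every donation the donor wants to be tax deductible, the addressed charity has to be recognized by the local tax authority." In the privacy paragraph, "To remain anonymous donors would have to keep their donation receipts" reads as if retaining the receipt were the problem; "withhold" or "not submit" says what is meant, and a comma is needed after "anonymous". Spelling carried over: "handeled responsably" should be "handled responsibly", "adressed" "addressed"; "article 63" should be capitalised as "Article 63" since it names a specific provision of the cited law.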
diff --git a/doc/thesis/chapters/introduction/scope.tex b/doc/thesis/chapters/introduction/scope.tex
@@ -1,12 +1,25 @@
\section{Scope}\label{scope}
-At the start of the project the REST API specifications together with the database schema and Donau protocol was written.
-While implementing, the Donau API and DB tests were written to ensure that the endpoints and database work correctly.
-During the project the code was documented and various other documents like presentations and project summaries were created.
-This included a short video presenting the Donau.
-To demonstrate the Donau an Android application was developped that can verify donations by scanning a QR-Code.
+At the start of the project the REST API specifications together with the
+database schema and Donau protocol was written.
+While implementing, the Donau API and DB tests were written to ensure that the
+endpoints and database work correctly.
+During the project the code was documented and various other documents like
+presentations and project summaries were created.
+This included a short video, presenting the Donau.
+%To demonstrate the Donau an Android application was developped that can verify
+%donations by scanning a QR-Code.
+%TODO
-An interview was also held with the tax authority Zürich, which has provided valuable insight in how donations are verified and important aspects that a system like the Donau should fulfill.
+An interview was held with the tax authority Zürich, which has provided
+valuable insight in how donations are verified and important aspects that a
+system like the Donau should fulfill.
-Out of scope was the charity implementation which would have been integrated into the Taler merchant and the donor client implementation which would have been integrated into the Taler wallet. Unlike the charity integration, the donor part of the taler wallet is payment system dependent.
-In other words, since the taler wallet can only make donations with the taler payment system, it could only receive donation receipts for this. The administrator interface was also not realized, which would have provided a user-friendly interface to manage the charities.
+Out of scope was the charity implementation which would have been integrated
+into the Taler merchant and the donor client implementation which would have
+been integrated into the Taler wallet. Unlike the charity integration, the
+donor part of the taler wallet is payment system dependent.
+In other words, since the taler wallet can only make donations with the taler
+payment system, it could only receive donation receipts for this. The
+administrator interface was also not realized, which would have provided a
+user-friendly interface to manage the charities.
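Review bot: commenting out the Android application sentence and leaving "%TODO" behind makes the scope section silent on how QR-Code verification was demonstrated, while the goals and results sections still present scanning a QR-Code as the verification path; decide whether the app is in scope and either restore the sentence (saying what the app actually does) or delete it, rather than shipping a TODO in a chapter source. Grammar in the new lines: "the REST API specifications together with the database schema and Donau protocol was written" needs "were written"; the added comma in "a short video, presenting the Donau" should go; "taler wallet" and "taler payment system" should be capitalised as "Taler" to match "Taler merchant" two lines earlier; "developped" in the commented line is "developed" if it is restored.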
diff --git a/doc/thesis/chapters/results/results.tex b/doc/thesis/chapters/results/results.tex
@@ -1,8 +1,31 @@
\section{Results}\label{results}
-Currently the Donau REST API is fully implemented. The Donau can manage any number of charities using the \texttt{/charities} endpoint.
-All the keys used for signing and blind signing are managed by the Donau thogether with the Secmod helpers.
-Overall the Donau is able to issue donation receipts and provide the necessary donation statement to the donor, all while keeping the data anonymized and protecting the privacy of the donor. It is also worth mentioning that the unusual cryptography of blinded signatures does not effect the performance.
-With the binding of the tax number to the donation receipts and the signature of the tax authority with year-dependent keys, the receipts are absolutely bound to a donor and to a year and cannot be falsified or imitated without falsifying the signature. Therefore donation fraud can be prevented. By summarizing the receipts into one single QR-Code, the user convienience for the tax authority and for the donor could be improved.
+Currently the Donau REST API is fully implemented. The Donau can manage any
+number of charities using the \texttt{/charities} endpoint.
+All the keys used for signing and blind signing are managed by the Donau
+thogether with the Secmod helpers.
-Important components that are needed to operate the Donau are not yet implemented. This includes the charity side and donor client side. Although test where written to ensure that the Donau endpoints operate as expected, there are still some bugs and most likely also unknown bugs, not yet found.
+Overall the Donau is able to issue donation receipts and provide the necessary
+donation statement to the donor, all while keeping the data anonymized and
+protecting the privacy of the donor. It is also worth mentioning that the
+unusual cryptography of blinded signatures does not effect the performance.
+With the binding of the tax number to the donation receipts and the signature
+of the tax authority with year-dependent keys, the receipts are absolutely
+bound to a donor and to a year and cannot be falsified or imitated without
+falsifying the signature. Therefore donation fraud can be prevented. By
+summarizing the receipts into one single QR-Code, the user convienience for the
+tax authority and for the donor could be improved.
+
+Important components that are needed to operate the Donau are not yet
+implemented. This includes the charity side and donor client side. Although
+test where written to ensure that the Donau endpoints operate as expected,
+there are still some bugs and most likely also unknown bugs, not yet found.
+
+The tax authority emphasises user convenience and simplicity in a system like
+the Donau. The tax authority also mentioned the challanges that arise when
+operating such a system in the federalism. Each party often has different
+requirements that a system like the Donau should fulfill.
+
+Although the Donau is in its early stages and the prototype has not yet been
+deployed, the tax authority Zürich definitely sees potential in the user
+convenience side of the Donau.
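Review bot: "cannot be falsified or imitated without falsifying the signature. Therefore donation fraud can be prevented." claims more than the binding supports: a signature over the tax number under a year-dependent key only rules out forged receipts, and only while the signing keys held by the Secmod helpers stay secret; it says nothing about the same receipt being presented twice or about a charity issuing a receipt for an amount that was never donated. State these as assumptions or point to where they are handled, and drop "absolutely". "does not effect the performance" should be "affect", and a performance statement needs a measurement or should be softened to "no noticeable impact in our tests". The paragraph also attributes the year-dependent signature to "the tax authority" while three sentences earlier the keys are managed by the Donau; say which entity signs. Spelling in the new lines: "thogether" (together), "test where written" (tests were written), "challanges" (challenges), "in the federalism" (in a federal system), "convienience" (convenience).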
diff --git a/doc/thesis/thesis.pdf b/doc/thesis/thesis.pdf
Binary files differ.
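Review bot: doc/thesis/thesis.pdf is a build artifact committed next to its sources; every text edit now produces a binary diff and merge conflicts, so consider building it in CI or attaching it to a tagged release instead of tracking it in the repository.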
diff --git a/doc/thesis/thesis.tex b/doc/thesis/thesis.tex
@@ -27,6 +27,7 @@
\input{chapters/introduction/scope}
\chapter{Background}
+\input{chapters/background/interview}
\input{chapters/background/hash}
\input{chapters/background/eddsa}
\input{chapters/background/blindsign}
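Review bot: the new \input{chapters/background/interview} references a file that does not appear in the visible hunks of this commit; confirm chapters/background/interview.tex is part of the same commit, otherwise thesis.tex no longer builds. Placing the interview before the hash, EdDSA and blind-signature sections is sensible because it motivates the requirements, but the results section already summarises the tax authority's feedback, so make sure the two do not duplicate each other.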