-fixes - donau - Donation authority for GNU Taler (experimental)

commit de2204f122a52145a9c67e79b3dc19f779e8c1c4
parent d8577c4c2a98ef5b8ea3c526d1d4a46853ce700a
Author: Christian Grothoff <christian@grothoff.org>
Date:   Tue, 31 Oct 2023 10:54:33 +0100

-fixes

Diffstat:
M doc/flows/definitions.tex  | 81 +++++++++++++++++++++++++++++++++++++++++--------------------------------------
M doc/flows/main.tex  | 22 +++++++++++-----------

2 files changed, 53 insertions(+), 50 deletions(-)
diff --git a/doc/flows/definitions.tex b/doc/flows/definitions.tex
@@ -6,67 +6,70 @@
 
 \subsection{Definitions}
 \begin{itemize}
-  \item \textbf{Cryptographic Hash Function} $H(m) := h$ where $m$ is a message and $h$ the resulting hash.
+  \item \textbf{Cryptographic Hash Function} $h := H(m)$ where $m$ is a message and $h$ the resulting hash.
   
-  \item \textbf{Blinding function} $blind(m, b)$ where $m$ is the message to blind and $b$ the blinding factor to apply. The blinding can be done with either the RSA blind signature scheme or the Blinded Clause-Schnorr signature scheme.
-  
-  \item \textbf{Keygen} TODO
+  \item \textbf{BlindKeygen} $\langle K_x^{pub}, K_x^{priv} \rangle := Keygen^B(\omega)$ where $\omega$ is a source of entropy and $x$ is the associated value (e.g. 2 EUR).
+    The resulting key pair represents a donation unit. The result is a public key $K_x^{pub}$ and private key $K_x^{priv}$. The equivalent in Taler is a "denomination".
+
+  \item \textbf{DonauKeygen} $\langle D^{pub}, D^{priv} \rangle := Keygen^D(\omega)$
+
+  \item \textbf{CharityKeygen} $\langle C^{pub}, C^{priv} \rangle := Keygen^C(\omega)$
+
+  \item \textbf{Donor Identifier} $i := H(\texttt{taxid}, s)$ where $s$ is a random salt with sufficient entropy to prevent guessing attacks to invert the hash function.
+    
+  \item \textbf{Unique Donor Identifier} $u := \langle i, n \rangle$ where $n$ is a high-entropy nonce to make the resulting hash unique per donation.
+
+  \item \textbf{Blinding function} $\overline{u} := blind(u, b, K_x^{pub})$ where $u$ is the value to blind, $b$ the blinding factor to apply and $K_x^{pub}$ the public key of
+    the donation unit that will be used for signing. The blinding can be done with either the RSA blind signature scheme or the Blinded Clause-Schnorr signature scheme.
+    The $\overline{u}$ is a blinded unique donor identifier which is blinded to protect the privacy of the donor.  
 
   \item \textbf{Signing}
     \begin{itemize}
       \item \textbf{Classic/lightweight signing (e.g. EdDSA):} 
       \begin{align}
-        \fbox{$\sigma := sign(m,k)$}
+        \fbox{$s := sign(m,k^{priv})$}
       \end{align}
-      where $m$ is a message and $k$ is the private key used to sign the message.\\
+      where $m$ is a message and $k^{priv}$ is the private key used to sign the message, for example $k^{priv} = D^{priv}$ or $k^{priv} = C^{priv}$.\\
       Applications:
       \begin{itemize}
-        \item A charity signs a collection of \emph{BUDI-key-pair} before transfering them to the Donau to issue \emph{Donation Receipts}
-        \item The Donau computes the \emph{donation statement signature} for a donor for a specific year
+      \item Signatures over \textbf{Blinded Unique Donor Identifier-key-pair} or \textbf{BUDI-key-pairs}:
+        \begin{align}
+          \fbox{$\mu := \langle \overline{u}, H(K_x^{pub}) \rangle$} \\
+          \vec{\mu}_s := sign(\vec{\mu},C^{priv})
+        \end{align}
+        where $H(K_x^{pub})$ indicates which donation unit key should be used by the Donau to sign the resulting donation receipt. Thus, this hash carries the information about the exact value the final donation receipt should carry.
+
+        A charity signs a collection of \emph{BUDI-key-pair} before transfering them to the Donau to issue \emph{Donation Receipts}
+      \item Signing over \textbf{Donation Statement signatures}:
+        \begin{align}
+          \sigma := \langle i, a_\Sigma, \texttt{year} \rangle \\
+          \fbox{$\sigma_s := sign(\sigma, D^{priv})$}
+        \end{align}
+        where $D^{priv}$ is the private key from the Donau.
+        These signatures attest the amount donated in a particular year by a specific donor.
+
+        The Donau computes the \emph{donation statement signature} for a donor for a specific year
       \end{itemize}
       
       \item \textbf{Blind signing(e.g. RSA/CS):}
-      \begin{align}
-        \fbox{$\overline{\beta} := blind\_sign(\overline{m},k)$}
+        \begin{align}
+        \fbox{$\overline{\beta} := blind\_sign(\overline{u},K_x^{priv})$}
       \end{align}
-      where $\overline{m}$ is a blinded message and $k$ is the private key used to blind sign the message.\\
+      where $\overline{u}$ is a blinded value and $K_x^{priv}$ is the private key used to blind sign the message.\\
       Application:
       \begin{itemize}
         \item The Donau blind signs \emph{Blinded Unique Donor Identifier}s received from the charity with the private key matching the public key in the received \emph{BUDI-key-pair}
       \end{itemize}
     \end{itemize}
-
-  \item \textbf{Donation Unit} $ := (K_x^{pub}, K_x^{priv})$ where $x$ is the associated value (e.g. 2EUR):
-    Smallest structure representing a donation confirmation unit.
-    Consists of a Public key $K_x^{pub}$ and Private key $K_x^{priv}$. Equivalent in Taler is "denomination".
-
-  \item \textbf{Donor Identifier} $i := H(\texttt{taxid}, \texttt{salt})$
-    
-  \item \textbf{Unique Donor Identifier} $u := \langle i, \texttt{nonce} \rangle$
-  where \texttt{nonce} ...%TODO
-
-  \item \textbf{Blinded Unique Donor Identifier} 
-  \begin{align}
-    \fbox{$\overline{u} := blind(u)$}
-  \end{align}
-  blinded to protect the privacy of the donor
   
-  \begin{itemize}
-   \item \textbf{Blinded Unique Donor Identifier-key-pair} or \textbf{BUDI-key-pair}
-  \begin{align}
-      \fbox{$\mu := \langle \overline{u}, H(K_x^{pub}) \rangle$}
-  \end{align}
-where $H(K_x^{pub})$ indicates which donation unit key should be used by the Donau to sign the resulting donation receipt. Thus, this hash carries the information about the exact value the final donation receipt should carry.
-  \end{itemize}
 
+  \item UNBLINDING!
+
+  \item Verify (blind + unblind versions)!
 
+  \item Charity signing request.
+    
   \item \textbf{Donation Receipt} $r := \langle u, \beta, H(K_x^{pub}) \rangle$ where $\beta$ is the unblinded signature: Sent to the Donau to get the donation Statement.
 
-  \item \textbf{Donation Statement signature}
-  Signature to attest the amount donated in a particular year by a specific donor.
-  \begin{align}
-\fbox{$\sigma_s := sign(\langle i, \texttt{amount}_{total}, \texttt{year} \rangle, D^{priv})$}
-\end{align}
-where $D^{priv}$ is the private key from the Donau.
 
 \end{itemize}
diff --git a/doc/flows/main.tex b/doc/flows/main.tex
@@ -64,18 +64,18 @@
 %   TODO make footnote out of this
   (if one donation unit is present more than once in the sum, then there is more than one unique donor identifier required for said donation unit. This depnds upon the offered donation units.)}
     \begin{align}
-      i &= H(\texttt{taxid, salt})\\ 
-      u_1 &= \langle i, \texttt{nonce}_1 \rangle \\
-      u_2 &= \langle i, \texttt{nonce}_2 \rangle \\
-      u_3 &= \langle i, \texttt{nonce}_3 \rangle \\
+        i :&= H(\texttt{taxid, salt})\\ 
+      u_1 :&= \langle i, \texttt{nonce}_1 \rangle \\
+      u_2 :&= \langle i, \texttt{nonce}_2 \rangle \\
+      u_3 :&= \langle i, \texttt{nonce}_3 \rangle 
     \end{align}
 
   \item The donor blinds the \emph{unique donor identifiers} using a \textbf{different} blinding factor $b$ for every \emph{unique donor identifier}.\\
   \emph{Example:}
   \begin{align}
-    \overline u_1 &= blind (u_1, b_1) \\
-    \overline u_2 &= blind (u_2, b_2) \\
-    \overline u_3 &= blind (u_3, b_3) \\
+    \overline u_1 :&= blind (u_1, b_1) \\
+    \overline u_2 :&= blind (u_2, b_2) \\
+    \overline u_3 :&= blind (u_3, b_3) 
   \end{align}
   
   \item So far, the \emph{unique donor identifiers} do not carry information about their value. The \textbf{intended effective value is now indicated} by grouping each \emph{unique donor identifier} with the according (hash of the) \emph{donation unit} public key $P^{pub}_x$. \\
@@ -85,12 +85,12 @@
   
   \emph{Example: Note: The public key is not in relation with the sequential index of the budi-key-pair, it only relates to the value of the pair!}
   \begin{align}
-       \overline \mu_1 &= \langle \overline u_1, \color{red}{P^{pub}_1}\color{black}{} \rangle \\
-       \overline \mu_2 &= \langle \overline u_2, \color{red}{P^{pub}_2}\color{black}{} \rangle \\
-       \overline \mu_3 &= \langle \overline u_3, \color{red}{P^{pub}_4}\color{black}{} \rangle \\
+       \overline \mu_1 :&= \langle \overline u_1, H(\color{red}{K^{pub}_1}\color{black}{}) \rangle \\
+       \overline \mu_2 :&= \langle \overline u_2, H(\color{red}{K^{pub}_2}\color{black}{}) \rangle \\
+       \overline \mu_3 :&= \langle \overline u_3, H(\color{red}{K^{pub}_4}\color{black}{}) \rangle 
   \end{align}
 
-  \item The donor sends the $BKP$'s as well as the corresponding payment to the charity.
+  \item The donor sends the $\vec{\mu}$ as well as the corresponding payment to the charity.
 \end{enumerate}
 
 \subsubsection{Charity sends signed $BKP$'s to Donau}

	donau Donation authority for GNU Taler (experimental)
	Log \| Files \| Refs \| Submodules \| README \| LICENSE

M	doc/flows/definitions.tex	\|	81	+++++++++++++++++++++++++++++++++++++++++--------------------------------------
M	doc/flows/main.tex	\|	22	+++++++++++-----------