commit 13e1b363be75d9577fd19724bedd6325b189c9ee
parent 2d8cc709d85aa34794a6e4c8b3ec5d8db66dd89c
Author: Christian Grothoff <christian@grothoff.org>
Date: Mon, 13 May 2019 14:43:51 +0200
feedback integration
Diffstat:
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/presentations/comprehensive/bankademia.tex b/presentations/comprehensive/bankademia.tex
@@ -513,14 +513,14 @@ But of course we use modern instantiations.
\begin{frame}{Warranting deposit safety}
- Exchange has {\em another} online signing key $O = oG$:
+ Exchange has {\em another} online signing key $W = wG$:
\begin{center}
- Sends $E$, $EdDSA_o(M,H(D),FDH(C))$ to the merchant.
+ Sends $E$, $EdDSA_w(M,H(D),FDH(C))$ to the merchant.
\end{center}
This signature means that $M$ was the {\em first} to deposit
$C$ and that the exchange thus must pay $M$.
\begin{center}
- Without this, an evil exchange could reneg on the deposit
+ Without this, an evil exchange could renege on the deposit
confirmation and claim double-spending if a coin were
deposited twice, and then not pay either merchant!
\end{center}
@@ -529,8 +529,8 @@ But of course we use modern instantiations.
\begin{frame}{Online keys}
\begin{itemize}
-\item The exchange needs $d$ and $o$ to be available for online signing.
-\item The corresponding public keys $O$ and $(e,n)$ are certified using
+\item The exchange needs $d$ and $w$ to be available for online signing.
+\item The corresponding public keys $W$ and $(e,n)$ are certified using
Taler's public key infrastructure (which uses offline-only keys).
\end{itemize}
\begin{center}
@@ -565,13 +565,13 @@ But of course we use modern instantiations.
\end{frame}
-\begin{frame}{Online signing key $O$ compromise}
+\begin{frame}{Online signing key $W$ compromise}
\begin{itemize}
-\item An attacker who learns $o$ can sign deposit confirmations.
+\item An attacker who learns $w$ can sign deposit confirmations.
\item Attacker sets up two (or more) merchants and customer(s) which double-spend
legitimate coins at both merchants.
\item The merchants only deposit each coin once at the exchange and get paid once.
-\item The attacker then uses $o$ to fake deposit confirmations for the double-spent
+\item The attacker then uses $w$ to fake deposit confirmations for the double-spent
transactions.
\item The attacker uses the faked deposit confirmations to complain to the auditor
that the exchange did not honor the (faked) deposit confirmations.
@@ -581,7 +581,7 @@ and (likely) would presume an evil exchange, forcing it to pay both merchants.
\end{frame}
-\begin{frame}{Detecting online signing key $O$ compromise}
+\begin{frame}{Detecting online signing key $W$ compromise}
\begin{itemize}
\item Merchants are required to {\em probabilistically} report
signed deposit confirmations to the auditor.
@@ -592,7 +592,8 @@ and (likely) would presume an evil exchange, forcing it to pay both merchants.
to the auditor {\em and} those without proof of double-spending
{\em and} those merchants reported to the auditor.
\item[$\Rightarrow$] Merchants that do not participate in reporting
- to the auditor risk their deposit permissions being voided.
+ to the auditor risk their deposit permissions being voided in
+ cases of an exchange's private key being compromised.
\end{itemize}
\end{frame}
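Review bot: The added wording "an exchange's private key" in the last item does not say which key is meant, although the slides give the exchange several: $d$ and $w$ for online signing, plus the offline-only keys of the PKI. Since this frame is about detecting compromise of the online signing key $W$, I would name it, e.g. `cases where the exchange's online signing key $w$ is compromised.` The same item speaks of "deposit permissions" while the rest of this frame and the preceding one say "deposit confirmations"; if the exchange-signed confirmation is what gets voided, the term should match, otherwise the distinction deserves a word. The frame starts outside this hunk.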