commit 9f86e98f75b28f3e461062f3c08e64404e239e09
parent 6c3201ab787edb1a64c31361e1cd8f673844fce9
Author: Christian Grothoff <christian@grothoff.org>
Date: Fri, 26 Jun 2020 09:17:21 +0200
fix typo, add missing slides
Diffstat:
1 file changed, 88 insertions(+), 0 deletions(-)
diff --git a/presentations/comprehensive/main.tex b/presentations/comprehensive/main.tex
@@ -1183,6 +1183,94 @@ But of course we use modern instantiations.
+\begin{frame}{Warranting deposit safety}
+ Exchange has {\em another} online signing key $W = wG$:
+ \begin{center}
+ Sends $EdDSA_w(M,H(D),FDH(C))$ to the merchant.
+ \end{center}
+ This signature means that $M$ was the {\em first} to deposit
+ $C$ and that the exchange thus must pay $M$.
+ \begin{center}
+ Without this, an evil exchange could renege on the deposit
+ confirmation and claim double-spending if a coin were
+ deposited twice, and then not pay either merchant!
+ \end{center}
+\end{frame}
+
+
+\begin{frame}{Online keys}
+\begin{itemize}
+\item The exchange needs $d$ and $w$ to be available for online signing.
+\item The corresponding public keys $W$ and $(e,n)$ are certified using
+ Taler's public key infrastructure (which uses offline-only keys).
+\end{itemize}
+\begin{center}
+\includegraphics[width=0.5\textwidth]{taler-diagram-signatures.png}
+\end{center}
+\vfill
+\begin{center}
+{\bf What happens if those private keys are compromised?}
+\end{center}
+\vfill
+\end{frame}
+
+
+\begin{frame}{Denomination key $(e,n)$ compromise}
+\begin{itemize}
+\item An attacker who learns $d$ can sign an arbitrary number of illicit coins
+ into existence and deposit them.
+\item Auditor and exchange can detect this once the total number of deposits
+ (illicit and legitimate) exceeds the number of legitimate coins the
+ exchange created.
+\item At this point, $(e,n)$ is {\em revoked}. Users of {\em unspent}
+ legitimate coins reveal $b$ from their withdrawal operation and
+ obtain a {\em refund}.
+\item The financial loss of the exchange is {\em bounded} by the number of
+ legitimate coins signed with $d$.
+\item[$\Rightarrow$] Taler frequently rotates denomination signing keys and
+ deletes $d$ after the signing period of the respective key expires.
+\end{itemize}
+\begin{center}
+\includegraphics[width=0.5\textwidth]{taler-diagram-denom-expiration.png}
+\end{center}
+\end{frame}
+
+
+\begin{frame}{Online signing key $W$ compromise}
+\begin{itemize}
+\item An attacker who learns $w$ can sign deposit confirmations.
+\item Attacker sets up two (or more) merchants and customer(s) which double-spend
+ legitimate coins at both merchants.
+\item The merchants only deposit each coin once at the exchange and get paid once.
+\item The attacker then uses $w$ to fake deposit confirmations for the double-spent
+ transactions.
+\item The attacker uses the faked deposit confirmations to complain to the auditor
+ that the exchange did not honor the (faked) deposit confirmations.
+\end{itemize}
+The auditor can then detect the double-spending, but cannot tell who is to blame,
+and (likely) would presume an evil exchange, forcing it to pay both merchants.
+\end{frame}
+
+
+\begin{frame}{Detecting online signing key $W$ compromise}
+\begin{itemize}
+\item Merchants are required to {\em probabilistically} report
+ signed deposit confirmations to the auditor.
+\item Auditor can thus detect exchanges not reporting signed
+ deposit confirmations.
+\item[$\Rightarrow$] Exchange can rekey if illicit key use is detected,
+ then only has to honor deposit confirmations it already provided
+ to the auditor {\em and} those without proof of double-spending
+ {\em and} those merchants reported to the auditor.
+\item[$\Rightarrow$] Merchants that do not participate in reporting
+ to the auditor risk their deposit permissions being voided in
+ cases of an exchange's private key being compromised.
+\end{itemize}
+\end{frame}
+
+
+
+
\section{Competitor analysis}
\begin{frame}{Competitor comparison}
\begin{center} \small
