[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-donau] branch master updated: [doc] Clarification of protocol def
|
From: |
gnunet |
|
Subject: |
[taler-donau] branch master updated: [doc] Clarification of protocol definitions and examples, separate definitions file |
|
Date: |
Tue, 31 Oct 2023 00:46:40 +0100 |
This is an automated email from the git hooks/post-receive script.
pius-loosli pushed a commit to branch master
in repository donau.
The following commit(s) were added to refs/heads/master by this push:
new 49ef33e [doc] Clarification of protocol definitions and examples,
separate definitions file
49ef33e is described below
commit 49ef33e206538eb4ca6d59e2cb1d13d95357c049
Author: Pius Loosli <loosp2@bfh.ch>
AuthorDate: Tue Oct 31 00:45:32 2023 +0100
[doc] Clarification of protocol definitions and examples, separate
definitions file
---
doc/flows/definitions.tex | 72 ++++++++++++++++++++++
doc/flows/main.tex | 153 ++++++++++++++++++++--------------------------
2 files changed, 139 insertions(+), 86 deletions(-)
diff --git a/doc/flows/definitions.tex b/doc/flows/definitions.tex
new file mode 100644
index 0000000..61dfd46
--- /dev/null
+++ b/doc/flows/definitions.tex
@@ -0,0 +1,72 @@
+\section{Notation \& Definitions }
+\subsection{Notation}
+\begin{itemize}
+ \item $\langle a, b, ... \rangle$ : Pair/tuple
+\end{itemize}
+
+\subsection{Definitions}
+\begin{itemize}
+ \item \textbf{Cryptographic Hash Function} $H(m) = h$ where $m$ is a message
and $h$ the resulting hash.
+
+ \item \textbf{Blinding function} $blind(m, b)$ where $m$ is the message to
blind and $b$ the blinding factor to apply. The blinding can be done with
either the RSA blind signature scheme or the Blinded Clause-Schnorr signature
scheme.
+
+ \item \textbf{Keygen} TODO
+
+ \item \textbf{Signing}
+ \begin{itemize}
+ \item \textbf{Classic/lightweight signing (e.g. EdDSA):}
+ \begin{align}
+ \fbox{$\sigma := sign(m,k)$}
+ \end{align}
+ where $m$ is a message and $k$ is the private key used to sign the
message.\\
+ Applications:
+ \begin{itemize}
+ \item A charity signs a collection of \emph{BUDI-key-pair} before
transfering them to the Donau to issue \emph{Donation Receipts}
+ \item The Donau computes the \emph{donation statement signature} for a
donor for a specific year
+ \end{itemize}
+
+ \item \textbf{Blind signing(e.g. RSA/CS):}
+ \begin{align}
+ \fbox{$\overline{\beta} := blind\_sign(\overline{m},k)$}
+ \end{align}
+ where $\overline{m}$ is a blinded message and $k$ is the private key
used to blind sign the message.\\
+ Application:
+ \begin{itemize}
+ \item The Donau blind signs \emph{Blinded Unique Donor Identifier}s
received from the charity with the private key matching the public key in the
received \emph{BUDI-key-pair}
+ \end{itemize}
+ \end{itemize}
+
+ \item \textbf{Donation Unit} $ = (K_x^{pub}, K_x^{priv})$ where $x$ is the
associated value (e.g. 2EUR):
+ Smallest structure representing a donation confirmation unit.
+ Consists of a Public key $K_x^{pub}$ and Private key $K_x^{priv}$.
Equivalent in Taler is "denomination".
+
+ \item \textbf{Donor Identifier} $i = H(\texttt{taxid}, \texttt{salt})$
+
+ \item \textbf{Unique Donor Identifier} $u := \langle i, \texttt{nonce}
\rangle$
+ where \texttt{nonce} ...%TODO
+
+ \item \textbf{Blinded Unique Donor Identifier}
+ \begin{align}
+ \fbox{$\overline{u} := blind(u)$}
+ \end{align}
+ blinded to protect the privacy of the donor
+
+ \begin{itemize}
+ \item \textbf{Blinded Unique Donor Identifier-key-pair} or
\textbf{BUDI-key-pair}
+ \begin{align}
+ \fbox{$\mu := \langle \overline{u}, H(K_x^{pub}) \rangle$}
+ \end{align}
+where $H(K_x^{pub})$ indicates which donation unit key should be used by the
Donau to sign the resulting donation receipt. Thus, this hash carries the
information about the exact value the final donation receipt should carry.
+ \end{itemize}
+
+
+ \item \textbf{Donation Receipt} $r = \langle u, \beta, H(K_x^{pub}) \rangle$
where $\beta$ is the unblinded signature: Sent to the Donau to get the donation
Statement.
+
+ \item \textbf{Donation Statement signature}
+ Signature to attest the amount donated in a particular year by a specific
donor.
+ \begin{align}
+\fbox{$\sigma_s = sign(\langle i, \texttt{amount}_{total}, \texttt{year}
\rangle, D^{priv})$}
+\end{align}
+where $D^{priv}$ is the private key from the Donau.
+
+\end{itemize}
diff --git a/doc/flows/main.tex b/doc/flows/main.tex
index fa06efb..224d330 100644
--- a/doc/flows/main.tex
+++ b/doc/flows/main.tex
@@ -20,101 +20,77 @@
\maketitle
\newpage
-\section{Notation \& Definitions }
-\subsection{Notation}
-\begin{itemize}
- \item $\langle a, b, ... \rangle$ : Pair/tuple
-\end{itemize}
-
-\subsection{Definitions}
-\begin{itemize}
- \item \textbf{Cryptographic Hash Function} $H(m) = h$ where $m$ is a message
and $h$ the resulting hash.
-
- \item \textbf{Blinding function} $blind(m, b)$ where $m$ is the message to
blind and $b$ the blinding factor to apply. The blinding can be done with
either the RSA blind signature scheme or the Blinded Clause-Schnorr signature
scheme.
-
- \item \textbf{Keygen} TODO
-
- \item \textbf{Signing}
- \begin{itemize}
- \item \textbf{Classic/lightweight signing (e.g. EdDSA):}
- \begin{align}
- \fbox{$\sigma := sign(m,k)$}
- \end{align}
- where $m$ is a message and $k$ is the private key used to sign the
message.\\
- Applications:
- \begin{itemize}
- \item A charity signs a collection of \emph{BUDI-key-pair} before
transfering them to the Donau to issue \emph{Donation Receipts}
- \item The Donau computes the \emph{donation statement signature} for a
donor for a specific year
- \end{itemize}
-
- \item \textbf{Blind signing(e.g. RSA/CS):}
- \begin{align}
- \fbox{$\overline{\beta} := blind\_sign(\overline{m},k)$}
- \end{align}
- where $\overline{m}$ is a blinded message and $k$ is the private key
used to blind sign the message.\\
- Application:
- \begin{itemize}
- \item The Donau blind signs \emph{Blinded Unique Donor Identifier}s
received from the charity with the private key matching the public key in the
received \emph{BUDI-key-pair}
- \end{itemize}
- \end{itemize}
-
- \item \textbf{Donation Unit} $ = (K_x^{pub}, K_x^{priv})$ where $x$ is the
associated value (e.g. 2EUR):
- Smallest structure representing a donation confirmation unit.
- Consists of a Public key $K_x^{pub}$ and Private key $K_x^{priv}$.
Equivalent in Taler is "denomination".
-
- \item \textbf{Donor Identifier} $i = H(\texttt{taxid}, \texttt{salt})$
-
- \item \textbf{Unique Donor Identifier} $u := \langle i, \texttt{nonce}
\rangle$
- where \texttt{nonce} ...%TODO
-
- \item \textbf{Blinded Unique Donor Identifier} $\overline{u} := blind(u)$,
blinded to protect the privacy of the donor
-
- \begin{itemize}
- \item \textbf{BUDI-key-pair} $\mu := \langle \overline{u}, H(K_x^{pub})
\rangle$ where $H(K_x^{pub})$ indicates which donation unit key should be used
by the Donau to sign the resulting donation receipt. Thus, this hash carries
the information about the exact value the final donation receipt should carry.
- \end{itemize}
-
-
- \item \textbf{Donation Receipt} $r = \langle u, \beta, H(K_x^{pub}) \rangle$
where $\beta$ is the unblinded signature: Sent to the Donau to get the donation
Statement.
- \item \textbf{Donation Statement} $\sigma_s = sign(\langle i,
\texttt{amount}_{total}, \texttt{year} \rangle, D^{priv})$ where $D^{priv}$ is
the private key from the Donau: Signature to attest the amount donated in a
particular year by a specific donor.
+\input{definitions.tex}
-\end{itemize}
\section{Overview}
\includegraphics[width=\textwidth]{overview}
-\subsection{Step 0: Key generation and Initial setup}
+\newpage
+\section{Protocol Detail}
+
+\subsection{Key generation and initial setup}
+\subsubsection{Initial Donau setup}
\begin{enumerate}
\item The Donau generates a public key $D^{pub}$ and private key $D^{priv}$.
\item The Donau generates the \emph{donation units} consisting of
$K_x^{pub}$ and $K_x^{priv}$ where $x$ is the associated value.
+\end{enumerate}
- \item The charity generates the key pair $(C^{pub}, C^{priv})$ and downloads
the \emph{donation units} from the donau.
-
- \item The Donau administrator registers the public key $C_{pub}$ and sets
the yearly donation limit for the charities.
+\subsubsection{Charity setup (Charity side and Donau side)}
+\begin{enumerate}
+ \item The \textbf{charity} generates the key pair $(C^{pub}, C^{priv})$ and
downloads the \emph{donation units} from the donau.
+
+ \item The \textbf{charity} transmits $C^{pub}$ to the party responsible for
Donau administration using a \textbf{secure channel}.
+
+ \item The party in charge of \textbf{Donau administration} ensures that the
applying party is authentic and if it is publicly recognized as charity
organisation. Furthermore, it ensures that all eventual other checks required
by law are done. If everything is clear, it registers the public key $C^{pub}$
and sets the yearly donation limit for the charitiy.
\end{enumerate}
-\subsection{Step 1: Attest donation}
-\subsubsection{Donor donates to charity}
+
+\subsection{Continuously during tax period: get donation receipts}
+\subsubsection{Overview}
+
+
+\subsubsection{Donor donates to charity and transmits unique donor ids (future
donation receipts)}
\begin{enumerate}
- \item The donor downloads the $DU$'s public keys $K_x^{pub}$ for the
corresponding year from the Donau.
+ \item The donor downloads the \emph{donation unit} public keys $K_x^{pub}$
for the corresponding year from the Donau. (if not already done)
+
+ \item The donor splits the donation amount into a sum of \emph{donation
units} offered by the Donau. \\
+ \emph{Example: With donation units \{1,2,4\} available, and a donation with
a total value of 7, the donation amount is split into the sum 4+2+1.}
- \item The donor generates a unique donor identifier $UDI$ for every $DU$.
For every $DU$ the donor generates:
+ \item The donor generates as many \emph{unique donor identifiers} as there
are terms in the calculated sum.
+ \emph{Example: In our example, there will be 3 unique donor identifiers: one
per donation unit, so one for the value 4, one for the value 2, one for the
value 1.\\
+% TODO make footnote out of this
+ (if one donation unit is present more than once in the sum, then there is
more than one unique donor identifier required for said donation unit. This
depnds upon the offered donation units.)}
\begin{align}
- UDI_1 &= \langle H(\texttt{TAXID}, \texttt{SALT}), \texttt{NONCE}_1
\rangle \\
- ... \\
- UDI_i &= \langle H(\texttt{TAXID}, \texttt{SALT}), \texttt{NONCE}_i
\rangle
+ i &= H(\texttt{taxid, salt})\\
+ u_1 &= \langle i, \texttt{nonce}_1 \rangle \\
+ u_2 &= \langle i, \texttt{nonce}_2 \rangle \\
+ u_3 &= \langle i, \texttt{nonce}_3 \rangle \\
\end{align}
- \item The donor blinds the $UDI$'s using a \textbf{different} blinding
factor $b$ for every $UDI$.
-
+ \item The donor blinds the \emph{unique donor identifiers} using a
\textbf{different} blinding factor $b$ for every \emph{unique donor
identifier}.\\
+ \emph{Example:}
\begin{align}
- BKP_1 &= \langle Blind(BUDI_1, K_x^{pub}, b_1), H(K_x^{pub}) \rangle \\
- ... \\
- BKP_i &= \langle Blind(BUDI_i, K_x^{pub}, b_i), H(K_x^{pub}) \rangle
+ \overline u_1 &= blind (u_1, b_1) \\
+ \overline u_2 &= blind (u_2, b_2) \\
+ \overline u_3 &= blind (u_3, b_3) \\
+ \end{align}
+
+ \item So far, the \emph{unique donor identifiers} do not carry information
about their value. The \textbf{intended effective value is now indicated} by
grouping each \emph{unique donor identifier} with the according (hash of the)
\emph{donation unit} public key $P^{pub}_x$. \\
+ We call these pairs \emph{blinded unique donor identifier-key-pair}, or
\emph{budi-key-pair} for short\\
+ \\
+ It is only the \textbf{intended effective} value because the value will only
be attributed later on with the signature of the Donau.
+
+ \emph{Example: Note: The public key is not in relation with the sequential
index of the budi-key-pair, it only relates to the value of the pair!}
+ \begin{align}
+ \overline \mu_1 &= \langle \overline u_1,
\color{red}{P^{pub}_1}\color{black}{} \rangle \\
+ \overline \mu_2 &= \langle \overline u_2,
\color{red}{P^{pub}_2}\color{black}{} \rangle \\
+ \overline \mu_3 &= \langle \overline u_3,
\color{red}{P^{pub}_4}\color{black}{} \rangle \\
\end{align}
-\item The donor sends the $BKP$'s as well as the corresponding payment to the
charity.
+ \item The donor sends the $BKP$'s as well as the corresponding payment to
the charity.
\end{enumerate}
\subsubsection{Charity sends signed $BKP$'s to Donau}
@@ -165,36 +141,41 @@
\end{align}
\end{enumerate}
-\subsection{Step 2: Donor sends the $DR$'s to the Donau to get the
\textbf{Donation Statement} $DS$.}
+\subsection{After effective tax period: get tax statement for period from
Donau}
+
+\subsubsection{Donor sends the \emph{Donation receipts} to the Donau to get
the \emph{Donation Statement}.}
\begin{enumerate}
- \item The donor sends the collection of all $DR$'s, to the Donau. The $DR$'s
are sent manually once a year.
- \item For each $DR$ the Donau:
+ \item The donor sends the collection of all \emph{donation receipts r} to
the Donau. This happens manually once per period.\\\
+ It is not done continuously to obtain \emph{unlinkability} between the
\textbf{issuance} of the donation receipts (which happens upon donation) and
their \textbf{submission} for the \emph{donation statement}.
+ \item For each \emph{donation receipt} the Donau:
\begin{itemize}
\item checks that $K_x^{pub}$ is known.
\item verifies that the signature $\beta$ is correct using the
corresponding public key $K_x^{pub}$.
- \item verifies that the hash of the $\texttt{TAXID}$ and the
$\texttt{SALT}$ is the same as in other $DR$'s (With multiple wallets each
wallet must simply obtain a separate $DS$!).
+ \item verifies that the \emph{donor identifier} is the same as in other
\emph{donation receipts}
+% TODO: put this as footnote
+ (With multiple wallets each wallet must simply obtain a separate
\emph{donation statement}!).
- \item verifies that the $\texttt{NONCE}$ is unique and was not used before
by the donor for the corresponding year.
+ \item verifies that the $\texttt{nonce}$ is unique and was not used before
by the donor for the corresponding year.
\end{itemize}
- \item The Donau signs over the total amount,
- year and $H(\texttt{TAXID}, \texttt{SALT})$ and sends the signature and
the total amount so far back to the donor. This results in a final signature
called the \textbf{Donation Statement} $DS$.
+ \item The Donau signs over the total \texttt{amount},
+ \texttt{year} and \emph{donor identifier} and sends the signature and
the total amount so far back to the donor. This results in a final signature
called the \textbf{\emph{Donation Statement signature}}.
\begin{align}
- DS = \Sigma(\langle \texttt{AMOUNT}_{Total}, \texttt{YEAR},
H(\texttt{TAXID}, \texttt{SALT}) \rangle, D^{priv})
+ \sigma_s = sign(\langle i, \texttt{amount}_{Total}, \texttt{year})
\rangle, D^{priv})
\end{align}
\end{enumerate}
-\subsection{Step 3: Donor sends the QR Code to a validator (tax office)}
+\subsubsection{Donor sends the QR Code to a validator (tax office)}
\begin{enumerate}
- \item The donor generates a QR code:
+ \item The donor generates a QR code which contains the following:
\begin{align}
- \texttt{QR} = \langle \texttt{TAXID}, \texttt{SALT}, \texttt{DS},
\texttt{YEAR}, \texttt{AMOUNT} \rangle
+ \texttt{QR} = \langle \texttt{taxid}, \texttt{salt}, \texttt{year},
\texttt{amount}, \text{$\sigma_s$} \rangle
\end{align}
- \item The validator scans the QR code and verifies the signature $DS$.
+ \item The validator scans the QR code and verifies the signature $\sigma_s$.
\end{enumerate}
\end{document}
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [taler-donau] branch master updated: [doc] Clarification of protocol definitions and examples, separate definitions file,
gnunet <=