[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-marketing] branch master updated: fix typo, add missing slides
|
From: |
gnunet |
|
Subject: |
[taler-marketing] branch master updated: fix typo, add missing slides |
|
Date: |
Fri, 26 Jun 2020 09:17:35 +0200 |
This is an automated email from the git hooks/post-receive script.
grothoff pushed a commit to branch master
in repository marketing.
The following commit(s) were added to refs/heads/master by this push:
new 9f86e98 fix typo, add missing slides
new c329b2d Merge branch 'master' of git+ssh://git.taler.net/marketing
9f86e98 is described below
commit 9f86e98f75b28f3e461062f3c08e64404e239e09
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Fri Jun 26 09:17:21 2020 +0200
fix typo, add missing slides
---
presentations/comprehensive/main.tex | 88 ++++++++++++++++++++++++++++++++++++
1 file changed, 88 insertions(+)
diff --git a/presentations/comprehensive/main.tex
b/presentations/comprehensive/main.tex
index 90ad1a6..3d55926 100644
--- a/presentations/comprehensive/main.tex
+++ b/presentations/comprehensive/main.tex
@@ -1183,6 +1183,94 @@ But of course we use modern instantiations.
+\begin{frame}{Warranting deposit safety}
+ Exchange has {\em another} online signing key $W = wG$:
+ \begin{center}
+ Sends $EdDSA_w(M,H(D),FDH(C))$ to the merchant.
+ \end{center}
+ This signature means that $M$ was the {\em first} to deposit
+ $C$ and that the exchange thus must pay $M$.
+ \begin{center}
+ Without this, an evil exchange could renege on the deposit
+ confirmation and claim double-spending if a coin were
+ deposited twice, and then not pay either merchant!
+ \end{center}
+\end{frame}
+
+
+\begin{frame}{Online keys}
+\begin{itemize}
+\item The exchange needs $d$ and $w$ to be available for online signing.
+\item The corresponding public keys $W$ and $(e,n)$ are certified using
+ Taler's public key infrastructure (which uses offline-only keys).
+\end{itemize}
+\begin{center}
+\includegraphics[width=0.5\textwidth]{taler-diagram-signatures.png}
+\end{center}
+\vfill
+\begin{center}
+{\bf What happens if those private keys are compromised?}
+\end{center}
+\vfill
+\end{frame}
+
+
+\begin{frame}{Denomination key $(e,n)$ compromise}
+\begin{itemize}
+\item An attacker who learns $d$ can sign an arbitrary number of illicit coins
+ into existence and deposit them.
+\item Auditor and exchange can detect this once the total number of deposits
+ (illicit and legitimate) exceeds the number of legitimate coins the
+ exchange created.
+\item At this point, $(e,n)$ is {\em revoked}. Users of {\em unspent}
+ legitimate coins reveal $b$ from their withdrawal operation and
+ obtain a {\em refund}.
+\item The financial loss of the exchange is {\em bounded} by the number of
+ legitimate coins signed with $d$.
+\item[$\Rightarrow$] Taler frequently rotates denomination signing keys and
+ deletes $d$ after the signing period of the respective key expires.
+\end{itemize}
+\begin{center}
+\includegraphics[width=0.5\textwidth]{taler-diagram-denom-expiration.png}
+\end{center}
+\end{frame}
+
+
+\begin{frame}{Online signing key $W$ compromise}
+\begin{itemize}
+\item An attacker who learns $w$ can sign deposit confirmations.
+\item Attacker sets up two (or more) merchants and customer(s) which
double-spend
+ legitimate coins at both merchants.
+\item The merchants only deposit each coin once at the exchange and get paid
once.
+\item The attacker then uses $w$ to fake deposit confirmations for the
double-spent
+ transactions.
+\item The attacker uses the faked deposit confirmations to complain to the
auditor
+ that the exchange did not honor the (faked) deposit confirmations.
+\end{itemize}
+The auditor can then detect the double-spending, but cannot tell who is to
blame,
+and (likely) would presume an evil exchange, forcing it to pay both merchants.
+\end{frame}
+
+
+\begin{frame}{Detecting online signing key $W$ compromise}
+\begin{itemize}
+\item Merchants are required to {\em probabilistically} report
+ signed deposit confirmations to the auditor.
+\item Auditor can thus detect exchanges not reporting signed
+ deposit confirmations.
+\item[$\Rightarrow$] Exchange can rekey if illicit key use is detected,
+ then only has to honor deposit confirmations it already provided
+ to the auditor {\em and} those without proof of double-spending
+ {\em and} those merchants reported to the auditor.
+\item[$\Rightarrow$] Merchants that do not participate in reporting
+ to the auditor risk their deposit permissions being voided in
+ cases of an exchange's private key being compromised.
+\end{itemize}
+\end{frame}
+
+
+
+
\section{Competitor analysis}
\begin{frame}{Competitor comparison}
\begin{center} \small
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [taler-marketing] branch master updated: fix typo, add missing slides,
gnunet <=