GNU Taler
A Technological Option to Save our Democracy and Economy from "Cashless" Totalitarianism

J. Burdges, F. Dold, C. Grothoff, M. Stanisci
Institut National de Recherche en Informatique et en Automatique (Inria)
The GNU Project
Ashoka Fellow
14.12.2016

"I think one of the big things that we need to do, is we need to get away from true-name payments on the Internet. The credit card payment system is one of the worst things that happened for the user, in terms of being able to divorce their access from their identity." – Edward Snowden, IETF 93 (2015)

Motivation
Modern economies need currency...

This was a question posed to RAND researchers in 1971:
"Suppose you were an advisor to the head of the KGB, the Soviet Secret Police. Suppose you are given the assignment of designing a system for the surveillance of all citizens and visitors within the boundaries of the USSR. The system is not to be too obtrusive or obvious. What would be your decision?"
Mastercard/Visa are too transparent.

Bitcoin
Unregulated payment system and currency: lack of regulation is a feature!
Implemented in free software
Decentralised peer-to-peer system
Decentralised banking requires solving Byzantine consensus
Creative solution: tie initial accumulation to solving consensus
Proof-of-work advances ledger
Very expensive banking
Current average transaction value: ≈ 1000 USD
Cryptography is rather primitive:
All Bitcoin transactions are public and linkable!
no privacy guarantees
enhanced with "laundering" services
ZeroCoin, CryptoNote (Monero) and ZeroCash (ZCoin) offer anonymity.

Is society ready for an anarchistic economy?

GNU Taler
Digital cash, made socially responsible.
Taxable, Anonymous, Libre, Practical, Resource Friendly

Architecture of GNU Taler
[Diagram: Exchange, Customer, Merchant, Auditor; arrows labelled withdraw coins, deposit coins, spend coins, verify]

Usability of Taler
https://demo.taler.net/
1. Install Chrome extension.
2. Visit the bank.demo.taler.net to withdraw coins.
3. Visit the shop.demo.taler.net to spend coins.

Value proposition: Customer
Convenient: pay with one click
Guaranteed: never fear being rejected by false-positives in the fraud detection
Secure: like cash, except no worries about counterfeit
Privacy-preserving: payment requires no personal information
Stable: no currency fluctuations, pay in traditional currencies
Free software: no hidden "gadgets", third parties can verify

Value proposition: Merchant
Fast: transactions at Web-speed
Secure: signed contracts, no legitimate customer rejected by fraud detection
Free software: competitive pricing and support
Low fees: efficient protocol + no fraud = low costs
Flexible: any currency, any amount
Ethical: no fluctuation risk, no pyramid scheme, not suitable for illegal business
Legal: complies with Regulation (EU) 2016/679 (GDPR)¹
¹ Requires privacy by design and data minimization for all data processing in Europe after 25.5.2018.

Value proposition: Government
Free software = commons: no monopoly, preserve independence
Taxability: reduces black markets
Efficiency: high transaction costs hurt the economy
Security: signed contracts, no counterfeit
Audited: no bad banks
Privacy: protection against foreign espionage

Taxability
We say Taler is taxable because:
Merchant's income is visible from deposits.
Hash of contract is part of deposit data.
State can trace income and enforce taxation.
Limitations:
withdraw loophole
sharing coins among family and friends

Merchant Integration: Wallet Detection

    // Runs when the Taler wallet extension is detected in the browser.
    taler.onPresent(() => {
      alert("Taler wallet is installed");
    });
    // Runs when no Taler wallet is detected.
    taler.onAbsent(() => {
      alert("Taler wallet is not installed");
    });

Merchant Integration: Payment Request

    HTTP/1.1 402 Payment Required
    Content-Type: text/html; charset=UTF-8
    X-Taler-Contract-Url: https://shop/generate-contract/42

    You do not seem to have Taler installed, here are other payment options...

Merchant Integration: Contract

    {
      "H_wire": "YTH0C4QBCQ10VDNTJN0DCTTV2Z6JHT5NF43F0RQHZ8JYB5NG4W4G...",
      "amount": {"currency": "EUR", "fraction": 1, "value": 0},
      "auditors": [{"auditor_pub": "42V6TH91Q83FB846DK1GW3JQ5E8DS273W4..."}],
      "exchanges": [{"master_pub": "1T5FA8VQHMMKBHDMYPRZA2ZFK2S63AKF0Y...",
                     "url": "https://exchange/"}],
      "expiry": "/Date(1480119270)/",
      "fulfillment_url": "https://shop/article/42?tid=249&time=14714744",
      "max_fee": {"currency": "EUR", "fraction": 01, "value": 0},
      "merchant": {"address": "Mailbox 4242", "jurisdiction": "Jersey", "name": "Shop Inc."},
      "merchant_pub": "Y1ZAR5346J3ZTEXJCHQY9NJN78EZ2HSKZK8M0MYTNRJG5N...",
      "products": [{"description": "Essay: The GNU Project",
                    "price": {"currency": "EUR", "fraction": 1, "value": 0},
                    "product_id": 42, "quantity": 1}],
      "refund_deadline": "/Date(1471522470)/",
      "timestamp": "/Date(1471479270)/",
      "transaction_id": 249960194066269
    }

How does it work?
We use a few ancient constructions:
Cryptographic hash function (1989)
Blind signature (1983)
Schnorr signature (1989)
Diffie-Hellman key exchange (1976)
Cut-and-choose zero-knowledge proof (1985)
But of course we use modern instantiations.

Global setup: Pick an Elliptic curve
Need:
$G$: generator in ECC curve, a point
$o$: size of ECC group, $o := |G|$, $o$ prime
Now we can, for example, compute:
$A = G + G = 2G$
$B = A + G = 3G$
$C = cG$ for $c \in \mathbb{Z}$
Note: $G = (o+1)G$

Exchange setup: Create a denomination key (RSA)
1. Pick random primes $p, q$.
2. Compute $n := pq$, $\varphi(n) = (p-1)(q-1)$
3. Pick small $e < \varphi(n)$ such that $d := e^{-1} \bmod \varphi(n)$ exists.
4. Publish public key $(e, n)$.

Merchant: Create a signing key (EdDSA)
pick random $m \bmod o$ as private key
$M = mG$ public key
Capability: $m$

Customer: Create a planchet (EdDSA)
Pick random $c \bmod o$ private key
$C = cG$ public key
Capability: $c$

Customer: Blind planchet (RSA)
1. Obtain public key $(e, n)$
2. Compute $m := FDH(C)$, $m$
3. Pick blinding factor $b \in \mathbb{Z}_n$
4. Transmit $m' := m b^e \bmod n$

Exchange: Blind sign (RSA)
1. Receive $m'$.
2. Compute $s' := m'^d \bmod n$.
3. Send signature $s'$.

Customer: Unblind coin (RSA)
1. Receive $s'$.
2. Compute $s := s' b^{-1} \bmod n$.
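
The blind, sign and unblind steps above, together with the coin check s^e ≡ m mod n used at spending time, as an added Python example that is not from the slides or the GNU Taler code base. The denomination key is a constructed toy built from two Mersenne primes, the FDH is a simple SHA-256 construction, a random 32-byte string stands in for the EdDSA coin public key C, and all function names are assumptions.

```python
import hashlib, math, secrets

# Constructed toy denomination key: two Mersenne primes, far too small for real use.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537                      # public key (e, n)
D = pow(E, -1, (P - 1) * (Q - 1))        # d := e^-1 mod phi(n), held by the exchange

def fdh(data: bytes, n: int = N) -> int:
    """Full-domain hash: stretch SHA-256 to the bit length of n, retry until m < n."""
    k, ctr = n.bit_length(), 0
    while True:
        out, block = b"", 0
        while len(out) * 8 < k:
            out += hashlib.sha256(ctr.to_bytes(4, "big") + block.to_bytes(4, "big") + data).digest()
            block += 1
        m = int.from_bytes(out, "big") >> (len(out) * 8 - k)
        if 0 < m < n:
            return m
        ctr += 1

def blind(coin_pub: bytes):
    """Customer: m' := m * b^e mod n with a fresh blinding factor b invertible mod n."""
    while True:
        b = secrets.randbelow(N)
        if b > 1 and math.gcd(b, N) == 1:
            return fdh(coin_pub) * pow(b, E, N) % N, b

def blind_sign(m_blinded: int) -> int:
    """Exchange: s' := m'^d mod n. The exchange never sees m or C."""
    return pow(m_blinded, D, N)

def unblind(s_blinded: int, b: int) -> int:
    """Customer: s := s' * b^-1 mod n, which equals m^d mod n."""
    return s_blinded * pow(b, -1, N) % N

def verify(coin_pub: bytes, s: int) -> bool:
    """Merchant and exchange: accept the coin iff s^e == FDH(C) mod n."""
    return pow(s, E, N) == fdh(coin_pub)

def withdraw_demo():
    coin_pub = secrets.token_bytes(32)   # constructed stand-in for C = cG
    m_blinded, b = blind(coin_pub)
    return coin_pub, m_blinded, unblind(blind_sign(m_blinded), b)
```

Blinding the same C twice gives the exchange two unrelated-looking values m', yet both unblind to the same signature, which is why the exchange cannot match a deposited coin to the withdrawal that produced it.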

Withdrawing coins on the Web

Customer: Build shopping cart

Merchant: Propose contract (EdDSA)
1. Complete proposal $D$.
2. Send $D$, $EdDSA_m(D)$

Customer: Spend coin (EdDSA)
1. Receive proposal $D$, $EdDSA_m(D)$.
2. Send $s$, $C$, $EdDSA_c(D)$

Merchant and Exchange: Verify coin (RSA)
$s^e \equiv m \bmod n$

Payment processing with Taler

Giving change
It would be inefficient to pay EUR 100 with 1 cent coins!
Denomination key represents value of a coin.
Exchange may offer various denominations for coins.
Wallet may not have exact change!
Usability requires ability to pay given sufficient total funds.
Key goals:
maintain unlinkability
maintain taxability of transactions
Method:
Contract can specify to only pay partial value of a coin.
Exchange allows wallet to obtain unlinkable change for remaining coin value.

Strawman solution
Given partially spent private coin key $c_{old}$:
1. Pick random $c_{new} \bmod o$ private key
2. $C_{new} = c_{new} G$ public key
3. Pick random $b_{new}$
4. Compute $m_{new} := FDH(C_{new})$, $m$
5. Transmit $m'_{new} := m_{new} b_{new}^e \bmod n$
... and sign request for change with $c_{old}$.
Problem: Owner of $c_{new}$ may differ from owner of $c_{old}$!

Diffie-Hellman (ECDH)
1. Create private keys $d, h \bmod o$
2. Define $D = dG$
3. Define $H = hG$
4. Compute $DH := d(hG) = h(dG)$

Customer: Transfer key setup (ECDH)
Given partially spent private coin key $c_{old}$:
1. Let $C_{old} := c_{old} G$ (as before)
2. Create random private transfer key $t \bmod o$
3. Compute $T := tG$
4. Compute $X := c_{old}(tG) = t(c_{old} G) = t C_{old}$
5. Derive $c_{new}$ and $b_{new}$ from $X$
6. Compute $C_{new} := c_{new} G$
7. Compute $m_{new} := FDH(C_{new})$
8. Transmit $m'_{new} := m_{new} b_{new}^e$

Cut-and-Choose
[Diagram: three candidates, each built from $c_{old}$ and transmitted to the exchange: ($t_1$, $c_{new,1}$, $b_{new,1}$), ($t_2$, $c_{new,2}$, $b_{new,2}$), ($t_3$, $c_{new,3}$, $b_{new,3}$)]

Exchange: Choose!
Exchange sends back random $\gamma \in \{1, 2, 3\}$ to the customer.

Customer: Reveal
1. If $\gamma = 1$, send $t_2, t_3$ to exchange
2. If $\gamma = 2$, send $t_1, t_3$ to exchange
3. If $\gamma = 3$, send $t_1, t_2$ to exchange

Exchange: Verify ($\gamma = 2$)
[Diagram: $t_1$, $C_{old}$ give $c_{new,1}$, $b_{new,1}$; $t_3$, $C_{old}$ give $c_{new,3}$, $b_{new,3}$]

Exchange: Blind sign change (RSA)
1. Take $m'_{new,\gamma}$.
2. Compute $s' := m'^{d}_{new,\gamma} \bmod n$.
3. Send signature $s'$.

Customer: Unblind change (RSA)
1. Receive $s'$.
2. Compute $s := s' b_{new,\gamma}^{-1} \bmod n$.

Exchange: Allow linking change
Given $C_{old}$ return $T_\gamma$, $s := s' b_{new,\gamma}^{-1} \bmod n$.

Customer: Link (threat!)
1. Have $c_{old}$.
2. Obtain $T_\gamma$, $s'$ from exchange
3. Compute $X_\gamma = c_{old} T_\gamma$
4. Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$
5. Unblind $s := s' b_{new,\gamma}^{-1} \bmod n$

Refresh protocol summary
Customer asks exchange to convert old coin to new coin
Protocol ensures new coins can be recovered from old coin
New coins are owned by the same entity!
Thus, the refresh protocol allows:
To give unlinkable change.
To give refunds to an anonymous customer.
To expire old keys and migrate coins to new ones.
Transactions via refresh are equivalent to sharing a wallet.
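
The transfer-key setup, cut-and-choose check and link step of the refresh protocol above, as an added Python example that is not from the slides or the GNU Taler code base. It assumes a multiplicative group modulo a Mersenne prime in place of the elliptic curve (so the slides' xG becomes pow(G, x, P)), a tiny constructed RSA public key, and one SHA-512 helper standing in for both the key derivation and the FDH; all names are hypothetical.

```python
import hashlib, secrets

# Constructed toy parameters: group mod a Mersenne prime instead of an elliptic curve.
P, G = 2**127 - 1, 3
N, E = (2**89 - 1) * (2**107 - 1), 65537   # exchange's public RSA denomination key
KAPPA = 3                                  # slots are 0..2 here, 1..3 on the slides

def h_int(tag, x, mod):
    """Hash an integer into [1, mod); simplified stand-in for the KDF and the FDH."""
    d = hashlib.sha512(tag + x.to_bytes(32, "big")).digest()
    return int.from_bytes(d, "big") % (mod - 1) + 1

def derive(X):
    """Derive c_new, b_new and the blinded planchet m'_new from transfer secret X."""
    c_new, b_new = h_int(b"coin", X, P - 1), h_int(b"blind", X, N)
    C_new = pow(G, c_new, P)
    return c_new, b_new, h_int(b"fdh", C_new, N) * pow(b_new, E, N) % N

def melt(c_old, cheat_slot=None):
    """Customer: pick t_i, publish T_i = t_i G and planchets from X_i = c_old T_i."""
    ts = [secrets.randbelow(P - 2) + 1 for _ in range(KAPPA)]
    Ts = [pow(G, t, P) for t in ts]
    plan = [derive(pow(T, c_old, P)) for T in Ts]
    if cheat_slot is not None:             # strawman: planchet unrelated to c_old
        plan[cheat_slot] = derive(secrets.randbelow(P - 2) + 1)
    return ts, Ts, plan

def exchange_verify(C_old, Ts, blinded, gamma, revealed):
    """Exchange: for each revealed t_i (i != gamma) recompute X_i = t_i C_old."""
    if set(revealed) != set(range(KAPPA)) - {gamma}:
        return False
    return all(pow(G, t, P) == Ts[i] and derive(pow(C_old, t, P))[2] == blinded[i]
               for i, t in revealed.items())

def link(c_old, T_gamma):
    """Owner of c_old recomputes X_gamma = c_old T_gamma and recovers c_new."""
    return derive(pow(T_gamma, c_old, P))[0]

def run(cheat_slot=None, gamma=None):
    """Return (exchange accepts, owner of c_old recovers the key that gets signed)."""
    c_old = secrets.randbelow(P - 2) + 1
    C_old = pow(G, c_old, P)
    ts, Ts, plan = melt(c_old, cheat_slot)
    gamma = secrets.randbelow(KAPPA) if gamma is None else gamma
    revealed = {i: t for i, t in enumerate(ts) if i != gamma}
    ok = exchange_verify(C_old, Ts, [p[2] for p in plan], gamma, revealed)
    return ok, link(c_old, Ts[gamma]) == plan[gamma][0]
```

A customer who substitutes one unrelated planchet is rejected whenever that slot is among the revealed ones, and escapes the check only when the exchange's random γ happens to select it.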

Operational security
[Diagram: Wallet, Browser, Web shop, Taler backend; links labelled HTTPS and signal; messages: (1) proposed contract / (7) signed coins, (2) signed contract / (8) confirmation, (3,6) custom, (4) signed contract, (5) signed coins]

Competitor comparison
[Table: columns Cash, Bitcoin, Zerocoin, Credit card, GNU Taler; rows Online, Offline, Trans. cost, Speed, Taxation, Payer-anon, Payee-anon, Security, Conversion, Libre]

Current technical developments
Improving wallet (error handling, features, browser support)
Ongoing work on exchange auditing
Tutorial for merchants
Tutorial for Web shop integration
https://api.taler.net/

How can you help?
Current wallet only works for browsers and the Web. Protocol should work fine also over NFC.
Write App for mobile phones and do POS integration!
Existing Web shops support mostly only credit cards.
Write payment plugins for GNU Taler!
Current documentation is mostly in English.
Join our team and help with translations!
Exchange needs to be a legal (!) business to operate. Exchange operator income is from transaction fees.
Find funding and create a startup!

Conclusion
What can we do?
Suffer mass-surveillance enabled by credit card oligopolies with high fees, and
Engage in arms race with deliberately unregulatable blockchains, and
Enjoy the "benefits" of cash
OR
Establish free software alternative balancing social goals!

Do you have any questions?

Let money facilitate trade; but ensure capital serves society.
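
Taler /withdraw/sign
[Sequence diagram: Wallet, Exchange, Time]
SEPA($RK$, $A$)
POST /withdraw/sign $S_{RK}(DK, B_b(C))$
200 OK: $S_{DK}(B_b(C))$
402 PAYMENT REQUIRED: $S_{RK}(DK, B_b(C))$
Result: $c$, $S_{DK}(C)$.
$A$: Some amount, $A \geq A_{DK}$
$RK$: Reserve key
$DK$: Denomination key
$b$: Blinding factor
$B_b()$: RSA-FDH blinding
$C$: Coin public key $C := cG$
$S_{RK}()$: EdDSA signature
$S_{DK}()$: RSA-FDH signature

Taler /deposit
Merchant and exchange see only the public coin $C$, $S_{DK}(C)$.
[Sequence diagram: Merchant, Exchange, Time]
POST /deposit $S_{DK}(C)$, $S_c(D)$
200 OK: $S_{SK}(S_c(D))$
409 CONFLICT: $S_c(D')$
$DK$: Denomination key
$S_{DK}()$: RSA-FDH signature using $DK$
$c$: Private coin key, $C := cG$.
$S_C()$: EdDSA signature using $c$
$D$: Deposit details
$SK$: Exchange's signing key
$S_{SK}()$: EdDSA signature using $SK$
$D'$: Conflicting deposit details $D' \neq D$

Taler /refresh/melt
[Sequence diagram: Customer, Exchange, Time]
POST /refresh/melt $S_{DK}(C)$, $S_c(DK, T, B)$
200 OK: $S_{SK}(H(T, B), \gamma)$
409 CONFLICT: $S_C(X)$, ...
$\kappa$: System-wide security parameter, usually 3.
$DK := [DK^{(i)}]_i$: List of denomination keys D+iADK(i).
$T := [t_j \mid j \in \kappa, j \neq \gamma]$
$k_\gamma := c T_\gamma = t_\gamma C$
$b^{(i)}_\gamma := KDF_b(k_\gamma, i)$
$c^{(i)}_\gamma := KDF_c(k_\gamma, i)$
$C^{(i)}_\gamma := c^{(i)}_\gamma G$
$B^{(i)}_\gamma := B_{b^{(i)}_\gamma}(C^{(i)}_\gamma)$
$\beta_\gamma := [B^{(i)}_\gamma]_i$
$S := [S_{DK^{(i)}}(B^{(i)}_\gamma)]_i$
$Z$: Cut-and-choose mismatch information

Taler /refresh/link
[Sequence diagram: Customer, Exchange, Time]
POST /refresh/link $C$
200 OK: $T_\gamma$
404 NOT FOUND
$C$: Old coin public key
$T_\gamma$: Linkage data $L$ at $\gamma$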