Re: [Taler] reduce attack surface (Case 2)

[Florian Dold]

Hi Fabian,

thanks for the suggestion, maybe we should include some clarification
for this case in the paper.

Here is why I don't think the attack on taxability you described is
viable:  The mint has incentives to provide a fake hint, since if a
customer can't reveal the values for some index, the mint gets to keep
the money for the coin.  It would be too risky for the mint to sign the
hint in any way (so that an illicit buyer/seller can prove to other
illicit buyers/seller that the mint cheats at cheating), since once this
signature finds its way to the auditors, the mint would be punished.

Similarly, the mint could make it look like the illicit buyer is the
sole owning entity of a coin, while the illicit seller actually can
still link to it.

The trust necessary among all three parties (mint, illicit seller,
illicit buyer) in this kind of transaction is so high that it might be
easier to just do a transaction-by-sharing in the first place.

Cheers,
Florian

On 09/27/2015 12:23 AM, Fabian Kirsch wrote:
> Dear all,
> 
> in the refreshing process the link creation relies on the customer to
> provide the correct E_\gamma.
> This is because only E_i (i \neq \gamma) gets checked.
> 
> So the mint could earn some black market money by providing hints on
> gamma or even predictable gamma selection.
> The customer can therefore use a foreign Cp(gamma) for which he does not
> know Cs(gamma)
> Then the customer can provide correct E_i for all i \neq \gamma.
> The mint has clean records for the audits.
> The customer successfully broke the link and performed a hidden
> transaction to the owner of Cs(gamma)
> 
> We have to find a source for the selection of gamma which is not in the
> hands of a possible tax evader.
> 
> Greetings
>   Fabian
>