Re: [Taler] reduce attack surface (Case 1)


From: Florian Dold
Subject: Re: [Taler] reduce attack surface (Case 1)
Date: Sun, 27 Sep 2015 18:25:00 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0

Hi Fabian,

I don't think your alternative suggestion would fix this issue; omitting
the blind signature part of withdrawal does in no way guarantee that the
entity who owns the wire transfer account knows the private key of the
coin (the "dope-buyer" in your case could just provide Cp and S_C( K ) ).

The answer might be that we have to live with this problem, but it is
not as bad as one might think:  When spending the coin again, the
"dope-buyer" still has to pay taxes (well except when he sets up some
money laundering non-profit organization, but that's out of scope ...).
Also this loophole is only possible when converting Euros into
Taler-Euros, it still does not allow black economies within Taler (like
Bitcoin would allow).

Cheers,
Florian

On 09/26/2015 11:41 PM, Fabian Kirsch wrote:
> Dear all,
> 
> as the "tax evasion transaction" is a very new threat concept I want to
> suggest a slight protocol change
> in order to reduce attack surface:
> 
> Redesign the withdrawal to create one single coin, without blinding,
> without anonymity.
> The anonymity and the splitting can then be achieved by "refreshing"
> which has to be implemented anyway.
> 
> So
> 1.) customer creates <Cs, Cp>
> 2.) customer chooses coin-signer K
> 3.) customer signs S_C( K )
> 4.) customer makes wire transfer with subject <Cp, S_C( K, CoinValue )>
> and Amount=CoinValue+Fees
> 5.) mint signs S_K(Cp) if it agrees, otherwise the wire transfer is
> bounced back
> A) this coin is now legally traceably connected to the wire transfer
> 
> proposed Attack on current protocol:
> 1.) the dope-seller creates (Cs,Cp)
> 2.) the dope-buyer receives (Cs,Cp) from the dope-seller.
> 3.) the dope-buyer transfers value from its reserve Wp to the seller's coin
> A) because of the blinding, there is no linkable record of this transaction
> B) dope-seller and dope-buyer can both check the signature S_K(Cp),
> which is proof of their hidden transaction
> C) Cs is not shared
> 
> Greetings
>  Fabian
> 
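
The objection to the unblinded withdrawal steps quoted above, as an added example that is not part of the original messages or of Taler's code: the mint's check in step 5 passes for whoever submits a valid <Cp, S_C(K, CoinValue)>, whether or not the wire sender ever held Cs. The toy Schnorr scheme, its parameters, the party names and the message encoding are all assumptions made for illustration.

```python
import hashlib
import secrets

# Toy Schnorr signatures over Z_p^* (p = 2^127 - 1). Constructed for
# illustration only: the parameters are far too small for real use and
# this is not the signature scheme Taler uses.
P = 2**127 - 1
G = 3

def keygen():
    """Return (Cs, Cp): coin private key and coin public key."""
    cs = secrets.randbelow(P - 2) + 1
    return cs, pow(G, cs, P)

def _challenge(r, pub, msg):
    # Fiat-Shamir challenge binding the nonce commitment, key and message.
    data = f"{r}|{pub}|".encode() + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, msg):
    k = secrets.randbelow(P - 2) + 1
    r = pow(G, k, P)
    e = _challenge(r, pow(G, priv, P), msg)
    return r, (k + e * priv) % (P - 1)

def verify(pub, msg, sig):
    r, s = sig
    return pow(G, s, P) == (r * pow(pub, _challenge(r, pub, msg), P)) % P

def mint_accepts(subject):
    """Step 5 check: the mint sees only the wire subject <Cp, S_C(K, CoinValue)>."""
    return verify(subject["Cp"], subject["msg"], subject["sig"])

def scenario():
    # Party A generates the coin key pair and signs (K, CoinValue).
    cs, cp = keygen()
    msg = b"K=mint-denomination-key-1;CoinValue=10"  # constructed values
    handoff = {"Cp": cp, "msg": msg, "sig": sign(cs, msg)}  # Cs is not included
    # Party B owns the bank account and copies the handoff into the wire subject.
    wire_sender_knows_cs = "Cs" in handoff
    return mint_accepts(handoff), wire_sender_knows_cs
```

The signature binds Cp to (K, CoinValue) but says nothing about who owns the bank account, so the wire-transfer record identifies the payer and not the holder of Cs.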


