
[Taler] Fwd: Re: reduce attack surface (Case 2)


From: Florian Dold
Subject: [Taler] Fwd: Re: reduce attack surface (Case 2)
Date: Sun, 27 Sep 2015 20:06:57 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0

-------- Forwarded Message --------
Subject: Re: [Taler] reduce attack surface (Case 2)
Date: Sun, 27 Sep 2015 10:30:06 +0200
From: Christian Grothoff <address@hidden>
To: address@hidden

Well, yes, that's another minor issue that exists. I had thought about
various simple fixes for this:

1) The mint is operated by the government (that'd be better anyway,
   we do have governments operate mints for physical coins already),
   or at least this part is somehow outsourced to a trustworthy
   party (which is given the commitment, combines with a secret
   key and signs the result; gamma with the signature goes into
   the mint's database)
2) The auditor checks that gammas are generated at random
   and not messed with (auditing the implementation)

I figured that (2) should suffice, as a conspiracy between mint,
customer and merchant against the government that could be
detected by an audit ("who manipulated this logic?") would seem rather
risky for a mint operator to perform. But, of course, we know today's
banks do consider tax evasion a business service.

So (1) is the killer-option as it removes the (slight) conflict
of interest, (2) adds yet another party ("gamma-generation service") or
audited software so that the conspiracy would have to grow from three to
four participants (gamma-service or auditor also conspire).

I'm happy to hear better suggestions on this, but again I don't think
it is a big issue.


Happy hacking!

-Christian


On 09/27/2015 12:23 AM, Fabian Kirsch wrote:
> Dear all,
>
> in the refreshing process the link creation relies on the customer to
> provide the correct E_\gamma.
> This is because only E_i (i \neq \gamma) gets checked.
>
> So the mint could earn some black market money by providing hints on
> gamma or even predictable gamma selection.
> The customer can therefore use a foreign Cp(gamma) for which he does not
> know Cs(gamma).
> Then the customer can provide correct E_i for all i \neq \gamma.
> The mint has clean records for the audits.
> The customer successfully broke the link and performed a hidden
> transaction to the owner of Cs(gamma).
>
> We have to find a source for the selection of gamma which is not in the
> hands of a possible tax evader.
>
> Greetings
>   Fabian
>
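
An added illustration of fix (1) from the forwarded reply, not part of the original messages and not Taler's code: gamma is derived from the customer's commitment with a key held by a separate party, and the stored record can be recomputed in an audit. KAPPA = 3, the SHA-256 commitment, HMAC standing in for the signature, and all function names and sample values are assumptions.

```python
import hashlib
import hmac

KAPPA = 3  # assumed number of candidates E_i per refresh; not stated in the thread


def commit(candidates):
    """Customer's commitment over all KAPPA candidates (assumed construction)."""
    h = hashlib.sha256()
    for e in candidates:
        h.update(hashlib.sha256(e).digest())
    return h.digest()


def derive_gamma(service_key, commitment):
    """Fix (1): combine the commitment with a secret key; return (gamma, tag).
    HMAC stands in for the signature, so only the key holder can verify."""
    tag = hmac.new(service_key, commitment, hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % KAPPA, tag


def audit_gamma(service_key, commitment, gamma, tag):
    """Recompute gamma for a stored record; False if gamma or tag was altered."""
    want_gamma, want_tag = derive_gamma(service_key, commitment)
    return hmac.compare_digest(tag, want_tag) and gamma == want_gamma


def refresh_accepts(valid, gamma):
    """Mint side: every E_i with i != gamma is revealed and checked."""
    return all(ok for i, ok in enumerate(valid) if i != gamma)


def escape_rate(service_key, trials=3000):
    """Share of refreshes where one uncheckable E_i lands exactly on gamma."""
    escaped = 0
    for n in range(trials):
        bad = n % KAPPA  # position fixed before gamma exists
        cands = [hashlib.sha256(f"constructed:{n}:{i}".encode()).digest()
                 for i in range(KAPPA)]
        gamma, _tag = derive_gamma(service_key, commit(cands))
        escaped += refresh_accepts([i != bad for i in range(KAPPA)], gamma)
    return escaped / trials


if __name__ == "__main__":
    key = b"constructed-demo-key"
    print("escape rate, key-derived gamma:", escape_rate(key))
    print("accepted when gamma is known in advance:", refresh_accepts([True, True, False], 2))
```

With a gamma the customer cannot predict, the unchecked slot is hit about one time in KAPPA; with a gamma known in advance, the revealed candidates always check out, which is the case the quoted message describes.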






