Re: [Taler] denomination manipulation

[Florian Dold]

On 11/26/2015 07:32 AM, Jeff Burdges wrote:
> Customers could anonymously publish their withdraw operations like I
> mentioned in my post-quantum Taler note, but that's easy for an
> adversary to manipulate too.

The time-stamped list of denomination keys currently offered by the mint
is signed by the mint's master key.  Each individual denomination key is
also signed by the master key, including other information such as
expiration dates.

If you query the list of keys via some anonymous means, the mint
wouldn't be able to target individuals.

Even if you don't do that, customers can always compare the list of keys
the received (via the /keys request to the mint).  Should there be any
inconsistencies, they can prove them by showing the lists signed by the
mint.

> An aspect of this question is : Who choses the denominations?  Does the
> customer's wallet or does the mint?  

The customer tells the mint the denomination key (chosen from the list
of keys published by the mint) that should be used.

So it's not "I want to withdraw EUR10.50, give me my coins" but it's
more like "I want to withdraw coins with denomination keys K1,K1,K1,K2,K3".

> Mints could be identified by the hash of their public key concatenated
> with their public JavaScript that selects denominations based upon an
> input JSON concatenated with a signature over the first two fields by
> their public key.

I don't see how this gives us any advantages as opposed to just signing
the list of keys.  I'm not sure what you mean by identifying the mint by
that hash; currently the mint is identified by it's master public key.

- Florian