Re: [Taler] Support for payer-trustlessness and merchant-auditing

[Rune K. Svendsen]

Hi Jeff,

 

>         You cannot naively use multi-signature bitcoin wallets with
>         Taler
>         because they would break the anonymity and increase costs.
>
>
> Can you expand on this a bit? What I don't understand is that if we
> assume that the customer starts out by sending funds to the exchange's
> Bitcoin address (non-multisignature) as an initial deposit, surely it
> would need to reference this account/address when later making
> payments, otherwise the exchange wouldn't be able to know whether the
> customer in question actually has any funds to spend, right?

You can fund a Taler withdrawal with a multi-signature transaction of
course, but you gain no benefit by doing so.

  

The idea behind using a multi-signature transaction between the customer and the exchange is that it enables storing the funds on the user's own device until they are sent to a merchant, as opposed to handing everything over to the exchange. So, rather than sending everything to the exchange -- and receiving back tokens which can hopefully either be redeemed by the merchant at a later date or refunded to the customer -- the customer would store funds in a multi-signature address with the exchange, and only transfer -- to the exchange -- the funds required to complete a single transaction with a merchant.

So the customer would start out by sending e.g. 100 EUR-equivalent of bitcoins to a 2-of-2 multi-signature address, where one key is owned by the customer and the second key by the exchange. When the customer is ready to pay a merchant, the customer transfers exactly the amount it wishes to pay the merchant to the exchange, who then responds with a token of that value that the customer can use to pay the merchant.

Have you considered a simpler design, where no blind signatures are used, but the customer simply connects to the exchange via Tor, in order to conceal its IP-address (in case it wants to maintain privacy)? In this way, the only information the exchange gains is the ability to group transactions by customer -- it learns nothing about the customer itself except a source Bitcoin address (from which funds are sent to the customer/exchange multi-sig address).

It seems to me that, with the design you propose, you're asking the customer to value private information (which merchants the customer uses) higher than private property (customer funds). Because, while you enable almost complete anonymity between customer and exchange, the tradeoff is the customer needing to trust the exchange with its funds. So, in the end, the tradeoff is between a) the exchange being able to group transactions by customer but the customer staying in control of its own funds versus b) the exchange losing the ability to group transactions by customer but the customer losing control of its own funds.