[Taler] Protecting coins (was Re: Taler and UBI)

[Özgür Kesim]

Thus spake Özgür Kesim (oec-taler@kesim.org):

> Thus spake Christian Grothoff (grothoff@gnunet.org):
> 
> > OTOH, assuming every individual's wallet is somehow registered as eligible
> > for UBI, it should be trivial to distribute UBI to Taler wallets, and then
> > one could spend that with privacy.
> 
> That being said, it would change the threat model for the wallet
> significantly.  So far we operate under the assumption that the usual
> amounts people will carry in their Taler wallets are small and losses of
> wallets are bearable.

That made me think of the following idea:

We could optionally protect individual coins from abuse by theft by
binding a coin to a secret PIN (or fingerprint), which must not be saved
by the Taler wallet.  Using the coin for purchase or refresh would
require the PIN/fingerprint to be entered.

Technically, we can bind the PIN to the coin the same way we bind age
commitment to a coin.  But here we would use something like 
        P := HMAC(coin_priv, PIN)
as the (coin-individual) commitment and let the exchange blindly sign
        FDH(C_p, P).
Here, C_p is the public key of the coin.

However, in contrast to age restriction, there would not be any
cut-and-choose protocol involved for this feature during a refresh - it
is completely up to the owner of the wallet to decide to enable
protection or continue to protect a coin during refresh.  Also, we could
easily make this compatible with age restriction.

If I'm not mistaken, this would give us the following benefits:

 - lost or stolen coins can be restored via Anastasis and 

 - a thief or finder of a wallet could not use the coins without
   knowledge of the PIN,

 - anonymity and unlinkability of purchases are still preserved,

 - the user experience should be still acceptible as one would only need
   to enter the PIN/fingerprint once for a transaction.


Cheers,
  oec