taler
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Taler] presenting refreshment (was: G the generator)


From: Fabian Kirsch
Subject: [Taler] presenting refreshment (was: G the generator)
Date: Tue, 06 Oct 2015 00:13:10 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.7.0

Hi Christian

first: about the term 'identity', which was quite a bad choice.
what about 'unminted coins' vs. 'minted coins'?
a keypair whose public key wasn't signed yet by the mint is unminted.
so
1.) the customer provides unminted coins with corresponding links and commits to them,
2.) the mint chooses one of the links to go unchecked,
3.) the customer prooves his fairplay by revealing the unchoosen links
4.) the satisfied mint makes the chosen coin a minted coin by signing it.


about the nature of the link:
> reveal [..] mint must be able to verify that the decryption works without learning the private key of the old coin,

yes. "revealing" means the customer reveals the "plaintext" of the link.
anybody can check that the decryption works by just encrypting the plaintext again (IF its a nonprobabilistic encryption). SHOULD the encryption be probabilistic (which it is in the current implementation) THEN the random element has to be revealed
as well in order to check the decryptability by encrypting again.
And sugar on top: revealing the random element often makes the plaintext easily recoverable which saves some transfers.

> customer performing linking must be able to do it without knowing the private transfer key.

yes. encrypting anything with the old coin's public key allows the customer (who knows the old coin's private key) to decrypt it.

> DH satisfies this,

so DH is sufficient (which i never questioned), but it is not necessary, and there is no written comparison to other options. I don't question the DH+Enc_K to be a good choice. I really don't like it presented as if there was no choice at all.

> So yes, there are arguments for this.

greetings Fabian



reply via email to

[Prev in Thread] Current Thread [Next in Thread]