[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Taler] Hello

From: Christian Grothoff
Subject: Re: [Taler] Hello
Date: Fri, 30 Dec 2016 02:39:13 +0100
User-agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Thunderbird/45.2.0

On 12/07/2016 11:55 PM, Joerg Baach wrote:
>> You're missing that linking the refresh to the spending is not an issue,
>> running the refresh operation is just part of the overall spending
>> transaction, that does by itself not deanonymize you, as long as refresh
>> does not require you to disclose your identity. Hence exposing your IP
>> during refresh is the only issue, and for that Tor fixes it nicely.
> My point is not about really about anonymity of the customer or the
> merchant, it is about the untraceability of the transaction itself. Or
> you could say: it is about prevent leaking metadata about the
> transaction, which connects Alice to Bob. In my understanding the whole
> point of blind signatures is to prevent the central issuer / exchange /
> bank gaining knowledge about transactions. The central instance can't
> learn about the transaction by protocol design - you would need an
> 'network observer' to learn about the transactions (which is given, you
> could argue, bit I think that the central instance and the three letter
> agencies play on different levels).
> In taler, if Alice asks for a specific amount to be refreshed that
> matches Bobs deposit, the transaction itself becomes visible to the
> central entity (the exchange).  Taler then relies on tor etc. to
> 'disconnect' the entities from the transaction, by tor providing anonymity.
> In my point of view (if I understand it correctly) the ability to
> refresh parts of a coin is a trade-off. You loose the untraceability of
> transactions, but win the comfort of not needing to have proper change
> before doing a transaction.

This is not correct; refresh does not cause us to loose the
untraceability of transactions, because the exchange does NOT know that
it is Alice who asks for the refresh. In fact, for NFC, Alice is likely
to route the refresh request via Bob as Bob has the network connection,
thus masking Alice's network identifier from the exchange.

I suspect you are missing the point that the refresh request is signed
by the (old) coin, and not by Alice's reserve key.

> In opencoin we have a mechanism to always equip the wallets with the
> right change to be able to do a transaction of any value (<= the sum of
> coins in the wallet). One can then delay preparation of the wallet and
> the transaction itself, leaving no traces of the transaction to the
> central issuer. If this is a desired property of the system is another
> question :-)

That's interesting, could you elaborate on this? I don't see how you can
do this _efficiently_, especially as withdrawing EUR 40.52 in advance of
an EUR 40.52 transaction would obviously seriously reduce my anonymity
set.  So please elaborate on your solution, I'm really curious.

Attachment: signature.asc
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]