[Taler] reduce attack surface (Case 1)
From: Fabian Kirsch
Subject: [Taler] reduce attack surface (Case 1)
Date: Sat, 26 Sep 2015 23:41:59 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.7.0

Dear all,

as the "tax evasion transaction" is a very new threat concept I want to
suggest a slight protocol change
in order to reduce attack surface:

Redesign the withdrawal to create one single coin, without blinding,
without anonymity.
The anonymity and the splitting can then be achieved by "refreshing"
which has to be implemented anyway.
So
1.) customer creates <Cs, Cp>
2.) customer chooses coin-signer K
3.) customer signs S_C( K )
4.) customer makes wire transfer with subject <Cp, S_C( K, CoinValue )>
and Amount=CoinValue+Fees
5.) mint signs S_K(Cp) if it agrees, otherwise the wire transfer is
bounced back
A) this coin is now legally traceably connected to the wire transfer

Proposed attack on current protocol:
1.) the dope-seller creates (Cs,Cp)
2.) the dope-buyer receives (Cs,Cp) from the dope-seller.
3.) the dope-buyer transfers value from its reserve Wp to the seller's coin
A) because of the blinding, there is no linkable record of this transaction
B) dope-seller and dope-buyer can both check the signature S_K(Cp),
which is proof of their hidden transaction
C) Cs is not shared
Greetings
Fabian
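
The proposed five-step withdrawal, as an added example that is not part of the original message and is not Taler code: the mint checks the transfer subject and amount, then signs Cp or bounces, and records the link named in point A. Assumptions: toy textbook RSA stands in for the unspecified signature scheme, the customer signature covers (K, CoinValue) as in step 4, and FEE, the function names, "K10" and the wire reference are hypothetical.

```python
import hashlib

FEE = 1  # assumed flat withdrawal fee; the message only says "Fees"

# Toy textbook RSA over constructed Mersenne-prime moduli: a stand-in for the
# signature scheme, which the message does not specify. Not secure.
def make_key(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(key, msg):
    return pow(_digest(msg, key["n"]), key["d"], key["n"])

def verify(pub, msg, sig):
    return pow(sig, pub["e"], pub["n"]) == _digest(msg, pub["n"])

def pub_bytes(pub):
    return f'{pub["n"]}:{pub["e"]}'.encode()

def customer_transfer(cs, k, value, ref):
    """Steps 1-4: build the wire transfer with subject <Cp, S_C(K, CoinValue)>."""
    cp = {"n": cs["n"], "e": cs["e"]}
    subject = {"Cp": cp, "K": k, "CoinValue": value,
               "sig": sign(cs, f"{k}|{value}".encode())}
    return {"ref": ref, "amount": value + FEE, "subject": subject}

def mint_process(transfer, signers, ledger):
    """Step 5: return ("coin", S_K(Cp)) or ("bounce", reason)."""
    s = transfer["subject"]
    signer = signers.get(s["K"])
    if signer is None or signer["value"] != s["CoinValue"]:
        return ("bounce", "unknown coin-signer or value mismatch")
    if transfer["amount"] != s["CoinValue"] + FEE:
        return ("bounce", "amount is not CoinValue + fees")
    if not verify(s["Cp"], f'{s["K"]}|{s["CoinValue"]}'.encode(), s["sig"]):
        return ("bounce", "bad customer signature")
    # Point A: no blinding, so the mint can record which transfer funded Cp.
    ledger.append({"wire_ref": transfer["ref"], "Cp": s["Cp"], "K": s["K"]})
    return ("coin", sign(signer["key"], pub_bytes(s["Cp"])))

# Constructed sample data.
CUSTOMER = make_key(2**107 - 1, 2**127 - 1)
SIGNERS = {"K10": {"value": 10, "key": make_key(2**61 - 1, 2**89 - 1)}}
```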