[Taler] denomination manipulation

[Jeff Burdges]

What prevents mints from subtly manipulating denominations to expose
interesting customers' spending? 


I think denomination keys are signed by the auditor, yes?  How does
that process go?  I'm slightly doubtful that auditors could detect
anomalous denomination keys, but regardless the auditors should
themselves be assumed malicious in customer deanonymization scenarios. 

There are some soft protections like merchants could warn customers
when they've only rarely seen a particular valid denomination, but the
merchants could be malicious too here. 

Customers could anonymously publish their withdraw operations like I
mentioned in my post-quantum Taler note, but that's easy for an
adversary to manipulate too.

An aspect of this question is : Who choses the denominations?  Does the
customer's wallet or does the mint?  

At present, it appears to be the mint because this gives the mint the
greatest flexibility and a prettier user interface, but it definitely
expands the mint's ability to manipulate the customers denominations
too.


There is at least one approach that both gives the mint extreme
flexibility and gives the wallet final decision making powers :  

Mints could be identified by the hash of their public key concatenated
with their public JavaScript that selects denominations based upon an
input JSON concatenated with a signature over the first two fields by
their public key. 

In this way, mints must change their public identifier to change their
algorithm for assigning denominations, maybe breaking all their
merchant relationships.  

There is nothing that prevents a mint from saying "We'll tell you what
bills to take" but such a mint will be viewed as insecure once
deanonymization attacks progress. 

Thoughts?
Jeff

signature.asc
Description: This is a digitally signed message part