Re: [Taler] denomination manipulation


From: Jeff Burdges
Subject: Re: [Taler] denomination manipulation
Date: Thu, 26 Nov 2015 08:12:52 -0500

On Thu, 2015-11-26 at 10:18 +0100, Florian Dold wrote:
> The time-stamped list of denomination keys currently offered by the
> mint is signed by the mint's master key.  Each individual 
> denomination key is also signed by the master key, including other 
> information such as expiration dates.

A signed list is good, but I'm envisioning attacks that manipulate the
legitimate list of denomination keys.

There is a target list of mint customers the political police want
investigated.  Mint adds a few extra legitimate denominations that it
uses only for targets.  

These extra denomination keys need not be as suspicious as repeats of
existing denominations, try:
- Half steps between existing denominations.  If asked, the mint says
it's doing A/B testing to determine if they can offer lower transaction
costs with more keys. 
- Mint adds a few extra legitimate tiny denomination keys that it uses
during issue for targets, but says are only meant for refresh.  

In fact, there is no need for the mint to add any extra denominations
if they're only looking for repeated spending patterns, like an
activist buying web hosting.

> Even if you don't do that, customers can always compare the list of 
> keys they received (via the /keys request to the mint).  Should there 
> be any inconsistencies, they can prove them by showing the lists 
> signed by the mint.

This helps, but does not eliminate the attacks I described.  And we've
no good method for doing this comparison.  Our political police could
simply avoid placing users savvy enough to compare onto their targets
list.

> The customer tells the mint the denomination key (chosen from the
> list of keys published by the mint) that should be used.
> 
> So it's not "I want to withdraw EUR10.50, give me my coins" but it's
> more like "I want to withdraw coins with denomination keys
> K1,K1,K1,K2,K3".

Yes, that's the mint's API, but who actually chooses them?  Does the
mint make suggestions to the customer?  Or does the wallet have an
algorithm for this?

There might be a canonical algorithm that's best for the customer who
expects uniformly distributed prices or prices that obey certain
distributions, like clusters in the ranges of x+(-0.9,0) and
x+(0.40,0.50). 

> I don't see how this gives us any advantages as opposed to just 
> signing the list of keys.  I'm not sure what you mean by identifying 
> the mint by that hash; currently the mint is identified by its
> master public key.

If mints can influence what denominations the wallet withdraws, then the mint 
should be prevented from making that influence different for different 
customers.

Jeff
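
Added example (not part of the original message and not Taler's own code): a Python sketch of a selection algorithm the wallet runs by itself, next to a fingerprint of the offered key set that two customers can compare. The function names, the integer-cent values, the key labels and the greedy strategy are all assumptions made for illustration.

```python
import hashlib

# Constructed sample data: (value in cents, denomination key label).
HONEST = [(500, "K500"), (200, "K200"), (100, "K100"), (50, "K50"), (10, "K10")]
# Same list plus one "half step" key, as offered only to a targeted customer.
TARGETED = HONEST + [(150, "K150X")]


def select_denominations(amount, denoms):
    """Wallet-side greedy choice, largest value first, no mint input.

    Deterministic for a given key list. Greedy is an assumption of this
    sketch; it raises if the amount cannot be matched this way.
    """
    chosen, remaining = [], amount
    for value, key in sorted(set(denoms), reverse=True):
        count, remaining = divmod(remaining, value)
        chosen.extend([key] * count)
    if remaining:
        raise ValueError(f"{remaining} cents cannot be covered")
    return chosen


def keyset_fingerprint(denoms):
    """SHA-256 over a canonical (sorted, de-duplicated) key list."""
    canon = "\n".join(f"{value}:{key}" for value, key in sorted(set(denoms)))
    return hashlib.sha256(canon.encode()).hexdigest()


def divergent_keys(mine, peer):
    """Entries present in exactly one of two customers' key lists."""
    return sorted(set(mine) ^ set(peer))


if __name__ == "__main__":
    for name, view in (("honest", HONEST), ("targeted", TARGETED)):
        print(name, keyset_fingerprint(view)[:16], select_denominations(850, view))
    print("divergent:", divergent_keys(HONEST, TARGETED))
```

Identical wallet code still withdraws the extra key once the offered list differs, so a fixed selection algorithm only helps together with a check that every customer sees the same key set.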
