[Cryptography] GNU's "anonymous-but-taxable electronic payments system" Heh.

Jeff Burdges burdges at gnunet.org
Sat Jun 11 20:01:41 EDT 2016

On Sat, 2016-06-11 at 12:48 -0400, Jerry Leichter wrote:
> It's curious, BTW, that those who reject solutions with many good
> properties "because they can be used to enforce DRM" are perfectly
> happy to accept solutions that allow for, say, truly anonymous
> extortion. 

Interestingly, blind signatures need not favor extortion, or the black
market, at least not as strongly as bitcoin does.  Customers can
deanonymize merchants! 

If Eve attempts to extort coins Alice withdraws honestly, then Alice can
simply report those coins to the cops/exchange in advance, and they can
pursue Even when she deposits them.  If Eve attempts to refresh the
coins, then Alice can trace the refresh to the new coin, or give the
cops the coin's private key so they can do it. 

Instead, Eve must make Alice run a modified Taler wallet that does an
initial withdrawal operation from Alice's reserve (bank account) using
coins Even blinded.  And one could evade taxes in the same way.  In the
tax case, it's unlikely the bad customer trusts the bad merchant with
their reserve, so you're basically doing ordinary SEPA/ACH wire
transfers and lying about account owners.

If extortion becomes an issue for Taler, then we would upgrade the
existing withdrawal protocol to use a variant of the refresh protocol.
We simply replace the coin signing key in the refresh protocol with the
reserve key, and take the value for the issued coins form the reserve
instead of another coin.  Now anyone could trace all the coins created
from their reserve!  

Our extortionist Even could still operate by creating Alice's reserve
for her and making her fund it with a wire transfer.  In principle, we
could prevent this by imposing restrictions on the creation of reserves.
At the extreme, maybe even asking customers to generate their reserve
key pair when physically in their bank branch office.  

We're now back to your trusted hardware dongle for preventing extorion,
except the honest customer retains their anonymity.  

In any case, we envision Taler withdrawals being regulated like ATM
withdrawals, meaning you cannot extort that money that quickly


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160612/6b62ab57/attachment.sig>

More information about the cryptography mailing list