GNU Taler begins operating in Switzerland, distributed by the Taler Operations AG. Gnu Taler aims to be a “digital wallet” and has been used by the swiss national bank as well as the european national bank as a example for how a digital currency handed out by the state could work. It aims to be as privacy preserving as cash for the buyer while not allowing the seller to evade taxes.
Currently the Taler is brought out by a special organisation, the “Taler Operations AG”, and not the national bank, although both the national bank as well as the Taler Team have shown interest in a official digial currency by the national bank based on the Taler. But we need to relativate as the national council has stated that the introduction of a digital currency would probably take relatively major legislative changes and therefore take a bit of time.
How would one acquire tokens anonymously but in a way that you can verify that you acquired genuine tokens, and what keeps those tokens from being given to multiple people? This is really where the privacy aspects fall down. It’s a hard problem to solve in Bitcoin, but at least you can have Bitcoin ATMs that you can verify that you received the funds.
A Taler ATM it seems could issue invalid tokens or issue the same tokens to every client and there would be no way to know until you tried to spend it or deposit it in your account (thus defeating the anonymity).
I’m not 100% deep on the crypto, but my understanding is they use blind signatures (which have been around for a long time) to do their issuing. If you’re unfamiliar, these are kinda like an envelope with a hole cut in it, so you can put a document in it with a hidden unique key, and they can see some info through the hole, and can stamp their signature through the hole to validate that it’s legit without knowing the hidden info.
Then the user can remove it from the envelope (unblind) and now have a certified valid coin without the issuer knowing which coin is theirs.
So in the context of an ATM, the ATM wouldn’t “issue” coins, it would be given a request for coins from your wallet, it would certify the validity of that request, and then give your wallet back that certification in such a way that the wallet could unblind it and have the anonymous secret. So ultimately your wallet is the one that’s in charge of producing the unique parts.
It seems there’s also a system for making sure you don’t produce bad transactions by asking you to generate N, promping you to unwrap a bunch of them to prove there’s nothing weird about them, and then signing one of the remaining ones under the assumption it’s also legit. At least it sounds like it, but I’m even less familiar with that part. But even if you did spoof someone else’s secrets… it doesn’t allow you to steal their money I don’t think… because in order to have your transaction validated in the first place you had to truly give the ATM your money… so you could I guess pay $10 to screw over your friend for $10 because it’ll look like they spent money they didn’t… but you still spent $10… so it’s less like stealing their money and more like paying to throw their wallet off a bridge? You don’t gain anything, but they lose something? Maybe there’s another exploit I don’t know about in the like “renewal” or “refund” or “transfer” protocols that make that more important.
Anyway, I’m still not a Taler fan, but in this case I think it’s possible to do what they claim. Now, if the bank or ATM or whatever asks for ID or an account to use their services, they could track that you withdrew money, and how much. That’s data they can collect. The anonymous buyer part just means they can’t tie the coin they issued you to a spent deposit they receive later. So they know you got $10 out, and they can assume you probably spent it, but they can’t know what you spent it on.
Very interesting thanks for the explanation.
I think that makes some sense to me. I’m moderately familiar with signatures and encryption. I’m going to do some more research into blind signatures now since that’s one thing I have never had to implement.
Without doing that research, I still feel that the bank or whatever could store the signature info at the time of signing with the account that requested it, but perhaps the blind signing even protects against that if the verification process is done in some way that the original signing request info isn’t present in the same form.
Anyway, thanks for the response!
ETA:
Oh the other hole in the ATMs I was talking about assuming a malicious ATM. Since the coin can only be verified by depositing it, (without doing more research on this) I still don’t see a way to verify that the ATM actually gave you a valid signature. Maybe it’s possible to validate the signature before unwrapping the coin, then impossible to validate the unwrapped coin that is given to the merchant. I could see that.
Also presumably these could be bank ATMs and not sketchy Bitcoin ATMs so maybe the malicious case isn’t as much to worry about.