From 3174aff1df3f657d2b73b6ab606bd8dcd8fba9aa Mon Sep 17 00:00:00 2001 From: Özgür Kesim Date: Tue, 12 Oct 2021 16:14:45 +0200 Subject: Initial upload of the age-restriction design document --- design-documents/024-age-restriction.rst | 192 +++++++++++++++++++++++++++++++ design-documents/index.rst | 1 + 2 files changed, 193 insertions(+) create mode 100644 design-documents/024-age-restriction.rst diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst new file mode 100644 index 00000000..b6ce1687 --- /dev/null +++ b/design-documents/024-age-restriction.rst 
@@ -0,0 +1,192 @@ +DD 024: Anonymous Age Restriction Extension for GNU Taler +######################################################### + +Summary +======= + +This document presents and discusses an extension to GNU Taler that provides +anonymous age-restriction. + +Motivation +========== + +Merchants are legally obliged to perform age verification of customers when +they buy certain goods and services. Current mechanisms for age verification +are either ID-based or require the usage of credit/debit cards. In all cases +sensitive private information is disclosed. + +We want to offer a better mechanism for age-restriction with GNU Taler that + +* ensures anonymity and unlinkability of purchases +* can be set to particular age groups by parents/wardens at withdrawal +* is bound to particular coins/tokens +* can be verified by the merchant at purchase time +* persists even after refresh + +The mechanism is presented as an 'extension' to GNU Taler, that is, as an +optional feature that can be switched on by the exchange operator. + +Requirements +============ + +TODO + +* legal requirements for merchants must allow for this kind of mechanism + + +Proposed Solution +================= + +We propose an extension to GNU Taler for age-restriction that can be enabled +optionally by an Exchange¹). + +Once enabled, coins with age restrictions can be withdrawn by parents/warden +who can choose to **commit** the coins to a certain maximum age out of a +predefined list of age groups. + +The minors/wards receive those coins and can now **attest** a required minimum +age (provided that age is less or equal to the committed age of the coins) to +merchants, who can **verify** the minimum age. + +For the rest values (change) after an transaction, the minor/ward can +**derive** new age-restricted coins. 
The exchange can **compare** the equality +of the age-restriction of the old coin with the new coin (in a zero-knowledge +protocol, that gives the minor/ward a 1/κ chance to raise the minimum age for +the new coin). + +The proposed solution maintains the guarantees of GNU Taler with respect to +anonymity and unlinkability. (TODO: refer to the paper, once published) + +¹) Once the feature is enabled and the age groups are defined, the exchange has +to stick to that decision until the support for age groups are disabled. We +might reconsider this design decision at some point. + + +Building Blocks +^^^^^^^^^^^^^^^ + +TODO: Summarize the design based on the five functions ``Commit()``, +``Attest()``, ``Verify()``, ``Derive()``, ``Compare()``. + + +Changes in the Exchange +^^^^^^^^^^^^^^^^^^^^^^^ + +The necessary changes in the exchange involve + +* indication of support for age restriction +* modification of the refresh protocol (both, commit and reveal phase) +* modification of the deposit protocol + + +Support for Age Restriction +--------------------------- + +The exchange indicates support for age-restriction in response to ``/keys`` in +an optional field ``'age_restriction`` with new type ``AgeRestriction``: + +.. ts:def:: AgeRestriction + + interface AgeRestriction { + // Representation of the age groups as comma separated edges: Increasing + // from left to right, the values mark the begining of an age group up + // to, but not including the next value. The initial age group starts at + // 0 and is not listed. Example: "8:10:12:14:16:18:21". + // This field is mandatory and binding in the sense that its hash value + // is taken into consideration when signing the denominations below. + age_groups: string; + + // List of denominations that support age-restriction with the age groups + // given in ``age_groups``. The data structure is the same as for the + // denominations in ``ExchangeKeysResponse.denoms``. 
+ // **However**, the following differences apply for each denomination in + // the list: + // + // 1. The value of ``TALER_DenominationKeyValidityPS.denom_hash`` + // is taken over the public key of the denomination __and__ the + // string in ``age_groups``. + // + // 2. The value of ``TALER_DenominationKeyValidityPS.purpose`` is set to + // TALER_SIGNATURE_MASTER_AGE_RESTRICTED_DENOMINATION_KEY_VALIDITY + denoms: Denom[]; + + // Same role as ``ExchangeKeysResponse.eddsa_sig``, but only for the + // denominations listed in ``denoms`` above for age restriction. The public + // EdDSA key of the exchange that was used to generate the signature is the + // same as ``ExchangeKeysResponse.eddsa_pub``. + eddsa_sig: EddsaSignature; + } + + +Refresh +------- + +TODO: Extension of the cut'n-choose-protocol. + + +Deposit +------- + +TODO: Add opaque hash value of the commitments to the protocol + +Changes in the Merchant +^^^^^^^^^^^^^^^^^^^^^^^ + +TODO + +* Spending protocol + + +Changes in the Wallet +^^^^^^^^^^^^^^^^^^^^^ + +TODO. + +* choosing age-restriction during withdrawal coins from denominations with + support for age restriction. +* Define protocol to pass denominations to child/ward. + + + +Alternatives +============ + +TODO. + +* ID-based systems +* credit/debit card based systems + + +Drawbacks +========= + +TODO. + +* age groups, once defined, are set permanently +* age restricted coins are basically shared between ward and warden. + +Also discuss: +* storage overhead +* computational overhead +* bandwidth overhead +* legal issues? + +Discussion / Q&A +================ + +We had some very engaged discussions on the GNU Taler mailing list +``: + +* Money with capabilities + ``_ + + +* On age-restriction (was: online games in China) + ``_ + +* Age-restriction is about coins, not currencies + ``_ + + +The upcoming paper on anonymous age-restriction for GNU Taler from Özgür Kesim +and Christian Grothoff will be cited here, once it is published. 
diff --git a/design-documents/index.rst b/design-documents/index.rst index f97117ef..e5cd09e6 100644 --- a/design-documents/index.rst +++ b/design-documents/index.rst @@ -31,4 +31,5 @@ and protocol. 021-exchange-key-continuity 022-wallet-auditor-reports 023-taler-kyc + 024-age-restriction 999-template -- cgit v1.2.3
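Review bot: In the ``AgeRestriction`` interface, the comment on ``age_groups`` says "comma separated edges" while its example, "8:10:12:14:16:18:21", is colon separated. The same comment makes this string binding, since its hash enters ``TALER_DenominationKeyValidityPS.denom_hash`` together with the denomination public key, so the document should pin down one exact serialization (separator, decimal digits without leading zeros, no whitespace, strictly increasing values); otherwise two implementations can derive different ``denom_hash`` values for the same age groups. Also in this region, the field name is written ``'age_restriction`` with a stray leading quote, and "begining" should read "beginning".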
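Review bot: In "Proposed Solution", the terminology for the committed value is inconsistent: coins are committed "to a certain maximum age", the minor attests "a required minimum age", and the refresh paragraph talks about raising "the minimum age for the new coin". Please define once what the commitment stores and use that term throughout. The same paragraph gives the minor/ward a 1/κ chance to raise the age on refresh without saying what κ is or who chooses it; name the parameter here and list the residual probability under "Drawbacks". Minor points: "after an transaction" should be "after a transaction", "until the support for age groups are disabled" should use "is", and the "¹)" marker is plain text rather than an RST footnote reference with a matching footnote target.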
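Review bot: In "Drawbacks", the line "Also discuss:" is followed directly by "* storage overhead" with no blank line in between, so the four items will render as a continuation of the paragraph instead of a bullet list; add an empty line after "Also discuss:". The list above it also mixes one bullet ending in a period with one that does not.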