author | Christian Grothoff <christian@grothoff.org> | 2021-05-15 18:48:12 +0200 |
---|---|---|
committer | Christian Grothoff <christian@grothoff.org> | 2021-05-15 18:48:12 +0200 |
commit | 4e5c6a9f79476bf7b986f526aec9a1b4cbcbe6e0 (patch) | |
tree | 12b1f1004110de9e1f6cd10b5014715a7719b655 /presentations/comprehensive/nyc.tex | |
parent | 1df389ba188ec71c23e24b7bb7059d0fc81b8708 (diff) | |
download | marketing-4e5c6a9f79476bf7b986f526aec9a1b4cbcbe6e0.tar.gz marketing-4e5c6a9f79476bf7b986f526aec9a1b4cbcbe6e0.tar.bz2 marketing-4e5c6a9f79476bf7b986f526aec9a1b4cbcbe6e0.zip |
NYC edition
Diffstat (limited to 'presentations/comprehensive/nyc.tex')
-rw-r--r-- | presentations/comprehensive/nyc.tex | 2131 |
1 files changed, 2131 insertions, 0 deletions
diff --git a/presentations/comprehensive/nyc.tex b/presentations/comprehensive/nyc.tex
new file mode 100644
index 0000000..3f671f0
--- /dev/null
+++ b/presentations/comprehensive/nyc.tex
@@ -0,0 +1,2131 @@
+\pdfminorversion=3
+\documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer}
+\usepackage{amsmath}
+\usepackage{multimedia}
+\usepackage[utf8]{inputenc}
+\usepackage{framed,color,ragged2e}
+\usepackage[absolute,overlay]{textpos}
+\definecolor{shadecolor}{rgb}{0.8,0.8,0.8}
+\usetheme{boxes}
+\setbeamertemplate{navigation symbols}{}
+\usepackage{xcolor}
+\usepackage{tikz,eurosym}
+\usepackage[normalem]{ulem}
+\usepackage{listings}
+\usepackage{adjustbox}
+
+% CSS
+\lstdefinelanguage{CSS}{
+ basicstyle=\ttfamily\scriptsize,
+ keywords={color,background-image:,margin,padding,font,weight,display,position,top,left,right,bottom,list,style,border,size,white,space,min,width, transition:, transform:, transition-property, transition-duration, transition-timing-function},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ morestring=[b]',
+ morestring=[b]",
+ alsoletter={:},
+ alsodigit={-}
+}
+
+% JavaScript
+\lstdefinelanguage{JavaScript}{
+ basicstyle=\ttfamily\scriptsize,
+ morekeywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ morecomment=[s]{/*}{*/},
+ morecomment=[l]//,
+ morestring=[b]",
+ morestring=[b]'
+}
+
+\lstdefinelanguage{HTML5}{
+ basicstyle=\ttfamily\scriptsize,
+ language=html,
+ sensitive=true,
+ alsoletter={<>=-},
+ morecomment=[s]{<!-}{-->},
+ tag=[s],
+ otherkeywords={
+ % General
+ >,
+ % Standard tags
+ <!DOCTYPE,
+ </html, <html, <head, <title, </title, <style, </style, <link, </head, <meta, />,
+ % body
+ </body, <body,
+ % Divs
+ </div, <div, </div>,
+ % Paragraphs
+ </p, <p, </p>,
+ % scripts
+ </script, <script,
+ % More tags...
+ <canvas, /canvas>, <svg, <rect, <animateTransform, </rect>, </svg>, <video, <source, <iframe, </iframe>, </video>, <image, </image> + }, + ndkeywords={ + % General + =, + % HTML attributes + charset=, src=, id=, width=, height=, style=, type=, rel=, href=, + % SVG attributes + fill=, attributeName=, begin=, dur=, from=, to=, poster=, controls=, x=, y=, repeatCount=, xlink:href=, + % CSS properties + margin:, padding:, background-image:, border:, top:, left:, position:, width:, height:, + % CSS3 properties + transform:, -moz-transform:, -webkit-transform:, + animation:, -webkit-animation:, + transition:, transition-duration:, transition-property:, transition-timing-function:, + } +} + +\lstdefinelanguage{JavaScript}{ + basicstyle=\ttfamily\scriptsize, + keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break, for}, + keywordstyle=\color{blue}\bfseries, + ndkeywords={class, export, boolean, throw, implements, import, this}, + ndkeywordstyle=\color{darkgray}\bfseries, + identifierstyle=\color{black}, + sensitive=false, + comment=[l]{//}, + morecomment=[s]{/*}{*/}, + commentstyle=\color{purple}\ttfamily, + stringstyle=\color{red}\ttfamily, + morestring=[b]', + morestring=[b]" +} + +\usetikzlibrary{shapes,arrows} +\usetikzlibrary{positioning} +\usetikzlibrary{calc} + +\title{GNU Taler} +%\subtitle{} + +\setbeamertemplate{navigation symbols}{\includegraphics[width=1cm]{inria.pdf} \includegraphics[width=2.3cm]{bfh.png} \includegraphics[width=1.6cm]{fub.pdf} \includegraphics[width=0.4cm]{ashoka.png} \includegraphics[width=0.4cm]{gnu.png} \includegraphics[width=1cm]{logo-2020.jpg} \hfill} +%\setbeamercovered{transparent=1} + +\author[C. Grothoff]{J. Burdges, F. Dold, {\bf C. Grothoff}, M. 
Stanisci} +\date{\today} +\institute{The GNU Project} + + +\begin{document} + +\justifying + +\begin{frame} + \begin{center} + \LARGE {\bf GNU} + + \vfill +% \includegraphics[width=0.66\textwidth]{logo-2017-fr.pdf} + \includegraphics[width=0.66\textwidth]{logo-2020.jpg} + \end{center} +\begin{textblock*}{6cm}(.5cm,7.7cm) % {block width} (coords) + {\Large {\bf \href{https://taler.net/}{taler.net}} \\ + \href{https://twitter.com/taler}{taler@twitter} \\ + \href{https://taler-systems.com/}{taler-systems.com}} +\end{textblock*} + +% Substitute based on who is giving the talk! + \begin{textblock*}{6cm}(6.7cm,7.7cm) % {block width} (coords) + {\hfill {\Large {\bf Florian Dold \&} \\ + \hfill {\bf Christian Grothoff}} \\ + \hfill \{dold,grothoff\}@taler.net } +\end{textblock*} + +\end{frame} + + +\section{What is Taler?} +\begin{frame}{What is Taler?} + \begin{center} +Taler is an electronic instant payment system. + \end{center} + \begin{itemize} + \item Uses electronic coins stored in {\bf wallets} on customer's device + \item Like {\bf cash} + \item Pay in {\bf existing currencies} (i.e. EUR, USD, BTC), \\ + or use it to create new {\bf regional currencies} + \end{itemize} + \vfill + \pause + \noindent + However, Taler is + \begin{itemize} + \item \emph{not} a currency + \item \emph{not} a long-term store of value + \item \emph{not} a network or instance of a system + \item \emph{not} decentralized + \item \emph{not} based on proof-of-work or proof-of-stake + \item \emph{not} a speculative asset / ``get-rich-quick scheme'' + \end{itemize} +\end{frame} + + +\begin{frame}{Design principles} + \framesubtitle{https://taler.net/en/principles.html} +GNU Taler must ... +\begin{enumerate} + \item {... be implemented as {\bf free software}.} + \item {... protect the {\bf privacy of buyers}.} + \item {... must enable the state to {\bf tax income} and crack down on + illegal business activities.} + \item {... prevent payment fraud.} + \item {... 
only {\bf disclose the minimal amount of information + necessary}.} + \item {... be usable.} + \item {... be efficient.} + \item {... avoid single points of failure.} + \item {... foster {\bf competition}.} +\end{enumerate} +\end{frame} + + +\begin{frame} +\frametitle{Taler Overview} +\begin{center} +\begin{tikzpicture} + \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em]; + \node (origin) at (0,0) {}; + \node (exchange) [def,above=of origin,draw]{Exchange}; + \node (customer) [def, draw, below left=of origin] {Customer}; + \node (merchant) [def, draw, below right=of origin] {Merchant}; + \node (auditor) [def, draw, above right=of origin]{Auditor}; +% \node (regulator) [def, draw, above=of auditor]{CSSF}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (customer) -- (exchange) node [midway, above, sloped] (TextNode) {withdraw coins}; + \draw [<-, C] (exchange) -- (merchant) node [midway, above, sloped] (TextNode) {deposit coins}; + \draw [<-, C] (merchant) -- (customer) node [midway, above, sloped] (TextNode) {spend coins}; + \draw [<-, C] (exchange) -- (auditor) node [midway, above, sloped] (TextNode) {verify}; +% \draw [<-, C] (regulator) -- (auditor) node [midway, above, sloped] (TextNode) {report}; + +\end{tikzpicture} +\end{center} +\end{frame} + +\begin{frame} + % TODO: replace with simplified NEW architecture picture! 
+\frametitle{Architecture of Taler} +\begin{center} + \includegraphics[width=1\textwidth]{operations.png} +\end{center} +\end{frame} + + +\begin{frame}{The Taler Software Ecosystem} + \framesubtitle{\url{https://taler.net/en/docs.html}} + Taler is based on modular components that work together to provide a + complete payment system: + \vfill + \begin{itemize} + \item {\bf Exchange:} Service provider for digital cash + \begin{itemize} + \item Core exchange software (cryptography, database) + \item Air-gapped key management, real-time {\bf auditing} + \item LibEuFin: Modular integration with banking systems + \end{itemize} + \item {\bf Merchant:} Integration service for existing businesses + \begin{itemize} + \item Core merchant backend software (cryptography, database) + \item Back-office interface for staff + \item Frontend integration (E-commerce, Point-of-sale) + \end{itemize} + \item {\bf Wallet:} Consumer-controlled applications for e-cash + \begin{itemize} + \item Multi-platform wallet software (for browsers \& mobile phones) + \item Wallet backup storage providers + \item {\bf Anastasis}: Recovery of lost wallets based on secret splitting + \end{itemize} + \end{itemize} +\end{frame} + + +\begin{frame}[fragile]{Taler: Bank Perspective} +\begin{adjustbox}{max totalsize={.9\textwidth}{.7\textheight},center} +\begin{tikzpicture} + \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em]; + \node (origin) at (0,0) {}; + \node (exchange) [def,above=of origin,draw]{Exchange}; + \node (nexus) [def, draw, below right=of exchange] {Nexus}; + \node (corebanking) [def, draw, below left=of nexus] {Core Banking}; + \node (nginx) [def, draw, above=of exchange]{Nginx}; + \node (postgres) [def, draw, below left=of exchange]{Postgres}; + \node (postgres-nexus) [def, draw, below right=of nexus]{Postgres}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (exchange) -- (nginx) node [midway, above, sloped] (TextNode) {REST API}; + \draw 
[<-, C] (postgres) -- (exchange) node [midway, above, sloped] (TextNode) {SQL}; + \draw [<-, C] (postgres-nexus) -- (nexus) node [midway, above, sloped] (TextNode) {SQL}; + \draw [<-, C] (nexus) -- (exchange) node [midway, above, sloped] (TextNode) {Internal REST API}; + \draw [<-, C] (corebanking) -- (nexus) node [midway, above, sloped] (TextNode) {EBICS/FinTS}; + +\end{tikzpicture} +\end{adjustbox} +\end{frame} + + +\begin{frame} +\frametitle{Taler: Auditor Perspective} +\begin{center} +\begin{tikzpicture} + \tikzstyle{def} = [node distance=2em and 2.5em, inner sep=1em, outer sep=.3em]; + \node (origin) at (0,0) {}; + \node (httpd) [def,above left=of origin,draw]{auditor-httpd}; + \node (report) [def,above right=of origin,draw]{auditor-report}; + \node (postgres-A) [def, draw, below=of origin] {Postgres (Auditor)}; + \node (postgres-E) [def, draw, below=of postgres-A] {Postgres (Bank)}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [->, C] (postgres-E) -- (postgres-A) node [midway, above, sloped] (TextNode) {sync}; + \draw [<->, C] (httpd) -- (postgres-A) node [midway, above, sloped] (TextNode) {}; + \draw [<->, C] (report) -- (postgres-A) node [midway, above, sloped] (TextNode) {}; +\end{tikzpicture} +\end{center} +\end{frame} + + +\begin{frame} +\frametitle{Taler: Merchant Perspective} +\begin{center} +\begin{tikzpicture} + \tikzstyle{def} = [node distance= 3.5em and 2em, inner sep=1em, outer sep=.3em]; + \node (origin) at (0,0) {}; + \node (backend) [def,above=of origin,draw]{{\tiny taler-merchant-httpd}}; + \node (frontend) [def,above left=of backend,draw]{{\tiny E-commerce Frontend}}; + \node (backoffice) [def,above right=of backend,draw]{Backoffice}; + \node (postgres) [def, draw, below left=of backend] {Postgres}; + \node (sqlite) [def, draw, below=of backend] {Sqlite}; + \node (alt) [def, draw, below right=of backend] {...}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [->, C] (frontend) -- (backend) node [midway, above, 
sloped] (TextNode) {REST API}; + \draw [->, C] (backoffice) -- (backend) node [midway, above, sloped] (TextNode) {REST API}; + \draw [<->, C] (backend) -- (postgres) node [midway, above, sloped] (TextNode) {SQL}; + \draw [<->, C] (backend) -- (sqlite) node [midway, above, sloped] (TextNode) {SQL}; + \draw [<->, C] (backend) -- (alt) node [midway, above, sloped] (TextNode) {SQL}; +\end{tikzpicture} +\end{center} +\end{frame} + + +\begin{frame}{Usability of Taler} + \vfill + \begin{center} + \url{https://demo.taler.net/} + \end{center} + \begin{enumerate} + \item Install browser extension. + \item Visit the {\tt bank.demo.taler.net} to withdraw coins. + \item Visit the {\tt shop.demo.taler.net} to spend coins. + \end{enumerate} + \vfill +\end{frame} + + +\begin{frame}{Social Impact of Taler} + \framesubtitle{For CBDC impact analysis, see: \url{https://www.snb.ch/en/mmr/papers/id/working_paper_2021_03}} + \begin{center} + \includegraphics[height=0.9\textheight]{../../social-impact.pdf} + \end{center} +\end{frame} + + +\begin{frame}{Use Case: Journalism} + Today: + \begin{itemize} + \item Corporate structure % ($\Rightarrow$ filter) + \item Advertising primary revenue % ($\Rightarrow$ dependence) + \item Tracking readers critical for business success + \item Journalism and marketing hard to distinguish + \end{itemize}\vfill\pause + With GNU Taler: + \begin{itemize} + \item One-click micropayments per article + \item Hosting requires no expertise % (no PCI DSS) + \item Reader-funded reporting separated from marketing + \item Readers can remain anonymous + \end{itemize} +\end{frame} + + +\begin{frame}{Use Cases: Refugee Camps} + Today: + \begin{itemize} + \item Non-bankable + \item Direct distribution of goods to population + \item Limited economic activity in camps + \item High level of economic dependence + \end{itemize}\vfill\pause + With GNU Taler: + \begin{itemize} + \item Local currency issued as basic income backed by aid + \item Taxation possible based on 
economic status + \item Local governance enabled by local taxes + \item Increased economic independence and political participation + \end{itemize} +\end{frame} + + +\begin{frame}{Use Case: Anti-Spam} + \framesubtitle{Background: \url{https://pep.security/}} + Today, p$\equiv$p provides authenticated encryption for e-mail: + \begin{itemize} + \item Free software + \item Easy to use opportunistic encryption + \item Available for Outlook, Android, Enigmail + \item Spies \& spam filters can no longer inspect content + \end{itemize}\vfill\pause + With GNU Taler: + \begin{itemize} + \item Peer-to-peer payments via e-mail + \item If unsolicited sender, hide messages from user \& + automatically request payment from sender + \item Sender can attach payment to be moved to inbox + \item Receiver may grant refund to sender + \end{itemize} +\end{frame} + + + + +\begin{frame}[c]{Example: The Taler Snack Machine\footnote{By M. Boss and D. Hofer}} + \framesubtitle{Integration of a MDB/ICP to Taler gateway.\\Implementation of a NFC or QR-Code to Taler wallet interface.} + \vfill + \begin{figure} + \centering + \includegraphics[width=1.0\textwidth]{design} + \end{figure} +\end{frame} + + +\begin{frame}[t]{Software architecture for the Taler Snack Machine} + \framesubtitle{Code at \url{https://git.taler.net/taler-mdb}} + \begin{figure} + \centering + \includegraphics[width=.9\textwidth]{software_stack} + \end{figure} +\end{frame} + + +\begin{frame}[c]{User story: Install App on Android} +\framesubtitle{\url{https://wallet.taler.net/}} + \begin{figure} + \includegraphics[width=0.9\textwidth]{download_wallet.png} + \end{figure} +\end{frame} + +\begin{frame}{User story: Withdraw e-cash} + \begin{figure} + \includegraphics[width=0.9\textwidth]{get_taler_coins.png} + \end{figure} +\end{frame} + +\begin{frame}{User story: Use machine!} + \begin{figure} + \includegraphics[width=0.9\textwidth]{get_snacks.png} + \end{figure} +\end{frame} + + +\begin{frame}{How does it work?} +We use a few 
ancient constructions: + \begin{itemize} + \item Cryptographic hash function (1989) + \item Blind signature (1983) + \item Schnorr signature (1989) + \item Diffie-Hellman key exchange (1976) + \item Cut-and-choose zero-knowledge proof (1985) + \end{itemize} +But of course we use modern instantiations. +\end{frame} + + +\begin{frame}{Definition: Taxability} + We say Taler is taxable because: + \begin{itemize} + \item Merchant's income is visible from deposits. + \item Hash of contract is part of deposit data. + \item State can trace income and enforce taxation. + \end{itemize}\pause + Limitations: + \begin{itemize} + \item withdraw loophole + \item {\em sharing} coins among family and friends + \end{itemize} +\end{frame} + + +\begin{frame}{Exchange setup: Create a denomination key (RSA)} + \begin{minipage}{6cm} + \begin{enumerate} + \item Pick random primes $p,q$. + \item Compute $n := pq$, $\phi(n) = (p-1)(q-1)$ + \item Pick small $e < \phi(n)$ such that + $d := e^{-1} \mod \phi(n)$ exists. + \item Publish public key $(e,n)$. 
+ \end{enumerate} + \end{minipage} + \begin{minipage}{6cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance=1em and 1em, inner sep=0em, outer sep=.3em]; + \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; + \node (primes) [draw=none, below = of origin] at (0,0) {$(p, q)$}; + \node (seal) [def, draw=none, below left=of primes]{\includegraphics[width=0.15\textwidth]{seal.pdf}}; + \node (hammer) [def, draw=none, below right=of primes]{\includegraphics[width=0.15\textwidth]{hammer.pdf}}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (primes) -- (origin) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (hammer) -- (primes) node [midway, above, sloped] (TextNode) {}; + \end{tikzpicture} +% \includegraphics[width=0.4\textwidth]{seal.pdf} + \end{minipage} +\end{frame} + + +\begin{frame}{Merchant: Create a signing key (EdDSA)} + \begin{minipage}{6cm} + \begin{itemize} + \item pick random $m \mod o$ as private key + \item $M = mG$ public key + \end{itemize} + \end{minipage} + \begin{minipage}{6cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em]; + \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; + \node (m) [draw=none, below = of origin] at (0,0) {$m$}; + \node (seal) [draw=none, below=of m]{M}; + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (m) -- (origin) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {}; + \end{tikzpicture} + \end{minipage} + \parbox[t]{3cm}{{\bf Capability:} $m \Rightarrow$ } + \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{merchant-sign.pdf}} +\end{frame} + + +\begin{frame}{Customer: Create a planchet (EdDSA)} + \begin{minipage}{8cm} + \begin{itemize} + \item Pick random $c \mod o$ private key + \item $C = cG$ 
public key + \end{itemize} + \end{minipage} + \begin{minipage}{4cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em]; + \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; + \node (c) [draw=none, below = of origin] at (0,0) {$c$}; + \node (planchet) [draw=none, below=of c]{\includegraphics[width=0.4\textwidth]{planchet.pdf}}; + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (c) -- (origin) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (planchet) -- (c) node [midway, above, sloped] (TextNode) {}; + \end{tikzpicture} + \end{minipage} + \parbox[t]{3cm}{{\bf Capability:} $c \Rightarrow$ } + \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{planchet-sign.pdf}} +\end{frame} + + +\begin{frame}{Customer: Blind planchet (RSA)} + \begin{minipage}{6cm} + \begin{enumerate} + \item Obtain public key $(e,n)$ + \item Compute $f := FDH(C)$, $f < n$. + \item Pick blinding factor $b \in \mathbb Z_n$ + \item Transmit $f' := f b^e \mod n$ + \end{enumerate} + \end{minipage} + \begin{minipage}{6cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; + \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; + \node (b) [def, draw=none, below = of origin] at (0,-0.2) {$b$}; + \node (blinded) [def, draw=none, below right=of b]{\includegraphics[width=0.2\textwidth]{blinded.pdf}}; + \node (planchet) [def, draw=none, above right=of blinded]{\includegraphics[width=0.15\textwidth]{planchet.pdf}}; + \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (exchange) 
-- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; + \end{tikzpicture} + \end{minipage} +\end{frame} + + +\begin{frame}{Exchange: Blind sign (RSA)} + \begin{minipage}{6cm} + \begin{enumerate} + \item Receive $f'$. + \item Compute $s' := f'^d \mod n$. + \item Send signature $s'$. + \end{enumerate} + \end{minipage} + \begin{minipage}{6cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; + \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}}; + \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}}; + \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; + \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer}; + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}}; + \end{tikzpicture} + \end{minipage} +\end{frame} + + +\begin{frame}{Customer: Unblind coin (RSA)} + \begin{minipage}{6cm} + \begin{enumerate} + \item Receive $s'$. + \item Compute $s := s' b^{-1} \mod n$ % \\ + % ($(f')^d = (f b^e)^d = f^d b$). 
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (b) [def, draw=none] at (0,0) {$b$};
+ \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
+ \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+\begin{frame}{Withdrawing coins on the Web}
+ \begin{center}
+ \includegraphics[height=0.9\textheight]{figs/taler-withdraw.pdf}
+ \end{center}
+\end{frame}
+
+
+\begin{frame}{Customer: Build shopping cart}
+ \begin{center}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
+ \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{shop.pdf}};
+ \node (cart) [draw=none, below=of m]{\includegraphics[width=0.2\textwidth]{cart.pdf}};
+ \node (merchant) [node distance=4em and 0.5em, draw, below =of cart]{Merchant};
+ \tikzstyle{C} = [color=black, line width=1pt];
+ \draw [<-, C] (cart) -- (origin) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (merchant) -- (cart) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{center}
+\end{frame}
+
+
+\begin{frame}{Merchant Integration: Payment Request}
+% \begin{figure}[p!]
+ \lstset{language=HTML5}
+ \lstinputlisting{figs/taler-402.html}
+% \caption{Sample HTTP response to prompt the wallet to show an offer.}
+% \label{listing:http-contract}
+% \end{figure}
+
+% \begin{figure*}[p!]
+% \lstset{language=HTML5}
+% \lstinputlisting{figs/taler-contract.html}
+% \caption{Sample JavaScript code to prompt the wallet to show an offer.
+% Here, the contract is fetched on-demand from the server.
+% The {\tt taler\_pay()} function needs to be invoked
+% when the user triggers the checkout.}
+% \label{listing:contract}
+% \end{figure*}
+\end{frame}
+
+
+\begin{frame}{Merchant Integration: Contract}
+ % \begin{figure*}[t!]
+ {\tiny
+ \lstset{language=JavaScript}
+ \lstinputlisting{figs/taler-contract.json}
+% \caption{Minimal Taler contract over a digital article with a value of \EUR{0.10}. The merchant will pay transaction fees up to \EUR{0.01}. The hash over the wire transfer information was truncated to make it fit to the page.}
+% \label{listing:json-contract}
+ % \end{figure*}
+ }
+\end{frame}
+
+
+\begin{frame}{Merchant: Propose contract (EdDSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Complete proposal $D$.
+ \item Send $D$, $EdDSA_m(D)$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (cart) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{cart.pdf}};
+ \node (proposal) [def, draw=none, below right=of cart]{\includegraphics[width=0.5\textwidth]{merchant_propose.pdf}};
+ \node (customer) [node distance=4em and 0.5em, draw, below =of proposal]{Customer};
+ \tikzstyle{C} = [color=black, line width=1pt];
+ \node (sign) [def, draw=none, above right=of proposal] {$m$};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (proposal) -- (sign) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (proposal) -- (cart) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (customer) -- (proposal) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Customer: Spend coin (EdDSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Receive proposal $D$, $EdDSA_m(D)$.
+ \item Send $s$, $C$, $EdDSA_c(D)$ + \end{enumerate} + \end{minipage} + \begin{minipage}{6cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance=2em and 0.4em, inner sep=0em, outer sep=.3em]; + \node (proposal) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}}; + \node (contract) [def, draw=none, below right=of cart]{\includegraphics[width=0.3\textwidth]{contract.pdf}}; + \node (c) [def, draw=none, above=of contract] {$c$}; + \node (merchant) [node distance=4em and 0.5em, draw, below=of contract]{Merchant}; + \node (coin) [def, draw=none, right=of contract]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (contract) -- (proposal) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (merchant) -- (contract) node [midway, above, sloped] (TextNode) {{\small transmit}}; + \draw [<-, C] (merchant) -- (coin) node [midway, below, sloped] (TextNode) {{\small transmit}}; + \end{tikzpicture} + \end{minipage} +\end{frame} + + +\begin{frame}{Merchant and Exchange: Verify coin (RSA)} + \begin{minipage}{6cm} + \begin{equation*} + s^e \stackrel{?}{\equiv} FDH(C) \mod n + \end{equation*} + \end{minipage} + \begin{minipage}{6cm} + \begin{minipage}{0.2\textwidth} + \includegraphics[width=\textwidth]{coin.pdf} + \end{minipage} + $\stackrel{?}{\Leftrightarrow}$ + \begin{minipage}{0.2\textwidth} + \includegraphics[width=\textwidth]{seal.pdf} + \end{minipage} + \end{minipage} + \vfill + The exchange does not only verify the signature, but also + checks that the coin was not double-spent. + \vfill + \pause + \begin{center} + {\bf Taler is an online payment system.} + \end{center} + \vfill +\end{frame} + + +\begin{frame}{Requirements: Online vs. 
Offline Digital Currencies} +\framesubtitle{\url{https://taler.net/papers/euro-bearer-online-2021.pdf}} +\begin{itemize} + \item Offline capabilities are sometimes cited as a requirement for digital payment solutions + \item All implementations must either use restrictive hardware elements and/or introduce + counterparty risk. + \item[$\Rightarrow$] Permanent offline features weaken a digital payment solution (privacy, security) + \item[$\Rightarrow$] Introduces unwarranted competition for physical cash (endangers emergency-preparedness). + \end{itemize} + We recommend a tiered approach: + \begin{enumerate} + \item Online-first, bearer-based digital currency with Taler + \item (Optional:) Limited offline mode for network outages + \item Physical cash for emergencies (power outage, catastrophic cyber incidents) + \end{enumerate} +\end{frame} + + +\begin{frame}{Payment processing with Taler} + \begin{center} + \includegraphics[height=0.9\textheight]{figs/taler-pay.pdf} + \end{center} +\end{frame} + + +\begin{frame}{Giving change} + It would be inefficient to pay EUR 100 with 1 cent coins! + \begin{itemize} + \item Denomination key represents value of a coin. + \item Exchange may offer various denominations for coins. + \item Wallet may not have exact change! + \item Usability requires ability to pay given sufficient total funds. + \end{itemize}\pause + Key goals: + \begin{itemize} + \item maintain unlinkability + \item maintain taxability of transactions + \end{itemize}\pause + Method: + \begin{itemize} + \item Contract can specify to only pay {\em partial value} of a coin. + \item Exchange allows wallet to obtain {\em unlinkable change} + for remaining coin value. 
+ \end{itemize}
+\end{frame}
+
+
+\begin{frame}{Diffie-Hellman (ECDH)}
+ \begin{minipage}{8cm}
+ \begin{enumerate}
+ \item Create private keys $c,t \mod o$
+ \item Define $C = cG$
+ \item Define $T = tG$
+ \item Compute DH \\ $cT = c(tG) = t(cG) = tC$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t$};
+ \node (ct) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{dh.pdf}};
+ \node (c) [def, draw=none, above left= of ct] {$c$};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (ct) -- (c) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (ct) -- (t) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Strawman solution}
+ \begin{minipage}{8cm}
+ Given partially spent private coin key $c_{old}$:
+ \begin{enumerate}
+% \item Let $C_{old} := c_{old}G$ (as before)
+ \item Pick random $c_{new} \mod o$ private key
+ \item $C_{new} = c_{new}G$ public key
+ \item Pick random $b_{new}$
+ \item Compute $f_{new} := FDH(C_{new})$, $m < n$.
+ \item Transmit $f'_{new} := f_{new} b_{new}^e \mod n$
+ \end{enumerate}
+ ... and sign request for change with $c_{old}$.
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (blinded) [def, draw=none]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (planchet) [def, draw=none, above left= of blinded] {\includegraphics[width=0.15\textwidth]{planchet.pdf}};
+ \node (cnew) [def, draw=none, above= of planchet] {$c_{new}$};
+ \node (bnew) [def, draw=none, above right= of blinded] {$b_{new}$};
+ \node (dice1) [def, draw=none, above = of cnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dice2) [def, draw=none, above = of bnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (cnew) -- (dice1) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (planchet) -- (cnew) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bnew) -- (dice2) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bnew) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+ \pause
+ \vfill
+ {\bf Problem: Owner of $c_{new}$ may differ from owner of $c_{old}$!}
+\end{frame}
+
+
+\begin{frame}{Customer: Transfer key setup (ECDH)}
+ \begin{minipage}{8cm}
+ Given partially spent private coin key $c_{old}$:
+ \begin{enumerate}
+ \item Let $C_{old} := c_{old}G$ (as before)
+ \item Create random private transfer key $t \mod o$
+ \item Compute $T := tG$
+ \item Compute $X := c_{old}(tG) = t(c_{old}G) = tC_{old}$
+ \item Derive $c_{new}$ and $b_{new}$ from $X$
+ \item Compute $C_{new} := c_{new}G$
+ \item Compute $f_{new} := FDH(C_{new})$
+ \item Transmit $f_{new}' := f_{new} b_{new}^e$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t$};
+ \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new}$};
+ \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Cut-and-Choose}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t_1$};
+ \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below left= of dh]
{$c_{new,1}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$};
+ \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t_2$};
+ \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,2}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,2}$};
+ \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (t) node [midway, above, sloped]
(TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t_3$};
+ \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$};
+ \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Exchange: Choose!}
+ \begin{center}
+ \item
Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the customer.
+ \end{center}
+\end{frame}
+
+
+\begin{frame}{Customer: Reveal}
+ \begin{enumerate}
+ \item If $\gamma = 1$, send $t_2$, $t_3$ to exchange
+ \item If $\gamma = 2$, send $t_1$, $t_3$ to exchange
+ \item If $\gamma = 3$, send $t_1$, $t_2$ to exchange
+ \end{enumerate}
+\end{frame}
+
+
+\begin{frame}{Exchange: Verify ($\gamma = 2$)}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (h) [def, draw=none] at (0,0) {$t_1$};
+ \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$C_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$};
+ \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (h) [def, draw=none] at (0,0) {$t_3$};
+ \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$C_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$};
+ \node (bp) [def, draw=none, below right= of
dh] {$b_{new,3}$};
+ \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Exchange: Blind sign change (RSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Take $f_{new,\gamma}'$.
+ \item Compute $s' := f_{new,\gamma}'^d \mod n$.
+ \item Send signature $s'$.
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}};
+ \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
+ \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Customer: Unblind change (RSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Receive $s'$.
+ \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$.
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$};
+ \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
+ \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Exchange: Allow linking change}
+ \begin{minipage}{7cm}
+ \begin{center}
+ Given $C_{old}$
+
+ \vspace{1cm}
+
+ return $T_\gamma$, $s := s' b_{new,\gamma}^{-1} \mod n$.
+ \end{center}
+ \end{minipage}
+ \begin{minipage}{5cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer sep=.3em];
+ \node (co) [def, draw=none] at (0,0) {$C_{old}$};
+ \node (T) [def, draw=none, below left=of co]{$T_\gamma$};
+ \node (sign) [def, draw=none, below right=of co]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
+ \node (customer) [def, draw, below right=of T] {Customer};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode) {link};
+ \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode) {link};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Customer: Link (threat!)}
+ \begin{minipage}{6.3cm}
+ \begin{enumerate}
+ \item Have $c_{old}$.
+ \item Obtain $T_\gamma$, $s$ from exchange
+ \item Compute $X_\gamma = c_{old}T_\gamma$
+ \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$
+ \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$
+ \end{enumerate}
+
+ \end{minipage}
+ \begin{minipage}{5.7cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (T) [def, draw=none] at (0,0) {$T_\gamma$};
+ \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange};
+ \node (signed) [def, draw=none, below left=of T]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
+ \node (dh) [def, draw=none, below right=of T]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (bp) [def, draw=none, below left= of dh] {$b_{new,\gamma}$};
+ \node (co) [def, draw=none, above right= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below= of dh] {$c_{new,\gamma}$};
+ \node (coin) [def, draw=none, below left = of bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
+ \node (psign) [def, node distance=2.5em and 0em, draw=none, below = of cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode) {link};
+ \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped] (TextNode) {link};
+ \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Refresh protocol summary}
+
\begin{itemize}
+ \item Customer asks exchange to convert old coin to new coin
+ \item Protocol ensures new coins can be recovered from old coin
+ \item[$\Rightarrow$] New coins are owned by the same entity!
+ \end{itemize}
+ Thus, the refresh protocol allows:
+ \begin{itemize}
+ \item To give unlinkable change.
+ \item To give refunds to an anonymous customer.
+ \item To expire old keys and migrate coins to new ones.
+ \item To handle protocol aborts.
+ \end{itemize}
+ \noindent
+ \begin{center}
+ \bf
+ Transactions via refresh are equivalent to {\em sharing} a wallet.
+\end{center}
+\end{frame}
+
+
+
+\begin{frame}{Warranting deposit safety}
+ Exchange has {\em another} online signing key $W = wG$:
+ \begin{center}
+ Sends $EdDSA_w(M,H(D),FDH(C))$ to the merchant.
+ \end{center}
+ This signature means that $M$ was the {\em first} to deposit
+ $C$ and that the exchange thus must pay $M$.
+ \vfill
+ \begin{center}
+ Without this, an evil exchange could renege on the deposit
+ confirmation and claim double-spending if a coin were
+ deposited twice, and then not pay either merchant!
+ \end{center}
+\end{frame}
+
+
+\begin{frame}{Online keys}
+\begin{itemize}
+\item The exchange needs $d$ and $w$ to be available for online signing.
+\item The corresponding public keys $W$ and $(e,n)$ are certified using
+ Taler's public key infrastructure (which uses offline-only keys).
+\end{itemize}
+\begin{center}
+\includegraphics[width=0.5\textwidth]{taler-diagram-signatures.png}
+\end{center}
+\vfill
+\begin{center}
+{\bf What happens if those private keys are compromised?}
+\end{center}
+\vfill
+\end{frame}
+
+
+\begin{frame}{Denomination key $(e,n)$ compromise}
+\begin{itemize}
+\item An attacker who learns $d$ can sign an arbitrary number of illicit coins
+ into existence and deposit them.
+\item Auditor and exchange can detect this once the total number of deposits
+ (illicit and legitimate) exceeds the number of legitimate coins the
+ exchange created.
+\item At this point, $(e,n)$ is {\em revoked}. Users of {\em unspent}
+ legitimate coins reveal $b$ from their withdrawal operation and
+ obtain a {\em refund}.
+\item The financial loss of the exchange is {\em bounded} by the number of
+ legitimate coins signed with $d$.
+\item[$\Rightarrow$] Taler frequently rotates denomination signing keys and
+ deletes $d$ after the signing period of the respective key expires.
+\end{itemize}
+\begin{center}
+\includegraphics[width=0.5\textwidth]{taler-diagram-denom-expiration.png}
+\end{center}
+\end{frame}
+
+
+\begin{frame}{Online signing key $W$ compromise}
+\begin{itemize}
+\item An attacker who learns $w$ can sign deposit confirmations.
+\item Attacker sets up two (or more) merchants and customer(s) which double-spend
+ legitimate coins at both merchants.
+\item The merchants only deposit each coin once at the exchange and get paid once.
+\item The attacker then uses $w$ to fake deposit confirmations for the double-spent
+ transactions.
+\item The attacker uses the faked deposit confirmations to complain to the auditor
+ that the exchange did not honor the (faked) deposit confirmations.
+\end{itemize}
+The auditor can then detect the double-spending, but cannot tell who is to blame,
+and (likely) would presume an evil exchange, forcing it to pay both merchants.
+\end{frame}
+
+
+\begin{frame}{Detecting online signing key $W$ compromise}
+\begin{itemize}
+\item Merchants are required to {\em probabilistically} report
+ signed deposit confirmations to the auditor.
+\item Auditor can thus detect exchanges not reporting signed
+ deposit confirmations.
+\item[$\Rightarrow$] Exchange can rekey if illicit key use is detected,
+ then only has to honor deposit confirmations it already provided
+ to the auditor {\em and} those without proof of double-spending
+ {\em and} those merchants reported to the auditor.
+\item[$\Rightarrow$] Merchants that do not participate in reporting + to the auditor risk their deposit permissions being voided in + cases of an exchange's private key being compromised. +\end{itemize} +\end{frame} + + + + +\section{Competitor analysis} +\begin{frame}{Competitor comparison} + \begin{center} \small + \begin{tabular}{l||c|c|c|c|c} + & Cash & Bitcoin & Zerocoin & Creditcard & GNU Taler \\ \hline \hline + Online &$-$$-$$-$ & ++ & ++ & + & +++ \\ \hline + Offline & +++ & $-$$-$ & $-$$-$ & + & $-$$-$ \\ \hline + Trans. cost & + & $-$$-$$-$ & $-$$-$$-$ & $-$ & ++ \\ \hline + Speed & + & $-$$-$$-$ & $-$$-$$-$ & o & ++ \\ \hline + Taxation & $-$ & $-$$-$ & $-$$-$$-$ & +++ & +++ \\ \hline + Payer-anon & ++ & o & ++ & $-$$-$$-$ & +++ \\ \hline + Payee-anon & ++ & o & ++ & $-$$-$$-$ & $-$$-$$-$ \\ \hline + Security & $-$ & o & o & $-$$-$ & ++ \\ \hline + Conversion & +++ & $-$$-$$-$ & $-$$-$$-$ & +++ & +++ \\ \hline + Libre & $-$ & +++ & +++ & $-$ $-$ $-$ & +++ \\ + \end{tabular} + \end{center} +\end{frame} + + +\begin{frame}{Taler: Project Status} +\framesubtitle{\url{https://docs.taler.net/}} +\begin{itemize} + \item Cryptographic protocols and core exchange component are stable + \item Current focus: Merchant integration, settlement integration, wallet backup + \item Pilot project at Bern University of Applied Sciences cafeteria + \item Internal alpha deployment with a commercial bank in progress + \end{itemize} +\end{frame} + + +\begin{frame}{Next Steps: Possible Projects and Collaborations} + \vfill +\begin{center} +\includegraphics[width=1.0\textwidth]{taler-in-use.png} +\end{center} +\end{frame} + + +\begin{frame}{Area I: System Integration and Partnerships} + \framesubtitle{\url{https://lists.gnu.org/mailman/listinfo/taler}} + Pilots with banking organizations could: + \begin{itemize} + \item Study integration with the underlying RTGS layer: + \begin{itemize} + \item Develop standardized operational procedures + \item Assess transaction performance 
at scale
+ \item Perform cost analysis in banking environment
+ \item Assess effort for integration with commercial banks
+ \end{itemize}
+ \item Analyze regulatory considerations for different legislations
+ \item Perform independent security audits of Taler components
+ \end{itemize}
+ In general, a major task is faciltation of integration at retailers:
+ \begin{itemize}
+ \item Hardware and software support
+ \item Integration into off-the-self E-commerce systems
+ \end{itemize}
+\end{frame}
+
+
+\begin{frame}{Area II: Development/Research Extensions}
+ \framesubtitle{Background: \url{https://myoralvillage.org/}}
+We have ideas for protocol extensions and ``programmable money'':
+ \begin{itemize}
+ \item Mediated wallet-to-wallet payments (instead of customer-to-merchant)
+ \item Privacy-preserving auctions (trading, currency exchange)
+ \item Age-restricted private payments for children (youth protection)
+ \end{itemize}
+Public funding could be used to improve:
+ \begin{itemize}
+ \item General digital wallet usability and availability
+ \item Accessibility features for illiterate and innumerate users
+ \item Protocol extensions for automated tax reporting
+ \end{itemize}
+\end{frame}
+
+
+\begin{frame}{How to support?}
+ \begin{description}
+ \item[Join:] {\small \url{https://lists.gnu.org/mailman/listinfo/taler}}, \\
+ \url{irc://irc.freenode.net/\#taler}
+ \item[Develop:] \url{https://bugs.taler.net/}, \url{https://git.taler.net/}
+ \item[Translate:] \url{https://weblate.taler.net/}, \url{translation-volunteer@taler.net}
+ \item[Integrate:] \url{https://docs.taler.net/}
+ \item[Donate:] \url{https://gnunet.org/ev}
+ \item[Invest:] \url{https://taler-systems.com/}
+ \end{description}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Do you have any questions?}
+\vfill
+References:
+{\tiny
+ \begin{enumerate}
+ \item{David Chaum, Christian Grothoff and Thomas Moser.
+ {\em How to issue a central bank digital currency}.
+ {\bf SNB Working Papers, 2021}.}
+ \item{Christian Grothoff, Bart Polot and Carlo von Loesch.
+ {\em The Internet is broken: Idealistic Ideas for Building a GNU Network}.
+ {\bf W3C/IAB Workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT)}, 2014.}
+ \item{Jeffrey Burdges, Florian Dold, Christian Grothoff and Marcello Stanisci.
+ {\em Enabling Secure Web Payments with GNU Taler}.
+ {\bf SPACE 2016}.}
+ \item{Florian Dold, Sree Harsha Totakura, Benedikt M\"uller, Jeffrey Burdges and Christian Grothoff.
+ {\em Taler: Taxable Anonymous Libre Electronic Reserves}.
+ Available upon request. 2016.}
+ \item{Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer and Madars Virza.
+ {\em Zerocash: Decentralized Anonymous Payments from Bitcoin}.
+ {\bf IEEE Symposium on Security \& Privacy, 2016}.}
+ \item{David Chaum, Amos Fiat and Moni Naor.
+ {\em Untraceable electronic cash}.
+ {\bf Proceedings on Advances in Cryptology, 1990}.}
+ \item{Phillip Rogaway.
+ {\em The Moral Character of Cryptographic Work}.
+ {\bf Asiacrypt}, 2015.} \label{bib:rogaway}
+\end{enumerate}
+}
+\begin{center}
+ {\bf Let money facilitate trade; but ensure capital serves society.}
+\end{center}
+\end{frame}
+
+
+\section{Integration with the core banking system}
+
+\begin{frame}
+ \vfill
+ \begin{center}
+ {\bf Part II: Integration with the core banking system}
+ \end{center}
+ \vfill
+\end{frame}
+
+
+\begin{frame}
+\frametitle{High-level Deployment Recipe}
+\dots as a bank
+\begin{enumerate}
+ \item Create an escrow bank account for the exchange with EBICS access
+ \item Provision offline signing machine (or account during testing)
+ \item Provision two PostgreSQL databases (for LibEuFin Nexus and exchange)
+ \item Provision user-facing exchange service and secmod processes
+ \item Provision LibEuFin Nexus (connected to escrow account and providing
+ an internal API to the exchange)
+ \item Test using the ``taler-wallet-cli``
+\end{enumerate}
+\end{frame}
+
+
+\begin{frame}{Exchange escrow account access}
+The Taler exchange needs to communicate with the core banking system \dots
+\begin{itemize}
+ \item to query for transactions into the exchange's escrow account
+ \item to initiate payments of aggregated Taler deposits to merchants
+\end{itemize}
+
+In a Taler deployment, the \emph{Taler Wire Gateway} provides an API to the exchange
+for Taler-specific access to the Exchange's escrow account. Multiple implementations
+of the Taler Wire Gateway exist:
+
+\begin{itemize}
+ \item a self-contained play money demo bank
+ \item LibEuFin, an adapter to EBICS and other protocols
+\end{itemize}
+
+\end{frame}
+
+\begin{frame}{LibEuFin}
+ LibEuFin is a standalone project that provides adapters to bank account
+ access APIs.
+
+ \begin{itemize}
+ \item LibEuFin provides both a generic access layer and an
+ implementation of the Taler Wire Gateway API for the exchange
+ \item currently, only EBICS 2.5 is supported
+ \item other APIs such as FinTS or PSD2-style XS2A APIs can be added
+ without requiring changes to the Exchange
+ \item tested with a GLS business account
+ \end{itemize}
+\end{frame}
+
+\begin{frame}{LibEuFin Concepts}
+ \begin{itemize}
+ \item A LibEuFin \emph{bank connection} is a set of credentials and parameters
+ to talk to the bank's account access API.
+ \item A LibEuFin \emph{bank account} is the information about a bank
+ account (balances, transactions, payment initiations) stored locally
+ within the LibEuFin service. A LibEuFin bank account has a default Bank
+ Connection that is used to communicate with the bank's API.
+ \item A \emph{facade} provides a domain-specific access layer to bank accounts
+ and connections. The \emph{Taler Wire Gateway Facade} implements the
+ API required by the Taler exchange and translates it to operations on the
+ underlying account/connection.
+ \end{itemize}
+\end{frame}
+
+\begin{frame}{LibEuFin Tooling}
+ \begin{itemize}
+ \item \texttt{libeufin-nexus} is the main service
+ \item Almost all configuration (except DB credentials)
+ is stored in the database and managed via a RESTful HTTP API
+ \item \texttt{libeufin-sandbox} implements a toy EBICS host for protocol
+ testing
+ \item \texttt{libeufin-cli} is client for the HTTP API (only implements a subset
+ of available functionality)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}{LibEuFin Setup Overview}
+ \begin{itemize}
+ \item Obtain EBICS subscriber configuration (host URL, host ID, user ID,
+ partner ID) for the Exchange's escrow account
+ \item Deploy the LibEuFin Nexus service
+ \item Create a new LibEuFin bank connection (of type \texttt{ebics})
+ \item Export and back up the key material for the bank connection (contains
+ EBICS subscriber configuration and private keys)
+ \item Send subscriber initialization to the EBICS host (electronically)
+ \item Export key letter and activate subscriber in the EBICS host (manually)
+ \item Synchronize the bank connection
+ \item Import the account into LibEuFin
+ \item Create a Taler Wire Gateway facade
+ \item Set up scheduled tasks for ingesting new transactions / sending payment
+ initiations
+ \end{itemize}
+\end{frame}
+
+
+
+\begin{frame}{LibEuFin Implementation Limitations}
+ \begin{itemize}
+ \item LibEuFin is less stable than other Taler components, and future
+ updates might contain breaking changes (tooling, APIs and database
+ schema)
+ \item Error handling and recovery is still rather primitive
+ \item The Taler Wire Gateway does not yet implement automatic return
+ transactions when transactions with a malformed subject (i.e.
no reserve
+ public key) are received
+ \end{itemize}
+\end{frame}
+
+\begin{frame}{LibEuFin EBICS Limitations}
+ The GLS accounts with EBICS access that we have access to have some limitations:
+ \begin{itemize}
+ \item SEPA Instant Credit Transfers aren't supported yet
+ \item Erroneous payment initiations are accepted by the GLS EBICS host,
+ but an error message is later sent only by paper mail (and not reported
+ by the CRZ download request)
+ \item Limited access to transaction history (3 months)
+ \end{itemize}
+\end{frame}
+
+\begin{frame}[fragile]{LibEuFin Setup Guide}
+\vfill
+\begin{center}
+\url{https://docs.taler.net/libeufin/nexus-tutorial.html}
+\end{center}
+\vfill
+\end{frame}
+
+
+\section{Operator security considerations}
+
+\begin{frame}
+ \vfill
+ \begin{center}
+ {\bf Part III: Operator security considerations}
+ \end{center}
+ \vfill
+\end{frame}
+
+
+\begin{frame}{Key management}
+Taler has many types of keys:
+\begin{itemize}
+\item Coin keys
+\item Denomination keys
+\item Online message signing keys
+\item Offline key signing keys
+\item Merchant keys
+\item Auditor key
+\item Security module keys
+\item Transfer keys
+\item Wallet keys
+\item {\em TLS keys, DNSSEC keys}
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Offline keys}
+Both exchange and auditor use offline keys.
+\begin{itemize}
+\item Those keys must be backed up and remain highly confidential!
+\item We recommend that computers that have ever had access to those
+ keys to NEVER again go online.
+\item We recommend using a Raspberry Pi for offline key operations.
+ Store it in a safe under multiple locks and keys.
+\item Apply full-disk encryption on offline-key signing systems.
+\item Have 3--5 full-disk backups of offline-key signing systems.
+\end{itemize}
+\begin{center}
+\includegraphics[scale=0.1]{pi.png}
+\end{center}
+\end{frame}
+
+
+\begin{frame}{Online keys}
+The exchange needs RSA and EdDSA keys to be available for online signing.
+\begin{itemize}
+\item Knowledge of these private keys will allow an adversary to
+ mint digital cash, possibly resulting in huge financial losses
+ (eventually, this will be detected by the auditor, but only
+ after some financial losses have been irrevocably incurred).
+\item The corresponding public keys are certified using
+ Taler's public key infrastructure (which uses offline-only keys).
+\end{itemize}
+\begin{center}
+\includegraphics[width=0.5\textwidth]{taler-diagram-signatures.png}
+\end{center}
+\vfill
+{\tt taler-exchange-offline} can also be used to {\bf revoke} the
+online signing keys, if we find they have been compromised.
+\vfill
+\end{frame}
+
+
+\begin{frame}{Protecting online keys}
+The exchange needs RSA and EdDSA keys to be available for online signing.
+\begin{itemize}
+\item {\tt taler-exchange-secmod-rsa} and {\tt taler-exchange-secmod-eddsa}
+ are the only processes that must have access to the private keys.
+\item The secmod processes should run under a different UID, but share
+ the same GID with the exchange.
+\item The secmods generate the keys, allow {\tt taler-exchange-httpd} to sign with
+ them, and eventually delete the private keys.
+\item Communication between secmods and {\tt taler-exchange-httpd} is via
+ a UNIX domain socket.
+\item Online private keys are stored on disk (not in database!) and should
+ NOT be backed up (RAID should suffice). If disk is lost, we can always
+ create fresh replacement keys!
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Database}
+The exchange needs the database to detect double spending.
+\begin{itemize}
+\item Loss of the database will allow technically skilled people
+ to double-spend their digital cash, possibly resulting in
+ significant financial losses.
+\item The database contains total amounts customers withdrew and
+ merchants received, so sensitive private banking data. It
+ must also not become public.
+\item The auditor must have a (current) copy.
Asynchronous replication + is considered sufficient. This copy could also be used as an + additional (off-site?) backup. +\end{itemize} +\end{frame} + + +\begin{frame}{taler-exchange-wirewatch} +{\tt taler-exchange-wirewatch} needs credentials to access data about +incoming wire transfers from the Nexus. +\begin{itemize} +\item This tool should run as a separate UID and GID (from + {\tt taler-exchange-httpd}). +\item It must have access to the Postgres database (SELECT + INSERT). +\item Its configuration file contains the credentials to talk to Nexus. +\item[$\Rightarrow$] Configuration should be separate from {\tt taler-exchange-httpd}. +\end{itemize} +\end{frame} + + +\begin{frame}{taler-exchange-transfer} +Only {\tt taler-exchange-transfer} needs credentials to initiate wire +transfers using the Nexus. +\begin{itemize} +\item This tool should run as a separate UID and GID (from + {\tt taler-exchange-httpd}). +\item It must have access to the Postgres database (SELECT + INSERT). +\item Its configuration file contains the credentials to talk to Nexus. +\item[$\Rightarrow$] Configuration should be separate from {\tt taler-exchange-httpd}. +\end{itemize} +\end{frame} + + +\begin{frame}{Nexus} +The Nexus has to be able to interact with the escrow account of the bank. +\begin{itemize} +\item It must have the private keys to sign EBICS/FinTS messages. +\item It also has its own local database. +\item The Nexus user and database should be kept separate from + the other exchange users and the Taler exchange database. +\end{itemize} +\end{frame} + + +\begin{frame}{Hardware} +General notions: +\begin{itemize} +\item Platforms with disabled Intel ME \& disabled remote administration are safer. +\item VMs are not a security mechanism. Side-channel attacks abound. Avoid running any + Taler component in a virtual machine ``for security''. 
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Operating system}
+General notions:
+\begin{itemize}
+\item It should be safe to run the different Taler components (including Nginx, Nexus
+ and Postgres) all on the same physical hardware (under different UIDs/GIDs).
+ We would separate them onto different physical machines during scale-out, but not
+ necessarily for ``basic'' security.
+\item Limiting and auditing system administrator access will be crucial.
+\item We recommend to {\bf not} use any anti-virus.
+\item We recommend using a well-supported GNU/Linux operating system (such as
+ Debian or Ubuntu).
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Network}
+\begin{itemize}
+\item We recommend to {\bf not} use any host-based firewall.
+ Taler components can use UNIX domain sockets (or bind to localhost).
+\item A network-based
+ firewall is not required, but as long as TCP 80/443 are open Taler should
+ work fine.
+\item Any firewall must be configured to permit connection to Auditor
+ for database synchronization.
+\item We recommend running the Taler exchange behind an Nginx or Apache
+ proxy for TLS termination.
+\item We recommend using static IP address configurations (IPv4 and IPv6).
+\item We recommend using DNSSEC with DANE in addition to TLS certificates.
+\item We recommend auditing the TLS setup using \url{https://observatory.mozilla.org}.
+\end{itemize}
+\end{frame}
+
+
+\section{Integration considerations}
+
+\begin{frame}
+ \vfill
+ \begin{center}
+ {\bf Part IV: Integration considerations}
+ \end{center}
+ \vfill
+\end{frame}
+
+
+\begin{frame}[fragile]{RFC 8905: \texttt{payto:} Uniform Identifiers for Payments and Accounts}
+ \vfill
+ Like \texttt{mailto:}, but for bank accounts instead of email accounts!
+ \vfill
+ \begin{verbatim}
+ payto://<PAYMENT-METHOD>/<ACCOUNT-NR>
+ ?subject=InvoiceNr42
+ &amount=EUR:12.50
+ \end{verbatim}
+ \vfill
+ Default action: Open app to review and confirm payment.
+ \vfill +\includegraphics[width=0.25\textwidth]{einzahlschein-ch.jpeg} +\hfill +\includegraphics[width=0.2\textwidth]{de-ueberweisungsformular.png} + \vfill +\end{frame} + + +\begin{frame}[fragile]{Benefits of {\tt payto://}} + \begin{itemize} + \item Standardized way to represent financial resources (bank account, bitcoin wallet) + and payments to them + \item Useful on the client-side on the Web and for FinTech backend applications + \item Payment methods (such as IBAN, ACH, Bitcoin) are registered with + IANA and allow extra options + \end{itemize} + \begin{center} + {\bf Taler wallet can generate payto://-URI for withdraw!} + \end{center} +\end{frame} + + + +\end{document} + + + + +\begin{frame}{Taler {\tt /withdraw/sign}} +% Customer withdrawing coins with blind signatures +% \bigskip + \begin{figure}[th] + \begin{minipage}[b]{0.45\linewidth} + \begin{center} + \begin{tikzpicture}[scale = 0.4, + transform shape, + msglabel/.style = { text = Black, yshift = .3cm, + sloped, midway }, + okmsg/.style = { ->, color = MidnightBlue, thick, + >=stealth }, + rstmsg/.style = { ->, color = BrickRed, thick, + >=stealth } + ] + \node[draw = MidnightBlue, + fill = CornflowerBlue, + minimum width = .3cm, + minimum height = 10cm + ] (h1) at (-4, 0) {}; + \node[draw = MidnightBlue, + fill = CornflowerBlue, + minimum width = .3cm, + minimum height = 10cm + ] (h2) at (4, 0) {}; + \node[above = 0cm of h1] {Wallet}; + \node[above = 0cm of h2] {Exchange}; + + \path[->, color = MidnightBlue, very thick, >=stealth] + (-5, 4.5) edge + node[rotate=90, text = Black, yshift = .3cm] {Time} + (-5, -4.5); + \path[okmsg, dashed] + ($(h1.east)+(0, 4.0)+(0, -1.0)$) edge + node[msglabel] {SEPA(RK,A)} + ($(h2.west)+(0, 3.5)+(0, -1.0)$); + \path[okmsg] + ($(h1.east)+(0, -1.0)$) edge + node[msglabel] {POST {\tt /withdraw/sign} $S_{RK}(DK, B_b(C))$} + ($(h2.west)+(0, -1.5)$); + \path[okmsg] + ($(h2.west)+(0, -2.0)$) edge + node[msglabel] {200 OK: $S_{DK}(B_b(C))$)} + ($(h1.east)+(0, -2.5)$); + 
\path[rstmsg] + ($(h2.west)+(0, -3.5)$) edge + node[msglabel] {402 PAYMENT REQUIRED: $S_{RK}(DK, B_b(C))$)} + ($(h1.east)+(0, -4)$); + \node at (5.3, 0) {}; + \end{tikzpicture} + \end{center} + Result: $\langle c, S_{DK}(C) \rangle$. + \end{minipage} + \hspace{0.5cm} + \begin{minipage}[b]{0.45\linewidth} + \tiny + \begin{description} + \item[$A$] Some amount, $A \ge A_{DK}$ + \item[$RK$] Reserve key + \item[$DK$] Denomination key + \item[$b$] Blinding factor + \item[$B_b()$] RSA-FDH blinding % DK supressed + \item[$C$] Coin public key $C := cG$ + \item[$S_{RK}()$] EdDSA signature + \item[$S_{DK}()$] RSA-FDH signature + \end{description} + \end{minipage} + \end{figure} +\end{frame} + + +\begin{frame}[t]{Taler {\tt /deposit}} +Merchant and exchange see only the public coin $\langle C, S_{DK}(C) \rangle$. +\bigskip + \begin{figure}[th] + \begin{minipage}[b]{0.45\linewidth} + \begin{center} + \begin{tikzpicture}[scale = 0.4, + transform shape, + msglabel/.style = { text = Black, yshift = .3cm, + sloped, midway }, + okmsg/.style = { ->, color = MidnightBlue, thick, + >=stealth }, + rstmsg/.style = { ->, color = BrickRed, thick, + >=stealth } + ] + \node[draw = MidnightBlue, + fill = CornflowerBlue, + minimum width = .3cm, + minimum height = 10cm + ] (h1) at (-4, 0) {}; + \node[draw = MidnightBlue, + fill = CornflowerBlue, + minimum width = .3cm, + minimum height = 10cm + ] (h2) at (4, 0) {}; + \node[above = 0cm of h1] {Merchant}; + \node[above = 0cm of h2] {Exchange}; + + \path[->, color = MidnightBlue, very thick, >=stealth] + (-5, 4.5) edge + node[rotate=90, text = Black, yshift = .3cm] {Time} + (-5, -4.5); + \path[->, color = MidnightBlue, thick, >=stealth] + ($(h1.east)+(0,3)$) edge + node[text = Black, yshift = .3cm, sloped] {POST {\tt /deposit} $S_{DK}(C), S_{c}(D)$} + ($(h2.west)+(0,2)$); + \path[->, color = MidnightBlue, thick, >=stealth] + ($(h2.west)+(0,0.5)$) edge + node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(S_{c}(D))$} + 
($(h1.east)+(0,-0.5)$); + \path[rstmsg] + ($(h2.west)+(0, -2.5)$) edge + node[msglabel] {409 CONFLICT: $S_{c}(D')$} + ($(h1.east)+(0, -3.5)$); + \node at (5.3, 0) {}; + \end{tikzpicture} + \end{center} + \end{minipage} + \hspace{0.5cm} + \begin{minipage}[b]{0.45\linewidth} + \tiny + \begin{description} + \item[$DK$] Denomination key + \item[$S_{DK}()$] RSA-FDH signature using $DK$ + \item[$c$] Private coin key, $C := cG$. + \item[$S_{C}()$] EdDSA signature using $c$ + \item[$D$] Deposit details + \item[$SK$] Exchange's signing key + \item[$S_{SK}()$] EdDSA signature using $SK$ + \item[$D'$] Conficting deposit details $D' \not= D$ + \end{description} + \end{minipage} + \end{figure} +\end{frame} + + +\begin{frame}{Taler {\tt /refresh/melt}} + \begin{figure}[th] + \begin{minipage}[b]{0.45\linewidth} + \begin{center} + \begin{tikzpicture}[scale = 0.4, + transform shape, + msglabel/.style = { text = Black, yshift = .3cm, + sloped, midway }, + okmsg/.style = { ->, color = MidnightBlue, thick, + >=stealth }, + rstmsg/.style = { ->, color = BrickRed, thick, + >=stealth } + ] + \node[draw = MidnightBlue, + fill = CornflowerBlue, + minimum width = .3cm, + minimum height = 10cm + ] (h1) at (-4, 0) {}; + \node[draw = MidnightBlue, + fill = CornflowerBlue, + minimum width = .3cm, + minimum height = 10cm + ] (h2) at (4, 0) {}; + \node[above = 0cm of h1] {Customer}; + \node[above = 0cm of h2] {Exchange}; + + \path[->, color = MidnightBlue, very thick, >=stealth] + (-5, 4.5) edge + node[rotate=90, text = Black, yshift = .3cm] {Time} + (-5, -4.5); + \path[->, color = MidnightBlue, thick, >=stealth] + ($(h1.east)+(0,3)$) edge + node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/melt} $S_{DK}(C), S_c({\cal DK}, {\cal T},{\cal B})$} + ($(h2.west)+(0,2)$); + \path[->, color = MidnightBlue, thick, >=stealth] + ($(h2.west)+(0,0.5)$) edge + node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(H({\cal T}, {\cal B}),\gamma)$} + ($(h1.east)+(0,-0.5)$); + \path[rstmsg] + 
($(h2.west)+(0, -2.5)$) edge + node[msglabel] {409 CONFLICT: $S_{C}(X), \ldots$} + ($(h1.east)+(0, -3.5)$); + \node at (5.3, 0) {}; + \end{tikzpicture} + \end{center} + \end{minipage} + \hspace{0.5cm} + \begin{minipage}[b]{0.45\linewidth} + \tiny + \begin{description} + \item[$\kappa$] System-wide security parameter, usually 3. + \\ \smallskip + \item[$\cal DK$] $:= [DK^{(i)}]_i$ \\ List of denomination keys \\ + $D + \sum_i A_{DK^{(i)}} < A_{DK}$ + \item[$t_j$] Random scalar for $j<\kappa$ + \item[${\cal T}$] $:= [T_j]_\kappa$ where $T_j = t_j G$ + \item[$k_j$] $:= c T_j = t_j C$ is an ECDHE + \item[$b_j^{(i)}$] $:= KDF_b(k_j,i)$ % blinding factor + \item[$c_j^{(i)}$] $:= KDF_c(k_j,i)$ % coin secret keys + \item[$C_j^{(i)}$] $: = c_j^{(i)} G$ % new coin publics % keys + \item[${\cal B}$] $:= [H( \beta_j )]_\kappa$ where \\ + $\beta_j := \left[ B_{b_j^{(i)}}(C_j^{(i)}) \right]_i$ + \\ \smallskip + \item[$\gamma$] Random value in $[0,\kappa)$ +% \\ \smallskip +% \item[$X$] Deposit or refresh + \end{description} + \end{minipage} + \end{figure} +\end{frame} + + +\begin{frame}{Taler {\tt /refresh/reveal}} + \begin{figure}[th] + \begin{minipage}[b]{0.45\linewidth} + \begin{center} + \begin{tikzpicture}[scale = 0.4, + transform shape, + msglabel/.style = { text = Black, yshift = .3cm, + sloped, midway }, + okmsg/.style = { ->, color = MidnightBlue, thick, + >=stealth }, + rstmsg/.style = { ->, color = BrickRed, thick, + >=stealth } + ] + \node[draw = MidnightBlue, + fill = CornflowerBlue, + minimum width = .3cm, + minimum height = 10cm + ] (h1) at (-4, 0) {}; + \node[draw = MidnightBlue, + fill = CornflowerBlue, + minimum width = .3cm, + minimum height = 10cm + ] (h2) at (4, 0) {}; + \node[above = 0cm of h1] {Customer}; + \node[above = 0cm of h2] {Exchange}; + + \path[->, color = MidnightBlue, very thick, >=stealth] + (-5, 4.5) edge + node[rotate=90, text = Black, yshift = .3cm] {Time} + (-5, -4.5); + \path[->, color = MidnightBlue, thick, >=stealth] + 
($(h1.east)+(0,3)$) edge + node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/reveal} $H({\cal T}, {\cal B}), {\tilde{\cal T}}, \beta_\gamma$} + ($(h2.west)+(0,2)$); + \path[->, color = MidnightBlue, thick, >=stealth] + ($(h2.west)+(0,0.5)$) edge + node[text = Black, yshift = .3cm, sloped] {200 OK: $\cal S$} + ($(h1.east)+(0,-0.5)$); + \path[rstmsg] + ($(h2.west)+(0, -2.5)$) edge + node[msglabel] {400 BAD REQUEST: $Z$} + ($(h1.east)+(0, -3.5)$); + \node at (5.3, 0) {}; + \end{tikzpicture} + \end{center} + \end{minipage} + \hspace{0.5cm} + \begin{minipage}[b]{0.45\linewidth} + \tiny + \begin{description} + \item[$\cal DK$] $:= [DK^{(i)}]_i$ + \item[$t_j$] .. \\ \smallskip + + \item[$\tilde{\cal T}$] $:= [t_j | j \in \kappa, j \neq \gamma]$ \\ \smallskip + + \item[$k_\gamma$] $:= c T_\gamma = t_\gamma C$ + \item[$b_\gamma^{(i)}$] $:= KDF_b(k_\gamma,i)$ + \item[$c_\gamma^{(i)}$] $:= KDF_c(k_\gamma,i)$ + \item[$C_\gamma^{(i)}$] $: = c_\gamma^{(i)} G$ + + \item[$B_\gamma^{(i)}$] $:= B_{b_\gamma^{(i)}}(C_\gamma^{(i)})$ + \item[$\beta_\gamma$] $:= \big[ B_\gamma^{(i)} \big]_i$ + \item[$\cal S$] $:= \left[ S_{DK^{(i)}}( B_\gamma^{(i)} ) \right]_i$ \\ \smallskip + + \item[$Z$] Cut-and-choose missmatch information + \end{description} + \end{minipage} + \end{figure} +\end{frame} + + +\begin{frame}{Taler {\tt /refresh/link}} + \begin{figure}[th] + \begin{minipage}[b]{0.45\linewidth} + \begin{center} + \begin{tikzpicture}[scale = 0.4, + transform shape, + msglabel/.style = { text = Black, yshift = .3cm, + sloped, midway }, + okmsg/.style = { ->, color = MidnightBlue, thick, + >=stealth }, + rstmsg/.style = { ->, color = BrickRed, thick, + >=stealth } + ] + \node[draw = MidnightBlue, + fill = CornflowerBlue, + minimum width = .3cm, + minimum height = 10cm + ] (h1) at (-4, 0) {}; + \node[draw = MidnightBlue, + fill = CornflowerBlue, + minimum width = .3cm, + minimum height = 10cm + ] (h2) at (4, 0) {}; + \node[above = 0cm of h1] {Customer}; + \node[above = 0cm of h2] 
{Exchagne}; + + \path[->, color = MidnightBlue, very thick, >=stealth] + (-5, 4.5) edge + node[rotate=90, text = Black, yshift = .3cm] {Time} + (-5, -4.5); + \path[->, color = MidnightBlue, thick, >=stealth] + ($(h1.east)+(0,3)$) edge + node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/link} $C$} + ($(h2.west)+(0,2)$); + \path[->, color = MidnightBlue, thick, >=stealth] + ($(h2.west)+(0,0.5)$) edge + node[text = Black, yshift = .3cm, sloped] {200 OK: $T_\gamma$} + ($(h1.east)+(0,-0.5)$); + \path[rstmsg] + ($(h2.west)+(0, -2.5)$) edge + node[msglabel] {404 NOT FOUND} + ($(h1.east)+(0, -3.5)$); + \node at (5.3, 0) {}; + \end{tikzpicture} + \end{center} + \end{minipage} + \hspace{0.5cm} + \begin{minipage}[b]{0.45\linewidth} + \tiny + \begin{description} + \item[$C$] Old coind public key \\ \smallskip + \item[$T_\gamma$] Linkage data $\cal L$ at $\gamma$ + \end{description} + \end{minipage} + \end{figure} +\end{frame} + + +\begin{frame}{Operational security} + \begin{center} + \resizebox{\textwidth}{!}{ +\begin{tikzpicture}[ + font=\sffamily, + every matrix/.style={ampersand replacement=\&,column sep=2cm,row sep=2cm}, + source/.style={draw,thick,rounded corners,fill=green!20,inner sep=.3cm}, + process/.style={draw,thick,circle,fill=blue!20}, + sink/.style={source,fill=green!20}, + datastore/.style={draw,very thick,shape=datastore,inner sep=.3cm}, + dots/.style={gray,scale=2}, + to/.style={->,>=stealth',shorten >=1pt,semithick,font=\sffamily\footnotesize}, + every node/.style={align=center}] + + % Position the nodes using a matrix layout + \matrix{ + \node[source] (wallet) {Wallet}; + \& \node[process] (browser) {Browser}; + \& \node[process] (shop) {Web shop}; + \& \node[sink] (backend) {Taler backend}; \\ + }; + + % Draw the arrows between the nodes and label them. 
+ \draw[to] (browser) to[bend right=50] node[midway,above] {(4) signed contract}
+ node[midway,below] {(signal)} (wallet);
+ \draw[to] (wallet) to[bend right=50] node[midway,above] {(signal)}
+ node[midway,below] {(5) signed coins} (browser);
+ \draw[<->] (browser) -- node[midway,above] {(3,6) custom}
+ node[midway,below] {(HTTPS)} (shop);
+ \draw[to] (shop) to[bend right=50] node[midway,above] {(HTTPS)}
+ node[midway,below] {(1) proposed contract / (7) signed coins} (backend);
+ \draw[to] (backend) to[bend right=50] node[midway,above] {(2) signed contract / (8) confirmation}
+ node[midway,below] {(HTTPS)} (shop);
+\end{tikzpicture}
+}
+\end{center}
+\end{frame} |