\pdfminorversion=3 \documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer} \usepackage{amsmath} \usepackage{multimedia} \usepackage[utf8]{inputenc} \usepackage{framed,color,ragged2e} \usepackage[absolute,overlay]{textpos} \definecolor{shadecolor}{rgb}{0.8,0.8,0.8} \usetheme{boxes} \setbeamertemplate{navigation symbols}{} \usepackage{xcolor} \usepackage{tikz,eurosym} \usepackage[normalem]{ulem} \usepackage{listings} % CSS \lstdefinelanguage{CSS}{ basicstyle=\ttfamily\scriptsize, keywords={color,background-image:,margin,padding,font,weight,display,position,top,left,right,bottom,list,style,border,size,white,space,min,width, transition:, transform:, transition-property, transition-duration, transition-timing-function}, sensitive=true, morecomment=[l]{//}, morecomment=[s]{/*}{*/}, morestring=[b]', morestring=[b]", alsoletter={:}, alsodigit={-} } % JavaScript \lstdefinelanguage{JavaScript}{ basicstyle=\ttfamily\scriptsize, morekeywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break}, morecomment=[s]{/*}{*/}, morecomment=[l]//, morestring=[b]", morestring=[b]' } \lstdefinelanguage{HTML5}{ basicstyle=\ttfamily\scriptsize, language=html, sensitive=true, alsoletter={<>=-}, morecomment=[s]{}, tag=[s], otherkeywords={ % General >, % Standard tags , % body , % Paragraphs , % scripts , , , , , }, ndkeywords={ % General =, % HTML attributes charset=, src=, id=, width=, height=, style=, type=, rel=, href=, % SVG attributes fill=, attributeName=, begin=, dur=, from=, to=, poster=, controls=, x=, y=, repeatCount=, xlink:href=, % CSS properties margin:, padding:, background-image:, border:, top:, left:, position:, width:, height:, % CSS3 properties transform:, -moz-transform:, -webkit-transform:, animation:, -webkit-animation:, transition:, transition-duration:, transition-property:, transition-timing-function:, } } \lstdefinelanguage{JavaScript}{ basicstyle=\ttfamily\scriptsize, keywords={typeof, new, true, 
false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break, for}, keywordstyle=\color{blue}\bfseries, ndkeywords={class, export, boolean, throw, implements, import, this}, ndkeywordstyle=\color{darkgray}\bfseries, identifierstyle=\color{black}, sensitive=false, comment=[l]{//}, morecomment=[s]{/*}{*/}, commentstyle=\color{purple}\ttfamily, stringstyle=\color{red}\ttfamily, morestring=[b]', morestring=[b]" } \usetikzlibrary{shapes,arrows} \usetikzlibrary{positioning} \usetikzlibrary{calc} \title{Surviving Private Key Compromise in Electronic Payment Systems} %\subtitle{}
\setbeamertemplate{navigation symbols}{\includegraphics[width=1cm]{inria.pdf} \includegraphics[width=0.5cm]{gnu.png} \includegraphics[width=3cm]{bfh.png}\hfill} %\setbeamercovered{transparent=1}
\author[C. Grothoff]{J. Burdges, F. Dold, {\bf C. Grothoff}, M. Stanisci} \date{\today} \institute{The GNU Project} \begin{document} \justifying \begin{frame} \begin{center} {\bf Surviving Private Key Compromise in Electronic Payment Systems} \vfill \LARGE {\bf GNU} \vfill % \includegraphics[width=0.66\textwidth]{logo-2017-fr.pdf}
\includegraphics[width=0.66\textwidth]{taler-logo-2018.pdf} \vfill \vfill \end{center} \begin{textblock*}{4cm}(.5cm,6.5cm) % {block width} (coords)
{\Large {\bf \url{taler.net}} \\ IRC{\bf \#taler} \\ {\small (on freenode)} \\ twitter@taler \\ mail@taler.net } \end{textblock*} % Substitute based on who is giving the talk!
\begin{textblock*}{6cm}(6.7cm,7.7cm) % {block width} (coords)
{\hfill {\Large {\bf Florian Dold \&} \\ \hfill {\bf Christian Grothoff}} \\ \hfill \{dold,grothoff\}@taler.net } \end{textblock*} \end{frame} \section{payto://} \begin{frame}{Prelude: \texttt{draft-dold-payto}} \vfill \begin{center} {\huge payto://} \end{center} \vfill {\small See also: \\ \url{https://www.iana.org/assignments/uri-schemes/uri-schemes.xhtml}} \vfill \end{frame} \begin{frame}{} \vfill \includegraphics[width=0.5\textwidth]{einzahlschein-ch.jpeg} \hfill \includegraphics[width=0.4\textwidth]{de-ueberweisungsformular.png} \vfill \end{frame} % FIXME: Start with payto:// (warm-up!)
\begin{frame}[fragile]{\texttt{payto:} Uniform Identifiers for Payments and Accounts} \vfill Like \texttt{mailto:}, but for bank accounts instead of email accounts! \vfill
\begin{verbatim}
payto://<method>/<account>
       ?subject=InvoiceNr42
       &amount=EUR:12.50
\end{verbatim}
\vfill Default action: Open app to review and confirm payment. (The app, not the page that supplied the URI, must display payee and amount before confirmation: a \texttt{payto:} link may come from an untrusted source.) \vfill \end{frame} \begin{frame}[fragile]{Benefits of Payto} \begin{itemize} \item Standardized way to represent financial resources (bank account, bitcoin wallet) and payments to them \item Useful on the client-side on the Web and for FinTech backend applications \item Payment methods (such as IBAN, ACH, Bitcoin) are registered with IANA and allow extra options \end{itemize} \end{frame} \begin{frame}{GNU Taler} \vfill \begin{center} {\huge {\bf Digital} cash, made \textbf{socially responsible}.} \end{center} \vfill \begin{center} \includegraphics[scale=1.5]{taler-logo-2018.pdf} \end{center} \vfill \begin{center} Privacy-Preserving, Practical, Taxable, Free Software, Efficient \end{center} \vfill \vfill \ %
\end{frame} \section{What is Taler?} \begin{frame}{What is Taler?} \vfill \begin{center} Taler is an electronic instant payment system suitable for a CBEC.
\end{center} \begin{itemize} \item Uses electronic coins stored in {\bf wallets} on customer's device \item Like {\bf cash} \item Pay in {\bf existing currencies} (e.g.\ EUR, USD, BTC) \end{itemize} \vfill \end{frame} \begin{frame} \frametitle{Taler Overview} \begin{center} \begin{tikzpicture} \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em]; \node (origin) at (0,0) {}; \node (exchange) [def,above=of origin,draw]{Exchange}; \node (customer) [def, draw, below left=of origin] {Customer}; \node (merchant) [def, draw, below right=of origin] {Merchant}; \node (auditor) [def, draw, above right=of origin]{Auditor}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (customer) -- (exchange) node [midway, above, sloped] (TextNode) {withdraw coins}; \draw [<-, C] (exchange) -- (merchant) node [midway, above, sloped] (TextNode) {deposit coins}; \draw [<-, C] (merchant) -- (customer) node [midway, above, sloped] (TextNode) {spend coins}; \draw [<-, C] (exchange) -- (auditor) node [midway, above, sloped] (TextNode) {verify}; \end{tikzpicture} \end{center} \end{frame} \begin{frame} \frametitle{Architecture of Taler} \begin{center} \includegraphics[width=0.9\textwidth]{operations.png} $\Rightarrow$ Convenient, taxable, privacy-enhancing, \& resource friendly! \end{center} \end{frame} \begin{frame}{How does it work?} We use a few ancient constructions: \begin{itemize} \item Cryptographic hash function (1989) \item Blind signature (1983) \item Schnorr signature (1989) \item Diffie-Hellman key exchange (1976) \item Cut-and-choose zero-knowledge proof (1985) \end{itemize} But of course we use modern instantiations. \end{frame} \begin{frame}{Exchange setup: Create a denomination key (RSA)} \begin{minipage}{6cm} \begin{enumerate} \item Pick two large random primes $p,q$. \item Compute $n := pq$, $\phi(n) = (p-1)(q-1)$ \item Pick small $e < \phi(n)$ with $\gcd(e,\phi(n)) = 1$, so that $d := e^{-1} \mod \phi(n)$ exists. \item Publish public key $(e,n)$; $d$ (and $p$, $q$) stay private to the exchange.
\end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance=1em and 1em, inner sep=0em, outer sep=.3em]; \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (primes) [draw=none, below = of origin] at (0,0) {$(p, q)$}; \node (seal) [def, draw=none, below left=of primes]{\includegraphics[width=0.15\textwidth]{seal.pdf}}; \node (hammer) [def, draw=none, below right=of primes]{\includegraphics[width=0.15\textwidth]{hammer.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (primes) -- (origin) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (hammer) -- (primes) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} % \includegraphics[width=0.4\textwidth]{seal.pdf}
\end{minipage} \end{frame} \begin{frame}{Merchant: Create a signing key (EdDSA)} \begin{minipage}{6cm} \begin{itemize} \item Pick random $m \mod o$ as private key ($o$: order of the group generated by $G$) \item $M = mG$ public key \end{itemize} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em]; \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (m) [draw=none, below = of origin] at (0,0) {$m$}; \node (seal) [draw=none, below=of m]{M}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (m) -- (origin) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (seal) -- (m) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \parbox[t]{3cm}{{\bf Capability:} $m \Rightarrow$ } \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{merchant-sign.pdf}} \end{frame} \begin{frame}{Customer: Create a planchet (EdDSA)} \begin{minipage}{8cm} \begin{itemize} \item Pick random $c \mod o$ private key \item $C = cG$ public key \end{itemize} \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture}
\tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em]; \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (c) [draw=none, below = of origin] at (0,0) {$c$}; \node (planchet) [draw=none, below=of c]{\includegraphics[width=0.4\textwidth]{planchet.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (c) -- (origin) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (planchet) -- (c) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \parbox[t]{3cm}{{\bf Capability:} $c \Rightarrow$ } \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{planchet-sign.pdf}} \end{frame} \begin{frame}{Customer: Blind planchet (RSA)} \begin{minipage}{6cm} \begin{enumerate} \item Obtain public key $(e,n)$ \item Compute $f := FDH(C)$, $f < n$ (full-domain hash: $f$ ranges over all of $\mathbb Z_n$). \item Pick random blinding factor $b \in \mathbb Z_n^*$ (must be invertible mod $n$, since $b^{-1}$ is needed to unblind; $b$ stays secret and is what hides $C$ from the exchange) \item Transmit $f' := f b^e \mod n$ \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (b) [def, draw=none, below = of origin] at (0,-0.2) {$b$}; \node (blinded) [def, draw=none, below right=of b]{\includegraphics[width=0.2\textwidth]{blinded.pdf}}; \node (planchet) [def, draw=none, above right=of blinded]{\includegraphics[width=0.15\textwidth]{planchet.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Exchange: Blind sign (RSA)}
\begin{minipage}{6cm} \begin{enumerate} \item Receive $f'$. \item Compute $s' := f'^d \mod n$. \item Send signature $s'$. \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}}; \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}}; \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Customer: Unblind coin (RSA)} \begin{minipage}{6cm} \begin{enumerate} \item Receive $s'$. \item Compute $s := s' b^{-1} \mod n$ % \\ % ($(f')^d = (f b^e)^d = f^d b$). 
\end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (b) [def, draw=none] at (0,0) {$b$}; \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Customer: Build shopping cart} \begin{center} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em]; \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{shop.pdf}}; \node (cart) [draw=none, below=of origin]{\includegraphics[width=0.2\textwidth]{cart.pdf}}; \node (merchant) [node distance=4em and 0.5em, draw, below =of cart]{Merchant}; \tikzstyle{C} = [color=black, line width=1pt]; \draw [<-, C] (cart) -- (origin) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (merchant) -- (cart) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{center} \end{frame} \begin{frame}{Merchant: Propose contract (EdDSA)} \begin{minipage}{6cm} \begin{enumerate} \item Complete proposal $D$.
\item Send $D$, $EdDSA_m(D)$ \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (cart) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{cart.pdf}}; \node (proposal) [def, draw=none, below right=of cart]{\includegraphics[width=0.5\textwidth]{merchant_propose.pdf}}; \node (customer) [node distance=4em and 0.5em, draw, below =of proposal]{Customer}; \tikzstyle{C} = [color=black, line width=1pt]; \node (sign) [def, draw=none, above right=of proposal] {$m$}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (proposal) -- (sign) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (proposal) -- (cart) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (customer) -- (proposal) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Customer: Spend coin (EdDSA)} \begin{minipage}{6cm} \begin{enumerate} \item Receive proposal $D$, $EdDSA_m(D)$. 
\item Send $s$, $C$, $EdDSA_c(D)$ (the coin's RSA signature, its public key, and a deposit permission signed with $c$) \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance=2em and 0.4em, inner sep=0em, outer sep=.3em]; \node (proposal) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}}; \node (contract) [def, draw=none, below right=of proposal]{\includegraphics[width=0.3\textwidth]{contract.pdf}}; \node (c) [def, draw=none, above=of contract] {$c$}; \node (merchant) [node distance=4em and 0.5em, draw, below=of contract]{Merchant}; \node (coin) [def, draw=none, right=of contract]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (contract) -- (proposal) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (merchant) -- (contract) node [midway, above, sloped] (TextNode) {{\small transmit}}; \draw [<-, C] (merchant) -- (coin) node [midway, below, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Merchant and Exchange: Verify coin (RSA)} \begin{minipage}{6cm} \begin{equation*} s^e \stackrel{?}{\equiv} FDH(C) \mod n \end{equation*} \end{minipage} \begin{minipage}{6cm} \begin{minipage}{0.2\textwidth} \includegraphics[width=\textwidth]{coin.pdf} \end{minipage} $\stackrel{?}{\Leftrightarrow}$ \begin{minipage}{0.2\textwidth} \includegraphics[width=\textwidth]{seal.pdf} \end{minipage} \end{minipage} \vfill {\small Both also check $EdDSA_c(D)$ against $C$ (proof that the spender holds $c$). A valid coin signature alone does not rule out {\em double-spending}: only the exchange, which records every deposited $C$, can detect that.} \end{frame} \begin{frame}{Warranting deposit safety} Exchange has {\em another} online signing key $W = wG$: \begin{center} Sends $E$ together with the {\em deposit confirmation} $EdDSA_w(M,H(D),FDH(C))$ to the merchant. \end{center} This signature means that $M$ was the {\em first} to deposit $C$ and that the exchange thus must pay $M$. \begin{center} Without this, an evil exchange could renege on the deposit confirmation and claim double-spending if a coin were deposited twice, and then not pay either merchant!
\end{center} \end{frame} \begin{frame}{Online keys} \begin{itemize} \item The exchange needs $d$ and $w$ to be available for online signing. \item The corresponding public keys $W$ and $(e,n)$ are certified using Taler's public key infrastructure (which uses offline-only keys). \item The following slides address compromise of these {\em online} keys only; the offline keys of the PKI are assumed to stay secret. \end{itemize} \begin{center} \includegraphics[width=0.5\textwidth]{taler-diagram-signatures.png} \end{center} \vfill \begin{center} {\bf What happens if those private keys are compromised?} \end{center} \vfill \end{frame} \begin{frame}{Denomination key $(e,n)$ compromise} \begin{itemize} \item An attacker who learns $d$ can sign an arbitrary number of illicit coins into existence and deposit them. \item Auditor and exchange can detect this once the total number of coins deposited under $(e,n)$ (illicit and legitimate) exceeds the number of blind signatures the exchange recorded issuing with $d$. \item At this point, $(e,n)$ is {\em revoked}. Users of {\em unspent} legitimate coins reveal $b$ from their withdrawal operation and obtain a {\em refund} (revealing $b$ ties $C$ to a recorded withdrawal via $f' = FDH(C)\,b^e$, at the cost of that coin's unlinkability). \item The financial loss of the exchange is {\em bounded} by the number of legitimate coins signed with $d$ (times the denomination's value). \item[$\Rightarrow$] Taler frequently rotates denomination signing keys and securely erases $d$ once the signing period of the respective key ends, capping the exposure of any single key; $(e,n)$ remains available so that already-issued coins can still be verified. \end{itemize} \begin{center} \includegraphics[width=0.5\textwidth]{taler-diagram-denom-expiration.png} \end{center} \end{frame} \begin{frame}{Online signing key $W$ compromise} \begin{itemize} \item An attacker who learns $w$ can sign deposit confirmations (but not coins). \item Attacker sets up two (or more) merchants and customer(s) which double-spend legitimate coins at both merchants. \item The merchants only deposit each coin once at the exchange and get paid once. \item The attacker then uses $w$ to fake deposit confirmations for the double-spent transactions. \item The attacker uses the faked deposit confirmations to complain to the auditor that the exchange did not honor the (faked) deposit confirmations.
\end{itemize} The auditor can then detect the double-spending, but cannot tell who is to blame, and (likely) would presume an evil exchange, forcing it to pay both merchants. \end{frame} \begin{frame}{Detecting online signing key $W$ compromise} \begin{itemize} \item Merchants are required to {\em probabilistically} report signed deposit confirmations to the auditor. \item Auditor can thus detect deposit confirmations the exchange has no record of, whether the exchange is hiding deposits or the confirmations were forged with a leaked $w$. \item[$\Rightarrow$] Exchange can revoke $W$ and rekey once illicit key use is detected; it then only has to honor deposit confirmations it already provided to the auditor {\em and} those without proof of double-spending {\em and} those that merchants reported to the auditor. \item[$\Rightarrow$] Merchants that do not participate in reporting to the auditor risk their deposit permissions being voided in cases of an exchange's private key being compromised. \end{itemize} \end{frame} \begin{frame}{Summary and further reading} \begin{itemize} \item We can design protocols that fail {\em soft}. \item GNU Taler's design limits financial damage even when its online private keys are compromised. \item GNU Taler does more: \begin{itemize} \item Gives change, can provide refunds \item Integrates nicely with HTTP, handles network failures \item High performance \item Free Software \item Formal security proofs \end{itemize} \begin{center} \includegraphics[width=0.5\textwidth]{provable-security.png} \end{center} \item More information at \url{https://taler.net/}. \end{itemize} \end{frame} \begin{frame}{How to support?} \begin{itemize} \item GNU, TUM, INRIA and BFH are {\em not} banks. \item We created Taler Systems SA for commercial support and development of GNU Taler. \item We are in discussions with central banks, commercial banks, suppliers, merchants and various Free Software projects to get GNU Taler into operation. \item More banking partners and venture capital would be welcome. \end{itemize} \begin{center} Talk to us!
\end{center} \end{frame} \begin{frame} \frametitle{Do you have any questions?} \vfill References: {\tiny \begin{enumerate} \item{Christian Grothoff, Bart Polot and Carlo von Loesch. {\em The Internet is broken: Idealistic Ideas for Building a GNU Network}. {\bf W3C/IAB Workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT)}, 2014.} \item{Jeffrey Burdges, Florian Dold, Christian Grothoff and Marcello Stanisci. {\em Enabling Secure Web Payments with GNU Taler}. {\bf SPACE 2016}.} \item{Florian Dold, Sree Harsha Totakura, Benedikt M\"uller, Jeffrey Burdges and Christian Grothoff. {\em Taler: Taxable Anonymous Libre Electronic Reserves}. Available upon request. 2016.} \item{Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer and Madars Virza. {\em Zerocash: Decentralized Anonymous Payments from Bitcoin}. {\bf IEEE Symposium on Security \& Privacy, 2016}.} \item{David Chaum, Amos Fiat and Moni Naor. {\em Untraceable electronic cash}. {\bf Proceedings on Advances in Cryptology, 1990}.} \item{Phillip Rogaway. {\em The Moral Character of Cryptographic Work}. {\bf Asiacrypt}, 2015.} \label{bib:rogaway} \item{Florian Dold. {\em The GNU Taler System: Practical and Provably Secure Electronic Payments}. {\bf PhD thesis. 
University of Rennes 1}, 2019.} \label{bib:dold} \end{enumerate} } \end{frame} \end{document} \begin{frame}{Taler {\tt /withdraw/sign}} % Customer withdrawing coins with blind signatures % \bigskip \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Wallet}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[okmsg, dashed] ($(h1.east)+(0, 4.0)+(0, -1.0)$) edge node[msglabel] {SEPA(RK,A)} ($(h2.west)+(0, 3.5)+(0, -1.0)$); \path[okmsg] ($(h1.east)+(0, -1.0)$) edge node[msglabel] {POST {\tt /withdraw/sign} $S_{RK}(DK, B_b(C))$} ($(h2.west)+(0, -1.5)$); \path[okmsg] ($(h2.west)+(0, -2.0)$) edge node[msglabel] {200 OK: $S_{DK}(B_b(C))$)} ($(h1.east)+(0, -2.5)$); \path[rstmsg] ($(h2.west)+(0, -3.5)$) edge node[msglabel] {402 PAYMENT REQUIRED: $S_{RK}(DK, B_b(C))$)} ($(h1.east)+(0, -4)$); \node at (5.3, 0) {}; \end{tikzpicture} \end{center} Result: $\langle c, S_{DK}(C) \rangle$. 
\end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$A$] Some amount, $A \ge A_{DK}$ \item[$RK$] Reserve key \item[$DK$] Denomination key \item[$b$] Blinding factor \item[$B_b()$] RSA-FDH blinding % DK supressed \item[$C$] Coin public key $C := cG$ \item[$S_{RK}()$] EdDSA signature \item[$S_{DK}()$] RSA-FDH signature \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}[t]{Taler {\tt /deposit}} Merchant and exchange see only the public coin $\langle C, S_{DK}(C) \rangle$. \bigskip \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Merchant}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[->, color = MidnightBlue, thick, >=stealth] ($(h1.east)+(0,3)$) edge node[text = Black, yshift = .3cm, sloped] {POST {\tt /deposit} $S_{DK}(C), S_{c}(D)$} ($(h2.west)+(0,2)$); \path[->, color = MidnightBlue, thick, >=stealth] ($(h2.west)+(0,0.5)$) edge node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(S_{c}(D))$} ($(h1.east)+(0,-0.5)$); \path[rstmsg] ($(h2.west)+(0, -2.5)$) edge node[msglabel] {409 CONFLICT: $S_{c}(D')$} ($(h1.east)+(0, -3.5)$); \node at (5.3, 0) {}; \end{tikzpicture} \end{center} \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$DK$] Denomination key \item[$S_{DK}()$] RSA-FDH signature using $DK$ \item[$c$] 
Private coin key, $C := cG$. \item[$S_{c}()$] EdDSA signature using $c$ \item[$D$] Deposit details \item[$SK$] Exchange's signing key \item[$S_{SK}()$] EdDSA signature using $SK$ \item[$D'$] Conflicting deposit details $D' \not= D$ (proof of double-spending: the exchange already holds a deposit of $C$ under different details) \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}{Taler {\tt /refresh/melt}} \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Customer}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[->, color = MidnightBlue, thick, >=stealth] ($(h1.east)+(0,3)$) edge node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/melt} $S_{DK}(C), S_c({\cal DK}, {\cal T},{\cal B})$} ($(h2.west)+(0,2)$); \path[->, color = MidnightBlue, thick, >=stealth] ($(h2.west)+(0,0.5)$) edge node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(H({\cal T}, {\cal B}),\gamma)$} ($(h1.east)+(0,-0.5)$); \path[rstmsg] ($(h2.west)+(0, -2.5)$) edge node[msglabel] {409 CONFLICT: $S_{c}(X), \ldots$} ($(h1.east)+(0, -3.5)$); \node at (5.3, 0) {}; \end{tikzpicture} \end{center} \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$\kappa$] System-wide security parameter, usually 3.
\\ \smallskip \item[$\cal DK$] $:= [DK^{(i)}]_i$ \\ List of denomination keys \\ $D + \sum_i A_{DK^{(i)}} < A_{DK}$ \item[$t_j$] Random scalar for $j<\kappa$ \item[${\cal T}$] $:= [T_j]_\kappa$ where $T_j = t_j G$ \item[$k_j$] $:= c T_j = t_j C$ is an ECDHE \item[$b_j^{(i)}$] $:= KDF_b(k_j,i)$ % blinding factor \item[$c_j^{(i)}$] $:= KDF_c(k_j,i)$ % coin secret keys \item[$C_j^{(i)}$] $: = c_j^{(i)} G$ % new coin publics % keys \item[${\cal B}$] $:= [H( \beta_j )]_\kappa$ where \\ $\beta_j := \left[ B_{b_j^{(i)}}(C_j^{(i)}) \right]_i$ \\ \smallskip \item[$\gamma$] Random value in $[0,\kappa)$ % \\ \smallskip % \item[$X$] Deposit or refresh \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}{Taler {\tt /refresh/reveal}} \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Customer}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[->, color = MidnightBlue, thick, >=stealth] ($(h1.east)+(0,3)$) edge node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/reveal} $H({\cal T}, {\cal B}), {\tilde{\cal T}}, \beta_\gamma$} ($(h2.west)+(0,2)$); \path[->, color = MidnightBlue, thick, >=stealth] ($(h2.west)+(0,0.5)$) edge node[text = Black, yshift = .3cm, sloped] {200 OK: $\cal S$} ($(h1.east)+(0,-0.5)$); \path[rstmsg] ($(h2.west)+(0, -2.5)$) edge node[msglabel] {400 BAD REQUEST: $Z$} ($(h1.east)+(0, -3.5)$); \node at 
(5.3, 0) {}; \end{tikzpicture} \end{center} \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$\cal DK$] $:= [DK^{(i)}]_i$ \item[$t_j$] .. \\ \smallskip \item[$\tilde{\cal T}$] $:= [t_j | j < \kappa, j \neq \gamma]$ \\ \smallskip \item[$k_\gamma$] $:= c T_\gamma = t_\gamma C$ \item[$b_\gamma^{(i)}$] $:= KDF_b(k_\gamma,i)$ \item[$c_\gamma^{(i)}$] $:= KDF_c(k_\gamma,i)$ \item[$C_\gamma^{(i)}$] $: = c_\gamma^{(i)} G$ \item[$B_\gamma^{(i)}$] $:= B_{b_\gamma^{(i)}}(C_\gamma^{(i)})$ \item[$\beta_\gamma$] $:= \big[ B_\gamma^{(i)} \big]_i$ \item[$\cal S$] $:= \left[ S_{DK^{(i)}}( B_\gamma^{(i)} ) \right]_i$ \\ \smallskip \item[$Z$] Cut-and-choose mismatch information: the exchange recomputes $\beta_j$ for every $j \neq \gamma$ from the revealed $t_j$ and compares against the committed $H(\beta_j)$; a customer who cheated in one of the $\kappa$ commitments is caught unless that one happens to be $\gamma$ \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}{Taler {\tt /refresh/link}} \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Customer}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[->, color = MidnightBlue, thick, >=stealth] ($(h1.east)+(0,3)$) edge node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/link} $C$} ($(h2.west)+(0,2)$); \path[->, color = MidnightBlue, thick, >=stealth] ($(h2.west)+(0,0.5)$) edge node[text = Black, yshift = .3cm, sloped] {200 OK: $T_\gamma$} ($(h1.east)+(0,-0.5)$); \path[rstmsg] ($(h2.west)+(0, -2.5)$) edge node[msglabel] {404 NOT FOUND} ($(h1.east)+(0, -3.5)$);
\node at (5.3, 0) {}; \end{tikzpicture} \end{center} \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$C$] Old coin public key \\ \smallskip \item[$T_\gamma$] Linkage data $\cal L$ at $\gamma$ \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}{Operational security} \begin{center} \resizebox{\textwidth}{!}{ \begin{tikzpicture}[ font=\sffamily, every matrix/.style={ampersand replacement=\&,column sep=2cm,row sep=2cm}, source/.style={draw,thick,rounded corners,fill=green!20,inner sep=.3cm}, process/.style={draw,thick,circle,fill=blue!20}, sink/.style={source,fill=green!20}, datastore/.style={draw,very thick,shape=datastore,inner sep=.3cm}, dots/.style={gray,scale=2}, to/.style={->,>=stealth',shorten >=1pt,semithick,font=\sffamily\footnotesize}, every node/.style={align=center}] % Position the nodes using a matrix layout
\matrix{ \node[source] (wallet) {Wallet}; \& \node[process] (browser) {Browser}; \& \node[process] (shop) {Web shop}; \& \node[sink] (backend) {Taler backend}; \\ }; % Draw the arrows between the nodes and label them.
\draw[to] (browser) to[bend right=50] node[midway,above] {(4) signed contract} node[midway,below] {(signal)} (wallet); \draw[to] (wallet) to[bend right=50] node[midway,above] {(signal)} node[midway,below] {(5) signed coins} (browser); \draw[<->] (browser) -- node[midway,above] {(3,6) custom} node[midway,below] {(HTTPS)} (shop); \draw[to] (shop) to[bend right=50] node[midway,above] {(HTTPS)} node[midway,below] {(1) proposed contract / (7) signed coins} (backend); \draw[to] (backend) to[bend right=50] node[midway,above] {(2) signed contract / (8) confirmation} node[midway,below] {(HTTPS)} (shop); \end{tikzpicture} } \end{center} {\small Only the Taler backend signs contracts (step 2), so the merchant's private key $m$ never has to be present on the web shop; the shop merely relays proposals and coins.} \end{frame}