\documentclass[fleqn,xcolor={usenames,dvipsnames},aspectratio=169]{beamer} \usepackage{amsmath} \usepackage{multimedia} \usepackage[utf8]{inputenc} \usepackage{framed,color,ragged2e} \usepackage[absolute,overlay]{textpos} \definecolor{shadecolor}{rgb}{0.8,0.8,0.8} \usetheme{boxes} \setbeamertemplate{navigation symbols}{} \usepackage{xcolor} \usepackage{tikz,eurosym} %\usepackage[normalem]{ulem} \usepackage{listings} % CSS \lstdefinelanguage{CSS}{ basicstyle=\ttfamily\scriptsize, keywords={color,background-image:,margin,padding,font,weight,display,position,top,left,right,bottom,list,style,border,size,white,space,min,width, transition:, transform:, transition-property, transition-duration, transition-timing-function}, sensitive=true, morecomment=[l]{//}, morecomment=[s]{/*}{*/}, morestring=[b]', morestring=[b]", alsoletter={:}, alsodigit={-} } % JavaScript \lstdefinelanguage{JavaScript}{ basicstyle=\ttfamily\scriptsize, morekeywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break}, morecomment=[s]{/*}{*/}, morecomment=[l]//, morestring=[b]", morestring=[b]' } \lstdefinelanguage{HTML5}{ basicstyle=\ttfamily\scriptsize, language=html, sensitive=true, alsoletter={<>=-}, morecomment=[s]{}, tag=[s], otherkeywords={ % General >, % Standard tags , % body , % Paragraphs , % scripts , , , , , }, ndkeywords={ % General =, % HTML attributes charset=, src=, id=, width=, height=, style=, type=, rel=, href=, % SVG attributes fill=, attributeName=, begin=, dur=, from=, to=, poster=, controls=, x=, y=, repeatCount=, xlink:href=, % CSS properties margin:, padding:, background-image:, border:, top:, left:, position:, width:, height:, % CSS3 properties transform:, -moz-transform:, -webkit-transform:, animation:, -webkit-animation:, transition:, transition-duration:, transition-property:, transition-timing-function:, } } \lstdefinelanguage{JavaScript}{ basicstyle=\ttfamily\scriptsize, keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break, for}, keywordstyle=\color{blue}\bfseries, ndkeywords={class, export, boolean, throw, implements, import, this}, ndkeywordstyle=\color{darkgray}\bfseries, identifierstyle=\color{black}, sensitive=false, comment=[l]{//}, morecomment=[s]{/*}{*/}, commentstyle=\color{purple}\ttfamily, stringstyle=\color{red}\ttfamily, morestring=[b]', morestring=[b]" } \usetikzlibrary{shapes,arrows} \usetikzlibrary{positioning} \usetikzlibrary{calc} \title{GNU Taler} %\subtitle{} \setbeamertemplate{navigation symbols}{\includegraphics[width=2cm]{bfh.png} \includegraphics[width=1cm]{inria.pdf} \includegraphics[width=0.5cm]{gnu.png} \includegraphics[width=0.5cm]{ashoka.png}\hfill} %\setbeamercovered{transparent=1} \author[C. Grothoff]{J. Burdges, F. Dold, {\bf C. Grothoff}, M. Stanisci} \date{\today} \institute{The GNU Project} \begin{document} \justifying \begin{frame} \begin{center} \LARGE {\bf GNU Taler} \vfill % \includegraphics[width=0.66\textwidth]{logo-2017-fr.pdf} \includegraphics[width=0.66\textwidth]{taler-logo-2018.pdf} \end{center} \begin{textblock*}{4cm}(.5cm,7.2cm) % {block width} (coords) {\Large {\bf \url{taler.net}} \\ twitter@taler } \end{textblock*} % Substitute based on who is giving the talk! \begin{textblock*}{6cm}(9.2cm,7.2cm) % {block width} (coords) {\hfill {\Large {\bf Christian Grothoff}} \\ \hfill grothoff@taler.net } \end{textblock*} \end{frame} \section{The Bank's Online Payment Problem} \begin{frame}{The Bank's Online Payment Problem} 3D secure (``verified by visa'') is a nightmare: \begin{minipage}{5cm} \begin{itemize} \item Complicated process \item Shifts liability to consumer \item Significant latency \item Can refuse valid requests \item Legal vendors excluded \item No privacy for buyers \end{itemize} \end{minipage} \begin{minipage}{5cm} \includegraphics[width=\textwidth]{illustrations/cc3ds.pdf} \end{minipage} \vfill Online credit card payments will be replaced, but with what? \end{frame} \begin{frame}{The Bank's Online Payment Problem} \vfill \begin{textblock*}{12cm}(0.5cm,1cm) % {block width} (coords) \begin{itemize} \item Global tech companies push oligopolies \item Privacy and federated finance are at risk % \item 30\% fees are conceivable \item Economic sovereingity is in danger \end{itemize} \end{textblock*} \begin{textblock*}{4cm}(3.5cm,5.2cm) % {block width} (coords) {\includegraphics[width=\textwidth]{../investors/competitor-logos/amazon.png}} \end{textblock*} \begin{textblock*}{2cm}(7cm,3cm) % {block width} (coords) {\includegraphics[width=\textwidth]{../investors/competitor-logos/alipay.jpeg}} \end{textblock*} \begin{textblock*}{2cm}(3cm,3.5cm) % {block width} (coords) {\includegraphics[width=\textwidth]{../investors/competitor-logos/paypal.jpeg}} \end{textblock*} \begin{textblock*}{2cm}(9cm,5cm) % {block width} (coords) {\includegraphics[width=\textwidth]{../investors/competitor-logos/applepay.jpeg}} \end{textblock*} \begin{textblock*}{2cm}(7.5cm,5.9cm) % {block width} (coords) {\includegraphics[width=\textwidth]{../investors/competitor-logos/samsungpay.jpeg}} \end{textblock*} \begin{textblock*}{1cm}(9.5cm,6.3cm) % {block width} (coords) {\includegraphics[width=\textwidth]{../investors/competitor-logos/android_pay.png}} \end{textblock*} \vfill \end{frame} \begin{frame}{The Distraction: Bitcoin} \begin{itemize} \item Unregulated payment system and currency: \item[] $\Rightarrow$ lack of regulation is a feature! \item Implemented in free software \item Decentralised peer-to-peer system \pause \item Decentralised banking requires solving Byzantine consensus \item Creative solution: tie initial accumulation to solving consensus \pause \item[] $\Rightarrow$ Proof-of-work advances ledger \item[] $\Rightarrow$ Very expensive banking \end{itemize} \end{frame} \begin{frame} \frametitle{\includegraphics[height=0.5cm]{pics/bitcoin.jpeg}?} \centering \noindent \includegraphics[width=\textwidth]{pics/btc-transaction-cost.pdf} Average transaction value: $\approx$ 4215 USD (on 9.8.2018) \end{frame} \begin{frame} \frametitle{\includegraphics[height=0.5cm]{pics/zerocoin.png}?} Cryptography is rather primitive: \begin{center} {\bf All Bitcoin transactions are public and linkable!} \end{center} \begin{itemize} \item[] $\Rightarrow$ no privacy guarantees \item[] $\Rightarrow$ enhanced with ``laundering'' services \end{itemize} ZeroCoin, CryptoNote (Monero) and ZeroCash (ZCash) offer anonymity. \end{frame} \begin{frame} \vfill \begin{center} {\bf Do you want to have a libertarian economy?} \end{center} \vfill \begin{center} {\bf Do you want to live under total surveillance?} \end{center} \vfill \end{frame} \begin{frame}{GNU Taler} \vfill \begin{center} {\huge {\bf Digital} cash, made \textbf{socially responsible}.} \end{center} \vfill \begin{center} \includegraphics[scale=1.5]{taler-logo-2018.pdf} \end{center} \vfill \begin{center} Privacy-Preserving, Practical, Taxable, Free Software, Efficient \end{center} \vfill \vfill \ % \end{frame} \section{What is Taler?} \begin{frame}{What is Taler?} \vfill \begin{center} Taler is an electronic instant payment system. \end{center} \begin{itemize} \item Uses electronic coins stored in {\bf wallets} on customer's device \item Like {\bf cash} \item Pay in {\bf existing currencies} (i.e. EUR, USD, BTC), \\ or use it to create new {\bf regional currencies} \end{itemize} \vfill \end{frame} \begin{frame} \frametitle{Taler Overview} \begin{center} \begin{tikzpicture} \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em]; \node (origin) at (0,0) {}; \node (exchange) [def,above=of origin,draw]{Exchange}; \node (customer) [def, draw, below left=of origin] {Customer}; \node (merchant) [def, draw, below right=of origin] {Merchant}; \node (auditor) [def, draw, above right=of origin]{Auditor}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (customer) -- (exchange) node [midway, above, sloped] (TextNode) {withdraw coins}; \draw [<-, C] (exchange) -- (merchant) node [midway, above, sloped] (TextNode) {deposit coins}; \draw [<-, C] (merchant) -- (customer) node [midway, above, sloped] (TextNode) {spend coins}; \draw [<-, C] (exchange) -- (auditor) node [midway, above, sloped] (TextNode) {verify}; \end{tikzpicture} \end{center} \end{frame} \begin{frame} % TODO: replace with simplified NEW architecture picture! \frametitle{Architecture of Taler} \begin{center} \includegraphics[width=0.9\textwidth]{illustrations/taler-arch-full.pdf} $\Rightarrow$ Convenient, taxable, privacy-enhancing, \& resource friendly! \end{center} \end{frame} \begin{frame}{Usability of Taler} \vfill \begin{center} \url{https://demo.taler.net/} \end{center} \begin{enumerate} \item Install Browser extension. \item Visit the {\tt bank.demo.taler.net} to withdraw coins. \item Visit the {\tt shop.demo.taler.net} to spend coins. \end{enumerate} \vfill \end{frame} \begin{frame}{Use Case: Journalism} Today: \begin{itemize} \item Corporate structure % ($\Rightarrow$ filter) \item Advertising primary revenue % ($\Rightarrow$ dependence) \item Tracking readers critical for business success \item Journalism and marketing hard to distinguish \end{itemize}\vfill\pause With GNU Taler: \begin{itemize} \item One-click micropayments per article \item Hosting requires no expertise % (no PCI DSS) \item Reader-funded reporting separated from marketing \item Readers can remain anonymous \end{itemize} \end{frame} \begin{frame}{Use Case: Anti-Spam} Today, p$\equiv$p provides authenticated encryption for e-mail: \begin{itemize} \item Free software \item Easy to use opportunistic encryption \item Available for Outlook, Android, Enigmail \item Spies \& spam filters can no longer inspect content \end{itemize}\vfill\pause With GNU Taler: \begin{itemize} \item Peer-to-peer payments via e-mail \item If unsolicited sender, hide messages from user \& automatically request payment from sender \item Sender can attach payment to be moved to inbox \item Receiver may grant refund to sender \end{itemize} \end{frame} \begin{frame}{Social Impact of Taler} \begin{center} \includegraphics[height=1.2\textheight]{../../social-impact.pdf} \end{center} \end{frame} \begin{frame}{Taxability} We say Taler is taxable because: \begin{itemize} \item Merchant's income is visible from deposits. \item Hash of contract is part of deposit data. \item State can trace income and enforce taxation. \end{itemize}%\pause % Limitations: % \begin{itemize} % \item withdraw loophole % \item {\em sharing} coins among family and friends % \end{itemize} \end{frame} \begin{frame}{How does it work?} We use a few ancient constructions: \begin{itemize} \item Cryptographic hash function (1989) \item Blind signature (1983) \item Schnorr signature (1989) \item Diffie-Hellman key exchange (1976) \item Cut-and-choose zero-knowledge proof (1985) \end{itemize} But of course we use modern instantiations. \end{frame} \begin{frame}{Exchange setup: Create a denomination key (RSA)} \begin{minipage}{6cm} \begin{enumerate} \item Pick random primes $p,q$. \item Compute $n := pq$, $\phi(n) = (p-1)(q-1)$ \item Pick small $e < \phi(n)$ such that $d := e^{-1} \mod \phi(n)$ exists. \item Publish public key $(e,n)$. \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance=1em and 1em, inner sep=0em, outer sep=.3em]; \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (primes) [draw=none, below = of origin] at (0,0) {$(p, q)$}; \node (seal) [def, draw=none, below left=of primes]{\includegraphics[width=0.15\textwidth]{seal.pdf}}; \node (hammer) [def, draw=none, below right=of primes]{\includegraphics[width=0.15\textwidth]{hammer.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (primes) -- (origin) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (hammer) -- (primes) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} % \includegraphics[width=0.4\textwidth]{seal.pdf} \end{minipage} \end{frame} \begin{frame}{Merchant: Create a signing key (EdDSA)} \begin{minipage}{9cm} \begin{itemize} \item pick random $m \mod o$ as private key \item $M = mG$ public key \end{itemize} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em]; \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (m) [draw=none, below = of origin] at (0,0) {$m$}; \node (seal) [draw=none, below=of m]{M}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (m) -- (origin) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \parbox[t]{3cm}{{\bf Capability:} $m \Rightarrow$ } \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{merchant-sign.pdf}} \end{frame} \begin{frame}{Customer: Create a planchet (EdDSA)} \begin{minipage}{9cm} \begin{itemize} \item Pick random $c \mod o$ private key \item $C = cG$ public key \end{itemize} \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em]; \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (c) [draw=none, below = of origin] at (0,0) {$c$}; \node (planchet) [draw=none, below=of c]{\includegraphics[width=0.4\textwidth]{planchet.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (c) -- (origin) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (planchet) -- (c) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \parbox[t]{3cm}{{\bf Capability:} $c \Rightarrow$ } \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{planchet-sign.pdf}} \end{frame} \begin{frame}{Customer: Blind planchet (RSA)} \begin{minipage}{6cm} \begin{enumerate} \item Obtain public key $(e,n)$ \item Compute $f := FDH(C)$, $f < n$. \item Pick blinding factor $b \in \mathbb Z_n$ \item Transmit $f' := f b^e \mod n$ \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (b) [def, draw=none, below = of origin] at (0,-0.2) {$b$}; \node (blinded) [def, draw=none, below right=of b]{\includegraphics[width=0.2\textwidth]{blinded.pdf}}; \node (planchet) [def, draw=none, above right=of blinded]{\includegraphics[width=0.15\textwidth]{planchet.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Exchange: Blind sign (RSA)} \begin{minipage}{6cm} \begin{enumerate} \item Receive $f'$. \item Compute $s' := f'^d \mod n$. \item Send signature $s'$. \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}}; \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}}; \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Customer: Unblind coin (RSA)} \begin{minipage}{6cm} \begin{enumerate} \item Receive $s'$. \item Compute $s := s' b^{-1} \mod n$ % \\ % ($(f')^d = (f b^e)^d = f^d b$). \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (b) [def, draw=none] at (0,0) {$b$}; \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Withdrawing coins on the Web} \begin{center} \includegraphics[height=0.9\textheight]{figs/taler-withdraw.pdf} \end{center} \end{frame} \begin{frame}{Customer: Build shopping cart} \begin{center} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 2em, inner sep=0em, outer sep=.3em]; \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{shop.pdf}}; \node (cart) [draw=none, right=of origin]{\includegraphics[width=0.2\textwidth]{cart.pdf}}; \node (merchant) [node distance=4em and 4em, draw, right =of cart]{Merchant}; \tikzstyle{C} = [color=black, line width=1pt]; \draw [<-, C] (cart) -- (origin) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (merchant) -- (cart) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{center} \end{frame} \begin{frame}{Merchant Integration: Wallet Detection} \lstset{language=JavaScript} \lstinputlisting{figs/taler-presence-js.html} % \caption{Sample code to detect the Taler wallet. Allowing the % Web site to detect the presence of the wallet leaks one bit % of information about the user. The above logic also works % if the wallet is installed while the page is open.} % \label{listing:presence} \end{frame} \begin{frame}{Merchant Integration: Payment Request} % \begin{figure}[p!] \lstset{language=HTML5} \lstinputlisting{figs/taler-402.html} % \caption{Sample HTTP response to prompt the wallet to show an offer.} % \label{listing:http-contract} % \end{figure} % \begin{figure*}[p!] % \lstset{language=HTML5} % \lstinputlisting{figs/taler-contract.html} % \caption{Sample JavaScript code to prompt the wallet to show an offer. % Here, the contract is fetched on-demand from the server. % The {\tt taler\_pay()} function needs to be invoked % when the user triggers the checkout.} % \label{listing:contract} % \end{figure*} \end{frame} \begin{frame}{Merchant Integration: Contract} % \begin{figure*}[t!] {\tiny \lstset{language=JavaScript} \lstinputlisting{figs/taler-contract.json} % \caption{Minimal Taler contract over a digital article with a value of \EUR{0.10}. The merchant will pay transaction fees up to \EUR{0.01}. The hash over the wire transfer information was truncated to make it fit to the page.} % \label{listing:json-contract} % \end{figure*} } \end{frame} \begin{frame}{Merchant: Propose contract (EdDSA)} \begin{minipage}{6cm} \begin{enumerate} \item Complete proposal $D$. \item Send $D$, $EdDSA_m(D)$ \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (cart) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{cart.pdf}}; \node (proposal) [def, draw=none, below right=of cart]{\includegraphics[width=0.5\textwidth]{merchant_propose.pdf}}; \node (customer) [node distance=4em and 0.5em, draw, below =of proposal]{Customer}; \tikzstyle{C} = [color=black, line width=1pt]; \node (sign) [def, draw=none, above right=of proposal] {$m$}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (proposal) -- (sign) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (proposal) -- (cart) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (customer) -- (proposal) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Customer: Spend coin (EdDSA)} \begin{minipage}{6cm} \begin{enumerate} \item Receive proposal $D$, $EdDSA_m(D)$. \item Send $s$, $C$, $EdDSA_c(D)$ \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance=2em and 0.4em, inner sep=0em, outer sep=.3em]; \node (proposal) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}}; \node (contract) [def, draw=none, below right=of cart]{\includegraphics[width=0.3\textwidth]{contract.pdf}}; \node (c) [def, draw=none, above=of contract] {$c$}; \node (merchant) [node distance=4em and 0.5em, draw, below=of contract]{Merchant}; \node (coin) [def, draw=none, right=of contract]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (contract) -- (proposal) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (merchant) -- (contract) node [midway, above, sloped] (TextNode) {{\small transmit}}; \draw [<-, C] (merchant) -- (coin) node [midway, below, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Merchant and Exchange: Verify coin (RSA)} \begin{minipage}{6cm} \begin{equation*} s^e \stackrel{?}{\equiv} FDH(C) \mod n \end{equation*} \end{minipage} \begin{minipage}{6cm} \begin{minipage}{0.2\textwidth} \includegraphics[width=\textwidth]{coin.pdf} \end{minipage} $\stackrel{?}{\Leftrightarrow}$ \begin{minipage}{0.2\textwidth} \includegraphics[width=\textwidth]{seal.pdf} \end{minipage} \end{minipage} \end{frame} \begin{frame}{Payment processing with Taler} \begin{center} \includegraphics[height=0.9\textheight]{figs/taler-pay.pdf} \end{center} \end{frame} \begin{frame}{Giving change} It would be inefficient to pay EUR 100 with 1 cent coins! \begin{itemize} \item Denomination key represents value of a coin. \item Exchange may offer various denominations for coins. \item Wallet may not have exact change! \item Usability requires ability to pay given sufficient total funds. \end{itemize}\pause Key goals: \begin{itemize} \item maintain unlinkability \item maintain taxability of transactions \end{itemize}\pause Method: \begin{itemize} \item Contract can specify to only pay {\em partial value} of a coin. \item Exchange allows wallet to obtain {\em unlinkable change} for remaining coin value. \end{itemize} \end{frame} \begin{frame}{Diffie-Hellman (ECDH)} \begin{minipage}{8cm} \begin{enumerate} \item Create private keys $c,t \mod o$ \item Define $C = cG$ \item Define $T = tG$ \item Compute DH \\ $cT = c(tG) = t(cG) = tC$ \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t$}; \node (ct) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{dh.pdf}}; \node (c) [def, draw=none, above left= of ct] {$c$}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (ct) -- (c) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (ct) -- (t) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Strawman solution} \begin{minipage}{8cm} Given partially spent private coin key $c_{old}$: \begin{enumerate} % \item Let $C_{old} := c_{old}G$ (as before) \item Pick random $c_{new} \mod o$ private key \item $C_{new} = c_{new}G$ public key \item Pick random $b_{new}$ \item Compute $f_{new} := FDH(C_{new})$, $m < n$. \item Transmit $f'_{new} := f_{new} b_{new}^e \mod n$ \end{enumerate} ... and sign request for change with $c_{old}$. \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (blinded) [def, draw=none]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (planchet) [def, draw=none, above left= of blinded] {\includegraphics[width=0.15\textwidth]{planchet.pdf}}; \node (cnew) [def, draw=none, above= of planchet] {$c_{new}$}; \node (bnew) [def, draw=none, above right= of blinded] {$b_{new}$}; \node (dice1) [def, draw=none, above = of cnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dice2) [def, draw=none, above = of bnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (cnew) -- (dice1) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (planchet) -- (cnew) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bnew) -- (dice2) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bnew) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \pause \vfill {\bf Problem: Owner of $c_{new}$ may differ from owner of $c_{old}$!} \end{frame} \begin{frame}{Customer: Transfer key setup (ECDH)} \begin{minipage}{8cm} Given partially spent private coin key $c_{old}$: \begin{enumerate} \item Let $C_{old} := c_{old}G$ (as before) \item Create random private transfer key $t \mod o$ \item Compute $T := tG$ \item Compute $X := c_{old}(tG) = t(c_{old}G) = tC_{old}$ \item Derive $c_{new}$ and $b_{new}$ from $X$ \item Compute $C_{new} := c_{new}G$ \item Compute $f_{new} := FDH(C_{new})$ \item Transmit $f_{new}' := f_{new} b_{new}^e$ \end{enumerate} \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t$}; \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Cut-and-Choose} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t_1$}; \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t_2$}; \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,2}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,2}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t_3$}; \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Exchange: Choose!} \begin{center} \item Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the customer. \end{center} \end{frame} \begin{frame}{Customer: Reveal} \begin{enumerate} \item If $\gamma = 1$, send $t_2$, $t_3$ to exchange \item If $\gamma = 2$, send $t_1$, $t_3$ to exchange \item If $\gamma = 3$, send $t_1$, $t_2$ to exchange \end{enumerate} \end{frame} \begin{frame}{Exchange: Verify ($\gamma = 2$)} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (h) [def, draw=none] at (0,0) {$t_1$}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$C_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \begin{minipage}{4cm} \ \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (h) [def, draw=none] at (0,0) {$t_3$}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$C_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Exchange: Blind sign change (RSA)} \begin{minipage}{6cm} \begin{enumerate} \item Take $f_{new,\gamma}'$. \item Compute $s' := f_{new,\gamma}'^d \mod n$. \item Send signature $s'$. \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}}; \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}}; \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Customer: Unblind change (RSA)} \begin{minipage}{6cm} \begin{enumerate} \item Receive $s'$. \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$. \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$}; \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Exchange: Allow linking change} \begin{minipage}{7cm} \begin{center} Given $C_{old}$ \vspace{1cm} return $T_\gamma$, $s := s' b_{new,\gamma}^{-1} \mod n$. \end{center} \end{minipage} \begin{minipage}{5cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer sep=.3em]; \node (co) [def, draw=none] at (0,0) {$C_{old}$}; \node (T) [def, draw=none, below left=of co]{$T_\gamma$}; \node (sign) [def, draw=none, below right=of co]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; \node (customer) [def, draw, below right=of T] {Customer}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode) {link}; \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode) {link}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Customer: Link (threat!)} \begin{minipage}{6.3cm} \begin{enumerate} \item Have $c_{old}$. \item Obtain $T_\gamma$, $s$ from exchange \item Compute $X_\gamma = c_{old}T_\gamma$ \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$ \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$ \end{enumerate} \end{minipage} \begin{minipage}{5.7cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (T) [def, draw=none] at (0,0) {$T_\gamma$}; \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange}; \node (signed) [def, draw=none, below left=of T]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; \node (dh) [def, draw=none, below right=of T]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (bp) [def, draw=none, below left= of dh] {$b_{new,\gamma}$}; \node (co) [def, draw=none, above right= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below= of dh] {$c_{new,\gamma}$}; \node (coin) [def, draw=none, below left = of bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; \node (psign) [def, node distance=2.5em and 0em, draw=none, below = of cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode) {link}; \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped] (TextNode) {link}; \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Refresh protocol summary} \begin{itemize} \item Customer asks exchange to convert old coin to new coin \item Protocol ensures new coins can be recovered from old coin \item[$\Rightarrow$] New coins are owned by the same entity! \end{itemize} Thus, the refresh protocol allows: \begin{itemize} \item To give unlinkable change. \item To give refunds to an anonymous customer. \item To expire old keys and migrate coins to new ones. \item To handle protocol aborts. \end{itemize} \end{frame} \section{Competitor analysis} \begin{frame}{Performance: \texttt{taler-exchange-benchmark}} \begin{minipage}{7cm} {\bf Setup:} \begin{itemize} \item AMD 1950X CPU \item Debian GNU/Linux \item Postgres 10.4 \item Compiled with $-O0 -g$ \mbox{(except for libgcrypt)} \item 800 parallel ``clients'' \mbox{(on loopback)} \item 60 reserves per client \item 15 coins per reserve \item RSA-2048 \item No network latency \item No auditor \item[] \item[] \item[] \end{itemize} \end{minipage} \begin{minipage}{7cm} {\bf Results:} \begin{itemize} \item 30\% CPU Taler exchange \item 60\% CPU Taler ``clients'' \item 3\% CPU Postgres database \item $\approx$ 4 ms / coin (withdraw, deposit, 10\% refresh chance) \item[] $\Rightarrow$ $\approx$ {\bf 250 transactions/s} \end{itemize} {\bf Caveats:} \begin{itemize} \item {\bf 2/3rds for clients} \item HTTP Keep-Alive diabled \mbox{(for load-balancing)} \item Used HTTP, not HTTPS \item No outgoing wire transfers \end{itemize} \end{minipage} \end{frame} \section{Competitor analysis} \begin{frame}{Competitor comparison} \begin{center} \small \begin{tabular}{l||c|c|c|c|c} & Cash & Bitcoin & Zerocoin & Creditcard & GNU Taler \\ \hline \hline Online &$-$$-$$-$ & ++ & ++ & + & +++ \\ \hline Offline & +++ & $-$$-$ & $-$$-$ & + & $-$$-$ \\ \hline Trans. cost & + & $-$$-$$-$ & $-$$-$$-$ & $-$ & ++ \\ \hline Speed & + & $-$$-$$-$ & $-$$-$$-$ & o & ++ \\ \hline Taxation & $-$ & $-$$-$ & $-$$-$$-$ & +++ & +++ \\ \hline Payer-anon & ++ & o & ++ & $-$$-$$-$ & +++ \\ \hline Payee-anon & ++ & o & ++ & $-$$-$$-$ & $-$$-$$-$ \\ \hline Security & $-$ & o & o & $-$$-$ & ++ \\ \hline Conversion & +++ & $-$$-$$-$ & $-$$-$$-$ & +++ & +++ \\ \hline Libre & $-$ & +++ & +++ & $-$ $-$ $-$ & +++ \\ \end{tabular} \end{center} \end{frame} \begin{frame}[fragile]{\texttt{payto:} Uniform Identifiers for Payments and Accounts} \vfill Like \texttt{mailto:}, but for bank accounts instead of email accounts! \vfill \begin{verbatim} payto:/// ?subject=InvoiceNr42 &amount=EUR:12.50 \end{verbatim} \vfill Default action: Open app to review and confirm payment. \vfill \end{frame} \begin{frame}[fragile]{Benefits of \texttt{payto://}} \begin{itemize} \item Standardized way to represent financial resources (bank account, bitcoin wallet) and payments to them \item Useful on the client-side on the Web and for FinTech backend applications \item Payment methods (such as SEPA, ACH, Bitcoin) are registered with IANA and allow extra options \item Under standardization with IETF as \texttt{draft-dold-payto} \end{itemize} \begin{center} Please voice your support! \end{center} \end{frame} \begin{frame}{How to support?} \begin{itemize} \item Join: \href{https://lists.gnu.org/mailman/listinfo/taler}{taler@gnu.org}, \href{irc://irc.freenode.net/\#taler}{\#taler} \item Coding \& design: \url{https://gnunet.org/bugs/} \item Translation: \url{https://git.taler.net/www.git/tree/locale/fr/LC_MESSAGES/messages.po} \item Integration: \url{https://docs.taler.net/} \item Donations: \url{https://gnunet.org/ev} \item Funding: \url{https://taler.net/en/investors.html} \end{itemize} \vfill \begin{center} {\bf And of course we are looking for banks as partners!} \end{center} \end{frame} \begin{frame} \frametitle{Team \hfill \& \hfill Advisory Board \hfill} \begin{minipage}{5cm} \begin{description} \item[Leon Schumacher]\ \\ co-founder \item[Dr. Christian Grothoff]\ \\ co-founder \item[Michael Widmer]\ \\ Jurist \item[Dr. Jeff Burdges]\ \\ PostDoc \item[Florian Dold]\ \\ PhD Student \end{description} \end{minipage} \begin{minipage}{5.5cm} {\tiny \begin{description} \item[Prof. Mikhail Atallah] \ \\ Cryptographer, co-founder Arxan Technologies Inc. \item[Prof. Roberto Di Cosmo] \ \\ Director IRILL \item[Greg Framke] \ \\ CIO Manulife, \\ former COO Etrade \item[Ante Gulam] \ \\ Global Head of Information Security --- CISO \\ MetaPack Group \item[Dr. Richard Stallman]\ \\ Founder of the \\ \mbox{Free Software movement} \item[Chris Pagett] \ \\ former Group Head Security/ \ \\ Fraud/Geo Risk HSBC \item[Prof. Alex Pentland] \ \\ MIT Media Lab \end{description} } \end{minipage} \vfill \includegraphics[height=0.1\textwidth]{../investors/team-images/leon-schumacher.jpg} \hfill \includegraphics[height=0.1\textwidth]{../investors/team-images/christian-grothoff.jpg}\hfill \includegraphics[height=0.1\textwidth]{../investors/team-images/michael-widmer.jpg}\hfill \includegraphics[height=0.1\textwidth]{../investors/team-images/jeff-burdges.jpg}\hfill \includegraphics[height=0.1\textwidth]{../investors/team-images/florian-dold.jpg}\hfill \includegraphics[height=0.1\textwidth]{../investors/board-images/mja.jpg} \hfill \includegraphics[height=0.1\textwidth]{../investors/board-images/roberto-di-cosmo.jpg} \hfill \includegraphics[height=0.1\textwidth]{../investors/board-images/greg-framke.jpg} \hfill \includegraphics[height=0.1\textwidth]{../investors/board-images/ante-gulam.jpg} \hfill \includegraphics[height=0.1\textwidth]{../investors/board-images/alex-pentland.jpg} %\note{Advisory board still under construction.} \end{frame} \begin{frame}{Conclusion} \begin{center} {\bf What can we do?} \end{center} \vfill \begin{itemize} \item{Suffer mass-surveillance enabled by credit card oligopolies with high fees, and} \item{Engage in arms race with deliberately unregulatable blockchains, and} \item{Enjoy the ``benefits'' of cash \\ \hfill \includegraphics[height=0.3\textheight]{atm-rupee.jpg} \hfill} \end{itemize} \vfill \begin{center} {\bf OR} \end{center} \vfill \begin{itemize} \item{Establish free software alternative balancing social goals!} \end{itemize} \vfill \end{frame} \begin{frame} \frametitle{Do you have any questions?} \vfill References: {\tiny \begin{enumerate} \item{Christian Grothoff, Bart Polot and Carlo von Loesch. {\em The Internet is broken: Idealistic Ideas for Building a GNU Network}. {\bf W3C/IAB Workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT)}, 2014.} \item{Jeffrey Burdges, Florian Dold, Christian Grothoff and Marcello Stanisci. {\em Enabling Secure Web Payments with GNU Taler}. {\bf SPACE 2016}.} \item{Florian Dold, Sree Harsha Totakura, Benedikt M\"uller, Jeffrey Burdges and Christian Grothoff. {\em Taler: Taxable Anonymous Libre Electronic Reserves}. Available upon request. 2016.} \item{Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer and Madars Virza. {\em Zerocash: Decentralized Anonymous Payments from Bitcoin}. {\bf IEEE Symposium on Security \& Privacy, 2016}.} \item{David Chaum, Amos Fiat and Moni Naor. {\em Untraceable electronic cash}. {\bf Proceedings on Advances in Cryptology, 1990}.} \item{Phillip Rogaway. {\em The Moral Character of Cryptographic Work}. {\bf Asiacrypt}, 2015.} \label{bib:rogaway} \end{enumerate} } \begin{center} {\bf Let money facilitate trade; but ensure capital serves society.} \end{center} \end{frame} \end{document} \begin{frame}{Taler {\tt /withdraw/sign}} % Customer withdrawing coins with blind signatures % \bigskip \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Wallet}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[okmsg, dashed] ($(h1.east)+(0, 4.0)+(0, -1.0)$) edge node[msglabel] {SEPA(RK,A)} ($(h2.west)+(0, 3.5)+(0, -1.0)$); \path[okmsg] ($(h1.east)+(0, -1.0)$) edge node[msglabel] {POST {\tt /withdraw/sign} $S_{RK}(DK, B_b(C))$} ($(h2.west)+(0, -1.5)$); \path[okmsg] ($(h2.west)+(0, -2.0)$) edge node[msglabel] {200 OK: $S_{DK}(B_b(C))$)} ($(h1.east)+(0, -2.5)$); \path[rstmsg] ($(h2.west)+(0, -3.5)$) edge node[msglabel] {402 PAYMENT REQUIRED: $S_{RK}(DK, B_b(C))$)} ($(h1.east)+(0, -4)$); \node at (5.3, 0) {}; \end{tikzpicture} \end{center} Result: $\langle c, S_{DK}(C) \rangle$. \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$A$] Some amount, $A \ge A_{DK}$ \item[$RK$] Reserve key \item[$DK$] Denomination key \item[$b$] Blinding factor \item[$B_b()$] RSA-FDH blinding % DK supressed \item[$C$] Coin public key $C := cG$ \item[$S_{RK}()$] EdDSA signature \item[$S_{DK}()$] RSA-FDH signature \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}[t]{Taler {\tt /deposit}} Merchant and exchange see only the public coin $\langle C, S_{DK}(C) \rangle$. \bigskip \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Merchant}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[->, color = MidnightBlue, thick, >=stealth] ($(h1.east)+(0,3)$) edge node[text = Black, yshift = .3cm, sloped] {POST {\tt /deposit} $S_{DK}(C), S_{c}(D)$} ($(h2.west)+(0,2)$); \path[->, color = MidnightBlue, thick, >=stealth] ($(h2.west)+(0,0.5)$) edge node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(S_{c}(D))$} ($(h1.east)+(0,-0.5)$); \path[rstmsg] ($(h2.west)+(0, -2.5)$) edge node[msglabel] {409 CONFLICT: $S_{c}(D')$} ($(h1.east)+(0, -3.5)$); \node at (5.3, 0) {}; \end{tikzpicture} \end{center} \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$DK$] Denomination key \item[$S_{DK}()$] RSA-FDH signature using $DK$ \item[$c$] Private coin key, $C := cG$. \item[$S_{C}()$] EdDSA signature using $c$ \item[$D$] Deposit details \item[$SK$] Exchange's signing key \item[$S_{SK}()$] EdDSA signature using $SK$ \item[$D'$] Conficting deposit details $D' \not= D$ \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}{Taler {\tt /refresh/melt}} \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Customer}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[->, color = MidnightBlue, thick, >=stealth] ($(h1.east)+(0,3)$) edge node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/melt} $S_{DK}(C), S_c({\cal DK}, {\cal T},{\cal B})$} ($(h2.west)+(0,2)$); \path[->, color = MidnightBlue, thick, >=stealth] ($(h2.west)+(0,0.5)$) edge node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(H({\cal T}, {\cal B}),\gamma)$} ($(h1.east)+(0,-0.5)$); \path[rstmsg] ($(h2.west)+(0, -2.5)$) edge node[msglabel] {409 CONFLICT: $S_{C}(X), \ldots$} ($(h1.east)+(0, -3.5)$); \node at (5.3, 0) {}; \end{tikzpicture} \end{center} \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$\kappa$] System-wide security parameter, usually 3. \\ \smallskip \item[$\cal DK$] $:= [DK^{(i)}]_i$ \\ List of denomination keys \\ $D + \sum_i A_{DK^{(i)}} < A_{DK}$ \item[$t_j$] Random scalar for $j<\kappa$ \item[${\cal T}$] $:= [T_j]_\kappa$ where $T_j = t_j G$ \item[$k_j$] $:= c T_j = t_j C$ is an ECDHE \item[$b_j^{(i)}$] $:= KDF_b(k_j,i)$ % blinding factor \item[$c_j^{(i)}$] $:= KDF_c(k_j,i)$ % coin secret keys \item[$C_j^{(i)}$] $: = c_j^{(i)} G$ % new coin publics % keys \item[${\cal B}$] $:= [H( \beta_j )]_\kappa$ where \\ $\beta_j := \left[ B_{b_j^{(i)}}(C_j^{(i)}) \right]_i$ \\ \smallskip \item[$\gamma$] Random value in $[0,\kappa)$ % \\ \smallskip % \item[$X$] Deposit or refresh \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}{Taler {\tt /refresh/reveal}} \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Customer}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[->, color = MidnightBlue, thick, >=stealth] ($(h1.east)+(0,3)$) edge node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/reveal} $H({\cal T}, {\cal B}), {\tilde{\cal T}}, \beta_\gamma$} ($(h2.west)+(0,2)$); \path[->, color = MidnightBlue, thick, >=stealth] ($(h2.west)+(0,0.5)$) edge node[text = Black, yshift = .3cm, sloped] {200 OK: $\cal S$} ($(h1.east)+(0,-0.5)$); \path[rstmsg] ($(h2.west)+(0, -2.5)$) edge node[msglabel] {400 BAD REQUEST: $Z$} ($(h1.east)+(0, -3.5)$); \node at (5.3, 0) {}; \end{tikzpicture} \end{center} \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$\cal DK$] $:= [DK^{(i)}]_i$ \item[$t_j$] .. \\ \smallskip \item[$\tilde{\cal T}$] $:= [t_j | j \in \kappa, j \neq \gamma]$ \\ \smallskip \item[$k_\gamma$] $:= c T_\gamma = t_\gamma C$ \item[$b_\gamma^{(i)}$] $:= KDF_b(k_\gamma,i)$ \item[$c_\gamma^{(i)}$] $:= KDF_c(k_\gamma,i)$ \item[$C_\gamma^{(i)}$] $: = c_\gamma^{(i)} G$ \item[$B_\gamma^{(i)}$] $:= B_{b_\gamma^{(i)}}(C_\gamma^{(i)})$ \item[$\beta_\gamma$] $:= \big[ B_\gamma^{(i)} \big]_i$ \item[$\cal S$] $:= \left[ S_{DK^{(i)}}( B_\gamma^{(i)} ) \right]_i$ \\ \smallskip \item[$Z$] Cut-and-choose missmatch information \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}{Taler {\tt /refresh/link}} \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Customer}; \node[above = 0cm of h2] {Exchagne}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[->, color = MidnightBlue, thick, >=stealth] ($(h1.east)+(0,3)$) edge node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/link} $C$} ($(h2.west)+(0,2)$); \path[->, color = MidnightBlue, thick, >=stealth] ($(h2.west)+(0,0.5)$) edge node[text = Black, yshift = .3cm, sloped] {200 OK: $T_\gamma$} ($(h1.east)+(0,-0.5)$); \path[rstmsg] ($(h2.west)+(0, -2.5)$) edge node[msglabel] {404 NOT FOUND} ($(h1.east)+(0, -3.5)$); \node at (5.3, 0) {}; \end{tikzpicture} \end{center} \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$C$] Old coind public key \\ \smallskip \item[$T_\gamma$] Linkage data $\cal L$ at $\gamma$ \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}{Operational security} \begin{center} \resizebox{\textwidth}{!}{ \begin{tikzpicture}[ font=\sffamily, every matrix/.style={ampersand replacement=\&,column sep=2cm,row sep=2cm}, source/.style={draw,thick,rounded corners,fill=green!20,inner sep=.3cm}, process/.style={draw,thick,circle,fill=blue!20}, sink/.style={source,fill=green!20}, datastore/.style={draw,very thick,shape=datastore,inner sep=.3cm}, dots/.style={gray,scale=2}, to/.style={->,>=stealth',shorten >=1pt,semithick,font=\sffamily\footnotesize}, every node/.style={align=center}] % Position the nodes using a matrix layout \matrix{ \node[source] (wallet) {Wallet}; \& \node[process] (browser) {Browser}; \& \node[process] (shop) {Web shop}; \& \node[sink] (backend) {Taler backend}; \\ }; % Draw the arrows between the nodes and label them. \draw[to] (browser) to[bend right=50] node[midway,above] {(4) signed contract} node[midway,below] {(signal)} (wallet); \draw[to] (wallet) to[bend right=50] node[midway,above] {(signal)} node[midway,below] {(5) signed coins} (browser); \draw[<->] (browser) -- node[midway,above] {(3,6) custom} node[midway,below] {(HTTPS)} (shop); \draw[to] (shop) to[bend right=50] node[midway,above] {(HTTPS)} node[midway,below] {(1) proposed contract / (7) signed coins} (backend); \draw[to] (backend) to[bend right=50] node[midway,above] {(2) signed contract / (8) confirmation} node[midway,below] {(HTTPS)} (shop); \end{tikzpicture} } \end{center} \end{frame} \begin{frame}{Diffie-Hellman (ECDH)} \begin{minipage}{8cm} \begin{enumerate} \item Create private keys $c,t \mod o$ \item Define $C = cG$ \item Define $T = tG$ \item Compute DH \\ $cT = c(tG) = t(cG) = tC$ \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t$}; \node (ct) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{dh.pdf}}; \node (c) [def, draw=none, above left= of ct] {$c$}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (ct) -- (c) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (ct) -- (t) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Strawman solution} \begin{minipage}{8cm} Given partially spent private coin key $c_{old}$: \begin{enumerate} % \item Let $C_{old} := c_{old}G$ (as before) \item Pick random $c_{new} \mod o$ private key \item $C_{new} = c_{new}G$ public key \item Pick random $b_{new}$ \item Compute $f_{new} := FDH(C_{new})$, $m < n$. \item Transmit $f'_{new} := f_{new} b_{new}^e \mod n$ \end{enumerate} ... and sign request for change with $c_{old}$. \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (blinded) [def, draw=none]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (planchet) [def, draw=none, above left= of blinded] {\includegraphics[width=0.15\textwidth]{planchet.pdf}}; \node (cnew) [def, draw=none, above= of planchet] {$c_{new}$}; \node (bnew) [def, draw=none, above right= of blinded] {$b_{new}$}; \node (dice1) [def, draw=none, above = of cnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dice2) [def, draw=none, above = of bnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (cnew) -- (dice1) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (planchet) -- (cnew) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bnew) -- (dice2) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bnew) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \pause \vfill {\bf Problem: Owner of $c_{new}$ may differ from owner of $c_{old}$!} \end{frame} \begin{frame}{Customer: Transfer key setup (ECDH)} \begin{minipage}{8cm} Given partially spent private coin key $c_{old}$: \begin{enumerate} \item Let $C_{old} := c_{old}G$ (as before) \item Create random private transfer key $t \mod o$ \item Compute $T := tG$ \item Compute $X := c_{old}(tG) = t(c_{old}G) = tC_{old}$ \item Derive $c_{new}$ and $b_{new}$ from $X$ \item Compute $C_{new} := c_{new}G$ \item Compute $f_{new} := FDH(C_{new})$ \item Transmit $f_{new}' := f_{new} b_{new}^e$ \end{enumerate} \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t$}; \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Cut-and-Choose} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t_1$}; \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t_2$}; \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,2}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,2}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t_3$}; \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Exchange: Choose!} \begin{center} \item Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the customer. \end{center} \end{frame} \begin{frame}{Customer: Reveal} \begin{enumerate} \item If $\gamma = 1$, send $t_2$, $t_3$ to exchange \item If $\gamma = 2$, send $t_1$, $t_3$ to exchange \item If $\gamma = 3$, send $t_1$, $t_2$ to exchange \end{enumerate} \end{frame} \begin{frame}{Exchange: Verify ($\gamma = 2$)} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (h) [def, draw=none] at (0,0) {$t_1$}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$C_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \begin{minipage}{4cm} \ \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (h) [def, draw=none] at (0,0) {$t_3$}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$C_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Exchange: Blind sign change (RSA)} \begin{minipage}{6cm} \begin{enumerate} \item Take $f_{new,\gamma}'$. \item Compute $s' := f_{new,\gamma}'^d \mod n$. \item Send signature $s'$. \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}}; \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}}; \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Customer: Unblind change (RSA)} \begin{minipage}{6cm} \begin{enumerate} \item Receive $s'$. \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$. \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$}; \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Exchange: Allow linking change} \begin{minipage}{7cm} \begin{center} Given $C_{old}$ \vspace{1cm} return $T_\gamma$, $s := s' b_{new,\gamma}^{-1} \mod n$. \end{center} \end{minipage} \begin{minipage}{5cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer sep=.3em]; \node (co) [def, draw=none] at (0,0) {$C_{old}$}; \node (T) [def, draw=none, below left=of co]{$T_\gamma$}; \node (sign) [def, draw=none, below right=of co]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; \node (customer) [def, draw, below right=of T] {Customer}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode) {link}; \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode) {link}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Customer: Link (threat!)} \begin{minipage}{6.3cm} \begin{enumerate} \item Have $c_{old}$. \item Obtain $T_\gamma$, $s$ from exchange \item Compute $X_\gamma = c_{old}T_\gamma$ \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$ \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$ \end{enumerate} \end{minipage} \begin{minipage}{5.7cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (T) [def, draw=none] at (0,0) {$T_\gamma$}; \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange}; \node (signed) [def, draw=none, below left=of T]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; \node (dh) [def, draw=none, below right=of T]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (bp) [def, draw=none, below left= of dh] {$b_{new,\gamma}$}; \node (co) [def, draw=none, above right= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below= of dh] {$c_{new,\gamma}$}; \node (coin) [def, draw=none, below left = of bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; \node (psign) [def, node distance=2.5em and 0em, draw=none, below = of cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode) {link}; \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped] (TextNode) {link}; \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Use Cases: Refugee Camps} Today: \begin{itemize} \item Non-bankable \item Direct distribution of goods to population \item Limited economic activity in camps \item High level of economic dependence \end{itemize}\vfill\pause With GNU Taler: \begin{itemize} \item Local currency issued as basic income backed by aid \item Taxation possible based on economic status \item Local governance enabled by local taxes \item Increased economic independence and political participation \end{itemize} \end{frame}