\pdfminorversion=3 \documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer} \usepackage{amsmath} \usepackage{multimedia} \usepackage[utf8]{inputenc} \usepackage{framed,color,ragged2e} \usepackage[absolute,overlay]{textpos} \definecolor{shadecolor}{rgb}{0.8,0.8,0.8} \usetheme{boxes} \setbeamertemplate{navigation symbols}{} \usepackage{xcolor} \usepackage{tikz,eurosym} \usepackage[normalem]{ulem} \usepackage{listings} \usepackage{adjustbox} % CSS \lstdefinelanguage{CSS}{ basicstyle=\ttfamily\scriptsize, keywords={color,background-image:,margin,padding,font,weight,display,position,top,left,right,bottom,list,style,border,size,white,space,min,width, transition:, transform:, transition-property, transition-duration, transition-timing-function}, sensitive=true, morecomment=[l]{//}, morecomment=[s]{/*}{*/}, morestring=[b]', morestring=[b]", alsoletter={:}, alsodigit={-} } % JavaScript \lstdefinelanguage{JavaScript}{ basicstyle=\ttfamily\scriptsize, morekeywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break}, morecomment=[s]{/*}{*/}, morecomment=[l]//, morestring=[b]", morestring=[b]' } \lstdefinelanguage{HTML5}{ basicstyle=\ttfamily\scriptsize, language=html, sensitive=true, alsoletter={<>=-}, morecomment=[s]{}, tag=[s], otherkeywords={ % General >, % Standard tags , % body , % Paragraphs , % scripts , , , , , }, ndkeywords={ % General =, % HTML attributes charset=, src=, id=, width=, height=, style=, type=, rel=, href=, % SVG attributes fill=, attributeName=, begin=, dur=, from=, to=, poster=, controls=, x=, y=, repeatCount=, xlink:href=, % CSS properties margin:, padding:, background-image:, border:, top:, left:, position:, width:, height:, % CSS3 properties transform:, -moz-transform:, -webkit-transform:, animation:, -webkit-animation:, transition:, transition-duration:, transition-property:, transition-timing-function:, } } \lstdefinelanguage{JavaScript}{ basicstyle=\ttfamily\scriptsize, 
keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break, for}, keywordstyle=\color{blue}\bfseries, ndkeywords={class, export, boolean, throw, implements, import, this}, ndkeywordstyle=\color{darkgray}\bfseries, identifierstyle=\color{black}, sensitive=false, comment=[l]{//}, morecomment=[s]{/*}{*/}, commentstyle=\color{purple}\ttfamily, stringstyle=\color{red}\ttfamily, morestring=[b]', morestring=[b]" } \usetikzlibrary{shapes,arrows} \usetikzlibrary{positioning} \usetikzlibrary{calc} \title{GNU Taler} %\subtitle{} \setbeamertemplate{navigation symbols}{\includegraphics[width=1cm]{inria.pdf} \includegraphics[width=2.3cm]{bfh.png} \includegraphics[width=1.6cm]{fub.pdf} \includegraphics[width=0.4cm]{ashoka.png} \includegraphics[width=0.4cm]{gnu.png} \includegraphics[width=1cm]{logo-2020.jpg} \hfill} %\setbeamercovered{transparent=1} \author[C. Grothoff]{J. Burdges, F. Dold, {\bf C. Grothoff}, M. Stanisci} \date{\today} \institute{The GNU Project} \begin{document} \justifying \begin{frame} \begin{center} \LARGE {\bf GNU} \vfill % \includegraphics[width=0.66\textwidth]{logo-2017-fr.pdf} \includegraphics[width=0.66\textwidth]{logo-2020.jpg} \end{center} \begin{textblock*}{6cm}(.5cm,7.7cm) % {block width} (coords) {\Large {\bf \href{https://taler.net/}{taler.net}} \\ \href{https://twitter.com/taler}{taler@twitter} \\ \href{https://taler-systems.com/}{taler-systems.com}} \end{textblock*} % Substitute based on who is giving the talk! \begin{textblock*}{6cm}(6.7cm,7.7cm) % {block width} (coords) {\hfill {\Large {\bf Florian Dold \&} \\ \hfill {\bf Christian Grothoff}} \\ \hfill \{dold,grothoff\}@taler.net } \end{textblock*} \end{frame} \begin{frame}{A Social Problem} % \vfill This was a question posed to RAND researchers in 1971: \begin{quote} ``Suppose you were an advisor to the head of the KGB, the Soviet Secret Police. 
Suppose you are given the assignment of designing a system for the surveillance of all citizens and visitors within the boundaries of the USSR. The system is not to be too obtrusive or obvious. What would be your decision?'' \end{quote} %The result: an electronic funds transfer system that looks %strikingly similar today's debit card system. \pause \begin{center} \Large \textbf{Mastercard/Visa are too transparent.} \end{center} \vfill \begin{center} ``I think one of the big things that we need to do, is we need to get a way from true-name payments on the Internet. The credit card payment system is one of the worst things that happened for the user, in terms of being able to divorce their access from their identity.'' \hfill --Edward Snowden, IETF 93 (2015) \end{center} \end{frame} \section{The Bank's Problem} \begin{frame}{The Bank's Problem} 3D secure (``verified by visa'') is a nightmare: \begin{minipage}{5cm} \begin{itemize} \item Complicated process \item Shifts liability to consumer \item Significant latency \item Can refuse valid requests \item Legal vendors excluded \item No privacy for buyers \end{itemize} \end{minipage} \begin{minipage}{5cm} \includegraphics[width=\textwidth]{illustrations/cc3ds.pdf} \end{minipage} \vfill Online credit card payments will be replaced, but with what? 
\end{frame}
\begin{frame}{The Bank's Problem}
\vfill
\begin{textblock*}{12cm}(0.5cm,1cm) % {block width} (coords)
\begin{itemize}
\item Global tech companies push oligopolies
\item Privacy and federated finance are at risk
% \item 30\% fees are conceivable
\item Economic sovereignty is in danger
\end{itemize}
\end{textblock*}
\begin{textblock*}{4cm}(3.5cm,5.2cm) % {block width} (coords)
{\includegraphics[width=\textwidth]{../investors/competitor-logos/amazon.png}}
\end{textblock*}
\begin{textblock*}{2cm}(7cm,3cm) % {block width} (coords)
{\includegraphics[width=\textwidth]{../investors/competitor-logos/alipay.jpeg}}
\end{textblock*}
\begin{textblock*}{2cm}(3cm,3.5cm) % {block width} (coords)
{\includegraphics[width=\textwidth]{../investors/competitor-logos/paypal.jpeg}}
\end{textblock*}
\begin{textblock*}{2cm}(9cm,5cm) % {block width} (coords)
{\includegraphics[width=\textwidth]{../investors/competitor-logos/applepay.jpeg}}
\end{textblock*}
\begin{textblock*}{2cm}(7.5cm,5.9cm) % {block width} (coords)
{\includegraphics[width=\textwidth]{../investors/competitor-logos/samsungpay.jpeg}}
\end{textblock*}
\begin{textblock*}{1cm}(9.5cm,6.3cm) % {block width} (coords)
{\includegraphics[width=\textwidth]{../investors/competitor-logos/android_pay.png}}
\end{textblock*}
\vfill
\end{frame}
\begin{frame}{The Distraction: Bitcoin}
\begin{itemize}
\item Unregulated payment system and currency:
\item[] $\Rightarrow$ lack of regulation is a feature!
\item Implemented in free software \item Decentralised peer-to-peer system \pause \item Decentralised banking requires solving Byzantine consensus \item Creative solution: tie initial accumulation to solving consensus \pause \item[] $\Rightarrow$ Proof-of-work advances ledger \item[] $\Rightarrow$ Very expensive banking \end{itemize} \end{frame} \begin{frame} \frametitle{\includegraphics[height=0.5cm]{pics/bitcoin.png}?} \framesubtitle{Background: \url{https://blockchain.com/charts/}} \centering \noindent \includegraphics[width=\textwidth]{pics/btc-transaction-cost.png} Current average transaction value: $\approx$ 1000 USD \end{frame} \begin{frame} \frametitle{\includegraphics[height=0.5cm]{pics/zerocoin.png}?} Cryptography is rather primitive: \begin{center} {\bf All Bitcoin transactions are public and linkable!} \end{center} \begin{itemize} \item[] $\Rightarrow$ no privacy guarantees \item[] $\Rightarrow$ enhanced with ``laundering'' services \end{itemize} ZeroCoin, CryptoNote (Monero) and ZeroCash (ZCash) offer anonymity. \end{frame} \begin{frame} \vfill \begin{center} {\bf Do you want to have a libertarian economy?} \end{center} \vfill \begin{center} {\bf Do you want to live under total surveillance?} \end{center} \vfill \end{frame} \begin{frame}{GNU Taler} \vfill \begin{center} {\huge {\bf Digital} cash, made \textbf{socially responsible}.} \end{center} \vfill \begin{center} \includegraphics[scale=1]{logo-2020.jpg} \end{center} \vfill \begin{center} Privacy-Preserving, Practical, Taxable, Free Software, Efficient \end{center} \vfill \vfill \ % \end{frame} \section{What is Taler?} \begin{frame}{What is Taler?} \begin{center} Taler is an electronic instant payment system. \end{center} \begin{itemize} \item Uses electronic coins stored in {\bf wallets} on customer's device \item Like {\bf cash} \item Pay in {\bf existing currencies} (i.e. 
EUR, USD, BTC), \\ or use it to create new {\bf regional currencies} \end{itemize} \vfill \pause \noindent However, Taler is \begin{itemize} \item \emph{not} a currency \item \emph{not} a long-term store of value \item \emph{not} a network or instance of a system \item \emph{not} decentralized \item \emph{not} based on proof-of-work or proof-of-stake \item \emph{not} a speculative asset / ``get-rich-quick scheme'' \end{itemize} \end{frame} \begin{frame}{Design principles} \framesubtitle{https://taler.net/en/principles.html} GNU Taler must ... \begin{enumerate} \item {... be implemented as {\bf free software}.} \item {... protect the {\bf privacy of buyers}.} \item {... must enable the state to {\bf tax income} and crack down on illegal business activities.} \item {... prevent payment fraud.} \item {... only {\bf disclose the minimal amount of information necessary}.} \item {... be usable.} \item {... be efficient.} \item {... avoid single points of failure.} \item {... foster {\bf competition}.} \end{enumerate} \end{frame} \begin{frame} \frametitle{Taler Overview} \begin{center} \begin{tikzpicture} \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em]; \node (origin) at (0,0) {}; \node (exchange) [def,above=of origin,draw]{Exchange}; \node (customer) [def, draw, below left=of origin] {Customer}; \node (merchant) [def, draw, below right=of origin] {Merchant}; \node (auditor) [def, draw, above right=of origin]{Auditor}; % \node (regulator) [def, draw, above=of auditor]{CSSF}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (customer) -- (exchange) node [midway, above, sloped] (TextNode) {withdraw coins}; \draw [<-, C] (exchange) -- (merchant) node [midway, above, sloped] (TextNode) {deposit coins}; \draw [<-, C] (merchant) -- (customer) node [midway, above, sloped] (TextNode) {spend coins}; \draw [<-, C] (exchange) -- (auditor) node [midway, above, sloped] (TextNode) {verify}; % \draw [<-, C] (regulator) -- (auditor) node 
[midway, above, sloped] (TextNode) {report}; \end{tikzpicture} \end{center} \end{frame} \begin{frame}{The Taler Software Ecosystem} \framesubtitle{\url{https://taler.net/en/docs.html}} Taler is based on modular components that work together to provide a complete payment system: \vfill \begin{itemize} \item {\bf Exchange:} Service provider for digital cash \begin{itemize} \item Core exchange software (cryptography, database) \item Air-gapped key management, real-time {\bf auditing} \item LibEuFin: Modular integration with banking systems \end{itemize} \item {\bf Merchant:} Integration service for existing businesses \begin{itemize} \item Core merchant backend software (cryptography, database) \item Back-office interface for staff \item Frontend integration (E-commerce, Point-of-sale) \end{itemize} \item {\bf Wallet:} Consumer-controlled applications for e-cash \begin{itemize} \item Multi-platform wallet software (for browsers \& mobile phones) \item Wallet backup storage providers \item {\bf Anastasis}: Recovery of lost wallets based on secret splitting \end{itemize} \end{itemize} \end{frame} \begin{frame} % TODO: replace with simplified NEW architecture picture! 
\frametitle{Architecture of Taler} \begin{center} \includegraphics[width=1\textwidth]{operations.png} \end{center} \end{frame} \begin{frame}[fragile]{Taler: Bank Perspective} \begin{adjustbox}{max totalsize={.9\textwidth}{.7\textheight},center} \begin{tikzpicture} \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em]; \node (origin) at (0,0) {}; \node (exchange) [def,above=of origin,draw]{Exchange}; \node (nexus) [def, draw, below right=of exchange] {Nexus}; \node (corebanking) [def, draw, below left=of nexus] {Core Banking}; \node (nginx) [def, draw, above=of exchange]{Nginx}; \node (postgres) [def, draw, below left=of exchange]{Postgres}; \node (postgres-nexus) [def, draw, below right=of nexus]{Postgres}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (exchange) -- (nginx) node [midway, above, sloped] (TextNode) {REST API}; \draw [<-, C] (postgres) -- (exchange) node [midway, above, sloped] (TextNode) {SQL}; \draw [<-, C] (postgres-nexus) -- (nexus) node [midway, above, sloped] (TextNode) {SQL}; \draw [<-, C] (nexus) -- (exchange) node [midway, above, sloped] (TextNode) {Internal REST API}; \draw [<-, C] (corebanking) -- (nexus) node [midway, above, sloped] (TextNode) {EBICS/FinTS}; \end{tikzpicture} \end{adjustbox} \end{frame} \begin{frame}{Taler: Exchange Architecture} \begin{center} \begin{tikzpicture} \tikzstyle{def} = [node distance=2em and 2.5em, inner sep=1em, outer sep=.3em]; \node (origin) at (0,0) {}; \node (httpd) [def,above=of origin,draw]{httpd}; \node (secmod-rsa) [def, draw, right=of httpd] {secmod-rsa}; \node (secmod-eddsa) [def, draw, left=of httpd] {secmod-eddsa}; \node (postgres) [def, draw, below=of httpd]{Postgres}; \node (aggregator) [def, draw, right=of postgres]{aggregator}; \node (transfer) [def, draw, below left=of postgres]{transfer}; \node (wirewatch) [def, draw, below right=of postgres]{wirewatch}; \node (nexus) [def, draw, below=of postgres]{Nexus}; \tikzstyle{C} = [color=black, line width=1pt] 
\draw [<->, C] (httpd) -- (postgres) node [midway, above, sloped] (TextNode) {}; \draw [<->, C] (httpd) -- (secmod-rsa) node [midway, above, sloped] (TextNode) {}; \draw [<->, C] (httpd) -- (secmod-eddsa) node [midway, above, sloped] (TextNode) {}; \draw [<->, C] (aggregator) -- (postgres) node [midway, above, sloped] (TextNode) {}; \draw [<->, C] (wirewatch) -- (postgres) node [midway, above, sloped] (TextNode) {}; \draw [<->, C] (transfer) -- (postgres) node [midway, above, sloped] (TextNode) {}; \draw [->, C] (transfer) -- (nexus) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (wirewatch) -- (nexus) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{center} \end{frame} \begin{frame} \frametitle{Taler: Auditor Perspective} \begin{center} \begin{tikzpicture} \tikzstyle{def} = [node distance=2em and 2.5em, inner sep=1em, outer sep=.3em]; \node (origin) at (0,0) {}; \node (httpd) [def,above left=of origin,draw]{auditor-httpd}; \node (report) [def,above right=of origin,draw]{auditor-report}; \node (postgres-A) [def, draw, below=of origin] {Postgres (Auditor)}; \node (postgres-E) [def, draw, below=of postgres-A] {Postgres (Bank)}; \tikzstyle{C} = [color=black, line width=1pt] \draw [->, C] (postgres-E) -- (postgres-A) node [midway, above, sloped] (TextNode) {sync}; \draw [<->, C] (httpd) -- (postgres-A) node [midway, above, sloped] (TextNode) {}; \draw [<->, C] (report) -- (postgres-A) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{center} \end{frame} \begin{frame} \frametitle{Taler: Merchant Perspective} \begin{center} \begin{tikzpicture} \tikzstyle{def} = [node distance= 3.5em and 2em, inner sep=1em, outer sep=.3em]; \node (origin) at (0,0) {}; \node (backend) [def,above=of origin,draw]{{\tiny taler-merchant-httpd}}; \node (frontend) [def,above left=of backend,draw]{{\tiny E-commerce Frontend}}; \node (backoffice) [def,above right=of backend,draw]{Backoffice}; \node (postgres) [def, draw, below left=of backend] 
{Postgres}; \node (sqlite) [def, draw, below=of backend] {Sqlite}; \node (alt) [def, draw, below right=of backend] {...}; \tikzstyle{C} = [color=black, line width=1pt] \draw [->, C] (frontend) -- (backend) node [midway, above, sloped] (TextNode) {REST API}; \draw [->, C] (backoffice) -- (backend) node [midway, above, sloped] (TextNode) {REST API}; \draw [<->, C] (backend) -- (postgres) node [midway, above, sloped] (TextNode) {SQL}; \draw [<->, C] (backend) -- (sqlite) node [midway, above, sloped] (TextNode) {SQL}; \draw [<->, C] (backend) -- (alt) node [midway, above, sloped] (TextNode) {SQL}; \end{tikzpicture} \end{center} \end{frame} \begin{frame} \frametitle{Taler: Wallet Architecture} \framesubtitle{Background: \url{https://anastasis.lu/}} \begin{center} \begin{tikzpicture} \tikzstyle{def} = [node distance= 5em and 4.5em, inner sep=1em, outer sep=.3em]; \node (origin) at (0,0) {}; \node (gui) [def,above=of origin,draw]{wallet-gui}; \node (core) [def,below=of gui,draw]{wallet-core}; \node (sync) [def, draw, below left=of core] {Sync}; \node (taler) [def, draw, below right=of core] {Taler}; \node (anastasis) [def, draw, below=of core] {Anastasis}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<->, C] (gui) -- (core) node [midway, above, sloped] (TextNode) {}; \draw [<->, C] (core) -- (sync) node [midway, above, sloped] (TextNode) {Backup}; \draw [<->, C] (core) -- (taler) node [midway, above, sloped] (TextNode) {Payment}; \draw [<->, C] (core) -- (anastasis) node [midway, above, sloped] (TextNode) {Key Escrow}; \end{tikzpicture} \end{center} \end{frame} \begin{frame}{Taler: Unique Regulatory Features for Central Banks} \framesubtitle{\url{https://www.snb.ch/en/mmr/papers/id/working_paper_2021_03}} \begin{itemize} \item Central bank issues digital coins equivalent to issuing cash \\ $\Rightarrow$ monetary policy remains under CB control \item Architecture with consumer accounts at commercial banks \\ $\Rightarrow$ no competition for commercial banking 
(S\&L) \\ $\Rightarrow$ CB does not have to manage KYC, customer support \item Withdrawal limits and denomination expiration \\ $\Rightarrow$ protects against bank runs and hoarding \item Income transparency and possibility to set fees \\ $\Rightarrow$ additional insights into economy and new policy options \item Revocation protocols and loss limitations \\ $\Rightarrow$ exit strategy and handles catastrophic security incidents \item Privacy by cryptographic design not organizational compliance \\ $\Rightarrow$ CB cannot be forced to facilitate mass-surveillance \end{itemize} \end{frame} \begin{frame}{Usability of Taler} \vfill \begin{center} \url{https://demo.taler.net/} \end{center} \begin{enumerate} \item Install browser extension. \item Visit the {\tt bank.demo.taler.net} to withdraw coins. \item Visit the {\tt shop.demo.taler.net} to spend coins. \end{enumerate} \vfill \end{frame} \begin{frame}{Social Impact of Taler} \begin{center} \includegraphics[height=0.9\textheight]{../../social-impact.pdf} \end{center} \end{frame} \begin{frame}{Use Case: Journalism} Today: \begin{itemize} \item Corporate structure % ($\Rightarrow$ filter) \item Advertising primary revenue % ($\Rightarrow$ dependence) \item Tracking readers critical for business success \item Journalism and marketing hard to distinguish \end{itemize}\vfill\pause With GNU Taler: \begin{itemize} \item One-click micropayments per article \item Hosting requires no expertise % (no PCI DSS) \item Reader-funded reporting separated from marketing \item Readers can remain anonymous \end{itemize} \end{frame} \begin{frame}{Use Cases: Refugee Camps} Today: \begin{itemize} \item Non-bankable \item Direct distribution of goods to population \item Limited economic activity in camps \item High level of economic dependence \end{itemize}\vfill\pause With GNU Taler: \begin{itemize} \item Local currency issued as basic income backed by aid \item Taxation possible based on economic status \item Local governance enabled by 
local taxes \item Increased economic independence and political participation \end{itemize} \end{frame} \begin{frame}{Use Case: Anti-Spam} \framesubtitle{Background: \url{https://pep.security/}} Today, p$\equiv$p provides authenticated encryption for e-mail: \begin{itemize} \item Free software \item Easy to use opportunistic encryption \item Available for Outlook, Android, Enigmail \item Spies \& spam filters can no longer inspect content \end{itemize}\vfill\pause With GNU Taler: \begin{itemize} \item Peer-to-peer payments via e-mail \item If unsolicited sender, hide messages from user \& automatically request payment from sender \item Sender can attach payment to be moved to inbox \item Receiver may grant refund to sender \end{itemize} \end{frame} \begin{frame}[c]{Example: The Taler Snack Machine\footnote{by M. Boss and D. Hofer}} \framesubtitle{Integration of a MDB/ICP to Taler gateway.\\Implementation of a NFC or QR-Code to Taler wallet interface.} \vfill \begin{figure} \centering \includegraphics[width=1.0\textwidth]{design} \end{figure} \end{frame} \begin{frame}[t]{Software architecture for the Taler Snack Machine} \framesubtitle{Code at \url{https://git.taler.net/taler-mdb}} \begin{figure} \centering \includegraphics[width=.9\textwidth]{software_stack} \end{figure} \end{frame} \begin{frame}[c]{User story: Install App on Android} \framesubtitle{\url{https://wallet.taler.net/}} \begin{figure} \includegraphics[width=0.9\textwidth]{download_wallet.png} \end{figure} \end{frame} \begin{frame}{User story: Withdraw e-cash} \begin{figure} \includegraphics[width=0.9\textwidth]{get_taler_coins.png} \end{figure} \end{frame} \begin{frame}{User story: Use machine!} \begin{figure} \includegraphics[width=0.9\textwidth]{get_snacks.png} \end{figure} \end{frame} \begin{frame}{How does it work?} We use a few ancient constructions: \begin{itemize} \item Cryptographic hash function (1989) \item Blind signature (1983) \item Schnorr signature (1989) \item Diffie-Hellman key exchange 
(1976)
\item Cut-and-choose zero-knowledge proof (1985)
\end{itemize}
But of course we use modern instantiations.
\end{frame}
\begin{frame}{Definition: Taxability}
We say Taler is taxable because:
\begin{itemize}
\item Merchant's income is visible from deposits.
\item Hash of contract is part of deposit data.
\item State can trace income and enforce taxation.
\end{itemize}\pause
Limitations:
\begin{itemize}
\item withdrawal loophole
\item {\em sharing} coins among family and friends
\end{itemize}
\end{frame}
\begin{frame}{Exchange setup: Create a denomination key (RSA)}
\begin{minipage}{6cm}
\begin{enumerate}
\item Pick two large random primes $p,q$ (kept secret).
\item Compute $n := pq$, $\phi(n) = (p-1)(q-1)$
\item Pick a (small) $e$ with $\gcd(e,\phi(n)) = 1$, so that the private exponent $d := e^{-1} \mod \phi(n)$ exists.
\item Publish public key $(e,n)$; keep $d$ (and $p,q$) private.
\end{enumerate}
\end{minipage}
\begin{minipage}{6cm}
\begin{tikzpicture}
\tikzstyle{def} = [node distance=1em and 1em, inner sep=0em, outer sep=.3em];
\node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
\node (primes) [draw=none, below = of origin] at (0,0) {$(p, q)$};
\node (seal) [def, draw=none, below left=of primes]{\includegraphics[width=0.15\textwidth]{seal.pdf}};
\node (hammer) [def, draw=none, below right=of primes]{\includegraphics[width=0.15\textwidth]{hammer.pdf}};
\tikzstyle{C} = [color=black, line width=1pt]
\draw [<-, C] (primes) -- (origin) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (hammer) -- (primes) node [midway, above, sloped] (TextNode) {};
\end{tikzpicture}
% \includegraphics[width=0.4\textwidth]{seal.pdf}
\end{minipage}
\end{frame}
\begin{frame}{Merchant: Create a signing key (EdDSA)}
\begin{minipage}{6cm}
\begin{itemize}
\item pick random $m \mod o$ as private key ($o$: order of the base point $G$)
\item $M = mG$ public key
\end{itemize}
\end{minipage}
\begin{minipage}{6cm}
\begin{tikzpicture}
\tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
\node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
\node (m) [draw=none, below = of origin] at (0,0) {$m$};
\node (seal) [draw=none, below=of m]{$M$};
\tikzstyle{C} = [color=black, line width=1pt]
\draw [<-, C] (m) -- (origin) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (seal) -- (m) node [midway, above, sloped] (TextNode) {};
\end{tikzpicture}
\end{minipage}
\parbox[t]{3cm}{{\bf Capability:} $m \Rightarrow$ }
\raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{merchant-sign.pdf}}
\end{frame}
\begin{frame}{Customer: Create a planchet (EdDSA)}
\begin{minipage}{8cm}
\begin{itemize}
\item Pick random $c \mod o$ private key (kept in the wallet)
\item $C = cG$ public key (becomes the coin's public key)
\end{itemize}
\end{minipage}
\begin{minipage}{4cm}
\begin{tikzpicture}
\tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
\node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
\node (c) [draw=none, below = of origin] at (0,0) {$c$};
\node (planchet) [draw=none, below=of c]{\includegraphics[width=0.4\textwidth]{planchet.pdf}};
\tikzstyle{C} = [color=black, line width=1pt]
\draw [<-, C] (c) -- (origin) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (planchet) -- (c) node [midway, above, sloped] (TextNode) {};
\end{tikzpicture}
\end{minipage}
\parbox[t]{3cm}{{\bf Capability:} $c \Rightarrow$ }
\raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{planchet-sign.pdf}}
\end{frame}
\begin{frame}{Customer: Blind planchet (RSA)}
\begin{minipage}{6cm}
\begin{enumerate}
\item Obtain the denomination public key $(e,n)$ from the exchange
\item Compute $f := FDH(C)$ (full-domain hash, so $f < n$).
\item Pick a fresh, uniformly random blinding factor $b \in \mathbb{Z}_n^*$ (invertible mod $n$, so it can be removed again)
\item Transmit $f' := f b^e \mod n$ (the exchange never sees $f$ or $C$)
\end{enumerate}
\end{minipage}
\begin{minipage}{6cm}
\begin{tikzpicture}
\tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
\node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
\node (b) [def, draw=none, below = of origin] at (0,-0.2) {$b$};
\node (blinded) [def, draw=none, below right=of b]{\includegraphics[width=0.2\textwidth]{blinded.pdf}};
\node (planchet) [def, draw=none, above right=of blinded]{\includegraphics[width=0.15\textwidth]{planchet.pdf}};
\node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
\tikzstyle{C} = [color=black, line width=1pt]
\draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
\end{tikzpicture}
\end{minipage}
\end{frame}
\begin{frame}{Exchange: Blind sign (RSA)}
\begin{minipage}{6cm}
\begin{enumerate}
\item Receive $f'$.
\item Compute $s' := f'^d \mod n$.
\item Send signature $s'$.
\end{enumerate}
\end{minipage}
\begin{minipage}{6cm}
\begin{tikzpicture}
\tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
\node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}};
\node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
\node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
\node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer};
\tikzstyle{C} = [color=black, line width=1pt]
\draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}};
\end{tikzpicture}
\end{minipage}
\end{frame}
\begin{frame}{Customer: Unblind coin (RSA)}
\begin{minipage}{6cm}
\begin{enumerate}
\item Receive $s'$.
\item Compute $s := s' b^{-1} \mod n$
% \\
% ($(f')^d = (f b^e)^d = f^d b$).
\item Check $s^e \equiv FDH(C) \mod n$ before accepting the coin (rejects a malformed signature).
\end{enumerate}
\end{minipage}
\begin{minipage}{6cm}
\begin{tikzpicture}
\tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
\node (b) [def, draw=none] at (0,0) {$b$};
\node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
\node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
\tikzstyle{C} = [color=black, line width=1pt]
\draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
\end{tikzpicture}
\end{minipage}
\end{frame}
\begin{frame}{Withdrawing coins on the Web}
\begin{center}
\includegraphics[height=0.9\textheight]{figs/taler-withdraw.pdf}
\end{center}
\end{frame}
\begin{frame}{Customer: Build shopping cart}
\begin{center}
\begin{tikzpicture}
\tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
\node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{shop.pdf}};
\node (cart) [draw=none, below=of origin]{\includegraphics[width=0.2\textwidth]{cart.pdf}};
\node (merchant) [node distance=4em and 0.5em, draw, below =of cart]{Merchant};
\tikzstyle{C} = [color=black, line width=1pt];
\draw [<-, C] (cart) -- (origin) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (merchant) -- (cart) node [midway, above, sloped] (TextNode) {{\small transmit}};
\end{tikzpicture}
\end{center}
\end{frame}
\begin{frame}{Merchant Integration: Payment Request}
% \begin{figure}[p!]
\lstset{language=HTML5}
\lstinputlisting{figs/taler-402.html}
% \caption{Sample HTTP response to prompt the wallet to show an offer.}
% \label{listing:http-contract}
% \end{figure}
% \begin{figure*}[p!]
% \lstset{language=HTML5}
% \lstinputlisting{figs/taler-contract.html}
% \caption{Sample JavaScript code to prompt the wallet to show an offer.
% Here, the contract is fetched on-demand from the server.
% The {\tt taler\_pay()} function needs to be invoked
% when the user triggers the checkout.}
% \label{listing:contract}
% \end{figure*}
\end{frame}
\begin{frame}{Merchant Integration: Contract}
% \begin{figure*}[t!]
{\tiny
\lstset{language=JavaScript}
\lstinputlisting{figs/taler-contract.json}
% \caption{Minimal Taler contract over a digital article with a value of \EUR{0.10}.
% The merchant will pay transaction fees up to \EUR{0.01}.
% The hash over the wire transfer information was truncated to make it fit to the page.}
% \label{listing:json-contract}
% \end{figure*}
}
\end{frame}
\begin{frame}{Merchant: Propose contract (EdDSA)}
\begin{minipage}{6cm}
\begin{enumerate}
\item Complete proposal $D$.
\item Send $D$, $EdDSA_m(D)$
\end{enumerate}
\end{minipage}
\begin{minipage}{6cm}
\begin{tikzpicture}
\tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer sep=.3em];
\node (cart) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{cart.pdf}};
\node (proposal) [def, draw=none, below right=of cart]{\includegraphics[width=0.5\textwidth]{merchant_propose.pdf}};
\node (customer) [node distance=4em and 0.5em, draw, below =of proposal]{Customer};
\tikzstyle{C} = [color=black, line width=1pt];
\node (sign) [def, draw=none, above right=of proposal] {$m$};
\tikzstyle{C} = [color=black, line width=1pt]
\draw [<-, C] (proposal) -- (sign) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (proposal) -- (cart) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (customer) -- (proposal) node [midway, above, sloped] (TextNode) {{\small transmit}};
\end{tikzpicture}
\end{minipage}
\end{frame}
\begin{frame}{Customer: Spend coin (EdDSA)}
\begin{minipage}{6cm}
\begin{enumerate}
\item Receive proposal $D$, $EdDSA_m(D)$; verify the signature under $M$ before signing anything.
\item Send $s$, $C$, $EdDSA_c(D)$ (coin signature, coin public key, contract signature)
\end{enumerate}
\end{minipage}
\begin{minipage}{6cm}
\begin{tikzpicture}
\tikzstyle{def} = [node distance=2em and 0.4em, inner sep=0em, outer sep=.3em];
\node (proposal) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}};
\node (contract) [def, draw=none, below right=of proposal]{\includegraphics[width=0.3\textwidth]{contract.pdf}};
\node (c) [def, draw=none, above=of contract] {$c$};
\node (merchant) [node distance=4em and 0.5em, draw, below=of contract]{Merchant};
\node (coin) [def, draw=none, right=of contract]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
\tikzstyle{C} = [color=black, line width=1pt]
\draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (contract) -- (proposal) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (merchant) -- (contract) node [midway, above, sloped] (TextNode) {{\small transmit}};
\draw [<-, C] (merchant) -- (coin) node [midway, below, sloped] (TextNode) {{\small transmit}};
\end{tikzpicture}
\end{minipage}
\end{frame}
\begin{frame}{Merchant and Exchange: Verify coin (RSA)}
\begin{minipage}{6cm}
\begin{equation*}
s^e \stackrel{?}{\equiv} FDH(C) \mod n
\end{equation*}
\end{minipage}
\begin{minipage}{6cm}
\begin{minipage}{0.2\textwidth}
\includegraphics[width=\textwidth]{coin.pdf}
\end{minipage}
$\stackrel{?}{\Leftrightarrow}$
\begin{minipage}{0.2\textwidth}
\includegraphics[width=\textwidth]{seal.pdf}
\end{minipage}
\end{minipage}
\vfill
Both also check $EdDSA_c(D)$ under $C$, which binds the coin to this particular contract.
The exchange not only verifies these signatures, it also checks that the coin was not already spent (double-spending detection), so the merchant must wait for the exchange's answer before treating the payment as complete.
\vfill
\pause
\begin{center}
{\bf Taler is an online payment system.}
\end{center}
\vfill
\end{frame}
\begin{frame}{Requirements: Online vs.
Offline Digital Currencies} \framesubtitle{\url{https://taler.net/papers/euro-bearer-online-2021.pdf}} \begin{itemize} \item Offline capabilities are sometimes cited as a requirement for digital payment solutions \item All implementations must either use restrictive hardware elements and/or introduce counterparty risk. \item[$\Rightarrow$] Permanent offline features weaken a digital payment solution (privacy, security) \item[$\Rightarrow$] Introduces unwarranted competition for physical cash (endangers emergency-preparedness). \end{itemize} We recommend a tiered approach: \begin{enumerate} \item Online-first, bearer-based digital currency with Taler \item (Optional:) Limited offline mode for network outages \item Physical cash for emergencies (power outage, catastrophic cyber incidents) \end{enumerate} \end{frame} \begin{frame}{Payment processing with Taler} \begin{center} \includegraphics[height=0.9\textheight]{figs/taler-pay.pdf} \end{center} \end{frame} \begin{frame}{Giving change} It would be inefficient to pay EUR 100 with 1 cent coins! \begin{itemize} \item Denomination key represents value of a coin. \item Exchange may offer various denominations for coins. \item Wallet may not have exact change! \item Usability requires ability to pay given sufficient total funds. \end{itemize}\pause Key goals: \begin{itemize} \item maintain unlinkability \item maintain taxability of transactions \end{itemize}\pause Method: \begin{itemize} \item Contract can specify to only pay {\em partial value} of a coin. \item Exchange allows wallet to obtain {\em unlinkable change} for remaining coin value. 
\end{itemize} \end{frame} \begin{frame}{Diffie-Hellman (ECDH)} \begin{minipage}{8cm} \begin{enumerate} \item Create private keys $c,t \mod o$ \item Define $C = cG$ \item Define $T = tG$ \item Compute DH \\ $cT = c(tG) = t(cG) = tC$ \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t$}; \node (ct) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{dh.pdf}}; \node (c) [def, draw=none, above left= of ct] {$c$}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (ct) -- (c) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (ct) -- (t) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Strawman solution} \begin{minipage}{8cm} Given partially spent private coin key $c_{old}$: \begin{enumerate} % \item Let $C_{old} := c_{old}G$ (as before) \item Pick random $c_{new} \mod o$ private key \item $C_{new} = c_{new}G$ public key \item Pick random $b_{new}$ \item Compute $f_{new} := FDH(C_{new})$, $m < n$. \item Transmit $f'_{new} := f_{new} b_{new}^e \mod n$ \end{enumerate} ... and sign request for change with $c_{old}$. 
\end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (blinded) [def, draw=none]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (planchet) [def, draw=none, above left= of blinded] {\includegraphics[width=0.15\textwidth]{planchet.pdf}}; \node (cnew) [def, draw=none, above= of planchet] {$c_{new}$}; \node (bnew) [def, draw=none, above right= of blinded] {$b_{new}$}; \node (dice1) [def, draw=none, above = of cnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dice2) [def, draw=none, above = of bnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (cnew) -- (dice1) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (planchet) -- (cnew) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bnew) -- (dice2) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bnew) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \pause \vfill {\bf Problem: Owner of $c_{new}$ may differ from owner of $c_{old}$!} \end{frame} \begin{frame}{Customer: Transfer key setup (ECDH)} \begin{minipage}{8cm} Given partially spent private coin key $c_{old}$: \begin{enumerate} \item Let $C_{old} := c_{old}G$ (as before) \item Create random private transfer key $t \mod o$ \item Compute $T := tG$ \item Compute $X := c_{old}(tG) = t(c_{old}G) = tC_{old}$ \item Derive $c_{new}$ and $b_{new}$ from $X$ \item Compute $C_{new} := c_{new}G$ \item Compute $f_{new} := FDH(C_{new})$ \item Transmit $f_{new}' := f_{new} b_{new}^e$ \end{enumerate} \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = 
[node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t$}; \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Cut-and-Choose} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t_1$}; \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$}; \node (blinded) [def, draw=none, below right=of 
cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t_2$}; \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,2}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,2}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node 
[midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (t) [def, draw=none] at (0,0) {$t_3$}; \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Exchange: Choose!} \begin{center} \item Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the customer. 
\end{center} \end{frame} \begin{frame}{Customer: Reveal} \begin{enumerate} \item If $\gamma = 1$, send $t_2$, $t_3$ to exchange \item If $\gamma = 2$, send $t_1$, $t_3$ to exchange \item If $\gamma = 3$, send $t_1$, $t_2$ to exchange \end{enumerate} \end{frame} \begin{frame}{Exchange: Verify ($\gamma = 2$)} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (h) [def, draw=none] at (0,0) {$t_1$}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$C_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \begin{minipage}{4cm} \ \end{minipage} \begin{minipage}{4cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (h) [def, draw=none] at (0,0) {$t_3$}; \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (d) [def, draw=none, above left= of dh] {$C_{old}$}; \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$}; \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$}; \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \tikzstyle{C} = [color=black, 
line width=1pt] \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Exchange: Blind sign change (RSA)} \begin{minipage}{6cm} \begin{enumerate} \item Take $f_{new,\gamma}'$. \item Compute $s' := f_{new,\gamma}'^d \mod n$. \item Send signature $s'$. \end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}}; \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}}; \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Customer: Unblind change (RSA)} \begin{minipage}{6cm} \begin{enumerate} \item Receive $s'$. \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$. 
\end{enumerate} \end{minipage} \begin{minipage}{6cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$}; \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Exchange: Allow linking change} \begin{minipage}{7cm} \begin{center} Given $C_{old}$ \vspace{1cm} return $T_\gamma$, $s := s' b_{new,\gamma}^{-1} \mod n$. \end{center} \end{minipage} \begin{minipage}{5cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer sep=.3em]; \node (co) [def, draw=none] at (0,0) {$C_{old}$}; \node (T) [def, draw=none, below left=of co]{$T_\gamma$}; \node (sign) [def, draw=none, below right=of co]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; \node (customer) [def, draw, below right=of T] {Customer}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode) {link}; \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode) {link}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Customer: Link (threat!)} \begin{minipage}{6.3cm} \begin{enumerate} \item Have $c_{old}$. 
\item Obtain $T_\gamma$, $s$ from exchange \item Compute $X_\gamma = c_{old}T_\gamma$ \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$ \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$ \end{enumerate} \end{minipage} \begin{minipage}{5.7cm} \begin{tikzpicture} \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; \node (T) [def, draw=none] at (0,0) {$T_\gamma$}; \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange}; \node (signed) [def, draw=none, below left=of T]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; \node (dh) [def, draw=none, below right=of T]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; \node (bp) [def, draw=none, below left= of dh] {$b_{new,\gamma}$}; \node (co) [def, draw=none, above right= of dh] {$c_{old}$}; \node (cp) [def, draw=none, below= of dh] {$c_{new,\gamma}$}; \node (coin) [def, draw=none, below left = of bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; \node (psign) [def, node distance=2.5em and 0em, draw=none, below = of cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}}; \tikzstyle{C} = [color=black, line width=1pt] \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {}; \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode) {link}; \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped] (TextNode) {link}; \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped] (TextNode) {}; \end{tikzpicture} \end{minipage} \end{frame} \begin{frame}{Refresh protocol summary} \begin{itemize} \item Customer asks exchange to convert old coin to new coin \item 
Protocol ensures new coins can be recovered from old coin \item[$\Rightarrow$] New coins are owned by the same entity! \end{itemize} Thus, the refresh protocol allows: \begin{itemize} \item To give unlinkable change. \item To give refunds to an anonymous customer. \item To expire old keys and migrate coins to new ones. \item To handle protocol aborts. \end{itemize} \noindent \begin{center} \bf Transactions via refresh are equivalent to {\em sharing} a wallet. \end{center} \end{frame} \begin{frame}{Warranting deposit safety} Exchange has {\em another} online signing key $W = wG$: \begin{center} Sends $EdDSA_w(M,H(D),FDH(C))$ to the merchant. \end{center} This signature means that $M$ was the {\em first} to deposit $C$ and that the exchange thus must pay $M$. \vfill \begin{center} Without this, an evil exchange could renege on the deposit confirmation and claim double-spending if a coin were deposited twice, and then not pay either merchant! \end{center} \end{frame} \begin{frame}{Online keys} \begin{itemize} \item The exchange needs $d$ and $w$ to be available for online signing. \item The corresponding public keys $W$ and $(e,n)$ are certified using Taler's public key infrastructure (which uses offline-only keys). \end{itemize} \begin{center} \includegraphics[width=0.5\textwidth]{taler-diagram-signatures.png} \end{center} \vfill \begin{center} {\bf What happens if those private keys are compromised?} \end{center} \vfill \end{frame} \begin{frame}{Denomination key $(e,n)$ compromise} \begin{itemize} \item An attacker who learns $d$ can sign an arbitrary number of illicit coins into existence and deposit them. \item Auditor and exchange can detect this once the total number of deposits (illicit and legitimate) exceeds the number of legitimate coins the exchange created. \item At this point, $(e,n)$ is {\em revoked}. Users of {\em unspent} legitimate coins reveal $b$ from their withdrawal operation and obtain a {\em refund}. 
\item The financial loss of the exchange is {\em bounded} by the number of legitimate coins signed with $d$. \item[$\Rightarrow$] Taler frequently rotates denomination signing keys and deletes $d$ after the signing period of the respective key expires. \end{itemize} \begin{center} \includegraphics[width=0.5\textwidth]{taler-diagram-denom-expiration.png} \end{center} \end{frame} \begin{frame}{Online signing key $W$ compromise} \begin{itemize} \item An attacker who learns $w$ can sign deposit confirmations. \item Attacker sets up two (or more) merchants and customer(s) which double-spend legitimate coins at both merchants. \item The merchants only deposit each coin once at the exchange and get paid once. \item The attacker then uses $w$ to fake deposit confirmations for the double-spent transactions. \item The attacker uses the faked deposit confirmations to complain to the auditor that the exchange did not honor the (faked) deposit confirmations. \end{itemize} The auditor can then detect the double-spending, but cannot tell who is to blame, and (likely) would presume an evil exchange, forcing it to pay both merchants. \end{frame} \begin{frame}{Detecting online signing key $W$ compromise} \begin{itemize} \item Merchants are required to {\em probabilistically} report signed deposit confirmations to the auditor. \item Auditor can thus detect exchanges not reporting signed deposit confirmations. \item[$\Rightarrow$] Exchange can rekey if illicit key use is detected, then only has to honor deposit confirmations it already provided to the auditor {\em and} those without proof of double-spending {\em and} those merchants reported to the auditor. \item[$\Rightarrow$] Merchants that do not participate in reporting to the auditor risk their deposit permissions being voided in cases of an exchange's private key being compromised. 
\end{itemize} \end{frame} \section{Competitor analysis} \begin{frame}{Competitor comparison} \begin{center} \small \begin{tabular}{l||c|c|c|c|c} & Cash & Bitcoin & Zerocoin & Creditcard & GNU Taler \\ \hline \hline Online &$-$$-$$-$ & ++ & ++ & + & +++ \\ \hline Offline & +++ & $-$$-$ & $-$$-$ & + & $-$$-$ \\ \hline Trans. cost & + & $-$$-$$-$ & $-$$-$$-$ & $-$ & ++ \\ \hline Speed & + & $-$$-$$-$ & $-$$-$$-$ & o & ++ \\ \hline Taxation & $-$ & $-$$-$ & $-$$-$$-$ & +++ & +++ \\ \hline Payer-anon & ++ & o & ++ & $-$$-$$-$ & +++ \\ \hline Payee-anon & ++ & o & ++ & $-$$-$$-$ & $-$$-$$-$ \\ \hline Security & $-$ & o & o & $-$$-$ & ++ \\ \hline Conversion & +++ & $-$$-$$-$ & $-$$-$$-$ & +++ & +++ \\ \hline Libre & $-$ & +++ & +++ & $-$ $-$ $-$ & +++ \\ \end{tabular} \end{center} \end{frame} \begin{frame}{Taler: Project Status} \framesubtitle{\url{https://docs.taler.net/}} \begin{itemize} \item Cryptographic protocols and core exchange component are stable \item Current focus: Merchant integration, settlement integration, wallet backup \item Pilot project at Bern University of Applied Sciences cafeteria \item Internal alpha deployment with a commercial bank in progress \end{itemize} \end{frame} \begin{frame}{Next Steps: Possible Projects and Collaborations} \vfill \begin{center} \includegraphics[width=1.0\textwidth]{taler-in-use.png} \end{center} \end{frame} \begin{frame}{Area I: System Integration and Partnerships} \framesubtitle{\url{https://lists.gnu.org/mailman/listinfo/taler}} Pilots with banking organizations could: \begin{itemize} \item Study integration with the underlying RTGS layer: \begin{itemize} \item Develop standardized operational procedures \item Assess transaction performance at scale \item Perform cost analysis in banking environment \item Assess effort for integration with commercial banks \end{itemize} \item Analyze regulatory considerations for different legislations % \item Building awareness of Taler as a bearer-based retail CBDC \item Perform 
independent security audits of Taler components \item Determine and possibly close gaps in the existing solution \end{itemize} \end{frame} \begin{frame}{Area II: Development/Research Extensions} \framesubtitle{Background: \url{https://myoralvillage.org/}} We have ideas for protocol extensions and ``programmable money'': \begin{itemize} \item Mediated wallet-to-wallet payments (instead of customer-to-merchant) \item Privacy-preserving auctions (trading, currency exchange) \item Age-restricted private payments for children (youth protection) \end{itemize} Central banks should also consider funding research to improve: \begin{itemize} \item General digital wallet usability and availability \item Accessibility features for illiterate and innumerate users \item Projects that facilitate integration at retailers \begin{itemize} \item Hardware and software support for embedded systems \item Integration into off-the-self E-commerce systems \end{itemize} \item Protocol extensions for automated tax reporting \end{itemize} \end{frame} \begin{frame}{How to support?} \begin{description} \item[Join:] {\small \url{https://lists.gnu.org/mailman/listinfo/taler}}, \\ \url{irc://irc.freenode.net/\#taler} \item[Develop:] \url{https://bugs.taler.net/}, \url{https://git.taler.net/} \item[Translate:] \url{https://weblate.taler.net/}, \url{translation-volunteer@taler.net} \item[Integrate:] \url{https://docs.taler.net/} \item[Donate:] \url{https://gnunet.org/ev} \item[Invest:] \url{https://taler-systems.com/} \end{description} \end{frame} \begin{frame}{Conclusion} \begin{center} {\bf What can we do?} \end{center} \vfill \begin{itemize} \item{Suffer mass-surveillance enabled by credit card oligopolies with high fees, and} \item{Engage in arms race with deliberately unregulatable blockchains} % \item{Enjoy the ``benefits'' of cash \\ % \hfill \includegraphics[height=0.3\textheight]{atm-rupee.jpg} \hfill} \end{itemize} \vfill \begin{center} {\bf OR} \end{center} \vfill \begin{itemize} 
\item{Establish a free software alternative balancing social goals!}
{\bf Asiacrypt}, 2015.} \label{bib:rogaway} \end{enumerate} } \begin{center} {\bf Let money facilitate trade; but ensure capital serves society.} \end{center} \end{frame} \section{Integration with the core banking system} \begin{frame} \vfill \begin{center} {\bf Part II: Integration with the core banking system} \end{center} \vfill \end{frame} \begin{frame} \frametitle{High-level Deployment Recipe} \dots as a bank \begin{enumerate} \item Create an escrow bank account for the exchange with EBICS access \item Provision offline signing machine (or account during testing) \item Provision two PostgreSQL databases (for LibEuFin Nexus and exchange) \item Provision user-facing exchange service and secmod processes \item Provision LibEuFin Nexus (connected to escrow account and providing an internal API to the exchange) \item Test using the ``taler-wallet-cli`` \end{enumerate} \end{frame} \begin{frame}{Exchange escrow account access} The Taler exchange needs to communicate with the core banking system \dots \begin{itemize} \item to query for transactions into the exchange's escrow account \item to initiate payments of aggregated Taler deposits to merchants \end{itemize} In a Taler deployment, the \emph{Taler Wire Gateway} provides an API to the exchange for Taler-specific access to the Exchange's escrow account. Multiple implementations of the Taler Wire Gateway exist: \begin{itemize} \item a self-contained play money demo bank \item LibEuFin, an adapter to EBICS and other protocols \end{itemize} \end{frame} \begin{frame}{LibEuFin} LibEuFin is a standalone project that provides adapters to bank account access APIs. 
\begin{itemize} \item LibEuFin provides both a generic access layer and an implementation of the Taler Wire Gateway API for the exchange \item currently, only EBICS 2.5 is supported \item other APIs such as FinTS or PSD2-style XS2A APIs can be added without requiring changes to the Exchange \item tested with a GLS business account \end{itemize} \end{frame} \begin{frame}{LibEuFin Concepts} \begin{itemize} \item A LibEuFin \emph{bank connection} is a set of credentials and parameters to talk to the bank's account access API. \item A LibEuFin \emph{bank account} is the information about a bank account (balances, transactions, payment initiations) stored locally within the LibEuFin service. A LibEuFin bank account has a default Bank Connection that is used to communicate with the bank's API. \item A \emph{facade} provides a domain-specific access layer to bank accounts and connections. The \emph{Taler Wire Gateway Facade} implements the API required by the Taler exchange and translates it to operations on the underlying account/connection. 
\end{itemize} \end{frame} \begin{frame}{LibEuFin Tooling} \begin{itemize} \item \texttt{libeufin-nexus} is the main service \item Almost all configuration (except DB credentials) is stored in the database and managed via a RESTful HTTP API \item \texttt{libeufin-sandbox} implements a toy EBICS host for protocol testing \item \texttt{libeufin-cli} is client for the HTTP API (only implements a subset of available functionality) \end{itemize} \end{frame} \begin{frame}{LibEuFin Setup Overview} \begin{itemize} \item Obtain EBICS subscriber configuration (host URL, host ID, user ID, partner ID) for the Exchange's escrow account \item Deploy the LibEuFin Nexus service \item Create a new LibEuFin bank connection (of type \texttt{ebics}) \item Export and back up the key material for the bank connection (contains EBICS subscriber configuration and private keys) \item Send subscriber initialization to the EBICS host (electronically) \item Export key letter and activate subscriber in the EBICS host (manually) \item Synchronize the bank connection \item Import the account into LibEuFin \item Create a Taler Wire Gateway facade \item Set up scheduled tasks for ingesting new transactions / sending payment initiations \end{itemize} \end{frame} \begin{frame}{LibEuFin Implementation Limitations} \begin{itemize} \item LibEuFin is less stable than other Taler components, and future updates might contain breaking changes (tooling, APIs and database schema) \item Error handling and recovery is still rather primitive \item The Taler Wire Gateway does not yet implement automatic return transactions when transactions with a malformed subject (i.e. 
no reserve public key) are received \end{itemize} \end{frame} \begin{frame}{LibEuFin EBICS Limitations} The GLS accounts with EBICS access that we have access to have some limitations: \begin{itemize} \item SEPA Instant Credit Transfers aren't supported yet \item Erroneous payment initiations are accepted by the GLS EBICS host, but an error message is later sent only by paper mail (and not reported by the CRZ download request) \item Limited access to transaction history (3 months) \end{itemize} \end{frame} \begin{frame}[fragile]{LibEuFin Setup Guide} \vfill \begin{center} \url{https://docs.taler.net/libeufin/nexus-tutorial.html} \end{center} \vfill \end{frame} \section{Operator security considerations} \begin{frame} \vfill \begin{center} {\bf Part III: Operator security considerations} \end{center} \vfill \end{frame} \begin{frame}{Key management} Taler has many types of keys: \begin{itemize} \item Coin keys \item Denomination keys \item Online message signing keys \item Offline key signing keys \item Merchant keys \item Auditor key \item Security module keys \item Transfer keys \item Wallet keys \item {\em TLS keys, DNSSEC keys} \end{itemize} \end{frame} \begin{frame}{Offline keys} Both exchange and auditor use offline keys. \begin{itemize} \item Those keys must be backed up and remain highly confidential! \item We recommend that computers that have ever had access to those keys to NEVER again go online. \item We recommend using a Raspberry Pi for offline key operations. Store it in a safe under multiple locks and keys. \item Apply full-disk encryption on offline-key signing systems. \item Have 3--5 full-disk backups of offline-key signing systems. \end{itemize} \begin{center} \includegraphics[scale=0.1]{pi.png} \end{center} \end{frame} \begin{frame}{Online keys} The exchange needs RSA and EdDSA keys to be available for online signing. 
\begin{itemize} \item Knowledge of these private keys will allow an adversary to mint digital cash, possibly resulting in huge financial losses (eventually, this will be detected by the auditor, but only after some financial losses have been irrevocably incurred). \item The corresponding public keys are certified using Taler's public key infrastructure (which uses offline-only keys). \end{itemize} \begin{center} \includegraphics[width=0.5\textwidth]{taler-diagram-signatures.png} \end{center} \vfill {\tt taler-exchange-offline} can also be used to {\bf revoke} the online signing keys, if we find they have been compromised. \vfill \end{frame} \begin{frame}{Protecting online keys} The exchange needs RSA and EdDSA keys to be available for online signing. \begin{itemize} \item {\tt taler-exchange-secmod-rsa} and {\tt taler-exchange-secmod-eddsa} are the only processes that must have access to the private keys. \item The secmod processes should run under a different UID than {\tt taler-exchange-httpd} (so that a compromise of the HTTP frontend does not directly expose the private keys), but share the same GID with the exchange. \item The secmods generate the keys, allow {\tt taler-exchange-httpd} to sign with them, and eventually delete the private keys. \item Communication between secmods and {\tt taler-exchange-httpd} is via a UNIX domain socket. \item Online private keys are stored on disk (not in the database!) and should NOT be backed up: every backup copy is another place from which they could be stolen, and RAID should suffice against disk failure. If a disk is lost, we can always create fresh replacement keys! \end{itemize} \end{frame} \begin{frame}{Database} The exchange needs the database to detect double spending. \begin{itemize} \item Loss of the database will allow technically skilled people to double-spend their digital cash, possibly resulting in significant financial losses. \item The database contains the total amounts customers withdrew and merchants received, i.e. sensitive private banking data. It must also not become public. \item The auditor must have a (current) copy. Asynchronous replication is considered sufficient. 
This copy could also be used as an additional (off-site?) backup. \end{itemize} \end{frame} \begin{frame}{taler-exchange-wirewatch} {\tt taler-exchange-wirewatch} needs credentials to access data about incoming wire transfers from the Nexus. \begin{itemize} \item This tool should run as a separate UID and GID (from {\tt taler-exchange-httpd}). \item It must have access to the Postgres database (SELECT + INSERT). \item Its configuration file contains the credentials to talk to Nexus. \item[$\Rightarrow$] Configuration should be separate from {\tt taler-exchange-httpd}. \end{itemize} \end{frame} \begin{frame}{taler-exchange-transfer} Only {\tt taler-exchange-transfer} needs credentials to initiate wire transfers using the Nexus. \begin{itemize} \item This tool should run as a separate UID and GID (from {\tt taler-exchange-httpd}). \item It must have access to the Postgres database (SELECT + INSERT). \item Its configuration file contains the credentials to talk to Nexus. \item[$\Rightarrow$] Configuration should be separate from {\tt taler-exchange-httpd}. \end{itemize} \end{frame} \begin{frame}{Nexus} The Nexus has to be able to interact with the escrow account of the bank. \begin{itemize} \item It must have the private keys to sign EBICS/FinTS messages. \item It also has its own local database. \item The Nexus user and database should be kept separate from the other exchange users and the Taler exchange database. \end{itemize} \end{frame} \begin{frame}{Hardware} General notions: \begin{itemize} \item Platforms with disabled Intel ME \& disabled remote administration are safer. \item VMs are not a security mechanism. Side-channel attacks abound. Avoid running any Taler component in a virtual machine ``for security''. \end{itemize} \end{frame} \begin{frame}{Operating system} General notions: \begin{itemize} \item It should be safe to run the different Taler components (including Nginx, Nexus and Postgres) all on the same physical hardware (under different UIDs/GIDs). 
We would separate them onto different physical machines during scale-out, but not necessarily for ``basic'' security. \item Limiting and auditing system administrator access will be crucial. \item We recommend {\bf not} using any anti-virus software. \item We recommend using a well-supported GNU/Linux operating system (such as Debian or Ubuntu). \end{itemize} \end{frame} \begin{frame}{Network} \begin{itemize} \item We recommend {\bf not} using any host-based firewall; instead, Taler components should communicate via UNIX domain sockets (or bind to localhost) so that internal interfaces are not exposed on the network at all. \item A network-based firewall is not required; if one is deployed, Taler should work fine as long as inbound TCP 80/443 are open. \item Any firewall must also be configured to permit the connection to the auditor for database synchronization. \item We recommend running the Taler exchange behind an Nginx or Apache proxy for TLS termination. \item We recommend using static IP address configurations (IPv4 and IPv6). \item We recommend using DNSSEC with DANE in addition to TLS certificates. \item We recommend auditing the TLS setup using \url{https://observatory.mozilla.org}. \end{itemize} \end{frame} \section{Integration considerations} \begin{frame} \vfill \begin{center} {\bf Part IV: Integration considerations} \end{center} \vfill \end{frame} \begin{frame}[fragile]{RFC 8905: \texttt{payto:} Uniform Identifiers for Payments and Accounts} \vfill Like \texttt{mailto:}, but for bank accounts instead of email accounts! \vfill \begin{verbatim} payto:/// ?subject=InvoiceNr42 &amount=EUR:12.50 \end{verbatim} \vfill Default action: Open app to review and confirm payment. 
\vfill \includegraphics[width=0.25\textwidth]{einzahlschein-ch.jpeg} \hfill \includegraphics[width=0.2\textwidth]{de-ueberweisungsformular.png} \vfill \end{frame} \begin{frame}[fragile]{Benefits of {\tt payto://}} \begin{itemize} \item Standardized way to represent financial resources (bank account, bitcoin wallet) and payments to them \item Useful on the client-side on the Web and for FinTech backend applications \item Payment methods (such as IBAN, ACH, Bitcoin) are registered with IANA and allow extra options \end{itemize} \begin{center} {\bf Taler wallet can generate payto://-URI for withdraw!} \end{center} \end{frame} \end{document} \begin{frame}{Taler {\tt /withdraw/sign}} % Customer withdrawing coins with blind signatures % \bigskip \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Wallet}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[okmsg, dashed] ($(h1.east)+(0, 4.0)+(0, -1.0)$) edge node[msglabel] {SEPA(RK,A)} ($(h2.west)+(0, 3.5)+(0, -1.0)$); \path[okmsg] ($(h1.east)+(0, -1.0)$) edge node[msglabel] {POST {\tt /withdraw/sign} $S_{RK}(DK, B_b(C))$} ($(h2.west)+(0, -1.5)$); \path[okmsg] ($(h2.west)+(0, -2.0)$) edge node[msglabel] {200 OK: $S_{DK}(B_b(C))$)} ($(h1.east)+(0, -2.5)$); \path[rstmsg] ($(h2.west)+(0, -3.5)$) edge node[msglabel] {402 PAYMENT REQUIRED: $S_{RK}(DK, B_b(C))$)} ($(h1.east)+(0, -4)$); \node at 
(5.3, 0) {}; \end{tikzpicture} \end{center} Result: $\langle c, S_{DK}(C) \rangle$. \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$A$] Some amount, $A \ge A_{DK}$ \item[$RK$] Reserve key \item[$DK$] Denomination key \item[$b$] Blinding factor \item[$B_b()$] RSA-FDH blinding % DK supressed \item[$C$] Coin public key $C := cG$ \item[$S_{RK}()$] EdDSA signature \item[$S_{DK}()$] RSA-FDH signature \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}[t]{Taler {\tt /deposit}} Merchant and exchange see only the public coin $\langle C, S_{DK}(C) \rangle$. \bigskip \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Merchant}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[->, color = MidnightBlue, thick, >=stealth] ($(h1.east)+(0,3)$) edge node[text = Black, yshift = .3cm, sloped] {POST {\tt /deposit} $S_{DK}(C), S_{c}(D)$} ($(h2.west)+(0,2)$); \path[->, color = MidnightBlue, thick, >=stealth] ($(h2.west)+(0,0.5)$) edge node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(S_{c}(D))$} ($(h1.east)+(0,-0.5)$); \path[rstmsg] ($(h2.west)+(0, -2.5)$) edge node[msglabel] {409 CONFLICT: $S_{c}(D')$} ($(h1.east)+(0, -3.5)$); \node at (5.3, 0) {}; \end{tikzpicture} \end{center} \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} 
\item[$DK$] Denomination key \item[$S_{DK}()$] RSA-FDH signature using $DK$ \item[$c$] Private coin key, $C := cG$. \item[$S_{c}()$] EdDSA signature using $c$ \item[$D$] Deposit details \item[$SK$] Exchange's signing key \item[$S_{SK}()$] EdDSA signature using $SK$ \item[$D'$] Conflicting deposit details $D' \not= D$ \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}{Taler {\tt /refresh/melt}} \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Customer}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[->, color = MidnightBlue, thick, >=stealth] ($(h1.east)+(0,3)$) edge node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/melt} $S_{DK}(C), S_c({\cal DK}, {\cal T},{\cal B})$} ($(h2.west)+(0,2)$); \path[->, color = MidnightBlue, thick, >=stealth] ($(h2.west)+(0,0.5)$) edge node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(H({\cal T}, {\cal B}),\gamma)$} ($(h1.east)+(0,-0.5)$); \path[rstmsg] ($(h2.west)+(0, -2.5)$) edge node[msglabel] {409 CONFLICT: $S_{C}(X), \ldots$} ($(h1.east)+(0, -3.5)$); \node at (5.3, 0) {}; \end{tikzpicture} \end{center} \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$\kappa$] System-wide security parameter, usually 3. 
\\ \smallskip \item[$\cal DK$] $:= [DK^{(i)}]_i$ \\ List of denomination keys \\ $D + \sum_i A_{DK^{(i)}} < A_{DK}$ \item[$t_j$] Random scalar for $j<\kappa$ \item[${\cal T}$] $:= [T_j]_\kappa$ where $T_j = t_j G$ \item[$k_j$] $:= c T_j = t_j C$ is an ECDHE \item[$b_j^{(i)}$] $:= KDF_b(k_j,i)$ % blinding factor \item[$c_j^{(i)}$] $:= KDF_c(k_j,i)$ % coin secret keys \item[$C_j^{(i)}$] $: = c_j^{(i)} G$ % new coin publics % keys \item[${\cal B}$] $:= [H( \beta_j )]_\kappa$ where \\ $\beta_j := \left[ B_{b_j^{(i)}}(C_j^{(i)}) \right]_i$ \\ \smallskip \item[$\gamma$] Random value in $[0,\kappa)$ % \\ \smallskip % \item[$X$] Deposit or refresh \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}{Taler {\tt /refresh/reveal}} \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Customer}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[->, color = MidnightBlue, thick, >=stealth] ($(h1.east)+(0,3)$) edge node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/reveal} $H({\cal T}, {\cal B}), {\tilde{\cal T}}, \beta_\gamma$} ($(h2.west)+(0,2)$); \path[->, color = MidnightBlue, thick, >=stealth] ($(h2.west)+(0,0.5)$) edge node[text = Black, yshift = .3cm, sloped] {200 OK: $\cal S$} ($(h1.east)+(0,-0.5)$); \path[rstmsg] ($(h2.west)+(0, -2.5)$) edge node[msglabel] {400 BAD REQUEST: $Z$} ($(h1.east)+(0, -3.5)$); \node at 
(5.3, 0) {}; \end{tikzpicture} \end{center} \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$\cal DK$] $:= [DK^{(i)}]_i$ \item[$t_j$] .. \\ \smallskip \item[$\tilde{\cal T}$] $:= [t_j | j \in \kappa, j \neq \gamma]$ \\ \smallskip \item[$k_\gamma$] $:= c T_\gamma = t_\gamma C$ \item[$b_\gamma^{(i)}$] $:= KDF_b(k_\gamma,i)$ \item[$c_\gamma^{(i)}$] $:= KDF_c(k_\gamma,i)$ \item[$C_\gamma^{(i)}$] $: = c_\gamma^{(i)} G$ \item[$B_\gamma^{(i)}$] $:= B_{b_\gamma^{(i)}}(C_\gamma^{(i)})$ \item[$\beta_\gamma$] $:= \big[ B_\gamma^{(i)} \big]_i$ \item[$\cal S$] $:= \left[ S_{DK^{(i)}}( B_\gamma^{(i)} ) \right]_i$ \\ \smallskip \item[$Z$] Cut-and-choose mismatch information \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}{Taler {\tt /refresh/link}} \begin{figure}[th] \begin{minipage}[b]{0.45\linewidth} \begin{center} \begin{tikzpicture}[scale = 0.4, transform shape, msglabel/.style = { text = Black, yshift = .3cm, sloped, midway }, okmsg/.style = { ->, color = MidnightBlue, thick, >=stealth }, rstmsg/.style = { ->, color = BrickRed, thick, >=stealth } ] \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h1) at (-4, 0) {}; \node[draw = MidnightBlue, fill = CornflowerBlue, minimum width = .3cm, minimum height = 10cm ] (h2) at (4, 0) {}; \node[above = 0cm of h1] {Customer}; \node[above = 0cm of h2] {Exchange}; \path[->, color = MidnightBlue, very thick, >=stealth] (-5, 4.5) edge node[rotate=90, text = Black, yshift = .3cm] {Time} (-5, -4.5); \path[->, color = MidnightBlue, thick, >=stealth] ($(h1.east)+(0,3)$) edge node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/link} $C$} ($(h2.west)+(0,2)$); \path[->, color = MidnightBlue, thick, >=stealth] ($(h2.west)+(0,0.5)$) edge node[text = Black, yshift = .3cm, sloped] {200 OK: $T_\gamma$} ($(h1.east)+(0,-0.5)$); \path[rstmsg] ($(h2.west)+(0, -2.5)$) edge node[msglabel] {404 NOT FOUND} ($(h1.east)+(0, -3.5)$); 
\node at (5.3, 0) {}; \end{tikzpicture} \end{center} \end{minipage} \hspace{0.5cm} \begin{minipage}[b]{0.45\linewidth} \tiny \begin{description} \item[$C$] Old coin public key \\ \smallskip \item[$T_\gamma$] Linkage data $\cal L$ at $\gamma$ \end{description} \end{minipage} \end{figure} \end{frame} \begin{frame}{Operational security} \begin{center} \resizebox{\textwidth}{!}{ \begin{tikzpicture}[ font=\sffamily, every matrix/.style={ampersand replacement=\&,column sep=2cm,row sep=2cm}, source/.style={draw,thick,rounded corners,fill=green!20,inner sep=.3cm}, process/.style={draw,thick,circle,fill=blue!20}, sink/.style={source,fill=green!20}, datastore/.style={draw,very thick,shape=datastore,inner sep=.3cm}, dots/.style={gray,scale=2}, to/.style={->,>=stealth',shorten >=1pt,semithick,font=\sffamily\footnotesize}, every node/.style={align=center}] % Position the nodes using a matrix layout \matrix{ \node[source] (wallet) {Wallet}; \& \node[process] (browser) {Browser}; \& \node[process] (shop) {Web shop}; \& \node[sink] (backend) {Taler backend}; \\ }; % Draw the arrows between the nodes and label them. \draw[to] (browser) to[bend right=50] node[midway,above] {(4) signed contract} node[midway,below] {(signal)} (wallet); \draw[to] (wallet) to[bend right=50] node[midway,above] {(signal)} node[midway,below] {(5) signed coins} (browser); \draw[<->] (browser) -- node[midway,above] {(3,6) custom} node[midway,below] {(HTTPS)} (shop); \draw[to] (shop) to[bend right=50] node[midway,above] {(HTTPS)} node[midway,below] {(1) proposed contract / (7) signed coins} (backend); \draw[to] (backend) to[bend right=50] node[midway,above] {(2) signed contract / (8) confirmation} node[midway,below] {(HTTPS)} (shop); \end{tikzpicture} } \end{center} \end{frame}