marketing

Marketing materials (presentations, posters, flyers)

commit 1612630809c6bc5ac39a5805c67bbd26081b75dc
parent 18d6fd2dac478ace16212b6137911f048fab0445
Author: Christian Grothoff <grothoff@gnunet.org>
Date:   Tue, 25 Oct 2022 11:26:35 +0200

update comprehensive presentation; especially include age restrictions

Diffstat:
Mpresentations/bank/intro.tex | 2+-
Apresentations/comprehensive/bis-cbdc.mp4 | 0
Apresentations/comprehensive/ca.png | 0
Apresentations/comprehensive/emergencyact.mp4 | 0
Mpresentations/comprehensive/main.tex | 1936+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++------------
Apresentations/comprehensive/media/fee.png | 0
Apresentations/comprehensive/media/fee_var.png | 0
Apresentations/comprehensive/media/news0.png | 0
Apresentations/comprehensive/media/news1.png | 0
Apresentations/comprehensive/media/news2.png | 0
Apresentations/comprehensive/media/taler.png | 0
Apresentations/comprehensive/white.png | 0
12 files changed, 1649 insertions(+), 289 deletions(-)

diff --git a/presentations/bank/intro.tex b/presentations/bank/intro.tex
@@ -235,7 +235,7 @@ GNU Taler must ...
 \begin{itemize}
 \item Commercial bank payments
 \item Central bank digital currency
- \item Tokenization of digital assets
+ \item Tokenization of assets
 \item Layer-2 solution for crypto-currencies
 \end{itemize}
 \end{frame}
diff --git a/presentations/comprehensive/bis-cbdc.mp4 b/presentations/comprehensive/bis-cbdc.mp4
Binary files differ.
diff --git a/presentations/comprehensive/ca.png b/presentations/comprehensive/ca.png
Binary files differ.
diff --git a/presentations/comprehensive/emergencyact.mp4 b/presentations/comprehensive/emergencyact.mp4
Binary files differ.
diff --git a/presentations/comprehensive/main.tex b/presentations/comprehensive/main.tex
@@ -9,10 +9,18 @@
 \usetheme{boxes}
 \setbeamertemplate{navigation symbols}{}
 \usepackage{xcolor}
-\usepackage{tikz,eurosym}
 \usepackage[normalem]{ulem}
 \usepackage{listings}
 \usepackage{adjustbox}
+\usepackage{array}
+\usepackage{bbding}
+\usepackage{relsize}
+\usepackage{graphicx}
+\usepackage{tikz,eurosym,calc}
+\usetikzlibrary{tikzmark}
+\usetikzlibrary{shapes,arrows,arrows.meta}
+\usetikzlibrary{positioning,fit,patterns}
+\usetikzlibrary{calc}
 % CSS
 \lstdefinelanguage{CSS}{
@@ -93,9 +101,101 @@ morestring=[b]" } -\usetikzlibrary{shapes,arrows} -\usetikzlibrary{positioning} -\usetikzlibrary{calc} +\setbeamersize{description width=1em} + +\definecolor{blue}{rgb}{0,0,0.7} +\newcommand{\orange}[1]{{\color{orange}#1}} +\newcommand{\blue}[1]{{\color{blue}#1}} +\newcommand{\red}[1]{{\color{red}#1}} +\newcommand{\Guardian}{\mathcal{G}} +\newcommand{\Child}{\mathcal{C}} +\newcommand{\Customer}{\mathcal{C}} +\newcommand{\Merchant}{\mathcal{M}} +\newcommand{\Exchange}{\mathcal{E}} + +\newcommand{\Commit}{\mathsf{Commit}} +\newcommand{\Attest}{\mathsf{Attest}} +\newcommand{\Verify}{\mathsf{Verify}} +\newcommand{\Derive}{\mathsf{Derive}} +\newcommand{\DeriveCompare}{\mathsf{DeriveCompare_\kappa}} +\newcommand{\Compare}{\mathsf{Compare}} +\newcommand{\AgeVer}{\mathsf{AgeVer}} + +\newcommand{\HashF}{\mathsf{H}} +\newcommand{\Hash}{\mathsf{H}} +\newcommand{\Block}{\mathbb{B}} +\newcommand{\Pub}{\mathsf{Pub}} +\newcommand{\Sign}{\mathsf{Sig}} +\newcommand{\Ver}{\mathsf{Ver}} +\newcommand{\Encoding}{\mathsf{Encoding}} +\newcommand{\ECDSA}{\mathsf{ECDSA}} +\newcommand{\Null}{\mathcal{O}} +\newcommand{\EC}{\mathrm{ec}} +\newcommand{\Curve}{\mathsf{Curve25519}} +\newcommand{\SHA}{\mathsf{SHA256}} +\newcommand{\SHAF}{\mathsf{SHA252}} +\newcommand{\FDH}{\mathsf{FDH}} + +\newcommand{\negl}{\epsilon} + +\newcommand{\rand}{\mathsf{rand}} +\newcommand{\age}{\mathsf{a}} +\newcommand{\Age}{\mathsf{M}} +\newcommand{\bage}{\mathsf{b}} +\newcommand{\minage}{\mathsf{m}} +\newcommand{\attest}{\mathsf{T}} +\newcommand{\commitment}{\mathsf{Q}} +\newcommand{\pruf}{\mathsf{P}} +\newcommand{\Vcommitment}{\vec{\mathsf{Q}}} +\newcommand{\Vpruf}{\vec{\mathsf{P}}} +\newcommand{\blinding}{\beta} + +\newcommand{\ZN}{\mathbb{Z}_N} +\newcommand{\Z}{\mathbb{Z}} +\newcommand{\N}{\mathbb{N}} +\newcommand{\A}{\mathbb{A}} +\newcommand{\E}{\mathbb{E}} +\newcommand{\F}{\mathbb{F}} +\newcommand{\seck}{\mathsf{s}} +\newcommand{\pubk}{\mathsf{P}} +\renewcommand{\H}{\mathbb{H}} 
+\newcommand{\K}{\mathbb{K}} +\newcommand{\Proofs}{\mathbb{P}} +\newcommand{\Commitments}{\mathbb{O}} +\newcommand{\Attests}{\mathbb{T}} +\newcommand{\Blindings}{\mathbb{B}} +\newcommand{\Nil}{\perp} + +\newcommand{\p}{\mathsf{p}} +\newcommand{\com}{\mathsf{com}} +\newcommand{\prf}{\mathsf{prf}} + +\newcommand{\Adv}{\mathcal{A}} +\newcommand{\PPT}{\mathfrak{A}} +\newcommand{\Probability}{\mathrm{Pr}} +\newcommand{\Algorithm}{f} +\renewcommand{\Game}[1]{G_\Adv^\mathsf{#1}} + +\DeclareMathOperator{\Image}{Im} +\DeclareMathOperator{\Mod}{mod} + +\newcommand{\Encode}[1]{\overbracket[0.5pt][2pt]{\,#1\,}} +\newcommand{\Decode}[1]{\underbracket[0.5pt][3pt]{\,#1\,}} +\newcommand{\FDHg}[1]{[#1]_g\,} +\newcommand{\logg}{{\breve{g}}} + + +\newcommand{\drawfrom}{\xleftarrow{\$}} +\newcommand\Exists{% + \mathop{\lower0.75ex\hbox{\ensuremath{% + \mathlarger{\mathlarger{\mathlarger{\mathlarger{\exists}}}}}}}% + \limits} + +\newcommand\Forall{% + \mathop{\lower0.75ex\hbox{\ensuremath{% + \mathlarger{\mathlarger{\mathlarger{\mathlarger{\forall}}}}}}}% + \limits} + \title{GNU Taler} %\subtitle{} @@ -147,7 +247,7 @@ %strikingly similar today's debit card system. \pause \begin{center} - \Large \textbf{Mastercard/Visa are too transparent.} + \includegraphics[height=2cm]{pics/nsa_spy.jpg} \end{center} \vfill \begin{center} 
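Review bot: Several of the notation macros added in the `@@ -93,9 +101,101 @@` hunk expand to the same glyph, which makes the rendered formulas of a cryptographic scheme ambiguous: `\pruf` and `\pubk` are both `\mathsf{P}`, `\Child` and `\Customer` are both `\mathcal{C}`, and `\Blindings` reuses the `\mathbb{B}` of `\Block`, so a proof cannot be told apart from a public key on a slide. `\newcommand{\SHAF}{\mathsf{SHA252}}` looks like a typo, since no hash function of that name exists; if a truncated digest is meant, a comment such as `% SHA252: <underlying hash and truncation -- confirm>` next to the definition would say so. `\renewcommand{\H}{\mathbb{H}}` overrides the text accent `\H`, so any `\H{o}` elsewhere in the deck would stop working; a differently named macro avoids that. `\overbracket` and `\underbracket` are mathtools commands, and the preamble lines visible in this diff do not load mathtools, so it is worth confirming that it is loaded outside the hunks shown.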
@@ -272,6 +372,36 @@ ZeroCoin, CryptoNote (Monero) and ZeroCash (ZCash) offer anonymity. \end{frame} + +\begin{frame}{The Bank of International Settlements} + \begin{center} + \movie[%scale=0.6, + autostart, + poster] + { + \includegraphics[height=0.6\textwidth,width=0.8\textwidth]{white.png} + } + {bis-cbdc.mp4} + \end{center} +\end{frame} + + +\begin{frame}{The Emergency Act of Canada\footnote{Speech by Premier Kenney, Alberta, February 2022}} + \begin{center} + \movie[%scale=0.6, + autostart, + poster] + { + \includegraphics[height=0.6\textwidth,width=0.8\textwidth]{ca.png} + } + {emergencyact.mp4} + + {\tiny \url{https://www.youtube.com/watch?v=NehMAj492SA} (2'2022)} + \end{center} +\end{frame} + + + \begin{frame}{GNU Taler} \vfill \begin{center} @@ -293,18 +423,17 @@ ZeroCoin, CryptoNote (Monero) and ZeroCash (ZCash) offer anonymity. \section{What is Taler?} \begin{frame}{What is Taler?} - \begin{center} -Taler is an electronic instant payment system. - \end{center} + \framesubtitle{\url{https://taler.net/en/features.html}} \noindent +Taler is + \vfill \begin{itemize} - \item Uses electronic coins stored in {\bf wallets} on customer's device - \item Like {\bf cash} - \item Pay in {\bf existing currencies} (i.e. EUR, USD, BTC), \\ - or use it to create new {\bf regional currencies} + \item a Free/Libre software \emph{payment system} infrastructure project + \item ... with a surrounding software ecosystem + \item ... and a company (Taler Systems S.A.) and community that wants to deploy it + as widely as possible. \end{itemize} \vfill - \pause - \noindent +\noindent However, Taler is \begin{itemize} \item \emph{not} a currency @@ -312,7 +441,6 @@ Taler is an electronic instant payment system. \item \emph{not} a network or instance of a system \item \emph{not} decentralized \item \emph{not} based on proof-of-work or proof-of-stake - \item \emph{not} a speculative asset / ``get-rich-quick scheme'' \end{itemize} \end{frame} 
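Review bot: The title of the first frame added in the `@@ -272,6 +372,36 @@` hunk misnames the institution; it is the Bank for International Settlements, so the line should read `\begin{frame}{The Bank for International Settlements}` (the Canadian statute in the second title is likewise the Emergencies Act). Both `\movie` posters pass `height=0.6\textwidth,width=0.8\textwidth` to `\includegraphics` without `keepaspectratio`, which stretches `ca.png` unless its aspect ratio happens to match; adding `keepaspectratio` fixes that, and `\textheight` may have been intended for the height. As far as beamer's multimedia support goes, `\movie` references the `.mp4` by path rather than embedding it, and `autostart` begins playback as soon as the slide is shown, so a short comment above each `\movie` noting that the PDF must be distributed together with `bis-cbdc.mp4` and `emergencyact.mp4` would help whoever presents from a copied PDF.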
@@ -397,129 +525,6 @@ GNU Taler must ... \end{frame} -\begin{frame}[fragile]{Taler: Bank Perspective} -\begin{adjustbox}{max totalsize={.9\textwidth}{.7\textheight},center} -\begin{tikzpicture} - \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em]; - \node (origin) at (0,0) {}; - \node (exchange) [def,above=of origin,draw]{Exchange}; - \node (nexus) [def, draw, below right=of exchange] {Nexus}; - \node (corebanking) [def, draw, below left=of nexus] {Core Banking}; - \node (nginx) [def, draw, above=of exchange]{Nginx}; - \node (postgres) [def, draw, below left=of exchange]{Postgres}; - \node (postgres-nexus) [def, draw, below right=of nexus]{Postgres}; - - \tikzstyle{C} = [color=black, line width=1pt] - - \draw [<-, C] (exchange) -- (nginx) node [midway, above, sloped] (TextNode) {REST API}; - \draw [<-, C] (postgres) -- (exchange) node [midway, above, sloped] (TextNode) {SQL}; - \draw [<-, C] (postgres-nexus) -- (nexus) node [midway, above, sloped] (TextNode) {SQL}; - \draw [<-, C] (nexus) -- (exchange) node [midway, above, sloped] (TextNode) {Internal REST API}; - \draw [<-, C] (corebanking) -- (nexus) node [midway, above, sloped] (TextNode) {EBICS/FinTS}; - -\end{tikzpicture} -\end{adjustbox} -\end{frame} - - -\begin{frame}{Taler: Exchange Architecture} -\begin{center} -\begin{tikzpicture} - \tikzstyle{def} = [node distance=2em and 2.5em, inner sep=1em, outer sep=.3em]; - \node (origin) at (0,0) {}; - \node (httpd) [def,above=of origin,draw]{httpd}; - \node (secmod-rsa) [def, draw, right=of httpd] {secmod-rsa}; - \node (secmod-eddsa) [def, draw, left=of httpd] {secmod-eddsa}; - \node (postgres) [def, draw, below=of httpd]{Postgres}; - \node (aggregator) [def, draw, right=of postgres]{aggregator}; - \node (transfer) [def, draw, below left=of postgres]{transfer}; - \node (wirewatch) [def, draw, below right=of postgres]{wirewatch}; - \node (nexus) [def, draw, below=of postgres]{Nexus}; - - \tikzstyle{C} = [color=black, line width=1pt] - - 
\draw [<->, C] (httpd) -- (postgres) node [midway, above, sloped] (TextNode) {}; - \draw [<->, C] (httpd) -- (secmod-rsa) node [midway, above, sloped] (TextNode) {}; - \draw [<->, C] (httpd) -- (secmod-eddsa) node [midway, above, sloped] (TextNode) {}; - \draw [<->, C] (aggregator) -- (postgres) node [midway, above, sloped] (TextNode) {}; - \draw [<->, C] (wirewatch) -- (postgres) node [midway, above, sloped] (TextNode) {}; - \draw [<->, C] (transfer) -- (postgres) node [midway, above, sloped] (TextNode) {}; - \draw [->, C] (transfer) -- (nexus) node [midway, above, sloped] (TextNode) {}; - \draw [<-, C] (wirewatch) -- (nexus) node [midway, above, sloped] (TextNode) {}; -\end{tikzpicture} -\end{center} -\end{frame} - - -\begin{frame} -\frametitle{Taler: Auditor Perspective} -\begin{center} -\begin{tikzpicture} - \tikzstyle{def} = [node distance=2em and 2.5em, inner sep=1em, outer sep=.3em]; - \node (origin) at (0,0) {}; - \node (httpd) [def,above left=of origin,draw]{auditor-httpd}; - \node (report) [def,above right=of origin,draw]{auditor-report}; - \node (postgres-A) [def, draw, below=of origin] {Postgres (Auditor)}; - \node (postgres-E) [def, draw, below=of postgres-A] {Postgres (Bank)}; - - \tikzstyle{C} = [color=black, line width=1pt] - - \draw [->, C] (postgres-E) -- (postgres-A) node [midway, above, sloped] (TextNode) {sync}; - \draw [<->, C] (httpd) -- (postgres-A) node [midway, above, sloped] (TextNode) {}; - \draw [<->, C] (report) -- (postgres-A) node [midway, above, sloped] (TextNode) {}; -\end{tikzpicture} -\end{center} -\end{frame} - - -\begin{frame} -\frametitle{Taler: Merchant Perspective} -\begin{center} -\begin{tikzpicture} - \tikzstyle{def} = [node distance= 3.5em and 2em, inner sep=1em, outer sep=.3em]; - \node (origin) at (0,0) {}; - \node (backend) [def,above=of origin,draw]{{\tiny taler-merchant-httpd}}; - \node (frontend) [def,above left=of backend,draw]{{\tiny E-commerce Frontend}}; - \node (backoffice) [def,above right=of 
backend,draw]{Backoffice}; - \node (postgres) [def, draw, below left=of backend] {Postgres}; - \node (sqlite) [def, draw, below=of backend] {Sqlite}; - \node (alt) [def, draw, below right=of backend] {...}; - - \tikzstyle{C} = [color=black, line width=1pt] - - \draw [->, C] (frontend) -- (backend) node [midway, above, sloped] (TextNode) {REST API}; - \draw [->, C] (backoffice) -- (backend) node [midway, above, sloped] (TextNode) {REST API}; - \draw [<->, C] (backend) -- (postgres) node [midway, above, sloped] (TextNode) {SQL}; - \draw [<->, C] (backend) -- (sqlite) node [midway, above, sloped] (TextNode) {SQL}; - \draw [<->, C] (backend) -- (alt) node [midway, above, sloped] (TextNode) {SQL}; -\end{tikzpicture} -\end{center} -\end{frame} - - -\begin{frame} -\frametitle{Taler: Wallet Architecture} - \framesubtitle{Background: \url{https://anastasis.lu/}} -\begin{center} -\begin{tikzpicture} - \tikzstyle{def} = [node distance= 5em and 4.5em, inner sep=1em, outer sep=.3em]; - \node (origin) at (0,0) {}; - \node (gui) [def,above=of origin,draw]{wallet-gui}; - \node (core) [def,below=of gui,draw]{wallet-core}; - \node (sync) [def, draw, below left=of core] {Sync}; - \node (taler) [def, draw, below right=of core] {Taler}; - \node (anastasis) [def, draw, below=of core] {Anastasis}; - - \tikzstyle{C} = [color=black, line width=1pt] - \draw [<->, C] (gui) -- (core) node [midway, above, sloped] (TextNode) {}; - \draw [<->, C] (core) -- (sync) node [midway, above, sloped] (TextNode) {Backup}; - \draw [<->, C] (core) -- (taler) node [midway, above, sloped] (TextNode) {Payment}; - \draw [<->, C] (core) -- (anastasis) node [midway, above, sloped] (TextNode) {Key Escrow}; -\end{tikzpicture} -\end{center} -\end{frame} - - \begin{frame}{Taler: Unique Regulatory Features for Central Banks} \framesubtitle{\url{https://www.snb.ch/en/mmr/papers/id/working_paper_2021_03}} \begin{itemize} 
@@ -880,17 +885,6 @@ But of course we use modern instantiations. \end{frame} -\begin{frame}{Merchant Integration: Contract} - % \begin{figure*}[t!] - {\tiny - \lstset{language=JavaScript} - \lstinputlisting{figs/taler-contract.json} -% \caption{Minimal Taler contract over a digital article with a value of \EUR{0.10}. The merchant will pay transaction fees up to \EUR{0.01}. The hash over the wire transfer information was truncated to make it fit to the page.} -% \label{listing:json-contract} - % \end{figure*} - } -\end{frame} - \begin{frame}{Merchant: Propose contract (EdDSA)} \begin{minipage}{6cm} 
@@ -1486,170 +1480,890 @@ and (likely) would presume an evil exchange, forcing it to pay both merchants. \end{frame} +\section{Age restrictions} - -\section{Competitor analysis} -\begin{frame}{Competitor comparison} - \begin{center} \small - \begin{tabular}{l||c|c|c|c|c} - & Cash & Bitcoin & Zerocoin & Creditcard & GNU Taler \\ \hline \hline - Online &$-$$-$$-$ & ++ & ++ & + & +++ \\ \hline - Offline & +++ & $-$$-$ & $-$$-$ & + & $-$$-$ \\ \hline - Trans. cost & + & $-$$-$$-$ & $-$$-$$-$ & $-$ & ++ \\ \hline - Speed & + & $-$$-$$-$ & $-$$-$$-$ & o & ++ \\ \hline - Taxation & $-$ & $-$$-$ & $-$$-$$-$ & +++ & +++ \\ \hline - Payer-anon & ++ & o & ++ & $-$$-$$-$ & +++ \\ \hline - Payee-anon & ++ & o & ++ & $-$$-$$-$ & $-$$-$$-$ \\ \hline - Security & $-$ & o & o & $-$$-$ & ++ \\ \hline - Conversion & +++ & $-$$-$$-$ & $-$$-$$-$ & +++ & +++ \\ \hline - Libre & $-$ & +++ & +++ & $-$ $-$ $-$ & +++ \\ - \end{tabular} +\begin{frame} + \vfill + \begin{center} + {\bf Part II: Age restrictions} \end{center} + \vfill \end{frame} -\begin{frame}{Taler: Project Status} -\framesubtitle{\url{https://docs.taler.net/}} -\begin{itemize} - \item Cryptographic protocols and core exchange component are stable - \item Current focus: Merchant integration, settlement integration, wallet backup - \item Pilot project at Bern University of Applied Sciences cafeteria - \item Internal alpha deployment with a commercial bank in progress - \end{itemize} +\begin{frame}{Age restriction in E-commerce} + + \begin{description} + \item[Problem:]~\\[1em] + Verification of minimum age requirements in e-commerce.\\[2em] + + \item[Common solutions:] + +\begin{tabular}{l<{\onslide<2->}c<{\onslide<3->}cr<{\onslide}} + & \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount] + 1. ID Verification & bad & required & \\[\medskipamount] + 2. Restricted Accounts & bad & required & \\[\medskipamount] + 3. 
Attribute-based & good & required &\tikzmark{bottomau} \\[\medskipamount] +\end{tabular} + \end{description} + +\uncover<4->{ + \begin{tikzpicture}[overlay,remember picture] + \draw[orange,thick,rounded corners] + ($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$); + \end{tikzpicture} + \begin{center} + \bf Principle of Subsidiarity is violated + \end{center} +} \end{frame} -\begin{frame}{Next Steps: Possible Projects and Collaborations} - \vfill -\begin{center} -\includegraphics[width=1.0\textwidth]{taler-in-use.png} +\begin{frame}{Principle of Subsidiarity} +\begin{center} \Large + Functions of government---such as granting and restricting + rights---should be performed\\ + {\it at the lowest level of authority possible},\\ + as long as they can be performed {\it adequately}. \end{center} +\vfill +\uncover<2->{ + For age-restriction, the lowest level of authority is:\\ + \begin{center}\Large + Parents, guardians and caretakers + \end{center} +} \end{frame} -\begin{frame}{Area I: System Integration and Partnerships} - \framesubtitle{\url{https://lists.gnu.org/mailman/listinfo/taler}} - Pilots with banking organizations could: - \begin{itemize} - \item Study integration with the underlying RTGS layer: - \begin{itemize} - \item Develop standardized operational procedures - \item Assess transaction performance at scale - \item Perform cost analysis in banking environment - \item Assess effort for integration with commercial banks - \end{itemize} - \item Analyze regulatory considerations for different legislations -% \item Building awareness of Taler as a bearer-based retail CBDC - \item Perform independent security audits of Taler components - \item Determine and possibly close gaps in the existing solution - \end{itemize} -\end{frame} +\begin{frame}{Age restriction design for GNU Taler} +Design and implementation of an age restriction scheme\\ +with the following goals: +\begin{enumerate} +\item It ties age restriction to the \textbf{ability to 
pay} (not to ID's) +\item maintains \textbf{anonymity of buyers} +\item maintains \textbf{unlinkability of transactions} +\item aligns with \textbf{principle of subsidiartiy} +\item is \textbf{practical and efficient} +\end{enumerate} -\begin{frame}{Area II: Development/Research Extensions} - \framesubtitle{Background: \url{https://myoralvillage.org/}} -We have ideas for protocol extensions and ``programmable money'': - \begin{itemize} - \item Mediated wallet-to-wallet payments (instead of customer-to-merchant) - \item Privacy-preserving auctions (trading, currency exchange) - \item Age-restricted private payments for children (youth protection) - \end{itemize} -Central banks should also consider funding research to improve: - \begin{itemize} - \item General digital wallet usability and availability - \item Accessibility features for illiterate and innumerate users - \item Projects that facilitate integration at retailers - \begin{itemize} - \item Hardware and software support for embedded systems - \item Integration into off-the-self E-commerce systems - \end{itemize} - \item Protocol extensions for automated tax reporting - \end{itemize} \end{frame} -\begin{frame}{How to support?} - \begin{description} - \item[Join:] {\small \url{https://lists.gnu.org/mailman/listinfo/taler}}, \\ - \url{https://libera.chat/\#taler} - \item[Develop:] \url{https://bugs.taler.net/}, \url{https://git.taler.net/} - \item[Translate:] \url{https://weblate.taler.net/}, \url{translation-volunteer@taler.net} - \item[Integrate:] \url{https://docs.taler.net/} - \item[Donate:] \url{https://gnunet.org/ev} - \item[Invest:] \url{https://taler-systems.com/} - \end{description} +\begin{frame}{Age restriction} + \framesubtitle{Assumptions and scenario} + + \begin{columns} + \column{7.5cm} + \begin{itemize} + \item<1-> Assumption: Checking accounts are under control of eligible adults/guardians. 
+ \item<2-> \textit{Guardians} \textbf{commit} to an maximum age + \item<3-> \textit{Minors} \textbf{attest} their adequate age + \item<4-> \textit{Merchants} \textbf{verify} the attestations + \item<5-> Minors \textbf{derive} age commitments from existing ones + \item<6-> \textit{Exchanges} \textbf{compare} the derived age commitments + \end{itemize} + \column{5cm} + \uncover<7-> + { + \begin{center} + \fontsize{7pt}{7pt}\selectfont + \begin{tikzpicture}[scale=.5] + \node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; + \node[circle,minimum size=15pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=15pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$}; + \node[circle,minimum size=15pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$}; + + \draw[->] (Guardian) to [out=50,in=130, loop] node[above] + {$\Commit$} (Guardian); + \draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left] + {\blue{$\Attest$}} (Client); + \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above] + {\blue{$\Verify$}} (Merchant); + \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below] + {\orange{$\Derive$}} (Client); + \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] + {\orange{$\Compare$}} (Exchange); + + \draw[orange,|->] (Client) to node[sloped,above,align=left] + {\orange{\scriptsize }} (Exchange); + \draw[blue,|->] (Client) to node[sloped, above] + {\blue{\scriptsize }} (Merchant); + \draw[,|->] (Guardian) to node[above,sloped,align=left] + {{\scriptsize }} (Client); + \end{tikzpicture} + \end{center} + } + \end{columns} + \vfill + \uncover<7->{Note: Scheme is independent of payment service protocol.} +\end{frame} + + +\begin{frame}{Formal Function Signatures} +\small +Searching for functions \uncover<2->{with the following signatures} +\begin{align*} + &\bf \Commit\uncover<2->{: + &(\age, \omega) &\mapsto (\commitment, \pruf) + &\scriptstyle \N_\Age \times \Omega &\scriptstyle \to 
\Commitments\times\Proofs, + } + \\ + &\bf \Attest\uncover<3->{: + &(\minage, \commitment, \pruf) &\mapsto \attest + &\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\}, + } + \\ + &\bf \Verify\uncover<4->{: + &(\minage, \commitment, \attest) &\mapsto b + &\scriptstyle \N_\Age\times\Commitments\times\Attests &\scriptstyle \to \Z_2, + } + \\ + &\bf \Derive\uncover<5->{: + &(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf', \blinding) + &\scriptstyle \Commitments\times\Proofs\times\Omega &\scriptstyle \to \Commitments\times\Proofs\times\Blindings, + } + \\ + &\bf \Compare\uncover<6->{: + &(\commitment, \commitment', \blinding) &\mapsto b + &\scriptstyle \Commitments\times\Commitments\times\Blindings &\scriptstyle \to \Z_2, + } +\end{align*} + \uncover<7->{ + with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$ + sufficiently large sets.\\[1em] + Basic and security requirements are defined later.\\[2em] + } + + \scriptsize + \uncover<2->{ + Mnemonics:\\ + $\Commitments=$ \textit{c$\Commitments$mmitments}, + $\commitment=$ \textit{Q-mitment} (commitment), + $\Proofs=$ \textit{$\Proofs$roofs}, + } + \uncover<3->{ + $\pruf=$ \textit{$\pruf$roof},\\ + $\Attests=$ \textit{a$\Attests$testations}, + $\attest=$ \textit{a$\attest$testation}, + } + \uncover<5->{ + $\Blindings=$ \textit{$\Blindings$lindings}, + $\blinding=$ \textit{$\blinding$linding}. 
+ } +\end{frame} + +\begin{frame}{Age restriction} + \framesubtitle{Naïve scheme} + \begin{center} + \begin{tikzpicture}[scale=.85] + \node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; + \node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=20pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$}; + \node[circle,minimum size=20pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$}; + + \draw[->] (Guardian) to [out=50,in=130, loop] node[above] + {$\Commit$} (Guardian); + \draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left] + {\blue{$\Attest$}} (Client); + \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above] + {\blue{$\Verify$}} (Merchant); + \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below] + {\orange{$\Derive$}} (Client); + \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] + {\orange{$\Compare$}} (Exchange); + + \draw[orange,|->] (Client) to node[sloped,above,align=left] + {\orange{\scriptsize }} (Exchange); + \draw[blue,|->] (Client) to node[sloped, above] + {\blue{\scriptsize }} (Merchant); + \draw[,|->] (Guardian) to node[above,sloped,align=left] + {{\scriptsize }} (Client); + \end{tikzpicture} + \end{center} +\end{frame} + +\begin{frame}{Achieving Unlinkability} + \begin{columns} + \column{3cm} + \begin{center} + \fontsize{8pt}{9pt}\selectfont + \begin{tikzpicture}[scale=.65] + \node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; + \node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + + \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below] + {\orange{$\footnotesize \Derive()$}} (Client); + \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] + {\orange{$\footnotesize \Compare()$}} (Exchange); + + \draw[orange,|->] (Client) to node[sloped,above,align=left] + {\orange{\tiny \uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange); + 
\end{tikzpicture} + \end{center} + + \column{9cm} + Simple use of $\Derive()$ and $\Compare()$ is problematic. + + \begin{itemize} + \item<2-> Calling $\Derive()$ iteratively generates sequence + $(\commitment_0, \commitment_1, \dots)$ of commitments. + \item<2-> Exchange calls $\Compare(\commitment_i, \commitment_{i+1}, .)$ + \item[$\implies$]\uncover<3->{\bf Exchange identifies sequence} + \item[$\implies$]\uncover<3->{\bf Unlinkability broken} + \end{itemize} + \end{columns} +\end{frame} + +\begin{frame}{Achieving Unlinkability} + Define cut\&choose protocol \orange{$\DeriveCompare$}, + using $\Derive()$ and $\Compare()$.\\[0.5em] + \uncover<2->{ + Sketch: + \small + \begin{enumerate} + \item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$ + from $\commitment_0$ \\ + by calling $\Derive()$ with blindings $(\beta_1,\dots,\beta_\kappa)$ + \item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$ + \item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$ + \item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly + \item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$ + \item $\Exchange$ compares $h_0$ and + $H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\ + and evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$. + \end{enumerate} + \vfill + Note: Scheme is similar to the {\it refresh} protocol in GNU Taler. + } \end{frame} +\begin{frame}{Achieving Unlinkability} + With \orange{$\DeriveCompare$} + \begin{itemize} + \item $\Exchange$ learns nothing about $\commitment_\gamma$, + \item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty, + \item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat. + \end{itemize} + \vfill + Note: Still need Derive and Compare to be defined. 
+\end{frame} + +\begin{frame}{Refined scheme} + + \begin{tikzpicture}[scale=.8] + \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$}; + \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$}; + + \draw[orange,<->] (Client) to node[sloped,below,align=center] + {\orange{$\DeriveCompare$}} (Exchange); + \draw[blue,->] (Client) to node[sloped, below] + {\blue{$(\attest_\minage, \commitment)$}} (Merchant); + + \draw[->] (Guardian) to [out=150,in=70, loop] node[above] + {$\Commit(\age)$} (Guardian); + \draw[->] (Guardian) to node[below,sloped] + {($\commitment$, $\pruf_\age$)} (Client); + \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below] + {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client); + \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below] + {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant); + \end{tikzpicture} +\end{frame} -\begin{frame}{Conclusion} - \begin{center} - {\bf What can we do?} - \end{center} - \vfill -\begin{itemize} - \item{Suffer mass-surveillance enabled by credit card oligopolies with high fees, and} - \item{Engage in arms race with deliberately unregulatable blockchains} -% \item{Enjoy the ``benefits'' of cash \\ -% \hfill \includegraphics[height=0.3\textheight]{atm-rupee.jpg} \hfill} -\end{itemize} -\vfill -\begin{center} - {\bf OR} -\end{center} -\vfill -\begin{itemize} - \item{Establish free software alternative balancing social goals!} -\end{itemize} -\vfill +% \begin{frame}{Achieving Unlinkability} +% \scriptsize +% $\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\ +% \vfill +% $\DeriveCompare(\commitment, \pruf, \omega) =$ +% \begin{itemize} +% \it +% \itemsep0.5em +% \item[$\Child$:] +% \begin{enumerate} +% \scriptsize +% \itemsep0.3em +% \item 
for all $i \in \{1,\dots,\kappa\}: +% (\commitment_i,\pruf_i,\beta_i) \leftarrow \Derive(\commitment, \pruf, \omega + i)$ +% \item $h \leftarrow \Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa) \big)$ +% \item send $(\commitment, h)$ to $\Exchange$ +% \end{enumerate} +% \item[$\Exchange$:] +% \begin{enumerate} +% \setcounter{enumi}{4} +% \scriptsize +% \itemsep0.3em +% \item save $(\commitment, h)$ \label{st:hash} +% \item $\gamma \drawfrom \{1,\dots ,\kappa\}$ +% \item send $\gamma$ to $\Child$ +% \end{enumerate} +% \item[$\Child$:] +% \begin{enumerate} +% \setcounter{enumi}{7} +% +% \scriptsize +% \itemsep0.3em +% \item $h'_\gamma \leftarrow \Hash(\commitment_\gamma, \beta_\gamma)$ +% \item $\mathbf{E}_\gamma \leftarrow \big[(\commitment_1,\beta_1),\dots, +% (\commitment_{\gamma-1}, \beta_{\gamma-1}), +% \Nil, +% (\commitment_{\gamma+1}, \beta_{\gamma+1}), +% \dots,(\commitment_\kappa, \beta_\kappa)\big]$ +% \item send $(\mathbf{E}_\gamma, h'_\gamma)$ to $\Exchange$ +% \end{enumerate} +% \item[$\Exchange$:] +% \begin{enumerate} +% \setcounter{enumi}{10} +% \scriptsize +% \itemsep0.3em +% \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow \Hash(\mathbf{E}_\gamma[i])$ +% \item if $h \stackrel{?}{\neq} \HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$ return 0 +% \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}$: +% if $0 \stackrel{?}{=} \Compare(\commitment,\commitment_i, \beta_i)$ return $0$ +% \item return 1 +% \end{enumerate} +% \end{itemize} +% \end{frame} + +\begin{frame}{Basic Requirements} + + Candidate functions + \[ (\Commit, \Attest, \Verify, \Derive, \Compare) \] + must first meet \textit{basic} requirements: + + \begin{itemize} + \item Existence of attestations + \item Efficacy of attestations + \item Derivability of commitments and attestations + \end{itemize} +\end{frame} + +\begin{frame}{Basic Requirements} + \framesubtitle{Formal 
Details} + + \begin{description} + \item[Existence of attestations] + {\scriptsize + \begin{align*} + \Forall_{\age\in\N_\Age \atop \omega \in \Omega}: + \Commit(\age, \omega) =: (\commitment, \pruf) + \implies + \Attest(\minage, \commitment, \pruf) = + \begin{cases} + \attest \in \Attests, \text{ if } \minage \leq \age\\ + \Nil \text{ otherwise} + \end{cases} + \end{align*}} + \item[Efficacy of attestations] + {\scriptsize + \begin{align*} + \Verify(\minage, \commitment, \attest) = \ + \begin{cases} + 1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\ + 0 \text{ otherwise} + \end{cases} + \end{align*}} + + {\scriptsize + \begin{align*} + \forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1. + \end{align*}} + \item[etc.] + \end{description} +\end{frame} + +%\begin{frame}{Requirements} +% \framesubtitle{Details} +% +% \begin{description} +% \item[Derivability of commitments and proofs:]~\\[0.1em] +% {\scriptsize +% Let \begin{align*} +% \age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\ +% (\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\ +% (\commitment_1, \pruf_1, \blinding) & \leftarrow \Derive(\commitment_0, \pruf_0, \omega_1). +% \end{align*} +% We require +% \begin{align*} +% \Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity} +% \end{align*} +% and for all $n\leq\age$: +% \begin{align*} +% \Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &% +% = +% \Verify(n, \commitment_0, \Attest(n, \commitment_0, \pruf_0)) +% \end{align*}} +% \end{description} +%\end{frame} + +\begin{frame}{Security Requirements} + Candidate functions must also meet \textit{security} requirements. 
+ Those are defined via security games:
+ \begin{itemize}
+ \item Game: Age disclosure by commitment or attestation
+ \item[$\leftrightarrow$] Requirement: Non-disclosure of age
+ \vfill
+
+ \item Game: Forging attestation
+ \item[$\leftrightarrow$] Requirement: Unforgeability of
+ minimum age
+ \vfill
+
+ \item Game: Distinguishing derived commitments and attestations
+ \item[$\leftrightarrow$] Requirement: Unlinkability of
+ commitments and attestations
+
+ \end{itemize}
+ \vfill
+
+ Meeting the security requirements means that adversaries can win
+ those games only with negligible advantage.
+ \vfill
+ Adversaries are arbitrary polynomial-time algorithms, acting on all
+ relevant input.
+\end{frame}
+
+\begin{frame}{Security Requirements}
+ \framesubtitle{Simplified Example}
+
+ \begin{description}
+ \item[Game $\Game{FA}(\lambda)$---Forging an attest:]~\\
+ {\small
+ \begin{enumerate}
+ \item $ (\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $
+ \item $ (\commitment, \pruf) \leftarrow \Commit(\age, \omega) $
+ \item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$
+ \item Return 0 if $\minage \leq \age$
+ \item Return $\Verify(\minage,\commitment,\attest)$
+ \end{enumerate}
+ }
+ \vfill
+ \item[Requirement: Unforgeability of minimum age]
+ {\small
+ \begin{equation*}
+ \Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}:
+ \Probability\Big[\Game{FA}(\lambda) = 1\Big] \le \negl(\lambda)
+ \end{equation*}
+ }
+ \end{description}
+\end{frame}
+
+
+\begin{frame}{Solution: Instantiation with ECDSA}
+% \framesubtitle{Definition of Commit}
+
+ \begin{description}
+ \item[To Commit to age (group) $\age \in \{1,\dots,\Age\}$]~\\
+ \begin{enumerate}
+ \item<2-> Guardian generates ECDSA-keypairs, one per age (group):
+ \[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\]
+ \item<3-> Guardian then \textbf{drops} all private keys
+ $p_i$ for $i > \age$:
+ \[\Big \langle(q_1, p_1),\dots,
+ (q_\age, p_\age),
+ (q_{\age +1},
\red{\Nil}),\dots, + (q_\Age, \red{\Nil})\Big\rangle\] + + \begin{itemize} + \item $\Vcommitment := (q_1, \dots, q_\Age)$ is the \textit{Commitment}, + \item $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$ is the \textit{Proof} + \end{itemize} + \vfill + \item<4-> Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$ + \vfill + \end{enumerate} + \end{description} +\end{frame} + +\begin{frame}{Instantiation with ECDSA} + \framesubtitle{Definitions of Attest and Verify} + + Child has + \begin{itemize} + \item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $, + \item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$. + \end{itemize} + \begin{description} + \item<2->[To \blue{Attest} a minimum age $\blue{\minage} \leq \age$:]~\\ + Sign a message with ECDSA using private key $p_\blue{\minage}$ + \end{description} + + \vfill + + \uncover<3->{ + Merchant gets + \begin{itemize} + \item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $ + \item Signature $\sigma$ + \end{itemize} + \begin{description} + \item<4->[To \blue{Verify} a minimum age $\minage$:]~\\ + Verify the ECDSA-Signature $\sigma$ with public key $q_\minage$. + \end{description} + } + \vfill \end{frame} +\begin{frame}{Instantiation with ECDSA} + \framesubtitle{Definitions of Derive and Compare} + Child has + $\Vcommitment = (q_1, \dots, q_\Age) $ and + $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$. + \begin{description} + \item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:] + Choose random $\beta\in\Z_g$ and calculate + \small + \begin{align*} + \Vcommitment' &:= \big(\beta * q_1,\ldots,\beta * q_\Age\big),\\ + \Vpruf' &:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big) + \end{align*} + Note: $ (\beta p_i)*G = \beta*(p_i*G) = \beta*q_i$\\ + \scriptsize $\beta*q_i$ is scalar multiplication on the elliptic curve. 
+ \end{description}
+
+ \vfill
+ \uncover<3->{
+ Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$
+ \begin{description}
+ \item[To \blue{Compare}, calculate:]
+ \small
+ $(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)$
+ \end{description}
+ \vfill
+ }
+\end{frame}
+
+\begin{frame}{Instantiation with ECDSA}
+
+ Functions
+ (Commit, Attest, Verify, Derive, Compare)\\
+ as defined in the instantiation with ECDSA\\[0.5em]
+ \begin{itemize}
+ \item meet the basic requirements,\\[0.5em]
+ \item also meet all security requirements.\\
+ Proofs by security reduction, details are in the paper.
+ \end{itemize}
+
+\end{frame}
+
+
+% \begin{frame}{Instantiation with ECDSA}
+% \framesubtitle{Full definitions}
+% \scriptsize
+%
+% \begin{align*}
+% \Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle
+% \overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\;
+% \overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf \text{, length }\Age}
+% \Big\rangle\\
+% \Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:=
+% \begin{cases}
+% \attest_\bage := \Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage] \stackrel{?}{\neq} \Nil\\
+% \Nil & \text{otherwise}
+% \end{cases}\\
+% %
+% \Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:= \Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\
+% %
+% \Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:=
+% \Big\langle(\beta * q_1,\ldots,\beta * q_\Age),
+% (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta \Big\rangle \\
+% & \text{ with } \beta := \FDHg{\omega} \text{ and multiplication } \beta p_i \text{ modulo } g \nonumber\\
+% %
+% \Compare_E(\Vcommitment, \Vcommitment', \beta) &:=
+% \begin{cases}
+% 1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\
+% 0 & \text{otherwise}
+% \end{cases}
+% \end{align*}
+% \end{frame}
+
+
+\begin{frame}{Reminder: GNU Taler Fundamentals}
+
\begin{center} + \begin{tikzpicture}[scale=.55] + \node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$}; + \node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$}; + \node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$}; + + \draw[<->] (Customer) to [out=65,in=220] node[sloped,above] {\sf withdraw} (Exchange); + \draw[<->] (Customer) to [out=45,in=240] node[sloped,below] {\sf refresh} (Exchange); + \draw[<->] (Customer) to node[sloped, below] {\sf purchase} (Merchant); + \draw[<->] (Merchant) to node[sloped, above] {\sf deposit} (Exchange); + \end{tikzpicture} + \end{center} -\begin{frame} -\frametitle{Do you have any questions?} -\vfill -References: -{\tiny - \begin{enumerate} - \item{David Chaum, Christian Grothoff and Thomas Moser. - {\em How to issue a central bank digital currency}. - {\bf SNB Working Papers, 2021}.} - \item{Christian Grothoff, Bart Polot and Carlo von Loesch. - {\em The Internet is broken: Idealistic Ideas for Building a GNU Network}. - {\bf W3C/IAB Workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT)}, 2014.} - \item{Jeffrey Burdges, Florian Dold, Christian Grothoff and Marcello Stanisci. - {\em Enabling Secure Web Payments with GNU Taler}. - {\bf SPACE 2016}.} - \item{Florian Dold, Sree Harsha Totakura, Benedikt M\"uller, Jeffrey Burdges and Christian Grothoff. - {\em Taler: Taxable Anonymous Libre Electronic Reserves}. - Available upon request. 2016.} - \item{Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer and Madars Virza. - {\em Zerocash: Decentralized Anonymous Payments from Bitcoin}. - {\bf IEEE Symposium on Security \& Privacy, 2016}.} - \item{David Chaum, Amos Fiat and Moni Naor. - {\em Untraceable electronic cash}. - {\bf Proceedings on Advances in Cryptology, 1990}.} - \item{Phillip Rogaway. - {\em The Moral Character of Cryptographic Work}. 
- {\bf Asiacrypt}, 2015.} \label{bib:rogaway} -\end{enumerate} -} -\begin{center} - {\bf Let money facilitate trade; but ensure capital serves society.} -\end{center} + \vfill + \begin{itemize} + \item Coins are public-/private key-pairs $(C_p, c_s)$. + \item Exchange blindly signs $\FDH(C_p)$ with denomination key $d_p$ + \item Verification: + \begin{eqnarray*} + 1 &\stackrel{?}{=}& + \mathsf{SigCheck}\big(\FDH(C_p), D_p, \sigma_p\big) + \end{eqnarray*} + \scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature) + + \end{itemize} +\end{frame} + +\begin{frame}{Integration with GNU Taler} + \framesubtitle{Binding age restriction to coins} + + To bind an age commitment $\commitment$ to a coin $C_p$, instead of + signing $\FDH(C_p)$, $\Exchange$ now blindly signs + \begin{center} + $\FDH(C_p, \orange{H(\commitment)})$ + \end{center} + + \vfill + Verfication of a coin now requires $H(\commitment)$, too: + \begin{center} + $1 \stackrel{?}{=} + \mathsf{SigCheck}\big(\FDH(C_p, \orange{H(\commitment)}), D_p, \sigma_p\big)$ + \end{center} + \vfill +\end{frame} + +\begin{frame}{Integration with GNU Taler} + \framesubtitle{Integrated schemes} + \fontsize{8pt}{9pt}\selectfont + \begin{tikzpicture}[scale=.9] + \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$}; + \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$}; + + \draw[<->] (Guardian) to node[sloped,above,align=center] + {{\sf withdraw}\orange{, using}\\ $\FDH(C_p\orange{, H(\commitment)})$} (Exchange); + \draw[<->] (Client) to node[sloped,below,align=center] + {{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange); + \draw[<->] (Client) to node[sloped, below] + {{\sf purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant); + \draw[<->] (Merchant) to node[sloped, 
above] + {{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange); + + \draw[->] (Guardian) to [out=70,in=150, loop] node[above] + {$\Commit(\age)$} (Guardian); + \draw[->] (Guardian) to node[below,sloped] + {($\commitment$, $\pruf_\age$)} (Client); + \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below] + {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client); + \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below] + {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant); + \end{tikzpicture} +\end{frame} + +\begin{frame}{Instantiation with Edx25519} + Paper also formally defines another signature scheme: Edx25519.\\[1em] + + \begin{itemize} + \item Scheme already in use in GNUnet, + \item based on EdDSA (Bernstein et al.), + \item generates compatible signatures and + \item allows for key derivation from both, private and public keys, independently. + \end{itemize}~\\[1em] + + Current implementation of age restriction in GNU Taler uses Edx25519. +\end{frame} + + +\begin{frame}{Discussion} + \begin{itemize} + \item Our solution can in principle be used with any token-based payment scheme + \item GNU Taler best aligned with our design goals (security, privacy and efficiency) + \item Subsidiarity requires bank accounts being owned by adults + \begin{itemize} + \item Scheme can be adapted to case where minors have bank accounts + \begin{itemize} + \item Assumption: banks provide minimum age + information during bank + transactions. + \item Child and Exchange execute a variant of + the cut\&choose protocol. + \end{itemize} + \end{itemize} + \item Our scheme offers an alternative to identity management systems (IMS) + \end{itemize} +\end{frame} +\begin{frame}{Related Work} + \begin{itemize} + \item Current privacy-perserving systems all based on attribute-based credentials (Koning et al., Schanzenbach et al., Camenisch et al., Au et al.) 
+ \item Attribute-based approach lacks support: + \begin{itemize} + \item Complex for consumers and retailers + \item Requires trusted third authority + \end{itemize} + \vfill + \item Other approaches tie age-restriction to ability to pay ("debit cards for kids") + \begin{itemize} + \item Advantage: mandatory to payment process + \item Not privacy friendly + \end{itemize} + \end{itemize} \end{frame} +\begin{frame}{Conclusion} + Age restriction is a technical, ethical and legal challenge. + + Existing solutions are + \begin{itemize} + \item without strong protection of privacy or + \item based on identity management systems (IMS) + \end{itemize} + \vfill + + Our scheme offers a solution that is + \begin{itemize} + \item based on subsidiarity + \item privacy preserving + \item efficient + \item an alternative to IMS + \end{itemize} +\end{frame} + + + + + +% FIXME: age restriction slides here! \section{Integration with the core banking system} \begin{frame} \vfill \begin{center} - {\bf Part II: Integration with the core banking system} + {\bf Part III: Integration with the core banking system} \end{center} \vfill \end{frame} +\begin{frame}[fragile]{Taler: Bank Perspective} +\begin{adjustbox}{max totalsize={.9\textwidth}{.7\textheight},center} +\begin{tikzpicture} + \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em]; + \node (origin) at (0,0) {}; + \node (exchange) [def,above=of origin,draw]{Exchange}; + \node (nexus) [def, draw, below right=of exchange] {Nexus}; + \node (corebanking) [def, draw, below left=of nexus] {Core Banking}; + \node (nginx) [def, draw, above=of exchange]{Nginx}; + \node (postgres) [def, draw, below left=of exchange]{Postgres}; + \node (postgres-nexus) [def, draw, below right=of nexus]{Postgres}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (exchange) -- (nginx) node [midway, above, sloped] (TextNode) {REST API}; + \draw [<-, C] (postgres) -- (exchange) node [midway, above, sloped] (TextNode) 
{SQL};
+ \draw [<-, C] (postgres-nexus) -- (nexus) node [midway, above, sloped] (TextNode) {SQL};
+ \draw [<-, C] (nexus) -- (exchange) node [midway, above, sloped] (TextNode) {Internal REST API};
+ \draw [<-, C] (corebanking) -- (nexus) node [midway, above, sloped] (TextNode) {EBICS/FinTS};
+
+\end{tikzpicture}
+\end{adjustbox}
+\end{frame}
+
+
+\begin{frame}{Taler: Exchange Architecture}
+\begin{center}
+\begin{tikzpicture}
+ \tikzstyle{def} = [node distance=2em and 2.5em, inner sep=1em, outer sep=.3em];
+ \node (origin) at (0,0) {};
+ \node (httpd) [def,above=of origin,draw]{httpd};
+ \node (secmod-rsa) [def, draw, right=of httpd] {secmod-rsa};
+ \node (secmod-eddsa) [def, draw, left=of httpd] {secmod-eddsa};
+ \node (postgres) [def, draw, below=of httpd]{Postgres};
+ \node (aggregator) [def, draw, right=of postgres]{aggregator};
+ \node (transfer) [def, draw, below left=of postgres]{transfer};
+ \node (wirewatch) [def, draw, below right=of postgres]{wirewatch};
+ \node (nexus) [def, draw, below=of postgres]{Nexus};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<->, C] (httpd) -- (postgres) node [midway, above, sloped] (TextNode) {};
+ \draw [<->, C] (httpd) -- (secmod-rsa) node [midway, above, sloped] (TextNode) {};
+ \draw [<->, C] (httpd) -- (secmod-eddsa) node [midway, above, sloped] (TextNode) {};
+ \draw [<->, C] (aggregator) -- (postgres) node [midway, above, sloped] (TextNode) {};
+ \draw [<->, C] (wirewatch) -- (postgres) node [midway, above, sloped] (TextNode) {};
+ \draw [<->, C] (transfer) -- (postgres) node [midway, above, sloped] (TextNode) {};
+ \draw [->, C] (transfer) -- (nexus) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (wirewatch) -- (nexus) node [midway, above, sloped] (TextNode) {};
+\end{tikzpicture}
+\end{center}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Taler: Auditor Perspective}
+\begin{center}
+\begin{tikzpicture}
+ \tikzstyle{def} = [node distance=2em and 2.5em, inner sep=1em, outer sep=.3em];
+
\node (origin) at (0,0) {};
+ \node (httpd) [def,above left=of origin,draw]{auditor-httpd};
+ \node (report) [def,above right=of origin,draw]{auditor-report};
+ \node (postgres-A) [def, draw, below=of origin] {Postgres (Auditor)};
+ \node (postgres-E) [def, draw, below=of postgres-A] {Postgres (Bank)};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [->, C] (postgres-E) -- (postgres-A) node [midway, above, sloped] (TextNode) {sync};
+ \draw [<->, C] (httpd) -- (postgres-A) node [midway, above, sloped] (TextNode) {};
+ \draw [<->, C] (report) -- (postgres-A) node [midway, above, sloped] (TextNode) {};
+\end{tikzpicture}
+\end{center}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Taler: Merchant Perspective}
+\begin{center}
+\begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 3.5em and 2em, inner sep=1em, outer sep=.3em];
+ \node (origin) at (0,0) {};
+ \node (backend) [def,above=of origin,draw]{{\tiny taler-merchant-httpd}};
+ \node (frontend) [def,above left=of backend,draw]{{\tiny E-commerce Frontend}};
+ \node (backoffice) [def,above right=of backend,draw]{Backoffice};
+ \node (postgres) [def, draw, below left=of backend] {Postgres};
+ \node (sqlite) [def, draw, below=of backend] {Sqlite};
+ \node (alt) [def, draw, below right=of backend] {...};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [->, C] (frontend) -- (backend) node [midway, above, sloped] (TextNode) {REST API};
+ \draw [->, C] (backoffice) -- (backend) node [midway, above, sloped] (TextNode) {REST API};
+ \draw [<->, C] (backend) -- (postgres) node [midway, above, sloped] (TextNode) {SQL};
+ \draw [<->, C] (backend) -- (sqlite) node [midway, above, sloped] (TextNode) {SQL};
+ \draw [<->, C] (backend) -- (alt) node [midway, above, sloped] (TextNode) {SQL};
+\end{tikzpicture}
+\end{center}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Taler: Wallet Architecture}
+ \framesubtitle{Background: \url{https://anastasis.lu/}}
+\begin{center}
+\begin{tikzpicture}
+ \tikzstyle{def} =
[node distance= 5em and 4.5em, inner sep=1em, outer sep=.3em]; + \node (origin) at (0,0) {}; + \node (gui) [def,above=of origin,draw]{wallet-gui}; + \node (core) [def,below=of gui,draw]{wallet-core}; + \node (sync) [def, draw, below left=of core] {Sync}; + \node (taler) [def, draw, below right=of core] {Taler}; + \node (anastasis) [def, draw, below=of core] {Anastasis}; + + \tikzstyle{C} = [color=black, line width=1pt] + \draw [<->, C] (gui) -- (core) node [midway, above, sloped] (TextNode) {}; + \draw [<->, C] (core) -- (sync) node [midway, above, sloped] (TextNode) {Backup}; + \draw [<->, C] (core) -- (taler) node [midway, above, sloped] (TextNode) {Payment}; + \draw [<->, C] (core) -- (anastasis) node [midway, above, sloped] (TextNode) {Key Escrow}; +\end{tikzpicture} +\end{center} +\end{frame} + + \begin{frame} \frametitle{High-level Deployment Recipe} \dots as a bank @@ -1776,17 +2490,6 @@ of the Taler Wire Gateway exist: \end{frame} -\section{Operator security considerations} - -\begin{frame} - \vfill - \begin{center} - {\bf Part III: Operator security considerations} - \end{center} - \vfill -\end{frame} - - \begin{frame}{Key management} Taler has many types of keys: \begin{itemize} @@ -1955,6 +2658,7 @@ General notions: \end{frame} + \section{Integration considerations} \begin{frame} 
@@ -1999,6 +2703,662 @@ General notions: \end{frame} +\begin{frame}{Merchant Integration: Contract} + % \begin{figure*}[t!] + {\tiny + \lstset{language=JavaScript} + \lstinputlisting{figs/taler-contract.json} +% \caption{Minimal Taler contract over a digital article with a value of \EUR{0.10}. The merchant will pay transaction fees up to \EUR{0.01}. The hash over the wire transfer information was truncated to make it fit to the page.} +% \label{listing:json-contract} + % \end{figure*} + } +\end{frame} + + +\begin{frame}{Blockchain based cryptocurrencies} + \begin{tikzpicture}[remember picture,overlay] + \node (N1)[above right=5mm and 25mm of current page.center] {\includegraphics[width=34mm]{media/news1.png}}; + \node (N0)[below=-3mm of N1] {\includegraphics[width=34mm]{media/news0.png}}; + \node (N2)[below left=-26mm and -2.5mm of N1] {\includegraphics[width=34mm]{media/news2.png}}; + \end{tikzpicture} + \begin{block}{Biggest cryptocurrencies} + \begin{itemize} + \item \textbf{BTC} Bitcoin + \item \textbf{ETH} Ethereum + \end{itemize} + \end{block} + \begin{block}{Common blockchain limitations} + \begin{itemize} + \item \textbf{Delay} block and confirmation delay + \item \textbf{Cost} transaction fees + \item \textbf{Scalability} limited amount of transaction per second + \item \textbf{Ecological impact} computation redundancy + \item \textbf{Privacy} + \item \textbf{Regulatory risk} + \end{itemize} + \end{block} +\end{frame} + +\begin{frame}{Taler}{Architecture} + \begin{columns} + \column{0.5\paperwidth} + \begin{tikzpicture}[ + rect/.style={circle, draw=black}, + sym/.style={-stealth, shorten >= 2pt, shorten <= 2pt} + ] + % Taler payment system + \node[rect](1) {Exchange}; + \node[rect,below left=1.5cm and 0.7cm of 1](2) {Customer}; + \node[rect,below right=1.5cm and 0.7cm of 1](3) {Merchant}; + + \draw[sym] (1) -- node [midway, above, sloped] {\tiny Withdraw coins} (2); + \draw[sym] (2) -- node [midway, above, sloped] {\tiny Spend coins} (3); + \draw[sym] (3) 
-- node [midway, above, sloped] {\tiny Deposit coins} (1); + + % Settlement layer + \node[left=2cm of 1](E1){}; + \node[right=2cm of 1](E2){}; + \draw[sym] (E1) -- node [midway, above] {\tiny Deposit money} (1); + \draw[sym] (1) -- node [midway, above] {\tiny Withdraw money} (E2); + + % Auditor + \node[above= of 1](A){Auditor}; + \draw[sym] (A) -- node [midway, right] {\tiny Verify} (1); + + % Separator + \node[below=1mm of E1] (S1S) {}; + \node[below=1mm of E2] (S1E) {}; + \node[above=6mm of E1] (S2S) {}; + \node[above=6mm of E2] (S2E) {}; + + \draw[dotted] (S1S) -- (S1E); + \draw[dotted] (S2S) -- (S2E); + + \node[below right=-2mm and -1.5mm of S2S] {\tiny{\emph{Settlement Layer}}}; + \node[below right=-2mm and -1.5mm of S1S] {\tiny{\emph{Taler payment system}}}; + \end{tikzpicture} + \column{0.47\paperwidth} + \begin{block}{Settlement layer} + \begin{itemize} + \item This work, Blockchain! + \end{itemize} + \end{block} + \begin{block}{Taler payment system} + \begin{itemize} + \item Realtime transactions, 1 RTT + \item Scalable microtransactions + \item Blind signatures (privacy) + \end{itemize} + \end{block} + + \end{columns} +\end{frame} + +\begin{frame}{Taler}{Blockchain settlement layer} + \begin{center} + \begin{tikzpicture}[ + rect/.style={rectangle, draw=black, minimum width=30mm}, + sym/.style={stealth-stealth, shorten >= 2pt, shorten <= 2pt}, + block/.style={rectangle,draw=black,fill=black!10,minimum size=7mm}, + ] + + %% Architecture + \node(Tt){Taler}; + \node[rect,below=0cm of Tt](Tc){Exchange}; + \node[rect,fit={(Tt) (Tc)}](T){}; + + \node[rect,below=7mm of Tc](D) {\textbf{Depolymerization}}; + + \node[rect,below=7mm of D](Bc){Node}; + \node[below=0cm of Bc](Bt){Blockchain}; + \node[rect,fit={(Bt) (Bc)}](B){}; + + \draw[sym] (T) -- (D); + \draw[sym] (D) -- (B); + + %% Blockchain + \node[block,right=8mm of B] (1){}; + \node[block,right=4mm of 1] (2){}; + \node[block,right=4mm of 2] (3){}; + \node[block,right=4mm of 3] (4){}; + \node[block,right=4mm of 
4] (5){};
+ \node[block,right=4mm of 5] (6){};
+ \draw[-stealth] (1) -- (2);
+ \draw[-stealth] (2) -- (3);
+ \draw[-stealth] (3) -- (4);
+ \draw[-stealth] (4) -- (5);
+ \draw[-stealth] (5) -- (6);
+
+ \node[left=4mm of 1] (S){};
+ \node[right=4mm of 6] (E){};
+ \draw[-stealth] (S) -- (1);
+ \draw[-stealth] (6) -- (E);
+
+ %% Taler
+ \node[block, below right=-7.5mm and 20.5mm of T] (off){Off-chain transactions};
+ \node[above=-0.5mm of off] {\includegraphics[height=7mm]{media/taler.png}};
+
+ %% Depolymerization
+ \node[right=11mm of D] {\small{Credit}};
+ \node[right=50mm of D] {\small{Debit}};
+ \draw[dashed,-stealth] (1.north) |- (off.west);
+ \draw[dashed,-stealth] (off.east) -| (6.north);
+ \end{tikzpicture}
+ \end{center}
+\end{frame}
+
+\begin{frame}{Challenges}
+ \begin{block}{Taler Metadata}
+ \begin{itemize}
+ \item Metadata are required to link a wallet to credits and
+ allow merchant to link deposits to debits
+ \item Putting metadata in blockchain transactions can be tricky
+ \end{itemize}
+ \end{block}
+ \begin{block}{Blockchain based cryptocurrencies}
+ \begin{itemize}
+ \item Blockchain transactions lack finality (fork)
+ \item Transactions can be stuck for a long time (mempool)
+ \end{itemize}
+ \end{block}
+\end{frame}
+
+\begin{frame}{Blockchain challenges}{Chain reorganization}
+ \begin{center}
+ \begin{tikzpicture}[
+ block/.style={rectangle,draw=black,fill=black!10,minimum size=7mm},
+ ar/.style={-stealth}
+ ]
+ % Common
+ \node[block](1){};
+ \node[block,right=5mm of 1](2){$D_0$};
+ \node[block,right=5mm of 2](3){};
+ \draw[ar] (1) -- (2);
+ \draw[ar] (2) -- (3);
+
+ % Current
+ \node [block,right=5mm of 3](4){};
+ \node[block,right=5mm of 4](5){};
+ \node[block,right=5mm of 5](6){$D_1$};
+ \draw[ar] (3) -- (4);
+ \draw[ar] (4) -- (5);
+ \draw[ar] (5) -- (6);
+
+ % Fork
+ \node [block,above=7mm of 4](4p){};
+ \node[block,right=5mm of 4p](5p){$D_2$};
+ \node[block,right=5mm of 5p](6p){};
+ \node[block,right=5mm of 6p](7p){};
+ \draw[ar]
(3.east) -- (4p.west);
+ \draw[ar] (4p) -- (5p);
+ \draw[ar] (5p) -- (6p);
+ \draw[ar] (6p) -- (7p);
+
+ % Indication
+ \node [right=5mm of 7p]{\emph{fork}};
+ \node [right=17mm of 6]{\emph{active}};
+ \end{tikzpicture}
+ \end{center}
+ A fork is when concurrent blockchain states coexist. Nodes will follow
+ the longest chain, replacing recent blocks if necessary during a
+ blockchain reorganization. If a deposit transaction disappears from the
+ blockchain, an irrevocable withdraw transactions would no longer be backed
+ by credit.
+\end{frame}
+
+\begin{frame}{Blockchain challenges}{Stuck transactions}
+ We want confirmed debits within a limited time frame.
+ \begin{figure}
+ \centering
+ \only<1> {
+ \begin{tikzpicture}[
+ dot/.style={circle,fill,inner sep=1pt,}
+ ]
+ \node (I) {\includegraphics[width=\textwidth]{media/fee.png}};
+ \node [below left=-2.5mm and -1.5cm of I] (Tx) {\small Tx};
+ \node [dot,above=8.4mm of Tx](D) {};
+ \draw [dotted,thick] (Tx) -- (D);
+ \node [left=-4.5cm of Tx] (C) {\small conf};
+ \node [dot,above=8.4mm of C](D1) {};
+ \draw [dotted,thick] (C) -- (D1);
+ \end{tikzpicture}
+ }
+ \only<2> {
+ \includegraphics[width=\textwidth]{media/fee_var.png}
+ \caption{Bitcoin average transaction fee over 6 months {\tiny (ychart)}}
+ }
+ \end{figure}
+ \only<1>{When we trigger a debit with a fee too small, it may not be
+ confirmed in a timely fashion.}
+ \only<2>{However, transaction fees are unpredictable.}
+\end{frame}
+
+
+\begin{frame}{Depolymerization}{Architecture}
+ \begin{center}
+ \begin{tikzpicture}[
+ rect/.style={rectangle, draw=black, minimum height=6mm, minimum width=28mm},
+ sym/.style={stealth-stealth, shorten >= 2pt, shorten <= 2pt}
+ ]
+ \node[rect](1) {Taler Exchange};
+ \node[rect,below=of 1](2) {Wire Gateway};
+ \node[rect,right=of 2](3) {PostgreSQL};
+ \node[rect,right=of 3](4) {DLT Adapter};
+ \node[rect,above=of 4](5) {DLT Full Node};
+
+ \draw[sym] (1) -- node [midway,right] {\tiny HTTP} (2);
+ \draw[sym] (2) -- node
[midway,above] {\tiny SQL} (3); + \draw[sym] (3) -- node [midway,above] {\tiny SQL} (4); + \draw[sym] (4) -- node [midway,left ] {\tiny RPC} (5); + + + \node[above= 2mm of 1]{\small{\emph{Wire Gateway API}}}; + \node[above= 2mm of 5]{\small{\emph{DLT specific}}}; + \node[above=22mm of 3](T) {}; + \draw[dotted] (3) -- (T); + \end{tikzpicture} + \end{center} + \begin{itemize} + \item Common database to store transactions state and communicate + with notifications + \item Wire Gateway for Taler API compatibility + \item DLT specific adapter + \end{itemize} +\end{frame} + +\begin{frame}{Storing metadata}{Bitcoin} + \begin{block}{Bitcoin - Credit} + \begin{itemize} + \item Transactions from code + \item Only 32B + URI + \item \textbf{OP\_RETURN} + \end{itemize} + \end{block} + \begin{block}{Bitcoin - Debit} + \begin{itemize} + \item Transactions from common wallet software + \item Only 32B + \item \textbf{Fake Segwit Addresses} + \end{itemize} + \end{block} +\end{frame} +\begin{frame}{Storing metadata}{Ethereum} + \begin{block}{Smart contract ?} + \begin{itemize} + \item Logs in smart contract is the recommend way {\tiny (ethereum.org)} + \item Expensive (additional storage and execution fees) + \item Avoidable attack surface (error prone) + \end{itemize} + \end{block} + \begin{block}{Custom input format} + Use input data in transactions, usually used to call smart contract, to + store our metadata. 
+ \end{block}
+\end{frame}
+
+\begin{frame}{Handling blockchain reorganization}
+ \begin{center}
+ \begin{tikzpicture}[
+ block/.style={rectangle,draw=black,fill=black!10,minimum size=7mm},
+ conf/.style={draw=black!60!green,fill=black!60!green!10},
+ nconf/.style={dotted},
+ err/.style={draw=black!60!red,fill=black!60!red!10},
+ ar/.style={-stealth}
+ ]
+ % Common
+ \node[block,conf](1){};
+ \node[block,conf,right=5mm of 1](2){$D_0$};
+ \node[block,conf,right=5mm of 2](3){};
+ \draw[ar] (1) -- (2);
+ \draw[ar] (2) -- (3);
+
+ % Current
+ \only<1>{
+ \node [block,nconf,right=5mm of 3](4){};
+ }
+ \only<2->{
+ \node [block,conf,right=5mm of 3](4){\only<3>{$D_3$}};
+ }
+ \node[block,nconf,right=5mm of 4](5){};
+ \node[block,nconf,right=5mm of 5](6){$D_1$};
+ \draw[ar] (3) -- (4);
+ \draw[ar] (4) -- (5);
+ \draw[ar] (5) -- (6);
+
+ % Fork
+ \only<-2>{
+ \node [block,nconf,above=7mm of 4](4p){};
+ }
+ \only<3>{
+ \node [block,dashed,err,above=7mm of 4](4p){$D_3'$};
+ }
+ \node[block,nconf,right=5mm of 4p](5p){$D_2$};
+ \node[block,nconf,right=5mm of 5p](6p){};
+ \node[block,nconf,right=5mm of 6p](7p){};
+ \draw[ar] (3.east) -- (4p.west);
+ \draw[ar] (4p) -- (5p);
+ \draw[ar] (5p) -- (6p);
+ \draw[ar] (6p) -- (7p);
+
+ % Indication
+ \node [right=5mm of 7p]{\emph{fork}};
+ \node [right=17mm of 6]{\emph{active}};
+ \end{tikzpicture}
+ \end{center}
+ \only<1>{As small reorganizations are common, Satoshi already recommended to
+ apply a confirmation delay to handle most disturbances and attacks.}
+ \only<2>{If a reorganization longer than the confirmation delay happens,
+ but it did not remove credits, Depolymerizer is safe and automatically
+ resumes.}
+ \only<3>{If a fork removed a confirmed debit, an attacker may create a
+ conflicting transaction.
Depolymerizer suspends operation until lost
+ credits reappear.}
+\end{frame}
+
+\begin{frame}{Adaptive confirmation}
+ \begin{center}
+ \begin{tikzpicture}[
+ block/.style={rectangle,draw=black,fill=black!10,minimum size=7mm},
+ conf/.style={draw=black!60!green,fill=black!60!green!10},
+ nconf/.style={dotted},
+ conft/.style={text=black!60!green},
+ confl/.style={draw=black!60!green},
+ ar/.style={-stealth}
+ ]
+ % Common
+ \node(0){};
+ \node[block,conf,right=5mm of 0](1){};
+ \node[block,conf,right=5mm of 1](2){};
+ \draw[ar] (0) -- (1);
+ \draw[ar] (1) -- (2);
+
+ % Current
+ \node[block,conf,right=5mm of 2](3){};
+ \node[block,nconf,right=5mm of 3](4){};
+ \node[block,nconf,right=5mm of 4](5){};
+ \node[block,nconf,right=5mm of 5](6){};
+ \draw[ar] (2) -- (3);
+ \draw[ar] (3) -- (4);
+ \draw[ar] (4) -- (5);
+ \draw[ar] (5) -- (6);
+
+ % Fork
+ \node[block,nconf,above=7mm of 3](3p){};
+ \node[block,nconf,right=5mm of 3p](4p){};
+ \node[block,nconf,right=5mm of 4p](5p){};
+ \node[block,nconf,right=5mm of 5p](6p){};
+ \node[block,nconf,right=5mm of 6p](7p){};
+ \draw[ar] (2.east) -- (3p.west);
+ \draw[ar] (3p) -- (4p);
+ \draw[ar] (4p) -- (5p);
+ \draw[ar] (5p) -- (6p);
+ \draw[ar] (6p) -- (7p);
+
+ % Indication
+ \node[right=5mm of 7p]{\emph{fork}};
+ \node[right=17mm of 6]{\emph{active}};
+
+ % Confirmation
+ \path (0) -- (1) node[conft,midway, below=6mm] (M) {Max};
+ \path (2) -- (3) node[conft,midway, below=6mm] (N) {New};
+ \path (3) -- (4) node[conft,midway, below=6mm] (I) {Initial};
+ \node[above=25mm of M] (Mp) {};
+ \node[above=25mm of N] (Np) {};
+ \node[above=25mm of I] (Ip) {};
+ \draw[confl,thick,dotted](M) -- (Mp);
+ \draw[confl](N) -- (Np);
+ \draw[confl,thick,dotted](I) -- (Ip);
+ \end{tikzpicture}
+ \end{center}
+ If we experience a reorganization once, its dangerously likely for another
+ one of a similar scope to happen again. Depolymerizer learns from reorganizations
+ by increasing its confirmation delay.
+\end{frame} + + + +\begin{frame}{DLT Adapter}{Architecture} + \begin{block}{Event system} + \begin{itemize} + \item \textbf{Watcher} watch and notify for new blocks with credits + \item \textbf{Wire Gateway} notify requested debits + \item \textbf{Worker} operates on notifications updating state + \end{itemize} + \end{block} +\end{frame} + + +\begin{frame}{DLT Adapter state machine} + \begin{columns} + \column{0.5\paperwidth} + \begin{figure} + \begin{tikzpicture}[ + rect/.style={rectangle, draw=black, minimum height=6mm, minimum width=50mm}, + ] + + \node[rect](wo1) {Wait for notifications}; + \node[rect, below=4mm of wo1](wo2) {Reconcile local DB with DLT}; + \node[rect, below=4mm of wo2](wo3) {Trigger debits}; + \node[rect, below=4mm of wo3](wo4) {Reissue stuck debits}; + \node[rect, below=4mm of wo4](wo5) {Bounce malformed credits}; + \draw[-stealth] (wo1) -- (wo2); + \draw[-stealth] (wo2) -- (wo3); + \draw[-stealth] (wo3) -- (wo4); + \draw[-stealth] (wo4) -- (wo5); + \draw[-stealth] (wo5) .. controls ([xshift=-0.4cm] wo5.west) and ([xshift=-0.4cm] wo1.west) .. 
(wo1); + \end{tikzpicture} + \caption{Worker loop} + \end{figure} + \column{0.47\paperwidth} + \begin{block}{DLT reconcialisation} + \begin{itemize} + \item List new and removed transactions since last reconciliation + \item Check for confirmed credits removal + \item Register new credits + \item Recover lost debits + \end{itemize} + \end{block} + \end{columns} +\end{frame} + +\begin{frame}{Related work} + \begin{block}{Centralization - Coinbase off-chain sending} + \begin{itemize} + \item [$+$] Fast and cheap: off chain transaction + \item [$-$] Trust in Coinbase: privacy, security \& transparency + \end{itemize} + \end{block} + \begin{block}{Layering - Lightning Network} + \begin{itemize} + \item [$+$] Fast and cheap: off-chain transactions + \item [$-$] Requires setting up bidirectional payment channels + \item [$-$] Fraud attempts are mitigated via a complex penalty system + \end{itemize} + \end{block} +\end{frame} + +\begin{frame}{Conclusion} + Blockchains can be used as a settlement layer for GNU Taler + with Depolymerizer. 
+ + \begin{itemize} + \item [$-$] Trust exchange operator or auditors + \item [$+$] Fast and cheap + \item [$+$] Realtime, ms latency + \item [$+$] Linear scalability + \item [$+$] Ecological + \item [$+$] Privacy when it can, transparency when it must (avoid tax evasion and money laundering) + \end{itemize} +Future work: + \begin{itemize} + \item Universal auditability, using sharded transactions history + \item Smarter analysis, update confirmation delay based on currency network behavior + \item Multisig by multiple operator for transactions validation + \end{itemize} +\end{frame} + + +\section{Conclusion} + +\begin{frame} + \vfill + \begin{center} + {\bf Part V: Conclusion} + \end{center} + \vfill +\end{frame} + + +\begin{frame}{Taler: Project Status} +\framesubtitle{\url{https://docs.taler.net/}} +\begin{itemize} + \item Cryptographic protocols and core exchange component are stable + \item Current focus: Merchant integration, settlement integration, wallet backup + \item Pilot project at Bern University of Applied Sciences cafeteria + \item Internal alpha deployment with a commercial bank in progress + \end{itemize} +\end{frame} + + +\begin{frame}{Competitor comparison} + \begin{center} \small + \begin{tabular}{l||c|c|c|c|c} + & Cash & Bitcoin & Zerocoin & Creditcard & GNU Taler \\ \hline \hline + Online &$-$$-$$-$ & ++ & ++ & + & +++ \\ \hline + Offline & +++ & $-$$-$ & $-$$-$ & + & $-$$-$ \\ \hline + Trans. 
cost & + & $-$$-$$-$ & $-$$-$$-$ & $-$ & ++ \\ \hline + Speed & + & $-$$-$$-$ & $-$$-$$-$ & o & ++ \\ \hline + Taxation & $-$ & $-$$-$ & $-$$-$$-$ & +++ & +++ \\ \hline + Payer-anon & ++ & o & ++ & $-$$-$$-$ & +++ \\ \hline + Payee-anon & ++ & o & ++ & $-$$-$$-$ & $-$$-$$-$ \\ \hline + Security & $-$ & o & o & $-$$-$ & ++ \\ \hline + Conversion & +++ & $-$$-$$-$ & $-$$-$$-$ & +++ & +++ \\ \hline + Libre & $-$ & +++ & +++ & $-$ $-$ $-$ & +++ \\ + \end{tabular} + \end{center} +\end{frame} + + + +\begin{frame}{Next Steps: Possible Projects and Collaborations} + \vfill +\begin{center} +\includegraphics[width=1.0\textwidth]{taler-in-use.png} +\end{center} +\end{frame} + + +\begin{frame}{Area I: System Integration and Partnerships} + \framesubtitle{\url{https://lists.gnu.org/mailman/listinfo/taler}} + Pilots with banking organizations could: + \begin{itemize} + \item Study integration with the underlying RTGS layer: + \begin{itemize} + \item Develop standardized operational procedures + \item Assess transaction performance at scale + \item Perform cost analysis in banking environment + \item Assess effort for integration with commercial banks + \end{itemize} + \item Analyze regulatory considerations for different legislations +% \item Building awareness of Taler as a bearer-based retail CBDC + \item Perform independent security audits of Taler components + \item Determine and possibly close gaps in the existing solution + \end{itemize} +\end{frame} + + +\begin{frame}{Area II: Development/Research Extensions} + \framesubtitle{Background: \url{https://myoralvillage.org/}} +We have ideas for protocol extensions and ``programmable money'': + \begin{itemize} + \item Privacy-preserving auctions (trading, currency exchange) + \end{itemize} +Central banks should also consider funding research to improve: + \begin{itemize} + \item General digital wallet usability and availability + \item Accessibility features for illiterate and innumerate users + \item Projects that facilitate 
integration at retailers + \begin{itemize} + \item Hardware and software support for embedded systems + \item Integration into off-the-self E-commerce systems + \end{itemize} + \item Protocol extensions for automated tax reporting + \end{itemize} +\end{frame} + + +\begin{frame}{How to support?} + \begin{description} + \item[Join:] {\small \url{https://lists.gnu.org/mailman/listinfo/taler}}, \\ + \url{https://libera.chat/\#taler} + \item[Develop:] \url{https://bugs.taler.net/}, \url{https://git.taler.net/} + \item[Translate:] \url{https://weblate.taler.net/}, \url{translation-volunteer@taler.net} + \item[Integrate:] \url{https://docs.taler.net/} + \item[Donate:] \url{https://gnunet.org/ev} + \item[Invest:] \url{https://taler-systems.com/} + \end{description} +\end{frame} + + +\begin{frame}{Conclusion} + \begin{center} + {\bf What can we do?} + \end{center} + \vfill +\begin{itemize} + \item{Suffer mass-surveillance enabled by credit card oligopolies with high fees, and} + \item{Engage in arms race with deliberately unregulatable blockchains} +% \item{Enjoy the ``benefits'' of cash \\ +% \hfill \includegraphics[height=0.3\textheight]{atm-rupee.jpg} \hfill} +\end{itemize} +\vfill +\begin{center} + {\bf OR} +\end{center} +\vfill +\begin{itemize} + \item{Establish free software alternative balancing social goals!} +\end{itemize} +\vfill +\end{frame} + + +\begin{frame} +\frametitle{Do you have any questions?} +\vfill +References: +{\tiny + \begin{enumerate} + \item{David Chaum, Christian Grothoff and Thomas Moser. + {\em How to issue a central bank digital currency}. + {\bf SNB Working Papers, 2021}.} + \item{Christian Grothoff, Bart Polot and Carlo von Loesch. + {\em The Internet is broken: Idealistic Ideas for Building a GNU Network}. + {\bf W3C/IAB Workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT)}, 2014.} + \item{Jeffrey Burdges, Florian Dold, Christian Grothoff and Marcello Stanisci. + {\em Enabling Secure Web Payments with GNU Taler}. 
+ {\bf SPACE 2016}.} + \item{Florian Dold, Sree Harsha Totakura, Benedikt M\"uller, Jeffrey Burdges and Christian Grothoff. + {\em Taler: Taxable Anonymous Libre Electronic Reserves}. + Available upon request. 2016.} + \item{Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer and Madars Virza. + {\em Zerocash: Decentralized Anonymous Payments from Bitcoin}. + {\bf IEEE Symposium on Security \& Privacy, 2016}.} + \item{David Chaum, Amos Fiat and Moni Naor. + {\em Untraceable electronic cash}. + {\bf Proceedings on Advances in Cryptology, 1990}.} + \item{Phillip Rogaway. + {\em The Moral Character of Cryptographic Work}. + {\bf Asiacrypt}, 2015.} \label{bib:rogaway} +\end{enumerate} +} +\begin{center} + {\bf Let money facilitate trade; but ensure capital serves society.} +\end{center} +\end{frame} + + + \end{document} diff --git a/presentations/comprehensive/media/fee.png b/presentations/comprehensive/media/fee.png Binary files differ. diff --git a/presentations/comprehensive/media/fee_var.png b/presentations/comprehensive/media/fee_var.png Binary files differ. diff --git a/presentations/comprehensive/media/news0.png b/presentations/comprehensive/media/news0.png Binary files differ. diff --git a/presentations/comprehensive/media/news1.png b/presentations/comprehensive/media/news1.png Binary files differ. diff --git a/presentations/comprehensive/media/news2.png b/presentations/comprehensive/media/news2.png Binary files differ. diff --git a/presentations/comprehensive/media/taler.png b/presentations/comprehensive/media/taler.png Binary files differ. diff --git a/presentations/comprehensive/white.png b/presentations/comprehensive/white.png Binary files differ.