commit 310b8871d453281e3fd1f634624e44198e9d0a5a
parent d262d9cf1f563cc5e1604d25b226ea0364c53309
Author: Christian Grothoff <grothoff@gnunet.org>
Date: Tue, 18 Nov 2025 17:06:20 +0100
restructure includes
Diffstat:
1 file changed, 4 insertions(+), 1721 deletions(-)
diff --git a/presentations/comprehensive/main.tex b/presentations/comprehensive/main.tex
@@ -1164,828 +1164,10 @@ positives in fraud detection
\end{frame}
+\input protocol-basics.tex
-\section{Protocol Basics}
-
-\begin{frame}
- \vfill
- \begin{center}
- {\bf Protocol Basics}
- \end{center}
- \vfill
-\end{frame}
-
-\begin{frame}[plain]
- \begin{tikzpicture}[remember picture,overlay]
- \node[anchor=south west, inner sep=0pt] at (current page.south west) {%
- \movie[height = \paperheight, width = \paperwidth, poster, showcontrols] {BFH Bachelor's thesis video}{cs-movie.mp4}%
- };
- \end{tikzpicture}
-\end{frame}
-
-\begin{frame}{How does it work?}
-We use a few ancient constructions:
- \begin{itemize}
- \item Cryptographic hash function (1989)
- \item Blind signature (1983)
- \item Schnorr signature (1989)
- \item \sout{Diffie-Hellman key exchange (1976)} Deterministic signatures (1977) % 1977: RSA, 2008: EdDSA
- \item Cut-and-choose zero-knowledge proof (1985)
- \end{itemize}
-But of course we use modern instantiations.
-\end{frame}
-
-
-\begin{frame}{Definition: Taxability}
- We say Taler is taxable because:
- \begin{itemize}
- \item Merchant's income is visible from deposits.
- \item Hash of contract is part of deposit data.
- \item State can trace income and enforce taxation.
- \end{itemize}\pause
- Limitations:
- \begin{itemize}
- \item withdraw loophole
- \item {\em sharing} coins among family and friends
- \end{itemize}
-\end{frame}
-
-
-\begin{frame}{Exchange setup: Create a denomination key (RSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Generate random primes $p,q$.
- \item Compute $n := pq$, $\phi(n) = (p-1)(q-1)$
- \item Pick small $e < \phi(n)$ such that
- $d := e^{-1} \mod \phi(n)$ exists.
- \item Publish public key $(e,n)$.
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance=1em and 1em, inner sep=0em, outer sep=.3em];
- \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (primes) [draw=none, below = of origin] at (0,0) {$(p, q)$};
- \node (seal) [def, draw=none, below left=of primes]{\includegraphics[width=0.15\textwidth]{seal.pdf}};
- \node (hammer) [def, draw=none, below right=of primes]{\includegraphics[width=0.15\textwidth]{hammer.pdf}};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (primes) -- (origin) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (hammer) -- (primes) node [midway, above, sloped] (TextNode) {};
- \end{tikzpicture}
-% \includegraphics[width=0.4\textwidth]{seal.pdf}
- \end{minipage}
-\end{frame}
-
-
-\begin{frame}{Merchant: Create a signing key (EdDSA)}
- \begin{minipage}{6cm}
- \begin{itemize}
- \item Generate random number $m \mod o$ as private key
- \item Compute public key $M := mG$
- \end{itemize}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
- \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (m) [draw=none, below = of origin] at (0,0) {$m$};
- \node (seal) [draw=none, below=of m]{M};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (m) -- (origin) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {};
- \end{tikzpicture}
- \end{minipage}
- \parbox[t]{3cm}{{\bf Capability:} $m \Rightarrow$ }
- \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{merchant-sign.pdf}}
-\end{frame}
-
-
-\begin{frame}{Customer: Create a planchet (EdDSA)}
- \begin{minipage}{8cm}
- \begin{itemize}
- \item Generate random number $c \mod o$ as private key
- \item Compute public key $C := cG$
- \end{itemize}
- \end{minipage}
- \begin{minipage}{4cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
- \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (c) [draw=none, below = of origin] at (0,0) {$c$};
- \node (planchet) [draw=none, below=of c]{\includegraphics[width=0.4\textwidth]{planchet.pdf}};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (c) -- (origin) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (planchet) -- (c) node [midway, above, sloped] (TextNode) {};
- \end{tikzpicture}
- \end{minipage}
- \parbox[t]{3cm}{{\bf Capability:} $c \Rightarrow$ }
- \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{planchet-sign.pdf}}
-\end{frame}
-
-
-\begin{frame}{Customer: Blind planchet (RSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Obtain public key $(e,n)$
- \item Compute $f := FDH(C)$, $f < n$.
- \item Generate random blinding factor $b \in \mathbb Z_n$
- \item Transmit $f' := f b^e \mod n$
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (b) [def, draw=none, below = of origin] at (0,-0.2) {$b$};
- \node (blinded) [def, draw=none, below right=of b]{\includegraphics[width=0.2\textwidth]{blinded.pdf}};
- \node (planchet) [def, draw=none, above right=of blinded]{\includegraphics[width=0.15\textwidth]{planchet.pdf}};
- \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
-\end{frame}
-
-
-\begin{frame}{Exchange: Blind sign (RSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Receive $f'$.
- \item Compute $s' := f'^d \mod n$.
- \item Send signature $s'$.
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}};
- \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
- \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
-\end{frame}
-
-
-\begin{frame}{Customer: Unblind coin (RSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Receive $s'$.
- \item Compute $s := s' b^{-1} \mod n$ % \\
- % ($(f')^d = (f b^e)^d = f^d b$).
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (b) [def, draw=none] at (0,0) {$b$};
- \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
- \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
- \end{tikzpicture}
- \end{minipage}
-\end{frame}
-
-\begin{frame}{Withdrawing coins on the Web}
- \begin{center}
- \includegraphics[height=0.9\textheight]{figs/taler-withdraw.pdf}
- \end{center}
-\end{frame}
-
-
-\begin{frame}{Customer: Build shopping cart}
- \begin{center}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
- \node (origin) [draw=none] at (0,0) {\includegraphics[width=0.1\textwidth]{cart.pdf}};
- \node (merchant) [node distance=4em and 0.5em, draw, below =of origin]{\includegraphics[width=0.1\textwidth]{shop.pdf}};
- \tikzstyle{C} = [color=black, line width=1pt];
- \draw [<-, C] (merchant) -- (origin) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{center}
-\end{frame}
-
-
-\begin{frame}{Merchant Integration: Contract}
- % \begin{figure*}[t!]
- {\tiny
- \lstset{language=JavaScript}
- \lstinputlisting{figs/taler-contract.json}
-% \caption{Minimal Taler contract over a digital article with a value of \EUR{0.10}. The merchant will pay transaction fees up to \EUR{0.01}. The hash over the wire transfer information was truncated to make it fit to the page.}
-% \label{listing:json-contract}
- % \end{figure*}
- }
-\end{frame}
-
-
-\begin{frame}{Merchant Integration: Payment Request}
-% \begin{figure}[p!]
- \lstset{language=HTML5}
- \lstinputlisting{figs/taler-402.html}
-% \caption{Sample HTTP response to prompt the wallet to show an offer.}
-% \label{listing:http-contract}
-% \end{figure}
-
-% \begin{figure*}[p!]
-% \lstset{language=HTML5}
-% \lstinputlisting{figs/taler-contract.html}
-% \caption{Sample JavaScript code to prompt the wallet to show an offer.
-% Here, the contract is fetched on-demand from the server.
-% The {\tt taler\_pay()} function needs to be invoked
-% when the user triggers the checkout.}
-% \label{listing:contract}
-% \end{figure*}
-\end{frame}
-
-
-
-\begin{frame}{Merchant: Propose contract (EdDSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Complete proposal $D$.
- \item Send $D$, $EdDSA_m(D)$
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (cart) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{cart.pdf}};
- \node (proposal) [def, draw=none, below right=of cart]{\includegraphics[width=0.3\textwidth]{merchant_propose.pdf}};
- \node (customer) [node distance=4em and 0.5em, draw, below =of proposal]{Customer};
- \tikzstyle{C} = [color=black, line width=1pt];
- \node (sign) [def, draw=none, above right=of proposal] {$m$};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (proposal) -- (sign) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (proposal) -- (cart) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (customer) -- (proposal) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
-\end{frame}
-
-
-\begin{frame}{Customer: Spend coin (EdDSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Receive proposal $D$, $EdDSA_m(D)$.
- \item Send $s$, $C$, $EdDSA_c(D)$
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance=1.5em and 0.4em, inner sep=0em, outer sep=.3em];
- \node (proposal) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}};
- \node (contract) [def, draw=none, below right=of cart]{\includegraphics[width=0.3\textwidth]{contract.pdf}};
- \node (c) [def, draw=none, above=of contract] {$c$};
- \node (merchant) [node distance=4em and 0.5em, draw, below=of contract]{Merchant};
- \node (coin) [def, draw=none, right=of contract]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (contract) -- (proposal) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (merchant) -- (contract) node [midway, above, sloped] (TextNode) {{\small transmit}};
- \draw [<-, C] (merchant) -- (coin) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
-\end{frame}
-
-
-\begin{frame}{Merchant and Exchange: Verify coin (RSA)}
- \begin{minipage}{6cm}
- \begin{equation*}
- s^e \stackrel{?}{\equiv} FDH(C) \mod n
- \end{equation*}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{minipage}{0.2\textwidth}
- \includegraphics[width=\textwidth]{coin.pdf}
- \end{minipage}
- $\stackrel{?}{\Leftrightarrow}$
- \begin{minipage}{0.2\textwidth}
- \includegraphics[width=\textwidth]{seal.pdf}
- \end{minipage}
- \end{minipage}
- \vfill
- The exchange does not only verify the signature, but also
- checks that the coin was not double-spent.
- \vfill
- \pause
- \begin{center}
- {\bf Taler is an online payment system.}
- \end{center}
- \vfill
-\end{frame}
-
-
-\begin{frame}{Payment processing with Taler}
- \begin{center}
- \includegraphics[height=0.9\textheight]{figs/taler-pay.pdf}
- \end{center}
-\end{frame}
-
-
-\begin{frame}{Giving change}
- It would be inefficient to pay EUR 100 with 1 cent coins!
- \begin{itemize}
- \item Denomination key represents value of a coin.
- \item Exchange may offer various denominations for coins.
- \item Wallet may not have exact change!
- \item Usability requires ability to pay given sufficient total funds.
- \end{itemize}\pause
- Key goals:
- \begin{itemize}
- \item maintain unlinkability
- \item maintain taxability of transactions
- \end{itemize}\pause
- Method:
- \begin{itemize}
- \item Contract can specify to only pay {\em partial value} of a coin.
- \item Exchange allows wallet to obtain {\em unlinkable change}
- for remaining coin value.
- \end{itemize}
-\end{frame}
-
-
-\begin{frame}{Deterministic Signatures}
- \vfill
- \begin{minipage}{8cm}
- \begin{itemize}
- \item Some public key operations depend on a nonce or ``random'' value
- \begin{itemize}
- \item Example: ElGamal (encryption), DSA/ECDSA (signing)
- \item[+] same plaintext, different ciphertext
- \item[-] security may break on nonce-reuse
- \end{itemize}
- \item Generating the nonce deterministically by hashing all inputs
- (see also: Fiat-Shamir transformation) can make these algorithms
- {\bf deterministic}
- \begin{itemize}
- \item Example: EdDSA
- \end{itemize}
- \end{itemize}
- \end{minipage}
- \begin{minipage}{5cm}
- Deterministic signatures:
- \begin{center}
- \includegraphics[width=0.6\textwidth]{ecollect.jpeg}
-
- $=$
-
- \includegraphics[width=0.6\textwidth]{detsig.pdf}
- \end{center}
- \end{minipage}
- \vfill
- \note[item]{Before we can introduce the change protocol, we need to consider that
- not all cryptographic signatures are deterministic.}
- \note[item]{Following modern approach to e-collecting, we will use the image on
- the right to illustrate {\bf deterministic} signatures.}
- \note[item]{Replacing random inputs or nonces with hashes is a common trick to
- make signature algorithms deterministic.}
-\end{frame}
-
-\begin{frame}{Strawman solution}
- \begin{minipage}{8cm}
- Given partially spent private coin key $c_{old}$:
- \begin{enumerate}
-% \item Let $C_{old} := c_{old}G$ (as before)
- \item Generate random $c_{new} \mod o$ as private key
- \item Compute public key $C_{new} = c_{new}G$
- \item Generate random $b_{new}$
- \item Compute $f_{new} := FDH(C_{new})$, $m < n$.
- \item Transmit $f'_{new} := f_{new} b_{new}^e \mod n$
- \end{enumerate}
- ... and sign request for change with $c_{old}$.
- \end{minipage}
- \begin{minipage}{4cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (blinded) [def, draw=none]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (planchet) [def, draw=none, above left= of blinded] {\includegraphics[width=0.15\textwidth]{planchet.pdf}};
- \node (cnew) [def, draw=none, above= of planchet] {$c_{new}$};
- \node (bnew) [def, draw=none, above right= of blinded] {$b_{new}$};
- \node (dice1) [def, draw=none, above = of cnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (dice2) [def, draw=none, above = of bnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (cnew) -- (dice1) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (planchet) -- (cnew) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bnew) -- (dice2) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bnew) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
-\end{frame}
-
-
-\begin{frame}{Problem}
-\vfill
-\begin{center}
- Owner of $c_{new}$ may differ from owner of $c_{old}$!
-\end{center}
-\vfill
-\end{frame}
-
-
-\begin{frame}{Customer: Transfer setup (DETSIG)}
- \begin{minipage}{10cm}
- Given partially spent private coin key $c_{old}$:
- \begin{enumerate}
- \item Let $C_{old} := c_{old}G$ (as before)
- \item Create random nonce $t$
- \item Compute deterministic signature $X := DETSIG_{c_{old}}(t)$
- \item Derive $c_{new}$ and $b_{new}$ from $X$ using HKDF
- \item Compute $C_{new} := c_{new}G$
- \item Compute $f_{new} := FDH(C_{new})$
- \item Transmit $f_{new}' := f_{new} b_{new}^e$
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{3cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (t) [def, draw=none] at (0,0) {$t$};
- \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (X) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf}};
- \node (d) [def, draw=none, above left= of X] {$c_{old}$};
- \node (cp) [def, draw=none, below left= of X] {$c_{new}$};
- \node (bp) [def, draw=none, below right= of X] {$b_{new}$};
- \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (exchange) [def, draw, below =of blinded]{Exchange};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (X) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (X) -- (t) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (X) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (X) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
- \note[item]{In this construction, we {\em derive} the blinding factor $b_{new}$ and
- the private key of the new coin $c_{new}$ from the DH of the $c_{old}$ and a newly
- created transfer key $t$. Note that it is a bit unusual but perfectly find that
- we here have {\bf both} private keys to compute the DH.}
- \note[item]{The resulting blinded public key of the new coin
- (public key derivation and blinding are elided to keep the diagram concise) is
- then signed with $c_{old}$ to request change.}
- \note[item]{This approach has an obvious problem: from the perspective of the
- Exchange, we cannot even tell that the user followed this procedure as the
- resulting request with the blinded coin is indistinguishable from the previous
- construction.}
-\end{frame}
-
-
-\begin{frame}{Cut-and-Choose}
- \begin{minipage}{3cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (t) [def, draw=none] at (0,0) {$t_1$};
- \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_1$)};
- \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$};
- \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (exchange) [def, draw, below =of blinded]{Exchange};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
- \hfill
- \begin{minipage}{3cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (t) [def, draw=none] at (0,0) {$t_2$};
- \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_2$)};
- \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,2}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,2}$};
- \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (exchange) [def, draw, below =of blinded]{Exchange};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
- \hfill
- \begin{minipage}{3cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (t) [def, draw=none] at (0,0) {$t_3$};
- \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_3$)};
- \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$};
- \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (exchange) [def, draw, below =of blinded]{Exchange};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
- \note[item]{This DH-construction thus obviously does not work, so in the usual
- approach of an insane person, we don't just do it once, but three times
- using three different transfer keys $t_1$, $t_2$, and $t_3$ instead of just $t$.}
- \note[item]{Now, before you decide that we have just gone mad, this is actually
- a well-known technique called {\bf cut-and-choose}. Here, we do a protocol
- step multiple times to basically be able to {\bf burn} some of these iterations
- to {\bf prove} our honesty.}
- \note[item]{There are also {\bf non-interactive} cut-and-choose protocols, but
- this one is a simple interactive one.}
-\end{frame}
-
-
-\begin{frame}{Exchange: Choose!}
- \begin{center}
- \item Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the customer.
- \end{center}
-\end{frame}
-
-
-\begin{frame}{Customer: Reveal}
- \vfill
- \begin{enumerate}
- \item If $\gamma = 1$, send $\langle t_2, X_2 \rangle$, $\langle t_3, X_3 \rangle$ to exchange
- \item If $\gamma = 2$, send $\langle t_1, X_1 \rangle$, $\langle t_3, X_3 \rangle$ to exchange
- \item If $\gamma = 3$, send $\langle t_1, X_1 \rangle$, $\langle t_2, X_2 \rangle$ to exchange
- \end{enumerate}
- \vfill
- \note[item]{So given the $\gamma$ challenge value, the wallet
- has to send back the $t_i$ values for $i\not=\gamma$.}
-\end{frame}
-
-
-\begin{frame}{Exchange: Verify ($\gamma = 2$)}
- \begin{minipage}{3cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (h) [def, draw=none] at (0,0) {$t_1$};
- \node (dh) [def, draw=none, below left=of h]{\includegraphics[width=0.2\textwidth]{detverify.pdf}};
- \node (d) [def, draw=none, above left= of dh] {$C_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$};
- \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \end{tikzpicture}
- \end{minipage}
- \hfill
- \begin{minipage}{3cm}
- \
- \end{minipage}
- \hfill
- \begin{minipage}{3cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (h) [def, draw=none] at (0,0) {$t_3$};
- \node (dh) [def, draw=none, below left=of h]{\includegraphics[width=0.2\textwidth]{detverify.pdf}};
- \node (d) [def, draw=none, above left= of dh] {$C_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$};
- \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \end{tikzpicture}
- \end{minipage}
- \note[item]{Given those two values the exchange can {\bf validate} the
- construction as it can compute the DH from the {\bf transfer private keys} $t_i$
- and the {\bf coin public key} $C_{old}$.}
- \note[item]{If the result matches with the original request from the wallet,
- the exchange has established that with $\frac{2}{3}$ probability the wallet
- made an honest request for change following the prescribed construction.}
- \note[item]{If the wallet is unable (or unwilling) to produce the required
- $t_i$ values, or if the resulting blinded values do not match, the entire
- change is forfeit, and the customer looses their money.}
- \note[item]{Thus, trying to cheat on income-transparency is punished with
- what amounts to a {\bf 66.67\% tax}. Thus, a security level of $\kappa$
- is sufficient as long as the {\em effective} income tax (after deductions,
- on the full income) is below $\frac{\kappa - 1}{\kappa}$.
- Taler always uses $\kappa=3$.}
-\end{frame}
-
-
-\begin{frame}{Exchange: Blind sign change (RSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Take $f_{new,\gamma}'$.
- \item Compute $s' := f_{new,\gamma}'^d \mod n$.
- \item Send signature $s'$.
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}};
- \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
- \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
-\end{frame}
-
-
-\begin{frame}{Customer: Unblind change (RSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Receive $s'$.
- \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$.
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$};
- \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
- \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
- \end{tikzpicture}
- \end{minipage}
-\end{frame}
-
-
-\begin{frame}{Exchange: Allow linking change}
- \begin{minipage}{5cm}
- \begin{center}
- Given $C_{old}$
-
- \vspace{1cm}
-
- return $t_\gamma$ and
- \begin{equation*}
- s := s' b_{new,\gamma}^{-1} \mod n.
- \end{equation*}
- \end{center}
- \end{minipage}
- \begin{minipage}{5cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer sep=.3em];
- \node (co) [def, draw=none] at (0,0) {$C_{old}$};
- \node (T) [def, draw=none, below left=of co]{$t_\gamma$};
- \node (sign) [def, draw=none, below right=of co]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
- \node (customer) [def, draw, below right=of T] {Customer};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode) {link};
- \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode) {link};
- \end{tikzpicture}
- \end{minipage}
- \note[item]{But, how does this address the issue that $c_{old}$ may have a different
- owner from $c_{new,\gamma}$? Well, so far it does not! In principle, the envelope can
- easily be constructed by someone who was not the original owner of $c_{old}$.}
- \note[item]{So how does this help? Well, the exchange has one more sub-protocol,
- which is the {\bf link} protocol. Given the old coin's public key, $C_{old}$,
- it returns $t_\gamma$, the {\bf public transfer key}, and the blind signature
- over the new coin that was rendered as change.}
- \note[item]{Note that this is a request that the owner of $c_{old}$ can always
- trivially make, as they know $C_{old}$.}
- \note[item]{So how does that help?}
-\end{frame}
-
-
-\begin{frame}{Customer: Link (threat!)}
- \begin{minipage}{6.5cm}
- \begin{enumerate}
- \item Have $c_{old}$.
- \item Obtain $T_\gamma$, $s$ from exchange
- \item Compute $X_\gamma = DETSIG_{c_{old}}(t_\gamma)$
- \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$
- \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6.5cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 0.75em and 1em, inner sep=0em, outer sep=.3em];
- \node (T) [def, draw=none] at (0,0) {$t_\gamma$};
- \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange};
- \node (signed) [def, draw=none, below left=of T]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
- \node (dh) [def, draw=none, below right=of T]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_\gamma$)};
- \node (bp) [def, draw=none, below left= of dh] {$b_{new,\gamma}$};
- \node (co) [def, draw=none, above right= of dh] {$c_{old}$};
- \node (cp) [def, draw=none, below right= of dh] {$c_{new,\gamma}$};
- \node (coin) [def, draw=none, below left = of bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
- \node (psign) [def, node distance=1.5em and 0em, draw=none, below = of cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode) {link};
- \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped] (TextNode) {link};
- \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped] (TextNode) {};
- \end{tikzpicture}
- \end{minipage}
- \note[item]{Well, given these two values, the owner of the original $c_{old}$ can
- {\bf again} compute the DETSIG (from $c_{old}$ and $t_\gamma$), and then
- also derive $c_{new,\gamma}$ and also unblind the exchange's signature using $b_{new,\gamma}$.}
- \note[item]{As a result, the owner of the old coin can always compute the change,
- and thus is effectively {\bf also} always an owner of the change rendered!}
- \note[item]{Thus, we have {\bf reduced} the possibility of abusing the change
- protocol for a transaction that would result in a {\bf mutually exclusive transfer
- of ownership} to the case where the ownership of the change is {\bf shared}.}
- \note[item]{But, we previously explained that {\bf sharing} is not something we can
- or would care to prevent, so the change protocol does not weaken income transparency.}
-\end{frame}
-
-
-\begin{frame}{Refresh protocol summary}
- \begin{itemize}
- \item Customer asks exchange to convert old coin to new coin
- \item Protocol ensures new coins can be recovered from old coin
- \item[$\Rightarrow$] New coins are owned by the same entity!
- \end{itemize}
- Thus, the refresh protocol allows:
- \begin{itemize}
- \item To give unlinkable change.
- \item To give refunds to an anonymous customer.
- \item To expire old keys and migrate coins to new ones.
- \item To handle protocol aborts.
- \end{itemize}
- \noindent
- \begin{center}
- \bf
- Transactions via refresh are equivalent to {\em sharing} a wallet.
-\end{center}
-\end{frame}
-
+\input refresh.tex
\section{Attacks \& Defenses}
@@ -2255,908 +1437,9 @@ General notions:
\end{frame}
+\input offline.tex
-
-\section{Offline payments}
-
-\begin{frame}
- \vfill
- \begin{center}
- {\bf Offline payments}
- \end{center}
- \vfill
-\end{frame}
-
-
-\begin{frame}{Requirements: Online vs. Offline Digital Currencies}
-\framesubtitle{\url{https://taler.net/papers/euro-bearer-online-2021.pdf}}
-\begin{itemize}
- \item Offline capabilities are sometimes cited as a requirement for digital payment solutions
- \item All implementations must either use restrictive hardware elements and/or introduce
- counterparty risk.
- \item[$\Rightarrow$] Permanent offline features weaken a digital payment solution (privacy, security)
- \item[$\Rightarrow$] Introduces unwarranted competition for physical cash (endangers emergency-preparedness).
- \end{itemize}
- We recommend a tiered approach:
- \begin{enumerate}
- \item Online-first, bearer-based digital currency with Taler
- \item (Optional:) Limited offline mode for network outages
- \item Physical cash for emergencies (power outage, catastrophic cyber incidents)
- \end{enumerate}
-\end{frame}
-
-
-\begin{frame}{Fully Offline Payments}
-\framesubtitle{\url{https://docs.taler.net/design-documents/030-offline-payments.html}}
-Many central banks today demand offline capabilities for digital payment solutions.
-\vfill
-\noindent
-Three possible approaches:
-\begin{enumerate}
- \item Trust-based offline payments (has counterparty and/or privacy risks)
- \item Full HSM Taler wallet (has hardware costs)
- \item Light-weight HSM balance register
-\end{enumerate}
-\vfill
-\end{frame}
-
-
-\begin{frame}{A Scenario}
-{God is offline, but customer pays online}
-\begin{center}
- \includegraphics[height=0.4\textwidth]{shrine.jpg}
-\end{center}
-\end{frame}
-
-\begin{frame}{Typical Payment Process}{All equivalent: Twint, PayPal, AliPay, PayTM}
-\begin{center}
- \movie[%scale=0.6,
- autostart,
- poster]
- {
- \includegraphics[height=0.3\textwidth,width=0.4\textwidth]{white.png}
- }
- {twint.mkv}
-
- {\tiny (C) Twint, 2023}
-\end{center}
-\end{frame}
-
-
-\begin{frame}{Secure Payment ...}{Everything green?}
-\begin{center}
- \includegraphics[height=0.3\textwidth]{paymentTwint-screen_25.png}
-\end{center}
-\end{frame}
-
-\begin{frame}{Exploit ``Code''}{Programming optional}
-\begin{center}
- \includegraphics[height=0.3\textwidth]{paymentTwint-screen.png}
-\end{center}
-\end{frame}
-
-\begin{frame}{``Customers'' {\em love} Twint ...}{Daily non-business for shops}
-\begin{center}
- \includegraphics[height=0.3\textwidth]{paymentTwint-screen_50.png}
-\end{center}
-\end{frame}
-
-
-\begin{frame}{Partially Offline Payments with GNU Taler\footnote{Joint work with Emmanuel Benoist, Priscilla Huang and Sebastian Marchano}}
-
-\begin{center}
-\resizebox{8cm}{6cm}{
-\begin{sequencediagram}
- \newinst{pos}{\shortstack{PoS \\
- \\ \begin{tikzpicture}
- \node [fill=gray!20,draw=black,thick ,align=center] {PoS key \\ PoS ID};
- \end{tikzpicture}
- }}
- \newinst[2]{customer}{\shortstack{Customer \\
- \\ \begin{tikzpicture}
- \node [fill=gray!20,draw=black,thick ,align=center] {Digital \\ Wallet};
- \end{tikzpicture}
- }}
- \newinst[2]{backend}{\shortstack{Merchant Backend \\
- \\ \begin{tikzpicture}[shape aspect=.5]
- \tikzset{every node/.style={cylinder, shape border rotate=90, draw,fill=gray!25}}
- \node at (1.5,0) {\shortstack{{\tiny PoS key} \\ {\tiny PoS ID}}};
- \end{tikzpicture}
- }}
- \postlevel
- \mess[0]{pos}{PoS ID}{customer}
- \begin{sdblock}{optional}{}
- \begin{callself}{customer}{Amount}{}
- \end{callself}
- \end{sdblock}
- \prelevel
- \prelevel
- \prelevel
- \prelevel
- \prelevel
- \begin{sdblock}{optional}{}
- \begin{callself}{pos}{Amount}{}
- \end{callself}
- \end{sdblock}
- \postlevel
- \mess[0]{customer}{PoS ID, [Amount]?}{backend}
- \mess[0]{backend}{Contract}{customer}
- \postlevel
- \mess[0]{customer}{Payment}{backend}
- \begin{callself}{pos}{OTP(PoS key)}{}
- \end{callself}
- \prelevel
- \prelevel
- \begin{callself}{backend}{OTP(PoS key)}{}
- \end{callself}
- \mess[0]{backend}{OTP code}{customer}
- \postlevel
- \mess[0]{customer}{OTP code}{pos}
-\end{sequencediagram}
-}
-\end{center}
-\end{frame}
-
-
-
-\section{Programmable money: Age restrictions}
-
-\begin{frame}
- \vfill
- \begin{center}
- {\bf Programmable money: Age restrictions}
- \end{center}
- \vfill
-\end{frame}
-
-
-\begin{frame}{Age restriction in E-commerce}
-
- \begin{description}
- \item[Problem:]~\\[1em]
- Verification of minimum age requirements in e-commerce.\\[2em]
-
- \item[Common solutions:]
-
-\begin{tabular}{l<{\onslide<2->}c<{\onslide<3->}cr<{\onslide}}
- & \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount]
- 1. ID Verification & bad & required & \\[\medskipamount]
- 2. Restricted Accounts & bad & required & \\[\medskipamount]
- 3. Attribute-based & good & required &\tikzmark{bottomau} \\[\medskipamount]
-\end{tabular}
- \end{description}
-
-\uncover<4->{
- \begin{tikzpicture}[overlay,remember picture]
- \draw[orange,thick,rounded corners]
- ($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$);
- \end{tikzpicture}
- \begin{center}
- \bf Principle of Subsidiarity is violated
- \end{center}
-}
-\end{frame}
-
-
-\begin{frame}{Principle of Subsidiarity}
-\begin{center} \Large
- Functions of government---such as granting and restricting
- rights---should be performed\\
- {\it at the lowest level of authority possible},\\
- as long as they can be performed {\it adequately}.
-\end{center}
-\vfill
-\uncover<2->{
- For age-restriction, the lowest level of authority is:\\
- \begin{center}\Large
- Parents, guardians and caretakers
- \end{center}
-}
-\end{frame}
-
-
-\begin{frame}{Age restriction design for GNU Taler}
-Design and implementation of an age restriction scheme\\
-with the following goals:
-
-\begin{enumerate}
-\item It ties age restriction to the \textbf{ability to pay} (not to ID's)
-\item maintains \textbf{anonymity of buyers}
-\item maintains \textbf{unlinkability of transactions}
-\item aligns with \textbf{principle of subsidiartiy}
-\item is \textbf{practical and efficient}
-\end{enumerate}
-
-\end{frame}
-
-
-\begin{frame}{Age restriction}
- \framesubtitle{Assumptions and scenario}
-
- \begin{columns}
- \column{7.5cm}
- \begin{itemize}
- \item<1-> Assumption: Checking accounts are under control of eligible adults/guardians.
- \item<2-> \textit{Guardians} \textbf{commit} to an maximum age
- \item<3-> \textit{Minors} \textbf{attest} their adequate age
- \item<4-> \textit{Merchants} \textbf{verify} the attestations
- \item<5-> Minors \textbf{derive} age commitments from existing ones
- \item<6-> \textit{Exchanges} \textbf{compare} the derived age commitments
- \end{itemize}
- \column{5cm}
- \uncover<7->
- {
- \begin{center}
- \fontsize{7pt}{7pt}\selectfont
- \begin{tikzpicture}[scale=.5]
- \node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
- \node[circle,minimum size=15pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
- \node[circle,minimum size=15pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$};
- \node[circle,minimum size=15pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$};
-
- \draw[->] (Guardian) to [out=50,in=130, loop] node[above]
- {$\Commit$} (Guardian);
- \draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left]
- {\blue{$\Attest$}} (Client);
- \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
- {\blue{$\Verify$}} (Merchant);
- \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below]
- {\orange{$\Derive$}} (Client);
- \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
- {\orange{$\Compare$}} (Exchange);
-
- \draw[orange,|->] (Client) to node[sloped,above,align=left]
- {\orange{\scriptsize }} (Exchange);
- \draw[blue,|->] (Client) to node[sloped, above]
- {\blue{\scriptsize }} (Merchant);
- \draw[,|->] (Guardian) to node[above,sloped,align=left]
- {{\scriptsize }} (Client);
- \end{tikzpicture}
- \end{center}
- }
- \end{columns}
- \vfill
- \uncover<7->{Note: Scheme is independent of payment service protocol.}
-\end{frame}
-
-
-\begin{frame}{Formal Function Signatures}
-\small
-Searching for functions \uncover<2->{with the following signatures}
-\begin{align*}
- &\bf \Commit\uncover<2->{:
- &(\age, \omega) &\mapsto (\commitment, \pruf)
- &\scriptstyle \N_\Age \times \Omega &\scriptstyle \to \Commitments\times\Proofs,
- }
- \\
- &\bf \Attest\uncover<3->{:
- &(\minage, \commitment, \pruf) &\mapsto \attest
- &\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\},
- }
- \\
- &\bf \Verify\uncover<4->{:
- &(\minage, \commitment, \attest) &\mapsto b
- &\scriptstyle \N_\Age\times\Commitments\times\Attests &\scriptstyle \to \Z_2,
- }
- \\
- &\bf \Derive\uncover<5->{:
- &(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf', \blinding)
- &\scriptstyle \Commitments\times\Proofs\times\Omega &\scriptstyle \to \Commitments\times\Proofs\times\Blindings,
- }
- \\
- &\bf \Compare\uncover<6->{:
- &(\commitment, \commitment', \blinding) &\mapsto b
- &\scriptstyle \Commitments\times\Commitments\times\Blindings &\scriptstyle \to \Z_2,
- }
-\end{align*}
- \uncover<7->{
- with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$
- sufficiently large sets.\\[1em]
- Basic and security requirements are defined later.\\[2em]
- }
-
- \scriptsize
- \uncover<2->{
- Mnemonics:\\
- $\Commitments=$ \textit{c$\Commitments$mmitments},
- $\commitment=$ \textit{Q-mitment} (commitment),
- $\Proofs=$ \textit{$\Proofs$roofs},
- }
- \uncover<3->{
- $\pruf=$ \textit{$\pruf$roof},\\
- $\Attests=$ \textit{a$\Attests$testations},
- $\attest=$ \textit{a$\attest$testation},
- }
- \uncover<5->{
- $\Blindings=$ \textit{$\Blindings$lindings},
- $\blinding=$ \textit{$\blinding$linding}.
- }
-\end{frame}
-
-\begin{frame}{Age restriction}
- \framesubtitle{Naïve scheme}
- \begin{center}
- \begin{tikzpicture}[scale=.85]
- \node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
- \node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
- \node[circle,minimum size=20pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$};
- \node[circle,minimum size=20pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$};
-
- \draw[->] (Guardian) to [out=50,in=130, loop] node[above]
- {$\Commit$} (Guardian);
- \draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left]
- {\blue{$\Attest$}} (Client);
- \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
- {\blue{$\Verify$}} (Merchant);
- \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below]
- {\orange{$\Derive$}} (Client);
- \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
- {\orange{$\Compare$}} (Exchange);
-
- \draw[orange,|->] (Client) to node[sloped,above,align=left]
- {\orange{\scriptsize }} (Exchange);
- \draw[blue,|->] (Client) to node[sloped, above]
- {\blue{\scriptsize }} (Merchant);
- \draw[,|->] (Guardian) to node[above,sloped,align=left]
- {{\scriptsize }} (Client);
- \end{tikzpicture}
- \end{center}
-\end{frame}
-
-\begin{frame}{Achieving Unlinkability}
- \begin{columns}
- \column{3cm}
- \begin{center}
- \fontsize{8pt}{9pt}\selectfont
- \begin{tikzpicture}[scale=.65]
- \node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
- \node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
-
- \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below]
- {\orange{$\footnotesize \Derive()$}} (Client);
- \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
- {\orange{$\footnotesize \Compare()$}} (Exchange);
-
- \draw[orange,|->] (Client) to node[sloped,above,align=left]
- {\orange{\tiny \uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange);
- \end{tikzpicture}
- \end{center}
-
- \column{9cm}
- Simple use of $\Derive()$ and $\Compare()$ is problematic.
-
- \begin{itemize}
- \item<2-> Calling $\Derive()$ iteratively generates sequence
- $(\commitment_0, \commitment_1, \dots)$ of commitments.
- \item<2-> Exchange calls $\Compare(\commitment_i, \commitment_{i+1}, .)$
- \item[$\implies$]\uncover<3->{\bf Exchange identifies sequence}
- \item[$\implies$]\uncover<3->{\bf Unlinkability broken}
- \end{itemize}
- \end{columns}
-\end{frame}
-
-\begin{frame}{Achieving Unlinkability}
- Define cut\&choose protocol \orange{$\DeriveCompare$},
- using $\Derive()$ and $\Compare()$.\\[0.5em]
- \uncover<2->{
- Sketch:
- \small
- \begin{enumerate}
- \item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$
- from $\commitment_0$ \\
- by calling $\Derive()$ with blindings $(\beta_1,\dots,\beta_\kappa)$
- \item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$
- \item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$
- \item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly
- \item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$
- \item $\Exchange$ compares $h_0$ and
- $H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\
- and evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$.
- \end{enumerate}
- \vfill
- Note: Scheme is similar to the {\it refresh} protocol in GNU Taler.
- }
-\end{frame}
-
-\begin{frame}{Achieving Unlinkability}
- With \orange{$\DeriveCompare$}
- \begin{itemize}
- \item $\Exchange$ learns nothing about $\commitment_\gamma$,
- \item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty,
- \item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat.
- \end{itemize}
- \vfill
- Note: Still need Derive and Compare to be defined.
-\end{frame}
-
-\begin{frame}{Refined scheme}
-
- \begin{tikzpicture}[scale=.8]
- \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
- \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
- \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$};
- \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$};
-
- \draw[orange,<->] (Client) to node[sloped,below,align=center]
- {\orange{$\DeriveCompare$}} (Exchange);
- \draw[blue,->] (Client) to node[sloped, below]
- {\blue{$(\attest_\minage, \commitment)$}} (Merchant);
-
- \draw[->] (Guardian) to [out=150,in=70, loop] node[above]
- {$\Commit(\age)$} (Guardian);
- \draw[->] (Guardian) to node[below,sloped]
- {($\commitment$, $\pruf_\age$)} (Client);
- \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below]
- {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
- \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
- {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
- \end{tikzpicture}
-\end{frame}
-
- \begin{frame}{Achieving Unlinkability}
- \scriptsize
- $\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\
- \vfill
- $\DeriveCompare(\commitment, \pruf, \omega) =$
- \begin{itemize}
- \it
- \itemsep0.5em
- \item[$\Child$:]
- \begin{enumerate}
- \scriptsize
- \itemsep0.3em
- \item for all $i \in \{1,\dots,\kappa\}:
- (\commitment_i,\pruf_i,\beta_i) \leftarrow \Derive(\commitment, \pruf, \omega + i)$
- \item $h \leftarrow \Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa) \big)$
- \item send $(\commitment, h)$ to $\Exchange$
- \end{enumerate}
- \item[$\Exchange$:]
- \begin{enumerate}
- \setcounter{enumi}{3}
- \scriptsize
- \itemsep0.3em
- \item save $(\commitment, h)$ \label{st:hash}
- \item $\gamma \drawfrom \{1,\dots ,\kappa\}$
- \item send $\gamma$ to $\Child$
- \end{enumerate}
- \item[$\Child$:]
- \begin{enumerate}
- \setcounter{enumi}{6}
-
- \scriptsize
- \itemsep0.3em
- \item $h'_\gamma \leftarrow \Hash(\commitment_\gamma, \beta_\gamma)$
- \item $\mathbf{E}_\gamma \leftarrow \big[(\commitment_1,\beta_1),\dots,
- (\commitment_{\gamma-1}, \beta_{\gamma-1}),
- \Nil,
- (\commitment_{\gamma+1}, \beta_{\gamma+1}),
- \dots,(\commitment_\kappa, \beta_\kappa)\big]$
- \item send $(\mathbf{E}_\gamma, h'_\gamma)$ to $\Exchange$
- \end{enumerate}
- \item[$\Exchange$:]
- \begin{enumerate}
- \setcounter{enumi}{9}
- \scriptsize
- \itemsep0.3em
- \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow \Hash(\mathbf{E}_\gamma[i])$
- \item if $h \stackrel{?}{\neq} \HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$ return 0
- \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}$:
- if $0 \stackrel{?}{=} \Compare(\commitment,\commitment_i, \beta_i)$ return $0$
- \item return 1
- \end{enumerate}
- \end{itemize}
- \end{frame}
-
-\begin{frame}{Basic Requirements}
-
- Candidate functions
- \[ (\Commit, \Attest, \Verify, \Derive, \Compare) \]
- must first meet \textit{basic} requirements:
-
- \begin{itemize}
- \item Existence of attestations
- \item Efficacy of attestations
- \item Derivability of commitments and attestations
- \end{itemize}
-\end{frame}
-
-\begin{frame}{Basic Requirements}
- \framesubtitle{Formal Details}
-
- \begin{description}
- \item[Existence of attestations]
- {\scriptsize
- \begin{align*}
- \Forall_{\age\in\N_\Age \atop \omega \in \Omega}:
- \Commit(\age, \omega) =: (\commitment, \pruf)
- \implies
- \Attest(\minage, \commitment, \pruf) =
- \begin{cases}
- \attest \in \Attests, \text{ if } \minage \leq \age\\
- \Nil \text{ otherwise}
- \end{cases}
- \end{align*}}
- \item[Efficacy of attestations]
- {\scriptsize
- \begin{align*}
- \Verify(\minage, \commitment, \attest) = \
- \begin{cases}
- 1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\
- 0 \text{ otherwise}
- \end{cases}
- \end{align*}}
-
- {\scriptsize
- \begin{align*}
- \forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1.
- \end{align*}}
- \item[etc.]
- \end{description}
-\end{frame}
-
-\begin{frame}{Requirements}
- \framesubtitle{Details}
-
- \begin{description}
- \item[Derivability of commitments and proofs:]~\\[0.1em]
- {\scriptsize
- Let \begin{align*}
- \age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\
- (\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\
- (\commitment_1, \pruf_1, \blinding) & \leftarrow \Derive(\commitment_0, \pruf_0, \omega_1).
- \end{align*}
- We require
- \begin{align*}
- \Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity}
- \end{align*}
- and for all $n\leq\age$:
- \begin{align*}
- \Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &%
- =
- \Verify(n, \commitment_0, \Attest(n, \commitment_0, \pruf_0))
- \end{align*}}
- \end{description}
-\end{frame}
-
-\begin{frame}{Security Requirements}
- Candidate functions must also meet \textit{security} requirements.
- Those are defined via security games:
- \begin{itemize}
- \item Game: Age disclosure by commitment or attestation
- \item[$\leftrightarrow$] Requirement: Non-disclosure of age
- \vfill
-
- \item Game: Forging attestation
- \item[$\leftrightarrow$] Requirement: Unforgeability of
- minimum age
- \vfill
-
- \item Game: Distinguishing derived commitments and attestations
- \item[$\leftrightarrow$] Requirement: Unlinkability of
- commitments and attestations
-
- \end{itemize}
- \vfill
-
- Meeting the security requirements means that adversaries can win
- those games only with negligible advantage.
- \vfill
- Adversaries are arbitrary polynomial-time algorithms, acting on all
- relevant input.
-\end{frame}
-
-\begin{frame}{Security Requirements}
- \framesubtitle{Simplified Example}
-
- \begin{description}
- \item[Game $\Game{FA}(\lambda)$---Forging an attest:]~\\
- {\small
- \begin{enumerate}
- \item $ (\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $
- \item $ (\commitment, \pruf) \leftarrow \Commit(\age, \omega) $
- \item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$
- \item Return 0 if $\minage \leq \age$
- \item Return $\Verify(\minage,\commitment,\attest)$
- \end{enumerate}
- }
- \vfill
- \item[Requirement: Unforgeability of minimum age]
- {\small
- \begin{equation*}
- \Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}:
- \Probability\Big[\Game{FA}(\lambda) = 1\Big] \le \negl(\lambda)
- \end{equation*}
- }
- \end{description}
-\end{frame}
-
-
-\begin{frame}{Solution: Instantiation with ECDSA}
-% \framesubtitle{Definition of Commit}
-
- \begin{description}
- \item[To Commit to age (group) $\age \in \{1,\dots,\Age\}$]~\\
- \begin{enumerate}
- \item<2-> Guardian generates ECDSA-keypairs, one per age (group):
- \[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\]
- \item<3-> Guardian then \textbf{drops} all private keys
- $p_i$ for $i > \age$:
- \[\Big \langle(q_1, p_1),\dots,
- (q_\age, p_\age),
- (q_{\age +1}, \red{\Nil}),\dots,
- (q_\Age, \red{\Nil})\Big\rangle\]
-
- \begin{itemize}
- \item $\Vcommitment := (q_1, \dots, q_\Age)$ is the \textit{Commitment},
- \item $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$ is the \textit{Proof}
- \end{itemize}
- \vfill
- \item<4-> Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$
- \vfill
- \end{enumerate}
- \end{description}
-\end{frame}
-
-\begin{frame}{Instantiation with ECDSA}
- \framesubtitle{Definitions of Attest and Verify}
-
- Child has
- \begin{itemize}
- \item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $,
- \item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
- \end{itemize}
- \begin{description}
- \item<2->[To \blue{Attest} a minimum age $\blue{\minage} \leq \age$:]~\\
- Sign a message with ECDSA using private key $p_\blue{\minage}$
- \end{description}
-
- \vfill
-
- \uncover<3->{
- Merchant gets
- \begin{itemize}
- \item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $
- \item Signature $\sigma$
- \end{itemize}
- \begin{description}
- \item<4->[To \blue{Verify} a minimum age $\minage$:]~\\
- Verify the ECDSA-Signature $\sigma$ with public key $q_\minage$.
- \end{description}
- }
- \vfill
-\end{frame}
-
-\begin{frame}{Instantiation with ECDSA}
- \framesubtitle{Definitions of Derive and Compare}
- Child has
- $\Vcommitment = (q_1, \dots, q_\Age) $ and
- $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
- \begin{description}
- \item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:]
- Choose random $\beta\in\Z_g$ and calculate
- \small
- \begin{align*}
- \Vcommitment' &:= \big(\beta * q_1,\ldots,\beta * q_\Age\big),\\
- \Vpruf' &:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big)
- \end{align*}
- Note: $ (\beta p_i)*G = \beta*(p_i*G) = \beta*q_i$\\
- \scriptsize $\beta*q_i$ is scalar multiplication on the elliptic curve.
- \end{description}
-
- \vfill
- \uncover<3->{
- Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$
- \begin{description}
- \item[To \blue{Compare}, calculate:]
- \small
- $(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)$
- \end{description}
- \vfill
- }
-\end{frame}
-
-\begin{frame}{Instantiation with ECDSA}
-
- Functions
- (Commit, Attest, Verify, Derive, Compare)\\
- as defined in the instantiation with ECDSA\\[0.5em]
- \begin{itemize}
- \item meet the basic requirements,\\[0.5em]
- \item also meet all security requirements.\\
- Proofs by security reduction, details are in the paper.
- \end{itemize}
-
-\end{frame}
-
-
-\begin{frame}{Instantiation with ECDSA}
- \framesubtitle{Full definitions}
- \scriptsize
-
- \begin{align*}
- \Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle
- \overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\;
- \overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf \text{, length }\Age}
- \Big\rangle\\
- \Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:=
- \begin{cases}
- \attest_\bage := \Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage] \stackrel{?}{\neq} \Nil\\
- \Nil & \text{otherwise}
- \end{cases}\\
- %
- \Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:= \Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\
- %
- \Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:=
- \Big\langle(\beta * q_1,\ldots,\beta * q_\Age),
- (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta \Big\rangle \\
- & \text{ with } \beta := \FDHg{\omega} \text{ and multiplication } \beta p_i \text{ modulo } g \nonumber\\
- %
- \Compare_E(\Vcommitment, \Vcommitment', \beta) &:=
- \begin{cases}
- 1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\
- 0 & \text{otherwise}
- \end{cases}
- \end{align*}
-\end{frame}
-
-
-\begin{frame}{Reminder: GNU Taler Fundamentals}
- \begin{center}
- \begin{tikzpicture}[scale=.55]
- \node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$};
- \node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$};
- \node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$};
-
- \draw[<->] (Customer) to [out=65,in=220] node[sloped,above] {\sf withdraw} (Exchange);
- \draw[<->] (Customer) to [out=45,in=240] node[sloped,below] {\sf refresh} (Exchange);
- \draw[<->] (Customer) to node[sloped, below] {\sf purchase} (Merchant);
- \draw[<->] (Merchant) to node[sloped, above] {\sf deposit} (Exchange);
- \end{tikzpicture}
- \end{center}
-
- \vfill
- \begin{itemize}
- \item Coins are public-/private key-pairs $(C_p, c_s)$.
- \item Exchange blindly signs $\FDH(C_p)$ with denomination key $d_p$
- \item Verification:
- \begin{eqnarray*}
- 1 &\stackrel{?}{=}&
- \mathsf{SigCheck}\big(\FDH(C_p), D_p, \sigma_p\big)
- \end{eqnarray*}
- \scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature)
-
- \end{itemize}
-\end{frame}
-
-\begin{frame}{Integration with GNU Taler}
- \framesubtitle{Binding age restriction to coins}
-
- To bind an age commitment $\commitment$ to a coin $C_p$, instead of
- signing $\FDH(C_p)$, $\Exchange$ now blindly signs
- \begin{center}
- $\FDH(C_p, \orange{H(\commitment)})$
- \end{center}
-
- \vfill
- Verfication of a coin now requires $H(\commitment)$, too:
- \begin{center}
- $1 \stackrel{?}{=}
- \mathsf{SigCheck}\big(\FDH(C_p, \orange{H(\commitment)}), D_p, \sigma_p\big)$
- \end{center}
- \vfill
-\end{frame}
-
-\begin{frame}{Integration with GNU Taler}
- \framesubtitle{Integrated schemes}
- \fontsize{8pt}{9pt}\selectfont
- \begin{tikzpicture}[scale=.9]
- \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
- \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
- \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$};
- \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$};
-
- \draw[<->] (Guardian) to node[sloped,above,align=center]
- {{\sf withdraw}\orange{, using}\\ $\FDH(C_p\orange{, H(\commitment)})$} (Exchange);
- \draw[<->] (Client) to node[sloped,below,align=center]
- {{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange);
- \draw[<->] (Client) to node[sloped, below]
- {{\sf purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant);
- \draw[<->] (Merchant) to node[sloped, above]
- {{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange);
-
- \draw[->] (Guardian) to [out=70,in=150, loop] node[above]
- {$\Commit(\age)$} (Guardian);
- \draw[->] (Guardian) to node[below,sloped]
- {($\commitment$, $\pruf_\age$)} (Client);
- \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below]
- {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
- \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
- {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
- \end{tikzpicture}
-\end{frame}
-
-\begin{frame}{Instantiation with Edx25519}
- Paper also formally defines another signature scheme: Edx25519.\\[1em]
-
- \begin{itemize}
- \item Scheme already in use in GNUnet,
- \item based on EdDSA (Bernstein et al.),
- \item generates compatible signatures and
- \item allows for key derivation from both, private and public keys, independently.
- \end{itemize}~\\[1em]
-
- Current implementation of age restriction in GNU Taler uses Edx25519.
-\end{frame}
-
-
-\begin{frame}{Age Restrictions based on KYC}
- Subsidiarity requires bank accounts being owned by adults.
- \begin{itemize}
- \item Scheme can be adapted to case where minors have bank accounts
- \begin{itemize}
- \item Assumption: banks provide minimum age
- information during bank
- transactions.
- \item Child and Exchange execute a variant of
- the cut\&choose protocol.
- \end{itemize}
- \end{itemize}
-\end{frame}
-
-\begin{frame}{Discussion}
- \begin{itemize}
- \item Our solution can in principle be used with any token-based payment scheme
- \item GNU Taler best aligned with our design goals (security, privacy and efficiency)
- \item Subsidiarity requires bank accounts being owned by adults
- \begin{itemize}
- \item Scheme can be adapted to case where minors have bank accounts
- \begin{itemize}
- \item Assumption: banks provide minimum age
- information during bank
- transactions.
- \item Child and Exchange execute a variant of
- the cut\&choose protocol.
- \end{itemize}
- \end{itemize}
- \item Our scheme offers an alternative to identity management systems (IMS)
- \end{itemize}
-\end{frame}
-\begin{frame}{Related Work}
- \begin{itemize}
- \item Current privacy-perserving systems all based on attribute-based credentials (Koning et al., Schanzenbach et al., Camenisch et al., Au et al.)
- \item Attribute-based approach lacks support:
- \begin{itemize}
- \item Complex for consumers and retailers
- \item Requires trusted third authority
- \end{itemize}
- \vfill
- \item Other approaches tie age-restriction to ability to pay ("debit cards for kids")
- \begin{itemize}
- \item Advantage: mandatory to payment process
- \item Not privacy friendly
- \end{itemize}
- \end{itemize}
-\end{frame}
-
-\begin{frame}{Conclusion}
- Age restriction is a technical, ethical and legal challenge.
-
- Existing solutions are
- \begin{itemize}
- \item without strong protection of privacy or
- \item based on identity management systems (IMS)
- \end{itemize}
- \vfill
-
- Our scheme offers a solution that is
- \begin{itemize}
- \item based on subsidiarity
- \item privacy preserving
- \item efficient
- \item an alternative to IMS
- \end{itemize}
-\end{frame}
-
+\input age.tex
\section{Software development \& deployment}
