marketing

Marketing materials (presentations, posters, flyers)

commit 5e30f0e03db3e574fe0310f7ce4c78ca5c046834
parent 6b95610c7bb7b0e3a895a9f5e8c436bc2b377951
Author: Christian Grothoff <grothoff@gnunet.org>
Date:   Sun,  5 Oct 2025 18:20:04 +0200

ethz draft

Diffstat:
Apresentations/comprehensive/2025-ethz.tex | 2665+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Mpresentations/comprehensive/main.tex | 411++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
2 files changed, 3075 insertions(+), 1 deletion(-)

diff --git a/presentations/comprehensive/2025-ethz.tex b/presentations/comprehensive/2025-ethz.tex 
@@ -0,0 +1,2665 @@
+\pdfminorversion=3
+\documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer}
+\usepackage{amsmath}
+\usepackage{multimedia}
+\usepackage[utf8]{inputenc}
+\usepackage{framed,color,ragged2e}
+\usepackage[absolute,overlay]{textpos}
+\definecolor{shadecolor}{rgb}{0.8,0.8,0.8}
+\usetheme{boxes}
+\setbeamertemplate{navigation symbols}{}
+\usepackage{xcolor}
+\usepackage[normalem]{ulem}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usepackage{array}
+\usepackage{bbding}
+\usepackage{relsize}
+\usepackage{graphicx}
+\usepackage{tikz,eurosym,calc}
+\usetikzlibrary{tikzmark}
+\usetikzlibrary{shapes,arrows,arrows.meta}
+\usetikzlibrary{positioning,fit,patterns}
+\usetikzlibrary{calc}
+\usepackage{multicol}
+\usepackage{pgf-umlsd}
+\usepackage{relsize}
+
+
+% "The GNU Taler Payment System", including
+% an introduction to our objectives,
+% background on the technology,
+% demonstration of the system,
+% social implications and open issues.
+
+% CSS
+\lstdefinelanguage{CSS}{
+ basicstyle=\ttfamily\scriptsize,
+ keywords={color,background-image:,margin,padding,font,weight,display,position,top,left,right,bottom,list,style,border,size,white,space,min,width, transition:, transform:, transition-property, transition-duration, transition-timing-function},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ morestring=[b]',
+ morestring=[b]",
+ alsoletter={:},
+ alsodigit={-}
+}
+
+% JavaScript
+\lstdefinelanguage{JavaScript}{
+ basicstyle=\ttfamily\scriptsize,
+ morekeywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+ morecomment=[s]{/*}{*/},
+ morecomment=[l]//,
+ morestring=[b]",
+ morestring=[b]'
+}
+
+\lstdefinelanguage{HTML5}{
+ basicstyle=\ttfamily\scriptsize,
+ language=html,
+ sensitive=true,
+ alsoletter={<>=-},
+ morecomment=[s]{<!-}{-->},
+ tag=[s],
+ otherkeywords={
+ % General
+ >,
+ % Standard tags
+ <!DOCTYPE,
+ </html, <html, <head, <title, </title, <style, </style, <link, </head, <meta, />,
+ % body
+ </body, <body,
+ % Divs
+ </div, <div, </div>,
+ % Paragraphs
+ </p, <p, </p>,
+ % scripts
+ </script, <script,
+ % More tags...
+ <canvas, /canvas>, <svg, <rect, <animateTransform, </rect>, </svg>, <video, <source, <iframe, </iframe>, </video>, <image, </image>
+ },
+ ndkeywords={
+ % General
+ =,
+ % HTML attributes
+ charset=, src=, id=, width=, height=, style=, type=, rel=, href=,
+ % SVG attributes
+ fill=, attributeName=, begin=, dur=, from=, to=, poster=, controls=, x=, y=, repeatCount=, xlink:href=,
+ % CSS properties
+ margin:, padding:, background-image:, border:, top:, left:, position:, width:, height:,
+ % CSS3 properties
+ transform:, -moz-transform:, -webkit-transform:,
+ animation:, -webkit-animation:,
+ transition:, transition-duration:, transition-property:, transition-timing-function:,
+ }
+}
+
+\lstdefinelanguage{JavaScript}{
+ basicstyle=\ttfamily\scriptsize,
+ keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break, for},
+ keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+
+\setbeamersize{description width=1em}
+
+\definecolor{blue}{rgb}{0,0,0.7}
+\newcommand{\orange}[1]{{\color{orange}#1}}
+\newcommand{\blue}[1]{{\color{blue}#1}}
+\newcommand{\red}[1]{{\color{red}#1}}
+\newcommand{\Guardian}{\mathcal{G}}
+\newcommand{\Child}{\mathcal{C}}
+\newcommand{\Customer}{\mathcal{C}}
+\newcommand{\Merchant}{\mathcal{M}}
+\newcommand{\Exchange}{\mathcal{E}}
+
+\newcommand{\Commit}{\mathsf{Commit}}
+\newcommand{\Attest}{\mathsf{Attest}}
+\newcommand{\Verify}{\mathsf{Verify}}
+\newcommand{\Derive}{\mathsf{Derive}}
+\newcommand{\DeriveCompare}{\mathsf{DeriveCompare_\kappa}}
+\newcommand{\Compare}{\mathsf{Compare}}
+\newcommand{\AgeVer}{\mathsf{AgeVer}}
+
+\newcommand{\HashF}{\mathsf{H}}
+\newcommand{\Hash}{\mathsf{H}}
+\newcommand{\Block}{\mathbb{B}}
+\newcommand{\Pub}{\mathsf{Pub}}
+\newcommand{\Sign}{\mathsf{Sig}}
+\newcommand{\Ver}{\mathsf{Ver}}
+\newcommand{\Encoding}{\mathsf{Encoding}}
+\newcommand{\ECDSA}{\mathsf{ECDSA}}
+\newcommand{\Null}{\mathcal{O}}
+\newcommand{\EC}{\mathrm{ec}}
+\newcommand{\Curve}{\mathsf{Curve25519}}
+\newcommand{\SHA}{\mathsf{SHA256}}
+\newcommand{\SHAF}{\mathsf{SHA252}}
+\newcommand{\FDH}{\mathsf{FDH}}
+
+\newcommand{\negl}{\epsilon}
+
+\newcommand{\rand}{\mathsf{rand}}
+\newcommand{\age}{\mathsf{a}}
+\newcommand{\Age}{\mathsf{M}}
+\newcommand{\bage}{\mathsf{b}}
+\newcommand{\minage}{\mathsf{m}}
+\newcommand{\attest}{\mathsf{T}}
+\newcommand{\commitment}{\mathsf{Q}}
+\newcommand{\pruf}{\mathsf{P}}
+\newcommand{\Vcommitment}{\vec{\mathsf{Q}}}
+\newcommand{\Vpruf}{\vec{\mathsf{P}}}
+\newcommand{\blinding}{\beta}
+
+\newcommand{\ZN}{\mathbb{Z}_N}
+\newcommand{\Z}{\mathbb{Z}}
+\newcommand{\N}{\mathbb{N}}
+\newcommand{\A}{\mathbb{A}}
+\newcommand{\E}{\mathbb{E}}
+\newcommand{\F}{\mathbb{F}}
+\newcommand{\seck}{\mathsf{s}}
+\newcommand{\pubk}{\mathsf{P}}
+\renewcommand{\H}{\mathbb{H}}
+\newcommand{\K}{\mathbb{K}}
+\newcommand{\Proofs}{\mathbb{P}}
+\newcommand{\Commitments}{\mathbb{O}}
+\newcommand{\Attests}{\mathbb{T}}
+\newcommand{\Blindings}{\mathbb{B}}
+\newcommand{\Nil}{\perp}
+
+\newcommand{\p}{\mathsf{p}}
+\newcommand{\com}{\mathsf{com}}
+\newcommand{\prf}{\mathsf{prf}}
+
+\newcommand{\Adv}{\mathcal{A}}
+\newcommand{\PPT}{\mathfrak{A}}
+\newcommand{\Probability}{\mathrm{Pr}}
+\newcommand{\Algorithm}{f}
+\renewcommand{\Game}[1]{G_\Adv^\mathsf{#1}}
+
+\DeclareMathOperator{\Image}{Im}
+\DeclareMathOperator{\Mod}{mod}
+
+\newcommand{\Encode}[1]{\overbracket[0.5pt][2pt]{\,#1\,}}
+\newcommand{\Decode}[1]{\underbracket[0.5pt][3pt]{\,#1\,}}
+\newcommand{\FDHg}[1]{[#1]_g\,}
+\newcommand{\logg}{{\breve{g}}}
+
+
+\newcommand{\drawfrom}{\xleftarrow{\$}}
+\newcommand\Exists{%
+ \mathop{\lower0.75ex\hbox{\ensuremath{%
+ \mathlarger{\mathlarger{\mathlarger{\mathlarger{\exists}}}}}}}%
+ \limits}
+
+\newcommand\Forall{%
+ \mathop{\lower0.75ex\hbox{\ensuremath{%
+ \mathlarger{\mathlarger{\mathlarger{\mathlarger{\forall}}}}}}}%
+ \limits}
+
+
+\title{GNU Taler}
+%\subtitle{}
+
+\setbeamertemplate{navigation symbols}{ \includegraphics[width=1cm]{tud-logo.pdf} \includegraphics[width=0.4cm]{logo-esen.pdf} \includegraphics[width=1cm]{logo-GlsBank.pdf} \includegraphics[width=0.6cm]{logo-MagNetBank.pdf} \includegraphics[width=0.4cm]{logo-ps.pdf} \includegraphics[width=0.4cm]{logo-nlnet.pdf} \includegraphics[width=0.4cm]{logo-HomoDigitalis.pdf} \includegraphics[width=0.4cm]{logo-codeblau.pdf} \includegraphics[width=1.4cm]{logo-tue.pdf} \includegraphics[width=0.6cm]{logo-visualvest.pdf} \includegraphics[width=1cm]{inria.pdf} \includegraphics[width=0.4cm]{logo-bfh.pdf} \includegraphics[width=1.6cm]{fub.pdf} \includegraphics[width=0.4cm]{ashoka.png} \includegraphics[width=0.4cm]{gnu.png} \includegraphics[width=1cm]{taler-logo-2021-inkscape.pdf} \hfill}
+%\setbeamercovered{transparent=1}
+
+\author[C. Grothoff]{C. Grothoff}
+\date{\today}
+\institute{The GNU Project}
+
+
+\begin{document}
+
+\justifying
+
+\begin{frame}
+ \begin{center}
+ \LARGE {\bf GNU}
+
+ \vfill
+% \includegraphics[width=0.66\textwidth]{logo-2017-fr.pdf}
+ \includegraphics[width=0.66\textwidth]{taler-logo-2021-inkscape.pdf}
+ \end{center}
+
+ \begin{center}
+ \includegraphics[width=0.15\textwidth]{logo-EU.pdf}
+ \includegraphics[width=0.15\textwidth]{logo-SBFI.pdf}
+ \end{center}
+
+\begin{textblock*}{6cm}(.5cm,7.7cm) % {block width} (coords)
+ {\Large {\bf \href{https://taler.net/}{taler.net}} \\
+ \href{https://twitter.com/taler}{taler@twitter}}
+\end{textblock*}
+
+% Substitute based on who is giving the talk!
+ \begin{textblock*}{6cm}(6.5cm,7.7cm) % {block width} (coords)
+ {\hfill {\bf Christian Grothoff} \\
+ \hfill grothoff@taler.net }
+\end{textblock*}
+
+\end{frame}
+
+\setbeamertemplate{navigation symbols}{\hfill \includegraphics[width=1cm]{taler-logo-2021-inkscape.pdf}}
+
+
+
+\begin{frame}{Agenda}
+ \tableofcontents
+\end{frame}
+
+\section{Motivation \& Background}
+
+
+\begin{frame}{A Social Problem}
+% \vfill
+ This was a question posed to RAND researchers in 1971:
+
+\begin{quote}
+ ``Suppose you were an advisor to the head of the KGB, the Soviet Secret Police. Suppose you are given the assignment of designing a system for the surveillance of all citizens and visitors within the boundaries of the USSR. The system is not to be too obtrusive or obvious. What would be your decision?''
+\end{quote}
+%The result: an electronic funds transfer system that looks
+%strikingly similar today's debit card system.
+\pause
+ \begin{center}
+ \includegraphics[height=1cm]{pics/nsa_spy.jpg}
+ \end{center}
+\vfill
+ \begin{center}
+``I think one of the big things that we need to do, is we need
+to get away from true-name payments on the Internet. The credit
+card payment system is one of the worst things that happened for the
+user, in terms of being able to divorce their access from their
+identity.'' \hfill --Edward Snowden, IETF 93 (2015)
+\end{center}
+
+\end{frame}
+
+
+\begin{frame}{Banks have Problems, too!}
+
+ 3D secure (``verified by visa'') is a nightmare:
+
+ \begin{minipage}{5cm}
+ \begin{itemize}
+ \item Complicated process
+ \item Shifts liability to consumer
+ \item Significant latency
+ \item Can refuse valid requests
+ \item Legal vendors excluded
+ \item No privacy for buyers
+ \end{itemize}
+ \end{minipage}
+ \begin{minipage}{5cm}
+ \includegraphics[width=\textwidth]{illustrations/cc3ds.pdf}
+ \end{minipage}
+ \vfill
+ Online credit card payments will be replaced, but with what?
+\end{frame} + + +\begin{frame}{The Bank's Problem} +\vfill + \begin{textblock*}{12cm}(0.5cm,1cm) % {block width} (coords) + \begin{itemize} + \item Global tech companies push oligopolies + \item Privacy and federated finance are at risk +% \item 30\% fees are conceivable + \item Economic sovereignty is in danger + \end{itemize} +\end{textblock*} +\begin{textblock*}{4cm}(3.5cm,5.2cm) % {block width} (coords) + {\includegraphics[width=\textwidth]{../investors/competitor-logos/amazon.png}} +\end{textblock*} +\begin{textblock*}{2cm}(7cm,3cm) % {block width} (coords) + {\includegraphics[width=\textwidth]{../investors/competitor-logos/alipay.jpeg}} +\end{textblock*} +\begin{textblock*}{2cm}(3cm,3.5cm) % {block width} (coords) + {\includegraphics[width=\textwidth]{../investors/competitor-logos/paypal.jpeg}} +\end{textblock*} +\begin{textblock*}{2cm}(9cm,5cm) % {block width} (coords) + {\includegraphics[width=\textwidth]{../investors/competitor-logos/applepay.jpeg}} +\end{textblock*} +\begin{textblock*}{2cm}(7.5cm,5.9cm) % {block width} (coords) + {\includegraphics[width=\textwidth]{../investors/competitor-logos/samsungpay.jpeg}} +\end{textblock*} +\begin{textblock*}{1cm}(9.5cm,6.3cm) % {block width} (coords) + {\includegraphics[width=\textwidth]{../investors/competitor-logos/android_pay.png}} +\end{textblock*} +\vfill +\end{frame} + + +\begin{frame}{Predicting the Future} + \begin{itemize} + \item Google and Apple will be your bank and run your payment system + \item They can target advertising based on your purchase history, location and + your ability to pay + \item They will provide more usable, faster and broadly available + payment solutions; our federated banking system will be history +% just like SMTP is now Gmail. 
+ \item After they dominate the payment sector, they will start to charge fees + befitting their oligopoly size + \item Competitors and vendors not aligning with their corporate ``values'' + will be excluded by policy and go bankrupt + \item The imperium will have another major tool for its financial warfare + \end{itemize} +\end{frame} + + +\begin{frame}{The Bank of International Settlements} + \framesubtitle{Central Bank Digital Currency vs. Cash} + \begin{center} + \movie[%scale=0.6, + autostart, + poster] + { + \includegraphics[height=0.6\textwidth,width=0.8\textwidth]{white.png} + } + {bis-cbdc.mp4} + \end{center} +\end{frame} + + +\begin{frame}{The Emergency Act of Canada\footnote{Speech by Premier Kenney, Alberta, February 2022}} + \begin{center} + \movie[%scale=0.6, + autostart, + poster] + { + \includegraphics[height=0.6\textwidth,width=0.8\textwidth]{ca.png} + } + {emergencyact.mp4} + + {\tiny \url{https://www.youtube.com/watch?v=NehMAj492SA} (2'2022)} + \end{center} +\end{frame} + + +\section{GNU Taler: Introduction} + +\begin{frame} + \vfill + \begin{center} + {\bf GNU Taler: Introduction} + \end{center} + \vfill +\end{frame} + + +\begin{frame}{GNU Taler} + \vfill + \begin{center} + {\huge {\bf Digital} cash, made \textbf{socially responsible}.} + \end{center} + \vfill + \begin{center} + \includegraphics[scale=0.3]{taler-logo-2021-inkscape.pdf} + \end{center} + \vfill + \begin{center} + Privacy-Preserving, Practical, Taxable, Free Software, Efficient + \end{center} + \vfill + \vfill +\ % +\end{frame} + + +\begin{frame}{What is Taler?} + \framesubtitle{\url{https://taler.net/en/features.html}} \noindent +Taler is + \vfill + \begin{itemize} + \item a Free/Libre software \emph{payment system} infrastructure project + \item ... with a surrounding software ecosystem + \item ... and a company (Taler Systems S.A.) and community that wants to deploy it + as widely as possible. 
+ \end{itemize} + \vfill +\noindent + However, Taler is + \begin{itemize} + \item \emph{not} a currency or speculative asset + \item \emph{not} a long-term store of value + \item \emph{not} a network or instance of a system + \item \emph{not} decentralized + \item \emph{not} based on proof-of-work or proof-of-stake + \end{itemize} +\end{frame} + + +\begin{frame}{Design principles} + \framesubtitle{https://taler.net/en/principles.html} +GNU Taler must ... +\begin{enumerate} + \item {... be implemented as {\bf free software}.} + \item {... protect the {\bf privacy of buyers}.} + \item {... enable the state to {\bf tax income} and crack down on + illegal business activities.} + \item {... prevent payment fraud.} + \item {... only {\bf disclose the minimal amount of information + necessary}.} + \item {... be usable.} + \item {... be efficient.} + \item {... avoid single points of failure.} + \item {... foster {\bf competition}.} +\end{enumerate} +\end{frame} + + +\begin{frame} +\frametitle{Taler Overview} +\begin{center} +\begin{tikzpicture} + \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em]; + \node (origin) at (0,0) {}; + \node (exchange) [def,above=of origin,draw]{Exchange}; + \node (customer) [def, draw, below left=of origin] {Customer}; + \node (merchant) [def, draw, below right=of origin] {Merchant}; + \node (auditor) [def, draw, above right=of origin]{Auditor}; +% \node (regulator) [def, draw, above=of auditor]{CSSF}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (customer) -- (exchange) node [midway, above, sloped] (TextNode) {withdraw coins}; + \draw [<-, C] (exchange) -- (merchant) node [midway, above, sloped] (TextNode) {deposit coins}; + \draw [<-, C] (merchant) -- (customer) node [midway, above, sloped] (TextNode) {spend coins}; + \draw [<-, C] (exchange) -- (auditor) node [midway, above, sloped] (TextNode) {verify}; +% \draw [<-, C] (regulator) -- (auditor) node [midway, above, sloped] (TextNode) 
{report}; + +\end{tikzpicture} +\end{center} +\end{frame} + + + +\begin{frame} +\frametitle{Architecture of Taler} +\begin{center} + \includegraphics[width=1\textwidth]{operations.png} +\end{center} +\end{frame} + + +\begin{frame}{Consumer Impact of Taler} +\begin{itemize} +\item {\bf Convenient:} pay with one click instantly --– in Euro, +Dollar, Yen or Bitcoin +\item {\bf Friction-free security:} Payments do not require sign-up, +login or multi-factor authentication +\item {\bf Privacy-preserving:} payment requires/shares no personal information +\item {\bf Bank account:} not required +\end{itemize} +\end{frame} + + +\begin{frame}{Merchant Impact of Taler} +\begin{itemize} +\item {\bf Instant clearance:} one-click transactions and instant clearance at par +\item {\bf Easy \& compliant:} GDPR \& PCI-DSS compliance-free and without any effort +\item {\bf Major profit increase:} efficient protocol $+$ no fraud $=$ extremely low costs +\item {\bf 1-click checkout:} without Amazon and without false +positives in fraud detection +\end{itemize} +\end{frame} + + +\begin{frame}{Usability of Taler} + \vfill + \begin{center} + \url{https://demo.taler.net/} + \end{center} + \begin{enumerate} + \item Install browser extension. + \item Visit the {\tt bank.demo.taler.net} to withdraw coins. + \item Visit the {\tt shop.demo.taler.net} to spend coins. 
+ \end{enumerate} + \vfill +\end{frame} + + +\begin{frame}{Real-world use} +\vfill +\begin{center} +\includegraphics[width=1.0\textwidth]{taler-in-use.png} +\end{center} +\vfill +\end{frame} + + +\section{Component Zoo} + +\begin{frame} + \vfill + \begin{center} + {\bf Component Zoo} + \end{center} + \vfill +\end{frame} + + +\begin{frame}{The Taler Software Ecosystem: Overview} + \framesubtitle{\url{https://taler.net/en/docs.html}} + Taler is based on modular components that work together to provide a + complete payment system: + \vfill + \begin{itemize} + \item {\bf Exchange:} Service provider for digital cash + \begin{itemize} + \item Core exchange software (cryptography, database) + \item Air-gapped key management, real-time {\bf auditing} + \item {\bf libeufin}: Modular integration with banking systems + \item {\bf challenger}: KYC service with OAuth 2.0 API + \end{itemize} + \item {\bf Merchant:} Integration service for existing businesses + \begin{itemize} + \item Core merchant backend software (cryptography, database) + \item {\bf Back-office interface} for staff + \item {\bf Frontend integration} (E-commerce, Point-of-sale) + \end{itemize} + \item {\bf Wallet:} Consumer-controlled applications for e-cash + \begin{itemize} + \item Multi-platform wallet software (for browsers \& mobile phones) + \item Wallet backup storage providers ({\bf sync} \& {\bf Anastasis}) + \end{itemize} + \end{itemize} +\end{frame} + + +\begin{frame}{Taler Exchange} + The {\bf Exchange} is the core logic of the payment system. 
+ + \begin{itemize} + \item One exchange at minimum must be operated per currency + \item Offers a REST API for merchants and customers + \item Uses several helper processes for configuration and to + interact with RTGS and cryptography + \item KYC support via OAuth 2.0, KycAID or Persona APIs + \item Implemented in C on top of GNU libmicrohttpd + \end{itemize} +\end{frame} + + +\begin{frame}{Taler Merchant} + The {\bf Merchant} is the software run by merchants to accept\\ + GNU Taler payments. + + \begin{minipage}{6cm} + \begin{itemize} + \item REST API for integration with e-commerce + \item SPA provides Web interface for administration + \item Features include: + \begin{itemize} + \item Multi-tenant support + \item Refunds + \item Templates + \item Webhooks + \item Inventory management (optional) + \end{itemize} + \item Implemented in C on top of GNU libmicrohttpd + \end{itemize} + \end{minipage} + \begin{minipage}{5cm} + \includegraphics[width=5cm]{screenshots/merchant-spa-settings} + \end{minipage} +\end{frame} + + +\begin{frame}{Taler Wallet} + The {\bf Wallet} is the software run by consumers to store + their digital cash and authorize transactions. + + \begin{minipage}{8cm} + \begin{itemize} + \item {\bf wallet-core} is the logic shared by all interfaces + \item Works on Android, F-Droid, iOS, Ubuntu Touch, + WebExtension (Chrome, Chromium, Firefox, etc.) + \item Features include: + \begin{itemize} + \item Multi-currency support + \item Wallet-to-wallet payments (NFC or QR code) + \item CRDT-like data model + \end{itemize} + \item {\bf wallet-core} implemented in TypeScript + \end{itemize} + Can be integrated into other Apps if desired. + \end{minipage} + \begin{minipage}{3cm} + \includegraphics[width=3cm]{screenshots/Screenshot_20230225-103520.png} + \end{minipage} +\end{frame} + + +\begin{frame}{Taler Auditor} + The {\bf Auditor} is the software run by an independent auditor + to validate the operation of an Exchange. 
+ + \begin{itemize} + \item REST API for additional report inputs by merchants (optional) + \item Secure database replication logic + \item Implemented in C on top of GNU libmicrohttpd + \end{itemize} +\end{frame} + + +\begin{frame}{libeufin-nexus} + libeufin-nexus allows Taler components to interact with a core banking system. It: + + \begin{itemize} + \item provides an implementation of the Wire Gateway for the exchange + \item supports EBICS 2.5 and 3.0 + \item other APIs such as FinTS or PSD2-style XS2A APIs can be added + without requiring changes to the Exchange + \item was tested with GLS Bank (DE) and Postfinance (CH) accounts and real EUR/CHF + \end{itemize} +\end{frame} + + +\begin{frame}{libeufin-bank} + libeufin-bank implements a standalone bank with a Web interface. It: + + \begin{itemize} + \item provides the Taler Core Bank API for RESTful online banking + using a Web interface (with multi-factor authentication) + \item includes a Taler Wire Gateway for the exchange + \item offers the Taler Bank Integration API to allow wallets + to easily withdraw digital cash + \item optionally provides the Taler Conversion Info API for currency + conversion between fiat and regional currencies + \item optionally integrates with libeufin-nexus to interact with + a core banking system + \end{itemize} +\end{frame} + + +\begin{frame}{Challenger} + Challenger allows clients to obtain validated address (KYC) data about + users: + + \begin{itemize} + \item Customizable Web-based process for address validation + \item Can validate phone numbers, e-mail addresses or physical mailing addresses + \item Provides an exchange-compatible OAuth 2.0 API + \end{itemize} +\end{frame} + + +\begin{frame}{Depolymerization} + Depolymerization is a bridge between GNU Taler and blockchains, + making Taler a layer 2 system for crypto-currencies (like Lightning). 
+ + \begin{itemize} + \item provides an implementation of the Wire Gateway for the exchange + \item Works on top of Bitcoin and Ethereum + crypto-currencies, with the DLTs as the ``RTGS'' + \item Provides same API to Exchange as libeufin-nexus + \item Implemented in Rust + \end{itemize} +\end{frame} + + +\begin{frame}{Pretix Taler payment plugin} +\begin{center} +\includegraphics[width=0.5\textwidth]{screenshots/pretix.png} +\end{center} + + Pretix is a ticket sales system. + + \begin{itemize} + \item Pretix payment plugin enables payments via GNU Taler + \item Developed by Pretix.eu for \EUR{3,000} on behalf of Taler Systems SA + \end{itemize} +\end{frame} + + +\begin{frame}{WooCommerce Taler payment plugin} +\begin{minipage}{6cm} + \begin{itemize} + \item WooCommerce is an e-commerce plugin for WordPress. + \item WooCommerce payment plugin enables payments via GNU Taler + \item Features include: + \begin{itemize} + \item Trivial configuration + \item Support for refunds + \item Full internationalization + \end{itemize} + \item WooCommerce and its plugins are implemented in PHP + \end{itemize} +\end{minipage} +\begin{minipage}{5cm} + \includegraphics[width=4cm]{screenshots/woocommerce-cart.png} + \includegraphics[width=4cm]{screenshots/woocommerce-settings.png} + \end{minipage} +\end{frame} + + +\begin{frame}{Joomla! Taler payment plugin} +\begin{minipage}{6cm} + \begin{itemize} + \item Joomla! is an e-commerce platform + \item Joomla! payment plugin enables payments via GNU Taler + \item Features include: + \begin{itemize} + \item Trivial configuration + \item Support for refunds + \item Full internationalization + \end{itemize} + \item Joomla! 
and its plugins are implemented in PHP + \end{itemize} +\end{minipage} +% FIXME: add screenshots +%\begin{minipage}{5cm} +% \includegraphics[width=4cm]{screenshots/woocommerce-cart.png} +% \includegraphics[width=4cm]{screenshots/woocommerce-settings.png} +% \end{minipage} +\end{frame} + + +\begin{frame}{Point-of-Sale App for Android} + +\begin{minipage}{7cm} + \begin{itemize} + \item Allows merchant to generate orders against Taler backend + and display QR code to enable customer to pay in person + \item Patterned after ViewTouch restaurant UI + \item Features include: + \begin{itemize} + \item Internet-based configuration + \item Products sorted by categories + \item Easy undo of every operation + \item Manages multiple concurrent orders + \end{itemize} + \item The Point-of-Sale App is implemented in Kotlin + \end{itemize} +\end{minipage} +\begin{minipage}{4cm} + \includegraphics[width=4cm]{screenshots/Screenshot_20230224-194112.jpg} + \includegraphics[width=4cm]{screenshots/Screenshot_20230224-194119.jpg} + \includegraphics[width=4cm]{screenshots/Screenshot_20230224-195348.jpg} +\end{minipage} +\end{frame} + + + +\section{Protocol Basics} + +\begin{frame} + \vfill + \begin{center} + {\bf Protocol Basics} + \end{center} + \vfill +\end{frame} + + +\begin{frame}{A Bachelor's Thesis Video} + \begin{center} + \movie[%scale=0.6, + autostart, + poster] + { + \includegraphics[height=0.6\textwidth,width=0.8\textwidth]{white.png} + } + {cs-movie.mp4} + \end{center} +\end{frame} + + +\begin{frame}{How does it work?} +We use a few ancient constructions: + \begin{itemize} + \item Cryptographic hash function (1989) + \item Blind signature (1983) + \item Schnorr signature (1989) + \item {\sout Diffie-Hellman key exchange (1976)} Deterministic signatures (??) + \item Cut-and-choose zero-knowledge proof (1985) + \end{itemize} +But of course we use modern instantiations. 
+\end{frame} + + +\begin{frame}{Definition: Taxability} + We say Taler is taxable because: + \begin{itemize} + \item Merchant's income is visible from deposits. + \item Hash of contract is part of deposit data. + \item State can trace income and enforce taxation. + \end{itemize}\pause + Limitations: + \begin{itemize} + \item withdraw loophole + \item {\em sharing} coins among family and friends + \end{itemize} +\end{frame} + + +\begin{frame}{Exchange setup: Create a denomination key (RSA)} + \begin{minipage}{6cm} + \begin{enumerate} + \item Generate random primes $p,q$. + \item Compute $n := pq$, $\phi(n) = (p-1)(q-1)$ + \item Pick small $e < \phi(n)$ such that + $d := e^{-1} \mod \phi(n)$ exists. + \item Publish public key $(e,n)$. + \end{enumerate} + \end{minipage} + \begin{minipage}{6cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance=1em and 1em, inner sep=0em, outer sep=.3em]; + \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; + \node (primes) [draw=none, below = of origin] at (0,0) {$(p, q)$}; + \node (seal) [def, draw=none, below left=of primes]{\includegraphics[width=0.15\textwidth]{seal.pdf}}; + \node (hammer) [def, draw=none, below right=of primes]{\includegraphics[width=0.15\textwidth]{hammer.pdf}}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (primes) -- (origin) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (hammer) -- (primes) node [midway, above, sloped] (TextNode) {}; + \end{tikzpicture} +% \includegraphics[width=0.4\textwidth]{seal.pdf} + \end{minipage} +\end{frame} + + +\begin{frame}{Merchant: Create a signing key (EdDSA)} + \begin{minipage}{6cm} + \begin{itemize} + \item Generate random number $m \mod o$ as private key + \item Compute public key $M := mG$ + \end{itemize} + \end{minipage} + \begin{minipage}{6cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, 
outer sep=.3em]; + \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; + \node (m) [draw=none, below = of origin] at (0,0) {$m$}; + \node (seal) [draw=none, below=of m]{M}; + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (m) -- (origin) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {}; + \end{tikzpicture} + \end{minipage} + \parbox[t]{3cm}{{\bf Capability:} $m \Rightarrow$ } + \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{merchant-sign.pdf}} +\end{frame} + + +\begin{frame}{Customer: Create a planchet (EdDSA)} + \begin{minipage}{8cm} + \begin{itemize} + \item Generate random number $c \mod o$ as private key + \item Compute public key $C := cG$ + \end{itemize} + \end{minipage} + \begin{minipage}{4cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em]; + \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; + \node (c) [draw=none, below = of origin] at (0,0) {$c$}; + \node (planchet) [draw=none, below=of c]{\includegraphics[width=0.4\textwidth]{planchet.pdf}}; + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (c) -- (origin) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (planchet) -- (c) node [midway, above, sloped] (TextNode) {}; + \end{tikzpicture} + \end{minipage} + \parbox[t]{3cm}{{\bf Capability:} $c \Rightarrow$ } + \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{planchet-sign.pdf}} +\end{frame} + + +\begin{frame}{Customer: Blind planchet (RSA)} + \begin{minipage}{6cm} + \begin{enumerate} + \item Obtain public key $(e,n)$ + \item Compute $f := FDH(C)$, $f < n$. 
+ \item Generate random blinding factor $b \in \mathbb Z_n$
+ \item Transmit $f' := f b^e \mod n$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (b) [def, draw=none, below = of origin] at (0,-0.2) {$b$};
+ \node (blinded) [def, draw=none, below right=of b]{\includegraphics[width=0.2\textwidth]{blinded.pdf}};
+ \node (planchet) [def, draw=none, above right=of blinded]{\includegraphics[width=0.15\textwidth]{planchet.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Exchange: Blind sign (RSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Receive $f'$.
+ \item Compute $s' := f'^d \mod n$.
+ \item Send signature $s'$.
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}};
+ \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
+ \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Customer: Unblind coin (RSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Receive $s'$.
+ \item Compute $s := s' b^{-1} \mod n$ % \\
+ % ($(f')^d = (f b^e)^d = f^d b$).
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (b) [def, draw=none] at (0,0) {$b$};
+ \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
+ \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Customer: Build shopping cart}
+ \begin{center}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
+ \node (origin) [draw=none] at (0,0) {\includegraphics[width=0.2\textwidth]{cart.pdf}};
+ \node (merchant) [node distance=4em and 0.5em, draw, below =of origin]{\includegraphics[width=0.2\textwidth]{shop.pdf}};
+ \tikzstyle{C} = [color=black, line width=1pt];
+ \draw [<-, C] (merchant) -- (origin) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{center}
+\end{frame}
+
+
+\begin{frame}{Merchant: Propose contract (EdDSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Complete proposal $D$.
+ \item Send $D$, $EdDSA_m(D)$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (cart) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{cart.pdf}};
+ \node (proposal) [def, draw=none, below right=of cart]{\includegraphics[width=0.5\textwidth]{merchant_propose.pdf}};
+ \node (customer) [node distance=4em and 0.5em, draw, below =of proposal]{Customer};
+ \tikzstyle{C} = [color=black, line width=1pt];
+ \node (sign) [def, draw=none, above right=of proposal] {$m$};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (proposal) -- (sign) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (proposal) -- (cart) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (customer) -- (proposal) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Customer: Spend coin (EdDSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Receive proposal $D$, $EdDSA_m(D)$.
+ \item Send $s$, $C$, $EdDSA_c(D)$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance=2em and 0.4em, inner sep=0em, outer sep=.3em];
+ \node (proposal) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}};
+ \node (contract) [def, draw=none, below right=of cart]{\includegraphics[width=0.3\textwidth]{contract.pdf}};
+ \node (c) [def, draw=none, above=of contract] {$c$};
+ \node (merchant) [node distance=4em and 0.5em, draw, below=of contract]{Merchant};
+ \node (coin) [def, draw=none, right=of contract]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (contract) -- (proposal) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (merchant) -- (contract) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \draw [<-, C] (merchant) -- (coin) node [midway, below, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Merchant and Exchange: Verify coin (RSA)}
+ \begin{minipage}{6cm}
+ \begin{equation*}
+ s^e \stackrel{?}{\equiv} FDH(C) \mod n
+ \end{equation*}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{minipage}{0.2\textwidth}
+ \includegraphics[width=\textwidth]{coin.pdf}
+ \end{minipage}
+ $\stackrel{?}{\Leftrightarrow}$
+ \begin{minipage}{0.2\textwidth}
+ \includegraphics[width=\textwidth]{seal.pdf}
+ \end{minipage}
+ \end{minipage}
+ \vfill
+ The exchange does not only verify the signature, but also
+ checks that the coin was not double-spent.
+ \vfill
+ \pause
+ \begin{center}
+ {\bf Taler is an online payment system.}
+ \end{center}
+ \vfill
+\end{frame}
+
+
+\begin{frame}{Giving change}
+ It would be inefficient to pay EUR 100 with 1 cent coins!
+ \begin{itemize}
+ \item Denomination key represents value of a coin.
+ \item Exchange may offer various denominations for coins.
+ \item Wallet may not have exact change!
+ \item Usability requires ability to pay given sufficient total funds.
+ \end{itemize}\pause
+ Key goals:
+ \begin{itemize}
+ \item maintain unlinkability
+ \item maintain taxability of transactions
+ \end{itemize}\pause
+ Method:
+ \begin{itemize}
+ \item Contract can specify to only pay {\em partial value} of a coin.
+ \item Exchange allows wallet to obtain {\em unlinkable change}
+ for remaining coin value.
+ \end{itemize}
+\end{frame}
+
+
+\begin{frame}{Deterministic Signatures}
+ \vfill
+ \begin{minipage}{8cm}
+ \begin{itemize}
+ \item Some public key operations depend on a nonce or ``random'' value
+ \begin{itemize}
+ \item Example: ElGamal (encryption), DSA/ECDSA (signing)
+ \item[+] same plaintext, different ciphertext
+ \item[-] security may break on nonce-reuse
+ \end{itemize}
+ \item Generating the nonce deterministically by hashing all inputs
+ (see also: Fiat-Shamir transformation) can make these algorithms
+ {\bf deterministic}
+ \begin{itemize}
+ \item Example: EdDSA
+ \end{itemize}
+ \end{itemize}
+ \end{minipage}
+ \begin{minipage}{5cm}
+ Deterministic signatures:
+ \begin{center}
+ \includegraphics[width=0.6\textwidth]{ecollect.jpeg}
+
+ $=$
+
+ \includegraphics[width=0.6\textwidth]{detsig.pdf}
+ \end{center}
+ \end{minipage}
+ \vfill
+ \note[item]{Before we can introduce the change protocol, we need to consider that
+ not all cryptographic signatures are deterministic.}
+ \note[item]{Following modern approach to e-collecting, we will use the image on
+ the right to illustrate {\bf deterministic} signatures.}
+ \note[item]{Replacing random inputs or nonces with hashes is a common trick to
+ make signature algorithms deterministic.}
+\end{frame}
+
+
+\begin{frame}{Strawman solution}
+ \begin{minipage}{8cm}
+ Given partially spent private coin key $c_{old}$:
+ \begin{enumerate}
+% \item Let $C_{old} := c_{old}G$ (as before)
+ \item Generate random $c_{new} \mod o$ as private key
+ \item Compute public key $C_{new} = c_{new}G$
+ \item Generate random $b_{new}$
+ \item Compute $f_{new} := FDH(C_{new})$, $m < n$.
+ \item Transmit $f'_{new} := f_{new} b_{new}^e \mod n$
+ \end{enumerate}
+ ... and sign request for change with $c_{old}$.
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (blinded) [def, draw=none]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (planchet) [def, draw=none, above left= of blinded] {\includegraphics[width=0.15\textwidth]{planchet.pdf}};
+ \node (cnew) [def, draw=none, above= of planchet] {$c_{new}$};
+ \node (bnew) [def, draw=none, above right= of blinded] {$b_{new}$};
+ \node (dice1) [def, draw=none, above = of cnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dice2) [def, draw=none, above = of bnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (cnew) -- (dice1) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (planchet) -- (cnew) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bnew) -- (dice2) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bnew) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+ \pause
+ \vfill
+ {\bf Problem: Owner of $c_{new}$ may differ from owner of $c_{old}$!}
+\end{frame}
+
+
+\begin{frame}{Customer: Transfer setup (DETSIG)}
+ \begin{minipage}{10cm}
+ Given partially spent private coin key $c_{old}$:
+ \begin{enumerate}
+ \item Let $C_{old} := c_{old}G$ (as before)
+ \item Create random nonce $t$
+ \item Compute deterministic signature $X := DETSIG_{c_{old}}(t)$
+ \item Derive $c_{new}$ and $b_{new}$ from $X$ using HKDF
+ \item Compute $C_{new} := c_{new}G$
+ \item Compute $f_{new} := FDH(C_{new})$
+ \item Transmit $f_{new}' := f_{new} b_{new}^e$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{3cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t$};
+ \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (X) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf}};
+ \node (d) [def, draw=none, above left= of X] {$c_{old}$};
+ \node (cp) [def, draw=none, below left= of X] {$c_{new}$};
+ \node (bp) [def, draw=none, below right= of X] {$b_{new}$};
+ \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (exchange) [def, draw, below =of blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (X) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (X) -- (t) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (X) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (X) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+ \note[item]{In this construction, we {\em derive} the blinding factor $b_{new}$ and
+ the private key of the new coin $c_{new}$ from the DH of the $c_{old}$ and a newly
+ created transfer key $t$. Note that it is a bit unusual but perfectly find that
+ we here have {\bf both} private keys to compute the DH.}
+ \note[item]{The resulting blinded public key of the new coin
+ (public key derivation and blinding are elided to keep the diagram concise) is
+ then signed with $c_{old}$ to request change.}
+ \note[item]{This approach has an obvious problem: from the perspective of the
+ Exchange, we cannot even tell that the user followed this procedure as the
+ resulting request with the blinded coin is indistinguishable from the previous
+ construction.}
+\end{frame}
+
+
+\begin{frame}{Cut-and-Choose}
+ \begin{minipage}{3cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t_1$};
+ \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_1$)};
+ \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$};
+ \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (exchange) [def, draw, below =of blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+ \hfill
+ \begin{minipage}{3cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t_2$};
+ \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_2$)};
+ \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,2}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,2}$};
+ \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (exchange) [def, draw, below =of blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+ \hfill
+ \begin{minipage}{3cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t_3$};
+ \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_3$)};
+ \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$};
+ \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (exchange) [def, draw, below =of blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+ \note[item]{This DH-construction thus obviously does not work, so in the usual
+ approach of an insane person, we don't just do it once, but three times
+ using three different transfer keys $t_1$, $t_2$, and $t_3$ instead of just $t$.}
+ \note[item]{Now, before you decide that we have just gone mad, this is actually
+ a well-known technique called {\bf cut-and-choose}. Here, we do a protocol
+ step multiple times to basically be able to {\bf burn} some of these iterations
+ to {\bf prove} our honesty.}
+ \note[item]{There are also {\bf non-interactive} cut-and-choose protocols, but
+ this one is a simple interactive one.}
+\end{frame}
+
+
+\begin{frame}{Exchange: Choose!}
+ \begin{center}
+ \item Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the customer.
+ \end{center}
+ \note[item]{This is the typical interaction: the Exchange picks one of the
+ three at random, basically deciding on which iterations to challenge the
+ wallet's honesty.}
+ \note[item]{$\gamma$ primarily needs to be {\bf unpredictable} for the wallet.}
+ \note[item]{Note that the protocol has a security parameter $\kappa=3$, and
+ so the wallet could guess correctly in $\frac{1}{3}$ of the cases. Usually
+ in security we would think of this to be way too low, and you will see much
+ higher values in other cut-and-choose protocols. But, we will see why
+ $\kappa=3$ is actually enough for GNU Taler!}
+\end{frame}
+
+
+\begin{frame}{Customer: Reveal}
+ \vfill
+ \begin{enumerate}
+ \item If $\gamma = 1$, send $\langle t_2, X_2 \rangle$, $\langle t_3, X_3 \rangle$ to exchange
+ \item If $\gamma = 2$, send $\langle t_1, X_1 \rangle$, $\langle t_3, X_3 \rangle$ to exchange
+ \item If $\gamma = 3$, send $\langle t_1, X_1 \rangle$, $\langle t_2, X_2 \rangle$ to exchange
+ \end{enumerate}
+ \vfill
+ \note[item]{So given the $\gamma$ challenge value, the wallet
+ has to send back the $t_i$ values for $i\not=\gamma$.}
+\end{frame}
+
+
+\begin{frame}{Exchange: Verify ($\gamma = 2$)}
+ \begin{minipage}{3cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (h) [def, draw=none] at (0,0) {$t_1$};
+ \node (dh) [def, draw=none, below left=of h]{\includegraphics[width=0.2\textwidth]{detverify.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$C_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$};
+ \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+ \hfill
+ \begin{minipage}{3cm}
+ \
+ \end{minipage}
+ \hfill
+ \begin{minipage}{3cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (h) [def, draw=none] at (0,0) {$t_3$};
+ \node (dh) [def, draw=none, below left=of h]{\includegraphics[width=0.2\textwidth]{detverify.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$C_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$};
+ \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+ \note[item]{Given those two values the exchange can {\bf validate} the
+ construction as it can compute the DH from the {\bf transfer private keys} $t_i$
+ and the {\bf coin public key} $C_{old}$.}
+ \note[item]{If the result matches with the original request from the wallet,
+ the exchange has established that with $\frac{2}{3}$ probability the wallet
+ made an honest request for change following the prescribed construction.}
+ \note[item]{If the wallet is unable (or unwilling) to produce the required
+ $t_i$ values, or if the resulting blinded values do not match, the entire
+ change is forfeit, and the customer looses their money.}
+ \note[item]{Thus, trying to cheat on income-transparency is punished with
+ what amounts to a {\bf 66.67\% tax}. Thus, a security level of $\kappa$
+ is sufficient as long as the {\em effective} income tax (after deductions,
+ on the full income) is below $\frac{\kappa - 1}{\kappa}$.
+ Taler always uses $\kappa=3$.}
+\end{frame}
+
+
+\begin{frame}{Exchange: Blind sign change (RSA)}
+ \begin{minipage}{5cm}
+ \begin{enumerate}
+ \item Take $f_{new,\gamma}'$.
+ \item Compute \\
+ $s' := f_{new,\gamma}'^d \mod n$.
+ \item Return signature $s'$.
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{5cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}};
+ \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
+ \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (customer) -- (signed) node [midway, right] (TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+ \note[item]{If the customer's request did follow the DH-construction, the exchange takes the
+ third envelope, the one where $t_\gamma$ was not disclosed, and signs this one to issue the
+ change.}
+\end{frame}
+
+
+\begin{frame}{Customer: Unblind change (RSA)}
+ \vfill
+ \begin{minipage}{8cm}
+ \begin{enumerate}
+ \item Receive $s'$.
+ \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$.
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{5cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
+ \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$};
+ \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
+ \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+ \vfill
+ \note[item]{As with the ordinary blind-signature based withdraw, the customer can
+ then unblind the signature and has a valid coin.}
+ \note[item]{Without knowledge of $c_{old}$ or $t_\gamma$, the coins derived from this
+ process are indistinguishable from coins that were withdrawn directly from an account.}
+ \note[item]{Most importantly, without knowledge of $t_\gamma$ or $c_{old}$,
+ the $c_{new}$ is unlinkable to $c_{old}$.}
+\end{frame}
+
+\begin{frame}{Exchange: Allow linking change}
+ \begin{minipage}{5cm}
+ \begin{center}
+ Given $C_{old}$
+
+ \vspace{1cm}
+
+ return $t_\gamma$ and
+ \begin{equation*}
+ s := s' b_{new,\gamma}^{-1} \mod n.
+ \end{equation*}
+ \end{center}
+ \end{minipage}
+ \begin{minipage}{5cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer sep=.3em];
+ \node (co) [def, draw=none] at (0,0) {$C_{old}$};
+ \node (T) [def, draw=none, below left=of co]{$t_\gamma$};
+ \node (sign) [def, draw=none, below right=of co]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
+ \node (customer) [def, draw, below right=of T] {Customer};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode) {link};
+ \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode) {link};
+ \end{tikzpicture}
+ \end{minipage}
+ \note[item]{But, how does this address the issue that $c_{old}$ may have a different
+ owner from $c_{new,\gamma}$? Well, so far it does not! In principle, the envelope can
+ easily be constructed by someone who was not the original owner of $c_{old}$.}
+ \note[item]{So how does this help? Well, the exchange has one more sub-protocol,
+ which is the {\bf link} protocol. Given the old coin's public key, $C_{old}$,
+ it returns $t_\gamma$, the {\bf public transfer key}, and the blind signature
+ over the new coin that was rendered as change.}
+ \note[item]{Note that this is a request that the owner of $c_{old}$ can always
+ trivially make, as they know $C_{old}$.}
+ \note[item]{So how does that help?}
+\end{frame}
+
+
+\begin{frame}{Customer: Link (threat!)}
+ \begin{minipage}{6.5cm}
+ \begin{enumerate}
+ \item Have $c_{old}$.
+ \item Obtain $T_\gamma$, $s$ from exchange
+ \item Compute $X_\gamma = DETSIG_{c_{old}}(t_\gamma)$
+ \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$
+ \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6.5cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 0.75em and 1em, inner sep=0em, outer sep=.3em];
+ \node (T) [def, draw=none] at (0,0) {$t_\gamma$};
+ \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange};
+ \node (signed) [def, draw=none, below left=of T]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
+ \node (dh) [def, draw=none, below right=of T]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_\gamma$)};
+ \node (bp) [def, draw=none, below left= of dh] {$b_{new,\gamma}$};
+ \node (co) [def, draw=none, above right= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below right= of dh] {$c_{new,\gamma}$};
+ \node (coin) [def, draw=none, below left = of bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
+ \node (psign) [def, node distance=1.5em and 0em, draw=none, below = of cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode) {link};
+ \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped] (TextNode) {link};
+ \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+ \note[item]{Well, given these two values, the owner of the original $c_{old}$ can
+ {\bf again} compute the DETSIG (from $c_{old}$ and $t_\gamma$), and then
+ also derive $c_{new,\gamma}$ and also unblind the exchange's signature using $b_{new,\gamma}$.}
+ \note[item]{As a result, the owner of the old coin can always compute the change,
+ and thus is effectively {\bf also} always an owner of the change rendered!}
+ \note[item]{Thus, we have {\bf reduced} the possibility of abusing the change
+ protocol for a transaction that would result in a {\bf mutually exclusive transfer
+ of ownership} to the case where the ownership of the change is {\bf shared}.}
+ \note[item]{But, we previously explained that {\bf sharing} is not something we can
+ or would care to prevent, so the change protocol does not weaken income transparency.}
+\end{frame}
+
+
+\begin{frame}{Refresh protocol summary}
+ \begin{itemize}
+ \item Customer asks exchange to convert old coin to new coin
+ \item Protocol ensures new coins can be recovered from old coin
+ \item[$\Rightarrow$] New coins are owned by the same entity!
+ \end{itemize}
+ Thus, the refresh protocol allows:
+ \begin{itemize}
+ \item To give unlinkable change.
+ \item To give refunds to an anonymous customer.
+ \item To expire old keys and migrate coins to new ones.
+ \item To handle protocol aborts.
+ \end{itemize}
+ \noindent
+ \begin{center}
+ \bf
+ Transactions via refresh are equivalent to {\em sharing} a wallet.
+\end{center}
+\end{frame}
+
+
+\section{Offline payments}
+
+\begin{frame}
+ \vfill
+ \begin{center}
+ {\bf Offline payments}
+ \end{center}
+ \vfill
+\end{frame}
+
+
+\begin{frame}{Requirements: Online vs. Offline Digital Currencies}
+\framesubtitle{\url{https://taler.net/papers/euro-bearer-online-2021.pdf}}
+\begin{itemize}
+ \item Offline capabilities are sometimes cited as a requirement for digital payment solutions
+ \item All implementations must either use restrictive hardware elements and/or introduce
+ counterparty risk.
+ \item[$\Rightarrow$] Permanent offline features weaken a digital payment solution (privacy, security)
+ \item[$\Rightarrow$] Introduces unwarranted competition for physical cash (endangers emergency-preparedness).
+ \end{itemize}
+ We recommend a tiered approach:
+ \begin{enumerate}
+ \item Online-first, bearer-based digital currency with Taler
+ \item (Optional:) Limited offline mode for network outages
+ \item Physical cash for emergencies (power outage, catastrophic cyber incidents)
+ \end{enumerate}
+\end{frame}
+
+
+% FIXME: replace by Hardwaresec slide from Mikolai!
+\begin{frame}{Fully Offline Payments {\bf (WiP)}}
+\framesubtitle{\url{https://docs.taler.net/design-documents/030-offline-payments.html}}
+Many central banks today demand offline capabilities for digital payment solutions.
+\vfill
+\noindent
+Three possible approaches:
+\begin{enumerate}
+ \item Trust-based offline payments (has counterparty and/or privacy risks)
+ \item Full HSM Taler wallet (has hardware costs)
+ \item Light-weight HSM balance register
+\end{enumerate}
+\vfill
+\end{frame}
+
+
+\begin{frame}{A Scenario}
+{God is offline, but customer pays online}
+\begin{center}
+ \includegraphics[height=0.4\textwidth]{shrine.jpg}
+\end{center}
+\end{frame}
+
+\begin{frame}{Typical Payment Process}{All equivalent: Twint, PayPal, AliPay, PayTM}
+\begin{center}
+ \movie[%scale=0.6,
+ autostart,
+ poster]
+ {
+ \includegraphics[height=0.3\textwidth,width=0.4\textwidth]{white.png}
+ }
+ {twint.mkv}
+
+ {\tiny (C) Twint, 2023}
+\end{center}
+\end{frame}
+
+
+\begin{frame}{Secure Payment ...}{Everything green?}
+\begin{center}
+ \includegraphics[height=0.3\textwidth]{paymentTwint-screen_25.png}
+\end{center}
+\end{frame}
+
+\begin{frame}{Exploit ``Code''}{Programming optional}
+\begin{center}
+ \includegraphics[height=0.3\textwidth]{paymentTwint-screen.png}
+\end{center}
+\end{frame}
+
+\begin{frame}{``Customers'' {\em love} Twint ...}{Daily non-business for shops}
+\begin{center}
+ \includegraphics[height=0.3\textwidth]{paymentTwint-screen_50.png}
+\end{center}
+\end{frame}
+
+
+\begin{frame}{Partially Offline Payments with GNU Taler\footnote{Joint work with Emmanuel Benoist, Priscilla Huang and Sebastian Marchano}}
+
+\begin{center}
+\resizebox{8cm}{7cm}{
+\begin{sequencediagram}
+ \newinst{pos}{\shortstack{PoS \\
+ \\ \begin{tikzpicture}
+ \node [fill=gray!20,draw=black,thick ,align=center] {PoS key \\ PoS ID};
+ \end{tikzpicture}
+ }}
+ \newinst[2]{customer}{\shortstack{Customer \\
+ \\ \begin{tikzpicture}
+ \node [fill=gray!20,draw=black,thick ,align=center] {Digital \\ Wallet};
+ \end{tikzpicture}
+ }}
+ \newinst[2]{backend}{\shortstack{Merchant Backend \\
+ \\ \begin{tikzpicture}[shape aspect=.5]
+ \tikzset{every node/.style={cylinder, shape border rotate=90, draw,fill=gray!25}}
+ \node at (1.5,0) {\shortstack{{\tiny PoS key} \\ {\tiny PoS ID}}};
+ \end{tikzpicture}
+ }}
+ \postlevel
+ \mess[0]{pos}{PoS ID}{customer}
+ \begin{sdblock}{optional}{}
+ \begin{callself}{customer}{Amount}{}
+ \end{callself}
+ \end{sdblock}
+ \prelevel
+ \prelevel
+ \prelevel
+ \prelevel
+ \prelevel
+ \begin{sdblock}{optional}{}
+ \begin{callself}{pos}{Amount}{}
+ \end{callself}
+ \end{sdblock}
+ \postlevel
+ \mess[0]{customer}{PoS ID, [Amount]?}{backend}
+ \mess[0]{backend}{Contract}{customer}
+ \postlevel
+ \mess[0]{customer}{Payment}{backend}
+ \begin{callself}{pos}{OTP(PoS key)}{}
+ \end{callself}
+ \prelevel
+ \prelevel
+ \begin{callself}{backend}{OTP(PoS key)}{}
+ \end{callself}
+ \mess[0]{backend}{OTP code}{customer}
+ \postlevel
+ \mess[0]{customer}{OTP code}{pos}
+\end{sequencediagram}
+}
+\end{center}
+\end{frame}
+
+
+
+\section{Programmable money: Age restrictions}
+
+\begin{frame}
+ \vfill
+ \begin{center}
+ {\bf Programmable money: Age restrictions}
+ \end{center}
+ \vfill
+\end{frame}
+
+
+\begin{frame}{Age restriction in E-commerce}
+
+ \begin{description}
+ \item[Problem:]~\\[1em]
+ Verification of minimum age requirements in e-commerce.\\[2em]
+
+ \item[Common solutions:]
+
+\begin{tabular}{l<{\onslide<2->}c<{\onslide<3->}cr<{\onslide}}
+ & \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount]
+ 1. ID Verification & bad & required & \\[\medskipamount]
+ 2. Restricted Accounts & bad & required & \\[\medskipamount]
+ 3. Attribute-based & good & required &\tikzmark{bottomau} \\[\medskipamount]
+\end{tabular}
+ \end{description}
+
+\uncover<4->{
+ \begin{tikzpicture}[overlay,remember picture]
+ \draw[orange,thick,rounded corners]
+ ($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$);
+ \end{tikzpicture}
+ \begin{center}
+ \bf Principle of Subsidiarity is violated
+ \end{center}
+}
+\end{frame}
+
+
+\begin{frame}{Principle of Subsidiarity}
+\begin{center} \Large
+ Functions of government---such as granting and restricting
+ rights---should be performed\\
+ {\it at the lowest level of authority possible},\\
+ as long as they can be performed {\it adequately}.
+\end{center}
+\vfill
+\uncover<2->{
+ For age-restriction, the lowest level of authority is:\\
+ \begin{center}\Large
+ Parents, guardians and caretakers
+ \end{center}
+}
+\end{frame}
+
+
+\begin{frame}{Age restriction design for GNU Taler}
+Design and implementation of an age restriction scheme\\
+with the following goals:
+
+\begin{enumerate}
+\item It ties age restriction to the \textbf{ability to pay} (not to ID's)
+\item maintains \textbf{anonymity of buyers}
+\item maintains \textbf{unlinkability of transactions}
+\item aligns with \textbf{principle of subsidiartiy}
+\item is \textbf{practical and efficient}
+\end{enumerate}
+
+\end{frame}
+
+
+\begin{frame}{Age restriction}
+ \framesubtitle{Assumptions and scenario}
+
+ \begin{columns}
+ \column{7.5cm}
+ \begin{itemize}
+ \item<1-> Assumption: Checking accounts are under control of eligible adults/guardians.
+ \item<2-> \textit{Guardians} \textbf{commit} to an maximum age
+ \item<3-> \textit{Minors} \textbf{attest} their adequate age
+ \item<4-> \textit{Merchants} \textbf{verify} the attestations
+ \item<5-> Minors \textbf{derive} age commitments from existing ones
+ \item<6-> \textit{Exchanges} \textbf{compare} the derived age commitments
+ \end{itemize}
+ \column{5cm}
+ \uncover<7->
+ {
+ \begin{center}
+ \fontsize{7pt}{7pt}\selectfont
+ \begin{tikzpicture}[scale=.5]
+ \node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
+ \node[circle,minimum size=15pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
+ \node[circle,minimum size=15pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$};
+ \node[circle,minimum size=15pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$};
+
+ \draw[->] (Guardian) to [out=50,in=130, loop] node[above]
+ {$\Commit$} (Guardian);
+ \draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left]
+ {\blue{$\Attest$}} (Client);
+ \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
+ {\blue{$\Verify$}} (Merchant);
+ \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below]
+ {\orange{$\Derive$}} (Client);
+ \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
+ {\orange{$\Compare$}} (Exchange);
+
+ \draw[orange,|->] (Client) to node[sloped,above,align=left]
+ {\orange{\scriptsize }} (Exchange);
+ \draw[blue,|->] (Client) to node[sloped, above]
+ {\blue{\scriptsize }} (Merchant);
+ \draw[,|->] (Guardian) to node[above,sloped,align=left]
+ {{\scriptsize }} (Client);
+ \end{tikzpicture}
+ \end{center}
+ }
+ \end{columns}
+ \vfill
+ \uncover<7->{Note: Scheme is independent of payment service protocol.}
+\end{frame}
+
+
+\begin{frame}{Formal Function Signatures}
+\small
+Searching for functions \uncover<2->{with the following signatures}
+\begin{align*}
+ &\bf \Commit\uncover<2->{:
+ &(\age, \omega) &\mapsto (\commitment, \pruf)
+ &\scriptstyle \N_\Age \times \Omega &\scriptstyle \to
\Commitments\times\Proofs, + } + \\ + &\bf \Attest\uncover<3->{: + &(\minage, \commitment, \pruf) &\mapsto \attest + &\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\}, + } + \\ + &\bf \Verify\uncover<4->{: + &(\minage, \commitment, \attest) &\mapsto b + &\scriptstyle \N_\Age\times\Commitments\times\Attests &\scriptstyle \to \Z_2, + } + \\ + &\bf \Derive\uncover<5->{: + &(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf', \blinding) + &\scriptstyle \Commitments\times\Proofs\times\Omega &\scriptstyle \to \Commitments\times\Proofs\times\Blindings, + } + \\ + &\bf \Compare\uncover<6->{: + &(\commitment, \commitment', \blinding) &\mapsto b + &\scriptstyle \Commitments\times\Commitments\times\Blindings &\scriptstyle \to \Z_2, + } +\end{align*} + \uncover<7->{ + with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$ + sufficiently large sets.\\[1em] + Basic and security requirements are defined later.\\[2em] + } + + \scriptsize + \uncover<2->{ + Mnemonics:\\ + $\Commitments=$ \textit{c$\Commitments$mmitments}, + $\commitment=$ \textit{Q-mitment} (commitment), + $\Proofs=$ \textit{$\Proofs$roofs}, + } + \uncover<3->{ + $\pruf=$ \textit{$\pruf$roof},\\ + $\Attests=$ \textit{a$\Attests$testations}, + $\attest=$ \textit{a$\attest$testation}, + } + \uncover<5->{ + $\Blindings=$ \textit{$\Blindings$lindings}, + $\blinding=$ \textit{$\blinding$linding}. 
+ } +\end{frame} + +\begin{frame}{Age restriction} + \framesubtitle{Naïve scheme} + \begin{center} + \begin{tikzpicture}[scale=.85] + \node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; + \node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=20pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$}; + \node[circle,minimum size=20pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$}; + + \draw[->] (Guardian) to [out=50,in=130, loop] node[above] + {$\Commit$} (Guardian); + \draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left] + {\blue{$\Attest$}} (Client); + \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above] + {\blue{$\Verify$}} (Merchant); + \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below] + {\orange{$\Derive$}} (Client); + \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] + {\orange{$\Compare$}} (Exchange); + + \draw[orange,|->] (Client) to node[sloped,above,align=left] + {\orange{\scriptsize }} (Exchange); + \draw[blue,|->] (Client) to node[sloped, above] + {\blue{\scriptsize }} (Merchant); + \draw[,|->] (Guardian) to node[above,sloped,align=left] + {{\scriptsize }} (Client); + \end{tikzpicture} + \end{center} +\end{frame} + +\begin{frame}{Achieving Unlinkability} + \begin{columns} + \column{3cm} + \begin{center} + \fontsize{8pt}{9pt}\selectfont + \begin{tikzpicture}[scale=.65] + \node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; + \node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + + \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below] + {\orange{$\footnotesize \Derive()$}} (Client); + \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] + {\orange{$\footnotesize \Compare()$}} (Exchange); + + \draw[orange,|->] (Client) to node[sloped,above,align=left] + {\orange{\tiny \uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange); + 
\end{tikzpicture} + \end{center} + + \column{9cm} + Simple use of $\Derive()$ and $\Compare()$ is problematic. + + \begin{itemize} + \item<2-> Calling $\Derive()$ iteratively generates sequence + $(\commitment_0, \commitment_1, \dots)$ of commitments. + \item<2-> Exchange calls $\Compare(\commitment_i, \commitment_{i+1}, .)$ + \item[$\implies$]\uncover<3->{\bf Exchange identifies sequence} + \item[$\implies$]\uncover<3->{\bf Unlinkability broken} + \end{itemize} + \end{columns} +\end{frame} + +\begin{frame}{Achieving Unlinkability} + Define cut\&choose protocol \orange{$\DeriveCompare$}, + using $\Derive()$ and $\Compare()$.\\[0.5em] + \uncover<2->{ + Sketch: + \small + \begin{enumerate} + \item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$ + from $\commitment_0$ \\ + by calling $\Derive()$ with blindings $(\beta_1,\dots,\beta_\kappa)$ + \item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$ + \item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$ + \item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly + \item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$ + \item $\Exchange$ compares $h_0$ and + $H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\ + and evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$. + \end{enumerate} + \vfill + Note: Scheme is similar to the {\it refresh} protocol in GNU Taler. + } +\end{frame} + +\begin{frame}{Achieving Unlinkability} + With \orange{$\DeriveCompare$} + \begin{itemize} + \item $\Exchange$ learns nothing about $\commitment_\gamma$, + \item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty, + \item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat. + \end{itemize} + \vfill + Note: Still need Derive and Compare to be defined. 
+\end{frame} + +\begin{frame}{Refined scheme} + + \begin{tikzpicture}[scale=.8] + \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$}; + \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$}; + + \draw[orange,<->] (Client) to node[sloped,below,align=center] + {\orange{$\DeriveCompare$}} (Exchange); + \draw[blue,->] (Client) to node[sloped, below] + {\blue{$(\attest_\minage, \commitment)$}} (Merchant); + + \draw[->] (Guardian) to [out=150,in=70, loop] node[above] + {$\Commit(\age)$} (Guardian); + \draw[->] (Guardian) to node[below,sloped] + {($\commitment$, $\pruf_\age$)} (Client); + \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below] + {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client); + \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below] + {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant); + \end{tikzpicture} +\end{frame} + + \begin{frame}{Achieving Unlinkability} + \scriptsize + $\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\ + \vfill + $\DeriveCompare(\commitment, \pruf, \omega) =$ + \begin{itemize} + \it + \itemsep0.5em + \item[$\Child$:] + \begin{enumerate} + \scriptsize + \itemsep0.3em + \item for all $i \in \{1,\dots,\kappa\}: + (\commitment_i,\pruf_i,\beta_i) \leftarrow \Derive(\commitment, \pruf, \omega + i)$ + \item $h \leftarrow \Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa) \big)$ + \item send $(\commitment, h)$ to $\Exchange$ + \end{enumerate} + \item[$\Exchange$:] + \begin{enumerate} + \setcounter{enumi}{4} + \scriptsize + \itemsep0.3em + \item save $(\commitment, h)$ \label{st:hash} + \item $\gamma \drawfrom \{1,\dots ,\kappa\}$ + \item send $\gamma$ to $\Child$ + \end{enumerate} + \item[$\Child$:] + 
\begin{enumerate} + \setcounter{enumi}{7} + + \scriptsize + \itemsep0.3em + \item $h'_\gamma \leftarrow \Hash(\commitment_\gamma, \beta_\gamma)$ + \item $\mathbf{E}_\gamma \leftarrow \big[(\commitment_1,\beta_1),\dots, + (\commitment_{\gamma-1}, \beta_{\gamma-1}), + \Nil, + (\commitment_{\gamma+1}, \beta_{\gamma+1}), + \dots,(\commitment_\kappa, \beta_\kappa)\big]$ + \item send $(\mathbf{E}_\gamma, h'_\gamma)$ to $\Exchange$ + \end{enumerate} + \item[$\Exchange$:] + \begin{enumerate} + \setcounter{enumi}{10} + \scriptsize + \itemsep0.3em + \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow \Hash(\mathbf{E}_\gamma[i])$ + \item if $h \stackrel{?}{\neq} \HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$ return 0 + \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}$: + if $0 \stackrel{?}{=} \Compare(\commitment,\commitment_i, \beta_i)$ return $0$ + \item return 1 + \end{enumerate} + \end{itemize} + \end{frame} + +\begin{frame}{Basic Requirements} + + Candidate functions + \[ (\Commit, \Attest, \Verify, \Derive, \Compare) \] + must first meet \textit{basic} requirements: + + \begin{itemize} + \item Existence of attestations + \item Efficacy of attestations + \item Derivability of commitments and attestations + \end{itemize} +\end{frame} + +\begin{frame}{Basic Requirements} + \framesubtitle{Formal Details} + + \begin{description} + \item[Existence of attestations] + {\scriptsize + \begin{align*} + \Forall_{\age\in\N_\Age \atop \omega \in \Omega}: + \Commit(\age, \omega) =: (\commitment, \pruf) + \implies + \Attest(\minage, \commitment, \pruf) = + \begin{cases} + \attest \in \Attests, \text{ if } \minage \leq \age\\ + \Nil \text{ otherwise} + \end{cases} + \end{align*}} + \item[Efficacy of attestations] + {\scriptsize + \begin{align*} + \Verify(\minage, \commitment, \attest) = \ + \begin{cases} + 1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\ + 0 \text{ otherwise} + 
\end{cases} + \end{align*}} + + {\scriptsize + \begin{align*} + \forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1. + \end{align*}} + \item[etc.] + \end{description} +\end{frame} + +\begin{frame}{Requirements} + \framesubtitle{Details} + + \begin{description} + \item[Derivability of commitments and proofs:]~\\[0.1em] + {\scriptsize + Let \begin{align*} + \age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\ + (\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\ + (\commitment_1, \pruf_1, \blinding) & \leftarrow \Derive(\commitment_0, \pruf_0, \omega_1). + \end{align*} + We require + \begin{align*} + \Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity} + \end{align*} + and for all $n\leq\age$: + \begin{align*} + \Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &% + = + \Verify(n, \commitment_0, \Attest(n, \commitment_0, \pruf_0)) + \end{align*}} + \end{description} +\end{frame} + +\begin{frame}{Security Requirements} + Candidate functions must also meet \textit{security} requirements. + Those are defined via security games: + \begin{itemize} + \item Game: Age disclosure by commitment or attestation + \item[$\leftrightarrow$] Requirement: Non-disclosure of age + \vfill + + \item Game: Forging attestation + \item[$\leftrightarrow$] Requirement: Unforgeability of + minimum age + \vfill + + \item Game: Distinguishing derived commitments and attestations + \item[$\leftrightarrow$] Requirement: Unlinkability of + commitments and attestations + + \end{itemize} + \vfill + + Meeting the security requirements means that adversaries can win + those games only with negligible advantage. + \vfill + Adversaries are arbitrary polynomial-time algorithms, acting on all + relevant input. 
+\end{frame} + +\begin{frame}{Security Requirements} + \framesubtitle{Simplified Example} + + \begin{description} + \item[Game $\Game{FA}(\lambda)$---Forging an attest:]~\\ + {\small + \begin{enumerate} + \item $ (\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $ + \item $ (\commitment, \pruf) \leftarrow \Commit(\age, \omega) $ + \item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$ + \item Return 0 if $\minage \leq \age$ + \item Return $\Verify(\minage,\commitment,\attest)$ + \end{enumerate} + } + \vfill + \item[Requirement: Unforgeability of minimum age] + {\small + \begin{equation*} + \Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}: + \Probability\Big[\Game{FA}(\lambda) = 1\Big] \le \negl(\lambda) + \end{equation*} + } + \end{description} +\end{frame} + + +\begin{frame}{Solution: Instantiation with ECDSA} +% \framesubtitle{Definition of Commit} + + \begin{description} + \item[To Commit to age (group) $\age \in \{1,\dots,\Age\}$]~\\ + \begin{enumerate} + \item<2-> Guardian generates ECDSA-keypairs, one per age (group): + \[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\] + \item<3-> Guardian then \textbf{drops} all private keys + $p_i$ for $i > \age$: + \[\Big \langle(q_1, p_1),\dots, + (q_\age, p_\age), + (q_{\age +1}, \red{\Nil}),\dots, + (q_\Age, \red{\Nil})\Big\rangle\] + + \begin{itemize} + \item $\Vcommitment := (q_1, \dots, q_\Age)$ is the \textit{Commitment}, + \item $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$ is the \textit{Proof} + \end{itemize} + \vfill + \item<4-> Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$ + \vfill + \end{enumerate} + \end{description} +\end{frame} + +\begin{frame}{Instantiation with ECDSA} + \framesubtitle{Definitions of Attest and Verify} + + Child has + \begin{itemize} + \item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $, + \item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$. 
+ \end{itemize} + \begin{description} + \item<2->[To \blue{Attest} a minimum age $\blue{\minage} \leq \age$:]~\\ + Sign a message with ECDSA using private key $p_\blue{\minage}$ + \end{description} + + \vfill + + \uncover<3->{ + Merchant gets + \begin{itemize} + \item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $ + \item Signature $\sigma$ + \end{itemize} + \begin{description} + \item<4->[To \blue{Verify} a minimum age $\minage$:]~\\ + Verify the ECDSA-Signature $\sigma$ with public key $q_\minage$. + \end{description} + } + \vfill +\end{frame} + +\begin{frame}{Instantiation with ECDSA} + \framesubtitle{Definitions of Derive and Compare} + Child has + $\Vcommitment = (q_1, \dots, q_\Age) $ and + $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$. + \begin{description} + \item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:] + Choose random $\beta\in\Z_g$ and calculate + \small + \begin{align*} + \Vcommitment' &:= \big(\beta * q_1,\ldots,\beta * q_\Age\big),\\ + \Vpruf' &:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big) + \end{align*} + Note: $ (\beta p_i)*G = \beta*(p_i*G) = \beta*q_i$\\ + \scriptsize $\beta*q_i$ is scalar multiplication on the elliptic curve. + \end{description} + + \vfill + \uncover<3->{ + Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$ + \begin{description} + \item[To \blue{Compare}, calculate:] + \small + $(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)$ + \end{description} + \vfill + } +\end{frame} + +\begin{frame}{Instantiation with ECDSA} + + Functions + (Commit, Attest, Verify, Derive, Compare)\\ + as defined in the instantiation with ECDSA\\[0.5em] + \begin{itemize} + \item meet the basic requirements,\\[0.5em] + \item also meet all security requirements.\\ + Proofs by security reduction, details are in the paper. 
+ \end{itemize} + +\end{frame} + + +\begin{frame}{Instantiation with ECDSA} + \framesubtitle{Full definitions} + \scriptsize + + \begin{align*} + \Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle + \overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\; + \overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf \text{, length }\Age} + \Big\rangle\\ + \Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:= + \begin{cases} + \attest_\bage := \Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage] \stackrel{?}{\neq} \Nil\\ + \Nil & \text{otherwise} + \end{cases}\\ + % + \Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:= \Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\ + % + \Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:= + \Big\langle(\beta * q_1,\ldots,\beta * q_\Age), + (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta \Big\rangle \\ + & \text{ with } \beta := \FDHg{\omega} \text{ and multiplication } \beta p_i \text{ modulo } g \nonumber\\ + % + \Compare_E(\Vcommitment, \Vcommitment', \beta) &:= + \begin{cases} + 1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\ + 0 & \text{otherwise} + \end{cases} + \end{align*} +\end{frame} + + +\begin{frame}{Reminder: GNU Taler Fundamentals} + \begin{center} + \begin{tikzpicture}[scale=.55] + \node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$}; + \node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$}; + \node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$}; + + \draw[<->] (Customer) to [out=65,in=220] node[sloped,above] {\sf withdraw} (Exchange); + \draw[<->] (Customer) to [out=45,in=240] node[sloped,below] {\sf refresh} (Exchange); + \draw[<->] (Customer) to node[sloped, below] {\sf purchase} (Merchant); + \draw[<->] (Merchant) to node[sloped, above] {\sf deposit} (Exchange); + \end{tikzpicture} + \end{center} + + \vfill + \begin{itemize} + \item Coins are public-/private key-pairs $(C_p, c_s)$. 
+ \item Exchange blindly signs $\FDH(C_p)$ with denomination key $d_p$ + \item Verification: + \begin{eqnarray*} + 1 &\stackrel{?}{=}& + \mathsf{SigCheck}\big(\FDH(C_p), D_p, \sigma_p\big) + \end{eqnarray*} + \scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature) + + \end{itemize} +\end{frame} + +\begin{frame}{Integration with GNU Taler} + \framesubtitle{Binding age restriction to coins} + + To bind an age commitment $\commitment$ to a coin $C_p$, instead of + signing $\FDH(C_p)$, $\Exchange$ now blindly signs + \begin{center} + $\FDH(C_p, \orange{H(\commitment)})$ + \end{center} + + \vfill + Verfication of a coin now requires $H(\commitment)$, too: + \begin{center} + $1 \stackrel{?}{=} + \mathsf{SigCheck}\big(\FDH(C_p, \orange{H(\commitment)}), D_p, \sigma_p\big)$ + \end{center} + \vfill +\end{frame} + +\begin{frame}{Integration with GNU Taler} + \framesubtitle{Integrated schemes} + \fontsize{8pt}{9pt}\selectfont + \begin{tikzpicture}[scale=.9] + \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$}; + \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$}; + + \draw[<->] (Guardian) to node[sloped,above,align=center] + {{\sf withdraw}\orange{, using}\\ $\FDH(C_p\orange{, H(\commitment)})$} (Exchange); + \draw[<->] (Client) to node[sloped,below,align=center] + {{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange); + \draw[<->] (Client) to node[sloped, below] + {{\sf purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant); + \draw[<->] (Merchant) to node[sloped, above] + {{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange); + + \draw[->] (Guardian) to [out=70,in=150, loop] node[above] + {$\Commit(\age)$} (Guardian); + \draw[->] (Guardian) to node[below,sloped] + {($\commitment$, $\pruf_\age$)} (Client); + 
\draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below] + {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client); + \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below] + {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant); + \end{tikzpicture} +\end{frame} + +\begin{frame}{Instantiation with Edx25519} + Paper also formally defines another signature scheme: Edx25519.\\[1em] + + \begin{itemize} + \item Scheme already in use in GNUnet, + \item based on EdDSA (Bernstein et al.), + \item generates compatible signatures and + \item allows for key derivation from both, private and public keys, independently. + \end{itemize}~\\[1em] + + Current implementation of age restriction in GNU Taler uses Edx25519. +\end{frame} + + +\begin{frame}{Age Restrictions based on KYC} + Subsidiarity requires bank accounts being owned by adults. + \begin{itemize} + \item Scheme can be adapted to case where minors have bank accounts + \begin{itemize} + \item Assumption: banks provide minimum age + information during bank + transactions. + \item Child and Exchange execute a variant of + the cut\&choose protocol. + \end{itemize} + \end{itemize} +\end{frame} + + +\begin{frame}{Discussion} + \begin{itemize} + \item Our solution can in principle be used with any token-based payment scheme + \item GNU Taler best aligned with our design goals (security, privacy and efficiency) + \item Subsidiarity requires bank accounts being owned by adults + \begin{itemize} + \item Scheme can be adapted to case where minors have bank accounts + \begin{itemize} + \item Assumption: banks provide minimum age + information during bank + transactions. + \item Child and Exchange execute a variant of + the cut\&choose protocol. 
+ \end{itemize} + \end{itemize} + \item Our scheme offers an alternative to identity management systems (IMS) + \end{itemize} +\end{frame} + + +\begin{frame}{Related Work} + \begin{itemize} + \item Current privacy-perserving systems all based on attribute-based credentials (Koning et al., Schanzenbach et al., Camenisch et al., Au et al.) + \item Attribute-based approach lacks support: + \begin{itemize} + \item Complex for consumers and retailers + \item Requires trusted third authority + \end{itemize} + \vfill + \item Other approaches tie age-restriction to ability to pay ("debit cards for kids") + \begin{itemize} + \item Advantage: mandatory to payment process + \item Not privacy friendly + \end{itemize} + \end{itemize} +\end{frame} + + +\begin{frame}{Conclusion} + Age restriction is a technical, ethical and legal challenge. + + Existing solutions are + \begin{itemize} + \item without strong protection of privacy or + \item based on identity management systems (IMS) + \end{itemize} + \vfill + + Our scheme offers a solution that is + \begin{itemize} + \item based on subsidiarity + \item privacy preserving + \item efficient + \item an alternative to IMS + \end{itemize} +\end{frame} + + +\section{Future Work \& Conclusion} + +\begin{frame} + \vfill + \begin{center} + {\bf Future Work \& Conclusion} + \end{center} + \vfill +\end{frame} + + +\begin{frame}{Use Case: Journalism} + Today: + \begin{itemize} + \item Corporate structure % ($\Rightarrow$ filter) + \item Advertising primary revenue % ($\Rightarrow$ dependence) + \item Tracking readers critical for business success + \item Journalism and marketing hard to distinguish + \end{itemize}\vfill\pause + With GNU Taler: + \begin{itemize} + \item One-click micropayments per article + \item Hosting requires no expertise % (no PCI DSS) + \item Reader-funded reporting separated from marketing + \item Readers can remain anonymous + \end{itemize} +\end{frame} + + +\begin{frame}{Taler: Project Status} 
+\framesubtitle{\url{https://docs.taler.net/}} +\begin{itemize} + \item Cryptographic protocols and core exchange component are stable + \item Pilot project at Bern University of Applied Sciences cafeteria + \item Netzbon (regional currency) in Basel launched + \item Taler Operations AG live Swiss-wide + \item Internal alpha deployment with GLS Bank (Germany) + \end{itemize} +\end{frame} + + +\begin{frame}{Competitor comparison} + \begin{center} \small + \begin{tabular}{l||c|c|c|c|c} + & Cash & Bitcoin & Zerocoin & Creditcard & GNU Taler \\ \hline \hline + Online &$-$$-$$-$ & ++ & ++ & + & +++ \\ \hline + Offline & +++ & $-$$-$ & $-$$-$ & + & $+$$+$ \\ \hline + Trans. cost & + & $-$$-$$-$ & $-$$-$$-$ & $-$ & ++ \\ \hline + Speed & + & $-$$-$$-$ & $-$$-$$-$ & o & ++ \\ \hline + Taxation & $-$ & $-$$-$ & $-$$-$$-$ & +++ & +++ \\ \hline + Payer-anon & ++ & o & ++ & $-$$-$$-$ & +++ \\ \hline + Payee-anon & ++ & o & ++ & $-$$-$$-$ & $-$$-$$-$ \\ \hline + Security & $-$ & o & o & $-$$-$ & ++ \\ \hline + Conversion & +++ & $-$$-$$-$ & $-$$-$$-$ & +++ & +++ \\ \hline + Libre & $-$ & +++ & +++ & $-$ $-$ $-$& +++ \\ + \end{tabular} + \end{center} +\end{frame} + + +\begin{frame}{Other ongoing developments} + \begin{itemize} + \item Privacy-preserving auctions (trading, currency exchange) ({\tt oezguer@taler.net}) + \item Hardware and software support for embedded systems ({\tt mikolai@taler.net}) + \item Tax-deductable receipts for donations to charities (donau.git) + \item Unlinkable anonymous subscriptions and discount tokens ({\tt ivan@taler.net}) + \item Support for illiterate and innumerate users\footnote{Background: \url{https://myoralvillage.org/}} + ({\tt marc@taler.net}) + \end{itemize} +\end{frame} + + +\begin{frame}{Future work} + \begin{itemize} + \item Performance improvements for RSA in FLOSS crypto libraries + \item Integrate with e-ID for easier \& cheaper KYC + \item Buy anonymous pre-paid debit cards on-demand with Taler wallet + \item Implement PQC across 
the stack (with cipher agility, where possible with additive security) + \end{itemize} +\end{frame} + + +\begin{frame}{Open Challanges} + \begin{itemize} + \item Try to explain this to lawyers and AML staff of banks + \item What are convincing arguments for citizens to switch? + \item How to address anti-competitive cash-back from card payments? + \item + \item + \end{itemize} +\end{frame} + + +\begin{frame}{How to support?} + \begin{description} + \item[Join:] {\small \url{https://lists.gnu.org/mailman/listinfo/taler}} + \item[Discuss:] {\small \url{https://ich.taler.net/}} + \item[Develop:] \url{https://bugs.taler.net/}, \url{https://git.taler.net/} + \item[Apply:] \url{https://nlnet.nl/propose}, \url{https://nlnet.nl/taler} + \item[Translate:] \url{https://weblate.taler.net/}, \url{translation-volunteer@taler.net} + \item[Integrate:] \url{https://docs.taler.net/} + \item[Donate:] \url{https://gnunet.org/ev} + \item[Partner:] \url{https://taler-systems.com/} + \end{description} +\end{frame} + + +\begin{frame}{Conclusion} + \begin{center} + {\bf What can we do?} + \end{center} + \vfill +\begin{itemize} + \item{Suffer mass-surveillance enabled by credit card oligopolies with high fees, and} + \item{Engage in arms race with deliberately unregulatable blockchains} +% \item{Enjoy the ``benefits'' of cash \\ +% \hfill \includegraphics[height=0.3\textheight]{atm-rupee.jpg} \hfill} +\end{itemize} +\vfill +\begin{center} + {\bf OR} +\end{center} +\vfill +\begin{itemize} + \item{Establish free software alternative balancing social goals!} +\end{itemize} +\vfill +\end{frame} + + +\begin{frame} +\frametitle{Do you have any questions?} +\vfill +References: +{\tiny + \begin{enumerate} + \item{Özgür Kesim, Christian Grothoff, Florian Dold and Martin Schanzenbach. + {\em Zero-Knowledge Age Restriction for GNU Taler}. + {\bf 27th European Symposium on Research in Computer Security (ESORICS), 2022}.} + \item{David Chaum, Christian Grothoff and Thomas Moser. 
+ {\em How to issue a central bank digital currency}. + {\bf SNB Working Papers, 2021}.} + \item{Christian Grothoff, Bart Polot and Carlo von Loesch. + {\em The Internet is broken: Idealistic Ideas for Building a GNU Network}. + {\bf W3C/IAB Workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT)}, 2014.} + \item{Jeffrey Burdges, Florian Dold, Christian Grothoff and Marcello Stanisci. + {\em Enabling Secure Web Payments with GNU Taler}. + {\bf SPACE 2016}.} + \item{Florian Dold, Sree Harsha Totakura, Benedikt M\"uller, Jeffrey Burdges and Christian Grothoff. + {\em Taler: Taxable Anonymous Libre Electronic Reserves}. + Available upon request. 2016.} + \item{Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer and Madars Virza. + {\em Zerocash: Decentralized Anonymous Payments from Bitcoin}. + {\bf IEEE Symposium on Security \& Privacy, 2016}.} + \item{David Chaum, Amos Fiat and Moni Naor. + {\em Untraceable electronic cash}. + {\bf Proceedings on Advances in Cryptology, 1990}.} + \item{Phillip Rogaway. + {\em The Moral Character of Cryptographic Work}. + {\bf Asiacrypt}, 2015.} \label{bib:rogaway} +\end{enumerate} +} +\begin{center} + {\bf Let money facilitate trade; but ensure capital serves society.} +\end{center} +\end{frame} + + +\end{document} + diff --git a/presentations/comprehensive/main.tex b/presentations/comprehensive/main.tex 
@@ -207,7 +207,8 @@ \setbeamertemplate{navigation symbols}{ \includegraphics[width=1cm]{tud-logo.pdf} \includegraphics[width=0.4cm]{logo-esen.pdf} \includegraphics[width=1cm]{logo-GlsBank.pdf} \includegraphics[width=0.6cm]{logo-MagNetBank.pdf} \includegraphics[width=0.4cm]{logo-ps.pdf} \includegraphics[width=0.4cm]{logo-nlnet.pdf} \includegraphics[width=0.4cm]{logo-HomoDigitalis.pdf} \includegraphics[width=0.4cm]{logo-codeblau.pdf} \includegraphics[width=1.4cm]{logo-tue.pdf} \includegraphics[width=0.6cm]{logo-visualvest.pdf} \includegraphics[width=1cm]{inria.pdf} \includegraphics[width=0.4cm]{logo-bfh.pdf} \includegraphics[width=1.6cm]{fub.pdf} \includegraphics[width=0.4cm]{ashoka.png} \includegraphics[width=0.4cm]{gnu.png} \includegraphics[width=1cm]{taler-logo-2021-inkscape.pdf} \hfill} %\setbeamercovered{transparent=1} -\author[C. Grothoff]{J. Burdges, F. Dold, {\bf C. Grothoff}, M. Stanisci} +% NOTE: adjust as needed! +\author[C. Grothoff]{F. Dold, C. Grothoff} \date{\today} \institute{The GNU Project} @@ -1533,6 +1534,8 @@ But of course we use modern instantiations. \end{frame} + + \begin{frame}{Diffie-Hellman (ECDH)} \begin{minipage}{8cm} \begin{enumerate} @@ -1557,6 +1560,7 @@ But of course we use modern instantiations. \end{frame} + \begin{frame}{Strawman solution} \begin{minipage}{8cm} Given partially spent private coin key $c_{old}$: 
@@ -1597,6 +1601,32 @@ But of course we use modern instantiations. \end{frame} + + +\begin{frame}{Diffie-Hellman (ECDH)} + \begin{minipage}{8cm} + \begin{enumerate} + \item Create private keys $c,t \mod o$ + \item Compute $C := cG$ + \item Compute $T := tG$ + \item Compute DH \\ $cT = c(tG) = t(cG) = tC$ + \end{enumerate} + \end{minipage} + \begin{minipage}{6cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; + \node (t) [def, draw=none] at (0,0) {$t$}; + \node (ct) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{dh.pdf}}; + \node (c) [def, draw=none, above left= of ct] {$c$}; + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (ct) -- (c) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (ct) -- (t) node [midway, above, sloped] (TextNode) {}; + \end{tikzpicture} + \end{minipage} +\end{frame} + + \begin{frame}{Customer: Transfer key setup (ECDH)} \begin{minipage}{8cm} Given partially spent private coin key $c_{old}$: 
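Review bot: The tikzpicture in the added `Diffie-Hellman (ECDH)` frame anchors node `ct` with `below left=of b`, but no node named `b` exists in that picture (only `t`, `ct` and `c` are defined), so TikZ will abort with "No shape named b is known"; given the two `\draw` edges from `ct` to `t` and `c`, the intended anchor is presumably `\node (ct) [def, draw=none, below left=of t]{...}`. This frame also appears to duplicate the `Diffie-Hellman (ECDH)` frame that the hunk at 1534 shows immediately before `Strawman solution`, so one of the two copies looks unintended and should be dropped or retitled. Both copies use the deprecated `\tikzstyle`; `\tikzset{def/.style={...}}` is the supported form if the file is being touched anyway.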
@@ -1893,6 +1923,385 @@ But of course we use modern instantiations. \end{frame} +\begin{frame}{Customer: Transfer setup (DETSIG)} + \begin{minipage}{10cm} + Given partially spent private coin key $c_{old}$: + \begin{enumerate} + \item Let $C_{old} := c_{old}G$ (as before) + \item Create random nonce $t$ + \item Compute deterministic signature $X := DETSIG_{c_{old}}(t)$ + \item Derive $c_{new}$ and $b_{new}$ from $X$ using HKDF + \item Compute $C_{new} := c_{new}G$ + \item Compute $f_{new} := FDH(C_{new})$ + \item Transmit $f_{new}' := f_{new} b_{new}^e$ + \end{enumerate} + \end{minipage} + \begin{minipage}{3cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; + \node (t) [def, draw=none] at (0,0) {$t$}; + \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; + \node (X) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf}}; + \node (d) [def, draw=none, above left= of X] {$c_{old}$}; + \node (cp) [def, draw=none, below left= of X] {$c_{new}$}; + \node (bp) [def, draw=none, below right= of X] {$b_{new}$}; + \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; + \node (exchange) [def, draw, below =of blinded]{Exchange}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (X) -- (d) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (X) -- (t) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (cp) -- (X) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (bp) -- (X) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}}; + \end{tikzpicture} + 
\end{minipage} + \note[item]{In this construction, we {\em derive} the blinding factor $b_{new}$ and + the private key of the new coin $c_{new}$ from the DH of the $c_{old}$ and a newly + created transfer key $t$. Note that it is a bit unusual but perfectly find that + we here have {\bf both} private keys to compute the DH.} + \note[item]{The resulting blinded public key of the new coin + (public key derivation and blinding are elided to keep the diagram concise) is + then signed with $c_{old}$ to request change.} + \note[item]{This approach has an obvious problem: from the perspective of the + Exchange, we cannot even tell that the user followed this procedure as the + resulting request with the blinded coin is indistinguishable from the previous + construction.} +\end{frame} + + +\begin{frame}{Cut-and-Choose} + \begin{minipage}{3cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; + \node (t) [def, draw=none] at (0,0) {$t_1$}; + \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; + \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_1$)}; + \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; + \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$}; + \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$}; + \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; + \node (exchange) [def, draw, below =of blinded]{Exchange}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] 
(blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}}; + \end{tikzpicture} + \end{minipage} + \hfill + \begin{minipage}{3cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; + \node (t) [def, draw=none] at (0,0) {$t_2$}; + \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; + \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_2$)}; + \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; + \node (cp) [def, draw=none, below left= of dh] {$c_{new,2}$}; + \node (bp) [def, draw=none, below right= of dh] {$b_{new,2}$}; + \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; + \node (exchange) [def, draw, below =of blinded]{Exchange}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}}; + \end{tikzpicture} + \end{minipage} + \hfill + \begin{minipage}{3cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; + \node (t) [def, draw=none] at (0,0) {$t_3$}; + \node (dice) [def, draw=none, above = of 
t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; + \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_3$)}; + \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; + \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$}; + \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$}; + \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; + \node (exchange) [def, draw, below =of blinded]{Exchange}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}}; + \end{tikzpicture} + \end{minipage} + \note[item]{This DH-construction thus obviously does not work, so in the usual + approach of an insane person, we don't just do it once, but three times + using three different transfer keys $t_1$, $t_2$, and $t_3$ instead of just $t$.} + \note[item]{Now, before you decide that we have just gone mad, this is actually + a well-known technique called {\bf cut-and-choose}. 
Here, we do a protocol + step multiple times to basically be able to {\bf burn} some of these iterations + to {\bf prove} our honesty.} + \note[item]{There are also {\bf non-interactive} cut-and-choose protocols, but + this one is a simple interactive one.} +\end{frame} + + +\begin{frame}{Exchange: Choose!} + \begin{center} + \item Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the customer. + \end{center} + \note[item]{This is the typical interaction: the Exchange picks one of the + three at random, basically deciding on which iterations to challenge the + wallet's honesty.} + \note[item]{$\gamma$ primarily needs to be {\bf unpredictable} for the wallet.} + \note[item]{Note that the protocol has a security parameter $\kappa=3$, and + so the wallet could guess correctly in $\frac{1}{3}$ of the cases. Usually + in security we would think of this to be way too low, and you will see much + higher values in other cut-and-choose protocols. But, we will see why + $\kappa=3$ is actually enough for GNU Taler!} +\end{frame} + + +\begin{frame}{Customer: Reveal} + \vfill + \begin{enumerate} + \item If $\gamma = 1$, send $\langle t_2, X_2 \rangle$, $\langle t_3, X_3 \rangle$ to exchange + \item If $\gamma = 2$, send $\langle t_1, X_1 \rangle$, $\langle t_3, X_3 \rangle$ to exchange + \item If $\gamma = 3$, send $\langle t_1, X_1 \rangle$, $\langle t_2, X_2 \rangle$ to exchange + \end{enumerate} + \vfill + \note[item]{So given the $\gamma$ challenge value, the wallet + has to send back the $t_i$ values for $i\not=\gamma$.} +\end{frame} + + +\begin{frame}{Exchange: Verify ($\gamma = 2$)} + \begin{minipage}{3cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; + \node (h) [def, draw=none] at (0,0) {$t_1$}; + \node (dh) [def, draw=none, below left=of h]{\includegraphics[width=0.2\textwidth]{detverify.pdf}}; + \node (d) [def, draw=none, above left= of dh] {$C_{old}$}; + \node (cp) [def, draw=none, below left= of 
dh] {$c_{new,1}$}; + \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$}; + \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; + \end{tikzpicture} + \end{minipage} + \hfill + \begin{minipage}{3cm} + \ + \end{minipage} + \hfill + \begin{minipage}{3cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; + \node (h) [def, draw=none] at (0,0) {$t_3$}; + \node (dh) [def, draw=none, below left=of h]{\includegraphics[width=0.2\textwidth]{detverify.pdf}}; + \node (d) [def, draw=none, above left= of dh] {$C_{old}$}; + \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$}; + \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$}; + \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; + \end{tikzpicture} + \end{minipage} + \note[item]{Given those two values the exchange can {\bf validate} the + construction as it 
can compute the DH from the {\bf transfer private keys} $t_i$ + and the {\bf coin public key} $C_{old}$.} + \note[item]{If the result matches with the original request from the wallet, + the exchange has established that with $\frac{2}{3}$ probability the wallet + made an honest request for change following the prescribed construction.} + \note[item]{If the wallet is unable (or unwilling) to produce the required + $t_i$ values, or if the resulting blinded values do not match, the entire + change is forfeit, and the customer looses their money.} + \note[item]{Thus, trying to cheat on income-transparency is punished with + what amounts to a {\bf 66.67\% tax}. Thus, a security level of $\kappa$ + is sufficient as long as the {\em effective} income tax (after deductions, + on the full income) is below $\frac{\kappa - 1}{\kappa}$. + Taler always uses $\kappa=3$.} +\end{frame} + + +\begin{frame}{Exchange: Blind sign change (RSA)} + \begin{minipage}{5cm} + \begin{enumerate} + \item Take $f_{new,\gamma}'$. + \item Compute \\ + $s' := f_{new,\gamma}'^d \mod n$. + \item Return signature $s'$. 
+ \end{enumerate} + \end{minipage} + \begin{minipage}{5cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; + \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}}; + \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}}; + \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; + \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer}; + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (customer) -- (signed) node [midway, right] (TextNode) {{\small transmit}}; + \end{tikzpicture} + \end{minipage} + \note[item]{If the customer's request did follow the DH-construction, the exchange takes the + third envelope, the one where $t_\gamma$ was not disclosed, and signs this one to issue the + change.} +\end{frame} + + +\begin{frame}{Customer: Unblind change (RSA)} + \vfill + \begin{minipage}{8cm} + \begin{enumerate} + \item Receive $s'$. + \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$. 
+ \end{enumerate} + \end{minipage} + \begin{minipage}{5cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; + \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$}; + \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; + \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {}; + \end{tikzpicture} + \end{minipage} + \vfill + \note[item]{As with the ordinary blind-signature based withdraw, the customer can + then unblind the signature and has a valid coin.} + \note[item]{Without knowledge of $c_{old}$ or $t_\gamma$, the coins derived from this + process are indistinguishable from coins that were withdrawn directly from an account.} + \note[item]{Most importantly, without knowledge of $t_\gamma$ or $c_{old}$, + the $c_{new}$ is unlinkable to $c_{old}$.} +\end{frame} + +\begin{frame}{Exchange: Allow linking change} + \begin{minipage}{5cm} + \begin{center} + Given $C_{old}$ + + \vspace{1cm} + + return $t_\gamma$ and + \begin{equation*} + s := s' b_{new,\gamma}^{-1} \mod n. 
+ \end{equation*} + \end{center} + \end{minipage} + \begin{minipage}{5cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer sep=.3em]; + \node (co) [def, draw=none] at (0,0) {$C_{old}$}; + \node (T) [def, draw=none, below left=of co]{$t_\gamma$}; + \node (sign) [def, draw=none, below right=of co]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; + \node (customer) [def, draw, below right=of T] {Customer}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode) {link}; + \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode) {link}; + \end{tikzpicture} + \end{minipage} + \note[item]{But, how does this address the issue that $c_{old}$ may have a different + owner from $c_{new,\gamma}$? Well, so far it does not! In principle, the envelope can + easily be constructed by someone who was not the original owner of $c_{old}$.} + \note[item]{So how does this help? Well, the exchange has one more sub-protocol, + which is the {\bf link} protocol. Given the old coin's public key, $C_{old}$, + it returns $t_\gamma$, the {\bf public transfer key}, and the blind signature + over the new coin that was rendered as change.} + \note[item]{Note that this is a request that the owner of $c_{old}$ can always + trivially make, as they know $C_{old}$.} + \note[item]{So how does that help?} +\end{frame} + + +\begin{frame}{Customer: Link (threat!)} + \begin{minipage}{6.5cm} + \begin{enumerate} + \item Have $c_{old}$. 
+ \item Obtain $T_\gamma$, $s$ from exchange + \item Compute $X_\gamma = DETSIG_{c_{old}}(t_\gamma)$ + \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$ + \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$ + \end{enumerate} + \end{minipage} + \begin{minipage}{6.5cm} + \begin{tikzpicture} + \tikzstyle{def} = [node distance= 0.75em and 1em, inner sep=0em, outer sep=.3em]; + \node (T) [def, draw=none] at (0,0) {$t_\gamma$}; + \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange}; + \node (signed) [def, draw=none, below left=of T]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; + \node (dh) [def, draw=none, below right=of T]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_\gamma$)}; + \node (bp) [def, draw=none, below left= of dh] {$b_{new,\gamma}$}; + \node (co) [def, draw=none, above right= of dh] {$c_{old}$}; + \node (cp) [def, draw=none, below right= of dh] {$c_{new,\gamma}$}; + \node (coin) [def, draw=none, below left = of bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; + \node (psign) [def, node distance=1.5em and 0em, draw=none, below = of cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}}; + + \tikzstyle{C} = [color=black, line width=1pt] + + \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {}; + \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode) {link}; + \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped] (TextNode) {link}; + \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped] (TextNode) {}; + \end{tikzpicture} + \end{minipage} + \note[item]{Well, given these two 
values, the owner of the original $c_{old}$ can + {\bf again} compute the DETSIG (from $c_{old}$ and $t_\gamma$), and then + also derive $c_{new,\gamma}$ and also unblind the exchange's signature using $b_{new,\gamma}$.} + \note[item]{As a result, the owner of the old coin can always compute the change, + and thus is effectively {\bf also} always an owner of the change rendered!} + \note[item]{Thus, we have {\bf reduced} the possibility of abusing the change + protocol for a transaction that would result in a {\bf mutually exclusive transfer + of ownership} to the case where the ownership of the change is {\bf shared}.} + \note[item]{But, we previously explained that {\bf sharing} is not something we can + or would care to prevent, so the change protocol does not weaken income transparency.} +\end{frame} + + \begin{frame}{Refresh protocol summary} \begin{itemize} \item Customer asks exchange to convert old coin to new coin
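Review bot: The linkability argument in `Customer: Link (threat!)` and the `Allow linking` notes assumes that anyone holding $c_{old}$ can recompute $X_\gamma = DETSIG_{c_{old}}(t_\gamma)$ from $t_\gamma$ alone, yet the exchange only verifies the revealed $X_i$ for $i \neq \gamma$ and never sees $X_\gamma$, so unless DETSIG is a *unique* signature scheme (exactly one valid signature per key and message, e.g. RSA-FDH or BLS; Ed25519 is deterministic by convention only and a key holder can produce a different valid signature with a non-canonical nonce) a sharer of $c_{old}$ who derives $c_{new,\gamma}$ from a non-canonical $X_\gamma$ passes the cut-and-choose but obtains change the other sharer cannot reconstruct, which is precisely the exclusive transfer the refresh protocol is meant to exclude; the slides do not say which scheme is meant, so I suggest a note such as `% DETSIG must be a unique signature scheme: verification must imply that X is the only valid signature for (C_old, t), otherwise the link protocol does not recover X_gamma`. Separately, `Exchange: Choose!` places `\item` directly inside `center` with no list environment, which LaTeX rejects with "Lonely \item", so wrap it in `\begin{itemize} ... \end{itemize}` or drop the `\item`. The `Link (threat!)` slide says "Obtain $T_\gamma$" while `Allow linking` returns $t_\gamma$, and the notes of `Customer: Transfer setup (DETSIG)` still speak of "the DH of the $c_{old}$ and ... transfer key $t$" and "both private keys", wording carried over from the ECDH slides that no longer fits a nonce-plus-signature construction. Minor typos in the notes: "perfectly find" should be "perfectly fine" and "looses their money" should be "loses their money".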