commit b58d4d15ab55577df05066f2f903fef2f9d72e58
parent 0ecadc374ddd01950649d813f9a7fb8a4fa3884b
Author: Christian Grothoff <christian@grothoff.org>
Date: Mon, 24 Nov 2025 17:03:27 +0100
sliding done
Diffstat:
4 files changed, 119 insertions(+), 118 deletions(-)
diff --git a/presentations/comprehensive/2025-munich.tex b/presentations/comprehensive/2025-munich.tex
@@ -6,7 +6,7 @@
\newcommand{\AUTHOR}{Christian Grothoff}
\newcommand{\SPEAKER}{Christian Grothoff}
\newcommand{\INST}{The GNU Project}
-\newcommand{\DATE}{Traffic Seminar --- ETHZ}
+\newcommand{\DATE}{December 2025}
% Do not edit this part
\title{\TITLE}
diff --git a/presentations/comprehensive/main.tex b/presentations/comprehensive/main.tex
@@ -224,7 +224,7 @@
% NOTE: adjust as needed!
\author[C. Grothoff]{F. Dold, C. Grothoff}
-\date{\today}
+\date{}
\institute{The GNU Project}
@@ -267,18 +267,14 @@
\end{quote}
%The result: an electronic funds transfer system that looks
%strikingly similar today's debit card system.
-\pause
-\begin{minipage}{2cm}
-\includegraphics[width=2cm]{pics/nsa_spy.jpg}
-\end{minipage}
-\begin{minipage}{12cm}
+\end{frame}
+
+\begin{frame}{A Social Problem}
``I think one of the big things that we need to do, is we need
to get away from true-name payments on the Internet. The credit
card payment system is one of the worst things that happened for the
user, in terms of being able to divorce their access from their
identity.'' \hfill --Edward Snowden, IETF 93 (2015)
-\end{minipage}
-
\end{frame}
@@ -317,22 +313,20 @@ identity.'' \hfill --Edward Snowden, IETF 93 (2015)
\begin{frame}{The Bank's Problem}
-\vfill
- \begin{textblock*}{12cm}(0.5cm,1cm) % {block width} (coords)
- \begin{itemize}
+ \begin{itemize}
\item Global tech companies push oligopolies
\item Privacy and federated finance are at risk
% \item 30\% fees are conceivable
\item Economic sovereignty is in danger
- \end{itemize}
-\end{textblock*}
-\begin{textblock*}{4cm}(3.5cm,5.2cm) % {block width} (coords)
+ \end{itemize}
+\vfill
+\begin{textblock*}{4cm}(3.5cm,6.5cm) % {block width} (coords)
{\includegraphics[width=\textwidth]{../investors/competitor-logos/amazon.png}}
\end{textblock*}
-\begin{textblock*}{2cm}(7cm,3cm) % {block width} (coords)
+\begin{textblock*}{2cm}(7cm,8cm) % {block width} (coords)
{\includegraphics[width=\textwidth]{../investors/competitor-logos/alipay.jpeg}}
\end{textblock*}
-\begin{textblock*}{2cm}(3cm,3.5cm) % {block width} (coords)
+\begin{textblock*}{2cm}(1cm,5.5cm) % {block width} (coords)
{\includegraphics[width=\textwidth]{../investors/competitor-logos/paypal.jpeg}}
\end{textblock*}
\begin{textblock*}{2cm}(9cm,5cm) % {block width} (coords)
@@ -344,7 +338,6 @@ identity.'' \hfill --Edward Snowden, IETF 93 (2015)
\begin{textblock*}{1cm}(9.5cm,6.3cm) % {block width} (coords)
{\includegraphics[width=\textwidth]{../investors/competitor-logos/android_pay.png}}
\end{textblock*}
-\vfill
\end{frame}
@@ -534,12 +527,12 @@ GNU Taler must ...
\frametitle{Taler Overview}
\begin{center}
\begin{tikzpicture}
- \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em];
+ \tikzstyle{def} = [node distance= 5em and 5em, inner sep=1em, outer sep=.3em];
\node (origin) at (0,0) {};
\node (exchange) [def,above=of origin,draw]{Exchange};
\node (customer) [def, draw, below left=of origin] {Customer};
\node (merchant) [def, draw, below right=of origin] {Merchant};
- \node (auditor) [def, draw, above right=of origin]{Auditor};
+ \node (auditor) [def, node distance=5em and 6em, draw, above right=of origin]{Auditor};
% \node (regulator) [def, draw, above=of auditor]{CSSF};
\tikzstyle{C} = [color=black, line width=1pt]
@@ -587,22 +580,22 @@ positives in fraud detection
\end{frame}
-\begin{frame}{Taler: Unique Regulatory Features for Central Banks}
- \framesubtitle{\url{https://www.snb.ch/en/mmr/papers/id/working_paper_2021_03}}
+\begin{frame}{Taler for retail CBDCs}
+ \framesubtitle{{\tiny \url{https://www.snb.ch/en/mmr/papers/id/working_paper_2021_03}}}
\begin{itemize}
- \item Central bank issues digital coins equivalent to issuing cash \\
+ \item Privacy by cryptographic design \\
+ $\Rightarrow$ Design does not facilitate mass-surveillance
+ \item Digital coins equivalent to issuing cash \\
$\Rightarrow$ monetary policy remains under CB control
- \item Architecture with consumer accounts at commercial banks \\
- $\Rightarrow$ no competition for commercial banking (S\&L) \\
- $\Rightarrow$ CB does not have to manage KYC, customer support
+ \item Consumer accounts only at retail banks \\
+ $\Rightarrow$ no competition for retail banking (S\&L) \\
+ $\Rightarrow$ commercial banks do KYC, customer support
\item Withdrawal limits and denomination expiration \\
$\Rightarrow$ protects against bank runs and hoarding
\item Income transparency and possibility to set fees \\
- $\Rightarrow$ additional insights into economy and new policy options
+ $\Rightarrow$ insights into economy and policy options
\item Revocation protocols and loss limitations \\
- $\Rightarrow$ exit strategy and handles catastrophic security incidents
- \item Privacy by cryptographic design not organizational compliance \\
- $\Rightarrow$ CB cannot be forced to facilitate mass-surveillance
+ $\Rightarrow$ exit strategy for catastrophic security incidents
\end{itemize}
\end{frame}
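Review bot: The new first bullet `Privacy by cryptographic design` reads as a property of the whole system, while the fourth bullet on the same slide advertises income transparency; the property the design actually provides, as the refresh slides later in this deck state, is unlinkability/anonymity for the payer. Qualifying it avoids the over-claim: `\item Payer privacy by cryptographic design \\ $\Rightarrow$ Design does not facilitate mass-surveillance of consumers`. The removed line claimed the CB "cannot be forced" to surveil; the new "does not facilitate" is more defensible, but if the stronger point is intended it should say why (the exchange never holds the linking data) rather than be dropped.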
@@ -646,41 +639,43 @@ positives in fraud detection
\end{frame}
-\begin{frame}[c]{Example: The Taler Snack Machine\footnote{by M. Boss and D. Hofer}}
- \framesubtitle{Integration of a MDB/ICP to Taler gateway.\\Implementation of a NFC or QR-Code to Taler wallet interface.}
- \vfill
- \begin{figure}
+\begin{frame}[c]{Example: The Taler Snack Machine}
+ Integration of a MDB/ICP to Taler gateway with
+ NFC or QR-Code to Taler wallet interface by M. Boss and D. Hofer:
+ \begin{figure}
\centering
- \includegraphics[width=1.0\textwidth]{design}
+ \includegraphics[width=0.7\textwidth]{design}
\end{figure}
\end{frame}
\begin{frame}[t]{Software architecture for the Taler Snack Machine}
- \framesubtitle{Code at \url{https://git.taler.net/taler-mdb}}
\begin{figure}
\centering
- \includegraphics[width=.9\textwidth]{software_stack}
+ \includegraphics[width=.7\textwidth]{software_stack}
\end{figure}
+ \begin{center}
+ Code at \url{https://git.taler.net/taler-mdb}
+ \end{center}
\end{frame}
\begin{frame}[c]{User story: Install App on Android}
\framesubtitle{\url{https://wallet.taler.net/}}
\begin{figure}
- \includegraphics[width=0.9\textwidth]{download_wallet.png}
+ \includegraphics[width=0.7\textwidth]{download_wallet.png}
\end{figure}
\end{frame}
\begin{frame}{User story: Withdraw e-cash}
\begin{figure}
- \includegraphics[width=0.9\textwidth]{get_taler_coins.png}
+ \includegraphics[width=0.7\textwidth]{get_taler_coins.png}
\end{figure}
\end{frame}
\begin{frame}{User story: Use machine!}
\begin{figure}
- \includegraphics[width=0.9\textwidth]{get_snacks.png}
+ \includegraphics[width=0.7\textwidth]{get_snacks.png}
\end{figure}
\end{frame}
@@ -742,7 +737,6 @@ positives in fraud detection
\item Uses several helper processes for configuration and to
interact with RTGS and cryptography
\item KYC support via OAuth 2.0, KycAID or Persona APIs
- \item Implemented in C on top of GNU libmicrohttpd
\end{itemize}
\end{frame}
@@ -792,7 +786,6 @@ positives in fraud detection
\item Webhooks
\item Inventory management (optional)
\end{itemize}
- \item Implemented in C on top of GNU libmicrohttpd
\end{itemize}
\end{minipage}
\begin{minipage}{5cm}
@@ -839,12 +832,10 @@ positives in fraud detection
\item Features include:
\begin{itemize}
\item Multi-currency support
- \item Wallet-to-wallet payments (NFC or QR code)
+ \item Wallet-to-wallet payments
\item CRDT-like data model
\end{itemize}
- \item {\bf wallet-core} implemented in TypeScript
\end{itemize}
- Can be integrated into other Apps if desired.
\end{minipage}
\begin{minipage}{3cm}
\includegraphics[width=3cm]{screenshots/Screenshot_20230225-103520.png}
@@ -857,23 +848,23 @@ positives in fraud detection
\framesubtitle{Background: \url{https://anastasis.lu/}}
\begin{center}
\begin{tikzpicture}
- \tikzstyle{def} = [node distance= 5em and 4.5em, inner sep=1em, outer sep=.3em];
+ \tikzstyle{def} = [node distance= 3.5em and 5em, inner sep=1em, outer sep=.3em];
\node (origin) at (0,0) {};
\node (guia) [def,above left=of origin,draw]{Android};
\node (guii) [def,above right=of origin,draw]{iOS};
\node (guiw) [def,above=of origin,draw]{WebExtension};
\node (core) [def,below=of guiw,draw]{wallet-core};
- \node (sync) [def, draw, below left=of core] {Sync};
+ \node (sync) [def, draw, below=of core] {Sync};
\node (taler) [def, draw, below right=of core] {Taler};
- \node (anastasis) [def, draw, below=of core] {Anastasis};
+ \node (anastasis) [def, draw, below left=of core] {Anastasis};
\tikzstyle{C} = [color=black, line width=1pt]
\draw [<->, C] (guia) -- (core) node [midway, above, sloped] (TextNode) {};
\draw [<->, C] (guii) -- (core) node [midway, above, sloped] (TextNode) {};
\draw [<->, C] (guiw) -- (core) node [midway, above, sloped] (TextNode) {};
- \draw [<->, C] (core) -- (sync) node [midway, above, sloped] (TextNode) {Backup};
- \draw [<->, C] (core) -- (taler) node [midway, above, sloped] (TextNode) {Payment};
\draw [<->, C] (core) -- (anastasis) node [midway, above, sloped] (TextNode) {Key Escrow};
+ \draw [<->, C] (core) -- (taler) node [midway, above, sloped] (TextNode) {Payment};
+ \draw [<->, C] (core) -- (sync) node [midway, right] (TextNode) {Backup};
\end{tikzpicture}
\end{center}
\end{frame}
@@ -919,7 +910,6 @@ positives in fraud detection
\begin{itemize}
\item REST API for additional report inputs by merchants (optional)
\item Secure database replication logic
- \item Implemented in C on top of GNU libmicrohttpd
\end{itemize}
\end{frame}
@@ -928,25 +918,25 @@ positives in fraud detection
\frametitle{Taler: Auditor Perspective}
\begin{center}
\begin{tikzpicture}
- \tikzstyle{def} = [node distance=3em and 2.5em, inner sep=1em, outer sep=.3em];
+ \tikzstyle{def} = [node distance=3em and 2em, inner sep=1em, outer sep=.3em];
\node (origin) at (0,0) {Postgres (Auditor)};
\node (httpd) [def,above=of origin,draw]{auditor-httpd};
\node (spa) [def,above right=of origin,draw]{auditor-spa};
\node (merchant) [def,above left=of origin,draw]{merchant};
\node (report) [def,left=of origin,draw]{a-h-*};
\node (wirereport) [def,right=of origin,draw]{a-h-wire-*};
- \node (postgres-E) [def, draw, below=of origin] {Postgres (Exchange)};
+ \node (postgres-E) [def, draw, below=of report] {Postgres (Exchange)};
\node (postgres-B) [def, draw, right=of postgres-E] {Postgres (Bank)};
\tikzstyle{C} = [color=black, line width=1pt]
- \draw [->, C] (postgres-E) -- (origin) node [midway, above, sloped] (TextNode) {sync};
+ \draw [->, C] (postgres-E) -- (origin) node [midway, left] (TextNode) {sync};
\draw [<->, C] (httpd) -- (origin) node [midway, above, sloped] (TextNode) {};
\draw [<->, C] (httpd) -- (spa) node [midway, above, sloped] (TextNode) {};
\draw [->, C] (merchant) -- (httpd) node [midway, above, sloped] (TextNode) {};
\draw [<->, C] (report) -- (origin) node [midway, above, sloped] (TextNode) {};
\draw [<->, C] (wirereport) -- (origin) node [midway, above, sloped] (TextNode) {};
- \draw [<->, C] (wirereport) -- (postgres-B) node [midway, above, sloped] (TextNode) {nexus};
+ \draw [<->, C] (wirereport) -- (postgres-B) node [midway, right] (TextNode) {nexus};
\end{tikzpicture}
\end{center}
\end{frame}
@@ -1028,7 +1018,6 @@ positives in fraud detection
\item Works on top of Bitcoin and Ethereum
crypto-currencies, with the DLTs as the ``RTGS''
\item Provides same API to Exchange as libeufin-nexus
- \item Implemented in Rust
\end{itemize}
\begin{center}
\url{https://bitcoin.ice.bfh.ch/}
@@ -1202,13 +1191,13 @@ Taler has many types of keys:
\begin{frame}{Offline keys}
Both exchange and auditor use offline keys.
\begin{itemize}
-\item Those keys must be backed up and remain highly confidential!
+\item Those keys must be backed up and remain confidential!
\item We recommend that computers that have ever had access to those
keys to NEVER again go online.
\item We recommend using a Raspberry Pi for offline key operations.
- Store it in a safe under multiple locks and keys.
+ Store it in a safe under multiple locks.
\item Apply full-disk encryption on offline-key signing systems.
-\item Have 3--5 full-disk backups of offline-key signing systems.
+\item Have 3--5 full-disk backups.
\end{itemize}
\begin{center}
\includegraphics[scale=0.1]{pi.png}
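Review bot: `Have 3--5 full-disk backups.` no longer says what is being backed up, and a later slide in this deck says online signing keys must NOT be backed up, so the shortened bullet invites the wrong reading when seen out of context; keep the object: `\item Have 3--5 full-disk backups of the offline signing system.`. Since the preceding bullet mandates full-disk encryption, the slide should also say where the disk-encryption passphrase lives — a backup whose passphrase exists only in one operator's head is a single point of failure, and one stored with the backup adds no protection; a half-line such as `(passphrase escrowed separately from the backups)` closes that gap. `under multiple locks` also lost `and keys`; if the intent is that no single person can open the safe, say so (`requiring several key holders`).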
@@ -1224,14 +1213,18 @@ The exchange needs RSA and EdDSA keys to be available for online signing.
(eventually, this will be detected by the auditor, but only
after some financial losses have been irrevocably incurred).
\item The corresponding public keys are certified using
- Taler's public key infrastructure (which uses offline-only keys).
+ Taler's public key infrastructure (which uses offline-only keys).
\end{itemize}
-\begin{center}
-\includegraphics[width=0.5\textwidth]{taler-diagram-signatures.png}
-\end{center}
-\vfill
{\tt taler-exchange-offline} can also be used to {\bf revoke} the
online signing keys, if we find they have been compromised.
+\end{frame}
+
+
+\begin{frame}{Key architecture}
+\vfill
+\begin{center}
+\includegraphics[width=0.75\textwidth]{taler-diagram-signatures.png}
+\end{center}
\vfill
\end{frame}
@@ -1248,9 +1241,9 @@ The exchange needs RSA and EdDSA keys to be available for online signing.
\item Communication between secmods and {\tt taler-exchange-httpd} is via
a UNIX domain socket.
\item Online private keys are stored on disk (not in database!) and should
- NOT be backed up (RAID should suffice). If disk is lost, we can always
- create fresh replacement keys!
+ NOT be backed up.
\end{itemize}
+\note[item]{If disk is lost, we can always create fresh replacement keys!}
\end{frame}
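Review bot: The slide now states `should NOT be backed up.` with no reason visible to the audience; the justification survives only in the speaker note. That note's `we can always create fresh replacement keys` also glosses over a cost: per the earlier slide the online public keys are certified with the offline-only keys, so replacing a lost key set presumably requires an offline signing ceremony (and revocation of the lost keys via `taler-exchange-offline`) before the exchange can sign again. Suggest `NOT be backed up (loss is recoverable by certifying fresh keys offline).` on the slide, and extending the note with that caveat.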
@@ -1283,11 +1276,14 @@ The exchange needs RSA and EdDSA keys to be available for online signing.
obtain a {\em refund}.
\item The financial loss of the exchange is {\em bounded} by the number of
legitimate coins signed with $d$.
-\item[$\Rightarrow$] Taler frequently rotates denomination signing keys and
- deletes $d$ after the signing period of the respective key expires.
\end{itemize}
+\end{frame}
+
+\begin{frame}{Key rotation}
+Taler frequently rotates denomination signing keys and
+deletes $d$ after the signing period of the respective key expires:
\begin{center}
-\includegraphics[width=0.5\textwidth]{taler-diagram-denom-expiration.png}
+\includegraphics[width=0.7\textwidth]{taler-diagram-denom-expiration.png}
\end{center}
\end{frame}
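Review bot: The new `Key rotation` frame opens with the mechanism but has lost the `$\Rightarrow$` that tied it to the bounded-loss argument on the previous frame, so a reader joining here sees rotation and deletion of $d$ as policy rather than as mitigation. Suggest `Because the loss from a leaked $d$ is bounded by the coins signed with it, Taler frequently rotates denomination signing keys and deletes $d$ once its signing period expires:`. It is worth one more clause that deleting $d$ only limits what a later compromise yields; a compromise during the signing period is what the revocation path on the earlier `taler-exchange-offline` slide is for.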
@@ -1303,8 +1299,8 @@ The exchange needs RSA and EdDSA keys to be available for online signing.
\item The attacker uses the faked deposit confirmations to complain to the auditor
that the exchange did not honor the (faked) deposit confirmations.
\end{itemize}
-The auditor can then detect the double-spending, but cannot tell who is to blame,
-and (likely) would presume an evil exchange, forcing it to pay both merchants.
+\note[item]{The auditor can then detect the double-spending, but cannot tell who is to blame,
+ and (likely) would presume an evil exchange, forcing it to pay both merchants.}
\end{frame}
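Review bot: Moving the conclusion into `\note` leaves the slide ending mid-argument: the audience sees the attack steps but not the consequence (the auditor cannot attribute blame and the exchange likely pays twice), which is the reason this key compromise matters. Keep at least a one-line takeaway on the slide, e.g. `$\Rightarrow$ Auditor detects the double-spending but cannot attribute it; exchange likely pays both.`, and leave the elaboration in the note. The itemize this hunk closes starts before the hunk.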
@@ -1428,11 +1424,11 @@ General notions:
work fine.
\item Any firewall must be configured to permit connection to Auditor
for database synchronization.
-\item We recommend running the Taler exchange behind an Nginx or Apache
+\item Run Taler exchange behind an Nginx or Apache
proxy for TLS termination.
-\item We recommend using static IP address configurations (IPv4 and IPv6).
-\item We recommend using DNSSEC with DANE in addition to TLS certificates.
-\item We recommend auditing the TLS setup using \url{https://observatory.mozilla.org}.
+\item Use static IP address configurations (IPv4 and IPv6).
+\item Use DNSSEC with DANE.
+\item Use \url{https://observatory.mozilla.org}, etc.!
\end{itemize}
\end{frame}
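Review bot: `Use DNSSEC with DANE.` dropped the qualifier `in addition to TLS certificates`; since browsers do not validate DANE and nothing in this deck says the wallet does, a reader could take it as an alternative to a WebPKI certificate — restore it: `\item Use DNSSEC with DANE in addition to WebPKI TLS certificates.`. Likewise `Use \url{https://observatory.mozilla.org}, etc.!` no longer says what for; `\item Audit the TLS configuration (e.g.\ \url{https://observatory.mozilla.org}).` keeps the recommendation actionable. If the reverse proxy is meant to be the only ingress, the `TLS termination` bullet could say so (`and expose the exchange's HTTP listener only to the proxy`), but whether the exchange supports binding that way is not visible here.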
diff --git a/presentations/comprehensive/protocol-basics.tex b/presentations/comprehensive/protocol-basics.tex
@@ -24,7 +24,7 @@ We use a few ancient constructions:
\item Cryptographic hash function (1989)
\item Blind signature (1983)
\item Schnorr signature (1989)
- \item \sout{Diffie-Hellman key exchange (1976)} Deterministic signatures (1977) % 1977: RSA, 2008: EdDSA
+ \item Diffie-Hellman key exchange (1976) or Unique signatures (1977) or VRF (1999) % 1977: RSA
\item Cut-and-choose zero-knowledge proof (1985)
\end{itemize}
But of course we use modern instantiations.
@@ -145,7 +145,7 @@ But of course we use modern instantiations.
\draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
\end{tikzpicture}
\end{minipage}
\end{frame}
@@ -170,7 +170,7 @@ But of course we use modern instantiations.
\draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \draw [<-, C] (customer) -- (signed) node [midway, right] (TextNode) {{\small transmit}};
\end{tikzpicture}
\end{minipage}
\end{frame}
@@ -221,7 +221,7 @@ But of course we use modern instantiations.
\end{minipage}
\begin{minipage}{6cm}
\begin{tikzpicture}
- \tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer sep=.3em];
+ \tikzstyle{def} = [node distance=1.5em and 0.5em, inner sep=0em, outer sep=.3em];
\node (cart) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{cart.pdf}};
\node (proposal) [def, draw=none, below right=of cart]{\includegraphics[width=0.3\textwidth]{merchant_propose.pdf}};
\node (customer) [node distance=4em and 0.5em, draw, below =of proposal]{Customer};
@@ -246,7 +246,7 @@ But of course we use modern instantiations.
\end{minipage}
\begin{minipage}{6cm}
\begin{tikzpicture}
- \tikzstyle{def} = [node distance=1.5em and 0.4em, inner sep=0em, outer sep=.3em];
+ \tikzstyle{def} = [node distance=1.3em and 0.4em, inner sep=0em, outer sep=.3em];
\node (proposal) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}};
\node (contract) [def, draw=none, below right=of cart]{\includegraphics[width=0.3\textwidth]{contract.pdf}};
\node (c) [def, draw=none, above=of contract] {$c$};
@@ -256,7 +256,7 @@ But of course we use modern instantiations.
\draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (contract) -- (proposal) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (merchant) -- (contract) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \draw [<-, C] (merchant) -- (contract) node [midway, left] (TextNode) {{\small transmit}};
\draw [<-, C] (merchant) -- (coin) node [midway, right] (TextNode) {{\small transmit}};
\end{tikzpicture}
\end{minipage}
diff --git a/presentations/comprehensive/refresh.tex b/presentations/comprehensive/refresh.tex
@@ -6,9 +6,9 @@
\note[item]{We want to avoid cryptographic expenses linear in the amount being paid!}
\begin{itemize}
\item Denomination key represents value of a coin.
- \item Exchange may offer various denominations for coins.
+ \item Exchange may offer various denominations.
\item Wallet may not have exact change!
- \item Usability requires ability to pay given sufficient total funds.
+ \item Must be able to pay given sufficient total funds.
\end{itemize}\pause
Key goals:
\begin{itemize}
@@ -17,9 +17,8 @@
\end{itemize}\pause
Method:
\begin{itemize}
- \item Contract can specify to only pay {\em partial value} of a coin.
- \item Exchange allows wallet to obtain {\em unlinkable change}
- for remaining coin value.
+ \item Contract can specify to pay {\em partial value} of a coin.
+ \item Allow wallet to obtain {\em unlinkable change}.
\end{itemize}
\note[item]{Thus we need a way to get change, but doing so must not void our security
assurances, specifically unlinkability (and anonymity) for the payer, and income
@@ -39,7 +38,7 @@
\begin{itemize}
\item Some public key operations depend on a nonce or ``random'' value
\begin{itemize}
- \item Example: ElGamal (encryption), DSA/ECDSA (signing)
+ \item Ex.: DSA/ECDSA (signing)
\item[+] same plaintext, different ciphertext
\item[-] security may break on nonce-reuse
\end{itemize}
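Review bot: After dropping ElGamal from the example line, the `[+] same plaintext, different ciphertext` sub-bullet no longer matches any example on the slide — DSA/ECDSA are signature schemes, so there is no ciphertext. Either restore an encryption example (`\item Ex.: ElGamal (encryption), DSA/ECDSA (signing)`) or reword the advantage to match: `\item[+] same message, different signature`. The enclosing itemize continues outside the hunk.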
@@ -47,23 +46,23 @@
(see also: Fiat-Shamir transformation) can make these algorithms
{\bf deterministic}
\begin{itemize}
- \item Example: EdDSA
+ \item Ex.: EdDSA
\end{itemize}
\item If only one form of a valid signature exists and the verifier
can check this, a signature is {\bf unique}.
\begin{itemize}
- \item Example: RSA, Verifiable Random Functions (VRF)
+ \item Ex.: RSA, Verifiable Random Func.
\end{itemize}
\end{itemize}
\end{minipage}
- \begin{minipage}{5cm}
- Unique signatures:
+ \begin{minipage}{4cm}
+ {\small Unique signatures:}
\begin{center}
- \includegraphics[width=0.6\textwidth]{ecollect.jpeg}
+ \includegraphics[width=0.5\textwidth]{ecollect.jpeg}
$=$
- \includegraphics[width=0.6\textwidth]{unisig.pdf}
+ \includegraphics[width=0.5\textwidth]{unisig.pdf}
\end{center}
\end{minipage}
\vfill
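Review bot: `Ex.: RSA, Verifiable Random Func.` — RSA is only a unique signature with deterministic padding (e.g. FDH or PKCS\#1 v1.5); RSA-PSS is randomized and would not meet the `only one form of a valid signature exists` definition given two bullets above. Since the deck relies on uniqueness for the refresh linkage, a qualifier avoids the wrong takeaway: `\item Ex.: RSA (deterministic padding), VRF`. Which padding the Taler RSA variant uses is not visible in this chunk; if it is FDH, naming it is clearer than the bare `RSA`.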
@@ -80,10 +79,11 @@
Micali, Rabin, \& Vadhan (1999) proposed verifiable random functions.
\vfill
-
+
Let $M$ be some input.
\begin{itemize}
\item $(sk,pk) := VRF_{keygen}()$
+ \item {\em Verifier} picks $M$
\item $(v,p) := VRF_{sign}(M, sk)$
\item $v$ is deterministic, unpredictable and high-entropy
for any $M$ and $sk$, and $(v,p)$ can only be computed with $sk$
@@ -91,15 +91,19 @@
\item $sk$ cannot be derived from $M$, $pk$, $v$ and $p$
\end{itemize}
\vfill
- \note[item]{A VRF is largely equivalent to a unique signature: only
- the signer can produce it, the verifier can check but not compute it.}
+ \note[item]{A VRF is equivalent to a unique signature: only
+ the signer can produce it, the verifier can check but not compute it.
+ The only differences are that with a unique signature
+ usually the signer picks $M$, and the signature is not
+ then hashed to produced pseudo-random data. But one can
+ always use a unique signature to construct a VRF and vice-versa.}
\end{frame}
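Review bot: The new speaker note has two wording slips: `the signature is not then hashed to produced pseudo-random data` should read `hashed to produce`, and `vice-versa` should be `vice versa`. The property bullet `$v$ is deterministic, unpredictable and high-entropy for any $M$ and $sk$` is imprecise now that the slide stresses who picks $M$: $v$ is unpredictable only to parties without $sk$, so `unpredictable without $sk$` states the actual guarantee. The new `{\em Verifier} picks $M$` bullet sits between keygen and sign, which reads naturally.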
\begin{frame}{Straw-man solution}
- \begin{minipage}{10cm}
- Given partially spent private coin key $c_{old}$:
+ \begin{minipage}{7.5cm}
+ {\small Given partially spent private coin key $c_{old}$:}
\begin{enumerate}
% \item Let $C_{old} := c_{old}G$ (as before)
\item Pick random $c_{new} \mod o$ private key
@@ -141,8 +145,8 @@
\begin{frame}{Customer: Transfer setup (UNISIG)} \label{page:transfersetup}
- \begin{minipage}{10cm}
- Given partially spent private coin key $c_{old}$:
+ \begin{minipage}{7.5cm}
+ {\small Given partially spent private coin key $c_{old}$:}
\begin{enumerate}
\item Let $C_{old} := c_{old}G$ (as before)
\item Create random nonce $t$
@@ -194,13 +198,13 @@
\begin{frame}{Cut-and-Choose}
\begin{minipage}{3cm}
\begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \tikzstyle{def} = [node distance= 1.5em and 0.05em, inner sep=0em, outer sep=.3em];
\node (t) [def, draw=none] at (0,0) {$t_1$};
\node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
\node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{unisig.pdf} ($X_1$)};
\node (d) [def, draw=none, above left= of dh] {$c_{old}$};
\node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$};
+ \node (bp) [def, draw, below right= of dh, draw=none, align=left] {$\hspace{-1.5em}b_{new,1}$};
\node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
\node (exchange) [def, draw, below =of blinded]{Exchange};
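Review bot: `[def, draw, below right= of dh, draw=none, align=left]` sets `draw` and then immediately overrides it with `draw=none`; the first key is dead and should be dropped: `[def, below right=of dh, draw=none, align=left]`. The `\hspace{-1.5em}` inside the node label is manual negative spacing to pull $b_{new,1}$ left; `xshift=-1.5em` on the node (or the `node distance` already being tuned in this hunk) keeps the adjustment in layout options rather than in the math content. The same pattern is repeated verbatim in the next two hunks for $b_{new,2}$ and $b_{new,3}$.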
@@ -219,13 +223,13 @@
\hfill
\begin{minipage}{3cm}
\begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \tikzstyle{def} = [node distance= 1.5em and 0.05em, inner sep=0em, outer sep=.3em];
\node (t) [def, draw=none] at (0,0) {$t_2$};
\node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
\node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{unisig.pdf} ($X_2$)};
\node (d) [def, draw=none, above left= of dh] {$c_{old}$};
\node (cp) [def, draw=none, below left= of dh] {$c_{new,2}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,2}$};
+ \node (bp) [def, draw, below right= of dh, draw=none, align=left] {$\hspace{-1.5em}b_{new,2}$};
\node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
\node (exchange) [def, draw, below =of blinded]{Exchange};
@@ -244,13 +248,13 @@
\hfill
\begin{minipage}{3cm}
\begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \tikzstyle{def} = [node distance= 1.5em and 0.05em, inner sep=0em, outer sep=.3em];
\node (t) [def, draw=none] at (0,0) {$t_3$};
\node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
\node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{unisig.pdf} ($X_3$)};
\node (d) [def, draw=none, above left= of dh] {$c_{old}$};
\node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$};
+ \node (bp) [def, draw, below right= of dh, draw=none, align=left] {$\hspace{-1.5em}b_{new,3}$};
\node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
\node (exchange) [def, draw, below =of blinded]{Exchange};
@@ -401,7 +405,7 @@
\begin{frame}{Customer: Unblind change (RSA)}
\vfill
- \begin{minipage}{8cm}
+ \begin{minipage}{7cm}
\begin{enumerate}
\item Receive $s'$.
\item Compute $s := s' b_{new,\gamma}^{-1} \mod n$.
@@ -519,14 +523,16 @@
\end{frame}
-\begin{frame}{VRF via Diffie-Hellman (ECDH)}
- \begin{minipage}{5cm}
+\begin{frame}{VRF vs. Dold'19 with Diffie-Hellman (ECDH)}
+ VRF/unique signatures are {\em slightly} stronger than required!
+
+ \begin{minipage}{7cm}
\begin{enumerate}
\item Create private keys $c,t \mod o$
\item Define $C = cG$
\item Define $T = tG$
\item Compute DH \\ $cT = c(tG) = t(cG) = tC$
- \item Sign $T$ with EdDSA $\Rightarrow$ DH + EdDSA $\equiv$ VRF:
+ \item Sign $T$ with EdDSA:
DH is unique, with EdDSA we have a signature,
$t$ allows verifier to check!
\end{enumerate}
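Review bot: `VRF/unique signatures are {\em slightly} stronger than required!` asserts the gap but never says which weaker property suffices; as far as the slide's own steps show, the point is that the exchange only checks the transfers the customer must reveal anyway (cut-and-choose discloses $t$ itself), so neither a separate proof $p$ nor a verifier-chosen input is needed. Suggest a second line after the claim: `Required: only {\em revealed} transfers are checked, and revealing $t$ makes $cT$ verifiable --- no proof $p$ needed.`. The title `VRF vs. Dold'19` introduces a citation key that appears nowhere else visible in this chunk; a `\cite` or footnote with the reference would help readers place it.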
@@ -548,10 +554,9 @@
\end{frame}
-\begin{frame}{Transfer setup with ECDH-based VRF}
- This is the VRF replacement for slide~\pageref{page:transfersetup}.
- \begin{minipage}{7cm}
- Given partially spent private coin key $c_{old}$:
+\begin{frame}{Transfer setup with ECDH-based Refresh}
+ \begin{minipage}{7.5cm}
+ {\small Given partially spent private coin key $c_{old}$:}
\begin{enumerate}
\item Let $C_{old} := c_{old}G$ (as before)
\item Create random private transfer key $t \mod o$
@@ -565,7 +570,7 @@
\end{minipage}
\begin{minipage}{3cm}
\begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
+ \tikzstyle{def} = [node distance= 1em and 0.5em, inner sep=0em, outer sep=.3em];
\node (t) [def, draw=none] at (0,0) {$t$};
\node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
\node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
@@ -573,7 +578,7 @@
\node (cp) [def, draw=none, below left= of dh] {$c_{new}$};
\node (bp) [def, draw=none, below right= of dh] {$b_{new}$};
\node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
+ \node (exchange) [node distance=1.5em and 0.5em, draw, below =of blinded]{Exchange};
\tikzstyle{C} = [color=black, line width=1pt]
@@ -584,9 +589,10 @@
\draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
\draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
\end{tikzpicture}
\end{minipage}
+ \note[item]{This is the Dold'19 replacement for slide~\pageref{page:transfersetup}.}
\end{frame}
@@ -625,4 +631,3 @@
remain unlinkable (and that the merchant cannot deposit the coin later), the
wallet can again use the refresh protocol.}
\end{frame}
-