
commit c37b69df4521bdbb2c0f23ab3b11fdf88e38543f
parent 9b4fdf0297974082665028bcf61a24f89472b6b7
Author: Gian Demarmels <gian@demarmels.org>
Date:   Sun, 13 Feb 2022 22:40:40 +0100

presentation and poster for clause schnorr implementation

Diffstat:
Apresentations/2022-cs/content/1-goals-projectmgmt.tex | 54++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apresentations/2022-cs/content/2-preliminaries.tex | 591+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apresentations/2022-cs/content/3-protocol-redesign.tex | 162+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apresentations/2022-cs/content/4-implementation.tex | 451+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apresentations/2022-cs/content/5-results.tex | 150+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Apresentations/2022-cs/images/architecture-exchange.jpg | 0
Apresentations/2022-cs/images/blind-coin.png | 0
Apresentations/2022-cs/images/blind-sign.png | 0
Apresentations/2022-cs/images/coins.jpg | 0
Apresentations/2022-cs/images/curve25519.png | 0
Apresentations/2022-cs/images/cutandchose.png | 0
Apresentations/2022-cs/images/dh-lock.png | 0
Apresentations/2022-cs/images/diagram-simple.png | 0
Apresentations/2022-cs/images/final.JPG | 0
Apresentations/2022-cs/images/gnunet-logo.png | 0
Apresentations/2022-cs/images/logo-2021.png | 0
Apresentations/2022-cs/images/planchet.png | 0
Apresentations/2022-cs/images/refresh-derive-rsa.png | 0
Apresentations/2022-cs/images/refresh-derive.png | 0
Apresentations/2022-cs/images/stock1s.jpg | 0
Apresentations/2022-cs/images/taler-pki.png | 0
Apresentations/2022-cs/images/unblind-coin.png | 0
Apresentations/2022-cs/images/withdraw1.png | 0
Apresentations/2022-cs/images/withdraw2.png | 0
Apresentations/2022-cs/poster/Plakat Bachelorthesis.pdf | 0
Apresentations/2022-cs/poster/Plakat Bachelorthesis.pptx | 0
Apresentations/2022-cs/presentation.pdf | 0
Apresentations/2022-cs/presentation.tex | 99+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
28 files changed, 1507 insertions(+), 0 deletions(-)

diff --git a/presentations/2022-cs/content/1-goals-projectmgmt.tex b/presentations/2022-cs/content/1-goals-projectmgmt.tex 
@@ -0,0 +1,54 @@
+\section{\faIcon{flag-checkered} Goals \& Project Management}
+
+\begin{frame}{\faIcon{flag-checkered} Motivation}
+ %TODO: Page should be more motivating!!
+ \begin{itemize}
+ \item \faIcon{feather} Elliptic curve cryptography allows smaller keys
+ \item \faIcon{bolt} Leads to huge performance benefits
+ \item \faIcon{lock} Cipher agility % Taler nicht abhängig von einem Schema, macht Taler Protokolle stabiler und unabhängiger
+ \item \faIcon{newspaper} Recent topic
+ \end{itemize}
+ % Recent topic - Bitcoin added support for Schnorr signatures in 2021
+\end{frame}
+
+\begin{frame}{\faIcon{flag-checkered} Goals}
+ Our goal is to add support for Schnorr's Blind Signature scheme to GNU Taler.\newline
+ \begin{itemize}
+ \item \faIcon{glasses} Analyze current state of research
+ \item \faIcon{pencil-alt} Redesign Taler's protocols
+ \item \faIcon{code} Implementation of redesigned protocols
+ \item \faIcon{eye} Comparison with RSA Blind Signatures
+ \end{itemize}
+\end{frame}
+
+
+\begin{frame}{\faIcon{project-diagram} Project Management}
+ \begin{columns}[T] % align columns
+ \begin{column}{.48 \textwidth}
+ Project Management:
+ \begin{itemize}
+ \item Waterfall vs. Agile % Explain that we used waterfall on a high-level and agile on proposal or on
+ \item Project Analysis % SWOT, requirements
+ \item ClickUp with Kanban-Boards and Gantt-Chart % Git für Thesis, deliverables etc.
+ \item Git to manage code and deliverables
+ \item Markdown notes for meetings, thoughts, etc.
+ \end{itemize}
+ \end{column}%
+ \hfill%
+ \begin{column}{.48\textwidth}
+ Project Phases:
+ \begin{itemize}
+ \item Phase 1: Initiation
+ \item Phase 2: Planning
+ \item Phase 3: Execution
+ \begin{itemize}
+ \item a) Design Phase
+ \item b) Specification Phase
+ \item c) Implementation Phase
+ \end{itemize}
+ \item Phase 4: Discussion
+ \item Phase 5: Closure
+ \end{itemize}
+ \end{column}%
+ \end{columns}
+\end{frame}
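Review bot: The Goals frame closes its lead sentence with `\newline` immediately before `\begin{itemize}`; the list already starts a new paragraph, so the forced break usually leaves an empty underfull line, and the sentence should end plainly as `Our goal is to add support for Schnorr's Blind Signature scheme to GNU Taler.` (use `\medskip` if extra space is wanted). The first column of the Project Management frame is sized `{.48 \textwidth}` while its sibling uses `{.48\textwidth}`; the space is harmless in a dimension but the two should be written the same way. The `%TODO: Page should be more motivating!!` in the Motivation frame is still open and should be resolved or tracked outside the slide source before the deck is considered final.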
diff --git a/presentations/2022-cs/content/2-preliminaries.tex b/presentations/2022-cs/content/2-preliminaries.tex 
@@ -0,0 +1,591 @@ +\section{\faIcon{coins} Preliminaries} +% Taler Intro, protocols + +% abort-idempotency, Blind Signatures, HKDF, CS scheme, ROS problem Chap 3 +\begin{frame}{\faIcon{coins} GNU Taler Overview} + \framesubtitle{A privacy-preserving, fast and intuitive payment system} + % Protokolle (achtung Flughöhe, Zeit) + \begin{columns}[c] % align columns + \begin{column}{.48\textwidth} + \includegraphics[width=6.3cm]{images/diagram-simple.png} + \end{column}% + \hfill% + \begin{column}{.48\textwidth} + Taler Components + \begin{itemize} + \item \faIcon{piggy-bank} Exchange \\ + Payment service provider between customer and merchant + \item \faIcon{shopping-basket} Merchant \\ + Accepts payments with Taler in exchange for goods and services + \item \faIcon{wallet} Wallet \\ + A customer holds coins in his electronic wallet + \item \faIcon{eye} Auditor \\ + The auditors (financial regulators) monitor the exchanges behaviour + \end{itemize} + \end{column}% + \end{columns} + {\tiny graphics source: \url{https://taler.net/images/diagram-simple.png}} +\end{frame} + +\begin{frame}{\faIcon{coins} GNU Taler properties} + % Important because our redesigned protocols need to fulfill all of them! + % Income Transparency + \begin{columns}[T] % align columns + \begin{column}{.48\textwidth} + Properties: + \begin{itemize} + \item \faIcon{hand-holding-heart} Free Software + \item \faIcon{user-secret} Buyer Privacy Protection + \item \faIcon{coins} Merchant Taxability + \item \faIcon{eye} Auditability - Income Transparency % Compliant to regulations AML/CFT/KYC + \item \faIcon{shield-alt} Prevent payment fraud + \end{itemize} + \end{column} + \hfill + \begin{column}{.48\textwidth} + \begin{itemize} + \item \faIcon{user-shield} Privacy by design + \item \faIcon{user} Easy to use + \item \faIcon{bolt} Efficient - Even more efficient with our improvements! 
\faIcon{rocket} + \item \faIcon{anchor} Fault-tolerant design + \item \faIcon{briefcase} Foster competition + \end{itemize} + \end{column} + \end{columns} + \vspace{1cm} + {\scriptsize More details on \url{https://taler.net/en/principles.html}} +\end{frame} + +\begin{frame}{\faIcon{code} Abort-Idempotency} + + \begin{itemize} + \item \textbf{Idempotency} + \\ Idempotency ensures that the state of a system will not change, no matter how many times the same request was made. + \\In other words: The same request will receive the same response.\\ + \item \textbf{Abort-Idempotency} + \\ Abort-Idempotency also ensures Idempotency in every abort scenario. + \end{itemize} +\end{frame} + +% \begin{frame}{\faIcon{coins} Taler PKI} +% \begin{center} +% \includegraphics[width=11cm]{images/taler-pki.png} +% \end{center} +% {\tiny graphics source: \url{https://taler.net/papers/thesis-dold-phd-2019.pdf}} +% \end{frame} + + +\begin{frame}{\faIcon{coins} HKDF RFC5869} + %Can be used as PRNG + \framesubtitle{The HMAC-based Extract-and-Expand Key Derivation Function} + \begin{itemize} + \item HKDF can be used as a pseudo-random function, a deterministic function whose output appears to be random + \item follows the \textbf{extract-then-expand} paradigm + \item A fixed-length high-entropy key $K$ is \textbf{extracted} from potentially weaker input keying material + \item The key $K$ is then \textbf{expanded} to output a variable-length, pseudo-random key + %\item HKDF makes use of HMAC instantiated with a hash function together with a salt, the input keying material, output length and optional info + \end{itemize} + +\end{frame} + +\begin{frame}{\faIcon{coins} Curve25519} + \begin{columns}[T] % align columns + \begin{column}{.48\textwidth} + Curve25519: + \begin{itemize} + \item Curve25519 is a Montgomery-Curve over prime field $2^{255} - 19$ + \item Provides 128 bits of security + \item Well-known and trusted + \item Good choice in terms of security \& speed + \end{itemize} + 
Alternatives: + \begin{itemize} + \item Curve448-Goldilocks + \item Secp256k1 ("Bitcoin curve") + \end{itemize} + \end{column}% + \hfill% + \begin{column}{.48\textwidth} + \begin{figure} + \includegraphics[width=6.3cm]{images/curve25519.png} + \caption{\footnotesize Abbild der elliptischen Kurve $y2 = x3 + 486662x2 + x $} + \end{figure} + \end{column}% + \end{columns} + {\vspace{1cm}\tiny graphics source: \url{https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/1/4/5/9/6/8/9/curve25519-5b8d94dd2448661c.png}} +\end{frame} + +\begin{frame}{\faIcon{coins} EdDSA} + \begin{columns}[c] % align columns + \begin{column}{.48\textwidth} + \begin{itemize} + \item The coin is a EdDSA keypair + \item Uses Curve25519 + \item Public key is the planchet to be signed by the exchange + \item The coin can be spent by signing a contract with the coin's private key + \end{itemize} + \end{column}% + \hfill% + \begin{column}{.48\textwidth} + \begin{center} + \includegraphics[height=4cm]{images/planchet.png} + \end{center} + \end{column}% + \end{columns} + {\vspace{1cm}\tiny graphics source: \url{https://git.taler.net/marketing.git/plain/presentations/comprehensive/main.pdf}} +\end{frame} + +\begin{frame}{\faIcon{coins} Blind Signatures} + % Was ist eine blinde Signatur? + % Was bringen einem blinde Signaturen? 
+ % Zentral für Taler + % Privacy preserving + \framesubtitle{RSA Blind Signatures in Taler} + \begin{columns}[t] + \begin{column}{.33\textwidth} + \begin{center} + Customer:\\ + \includegraphics[width=2.6cm]{images/blind-coin.png} + \end{center} + \end{column} + \begin{column}{.33\textwidth} + \begin{center} + Exchange: + \includegraphics[width=3cm]{images/blind-sign.png} + \end{center} + \end{column} + \begin{column}{.33\textwidth} + \begin{center} + Customer: + \includegraphics[width=3cm]{images/unblind-coin.png} + \end{center} + \end{column} + \end{columns} + \vspace{0.8cm} + {\tiny graphics source: \url{https://git.taler.net/marketing.git/plain/presentations/comprehensive/main.pdf}} + % RSA blind signature scheme (, Nachteile von RSA) +\end{frame} + +\begin{frame}{\faIcon{coins} RSA Blind Signatures} + \begin{center} + \resizebox{0.8\textwidth}{!}{\begin{minipage}{\textwidth} + \begin{figure} + \begin{equation*} + \begin{array}{ l c l } + \text{Alice} & & \text{Bob} + \\ \text{knows:} & & \text{knows:} + \\ \text{RSA public key } D_B = e, N & & \text{RSA keys } d_B, D_B + \\ \text{message } m & & + \\ & & + \\ f = FDH(m) & & + \\ & & + \\ \text{blind:} & & + \\ r \leftarrow random \in \mathbb{Z}_N^* & & + \\ f' = f*r^{e} \mod N & & + \\ & \xrightarrow[\rule{2.5cm}{0pt}]{f'} & + \\ & & \text{sign:} + \\ & & s' = (f')^{d_B} \mod N + \\ & \xleftarrow[\rule{2.5cm}{0pt}]{s'} & + \\ \text{unblind:}& & + \\ s = s'*r^{-1} & & + \end{array} + \end{equation*} + \end{figure} + \end{minipage}} + \end{center} +\end{frame} + +\begin{frame}{\faIcon{coins} Schnorr Signature Scheme} + \begin{center} + \resizebox{0.83\textwidth}{!}{\begin{minipage}{\textwidth} + \begin{figure} + \begin{equation*} + \begin{array}{ l c l } + % preliminaries + \text{User} & & \text{Signer} + \\ \text{knows:} & \text{public parameters:} & \text{knows:} + \\ \text{public key } X & \langle p, \mathbb{G}, G, H\rangle & \text{private signing key } x, X := xG + \\ & & r \leftarrow random \in 
\mathbb{Z}_p + \\ & & R := rG + \\ & \xleftarrow[\rule{2.5cm}{0pt}]{R} & + \\ c := H(R,m) + \\ & \xrightarrow[\rule{2.5cm}{0pt}]{c} & + \\ & & s := r + cx \mod p + \\ & \xleftarrow[\rule{2.5cm}{0pt}]{s} & + \\ \text{check } sG = R + cX + \\ \sigma := \langle R,s \rangle + \end{array} + \end{equation*} + \end{figure} + \end{minipage}} + \end{center} +\end{frame} + +\begin{frame}{\faIcon{coins} The (broken) Blind Schnorr Signature Scheme} + \begin{center} + \resizebox{0.83\textwidth}{!}{\begin{minipage}{\textwidth} + \begin{figure}[htp] + \begin{equation*} + \begin{array}{ l c l } + % preliminaries + \text{User} & & \text{Signer} + \\ \text{knows:} & \text{public parameters:} & \text{knows:} + \\ \text{public key } X & \langle p, \mathbb{G}, G, H\rangle & \text{private signing key } x, X := xG + \\ & & r \leftarrow random \in \mathbb{Z}_p + \\ & & R := rG + \\ & \xleftarrow[\rule{2.5cm}{0pt}]{R} & + \\ \alpha, \beta \leftarrow random \in \mathbb{Z}_p + \\ R' := R + \alpha G + \beta X + \\ c' := H(R',m) + \\ c := c' + \beta \mod p + \\ & \xrightarrow[\rule{2.5cm}{0pt}]{c} & + \\ & & s := r+cx \mod p + \\ & \xleftarrow[\rule{2.5cm}{0pt}]{s} & + \\ \text{check } sG = R + cX + \\ s' := s + \alpha \mod p + \\ \sigma := \langle R',s' \rangle + \end{array} + \end{equation*} + \end{figure} + \end{minipage}} + \end{center} +\end{frame} + +\begin{frame}{\faIcon{coins} ROS problem - (informally)} + \framesubtitle{Random inhomogeneities in an Overdetermined, Solvable system of linear + equations} + \begin{columns}[T] % align columns + \begin{column}{.48\textwidth} + ROS problem: + \begin{itemize} + \item ROS depends on group order $p$, parameterized with integer $\ell$ + \item An adversary can produce $\ell + 1$ valid signatures after $\ell > \log_2(p)$ parallel sessions by solving a linear equation system + \item $ \sum_{j=1}^{\ell} \rho_{i,j} c_j = H_{ros}(\overrightarrow{p}_i), i \in [\ell + 1]$ + \item There exist a polynomial-time attack against $ROS_\ell$ when $\ell > 
\log_2(p)$ + \end{itemize} + \end{column}% + \hfill% + \begin{column}{.48\textwidth} + Modified ROS: + \begin{itemize} + \item Does not apply to the modified ROS problem + \item Queries oracle with two vectors instead of one + \item The signer returns a signature by randomly flipping a bit $b$ + \item Only the $c_b$ is signed and returned + \item An adversary would need to commit to $c_b$ before learning about $b$ + \end{itemize} + \end{column}% + \end{columns} + \vspace{1cm} + {\tiny See: Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model} {\tiny (\url{https://eprint.iacr.org/2019/877.pdf})\\} + {\tiny See: On the (in)security of ROS } + {\tiny (\url{https://eprint.iacr.org/2020/945})} +\end{frame} + +\begin{frame}{\faIcon{coins} Clause Blind Schnorr Signature Scheme} + \begin{center} + \resizebox{0.65\textwidth}{!}{\begin{minipage}{\textwidth} + \begin{figure} + \begin{equation*} + \begin{array}{ l c l } + % preliminaries + \text{User} & & \text{Signer} + \\ \text{knows:} & \text{public parameters:} & \text{knows:} + \\ \text{public key } X & \langle p, \mathbb{G}, G, H\rangle & \text{private signing key } x, X := xG + \\ & & r_0, r_1 \leftarrow random \in \mathbb{Z}_p + \\ & & R_0 := r_0G + \\ & & R_1 := r_1G + \\ & \xleftarrow[\rule{2.5cm}{0pt}]{R_0, R_1} & + \\ \alpha_0, \alpha_1, \beta_0, \beta_1 \leftarrow random \in \mathbb{Z}_p + \\ R_0' := R_0 + \alpha_0 G + \beta_0 X + \\ R_1' := R_1 + \alpha_1 G + \beta_1 X + \\ c_0' := H(R_0',m) + \\ c_1' := H(R_1',m) + \\ c_0 := c_0' + \beta_0 \mod p + \\ c_1 := c_1' + \beta_1 \mod p + \\ & \xrightarrow[\rule{2.5cm}{0pt}]{c_0, c_1} & + \\ & & b \leftarrow random \in \{ 0,1\} + \\ & & s := r_b+c_bx \mod p + \\ & \xleftarrow[\rule{2.5cm}{0pt}]{b, s} & + \\ \text{check } sG = R + cX + \\ s' := s + \alpha_b \mod p + \\ \sigma := \langle R_b',s' \rangle + \end{array} + \end{equation*} + \end{figure} + \end{minipage}} + \end{center} +\end{frame} + +\begin{frame}{\faIcon{coins} Taler 
Protocols} + \begin{columns}[T] % align columns + \begin{column}{.25\textwidth} + Protocols: + \begin{itemize} + \item \faIcon{money-bill-alt} Withdrawal + \item \faIcon{sync-alt} Refresh + \item \faIcon{shopping-bag} Spend + \item \faIcon{piggy-bank} Deposit + \item \faIcon{gift} Tipping + \item \faIcon{hand-holding-usd} Payback + \item \faIcon{undo} Recoup + \end{itemize} + \end{column}% + \hfill% + \begin{column}{.60\textwidth} + \includegraphics[width=6.3cm]{images/diagram-simple.png} + {\\\tiny graphics source: \url{https://taler.net/images/diagram-simple.png}} + \end{column}% + \end{columns} +\end{frame} + +\begin{frame}{\faIcon{coins} Withdrawal Protocol} + \begin{center} + \resizebox{0.64\textwidth}{!}{\begin{minipage}{\textwidth} + \begin{figure}[htp] + \begin{equation*} + \resizebox{1.0\textwidth}{!}{$\displaystyle + \begin{array}{ l c l } + \text{Customer} & & \text{Exchange} + \\ \text{reserve keys } w_s, W_p & & \text{reserve public key } W_p + \\ \text{denomination public key } D_p = e, N & & \text{denomination keys } d_s, D_p + \\ & & + \\\text{generate coin key pair:} & & + \\ c_s, C_p \leftarrow Ed25519.KeyGen() & & + \\ \text{blind:} & & + \\ r \leftarrow random \in \mathbb{Z}_N^* & & + \\ m' = \text{FDH}(N, C_p)*r^{e} \mod N & & + \\ \text{sign with reserve private key:} & & + \\ \rho_W = D_p, m' & & + \\ \sigma_W = \text{Ed25519.Sign}(w_s, \rho_W) & & + \\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho = W_p, \sigma_W, \rho_W} & + \\ & & \text{verify if denomination public key} + \\ & & \text{is valid} + \\ & & \text{check } \text{Ed25519.Verify}(W_p, \rho_W, \sigma_W) + \\ & & \text{decrease balance if sufficient} + \\ & & \text{sign:} + \\ & & \sigma'_c = (m')^{d_s} \mod N + \\ & \xleftarrow[\rule{2.5cm}{0pt}]{\sigma'_c} & + \\ \text{unblind:}& & + \\ \sigma_c = \sigma'_c*r^{-1} & & + \\ \text{verify signature:}& & + \\ \text{check } \sigma_c^{e} = \text{FDH}(N, C_p) & & + \\ \text{resulting coin: } c_s, C_p, \sigma_c, D_p & & + \end{array}$ + } + 
\end{equation*} + \end{figure} + \end{minipage}} + \end{center} +\end{frame} + + +\begin{frame}{\faIcon{coins} Refresh Protocol - DH-Lock} + \begin{columns}[c] % align columns + \begin{column}{.48\textwidth} + Diffie-Hellman Lock: + \begin{itemize} + \item keypairs $C = cG$ and $T = tG$ + \item Both keys can unlock the lock: $k = tC = cT$ + \end{itemize} + \begin{center} + \includegraphics[width=2.6cm]{images/dh-lock.png} + \end{center} + \end{column}% + \hfill% + \begin{column}{.48\textwidth} + \includegraphics[width=5cm]{images/refresh-derive-rsa.png} + \end{column}% + \end{columns} + {\vspace{0.2cm}\tiny graphics source: \url{https://git.taler.net/marketing.git/plain/presentations/comprehensive/main.pdf}} +\end{frame} + +\begin{frame}{\faIcon{coins} Refresh Protocol - Cut and Choose} + \begin{itemize} + \item Customer sets up $k$ DH-Locks + \item Exchange sends back random $\gamma \in \{1,\dots,k\}$ + \item Customer reveals transfer private keys, except $t_\gamma$ + \item Exchange can detect fraud attempts with a probability of $1/k$ + \end{itemize} + \begin{center} + \includegraphics[width=7cm]{images/cutandchose.png} + \end{center} + {\vspace{-0.2cm}\tiny graphics source: \url{https://git.taler.net/marketing.git/plain/presentations/comprehensive/main.pdf}} +\end{frame} + +\begin{frame}{\faIcon{coins} Refresh Protocol Commit Phase} + \begin{columns}[c] % align columns + \begin{column}{.43\textwidth} + \begin{itemize} + \item Customer creates $k$ RefreshDerives (DH-Locks) + \item Customer commits by calculating a commit hash \\ + $h_T := H(T_1, \dots,T_k)$ \\ + $h_{\overline{m}} := H(\overline{m}_1, \dots,\overline{m}_k)$ \\ + $h_C := H(h_T,h_{\overline{m}} )$ + \item The exchange answers with a random $\gamma \in \{1,\dots,k\}$ + \end{itemize} + \end{column}% + \hfill% + \begin{column}{.53\textwidth} + \begin{center} + \vspace{-1cm} + \begin{figure} + \begin{equation*} + \resizebox{1.0\textwidth}{!}{$\displaystyle + \begin{array}{ l c l } + \text{Customer} & & 
\text{Exchange} + \\ \text{denomination public key } D_{p(i)} & & \text{denomination keys } d_{s(i)}, D_{p(i)} + \\ \text{coin}_0 = \langle D_{p(0)}, c_s^{(0)}, C_p^{(0)}, \sigma_c^{(0)} \rangle & & + % refresh request + \\ \text{Select} \langle N_t, e_t\rangle := D_{p(t)} \in D_{p(i)} + \\ \textbf{for } i = 1, \dots, \kappa: % generate k derives + \\ s_i \rightarrow \{0,1\}^{256} % seed generation + \\ X_i := \text{RefreshDerive}(s_i, D_{p(t)}, C_p^{(0)}) + \\ (t_i, T_i, x_i, c_s^{(i)}, C_p^{(i)}, \overline{m}_i) := X_i + \\ \textbf{endfor} + \\ h_T := H(T_1, \dots, T_k) + \\ h_{\overline{m}} := H(\overline{m}_1, \dots, \overline{m}_k) + \\ h_C := H(h_t, h_{\overline{m}}) + \\ \rho_{RC} := \langle h_C, D_{p(t)}, D_{p(0)}, C_p^{(0)}, \sigma_C^{(0)} \rangle + \\ \sigma_{RC} := \text{Ed25519.Sign}(c_s^{(0), \rho_{RC}}) + \\ \text{Persist refresh-request} \langle \rho_{RC}, \sigma_{RC} \rangle + \\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho_{RC}, \sigma_{RC}} & + % Exchange checks refresh request + \\ & & (h_C, D_{p(t)}, D_{p(0)}, C_p^{(0)}, \sigma_C^{(0)} = \rho_{RC}) + \\ & & \textbf{check} \text{Ed25519.Verify}(C_p^{(0)}, \sigma_{RC}, \rho_{RC}) + \\ & & x \rightarrow \text{GetOldRefresh}(\rho_{RC}) + \\ & & \textbf{Comment: }\text{GetOldRefresh} \\ &&(\rho_{RC} \mapsto \{\bot,\gamma\}) + \\ & & \pcif x = \bot + \\ & & v := D(D_{p(t)}) + \\ & & \langle e_0, N_0 \rangle := D_{p(0)} + \\ & & \textbf{check } \text{IsOverspending}(C_p^{(0)}, D_ {p(0)}, v) + \\ & & \textbf{check } D_{p(t)} \in \{D_{p(i)}\} + \\ & & \textbf{check } \text{FDH}(N_0, C_p^{(0)}) \equiv_{N_0} (\sigma_0^{(0)})^{e_0} + \\ & & \text{MarkFractionalSpend}(C_p^{(0)}, v) + \\ & & \gamma \leftarrow \{1, \dots, \kappa\} + \\ & & \text{Persist refresh-record } \langle \rho_{RC},\gamma \rangle + \\ & & \pcelse + \\ & & \gamma := x + \\ & & \textbf{endif} + \\ & \xleftarrow[\rule{2.5cm}{0pt}]{\gamma} & + \end{array}$ + } + \end{equation*} + \end{figure} + \end{center} + \end{column}% + \end{columns} 
+\end{frame} + +\begin{frame}{\faIcon{coins} Refresh Protocol Reveal Phase} + \begin{columns}[c] % align columns + \begin{column}{.43\textwidth} + \begin{itemize} + \item Customer reveals every transfer key (seed), except $t_\gamma$ + \item The exchange now proves if the customer is honest by recalculating the RefreshDerives + \item If the check succeeds, the exchange returns the signature of the new coin + \item Fraud attempts are detected with probability of $1/k$ + \end{itemize} + \end{column}% + \hfill% + \begin{column}{.53\textwidth} + \begin{center} + \begin{figure} + \begin{equation*} + \resizebox{1.0\textwidth}{!}{$\displaystyle + \begin{array}{ l c l } + \\ & \xleftarrow[\rule{2.5cm}{0pt}]{\gamma} & + \\ \textbf{check } \text{IsConsistentChallenge}(\rho_{RC}, \gamma) + \\ \textbf{Comment: } \text{IsConsistentChallenge}\\(\rho_{RC}, \gamma) \mapsto \{ \bot,\top \} + \\ + \\ \text{Persist refresh-challenge} \langle \rho_{RC}, \gamma \rangle + \\ S := \langle s_1, \dots, s_{\gamma-1}, s_{\gamma+1}, \dots,s_x \rangle % all seeds without the gamma seed + \\ \rho_L = \langle C_p^{(0)}, D_{p(t)}, T_{\gamma},\overline{m}_\gamma \rangle + \\ \rho_{RR} = \langle T_\gamma, \overline{m}_\gamma, S \rangle + \\ \sigma_{L} = \text{Ed25519.Sign}(c_s^{(0)}, \rho_{L}) + \\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho_{RR},\rho_L, \sigma_{L}} & + % check revealed msgs and sign coin + \\ & & \langle T'_\gamma, \overline{m}'_\gamma, S \rangle := \rho_{RR} + \\ & & \langle s_1,\dots,s_{\gamma-1},s_{\gamma+1},\dots,s_\kappa \rangle ) := S + \\ & & \textbf{check } \text{Ed25519.Verify}(C_p^{(0)}, \sigma_L, \rho_L) + \\ & & \pcfor i = 1,\dots, \gamma-1, \gamma+1,\dots, \kappa + \\ & & X_i := \text{RefreshDerive}(s_i, D_{p(t)}, C_p^{(0)}) + \\ & & \langle t_i, T_i, x_i, c_s^{(i)}, C_p^{(i)}, \overline{m}_i \rangle := X_i + \\ & & \textbf{endfor} + \\ & & h_T' = H(T_1,\dots,T_{\gamma-1},T'_{\gamma},T_{\gamma+1},\dots,T_\kappa) + \\ & & h_{\overline{m}}' = 
H(\overline{m}_1,\dots,\overline{m}_{\gamma-1},\overline{m}'_{\gamma},\overline{m}_{\gamma+1},\dots,\overline{m}_\kappa) + \\ & & h_C' = H(h_T', h_{\overline{m}}') + \\ & & \textbf{check } h_C = h_C' + \\ & & \overline{\sigma}_C^{(\gamma)} := \overline{m}^{d_{s(t)}} + \\ & \xleftarrow[\rule{2.5cm}{0pt}]{\overline{\sigma}_C^{(\gamma)}} & + % Check coin signature and persist coin + \\ \sigma_C^{(\gamma)} := r^{-1}\overline{\sigma}_C^{(\gamma)} + \\ \textbf{check } (\sigma_C^{(\gamma)})^{e_t} \equiv_{N_t} C_p^{(\gamma)} + \\ \text{Persist coin} \langle D_{p(t)}, c_s^{(\gamma)}, C_p^{(\gamma)}, \sigma_C^{(\gamma)} \rangle + \end{array}$ + } + \end{equation*} + \end{figure} + \end{center} + \end{column}% + \end{columns} +\end{frame} + +\begin{frame}{\faIcon{coins} Link Protocol} + % Money Laundring + \begin{columns}[c] % align columns + \begin{column}{.43\textwidth} + \begin{itemize} + \item Threat: An evil customer sends the old coins private key to a third party. + \item The third party refreshes the coin and receives a new coin. 
+ \item Solution: re-obtain refreshed coin with link protocol from $c_{s(old)}$ + \end{itemize} + \end{column}% + \hfill% + \begin{column}{.53\textwidth} + \begin{center} + \begin{figure} + \begin{equation*} + \resizebox{1.0\textwidth}{!}{$\displaystyle + \begin{array}{ l c l } + % preliminaries + \text{Customer} & & \text{Exchange} + \\ \text{knows:} & & \text{knows:} + \\ \text{coin}_0 = \langle D_{p(0)}, c_s^{(0)}, C_p^{(0)}, \sigma_{C}^{(0)} \rangle + \\ & \xrightarrow[\rule{2.5cm}{0pt}]{C_{p(0)}} & + \\ & & L := \text{LookupLink}(C_{p(0)}) + \\ & & \textbf{Comment: } \text{LookupLink}(C_p) \mapsto \{\langle \rho_L^{(i)}, + \\ & & \sigma_L^{(i)}, \overline{\sigma}_C^{(i)} \rangle\} + \\ & \xleftarrow[\rule{2.5cm}{0pt}]{L} & + \\ \pcfor \langle \rho_{L}^{(i)}, \overline{\sigma}_L^{(i)}, \sigma_C^{(i)} \rangle \in L + \\ \langle \hat{C}_p^{(i)}, D_{p(t)}^{(i)}, T_\gamma^{(i)}, \overline{m}_\gamma^{(i)} \rangle := \rho_L^{(i)} + \\ \langle e_t^{(i)}, N_t^{(i)} \rangle := D_{p(t)}^{(i)} + \\ \textbf{check } \hat{C}_p^{(i)} \equiv C_p^{(0)} + \\ \textbf{check } \text{Ed25519.Verify}(C_p^{(0)}, \rho_{L}^{(i)}, \sigma_L^{(i)}) + \\ x_i := \text{ECDH}(c_s^{(0)}, T_{\gamma}^{(i)}) + \\ r_i := \text{SelectSeeded}(x_i,\mathbb{Z}^*_{N_t}) + \\ c_s^{(i)} := \text{HKDF}(256,x_i,"c") + \\ C_p^{(i)} := \text{Ed25519.GetPub}(c_s^{(i)}) + \\ \sigma_C^{(i)} := (r_i)^{-1} \cdot \overline{m}_\gamma^{(i)} + \\ \textbf{check } (\sigma_C^{(i)})^{e_t^{(i)}} \equiv_{N_t^{(i)}} C_p^{(i)} + \\ \text{(Re-)obtain coin} \langle D_{p(t)}^{(i)},c_s^{(i)}, C_p^{(i)}, \sigma_C^{(i)} \rangle + \end{array}$ + } + \end{equation*} + \end{figure} + \end{center} + \end{column}% + \end{columns} +\end{frame} + +\begin{frame}{\faIcon{coins} Challenges} + \begin{itemize} + \item \faIcon{hashtag} Two blinding factors + \item \faIcon{exchange-alt} Additional request + \item \faIcon{calculator} Many calculations are done twice + \item \faIcon{dice} Many random elements - What about Abort-Idempotency? 
+ \end{itemize} + \vspace{1cm} + How can we redesign Taler's protocols to work with the Clause Blind Schnorr signature scheme while still preserving all properties? +\end{frame} + diff --git a/presentations/2022-cs/content/3-protocol-redesign.tex b/presentations/2022-cs/content/3-protocol-redesign.tex 
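Review bot: The cut-and-choose frames state the detection probability the wrong way round: `\item Exchange can detect fraud attempts with a probability of $1/k$` (Cut and Choose) and `\item Fraud attempts are detected with probability of $1/k$` (Reveal Phase) describe the cheater's escape probability, since a customer who corrupts one of the $k$ derivations goes undetected only when the exchange's $\gamma$ lands on that index; both lines should read `detected with probability $1 - 1/k$` (and may add that a cheater escapes with probability $1/k$). In the Clause Blind Schnorr frame the user's verification `\\ \text{check } sG = R + cX` refers to $R$ and $c$, which that frame never defines; the check is against the signer's chosen clause, `\\ \text{check } sG = R_b + c_bX`. In the Refresh Commit Phase array, `\sigma_{RC} := \text{Ed25519.Sign}(c_s^{(0), \rho_{RC}})` closes the superscript after $\rho_{RC}$ so the message is typeset as an exponent of $c_s$; it should be `\text{Ed25519.Sign}(c_s^{(0)}, \rho_{RC})`, and `h_C := H(h_t, h_{\overline{m}})` two rows above should use `h_T` as defined in the preceding row. The Curve25519 caption is the only German text left in the deck and its equation lacks superscripts, so it typesets as products rather than the curve equation; `\caption{\footnotesize Graph of the elliptic curve $y^2 = x^3 + 486662x^2 + x$}` fixes both. The `\pcif`, `\pcelse` and `\pcfor` macros used in the refresh and link arrays presumably come from a package loaded in presentation.tex, which is outside this hunk.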
@@ -0,0 +1,162 @@
+\section{\faIcon{clipboard-list} Protocol Redesign}
+
+\begin{frame}{\faIcon{clipboard-list} Protocol Redesign}
+ \begin{itemize}
+ \item \faIcon{eye} Analyze Taler protocols
+ \item \faIcon{user-secret} Integrate where blind signatures are used
+ \item \faIcon{scroll} Proposal
+ % FIXME: begin very early in the thesis
+ \item \faIcon{comments} Rounds of Feedback
+ \end{itemize}
+\end{frame}
+
+% CS R
+\begin{frame}{\faIcon{clipboard-list} CS R}
+ \begin{itemize}
+ \item Additional Request during signature creation
+ \item Introduces complexity
+ \item Challenge regarding abort-idempotency
+ \item Vanilla Clause Blind Schnorr Signature Scheme: \\
+ \begin{itemize}
+ \item $ r_0 \leftarrow random $
+ \item $ R_0 := rG $
+ \end{itemize}
+ \item Our Changes: \\
+ \begin{itemize}
+ \item Introduces Nonce $ n $ used for Derivation
+ \item Derives R: \\
+ $ r_0 := \text{HKDF}(256,n || d_s, " \text{r} 0 ") $ \\
+ $ R_0 := r_0G $
+ \item Denomination private key as long-term secret
+ % FIXME: Payback Protocol
+ \end{itemize}
+ \end{itemize}
+\end{frame}
+
+% Withdraw
+\begin{frame}{\faIcon{clipboard-list} Withdraw Protocol}
+ \begin{itemize}
+ \item Signature scheme related operations replaced
+ \item Additional round-trip introduced
+ \item Extensively uses HKDF to achieve abort-idempotency
+ \item Randomness in CS replaced with derivation $ \rightarrow $ unpredictable
+ \end{itemize}
+\end{frame}
+
+\begin{frame}{\faIcon{clipboard-list} Withdraw Protocol}
+ \framesubtitle{Protocol Changes}
+ \begin{columns}[c]
+ \begin{column}{.48\textwidth}
+ \begin{itemize}
+ \item Withdraw Nonce (Wallet): \\
+ $ c_s, C_p \leftarrow \text{Ed25519.KeyGen}() $ \\
+ $ n_w := \text{HKDF}(256, c_s, "\text{n}") $
+ \item Request R
+ \item Derive R (Exchange)
+ \item Derive Blinding Secrets (Wallet): \\
+ $ b_s := \text{HKDF}(256, c_s || R_0 || R_1,"\text{b-seed}") $ \\
+ $ \alpha_0 := \text{HKDF}(256, b_s, "\text{a}0") $ \\
+ $ \dots $ \\
+ $ \beta_1 := \text{HKDF}(256, b_s, "\text{b}1") $
+ % FIXME: Advantages for Payback
+ \end{itemize}
+ \end{column}
+ \hfill
+ \begin{column}{.48\textwidth}
+ \includegraphics[width=6.5cm]{images/withdraw1.png}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}{\faIcon{clipboard-list} Withdraw Protocol}
+ \framesubtitle{Protocol Changes}
+ \begin{columns}[c]
+ \begin{column}{.48\textwidth}
+ \begin{itemize}
+ \item Derive $b$ (exchange): \\
+ $ b := \text{HKDF}(1,n_w || d_s, "\text{b}") $
+ \item Re-derive $ r_b $
+ \item Calculate signature scalar
+ \item Unblind, construct signature $ \langle R_b', s' \rangle $
+ \end{itemize}
+ \end{column}
+ \hfill
+ \begin{column}{.48\textwidth}
+ \includegraphics[width=6.5cm]{images/withdraw2.png}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+\begin{frame}{\faIcon{clipboard-list} Withdraw Protocol}
+ \framesubtitle{Nonce Check}
+ \begin{itemize}
+ \item Is this safe? (without nonce reuse check) \\
+ $ r_0 := \text{HKDF}(256,n || d_s, " \text{r} 0 ") $
+ \item (Hint $ \rightarrow $ no):
+ \begin{itemize}
+ \item $ s_2 - s_1 = d_s (c_1' - c_2') - (r_1 - r_2) $
+ \item if $ r_1 = r_2 $: \\
+ $ s_2 - s_1 = d_s (c_1' - c_2') $
+ \item Allows private key recovery
+ \item Happened before (Bitcoin, PlayStation 3)
+ \end{itemize}
+ \item Prevent $ r $ reuse $ \rightarrow $ do not allow nonce reuse (per denomination)
+ \item Applies to withdraw AND refresh
+ \end{itemize}
+\end{frame}
+
+% Spend
+\begin{frame}{\faIcon{clipboard-list} Deposit Protocol}
+ \begin{itemize}
+ \item Only coin signature verification changes: \\
+ \begin{align*}
+ s'G & = R' + c' D_p
+ \\ &= R' + H(R', C_p) D_p
+ \end{align*}
+ \end{itemize}
+\end{frame}
+
+% Refresh
+\begin{frame}{\faIcon{clipboard-list} Refresh and Linking}
+ \begin{columns}[c]
+ \begin{column}{.48\textwidth}
+ \begin{itemize}
+ \item Integration similar to withdraw (additional round trip, derivation, etc.)
+ \item Introduced new random refresh secret
+ \begin{itemize}
+ \item Transfer secret
+ \item Refresh nonce
+ \end{itemize}
+ \item Nonce check
+ \item Two commit hashes instead of one
+ \end{itemize}
+ \end{column}
+ \hfill
+ \begin{column}{.48\textwidth}
+ \includegraphics[width=4.5cm]{images/refresh-derive.png}
+ \end{column}
+ \end{columns}
+\end{frame}
+
+% Tipping
+\begin{frame}{\faIcon{clipboard-list} Tipping}
+ \begin{itemize}
+ \item Wallet: same changes as Withdraw
+ \item Merchant: Only message signed by merchant's reserve private key changes
+ \end{itemize}
+\end{frame}
+
+% Payback
+\begin{frame}{\faIcon{clipboard-list} Payback Protocol}
+ \begin{itemize}
+ \item Three different cases:
+ \begin{itemize}
+ \item \textbf{Revoked coin has never been seen by exchange}: \\
+ Adjust Withdraw Transcript
+ \item \textbf{Coin partially spent}: \\
+ Invoke Refresh Protocol
+ \item \textbf{Coin resulted from refresh, has never been seen}: \\
+ Adjust refresh transcript
+ \end{itemize}
+ \end{itemize}
+\end{frame}
diff --git a/presentations/2022-cs/content/4-implementation.tex b/presentations/2022-cs/content/4-implementation.tex
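Review bot: The nonce-reuse derivation `$ s_2 - s_1 = d_s (c_1' - c_2') - (r_1 - r_2) $` in the Nonce Check frame is not consistent with the signing equation `s := r + cx` used in the Schnorr frames of 2-preliminaries.tex: subtracting two signatures gives `$ s_2 - s_1 = (r_2 - r_1) + d_s (c_2 - c_1) $`, so the slide flips the sign of the key term relative to the nonce term, and the reused-nonce case should collapse to `$ s_2 - s_1 = d_s (c_2 - c_1) $` (key recovery follows either way, but the slide should not contradict the scheme it explains). The same derivation writes the unblinded challenge $c'$ where the signer only ever computes with the blinded $c$ it receives; it is presumably meant as the challenge the attacker submitted, and naming it $c$ would avoid the mismatch. In the CS R frame the vanilla scheme is quoted as `\item $ R_0 := rG $` right after `\item $ r_0 \leftarrow random $`; it should be `\item $ R_0 := r_0G $` to match the Clause Blind Schnorr frame and the "Our Changes" line below it. The derivation label `" \text{r} 0 "` is written with padding spaces while every other label on these slides (`"\text{n}"`, `"\text{a}0"`, `"\text{b}1"`) is not; if the implementation's label is `r0`, print it as `"\text{r}0"` in both places it appears so the slide can be checked against the code.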
@@ -0,0 +1,451 @@ +\section{\faIcon{code} Specification \& Implementation} + +\begin{frame}{\faIcon{code} Overview} + % Implemented, tested and reviewed -> good state, but needs sec audit + \begin{columns}[T] + \begin{column}{.48\textwidth} + Implemented \& Tested: + \begin{itemize} + \item Cryptographic routines in GNUnet + \item Cryptographic utilities in the Exchange + \item Security Module for CS and crypto-helper + \item Key Management + \item New Endpoint to get $R_0,R_1$ + \item Withdraw protocol + \item Deposit protocol + \end{itemize} + \end{column} + \hfill + \begin{column}{.48\textwidth} + Not Implemented: + \begin{itemize} + \item Merchant (primarily Spend Protocol) + \item Wallet support for two denomination types + \item Tipping protocol + \end{itemize} + \end{column} + \end{columns} +\end{frame} + +\begin{frame}{\faIcon{code} Testing} + \begin{itemize} + \item Specification and test implementation hand in hand + \item Cryptographic routines: unit tests, benchmark, test vectors + \item Taler cryptographic utilities: unit tests + \item CS security module: functionality tests, benchmark + \item Exchange HTTP server: functionality tests (simulate wallet) + \end{itemize} +\end{frame} + + + +% Übersicht allgemein (was implementiert, wie implementiert, wie getestet) +% GNUnet +% Testing, Test vectors, benchmarks +% API, Data Types, special stuff + +% Taler cryptographic utilities +\begin{frame}{\faIcon{code} Implementation of cryptographic routines} + \framesubtitle{Cryptographic routines in GNUnet} + % Implementation Signaturschema: GNUnet, free software, libsodium + \begin{columns}[T] % align columns + \begin{column}{.74\textwidth} + \vspace{0.5cm} + Cryptographic routines for Clause Blind Schnorr signatures: + \begin{itemize} + \item Programming language: C + \item Implemented as free software in the GNUnet project + \item Implemented on Curve25519 + \item Libsodium is used for group operations + \item Implemented including testing, benchmarks and 
test-vector generator + \item Other primitives from GNUnet reused + \begin{itemize} + \item HKDF + \item KDF mod + \item Hash functions + \end{itemize} + \end{itemize} + \end{column}% + \hfill% + \begin{column}{.25\textwidth} + \vspace{2cm} + \includegraphics[height=2cm]{images/gnunet-logo.png} + \end{column}% + \end{columns} + \vspace{0.2cm} + {\tiny graphics source: https://www.gnunet.org/images/gnunet-logo-dark-no-text.png} +\end{frame} + +\begin{frame}{\faIcon{code} Implementation of cryptographic routines} + \framesubtitle{Implementation details} + \begin{columns}[T] + \begin{column}{.48\textwidth} + \resizebox{0.58\textwidth}{!}{\begin{minipage}{\textwidth} + \begin{table} + \colorlet{BFH-table}{BFH-MediumBlue!10} + \colorlet{BFH-tablehead}{BFH-MediumBlue!50} + \setupBfhTabular + \begin{tabular}{ll} + \rowcolor{BFH-tablehead} + \textbf{Operation} & \textbf{API} \\\hline + Key Generation & {\footnotesize GNUNET\_CRYPTO\_cs\_private\_key\_generate()} \\\hline + Get public key & {\footnotesize GNUNET\_CRYPTO\_cs\_private\_key\_get\_public($sk$)} \\\hline + Derive $r_0,r_1$ & {\footnotesize GNUNET\_CRYPTO\_cs\_derive\_r(nonce, lts, $r$[2])} \\\hline + Get public $R$ & {\footnotesize GNUNET\_CRYPTO\_cs\_r\_get\_public($r$)} \\\hline + Derive blinding secrets (bs) & {\footnotesize GNUNET\_CRYPTO\_cs\_blinding\_secrets\_derive(seed)} \\\hline + Calculate blinded $c$ & {\footnotesize GNUNET\_CRYPTO\_cs\_calc\_blinded\_c(bs, $R$[2], $pk$, msg)} \\\hline + Sign and get $b$ & {\footnotesize GNUNET\_CRYPTO\_cs\_sign\_derive($sk$, $r$[2], $c$[2], nonce)} \\\hline + Unblind & {\footnotesize GNUNET\_CRYPTO\_cs\_unblind(blind\_sig, $pk$, msg)} \\\hline + Verify & {\footnotesize GNUNET\_CRYPTO\_cs\_verify(sig, $pk$, msg)} \\\hline + \end{tabular} + \end{table} + \begin{itemize} + \item {\normalsize API designed to prevent misuse} + \item {\normalsize API includes "Clause" part} + \item {\normalsize Internal functionality: CS-FDH, clamping} + \end{itemize} + \end{minipage}} + 
\end{column}% + \hfill% + \begin{column}{.48\textwidth} + \hspace{1cm} + \resizebox{0.52\textwidth}{!}{\begin{minipage}{\textwidth} + \begin{table} + \colorlet{BFH-table}{BFH-MediumBlue!10} + \colorlet{BFH-tablehead}{BFH-MediumBlue!50} + \setupBfhTabular + \begin{tabular}{ll} + \rowcolor{BFH-tablehead} + \textbf{Values} & \textbf{Data Structure} \\\hline + Curve25519 Scalar & {\small GNUNET\_CRYPTO\_Cs25519Scalar} \\\hline + Curve25519 Point & {\small GNUNET\_CRYPTO\_Cs25519Point} \\\hline + Private Key & {\small GNUNET\_CRYPTO\_CsPrivateKey} \\\hline + Public Key & {\small GNUNET\_CRYPTO\_CsPublicKey} \\\hline + $\alpha, \beta$ & {\small GNUNET\_CRYPTO\_CsBlindingSecret} \\\hline + $r$ & {\small GNUNET\_CRYPTO\_CsRSecret} \\\hline + $R$ & {\small GNUNET\_CRYPTO\_CsRPublic} \\\hline + $c$ & {\small GNUNET\_CRYPTO\_CsC} \\\hline + $s$ & {\small GNUNET\_CRYPTO\_CsBlindS} \\\hline + $s'$ & {\small GNUNET\_CRYPTO\_CsS} \\\hline + $\sigma := \langle s',R' \rangle$ & {\small GNUNET\_CRYPTO\_CsSignature} \\\hline + Nonce & {\small GNUNET\_CRYPTO\_CsNonce} \\\hline + \end{tabular} + \end{table} + \end{minipage}} + \end{column}% + \end{columns} +\end{frame} + +\begin{frame}{\faIcon{code} Exchange Architecture} + % Exchange Architektur + \begin{center} + \includegraphics[width=8cm]{images/architecture-exchange.jpg} + \end{center} + {\tiny graphics source: \url{https://git.taler.net/marketing.git/plain/presentations/comprehensive/main.pdf}} +\end{frame} + +\begin{frame}{\faIcon{code} Taler cryptographic utilities} + \framesubtitle{Cryptographic utilities around crypto routines and planchets} + \begin{columns}[T] % align columns + \begin{column}{.48\textwidth} + Cryptographic utilities to use the crypto routines + \begin{itemize} + \item sign + \item blind + \item unblind + \item key generation + \item derive\_r + \item various utility functions + \end{itemize} + \end{column}% + \hfill% + \begin{column}{.48\textwidth} + Utility functions around planchets + \begin{itemize} + 
\item derive/generate nonce + \item blinding secrets + \item planchet setup \& prepare + \item planchet to coin + \item coin ev hash + \end{itemize} + \end{column}% + \end{columns} +\end{frame} + +\begin{frame}{\faIcon{code} CS Security Module} + \framesubtitle{CS Security Module \& corresponding crypto helper} + \begin{columns}[T] % align columns + \begin{column}{.48\textwidth} + CS Security Module: + \begin{itemize} + \item Standalone process + \item The CS Security Module have sole access to the denomination private key + %on httpd compromise attacker has no access to priv key + % But can sign arbitrary messages + \item All operations requiring the private key are done by the secuity module + \begin{itemize} + \item Generate new keypair + \item Sign a message + \item Revoke keys + \item Derive private $r$ + \end{itemize} + \item API can use fixed-length structs (compared to RSA) + \end{itemize} + \end{column}% + \hfill% + \begin{column}{.48\textwidth} + CS Crypto Helper: + \begin{itemize} + \item Talks to the security module for operations requiring the denominations private key + \item Is part of the httpd service + \item Unix Domain Sockets are used for Inter-Process Communication with the security module + \end{itemize} + \end{column}% + \end{columns} +\end{frame} + +\begin{frame}{\faIcon{code} Key Management} + \begin{itemize} + \item Collect new denominations, security module public key from CS security module + \item {\color{blue}\texttt{GET /management/keys}}: Offer future keys to exchange-offline + % FIXME: not yet signed + \item {\color{blue}\texttt{POST /management/keys}}: Return signatures created with offline-signing key + \item {\color{blue}\texttt{GET /keys}}: Make new denominations available for wallet: + \item Currently requires both RSA and CS security modules to be running + \end{itemize} +\end{frame} + +\begin{frame}{\faIcon{code} Endpoint for $ R $} + \begin{itemize} + \item New endpoint used for withdraw and refresh protocols + \item 
Available under {\color{blue}\texttt{POST /csr}} + \item Request: \\ + \begin{table}[ht] + \hspace{-1.5cm} + \resizebox{0.9\textwidth}{!}{\begin{minipage}{\textwidth} + \colorlet{BFH-table}{BFH-MediumBlue!10} + \colorlet{BFH-tablehead}{BFH-MediumBlue!50} + \setupBfhTabular + \begin{tabular}{lll} + \rowcolor{BFH-tablehead} + \textbf{Field} & \textbf{Type} & \textbf{Value} \\ + nonce & String & 32 Bytes encoded in Crockford base32 Hex \\ + denom\_pub\_hash & String & Denomination Public Key encoded in Crockford base32 Hex \\ + \end{tabular} + \end{minipage}} + \end{table} + \item Exchange checks denomination (including cipher type) + \end{itemize} +\end{frame} + +\begin{frame}{\faIcon{code} Endpoint for $ R $} + \begin{itemize} + \item Exchange derives $ R $ based on supplied nonce and denomination + \item Request passed down to security module + \item No persistence necessary + \item Response: \\ + \begin{table}[ht] + \hspace{-1.5cm} + \resizebox{0.9\textwidth}{!}{\begin{minipage}{\textwidth} + \colorlet{BFH-table}{BFH-MediumBlue!10} + \colorlet{BFH-tablehead}{BFH-MediumBlue!50} + \setupBfhTabular + \begin{tabular}{lll} + \rowcolor{BFH-tablehead} + \textbf{Field} & \textbf{Type} & \textbf{Value} \\ + r\_pub\_0 & String & 32 Bytes encoded in Crockford base32 Hex \\ + r\_pub\_1 & String & 32 Bytes encoded in Crockford base32 Hex \\ + \end{tabular} + \end{minipage}} + \end{table} + \end{itemize} +\end{frame} + +\begin{frame}{\faIcon{code} Withdraw Protocol} + \begin{columns}[c] + \begin{column}{.48\textwidth} + \begin{itemize} + \item Available under {\color{blue}\texttt{POST /reserves/[reserve]/withdraw}} + \item Request data: \\ + \begin{table}[ht] + \hspace{-3cm} + \resizebox{0.55\textwidth}{!}{\begin{minipage}{\textwidth} + \colorlet{BFH-table}{BFH-MediumBlue!10} + \colorlet{BFH-tablehead}{BFH-MediumBlue!50} + \setupBfhTabular + \begin{tabular}{ll} + \rowcolor{BFH-tablehead} + \textbf{Field} & \textbf{Value} \\ + denom\_pub\_hash & Denomination Public Key \\ + 
coin\_ev & RSA blinded coin public key \\ + reserve\_sig & Signature over the request using the reserve's private key \\ + \end{tabular} + \end{minipage}} + \end{table} + \item Adjusted coin\_ev field (RSA): \\ + \begin{table}[ht] + \hspace{-3cm} + \resizebox{0.58\textwidth}{!}{\begin{minipage}{\textwidth} + \colorlet{BFH-table}{BFH-MediumBlue!10} + \colorlet{BFH-tablehead}{BFH-MediumBlue!50} + \setupBfhTabular + \begin{tabular}{lll} + \rowcolor{BFH-tablehead} + \textbf{Field} & \textbf{Type} & \textbf{Value} \\ + cipher & Integer & Denomination cipher: 1 stands for RSA \\ + rsa\_blinded\_planchet & String & RSA blinded coin public key \\ + \end{tabular} + \end{minipage}} + \end{table} + \end{itemize} + \end{column} + \hfill + \begin{column}{.48\textwidth} + \begin{itemize} + \item CS coin\_ev field: \\ + \begin{table}[ht] + \hspace{-3cm} + \resizebox{0.55\textwidth}{!}{\begin{minipage}{\textwidth} + \colorlet{BFH-table}{BFH-MediumBlue!10} + \colorlet{BFH-tablehead}{BFH-MediumBlue!50} + \setupBfhTabular + \begin{tabular}{lll} + \rowcolor{BFH-tablehead} + \textbf{Field} & \textbf{Type} & \textbf{Value} \\ + cipher & Integer & Denomination cipher: 2 stands for CS \\ + cs\_nonce & String & 32 Bytes encoded in Crockford base32 Hex \\ + cs\_blinded\_c0 & String & 32 Bytes encoded in Crockford base32 Hex \\ + cs\_blinded\_c1 & String & 32 Bytes encoded in Crockford base32 Hex \\ + \end{tabular} + \end{minipage}} + \end{table} + \item Response: \\ + \begin{table}[ht] + \hspace{-3.5cm} + \resizebox{0.5\textwidth}{!}{\begin{minipage}{\textwidth} + \colorlet{BFH-table}{BFH-MediumBlue!10} + \colorlet{BFH-tablehead}{BFH-MediumBlue!50} + \setupBfhTabular + \begin{tabular}{lll} + \rowcolor{BFH-tablehead} + \textbf{Field} & \textbf{Type} & \textbf{Value} \\ + cipher & Integer & Denomination cipher: 2 stands for CS \\ + b & Integer & CS signature session identifier (either 0 or 1) \\ + s & String & signature scalar (32 Bytes encoded in Crockford base32 Hex) \\ + \end{tabular} + 
\end{minipage}} + \end{table} + \end{itemize} + \end{column} + \end{columns} +\end{frame} + +\begin{frame}{\faIcon{code} Withdraw Protocol} + \framesubtitle{Implementation details} + \begin{itemize} + \item Idempotency check - has the coin already been withdrawn? + \begin{itemize} + \item RSA: Hash over message (blinded coin) + \item CS: Hash over nonce and denomination public key + \end{itemize} + \item Additional denomination cipher check + \item Various changes related to parsing, persistence and response + \end{itemize} +\end{frame} + +\begin{frame}{\faIcon{code} Minor Security Fix} + \begin{itemize} + \item Recap: RSA idempotency check uses blinded coin hash + \item Issue: + \begin{itemize} + \item Wallet withdraws a coin + \item Withdraw same coin referencing different denomination + \item Exchange returns signature of first withdraw due to idempotency check + \item Invalid signature - open complaint at auditor + \item Auditor is able to disprove + \end{itemize} + \item Solution: add denomination to coin hash + \end{itemize} +\end{frame} + +\begin{frame}{\faIcon{code} Deposit Protocol} + \begin{columns}[c] + \begin{column}{.48\textwidth} + \begin{itemize} + \item Available under {\color{blue}\texttt{POST /coins/[coin public key]/deposit}} + \item Request: many fields, only coin\_sig relevant for CS + \item Content (RSA): \\ + \begin{table}[ht] + \hspace{-2cm} + \resizebox{0.65\textwidth}{!}{\begin{minipage}{\textwidth} + \colorlet{BFH-table}{BFH-MediumBlue!10} + \colorlet{BFH-tablehead}{BFH-MediumBlue!50} + \setupBfhTabular + \begin{tabular}{lll} + \rowcolor{BFH-tablehead} + \textbf{Field} & \textbf{Type} & \textbf{Value} \\ + cipher & Integer & Denomination cipher: 1 stands for RSA \\ + rsa\_signature & String & Unblinded RSA signature \\ + \end{tabular} + \end{minipage}} + \end{table} + \end{itemize} + \end{column} + \hfill + \begin{column}{.48\textwidth} + \begin{itemize} + \item coin\_sig content for CS: \\ + \begin{table}[ht] + \hspace{-3.3cm} + 
\resizebox{0.45\textwidth}{!}{\begin{minipage}{\textwidth} + \colorlet{BFH-table}{BFH-MediumBlue!10} + \colorlet{BFH-tablehead}{BFH-MediumBlue!50} + \setupBfhTabular + \begin{tabular}{lll} + \rowcolor{BFH-tablehead} + \textbf{Field} & \textbf{Type} & \textbf{Value} \\ + cipher & Integer & Denomination cipher: 2 stands for CS \\ + cs\_signature\_r & String & Curve point $ R' $ (32 Bytes encoded in Crockford base32 Hex) \\ + cs\_signature\_s & String & Signature scalar (32 Bytes encoded in Crockford base32 Hex) \\ + \end{tabular} + \end{minipage}} + \end{table} + \item Add denomination cipher check + \item Signature verification (CS security module) + \item Adjusted persistence + \end{itemize} + \end{column} + \end{columns} +\end{frame} + + +% TODO: Refresh + + +% Wallet +\begin{frame}{\faIcon{wallet} {\color{red} \textit{New:} } Wallet Cryptographic Routines} + \framesubtitle{Wallet Implementation} + \begin{columns}[T] % align columns + \begin{column}{.48\textwidth} + \begin{itemize} + \item Programming language: Typescript + \item libsodium.js for group operations + \item cryptographic routines implemented + \item tested with test vectors from C implementation + \end{itemize} + + Missing: + \begin{itemize} + \item Add support for two denomination types (together with Taler team) + \item integration test with exchange + \end{itemize} + \end{column}% + \hfill% + \begin{column}{.48\textwidth} + \begin{center} + \includegraphics[width=4.8cm]{images/stock1s.jpg} + \end{center} + {\tiny graphics source: \url{https://taler.net/images/stock1s.jpg}} + \end{column}% + \end{columns} +\end{frame} diff --git a/presentations/2022-cs/content/5-results.tex b/presentations/2022-cs/content/5-results.tex 
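Review bot: The `Withdraw Protocol / Implementation details` slide presents the CS idempotency check (hash over nonce and denomination public key) only as a duplicate-withdraw check, although the protocol-redesign section makes the nonce check the guard against the private-key recovery shown there; the slide should say that on a repeated (nonce, denomination) pair the exchange returns the stored signature and never signs again with the same nonce, e.g. `\item CS: hash over nonce and denomination public key (this is also the nonce reuse check: the stored signature is returned, never re-signed)`. In the `POST /csr` request table the value column for `denom\_pub\_hash` reads `Denomination Public Key` while the field is its hash; `denom\_pub\_hash & String & Hash of the denomination public key, encoded in Crockford base32 \\` would be consistent with the withdraw table. The encoding phrase `Crockford base32 Hex`, repeated in every table, names two different encodings; if it is Crockford base32, as Taler uses for binary values in JSON, drop `Hex`. On the CS Security Module slide, `The CS Security Module have sole access` and `secuity module` need `has` and `security`.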
@@ -0,0 +1,150 @@
+\section{\faIcon{gem} Results}
+% Discussion
+\begin{frame}{\faIcon{gem} Security Assumptions}
+ \framesubtitle{RSA Blind Signature's \& Clause Blind Schnorr Signature's}
+ Scheme comparison:
+ \begin{itemize}
+ \item \faIcon{hashtag} Number of blinding secrets
+ \item \faIcon{exchange-alt} Number of round trips
+ \item \faIcon{calculator} CS signatures do most computations twice
+ \end{itemize}
+ Security assumptions
+ \begin{itemize}
+ \item Both Schemes are considered \textbf{perfectly blind}
+ \item RSA depends on factoring large numbers being hard.
+ \item Schnorr Signatures depends on computing the discrete logarithm being hard
+ \item Clause Blind Schnorr Signatures additionally rely on the modified ROS problem being hard
+ \item ROS is a recent research topic, and not as well researched
+ \end{itemize}
+\end{frame}
+
+\begin{frame}{\faIcon{gem} CPU Performance}
+ \begin{center}
+ \resizebox{0.7\textwidth}{!}{\begin{minipage}{\textwidth}
+ \begin{bfhBox}[BFH-MediumBlue]{Setup}
+ CPU: 8-core AMD Ryzen 7 PRO 5850U \\
+ OS: Ubuntu 21.10 Linux 5.13.0-25-generic \\
+ \end{bfhBox}
+ \end{minipage}}
+ \resizebox{0.8\textwidth}{!}{\begin{minipage}{\textwidth}
+ \vspace{0.5cm}
+ \begin{table}[ht]
+ \centering
+ \colorlet{BFH-table}{BFH-MediumBlue!10}
+ \colorlet{BFH-tablehead}{BFH-MediumBlue!50}
+ \setupBfhTabular
+ \begin{tabular}{lrrr}
+ \rowcolor{BFH-tablehead}
+ \textbf{Operation} & \textbf{CS} & \textbf{RSA 1024 bit} & \textbf{RSA 3072 bit} \\\hline
+ 10x key generation & 0.204 ms & 126 ms & 2684 ms \\\hline
+ 10x blind & 3.870 ms & 1.282 ms & 5 ms \\\hline
+ 10x signing & 0.077 ms & 7 ms & 86 ms \\\hline
+ 10x unblinding & 0.001 ms & 2.991 ms & 24 ms \\\hline
+ 10x verifying & 1.358 ms & 0.876 ms & 3.075 ms \\\hline
+ \end{tabular}
+ \end{table}
+ \end{minipage}}
+ \end{center}
+\end{frame}
+
+\begin{frame}{\faIcon{gem} Disk Space \& Bandwidth}
+ \begin{center}
+ Signatures: {\footnotesize $\langle s,R \rangle$}\\
+
+ \vspace{0.2cm}
+ \resizebox{0.65\textwidth}{!}{\begin{minipage}{\textwidth}
+ \begin{table}[ht]
+ \centering
+ \colorlet{BFH-table}{BFH-MediumBlue!10}
+ \colorlet{BFH-tablehead}{BFH-MediumBlue!50}
+ \setupBfhTabular
+ \begin{tabular}{lccr}
+ \rowcolor{BFH-tablehead}
+ \textbf{Signature Scheme} & \textbf{Disk Space} & \textbf{Factor} & \textbf{Disk Space 1M signatures} \\\hline
+ CS & 512 bits & 1x & 64 MB \\\hline
+ RSA 1024 bit & 1024 bits & 2x & 128 MB \\\hline
+ RSA 2048 bit & 2048 bits & 4x & 256 MB \\\hline
+ RSA 3072 bit & 3072 bits & 6x & 384 MB \\\hline
+ RSA 4096 bit & 4096 bits & 8x & 512 MB \\\hline
+ \end{tabular}
+ \end{table}
+ \end{minipage}}
+ \\Wallet disk space: {\footnotesize $\langle c_s,s,R_0,R_1,D_p \rangle$}\\
+
+ \vspace{0.2cm}
+ \resizebox{0.65\textwidth}{!}{\begin{minipage}{\textwidth}
+ \begin{table}[ht]
+ \centering
+ \colorlet{BFH-table}{BFH-MediumBlue!10}
+ \colorlet{BFH-tablehead}{BFH-MediumBlue!50}
+ \setupBfhTabular
+ \begin{tabular}{lccr}
+ \rowcolor{BFH-tablehead}
+ \textbf{Signature Scheme} & \textbf{Disk Space} & \textbf{Factor} & \textbf{Disk Space 1M coins} \\\hline
+ CS 256 bits & 150 bytes & 1x & 160 MB \\\hline
+ RSA 1024 bit & 416 bytes & 2.6x & 416 MB \\\hline
+ RSA 2048 bit & 800 bits & 5x & 800 MB \\\hline
+ RSA 3072 bit & 1184 bits & 7.4x & 1184 MB \\\hline
+ RSA 4096 bit & 1568 bits & 9.8x & 1568 MB \\\hline
+ \end{tabular}
+ \end{table}
+ \end{minipage}}
+ \end{center}
+\end{frame}
+
+\begin{frame}{\faIcon{gem} Latency}
+ \begin{itemize}
+ \item CS introduces an additional round trip
+ \item A coin should not be spent immediately after withdrawal or refresh
+ \item Additional round trip is therefore \textit{negligible}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}{\faIcon{gem} Comparison Conclusion}
+ \begin{itemize}
+ \item \faIcon{bolt} CS has overall better performance regarding speed, disk space and bandwidth
+ \item \faIcon{exchange-alt} Additional round-trip is negligible
+ \item \faIcon{calculator} CS has an additional, newer security assumption called ROS
+ \item \faIcon{bomb} Risk can be calculated and capped by denomination key lifetime
+ \end{itemize}
+ % Risk etc.
+ % better overall
+\end{frame}
+
+\begin{frame}{\faIcon{gem} Acknowledgement}
+ \begin{itemize}
+ \item Christian Grothoff
+ \item Jeffrey Burdges
+ \item Jacob Appelbaum
+ \item Florian Dold
+ \vspace{0.5cm}
+ {\\We would also like to thank Mr. Benoist and Mr. Voisard for the guidance during our thesis.}
+ \end{itemize}
+\end{frame}
+
+\begin{frame}{\faIcon{gem} Future Work}
+ \begin{itemize}
+ \item Refresh and other protocols (tipping, deposit, refund, etc.)
+ \item Wallet
+ \item Merchant
+ \item Security Audit
+ \item CS implementation on other curves
+ \item Exchange API documentation
+ \item Exchange operator guideline for when to use CS
+ \end{itemize}
+\end{frame}
+
+\begin{frame}{\faIcon{gem} Personal Conclusion}
+ \begin{itemize}
+ \item \faIcon{sort-amount-down-alt} From high-level down to code
+ \item \faIcon{swimmer} Challenging at times, pushed through with persistence
+ \item \faIcon{wind} Motivation grew with every completed step
+ \item \faIcon{code} C:
+ \begin{itemize}
+ \item Respect from it, but went well (cough macros cough)
+ \item Well designed APIs
+ \item Integrate new variables without RSA-counterpart
+ \end{itemize}
+ \item \faIcon{piggy-bank} Hope to pay with own code in the future!
+ \end{itemize}
+\end{frame}
diff --git a/presentations/2022-cs/images/architecture-exchange.jpg b/presentations/2022-cs/images/architecture-exchange.jpg Binary files differ.
diff --git a/presentations/2022-cs/images/blind-coin.png b/presentations/2022-cs/images/blind-coin.png Binary files differ.
diff --git a/presentations/2022-cs/images/blind-sign.png b/presentations/2022-cs/images/blind-sign.png Binary files differ.
diff --git a/presentations/2022-cs/images/coins.jpg b/presentations/2022-cs/images/coins.jpg Binary files differ.
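Review bot: In the `Wallet disk space` table the Disk Space column mixes units and one value contradicts its own row: `CS 256 bits & 150 bytes & 1x & 160 MB` gives 150 bytes for a 1M-coin total of 160 MB, while 160 bytes is what the factor column (416/160 = 2.6, 800/160 = 5, 1184/160 = 7.4, 1568/160 = 9.8) and the five presumably 32-byte values in $\langle c_s,s,R_0,R_1,D_p \rangle$ imply, and the RSA 2048/3072/4096 rows say `bits` although their MB column only adds up for bytes. Suggested rows: `CS & 160 bytes & 1x & 160 MB \\\hline`, `RSA 2048 bit & 800 bytes & 5x & 800 MB \\\hline`, and likewise `1184 bytes` and `1568 bytes` for the last two rows. The subtitle of the Security Assumptions slide has stray possessives and should read `RSA Blind Signatures \& Clause Blind Schnorr Signatures`. `\textit{negligible}` on the Latency slide is emphasis and reads better as `\emph{negligible}`.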
diff --git a/presentations/2022-cs/images/curve25519.png b/presentations/2022-cs/images/curve25519.png Binary files differ. diff --git a/presentations/2022-cs/images/cutandchose.png b/presentations/2022-cs/images/cutandchose.png Binary files differ. diff --git a/presentations/2022-cs/images/dh-lock.png b/presentations/2022-cs/images/dh-lock.png Binary files differ. diff --git a/presentations/2022-cs/images/diagram-simple.png b/presentations/2022-cs/images/diagram-simple.png Binary files differ. diff --git a/presentations/2022-cs/images/final.JPG b/presentations/2022-cs/images/final.JPG Binary files differ. diff --git a/presentations/2022-cs/images/gnunet-logo.png b/presentations/2022-cs/images/gnunet-logo.png Binary files differ. diff --git a/presentations/2022-cs/images/logo-2021.png b/presentations/2022-cs/images/logo-2021.png Binary files differ. diff --git a/presentations/2022-cs/images/planchet.png b/presentations/2022-cs/images/planchet.png Binary files differ. diff --git a/presentations/2022-cs/images/refresh-derive-rsa.png b/presentations/2022-cs/images/refresh-derive-rsa.png Binary files differ. diff --git a/presentations/2022-cs/images/refresh-derive.png b/presentations/2022-cs/images/refresh-derive.png Binary files differ. diff --git a/presentations/2022-cs/images/stock1s.jpg b/presentations/2022-cs/images/stock1s.jpg Binary files differ. diff --git a/presentations/2022-cs/images/taler-pki.png b/presentations/2022-cs/images/taler-pki.png Binary files differ. diff --git a/presentations/2022-cs/images/unblind-coin.png b/presentations/2022-cs/images/unblind-coin.png Binary files differ. diff --git a/presentations/2022-cs/images/withdraw1.png b/presentations/2022-cs/images/withdraw1.png Binary files differ. diff --git a/presentations/2022-cs/images/withdraw2.png b/presentations/2022-cs/images/withdraw2.png Binary files differ. 
diff --git a/presentations/2022-cs/poster/Plakat Bachelorthesis.pdf b/presentations/2022-cs/poster/Plakat Bachelorthesis.pdf Binary files differ. diff --git a/presentations/2022-cs/poster/Plakat Bachelorthesis.pptx b/presentations/2022-cs/poster/Plakat Bachelorthesis.pptx Binary files differ. diff --git a/presentations/2022-cs/presentation.pdf b/presentations/2022-cs/presentation.pdf Binary files differ. diff --git a/presentations/2022-cs/presentation.tex b/presentations/2022-cs/presentation.tex 
@@ -0,0 +1,99 @@
+\documentclass[
+ english,%globale Übergabe der Hauptsprache
+ aspectratio=169,%Beamer eigene Option zum Umschalten des Formates
+ % logofile=logo-2021, %Falls die Logo Dateien nicht vorliegen
+ authorontitle=true,
+]{bfhbeamer}
+
+%will also be acessible via option sidebar=true/false
+\useoutertheme{BFH-sidebar}
+
+\version{1.0}
+
+\usepackage[main=ngerman]{babel}
+% To use icons
+\usepackage{fontawesome5}
+
+% Der folgende Block ist nur bei pdfTeX auf Versionen vor April 2018 notwendig
+\usepackage{iftex}
+\ifPDFTeX
+\usepackage[utf8]{inputenc}%kompatibilität mit TeX Versionen vor April 2018
+\fi
+
+%Crypto Grafiken
+\usepackage{cryptocode}
+%\usepackage{amsmath}
+
+%BFH Boxes
+% see BFH example for usage, looks nice!<<
+\LoadBFHModule{listings,terminal,boxes}
+
+\usepackage{tikz}
+%Makros für Formatierungen der Doku
+%Im Allgemeinen nicht notwendig!
+\let\code\texttt
+
+\title{Adding Schnorr’s blind signature in Taler - Defence}
+% \subtitle{}
+\author{Gian Demarmels \and Lucien Heuzeveldt {\tiny\\ Advisor: Prof. Dr. Emmanuel Benoist\newline Expert: Elektronikingenieur HTL Daniel Voisard}}
+\titlegraphic*{\includegraphics{images/logo-2021.png}}%is only used with BFH-graphic and BFH-fullgraphic
+
+%Activate the output of a frame number:
+\setbeamertemplate{page number in head/foot}[framenumber]
+\setbeamertemplate{author in sidebar}
+
+% automatisch am Anfang einer Section eine Section-Folie anzeigen
+\AtBeginSection{\sectionpage}
+\setbeamertemplate{section page}[BFH-ruled]
+
+
+\begin{document}
+
+% Aufhänger - Welche der beiden Münzen wollt ihr lieber in eurer Brieftasche herumtragen?
+% In den nächsten 15 Minuten erzählen wir euch, wie wir in Taler Unterstützung für Clause Blind Schnorr Signaturen eingeführt haben und was das für Taler bedeutet.
+% Mit diesen Signaturen erreichen wir unter anderem eine leichtgewichtigere Münze
+
+% Zeit: 1min
+
+\setbeamertemplate{title page}[BFH-graphic]
+\maketitle
+
+\begin{frame}{\faIcon{bars} Content}
+ \begin{columns}[c] % align columns
+ \begin{column}{.45 \textwidth}
+ \begin{itemize}
+ \item \faIcon{flag-checkered} Goals \& Project Management % Chap 1,2
+ \item \faIcon{coins} Preliminaries % Chap 3
+ \item \faIcon{clipboard-list} Protocol Redesign % Chap 4
+ \item \faIcon{code} Specification \& Implementation % Chap 5,6
+ \item \faIcon{gem} Results % Chap 7,8
+ \end{itemize}
+ \end{column}%
+ \hfill%
+ \begin{column}{.58\textwidth}
+ \includegraphics[width=6.9cm]{images/coins.jpg}
+ \end{column}%
+ \end{columns}
+\end{frame}
+
+% Gian
+\input{content/1-goals-projectmgmt.tex}
+
+% Gian
+\input{content/2-preliminaries.tex}
+
+% Lucien
+\input{content/3-protocol-redesign.tex}
+
+% beide
+\input{content/4-implementation.tex}
+
+% beide
+\input{content/5-results.tex}
+
+\begin{frame}{\faIcon{comments} Let's talk!}
+ \begin{center}
+ \includegraphics[width=10.5cm]{images/final.JPG}
+ \end{center}
+\end{frame}
+\end{document}
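Review bot: `\usepackage[main=ngerman]{babel}` makes German the main language while the class option on the first line is `english` and all slide text is English, so hyphenation patterns and babel-generated strings follow German; `\usepackage[main=english]{babel}` (or plain `\usepackage{babel}` so the class option applies) would match the content. `%\usepackage{amsmath}` is commented out although the content files use `align*` and `\text{}`, which presumably compile only because bfhbeamer or cryptocode loads amsmath; loading it explicitly records the dependency. In `\title{Adding Schnorr’s blind signature in Taler - Defence}` the spaced hyphen should be a dash, `Taler -- Defence`.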