commit d456bd738bc0f1f49054ca32750c65c935de2a10
parent 310b8871d453281e3fd1f634624e44198e9d0a5a
Author: Christian Grothoff <grothoff@gnunet.org>
Date: Tue, 18 Nov 2025 17:09:24 +0100
refactor TeX structure
Diffstat:
5 files changed, 1 insertion(+), 505 deletions(-)
diff --git a/presentations/comprehensive/2025-ethz.tex b/presentations/comprehensive/2025-ethz.tex
@@ -789,511 +789,7 @@ But of course we use modern instantiations.
\vfill
\end{frame}
-
-\begin{frame}{Giving change}
- It would be inefficient to pay EUR 100 with 1 cent coins!
- \begin{itemize}
- \item Denomination key represents value of a coin.
- \item Exchange may offer various denominations for coins.
- \item Wallet may not have exact change!
- \item Usability requires ability to pay given sufficient total funds.
- \end{itemize}\pause
- Key goals:
- \begin{itemize}
- \item maintain unlinkability
- \item maintain taxability of transactions
- \end{itemize}\pause
- Method:
- \begin{itemize}
- \item Contract can specify to only pay {\em partial value} of a coin.
- \item Exchange allows wallet to obtain {\em unlinkable change}
- for remaining coin value.
- \end{itemize}
-\end{frame}
-
-
-\begin{frame}{Deterministic Signatures}
- \vfill
- \begin{minipage}{8cm}
- \begin{itemize}
- \item Some public key operations depend on a nonce or ``random'' value
- \begin{itemize}
- \item Example: ElGamal (encryption), DSA/ECDSA (signing)
- \item[+] same plaintext, different ciphertext
- \item[-] security may break on nonce-reuse
- \end{itemize}
- \item Generating the nonce deterministically by hashing all inputs
- (see also: Fiat-Shamir transformation) can make these algorithms
- {\bf deterministic}
- \begin{itemize}
- \item Example: EdDSA
- \end{itemize}
- \end{itemize}
- \end{minipage}
- \begin{minipage}{5cm}
- Deterministic signatures:
- \begin{center}
- \includegraphics[width=0.6\textwidth]{ecollect.jpeg}
-
- $=$
-
- \includegraphics[width=0.6\textwidth]{detsig.pdf}
- \end{center}
- \end{minipage}
- \vfill
- \note[item]{Before we can introduce the change protocol, we need to consider that
- not all cryptographic signatures are deterministic.}
- \note[item]{Following modern approach to e-collecting, we will use the image on
- the right to illustrate {\bf deterministic} signatures.}
- \note[item]{Replacing random inputs or nonces with hashes is a common trick to
- make signature algorithms deterministic.}
-\end{frame}
-
-
-\begin{frame}{Strawman solution}
- \begin{minipage}{8cm}
- Given partially spent private coin key $c_{old}$:
- \begin{enumerate}
-% \item Let $C_{old} := c_{old}G$ (as before)
- \item Generate random $c_{new} \mod o$ as private key
- \item Compute public key $C_{new} = c_{new}G$
- \item Generate random $b_{new}$
- \item Compute $f_{new} := FDH(C_{new})$, $m < n$.
- \item Transmit $f'_{new} := f_{new} b_{new}^e \mod n$
- \end{enumerate}
- ... and sign request for change with $c_{old}$.
- \end{minipage}
- \begin{minipage}{4cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (blinded) [def, draw=none]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (planchet) [def, draw=none, above left= of blinded] {\includegraphics[width=0.15\textwidth]{planchet.pdf}};
- \node (cnew) [def, draw=none, above= of planchet] {$c_{new}$};
- \node (bnew) [def, draw=none, above right= of blinded] {$b_{new}$};
- \node (dice1) [def, draw=none, above = of cnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (dice2) [def, draw=none, above = of bnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (cnew) -- (dice1) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (planchet) -- (cnew) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bnew) -- (dice2) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bnew) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
-\end{frame}
-
-
-\begin{frame}{Problem}
-\vfill
-\begin{center}
- Owner of $c_{new}$ may differ from owner of $c_{old}$!
-\end{center}
-\vfill
-\end{frame}
-
-
-\begin{frame}{Customer: Transfer setup (DETSIG)}
- \begin{minipage}{10cm}
- Given partially spent private coin key $c_{old}$:
- \begin{enumerate}
- \item Let $C_{old} := c_{old}G$ (as before)
- \item Create random nonce $t$
- \item Compute deterministic signature $X := DETSIG_{c_{old}}(t)$
- \item Derive $c_{new}$ and $b_{new}$ from $X$ using HKDF
- \item Compute $C_{new} := c_{new}G$
- \item Compute $f_{new} := FDH(C_{new})$
- \item Transmit $f_{new}' := f_{new} b_{new}^e$
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{3cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (t) [def, draw=none] at (0,0) {$t$};
- \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (X) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf}};
- \node (d) [def, draw=none, above left= of X] {$c_{old}$};
- \node (cp) [def, draw=none, below left= of X] {$c_{new}$};
- \node (bp) [def, draw=none, below right= of X] {$b_{new}$};
- \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (exchange) [def, draw, below =of blinded]{Exchange};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (X) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (X) -- (t) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (X) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (X) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
- \note[item]{In this construction, we {\em derive} the blinding factor $b_{new}$ and
- the private key of the new coin $c_{new}$ from the DH of the $c_{old}$ and a newly
- created transfer key $t$. Note that it is a bit unusual but perfectly find that
- we here have {\bf both} private keys to compute the DH.}
- \note[item]{The resulting blinded public key of the new coin
- (public key derivation and blinding are elided to keep the diagram concise) is
- then signed with $c_{old}$ to request change.}
- \note[item]{This approach has an obvious problem: from the perspective of the
- Exchange, we cannot even tell that the user followed this procedure as the
- resulting request with the blinded coin is indistinguishable from the previous
- construction.}
-\end{frame}
-
-
-\begin{frame}{Cut-and-Choose}
- \begin{minipage}{3cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (t) [def, draw=none] at (0,0) {$t_1$};
- \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_1$)};
- \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$};
- \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (exchange) [def, draw, below =of blinded]{Exchange};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
- \hfill
- \begin{minipage}{3cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (t) [def, draw=none] at (0,0) {$t_2$};
- \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_2$)};
- \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,2}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,2}$};
- \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (exchange) [def, draw, below =of blinded]{Exchange};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
- \hfill
- \begin{minipage}{3cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (t) [def, draw=none] at (0,0) {$t_3$};
- \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_3$)};
- \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$};
- \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (exchange) [def, draw, below =of blinded]{Exchange};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
- \note[item]{This DH-construction thus obviously does not work, so in the usual
- approach of an insane person, we don't just do it once, but three times
- using three different transfer keys $t_1$, $t_2$, and $t_3$ instead of just $t$.}
- \note[item]{Now, before you decide that we have just gone mad, this is actually
- a well-known technique called {\bf cut-and-choose}. Here, we do a protocol
- step multiple times to basically be able to {\bf burn} some of these iterations
- to {\bf prove} our honesty.}
- \note[item]{There are also {\bf non-interactive} cut-and-choose protocols, but
- this one is a simple interactive one.}
-\end{frame}
-
-
-\begin{frame}{Exchange: Choose!}
- \begin{center}
- \item Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the customer.
- \end{center}
- \note[item]{This is the typical interaction: the Exchange picks one of the
- three at random, basically deciding on which iterations to challenge the
- wallet's honesty.}
- \note[item]{$\gamma$ primarily needs to be {\bf unpredictable} for the wallet.}
- \note[item]{Note that the protocol has a security parameter $\kappa=3$, and
- so the wallet could guess correctly in $\frac{1}{3}$ of the cases. Usually
- in security we would think of this to be way too low, and you will see much
- higher values in other cut-and-choose protocols. But, we will see why
- $\kappa=3$ is actually enough for GNU Taler!}
-\end{frame}
-
-
-\begin{frame}{Customer: Reveal}
- \vfill
- \begin{enumerate}
- \item If $\gamma = 1$, send $\langle t_2, X_2 \rangle$, $\langle t_3, X_3 \rangle$ to exchange
- \item If $\gamma = 2$, send $\langle t_1, X_1 \rangle$, $\langle t_3, X_3 \rangle$ to exchange
- \item If $\gamma = 3$, send $\langle t_1, X_1 \rangle$, $\langle t_2, X_2 \rangle$ to exchange
- \end{enumerate}
- \vfill
- \note[item]{So given the $\gamma$ challenge value, the wallet
- has to send back the $t_i$ values for $i\not=\gamma$.}
-\end{frame}
-
-
-\begin{frame}{Exchange: Verify ($\gamma = 2$)}
- \begin{minipage}{3cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (h) [def, draw=none] at (0,0) {$t_1$};
- \node (dh) [def, draw=none, below left=of h]{\includegraphics[width=0.2\textwidth]{detverify.pdf}};
- \node (d) [def, draw=none, above left= of dh] {$C_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$};
- \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \end{tikzpicture}
- \end{minipage}
- \hfill
- \begin{minipage}{3cm}
- \
- \end{minipage}
- \hfill
- \begin{minipage}{3cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (h) [def, draw=none] at (0,0) {$t_3$};
- \node (dh) [def, draw=none, below left=of h]{\includegraphics[width=0.2\textwidth]{detverify.pdf}};
- \node (d) [def, draw=none, above left= of dh] {$C_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$};
- \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \end{tikzpicture}
- \end{minipage}
- \note[item]{Given those two values the exchange can {\bf validate} the
- construction as it can compute the DH from the {\bf transfer private keys} $t_i$
- and the {\bf coin public key} $C_{old}$.}
- \note[item]{If the result matches with the original request from the wallet,
- the exchange has established that with $\frac{2}{3}$ probability the wallet
- made an honest request for change following the prescribed construction.}
- \note[item]{If the wallet is unable (or unwilling) to produce the required
- $t_i$ values, or if the resulting blinded values do not match, the entire
- change is forfeit, and the customer looses their money.}
- \note[item]{Thus, trying to cheat on income-transparency is punished with
- what amounts to a {\bf 66.67\% tax}. Thus, a security level of $\kappa$
- is sufficient as long as the {\em effective} income tax (after deductions,
- on the full income) is below $\frac{\kappa - 1}{\kappa}$.
- Taler always uses $\kappa=3$.}
-\end{frame}
-
-
-\begin{frame}{Exchange: Blind sign change (RSA)}
- \begin{minipage}{5cm}
- \begin{enumerate}
- \item Take $f_{new,\gamma}'$.
- \item Compute \\
- $s' := f_{new,\gamma}'^d \mod n$.
- \item Return signature $s'$.
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{5cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}};
- \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
- \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (customer) -- (signed) node [midway, right] (TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
- \note[item]{If the customer's request did follow the DH-construction, the exchange takes the
- third envelope, the one where $t_\gamma$ was not disclosed, and signs this one to issue the
- change.}
-\end{frame}
-
-
-\begin{frame}{Customer: Unblind change (RSA)}
- \vfill
- \begin{minipage}{8cm}
- \begin{enumerate}
- \item Receive $s'$.
- \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$.
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{5cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
- \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$};
- \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
- \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
- \end{tikzpicture}
- \end{minipage}
- \vfill
- \note[item]{As with the ordinary blind-signature based withdraw, the customer can
- then unblind the signature and has a valid coin.}
- \note[item]{Without knowledge of $c_{old}$ or $t_\gamma$, the coins derived from this
- process are indistinguishable from coins that were withdrawn directly from an account.}
- \note[item]{Most importantly, without knowledge of $t_\gamma$ or $c_{old}$,
- the $c_{new}$ is unlinkable to $c_{old}$.}
-\end{frame}
-
-\begin{frame}{Exchange: Allow linking change}
- \begin{minipage}{5cm}
- \begin{center}
- Given $C_{old}$
-
- \vspace{1cm}
-
- return $t_\gamma$ and
- \begin{equation*}
- s := s' b_{new,\gamma}^{-1} \mod n.
- \end{equation*}
- \end{center}
- \end{minipage}
- \begin{minipage}{5cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer sep=.3em];
- \node (co) [def, draw=none] at (0,0) {$C_{old}$};
- \node (T) [def, draw=none, below left=of co]{$t_\gamma$};
- \node (sign) [def, draw=none, below right=of co]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
- \node (customer) [def, draw, below right=of T] {Customer};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode) {link};
- \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode) {link};
- \end{tikzpicture}
- \end{minipage}
- \note[item]{But, how does this address the issue that $c_{old}$ may have a different
- owner from $c_{new,\gamma}$? Well, so far it does not! In principle, the envelope can
- easily be constructed by someone who was not the original owner of $c_{old}$.}
- \note[item]{So how does this help? Well, the exchange has one more sub-protocol,
- which is the {\bf link} protocol. Given the old coin's public key, $C_{old}$,
- it returns $t_\gamma$, the {\bf public transfer key}, and the blind signature
- over the new coin that was rendered as change.}
- \note[item]{Note that this is a request that the owner of $c_{old}$ can always
- trivially make, as they know $C_{old}$.}
- \note[item]{So how does that help?}
-\end{frame}
-
-
-\begin{frame}{Customer: Link (threat!)}
- \begin{minipage}{6.5cm}
- \begin{enumerate}
- \item Have $c_{old}$.
- \item Obtain $T_\gamma$, $s$ from exchange
- \item Compute $X_\gamma = DETSIG_{c_{old}}(t_\gamma)$
- \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$
- \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6.5cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 0.75em and 1em, inner sep=0em, outer sep=.3em];
- \node (T) [def, draw=none] at (0,0) {$t_\gamma$};
- \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange};
- \node (signed) [def, draw=none, below left=of T]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
- \node (dh) [def, draw=none, below right=of T]{\includegraphics[width=0.2\textwidth]{detsig.pdf} ($X_\gamma$)};
- \node (bp) [def, draw=none, below left= of dh] {$b_{new,\gamma}$};
- \node (co) [def, draw=none, above right= of dh] {$c_{old}$};
- \node (cp) [def, draw=none, below right= of dh] {$c_{new,\gamma}$};
- \node (coin) [def, draw=none, below left = of bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
- \node (psign) [def, node distance=1.5em and 0em, draw=none, below = of cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}};
-
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode) {link};
- \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped] (TextNode) {link};
- \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped] (TextNode) {};
- \end{tikzpicture}
- \end{minipage}
- \note[item]{Well, given these two values, the owner of the original $c_{old}$ can
- {\bf again} compute the DETSIG (from $c_{old}$ and $t_\gamma$), and then
- also derive $c_{new,\gamma}$ and also unblind the exchange's signature using $b_{new,\gamma}$.}
- \note[item]{As a result, the owner of the old coin can always compute the change,
- and thus is effectively {\bf also} always an owner of the change rendered!}
- \note[item]{Thus, we have {\bf reduced} the possibility of abusing the change
- protocol for a transaction that would result in a {\bf mutually exclusive transfer
- of ownership} to the case where the ownership of the change is {\bf shared}.}
- \note[item]{But, we previously explained that {\bf sharing} is not something we can
- or would care to prevent, so the change protocol does not weaken income transparency.}
-\end{frame}
-
-
-\begin{frame}{Refresh protocol summary}
- \begin{itemize}
- \item Customer asks exchange to convert old coin to new coin
- \item Protocol ensures new coins can be recovered from old coin
- \item[$\Rightarrow$] New coins are owned by the same entity!
- \end{itemize}
- Thus, the refresh protocol allows:
- \begin{itemize}
- \item To give unlinkable change.
- \item To give refunds to an anonymous customer.
- \item To expire old keys and migrate coins to new ones.
- \item To handle protocol aborts.
- \end{itemize}
- \noindent
- \begin{center}
- \bf
- Transactions via refresh are equivalent to {\em sharing} a wallet.
-\end{center}
-\end{frame}
+\input refresh.tex
\section{Component Zoo}
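Review bot: The added `\input refresh.tex` pulls in a file that is not among the five files this commit touches, so the deck only builds if `refresh.tex` already exists in `presentations/comprehensive/` with the refresh slides in it. The slides removed here load `detsig.pdf` and `detverify.pdf`, which this same commit renames to `unisig.pdf` and `univerify.pdf`. `refresh.tex`, and any other deck in that directory that still includes the old names, needs checking for `\includegraphics` references to `detsig` or `detverify`; that is not visible from this diff. As a style point, the braced LaTeX form `\input{refresh}` is preferable to the plain-TeX form, which ends the file name at the first space.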
diff --git a/presentations/comprehensive/detsig.pdf b/presentations/comprehensive/unisig.pdf
Binary files differ.
diff --git a/presentations/comprehensive/detsig.svg b/presentations/comprehensive/unisig.svg
diff --git a/presentations/comprehensive/detverify.pdf b/presentations/comprehensive/univerify.pdf
Binary files differ.
diff --git a/presentations/comprehensive/detverify.svg b/presentations/comprehensive/univerify.svg