marketing

esorics2022.tex (27554B)

---

 %\pdfminorversion=3
 \documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer}
 \include{setup}
 
 \title{Zero-Knowledge Age Restriction for GNU Taler}
 %\subtitle{}
 
 \setbeamertemplate{navigation symbols}{%
 	\includegraphics[width=1.6cm]{images/fub.pdf}
 	\hspace{1em}
 	\includegraphics[width=2.3cm]{images/bfh.png}
 	\includegraphics[width=1cm]{images/taler-logo-2020.jpg}
 	\includegraphics[width=1cm]{images/fraunhofer.png}
 	\hfill%
 }
 %\setbeamercovered{transparent=1}
 
 \author[Özgür Kesim]{{\bf Özgür Kesim}, Christian Grothoff,\\ Florian Dold, Martin Schanzenbach}
 \date{September 26, 2022\\
 	\includegraphics[width=4cm]{images/esorics2022.png}}
 \institute{FU Berlin, BFH Bern, Taler Systems SA, Fraunhofer AISEC}
 
 
 \begin{document}
 
 \justifying
 
 \begin{frame}
   \titlepage
 \end{frame}
 
 %\begin{frame}
 %  \begin{center}
 %    \LARGE {\bf Zero-Knowledge Age Restriction\\for GNU Taler}
 %
 %    \vfill
 %  \end{center}
 % Substitute based on who is giving the talk!
 %  \vfill
 %	\begin{tabular}{rl}
 %		\bf Özgür Kesim\href{mailto:o.kesim@fu-berlin.de}{\small \Envelope} & \small Freie Universität Berlin, Germany \\
 %		Christian Grothoff & \small Bern University of Applied Sciences, Switzerland \\
 %		Florian Dold & \small Taler Systems SA, Luxembourg \\
 %		Martin Schanzenbach &\small  Fraunhofer AISEC, Germany \\
 %	\end{tabular}
 %\end{frame}
 
 \section{Introduction}
 
 \begin{frame}{Age restriction in E-commerce}
 
 	\begin{description}
 		\item[Problem:]~\\[1em]
 			Verification of minimum age requirements in e-commerce.\\[2em]
 
 		\item[Common solutions:]
 
 \begin{tabular}{l<{\onslide<2->}c<{\onslide<3->}cr<{\onslide}}
 	& \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount]
 	1. ID Verification     & bad   & required & \\[\medskipamount]
 	2. Restricted Accounts & bad   & required & \\[\medskipamount]
 	3. Attribute-based     & good  & required &\tikzmark{bottomau} \\[\medskipamount]
 \end{tabular}
 	\end{description}
 
 \uncover<4->{
 	\begin{tikzpicture}[overlay,remember picture]
 	\draw[orange,thick,rounded corners]
 		($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$);
 	\end{tikzpicture}
 	\begin{center}
 	\bf Principle of Subsidiarity is violated
 	\end{center}
 }
 \end{frame}
 
 
 \begin{frame}{Principle of Subsidiarity}
 \begin{center} \Large
 	Functions of government---such as granting and restricting
 	rights---should be performed\\
 	{\it at the lowest level of authority possible},\\
 	as long as they can be performed {\it adequately}.
 \end{center}
 \vfill
 \uncover<2->{
 	For age-restriction, the lowest level of authority is:\\
 	\begin{center}\Large
 	Parents, guardians and caretakers
 	\end{center}
 }
 \end{frame}
 
 \begin{frame}{Our contribution}
 Design and implementation of an age restriction scheme\\
 with the following goals:
 
 \begin{enumerate}
 \item It ties age restriction to the \textbf{ability to pay} (not to ID's)
 \item maintains \textbf{anonymity of buyers}
 \item maintains \textbf{unlinkability of transactions}
 \item aligns with \textbf{principle of subsidiartiy}
 \item is \textbf{practical and efficient}
 \end{enumerate}
 
 \end{frame}
 
 
 \section{Age Restriction}
 
 \begin{frame}{Age restriction}
 	\framesubtitle{Assumptions and scenario}
 
 	\begin{columns}
 		\column{7.5cm}
 	\begin{itemize}
 		\item<1-> Assumption: Checking accounts are under control of eligible adults/guardians.
 		\item<2-> \textit{Guardians} \textbf{commit} to an maximum age
 		\item<3-> \textit{Minors} \textbf{attest} their adequate age
 		\item<4-> \textit{Merchants} \textbf{verify} the attestations
 		\item<5-> Minors \textbf{derive} age commitments from existing ones
 		\item<6-> \textit{Exchanges} \textbf{compare} the derived age commitments
 	\end{itemize}
 		\column{5cm}
 		\uncover<7->
 		{
 		\begin{center}
 		\fontsize{7pt}{7pt}\selectfont
 	\begin{tikzpicture}[scale=.5]
 		\node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=15pt,fill=black!15] at (  0:0) (Client) {$\Child$};
 		\node[circle,minimum size=15pt,fill=black!15] at (  0:4) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=15pt,fill=blue!15]  at (140:3) (Guardian) {$\Guardian$};
 
 		\draw[->] (Guardian)   to [out=50,in=130, loop] node[above]
 			{$\Commit$} (Guardian);
 		\draw[->,blue] (Client)   to [out=-125,in=-190, loop] node[below,left]
 			{\blue{$\Attest$}} (Client);
 		\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
 			{\blue{$\Verify$}} (Merchant);
 		\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
 			{\orange{$\Derive$}} (Client);
 		\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
 			{\orange{$\Compare$}} (Exchange);
 
 		\draw[orange,|->] (Client)   to node[sloped,above,align=left]
 			{\orange{\scriptsize }} (Exchange);
 		\draw[blue,|->] (Client)   to node[sloped, above]
 			{\blue{\scriptsize }} (Merchant);
 		\draw[,|->] (Guardian) to node[above,sloped,align=left]
 			{{\scriptsize }} (Client);
 	\end{tikzpicture}
 		\end{center}
 		}
 	\end{columns}
 	\vfill
 	\uncover<7->{Note: Scheme is independent of payment service protocol.}
 \end{frame}
 
 
 \begin{frame}{Formal Function Signatures}
 \small 
 Searching for functions \uncover<2->{with the following signatures}
 \begin{align*}
 	&\bf \Commit\uncover<2->{:
 		&(\age, \omega) &\mapsto (\commitment, \pruf)
 		&\scriptstyle \N_\Age \times \Omega &\scriptstyle \to \Commitments\times\Proofs,
 		}
 	\\
 	&\bf \Attest\uncover<3->{:
 		&(\minage, \commitment, \pruf) &\mapsto \attest
 		&\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\},
 		}
 	\\
 	&\bf \Verify\uncover<4->{:
 		&(\minage, \commitment, \attest) &\mapsto b
 		&\scriptstyle \N_\Age\times\Commitments\times\Attests &\scriptstyle \to \Z_2,
 		}
 	\\
 	&\bf \Derive\uncover<5->{:
 		&(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf', \blinding)
 		&\scriptstyle \Commitments\times\Proofs\times\Omega &\scriptstyle \to \Commitments\times\Proofs\times\Blindings,
 		}
 	\\
 	&\bf \Compare\uncover<6->{:
 		&(\commitment, \commitment', \blinding) &\mapsto b
 		&\scriptstyle \Commitments\times\Commitments\times\Blindings &\scriptstyle \to \Z_2,
 		}
 \end{align*}
 	\uncover<7->{
 		with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$
 		sufficiently large sets.\\[1em]
 		Basic and security requirements are defined later.\\[2em]
 	}
 
 		\scriptsize
 	\uncover<2->{
 		Mnemonics:\\
 		$\Commitments=$ \textit{c$\Commitments$mmitments},
 		$\commitment=$ \textit{Q-mitment} (commitment),
 		$\Proofs=$ \textit{$\Proofs$roofs},
 	}
 	\uncover<3->{
 		$\pruf=$ \textit{$\pruf$roof},\\
 		$\Attests=$ \textit{a$\Attests$testations},
 		$\attest=$ \textit{a$\attest$testation},
 	}
 	\uncover<5->{
 		$\Blindings=$ \textit{$\Blindings$lindings},
 		$\blinding=$ \textit{$\blinding$linding}.
 	}
 \end{frame}
 
 \begin{frame}{Age restriction}
 	\framesubtitle{Naïve scheme}
 	\begin{center}
 	\begin{tikzpicture}[scale=.85]
 		\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=20pt,fill=black!15] at (  0:0) (Client) {$\Child$};
 		\node[circle,minimum size=20pt,fill=black!15] at (  0:4) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=20pt,fill=blue!15]  at (140:3) (Guardian) {$\Guardian$};
 
 		\draw[->] (Guardian)   to [out=50,in=130, loop] node[above]
 			{$\Commit$} (Guardian);
 		\draw[->,blue] (Client)   to [out=-125,in=-190, loop] node[below,left]
 			{\blue{$\Attest$}} (Client);
 		\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
 			{\blue{$\Verify$}} (Merchant);
 		\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
 			{\orange{$\Derive$}} (Client);
 		\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
 			{\orange{$\Compare$}} (Exchange);
 
 		\draw[orange,|->] (Client)   to node[sloped,above,align=left]
 			{\orange{\scriptsize }} (Exchange);
 		\draw[blue,|->] (Client)   to node[sloped, above]
 			{\blue{\scriptsize }} (Merchant);
 		\draw[,|->] (Guardian) to node[above,sloped,align=left]
 			{{\scriptsize }} (Client);
 	\end{tikzpicture}
 	\end{center}
 \end{frame}
 
 \begin{frame}{Achieving Unlinkability}
 	\begin{columns}
 		\column{3cm}
 		\begin{center}
 		\fontsize{8pt}{9pt}\selectfont
 		\begin{tikzpicture}[scale=.65]
 			\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
 			\node[circle,minimum size=20pt,fill=black!15] at (  0:0) (Client) {$\Child$};
 
 			\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
 				{\orange{$\footnotesize \Derive()$}} (Client);
 			\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
 				{\orange{$\footnotesize \Compare()$}} (Exchange);
 
 			\draw[orange,|->] (Client)   to node[sloped,above,align=left]
 				{\orange{\tiny \uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange);
 		\end{tikzpicture}
 		\end{center}
 
 		\column{9cm}
 	Simple use of $\Derive()$ and $\Compare()$ is problematic.
 
 	\begin{itemize}
 		\item<2-> Calling $\Derive()$ iteratively generates sequence 
 			$(\commitment_0, \commitment_1, \dots)$ of commitments.
 		\item<2-> Exchange calls $\Compare(\commitment_i, \commitment_{i+1}, .)$ 
 		\item[$\implies$]\uncover<3->{\bf Exchange identifies sequence}
 		\item[$\implies$]\uncover<3->{\bf Unlinkability broken}
 	\end{itemize}
 	\end{columns}
 \end{frame}
 
 \begin{frame}{Achieving Unlinkability}
 	Define cut\&choose protocol \orange{$\DeriveCompare$},
 	using $\Derive()$ and $\Compare()$.\\[0.5em]
 	\uncover<2->{
 	Sketch:
 	\small
 	\begin{enumerate}
 		\item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$ 
 			from $\commitment_0$ \\
 			by calling $\Derive()$ with blindings $(\beta_1,\dots,\beta_\kappa)$
 		\item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$
 		\item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$
 		\item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly
 		\item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$
 		\item $\Exchange$ compares $h_0$ and 
 			$H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\
 			and evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$.
 	\end{enumerate}
 	\vfill
 	Note: Scheme is similar to the {\it refresh} protocol in GNU Taler.
 	}
 \end{frame}
 
 \begin{frame}{Achieving Unlinkability}
 	With \orange{$\DeriveCompare$}
 	\begin{itemize}
 		\item $\Exchange$ learns nothing about $\commitment_\gamma$,
 		\item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty,
 		\item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat.
 	\end{itemize}
 	\vfill
 	Note: Still need Derive and Compare to be defined.
 \end{frame}
 
 \begin{frame}{Refined scheme}
 
 	\begin{tikzpicture}[scale=.8]
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:0) (Client)   {$\Child$};
 		\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:5) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=25pt,fill=blue!15]  at (130:3) (Guardian) {$\Guardian$};
 
 		\draw[orange,<->] (Client)   to node[sloped,below,align=center]
 			{\orange{$\DeriveCompare$}} (Exchange);
 		\draw[blue,->] (Client)   to node[sloped, below]
 			{\blue{$(\attest_\minage, \commitment)$}} (Merchant);
 
 		\draw[->] (Guardian)   to [out=150,in=70, loop] node[above]
 			{$\Commit(\age)$} (Guardian);
 		\draw[->] (Guardian)   to node[below,sloped]
 			{($\commitment$, $\pruf_\age$)} (Client);
 		\draw[->,blue] (Client)   to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
 		\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
 	\end{tikzpicture}
 \end{frame}
 
 % \begin{frame}{Achieving Unlinkability}
 % 	\scriptsize
 % 	$\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\
 % 	\vfill
 % 	$\DeriveCompare(\commitment, \pruf, \omega) =$
 % \begin{itemize}
 % \it
 % 	\itemsep0.5em
 % 	\item[$\Child$:]
 % 		\begin{enumerate}
 % 				\scriptsize
 % 			\itemsep0.3em
 % 			\item for all $i \in \{1,\dots,\kappa\}:
 % 				(\commitment_i,\pruf_i,\beta_i) \leftarrow \Derive(\commitment, \pruf, \omega + i)$
 % 			\item $h \leftarrow \Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa) \big)$
 % 			\item send $(\commitment, h)$ to $\Exchange$
 % 		\end{enumerate}
 % 	\item[$\Exchange$:]
 % 		\begin{enumerate}
 % 			\setcounter{enumi}{4}
 % 				\scriptsize
 % 			\itemsep0.3em
 % 			\item save $(\commitment, h)$ \label{st:hash}
 % 			\item $\gamma \drawfrom \{1,\dots ,\kappa\}$
 % 			\item send $\gamma$ to $\Child$
 % 		\end{enumerate}
 % 	\item[$\Child$:]
 % 		\begin{enumerate}
 % 			\setcounter{enumi}{7}
 % 
 % 				\scriptsize
 % 			\itemsep0.3em
 % 			\item $h'_\gamma \leftarrow \Hash(\commitment_\gamma, \beta_\gamma)$
 % 			\item $\mathbf{E}_\gamma \leftarrow \big[(\commitment_1,\beta_1),\dots,
 % 				(\commitment_{\gamma-1}, \beta_{\gamma-1}),
 % 				\Nil,
 % 				(\commitment_{\gamma+1}, \beta_{\gamma+1}),
 % 				\dots,(\commitment_\kappa, \beta_\kappa)\big]$
 % 			\item send $(\mathbf{E}_\gamma, h'_\gamma)$ to $\Exchange$
 % 		\end{enumerate}
 % 	\item[$\Exchange$:]
 % 		\begin{enumerate}
 % 			\setcounter{enumi}{10}
 % 				\scriptsize
 % 			\itemsep0.3em
 % 			\item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow \Hash(\mathbf{E}_\gamma[i])$
 % 			\item if $h \stackrel{?}{\neq} \HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$ return 0
 % 			\item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}$:
 % 				if $0 \stackrel{?}{=} \Compare(\commitment,\commitment_i, \beta_i)$ return $0$
 % 			\item return 1
 % 		\end{enumerate}
 % \end{itemize}
 % \end{frame}
 
 \begin{frame}{Basic Requirements}
 
 	Candidate functions 
 	\[ (\Commit, \Attest, \Verify, \Derive, \Compare) \]
 	must first meet \textit{basic} requirements:
 
 	\begin{itemize}
 		\item Existence of attestations
 		\item Efficacy of attestations
 		\item Derivability of commitments and attestations
 	\end{itemize}
 \end{frame}
 
 \begin{frame}{Basic Requirements}
 	\framesubtitle{Formal Details}
 
 	\begin{description}
 		\item[Existence of attestations]
 			{\scriptsize
 			\begin{align*}
 				\Forall_{\age\in\N_\Age \atop \omega \in \Omega}:
 				\Commit(\age, \omega) =: (\commitment, \pruf)
 				\implies 
 				\Attest(\minage, \commitment, \pruf) =
 				\begin{cases}
 					\attest \in \Attests, \text{ if } \minage \leq \age\\
 					\Nil \text{ otherwise}
 				\end{cases}
 			\end{align*}}
 		\item[Efficacy of attestations]
 			{\scriptsize
 			\begin{align*}
 				\Verify(\minage, \commitment, \attest) = \
 				\begin{cases}
 					1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\
 					0 \text{ otherwise}
 				\end{cases}
 			\end{align*}}
 
 			{\scriptsize
 			\begin{align*}
 				\forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1.
 			\end{align*}}
 		\item[etc.]
 	\end{description}
 \end{frame}
 
 %\begin{frame}{Requirements}
 %	\framesubtitle{Details}
 %
 %	\begin{description}
 %		\item[Derivability of commitments and proofs:]~\\[0.1em]
 %		{\scriptsize
 %		Let \begin{align*}
 %			\age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\
 %			(\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\
 %			(\commitment_1, \pruf_1, \blinding) & \leftarrow  \Derive(\commitment_0, \pruf_0, \omega_1).
 %		\end{align*}
 %		We require
 %		\begin{align*}
 %			\Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity}
 %		\end{align*}
 %		and for all $n\leq\age$:
 %		\begin{align*}
 %					\Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &%
 %					=
 %					\Verify(n, \commitment_0,  \Attest(n, \commitment_0,  \pruf_0))
 %		\end{align*}}
 %	\end{description}
 %\end{frame}
 
 \begin{frame}{Security Requirements}
 	Candidate functions must also meet \textit{security} requirements.
 	Those are defined via security games:
 	\begin{itemize}
 		\item Game: Age disclosure by commitment or attestation
 		\item[$\leftrightarrow$] Requirement: Non-disclosure of age
 			\vfill
 
 		\item Game: Forging attestation
 		\item[$\leftrightarrow$] Requirement: Unforgeability of
 			minimum age
 			\vfill
 
 		\item Game: Distinguishing derived commitments and attestations
 		\item[$\leftrightarrow$] Requirement: Unlinkability of
 			commitments and attestations
 
 	\end{itemize}
 	\vfill
 
 	Meeting the security requirements means that adversaries can win
 	those games only with negligible advantage.
 	\vfill
 	Adversaries are arbitrary polynomial-time algorithms, acting on all
 	relevant input.
 \end{frame}
 
 \begin{frame}{Security Requirements}
 	\framesubtitle{Simplified Example}
 
 	\begin{description}
 		\item[Game $\Game{FA}(\lambda)$---Forging an attest:]~\\
 	{\small
 	\begin{enumerate}
 		\item $ (\age, \omega)	\drawfrom	\N_{\Age-1}\times\Omega $
 		\item $ (\commitment, \pruf)	\leftarrow	\Commit(\age, \omega) $
 		\item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$
 		\item Return 0 if $\minage \leq \age$
 		\item Return $\Verify(\minage,\commitment,\attest)$
 	\end{enumerate}
 	}
 	\vfill
 	\item[Requirement: Unforgeability of minimum age]
 		{\small
 	\begin{equation*}
 		\Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}:
 		\Probability\Big[\Game{FA}(\lambda) = 1\Big] \le \negl(\lambda)
 	\end{equation*}
 	}
 	\end{description}
 \end{frame}
 
 \section{Solution/Instantiation}
 
 \begin{frame}{Solution: Instantiation with ECDSA}
 %	\framesubtitle{Definition of Commit}
 
 	\begin{description}
 		\item[To Commit to age (group) $\age \in \{1,\dots,\Age\}$]~\\
 		\begin{enumerate}
 			\item<2-> Guardian generates ECDSA-keypairs, one per age (group):
 				\[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\]
 			\item<3-> Guardian then \textbf{drops} all private keys
 				$p_i$ for $i > \age$:
 				\[\Big \langle(q_1, p_1),\dots, 
 					(q_\age, p_\age), 
 					(q_{\age +1}, \red{\Nil}),\dots, 
 					(q_\Age, \red{\Nil})\Big\rangle\]
 
 				\begin{itemize}
 					\item $\Vcommitment := (q_1, \dots, q_\Age)$ is the \textit{Commitment},
 					\item $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$ is the \textit{Proof}
 				\end{itemize}
 				\vfill
 			\item<4-> Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$
 				\vfill
 		\end{enumerate}
 	\end{description}
 \end{frame}
 
 \begin{frame}{Instantiation with ECDSA}
 	\framesubtitle{Definitions of Attest and Verify}
 
 	Child has 
 	\begin{itemize}
 		\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $,
 		\item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
 	\end{itemize}
 	\begin{description}
 		\item<2->[To \blue{Attest} a minimum age $\blue{\minage} \leq \age$:]~\\
 			Sign a message with ECDSA using private key $p_\blue{\minage}$
 	\end{description}
 
 	\vfill
 
 	\uncover<3->{
 	Merchant gets 
 	\begin{itemize}
 		\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $
 		\item Signature $\sigma$
 	\end{itemize}
 	\begin{description}
 		\item<4->[To \blue{Verify} a minimum age $\minage$:]~\\
 			Verify the ECDSA-Signature $\sigma$ with public key $q_\minage$.
 	\end{description}
 	}
 	\vfill
 \end{frame}
 
 \begin{frame}{Instantiation with ECDSA}
 	\framesubtitle{Definitions of Derive and Compare}
 	Child has 
 	$\Vcommitment = (q_1, \dots, q_\Age) $ and 
 	$\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
 	\begin{description}
 		\item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:]
 			Choose random $\beta\in\Z_g$ and calculate
 			\small
 			\begin{align*}
 				\Vcommitment' &:= \big(\beta * q_1,\ldots,\beta * q_\Age\big),\\
 				\Vpruf' &:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big)
 			\end{align*}
 			Note: $ (\beta p_i)*G = \beta*(p_i*G)  = \beta*q_i$\\
 			\scriptsize $\beta*q_i$ is scalar multiplication on the elliptic curve.
 	\end{description}
 
 		\vfill
 	\uncover<3->{
 		Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$
 	\begin{description}
 		\item[To \blue{Compare}, calculate:]
 			\small
 		$(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)$
 	\end{description}
 	\vfill
 	}
 \end{frame}
 
 \begin{frame}{Instantiation with ECDSA}
 
 	Functions
 	(Commit, Attest, Verify, Derive, Compare)\\
 	as defined in the instantiation with ECDSA\\[0.5em]
 	\begin{itemize}
 		\item meet the basic requirements,\\[0.5em]
 		\item also meet all security requirements.\\
 		Proofs by security reduction, details are in the paper.
 	\end{itemize}
 
 \end{frame}
 
 
 % \begin{frame}{Instantiation with ECDSA}
 % 	\framesubtitle{Full definitions}
 % 	\scriptsize
 % 
 % \begin{align*}
 % 	\Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle
 % 		\overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\;
 % 		\overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf \text{, length }\Age}
 % 		\Big\rangle\\
 % 	\Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:=
 % 		\begin{cases}
 % 			\attest_\bage := \Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage] \stackrel{?}{\neq} \Nil\\
 % 			\Nil & \text{otherwise}
 % 		\end{cases}\\
 % %
 % 	\Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:= \Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\
 % %
 % 	\Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:=
 % 		\Big\langle(\beta * q_1,\ldots,\beta * q_\Age),
 % 		     (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta \Big\rangle \\
 % 		     & \text{ with } \beta := \FDHg{\omega} \text{ and multiplication } \beta p_i \text{ modulo } g \nonumber\\
 % %
 % 	\Compare_E(\Vcommitment, \Vcommitment', \beta)	&:=
 % 		\begin{cases}
 % 			1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\
 % 			0 & \text{otherwise}
 % 		\end{cases}
 % \end{align*}
 % \end{frame}
 
 \section{Integration with GNU Taler}
 
 \begin{frame}{GNU Taler}
 	\framesubtitle{https://www.taler.net}
 	\begin{columns}
 		\column{4cm}
 		\fontsize{8pt}{9pt}\selectfont
 	\begin{tikzpicture}[scale=.55]
 		\node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$};
 		\node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$};
 		\node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$};
 
 		\draw[<->] (Customer)   to [out=65,in=220] node[sloped,above] {\sf withdraw} (Exchange);
 		\draw[<->] (Customer)   to [out=45,in=240] node[sloped,below] {\sf refresh} (Exchange);
 		\draw[<->] (Customer)   to node[sloped, below] {\sf purchase} (Merchant);
 		\draw[<->] (Merchant) to node[sloped, above] {\sf deposit} (Exchange);
 	\end{tikzpicture}
 		\column{8cm}
 		\begin{itemize}
 			\item Protocol suite for online payment services
 			\item Based on Chaum's blind signatures
 			% \item Taxable, efficient, free software
 			\item Allows for change and refund (F. Dold)
 			\item Privacy preserving: anonymous and unlinkable payments
 		\end{itemize}
 	\end{columns}
 
 	\vfill
 	\uncover<2->{
 	\begin{itemize}
 		\item Coins are public-/private key-pairs $(C_p, c_s)$.
 		\item Exchange blindly signs $\FDH(C_p)$ with denomination key $d_p$
 		\item Verification:
 		\begin{eqnarray*}
 			1  &\stackrel{?}{=}&
 			\mathsf{SigCheck}\big(\FDH(C_p), D_p, \sigma_p\big)
 		\end{eqnarray*}
 		\scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature)
 
 	\end{itemize}
 	}
 \end{frame}
 
 \begin{frame}{Integration with GNU Taler}
 	\framesubtitle{Binding age restriction to coins}
 
 	To bind an age commitment $\commitment$ to a coin $C_p$, instead of
 	signing $\FDH(C_p)$, $\Exchange$ now blindly signs 
 	\begin{center}
 		$\FDH(C_p, \orange{H(\commitment)})$
 	\end{center}
 
 	\vfill
 	Verfication of a coin now requires $H(\commitment)$, too:
 	\begin{center}
 		$1  \stackrel{?}{=}
 		\mathsf{SigCheck}\big(\FDH(C_p, \orange{H(\commitment)}), D_p, \sigma_p\big)$
 	\end{center}
 	\vfill
 \end{frame}
 
 \begin{frame}{Integration with GNU Taler}
 	\framesubtitle{Integrated schemes}
 	\fontsize{8pt}{9pt}\selectfont
 	\begin{tikzpicture}[scale=.9]
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:0) (Client)   {$\Child$};
 		\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:5) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=25pt,fill=blue!15]  at (130:3) (Guardian) {$\Guardian$};
 
 		\draw[<->] (Guardian)   to  node[sloped,above,align=center]
 			{{\sf withdraw}\orange{, using}\\ $\FDH(C_p\orange{, H(\commitment)})$} (Exchange);
 		\draw[<->] (Client)   to node[sloped,below,align=center]
 			{{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange);
 		\draw[<->] (Client)   to node[sloped, below]
 			{{\sf purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant);
 		\draw[<->] (Merchant) to node[sloped, above]
 			{{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange);
 
 		\draw[->] (Guardian)   to [out=70,in=150, loop] node[above]
 			{$\Commit(\age)$} (Guardian);
 		\draw[->] (Guardian)   to node[below,sloped]
 			{($\commitment$, $\pruf_\age$)} (Client);
 		\draw[->,blue] (Client)   to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
 		\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
 	\end{tikzpicture}
 \end{frame}
 
 \begin{frame}{Instantiation with Edx25519}
 	Paper also formally defines another signature scheme: Edx25519.\\[1em]
 
 	\begin{itemize}
 		\item Scheme already in use in GNUnet,
 		\item based on EdDSA (Bernstein et al.),
 		\item generates compatible signatures and
 		\item allows for key derivation from both, private and public keys, independently.
 	\end{itemize}~\\[1em]
 
 	Current implementation of age restriction in GNU Taler uses Edx25519.
 \end{frame}
 
 \section{Discussion, Related Work, Conclusion}
 
 \begin{frame}{Discussion}
 	\begin{itemize}
 		\item Our solution can in principle be used with any token-based payment scheme
 		\item GNU Taler best aligned with our design goals (security, privacy and efficiency)
 		\item Subsidiarity requires bank accounts being owned by adults
 			\begin{itemize}
 			\item Scheme can be adapted to case where minors have bank accounts
 				\begin{itemize}
 					\item Assumption: banks provide minimum age
 						information during bank
 						transactions.
 					\item Child and Exchange execute a variant of
 						the cut\&choose protocol.
 				\end{itemize}
 			\end{itemize}
 		\item Our scheme offers an alternative to identity management systems (IMS)
 	\end{itemize}
 \end{frame}
 \begin{frame}{Related Work}
 	\begin{itemize}
 		\item Current privacy-perserving systems all based on attribute-based credentials (Koning et al., Schanzenbach et al., Camenisch et al., Au et al.)
 		\item Attribute-based approach lacks support: 
 			\begin{itemize}
 				\item Complex for consumers and retailers
 				\item Requires trusted third authority
 			\end{itemize}
 		\vfill
 		\item Other approaches tie age-restriction to ability to pay ("debit cards for kids")
 			\begin{itemize}
 				\item Advantage: mandatory to payment process
 				\item Not privacy friendly
 			\end{itemize}
 	\end{itemize}
 \end{frame}
 
 \begin{frame}{Conclusion}
 	Age restriction is a technical, ethical and legal challenge.
 
 	Existing solutions are
 	\begin{itemize}
 		\item without strong protection of privacy or
 		\item based on identity management systems (IMS)
 	\end{itemize}
 	\vfill
 
 	Our scheme offers a solution that is
 	\begin{itemize}
 		\item based on subsidiarity
 		\item privacy preserving
 		\item efficient
 		\item an alternative to IMS
 	\end{itemize}
 \end{frame}
 
 
 \end{document}