oenb.tex (49720B)
1 \pdfminorversion=3 2 \documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer} 3 \usepackage{amsmath} 4 \usepackage{multimedia} 5 \usepackage[utf8]{inputenc} 6 \usepackage{framed,color,ragged2e} 7 \usepackage[absolute,overlay]{textpos} 8 \definecolor{shadecolor}{rgb}{0.8,0.8,0.8} 9 \usetheme{boxes} 10 \setbeamertemplate{navigation symbols}{} 11 \usepackage{xcolor} 12 \usepackage{tikz,eurosym} 13 \usepackage[normalem]{ulem} 14 \usepackage{listings} 15 \usepackage{adjustbox} 16 17 % CSS 18 \lstdefinelanguage{CSS}{ 19 basicstyle=\ttfamily\scriptsize, 20 keywords={color,background-image:,margin,padding,font,weight,display,position,top,left,right,bottom,list,style,border,size,white,space,min,width, transition:, transform:, transition-property, transition-duration, transition-timing-function}, 21 sensitive=true, 22 morecomment=[l]{//}, 23 morecomment=[s]{/*}{*/}, 24 morestring=[b]', 25 morestring=[b]", 26 alsoletter={:}, 27 alsodigit={-} 28 } 29 30 % JavaScript 31 \lstdefinelanguage{JavaScript}{ 32 basicstyle=\ttfamily\scriptsize, 33 morekeywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break}, 34 morecomment=[s]{/*}{*/}, 35 morecomment=[l]//, 36 morestring=[b]", 37 morestring=[b]' 38 } 39 40 \lstdefinelanguage{HTML5}{ 41 basicstyle=\ttfamily\scriptsize, 42 language=html, 43 sensitive=true, 44 alsoletter={<>=-}, 45 morecomment=[s]{<!-}{-->}, 46 tag=[s], 47 otherkeywords={ 48 % General 49 >, 50 % Standard tags 51 <!DOCTYPE, 52 </html, <html, <head, <title, </title, <style, </style, <link, </head, <meta, />, 53 % body 54 </body, <body, 55 % Divs 56 </div, <div, </div>, 57 % Paragraphs 58 </p, <p, </p>, 59 % scripts 60 </script, <script, 61 % More tags... 62 <canvas, /canvas>, <svg, <rect, <animateTransform, </rect>, </svg>, <video, <source, <iframe, </iframe>, </video>, <image, </image> 63 }, 64 ndkeywords={ 65 % General 66 =, 67 % HTML attributes 68 charset=, src=, id=, width=, height=, style=, type=, rel=, href=, 69 % SVG attributes 70 fill=, attributeName=, begin=, dur=, from=, to=, poster=, controls=, x=, y=, repeatCount=, xlink:href=, 71 % CSS properties 72 margin:, padding:, background-image:, border:, top:, left:, position:, width:, height:, 73 % CSS3 properties 74 transform:, -moz-transform:, -webkit-transform:, 75 animation:, -webkit-animation:, 76 transition:, transition-duration:, transition-property:, transition-timing-function:, 77 } 78 } 79 80 \lstdefinelanguage{JavaScript}{ 81 basicstyle=\ttfamily\scriptsize, 82 keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break, for}, 83 keywordstyle=\color{blue}\bfseries, 84 ndkeywords={class, export, boolean, throw, implements, import, this}, 85 ndkeywordstyle=\color{darkgray}\bfseries, 86 identifierstyle=\color{black}, 87 sensitive=false, 88 comment=[l]{//}, 89 morecomment=[s]{/*}{*/}, 90 commentstyle=\color{purple}\ttfamily, 91 stringstyle=\color{red}\ttfamily, 92 morestring=[b]', 93 morestring=[b]" 94 } 95 96 \usetikzlibrary{shapes,arrows} 97 \usetikzlibrary{positioning} 98 \usetikzlibrary{calc} 99 100 \title{GNU Taler as a Retail CBDC} 101 %\subtitle{} 102 103 \setbeamertemplate{navigation symbols}{\includegraphics[width=1cm]{inria.pdf} \includegraphics[width=2.3cm]{bfh.png} \includegraphics[width=1.6cm]{fub.pdf} \includegraphics[width=0.4cm]{ashoka.png} \includegraphics[width=0.4cm]{gnu.png} \includegraphics[width=1cm]{logo-2020.jpg} \hfill} 104 %\setbeamercovered{transparent=1} 105 106 \author[C. Grothoff]{{\bf C. Grothoff}} 107 \date{17.12.2021} 108 \institute{Taler Systems SA} 109 110 111 \begin{document} 112 113 \justifying 114 115 \begin{frame} 116 \begin{center} 117 \LARGE {\bf GNU} 118 119 \vfill 120 % \includegraphics[width=0.66\textwidth]{logo-2017-fr.pdf} 121 \includegraphics[width=0.66\textwidth]{logo-2020.jpg} 122 123 as a Retail CBDC 124 \vfill 125 \end{center} 126 \begin{textblock*}{6cm}(.5cm,7.7cm) % {block width} (coords) 127 {\Large {\bf \href{https://taler.net/}{taler.net}} \\ 128 \href{https://twitter.com/taler}{taler@twitter} \\ 129 \href{https://taler-systems.com/}{taler-systems.com}} 130 \end{textblock*} 131 132 % Substitute based on who is giving the talk! 133 \begin{textblock*}{6cm}(6.7cm,7.7cm) % {block width} (coords) 134 {%\hfill {\Large {\bf Florian Dold \&} \\ 135 \hfill {\bf Christian Grothoff} \\ 136 \hfill grothoff@taler.net } 137 \end{textblock*} 138 139 \end{frame} 140 141 \section{Introduction} 142 143 \begin{frame}{Main Points} 144 \framesubtitle{\url{https://taler.net/}} 145 Our CBDC: 146 \begin{itemize} 147 \item is token-based (no accounts), centrally issued (not DLT); as efficient and cost-effective 148 as modern real-time gross settlement (RTGS) systems operated by central banks; 149 \item is designed to provide an electronic equivalent to banknotes, therefore no material 150 impact on monetary policy and/or financial stability expected; 151 \item guarantees privacy for the payer, combined with KYC/AML/CFT compliance and 152 income transparency to ensure taxes are paid; 153 \item is implemented as Free/Libre and Open Source Software (FLOSS) to provide 154 transparency, accountability, and security (part of the GNU project). 155 \end{itemize} 156 \end{frame} 157 158 159 \begin{frame}{Payment Systems: Accounts vs. Tokens} 160 Two types of payment systems: 161 \begin{enumerate} 162 \item {\bf account-based system}: transfer occurs by charging the payer’s account and crediting 163 the payee’s account (e.g., bank deposits) 164 \item {\bf token-based (value-based) system}: transfer occurs by transferring the value itself, or a 165 token that represents the monetary asset (e.g., banknotes) 166 \end{enumerate} 167 Key Difference is the information carried by the information asset: 168 \begin{itemize} 169 \item account (assets): associated with a transaction history 170 \item token (assets): carry information about value and entity that issued the token 171 \end{itemize} 172 Bitcoin, and Distributed Ledger Technologies (DLTs) in general, are account-based systems! 173 Novelty is that the ledger is distributed (decentralized). 174 \end{frame} 175 176 177 \begin{frame}{Simplistic CBDC Designs} 178 \framesubtitle{\url{https://edwardsnowden.substack.com/p/cbdcs}} 179 \begin{itemize} 180 \item Account-based CBDC (e.g., Bindseil 2020, Berentsen and Schär 2018): 181 \begin{itemize} 182 \item simplest solution: central bank account for all 183 \item responsibility to perform KYC and ensure AML/CFT (could be outsourced); 184 \item potential for mass-surveillance (threat to CB independence); 185 \item in direct competition with commercial banks 186 \end{itemize} \pause 187 \item Token-based CBDC: 188 \begin{itemize} 189 \item requires a system to ensure that electronic tokens are not easily copied 190 (hardware-based or software-based) \\ $\rightarrow$ double-spending problem 191 \item KYC and AML/CFT compliance? 192 \end{itemize} 193 \end{itemize} 194 \end{frame} 195 196 197 \section{What is Taler?} 198 \begin{frame}{What is Taler?} 199 \begin{center} 200 Taler is an electronic instant payment system based on tokens. 201 \end{center} 202 \begin{itemize} 203 \item Uses electronic coins stored in {\bf wallets} on customer's device 204 \item Like {\bf cash} 205 \item Pay in {\bf existing currencies} (i.e. CHF, EUR, USD) 206 \end{itemize} 207 \vfill 208 \pause 209 \noindent 210 However, Taler is 211 \begin{itemize} 212 \item \emph{not} a currency 213 \item \emph{not} a long-term store of value 214 \item \emph{not} a network or instance of a system 215 \item \emph{not} decentralized 216 \item \emph{not} based on proof-of-work or proof-of-stake 217 \item \emph{not} a speculative asset / ``get-rich-quick scheme'' 218 \end{itemize} 219 \end{frame} 220 221 222 \begin{frame}{Some of the people behind GNU Taler} 223 {\tiny 224 \begin{itemize} 225 \item Prof. David Chaum (original research) 226 \item Dr. Florian Dold (cryptography, systems engineering) 227 \item Dr. Belén Barros Pena (UX design, accessibility) 228 \item Prof. Christian Grothoff (research \& development) 229 \item Prof. Andreas Habegger (research, hardware) 230 \item Dr. Thomas Moser (economics) 231 \item Dr. Richard Stallman (advisory) 232 \item Leon Schumacher, MBA (business) 233 \item Prof. Hansj\"urg Wenger (research, deployment) 234 \item Dr. Michael Widmer, MBA (legal) 235 \item Jonathan (iOS wallet) 236 \item Marcello (bank integration) 237 \item Marco (scalability, snack machine) 238 \item \"Ozg\"ur (security audit, age restrictions) 239 \item Sebastian (Web interface) 240 \item Stefan (documentation, project management) 241 \item Torsten (Andorid wallet) 242 \end{itemize} 243 } 244 \end{frame} 245 246 247 \begin{frame}{Design Principles} 248 \framesubtitle{https://taler.net/en/principles.html} 249 GNU Taler must ... 250 \begin{enumerate} 251 \item {... be implemented as {\bf free software}.} 252 \item {... protect the {\bf privacy of buyers}.} 253 \item {... must enable the state to {\bf tax income} and crack down on 254 illegal business activities.} 255 \item {... prevent payment fraud.} 256 \item {... only {\bf disclose the minimal amount of information 257 necessary}.} 258 \item {... be usable.} 259 \item {... be efficient.} 260 \item {... avoid single points of failure.} 261 \item {... foster {\bf competition}.} 262 \end{enumerate} 263 \end{frame} 264 265 266 \begin{frame}{The Big Picture} 267 \begin{center} 268 \includegraphics[width=0.8\textwidth]{bp.png} 269 \end{center} 270 \end{frame} 271 272 273 \begin{frame}{Taler: Unique Regulatory Features for CBs} 274 \framesubtitle{\url{https://www.snb.ch/en/mmr/papers/id/working_paper_2021_03}} 275 \begin{itemize} 276 \item Central bank issues digital coins equivalent to issuing cash \\ 277 $\Rightarrow$ monetary policy remains under CB control 278 \item Architecture with consumer accounts at commercial banks \\ 279 $\Rightarrow$ no competition for commercial banking (S\&L) \\ 280 $\Rightarrow$ CB does not have to manage KYC, customer support 281 \item Withdrawal limits and denomination expiration \\ 282 $\Rightarrow$ protects against bank runs and hoarding 283 \item Income transparency and possibility to set fees \\ 284 $\Rightarrow$ additional insights into economy and new policy options 285 \item Revocation protocols and loss limitations \\ 286 $\Rightarrow$ exit strategy and handles catastrophic security incidents 287 \item Privacy by cryptographic design not organizational compliance \\ 288 $\Rightarrow$ CB cannot be forced to facilitate mass-surveillance 289 \end{itemize} 290 \end{frame} 291 292 293 \begin{frame} 294 \frametitle{Taler Core Components} 295 \framesubtitle{\url{https://taler.net/en/docs.html}} 296 \begin{center} 297 \scalebox{0.3}{ 298 \begin{tikzpicture} 299 \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em]; 300 \node (origin) at (0,0) {}; 301 \node (exchange) [def,above=of origin,draw]{Exchange}; 302 \node (customer) [def, draw, below left=of origin] {Customer}; 303 \node (merchant) [def, draw, below right=of origin] {Merchant}; 304 \node (auditor) [def, draw, above right=of origin]{Auditor}; 305 % \node (regulator) [def, draw, above=of auditor]{CSSF}; 306 307 \tikzstyle{C} = [color=black, line width=1pt] 308 309 \draw [<-, C] (customer) -- (exchange) node [midway, above, sloped] (TextNode) {withdraw coins}; 310 \draw [<-, C] (exchange) -- (merchant) node [midway, above, sloped] (TextNode) {deposit coins}; 311 \draw [<-, C] (merchant) -- (customer) node [midway, above, sloped] (TextNode) {spend coins}; 312 \draw [<-, C] (exchange) -- (auditor) node [midway, above, sloped] (TextNode) {verify}; 313 % \draw [<-, C] (regulator) -- (auditor) node [midway, above, sloped] (TextNode) {report}; 314 315 \end{tikzpicture} 316 } 317 \end{center} 318 {%\tiny 319 \begin{itemize} 320 \item {\bf Exchange:} Service provider for digital cash 321 \begin{itemize} 322 \item Core exchange software (cryptography, database) 323 \item Air-gapped key management, real-time {\bf auditing} 324 \end{itemize} 325 \item {\bf Merchant:} Integration service for existing businesses 326 \begin{itemize} 327 \item Core merchant backend software (cryptography, database) 328 \item Back-office interface for staff 329 \item Frontend integration (E-commerce, Point-of-sale) 330 \end{itemize} 331 \item {\bf Wallet:} Consumer-controlled applications for e-cash 332 \begin{itemize} 333 \item Multi-platform wallet software (for browsers \& mobile phones) 334 \item Wallet backup storage providers 335 \end{itemize} 336 \end{itemize} 337 } 338 \end{frame} 339 340 341 \begin{frame}{Usability of Taler} 342 \vfill 343 \begin{center} 344 \url{https://demo.taler.net/} 345 \end{center} 346 \begin{enumerate} 347 \item Install browser extension. 348 \item Visit the {\tt bank.demo.taler.net} to withdraw coins. 349 \item Visit the {\tt shop.demo.taler.net} to spend coins. 350 \end{enumerate} 351 \vfill 352 \end{frame} 353 354 355 356 \begin{frame}{How does it work?} 357 \framesubtitle{\url{https://taler.net/papers/thesis-dold-phd-2019.pdf}} 358 We use a few ancient constructions: 359 \begin{itemize} 360 \item Cryptographic hash function (1989) 361 \item Blind signature (1983) 362 \item Schnorr signature (1989) 363 \item Diffie-Hellman key exchange (1976) 364 \item Cut-and-choose zero-knowledge proof (1985) 365 \end{itemize} 366 But of course we use modern instantiations. 367 \end{frame} 368 369 370 \begin{frame}{Definition: Taxability} 371 We say Taler is taxable because: 372 \begin{itemize} 373 \item Merchant's income is visible from deposits. 374 \item Hash of contract is part of deposit data. 375 \item State can trace income and enforce taxation. 376 \end{itemize}\pause 377 Limitations: 378 \begin{itemize} 379 \item withdraw loophole 380 \item {\em sharing} coins among family and friends 381 \end{itemize} 382 \end{frame} 383 384 385 \begin{frame}{Exchange setup: Create a denomination key (RSA)} 386 \begin{minipage}{6cm} 387 \begin{enumerate} 388 \item Pick random primes $p,q$. 389 \item Compute $n := pq$, $\phi(n) = (p-1)(q-1)$ 390 \item Pick small $e < \phi(n)$ such that 391 $d := e^{-1} \mod \phi(n)$ exists. 392 \item Publish public key $(e,n)$. 393 \end{enumerate} 394 \end{minipage} 395 \begin{minipage}{6cm} 396 \begin{tikzpicture} 397 \tikzstyle{def} = [node distance=1em and 1em, inner sep=0em, outer sep=.3em]; 398 \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; 399 \node (primes) [draw=none, below = of origin] at (0,0) {$(p, q)$}; 400 \node (seal) [def, draw=none, below left=of primes]{\includegraphics[width=0.15\textwidth]{seal.pdf}}; 401 \node (hammer) [def, draw=none, below right=of primes]{\includegraphics[width=0.15\textwidth]{hammer.pdf}}; 402 403 \tikzstyle{C} = [color=black, line width=1pt] 404 405 \draw [<-, C] (primes) -- (origin) node [midway, above, sloped] (TextNode) {}; 406 \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {}; 407 \draw [<-, C] (hammer) -- (primes) node [midway, above, sloped] (TextNode) {}; 408 \end{tikzpicture} 409 % \includegraphics[width=0.4\textwidth]{seal.pdf} 410 \end{minipage} 411 \end{frame} 412 413 414 \begin{frame}{Merchant: Create a signing key (EdDSA)} 415 \begin{minipage}{6cm} 416 \begin{itemize} 417 \item pick random $m \mod o$ as private key 418 \item $M = mG$ public key 419 \end{itemize} 420 \end{minipage} 421 \begin{minipage}{6cm} 422 \begin{tikzpicture} 423 \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em]; 424 \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; 425 \node (m) [draw=none, below = of origin] at (0,0) {$m$}; 426 \node (seal) [draw=none, below=of m]{M}; 427 \tikzstyle{C} = [color=black, line width=1pt] 428 429 \draw [<-, C] (m) -- (origin) node [midway, above, sloped] (TextNode) {}; 430 \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {}; 431 \end{tikzpicture} 432 \end{minipage} 433 \parbox[t]{3cm}{{\bf Capability:} $m \Rightarrow$ } 434 \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{merchant-sign.pdf}} 435 \end{frame} 436 437 438 \begin{frame}{Customer: Create a planchet (EdDSA)} 439 \begin{minipage}{8cm} 440 \begin{itemize} 441 \item Pick random $c \mod o$ private key 442 \item $C = cG$ public key 443 \end{itemize} 444 \end{minipage} 445 \begin{minipage}{4cm} 446 \begin{tikzpicture} 447 \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em]; 448 \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; 449 \node (c) [draw=none, below = of origin] at (0,0) {$c$}; 450 \node (planchet) [draw=none, below=of c]{\includegraphics[width=0.4\textwidth]{planchet.pdf}}; 451 \tikzstyle{C} = [color=black, line width=1pt] 452 453 \draw [<-, C] (c) -- (origin) node [midway, above, sloped] (TextNode) {}; 454 \draw [<-, C] (planchet) -- (c) node [midway, above, sloped] (TextNode) {}; 455 \end{tikzpicture} 456 \end{minipage} 457 \parbox[t]{3cm}{{\bf Capability:} $c \Rightarrow$ } 458 \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{planchet-sign.pdf}} 459 \end{frame} 460 461 462 \begin{frame}{Customer: Blind planchet (RSA)} 463 \begin{minipage}{6cm} 464 \begin{enumerate} 465 \item Obtain public key $(e,n)$ 466 \item Compute $f := FDH(C)$, $f < n$. 467 \item Pick blinding factor $b \in \mathbb Z_n$ 468 \item Transmit $f' := f b^e \mod n$ 469 \end{enumerate} 470 \end{minipage} 471 \begin{minipage}{6cm} 472 \begin{tikzpicture} 473 \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; 474 \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}}; 475 \node (b) [def, draw=none, below = of origin] at (0,-0.2) {$b$}; 476 \node (blinded) [def, draw=none, below right=of b]{\includegraphics[width=0.2\textwidth]{blinded.pdf}}; 477 \node (planchet) [def, draw=none, above right=of blinded]{\includegraphics[width=0.15\textwidth]{planchet.pdf}}; 478 \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; 479 \tikzstyle{C} = [color=black, line width=1pt] 480 481 \draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {}; 482 \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {}; 483 \draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {}; 484 \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; 485 \end{tikzpicture} 486 \end{minipage} 487 \end{frame} 488 489 490 \begin{frame}{Exchange: Blind sign (RSA)} 491 \begin{minipage}{6cm} 492 \begin{enumerate} 493 \item Receive $f'$. 494 \item Compute $s' := f'^d \mod n$. 495 \item Send signature $s'$. 496 \end{enumerate} 497 \end{minipage} 498 \begin{minipage}{6cm} 499 \begin{tikzpicture} 500 \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; 501 \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}}; 502 \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}}; 503 \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; 504 \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer}; 505 \tikzstyle{C} = [color=black, line width=1pt] 506 507 \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {}; 508 \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {}; 509 \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}}; 510 \end{tikzpicture} 511 \end{minipage} 512 \end{frame} 513 514 515 \begin{frame}{Customer: Unblind coin (RSA)} 516 \begin{minipage}{6cm} 517 \begin{enumerate} 518 \item Receive $s'$. 519 \item Compute $s := s' b^{-1} \mod n$ % \\ 520 % ($(f')^d = (f b^e)^d = f^d b$). 521 \end{enumerate} 522 \end{minipage} 523 \begin{minipage}{6cm} 524 \begin{tikzpicture} 525 \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; 526 \node (b) [def, draw=none] at (0,0) {$b$}; 527 \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; 528 \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; 529 \tikzstyle{C} = [color=black, line width=1pt] 530 531 \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {}; 532 \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {}; 533 \end{tikzpicture} 534 \end{minipage} 535 \end{frame} 536 537 \begin{frame}{Withdrawing coins on the Web} 538 \begin{center} 539 \includegraphics[height=0.9\textheight]{figs/taler-withdraw.pdf} 540 \end{center} 541 \end{frame} 542 543 544 \begin{frame}{Customer: Build shopping cart} 545 \begin{center} 546 \begin{tikzpicture} 547 \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em]; 548 \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{shop.pdf}}; 549 \node (cart) [draw=none, below=of m]{\includegraphics[width=0.2\textwidth]{cart.pdf}}; 550 \node (merchant) [node distance=4em and 0.5em, draw, below =of cart]{Merchant}; 551 \tikzstyle{C} = [color=black, line width=1pt]; 552 \draw [<-, C] (cart) -- (origin) node [midway, above, sloped] (TextNode) {}; 553 \draw [<-, C] (merchant) -- (cart) node [midway, above, sloped] (TextNode) {{\small transmit}}; 554 \end{tikzpicture} 555 \end{center} 556 \end{frame} 557 558 559 \begin{frame}{Merchant Integration: Payment Request} 560 % \begin{figure}[p!] 561 \lstset{language=HTML5} 562 \lstinputlisting{figs/taler-402.html} 563 % \caption{Sample HTTP response to prompt the wallet to show an offer.} 564 % \label{listing:http-contract} 565 \end{frame} 566 567 % \begin{figure*}[p!] 568 % \lstset{language=HTML5} 569 % \lstinputlisting{figs/taler-contract.html} 570 % \caption{Sample JavaScript code to prompt the wallet to show an offer. 571 % Here, the contract is fetched on-demand from the server. 572 % The {\tt taler\_pay()} function needs to be invoked 573 % when the user triggers the checkout.} 574 % \label{listing:contract} 575 % \end{figure*} 576 %\end{frame} 577 578 579 %\begin{frame}{Merchant Integration: Contract} 580 % \begin{figure*}[t!] 581 % {\tiny 582 % \lstset{language=JavaScript} 583 % \lstinputlisting{figs/taler-contract.json} 584 % \caption{Minimal Taler contract over a digital article with a value of \EUR{0.10}. The merchant will pay transaction fees up to \EUR{0.01}. The hash over the wire transfer information was truncated to make it fit to the page.} 585 % \label{listing:json-contract} 586 % \end{figure*} 587 % } 588 %\end{frame} 589 590 591 \begin{frame}{Merchant: Propose contract (EdDSA)} 592 \begin{minipage}{6cm} 593 \begin{enumerate} 594 \item Complete proposal $D$. 595 \item Send $D$, $EdDSA_m(D)$ 596 \end{enumerate} 597 \end{minipage} 598 \begin{minipage}{6cm} 599 \begin{tikzpicture} 600 \tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer sep=.3em]; 601 \node (cart) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{cart.pdf}}; 602 \node (proposal) [def, draw=none, below right=of cart]{\includegraphics[width=0.5\textwidth]{merchant_propose.pdf}}; 603 \node (customer) [node distance=4em and 0.5em, draw, below =of proposal]{Customer}; 604 \tikzstyle{C} = [color=black, line width=1pt]; 605 \node (sign) [def, draw=none, above right=of proposal] {$m$}; 606 \tikzstyle{C} = [color=black, line width=1pt] 607 608 \draw [<-, C] (proposal) -- (sign) node [midway, above, sloped] (TextNode) {}; 609 \draw [<-, C] (proposal) -- (cart) node [midway, above, sloped] (TextNode) {}; 610 \draw [<-, C] (customer) -- (proposal) node [midway, above, sloped] (TextNode) {{\small transmit}}; 611 \end{tikzpicture} 612 \end{minipage} 613 \end{frame} 614 615 616 \begin{frame}{Customer: Spend coin (EdDSA)} 617 \begin{minipage}{6cm} 618 \begin{enumerate} 619 \item Receive proposal $D$, $EdDSA_m(D)$. 620 \item Send $s$, $C$, $EdDSA_c(D)$ 621 \end{enumerate} 622 \end{minipage} 623 \begin{minipage}{6cm} 624 \begin{tikzpicture} 625 \tikzstyle{def} = [node distance=2em and 0.4em, inner sep=0em, outer sep=.3em]; 626 \node (proposal) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}}; 627 \node (contract) [def, draw=none, below right=of cart]{\includegraphics[width=0.3\textwidth]{contract.pdf}}; 628 \node (c) [def, draw=none, above=of contract] {$c$}; 629 \node (merchant) [node distance=4em and 0.5em, draw, below=of contract]{Merchant}; 630 \node (coin) [def, draw=none, right=of contract]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; 631 \tikzstyle{C} = [color=black, line width=1pt] 632 633 \draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {}; 634 \draw [<-, C] (contract) -- (proposal) node [midway, above, sloped] (TextNode) {}; 635 \draw [<-, C] (merchant) -- (contract) node [midway, above, sloped] (TextNode) {{\small transmit}}; 636 \draw [<-, C] (merchant) -- (coin) node [midway, below, sloped] (TextNode) {{\small transmit}}; 637 \end{tikzpicture} 638 \end{minipage} 639 \end{frame} 640 641 642 \begin{frame}{Merchant and Exchange: Verify coin (RSA)} 643 \begin{minipage}{6cm} 644 \begin{equation*} 645 s^e \stackrel{?}{\equiv} FDH(C) \mod n 646 \end{equation*} 647 \end{minipage} 648 \begin{minipage}{6cm} 649 \begin{minipage}{0.2\textwidth} 650 \includegraphics[width=\textwidth]{coin.pdf} 651 \end{minipage} 652 $\stackrel{?}{\Leftrightarrow}$ 653 \begin{minipage}{0.2\textwidth} 654 \includegraphics[width=\textwidth]{seal.pdf} 655 \end{minipage} 656 \end{minipage} 657 \vfill 658 The exchange does not only verify the signature, but also 659 checks that the coin was not double-spent. 660 \vfill 661 \pause 662 \begin{center} 663 {\bf Taler is an online payment system.} 664 \end{center} 665 \vfill 666 \end{frame} 667 668 669 \begin{frame}{Requirements: Online vs. Offline Digital Currencies} 670 \framesubtitle{\url{https://taler.net/papers/euro-bearer-online-2021.pdf}} 671 \begin{itemize} 672 \item Offline capabilities are sometimes cited as a requirement for digital payment solutions 673 \item All implementations must either use restrictive hardware elements and/or introduce 674 counterparty risk. 675 \item[$\Rightarrow$] Permanent offline features weaken a digital payment solution (privacy, security) 676 \item[$\Rightarrow$] Introduces unwarranted competition for physical cash (endangers emergency-preparedness). 677 \end{itemize} 678 We recommend a tiered approach: 679 \begin{enumerate} 680 \item Online-first, bearer-based digital currency with Taler 681 \item (Optional:) Limited offline mode for network outages 682 \item Physical cash for emergencies (power outage, catastrophic cyber incidents) 683 \end{enumerate} 684 \end{frame} 685 686 687 \begin{frame}{Payment processing with Taler} 688 \begin{center} 689 \includegraphics[height=0.9\textheight]{figs/taler-pay.pdf} 690 \end{center} 691 \end{frame} 692 693 694 \begin{frame}{Giving change} 695 It would be inefficient to pay EUR 100 with 1 cent coins! 696 \begin{itemize} 697 \item Denomination key represents value of a coin. 698 \item Exchange may offer various denominations for coins. 699 \item Wallet may not have exact change! 700 \item Usability requires ability to pay given sufficient total funds. 701 \end{itemize}\pause 702 Key goals: 703 \begin{itemize} 704 \item maintain unlinkability 705 \item maintain taxability of transactions 706 \end{itemize}\pause 707 Method: 708 \begin{itemize} 709 \item Contract can specify to only pay {\em partial value} of a coin. 710 \item Exchange allows wallet to obtain {\em unlinkable change} 711 for remaining coin value. 712 \end{itemize} 713 \end{frame} 714 715 716 \begin{frame}{Diffie-Hellman (ECDH)} 717 \begin{minipage}{8cm} 718 \begin{enumerate} 719 \item Create private keys $c,t \mod o$ 720 \item Define $C = cG$ 721 \item Define $T = tG$ 722 \item Compute DH \\ $cT = c(tG) = t(cG) = tC$ 723 \end{enumerate} 724 \end{minipage} 725 \begin{minipage}{6cm} 726 \begin{tikzpicture} 727 \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; 728 \node (t) [def, draw=none] at (0,0) {$t$}; 729 \node (ct) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{dh.pdf}}; 730 \node (c) [def, draw=none, above left= of ct] {$c$}; 731 \tikzstyle{C} = [color=black, line width=1pt] 732 733 \draw [<-, C] (ct) -- (c) node [midway, above, sloped] (TextNode) {}; 734 \draw [<-, C] (ct) -- (t) node [midway, above, sloped] (TextNode) {}; 735 \end{tikzpicture} 736 \end{minipage} 737 \end{frame} 738 739 740 \begin{frame}{Strawman solution} 741 \begin{minipage}{8cm} 742 Given partially spent private coin key $c_{old}$: 743 \begin{enumerate} 744 % \item Let $C_{old} := c_{old}G$ (as before) 745 \item Pick random $c_{new} \mod o$ private key 746 \item $C_{new} = c_{new}G$ public key 747 \item Pick random $b_{new}$ 748 \item Compute $f_{new} := FDH(C_{new})$, $m < n$. 749 \item Transmit $f'_{new} := f_{new} b_{new}^e \mod n$ 750 \end{enumerate} 751 ... and sign request for change with $c_{old}$. 752 \end{minipage} 753 \begin{minipage}{4cm} 754 \begin{tikzpicture} 755 \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; 756 \node (blinded) [def, draw=none]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; 757 \node (planchet) [def, draw=none, above left= of blinded] {\includegraphics[width=0.15\textwidth]{planchet.pdf}}; 758 \node (cnew) [def, draw=none, above= of planchet] {$c_{new}$}; 759 \node (bnew) [def, draw=none, above right= of blinded] {$b_{new}$}; 760 \node (dice1) [def, draw=none, above = of cnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; 761 \node (dice2) [def, draw=none, above = of bnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; 762 \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; 763 764 \tikzstyle{C} = [color=black, line width=1pt] 765 766 \draw [<-, C] (cnew) -- (dice1) node [midway, above, sloped] (TextNode) {}; 767 \draw [<-, C] (planchet) -- (cnew) node [midway, above, sloped] (TextNode) {}; 768 \draw [<-, C] (bnew) -- (dice2) node [midway, above, sloped] (TextNode) {}; 769 \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {}; 770 \draw [<-, C] (blinded) -- (bnew) node [midway, above, sloped] (TextNode) {}; 771 \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; 772 \end{tikzpicture} 773 \end{minipage} 774 \pause 775 \vfill 776 {\bf Problem: Owner of $c_{new}$ may differ from owner of $c_{old}$!} 777 \end{frame} 778 779 780 \begin{frame}{Customer: Transfer key setup (ECDH)} 781 \begin{minipage}{8cm} 782 Given partially spent private coin key $c_{old}$: 783 \begin{enumerate} 784 \item Let $C_{old} := c_{old}G$ (as before) 785 \item Create random private transfer key $t \mod o$ 786 \item Compute $T := tG$ 787 \item Compute $X := c_{old}(tG) = t(c_{old}G) = tC_{old}$ 788 \item Derive $c_{new}$ and $b_{new}$ from $X$ 789 \item Compute $C_{new} := c_{new}G$ 790 \item Compute $f_{new} := FDH(C_{new})$ 791 \item Transmit $f_{new}' := f_{new} b_{new}^e$ 792 \end{enumerate} 793 \end{minipage} 794 \begin{minipage}{4cm} 795 \begin{tikzpicture} 796 \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; 797 \node (t) [def, draw=none] at (0,0) {$t$}; 798 \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; 799 \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; 800 \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; 801 \node (cp) [def, draw=none, below left= of dh] {$c_{new}$}; 802 \node (bp) [def, draw=none, below right= of dh] {$b_{new}$}; 803 \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; 804 \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; 805 806 \tikzstyle{C} = [color=black, line width=1pt] 807 808 \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; 809 \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; 810 \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; 811 \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; 812 \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; 813 \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; 814 \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; 815 \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; 816 \end{tikzpicture} 817 \end{minipage} 818 \end{frame} 819 820 821 \begin{frame}{Cut-and-Choose} 822 \begin{minipage}{4cm} 823 \begin{tikzpicture} 824 \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; 825 \node (t) [def, draw=none] at (0,0) {$t_1$}; 826 \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; 827 \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; 828 \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; 829 \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$}; 830 \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$}; 831 \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; 832 \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; 833 834 \tikzstyle{C} = [color=black, line width=1pt] 835 836 \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; 837 \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; 838 \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; 839 \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; 840 \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; 841 \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; 842 \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; 843 \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; 844 \end{tikzpicture} 845 \end{minipage} 846 \begin{minipage}{4cm} 847 \begin{tikzpicture} 848 \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; 849 \node (t) [def, draw=none] at (0,0) {$t_2$}; 850 \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; 851 \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; 852 \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; 853 \node (cp) [def, draw=none, below left= of dh] {$c_{new,2}$}; 854 \node (bp) [def, draw=none, below right= of dh] {$b_{new,2}$}; 855 \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; 856 \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; 857 858 \tikzstyle{C} = [color=black, line width=1pt] 859 860 \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; 861 \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; 862 \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; 863 \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; 864 \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; 865 \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; 866 \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; 867 \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; 868 \end{tikzpicture} 869 \end{minipage} 870 \begin{minipage}{4cm} 871 \begin{tikzpicture} 872 \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; 873 \node (t) [def, draw=none] at (0,0) {$t_3$}; 874 \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}}; 875 \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; 876 \node (d) [def, draw=none, above left= of dh] {$c_{old}$}; 877 \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$}; 878 \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$}; 879 \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; 880 \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange}; 881 882 \tikzstyle{C} = [color=black, line width=1pt] 883 884 \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {}; 885 \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; 886 \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {}; 887 \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; 888 \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; 889 \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; 890 \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; 891 \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}}; 892 \end{tikzpicture} 893 \end{minipage} 894 \end{frame} 895 896 897 \begin{frame}{Exchange: Choose!} 898 \begin{center} 899 \item Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the customer. 900 \end{center} 901 \end{frame} 902 903 904 \begin{frame}{Customer: Reveal} 905 \begin{enumerate} 906 \item If $\gamma = 1$, send $t_2$, $t_3$ to exchange 907 \item If $\gamma = 2$, send $t_1$, $t_3$ to exchange 908 \item If $\gamma = 3$, send $t_1$, $t_2$ to exchange 909 \end{enumerate} 910 \end{frame} 911 912 913 \begin{frame}{Exchange: Verify ($\gamma = 2$)} 914 \begin{minipage}{4cm} 915 \begin{tikzpicture} 916 \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; 917 \node (h) [def, draw=none] at (0,0) {$t_1$}; 918 \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; 919 \node (d) [def, draw=none, above left= of dh] {$C_{old}$}; 920 \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$}; 921 \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$}; 922 \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; 923 924 \tikzstyle{C} = [color=black, line width=1pt] 925 926 \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; 927 \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {}; 928 \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; 929 \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; 930 \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; 931 \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; 932 \end{tikzpicture} 933 \end{minipage} 934 \begin{minipage}{4cm} 935 \ 936 \end{minipage} 937 \begin{minipage}{4cm} 938 \begin{tikzpicture} 939 \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; 940 \node (h) [def, draw=none] at (0,0) {$t_3$}; 941 \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; 942 \node (d) [def, draw=none, above left= of dh] {$C_{old}$}; 943 \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$}; 944 \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$}; 945 \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; 946 947 \tikzstyle{C} = [color=black, line width=1pt] 948 949 \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {}; 950 \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {}; 951 \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; 952 \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; 953 \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {}; 954 \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {}; 955 \end{tikzpicture} 956 \end{minipage} 957 \end{frame} 958 959 960 \begin{frame}{Exchange: Blind sign change (RSA)} 961 \begin{minipage}{6cm} 962 \begin{enumerate} 963 \item Take $f_{new,\gamma}'$. 964 \item Compute $s' := f_{new,\gamma}'^d \mod n$. 965 \item Send signature $s'$. 966 \end{enumerate} 967 \end{minipage} 968 \begin{minipage}{6cm} 969 \begin{tikzpicture} 970 \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; 971 \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}}; 972 \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}}; 973 \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}}; 974 \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer}; 975 \tikzstyle{C} = [color=black, line width=1pt] 976 977 \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {}; 978 \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {}; 979 \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}}; 980 \end{tikzpicture} 981 \end{minipage} 982 \end{frame} 983 984 985 \begin{frame}{Customer: Unblind change (RSA)} 986 \begin{minipage}{6cm} 987 \begin{enumerate} 988 \item Receive $s'$. 989 \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$. 990 \end{enumerate} 991 \end{minipage} 992 \begin{minipage}{6cm} 993 \begin{tikzpicture} 994 \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em]; 995 \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$}; 996 \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; 997 \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; 998 \tikzstyle{C} = [color=black, line width=1pt] 999 1000 \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {}; 1001 \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {}; 1002 \end{tikzpicture} 1003 \end{minipage} 1004 \end{frame} 1005 1006 1007 \begin{frame}{Exchange: Allow linking change} 1008 \begin{minipage}{7cm} 1009 \begin{center} 1010 Given $C_{old}$ 1011 1012 \vspace{1cm} 1013 1014 return $T_\gamma$, $s := s' b_{new,\gamma}^{-1} \mod n$. 1015 \end{center} 1016 \end{minipage} 1017 \begin{minipage}{5cm} 1018 \begin{tikzpicture} 1019 \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer sep=.3em]; 1020 \node (co) [def, draw=none] at (0,0) {$C_{old}$}; 1021 \node (T) [def, draw=none, below left=of co]{$T_\gamma$}; 1022 \node (sign) [def, draw=none, below right=of co]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; 1023 \node (customer) [def, draw, below right=of T] {Customer}; 1024 1025 \tikzstyle{C} = [color=black, line width=1pt] 1026 1027 \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {}; 1028 \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {}; 1029 \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode) {link}; 1030 \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode) {link}; 1031 \end{tikzpicture} 1032 \end{minipage} 1033 \end{frame} 1034 1035 1036 \begin{frame}{Customer: Link (threat!)} 1037 \begin{minipage}{6.3cm} 1038 \begin{enumerate} 1039 \item Have $c_{old}$. 1040 \item Obtain $T_\gamma$, $s$ from exchange 1041 \item Compute $X_\gamma = c_{old}T_\gamma$ 1042 \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$ 1043 \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$ 1044 \end{enumerate} 1045 1046 \end{minipage} 1047 \begin{minipage}{5.7cm} 1048 \begin{tikzpicture} 1049 \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em]; 1050 \node (T) [def, draw=none] at (0,0) {$T_\gamma$}; 1051 \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange}; 1052 \node (signed) [def, draw=none, below left=of T]{\includegraphics[width=0.15\textwidth]{sign.pdf}}; 1053 \node (dh) [def, draw=none, below right=of T]{\includegraphics[width=0.2\textwidth]{ct.pdf}}; 1054 \node (bp) [def, draw=none, below left= of dh] {$b_{new,\gamma}$}; 1055 \node (co) [def, draw=none, above right= of dh] {$c_{old}$}; 1056 \node (cp) [def, draw=none, below= of dh] {$c_{new,\gamma}$}; 1057 \node (coin) [def, draw=none, below left = of bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}}; 1058 \node (psign) [def, node distance=2.5em and 0em, draw=none, below = of cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}}; 1059 1060 \tikzstyle{C} = [color=black, line width=1pt] 1061 1062 \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {}; 1063 \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {}; 1064 \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {}; 1065 \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {}; 1066 \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {}; 1067 \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {}; 1068 \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode) {link}; 1069 \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped] (TextNode) {link}; 1070 \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped] (TextNode) {}; 1071 \end{tikzpicture} 1072 \end{minipage} 1073 \end{frame} 1074 1075 1076 \begin{frame}{Refresh protocol summary} 1077 \begin{itemize} 1078 \item Customer asks exchange to convert old coin to new coin 1079 \item Protocol ensures new coins can be recovered from old coin 1080 \item[$\Rightarrow$] New coins are owned by the same entity! 1081 \end{itemize} 1082 Thus, the refresh protocol allows: 1083 \begin{itemize} 1084 \item To give unlinkable change. 1085 \item To give refunds to an anonymous customer. 1086 \item To expire old keys and migrate coins to new ones. 1087 \item To handle protocol aborts. 1088 \end{itemize} 1089 \noindent 1090 \begin{center} 1091 \bf 1092 Transactions via refresh are equivalent to {\em sharing} a wallet. 1093 \end{center} 1094 \end{frame} 1095 1096 1097 \begin{frame}{Scalability} 1098 On paper, the design scales linearly with computing resources: 1099 \begin{itemize} 1100 \item Front-end logic at the central bank only needs to perform a few signature operations, a 1101 single CPU core can typically do a few thousands per second. 1102 \item Front-end servers need to talk to a database to prevent double-spending. A single database server can handle tens of thousands of such operations per second. 1103 \item All operations are easily split across multiple database servers by simply assigning 1104 each database server a range of values. 1105 \item The frontends need to talk to the backends using an interconnect. The size of an 1106 individual transaction is typically about 1–10 kilobytes. Modern interconnects 1107 can support millions of such transactions per second. 1108 \item To securely store 1-10 kilobytes per transaction, using AWS pricing, the cost of the 1109 system (storage, bandwidth, computation) at scale would be 0.0001 USD per transaction. 1110 \end{itemize} 1111 \end{frame} 1112 1113 1114 \begin{frame}{Scalability in numbers} 1115 On a {\bf single desktop system}, we measured: 1116 \begin{itemize} 1117 \item {\bf 1k+} withdraws\&deposits/second (client and server doing 2048-bit RSA) 1118 \item {\bf 50k+} import inbound wire transfers per second (to RTGS) 1119 \item {\bf 33k+} transactions aggregated/second 1120 \item {\bf 62k+} export outbound wire transfers per second (to RTGS) 1121 \end{itemize} 1122 We are now configuring the Grid5000 for larger-scale experiments. 1123 \end{frame} 1124 1125 1126 \begin{frame}{Taler: Project Status} 1127 \framesubtitle{\url{https://docs.taler.net/}} 1128 \begin{itemize} 1129 \item Cryptographic protocols and core exchange component are stable 1130 \item Current focus: KYC process at commercial bank, scalability evaluation, age-restricted payments, P2P payments 1131 \item Internal alpha deployment with a commercial bank in progress 1132 \item Pilot project at Bern University of Applied Sciences cafeteria 1133 \end{itemize} 1134 \begin{center} 1135 \includegraphics[width=0.7\textwidth]{taler-in-use.png} 1136 \end{center} 1137 \end{frame} 1138 1139 1140 \section{Competitor comparison} 1141 \begin{frame}{Competitor comparison} 1142 \begin{center} \small 1143 \begin{tabular}{l||c|c|c|c|c} 1144 & Cash & DLT & HW-Token & CB-Account & GNU Taler \\ \hline \hline 1145 Online &$-$$-$$-$ & + & $-$ & ++ & +++ \\ \hline 1146 Offline & +++ & $-$$-$$-$ & $+$ & $-$$-$ & $-$$-$ \\ \hline 1147 Cost & $-$ & $-$$-$$-$ & $-$ & + & ++ \\ \hline 1148 Speed & + & $-$$-$$-$ & $+$ & o & ++ \\ \hline 1149 Taxation & $-$ & +++ & $-$$-$ & +++ & +++ \\ \hline 1150 Payer-anon & ++ & $-$$-$ & ??? & $-$$-$ & +++ \\ \hline 1151 Payee-anon & ++ & $-$$-$ & ??? & $-$$-$ & $-$$-$$-$ \\ \hline 1152 Security & $-$ & ??? & $-$$-$ & o & ++ \\ \hline 1153 Migration & +++ & $-$$-$$-$ & $-$$-$$-$& o & + \\ \hline 1154 Libre & $-$ & ??? & $-$$-$$-$& N/A & +++ \\ 1155 \end{tabular} 1156 \end{center} 1157 \end{frame} 1158 1159 1160 \begin{frame}{The Future: System Integration and Partnerships} 1161 Pilots with banking organizations could: 1162 \begin{itemize} 1163 \item Share knowledge on Taler deployment 1164 \item Study integration with the underlying RTGS layer: 1165 \begin{itemize} 1166 \item Develop standardized operational procedures 1167 \item Perform cost analysis in banking environment 1168 \item Assess effort for integration with commercial banks 1169 \end{itemize} 1170 \item Analyze regulatory considerations for different legislations 1171 \item Perform independent security audits of Taler components 1172 \end{itemize} 1173 \end{frame} 1174 1175 1176 \begin{frame} 1177 \frametitle{Do you have any questions?} 1178 \vfill 1179 References: 1180 {\tiny 1181 \begin{enumerate} 1182 \item{David Chaum, Christian Grothoff and Thomas Moser. 1183 {\em How to issue a central bank digital currency}. 1184 {\bf SNB Working Papers, 2021}.} 1185 \item{Christian Grothoff, Bart Polot and Carlo von Loesch. 1186 {\em The Internet is broken: Idealistic Ideas for Building a GNU Network}. 1187 {\bf W3C/IAB Workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT)}, 2014.} 1188 \item{Jeffrey Burdges, Florian Dold, Christian Grothoff and Marcello Stanisci. 1189 {\em Enabling Secure Web Payments with GNU Taler}. 1190 {\bf SPACE 2016}.} 1191 \item{Florian Dold, Sree Harsha Totakura, Benedikt M\"uller, Jeffrey Burdges and Christian Grothoff. 1192 {\em Taler: Taxable Anonymous Libre Electronic Reserves}. 1193 Available upon request. 2016.} 1194 \item{Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer and Madars Virza. 1195 {\em Zerocash: Decentralized Anonymous Payments from Bitcoin}. 1196 {\bf IEEE Symposium on Security \& Privacy, 2016}.} 1197 \item{David Chaum, Amos Fiat and Moni Naor. 1198 {\em Untraceable electronic cash}. 1199 {\bf Proceedings on Advances in Cryptology, 1990}.} 1200 \item{Phillip Rogaway. 1201 {\em The Moral Character of Cryptographic Work}. 1202 {\bf Asiacrypt}, 2015.} \label{bib:rogaway} 1203 \end{enumerate} 1204 } 1205 \end{frame} 1206 1207 1208 \end{document}