2-preliminaries.tex (31120B)
1 \section{\faIcon{coins} Preliminaries} 2 % Taler Intro, protocols 3 4 % abort-idempotency, Blind Signatures, HKDF, CS scheme, ROS problem Chap 3 5 \begin{frame}{\faIcon{coins} GNU Taler Overview} 6 \framesubtitle{A privacy-preserving, fast and intuitive payment system} 7 % Protokolle (achtung Flughöhe, Zeit) 8 \begin{columns}[c] % align columns 9 \begin{column}{.48\textwidth} 10 \includegraphics[width=6.3cm]{images/diagram-simple.png} 11 \end{column}% 12 \hfill% 13 \begin{column}{.48\textwidth} 14 Taler Components 15 \begin{itemize} 16 \item \faIcon{piggy-bank} Exchange \\ 17 Payment service provider between customer and merchant 18 \item \faIcon{shopping-basket} Merchant \\ 19 Accepts payments with Taler in exchange for goods and services 20 \item \faIcon{wallet} Wallet \\ 21 A customer holds coins in his electronic wallet 22 \item \faIcon{eye} Auditor \\ 23 The auditors (financial regulators) monitor the exchanges behaviour 24 \end{itemize} 25 \end{column}% 26 \end{columns} 27 {\tiny graphics source: \url{https://taler.net/images/diagram-simple.png}} 28 \end{frame} 29 30 \begin{frame}{\faIcon{coins} GNU Taler properties} 31 % Important because our redesigned protocols need to fulfill all of them! 32 % Income Transparency 33 \begin{columns}[T] % align columns 34 \begin{column}{.48\textwidth} 35 Properties: 36 \begin{itemize} 37 \item \faIcon{hand-holding-heart} Free Software 38 \item \faIcon{user-secret} Buyer Privacy Protection 39 \item \faIcon{coins} Merchant Taxability 40 \item \faIcon{eye} Auditability - Income Transparency % Compliant to regulations AML/CFT/KYC 41 \item \faIcon{shield-alt} Prevent payment fraud 42 \end{itemize} 43 \end{column} 44 \hfill 45 \begin{column}{.48\textwidth} 46 \begin{itemize} 47 \item \faIcon{user-shield} Privacy by design 48 \item \faIcon{user} Easy to use 49 \item \faIcon{bolt} Efficient - Even more efficient with our improvements! \faIcon{rocket} 50 \item \faIcon{anchor} Fault-tolerant design 51 \item \faIcon{briefcase} Foster competition 52 \end{itemize} 53 \end{column} 54 \end{columns} 55 \vspace{1cm} 56 {\scriptsize More details on \url{https://taler.net/en/principles.html}} 57 \end{frame} 58 59 \begin{frame}{\faIcon{code} Abort-Idempotency} 60 61 \begin{itemize} 62 \item \textbf{Idempotency} 63 \\ Idempotency ensures that the state of a system will not change, no matter how many times the same request was made. 64 \\In other words: The same request will receive the same response.\\ 65 \item \textbf{Abort-Idempotency} 66 \\ Abort-Idempotency also ensures Idempotency in every abort scenario. 67 \end{itemize} 68 \end{frame} 69 70 % \begin{frame}{\faIcon{coins} Taler PKI} 71 % \begin{center} 72 % \includegraphics[width=11cm]{images/taler-pki.png} 73 % \end{center} 74 % {\tiny graphics source: \url{https://taler.net/papers/thesis-dold-phd-2019.pdf}} 75 % \end{frame} 76 77 78 \begin{frame}{\faIcon{coins} HKDF RFC5869} 79 %Can be used as PRNG 80 \framesubtitle{The HMAC-based Extract-and-Expand Key Derivation Function} 81 \begin{itemize} 82 \item HKDF can be used as a pseudo-random function, a deterministic function whose output appears to be random 83 \item follows the \textbf{extract-then-expand} paradigm 84 \item A fixed-length high-entropy key $K$ is \textbf{extracted} from potentially weaker input keying material 85 \item The key $K$ is then \textbf{expanded} to output a variable-length, pseudo-random key 86 %\item HKDF makes use of HMAC instantiated with a hash function together with a salt, the input keying material, output length and optional info 87 \end{itemize} 88 89 \end{frame} 90 91 \begin{frame}{\faIcon{coins} Curve25519} 92 \begin{columns}[T] % align columns 93 \begin{column}{.48\textwidth} 94 Curve25519: 95 \begin{itemize} 96 \item Curve25519 is a Montgomery-Curve over prime field $2^{255} - 19$ 97 \item Provides 128 bits of security 98 \item Well-known and trusted 99 \item Good choice in terms of security \& speed 100 \end{itemize} 101 Alternatives: 102 \begin{itemize} 103 \item Curve448-Goldilocks 104 \item Secp256k1 ("Bitcoin curve") 105 \end{itemize} 106 \end{column}% 107 \hfill% 108 \begin{column}{.48\textwidth} 109 \begin{figure} 110 \includegraphics[width=6.3cm]{images/curve25519.png} 111 \caption{\footnotesize Abbild der elliptischen Kurve $y2 = x3 + 486662x2 + x $} 112 \end{figure} 113 \end{column}% 114 \end{columns} 115 {\vspace{1cm}\tiny graphics source: \url{https://heise.cloudimg.io/v7/_www-heise-de_/imgs/18/1/4/5/9/6/8/9/curve25519-5b8d94dd2448661c.png}} 116 \end{frame} 117 118 \begin{frame}{\faIcon{coins} EdDSA} 119 \begin{columns}[c] % align columns 120 \begin{column}{.48\textwidth} 121 \begin{itemize} 122 \item The coin is a EdDSA keypair 123 \item Uses Curve25519 124 \item Public key is the planchet to be signed by the exchange 125 \item The coin can be spent by signing a contract with the coin's private key 126 \end{itemize} 127 \end{column}% 128 \hfill% 129 \begin{column}{.48\textwidth} 130 \begin{center} 131 \includegraphics[height=4cm]{images/planchet.png} 132 \end{center} 133 \end{column}% 134 \end{columns} 135 {\vspace{1cm}\tiny graphics source: \url{https://git.taler.net/marketing.git/plain/presentations/comprehensive/main.pdf}} 136 \end{frame} 137 138 \begin{frame}{\faIcon{coins} Blind Signatures} 139 % Was ist eine blinde Signatur? 140 % Was bringen einem blinde Signaturen? 141 % Zentral für Taler 142 % Privacy preserving 143 \framesubtitle{RSA Blind Signatures in Taler} 144 \begin{columns}[t] 145 \begin{column}{.33\textwidth} 146 \begin{center} 147 Customer:\\ 148 \includegraphics[width=2.6cm]{images/blind-coin.png} 149 \end{center} 150 \end{column} 151 \begin{column}{.33\textwidth} 152 \begin{center} 153 Exchange: 154 \includegraphics[width=3cm]{images/blind-sign.png} 155 \end{center} 156 \end{column} 157 \begin{column}{.33\textwidth} 158 \begin{center} 159 Customer: 160 \includegraphics[width=3cm]{images/unblind-coin.png} 161 \end{center} 162 \end{column} 163 \end{columns} 164 \vspace{0.8cm} 165 {\tiny graphics source: \url{https://git.taler.net/marketing.git/plain/presentations/comprehensive/main.pdf}} 166 % RSA blind signature scheme (, Nachteile von RSA) 167 \end{frame} 168 169 \begin{frame}{\faIcon{coins} RSA Blind Signatures} 170 \begin{center} 171 \resizebox{0.8\textwidth}{!}{\begin{minipage}{\textwidth} 172 \begin{figure} 173 \begin{equation*} 174 \begin{array}{ l c l } 175 \text{Alice} & & \text{Bob} 176 \\ \text{knows:} & & \text{knows:} 177 \\ \text{RSA public key } D_B = e, N & & \text{RSA keys } d_B, D_B 178 \\ \text{message } m & & 179 \\ & & 180 \\ f = FDH(m) & & 181 \\ & & 182 \\ \text{blind:} & & 183 \\ r \leftarrow random \in \mathbb{Z}_N^* & & 184 \\ f' = f*r^{e} \mod N & & 185 \\ & \xrightarrow[\rule{2.5cm}{0pt}]{f'} & 186 \\ & & \text{sign:} 187 \\ & & s' = (f')^{d_B} \mod N 188 \\ & \xleftarrow[\rule{2.5cm}{0pt}]{s'} & 189 \\ \text{unblind:}& & 190 \\ s = s'*r^{-1} & & 191 \end{array} 192 \end{equation*} 193 \end{figure} 194 \end{minipage}} 195 \end{center} 196 \end{frame} 197 198 \begin{frame}{\faIcon{coins} Schnorr Signature Scheme} 199 \begin{center} 200 \resizebox{0.83\textwidth}{!}{\begin{minipage}{\textwidth} 201 \begin{figure} 202 \begin{equation*} 203 \begin{array}{ l c l } 204 % preliminaries 205 \text{User} & & \text{Signer} 206 \\ \text{knows:} & \text{public parameters:} & \text{knows:} 207 \\ \text{public key } X & \langle p, \mathbb{G}, G, H\rangle & \text{private signing key } x, X := xG 208 \\ & & r \leftarrow random \in \mathbb{Z}_p 209 \\ & & R := rG 210 \\ & \xleftarrow[\rule{2.5cm}{0pt}]{R} & 211 \\ c := H(R,m) 212 \\ & \xrightarrow[\rule{2.5cm}{0pt}]{c} & 213 \\ & & s := r + cx \mod p 214 \\ & \xleftarrow[\rule{2.5cm}{0pt}]{s} & 215 \\ \text{check } sG = R + cX 216 \\ \sigma := \langle R,s \rangle 217 \end{array} 218 \end{equation*} 219 \end{figure} 220 \end{minipage}} 221 \end{center} 222 \end{frame} 223 224 \begin{frame}{\faIcon{coins} The (broken) Blind Schnorr Signature Scheme} 225 \begin{center} 226 \resizebox{0.83\textwidth}{!}{\begin{minipage}{\textwidth} 227 \begin{figure}[htp] 228 \begin{equation*} 229 \begin{array}{ l c l } 230 % preliminaries 231 \text{User} & & \text{Signer} 232 \\ \text{knows:} & \text{public parameters:} & \text{knows:} 233 \\ \text{public key } X & \langle p, \mathbb{G}, G, H\rangle & \text{private signing key } x, X := xG 234 \\ & & r \leftarrow random \in \mathbb{Z}_p 235 \\ & & R := rG 236 \\ & \xleftarrow[\rule{2.5cm}{0pt}]{R} & 237 \\ \alpha, \beta \leftarrow random \in \mathbb{Z}_p 238 \\ R' := R + \alpha G + \beta X 239 \\ c' := H(R',m) 240 \\ c := c' + \beta \mod p 241 \\ & \xrightarrow[\rule{2.5cm}{0pt}]{c} & 242 \\ & & s := r+cx \mod p 243 \\ & \xleftarrow[\rule{2.5cm}{0pt}]{s} & 244 \\ \text{check } sG = R + cX 245 \\ s' := s + \alpha \mod p 246 \\ \sigma := \langle R',s' \rangle 247 \end{array} 248 \end{equation*} 249 \end{figure} 250 \end{minipage}} 251 \end{center} 252 \end{frame} 253 254 \begin{frame}{\faIcon{coins} ROS problem - (informally)} 255 \framesubtitle{Random inhomogeneities in an Overdetermined, Solvable system of linear 256 equations} 257 \begin{columns}[T] % align columns 258 \begin{column}{.48\textwidth} 259 ROS problem: 260 \begin{itemize} 261 \item ROS depends on group order $p$, parameterized with integer $\ell$ 262 \item An adversary can produce $\ell + 1$ valid signatures after $\ell > \log_2(p)$ parallel sessions by solving a linear equation system 263 \item $ \sum_{j=1}^{\ell} \rho_{i,j} c_j = H_{ros}(\overrightarrow{p}_i), i \in [\ell + 1]$ 264 \item There exist a polynomial-time attack against $ROS_\ell$ when $\ell > \log_2(p)$ 265 \end{itemize} 266 \end{column}% 267 \hfill% 268 \begin{column}{.48\textwidth} 269 Modified ROS: 270 \begin{itemize} 271 \item Does not apply to the modified ROS problem 272 \item Queries oracle with two vectors instead of one 273 \item The signer returns a signature by randomly flipping a bit $b$ 274 \item Only the $c_b$ is signed and returned 275 \item An adversary would need to commit to $c_b$ before learning about $b$ 276 \end{itemize} 277 \end{column}% 278 \end{columns} 279 \vspace{1cm} 280 {\tiny See: Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model} {\tiny (\url{https://eprint.iacr.org/2019/877.pdf})\\} 281 {\tiny See: On the (in)security of ROS } 282 {\tiny (\url{https://eprint.iacr.org/2020/945})} 283 \end{frame} 284 285 \begin{frame}{\faIcon{coins} Clause Blind Schnorr Signature Scheme} 286 \begin{center} 287 \resizebox{0.65\textwidth}{!}{\begin{minipage}{\textwidth} 288 \begin{figure} 289 \begin{equation*} 290 \begin{array}{ l c l } 291 % preliminaries 292 \text{User} & & \text{Signer} 293 \\ \text{knows:} & \text{public parameters:} & \text{knows:} 294 \\ \text{public key } X & \langle p, \mathbb{G}, G, H\rangle & \text{private signing key } x, X := xG 295 \\ & & r_0, r_1 \leftarrow random \in \mathbb{Z}_p 296 \\ & & R_0 := r_0G 297 \\ & & R_1 := r_1G 298 \\ & \xleftarrow[\rule{2.5cm}{0pt}]{R_0, R_1} & 299 \\ \alpha_0, \alpha_1, \beta_0, \beta_1 \leftarrow random \in \mathbb{Z}_p 300 \\ R_0' := R_0 + \alpha_0 G + \beta_0 X 301 \\ R_1' := R_1 + \alpha_1 G + \beta_1 X 302 \\ c_0' := H(R_0',m) 303 \\ c_1' := H(R_1',m) 304 \\ c_0 := c_0' + \beta_0 \mod p 305 \\ c_1 := c_1' + \beta_1 \mod p 306 \\ & \xrightarrow[\rule{2.5cm}{0pt}]{c_0, c_1} & 307 \\ & & b \leftarrow random \in \{ 0,1\} 308 \\ & & s := r_b+c_bx \mod p 309 \\ & \xleftarrow[\rule{2.5cm}{0pt}]{b, s} & 310 \\ \text{check } sG = R + cX 311 \\ s' := s + \alpha_b \mod p 312 \\ \sigma := \langle R_b',s' \rangle 313 \end{array} 314 \end{equation*} 315 \end{figure} 316 \end{minipage}} 317 \end{center} 318 \end{frame} 319 320 \begin{frame}{\faIcon{coins} Taler Protocols} 321 \begin{columns}[T] % align columns 322 \begin{column}{.25\textwidth} 323 Protocols: 324 \begin{itemize} 325 \item \faIcon{money-bill-alt} Withdrawal 326 \item \faIcon{sync-alt} Refresh 327 \item \faIcon{shopping-bag} Spend 328 \item \faIcon{piggy-bank} Deposit 329 \item \faIcon{gift} Tipping 330 \item \faIcon{hand-holding-usd} Payback 331 \item \faIcon{undo} Recoup 332 \end{itemize} 333 \end{column}% 334 \hfill% 335 \begin{column}{.60\textwidth} 336 \includegraphics[width=6.3cm]{images/diagram-simple.png} 337 {\\\tiny graphics source: \url{https://taler.net/images/diagram-simple.png}} 338 \end{column}% 339 \end{columns} 340 \end{frame} 341 342 \begin{frame}{\faIcon{coins} Withdrawal Protocol} 343 \begin{center} 344 \resizebox{0.64\textwidth}{!}{\begin{minipage}{\textwidth} 345 \begin{figure}[htp] 346 \begin{equation*} 347 \resizebox{1.0\textwidth}{!}{$\displaystyle 348 \begin{array}{ l c l } 349 \text{Customer} & & \text{Exchange} 350 \\ \text{reserve keys } w_s, W_p & & \text{reserve public key } W_p 351 \\ \text{denomination public key } D_p = e, N & & \text{denomination keys } d_s, D_p 352 \\ & & 353 \\\text{generate coin key pair:} & & 354 \\ c_s, C_p \leftarrow Ed25519.KeyGen() & & 355 \\ \text{blind:} & & 356 \\ r \leftarrow random \in \mathbb{Z}_N^* & & 357 \\ m' = \text{FDH}(N, C_p)*r^{e} \mod N & & 358 \\ \text{sign with reserve private key:} & & 359 \\ \rho_W = D_p, m' & & 360 \\ \sigma_W = \text{Ed25519.Sign}(w_s, \rho_W) & & 361 \\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho = W_p, \sigma_W, \rho_W} & 362 \\ & & \text{verify if denomination public key} 363 \\ & & \text{is valid} 364 \\ & & \text{check } \text{Ed25519.Verify}(W_p, \rho_W, \sigma_W) 365 \\ & & \text{decrease balance if sufficient} 366 \\ & & \text{sign:} 367 \\ & & \sigma'_c = (m')^{d_s} \mod N 368 \\ & \xleftarrow[\rule{2.5cm}{0pt}]{\sigma'_c} & 369 \\ \text{unblind:}& & 370 \\ \sigma_c = \sigma'_c*r^{-1} & & 371 \\ \text{verify signature:}& & 372 \\ \text{check } \sigma_c^{e} = \text{FDH}(N, C_p) & & 373 \\ \text{resulting coin: } c_s, C_p, \sigma_c, D_p & & 374 \end{array}$ 375 } 376 \end{equation*} 377 \end{figure} 378 \end{minipage}} 379 \end{center} 380 \end{frame} 381 382 383 \begin{frame}{\faIcon{coins} Refresh Protocol - DH-Lock} 384 \begin{columns}[c] % align columns 385 \begin{column}{.48\textwidth} 386 Diffie-Hellman Lock: 387 \begin{itemize} 388 \item keypairs $C = cG$ and $T = tG$ 389 \item Both keys can unlock the lock: $k = tC = cT$ 390 \end{itemize} 391 \begin{center} 392 \includegraphics[width=2.6cm]{images/dh-lock.png} 393 \end{center} 394 \end{column}% 395 \hfill% 396 \begin{column}{.48\textwidth} 397 \includegraphics[width=5cm]{images/refresh-derive-rsa.png} 398 \end{column}% 399 \end{columns} 400 {\vspace{0.2cm}\tiny graphics source: \url{https://git.taler.net/marketing.git/plain/presentations/comprehensive/main.pdf}} 401 \end{frame} 402 403 \begin{frame}{\faIcon{coins} Refresh Protocol - Cut and Choose} 404 \begin{itemize} 405 \item Customer sets up $k$ DH-Locks 406 \item Exchange sends back random $\gamma \in \{1,\dots,k\}$ 407 \item Customer reveals transfer private keys, except $t_\gamma$ 408 \item Exchange can detect fraud attempts with a probability of $1/k$ 409 \end{itemize} 410 \begin{center} 411 \includegraphics[width=7cm]{images/cutandchose.png} 412 \end{center} 413 {\vspace{-0.2cm}\tiny graphics source: \url{https://git.taler.net/marketing.git/plain/presentations/comprehensive/main.pdf}} 414 \end{frame} 415 416 \begin{frame}{\faIcon{coins} Refresh Protocol Commit Phase} 417 \begin{columns}[c] % align columns 418 \begin{column}{.43\textwidth} 419 \begin{itemize} 420 \item Customer creates $k$ RefreshDerives (DH-Locks) 421 \item Customer commits by calculating a commit hash \\ 422 $h_T := H(T_1, \dots,T_k)$ \\ 423 $h_{\overline{m}} := H(\overline{m}_1, \dots,\overline{m}_k)$ \\ 424 $h_C := H(h_T,h_{\overline{m}} )$ 425 \item The exchange answers with a random $\gamma \in \{1,\dots,k\}$ 426 \end{itemize} 427 \end{column}% 428 \hfill% 429 \begin{column}{.53\textwidth} 430 \begin{center} 431 \vspace{-1cm} 432 \begin{figure} 433 \begin{equation*} 434 \resizebox{1.0\textwidth}{!}{$\displaystyle 435 \begin{array}{ l c l } 436 \text{Customer} & & \text{Exchange} 437 \\ \text{denomination public key } D_{p(i)} & & \text{denomination keys } d_{s(i)}, D_{p(i)} 438 \\ \text{coin}_0 = \langle D_{p(0)}, c_s^{(0)}, C_p^{(0)}, \sigma_c^{(0)} \rangle & & 439 % refresh request 440 \\ \text{Select} \langle N_t, e_t\rangle := D_{p(t)} \in D_{p(i)} 441 \\ \textbf{for } i = 1, \dots, \kappa: % generate k derives 442 \\ s_i \rightarrow \{0,1\}^{256} % seed generation 443 \\ X_i := \text{RefreshDerive}(s_i, D_{p(t)}, C_p^{(0)}) 444 \\ (t_i, T_i, x_i, c_s^{(i)}, C_p^{(i)}, \overline{m}_i) := X_i 445 \\ \textbf{endfor} 446 \\ h_T := H(T_1, \dots, T_k) 447 \\ h_{\overline{m}} := H(\overline{m}_1, \dots, \overline{m}_k) 448 \\ h_C := H(h_t, h_{\overline{m}}) 449 \\ \rho_{RC} := \langle h_C, D_{p(t)}, D_{p(0)}, C_p^{(0)}, \sigma_C^{(0)} \rangle 450 \\ \sigma_{RC} := \text{Ed25519.Sign}(c_s^{(0), \rho_{RC}}) 451 \\ \text{Persist refresh-request} \langle \rho_{RC}, \sigma_{RC} \rangle 452 \\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho_{RC}, \sigma_{RC}} & 453 % Exchange checks refresh request 454 \\ & & (h_C, D_{p(t)}, D_{p(0)}, C_p^{(0)}, \sigma_C^{(0)} = \rho_{RC}) 455 \\ & & \textbf{check} \text{Ed25519.Verify}(C_p^{(0)}, \sigma_{RC}, \rho_{RC}) 456 \\ & & x \rightarrow \text{GetOldRefresh}(\rho_{RC}) 457 \\ & & \textbf{Comment: }\text{GetOldRefresh} \\ &&(\rho_{RC} \mapsto \{\bot,\gamma\}) 458 \\ & & \pcif x = \bot 459 \\ & & v := D(D_{p(t)}) 460 \\ & & \langle e_0, N_0 \rangle := D_{p(0)} 461 \\ & & \textbf{check } \text{IsOverspending}(C_p^{(0)}, D_ {p(0)}, v) 462 \\ & & \textbf{check } D_{p(t)} \in \{D_{p(i)}\} 463 \\ & & \textbf{check } \text{FDH}(N_0, C_p^{(0)}) \equiv_{N_0} (\sigma_0^{(0)})^{e_0} 464 \\ & & \text{MarkFractionalSpend}(C_p^{(0)}, v) 465 \\ & & \gamma \leftarrow \{1, \dots, \kappa\} 466 \\ & & \text{Persist refresh-record } \langle \rho_{RC},\gamma \rangle 467 \\ & & \pcelse 468 \\ & & \gamma := x 469 \\ & & \textbf{endif} 470 \\ & \xleftarrow[\rule{2.5cm}{0pt}]{\gamma} & 471 \end{array}$ 472 } 473 \end{equation*} 474 \end{figure} 475 \end{center} 476 \end{column}% 477 \end{columns} 478 \end{frame} 479 480 \begin{frame}{\faIcon{coins} Refresh Protocol Reveal Phase} 481 \begin{columns}[c] % align columns 482 \begin{column}{.43\textwidth} 483 \begin{itemize} 484 \item Customer reveals every transfer key (seed), except $t_\gamma$ 485 \item The exchange now proves if the customer is honest by recalculating the RefreshDerives 486 \item If the check succeeds, the exchange returns the signature of the new coin 487 \item Fraud attempts are detected with probability of $1/k$ 488 \end{itemize} 489 \end{column}% 490 \hfill% 491 \begin{column}{.53\textwidth} 492 \begin{center} 493 \begin{figure} 494 \begin{equation*} 495 \resizebox{1.0\textwidth}{!}{$\displaystyle 496 \begin{array}{ l c l } 497 \\ & \xleftarrow[\rule{2.5cm}{0pt}]{\gamma} & 498 \\ \textbf{check } \text{IsConsistentChallenge}(\rho_{RC}, \gamma) 499 \\ \textbf{Comment: } \text{IsConsistentChallenge}\\(\rho_{RC}, \gamma) \mapsto \{ \bot,\top \} 500 \\ 501 \\ \text{Persist refresh-challenge} \langle \rho_{RC}, \gamma \rangle 502 \\ S := \langle s_1, \dots, s_{\gamma-1}, s_{\gamma+1}, \dots,s_x \rangle % all seeds without the gamma seed 503 \\ \rho_L = \langle C_p^{(0)}, D_{p(t)}, T_{\gamma},\overline{m}_\gamma \rangle 504 \\ \rho_{RR} = \langle T_\gamma, \overline{m}_\gamma, S \rangle 505 \\ \sigma_{L} = \text{Ed25519.Sign}(c_s^{(0)}, \rho_{L}) 506 \\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho_{RR},\rho_L, \sigma_{L}} & 507 % check revealed msgs and sign coin 508 \\ & & \langle T'_\gamma, \overline{m}'_\gamma, S \rangle := \rho_{RR} 509 \\ & & \langle s_1,\dots,s_{\gamma-1},s_{\gamma+1},\dots,s_\kappa \rangle ) := S 510 \\ & & \textbf{check } \text{Ed25519.Verify}(C_p^{(0)}, \sigma_L, \rho_L) 511 \\ & & \pcfor i = 1,\dots, \gamma-1, \gamma+1,\dots, \kappa 512 \\ & & X_i := \text{RefreshDerive}(s_i, D_{p(t)}, C_p^{(0)}) 513 \\ & & \langle t_i, T_i, x_i, c_s^{(i)}, C_p^{(i)}, \overline{m}_i \rangle := X_i 514 \\ & & \textbf{endfor} 515 \\ & & h_T' = H(T_1,\dots,T_{\gamma-1},T'_{\gamma},T_{\gamma+1},\dots,T_\kappa) 516 \\ & & h_{\overline{m}}' = H(\overline{m}_1,\dots,\overline{m}_{\gamma-1},\overline{m}'_{\gamma},\overline{m}_{\gamma+1},\dots,\overline{m}_\kappa) 517 \\ & & h_C' = H(h_T', h_{\overline{m}}') 518 \\ & & \textbf{check } h_C = h_C' 519 \\ & & \overline{\sigma}_C^{(\gamma)} := \overline{m}^{d_{s(t)}} 520 \\ & \xleftarrow[\rule{2.5cm}{0pt}]{\overline{\sigma}_C^{(\gamma)}} & 521 % Check coin signature and persist coin 522 \\ \sigma_C^{(\gamma)} := r^{-1}\overline{\sigma}_C^{(\gamma)} 523 \\ \textbf{check } (\sigma_C^{(\gamma)})^{e_t} \equiv_{N_t} C_p^{(\gamma)} 524 \\ \text{Persist coin} \langle D_{p(t)}, c_s^{(\gamma)}, C_p^{(\gamma)}, \sigma_C^{(\gamma)} \rangle 525 \end{array}$ 526 } 527 \end{equation*} 528 \end{figure} 529 \end{center} 530 \end{column}% 531 \end{columns} 532 \end{frame} 533 534 \begin{frame}{\faIcon{coins} Link Protocol} 535 % Money Laundring 536 \begin{columns}[c] % align columns 537 \begin{column}{.43\textwidth} 538 \begin{itemize} 539 \item Threat: An evil customer sends the old coins private key to a third party. 540 \item The third party refreshes the coin and receives a new coin. 541 \item Solution: re-obtain refreshed coin with link protocol from $c_{s(old)}$ 542 \end{itemize} 543 \end{column}% 544 \hfill% 545 \begin{column}{.53\textwidth} 546 \begin{center} 547 \begin{figure} 548 \begin{equation*} 549 \resizebox{1.0\textwidth}{!}{$\displaystyle 550 \begin{array}{ l c l } 551 % preliminaries 552 \text{Customer} & & \text{Exchange} 553 \\ \text{knows:} & & \text{knows:} 554 \\ \text{coin}_0 = \langle D_{p(0)}, c_s^{(0)}, C_p^{(0)}, \sigma_{C}^{(0)} \rangle 555 \\ & \xrightarrow[\rule{2.5cm}{0pt}]{C_{p(0)}} & 556 \\ & & L := \text{LookupLink}(C_{p(0)}) 557 \\ & & \textbf{Comment: } \text{LookupLink}(C_p) \mapsto \{\langle \rho_L^{(i)}, 558 \\ & & \sigma_L^{(i)}, \overline{\sigma}_C^{(i)} \rangle\} 559 \\ & \xleftarrow[\rule{2.5cm}{0pt}]{L} & 560 \\ \pcfor \langle \rho_{L}^{(i)}, \overline{\sigma}_L^{(i)}, \sigma_C^{(i)} \rangle \in L 561 \\ \langle \hat{C}_p^{(i)}, D_{p(t)}^{(i)}, T_\gamma^{(i)}, \overline{m}_\gamma^{(i)} \rangle := \rho_L^{(i)} 562 \\ \langle e_t^{(i)}, N_t^{(i)} \rangle := D_{p(t)}^{(i)} 563 \\ \textbf{check } \hat{C}_p^{(i)} \equiv C_p^{(0)} 564 \\ \textbf{check } \text{Ed25519.Verify}(C_p^{(0)}, \rho_{L}^{(i)}, \sigma_L^{(i)}) 565 \\ x_i := \text{ECDH}(c_s^{(0)}, T_{\gamma}^{(i)}) 566 \\ r_i := \text{SelectSeeded}(x_i,\mathbb{Z}^*_{N_t}) 567 \\ c_s^{(i)} := \text{HKDF}(256,x_i,"c") 568 \\ C_p^{(i)} := \text{Ed25519.GetPub}(c_s^{(i)}) 569 \\ \sigma_C^{(i)} := (r_i)^{-1} \cdot \overline{m}_\gamma^{(i)} 570 \\ \textbf{check } (\sigma_C^{(i)})^{e_t^{(i)}} \equiv_{N_t^{(i)}} C_p^{(i)} 571 \\ \text{(Re-)obtain coin} \langle D_{p(t)}^{(i)},c_s^{(i)}, C_p^{(i)}, \sigma_C^{(i)} \rangle 572 \end{array}$ 573 } 574 \end{equation*} 575 \end{figure} 576 \end{center} 577 \end{column}% 578 \end{columns} 579 \end{frame} 580 581 \begin{frame}{\faIcon{coins} Challenges} 582 \begin{itemize} 583 \item \faIcon{hashtag} Two blinding factors 584 \item \faIcon{exchange-alt} Additional request 585 \item \faIcon{calculator} Many calculations are done twice 586 \item \faIcon{dice} Many random elements - What about Abort-Idempotency? 587 \end{itemize} 588 \vspace{1cm} 589 How can we redesign Taler's protocols to work with the Clause Blind Schnorr signature scheme while still preserving all properties? 590 \end{frame} 591