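% Section "Protocol Redesign" of the talk (beamer frames, \input from the main file).
%
% Notation on these slides, as used in the derivations below:
%   d_s          denomination private key (the exchange's long-term secret, see "CS R")
%   D_p          presumably the matching public key; it is what the coin signature
%                is verified against on the "Deposit Protocol" frame -- confirm in thesis
%   c_s, C_p     key pair generated by the wallet with Ed25519.KeyGen (withdraw frame)
%   r_i, R_i     signer nonce scalar and its curve point, R_i = r_i G
%   HKDF(len, ikm, info)   key derivation; written with \HKDF, \concat and \hkdfinfo
%
% Helper macros use \providecommand so that a definition in the preamble,
% if one exists, takes precedence over these fallbacks.
\providecommand*{\HKDF}{\operatorname{HKDF}}        % upright operator, not H*K*D*F
\providecommand*{\concat}{\mathbin{\|}}             % byte-string concatenation
\providecommand*{\hkdfinfo}[1]{\texttt{"#1"}}       % literal HKDF "info" string

\section{\faIcon{clipboard-list} Protocol Redesign}

\begin{frame}{\faIcon{clipboard-list} Protocol Redesign}
  \begin{itemize}
    \item \faIcon{eye} Analyze Taler protocols
    \item \faIcon{user-secret} Integrate where blind signatures are used
    \item \faIcon{scroll} Proposal
    % FIXME: begin very early in the thesis
    \item \faIcon{comments} Rounds of Feedback
  \end{itemize}
\end{frame}

% CS R
\begin{frame}{\faIcon{clipboard-list} CS R}
  \begin{itemize}
    \item Additional Request during signature creation
    \item Introduces complexity
    \item Challenge regarding abort-idempotency
    % No "\\" before a nested list: it only yields an underfull hbox.
    \item Vanilla Clause Blind Schnorr Signature Scheme:
      \begin{itemize}
        \item $r_0 \leftarrow \text{random}$
        % The scalar introduced one line above is r_0, so the point is r_0 G (was "rG").
        \item $R_0 := r_0 G$
      \end{itemize}
    \item Our Changes:
      \begin{itemize}
        \item Introduces Nonce $n$ used for Derivation
        \item Derives $R$: \\
          $r_0 := \HKDF(256, n \concat d_s, \hkdfinfo{r0})$ \\
          $R_0 := r_0 G$
        \item Denomination private key as long-term secret
        % FIXME: Payback Protocol
      \end{itemize}
  \end{itemize}
\end{frame}

% Withdraw
\begin{frame}{\faIcon{clipboard-list} Withdraw Protocol}
  \begin{itemize}
    \item Signature scheme related operations replaced
    \item Additional round-trip introduced
    \item Extensively uses HKDF to achieve abort-idempotency
    \item Randomness in CS replaced with derivation $\rightarrow$ unpredictable
  \end{itemize}
\end{frame}

\begin{frame}{\faIcon{clipboard-list} Withdraw Protocol}
  \framesubtitle{Protocol Changes}
  \begin{columns}[c]
    \begin{column}{.48\textwidth}
      \begin{itemize}
        \item Withdraw Nonce (Wallet): \\
          $c_s, C_p \leftarrow \text{Ed25519.KeyGen}()$ \\
          $n_w := \HKDF(256, c_s, \hkdfinfo{n})$
        \item Request $R$
        \item Derive $R$ (Exchange)
        \item Derive Blinding Secrets (Wallet): \\
          $b_s := \HKDF(256, c_s \concat R_0 \concat R_1, \hkdfinfo{b-seed})$ \\
          $\alpha_0 := \HKDF(256, b_s, \hkdfinfo{a0})$ \\
          $\dots$ \\
          $\beta_1 := \HKDF(256, b_s, \hkdfinfo{b1})$
        % FIXME: Advantages for Payback
      \end{itemize}
    \end{column}
    \hfill
    \begin{column}{.48\textwidth}
      % Relative width keeps the figure inside the .48\textwidth column
      % (a fixed 6.5cm overflows it on the default 128mm beamer paper).
      \includegraphics[width=\linewidth]{images/withdraw1.png}
    \end{column}
  \end{columns}
\end{frame}

\begin{frame}{\faIcon{clipboard-list} Withdraw Protocol}
  \framesubtitle{Protocol Changes}
  \begin{columns}[c]
    \begin{column}{.48\textwidth}
      \begin{itemize}
        \item Derive $b$ (exchange): \\
          $b := \HKDF(1, n_w \concat d_s, \hkdfinfo{b})$
        \item Re-derive $r_b$
        \item Calculate signature scalar
        \item Unblind, construct signature $\langle R_b', s' \rangle$
      \end{itemize}
    \end{column}
    \hfill
    \begin{column}{.48\textwidth}
      \includegraphics[width=\linewidth]{images/withdraw2.png}
    \end{column}
  \end{columns}
\end{frame}

\begin{frame}{\faIcon{clipboard-list} Withdraw Protocol}
  \framesubtitle{Nonce Check}
  \begin{itemize}
    \item Is this safe? (without nonce reuse check) \\
      $r_0 := \HKDF(256, n \concat d_s, \hkdfinfo{r0})$
    \item (Hint $\rightarrow$ no):
      \begin{itemize}
        % NOTE(review): with s = r + c' d_s (the convention implied by the deposit
        % verification s'G = R' + c' D_p) the d_s term reads d_s (c_2' - c_1');
        % the sign here follows the thesis -- confirm which convention is meant.
        \item $s_2 - s_1 = d_s (c_1' - c_2') - (r_1 - r_2)$
        \item if $r_1 = r_2$: \\
          $s_2 - s_1 = d_s (c_1' - c_2')$
        \item Allows private key recovery
        \item Happened before (Bitcoin, PlayStation 3)
      \end{itemize}
    % r is a deterministic function of (n, d_s), so a repeated nonce under the
    % same denomination key repeats r; hence the check is scoped per denomination.
    \item Prevent $r$ reuse $\rightarrow$ do not allow nonce reuse (per denomination)
    \item Applies to withdraw AND refresh
  \end{itemize}
\end{frame}

% Spend
\begin{frame}{\faIcon{clipboard-list} Deposit Protocol}
  \begin{itemize}
    \item Only coin signature verification changes:
      \begin{align*}
        s'G &= R' + c' D_p \\
            &= R' + H(R', C_p) D_p
      \end{align*}
  \end{itemize}
\end{frame}

% Refresh
\begin{frame}{\faIcon{clipboard-list} Refresh and Linking}
  \begin{columns}[c]
    \begin{column}{.48\textwidth}
      \begin{itemize}
        \item Integration similar to withdraw (additional round trip, derivation, etc.)
        \item Introduced new random refresh secret
          \begin{itemize}
            \item Transfer secret
            \item Refresh nonce
          \end{itemize}
        \item Nonce check
        \item Two commit hashes instead of one
      \end{itemize}
    \end{column}
    \hfill
    \begin{column}{.48\textwidth}
      \includegraphics[width=\linewidth]{images/refresh-derive.png}
    \end{column}
  \end{columns}
\end{frame}

% Tipping
\begin{frame}{\faIcon{clipboard-list} Tipping}
  \begin{itemize}
    \item Wallet: same changes as Withdraw
    \item Merchant: Only message signed by merchant's reserve private key changes
  \end{itemize}
\end{frame}

% Payback
\begin{frame}{\faIcon{clipboard-list} Payback Protocol}
  \begin{itemize}
    \item Three different cases:
      \begin{itemize}
        \item \textbf{Revoked coin has never been seen by exchange}: \\
          Adjust Withdraw Transcript
        \item \textbf{Coin partially spent}: \\
          Invoke Refresh Protocol
        \item \textbf{Coin resulted from refresh, has never been seen}: \\
          Adjust refresh transcript
      \end{itemize}
  \end{itemize}
\end{frame}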