marketing

2022-ethz.tex (110343B)

---

 \pdfminorversion=3
 \documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer}
 \usepackage{amsmath}
 \usepackage{multimedia}
 \usepackage[utf8]{inputenc}
 \usepackage{framed,color,ragged2e}
 \usepackage[absolute,overlay]{textpos}
 \definecolor{shadecolor}{rgb}{0.8,0.8,0.8}
 \usetheme{boxes}
 \setbeamertemplate{navigation symbols}{}
 \usepackage{xcolor}
 \usepackage[normalem]{ulem}
 \usepackage{listings}
 \usepackage{adjustbox}
 \usepackage{array}
 \usepackage{bbding}
 \usepackage{relsize}
 \usepackage{graphicx}
 \usepackage{tikz,eurosym,calc}
 \usetikzlibrary{tikzmark}
 \usetikzlibrary{shapes,arrows,arrows.meta}
 \usetikzlibrary{positioning,fit,patterns}
 \usetikzlibrary{calc}
 
 % CSS
 \lstdefinelanguage{CSS}{
   basicstyle=\ttfamily\scriptsize,
   keywords={color,background-image:,margin,padding,font,weight,display,position,top,left,right,bottom,list,style,border,size,white,space,min,width, transition:, transform:, transition-property, transition-duration, transition-timing-function},
   sensitive=true,
   morecomment=[l]{//},
   morecomment=[s]{/*}{*/},
   morestring=[b]',
   morestring=[b]",
   alsoletter={:},
   alsodigit={-}
 }
 
 % JavaScript
 \lstdefinelanguage{JavaScript}{
   basicstyle=\ttfamily\scriptsize,
   morekeywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
   morecomment=[s]{/*}{*/},
   morecomment=[l]//,
   morestring=[b]",
   morestring=[b]'
 }
 
 \lstdefinelanguage{HTML5}{
   basicstyle=\ttfamily\scriptsize,
   language=html,
   sensitive=true,
   alsoletter={<>=-},
   morecomment=[s]{<!-}{-->},
   tag=[s],
   otherkeywords={
   % General
   >,
   % Standard tags
 	<!DOCTYPE,
   </html, <html, <head, <title, </title, <style, </style, <link, </head, <meta, />,
 	% body
 	</body, <body,
 	% Divs
 	</div, <div, </div>,
 	% Paragraphs
 	</p, <p, </p>,
 	% scripts
 	</script, <script,
   % More tags...
   <canvas, /canvas>, <svg, <rect, <animateTransform, </rect>, </svg>, <video, <source, <iframe, </iframe>, </video>, <image, </image>
   },
   ndkeywords={
   % General
   =,
   % HTML attributes
   charset=, src=, id=, width=, height=, style=, type=, rel=, href=,
   % SVG attributes
   fill=, attributeName=, begin=, dur=, from=, to=, poster=, controls=, x=, y=, repeatCount=, xlink:href=,
   % CSS properties
   margin:, padding:, background-image:, border:, top:, left:, position:, width:, height:,
 	% CSS3 properties
   transform:, -moz-transform:, -webkit-transform:,
   animation:, -webkit-animation:,
   transition:,  transition-duration:, transition-property:, transition-timing-function:,
   }
 }
 
 \lstdefinelanguage{JavaScript}{
   basicstyle=\ttfamily\scriptsize,
   keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break, for},
   keywordstyle=\color{blue}\bfseries,
   ndkeywords={class, export, boolean, throw, implements, import, this},
   ndkeywordstyle=\color{darkgray}\bfseries,
   identifierstyle=\color{black},
   sensitive=false,
   comment=[l]{//},
   morecomment=[s]{/*}{*/},
   commentstyle=\color{purple}\ttfamily,
   stringstyle=\color{red}\ttfamily,
   morestring=[b]',
   morestring=[b]"
 }
 
 \setbeamersize{description width=1em}
 
 \definecolor{blue}{rgb}{0,0,0.7}
 \newcommand{\orange}[1]{{\color{orange}#1}}
 \newcommand{\blue}[1]{{\color{blue}#1}}
 \newcommand{\red}[1]{{\color{red}#1}}
 \newcommand{\Guardian}{\mathcal{G}}
 \newcommand{\Child}{\mathcal{C}}
 \newcommand{\Customer}{\mathcal{C}}
 \newcommand{\Merchant}{\mathcal{M}}
 \newcommand{\Exchange}{\mathcal{E}}
 
 \newcommand{\Commit}{\mathsf{Commit}}
 \newcommand{\Attest}{\mathsf{Attest}}
 \newcommand{\Verify}{\mathsf{Verify}}
 \newcommand{\Derive}{\mathsf{Derive}}
 \newcommand{\DeriveCompare}{\mathsf{DeriveCompare_\kappa}}
 \newcommand{\Compare}{\mathsf{Compare}}
 \newcommand{\AgeVer}{\mathsf{AgeVer}}
 
 \newcommand{\HashF}{\mathsf{H}}
 \newcommand{\Hash}{\mathsf{H}}
 \newcommand{\Block}{\mathbb{B}}
 \newcommand{\Pub}{\mathsf{Pub}}
 \newcommand{\Sign}{\mathsf{Sig}}
 \newcommand{\Ver}{\mathsf{Ver}}
 \newcommand{\Encoding}{\mathsf{Encoding}}
 \newcommand{\ECDSA}{\mathsf{ECDSA}}
 \newcommand{\Null}{\mathcal{O}}
 \newcommand{\EC}{\mathrm{ec}}
 \newcommand{\Curve}{\mathsf{Curve25519}}
 \newcommand{\SHA}{\mathsf{SHA256}}
 \newcommand{\SHAF}{\mathsf{SHA252}}
 \newcommand{\FDH}{\mathsf{FDH}}
 
 \newcommand{\negl}{\epsilon}
 
 \newcommand{\rand}{\mathsf{rand}}
 \newcommand{\age}{\mathsf{a}}
 \newcommand{\Age}{\mathsf{M}}
 \newcommand{\bage}{\mathsf{b}}
 \newcommand{\minage}{\mathsf{m}}
 \newcommand{\attest}{\mathsf{T}}
 \newcommand{\commitment}{\mathsf{Q}}
 \newcommand{\pruf}{\mathsf{P}}
 \newcommand{\Vcommitment}{\vec{\mathsf{Q}}}
 \newcommand{\Vpruf}{\vec{\mathsf{P}}}
 \newcommand{\blinding}{\beta}
 
 \newcommand{\ZN}{\mathbb{Z}_N}
 \newcommand{\Z}{\mathbb{Z}}
 \newcommand{\N}{\mathbb{N}}
 \newcommand{\A}{\mathbb{A}}
 \newcommand{\E}{\mathbb{E}}
 \newcommand{\F}{\mathbb{F}}
 \newcommand{\seck}{\mathsf{s}}
 \newcommand{\pubk}{\mathsf{P}}
 \renewcommand{\H}{\mathbb{H}}
 \newcommand{\K}{\mathbb{K}}
 \newcommand{\Proofs}{\mathbb{P}}
 \newcommand{\Commitments}{\mathbb{O}}
 \newcommand{\Attests}{\mathbb{T}}
 \newcommand{\Blindings}{\mathbb{B}}
 \newcommand{\Nil}{\perp}
 
 \newcommand{\p}{\mathsf{p}}
 \newcommand{\com}{\mathsf{com}}
 \newcommand{\prf}{\mathsf{prf}}
 
 \newcommand{\Adv}{\mathcal{A}}
 \newcommand{\PPT}{\mathfrak{A}}
 \newcommand{\Probability}{\mathrm{Pr}}
 \newcommand{\Algorithm}{f}
 \renewcommand{\Game}[1]{G_\Adv^\mathsf{#1}}
 
 \DeclareMathOperator{\Image}{Im}
 \DeclareMathOperator{\Mod}{mod}
 
 \newcommand{\Encode}[1]{\overbracket[0.5pt][2pt]{\,#1\,}}
 \newcommand{\Decode}[1]{\underbracket[0.5pt][3pt]{\,#1\,}}
 \newcommand{\FDHg}[1]{[#1]_g\,}
 \newcommand{\logg}{{\breve{g}}}
 
 
 \newcommand{\drawfrom}{\xleftarrow{\$}}
 \newcommand\Exists{%
 	  \mathop{\lower0.75ex\hbox{\ensuremath{%
 		  \mathlarger{\mathlarger{\mathlarger{\mathlarger{\exists}}}}}}}%
 	  \limits}
 
 \newcommand\Forall{%
 	  \mathop{\lower0.75ex\hbox{\ensuremath{%
 		  \mathlarger{\mathlarger{\mathlarger{\mathlarger{\forall}}}}}}}%
 	  \limits}
 
 
 \title{GNU Taler}
 %\subtitle{}
 
 \setbeamertemplate{navigation symbols}{\includegraphics[width=1cm]{inria.pdf} \includegraphics[width=2.3cm]{bfh.png} \includegraphics[width=1.6cm]{fub.pdf} \includegraphics[width=0.4cm]{ashoka.png}  \includegraphics[width=0.4cm]{gnu.png} \includegraphics[width=1cm]{taler-logo-2021-inkscape.pdf} \hfill}
 %\setbeamercovered{transparent=1}
 
 \author[C. Grothoff]{J. Burdges, F. Dold, {\bf C. Grothoff}, M. Stanisci}
 \date{\today}
 \institute{The GNU Project}
 
 
 \begin{document}
 
 \justifying
 
 \begin{frame}
   \begin{center}
     \LARGE {\bf GNU}
 
     \vfill
 %    \includegraphics[width=0.66\textwidth]{logo-2017-fr.pdf}
     \includegraphics[width=0.66\textwidth]{taler-logo-2021-inkscape.pdf}
   \end{center}
 \begin{textblock*}{6cm}(.5cm,7.7cm) % {block width} (coords)
     {\Large {\bf \href{https://taler.net/}{taler.net}} \\
     \href{https://twitter.com/taler}{taler@twitter} \\
     \href{https://taler-systems.com/}{taler-systems.com}}
 \end{textblock*}
 
 % Substitute based on who is giving the talk!
  \begin{textblock*}{6cm}(6.7cm,7.7cm) % {block width} (coords)
    {\hfill {\Large {\bf Florian Dold \&} \\
     \hfill {\bf Christian Grothoff}} \\
     \hfill \{dold,grothoff\}@taler.net }
 \end{textblock*}
 
 \end{frame}
 
 
 \begin{frame}{A Social Problem}
 %  \vfill
   This was a question posed to RAND researchers in 1971:
 
 \begin{quote}
   ``Suppose you were an advisor to the head of the KGB, the Soviet Secret Police. Suppose you are given the assignment of designing a system for the surveillance of all citizens and visitors within the boundaries of the USSR. The system is not to be too obtrusive or obvious. What would be your decision?''
 \end{quote}
 %The result: an electronic funds transfer system that looks
 %strikingly similar today's debit card system.
 \pause
   \begin{center}
   \includegraphics[height=2cm]{pics/nsa_spy.jpg}
   \end{center}
 \vfill
   \begin{center}
 ``I think one of the big things that we need to do, is we need
 to get a way from true-name payments on the Internet. The credit
 card payment system is one of the worst things that happened for the
 user, in terms of being able to divorce their access from their
 identity.'' \hfill --Edward Snowden, IETF 93 (2015)
 \end{center}
 
 \end{frame}
 
 
 
 \section{The Bank's Problem}
 \begin{frame}{The Bank's Problem}
 
   3D secure (``verified by visa'') is a nightmare:
 
   \begin{minipage}{5cm}
     \begin{itemize}
     \item Complicated process
     \item Shifts liability to consumer
     \item Significant latency
     \item Can refuse valid requests
     \item Legal vendors excluded
     \item No privacy for buyers
      \end{itemize}
   \end{minipage}
   \begin{minipage}{5cm}
       \includegraphics[width=\textwidth]{illustrations/cc3ds.pdf}
   \end{minipage}
   \vfill
     Online credit card payments will be replaced, but with what?
 \end{frame}
 
 
 \begin{frame}{The Bank's Problem}
 \vfill
   \begin{textblock*}{12cm}(0.5cm,1cm) % {block width} (coords)
     \begin{itemize}
     \item Global tech companies push oligopolies
     \item Privacy and federated finance are at risk
 %    \item 30\% fees are conceivable
     \item Economic sovereignty is in danger
     \end{itemize}
 \end{textblock*}
 \begin{textblock*}{4cm}(3.5cm,5.2cm) % {block width} (coords)
  {\includegraphics[width=\textwidth]{../investors/competitor-logos/amazon.png}}
 \end{textblock*}
 \begin{textblock*}{2cm}(7cm,3cm) % {block width} (coords)
  {\includegraphics[width=\textwidth]{../investors/competitor-logos/alipay.jpeg}}
 \end{textblock*}
 \begin{textblock*}{2cm}(3cm,3.5cm) % {block width} (coords)
  {\includegraphics[width=\textwidth]{../investors/competitor-logos/paypal.jpeg}}
 \end{textblock*}
 \begin{textblock*}{2cm}(9cm,5cm) % {block width} (coords)
  {\includegraphics[width=\textwidth]{../investors/competitor-logos/applepay.jpeg}}
 \end{textblock*}
 \begin{textblock*}{2cm}(7.5cm,5.9cm) % {block width} (coords)
  {\includegraphics[width=\textwidth]{../investors/competitor-logos/samsungpay.jpeg}}
 \end{textblock*}
 \begin{textblock*}{1cm}(9.5cm,6.3cm) % {block width} (coords)
  {\includegraphics[width=\textwidth]{../investors/competitor-logos/android_pay.png}}
 \end{textblock*}
 \vfill
 \end{frame}
 
 
 \begin{frame}{The Distraction: Bitcoin}
 
 \begin{itemize}
 \item Unregulated payment system and currency:
 \item[] $\Rightarrow$ lack of regulation is a feature!
 \item Implemented in free software
 \item Decentralised peer-to-peer system   \pause
 \item Decentralised banking requires solving Byzantine consensus
 \item Creative solution: tie initial accumulation to solving consensus \pause
 \item[] $\Rightarrow$ Proof-of-work advances ledger
 \item[] $\Rightarrow$ Very expensive banking
 \end{itemize}
 \end{frame}
 
 
 \begin{frame}
   \frametitle{\includegraphics[height=0.5cm]{pics/bitcoin.png}?}
   \framesubtitle{Background: \url{https://blockchain.com/charts/}}
   \centering
 \noindent
 \includegraphics[width=\textwidth]{pics/btc-transaction-cost.png}
 
 Current average transaction value: $\approx$ 1000 USD
 \end{frame}
 
 
 \begin{frame}
   \frametitle{\includegraphics[height=0.5cm]{pics/zerocoin.png}?}
 
 Cryptography is rather primitive:
 \begin{center}
   {\bf All Bitcoin transactions are public and linkable!}
 \end{center}
 
 \begin{itemize}
 \item[] $\Rightarrow$ no privacy guarantees
 \item[] $\Rightarrow$ enhanced with ``laundering'' services
 \end{itemize}
 ZeroCoin, CryptoNote (Monero) and ZeroCash (ZCash) offer anonymity.
 \end{frame}
 
 
 \begin{frame}
   \vfill
 \begin{center}
 {\bf Do you want to have a libertarian economy?}
 \end{center}
   \vfill
 \begin{center}
 {\bf Do you want to live under total surveillance?}
 \end{center}
 \vfill
 \end{frame}
 
 
 
 \begin{frame}{The Bank of International Settlements}
   \begin{center}
     \movie[%scale=0.6,
            autostart,
            poster]
            {
                \includegraphics[height=0.6\textwidth,width=0.8\textwidth]{white.png}
            }
           {bis-cbdc.mp4}
   \end{center}
 \end{frame}
 
 
 \begin{frame}{The Emergency Act of Canada\footnote{Speech by Premier Kenney, Alberta, February 2022}}
   \begin{center}
     \movie[%scale=0.6,
            autostart,
            poster]
            {
                \includegraphics[height=0.6\textwidth,width=0.8\textwidth]{ca.png}
            }
           {emergencyact.mp4}
 
   {\tiny \url{https://www.youtube.com/watch?v=NehMAj492SA} (2'2022)}
   \end{center}
 \end{frame}
 
 
 
 \begin{frame}{GNU Taler}
   \vfill
   \begin{center}
     {\huge {\bf Digital} cash, made \textbf{socially responsible}.}
   \end{center}
   \vfill
   \begin{center}
   \includegraphics[scale=0.3]{taler-logo-2021-inkscape.pdf}
   \end{center}
   \vfill
   \begin{center}
     Privacy-Preserving, Practical, Taxable, Free Software, Efficient
   \end{center}
  \vfill
  \vfill
 \ %
 \end{frame}
 
 
 \section{What is Taler?}
 \begin{frame}{What is Taler?}
   \framesubtitle{\url{https://taler.net/en/features.html}}  \noindent
 Taler is
   \vfill
   \begin{itemize}
     \item a Free/Libre software \emph{payment system} infrastructure project
     \item ... with a surrounding software ecosystem
     \item ... and a company (Taler Systems S.A.) and community that wants to deploy it
       as widely as possible.
   \end{itemize}
   \vfill
 \noindent
  However, Taler is
   \begin{itemize}
     \item \emph{not} a currency
     \item \emph{not} a long-term store of value
     \item \emph{not} a network or instance of a system
     \item \emph{not} decentralized
     \item \emph{not} based on proof-of-work or proof-of-stake
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Design principles}
   \framesubtitle{https://taler.net/en/principles.html}
 GNU Taler must ...
 \begin{enumerate}
   \item {... be implemented as {\bf free software}.}
   \item {... protect the {\bf privacy of buyers}.}
   \item {... must enable the state to {\bf tax income} and crack down on
     illegal business activities.}
   \item {... prevent payment fraud.}
   \item {... only {\bf disclose the minimal amount of information
     necessary}.}
   \item {... be usable.}
   \item {... be efficient.}
   \item {... avoid single points of failure.}
   \item {... foster {\bf competition}.}
 \end{enumerate}
 \end{frame}
 
 
 \begin{frame}
 \frametitle{Taler Overview}
 \begin{center}
 \begin{tikzpicture}
  \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em];
  \node (origin) at (0,0) {};
  \node (exchange) [def,above=of origin,draw]{Exchange};
  \node (customer) [def, draw, below left=of origin] {Customer};
  \node (merchant) [def, draw, below right=of origin] {Merchant};
  \node (auditor) [def, draw, above right=of origin]{Auditor};
 % \node (regulator) [def, draw, above=of auditor]{CSSF};
 
  \tikzstyle{C} = [color=black, line width=1pt]
 
  \draw [<-, C] (customer) -- (exchange) node [midway, above, sloped] (TextNode) {withdraw coins};
  \draw [<-, C] (exchange) -- (merchant) node [midway, above, sloped] (TextNode) {deposit coins};
  \draw [<-, C] (merchant) -- (customer) node [midway, above, sloped] (TextNode) {spend coins};
  \draw [<-, C] (exchange) -- (auditor) node [midway, above, sloped] (TextNode) {verify};
 % \draw [<-, C] (regulator) -- (auditor) node [midway, above, sloped] (TextNode) {report};
 
 \end{tikzpicture}
 \end{center}
 \end{frame}
 
 
 \begin{frame}
   % TODO: replace with simplified NEW architecture picture!
 \frametitle{Architecture of Taler}
 \begin{center}
   \includegraphics[width=1\textwidth]{operations.png}
 \end{center}
 \end{frame}
 
 
 \begin{frame}{Taler: Unique Regulatory Features for Central Banks}
   \framesubtitle{\url{https://www.snb.ch/en/mmr/papers/id/working_paper_2021_03}}
   \begin{itemize}
     \item Central bank issues digital coins equivalent to issuing cash \\
           $\Rightarrow$ monetary policy remains under CB control
     \item Architecture with consumer accounts at commercial banks \\
           $\Rightarrow$ no competition for commercial banking (S\&L) \\
           $\Rightarrow$ CB does not have to manage KYC, customer support
     \item Withdrawal limits and denomination expiration \\
           $\Rightarrow$ protects against bank runs and hoarding
     \item Income transparency and possibility to set fees \\
           $\Rightarrow$ additional insights into economy and new policy options
     \item Revocation protocols and loss limitations \\
           $\Rightarrow$ exit strategy and handles catastrophic security incidents
     \item Privacy by cryptographic design not organizational compliance \\
           $\Rightarrow$ CB cannot be forced to facilitate mass-surveillance
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Usability of Taler}
   \vfill
   \begin{center}
     \url{https://demo.taler.net/}
   \end{center}
   \begin{enumerate}
   \item Install browser extension.
   \item Visit the {\tt bank.demo.taler.net} to withdraw coins.
   \item Visit the {\tt shop.demo.taler.net} to spend coins.
   \end{enumerate}
   \vfill
 \end{frame}
 
 
 \begin{frame}{Use Case: Journalism}
   Today:
   \begin{itemize}
     \item Corporate structure % ($\Rightarrow$ filter)
     \item Advertising primary revenue % ($\Rightarrow$ dependence)
     \item Tracking readers critical for business success
     \item Journalism and marketing hard to distinguish
   \end{itemize}\vfill\pause
   With GNU Taler:
   \begin{itemize}
     \item One-click micropayments per article
     \item Hosting requires no expertise % (no PCI DSS)
     \item Reader-funded reporting separated from marketing
     \item Readers can remain anonymous
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{How does it work?}
 We use a few ancient constructions:
   \begin{itemize}
   \item Cryptographic hash function (1989)
   \item Blind signature (1983)
   \item Schnorr signature (1989)
   \item Diffie-Hellman key exchange (1976)
   \item Cut-and-choose zero-knowledge proof (1985)
   \end{itemize}
 But of course we use modern instantiations.
 \end{frame}
 
 
 \begin{frame}{Definition: Taxability}
   We say Taler is taxable because:
   \begin{itemize}
   \item Merchant's income is visible from deposits.
   \item Hash of contract is part of deposit data.
   \item State can trace income and enforce taxation.
   \end{itemize}\pause
   Limitations:
   \begin{itemize}
   \item withdraw loophole
   \item {\em sharing} coins among family and friends
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Exchange setup: Create a denomination key (RSA)}
    \begin{minipage}{6cm}
     \begin{enumerate}
     \item Pick random primes $p,q$.
     \item Compute $n := pq$, $\phi(n) = (p-1)(q-1)$
     \item Pick small $e < \phi(n)$ such that
           $d := e^{-1} \mod \phi(n)$ exists.
     \item Publish public key $(e,n)$.
     \end{enumerate}
   \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
  \tikzstyle{def} = [node distance=1em and 1em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (primes) [draw=none, below = of origin] at (0,0) {$(p, q)$};
     \node (seal) [def, draw=none, below left=of primes]{\includegraphics[width=0.15\textwidth]{seal.pdf}};
     \node (hammer) [def, draw=none, below right=of primes]{\includegraphics[width=0.15\textwidth]{hammer.pdf}};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (primes) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (hammer) -- (primes) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
 %  \includegraphics[width=0.4\textwidth]{seal.pdf}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Merchant: Create a signing key (EdDSA)}
   \begin{minipage}{6cm}
     \begin{itemize}
   \item pick random $m \mod o$ as private key
   \item $M = mG$ public key
   \end{itemize}
   \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (m) [draw=none, below = of origin] at (0,0) {$m$};
     \node (seal) [draw=none, below=of m]{M};
    \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (m) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
   \parbox[t]{3cm}{{\bf Capability:} $m \Rightarrow$ }
   \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{merchant-sign.pdf}}
 \end{frame}
 
 
 \begin{frame}{Customer: Create a planchet (EdDSA)}
   \begin{minipage}{8cm}
   \begin{itemize}
   \item Pick random $c \mod o$ private key
   \item $C = cG$ public key
   \end{itemize}
   \end{minipage}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (c) [draw=none, below = of origin] at (0,0) {$c$};
     \node (planchet) [draw=none, below=of c]{\includegraphics[width=0.4\textwidth]{planchet.pdf}};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (c) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (planchet) -- (c) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
   \parbox[t]{3cm}{{\bf Capability:} $c \Rightarrow$ }
   \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{planchet-sign.pdf}}
 \end{frame}
 
 
 \begin{frame}{Customer: Blind planchet (RSA)}
   \begin{minipage}{6cm}
     \begin{enumerate}
     \item Obtain public key $(e,n)$
     \item Compute $f := FDH(C)$, $f < n$.
     \item Pick blinding factor $b \in \mathbb Z_n$
     \item Transmit $f' := f b^e \mod n$
     \end{enumerate}
   \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (b) [def, draw=none, below = of origin] at (0,-0.2) {$b$};
     \node (blinded) [def, draw=none, below right=of b]{\includegraphics[width=0.2\textwidth]{blinded.pdf}};
     \node (planchet) [def, draw=none, above right=of blinded]{\includegraphics[width=0.15\textwidth]{planchet.pdf}};
     \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Exchange: Blind sign (RSA)}
    \begin{minipage}{6cm}
     \begin{enumerate}
     \item Receive $f'$.
     \item Compute $s' := f'^d \mod n$.
     \item Send signature $s'$.
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}};
     \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
     \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Customer: Unblind coin (RSA)}
   \begin{minipage}{6cm}
    \begin{enumerate}
     \item Receive $s'$.
     \item Compute $s := s' b^{-1} \mod n$ % \\
     % ($(f')^d = (f b^e)^d = f^d b$).
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (b) [def, draw=none] at (0,0) {$b$};
     \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
     \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Customer: Build shopping cart}
   \begin{center}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{shop.pdf}};
     \node (cart) [draw=none, below=of m]{\includegraphics[width=0.2\textwidth]{cart.pdf}};
     \node (merchant) [node distance=4em and 0.5em, draw, below =of cart]{Merchant};
     \tikzstyle{C} = [color=black, line width=1pt];
     \draw [<-, C] (cart) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (merchant) -- (cart) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{center}
 \end{frame}
 
 
 \begin{frame}{Merchant: Propose contract (EdDSA)}
    \begin{minipage}{6cm}
    \begin{enumerate}
     \item Complete proposal $D$.
     \item Send $D$, $EdDSA_m(D)$
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (cart) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{cart.pdf}};
     \node (proposal) [def, draw=none, below right=of cart]{\includegraphics[width=0.5\textwidth]{merchant_propose.pdf}};
     \node (customer) [node distance=4em and 0.5em, draw, below =of proposal]{Customer};
     \tikzstyle{C} = [color=black, line width=1pt];
     \node (sign) [def, draw=none, above right=of proposal] {$m$};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (proposal) -- (sign) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (proposal) -- (cart) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (customer) -- (proposal) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Customer: Spend coin (EdDSA)}
   \begin{minipage}{6cm}
    \begin{enumerate}
     \item Receive proposal $D$, $EdDSA_m(D)$.
     \item Send $s$, $C$, $EdDSA_c(D)$
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance=2em and 0.4em, inner sep=0em, outer sep=.3em];
     \node (proposal) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}};
     \node (contract) [def, draw=none, below right=of cart]{\includegraphics[width=0.3\textwidth]{contract.pdf}};
     \node (c) [def, draw=none, above=of contract] {$c$};
     \node (merchant) [node distance=4em and 0.5em, draw, below=of contract]{Merchant};
     \node (coin) [def, draw=none, right=of contract]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (contract) -- (proposal) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (merchant) -- (contract) node [midway, above, sloped] (TextNode) {{\small transmit}};
     \draw [<-, C] (merchant) -- (coin) node [midway, below, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Merchant and Exchange: Verify coin (RSA)}
    \begin{minipage}{6cm}
  \begin{equation*}
    s^e \stackrel{?}{\equiv} FDH(C) \mod n
    \end{equation*}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{minipage}{0.2\textwidth}
     \includegraphics[width=\textwidth]{coin.pdf}
   \end{minipage}
   $\stackrel{?}{\Leftrightarrow}$
   \begin{minipage}{0.2\textwidth}
     \includegraphics[width=\textwidth]{seal.pdf}
   \end{minipage}
   \end{minipage}
   \vfill
   The exchange does not only verify the signature, but also
   checks that the coin was not double-spent.
   \vfill
   \pause
   \begin{center}
   {\bf Taler is an online payment system.}
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}{Requirements: Online vs. Offline Digital Currencies}
 \framesubtitle{\url{https://taler.net/papers/euro-bearer-online-2021.pdf}}
 \begin{itemize}
     \item Offline capabilities are sometimes cited as a requirement for digital payment solutions
     \item All implementations must either use restrictive hardware elements and/or introduce
       counterparty risk.
     \item[$\Rightarrow$] Permanent offline features weaken a digital payment solution (privacy, security)
     \item[$\Rightarrow$] Introduces unwarranted competition for physical cash (endangers emergency-preparedness).
   \end{itemize}
   We recommend a tiered approach:
       \begin{enumerate}
         \item Online-first, bearer-based digital currency with Taler
         \item (Optional:) Limited offline mode for network outages
         \item Physical cash for emergencies (power outage, catastrophic cyber incidents)
       \end{enumerate}
 \end{frame}
 
 
 \begin{frame}{Giving change}
   It would be inefficient to pay EUR 100 with 1 cent coins!
   \begin{itemize}
   \item Denomination key represents value of a coin.
   \item Exchange may offer various denominations for coins.
   \item Wallet may not have exact change!
   \item Usability requires ability to pay given sufficient total funds.
   \end{itemize}\pause
   Key goals:
   \begin{itemize}
   \item maintain unlinkability
   \item maintain taxability of transactions
   \end{itemize}\pause
   Method:
   \begin{itemize}
     \item Contract can specify to only pay {\em partial value} of a coin.
     \item Exchange allows wallet to obtain {\em unlinkable change}
       for remaining coin value.
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Diffie-Hellman (ECDH)}
   \begin{minipage}{8cm}
    \begin{enumerate}
     \item Create private keys $c,t \mod o$
     \item Define $C = cG$
     \item Define $T = tG$
     \item Compute DH \\ $cT = c(tG) = t(cG) = tC$
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t$};
     \node (ct) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{dh.pdf}};
     \node (c) [def, draw=none, above left= of ct]  {$c$};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (ct) -- (c) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (ct) -- (t) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Strawman solution}
   \begin{minipage}{8cm}
     Given partially spent private coin key $c_{old}$:
    \begin{enumerate}
 %    \item Let $C_{old} := c_{old}G$ (as before)
     \item Pick random $c_{new} \mod o$ private key
     \item $C_{new} = c_{new}G$ public key
     \item Pick random $b_{new}$
     \item Compute $f_{new} := FDH(C_{new})$, $m < n$.
     \item Transmit $f'_{new} := f_{new} b_{new}^e \mod n$
    \end{enumerate}
    ... and sign request for change with $c_{old}$.
    \end{minipage}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (blinded) [def, draw=none]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (planchet) [def, draw=none, above left= of blinded]  {\includegraphics[width=0.15\textwidth]{planchet.pdf}};
     \node (cnew) [def, draw=none, above= of planchet]  {$c_{new}$};
     \node (bnew) [def, draw=none, above right= of blinded]  {$b_{new}$};
     \node (dice1) [def, draw=none, above = of cnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dice2) [def, draw=none, above = of bnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (cnew) -- (dice1) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (planchet) -- (cnew) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bnew) -- (dice2) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bnew) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
   \pause
   \vfill
   {\bf Problem: Owner of $c_{new}$ may differ from owner of $c_{old}$!}
 \end{frame}
 
 
 \begin{frame}{Customer: Transfer key setup (ECDH)}
   \begin{minipage}{8cm}
     Given partially spent private coin key $c_{old}$:
    \begin{enumerate}
     \item Let $C_{old} := c_{old}G$ (as before)
     \item Create random private transfer key $t \mod o$
     \item Compute $T := tG$
     \item Compute $X := c_{old}(tG) = t(c_{old}G) = tC_{old}$
     \item Derive $c_{new}$ and $b_{new}$ from $X$
     \item Compute $C_{new} := c_{new}G$
     \item Compute $f_{new} := FDH(C_{new})$
     \item Transmit $f_{new}' := f_{new} b_{new}^e$
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t$};
     \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Cut-and-Choose}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t_1$};
     \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,1}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new,1}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t_2$};
     \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,2}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new,2}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t_3$};
     \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,3}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new,3}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Exchange: Choose!}
    \begin{center}
     \item Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the customer.
     \end{center}
 \end{frame}
 
 
 \begin{frame}{Customer: Reveal}
    \begin{enumerate}
    \item If $\gamma = 1$, send $t_2$, $t_3$ to exchange
    \item If $\gamma = 2$, send $t_1$, $t_3$ to exchange
    \item If $\gamma = 3$, send $t_1$, $t_2$ to exchange
   \end{enumerate}
 \end{frame}
 
 
 \begin{frame}{Exchange: Verify ($\gamma = 2$)}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (h) [def, draw=none] at (0,0) {$t_1$};
     \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$C_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,1}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new,1}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
   \begin{minipage}{4cm}
  \
   \end{minipage}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (h) [def, draw=none] at (0,0) {$t_3$};
     \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$C_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,3}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new,3}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Exchange: Blind sign change (RSA)}
    \begin{minipage}{6cm}
     \begin{enumerate}
     \item Take $f_{new,\gamma}'$.
     \item Compute $s' := f_{new,\gamma}'^d \mod n$.
     \item Send signature $s'$.
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}};
     \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
     \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Customer: Unblind change (RSA)}
   \begin{minipage}{6cm}
    \begin{enumerate}
     \item Receive $s'$.
     \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$.
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$};
     \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
     \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Exchange: Allow linking change}
   \begin{minipage}{7cm}
     \begin{center}
     Given $C_{old}$
 
     \vspace{1cm}
 
     return $T_\gamma$, $s := s' b_{new,\gamma}^{-1} \mod n$.
   \end{center}
    \end{minipage}
   \begin{minipage}{5cm}
    \begin{tikzpicture}
     \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer sep=.3em];
     \node (co) [def, draw=none] at (0,0) {$C_{old}$};
     \node (T) [def, draw=none, below left=of co]{$T_\gamma$};
     \node (sign) [def, draw=none, below right=of co]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
     \node (customer) [def, draw, below right=of T] {Customer};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode) {link};
     \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode) {link};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Customer: Link (threat!)}
   \begin{minipage}{6.3cm}
    \begin{enumerate}
     \item Have $c_{old}$.
     \item Obtain $T_\gamma$, $s$ from exchange
     \item Compute $X_\gamma = c_{old}T_\gamma$
     \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$
     \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$
   \end{enumerate}
 
    \end{minipage}
   \begin{minipage}{5.7cm}
   \begin{tikzpicture}
   \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (T) [def, draw=none] at (0,0) {$T_\gamma$};
     \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange};
     \node (signed) [def, draw=none, below left=of T]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
     \node (dh) [def, draw=none, below right=of T]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (bp) [def, draw=none, below left= of dh]  {$b_{new,\gamma}$};
     \node (co) [def, draw=none, above right= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below= of dh]  {$c_{new,\gamma}$};
     \node (coin) [def, draw=none, below left = of bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
     \node (psign) [def, node distance=2.5em and 0em, draw=none, below = of cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode) {link};
     \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped] (TextNode) {link};
     \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Refresh protocol summary}
   \begin{itemize}
   \item Customer asks exchange to convert old coin to new coin
   \item Protocol ensures new coins can be recovered from old coin
   \item[$\Rightarrow$] New coins are owned by the same entity!
   \end{itemize}
   Thus, the refresh protocol allows:
   \begin{itemize}
   \item To give unlinkable change.
   \item To give refunds to an anonymous customer.
   \item To expire old keys and migrate coins to new ones.
   \item To handle protocol aborts.
   \end{itemize}
   \noindent
   \begin{center}
     \bf
    Transactions via refresh are equivalent to {\em sharing} a wallet.
 \end{center}
 \end{frame}
 
 
 \section{Age restrictions}
 
 \begin{frame}{Age restriction in E-commerce}
 
 	\begin{description}
 		\item[Problem:]~\\[1em]
 			Verification of minimum age requirements in e-commerce.\\[2em]
 
 		\item[Common solutions:]
 
 \begin{tabular}{l<{\onslide<2->}c<{\onslide<3->}cr<{\onslide}}
 	& \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount]
 	1. ID Verification     & bad   & required & \\[\medskipamount]
 	2. Restricted Accounts & bad   & required & \\[\medskipamount]
 	3. Attribute-based     & good  & required &\tikzmark{bottomau} \\[\medskipamount]
 \end{tabular}
 	\end{description}
 
 \uncover<4->{
 	\begin{tikzpicture}[overlay,remember picture]
 	\draw[orange,thick,rounded corners]
 		($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$);
 	\end{tikzpicture}
 	\begin{center}
 	\bf Principle of Subsidiarity is violated
 	\end{center}
 }
 \end{frame}
 
 
 \begin{frame}{Principle of Subsidiarity}
 \begin{center} \Large
 	Functions of government---such as granting and restricting
 	rights---should be performed\\
 	{\it at the lowest level of authority possible},\\
 	as long as they can be performed {\it adequately}.
 \end{center}
 \vfill
 \uncover<2->{
 	For age-restriction, the lowest level of authority is:\\
 	\begin{center}\Large
 	Parents, guardians and caretakers
 	\end{center}
 }
 \end{frame}
 
 
 \begin{frame}{Age restriction design for GNU Taler}
 Design and implementation of an age restriction scheme\\
 with the following goals:
 
 \begin{enumerate}
 \item It ties age restriction to the \textbf{ability to pay} (not to ID's)
 \item maintains \textbf{anonymity of buyers}
 \item maintains \textbf{unlinkability of transactions}
 \item aligns with \textbf{principle of subsidiartiy}
 \item is \textbf{practical and efficient}
 \end{enumerate}
 
 \end{frame}
 
 
 \begin{frame}{Age restriction}
 	\framesubtitle{Assumptions and scenario}
 
 	\begin{columns}
 		\column{7.5cm}
 	\begin{itemize}
 		\item<1-> Assumption: Checking accounts are under control of eligible adults/guardians.
 		\item<2-> \textit{Guardians} \textbf{commit} to an maximum age
 		\item<3-> \textit{Minors} \textbf{attest} their adequate age
 		\item<4-> \textit{Merchants} \textbf{verify} the attestations
 		\item<5-> Minors \textbf{derive} age commitments from existing ones
 		\item<6-> \textit{Exchanges} \textbf{compare} the derived age commitments
 	\end{itemize}
 		\column{5cm}
 		\uncover<7->
 		{
 		\begin{center}
 		\fontsize{7pt}{7pt}\selectfont
 	\begin{tikzpicture}[scale=.5]
 		\node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=15pt,fill=black!15] at (  0:0) (Client) {$\Child$};
 		\node[circle,minimum size=15pt,fill=black!15] at (  0:4) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=15pt,fill=blue!15]  at (140:3) (Guardian) {$\Guardian$};
 
 		\draw[->] (Guardian)   to [out=50,in=130, loop] node[above]
 			{$\Commit$} (Guardian);
 		\draw[->,blue] (Client)   to [out=-125,in=-190, loop] node[below,left]
 			{\blue{$\Attest$}} (Client);
 		\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
 			{\blue{$\Verify$}} (Merchant);
 		\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
 			{\orange{$\Derive$}} (Client);
 		\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
 			{\orange{$\Compare$}} (Exchange);
 
 		\draw[orange,|->] (Client)   to node[sloped,above,align=left]
 			{\orange{\scriptsize }} (Exchange);
 		\draw[blue,|->] (Client)   to node[sloped, above]
 			{\blue{\scriptsize }} (Merchant);
 		\draw[,|->] (Guardian) to node[above,sloped,align=left]
 			{{\scriptsize }} (Client);
 	\end{tikzpicture}
 		\end{center}
 		}
 	\end{columns}
 	\vfill
 	\uncover<7->{Note: Scheme is independent of payment service protocol.}
 \end{frame}
 
 
 \begin{frame}{Formal Function Signatures}
 \small 
 Searching for functions \uncover<2->{with the following signatures}
 \begin{align*}
 	&\bf \Commit\uncover<2->{:
 		&(\age, \omega) &\mapsto (\commitment, \pruf)
 		&\scriptstyle \N_\Age \times \Omega &\scriptstyle \to \Commitments\times\Proofs,
 		}
 	\\
 	&\bf \Attest\uncover<3->{:
 		&(\minage, \commitment, \pruf) &\mapsto \attest
 		&\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\},
 		}
 	\\
 	&\bf \Verify\uncover<4->{:
 		&(\minage, \commitment, \attest) &\mapsto b
 		&\scriptstyle \N_\Age\times\Commitments\times\Attests &\scriptstyle \to \Z_2,
 		}
 	\\
 	&\bf \Derive\uncover<5->{:
 		&(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf', \blinding)
 		&\scriptstyle \Commitments\times\Proofs\times\Omega &\scriptstyle \to \Commitments\times\Proofs\times\Blindings,
 		}
 	\\
 	&\bf \Compare\uncover<6->{:
 		&(\commitment, \commitment', \blinding) &\mapsto b
 		&\scriptstyle \Commitments\times\Commitments\times\Blindings &\scriptstyle \to \Z_2,
 		}
 \end{align*}
 	\uncover<7->{
 		with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$
 		sufficiently large sets.\\[1em]
 		Basic and security requirements are defined later.\\[2em]
 	}
 
 		\scriptsize
 	\uncover<2->{
 		Mnemonics:\\
 		$\Commitments=$ \textit{c$\Commitments$mmitments},
 		$\commitment=$ \textit{Q-mitment} (commitment),
 		$\Proofs=$ \textit{$\Proofs$roofs},
 	}
 	\uncover<3->{
 		$\pruf=$ \textit{$\pruf$roof},\\
 		$\Attests=$ \textit{a$\Attests$testations},
 		$\attest=$ \textit{a$\attest$testation},
 	}
 	\uncover<5->{
 		$\Blindings=$ \textit{$\Blindings$lindings},
 		$\blinding=$ \textit{$\blinding$linding}.
 	}
 \end{frame}
 
 \begin{frame}{Age restriction}
 	\framesubtitle{Naïve scheme}
 	\begin{center}
 	\begin{tikzpicture}[scale=.85]
 		\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=20pt,fill=black!15] at (  0:0) (Client) {$\Child$};
 		\node[circle,minimum size=20pt,fill=black!15] at (  0:4) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=20pt,fill=blue!15]  at (140:3) (Guardian) {$\Guardian$};
 
 		\draw[->] (Guardian)   to [out=50,in=130, loop] node[above]
 			{$\Commit$} (Guardian);
 		\draw[->,blue] (Client)   to [out=-125,in=-190, loop] node[below,left]
 			{\blue{$\Attest$}} (Client);
 		\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
 			{\blue{$\Verify$}} (Merchant);
 		\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
 			{\orange{$\Derive$}} (Client);
 		\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
 			{\orange{$\Compare$}} (Exchange);
 
 		\draw[orange,|->] (Client)   to node[sloped,above,align=left]
 			{\orange{\scriptsize }} (Exchange);
 		\draw[blue,|->] (Client)   to node[sloped, above]
 			{\blue{\scriptsize }} (Merchant);
 		\draw[,|->] (Guardian) to node[above,sloped,align=left]
 			{{\scriptsize }} (Client);
 	\end{tikzpicture}
 	\end{center}
 \end{frame}
 
 \begin{frame}{Achieving Unlinkability}
 	\begin{columns}
 		\column{3cm}
 		\begin{center}
 		\fontsize{8pt}{9pt}\selectfont
 		\begin{tikzpicture}[scale=.65]
 			\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
 			\node[circle,minimum size=20pt,fill=black!15] at (  0:0) (Client) {$\Child$};
 
 			\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
 				{\orange{$\footnotesize \Derive()$}} (Client);
 			\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
 				{\orange{$\footnotesize \Compare()$}} (Exchange);
 
 			\draw[orange,|->] (Client)   to node[sloped,above,align=left]
 				{\orange{\tiny \uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange);
 		\end{tikzpicture}
 		\end{center}
 
 		\column{9cm}
 	Simple use of $\Derive()$ and $\Compare()$ is problematic.
 
 	\begin{itemize}
 		\item<2-> Calling $\Derive()$ iteratively generates sequence 
 			$(\commitment_0, \commitment_1, \dots)$ of commitments.
 		\item<2-> Exchange calls $\Compare(\commitment_i, \commitment_{i+1}, .)$ 
 		\item[$\implies$]\uncover<3->{\bf Exchange identifies sequence}
 		\item[$\implies$]\uncover<3->{\bf Unlinkability broken}
 	\end{itemize}
 	\end{columns}
 \end{frame}
 
 \begin{frame}{Achieving Unlinkability}
 	Define cut\&choose protocol \orange{$\DeriveCompare$},
 	using $\Derive()$ and $\Compare()$.\\[0.5em]
 	\uncover<2->{
 	Sketch:
 	\small
 	\begin{enumerate}
 		\item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$ 
 			from $\commitment_0$ \\
 			by calling $\Derive()$ with blindings $(\beta_1,\dots,\beta_\kappa)$
 		\item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$
 		\item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$
 		\item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly
 		\item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$
 		\item $\Exchange$ compares $h_0$ and 
 			$H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\
 			and evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$.
 	\end{enumerate}
 	\vfill
 	Note: Scheme is similar to the {\it refresh} protocol in GNU Taler.
 	}
 \end{frame}
 
 \begin{frame}{Achieving Unlinkability}
 	With \orange{$\DeriveCompare$}
 	\begin{itemize}
 		\item $\Exchange$ learns nothing about $\commitment_\gamma$,
 		\item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty,
 		\item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat.
 	\end{itemize}
 	\vfill
 	Note: Still need Derive and Compare to be defined.
 \end{frame}
 
 \begin{frame}{Refined scheme}
 
 	\begin{tikzpicture}[scale=.8]
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:0) (Client)   {$\Child$};
 		\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:5) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=25pt,fill=blue!15]  at (130:3) (Guardian) {$\Guardian$};
 
 		\draw[orange,<->] (Client)   to node[sloped,below,align=center]
 			{\orange{$\DeriveCompare$}} (Exchange);
 		\draw[blue,->] (Client)   to node[sloped, below]
 			{\blue{$(\attest_\minage, \commitment)$}} (Merchant);
 
 		\draw[->] (Guardian)   to [out=150,in=70, loop] node[above]
 			{$\Commit(\age)$} (Guardian);
 		\draw[->] (Guardian)   to node[below,sloped]
 			{($\commitment$, $\pruf_\age$)} (Client);
 		\draw[->,blue] (Client)   to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
 		\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
 	\end{tikzpicture}
 \end{frame}
 
 % \begin{frame}{Achieving Unlinkability}
 % 	\scriptsize
 % 	$\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\
 % 	\vfill
 % 	$\DeriveCompare(\commitment, \pruf, \omega) =$
 % \begin{itemize}
 % \it
 % 	\itemsep0.5em
 % 	\item[$\Child$:]
 % 		\begin{enumerate}
 % 				\scriptsize
 % 			\itemsep0.3em
 % 			\item for all $i \in \{1,\dots,\kappa\}:
 % 				(\commitment_i,\pruf_i,\beta_i) \leftarrow \Derive(\commitment, \pruf, \omega + i)$
 % 			\item $h \leftarrow \Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa) \big)$
 % 			\item send $(\commitment, h)$ to $\Exchange$
 % 		\end{enumerate}
 % 	\item[$\Exchange$:]
 % 		\begin{enumerate}
 % 			\setcounter{enumi}{4}
 % 				\scriptsize
 % 			\itemsep0.3em
 % 			\item save $(\commitment, h)$ \label{st:hash}
 % 			\item $\gamma \drawfrom \{1,\dots ,\kappa\}$
 % 			\item send $\gamma$ to $\Child$
 % 		\end{enumerate}
 % 	\item[$\Child$:]
 % 		\begin{enumerate}
 % 			\setcounter{enumi}{7}
 % 
 % 				\scriptsize
 % 			\itemsep0.3em
 % 			\item $h'_\gamma \leftarrow \Hash(\commitment_\gamma, \beta_\gamma)$
 % 			\item $\mathbf{E}_\gamma \leftarrow \big[(\commitment_1,\beta_1),\dots,
 % 				(\commitment_{\gamma-1}, \beta_{\gamma-1}),
 % 				\Nil,
 % 				(\commitment_{\gamma+1}, \beta_{\gamma+1}),
 % 				\dots,(\commitment_\kappa, \beta_\kappa)\big]$
 % 			\item send $(\mathbf{E}_\gamma, h'_\gamma)$ to $\Exchange$
 % 		\end{enumerate}
 % 	\item[$\Exchange$:]
 % 		\begin{enumerate}
 % 			\setcounter{enumi}{10}
 % 				\scriptsize
 % 			\itemsep0.3em
 % 			\item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow \Hash(\mathbf{E}_\gamma[i])$
 % 			\item if $h \stackrel{?}{\neq} \HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$ return 0
 % 			\item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}$:
 % 				if $0 \stackrel{?}{=} \Compare(\commitment,\commitment_i, \beta_i)$ return $0$
 % 			\item return 1
 % 		\end{enumerate}
 % \end{itemize}
 % \end{frame}
 
 \begin{frame}{Basic Requirements}
 
 	Candidate functions 
 	\[ (\Commit, \Attest, \Verify, \Derive, \Compare) \]
 	must first meet \textit{basic} requirements:
 
 	\begin{itemize}
 		\item Existence of attestations
 		\item Efficacy of attestations
 		\item Derivability of commitments and attestations
 	\end{itemize}
 \end{frame}
 
 \begin{frame}{Basic Requirements}
 	\framesubtitle{Formal Details}
 
 	\begin{description}
 		\item[Existence of attestations]
 			{\scriptsize
 			\begin{align*}
 				\Forall_{\age\in\N_\Age \atop \omega \in \Omega}:
 				\Commit(\age, \omega) =: (\commitment, \pruf)
 				\implies 
 				\Attest(\minage, \commitment, \pruf) =
 				\begin{cases}
 					\attest \in \Attests, \text{ if } \minage \leq \age\\
 					\Nil \text{ otherwise}
 				\end{cases}
 			\end{align*}}
 		\item[Efficacy of attestations]
 			{\scriptsize
 			\begin{align*}
 				\Verify(\minage, \commitment, \attest) = \
 				\begin{cases}
 					1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\
 					0 \text{ otherwise}
 				\end{cases}
 			\end{align*}}
 
 			{\scriptsize
 			\begin{align*}
 				\forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1.
 			\end{align*}}
 		\item[etc.]
 	\end{description}
 \end{frame}
 
 %\begin{frame}{Requirements}
 %	\framesubtitle{Details}
 %
 %	\begin{description}
 %		\item[Derivability of commitments and proofs:]~\\[0.1em]
 %		{\scriptsize
 %		Let \begin{align*}
 %			\age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\
 %			(\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\
 %			(\commitment_1, \pruf_1, \blinding) & \leftarrow  \Derive(\commitment_0, \pruf_0, \omega_1).
 %		\end{align*}
 %		We require
 %		\begin{align*}
 %			\Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity}
 %		\end{align*}
 %		and for all $n\leq\age$:
 %		\begin{align*}
 %					\Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &%
 %					=
 %					\Verify(n, \commitment_0,  \Attest(n, \commitment_0,  \pruf_0))
 %		\end{align*}}
 %	\end{description}
 %\end{frame}
 
 \begin{frame}{Security Requirements}
 	Candidate functions must also meet \textit{security} requirements.
 	Those are defined via security games:
 	\begin{itemize}
 		\item Game: Age disclosure by commitment or attestation
 		\item[$\leftrightarrow$] Requirement: Non-disclosure of age
 			\vfill
 
 		\item Game: Forging attestation
 		\item[$\leftrightarrow$] Requirement: Unforgeability of
 			minimum age
 			\vfill
 
 		\item Game: Distinguishing derived commitments and attestations
 		\item[$\leftrightarrow$] Requirement: Unlinkability of
 			commitments and attestations
 
 	\end{itemize}
 	\vfill
 
 	Meeting the security requirements means that adversaries can win
 	those games only with negligible advantage.
 	\vfill
 	Adversaries are arbitrary polynomial-time algorithms, acting on all
 	relevant input.
 \end{frame}
 
 \begin{frame}{Security Requirements}
 	\framesubtitle{Simplified Example}
 
 	\begin{description}
 		\item[Game $\Game{FA}(\lambda)$---Forging an attest:]~\\
 	{\small
 	\begin{enumerate}
 		\item $ (\age, \omega)	\drawfrom	\N_{\Age-1}\times\Omega $
 		\item $ (\commitment, \pruf)	\leftarrow	\Commit(\age, \omega) $
 		\item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$
 		\item Return 0 if $\minage \leq \age$
 		\item Return $\Verify(\minage,\commitment,\attest)$
 	\end{enumerate}
 	}
 	\vfill
 	\item[Requirement: Unforgeability of minimum age]
 		{\small
 	\begin{equation*}
 		\Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}:
 		\Probability\Big[\Game{FA}(\lambda) = 1\Big] \le \negl(\lambda)
 	\end{equation*}
 	}
 	\end{description}
 \end{frame}
 
 
 \begin{frame}{Solution: Instantiation with ECDSA}
 %	\framesubtitle{Definition of Commit}
 
 	\begin{description}
 		\item[To Commit to age (group) $\age \in \{1,\dots,\Age\}$]~\\
 		\begin{enumerate}
 			\item<2-> Guardian generates ECDSA-keypairs, one per age (group):
 				\[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\]
 			\item<3-> Guardian then \textbf{drops} all private keys
 				$p_i$ for $i > \age$:
 				\[\Big \langle(q_1, p_1),\dots, 
 					(q_\age, p_\age), 
 					(q_{\age +1}, \red{\Nil}),\dots, 
 					(q_\Age, \red{\Nil})\Big\rangle\]
 
 				\begin{itemize}
 					\item $\Vcommitment := (q_1, \dots, q_\Age)$ is the \textit{Commitment},
 					\item $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$ is the \textit{Proof}
 				\end{itemize}
 				\vfill
 			\item<4-> Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$
 				\vfill
 		\end{enumerate}
 	\end{description}
 \end{frame}
 
 \begin{frame}{Instantiation with ECDSA}
 	\framesubtitle{Definitions of Attest and Verify}
 
 	Child has 
 	\begin{itemize}
 		\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $,
 		\item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
 	\end{itemize}
 	\begin{description}
 		\item<2->[To \blue{Attest} a minimum age $\blue{\minage} \leq \age$:]~\\
 			Sign a message with ECDSA using private key $p_\blue{\minage}$
 	\end{description}
 
 	\vfill
 
 	\uncover<3->{
 	Merchant gets 
 	\begin{itemize}
 		\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $
 		\item Signature $\sigma$
 	\end{itemize}
 	\begin{description}
 		\item<4->[To \blue{Verify} a minimum age $\minage$:]~\\
 			Verify the ECDSA-Signature $\sigma$ with public key $q_\minage$.
 	\end{description}
 	}
 	\vfill
 \end{frame}
 
 \begin{frame}{Instantiation with ECDSA}
 	\framesubtitle{Definitions of Derive and Compare}
 	Child has 
 	$\Vcommitment = (q_1, \dots, q_\Age) $ and 
 	$\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
 	\begin{description}
 		\item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:]
 			Choose random $\beta\in\Z_g$ and calculate
 			\small
 			\begin{align*}
 				\Vcommitment' &:= \big(\beta * q_1,\ldots,\beta * q_\Age\big),\\
 				\Vpruf' &:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big)
 			\end{align*}
 			Note: $ (\beta p_i)*G = \beta*(p_i*G)  = \beta*q_i$\\
 			\scriptsize $\beta*q_i$ is scalar multiplication on the elliptic curve.
 	\end{description}
 
 		\vfill
 	\uncover<3->{
 		Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$
 	\begin{description}
 		\item[To \blue{Compare}, calculate:]
 			\small
 		$(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)$
 	\end{description}
 	\vfill
 	}
 \end{frame}
 
 \begin{frame}{Instantiation with ECDSA}
 
 	Functions
 	(Commit, Attest, Verify, Derive, Compare)\\
 	as defined in the instantiation with ECDSA\\[0.5em]
 	\begin{itemize}
 		\item meet the basic requirements,\\[0.5em]
 		\item also meet all security requirements.\\
 		Proofs by security reduction, details are in the paper.
 	\end{itemize}
 
 \end{frame}
 
 
 % \begin{frame}{Instantiation with ECDSA}
 % 	\framesubtitle{Full definitions}
 % 	\scriptsize
 % 
 % \begin{align*}
 % 	\Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle
 % 		\overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\;
 % 		\overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf \text{, length }\Age}
 % 		\Big\rangle\\
 % 	\Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:=
 % 		\begin{cases}
 % 			\attest_\bage := \Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage] \stackrel{?}{\neq} \Nil\\
 % 			\Nil & \text{otherwise}
 % 		\end{cases}\\
 % %
 % 	\Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:= \Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\
 % %
 % 	\Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:=
 % 		\Big\langle(\beta * q_1,\ldots,\beta * q_\Age),
 % 		     (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta \Big\rangle \\
 % 		     & \text{ with } \beta := \FDHg{\omega} \text{ and multiplication } \beta p_i \text{ modulo } g \nonumber\\
 % %
 % 	\Compare_E(\Vcommitment, \Vcommitment', \beta)	&:=
 % 		\begin{cases}
 % 			1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\
 % 			0 & \text{otherwise}
 % 		\end{cases}
 % \end{align*}
 % \end{frame}
 
 
 \begin{frame}{Reminder: GNU Taler Fundamentals}
 	\begin{center}
 	\begin{tikzpicture}[scale=.55]
 		\node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$};
 		\node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$};
 		\node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$};
 
 		\draw[<->] (Customer)   to [out=65,in=220] node[sloped,above] {\sf withdraw} (Exchange);
 		\draw[<->] (Customer)   to [out=45,in=240] node[sloped,below] {\sf refresh} (Exchange);
 		\draw[<->] (Customer)   to node[sloped, below] {\sf purchase} (Merchant);
 		\draw[<->] (Merchant) to node[sloped, above] {\sf deposit} (Exchange);
 	\end{tikzpicture}
 	\end{center}
 
 	\vfill
 	\begin{itemize}
 		\item Coins are public-/private key-pairs $(C_p, c_s)$.
 		\item Exchange blindly signs $\FDH(C_p)$ with denomination key $d_p$
 		\item Verification:
 		\begin{eqnarray*}
 			1  &\stackrel{?}{=}&
 			\mathsf{SigCheck}\big(\FDH(C_p), D_p, \sigma_p\big)
 		\end{eqnarray*}
 		\scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature)
 
 	\end{itemize}
 \end{frame}
 
 \begin{frame}{Integration with GNU Taler}
 	\framesubtitle{Binding age restriction to coins}
 
 	To bind an age commitment $\commitment$ to a coin $C_p$, instead of
 	signing $\FDH(C_p)$, $\Exchange$ now blindly signs 
 	\begin{center}
 		$\FDH(C_p, \orange{H(\commitment)})$
 	\end{center}
 
 	\vfill
 	Verfication of a coin now requires $H(\commitment)$, too:
 	\begin{center}
 		$1  \stackrel{?}{=}
 		\mathsf{SigCheck}\big(\FDH(C_p, \orange{H(\commitment)}), D_p, \sigma_p\big)$
 	\end{center}
 	\vfill
 \end{frame}
 
 \begin{frame}{Integration with GNU Taler}
 	\framesubtitle{Integrated schemes}
 	\fontsize{8pt}{9pt}\selectfont
 	\begin{tikzpicture}[scale=.9]
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:0) (Client)   {$\Child$};
 		\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:5) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=25pt,fill=blue!15]  at (130:3) (Guardian) {$\Guardian$};
 
 		\draw[<->] (Guardian)   to  node[sloped,above,align=center]
 			{{\sf withdraw}\orange{, using}\\ $\FDH(C_p\orange{, H(\commitment)})$} (Exchange);
 		\draw[<->] (Client)   to node[sloped,below,align=center]
 			{{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange);
 		\draw[<->] (Client)   to node[sloped, below]
 			{{\sf purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant);
 		\draw[<->] (Merchant) to node[sloped, above]
 			{{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange);
 
 		\draw[->] (Guardian)   to [out=70,in=150, loop] node[above]
 			{$\Commit(\age)$} (Guardian);
 		\draw[->] (Guardian)   to node[below,sloped]
 			{($\commitment$, $\pruf_\age$)} (Client);
 		\draw[->,blue] (Client)   to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
 		\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
 	\end{tikzpicture}
 \end{frame}
 
 \begin{frame}{Instantiation with Edx25519}
 	Paper also formally defines another signature scheme: Edx25519.\\[1em]
 
 	\begin{itemize}
 		\item Scheme already in use in GNUnet,
 		\item based on EdDSA (Bernstein et al.),
 		\item generates compatible signatures and
 		\item allows for key derivation from both, private and public keys, independently.
 	\end{itemize}~\\[1em]
 
 	Current implementation of age restriction in GNU Taler uses Edx25519.
 \end{frame}
 
 
 \begin{frame}{Discussion}
 	\begin{itemize}
 		\item Our solution can in principle be used with any token-based payment scheme
 		\item GNU Taler best aligned with our design goals (security, privacy and efficiency)
 		\item Subsidiarity requires bank accounts being owned by adults
 			\begin{itemize}
 			\item Scheme can be adapted to case where minors have bank accounts
 				\begin{itemize}
 					\item Assumption: banks provide minimum age
 						information during bank
 						transactions.
 					\item Child and Exchange execute a variant of
 						the cut\&choose protocol.
 				\end{itemize}
 			\end{itemize}
 		\item Our scheme offers an alternative to identity management systems (IMS)
 	\end{itemize}
 \end{frame}
 \begin{frame}{Related Work}
 	\begin{itemize}
 		\item Current privacy-perserving systems all based on attribute-based credentials (Koning et al., Schanzenbach et al., Camenisch et al., Au et al.)
 		\item Attribute-based approach lacks support: 
 			\begin{itemize}
 				\item Complex for consumers and retailers
 				\item Requires trusted third authority
 			\end{itemize}
 		\vfill
 		\item Other approaches tie age-restriction to ability to pay ("debit cards for kids")
 			\begin{itemize}
 				\item Advantage: mandatory to payment process
 				\item Not privacy friendly
 			\end{itemize}
 	\end{itemize}
 \end{frame}
 
 \begin{frame}{Conclusion}
 	Age restriction is a technical, ethical and legal challenge.
 
 	Existing solutions are
 	\begin{itemize}
 		\item without strong protection of privacy or
 		\item based on identity management systems (IMS)
 	\end{itemize}
 	\vfill
 
 	Our scheme offers a solution that is
 	\begin{itemize}
 		\item based on subsidiarity
 		\item privacy preserving
 		\item efficient
 		\item an alternative to IMS
 	\end{itemize}
 \end{frame}
 
 
 \begin{frame}{Blockchain based cryptocurrencies}
     \begin{tikzpicture}[remember picture,overlay]
         \node (N1)[above right=5mm and 25mm of current page.center] {\includegraphics[width=34mm]{media/news1.png}};
         \node (N0)[below=-3mm of N1] {\includegraphics[width=34mm]{media/news0.png}};
         \node (N2)[below left=-26mm and -2.5mm of N1] {\includegraphics[width=34mm]{media/news2.png}};
     \end{tikzpicture}
     \begin{block}{Biggest cryptocurrencies}
         \begin{itemize}
             \item \textbf{BTC} Bitcoin
             \item \textbf{ETH} Ethereum
         \end{itemize}
     \end{block}
     \begin{block}{Common blockchain limitations}
         \begin{itemize}
             \item \textbf{Delay} block and confirmation delay
             \item \textbf{Cost} transaction fees
             \item \textbf{Scalability} limited amount of transaction per second
             \item \textbf{Ecological impact} computation redundancy
             \item \textbf{Privacy}
             \item \textbf{Regulatory risk}
         \end{itemize}
     \end{block}
 \end{frame}
 
 \begin{frame}{Taler}{Architecture}
     \begin{columns}
         \column{0.5\paperwidth}
         \begin{tikzpicture}[
                 rect/.style={circle, draw=black},
                 sym/.style={-stealth, shorten >= 2pt, shorten <= 2pt}
             ]
             % Taler payment system
             \node[rect](1) {Exchange};
             \node[rect,below left=1.5cm and 0.7cm of 1](2) {Customer};
             \node[rect,below right=1.5cm and 0.7cm of 1](3) {Merchant};
 
             \draw[sym] (1) -- node [midway, above, sloped] {\tiny Withdraw coins} (2);
             \draw[sym] (2) -- node [midway, above, sloped] {\tiny Spend coins} (3);
             \draw[sym] (3) -- node [midway, above, sloped] {\tiny Deposit coins} (1);
 
             % Settlement layer
             \node[left=2cm of 1](E1){};
             \node[right=2cm of 1](E2){};
             \draw[sym] (E1) -- node [midway, above] {\tiny Deposit money} (1);
             \draw[sym] (1) -- node [midway, above] {\tiny Withdraw money} (E2);
 
             % Auditor
             \node[above= of 1](A){Auditor};
             \draw[sym] (A) -- node [midway, right] {\tiny Verify} (1);
 
             % Separator
             \node[below=1mm of E1] (S1S) {};
             \node[below=1mm of E2] (S1E) {};
             \node[above=6mm of E1] (S2S) {};
             \node[above=6mm of E2] (S2E) {};
 
             \draw[dotted] (S1S) -- (S1E);
             \draw[dotted] (S2S) -- (S2E);
 
             \node[below right=-2mm and -1.5mm of S2S] {\tiny{\emph{Settlement Layer}}};
             \node[below right=-2mm and -1.5mm of S1S] {\tiny{\emph{Taler payment system}}};
         \end{tikzpicture}
         \column{0.47\paperwidth}
         \begin{block}{Settlement layer}
             \begin{itemize}
                 \item This work, Blockchain!
             \end{itemize}
         \end{block}
         \begin{block}{Taler payment system}
             \begin{itemize}
                 \item Realtime transactions, 1 RTT
                 \item Scalable microtransactions
                 \item Blind signatures (privacy)
             \end{itemize}
         \end{block}
 
     \end{columns}
 \end{frame}
 
 \begin{frame}{Taler}{Blockchain settlement layer}
     \begin{center}
         \begin{tikzpicture}[
                 rect/.style={rectangle, draw=black, minimum width=30mm},
                 sym/.style={stealth-stealth, shorten >= 2pt, shorten <= 2pt},
                 block/.style={rectangle,draw=black,fill=black!10,minimum size=7mm},
             ]
 
             %% Architecture
             \node(Tt){Taler};
             \node[rect,below=0cm of Tt](Tc){Exchange};
             \node[rect,fit={(Tt) (Tc)}](T){};
 
             \node[rect,below=7mm of Tc](D) {\textbf{Depolymerization}};
 
             \node[rect,below=7mm of D](Bc){Node};
             \node[below=0cm of Bc](Bt){Blockchain};
             \node[rect,fit={(Bt) (Bc)}](B){};
 
             \draw[sym] (T) -- (D);
             \draw[sym] (D) -- (B);
 
             %% Blockchain
             \node[block,right=8mm of B] (1){};
             \node[block,right=4mm of 1] (2){};
             \node[block,right=4mm of 2] (3){};
             \node[block,right=4mm of 3] (4){};
             \node[block,right=4mm of 4] (5){};
             \node[block,right=4mm of 5] (6){};
             \draw[-stealth] (1) -- (2);
             \draw[-stealth] (2) -- (3);
             \draw[-stealth] (3) -- (4);
             \draw[-stealth] (4) -- (5);
             \draw[-stealth] (5) -- (6);
 
             \node[left=4mm of 1] (S){};
             \node[right=4mm of 6] (E){};
             \draw[-stealth] (S) -- (1);
             \draw[-stealth] (6) -- (E);
 
             %% Taler
             \node[block, below right=-7.5mm and 20.5mm of T] (off){Off-chain transactions};
             \node[above=-0.5mm of off] {\includegraphics[height=7mm]{media/taler.png}};
 
             %% Depolymerization
             \node[right=11mm of D] {\small{Credit}};
             \node[right=50mm of D] {\small{Debit}};
             \draw[dashed,-stealth] (1.north) |- (off.west);
             \draw[dashed,-stealth] (off.east) -| (6.north);
         \end{tikzpicture}
     \end{center}
 \end{frame}
 
 \begin{frame}{Challenges}
     \begin{block}{Taler Metadata}
         \begin{itemize}
             \item Metadata are required to link a wallet to credits and
                   allow merchant to link deposits to debits
             \item Putting metadata in blockchain transactions can be tricky
         \end{itemize}
     \end{block}
     \begin{block}{Blockchain based cryptocurrencies}
         \begin{itemize}
             \item Blockchain transactions lack finality (fork)
             \item Transactions can be stuck for a long time (mempool)
         \end{itemize}
     \end{block}
 \end{frame}
 
 \begin{frame}{Blockchain challenges}{Chain reorganization}
     \begin{center}
         \begin{tikzpicture}[
                 block/.style={rectangle,draw=black,fill=black!10,minimum size=7mm},
                 ar/.style={-stealth}
             ]
             % Common
             \node[block](1){};
             \node[block,right=5mm of 1](2){$D_0$};
             \node[block,right=5mm of 2](3){};
             \draw[ar] (1) -- (2);
             \draw[ar] (2) -- (3);
 
             % Current
             \node [block,right=5mm of 3](4){};
             \node[block,right=5mm of 4](5){};
             \node[block,right=5mm of 5](6){$D_1$};
             \draw[ar] (3) -- (4);
             \draw[ar] (4) -- (5);
             \draw[ar] (5) -- (6);
 
             % Fork
             \node [block,above=7mm of 4](4p){};
             \node[block,right=5mm of 4p](5p){$D_2$};
             \node[block,right=5mm of 5p](6p){};
             \node[block,right=5mm of 6p](7p){};
             \draw[ar] (3.east) -- (4p.west);
             \draw[ar] (4p) -- (5p);
             \draw[ar] (5p) -- (6p);
             \draw[ar] (6p) -- (7p);
 
             % Indication
             \node [right=5mm of 7p]{\emph{fork}};
             \node [right=17mm of 6]{\emph{active}};
         \end{tikzpicture}
     \end{center}
     A fork is when concurrent blockchain states coexist. Nodes will follow
     the longest chain, replacing recent blocks if necessary during a
     blockchain reorganization. If a deposit transaction disappears from the
     blockchain, an irrevocable withdraw transactions would no longer be backed
     by credit.
 \end{frame}
 
 \begin{frame}{Blockchain challenges}{Stuck transactions}
     We want confirmed debits within a limited time frame.
     \begin{figure}
         \centering
         \only<1> {
             \begin{tikzpicture}[
                     dot/.style={circle,fill,inner sep=1pt,}
                 ]
                 \node (I) {\includegraphics[width=\textwidth]{media/fee.png}};
                 \node [below left=-2.5mm and -1.5cm of I] (Tx) {\small Tx};
                 \node [dot,above=8.4mm of Tx](D) {};
                 \draw [dotted,thick] (Tx) -- (D);
                 \node [left=-4.5cm of Tx] (C) {\small conf};
                 \node [dot,above=8.4mm of C](D1) {};
                 \draw [dotted,thick] (C) -- (D1);
             \end{tikzpicture}
         }
         \only<2> {
             \includegraphics[width=\textwidth]{media/fee_var.png}
             \caption{Bitcoin average transaction fee over 6 months {\tiny (ychart)}}
         }
     \end{figure}
     \only<1>{When we trigger a debit with a fee too small, it may not be
         confirmed in a timely fashion.}
     \only<2>{However, transaction fees are unpredictable.}
 \end{frame}
 
 
 \begin{frame}{Depolymerization}{Architecture}
     \begin{center}
         \begin{tikzpicture}[
                 rect/.style={rectangle, draw=black, minimum height=6mm, minimum width=28mm},
                 sym/.style={stealth-stealth, shorten >= 2pt, shorten <= 2pt}
             ]
             \node[rect](1) {Taler Exchange};
             \node[rect,below=of 1](2) {Wire Gateway};
             \node[rect,right=of 2](3) {PostgreSQL};
             \node[rect,right=of 3](4) {DLT Adapter};
             \node[rect,above=of 4](5) {DLT Full Node};
 
             \draw[sym] (1) -- node [midway,right] {\tiny HTTP} (2);
             \draw[sym] (2) -- node [midway,above] {\tiny SQL} (3);
             \draw[sym] (3) -- node [midway,above] {\tiny SQL} (4);
             \draw[sym] (4) -- node [midway,left ] {\tiny RPC} (5);
 
 
             \node[above= 2mm of 1]{\small{\emph{Wire Gateway API}}};
             \node[above= 2mm of 5]{\small{\emph{DLT specific}}};
             \node[above=22mm of 3](T) {};
             \draw[dotted] (3) -- (T);
         \end{tikzpicture}
     \end{center}
     \begin{itemize}
         \item Common database to store transactions state and communicate
               with notifications
         \item Wire Gateway for Taler API compatibility
         \item DLT specific adapter
     \end{itemize}
 \end{frame}
 
 \begin{frame}{Storing metadata}{Bitcoin}
     \begin{block}{Bitcoin - Credit}
         \begin{itemize}
             \item Transactions from code
             \item Only 32B + URI
             \item \textbf{OP\_RETURN}
         \end{itemize}
     \end{block}
     \begin{block}{Bitcoin - Debit}
         \begin{itemize}
             \item Transactions from common wallet software
             \item Only 32B
             \item \textbf{Fake Segwit Addresses}
         \end{itemize}
     \end{block}
 \end{frame}
 \begin{frame}{Storing metadata}{Ethereum}
     \begin{block}{Smart contract ?}
         \begin{itemize}
             \item Logs in smart contract is the recommend way {\tiny (ethereum.org)}
             \item Expensive (additional storage and execution fees)
             \item Avoidable attack surface (error prone)
         \end{itemize}
     \end{block}
     \begin{block}{Custom input format}
         Use input data in transactions, usually used to call smart contract, to
         store our metadata.
     \end{block}
 \end{frame}
 
 \begin{frame}{Handling blockchain reorganization}
     \begin{center}
         \begin{tikzpicture}[
                 block/.style={rectangle,draw=black,fill=black!10,minimum size=7mm},
                 conf/.style={draw=black!60!green,fill=black!60!green!10},
                 nconf/.style={dotted},
                 err/.style={draw=black!60!red,fill=black!60!red!10},
                 ar/.style={-stealth}
             ]
             % Common
             \node[block,conf](1){};
             \node[block,conf,right=5mm of 1](2){$D_0$};
             \node[block,conf,right=5mm of 2](3){};
             \draw[ar] (1) -- (2);
             \draw[ar] (2) -- (3);
 
             % Current
             \only<1>{
                 \node [block,nconf,right=5mm of 3](4){};
             }
             \only<2->{
                 \node [block,conf,right=5mm of 3](4){\only<3>{$D_3$}};
             }
             \node[block,nconf,right=5mm of 4](5){};
             \node[block,nconf,right=5mm of 5](6){$D_1$};
             \draw[ar] (3) -- (4);
             \draw[ar] (4) -- (5);
             \draw[ar] (5) -- (6);
 
             % Fork
             \only<-2>{
                 \node [block,nconf,above=7mm of 4](4p){};
             }
             \only<3>{
                 \node [block,dashed,err,above=7mm of 4](4p){$D_3'$};
             }
             \node[block,nconf,right=5mm of 4p](5p){$D_2$};
             \node[block,nconf,right=5mm of 5p](6p){};
             \node[block,nconf,right=5mm of 6p](7p){};
             \draw[ar] (3.east) -- (4p.west);
             \draw[ar] (4p) -- (5p);
             \draw[ar] (5p) -- (6p);
             \draw[ar] (6p) -- (7p);
 
             % Indication
             \node [right=5mm of 7p]{\emph{fork}};
             \node [right=17mm of 6]{\emph{active}};
         \end{tikzpicture}
     \end{center}
     \only<1>{As small reorganizations are common, Satoshi already recommended to
         apply a confirmation delay to handle most disturbances and attacks.}
     \only<2>{If a reorganization longer than the confirmation delay happens,
         but it did not remove credits, Depolymerizer is safe and automatically
         resumes.}
     \only<3>{If a fork removed a confirmed debit, an attacker may create a
         conflicting transaction. Depolymerizer suspends operation until lost
         credits reappear.}
 \end{frame}
 
 \begin{frame}{Adaptive confirmation}
     \begin{center}
         \begin{tikzpicture}[
                 block/.style={rectangle,draw=black,fill=black!10,minimum size=7mm},
                 conf/.style={draw=black!60!green,fill=black!60!green!10},
                 nconf/.style={dotted},
                 conft/.style={text=black!60!green},
                 confl/.style={draw=black!60!green},
                 ar/.style={-stealth}
             ]
             % Common
             \node(0){};
             \node[block,conf,right=5mm of 0](1){};
             \node[block,conf,right=5mm of 1](2){};
             \draw[ar] (0) -- (1);
             \draw[ar] (1) -- (2);
 
             % Current
             \node[block,conf,right=5mm of 2](3){};
             \node[block,nconf,right=5mm of 3](4){};
             \node[block,nconf,right=5mm of 4](5){};
             \node[block,nconf,right=5mm of 5](6){};
             \draw[ar] (2) -- (3);
             \draw[ar] (3) -- (4);
             \draw[ar] (4) -- (5);
             \draw[ar] (5) -- (6);
 
             % Fork
             \node[block,nconf,above=7mm of 3](3p){};
             \node[block,nconf,right=5mm of 3p](4p){};
             \node[block,nconf,right=5mm of 4p](5p){};
             \node[block,nconf,right=5mm of 5p](6p){};
             \node[block,nconf,right=5mm of 6p](7p){};
             \draw[ar] (2.east) -- (3p.west);
             \draw[ar] (3p) -- (4p);
             \draw[ar] (4p) -- (5p);
             \draw[ar] (5p) -- (6p);
             \draw[ar] (6p) -- (7p);
 
             % Indication
             \node[right=5mm of 7p]{\emph{fork}};
             \node[right=17mm of 6]{\emph{active}};
 
             % Confirmation
             \path (0) -- (1) node[conft,midway, below=6mm] (M) {Max};
             \path (2) -- (3) node[conft,midway, below=6mm] (N) {New};
             \path (3) -- (4) node[conft,midway, below=6mm] (I) {Initial};
             \node[above=25mm of M] (Mp) {};
             \node[above=25mm of N] (Np) {};
             \node[above=25mm of I] (Ip) {};
             \draw[confl,thick,dotted](M) -- (Mp);
             \draw[confl](N) -- (Np);
             \draw[confl,thick,dotted](I) -- (Ip);
         \end{tikzpicture}
     \end{center}
     If we experience a reorganization once, its dangerously likely for another
     one of a similar scope to happen again. Depolymerizer learns from reorganizations
     by increasing its confirmation delay.
 \end{frame}
 
 
 
 \begin{frame}{DLT Adapter}{Architecture}
     \begin{block}{Event system}
         \begin{itemize}
             \item \textbf{Watcher} watch and notify for new blocks with credits
             \item \textbf{Wire Gateway} notify requested debits
             \item \textbf{Worker} operates on notifications updating state
         \end{itemize}
     \end{block}
 \end{frame}
 
 
 \begin{frame}{DLT Adapter state machine}
     \begin{columns}
         \column{0.5\paperwidth}
         \begin{figure}
             \begin{tikzpicture}[
                     rect/.style={rectangle, draw=black, minimum height=6mm, minimum width=50mm},
                 ]
 
                 \node[rect](wo1) {Wait for notifications};
                 \node[rect, below=4mm of wo1](wo2) {Reconcile local DB with DLT};
                 \node[rect, below=4mm of wo2](wo3) {Trigger debits};
                 \node[rect, below=4mm of wo3](wo4) {Reissue stuck debits};
                 \node[rect, below=4mm of wo4](wo5) {Bounce malformed credits};
                 \draw[-stealth] (wo1) -- (wo2);
                 \draw[-stealth] (wo2) -- (wo3);
                 \draw[-stealth] (wo3) -- (wo4);
                 \draw[-stealth] (wo4) -- (wo5);
                 \draw[-stealth] (wo5) .. controls ([xshift=-0.4cm] wo5.west) and ([xshift=-0.4cm] wo1.west) .. (wo1);
             \end{tikzpicture}
             \caption{Worker loop}
         \end{figure}
         \column{0.47\paperwidth}
         \begin{block}{DLT reconcialisation}
             \begin{itemize}
                 \item List new and removed transactions since last reconciliation
                 \item Check for confirmed credits removal
                 \item Register new credits
                 \item Recover lost debits
             \end{itemize}
         \end{block}
     \end{columns}
 \end{frame}
 
 \begin{frame}{Related work}
     \begin{block}{Centralization - Coinbase off-chain sending}
         \begin{itemize}
             \item [$+$] Fast and cheap: off chain transaction
             \item [$-$] Trust in Coinbase: privacy, security \& transparency
         \end{itemize}
     \end{block}
     \begin{block}{Layering - Lightning Network}
         \begin{itemize}
             \item [$+$] Fast and cheap: off-chain transactions
             \item [$-$] Requires setting up bidirectional payment channels
             \item [$-$] Fraud attempts are mitigated via a complex penalty system
         \end{itemize}
     \end{block}
 \end{frame}
 
 \begin{frame}{Conclusion}
     Blockchains can be used as a settlement layer for GNU Taler
     with Depolymerizer.
 
     \begin{itemize}
         \item [$-$] Trust exchange operator or auditors
         \item [$+$] Fast and cheap
         \item [$+$] Realtime, ms latency
         \item [$+$] Linear scalability
         \item [$+$] Ecological
         \item [$+$] Privacy when it can, transparency when it must (avoid tax evasion and money laundering)
     \end{itemize}
 Future work:
     \begin{itemize}
         \item  Universal auditability, using sharded transactions history
         \item  Smarter analysis, update confirmation delay based on currency network behavior
         \item  Multisig by multiple operator for transactions validation
     \end{itemize}
 \end{frame}
 
 
 \section{Conclusion}
 
 
 \begin{frame}{Taler: Project Status}
 \framesubtitle{\url{https://docs.taler.net/}}
 \begin{itemize}
     \item Cryptographic protocols and core exchange component are stable
     \item Current focus: Merchant integration, settlement integration, wallet backup
     \item Pilot project at Bern University of Applied Sciences cafeteria
     \item Internal alpha deployment with a commercial bank in progress
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Competitor comparison}
   \begin{center} \small
     \begin{tabular}{l||c|c|c|c|c}
                 & Cash & Bitcoin & Zerocoin & Creditcard & GNU Taler \\ \hline \hline
    Online      &$-$$-$$-$  &   ++    &    ++    &     +      &   +++  \\ \hline
     Offline     & +++  &   $-$$-$    &    $-$$-$    &     +      &   $-$$-$  \\ \hline
     Trans. cost & +    & $-$$-$$-$   & $-$$-$$-$  &     $-$      &   ++  \\ \hline
     Speed       & +    & $-$$-$$-$   & $-$$-$$-$  &     o      &   ++  \\ \hline
     Taxation    & $-$    &   $-$$-$    &  $-$$-$$-$   &    +++     &  +++  \\ \hline
     Payer-anon  &  ++  &   o     &    ++    &  $-$$-$$-$   &  +++  \\ \hline
     Payee-anon  & ++   &   o     &    ++    &  $-$$-$$-$    &  $-$$-$$-$ \\ \hline
     Security    &  $-$   &   o     &    o     &    $-$$-$      &  ++   \\ \hline
     Conversion  & +++  &  $-$$-$$-$   & $-$$-$$-$ &    +++     &  +++  \\ \hline
     Libre       &  $-$   &  +++    &    +++   & $-$ $-$ $-$      &  +++  \\
   \end{tabular}
   \end{center}
 \end{frame}
 
 
 \begin{frame}{How to support?}
   \begin{description}
     \item[Join:] {\small \url{https://lists.gnu.org/mailman/listinfo/taler}}, \\
                  \url{https://libera.chat/\#taler}
     \item[Develop:] \url{https://bugs.taler.net/}, \url{https://git.taler.net/}
     \item[Translate:] \url{https://weblate.taler.net/}, \url{translation-volunteer@taler.net}
     \item[Integrate:] \url{https://docs.taler.net/}
     \item[Donate:] \url{https://gnunet.org/ev}
     \item[Invest:] \url{https://taler-systems.com/}
   \end{description}
 \end{frame}
 
 
 \begin{frame}{Conclusion}
   \begin{center}
     {\bf  What can we do?}
    \end{center}
   \vfill
 \begin{itemize}
  \item{Suffer mass-surveillance enabled by credit card oligopolies with high fees, and}
  \item{Engage in arms race with deliberately unregulatable blockchains}
 % \item{Enjoy the ``benefits'' of cash \\
 %  \hfill  \includegraphics[height=0.3\textheight]{atm-rupee.jpg} \hfill}
 \end{itemize}
 \vfill
 \begin{center}
   {\bf OR}
 \end{center}
 \vfill
 \begin{itemize}
  \item{Establish free software alternative balancing social goals!}
 \end{itemize}
 \vfill
 \end{frame}
 
 
 \begin{frame}
 \frametitle{Do you have any questions?}
 \vfill
 References:
 {\tiny
   \begin{enumerate}
  \item{David Chaum, Christian Grothoff and Thomas Moser.
        {\em How to issue a central bank digital currency}.
        {\bf SNB Working Papers, 2021}.}
  \item{Christian Grothoff, Bart Polot and Carlo von Loesch.
        {\em The Internet is broken: Idealistic Ideas for Building a GNU Network}.
        {\bf W3C/IAB Workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT)}, 2014.}
  \item{Jeffrey Burdges, Florian Dold, Christian Grothoff and Marcello Stanisci.
        {\em Enabling Secure Web Payments with GNU Taler}.
        {\bf SPACE 2016}.}
  \item{Florian Dold, Sree Harsha Totakura, Benedikt M\"uller, Jeffrey Burdges and Christian Grothoff.
        {\em Taler: Taxable Anonymous Libre Electronic Reserves}.
        Available upon request. 2016.}
  \item{Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer and Madars Virza.
        {\em Zerocash: Decentralized Anonymous Payments from Bitcoin}.
        {\bf IEEE Symposium on Security \& Privacy, 2016}.}
  \item{David Chaum, Amos Fiat and Moni Naor.
        {\em Untraceable electronic cash}.
        {\bf Proceedings on Advances in Cryptology, 1990}.}
   \item{Phillip Rogaway.
        {\em The Moral Character of Cryptographic Work}.
        {\bf Asiacrypt}, 2015.} \label{bib:rogaway}
 \end{enumerate}
 }
 \begin{center}
   {\bf Let money facilitate trade; but ensure capital serves society.}
 \end{center}
 \end{frame}
 
 
 
 
 \end{document}
 
 
 
 
 \begin{frame}{Taler {\tt /withdraw/sign}}
 % Customer withdrawing coins with blind signatures
 % \bigskip
   \begin{figure}[th]
     \begin{minipage}[b]{0.45\linewidth}
       \begin{center}
         \begin{tikzpicture}[scale = 0.4,
             transform shape,
             msglabel/.style    = { text = Black, yshift = .3cm,
                                    sloped, midway },
             okmsg/.style       = { ->, color = MidnightBlue, thick,
                                    >=stealth },
             rstmsg/.style      = { ->, color = BrickRed, thick,
                                    >=stealth }
           ]
           \node[draw = MidnightBlue,
             fill = CornflowerBlue,
             minimum width = .3cm,
             minimum height = 10cm
           ] (h1) at (-4, 0) {};
           \node[draw = MidnightBlue,
             fill = CornflowerBlue,
             minimum width = .3cm,
             minimum height = 10cm
           ] (h2) at (4, 0) {};
           \node[above = 0cm of h1] {Wallet};
           \node[above = 0cm of h2] {Exchange};
 
           \path[->, color = MidnightBlue, very thick, >=stealth]
             (-5, 4.5) edge
             node[rotate=90, text = Black, yshift = .3cm] {Time}
             (-5, -4.5);
           \path[okmsg, dashed]
              ($(h1.east)+(0, 4.0)+(0, -1.0)$) edge
              node[msglabel] {SEPA(RK,A)}
              ($(h2.west)+(0, 3.5)+(0, -1.0)$);
           \path[okmsg]
             ($(h1.east)+(0, -1.0)$) edge
             node[msglabel] {POST {\tt /withdraw/sign} $S_{RK}(DK, B_b(C))$}
             ($(h2.west)+(0, -1.5)$);
           \path[okmsg]
             ($(h2.west)+(0, -2.0)$) edge
             node[msglabel] {200 OK: $S_{DK}(B_b(C))$)}
             ($(h1.east)+(0, -2.5)$);
           \path[rstmsg]
             ($(h2.west)+(0, -3.5)$) edge
             node[msglabel] {402 PAYMENT REQUIRED: $S_{RK}(DK, B_b(C))$)}
             ($(h1.east)+(0, -4)$);
           \node at (5.3, 0) {};
         \end{tikzpicture}
       \end{center}
       Result: $\langle c, S_{DK}(C) \rangle$.
     \end{minipage}
     \hspace{0.5cm}
     \begin{minipage}[b]{0.45\linewidth}
       \tiny
       \begin{description}
       \item[$A$] Some amount, $A \ge A_{DK}$
       \item[$RK$] Reserve key
       \item[$DK$] Denomination key
       \item[$b$] Blinding factor
       \item[$B_b()$] RSA-FDH blinding % DK supressed
       \item[$C$] Coin public key $C := cG$
       \item[$S_{RK}()$] EdDSA signature
       \item[$S_{DK}()$] RSA-FDH signature
       \end{description}
     \end{minipage}
   \end{figure}
 \end{frame}
 
 
 \begin{frame}[t]{Taler {\tt /deposit}}
 Merchant and exchange see only the public coin $\langle C, S_{DK}(C) \rangle$.
 \bigskip
   \begin{figure}[th]
     \begin{minipage}[b]{0.45\linewidth}
       \begin{center}
         \begin{tikzpicture}[scale = 0.4,
             transform shape,
             msglabel/.style    = { text = Black, yshift = .3cm,
                                    sloped, midway },
             okmsg/.style       = { ->, color = MidnightBlue, thick,
                                    >=stealth },
             rstmsg/.style      = { ->, color = BrickRed, thick,
                                    >=stealth }
           ]
           \node[draw = MidnightBlue,
             fill = CornflowerBlue,
             minimum width = .3cm,
             minimum height = 10cm
           ] (h1) at (-4, 0) {};
           \node[draw = MidnightBlue,
             fill = CornflowerBlue,
             minimum width = .3cm,
             minimum height = 10cm
           ] (h2) at (4, 0) {};
           \node[above = 0cm of h1] {Merchant};
           \node[above = 0cm of h2] {Exchange};
 
           \path[->, color = MidnightBlue, very thick, >=stealth]
             (-5, 4.5) edge
             node[rotate=90, text = Black, yshift = .3cm] {Time}
             (-5, -4.5);
           \path[->, color = MidnightBlue, thick, >=stealth]
             ($(h1.east)+(0,3)$) edge
             node[text = Black, yshift = .3cm, sloped] {POST {\tt /deposit} $S_{DK}(C), S_{c}(D)$}
             ($(h2.west)+(0,2)$);
           \path[->, color = MidnightBlue, thick, >=stealth]
             ($(h2.west)+(0,0.5)$) edge
             node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(S_{c}(D))$}
             ($(h1.east)+(0,-0.5)$);
           \path[rstmsg]
             ($(h2.west)+(0, -2.5)$) edge
             node[msglabel] {409 CONFLICT: $S_{c}(D')$}
             ($(h1.east)+(0, -3.5)$);
           \node at (5.3, 0) {};
         \end{tikzpicture}
       \end{center}
     \end{minipage}
     \hspace{0.5cm}
     \begin{minipage}[b]{0.45\linewidth}
       \tiny
       \begin{description}
       \item[$DK$] Denomination key
       \item[$S_{DK}()$] RSA-FDH signature using $DK$
       \item[$c$] Private coin key, $C := cG$.
       \item[$S_{C}()$] EdDSA signature using $c$
       \item[$D$] Deposit details
       \item[$SK$] Exchange's signing key
       \item[$S_{SK}()$] EdDSA signature using $SK$
       \item[$D'$] Conficting deposit details $D' \not= D$
       \end{description}
     \end{minipage}
   \end{figure}
 \end{frame}
 
 
 \begin{frame}{Taler {\tt /refresh/melt}}
   \begin{figure}[th]
     \begin{minipage}[b]{0.45\linewidth}
       \begin{center}
 	\begin{tikzpicture}[scale = 0.4,
             transform shape,
             msglabel/.style    = { text = Black, yshift = .3cm,
                                    sloped, midway },
             okmsg/.style       = { ->, color = MidnightBlue, thick,
                                    >=stealth },
             rstmsg/.style      = { ->, color = BrickRed, thick,
                                    >=stealth }
 	  ]
 	  \node[draw = MidnightBlue,
 	    fill = CornflowerBlue,
 	    minimum width = .3cm,
 	    minimum height = 10cm
 	  ] (h1) at (-4, 0) {};
 	  \node[draw = MidnightBlue,
 	    fill = CornflowerBlue,
 	    minimum width = .3cm,
 	    minimum height = 10cm
 	  ] (h2) at (4, 0) {};
 	  \node[above = 0cm of h1] {Customer};
 	  \node[above = 0cm of h2] {Exchange};
 
 	  \path[->, color = MidnightBlue, very thick, >=stealth]
 	    (-5, 4.5) edge
 	    node[rotate=90, text = Black, yshift = .3cm] {Time}
 	    (-5, -4.5);
 	  \path[->, color = MidnightBlue, thick, >=stealth]
 	    ($(h1.east)+(0,3)$) edge
 	    node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/melt} $S_{DK}(C), S_c({\cal DK}, {\cal T},{\cal B})$}
 	    ($(h2.west)+(0,2)$);
 	  \path[->, color = MidnightBlue, thick, >=stealth]
 	    ($(h2.west)+(0,0.5)$) edge
 	    node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(H({\cal T}, {\cal B}),\gamma)$}
 	    ($(h1.east)+(0,-0.5)$);
 	  \path[rstmsg]
 	    ($(h2.west)+(0, -2.5)$) edge
 	    node[msglabel] {409 CONFLICT: $S_{C}(X), \ldots$}
 	    ($(h1.east)+(0, -3.5)$);
 	  \node at (5.3, 0) {};
 	\end{tikzpicture}
       \end{center}
     \end{minipage}
     \hspace{0.5cm}
     \begin{minipage}[b]{0.45\linewidth}
       \tiny
       \begin{description}
       \item[$\kappa$] System-wide security parameter, usually 3.
       \\ \smallskip
       \item[$\cal DK$] $:= [DK^{(i)}]_i$ \\ List of denomination keys \\
       $D + \sum_i A_{DK^{(i)}} < A_{DK}$
       \item[$t_j$] Random scalar for $j<\kappa$
       \item[${\cal T}$] $:= [T_j]_\kappa$ where $T_j = t_j G$
       \item[$k_j$] $:= c T_j = t_j C$ is an ECDHE
       \item[$b_j^{(i)}$] $:= KDF_b(k_j,i)$ % blinding factor
       \item[$c_j^{(i)}$] $:= KDF_c(k_j,i)$ % coin secret keys
       \item[$C_j^{(i)}$] $: = c_j^{(i)} G$ % new coin publics % keys
       \item[${\cal B}$] $:= [H( \beta_j )]_\kappa$ where \\
          $\beta_j := \left[ B_{b_j^{(i)}}(C_j^{(i)}) \right]_i$
       \\ \smallskip
       \item[$\gamma$] Random value in $[0,\kappa)$
 %      \\ \smallskip
 %      \item[$X$] Deposit or refresh
       \end{description}
     \end{minipage}
   \end{figure}
 \end{frame}
 
 
 \begin{frame}{Taler {\tt /refresh/reveal}}
   \begin{figure}[th]
     \begin{minipage}[b]{0.45\linewidth}
       \begin{center}
 	\begin{tikzpicture}[scale = 0.4,
             transform shape,
             msglabel/.style    = { text = Black, yshift = .3cm,
                                    sloped, midway },
             okmsg/.style       = { ->, color = MidnightBlue, thick,
                                    >=stealth },
             rstmsg/.style      = { ->, color = BrickRed, thick,
                                    >=stealth }
 	  ]
 	  \node[draw = MidnightBlue,
 	    fill = CornflowerBlue,
 	    minimum width = .3cm,
 	    minimum height = 10cm
 	  ] (h1) at (-4, 0) {};
 	  \node[draw = MidnightBlue,
 	    fill = CornflowerBlue,
 	    minimum width = .3cm,
 	    minimum height = 10cm
 	  ] (h2) at (4, 0) {};
 	  \node[above = 0cm of h1] {Customer};
 	  \node[above = 0cm of h2] {Exchange};
 
 	  \path[->, color = MidnightBlue, very thick, >=stealth]
 	    (-5, 4.5) edge
 	    node[rotate=90, text = Black, yshift = .3cm] {Time}
 	    (-5, -4.5);
 	  \path[->, color = MidnightBlue, thick, >=stealth]
 	    ($(h1.east)+(0,3)$) edge
 	    node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/reveal} $H({\cal T}, {\cal B}), {\tilde{\cal T}}, \beta_\gamma$}
 	    ($(h2.west)+(0,2)$);
 	  \path[->, color = MidnightBlue, thick, >=stealth]
 	    ($(h2.west)+(0,0.5)$) edge
 	    node[text = Black, yshift = .3cm, sloped] {200 OK: $\cal S$}
 	    ($(h1.east)+(0,-0.5)$);
 	  \path[rstmsg]
 	    ($(h2.west)+(0, -2.5)$) edge
 	    node[msglabel] {400 BAD REQUEST: $Z$}
 	    ($(h1.east)+(0, -3.5)$);
 	  \node at (5.3, 0) {};
 	\end{tikzpicture}
       \end{center}
     \end{minipage}
     \hspace{0.5cm}
     \begin{minipage}[b]{0.45\linewidth}
       \tiny
       \begin{description}
       \item[$\cal DK$] $:= [DK^{(i)}]_i$
       \item[$t_j$] .. \\ \smallskip
 
       \item[$\tilde{\cal T}$] $:= [t_j | j \in \kappa, j \neq \gamma]$ \\ \smallskip
 
       \item[$k_\gamma$] $:= c T_\gamma = t_\gamma C$
       \item[$b_\gamma^{(i)}$] $:= KDF_b(k_\gamma,i)$
       \item[$c_\gamma^{(i)}$] $:= KDF_c(k_\gamma,i)$
       \item[$C_\gamma^{(i)}$] $: = c_\gamma^{(i)} G$
 
       \item[$B_\gamma^{(i)}$] $:= B_{b_\gamma^{(i)}}(C_\gamma^{(i)})$
       \item[$\beta_\gamma$] $:= \big[ B_\gamma^{(i)} \big]_i$
       \item[$\cal S$] $:= \left[ S_{DK^{(i)}}( B_\gamma^{(i)} ) \right]_i$ \\ \smallskip
 
       \item[$Z$] Cut-and-choose missmatch information
       \end{description}
     \end{minipage}
   \end{figure}
 \end{frame}
 
 
 \begin{frame}{Taler {\tt /refresh/link}}
   \begin{figure}[th]
     \begin{minipage}[b]{0.45\linewidth}
       \begin{center}
 	\begin{tikzpicture}[scale = 0.4,
             transform shape,
             msglabel/.style    = { text = Black, yshift = .3cm,
                                    sloped, midway },
             okmsg/.style       = { ->, color = MidnightBlue, thick,
                                    >=stealth },
             rstmsg/.style      = { ->, color = BrickRed, thick,
                                    >=stealth }
 	  ]
 	  \node[draw = MidnightBlue,
 	    fill = CornflowerBlue,
 	    minimum width = .3cm,
 	    minimum height = 10cm
 	  ] (h1) at (-4, 0) {};
 	  \node[draw = MidnightBlue,
 	    fill = CornflowerBlue,
 	    minimum width = .3cm,
 	    minimum height = 10cm
 	  ] (h2) at (4, 0) {};
 	  \node[above = 0cm of h1] {Customer};
 	  \node[above = 0cm of h2] {Exchagne};
 
 	  \path[->, color = MidnightBlue, very thick, >=stealth]
 	    (-5, 4.5) edge
 	    node[rotate=90, text = Black, yshift = .3cm] {Time}
 	    (-5, -4.5);
 	  \path[->, color = MidnightBlue, thick, >=stealth]
 	    ($(h1.east)+(0,3)$) edge
 	    node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/link} $C$}
 	    ($(h2.west)+(0,2)$);
 	  \path[->, color = MidnightBlue, thick, >=stealth]
 	    ($(h2.west)+(0,0.5)$) edge
 	    node[text = Black, yshift = .3cm, sloped] {200 OK: $T_\gamma$}
 	    ($(h1.east)+(0,-0.5)$);
 	  \path[rstmsg]
 	    ($(h2.west)+(0, -2.5)$) edge
 	    node[msglabel] {404 NOT FOUND}
 	    ($(h1.east)+(0, -3.5)$);
 	  \node at (5.3, 0) {};
 	\end{tikzpicture}
       \end{center}
     \end{minipage}
     \hspace{0.5cm}
     \begin{minipage}[b]{0.45\linewidth}
       \tiny
       \begin{description}
       \item[$C$] Old coind public key \\ \smallskip
       \item[$T_\gamma$] Linkage data $\cal L$ at $\gamma$
       \end{description}
     \end{minipage}
   \end{figure}
 \end{frame}
 
 
 \begin{frame}{Operational security}
   \begin{center}
     \resizebox{\textwidth}{!}{
 \begin{tikzpicture}[
   font=\sffamily,
   every matrix/.style={ampersand replacement=\&,column sep=2cm,row sep=2cm},
   source/.style={draw,thick,rounded corners,fill=green!20,inner sep=.3cm},
   process/.style={draw,thick,circle,fill=blue!20},
   sink/.style={source,fill=green!20},
   datastore/.style={draw,very thick,shape=datastore,inner sep=.3cm},
   dots/.style={gray,scale=2},
   to/.style={->,>=stealth',shorten >=1pt,semithick,font=\sffamily\footnotesize},
   every node/.style={align=center}]
 
   % Position the nodes using a matrix layout
   \matrix{
     \node[source] (wallet) {Wallet};
       \& \node[process] (browser) {Browser};
       \& \node[process] (shop) {Web shop};
       \& \node[sink] (backend) {Taler backend}; \\
   };
 
   % Draw the arrows between the nodes and label them.
   \draw[to] (browser) to[bend right=50] node[midway,above] {(4) signed contract}
       node[midway,below] {(signal)} (wallet);
   \draw[to] (wallet) to[bend right=50] node[midway,above] {(signal)}
       node[midway,below] {(5) signed coins} (browser);
   \draw[<->] (browser) -- node[midway,above] {(3,6) custom}
       node[midway,below] {(HTTPS)} (shop);
   \draw[to] (shop) to[bend right=50] node[midway,above] {(HTTPS)}
       node[midway,below] {(1) proposed contract / (7) signed coins} (backend);
   \draw[to] (backend) to[bend right=50] node[midway,above] {(2) signed contract / (8) confirmation}
       node[midway,below] {(HTTPS)} (shop);
 \end{tikzpicture}
 }
 \end{center}
 \end{frame}