marketing

2023-sbb.tex (111379B)

---

 \pdfminorversion=3
 \documentclass[fleqn,xcolor={usenames,dvipsnames},handout
 ]{beamer}
 \usepackage{amsmath}
 \usepackage{multimedia}
 \usepackage[utf8]{inputenc}
 \usepackage{framed,color,ragged2e}
 \usepackage[absolute,overlay]{textpos}
 \definecolor{shadecolor}{rgb}{0.8,0.8,0.8}
 \usetheme{boxes}
 \setbeamertemplate{navigation symbols}{}
 \usepackage{xcolor}
 \usepackage[normalem]{ulem}
 \usepackage{listings}
 \usepackage{adjustbox}
 \usepackage{array}
 \usepackage{bbding}
 \usepackage{relsize}
 \usepackage{graphicx}
 \usepackage{tikz,eurosym,calc}
 \usetikzlibrary{tikzmark}
 \usetikzlibrary{shapes,arrows,arrows.meta}
 \usetikzlibrary{positioning,fit,patterns}
 \usetikzlibrary{calc}
 
 % CSS
 \lstdefinelanguage{CSS}{
   basicstyle=\ttfamily\scriptsize,
   keywords={color,background-image:,margin,padding,font,weight,display,position,top,left,right,bottom,list,style,border,size,white,space,min,width, transition:, transform:, transition-property, transition-duration, transition-timing-function},
   sensitive=true,
   morecomment=[l]{//},
   morecomment=[s]{/*}{*/},
   morestring=[b]',
   morestring=[b]",
   alsoletter={:},
   alsodigit={-}
 }
 
 % JavaScript
 \lstdefinelanguage{JavaScript}{
   basicstyle=\ttfamily\scriptsize,
   morekeywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
   morecomment=[s]{/*}{*/},
   morecomment=[l]//,
   morestring=[b]",
   morestring=[b]'
 }
 
 \lstdefinelanguage{HTML5}{
   basicstyle=\ttfamily\scriptsize,
   language=html,
   sensitive=true,
   alsoletter={<>=-},
   morecomment=[s]{<!-}{-->},
   tag=[s],
   otherkeywords={
   % General
   >,
   % Standard tags
 	<!DOCTYPE,
   </html, <html, <head, <title, </title, <style, </style, <link, </head, <meta, />,
 	% body
 	</body, <body,
 	% Divs
 	</div, <div, </div>,
 	% Paragraphs
 	</p, <p, </p>,
 	% scripts
 	</script, <script,
   % More tags...
   <canvas, /canvas>, <svg, <rect, <animateTransform, </rect>, </svg>, <video, <source, <iframe, </iframe>, </video>, <image, </image>
   },
   ndkeywords={
   % General
   =,
   % HTML attributes
   charset=, src=, id=, width=, height=, style=, type=, rel=, href=,
   % SVG attributes
   fill=, attributeName=, begin=, dur=, from=, to=, poster=, controls=, x=, y=, repeatCount=, xlink:href=,
   % CSS properties
   margin:, padding:, background-image:, border:, top:, left:, position:, width:, height:,
 	% CSS3 properties
   transform:, -moz-transform:, -webkit-transform:,
   animation:, -webkit-animation:,
   transition:,  transition-duration:, transition-property:, transition-timing-function:,
   }
 }
 
 \lstdefinelanguage{JavaScript}{
   basicstyle=\ttfamily\scriptsize,
   keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break, for},
   keywordstyle=\color{blue}\bfseries,
   ndkeywords={class, export, boolean, throw, implements, import, this},
   ndkeywordstyle=\color{darkgray}\bfseries,
   identifierstyle=\color{black},
   sensitive=false,
   comment=[l]{//},
   morecomment=[s]{/*}{*/},
   commentstyle=\color{purple}\ttfamily,
   stringstyle=\color{red}\ttfamily,
   morestring=[b]',
   morestring=[b]"
 }
 
 \def\checkmark{\tikz\fill[scale=0.4](0,.35) -- (.25,0) -- (1,.7) -- (.25,.15) -- cycle;}
 
 
 \setbeamersize{description width=1em}
 
 \definecolor{blue}{rgb}{0,0,0.7}
 \newcommand{\orange}[1]{{\color{orange}#1}}
 \newcommand{\blue}[1]{{\color{blue}#1}}
 \newcommand{\red}[1]{{\color{red}#1}}
 \newcommand{\Guardian}{\mathcal{G}}
 \newcommand{\Child}{\mathcal{C}}
 \newcommand{\Customer}{\mathcal{C}}
 \newcommand{\Merchant}{\mathcal{M}}
 \newcommand{\Exchange}{\mathcal{E}}
 
 \newcommand{\Commit}{\mathsf{Commit}}
 \newcommand{\Attest}{\mathsf{Attest}}
 \newcommand{\Verify}{\mathsf{Verify}}
 \newcommand{\Derive}{\mathsf{Derive}}
 \newcommand{\DeriveCompare}{\mathsf{DeriveCompare_\kappa}}
 \newcommand{\Compare}{\mathsf{Compare}}
 \newcommand{\AgeVer}{\mathsf{AgeVer}}
 
 \newcommand{\HashF}{\mathsf{H}}
 \newcommand{\Hash}{\mathsf{H}}
 \newcommand{\Block}{\mathbb{B}}
 \newcommand{\Pub}{\mathsf{Pub}}
 \newcommand{\Sign}{\mathsf{Sig}}
 \newcommand{\Ver}{\mathsf{Ver}}
 \newcommand{\Encoding}{\mathsf{Encoding}}
 \newcommand{\ECDSA}{\mathsf{ECDSA}}
 \newcommand{\Null}{\mathcal{O}}
 \newcommand{\EC}{\mathrm{ec}}
 \newcommand{\Curve}{\mathsf{Curve25519}}
 \newcommand{\SHA}{\mathsf{SHA256}}
 \newcommand{\SHAF}{\mathsf{SHA252}}
 \newcommand{\FDH}{\mathsf{FDH}}
 
 \newcommand{\negl}{\epsilon}
 
 \newcommand{\rand}{\mathsf{rand}}
 \newcommand{\age}{\mathsf{a}}
 \newcommand{\Age}{\mathsf{M}}
 \newcommand{\bage}{\mathsf{b}}
 \newcommand{\minage}{\mathsf{m}}
 \newcommand{\attest}{\mathsf{T}}
 \newcommand{\commitment}{\mathsf{Q}}
 \newcommand{\pruf}{\mathsf{P}}
 \newcommand{\Vcommitment}{\vec{\mathsf{Q}}}
 \newcommand{\Vpruf}{\vec{\mathsf{P}}}
 \newcommand{\blinding}{\beta}
 
 \newcommand{\ZN}{\mathbb{Z}_N}
 \newcommand{\Z}{\mathbb{Z}}
 \newcommand{\N}{\mathbb{N}}
 \newcommand{\A}{\mathbb{A}}
 \newcommand{\E}{\mathbb{E}}
 \newcommand{\F}{\mathbb{F}}
 \newcommand{\seck}{\mathsf{s}}
 \newcommand{\pubk}{\mathsf{P}}
 \renewcommand{\H}{\mathbb{H}}
 \newcommand{\K}{\mathbb{K}}
 \newcommand{\Proofs}{\mathbb{P}}
 \newcommand{\Commitments}{\mathbb{O}}
 \newcommand{\Attests}{\mathbb{T}}
 \newcommand{\Blindings}{\mathbb{B}}
 \newcommand{\Nil}{\perp}
 
 \newcommand{\p}{\mathsf{p}}
 \newcommand{\com}{\mathsf{com}}
 \newcommand{\prf}{\mathsf{prf}}
 
 \newcommand{\Adv}{\mathcal{A}}
 \newcommand{\PPT}{\mathfrak{A}}
 \newcommand{\Probability}{\mathrm{Pr}}
 \newcommand{\Algorithm}{f}
 \renewcommand{\Game}[1]{G_\Adv^\mathsf{#1}}
 
 \DeclareMathOperator{\Image}{Im}
 \DeclareMathOperator{\Mod}{mod}
 
 \newcommand{\Encode}[1]{\overbracket[0.5pt][2pt]{\,#1\,}}
 \newcommand{\Decode}[1]{\underbracket[0.5pt][3pt]{\,#1\,}}
 \newcommand{\FDHg}[1]{[#1]_g\,}
 \newcommand{\logg}{{\breve{g}}}
 
 
 \newcommand{\drawfrom}{\xleftarrow{\$}}
 \newcommand\Exists{%
 	  \mathop{\lower0.75ex\hbox{\ensuremath{%
 		  \mathlarger{\mathlarger{\mathlarger{\mathlarger{\exists}}}}}}}%
 	  \limits}
 
 \newcommand\Forall{%
 	  \mathop{\lower0.75ex\hbox{\ensuremath{%
 		  \mathlarger{\mathlarger{\mathlarger{\mathlarger{\forall}}}}}}}%
 	  \limits}
 
 
 \title{GNU Taler}
 %\subtitle{}
 
 \setbeamertemplate{navigation symbols}{\includegraphics[width=1cm]{inria.pdf} \includegraphics[width=2.3cm]{bfh.png} \includegraphics[width=1.6cm]{fub.pdf} \includegraphics[width=0.4cm]{ashoka.png}  \includegraphics[width=0.4cm]{gnu.png} \includegraphics[width=1cm]{taler-logo-2021-inkscape.pdf} \hfill}
 %\setbeamercovered{transparent=1}
 
 \author[C. Grothoff]{J. Burdges, {\bf F. Dold, C. Grothoff, M. Stanisci}}
 \date{\today}
 \institute{Taler Systems SA \& The GNU Project}
 
 
 \begin{document}
 
 \justifying
 
 \begin{frame}
   \begin{center}
     \LARGE {\bf GNU} \\
     \vspace{0.3cm}
 %    \includegraphics[width=0.66\textwidth]{logo-2017-fr.pdf}
     \includegraphics[width=0.66\textwidth]{taler-logo-2021-inkscape.pdf}
     \vfill
   \end{center}
 \begin{textblock*}{6cm}(.5cm,7.7cm) % {block width} (coords)
     {\Large {\bf \href{https://taler.net/}{taler.net}} \\
     \href{https://twitter.com/taler}{taler@twitter} \\
     \href{https://taler-systems.com/}{taler-systems.com}}
 \end{textblock*}
 
 % Substitute based on who is giving the talk!
  \begin{textblock*}{8cm}(4.7cm,6.7cm) % {block width} (coords)
    {\hfill {{\bf Dr. Emmanuel Benoist} \\
     \hfill {\bf Dr. Florian Dold} \\
     \hfill {\bf Prof. Andreas Habegger} \\
     \hfill {\bf Dr. Christian Grothoff} \\ }
     \hfill \{benoist,dold,habegger,grothoff\}@taler.net }
 \end{textblock*}
 
 \end{frame}
 
 \begin{frame}{GNU Taler}
   \vfill
   \begin{center}
     {\huge {\bf Digital} cash, made \textbf{socially responsible}.}
   \end{center}
   \vfill
   \begin{center}
   \includegraphics[scale=0.3]{taler-logo-2021-inkscape.pdf}
   \end{center}
   \vfill
   \begin{center}
     Privacy-Preserving, Practical, Taxable, Free Software, Efficient
   \end{center}
  \vfill
  \vfill
 \ %
 \end{frame}
 
 
 \begin{frame}{Agenda}
 \tableofcontents
 \end{frame}
 
 
 \section{Introduction}
 
 \begin{frame}
   \vfill
   \begin{center}
     {\bf Part I: Introduction}
   \end{center}
   \vfill
 \end{frame}
 
 
 \section{What is Taler?}
 \begin{frame}{What is Taler?}
   \framesubtitle{\url{https://taler.net/en/features.html}}  \noindent
 Taler is
   \vfill
   \begin{itemize}
     \item a Free/Libre software \emph{payment system} infrastructure project
     \item ... with a surrounding software ecosystem
     \item ... and a company (Taler Systems S.A.) and community that wants to deploy it
       as widely as possible.
   \end{itemize}
   \vfill
 \noindent
  However, Taler is
   \begin{itemize}
     \item \emph{not} a currency
     \item \emph{not} a long-term store of value
     \item \emph{not} a network or instance of a system
     \item \emph{not} decentralized
 %    \item \emph{not} based on proof-of-work or proof-of-stake
     \item combinable with a DLT back-end if requested
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Design principles}
   \framesubtitle{https://taler.net/en/principles.html}
 GNU Taler must ...
 \begin{enumerate}
   \item {... be implemented as {\bf free software} (but {\em available} under a commercial license).}
   \item {... protect the {\bf privacy of buyers}.}
   \item {... must enable the state to {\bf tax income} and crack down on
     illegal business activities.}
   \item {... prevent payment fraud.}
   \item {... only {\bf disclose the minimal amount of information
     necessary}.}
   \item {... be usable.}
   \item {... be efficient.}
   \item {... avoid single points of failure.}
   \item {... foster {\bf competition} in associated services.}
 \end{enumerate}
 \end{frame}
 
 
 \begin{frame}
 \frametitle{Taler Overview}
 \begin{center}
 \begin{tikzpicture}
  \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em];
  \node (origin) at (0,0) {};
  \node (exchange) [def,above=of origin,draw]{Exchange};
  \node (customer) [def, draw, below left=of origin] {Customer};
  \node (merchant) [def, draw, below right=of origin] {Merchant};
  \node (auditor) [def, draw, above right=of origin]{Auditor};
 % \node (regulator) [def, draw, above=of auditor]{CSSF};
 
  \tikzstyle{C} = [color=black, line width=1pt]
 
  \draw [<-, C] (customer) -- (exchange) node [midway, above, sloped] (TextNode) {withdraw coins};
  \draw [<-, C] (exchange) -- (merchant) node [midway, above, sloped] (TextNode) {deposit coins};
  \draw [<-, C] (merchant) -- (customer) node [midway, above, sloped] (TextNode) {spend coins};
  \draw [<-, C] (exchange) -- (auditor) node [midway, above, sloped] (TextNode) {verify};
 % \draw [<-, C] (regulator) -- (auditor) node [midway, above, sloped] (TextNode) {report};
 
 \end{tikzpicture}
 \end{center}
 \end{frame}
 
 
 \begin{frame}{Architecture of Taler}
 \begin{center}
   \includegraphics[width=1\textwidth]{operations.png}
 \end{center}
 \end{frame}
 
 
 \begin{frame}{Consumer Impact of Taler}
 \begin{itemize}
 \item {\bf Convenient:} pay with one click instantly --– in Euro,
 Dollar, Swiss Franc or Bitcoin
 \item {\bf Friction-free security:} Payments do not require sign-up,
 login or multi-factor authentication
 \item {\bf Privacy-preserving:} payment requires/shares no personal information
 \item {\bf Bank account:} not required
 \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Merchant Impact of Taler}
 \begin{itemize}
 \item {\bf Instant clearance:} one-click transactions and instant clearance at par
 \item {\bf Easy \& compliant:} GDPR \& PCI-DSS compliance-free and without any effort
 \item {\bf Major profit increase:} efficient protocol $+$ no fraud $=$ extremely low costs
 \item {\bf 1-click checkout:} without Amazon and without false
 positives in fraud detection
 \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Taler: Unique Regulatory Features for Central Banks}
   \framesubtitle{\url{https://www.snb.ch/en/mmr/papers/id/working_paper_2021_03}}
   \begin{itemize}
     \item Central bank issues digital coins equivalent to issuing cash \\
           $\Rightarrow$ monetary policy remains under CB control
     \item Architecture with consumer accounts at commercial banks \\
           $\Rightarrow$ no competition for commercial banking (S\&L) \\
           $\Rightarrow$ CB does not have to manage KYC, customer support
     \item Withdrawal limits and denomination expiration \\
           $\Rightarrow$ protects against bank runs and hoarding
     \item Income transparency and possibility to set fees \\
           $\Rightarrow$ additional insights into economy and new policy options
     \item Revocation protocols and loss limitations \\
           $\Rightarrow$ exit strategy and handles catastrophic security incidents
     \item Privacy by cryptographic design not organizational compliance \\
           $\Rightarrow$ CB cannot be forced to facilitate mass-surveillance
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Active collaborations}
 {\tiny
   \begin{description}
   \item {\bf Berner Fachhochschule:} \\ Snack machine \& blockchain integration \& scalability
   \item {\bf Technische Universit\"at Eindhoven:} \\ Post-quantum cryptography
   \item {\bf Freie Universit\"at Berlin:} \\ Programmability \& embedded systems
   \item {\bf The GNU Project}: \\ Integration into FLOSS software
   \item {\bf Code Blau GmbH}: \\ Independent auditor development
 %  \item {\bf Fraunhofer Gesellschaft}: \\ Identity management \& SSI \& wallet-to-wallet communication
   \item {\bf Fiscaltrust GmbH}: \\ Point-of-sale integration ({\bf
 new})
   \item {\bf Bank of International Settlements}: \\ Participation in Point Zero Forum 2023 ({\bf new})
   \item {\bf Oesterreichische Nationalbank AG}: \\ Joint presentation
 proposal for Re:publica 2023 ({\bf new})
   \end{description}
   }
 \end{frame}
 
 
 \begin{frame}{Launch Timeline}
   \begin{description}
     \item[2022] Internal deployment at BFH
     \item[Q1'2023] Deployment using Bitcoin at BFH (running, but not yet announced)
     \item[Q2-3'2023] Deployment of local currency Netzbon in Basel
     \item[Q3'2023] Public deployment of eCHF stablecoin in Switzerland, cleared by FINMA
     \item[2024] German bank executes ``new product process'' for launch in Eurozone
   \end{description}
 \end{frame}
 
 
 \begin{frame}{Usability of Taler}
   \vfill
   \begin{center}
     \url{https://demo.taler.net/}
   \end{center}
   \begin{enumerate}
   \item Install browser extension.
   \item Visit the {\tt bank.demo.taler.net} to withdraw coins.
   \item Visit the {\tt shop.demo.taler.net} to spend coins.
   \end{enumerate}
   \vfill
 \end{frame}
 
 
 \begin{frame}[c]{Example: The Taler Snack Machine\footnote{by M. Boss and D. Hofer}}
   \framesubtitle{Integration of a MDB/ICP to Taler gateway.\\Implementation of a NFC or QR-Code to Taler wallet interface.}
 	\vfill
 	\begin{figure}
   \centering
   \includegraphics[width=1.0\textwidth]{design}
   \end{figure}
 \end{frame}
 
 
 \begin{frame}[c]{User story: Install App on Android}
 \framesubtitle{\url{https://wallet.taler.net/}}
 		\begin{figure}
 			\includegraphics[width=0.8\textwidth]{download_wallet.png}
 		\end{figure}
 \end{frame}
 
 \begin{frame}{User story: Withdraw e-cash}
 		\begin{figure}
 			\includegraphics[width=0.8\textwidth]{get_taler_coins.png}
 		\end{figure}
 \end{frame}
 
 \begin{frame}{User story: Use machine!}
 		\begin{figure}
 			\includegraphics[width=0.8\textwidth]{get_snacks.png}
 		\end{figure}
 \end{frame}
 
 
 \section{Component Zoo}
 
 \begin{frame}
   \vfill
   \begin{center}
     {\bf Part II: Component Zoo}
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}{The Taler Software Ecosystem: Overview}
   \framesubtitle{\url{https://taler.net/en/docs.html}}
   Taler is based on modular components that work together to provide a
   complete payment system:
   \vfill
   \begin{itemize}
     \item {\bf Exchange:} Service provider for digital cash
       \begin{itemize}
         \item Core exchange software (cryptography, database)
         \item Air-gapped key management, real-time {\bf auditing}
         \item {\bf LibEuFin}: Modular integration with banking systems
       \end{itemize}
     \item {\bf Merchant:} Integration service for existing businesses
       \begin{itemize}
         \item Core merchant backend software (cryptography, database)
         \item {\bf Back-office interface} for staff
         \item {\bf Frontend integration} (E-commerce, Point-of-sale)
       \end{itemize}
     \item {\bf Wallet:} Consumer-controlled applications for e-cash
       \begin{itemize}
         \item Multi-platform wallet software (for browsers \& mobile phones)
         \item Wallet backup storage providers ({\bf sync})
         \item {\bf Anastasis}: Recovery of lost wallets based on secret splitting
       \end{itemize}
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Taler Exchange}
   The {\bf Exchange} is the core logic of the payment system.
 
   \begin{itemize}
     \item One exchange at minimum must be operated per currency
     \item Offers a REST API for merchants and customers
     \item Uses several helper processes for configuration and to
           interact with RTGS and cryptography
     \item KYC support via OAuth 2.0, KycAID or Persona APIs
     \item Implemented in C on top of GNU libmicrohttpd
   \end{itemize}
   Scalability: 28'500 transactions/second measured % in BS-thesis
   in 2022 using two servers on Grid5000. Likely several times
   higher today (but we did not re-measure recently).
 \end{frame}
 
 
 \begin{frame}{Taler Merchant}
   The {\bf Merchant} is the software run by merchants to accept\\
   GNU Taler payments.
 
   \begin{minipage}{6cm}
   \begin{itemize}
     \item REST API for integration with e-commerce
     \item SPA provides Web interface for administration
     \item Features include:
       \begin{itemize}
       \item Multi-tenant support
       \item Refunds
       \item Tipping (Website pays visitor)
       \item Webhooks
       \item Inventory management (optional)
       \end{itemize}
     \item Implemented in C on top of GNU libmicrohttpd
   \end{itemize}
   \end{minipage}
   \begin{minipage}{5cm}
   \includegraphics[width=5cm]{screenshots/merchant-spa-settings}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Taler Wallet}
   The {\bf Wallet} is the software run by consumers to store
   their digital cash and authorize transactions.
 
   \begin{minipage}{8cm}
   \begin{itemize}
     \item {\bf wallet-core} is the logic shared by all interfaces
     \item Applications exist for Android, F-Droid,
           WebExtension (Chrome, Chromium, Firefox, etc.), iOS ({\bf WiP})
     \item Features include:
       \begin{itemize}
       \item Multi-currency support
       \item Wallet-to-wallet payments (NFC or QR code)
       \item CRDT-like data model
       \end{itemize}
     \item {\bf wallet-core} implemented in TypeScript
   \end{itemize}
   Can be integrated into other Apps if desired.
   \end{minipage}
   \begin{minipage}{3cm}
   \includegraphics[width=3cm]{screenshots/Screenshot_20230225-103520.png}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Taler Auditor}
   The {\bf Auditor} is the software run by an independent auditor
   to validate the operation of an Exchange.
 
   \begin{itemize}
     \item REST API for additional report inputs by merchants (optional)
     \item Secure database replication logic
     \item Implemented in C on top of GNU libmicrohttpd
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Pretix Taler payment plugin}
 \begin{center}
 \includegraphics[width=0.5\textwidth]{screenshots/pretix.png}
 \end{center}
 
   Pretix is a ticket sales system.
 
   \begin{itemize}
     \item Pretix payment plugin enables payments via GNU Taler
     \item Developed by Pretix.eu for \EUR{3,000} on behalf of Taler Systems SA
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{WooCommerce Taler payment plugin}
 \begin{minipage}{6cm}
   \begin{itemize}
     \item WooCommerce is an e-commerce plugin for WordPress.
     \item WooCommerce payment plugin enables payments via GNU Taler
     \item Features include:
       \begin{itemize}
       \item Trivial configuration
       \item Support for refunds
       \item Full internationalization
       \end{itemize}
     \item WooCommerce and its plugins are implemented in PHP
   \end{itemize}
 \end{minipage}
 \begin{minipage}{5cm}
   \includegraphics[width=4cm]{screenshots/woocommerce-cart.png}
   \includegraphics[width=4cm]{screenshots/woocommerce-settings.png}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Point-of-Sale App for Android}
 
 \begin{minipage}{7cm}
   \begin{itemize}
     \item Allows merchant to generate orders against Taler backend
           and display QR code to enable customer to pay in person
     \item Patterned after ViewTouch restaurant UI
     \item Features include:
       \begin{itemize}
       \item Internet-based configuration
       \item Products sorted by categories
       \item Easy undo of every operation
       \item Manages multiple concurrent orders
       \end{itemize}
     \item The Point-of-Sale App is implemented in Kotlin
   \end{itemize}
 \end{minipage}
 \begin{minipage}{4cm}
   \includegraphics[width=4cm]{screenshots/Screenshot_20230224-194112.jpg}
   \includegraphics[width=4cm]{screenshots/Screenshot_20230224-194119.jpg}
   \includegraphics[width=4cm]{screenshots/Screenshot_20230224-195348.jpg}
 \end{minipage}
 \end{frame}
 
 
 \begin{frame}{LibEuFin}
   LibEuFin is a standalone project that provides adapters to bank account
   access APIs.
 
   \begin{itemize}
     \item LibEuFin provides both a generic access layer and an
       implementation of the Wire Gateway for the exchange
     \item Supports EBICS 2.5
     \item other APIs such as FinTS or PSD2-style XS2A APIs can be added
       without requiring changes to the Exchange
     \item tested with German bank GLS business account and real Euros
   \end{itemize}
   \vfill
   \begin{itemize}
     \item \texttt{libeufin-nexus} is the main service
     \item Almost all configuration (except DB credentials)
       is stored in the database and managed via a RESTful HTTP API
     \item \texttt{libeufin-sandbox} implements a toy EBICS host for protocol
       testing
     \item \texttt{libeufin-cli} is client for the HTTP API (only implements a subset
       of available functionality)
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Cashier App for Android}
 \begin{minipage}{4cm}
   \begin{itemize}
     \item Enables BFH staff to convert cash to e-cash
     \item Staff has special bank accounts with limited funds
     \item Students can pay staff in cash to receive e-cash
     \item The Cashier App is implemented in Kotlin
   \end{itemize}
   \end{minipage}
   \begin{minipage}{3cm}
   \includegraphics[width=3cm]{screenshots/Screenshot_20230225-103315.png}
   \end{minipage}
   \begin{minipage}{3cm}
   \includegraphics[width=3cm]{screenshots/Screenshot_20230225-103325.png}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Depolymerization}
   Depolymerization is a bridge between GNU Taler and blockchains,
   making Taler a layer 2 system for crypto-currencies (like Lightning).
 
   \begin{itemize}
     \item Currently implemented for Bitcoin and Ethereum
           crypto-currencies, with the DLTs as the ``RTGS''
     \item Provides same API to Exchange as LibEuFin
 %   \item Transaction rate and speed limited by the underlying blockchain
     \item Implemented in Rust
   \end{itemize}
   \begin{center}
       \url{https://bitcoin.ice.bfh.ch/}
   \end{center}
 \end{frame}
 
 
 \begin{frame}{TalDir (WiP)}
   TalDir is an extension to the existing
   peer-to-peer payment functionality.
 
   \begin{itemize}
     \item Registry to associate wallets with network addresses
     \item Extensible to different types of network services:
       \begin{itemize}
     \item E-mail
     \item SMS
     \item Twitter
     \item ...
      \end{itemize}
     \item Send payments or invoices to wallets associated with network address
     \item Will {\bf not} require sending wallet to use same network service
   \end{itemize}
 \end{frame}
 
 
 \section{Basic Cryptography}
 
 \begin{frame}
   \vfill
   \begin{center}
     {\bf Part III: Basic Cryptography}
   \end{center}
   \vfill
 \end{frame}
 
 
 
 
 \begin{frame}{How does it work?}
 We use a few well established and tested constructions:
   \begin{itemize}
   \item Cryptographic hash function (1989)
   \item Blind signature (1983)
   \item Schnorr signature (1989)
   \item Diffie-Hellman key exchange (1976)
   \item Cut-and-choose zero-knowledge proof (1985)
   \end{itemize}
 But of course we use modern instantiations.
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Definition: Taxability}
   We say Taler is taxable because:
   \begin{itemize}
   \item Merchant's income is visible from deposits.
   \item Hash of contract is part of deposit data.
   \item State can trace income and enforce taxation.
   \end{itemize}\pause
   Limitations:
   \begin{itemize}
   \item withdraw loophole
   \item {\em sharing} coins among family and friends
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Exchange setup: Create a denomination key (RSA)}
    \begin{minipage}{6cm}
     \begin{enumerate}
     \item Pick random primes $p,q$.
     \item Compute $n := pq$, $\phi(n) = (p-1)(q-1)$
     \item Pick small $e < \phi(n)$ such that
           $d := e^{-1} \mod \phi(n)$ exists.
     \item Publish public key $(e,n)$.
     \end{enumerate}
   \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
  \tikzstyle{def} = [node distance=1em and 1em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (primes) [draw=none, below = of origin] at (0,0) {$(p, q)$};
     \node (seal) [def, draw=none, below left=of primes]{\includegraphics[width=0.15\textwidth]{seal.pdf}};
     \node (hammer) [def, draw=none, below right=of primes]{\includegraphics[width=0.15\textwidth]{hammer.pdf}};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (primes) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (hammer) -- (primes) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
 %  \includegraphics[width=0.4\textwidth]{seal.pdf}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Merchant: Create a signing key (EdDSA)}
   \begin{minipage}{6cm}
     \begin{itemize}
   \item pick random $m \mod o$ as private key
   \item $M = mG$ public key
   \end{itemize}
   \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (m) [draw=none, below = of origin] at (0,0) {$m$};
     \node (seal) [draw=none, below=of m]{M};
    \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (m) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
   \parbox[t]{3cm}{{\bf Capability:} $m \Rightarrow$ }
   \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{merchant-sign.pdf}}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Customer: Create a planchet (EdDSA)}
   \begin{minipage}{8cm}
   \begin{itemize}
   \item Pick random $c \mod o$ private key
   \item $C = cG$ public key
   \end{itemize}
   \end{minipage}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (c) [draw=none, below = of origin] at (0,0) {$c$};
     \node (planchet) [draw=none, below=of c]{\includegraphics[width=0.4\textwidth]{planchet.pdf}};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (c) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (planchet) -- (c) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
   \parbox[t]{3cm}{{\bf Capability:} $c \Rightarrow$ }
   \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{planchet-sign.pdf}}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Customer: Blind planchet (RSA)}
   \begin{minipage}{6cm}
     \begin{enumerate}
     \item Obtain public key $(e,n)$
     \item Compute $f := FDH(C)$, $f < n$.
     \item Pick blinding factor $b \in \mathbb Z_n$
     \item Transmit $f' := f b^e \mod n$
     \end{enumerate}
   \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (b) [def, draw=none, below = of origin] at (0,-0.2) {$b$};
     \node (blinded) [def, draw=none, below right=of b]{\includegraphics[width=0.2\textwidth]{blinded.pdf}};
     \node (planchet) [def, draw=none, above right=of blinded]{\includegraphics[width=0.15\textwidth]{planchet.pdf}};
     \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Exchange: Blind sign (RSA)}
    \begin{minipage}{6cm}
     \begin{enumerate}
     \item Receive $f'$.
     \item Compute $s' := f'^d \mod n$.
     \item Send signature $s'$.
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}};
     \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
     \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Customer: Unblind coin (RSA)}
   \begin{minipage}{6cm}
    \begin{enumerate}
     \item Receive $s'$.
     \item Compute $s := s' b^{-1} \mod n$ % \\
     % ($(f')^d = (f b^e)^d = f^d b$).
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (b) [def, draw=none] at (0,0) {$b$};
     \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
     \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 \begin{frame}{Withdrawing coins on the Web}
   \begin{center}
     \includegraphics[height=0.9\textheight]{figs/taler-withdraw.pdf}
   \end{center}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Customer: Build shopping cart}
   \begin{center}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.18\textwidth]{shop.pdf}};
     \node (cart) [draw=none, below=of m]{\includegraphics[width=0.18\textwidth]{cart.pdf}};
     \node (merchant) [node distance=4em and 0.5em, draw, below =of cart]{Merchant};
     \tikzstyle{C} = [color=black, line width=1pt];
     \draw [<-, C] (cart) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (merchant) -- (cart) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{center}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Merchant Integration: Payment Request}
 % \begin{figure}[p!]
  \lstset{language=HTML5}
  \lstinputlisting{figs/taler-402.html}
 %  \caption{Sample HTTP response to prompt the wallet to show an offer.}
 %   \label{listing:http-contract}
 % \end{figure}
 
 % \begin{figure*}[p!]
 % \lstset{language=HTML5}
 % \lstinputlisting{figs/taler-contract.html}
 % \caption{Sample JavaScript code to prompt the wallet to show an offer.
 %          Here, the contract is fetched on-demand from the server.
 %          The {\tt taler\_pay()} function needs to be invoked
 %          when the user triggers the checkout.}
 % \label{listing:contract}
 % \end{figure*}
 \end{frame}
 
 
 
 \begin{frame}<1-| handout:0>{Merchant: Propose contract (EdDSA)}
    \begin{minipage}{6cm}
    \begin{enumerate}
     \item Complete proposal $D$.
     \item Send $D$, $EdDSA_m(D)$
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (cart) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{cart.pdf}};
     \node (proposal) [def, draw=none, below right=of cart]{\includegraphics[width=0.5\textwidth]{merchant_propose.pdf}};
     \node (customer) [node distance=4em and 0.5em, draw, below =of proposal]{Customer};
     \tikzstyle{C} = [color=black, line width=1pt];
     \node (sign) [def, draw=none, above right=of proposal] {$m$};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (proposal) -- (sign) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (proposal) -- (cart) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (customer) -- (proposal) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Customer: Spend coin (EdDSA)}
   \begin{minipage}{6cm}
    \begin{enumerate}
     \item Receive proposal $D$, $EdDSA_m(D)$.
     \item Send $s$, $C$, $EdDSA_c(D)$
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance=2em and 0.4em, inner sep=0em, outer sep=.3em];
     \node (proposal) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}};
     \node (contract) [def, draw=none, below right=of cart]{\includegraphics[width=0.3\textwidth]{contract.pdf}};
     \node (c) [def, draw=none, above=of contract] {$c$};
     \node (merchant) [node distance=4em and 0.5em, draw, below=of contract]{Merchant};
     \node (coin) [def, draw=none, right=of contract]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (contract) -- (proposal) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (merchant) -- (contract) node [midway, above, sloped] (TextNode) {{\small transmit}};
     \draw [<-, C] (merchant) -- (coin) node [midway, below, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Merchant and Exchange: Verify coin (RSA)}
    \begin{minipage}{6cm}
  \begin{equation*}
    s^e \stackrel{?}{\equiv} FDH(C) \mod n
    \end{equation*}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{minipage}{0.2\textwidth}
     \includegraphics[width=\textwidth]{coin.pdf}
   \end{minipage}
   $\stackrel{?}{\Leftrightarrow}$
   \begin{minipage}{0.2\textwidth}
     \includegraphics[width=\textwidth]{seal.pdf}
   \end{minipage}
   \end{minipage}
   \vfill
   The exchange does not only verify the signature, but also
   checks that the coin was not double-spent.
   \vfill
   \pause
   \begin{center}
   {\bf This step requires communication with the exchange.}
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}{Payment processing with Taler}
   \begin{center}
     \includegraphics[height=0.9\textheight]{figs/taler-pay.pdf}
   \end{center}
 \end{frame}
 
 
 \section{Giving Change}
 
 \begin{frame}
   \vfill
   \begin{center}
     {\bf Part IV: Giving Change}
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}{Giving change}
   It would be inefficient to pay EUR 100 with 1 cent coins!
   \begin{itemize}
   \item Denomination key represents value of a coin.
   \item Exchange may offer various denominations for coins.
   \item Wallet may not have exact change!
   \item Usability requires ability to pay given sufficient total funds.
   \end{itemize}\pause
   Key goals:
   \begin{itemize}
   \item maintain unlinkability
   \item maintain taxability of transactions
   \end{itemize}\pause
   Method:
   \begin{itemize}
     \item Contract can specify to only pay {\em partial value} of a coin.
     \item Exchange allows wallet to obtain {\em unlinkable change}
       for remaining coin value.
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Diffie-Hellman (ECDH)}
   \begin{minipage}{8cm}
    \begin{enumerate}
     \item Create private keys $c,t \mod o$
     \item Define $C = cG$
     \item Define $T = tG$
     \item Compute DH \\ $cT = c(tG) = t(cG) = tC$
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t$};
     \node (ct) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{dh.pdf}};
     \node (c) [def, draw=none, above left= of ct]  {$c$};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (ct) -- (c) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (ct) -- (t) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Strawman solution}
   \begin{minipage}{8cm}
     Given partially spent private coin key $c_{old}$:
    \begin{enumerate}
 %    \item Let $C_{old} := c_{old}G$ (as before)
     \item Pick random $c_{new} \mod o$ private key
     \item $C_{new} = c_{new}G$ public key
     \item Pick random $b_{new}$
     \item Compute $f_{new} := FDH(C_{new})$, $m < n$.
     \item Transmit $f'_{new} := f_{new} b_{new}^e \mod n$
    \end{enumerate}
    ... and sign request for change with $c_{old}$.
    \end{minipage}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.45em, inner sep=0em, outer sep=.3em];
     \node (blinded) [def, draw=none]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (planchet) [def, draw=none, above left= of blinded]  {\includegraphics[width=0.15\textwidth]{planchet.pdf}};
     \node (cnew) [def, draw=none, above= of planchet]  {$c_{new}$};
     \node (bnew) [def, draw=none, above right= of blinded]  {$b_{new}$};
     \node (dice1) [def, draw=none, above = of cnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dice2) [def, draw=none, above = of bnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (cnew) -- (dice1) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (planchet) -- (cnew) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bnew) -- (dice2) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bnew) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
   \pause
   \vfill
   {\bf Problem: Owner of $c_{new}$ may differ from owner of $c_{old}$!}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Customer: Transfer key setup (ECDH)}
   \begin{minipage}{8cm}
     Given partially spent private coin key $c_{old}$:
    \begin{enumerate}
     \item Let $C_{old} := c_{old}G$ (as before)
     \item Create random private transfer key $t \mod o$
     \item Compute $T := tG$
     \item Compute $X := c_{old}(tG) = t(c_{old}G) = tC_{old}$
     \item Derive $c_{new}$ and $b_{new}$ from $X$
     \item Compute $C_{new} := c_{new}G$
     \item Compute $f_{new} := FDH(C_{new})$
     \item Transmit $f_{new}' := f_{new} b_{new}^e$
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.4em and 0.45em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t$};
     \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Cut-and-Choose}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.4em and 0.45em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t_1$};
     \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,1}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new,1}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.4em and 0.45em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t_2$};
     \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,2}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new,2}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.4em and 0.45em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t_3$};
     \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,3}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new,3}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Exchange: Choose!}
    \begin{center}
     \item Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the customer.
     \end{center}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Customer: Reveal}
    \begin{enumerate}
    \item If $\gamma = 1$, send $t_2$, $t_3$ to exchange
    \item If $\gamma = 2$, send $t_1$, $t_3$ to exchange
    \item If $\gamma = 3$, send $t_1$, $t_2$ to exchange
   \end{enumerate}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Exchange: Verify ($\gamma = 2$)}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (h) [def, draw=none] at (0,0) {$t_1$};
     \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$C_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,1}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new,1}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
   \begin{minipage}{4cm}
  \
   \end{minipage}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (h) [def, draw=none] at (0,0) {$t_3$};
     \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$C_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,3}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new,3}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Exchange: Blind sign change (RSA)}
    \begin{minipage}{6cm}
     \begin{enumerate}
     \item Take $f_{new,\gamma}'$.
     \item Compute $s' := f_{new,\gamma}'^d \mod n$.
     \item Send signature $s'$.
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}};
     \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
     \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Customer: Unblind change (RSA)}
   \begin{minipage}{6cm}
    \begin{enumerate}
     \item Receive $s'$.
     \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$.
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$};
     \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
     \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Exchange: Allow linking change}
   \begin{minipage}{7cm}
     \begin{center}
     Given $C_{old}$
 
     \vspace{1cm}
 
     return $T_\gamma$, $s := s' b_{new,\gamma}^{-1} \mod n$.
   \end{center}
    \end{minipage}
   \begin{minipage}{5cm}
    \begin{tikzpicture}
     \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer sep=.3em];
     \node (co) [def, draw=none] at (0,0) {$C_{old}$};
     \node (T) [def, draw=none, below left=of co]{$T_\gamma$};
     \node (sign) [def, draw=none, below right=of co]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
     \node (customer) [def, draw, below right=of T] {Customer};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode) {link};
     \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode) {link};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Customer: Link (threat!)}
   \begin{minipage}{6.3cm}
    \begin{enumerate}
     \item Have $c_{old}$.
     \item Obtain $T_\gamma$, $s$ from exchange
     \item Compute $X_\gamma = c_{old}T_\gamma$
     \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$
     \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$
   \end{enumerate}
 
    \end{minipage}
   \begin{minipage}{5.7cm}
   \begin{tikzpicture}
   \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (T) [def, draw=none] at (0,0) {$T_\gamma$};
     \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange};
     \node (signed) [def, draw=none, below left=of T]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
     \node (dh) [def, draw=none, below right=of T]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (bp) [def, draw=none, below left= of dh]  {$b_{new,\gamma}$};
     \node (co) [def, draw=none, above right= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below= of dh]  {$c_{new,\gamma}$};
     \node (coin) [def, draw=none, below left = of bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
     \node (psign) [def, node distance=2.5em and 0em, draw=none, below = of cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode) {link};
     \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped] (TextNode) {link};
     \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Refresh protocol properties}
   \begin{itemize}
   \item Customer asks exchange to convert old coin to new coin
   \item Protocol ensures new coins can be recovered from old coin
   \item[$\Rightarrow$] New coins are owned by the same entity!
   \end{itemize}
   Thus, the refresh protocol allows:
   \begin{itemize}
   \item To give unlinkable change.
   \item To give refunds to an anonymous customer.
   \item To expire old keys and migrate coins to new ones.
   \item To handle protocol aborts.
   \end{itemize}
   \noindent
 %  \begin{center}
 %   { \bf Transactions via refresh are equivalent to {\em sharing} a wallet.}
 %  \end{center}
 \end{frame}
 
 
 \section{Illustration of Programmable Money: Age Restrictions}
 
 \begin{frame}
   \vfill
   \begin{center}
     \vfill
     {\bf Part V:}
     \vfill
     {\bf Illustration of Programmable Money}
     \vfill
     {\bf Zero-knowledge Age Restrictions}
     \vfill
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}{Age restriction in e-commerce}
 
 	\begin{description}
 		\item[Problem:]~\\[1em]
 			Verification of minimum age requirements in e-commerce.\\[2em]
 
 		\item[Common solutions:]
 
 \begin{tabular}{l<{\onslide<2->}c<{\onslide<3->}cr<{\onslide}}
 	& \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount]
 	1. ID Verification     & bad   & required & \\[\medskipamount]
 	2. Restricted Accounts & bad   & required & \\[\medskipamount]
 	3. Attribute-based     & good  & required &\tikzmark{bottomau} \\[\medskipamount]
 \end{tabular}
 	\end{description}
 
 \uncover<4->{
 	\begin{tikzpicture}[overlay,remember picture]
 	\draw[orange,thick,rounded corners]
 		($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$);
 	\end{tikzpicture}
 	\begin{center}
 	\bf Principle of subsidiarity is violated
 	\end{center}
 }
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Principle of Subsidiarity}
 \begin{center} \Large
 	Functions of government---such as granting and restricting
 	rights---should be performed\\
 	{\it at the lowest level of authority possible},\\
 	as long as they can be performed {\it adequately}.
 \end{center}
 \vfill
 \uncover<2->{
 	For age-restriction, the lowest level of authority is:\\
 	\begin{center}\Large
 	Parents, guardians and caretakers
 	\end{center}
 }
 \end{frame}
 
 
 \begin{frame}{Age restriction design for GNU Taler}
 Design and implementation of an age restriction scheme\\
 with the following goals:
 
 \begin{enumerate}
 \item It ties age restriction to the \textbf{ability to pay} (not to ID's)
 \item maintains \textbf{anonymity of buyers}
 \item maintains \textbf{unlinkability of transactions}
 \item aligns with \textbf{principle of subsidiarity}
 \item is \textbf{practical and efficient}
 \end{enumerate}
 
 \end{frame}
 
 
 \begin{frame}{Age restriction}
 	\framesubtitle{Assumptions and scenario}
 
 	\begin{columns}
 		\column{7.5cm}
 	\begin{itemize}
 		\item<1-> Assumption: Checking accounts are under control of eligible adults/guardians.
 		\item<2-> \textit{Guardians} \textbf{commit} to an maximum age
 		\item<3-> \textit{Minors} \textbf{attest} their adequate age
 		\item<4-> \textit{Merchants} \textbf{verify} the attestations
 		\item<5-> Minors \textbf{derive} age commitments from existing ones
 		\item<6-> \textit{Exchanges} \textbf{compare} the derived age commitments
 	\end{itemize}
 		\column{5cm}
 		\uncover<7->
 		{
 		\begin{center}
 		\fontsize{7pt}{7pt}\selectfont
 	\begin{tikzpicture}[scale=.5]
 		\node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=15pt,fill=black!15] at (  0:0) (Client) {$\Child$};
 		\node[circle,minimum size=15pt,fill=black!15] at (  0:4) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=15pt,fill=blue!15]  at (140:3) (Guardian) {$\Guardian$};
 
 		\draw[->] (Guardian)   to [out=50,in=130, loop] node[above]
 			{$\Commit$} (Guardian);
 		\draw[->,blue] (Client)   to [out=-125,in=-190, loop] node[below,left]
 			{\blue{$\Attest$}} (Client);
 		\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
 			{\blue{$\Verify$}} (Merchant);
 		\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
 			{\orange{$\Derive$}} (Client);
 		\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
 			{\orange{$\Compare$}} (Exchange);
 
 		\draw[orange,|->] (Client)   to node[sloped,above,align=left]
 			{\orange{\scriptsize }} (Exchange);
 		\draw[blue,|->] (Client)   to node[sloped, above]
 			{\blue{\scriptsize }} (Merchant);
 		\draw[,|->] (Guardian) to node[above,sloped,align=left]
 			{{\scriptsize }} (Client);
 	\end{tikzpicture}
 		\end{center}
 		}
 	\end{columns}
 	\vfill
 %	\uncover<7->{Note: Scheme is independent of payment service protocol.}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Formal Function Signatures}
 \small
 Searching for functions \uncover<2->{with the following signatures}
 \begin{align*}
 	&\bf \Commit\uncover<2->{:
 		&(\age, \omega) &\mapsto (\commitment, \pruf)
 		&\scriptstyle \N_\Age \times \Omega &\scriptstyle \to \Commitments\times\Proofs,
 		}
 	\\
 	&\bf \Attest\uncover<3->{:
 		&(\minage, \commitment, \pruf) &\mapsto \attest
 		&\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\},
 		}
 	\\
 	&\bf \Verify\uncover<4->{:
 		&(\minage, \commitment, \attest) &\mapsto b
 		&\scriptstyle \N_\Age\times\Commitments\times\Attests &\scriptstyle \to \Z_2,
 		}
 	\\
 	&\bf \Derive\uncover<5->{:
 		&(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf', \blinding)
 		&\scriptstyle \Commitments\times\Proofs\times\Omega &\scriptstyle \to \Commitments\times\Proofs\times\Blindings,
 		}
 	\\
 	&\bf \Compare\uncover<6->{:
 		&(\commitment, \commitment', \blinding) &\mapsto b
 		&\scriptstyle \Commitments\times\Commitments\times\Blindings &\scriptstyle \to \Z_2,
 		}
 \end{align*}
 	\uncover<7->{
 		with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$
 		sufficiently large sets.\\[1em]
 		Basic and security requirements are defined later.\\[2em]
 	}
 
 		\scriptsize
 	\uncover<2->{
 		Mnemonics:\\
 		$\Commitments=$ \textit{c$\Commitments$mmitments},
 		$\commitment=$ \textit{Q-mitment} (commitment),
 		$\Proofs=$ \textit{$\Proofs$roofs},
 	}
 	\uncover<3->{
 		$\pruf=$ \textit{$\pruf$roof},\\
 		$\Attests=$ \textit{a$\Attests$testations},
 		$\attest=$ \textit{a$\attest$testation},
 	}
 	\uncover<5->{
 		$\Blindings=$ \textit{$\Blindings$lindings},
 		$\blinding=$ \textit{$\blinding$linding}.
 	}
 \end{frame}
 
 \begin{frame}<1-| handout:0>{Age restriction}
 	\framesubtitle{Naïve scheme}
 	\begin{center}
 	\begin{tikzpicture}[scale=.85]
 		\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=20pt,fill=black!15] at (  0:0) (Client) {$\Child$};
 		\node[circle,minimum size=20pt,fill=black!15] at (  0:4) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=20pt,fill=blue!15]  at (140:3) (Guardian) {$\Guardian$};
 
 		\draw[->] (Guardian)   to [out=50,in=130, loop] node[above]
 			{$\Commit$} (Guardian);
 		\draw[->,blue] (Client)   to [out=-125,in=-190, loop] node[below,left]
 			{\blue{$\Attest$}} (Client);
 		\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
 			{\blue{$\Verify$}} (Merchant);
 		\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
 			{\orange{$\Derive$}} (Client);
 		\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
 			{\orange{$\Compare$}} (Exchange);
 
 		\draw[orange,|->] (Client)   to node[sloped,above,align=left]
 			{\orange{\scriptsize }} (Exchange);
 		\draw[blue,|->] (Client)   to node[sloped, above]
 			{\blue{\scriptsize }} (Merchant);
 		\draw[,|->] (Guardian) to node[above,sloped,align=left]
 			{{\scriptsize }} (Client);
 	\end{tikzpicture}
 	\end{center}
 \end{frame}
 
 \begin{frame}<1-| handout:0>{Achieving Unlinkability}
 	\begin{columns}
 		\column{3cm}
 		\begin{center}
 		\fontsize{8pt}{9pt}\selectfont
 		\begin{tikzpicture}[scale=.65]
 			\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
 			\node[circle,minimum size=20pt,fill=black!15] at (  0:0) (Client) {$\Child$};
 
 			\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
 				{\orange{$\footnotesize \Derive()$}} (Client);
 			\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
 				{\orange{$\footnotesize \Compare()$}} (Exchange);
 
 			\draw[orange,|->] (Client)   to node[sloped,above,align=left]
 				{\orange{\tiny \uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange);
 		\end{tikzpicture}
 		\end{center}
 
 		\column{9cm}
 	Simple use of $\Derive()$ and $\Compare()$ is problematic.
 
 	\begin{itemize}
 		\item<2-> Calling $\Derive()$ iteratively generates sequence
 			$(\commitment_0, \commitment_1, \dots)$ of commitments.
 		\item<2-> Exchange calls $\Compare(\commitment_i, \commitment_{i+1}, .)$
 		\item[$\implies$]\uncover<3->{\bf Exchange identifies sequence}
 		\item[$\implies$]\uncover<3->{\bf Unlinkability broken}
 	\end{itemize}
 	\end{columns}
 \end{frame}
 
 \begin{frame}<1-| handout:0>{Achieving Unlinkability}
 	Define cut\&choose protocol \orange{$\DeriveCompare$},
 	using $\Derive()$ and $\Compare()$.\\[0.5em]
 	\uncover<2->{
 	Sketch:
 	\small
 	\begin{enumerate}
 		\item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$
 			from $\commitment_0$ \\
 			by calling $\Derive()$ with blindings $(\beta_1,\dots,\beta_\kappa)$
 		\item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$
 		\item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$
 		\item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly
 		\item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$
 		\item $\Exchange$ compares $h_0$ and
 			$H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\
 			and evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$.
 	\end{enumerate}
 	\vfill
 	Note: Scheme is similar to the {\it refresh} protocol in GNU Taler.
 	}
 \end{frame}
 
 \begin{frame}<1-| handout:0>{Achieving Unlinkability}
 	With \orange{$\DeriveCompare$}
 	\begin{itemize}
 		\item $\Exchange$ learns nothing about $\commitment_\gamma$,
 		\item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty,
 		\item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat.
 	\end{itemize}
 	\vfill
 	Note: Still need Derive and Compare to be defined.
 \end{frame}
 
 \begin{frame}<1-| handout:0>{Refined scheme}
 
 	\begin{tikzpicture}[scale=.8]
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:0) (Client)   {$\Child$};
 		\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:5) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=25pt,fill=blue!15]  at (130:3) (Guardian) {$\Guardian$};
 
 		\draw[orange,<->] (Client)   to node[sloped,below,align=center]
 			{\orange{$\DeriveCompare$}} (Exchange);
 		\draw[blue,->] (Client)   to node[sloped, below]
 			{\blue{$(\attest_\minage, \commitment)$}} (Merchant);
 
 		\draw[->] (Guardian)   to [out=150,in=70, loop] node[above]
 			{$\Commit(\age)$} (Guardian);
 		\draw[->] (Guardian)   to node[below,sloped]
 			{($\commitment$, $\pruf_\age$)} (Client);
 		\draw[->,blue] (Client)   to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
 		\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
 	\end{tikzpicture}
 \end{frame}
 
 % \begin{frame}{Achieving Unlinkability}
 % 	\scriptsize
 % 	$\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\
 % 	\vfill
 % 	$\DeriveCompare(\commitment, \pruf, \omega) =$
 % \begin{itemize}
 % \it
 % 	\itemsep0.5em
 % 	\item[$\Child$:]
 % 		\begin{enumerate}
 % 				\scriptsize
 % 			\itemsep0.3em
 % 			\item for all $i \in \{1,\dots,\kappa\}:
 % 				(\commitment_i,\pruf_i,\beta_i) \leftarrow \Derive(\commitment, \pruf, \omega + i)$
 % 			\item $h \leftarrow \Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa) \big)$
 % 			\item send $(\commitment, h)$ to $\Exchange$
 % 		\end{enumerate}
 % 	\item[$\Exchange$:]
 % 		\begin{enumerate}
 % 			\setcounter{enumi}{4}
 % 				\scriptsize
 % 			\itemsep0.3em
 % 			\item save $(\commitment, h)$ \label{st:hash}
 % 			\item $\gamma \drawfrom \{1,\dots ,\kappa\}$
 % 			\item send $\gamma$ to $\Child$
 % 		\end{enumerate}
 % 	\item[$\Child$:]
 % 		\begin{enumerate}
 % 			\setcounter{enumi}{7}
 %
 % 				\scriptsize
 % 			\itemsep0.3em
 % 			\item $h'_\gamma \leftarrow \Hash(\commitment_\gamma, \beta_\gamma)$
 % 			\item $\mathbf{E}_\gamma \leftarrow \big[(\commitment_1,\beta_1),\dots,
 % 				(\commitment_{\gamma-1}, \beta_{\gamma-1}),
 % 				\Nil,
 % 				(\commitment_{\gamma+1}, \beta_{\gamma+1}),
 % 				\dots,(\commitment_\kappa, \beta_\kappa)\big]$
 % 			\item send $(\mathbf{E}_\gamma, h'_\gamma)$ to $\Exchange$
 % 		\end{enumerate}
 % 	\item[$\Exchange$:]
 % 		\begin{enumerate}
 % 			\setcounter{enumi}{10}
 % 				\scriptsize
 % 			\itemsep0.3em
 % 			\item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow \Hash(\mathbf{E}_\gamma[i])$
 % 			\item if $h \stackrel{?}{\neq} \HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$ return 0
 % 			\item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}$:
 % 				if $0 \stackrel{?}{=} \Compare(\commitment,\commitment_i, \beta_i)$ return $0$
 % 			\item return 1
 % 		\end{enumerate}
 % \end{itemize}
 % \end{frame}
 
 \begin{frame}<1-| handout:0>{Basic Requirements}
 
 	Candidate functions
 	\[ (\Commit, \Attest, \Verify, \Derive, \Compare) \]
 	must first meet \textit{basic} requirements:
 
 	\begin{itemize}
 		\item Existence of attestations
 		\item Efficacy of attestations
 		\item Derivability of commitments and attestations
 	\end{itemize}
 \end{frame}
 
 \begin{frame}<1-| handout:0>{Basic Requirements}
 	\framesubtitle{Formal Details}
 
 	\begin{description}
 		\item[Existence of attestations]
 			{\scriptsize
 			\begin{align*}
 				\Forall_{\age\in\N_\Age \atop \omega \in \Omega}:
 				\Commit(\age, \omega) =: (\commitment, \pruf)
 				\implies
 				\Attest(\minage, \commitment, \pruf) =
 				\begin{cases}
 					\attest \in \Attests, \text{ if } \minage \leq \age\\
 					\Nil \text{ otherwise}
 				\end{cases}
 			\end{align*}}
 		\item[Efficacy of attestations]
 			{\scriptsize
 			\begin{align*}
 				\Verify(\minage, \commitment, \attest) = \
 				\begin{cases}
 					1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\
 					0 \text{ otherwise}
 				\end{cases}
 			\end{align*}}
 
 			{\scriptsize
 			\begin{align*}
 				\forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1.
 			\end{align*}}
 		\item[etc.]
 	\end{description}
 \end{frame}
 
 %\begin{frame}{Requirements}
 %	\framesubtitle{Details}
 %
 %	\begin{description}
 %		\item[Derivability of commitments and proofs:]~\\[0.1em]
 %		{\scriptsize
 %		Let \begin{align*}
 %			\age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\
 %			(\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\
 %			(\commitment_1, \pruf_1, \blinding) & \leftarrow  \Derive(\commitment_0, \pruf_0, \omega_1).
 %		\end{align*}
 %		We require
 %		\begin{align*}
 %			\Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity}
 %		\end{align*}
 %		and for all $n\leq\age$:
 %		\begin{align*}
 %					\Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &%
 %					=
 %					\Verify(n, \commitment_0,  \Attest(n, \commitment_0,  \pruf_0))
 %		\end{align*}}
 %	\end{description}
 %\end{frame}
 
 \begin{frame}<1-| handout:0>{Security Requirements}
 	Candidate functions must also meet \textit{security} requirements.
 	Those are defined via security games:
 	\begin{itemize}
 		\item Game: Age disclosure by commitment or attestation
 		\item[$\leftrightarrow$] Requirement: Non-disclosure of age
 			\vfill
 
 		\item Game: Forging attestation
 		\item[$\leftrightarrow$] Requirement: Unforgeability of
 			minimum age
 			\vfill
 
 		\item Game: Distinguishing derived commitments and attestations
 		\item[$\leftrightarrow$] Requirement: Unlinkability of
 			commitments and attestations
 
 	\end{itemize}
 	\vfill
 
 	Meeting the security requirements means that adversaries can win
 	those games only with negligible advantage.
 	\vfill
 	Adversaries are arbitrary polynomial-time algorithms, acting on all
 	relevant input.
 \end{frame}
 
 \begin{frame}<1-| handout:0>{Security Requirements}
 	\framesubtitle{Simplified Example}
 
 	\begin{description}
 		\item[Game $\Game{FA}(\lambda)$---Forging an attest:]~\\
 	{\small
 	\begin{enumerate}
 		\item $ (\age, \omega)	\drawfrom	\N_{\Age-1}\times\Omega $
 		\item $ (\commitment, \pruf)	\leftarrow	\Commit(\age, \omega) $
 		\item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$
 		\item Return 0 if $\minage \leq \age$
 		\item Return $\Verify(\minage,\commitment,\attest)$
 	\end{enumerate}
 	}
 	\vfill
 	\item[Requirement: Unforgeability of minimum age]
 		{\small
 	\begin{equation*}
 		\Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}:
 		\Probability\Big[\Game{FA}(\lambda) = 1\Big] \le \negl(\lambda)
 	\end{equation*}
 	}
 	\end{description}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Solution: Instantiation with ECDSA}
 %	\framesubtitle{Definition of Commit}
 
 	\begin{description}
 		\item[To Commit to age (group) $\age \in \{1,\dots,\Age\}$]~\\
 		\begin{enumerate}
 			\item<2-> Guardian generates ECDSA-keypairs, one per age (group):
 				\[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\]
 			\item<3-> Guardian then \textbf{drops} all private keys
 				$p_i$ for $i > \age$:
 				\[\Big \langle(q_1, p_1),\dots,
 					(q_\age, p_\age),
 					(q_{\age +1}, \red{\Nil}),\dots,
 					(q_\Age, \red{\Nil})\Big\rangle\]
 
 				\begin{itemize}
 					\item $\Vcommitment := (q_1, \dots, q_\Age)$ is the \textit{Commitment},
 					\item $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$ is the \textit{Proof}
 				\end{itemize}
 				\vfill
 			\item<4-> Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$
 				\vfill
 		\end{enumerate}
 	\end{description}
 \end{frame}
 
 \begin{frame}<1-| handout:0>{Instantiation with ECDSA}
 	\framesubtitle{Definitions of Attest and Verify}
 
 	Child has
 	\begin{itemize}
 		\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $,
 		\item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
 	\end{itemize}
 	\begin{description}
 		\item<2->[To \blue{Attest} a minimum age $\blue{\minage} \leq \age$:]~\\
 			Sign a message with ECDSA using private key $p_\blue{\minage}$
 	\end{description}
 
 	\vfill
 
 	\uncover<3->{
 	Merchant gets
 	\begin{itemize}
 		\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $
 		\item Signature $\sigma$
 	\end{itemize}
 	\begin{description}
 		\item<4->[To \blue{Verify} a minimum age $\minage$:]~\\
 			Verify the ECDSA-Signature $\sigma$ with public key $q_\minage$.
 	\end{description}
 	}
 	\vfill
 \end{frame}
 
 \begin{frame}<1-| handout:0>{Instantiation with ECDSA}
 	\framesubtitle{Definitions of Derive and Compare}
 	Child has
 	$\Vcommitment = (q_1, \dots, q_\Age) $ and
 	$\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
 	\begin{description}
 		\item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:]
 			Choose random $\beta\in\Z_g$ and calculate
 			\small
 			\begin{align*}
 				\Vcommitment' &:= \big(\beta * q_1,\ldots,\beta * q_\Age\big),\\
 				\Vpruf' &:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big)
 			\end{align*}
 			Note: $ (\beta p_i)*G = \beta*(p_i*G)  = \beta*q_i$\\
 			\scriptsize $\beta*q_i$ is scalar multiplication on the elliptic curve.
 	\end{description}
 
 		\vfill
 	\uncover<3->{
 		Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$
 	\begin{description}
 		\item[To \blue{Compare}, calculate:]
 			\small
 		$(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)$
 	\end{description}
 	\vfill
 	}
 \end{frame}
 
 \begin{frame}<1-| handout:0>{Instantiation with ECDSA}
 
 	Functions
 	(Commit, Attest, Verify, Derive, Compare)\\
 	as defined in the instantiation with ECDSA\\[0.5em]
 	\begin{itemize}
 		\item meet the basic requirements,\\[0.5em]
 		\item also meet all security requirements.\\
 		Proofs by security reduction, details are in the paper.
 	\end{itemize}
 
 \end{frame}
 
 
 % \begin{frame}{Instantiation with ECDSA}
 % 	\framesubtitle{Full definitions}
 % 	\scriptsize
 %
 % \begin{align*}
 % 	\Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle
 % 		\overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\;
 % 		\overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf \text{, length }\Age}
 % 		\Big\rangle\\
 % 	\Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:=
 % 		\begin{cases}
 % 			\attest_\bage := \Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage] \stackrel{?}{\neq} \Nil\\
 % 			\Nil & \text{otherwise}
 % 		\end{cases}\\
 % %
 % 	\Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:= \Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\
 % %
 % 	\Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:=
 % 		\Big\langle(\beta * q_1,\ldots,\beta * q_\Age),
 % 		     (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta \Big\rangle \\
 % 		     & \text{ with } \beta := \FDHg{\omega} \text{ and multiplication } \beta p_i \text{ modulo } g \nonumber\\
 % %
 % 	\Compare_E(\Vcommitment, \Vcommitment', \beta)	&:=
 % 		\begin{cases}
 % 			1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\
 % 			0 & \text{otherwise}
 % 		\end{cases}
 % \end{align*}
 % \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Reminder: GNU Taler Fundamentals}
 	\begin{center}
 	\begin{tikzpicture}[scale=.55]
 		\node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$};
 		\node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$};
 		\node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$};
 
 		\draw[<->] (Customer)   to [out=65,in=220] node[sloped,above] {\sf withdraw} (Exchange);
 		\draw[<->] (Customer)   to [out=45,in=240] node[sloped,below] {\sf refresh} (Exchange);
 		\draw[<->] (Customer)   to node[sloped, below] {\sf purchase} (Merchant);
 		\draw[<->] (Merchant) to node[sloped, above] {\sf deposit} (Exchange);
 	\end{tikzpicture}
 	\end{center}
 
 	\vfill
 	\begin{itemize}
 		\item Coins are public-/private key-pairs $(C_p, c_s)$.
 		\item Exchange blindly signs $\FDH(C_p)$ with denomination key $d_p$
 		\item Verification:
 		\begin{eqnarray*}
 			1  &\stackrel{?}{=}&
 			\mathsf{SigCheck}\big(\FDH(C_p), D_p, \sigma_p\big)
 		\end{eqnarray*}
 		\scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature)
 
 	\end{itemize}
 \end{frame}
 
 \begin{frame}<1-| handout:0>{Integration with GNU Taler}
 	\framesubtitle{Binding age restriction to coins}
 
 	To bind an age commitment $\commitment$ to a coin $C_p$, instead of
 	signing $\FDH(C_p)$, $\Exchange$ now blindly signs
 	\begin{center}
 		$\FDH(C_p, \orange{H(\commitment)})$
 	\end{center}
 
 	\vfill
 	Verfication of a coin now requires $H(\commitment)$, too:
 	\begin{center}
 		$1  \stackrel{?}{=}
 		\mathsf{SigCheck}\big(\FDH(C_p, \orange{H(\commitment)}), D_p, \sigma_p\big)$
 	\end{center}
 	\vfill
 \end{frame}
 
 \begin{frame}<1-| handout:0>{Integration with GNU Taler}
 	\framesubtitle{Integrated schemes}
 	\fontsize{8pt}{9pt}\selectfont
 	\begin{tikzpicture}[scale=.9]
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:0) (Client)   {$\Child$};
 		\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:5) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=25pt,fill=blue!15]  at (130:3) (Guardian) {$\Guardian$};
 
 		\draw[<->] (Guardian)   to  node[sloped,above,align=center]
 			{{\sf withdraw}\orange{, using}\\ $\FDH(C_p\orange{, H(\commitment)})$} (Exchange);
 		\draw[<->] (Client)   to node[sloped,below,align=center]
 			{{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange);
 		\draw[<->] (Client)   to node[sloped, below]
 			{{\sf purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant);
 		\draw[<->] (Merchant) to node[sloped, above]
 			{{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange);
 
 		\draw[->] (Guardian)   to [out=70,in=150, loop] node[above]
 			{$\Commit(\age)$} (Guardian);
 		\draw[->] (Guardian)   to node[below,sloped]
 			{($\commitment$, $\pruf_\age$)} (Client);
 		\draw[->,blue] (Client)   to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
 		\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
 	\end{tikzpicture}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Instantiation with Edx25519}
 	Paper also formally defines another signature scheme: Edx25519.\\[1em]
 
 	\begin{itemize}
 		\item Scheme already in use in GNUnet,
 		\item based on EdDSA (Bernstein et al.),
 		\item generates compatible signatures and
 		\item allows for key derivation from both, private and public keys, independently.
 	\end{itemize}~\\[1em]
 
 	Current implementation of age restriction in GNU Taler uses Edx25519.
 \end{frame}
 
 
 \begin{frame}{Age Restrictions based on KYC}
 %		\item Our solution can in principle be used with any token-based payment scheme
 %		\item GNU Taler best aligned with our design goals (security, privacy and efficiency)
  Subsidiarity requires bank accounts being owned by adults
 			\begin{itemize}
 			\item Scheme can be adapted to case where minors have bank accounts
 				\begin{itemize}
 					\item Assumption: banks provide minimum age
 						information during bank
 						transactions.
 					\item Child and Exchange execute a variant of
 						the cut\&choose protocol.
 				\end{itemize}
 			\end{itemize}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Related Work}
 	\begin{itemize}
 		\item Current privacy-perserving systems all based on attribute-based credentials (Koning et al., Schanzenbach et al., Camenisch et al., Au et al.)
 		\item Attribute-based approach lacks support:
 			\begin{itemize}
 				\item Complex for consumers and retailers
 				\item Requires trusted third authority
 			\end{itemize}
 		\vfill
 		\item Other approaches tie age-restriction to ability to pay ("debit cards for kids")
 			\begin{itemize}
 				\item Advantage: mandatory to payment process
 				\item Not privacy friendly
 			\end{itemize}
 	\end{itemize}
 \end{frame}
 
 \begin{frame}{Conclusion}
 	Age restriction is a technical, ethical and legal challenge.
 
 	Existing solutions are
 	\begin{itemize}
 		\item without strong protection of privacy or
 		\item based on identity management systems (IMS)
 	\end{itemize}
 	\vfill
 
 	Our age restriction scheme offers a solution that is
 	\begin{itemize}
 		\item based on subsidiarity
 		\item privacy-preserving
 		\item efficient
 		\item an alternative to IMS
 	\end{itemize}
     Other types of programmability (escrow, auctions) are under development.
 \end{frame}
 
 
 \section{Component Architecture}
 
 \begin{frame}
   \vfill
   \begin{center}
     {\bf Part VI: Component Architecture}
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}[fragile]{Taler: Bank Perspective}
 \begin{adjustbox}{max totalsize={.9\textwidth}{.7\textheight},center}
 \begin{tikzpicture}
  \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em];
  \node (origin) at (0,0) {};
  \node (exchange) [def,above=of origin,draw]{Exchange};
  \node (nexus) [def, draw, below right=of exchange] {Nexus};
  \node (corebanking) [def, draw, below left=of nexus] {Core Banking};
  \node (nginx) [def, draw, above=of exchange]{Nginx};
  \node (postgres) [def, draw, below left=of exchange]{Postgres};
  \node (postgres-nexus) [def, draw, below right=of nexus]{Postgres};
 
  \tikzstyle{C} = [color=black, line width=1pt]
 
  \draw [<-, C] (exchange) -- (nginx) node [midway, above, sloped] (TextNode) {REST API};
  \draw [<-, C] (postgres) -- (exchange) node [midway, above, sloped] (TextNode) {SQL};
  \draw [<-, C] (postgres-nexus) -- (nexus) node [midway, above, sloped] (TextNode) {SQL};
  \draw [<-, C] (nexus) -- (exchange) node [midway, above, sloped] (TextNode) {Internal REST API};
  \draw [<-, C] (corebanking) -- (nexus) node [midway, above, sloped] (TextNode) {EBICS/FinTS};
 
 \end{tikzpicture}
 \end{adjustbox}
 \end{frame}
 
 
 \begin{frame}{Taler: Exchange Architecture}
 \begin{center}
 \begin{tikzpicture}
  \tikzstyle{def} = [node distance=2em and 2.5em, inner sep=1em, outer sep=.3em];
  \node (origin) at (0,0) {};
  \node (httpd) [def,above=of origin,draw]{httpd};
  \node (secmod-rsa) [def, draw, right=of httpd] {secmod-rsa};
  \node (secmod-eddsa) [def, draw, left=of httpd] {secmod-eddsa};
  \node (postgres) [def, draw, below=of httpd]{Postgres};
  \node (aggregator) [def, draw, right=of postgres]{aggregator};
  \node (transfer) [def, draw, below left=of postgres]{transfer};
  \node (wirewatch) [def, draw, below right=of postgres]{wirewatch};
  \node (nexus) [def, draw, below=of postgres]{Nexus};
 
  \tikzstyle{C} = [color=black, line width=1pt]
 
  \draw [<->, C] (httpd) -- (postgres) node [midway, above, sloped] (TextNode) {};
  \draw [<->, C] (httpd) -- (secmod-rsa) node [midway, above, sloped] (TextNode) {};
  \draw [<->, C] (httpd) -- (secmod-eddsa) node [midway, above, sloped] (TextNode) {};
  \draw [<->, C] (aggregator) -- (postgres) node [midway, above, sloped] (TextNode) {};
  \draw [<->, C] (wirewatch) -- (postgres) node [midway, above, sloped] (TextNode) {};
  \draw [<->, C] (transfer) -- (postgres) node [midway, above, sloped] (TextNode) {};
  \draw [->, C] (transfer) -- (nexus) node [midway, above, sloped] (TextNode) {};
  \draw [<-, C] (wirewatch) -- (nexus) node [midway, above, sloped] (TextNode) {};
 \end{tikzpicture}
 \end{center}
 \end{frame}
 
 
 \begin{frame}
 \frametitle{Taler: Auditor Perspective}
 \begin{center}
 \begin{tikzpicture}
  \tikzstyle{def} = [node distance=2em and 2.5em, inner sep=1em, outer sep=.3em];
  \node (origin) at (0,0) {};
  \node (httpd) [def,above left=of origin,draw]{auditor-httpd};
  \node (report) [def,above right=of origin,draw]{auditor-report};
  \node (postgres-A) [def, draw, below=of origin] {Postgres (Auditor)};
  \node (postgres-E) [def, draw, below=of postgres-A] {Postgres (Exchange)};
 
  \tikzstyle{C} = [color=black, line width=1pt]
 
  \draw [->, C] (postgres-E) -- (postgres-A) node [midway, above, sloped] (TextNode) {sync};
  \draw [<->, C] (httpd) -- (postgres-A) node [midway, above, sloped] (TextNode) {};
  \draw [<->, C] (report) -- (postgres-A) node [midway, above, sloped] (TextNode) {};
 \end{tikzpicture}
 \end{center}
 \end{frame}
 
 
 \begin{frame}
 \frametitle{Taler: Merchant Perspective}
 \begin{center}
 \begin{tikzpicture}
  \tikzstyle{def} = [node distance= 3.5em and 2em, inner sep=1em, outer sep=.3em];
  \node (origin) at (0,0) {};
  \node (backend) [def,above=of origin,draw]{{\tiny taler-merchant-httpd}};
  \node (frontend) [def,above left=of backend,draw]{{\tiny E-commerce Frontend}};
  \node (backoffice) [def,above right=of
 backend,draw]{\tiny Backoffice};
  \node (postgres) [def, draw, below left=of backend] {\tiny Postgres};
  \node (sqlite) [def, draw, below=of backend] {\tiny Sqlite};
  \node (alt) [def, draw, below right=of backend] {...};
 
  \tikzstyle{C} = [color=black, line width=1pt]
 
  \draw [->, C] (frontend) -- (backend) node [midway, above, sloped]
 (TextNode) {\tiny REST API};
  \draw [->, C] (backoffice) -- (backend) node [midway, above, sloped]
 (TextNode) {\tiny REST API};
  \draw [<->, C] (backend) -- (postgres) node [midway, above, sloped]
 (TextNode) {\tiny SQL};
  \draw [<->, C] (backend) -- (sqlite) node [midway, above, sloped]
 (TextNode) {\tiny SQL};
  \draw [<->, C] (backend) -- (alt) node [midway, above, sloped]
 (TextNode) {\tiny SQL};
 \end{tikzpicture}
 \end{center}
 \end{frame}
 
 
 \begin{frame}
 \frametitle{Taler: Wallet Architecture}
 \begin{center}
 \begin{tikzpicture}
  \tikzstyle{def} = [node distance= 5em and 4.5em, inner sep=1em, outer sep=.3em];
  \node (origin) at (0,0) {};
  \node (gui) [def,above=of origin,draw]{wallet-gui};
  \node (core) [def,below=of gui,draw]{wallet-core};
  \node (sync) [def, draw, below left=of core] {Sync};
  \node (taler) [def, draw, below right=of core] {Taler};
  \node (anastasis) [def, draw, below=of core] {Anastasis};
 
  \tikzstyle{C} = [color=black, line width=1pt]
  \draw [<->, C] (gui) -- (core) node [midway, above, sloped] (TextNode) {};
  \draw [<->, C] (core) -- (sync) node [midway, above, sloped] (TextNode) {Backup};
  \draw [<->, C] (core) -- (taler) node [midway, above, sloped] (TextNode) {Payment};
  \draw [<->, C] (core) -- (anastasis) node [midway, above, sloped] (TextNode) {Key Escrow};
 \end{tikzpicture}
 \end{center}
 \end{frame}
 
 
 \begin{frame}[t]{Software architecture for the Taler Snack Machine}
   \framesubtitle{Code at \url{https://git.taler.net/taler-mdb}}
 \begin{figure}
   				\centering
   				\includegraphics[width=.9\textwidth]{software_stack}
 				\end{figure}
 \end{frame}
 
 
 
 \section{Integration considerations}
 
 \begin{frame}
   \vfill
   \begin{center}
     {\bf Part VII: Integration considerations}
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}[fragile]{RFC 8905: \texttt{payto:} Uniform Identifiers for Payments and Accounts}
   \vfill
   Like \texttt{mailto:}, but for bank accounts instead of email accounts!
   \vfill
   \begin{verbatim}
     payto://<PAYMENT-METHOD>/<ACCOUNT-NR>
       ?subject=InvoiceNr42
       &amount=EUR:12.50
   \end{verbatim}
   \vfill
   Default action:  Open app to review and confirm payment.
   \vfill
 \includegraphics[width=0.25\textwidth]{einzahlschein-ch.jpeg}
 \hfill
 \includegraphics[width=0.2\textwidth]{de-ueberweisungsformular.png}
   \vfill
 \end{frame}
 
 
 \begin{frame}[fragile]{Benefits of {\tt payto://}}
   \begin{itemize}
     \item Standardized way to represent financial resources (bank account, bitcoin wallet)
       and payments to them
     \item Useful on the client-side on the Web and for FinTech backend applications
     \item Payment methods (such as IBAN, ACH, Bitcoin) are registered with
           IANA and allow extra options
   \end{itemize}
   \begin{center}
   {\bf Taler wallet can generate payto://-URI for withdraw!}
   \end{center}
 \end{frame}
 
 
 \begin{frame}{Fully Offline Payments {\bf (WiP)}}
 \framesubtitle{\url{https://docs.taler.net/design-documents/030-offline-payments.html}}
 Many central banks today demand offline capabilities for digital payment solutions.
 \vfill
 \noindent
 Three possible approaches:
 \begin{enumerate}
   \item Trust-based offline payments (has counterparty and/or privacy risks)
   \item Full HSM Taler wallet (has hardware costs)
   \item Light-weight HSM balance register
 \end{enumerate}
 \vfill
 \end{frame}
 
 
 \begin{frame}{Partially Offline Payments with GNU Taler}
 We have filed for a patent to address situations where only the merchant is offline:
 \begin{enumerate}
   \item Customer pays by scanning static QR code and entering amount on mobile phone.
   \item Merchant confirms payment by checking simple unique numeric confirmation code.
   \item[$\Rightarrow$] Allows for very simple, cheap and secure merchant on-boarding.
      Makes integration with existing PoS vendors optional.
 \end{enumerate}
 \begin{center}
        {\bf Needed Point-of-sale hardware costs only $\approx$ \EUR{10}}
 \end{center}
 \vfill \pause
 Largely implemented, only UI support missing. Expected to ship in Q1'2023.
 \end{frame}
 
 
 \section{Conclusion}
 
 \begin{frame}
   \vfill
   \begin{center}
     {\bf Part VIII: Conclusion}
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}{Trust Earned on Multiple Levels}
 \begin{itemize}
 \item Free/Libre software with published external code reviews.
 \item The Swiss National Bank published white paper:
  ``How to issue a CBDC'' on their website based on Taler technology.
 \item Taler endorsed by the Austrian National Bank in their Q2'2022
   publication as potential {\em Digital Euro} solution.
 \item The EU Commission has issued a Seal of Excellence to Taler
   Systems SA
 \item FINMA Switzerland had no objections to launch (planned for Q3'2023)
 \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Features we did NOT discuss in-depth}
   \begin{description}
   \item[{\bf taler-exchange-secmod-cs:}] Clause-Schnorr blind signature support
   \item[{\bf Fakebank:}] high-performance in-memory RTGS emulator
   \item[{\bf libbrandt:}] Escrow-based programmability extensions (e.g. for auctions)
   \item[{\bf twister}:] Man-in-the-middle fault-injection for testing
   \item[{\bf mch}:] Taler for embedded devices ({\bf WiP})
   \end{description}
 \end{frame}
 
 
 \begin{frame}{Feature comparison}
   \begin{center} \small
     \begin{tabular}{l||c|c|c|c|c}
                 & Cash & Bitcoin & Zerocoin & Creditcard & GNU Taler \\ \hline \hline
     Online      &$-$$-$$-$  &   ++    &    ++    &     +      &   +++  \\ \hline
     Offline     & +++  &   $-$$-$    &    $-$$-$    &     +      &   ++  \\ \hline
     Trans. cost & +    & $-$$-$$-$   & $-$$-$$-$  &     $-$      &   ++  \\ \hline
     Speed       & +    & $-$$-$$-$   & $-$$-$$-$  &     o      &   ++  \\ \hline
     Taxation    & $-$    &   $-$$-$    &  $-$$-$$-$   &    +++     &  +++  \\ \hline
     Payer-anon  &  ++  &   o     &    ++    &  $-$$-$$-$   &  +++  \\ \hline
     Payee-anon  & ++   &   o     &    ++    &  $-$$-$$-$    &  $-$$-$$-$ \\ \hline
     Security    &  $-$   &   o     &    o     &    $-$$-$      &  ++   \\ \hline
     Conversion  & +++  &  $-$$-$$-$   & $-$$-$$-$ &    +++     &  +++  \\ \hline
     Libre       &  $-$   &  +++    &    +++   & $-$ $-$ $-$      &  +++  \\
   \end{tabular}
   \end{center}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Development Infrastructure}
   \begin{itemize}
     \item Borg: incremental backup
     \item Buildbot: CI/CD
     \item Davical: Caldav group calendar
     \item Docker: virtualization, packaging
     \item Git/Gitolite: distributed version control
     \item Mailman: public e-mail lists
     \item Mantis: bug tracker
     \item Mattermost: messaging, process management
     \item Sphinx: documentation generation (HTML, PDF, info, man)
     \item Weblate: collaborative AI-supported internationalization
     \end{itemize}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Development Tools}
   \begin{itemize}
     \item Coverity: static analysis (C/C++)
     \item GNU recutils: constant registration
     \item Twister: fault injection
     \item Valgrind: dynamic analysis (C/C++)
     \item zzuf: fuzzing
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Cryptographic dependencies}
   \begin{itemize}
     \item libargon2
     \item libgcrypt
     \item libsodium
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}<1-| handout:0>{Additional dependencies}
   \begin{itemize}
     \item libsqlite3
     \item libpq / Postgres
     \item libjansson
     \item libcurl
     \item libunistring
     \item {\bf GNU libmicrohttpd}
     \item {\bf GNUnet}
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Summary of Taler Solution}
 
 \begin{enumerate}
 \item {\bf Frictionless one click}, cash-like digital payments \&
 instant
 confirmation for all fiat- and crypto-currencies and for all users,
 unbanked, young and old.
 \item With {\bf income-transparency on the recipient side} is
 crime-preventing \& Taler coins are as secure as cash without
 counterfeits. No ID theft.
 \item {\bf Guaranteed privacy} for spender \& data minimization: payment
 requires/shares no personal information.
 \item {\bf No bank account needed}
 \item Highly efficient in power, processing \& storage, extremely low
 cost \& {\bf highly scalable} to 100’000 transactions/sec.
 \item Economically viable (sub-cent) instant {\bf micro-transactions} for
 e-commerce, Internet of Things, metaverse, machine2machine, $\ldots$
 \end{enumerate}
 \end{frame}
 
 \begin{frame}{Collaboration with BFH \& SBB}
 \framesubtitle{Discussion Proposal}
 {\small
 With an SBB machine, we could:
 \begin{itemize}
 \item Pay for SBB tickets with GNU Taler
 \item[$\Rightarrow$] SBB would receive money in regular bank account
 \item[$\Rightarrow$] Lower costs than with CC / physical cash
 \item[$\Rightarrow$] Customers would pay with privacy
 \item Convert physical cash to digital cash
 \item[$\Rightarrow$] SBB would need Taler ``reserve'' to withdraw from
 \item[$\Rightarrow$] Regulatory requirements (SMS, withdraw limits)
 \item[$\Rightarrow$] SBB would likely want to charge service fees
 \end{itemize}
 Steps:
 \begin{enumerate}
 \item SBB provides BFH with access \& documentation
 \item BFH researchers and students would do integration
 \item Pilot machine could likely be set up around here
 \item SBB would have final decision on any rollout
 \end{enumerate}
 }
 \end{frame}
 
 
 
 \begin{frame}{Do you have any questions?}
   \framesubtitle{\url{https://taler.net/en/bibliography.html}}
   \vfill
 References:
 {\tiny
   \begin{enumerate}
  \item{David Chaum, Christian Grothoff and Thomas Moser.
        {\em How to issue a central bank digital currency}.
        {\bf SNB Working Papers, 2021}.}
  \item{Martin Summer and Hannes Hermanky.
        {\em A digital euro and the future of cash}.
        {\bf Monetary Policy \& The Economy Q1-Q2/22}.}
  \item{Antoine d’Aligny, Emmanuel Benoist, Florian Dold, Christian Grothoff, Özgür Kesim and Martin Schanzenbach.
        {\em Who comes after us? The correct mindset for designing a Central Bank Digital Currency}.
        {\bf SUERF Policy Notes 279/2022}.}
  \item{Florian Dold.
        {\em GNU Taler}.
        {\bf University of Rennes 1, PhD Thesis, 2019}.}
  \item{Christian Grothoff and Alex Pentland.
        {\em Digital cash and privacy: What are the alternatives to Libra?}.
        {\bf MIT Media Lab, 2019}.}
  \item{Jeffrey Burdges, Florian Dold, Christian Grothoff and Marcello Stanisci.
        {\em Enabling Secure Web Payments with GNU Taler}.
        {\bf SPACE 2016}.}
  \item{Özgür Kesim, Christian Grothoff, Florian Dold and Martin Schanzenbach.
        {\em Zero-Knowledge Age Restriction for GNU Taler}.
        {\bf ESORICS, 2022}.}
  \item{Gian Demarmels and Lucien Heuzeveldt.
        {\em Adding Schnorr's Blind Signature in Taler}.
        {\bf BFH, Bachelor's Thesis, 2022}.}
  \item{Marco Boss.
        {\em GNU Taler Scalability}.
        {\bf BFH, Bachelor's Thesis, 2022}.}
 \end{enumerate}
 }
 \end{frame}
 
 \end{document}
 
 
 
 
 \begin{frame}{Taler {\tt /withdraw/sign}}
 % Customer withdrawing coins with blind signatures
 % \bigskip
   \begin{figure}[th]
     \begin{minipage}[b]{0.45\linewidth}
       \begin{center}
         \begin{tikzpicture}[scale = 0.4,
             transform shape,
             msglabel/.style    = { text = Black, yshift = .3cm,
                                    sloped, midway },
             okmsg/.style       = { ->, color = MidnightBlue, thick,
                                    >=stealth },
             rstmsg/.style      = { ->, color = BrickRed, thick,
                                    >=stealth }
           ]
           \node[draw = MidnightBlue,
             fill = CornflowerBlue,
             minimum width = .3cm,
             minimum height = 10cm
           ] (h1) at (-4, 0) {};
           \node[draw = MidnightBlue,
             fill = CornflowerBlue,
             minimum width = .3cm,
             minimum height = 10cm
           ] (h2) at (4, 0) {};
           \node[above = 0cm of h1] {Wallet};
           \node[above = 0cm of h2] {Exchange};
 
           \path[->, color = MidnightBlue, very thick, >=stealth]
             (-5, 4.5) edge
             node[rotate=90, text = Black, yshift = .3cm] {Time}
             (-5, -4.5);
           \path[okmsg, dashed]
              ($(h1.east)+(0, 4.0)+(0, -1.0)$) edge
              node[msglabel] {SEPA(RK,A)}
              ($(h2.west)+(0, 3.5)+(0, -1.0)$);
           \path[okmsg]
             ($(h1.east)+(0, -1.0)$) edge
             node[msglabel] {POST {\tt /withdraw/sign} $S_{RK}(DK, B_b(C))$}
             ($(h2.west)+(0, -1.5)$);
           \path[okmsg]
             ($(h2.west)+(0, -2.0)$) edge
             node[msglabel] {200 OK: $S_{DK}(B_b(C))$)}
             ($(h1.east)+(0, -2.5)$);
           \path[rstmsg]
             ($(h2.west)+(0, -3.5)$) edge
             node[msglabel] {402 PAYMENT REQUIRED: $S_{RK}(DK, B_b(C))$)}
             ($(h1.east)+(0, -4)$);
           \node at (5.3, 0) {};
         \end{tikzpicture}
       \end{center}
       Result: $\langle c, S_{DK}(C) \rangle$.
     \end{minipage}
     \hspace{0.5cm}
     \begin{minipage}[b]{0.45\linewidth}
       \tiny
       \begin{description}
       \item[$A$] Some amount, $A \ge A_{DK}$
       \item[$RK$] Reserve key
       \item[$DK$] Denomination key
       \item[$b$] Blinding factor
       \item[$B_b()$] RSA-FDH blinding % DK supressed
       \item[$C$] Coin public key $C := cG$
       \item[$S_{RK}()$] EdDSA signature
       \item[$S_{DK}()$] RSA-FDH signature
       \end{description}
     \end{minipage}
   \end{figure}
 \end{frame}
 
 
 \begin{frame}[t]{Taler {\tt /deposit}}
 Merchant and exchange see only the public coin $\langle C, S_{DK}(C) \rangle$.
 \bigskip
   \begin{figure}[th]
     \begin{minipage}[b]{0.45\linewidth}
       \begin{center}
         \begin{tikzpicture}[scale = 0.4,
             transform shape,
             msglabel/.style    = { text = Black, yshift = .3cm,
                                    sloped, midway },
             okmsg/.style       = { ->, color = MidnightBlue, thick,
                                    >=stealth },
             rstmsg/.style      = { ->, color = BrickRed, thick,
                                    >=stealth }
           ]
           \node[draw = MidnightBlue,
             fill = CornflowerBlue,
             minimum width = .3cm,
             minimum height = 10cm
           ] (h1) at (-4, 0) {};
           \node[draw = MidnightBlue,
             fill = CornflowerBlue,
             minimum width = .3cm,
             minimum height = 10cm
           ] (h2) at (4, 0) {};
           \node[above = 0cm of h1] {Merchant};
           \node[above = 0cm of h2] {Exchange};
 
           \path[->, color = MidnightBlue, very thick, >=stealth]
             (-5, 4.5) edge
             node[rotate=90, text = Black, yshift = .3cm] {Time}
             (-5, -4.5);
           \path[->, color = MidnightBlue, thick, >=stealth]
             ($(h1.east)+(0,3)$) edge
             node[text = Black, yshift = .3cm, sloped] {POST {\tt /deposit} $S_{DK}(C), S_{c}(D)$}
             ($(h2.west)+(0,2)$);
           \path[->, color = MidnightBlue, thick, >=stealth]
             ($(h2.west)+(0,0.5)$) edge
             node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(S_{c}(D))$}
             ($(h1.east)+(0,-0.5)$);
           \path[rstmsg]
             ($(h2.west)+(0, -2.5)$) edge
             node[msglabel] {409 CONFLICT: $S_{c}(D')$}
             ($(h1.east)+(0, -3.5)$);
           \node at (5.3, 0) {};
         \end{tikzpicture}
       \end{center}
     \end{minipage}
     \hspace{0.5cm}
     \begin{minipage}[b]{0.45\linewidth}
       \tiny
       \begin{description}
       \item[$DK$] Denomination key
       \item[$S_{DK}()$] RSA-FDH signature using $DK$
       \item[$c$] Private coin key, $C := cG$.
       \item[$S_{C}()$] EdDSA signature using $c$
       \item[$D$] Deposit details
       \item[$SK$] Exchange's signing key
       \item[$S_{SK}()$] EdDSA signature using $SK$
       \item[$D'$] Conficting deposit details $D' \not= D$
       \end{description}
     \end{minipage}
   \end{figure}
 \end{frame}
 
 
 \begin{frame}{Taler {\tt /refresh/melt}}
   \begin{figure}[th]
     \begin{minipage}[b]{0.45\linewidth}
       \begin{center}
 	\begin{tikzpicture}[scale = 0.4,
             transform shape,
             msglabel/.style    = { text = Black, yshift = .3cm,
                                    sloped, midway },
             okmsg/.style       = { ->, color = MidnightBlue, thick,
                                    >=stealth },
             rstmsg/.style      = { ->, color = BrickRed, thick,
                                    >=stealth }
 	  ]
 	  \node[draw = MidnightBlue,
 	    fill = CornflowerBlue,
 	    minimum width = .3cm,
 	    minimum height = 10cm
 	  ] (h1) at (-4, 0) {};
 	  \node[draw = MidnightBlue,
 	    fill = CornflowerBlue,
 	    minimum width = .3cm,
 	    minimum height = 10cm
 	  ] (h2) at (4, 0) {};
 	  \node[above = 0cm of h1] {Customer};
 	  \node[above = 0cm of h2] {Exchange};
 
 	  \path[->, color = MidnightBlue, very thick, >=stealth]
 	    (-5, 4.5) edge
 	    node[rotate=90, text = Black, yshift = .3cm] {Time}
 	    (-5, -4.5);
 	  \path[->, color = MidnightBlue, thick, >=stealth]
 	    ($(h1.east)+(0,3)$) edge
 	    node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/melt} $S_{DK}(C), S_c({\cal DK}, {\cal T},{\cal B})$}
 	    ($(h2.west)+(0,2)$);
 	  \path[->, color = MidnightBlue, thick, >=stealth]
 	    ($(h2.west)+(0,0.5)$) edge
 	    node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(H({\cal T}, {\cal B}),\gamma)$}
 	    ($(h1.east)+(0,-0.5)$);
 	  \path[rstmsg]
 	    ($(h2.west)+(0, -2.5)$) edge
 	    node[msglabel] {409 CONFLICT: $S_{C}(X), \ldots$}
 	    ($(h1.east)+(0, -3.5)$);
 	  \node at (5.3, 0) {};
 	\end{tikzpicture}
       \end{center}
     \end{minipage}
     \hspace{0.5cm}
     \begin{minipage}[b]{0.45\linewidth}
       \tiny
       \begin{description}
       \item[$\kappa$] System-wide security parameter, usually 3.
       \\ \smallskip
       \item[$\cal DK$] $:= [DK^{(i)}]_i$ \\ List of denomination keys \\
       $D + \sum_i A_{DK^{(i)}} < A_{DK}$
       \item[$t_j$] Random scalar for $j<\kappa$
       \item[${\cal T}$] $:= [T_j]_\kappa$ where $T_j = t_j G$
       \item[$k_j$] $:= c T_j = t_j C$ is an ECDHE
       \item[$b_j^{(i)}$] $:= KDF_b(k_j,i)$ % blinding factor
       \item[$c_j^{(i)}$] $:= KDF_c(k_j,i)$ % coin secret keys
       \item[$C_j^{(i)}$] $: = c_j^{(i)} G$ % new coin publics % keys
       \item[${\cal B}$] $:= [H( \beta_j )]_\kappa$ where \\
          $\beta_j := \left[ B_{b_j^{(i)}}(C_j^{(i)}) \right]_i$
       \\ \smallskip
       \item[$\gamma$] Random value in $[0,\kappa)$
 %      \\ \smallskip
 %      \item[$X$] Deposit or refresh
       \end{description}
     \end{minipage}
   \end{figure}
 \end{frame}
 
 
 \begin{frame}{Taler {\tt /refresh/reveal}}
   \begin{figure}[th]
     \begin{minipage}[b]{0.45\linewidth}
       \begin{center}
 	\begin{tikzpicture}[scale = 0.4,
             transform shape,
             msglabel/.style    = { text = Black, yshift = .3cm,
                                    sloped, midway },
             okmsg/.style       = { ->, color = MidnightBlue, thick,
                                    >=stealth },
             rstmsg/.style      = { ->, color = BrickRed, thick,
                                    >=stealth }
 	  ]
 	  \node[draw = MidnightBlue,
 	    fill = CornflowerBlue,
 	    minimum width = .3cm,
 	    minimum height = 10cm
 	  ] (h1) at (-4, 0) {};
 	  \node[draw = MidnightBlue,
 	    fill = CornflowerBlue,
 	    minimum width = .3cm,
 	    minimum height = 10cm
 	  ] (h2) at (4, 0) {};
 	  \node[above = 0cm of h1] {Customer};
 	  \node[above = 0cm of h2] {Exchange};
 
 	  \path[->, color = MidnightBlue, very thick, >=stealth]
 	    (-5, 4.5) edge
 	    node[rotate=90, text = Black, yshift = .3cm] {Time}
 	    (-5, -4.5);
 	  \path[->, color = MidnightBlue, thick, >=stealth]
 	    ($(h1.east)+(0,3)$) edge
 	    node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/reveal} $H({\cal T}, {\cal B}), {\tilde{\cal T}}, \beta_\gamma$}
 	    ($(h2.west)+(0,2)$);
 	  \path[->, color = MidnightBlue, thick, >=stealth]
 	    ($(h2.west)+(0,0.5)$) edge
 	    node[text = Black, yshift = .3cm, sloped] {200 OK: $\cal S$}
 	    ($(h1.east)+(0,-0.5)$);
 	  \path[rstmsg]
 	    ($(h2.west)+(0, -2.5)$) edge
 	    node[msglabel] {400 BAD REQUEST: $Z$}
 	    ($(h1.east)+(0, -3.5)$);
 	  \node at (5.3, 0) {};
 	\end{tikzpicture}
       \end{center}
     \end{minipage}
     \hspace{0.5cm}
     \begin{minipage}[b]{0.45\linewidth}
       \tiny
       \begin{description}
       \item[$\cal DK$] $:= [DK^{(i)}]_i$
       \item[$t_j$] .. \\ \smallskip
 
       \item[$\tilde{\cal T}$] $:= [t_j | j \in \kappa, j \neq \gamma]$ \\ \smallskip
 
       \item[$k_\gamma$] $:= c T_\gamma = t_\gamma C$
       \item[$b_\gamma^{(i)}$] $:= KDF_b(k_\gamma,i)$
       \item[$c_\gamma^{(i)}$] $:= KDF_c(k_\gamma,i)$
       \item[$C_\gamma^{(i)}$] $: = c_\gamma^{(i)} G$
 
       \item[$B_\gamma^{(i)}$] $:= B_{b_\gamma^{(i)}}(C_\gamma^{(i)})$
       \item[$\beta_\gamma$] $:= \big[ B_\gamma^{(i)} \big]_i$
       \item[$\cal S$] $:= \left[ S_{DK^{(i)}}( B_\gamma^{(i)} ) \right]_i$ \\ \smallskip
 
       \item[$Z$] Cut-and-choose missmatch information
       \end{description}
     \end{minipage}
   \end{figure}
 \end{frame}
 
 
 \begin{frame}{Taler {\tt /refresh/link}}
   \begin{figure}[th]
     \begin{minipage}[b]{0.45\linewidth}
       \begin{center}
 	\begin{tikzpicture}[scale = 0.4,
             transform shape,
             msglabel/.style    = { text = Black, yshift = .3cm,
                                    sloped, midway },
             okmsg/.style       = { ->, color = MidnightBlue, thick,
                                    >=stealth },
             rstmsg/.style      = { ->, color = BrickRed, thick,
                                    >=stealth }
 	  ]
 	  \node[draw = MidnightBlue,
 	    fill = CornflowerBlue,
 	    minimum width = .3cm,
 	    minimum height = 10cm
 	  ] (h1) at (-4, 0) {};
 	  \node[draw = MidnightBlue,
 	    fill = CornflowerBlue,
 	    minimum width = .3cm,
 	    minimum height = 10cm
 	  ] (h2) at (4, 0) {};
 	  \node[above = 0cm of h1] {Customer};
 	  \node[above = 0cm of h2] {Exchagne};
 
 	  \path[->, color = MidnightBlue, very thick, >=stealth]
 	    (-5, 4.5) edge
 	    node[rotate=90, text = Black, yshift = .3cm] {Time}
 	    (-5, -4.5);
 	  \path[->, color = MidnightBlue, thick, >=stealth]
 	    ($(h1.east)+(0,3)$) edge
 	    node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/link} $C$}
 	    ($(h2.west)+(0,2)$);
 	  \path[->, color = MidnightBlue, thick, >=stealth]
 	    ($(h2.west)+(0,0.5)$) edge
 	    node[text = Black, yshift = .3cm, sloped] {200 OK: $T_\gamma$}
 	    ($(h1.east)+(0,-0.5)$);
 	  \path[rstmsg]
 	    ($(h2.west)+(0, -2.5)$) edge
 	    node[msglabel] {404 NOT FOUND}
 	    ($(h1.east)+(0, -3.5)$);
 	  \node at (5.3, 0) {};
 	\end{tikzpicture}
       \end{center}
     \end{minipage}
     \hspace{0.5cm}
     \begin{minipage}[b]{0.45\linewidth}
       \tiny
       \begin{description}
       \item[$C$] Old coind public key \\ \smallskip
       \item[$T_\gamma$] Linkage data $\cal L$ at $\gamma$
       \end{description}
     \end{minipage}
   \end{figure}
 \end{frame}
 
 
 \begin{frame}{Operational security}
   \begin{center}
     \resizebox{\textwidth}{!}{
 \begin{tikzpicture}[
   font=\sffamily,
   every matrix/.style={ampersand replacement=\&,column sep=2cm,row sep=2cm},
   source/.style={draw,thick,rounded corners,fill=green!20,inner sep=.3cm},
   process/.style={draw,thick,circle,fill=blue!20},
   sink/.style={source,fill=green!20},
   datastore/.style={draw,very thick,shape=datastore,inner sep=.3cm},
   dots/.style={gray,scale=2},
   to/.style={->,>=stealth',shorten >=1pt,semithick,font=\sffamily\footnotesize},
   every node/.style={align=center}]
 
   % Position the nodes using a matrix layout
   \matrix{
     \node[source] (wallet) {Wallet};
       \& \node[process] (browser) {Browser};
       \& \node[process] (shop) {Web shop};
       \& \node[sink] (backend) {Taler backend}; \\
   };
 
   % Draw the arrows between the nodes and label them.
   \draw[to] (browser) to[bend right=50] node[midway,above] {(4) signed contract}
       node[midway,below] {(signal)} (wallet);
   \draw[to] (wallet) to[bend right=50] node[midway,above] {(signal)}
       node[midway,below] {(5) signed coins} (browser);
   \draw[<->] (browser) -- node[midway,above] {(3,6) custom}
       node[midway,below] {(HTTPS)} (shop);
   \draw[to] (shop) to[bend right=50] node[midway,above] {(HTTPS)}
       node[midway,below] {(1) proposed contract / (7) signed coins} (backend);
   \draw[to] (backend) to[bend right=50] node[midway,above] {(2) signed contract / (8) confirmation}
       node[midway,below] {(HTTPS)} (shop);
 \end{tikzpicture}
 }
 \end{center}
 \end{frame}
 
 
 \begin{frame}{Use Cases: Refugee Camps}
   Today:
   \begin{itemize}
   \item Non-bankable
   \item Direct distribution of goods to population
   \item Limited economic activity in camps
   \item High level of economic dependence
   \end{itemize}\vfill\pause
   With GNU Taler:
   \begin{itemize}
   \item Local currency issued as basic income backed by aid
   \item Taxation possible based on economic status
   \item Local governance enabled by local taxes
   \item Increased economic independence and political participation
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Use Case: Anti-Spam}
   \framesubtitle{Background: \url{https://pep.security/}}
   Today, p$\equiv$p provides authenticated encryption for e-mail:
   \begin{itemize}
     \item Free software
     \item Easy to use opportunistic encryption
     \item Available for Outlook, Android, Enigmail
     \item Spies \& spam filters can no longer inspect content
   \end{itemize}\vfill\pause
   With GNU Taler:
   \begin{itemize}
     \item Peer-to-peer payments via e-mail
     \item If unsolicited sender, hide messages from user \&
           automatically request payment from sender
     \item Sender can attach payment to be moved to inbox
     \item Receiver may grant refund to sender
   \end{itemize}
 \end{frame}