marketing

2025-ethz.tex (73527B)

---

 \documentclass[aspectratio=169,t]{beamer}
 \input taler-macros
 
 \newcommand{\TITLE}{NEXT \\ GENERATION \\ INTERNET}
 \newcommand{\SUB}{The GNU Taler Payment System}
 \newcommand{\AUTHOR}{Christian Grothoff}
 \newcommand{\SPEAKER}{Christian Grothoff}
 \newcommand{\INST}{The GNU Project}
 \newcommand{\DATE}{Traffic Seminar --- ETHZ}
 
 % Do not edit this part
 \title{\TITLE}
 \subtitle{\SUB}
 \date{\DATE}
 \author[\SPEAKER]{\AUTHOR}
 \institute{\INST}
 
 
 \usepackage{amsmath}
 \usepackage{multimedia}
 \usepackage[utf8]{inputenc}
 \usepackage{framed,color,ragged2e}
 \usepackage[absolute,overlay]{textpos}
 \definecolor{shadecolor}{rgb}{0.8,0.8,0.8}
 \usetheme{boxes}
 \setbeamertemplate{navigation symbols}{}
 \usepackage{xcolor}
 \usepackage[normalem]{ulem}
 \usepackage{listings}
 \usepackage{adjustbox}
 \usepackage{array}
 \usepackage{bbding}
 \usepackage{relsize}
 \usepackage{graphicx}
 \usepackage{tikz,eurosym,calc}
 \usetikzlibrary{tikzmark}
 \usetikzlibrary{shapes,arrows,arrows.meta}
 \usetikzlibrary{positioning,fit,patterns}
 \usetikzlibrary{calc}
 \usepackage{multicol}
 \usepackage{pgf-umlsd}
 \usepackage{relsize}
 
 \usepackage{booktabs}
 \usepackage{makecell}
 \usepackage{arydshln}
 
 
 
 % "The GNU Taler Payment System", including
 % an introduction to our objectives,
 % background on the technology,
 % demonstration of the system,
 % social implications and open issues.
 
 % CSS
 \lstdefinelanguage{CSS}{
   basicstyle=\ttfamily\scriptsize,
   keywords={color,background-image:,margin,padding,font,weight,display,position,top,left,right,bottom,list,style,border,size,white,space,min,width, transition:, transform:, transition-property, transition-duration, transition-timing-function},
   sensitive=true,
   morecomment=[l]{//},
   morecomment=[s]{/*}{*/},
   morestring=[b]',
   morestring=[b]",
   alsoletter={:},
   alsodigit={-}
 }
 
 % JavaScript
 \lstdefinelanguage{JavaScript}{
   basicstyle=\ttfamily\scriptsize,
   morekeywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
   morecomment=[s]{/*}{*/},
   morecomment=[l]//,
   morestring=[b]",
   morestring=[b]'
 }
 
 \lstdefinelanguage{HTML5}{
   basicstyle=\ttfamily\scriptsize,
   language=html,
   sensitive=true,
   alsoletter={<>=-},
   morecomment=[s]{<!-}{-->},
   tag=[s],
   otherkeywords={
   % General
   >,
   % Standard tags
 	<!DOCTYPE,
   </html, <html, <head, <title, </title, <style, </style, <link, </head, <meta, />,
 	% body
 	</body, <body,
 	% Divs
 	</div, <div, </div>,
 	% Paragraphs
 	</p, <p, </p>,
 	% scripts
 	</script, <script,
   % More tags...
   <canvas, /canvas>, <svg, <rect, <animateTransform, </rect>, </svg>, <video, <source, <iframe, </iframe>, </video>, <image, </image>
   },
   ndkeywords={
   % General
   =,
   % HTML attributes
   charset=, src=, id=, width=, height=, style=, type=, rel=, href=,
   % SVG attributes
   fill=, attributeName=, begin=, dur=, from=, to=, poster=, controls=, x=, y=, repeatCount=, xlink:href=,
   % CSS properties
   margin:, padding:, background-image:, border:, top:, left:, position:, width:, height:,
 	% CSS3 properties
   transform:, -moz-transform:, -webkit-transform:,
   animation:, -webkit-animation:,
   transition:,  transition-duration:, transition-property:, transition-timing-function:,
   }
 }
 
 \lstdefinelanguage{JavaScript}{
   basicstyle=\ttfamily\scriptsize,
   keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break, for},
   keywordstyle=\color{blue}\bfseries,
   ndkeywords={class, export, boolean, throw, implements, import, this},
   ndkeywordstyle=\color{darkgray}\bfseries,
   identifierstyle=\color{black},
   sensitive=false,
   comment=[l]{//},
   morecomment=[s]{/*}{*/},
   commentstyle=\color{purple}\ttfamily,
   stringstyle=\color{red}\ttfamily,
   morestring=[b]',
   morestring=[b]"
 }
 
 \setbeamersize{description width=1em}
 
 \definecolor{blue}{rgb}{0,0,0.7}
 \newcommand{\orange}[1]{{\color{orange}#1}}
 \newcommand{\blue}[1]{{\color{blue}#1}}
 \newcommand{\red}[1]{{\color{red}#1}}
 \newcommand{\Guardian}{\mathcal{G}}
 \newcommand{\Child}{\mathcal{C}}
 \newcommand{\Customer}{\mathcal{C}}
 \newcommand{\Merchant}{\mathcal{M}}
 \newcommand{\Exchange}{\mathcal{E}}
 
 \newcommand{\Commit}{\mathsf{Commit}}
 \newcommand{\Attest}{\mathsf{Attest}}
 \newcommand{\Verify}{\mathsf{Verify}}
 \newcommand{\Derive}{\mathsf{Derive}}
 \newcommand{\DeriveCompare}{\mathsf{DeriveCompare_\kappa}}
 \newcommand{\Compare}{\mathsf{Compare}}
 \newcommand{\AgeVer}{\mathsf{AgeVer}}
 
 \newcommand{\HashF}{\mathsf{H}}
 \newcommand{\Hash}{\mathsf{H}}
 \newcommand{\Block}{\mathbb{B}}
 \newcommand{\Pub}{\mathsf{Pub}}
 \newcommand{\Sign}{\mathsf{Sig}}
 \newcommand{\Ver}{\mathsf{Ver}}
 \newcommand{\Encoding}{\mathsf{Encoding}}
 \newcommand{\ECDSA}{\mathsf{ECDSA}}
 \newcommand{\Null}{\mathcal{O}}
 \newcommand{\EC}{\mathrm{ec}}
 \newcommand{\Curve}{\mathsf{Curve25519}}
 \newcommand{\SHA}{\mathsf{SHA256}}
 \newcommand{\SHAF}{\mathsf{SHA252}}
 \newcommand{\FDH}{\mathsf{FDH}}
 
 \newcommand{\negl}{\epsilon}
 
 \newcommand{\rand}{\mathsf{rand}}
 \newcommand{\age}{\mathsf{a}}
 \newcommand{\Age}{\mathsf{M}}
 \newcommand{\bage}{\mathsf{b}}
 \newcommand{\minage}{\mathsf{m}}
 \newcommand{\attest}{\mathsf{T}}
 \newcommand{\commitment}{\mathsf{Q}}
 \newcommand{\pruf}{\mathsf{P}}
 \newcommand{\Vcommitment}{\vec{\mathsf{Q}}}
 \newcommand{\Vpruf}{\vec{\mathsf{P}}}
 \newcommand{\blinding}{\beta}
 
 \newcommand{\ZN}{\mathbb{Z}_N}
 \newcommand{\Z}{\mathbb{Z}}
 \newcommand{\N}{\mathbb{N}}
 \newcommand{\A}{\mathbb{A}}
 \newcommand{\E}{\mathbb{E}}
 \newcommand{\F}{\mathbb{F}}
 \newcommand{\seck}{\mathsf{s}}
 \newcommand{\pubk}{\mathsf{P}}
 \renewcommand{\H}{\mathbb{H}}
 \newcommand{\K}{\mathbb{K}}
 \newcommand{\Proofs}{\mathbb{P}}
 \newcommand{\Commitments}{\mathbb{O}}
 \newcommand{\Attests}{\mathbb{T}}
 \newcommand{\Blindings}{\mathbb{B}}
 \newcommand{\Nil}{\perp}
 
 \newcommand{\p}{\mathsf{p}}
 \newcommand{\com}{\mathsf{com}}
 \newcommand{\prf}{\mathsf{prf}}
 
 \newcommand{\Adv}{\mathcal{A}}
 \newcommand{\PPT}{\mathfrak{A}}
 \newcommand{\Probability}{\mathrm{Pr}}
 \newcommand{\Algorithm}{f}
 \renewcommand{\Game}[1]{G_\Adv^\mathsf{#1}}
 
 \DeclareMathOperator{\Image}{Im}
 \DeclareMathOperator{\Mod}{mod}
 
 \newcommand{\Encode}[1]{\overbracket[0.5pt][2pt]{\,#1\,}}
 \newcommand{\Decode}[1]{\underbracket[0.5pt][3pt]{\,#1\,}}
 \newcommand{\FDHg}[1]{[#1]_g\,}
 \newcommand{\logg}{{\breve{g}}}
 
 
 \newcommand{\drawfrom}{\xleftarrow{\$}}
 \newcommand\Exists{%
 	  \mathop{\lower0.75ex\hbox{\ensuremath{%
 		  \mathlarger{\mathlarger{\mathlarger{\mathlarger{\exists}}}}}}}%
 	  \limits}
 
 \newcommand\Forall{%
 	  \mathop{\lower0.75ex\hbox{\ensuremath{%
 		  \mathlarger{\mathlarger{\mathlarger{\mathlarger{\forall}}}}}}}%
 	  \limits}
 
 
 \begin{document}
 
 \begin{frame}[plain]
 \maketitle
 \end{frame}
 
 \begin{frame}{Agenda}
   \tableofcontents
 \end{frame}
 
 \section{Motivation \& Background}
 
 
 \begin{frame}{A Social Problem}
 %  \vfill
   This was a question posed to RAND researchers in 1971:
 
 \begin{quote}
   ``Suppose you were an advisor to the head of the KGB. Suppose you are given the assignment of designing a system for the surveillance of all citizens and visitors within the boundaries of the USSR. The system is not to be too obtrusive or obvious. What would be your decision?''
 \end{quote}
 %The result: an electronic funds transfer system that looks
 %strikingly similar today's debit card system.
 \pause
 \begin{minipage}{2cm}
 \includegraphics[width=2cm]{pics/nsa_spy.jpg}
 \end{minipage}
 \begin{minipage}{12cm}
 ``I think one of the big things that we need to do, is we need
 to get away from true-name payments on the Internet. The credit
 card payment system is one of the worst things that happened for the
 user, in terms of being able to divorce their access from their
 identity.'' \hfill --Edward Snowden, IETF 93 (2015)
 \end{minipage}
 
 \end{frame}
 
 
 \begin{frame}{Banks have Problems, too!}
 
   3D secure (``verified by visa'') is a nightmare:
 
   \begin{minipage}{5cm}
     \begin{itemize}
     \item Complicated process
     \item Shifts liability to consumer
     \item Significant latency
     \item Can refuse valid requests
     \item Legal vendors excluded
     \item No privacy for buyers
      \end{itemize}
   \end{minipage}
   \begin{minipage}{5cm}
       \includegraphics[width=\textwidth]{illustrations/cc3ds.pdf}
   \end{minipage}
   \vfill
     Online credit card payments will be replaced, but with what?
 \end{frame}
 
 
 \begin{frame}{The Bank's Problem}
     \begin{itemize}
     \item Global tech companies push oligopolies
     \item Privacy and federated finance are at risk
 %    \item 30\% fees are conceivable
     \item Economic sovereignty is in danger
     \end{itemize}
 \begin{textblock*}{4cm}(11.5cm,5.2cm) % {block width} (coords)
  {\includegraphics[width=\textwidth]{../investors/competitor-logos/amazon.png}}
 \end{textblock*}
 \begin{textblock*}{2cm}(11cm,3cm) % {block width} (coords)
  {\includegraphics[width=\textwidth]{../investors/competitor-logos/alipay.jpeg}}
 \end{textblock*}
 \begin{textblock*}{2cm}(11cm,7cm) % {block width} (coords)
  {\includegraphics[width=\textwidth]{../investors/competitor-logos/paypal.jpeg}}
 \end{textblock*}
 \begin{textblock*}{2cm}(3cm,9cm) % {block width} (coords)
  {\includegraphics[width=\textwidth]{../investors/competitor-logos/applepay.jpeg}}
 \end{textblock*}
 \begin{textblock*}{2cm}(7cm,7cm) % {block width} (coords)
  {\includegraphics[width=\textwidth]{../investors/competitor-logos/samsungpay.jpeg}}
 \end{textblock*}
 \begin{textblock*}{1cm}(9.5cm,6.3cm) % {block width} (coords)
  {\includegraphics[width=\textwidth]{../investors/competitor-logos/android_pay.png}}
 \end{textblock*}
 \vfill
 \end{frame}
 
 
 \begin{frame}{Predicting the Future}
   \begin{itemize}
   \item Google and Apple will be your bank and run your payment system
   \item They can target advertising based on your purchase history, location and
         your ability to pay
   \item They will provide more usable, faster and broadly available
         payment solutions; our federated banking system will be history
 %        just like SMTP is now Gmail.
   \item After they dominate the payment sector, they will start to charge fees
         befitting their oligopoly size
   \item Competitors and vendors not aligning with their corporate ``values''
         will be excluded by policy and go bankrupt
   \item The imperium will have another major tool for its financial warfare
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Central Bank Digital Currency?}
 Speech by Augustin Carstens, Bank of International Settlements (October 2020) on the difference between Central Bank Digital Currencies and cash.
  \begin{center}
     \movie[height = 0.5\paperheight, poster, showcontrols]{Central Bank Digital Currency vs. Cash}
           {bis-cbdc.mp4}
 
 {\tiny
 \url{https://www.youtube.com/watch?v=R_E4Uu7ycqE} (10'2020)}
 \end{center}
 \end{frame}
 
 
 
 \begin{frame}{The Emergency Act of Canada}
 Speech by Premier Kenney, Alberta, February 2022.
  \begin{center}
     \movie[height = 0.5\paperheight, poster, showcontrols]{The Emergency Act of Canada}
           {emergencyact.mp4}
 
 {\tiny \url{https://www.youtube.com/watch?v=NehMAj492SA} (2'2022)}
   \end{center}
 \end{frame}
 
 
 \section{GNU Taler: Introduction}
 
 \begin{frame}
   \vfill
   \begin{center}
     {\bf GNU Taler: Introduction}
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}{GNU Taler~\cite{taler2016space,DBLP:phd/hal/Dold19,cbdc2021chaum}}
   \vfill
   \begin{center}
     {\huge {\bf Digital} cash, made \textbf{socially responsible}.}
   \end{center}
   \vfill
   \begin{center}
   \includegraphics[scale=0.3]{taler-logo-2021-inkscape.pdf}
   \end{center}
   \vfill
   \begin{center}
     Privacy-Preserving, Practical, Taxable, Free Software, Efficient
   \end{center}
  \vfill
  \vfill
 \ %
 \end{frame}
 
 
 \begin{frame}{What is Taler?}
   \framesubtitle{\url{https://taler.net/en/features.html}}  \noindent
 Taler is
   \vfill
   \begin{itemize}
     \item a Free/Libre software \emph{payment system} infrastructure project
     \item ... with a surrounding software ecosystem
     \item ... and a company (Taler Systems S.A.) and community that wants to deploy it
       as widely as possible.
   \end{itemize}
   \vfill
 \noindent
  However, Taler is
   \begin{itemize}
     \item \emph{not} a currency or speculative asset
     \item \emph{not} a long-term store of value
     \item \emph{not} a network or instance of a system
     \item \emph{not} based on proof-of-work or proof-of-stake
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Design principles}
   \framesubtitle{https://taler.net/en/principles.html}
 GNU Taler must ...
 \begin{enumerate}
   \item {... be implemented as {\bf free software}.}
   \item {... protect the {\bf privacy of buyers}.}
   \item {... enable the state to {\bf tax income} and crack down on
     illegal business activities.}
   \item {... prevent payment fraud.}
   \item {... only {\bf disclose the minimal amount of information
     necessary}.}
   \item {... be usable.}
   \item {... be efficient.}
   \item {... avoid single points of failure.}
   \item {... foster {\bf competition}.}
 \end{enumerate}
 \end{frame}
 
 
 \begin{frame}
 \frametitle{Taler Overview}
 \begin{center}
 \begin{tikzpicture}
  \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer sep=.3em];
  \node (origin) at (0,0) {};
  \node (exchange) [def,above=of origin,draw]{Exchange};
  \node (customer) [def, draw, below left=of origin] {Customer};
  \node (merchant) [def, draw, below right=of origin] {Merchant};
  \node (auditor) [def, draw, above right=of origin]{Auditor};
 % \node (regulator) [def, draw, above=of auditor]{CSSF};
 
  \tikzstyle{C} = [color=black, line width=1pt]
 
  \draw [<-, C] (customer) -- (exchange) node [midway, above, sloped] (TextNode) {withdraw coins};
  \draw [<-, C] (exchange) -- (merchant) node [midway, above, sloped] (TextNode) {deposit coins};
  \draw [<-, C] (merchant) -- (customer) node [midway, above, sloped] (TextNode) {spend coins};
  \draw [<-, C] (exchange) -- (auditor) node [midway, above, sloped] (TextNode) {verify};
 % \draw [<-, C] (regulator) -- (auditor) node [midway, above, sloped] (TextNode) {report};
 
 \end{tikzpicture}
 \end{center}
 \end{frame}
 
 
 
 \begin{frame}
 \frametitle{Architecture of Taler}
 \begin{center}
   \includegraphics[width=0.8\textwidth]{operations.png}
 \end{center}
 \end{frame}
 
 
 \begin{frame}{Consumer Impact of Taler}
 \begin{itemize}
 \item {\bf Convenient:} pay with one click instantly --– in Euro,
 Dollar, Yen or Bitcoin
 \item {\bf Friction-free security:} Payments do not require sign-up,
 login or multi-factor authentication
 \item {\bf Privacy-preserving:} payment requires/shares no personal information
 \item {\bf Bank account:} not required
 \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Merchant Impact of Taler}
 \begin{itemize}
 \item {\bf Instant clearance:} one-click transactions and instant clearance at par
 \item {\bf Easy \& compliant:} GDPR \& PCI-DSS compliance-free and without any effort
 \item {\bf Major profit increase:} efficient protocol $+$ no fraud $=$ extremely low costs
 \item {\bf 1-click checkout:} without Amazon and without false positives in fraud detection
 \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Usability of Taler}
   \vfill
   \begin{center}
     \url{https://demo.taler.net/}
   \end{center}
   \begin{enumerate}
   \item Install browser extension.
   \item Visit the {\tt bank.demo.taler.net} to withdraw coins.
   \item Visit the {\tt shop.demo.taler.net} to spend coins.
   \end{enumerate}
   \vfill
 \end{frame}
 
 
 \section{Protocol Basics}
 
 \begin{frame}
   \vfill
   \begin{center}
     {\bf Protocol Basics}
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}[plain]
    \begin{tikzpicture}[remember picture,overlay]
      \node[anchor=south west, inner sep=0pt] at (current page.south west) {%
        \movie[height = \paperheight, width = \paperwidth, poster, showcontrols] {BFH Bachelor's thesis video}{cs-movie.mp4}%
      };
    \end{tikzpicture}
 \end{frame}
 
 
 \begin{frame}{How does it work?}
 We use a few ancient constructions:
   \begin{itemize}
   \item Cryptographic hash function (1989)
   \item Blind signature (1983)
   \item Schnorr signature (1989)
   \item \sout{Diffie-Hellman key exchange (1976)} Deterministic signatures (1977) % 1977: RSA, 2008: EdDSA
   \item Cut-and-choose zero-knowledge proof (1985)
   \end{itemize}
 But of course we use modern instantiations.
 \end{frame}
 
 
 \begin{frame}{Definition: Taxability}
   We say Taler is taxable because:
   \begin{itemize}
   \item Merchant's income is visible from deposits.
   \item Hash of contract is part of deposit data.
   \item State can trace income and enforce taxation.
   \end{itemize}\pause
   Limitations:
   \begin{itemize}
   \item withdraw loophole
   \item {\em sharing} coins among family and friends
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Exchange setup: Create a denomination key (RSA)}
    \begin{minipage}{6cm}
     \begin{enumerate}
     \item Generate random primes $p,q$.
     \item Compute $n := pq$, $\phi(n) = (p-1)(q-1)$
     \item Pick small $e < \phi(n)$ such that
           $d := e^{-1} \mod \phi(n)$ exists.
     \item Publish public key $(e,n)$.
     \end{enumerate}
   \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
  \tikzstyle{def} = [node distance=1em and 1em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (primes) [draw=none, below = of origin] at (0,0) {$(p, q)$};
     \node (seal) [def, draw=none, below left=of primes]{\includegraphics[width=0.15\textwidth]{seal.pdf}};
     \node (hammer) [def, draw=none, below right=of primes]{\includegraphics[width=0.15\textwidth]{hammer.pdf}};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (primes) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (hammer) -- (primes) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
 %  \includegraphics[width=0.4\textwidth]{seal.pdf}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Merchant: Create a signing key (EdDSA)}
   \begin{minipage}{6cm}
     \begin{itemize}
   \item Generate random number $m \mod o$ as private key
   \item Compute public key $M := mG$
   \end{itemize}
   \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (m) [draw=none, below = of origin] at (0,0) {$m$};
     \node (seal) [draw=none, below=of m]{M};
    \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (m) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
   \parbox[t]{3cm}{{\bf Capability:} $m \Rightarrow$ }
   \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{merchant-sign.pdf}}
 \end{frame}
 
 
 \begin{frame}{Customer: Create a planchet (EdDSA)}
   \begin{minipage}{8cm}
   \begin{itemize}
   \item Generate random number $c \mod o$ as private key
   \item Compute public key $C := cG$
   \end{itemize}
   \end{minipage}
   \begin{minipage}{4cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (c) [draw=none, below = of origin] at (0,0) {$c$};
     \node (planchet) [draw=none, below=of c]{\includegraphics[width=0.4\textwidth]{planchet.pdf}};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (c) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (planchet) -- (c) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
   \parbox[t]{3cm}{{\bf Capability:} $c \Rightarrow$ }
   \raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{planchet-sign.pdf}}
 \end{frame}
 
 
 \begin{frame}{Customer: Blind planchet (RSA)}
   \begin{minipage}{6cm}
     \begin{enumerate}
     \item Obtain public key $(e,n)$
     \item Compute $f := FDH(C)$, $f < n$.
     \item Generate random blinding factor $b \in \mathbb Z_n$
     \item Transmit $f' := f b^e \mod n$
     \end{enumerate}
   \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (b) [def, draw=none, below = of origin] at (0,-0.2) {$b$};
     \node (blinded) [def, draw=none, below right=of b]{\includegraphics[width=0.2\textwidth]{blinded.pdf}};
     \node (planchet) [def, draw=none, above right=of blinded]{\includegraphics[width=0.15\textwidth]{planchet.pdf}};
     \node (exchange) [node distance=4em and 0.5em, draw, below =of blinded]{Exchange};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Exchange: Blind sign (RSA)}
    \begin{minipage}{6cm}
     \begin{enumerate}
     \item Receive $f'$.
     \item Compute $s' := f'^d \mod n$.
     \item Send signature $s'$.
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}};
     \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
     \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (customer) -- (signed) node [midway, above, sloped] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Customer: Unblind coin (RSA)}
   \begin{minipage}{6cm}
    \begin{enumerate}
     \item Receive $s'$.
     \item Compute $s := s' b^{-1} \mod n$ % \\
     % ($(f')^d = (f b^e)^d = f^d b$).
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (b) [def, draw=none] at (0,0) {$b$};
     \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
     \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Customer: Build shopping cart}
   \begin{center}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer sep=.3em];
     \node (origin) [draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{cart.pdf}};
     \node (merchant) [node distance=4em and 0.5em, draw, below =of origin]{\includegraphics[width=0.15\textwidth]{shop.pdf}};
     \tikzstyle{C} = [color=black, line width=1pt];
     \draw [<-, C] (merchant) -- (origin) node [midway, right] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{center}
 \end{frame}
 
 
 \begin{frame}{Merchant: Propose contract (EdDSA)}
    \begin{minipage}{6cm}
    \begin{enumerate}
     \item Complete proposal $D$.
     \item Send $D$, $EdDSA_m(D)$
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (cart) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{cart.pdf}};
     \node (proposal) [def, draw=none, below right=of cart]{\includegraphics[width=0.3\textwidth]{merchant_propose.pdf}};
     \node (customer) [node distance=4em and 0.5em, draw, below =of proposal]{Customer};
     \tikzstyle{C} = [color=black, line width=1pt];
     \node (sign) [def, draw=none, above right=of proposal] {$m$};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (proposal) -- (sign) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (proposal) -- (cart) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (customer) -- (proposal) node [midway, right] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Customer: Spend coin (EdDSA)}
   \begin{minipage}{6cm}
    \begin{enumerate}
     \item Receive proposal $D$, $EdDSA_m(D)$.
     \item Send $s$, $C$, $EdDSA_c(D)$
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance=1.5em and 0.4em, inner sep=0em, outer sep=.3em];
     \node (proposal) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}};
     \node (contract) [def, draw=none, below right=of cart]{\includegraphics[width=0.3\textwidth]{contract.pdf}};
     \node (c) [def, draw=none, above=of contract] {$c$};
     \node (merchant) [node distance=4em and 0.5em, draw, below=of contract]{Merchant};
     \node (coin) [def, draw=none, right=of contract]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (contract) -- (proposal) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (merchant) -- (contract) node [midway, above, sloped] (TextNode) {{\small transmit}};
     \draw [<-, C] (merchant) -- (coin) node [midway, right] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Merchant and Exchange: Verify coin (RSA)}
    \begin{minipage}{6cm}
  \begin{equation*}
    s^e \stackrel{?}{\equiv} FDH(C) \mod n
    \end{equation*}
    \end{minipage}
   \begin{minipage}{6cm}
   \begin{minipage}{0.2\textwidth}
     \includegraphics[width=\textwidth]{coin.pdf}
   \end{minipage}
   $\stackrel{?}{\Leftrightarrow}$
   \begin{minipage}{0.2\textwidth}
     \includegraphics[width=\textwidth]{seal.pdf}
   \end{minipage}
   \end{minipage}
   \vfill
   The exchange does not only verify the signature, but also
   checks that the coin was not double-spent.
   \vfill
   \pause
   \begin{center}
   {\bf Taler is an online payment system.}
   \end{center}
   \vfill
 \end{frame}
 
 \input refresh.tex
 
 
 \section{Component Zoo}
 
 \begin{frame}
   \vfill
   \begin{center}
     {\bf Component Zoo}
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}{The Taler Software Ecosystem: Overview}
   \framesubtitle{\url{https://taler.net/en/docs.html}}
   Taler is based on modular components that work together to provide a
   complete payment system:
   \vfill
   \begin{itemize}
     \item {\bf Exchange:} Service provider for digital cash
       \begin{itemize}
         \item Core exchange software (cryptography, database)
         \item Air-gapped key management, real-time {\bf auditing}
         \item {\bf libeufin}: Modular integration with banking systems
         \item {\bf challenger}: KYC service with OAuth 2.0 API
       \end{itemize}
     \item {\bf Merchant:} Integration service for existing businesses
       \begin{itemize}
         \item Core merchant backend software (cryptography, database)
         \item {\bf Back-office interface} for staff
         \item {\bf Frontend integration} (E-commerce, Point-of-sale)
       \end{itemize}
     \item {\bf Wallet:} Consumer-controlled applications for e-cash
       \begin{itemize}
         \item Multi-platform wallet software (for browsers \& mobile phones)
         \item Wallet backup storage providers ({\bf sync} \& {\bf Anastasis})
       \end{itemize}
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Taler Exchange}
   The {\bf Exchange} is the core logic of the payment system.
 
   \begin{itemize}
     \item One exchange at minimum must be operated per currency
     \item Offers a REST API for merchants and customers
     \item Uses several helper processes for configuration and to
           interact with RTGS and cryptography
     \item KYC support via OAuth 2.0, KycAID or Persona APIs
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Taler Merchant}
   The {\bf Merchant} is the software run by merchants to accept\\
   GNU Taler payments.
 
   \begin{minipage}{6cm}
   \begin{itemize}
     \item REST API for integration with e-commerce
     \item SPA provides Web interface for administration
     \item Features include:
       \begin{itemize}
       \item Multi-tenant support
       \item Refunds
       \item Templates
       \item Webhooks
       \item Inventory management (optional)
       \end{itemize}
   \end{itemize}
   \end{minipage}
   \begin{minipage}{5cm}
   \includegraphics[width=5cm]{screenshots/merchant-spa-settings}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Taler Wallet}
   The {\bf Wallet} is the software run by consumers to store
   their digital cash and authorize transactions.
 
   \begin{minipage}{8cm}
   \begin{itemize}
     \item {\bf wallet-core} is the logic shared by all interfaces
     \item Works on Android, F-Droid, iOS, Ubuntu Touch,
           WebExtension (Chrome, Chromium, Firefox, etc.)
     \item Features include:
       \begin{itemize}
       \item Multi-currency support
       \item Wallet-to-wallet payments (NFC or QR code)
       \item CRDT-like data model
       \end{itemize}
   \end{itemize}
   \end{minipage}
   \begin{minipage}{3cm}
   \includegraphics[width=3cm]{screenshots/Screenshot_20230225-103520.png}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Taler Auditor}
   The {\bf Auditor} is the software run by an independent auditor
   to validate the operation of an Exchange.
 
   \begin{itemize}
     \item REST API for additional report inputs by merchants (optional)
     \item Secure database replication logic
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{libeufin-nexus}
   libeufin-nexus allows Taler components to interact with a core banking system. It:
 
   \begin{itemize}
     \item provides an implementation of the Wire Gateway for the exchange
     \item supports EBICS 2.5 and 3.0
     \item other APIs such as FinTS or PSD2-style XS2A APIs can be added
       without requiring changes to the Exchange
     \item was tested with GLS Bank (DE) and Postfinance (CH) accounts and real EUR/CHF
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{libeufin-bank}
   libeufin-bank implements a standalone bank with a Web interface. It:
 
   \begin{itemize}
     \item provides the Taler Core Bank API for RESTful online banking
        using a Web interface (with multi-factor authentication)
     \item includes a Taler Wire Gateway for the exchange
     \item offers the Taler Bank Integration API to allow wallets
        to easily withdraw digital cash
     \item optionally provides the Taler Conversion Info API for currency
        conversion between fiat and regional currencies
     \item optionally integrates with libeufin-nexus to interact with
        a core banking system
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Challenger}
   Challenger allows clients to obtain validated address (KYC) data about
   users:
 
   \begin{itemize}
     \item Customizable Web-based process for address validation
     \item Can validate phone numbers, e-mail addresses or physical mailing addresses
     \item Provides an exchange-compatible OAuth 2.0 API
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Depolymerization}
   Depolymerization is a bridge between GNU Taler and blockchains,
   making Taler a layer 2 system for crypto-currencies (like Lightning).
 
   \begin{itemize}
     \item provides an implementation of the Wire Gateway for the exchange
     \item Works on top of Bitcoin and Ethereum
           crypto-currencies, with the DLTs as the ``RTGS''
     \item Provides same API to Exchange as libeufin-nexus
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Point-of-Sale App for Android}
 \begin{minipage}{7cm}
   \begin{itemize}
     \item Allows merchant to generate orders against Taler backend
           and display QR code to enable customer to pay in person
     \item Patterned after ViewTouch restaurant UI
   \end{itemize}
 \end{minipage}
 \begin{minipage}{4cm}
   \includegraphics[width=4cm]{screenshots/Screenshot_20230224-194112.jpg}
   \includegraphics[width=4cm]{screenshots/Screenshot_20230224-194119.jpg}
   \includegraphics[width=4cm]{screenshots/Screenshot_20230224-195348.jpg}
 \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Payment plugins}
 \begin{minipage}{5cm}
   \includegraphics[width=4cm]{screenshots/woocommerce-cart.png}
   \includegraphics[width=4cm]{screenshots/pretix.png}
   \end{minipage}
 \begin{minipage}{5cm}
   \begin{itemize}
     \item Pretix, ticket sales system
     \item Joomla!, an e-commerce platform
     \item WooCommerce, an e-commerce solution on top of WordPress
     \item DrupalCommerce, an e-commerce solution on top of Drupal
   \end{itemize}
 \end{minipage}
 \end{frame}
 
 
 \section{Offline payments}
 
 \begin{frame}
   \vfill
   \begin{center}
     {\bf Offline payments}
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}[fragile]{Digitaler Euro --- Offline?}
 Many central banks today demand offline capabilities for CBDCs.
 \vfill \pause
 \begin{figure}
 \def\svgwidth{0.8\textwidth}
 
 \begingroup%
 \makeatletter%
 \providecommand\color[2][]{%
 	\errmessage{(Inkscape) Color is used for the text in Inkscape, but the package 'color.sty' is not loaded}%
 	\renewcommand\color[2][]{}%
 }%
 \providecommand\transparent[1]{%
 	\errmessage{(Inkscape) Transparency is used (non-zero) for the text in Inkscape, but the package 'transparent.sty' is not loaded}%
 	\renewcommand\transparent[1]{}%
 }%
 \providecommand\rotatebox[2]{#2}%
 \newcommand*\fsize{\dimexpr\f@size pt\relax}%
 \newcommand*\lineheight[1]{\fontsize{\fsize}{#1\fsize}\selectfont}%
 \ifx\svgwidth\undefined%
 	\setlength{\unitlength}{345bp}%
 	\ifx\svgscale\undefined%
 	\relax%
 	\else%
 	\setlength{\unitlength}{\unitlength * \real{\svgscale}}%
 	\fi%
 \else%
 	\setlength{\unitlength}{\svgwidth}%
 \fi%
 \global\let\svgwidth\undefined%
 \global\let\svgscale\undefined%
 \makeatother%
 \begin{picture}(1,0.53623188)%
 	\lineheight{1}%
 	\setlength\tabcolsep{0pt}%
 	\put(0,0){\includegraphics[width=\unitlength,page=1]{offline-timeline.pdf}}%
 	\put(0.10624514,0.04914349){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Feb 2017 \cite{arm2017boomerang}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=2]{offline-timeline.pdf}}%
 	\put(0.28309276,0.44884928){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Mar, Jun 2020 \cite{intel2020lvi,intel2020sgaxe}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=3]{offline-timeline.pdf}}%
 	\put(0.18177392,0.17262607){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Aug 2017 \cite{arm2017clkscrew}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=4]{offline-timeline.pdf}}%
 	\put(0.08024638,0.44884927){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Dec 2017 \cite{samsung2017knox}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=5]{offline-timeline.pdf}}%
 	\put(0.02512174,0.36103189){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny May, Aug 2016 \cite{arm2016alias,arm2016cache,zhang2016truspy}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=6]{offline-timeline.pdf}}%
 	\put(0.34119422,0.08566952){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Aug 2019 \cite{amd2019}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=7]{offline-timeline.pdf}}%
 	\put(0.3956406,0.36131883){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Oct 2019 \cite{sim2019}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=8]{offline-timeline.pdf}}%
 	\put(0.38164733,0.17343635){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Jun 2020 \cite{smartcard2020}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=9]{offline-timeline.pdf}}%
 	\put(0.59564059,0.44827535){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Sep 2022 \cite{atecc2022}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=10]{offline-timeline.pdf}}%
 	\put(0.55650392,0.05335936){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Mar 2023 \cite{tpm2023}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=11]{offline-timeline.pdf}}%
 	\put(0.80271684,0.06728262){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Sep 2024 \cite{infineon2024}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=12]{offline-timeline.pdf}}%
 	\put(0.59062556,0.17319998){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Feb 2023 \cite{intel2023sgx}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=13]{offline-timeline.pdf}}%
 	\put(0.78984349,0.17291304){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Oct 2024 \cite{amd2025}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=14]{offline-timeline.pdf}}%
 	\put(0.7963995,0.44796104){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Aug 2023 \cite{arm2023}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=15]{offline-timeline.pdf}}%
 	\put(0.59916521,0.36103188){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Apr 2023 \cite{amd2023}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=16]{offline-timeline.pdf}}%
 	\put(0.79631301,0.36103188){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny Aug 2024 \cite{intel2024}\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=17]{offline-timeline.pdf}}%
 	\put(0.123203,0.24410952){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny 2015\end{tabular}}}}%
 	\put(0.5000146,0.24410952){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny 2020\end{tabular}}}}%
 	\put(0.87682623,0.24410952){\color[rgb]{0,0,0}\makebox(0,0)[lt]{\lineheight{1.25}\smash{\begin{tabular}[t]{l}\tiny 2025\end{tabular}}}}%
 	\put(0,0){\includegraphics[width=\unitlength,page=18]{offline-timeline.pdf}}%
 \end{picture}%
 \endgroup%
 \end{figure}
 \end{frame}
 
 
 \begin{frame}{A Scenario}
 {God is offline, but customer pays online}
 \begin{center}
   \includegraphics[height=0.4\textwidth]{shrine.jpg}
 \end{center}
 \end{frame}
 
 \begin{frame}{Typical Payment Process}{All equivalent: Twint, PayPal, AliPay, PayTM}
 \begin{center}
    \movie[%scale=0.6,
            autostart,
            poster]
            {
                \includegraphics[height=0.3\textwidth,width=0.4\textwidth]{white.png}
            }
            {twint.mkv}
 
            {\tiny (C) Twint, 2023}
 \end{center}
 \end{frame}
 
 
 \begin{frame}{Secure Payment ...}{Everything green?}
 \begin{center}
   \includegraphics[height=0.3\textwidth]{paymentTwint-screen_25.png}
 \end{center}
 \end{frame}
 
 \begin{frame}{Exploit ``Code''}{Programming optional}
 \begin{center}
   \includegraphics[height=0.3\textwidth]{paymentTwint-screen.png}
 \end{center}
 \end{frame}
 
 \begin{frame}{``Customers'' {\em love} Twint ...}{Daily non-business for shops}
 \begin{center}
   \includegraphics[height=0.3\textwidth]{paymentTwint-screen_50.png}
 \end{center}
 \end{frame}
 
 
 \begin{frame}{Partially Offline Payments with GNU Taler~\cite{suerf2023huang}}
 
 \begin{center}
 \resizebox{8cm}{6cm}{
 \begin{sequencediagram}
     \newinst{pos}{\shortstack{PoS \\
       \\ \begin{tikzpicture}
         \node [fill=gray!20,draw=black,thick ,align=center] {PoS key \\ PoS ID};
       \end{tikzpicture}
     }}
     \newinst[2]{customer}{\shortstack{Customer \\
       \\ \begin{tikzpicture}
         \node [fill=gray!20,draw=black,thick ,align=center] {Digital \\ Wallet};
       \end{tikzpicture}
     }}
     \newinst[2]{backend}{\shortstack{Merchant Backend \\
        \\ \begin{tikzpicture}[shape aspect=.5]
         \tikzset{every node/.style={cylinder, shape border rotate=90, draw,fill=gray!25}}
         \node at (1.5,0) {\shortstack{{\tiny PoS key} \\ {\tiny PoS ID}}};
        \end{tikzpicture}
     }}
     \postlevel
     \mess[0]{pos}{PoS ID}{customer}
     \begin{sdblock}{optional}{}
       \begin{callself}{customer}{Amount}{}
       \end{callself}
     \end{sdblock}
     \prelevel
     \prelevel
     \prelevel
     \prelevel
     \prelevel
     \begin{sdblock}{optional}{}
       \begin{callself}{pos}{Amount}{}
       \end{callself}
     \end{sdblock}
     \postlevel
     \mess[0]{customer}{PoS ID, [Amount]?}{backend}
     \mess[0]{backend}{Contract}{customer}
     \postlevel
     \mess[0]{customer}{Payment}{backend}
     \begin{callself}{pos}{OTP(PoS key)}{}
     \end{callself}
     \prelevel
     \prelevel
     \begin{callself}{backend}{OTP(PoS key)}{}
     \end{callself}
     \mess[0]{backend}{OTP code}{customer}
     \postlevel
     \mess[0]{customer}{OTP code}{pos}
 \end{sequencediagram}
 }
 \end{center}
 \end{frame}
 
 
 
 \section{Programmable money: Age restrictions}
 
 \begin{frame}
   \vfill
   \begin{center}
     {\bf Programmable money: Age restrictions}~\cite{esorics2022age}
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}{Age restriction in E-commerce}
 
 	\begin{description}
 		\item[Problem:]~\\[1em]
 			Verification of minimum age requirements in e-commerce.\\[2em]
 
 		\item[Common solutions:]
 
 \begin{tabular}{l<{\onslide<2->}c<{\onslide<3->}cr<{\onslide}}
 	& \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount]
 	1. ID Verification     & bad   & required & \\[\medskipamount]
 	2. Restricted Accounts & bad   & required & \\[\medskipamount]
 	3. Attribute-based     & good  & required &\tikzmark{bottomau} \\[\medskipamount]
 \end{tabular}
 	\end{description}
 
 \uncover<4->{
 	\begin{tikzpicture}[overlay,remember picture]
 	\draw[orange,thick,rounded corners]
 		($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$);
 	\end{tikzpicture}
 	\begin{center}
 	\bf Principle of Subsidiarity is violated
 	\end{center}
 }
 \end{frame}
 
 
 \begin{frame}{Principle of Subsidiarity}
 \begin{center} \Large
 	Functions of government---such as granting and restricting
 	rights---should be performed\\
 	{\it at the lowest level of authority possible},\\
 	as long as they can be performed {\it adequately}.
 \end{center}
 \vfill
 \uncover<2->{
 	For age-restriction, the lowest level of authority is:\\
 	\begin{center}\Large
 	Parents, guardians and caretakers
 	\end{center}
 }
 \end{frame}
 
 
 \begin{frame}{Age restriction design for GNU Taler}
 Design and implementation of an age restriction scheme\\
 with the following goals:
 
 \begin{enumerate}
 \item It ties age restriction to the \textbf{ability to pay} (not to ID's)
 \item maintains \textbf{anonymity of buyers}
 \item maintains \textbf{unlinkability of transactions}
 \item aligns with \textbf{principle of subsidiartiy}
 \item is \textbf{practical and efficient}
 \end{enumerate}
 
 \end{frame}
 
 
 \begin{frame}{Age restriction}
 	\framesubtitle{Assumptions and scenario}
 
 	\begin{columns}
 		\column{7.5cm}
 	\begin{itemize}
 		\item<1-> Assumption: Checking accounts are under control of eligible adults/guardians.
 		\item<2-> \textit{Guardians} \textbf{commit} to an maximum age
 		\item<3-> \textit{Minors} \textbf{attest} their adequate age
 		\item<4-> \textit{Merchants} \textbf{verify} the attestations
 		\item<5-> Minors \textbf{derive} age commitments from existing ones
 		\item<6-> \textit{Exchanges} \textbf{compare} the derived age commitments
 	\end{itemize}
 		\column{5cm}
 		\uncover<7->
 		{
 		\begin{center}
 		\fontsize{7pt}{7pt}\selectfont
 	\begin{tikzpicture}[scale=.5]
 		\node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=15pt,fill=black!15] at (  0:0) (Client) {$\Child$};
 		\node[circle,minimum size=15pt,fill=black!15] at (  0:4) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=15pt,fill=blue!15]  at (140:3) (Guardian) {$\Guardian$};
 
 		\draw[->] (Guardian)   to [out=50,in=130, loop] node[above]
 			{$\Commit$} (Guardian);
 		\draw[->,blue] (Client)   to [out=-125,in=-190, loop] node[below,left]
 			{\blue{$\Attest$}} (Client);
 		\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
 			{\blue{$\Verify$}} (Merchant);
 		\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
 			{\orange{$\Derive$}} (Client);
 		\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
 			{\orange{$\Compare$}} (Exchange);
 
 		\draw[orange,|->] (Client)   to node[sloped,above,align=left]
 			{\orange{\scriptsize }} (Exchange);
 		\draw[blue,|->] (Client)   to node[sloped, above]
 			{\blue{\scriptsize }} (Merchant);
 		\draw[,|->] (Guardian) to node[above,sloped,align=left]
 			{{\scriptsize }} (Client);
 	\end{tikzpicture}
 		\end{center}
 		}
 	\end{columns}
 	\vfill
 \end{frame}
 
 
 \begin{frame}{Formal Function Signatures}
 \small
 Searching for functions \uncover<2->{with the following signatures}
 \begin{align*}
 	&\bf \Commit\uncover<2->{:
 		&(\age, \omega) &\mapsto (\commitment, \pruf)
 		&\scriptstyle \N_\Age \times \Omega &\scriptstyle \to \Commitments\times\Proofs,
 		}
 	\\
 	&\bf \Attest\uncover<3->{:
 		&(\minage, \commitment, \pruf) &\mapsto \attest
 		&\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\},
 		}
 	\\
 	&\bf \Verify\uncover<4->{:
 		&(\minage, \commitment, \attest) &\mapsto b
 		&\scriptstyle \N_\Age\times\Commitments\times\Attests &\scriptstyle \to \Z_2,
 		}
 	\\
 	&\bf \Derive\uncover<5->{:
 		&(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf', \blinding)
 		&\scriptstyle \Commitments\times\Proofs\times\Omega &\scriptstyle \to \Commitments\times\Proofs\times\Blindings,
 		}
 	\\
 	&\bf \Compare\uncover<6->{:
 		&(\commitment, \commitment', \blinding) &\mapsto b
 		&\scriptstyle \Commitments\times\Commitments\times\Blindings &\scriptstyle \to \Z_2,
 		}
 \end{align*}
 	\uncover<7->{
 		with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$
 		sufficiently large sets.\\[1em]
 		Basic and security requirements are defined later.\\[2em]
 	}
 
 		\scriptsize
 	\uncover<2->{
 		Mnemonics:\\
 		$\Commitments=$ \textit{c$\Commitments$mmitments},
 		$\commitment=$ \textit{Q-mitment} (commitment),
 		$\Proofs=$ \textit{$\Proofs$roofs},
 	}
 	\uncover<3->{
 		$\pruf=$ \textit{$\pruf$roof},\\
 		$\Attests=$ \textit{a$\Attests$testations},
 		$\attest=$ \textit{a$\attest$testation},
 	}
 	\uncover<5->{
 		$\Blindings=$ \textit{$\Blindings$lindings},
 		$\blinding=$ \textit{$\blinding$linding}.
 	}
 \end{frame}
 
 \begin{frame}{Age restriction}
 	\framesubtitle{Naïve scheme}
 	\begin{center}
 	\begin{tikzpicture}[scale=.85]
 		\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=20pt,fill=black!15] at (  0:0) (Client) {$\Child$};
 		\node[circle,minimum size=20pt,fill=black!15] at (  0:4) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=20pt,fill=blue!15]  at (140:3) (Guardian) {$\Guardian$};
 
 		\draw[->] (Guardian)   to [out=50,in=130, loop] node[above]
 			{$\Commit$} (Guardian);
 		\draw[->,blue] (Client)   to [out=-125,in=-190, loop] node[below,left]
 			{\blue{$\Attest$}} (Client);
 		\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
 			{\blue{$\Verify$}} (Merchant);
 		\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
 			{\orange{$\Derive$}} (Client);
 		\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
 			{\orange{$\Compare$}} (Exchange);
 
 		\draw[orange,|->] (Client)   to node[sloped,above,align=left]
 			{\orange{\scriptsize }} (Exchange);
 		\draw[blue,|->] (Client)   to node[sloped, above]
 			{\blue{\scriptsize }} (Merchant);
 		\draw[,|->] (Guardian) to node[above,sloped,align=left]
 			{{\scriptsize }} (Client);
 	\end{tikzpicture}
 	\end{center}
 \end{frame}
 
 \begin{frame}{Achieving Unlinkability}
 	\begin{columns}
 		\column{3cm}
 		\begin{center}
 		\fontsize{8pt}{9pt}\selectfont
 		\begin{tikzpicture}[scale=.65]
 			\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
 			\node[circle,minimum size=20pt,fill=black!15] at (  0:0) (Client) {$\Child$};
 
 			\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
 				{\orange{$\footnotesize \Derive()$}} (Client);
 			\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
 				{\orange{$\footnotesize \Compare()$}} (Exchange);
 
 			\draw[orange,|->] (Client)   to node[sloped,above,align=left]
 				{\orange{\tiny \uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange);
 		\end{tikzpicture}
 		\end{center}
 
 		\column{9cm}
 	Simple use of $\Derive()$ and $\Compare()$ is problematic.
 
 	\begin{itemize}
 		\item<2-> Calling $\Derive()$ iteratively generates sequence
 			$(\commitment_0, \commitment_1, \dots)$ of commitments.
 		\item<2-> Exchange calls $\Compare(\commitment_i, \commitment_{i+1}, .)$
 		\item[$\implies$]\uncover<3->{\bf Exchange identifies sequence}
 		\item[$\implies$]\uncover<3->{\bf Unlinkability broken}
 	\end{itemize}
 	\end{columns}
 \end{frame}
 
 \begin{frame}{Achieving Unlinkability}
 	Define cut\&choose protocol \orange{$\DeriveCompare$},
 	using $\Derive()$ and $\Compare()$.\\[0.5em]
 	\uncover<2->{
 	Sketch:
 	\small
 	\begin{enumerate}
 		\item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$
 			from $\commitment_0$ \\
 			by calling $\Derive()$ with blindings $(\beta_1,\dots,\beta_\kappa)$
 		\item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$
 		\item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$
 		\item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly
 		\item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$
 		\item $\Exchange$ compares $h_0$ and
 			$H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\
 			and evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$.
 	\end{enumerate}
 	\vfill
 	Note: Scheme is similar to the {\it refresh} protocol in GNU Taler.
 	}
 \end{frame}
 
 \begin{frame}{Achieving Unlinkability}
 	With \orange{$\DeriveCompare$}
 	\begin{itemize}
 		\item $\Exchange$ learns nothing about $\commitment_\gamma$,
 		\item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty,
 		\item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat.
 	\end{itemize}
 	\vfill
 	Note: Still need Derive and Compare to be defined.
 \end{frame}
 
 \begin{frame}{Refined scheme}
 
 	\begin{tikzpicture}[scale=.8]
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:0) (Client)   {$\Child$};
 		\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:5) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=25pt,fill=blue!15]  at (130:3) (Guardian) {$\Guardian$};
 
 		\draw[orange,<->] (Client)   to node[sloped,below,align=center]
 			{\orange{$\DeriveCompare$}} (Exchange);
 		\draw[blue,->] (Client)   to node[sloped, below]
 			{\blue{$(\attest_\minage, \commitment)$}} (Merchant);
 
 		\draw[->] (Guardian)   to [out=150,in=70, loop] node[above]
 			{$\Commit(\age)$} (Guardian);
 		\draw[->] (Guardian)   to node[below,sloped]
 			{($\commitment$, $\pruf_\age$)} (Client);
 		\draw[->,blue] (Client)   to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
 		\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
 	\end{tikzpicture}
 \end{frame}
 
  \begin{frame}{Achieving Unlinkability}
  	\scriptsize
  	$\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\
  	\vfill
  	$\DeriveCompare(\commitment, \pruf, \omega) =$
  \begin{itemize}
  \it
  	\itemsep0.5em
  	\item[$\Child$:]
  		\begin{enumerate}
  				\scriptsize
  			\itemsep0.3em
  			\item for all $i \in \{1,\dots,\kappa\}:
  				(\commitment_i,\pruf_i,\beta_i) \leftarrow \Derive(\commitment, \pruf, \omega + i)$
  			\item $h \leftarrow \Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa) \big)$
  			\item send $(\commitment, h)$ to $\Exchange$
  		\end{enumerate}
  	\item[$\Exchange$:]
  		\begin{enumerate}
  			\setcounter{enumi}{3}
  				\scriptsize
  			\itemsep0.3em
  			\item save $(\commitment, h)$ \label{st:hash}
  			\item $\gamma \drawfrom \{1,\dots ,\kappa\}$
  			\item send $\gamma$ to $\Child$
  		\end{enumerate}
  	\item[$\Child$:]
  		\begin{enumerate}
  			\setcounter{enumi}{6}
 
  				\scriptsize
  			\itemsep0.3em
  			\item $h'_\gamma \leftarrow \Hash(\commitment_\gamma, \beta_\gamma)$
  			\item $\mathbf{E}_\gamma \leftarrow \big[(\commitment_1,\beta_1),\dots,
  				(\commitment_{\gamma-1}, \beta_{\gamma-1}),
  				\Nil,
  				(\commitment_{\gamma+1}, \beta_{\gamma+1}),
  				\dots,(\commitment_\kappa, \beta_\kappa)\big]$
  			\item send $(\mathbf{E}_\gamma, h'_\gamma)$ to $\Exchange$
  		\end{enumerate}
  	\item[$\Exchange$:]
  		\begin{enumerate}
  			\setcounter{enumi}{9}
  				\scriptsize
  			\itemsep0.3em
  			\item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow \Hash(\mathbf{E}_\gamma[i])$
  			\item if $h \stackrel{?}{\neq} \HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$ return 0
  			\item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}$:
  				if $0 \stackrel{?}{=} \Compare(\commitment,\commitment_i, \beta_i)$ return $0$
  			\item return 1
  		\end{enumerate}
  \end{itemize}
  \end{frame}
 
 \begin{frame}{Basic Requirements}
 
 	Candidate functions
 	\[ (\Commit, \Attest, \Verify, \Derive, \Compare) \]
 	must first meet \textit{basic} requirements:
 
 	\begin{itemize}
 		\item Existence of attestations
 		\item Efficacy of attestations
 		\item Derivability of commitments and attestations
 	\end{itemize}
 \end{frame}
 
 \begin{frame}{Basic Requirements}
 	\framesubtitle{Formal Details}
 
 	\begin{description}
 		\item[Existence of attestations]
 			{\scriptsize
 			\begin{align*}
 				\Forall_{\age\in\N_\Age \atop \omega \in \Omega}:
 				\Commit(\age, \omega) =: (\commitment, \pruf)
 				\implies
 				\Attest(\minage, \commitment, \pruf) =
 				\begin{cases}
 					\attest \in \Attests, \text{ if } \minage \leq \age\\
 					\Nil \text{ otherwise}
 				\end{cases}
 			\end{align*}}
 		\item[Efficacy of attestations]
 			{\scriptsize
 			\begin{align*}
 				\Verify(\minage, \commitment, \attest) = \
 				\begin{cases}
 					1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\
 					0 \text{ otherwise}
 				\end{cases}
 			\end{align*}}
 
 			{\scriptsize
 			\begin{align*}
 				\forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1.
 			\end{align*}}
 		\item[etc.]
 	\end{description}
 \end{frame}
 
 \begin{frame}{Requirements}
 	\framesubtitle{Details}
 
 	\begin{description}
 		\item[Derivability of commitments and proofs:]~\\[0.1em]
 		{\scriptsize
 		Let \begin{align*}
 			\age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\
 			(\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\
 			(\commitment_1, \pruf_1, \blinding) & \leftarrow  \Derive(\commitment_0, \pruf_0, \omega_1).
 		\end{align*}
 		We require
 		\begin{align*}
 			\Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity}
 		\end{align*}
 		and for all $n\leq\age$:
 		\begin{align*}
 					\Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &%
 					=
 					\Verify(n, \commitment_0,  \Attest(n, \commitment_0,  \pruf_0))
 		\end{align*}}
 	\end{description}
 \end{frame}
 
 \begin{frame}{Security Requirements}
 	Candidate functions must also meet \textit{security} requirements.
 	Those are defined via security games:
 	\begin{itemize}
 		\item Game: Age disclosure by commitment or attestation
 		\item[$\leftrightarrow$] Requirement: Non-disclosure of age
 			\vfill
 
 		\item Game: Forging attestation
 		\item[$\leftrightarrow$] Requirement: Unforgeability of
 			minimum age
 			\vfill
 
 		\item Game: Distinguishing derived commitments and attestations
 		\item[$\leftrightarrow$] Requirement: Unlinkability of
 			commitments and attestations
 
 	\end{itemize}
 	\vfill
 
 	Meeting the security requirements means that adversaries can win
 	those games only with negligible advantage.
 	\vfill
 	Adversaries are arbitrary polynomial-time algorithms, acting on all
 	relevant input.
 \end{frame}
 
 \begin{frame}{Security Requirements}
 	\framesubtitle{Simplified Example}
 
 	\begin{description}
 		\item[Game $\Game{FA}(\lambda)$---Forging an attest:]~\\
 	{\small
 	\begin{enumerate}
 		\item $ (\age, \omega)	\drawfrom	\N_{\Age-1}\times\Omega $
 		\item $ (\commitment, \pruf)	\leftarrow	\Commit(\age, \omega) $
 		\item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$
 		\item Return 0 if $\minage \leq \age$
 		\item Return $\Verify(\minage,\commitment,\attest)$
 	\end{enumerate}
 	}
 	\vfill
 	\item[Requirement: Unforgeability of minimum age]
 		{\small
 	\begin{equation*}
 		\Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}:
 		\Probability\Big[\Game{FA}(\lambda) = 1\Big] \le \negl(\lambda)
 	\end{equation*}
 	}
 	\end{description}
 \end{frame}
 
 
 \begin{frame}{Solution: Instantiation with ECDSA}
 %	\framesubtitle{Definition of Commit}
 
 	\begin{description}
 		\item[To Commit to age (group) $\age \in \{1,\dots,\Age\}$]~\\
 		\begin{enumerate}
 			\item<2-> Guardian generates ECDSA-keypairs, one per age (group):
 				\[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\]
 			\item<3-> Guardian then \textbf{drops} all private keys
 				$p_i$ for $i > \age$:
 				\[\Big \langle(q_1, p_1),\dots,
 					(q_\age, p_\age),
 					(q_{\age +1}, \red{\Nil}),\dots,
 					(q_\Age, \red{\Nil})\Big\rangle\]
 
 				\begin{itemize}
 					\item $\Vcommitment := (q_1, \dots, q_\Age)$ is the \textit{Commitment},
 					\item $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$ is the \textit{Proof}
 				\end{itemize}
 				\vfill
 			\item<4-> Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$
 				\vfill
 		\end{enumerate}
 	\end{description}
 \end{frame}
 
 \begin{frame}{Instantiation with ECDSA}
 	\framesubtitle{Definitions of Attest and Verify}
 
 	Child has
 	\begin{itemize}
 		\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $,
 		\item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
 	\end{itemize}
 	\begin{description}
 		\item<2->[To \blue{Attest} a minimum age $\blue{\minage} \leq \age$:]~\\
 			Sign a message with ECDSA using private key $p_\blue{\minage}$
 	\end{description}
 
 	\vfill
 
 	\uncover<3->{
 	Merchant gets
 	\begin{itemize}
 		\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $
 		\item Signature $\sigma$
 	\end{itemize}
 	\begin{description}
 		\item<4->[To \blue{Verify} a minimum age $\minage$:]~\\
 			Verify the ECDSA-Signature $\sigma$ with public key $q_\minage$.
 	\end{description}
 	}
 	\vfill
 \end{frame}
 
 \begin{frame}{Instantiation with ECDSA}
 	\framesubtitle{Definitions of Derive and Compare}
 	Child has
 	$\Vcommitment = (q_1, \dots, q_\Age) $ and
 	$\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
 	\begin{description}
 		\item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:]
 			Choose random $\beta\in\Z_g$ and calculate
 			\small
 			\begin{align*}
 				\Vcommitment' &:= \big(\beta * q_1,\ldots,\beta * q_\Age\big),\\
 				\Vpruf' &:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big)
 			\end{align*}
 			Note: $ (\beta p_i)*G = \beta*(p_i*G)  = \beta*q_i$\\
 			\scriptsize $\beta*q_i$ is scalar multiplication on the elliptic curve.
 	\end{description}
 
 		\vfill
 	\uncover<3->{
 		Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$
 	\begin{description}
 		\item[To \blue{Compare}, calculate:]
 			\small
 		$(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)$
 	\end{description}
 	\vfill
 	}
 \end{frame}
 
 \begin{frame}{Instantiation with ECDSA}
 
 	Functions
 	(Commit, Attest, Verify, Derive, Compare)\\
 	as defined in the instantiation with ECDSA\\[0.5em]
 	\begin{itemize}
 		\item meet the basic requirements,\\[0.5em]
 		\item also meet all security requirements.\\
 		Proofs by security reduction, details are in the paper.
 	\end{itemize}
 
 \end{frame}
 
 
 \begin{frame}{Instantiation with ECDSA}
  	\framesubtitle{Full definitions}
  	\scriptsize
 
  \begin{align*}
  	\Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle
  		\overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\;
  		\overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf \text{, length }\Age}
  		\Big\rangle\\
  	\Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:=
  		\begin{cases}
  			\attest_\bage := \Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage] \stackrel{?}{\neq} \Nil\\
  			\Nil & \text{otherwise}
  		\end{cases}\\
  %
  	\Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:= \Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\
  %
  	\Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:=
  		\Big\langle(\beta * q_1,\ldots,\beta * q_\Age),
  		     (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta \Big\rangle \\
  		     & \text{ with } \beta := \FDHg{\omega} \text{ and multiplication } \beta p_i \text{ modulo } g \nonumber\\
  %
  	\Compare_E(\Vcommitment, \Vcommitment', \beta)	&:=
  		\begin{cases}
  			1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\
  			0 & \text{otherwise}
  		\end{cases}
  \end{align*}
 \end{frame}
 
 
 \begin{frame}{Reminder: GNU Taler Fundamentals}
 	\begin{center}
 	\begin{tikzpicture}[scale=.55]
 		\node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$};
 		\node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$};
 		\node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$};
 
 		\draw[<->] (Customer)   to [out=65,in=220] node[sloped,above] {\sf withdraw} (Exchange);
 		\draw[<->] (Customer)   to [out=45,in=240] node[sloped,below] {\sf refresh} (Exchange);
 		\draw[<->] (Customer)   to node[sloped, below] {\sf purchase} (Merchant);
 		\draw[<->] (Merchant) to node[sloped, above] {\sf deposit} (Exchange);
 	\end{tikzpicture}
 	\end{center}
 
 	\vfill
 	\begin{itemize}
 		\item Coins are public-/private key-pairs $(C_p, c_s)$.
 		\item Exchange blindly signs $\FDH(C_p)$ with denomination key $d_p$
 		\item Verification:
 		\begin{eqnarray*}
 			1  &\stackrel{?}{=}&
 			\mathsf{SigCheck}\big(\FDH(C_p), D_p, \sigma_p\big)
 		\end{eqnarray*}
 		\scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature)
 
 	\end{itemize}
 \end{frame}
 
 \begin{frame}{Integration with GNU Taler}
 	\framesubtitle{Binding age restriction to coins}
 
 	To bind an age commitment $\commitment$ to a coin $C_p$, instead of
 	signing $\FDH(C_p)$, $\Exchange$ now blindly signs
 	\begin{center}
 		$\FDH(C_p, \orange{H(\commitment)})$
 	\end{center}
 
 	\vfill
 	Verfication of a coin now requires $H(\commitment)$, too:
 	\begin{center}
 		$1  \stackrel{?}{=}
 		\mathsf{SigCheck}\big(\FDH(C_p, \orange{H(\commitment)}), D_p, \sigma_p\big)$
 	\end{center}
 	\vfill
 \end{frame}
 
 \begin{frame}{Integration with GNU Taler}
 	\framesubtitle{Integrated schemes}
 	\fontsize{8pt}{9pt}\selectfont
 	\begin{tikzpicture}[scale=.9]
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:0) (Client)   {$\Child$};
 		\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
 		\node[circle,minimum size=25pt,fill=black!15] at (  0:5) (Merchant) {$\Merchant$};
 		\node[circle,minimum size=25pt,fill=blue!15]  at (130:3) (Guardian) {$\Guardian$};
 
 		\draw[<->] (Guardian)   to  node[sloped,above,align=center]
 			{{\sf withdraw}\orange{, using}\\ $\FDH(C_p\orange{, H(\commitment)})$} (Exchange);
 		\draw[<->] (Client)   to node[sloped,below,align=center]
 			{{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange);
 		\draw[<->] (Client)   to node[sloped, below]
 			{{\sf purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant);
 		\draw[<->] (Merchant) to node[sloped, above]
 			{{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange);
 
 		\draw[->] (Guardian)   to [out=70,in=150, loop] node[above]
 			{$\Commit(\age)$} (Guardian);
 		\draw[->] (Guardian)   to node[below,sloped]
 			{($\commitment$, $\pruf_\age$)} (Client);
 		\draw[->,blue] (Client)   to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
 		\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
 			{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
 	\end{tikzpicture}
 \end{frame}
 
 \begin{frame}{Instantiation with Edx25519}
 	Paper also formally defines another signature scheme: Edx25519.\\[1em]
 
 	\begin{itemize}
 		\item Scheme already in use in GNUnet,
 		\item based on EdDSA (Bernstein et al.),
 		\item generates compatible signatures and
 		\item allows for key derivation from both, private and public keys, independently.
 	\end{itemize}~\\[1em]
 
 	Current implementation of age restriction in GNU Taler uses Edx25519.
 \end{frame}
 
 
 \begin{frame}{Age Restrictions based on KYC}
  Subsidiarity requires bank accounts being owned by adults.
 			\begin{itemize}
 			\item Scheme can be adapted to case where minors have bank accounts
 				\begin{itemize}
 					\item Assumption: banks provide minimum age
 						information during bank
 						transactions.
 					\item Child and Exchange execute a variant of
 						the cut\&choose protocol.
 				\end{itemize}
 			\end{itemize}
 \end{frame}
 
 
 \begin{frame}{Discussion}
 	\begin{itemize}
 		\item Our solution can in principle be used with any token-based payment scheme
 		\item GNU Taler best aligned with our design goals (security, privacy and efficiency)
 		\item Subsidiarity requires bank accounts being owned by adults
 			\begin{itemize}
 			\item Scheme can be adapted to case where minors have bank accounts
 				\begin{itemize}
 					\item Assumption: banks provide minimum age
 						information during bank
 						transactions.
 					\item Child and Exchange execute a variant of
 						the cut\&choose protocol.
 				\end{itemize}
 			\end{itemize}
 		\item Our scheme offers an alternative to identity management systems (IMS)
 	\end{itemize}
 \end{frame}
 
 
 \begin{frame}{Related Work}
 	\begin{itemize}
 		\item Current privacy-perserving systems all based on attribute-based credentials (Koning et al., Schanzenbach et al., Camenisch et al., Au et al.)
 		\item Attribute-based approach lacks support:
 			\begin{itemize}
 				\item Complex for consumers and retailers
 				\item Requires trusted third authority
 			\end{itemize}
 		\vfill
 		\item Other approaches tie age-restriction to ability to pay ("debit cards for kids")
 			\begin{itemize}
 				\item Advantage: mandatory to payment process
 				\item Not privacy friendly
 			\end{itemize}
 	\end{itemize}
 \end{frame}
 
 
 \begin{frame}{Conclusion}
 	Age restriction is a technical, ethical and legal challenge.
 
 	Existing solutions are
 	\begin{itemize}
 		\item without strong protection of privacy or
 		\item based on identity management systems (IMS)
 	\end{itemize}
 	\vfill
 
 	Our scheme offers a solution that is
 	\begin{itemize}
 		\item based on subsidiarity
 		\item privacy preserving
 		\item efficient
 		\item an alternative to IMS
 	\end{itemize}
 \end{frame}
 
 
 \section{Future Work \& Conclusion}
 
 \begin{frame}
   \vfill
   \begin{center}
     {\bf Future Work \& Conclusion}
   \end{center}
   \vfill
 \end{frame}
 
 
 \begin{frame}{Use Case: Journalism}
   Today:
   \begin{itemize}
     \item Corporate structure % ($\Rightarrow$ filter)
     \item Advertising primary revenue % ($\Rightarrow$ dependence)
     \item Tracking readers critical for business success
     \item Journalism and marketing hard to distinguish
   \end{itemize}\vfill\pause
   With GNU Taler:
   \begin{itemize}
     \item One-click micropayments per article
     \item Hosting requires no expertise % (no PCI DSS)
     \item Reader-funded reporting separated from marketing
     \item Readers can remain anonymous
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Taler: Project Status}
 \framesubtitle{\url{https://docs.taler.net/}}
 \begin{itemize}
     \item Cryptographic protocols and core exchange component are stable
     \item Pilot project at Bern University of Applied Sciences cafeteria
     \item Netzbon (regional currency) in Basel launched
     \item Taler Operations AG live Swiss-wide
     \item Internal alpha deployment with GLS Bank (Germany)
     \item Internal alpha deployment with Magnet Bank (Hungary)
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Competitor comparison}
   \begin{center} \small
     \begin{tabular}{l||c|c|c|c|c}
                 & Cash     & Bitcoin    & Zerocoin  & Creditcard & GNU Taler  \\ \hline \hline
     Online      &$-$$-$$-$ &   ++       &    ++     &     +      &   +++      \\ \hline
     Offline     & +++      &   $-$$-$   &    $-$$-$ &     +      &   $+$$+$   \\ \hline
     Trans. cost & +        & $-$$-$$-$  & $-$$-$$-$ &     $-$    &   ++       \\ \hline
     Speed       & +        & $-$$-$$-$  & $-$$-$$-$ &     o      &   ++       \\ \hline
     Taxation    & $-$      &   $-$$-$   & $-$$-$$-$ &    +++     &  +++       \\ \hline
     Payer-anon  &  ++      &   o        &    ++     &  $-$$-$$-$ &  +++       \\ \hline
     Payee-anon  & ++       &   o        &    ++     &  $-$$-$$-$ &  $-$$-$$-$ \\ \hline
     Security    &  $-$     &   o        &    o      &    $-$$-$  &  ++        \\ \hline
     Conversion  & +++      &  $-$$-$$-$ & $-$$-$$-$ &    +++     &  +++       \\ \hline
     Libre       &  $-$     &  +++       &    +++    & $-$ $-$ $-$&  +++       \\
   \end{tabular}
   \end{center}
 \end{frame}
 
 
 \begin{frame}{Other ongoing developments}
   \begin{itemize}
     \item Privacy-preserving auctions (trading, currency exchange) ({\tt oezguer@taler.net})
     \item Hardware and software support for embedded systems ({\tt mikolai@taler.net})
     \item Tax-deductable receipts for donations to charities (donau.git)
     \item Unlinkable anonymous subscriptions and discount tokens ({\tt ivan@taler.net})
     \item Support for illiterate and innumerate users\footnote{Background: \url{https://myoralvillage.org/}}
          ({\tt marc@taler.net})
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{Open Challanges}
   \begin{itemize}
     \item Try to explain this to lawyers and AML staff of banks
     \item What are convincing arguments for citizens to switch?
     \item How to address anti-competitive cash-back from card payments?
     \item $\ldots$
   \end{itemize}
 \end{frame}
 
 
 \begin{frame}{How to support?}
   \begin{description}
     \item[Join:] {\small \url{https://lists.gnu.org/mailman/listinfo/taler}}
     \item[Discuss:] {\small \url{https://ich.taler.net/}}
     \item[Develop:] \url{https://bugs.taler.net/}, \url{https://git.taler.net/}
     \item[Apply:] \url{https://nlnet.nl/propose}, \url{https://nlnet.nl/taler}
     \item[Translate:] \url{https://weblate.taler.net/}, \url{translation-volunteer@taler.net}
     \item[Integrate:] \url{https://docs.taler.net/}
     \item[Donate:] \url{https://gnunet.org/ev}
     \item[Partner:] \url{https://taler-systems.com/}
   \end{description}
 \end{frame}
 
 
 \begin{frame}{Conclusion}
   \begin{center}
     {\bf  What can we do?}
    \end{center}
   \vfill
 \begin{itemize}
  \item{Suffer mass-surveillance enabled by credit card oligopolies with high fees, and}
  \item{Engage in arms race with deliberately unregulatable blockchains}
 % \item{Enjoy the ``benefits'' of cash \\
 %  \hfill  \includegraphics[height=0.3\textheight]{atm-rupee.jpg} \hfill}
 \end{itemize}
 \vfill
 \begin{center}
   {\bf OR}
 \end{center}
 \vfill
 \begin{itemize}
  \item{Establish free software alternative balancing social goals!}
 \end{itemize}
 \vfill
 \end{frame}
 
 
 
 \section*{References}
 \begin{frame}[allowframebreaks]{References}
 \bibliographystyle{plain}
 \bibliography{ref,extra,rfc,biblio-defqa}
 \end{frame}
 
 
 % This should be last...
 \begin{frame}{Acknowledgments}
 
   \begin{minipage}{0.45\textwidth} \ \\
     {\tiny Funded by the European Union (Project 101135475).}
 
     \begin{center}
       \includegraphics[width=0.5\textwidth]{../bandera.jpg}
     \end{center}
   \end{minipage}
   \hfill
   \begin{minipage}{0.45\textwidth}
     {\tiny Funded by SERI (HEU-Projekt 101135475-TALER).}
 
     \begin{center}
       \includegraphics[width=0.65\textwidth]{../sbfi.jpg}
     \end{center}
   \end{minipage}
 
   \vfill
 
   {\tiny
 
     Views and opinions expressed are however those of the author(s) only
     and do not necessarily reflect those of the European Union. Neither the
     European Union nor the granting authority can be held responsible for
     them.
 
   }
 \end{frame}
 
 
 \end{document}
 
 
 
 \begin{frame}{Future work}
   \begin{itemize}
     \item Performance improvements for RSA in FLOSS crypto libraries
     \item Integrate with e-ID for easier \& cheaper KYC
     \item Buy anonymous pre-paid debit cards on-demand with Taler wallet
     \item Implement PQC across the stack (with cipher agility, where possible with additive security)
   \end{itemize}
 \end{frame}