marketing

refresh.tex (31780B)

---

 
 \begin{frame}{Giving change}
   \note[item]{Taler issues digital cash using blind signatures, where each
   signature conveys the respective coin a particular value.}
   It would be inefficient to pay EUR 100 with 1 cent coins!
   \note[item]{We want to avoid cryptographic expenses linear in the amount being paid!}
   \begin{itemize}
   \item Denomination key represents value of a coin.
   \item Exchange may offer various denominations.
   \item Wallet may not have exact change!
   \item Must be able to pay given sufficient total funds.
   \end{itemize}\pause
   Key goals:
   \begin{itemize}
   \item maintain unlinkability
   \item maintain taxability of transactions
   \end{itemize}\pause
   Method:
   \begin{itemize}
     \item Contract can specify to pay {\em partial value} of a coin.
     \item Allow wallet to obtain {\em unlinkable change}.
   \end{itemize}
   \note[item]{Thus we need a way to get change, but doing so must not void our security
     assurances, specifically unlinkability (and anonymity) for the payer, and income
     transparency for the payee.}
   \note[item]{The high-level approach for getting change is pretty simple: when paying
     with a coin, the (EdDSA) coin signature can specify that not the full value of the coin
     is to be spent, but only a fraction.  The exchange then allows a wallet to request
     change by creating a second signature using the partially spent coin's private (EdDSA)
     key over a change request with fresh (blinded) digital coins that total up to the
     amount of change that is due.}
 \end{frame}
 
 
 \begin{frame}{Unique Signatures}
   \vfill
   \begin{minipage}{8cm}
     \begin{itemize}
     \item Some public key operations depend on a nonce or ``random'' value
       \begin{itemize}
       \item Ex.: DSA/ECDSA (signing)
       \item[+] same plaintext, different ciphertext
       \item[-] security may break on nonce-reuse
       \end{itemize}
     \item Generating the nonce deterministically by hashing all inputs
       (see also: Fiat-Shamir transformation) can make these algorithms
       {\bf deterministic}
       \begin{itemize}
       \item Ex.: EdDSA
       \end{itemize}
     \item If only one form of a valid signature exists and the verifier
       can check this, a signature is {\bf unique}.
       \begin{itemize}
       \item Ex.: RSA, Verifiable Random Func.
       \end{itemize}
     \end{itemize}
    \end{minipage}
   \begin{minipage}{4cm}
     {\small Unique signatures:}
     \begin{center}
       \includegraphics[width=0.5\textwidth]{ecollect.jpeg}
 
       $=$
 
       \includegraphics[width=0.5\textwidth]{unisig.pdf}
     \end{center}
   \end{minipage}
   \vfill
   \note[item]{Before we can introduce the change protocol, we need to consider that
     not all cryptographic signatures are unique.}
   \note[item]{Following modern approach to e-collecting, we will use the image on
     the right to illustrate {\bf unique} signatures.}
   \note[item]{Replacing random inputs or nonces with hashes is a common trick to
     make signature algorithms deterministic, but not usually unique.}
 \end{frame}
 
 
 \begin{frame}{Verifiable Random Functions}
   Micali, Rabin, \& Vadhan (1999) proposed verifiable random functions.
 
   \vfill
 
   Let $M$ be some input.
   \begin{itemize}
     \item $(sk,pk) := VRF_{keygen}()$
     \item {\em Verifier} picks $M$
     \item $(v,p) := VRF_{sign}(M, sk)$
     \item $v$ is deterministic, unpredictable and high-entropy
           for any $M$ and $sk$, and $(v,p)$ can only be computed with $sk$
     \item $VRF_{verify}(M, pk, v, p)$ returns true only if $v$ was computed correctly
     \item $sk$ cannot be derived from $M$, $pk$, $v$ and $p$
   \end{itemize}
   \vfill
   \note[item]{A VRF is equivalent to a unique signature: only
     the signer can produce it, the verifier can check but not compute it.
     The only differences are that with a unique signature
     usually the signer picks $M$, and the signature is not
     then hashed to produced pseudo-random data. But one can
     always use a unique signature to construct a VRF and vice-versa.}
 \end{frame}
 
 
 
 \begin{frame}{Straw-man solution}
   \begin{minipage}{7.5cm}
     {\small Given partially spent private coin key $c_{old}$:}
    \begin{enumerate}
 %    \item Let $C_{old} := c_{old}G$ (as before)
     \item Pick random $c_{new} \mod o$ private key
     \item Compute $C_{new} := c_{new}G$ public key
     \item Pick random $b_{new}$
     \item Compute $f_{new} := FDH(C_{new})$, $m < n$.
     \item Transmit $f'_{new} := f_{new} b_{new}^e \mod n$
    \end{enumerate}
    ... and sign request for change with $c_{old}$.
    \end{minipage}
   \begin{minipage}{3cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (blinded) [def, draw=none]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (planchet) [def, draw=none, above left= of blinded]  {\includegraphics[width=0.15\textwidth]{planchet.pdf}};
     \node (cnew) [def, draw=none, above= of planchet]  {$c_{new}$};
     \node (bnew) [def, draw=none, above right= of blinded]  {$b_{new}$};
     \node (dice1) [def, draw=none, above = of cnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dice2) [def, draw=none, above = of bnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (exchange) [def, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (cnew) -- (dice1) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (planchet) -- (cnew) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bnew) -- (dice2) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bnew) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
   \note[item]{A straw-man solution is one that does not work, but still could be useful to illuminate the issue.}
   \note[item]{Here, the protocol allows users to obtain change ($c_{new}$) by signing the request for
     change (the envelope) with an old coin $c_{old}$ that has some residual value from a previous
     purchase (that signature is not shown).}
   \note[item]{{\bf Problem}: Owner of $c_{new}$ may differ from owner of $c_{old}$ breaks income-transparency / enables
     tax evasion!}
 \end{frame}
 
 
 \begin{frame}{Customer: Transfer setup (UNISIG)} \label{page:transfersetup}
   \begin{minipage}{7.5cm}
     {\small Given partially spent private coin key $c_{old}$:}
    \begin{enumerate}
     \item Let $C_{old} := c_{old}G$ (as before)
     \item Create random nonce $t$
     \item Compute unique signature $X := UNISIG_{c_{old}}(t)$
     \item Derive $c_{new}$ and $b_{new}$ from $X$ using HKDF
     \item Compute $C_{new} := c_{new}G$
     \item Compute $f_{new} := FDH(C_{new})$
     \item Transmit $f_{new}' := f_{new} b_{new}^e$
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{3cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t$};
     \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (X) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{unisig.pdf}};
     \node (d) [def, draw=none, above left= of X]  {$c_{old}$};
     \node (cp) [def, draw=none, below left= of X]  {$c_{new}$};
     \node (bp) [def, draw=none, below right= of X]  {$b_{new}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (exchange) [def, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (X) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (X) -- (t) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (X) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (X) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
   \note[item]{In this construction, we {\em derive} the blinding factor $b_{new}$ and
     the private key of the new coin $c_{new}$ from the DH of the $c_{old}$ and a newly
     created transfer key $t$. Note that it is a bit unusual but perfectly find that
     we here have {\bf both} private keys to compute the DH.}
   \note[item]{The resulting blinded public key of the new coin
     (public key derivation and blinding are elided to keep the diagram concise) is
     then signed with $c_{old}$ to request change.}
   \note[item]{This approach has an obvious problem: from the perspective of the
     Exchange, we cannot even tell that the user followed this procedure as the
     resulting request with the blinded coin is indistinguishable from the previous
     construction.}
 \end{frame}
 
 
 \begin{frame}{Cut-and-Choose}
   \begin{minipage}{3cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.05em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t_1$};
     \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{unisig.pdf} ($X_1$)};
     \node (d) [def, draw=none, above left= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,1}$};
     \node (bp) [def, draw, below right= of dh, draw=none, align=left]  {$\hspace{-1.5em}b_{new,1}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (exchange) [def, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
   \hfill
   \begin{minipage}{3cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.05em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t_2$};
     \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{unisig.pdf} ($X_2$)};
     \node (d) [def, draw=none, above left= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,2}$};
     \node (bp) [def, draw, below right= of dh, draw=none, align=left]  {$\hspace{-1.5em}b_{new,2}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (exchange) [def, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
   \hfill
   \begin{minipage}{3cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.05em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t_3$};
     \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dh) [def, draw=none, below left=of t]{\includegraphics[width=0.2\textwidth]{unisig.pdf} ($X_3$)};
     \node (d) [def, draw=none, above left= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,3}$};
     \node (bp) [def, draw, below right= of dh, draw=none, align=left]  {$\hspace{-1.5em}b_{new,3}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (exchange) [def, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
   \note[item]{This DH-construction thus obviously does not work, so in the usual
     approach of an insane person, we don't just do it once, but three times
     using three different transfer keys $t_1$, $t_2$, and $t_3$ instead of just $t$.}
   \note[item]{Now, before you decide that we have just gone mad, this is actually
     a well-known technique called {\bf cut-and-choose}. Here, we do a protocol
     step multiple times to basically be able to {\bf burn} some of these iterations
     to {\bf prove} our honesty.}
   \note[item]{There are also {\bf non-interactive} cut-and-choose protocols, but
     this one is a simple interactive one.}
 \end{frame}
 
 
 \begin{frame}{Exchange: Choose!}
    \begin{center}
     \item Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the customer.
     \end{center}
   \note[item]{This is the typical interaction: the Exchange picks one of the
     three at random, basically deciding on which iterations to challenge the
     wallet's honesty.}
   \note[item]{$\gamma$ primarily needs to be {\bf unpredictable} for the wallet.}
   \note[item]{Note that the protocol has a security parameter $\kappa=3$, and
     so the wallet could guess correctly in $\frac{1}{3}$ of the cases. Usually
     in security we would think of this to be way too low, and you will see much
     higher values in other cut-and-choose protocols. But, we will see why
     $\kappa=3$ is actually enough for GNU Taler!}
 \end{frame}
 
 
 \begin{frame}{Customer: Reveal}
   \vfill
    \begin{enumerate}
    \item If $\gamma = 1$, send $\langle t_2, X_2 \rangle$, $\langle t_3, X_3 \rangle$ to exchange
    \item If $\gamma = 2$, send $\langle t_1, X_1 \rangle$, $\langle t_3, X_3 \rangle$ to exchange
    \item If $\gamma = 3$, send $\langle t_1, X_1 \rangle$, $\langle t_2, X_2 \rangle$ to exchange
   \end{enumerate}
   \vfill
   \note[item]{So given the $\gamma$ challenge value, the wallet
     has to send back the $t_i$ values for $i\not=\gamma$.}
 \end{frame}
 
 
 \begin{frame}{Exchange: Verify ($\gamma = 2$)}
   \begin{minipage}{3cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (h) [def, draw=none] at (0,0) {$t_1$};
     \node (dh) [def, draw=none, below left=of h]{\includegraphics[width=0.2\textwidth]{univerify.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$C_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,1}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new,1}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
   \hfill
   \begin{minipage}{3cm}
  \
   \end{minipage}
   \hfill
   \begin{minipage}{3cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (h) [def, draw=none] at (0,0) {$t_3$};
     \node (dh) [def, draw=none, below left=of h]{\includegraphics[width=0.2\textwidth]{univerify.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$C_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new,3}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new,3}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
   \note[item]{Given those two values the exchange can {\bf validate} the
     construction as it can compute the DH from the {\bf transfer private keys} $t_i$
     and the {\bf coin public key} $C_{old}$.}
   \note[item]{If the result matches with the original request from the wallet,
     the exchange has established that with $\frac{2}{3}$ probability the wallet
     made an honest request for change following the prescribed construction.}
   \note[item]{If the wallet is unable (or unwilling) to produce the required
     $t_i$ values, or if the resulting blinded values do not match, the entire
     change is forfeit, and the customer looses their money.}
   \note[item]{Thus, trying to cheat on income-transparency is punished with
     what amounts to a {\bf 66.67\% tax}.  Thus, a security level of $\kappa$
     is sufficient as long as the {\em effective} income tax (after deductions,
     on the full income) is below $\frac{\kappa - 1}{\kappa}$.
     Taler always uses $\kappa=3$.}
 \end{frame}
 
 
 \begin{frame}{Exchange: Blind sign change (RSA)}
    \begin{minipage}{5cm}
     \begin{enumerate}
     \item Take $f_{new,\gamma}'$.
     \item Compute \\
           $s' := f_{new,\gamma}'^d \mod n$.
     \item Return signature $s'$.
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{5cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (hammer) [def, draw=none] at (0,0) {\includegraphics[width=0.15\textwidth]{hammer.pdf}};
     \node (signed) [def, draw=none, below left=of hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
     \node (blinded) [def, draw=none, above left=of signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (customer) [node distance=4em and 0.5em, draw, below =of signed]{Customer};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (customer) -- (signed) node [midway, right] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
   \note[item]{If the customer's request did follow the DH-construction, the exchange takes the
     third envelope, the one where $t_\gamma$ was not disclosed, and signs this one to issue the
     change.}
 \end{frame}
 
 
 \begin{frame}{Customer: Unblind change (RSA)}
   \vfill
   \begin{minipage}{7cm}
    \begin{enumerate}
     \item Receive $s'$.
     \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$.
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{5cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$};
     \node (coin) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
     \node (signed) [def, draw=none, above left=of coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
   \vfill
   \note[item]{As with the ordinary blind-signature based withdraw, the customer can
     then unblind the signature and has a valid coin.}
   \note[item]{Without knowledge of $c_{old}$ or $t_\gamma$, the coins derived from this
     process are indistinguishable from coins that were withdrawn directly from an account.}
   \note[item]{Most importantly, without knowledge of $t_\gamma$ or $c_{old}$,
     the $c_{new}$ is unlinkable to $c_{old}$.}
 \end{frame}
 
 \begin{frame}{Exchange: Allow linking change}
   \begin{minipage}{5cm}
     \begin{center}
     Given $C_{old}$
 
     \vspace{1cm}
 
     return $t_\gamma$ and
     \begin{equation*}
       s := s' b_{new,\gamma}^{-1} \mod n.
     \end{equation*}
   \end{center}
    \end{minipage}
   \begin{minipage}{5cm}
    \begin{tikzpicture}
     \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer sep=.3em];
     \node (co) [def, draw=none] at (0,0) {$C_{old}$};
     \node (T) [def, draw=none, below left=of co]{$t_\gamma$};
     \node (sign) [def, draw=none, below right=of co]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
     \node (customer) [def, draw, below right=of T] {Customer};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode) {link};
     \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode) {link};
   \end{tikzpicture}
   \end{minipage}
   \note[item]{But, how does this address the issue that $c_{old}$ may have a different
     owner from $c_{new,\gamma}$? Well, so far it does not! In principle, the envelope can
     easily be constructed by someone who was not the original owner of $c_{old}$.}
   \note[item]{So how does this help? Well, the exchange has one more sub-protocol,
     which is the {\bf link} protocol. Given the old coin's public key, $C_{old}$,
     it returns $t_\gamma$, the {\bf public transfer key}, and the blind signature
     over the new coin that was rendered as change.}
   \note[item]{Note that this is a request that the owner of $c_{old}$ can always
     trivially make, as they know $C_{old}$.}
   \note[item]{So how does that help?}
 \end{frame}
 
 
 \begin{frame}{Customer: Link (threat!)}
   \begin{minipage}{6.5cm}
    \begin{enumerate}
     \item Have $c_{old}$.
     \item Obtain $T_\gamma$, $s$ from exchange
     \item Compute $X_\gamma = UNISIG_{c_{old}}(t_\gamma)$
     \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$
     \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$
   \end{enumerate}
    \end{minipage}
   \begin{minipage}{6.5cm}
   \begin{tikzpicture}
   \tikzstyle{def} = [node distance= 0.75em and 1em, inner sep=0em, outer sep=.3em];
     \node (T) [def, draw=none] at (0,0) {$t_\gamma$};
     \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange};
     \node (signed) [def, draw=none, below left=of T]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
     \node (dh) [def, draw=none, below right=of T]{\includegraphics[width=0.2\textwidth]{unisig.pdf} ($X_\gamma$)};
     \node (bp) [def, draw=none, below left= of dh]  {$b_{new,\gamma}$};
     \node (co) [def, draw=none, above right= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below right= of dh]  {$c_{new,\gamma}$};
     \node (coin) [def, draw=none, below left = of bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
     \node (psign) [def, node distance=1.5em and 0em, draw=none, below = of cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode) {link};
     \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped] (TextNode) {link};
     \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{minipage}
   \note[item]{Well, given these two values, the owner of the original $c_{old}$ can
     {\bf again} compute the UNISIG (from $c_{old}$ and $t_\gamma$), and then
     also derive $c_{new,\gamma}$ and also unblind the exchange's signature using $b_{new,\gamma}$.}
   \note[item]{As a result, the owner of the old coin can always compute the change,
     and thus is effectively {\bf also} always an owner of the change rendered!}
   \note[item]{Thus, we have {\bf reduced} the possibility of abusing the change
     protocol for a transaction that would result in a {\bf mutually exclusive transfer
     of ownership} to the case where the ownership of the change is {\bf shared}.}
   \note[item]{But, we previously explained that {\bf sharing} is not something we can
     or would care to prevent, so the change protocol does not weaken income transparency.}
 \end{frame}
 
 
 \begin{frame}{VRF vs. Dold'19 with Diffie-Hellman (ECDH)}
   VRF/unique signatures are {\em slightly} stronger than required!
 
   \begin{minipage}{7cm}
    \begin{enumerate}
     \item Create private keys $c,t \mod o$
     \item Define $C = cG$
     \item Define $T = tG$
     \item Compute DH \\ $cT = c(tG) = t(cG) = tC$
     \item Sign $T$ with EdDSA:
       DH is unique, with EdDSA we have a signature,
       $t$ allows verifier to check!
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{5cm}
     \begin{center}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t$};
     \node (ct) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{dh.pdf}};
     \node (c) [def, draw=none, above left= of ct]  {$c$};
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (ct) -- (c) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (ct) -- (t) node [midway, above, sloped] (TextNode) {};
   \end{tikzpicture}
   \end{center}
   \end{minipage}
 \end{frame}
 
 
 \begin{frame}{Transfer setup with ECDH-based Refresh}
   \begin{minipage}{7.5cm}
     {\small Given partially spent private coin key $c_{old}$:}
    \begin{enumerate}
     \item Let $C_{old} := c_{old}G$ (as before)
     \item Create random private transfer key $t \mod o$
     \item Compute $T := tG$
     \item Compute $X := c_{old}(tG) = t(c_{old}G) = tC_{old}$
     \item Derive $c_{new}$ and $b_{new}$ from $X$
     \item Compute $C_{new} := c_{new}G$
     \item Compute $f_{new} := FDH(C_{new})$
     \item Transmit $f_{new}' := f_{new} b_{new}^e$
     \end{enumerate}
    \end{minipage}
   \begin{minipage}{3cm}
   \begin{tikzpicture}
    \tikzstyle{def} = [node distance= 1em and 0.5em, inner sep=0em, outer sep=.3em];
     \node (t) [def, draw=none] at (0,0) {$t$};
     \node (dice) [def, draw=none, above = of t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
     \node (dh) [def, draw=none, below left=of b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
     \node (d) [def, draw=none, above left= of dh]  {$c_{old}$};
     \node (cp) [def, draw=none, below left= of dh]  {$c_{new}$};
     \node (bp) [def, draw=none, below right= of dh]  {$b_{new}$};
     \node (blinded) [def, draw=none, below right=of cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
     \node (exchange) [node distance=1.5em and 0.5em, draw, below =of blinded]{Exchange};
 
     \tikzstyle{C} = [color=black, line width=1pt]
 
     \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
     \draw [<-, C] (exchange) -- (blinded) node [midway, right] (TextNode) {{\small transmit}};
   \end{tikzpicture}
   \end{minipage}
   \note[item]{This is the Dold'19 replacement for slide~\pageref{page:transfersetup}.}
 \end{frame}
 
 
 \begin{frame}{Refresh protocol summary}
   \begin{itemize}
   \item Customer asks exchange to convert old coin to new coin
   \item Protocol ensures new coins can be recovered from old coin
   \item[$\Rightarrow$] New coins are owned by the same entity!
   \end{itemize}
   Thus, the refresh protocol allows:
   \begin{itemize}
   \item To give unlinkable change.
   \item To give refunds to an anonymous customer.
   \item To expire old keys and migrate coins to new ones.
   \item To handle protocol aborts.
   \end{itemize}
   \noindent
   \begin{center}
    { \bf
    Transactions via refresh are equivalent to {\em sharing} a wallet. }
   \end{center}
   \note[item]{In Taler, the overall protocol is called the {\bf refresh} protocol,
     not the {\bf change} protocol, as it has uses beyond getting unlinkable change.}
   \note[item]{A merchant can grant a refund to an anonymous
     customer by telling the exchange to nullify the original deposit. Then
     the anonymous owner of the original coin can obtain the refund
     via the refresh protocol.}
   \note[item]{If a coin is about to expire (because the exchange
     only accepts deposits for a certain denomination key for a limited amount of time),
     the refresh protocol can be used to obtain fresh coins, signed with the current
     denomination key. This is like rolling over to a fresh series of bank notes.}
   \note[item]{Finally, we can handle situations where the customer did try to spend
     digital cash, but then the message was lost, say due to a power outage, before
     the transaction was actually completed. But, the customer might not be sure that
     nobody else saw the public key of the coin! So, to ensure that transactions
     remain unlinkable (and that the merchant cannot deposit the coin later), the
     wallet can again use the refresh protocol.}
 \end{frame}