[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[GNUnet-SVN] [taler-marketing] branch master updated: bankerdemia draft
|
From: |
gnunet |
|
Subject: |
[GNUnet-SVN] [taler-marketing] branch master updated: bankerdemia draft |
|
Date: |
Thu, 09 May 2019 20:10:46 +0200 |
This is an automated email from the git hooks/post-receive script.
grothoff pushed a commit to branch master
in repository marketing.
The following commit(s) were added to refs/heads/master by this push:
new 38ea914 bankerdemia draft
38ea914 is described below
commit 38ea9140024fba3aeb535cff0d74e411a5a11432
Author: Christian Grothoff <address@hidden>
AuthorDate: Thu May 9 20:10:44 2019 +0200
bankerdemia draft
---
presentations/comprehensive/bankademia.tex | 994 +++++++++++++++++++++++++++++
1 file changed, 994 insertions(+)
diff --git a/presentations/comprehensive/bankademia.tex
b/presentations/comprehensive/bankademia.tex
new file mode 100644
index 0000000..22b7155
--- /dev/null
+++ b/presentations/comprehensive/bankademia.tex
@@ -0,0 +1,994 @@
+\pdfminorversion=3
+\documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer}
+\usepackage{amsmath}
+\usepackage{multimedia}
+\usepackage[utf8]{inputenc}
+\usepackage{framed,color,ragged2e}
+\usepackage[absolute,overlay]{textpos}
+\definecolor{shadecolor}{rgb}{0.8,0.8,0.8}
+\usetheme{boxes}
+\setbeamertemplate{navigation symbols}{}
+\usepackage{xcolor}
+\usepackage{tikz,eurosym}
+\usepackage[normalem]{ulem}
+\usepackage{listings}
+
+% CSS
+\lstdefinelanguage{CSS}{
+ basicstyle=\ttfamily\scriptsize,
+
keywords={color,background-image:,margin,padding,font,weight,display,position,top,left,right,bottom,list,style,border,size,white,space,min,width,
transition:, transform:, transition-property, transition-duration,
transition-timing-function},
+ sensitive=true,
+ morecomment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ morestring=[b]',
+ morestring=[b]",
+ alsoletter={:},
+ alsodigit={-}
+}
+
+% JavaScript
+\lstdefinelanguage{JavaScript}{
+ basicstyle=\ttfamily\scriptsize,
+ morekeywords={typeof, new, true, false, catch, function, return, null,
catch, switch, var, if, in, while, do, else, case, break},
+ morecomment=[s]{/*}{*/},
+ morecomment=[l]//,
+ morestring=[b]",
+ morestring=[b]'
+}
+
+\lstdefinelanguage{HTML5}{
+ basicstyle=\ttfamily\scriptsize,
+ language=html,
+ sensitive=true,
+ alsoletter={<>=-},
+ morecomment=[s]{<!-}{-->},
+ tag=[s],
+ otherkeywords={
+ % General
+ >,
+ % Standard tags
+ <!DOCTYPE,
+ </html, <html, <head, <title, </title, <style, </style, <link, </head,
<meta, />,
+ % body
+ </body, <body,
+ % Divs
+ </div, <div, </div>,
+ % Paragraphs
+ </p, <p, </p>,
+ % scripts
+ </script, <script,
+ % More tags...
+ <canvas, /canvas>, <svg, <rect, <animateTransform, </rect>, </svg>, <video,
<source, <iframe, </iframe>, </video>, <image, </image>
+ },
+ ndkeywords={
+ % General
+ =,
+ % HTML attributes
+ charset=, src=, id=, width=, height=, style=, type=, rel=, href=,
+ % SVG attributes
+ fill=, attributeName=, begin=, dur=, from=, to=, poster=, controls=, x=, y=,
repeatCount=, xlink:href=,
+ % CSS properties
+ margin:, padding:, background-image:, border:, top:, left:, position:,
width:, height:,
+ % CSS3 properties
+ transform:, -moz-transform:, -webkit-transform:,
+ animation:, -webkit-animation:,
+ transition:, transition-duration:, transition-property:,
transition-timing-function:,
+ }
+}
+
+\lstdefinelanguage{JavaScript}{
+ basicstyle=\ttfamily\scriptsize,
+ keywords={typeof, new, true, false, catch, function, return, null, catch,
switch, var, if, in, while, do, else, case, break, for},
+ keywordstyle=\color{blue}\bfseries,
+ ndkeywords={class, export, boolean, throw, implements, import, this},
+ ndkeywordstyle=\color{darkgray}\bfseries,
+ identifierstyle=\color{black},
+ sensitive=false,
+ comment=[l]{//},
+ morecomment=[s]{/*}{*/},
+ commentstyle=\color{purple}\ttfamily,
+ stringstyle=\color{red}\ttfamily,
+ morestring=[b]',
+ morestring=[b]"
+}
+
+\usetikzlibrary{shapes,arrows}
+\usetikzlibrary{positioning}
+\usetikzlibrary{calc}
+
+\title{Surviving Private Key Compromise in Centrally Banked Electronic
Currencies}
+%\subtitle{}
+
+\setbeamertemplate{navigation symbols}{\includegraphics[width=1cm]{inria.pdf}
\includegraphics[width=0.5cm]{gnu.png}
\includegraphics[width=3cm]{bfh.png}\hfill}
+%\setbeamercovered{transparent=1}
+
+\author[C. Grothoff]{J. Burdges, F. Dold, {\bf C. Grothoff}, M. Stanisci}
+\date{\today}
+\institute{The GNU Project}
+
+
+\begin{document}
+
+\justifying
+
+\begin{frame}
+ \begin{center}
+ {\bf Surviving Private Key Compromise in Centrally Banked Electronic
Currencies}
+
+ \vfill
+
+ \LARGE {\bf GNU}
+
+ \vfill
+% \includegraphics[width=0.66\textwidth]{logo-2017-fr.pdf}
+ \includegraphics[width=0.66\textwidth]{taler-logo-2018.pdf}
+ \vfill
+ \vfill
+ \end{center}
+\begin{textblock*}{4cm}(.5cm,6.5cm) % {block width} (coords)
+ {\Large {\bf \url{taler.net}} \\
+ IRC{\bf \#taler} \\
+ {\small (on freenode)} \\
+ address@hidden \\
+ address@hidden }
+\end{textblock*}
+
+% Substitute based on who is giving the talk!
+ \begin{textblock*}{6cm}(6.7cm,7.7cm) % {block width} (coords)
+ {\hfill {\Large {\bf Florian Dold \&} \\
+ \hfill {\bf Christian Grothoff}} \\
+ \hfill \{dold,address@hidden }
+\end{textblock*}
+
+\end{frame}
+
+
+\begin{frame}{GNU Taler}
+ \vfill
+ \begin{center}
+ {\huge {\bf Digital} cash, made \textbf{socially responsible}.}
+ \end{center}
+ \vfill
+ \begin{center}
+ \includegraphics[scale=1.5]{taler-logo-2018.pdf}
+ \end{center}
+ \vfill
+ \begin{center}
+ Privacy-Preserving, Practical, Taxable, Free Software, Efficient
+ \end{center}
+ \vfill
+ \vfill
+\ %
+\end{frame}
+
+
+\section{payto://}
+
+% FIXME: Start with payto:// (warm-up!)
+
+
+\section{What is Taler?}
+\begin{frame}{What is Taler?}
+ \vfill
+ \begin{center}
+Taler is an electronic instant payment system suitable for a CBEC.
+ \end{center}
+ \begin{itemize}
+ \item Uses electronic coins stored in {\bf wallets} on customer's device
+ \item Like {\bf cash}
+ \item Pay in {\bf existing currencies} (i.e. EUR, USD, BTC)
+ \end{itemize}
+ \vfill
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Taler Overview}
+\begin{center}
+\begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer
sep=.3em];
+ \node (origin) at (0,0) {};
+ \node (exchange) [def,above=of origin,draw]{Exchange};
+ \node (customer) [def, draw, below left=of origin] {Customer};
+ \node (merchant) [def, draw, below right=of origin] {Merchant};
+ \node (auditor) [def, draw, above right=of origin]{Auditor};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (customer) -- (exchange) node [midway, above, sloped]
(TextNode) {withdraw coins};
+ \draw [<-, C] (exchange) -- (merchant) node [midway, above, sloped]
(TextNode) {deposit coins};
+ \draw [<-, C] (merchant) -- (customer) node [midway, above, sloped]
(TextNode) {spend coins};
+ \draw [<-, C] (exchange) -- (auditor) node [midway, above, sloped] (TextNode)
{verify};
+
+\end{tikzpicture}
+\end{center}
+\end{frame}
+
+
+\begin{frame}
+ % TODO: replace with simplified NEW architecture picture!
+\frametitle{Architecture of Taler}
+\begin{center}
+ \includegraphics[width=0.9\textwidth]{illustrations/taler-arch-full.pdf}
+
+ $\Rightarrow$ Convenient, taxable, privacy-enhancing, \& resource friendly!
+\end{center}
+\end{frame}
+
+
+\begin{frame}{How does it work?}
+We use a few ancient constructions:
+ \begin{itemize}
+ \item Cryptographic hash function (1989)
+ \item Blind signature (1983)
+ \item Schnorr signature (1989)
+ \item Diffie-Hellman key exchange (1976)
+ \item Cut-and-choose zero-knowledge proof (1985)
+ \end{itemize}
+But of course we use modern instantiations.
+\end{frame}
+
+
+\begin{frame}{Exchange setup: Create a denomination key (RSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Pick random primes $p,q$.
+ \item Compute $n := pq$, $\phi(n) = (p-1)(q-1)$
+ \item Pick small $e < \phi(n)$ such that
+ $d := e^{-1} \mod \phi(n)$ exists.
+ \item Publish public key $(e,n)$.
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance=1em and 1em, inner sep=0em, outer sep=.3em];
+ \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (primes) [draw=none, below = of origin] at (0,0) {$(p, q)$};
+ \node (seal) [def, draw=none, below left=of
primes]{\includegraphics[width=0.15\textwidth]{seal.pdf}};
+ \node (hammer) [def, draw=none, below right=of
primes]{\includegraphics[width=0.15\textwidth]{hammer.pdf}};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (primes) -- (origin) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (hammer) -- (primes) node [midway, above, sloped] (TextNode)
{};
+ \end{tikzpicture}
+% \includegraphics[width=0.4\textwidth]{seal.pdf}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Merchant: Create a signing key (EdDSA)}
+ \begin{minipage}{6cm}
+ \begin{itemize}
+ \item pick random $m \mod o$ as private key
+ \item $M = mG$ public key
+ \end{itemize}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer
sep=.3em];
+ \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (m) [draw=none, below = of origin] at (0,0) {$m$};
+ \node (seal) [draw=none, below=of m]{M};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (m) -- (origin) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode)
{};
+ \end{tikzpicture}
+ \end{minipage}
+ \parbox[t]{3cm}{{\bf Capability:} $m \Rightarrow$ }
+
\raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{merchant-sign.pdf}}
+\end{frame}
+
+
+\begin{frame}{Customer: Create a planchet (EdDSA)}
+ \begin{minipage}{8cm}
+ \begin{itemize}
+ \item Pick random $c \mod o$ private key
+ \item $C = cG$ public key
+ \end{itemize}
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer
sep=.3em];
+ \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (c) [draw=none, below = of origin] at (0,0) {$c$};
+ \node (planchet) [draw=none, below=of
c]{\includegraphics[width=0.4\textwidth]{planchet.pdf}};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (c) -- (origin) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (planchet) -- (c) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+ \parbox[t]{3cm}{{\bf Capability:} $c \Rightarrow$ }
+
\raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{planchet-sign.pdf}}
+\end{frame}
+
+
+\begin{frame}{Customer: Blind planchet (RSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Obtain public key $(e,n)$
+ \item Compute $f := FDH(C)$, $f < n$.
+ \item Pick blinding factor $b \in \mathbb Z_n$
+ \item Transmit $f' := f b^e \mod n$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (b) [def, draw=none, below = of origin] at (0,-0.2) {$b$};
+ \node (blinded) [def, draw=none, below right=of
b]{\includegraphics[width=0.2\textwidth]{blinded.pdf}};
+ \node (planchet) [def, draw=none, above right=of
blinded]{\includegraphics[width=0.15\textwidth]{planchet.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of
blinded]{Exchange};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped]
(TextNode) {};
+ \draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped]
(TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Exchange: Blind sign (RSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Receive $f'$.
+ \item Compute $s' := f'^d \mod n$.
+ \item Send signature $s'$.
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (hammer) [def, draw=none] at (0,0)
{\includegraphics[width=0.15\textwidth]{hammer.pdf}};
+ \node (signed) [def, draw=none, below left=of
hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
+ \node (blinded) [def, draw=none, above left=of
signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (customer) [node distance=4em and 0.5em, draw, below =of
signed]{Customer};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped]
(TextNode) {};
+ \draw [<-, C] (customer) -- (signed) node [midway, above, sloped]
(TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Customer: Unblind coin (RSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Receive $s'$.
+ \item Compute $s := s' b^{-1} \mod n$ % \\
+ % ($(f')^d = (f b^e)^d = f^d b$).
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (b) [def, draw=none] at (0,0) {$b$};
+ \node (coin) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
+ \node (signed) [def, draw=none, above left=of
coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode)
{};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Customer: Build shopping cart}
+ \begin{center}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer
sep=.3em];
+ \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{shop.pdf}};
+ \node (cart) [draw=none, below=of
m]{\includegraphics[width=0.2\textwidth]{cart.pdf}};
+ \node (merchant) [node distance=4em and 0.5em, draw, below =of
cart]{Merchant};
+ \tikzstyle{C} = [color=black, line width=1pt];
+ \draw [<-, C] (cart) -- (origin) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (merchant) -- (cart) node [midway, above, sloped] (TextNode)
{{\small transmit}};
+ \end{tikzpicture}
+ \end{center}
+\end{frame}
+
+
+\begin{frame}{Merchant: Propose contract (EdDSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Complete proposal $D$.
+ \item Send $D$, $EdDSA_m(D)$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (cart) [def, draw=none] at (0,0)
{\includegraphics[width=0.15\textwidth]{cart.pdf}};
+ \node (proposal) [def, draw=none, below right=of
cart]{\includegraphics[width=0.5\textwidth]{merchant_propose.pdf}};
+ \node (customer) [node distance=4em and 0.5em, draw, below =of
proposal]{Customer};
+ \tikzstyle{C} = [color=black, line width=1pt];
+ \node (sign) [def, draw=none, above right=of proposal] {$m$};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (proposal) -- (sign) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (proposal) -- (cart) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (customer) -- (proposal) node [midway, above, sloped]
(TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Customer: Spend coin (EdDSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Receive proposal $D$, $EdDSA_m(D)$.
+ \item Send $s$, $C$, $EdDSA_c(D)$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance=2em and 0.4em, inner sep=0em, outer
sep=.3em];
+ \node (proposal) [def, draw=none] at (0,0)
{\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}};
+ \node (contract) [def, draw=none, below right=of
cart]{\includegraphics[width=0.3\textwidth]{contract.pdf}};
+ \node (c) [def, draw=none, above=of contract] {$c$};
+ \node (merchant) [node distance=4em and 0.5em, draw, below=of
contract]{Merchant};
+ \node (coin) [def, draw=none, right=of
contract]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (contract) -- (proposal) node [midway, above, sloped]
(TextNode) {};
+ \draw [<-, C] (merchant) -- (contract) node [midway, above, sloped]
(TextNode) {{\small transmit}};
+ \draw [<-, C] (merchant) -- (coin) node [midway, below, sloped] (TextNode)
{{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Merchant and Exchange: Verify coin (RSA)}
+ \begin{minipage}{6cm}
+ \begin{equation*}
+ s^e \stackrel{?}{\equiv} FDH(C) \mod n
+ \end{equation*}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{minipage}{0.2\textwidth}
+ \includegraphics[width=\textwidth]{coin.pdf}
+ \end{minipage}
+ $\stackrel{?}{\Leftrightarrow}$
+ \begin{minipage}{0.2\textwidth}
+ \includegraphics[width=\textwidth]{seal.pdf}
+ \end{minipage}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Warranting deposit safety}
+ Exchange has {\em another} online signing key $O = oG$:
+ \begin{center}
+ Sends $E$, $EdDSA_o(M,H(D),FDH(C))$ to the merchant.
+ \end{center}
+ This signature means that $M$ was the {\em first} to deposit
+ $C$ and that the exchange thus must pay $M$.
+ \begin{center}
+ Without this, an evil exchange could reneg on the deposit
+ confirmation and claim double-spending if a coin were
+ deposited twice, and then not pay either merchant!
+ \end{center}
+\end{frame}
+
+
+\begin{frame}{Online keys}
+\begin{itemize}
+\item The exchange needs $d$ and $o$ to be available for online signing.
+\item The corresponding public keys $O$ and $(e,n)$ are certified using
+ Taler's public key infrastructure (which uses offline-only keys).
+\end{itemize}
+\vfill
+\begin{center}
+{\bf What happens if those private keys are compromised?}
+\end{center}
+\vfill
+\end{frame}
+
+
+\begin{frame}{Denomination key $(e,n)$ compromise}
+\begin{itemize}
+\item An attacker who learns $d$ can sign an arbitrary number of illicit coins
+ into existence and deposit them.
+\item Auditor and exchange can detect this once the total number of deposits
+ (illicit and legitimate) exceeds the number of legitimate coins the
+ exchange created.
+\item At this point, $(e,n)$ is {\em revoked}. Users of {\em unspent}
+ legitimate coins reveal $b$ from their withdrawal operation and
+ obtain a {\em refund}.
+\item The financial loss of the exchange is {\em bounded} by the number of
+ legitimate coins signed with $d$.
+\item[$\Rightarrow$] Taler frequently rotates denomination signing keys and
+ deletes $d$ after the signing period of the respective key expires.
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Online signing key $O$ compromise}
+\begin{itemize}
+\item An attacker who learns $o$ can sign deposit confirmations.
+\item Attacker sets up two (or more) merchants and customer(s) which
double-spend
+ legitimate coins at both merchants.
+\item The merchants only deposit each coin once at the exchange and get paid
once.
+\item The attacker then uses $o$ to fake deposit confirmations for the
double-spent
+ transactions.
+\item The attacker uses the faked deposit confirmations to complain to the
auditor
+ that the exchange did not honor the (faked) deposit confirmations.
+\end{itemize}
+The auditor can then detect the double-spending, but cannot tell who is to
blame,
+and (likely) would presume an evil exchange, forcing it to pay both merchants.
+\end{frame}
+
+
+\begin{frame}{Detecting online signing key $O$ compromise}
+\begin{itemize}
+\item Merchants are required to {\em probabilistically} report
+ signed deposit confirmations to the auditor.
+\item Auditor can thus detect exchanges not reporting signed
+ deposit confirmations.
+\item[$\Rightarrow$] Exchange can rekey if illicit key use is detected,
+ then only has to honor deposit confirmations it already provided
+ to the auditor {\em and} those without proof of double-spending
+ {\em and} those merchants reported to the auditor.
+\item[$\Rightarrow$] Merchants that do not participate in reporting
+ to the auditor risk their deposit permissions being voided.
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Summary and further reading}
+\begin{itemize}
+\item We can design protocols that fail {\em soft}.
+\item GNU Taler's design limits financial damage
+ even in the case private keys are compromised.
+\item GNU Taler does more:
+\begin{itemize}
+\item Gives change, can provide refunds
+\item Integrates nicely with HTTP, handles network failures
+\item High performance
+\item Formal security proofs
+\item Free Software
+\end{itemize}
+\item More information at \url{https://taler.net/}.
+\end{itemize}
+\end{frame}
+
+
+
+\begin{frame}{How to support?}
+ \begin{itemize}
+ \item GNU, TUM, INRIA and BFH are {\em not} banks.
+ \item We created Taler Systems SA for commercial support and development
of GNU Taler.
+ \item We are in discussions with central banks, commercial banks,
suppliers, merchants and various
+ Free Software projects to get GNU Taler into operation.
+ \item More banking partners and venture capital would be welcome.
+ \end{itemize}
+ \begin{center}
+ Talk to us!
+ \end{center}
+\end{frame}
+
+
+\begin{frame}
+\frametitle{Do you have any questions?}
+\vfill
+References:
+{\tiny
+ \begin{enumerate}
+ \item{Christian Grothoff, Bart Polot and Carlo von Loesch.
+ {\em The Internet is broken: Idealistic Ideas for Building a GNU
Network}.
+ {\bf W3C/IAB Workshop on Strengthening the Internet Against Pervasive
Monitoring (STRINT)}, 2014.}
+ \item{Jeffrey Burdges, Florian Dold, Christian Grothoff and Marcello Stanisci.
+ {\em Enabling Secure Web Payments with GNU Taler}.
+ {\bf SPACE 2016}.}
+ \item{Florian Dold, Sree Harsha Totakura, Benedikt M\"uller, Jeffrey Burdges
and Christian Grothoff.
+ {\em Taler: Taxable Anonymous Libre Electronic Reserves}.
+ Available upon request. 2016.}
+ \item{Eli Ben-Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian
Miers, Eran Tromer and Madars Virza.
+ {\em Zerocash: Decentralized Anonymous Payments from Bitcoin}.
+ {\bf IEEE Symposium on Security \& Privacy, 2016}.}
+ \item{David Chaum, Amos Fiat and Moni Naor.
+ {\em Untraceable electronic cash}.
+ {\bf Proceedings on Advances in Cryptology, 1990}.}
+ \item{Phillip Rogaway.
+ {\em The Moral Character of Cryptographic Work}.
+ {\bf Asiacrypt}, 2015.} \label{bib:rogaway}
+ \item{Florian Dold.
+ {\em The GNU Taler System: Practical and Provably Secure Electronic
Payments}.
+ {\bf PhD thesis. University of Rennes 1}, 2019.} \label{bib:dold}
+\end{enumerate}
+}
+\end{frame}
+
+
+
+
+\end{document}
+
+
+
+
+\begin{frame}{Taler {\tt /withdraw/sign}}
+% Customer withdrawing coins with blind signatures
+% \bigskip
+ \begin{figure}[th]
+ \begin{minipage}[b]{0.45\linewidth}
+ \begin{center}
+ \begin{tikzpicture}[scale = 0.4,
+ transform shape,
+ msglabel/.style = { text = Black, yshift = .3cm,
+ sloped, midway },
+ okmsg/.style = { ->, color = MidnightBlue, thick,
+ >=stealth },
+ rstmsg/.style = { ->, color = BrickRed, thick,
+ >=stealth }
+ ]
+ \node[draw = MidnightBlue,
+ fill = CornflowerBlue,
+ minimum width = .3cm,
+ minimum height = 10cm
+ ] (h1) at (-4, 0) {};
+ \node[draw = MidnightBlue,
+ fill = CornflowerBlue,
+ minimum width = .3cm,
+ minimum height = 10cm
+ ] (h2) at (4, 0) {};
+ \node[above = 0cm of h1] {Wallet};
+ \node[above = 0cm of h2] {Exchange};
+
+ \path[->, color = MidnightBlue, very thick, >=stealth]
+ (-5, 4.5) edge
+ node[rotate=90, text = Black, yshift = .3cm] {Time}
+ (-5, -4.5);
+ \path[okmsg, dashed]
+ ($(h1.east)+(0, 4.0)+(0, -1.0)$) edge
+ node[msglabel] {SEPA(RK,A)}
+ ($(h2.west)+(0, 3.5)+(0, -1.0)$);
+ \path[okmsg]
+ ($(h1.east)+(0, -1.0)$) edge
+ node[msglabel] {POST {\tt /withdraw/sign} $S_{RK}(DK, B_b(C))$}
+ ($(h2.west)+(0, -1.5)$);
+ \path[okmsg]
+ ($(h2.west)+(0, -2.0)$) edge
+ node[msglabel] {200 OK: $S_{DK}(B_b(C))$)}
+ ($(h1.east)+(0, -2.5)$);
+ \path[rstmsg]
+ ($(h2.west)+(0, -3.5)$) edge
+ node[msglabel] {402 PAYMENT REQUIRED: $S_{RK}(DK, B_b(C))$)}
+ ($(h1.east)+(0, -4)$);
+ \node at (5.3, 0) {};
+ \end{tikzpicture}
+ \end{center}
+ Result: $\langle c, S_{DK}(C) \rangle$.
+ \end{minipage}
+ \hspace{0.5cm}
+ \begin{minipage}[b]{0.45\linewidth}
+ \tiny
+ \begin{description}
+ \item[$A$] Some amount, $A \ge A_{DK}$
+ \item[$RK$] Reserve key
+ \item[$DK$] Denomination key
+ \item[$b$] Blinding factor
+ \item[$B_b()$] RSA-FDH blinding % DK supressed
+ \item[$C$] Coin public key $C := cG$
+ \item[$S_{RK}()$] EdDSA signature
+ \item[$S_{DK}()$] RSA-FDH signature
+ \end{description}
+ \end{minipage}
+ \end{figure}
+\end{frame}
+
+
+\begin{frame}[t]{Taler {\tt /deposit}}
+Merchant and exchange see only the public coin $\langle C, S_{DK}(C) \rangle$.
+\bigskip
+ \begin{figure}[th]
+ \begin{minipage}[b]{0.45\linewidth}
+ \begin{center}
+ \begin{tikzpicture}[scale = 0.4,
+ transform shape,
+ msglabel/.style = { text = Black, yshift = .3cm,
+ sloped, midway },
+ okmsg/.style = { ->, color = MidnightBlue, thick,
+ >=stealth },
+ rstmsg/.style = { ->, color = BrickRed, thick,
+ >=stealth }
+ ]
+ \node[draw = MidnightBlue,
+ fill = CornflowerBlue,
+ minimum width = .3cm,
+ minimum height = 10cm
+ ] (h1) at (-4, 0) {};
+ \node[draw = MidnightBlue,
+ fill = CornflowerBlue,
+ minimum width = .3cm,
+ minimum height = 10cm
+ ] (h2) at (4, 0) {};
+ \node[above = 0cm of h1] {Merchant};
+ \node[above = 0cm of h2] {Exchange};
+
+ \path[->, color = MidnightBlue, very thick, >=stealth]
+ (-5, 4.5) edge
+ node[rotate=90, text = Black, yshift = .3cm] {Time}
+ (-5, -4.5);
+ \path[->, color = MidnightBlue, thick, >=stealth]
+ ($(h1.east)+(0,3)$) edge
+ node[text = Black, yshift = .3cm, sloped] {POST {\tt /deposit}
$S_{DK}(C), S_{c}(D)$}
+ ($(h2.west)+(0,2)$);
+ \path[->, color = MidnightBlue, thick, >=stealth]
+ ($(h2.west)+(0,0.5)$) edge
+ node[text = Black, yshift = .3cm, sloped] {200 OK:
$S_{SK}(S_{c}(D))$}
+ ($(h1.east)+(0,-0.5)$);
+ \path[rstmsg]
+ ($(h2.west)+(0, -2.5)$) edge
+ node[msglabel] {409 CONFLICT: $S_{c}(D')$}
+ ($(h1.east)+(0, -3.5)$);
+ \node at (5.3, 0) {};
+ \end{tikzpicture}
+ \end{center}
+ \end{minipage}
+ \hspace{0.5cm}
+ \begin{minipage}[b]{0.45\linewidth}
+ \tiny
+ \begin{description}
+ \item[$DK$] Denomination key
+ \item[$S_{DK}()$] RSA-FDH signature using $DK$
+ \item[$c$] Private coin key, $C := cG$.
+ \item[$S_{C}()$] EdDSA signature using $c$
+ \item[$D$] Deposit details
+ \item[$SK$] Exchange's signing key
+ \item[$S_{SK}()$] EdDSA signature using $SK$
+ \item[$D'$] Conficting deposit details $D' \not= D$
+ \end{description}
+ \end{minipage}
+ \end{figure}
+\end{frame}
+
+
+\begin{frame}{Taler {\tt /refresh/melt}}
+ \begin{figure}[th]
+ \begin{minipage}[b]{0.45\linewidth}
+ \begin{center}
+ \begin{tikzpicture}[scale = 0.4,
+ transform shape,
+ msglabel/.style = { text = Black, yshift = .3cm,
+ sloped, midway },
+ okmsg/.style = { ->, color = MidnightBlue, thick,
+ >=stealth },
+ rstmsg/.style = { ->, color = BrickRed, thick,
+ >=stealth }
+ ]
+ \node[draw = MidnightBlue,
+ fill = CornflowerBlue,
+ minimum width = .3cm,
+ minimum height = 10cm
+ ] (h1) at (-4, 0) {};
+ \node[draw = MidnightBlue,
+ fill = CornflowerBlue,
+ minimum width = .3cm,
+ minimum height = 10cm
+ ] (h2) at (4, 0) {};
+ \node[above = 0cm of h1] {Customer};
+ \node[above = 0cm of h2] {Exchange};
+
+ \path[->, color = MidnightBlue, very thick, >=stealth]
+ (-5, 4.5) edge
+ node[rotate=90, text = Black, yshift = .3cm] {Time}
+ (-5, -4.5);
+ \path[->, color = MidnightBlue, thick, >=stealth]
+ ($(h1.east)+(0,3)$) edge
+ node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/melt}
$S_{DK}(C), S_c({\cal DK}, {\cal T},{\cal B})$}
+ ($(h2.west)+(0,2)$);
+ \path[->, color = MidnightBlue, thick, >=stealth]
+ ($(h2.west)+(0,0.5)$) edge
+ node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(H({\cal
T}, {\cal B}),\gamma)$}
+ ($(h1.east)+(0,-0.5)$);
+ \path[rstmsg]
+ ($(h2.west)+(0, -2.5)$) edge
+ node[msglabel] {409 CONFLICT: $S_{C}(X), \ldots$}
+ ($(h1.east)+(0, -3.5)$);
+ \node at (5.3, 0) {};
+ \end{tikzpicture}
+ \end{center}
+ \end{minipage}
+ \hspace{0.5cm}
+ \begin{minipage}[b]{0.45\linewidth}
+ \tiny
+ \begin{description}
+ \item[$\kappa$] System-wide security parameter, usually 3.
+ \\ \smallskip
+ \item[$\cal DK$] $:= [DK^{(i)}]_i$ \\ List of denomination keys \\
+ $D + \sum_i A_{DK^{(i)}} < A_{DK}$
+ \item[$t_j$] Random scalar for $j<\kappa$
+ \item[${\cal T}$] $:= [T_j]_\kappa$ where $T_j = t_j G$
+ \item[$k_j$] $:= c T_j = t_j C$ is an ECDHE
+ \item[$b_j^{(i)}$] $:= KDF_b(k_j,i)$ % blinding factor
+ \item[$c_j^{(i)}$] $:= KDF_c(k_j,i)$ % coin secret keys
+ \item[$C_j^{(i)}$] $: = c_j^{(i)} G$ % new coin publics % keys
+ \item[${\cal B}$] $:= [H( \beta_j )]_\kappa$ where \\
+ $\beta_j := \left[ B_{b_j^{(i)}}(C_j^{(i)}) \right]_i$
+ \\ \smallskip
+ \item[$\gamma$] Random value in $[0,\kappa)$
+% \\ \smallskip
+% \item[$X$] Deposit or refresh
+ \end{description}
+ \end{minipage}
+ \end{figure}
+\end{frame}
+
+
+\begin{frame}{Taler {\tt /refresh/reveal}}
+ \begin{figure}[th]
+ \begin{minipage}[b]{0.45\linewidth}
+ \begin{center}
+ \begin{tikzpicture}[scale = 0.4,
+ transform shape,
+ msglabel/.style = { text = Black, yshift = .3cm,
+ sloped, midway },
+ okmsg/.style = { ->, color = MidnightBlue, thick,
+ >=stealth },
+ rstmsg/.style = { ->, color = BrickRed, thick,
+ >=stealth }
+ ]
+ \node[draw = MidnightBlue,
+ fill = CornflowerBlue,
+ minimum width = .3cm,
+ minimum height = 10cm
+ ] (h1) at (-4, 0) {};
+ \node[draw = MidnightBlue,
+ fill = CornflowerBlue,
+ minimum width = .3cm,
+ minimum height = 10cm
+ ] (h2) at (4, 0) {};
+ \node[above = 0cm of h1] {Customer};
+ \node[above = 0cm of h2] {Exchange};
+
+ \path[->, color = MidnightBlue, very thick, >=stealth]
+ (-5, 4.5) edge
+ node[rotate=90, text = Black, yshift = .3cm] {Time}
+ (-5, -4.5);
+ \path[->, color = MidnightBlue, thick, >=stealth]
+ ($(h1.east)+(0,3)$) edge
+ node[text = Black, yshift = .3cm, sloped] {POST {\tt
/refresh/reveal} $H({\cal T}, {\cal B}), {\tilde{\cal T}}, \beta_\gamma$}
+ ($(h2.west)+(0,2)$);
+ \path[->, color = MidnightBlue, thick, >=stealth]
+ ($(h2.west)+(0,0.5)$) edge
+ node[text = Black, yshift = .3cm, sloped] {200 OK: $\cal S$}
+ ($(h1.east)+(0,-0.5)$);
+ \path[rstmsg]
+ ($(h2.west)+(0, -2.5)$) edge
+ node[msglabel] {400 BAD REQUEST: $Z$}
+ ($(h1.east)+(0, -3.5)$);
+ \node at (5.3, 0) {};
+ \end{tikzpicture}
+ \end{center}
+ \end{minipage}
+ \hspace{0.5cm}
+ \begin{minipage}[b]{0.45\linewidth}
+ \tiny
+ \begin{description}
+ \item[$\cal DK$] $:= [DK^{(i)}]_i$
+ \item[$t_j$] .. \\ \smallskip
+
+ \item[$\tilde{\cal T}$] $:= [t_j | j \in \kappa, j \neq \gamma]$ \\
\smallskip
+
+ \item[$k_\gamma$] $:= c T_\gamma = t_\gamma C$
+ \item[$b_\gamma^{(i)}$] $:= KDF_b(k_\gamma,i)$
+ \item[$c_\gamma^{(i)}$] $:= KDF_c(k_\gamma,i)$
+ \item[$C_\gamma^{(i)}$] $: = c_\gamma^{(i)} G$
+
+ \item[$B_\gamma^{(i)}$] $:= B_{b_\gamma^{(i)}}(C_\gamma^{(i)})$
+ \item[$\beta_\gamma$] $:= \big[ B_\gamma^{(i)} \big]_i$
+ \item[$\cal S$] $:= \left[ S_{DK^{(i)}}( B_\gamma^{(i)} ) \right]_i$ \\
\smallskip
+
+ \item[$Z$] Cut-and-choose missmatch information
+ \end{description}
+ \end{minipage}
+ \end{figure}
+\end{frame}
+
+
+\begin{frame}{Taler {\tt /refresh/link}}
+ \begin{figure}[th]
+ \begin{minipage}[b]{0.45\linewidth}
+ \begin{center}
+ \begin{tikzpicture}[scale = 0.4,
+ transform shape,
+ msglabel/.style = { text = Black, yshift = .3cm,
+ sloped, midway },
+ okmsg/.style = { ->, color = MidnightBlue, thick,
+ >=stealth },
+ rstmsg/.style = { ->, color = BrickRed, thick,
+ >=stealth }
+ ]
+ \node[draw = MidnightBlue,
+ fill = CornflowerBlue,
+ minimum width = .3cm,
+ minimum height = 10cm
+ ] (h1) at (-4, 0) {};
+ \node[draw = MidnightBlue,
+ fill = CornflowerBlue,
+ minimum width = .3cm,
+ minimum height = 10cm
+ ] (h2) at (4, 0) {};
+ \node[above = 0cm of h1] {Customer};
+ \node[above = 0cm of h2] {Exchagne};
+
+ \path[->, color = MidnightBlue, very thick, >=stealth]
+ (-5, 4.5) edge
+ node[rotate=90, text = Black, yshift = .3cm] {Time}
+ (-5, -4.5);
+ \path[->, color = MidnightBlue, thick, >=stealth]
+ ($(h1.east)+(0,3)$) edge
+ node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/link}
$C$}
+ ($(h2.west)+(0,2)$);
+ \path[->, color = MidnightBlue, thick, >=stealth]
+ ($(h2.west)+(0,0.5)$) edge
+ node[text = Black, yshift = .3cm, sloped] {200 OK: $T_\gamma$}
+ ($(h1.east)+(0,-0.5)$);
+ \path[rstmsg]
+ ($(h2.west)+(0, -2.5)$) edge
+ node[msglabel] {404 NOT FOUND}
+ ($(h1.east)+(0, -3.5)$);
+ \node at (5.3, 0) {};
+ \end{tikzpicture}
+ \end{center}
+ \end{minipage}
+ \hspace{0.5cm}
+ \begin{minipage}[b]{0.45\linewidth}
+ \tiny
+ \begin{description}
+ \item[$C$] Old coind public key \\ \smallskip
+ \item[$T_\gamma$] Linkage data $\cal L$ at $\gamma$
+ \end{description}
+ \end{minipage}
+ \end{figure}
+\end{frame}
+
+
+\begin{frame}{Operational security}
+ \begin{center}
+ \resizebox{\textwidth}{!}{
+\begin{tikzpicture}[
+ font=\sffamily,
+ every matrix/.style={ampersand replacement=\&,column sep=2cm,row sep=2cm},
+ source/.style={draw,thick,rounded corners,fill=green!20,inner sep=.3cm},
+ process/.style={draw,thick,circle,fill=blue!20},
+ sink/.style={source,fill=green!20},
+ datastore/.style={draw,very thick,shape=datastore,inner sep=.3cm},
+ dots/.style={gray,scale=2},
+ to/.style={->,>=stealth',shorten
>=1pt,semithick,font=\sffamily\footnotesize},
+ every node/.style={align=center}]
+
+ % Position the nodes using a matrix layout
+ \matrix{
+ \node[source] (wallet) {Wallet};
+ \& \node[process] (browser) {Browser};
+ \& \node[process] (shop) {Web shop};
+ \& \node[sink] (backend) {Taler backend}; \\
+ };
+
+ % Draw the arrows between the nodes and label them.
+ \draw[to] (browser) to[bend right=50] node[midway,above] {(4) signed
contract}
+ node[midway,below] {(signal)} (wallet);
+ \draw[to] (wallet) to[bend right=50] node[midway,above] {(signal)}
+ node[midway,below] {(5) signed coins} (browser);
+ \draw[<->] (browser) -- node[midway,above] {(3,6) custom}
+ node[midway,below] {(HTTPS)} (shop);
+ \draw[to] (shop) to[bend right=50] node[midway,above] {(HTTPS)}
+ node[midway,below] {(1) proposed contract / (7) signed coins} (backend);
+ \draw[to] (backend) to[bend right=50] node[midway,above] {(2) signed
contract / (8) confirmation}
+ node[midway,below] {(HTTPS)} (shop);
+\end{tikzpicture}
+}
+\end{center}
+\end{frame}
--
To stop receiving notification emails like this one, please contact
address@hidden
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [GNUnet-SVN] [taler-marketing] branch master updated: bankerdemia draft,
gnunet <=