[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-marketing] branch master updated: first round of slide updates
From: |
gnunet |
Subject: |
[taler-marketing] branch master updated: first round of slide updates |
Date: |
Thu, 29 Feb 2024 11:36:26 +0100 |
This is an automated email from the git hooks/post-receive script.
grothoff pushed a commit to branch master
in repository marketing.
The following commit(s) were added to refs/heads/master by this push:
new e1c3663 first round of slide updates
e1c3663 is described below
commit e1c366333d8bd174accdcc65f128a8d4a7226c16
Author: Christian Grothoff <christian@grothoff.org>
AuthorDate: Thu Feb 29 11:36:22 2024 +0100
first round of slide updates
---
presentations/comprehensive/g5k.pdf | Bin 0 -> 32940 bytes
presentations/comprehensive/main.tex | 4051 ++++++++++----------
presentations/comprehensive/mining.pdf | Bin 0 -> 30796 bytes
.../comprehensive/paymentTwint-screen.png | Bin 0 -> 40497 bytes
.../comprehensive/paymentTwint-screen.xcf | Bin 0 -> 164559 bytes
.../comprehensive/paymentTwint-screen_25.png | Bin 0 -> 35808 bytes
.../comprehensive/paymentTwint-screen_50.png | Bin 0 -> 35002 bytes
presentations/comprehensive/performance.pdf | Bin 0 -> 21204 bytes
presentations/comprehensive/privacy.pdf | Bin 0 -> 30714 bytes
presentations/comprehensive/shrine.jpg | Bin 0 -> 835870 bytes
presentations/comprehensive/twint.mkv | Bin 0 -> 2953804 bytes
11 files changed, 2055 insertions(+), 1996 deletions(-)
diff --git a/presentations/comprehensive/g5k.pdf
b/presentations/comprehensive/g5k.pdf
new file mode 100644
index 0000000..e951aa8
Binary files /dev/null and b/presentations/comprehensive/g5k.pdf differ
diff --git a/presentations/comprehensive/main.tex
b/presentations/comprehensive/main.tex
index 6f81bae..991065a 100644
--- a/presentations/comprehensive/main.tex
+++ b/presentations/comprehensive/main.tex
@@ -243,6 +243,9 @@
\end{frame}
+\setbeamertemplate{navigation symbols}{\hfill
\includegraphics[width=1cm]{taler-logo-2021-inkscape.pdf}}
+
+
\begin{frame}{Agenda}
\tableofcontents
@@ -403,7 +406,7 @@ Current average transaction value: $\approx$ 1000 USD
\begin{frame}
\frametitle{\includegraphics[height=0.5cm]{pics/zerocoin.png}?}
-Cryptography is rather primitive:
+Bitcoin cryptography is rather primitive:
\begin{center}
{\bf All Bitcoin transactions are public and linkable!}
\end{center}
@@ -429,8 +432,8 @@ ZeroCoin, CryptoNote (Monero) and ZeroCash (ZCash) offer
anonymity.
\end{frame}
-
\begin{frame}{The Bank of International Settlements}
+ \framesubtitle{Central Bank Digital Currency vs. Cash}
\begin{center}
\movie[%scale=0.6,
autostart,
@@ -624,7 +627,7 @@ positives in fraud detection
\begin{frame}{Social Impact of Taler}
\begin{center}
- \includegraphics[height=0.9\textheight]{../../social-impact.pdf}
+ \includegraphics[height=0.9\textheight]{../social-impact.pdf}
\end{center}
\end{frame}
@@ -695,606 +698,610 @@ positives in fraud detection
\end{frame}
-
-\section{Protocol Basics}
+\section{Component Zoo}
\begin{frame}
\vfill
\begin{center}
- {\bf Protocol Basics}
+ {\bf Component Zoo}
\end{center}
\vfill
\end{frame}
-\begin{frame}{How does it work?}
-We use a few ancient constructions:
+
+\begin{frame}{The Taler Software Ecosystem: Overview}
+ \framesubtitle{\url{https://taler.net/en/docs.html}}
+ Taler is based on modular components that work together to provide a
+ complete payment system:
+ \vfill
\begin{itemize}
- \item Cryptographic hash function (1989)
- \item Blind signature (1983)
- \item Schnorr signature (1989)
- \item Diffie-Hellman key exchange (1976)
- \item Cut-and-choose zero-knowledge proof (1985)
+ \item {\bf Exchange:} Service provider for digital cash
+ \begin{itemize}
+ \item Core exchange software (cryptography, database)
+ \item Air-gapped key management, real-time {\bf auditing}
+ \item {\bf libeufin}: Modular integration with banking systems
+ \end{itemize}
+ \item {\bf Merchant:} Integration service for existing businesses
+ \begin{itemize}
+ \item Core merchant backend software (cryptography, database)
+ \item {\bf Back-office interface} for staff
+ \item {\bf Frontend integration} (E-commerce, Point-of-sale)
+ \end{itemize}
+ \item {\bf Wallet:} Consumer-controlled applications for e-cash
+ \begin{itemize}
+ \item Multi-platform wallet software (for browsers \& mobile phones)
+ \item Wallet backup storage providers ({\bf sync})
+ \item {\bf Anastasis}: Recovery of lost wallets based on secret
splitting
+ \end{itemize}
\end{itemize}
-But of course we use modern instantiations.
\end{frame}
-\begin{frame}{Definition: Taxability}
- We say Taler is taxable because:
- \begin{itemize}
- \item Merchant's income is visible from deposits.
- \item Hash of contract is part of deposit data.
- \item State can trace income and enforce taxation.
- \end{itemize}\pause
- Limitations:
+\begin{frame}{Taler Exchange}
+ The {\bf Exchange} is the core logic of the payment system.
+
\begin{itemize}
- \item withdraw loophole
- \item {\em sharing} coins among family and friends
+ \item One exchange at minimum must be operated per currency
+ \item Offers a REST API for merchants and customers
+ \item Uses several helper processes for configuration and to
+ interact with RTGS and cryptography
+ \item KYC support via OAuth 2.0, KycAID or Persona APIs
+ \item Implemented in C on top of GNU libmicrohttpd
\end{itemize}
\end{frame}
-\begin{frame}{Exchange setup: Create a denomination key (RSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Pick random primes $p,q$.
- \item Compute $n := pq$, $\phi(n) = (p-1)(q-1)$
- \item Pick small $e < \phi(n)$ such that
- $d := e^{-1} \mod \phi(n)$ exists.
- \item Publish public key $(e,n)$.
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance=1em and 1em, inner sep=0em, outer sep=.3em];
- \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (primes) [draw=none, below = of origin] at (0,0) {$(p, q)$};
- \node (seal) [def, draw=none, below left=of
primes]{\includegraphics[width=0.15\textwidth]{seal.pdf}};
- \node (hammer) [def, draw=none, below right=of
primes]{\includegraphics[width=0.15\textwidth]{hammer.pdf}};
+\begin{frame}{Taler: Exchange Architecture}
+\begin{center}
+\begin{tikzpicture}
+ \tikzstyle{def} = [node distance=2em and 2.5em, inner sep=1em, outer
sep=.3em];
+ \node (origin) at (0,0) {};
+ \node (httpd) [def,above=of origin,draw]{httpd};
+ \node (secmod-rsa) [def, draw, right=of httpd] {secmod-rsa};
+ \node (secmod-eddsa) [def, draw, left=of httpd] {secmod-eddsa};
+ \node (postgres) [def, draw, below=of httpd]{Postgres};
+ \node (aggregator) [def, draw, right=of postgres]{aggregator};
+ \node (transfer) [def, draw, below left=of postgres]{transfer};
+ \node (wirewatch) [def, draw, below right=of postgres]{wirewatch};
+ \node (nexus) [def, draw, below=of postgres]{Nexus};
- \tikzstyle{C} = [color=black, line width=1pt]
+ \tikzstyle{C} = [color=black, line width=1pt]
- \draw [<-, C] (primes) -- (origin) node [midway, above, sloped] (TextNode)
{};
- \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode)
{};
- \draw [<-, C] (hammer) -- (primes) node [midway, above, sloped] (TextNode)
{};
- \end{tikzpicture}
-% \includegraphics[width=0.4\textwidth]{seal.pdf}
- \end{minipage}
+ \draw [<->, C] (httpd) -- (postgres) node [midway, above, sloped] (TextNode)
{};
+ \draw [<->, C] (httpd) -- (secmod-rsa) node [midway, above, sloped]
(TextNode) {};
+ \draw [<->, C] (httpd) -- (secmod-eddsa) node [midway, above, sloped]
(TextNode) {};
+ \draw [<->, C] (aggregator) -- (postgres) node [midway, above, sloped]
(TextNode) {};
+ \draw [<->, C] (wirewatch) -- (postgres) node [midway, above, sloped]
(TextNode) {};
+ \draw [<->, C] (transfer) -- (postgres) node [midway, above, sloped]
(TextNode) {};
+ \draw [->, C] (transfer) -- (nexus) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (wirewatch) -- (nexus) node [midway, above, sloped] (TextNode)
{};
+\end{tikzpicture}
+\end{center}
\end{frame}
-\begin{frame}{Merchant: Create a signing key (EdDSA)}
+\begin{frame}{Taler Merchant}
+ The {\bf Merchant} is the software run by merchants to accept\\
+ GNU Taler payments.
+
\begin{minipage}{6cm}
- \begin{itemize}
- \item pick random $m \mod o$ as private key
- \item $M = mG$ public key
+ \begin{itemize}
+ \item REST API for integration with e-commerce
+ \item SPA provides Web interface for administration
+ \item Features include:
+ \begin{itemize}
+ \item Multi-tenant support
+ \item Refunds
+ \item Tipping (Website pays visitor)
+ \item Webhooks
+ \item Inventory management (optional)
+ \end{itemize}
+ \item Implemented in C on top of GNU libmicrohttpd
\end{itemize}
\end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer
sep=.3em];
- \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (m) [draw=none, below = of origin] at (0,0) {$m$};
- \node (seal) [draw=none, below=of m]{M};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (m) -- (origin) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode)
{};
- \end{tikzpicture}
+ \begin{minipage}{5cm}
+ \includegraphics[width=5cm]{screenshots/merchant-spa-settings}
\end{minipage}
- \parbox[t]{3cm}{{\bf Capability:} $m \Rightarrow$ }
-
\raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{merchant-sign.pdf}}
\end{frame}
-\begin{frame}{Customer: Create a planchet (EdDSA)}
- \begin{minipage}{8cm}
- \begin{itemize}
- \item Pick random $c \mod o$ private key
- \item $C = cG$ public key
- \end{itemize}
- \end{minipage}
- \begin{minipage}{4cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer
sep=.3em];
- \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (c) [draw=none, below = of origin] at (0,0) {$c$};
- \node (planchet) [draw=none, below=of
c]{\includegraphics[width=0.4\textwidth]{planchet.pdf}};
- \tikzstyle{C} = [color=black, line width=1pt]
+\begin{frame}
+\frametitle{Taler: Merchant Perspective}
+\begin{center}
+\begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 3.5em and 2em, inner sep=1em, outer
sep=.3em];
+ \node (origin) at (0,0) {};
+ \node (backend) [def,above=of origin,draw]{{\tiny taler-merchant-httpd}};
+ \node (frontend) [def,above left=of backend,draw]{{\tiny E-commerce
Frontend}};
+ \node (backoffice) [def,above right=of backend,draw]{Backoffice};
+ \node (postgres) [def, draw, below left=of backend] {Postgres};
+ \node (sqlite) [def, draw, below=of backend] {Sqlite};
+ \node (alt) [def, draw, below right=of backend] {...};
- \draw [<-, C] (c) -- (origin) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (planchet) -- (c) node [midway, above, sloped] (TextNode) {};
- \end{tikzpicture}
- \end{minipage}
- \parbox[t]{3cm}{{\bf Capability:} $c \Rightarrow$ }
-
\raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{planchet-sign.pdf}}
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [->, C] (frontend) -- (backend) node [midway, above, sloped] (TextNode)
{REST API};
+ \draw [->, C] (backoffice) -- (backend) node [midway, above, sloped]
(TextNode) {REST API};
+ \draw [<->, C] (backend) -- (postgres) node [midway, above, sloped]
(TextNode) {SQL};
+ \draw [<->, C] (backend) -- (sqlite) node [midway, above, sloped] (TextNode)
{SQL};
+ \draw [<->, C] (backend) -- (alt) node [midway, above, sloped] (TextNode)
{SQL};
+\end{tikzpicture}
+\end{center}
\end{frame}
-\begin{frame}{Customer: Blind planchet (RSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Obtain public key $(e,n)$
- \item Compute $f := FDH(C)$, $f < n$.
- \item Pick blinding factor $b \in \mathbb Z_n$
- \item Transmit $f' := f b^e \mod n$
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (b) [def, draw=none, below = of origin] at (0,-0.2) {$b$};
- \node (blinded) [def, draw=none, below right=of
b]{\includegraphics[width=0.2\textwidth]{blinded.pdf}};
- \node (planchet) [def, draw=none, above right=of
blinded]{\includegraphics[width=0.15\textwidth]{planchet.pdf}};
- \node (exchange) [node distance=4em and 0.5em, draw, below =of
blinded]{Exchange};
- \tikzstyle{C} = [color=black, line width=1pt]
- \draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped]
(TextNode) {};
- \draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped]
(TextNode) {{\small transmit}};
- \end{tikzpicture}
+\begin{frame}{Taler Wallet}
+ The {\bf Wallet} is the software run by consumers to store
+ their digital cash and authorize transactions.
+
+ \begin{minipage}{8cm}
+ \begin{itemize}
+ \item {\bf wallet-core} is the logic shared by all interfaces
+ \item Applications exist for Android, F-Droid,
+ WebExtension (Chrome, Chromium, Firefox, etc.), iOS ({\bf WiP})
+ \item Features include:
+ \begin{itemize}
+ \item Multi-currency support
+ \item Wallet-to-wallet payments (NFC or QR code)
+ \item CRDT-like data model
+ \end{itemize}
+ \item {\bf wallet-core} implemented in TypeScript
+ \end{itemize}
+ Can be integrated into other Apps if desired.
+ \end{minipage}
+ \begin{minipage}{3cm}
+ \includegraphics[width=3cm]{screenshots/Screenshot_20230225-103520.png}
\end{minipage}
\end{frame}
-\begin{frame}{Exchange: Blind sign (RSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Receive $f'$.
- \item Compute $s' := f'^d \mod n$.
- \item Send signature $s'$.
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (hammer) [def, draw=none] at (0,0)
{\includegraphics[width=0.15\textwidth]{hammer.pdf}};
- \node (signed) [def, draw=none, below left=of
hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
- \node (blinded) [def, draw=none, above left=of
signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (customer) [node distance=4em and 0.5em, draw, below =of
signed]{Customer};
- \tikzstyle{C} = [color=black, line width=1pt]
+\begin{frame}
+\frametitle{Taler: Wallet Architecture}
+ \framesubtitle{Background: \url{https://anastasis.lu/}}
+\begin{center}
+\begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 5em and 4.5em, inner sep=1em, outer
sep=.3em];
+ \node (origin) at (0,0) {};
+ \node (gui) [def,above=of origin,draw]{wallet-gui};
+ \node (core) [def,below=of gui,draw]{wallet-core};
+ \node (sync) [def, draw, below left=of core] {Sync};
+ \node (taler) [def, draw, below right=of core] {Taler};
+ \node (anastasis) [def, draw, below=of core] {Anastasis};
- \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode)
{};
- \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped]
(TextNode) {};
- \draw [<-, C] (customer) -- (signed) node [midway, above, sloped]
(TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
+ \tikzstyle{C} = [color=black, line width=1pt]
+ \draw [<->, C] (gui) -- (core) node [midway, above, sloped] (TextNode) {};
+ \draw [<->, C] (core) -- (sync) node [midway, above, sloped] (TextNode)
{Backup};
+ \draw [<->, C] (core) -- (taler) node [midway, above, sloped] (TextNode)
{Payment};
+ \draw [<->, C] (core) -- (anastasis) node [midway, above, sloped] (TextNode)
{Key Escrow};
+\end{tikzpicture}
+\end{center}
\end{frame}
-\begin{frame}{Customer: Unblind coin (RSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Receive $s'$.
- \item Compute $s := s' b^{-1} \mod n$ % \\
- % ($(f')^d = (f b^e)^d = f^d b$).
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (b) [def, draw=none] at (0,0) {$b$};
- \node (coin) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
- \node (signed) [def, draw=none, above left=of
coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode)
{};
- \end{tikzpicture}
- \end{minipage}
+\begin{frame}[fragile]{RFC 8905: \texttt{payto:} Uniform Identifiers for
Payments and Accounts}
+ \vfill
+ Like \texttt{mailto:}, but for bank accounts instead of email accounts!
+ \vfill
+ \begin{verbatim}
+ payto://<PAYMENT-METHOD>/<ACCOUNT-NR>
+ ?subject=InvoiceNr42
+ &amount=EUR:12.50
+ \end{verbatim}
+ \vfill
+ Default action: Open app to review and confirm payment.
+ \vfill
+\includegraphics[width=0.25\textwidth]{einzahlschein-ch.jpeg}
+\hfill
+\includegraphics[width=0.2\textwidth]{de-ueberweisungsformular.png}
+ \vfill
\end{frame}
-\begin{frame}{Withdrawing coins on the Web}
+
+\begin{frame}[fragile]{Benefits of {\tt payto://}}
+ \begin{itemize}
+ \item Standardized way to represent financial resources (bank account,
bitcoin wallet)
+ and payments to them
+ \item Useful on the client-side on the Web and for FinTech backend
applications
+ \item Payment methods (such as IBAN, ACH, Bitcoin) are registered with
+ IANA and allow extra options
+ \end{itemize}
\begin{center}
- \includegraphics[height=0.9\textheight]{figs/taler-withdraw.pdf}
+ {\bf Taler wallet can generate payto://-URI for withdraw!}
\end{center}
\end{frame}
-\begin{frame}{Customer: Build shopping cart}
- \begin{center}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer
sep=.3em];
- \node (origin) [draw=none] at (0,0)
{\includegraphics[width=0.2\textwidth]{cart.pdf}};
- \node (merchant) [node distance=4em and 0.5em, draw, below =of
origin]{\includegraphics[width=0.2\textwidth]{shop.pdf}};
- \tikzstyle{C} = [color=black, line width=1pt];
- \draw [<-, C] (merchant) -- (origin) node [midway, above, sloped]
(TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{center}
+\begin{frame}{Taler Auditor}
+ The {\bf Auditor} is the software run by an independent auditor
+ to validate the operation of an Exchange.
+
+ \begin{itemize}
+ \item REST API for additional report inputs by merchants (optional)
+ \item Secure database replication logic
+ \item Implemented in C on top of GNU libmicrohttpd
+ \end{itemize}
\end{frame}
-\begin{frame}{Merchant Integration: Contract}
- % \begin{figure*}[t!]
- {\tiny
- \lstset{language=JavaScript}
- \lstinputlisting{figs/taler-contract.json}
-% \caption{Minimal Taler contract over a digital article with a value of
\EUR{0.10}. The merchant will pay transaction fees up to \EUR{0.01}. The hash
over the wire transfer information was truncated to make it fit to the page.}
-% \label{listing:json-contract}
- % \end{figure*}
- }
+\begin{frame}
+\frametitle{Taler: Auditor Perspective}
+\begin{center}
+\begin{tikzpicture}
+ \tikzstyle{def} = [node distance=2em and 2.5em, inner sep=1em, outer
sep=.3em];
+ \node (origin) at (0,0) {};
+ \node (httpd) [def,above left=of origin,draw]{auditor-httpd};
+ \node (report) [def,above right=of origin,draw]{auditor-report};
+ \node (postgres-A) [def, draw, below=of origin] {Postgres (Auditor)};
+ \node (postgres-E) [def, draw, below=of postgres-A] {Postgres (Bank)};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [->, C] (postgres-E) -- (postgres-A) node [midway, above, sloped]
(TextNode) {sync};
+ \draw [<->, C] (httpd) -- (postgres-A) node [midway, above, sloped]
(TextNode) {};
+ \draw [<->, C] (report) -- (postgres-A) node [midway, above, sloped]
(TextNode) {};
+\end{tikzpicture}
+\end{center}
\end{frame}
-\begin{frame}{Merchant Integration: Payment Request}
-% \begin{figure}[p!]
- \lstset{language=HTML5}
- \lstinputlisting{figs/taler-402.html}
-% \caption{Sample HTTP response to prompt the wallet to show an offer.}
-% \label{listing:http-contract}
-% \end{figure}
+\begin{frame}{libeufin-nexus}
+ libeufin-nexus allows Taler components to interact with a core banking
system. It:
-% \begin{figure*}[p!]
-% \lstset{language=HTML5}
-% \lstinputlisting{figs/taler-contract.html}
-% \caption{Sample JavaScript code to prompt the wallet to show an offer.
-% Here, the contract is fetched on-demand from the server.
-% The {\tt taler\_pay()} function needs to be invoked
-% when the user triggers the checkout.}
-% \label{listing:contract}
-% \end{figure*}
+ \begin{itemize}
+ \item provides an implementation of the Wire Gateway for the exchange
+ \item supports EBICS 2.5
+ \item other APIs such as FinTS or PSD2-style XS2A APIs can be added
+ without requiring changes to the Exchange
+ \item was tested with GLS Bank (DE) and Postfinance (CH) accounts and real
EUR/CHF
+ \end{itemize}
\end{frame}
+\begin{frame}{libeufin-bank}
+ libeufin-bank implements a standalone bank with a Web interface. It:
-\begin{frame}{Merchant: Propose contract (EdDSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Complete proposal $D$.
- \item Send $D$, $EdDSA_m(D)$
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (cart) [def, draw=none] at (0,0)
{\includegraphics[width=0.15\textwidth]{cart.pdf}};
- \node (proposal) [def, draw=none, below right=of
cart]{\includegraphics[width=0.5\textwidth]{merchant_propose.pdf}};
- \node (customer) [node distance=4em and 0.5em, draw, below =of
proposal]{Customer};
- \tikzstyle{C} = [color=black, line width=1pt];
- \node (sign) [def, draw=none, above right=of proposal] {$m$};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (proposal) -- (sign) node [midway, above, sloped] (TextNode)
{};
- \draw [<-, C] (proposal) -- (cart) node [midway, above, sloped] (TextNode)
{};
- \draw [<-, C] (customer) -- (proposal) node [midway, above, sloped]
(TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
+ \begin{itemize}
+ \item provides the Taler Core Bank API for RESTful online banking
+ using a Web interface (with multi-factor authentication)
+ \item includes a Taler Wire Gateway for the exchange
+ \item offers the Taler Bank Integration API to allow wallets
+ to easily withdraw digital cash
+ \item optionally provides the Taler Conversion Info API for currency
+ conversion between fiat and regional currencies
+ \item optionally integrates with libeufin-nexus to interact with
+ a core banking system
+ \end{itemize}
\end{frame}
-\begin{frame}{Customer: Spend coin (EdDSA)}
- \begin{minipage}{6cm}
- \begin{enumerate}
- \item Receive proposal $D$, $EdDSA_m(D)$.
- \item Send $s$, $C$, $EdDSA_c(D)$
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance=2em and 0.4em, inner sep=0em, outer
sep=.3em];
- \node (proposal) [def, draw=none] at (0,0)
{\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}};
- \node (contract) [def, draw=none, below right=of
cart]{\includegraphics[width=0.3\textwidth]{contract.pdf}};
- \node (c) [def, draw=none, above=of contract] {$c$};
- \node (merchant) [node distance=4em and 0.5em, draw, below=of
contract]{Merchant};
- \node (coin) [def, draw=none, right=of
contract]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
- \tikzstyle{C} = [color=black, line width=1pt]
+\begin{frame}[fragile]{Taler: Bank Perspective}
+\begin{adjustbox}{max totalsize={.9\textwidth}{.7\textheight},center}
+\begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer
sep=.3em];
+ \node (origin) at (0,0) {};
+ \node (exchange) [def,above=of origin,draw]{Exchange};
+ \node (nexus) [def, draw, below right=of exchange] {Nexus};
+ \node (corebanking) [def, draw, below left=of nexus] {Core Banking};
+ \node (nginx) [def, draw, above=of exchange]{Nginx};
+ \node (postgres) [def, draw, below left=of exchange]{Postgres};
+ \node (postgres-nexus) [def, draw, below right=of nexus]{Postgres};
- \draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (contract) -- (proposal) node [midway, above, sloped]
(TextNode) {};
- \draw [<-, C] (merchant) -- (contract) node [midway, above, sloped]
(TextNode) {{\small transmit}};
- \draw [<-, C] (merchant) -- (coin) node [midway, below, sloped] (TextNode)
{{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
-\end{frame}
+ \tikzstyle{C} = [color=black, line width=1pt]
+ \draw [<-, C] (exchange) -- (nginx) node [midway, above, sloped] (TextNode)
{REST API};
+ \draw [<-, C] (postgres) -- (exchange) node [midway, above, sloped]
(TextNode) {SQL};
+ \draw [<-, C] (postgres-nexus) -- (nexus) node [midway, above, sloped]
(TextNode) {SQL};
+ \draw [<-, C] (nexus) -- (exchange) node [midway, above, sloped] (TextNode)
{Internal REST API};
+ \draw [<-, C] (corebanking) -- (nexus) node [midway, above, sloped]
(TextNode) {EBICS/FinTS};
-\begin{frame}{Merchant and Exchange: Verify coin (RSA)}
- \begin{minipage}{6cm}
- \begin{equation*}
- s^e \stackrel{?}{\equiv} FDH(C) \mod n
- \end{equation*}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{minipage}{0.2\textwidth}
- \includegraphics[width=\textwidth]{coin.pdf}
- \end{minipage}
- $\stackrel{?}{\Leftrightarrow}$
- \begin{minipage}{0.2\textwidth}
- \includegraphics[width=\textwidth]{seal.pdf}
- \end{minipage}
- \end{minipage}
- \vfill
- The exchange does not only verify the signature, but also
- checks that the coin was not double-spent.
- \vfill
- \pause
- \begin{center}
- {\bf Taler is an online payment system.}
- \end{center}
- \vfill
+\end{tikzpicture}
+\end{adjustbox}
\end{frame}
-\begin{frame}{Payment processing with Taler}
+\begin{frame}{Depolymerization}
+ Depolymerization is a bridge between GNU Taler and blockchains,
+ making Taler a layer 2 system for crypto-currencies (like Lightning).
+
+ \begin{itemize}
+ \item provides an implementation of the Wire Gateway for the exchange
+ \item Works on top of Bitcoin and Ethereum
+ crypto-currencies, with the DLTs as the ``RTGS''
+ \item Provides same API to Exchange as libeufin-nexus
+ \item Implemented in Rust
+ \end{itemize}
\begin{center}
- \includegraphics[height=0.9\textheight]{figs/taler-pay.pdf}
+ \url{https://bitcoin.ice.bfh.ch/}
\end{center}
\end{frame}
-\begin{frame}{Giving change}
- It would be inefficient to pay EUR 100 with 1 cent coins!
- \begin{itemize}
- \item Denomination key represents value of a coin.
- \item Exchange may offer various denominations for coins.
- \item Wallet may not have exact change!
- \item Usability requires ability to pay given sufficient total funds.
- \end{itemize}\pause
- Key goals:
- \begin{itemize}
- \item maintain unlinkability
- \item maintain taxability of transactions
- \end{itemize}\pause
- Method:
+\begin{frame}{Pretix Taler payment plugin}
+\begin{center}
+\includegraphics[width=0.5\textwidth]{screenshots/pretix.png}
+\end{center}
+
+ Pretix is a ticket sales system.
+
\begin{itemize}
- \item Contract can specify to only pay {\em partial value} of a coin.
- \item Exchange allows wallet to obtain {\em unlinkable change}
- for remaining coin value.
+ \item Pretix payment plugin enables payments via GNU Taler
+ \item Developed by Pretix.eu for \EUR{3,000} on behalf of Taler Systems SA
\end{itemize}
\end{frame}
-\begin{frame}{Diffie-Hellman (ECDH)}
- \begin{minipage}{8cm}
- \begin{enumerate}
- \item Create private keys $c,t \mod o$
- \item Define $C = cG$
- \item Define $T = tG$
- \item Compute DH \\ $cT = c(tG) = t(cG) = tC$
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{6cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (t) [def, draw=none] at (0,0) {$t$};
- \node (ct) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{dh.pdf}};
- \node (c) [def, draw=none, above left= of ct] {$c$};
- \tikzstyle{C} = [color=black, line width=1pt]
-
- \draw [<-, C] (ct) -- (c) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (ct) -- (t) node [midway, above, sloped] (TextNode) {};
- \end{tikzpicture}
+\begin{frame}{WooCommerce Taler payment plugin}
+\begin{minipage}{6cm}
+ \begin{itemize}
+ \item WooCommerce is an e-commerce plugin for WordPress.
+ \item WooCommerce payment plugin enables payments via GNU Taler
+ \item Features include:
+ \begin{itemize}
+ \item Trivial configuration
+ \item Support for refunds
+ \item Full internationalization
+ \end{itemize}
+ \item WooCommerce and its plugins are implemented in PHP
+ \end{itemize}
+\end{minipage}
+\begin{minipage}{5cm}
+ \includegraphics[width=4cm]{screenshots/woocommerce-cart.png}
+ \includegraphics[width=4cm]{screenshots/woocommerce-settings.png}
\end{minipage}
\end{frame}
-\begin{frame}{Strawman solution}
- \begin{minipage}{8cm}
- Given partially spent private coin key $c_{old}$:
- \begin{enumerate}
-% \item Let $C_{old} := c_{old}G$ (as before)
- \item Pick random $c_{new} \mod o$ private key
- \item $C_{new} = c_{new}G$ public key
- \item Pick random $b_{new}$
- \item Compute $f_{new} := FDH(C_{new})$, $m < n$.
- \item Transmit $f'_{new} := f_{new} b_{new}^e \mod n$
- \end{enumerate}
- ... and sign request for change with $c_{old}$.
- \end{minipage}
- \begin{minipage}{4cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (blinded) [def,
draw=none]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (planchet) [def, draw=none, above left= of blinded]
{\includegraphics[width=0.15\textwidth]{planchet.pdf}};
- \node (cnew) [def, draw=none, above= of planchet] {$c_{new}$};
- \node (bnew) [def, draw=none, above right= of blinded] {$b_{new}$};
- \node (dice1) [def, draw=none, above = of
cnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (dice2) [def, draw=none, above = of
bnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (exchange) [node distance=4em and 0.5em, draw, below =of
blinded]{Exchange};
+\begin{frame}{Joomla! Taler payment plugin}
+\begin{minipage}{6cm}
+ \begin{itemize}
+ \item Joomla! is an e-commerce platform
+ \item Joomla! payment plugin enables payments via GNU Taler
+ \item Features include:
+ \begin{itemize}
+ \item Trivial configuration
+ \item Support for refunds
+ \item Full internationalization
+ \end{itemize}
+ \item Joomla! and its plugins are implemented in PHP
+ \end{itemize}
+\end{minipage}
+% FIXME: add screenshots
+%\begin{minipage}{5cm}
+% \includegraphics[width=4cm]{screenshots/woocommerce-cart.png}
+% \includegraphics[width=4cm]{screenshots/woocommerce-settings.png}
+% \end{minipage}
+\end{frame}
- \tikzstyle{C} = [color=black, line width=1pt]
- \draw [<-, C] (cnew) -- (dice1) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (planchet) -- (cnew) node [midway, above, sloped] (TextNode)
{};
- \draw [<-, C] (bnew) -- (dice2) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped]
(TextNode) {};
- \draw [<-, C] (blinded) -- (bnew) node [midway, above, sloped] (TextNode)
{};
- \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped]
(TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
- \pause
- \vfill
- {\bf Problem: Owner of $c_{new}$ may differ from owner of $c_{old}$!}
-\end{frame}
-\begin{frame}{Customer: Transfer key setup (ECDH)}
- \begin{minipage}{8cm}
- Given partially spent private coin key $c_{old}$:
- \begin{enumerate}
- \item Let $C_{old} := c_{old}G$ (as before)
- \item Create random private transfer key $t \mod o$
- \item Compute $T := tG$
- \item Compute $X := c_{old}(tG) = t(c_{old}G) = tC_{old}$
- \item Derive $c_{new}$ and $b_{new}$ from $X$
- \item Compute $C_{new} := c_{new}G$
- \item Compute $f_{new} := FDH(C_{new})$
- \item Transmit $f_{new}' := f_{new} b_{new}^e$
- \end{enumerate}
- \end{minipage}
- \begin{minipage}{4cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (t) [def, draw=none] at (0,0) {$t$};
- \node (dice) [def, draw=none, above = of
t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (dh) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
- \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new}$};
- \node (blinded) [def, draw=none, below right=of
cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (exchange) [node distance=4em and 0.5em, draw, below =of
blinded]{Exchange};
+\begin{frame}{Point-of-Sale App for Android}
- \tikzstyle{C} = [color=black, line width=1pt]
+\begin{minipage}{7cm}
+ \begin{itemize}
+ \item Allows merchant to generate orders against Taler backend
+ and display QR code to enable customer to pay in person
+ \item Patterned after ViewTouch restaurant UI
+ \item Features include:
+ \begin{itemize}
+ \item Internet-based configuration
+ \item Products sorted by categories
+ \item Easy undo of every operation
+ \item Manages multiple concurrent orders
+ \end{itemize}
+ \item The Point-of-Sale App is implemented in Kotlin
+ \end{itemize}
+\end{minipage}
+\begin{minipage}{4cm}
+ \includegraphics[width=4cm]{screenshots/Screenshot_20230224-194112.jpg}
+ \includegraphics[width=4cm]{screenshots/Screenshot_20230224-194119.jpg}
+ \includegraphics[width=4cm]{screenshots/Screenshot_20230224-195348.jpg}
+\end{minipage}
+\end{frame}
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped]
(TextNode) {{\small transmit}};
- \end{tikzpicture}
+
+\begin{frame}{Cashier App for Android}
+\begin{minipage}{4cm}
+ \begin{itemize}
+ \item Enables BFH staff to convert cash to e-cash
+ \item Staff has special bank accounts with limited funds
+ \item Students can pay staff in cash to receive e-cash
+ \item The Cashier App is implemented in Kotlin
+ \end{itemize}
+ \end{minipage}
+ \begin{minipage}{3cm}
+ \includegraphics[width=3cm]{screenshots/Screenshot_20230225-103315.png}
+ \end{minipage}
+ \begin{minipage}{3cm}
+ \includegraphics[width=3cm]{screenshots/Screenshot_20230225-103325.png}
\end{minipage}
\end{frame}
-\begin{frame}{Cut-and-Choose}
- \begin{minipage}{4cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (t) [def, draw=none] at (0,0) {$t_1$};
- \node (dice) [def, draw=none, above = of
t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (dh) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
- \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$};
- \node (blinded) [def, draw=none, below right=of
cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (exchange) [node distance=4em and 0.5em, draw, below =of
blinded]{Exchange};
+\begin{frame}{TalDir (WiP)}
+ TalDir is an extension to the existing
+ peer-to-peer payment functionality.
- \tikzstyle{C} = [color=black, line width=1pt]
+ \begin{itemize}
+ \item Registry to associate wallets with network addresses
+ \item Extensible to different types of network services:
+ \begin{itemize}
+ \item E-mail
+ \item SMS
+ \item Twitter
+ \item ...
+ \end{itemize}
+ \item Send payments or invoices to wallets associated with network address
+ \item Will {\bf not} require sending wallet to use same network service
+ \end{itemize}
+\end{frame}
- \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped]
(TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
- \begin{minipage}{4cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (t) [def, draw=none] at (0,0) {$t_2$};
- \node (dice) [def, draw=none, above = of
t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (dh) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
- \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,2}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,2}$};
- \node (blinded) [def, draw=none, below right=of
cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (exchange) [node distance=4em and 0.5em, draw, below =of
blinded]{Exchange};
- \tikzstyle{C} = [color=black, line width=1pt]
- \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped]
(TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
- \begin{minipage}{4cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (t) [def, draw=none] at (0,0) {$t_3$};
- \node (dice) [def, draw=none, above = of
t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
- \node (dh) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
- \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$};
- \node (blinded) [def, draw=none, below right=of
cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
- \node (exchange) [node distance=4em and 0.5em, draw, below =of
blinded]{Exchange};
- \tikzstyle{C} = [color=black, line width=1pt]
+\section{Protocol Basics}
- \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped]
(TextNode) {{\small transmit}};
- \end{tikzpicture}
- \end{minipage}
+\begin{frame}
+ \vfill
+ \begin{center}
+ {\bf Protocol Basics}
+ \end{center}
+ \vfill
\end{frame}
-\begin{frame}{Exchange: Choose!}
- \begin{center}
- \item Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the
customer.
- \end{center}
+\begin{frame}{A Bachelor's Thesis Video}
+ \begin{center}
+ \movie[%scale=0.6,
+ autostart,
+ poster]
+ {
+
\includegraphics[height=0.6\textwidth,width=0.8\textwidth]{white.png}
+ }
+ {cs-movie.mp4}
+ \end{center}
\end{frame}
-\begin{frame}{Customer: Reveal}
- \begin{enumerate}
- \item If $\gamma = 1$, send $t_2$, $t_3$ to exchange
- \item If $\gamma = 2$, send $t_1$, $t_3$ to exchange
- \item If $\gamma = 3$, send $t_1$, $t_2$ to exchange
- \end{enumerate}
+\begin{frame}{How does it work?}
+We use a few ancient constructions:
+ \begin{itemize}
+ \item Cryptographic hash function (1989)
+ \item Blind signature (1983)
+ \item Schnorr signature (1989)
+ \item Diffie-Hellman key exchange (1976)
+ \item Cut-and-choose zero-knowledge proof (1985)
+ \end{itemize}
+But of course we use modern instantiations.
\end{frame}
-\begin{frame}{Exchange: Verify ($\gamma = 2$)}
- \begin{minipage}{4cm}
+\begin{frame}{Definition: Taxability}
+ We say Taler is taxable because:
+ \begin{itemize}
+ \item Merchant's income is visible from deposits.
+ \item Hash of contract is part of deposit data.
+ \item State can trace income and enforce taxation.
+ \end{itemize}\pause
+ Limitations:
+ \begin{itemize}
+ \item withdraw loophole
+ \item {\em sharing} coins among family and friends
+ \end{itemize}
+\end{frame}
+
+
+\begin{frame}{Exchange setup: Create a denomination key (RSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Pick random primes $p,q$.
+ \item Compute $n := pq$, $\phi(n) = (p-1)(q-1)$
+ \item Pick small $e < \phi(n)$ such that
+ $d := e^{-1} \mod \phi(n)$ exists.
+ \item Publish public key $(e,n)$.
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
\begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (h) [def, draw=none] at (0,0) {$t_1$};
- \node (dh) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
- \node (d) [def, draw=none, above left= of dh] {$C_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$};
- \node (blinded) [def, draw=none, below right=of
cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \tikzstyle{def} = [node distance=1em and 1em, inner sep=0em, outer sep=.3em];
+ \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (primes) [draw=none, below = of origin] at (0,0) {$(p, q)$};
+ \node (seal) [def, draw=none, below left=of
primes]{\includegraphics[width=0.15\textwidth]{seal.pdf}};
+ \node (hammer) [def, draw=none, below right=of
primes]{\includegraphics[width=0.15\textwidth]{hammer.pdf}};
\tikzstyle{C} = [color=black, line width=1pt]
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (primes) -- (origin) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (hammer) -- (primes) node [midway, above, sloped] (TextNode)
{};
+ \end{tikzpicture}
+% \includegraphics[width=0.4\textwidth]{seal.pdf}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Merchant: Create a signing key (EdDSA)}
+ \begin{minipage}{6cm}
+ \begin{itemize}
+ \item pick random $m \mod o$ as private key
+ \item $M = mG$ public key
+ \end{itemize}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer
sep=.3em];
+ \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (m) [draw=none, below = of origin] at (0,0) {$m$};
+ \node (seal) [draw=none, below=of m]{M};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (m) -- (origin) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (seal) -- (primes) node [midway, above, sloped] (TextNode)
{};
\end{tikzpicture}
\end{minipage}
- \begin{minipage}{4cm}
- \
+ \parbox[t]{3cm}{{\bf Capability:} $m \Rightarrow$ }
+
\raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{merchant-sign.pdf}}
+\end{frame}
+
+
+\begin{frame}{Customer: Create a planchet (EdDSA)}
+ \begin{minipage}{8cm}
+ \begin{itemize}
+ \item Pick random $c \mod o$ private key
+ \item $C = cG$ public key
+ \end{itemize}
\end{minipage}
\begin{minipage}{4cm}
\begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (h) [def, draw=none] at (0,0) {$t_3$};
- \node (dh) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
- \node (d) [def, draw=none, above left= of dh] {$C_{old}$};
- \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$};
- \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$};
- \node (blinded) [def, draw=none, below right=of
cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer
sep=.3em];
+ \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (c) [draw=none, below = of origin] at (0,0) {$c$};
+ \node (planchet) [draw=none, below=of
c]{\includegraphics[width=0.4\textwidth]{planchet.pdf}};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (c) -- (origin) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (planchet) -- (c) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+ \parbox[t]{3cm}{{\bf Capability:} $c \Rightarrow$ }
+
\raisebox{\dimexpr-\height+\baselineskip}{\includegraphics[width=0.1\textwidth]{planchet-sign.pdf}}
+\end{frame}
+
+\begin{frame}{Customer: Blind planchet (RSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Obtain public key $(e,n)$
+ \item Compute $f := FDH(C)$, $f < n$.
+ \item Pick blinding factor $b \in \mathbb Z_n$
+ \item Transmit $f' := f b^e \mod n$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (origin) at (0,0) {\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (b) [def, draw=none, below = of origin] at (0,-0.2) {$b$};
+ \node (blinded) [def, draw=none, below right=of
b]{\includegraphics[width=0.2\textwidth]{blinded.pdf}};
+ \node (planchet) [def, draw=none, above right=of
blinded]{\includegraphics[width=0.15\textwidth]{planchet.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of
blinded]{Exchange};
\tikzstyle{C} = [color=black, line width=1pt]
- \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (b) -- (origin) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped]
(TextNode) {};
+ \draw [<-, C] (blinded) -- (b) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped]
(TextNode) {{\small transmit}};
\end{tikzpicture}
\end{minipage}
\end{frame}
-\begin{frame}{Exchange: Blind sign change (RSA)}
+\begin{frame}{Exchange: Blind sign (RSA)}
\begin{minipage}{6cm}
\begin{enumerate}
- \item Take $f_{new,\gamma}'$.
- \item Compute $s' := f_{new,\gamma}'^d \mod n$.
+ \item Receive $f'$.
+ \item Compute $s' := f'^d \mod n$.
\item Send signature $s'$.
\end{enumerate}
\end{minipage}
@@ -1315,17 +1322,18 @@ But of course we use modern instantiations.
\end{frame}
-\begin{frame}{Customer: Unblind change (RSA)}
+\begin{frame}{Customer: Unblind coin (RSA)}
\begin{minipage}{6cm}
\begin{enumerate}
\item Receive $s'$.
- \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$.
+ \item Compute $s := s' b^{-1} \mod n$ % \\
+ % ($(f')^d = (f b^e)^d = f^d b$).
\end{enumerate}
\end{minipage}
\begin{minipage}{6cm}
\begin{tikzpicture}
\tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$};
+ \node (b) [def, draw=none] at (0,0) {$b$};
\node (coin) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
\node (signed) [def, draw=none, above left=of
coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
\tikzstyle{C} = [color=black, line width=1pt]
@@ -1336,952 +1344,1243 @@ But of course we use modern instantiations.
\end{minipage}
\end{frame}
-
-\begin{frame}{Exchange: Allow linking change}
- \begin{minipage}{7cm}
- \begin{center}
- Given $C_{old}$
-
- \vspace{1cm}
-
- return $T_\gamma$, $s := s' b_{new,\gamma}^{-1} \mod n$.
+\begin{frame}{Withdrawing coins on the Web}
+ \begin{center}
+ \includegraphics[height=0.9\textheight]{figs/taler-withdraw.pdf}
\end{center}
- \end{minipage}
- \begin{minipage}{5cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer
sep=.3em];
- \node (co) [def, draw=none] at (0,0) {$C_{old}$};
- \node (T) [def, draw=none, below left=of co]{$T_\gamma$};
- \node (sign) [def, draw=none, below right=of
co]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
- \node (customer) [def, draw, below right=of T] {Customer};
+\end{frame}
- \tikzstyle{C} = [color=black, line width=1pt]
- \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode)
{link};
- \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode)
{link};
+\begin{frame}{Customer: Build shopping cart}
+ \begin{center}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1em and 1em, inner sep=0em, outer
sep=.3em];
+ \node (origin) [draw=none] at (0,0)
{\includegraphics[width=0.2\textwidth]{cart.pdf}};
+ \node (merchant) [node distance=4em and 0.5em, draw, below =of
origin]{\includegraphics[width=0.2\textwidth]{shop.pdf}};
+ \tikzstyle{C} = [color=black, line width=1pt];
+ \draw [<-, C] (merchant) -- (origin) node [midway, above, sloped]
(TextNode) {{\small transmit}};
\end{tikzpicture}
- \end{minipage}
+ \end{center}
\end{frame}
-\begin{frame}{Customer: Link (threat!)}
- \begin{minipage}{6.3cm}
- \begin{enumerate}
- \item Have $c_{old}$.
- \item Obtain $T_\gamma$, $s$ from exchange
- \item Compute $X_\gamma = c_{old}T_\gamma$
- \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$
- \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$
- \end{enumerate}
+\begin{frame}{Merchant Integration: Contract}
+ % \begin{figure*}[t!]
+ {\tiny
+ \lstset{language=JavaScript}
+ \lstinputlisting{figs/taler-contract.json}
+% \caption{Minimal Taler contract over a digital article with a value of
\EUR{0.10}. The merchant will pay transaction fees up to \EUR{0.01}. The hash
over the wire transfer information was truncated to make it fit to the page.}
+% \label{listing:json-contract}
+ % \end{figure*}
+ }
+\end{frame}
- \end{minipage}
- \begin{minipage}{5.7cm}
- \begin{tikzpicture}
- \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
- \node (T) [def, draw=none] at (0,0) {$T_\gamma$};
- \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange};
- \node (signed) [def, draw=none, below left=of
T]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
- \node (dh) [def, draw=none, below right=of
T]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
- \node (bp) [def, draw=none, below left= of dh] {$b_{new,\gamma}$};
- \node (co) [def, draw=none, above right= of dh] {$c_{old}$};
- \node (cp) [def, draw=none, below= of dh] {$c_{new,\gamma}$};
- \node (coin) [def, draw=none, below left = of
bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
- \node (psign) [def, node distance=2.5em and 0em, draw=none, below = of
cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}};
- \tikzstyle{C} = [color=black, line width=1pt]
+\begin{frame}{Merchant Integration: Payment Request}
+% \begin{figure}[p!]
+ \lstset{language=HTML5}
+ \lstinputlisting{figs/taler-402.html}
+% \caption{Sample HTTP response to prompt the wallet to show an offer.}
+% \label{listing:http-contract}
+% \end{figure}
- \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode)
{};
- \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {};
- \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode)
{link};
- \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped]
(TextNode) {link};
- \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped]
(TextNode) {};
- \end{tikzpicture}
- \end{minipage}
+% \begin{figure*}[p!]
+% \lstset{language=HTML5}
+% \lstinputlisting{figs/taler-contract.html}
+% \caption{Sample JavaScript code to prompt the wallet to show an offer.
+% Here, the contract is fetched on-demand from the server.
+% The {\tt taler\_pay()} function needs to be invoked
+% when the user triggers the checkout.}
+% \label{listing:contract}
+% \end{figure*}
\end{frame}
-\begin{frame}{Refresh protocol summary}
- \begin{itemize}
- \item Customer asks exchange to convert old coin to new coin
- \item Protocol ensures new coins can be recovered from old coin
- \item[$\Rightarrow$] New coins are owned by the same entity!
- \end{itemize}
- Thus, the refresh protocol allows:
- \begin{itemize}
- \item To give unlinkable change.
- \item To give refunds to an anonymous customer.
- \item To expire old keys and migrate coins to new ones.
- \item To handle protocol aborts.
- \end{itemize}
- \noindent
- \begin{center}
- \bf
- Transactions via refresh are equivalent to {\em sharing} a wallet.
-\end{center}
+
+\begin{frame}{Merchant: Propose contract (EdDSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Complete proposal $D$.
+ \item Send $D$, $EdDSA_m(D)$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance=2em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (cart) [def, draw=none] at (0,0)
{\includegraphics[width=0.15\textwidth]{cart.pdf}};
+ \node (proposal) [def, draw=none, below right=of
cart]{\includegraphics[width=0.5\textwidth]{merchant_propose.pdf}};
+ \node (customer) [node distance=4em and 0.5em, draw, below =of
proposal]{Customer};
+ \tikzstyle{C} = [color=black, line width=1pt];
+ \node (sign) [def, draw=none, above right=of proposal] {$m$};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (proposal) -- (sign) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (proposal) -- (cart) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (customer) -- (proposal) node [midway, above, sloped]
(TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
\end{frame}
+\begin{frame}{Customer: Spend coin (EdDSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Receive proposal $D$, $EdDSA_m(D)$.
+ \item Send $s$, $C$, $EdDSA_c(D)$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance=2em and 0.4em, inner sep=0em, outer
sep=.3em];
+ \node (proposal) [def, draw=none] at (0,0)
{\includegraphics[width=0.15\textwidth]{merchant_propose.pdf}};
+ \node (contract) [def, draw=none, below right=of
cart]{\includegraphics[width=0.3\textwidth]{contract.pdf}};
+ \node (c) [def, draw=none, above=of contract] {$c$};
+ \node (merchant) [node distance=4em and 0.5em, draw, below=of
contract]{Merchant};
+ \node (coin) [def, draw=none, right=of
contract]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
+ \tikzstyle{C} = [color=black, line width=1pt]
-\begin{frame}{Warranting deposit safety}
- Exchange has {\em another} online signing key $W = wG$:
- \begin{center}
- Sends $EdDSA_w(M,H(D),FDH(C))$ to the merchant.
- \end{center}
- This signature means that $M$ was the {\em first} to deposit
- $C$ and that the exchange thus must pay $M$.
+ \draw [<-, C] (contract) -- (c) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (contract) -- (proposal) node [midway, above, sloped]
(TextNode) {};
+ \draw [<-, C] (merchant) -- (contract) node [midway, above, sloped]
(TextNode) {{\small transmit}};
+ \draw [<-, C] (merchant) -- (coin) node [midway, below, sloped] (TextNode)
{{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Merchant and Exchange: Verify coin (RSA)}
+ \begin{minipage}{6cm}
+ \begin{equation*}
+ s^e \stackrel{?}{\equiv} FDH(C) \mod n
+ \end{equation*}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{minipage}{0.2\textwidth}
+ \includegraphics[width=\textwidth]{coin.pdf}
+ \end{minipage}
+ $\stackrel{?}{\Leftrightarrow}$
+ \begin{minipage}{0.2\textwidth}
+ \includegraphics[width=\textwidth]{seal.pdf}
+ \end{minipage}
+ \end{minipage}
\vfill
+ The exchange does not only verify the signature, but also
+ checks that the coin was not double-spent.
+ \vfill
+ \pause
\begin{center}
- Without this, an evil exchange could renege on the deposit
- confirmation and claim double-spending if a coin were
- deposited twice, and then not pay either merchant!
+ {\bf Taler is an online payment system.}
\end{center}
+ \vfill
\end{frame}
-\begin{frame}{Online keys}
-\begin{itemize}
-\item The exchange needs $d$ and $w$ to be available for online signing.
-\item The corresponding public keys $W$ and $(e,n)$ are certified using
- Taler's public key infrastructure (which uses offline-only keys).
-\end{itemize}
-\begin{center}
-\includegraphics[width=0.5\textwidth]{taler-diagram-signatures.png}
-\end{center}
-\vfill
-\begin{center}
-{\bf What happens if those private keys are compromised?}
-\end{center}
-\vfill
+\begin{frame}{Payment processing with Taler}
+ \begin{center}
+ \includegraphics[height=0.9\textheight]{figs/taler-pay.pdf}
+ \end{center}
\end{frame}
-\begin{frame}{Denomination key $(e,n)$ compromise}
-\begin{itemize}
-\item An attacker who learns $d$ can sign an arbitrary number of illicit coins
- into existence and deposit them.
-\item Auditor and exchange can detect this once the total number of deposits
- (illicit and legitimate) exceeds the number of legitimate coins the
- exchange created.
-\item At this point, $(e,n)$ is {\em revoked}. Users of {\em unspent}
- legitimate coins reveal $b$ from their withdrawal operation and
- obtain a {\em refund}.
-\item The financial loss of the exchange is {\em bounded} by the number of
- legitimate coins signed with $d$.
-\item[$\Rightarrow$] Taler frequently rotates denomination signing keys and
- deletes $d$ after the signing period of the respective key expires.
-\end{itemize}
-\begin{center}
-\includegraphics[width=0.5\textwidth]{taler-diagram-denom-expiration.png}
-\end{center}
+\begin{frame}{Giving change}
+ It would be inefficient to pay EUR 100 with 1 cent coins!
+ \begin{itemize}
+ \item Denomination key represents value of a coin.
+ \item Exchange may offer various denominations for coins.
+ \item Wallet may not have exact change!
+ \item Usability requires ability to pay given sufficient total funds.
+ \end{itemize}\pause
+ Key goals:
+ \begin{itemize}
+ \item maintain unlinkability
+ \item maintain taxability of transactions
+ \end{itemize}\pause
+ Method:
+ \begin{itemize}
+ \item Contract can specify to only pay {\em partial value} of a coin.
+ \item Exchange allows wallet to obtain {\em unlinkable change}
+ for remaining coin value.
+ \end{itemize}
\end{frame}
-\begin{frame}{Online signing key $W$ compromise}
-\begin{itemize}
-\item An attacker who learns $w$ can sign deposit confirmations.
-\item Attacker sets up two (or more) merchants and customer(s) which
double-spend
- legitimate coins at both merchants.
-\item The merchants only deposit each coin once at the exchange and get paid
once.
-\item The attacker then uses $w$ to fake deposit confirmations for the
double-spent
- transactions.
-\item The attacker uses the faked deposit confirmations to complain to the
auditor
- that the exchange did not honor the (faked) deposit confirmations.
-\end{itemize}
-The auditor can then detect the double-spending, but cannot tell who is to
blame,
-and (likely) would presume an evil exchange, forcing it to pay both merchants.
-\end{frame}
-
+\begin{frame}{Diffie-Hellman (ECDH)}
+ \begin{minipage}{8cm}
+ \begin{enumerate}
+ \item Create private keys $c,t \mod o$
+ \item Define $C = cG$
+ \item Define $T = tG$
+ \item Compute DH \\ $cT = c(tG) = t(cG) = tC$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t$};
+ \node (ct) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{dh.pdf}};
+ \node (c) [def, draw=none, above left= of ct] {$c$};
+ \tikzstyle{C} = [color=black, line width=1pt]
-\begin{frame}{Detecting online signing key $W$ compromise}
-\begin{itemize}
-\item Merchants are required to {\em probabilistically} report
- signed deposit confirmations to the auditor.
-\item Auditor can thus detect exchanges not reporting signed
- deposit confirmations.
-\item[$\Rightarrow$] Exchange can rekey if illicit key use is detected,
- then only has to honor deposit confirmations it already provided
- to the auditor {\em and} those without proof of double-spending
- {\em and} those merchants reported to the auditor.
-\item[$\Rightarrow$] Merchants that do not participate in reporting
- to the auditor risk their deposit permissions being voided in
- cases of an exchange's private key being compromised.
-\end{itemize}
+ \draw [<-, C] (ct) -- (c) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (ct) -- (t) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
\end{frame}
-\section{Offline payments}
+\begin{frame}{Strawman solution}
+ \begin{minipage}{8cm}
+ Given partially spent private coin key $c_{old}$:
+ \begin{enumerate}
+% \item Let $C_{old} := c_{old}G$ (as before)
+ \item Pick random $c_{new} \mod o$ private key
+ \item $C_{new} = c_{new}G$ public key
+ \item Pick random $b_{new}$
+ \item Compute $f_{new} := FDH(C_{new})$, $m < n$.
+ \item Transmit $f'_{new} := f_{new} b_{new}^e \mod n$
+ \end{enumerate}
+ ... and sign request for change with $c_{old}$.
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (blinded) [def,
draw=none]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (planchet) [def, draw=none, above left= of blinded]
{\includegraphics[width=0.15\textwidth]{planchet.pdf}};
+ \node (cnew) [def, draw=none, above= of planchet] {$c_{new}$};
+ \node (bnew) [def, draw=none, above right= of blinded] {$b_{new}$};
+ \node (dice1) [def, draw=none, above = of
cnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dice2) [def, draw=none, above = of
bnew]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of
blinded]{Exchange};
-\begin{frame}
- \vfill
- \begin{center}
- {\bf Offline payments}
- \end{center}
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (cnew) -- (dice1) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (planchet) -- (cnew) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (bnew) -- (dice2) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (planchet) node [midway, above, sloped]
(TextNode) {};
+ \draw [<-, C] (blinded) -- (bnew) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped]
(TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+ \pause
\vfill
+ {\bf Problem: Owner of $c_{new}$ may differ from owner of $c_{old}$!}
\end{frame}
-\begin{frame}{Requirements: Online vs. Offline Digital Currencies}
-\framesubtitle{\url{https://taler.net/papers/euro-bearer-online-2021.pdf}}
-\begin{itemize}
- \item Offline capabilities are sometimes cited as a requirement for
digital payment solutions
- \item All implementations must either use restrictive hardware elements
and/or introduce
- counterparty risk.
- \item[$\Rightarrow$] Permanent offline features weaken a digital payment
solution (privacy, security)
- \item[$\Rightarrow$] Introduces unwarranted competition for physical cash
(endangers emergency-preparedness).
- \end{itemize}
- We recommend a tiered approach:
- \begin{enumerate}
- \item Online-first, bearer-based digital currency with Taler
- \item (Optional:) Limited offline mode for network outages
- \item Physical cash for emergencies (power outage, catastrophic cyber
incidents)
- \end{enumerate}
+\begin{frame}{Customer: Transfer key setup (ECDH)}
+ \begin{minipage}{8cm}
+ Given partially spent private coin key $c_{old}$:
+ \begin{enumerate}
+ \item Let $C_{old} := c_{old}G$ (as before)
+ \item Create random private transfer key $t \mod o$
+ \item Compute $T := tG$
+ \item Compute $X := c_{old}(tG) = t(c_{old}G) = tC_{old}$
+ \item Derive $c_{new}$ and $b_{new}$ from $X$
+ \item Compute $C_{new} := c_{new}G$
+ \item Compute $f_{new} := FDH(C_{new})$
+ \item Transmit $f_{new}' := f_{new} b_{new}^e$
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t$};
+ \node (dice) [def, draw=none, above = of
t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dh) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new}$};
+ \node (blinded) [def, draw=none, below right=of
cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of
blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped]
(TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Cut-and-Choose}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t_1$};
+ \node (dice) [def, draw=none, above = of
t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dh) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$};
+ \node (blinded) [def, draw=none, below right=of
cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of
blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped]
(TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t_2$};
+ \node (dice) [def, draw=none, above = of
t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dh) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,2}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,2}$};
+ \node (blinded) [def, draw=none, below right=of
cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of
blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped]
(TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (t) [def, draw=none] at (0,0) {$t_3$};
+ \node (dice) [def, draw=none, above = of
t]{\includegraphics[width=0.2\textwidth]{dice.pdf}};
+ \node (dh) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$};
+ \node (blinded) [def, draw=none, below right=of
cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (exchange) [node distance=4em and 0.5em, draw, below =of
blinded]{Exchange};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (t) -- (dice) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (t) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (exchange) -- (blinded) node [midway, above, sloped]
(TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Exchange: Choose!}
+ \begin{center}
+ \item Exchange sends back random $\gamma \in \{ 1, 2, 3 \}$ to the
customer.
+ \end{center}
+\end{frame}
+
+
+\begin{frame}{Customer: Reveal}
+ \begin{enumerate}
+ \item If $\gamma = 1$, send $t_2$, $t_3$ to exchange
+ \item If $\gamma = 2$, send $t_1$, $t_3$ to exchange
+ \item If $\gamma = 3$, send $t_1$, $t_2$ to exchange
+ \end{enumerate}
+\end{frame}
+
+
+\begin{frame}{Exchange: Verify ($\gamma = 2$)}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (h) [def, draw=none] at (0,0) {$t_1$};
+ \node (dh) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$C_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,1}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,1}$};
+ \node (blinded) [def, draw=none, below right=of
cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \
+ \end{minipage}
+ \begin{minipage}{4cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (h) [def, draw=none] at (0,0) {$t_3$};
+ \node (dh) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (d) [def, draw=none, above left= of dh] {$C_{old}$};
+ \node (cp) [def, draw=none, below left= of dh] {$c_{new,3}$};
+ \node (bp) [def, draw=none, below right= of dh] {$b_{new,3}$};
+ \node (blinded) [def, draw=none, below right=of
cp]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (dh) -- (d) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (h) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (cp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (blinded) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Exchange: Blind sign change (RSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Take $f_{new,\gamma}'$.
+ \item Compute $s' := f_{new,\gamma}'^d \mod n$.
+ \item Send signature $s'$.
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (hammer) [def, draw=none] at (0,0)
{\includegraphics[width=0.15\textwidth]{hammer.pdf}};
+ \node (signed) [def, draw=none, below left=of
hammer]{\includegraphics[width=0.2\textwidth]{sign.pdf}};
+ \node (blinded) [def, draw=none, above left=of
signed]{\includegraphics[width=0.15\textwidth]{blinded.pdf}};
+ \node (customer) [node distance=4em and 0.5em, draw, below =of
signed]{Customer};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (signed) -- (hammer) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (signed) -- (blinded) node [midway, above, sloped]
(TextNode) {};
+ \draw [<-, C] (customer) -- (signed) node [midway, above, sloped]
(TextNode) {{\small transmit}};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Customer: Unblind change (RSA)}
+ \begin{minipage}{6cm}
+ \begin{enumerate}
+ \item Receive $s'$.
+ \item Compute $s := s' b_{new,\gamma}^{-1} \mod n$.
+ \end{enumerate}
+ \end{minipage}
+ \begin{minipage}{6cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 2em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (b) [def, draw=none] at (0,0) {$b_{new,\gamma}$};
+ \node (coin) [def, draw=none, below left=of
b]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
+ \node (signed) [def, draw=none, above left=of
coin]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (coin) -- (b) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode)
{};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Exchange: Allow linking change}
+ \begin{minipage}{7cm}
+ \begin{center}
+ Given $C_{old}$
+
+ \vspace{1cm}
+
+ return $T_\gamma$, $s := s' b_{new,\gamma}^{-1} \mod n$.
+ \end{center}
+ \end{minipage}
+ \begin{minipage}{5cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 3em and 0.5em, inner sep=0.5em, outer
sep=.3em];
+ \node (co) [def, draw=none] at (0,0) {$C_{old}$};
+ \node (T) [def, draw=none, below left=of co]{$T_\gamma$};
+ \node (sign) [def, draw=none, below right=of
co]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
+ \node (customer) [def, draw, below right=of T] {Customer};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (T) -- (co) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (sign) -- (co) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (customer) -- (T) node [midway, above, sloped] (TextNode)
{link};
+ \draw [<-, C] (customer) -- (sign) node [midway, above, sloped] (TextNode)
{link};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Customer: Link (threat!)}
+ \begin{minipage}{6.3cm}
+ \begin{enumerate}
+ \item Have $c_{old}$.
+ \item Obtain $T_\gamma$, $s$ from exchange
+ \item Compute $X_\gamma = c_{old}T_\gamma$
+ \item Derive $c_{new,\gamma}$ and $b_{new,\gamma}$ from $X_\gamma$
+ \item Unblind $s := s' b_{new,\gamma}^{-1} \mod n$
+ \end{enumerate}
+
+ \end{minipage}
+ \begin{minipage}{5.7cm}
+ \begin{tikzpicture}
+ \tikzstyle{def} = [node distance= 1.5em and 0.5em, inner sep=0em, outer
sep=.3em];
+ \node (T) [def, draw=none] at (0,0) {$T_\gamma$};
+ \node (exchange) [def, inner sep=0.5em, draw, above left=of T] {Exchange};
+ \node (signed) [def, draw=none, below left=of
T]{\includegraphics[width=0.15\textwidth]{sign.pdf}};
+ \node (dh) [def, draw=none, below right=of
T]{\includegraphics[width=0.2\textwidth]{ct.pdf}};
+ \node (bp) [def, draw=none, below left= of dh] {$b_{new,\gamma}$};
+ \node (co) [def, draw=none, above right= of dh] {$c_{old}$};
+ \node (cp) [def, draw=none, below= of dh] {$c_{new,\gamma}$};
+ \node (coin) [def, draw=none, below left = of
bp]{\includegraphics[width=0.2\textwidth]{coin.pdf}};
+ \node (psign) [def, node distance=2.5em and 0em, draw=none, below = of
cp]{\includegraphics[width=0.2\textwidth]{planchet-sign.pdf}};
+
+ \tikzstyle{C} = [color=black, line width=1pt]
+
+ \draw [<-, C] (dh) -- (co) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (dh) -- (T) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (cp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (bp) -- (dh) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (coin) -- (signed) node [midway, above, sloped] (TextNode)
{};
+ \draw [<-, C] (coin) -- (bp) node [midway, above, sloped] (TextNode) {};
+ \draw [<-, C] (T) -- (exchange) node [midway, above, sloped] (TextNode)
{link};
+ \draw [<-, C] (signed) -- (exchange) node [midway, below, sloped]
(TextNode) {link};
+ \draw [<-, C, double] (psign) -- (cp) node [midway, below, sloped]
(TextNode) {};
+ \end{tikzpicture}
+ \end{minipage}
+\end{frame}
+
+
+\begin{frame}{Refresh protocol summary}
+ \begin{itemize}
+ \item Customer asks exchange to convert old coin to new coin
+ \item Protocol ensures new coins can be recovered from old coin
+ \item[$\Rightarrow$] New coins are owned by the same entity!
+ \end{itemize}
+ Thus, the refresh protocol allows:
+ \begin{itemize}
+ \item To give unlinkable change.
+ \item To give refunds to an anonymous customer.
+ \item To expire old keys and migrate coins to new ones.
+ \item To handle protocol aborts.
+ \end{itemize}
+ \noindent
+ \begin{center}
+ \bf
+ Transactions via refresh are equivalent to {\em sharing} a wallet.
+\end{center}
+\end{frame}
+
+
+\section{Attacks \& Defenses}
+
+\begin{frame}
+ \vfill
+ \begin{center}
+ \vfill
+ {\bf Attacks \& Defenses}
+ \vfill
+ \end{center}
+ \vfill
+\end{frame}
+
+
+\begin{frame}{Key management}
+Taler has many types of keys:
+\begin{itemize}
+\item Coin keys
+\item Denomination keys
+\item Online message signing keys
+\item Offline key signing keys
+\item Merchant keys
+\item Auditor key
+\item Security module keys
+\item Transfer keys
+\item Wallet keys
+\item {\em TLS keys, DNSSEC keys}
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Offline keys}
+Both exchange and auditor use offline keys.
+\begin{itemize}
+\item Those keys must be backed up and remain highly confidential!
+\item We recommend that computers that have ever had access to those
+ keys to NEVER again go online.
+\item We recommend using a Raspberry Pi for offline key operations.
+ Store it in a safe under multiple locks and keys.
+\item Apply full-disk encryption on offline-key signing systems.
+\item Have 3--5 full-disk backups of offline-key signing systems.
+\end{itemize}
+\begin{center}
+\includegraphics[scale=0.1]{pi.png}
+\end{center}
\end{frame}
-\begin{frame}{Fully Offline Payments {\bf (WiP)}}
-\framesubtitle{\url{https://docs.taler.net/design-documents/030-offline-payments.html}}
-Many central banks today demand offline capabilities for digital payment
solutions.
+\begin{frame}{Online keys}
+The exchange needs RSA and EdDSA keys to be available for online signing.
+\begin{itemize}
+\item Knowledge of these private keys will allow an adversary to
+ mint digital cash, possibly resulting in huge financial losses
+ (eventually, this will be detected by the auditor, but only
+ after some financial losses have been irrevocably incurred).
+\item The corresponding public keys are certified using
+ Taler's public key infrastructure (which uses offline-only keys).
+\end{itemize}
+\begin{center}
+\includegraphics[width=0.5\textwidth]{taler-diagram-signatures.png}
+\end{center}
\vfill
-\noindent
-Three possible approaches:
-\begin{enumerate}
- \item Trust-based offline payments (has counterparty and/or privacy risks)
- \item Full HSM Taler wallet (has hardware costs)
- \item Light-weight HSM balance register
-\end{enumerate}
+{\tt taler-exchange-offline} can also be used to {\bf revoke} the
+online signing keys, if we find they have been compromised.
\vfill
\end{frame}
-\begin{frame}{Partially Offline Payments with GNU Taler\footnote{Joint work
with Emmanuel Benoist, Priscilla Huang and Sebastian Marchano}}
+\begin{frame}{Protecting online keys}
+The exchange needs RSA and EdDSA keys to be available for online signing.
+\begin{itemize}
+\item {\tt taler-exchange-secmod-rsa} and {\tt taler-exchange-secmod-eddsa}
+ are the only processes that must have access to the private keys.
+\item The secmod processes should run under a different UID, but share
+ the same GID with the exchange.
+\item The secmods generate the keys, allow {\tt taler-exchange-httpd} to sign
with
+ them, and eventually delete the private keys.
+\item Communication between secmods and {\tt taler-exchange-httpd} is via
+ a UNIX domain socket.
+\item Online private keys are stored on disk (not in database!) and should
+ NOT be backed up (RAID should suffice). If disk is lost, we can always
+ create fresh replacement keys!
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Online keys}
+\begin{itemize}
+\item The exchange needs $d$ and $w$ to be available for online signing.
+\item The corresponding public keys $W$ and $(e,n)$ are certified using
+ Taler's public key infrastructure (which uses offline-only keys).
+\end{itemize}
\begin{center}
-\resizebox{8cm}{7cm}{
-\begin{sequencediagram}
- \newinst{pos}{\shortstack{PoS \\
- \\ \begin{tikzpicture}
- \node [fill=gray!20,draw=black,thick ,align=center] {PoS key \\ PoS
ID};
- \end{tikzpicture}
- }}
- \newinst[2]{customer}{\shortstack{Customer \\
- \\ \begin{tikzpicture}
- \node [fill=gray!20,draw=black,thick ,align=center] {Digital \\
Wallet};
- \end{tikzpicture}
- }}
- \newinst[2]{backend}{\shortstack{Merchant Backend \\
- \\ \begin{tikzpicture}[shape aspect=.5]
- \tikzset{every node/.style={cylinder, shape border rotate=90,
draw,fill=gray!25}}
- \node at (1.5,0) {\shortstack{{\tiny PoS key} \\ {\tiny PoS ID}}};
- \end{tikzpicture}
- }}
- \postlevel
- \mess[0]{pos}{PoS ID}{customer}
- \begin{sdblock}{optional}{}
- \begin{callself}{customer}{Amount}{}
- \end{callself}
- \end{sdblock}
- \prelevel
- \prelevel
- \prelevel
- \prelevel
- \prelevel
- \begin{sdblock}{optional}{}
- \begin{callself}{pos}{Amount}{}
- \end{callself}
- \end{sdblock}
- \postlevel
- \mess[0]{customer}{PoS ID, [Amount]?}{backend}
- \mess[0]{backend}{Contract}{customer}
- \postlevel
- \mess[0]{customer}{Payment}{backend}
- \begin{callself}{pos}{OTP(PoS key)}{}
- \end{callself}
- \prelevel
- \prelevel
- \begin{callself}{backend}{OTP(PoS key)}{}
- \end{callself}
- \mess[0]{backend}{OTP code}{customer}
- \postlevel
- \mess[0]{customer}{OTP code}{pos}
-\end{sequencediagram}
-}
+\includegraphics[width=0.5\textwidth]{taler-diagram-signatures.png}
+\end{center}
+\vfill
+\begin{center}
+{\bf What happens if those private keys are compromised?}
\end{center}
+\vfill
\end{frame}
+\begin{frame}{Denomination key $(e,n)$ compromise}
+\begin{itemize}
+\item An attacker who learns $d$ can sign an arbitrary number of illicit coins
+ into existence and deposit them.
+\item Auditor and exchange can detect this once the total number of deposits
+ (illicit and legitimate) exceeds the number of legitimate coins the
+ exchange created.
+\item At this point, $(e,n)$ is {\em revoked}. Users of {\em unspent}
+ legitimate coins reveal $b$ from their withdrawal operation and
+ obtain a {\em refund}.
+\item The financial loss of the exchange is {\em bounded} by the number of
+ legitimate coins signed with $d$.
+\item[$\Rightarrow$] Taler frequently rotates denomination signing keys and
+ deletes $d$ after the signing period of the respective key expires.
+\end{itemize}
+\begin{center}
+\includegraphics[width=0.5\textwidth]{taler-diagram-denom-expiration.png}
+\end{center}
+\end{frame}
-\section{Programmable money: Age restrictions}
-\begin{frame}
- \vfill
- \begin{center}
- {\bf Programmable money: Age restrictions}
- \end{center}
- \vfill
+\begin{frame}{Online signing key $W$ compromise}
+\begin{itemize}
+\item An attacker who learns $w$ can sign deposit confirmations.
+\item Attacker sets up two (or more) merchants and customer(s) which
double-spend
+ legitimate coins at both merchants.
+\item The merchants only deposit each coin once at the exchange and get paid
once.
+\item The attacker then uses $w$ to fake deposit confirmations for the
double-spent
+ transactions.
+\item The attacker uses the faked deposit confirmations to complain to the
auditor
+ that the exchange did not honor the (faked) deposit confirmations.
+\end{itemize}
+The auditor can then detect the double-spending, but cannot tell who is to
blame,
+and (likely) would presume an evil exchange, forcing it to pay both merchants.
\end{frame}
-\begin{frame}{Age restriction in E-commerce}
+\begin{frame}{Detecting online signing key $W$ compromise}
+\begin{itemize}
+\item Merchants are required to {\em probabilistically} report
+ signed deposit confirmations to the auditor.
+\item Auditor can thus detect exchanges not reporting signed
+ deposit confirmations.
+\item[$\Rightarrow$] Exchange can rekey if illicit key use is detected,
+ then only has to honor deposit confirmations it already provided
+ to the auditor {\em and} those without proof of double-spending
+ {\em and} those merchants reported to the auditor.
+\item[$\Rightarrow$] Merchants that do not participate in reporting
+ to the auditor risk their deposit permissions being voided in
+ cases of an exchange's private key being compromised.
+\end{itemize}
+\end{frame}
- \begin{description}
- \item[Problem:]~\\[1em]
- Verification of minimum age requirements in
e-commerce.\\[2em]
- \item[Common solutions:]
+\begin{frame}{Warranting deposit safety}
+ Exchange has {\em another} online signing key $W = wG$:
+ \begin{center}
+ Sends $EdDSA_w(M,H(D),FDH(C))$ to the merchant.
+ \end{center}
+ This signature means that $M$ was the {\em first} to deposit
+ $C$ and that the exchange thus must pay $M$.
+ \vfill
+ \begin{center}
+ Without this, an evil exchange could renege on the deposit
+ confirmation and claim double-spending if a coin were
+ deposited twice, and then not pay either merchant!
+ \end{center}
+\end{frame}
-\begin{tabular}{l<{\onslide<2->}c<{\onslide<3->}cr<{\onslide}}
- & \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}&
\\[\medskipamount]
- 1. ID Verification & bad & required & \\[\medskipamount]
- 2. Restricted Accounts & bad & required & \\[\medskipamount]
- 3. Attribute-based & good & required &\tikzmark{bottomau}
\\[\medskipamount]
-\end{tabular}
- \end{description}
-\uncover<4->{
- \begin{tikzpicture}[overlay,remember picture]
- \draw[orange,thick,rounded corners]
- ($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau)
-(0.3, 0.2)$);
- \end{tikzpicture}
- \begin{center}
- \bf Principle of Subsidiarity is violated
- \end{center}
-}
+\begin{frame}{Database}
+The exchange needs the database to detect double spending.
+\begin{itemize}
+\item Loss of the database will allow technically skilled people
+ to double-spend their digital cash, possibly resulting in
+ significant financial losses.
+\item The database contains total amounts customers withdrew and
+ merchants received, so sensitive private banking data. It
+ must thus not become public.
+\item The auditor must have a (current) copy. Asynchronous replication
+ should be sufficient. This copy can also serve as an
+ additional (off-site?) backup.
+\end{itemize}
\end{frame}
-\begin{frame}{Principle of Subsidiarity}
-\begin{center} \Large
- Functions of government---such as granting and restricting
- rights---should be performed\\
- {\it at the lowest level of authority possible},\\
- as long as they can be performed {\it adequately}.
-\end{center}
-\vfill
-\uncover<2->{
- For age-restriction, the lowest level of authority is:\\
- \begin{center}\Large
- Parents, guardians and caretakers
- \end{center}
-}
+\begin{frame}{taler-exchange-wirewatch}
+{\tt taler-exchange-wirewatch} needs credentials to access data about
+incoming wire transfers from the Nexus.
+\begin{itemize}
+\item This tool should run as a separate UID and GID (from
+ {\tt taler-exchange-httpd}).
+\item It must have access to the Postgres database (SELECT + INSERT).
+\item Its configuration file contains the credentials to talk to Nexus.
+\item[$\Rightarrow$] Configuration should be separate from {\tt
taler-exchange-httpd}.
+\end{itemize}
\end{frame}
-\begin{frame}{Age restriction design for GNU Taler}
-Design and implementation of an age restriction scheme\\
-with the following goals:
+\begin{frame}{taler-exchange-transfer}
+Only {\tt taler-exchange-transfer} needs credentials to initiate wire
+transfers using the Nexus.
+\begin{itemize}
+\item This tool should run as a separate UID and GID (from
+ {\tt taler-exchange-httpd}).
+\item It must have access to the Postgres database (SELECT + INSERT).
+\item Its configuration file contains the credentials to talk to Nexus.
+\item[$\Rightarrow$] Configuration should be separate from {\tt
taler-exchange-httpd}.
+\end{itemize}
+\end{frame}
-\begin{enumerate}
-\item It ties age restriction to the \textbf{ability to pay} (not to ID's)
-\item maintains \textbf{anonymity of buyers}
-\item maintains \textbf{unlinkability of transactions}
-\item aligns with \textbf{principle of subsidiartiy}
-\item is \textbf{practical and efficient}
-\end{enumerate}
+\begin{frame}{libeufin-nexus}
+libeufin-nexus has to be able to interact with the escrow account of the
exchange.
+\begin{itemize}
+\item It must have the private keys to sign EBICS/FinTS messages.
+\item It also has its own local database.
+\item The Nexus user and database should be kept separate from
+ the other exchange users and the Taler exchange database.
+\end{itemize}
\end{frame}
-\begin{frame}{Age restriction}
- \framesubtitle{Assumptions and scenario}
-
- \begin{columns}
- \column{7.5cm}
- \begin{itemize}
- \item<1-> Assumption: Checking accounts are under control of
eligible adults/guardians.
- \item<2-> \textit{Guardians} \textbf{commit} to an maximum age
- \item<3-> \textit{Minors} \textbf{attest} their adequate age
- \item<4-> \textit{Merchants} \textbf{verify} the attestations
- \item<5-> Minors \textbf{derive} age commitments from existing
ones
- \item<6-> \textit{Exchanges} \textbf{compare} the derived age
commitments
- \end{itemize}
- \column{5cm}
- \uncover<7->
- {
- \begin{center}
- \fontsize{7pt}{7pt}\selectfont
- \begin{tikzpicture}[scale=.5]
- \node[circle,minimum size=15pt,fill=black!15] at ( 60:4)
(Exchange) {$\Exchange$};
- \node[circle,minimum size=15pt,fill=black!15] at ( 0:0)
(Client) {$\Child$};
- \node[circle,minimum size=15pt,fill=black!15] at ( 0:4)
(Merchant) {$\Merchant$};
- \node[circle,minimum size=15pt,fill=blue!15] at (140:3)
(Guardian) {$\Guardian$};
+\begin{frame}{Hardware}
+General notions:
+\begin{itemize}
+\item Platforms with disabled Intel ME \& disabled remote administration are
safer.
+\item VMs are not a security mechanism. Side-channel attacks abound. Avoid
running any
+ Taler component in a virtual machine ``for security''.
+\end{itemize}
+\end{frame}
- \draw[->] (Guardian) to [out=50,in=130, loop] node[above]
- {$\Commit$} (Guardian);
- \draw[->,blue] (Client) to [out=-125,in=-190, loop]
node[below,left]
- {\blue{$\Attest$}} (Client);
- \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
- {\blue{$\Verify$}} (Merchant);
- \draw[->,orange] (Client) to [out=-35,in=-100, loop]
node[below]
- {\orange{$\Derive$}} (Client);
- \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
- {\orange{$\Compare$}} (Exchange);
- \draw[orange,|->] (Client) to node[sloped,above,align=left]
- {\orange{\scriptsize }} (Exchange);
- \draw[blue,|->] (Client) to node[sloped, above]
- {\blue{\scriptsize }} (Merchant);
- \draw[,|->] (Guardian) to node[above,sloped,align=left]
- {{\scriptsize }} (Client);
- \end{tikzpicture}
- \end{center}
- }
- \end{columns}
- \vfill
- \uncover<7->{Note: Scheme is independent of payment service protocol.}
+\begin{frame}{Operating system}
+General notions:
+\begin{itemize}
+\item It should be safe to run the different Taler components (including
Nginx, Nexus
+ and Postgres) all on the same physical hardware (under different
UIDs/GIDs).
+ We would separate them onto different physical machines during
scale-out, but not
+ necessarily for ``basic'' security.
+\item Limiting and auditing system administrator access will be crucial.
+\item We recommend to {\bf not} use any anti-virus.
+\item We recommend using a well-supported GNU/Linux operating system (such as
+ Debian or Ubuntu).
+\end{itemize}
\end{frame}
-\begin{frame}{Formal Function Signatures}
-\small
-Searching for functions \uncover<2->{with the following signatures}
-\begin{align*}
- &\bf \Commit\uncover<2->{:
- &(\age, \omega) &\mapsto (\commitment, \pruf)
- &\scriptstyle \N_\Age \times \Omega &\scriptstyle \to
\Commitments\times\Proofs,
- }
- \\
- &\bf \Attest\uncover<3->{:
- &(\minage, \commitment, \pruf) &\mapsto \attest
- &\scriptstyle \N_\Age\times\Commitments\times\Proofs
&\scriptstyle \to \Attests \cup \{\Nil\},
- }
- \\
- &\bf \Verify\uncover<4->{:
- &(\minage, \commitment, \attest) &\mapsto b
- &\scriptstyle \N_\Age\times\Commitments\times\Attests
&\scriptstyle \to \Z_2,
- }
- \\
- &\bf \Derive\uncover<5->{:
- &(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf',
\blinding)
- &\scriptstyle \Commitments\times\Proofs\times\Omega
&\scriptstyle \to \Commitments\times\Proofs\times\Blindings,
- }
- \\
- &\bf \Compare\uncover<6->{:
- &(\commitment, \commitment', \blinding) &\mapsto b
- &\scriptstyle \Commitments\times\Commitments\times\Blindings
&\scriptstyle \to \Z_2,
- }
-\end{align*}
- \uncover<7->{
- with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$
- sufficiently large sets.\\[1em]
- Basic and security requirements are defined later.\\[2em]
- }
-
- \scriptsize
- \uncover<2->{
- Mnemonics:\\
- $\Commitments=$ \textit{c$\Commitments$mmitments},
- $\commitment=$ \textit{Q-mitment} (commitment),
- $\Proofs=$ \textit{$\Proofs$roofs},
- }
- \uncover<3->{
- $\pruf=$ \textit{$\pruf$roof},\\
- $\Attests=$ \textit{a$\Attests$testations},
- $\attest=$ \textit{a$\attest$testation},
- }
- \uncover<5->{
- $\Blindings=$ \textit{$\Blindings$lindings},
- $\blinding=$ \textit{$\blinding$linding}.
- }
+\begin{frame}{Network}
+\begin{itemize}
+\item We recommend to {\bf not} use any host-based firewall.
+ Taler components can use UNIX domain sockets (or bind to localhost).
+\item A network-based
+ firewall is not required, but as long as TCP 80/443 are open Taler should
+ work fine.
+\item Any firewall must be configured to permit connection to Auditor
+ for database synchronization.
+\item We recommend running the Taler exchange behind an Nginx or Apache
+ proxy for TLS termination.
+\item We recommend using static IP address configurations (IPv4 and IPv6).
+\item We recommend using DNSSEC with DANE in addition to TLS certificates.
+\item We recommend auditing the TLS setup using
\url{https://observatory.mozilla.org}.
+\end{itemize}
\end{frame}
-\begin{frame}{Age restriction}
- \framesubtitle{Naïve scheme}
- \begin{center}
- \begin{tikzpicture}[scale=.85]
- \node[circle,minimum size=20pt,fill=black!15] at ( 60:4)
(Exchange) {$\Exchange$};
- \node[circle,minimum size=20pt,fill=black!15] at ( 0:0)
(Client) {$\Child$};
- \node[circle,minimum size=20pt,fill=black!15] at ( 0:4)
(Merchant) {$\Merchant$};
- \node[circle,minimum size=20pt,fill=blue!15] at (140:3)
(Guardian) {$\Guardian$};
-
- \draw[->] (Guardian) to [out=50,in=130, loop] node[above]
- {$\Commit$} (Guardian);
- \draw[->,blue] (Client) to [out=-125,in=-190, loop]
node[below,left]
- {\blue{$\Attest$}} (Client);
- \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
- {\blue{$\Verify$}} (Merchant);
- \draw[->,orange] (Client) to [out=-35,in=-100, loop]
node[below]
- {\orange{$\Derive$}} (Client);
- \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
- {\orange{$\Compare$}} (Exchange);
- \draw[orange,|->] (Client) to node[sloped,above,align=left]
- {\orange{\scriptsize }} (Exchange);
- \draw[blue,|->] (Client) to node[sloped, above]
- {\blue{\scriptsize }} (Merchant);
- \draw[,|->] (Guardian) to node[above,sloped,align=left]
- {{\scriptsize }} (Client);
- \end{tikzpicture}
- \end{center}
-\end{frame}
-\begin{frame}{Achieving Unlinkability}
- \begin{columns}
- \column{3cm}
- \begin{center}
- \fontsize{8pt}{9pt}\selectfont
- \begin{tikzpicture}[scale=.65]
- \node[circle,minimum size=20pt,fill=black!15] at (
60:4) (Exchange) {$\Exchange$};
- \node[circle,minimum size=20pt,fill=black!15] at (
0:0) (Client) {$\Child$};
- \draw[->,orange] (Client) to [out=-35,in=-100, loop]
node[below]
- {\orange{$\footnotesize \Derive()$}} (Client);
- \draw[->,orange] (Exchange) to [out=50,in=130, loop]
node[above]
- {\orange{$\footnotesize \Compare()$}}
(Exchange);
+\section{Offline payments}
- \draw[orange,|->] (Client) to
node[sloped,above,align=left]
- {\orange{\tiny
\uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange);
- \end{tikzpicture}
- \end{center}
+\begin{frame}
+ \vfill
+ \begin{center}
+ {\bf Offline payments}
+ \end{center}
+ \vfill
+\end{frame}
- \column{9cm}
- Simple use of $\Derive()$ and $\Compare()$ is problematic.
- \begin{itemize}
- \item<2-> Calling $\Derive()$ iteratively generates sequence
- $(\commitment_0, \commitment_1, \dots)$ of commitments.
- \item<2-> Exchange calls $\Compare(\commitment_i,
\commitment_{i+1}, .)$
- \item[$\implies$]\uncover<3->{\bf Exchange identifies sequence}
- \item[$\implies$]\uncover<3->{\bf Unlinkability broken}
- \end{itemize}
- \end{columns}
+\begin{frame}{Requirements: Online vs. Offline Digital Currencies}
+\framesubtitle{\url{https://taler.net/papers/euro-bearer-online-2021.pdf}}
+\begin{itemize}
+ \item Offline capabilities are sometimes cited as a requirement for
digital payment solutions
+ \item All implementations must either use restrictive hardware elements
and/or introduce
+ counterparty risk.
+ \item[$\Rightarrow$] Permanent offline features weaken a digital payment
solution (privacy, security)
+ \item[$\Rightarrow$] Introduces unwarranted competition for physical cash
(endangers emergency-preparedness).
+ \end{itemize}
+ We recommend a tiered approach:
+ \begin{enumerate}
+ \item Online-first, bearer-based digital currency with Taler
+ \item (Optional:) Limited offline mode for network outages
+ \item Physical cash for emergencies (power outage, catastrophic cyber
incidents)
+ \end{enumerate}
\end{frame}
-\begin{frame}{Achieving Unlinkability}
- Define cut\&choose protocol \orange{$\DeriveCompare$},
- using $\Derive()$ and $\Compare()$.\\[0.5em]
- \uncover<2->{
- Sketch:
- \small
- \begin{enumerate}
- \item $\Child$ derives commitments
$(\commitment_1,\dots,\commitment_\kappa)$
- from $\commitment_0$ \\
- by calling $\Derive()$ with blindings
$(\beta_1,\dots,\beta_\kappa)$
- \item $\Child$ calculates $h_0:=H\left(H(\commitment_1,
\beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$
- \item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$
- \item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$
randomly
- \item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma,
\beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma,
\beta_\gamma)$
- \item $\Exchange$ compares $h_0$ and
- $H\left(H(\commitment_1,
\beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\
- and evaluates $\Compare(\commitment_0, \commitment_i,
\beta_i)$.
- \end{enumerate}
- \vfill
- Note: Scheme is similar to the {\it refresh} protocol in GNU Taler.
- }
+
+\begin{frame}{Fully Offline Payments {\bf (WiP)}}
+\framesubtitle{\url{https://docs.taler.net/design-documents/030-offline-payments.html}}
+Many central banks today demand offline capabilities for digital payment
solutions.
+\vfill
+\noindent
+Three possible approaches:
+\begin{enumerate}
+ \item Trust-based offline payments (has counterparty and/or privacy risks)
+ \item Full HSM Taler wallet (has hardware costs)
+ \item Light-weight HSM balance register
+\end{enumerate}
+\vfill
\end{frame}
-\begin{frame}{Achieving Unlinkability}
- With \orange{$\DeriveCompare$}
- \begin{itemize}
- \item $\Exchange$ learns nothing about $\commitment_\gamma$,
- \item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty,
- \item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat.
- \end{itemize}
- \vfill
- Note: Still need Derive and Compare to be defined.
+
+\begin{frame}{A Scenario}
+{God is offline, but customer pays online}
+\begin{center}
+ \includegraphics[height=0.4\textwidth]{shrine.jpg}
+\end{center}
\end{frame}
-\begin{frame}{Refined scheme}
+\begin{frame}{Typical Payment Process}{All equivalent: Twint, PayPal, AliPay,
PayTM}
+\begin{center}
+ \movie[%scale=0.6,
+ autostart,
+ poster]
+ {
+
\includegraphics[height=0.3\textwidth,width=0.4\textwidth]{white.png}
+ }
+ {twint.mkv}
- \begin{tikzpicture}[scale=.8]
- \node[circle,minimum size=25pt,fill=black!15] at ( 0:0)
(Client) {$\Child$};
- \node[circle,minimum size=25pt,fill=black!15] at ( 60:5)
(Exchange) {$\Exchange$};
- \node[circle,minimum size=25pt,fill=black!15] at ( 0:5)
(Merchant) {$\Merchant$};
- \node[circle,minimum size=25pt,fill=blue!15] at (130:3)
(Guardian) {$\Guardian$};
+ {\tiny (C) Twint, 2023}
+\end{center}
+\end{frame}
- \draw[orange,<->] (Client) to node[sloped,below,align=center]
- {\orange{$\DeriveCompare$}} (Exchange);
- \draw[blue,->] (Client) to node[sloped, below]
- {\blue{$(\attest_\minage, \commitment)$}} (Merchant);
- \draw[->] (Guardian) to [out=150,in=70, loop] node[above]
- {$\Commit(\age)$} (Guardian);
- \draw[->] (Guardian) to node[below,sloped]
- {($\commitment$, $\pruf_\age$)} (Client);
- \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below]
- {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}}
(Client);
- \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
- {\blue{$\Verify(\minage, \commitment,
\attest_{\minage})$}} (Merchant);
- \end{tikzpicture}
+\begin{frame}{Secure Payment ...}{Everything green?}
+\begin{center}
+ \includegraphics[height=0.3\textwidth]{paymentTwint-screen_25.png}
+\end{center}
\end{frame}
-% \begin{frame}{Achieving Unlinkability}
-% \scriptsize
-% $\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\
-% \vfill
-% $\DeriveCompare(\commitment, \pruf, \omega) =$
-% \begin{itemize}
-% \it
-% \itemsep0.5em
-% \item[$\Child$:]
-% \begin{enumerate}
-% \scriptsize
-% \itemsep0.3em
-% \item for all $i \in \{1,\dots,\kappa\}:
-% (\commitment_i,\pruf_i,\beta_i) \leftarrow
\Derive(\commitment, \pruf, \omega + i)$
-% \item $h \leftarrow
\Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa)
\big)$
-% \item send $(\commitment, h)$ to $\Exchange$
-% \end{enumerate}
-% \item[$\Exchange$:]
-% \begin{enumerate}
-% \setcounter{enumi}{4}
-% \scriptsize
-% \itemsep0.3em
-% \item save $(\commitment, h)$ \label{st:hash}
-% \item $\gamma \drawfrom \{1,\dots ,\kappa\}$
-% \item send $\gamma$ to $\Child$
-% \end{enumerate}
-% \item[$\Child$:]
-% \begin{enumerate}
-% \setcounter{enumi}{7}
-%
-% \scriptsize
-% \itemsep0.3em
-% \item $h'_\gamma \leftarrow \Hash(\commitment_\gamma,
\beta_\gamma)$
-% \item $\mathbf{E}_\gamma \leftarrow
\big[(\commitment_1,\beta_1),\dots,
-% (\commitment_{\gamma-1}, \beta_{\gamma-1}),
-% \Nil,
-% (\commitment_{\gamma+1}, \beta_{\gamma+1}),
-% \dots,(\commitment_\kappa, \beta_\kappa)\big]$
-% \item send $(\mathbf{E}_\gamma, h'_\gamma)$ to
$\Exchange$
-% \end{enumerate}
-% \item[$\Exchange$:]
-% \begin{enumerate}
-% \setcounter{enumi}{10}
-% \scriptsize
-% \itemsep0.3em
-% \item for all $i \in
\{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow
\Hash(\mathbf{E}_\gamma[i])$
-% \item if $h \stackrel{?}{\neq}
\HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$
return 0
-% \item for all $i \in
\{1,\dots,\kappa\}\setminus\{\gamma\}$:
-% if $0 \stackrel{?}{=}
\Compare(\commitment,\commitment_i, \beta_i)$ return $0$
-% \item return 1
-% \end{enumerate}
-% \end{itemize}
-% \end{frame}
+\begin{frame}{Exploit ``Code''}{Programming optional}
+\begin{center}
+ \includegraphics[height=0.3\textwidth]{paymentTwint-screen.png}
+\end{center}
+\end{frame}
-\begin{frame}{Basic Requirements}
+\begin{frame}{``Customers'' {\em love} Twint ...}{Daily non-business for shops}
+\begin{center}
+ \includegraphics[height=0.3\textwidth]{paymentTwint-screen_50.png}
+\end{center}
+\end{frame}
- Candidate functions
- \[ (\Commit, \Attest, \Verify, \Derive, \Compare) \]
- must first meet \textit{basic} requirements:
- \begin{itemize}
- \item Existence of attestations
- \item Efficacy of attestations
- \item Derivability of commitments and attestations
- \end{itemize}
+\begin{frame}{Partially Offline Payments with GNU Taler\footnote{Joint work
with Emmanuel Benoist, Priscilla Huang and Sebastian Marchano}}
+
+\begin{center}
+\resizebox{8cm}{7cm}{
+\begin{sequencediagram}
+ \newinst{pos}{\shortstack{PoS \\
+ \\ \begin{tikzpicture}
+ \node [fill=gray!20,draw=black,thick ,align=center] {PoS key \\ PoS
ID};
+ \end{tikzpicture}
+ }}
+ \newinst[2]{customer}{\shortstack{Customer \\
+ \\ \begin{tikzpicture}
+ \node [fill=gray!20,draw=black,thick ,align=center] {Digital \\
Wallet};
+ \end{tikzpicture}
+ }}
+ \newinst[2]{backend}{\shortstack{Merchant Backend \\
+ \\ \begin{tikzpicture}[shape aspect=.5]
+ \tikzset{every node/.style={cylinder, shape border rotate=90,
draw,fill=gray!25}}
+ \node at (1.5,0) {\shortstack{{\tiny PoS key} \\ {\tiny PoS ID}}};
+ \end{tikzpicture}
+ }}
+ \postlevel
+ \mess[0]{pos}{PoS ID}{customer}
+ \begin{sdblock}{optional}{}
+ \begin{callself}{customer}{Amount}{}
+ \end{callself}
+ \end{sdblock}
+ \prelevel
+ \prelevel
+ \prelevel
+ \prelevel
+ \prelevel
+ \begin{sdblock}{optional}{}
+ \begin{callself}{pos}{Amount}{}
+ \end{callself}
+ \end{sdblock}
+ \postlevel
+ \mess[0]{customer}{PoS ID, [Amount]?}{backend}
+ \mess[0]{backend}{Contract}{customer}
+ \postlevel
+ \mess[0]{customer}{Payment}{backend}
+ \begin{callself}{pos}{OTP(PoS key)}{}
+ \end{callself}
+ \prelevel
+ \prelevel
+ \begin{callself}{backend}{OTP(PoS key)}{}
+ \end{callself}
+ \mess[0]{backend}{OTP code}{customer}
+ \postlevel
+ \mess[0]{customer}{OTP code}{pos}
+\end{sequencediagram}
+}
+\end{center}
\end{frame}
-\begin{frame}{Basic Requirements}
- \framesubtitle{Formal Details}
- \begin{description}
- \item[Existence of attestations]
- {\scriptsize
- \begin{align*}
- \Forall_{\age\in\N_\Age \atop \omega \in
\Omega}:
- \Commit(\age, \omega) =: (\commitment, \pruf)
- \implies
- \Attest(\minage, \commitment, \pruf) =
- \begin{cases}
- \attest \in \Attests, \text{ if }
\minage \leq \age\\
- \Nil \text{ otherwise}
- \end{cases}
- \end{align*}}
- \item[Efficacy of attestations]
- {\scriptsize
- \begin{align*}
- \Verify(\minage, \commitment, \attest) = \
- \begin{cases}
- 1, \text{if } \Exists_{\pruf \in
\Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\
- 0 \text{ otherwise}
- \end{cases}
- \end{align*}}
- {\scriptsize
- \begin{align*}
- \forall_{n \leq \age}: \Verify\big(n,
\commitment, \Attest(n, \commitment, \pruf)\big) = 1.
- \end{align*}}
- \item[etc.]
- \end{description}
+\section{Programmable money: Age restrictions}
+
+\begin{frame}
+ \vfill
+ \begin{center}
+ {\bf Programmable money: Age restrictions}
+ \end{center}
+ \vfill
\end{frame}
-%\begin{frame}{Requirements}
-% \framesubtitle{Details}
-%
-% \begin{description}
-% \item[Derivability of commitments and proofs:]~\\[0.1em]
-% {\scriptsize
-% Let \begin{align*}
-% \age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\
-% (\commitment_0, \pruf_0) & \leftarrow \Commit(\age,
\omega_0),\\
-% (\commitment_1, \pruf_1, \blinding) & \leftarrow
\Derive(\commitment_0, \pruf_0, \omega_1).
-% \end{align*}
-% We require
-% \begin{align*}
-% \Compare(\commitment_0, \commitment_1, \blinding) = 1
\label{req:comparity}
-% \end{align*}
-% and for all $n\leq\age$:
-% \begin{align*}
-% \Verify(n, \commitment_1, \Attest(n,
\commitment_1, \pruf_1)) &%
-% =
-% \Verify(n, \commitment_0, \Attest(n,
\commitment_0, \pruf_0))
-% \end{align*}}
-% \end{description}
-%\end{frame}
-\begin{frame}{Security Requirements}
- Candidate functions must also meet \textit{security} requirements.
- Those are defined via security games:
- \begin{itemize}
- \item Game: Age disclosure by commitment or attestation
- \item[$\leftrightarrow$] Requirement: Non-disclosure of age
- \vfill
+\begin{frame}{Age restriction in E-commerce}
- \item Game: Forging attestation
- \item[$\leftrightarrow$] Requirement: Unforgeability of
- minimum age
- \vfill
+ \begin{description}
+ \item[Problem:]~\\[1em]
+ Verification of minimum age requirements in
e-commerce.\\[2em]
- \item Game: Distinguishing derived commitments and attestations
- \item[$\leftrightarrow$] Requirement: Unlinkability of
- commitments and attestations
+ \item[Common solutions:]
- \end{itemize}
- \vfill
+\begin{tabular}{l<{\onslide<2->}c<{\onslide<3->}cr<{\onslide}}
+ & \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}&
\\[\medskipamount]
+ 1. ID Verification & bad & required & \\[\medskipamount]
+ 2. Restricted Accounts & bad & required & \\[\medskipamount]
+ 3. Attribute-based & good & required &\tikzmark{bottomau}
\\[\medskipamount]
+\end{tabular}
+ \end{description}
- Meeting the security requirements means that adversaries can win
- those games only with negligible advantage.
- \vfill
- Adversaries are arbitrary polynomial-time algorithms, acting on all
- relevant input.
+\uncover<4->{
+ \begin{tikzpicture}[overlay,remember picture]
+ \draw[orange,thick,rounded corners]
+ ($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau)
-(0.3, 0.2)$);
+ \end{tikzpicture}
+ \begin{center}
+ \bf Principle of Subsidiarity is violated
+ \end{center}
+}
\end{frame}
-\begin{frame}{Security Requirements}
- \framesubtitle{Simplified Example}
- \begin{description}
- \item[Game $\Game{FA}(\lambda)$---Forging an attest:]~\\
- {\small
- \begin{enumerate}
- \item $ (\age, \omega) \drawfrom \N_{\Age-1}\times\Omega
$
- \item $ (\commitment, \pruf) \leftarrow \Commit(\age,
\omega) $
- \item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment,
\pruf)$
- \item Return 0 if $\minage \leq \age$
- \item Return $\Verify(\minage,\commitment,\attest)$
- \end{enumerate}
- }
- \vfill
- \item[Requirement: Unforgeability of minimum age]
- {\small
- \begin{equation*}
- \Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to
\N_\Age\times\Attests)}:
- \Probability\Big[\Game{FA}(\lambda) = 1\Big] \le \negl(\lambda)
- \end{equation*}
- }
- \end{description}
+\begin{frame}{Principle of Subsidiarity}
+\begin{center} \Large
+ Functions of government---such as granting and restricting
+ rights---should be performed\\
+ {\it at the lowest level of authority possible},\\
+ as long as they can be performed {\it adequately}.
+\end{center}
+\vfill
+\uncover<2->{
+ For age-restriction, the lowest level of authority is:\\
+ \begin{center}\Large
+ Parents, guardians and caretakers
+ \end{center}
+}
\end{frame}
-\begin{frame}{Solution: Instantiation with ECDSA}
-% \framesubtitle{Definition of Commit}
+\begin{frame}{Age restriction design for GNU Taler}
+Design and implementation of an age restriction scheme\\
+with the following goals:
- \begin{description}
- \item[To Commit to age (group) $\age \in \{1,\dots,\Age\}$]~\\
- \begin{enumerate}
- \item<2-> Guardian generates ECDSA-keypairs, one per
age (group):
- \[\langle(q_1,
p_1),\dots,(q_\Age,p_\Age)\rangle\]
- \item<3-> Guardian then \textbf{drops} all private keys
- $p_i$ for $i > \age$:
- \[\Big \langle(q_1, p_1),\dots,
- (q_\age, p_\age),
- (q_{\age +1}, \red{\Nil}),\dots,
- (q_\Age, \red{\Nil})\Big\rangle\]
+\begin{enumerate}
+\item It ties age restriction to the \textbf{ability to pay} (not to ID's)
+\item maintains \textbf{anonymity of buyers}
+\item maintains \textbf{unlinkability of transactions}
+\item aligns with \textbf{principle of subsidiartiy}
+\item is \textbf{practical and efficient}
+\end{enumerate}
- \begin{itemize}
- \item $\Vcommitment := (q_1, \dots,
q_\Age)$ is the \textit{Commitment},
- \item $\Vpruf_\age := (p_1, \dots,
p_\age, \Nil,\dots,\Nil)$ is the \textit{Proof}
- \end{itemize}
- \vfill
- \item<4-> Guardian gives child $\langle \Vcommitment,
\Vpruf_\age \rangle$
- \vfill
- \end{enumerate}
- \end{description}
\end{frame}
-\begin{frame}{Instantiation with ECDSA}
- \framesubtitle{Definitions of Attest and Verify}
- Child has
+\begin{frame}{Age restriction}
+ \framesubtitle{Assumptions and scenario}
+
+ \begin{columns}
+ \column{7.5cm}
\begin{itemize}
- \item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age)
$,
- \item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil,
\dots, \Nil)$.
+ \item<1-> Assumption: Checking accounts are under control of
eligible adults/guardians.
+ \item<2-> \textit{Guardians} \textbf{commit} to an maximum age
+ \item<3-> \textit{Minors} \textbf{attest} their adequate age
+ \item<4-> \textit{Merchants} \textbf{verify} the attestations
+ \item<5-> Minors \textbf{derive} age commitments from existing
ones
+ \item<6-> \textit{Exchanges} \textbf{compare} the derived age
commitments
\end{itemize}
- \begin{description}
- \item<2->[To \blue{Attest} a minimum age $\blue{\minage} \leq
\age$:]~\\
- Sign a message with ECDSA using private key
$p_\blue{\minage}$
- \end{description}
+ \column{5cm}
+ \uncover<7->
+ {
+ \begin{center}
+ \fontsize{7pt}{7pt}\selectfont
+ \begin{tikzpicture}[scale=.5]
+ \node[circle,minimum size=15pt,fill=black!15] at ( 60:4)
(Exchange) {$\Exchange$};
+ \node[circle,minimum size=15pt,fill=black!15] at ( 0:0)
(Client) {$\Child$};
+ \node[circle,minimum size=15pt,fill=black!15] at ( 0:4)
(Merchant) {$\Merchant$};
+ \node[circle,minimum size=15pt,fill=blue!15] at (140:3)
(Guardian) {$\Guardian$};
- \vfill
+ \draw[->] (Guardian) to [out=50,in=130, loop] node[above]
+ {$\Commit$} (Guardian);
+ \draw[->,blue] (Client) to [out=-125,in=-190, loop]
node[below,left]
+ {\blue{$\Attest$}} (Client);
+ \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
+ {\blue{$\Verify$}} (Merchant);
+ \draw[->,orange] (Client) to [out=-35,in=-100, loop]
node[below]
+ {\orange{$\Derive$}} (Client);
+ \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
+ {\orange{$\Compare$}} (Exchange);
- \uncover<3->{
- Merchant gets
- \begin{itemize}
- \item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $
- \item Signature $\sigma$
- \end{itemize}
- \begin{description}
- \item<4->[To \blue{Verify} a minimum age $\minage$:]~\\
- Verify the ECDSA-Signature $\sigma$ with public key
$q_\minage$.
- \end{description}
- }
+ \draw[orange,|->] (Client) to node[sloped,above,align=left]
+ {\orange{\scriptsize }} (Exchange);
+ \draw[blue,|->] (Client) to node[sloped, above]
+ {\blue{\scriptsize }} (Merchant);
+ \draw[,|->] (Guardian) to node[above,sloped,align=left]
+ {{\scriptsize }} (Client);
+ \end{tikzpicture}
+ \end{center}
+ }
+ \end{columns}
\vfill
+ \uncover<7->{Note: Scheme is independent of payment service protocol.}
\end{frame}
-\begin{frame}{Instantiation with ECDSA}
- \framesubtitle{Definitions of Derive and Compare}
- Child has
- $\Vcommitment = (q_1, \dots, q_\Age) $ and
- $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
- \begin{description}
- \item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:]
- Choose random $\beta\in\Z_g$ and calculate
- \small
- \begin{align*}
- \Vcommitment' &:= \big(\beta * q_1,\ldots,\beta
* q_\Age\big),\\
- \Vpruf' &:= \big(\beta p_1,\ldots,\beta
p_\age,\Nil,\ldots,\Nil\big)
- \end{align*}
- Note: $ (\beta p_i)*G = \beta*(p_i*G) = \beta*q_i$\\
- \scriptsize $\beta*q_i$ is scalar multiplication on the
elliptic curve.
- \end{description}
- \vfill
+\begin{frame}{Formal Function Signatures}
+\small
+Searching for functions \uncover<2->{with the following signatures}
+\begin{align*}
+ &\bf \Commit\uncover<2->{:
+ &(\age, \omega) &\mapsto (\commitment, \pruf)
+ &\scriptstyle \N_\Age \times \Omega &\scriptstyle \to
\Commitments\times\Proofs,
+ }
+ \\
+ &\bf \Attest\uncover<3->{:
+ &(\minage, \commitment, \pruf) &\mapsto \attest
+ &\scriptstyle \N_\Age\times\Commitments\times\Proofs
&\scriptstyle \to \Attests \cup \{\Nil\},
+ }
+ \\
+ &\bf \Verify\uncover<4->{:
+ &(\minage, \commitment, \attest) &\mapsto b
+ &\scriptstyle \N_\Age\times\Commitments\times\Attests
&\scriptstyle \to \Z_2,
+ }
+ \\
+ &\bf \Derive\uncover<5->{:
+ &(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf',
\blinding)
+ &\scriptstyle \Commitments\times\Proofs\times\Omega
&\scriptstyle \to \Commitments\times\Proofs\times\Blindings,
+ }
+ \\
+ &\bf \Compare\uncover<6->{:
+ &(\commitment, \commitment', \blinding) &\mapsto b
+ &\scriptstyle \Commitments\times\Commitments\times\Blindings
&\scriptstyle \to \Z_2,
+ }
+\end{align*}
+ \uncover<7->{
+ with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$
+ sufficiently large sets.\\[1em]
+ Basic and security requirements are defined later.\\[2em]
+ }
+
+ \scriptsize
+ \uncover<2->{
+ Mnemonics:\\
+ $\Commitments=$ \textit{c$\Commitments$mmitments},
+ $\commitment=$ \textit{Q-mitment} (commitment),
+ $\Proofs=$ \textit{$\Proofs$roofs},
+ }
\uncover<3->{
- Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$,
$\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$
- \begin{description}
- \item[To \blue{Compare}, calculate:]
- \small
- $(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=}
(q'_1,\ldots, q'_\Age)$
- \end{description}
- \vfill
+ $\pruf=$ \textit{$\pruf$roof},\\
+ $\Attests=$ \textit{a$\Attests$testations},
+ $\attest=$ \textit{a$\attest$testation},
+ }
+ \uncover<5->{
+ $\Blindings=$ \textit{$\Blindings$lindings},
+ $\blinding=$ \textit{$\blinding$linding}.
}
\end{frame}
-\begin{frame}{Instantiation with ECDSA}
+\begin{frame}{Age restriction}
+ \framesubtitle{Naïve scheme}
+ \begin{center}
+ \begin{tikzpicture}[scale=.85]
+ \node[circle,minimum size=20pt,fill=black!15] at ( 60:4)
(Exchange) {$\Exchange$};
+ \node[circle,minimum size=20pt,fill=black!15] at ( 0:0)
(Client) {$\Child$};
+ \node[circle,minimum size=20pt,fill=black!15] at ( 0:4)
(Merchant) {$\Merchant$};
+ \node[circle,minimum size=20pt,fill=blue!15] at (140:3)
(Guardian) {$\Guardian$};
- Functions
- (Commit, Attest, Verify, Derive, Compare)\\
- as defined in the instantiation with ECDSA\\[0.5em]
- \begin{itemize}
- \item meet the basic requirements,\\[0.5em]
- \item also meet all security requirements.\\
- Proofs by security reduction, details are in the paper.
- \end{itemize}
+ \draw[->] (Guardian) to [out=50,in=130, loop] node[above]
+ {$\Commit$} (Guardian);
+ \draw[->,blue] (Client) to [out=-125,in=-190, loop]
node[below,left]
+ {\blue{$\Attest$}} (Client);
+ \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
+ {\blue{$\Verify$}} (Merchant);
+ \draw[->,orange] (Client) to [out=-35,in=-100, loop]
node[below]
+ {\orange{$\Derive$}} (Client);
+ \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
+ {\orange{$\Compare$}} (Exchange);
+ \draw[orange,|->] (Client) to node[sloped,above,align=left]
+ {\orange{\scriptsize }} (Exchange);
+ \draw[blue,|->] (Client) to node[sloped, above]
+ {\blue{\scriptsize }} (Merchant);
+ \draw[,|->] (Guardian) to node[above,sloped,align=left]
+ {{\scriptsize }} (Client);
+ \end{tikzpicture}
+ \end{center}
\end{frame}
+\begin{frame}{Achieving Unlinkability}
+ \begin{columns}
+ \column{3cm}
+ \begin{center}
+ \fontsize{8pt}{9pt}\selectfont
+ \begin{tikzpicture}[scale=.65]
+ \node[circle,minimum size=20pt,fill=black!15] at (
60:4) (Exchange) {$\Exchange$};
+ \node[circle,minimum size=20pt,fill=black!15] at (
0:0) (Client) {$\Child$};
-% \begin{frame}{Instantiation with ECDSA}
-% \framesubtitle{Full definitions}
-% \scriptsize
-%
-% \begin{align*}
-% \Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle
-% \overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\;
-% \overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf
\text{, length }\Age}
-% \Big\rangle\\
-% \Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:=
-% \begin{cases}
-% \attest_\bage :=
\Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage]
\stackrel{?}{\neq} \Nil\\
-% \Nil & \text{otherwise}
-% \end{cases}\\
-% %
-% \Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:=
\Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\
-% %
-% \Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:=
-% \Big\langle(\beta * q_1,\ldots,\beta * q_\Age),
-% (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta
\Big\rangle \\
-% & \text{ with } \beta := \FDHg{\omega} \text{ and
multiplication } \beta p_i \text{ modulo } g \nonumber\\
-% %
-% \Compare_E(\Vcommitment, \Vcommitment', \beta) &:=
-% \begin{cases}
-% 1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age)
\stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\
-% 0 & \text{otherwise}
-% \end{cases}
-% \end{align*}
-% \end{frame}
-
+ \draw[->,orange] (Client) to [out=-35,in=-100, loop]
node[below]
+ {\orange{$\footnotesize \Derive()$}} (Client);
+ \draw[->,orange] (Exchange) to [out=50,in=130, loop]
node[above]
+ {\orange{$\footnotesize \Compare()$}}
(Exchange);
-\begin{frame}{Reminder: GNU Taler Fundamentals}
- \begin{center}
- \begin{tikzpicture}[scale=.55]
- \node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$};
- \node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$};
- \node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$};
+ \draw[orange,|->] (Client) to
node[sloped,above,align=left]
+ {\orange{\tiny
\uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange);
+ \end{tikzpicture}
+ \end{center}
- \draw[<->] (Customer) to [out=65,in=220] node[sloped,above]
{\sf withdraw} (Exchange);
- \draw[<->] (Customer) to [out=45,in=240] node[sloped,below]
{\sf refresh} (Exchange);
- \draw[<->] (Customer) to node[sloped, below] {\sf purchase}
(Merchant);
- \draw[<->] (Merchant) to node[sloped, above] {\sf deposit}
(Exchange);
- \end{tikzpicture}
- \end{center}
+ \column{9cm}
+ Simple use of $\Derive()$ and $\Compare()$ is problematic.
- \vfill
\begin{itemize}
- \item Coins are public-/private key-pairs $(C_p, c_s)$.
- \item Exchange blindly signs $\FDH(C_p)$ with denomination key
$d_p$
- \item Verification:
- \begin{eqnarray*}
- 1 &\stackrel{?}{=}&
- \mathsf{SigCheck}\big(\FDH(C_p), D_p, \sigma_p\big)
- \end{eqnarray*}
- \scriptsize($D_p$ = public key of denomination and $\sigma_p$ =
signature)
-
+ \item<2-> Calling $\Derive()$ iteratively generates sequence
+ $(\commitment_0, \commitment_1, \dots)$ of commitments.
+ \item<2-> Exchange calls $\Compare(\commitment_i,
\commitment_{i+1}, .)$
+ \item[$\implies$]\uncover<3->{\bf Exchange identifies sequence}
+ \item[$\implies$]\uncover<3->{\bf Unlinkability broken}
\end{itemize}
+ \end{columns}
\end{frame}
-\begin{frame}{Integration with GNU Taler}
- \framesubtitle{Binding age restriction to coins}
-
- To bind an age commitment $\commitment$ to a coin $C_p$, instead of
- signing $\FDH(C_p)$, $\Exchange$ now blindly signs
- \begin{center}
- $\FDH(C_p, \orange{H(\commitment)})$
- \end{center}
-
+\begin{frame}{Achieving Unlinkability}
+ Define cut\&choose protocol \orange{$\DeriveCompare$},
+ using $\Derive()$ and $\Compare()$.\\[0.5em]
+ \uncover<2->{
+ Sketch:
+ \small
+ \begin{enumerate}
+ \item $\Child$ derives commitments
$(\commitment_1,\dots,\commitment_\kappa)$
+ from $\commitment_0$ \\
+ by calling $\Derive()$ with blindings
$(\beta_1,\dots,\beta_\kappa)$
+ \item $\Child$ calculates $h_0:=H\left(H(\commitment_1,
\beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$
+ \item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$
+ \item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$
randomly
+ \item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma,
\beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma,
\beta_\gamma)$
+ \item $\Exchange$ compares $h_0$ and
+ $H\left(H(\commitment_1,
\beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\
+ and evaluates $\Compare(\commitment_0, \commitment_i,
\beta_i)$.
+ \end{enumerate}
\vfill
- Verfication of a coin now requires $H(\commitment)$, too:
- \begin{center}
- $1 \stackrel{?}{=}
- \mathsf{SigCheck}\big(\FDH(C_p, \orange{H(\commitment)}), D_p,
\sigma_p\big)$
- \end{center}
+ Note: Scheme is similar to the {\it refresh} protocol in GNU Taler.
+ }
+\end{frame}
+
+\begin{frame}{Achieving Unlinkability}
+ With \orange{$\DeriveCompare$}
+ \begin{itemize}
+ \item $\Exchange$ learns nothing about $\commitment_\gamma$,
+ \item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty,
+ \item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat.
+ \end{itemize}
\vfill
+ Note: Still need Derive and Compare to be defined.
\end{frame}
-\begin{frame}{Integration with GNU Taler}
- \framesubtitle{Integrated schemes}
- \fontsize{8pt}{9pt}\selectfont
- \begin{tikzpicture}[scale=.9]
+\begin{frame}{Refined scheme}
+
+ \begin{tikzpicture}[scale=.8]
\node[circle,minimum size=25pt,fill=black!15] at ( 0:0)
(Client) {$\Child$};
\node[circle,minimum size=25pt,fill=black!15] at ( 60:5)
(Exchange) {$\Exchange$};
\node[circle,minimum size=25pt,fill=black!15] at ( 0:5)
(Merchant) {$\Merchant$};
\node[circle,minimum size=25pt,fill=blue!15] at (130:3)
(Guardian) {$\Guardian$};
- \draw[<->] (Guardian) to node[sloped,above,align=center]
- {{\sf withdraw}\orange{, using}\\ $\FDH(C_p\orange{,
H(\commitment)})$} (Exchange);
- \draw[<->] (Client) to node[sloped,below,align=center]
- {{\sf refresh} \orange{ + }\\
\orange{$\DeriveCompare$}} (Exchange);
- \draw[<->] (Client) to node[sloped, below]
- {{\sf purchase} \blue{+ $(\attest_\minage,
\commitment)$}} (Merchant);
- \draw[<->] (Merchant) to node[sloped, above]
- {{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange);
+ \draw[orange,<->] (Client) to node[sloped,below,align=center]
+ {\orange{$\DeriveCompare$}} (Exchange);
+ \draw[blue,->] (Client) to node[sloped, below]
+ {\blue{$(\attest_\minage, \commitment)$}} (Merchant);
- \draw[->] (Guardian) to [out=70,in=150, loop] node[above]
+ \draw[->] (Guardian) to [out=150,in=70, loop] node[above]
{$\Commit(\age)$} (Guardian);
\draw[->] (Guardian) to node[below,sloped]
{($\commitment$, $\pruf_\age$)} (Client);
@@ -2292,565 +2591,528 @@ Searching for functions \uncover<2->{with the
following signatures}
\end{tikzpicture}
\end{frame}
-\begin{frame}{Instantiation with Edx25519}
- Paper also formally defines another signature scheme: Edx25519.\\[1em]
-
- \begin{itemize}
- \item Scheme already in use in GNUnet,
- \item based on EdDSA (Bernstein et al.),
- \item generates compatible signatures and
- \item allows for key derivation from both, private and public
keys, independently.
- \end{itemize}~\\[1em]
-
- Current implementation of age restriction in GNU Taler uses Edx25519.
-\end{frame}
-
-
-\begin{frame}{Discussion}
- \begin{itemize}
- \item Our solution can in principle be used with any
token-based payment scheme
- \item GNU Taler best aligned with our design goals (security,
privacy and efficiency)
- \item Subsidiarity requires bank accounts being owned by adults
- \begin{itemize}
- \item Scheme can be adapted to case where minors have
bank accounts
- \begin{itemize}
- \item Assumption: banks provide minimum
age
- information during bank
- transactions.
- \item Child and Exchange execute a
variant of
- the cut\&choose protocol.
- \end{itemize}
- \end{itemize}
- \item Our scheme offers an alternative to identity management
systems (IMS)
- \end{itemize}
-\end{frame}
-\begin{frame}{Related Work}
- \begin{itemize}
- \item Current privacy-perserving systems all based on
attribute-based credentials (Koning et al., Schanzenbach et al., Camenisch et
al., Au et al.)
- \item Attribute-based approach lacks support:
- \begin{itemize}
- \item Complex for consumers and retailers
- \item Requires trusted third authority
- \end{itemize}
- \vfill
- \item Other approaches tie age-restriction to ability to pay
("debit cards for kids")
- \begin{itemize}
- \item Advantage: mandatory to payment process
- \item Not privacy friendly
- \end{itemize}
- \end{itemize}
-\end{frame}
+ \begin{frame}{Achieving Unlinkability}
+ \scriptsize
+ $\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\
+ \vfill
+ $\DeriveCompare(\commitment, \pruf, \omega) =$
+ \begin{itemize}
+ \it
+ \itemsep0.5em
+ \item[$\Child$:]
+ \begin{enumerate}
+ \scriptsize
+ \itemsep0.3em
+ \item for all $i \in \{1,\dots,\kappa\}:
+ (\commitment_i,\pruf_i,\beta_i) \leftarrow
\Derive(\commitment, \pruf, \omega + i)$
+ \item $h \leftarrow
\Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa)
\big)$
+ \item send $(\commitment, h)$ to $\Exchange$
+ \end{enumerate}
+ \item[$\Exchange$:]
+ \begin{enumerate}
+ \setcounter{enumi}{4}
+ \scriptsize
+ \itemsep0.3em
+ \item save $(\commitment, h)$ \label{st:hash}
+ \item $\gamma \drawfrom \{1,\dots ,\kappa\}$
+ \item send $\gamma$ to $\Child$
+ \end{enumerate}
+ \item[$\Child$:]
+ \begin{enumerate}
+ \setcounter{enumi}{7}
+
+ \scriptsize
+ \itemsep0.3em
+ \item $h'_\gamma \leftarrow \Hash(\commitment_\gamma,
\beta_\gamma)$
+ \item $\mathbf{E}_\gamma \leftarrow
\big[(\commitment_1,\beta_1),\dots,
+ (\commitment_{\gamma-1}, \beta_{\gamma-1}),
+ \Nil,
+ (\commitment_{\gamma+1}, \beta_{\gamma+1}),
+ \dots,(\commitment_\kappa, \beta_\kappa)\big]$
+ \item send $(\mathbf{E}_\gamma, h'_\gamma)$ to
$\Exchange$
+ \end{enumerate}
+ \item[$\Exchange$:]
+ \begin{enumerate}
+ \setcounter{enumi}{10}
+ \scriptsize
+ \itemsep0.3em
+ \item for all $i \in
\{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow
\Hash(\mathbf{E}_\gamma[i])$
+ \item if $h \stackrel{?}{\neq}
\HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$
return 0
+ \item for all $i \in
\{1,\dots,\kappa\}\setminus\{\gamma\}$:
+ if $0 \stackrel{?}{=}
\Compare(\commitment,\commitment_i, \beta_i)$ return $0$
+ \item return 1
+ \end{enumerate}
+ \end{itemize}
+ \end{frame}
-\begin{frame}{Conclusion}
- Age restriction is a technical, ethical and legal challenge.
+\begin{frame}{Basic Requirements}
- Existing solutions are
- \begin{itemize}
- \item without strong protection of privacy or
- \item based on identity management systems (IMS)
- \end{itemize}
- \vfill
+ Candidate functions
+ \[ (\Commit, \Attest, \Verify, \Derive, \Compare) \]
+ must first meet \textit{basic} requirements:
- Our scheme offers a solution that is
\begin{itemize}
- \item based on subsidiarity
- \item privacy preserving
- \item efficient
- \item an alternative to IMS
+ \item Existence of attestations
+ \item Efficacy of attestations
+ \item Derivability of commitments and attestations
\end{itemize}
\end{frame}
+\begin{frame}{Basic Requirements}
+ \framesubtitle{Formal Details}
-\section{Software architecture}
-
-\begin{frame}
- \vfill
- \begin{center}
- {\bf Software architecture}
- \end{center}
- \vfill
-\end{frame}
-
-
-\begin{frame}{The Taler Software Ecosystem}
- \framesubtitle{\url{https://taler.net/en/docs.html}}
- Taler is based on modular components that work together to provide a
- complete payment system:
- \vfill
- \begin{itemize}
- \item {\bf Exchange:} Service provider for digital cash
- \begin{itemize}
- \item Core exchange software (cryptography, database)
- \item Air-gapped key management, real-time {\bf auditing}
- \item LibEuFin: Modular integration with banking systems
- \end{itemize}
- \item {\bf Merchant:} Integration service for existing businesses
- \begin{itemize}
- \item Core merchant backend software (cryptography, database)
- \item Back-office interface for staff
- \item Frontend integration (E-commerce, Point-of-sale)
- \end{itemize}
- \item {\bf Wallet:} Consumer-controlled applications for e-cash
- \begin{itemize}
- \item Multi-platform wallet software (for browsers \& mobile phones)
- \item Wallet backup storage providers
- \item {\bf Anastasis}: Recovery of lost wallets based on secret
splitting
- \end{itemize}
- \end{itemize}
-\end{frame}
-
-
-\begin{frame}{Taler Exchange}
- The {\bf Exchange} is the core logic of the payment system.
-
- \begin{itemize}
- \item One exchange at minimum must be operated per currency
- \item Offers a REST API for merchants and customers
- \item Uses several helper processes for configuration and to
- interact with RTGS and cryptography
- \item KYC support via OAuth 2.0, KycAID or Persona APIs
- \item AML staff can analyze transactions and freeze income
- \item Implemented in C on top of GNU libmicrohttpd
- \end{itemize}
-\end{frame}
-
-
-\begin{frame}{Taler Merchant}
- The {\bf Merchant} is the software run by merchants to accept\\
- GNU Taler payments.
-
- \begin{minipage}{6cm}
- \begin{itemize}
- \item REST API for integration with e-commerce
- \item SPA provides Web interface for administration
- \item Features include:
- \begin{itemize}
- \item Multi-tenant support
- \item Refunds
- \item Rewards (Website pays visitor)
- \item Templates (static QR codes with payment request)
- \item Webhooks
- \item Inventory management
- \end{itemize}
- \item Implemented in C on top of GNU libmicrohttpd
- \end{itemize}
- \end{minipage}
- \begin{minipage}{5cm}
- \includegraphics[width=5cm]{screenshots/merchant-spa-settings}
- \end{minipage}
-\end{frame}
-
-
-\begin{frame}{Taler Wallet}
- The {\bf Wallet} is the software run by consumers to store
- their digital cash and authorize transactions.
-
- \begin{minipage}{8cm}
- \begin{itemize}
- \item {\bf wallet-core} is the logic shared by all interfaces
- \item Applications exist for Android, F-Droid, iOS,
- WebExtension (Chrome, Chromium, Firefox, etc.)
- \item Features include:
- \begin{itemize}
- \item Multi-currency support
- \item Wallet-to-wallet payments (NFC or QR code)
- \item CRDT-like data model
- \end{itemize}
- \item {\bf wallet-core} implemented in TypeScript
- \end{itemize}
- Can be integrated into other Apps if desired.
- \end{minipage}
- \begin{minipage}{3cm}
- \includegraphics[width=3cm]{screenshots/Screenshot_20230225-103520.png}
- \end{minipage}
-\end{frame}
-
-
-\begin{frame}{Taler Auditor}
- The {\bf Auditor} is the software run by an independent auditor
- to validate the operation of an Exchange.
-
- \begin{itemize}
- \item REST API for additional report inputs by merchants (optional)
- \item Secure database replication logic
- \item Implemented in C on top of GNU libmicrohttpd
- \end{itemize}
-\end{frame}
-
-
-\begin{frame}{Pretix Taler payment plugin}
-\begin{center}
-\includegraphics[width=0.5\textwidth]{screenshots/pretix.png}
-\end{center}
-
- Pretix is a ticket sales system.
-
- \begin{itemize}
- \item Pretix payment plugin enables payments via GNU Taler
- \item Developed by Pretix.eu for \EUR{3,000} on behalf of Taler Systems SA
- \end{itemize}
-\end{frame}
-
-
-\begin{frame}{WooCommerce Taler payment plugin}
-\begin{minipage}{6cm}
- \begin{itemize}
- \item WooCommerce is an e-commerce plugin for WordPress.
- \item WooCommerce payment plugin enables payments via GNU Taler
- \item Features include:
- \begin{itemize}
- \item Trivial configuration
- \item Support for refunds
- \item Full internationalization
- \end{itemize}
- \item WooCommerce and its plugins are implemented in PHP
- \end{itemize}
-\end{minipage}
-\begin{minipage}{5cm}
- \includegraphics[width=4cm]{screenshots/woocommerce-cart.png}
- \includegraphics[width=4cm]{screenshots/woocommerce-settings.png}
- \end{minipage}
-\end{frame}
-
+ \begin{description}
+ \item[Existence of attestations]
+ {\scriptsize
+ \begin{align*}
+ \Forall_{\age\in\N_\Age \atop \omega \in
\Omega}:
+ \Commit(\age, \omega) =: (\commitment, \pruf)
+ \implies
+ \Attest(\minage, \commitment, \pruf) =
+ \begin{cases}
+ \attest \in \Attests, \text{ if }
\minage \leq \age\\
+ \Nil \text{ otherwise}
+ \end{cases}
+ \end{align*}}
+ \item[Efficacy of attestations]
+ {\scriptsize
+ \begin{align*}
+ \Verify(\minage, \commitment, \attest) = \
+ \begin{cases}
+ 1, \text{if } \Exists_{\pruf \in
\Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\
+ 0 \text{ otherwise}
+ \end{cases}
+ \end{align*}}
-\begin{frame}{Joomla! Taler payment plugin}
-\begin{minipage}{6cm}
- \begin{itemize}
- \item Joomla! is an e-commerce platform
- \item Joomla! payment plugin enables payments via GNU Taler
- \item Features include:
- \begin{itemize}
- \item Trivial configuration
- \item Support for refunds
- \item Full internationalization
- \end{itemize}
- \item Joomla! and its plugins are implemented in PHP
- \end{itemize}
-\end{minipage}
-% FIXME: add screenshots
-%\begin{minipage}{5cm}
-% \includegraphics[width=4cm]{screenshots/woocommerce-cart.png}
-% \includegraphics[width=4cm]{screenshots/woocommerce-settings.png}
-% \end{minipage}
+ {\scriptsize
+ \begin{align*}
+ \forall_{n \leq \age}: \Verify\big(n,
\commitment, \Attest(n, \commitment, \pruf)\big) = 1.
+ \end{align*}}
+ \item[etc.]
+ \end{description}
\end{frame}
+\begin{frame}{Requirements}
+ \framesubtitle{Details}
-\begin{frame}{Point-of-Sale App for Android}
-
-\begin{minipage}{7cm}
- \begin{itemize}
- \item Allows merchant to generate orders against Taler backend
- and display QR code to enable customer to pay in person
- \item Patterned after ViewTouch restaurant UI
- \item Features include:
- \begin{itemize}
- \item Internet-based configuration
- \item Products sorted by categories
- \item Easy undo of every operation
- \item Manages multiple concurrent orders
- \end{itemize}
- \item The Point-of-Sale App is implemented in Kotlin
- \end{itemize}
-\end{minipage}
-\begin{minipage}{4cm}
- \includegraphics[width=4cm]{screenshots/Screenshot_20230224-194112.jpg}
- \includegraphics[width=4cm]{screenshots/Screenshot_20230224-194119.jpg}
- \includegraphics[width=4cm]{screenshots/Screenshot_20230224-195348.jpg}
-\end{minipage}
+ \begin{description}
+ \item[Derivability of commitments and proofs:]~\\[0.1em]
+ {\scriptsize
+ Let \begin{align*}
+ \age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\
+ (\commitment_0, \pruf_0) & \leftarrow \Commit(\age,
\omega_0),\\
+ (\commitment_1, \pruf_1, \blinding) & \leftarrow
\Derive(\commitment_0, \pruf_0, \omega_1).
+ \end{align*}
+ We require
+ \begin{align*}
+ \Compare(\commitment_0, \commitment_1, \blinding) = 1
\label{req:comparity}
+ \end{align*}
+ and for all $n\leq\age$:
+ \begin{align*}
+ \Verify(n, \commitment_1, \Attest(n,
\commitment_1, \pruf_1)) &%
+ =
+ \Verify(n, \commitment_0, \Attest(n,
\commitment_0, \pruf_0))
+ \end{align*}}
+ \end{description}
\end{frame}
+\begin{frame}{Security Requirements}
+ Candidate functions must also meet \textit{security} requirements.
+ Those are defined via security games:
+ \begin{itemize}
+ \item Game: Age disclosure by commitment or attestation
+ \item[$\leftrightarrow$] Requirement: Non-disclosure of age
+ \vfill
-\begin{frame}{Cashier App for Android}
-\begin{minipage}{4cm}
- \begin{itemize}
- \item Enables BFH staff to convert cash to e-cash
- \item Staff has special bank accounts with limited funds
- \item Students can pay staff in cash to receive e-cash
- \item The Cashier App is implemented in Kotlin
- \end{itemize}
- \end{minipage}
- \begin{minipage}{3cm}
- \includegraphics[width=3cm]{screenshots/Screenshot_20230225-103315.png}
- \end{minipage}
- \begin{minipage}{3cm}
- \includegraphics[width=3cm]{screenshots/Screenshot_20230225-103325.png}
- \end{minipage}
-\end{frame}
+ \item Game: Forging attestation
+ \item[$\leftrightarrow$] Requirement: Unforgeability of
+ minimum age
+ \vfill
+ \item Game: Distinguishing derived commitments and attestations
+ \item[$\leftrightarrow$] Requirement: Unlinkability of
+ commitments and attestations
-\begin{frame}{LibEuFin}
- LibEuFin is a standalone project that provides adapters to bank account
- access APIs.
+ \end{itemize}
+ \vfill
- \begin{itemize}
- \item LibEuFin provides both a generic access layer and an
- implementation of the Wire Gateway for the exchange
- \item Supports EBICS 2.5 and 3.0
- \item other APIs such as FinTS or PSD2-style XS2A APIs can be added
- without requiring changes to the Exchange
- \item tested with German bank GLS business account and real Euros
- \end{itemize}
- \vfill
- \begin{itemize}
- \item \texttt{libeufin-nexus} is the main service
- \item \texttt{libeufin-bank} implements a bank
- (suitable for regional currencies)
- \item \texttt{libeufin-sandbox} implements a toy EBICS host for protocol
- testing
- \end{itemize}
+ Meeting the security requirements means that adversaries can win
+ those games only with negligible advantage.
+ \vfill
+ Adversaries are arbitrary polynomial-time algorithms, acting on all
+ relevant input.
\end{frame}
+\begin{frame}{Security Requirements}
+ \framesubtitle{Simplified Example}
-\begin{frame}{Depolymerization}
- Depolymerization is a bridge between GNU Taler and blockchains,
- making Taler a layer 2 system for crypto-currencies (like Lightning).
-
- \begin{itemize}
- \item Currently implemented for Bitcoin and Ethereum
- crypto-currencies, with the DLTs as the ``RTGS''
- \item Provides same API to Exchange as LibEuFin
-% \item Transaction rate and speed limited by the underlying blockchain
- \item Implemented in Rust
- \end{itemize}
- \begin{center}
- \url{https://bitcoin.ice.bfh.ch/}
- \end{center}
+ \begin{description}
+ \item[Game $\Game{FA}(\lambda)$---Forging an attest:]~\\
+ {\small
+ \begin{enumerate}
+ \item $ (\age, \omega) \drawfrom \N_{\Age-1}\times\Omega
$
+ \item $ (\commitment, \pruf) \leftarrow \Commit(\age,
\omega) $
+ \item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment,
\pruf)$
+ \item Return 0 if $\minage \leq \age$
+ \item Return $\Verify(\minage,\commitment,\attest)$
+ \end{enumerate}
+ }
+ \vfill
+ \item[Requirement: Unforgeability of minimum age]
+ {\small
+ \begin{equation*}
+ \Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to
\N_\Age\times\Attests)}:
+ \Probability\Big[\Game{FA}(\lambda) = 1\Big] \le \negl(\lambda)
+ \end{equation*}
+ }
+ \end{description}
\end{frame}
-\begin{frame}{TalDir (WiP)}
- TalDir is an extension to the existing
- peer-to-peer payment functionality.
+\begin{frame}{Solution: Instantiation with ECDSA}
+% \framesubtitle{Definition of Commit}
- \begin{itemize}
- \item Registry to associate wallets with network addresses
- \item Extensible to different types of network services:
- \begin{itemize}
- \item E-mail
- \item SMS
- \item Twitter
- \item ...
- \end{itemize}
- \item Send payments or invoices to wallets associated with network address
- \item Will {\bf not} require sending wallet to use same network service
- \end{itemize}
+ \begin{description}
+ \item[To Commit to age (group) $\age \in \{1,\dots,\Age\}$]~\\
+ \begin{enumerate}
+ \item<2-> Guardian generates ECDSA-keypairs, one per
age (group):
+ \[\langle(q_1,
p_1),\dots,(q_\Age,p_\Age)\rangle\]
+ \item<3-> Guardian then \textbf{drops} all private keys
+ $p_i$ for $i > \age$:
+ \[\Big \langle(q_1, p_1),\dots,
+ (q_\age, p_\age),
+ (q_{\age +1}, \red{\Nil}),\dots,
+ (q_\Age, \red{\Nil})\Big\rangle\]
+
+ \begin{itemize}
+ \item $\Vcommitment := (q_1, \dots,
q_\Age)$ is the \textit{Commitment},
+ \item $\Vpruf_\age := (p_1, \dots,
p_\age, \Nil,\dots,\Nil)$ is the \textit{Proof}
+ \end{itemize}
+ \vfill
+ \item<4-> Guardian gives child $\langle \Vcommitment,
\Vpruf_\age \rangle$
+ \vfill
+ \end{enumerate}
+ \end{description}
\end{frame}
+\begin{frame}{Instantiation with ECDSA}
+ \framesubtitle{Definitions of Attest and Verify}
-\begin{frame}<1-| handout:0>{Development Infrastructure}
- \begin{itemize}
- \item Borg: incremental backup
- \item Buildbot: CI/CD ({\url https://buildbot.taler.net/})
- \item Davical: Caldav group calendar
- \item Docker: virtualization, packaging
- \item Git/Gitolite: distributed version control ({\url
https://git.taler.net/})
- \item Mailman: public e-mail lists ({\url taler@gnu.org/})
- \item Mantis: bug tracker ({\url https://bugs.taler.net/})
- \item Mattermost: messaging, process management ({\url
https://mattermost.taler.net/})
- \item Sphinx: documentation generation (HTML, PDF, info, man) ({\url
https://docs.taler.net/})
- \item Weblate: collaborative AI-supported internationalization ({\url
https://weblate.taler.net/})
- \end{itemize}
-\end{frame}
+ Child has
+ \begin{itemize}
+ \item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age)
$,
+ \item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil,
\dots, \Nil)$.
+ \end{itemize}
+ \begin{description}
+ \item<2->[To \blue{Attest} a minimum age $\blue{\minage} \leq
\age$:]~\\
+ Sign a message with ECDSA using private key
$p_\blue{\minage}$
+ \end{description}
+ \vfill
-\begin{frame}<1-| handout:0>{Development Tools}
- \begin{itemize}
- \item Coverity: static analysis (C/C++) ({\url https://scan.coverity.com/})
- \item GNU recutils: constant registration ({\url https://gana.gnunet.org/})
- \item Twister: fault injection
- \item Valgrind: dynamic analysis (C/C++)
- \item zzuf: fuzzing
- \end{itemize}
+ \uncover<3->{
+ Merchant gets
+ \begin{itemize}
+ \item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $
+ \item Signature $\sigma$
+ \end{itemize}
+ \begin{description}
+ \item<4->[To \blue{Verify} a minimum age $\minage$:]~\\
+ Verify the ECDSA-Signature $\sigma$ with public key
$q_\minage$.
+ \end{description}
+ }
+ \vfill
\end{frame}
+\begin{frame}{Instantiation with ECDSA}
+ \framesubtitle{Definitions of Derive and Compare}
+ Child has
+ $\Vcommitment = (q_1, \dots, q_\Age) $ and
+ $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
+ \begin{description}
+ \item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:]
+ Choose random $\beta\in\Z_g$ and calculate
+ \small
+ \begin{align*}
+ \Vcommitment' &:= \big(\beta * q_1,\ldots,\beta
* q_\Age\big),\\
+ \Vpruf' &:= \big(\beta p_1,\ldots,\beta
p_\age,\Nil,\ldots,\Nil\big)
+ \end{align*}
+ Note: $ (\beta p_i)*G = \beta*(p_i*G) = \beta*q_i$\\
+ \scriptsize $\beta*q_i$ is scalar multiplication on the
elliptic curve.
+ \end{description}
-\begin{frame}<1-| handout:0>{Cryptographic dependencies}
- \begin{itemize}
- \item libargon2
- \item libgcrypt
- \item libsodium
- \end{itemize}
+ \vfill
+ \uncover<3->{
+ Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$,
$\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$
+ \begin{description}
+ \item[To \blue{Compare}, calculate:]
+ \small
+ $(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=}
(q'_1,\ldots, q'_\Age)$
+ \end{description}
+ \vfill
+ }
\end{frame}
+\begin{frame}{Instantiation with ECDSA}
+
+ Functions
+ (Commit, Attest, Verify, Derive, Compare)\\
+ as defined in the instantiation with ECDSA\\[0.5em]
+ \begin{itemize}
+ \item meet the basic requirements,\\[0.5em]
+ \item also meet all security requirements.\\
+ Proofs by security reduction, details are in the paper.
+ \end{itemize}
-\begin{frame}<1-| handout:0>{Additional dependencies}
- \begin{itemize}
- \item libsqlite3
- \item libpq / Postgres
- \item libjansson
- \item libcurl
- \item libunistring
- \item {\bf GNU libmicrohttpd}
- \item {\bf GNUnet}
- \end{itemize}
\end{frame}
+\begin{frame}{Instantiation with ECDSA}
+ \framesubtitle{Full definitions}
+ \scriptsize
+
+ \begin{align*}
+ \Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle
+ \overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\;
+ \overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf
\text{, length }\Age}
+ \Big\rangle\\
+ \Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:=
+ \begin{cases}
+ \attest_\bage :=
\Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage]
\stackrel{?}{\neq} \Nil\\
+ \Nil & \text{otherwise}
+ \end{cases}\\
+ %
+ \Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:=
\Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\
+ %
+ \Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:=
+ \Big\langle(\beta * q_1,\ldots,\beta * q_\Age),
+ (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta
\Big\rangle \\
+ & \text{ with } \beta := \FDHg{\omega} \text{ and
multiplication } \beta p_i \text{ modulo } g \nonumber\\
+ %
+ \Compare_E(\Vcommitment, \Vcommitment', \beta) &:=
+ \begin{cases}
+ 1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age)
\stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\
+ 0 & \text{otherwise}
+ \end{cases}
+ \end{align*}
+\end{frame}
-\section{Bank integration and exchange administration}
-\begin{frame}
- \vfill
- \begin{center}
- {\bf Bank integration and exchange administration}
- \end{center}
- \vfill
+\begin{frame}{Reminder: GNU Taler Fundamentals}
+ \begin{center}
+ \begin{tikzpicture}[scale=.55]
+ \node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$};
+ \node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$};
+ \node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$};
+
+ \draw[<->] (Customer) to [out=65,in=220] node[sloped,above]
{\sf withdraw} (Exchange);
+ \draw[<->] (Customer) to [out=45,in=240] node[sloped,below]
{\sf refresh} (Exchange);
+ \draw[<->] (Customer) to node[sloped, below] {\sf purchase}
(Merchant);
+ \draw[<->] (Merchant) to node[sloped, above] {\sf deposit}
(Exchange);
+ \end{tikzpicture}
+ \end{center}
+
+ \vfill
+ \begin{itemize}
+ \item Coins are public-/private key-pairs $(C_p, c_s)$.
+ \item Exchange blindly signs $\FDH(C_p)$ with denomination key
$d_p$
+ \item Verification:
+ \begin{eqnarray*}
+ 1 &\stackrel{?}{=}&
+ \mathsf{SigCheck}\big(\FDH(C_p), D_p, \sigma_p\big)
+ \end{eqnarray*}
+ \scriptsize($D_p$ = public key of denomination and $\sigma_p$ =
signature)
+
+ \end{itemize}
\end{frame}
+\begin{frame}{Integration with GNU Taler}
+ \framesubtitle{Binding age restriction to coins}
-\begin{frame}[fragile]{RFC 8905: \texttt{payto:} Uniform Identifiers for
Payments and Accounts}
- \vfill
- Like \texttt{mailto:}, but for bank accounts instead of email accounts!
- \vfill
- \begin{verbatim}
- payto://<PAYMENT-METHOD>/<ACCOUNT-NR>
- ?subject=InvoiceNr42
- &amount=EUR:12.50
- \end{verbatim}
- \vfill
- Default action: Open app to review and confirm payment.
- \vfill
-\includegraphics[width=0.25\textwidth]{einzahlschein-ch.jpeg}
-\hfill
-\includegraphics[width=0.2\textwidth]{de-ueberweisungsformular.png}
- \vfill
+ To bind an age commitment $\commitment$ to a coin $C_p$, instead of
+ signing $\FDH(C_p)$, $\Exchange$ now blindly signs
+ \begin{center}
+ $\FDH(C_p, \orange{H(\commitment)})$
+ \end{center}
+
+ \vfill
+ Verfication of a coin now requires $H(\commitment)$, too:
+ \begin{center}
+ $1 \stackrel{?}{=}
+ \mathsf{SigCheck}\big(\FDH(C_p, \orange{H(\commitment)}), D_p,
\sigma_p\big)$
+ \end{center}
+ \vfill
\end{frame}
+\begin{frame}{Integration with GNU Taler}
+ \framesubtitle{Integrated schemes}
+ \fontsize{8pt}{9pt}\selectfont
+ \begin{tikzpicture}[scale=.9]
+ \node[circle,minimum size=25pt,fill=black!15] at ( 0:0)
(Client) {$\Child$};
+ \node[circle,minimum size=25pt,fill=black!15] at ( 60:5)
(Exchange) {$\Exchange$};
+ \node[circle,minimum size=25pt,fill=black!15] at ( 0:5)
(Merchant) {$\Merchant$};
+ \node[circle,minimum size=25pt,fill=blue!15] at (130:3)
(Guardian) {$\Guardian$};
-\begin{frame}[fragile]{Benefits of {\tt payto://}}
- \begin{itemize}
- \item Standardized way to represent financial resources (bank account,
bitcoin wallet)
- and payments to them
- \item Useful on the client-side on the Web and for FinTech backend
applications
- \item Payment methods (such as IBAN, ACH, Bitcoin) are registered with
- IANA and allow extra options
- \end{itemize}
- \begin{center}
- {\bf Taler wallet can generate payto://-URI for withdraw!}
- \end{center}
+ \draw[<->] (Guardian) to node[sloped,above,align=center]
+ {{\sf withdraw}\orange{, using}\\ $\FDH(C_p\orange{,
H(\commitment)})$} (Exchange);
+ \draw[<->] (Client) to node[sloped,below,align=center]
+ {{\sf refresh} \orange{ + }\\
\orange{$\DeriveCompare$}} (Exchange);
+ \draw[<->] (Client) to node[sloped, below]
+ {{\sf purchase} \blue{+ $(\attest_\minage,
\commitment)$}} (Merchant);
+ \draw[<->] (Merchant) to node[sloped, above]
+ {{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange);
+
+ \draw[->] (Guardian) to [out=70,in=150, loop] node[above]
+ {$\Commit(\age)$} (Guardian);
+ \draw[->] (Guardian) to node[below,sloped]
+ {($\commitment$, $\pruf_\age$)} (Client);
+ \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below]
+ {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}}
(Client);
+ \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
+ {\blue{$\Verify(\minage, \commitment,
\attest_{\minage})$}} (Merchant);
+ \end{tikzpicture}
\end{frame}
+\begin{frame}{Instantiation with Edx25519}
+ Paper also formally defines another signature scheme: Edx25519.\\[1em]
-\begin{frame}[fragile]{Taler: Bank Perspective}
-\begin{adjustbox}{max totalsize={.9\textwidth}{.7\textheight},center}
-\begin{tikzpicture}
- \tikzstyle{def} = [node distance= 5em and 6.5em, inner sep=1em, outer
sep=.3em];
- \node (origin) at (0,0) {};
- \node (exchange) [def,above=of origin,draw]{Exchange};
- \node (nexus) [def, draw, below right=of exchange] {Nexus};
- \node (corebanking) [def, draw, below left=of nexus] {Core Banking};
- \node (nginx) [def, draw, above=of exchange]{Nginx};
- \node (postgres) [def, draw, below left=of exchange]{Postgres};
- \node (postgres-nexus) [def, draw, below right=of nexus]{Postgres};
+ \begin{itemize}
+ \item Scheme already in use in GNUnet,
+ \item based on EdDSA (Bernstein et al.),
+ \item generates compatible signatures and
+ \item allows for key derivation from both, private and public
keys, independently.
+ \end{itemize}~\\[1em]
- \tikzstyle{C} = [color=black, line width=1pt]
+ Current implementation of age restriction in GNU Taler uses Edx25519.
+\end{frame}
- \draw [<-, C] (exchange) -- (nginx) node [midway, above, sloped] (TextNode)
{REST API};
- \draw [<-, C] (postgres) -- (exchange) node [midway, above, sloped]
(TextNode) {SQL};
- \draw [<-, C] (postgres-nexus) -- (nexus) node [midway, above, sloped]
(TextNode) {SQL};
- \draw [<-, C] (nexus) -- (exchange) node [midway, above, sloped] (TextNode)
{Internal REST API};
- \draw [<-, C] (corebanking) -- (nexus) node [midway, above, sloped]
(TextNode) {EBICS/FinTS};
-\end{tikzpicture}
-\end{adjustbox}
+\begin{frame}{Age Restrictions based on KYC}
+ Subsidiarity requires bank accounts being owned by adults.
+ \begin{itemize}
+ \item Scheme can be adapted to case where minors have
bank accounts
+ \begin{itemize}
+ \item Assumption: banks provide minimum
age
+ information during bank
+ transactions.
+ \item Child and Exchange execute a
variant of
+ the cut\&choose protocol.
+ \end{itemize}
+ \end{itemize}
\end{frame}
+\begin{frame}{Discussion}
+ \begin{itemize}
+ \item Our solution can in principle be used with any
token-based payment scheme
+ \item GNU Taler best aligned with our design goals (security,
privacy and efficiency)
+ \item Subsidiarity requires bank accounts being owned by adults
+ \begin{itemize}
+ \item Scheme can be adapted to case where minors have
bank accounts
+ \begin{itemize}
+ \item Assumption: banks provide minimum
age
+ information during bank
+ transactions.
+ \item Child and Exchange execute a
variant of
+ the cut\&choose protocol.
+ \end{itemize}
+ \end{itemize}
+ \item Our scheme offers an alternative to identity management
systems (IMS)
+ \end{itemize}
+\end{frame}
+\begin{frame}{Related Work}
+ \begin{itemize}
+ \item Current privacy-perserving systems all based on
attribute-based credentials (Koning et al., Schanzenbach et al., Camenisch et
al., Au et al.)
+ \item Attribute-based approach lacks support:
+ \begin{itemize}
+ \item Complex for consumers and retailers
+ \item Requires trusted third authority
+ \end{itemize}
+ \vfill
+ \item Other approaches tie age-restriction to ability to pay
("debit cards for kids")
+ \begin{itemize}
+ \item Advantage: mandatory to payment process
+ \item Not privacy friendly
+ \end{itemize}
+ \end{itemize}
+\end{frame}
-\begin{frame}{Taler: Exchange Architecture}
-\begin{center}
-\begin{tikzpicture}
- \tikzstyle{def} = [node distance=2em and 2.5em, inner sep=1em, outer
sep=.3em];
- \node (origin) at (0,0) {};
- \node (httpd) [def,above=of origin,draw]{httpd};
- \node (secmod-rsa) [def, draw, right=of httpd] {secmod-rsa};
- \node (secmod-eddsa) [def, draw, left=of httpd] {secmod-eddsa};
- \node (postgres) [def, draw, below=of httpd]{Postgres};
- \node (aggregator) [def, draw, right=of postgres]{aggregator};
- \node (transfer) [def, draw, below left=of postgres]{transfer};
- \node (wirewatch) [def, draw, below right=of postgres]{wirewatch};
- \node (nexus) [def, draw, below=of postgres]{Nexus};
+\begin{frame}{Conclusion}
+ Age restriction is a technical, ethical and legal challenge.
- \tikzstyle{C} = [color=black, line width=1pt]
+ Existing solutions are
+ \begin{itemize}
+ \item without strong protection of privacy or
+ \item based on identity management systems (IMS)
+ \end{itemize}
+ \vfill
- \draw [<->, C] (httpd) -- (postgres) node [midway, above, sloped] (TextNode)
{};
- \draw [<->, C] (httpd) -- (secmod-rsa) node [midway, above, sloped]
(TextNode) {};
- \draw [<->, C] (httpd) -- (secmod-eddsa) node [midway, above, sloped]
(TextNode) {};
- \draw [<->, C] (aggregator) -- (postgres) node [midway, above, sloped]
(TextNode) {};
- \draw [<->, C] (wirewatch) -- (postgres) node [midway, above, sloped]
(TextNode) {};
- \draw [<->, C] (transfer) -- (postgres) node [midway, above, sloped]
(TextNode) {};
- \draw [->, C] (transfer) -- (nexus) node [midway, above, sloped] (TextNode)
{};
- \draw [<-, C] (wirewatch) -- (nexus) node [midway, above, sloped] (TextNode)
{};
-\end{tikzpicture}
-\end{center}
+ Our scheme offers a solution that is
+ \begin{itemize}
+ \item based on subsidiarity
+ \item privacy preserving
+ \item efficient
+ \item an alternative to IMS
+ \end{itemize}
\end{frame}
-\begin{frame}
-\frametitle{Taler: Auditor Perspective}
-\begin{center}
-\begin{tikzpicture}
- \tikzstyle{def} = [node distance=2em and 2.5em, inner sep=1em, outer
sep=.3em];
- \node (origin) at (0,0) {};
- \node (httpd) [def,above left=of origin,draw]{auditor-httpd};
- \node (report) [def,above right=of origin,draw]{auditor-report};
- \node (postgres-A) [def, draw, below=of origin] {Postgres (Auditor)};
- \node (postgres-E) [def, draw, below=of postgres-A] {Postgres (Bank)};
-
- \tikzstyle{C} = [color=black, line width=1pt]
+\section{Software development \& deployment}
- \draw [->, C] (postgres-E) -- (postgres-A) node [midway, above, sloped]
(TextNode) {sync};
- \draw [<->, C] (httpd) -- (postgres-A) node [midway, above, sloped]
(TextNode) {};
- \draw [<->, C] (report) -- (postgres-A) node [midway, above, sloped]
(TextNode) {};
-\end{tikzpicture}
-\end{center}
+\begin{frame}
+ \vfill
+ \begin{center}
+ {\bf Software development \& deployment}
+ \end{center}
+ \vfill
\end{frame}
-\begin{frame}
-\frametitle{Taler: Merchant Perspective}
-\begin{center}
-\begin{tikzpicture}
- \tikzstyle{def} = [node distance= 3.5em and 2em, inner sep=1em, outer
sep=.3em];
- \node (origin) at (0,0) {};
- \node (backend) [def,above=of origin,draw]{{\tiny taler-merchant-httpd}};
- \node (frontend) [def,above left=of backend,draw]{{\tiny E-commerce
Frontend}};
- \node (backoffice) [def,above right=of backend,draw]{Backoffice};
- \node (postgres) [def, draw, below left=of backend] {Postgres};
- \node (sqlite) [def, draw, below=of backend] {Sqlite};
- \node (alt) [def, draw, below right=of backend] {...};
+\begin{frame}{Development Infrastructure}
+ \begin{itemize}
+ \item Borg: incremental backup
+ \item Buildbot: CI/CD ({\url https://buildbot.taler.net/})
+ \item Davical: Caldav group calendar
+ \item Docker: virtualization, packaging
+ \item Git/Gitolite: distributed version control ({\url
https://git.taler.net/})
+ \item Mailman: public e-mail lists ({\url taler@gnu.org/})
+ \item Mantis: bug tracker ({\url https://bugs.taler.net/})
+ \item Mattermost: messaging, process management ({\url
https://mattermost.taler.net/})
+ \item Sphinx: documentation generation (HTML, PDF, info, man) ({\url
https://docs.taler.net/})
+ \item Weblate: collaborative AI-supported internationalization ({\url
https://weblate.taler.net/})
+ \end{itemize}
+\end{frame}
- \tikzstyle{C} = [color=black, line width=1pt]
- \draw [->, C] (frontend) -- (backend) node [midway, above, sloped] (TextNode)
{REST API};
- \draw [->, C] (backoffice) -- (backend) node [midway, above, sloped]
(TextNode) {REST API};
- \draw [<->, C] (backend) -- (postgres) node [midway, above, sloped]
(TextNode) {SQL};
- \draw [<->, C] (backend) -- (sqlite) node [midway, above, sloped] (TextNode)
{SQL};
- \draw [<->, C] (backend) -- (alt) node [midway, above, sloped] (TextNode)
{SQL};
-\end{tikzpicture}
-\end{center}
+\begin{frame}{Development Tools}
+ \begin{itemize}
+ \item Coverity: static analysis (C/C++) ({\url https://scan.coverity.com/})
+ \item GNU recutils: constant registration ({\url https://gana.gnunet.org/})
+ \item Twister: fault injection
+ \item Valgrind: dynamic analysis (C/C++)
+ \item zzuf: fuzzing
+ \end{itemize}
\end{frame}
-\begin{frame}
-\frametitle{Taler: Wallet Architecture}
- \framesubtitle{Background: \url{https://anastasis.lu/}}
-\begin{center}
-\begin{tikzpicture}
- \tikzstyle{def} = [node distance= 5em and 4.5em, inner sep=1em, outer
sep=.3em];
- \node (origin) at (0,0) {};
- \node (gui) [def,above=of origin,draw]{wallet-gui};
- \node (core) [def,below=of gui,draw]{wallet-core};
- \node (sync) [def, draw, below left=of core] {Sync};
- \node (taler) [def, draw, below right=of core] {Taler};
- \node (anastasis) [def, draw, below=of core] {Anastasis};
+\begin{frame}{Cryptographic dependencies}
+ \begin{itemize}
+ \item libargon2
+ \item libgcrypt
+ \item libsodium
+ \end{itemize}
+\end{frame}
- \tikzstyle{C} = [color=black, line width=1pt]
- \draw [<->, C] (gui) -- (core) node [midway, above, sloped] (TextNode) {};
- \draw [<->, C] (core) -- (sync) node [midway, above, sloped] (TextNode)
{Backup};
- \draw [<->, C] (core) -- (taler) node [midway, above, sloped] (TextNode)
{Payment};
- \draw [<->, C] (core) -- (anastasis) node [midway, above, sloped] (TextNode)
{Key Escrow};
-\end{tikzpicture}
-\end{center}
+
+\begin{frame}{Additional dependencies}
+ \begin{itemize}
+ \item libsqlite3
+ \item libpq / Postgres
+ \item libjansson
+ \item libcurl
+ \item libunistring
+ \item {\bf GNU libmicrohttpd}
+ \item {\bf GNUnet}
+ \end{itemize}
\end{frame}
@@ -2859,10 +3121,10 @@ Searching for functions \uncover<2->{with the following
signatures}
\dots as a bank
\begin{enumerate}
\item Create an escrow bank account for the exchange with EBICS access
- \item Provision offline signing machine (or account during testing)
- \item Provision two PostgreSQL databases (for LibEuFin Nexus and exchange)
+ \item Provision offline signing machine
+ \item Provision two PostgreSQL databases (for libeufin-nexus and exchange)
\item Provision user-facing exchange service and secmod processes
- \item Provision LibEuFin Nexus (connected to escrow account and providing
+ \item Provision libeufin-nexus (connected to escrow account and providing
an internal API to the exchange)
\item Test using the ``taler-wallet-cli``
\end{enumerate}
@@ -2870,7 +3132,7 @@ Searching for functions \uncover<2->{with the following
signatures}
\begin{frame}{Exchange escrow account access}
-The Taler exchange needs to communicate with the core banking system \dots
+The Taler exchange needs to communicate with a core banking system \dots
\begin{itemize}
\item to query for transactions into the exchange's escrow account
\item to initiate payments of aggregated Taler deposits to merchants
@@ -2881,47 +3143,18 @@ for Taler-specific access to the Exchange's escrow
account. Multiple implementa
of the Taler Wire Gateway exist:
\begin{itemize}
- \item a self-contained play money demo bank
- \item LibEuFin, an adapter to EBICS and other protocols
+ \item libeufin-bank, a self-contained play money demo bank
+ \item libeufin-nexus, an adapter to EBICS and other protocols
+ \item Depolymerizer, an adapter to blockchains
\end{itemize}
-
-\end{frame}
-
-\begin{frame}{LibEuFin}
- LibEuFin is a standalone project that provides adapters to bank account
- access APIs.
-
- \begin{itemize}
- \item LibEuFin provides both a generic access layer and an
- implementation of the Taler Wire Gateway API for the exchange
- \item supports EBICS 2.5 and 3.0
- \item other APIs such as FinTS or PSD2-style XS2A APIs can be added
- without requiring changes to the Exchange
- \item tested with GLS Bank and Postfinance bank accounts
- \end{itemize}
-\end{frame}
-
-\begin{frame}{LibEuFin Concepts}
- \begin{itemize}
- \item A LibEuFin \emph{bank connection} is a set of credentials and
parameters
- to talk to the bank's account access API.
- \item A LibEuFin \emph{bank account} is the information about a bank
- account (balances, transactions, payment initiations) stored locally
- within the LibEuFin service. A LibEuFin bank account has a default Bank
- Connection that is used to communicate with the bank's API.
- \item A \emph{facade} provides a domain-specific access layer to bank
accounts
- and connections. The \emph{Taler Wire Gateway Facade} implements the
- API required by the Taler exchange and translates it to operations on the
- underlying account/connection.
- \end{itemize}
\end{frame}
-\begin{frame}{LibEuFin Setup Overview}
+\begin{frame}{libeufin-nexus setup overview}
\framesubtitle{\url{https://docs.taler.net/libeufin/}}
\begin{itemize}
\item Obtain EBICS subscriber configuration (host URL, host ID, user ID,
- partner ID) for the Exchange's escrow account
+ partner ID) for the bank account
\item Create and back up the key material for the bank connection (contains
EBICS subscriber configuration and private keys)
\item Export key letter and activate subscriber in the EBICS host
(physical mail)
@@ -2931,10 +3164,10 @@ of the Taler Wire Gateway exist:
\end{frame}
-\begin{frame}{LibEuFin EBICS Limitations}
+\begin{frame}{libeufin-nexus limitations at GLS Bank}
The GLS accounts with EBICS access that we have access to have some
limitations:
\begin{itemize}
- \item SEPA Instant Credit Transfers aren't supported yet
+ \item SEPA instant credit transfers are not supported yet (by the bank)
\item Erroneous payment initiations are accepted by the GLS EBICS host,
but an error message is later sent only by paper mail (and not reported
by the CRZ download request)
@@ -2944,175 +3177,6 @@ of the Taler Wire Gateway exist:
-\begin{frame}{Key management}
-Taler has many types of keys:
-\begin{itemize}
-\item Coin keys
-\item Denomination keys
-\item Online message signing keys
-\item Offline key signing keys
-\item Merchant keys
-\item Auditor key
-\item Security module keys
-\item Transfer keys
-\item Wallet keys
-\item {\em TLS keys, DNSSEC keys}
-\end{itemize}
-\end{frame}
-
-
-\begin{frame}{Offline keys}
-Both exchange and auditor use offline keys.
-\begin{itemize}
-\item Those keys must be backed up and remain highly confidential!
-\item We recommend that computers that have ever had access to those
- keys to NEVER again go online.
-\item We recommend using a Raspberry Pi for offline key operations.
- Store it in a safe under multiple locks and keys.
-\item Apply full-disk encryption on offline-key signing systems.
-\item Have 3--5 full-disk backups of offline-key signing systems.
-\end{itemize}
-\begin{center}
-\includegraphics[scale=0.1]{pi.png}
-\end{center}
-\end{frame}
-
-
-\begin{frame}{Online keys}
-The exchange needs RSA and EdDSA keys to be available for online signing.
-\begin{itemize}
-\item Knowledge of these private keys will allow an adversary to
- mint digital cash, possibly resulting in huge financial losses
- (eventually, this will be detected by the auditor, but only
- after some financial losses have been irrevocably incurred).
-\item The corresponding public keys are certified using
- Taler's public key infrastructure (which uses offline-only keys).
-\end{itemize}
-\begin{center}
-\includegraphics[width=0.5\textwidth]{taler-diagram-signatures.png}
-\end{center}
-\vfill
-{\tt taler-exchange-offline} can also be used to {\bf revoke} the
-online signing keys, if we find they have been compromised.
-\vfill
-\end{frame}
-
-
-\begin{frame}{Protecting online keys}
-The exchange needs RSA and EdDSA keys to be available for online signing.
-\begin{itemize}
-\item {\tt taler-exchange-secmod-rsa} and {\tt taler-exchange-secmod-eddsa}
- are the only processes that must have access to the private keys.
-\item The secmod processes should run under a different UID, but share
- the same GID with the exchange.
-\item The secmods generate the keys, allow {\tt taler-exchange-httpd} to sign
with
- them, and eventually delete the private keys.
-\item Communication between secmods and {\tt taler-exchange-httpd} is via
- a UNIX domain socket.
-\item Online private keys are stored on disk (not in database!) and should
- NOT be backed up (RAID should suffice). If disk is lost, we can always
- create fresh replacement keys!
-\end{itemize}
-\end{frame}
-
-
-\begin{frame}{Database}
-The exchange needs the database to detect double spending.
-\begin{itemize}
-\item Loss of the database will allow technically skilled people
- to double-spend their digital cash, possibly resulting in
- significant financial losses.
-\item The database contains total amounts customers withdrew and
- merchants received, so sensitive private banking data. It
- must also not become public.
-\item The auditor must have a (current) copy. Asynchronous replication
- is considered sufficient. This copy could also be used as an
- additional (off-site?) backup.
-\end{itemize}
-\end{frame}
-
-
-\begin{frame}{taler-exchange-wirewatch}
-{\tt taler-exchange-wirewatch} needs credentials to access data about
-incoming wire transfers from the Nexus.
-\begin{itemize}
-\item This tool should run as a separate UID and GID (from
- {\tt taler-exchange-httpd}).
-\item It must have access to the Postgres database (SELECT + INSERT).
-\item Its configuration file contains the credentials to talk to Nexus.
-\item[$\Rightarrow$] Configuration should be separate from {\tt
taler-exchange-httpd}.
-\end{itemize}
-\end{frame}
-
-
-\begin{frame}{taler-exchange-transfer}
-Only {\tt taler-exchange-transfer} needs credentials to initiate wire
-transfers using the Nexus.
-\begin{itemize}
-\item This tool should run as a separate UID and GID (from
- {\tt taler-exchange-httpd}).
-\item It must have access to the Postgres database (SELECT + INSERT).
-\item Its configuration file contains the credentials to talk to Nexus.
-\item[$\Rightarrow$] Configuration should be separate from {\tt
taler-exchange-httpd}.
-\end{itemize}
-\end{frame}
-
-
-\begin{frame}{Nexus}
-The Nexus has to be able to interact with the escrow account of the bank.
-\begin{itemize}
-\item It must have the private keys to sign EBICS/FinTS messages.
-\item It also has its own local database.
-\item The Nexus user and database should be kept separate from
- the other exchange users and the Taler exchange database.
-\end{itemize}
-\end{frame}
-
-
-\begin{frame}{Hardware}
-General notions:
-\begin{itemize}
-\item Platforms with disabled Intel ME \& disabled remote administration are
safer.
-\item VMs are not a security mechanism. Side-channel attacks abound. Avoid
running any
- Taler component in a virtual machine ``for security''.
-\end{itemize}
-\end{frame}
-
-
-\begin{frame}{Operating system}
-General notions:
-\begin{itemize}
-\item It should be safe to run the different Taler components (including
Nginx, Nexus
- and Postgres) all on the same physical hardware (under different
UIDs/GIDs).
- We would separate them onto different physical machines during
scale-out, but not
- necessarily for ``basic'' security.
-\item Limiting and auditing system administrator access will be crucial.
-\item We recommend to {\bf not} use any anti-virus.
-\item We recommend using a well-supported GNU/Linux operating system (such as
- Debian or Ubuntu).
-\end{itemize}
-\end{frame}
-
-
-\begin{frame}{Network}
-\begin{itemize}
-\item We recommend to {\bf not} use any host-based firewall.
- Taler components can use UNIX domain sockets (or bind to localhost).
-\item A network-based
- firewall is not required, but as long as TCP 80/443 are open Taler should
- work fine.
-\item Any firewall must be configured to permit connection to Auditor
- for database synchronization.
-\item We recommend running the Taler exchange behind an Nginx or Apache
- proxy for TLS termination.
-\item We recommend using static IP address configurations (IPv4 and IPv6).
-\item We recommend using DNSSEC with DANE in addition to TLS certificates.
-\item We recommend auditing the TLS setup using
\url{https://observatory.mozilla.org}.
-\end{itemize}
-\end{frame}
-
-
-
\section{Performance}
\begin{frame}
@@ -3133,8 +3197,8 @@ General notions:
\only<2->{4 TPS}\\
\visible<3->{
\vspace{2em}
- \includegraphics[width=0.2\linewidth]{performance}\hspace{1em}
- \includegraphics[width=0.2\linewidth]{mining}
+ \includegraphics[width=0.2\linewidth]{performance.pdf}\hspace{1em}
+ \includegraphics[width=0.2\linewidth]{mining.pdf}
}
\end{minipage}
\begin{minipage}{0.32\textwidth}
@@ -3142,7 +3206,7 @@ General notions:
\visible<4->{PayPal\\\vspace{1em}193 TPS}\\
\visible<5->{
\vspace{2em}
- \includegraphics[width=0.2\linewidth]{privacy}
+ \includegraphics[width=0.2\linewidth]{privacy.pdf}
}
\end{minipage}
\begin{minipage}{0.32\textwidth}
@@ -3150,7 +3214,7 @@ General notions:
\visible<6->{Visa\\\vspace{1em}1'667 TPS}\\
\visible<7->{
\vspace{2em}
- \includegraphics[width=0.2\textwidth]{privacy}
+ \includegraphics[width=0.2\textwidth]{privacy.pdf}
}
\end{minipage}
\let\thefootnote\relax\footnote{
@@ -3167,8 +3231,8 @@ General notions:
\visible<1->{e-Krona (Sweden)\\\vspace{1em}100 TPS}\\
\visible<2->{
\vspace{2em}
- \includegraphics[width=0.2\linewidth]{performance}\hspace{1em}
- \includegraphics[width=0.2\linewidth]{privacy}
+ \includegraphics[width=0.2\linewidth]{performance.pdf}\hspace{1em}
+ \includegraphics[width=0.2\linewidth]{privacy.pdf}
}
\end{minipage}
\begin{minipage}{0.32\textwidth}
@@ -3176,7 +3240,7 @@ General notions:
\visible<3->{e-CNY (China)\\\vspace{1em}10'000 TPS}\\
\visible<4->{
\vspace{2em}
- \includegraphics[width=0.2\linewidth]{privacy}
+ \includegraphics[width=0.2\linewidth]{privacy.pdf}
}
\end{minipage}
\begin{minipage}{0.32\textwidth}
@@ -3184,8 +3248,8 @@ General notions:
\visible<5->{Project Hamilton (MIT)\\\vspace{1em}1'700'000 TPS}\\
\visible<6->{
\vspace{2em}
- \includegraphics[width=0.2\textwidth]{privacy}\hspace{1em}
- \includegraphics[width=0.2\textwidth]{applicable}
+ \includegraphics[width=0.2\textwidth]{privacy.pdf}\hspace{1em}
+ \includegraphics[width=0.2\textwidth]{applicable.pdf}
}
\end{minipage}
\let\thefootnote\relax\footnote{
@@ -3217,7 +3281,7 @@ General notions:
\vfill \null
\columnbreak
\begin{center}
- \includegraphics[width=0.5\linewidth]{g5k.png}\\
+ \includegraphics[width=0.5\linewidth]{g5k.pdf}\\
\vspace{2em}
\includegraphics[width=0.9\linewidth]{g5k-map.jpg}
\end{center}
@@ -3282,22 +3346,6 @@ General notions:
\end{frame}
-\begin{frame}{A Bachelor's Thesis Video}
- \begin{center}
- \movie[%scale=0.6,
- autostart,
- poster]
- {
-
\includegraphics[height=0.6\textwidth,width=0.8\textwidth]{white.png}
- }
- {cs-movie.mp4}
- \end{center}
-\end{frame}
-
-
-
-
-
\section{Blockchain integration: Project Depolymerization}
\begin{frame}
@@ -3835,15 +3883,14 @@ Future work:
\begin{frame}{Active collaborations}
\begin{description}
- \item {\bf Freie Universit\"at Berlin:} \\ Programmability
- \item {\bf Technical University Dresden:} \\ embedded systems
+ \item {\bf Freie Universit\"at Berlin:} \\ Programmability \& embedded
systems
\item {\bf The GNU Project}: \\ Integration into FLOSS software
- \item {\bf Anastasis SARL}: \\ Distributed key escrow for backups
\item {\bf Fraunhofer Gesellschaft}: \\ Identity management \& SSI \&
wallet-to-wallet communication
-% \item {\bf Fiscaltrust GmbH}: \\ Point-of-sale integration ({\bf new})
+ \item {\bf NGI TALER}: \\ 11 partners deploying GNU Taler across Europe
\end{description}
\end{frame}
+
\begin{frame}{NGI TALER PILOT}
\framesubtitle{\url{https://taler.net/en/consortium.html}}
@@ -3871,6 +3918,18 @@ Future work:
\end{frame}
+\begin{frame}{Launch Timeline}
+ \begin{description}
+ \item[Q2'2022] Internal deployment at BFH
+ \item[Q1'2023] Deployment using Bitcoin at BFH (running, but not announced)
+ \item[Q2'2024] Deployment of local currency Netzbon in Basel
+ \item[Q3'2024] Public deployment of eCHF stablecoin in Switzerland,
cleared by FINMA
+ \item[Q1'2025] GLS bank launches in Eurozone
+ \item[Q3'2025] Magnet bank launches in Hungary
+ \end{description}
+\end{frame}
+
+
\begin{frame}{Other ongoing developments}
\begin{itemize}
\item Privacy-preserving auctions (trading, currency exchange) ({\tt
oezguer@taler.net})
diff --git a/presentations/comprehensive/mining.pdf
b/presentations/comprehensive/mining.pdf
new file mode 100644
index 0000000..4a98e15
Binary files /dev/null and b/presentations/comprehensive/mining.pdf differ
diff --git a/presentations/comprehensive/paymentTwint-screen.png
b/presentations/comprehensive/paymentTwint-screen.png
new file mode 100644
index 0000000..c540841
Binary files /dev/null and
b/presentations/comprehensive/paymentTwint-screen.png differ
diff --git a/presentations/comprehensive/paymentTwint-screen.xcf
b/presentations/comprehensive/paymentTwint-screen.xcf
new file mode 100644
index 0000000..11ba31e
Binary files /dev/null and
b/presentations/comprehensive/paymentTwint-screen.xcf differ
diff --git a/presentations/comprehensive/paymentTwint-screen_25.png
b/presentations/comprehensive/paymentTwint-screen_25.png
new file mode 100644
index 0000000..bda99eb
Binary files /dev/null and
b/presentations/comprehensive/paymentTwint-screen_25.png differ
diff --git a/presentations/comprehensive/paymentTwint-screen_50.png
b/presentations/comprehensive/paymentTwint-screen_50.png
new file mode 100644
index 0000000..3f1dcec
Binary files /dev/null and
b/presentations/comprehensive/paymentTwint-screen_50.png differ
diff --git a/presentations/comprehensive/performance.pdf
b/presentations/comprehensive/performance.pdf
new file mode 100644
index 0000000..ee01881
Binary files /dev/null and b/presentations/comprehensive/performance.pdf differ
diff --git a/presentations/comprehensive/privacy.pdf
b/presentations/comprehensive/privacy.pdf
new file mode 100644
index 0000000..2ac90b8
Binary files /dev/null and b/presentations/comprehensive/privacy.pdf differ
diff --git a/presentations/comprehensive/shrine.jpg
b/presentations/comprehensive/shrine.jpg
new file mode 100644
index 0000000..77659dd
Binary files /dev/null and b/presentations/comprehensive/shrine.jpg differ
diff --git a/presentations/comprehensive/twint.mkv
b/presentations/comprehensive/twint.mkv
new file mode 100644
index 0000000..c7c0f70
Binary files /dev/null and b/presentations/comprehensive/twint.mkv differ
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [taler-marketing] branch master updated: first round of slide updates,
gnunet <=