update legal evaluation et. al.

This commit is contained in:
Özgür Kesim 2022-10-30 13:46:43 +01:00
parent 906a22de47
commit 3b61924585

View File

@ -16,6 +16,7 @@
\usepackage{graphicx} \usepackage{graphicx}
\usepackage{listings} \usepackage{listings}
\usepackage{fontspec} \usepackage{fontspec}
\usepackage{menukeys}
\usepackage{tikz} \usepackage{tikz}
\usetikzlibrary{tikzmark} \usetikzlibrary{tikzmark}
\usetikzlibrary{shapes,arrows,arrows.meta} \usetikzlibrary{shapes,arrows,arrows.meta}
@ -122,8 +123,8 @@ age-restriction of the old coin with the new coin (in a zero-knowledge
protocol $\DeriveCompare$, that gives the minor a 1/$\kappa$ chance to raise protocol $\DeriveCompare$, that gives the minor a 1/$\kappa$ chance to raise
the minimum age for the new coin). the minimum age for the new coin).
The following figure gives an overview of the scheme for age restriction Figure~\ref{scheme} gives an overview of the scheme for age restriction
detached from the payment flow: detached from the payment flow.
\begin{figure}[h] \begin{figure}[h]
\begin{center}\footnotesize \begin{center}\footnotesize
@ -156,8 +157,13 @@ detached from the payment flow:
commitment for a maximum age $\age \in \{1,...,\Age\}$ and commitment for a maximum age $\age \in \{1,...,\Age\}$ and
$\pruf_{\age}$ is the corresponding proof. $\attest_{\minage}$ is an $\pruf_{\age}$ is the corresponding proof. $\attest_{\minage}$ is an
attestation of a required age $\minage \leq \age$.} attestation of a required age $\minage \leq \age$.}
\label{scheme}
\end{figure} \end{figure}
We have implemented all parts of this scheme in GNU Taler's exchange, wallet
and merchant code bases for the most common protocols: withdraw, purchase,
deposit and refresh.
\subsection{Technical details} \subsection{Technical details}
Our implementation of the five functions $\Commit$, $\Attest$, $\Verify$, Our implementation of the five functions $\Commit$, $\Attest$, $\Verify$,
@ -185,9 +191,10 @@ $\Derive$ and $\Compare$ is based on the following main building blocks:
\, (\perp, q_{m+1}), \, (\perp, q_{m+1}),
\ldots, (\perp, q_M)\bigr\rangle \ldots, (\perp, q_M)\bigr\rangle
\] F.e. if none of the private keys is provided, the age \] F.e. if none of the private keys is provided, the age
commitment would be restricted to the zeroth age group. Note commitment would be restricted to the zeroth age group.
that the action of dropping private keys is performed by the
guardian $\Guardian$. Note that the action of dropping private keys is performed by
the guardian $\Guardian$.
\item An \textit{age commitment} (without prefix) is just the vector of \item An \textit{age commitment} (without prefix) is just the vector of
public keys: $\commitment := \langle q_1, \ldots, q_M \rangle$. public keys: $\commitment := \langle q_1, \ldots, q_M \rangle$.
@ -198,7 +205,7 @@ $\Derive$ and $\Compare$ is based on the following main building blocks:
\item A child $\Child$ receives the commitment $\commitment$ along with \item A child $\Child$ receives the commitment $\commitment$ along with
the proof, the restricted vector\\ the proof, the restricted vector\\
$\pruf_\age := (p_1,\ldots,p_\age,\perp,\ldots,\perp)$. $\pruf_\age := (p_1,\ldots,p_\age,\perp,\ldots,\perp)$.
The child can now create an \textit{attestation} $\Child$ can now create an \textit{attestation}
$\attest_\minage$ for age group $\minage \leq \age$, which is $\attest_\minage$ for age group $\minage \leq \age$, which is
simply a signature to some message with the private key simply a signature to some message with the private key
$p_\minage$. $p_\minage$.
@ -209,14 +216,34 @@ $\Derive$ and $\Compare$ is based on the following main building blocks:
full-domain-hash $\text{FDH}(C_p)$ with the RSA private key of full-domain-hash $\text{FDH}(C_p)$ with the RSA private key of
a denomination, the exchange signs $\text{FDH}(C_p, a denomination, the exchange signs $\text{FDH}(C_p,
\orange{H(\commitment)})$. \orange{H(\commitment)})$.
\item $\DeriveCompare$ is a zero-knowledge, cut-and-choose protocol,
using the functions $\Derive$ and $\Compare$, which allows
$\Child$ to derive new commitments from existing ones in an
unlinkable way and $\Exchange$ to statistically trust them to
be equivalent. The protocol is defined roughly as follows,
with $\kappa \in \N$ the security parameter (currently $\kappa
= 3$):
\begin{enumerate}
\item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$
from $\commitment_0$ by calling $\Derive()$ \\ with blindings $(\beta_1,\dots,\beta_\kappa)$
\item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$
\item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$
\item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly
\item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$
\item $\Exchange$ compares $h_0$ and
$H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$
and \\ evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$.
\end{enumerate}
\end{itemize} \end{itemize}
The schemes for age restriction and the scheme for payment in GNU Taler The integration of both schemes for age restriction and the scheme for payment
(protocols \textsf{withdraw}, \textsf{purchase}, \textsf{deposit} and in GNU Taler (protocols \textsf{withdraw}, \textsf{purchase}, \textsf{deposit}
\textsf{refresh}) are integrated as sketched in the following figure: and \textsf{refresh}) is sketched in Figure~\ref{bothschemes}.
\begin{figure}[h] \begin{figure}[ht]
\begin{center}\footnotesize \begin{center}
\begin{tikzpicture}[scale=.8] \begin{tikzpicture}[scale=.9]
\node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$}; \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
\node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$}; \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$};
@ -243,27 +270,9 @@ The schemes for age restriction and the scheme for payment in GNU Taler
\end{center} \end{center}
\caption{Sketch of the integration of the schemes for age restriction \caption{Sketch of the integration of the schemes for age restriction
and payment in GNU Taler.} and payment in GNU Taler.}
\label{bothschemes}
\end{figure} \end{figure}
\filbreak
The cut-and-choose protocol $\DeriveCompare$ is defined roughly as follows:
\begin{center}
\parbox{0.75\textwidth}{
\begin{enumerate}
\item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$
from $\commitment_0$ \\
by calling $\Derive()$ with blindings $(\beta_1,\dots,\beta_\kappa)$
\item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$
\item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$
\item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly
\item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$
\item $\Exchange$ compares $h_0$ and
$H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\
and evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$.
\end{enumerate}}
\end{center}
The proposed solution maintains the guarantees of GNU Taler with respect to The proposed solution maintains the guarantees of GNU Taler with respect to
anonymity and unlinkability. Precise formulations of the functions, protocols, anonymity and unlinkability. Precise formulations of the functions, protocols,
requirements and security guarantees---together with proofs---can be found in requirements and security guarantees---together with proofs---can be found in
@ -276,10 +285,43 @@ published in the
\subsection{Legal evaluation}
We are in correspondence with the \href{https://www.kjm-online.de/en/}{German
Commission for the Protections of Minors in the Media (KJM)}. The commission
acts as the central supervisory body for the protection of minors in private
broadcasting and media in Germany. The commission runs a Berlin-based joint
office of state authorities for media and journalism within the Federal
republic of Germany. Its plenary congregation meets in Berlin on December 7,
2022, for which GNU Taler applies with a systematic description and the
whitepaper on Taler tokens with age restrictions in German language. The
application is assisted and coordinated by Mr. Henning Mellage, Legal \&
Supervision Officer, at the Landesanstalt für Medien NRW in Düsseldorf which is
part of the KJM.
The KJM confirmed its intention to evaluate GNU Taler as recommendable concept
for the protection of minors and to add GNU Taler to its list of positively
evaluated, so-called ``cross-channel concepts'' at
\href{https://www.kjm-online.de/en/supervision/technical-protection-of-minors-in-the-media/cross-channel-concepts}%
{\texttt{https://www.kjm-online.de/en/supervision/{\small \keys{\return}}\\
technical-protection-of-minors-in-the-media/cross-channel-concepts}}. This
includes the presentation of GNU Taler in the document
\href{https://www.kjm-online.de/fileadmin/user_upload/KJM/Aufsicht/Technischer_Jugendmedienschutz/Uebergreifende_Jugendschutzkonzepte.pdf}{\textit{Übersicht
über positiv bewertete übergreifende Jugendschutzkonzepte}}, which mirrors the
content of the mentioned website with recommended concepts of youth protection.
GNU Taler is going to be evaluated under the category ``holistic youth
protection concept''. The KJM uses this category only for concepts that are
widely accessible to the public and do not only serve a closed user group
(closed user group means: access to content or goods is granted only after age
verification by presenting an official ID card, driving licenses or the
like---which is endangering privacy, data security, and informational
self-determination).
\subsection{Future Works} \subsection{Future Works}
\begin{description} \begin{description}
\item[Complete support for all GNU Taler protocols:] So far, age restriction is \item[Completion of support for all GNU Taler protocols:] So far, age restriction is
only implemented for the GNU Taler protocols \textsf{withdraw}, only implemented for the GNU Taler protocols \textsf{withdraw},
\textsf{purchase}, \textsf{deposit} and \textsf{refresh}. We \textsf{purchase}, \textsf{deposit} and \textsf{refresh}. We
will extend the support for age restriction in GNU Taler to will extend the support for age restriction in GNU Taler to
@ -303,25 +345,9 @@ published in the
\textit{maximum} age for the age commitment during the \textit{maximum} age for the age commitment during the
\textsf{withdraw} protocol. \textsf{withdraw} protocol.
\item[Legal certification of our age restriction scheme:] We are in
correspondence with the
\href{https://www.kjm-online.de/en/}{German Commission for the
Protections of Minors in the Media (KJM)} which evaluates and
recommends concepts for protection of minors. GNU Taler has
been recognized as a potential candidate in the so-called
``cross-channel concepts for the protection of minors''.
We will prepare a white paper about GNU Taler's age restriction
as input for the commission's next meeting on December 7, 2022,
in Berlin. Our goal is to convince the commission of GNU
Taler's age restriction scheme as a legally acceptable form of
age verification and add it to its list of
\href{https://www.kjm-online.de/aufsicht/technischer-jugendmedienschutz/uebergreifende-konzepte}%
{positively evaluated concepts}.
\end{description} \end{description}
\subsection{Links} \subsection{Links}
Our scheme for age restriction in GNU Taler has been Our scheme for age restriction in GNU Taler has been
@ -441,11 +467,13 @@ purse (with contract and expiration time) and immediately ensures that
the balance of the purse is the target amount. The payer then sends the balance of the purse is the target amount. The payer then sends
the merge-capability key of the purse to the payee. The payee can the merge-capability key of the purse to the payee. The payee can
then use the merge-capability key to merge (move) the balance of the then use the merge-capability key to merge (move) the balance of the
purse into a KYCed (i.e. know-your-customer ready) reserve of the receiving purse into a KYC%
wallet. A KYCed reserve basically is a long-term public-private key pair that \footnote{KYC: Know-Your-Customer, a legally required procedure for customers
identifies a wallet and a user at an exchange, ensuring income transparency. to identify themselves with the bank.}ed
Once the money is in the reserve, the wallet can then use the reserve private reserve of the receiving wallet. A KYCed reserve basically is a long-term
key to withdraw fresh coins. public-private key pair that identifies a wallet and a user at an exchange,
ensuring income transparency. Once the money is in the reserve, the wallet can
then use the reserve private key to withdraw fresh coins.
When invoicing, the initiator again creates a purse, but this time When invoicing, the initiator again creates a purse, but this time
does not put any money into it and keeps the merge capability key does not put any money into it and keeps the merge capability key