diff --git a/m4/definitions.tex b/m4/definitions.tex new file mode 100644 index 0000000..35ac0bf --- /dev/null +++ b/m4/definitions.tex 
@@ -0,0 +1,91 @@ +\newcommand{\orange}[1]{{\color{orange}#1}} +\newcommand{\blue}[1]{{\color{blue}#1}} +\newcommand{\red}[1]{{\color{red}#1}} +\newcommand{\Guardian}{\mathcal{G}} +\newcommand{\Child}{\mathcal{C}} +\newcommand{\Customer}{\mathcal{C}} +\newcommand{\Merchant}{\mathcal{M}} +\newcommand{\Exchange}{\mathcal{E}} + +\newcommand{\Commit}{\mathsf{Commit}} +\newcommand{\Attest}{\mathsf{Attest}} +\newcommand{\Verify}{\mathsf{Verify}} +\newcommand{\Derive}{\mathsf{Derive}} +\newcommand{\DeriveCompare}{\mathsf{DeriveCompare_\kappa}} +\newcommand{\Compare}{\mathsf{Compare}} +\newcommand{\AgeVer}{\mathsf{AgeVer}} + +\newcommand{\HashF}{\mathsf{H}} +\newcommand{\Hash}{\mathsf{H}} +\newcommand{\Block}{\mathbb{B}} +\newcommand{\Pub}{\mathsf{Pub}} +\newcommand{\Sign}{\mathsf{Sig}} +\newcommand{\Ver}{\mathsf{Ver}} +\newcommand{\Encoding}{\mathsf{Encoding}} +\newcommand{\ECDSA}{\mathsf{ECDSA}} +\newcommand{\Null}{\mathcal{O}} +\newcommand{\EC}{\mathrm{ec}} +\newcommand{\Curve}{\mathsf{Curve25519}} +\newcommand{\SHA}{\mathsf{SHA256}} +\newcommand{\SHAF}{\mathsf{SHA252}} +\newcommand{\FDH}{\mathsf{FDH}} + +\newcommand{\negl}{\epsilon} + +\newcommand{\rand}{\mathsf{rand}} +\newcommand{\age}{\mathsf{a}} +\newcommand{\Age}{\mathsf{M}} +\newcommand{\bage}{\mathsf{b}} +\newcommand{\minage}{\mathsf{m}} +\newcommand{\attest}{\mathsf{T}} +\newcommand{\commitment}{\mathsf{Q}} +\newcommand{\pruf}{\mathsf{P}} +\newcommand{\Vcommitment}{\vec{\mathsf{Q}}} +\newcommand{\Vpruf}{\vec{\mathsf{P}}} +\newcommand{\blinding}{\beta} + +\newcommand{\ZN}{\mathbb{Z}_N} +\newcommand{\Z}{\mathbb{Z}} +\newcommand{\N}{\mathbb{N}} +\newcommand{\A}{\mathbb{A}} +\newcommand{\E}{\mathbb{E}} +\newcommand{\F}{\mathbb{F}} +\newcommand{\seck}{\mathsf{s}} +\newcommand{\pubk}{\mathsf{P}} +\renewcommand{\H}{\mathbb{H}} +\newcommand{\K}{\mathbb{K}} +\newcommand{\Proofs}{\mathbb{P}} +\newcommand{\Commitments}{\mathbb{O}} +\newcommand{\Attests}{\mathbb{T}} +\newcommand{\Blindings}{\mathbb{B}} 
+\newcommand{\Nil}{\perp} + +\newcommand{\p}{\mathsf{p}} +\newcommand{\com}{\mathsf{com}} +\newcommand{\prf}{\mathsf{prf}} + +\newcommand{\Adv}{\mathcal{A}} +\newcommand{\PPT}{\mathfrak{A}} +\newcommand{\Probability}{\mathrm{Pr}} +\newcommand{\Algorithm}{f} +\renewcommand{\Game}[1]{G_\Adv^\mathsf{#1}} + +\DeclareMathOperator{\Image}{Im} +\DeclareMathOperator{\Mod}{mod} + +\newcommand{\Encode}[1]{\overbracket[0.5pt][2pt]{\,#1\,}} +\newcommand{\Decode}[1]{\underbracket[0.5pt][3pt]{\,#1\,}} +\newcommand{\FDHg}[1]{[#1]_g\,} +\newcommand{\logg}{{\breve{g}}} + + +\newcommand{\drawfrom}{\xleftarrow{\$}} +\newcommand\Exists{% + \mathop{\lower0.75ex\hbox{\ensuremath{% + \mathlarger{\mathlarger{\mathlarger{\mathlarger{\exists}}}}}}}% + \limits} + +\newcommand\Forall{% + \mathop{\lower0.75ex\hbox{\ensuremath{% + \mathlarger{\mathlarger{\mathlarger{\mathlarger{\forall}}}}}}}% + \limits} diff --git a/m4/ngi-ap3-m4-report.tex b/m4/ngi-ap3-m4-report.tex index 3624d55..eeb3d48 100644 --- a/m4/ngi-ap3-m4-report.tex +++ b/m4/ngi-ap3-m4-report.tex @@ -16,6 +16,11 @@ \usepackage{graphicx} \usepackage{listings} \usepackage{fontspec} +\usepackage{tikz} +\usetikzlibrary{tikzmark} +\usetikzlibrary{shapes,arrows,arrows.meta} +\usetikzlibrary{positioning,patterns} +\usetikzlibrary{calc} \setmonofont[Path = ../fonts/, Extension = .ttf, UprightFont = *-Regular, @@ -55,6 +60,7 @@ emphstyle=\bfseries } \newcommand{\TODO}[1]{{\color{orange}#1}\marginpar{{\color{orange}TODO}}} +\include{definitions} \begin{document} @@ -75,8 +81,8 @@ Emmanuel Benoist\\[\bigskipamount] \section*{Management summary} \begin{abstract} - -For the \textsc{NGI Pointer} programme, the AP³ project team extended GNU Taler with +\noindent + For the \textsc{NGI Pointer} programme, the AP³ project team extended GNU Taler with \begin{itemize} \item age-restricted payments, \item peer-to-peer (P2P) payments and 
@@ -85,8 +91,8 @@ For the \textsc{NGI Pointer} programme, the AP³ project team extended GNU Taler \end{itemize} This document provides the report for the final milestone IV with details on - the state of the implementation, the results of user experience studies - and projected future work. + the results of our usability study, the state of the implementation of + the features and projected future work. \end{abstract} 
@@ -102,13 +108,297 @@ This document provides the report for the final milestone IV with details on \section{Age Restriction} -\TODO{} +We designed and implemented a scheme for age restriction in GNU Taler based on +the following basic ideas: + +Parents/warden can choose to \textbf{commit} a certain maximum age out of a +predefined list of age groups and bind that commitment to a particular coin. +The minors receive those coins and can now \textbf{attest} a required minimum +age (provided that age is less or equal to the committed age of the coins) to +merchants, who can \textbf{verify} the minimum age. For the rest values +(change) after an transaction, the minor/ward can \textbf{derive} new +age-restricted coins. The exchange can \textbf{compare} the equality of the +age-restriction of the old coin with the new coin (in a zero-knowledge +protocol $\DeriveCompare$, that gives the minor a 1/$\kappa$ chance to raise +the minimum age for the new coin). + +The following figure gives an overview of the scheme for age restriction +detached from the payment flow: + +\begin{figure}[h] + \begin{center}\footnotesize +\begin{tikzpicture}[scale=.8] + \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$}; + \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$}; + + \draw[orange,<->] (Client) to node[sloped,below,align=center] + {\orange{$\DeriveCompare$}} (Exchange); + \draw[blue,->] (Client) to node[sloped, below] + {\blue{$(\attest_\minage, \commitment)$}} (Merchant); + + \draw[->] (Guardian) to [out=150,in=70, loop] node[above] + {$\Commit(\age)$} (Guardian); + \draw[->] (Guardian) to node[below,sloped] + {($\commitment$, $\pruf_\age$)} (Client); + \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below] + {\blue{$\Attest(\minage, \commitment, 
\pruf_{\age})$}} (Client); + \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below] + {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant); +\end{tikzpicture} + \end{center} + \caption{Scheme of the age restriction performed between a guardian + $\Guardian$, a child $\Child$, a merchant $\Merchant$ and an exchange + $\Exchange$, using the functions $\Commit$, $\Attest$, $\Verify$ and + the zero-knowledge protocol $\DeriveCompare$ which is based on + functions $\Derive$ and $\Compare$. $\commitment$ is the age + commitment for a maximum age $\age \in \{1,...,\Age\}$ and + $\pruf_{\age}$ is the corresponding proof. $\attest_{\minage}$ is an + attestation of a required age $\minage \leq \age$.} +\end{figure} + \subsection{Technical details} -\TODO{} + +Our implementation of the five functions $\Commit$, $\Attest$, $\Verify$, +$\Derive$ and $\Compare$ is based on the following main building blocks: + +\begin{itemize} + \item The exchange $\Exchange$ defines and publishes M+1 different + \textit{age groups} of increasing order: $0 < a_1 < \ldots < + a_M$ with $a_i \in \mathbb{N}$. The zeroth age group is + $\{0,\ldots,a_1-1\}$. + + \item An \textit{unrestricted} age commitment is defined as a vector of + length $\Age$ of pairs of + \href{https://docs.taler.net/design-documents/024-age-restriction.html#edx25519}{Edx25519} + public and private keys on Curve25519. In other words: one key + pair for each age group after the zeroth: $\bigl\langle (p_1, + q_1), \ldots, (p_M, q_M) \bigr\rangle$. (Here, $p_i$ are + \textit{private} and $q_i$ are public keys). + + \item A \textit{restricted} age commitment to age group m (or m-th age + group) is derived from an unrestricted age commitment by + removing all private keys for indices larger than m: + \[ + \bigl\langle (p_1, q_1), \ldots, (p_m, q_m), + \, (\perp, q_{m+1}), + \ldots, (\perp, q_M)\bigr\rangle + \] F.e. 
if none of the private keys is provided, the age + commitment would be restricted to the zeroth age group. Note + that the action of dropping private keys is performed by the + guardian $\Guardian$. + + \item An \textit{age commitment} (without prefix) is just the vector of + public keys: $\commitment := \langle q_1, \ldots, q_M \rangle$. + Note that from just the age commitment one can not deduce if it + was originated from an unrestricted or restricted age + commitment (and what age). + + \item A child $\Child$ receives the commitment $\commitment$ along with + the proof, the restricted vector\\ + $\pruf_\age := (p_1,\ldots,p_\age,\perp,\ldots,\perp)$. + The child can now create an \textit{attestation} + $\attest_\minage$ for age group $\minage \leq \age$, which is + simply a signature to some message with the private key + $p_\minage$. + + \item An age commitment $\commitment$ is bound to a particular coin + $C_p$ by incorporating the SHA256 hash value of $\commitment$ + into the signature of the coin. So, instead of signing the + full-domain-hash $\text{FDH}(C_p)$ with the RSA private key of + a denomination, the exchange signs $\text{FDH}(C_p, + \orange{H(\commitment)})$. 
+\end{itemize} + +The schemes for age restriction and the scheme for payment in GNU Taler +(protocols \textsf{withdraw}, \textsf{purchase}, \textsf{deposit} and +\textsf{refresh}) are integrated as sketched in the following figure: +\begin{figure}[h] +\begin{center}\footnotesize +\begin{tikzpicture}[scale=.8] + \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$}; + \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$}; + + \draw[<->] (Guardian) to node[sloped,above,align=center] + {\textsf{withdraw}\orange{, using}\\ $\FDH(C_p\orange{, H(\commitment)})$} (Exchange); + \draw[<->] (Client) to node[sloped,below,align=center] + {\textsf{refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange); + \draw[<->] (Client) to node[sloped, below] + {\textsf{purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant); + \draw[<->] (Merchant) to node[sloped, above] + {\textsf{deposit} \orange{+ $H(\commitment)$}} (Exchange); + + \draw[->] (Guardian) to [out=70,in=150, loop] node[above] + {$\Commit(\age)$} (Guardian); + \draw[->] (Guardian) to node[below,sloped] + {($\commitment$, $\pruf_\age$)} (Client); + \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below] + {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client); + \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below] + {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant); +\end{tikzpicture} +\end{center} + \caption{Sketch of the integration of the schemes for age restriction + and payment in GNU Taler.} +\end{figure} + +\filbreak +The cut-and-choose protocol $\DeriveCompare$ is defined roughly as follows: +\begin{center} + \parbox{0.75\textwidth}{ +\begin{enumerate} + \item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$ + from 
$\commitment_0$ \\ + by calling $\Derive()$ with blindings $(\beta_1,\dots,\beta_\kappa)$ + \item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$ + \item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$ + \item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly + \item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$ + \item $\Exchange$ compares $h_0$ and + $H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\ + and evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$. +\end{enumerate}} +\end{center} + + +The proposed solution maintains the guarantees of GNU Taler with respect to +anonymity and unlinkability. Precise formulations of the functions, protocols, +requirements and security guarantees---together with proofs---can be found in +our paper +\href{https://taler.net/papers/esorics2022-age-restriction.pdf} +{\textit{Zero-Knowledge Age Restriction for GNU Taler}}, +published in the +\href{https://link.springer.com/chapter/10.1007/978-3-031-17140-6\_6} +{proceedings to ESORICS 2022}. + + + \subsection{Future Works} -\TODO{} + +\begin{description} + \item[Complete support for all GNU Taler protocols:] So far, age restriction is + only implemented for the GNU Taler protocols \textsf{withdraw}, + \textsf{purchase}, \textsf{deposit} and \textsf{refresh}. We + will extend the support for age restriction in GNU Taler to + include the protocols for P2P payments, tipping and refund. + + \item[Support for minors with bank accounts:] The current design + of age restriction is based on the assumption that only + adults can have bank accounts. That is: wire transfers to the + exchange are assumed to be originated by adults. 
+ + However, in some countries, like Germany, it is possible for + minors to have bank accounts, too, starting from a certain age. + In those cases, the wire transfer record will indicate that the + originating account is owned by a minor. + + We plan to extend the current design and implementation of age + restriction to handle those situations as well: After the + exchange receives a wire transfer from a bank account of a + minor, it will require in a zero-knowledge-proof for a) the + presence of age restriction and b) the appropriate + \textit{maximum} age for the age commitment during the + \textsf{withdraw} protocol. + + \item[Legal certification of our age restriction scheme:] We are in + correspondence with the + \href{https://www.kjm-online.de/en/}{German Commission for the + Protections of Minors in the Media (KJM)} which evaluates and + recommends concepts for protection of minors. GNU Taler has + been recognized as a potential candidate in the so-called + ``cross-channel concepts for the protection of minors''. + + We will prepare a white paper about GNU Taler's age restriction + as input for the commission's next meeting on December 7, 2022, + in Berlin. Our goal is to convince the commission of GNU + Taler's age restriction scheme as a legally acceptable form of + age verification and add it to its list of + \href{https://www.kjm-online.de/aufsicht/technischer-jugendmedienschutz/uebergreifende-konzepte}% + {positively evaluated concepts}. + + +\end{description} + \subsection{Links} -\TODO{} + +Our scheme for age restriction in GNU Taler has been +\href{https://link.springer.com/chapter/10.1007/978-3-031-17140-6\_6}{published +in the proceedings to ESORICS 2022}. +In addition, +\href{https://docs.taler.net/design-documents/024-age-restriction.html}% +{document 24} at \url{https://docs.taler.net/design-documents} also lays out +the design. 
The implementation is distributed across multiple repositories: + +{ \small +\begin{description} + \item[Exchange:] The following REST endpoint handlers and their + accompanying helper functions in + \url{https://git.taler.net/exchange.git/tree/src}: + \begin{itemize} + \item \href{https://git.taler.net/exchange.git/tree/src/exchange/taler-exchange-httpd_deposit.c}{\texttt{TEH\_handler\_deposit}} + \item \href{https://git.taler.net/exchange.git/tree/src/exchange/taler-exchange-httpd_melt.c}{\texttt{TEH\_handler\_melt}} + \item \href{https://git.taler.net/exchange.git/tree/src/exchange/taler-exchange-httpd_refreshes_reveal.c}{\texttt{TEH\_handler\_reveal}} + \item \href{https://git.taler.net/exchange.git/tree/src/exchange/taler-exchange-httpd_recoup.c}{\texttt{TEH\_handler\_recoup}} + \item \href{https://git.taler.net/exchange.git/tree/src/exchange/taler-exchange-httpd_recoup-refresh.c}{\texttt{TEH\_handler\_recoup\_refresh}} + \end{itemize} + + Under \url{https://git.taler.net/exchange.git/tree/src/exchangedb}:\\ + \href{https://git.taler.net/exchange.git/tree/src/exchangedb/common.sql}{common.sql}, + \href{https://git.taler.net/exchange.git/tree/src/exchangedb/exchange-0001.sql}{exchange-0001.sql}, + \href{https://git.taler.net/exchange.git/tree/src/exchangedb/plugin\_exchangedb\_postgres.c}{plugin\_exchangedb\_postgres.c}. 
+ \item[Merchant:] + Under \url{https://git.taler.net/merchant.git/tree/src/}, + \begin{itemize} + \item schema changes in + \href{https://git.taler.net/merchant.git/tree/src/backenddb/merchant-0001.sql}{backenddb/merchant-0001.sql} and\\ + \href{https://git.taler.net/merchant.git/tree/src/backenddb/plugin_merchantdb_postgres.c}{backenddb/plugin\_merchantdb\_postgres.c} + \item functions \verb|process_pay_with_exchange| and \verb|parse_pay| in\\ + \href{https://git.taler.net/merchant.git/tree/src/backend/taler-merchant-httpd_post-orders-ID-pay.c}{backend/taler-merchant-httpd\_post-orders-ID-pay.c} + \end{itemize} + + \item[Wallet:] + Under \url{https://git.taler.net/wallet-core.git/tree/packages/taler-util} + \begin{itemize} + \item low-level cryptographic primitives in + \href{https://git.taler.net/wallet-core.git/tree/packages/taler-util/src/nacl-fast.ts}{\texttt{crypto\_edx25519}} and + \href{https://git.taler.net/wallet-core.git/tree/packages/taler-util/src/talerCrypto.ts#n851}{namespace \texttt{Edx25519}} + \item high-level cryptographic primitives in + \href{https://git.taler.net/wallet-core.git/tree/packages/taler-util/src/talerCrypto.ts#n966}{namespace \texttt{AgeRestrictions}} + \item API changes to wallet-core RPC API in + \href{https://git.taler.net/wallet-core.git/tree/packages/taler-util/src/walletTypes.ts}{\texttt{restrictAge}} + \end{itemize} + Under \url{https://git.taler.net/wallet-core.git/tree/packages/taler-wallet-core/} + \begin{itemize} + \item withdrawal and refresh primitives in \href{https://git.taler.net/wallet-core.git/tree/packages/taler-wallet-core/src/crypto/cryptoImplementation.ts}{\texttt{crypto/cryptoImplementation.ts}} + \item wallet database requests and HTTP requests in \\ + \href{https://git.taler.net/wallet-core.git/tree/packages/taler-wallet-core/src/db.ts}{\texttt{db.ts}}, + \href{https://git.taler.net/wallet-core.git/tree/packages/taler-wallet-core/src/operations/withdraw.ts}{\texttt{withdraw.ts}} and + 
\href{https://git.taler.net/wallet-core.git/tree/packages/taler-wallet-core/src/operations/refresh.ts}{\texttt{refresh.ts}} + \item coin/denomination selection in + \href{https://git.taler.net/wallet-core.git/tree/packages/taler-wallet-core/src/util/coinSelection.ts}{\texttt{util/coinSelection.ts}} + \end{itemize} + + + \item[Tests:] Under \url{https://git.taler.net/exchange.git/tree/src}: + \begin{itemize} + \item \href{https://git.taler.net/exchange.git/tree/src/util/test\_crypto.c}{util/test\_crypto.c} + \item \href{https://git.taler.net/exchange.git/tree/src/util/test\_age\_restriction.c}{util/test\_age\_restriction.c} + \item \href{https://git.taler.net/exchange.git/tree/src/util/tv\_age\_restriction.c}{util/tv\_age\_restriction.c} + \item \href{https://git.taler.net/exchange.git/tree/src/testing/test\_exchange\_api.c}{testing/test\_exchange\_api.c} + \end{itemize} +\end{description} + + +The definition of Edx25519, a variant of EdDSA that we designed for usage in +our age restriction scheme in GNU Taler, and its implementation is located at +\url{https://git.gnunet.org/gnunet.git/} in file +\href{https://git.gnunet.org/gnunet.git/tree/src/util/crypto\_edx25519.c}{util/crypto\_edx25519.c}. + +} + \newpage @@ -264,7 +554,7 @@ locations under \url{https://git.taler.net/wallet-core.git/tree/packages/} \newpage -\section{User Experience Studies} +\section{Usability Study} For the \textsc{NGI Pointer} programme, the AP³ project team performed a usability study to gather feedback and inform further development of the
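Review bot: `\newcommand{\SHAF}{\mathsf{SHA252}}` in the new m4/definitions.tex looks like a typo for SHA256 (the neighbouring `\SHA` is `\mathsf{SHA256}`); if `\SHAF` is really meant to be a distinct variant, a comment next to it should say so. Several macros in the same file collide on one glyph, which will become ambiguous as soon as two of them meet in one formula: `\Child` and `\Customer` are both `\mathcal{C}`, `\Block` and `\Blindings` are both `\mathbb{B}`, and `\pruf` and `\pubk` are both `\mathsf{P}`. The file also relies on packages it neither loads nor that this patch adds to the report preamble: `\color` needs xcolor (or color), `\overbracket`/`\underbracket` need mathtools, `\mathlarger` in `\Exists`/`\Forall` needs relsize, and `\renewcommand{\Game}` only compiles if amssymb, which defines `\Game`, is loaded before this file. `\renewcommand{\H}` silently replaces the Hungarian umlaut accent command; a name such as `\HH` would avoid that.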
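Review bot: `\usetikzlibrary{shapes,arrows,arrows.meta}` in the m4/ngi-ap3-m4-report.tex preamble loads the legacy `arrows` library together with its replacement `arrows.meta`; the two figures added in this patch only use plain `->`/`<->` tips, so `arrows.meta` alone suffices and the deprecated library can go. Neither figure uses `tikzmark` or `patterns` either, so those `\usetikzlibrary` lines can be dropped until a figure needs them.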
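Review bot: `\include{definitions}` is inserted in the preamble (after the `\TODO` macro, before `\begin{document}`), but `\include` issues a `\clearpage` and is not permitted before `\begin{document}`; it also creates a separate .aux file for the included chunk. Replace it with `\input{definitions}`, which is the right tool for a preamble of macro definitions.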
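Review bot: step 6 of the `\DeriveCompare` enumeration has the exchange "evaluate $\Compare(\commitment_0, \commitment_i, \beta_i)$" without saying which $i$; it should read "for all $i \neq \gamma$", since $(\commitment_\gamma, \beta_\gamma)$ is precisely the pair the child withholds in step 5, and the same step mixes `||...||` with `\dots`. A second consistency issue in this hunk: the first figure's caption restricts $\age \in \{1,...,\Age\}$, yet the bullet on restricted commitments says that dropping all private keys restricts the commitment to the zeroth age group, so either the range should include 0 or the text should explain how the zeroth group is represented. The prose writes `H(\commitment)` and `\text{FDH}(C_p)` although definitions.tex provides `\Hash` and `\FDH` (the second figure already uses `\FDH`); using the macros throughout keeps the notation uniform. Wording nits: "an transaction" should be "a transaction", "F.e." should be "E.g.", "can not deduce" should be "cannot deduce", "Parents/warden" should match the "guardian" used in the figures and captions, the subsection title "Future Works" should be "Future Work", and the KJM link text "Protections of Minors" should be "Protection of Minors".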