taler/ngi-pointer-ap3
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

[wip] age restriction section done

Browse Source
This commit is contained in:
Özgür Kesim 2022-10-29 23:51:01 +02:00
parent aecc4dbeec
commit 906a22de47
2 changed files with 390 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

91
m4/definitions.tex Normal file
View File

@ -0,0 +1,91 @@
\newcommand{\orange}[1]{{\color{orange}#1}}
\newcommand{\blue}[1]{{\color{blue}#1}}
\newcommand{\red}[1]{{\color{red}#1}}
\newcommand{\Guardian}{\mathcal{G}}
\newcommand{\Child}{\mathcal{C}}
\newcommand{\Customer}{\mathcal{C}}
\newcommand{\Merchant}{\mathcal{M}}
\newcommand{\Exchange}{\mathcal{E}}
\newcommand{\Commit}{\mathsf{Commit}}
\newcommand{\Attest}{\mathsf{Attest}}
\newcommand{\Verify}{\mathsf{Verify}}
\newcommand{\Derive}{\mathsf{Derive}}
\newcommand{\DeriveCompare}{\mathsf{DeriveCompare_\kappa}}
\newcommand{\Compare}{\mathsf{Compare}}
\newcommand{\AgeVer}{\mathsf{AgeVer}}
\newcommand{\HashF}{\mathsf{H}}
\newcommand{\Hash}{\mathsf{H}}
\newcommand{\Block}{\mathbb{B}}
\newcommand{\Pub}{\mathsf{Pub}}
\newcommand{\Sign}{\mathsf{Sig}}
\newcommand{\Ver}{\mathsf{Ver}}
\newcommand{\Encoding}{\mathsf{Encoding}}
\newcommand{\ECDSA}{\mathsf{ECDSA}}
\newcommand{\Null}{\mathcal{O}}
\newcommand{\EC}{\mathrm{ec}}
\newcommand{\Curve}{\mathsf{Curve25519}}
\newcommand{\SHA}{\mathsf{SHA256}}
\newcommand{\SHAF}{\mathsf{SHA252}}
\newcommand{\FDH}{\mathsf{FDH}}
\newcommand{\negl}{\epsilon}
\newcommand{\rand}{\mathsf{rand}}
\newcommand{\age}{\mathsf{a}}
\newcommand{\Age}{\mathsf{M}}
\newcommand{\bage}{\mathsf{b}}
\newcommand{\minage}{\mathsf{m}}
\newcommand{\attest}{\mathsf{T}}
\newcommand{\commitment}{\mathsf{Q}}
\newcommand{\pruf}{\mathsf{P}}
\newcommand{\Vcommitment}{\vec{\mathsf{Q}}}
\newcommand{\Vpruf}{\vec{\mathsf{P}}}
\newcommand{\blinding}{\beta}
\newcommand{\ZN}{\mathbb{Z}_N}
\newcommand{\Z}{\mathbb{Z}}
\newcommand{\N}{\mathbb{N}}
\newcommand{\A}{\mathbb{A}}
\newcommand{\E}{\mathbb{E}}
\newcommand{\F}{\mathbb{F}}
\newcommand{\seck}{\mathsf{s}}
\newcommand{\pubk}{\mathsf{P}}
\renewcommand{\H}{\mathbb{H}}
\newcommand{\K}{\mathbb{K}}
\newcommand{\Proofs}{\mathbb{P}}
\newcommand{\Commitments}{\mathbb{O}}
\newcommand{\Attests}{\mathbb{T}}
\newcommand{\Blindings}{\mathbb{B}}
\newcommand{\Nil}{\perp}
\newcommand{\p}{\mathsf{p}}
\newcommand{\com}{\mathsf{com}}
\newcommand{\prf}{\mathsf{prf}}
\newcommand{\Adv}{\mathcal{A}}
\newcommand{\PPT}{\mathfrak{A}}
\newcommand{\Probability}{\mathrm{Pr}}
\newcommand{\Algorithm}{f}
\renewcommand{\Game}[1]{G_\Adv^\mathsf{#1}}
\DeclareMathOperator{\Image}{Im}
\DeclareMathOperator{\Mod}{mod}
\newcommand{\Encode}[1]{\overbracket[0.5pt][2pt]{\,#1\,}}
\newcommand{\Decode}[1]{\underbracket[0.5pt][3pt]{\,#1\,}}
\newcommand{\FDHg}[1]{[#1]_g\,}
\newcommand{\logg}{{\breve{g}}}
\newcommand{\drawfrom}{\xleftarrow{\$}}
\newcommand\Exists{%
\mathop{\lower0.75ex\hbox{\ensuremath{%
\mathlarger{\mathlarger{\mathlarger{\mathlarger{\exists}}}}}}}%
\limits}
\newcommand\Forall{%
\mathop{\lower0.75ex\hbox{\ensuremath{%
\mathlarger{\mathlarger{\mathlarger{\mathlarger{\forall}}}}}}}%
\limits}

308
m4/ngi-ap3-m4-report.tex
View File

@ -16,6 +16,11 @@
\usepackage{graphicx} \usepackage{graphicx}
\usepackage{listings} \usepackage{listings}
\usepackage{fontspec} \usepackage{fontspec}
\usepackage{tikz}
\usetikzlibrary{tikzmark}
\usetikzlibrary{shapes,arrows,arrows.meta}
\usetikzlibrary{positioning,patterns}
\usetikzlibrary{calc}
\setmonofont[Path = ../fonts/, \setmonofont[Path = ../fonts/,
Extension = .ttf, Extension = .ttf,
UprightFont = *-Regular, UprightFont = *-Regular,
@ -55,6 +60,7 @@
emphstyle=\bfseries emphstyle=\bfseries
} }
\newcommand{\TODO}[1]{{\color{orange}#1}\marginpar{{\color{orange}TODO}}} \newcommand{\TODO}[1]{{\color{orange}#1}\marginpar{{\color{orange}TODO}}}
\include{definitions}
\begin{document} \begin{document}
@ -75,8 +81,8 @@ Emmanuel Benoist\\[\bigskipamount]
\section*{Management summary} \section*{Management summary}
\begin{abstract} \begin{abstract}
\noindent
For the \textsc{NGI Pointer} programme, the AP³ project team extended GNU Taler with For the \textsc{NGI Pointer} programme, the AP³ project team extended GNU Taler with
\begin{itemize} \begin{itemize}
\item age-restricted payments, \item age-restricted payments,
\item peer-to-peer (P2P) payments and \item peer-to-peer (P2P) payments and
@ -85,8 +91,8 @@ For the \textsc{NGI Pointer} programme, the AP³ project team extended GNU Taler
\end{itemize} \end{itemize}
This document provides the report for the final milestone IV with details on This document provides the report for the final milestone IV with details on
the state of the implementation, the results of user experience studies the results of our usability study, the state of the implementation of
and projected future work. the features and projected future work.
\end{abstract} \end{abstract}
@ -102,13 +108,297 @@ This document provides the report for the final milestone IV with details on
\section{Age Restriction} \section{Age Restriction}
\TODO{} We designed and implemented a scheme for age restriction in GNU Taler based on
the following basic ideas:
Parents/warden can choose to \textbf{commit} a certain maximum age out of a
predefined list of age groups and bind that commitment to a particular coin.
The minors receive those coins and can now \textbf{attest} a required minimum
age (provided that age is less or equal to the committed age of the coins) to
merchants, who can \textbf{verify} the minimum age. For the rest values
(change) after an transaction, the minor/ward can \textbf{derive} new
age-restricted coins. The exchange can \textbf{compare} the equality of the
age-restriction of the old coin with the new coin (in a zero-knowledge
protocol $\DeriveCompare$, that gives the minor a 1/$\kappa$ chance to raise
the minimum age for the new coin).
The following figure gives an overview of the scheme for age restriction
detached from the payment flow:
\begin{figure}[h]
\begin{center}\footnotesize
\begin{tikzpicture}[scale=.8]
\node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
\node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$};
\node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$};
\draw[orange,<->] (Client) to node[sloped,below,align=center]
{\orange{$\DeriveCompare$}} (Exchange);
\draw[blue,->] (Client) to node[sloped, below]
{\blue{$(\attest_\minage, \commitment)$}} (Merchant);
\draw[->] (Guardian) to [out=150,in=70, loop] node[above]
{$\Commit(\age)$} (Guardian);
\draw[->] (Guardian) to node[below,sloped]
{($\commitment$, $\pruf_\age$)} (Client);
\draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below]
{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
\end{tikzpicture}
\end{center}
\caption{Scheme of the age restriction performed between a guardian
$\Guardian$, a child $\Child$, a merchant $\Merchant$ and an exchange
$\Exchange$, using the functions $\Commit$, $\Attest$, $\Verify$ and
the zero-knowledge protocol $\DeriveCompare$ which is based on
functions $\Derive$ and $\Compare$. $\commitment$ is the age
commitment for a maximum age $\age \in \{1,...,\Age\}$ and
$\pruf_{\age}$ is the corresponding proof. $\attest_{\minage}$ is an
attestation of a required age $\minage \leq \age$.}
\end{figure}
\subsection{Technical details} \subsection{Technical details}
\TODO{}
Our implementation of the five functions $\Commit$, $\Attest$, $\Verify$,
$\Derive$ and $\Compare$ is based on the following main building blocks:
\begin{itemize}
\item The exchange $\Exchange$ defines and publishes M+1 different
\textit{age groups} of increasing order: $0 < a_1 < \ldots <
a_M$ with $a_i \in \mathbb{N}$. The zeroth age group is
$\{0,\ldots,a_1-1\}$.
\item An \textit{unrestricted} age commitment is defined as a vector of
length $\Age$ of pairs of
\href{https://docs.taler.net/design-documents/024-age-restriction.html#edx25519}{Edx25519}
public and private keys on Curve25519. In other words: one key
pair for each age group after the zeroth: $\bigl\langle (p_1,
q_1), \ldots, (p_M, q_M) \bigr\rangle$. (Here, $p_i$ are
\textit{private} and $q_i$ are public keys).
\item A \textit{restricted} age commitment to age group m (or m-th age
group) is derived from an unrestricted age commitment by
removing all private keys for indices larger than m:
\[
\bigl\langle (p_1, q_1), \ldots, (p_m, q_m),
\, (\perp, q_{m+1}),
\ldots, (\perp, q_M)\bigr\rangle
\] F.e. if none of the private keys is provided, the age
commitment would be restricted to the zeroth age group. Note
that the action of dropping private keys is performed by the
guardian $\Guardian$.
\item An \textit{age commitment} (without prefix) is just the vector of
public keys: $\commitment := \langle q_1, \ldots, q_M \rangle$.
Note that from just the age commitment one can not deduce if it
was originated from an unrestricted or restricted age
commitment (and what age).
\item A child $\Child$ receives the commitment $\commitment$ along with
the proof, the restricted vector\\
$\pruf_\age := (p_1,\ldots,p_\age,\perp,\ldots,\perp)$.
The child can now create an \textit{attestation}
$\attest_\minage$ for age group $\minage \leq \age$, which is
simply a signature to some message with the private key
$p_\minage$.
\item An age commitment $\commitment$ is bound to a particular coin
$C_p$ by incorporating the SHA256 hash value of $\commitment$
into the signature of the coin. So, instead of signing the
full-domain-hash $\text{FDH}(C_p)$ with the RSA private key of
a denomination, the exchange signs $\text{FDH}(C_p,
\orange{H(\commitment)})$.
\end{itemize}
The schemes for age restriction and the scheme for payment in GNU Taler
(protocols \textsf{withdraw}, \textsf{purchase}, \textsf{deposit} and
\textsf{refresh}) are integrated as sketched in the following figure:
\begin{figure}[h]
\begin{center}\footnotesize
\begin{tikzpicture}[scale=.8]
\node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
\node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$};
\node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$};
\draw[<->] (Guardian) to node[sloped,above,align=center]
{\textsf{withdraw}\orange{, using}\\ $\FDH(C_p\orange{, H(\commitment)})$} (Exchange);
\draw[<->] (Client) to node[sloped,below,align=center]
{\textsf{refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange);
\draw[<->] (Client) to node[sloped, below]
{\textsf{purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant);
\draw[<->] (Merchant) to node[sloped, above]
{\textsf{deposit} \orange{+ $H(\commitment)$}} (Exchange);
\draw[->] (Guardian) to [out=70,in=150, loop] node[above]
{$\Commit(\age)$} (Guardian);
\draw[->] (Guardian) to node[below,sloped]
{($\commitment$, $\pruf_\age$)} (Client);
\draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below]
{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
\end{tikzpicture}
\end{center}
\caption{Sketch of the integration of the schemes for age restriction
and payment in GNU Taler.}
\end{figure}
\filbreak
The cut-and-choose protocol $\DeriveCompare$ is defined roughly as follows:
\begin{center}
\parbox{0.75\textwidth}{
\begin{enumerate}
\item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$
from $\commitment_0$ \\
by calling $\Derive()$ with blindings $(\beta_1,\dots,\beta_\kappa)$
\item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$
\item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$
\item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly
\item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$
\item $\Exchange$ compares $h_0$ and
$H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\
and evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$.
\end{enumerate}}
\end{center}
The proposed solution maintains the guarantees of GNU Taler with respect to
anonymity and unlinkability. Precise formulations of the functions, protocols,
requirements and security guarantees---together with proofs---can be found in
our paper
\href{https://taler.net/papers/esorics2022-age-restriction.pdf}
{\textit{Zero-Knowledge Age Restriction for GNU Taler}},
published in the
\href{https://link.springer.com/chapter/10.1007/978-3-031-17140-6\_6}
{proceedings to ESORICS 2022}.
\subsection{Future Works} \subsection{Future Works}
\TODO{}
\begin{description}
\item[Complete support for all GNU Taler protocols:] So far, age restriction is
only implemented for the GNU Taler protocols \textsf{withdraw},
\textsf{purchase}, \textsf{deposit} and \textsf{refresh}. We
will extend the support for age restriction in GNU Taler to
include the protocols for P2P payments, tipping and refund.
\item[Support for minors with bank accounts:] The current design
of age restriction is based on the assumption that only
adults can have bank accounts. That is: wire transfers to the
exchange are assumed to be originated by adults.
However, in some countries, like Germany, it is possible for
minors to have bank accounts, too, starting from a certain age.
In those cases, the wire transfer record will indicate that the
originating account is owned by a minor.
We plan to extend the current design and implementation of age
restriction to handle those situations as well: After the
exchange receives a wire transfer from a bank account of a
minor, it will require in a zero-knowledge-proof for a) the
presence of age restriction and b) the appropriate
\textit{maximum} age for the age commitment during the
\textsf{withdraw} protocol.
\item[Legal certification of our age restriction scheme:] We are in
correspondence with the
\href{https://www.kjm-online.de/en/}{German Commission for the
Protections of Minors in the Media (KJM)} which evaluates and
recommends concepts for protection of minors. GNU Taler has
been recognized as a potential candidate in the so-called
``cross-channel concepts for the protection of minors''.
We will prepare a white paper about GNU Taler's age restriction
as input for the commission's next meeting on December 7, 2022,
in Berlin. Our goal is to convince the commission of GNU
Taler's age restriction scheme as a legally acceptable form of
age verification and add it to its list of
\href{https://www.kjm-online.de/aufsicht/technischer-jugendmedienschutz/uebergreifende-konzepte}%
{positively evaluated concepts}.
\end{description}
\subsection{Links} \subsection{Links}
\TODO{}
Our scheme for age restriction in GNU Taler has been
\href{https://link.springer.com/chapter/10.1007/978-3-031-17140-6\_6}{published
in the proceedings to ESORICS 2022}.
In addition,
\href{https://docs.taler.net/design-documents/024-age-restriction.html}%
{document 24} at \url{https://docs.taler.net/design-documents} also lays out
the design. The implementation is distributed across multiple repositories:
{ \small
\begin{description}
\item[Exchange:] The following REST endpoint handlers and their
accompanying helper functions in
\url{https://git.taler.net/exchange.git/tree/src}:
\begin{itemize}
\item \href{https://git.taler.net/exchange.git/tree/src/exchange/taler-exchange-httpd_deposit.c}{\texttt{TEH\_handler\_deposit}}
\item \href{https://git.taler.net/exchange.git/tree/src/exchange/taler-exchange-httpd_melt.c}{\texttt{TEH\_handler\_melt}}
\item \href{https://git.taler.net/exchange.git/tree/src/exchange/taler-exchange-httpd_refreshes_reveal.c}{\texttt{TEH\_handler\_reveal}}
\item \href{https://git.taler.net/exchange.git/tree/src/exchange/taler-exchange-httpd_recoup.c}{\texttt{TEH\_handler\_recoup}}
\item \href{https://git.taler.net/exchange.git/tree/src/exchange/taler-exchange-httpd_recoup-refresh.c}{\texttt{TEH\_handler\_recoup\_refresh}}
\end{itemize}
Under \url{https://git.taler.net/exchange.git/tree/src/exchangedb}:\\
\href{https://git.taler.net/exchange.git/tree/src/exchangedb/common.sql}{common.sql},
\href{https://git.taler.net/exchange.git/tree/src/exchangedb/exchange-0001.sql}{exchange-0001.sql},
\href{https://git.taler.net/exchange.git/tree/src/exchangedb/plugin\_exchangedb\_postgres.c}{plugin\_exchangedb\_postgres.c}.
\item[Merchant:]
Under \url{https://git.taler.net/merchant.git/tree/src/},
\begin{itemize}
\item schema changes in
\href{https://git.taler.net/merchant.git/tree/src/backenddb/merchant-0001.sql}{backenddb/merchant-0001.sql} and\\
\href{https://git.taler.net/merchant.git/tree/src/backenddb/plugin_merchantdb_postgres.c}{backenddb/plugin\_merchantdb\_postgres.c}
\item functions \verb|process_pay_with_exchange| and \verb|parse_pay| in\\
\href{https://git.taler.net/merchant.git/tree/src/backend/taler-merchant-httpd_post-orders-ID-pay.c}{backend/taler-merchant-httpd\_post-orders-ID-pay.c}
\end{itemize}
\item[Wallet:]
Under \url{https://git.taler.net/wallet-core.git/tree/packages/taler-util}
\begin{itemize}
\item low-level cryptographic primitives in
\href{https://git.taler.net/wallet-core.git/tree/packages/taler-util/src/nacl-fast.ts}{\texttt{crypto\_edx25519}} and
\href{https://git.taler.net/wallet-core.git/tree/packages/taler-util/src/talerCrypto.ts#n851}{namespace \texttt{Edx25519}}
\item high-level cryptographic primitives in
\href{https://git.taler.net/wallet-core.git/tree/packages/taler-util/src/talerCrypto.ts#n966}{namespace \texttt{AgeRestrictions}}
\item API changes to wallet-core RPC API in
\href{https://git.taler.net/wallet-core.git/tree/packages/taler-util/src/walletTypes.ts}{\texttt{restrictAge}}
\end{itemize}
Under \url{https://git.taler.net/wallet-core.git/tree/packages/taler-wallet-core/}
\begin{itemize}
\item withdrawal and refresh primitives in \href{https://git.taler.net/wallet-core.git/tree/packages/taler-wallet-core/src/crypto/cryptoImplementation.ts}{\texttt{crypto/cryptoImplementation.ts}}
\item wallet database requests and HTTP requests in \\
\href{https://git.taler.net/wallet-core.git/tree/packages/taler-wallet-core/src/db.ts}{\texttt{db.ts}},
\href{https://git.taler.net/wallet-core.git/tree/packages/taler-wallet-core/src/operations/withdraw.ts}{\texttt{withdraw.ts}} and
\href{https://git.taler.net/wallet-core.git/tree/packages/taler-wallet-core/src/operations/refresh.ts}{\texttt{refresh.ts}}
\item coin/denomination selection in
\href{https://git.taler.net/wallet-core.git/tree/packages/taler-wallet-core/src/util/coinSelection.ts}{\texttt{util/coinSelection.ts}}
\end{itemize}
\item[Tests:] Under \url{https://git.taler.net/exchange.git/tree/src}:
\begin{itemize}
\item \href{https://git.taler.net/exchange.git/tree/src/util/test\_crypto.c}{util/test\_crypto.c}
\item \href{https://git.taler.net/exchange.git/tree/src/util/test\_age\_restriction.c}{util/test\_age\_restriction.c}
\item \href{https://git.taler.net/exchange.git/tree/src/util/tv\_age\_restriction.c}{util/tv\_age\_restriction.c}
\item \href{https://git.taler.net/exchange.git/tree/src/testing/test\_exchange\_api.c}{testing/test\_exchange\_api.c}
\end{itemize}
\end{description}
The definition of Edx25519, a variant of EdDSA that we designed for usage in
our age restriction scheme in GNU Taler, and its implementation is located at
\url{https://git.gnunet.org/gnunet.git/} in file
\href{https://git.gnunet.org/gnunet.git/tree/src/util/crypto\_edx25519.c}{util/crypto\_edx25519.c}.
}
\newpage \newpage
@ -264,7 +554,7 @@ locations under \url{https://git.taler.net/wallet-core.git/tree/packages/}
\newpage \newpage
\section{User Experience Studies} \section{Usability Study}
For the \textsc{NGI Pointer} programme, the AP³ project team performed a For the \textsc{NGI Pointer} programme, the AP³ project team performed a
usability study to gather feedback and inform further development of the usability study to gather feedback and inform further development of the