\documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer}
\usepackage{appendixnumberbeamer}
\usepackage{amsmath}
\usepackage{multimedia}
\usepackage{wrapfig}
\usepackage[utf8]{inputenc}
\usepackage{framed,color,ragged2e}
\usepackage[absolute,overlay]{textpos}
\usetheme[progressbar=frametitle]{metropolis}
%\setbeamertemplate{navigation symbols}{\insertframenumber/\inserttotalframenumber}
\setbeamersize{description width=1em}
\setbeamertemplate{section in toc}[sections]
\setbeamertemplate{footline}{}
\usepackage{xcolor}
\usepackage[normalem]{ulem}
\usepackage{listings}
\usepackage{adjustbox}
\usepackage{array}
\usepackage{bbding}
\usepackage{relsize}
\usepackage{graphicx}
\usepackage{tikz,eurosym,calc}
\usetikzlibrary{tikzmark}
\usetikzlibrary{shapes,arrows,arrows.meta}
\usetikzlibrary{positioning,patterns}
\usetikzlibrary{calc}
\usepackage{fontspec}
\IfFontExistsTF{IBM Plex Sans}{\setsansfont{IBM Plex Sans}}{}
\IfFontExistsTF{IBM Plex Serif}{\setmainfont{IBM Plex Serif}}{}
\definecolor{blue}{rgb}{0,0.4,1}
\newcommand{\orange}[1]{{\color{orange}#1}}
\newcommand{\TODO}[1]{\orange{TODO: #1}}
\makeatletter
\setbeamercolor{framesubtitle}{fg=mDarkTeal}
\defbeamertemplate*{frametitle}{myframetitle}{%
\nointerlineskip
\begin{beamercolorbox}[%
wd=\paperwidth,%
sep=0pt,%
leftskip=\metropolis@frametitle@padding,
rightskip=\metropolis@frametitle@padding,
]{frametitle}%
\metropolis@frametitlestrut@start
\quad\insertframetitle%%%%%%%%%%%%%%%%%%%%%%
\nolinebreak
\metropolis@frametitlestrut@end
\end{beamercolorbox}\par
\usebeamerfont{framesubtitle}%
\usebeamercolor[fg]{framesubtitle}%
\vskip3pt
\hspace*{-0.5\metropolis@frametitle@padding}%
\insertframesubtitle
}
\makeatother
\setbeamertemplate{frametitle}[myframetitle]
\newcommand{\Section}[2]{\section[#1\newline\scriptsize{#2}]{#1}}
\input{definitions}
\title{Are you old enough to buy this?}
\subtitle{Zero-Knowledge Age Restriction for GNU Taler}
\author{Özgür Kesim}
\institute{Code Blau GmbH, FU Berlin, TU Dresden}
\date{31 May 2024}
\titlegraphic{\centering\vspace*{-0.5cm}\includegraphics[width=0.4\textwidth]{images/surveilance-logo.png}}
\begin{document}
%\justifying
\begin{frame}
\titlepage
\end{frame}
\section*{Prolog}%{Who am I, what do I want and who pays for all this?}
\begin{frame}{Who am I}
Özgür Kesim,
\begin{itemize}
\item security consultant for 20+ years,
\item PhD candidate at FU Berlin,
\item member of GNU Taler dev-team.
\end{itemize}
\note{fnord}
\vfill
\url{oec-taler@kesim.org} \hfill \url{@oec@mathstodon.xyz} \hfill
\end{frame}
\begin{frame}{What to expect}
\small
\begin{description}
\item<1->[Deliverable]~\\
Present a solution to age restriction and its integration in GNU Taler.
\vfill
\item<2->[Side-Channel]~\\
Show concepts from cryptography by example:
Zero-Knowledge protocol, Security Game and Security Proof.
This will be technical.
\vfill
\item<3->[Non-goals]~\\
\begin{itemize}
\item[] \underline{Rigorous} introduction into GNU Taler
\item[] Demos
\end{itemize}
\end{description}
\end{frame}
\begin{frame}{Sponsors}
\centering\begin{columns}[T]
\column{0.5\textwidth}
\centering NGI Pointer program of the European Commission\\[2em]
\centering\includegraphics[width=0.7\textwidth]{images/ngi-ap3.png}
\column{0.5\textwidth}
\centering Project \textit{Concrete Contracts} in the
\textit{KMU-innovativ} programme\\[2em]
\centering\includegraphics[width=0.9\textwidth]{images/bmbf-english.jpg}
\end{columns}
\end{frame}
\begin{frame}{Chapters}
\tableofcontents[pausesections,hideallsubsections]
\end{frame}
\section[Introduction\newline\scriptsize Age Restriction in E-commerce]{Introduction}
\begin{frame}{Youth protection}
Broad consensus in society about the necessity to protect minors from
harmful content.
\vfill
Also wanted from policy makers:\\[1em]
\begin{quote}
11. Member states should encourage the \textbf{use of
conditional access tools} by content and service providers in
relation to content harmful to minors, \textbf{such as
age-verification systems}, ...
\end{quote}
\tiny
From the
\href{https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680645b44}
{\textit{Recommendation Rec (2001) 8 of the Committee of
Ministers to member states on self-regulation concerning cyber
content}} of the Council of Europe.
\end{frame}
\begin{frame}{Age restriction in E-commerce}
\begin{description}[<+->]
\item[Problem:]~\\[1em]
Verification of minimum age requirements in e-commerce.\\[2em]
\item[Common solutions:]
\begin{tabular}{l<{\onslide<3->}c<{\onslide<4->}cr<{\onslide}}
& \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount]
1. ID Verification & bad & required & \\[\medskipamount]
2. Restricted Accounts & bad & required & \\[\medskipamount]
3. Attribute-based & good & required &\tikzmark{bottomau} \\[\medskipamount]
\end{tabular}
\end{description}
\uncover<5->{
\begin{tikzpicture}[overlay,remember picture]
\draw[orange,thick,rounded corners]
($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$);
\end{tikzpicture}
\begin{center}
\bf Principle of subsidiarity is ignored
\end{center}
}
\end{frame}
\begin{frame}{Principle of Subsidiarity}
\begin{center}\large
Functions of government\\
---such as granting and restricting rights---\\
should be performed\\
{\it at the lowest level of authority possible},\\
as long as they can be performed {\it adequately}.
\end{center}
\vfill
\uncover<2->{
For age-restriction, the lowest level of authority is:\\
\begin{center}\Large
Parents, guardians and caretakers
\end{center}
}
\end{frame}
\begin{frame}{Our goal}
A design and implementation of an age restriction scheme\\
with the following properties:
\pause
\begin{enumerate}[<+->]
\item It ties age restriction to the \textbf{ability to pay} (not to IDs),
\item maintains the \textbf{anonymity of buyers},
\item maintains \textbf{unlinkability of transactions},
\item aligns with the \textbf{principle of subsidiarity},
\item is \textbf{practical and efficient}.
\end{enumerate}
\end{frame}
\begin{frame}{Teaser}
\centering \includegraphics[height=0.9\textheight]{images/wallet-age.png}
\end{frame}
\Section{The quest for a solution to age restriction}{A journey through cryptic territory}
\begin{frame}{Basic assumption and ideas}
\small
Assumption: Bank accounts are under control of adults/guardians.
\vfill
Sketch of scheme, independent of payment service protocol:
\begin{columns}
\column{7cm}
\begin{enumerate}
\item<2-> \textit{Guardians} \textbf{commit} to a maximum age
\item<4-> \tikzmark{sstart}\textit{Minors} \textbf{attest} their adequate age
\item<6-> \textit{Merchants} \textbf{verify} the attestations
\item<7-> \textit{Minors} \textbf{derive} age commitments from existing ones
\item<9-> \textit{Exchanges} \textbf{compare} the derived age commitments
\item<10-> \tikzmark{send}{\large \texttt{GOTO}} 2.
\begin{tikzpicture}[overlay, remember picture]
\draw[line width=1pt,->]
([shift=({-6mm, 1mm})]pic cs:send) to
([shift=({-1cm, 1mm})]pic cs:send) to
([shift=({-1cm, 1mm})]pic cs:sstart) to
([shift=({-6mm, 1mm})]pic cs:sstart);
\end{tikzpicture}
\end{enumerate}
\column{4.5cm}
\begin{center}
\fontsize{7pt}{7pt}\selectfont
\begin{tikzpicture}[scale=.5]
\uncover<2->{
\node[circle,minimum size=15pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$};
\draw[->] (Guardian) to [out=50,in=130, loop] node[above]
{$\Commit$} (Guardian);
}
\uncover<3->{
\node[circle,minimum size=15pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
\draw[,|->] (Guardian) to node[above,sloped,align=left]
{{\scriptsize }} (Client);
}
\uncover<4->{
\draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left]
{\blue{$\Attest$}} (Client);
}
\uncover<5->{
\node[circle,minimum size=15pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$};
\draw[blue,|->] (Client) to node[sloped, above]
{\blue{\scriptsize }} (Merchant);
}
\uncover<6->{
\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
{\blue{$\Verify$}} (Merchant);
}
\uncover<7->{
\draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below]
{\orange{$\Derive$}} (Client);
}
\uncover<8->{
\node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
\draw[orange,|->] (Client) to node[sloped,above,align=left]
{\orange{\scriptsize }} (Exchange);
}
\uncover<9->{
\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
{\orange{$\Compare$}} (Exchange);
}
\end{tikzpicture}
\end{center}
\end{columns}
\end{frame}
\begin{frame}{Specification of the Function Signatures}
\small
Searching for functions \uncover<2->{with the following signatures}
\begin{align*}
&\bf \Commit\uncover<2->{:
&(\age, \omega) &\mapsto (\commitment, \pruf)
&\scriptstyle \N_\Age \times \Omega &\scriptstyle \to \Commitments\times\Proofs,
}
\\
%FIXME: This is how Attest was defined in the orignal paper (_with_) commitment!
%&\bf \Attest\uncover<3->{:
% &(\minage, \commitment, \pruf) &\mapsto \attest
% &\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\},
% }
%\\
&\bf \Attest\uncover<3->{:
&(\minage, \pruf) &\mapsto \attest
&\scriptstyle \N_\Age\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\},
}
\\
&\bf \Verify\uncover<4->{:
&(\minage, \commitment, \attest) &\mapsto b
&\scriptstyle \N_\Age\times\Commitments\times\Attests &\scriptstyle \to \Z_2,
}
\\
&\bf \Derive\uncover<5->{:
&(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf', \blinding)
&\scriptstyle \Commitments\times\Proofs\times\Omega &\scriptstyle \to \Commitments\times\Proofs\times\Blindings,
}
\\
&\bf \Compare\uncover<6->{:
&(\commitment, \commitment', \blinding) &\mapsto b
&\scriptstyle \Commitments\times\Commitments\times\Blindings &\scriptstyle \to \Z_2,
}
\end{align*}
\uncover<7->{
with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$
sufficiently large sets.\\[1em]
}
%\uncover<8->{
% The blindings $\beta$ ensure that only the Exchange can compare commitments.\\[1em]
%}
\uncover<8->{
We will define basic and security requirements later.\\[1em]
}
\scriptsize
\uncover<2->{
Mnemonics:\\
$\Commitments=$ \textit{c$\Commitments$mmitments},
$\commitment=$ \textit{Q-mitment} (commitment),
$\Proofs=$ \textit{$\Proofs$roofs},
}
\uncover<3->{
$\pruf=$ \textit{$\pruf$roof},\\
$\Attests=$ \textit{a$\Attests$testations},
$\attest=$ \textit{a$\attest$testation},
}
\uncover<5->{
$\Blindings=$ \textit{$\Blindings$lindings},
$\blinding=$ \textit{$\blinding$linding}.
}
\end{frame}
\begin{frame}{Naïve scheme}
\begin{center}
\begin{tikzpicture}[scale=.8]
\node[circle,minimum size=20pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$};
\node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
\node[circle,minimum size=20pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$};
\draw[->] (Guardian) to [out=50,in=130, loop] node[above]
{$\Commit$} (Guardian);
\draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left]
{\blue{$\Attest$}} (Client);
\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
{\blue{$\Verify$}} (Merchant);
\draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below]
{\orange{$\Derive$}} (Client);
\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
{\orange{$\Compare$}} (Exchange);
\draw[,|->] (Guardian) to node[above,sloped,align=left]
{\scriptsize ($\commitment$, $\pruf_\age$)} (Client);
\draw[blue,|->] (Client) to node[sloped, above]
{\blue{\scriptsize($\minage$, $\commitment$, $\attest$) }} (Merchant);
\draw[orange,|->] (Client) to node[sloped,above,align=left]
{\orange{\scriptsize($\commitment$, $\commitment'$, $\beta$) }} (Exchange);
\end{tikzpicture}
\end{center}
% \pause{Why should $\Merchant$ trust those $\commitment$? Will solve later.
% \tiny (Hint: blind signature from $\Exchange$)}
\end{frame}
\begin{frame}{Problem of unlinkability}
\begin{columns}
\column{3cm}
\begin{center}
\fontsize{8pt}{9pt}\selectfont
\begin{tikzpicture}[scale=.65]
\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
\node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
\draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below]
{\orange{$\footnotesize \Derive()$}} (Client);
\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
{\orange{$\footnotesize \Compare()$}} (Exchange);
\draw[orange,|->] (Client) to node[sloped,above,align=left]
{\orange{\tiny \uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange);
\end{tikzpicture}
\end{center}
\column{9cm}
Simple use of $\Derive()$ and $\Compare()$ is problematic.
\pause
\begin{itemize}[<+->]
\item Calling $\Derive()$ iteratively generates sequence
$(\commitment_0, \commitment_1, \dots)$ of commitments.
\item Exchange calls $\Compare(\commitment_i, \commitment_{i+1},~.~)$
\item[$\implies$]Exchange identifies sequence
\item[$\implies$]{\bf Unlinkability broken}
\end{itemize}
\end{columns}
\end{frame}
\begin{frame}{Achieving Unlinkability}
Given $\Derive()$ and $\Compare()$, define the Zero-Knowledge-protocol
\orange{$\DeriveCompare$} as follows (sketch):
\uncover<2->{
\small
Let $\kappa \in \N$ (say: $\kappa = 3$)
\begin{itemize}[<+->]
\item[$\Child$:]
\begin{enumerate}
\item generates $(\commitment_1,\dots,\commitment_\kappa)$
and $(\beta_1,\dots,\beta_\kappa)$ from $\commitment_0$\\
by calling $\kappa$ times $\Derive(\commitment_0, \pruf_0, \omega_i)$
\item calculates $h_0:=H\left(H(\commitment_1, \beta_1)\parallel \dots\parallel H(\commitment_\kappa, \beta_\kappa)\right)$
\item sends $\commitment_0$ and $h_0$ to $\Exchange$
\end{enumerate}
\item[$\Exchange$:]
\begin{enumerate}
\item[4.] saves $\commitment_0$ and $h_0$ and \textit{only then} sends $\Child$ a fresh random $\gamma \in \{1,\dots,\kappa\}$ (the challenge must not be predictable before $h_0$ is fixed, otherwise $\Child$ can prepare a cheating set)
\end{enumerate}
\item[$\Child$:]
\begin{enumerate}
\item[5.] reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$
\end{enumerate}
\item[$\Exchange$:]
\begin{enumerate}
\item[6.] compares $h_0$ and
$H\left(H(\commitment_1, \beta_1)\parallel ...\parallel h_\gamma\parallel ...\parallel H(\commitment_\kappa, \beta_\kappa)\right)$
\item[7.] evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$ for all $i \neq \gamma$.
\end{enumerate}
\end{itemize}
\pause
If all steps succeed, $\commitment_\gamma$ is the new commitment.
}
\end{frame}
\begin{frame}{Achieving Unlinkability}%{Certainty trade-off}
With \orange{$\DeriveCompare$}
\begin{itemize}
\item $\Exchange$ learns nothing about $\commitment_\gamma$ or $H(\commitment_\gamma)$: it only sees $h_\gamma = H(\commitment_\gamma, \beta_\gamma)$, which reveals nothing about $\commitment_\gamma$ as long as $\beta_\gamma$ stays secret (it acts as a high-entropy blinding value inside the hash),
\item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty,
\item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat per run; a detected cheat means the run fails and no new commitment is accepted.
\item<2->[$\implies$] \textbf{Gives us unlinkability at the price of (adjustable) uncertainty!}
\end{itemize}
\vfill
\uncover<3->{Notes:
\begin{itemize}
\item similar to the cut\&choose {\it refresh} protocol in GNU Taler
\item still need to define $\Derive()$ and $\Compare()$.
\end{itemize}
}
\end{frame}
\begin{frame}{Refined scheme}
\begin{center}
\begin{tikzpicture}[scale=.8]
\node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$};
\node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
\node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$};
\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
\uncover<2-3,8->{
\draw[->] (Guardian) to [out=150,in=70, loop] node[above]
{$\Commit(\age)$} (Guardian);
}
\uncover<3,8->{
\draw[->] (Guardian) to node[below,sloped]
{($\commitment$, $\pruf_\age$)} (Client);
}
\uncover<4-6,8->{
\draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below]
% FIXME: This is in the original paper:
% {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
{\blue{$\Attest(\minage, \pruf_{\age})$}} (Client);
}
\uncover<5-6,8->{
\draw[blue,->] (Client) to node[sloped, below]
{\blue{$(\attest_\minage, \commitment)$}} (Merchant);
}
\uncover<6,8->{
\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
}
\uncover<7,8->{
\draw[orange,<->] (Client) to
node[sloped,below,align=center] {\orange{$\commitment \mapsto \commitment_\gamma$}}
node[sloped,above,align=center] {\orange{$\DeriveCompare$}} (Exchange);
}
\end{tikzpicture}
\end{center}
\end{frame}
\begin{frame}{Sensible solutions}
Quest for functions should lead to \textit{sensible} solutions.
\pause
For example, $\Verify()$ should not simply always return \texttt{true}.
\pause
We need more requirements.
\end{frame}
% \begin{frame}{Achieving Unlinkability}
% \scriptsize
% $\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\
% \vfill
% $\DeriveCompare(\commitment, \pruf, \omega) =$
% \begin{itemize}
% \it
% \itemsep0.5em
% \item[$\Child$:]
% \begin{enumerate}
% \scriptsize
% \itemsep0.3em
% \item for all $i \in \{1,\dots,\kappa\}:
% (\commitment_i,\pruf_i,\beta_i) \leftarrow \Derive(\commitment, \pruf, \omega + i)$
% \item $h \leftarrow \Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa) \big)$
% \item send $(\commitment, h)$ to $\Exchange$
% \end{enumerate}
% \item[$\Exchange$:]
% \begin{enumerate}
% \setcounter{enumi}{4}
% \scriptsize
% \itemsep0.3em
% \item save $(\commitment, h)$ \label{st:hash}
% \item $\gamma \drawfrom \{1,\dots ,\kappa\}$
% \item send $\gamma$ to $\Child$
% \end{enumerate}
% \item[$\Child$:]
% \begin{enumerate}
% \setcounter{enumi}{7}
%
% \scriptsize
% \itemsep0.3em
% \item $h'_\gamma \leftarrow \Hash(\commitment_\gamma, \beta_\gamma)$
% \item $\mathbf{E}_\gamma \leftarrow \big[(\commitment_1,\beta_1),\dots,
% (\commitment_{\gamma-1}, \beta_{\gamma-1}),
% \Nil,
% (\commitment_{\gamma+1}, \beta_{\gamma+1}),
% \dots,(\commitment_\kappa, \beta_\kappa)\big]$
% \item send $(\mathbf{E}_\gamma, h'_\gamma)$ to $\Exchange$
% \end{enumerate}
% \item[$\Exchange$:]
% \begin{enumerate}
% \setcounter{enumi}{10}
% \scriptsize
% \itemsep0.3em
% \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow \Hash(\mathbf{E}_\gamma[i])$
% \item if $h \stackrel{?}{\neq} \HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$ return 0
% \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}$:
% if $0 \stackrel{?}{=} \Compare(\commitment,\commitment_i, \beta_i)$ return $0$
% \item return 1
% \end{enumerate}
% \end{itemize}
% \end{frame}
\section*{Requirements}
\begin{frame}{Basic Requirements}
\label{fr:basicRequirements}
Candidate functions
\[ (\Commit, \Attest, \Verify, \Derive, \Compare) \]
must meet \textit{basic requirements}:
\begin{itemize}
\item Existence of attestations
\item Efficacy of attestations
\item Derivability of commitments and attestations
\end{itemize}
\pause
More details in the published paper and \hyperlink{fr:detailedBasicRequirements}{Appendix}.
\end{frame}
\begin{frame}{Security Requirements}
Candidate functions must also meet \textit{security requirements},
defined via security games:
\vfill
{
\small
\pause
\hspace*{-1em}\begin{tabular}{rp{9cm}}
\bf Requirement:& Unforgeability of minimum age\pause\\
\bf $\leftrightarrow$\hfill Game:& Forging an attestation\pause\\[0.5em]
\bf Requirement: & Non-disclosure of age \pause\\
\bf$\leftrightarrow$\hfill Game: & Age disclosure by commitment or attestation \pause\\[0.5em]
\bf Requirement:& Unlinkability of commitments and attestations\pause\\
\bf $\leftrightarrow$\hfill Game:& Distinguishing derived commitments and attestations
\end{tabular}
}
\vfill
\pause
Meeting the security requirements means that adversaries can win
those games only with negligible advantage.
\vfill
\pause
Adversaries are arbitrary polynomial-time algorithms, acting on all
relevant input.
\end{frame}
\begin{frame}{Security Requirements}{Simplified Example}
\begin{description}[<+->]
\item[Game $\Game{FA}$: Forging an attest]~\\
{\small
\begin{enumerate}
\item $ (\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $
\item $ (\commitment, \pruf) \leftarrow \Commit(\age, \omega) $
\item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$
\item Return 0 if $\minage \leq \age$
\item Return $\Verify(\minage,\commitment,\attest)$
\item[]~\\[0.5em] Adversary $\Adv$ wins the game, if $\Game{FA}$ returns 1.
\end{enumerate}
}
\vfill
\item[Requirement: Unforgeability of minimum age]
{\small
\begin{equation*}
\Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}:
\Probability\Big[\Game{FA} = 1\Big] \le \negl
\end{equation*}
}
\end{description}
% \pause
% Note: This example does not take $\Derive()$ into account.
\end{frame}
\begin{frame}{Our task}
\large
Finding functions
\[ (\Commit, \Attest, \Verify, \Derive, \Compare) \]
that meet the basic and security requirements.
\end{frame}
\section*{A solution}
\begin{frame}{Instantiation with ECDSA}
We propose a solution based on ECDSA.
Think: One key-pair per age group.
\end{frame}
\begin{frame}{Definition of Commit with ECDSA}%{Definition of Commit}
\begin{description}
\item[To \blue{Commit} to age group $\age \in \{1,\dots,\Age\}$]~\\
\begin{enumerate}[<+->]
\item Guardian generates ECDSA-keypairs, one per age group:
\[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\]
\item Guardian then \textbf{drops} all private keys
$p_i$ for $i > \age$ (irrecoverably discarded, never handed to the child --- unforgeability rests on this):
\[\Big \langle(q_1, p_1),\dots,
(q_\age, p_\age),
(q_{\age +1}, \red{\Nil}),\dots,
(q_\Age, \red{\Nil})\Big\rangle\]
\item[] then set \begin{itemize}
\setlength{\itemindent}{5em}
\item[\bf Commitment:] $\Vcommitment := (q_1,~\dots~\dots~\dots~,q_\Age)$
\item[\bf Proof:] $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$
\end{itemize}
\vfill
\item Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$
\vfill
\end{enumerate}
\end{description}
\end{frame}
\begin{frame}{Attest and Verify with ECDSA}
Child has
\begin{itemize}
\item ordered public-keys $\Vcommitment = (q_1, \dots~\dots~\dots, q_\Age) $,
\item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
\end{itemize}
\begin{description}
\item<2->[To \blue{Attest} a minimum age (group) $\blue{\minage} \leq \age$:]~\\
Sign a message with ECDSA using private key
$p_\blue{\minage}$ (in the formal definition the signed message is the
value $\minage$ itself). The signature $\sigma_\blue{\minage}$ is the
attestation. Note that $\Vpruf$ holds $p_\minage$ only for $\minage \leq \age$;
for a larger $\minage$ there is no key to sign with.
\end{description}
\vfill
\uncover<3->{
Merchant gets
\begin{itemize}
\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $
\item Signature $\sigma_\blue{\minage}$
\end{itemize}
\begin{description}
\item<4->[To \blue{Verify} a minimum age (group) \blue{$\minage$}:]~\\
Verify the ECDSA-Signature $\sigma_\blue{\minage}$ with public key $q_\blue{\minage}$, after checking that $\minage \in \{1,\dots,\Age\}$ and that $q_\blue{\minage}$ is a valid curve point other than the neutral element (standard public-key validation).
\end{description}
}
\vfill
\end{frame}
\begin{frame}{Derive and Compare with ECDSA}
Child has
$\Vcommitment = (q_1, \dots, q_\Age) $ and
$\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
\begin{description}
\item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:]
Choose uniformly random $\beta\in\Z_g^{*}$, i.e. $\beta \neq 0$ (with $\beta = 0$ every $q'_i$ would collapse to the neutral element and every $p'_i$ to $0$, so the derived commitment would no longer separate age groups), and calculate
\small
\begin{align*}
\Vcommitment' &= \big(q'_1,~\ldots~\ldots~\ldots~,q'_\Age\big) &&:= \big(\beta * q_1,\ldots~\ldots,\beta * q_\Age\big) ,\\
\Vpruf' &= \big(p'_1,\ldots,p'_\age, \Nil, \ldots, \Nil\big) &&:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big)
\end{align*}
\uncover<3->{
\small
Note:
\begin{itemize}
\item $\beta*q_i$ is scalar multiplication on the elliptic curve.
\item $p'_i*G$ = $(\beta p_i)*G = \beta*(p_i*G) = \beta*q_i = q'_i$
\item[$\implies$] {\bf $p'_i$ actually \textit{is} private key to $q'_i$}
\end{itemize}
}
\end{description}
\vfill
\uncover<4->{
Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$
\begin{description}
\item[To \blue{Compare}, check $\beta \in \Z_g^{*}$ (reject $\beta = 0$) and calculate:]
\small
$(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)$
\end{description}
\vfill
}
\end{frame}
\begin{frame}{Instantiation with ECDSA}
Functions
(Commit, Attest, Verify, Derive, Compare)\\
as defined in the instantiation with ECDSA\\[0.5em]
\begin{itemize}
\item meet the basic requirements,\\[0.5em]
\item also meet all security requirements.\\
\end{itemize}
Security proofs by reduction, details are in the paper.
\end{frame}
\begin{frame}{Example: Proof of Unforgeability}
\begin{columns}
\column{0.4\textwidth}
\begin{minipage}{\textwidth}
\tiny
\begin{description}
\item[Game $\Game{FA}$: Forging an attest]~\\
1. $(\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $\\
2. $(\commitment, \pruf) \leftarrow \Commit(\age, \omega) $\\
3. $(\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$\\
4. Return 0 if $\minage \leq \age$\\
5. Return $\Verify(\minage,\commitment,\attest)$\\
\vfill
\item[Requirement:]~\\
$\Forall_{\Adv}: \Probability\Big[\Game{FA} = 1\Big] \le \negl$
\end{description}
\end{minipage}
\column{0.7\textwidth}
Proof by reduction:
\pause
\small
\begin{enumerate}[<+->]
\item Adversary wins if $1 = \Verify(\minage,\commitment,\attest)$.
\item That means: $\sigma$ was a valid ECDSA-signature, validated with $q_\minage$.
\item But adversary does not have the private key $p_\minage$ to $q_\minage$: since $\minage > \age$, position $\minage$ of $\pruf$ holds $\Nil$ and the guardian discarded $p_\minage$; the keys $p_1,\dots,p_\age$ it does hold are independent of it.
\item[$\implies$] So winning this game would require an existential forgery of an ECDSA signature under a key the adversary never saw,
which by assumption on ECDSA succeeds only with negligible probability.
\end{enumerate}
\end{columns}
\end{frame}
\begin{frame}{Instantiation with Edx25519}
But... isn't ECDSA considered to be difficult to implement correctly?
\pause
We also formally define another signature scheme, Edx25519:\\[1em]
\begin{itemize}
\item based on EdDSA (Bernstein et al.),
\item generates compatible signatures,
\item allows for key derivation from both private and public keys independently, and
\item is already in use in GNUnet.
\end{itemize}~\\[1em]
Current implementation of age restriction in GNU Taler uses Edx25519.
\end{frame}
% \begin{frame}{Instantiation with ECDSA}
% \framesubtitle{Full definitions}
% \scriptsize
%
% \begin{align*}
% \Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle
% \overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\;
% \overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf \text{, length }\Age}
% \Big\rangle\\
% \Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:=
% \begin{cases}
% \attest_\bage := \Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage] \stackrel{?}{\neq} \Nil\\
% \Nil & \text{otherwise}
% \end{cases}\\
% %
% \Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:= \Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\
% %
% \Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:=
% \Big\langle(\beta * q_1,\ldots,\beta * q_\Age),
% (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta \Big\rangle \\
% & \text{ with } \beta := \FDHg{\omega} \text{ and multiplication } \beta p_i \text{ modulo } g \nonumber\\
% %
% \Compare_E(\Vcommitment, \Vcommitment', \beta) &:=
% \begin{cases}
% 1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\
% 0 & \text{otherwise}
% \end{cases}
% \end{align*}
% \end{frame}
\section{Integration with GNU Taler}
\begin{frame}{GNU Taler}{https://www.taler.net}
\label{fr:GnuTaler}
\begin{columns}
\column{4cm}
\fontsize{8pt}{9pt}\selectfont
\begin{tikzpicture}[scale=.55]
\node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$};
\node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$};
\node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$};
\draw[<->] (Customer) to [out=65,in=220] node[sloped,above] {\sf withdraw} (Exchange);
\draw[<->] (Customer) to [out=45,in=240] node[sloped,below] {\sf refresh} (Exchange);
\draw[<->] (Customer) to node[sloped, below] {\sf purchase} (Merchant);
\draw[<->] (Merchant) to node[sloped, above] {\sf deposit} (Exchange);
\end{tikzpicture}
\column{8cm}
\begin{itemize}
\item Protocol suite for online payment services
\item Based on Chaum's \hyperlink{fr:reminderBlindSignature}{blind signatures}
\item Taxable, efficient, free software
\item Allows for change and refund
\item Privacy preserving: anonymous and unlinkable payments
\end{itemize}
\end{columns}
\vfill
\uncover<2->{
\begin{itemize}
\item Coins are public-/private key-pairs $(C_p, c_s)$.
\item Exchange \hyperlink{fr:reminderBlindSignature}{blindly signs} $H(C_p)$ with denomination key $d_p$
\item Verification:
\begin{eqnarray*}
1 &\stackrel{?}{=}&
\mathsf{SigCheck}\big(H(C_p), D_p, \sigma_p\big)
\end{eqnarray*}
\scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature)
\end{itemize}
}
\end{frame}
\begin{frame}{Integration with GNU Taler}{Binding age restriction to coins}
\label{fr:bindingToCoins}
To bind an age commitment $\commitment$ to a coin $C_p$, instead of
blindly signing \[ H(C_p), \]
$\Exchange$ now \hyperlink{fr:reminderBlindSignature}{blindly signs}
\[ H\left(C_p\parallel\orange{H(\commitment)}\right) \]
\vfill
Therefore, verification of a coin now requires $H(\commitment)$, too; the merchant must check the attestation against exactly the $\commitment$ whose hash is covered by the exchange's signature, otherwise a buyer could present an unrelated commitment with a higher age:
\[
1 \stackrel{?}{=}
\mathsf{SigCheck}\big(H\left(C_p\parallel\orange{H(\commitment)}\right), D_p, \sigma_p\big)
\]
\vfill
\end{frame}
\begin{frame}{Integration with GNU Taler}
\framesubtitle{Integrated schemes}
\fontsize{8pt}{9pt}\selectfont
\begin{tikzpicture}[scale=.9]
\node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
\node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$};
\node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$};
\draw[<->] (Guardian) to node[sloped,above,align=center]
{{\sf withdraw}\orange{, using}\\ $H(C_p\orange{\parallel H(\commitment)})$} (Exchange);
\draw[<->] (Client) to node[sloped,below,align=center]
{{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange);
\draw[<->] (Client) to node[sloped, below]
{{\sf purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant);
\draw[<->] (Merchant) to node[sloped, above]
{{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange);
\draw[->] (Guardian) to [out=70,in=150, loop] node[above]
{$\Commit(\age)$} (Guardian);
\draw[->] (Guardian) to node[below,sloped]
{($\commitment$, $\pruf_\age$)} (Client);
\draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below]
{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
\end{tikzpicture}
\end{frame}
\begin{frame}{Age restriction in the wallet}
\centering \includegraphics[height=0.9\textheight]{images/wallet-age.png}
\end{frame}
\include{gnu}
\begin{frame}{Interested in GNU Taler?}
We are looking for developers, testers, users!
\begin{description}
\item[Intro:] \url{https://taler.net}
\item[Learn:] \url{https://docs.taler.net}
\item[Develop:] \url{https://git.taler.net}, \url{https://bugs.taler.net}
\end{description}
\end{frame}
\section{Discussion \& Conclusion}
\begin{frame}{Discussion}
\begin{itemize}[<+->]
\item Our solution can in principle be used with any token-based payment scheme
\item[] However, GNU Taler is the one best aligned with our design goals
(security, privacy and efficiency).
\item Subsidiarity requires that bank accounts are owned by adults.
\item[] However, the scheme can be adapted to cases where
\begin{itemize}
\item minors have bank accounts, or
\item peer-to-peer payments are used.
\item[] Hint: Know-Your-Customer (KYC) checks and an adapted
withdraw protocol.
\end{itemize}
\item Our scheme offers an alternative to identity management systems (IMS)
\end{itemize}
\end{frame}
% \begin{frame}{Related Work}
% \begin{itemize}
% \item Current privacy-perserving systems all based on
% attribute-based credentials (Koning et al.,
% Schanzenbach et al., Camenisch et al., Au et al.)
%
% \item Attribute-based approach lacks support:
% \begin{itemize}
% \item Complex for consumers and retailers
% \item Requires trusted third authority
% \end{itemize}
% \vfill
% \item Other approaches tie age-restriction to ability to pay ("debit cards for kids")
% \begin{itemize}
% \item Advantage: mandatory to payment process
% \item Not privacy friendly
% \end{itemize}
% \end{itemize}
% \end{frame}
\begin{frame}{Conclusion}
Age restriction is a technical, ethical and legal challenge.
\pause
Existing solutions are
\begin{itemize}
\item without strong protection of privacy or
\item based on identity management systems (IMS)
\end{itemize}
\vfill
\pause
Our scheme offers a solution that
\begin{itemize}
\item aligns with subsidiarity
\item preserves privacy
\item is efficient
\item and is an alternative to IMS
\end{itemize}
\end{frame}
\begin{frame}{}
\large
\begin{center}
{\Huge \textbf{Thank you!}}\\
Questions?
\end{center}
\begin{center}
\texttt{oec-taler@kesim.org}\\
\texttt{@oec@mathstodon.xyz}
\vfill
{Interested in GNU Taler?}
\begin{description}
\item[Intro:] \url{https://taler.net}
\item[Learn:] \url{https://docs.taler.net}
\item[Develop:] \url{https://git.taler.net}, \url{https://bugs.taler.net}
\end{description}
\end{center}
\end{frame}
\appendix
\begin{frame}{Taler Overview}
\hspace*{-3em}\includegraphics[width=\paperwidth]{images/taler-overview-blue.png}
\end{frame}
\begin{frame}{Basic Requirements - Details}
\label{fr:detailedBasicRequirements}
{\scriptsize \itshape back to \hyperlink{fr:basicRequirements}{Basic Requirements}}
\begin{description}[<+->]
\item[Existence of attestations]
{\scriptsize
\begin{align*}
\Forall_{\age\in\N_\Age \atop \omega \in \Omega}:
\Commit(\age, \omega) =: (\commitment, \pruf)
\implies
\Attest(\minage, \commitment, \pruf) =
\begin{cases}
\attest \in \Attests, \text{ if } \minage \leq \age\\
\Nil \text{ otherwise}
\end{cases}
\end{align*}}
\item[Efficacy of attestations]
{\scriptsize
\begin{align*}
\Verify(\minage, \commitment, \attest) = \
\begin{cases}
1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\
0 \text{ otherwise}
\end{cases}
\end{align*}}
{\scriptsize
\begin{align*}
\forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1.
\end{align*}}
\dots
\item[Derivability of commitments and attestations]\dots
\end{description}
\pause
More details can be found in the published paper.
\end{frame}
\begin{frame}{Reminder: RSA blind signature}
\label{fr:reminderBlindSignature}
\small
In RSA, a public key $(e, N)$ and private key $(d, N)$ have the property
\[ x^{ed} = x \mod N \]
\pause
Bob (B) creates a blind signature of a message $m$ for Alice (A):
\begin{itemize}[<+->]
\item[A:]
\begin{itemize}
\item chooses a random integer $b$ that is invertible modulo $N$ (so that $b^{-1}$ exists for unblinding)
\item calculates $m' := m*b^e$ {\hfill \scriptsize \textit{(blinding)}}
\item sends $m'$ to B.
\end{itemize}
\item[B:]
\begin{itemize}
\item signs $m'$, by calculating
$\sigma' := (m')^d \mod N$ {\hfill \scriptsize \textit{(B doesn't learn $m$)}}
\item sends $\sigma'$ to A.
\item[] \scriptsize Note: $(m')^d = (m*b^e)^d = m^d*b^{ed} = m^d*b \mod N$
\end{itemize}
\item[A:]\begin{itemize}
\item unblinds $\sigma'$ by calculating
\[ \sigma := \sigma'*b^{-1} (= m^d) \]
\item[$\implies$]$\sigma$ is a valid RSA signature on message $m$.
\end{itemize}
\end{itemize}
\hfill \tiny back to \hyperlink{fr:GnuTaler}{\textit{taler}} or \hyperlink{fr:bindingToCoins}{\textit{binding}}
\end{frame}
%\begin{frame}{Requirements}
% \framesubtitle{Details}
%
% \begin{description}
% \item[Derivability of commitments and proofs:]~\\[0.1em]
% {\scriptsize
% Let \begin{align*}
% \age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\
% (\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\
% (\commitment_1, \pruf_1, \blinding) & \leftarrow \Derive(\commitment_0, \pruf_0, \omega_1).
% \end{align*}
% We require
% \begin{align*}
% \Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity}
% \end{align*}
% and for all $n\leq\age$:
% \begin{align*}
% \Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &%
% =
% \Verify(n, \commitment_0, \Attest(n, \commitment_0, \pruf_0))
% \end{align*}}
% \end{description}
%\end{frame}
\end{document}