diff --git a/esorics2022/esorics2022.tex b/esorics2022/esorics2022.tex
new file mode 100644
index 0000000..96aca1e
--- /dev/null
+++ b/esorics2022/esorics2022.tex
@@ -0,0 +1,801 @@
+%\pdfminorversion=3
+\documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer}
+\include{setup}
+
+\title{Zero-Knowledge Age Restriction for GNU Taler}
+%\subtitle{}
+
+\setbeamertemplate{navigation symbols}{%
+	\includegraphics[width=1.6cm]{images/fub.pdf}
+	\hspace{1em}
+	\includegraphics[width=2.3cm]{images/bfh.png}
+	\includegraphics[width=1cm]{images/taler-logo-2020.jpg}
+	\includegraphics[width=1cm]{images/fraunhofer.png}
+	\hfill%
+}
+%\setbeamercovered{transparent=1}
+
+\author[Özgür Kesim]{{\bf Özgür Kesim}, Christian Grothoff,\\ Florian Dold, Martin Schanzenbach}
+\date{September 26, 2022\\
+	\includegraphics[width=4cm]{images/esorics2022.png}}
+\institute{FU Berlin, BFH Bern, Taler Systems SA, Fraunhofer AISEC}
+
+
+\begin{document}
+
+\justifying
+
+\begin{frame}
+  \titlepage
+\end{frame}
+
+%\begin{frame}
+%  \begin{center}
+%    \LARGE {\bf Zero-Knowledge Age Restriction\\for GNU Taler}
+%
+%    \vfill
+%  \end{center}
+% Substitute based on who is giving the talk!
+%  \vfill
+%	\begin{tabular}{rl}
+%		\bf Özgür Kesim\href{mailto:o.kesim@fu-berlin.de}{\small \Envelope} & \small Freie Universität Berlin, Germany \\
+%		Christian Grothoff & \small Bern University of Applied Sciences, Switzerland \\
+%		Florian Dold & \small Taler Systems SA, Luxembourg \\
+%		Martin Schanzenbach &\small  Fraunhofer AISEC, Germany \\
+%	\end{tabular}
+%\end{frame}
+
+\section{Introduction}
+
+\begin{frame}{Age restriction in E-commerce}
+
+	\begin{description}
+		\item[Problem:]~\\[1em]
+			Verification of minimum age requirements in e-commerce.\\[2em]
+
+		\item[Common solutions:]
+
+\begin{tabular}{l<{\onslide<2->}c<{\onslide<3->}cr<{\onslide}}
+	& \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount]
+	1. ID Verification     & bad   & required & \\[\medskipamount]
+	2. Restricted Accounts & bad   & required & \\[\medskipamount]
+	3. Attribute-based     & good  & required &\tikzmark{bottomau} \\[\medskipamount]
+\end{tabular}
+	\end{description}
+
+\uncover<4->{
+	\begin{tikzpicture}[overlay,remember picture]
+	\draw[orange,thick,rounded corners]
+		($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$);
+	\end{tikzpicture}
+	\begin{center}
+	\bf Principle of Subsidiarity is violated
+	\end{center}
+}
+\end{frame}
+
+
+\begin{frame}{Principle of Subsidiarity}
+\begin{center} \Large
+	Functions of government---such as granting and restricting
+	rights---should be performed\\
+	{\it at the lowest level of authority possible},\\
+	as long as they can be performed {\it adequately}.
+\end{center}
+\vfill
+\uncover<2->{
+	For age-restriction, the lowest level of authority is:\\
+	\begin{center}\Large
+	Parents, guardians and caretakers
+	\end{center}
+}
+\end{frame}
+
+\begin{frame}{Our contribution}
+Design and implementation of an age restriction scheme\\
+with the following goals:
+
+\begin{enumerate}
+\item It ties age restriction to the \textbf{ability to pay} (not to ID's)
+\item maintains \textbf{anonymity of buyers}
+\item maintains \textbf{unlinkability of transactions}
+\item aligns with \textbf{principle of subsidiartiy}
+\item is \textbf{practical and efficient}
+\end{enumerate}
+
+\end{frame}
+
+
+\section{Age Restriction}
+
+\begin{frame}{Age restriction}
+	\framesubtitle{Assumptions and scenario}
+
+	\begin{columns}
+		\column{7.5cm}
+	\begin{itemize}
+		\item<1-> Assumption: Checking accounts are under control of eligible adults/guardians.
+		\item<2-> \textit{Guardians} \textbf{commit} to an maximum age
+		\item<3-> \textit{Minors} \textbf{attest} their adequate age
+		\item<4-> \textit{Merchants} \textbf{verify} the attestations
+		\item<5-> Minors \textbf{derive} age commitments from existing ones
+		\item<6-> \textit{Exchanges} \textbf{compare} the derived age commitments
+	\end{itemize}
+		\column{5cm}
+		\uncover<7->
+		{
+		\begin{center}
+		\fontsize{7pt}{7pt}\selectfont
+	\begin{tikzpicture}[scale=.5]
+		\node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
+		\node[circle,minimum size=15pt,fill=black!15] at (  0:0) (Client) {$\Child$};
+		\node[circle,minimum size=15pt,fill=black!15] at (  0:4) (Merchant) {$\Merchant$};
+		\node[circle,minimum size=15pt,fill=blue!15]  at (140:3) (Guardian) {$\Guardian$};
+
+		\draw[->] (Guardian)   to [out=50,in=130, loop] node[above]
+			{$\Commit$} (Guardian);
+		\draw[->,blue] (Client)   to [out=-125,in=-190, loop] node[below,left]
+			{\blue{$\Attest$}} (Client);
+		\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
+			{\blue{$\Verify$}} (Merchant);
+		\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
+			{\orange{$\Derive$}} (Client);
+		\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
+			{\orange{$\Compare$}} (Exchange);
+
+		\draw[orange,|->] (Client)   to node[sloped,above,align=left]
+			{\orange{\scriptsize }} (Exchange);
+		\draw[blue,|->] (Client)   to node[sloped, above]
+			{\blue{\scriptsize }} (Merchant);
+		\draw[,|->] (Guardian) to node[above,sloped,align=left]
+			{{\scriptsize }} (Client);
+	\end{tikzpicture}
+		\end{center}
+		}
+	\end{columns}
+	\vfill
+	\uncover<7->{Note: Scheme is independent of payment service protocol.}
+\end{frame}
+
+
+\begin{frame}{Formal Function Signatures}
+\small 
+Searching for functions \uncover<2->{with the following signatures}
+\begin{align*}
+	&\bf \Commit\uncover<2->{:
+		&(\age, \omega) &\mapsto (\commitment, \pruf)
+		&\scriptstyle \N_\Age \times \Omega &\scriptstyle \to \Commitments\times\Proofs,
+		}
+	\\
+	&\bf \Attest\uncover<3->{:
+		&(\minage, \commitment, \pruf) &\mapsto \attest
+		&\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\},
+		}
+	\\
+	&\bf \Verify\uncover<4->{:
+		&(\minage, \commitment, \attest) &\mapsto b
+		&\scriptstyle \N_\Age\times\Commitments\times\Attests &\scriptstyle \to \Z_2,
+		}
+	\\
+	&\bf \Derive\uncover<5->{:
+		&(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf', \blinding)
+		&\scriptstyle \Commitments\times\Proofs\times\Omega &\scriptstyle \to \Commitments\times\Proofs\times\Blindings,
+		}
+	\\
+	&\bf \Compare\uncover<6->{:
+		&(\commitment, \commitment', \blinding) &\mapsto b
+		&\scriptstyle \Commitments\times\Commitments\times\Blindings &\scriptstyle \to \Z_2,
+		}
+\end{align*}
+	\uncover<7->{
+		with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$
+		sufficiently large sets.\\[1em]
+		Basic and security requirements are defined later.\\[2em]
+	}
+
+		\scriptsize
+	\uncover<2->{
+		Mnemonics:\\
+		$\Commitments=$ \textit{c$\Commitments$mmitments},
+		$\commitment=$ \textit{Q-mitment} (commitment),
+		$\Proofs=$ \textit{$\Proofs$roofs},
+	}
+	\uncover<3->{
+		$\pruf=$ \textit{$\pruf$roof},\\
+		$\Attests=$ \textit{a$\Attests$testations},
+		$\attest=$ \textit{a$\attest$testation},
+	}
+	\uncover<5->{
+		$\Blindings=$ \textit{$\Blindings$lindings},
+		$\blinding=$ \textit{$\blinding$linding}.
+	}
+\end{frame}
+
+\begin{frame}{Age restriction}
+	\framesubtitle{Naïve scheme}
+	\begin{center}
+	\begin{tikzpicture}[scale=.85]
+		\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
+		\node[circle,minimum size=20pt,fill=black!15] at (  0:0) (Client) {$\Child$};
+		\node[circle,minimum size=20pt,fill=black!15] at (  0:4) (Merchant) {$\Merchant$};
+		\node[circle,minimum size=20pt,fill=blue!15]  at (140:3) (Guardian) {$\Guardian$};
+
+		\draw[->] (Guardian)   to [out=50,in=130, loop] node[above]
+			{$\Commit$} (Guardian);
+		\draw[->,blue] (Client)   to [out=-125,in=-190, loop] node[below,left]
+			{\blue{$\Attest$}} (Client);
+		\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
+			{\blue{$\Verify$}} (Merchant);
+		\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
+			{\orange{$\Derive$}} (Client);
+		\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
+			{\orange{$\Compare$}} (Exchange);
+
+		\draw[orange,|->] (Client)   to node[sloped,above,align=left]
+			{\orange{\scriptsize }} (Exchange);
+		\draw[blue,|->] (Client)   to node[sloped, above]
+			{\blue{\scriptsize }} (Merchant);
+		\draw[,|->] (Guardian) to node[above,sloped,align=left]
+			{{\scriptsize }} (Client);
+	\end{tikzpicture}
+	\end{center}
+\end{frame}
+
+\begin{frame}{Achieving Unlinkability}
+	\begin{columns}
+		\column{3cm}
+		\begin{center}
+		\fontsize{8pt}{9pt}\selectfont
+		\begin{tikzpicture}[scale=.65]
+			\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
+			\node[circle,minimum size=20pt,fill=black!15] at (  0:0) (Client) {$\Child$};
+
+			\draw[->,orange] (Client)   to [out=-35,in=-100, loop] node[below]
+				{\orange{$\footnotesize \Derive()$}} (Client);
+			\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
+				{\orange{$\footnotesize \Compare()$}} (Exchange);
+
+			\draw[orange,|->] (Client)   to node[sloped,above,align=left]
+				{\orange{\tiny \uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange);
+		\end{tikzpicture}
+		\end{center}
+
+		\column{9cm}
+	Simple use of $\Derive()$ and $\Compare()$ is problematic.
+
+	\begin{itemize}
+		\item<2-> Calling $\Derive()$ iteratively generates sequence 
+			$(\commitment_0, \commitment_1, \dots)$ of commitments.
+		\item<2-> Exchange calls $\Compare(\commitment_i, \commitment_{i+1}, .)$ 
+		\item[$\implies$]\uncover<3->{\bf Exchange identifies sequence}
+		\item[$\implies$]\uncover<3->{\bf Unlinkability broken}
+	\end{itemize}
+	\end{columns}
+\end{frame}
+
+\begin{frame}{Achieving Unlinkability}
+	Define cut\&choose protocol \orange{$\DeriveCompare$},
+	using $\Derive()$ and $\Compare()$.\\[0.5em]
+	\uncover<2->{
+	Sketch:
+	\small
+	\begin{enumerate}
+		\item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$ 
+			from $\commitment_0$ \\
+			by calling $\Derive()$ with blindings $(\beta_1,\dots,\beta_\kappa)$
+		\item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$
+		\item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$
+		\item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly
+		\item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$
+		\item $\Exchange$ compares $h_0$ and 
+			$H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\
+			and evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$.
+	\end{enumerate}
+	\vfill
+	Note: Scheme is similar to the {\it refresh} protocol in GNU Taler.
+	}
+\end{frame}
+
+\begin{frame}{Achieving Unlinkability}
+	With \orange{$\DeriveCompare$}
+	\begin{itemize}
+		\item $\Exchange$ learns nothing about $\commitment_\gamma$,
+		\item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty,
+		\item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat.
+	\end{itemize}
+	\vfill
+	Note: Still need Derive and Compare to be defined.
+\end{frame}
+
+\begin{frame}{Refined scheme}
+
+	\begin{tikzpicture}[scale=.8]
+		\node[circle,minimum size=25pt,fill=black!15] at (  0:0) (Client)   {$\Child$};
+		\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
+		\node[circle,minimum size=25pt,fill=black!15] at (  0:5) (Merchant) {$\Merchant$};
+		\node[circle,minimum size=25pt,fill=blue!15]  at (130:3) (Guardian) {$\Guardian$};
+
+		\draw[orange,<->] (Client)   to node[sloped,below,align=center]
+			{\orange{$\DeriveCompare$}} (Exchange);
+		\draw[blue,->] (Client)   to node[sloped, below]
+			{\blue{$(\attest_\minage, \commitment)$}} (Merchant);
+
+		\draw[->] (Guardian)   to [out=150,in=70, loop] node[above]
+			{$\Commit(\age)$} (Guardian);
+		\draw[->] (Guardian)   to node[below,sloped]
+			{($\commitment$, $\pruf_\age$)} (Client);
+		\draw[->,blue] (Client)   to [out=-50,in=-130, loop] node[below]
+			{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
+		\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
+			{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
+	\end{tikzpicture}
+\end{frame}
+
+% \begin{frame}{Achieving Unlinkability}
+% 	\scriptsize
+% 	$\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\
+% 	\vfill
+% 	$\DeriveCompare(\commitment, \pruf, \omega) =$
+% \begin{itemize}
+% \it
+% 	\itemsep0.5em
+% 	\item[$\Child$:]
+% 		\begin{enumerate}
+% 				\scriptsize
+% 			\itemsep0.3em
+% 			\item for all $i \in \{1,\dots,\kappa\}:
+% 				(\commitment_i,\pruf_i,\beta_i) \leftarrow \Derive(\commitment, \pruf, \omega + i)$
+% 			\item $h \leftarrow \Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa) \big)$
+% 			\item send $(\commitment, h)$ to $\Exchange$
+% 		\end{enumerate}
+% 	\item[$\Exchange$:]
+% 		\begin{enumerate}
+% 			\setcounter{enumi}{4}
+% 				\scriptsize
+% 			\itemsep0.3em
+% 			\item save $(\commitment, h)$ \label{st:hash}
+% 			\item $\gamma \drawfrom \{1,\dots ,\kappa\}$
+% 			\item send $\gamma$ to $\Child$
+% 		\end{enumerate}
+% 	\item[$\Child$:]
+% 		\begin{enumerate}
+% 			\setcounter{enumi}{7}
+% 
+% 				\scriptsize
+% 			\itemsep0.3em
+% 			\item $h'_\gamma \leftarrow \Hash(\commitment_\gamma, \beta_\gamma)$
+% 			\item $\mathbf{E}_\gamma \leftarrow \big[(\commitment_1,\beta_1),\dots,
+% 				(\commitment_{\gamma-1}, \beta_{\gamma-1}),
+% 				\Nil,
+% 				(\commitment_{\gamma+1}, \beta_{\gamma+1}),
+% 				\dots,(\commitment_\kappa, \beta_\kappa)\big]$
+% 			\item send $(\mathbf{E}_\gamma, h'_\gamma)$ to $\Exchange$
+% 		\end{enumerate}
+% 	\item[$\Exchange$:]
+% 		\begin{enumerate}
+% 			\setcounter{enumi}{10}
+% 				\scriptsize
+% 			\itemsep0.3em
+% 			\item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow \Hash(\mathbf{E}_\gamma[i])$
+% 			\item if $h \stackrel{?}{\neq} \HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$ return 0
+% 			\item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}$:
+% 				if $0 \stackrel{?}{=} \Compare(\commitment,\commitment_i, \beta_i)$ return $0$
+% 			\item return 1
+% 		\end{enumerate}
+% \end{itemize}
+% \end{frame}
+
+\begin{frame}{Basic Requirements}
+
+	Candidate functions 
+	\[ (\Commit, \Attest, \Verify, \Derive, \Compare) \]
+	must first meet \textit{basic} requirements:
+
+	\begin{itemize}
+		\item Existence of attestations
+		\item Efficacy of attestations
+		\item Derivability of commitments and attestations
+	\end{itemize}
+\end{frame}
+
+\begin{frame}{Basic Requirements}
+	\framesubtitle{Formal Details}
+
+	\begin{description}
+		\item[Existence of attestations]
+			{\scriptsize
+			\begin{align*}
+				\Forall_{\age\in\N_\Age \atop \omega \in \Omega}:
+				\Commit(\age, \omega) =: (\commitment, \pruf)
+				\implies 
+				\Attest(\minage, \commitment, \pruf) =
+				\begin{cases}
+					\attest \in \Attests, \text{ if } \minage \leq \age\\
+					\Nil \text{ otherwise}
+				\end{cases}
+			\end{align*}}
+		\item[Efficacy of attestations]
+			{\scriptsize
+			\begin{align*}
+				\Verify(\minage, \commitment, \attest) = \
+				\begin{cases}
+					1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\
+					0 \text{ otherwise}
+				\end{cases}
+			\end{align*}}
+
+			{\scriptsize
+			\begin{align*}
+				\forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1.
+			\end{align*}}
+		\item[etc.]
+	\end{description}
+\end{frame}
+
+%\begin{frame}{Requirements}
+%	\framesubtitle{Details}
+%
+%	\begin{description}
+%		\item[Derivability of commitments and proofs:]~\\[0.1em]
+%		{\scriptsize
+%		Let \begin{align*}
+%			\age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\
+%			(\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\
+%			(\commitment_1, \pruf_1, \blinding) & \leftarrow  \Derive(\commitment_0, \pruf_0, \omega_1).
+%		\end{align*}
+%		We require
+%		\begin{align*}
+%			\Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity}
+%		\end{align*}
+%		and for all $n\leq\age$:
+%		\begin{align*}
+%					\Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &%
+%					=
+%					\Verify(n, \commitment_0,  \Attest(n, \commitment_0,  \pruf_0))
+%		\end{align*}}
+%	\end{description}
+%\end{frame}
+
+\begin{frame}{Security Requirements}
+	Candidate functions must also meet \textit{security} requirements.
+	Those are defined via security games:
+	\begin{itemize}
+		\item Game: Age disclosure by commitment or attestation
+		\item[$\leftrightarrow$] Requirement: Non-disclosure of age
+			\vfill
+
+		\item Game: Forging attestation
+		\item[$\leftrightarrow$] Requirement: Unforgeability of
+			minimum age
+			\vfill
+
+		\item Game: Distinguishing derived commitments and attestations
+		\item[$\leftrightarrow$] Requirement: Unlinkability of
+			commitments and attestations
+
+	\end{itemize}
+	\vfill
+
+	Meeting the security requirements means that adversaries can win
+	those games only with negligible advantage.
+	\vfill
+	Adversaries are arbitrary polynomial-time algorithms, acting on all
+	relevant input.
+\end{frame}
+
+\begin{frame}{Security Requirements}
+	\framesubtitle{Simplified Example}
+
+	\begin{description}
+		\item[Game $\Game{FA}(\lambda)$---Forging an attest:]~\\
+	{\small
+	\begin{enumerate}
+		\item $ (\age, \omega)	\drawfrom	\N_{\Age-1}\times\Omega $
+		\item $ (\commitment, \pruf)	\leftarrow	\Commit(\age, \omega) $
+		\item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$
+		\item Return 0 if $\minage \leq \age$
+		\item Return $\Verify(\minage,\commitment,\attest)$
+	\end{enumerate}
+	}
+	\vfill
+	\item[Requirement: Unforgeability of minimum age]
+		{\small
+	\begin{equation*}
+		\Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}:
+		\Probability\Big[\Game{FA}(\lambda) = 1\Big] \le \negl(\lambda)
+	\end{equation*}
+	}
+	\end{description}
+\end{frame}
+
+\section{Solution/Instantiation}
+
+\begin{frame}{Solution: Instantiation with ECDSA}
+%	\framesubtitle{Definition of Commit}
+
+	\begin{description}
+		\item[To Commit to age (group) $\age \in \{1,\dots,\Age\}$]~\\
+		\begin{enumerate}
+			\item<2-> Guardian generates ECDSA-keypairs, one per age (group):
+				\[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\]
+			\item<3-> Guardian then \textbf{drops} all private keys
+				$p_i$ for $i > \age$:
+				\[\Big \langle(q_1, p_1),\dots, 
+					(q_\age, p_\age), 
+					(q_{\age +1}, \red{\Nil}),\dots, 
+					(q_\Age, \red{\Nil})\Big\rangle\]
+
+				\begin{itemize}
+					\item $\Vcommitment := (q_1, \dots, q_\Age)$ is the \textit{Commitment},
+					\item $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$ is the \textit{Proof}
+				\end{itemize}
+				\vfill
+			\item<4-> Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$
+				\vfill
+		\end{enumerate}
+	\end{description}
+\end{frame}
+
+\begin{frame}{Instantiation with ECDSA}
+	\framesubtitle{Definitions of Attest and Verify}
+
+	Child has 
+	\begin{itemize}
+		\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $,
+		\item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
+	\end{itemize}
+	\begin{description}
+		\item<2->[To \blue{Attest} a minimum age $\blue{\minage} \leq \age$:]~\\
+			Sign a message with ECDSA using private key $p_\blue{\minage}$
+	\end{description}
+
+	\vfill
+
+	\uncover<3->{
+	Merchant gets 
+	\begin{itemize}
+		\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $
+		\item Signature $\sigma$
+	\end{itemize}
+	\begin{description}
+		\item<4->[To \blue{Verify} a minimum age $\minage$:]~\\
+			Verify the ECDSA-Signature $\sigma$ with public key $q_\minage$.
+	\end{description}
+	}
+	\vfill
+\end{frame}
+
+\begin{frame}{Instantiation with ECDSA}
+	\framesubtitle{Definitions of Derive and Compare}
+	Child has 
+	$\Vcommitment = (q_1, \dots, q_\Age) $ and 
+	$\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
+	\begin{description}
+		\item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:]
+			Choose random $\beta\in\Z_g$ and calculate
+			\small
+			\begin{align*}
+				\Vcommitment' &:= \big(\beta * q_1,\ldots,\beta * q_\Age\big),\\
+				\Vpruf' &:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big)
+			\end{align*}
+			Note: $ (\beta p_i)*G = \beta*(p_i*G)  = \beta*q_i$\\
+			\scriptsize $\beta*q_i$ is scalar multiplication on the elliptic curve.
+	\end{description}
+
+		\vfill
+	\uncover<3->{
+		Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$
+	\begin{description}
+		\item[To \blue{Compare}, calculate:]
+			\small
+		$(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)$
+	\end{description}
+	\vfill
+	}
+\end{frame}
+
+\begin{frame}{Instantiation with ECDSA}
+
+	Functions
+	(Commit, Attest, Verify, Derive, Compare)\\
+	as defined in the instantiation with ECDSA\\[0.5em]
+	\begin{itemize}
+		\item meet the basic requirements,\\[0.5em]
+		\item also meet all security requirements.\\
+		Proofs by security reduction, details are in the paper.
+	\end{itemize}
+
+\end{frame}
+
+
+% \begin{frame}{Instantiation with ECDSA}
+% 	\framesubtitle{Full definitions}
+% 	\scriptsize
+% 
+% \begin{align*}
+% 	\Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle
+% 		\overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\;
+% 		\overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf \text{, length }\Age}
+% 		\Big\rangle\\
+% 	\Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:=
+% 		\begin{cases}
+% 			\attest_\bage := \Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage] \stackrel{?}{\neq} \Nil\\
+% 			\Nil & \text{otherwise}
+% 		\end{cases}\\
+% %
+% 	\Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:= \Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\
+% %
+% 	\Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:=
+% 		\Big\langle(\beta * q_1,\ldots,\beta * q_\Age),
+% 		     (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta \Big\rangle \\
+% 		     & \text{ with } \beta := \FDHg{\omega} \text{ and multiplication } \beta p_i \text{ modulo } g \nonumber\\
+% %
+% 	\Compare_E(\Vcommitment, \Vcommitment', \beta)	&:=
+% 		\begin{cases}
+% 			1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\
+% 			0 & \text{otherwise}
+% 		\end{cases}
+% \end{align*}
+% \end{frame}
+
+\section{Integration with GNU Taler}
+
+\begin{frame}{GNU Taler}
+	\framesubtitle{https://www.taler.net}
+	\begin{columns}
+		\column{4cm}
+		\fontsize{8pt}{9pt}\selectfont
+	\begin{tikzpicture}[scale=.55]
+		\node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$};
+		\node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$};
+		\node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$};
+
+		\draw[<->] (Customer)   to [out=65,in=220] node[sloped,above] {\sf withdraw} (Exchange);
+		\draw[<->] (Customer)   to [out=45,in=240] node[sloped,below] {\sf refresh} (Exchange);
+		\draw[<->] (Customer)   to node[sloped, below] {\sf purchase} (Merchant);
+		\draw[<->] (Merchant) to node[sloped, above] {\sf deposit} (Exchange);
+	\end{tikzpicture}
+		\column{8cm}
+		\begin{itemize}
+			\item Protocol suite for online payment services
+			\item Based on Chaum's blind signatures
+			% \item Taxable, efficient, free software
+			\item Allows for change and refund (F. Dold)
+			\item Privacy preserving: anonymous and unlinkable payments
+		\end{itemize}
+	\end{columns}
+
+	\vfill
+	\uncover<2->{
+	\begin{itemize}
+		\item Coins are public-/private key-pairs $(C_p, c_s)$.
+		\item Exchange blindly signs $\FDH(C_p)$ with denomination key $d_p$
+		\item Verification:
+		\begin{eqnarray*}
+			1  &\stackrel{?}{=}&
+			\mathsf{SigCheck}\big(\FDH(C_p), D_p, \sigma_p\big)
+		\end{eqnarray*}
+		\scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature)
+
+	\end{itemize}
+	}
+\end{frame}
+
+\begin{frame}{Integration with GNU Taler}
+	\framesubtitle{Binding age restriction to coins}
+
+	To bind an age commitment $\commitment$ to a coin $C_p$, instead of
+	signing $\FDH(C_p)$, $\Exchange$ now blindly signs 
+	\begin{center}
+		$\FDH(C_p, \orange{H(\commitment)})$
+	\end{center}
+
+	\vfill
+	Verfication of a coin now requires $H(\commitment)$, too:
+	\begin{center}
+		$1  \stackrel{?}{=}
+		\mathsf{SigCheck}\big(\FDH(C_p, \orange{H(\commitment)}), D_p, \sigma_p\big)$
+	\end{center}
+	\vfill
+\end{frame}
+
+\begin{frame}{Integration with GNU Taler}
+	\framesubtitle{Integrated schemes}
+	\fontsize{8pt}{9pt}\selectfont
+	\begin{tikzpicture}[scale=.9]
+		\node[circle,minimum size=25pt,fill=black!15] at (  0:0) (Client)   {$\Child$};
+		\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
+		\node[circle,minimum size=25pt,fill=black!15] at (  0:5) (Merchant) {$\Merchant$};
+		\node[circle,minimum size=25pt,fill=blue!15]  at (130:3) (Guardian) {$\Guardian$};
+
+		\draw[<->] (Guardian)   to  node[sloped,above,align=center]
+			{{\sf withdraw}\orange{, using}\\ $\FDH(C_p\orange{, H(\commitment)})$} (Exchange);
+		\draw[<->] (Client)   to node[sloped,below,align=center]
+			{{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange);
+		\draw[<->] (Client)   to node[sloped, below]
+			{{\sf purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant);
+		\draw[<->] (Merchant) to node[sloped, above]
+			{{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange);
+
+		\draw[->] (Guardian)   to [out=70,in=150, loop] node[above]
+			{$\Commit(\age)$} (Guardian);
+		\draw[->] (Guardian)   to node[below,sloped]
+			{($\commitment$, $\pruf_\age$)} (Client);
+		\draw[->,blue] (Client)   to [out=-50,in=-130, loop] node[below]
+			{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
+		\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
+			{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
+	\end{tikzpicture}
+\end{frame}
+
+\begin{frame}{Instantiation with Edx25519}
+	Paper also formally defines another signature scheme: Edx25519.\\[1em]
+
+	\begin{itemize}
+		\item Scheme already in use in GNUnet,
+		\item based on EdDSA (Bernstein et al.),
+		\item generates compatible signatures and
+		\item allows for key derivation from both, private and public keys, independently.
+	\end{itemize}~\\[1em]
+
+	Current implementation of age restriction in GNU Taler uses Edx25519.
+\end{frame}
+
+\section{Discussion, Related Work, Conclusion}
+
+\begin{frame}{Discussion}
+	\begin{itemize}
+		\item Our solution can in principle be used with any token-based payment scheme
+		\item GNU Taler best aligned with our design goals (security, privacy and efficiency)
+		\item Subsidiarity requires bank accounts being owned by adults
+			\begin{itemize}
+			\item Scheme can be adapted to case where minors have bank accounts
+				\begin{itemize}
+					\item Assumption: banks provide minimum age
+						information during bank
+						transactions.
+					\item Child and Exchange execute a variant of
+						the cut\&choose protocol.
+				\end{itemize}
+			\end{itemize}
+		\item Our scheme offers an alternative to identity management systems (IMS)
+	\end{itemize}
+\end{frame}
+\begin{frame}{Related Work}
+	\begin{itemize}
+		\item Current privacy-perserving systems all based on attribute-based credentials (Koning et al., Schanzenbach et al., Camenisch et al., Au et al.)
+		\item Attribute-based approach lacks support: 
+			\begin{itemize}
+				\item Complex for consumers and retailers
+				\item Requires trusted third authority
+			\end{itemize}
+		\vfill
+		\item Other approaches tie age-restriction to ability to pay ("debit cards for kids")
+			\begin{itemize}
+				\item Advantage: mandatory to payment process
+				\item Not privacy friendly
+			\end{itemize}
+	\end{itemize}
+\end{frame}
+
+\begin{frame}{Conclusion}
+	Age restriction is a technical, ethical and legal challenge.
+
+	Existing solutions are
+	\begin{itemize}
+		\item without strong protection of privacy or
+		\item based on identity management systems (IMS)
+	\end{itemize}
+	\vfill
+
+	Our scheme offers a solution that is
+	\begin{itemize}
+		\item based on subsidiarity
+		\item privacy preserving
+		\item efficient
+		\item an alternative to IMS
+	\end{itemize}
+\end{frame}
+
+
+\end{document}
diff --git a/esorics2022/images/bfh.png b/esorics2022/images/bfh.png
new file mode 100644
index 0000000..4c9f8d1
Binary files /dev/null and b/esorics2022/images/bfh.png differ
diff --git a/esorics2022/images/esorics2022.png b/esorics2022/images/esorics2022.png
new file mode 100644
index 0000000..365758a
Binary files /dev/null and b/esorics2022/images/esorics2022.png differ
diff --git a/esorics2022/images/fraunhofer.png b/esorics2022/images/fraunhofer.png
new file mode 100644
index 0000000..0eb26a5
Binary files /dev/null and b/esorics2022/images/fraunhofer.png differ
diff --git a/esorics2022/images/fub.pdf b/esorics2022/images/fub.pdf
new file mode 100644
index 0000000..8094d75
Binary files /dev/null and b/esorics2022/images/fub.pdf differ
diff --git a/esorics2022/images/taler-logo-2020.jpg b/esorics2022/images/taler-logo-2020.jpg
new file mode 100644
index 0000000..489832f
Binary files /dev/null and b/esorics2022/images/taler-logo-2020.jpg differ
diff --git a/esorics2022/loop.sh b/esorics2022/loop.sh
new file mode 100755
index 0000000..e73d711
--- /dev/null
+++ b/esorics2022/loop.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+cleanup () {
+	rm -f *.log *.aux *.toc
+	exit $1
+}
+
+trap cleanup HUP TERM INT
+
+SRC=esorics2022.tex
+
+echo -ne "\e[;1H\e[2J"
+while true; do
+	tectonic $SRC || echo 
+	FILES=$(echo *.tex)
+	while inotifywait $FILES ; do
+		echo -ne "\e[;1H\e[2J"
+		tectonic $SRC || echo 
+	done
+done
diff --git a/esorics2022/setup.tex b/esorics2022/setup.tex
new file mode 100644
index 0000000..639c51c
--- /dev/null
+++ b/esorics2022/setup.tex
@@ -0,0 +1,121 @@
+\usepackage{amsmath}
+\usepackage{multimedia}
+\usepackage[utf8]{inputenc}
+\usepackage{framed,color,ragged2e}
+\usepackage[absolute,overlay]{textpos}
+\definecolor{shadecolor}{rgb}{0.8,0.8,0.8}
+\usetheme{boxes}
+\setbeamertemplate{navigation symbols}{}
+\usepackage{xcolor}
+\usepackage[normalem]{ulem}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usepackage{array}
+\usepackage{bbding}
+\usepackage{relsize}
+\usepackage{graphicx}
+\usepackage{tikz,eurosym,calc}
+\usetikzlibrary{tikzmark}
+\usetikzlibrary{shapes,arrows,arrows.meta}
+\usetikzlibrary{positioning,patterns}
+\usetikzlibrary{calc}
+
+% CSS
+\lstdefinelanguage{CSS}{
+  basicstyle=\ttfamily\scriptsize,
+  keywords={color,background-image:,margin,padding,font,weight,display,position,top,left,right,bottom,list,style,border,size,white,space,min,width, transition:, transform:, transition-property, transition-duration, transition-timing-function},
+  sensitive=true,
+  morecomment=[l]{//},
+  morecomment=[s]{/*}{*/},
+  morestring=[b]',
+  morestring=[b]",
+  alsoletter={:},
+  alsodigit={-}
+}
+
+% JavaScript
+\lstdefinelanguage{JavaScript}{
+  basicstyle=\ttfamily\scriptsize,
+  morekeywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
+  morecomment=[s]{/*}{*/},
+  morecomment=[l]//,
+  morestring=[b]",
+  morestring=[b]'
+}
+
+\lstdefinelanguage{HTML5}{
+  basicstyle=\ttfamily\scriptsize,
+  language=html,
+  sensitive=true,
+  alsoletter={<>=-},
+  morecomment=[s]{<!-}{-->},
+  tag=[s],
+  otherkeywords={
+  % General
+  >,
+  % Standard tags
+	<!DOCTYPE,
+  </html, <html, <head, <title, </title, <style, </style, <link, </head, <meta, />,
+	% body
+	</body, <body,
+	% Divs
+	</div, <div, </div>,
+	% Paragraphs
+	</p, <p, </p>,
+	% scripts
+	</script, <script,
+  % More tags...
+  <canvas, /canvas>, <svg, <rect, <animateTransform, </rect>, </svg>, <video, <source, <iframe, </iframe>, </video>, <image, </image>
+  },
+  ndkeywords={
+  % General
+  =,
+  % HTML attributes
+  charset=, src=, id=, width=, height=, style=, type=, rel=, href=,
+  % SVG attributes
+  fill=, attributeName=, begin=, dur=, from=, to=, poster=, controls=, x=, y=, repeatCount=, xlink:href=,
+  % CSS properties
+  margin:, padding:, background-image:, border:, top:, left:, position:, width:, height:,
+	% CSS3 properties
+  transform:, -moz-transform:, -webkit-transform:,
+  animation:, -webkit-animation:,
+  transition:,  transition-duration:, transition-property:, transition-timing-function:,
+  }
+}
+
+\lstdefinelanguage{JavaScript}{
+  basicstyle=\ttfamily\scriptsize,
+  keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break, for},
+  keywordstyle=\color{blue}\bfseries,
+  ndkeywords={class, export, boolean, throw, implements, import, this},
+  ndkeywordstyle=\color{darkgray}\bfseries,
+  identifierstyle=\color{black},
+  sensitive=false,
+  comment=[l]{//},
+  morecomment=[s]{/*}{*/},
+  commentstyle=\color{purple}\ttfamily,
+  stringstyle=\color{red}\ttfamily,
+  morestring=[b]',
+  morestring=[b]"
+}
+
+%\usetheme{Dresden}
+\setbeamersize{description width=1em}
+
+\setbeamertemplate{footline}{
+    \hbox{%
+    \begin{beamercolorbox}[wd=\paperwidth,ht=3ex,dp=1.5ex,leftskip=2ex,rightskip=2ex]{page footer}%
+        \usebeamerfont{title in head/foot}%
+        \insertshorttitle \hfill
+            \insertsection \hfill
+        \insertframenumber{} / \inserttotalframenumber
+    \end{beamercolorbox}}%
+}
+
+
+\definecolor{blue}{rgb}{0,0,0.7}
+\newcommand{\orange}[1]{{\color{orange}#1}}
+\newcommand{\TODO}[1]{\orange{TODO: #1}}
+
+
+\input{definitions}