taler/talks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

added esorics2022

Browse Source
This commit is contained in:
Özgür Kesim 2022-12-27 14:57:00 +01:00
parent 5379ebf5c9
commit 27a38651d3
8 changed files with 942 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

801
esorics2022/esorics2022.tex Normal file
View File

@ -0,0 +1,801 @@
%\pdfminorversion=3
\documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer}
\include{setup}
\title{Zero-Knowledge Age Restriction for GNU Taler}
%\subtitle{}
\setbeamertemplate{navigation symbols}{%
\includegraphics[width=1.6cm]{images/fub.pdf}
\hspace{1em}
\includegraphics[width=2.3cm]{images/bfh.png}
\includegraphics[width=1cm]{images/taler-logo-2020.jpg}
\includegraphics[width=1cm]{images/fraunhofer.png}
\hfill%
}
%\setbeamercovered{transparent=1}
\author[Özgür Kesim]{{\bf Özgür Kesim}, Christian Grothoff,\\ Florian Dold, Martin Schanzenbach}
\date{September 26, 2022\\
\includegraphics[width=4cm]{images/esorics2022.png}}
\institute{FU Berlin, BFH Bern, Taler Systems SA, Fraunhofer AISEC}
\begin{document}
\justifying
\begin{frame}
\titlepage
\end{frame}
%\begin{frame}
% \begin{center}
% \LARGE {\bf Zero-Knowledge Age Restriction\\for GNU Taler}
%
% \vfill
% \end{center}
% Substitute based on who is giving the talk!
% \vfill
% \begin{tabular}{rl}
% \bf Özgür Kesim\href{mailto:o.kesim@fu-berlin.de}{\small \Envelope} & \small Freie Universität Berlin, Germany \\
% Christian Grothoff & \small Bern University of Applied Sciences, Switzerland \\
% Florian Dold & \small Taler Systems SA, Luxembourg \\
% Martin Schanzenbach &\small Fraunhofer AISEC, Germany \\
% \end{tabular}
%\end{frame}
\section{Introduction}
\begin{frame}{Age restriction in E-commerce}
\begin{description}
\item[Problem:]~\\[1em]
Verification of minimum age requirements in e-commerce.\\[2em]
\item[Common solutions:]
\begin{tabular}{l<{\onslide<2->}c<{\onslide<3->}cr<{\onslide}}
& \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount]
1. ID Verification & bad & required & \\[\medskipamount]
2. Restricted Accounts & bad & required & \\[\medskipamount]
3. Attribute-based & good & required &\tikzmark{bottomau} \\[\medskipamount]
\end{tabular}
\end{description}
\uncover<4->{
\begin{tikzpicture}[overlay,remember picture]
\draw[orange,thick,rounded corners]
($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$);
\end{tikzpicture}
\begin{center}
\bf Principle of Subsidiarity is violated
\end{center}
}
\end{frame}
\begin{frame}{Principle of Subsidiarity}
\begin{center} \Large
Functions of government---such as granting and restricting
rights---should be performed\\
{\it at the lowest level of authority possible},\\
as long as they can be performed {\it adequately}.
\end{center}
\vfill
\uncover<2->{
For age-restriction, the lowest level of authority is:\\
\begin{center}\Large
Parents, guardians and caretakers
\end{center}
}
\end{frame}
\begin{frame}{Our contribution}
Design and implementation of an age restriction scheme\\
with the following goals:
\begin{enumerate}
\item It ties age restriction to the \textbf{ability to pay} (not to ID's)
\item maintains \textbf{anonymity of buyers}
\item maintains \textbf{unlinkability of transactions}
\item aligns with \textbf{principle of subsidiartiy}
\item is \textbf{practical and efficient}
\end{enumerate}
\end{frame}
\section{Age Restriction}
\begin{frame}{Age restriction}
\framesubtitle{Assumptions and scenario}
\begin{columns}
\column{7.5cm}
\begin{itemize}
\item<1-> Assumption: Checking accounts are under control of eligible adults/guardians.
\item<2-> \textit{Guardians} \textbf{commit} to an maximum age
\item<3-> \textit{Minors} \textbf{attest} their adequate age
\item<4-> \textit{Merchants} \textbf{verify} the attestations
\item<5-> Minors \textbf{derive} age commitments from existing ones
\item<6-> \textit{Exchanges} \textbf{compare} the derived age commitments
\end{itemize}
\column{5cm}
\uncover<7->
{
\begin{center}
\fontsize{7pt}{7pt}\selectfont
\begin{tikzpicture}[scale=.5]
\node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
\node[circle,minimum size=15pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
\node[circle,minimum size=15pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$};
\node[circle,minimum size=15pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$};
\draw[->] (Guardian) to [out=50,in=130, loop] node[above]
{$\Commit$} (Guardian);
\draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left]
{\blue{$\Attest$}} (Client);
\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
{\blue{$\Verify$}} (Merchant);
\draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below]
{\orange{$\Derive$}} (Client);
\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
{\orange{$\Compare$}} (Exchange);
\draw[orange,|->] (Client) to node[sloped,above,align=left]
{\orange{\scriptsize }} (Exchange);
\draw[blue,|->] (Client) to node[sloped, above]
{\blue{\scriptsize }} (Merchant);
\draw[,|->] (Guardian) to node[above,sloped,align=left]
{{\scriptsize }} (Client);
\end{tikzpicture}
\end{center}
}
\end{columns}
\vfill
\uncover<7->{Note: Scheme is independent of payment service protocol.}
\end{frame}
\begin{frame}{Formal Function Signatures}
\small
Searching for functions \uncover<2->{with the following signatures}
\begin{align*}
&\bf \Commit\uncover<2->{:
&(\age, \omega) &\mapsto (\commitment, \pruf)
&\scriptstyle \N_\Age \times \Omega &\scriptstyle \to \Commitments\times\Proofs,
}
\\
&\bf \Attest\uncover<3->{:
&(\minage, \commitment, \pruf) &\mapsto \attest
&\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\},
}
\\
&\bf \Verify\uncover<4->{:
&(\minage, \commitment, \attest) &\mapsto b
&\scriptstyle \N_\Age\times\Commitments\times\Attests &\scriptstyle \to \Z_2,
}
\\
&\bf \Derive\uncover<5->{:
&(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf', \blinding)
&\scriptstyle \Commitments\times\Proofs\times\Omega &\scriptstyle \to \Commitments\times\Proofs\times\Blindings,
}
\\
&\bf \Compare\uncover<6->{:
&(\commitment, \commitment', \blinding) &\mapsto b
&\scriptstyle \Commitments\times\Commitments\times\Blindings &\scriptstyle \to \Z_2,
}
\end{align*}
\uncover<7->{
with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$
sufficiently large sets.\\[1em]
Basic and security requirements are defined later.\\[2em]
}
\scriptsize
\uncover<2->{
Mnemonics:\\
$\Commitments=$ \textit{c$\Commitments$mmitments},
$\commitment=$ \textit{Q-mitment} (commitment),
$\Proofs=$ \textit{$\Proofs$roofs},
}
\uncover<3->{
$\pruf=$ \textit{$\pruf$roof},\\
$\Attests=$ \textit{a$\Attests$testations},
$\attest=$ \textit{a$\attest$testation},
}
\uncover<5->{
$\Blindings=$ \textit{$\Blindings$lindings},
$\blinding=$ \textit{$\blinding$linding}.
}
\end{frame}
\begin{frame}{Age restriction}
\framesubtitle{Naïve scheme}
\begin{center}
\begin{tikzpicture}[scale=.85]
\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
\node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
\node[circle,minimum size=20pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$};
\node[circle,minimum size=20pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$};
\draw[->] (Guardian) to [out=50,in=130, loop] node[above]
{$\Commit$} (Guardian);
\draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left]
{\blue{$\Attest$}} (Client);
\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
{\blue{$\Verify$}} (Merchant);
\draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below]
{\orange{$\Derive$}} (Client);
\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
{\orange{$\Compare$}} (Exchange);
\draw[orange,|->] (Client) to node[sloped,above,align=left]
{\orange{\scriptsize }} (Exchange);
\draw[blue,|->] (Client) to node[sloped, above]
{\blue{\scriptsize }} (Merchant);
\draw[,|->] (Guardian) to node[above,sloped,align=left]
{{\scriptsize }} (Client);
\end{tikzpicture}
\end{center}
\end{frame}
\begin{frame}{Achieving Unlinkability}
\begin{columns}
\column{3cm}
\begin{center}
\fontsize{8pt}{9pt}\selectfont
\begin{tikzpicture}[scale=.65]
\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
\node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
\draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below]
{\orange{$\footnotesize \Derive()$}} (Client);
\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
{\orange{$\footnotesize \Compare()$}} (Exchange);
\draw[orange,|->] (Client) to node[sloped,above,align=left]
{\orange{\tiny \uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange);
\end{tikzpicture}
\end{center}
\column{9cm}
Simple use of $\Derive()$ and $\Compare()$ is problematic.
\begin{itemize}
\item<2-> Calling $\Derive()$ iteratively generates sequence
$(\commitment_0, \commitment_1, \dots)$ of commitments.
\item<2-> Exchange calls $\Compare(\commitment_i, \commitment_{i+1}, .)$
\item[$\implies$]\uncover<3->{\bf Exchange identifies sequence}
\item[$\implies$]\uncover<3->{\bf Unlinkability broken}
\end{itemize}
\end{columns}
\end{frame}
\begin{frame}{Achieving Unlinkability}
Define cut\&choose protocol \orange{$\DeriveCompare$},
using $\Derive()$ and $\Compare()$.\\[0.5em]
\uncover<2->{
Sketch:
\small
\begin{enumerate}
\item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$
from $\commitment_0$ \\
by calling $\Derive()$ with blindings $(\beta_1,\dots,\beta_\kappa)$
\item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$
\item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$
\item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly
\item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$
\item $\Exchange$ compares $h_0$ and
$H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\
and evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$.
\end{enumerate}
\vfill
Note: Scheme is similar to the {\it refresh} protocol in GNU Taler.
}
\end{frame}
\begin{frame}{Achieving Unlinkability}
With \orange{$\DeriveCompare$}
\begin{itemize}
\item $\Exchange$ learns nothing about $\commitment_\gamma$,
\item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty,
\item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat.
\end{itemize}
\vfill
Note: Still need Derive and Compare to be defined.
\end{frame}
\begin{frame}{Refined scheme}
\begin{tikzpicture}[scale=.8]
\node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
\node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$};
\node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$};
\draw[orange,<->] (Client) to node[sloped,below,align=center]
{\orange{$\DeriveCompare$}} (Exchange);
\draw[blue,->] (Client) to node[sloped, below]
{\blue{$(\attest_\minage, \commitment)$}} (Merchant);
\draw[->] (Guardian) to [out=150,in=70, loop] node[above]
{$\Commit(\age)$} (Guardian);
\draw[->] (Guardian) to node[below,sloped]
{($\commitment$, $\pruf_\age$)} (Client);
\draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below]
{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
\end{tikzpicture}
\end{frame}
% \begin{frame}{Achieving Unlinkability}
% \scriptsize
% $\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\
% \vfill
% $\DeriveCompare(\commitment, \pruf, \omega) =$
% \begin{itemize}
% \it
% \itemsep0.5em
% \item[$\Child$:]
% \begin{enumerate}
% \scriptsize
% \itemsep0.3em
% \item for all $i \in \{1,\dots,\kappa\}:
% (\commitment_i,\pruf_i,\beta_i) \leftarrow \Derive(\commitment, \pruf, \omega + i)$
% \item $h \leftarrow \Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa) \big)$
% \item send $(\commitment, h)$ to $\Exchange$
% \end{enumerate}
% \item[$\Exchange$:]
% \begin{enumerate}
% \setcounter{enumi}{4}
% \scriptsize
% \itemsep0.3em
% \item save $(\commitment, h)$ \label{st:hash}
% \item $\gamma \drawfrom \{1,\dots ,\kappa\}$
% \item send $\gamma$ to $\Child$
% \end{enumerate}
% \item[$\Child$:]
% \begin{enumerate}
% \setcounter{enumi}{7}
%
% \scriptsize
% \itemsep0.3em
% \item $h'_\gamma \leftarrow \Hash(\commitment_\gamma, \beta_\gamma)$
% \item $\mathbf{E}_\gamma \leftarrow \big[(\commitment_1,\beta_1),\dots,
% (\commitment_{\gamma-1}, \beta_{\gamma-1}),
% \Nil,
% (\commitment_{\gamma+1}, \beta_{\gamma+1}),
% \dots,(\commitment_\kappa, \beta_\kappa)\big]$
% \item send $(\mathbf{E}_\gamma, h'_\gamma)$ to $\Exchange$
% \end{enumerate}
% \item[$\Exchange$:]
% \begin{enumerate}
% \setcounter{enumi}{10}
% \scriptsize
% \itemsep0.3em
% \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow \Hash(\mathbf{E}_\gamma[i])$
% \item if $h \stackrel{?}{\neq} \HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$ return 0
% \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}$:
% if $0 \stackrel{?}{=} \Compare(\commitment,\commitment_i, \beta_i)$ return $0$
% \item return 1
% \end{enumerate}
% \end{itemize}
% \end{frame}
\begin{frame}{Basic Requirements}
Candidate functions
\[ (\Commit, \Attest, \Verify, \Derive, \Compare) \]
must first meet \textit{basic} requirements:
\begin{itemize}
\item Existence of attestations
\item Efficacy of attestations
\item Derivability of commitments and attestations
\end{itemize}
\end{frame}
\begin{frame}{Basic Requirements}
\framesubtitle{Formal Details}
\begin{description}
\item[Existence of attestations]
{\scriptsize
\begin{align*}
\Forall_{\age\in\N_\Age \atop \omega \in \Omega}:
\Commit(\age, \omega) =: (\commitment, \pruf)
\implies
\Attest(\minage, \commitment, \pruf) =
\begin{cases}
\attest \in \Attests, \text{ if } \minage \leq \age\\
\Nil \text{ otherwise}
\end{cases}
\end{align*}}
\item[Efficacy of attestations]
{\scriptsize
\begin{align*}
\Verify(\minage, \commitment, \attest) = \
\begin{cases}
1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\
0 \text{ otherwise}
\end{cases}
\end{align*}}
{\scriptsize
\begin{align*}
\forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1.
\end{align*}}
\item[etc.]
\end{description}
\end{frame}
%\begin{frame}{Requirements}
% \framesubtitle{Details}
%
% \begin{description}
% \item[Derivability of commitments and proofs:]~\\[0.1em]
% {\scriptsize
% Let \begin{align*}
% \age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\
% (\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\
% (\commitment_1, \pruf_1, \blinding) & \leftarrow \Derive(\commitment_0, \pruf_0, \omega_1).
% \end{align*}
% We require
% \begin{align*}
% \Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity}
% \end{align*}
% and for all $n\leq\age$:
% \begin{align*}
% \Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &%
% =
% \Verify(n, \commitment_0, \Attest(n, \commitment_0, \pruf_0))
% \end{align*}}
% \end{description}
%\end{frame}
\begin{frame}{Security Requirements}
Candidate functions must also meet \textit{security} requirements.
Those are defined via security games:
\begin{itemize}
\item Game: Age disclosure by commitment or attestation
\item[$\leftrightarrow$] Requirement: Non-disclosure of age
\vfill
\item Game: Forging attestation
\item[$\leftrightarrow$] Requirement: Unforgeability of
minimum age
\vfill
\item Game: Distinguishing derived commitments and attestations
\item[$\leftrightarrow$] Requirement: Unlinkability of
commitments and attestations
\end{itemize}
\vfill
Meeting the security requirements means that adversaries can win
those games only with negligible advantage.
\vfill
Adversaries are arbitrary polynomial-time algorithms, acting on all
relevant input.
\end{frame}
\begin{frame}{Security Requirements}
\framesubtitle{Simplified Example}
\begin{description}
\item[Game $\Game{FA}(\lambda)$---Forging an attest:]~\\
{\small
\begin{enumerate}
\item $ (\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $
\item $ (\commitment, \pruf) \leftarrow \Commit(\age, \omega) $
\item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$
\item Return 0 if $\minage \leq \age$
\item Return $\Verify(\minage,\commitment,\attest)$
\end{enumerate}
}
\vfill
\item[Requirement: Unforgeability of minimum age]
{\small
\begin{equation*}
\Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}:
\Probability\Big[\Game{FA}(\lambda) = 1\Big] \le \negl(\lambda)
\end{equation*}
}
\end{description}
\end{frame}
\section{Solution/Instantiation}
\begin{frame}{Solution: Instantiation with ECDSA}
% \framesubtitle{Definition of Commit}
\begin{description}
\item[To Commit to age (group) $\age \in \{1,\dots,\Age\}$]~\\
\begin{enumerate}
\item<2-> Guardian generates ECDSA-keypairs, one per age (group):
\[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\]
\item<3-> Guardian then \textbf{drops} all private keys
$p_i$ for $i > \age$:
\[\Big \langle(q_1, p_1),\dots,
(q_\age, p_\age),
(q_{\age +1}, \red{\Nil}),\dots,
(q_\Age, \red{\Nil})\Big\rangle\]
\begin{itemize}
\item $\Vcommitment := (q_1, \dots, q_\Age)$ is the \textit{Commitment},
\item $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$ is the \textit{Proof}
\end{itemize}
\vfill
\item<4-> Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$
\vfill
\end{enumerate}
\end{description}
\end{frame}
\begin{frame}{Instantiation with ECDSA}
\framesubtitle{Definitions of Attest and Verify}
Child has
\begin{itemize}
\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $,
\item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
\end{itemize}
\begin{description}
\item<2->[To \blue{Attest} a minimum age $\blue{\minage} \leq \age$:]~\\
Sign a message with ECDSA using private key $p_\blue{\minage}$
\end{description}
\vfill
\uncover<3->{
Merchant gets
\begin{itemize}
\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $
\item Signature $\sigma$
\end{itemize}
\begin{description}
\item<4->[To \blue{Verify} a minimum age $\minage$:]~\\
Verify the ECDSA-Signature $\sigma$ with public key $q_\minage$.
\end{description}
}
\vfill
\end{frame}
\begin{frame}{Instantiation with ECDSA}
\framesubtitle{Definitions of Derive and Compare}
Child has
$\Vcommitment = (q_1, \dots, q_\Age) $ and
$\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
\begin{description}
\item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:]
Choose random $\beta\in\Z_g$ and calculate
\small
\begin{align*}
\Vcommitment' &:= \big(\beta * q_1,\ldots,\beta * q_\Age\big),\\
\Vpruf' &:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big)
\end{align*}
Note: $ (\beta p_i)*G = \beta*(p_i*G) = \beta*q_i$\\
\scriptsize $\beta*q_i$ is scalar multiplication on the elliptic curve.
\end{description}
\vfill
\uncover<3->{
Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$
\begin{description}
\item[To \blue{Compare}, calculate:]
\small
$(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)$
\end{description}
\vfill
}
\end{frame}
\begin{frame}{Instantiation with ECDSA}
Functions
(Commit, Attest, Verify, Derive, Compare)\\
as defined in the instantiation with ECDSA\\[0.5em]
\begin{itemize}
\item meet the basic requirements,\\[0.5em]
\item also meet all security requirements.\\
Proofs by security reduction, details are in the paper.
\end{itemize}
\end{frame}
% \begin{frame}{Instantiation with ECDSA}
% \framesubtitle{Full definitions}
% \scriptsize
%
% \begin{align*}
% \Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle
% \overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\;
% \overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf \text{, length }\Age}
% \Big\rangle\\
% \Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:=
% \begin{cases}
% \attest_\bage := \Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage] \stackrel{?}{\neq} \Nil\\
% \Nil & \text{otherwise}
% \end{cases}\\
% %
% \Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:= \Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\
% %
% \Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:=
% \Big\langle(\beta * q_1,\ldots,\beta * q_\Age),
% (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta \Big\rangle \\
% & \text{ with } \beta := \FDHg{\omega} \text{ and multiplication } \beta p_i \text{ modulo } g \nonumber\\
% %
% \Compare_E(\Vcommitment, \Vcommitment', \beta) &:=
% \begin{cases}
% 1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\
% 0 & \text{otherwise}
% \end{cases}
% \end{align*}
% \end{frame}
\section{Integration with GNU Taler}
\begin{frame}{GNU Taler}
\framesubtitle{https://www.taler.net}
\begin{columns}
\column{4cm}
\fontsize{8pt}{9pt}\selectfont
\begin{tikzpicture}[scale=.55]
\node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$};
\node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$};
\node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$};
\draw[<->] (Customer) to [out=65,in=220] node[sloped,above] {\sf withdraw} (Exchange);
\draw[<->] (Customer) to [out=45,in=240] node[sloped,below] {\sf refresh} (Exchange);
\draw[<->] (Customer) to node[sloped, below] {\sf purchase} (Merchant);
\draw[<->] (Merchant) to node[sloped, above] {\sf deposit} (Exchange);
\end{tikzpicture}
\column{8cm}
\begin{itemize}
\item Protocol suite for online payment services
\item Based on Chaum's blind signatures
% \item Taxable, efficient, free software
\item Allows for change and refund (F. Dold)
\item Privacy preserving: anonymous and unlinkable payments
\end{itemize}
\end{columns}
\vfill
\uncover<2->{
\begin{itemize}
\item Coins are public-/private key-pairs $(C_p, c_s)$.
\item Exchange blindly signs $\FDH(C_p)$ with denomination key $d_p$
\item Verification:
\begin{eqnarray*}
1 &\stackrel{?}{=}&
\mathsf{SigCheck}\big(\FDH(C_p), D_p, \sigma_p\big)
\end{eqnarray*}
\scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature)
\end{itemize}
}
\end{frame}
\begin{frame}{Integration with GNU Taler}
\framesubtitle{Binding age restriction to coins}
To bind an age commitment $\commitment$ to a coin $C_p$, instead of
signing $\FDH(C_p)$, $\Exchange$ now blindly signs
\begin{center}
$\FDH(C_p, \orange{H(\commitment)})$
\end{center}
\vfill
Verfication of a coin now requires $H(\commitment)$, too:
\begin{center}
$1 \stackrel{?}{=}
\mathsf{SigCheck}\big(\FDH(C_p, \orange{H(\commitment)}), D_p, \sigma_p\big)$
\end{center}
\vfill
\end{frame}
\begin{frame}{Integration with GNU Taler}
\framesubtitle{Integrated schemes}
\fontsize{8pt}{9pt}\selectfont
\begin{tikzpicture}[scale=.9]
\node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
\node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$};
\node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$};
\draw[<->] (Guardian) to node[sloped,above,align=center]
{{\sf withdraw}\orange{, using}\\ $\FDH(C_p\orange{, H(\commitment)})$} (Exchange);
\draw[<->] (Client) to node[sloped,below,align=center]
{{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange);
\draw[<->] (Client) to node[sloped, below]
{{\sf purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant);
\draw[<->] (Merchant) to node[sloped, above]
{{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange);
\draw[->] (Guardian) to [out=70,in=150, loop] node[above]
{$\Commit(\age)$} (Guardian);
\draw[->] (Guardian) to node[below,sloped]
{($\commitment$, $\pruf_\age$)} (Client);
\draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below]
{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
\end{tikzpicture}
\end{frame}
\begin{frame}{Instantiation with Edx25519}
Paper also formally defines another signature scheme: Edx25519.\\[1em]
\begin{itemize}
\item Scheme already in use in GNUnet,
\item based on EdDSA (Bernstein et al.),
\item generates compatible signatures and
\item allows for key derivation from both, private and public keys, independently.
\end{itemize}~\\[1em]
Current implementation of age restriction in GNU Taler uses Edx25519.
\end{frame}
\section{Discussion, Related Work, Conclusion}
\begin{frame}{Discussion}
\begin{itemize}
\item Our solution can in principle be used with any token-based payment scheme
\item GNU Taler best aligned with our design goals (security, privacy and efficiency)
\item Subsidiarity requires bank accounts being owned by adults
\begin{itemize}
\item Scheme can be adapted to case where minors have bank accounts
\begin{itemize}
\item Assumption: banks provide minimum age
information during bank
transactions.
\item Child and Exchange execute a variant of
the cut\&choose protocol.
\end{itemize}
\end{itemize}
\item Our scheme offers an alternative to identity management systems (IMS)
\end{itemize}
\end{frame}
\begin{frame}{Related Work}
\begin{itemize}
\item Current privacy-perserving systems all based on attribute-based credentials (Koning et al., Schanzenbach et al., Camenisch et al., Au et al.)
\item Attribute-based approach lacks support:
\begin{itemize}
\item Complex for consumers and retailers
\item Requires trusted third authority
\end{itemize}
\vfill
\item Other approaches tie age-restriction to ability to pay ("debit cards for kids")
\begin{itemize}
\item Advantage: mandatory to payment process
\item Not privacy friendly
\end{itemize}
\end{itemize}
\end{frame}
\begin{frame}{Conclusion}
Age restriction is a technical, ethical and legal challenge.
Existing solutions are
\begin{itemize}
\item without strong protection of privacy or
\item based on identity management systems (IMS)
\end{itemize}
\vfill
Our scheme offers a solution that is
\begin{itemize}
\item based on subsidiarity
\item privacy preserving
\item efficient
\item an alternative to IMS
\end{itemize}
\end{frame}
\end{document}

BIN
esorics2022/images/bfh.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
esorics2022/images/esorics2022.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
esorics2022/images/fraunhofer.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.2 KiB

BIN
esorics2022/images/fub.pdf Normal file
View File

Binary file not shown.

BIN
esorics2022/images/taler-logo-2020.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

20
esorics2022/loop.sh Executable file
View File

@ -0,0 +1,20 @@
#!/bin/sh
cleanup () {
rm -f *.log *.aux *.toc
exit $1
}
trap cleanup HUP TERM INT
SRC=esorics2022.tex
echo -ne "\e[;1H\e[2J"
while true; do
tectonic $SRC || echo 
FILES=$(echo *.tex)
while inotifywait $FILES ; do
echo -ne "\e[;1H\e[2J"
tectonic $SRC || echo 
done
done

121
esorics2022/setup.tex Normal file
View File

@ -0,0 +1,121 @@
\usepackage{amsmath}
\usepackage{multimedia}
\usepackage[utf8]{inputenc}
\usepackage{framed,color,ragged2e}
\usepackage[absolute,overlay]{textpos}
\definecolor{shadecolor}{rgb}{0.8,0.8,0.8}
\usetheme{boxes}
\setbeamertemplate{navigation symbols}{}
\usepackage{xcolor}
\usepackage[normalem]{ulem}
\usepackage{listings}
\usepackage{adjustbox}
\usepackage{array}
\usepackage{bbding}
\usepackage{relsize}
\usepackage{graphicx}
\usepackage{tikz,eurosym,calc}
\usetikzlibrary{tikzmark}
\usetikzlibrary{shapes,arrows,arrows.meta}
\usetikzlibrary{positioning,patterns}
\usetikzlibrary{calc}
% CSS
\lstdefinelanguage{CSS}{
basicstyle=\ttfamily\scriptsize,
keywords={color,background-image:,margin,padding,font,weight,display,position,top,left,right,bottom,list,style,border,size,white,space,min,width, transition:, transform:, transition-property, transition-duration, transition-timing-function},
sensitive=true,
morecomment=[l]{//},
morecomment=[s]{/*}{*/},
morestring=[b]',
morestring=[b]",
alsoletter={:},
alsodigit={-}
}
% JavaScript
\lstdefinelanguage{JavaScript}{
basicstyle=\ttfamily\scriptsize,
morekeywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break},
morecomment=[s]{/*}{*/},
morecomment=[l]//,
morestring=[b]",
morestring=[b]'
}
\lstdefinelanguage{HTML5}{
basicstyle=\ttfamily\scriptsize,
language=html,
sensitive=true,
alsoletter={<>=-},
morecomment=[s]{<!-}{-->},
tag=[s],
otherkeywords={
% General
>,
% Standard tags
<!DOCTYPE,
</html, <html, <head, <title, </title, <style, </style, <link, </head, <meta, />,
% body
</body, <body,
% Divs
</div, <div, </div>,
% Paragraphs
</p, <p, </p>,
% scripts
</script, <script,
% More tags...
<canvas, /canvas>, <svg, <rect, <animateTransform, </rect>, </svg>, <video, <source, <iframe, </iframe>, </video>, <image, </image>
},
ndkeywords={
% General
=,
% HTML attributes
charset=, src=, id=, width=, height=, style=, type=, rel=, href=,
% SVG attributes
fill=, attributeName=, begin=, dur=, from=, to=, poster=, controls=, x=, y=, repeatCount=, xlink:href=,
% CSS properties
margin:, padding:, background-image:, border:, top:, left:, position:, width:, height:,
% CSS3 properties
transform:, -moz-transform:, -webkit-transform:,
animation:, -webkit-animation:,
transition:, transition-duration:, transition-property:, transition-timing-function:,
}
}
\lstdefinelanguage{JavaScript}{
basicstyle=\ttfamily\scriptsize,
keywords={typeof, new, true, false, catch, function, return, null, catch, switch, var, if, in, while, do, else, case, break, for},
keywordstyle=\color{blue}\bfseries,
ndkeywords={class, export, boolean, throw, implements, import, this},
ndkeywordstyle=\color{darkgray}\bfseries,
identifierstyle=\color{black},
sensitive=false,
comment=[l]{//},
morecomment=[s]{/*}{*/},
commentstyle=\color{purple}\ttfamily,
stringstyle=\color{red}\ttfamily,
morestring=[b]',
morestring=[b]"
}
%\usetheme{Dresden}
\setbeamersize{description width=1em}
\setbeamertemplate{footline}{
\hbox{%
\begin{beamercolorbox}[wd=\paperwidth,ht=3ex,dp=1.5ex,leftskip=2ex,rightskip=2ex]{page footer}%
\usebeamerfont{title in head/foot}%
\insertshorttitle \hfill
\insertsection \hfill
\insertframenumber{} / \inserttotalframenumber
\end{beamercolorbox}}%
}
\definecolor{blue}{rgb}{0,0,0.7}
\newcommand{\orange}[1]{{\color{orange}#1}}
\newcommand{\TODO}[1]{\orange{TODO: #1}}
\input{definitions}