From 355c8992798e942d85ee4aea047c9ee4c397fca4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=96zg=C3=BCr=20Kesim?=
Date: Thu, 29 Dec 2022 04:20:50 +0100
Subject: [PATCH] 90% done
---
 hip2022/hip2022.tex | 787 ++++++++++++++++++++++++++++----------------
 1 file changed, 507 insertions(+), 280 deletions(-)
diff --git a/hip2022/hip2022.tex b/hip2022/hip2022.tex
index d7f02e8..03a8288 100644
--- a/hip2022/hip2022.tex
+++ b/hip2022/hip2022.tex
@@ -1,4 +1,3 @@
-%\pdfminorversion=3
 \documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer}
 \usepackage{appendixnumberbeamer}
 \usepackage{amsmath}
@@ -7,9 +6,8 @@
 \usepackage[utf8]{inputenc}
 \usepackage{framed,color,ragged2e}
 \usepackage[absolute,overlay]{textpos}
-%\definecolor{shadecolor}{rgb}{0.8,0.8,0.8}
 \usetheme[progressbar=frametitle]{metropolis}
-\setbeamertemplate{navigation symbols}{}
+\setbeamertemplate{navigation symbols}{\insertframenumber/\inserttotalframenumber}
 \setbeamersize{description width=1em}
 \setbeamertemplate{section in toc}[sections]
 \setbeamertemplate{footline}{}
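Review bot: The frame counter is put into the `navigation symbols` template, which repurposes the slot meant for the navigation icons, while metropolis offers `\metroset{numbering=fraction}` for exactly this. Since the next context line empties `footline`, where metropolis normally prints its frame number, the workaround may be deliberate; if so, a comment such as `% footline is cleared below, so the frame number goes into the navigation-symbols slot` would stop the next reader from "fixing" it.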
@@ -28,12 +26,38 @@ \usetikzlibrary{calc} \usepackage{fontspec} -\setsansfont{IBM Plex Sans} +\IfFontExistsTF{IBM Plex Sans}{\setsansfont{IBM Plex Sans}}{} +\IfFontExistsTF{IBM Plex Serif}{\setmainfont{IBM Plex Serif}}{} \definecolor{blue}{rgb}{0,0.4,1} \newcommand{\orange}[1]{{\color{orange}#1}} \newcommand{\TODO}[1]{\orange{TODO: #1}} +\makeatletter +\setbeamercolor{framesubtitle}{fg=mDarkTeal} +\defbeamertemplate*{frametitle}{myframetitle}{% + \nointerlineskip + \begin{beamercolorbox}[% + wd=\paperwidth,% + sep=0pt,% + leftskip=\metropolis@frametitle@padding, + rightskip=\metropolis@frametitle@padding, + ]{frametitle}% + \metropolis@frametitlestrut@start + \quad\insertframetitle%%%%%%%%%%%%%%%%%%%%%% + \nolinebreak + \metropolis@frametitlestrut@end + \end{beamercolorbox}\par + \usebeamerfont{framesubtitle}% + \usebeamercolor[fg]{framesubtitle}% + \vskip3pt + \hspace*{-0.5\metropolis@frametitle@padding}% + \insertframesubtitle +} +\makeatother +\setbeamertemplate{frametitle}[myframetitle] + +\newcommand{\Section}[2]{\section[#1\newline\scriptsize{#2}]{#1}} \input{definitions} 
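Review bot: In the new `\Section` macro, `\scriptsize{#2}` applies the size switch outside the braces rather than to `#2` alone; the intended form is `\newcommand{\Section}[2]{\section[#1\newline{\scriptsize #2}]{#1}}`. The `myframetitle` template reaches into theme internals (`\metropolis@frametitle@padding`, `\metropolis@frametitlestrut@start`/`@end`) under `\makeatletter`; a short comment naming the metropolis version the template was copied from would make breakage after a theme update easy to diagnose. The `%%%%%%%%` run after `\insertframetitle` looks like a leftover marker and can go.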
@@ -49,31 +73,56 @@ \begin{document} -\justifying +%\justifying \begin{frame} \titlepage \end{frame} -\begin{frame}{Chapters} - \tableofcontents -\end{frame} - -\section[Prolog\newline\scriptsize{Who am I and who pays for all this?}]{Prolog} +\section*{Prolog}%{Who am I, what do I want and who pays for all this?} \begin{frame}{Who am I} Özgür Kesim, \begin{itemize} \item security consultant for 20+ years, \item PhD candidate at FU Berlin, - \item software developer, \item member of GNU Taler dev-team. \end{itemize} - \url{@oec@mathstodon.xyz} + \vfill + \url{oec-taler@kesim.org} \hfill \url{@oec@mathstodon.xyz} \hfill + \end{frame} +\begin{frame}{What to expect} + \small + \begin{description} + \item<1->[Goals]~\\ + Presentation of + \begin{itemize} + \item our solution for age restriction and + \item its integration into GNU Taler. + \end{itemize} + \vfill + \item<2->[Meta-goals]~\\ + Present examples from cryptography for + \begin{itemize} + \item a zero-knowledge protocol, + \item a security game, + \item a security proof. + \end{itemize} + This will be technical and math-heavy. + \vfill + \item<3->[Non-goals]~\\ + \begin{itemize} + \item \underline{Rigorous} introduction into GNU Taler + \item Demos + \end{itemize} + \end{description} +\end{frame} + + \begin{frame}{Sponsors} \centering\begin{columns}[T] \column{0.5\textwidth} 
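Review bot: The contact line wraps an e-mail address and a Fediverse handle in `\url`, so neither produces a valid link target; `\href{mailto:oec-taler@kesim.org}{oec-taler@kesim.org}` links correctly, and the handle is better typeset as `\texttt{@oec@mathstodon.xyz}` (or an `\href` to the profile page). Under Non-goals, `\underline{Rigorous} introduction into GNU Taler` reads better as `introduction to GNU Taler`. The commented-out subtitle after `\section*{Prolog}` and the commented `%\justifying` are leftovers worth either restoring or deleting.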
@@ -89,40 +138,70 @@ \end{columns} \end{frame} +\begin{frame}{Chapters} + \tableofcontents[pausesections,hideallsubsections] +\end{frame} + + \section[Introduction\newline\scriptsize Age Restriction in E-commerce]{Introduction} +\begin{frame}{Youth protection} + + Broad consensus in society about the necessity to protect minors from + harmful content. + + \vfill + + Also wanted from policy makers:\\[1em] + \begin{quote} + 11. Member states should encourage the \textbf{use of + conditional access tools} by content and service providers in + relation to content harmful to minors, \textbf{such as + age-verification systems}, ... + \end{quote} + + \tiny + From the + \href{https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680645b44} + {\textit{Recommendation Rec (2001) 8 of the Committee of + Ministers to member states on self-regulation concerning cyber + content}} of the Council of Europe. + +\end{frame} + \begin{frame}{Age restriction in E-commerce} - \begin{description} + \begin{description}[<+->] \item[Problem:]~\\[1em] Verification of minimum age requirements in e-commerce.\\[2em] \item[Common solutions:] -\begin{tabular}{l<{\onslide<2->}c<{\onslide<3->}cr<{\onslide}} - & \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount] - 1. ID Verification & bad & required & \\[\medskipamount] - 2. Restricted Accounts & bad & required & \\[\medskipamount] - 3. Attribute-based & good & required &\tikzmark{bottomau} \\[\medskipamount] -\end{tabular} + \begin{tabular}{l<{\onslide<3->}c<{\onslide<4->}cr<{\onslide}} + & \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount] + 1. ID Verification & bad & required & \\[\medskipamount] + 2. Restricted Accounts & bad & required & \\[\medskipamount] + 3. 
Attribute-based & good & required &\tikzmark{bottomau} \\[\medskipamount] + \end{tabular} \end{description} -\uncover<4->{ +\uncover<5->{ \begin{tikzpicture}[overlay,remember picture] \draw[orange,thick,rounded corners] ($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$); \end{tikzpicture} \begin{center} - \bf Principle of Subsidiarity is violated + \bf Principle of subsidiarity is ignored \end{center} } \end{frame} \begin{frame}{Principle of Subsidiarity} -\begin{center} \Large - Functions of government---such as granting and restricting - rights---should be performed\\ +\begin{center}\large + Functions of government\\ + ---such as granting and restricting rights---\\ + should be performed\\ {\it at the lowest level of authority possible},\\ as long as they can be performed {\it adequately}. \end{center} 
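Review bot: In the Youth protection frame, `Also wanted from policy makers:\\[1em]` ends a paragraph with `\\` immediately before `\begin{quote}`, which yields an underfull box and uneven spacing; dropping the `\\[1em]` (or using `\medskip`) is the usual fix. The quoted recommendation's trailing `...` should be `\dots`, and `\textit` inside the `\href` and `{\it ...}` in the subsidiarity frame are visual rather than semantic markup, where `\emph{...}` reads the same and nests correctly. `\bf Principle of subsidiarity is ignored` uses the obsolete two-letter switch; `\textbf{...}` is the replacement.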
@@ -135,74 +214,93 @@ } \end{frame} -\begin{frame}{Our contribution} -Design and implementation of an age restriction scheme\\ -with the following goals: - -\begin{enumerate} -\item It ties age restriction to the \textbf{ability to pay} (not to ID's) -\item maintains \textbf{anonymity of buyers} -\item maintains \textbf{unlinkability of transactions} -\item aligns with \textbf{principle of subsidiartiy} -\item is \textbf{practical and efficient} +\begin{frame}{Our goal} +A design and implementation of an age restriction scheme\\ +with the following properties: +\pause +\begin{enumerate}[<+->] + \item It ties age restriction to the \textbf{ability to pay} (not to ID's), + \item maintains the \textbf{anonymity of buyers}, + \item maintains \textbf{unlinkability of transactions}, + \item aligns with the \textbf{principle of subsidiarity}, + \item is \textbf{practical and efficient}. \end{enumerate} \end{frame} -\section[Age Restriction\newline\scriptsize towards a Functional Equation]{Age Restriction} +\Section{The quest for a solution to age restriction}{A journey through cryptic territory} -\begin{frame}{Age restriction} - \framesubtitle{Assumptions and scenario} +\begin{frame}{Basic assumption and ideas} + \small + Assumption: Bank accounts are under control of adults/guardians. - Assumption: Bank accounts are under control of eligible adults/guardians. 
+ \vfill + Sketch of scheme, independent of payment service protocol: \begin{columns} - \column{7.5cm} - \begin{itemize} - \item<2-> \textit{Guardians} \textbf{commit} to an maximum age - \item<3-> \textit{Minors} \textbf{attest} their adequate age - \item<4-> \textit{Merchants} \textbf{verify} the attestations - \item<5-> \textit{Minors} \textbf{derive} age commitments from existing ones - \item<6-> \textit{Exchanges} \textbf{compare} the derived age commitments - \end{itemize} - \column{5cm} - \uncover<7-> - { + \column{7cm} + \begin{enumerate} + \item<2-> \textit{Guardians} \textbf{commit} to a maximum age + \item<4-> \tikzmark{sstart}\textit{Minors} \textbf{attest} their adequate age + \item<6-> \textit{Merchants} \textbf{verify} the attestations + \item<7-> \textit{Minors} \textbf{derive} age commitments from existing ones + \item<9-> \textit{Exchanges} \textbf{compare} the derived age commitments + \item<10-> \tikzmark{send}{\large \texttt{GOTO}} 2. + \begin{tikzpicture}[overlay, remember picture] + \draw[line width=1pt,->] + ([shift=({-6mm, 1mm})]pic cs:send) to + ([shift=({-1cm, 1mm})]pic cs:send) to + ([shift=({-1cm, 1mm})]pic cs:sstart) to + ([shift=({-6mm, 1mm})]pic cs:sstart); + \end{tikzpicture} + \end{enumerate} + \column{4.5cm} \begin{center} \fontsize{7pt}{7pt}\selectfont \begin{tikzpicture}[scale=.5] - \node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; - \node[circle,minimum size=15pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; - \node[circle,minimum size=15pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$}; - \node[circle,minimum size=15pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$}; - - \draw[->] (Guardian) to [out=50,in=130, loop] node[above] - {$\Commit$} (Guardian); - \draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left] - {\blue{$\Attest$}} (Client); - \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above] - {\blue{$\Verify$}} (Merchant); - \draw[->,orange] (Client) to 
[out=-35,in=-100, loop] node[below] - {\orange{$\Derive$}} (Client); - \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] - {\orange{$\Compare$}} (Exchange); - - \draw[orange,|->] (Client) to node[sloped,above,align=left] - {\orange{\scriptsize }} (Exchange); - \draw[blue,|->] (Client) to node[sloped, above] - {\blue{\scriptsize }} (Merchant); - \draw[,|->] (Guardian) to node[above,sloped,align=left] - {{\scriptsize }} (Client); + \uncover<2->{ + \node[circle,minimum size=15pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$}; + \draw[->] (Guardian) to [out=50,in=130, loop] node[above] + {$\Commit$} (Guardian); + } + \uncover<3->{ + \node[circle,minimum size=15pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \draw[,|->] (Guardian) to node[above,sloped,align=left] + {{\scriptsize }} (Client); + } + \uncover<4->{ + \draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left] + {\blue{$\Attest$}} (Client); + } + \uncover<5->{ + \node[circle,minimum size=15pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$}; + \draw[blue,|->] (Client) to node[sloped, above] + {\blue{\scriptsize }} (Merchant); + } + \uncover<6->{ + \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above] + {\blue{$\Verify$}} (Merchant); + } + \uncover<7->{ + \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below] + {\orange{$\Derive$}} (Client); + } + \uncover<8->{ + \node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; + \draw[orange,|->] (Client) to node[sloped,above,align=left] + {\orange{\scriptsize }} (Exchange); + } + \uncover<9->{ + \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] + {\orange{$\Compare$}} (Exchange); + } \end{tikzpicture} \end{center} - } \end{columns} - \vfill - \uncover<7->{Note: Scheme is independent of payment service protocol.} \end{frame} -\begin{frame}{Formal Function Signatures} +\begin{frame}{Specification of the Function Signatures} \small Searching for functions \uncover<2->{with the 
following signatures} \begin{align*} @@ -211,9 +309,15 @@ Searching for functions \uncover<2->{with the following signatures} &\scriptstyle \N_\Age \times \Omega &\scriptstyle \to \Commitments\times\Proofs, } \\ + %FIXME: This is how Attest was defined in the orignal paper (_with_) commitment! + %&\bf \Attest\uncover<3->{: + % &(\minage, \commitment, \pruf) &\mapsto \attest + % &\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\}, + % } + %\\ &\bf \Attest\uncover<3->{: - &(\minage, \commitment, \pruf) &\mapsto \attest - &\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\}, + &(\minage, \pruf) &\mapsto \attest + &\scriptstyle \N_\Age\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\}, } \\ &\bf \Verify\uncover<4->{: @@ -234,7 +338,12 @@ Searching for functions \uncover<2->{with the following signatures} \uncover<7->{ with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$ sufficiently large sets.\\[1em] - Basic and security requirements are defined later.\\[2em] + } + %\uncover<8->{ + % The blindings $\beta$ ensure that only the Exchange can compare commitments.\\[1em] + %} + \uncover<8->{ + We will define basic and security requirements later.\\[1em] } \scriptsize 
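Review bot: In the rewritten sketch diagram, three edges still carry empty label nodes, `{{\scriptsize }} (Client)`, `{\blue{\scriptsize }} (Merchant)` and `{\orange{\scriptsize }} (Exchange)`, and one draw has an empty option, `\draw[,|->]`; either fill them with the tuples the Naïve scheme frame later shows or drop the `node[...]{}` parts so the arrows are plain. `\item<10-> \tikzmark{send}{\large \texttt{GOTO}} 2.` hard-codes the target item number; a `\label` on the attest item and `\ref` keeps it right if the list is reordered. The frame `Specification of the Function Signatures` starts at the end of this hunk and continues into the next one.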
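Review bot: The Attest signature is changed to `(\minage, \pruf) \mapsto \attest` with the previous commitment-taking form kept only in a `%FIXME` comment stating that the paper defines it with the commitment; the same FIXME recurs in the Refined scheme frame of a later hunk (`\Attest(\minage, \pruf_{\age})`). The new form is consistent within the deck, since `\Verify` still takes `\commitment` and the ECDSA instantiation signs with `p_\minage` alone, but a deck that deviates from the published definition should say so on the slide rather than in a comment, e.g. a `\scriptsize` footnote `Simplified from the paper: Attest here takes only the proof.`, and both FIXMEs should be resolved together.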
@@ -251,18 +360,17 @@ Searching for functions \uncover<2->{with the following signatures} } \uncover<5->{ $\Blindings=$ \textit{$\Blindings$lindings}, - $\blinding=$ \textit{$\blinding$linding}. + $\blinding=$ \textit{$\blinding$linding}. } \end{frame} -\begin{frame}{Age restriction} - \framesubtitle{Naïve scheme} +\begin{frame}{Naïve scheme} \begin{center} - \begin{tikzpicture}[scale=.85] - \node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; - \node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; - \node[circle,minimum size=20pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$}; + \begin{tikzpicture}[scale=.8] \node[circle,minimum size=20pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$}; + \node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; + \node[circle,minimum size=20pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$}; \draw[->] (Guardian) to [out=50,in=130, loop] node[above] {$\Commit$} (Guardian); 
@@ -275,17 +383,19 @@ Searching for functions \uncover<2->{with the following signatures} \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] {\orange{$\Compare$}} (Exchange); - \draw[orange,|->] (Client) to node[sloped,above,align=left] - {\orange{\scriptsize }} (Exchange); - \draw[blue,|->] (Client) to node[sloped, above] - {\blue{\scriptsize }} (Merchant); \draw[,|->] (Guardian) to node[above,sloped,align=left] - {{\scriptsize }} (Client); + {\scriptsize ($\commitment$, $\pruf_\age$)} (Client); + \draw[blue,|->] (Client) to node[sloped, above] + {\blue{\scriptsize($\minage$, $\commitment$, $\attest$) }} (Merchant); + \draw[orange,|->] (Client) to node[sloped,above,align=left] + {\orange{\scriptsize($\commitment$, $\commitment'$, $\beta$) }} (Exchange); \end{tikzpicture} \end{center} +% \pause{Why should $\Merchant$ trust those $\commitment$? Will solve later. +% \tiny (Hint: blind signature from $\Exchange$)} \end{frame} -\begin{frame}{Achieving Unlinkability} +\begin{frame}{Problem of unlinkability} \begin{columns} \column{3cm} \begin{center} 
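Review bot: The question commented out at the end of the Naïve scheme frame (`Why should $\Merchant$ trust those $\commitment$?`) is worth keeping visible, because the Integration with GNU Taler hunk at the end of this patch answers it by binding `H(\commitment)` into the blindly signed coin; a one-line `\pause` forward reference on this frame would connect the two. The new edge labels split one tuple into several math spans, `($\commitment$, $\commitment'$, $\beta$)`; a single `$(\commitment, \commitment', \beta)$` gives correct math spacing and matches the `$(\attest_\minage, \commitment)$` style used on the Refined scheme frame.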
@@ -307,72 +417,122 @@ Searching for functions \uncover<2->{with the following signatures} \column{9cm} Simple use of $\Derive()$ and $\Compare()$ is problematic. - \begin{itemize} - \item<2-> Calling $\Derive()$ iteratively generates sequence + \pause + \begin{itemize}[<+->] + \item Calling $\Derive()$ iteratively generates sequence $(\commitment_0, \commitment_1, \dots)$ of commitments. - \item<2-> Exchange calls $\Compare(\commitment_i, \commitment_{i+1}, .)$ - \item[$\implies$]\uncover<3->{\bf Exchange identifies sequence} - \item[$\implies$]\uncover<3->{\bf Unlinkability broken} + \item Exchange calls $\Compare(\commitment_i, \commitment_{i+1},~.~)$ + \item[$\implies$]Exchange identifies sequence + \item[$\implies$]{\bf Unlinkability broken} \end{itemize} \end{columns} \end{frame} \begin{frame}{Achieving Unlinkability} - Define cut\&choose protocol \orange{$\DeriveCompare$}, - using $\Derive()$ and $\Compare()$.\\[0.5em] + Given $\Derive()$ and $\Compare()$, define the Zero-Knowledge-protocol + \orange{$\DeriveCompare$} as follows (sketch): + \uncover<2->{ - Sketch: \small - \begin{enumerate} - \item $\Child$ derives commitments $(\commitment_1,\dots,\commitment_\kappa)$ - from $\commitment_0$ \\ - by calling $\Derive()$ with blindings $(\beta_1,\dots,\beta_\kappa)$ - \item $\Child$ calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$ - \item $\Child$ sends $\commitment_0$ and $h_0$ to $\Exchange$ - \item $\Exchange$ chooses $\gamma \in \{1,\dots,\kappa\}$ randomly - \item $\Child$ reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$ - \item $\Exchange$ compares $h_0$ and - $H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$\\ - and evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$. 
- \end{enumerate} - \vfill - Note: Scheme is similar to the {\it refresh} protocol in GNU Taler. + Let $\kappa \in \N$ (say: $\kappa = 3$) + \begin{itemize}[<+->] + \item[$\Child$:] + \begin{enumerate} + \item generates $(\commitment_1,\dots,\commitment_\kappa)$ + and $(\beta_1,\dots,\beta_\kappa)$ from $\commitment_0$\\ + by calling $\kappa$ times $\Derive(\commitment_0, \pruf_0, \omega_i)$ + \item calculates $h_0:=H\left(H(\commitment_1, \beta_1)||\dots||H(\commitment_\kappa, \beta_\kappa)\right)$ + \item sends $\commitment_0$ and $h_0$ to $\Exchange$ + \end{enumerate} + \item[$\Exchange$:] + \begin{enumerate} + \item[4.] saves $\commitment_0$ and $h_0$ and sends $\Child$ random $\gamma \in \{1,\dots,\kappa\}$ + \end{enumerate} + \item[$\Child$:] + \begin{enumerate} + \item[5.] reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$ + \end{enumerate} + \item[$\Exchange$:] + \begin{enumerate} + \item[6.] compares $h_0$ and + $H\left(H(\commitment_1, \beta_1)||...||h_\gamma||...||H(\commitment_\kappa, \beta_\kappa)\right)$ + \item[7.] evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$ for all $i \neq \gamma$. + \end{enumerate} + \end{itemize} + \pause + If all steps succeed, $\commitment_\gamma$ is the new commitment. } \end{frame} -\begin{frame}{Achieving Unlinkability} +\begin{frame}{Achieving Unlinkability}%{Certainty trade-off} + With \orange{$\DeriveCompare$} \begin{itemize} - \item $\Exchange$ learns nothing about $\commitment_\gamma$, + \item $\Exchange$ learns nothing about $\commitment_\gamma$ or $H(\commitment_\gamma)$, \item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty, \item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat. + \item<2->[$\implies$] \textbf{Gives us unlinkability at the price of (adjustable) uncertainty!} \end{itemize} + \vfill - Note: Still need Derive and Compare to be defined. 
+ \uncover<3->{Notes: + \begin{itemize} + \item similar to the cut\&choose {\it refresh} protocol in GNU Taler + \item still need to define $\Derive()$ and $\Compare()$. + \end{itemize} + } \end{frame} \begin{frame}{Refined scheme} - + \begin{center} \begin{tikzpicture}[scale=.8] - \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; - \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$}; - \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$}; \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$}; - \draw[orange,<->] (Client) to node[sloped,below,align=center] - {\orange{$\DeriveCompare$}} (Exchange); - \draw[blue,->] (Client) to node[sloped, below] - {\blue{$(\attest_\minage, \commitment)$}} (Merchant); + \uncover<2-3,8->{ + \draw[->] (Guardian) to [out=150,in=70, loop] node[above] + {$\Commit(\age)$} (Guardian); + } + \uncover<3,8->{ + \draw[->] (Guardian) to node[below,sloped] + {($\commitment$, $\pruf_\age$)} (Client); + } + + \uncover<4-6,8->{ + \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below] + % FIXME: This is in the original paper: + % {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client); + {\blue{$\Attest(\minage, \pruf_{\age})$}} (Client); + } + \uncover<5-6,8->{ + \draw[blue,->] (Client) to node[sloped, below] + {\blue{$(\attest_\minage, \commitment)$}} (Merchant); + } + \uncover<6,8->{ + \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below] + {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant); + } + \uncover<7,8->{ + \draw[orange,<->] (Client) to + node[sloped,below,align=center] {\orange{$\commitment \mapsto \commitment_\gamma$}} + 
node[sloped,above,align=center] {\orange{$\DeriveCompare$}} (Exchange); + } - \draw[->] (Guardian) to [out=150,in=70, loop] node[above] - {$\Commit(\age)$} (Guardian); - \draw[->] (Guardian) to node[below,sloped] - {($\commitment$, $\pruf_\age$)} (Client); - \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below] - {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client); - \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below] - {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant); \end{tikzpicture} + \end{center} +\end{frame} + + +\begin{frame}{Sensible solutions} + Quest for functions should lead to \textit{sensible} solutions. + + \pause + F. e. $\Verify()$ should not simply always return \texttt{true}. + + \pause + We need more requirements. \end{frame} % \begin{frame}{Achieving Unlinkability} 
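Review bot: The certainty bound on the follow-up frame, `trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty`, holds only if the child cannot restart the protocol for the same `$\commitment_0$`/`$h_0$` and obtain a fresh `$\gamma$`; step 4, `saves $\commitment_0$ and $h_0$`, is presumably where the exchange pins the challenge to the stored pair, and the slide would be clearer saying so, e.g. `saves $(\commitment_0, h_0, \gamma)$ and answers a repeated request with the same $\gamma$` (to be confirmed against the implementation). The nested enumerates hard-code continuation numbers with `\item[4.]`, `\item[5.]` and so on; one enumerate with the role names as item text, or enumitem's `resume`, avoids stale numbers when a step is added. In the Sensible solutions frame, `F. e.` should be `E.g.` (or `For example,`).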
@@ -429,168 +589,131 @@ Searching for functions \uncover<2->{with the following signatures} % \end{itemize} % \end{frame} -\begin{frame}{Basic Requirements} +\section*{Requirements} +\begin{frame}{Basic Requirements} + \label{fr:basicRequirements} Candidate functions \[ (\Commit, \Attest, \Verify, \Derive, \Compare) \] - must first meet \textit{basic} requirements: + must meet \textit{basic requirements}: \begin{itemize} \item Existence of attestations \item Efficacy of attestations \item Derivability of commitments and attestations \end{itemize} -\end{frame} - -\begin{frame}{Basic Requirements} - \framesubtitle{Formal Details} - - \begin{description} - \item[Existence of attestations] - {\scriptsize - \begin{align*} - \Forall_{\age\in\N_\Age \atop \omega \in \Omega}: - \Commit(\age, \omega) =: (\commitment, \pruf) - \implies - \Attest(\minage, \commitment, \pruf) = - \begin{cases} - \attest \in \Attests, \text{ if } \minage \leq \age\\ - \Nil \text{ otherwise} - \end{cases} - \end{align*}} - \item[Efficacy of attestations] - {\scriptsize - \begin{align*} - \Verify(\minage, \commitment, \attest) = \ - \begin{cases} - 1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\ - 0 \text{ otherwise} - \end{cases} - \end{align*}} - - {\scriptsize - \begin{align*} - \forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1. - \end{align*}} - \item[etc.] - \end{description} -\end{frame} - -%\begin{frame}{Requirements} -% \framesubtitle{Details} -% -% \begin{description} -% \item[Derivability of commitments and proofs:]~\\[0.1em] -% {\scriptsize -% Let \begin{align*} -% \age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\ -% (\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\ -% (\commitment_1, \pruf_1, \blinding) & \leftarrow \Derive(\commitment_0, \pruf_0, \omega_1). 
-% \end{align*} -% We require -% \begin{align*} -% \Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity} -% \end{align*} -% and for all $n\leq\age$: -% \begin{align*} -% \Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &% -% = -% \Verify(n, \commitment_0, \Attest(n, \commitment_0, \pruf_0)) -% \end{align*}} -% \end{description} -%\end{frame} + \pause + More details in the published paper and \hyperlink{fr:detailedBasicRequirements}{Appendix}. +\end{frame} \begin{frame}{Security Requirements} - Candidate functions must also meet \textit{security} requirements. - Those are defined via security games: - \begin{itemize} - \item Game: Age disclosure by commitment or attestation - \item[$\leftrightarrow$] Requirement: Non-disclosure of age - \vfill - - \item Game: Forging attestation - \item[$\leftrightarrow$] Requirement: Unforgeability of - minimum age - \vfill - - \item Game: Distinguishing derived commitments and attestations - \item[$\leftrightarrow$] Requirement: Unlinkability of - commitments and attestations - - \end{itemize} + Candidate functions must also meet \textit{security requirements}, + defined via security games: + \vfill + { + \small + \pause + \hspace*{-1em}\begin{tabular}{rp{9cm}} + \bf Requirement:& Unforgeability of minimum age\pause\\ + \bf $\leftrightarrow$\hfill Game:& Forging an attestation\pause\\[0.5em] + \bf Requirement: & Non-disclosure of age \pause\\ + \bf$\leftrightarrow$\hfill Game: & Age disclosure by commitment or attestation \pause\\[0.5em] + \bf Requirement:& Unlinkability of commitments and attestations\pause\\ + \bf $\leftrightarrow$\hfill Game:& Distinguishing derived commitments and attestations + \end{tabular} + } \vfill + \pause Meeting the security requirements means that adversaries can win those games only with negligible advantage. \vfill + \pause Adversaries are arbitrary polynomial-time algorithms, acting on all relevant input. 
\end{frame} -\begin{frame}{Security Requirements} - \framesubtitle{Simplified Example} +\begin{frame}{Security Requirements}{Simplified Example} - \begin{description} - \item[Game $\Game{FA}(\lambda)$---Forging an attest:]~\\ - {\small - \begin{enumerate} - \item $ (\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $ - \item $ (\commitment, \pruf) \leftarrow \Commit(\age, \omega) $ - \item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$ - \item Return 0 if $\minage \leq \age$ - \item Return $\Verify(\minage,\commitment,\attest)$ - \end{enumerate} - } - \vfill - \item[Requirement: Unforgeability of minimum age] + \begin{description}[<+->] + \item[Game $\Game{FA}$: Forging an attest]~\\ {\small - \begin{equation*} - \Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}: - \Probability\Big[\Game{FA}(\lambda) = 1\Big] \le \negl(\lambda) - \end{equation*} - } + \begin{enumerate} + \item $ (\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $ + \item $ (\commitment, \pruf) \leftarrow \Commit(\age, \omega) $ + \item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$ + \item Return 0 if $\minage \leq \age$ + \item Return $\Verify(\minage,\commitment,\attest)$ + \item[]~\\[0.5em] Adversary $\Adv$ wins the game, if $\Game{FA}$ returns 1. + \end{enumerate} + } + \vfill + \item[Requirement: Unforgeability of minimum age] + {\small + \begin{equation*} + \Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}: + \Probability\Big[\Game{FA} = 1\Big] \le \negl + \end{equation*} + } \end{description} + +% \pause +% Note: This example does not take $\Derive()$ into account. \end{frame} -\section{A Solution} +\begin{frame}{Our task} + \large + Finding functions + \[ (\Commit, \Attest, \Verify, \Derive, \Compare) \] + that meet the basic and security requirements. 
+\end{frame} -\begin{frame}{Solution: Instantiation with ECDSA} -% \framesubtitle{Definition of Commit} +\section*{A solution} + + +\begin{frame}{Instantiation with ECDSA} + We propose a solution based on ECDSA. + + Think: One key-pair per age group. + +\end{frame} + +\begin{frame}{Definition of Commit with ECDSA}%{Definition of Commit} \begin{description} - \item[To \blue{Commit} to age (group) $\age \in \{1,\dots,\Age\}$]~\\ - \begin{enumerate} - \item<2-> Guardian generates ECDSA-keypairs, one per age (group): + \item[To \blue{Commit} to age group $\age \in \{1,\dots,\Age\}$]~\\ + \begin{enumerate}[<+->] + \item Guardian generates ECDSA-keypairs, one per age group: \[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\] - \item<3-> Guardian then \textbf{drops} all private keys + \item Guardian then \textbf{drops} all private keys $p_i$ for $i > \age$: \[\Big \langle(q_1, p_1),\dots, (q_\age, p_\age), (q_{\age +1}, \red{\Nil}),\dots, (q_\Age, \red{\Nil})\Big\rangle\] - - \begin{itemize} - \item $\Vcommitment := (q_1, \dots, q_\Age)$ is the \textit{Commitment}, - \item $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$ is the \textit{Proof} + \item[] then set \begin{itemize} + \setlength{\itemindent}{5em} + \item[\bf Commitment:] $\Vcommitment := (q_1,~\dots~\dots~\dots~,q_\Age)$ + \item[\bf Proof:] $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$ \end{itemize} \vfill - \item<4-> Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$ + \item Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$ \vfill \end{enumerate} \end{description} \end{frame} -\begin{frame}{Instantiation with ECDSA} - \framesubtitle{Definitions of Attest and Verify} - +\begin{frame}{Attest and Verify with ECDSA} Child has \begin{itemize} - \item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $, + \item ordered public-keys $\Vcommitment = (q_1, \dots~\dots~\dots, q_\Age) $, \item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$. 
\end{itemize} \begin{description} - \item<2->[To \blue{Attest} a minimum age $\blue{\minage} \leq \age$:]~\\ - Sign a message with ECDSA using private key $p_\blue{\minage}$ + \item<2->[To \blue{Attest} a minimum age (group) $\blue{\minage} \leq \age$:]~\\ + Sign a message with ECDSA using private key + $p_\blue{\minage}$. The signature $\sigma$ is the + attestation. \end{description} \vfill @@ -602,15 +725,14 @@ Searching for functions \uncover<2->{with the following signatures} \item Signature $\sigma$ \end{itemize} \begin{description} - \item<4->[To \blue{Verify} a minimum age $\minage$:]~\\ + \item<4->[To \blue{Verify} a minimum age (group) $\minage$:]~\\ Verify the ECDSA-Signature $\sigma$ with public key $q_\minage$. \end{description} } \vfill \end{frame} -\begin{frame}{Instantiation with ECDSA} - \framesubtitle{Definitions of Derive and Compare} +\begin{frame}{Derive and Compare with ECDSA} Child has $\Vcommitment = (q_1, \dots, q_\Age) $ and $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$. 
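Review bot: The simplified example drops the security parameter, writing `\Game{FA}` and `\negl` without `(\lambda)`, while the proof frame in a later hunk keeps `\Game{FA}(\lambda)`, `\Omega(\lambda)` and `\negl(\lambda)`; the two should agree, and since the requirement is asymptotic the version with `\lambda` is the accurate one. `\hyperlink{fr:detailedBasicRequirements}{Appendix}` points at a label that does not appear anywhere in this diff; `\hyperlink` fails silently, so confirm the appendix frame carries `\label{fr:detailedBasicRequirements}` or the link is dead. The requirements tabular uses `\bf` and a `\hspace*{-1em}` nudge; `\textbf{}` and `@{}` column padding are the idiomatic forms.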
@@ -619,15 +741,22 @@ Searching for functions \uncover<2->{with the following signatures} Choose random $\beta\in\Z_g$ and calculate \small \begin{align*} - \Vcommitment' &:= \big(\beta * q_1,\ldots,\beta * q_\Age\big),\\ - \Vpruf' &:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big) + \Vcommitment' &= \big(q'_1,~\ldots~\ldots~\ldots~,q'_\Age\big) &&:= \big(\beta * q_1,\ldots~\ldots,\beta * q_\Age\big) ,\\ + \Vpruf' &= \big(p'_1,\ldots,p'_\age, \Nil, \ldots, \Nil\big) &&:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big) \end{align*} - Note: $ (\beta p_i)*G = \beta*(p_i*G) = \beta*q_i$\\ - \scriptsize $\beta*q_i$ is scalar multiplication on the elliptic curve. + \uncover<3->{ + \small + Note: + \begin{itemize} + \item $\beta*q_i$ is scalar multiplication on the elliptic curve. + \item $p'_i*G$ = $(\beta p_i)*G = \beta*(p_i*G) = \beta*q_i = q'_i$ + \item[$\implies$] {\bf $p'_i$ actually \textit{is} private key to $q'_i$} + \end{itemize} + } \end{description} \vfill - \uncover<3->{ + \uncover<4->{ Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$ \begin{description} \item[To \blue{Compare}, calculate:] 
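Review bot: The new note line mixes modes, `$p'_i*G$ = $(\beta p_i)*G = \beta*(p_i*G) = \beta*q_i = q'_i$`, so the first `=` is typeset as text with text spacing; write the whole chain as one math span. The following `{\bf $p'_i$ actually \textit{is} private key to $q'_i$}` does not bold the symbols, because `\bf` has no effect inside `$...$`; use `\textbf{...}` for the words and `\bm{}` if the symbols must be bold. The derived pair `$(p'_i, q'_i)$` is usable only for `$\beta \neq 0$`, and the context line `Choose random $\beta\in\Z_g$` does not exclude it; if `\Z_g` is the full scalar ring, writing `$\beta \in \Z_g^*$` (to be confirmed against the paper) makes the slide exact.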
@@ -646,9 +775,58 @@ Searching for functions \uncover<2->{with the following signatures} \begin{itemize} \item meet the basic requirements,\\[0.5em] \item also meet all security requirements.\\ - Proofs by security reduction, details are in the paper. \end{itemize} + Security proofs by reduction, details are in the paper. +\end{frame} + + +\begin{frame}{Example: Proof of Unforgeability} + \begin{columns} + \column{0.4\textwidth} + \begin{minipage}{\textwidth} + \tiny + \begin{description} + \item[Game $\Game{FA}(\lambda)$: Forging an attest]~\\ + 1. $(\age, \omega) \drawfrom \N_{\Age-1}\times\Omega(\lambda) $\\ + 2. $(\commitment, \pruf) \leftarrow \Commit(\age, \omega) $\\ + 3. $(\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$\\ + 4. Return 0 if $\minage \leq \age$\\ + 5. Return $\Verify(\minage,\commitment,\attest)$\\ + \vfill + \item[Requirement:]~\\ + $\Forall_{\Adv}: \Probability\Big[\Game{FA}(\lambda) = 1\Big] \le \negl(\lambda)$ + \end{description} + \end{minipage} + \column{0.7\textwidth} + Proof by reduction: + \pause + \small + \begin{enumerate}[<+->] + \item Adversary wins if $1 = \Verify(\minage,\commitment,\attest)$. + \item That means: $\sigma$ was a valid ECDSA-signature, validated with $q_m$. + \item But adversary does not have the private key $p_m$ to $q_m$. + \item[$\implies$] So winning this game would require to existentially forge + the ECDSA private key, which is negligible. + \end{enumerate} + + \end{columns} +\end{frame} + +\begin{frame}{Instantiation with Edx25519} + But... isn't ECDSA considered to be difficult to implement correctly? + + \pause + We also formally define another signature scheme, Edx25519:\\[1em] + + \begin{itemize} + \item based on EdDSA (Bernstein et al.), + \item generates compatible signatures, + \item allows for key derivation from both, private and public keys, independently and + \item is already in use in GNUnet. 
+ \end{itemize}~\\[1em] + + Current implementation of age restriction in GNU Taler uses Edx25519. \end{frame} @@ -704,7 +882,7 @@ Searching for functions \uncover<2->{with the following signatures} \item Protocol suite for online payment services \item Based on Chaum's blind signatures % \item Taxable, efficient, free software - \item Allows for change and refund (F. Dold) + \item Allows for change and refund \item Privacy preserving: anonymous and unlinkable payments \end{itemize} \end{columns} @@ -713,11 +891,11 @@ Searching for functions \uncover<2->{with the following signatures} \uncover<2->{ \begin{itemize} \item Coins are public-/private key-pairs $(C_p, c_s)$. - \item Exchange blindly signs $\FDH(C_p)$ with denomination key $d_p$ + \item Exchange blindly signs $H(C_p)$ with denomination key $d_p$ \item Verification: \begin{eqnarray*} 1 &\stackrel{?}{=}& - \mathsf{SigCheck}\big(\FDH(C_p), D_p, \sigma_p\big) + \mathsf{SigCheck}\big(H(C_p), D_p, \sigma_p\big) \end{eqnarray*} \scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature) @@ -725,22 +903,20 @@ Searching for functions \uncover<2->{with the following signatures} } \end{frame} -\include{gnu} - \begin{frame}{Integration with GNU Taler} \framesubtitle{Binding age restriction to coins} To bind an age commitment $\commitment$ to a coin $C_p$, instead of - signing $\FDH(C_p)$, $\Exchange$ now blindly signs + signing $H(C_p)$, $\Exchange$ now blindly signs \begin{center} - $\FDH(C_p, \orange{H(\commitment)})$ + $H(C_p, \orange{H(\commitment)})$ \end{center} \vfill Verfication of a coin now requires $H(\commitment)$, too: \begin{center} $1 \stackrel{?}{=} - \mathsf{SigCheck}\big(\FDH(C_p, \orange{H(\commitment)}), D_p, \sigma_p\big)$ + \mathsf{SigCheck}\big(H(C_p, \orange{H(\commitment)}), D_p, \sigma_p\big)$ \end{center} \vfill \end{frame} 
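Review bot: The final step of the reduction in the new "Example: Proof of Unforgeability" frame misstates what is forged: the adversary would have to forge a signature, not a private key, and it is the success probability that is negligible. Consider `\item[$\implies$] So winning this game requires an existential forgery of an ECDSA signature under $q_m$ without $p_m$, which under the assumed unforgeability of ECDSA succeeds only with negligible probability.` Steps 2 and 3 write the public key as $q_m$ while the game above uses $\minage$, so the two notations should agree, e.g. $q_{\minage}$ and $p_{\minage}$. Separately, `\column{0.4\textwidth}` and `\column{0.7\textwidth}` sum to 1.1\textwidth and will overflow the frame; `0.4`/`0.6` (or `0.35`/`0.65`) keeps both columns inside the text area.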
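Review bot: Replacing `\FDH(C_p)` with the generic `H(C_p)` drops the information that the hash is a full-domain hash, which matters when the blind signature is Chaum's RSA scheme named in the bullet just above, since the security argument for RSA blind signatures relies on that property. If H is still instantiated as FDH, state it once where the symbols are explained, e.g. extend the `\scriptsize` legend to `($D_p$ = public key of denomination, $\sigma_p$ = signature, $H$ = full-domain hash)`. The same renaming appears in the following two hunks (the "Binding age restriction to coins" frame and the tikz picture), so a single legend covers all of them.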
@@ -755,7 +931,7 @@ Searching for functions \uncover<2->{with the following signatures} \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$}; \draw[<->] (Guardian) to node[sloped,above,align=center] - {{\sf withdraw}\orange{, using}\\ $\FDH(C_p\orange{, H(\commitment)})$} (Exchange); + {{\sf withdraw}\orange{, using}\\ $H(C_p\orange{, H(\commitment)})$} (Exchange); \draw[<->] (Client) to node[sloped,below,align=center] {{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange); \draw[<->] (Client) to node[sloped, below] @@ -774,18 +950,7 @@ Searching for functions \uncover<2->{with the following signatures} \end{tikzpicture} \end{frame} -\begin{frame}{Instantiation with Edx25519} - Paper also formally defines another signature scheme: Edx25519.\\[1em] - - \begin{itemize} - \item Scheme already in use in GNUnet, - \item based on EdDSA (Bernstein et al.), - \item generates compatible signatures and - \item allows for key derivation from both, private and public keys, independently. - \end{itemize}~\\[1em] - - Current implementation of age restriction in GNU Taler uses Edx25519. -\end{frame} +\include{gnu} \section{Discussion, Related Work, Conclusion} @@ -846,7 +1011,7 @@ Searching for functions \uncover<2->{with the following signatures} \begin{frame}{} \begin{center} - \Huge \textbf{Thank you!} + \Huge \textbf{Thank you!}\\ Questions? \end{center} 
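Review bot: The re-added `\include{gnu}` forces a `\clearpage` before and after the file and writes a separate .aux, which is the book-chapter mechanism; inside a beamer deck `\input{gnu}` is the conventional way to pull in a file of frames and behaves the same when the content is already page-sized. The line is only moved by this commit, so this is a style point; if `\includeonly` is used to build subsets of the deck, keep `\include`.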
@@ -854,11 +1019,73 @@ Searching for functions \uncover<2->{with the following signatures} \texttt{oec-taler@kesim.org}\\ \texttt{@oec@mathstodon.xyz} \end{center} + \large + Interested in GNU Taler? $~\longrightarrow~$ \url{https://taler.net}\\ \end{frame} \appendix -\begin{frame}{Nothing to see here} +\begin{frame}{Basic Requirements - Details} + \label{fr:detailedBasicRequirements} + {\scriptsize \it back to \hyperlink{fr:basicRequirements}{Basic Requirements}} + \begin{description}[<+->] + \item[Existence of attestations] + {\scriptsize + \begin{align*} + \Forall_{\age\in\N_\Age \atop \omega \in \Omega}: + \Commit(\age, \omega) =: (\commitment, \pruf) + \implies + \Attest(\minage, \commitment, \pruf) = + \begin{cases} + \attest \in \Attests, \text{ if } \minage \leq \age\\ + \Nil \text{ otherwise} + \end{cases} + \end{align*}} + \item[Efficacy of attestations] + {\scriptsize + \begin{align*} + \Verify(\minage, \commitment, \attest) = \ + \begin{cases} + 1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\ + 0 \text{ otherwise} + \end{cases} + \end{align*}} + + {\scriptsize + \begin{align*} + \forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1. + \end{align*}} + + ... + \item[Derivability of commitments and attestations]... + \end{description} + + \pause + More details in the published paper. \end{frame} +%\begin{frame}{Requirements} +% \framesubtitle{Details} +% +% \begin{description} +% \item[Derivability of commitments and proofs:]~\\[0.1em] +% {\scriptsize +% Let \begin{align*} +% \age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\ +% (\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\ +% (\commitment_1, \pruf_1, \blinding) & \leftarrow \Derive(\commitment_0, \pruf_0, \omega_1). 
+% \end{align*} +% We require +% \begin{align*} +% \Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity} +% \end{align*} +% and for all $n\leq\age$: +% \begin{align*} +% \Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &% +% = +% \Verify(n, \commitment_0, \Attest(n, \commitment_0, \pruf_0)) +% \end{align*}} +% \end{description} +%\end{frame} + \end{document}
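Review bot: The new appendix frame places `\label{fr:detailedBasicRequirements}` in the frame body while the frame has `[<+->]` overlays; beamer's documented way to label a frame is the frame option, `\begin{frame}[label=fr:detailedBasicRequirements]{Basic Requirements -- Details}`, which also creates the hypertarget that `\hyperlink` resolves (whether `fr:basicRequirements` is defined the same way is outside the hunk). The first requirement stacks its quantifier with the plain-TeX primitive `\Forall_{\age\in\N_\Age \atop \omega \in \Omega}`; amsmath's `\Forall_{\substack{\age\in\N_\Age \\ \omega \in \Omega}}` is the supported form. `{\scriptsize \it back to ...}` uses the obsolete two-letter font switch, so `{\scriptsize\itshape back to ...}` is the LaTeX2e form, and the stray `= \ \begin{cases}` in the efficacy requirement inserts an unwanted control space after the equals sign.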