diff --git a/eipsi2024/README.md b/eipsi2024/README.md
new file mode 100644
index 0000000..939170d
--- /dev/null
+++ b/eipsi2024/README.md
@@ -0,0 +1,18 @@
+# Talk _Are you old enough to buy this?_
+
+Talk for a hacker audience about the inception of age restriction in GNU Taler.
+
+## Questions from Audience so far
+
+Here are questions that were asked and should be better answered in the slides
+
+- [ ] Wouldn't age restriction reduce the anonymity space?
+- [ ] Couldn't a older child give a younger child coins with higher age restriction?
+- [ ] How does the coin (with age restriction) transfere from guardian to child really work (in the wallet)?
+- [ ] Isn't the price for cut&choose more than (uncontrolled) uncertainty?
+- [ ] How is the order of the public keys guaranteed?
+- [ ] Couldn't the scheme be used by game studios?
+- [ ] What is the state of Taler? Is it used anywhere?
+- [ ] Is RSA for blind signing necessary? Couldn't you use Wagner's variant based on EcDH?
+
+
diff --git a/eipsi2024/definitions.tex b/eipsi2024/definitions.tex
new file mode 100644
index 0000000..c2bdf3e
--- /dev/null
+++ b/eipsi2024/definitions.tex
@@ -0,0 +1,90 @@
+\newcommand{\blue}[1]{{\color{blue}#1}}
+\newcommand{\red}[1]{{\color{red}#1}}
+\newcommand{\Guardian}{\mathcal{G}}
+\newcommand{\Child}{\mathcal{C}}
+\newcommand{\Customer}{\mathcal{C}}
+\newcommand{\Merchant}{\mathcal{M}}
+\newcommand{\Exchange}{\mathcal{E}}
+
+\newcommand{\Commit}{\mathsf{Commit}}
+\newcommand{\Attest}{\mathsf{Attest}}
+\newcommand{\Verify}{\mathsf{Verify}}
+\newcommand{\Derive}{\mathsf{Derive}}
+\newcommand{\DeriveCompare}{\mathsf{DeriveCompare_\kappa}}
+\newcommand{\Compare}{\mathsf{Compare}}
+\newcommand{\AgeVer}{\mathsf{AgeVer}}
+
+\newcommand{\HashF}{\mathsf{H}}
+\newcommand{\Hash}{\mathsf{H}}
+\newcommand{\Block}{\mathbb{B}}
+\newcommand{\Pub}{\mathsf{Pub}}
+\newcommand{\Sign}{\mathsf{Sig}}
+\newcommand{\Ver}{\mathsf{Ver}}
+\newcommand{\Encoding}{\mathsf{Encoding}}
+\newcommand{\ECDSA}{\mathsf{ECDSA}}
+\newcommand{\Null}{\mathcal{O}}
+\newcommand{\EC}{\mathrm{ec}}
+\newcommand{\Curve}{\mathsf{Curve25519}}
+\newcommand{\SHA}{\mathsf{SHA256}}
+\newcommand{\SHAF}{\mathsf{SHA252}}
+\newcommand{\FDH}{\mathsf{FDH}}
+
+\newcommand{\negl}{\epsilon}
+
+\newcommand{\rand}{\mathsf{rand}}
+\newcommand{\age}{\mathsf{a}}
+\newcommand{\Age}{\mathsf{M}}
+\newcommand{\bage}{\mathsf{b}}
+\newcommand{\minage}{\mathsf{m}}
+\newcommand{\attest}{\mathsf{T}}
+\newcommand{\commitment}{\mathsf{Q}}
+\newcommand{\pruf}{\mathsf{P}}
+\newcommand{\Vcommitment}{\vec{\mathsf{Q}}}
+\newcommand{\Vpruf}{\vec{\mathsf{P}}}
+\newcommand{\blinding}{\beta}
+
+\newcommand{\ZN}{\mathbb{Z}_N}
+\newcommand{\Z}{\mathbb{Z}}
+\newcommand{\N}{\mathbb{N}}
+\newcommand{\A}{\mathbb{A}}
+\newcommand{\E}{\mathbb{E}}
+\newcommand{\F}{\mathbb{F}}
+\newcommand{\seck}{\mathsf{s}}
+\newcommand{\pubk}{\mathsf{P}}
+\renewcommand{\H}{\mathbb{H}}
+\newcommand{\K}{\mathbb{K}}
+\newcommand{\Proofs}{\mathbb{P}}
+\newcommand{\Commitments}{\mathbb{O}}
+\newcommand{\Attests}{\mathbb{T}}
+\newcommand{\Blindings}{\mathbb{B}}
+\newcommand{\Nil}{\perp}
+
+\newcommand{\p}{\mathsf{p}}
+\newcommand{\com}{\mathsf{com}}
+\newcommand{\prf}{\mathsf{prf}}
+
+\newcommand{\Adv}{\mathcal{A}}
+\newcommand{\PPT}{\mathfrak{A}}
+\newcommand{\Probability}{\mathrm{Pr}}
+\newcommand{\Algorithm}{f}
+\renewcommand{\Game}[1]{G_\Adv^\mathsf{#1}}
+
+\DeclareMathOperator{\Image}{Im}
+\DeclareMathOperator{\Mod}{mod}
+
+\newcommand{\Encode}[1]{\overbracket[0.5pt][2pt]{\,#1\,}}
+\newcommand{\Decode}[1]{\underbracket[0.5pt][3pt]{\,#1\,}}
+\newcommand{\FDHg}[1]{[#1]_g\,}
+\newcommand{\logg}{{\breve{g}}}
+
+
+\newcommand{\drawfrom}{\xleftarrow{\$}}
+\newcommand\Exists{%
+ \mathop{\lower0.75ex\hbox{\ensuremath{%
+ \mathlarger{\mathlarger{\mathlarger{\mathlarger{\exists}}}}}}}%
+ \limits}
+
+\newcommand\Forall{%
+ \mathop{\lower0.75ex\hbox{\ensuremath{%
+ \mathlarger{\mathlarger{\mathlarger{\mathlarger{\forall}}}}}}}%
+ \limits}
diff --git a/eipsi2024/eipsi2024.tex b/eipsi2024/eipsi2024.tex
new file mode 100644
index 0000000..e3b126c
--- /dev/null
+++ b/eipsi2024/eipsi2024.tex
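Review bot: Several macros for distinct notions expand to the same glyph — `\Child` and `\Customer` both give `\mathcal{C}`, `\Hash` and `\HashF` both give `\mathsf{H}`, and `\Block` and `\Blindings` both give `\mathbb{B}` — so on the slides the reader cannot tell them apart by notation; the commented-out DeriveCompare frame in eipsi2024.tex even uses `\Hash` and `\HashF` in the same formula, which suggests they are meant to differ. Where the overlap is deliberate, a comment such as `% \Hash and \HashF intentionally share the glyph \mathsf{H}` next to the definitions would prevent a later reader from "fixing" it; where it is not, give the second macro a distinct glyph. `\renewcommand{\H}{\mathbb{H}}` also clobbers LaTeX's `\H` text accent, so any `\H{o}` in text (e.g. in a name) will produce math instead of an accent. `\newcommand{\SHAF}{\mathsf{SHA252}}` directly below `\newcommand{\SHA}{\mathsf{SHA256}}` looks like a typo; if no "SHA252" is intended, change it to `\newcommand{\SHAF}{\mathsf{SHA256}}`.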
@@ -0,0 +1,1148 @@
+\documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer}
+\usepackage{appendixnumberbeamer}
+\usepackage{amsmath}
+\usepackage{multimedia}
+\usepackage{wrapfig}
+\usepackage[utf8]{inputenc}
+\usepackage{framed,color,ragged2e}
+\usepackage[absolute,overlay]{textpos}
+\usetheme[progressbar=frametitle]{metropolis}
+%\setbeamertemplate{navigation symbols}{\insertframenumber/\inserttotalframenumber}
+\setbeamersize{description width=1em}
+\setbeamertemplate{section in toc}[sections]
+\setbeamertemplate{footline}{}
+\usepackage{xcolor}
+\usepackage[normalem]{ulem}
+\usepackage{listings}
+\usepackage{adjustbox}
+\usepackage{array}
+\usepackage{bbding}
+\usepackage{relsize}
+\usepackage{graphicx}
+\usepackage{tikz,eurosym,calc}
+\usetikzlibrary{tikzmark}
+\usetikzlibrary{shapes,arrows,arrows.meta}
+\usetikzlibrary{positioning,patterns}
+\usetikzlibrary{calc}
+
+\usepackage{fontspec}
+\IfFontExistsTF{IBM Plex Sans}{\setsansfont{IBM Plex Sans}}{}
+\IfFontExistsTF{IBM Plex Serif}{\setmainfont{IBM Plex Serif}}{}
+
+\definecolor{blue}{rgb}{0,0.4,1}
+\newcommand{\orange}[1]{{\color{orange}#1}}
+\newcommand{\TODO}[1]{\orange{TODO: #1}}
+
+\makeatletter
+\setbeamercolor{framesubtitle}{fg=mDarkTeal}
+\defbeamertemplate*{frametitle}{myframetitle}{%
+ \nointerlineskip
+ \begin{beamercolorbox}[%
+ wd=\paperwidth,%
+ sep=0pt,%
+ leftskip=\metropolis@frametitle@padding,
+ rightskip=\metropolis@frametitle@padding,
+ ]{frametitle}%
+ \metropolis@frametitlestrut@start
+ \quad\insertframetitle%%%%%%%%%%%%%%%%%%%%%%
+ \nolinebreak
+ \metropolis@frametitlestrut@end
+ \end{beamercolorbox}\par
+ \usebeamerfont{framesubtitle}%
+ \usebeamercolor[fg]{framesubtitle}%
+ \vskip3pt
+ \hspace*{-0.5\metropolis@frametitle@padding}%
+ \insertframesubtitle
+}
+\makeatother
+\setbeamertemplate{frametitle}[myframetitle]
+
+\newcommand{\Section}[2]{\section[#1\newline\scriptsize{#2}]{#1}}
+
+\input{definitions}
+
+\title{Are you old enough to buy this?}
+\subtitle{Zero-Knowledge Age 
Restriction for GNU Taler} + +\author{Özgür Kesim} +\institute{FU Berlin} +\date{December 29, 2022} + +%TODO: \titlegraphic{\centering\includegraphics[width=0.5\textwidth]{images/hip2022.jpg}} + + +\begin{document} + +%\justifying + +\begin{frame} + \titlepage +\end{frame} + +\section*{Prolog}%{Who am I, what do I want and who pays for all this?} + +\begin{frame}{Who am I} + Özgür Kesim, + \begin{itemize} + \item security consultant for 20+ years, + \item PhD candidate at FU Berlin, + \item member of GNU Taler dev-team. + \end{itemize} + + + \vfill + \url{oec-taler@kesim.org} \hfill \url{@oec@mathstodon.xyz} \hfill + +\end{frame} + +\begin{frame}{What to expect} + \small + \begin{description} + \item<1->[Deliverable]~\\ + Present a solution to age restriction and its integration in GNU Taler. + \vfill + \item<2->[Side-Channel]~\\ + Show concepts from cryptography by example: + + Zero-Knowledge protocol, Security Game and Security Proof + + This will be technical. + \vfill + \item<3->[Non-goals]~\\ + \begin{itemize} + \item[] \underline{Rigorous} introduction into GNU Taler + \item[] Demos + \end{itemize} + \end{description} +\end{frame} + + +\begin{frame}{Sponsors} + \centering\begin{columns}[T] + \column{0.5\textwidth} + \centering NGI Pointer program of the European Commission\\[2em] + + \centering\includegraphics[width=0.7\textwidth]{images/ngi-ap3.png} + + \column{0.5\textwidth} + \centering Project \textit{Concrete Contracts} in the + \textit{KMU-innovativ} programm\\[2em] + + \centering\includegraphics[width=0.9\textwidth]{images/bmbf-english.jpg} + \end{columns} +\end{frame} + +\begin{frame}{Chapters} + \tableofcontents[pausesections,hideallsubsections] +\end{frame} + + +\section[Introduction\newline\scriptsize Age Restriction in E-commerce]{Introduction} + +\begin{frame}{Youth protection} + + Broad consensus in society about the necessity to protect minors from + harmful content. + + \vfill + + Also wanted from policy makers:\\[1em] + \begin{quote} + 11. 
Member states should encourage the \textbf{use of + conditional access tools} by content and service providers in + relation to content harmful to minors, \textbf{such as + age-verification systems}, ... + \end{quote} + + \tiny + From the + \href{https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680645b44} + {\textit{Recommendation Rec (2001) 8 of the Committee of + Ministers to member states on self-regulation concerning cyber + content}} of the Council of Europe. + +\end{frame} + +\begin{frame}{Age restriction in E-commerce} + + \begin{description}[<+->] + \item[Problem:]~\\[1em] + Verification of minimum age requirements in e-commerce.\\[2em] + + \item[Common solutions:] + + \begin{tabular}{l<{\onslide<3->}c<{\onslide<4->}cr<{\onslide}} + & \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount] + 1. ID Verification & bad & required & \\[\medskipamount] + 2. Restricted Accounts & bad & required & \\[\medskipamount] + 3. Attribute-based & good & required &\tikzmark{bottomau} \\[\medskipamount] + \end{tabular} + \end{description} + +\uncover<5->{ + \begin{tikzpicture}[overlay,remember picture] + \draw[orange,thick,rounded corners] + ($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$); + \end{tikzpicture} + \begin{center} + \bf Principle of subsidiarity is ignored + \end{center} +} +\end{frame} + + +\begin{frame}{Principle of Subsidiarity} +\begin{center}\large + Functions of government\\ + ---such as granting and restricting rights---\\ + should be performed\\ + {\it at the lowest level of authority possible},\\ + as long as they can be performed {\it adequately}. 
+\end{center} +\vfill +\uncover<2->{ + For age-restriction, the lowest level of authority is:\\ + \begin{center}\Large + Parents, guardians and caretakers + \end{center} +} +\end{frame} + +\begin{frame}{Our goal} +A design and implementation of an age restriction scheme\\ +with the following properties: +\pause +\begin{enumerate}[<+->] + \item It ties age restriction to the \textbf{ability to pay} (not to ID's), + \item maintains the \textbf{anonymity of buyers}, + \item maintains \textbf{unlinkability of transactions}, + \item aligns with the \textbf{principle of subsidiarity}, + \item is \textbf{practical and efficient}. +\end{enumerate} + +\end{frame} + +\begin{frame}{Teaser} + \centering \includegraphics[height=0.9\textheight]{images/wallet-age.png} +\end{frame} + +\Section{The quest for a solution to age restriction}{A journey through cryptic territory} + +\begin{frame}{Basic assumption and ideas} + \small + Assumption: Bank accounts are under control of adults/guardians. + + \vfill + Sketch of scheme, independent of payment service protocol: + + \begin{columns} + \column{7cm} + \begin{enumerate} + \item<2-> \textit{Guardians} \textbf{commit} to a maximum age + \item<4-> \tikzmark{sstart}\textit{Minors} \textbf{attest} their adequate age + \item<6-> \textit{Merchants} \textbf{verify} the attestations + \item<7-> \textit{Minors} \textbf{derive} age commitments from existing ones + \item<9-> \textit{Exchanges} \textbf{compare} the derived age commitments + \item<10-> \tikzmark{send}{\large \texttt{GOTO}} 2. 
+ \begin{tikzpicture}[overlay, remember picture] + \draw[line width=1pt,->] + ([shift=({-6mm, 1mm})]pic cs:send) to + ([shift=({-1cm, 1mm})]pic cs:send) to + ([shift=({-1cm, 1mm})]pic cs:sstart) to + ([shift=({-6mm, 1mm})]pic cs:sstart); + \end{tikzpicture} + \end{enumerate} + \column{4.5cm} + \begin{center} + \fontsize{7pt}{7pt}\selectfont + \begin{tikzpicture}[scale=.5] + \uncover<2->{ + \node[circle,minimum size=15pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$}; + \draw[->] (Guardian) to [out=50,in=130, loop] node[above] + {$\Commit$} (Guardian); + } + \uncover<3->{ + \node[circle,minimum size=15pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \draw[,|->] (Guardian) to node[above,sloped,align=left] + {{\scriptsize }} (Client); + } + \uncover<4->{ + \draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left] + {\blue{$\Attest$}} (Client); + } + \uncover<5->{ + \node[circle,minimum size=15pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$}; + \draw[blue,|->] (Client) to node[sloped, above] + {\blue{\scriptsize }} (Merchant); + } + \uncover<6->{ + \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above] + {\blue{$\Verify$}} (Merchant); + } + \uncover<7->{ + \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below] + {\orange{$\Derive$}} (Client); + } + \uncover<8->{ + \node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; + \draw[orange,|->] (Client) to node[sloped,above,align=left] + {\orange{\scriptsize }} (Exchange); + } + \uncover<9->{ + \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] + {\orange{$\Compare$}} (Exchange); + } + \end{tikzpicture} + \end{center} + \end{columns} +\end{frame} + + +\begin{frame}{Specification of the Function Signatures} +\small +Searching for functions \uncover<2->{with the following signatures} +\begin{align*} + &\bf \Commit\uncover<2->{: + &(\age, \omega) &\mapsto (\commitment, \pruf) + &\scriptstyle \N_\Age \times \Omega &\scriptstyle \to 
\Commitments\times\Proofs, + } + \\ + %FIXME: This is how Attest was defined in the orignal paper (_with_) commitment! + %&\bf \Attest\uncover<3->{: + % &(\minage, \commitment, \pruf) &\mapsto \attest + % &\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\}, + % } + %\\ + &\bf \Attest\uncover<3->{: + &(\minage, \pruf) &\mapsto \attest + &\scriptstyle \N_\Age\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\}, + } + \\ + &\bf \Verify\uncover<4->{: + &(\minage, \commitment, \attest) &\mapsto b + &\scriptstyle \N_\Age\times\Commitments\times\Attests &\scriptstyle \to \Z_2, + } + \\ + &\bf \Derive\uncover<5->{: + &(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf', \blinding) + &\scriptstyle \Commitments\times\Proofs\times\Omega &\scriptstyle \to \Commitments\times\Proofs\times\Blindings, + } + \\ + &\bf \Compare\uncover<6->{: + &(\commitment, \commitment', \blinding) &\mapsto b + &\scriptstyle \Commitments\times\Commitments\times\Blindings &\scriptstyle \to \Z_2, + } +\end{align*} + \uncover<7->{ + with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$ + sufficiently large sets.\\[1em] + } + %\uncover<8->{ + % The blindings $\beta$ ensure that only the Exchange can compare commitments.\\[1em] + %} + \uncover<8->{ + We will define basic and security requirements later.\\[1em] + } + + \scriptsize + \uncover<2->{ + Mnemonics:\\ + $\Commitments=$ \textit{c$\Commitments$mmitments}, + $\commitment=$ \textit{Q-mitment} (commitment), + $\Proofs=$ \textit{$\Proofs$roofs}, + } + \uncover<3->{ + $\pruf=$ \textit{$\pruf$roof},\\ + $\Attests=$ \textit{a$\Attests$testations}, + $\attest=$ \textit{a$\attest$testation}, + } + \uncover<5->{ + $\Blindings=$ \textit{$\Blindings$lindings}, + $\blinding=$ \textit{$\blinding$linding}. 
+ } +\end{frame} + +\begin{frame}{Naïve scheme} + \begin{center} + \begin{tikzpicture}[scale=.8] + \node[circle,minimum size=20pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$}; + \node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; + \node[circle,minimum size=20pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$}; + + \draw[->] (Guardian) to [out=50,in=130, loop] node[above] + {$\Commit$} (Guardian); + \draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left] + {\blue{$\Attest$}} (Client); + \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above] + {\blue{$\Verify$}} (Merchant); + \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below] + {\orange{$\Derive$}} (Client); + \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] + {\orange{$\Compare$}} (Exchange); + + \draw[,|->] (Guardian) to node[above,sloped,align=left] + {\scriptsize ($\commitment$, $\pruf_\age$)} (Client); + \draw[blue,|->] (Client) to node[sloped, above] + {\blue{\scriptsize($\minage$, $\commitment$, $\attest$) }} (Merchant); + \draw[orange,|->] (Client) to node[sloped,above,align=left] + {\orange{\scriptsize($\commitment$, $\commitment'$, $\beta$) }} (Exchange); + \end{tikzpicture} + \end{center} +% \pause{Why should $\Merchant$ trust those $\commitment$? Will solve later. 
+% \tiny (Hint: blind signature from $\Exchange$)} +\end{frame} + +\begin{frame}{Problem of unlinkability} + \begin{columns} + \column{3cm} + \begin{center} + \fontsize{8pt}{9pt}\selectfont + \begin{tikzpicture}[scale=.65] + \node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; + \node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + + \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below] + {\orange{$\footnotesize \Derive()$}} (Client); + \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] + {\orange{$\footnotesize \Compare()$}} (Exchange); + + \draw[orange,|->] (Client) to node[sloped,above,align=left] + {\orange{\tiny \uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange); + \end{tikzpicture} + \end{center} + + \column{9cm} + Simple use of $\Derive()$ and $\Compare()$ is problematic. + + \pause + \begin{itemize}[<+->] + \item Calling $\Derive()$ iteratively generates sequence + $(\commitment_0, \commitment_1, \dots)$ of commitments. + \item Exchange calls $\Compare(\commitment_i, \commitment_{i+1},~.~)$ + \item[$\implies$]Exchange identifies sequence + \item[$\implies$]{\bf Unlinkability broken} + \end{itemize} + \end{columns} +\end{frame} + +\begin{frame}{Achieving Unlinkability} + Given $\Derive()$ and $\Compare()$, define the Zero-Knowledge-protocol + \orange{$\DeriveCompare$} as follows (sketch): + + \uncover<2->{ + \small + Let $\kappa \in \N$ (say: $\kappa = 3$) + \begin{itemize}[<+->] + \item[$\Child$:] + \begin{enumerate} + \item generates $(\commitment_1,\dots,\commitment_\kappa)$ + and $(\beta_1,\dots,\beta_\kappa)$ from $\commitment_0$\\ + by calling $\kappa$ times $\Derive(\commitment_0, \pruf_0, \omega_i)$ + \item calculates $h_0:=H\left(H(\commitment_1, \beta_1)\parallel \dots\parallel H(\commitment_\kappa, \beta_\kappa)\right)$ + \item sends $\commitment_0$ and $h_0$ to $\Exchange$ + \end{enumerate} + \item[$\Exchange$:] + \begin{enumerate} + \item[4.] 
saves $\commitment_0$ and $h_0$ and sends $\Child$ random $\gamma \in \{1,\dots,\kappa\}$ + \end{enumerate} + \item[$\Child$:] + \begin{enumerate} + \item[5.] reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$ + \end{enumerate} + \item[$\Exchange$:] + \begin{enumerate} + \item[6.] compares $h_0$ and + $H\left(H(\commitment_1, \beta_1)\parallel ...\parallel h_\gamma\parallel ...\parallel H(\commitment_\kappa, \beta_\kappa)\right)$ + \item[7.] evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$ for all $i \neq \gamma$. + \end{enumerate} + \end{itemize} + \pause + If all steps succeed, $\commitment_\gamma$ is the new commitment. + } +\end{frame} + +\begin{frame}{Achieving Unlinkability}%{Certainty trade-off} + + With \orange{$\DeriveCompare$} + \begin{itemize} + \item $\Exchange$ learns nothing about $\commitment_\gamma$ or $H(\commitment_\gamma)$, + \item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty, + \item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat. + \item<2->[$\implies$] \textbf{Gives us unlinkability at the price of (adjustable) uncertainty!} + \end{itemize} + + \vfill + \uncover<3->{Notes: + \begin{itemize} + \item similar to the cut\&choose {\it refresh} protocol in GNU Taler + \item still need to define $\Derive()$ and $\Compare()$. 
+ \end{itemize} + } +\end{frame} + +\begin{frame}{Refined scheme} + \begin{center} + \begin{tikzpicture}[scale=.8] + \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$}; + + \uncover<2-3,8->{ + \draw[->] (Guardian) to [out=150,in=70, loop] node[above] + {$\Commit(\age)$} (Guardian); + } + \uncover<3,8->{ + \draw[->] (Guardian) to node[below,sloped] + {($\commitment$, $\pruf_\age$)} (Client); + } + + \uncover<4-6,8->{ + \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below] + % FIXME: This is in the original paper: + % {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client); + {\blue{$\Attest(\minage, \pruf_{\age})$}} (Client); + } + \uncover<5-6,8->{ + \draw[blue,->] (Client) to node[sloped, below] + {\blue{$(\attest_\minage, \commitment)$}} (Merchant); + } + \uncover<6,8->{ + \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below] + {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant); + } + \uncover<7,8->{ + \draw[orange,<->] (Client) to + node[sloped,below,align=center] {\orange{$\commitment \mapsto \commitment_\gamma$}} + node[sloped,above,align=center] {\orange{$\DeriveCompare$}} (Exchange); + } + + \end{tikzpicture} + \end{center} +\end{frame} + + +\begin{frame}{Sensible solutions} + Quest for functions should lead to \textit{sensible} solutions. + + \pause + F. e. $\Verify()$ should not simply always return \texttt{true}. + + \pause + We need more requirements. 
+\end{frame} + +% \begin{frame}{Achieving Unlinkability} +% \scriptsize +% $\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\ +% \vfill +% $\DeriveCompare(\commitment, \pruf, \omega) =$ +% \begin{itemize} +% \it +% \itemsep0.5em +% \item[$\Child$:] +% \begin{enumerate} +% \scriptsize +% \itemsep0.3em +% \item for all $i \in \{1,\dots,\kappa\}: +% (\commitment_i,\pruf_i,\beta_i) \leftarrow \Derive(\commitment, \pruf, \omega + i)$ +% \item $h \leftarrow \Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa) \big)$ +% \item send $(\commitment, h)$ to $\Exchange$ +% \end{enumerate} +% \item[$\Exchange$:] +% \begin{enumerate} +% \setcounter{enumi}{4} +% \scriptsize +% \itemsep0.3em +% \item save $(\commitment, h)$ \label{st:hash} +% \item $\gamma \drawfrom \{1,\dots ,\kappa\}$ +% \item send $\gamma$ to $\Child$ +% \end{enumerate} +% \item[$\Child$:] +% \begin{enumerate} +% \setcounter{enumi}{7} +% +% \scriptsize +% \itemsep0.3em +% \item $h'_\gamma \leftarrow \Hash(\commitment_\gamma, \beta_\gamma)$ +% \item $\mathbf{E}_\gamma \leftarrow \big[(\commitment_1,\beta_1),\dots, +% (\commitment_{\gamma-1}, \beta_{\gamma-1}), +% \Nil, +% (\commitment_{\gamma+1}, \beta_{\gamma+1}), +% \dots,(\commitment_\kappa, \beta_\kappa)\big]$ +% \item send $(\mathbf{E}_\gamma, h'_\gamma)$ to $\Exchange$ +% \end{enumerate} +% \item[$\Exchange$:] +% \begin{enumerate} +% \setcounter{enumi}{10} +% \scriptsize +% \itemsep0.3em +% \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow \Hash(\mathbf{E}_\gamma[i])$ +% \item if $h \stackrel{?}{\neq} \HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$ return 0 +% \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}$: +% if $0 \stackrel{?}{=} \Compare(\commitment,\commitment_i, \beta_i)$ return $0$ +% \item return 1 +% \end{enumerate} +% \end{itemize} +% \end{frame} + +\section*{Requirements} + +\begin{frame}{Basic Requirements} + 
\label{fr:basicRequirements} + Candidate functions + \[ (\Commit, \Attest, \Verify, \Derive, \Compare) \] + must meet \textit{basic requirements}: + + \begin{itemize} + \item Existence of attestations + \item Efficacy of attestations + \item Derivability of commitments and attestations + \end{itemize} + \pause + More details in the published paper and \hyperlink{fr:detailedBasicRequirements}{Appendix}. +\end{frame} + +\begin{frame}{Security Requirements} + Candidate functions must also meet \textit{security requirements}, + defined via security games: + \vfill + { + \small + \pause + \hspace*{-1em}\begin{tabular}{rp{9cm}} + \bf Requirement:& Unforgeability of minimum age\pause\\ + \bf $\leftrightarrow$\hfill Game:& Forging an attestation\pause\\[0.5em] + \bf Requirement: & Non-disclosure of age \pause\\ + \bf$\leftrightarrow$\hfill Game: & Age disclosure by commitment or attestation \pause\\[0.5em] + \bf Requirement:& Unlinkability of commitments and attestations\pause\\ + \bf $\leftrightarrow$\hfill Game:& Distinguishing derived commitments and attestations + \end{tabular} + } + \vfill + + \pause + Meeting the security requirements means that adversaries can win + those games only with negligible advantage. + \vfill + \pause + Adversaries are arbitrary polynomial-time algorithms, acting on all + relevant input. +\end{frame} + +\begin{frame}{Security Requirements}{Simplified Example} + + \begin{description}[<+->] + \item[Game $\Game{FA}$: Forging an attest]~\\ + {\small + \begin{enumerate} + \item $ (\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $ + \item $ (\commitment, \pruf) \leftarrow \Commit(\age, \omega) $ + \item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$ + \item Return 0 if $\minage \leq \age$ + \item Return $\Verify(\minage,\commitment,\attest)$ + \item[]~\\[0.5em] Adversary $\Adv$ wins the game, if $\Game{FA}$ returns 1. 
+ \end{enumerate} + } + \vfill + \item[Requirement: Unforgeability of minimum age] + {\small + \begin{equation*} + \Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}: + \Probability\Big[\Game{FA} = 1\Big] \le \negl + \end{equation*} + } + \end{description} + +% \pause +% Note: This example does not take $\Derive()$ into account. +\end{frame} + +\begin{frame}{Our task} + \large + Finding functions + \[ (\Commit, \Attest, \Verify, \Derive, \Compare) \] + that meet the basic and security requirements. +\end{frame} + +\section*{A solution} + + +\begin{frame}{Instantiation with ECDSA} + We propose a solution based on ECDSA. + + Think: One key-pair per age group. + +\end{frame} + +\begin{frame}{Definition of Commit with ECDSA}%{Definition of Commit} + + \begin{description} + \item[To \blue{Commit} to age group $\age \in \{1,\dots,\Age\}$]~\\ + \begin{enumerate}[<+->] + \item Guardian generates ECDSA-keypairs, one per age group: + \[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\] + \item Guardian then \textbf{drops} all private keys + $p_i$ for $i > \age$: + \[\Big \langle(q_1, p_1),\dots, + (q_\age, p_\age), + (q_{\age +1}, \red{\Nil}),\dots, + (q_\Age, \red{\Nil})\Big\rangle\] + \item[] then set \begin{itemize} + \setlength{\itemindent}{5em} + \item[\bf Commitment:] $\Vcommitment := (q_1,~\dots~\dots~\dots~,q_\Age)$ + \item[\bf Proof:] $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$ + \end{itemize} + \vfill + \item Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$ + \vfill + \end{enumerate} + \end{description} +\end{frame} + +\begin{frame}{Attest and Verify with ECDSA} + Child has + \begin{itemize} + \item ordered public-keys $\Vcommitment = (q_1, \dots~\dots~\dots, q_\Age) $, + \item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$. 
+ \end{itemize} + \begin{description} + \item<2->[To \blue{Attest} a minimum age (group) $\blue{\minage} \leq \age$:]~\\ + Sign a message with ECDSA using private key + $p_\blue{\minage}$. The signature $\sigma_\blue{\minage}$ is the + attestation. + \end{description} + + \vfill + + \uncover<3->{ + Merchant gets + \begin{itemize} + \item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $ + \item Signature $\sigma_\blue{\minage}$ + \end{itemize} + \begin{description} + \item<4->[To \blue{Verify} a minimum age (group) \blue{$\minage$}:]~\\ + Verify the ECDSA-Signature $\sigma_\blue{\minage}$ with public key $q_\blue{\minage}$. + \end{description} + } + \vfill +\end{frame} + +\begin{frame}{Derive and Compare with ECDSA} + Child has + $\Vcommitment = (q_1, \dots, q_\Age) $ and + $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$. + \begin{description} + \item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:] + Choose random $\beta\in\Z_g$ and calculate + \small + \begin{align*} + \Vcommitment' &= \big(q'_1,~\ldots~\ldots~\ldots~,q'_\Age\big) &&:= \big(\beta * q_1,\ldots~\ldots,\beta * q_\Age\big) ,\\ + \Vpruf' &= \big(p'_1,\ldots,p'_\age, \Nil, \ldots, \Nil\big) &&:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big) + \end{align*} + \uncover<3->{ + \small + Note: + \begin{itemize} + \item $\beta*q_i$ is scalar multiplication on the elliptic curve. 
+ \item $p'_i*G$ = $(\beta p_i)*G = \beta*(p_i*G) = \beta*q_i = q'_i$ + \item[$\implies$] {\bf $p'_i$ actually \textit{is} private key to $q'_i$} + \end{itemize} + } + \end{description} + + \vfill + \uncover<4->{ + Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$ + \begin{description} + \item[To \blue{Compare}, calculate:] + \small + $(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)$ + \end{description} + \vfill + } +\end{frame} + +\begin{frame}{Instantiation with ECDSA} + + Functions + (Commit, Attest, Verify, Derive, Compare)\\ + as defined in the instantiation with ECDSA\\[0.5em] + \begin{itemize} + \item meet the basic requirements,\\[0.5em] + \item also meet all security requirements.\\ + \end{itemize} + + Security proofs by reduction, details are in the paper. +\end{frame} + + +\begin{frame}{Example: Proof of Unforgeability} + \begin{columns} + \column{0.4\textwidth} + \begin{minipage}{\textwidth} + \tiny + \begin{description} + \item[Game $\Game{FA}$: Forging an attest]~\\ + 1. $(\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $\\ + 2. $(\commitment, \pruf) \leftarrow \Commit(\age, \omega) $\\ + 3. $(\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$\\ + 4. Return 0 if $\minage \leq \age$\\ + 5. Return $\Verify(\minage,\commitment,\attest)$\\ + \vfill + \item[Requirement:]~\\ + $\Forall_{\Adv}: \Probability\Big[\Game{FA} = 1\Big] \le \negl$ + \end{description} + \end{minipage} + \column{0.7\textwidth} + Proof by reduction: + \pause + \small + \begin{enumerate}[<+->] + \item Adversary wins if $1 = \Verify(\minage,\commitment,\attest)$. + \item That means: $\sigma$ was a valid ECDSA-signature, validated with $q_m$. + \item But adversary does not have the private key $p_m$ to $q_m$. + \item[$\implies$] So winning this game would require to existentially forge + the signature, which is negligible. 
+ \end{enumerate} + + \end{columns} +\end{frame} + +\begin{frame}{Instantiation with Edx25519} + But... isn't ECDSA considered to be difficult to implement correctly? + + \pause + We also formally define another signature scheme, Edx25519:\\[1em] + + \begin{itemize} + \item based on EdDSA (Bernstein et al.), + \item generates compatible signatures, + \item allows for key derivation from both, private and public keys, independently and + \item is already in use in GNUnet. + \end{itemize}~\\[1em] + + Current implementation of age restriction in GNU Taler uses Edx25519. +\end{frame} + + +% \begin{frame}{Instantiation with ECDSA} +% \framesubtitle{Full definitions} +% \scriptsize +% +% \begin{align*} +% \Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle +% \overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\; +% \overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf \text{, length }\Age} +% \Big\rangle\\ +% \Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:= +% \begin{cases} +% \attest_\bage := \Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage] \stackrel{?}{\neq} \Nil\\ +% \Nil & \text{otherwise} +% \end{cases}\\ +% % +% \Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:= \Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\ +% % +% \Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:= +% \Big\langle(\beta * q_1,\ldots,\beta * q_\Age), +% (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta \Big\rangle \\ +% & \text{ with } \beta := \FDHg{\omega} \text{ and multiplication } \beta p_i \text{ modulo } g \nonumber\\ +% % +% \Compare_E(\Vcommitment, \Vcommitment', \beta) &:= +% \begin{cases} +% 1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\ +% 0 & \text{otherwise} +% \end{cases} +% \end{align*} +% \end{frame} + +\section{Integration with GNU Taler} + +\begin{frame}{GNU Taler}{https://www.taler.net} + \label{fr:GnuTaler} + \begin{columns} + \column{4cm} + \fontsize{8pt}{9pt}\selectfont + 
\begin{tikzpicture}[scale=.55] + \node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$}; + \node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$}; + \node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$}; + + \draw[<->] (Customer) to [out=65,in=220] node[sloped,above] {\sf withdraw} (Exchange); + \draw[<->] (Customer) to [out=45,in=240] node[sloped,below] {\sf refresh} (Exchange); + \draw[<->] (Customer) to node[sloped, below] {\sf purchase} (Merchant); + \draw[<->] (Merchant) to node[sloped, above] {\sf deposit} (Exchange); + \end{tikzpicture} + \column{8cm} + \begin{itemize} + \item Protocol suite for online payment services + \item Based on Chaum's \hyperlink{fr:reminderBlindSignature}{blind signatures} + \item Taxable, efficient, free software + \item Allows for change and refund + \item Privacy preserving: anonymous and unlinkable payments + \end{itemize} + \end{columns} + + \vfill + \uncover<2->{ + \begin{itemize} + \item Coins are public-/private key-pairs $(C_p, c_s)$. 
+ \item Exchange \hyperlink{fr:reminderBlindSignature}{blindly signs} $H(C_p)$ with denomination key $d_p$ + \item Verification: + \begin{eqnarray*} + 1 &\stackrel{?}{=}& + \mathsf{SigCheck}\big(H(C_p), D_p, \sigma_p\big) + \end{eqnarray*} + \scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature) + + \end{itemize} + } +\end{frame} + +\begin{frame}{Integration with GNU Taler}{Binding age restriction to coins} + \label{fr:bindingToCoins} + + To bind an age commitment $\commitment$ to a coin $C_p$, instead of + blindly signing \[ H(C_p), \] + $\Exchange$ now \hyperlink{fr:reminderBlindSignature}{blindly signs} + \[ H\left(C_p\parallel\orange{H(\commitment)}\right) \] + + \vfill + Therefore, verfication of a coin now requires $H(\commitment)$, too: + \[ + 1 \stackrel{?}{=} + \mathsf{SigCheck}\big(H\left(C_p\parallel\orange{H(\commitment)}\right), D_p, \sigma_p\big) + \] + \vfill +\end{frame} + +\begin{frame}{Integration with GNU Taler} + \framesubtitle{Integrated schemes} + \fontsize{8pt}{9pt}\selectfont + \begin{tikzpicture}[scale=.9] + \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$}; + \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$}; + \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$}; + + \draw[<->] (Guardian) to node[sloped,above,align=center] + {{\sf withdraw}\orange{, using}\\ $H(C_p\orange{\parallel H(\commitment)})$} (Exchange); + \draw[<->] (Client) to node[sloped,below,align=center] + {{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange); + \draw[<->] (Client) to node[sloped, below] + {{\sf purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant); + \draw[<->] (Merchant) to node[sloped, above] + {{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange); + + \draw[->] (Guardian) to [out=70,in=150, loop] node[above] + {$\Commit(\age)$} (Guardian); + 
\draw[->] (Guardian) to node[below,sloped] + {($\commitment$, $\pruf_\age$)} (Client); + \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below] + {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client); + \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below] + {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant); + \end{tikzpicture} +\end{frame} + +\begin{frame}{Age restriction in the wallet} + \centering \includegraphics[height=0.9\textheight]{images/wallet-age.png} +\end{frame} + +\include{gnu} + +\begin{frame}{Interested in GNU Taler?} + We are looking for developers, testers, users! + + \begin{description} + \item[Intro:] \url{https://taler.net} + \item[Learn:] \url{https://docs.taler.net} + \item[Develop:] \url{https://git.taler.net}, \url{https://bugs.taler.net} + \end{description} +\end{frame} + +\section{Discussion \& Conclusion} + +\begin{frame}{Discussion} + \begin{itemize}[<+->] + \item Our solution can in principle be used with any token-based payment scheme + \item[] However, GNU Taler best aligned with our design goals + (security, privacy and efficiency). + + \item Subsidiarity requires bank accounts being owned by adults. + \item[] However, scheme can be adapted to cases of + \begin{itemize} + \item minors have bank accounts + \item peer-to-peer payments + \item[] Hint: Know-Your-Customer (KYC) and adapted + withdraw protocol. + \end{itemize} + \item Our scheme offers an alternative to identity management systems (IMS) + \end{itemize} +\end{frame} + +% \begin{frame}{Related Work} +% \begin{itemize} +% \item Current privacy-perserving systems all based on +% attribute-based credentials (Koning et al., +% Schanzenbach et al., Camenisch et al., Au et al.) 
+% +% \item Attribute-based approach lacks support: +% \begin{itemize} +% \item Complex for consumers and retailers +% \item Requires trusted third authority +% \end{itemize} +% \vfill +% \item Other approaches tie age-restriction to ability to pay ("debit cards for kids") +% \begin{itemize} +% \item Advantage: mandatory to payment process +% \item Not privacy friendly +% \end{itemize} +% \end{itemize} +% \end{frame} + +\begin{frame}{Conclusion} + Age restriction is a technical, ethical and legal challenge. + + \pause + Existing solutions are + \begin{itemize} + \item without strong protection of privacy or + \item based on identity management systems (IMS) + \end{itemize} + \vfill + + \pause + Our scheme offers a solution that + \begin{itemize} + \item aligns with subsidiarity + \item preserves privacy + \item is efficient + \item and an alternative to IMS + \end{itemize} +\end{frame} + + +\begin{frame}{} + \large + \begin{center} + {\Huge \textbf{Thank you!}}\\ + Questions? + \end{center} + + \begin{center} + \texttt{oec-taler@kesim.org}\\ + \texttt{@oec@mathstodon.xyz} + \vfill + {Interested in GNU Taler?} + \begin{description} + \item[Intro:] \url{https://taler.net} + \item[Learn:] \url{https://docs.taler.net} + \item[Develop:] \url{https://git.taler.net}, \url{https://bugs.taler.net} + \end{description} + \end{center} +\end{frame} + +\appendix + +\begin{frame}{Taler Overview} + \hspace*{-3em}\includegraphics[width=\paperwidth]{images/taler-overview-blue.png} +\end{frame} + +\begin{frame}{Basic Requirements - Details} + \label{fr:detailedBasicRequirements} + {\scriptsize \it back to \hyperlink{fr:basicRequirements}{Basic Requirements}} + \begin{description}[<+->] + \item[Existence of attestations] + {\scriptsize + \begin{align*} + \Forall_{\age\in\N_\Age \atop \omega \in \Omega}: + \Commit(\age, \omega) =: (\commitment, \pruf) + \implies + \Attest(\minage, \commitment, \pruf) = + \begin{cases} + \attest \in \Attests, \text{ if } \minage \leq \age\\ + \Nil 
\text{ otherwise} + \end{cases} + \end{align*}} + \item[Efficacy of attestations] + {\scriptsize + \begin{align*} + \Verify(\minage, \commitment, \attest) = \ + \begin{cases} + 1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\ + 0 \text{ otherwise} + \end{cases} + \end{align*}} + + {\scriptsize + \begin{align*} + \forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1. + \end{align*}} + + ... + \item[Derivability of commitments and attestations]... + \end{description} + + \pause + More details in the published paper. +\end{frame} + +\begin{frame}{Reminder: RSA blind signature} + \label{fr:reminderBlindSignature} + \small + In RSA, a public key $(e, N)$ and private key $(d, N)$ have the property + \[ x^{ed} = x \mod N \] + + \pause + Bob (B) creates a blind signature of a message $m$ for Alice (A): + \begin{itemize}[<+->] + \item[A:] + \begin{itemize} + \item chooses random integer $b$ + \item calculates $m' := m*b^e$ {\hfill \scriptsize \textit{(blinding)}} + \item sends $m'$ to B. + \end{itemize} + \item[B:] + \begin{itemize} + \item signs $m'$, by calculating + $\sigma' := (m')^d \mod N$ {\hfill \scriptsize \textit{(B doesn't learn $m$)}} + \item sends $\sigma'$ to A. + \item[] \scriptsize Note: $(m')^d = (m*b^e)^d = m^d*b^{ed} = m^d*b \mod N$ + \end{itemize} + \item[A:]\begin{itemize} + \item unblinds $\sigma'$ by calculating + \[ \sigma := \sigma'*b^{-1} (= m^d) \] + \item[$\implies$]$\sigma$ is a valid RSA signature to message $m$. 
+ \end{itemize}
+ \end{itemize}
+ \hfill \tiny back to \hyperlink{fr:GnuTaler}{\textit{taler}} or \hyperlink{fr:bindingToCoins}{\textit{binding}}
+\end{frame}
+
+%\begin{frame}{Requirements}
+% \framesubtitle{Details}
+%
+% \begin{description}
+% \item[Derivability of commitments and proofs:]~\\[0.1em]
+% {\scriptsize
+% Let \begin{align*}
+% \age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\
+% (\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\
+% (\commitment_1, \pruf_1, \blinding) & \leftarrow \Derive(\commitment_0, \pruf_0, \omega_1).
+% \end{align*}
+% We require
+% \begin{align*}
+% \Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity}
+% \end{align*}
+% and for all $n\leq\age$:
+% \begin{align*}
+% \Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &%
+% =
+% \Verify(n, \commitment_0, \Attest(n, \commitment_0, \pruf_0))
+% \end{align*}}
+% \end{description}
+%\end{frame}
+
+\end{document}
diff --git a/eipsi2024/gnu.tex b/eipsi2024/gnu.tex
new file mode 100644
index 0000000..715c36f
--- /dev/null
+++ b/eipsi2024/gnu.tex
@@ -0,0 +1,32 @@
+\subsection{GNU Taler as GNU Software}
+
+\begin{frame}
+ \frametitle{GNU Software {\tiny (\url{https://www.gnu.org/software/software.en.html})}}
+\hspace*{-0.5cm}\begin{minipage}[scale=1.0]{1.1\textwidth}
+ \tiny
+ \linespread{1.45}\selectfont
+ 3dldf 8sync a2ps acct acm adns alive anubis apl archimedes aris artanis aspell auctex autoconf autoconf-archive autogen automake avl ballandpaddle barcode bash bayonne bazaar bc behistun binutils bison bool bpel2owfn c-graph ccaudio ccd2cue ccide ccrtp ccscript cflow cgicc chess cim classpath classpathx clisp combine commoncpp complexity config consensus coreutils cpio cppi cssc cursynth dap datamash dc ddd ddrescue dejagnu denemo dia dico diction diffutils dionysus direvent djgpp dominion dr-geo easejs ed edma electric {emacs} emacs-muse emms enscript epsilon fdisk ferret findutils fisicalab foliot fontopia fontutils freedink freefont freeipmi freetalk fribidi g-golf gama garpd gawk gcal {gcc} gcide gcl gcompris gdb gdbm gengen gengetopt gettext gforth ggradebook ghostscript gift gimp glean gleem glib global glpk glue gmediaserver gmp gnash gnat gnats gnatsweb gneuralnetwork gnome gnowsys gnu-c-manual gnu-crypto gnu-pw-mgr gnuae gnuastro gnubatch gnubg gnubiff gnubik gnucap gnucash gnucobol gnucomm gnudos gnufm gnugo gnuit gnujdoc gnujump gnukart gnulib gnumach gnumed gnumeric gnump3d gnun gnunet gnupg gnupod gnuprologjava gnuradio gnurobots gnuschool gnushogi gnusound gnuspeech gnuspool gnustandards gnustep gnutls gnutrition gnuzilla goptical gorm gpaint gperf gprolog grabcomics greg grep gretl groff grub gsasl gsegrafix gsl gslip gsrc gss gtick gtk+ gtypist guile guile-cv guile-dbi guile-gnome guile-ncurses guile-opengl guile-rpc guile-sdl guix gurgle gv gvpe gwl gxmessage gzip halifax health hello help2man hp2xx html-info httptunnel hurd hyperbole icecat idutils ignuit indent inetutils inklingreader intlfonts jacal jami java-getopt jel jtw jwhois kawa kopi leg less libc libcdio libdbh liberty-eiffel
libextractor libffcall libgcrypt libiconv libidn libjit libmatheval libmicrohttpd libredwg librejs libsigsegv libtasn1 libtool libunistring libxmi lightning lilypond lims linux-libre liquidwar6 lispintro lrzsz lsh m4 macchanger mailman mailutils make marst maverik mc mcron mcsim mdk mediagoblin melting mempool mes metaexchange metahtml metalogic-inference mifluz mig miscfiles mit-scheme moe motti mpc mpfr mpria mtools nana nano nano-archimedes ncurses nettle network ocrad octave oleo oo-browser orgadoc osip panorama parallel parted pascal patch paxutils pcb pem pexec phantom\_home pies pipo plotutils poke polyxmass powerguru proxyknife pspp psychosynth pth pyconfigure pythonwebkit qexo quickthreads r radius rcs readline recutils reftex remotecontrol rottlog rpge rush sather scm screen sed serveez sharutils shepherd shishi shmm shtool sipwitch slib smalltalk social solfege spacechart spell sqltutor src-highlite ssw stalkerfs stow stump superopt swbis sysutils taler talkfilters tar termcap termutils teseq teximpatient texinfo texmacs thales time tramp trans-coord trueprint unifont units unrtf userv uucp vc-dwim vcdimager vera vmgen wb wdiff websocket4j webstump wget which womb xaos xboard xlogmaster xmlat xnee xorriso zile
+\end{minipage}
+\end{frame}
+
+\begin{frame}
+ \frametitle{GNU Software {\tiny (\url{https://www.gnu.org/software/software.en.html})}}
+\hspace*{-0.5cm}\begin{minipage}[scale=1]{1.1\textwidth}
+ \tiny
+ \linespread{1.45}\selectfont
+ 3dldf 8sync a2ps acct acm adns alive anubis apl archimedes aris artanis aspell auctex autoconf autoconf-archive autogen automake avl ballandpaddle barcode bash bayonne bazaar bc behistun binutils bison bool bpel2owfn c-graph ccaudio ccd2cue ccide ccrtp ccscript cflow cgicc chess cim classpath classpathx clisp combine commoncpp complexity config consensus coreutils cpio cppi cssc cursynth dap datamash dc ddd ddrescue dejagnu denemo dia dico diction diffutils dionysus direvent djgpp dominion dr-geo easejs ed edma
electric {\normalsize emacs} emacs-muse emms enscript epsilon fdisk ferret findutils fisicalab foliot fontopia fontutils freedink freefont freeipmi freetalk fribidi g-golf gama garpd gawk gcal {\normalsize gcc} gcide gcl gcompris gdb gdbm gengen gengetopt gettext gforth ggradebook ghostscript gift gimp glean gleem glib global glpk glue gmediaserver gmp gnash gnat gnats gnatsweb gneuralnetwork {\normalsize gnome} gnowsys gnu-c-manual gnu-crypto gnu-pw-mgr gnuae gnuastro gnubatch gnubg gnubiff gnubik gnucap gnucash gnucobol gnucomm gnudos gnufm gnugo gnuit gnujdoc gnujump gnukart gnulib gnumach gnumed gnumeric gnump3d gnun gnunet gnupg gnupod gnuprologjava gnuradio gnurobots gnuschool gnushogi gnusound gnuspeech gnuspool gnustandards gnustep gnutls gnutrition gnuzilla goptical gorm gpaint gperf gprolog grabcomics greg {\normalsize grep} gretl groff grub gsasl gsegrafix gsl gslip gsrc gss gtick gtk+ gtypist guile guile-cv guile-dbi guile-gnome guile-ncurses guile-opengl guile-rpc guile-sdl guix gurgle gv gvpe gwl gxmessage gzip halifax health hello help2man hp2xx html-info httptunnel hurd hyperbole icecat idutils ignuit indent inetutils inklingreader intlfonts jacal jami java-getopt jel jtw jwhois kawa kopi leg less libc libcdio libdbh liberty-eiffel libextractor libffcall libgcrypt libiconv libidn libjit libmatheval libmicrohttpd libredwg librejs libsigsegv libtasn1 libtool libunistring libxmi lightning lilypond lims linux-libre liquidwar6 lispintro lrzsz lsh m4 macchanger mailman mailutils {\normalsize make} marst maverik mc mcron mcsim mdk mediagoblin melting mempool mes metaexchange metahtml metalogic-inference mifluz mig miscfiles mit-scheme moe motti mpc mpfr mpria mtools nana nano nano-archimedes ncurses nettle network ocrad octave oleo oo-browser orgadoc osip panorama parallel parted pascal patch paxutils pcb pem pexec phantom\_home pies pipo plotutils poke polyxmass powerguru proxyknife pspp psychosynth pth pyconfigure pythonwebkit qexo quickthreads r radius 
rcs readline recutils reftex remotecontrol rottlog rpge rush sather scm screen {\normalsize sed} serveez sharutils shepherd shishi shmm shtool sipwitch slib smalltalk social solfege spacechart spell sqltutor src-highlite ssw stalkerfs stow stump superopt swbis sysutils taler talkfilters tar termcap termutils teseq teximpatient texinfo texmacs thales time tramp trans-coord trueprint unifont units unrtf userv uucp vc-dwim vcdimager vera vmgen wb wdiff websocket4j webstump wget which womb xaos xboard xlogmaster xmlat xnee xorriso zile
+\end{minipage}
+\end{frame}
+
+\begin{frame}
+ \frametitle{GNU Software {\tiny (\url{https://www.gnu.org/software/software.en.html})}}
+\hspace*{-0.5cm}\begin{minipage}[scale=1.0]{1.1\textwidth}
+ \tiny
+ \linespread{1.45}\selectfont
+ 3dldf 8sync a2ps acct acm adns alive anubis apl archimedes aris artanis aspell auctex autoconf autoconf-archive autogen automake avl ballandpaddle barcode bash bayonne bazaar bc behistun binutils bison bool bpel2owfn c-graph ccaudio ccd2cue ccide ccrtp ccscript cflow cgicc chess cim classpath classpathx clisp combine commoncpp complexity config consensus coreutils cpio cppi cssc cursynth dap datamash dc ddd ddrescue dejagnu denemo dia dico diction diffutils dionysus direvent djgpp dominion dr-geo easejs ed edma electric emacs emacs-muse emms enscript epsilon fdisk ferret findutils fisicalab foliot fontopia fontutils freedink freefont freeipmi freetalk fribidi g-golf gama garpd gawk gcal gcc gcide gcl gcompris gdb gdbm gengen gengetopt gettext gforth %
+ \setlength{\columnsep}{1pt}
+ \setlength{\intextsep}{0pt}
+ \begin{wrapfigure}{r}{0pt}{\fontsize{40}{2}\selectfont\bf \color{blue}taler}\end{wrapfigure}
+ ggradebook ghostscript gift gimp glean gleem glib global glpk glue gmediaserver gmp gnash gnat gnats gnatsweb gneuralnetwork gnome gnowsys gnu-c-manual gnu-crypto gnu-pw-mgr gnuae gnuastro gnubatch gnubg gnubiff gnubik gnucap gnucash gnucobol gnucomm gnudos gnufm gnugo gnuit gnujdoc gnujump gnukart
gnulib gnumach gnumed gnumeric gnump3d gnun gnunet gnupg gnupod gnuprologjava gnuradio gnurobots gnuschool gnushogi gnusound gnuspeech gnuspool gnustandards gnustep gnutls gnutrition gnuzilla goptical gorm gpaint gperf gprolog grabcomics greg grep gretl groff grub gsasl gsegrafix gsl gslip gsrc gss gtick gtk+ gtypist guile guile-cv guile-dbi guile-gnome guile-ncurses guile-opengl guile-rpc guile-sdl guix gurgle gv gvpe gwl gxmessage gzip halifax health hello help2man hp2xx html-info httptunnel hurd hyperbole icecat idutils ignuit indent inetutils inklingreader intlfonts jacal jami java-getopt jel jtw jwhois kawa kopi leg less libc libcdio libdbh liberty-eiffel libextractor libffcall libgcrypt libiconv libidn libjit libmatheval libmicrohttpd libredwg librejs libsigsegv libtasn1 libtool libunistring libxmi lightning lilypond lims linux-libre liquidwar6 lispintro lrzsz lsh m4 macchanger mailman mailutils make marst maverik mc mcron mcsim mdk mediagoblin melting mempool mes metaexchange metahtml metalogic-inference mifluz mig miscfiles mit-scheme moe motti mpc mpfr mpria mtools nana nano nano-archimedes ncurses nettle network ocrad octave oleo oo-browser orgadoc osip panorama parallel parted pascal patch paxutils pcb pem pexec phantom\_home pies pipo plotutils poke polyxmass powerguru proxyknife pspp psychosynth pth pyconfigure pythonwebkit qexo quickthreads r radius rcs readline recutils reftex remotecontrol rottlog rpge rush sather scm screen sed serveez sharutils shepherd shishi shmm shtool sipwitch slib smalltalk social solfege spacechart spell sqltutor src-highlite ssw stalkerfs stow stump superopt swbis sysutils talkfilters tar termcap termutils teseq teximpatient texinfo texmacs thales time tramp trans-coord trueprint unifont units unrtf userv uucp vc-dwim vcdimager vera vmgen wb wdiff websocket4j webstump wget which womb xaos xboard xlogmaster xmlat xnee xorriso zile
+\end{minipage}
+\end{frame}
diff --git a/eipsi2024/images/bfh.png b/eipsi2024/images/bfh.png
new file mode 100644
index 0000000..4c9f8d1
Binary files /dev/null and b/eipsi2024/images/bfh.png differ
diff --git a/eipsi2024/images/bmbf-english.jpg b/eipsi2024/images/bmbf-english.jpg
new file mode 100644
index 0000000..287a8ca
Binary files /dev/null and b/eipsi2024/images/bmbf-english.jpg differ
diff --git a/eipsi2024/images/fraunhofer.png b/eipsi2024/images/fraunhofer.png
new file mode 100644
index 0000000..0eb26a5
Binary files /dev/null and b/eipsi2024/images/fraunhofer.png differ
diff --git a/eipsi2024/images/ngi-ap3.png b/eipsi2024/images/ngi-ap3.png
new file mode 100644
index 0000000..a32e02a
Binary files /dev/null and b/eipsi2024/images/ngi-ap3.png differ
diff --git a/eipsi2024/images/taler-logo-2020.jpg b/eipsi2024/images/taler-logo-2020.jpg
new file mode 100644
index 0000000..489832f
Binary files /dev/null and b/eipsi2024/images/taler-logo-2020.jpg differ
diff --git a/eipsi2024/images/taler-overview-blue.png b/eipsi2024/images/taler-overview-blue.png
new file mode 100644
index 0000000..1456e45
Binary files /dev/null and b/eipsi2024/images/taler-overview-blue.png differ
diff --git a/eipsi2024/images/wallet-age.png b/eipsi2024/images/wallet-age.png
new file mode 100644
index 0000000..89f15de
Binary files /dev/null and b/eipsi2024/images/wallet-age.png differ
diff --git a/eipsi2024/loop.sh b/eipsi2024/loop.sh
new file mode 100755
index 0000000..bf56c52
--- /dev/null
+++ b/eipsi2024/loop.sh
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+cleanup () {
+ rm -f *.log *.aux *.toc
+ exit $1
+}
+
+compile () {
+ tectonic $1 || echo 
+}
+
+trap cleanup HUP TERM INT
+
+SRC=eipsi2024.tex
+
+echo -ne "\e[;1H\e[2J"
+while true; do
+ compile $SRC
+ FILES=$(echo *.tex)
+ while inotifywait $FILES ; do
+ echo -ne "\e[;1H\e[2J"
+ compile $SRC
+ done
+done
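Review bot: `echo -ne "\e[;1H\e[2J"` is not portable under the `#!/bin/sh` shebang in loop.sh: POSIX `echo` takes no options, so a shell such as dash prints the literal `-ne` and does not interpret the escapes; `printf '\033[;1H\033[2J'` does the same clear-screen on any POSIX shell, and the same line recurs inside the inotifywait loop. Separately, `compile` masks a failed build with `|| echo`, so a broken compile is only noticeable from tectonic's own output, and `cleanup` is invoked by the trap without an argument, which makes `exit $1` an `exit` with the status of the preceding `rm` rather than a deliberate code. `FILES=$(echo *.tex)` relies on word splitting and, if no `.tex` file exists, passes the literal `*.tex` to inotifywait; a comment such as `# relies on unquoted expansion to pass one path per argument` would at least make that intent explicit.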