\documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer} \usepackage{appendixnumberbeamer} \usepackage{amsmath} \usepackage{multimedia} \usepackage{wrapfig} \usepackage[utf8]{inputenc} \usepackage{framed,color,ragged2e} \usepackage[absolute,overlay]{textpos} \usetheme[progressbar=frametitle]{metropolis} %\setbeamertemplate{navigation symbols}{\insertframenumber/\inserttotalframenumber} \setbeamersize{description width=1em} \setbeamertemplate{section in toc}[sections] \setbeamertemplate{footline}{} \usepackage{xcolor} \usepackage[normalem]{ulem} \usepackage{listings} \usepackage{adjustbox} \usepackage{array} \usepackage{bbding} \usepackage{relsize} \usepackage{graphicx} \usepackage{tikz,eurosym,calc} \usetikzlibrary{tikzmark} \usetikzlibrary{shapes,arrows,arrows.meta} \usetikzlibrary{positioning,patterns} \usetikzlibrary{calc} \usepackage{fontspec} \IfFontExistsTF{IBM Plex Sans}{\setsansfont{IBM Plex Sans}}{} \IfFontExistsTF{IBM Plex Serif}{\setmainfont{IBM Plex Serif}}{} \definecolor{blue}{rgb}{0,0.4,1} \newcommand{\orange}[1]{{\color{orange}#1}} \newcommand{\TODO}[1]{\orange{TODO: #1}} \makeatletter \setbeamercolor{framesubtitle}{fg=mDarkTeal} \defbeamertemplate*{frametitle}{myframetitle}{% \nointerlineskip \begin{beamercolorbox}[% wd=\paperwidth,% sep=0pt,% leftskip=\metropolis@frametitle@padding, rightskip=\metropolis@frametitle@padding, ]{frametitle}% \metropolis@frametitlestrut@start \quad\insertframetitle%%%%%%%%%%%%%%%%%%%%%% \nolinebreak \metropolis@frametitlestrut@end \end{beamercolorbox}\par \usebeamerfont{framesubtitle}% \usebeamercolor[fg]{framesubtitle}% \vskip3pt \hspace*{-0.5\metropolis@frametitle@padding}% \insertframesubtitle } \makeatother \setbeamertemplate{frametitle}[myframetitle] \newcommand{\Section}[2]{\section[#1\newline\scriptsize{#2}]{#1}} \input{definitions} \title{Are you old enough to buy this?} \subtitle{Zero-Knowledge Age Restriction for GNU Taler} \author{Özgür Kesim} \institute{Code Blau GmbH, FU Berlin, TU Dresden} \date{31 May 2024} \titlegraphic{\centering\vspace*{-0.5cm}\includegraphics[width=0.3\textwidth]{images/surveilance-logo.png}} \begin{document} %\justifying \begin{frame} \titlepage \end{frame} \section*{Prolog}%{Who am I, what do I want and who pays for all this?} \begin{frame}{Sponsors} \centering\begin{columns}[T] \column{0.6\textwidth} \centering NGI Taler and NGI Pointer programs of the European Commission\\[2em] \centering\includegraphics[width=0.9\textwidth]{images/ngi-taler.jpg} \centering\includegraphics[width=0.5\textwidth]{images/ngi-ap3.png} \column{0.4\textwidth} \centering Project\\ \textit{Concrete Contracts} in the \textit{KMU-innovativ} programm\\[2em] \centering\includegraphics[width=0.9\textwidth]{images/bmbf-english.jpg} \end{columns} \end{frame} \begin{frame}{Who am I} Özgür Kesim, \begin{itemize} \item security consultant for 20+ years, \item PhD candidate at FU Berlin, \item member of GNU Taler dev-team. \end{itemize} \note{fnord} \vfill \url{oec-taler@kesim.org} \hfill \url{@oec@mathstodon.xyz} \hfill \end{frame} \begin{frame}{What to expect} \small \begin{description} \item<1->[Deliverable]~\\ Present a solution to age restriction and its integration in GNU Taler. \vfill \item<2->[Drive-By]~\\ Show concepts from cryptography by example: Zero-Knowledge protocol, Security Game and Security Proof \vfill \item<3->[Non-goals]~\\ \begin{itemize} \item[] \underline{Rigorous} introduction into GNU Taler \item[] Demos \end{itemize} \end{description} \end{frame} \begin{frame}{Chapters} \tableofcontents[pausesections,hideallsubsections] \end{frame} \section[Introduction\newline\scriptsize Age Restriction in E-commerce]{Introduction} \begin{frame}{Youth protection} Broad consensus in society about the necessity to protect minors from harmful content. \vfill Also wanted from policy makers:\\[1em] \begin{quote} 11. Member states should encourage the \textbf{use of conditional access tools} by content and service providers in relation to content harmful to minors, \textbf{such as age-verification systems}, ... \end{quote} \tiny From the \href{https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680645b44} {\textit{Recommendation Rec (2001) 8 of the Committee of Ministers to member states on self-regulation concerning cyber content}} of the Council of Europe. \end{frame} \begin{frame}{Age restriction in E-commerce} \begin{description}[<+->] \item[Problem:]~\\[1em] Verification of minimum age requirements in e-commerce.\\[2em] \item[Common solutions:] \begin{tabular}{l<{\onslide<3->}c<{\onslide<4->}cr<{\onslide}} & \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount] 1. ID Verification & bad & required & \\[\medskipamount] 2. Restricted Accounts & bad & required & \\[\medskipamount] 3. Attribute-based & good & required &\tikzmark{bottomau} \\[\medskipamount] \end{tabular} \end{description} \uncover<5->{ \begin{tikzpicture}[overlay,remember picture] \draw[orange,thick,rounded corners] ($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$); \end{tikzpicture} \begin{center} \bf Principle of subsidiarity is ignored \end{center} } \end{frame} \begin{frame}{Principle of Subsidiarity} \begin{center}\large Functions of government\\ ---such as granting and restricting rights---\\ should be performed\\ {\it at the lowest level of authority possible},\\ as long as they can be performed {\it adequately}. \end{center} \vfill \uncover<2->{ For age-restriction, the lowest level of authority is:\\ \begin{center}\Large Parents, guardians and caretakers \end{center} } \end{frame} \begin{frame}{Our goal} A design and implementation of an age restriction scheme\\ with the following properties: \pause \begin{enumerate}[<+->] \item It ties age restriction to the \textbf{ability to pay} (not to ID's), \item maintains the \textbf{anonymity of buyers}, \item maintains \textbf{unlinkability of transactions}, \item aligns with the \textbf{principle of subsidiarity}, \item is \textbf{practical and efficient}. \end{enumerate} \end{frame} \begin{frame}{Teaser} \centering \includegraphics[height=0.9\textheight]{images/wallet-age.png} \end{frame} \Section{The quest for a solution to age restriction}{A journey through cryptic territory} \begin{frame}{Basic assumption and ideas} \small Assumption: Bank accounts are under control of adults/guardians. \vfill Sketch of scheme, independent of payment service protocol: \begin{columns} \column{7cm} \begin{enumerate} \item<2-> \textit{Guardians} \textbf{commit} to a maximum age \item<4-> \tikzmark{sstart}\textit{Minors} \textbf{attest} their adequate age \item<6-> \textit{Merchants} \textbf{verify} the attestations \item<7-> \textit{Minors} \textbf{derive} age commitments from existing ones \item<9-> \textit{Exchanges} \textbf{compare} the derived age commitments \item<10-> \tikzmark{send}{\large \texttt{GOTO}} 2. \begin{tikzpicture}[overlay, remember picture] \draw[line width=1pt,->] ([shift=({-6mm, 1mm})]pic cs:send) to ([shift=({-1cm, 1mm})]pic cs:send) to ([shift=({-1cm, 1mm})]pic cs:sstart) to ([shift=({-6mm, 1mm})]pic cs:sstart); \end{tikzpicture} \end{enumerate} \column{4.5cm} \begin{center} \fontsize{7pt}{7pt}\selectfont \begin{tikzpicture}[scale=.5] \uncover<2->{ \node[circle,minimum size=15pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$}; \draw[->] (Guardian) to [out=50,in=130, loop] node[above] {$\Commit$} (Guardian); } \uncover<3->{ \node[circle,minimum size=15pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; \draw[,|->] (Guardian) to node[above,sloped,align=left] {{\scriptsize }} (Client); } \uncover<4->{ \draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left] {\blue{$\Attest$}} (Client); } \uncover<5->{ \node[circle,minimum size=15pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$}; \draw[blue,|->] (Client) to node[sloped, above] {\blue{\scriptsize }} (Merchant); } \uncover<6->{ \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above] {\blue{$\Verify$}} (Merchant); } \uncover<7->{ \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below] {\orange{$\Derive$}} (Client); } \uncover<8->{ \node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; \draw[orange,|->] (Client) to node[sloped,above,align=left] {\orange{\scriptsize }} (Exchange); } \uncover<9->{ \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] {\orange{$\Compare$}} (Exchange); } \end{tikzpicture} \end{center} \end{columns} \end{frame} \begin{frame}{Helpful figure - Commit} \centering\includegraphics[height=0.9\textheight]{images/commit.pdf} \end{frame} \begin{frame}{Helpful figure - Attest and Verify} \centering\includegraphics[height=0.9\textheight]{images/attest-verify.pdf} \end{frame} \begin{frame}{Helpful figure - Derive and Compare} \centering\includegraphics[width=\textwidth]{images/derive-compare.pdf} \end{frame} \begin{frame}{Helpful figure} \small \begin{columns}[t] \column{0.25\textwidth} Commit:\\[1em] \includegraphics[width=\textwidth]{images/commit.pdf} \column{0.25\textwidth} Attest and Verify:\\[1em] \includegraphics[width=\textwidth]{images/attest-verify.pdf} \column{0.5\textwidth} Derive and Compare:\\[1em] \includegraphics[width=\textwidth]{images/derive-compare.pdf} \end{columns} \end{frame} \begin{frame}{Specification of the Function Signatures} \small Searching for functions \uncover<2->{with the following signatures} \begin{align*} &\bf \Commit\uncover<2->{: &(\age, \omega) &\mapsto (\commitment, \pruf) &\scriptstyle \N_\Age \times \Omega &\scriptstyle \to \Commitments\times\Proofs, } \\ %FIXME: This is how Attest was defined in the orignal paper (_with_) commitment! %&\bf \Attest\uncover<3->{: % &(\minage, \commitment, \pruf) &\mapsto \attest % &\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\}, % } %\\ &\bf \Attest\uncover<3->{: &(\minage, \pruf) &\mapsto \attest &\scriptstyle \N_\Age\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\}, } \\ &\bf \Verify\uncover<4->{: &(\minage, \commitment, \attest) &\mapsto b &\scriptstyle \N_\Age\times\Commitments\times\Attests &\scriptstyle \to \Z_2, } \\ &\bf \Derive\uncover<5->{: &(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf', \blinding) &\scriptstyle \Commitments\times\Proofs\times\Omega &\scriptstyle \to \Commitments\times\Proofs\times\Blindings, } \\ &\bf \Compare\uncover<6->{: &(\commitment, \commitment', \blinding) &\mapsto b &\scriptstyle \Commitments\times\Commitments\times\Blindings &\scriptstyle \to \Z_2, } \end{align*} \uncover<7->{ with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$ sufficiently large sets.\\[1em] } %\uncover<8->{ % The blindings $\beta$ ensure that only the Exchange can compare commitments.\\[1em] %} \uncover<8->{ We will define basic and security requirements later.\\[1em] } \scriptsize \uncover<2->{ Mnemonics:\\ $\Commitments=$ \textit{c$\Commitments$mmitments}, $\commitment=$ \textit{Q-mitment} (commitment), $\Proofs=$ \textit{$\Proofs$roofs}, } \uncover<3->{ $\pruf=$ \textit{$\pruf$roof},\\ $\Attests=$ \textit{a$\Attests$testations}, $\attest=$ \textit{a$\attest$testation}, } \uncover<5->{ $\Blindings=$ \textit{$\Blindings$lindings}, $\blinding=$ \textit{$\blinding$linding}. } \end{frame} \begin{frame}{Naïve scheme} \begin{center} \begin{tikzpicture}[scale=.8] \node[circle,minimum size=20pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$}; \node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; \node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; \node[circle,minimum size=20pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$}; \draw[->] (Guardian) to [out=50,in=130, loop] node[above] {$\Commit$} (Guardian); \draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left] {\blue{$\Attest$}} (Client); \draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above] {\blue{$\Verify$}} (Merchant); \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below] {\orange{$\Derive$}} (Client); \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] {\orange{$\Compare$}} (Exchange); \draw[,|->] (Guardian) to node[above,sloped,align=left] {\scriptsize ($\commitment$, $\pruf_\age$)} (Client); \draw[blue,|->] (Client) to node[sloped, above] {\blue{\scriptsize($\minage$, $\commitment$, $\attest$) }} (Merchant); \draw[orange,|->] (Client) to node[sloped,above,align=left] {\orange{\scriptsize($\commitment$, $\commitment'$, $\beta$) }} (Exchange); \end{tikzpicture} \end{center} % \pause{Why should $\Merchant$ trust those $\commitment$? Will solve later. % \tiny (Hint: blind signature from $\Exchange$)} \end{frame} \begin{frame}{Problem of unlinkability} \begin{columns} \column{3cm} \begin{center} \fontsize{8pt}{9pt}\selectfont \begin{tikzpicture}[scale=.65] \node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$}; \node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; \draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below] {\orange{$\footnotesize \Derive()$}} (Client); \draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above] {\orange{$\footnotesize \Compare()$}} (Exchange); \draw[orange,|->] (Client) to node[sloped,above,align=left] {\orange{\tiny \uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange); \end{tikzpicture} \end{center} \column{9cm} Simple use of $\Derive()$ and $\Compare()$ is problematic. \pause \begin{itemize}[<+->] \item Calling $\Derive()$ iteratively generates sequence $(\commitment_0, \commitment_1, \dots)$ of commitments. \item Exchange calls $\Compare(\commitment_i, \commitment_{i+1},~.~)$ \item[$\implies$]Exchange identifies sequence \item[$\implies$]{\bf Unlinkability broken} \end{itemize} \end{columns} \end{frame} \begin{frame}{Achieving Unlinkability} Given $\Derive()$ and $\Compare()$, define the cut\&choose protocol \orange{$\DeriveCompare$} as follows (sketch): \begin{columns} \column{0.3\textwidth} \pause \includegraphics[width=\textwidth]{images/cut-and-choose.pdf} \column{0.7\textwidth} \pause \uncover<2->{ \scriptsize Let $\kappa \in \N$ (say: $\kappa = 3$) \begin{itemize}[<+->] \item[$\Child$:] \begin{enumerate} \scriptsize \item generates $(\commitment_1,\dots,\commitment_\kappa)$ and $(\beta_1,\dots,\beta_\kappa)$ from $\commitment_0$ by calling $\kappa$ times $\Derive(\commitment_0, \pruf_0, \omega_i)$ \item calculates $h_0:=H\left(H(\commitment_1, \beta_1)\parallel \dots\parallel H(\commitment_\kappa, \beta_\kappa)\right)$ \item sends $\commitment_0$ and $h_0$ to $\Exchange$ \end{enumerate} \item[$\Exchange$:] \begin{enumerate} \scriptsize \item[4.] saves $\commitment_0$ and $h_0$ and sends $\Child$ random $\gamma \in \{1,\dots,\kappa\}$ \end{enumerate} \item[$\Child$:] \begin{enumerate} \scriptsize \item[5.] reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$ \end{enumerate} \item[$\Exchange$:] \begin{enumerate} \scriptsize \item[6.] compares $h_0$ and $H\left(H(\commitment_1, \beta_1)\parallel ...\parallel h_\gamma\parallel ...\parallel H(\commitment_\kappa, \beta_\kappa)\right)$ \item[7.] evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$ for all $i \neq \gamma$. \end{enumerate} \end{itemize} \pause \scriptsize If all steps succeed, $\commitment_\gamma$ is the new commitment. } \end{columns} \end{frame} \begin{frame}{Achieving Unlinkability}%{Certainty trade-off} With \orange{$\DeriveCompare$} \begin{itemize} \item $\Exchange$ learns nothing about $\commitment_\gamma$ or $H(\commitment_\gamma)$, \item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty, \item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat. \item<2->[$\implies$] \textbf{Gives us unlinkability at the price of (adjustable) uncertainty!} \end{itemize} \vfill \uncover<3->{Notes: \begin{itemize} \item similar to the cut\&choose {\it refresh} protocol in GNU Taler \item still need to define $\Derive()$ and $\Compare()$. \end{itemize} } \end{frame} \begin{frame}{Refined scheme} \begin{center} \begin{tikzpicture}[scale=.8] \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$}; \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$}; \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$}; \uncover<2-3,8->{ \draw[->] (Guardian) to [out=150,in=70, loop] node[above] {$\Commit(\age)$} (Guardian); } \uncover<3,8->{ \draw[->] (Guardian) to node[below,sloped] {($\commitment$, $\pruf_\age$)} (Client); } \uncover<4-6,8->{ \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below] % FIXME: This is in the original paper: % {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client); {\blue{$\Attest(\minage, \pruf_{\age})$}} (Client); } \uncover<5-6,8->{ \draw[blue,->] (Client) to node[sloped, below] {\blue{$(\attest_\minage, \commitment)$}} (Merchant); } \uncover<6,8->{ \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below] {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant); } \uncover<7,8->{ \draw[orange,<->] (Client) to node[sloped,below,align=center] {\orange{$\commitment \mapsto \commitment_\gamma$}} node[sloped,above,align=center] {\orange{$\DeriveCompare$}} (Exchange); } \end{tikzpicture} \end{center} \end{frame} \begin{frame}{Sensible solutions} Quest for functions should lead to \textit{sensible} solutions. \pause F. e. $\Verify()$ should not simply always return \texttt{true}. \pause We need more requirements. \end{frame} % \begin{frame}{Achieving Unlinkability} % \scriptsize % $\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\ % \vfill % $\DeriveCompare(\commitment, \pruf, \omega) =$ % \begin{itemize} % \it % \itemsep0.5em % \item[$\Child$:] % \begin{enumerate} % \scriptsize % \itemsep0.3em % \item for all $i \in \{1,\dots,\kappa\}: % (\commitment_i,\pruf_i,\beta_i) \leftarrow \Derive(\commitment, \pruf, \omega + i)$ % \item $h \leftarrow \Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa) \big)$ % \item send $(\commitment, h)$ to $\Exchange$ % \end{enumerate} % \item[$\Exchange$:] % \begin{enumerate} % \setcounter{enumi}{4} % \scriptsize % \itemsep0.3em % \item save $(\commitment, h)$ \label{st:hash} % \item $\gamma \drawfrom \{1,\dots ,\kappa\}$ % \item send $\gamma$ to $\Child$ % \end{enumerate} % \item[$\Child$:] % \begin{enumerate} % \setcounter{enumi}{7} % % \scriptsize % \itemsep0.3em % \item $h'_\gamma \leftarrow \Hash(\commitment_\gamma, \beta_\gamma)$ % \item $\mathbf{E}_\gamma \leftarrow \big[(\commitment_1,\beta_1),\dots, % (\commitment_{\gamma-1}, \beta_{\gamma-1}), % \Nil, % (\commitment_{\gamma+1}, \beta_{\gamma+1}), % \dots,(\commitment_\kappa, \beta_\kappa)\big]$ % \item send $(\mathbf{E}_\gamma, h'_\gamma)$ to $\Exchange$ % \end{enumerate} % \item[$\Exchange$:] % \begin{enumerate} % \setcounter{enumi}{10} % \scriptsize % \itemsep0.3em % \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow \Hash(\mathbf{E}_\gamma[i])$ % \item if $h \stackrel{?}{\neq} \HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$ return 0 % \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}$: % if $0 \stackrel{?}{=} \Compare(\commitment,\commitment_i, \beta_i)$ return $0$ % \item return 1 % \end{enumerate} % \end{itemize} % \end{frame} \section*{Requirements} \begin{frame}{Basic Requirements} \label{fr:basicRequirements} Candidate functions \[ (\Commit, \Attest, \Verify, \Derive, \Compare) \] must meet \textit{basic requirements}: \begin{itemize} \item Existence of attestations \item Efficacy of attestations \item Derivability of commitments and attestations \end{itemize} \pause More details in the published paper and \hyperlink{fr:detailedBasicRequirements}{Appendix}. \end{frame} \begin{frame}{Security Requirements} Candidate functions must also meet \textit{security requirements}, defined via security games: \vfill { \small \pause \hspace*{-1em}\begin{tabular}{rp{9cm}} \bf Requirement:& Unforgeability of minimum age\pause\\ \bf $\leftrightarrow$\hfill Game:& Forging an attestation\pause\\[0.5em] \bf Requirement: & Non-disclosure of age \pause\\ \bf$\leftrightarrow$\hfill Game: & Age disclosure by commitment or attestation \pause\\[0.5em] \bf Requirement:& Unlinkability of commitments and attestations\pause\\ \bf $\leftrightarrow$\hfill Game:& Distinguishing derived commitments and attestations \end{tabular} } \vfill \pause Meeting the security requirements means that adversaries can win those games only with negligible advantage. \vfill \pause Adversaries are arbitrary polynomial-time algorithms, acting on all relevant input. \end{frame} \begin{frame}{Security Requirements}{Simplified Example} \begin{description}[<+->] \item[Game $\Game{FA}$: Forging an attest]~\\ {\small \begin{enumerate} \item $ (\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $ \item $ (\commitment, \pruf) \leftarrow \Commit(\age, \omega) $ \item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$ \item Return 0 if $\minage \leq \age$ \item Return $\Verify(\minage,\commitment,\attest)$ \item[]~\\[0.5em] Adversary $\Adv$ wins the game, if $\Game{FA}$ returns 1. \end{enumerate} } \vfill \item[Requirement: Unforgeability of minimum age] {\small \begin{equation*} \Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}: \Probability\Big[\Game{FA} = 1\Big] \le \negl \end{equation*} } \end{description} % \pause % Note: This example does not take $\Derive()$ into account. \end{frame} \begin{frame}{Our task} \large Finding functions \[ (\Commit, \Attest, \Verify, \Derive, \Compare) \] that meet the basic and security requirements. \end{frame} \section*{A solution to our quest} \begin{frame}{Instantiation with ECDSA} We propose a solution based on ECDSA. Think: One key-pair per age group. \end{frame} \begin{frame}{Definition of Commit with ECDSA}%{Definition of Commit} \begin{columns} \column{0.2\textwidth} \includegraphics[width=1.1\textwidth]{images/commit.pdf} \column{0.8\textwidth} \begin{description} \small \item[To \blue{Commit} to age group $\age \in \{1,\dots,\Age\}$]~\\ \begin{enumerate}[<+->] \small \item Guardian generates ECDSA-keypairs, one per age group: \[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\] \item Guardian then \textbf{drops} all private keys $p_i$ for $i > \age$: \[\Big \langle(q_1, p_1),\dots, (q_\age, p_\age), (q_{\age +1}, \red{\Nil}),\dots, (q_\Age, \red{\Nil})\Big\rangle\] \item[] then set \begin{itemize} \setlength{\itemindent}{5em} \item[\bf Commitment:] $\Vcommitment := (q_1,~\dots~\dots~\dots~,q_\Age)$ \item[\bf Proof:] $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$ \end{itemize} \vfill \item Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$ \vfill \end{enumerate} \end{description} \end{columns} \end{frame} \begin{frame}{Attest and Verify with ECDSA} \begin{columns} \column{0.2\textwidth} \includegraphics[width=1.1\textwidth]{images/commit.pdf} \includegraphics[width=1.1\textwidth]{images/attest-verify.pdf} \column{0.8\textwidth} \small Child has \begin{itemize} \small \item ordered public-keys $\Vcommitment = (q_1, \dots~\dots~\dots, q_\Age) $, \item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$. \end{itemize} \begin{description} \small \item<2->[To \blue{Attest} a minimum age (group) $\blue{\minage} \leq \age$:]~\\ Sign a message with ECDSA using private key $p_\blue{\minage}$. The signature $\sigma_\blue{\minage}$ is the attestation. \end{description} \vfill \uncover<3->{ \small Merchant gets \begin{itemize} \small \item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $ \item Signature $\sigma_\blue{\minage}$ \end{itemize} \begin{description} \small \item<4->[To \blue{Verify} a minimum age (group) \blue{$\minage$}:]~\\ Verify the ECDSA-Signature $\sigma_\blue{\minage}$ with public key $q_\blue{\minage}$. \end{description} } \vfill \end{columns} \end{frame} \begin{frame}{Reminder: Derive and Compare} \centering\includegraphics[width=\textwidth]{images/derive-compare.pdf} \end{frame} \begin{frame}{Derive and Compare with ECDSA} Child has $\Vcommitment = (q_1, \dots, q_\Age) $ and $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$. \begin{description} \item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:] Choose random $\beta\in\Z_g$ and calculate \small \begin{align*} \Vcommitment' &= \big(q'_1,~\ldots~\ldots~\ldots~,q'_\Age\big) &&:= \big(\beta * q_1,\ldots~\ldots,\beta * q_\Age\big) ,\\ \Vpruf' &= \big(p'_1,\ldots,p'_\age, \Nil, \ldots, \Nil\big) &&:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big) \end{align*} \uncover<3->{ \small Note: \begin{itemize} \item $\beta*q_i$ is scalar multiplication on the elliptic curve. \item $p'_i*G$ = $(\beta p_i)*G = \beta*(p_i*G) = \beta*q_i = q'_i$ \item[$\implies$] {\bf $p'_i$ actually \textit{is} private key to $q'_i$} \end{itemize} } \end{description} \vfill \uncover<4->{ Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$ \begin{description} \item[To \blue{Compare}, calculate:] \small $(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)$ \end{description} \vfill } \end{frame} \begin{frame}{Instantiation with ECDSA} Functions (Commit, Attest, Verify, Derive, Compare)\\ as defined in the instantiation with ECDSA\\[0.5em] \begin{itemize} \item meet the basic requirements,\\[0.5em] \item also meet all security requirements.\\ \end{itemize} Security proofs by reduction, details are in the paper. \end{frame} \begin{frame}{Example: Proof of Unforgeability} \begin{columns} \column{0.4\textwidth} \begin{minipage}{\textwidth} \tiny \begin{description} \item[Game $\Game{FA}$: Forging an attest]~\\ 1. $(\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $\\ 2. $(\commitment, \pruf) \leftarrow \Commit(\age, \omega) $\\ 3. $(\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$\\ 4. Return 0 if $\minage \leq \age$\\ 5. Return $\Verify(\minage,\commitment,\attest)$\\ \vfill \item[Requirement:]~\\ $\Forall_{\Adv}: \Probability\Big[\Game{FA} = 1\Big] \le \negl$ \end{description} \end{minipage} \column{0.7\textwidth} Proof by reduction: \pause \small \begin{enumerate}[<+->] \item Adversary wins if $1 = \Verify(\minage,\commitment,\attest)$. \item That means: $\sigma$ was a valid ECDSA-signature, validated with $q_m$. \item But adversary does not have the private key $p_m$ to $q_m$. \item[$\implies$] So winning this game would require to existentially forge the signature, which is negligible. \end{enumerate} \end{columns} \end{frame} % \begin{frame}{Instantiation with ECDSA} % \framesubtitle{Full definitions} % \scriptsize % % \begin{align*} % \Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle % \overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\; % \overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf \text{, length }\Age} % \Big\rangle\\ % \Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:= % \begin{cases} % \attest_\bage := \Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage] \stackrel{?}{\neq} \Nil\\ % \Nil & \text{otherwise} % \end{cases}\\ % % % \Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:= \Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\ % % % \Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:= % \Big\langle(\beta * q_1,\ldots,\beta * q_\Age), % (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta \Big\rangle \\ % & \text{ with } \beta := \FDHg{\omega} \text{ and multiplication } \beta p_i \text{ modulo } g \nonumber\\ % % % \Compare_E(\Vcommitment, \Vcommitment', \beta) &:= % \begin{cases} % 1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\ % 0 & \text{otherwise} % \end{cases} % \end{align*} % \end{frame} \section{Integration with GNU Taler} \begin{frame}{GNU Taler}{https://www.taler.net} \label{fr:GnuTaler} \begin{columns} \column{4cm} \fontsize{8pt}{9pt}\selectfont \begin{tikzpicture}[scale=.55] \node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$}; \node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$}; \node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$}; \draw[<->] (Customer) to [out=65,in=220] node[sloped,above] {\sf withdraw} (Exchange); \draw[<->] (Customer) to [out=45,in=240] node[sloped,below] {\sf refresh} (Exchange); \draw[<->] (Customer) to node[sloped, below] {\sf purchase} (Merchant); \draw[<->] (Merchant) to node[sloped, above] {\sf deposit} (Exchange); \end{tikzpicture} \column{8cm} \begin{itemize} \item Protocol suite for online payment services \item Based on Chaum's \hyperlink{fr:reminderBlindSignature}{blind signatures} \item Taxable, efficient, free software \item Allows for change and refund \item Privacy preserving: anonymous and unlinkable payments \end{itemize} \end{columns} \vfill \uncover<2->{ \begin{itemize} \item Coins are public-/private key-pairs $(C_p, c_s)$. \item Exchange \hyperlink{fr:reminderBlindSignature}{blindly signs} $H(C_p)$ with denomination key $d_p$: \[ \beta(\sigma_p) = \mathsf{BlindSign}\big(\beta\left(H(C_p)\right), d_p \big)\] \item Verification: \begin{eqnarray*} 1 &\stackrel{?}{=}& \mathsf{SigCheck}\big(H(C_p), D_p, \sigma_p\big) \end{eqnarray*} \scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature) \end{itemize} } \end{frame} \begin{frame}{Integration with GNU Taler}{Binding age restriction to coins} \label{fr:bindingToCoins} To bind an age commitment $\commitment$ to a coin $C_p$, instead of blindly signing $H(C_p)$ \[ \beta(\sigma_p) = \mathsf{BlindSign}\big(\beta\left(H(C_p)\right), d_p \big)\] $\Exchange$ now \hyperlink{fr:reminderBlindSignature}{blindly signs $H(C_p \parallel \orange{H(\commitment)})$} \[ \beta(\sigma_p) = \mathsf{BlindSign}\big(\beta\left(H(C_p\parallel\orange{H(\commitment)})\right), d_p \big)\] \vfill Therefore, verfication of a coin now requires $H(\commitment)$, too: \[ 1 \stackrel{?}{=} \mathsf{SigCheck}\big(H\left(C_p\parallel\orange{H(\commitment)}\right), D_p, \sigma_p\big) \] \vfill \end{frame} \begin{frame}{Integration with GNU Taler} \framesubtitle{Integrated schemes} \fontsize{8pt}{9pt}\selectfont \begin{tikzpicture}[scale=.9] \node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$}; \node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$}; \node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$}; \node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$}; \draw[<->] (Guardian) to node[sloped,above,align=center] {{\sf withdraw}\orange{, using}\\ $H(C_p\orange{\parallel H(\commitment)})$} (Exchange); \draw[<->] (Client) to node[sloped,below,align=center] {{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange); \draw[<->] (Client) to node[sloped, below] {{\sf purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant); \draw[<->] (Merchant) to node[sloped, above] {{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange); \draw[->] (Guardian) to [out=70,in=150, loop] node[above] {$\Commit(\age)$} (Guardian); \draw[->] (Guardian) to node[below,sloped] {($\commitment$, $\pruf_\age$)} (Client); \draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below] {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client); \draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below] {\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant); \end{tikzpicture} \end{frame} \begin{frame}{Age restriction in the wallet} \centering \includegraphics[height=0.9\textheight]{images/wallet-age.png} \end{frame} % \include{gnu} % % \begin{frame}{Interested in GNU Taler?} % We are looking for developers, testers, users! % % \begin{description} % \item[Intro:] \url{https://taler.net} % \item[Learn:] \url{https://docs.taler.net} % \item[Develop:] \url{https://git.taler.net}, \url{https://bugs.taler.net} % \end{description} % \end{frame} \section{Discussion \& Conclusion} \begin{frame}{Discussion}{Technical aspects and challenges} \begin{itemize}[<+->] \item Our solution can in principle be used with any token-based payment scheme \item[] However, GNU Taler best aligned with our design goals (security, privacy and efficiency). \item Subsidiarity requires bank accounts being owned by adults. \item[] However, scheme can be adapted \begin{itemize} \item Know-Your-Customer (KYC) provides age information \item Parents can set age on a long-term wallet of a child \item cut\&choose protocol \texttt{age-withdraw} implemented \end{itemize} \end{itemize} \end{frame} \begin{frame}{Discussion}{Legal aspects and applicability} \begin{itemize}[<+->] \item The scheme only makes sense when cheating can be discouraged, f.e. economically \item There will be limits where the scheme is considered acceptable. \item Our scheme offers an alternative to identity management systems (IMS), where applicable \end{itemize} \end{frame} \begin{frame}{Discussion}{Potential for misuse} \begin{itemize}[<+->] \item Instead of age groups, couldn't the scheme encode \textit{arbitrary} semantics? \item Yes, but \textit{implementation} in GNU Taler only allows for arithmetic comparison. \item Note that augmented coin material (coin + age commitment) remains fungible. \vfill \item Problem of tainting already exists with denomitations keys: \item They could be used to seperate the anonymity set of users. \vfill \item GNU Taler defines the role of an \textit{Auditor}: \item a seperate entity to supervise the operation of the exchange. \end{itemize} \end{frame} \begin{frame}{Conclusion} Age restriction is a technical, ethical and legal challenge. \pause Existing solutions are \begin{itemize} \item without strong protection of privacy or \item based on identity management systems (IMS) \end{itemize} \vfill \pause Our scheme offers an option that \begin{itemize} \item aligns with subsidiarity \item preserves privacy \item is efficient \item and an alternative to IMS \end{itemize} \end{frame} \begin{frame}{} % \large \begin{center} {\Huge \textbf{Thank you!}}\\ Questions? \end{center} \begin{center} \texttt{oec-taler@kesim.org}\\ \texttt{@oec@mathstodon.xyz} \vfill {Interested in GNU Taler?} \begin{tabular}{rl} \textbf{Intro:}&\url{https://taler.net}\\ \textbf{Learn:}&\url{https://docs.taler.net}\\ \textbf{Develop:}&\url{https://git.taler.net}, \url{https://bugs.taler.net}\\ \textbf{Connect:}&\url{https://ich.taler.net}\\ \textbf{NGI Taler:}&\url{https://ngi.taler.net} \end{tabular} \end{center} \end{frame} \appendix \begin{frame}{Taler Overview} \hspace*{-3em}\includegraphics[width=\paperwidth]{images/taler-overview-blue.png} \end{frame} \begin{frame}{Basic Requirements - Details} \label{fr:detailedBasicRequirements} {\scriptsize \it back to \hyperlink{fr:basicRequirements}{Basic Requirements}} \begin{description}[<+->] \item[Existence of attestations] {\scriptsize \begin{align*} \Forall_{\age\in\N_\Age \atop \omega \in \Omega}: \Commit(\age, \omega) =: (\commitment, \pruf) \implies \Attest(\minage, \commitment, \pruf) = \begin{cases} \attest \in \Attests, \text{ if } \minage \leq \age\\ \Nil \text{ otherwise} \end{cases} \end{align*}} \item[Efficacy of attestations] {\scriptsize \begin{align*} \Verify(\minage, \commitment, \attest) = \ \begin{cases} 1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\ 0 \text{ otherwise} \end{cases} \end{align*}} {\scriptsize \begin{align*} \forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1. \end{align*}} ... \item[Derivability of commitments and attestations]... \end{description} \pause More details in the published paper. \end{frame} \begin{frame}{Reminder: RSA blind signature} \label{fr:reminderBlindSignature} \small In RSA, a public key $(e, N)$ and private key $(d, N)$ have the property \[ x^{ed} = x \mod N \] \pause Bob (B) creates a blind signature of a message $m$ for Alice (A): \begin{itemize}[<+->] \item[A:] \begin{itemize} \item chooses random integer $b$ \item calculates $m' := m*b^e$ {\hfill \scriptsize \textit{(blinding)}} \item sends $m'$ to B. \end{itemize} \item[B:] \begin{itemize} \item signs $m'$, by calculating $\sigma' := (m')^d \mod N$ {\hfill \scriptsize \textit{(B doesn't learn $m$)}} \item sends $\sigma'$ to A. \item[] \scriptsize Note: $(m')^d = (m*b^e)^d = m^d*b^{ed} = m^d*b \mod N$ \end{itemize} \item[A:]\begin{itemize} \item unblinds $\sigma'$ by calculating \[ \sigma := \sigma'*b^{-1} (= m^d) \] \item[$\implies$]$\sigma$ is a valid RSA signature to message $m$. \end{itemize} \end{itemize} \hfill \tiny back to \hyperlink{fr:GnuTaler}{\textit{taler}} or \hyperlink{fr:bindingToCoins}{\textit{binding}} \end{frame} %\begin{frame}{Requirements} % \framesubtitle{Details} % % \begin{description} % \item[Derivability of commitments and proofs:]~\\[0.1em] % {\scriptsize % Let \begin{align*} % \age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\ % (\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\ % (\commitment_1, \pruf_1, \blinding) & \leftarrow \Derive(\commitment_0, \pruf_0, \omega_1). % \end{align*} % We require % \begin{align*} % \Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity} % \end{align*} % and for all $n\leq\age$: % \begin{align*} % \Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &% % = % \Verify(n, \commitment_0, \Attest(n, \commitment_0, \pruf_0)) % \end{align*}} % \end{description} %\end{frame} \begin{frame}{Instantiation with Edx25519} But... isn't ECDSA considered to be difficult to implement correctly? \pause We also formally define another signature scheme, Edx25519:\\[1em] \begin{itemize} \item based on EdDSA (Bernstein et al.), \item generates compatible signatures, \item allows for key derivation from both, private and public keys, independently and \item is already in use in GNUnet. \end{itemize}~\\[1em] Current implementation of age restriction in GNU Taler uses Edx25519. \end{frame} \begin{frame}{Related Work} \begin{itemize} \item Current privacy-perserving systems all based on attribute-based credentials (Koning et al., Schanzenbach et al., Camenisch et al., Au et al.) \item Attribute-based approach lacks support: \begin{itemize} \item Complex for consumers and retailers \item Requires trusted additional authority \end{itemize} \vfill \item Other approaches tie age-restriction to ability to pay ("debit cards for kids") \begin{itemize} \item Advantage: mandatory to payment process \item Not privacy friendly \end{itemize} \end{itemize} \end{frame} \end{document}