1233 lines
39 KiB
TeX
1233 lines
39 KiB
TeX
\documentclass[fleqn,xcolor={usenames,dvipsnames}]{beamer}
|
|
\usepackage{appendixnumberbeamer}
|
|
\usepackage{amsmath}
|
|
\usepackage{multimedia}
|
|
\usepackage{wrapfig}
|
|
\usepackage[utf8]{inputenc}
|
|
\usepackage{framed,color,ragged2e}
|
|
\usepackage[absolute,overlay]{textpos}
|
|
\usetheme[progressbar=frametitle]{metropolis}
|
|
%\setbeamertemplate{navigation symbols}{\insertframenumber/\inserttotalframenumber}
|
|
\setbeamersize{description width=1em}
|
|
\setbeamertemplate{section in toc}[sections]
|
|
\setbeamertemplate{footline}{}
|
|
\usepackage{xcolor}
|
|
\usepackage[normalem]{ulem}
|
|
\usepackage{listings}
|
|
\usepackage{adjustbox}
|
|
\usepackage{array}
|
|
\usepackage{bbding}
|
|
\usepackage{relsize}
|
|
\usepackage{graphicx}
|
|
\usepackage{tikz,eurosym,calc}
|
|
\usetikzlibrary{tikzmark}
|
|
\usetikzlibrary{shapes,arrows,arrows.meta}
|
|
\usetikzlibrary{positioning,patterns}
|
|
\usetikzlibrary{calc}
|
|
|
|
\usepackage{fontspec}
|
|
\IfFontExistsTF{IBM Plex Sans}{\setsansfont{IBM Plex Sans}}{}
|
|
\IfFontExistsTF{IBM Plex Serif}{\setmainfont{IBM Plex Serif}}{}
|
|
|
|
\definecolor{blue}{rgb}{0,0.4,1}
|
|
\newcommand{\orange}[1]{{\color{orange}#1}}
|
|
\newcommand{\TODO}[1]{\orange{TODO: #1}}
|
|
|
|
\makeatletter
|
|
\setbeamercolor{framesubtitle}{fg=mDarkTeal}
|
|
\defbeamertemplate*{frametitle}{myframetitle}{%
|
|
\nointerlineskip
|
|
\begin{beamercolorbox}[%
|
|
wd=\paperwidth,%
|
|
sep=0pt,%
|
|
leftskip=\metropolis@frametitle@padding,
|
|
rightskip=\metropolis@frametitle@padding,
|
|
]{frametitle}%
|
|
\metropolis@frametitlestrut@start
|
|
\quad\insertframetitle%%%%%%%%%%%%%%%%%%%%%%
|
|
\nolinebreak
|
|
\metropolis@frametitlestrut@end
|
|
\end{beamercolorbox}\par
|
|
\usebeamerfont{framesubtitle}%
|
|
\usebeamercolor[fg]{framesubtitle}%
|
|
\vskip3pt
|
|
\hspace*{-0.5\metropolis@frametitle@padding}%
|
|
\insertframesubtitle
|
|
}
|
|
\makeatother
|
|
\setbeamertemplate{frametitle}[myframetitle]
|
|
|
|
\newcommand{\Section}[2]{\section[#1\newline\scriptsize{#2}]{#1}}
|
|
|
|
\input{definitions}
|
|
|
|
\title{Are you old enough to buy this?}
|
|
\subtitle{Zero-Knowledge Age Restriction for GNU Taler}
|
|
|
|
\author{Özgür Kesim}
|
|
\institute{Code Blau GmbH, FU Berlin, TU Dresden}
|
|
\date{31 May 2024}
|
|
|
|
\titlegraphic{\centering\vspace*{-0.5cm}\includegraphics[width=0.3\textwidth]{images/surveilance-logo.png}}
|
|
|
|
|
|
\begin{document}
|
|
|
|
%\justifying
|
|
|
|
\begin{frame}
|
|
\titlepage
|
|
\end{frame}
|
|
|
|
\section*{Prolog}%{Who am I, what do I want and who pays for all this?}
|
|
|
|
\begin{frame}{Sponsors}
|
|
\centering\begin{columns}[T]
|
|
\column{0.6\textwidth}
|
|
\centering NGI Taler and NGI Pointer programs of the European Commission\\[2em]
|
|
|
|
\centering\includegraphics[width=0.9\textwidth]{images/ngi-taler.jpg}
|
|
|
|
\centering\includegraphics[width=0.5\textwidth]{images/ngi-ap3.png}
|
|
|
|
\column{0.4\textwidth}
|
|
\centering Project\\ \textit{Concrete Contracts} in the
|
|
\textit{KMU-innovativ} programm\\[2em]
|
|
|
|
\centering\includegraphics[width=0.9\textwidth]{images/bmbf-english.jpg}
|
|
\end{columns}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Who am I}
|
|
Özgür Kesim,
|
|
\begin{itemize}
|
|
\item security consultant for 20+ years,
|
|
\item PhD candidate at FU Berlin,
|
|
\item member of GNU Taler dev-team.
|
|
\end{itemize}
|
|
\note{fnord}
|
|
|
|
\vfill
|
|
\url{oec-taler@kesim.org} \hfill \url{@oec@mathstodon.xyz} \hfill
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}{What to expect}
|
|
\small
|
|
\begin{description}
|
|
\item<1->[Deliverable]~\\
|
|
Present a solution to age restriction and its integration in GNU Taler.
|
|
\vfill
|
|
\item<2->[Drive-By]~\\
|
|
Show concepts from cryptography by example:
|
|
|
|
Zero-Knowledge protocol, Security Game and Security Proof
|
|
|
|
\vfill
|
|
\item<3->[Non-goals]~\\
|
|
\begin{itemize}
|
|
\item[] \underline{Rigorous} introduction into GNU Taler
|
|
\item[] Demos
|
|
\end{itemize}
|
|
\end{description}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Chapters}
|
|
\tableofcontents[pausesections,hideallsubsections]
|
|
\end{frame}
|
|
|
|
|
|
\section[Introduction\newline\scriptsize Age Restriction in E-commerce]{Introduction}
|
|
|
|
\begin{frame}{Youth protection}
|
|
|
|
Broad consensus in society about the necessity to protect minors from
|
|
harmful content.
|
|
|
|
\vfill
|
|
|
|
Also wanted from policy makers:\\[1em]
|
|
\begin{quote}
|
|
11. Member states should encourage the \textbf{use of
|
|
conditional access tools} by content and service providers in
|
|
relation to content harmful to minors, \textbf{such as
|
|
age-verification systems}, ...
|
|
\end{quote}
|
|
|
|
\tiny
|
|
From the
|
|
\href{https://rm.coe.int/CoERMPublicCommonSearchServices/DisplayDCTMContent?documentId=0900001680645b44}
|
|
{\textit{Recommendation Rec (2001) 8 of the Committee of
|
|
Ministers to member states on self-regulation concerning cyber
|
|
content}} of the Council of Europe.
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}{Age restriction in E-commerce}
|
|
|
|
\begin{description}[<+->]
|
|
\item[Problem:]~\\[1em]
|
|
Verification of minimum age requirements in e-commerce.\\[2em]
|
|
|
|
\item[Common solutions:]
|
|
|
|
\begin{tabular}{l<{\onslide<3->}c<{\onslide<4->}cr<{\onslide}}
|
|
& \blue{Privacy} & \tikzmark{topau} \blue{Ext. authority}& \\[\medskipamount]
|
|
1. ID Verification & bad & required & \\[\medskipamount]
|
|
2. Restricted Accounts & bad & required & \\[\medskipamount]
|
|
3. Attribute-based & good & required &\tikzmark{bottomau} \\[\medskipamount]
|
|
\end{tabular}
|
|
\end{description}
|
|
|
|
\uncover<5->{
|
|
\begin{tikzpicture}[overlay,remember picture]
|
|
\draw[orange,thick,rounded corners]
|
|
($(pic cs:topau) +(0,0.5)$) rectangle ($(pic cs:bottomau) -(0.3, 0.2)$);
|
|
\end{tikzpicture}
|
|
\begin{center}
|
|
\bf Principle of subsidiarity is ignored
|
|
\end{center}
|
|
}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Principle of Subsidiarity}
|
|
\begin{center}\large
|
|
Functions of government\\
|
|
---such as granting and restricting rights---\\
|
|
should be performed\\
|
|
{\it at the lowest level of authority possible},\\
|
|
as long as they can be performed {\it adequately}.
|
|
\end{center}
|
|
\vfill
|
|
\uncover<2->{
|
|
For age-restriction, the lowest level of authority is:\\
|
|
\begin{center}\Large
|
|
Parents, guardians and caretakers
|
|
\end{center}
|
|
}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Our goal}
|
|
A design and implementation of an age restriction scheme\\
|
|
with the following properties:
|
|
\pause
|
|
\begin{enumerate}[<+->]
|
|
\item It ties age restriction to the \textbf{ability to pay} (not to ID's),
|
|
\item maintains the \textbf{anonymity of buyers},
|
|
\item maintains \textbf{unlinkability of transactions},
|
|
\item aligns with the \textbf{principle of subsidiarity},
|
|
\item is \textbf{practical and efficient}.
|
|
\end{enumerate}
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}{Teaser}
|
|
\centering \includegraphics[height=0.9\textheight]{images/wallet-age.png}
|
|
\end{frame}
|
|
|
|
\Section{The quest for a solution to age restriction}{A journey through cryptic territory}
|
|
|
|
\begin{frame}{Basic assumption and ideas}
|
|
\small
|
|
Assumption: Bank accounts are under control of adults/guardians.
|
|
|
|
\vfill
|
|
Sketch of scheme, independent of payment service protocol:
|
|
|
|
\begin{columns}
|
|
\column{7cm}
|
|
\begin{enumerate}
|
|
\item<2-> \textit{Guardians} \textbf{commit} to a maximum age
|
|
\item<4-> \tikzmark{sstart}\textit{Minors} \textbf{attest} their adequate age
|
|
\item<6-> \textit{Merchants} \textbf{verify} the attestations
|
|
\item<7-> \textit{Minors} \textbf{derive} age commitments from existing ones
|
|
\item<9-> \textit{Exchanges} \textbf{compare} the derived age commitments
|
|
\item<10-> \tikzmark{send}{\large \texttt{GOTO}} 2.
|
|
\begin{tikzpicture}[overlay, remember picture]
|
|
\draw[line width=1pt,->]
|
|
([shift=({-6mm, 1mm})]pic cs:send) to
|
|
([shift=({-1cm, 1mm})]pic cs:send) to
|
|
([shift=({-1cm, 1mm})]pic cs:sstart) to
|
|
([shift=({-6mm, 1mm})]pic cs:sstart);
|
|
\end{tikzpicture}
|
|
\end{enumerate}
|
|
\column{4.5cm}
|
|
\begin{center}
|
|
\fontsize{7pt}{7pt}\selectfont
|
|
\begin{tikzpicture}[scale=.5]
|
|
\uncover<2->{
|
|
\node[circle,minimum size=15pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$};
|
|
\draw[->] (Guardian) to [out=50,in=130, loop] node[above]
|
|
{$\Commit$} (Guardian);
|
|
}
|
|
\uncover<3->{
|
|
\node[circle,minimum size=15pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
|
|
\draw[,|->] (Guardian) to node[above,sloped,align=left]
|
|
{{\scriptsize }} (Client);
|
|
}
|
|
\uncover<4->{
|
|
\draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left]
|
|
{\blue{$\Attest$}} (Client);
|
|
}
|
|
\uncover<5->{
|
|
\node[circle,minimum size=15pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$};
|
|
\draw[blue,|->] (Client) to node[sloped, above]
|
|
{\blue{\scriptsize }} (Merchant);
|
|
}
|
|
\uncover<6->{
|
|
\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
|
|
{\blue{$\Verify$}} (Merchant);
|
|
}
|
|
\uncover<7->{
|
|
\draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below]
|
|
{\orange{$\Derive$}} (Client);
|
|
}
|
|
\uncover<8->{
|
|
\node[circle,minimum size=15pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
|
|
\draw[orange,|->] (Client) to node[sloped,above,align=left]
|
|
{\orange{\scriptsize }} (Exchange);
|
|
}
|
|
\uncover<9->{
|
|
\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
|
|
{\orange{$\Compare$}} (Exchange);
|
|
}
|
|
\end{tikzpicture}
|
|
\end{center}
|
|
\end{columns}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Helpful figure - Commit}
|
|
|
|
\centering\includegraphics[height=0.9\textheight]{images/commit.pdf}
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}{Helpful figure - Attest and Verify}
|
|
|
|
\centering\includegraphics[height=0.9\textheight]{images/attest-verify.pdf}
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}{Helpful figure - Derive and Compare}
|
|
|
|
\centering\includegraphics[width=\textwidth]{images/derive-compare.pdf}
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}{Helpful figure}
|
|
\small
|
|
\begin{columns}[t]
|
|
\column{0.25\textwidth}
|
|
Commit:\\[1em]
|
|
|
|
\includegraphics[width=\textwidth]{images/commit.pdf}
|
|
|
|
\column{0.25\textwidth}
|
|
Attest and Verify:\\[1em]
|
|
|
|
\includegraphics[width=\textwidth]{images/attest-verify.pdf}
|
|
|
|
\column{0.5\textwidth}
|
|
Derive and Compare:\\[1em]
|
|
|
|
\includegraphics[width=\textwidth]{images/derive-compare.pdf}
|
|
\end{columns}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Specification of the Function Signatures}
|
|
\small
|
|
Searching for functions \uncover<2->{with the following signatures}
|
|
\begin{align*}
|
|
&\bf \Commit\uncover<2->{:
|
|
&(\age, \omega) &\mapsto (\commitment, \pruf)
|
|
&\scriptstyle \N_\Age \times \Omega &\scriptstyle \to \Commitments\times\Proofs,
|
|
}
|
|
\\
|
|
%FIXME: This is how Attest was defined in the orignal paper (_with_) commitment!
|
|
%&\bf \Attest\uncover<3->{:
|
|
% &(\minage, \commitment, \pruf) &\mapsto \attest
|
|
% &\scriptstyle \N_\Age\times\Commitments\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\},
|
|
% }
|
|
%\\
|
|
&\bf \Attest\uncover<3->{:
|
|
&(\minage, \pruf) &\mapsto \attest
|
|
&\scriptstyle \N_\Age\times\Proofs &\scriptstyle \to \Attests \cup \{\Nil\},
|
|
}
|
|
\\
|
|
&\bf \Verify\uncover<4->{:
|
|
&(\minage, \commitment, \attest) &\mapsto b
|
|
&\scriptstyle \N_\Age\times\Commitments\times\Attests &\scriptstyle \to \Z_2,
|
|
}
|
|
\\
|
|
&\bf \Derive\uncover<5->{:
|
|
&(\commitment, \pruf, \omega) &\mapsto (\commitment', \pruf', \blinding)
|
|
&\scriptstyle \Commitments\times\Proofs\times\Omega &\scriptstyle \to \Commitments\times\Proofs\times\Blindings,
|
|
}
|
|
\\
|
|
&\bf \Compare\uncover<6->{:
|
|
&(\commitment, \commitment', \blinding) &\mapsto b
|
|
&\scriptstyle \Commitments\times\Commitments\times\Blindings &\scriptstyle \to \Z_2,
|
|
}
|
|
\end{align*}
|
|
\uncover<7->{
|
|
with $\Omega, \Proofs, \Commitments, \Attests, \Blindings$
|
|
sufficiently large sets.\\[1em]
|
|
}
|
|
%\uncover<8->{
|
|
% The blindings $\beta$ ensure that only the Exchange can compare commitments.\\[1em]
|
|
%}
|
|
\uncover<8->{
|
|
We will define basic and security requirements later.\\[1em]
|
|
}
|
|
|
|
\scriptsize
|
|
\uncover<2->{
|
|
Mnemonics:\\
|
|
$\Commitments=$ \textit{c$\Commitments$mmitments},
|
|
$\commitment=$ \textit{Q-mitment} (commitment),
|
|
$\Proofs=$ \textit{$\Proofs$roofs},
|
|
}
|
|
\uncover<3->{
|
|
$\pruf=$ \textit{$\pruf$roof},\\
|
|
$\Attests=$ \textit{a$\Attests$testations},
|
|
$\attest=$ \textit{a$\attest$testation},
|
|
}
|
|
\uncover<5->{
|
|
$\Blindings=$ \textit{$\Blindings$lindings},
|
|
$\blinding=$ \textit{$\blinding$linding}.
|
|
}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Naïve scheme}
|
|
\begin{center}
|
|
\begin{tikzpicture}[scale=.8]
|
|
\node[circle,minimum size=20pt,fill=blue!15] at (140:3) (Guardian) {$\Guardian$};
|
|
\node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
|
|
\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
|
|
\node[circle,minimum size=20pt,fill=black!15] at ( 0:4) (Merchant) {$\Merchant$};
|
|
|
|
\draw[->] (Guardian) to [out=50,in=130, loop] node[above]
|
|
{$\Commit$} (Guardian);
|
|
\draw[->,blue] (Client) to [out=-125,in=-190, loop] node[below,left]
|
|
{\blue{$\Attest$}} (Client);
|
|
\draw[->,blue] (Merchant) to [out=50,in=130, loop] node[above]
|
|
{\blue{$\Verify$}} (Merchant);
|
|
\draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below]
|
|
{\orange{$\Derive$}} (Client);
|
|
\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
|
|
{\orange{$\Compare$}} (Exchange);
|
|
|
|
\draw[,|->] (Guardian) to node[above,sloped,align=left]
|
|
{\scriptsize ($\commitment$, $\pruf_\age$)} (Client);
|
|
\draw[blue,|->] (Client) to node[sloped, above]
|
|
{\blue{\scriptsize($\minage$, $\commitment$, $\attest$) }} (Merchant);
|
|
\draw[orange,|->] (Client) to node[sloped,above,align=left]
|
|
{\orange{\scriptsize($\commitment$, $\commitment'$, $\beta$) }} (Exchange);
|
|
\end{tikzpicture}
|
|
\end{center}
|
|
% \pause{Why should $\Merchant$ trust those $\commitment$? Will solve later.
|
|
% \tiny (Hint: blind signature from $\Exchange$)}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Problem of unlinkability}
|
|
\begin{columns}
|
|
\column{3cm}
|
|
\begin{center}
|
|
\fontsize{8pt}{9pt}\selectfont
|
|
\begin{tikzpicture}[scale=.65]
|
|
\node[circle,minimum size=20pt,fill=black!15] at ( 60:4) (Exchange) {$\Exchange$};
|
|
\node[circle,minimum size=20pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
|
|
|
|
\draw[->,orange] (Client) to [out=-35,in=-100, loop] node[below]
|
|
{\orange{$\footnotesize \Derive()$}} (Client);
|
|
\draw[->,orange] (Exchange) to [out=50,in=130, loop] node[above]
|
|
{\orange{$\footnotesize \Compare()$}} (Exchange);
|
|
|
|
\draw[orange,|->] (Client) to node[sloped,above,align=left]
|
|
{\orange{\tiny \uncover<2->{$(\commitment_i,\commitment_{i+1})$}}} (Exchange);
|
|
\end{tikzpicture}
|
|
\end{center}
|
|
|
|
\column{9cm}
|
|
Simple use of $\Derive()$ and $\Compare()$ is problematic.
|
|
|
|
\pause
|
|
\begin{itemize}[<+->]
|
|
\item Calling $\Derive()$ iteratively generates sequence
|
|
$(\commitment_0, \commitment_1, \dots)$ of commitments.
|
|
\item Exchange calls $\Compare(\commitment_i, \commitment_{i+1},~.~)$
|
|
\item[$\implies$]Exchange identifies sequence
|
|
\item[$\implies$]{\bf Unlinkability broken}
|
|
\end{itemize}
|
|
\end{columns}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Achieving Unlinkability}
|
|
Given $\Derive()$ and $\Compare()$, define the cut-and-choose protocoll
|
|
\orange{$\DeriveCompare$} as follows (sketch):
|
|
|
|
\begin{columns}
|
|
\column{0.3\textwidth}
|
|
\pause
|
|
\includegraphics[width=\textwidth]{images/cut-and-choose.pdf}
|
|
|
|
\column{0.7\textwidth}
|
|
\pause
|
|
|
|
\uncover<2->{
|
|
|
|
\scriptsize
|
|
|
|
Let $\kappa \in \N$ (say: $\kappa = 3$)
|
|
\begin{itemize}[<+->]
|
|
\item[$\Child$:]
|
|
\begin{enumerate}
|
|
\scriptsize
|
|
\item generates $(\commitment_1,\dots,\commitment_\kappa)$
|
|
and $(\beta_1,\dots,\beta_\kappa)$ from $\commitment_0$
|
|
by calling $\kappa$ times $\Derive(\commitment_0, \pruf_0, \omega_i)$
|
|
\item calculates $h_0:=H\left(H(\commitment_1, \beta_1)\parallel \dots\parallel H(\commitment_\kappa, \beta_\kappa)\right)$
|
|
\item sends $\commitment_0$ and $h_0$ to $\Exchange$
|
|
\end{enumerate}
|
|
\item[$\Exchange$:]
|
|
\begin{enumerate}
|
|
\scriptsize
|
|
|
|
\item[4.] saves $\commitment_0$ and $h_0$ and sends $\Child$ random $\gamma \in \{1,\dots,\kappa\}$
|
|
\end{enumerate}
|
|
\item[$\Child$:]
|
|
\begin{enumerate}
|
|
\scriptsize
|
|
\item[5.] reveals $h_\gamma:=H(\commitment_\gamma, \beta_\gamma)$ and all $(\commitment_i, \beta_i)$, except $(\commitment_\gamma, \beta_\gamma)$
|
|
\end{enumerate}
|
|
\item[$\Exchange$:]
|
|
\begin{enumerate}
|
|
\scriptsize
|
|
\item[6.] compares $h_0$ and
|
|
$H\left(H(\commitment_1, \beta_1)\parallel ...\parallel h_\gamma\parallel ...\parallel H(\commitment_\kappa, \beta_\kappa)\right)$
|
|
\item[7.] evaluates $\Compare(\commitment_0, \commitment_i, \beta_i)$ for all $i \neq \gamma$.
|
|
\end{enumerate}
|
|
\end{itemize}
|
|
\pause
|
|
\scriptsize
|
|
|
|
If all steps succeed, $\commitment_\gamma$ is the new commitment.
|
|
}
|
|
\end{columns}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Achieving Unlinkability}%{Certainty trade-off}
|
|
|
|
With \orange{$\DeriveCompare$}
|
|
\begin{itemize}
|
|
\item $\Exchange$ learns nothing about $\commitment_\gamma$ or $H(\commitment_\gamma)$,
|
|
\item trusts outcome with $\frac{\kappa-1}{\kappa}$ certainty,
|
|
\item i.e. $\Child$ has $\frac{1}{\kappa}$ chance to cheat.
|
|
\item<2->[$\implies$] \textbf{Gives us unlinkability at the price of (adjustable) uncertainty!}
|
|
\end{itemize}
|
|
|
|
\vfill
|
|
\uncover<3->{Notes:
|
|
\begin{itemize}
|
|
\item similar to the cut\&choose {\it refresh} protocol in GNU Taler
|
|
\item still need to define $\Derive()$ and $\Compare()$.
|
|
\end{itemize}
|
|
}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Refined scheme}
|
|
\begin{center}
|
|
\begin{tikzpicture}[scale=.8]
|
|
\node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$};
|
|
\node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
|
|
\node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$};
|
|
\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
|
|
|
|
\uncover<2-3,8->{
|
|
\draw[->] (Guardian) to [out=150,in=70, loop] node[above]
|
|
{$\Commit(\age)$} (Guardian);
|
|
}
|
|
\uncover<3,8->{
|
|
\draw[->] (Guardian) to node[below,sloped]
|
|
{($\commitment$, $\pruf_\age$)} (Client);
|
|
}
|
|
|
|
\uncover<4-6,8->{
|
|
\draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below]
|
|
% FIXME: This is in the original paper:
|
|
% {\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
|
|
{\blue{$\Attest(\minage, \pruf_{\age})$}} (Client);
|
|
}
|
|
\uncover<5-6,8->{
|
|
\draw[blue,->] (Client) to node[sloped, below]
|
|
{\blue{$(\attest_\minage, \commitment)$}} (Merchant);
|
|
}
|
|
\uncover<6,8->{
|
|
\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
|
|
{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
|
|
}
|
|
\uncover<7,8->{
|
|
\draw[orange,<->] (Client) to
|
|
node[sloped,below,align=center] {\orange{$\commitment \mapsto \commitment_\gamma$}}
|
|
node[sloped,above,align=center] {\orange{$\DeriveCompare$}} (Exchange);
|
|
}
|
|
|
|
\end{tikzpicture}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Sensible solutions}
|
|
Quest for functions should lead to \textit{sensible} solutions.
|
|
|
|
\pause
|
|
F. e. $\Verify()$ should not simply always return \texttt{true}.
|
|
|
|
\pause
|
|
We need more requirements.
|
|
\end{frame}
|
|
|
|
% \begin{frame}{Achieving Unlinkability}
|
|
% \scriptsize
|
|
% $\DeriveCompare : \Commitments\times\Proofs\times\Omega \to \{0,1\}$\\
|
|
% \vfill
|
|
% $\DeriveCompare(\commitment, \pruf, \omega) =$
|
|
% \begin{itemize}
|
|
% \it
|
|
% \itemsep0.5em
|
|
% \item[$\Child$:]
|
|
% \begin{enumerate}
|
|
% \scriptsize
|
|
% \itemsep0.3em
|
|
% \item for all $i \in \{1,\dots,\kappa\}:
|
|
% (\commitment_i,\pruf_i,\beta_i) \leftarrow \Derive(\commitment, \pruf, \omega + i)$
|
|
% \item $h \leftarrow \Hash\big(\Hash(\commitment_1,\beta_1)\parallel\dots\parallel\Hash(\commitment_\kappa,\beta_\kappa) \big)$
|
|
% \item send $(\commitment, h)$ to $\Exchange$
|
|
% \end{enumerate}
|
|
% \item[$\Exchange$:]
|
|
% \begin{enumerate}
|
|
% \setcounter{enumi}{4}
|
|
% \scriptsize
|
|
% \itemsep0.3em
|
|
% \item save $(\commitment, h)$ \label{st:hash}
|
|
% \item $\gamma \drawfrom \{1,\dots ,\kappa\}$
|
|
% \item send $\gamma$ to $\Child$
|
|
% \end{enumerate}
|
|
% \item[$\Child$:]
|
|
% \begin{enumerate}
|
|
% \setcounter{enumi}{7}
|
|
%
|
|
% \scriptsize
|
|
% \itemsep0.3em
|
|
% \item $h'_\gamma \leftarrow \Hash(\commitment_\gamma, \beta_\gamma)$
|
|
% \item $\mathbf{E}_\gamma \leftarrow \big[(\commitment_1,\beta_1),\dots,
|
|
% (\commitment_{\gamma-1}, \beta_{\gamma-1}),
|
|
% \Nil,
|
|
% (\commitment_{\gamma+1}, \beta_{\gamma+1}),
|
|
% \dots,(\commitment_\kappa, \beta_\kappa)\big]$
|
|
% \item send $(\mathbf{E}_\gamma, h'_\gamma)$ to $\Exchange$
|
|
% \end{enumerate}
|
|
% \item[$\Exchange$:]
|
|
% \begin{enumerate}
|
|
% \setcounter{enumi}{10}
|
|
% \scriptsize
|
|
% \itemsep0.3em
|
|
% \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}: h_i \leftarrow \Hash(\mathbf{E}_\gamma[i])$
|
|
% \item if $h \stackrel{?}{\neq} \HashF(h_1\|\dots\|h_{\gamma-1}\|h'_\gamma\|h_{\gamma+1}\|\dots\|h_{\kappa-1})$ return 0
|
|
% \item for all $i \in \{1,\dots,\kappa\}\setminus\{\gamma\}$:
|
|
% if $0 \stackrel{?}{=} \Compare(\commitment,\commitment_i, \beta_i)$ return $0$
|
|
% \item return 1
|
|
% \end{enumerate}
|
|
% \end{itemize}
|
|
% \end{frame}
|
|
|
|
\section*{Requirements}
|
|
|
|
\begin{frame}{Basic Requirements}
|
|
\label{fr:basicRequirements}
|
|
Candidate functions
|
|
\[ (\Commit, \Attest, \Verify, \Derive, \Compare) \]
|
|
must meet \textit{basic requirements}:
|
|
|
|
\begin{itemize}
|
|
\item Existence of attestations
|
|
\item Efficacy of attestations
|
|
\item Derivability of commitments and attestations
|
|
\end{itemize}
|
|
\pause
|
|
More details in the published paper and \hyperlink{fr:detailedBasicRequirements}{Appendix}.
|
|
\end{frame}
|
|
|
|
\begin{frame}{Security Requirements}
|
|
Candidate functions must also meet \textit{security requirements},
|
|
defined via security games:
|
|
\vfill
|
|
{
|
|
\small
|
|
\pause
|
|
\hspace*{-1em}\begin{tabular}{rp{9cm}}
|
|
\bf Requirement:& Unforgeability of minimum age\pause\\
|
|
\bf $\leftrightarrow$\hfill Game:& Forging an attestation\pause\\[0.5em]
|
|
\bf Requirement: & Non-disclosure of age \pause\\
|
|
\bf$\leftrightarrow$\hfill Game: & Age disclosure by commitment or attestation \pause\\[0.5em]
|
|
\bf Requirement:& Unlinkability of commitments and attestations\pause\\
|
|
\bf $\leftrightarrow$\hfill Game:& Distinguishing derived commitments and attestations
|
|
\end{tabular}
|
|
}
|
|
\vfill
|
|
|
|
\pause
|
|
Meeting the security requirements means that adversaries can win
|
|
those games only with negligible advantage.
|
|
\vfill
|
|
\pause
|
|
Adversaries are arbitrary polynomial-time algorithms, acting on all
|
|
relevant input.
|
|
\end{frame}
|
|
|
|
\begin{frame}{Security Requirements}{Simplified Example}
|
|
|
|
\begin{description}[<+->]
|
|
\item[Game $\Game{FA}$: Forging an attest]~\\
|
|
{\small
|
|
\begin{enumerate}
|
|
\item $ (\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $
|
|
\item $ (\commitment, \pruf) \leftarrow \Commit(\age, \omega) $
|
|
\item $ (\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$
|
|
\item Return 0 if $\minage \leq \age$
|
|
\item Return $\Verify(\minage,\commitment,\attest)$
|
|
\item[]~\\[0.5em] Adversary $\Adv$ wins the game, if $\Game{FA}$ returns 1.
|
|
\end{enumerate}
|
|
}
|
|
\vfill
|
|
\item[Requirement: Unforgeability of minimum age]
|
|
{\small
|
|
\begin{equation*}
|
|
\Forall_{\Adv\in\PPT(\N_\Age\times\Commitments\times\Proofs\to \N_\Age\times\Attests)}:
|
|
\Probability\Big[\Game{FA} = 1\Big] \le \negl
|
|
\end{equation*}
|
|
}
|
|
\end{description}
|
|
|
|
% \pause
|
|
% Note: This example does not take $\Derive()$ into account.
|
|
\end{frame}
|
|
|
|
\begin{frame}{Our task}
|
|
\large
|
|
Finding functions
|
|
\[ (\Commit, \Attest, \Verify, \Derive, \Compare) \]
|
|
that meet the basic and security requirements.
|
|
\end{frame}
|
|
|
|
\section*{A solution}
|
|
|
|
|
|
\begin{frame}{Instantiation with ECDSA}
|
|
We propose a solution based on ECDSA.
|
|
|
|
Think: One key-pair per age group.
|
|
|
|
\end{frame}
|
|
|
|
\begin{frame}{Definition of Commit with ECDSA}%{Definition of Commit}
|
|
\begin{columns}
|
|
\column{0.2\textwidth}
|
|
\includegraphics[width=1.1\textwidth]{images/commit.pdf}
|
|
\column{0.8\textwidth}
|
|
\begin{description}
|
|
\small
|
|
\item[To \blue{Commit} to age group $\age \in \{1,\dots,\Age\}$]~\\
|
|
\begin{enumerate}[<+->]
|
|
\small
|
|
\item Guardian generates ECDSA-keypairs, one per age group:
|
|
\[\langle(q_1, p_1),\dots,(q_\Age,p_\Age)\rangle\]
|
|
\item Guardian then \textbf{drops} all private keys
|
|
$p_i$ for $i > \age$:
|
|
\[\Big \langle(q_1, p_1),\dots,
|
|
(q_\age, p_\age),
|
|
(q_{\age +1}, \red{\Nil}),\dots,
|
|
(q_\Age, \red{\Nil})\Big\rangle\]
|
|
\item[] then set \begin{itemize}
|
|
\setlength{\itemindent}{5em}
|
|
\item[\bf Commitment:] $\Vcommitment := (q_1,~\dots~\dots~\dots~,q_\Age)$
|
|
\item[\bf Proof:] $\Vpruf_\age := (p_1, \dots, p_\age, \Nil,\dots,\Nil)$
|
|
\end{itemize}
|
|
\vfill
|
|
\item Guardian gives child $\langle \Vcommitment, \Vpruf_\age \rangle$
|
|
\vfill
|
|
\end{enumerate}
|
|
\end{description}
|
|
\end{columns}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Attest and Verify with ECDSA}
|
|
\begin{columns}
|
|
\column{0.2\textwidth}
|
|
\includegraphics[width=1.1\textwidth]{images/attest-verify.pdf}
|
|
\column{0.8\textwidth}
|
|
\small
|
|
Child has
|
|
\begin{itemize}
|
|
\small
|
|
\item ordered public-keys $\Vcommitment = (q_1, \dots~\dots~\dots, q_\Age) $,
|
|
\item (some) private-keys $\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
|
|
\end{itemize}
|
|
\begin{description}
|
|
\small
|
|
\item<2->[To \blue{Attest} a minimum age (group) $\blue{\minage} \leq \age$:]~\\
|
|
Sign a message with ECDSA using private key
|
|
$p_\blue{\minage}$. The signature $\sigma_\blue{\minage}$ is the
|
|
attestation.
|
|
\end{description}
|
|
|
|
\vfill
|
|
|
|
\uncover<3->{
|
|
\small
|
|
Merchant gets
|
|
\begin{itemize}
|
|
\small
|
|
\item ordered public-keys $\Vcommitment = (q_1, \dots, q_\Age) $
|
|
\item Signature $\sigma_\blue{\minage}$
|
|
\end{itemize}
|
|
\begin{description}
|
|
\small
|
|
\item<4->[To \blue{Verify} a minimum age (group) \blue{$\minage$}:]~\\
|
|
Verify the ECDSA-Signature $\sigma_\blue{\minage}$ with public key $q_\blue{\minage}$.
|
|
\end{description}
|
|
}
|
|
\vfill
|
|
\end{columns}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Derive and Compare with ECDSA}
|
|
Child has
|
|
$\Vcommitment = (q_1, \dots, q_\Age) $ and
|
|
$\Vpruf = (p_1, \dots, p_\age, \Nil, \dots, \Nil)$.
|
|
\begin{description}
|
|
\item<2->[To \blue{Derive} new $\Vcommitment'$ and $\Vpruf'$:]
|
|
Choose random $\beta\in\Z_g$ and calculate
|
|
\small
|
|
\begin{align*}
|
|
\Vcommitment' &= \big(q'_1,~\ldots~\ldots~\ldots~,q'_\Age\big) &&:= \big(\beta * q_1,\ldots~\ldots,\beta * q_\Age\big) ,\\
|
|
\Vpruf' &= \big(p'_1,\ldots,p'_\age, \Nil, \ldots, \Nil\big) &&:= \big(\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil\big)
|
|
\end{align*}
|
|
\uncover<3->{
|
|
\small
|
|
Note:
|
|
\begin{itemize}
|
|
\item $\beta*q_i$ is scalar multiplication on the elliptic curve.
|
|
\item $p'_i*G$ = $(\beta p_i)*G = \beta*(p_i*G) = \beta*q_i = q'_i$
|
|
\item[$\implies$] {\bf $p'_i$ actually \textit{is} private key to $q'_i$}
|
|
\end{itemize}
|
|
}
|
|
\end{description}
|
|
|
|
\vfill
|
|
\uncover<4->{
|
|
Exchange gets $\Vcommitment = (q_1,\dots,q_\Age)$, $\Vcommitment' = (q_1', \dots, q_\Age')$ and $\beta$
|
|
\begin{description}
|
|
\item[To \blue{Compare}, calculate:]
|
|
\small
|
|
$(\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)$
|
|
\end{description}
|
|
\vfill
|
|
}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Instantiation with ECDSA}
|
|
|
|
Functions
|
|
(Commit, Attest, Verify, Derive, Compare)\\
|
|
as defined in the instantiation with ECDSA\\[0.5em]
|
|
\begin{itemize}
|
|
\item meet the basic requirements,\\[0.5em]
|
|
\item also meet all security requirements.\\
|
|
\end{itemize}
|
|
|
|
Security proofs by reduction, details are in the paper.
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Example: Proof of Unforgeability}
|
|
\begin{columns}
|
|
\column{0.4\textwidth}
|
|
\begin{minipage}{\textwidth}
|
|
\tiny
|
|
\begin{description}
|
|
\item[Game $\Game{FA}$: Forging an attest]~\\
|
|
1. $(\age, \omega) \drawfrom \N_{\Age-1}\times\Omega $\\
|
|
2. $(\commitment, \pruf) \leftarrow \Commit(\age, \omega) $\\
|
|
3. $(\minage, \attest) \leftarrow \Adv(\age, \commitment, \pruf)$\\
|
|
4. Return 0 if $\minage \leq \age$\\
|
|
5. Return $\Verify(\minage,\commitment,\attest)$\\
|
|
\vfill
|
|
\item[Requirement:]~\\
|
|
$\Forall_{\Adv}: \Probability\Big[\Game{FA} = 1\Big] \le \negl$
|
|
\end{description}
|
|
\end{minipage}
|
|
\column{0.7\textwidth}
|
|
Proof by reduction:
|
|
\pause
|
|
\small
|
|
\begin{enumerate}[<+->]
|
|
\item Adversary wins if $1 = \Verify(\minage,\commitment,\attest)$.
|
|
\item That means: $\sigma$ was a valid ECDSA-signature, validated with $q_m$.
|
|
\item But adversary does not have the private key $p_m$ to $q_m$.
|
|
\item[$\implies$] So winning this game would require to existentially forge
|
|
the signature, which is negligible.
|
|
\end{enumerate}
|
|
|
|
\end{columns}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Instantiation with Edx25519}
|
|
But... isn't ECDSA considered to be difficult to implement correctly?
|
|
|
|
\pause
|
|
We also formally define another signature scheme, Edx25519:\\[1em]
|
|
|
|
\begin{itemize}
|
|
\item based on EdDSA (Bernstein et al.),
|
|
\item generates compatible signatures,
|
|
\item allows for key derivation from both, private and public keys, independently and
|
|
\item is already in use in GNUnet.
|
|
\end{itemize}~\\[1em]
|
|
|
|
Current implementation of age restriction in GNU Taler uses Edx25519.
|
|
\end{frame}
|
|
|
|
|
|
% \begin{frame}{Instantiation with ECDSA}
|
|
% \framesubtitle{Full definitions}
|
|
% \scriptsize
|
|
%
|
|
% \begin{align*}
|
|
% \Commit_{E,\FDHg{\cdot}}(\age, \omega) &:= \Big\langle
|
|
% \overbrace{(q_1,\ldots,q_\Age)}^{= \Vcommitment},\;
|
|
% \overbrace{(p_1,\ldots,p_\age, \Nil,\ldots,\Nil)}^{= \Vpruf \text{, length }\Age}
|
|
% \Big\rangle\\
|
|
% \Attest_{E,\HashF}(\bage, \Vcommitment, \Vpruf) &:=
|
|
% \begin{cases}
|
|
% \attest_\bage := \Sign_{E,\HashF}\big(\bage,\Vpruf[\bage]\big) & \text{if } \Vpruf[\bage] \stackrel{?}{\neq} \Nil\\
|
|
% \Nil & \text{otherwise}
|
|
% \end{cases}\\
|
|
% %
|
|
% \Verify_{E,\HashF}(\bage, \Vcommitment, \attest) &:= \Ver_{E,\HashF}(\bage, \Vcommitment[\bage], \attest)\\
|
|
% %
|
|
% \Derive_{E, \FDHg{\cdot}}(\Vcommitment, \Vpruf, \omega) &:=
|
|
% \Big\langle(\beta * q_1,\ldots,\beta * q_\Age),
|
|
% (\beta p_1,\ldots,\beta p_\age,\Nil,\ldots,\Nil), \beta \Big\rangle \\
|
|
% & \text{ with } \beta := \FDHg{\omega} \text{ and multiplication } \beta p_i \text{ modulo } g \nonumber\\
|
|
% %
|
|
% \Compare_E(\Vcommitment, \Vcommitment', \beta) &:=
|
|
% \begin{cases}
|
|
% 1 & \text{if } (\beta * q_1, \ldots , \beta * q_\Age) \stackrel{?}{=} (q'_1,\ldots, q'_\Age)\\
|
|
% 0 & \text{otherwise}
|
|
% \end{cases}
|
|
% \end{align*}
|
|
% \end{frame}
|
|
|
|
\section{Integration with GNU Taler}
|
|
|
|
\begin{frame}{GNU Taler}{https://www.taler.net}
|
|
\label{fr:GnuTaler}
|
|
\begin{columns}
|
|
\column{4cm}
|
|
\fontsize{8pt}{9pt}\selectfont
|
|
\begin{tikzpicture}[scale=.55]
|
|
\node[circle,fill=black!10] at (3, 4) (Exchange) {$\Exchange$};
|
|
\node[circle,fill=black!10] at (0, 0) (Customer) {$\Customer$};
|
|
\node[circle,fill=black!10] at (6, 0) (Merchant) {$\Merchant$};
|
|
|
|
\draw[<->] (Customer) to [out=65,in=220] node[sloped,above] {\sf withdraw} (Exchange);
|
|
\draw[<->] (Customer) to [out=45,in=240] node[sloped,below] {\sf refresh} (Exchange);
|
|
\draw[<->] (Customer) to node[sloped, below] {\sf purchase} (Merchant);
|
|
\draw[<->] (Merchant) to node[sloped, above] {\sf deposit} (Exchange);
|
|
\end{tikzpicture}
|
|
\column{8cm}
|
|
\begin{itemize}
|
|
\item Protocol suite for online payment services
|
|
\item Based on Chaum's \hyperlink{fr:reminderBlindSignature}{blind signatures}
|
|
\item Taxable, efficient, free software
|
|
\item Allows for change and refund
|
|
\item Privacy preserving: anonymous and unlinkable payments
|
|
\end{itemize}
|
|
\end{columns}
|
|
|
|
\vfill
|
|
\uncover<2->{
|
|
\begin{itemize}
|
|
\item Coins are public-/private key-pairs $(C_p, c_s)$.
|
|
\item Exchange \hyperlink{fr:reminderBlindSignature}{blindly signs} $H(C_p)$ with denomination key $d_p$
|
|
\item Verification:
|
|
\begin{eqnarray*}
|
|
1 &\stackrel{?}{=}&
|
|
\mathsf{SigCheck}\big(H(C_p), D_p, \sigma_p\big)
|
|
\end{eqnarray*}
|
|
\scriptsize($D_p$ = public key of denomination and $\sigma_p$ = signature)
|
|
|
|
\end{itemize}
|
|
}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Integration with GNU Taler}{Binding age restriction to coins}
|
|
\label{fr:bindingToCoins}
|
|
|
|
To bind an age commitment $\commitment$ to a coin $C_p$, instead of
|
|
blindly signing \[ H(C_p), \]
|
|
$\Exchange$ now \hyperlink{fr:reminderBlindSignature}{blindly signs}
|
|
\[ H\left(C_p\parallel\orange{H(\commitment)}\right) \]
|
|
|
|
\vfill
|
|
Therefore, verfication of a coin now requires $H(\commitment)$, too:
|
|
\[
|
|
1 \stackrel{?}{=}
|
|
\mathsf{SigCheck}\big(H\left(C_p\parallel\orange{H(\commitment)}\right), D_p, \sigma_p\big)
|
|
\]
|
|
\vfill
|
|
\end{frame}
|
|
|
|
\begin{frame}{Integration with GNU Taler}
|
|
\framesubtitle{Integrated schemes}
|
|
\fontsize{8pt}{9pt}\selectfont
|
|
\begin{tikzpicture}[scale=.9]
|
|
\node[circle,minimum size=25pt,fill=black!15] at ( 0:0) (Client) {$\Child$};
|
|
\node[circle,minimum size=25pt,fill=black!15] at ( 60:5) (Exchange) {$\Exchange$};
|
|
\node[circle,minimum size=25pt,fill=black!15] at ( 0:5) (Merchant) {$\Merchant$};
|
|
\node[circle,minimum size=25pt,fill=blue!15] at (130:3) (Guardian) {$\Guardian$};
|
|
|
|
\draw[<->] (Guardian) to node[sloped,above,align=center]
|
|
{{\sf withdraw}\orange{, using}\\ $H(C_p\orange{\parallel H(\commitment)})$} (Exchange);
|
|
\draw[<->] (Client) to node[sloped,below,align=center]
|
|
{{\sf refresh} \orange{ + }\\ \orange{$\DeriveCompare$}} (Exchange);
|
|
\draw[<->] (Client) to node[sloped, below]
|
|
{{\sf purchase} \blue{+ $(\attest_\minage, \commitment)$}} (Merchant);
|
|
\draw[<->] (Merchant) to node[sloped, above]
|
|
{{\sf deposit} \orange{+ $H(\commitment)$}} (Exchange);
|
|
|
|
\draw[->] (Guardian) to [out=70,in=150, loop] node[above]
|
|
{$\Commit(\age)$} (Guardian);
|
|
\draw[->] (Guardian) to node[below,sloped]
|
|
{($\commitment$, $\pruf_\age$)} (Client);
|
|
\draw[->,blue] (Client) to [out=-50,in=-130, loop] node[below]
|
|
{\blue{$\Attest(\minage, \commitment, \pruf_{\age})$}} (Client);
|
|
\draw[->,blue] (Merchant) to [out=-50,in=-130, loop] node[below]
|
|
{\blue{$\Verify(\minage, \commitment, \attest_{\minage})$}} (Merchant);
|
|
\end{tikzpicture}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Age restriction in the wallet}
|
|
\centering \includegraphics[height=0.9\textheight]{images/wallet-age.png}
|
|
\end{frame}
|
|
|
|
% \include{gnu}
|
|
%
|
|
% \begin{frame}{Interested in GNU Taler?}
|
|
% We are looking for developers, testers, users!
|
|
%
|
|
% \begin{description}
|
|
% \item[Intro:] \url{https://taler.net}
|
|
% \item[Learn:] \url{https://docs.taler.net}
|
|
% \item[Develop:] \url{https://git.taler.net}, \url{https://bugs.taler.net}
|
|
% \end{description}
|
|
% \end{frame}
|
|
|
|
\section{Discussion \& Conclusion}
|
|
|
|
\begin{frame}{Discussion}
|
|
Technical Aspects and Challenges
|
|
\begin{itemize}[<+->]
|
|
\item Our solution can in principle be used with any token-based payment scheme
|
|
\item[] However, GNU Taler best aligned with our design goals
|
|
(security, privacy and efficiency).
|
|
|
|
\item Subsidiarity requires bank accounts being owned by adults.
|
|
\item[] However, scheme can be adapted
|
|
\begin{itemize}
|
|
\item Know-Your-Customer (KYC) provides age information
|
|
\item Parents can set age on a long-term wallet of a child
|
|
\item cut\&choose protocol \texttt{age-withdraw} implemented
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Discussion}
|
|
Legal aspects and applicability
|
|
\begin{itemize}[<+->]
|
|
\item The scheme only makes sense when cheating can be discouraged, f.e. economically
|
|
\item There will be limits where the scheme is considered acceptable.
|
|
\item Our scheme offers an alternative to identity management systems (IMS), where applicable
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Related Work}
|
|
\begin{itemize}
|
|
\item Current privacy-perserving systems all based on
|
|
attribute-based credentials (Koning et al.,
|
|
Schanzenbach et al., Camenisch et al., Au et al.)
|
|
|
|
\item Attribute-based approach lacks support:
|
|
\begin{itemize}
|
|
\item Complex for consumers and retailers
|
|
\item Requires trusted third authority
|
|
\end{itemize}
|
|
\vfill
|
|
\item Other approaches tie age-restriction to ability to pay ("debit cards for kids")
|
|
\begin{itemize}
|
|
\item Advantage: mandatory to payment process
|
|
\item Not privacy friendly
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Conclusion}
|
|
Age restriction is a technical, ethical and legal challenge.
|
|
|
|
\pause
|
|
Existing solutions are
|
|
\begin{itemize}
|
|
\item without strong protection of privacy or
|
|
\item based on identity management systems (IMS)
|
|
\end{itemize}
|
|
\vfill
|
|
|
|
\pause
|
|
Our scheme offers an option that
|
|
\begin{itemize}
|
|
\item aligns with subsidiarity
|
|
\item preserves privacy
|
|
\item is efficient
|
|
\item and an alternative to IMS
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{}
|
|
% \large
|
|
\begin{center}
|
|
{\Huge \textbf{Thank you!}}\\
|
|
Questions?
|
|
\end{center}
|
|
|
|
\begin{center}
|
|
\texttt{oec-taler@kesim.org}\\
|
|
\texttt{@oec@mathstodon.xyz}
|
|
\vfill
|
|
{Interested in GNU Taler?}
|
|
\begin{description}
|
|
\item[Intro:] \url{https://taler.net},
|
|
\item[Learn:] \url{https://docs.taler.net}
|
|
\item[Develop:] \url{https://git.taler.net}, \url{https://bugs.taler.net}
|
|
\item[Connect:] \url{https://ich.taler.net}
|
|
\item[NGI Taler:] \url{https://ngi.taler.net}
|
|
\end{description}
|
|
\end{center}
|
|
\end{frame}
|
|
|
|
\appendix
|
|
|
|
\begin{frame}{Taler Overview}
|
|
\hspace*{-3em}\includegraphics[width=\paperwidth]{images/taler-overview-blue.png}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Basic Requirements - Details}
|
|
\label{fr:detailedBasicRequirements}
|
|
{\scriptsize \it back to \hyperlink{fr:basicRequirements}{Basic Requirements}}
|
|
\begin{description}[<+->]
|
|
\item[Existence of attestations]
|
|
{\scriptsize
|
|
\begin{align*}
|
|
\Forall_{\age\in\N_\Age \atop \omega \in \Omega}:
|
|
\Commit(\age, \omega) =: (\commitment, \pruf)
|
|
\implies
|
|
\Attest(\minage, \commitment, \pruf) =
|
|
\begin{cases}
|
|
\attest \in \Attests, \text{ if } \minage \leq \age\\
|
|
\Nil \text{ otherwise}
|
|
\end{cases}
|
|
\end{align*}}
|
|
\item[Efficacy of attestations]
|
|
{\scriptsize
|
|
\begin{align*}
|
|
\Verify(\minage, \commitment, \attest) = \
|
|
\begin{cases}
|
|
1, \text{if } \Exists_{\pruf \in \Proofs}: \Attest(\minage, \commitment, \pruf) = \attest\\
|
|
0 \text{ otherwise}
|
|
\end{cases}
|
|
\end{align*}}
|
|
|
|
{\scriptsize
|
|
\begin{align*}
|
|
\forall_{n \leq \age}: \Verify\big(n, \commitment, \Attest(n, \commitment, \pruf)\big) = 1.
|
|
\end{align*}}
|
|
|
|
...
|
|
\item[Derivability of commitments and attestations]...
|
|
\end{description}
|
|
|
|
\pause
|
|
More details in the published paper.
|
|
\end{frame}
|
|
|
|
\begin{frame}{Reminder: RSA blind signature}
|
|
\label{fr:reminderBlindSignature}
|
|
\small
|
|
In RSA, a public key $(e, N)$ and private key $(d, N)$ have the property
|
|
\[ x^{ed} = x \mod N \]
|
|
|
|
\pause
|
|
Bob (B) creates a blind signature of a message $m$ for Alice (A):
|
|
\begin{itemize}[<+->]
|
|
\item[A:]
|
|
\begin{itemize}
|
|
\item chooses random integer $b$
|
|
\item calculates $m' := m*b^e$ {\hfill \scriptsize \textit{(blinding)}}
|
|
\item sends $m'$ to B.
|
|
\end{itemize}
|
|
\item[B:]
|
|
\begin{itemize}
|
|
\item signs $m'$, by calculating
|
|
$\sigma' := (m')^d \mod N$ {\hfill \scriptsize \textit{(B doesn't learn $m$)}}
|
|
\item sends $\sigma'$ to A.
|
|
\item[] \scriptsize Note: $(m')^d = (m*b^e)^d = m^d*b^{ed} = m^d*b \mod N$
|
|
\end{itemize}
|
|
\item[A:]\begin{itemize}
|
|
\item unblinds $\sigma'$ by calculating
|
|
\[ \sigma := \sigma'*b^{-1} (= m^d) \]
|
|
\item[$\implies$]$\sigma$ is a valid RSA signature to message $m$.
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\hfill \tiny back to \hyperlink{fr:GnuTaler}{\textit{taler}} or \hyperlink{fr:bindingToCoins}{\textit{binding}}
|
|
\end{frame}
|
|
|
|
%\begin{frame}{Requirements}
|
|
% \framesubtitle{Details}
|
|
%
|
|
% \begin{description}
|
|
% \item[Derivability of commitments and proofs:]~\\[0.1em]
|
|
% {\scriptsize
|
|
% Let \begin{align*}
|
|
% \age & \in\N_\Age,\,\, \omega_0, \omega_1 \in\Omega\\
|
|
% (\commitment_0, \pruf_0) & \leftarrow \Commit(\age, \omega_0),\\
|
|
% (\commitment_1, \pruf_1, \blinding) & \leftarrow \Derive(\commitment_0, \pruf_0, \omega_1).
|
|
% \end{align*}
|
|
% We require
|
|
% \begin{align*}
|
|
% \Compare(\commitment_0, \commitment_1, \blinding) = 1 \label{req:comparity}
|
|
% \end{align*}
|
|
% and for all $n\leq\age$:
|
|
% \begin{align*}
|
|
% \Verify(n, \commitment_1, \Attest(n, \commitment_1, \pruf_1)) &%
|
|
% =
|
|
% \Verify(n, \commitment_0, \Attest(n, \commitment_0, \pruf_0))
|
|
% \end{align*}}
|
|
% \end{description}
|
|
%\end{frame}
|
|
|
|
\end{document}
|