A Digital Wallet Implementation for Anonymous Cash Bachelors thesis - - PowerPoint PPT Presentation

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

A Digital Wallet Implementation for Anonymous Cash

Bachelor’s thesis Oliver R. Broome

November 25, 2015 Chair for Network Architectures and Services Department of Informatics Technische Universit¨ at M¨ unchen

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 1

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Motivation

Taler basics Protocol Why a (mobile) wallet?

Implementation

Planned features Actual progress Demonstration

Future work

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 2

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Taler - a quick refresher:

◮ Cryptographically-backed payment system ◮ Based on real currencies ◮ Anonymous (for customers) ◮ Income is auditable and taxable

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 3

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Terminology:

◮ Mint:

Holds reserves, signs coins and reimburses coin deposits

◮ Reserve:

A customer’s money, held by a mint

◮ Coin:

A cryptographic key pair, signed by a mint, taken from a reserve

◮ Denomination:

The value of a coin

◮ Deposit:

A customer-generated permission for a merchant to cash in a coin at a mint

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 4

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

How it works:

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 5

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Protocol - Reserves

◮ The wallet creates a EdDSA key pair ◮ the wallet owner transfers the desired amount of money to

the mint with the public key via a bank transfer

◮ once the mint registers the incoming funds, the customer

can withdraw coins from that reserve

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 6

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Protocol - Coin withdrawal Once the reserve is paid for, the wallet can withdraw coins from the reserve by doing the following:

◮ get the desired denomination key from the mint ◮ calculate the cost of the coin (including withdrawal fees) ◮ Create SHA-512 hashes of

◮ the new coin’s public key ◮ the new coin’s RSA denomination key ◮ the reserve’s public key

◮ blind the hashed coin key with an RSA blinding key ◮ sign the aforementioned data with a reserve’s private key ◮ send the generated data to the mint

The mint then answers with an RSA signature over the blinded coin key, which confirms the coin’s validity after being unblinded by the wallet.

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 7

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Protocol - Payment (contract) With the mint’s signature over the coin, we can now make payments:

◮ when wanting to purchase something, the customer

requests a contract from the merchant - this contains information such as the price and a description of the product or service

◮ this data is also hashed and signed with an EdDSA

signature

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 8

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Protocol - Payment (deposit) The wallet now specifies which coins are used for the payment and, for each coin, adds

◮ the paid amount and deposit fees ◮ public keys of the coin and denomination ◮ the signature obtained during coin withdrawal ◮ an EdDSA signature over these values and the contract

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 9

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Protocol - Refreshing Coins can be spent without using their full value. Using these ”dirty” coins would enable a merchant or a mint to link separate purchases.

◮ the new coins and their respective refreshing fees must be

less than or equal to the remaining value of the old coin

◮ the wallet sends several blinded and EcDHE-encrypted

coin ”candidates” for each desired new coin

◮ the mint then tells the wallet which of these candidates it

has to reveal (all but one of each set of candidates)

◮ the remaining coins can now be used

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 10

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

So, why do we need an Android wallet?

◮ It’s necessary for adoption ◮ Enables ”real-world” payments ◮ HypeTM (Bitcoin, Apple Pay, etc.)

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 11

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

A real-world example:

◮ A shop, caf´

e, etc offers a for-cash service or product

◮ instead of taking a cash payment, they offer a Taler QR

code, which contains the payment information

◮ you scan the code with your mobile phone ◮ the wallet displays the details of the transaction ◮ you confirm the purchase

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 12

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

What the wallet should do:

◮ Facilitate coin generation ◮ Secure coin storage ◮ Manage existing coins (Refreshing/Expiry) ◮ Enable payments to merchants

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 13

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

What components were used: The C libraries used in the wallet are:

◮ libgcrypt

(cryptographic primitives)

◮ GNUnet, wallet code

(basic cryptographic functionality)

◮ Taler mint, wallet code

(additional data structures and cryptography)

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 14

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

But... ... making native code accessible to an Android application is

• hard. You have these alternatives:

◮ Write the entire application in C(++) ◮ Re-write all necessary functionality in Java ◮ Google/Android recommends use of the Java Native

Interface (JNI)

◮ Use automatic interface code generation with Java Native

Access (JNA)

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 15

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Which leaves us with... ... Java Native Access.

◮ introduces a small performance penalty ◮ automatically analyses source code and creates bindings

to native libraries

◮ more resilient to API changes

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 16

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Where we are now: The wallet can, at the moment,

◮ generate the necessary information for creating reserves

with a mint

◮ withdraw coins from a reserve ◮ allow merchants to receive payments from withdrawn coins

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 17

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Demonstration

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 18

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Future work

◮ Coin refreshing ◮ Encryption of wallet data ◮ UI overhaul ◮ Automatic coin management ◮ further implementation details

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 19

Chair for Network Architectures and Services Technische Universit¨ at M¨ unchen

Thank you for your time and attention.

Oliver R. Broome – A Digital Wallet Implementation for Anonymous Cash 20