diff options
authorÖzgür Kesim <>2023-01-11 17:27:06 +0100
committerÖzgür Kesim <>2023-01-11 17:27:06 +0100
commitd968732afb32da7b7ec1ea4c54e3fcced530e5f3 (patch)
parentbccd5efc461707d7c53937a890adaf3f722085dc (diff)
added description of how to derive cs-nonce from the coin_priv for withdraw-ageage-restriction
2 files changed, 18 insertions, 2 deletions
diff --git a/core/api-exchange.rst b/core/api-exchange.rst
index ab046350..db192e07 100644
--- a/core/api-exchange.rst
+++ b/core/api-exchange.rst
@@ -2190,6 +2190,10 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request.
.. ts:def:: AgeWithdrawRevealRequest
interface AgeWithdrawRevealRequest {
+ // The public key of the reserve that was used for the initial commitment
+ // request. Needed for optimized database lookup.
+ reserve_pub: EddsaPublicKey;
// Array of ``n`` hash codes of denomination public keys to order.
// These denominations MUST support age restriction as defined in the
// output to /keys.
@@ -2217,6 +2221,10 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request.
// Calculate the blinding beta as
// beta := HKDF(coin_priv, "blinding")
+ // If the denominations are for Clause-Schnorr-Signatures, calculate the
+ // nonce as
+ // nonce := HKDF(coin_priv, "cs-nonce")
+ //
// Let m ∈ {1,...,M} be the maximum age group as defined in the reserve
// that the wallet can commit to.
diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
index b9553432..5b6e091d 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -392,6 +392,13 @@ Then calculate the blinding :math:`\beta` for the coin as
.. math::
\beta &:= \text{HKDF}(c_s, \text{"blinding"})
+If the denomination is using Clause-Schnorr signatures, calculate the nonce
+:math:`n` for the coin as
+.. math::
+ n &:= \text{HKDF}(c_s, \text{"cs-nonce"})
For the age commitment, calculate:
@@ -414,8 +421,9 @@ the wallet can use the vector :math:`(p_1,\ldots,p_m,\bot,\ldots,\bot)` of
private keys for the attestation.
Provided with the private key :math:`c_s`, the exchange can therefore calculate
-the blinding :math:`\beta` and the age commitment :math:`\vec{q}` itself, along
-with the coin's public key :math:`C_p` and use the value of
+the blinding :math:`\beta`, the nonce :math:`n` (if needed) and the age
+commitment :math:`\vec{q}` itself, along with the coin's public key :math:`C_p`
+and use the value of
.. math::