authorÖzgür Kesim <oec-taler@kesim.org>2023-05-02 13:28:04 +0200
committerÖzgür Kesim <oec-taler@kesim.org>2023-05-02 13:28:04 +0200
commit5cb0b3b593105ee4d806a8c756c78148bfd76466 (patch)
treefc86cb8de5165ad83050cff080e7d2352e6502ce
parent9361419fab13ccfd0cab340a8d6d986f76530250 (diff)
protocol and schema change for age-withdraw
During the commitment for age-withdraw, the wallet now has to provide all n*kappa blinded hashes and n denom_pubs. This allows the exchange to immediately sign the chosen coins in the initial commit with the corresponding denomination key.
-rw-r--r--core/api-exchange.rst49
-rw-r--r--design-documents/024-age-restriction.rst38
2 files changed, 38 insertions, 49 deletions
diff --git a/core/api-exchange.rst b/core/api-exchange.rst
index 8d1701d4..b09dadfa 100644
--- a/core/api-exchange.rst
+++ b/core/api-exchange.rst
@@ -2428,20 +2428,21 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request.
.. ts:def:: AgeWithdrawRequest
interface AgeWithdrawRequest {
- // Commitment to the coins with age restriction. This is the SHA512
- // hash value $ACH over all n*kappa `BlindedCoinHash` values of all
- // coins and their age commitments. It is alter used as part of the URL
- // in the subsequent call to /age-withdraw/$ACH/reveal.
- h_commitment : HashCode;
-
- // The total amount that the client wants to withdraw from the reserve
- // and must be at most the balance of the reserve. The balance of the
- // reserve will be immediatley reduced by that amount.
- // In the subsequent call to /age-withdraw/$ACH/reveal, the client has to
- // provide the list of denominations (with support for age restriction)
- // that the coins shall be signed with. The sum of the values of those
- // denominations MUST equal this amount.
- amount: Amount;
+ // Array of ``n`` hash codes of denomination public keys to order.
+ // These denominations MUST support age restriction as defined in the
+ // output to /keys.
+ // The sum of all denomination's values plus fees MUST be at most the
+ // balance of the reserve. The balance of the reserve will be
+ // immediatley reduced by that amount.
+ denoms_h: HashCode[];
+
+ // ``n`` arrays of ``kappa`` entries with blinded coin envelopes. Each
+ // (toplevel) entry represents ``kappa`` canditates for a particular
+ // coin. The exchange will respond with an index ``gamma``, which is
+ // the index that shall remain undisclosed during the reveal phase.
+ // The SHA512 hash $ACH over the blinded coin envelopes is the commitment
+ // that is later used as the key to the reveal-URL.
+ blinded_coins_evs: CoinEnvelope[][];
// The maximum age to commit to. MUST be the same as the maximum
// age in the reserve.
@@ -2515,26 +2516,10 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request.
// request. Needed for optimized database lookup.
reserve_pub: EddsaPublicKey;
- // Array of ``n`` hash codes of denomination public keys to order.
- // These denominations MUST support age restriction as defined in the
- // output to /keys.
- // The sum of all denomination's values MUST equal the original amount
- // of the previous commitment.
- denoms_h: HashCode[];
-
- // Array of ``n`` entries with blinded coins, which are the non-desclosed
- // coins in the previous commitment. They match the respective entries
- // in ``denoms_h``.
- coin_evs: CoinEnvelope[];
-
- // Array of ``n`` of ``(kappa - 1)`` disclosed coin secrets, from
+ // Array of ``n`` of ``(kappa - 1)`` disclosed coin master secrets, from
// which the coins' private key ``coin_priv``, blinding ``beta`` and nonce
// ``nonce`` (for Clause-Schnorr) itself are derived as usually in wallet
- // core.
- // (TODO: description of the derivation process of the coin's private
- // key, blinding and nonce).
- //
- // Given a coin's secret, the age commitment for the coin MUST be
+ // core. Given a coin's secret, the age commitment for the coin MUST be
// derived from this private key as follows:
//
// Let m ∈ {1,...,M} be the maximum age group as defined in the reserve
diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
index ec7edd69..50ea4705 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -332,33 +332,35 @@ for the withdrawal of one coin:
#. calculates :math:`f_i := \text{FDH}(C_i, H(\vec{Q}^i))` for :math:`i \in \{ 1,\ldots,\kappa \}`.
#. chooses random blindings :math:`\beta_i(.)` for :math:`i \in \{1,\ldots,\kappa\}`. The blinding functions depend on the cipher (RSA, CS).
- #. calculates :math:`F := \text{H}(\beta_1(f_1)||\ldots||\beta_\kappa(f_\kappa))`
- #. sends :math:`F` to the Exchange
+ #. sends :math:`(\beta_1(f_1),\ldots,\beta_\kappa(f_\kappa))` to the Exchange
- *Exchange*
- 7. receives and stores :math:`F`
+ 7. receives :math:`(b_1,\ldots,b_\kappa)`
+ #. calculates :math:`F := \text{H}(b_1||\ldots||b_\kappa)`
#. chooses randomly :math:`\gamma \in \{1,\ldots,\kappa\}` and
+ #. signs :math:`r := b_\gamma` resulting in signature :math:`\sigma_r`
+ #. stores :math:`F \mapsto (r, \sigma_r)`
#. sends :math:`\gamma` to the Wallet.
- *Wallet*
10. receives :math:`\gamma`
- #. sends to the Exchange the tuple :math:`\left(r_\gamma, \vec{\beta}, \vec{\vec{Q}}, \vec{\vec{S}}\right)` with
+ #. sends to the Exchange the tuple :math:`\left(F, \vec{\beta}, \vec{\vec{Q}}, \vec{\vec{S}}\right)` with
- - :math:`r_\gamma := \beta_\gamma(f_\gamma)`
- - :math:`\vec{\beta} := (\beta^1,\ldots,\beta^{\gamma-1},\bot,\beta^{\gamma+1},\ldots,\beta^\kappa)`
+ - :math:`F := \text{H}(\beta_1(f_1)||\ldots||\beta_\kappa(f_\kappa))`
+ - :math:`\vec{\beta} := (\beta_1,\ldots,\beta_{\gamma-1},\bot,\beta_{\gamma+1},\ldots,\beta_\kappa)`
- :math:`\vec{\vec{Q}} := (\vec{Q}^1,\ldots,\vec{Q}^{\gamma-1},\bot,\vec{Q}^{\gamma+1},\ldots,\vec{Q}^\kappa)`
- :math:`\vec{\vec{S}} := (\vec{S}^1,\ldots,\vec{S}^{\gamma-1},\bot,\vec{S}^{\gamma+1},\ldots,\vec{S}^\kappa)`
with :math:`\vec{S}^i := (s^i_j)`
- *Exchange*
- 12. receives :math:`\left(r, (\beta^i), (\vec{Q}^i), (\vec{B}^i) \right)`
- #. calculates :math:`g_i := \beta_i\left(\text{FDH}(\vec{Q}^i)\right)` for :math:`i \neq \gamma`
- #. compares :math:`F \overset{?}{=} \text{H}(g_1||\ldots||g_{\gamma - 1}||r||g_{\gamma+1}||\ldots||g_\kappa)` and bails out on inequality
+ 12. receives :math:`\left(F, (\beta_i), (\vec{Q}^i), (\vec{B}^i) \right)`
+ #. retrieves :math:`(r, \sigma_r)` from :math:`F` or bails out if not present
+ #. calculates :math:`b_i := \beta_i\left(\text{FDH}(\vec{Q}^i)\right)` for :math:`i \neq \gamma`
+ #. compares :math:`F \overset{?}{=} \text{H}(b_1||\ldots||b_{\gamma - 1}||r||b_{\gamma+1}||\ldots||b_\kappa)` and bails out on inequality
#. for each :math:`\vec{B}^i, i \neq \gamma`
i. calculates :math:`\tilde{\omega}^i_j := b^i_j * \Omega` for :math:`j \in \{a+1,\ldots,M\}`
#. compares each :math:`\tilde{\omega}^i_j` to :math:`q^i_j` from :math:`\vec{Q}^i = (q^i_1, \ldots, q^i_M)` and bails out on inequality
- #. signs :math:`r`
#. sends (blinded) signature :math:`\sigma_r` to Wallet
- *Wallet*
@@ -372,11 +374,13 @@ accomodate for handling multiple coins at once -- thus multiplying the amount
of data by the amount of coins in question--, but all with the same value of
:math:`\gamma`.
-The *actual* implementation of the protocol above will have a major optimization
-to keep the bandwidth usage to a minimum. Instead of generating and sending
-the age commitment (array of public keys) and blindings for each coin, the
-wallet *MUST* derive the corresponding blindings and the age commitments from
-the coin's private key itself as follows:
+The *actual* implementation of the protocol above will have major optimizations
+to keep the bandwidth usage to a minimum and also ensure that a denomination in
+the commitment doesn't expire before the reveal.
+
+Instead of generating and sending the age commitment (array of public keys) and
+blindings for each coin, the wallet *MUST* derive the corresponding blindings
+and the age commitments from the coin's private key itself as follows:
Let
@@ -440,10 +444,10 @@ schema in the exchange is given here:
}
subgraph cluster_reveals {
- label=<<B>age_withdraw_reveals</B>>
+ label=<<B>age_withdraw_revealed_coins</B>>
margin=20
reveals [
- label="freshcoin_index\l|<comm>h_commitment\l|<denom>denominations_serial\l|coin_ev\l|h_coin_ev\l|ev_sig\l"
+ label="freshcoin_index\l|<comm>h_commitment\l|<denom>denominations_serial\l|h_blind_ev\l|denom_sig\l"
]
}