author: Özgür Kesim <> 2021-10-16 11:39:55 +0200
committer: Özgür Kesim <> 2021-10-16 11:39:55 +0200
commit: 6937cb37a02e238b1f8fe868784ca29780f51e32
parent: e170b87abc922175f3772a68270804e94338ab55
general ideas laid out, start reveal phase
1 files changed, 65 insertions, 6 deletions
diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
index ce6d562..7509d3d 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -62,11 +62,44 @@ to stick to that decision until the support for age restriction is disabled.
We might reconsider this design decision at some point.
-Building Blocks
+Main ideas and building blocks
+The main ideas are simple:
+#. The exchange defines and publishes M different *age groups* of increasing order:
+ :math:`0 < a_1 < \ldots < a_M` with :math:`a_i \in \mathbb{N}`.
+#. An **unrestricted** *age commitment* is defined as a vector of length M of
+ pairs of EdDSA public and private keys on Curve25519. In other words: one
+ key pair for each age group:
+ :math:`\bigl\langle (p_1, s_1), \ldots, (p_M, s_M) \bigr\rangle`
+#. A **restricted** *age commitment* **to age m** is derived from an unrestricted age
+ commitment by removing all private keys for indices larger than m:
+ :math:`\bigl\langle (p_1, s_1), \ldots, (p_m, s_m), \, (p_{m+1}, \perp), \ldots, (p_M, \perp )\bigr\rangle`
+#. An *age commitment* (without prefix) is just the vector of public keys:
+ :math:`\langle p_1, \ldots, p_M \rangle`. Note that from just the age
+ commitment one can not deduce if it was originated from an unrestricted or
+ restricted age commitment (and what age).
+#. An *attestation of age group k* is essentially the act of signing a message
+ with the private key for slot k, if the corresponding private key is
+ available in a restricted age commitment. (Unrestricted age commitments
+ can attest for any age group).
+#. An age commitment is *bound to a particular coin* by incorporating the
+ SHA512 hash value of the age commitment (i.e. the M public keys) into the
+ signature of the coin. So instead of using :math:`\text{FDH}_N(C_p)` (with
+ :math:`C_p` being the public key of the coin), we calculate
+ :math:`\text{FDH}_N(C_p, h_a)`, where :math:`h_a` is the
+ hash of the age commitment.
TODO: Summarize the design based on the five functions ``Commit()``,
-``Attest()``, ``Verify()``, ``Derive()``, ``Compare()``.
+``Attest()``, ``Verify()``, ``Derive()``, ``Compare()``, once the paper from
+Özgür and Christian is published.
Changes in the Exchange
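Review bot: Item 5 describes an attestation as "the act of signing a message" but never says which message is signed or who chooses it, so a reader cannot tell whether an attestation is tied to one transaction or could be reused; state the signed content explicitly. In item 6, "the SHA512 hash value of the age commitment (i.e. the M public keys)" needs the order and encoding of the keys spelled out so that every implementation computes the same h_a. The terminology also overlaps: items 2 and 3 use "age commitment" with a prefix for vectors of key pairs, while item 4 uses the bare term for the public keys only, so a distinct name for the key-pair vectors would avoid confusion.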
@@ -228,7 +261,8 @@ restriction). Therefore, in the ``/coins/$COIN_PUB/melt`` POST request, the
The responses to the POST request remain the same.
For denominations *without* support for age restriction, the calculation for
-the signature check is as before (borrowing notation from Florian's thesis):
+the signature check is as before (borrowing notation from
+`Florian's thesis <>`_):
.. math::
\text{FDH}(N_0, C_p^{(0)})\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0
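Review bot: On the added line the link target between the angle brackets is empty as shown here, and the work is identified by first name only ("Florian's thesis"); give the full author name and title next to the link so the source of the notation can still be found if the URL is missing or goes stale.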
@@ -238,7 +272,7 @@ hash value ``age_commitment_hash`` (abbreviated as h\ :sub:`a`) into account
when verifying the coin's signature:
.. math::
- \text{FDH}(N_0, C_p^{(0)}, h_a)\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0
+ \text{FDH}(N_0, \langle C_p^{(0)}, h_a \rangle )\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0
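Review bot: The new argument \langle C_p^{(0)}, h_a \rangle is not defined in the surrounding text; say whether it means concatenation of the fixed-length coin public key and the hash or some other encoding, since the FDH input has to be unambiguous. It also does not match item 6 of the main ideas in this same patch, which writes FDH_N(C_p, h_a) without the brackets, so one of the two notations should be aligned with the other.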
@@ -246,7 +280,32 @@ when verifying the coin's signature:
Refresh - reveal phase
-TODO: Extension of the cut'n-choose-protocol.
+During the reveal phase -- that is upon POST to ``/refreshes/$RCH/reveal`` --
+the client has to provide the original age commitment of the old coin (i.e. the
+vector of public keys), iff the corresponding denomination had support for age
+restriction. The size of the vector ist defined by the Exchange implictely as
+the amount of age groups defined in the field ``.age_groups`` of the
+.. ts:def:: RevealRequest
+ interface RevealRequest {
+ ...
+ // Iff the corresponding denomination has support for age restriction,
+ // the client MUST provide the original age commitment, i.e. the vector
+ // of public keys.
+ // The size of the vector ist defined by the Exchange implictely as the
+ // amount of age groups defined in the field ``.age_groups`` of the
+ // ``ExtensionAgeRestriction``.
+ old_age_commitment?: EddsaPublicKey[];
+ ...
+ }
+TODO: describe how the exchange derives the κ-1 other age-restriction vectors
+and compares them to the one in ``.old_age_commitment``.
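Review bot: The field is declared optional (``old_age_commitment?``) while the comment says the client MUST send it for age-restricted denominations, yet nothing here says how the exchange responds when the field is missing, is sent for a denomination without age restriction, or has a length other than the number of age groups; add those cases and their error responses. The prose paragraph also breaks off at "of the" before the ts:def directive as shown here, and "ist" and "implictely" should read "is" and "implicitly" in both the paragraph and the interface comment.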