**diff options**

author | Özgür Kesim <oec-taler@kesim.org> | 2021-10-16 11:39:55 +0200 |
---|---|---|

committer | Özgür Kesim <oec-taler@kesim.org> | 2021-10-16 11:39:55 +0200 |

commit | 6937cb37a02e238b1f8fe868784ca29780f51e32 (patch) | |

tree | 763c8c09e2f72cd0c056b17abb4bcdc0a3d235be | |

parent | e170b87abc922175f3772a68270804e94338ab55 (diff) | |

download | docs-6937cb37a02e238b1f8fe868784ca29780f51e32.tar.gz docs-6937cb37a02e238b1f8fe868784ca29780f51e32.tar.bz2 docs-6937cb37a02e238b1f8fe868784ca29780f51e32.zip |

general ideas layed out, start reveal phase

-rw-r--r-- | design-documents/024-age-restriction.rst | 71 |

1 files changed, 65 insertions, 6 deletions

diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst index ce6d562..7509d3d 100644 --- a/design-documents/024-age-restriction.rst +++ b/design-documents/024-age-restriction.rst @@ -62,11 +62,44 @@ to stick to that decision until the support for age restriction is disabled. We might reconsider this design decision at some point. -Building Blocks -^^^^^^^^^^^^^^^ +Main ideas and building blocks +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The main ideas are simple: + +#. The exchange defines and publishes M different *age groups* of increasing order: + :math:`0 < a_1 < \ldots < a_M` with :math:`a_i \in \mathbb{N}`. + +#. An **unrestricted** *age commitment* is defined as a vector of length M of + pairs of EdDSA public and private keys on Curve25519. In other words: one + key pair for each age group: + :math:`\bigl\langle (p_1, s_1), \ldots, (p_M, s_M) \bigr\rangle` + +#. A **restricted** *age commitment* **to age m** is derived from an unrestricted age + commitment by removing all private keys for indices larger than m: + :math:`\bigl\langle (p_1, s_1), \ldots, (p_m, s_m), \, (p_{m+1}, \perp), \ldots, (p_M, \perp )\bigr\rangle` + +#. An *age commitment* (without prefix) is just the vector of public keys: + :math:`\langle p_1, \ldots, p_M \rangle`. Note that from just the age + commitment one can not deduce if it was originated from an unrestricted or + restricted age commitment (and what age). + +#. An *attestation of age group k* is essentially the act of signing a message + with the private key for slot k, if the corresponding private key is + available in a restricted age commitment. (Unrestricted age commitments + can attest for any age group). + +#. An age commitment is *bound to a particular coin* by incorporating the + SHA512 hash value of the age commitment (i.e. the M public keys) into the + signature of the coin. So instead of using :math:`\text{FDH}_N(C_p)` (with + :math:`C_p` being the public key of the coin), we calculate + :math:`\text{FDH}_N(C_p, h_a)`, where :math:`h_a` is the + hash of the age commitment. + TODO: Summarize the design based on the five functions ``Commit()``, -``Attest()``, ``Verify()``, ``Derive()``, ``Compare()``. +``Attest()``, ``Verify()``, ``Derive()``, ``Compare()``, once the paper from +Özgür and Christian is published. Changes in the Exchange @@ -228,7 +261,8 @@ restriction). Therefore, in the ``/coins/$COIN_PUB/melt`` POST request, the The responses to the POST request remain the same. For denominations *without* support for age restriction, the calculation for -the signature check is as before (borrowing notation from Florian's thesis): +the signature check is as before (borrowing notation from +`Florian's thesis <https://taler.net/papers/thesis-dold-phd-2019.pdf>`_): .. math:: \text{FDH}(N_0, C_p^{(0)})\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0 @@ -238,7 +272,7 @@ hash value ``age_commitment_hash`` (abbreviated as h\ :sub:`a`) into account when verifying the coin's signature: .. math:: - \text{FDH}(N_0, C_p^{(0)}, h_a)\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0 + \text{FDH}(N_0, \langle C_p^{(0)}, h_a \rangle )\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0 @@ -246,7 +280,32 @@ when verifying the coin's signature: Refresh - reveal phase ~~~~~~~~~~~~~~~~~~~~~~ -TODO: Extension of the cut'n-choose-protocol. +During the reveal phase -- that is upon POST to ``/refreshes/$RCH/reveal`` -- +the client has to provide the original age commitment of the old coin (i.e. the +vector of public keys), iff the corresponding denomination had support for age +restriction. The size of the vector ist defined by the Exchange implictely as +the amount of age groups defined in the field ``.age_groups`` of the +``ExtensionAgeRestriction``. + +.. ts:def:: RevealRequest + + interface RevealRequest { + ... + + // Iff the corresponding denomination has support for age restriction, + // the client MUST provide the original age commitment, i.e. the vector + // of public keys. + // The size of the vector ist defined by the Exchange implictely as the + // amount of age groups defined in the field ``.age_groups`` of the + // ``ExtensionAgeRestriction``. + old_age_commitment?: EddsaPublicKey[]; + + + ... + } + +TODO: describe how the exchange derives the κ-1 other age-restriction vectors +and compares them to the one in ``.old_age_commitment``. Deposit |