summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorÖzgür Kesim <oec-taler@kesim.org>2021-10-16 11:39:55 +0200
committerÖzgür Kesim <oec-taler@kesim.org>2021-10-16 11:39:55 +0200
commit6937cb37a02e238b1f8fe868784ca29780f51e32 (patch)
tree763c8c09e2f72cd0c056b17abb4bcdc0a3d235be
parente170b87abc922175f3772a68270804e94338ab55 (diff)
downloaddocs-6937cb37a02e238b1f8fe868784ca29780f51e32.tar.gz
docs-6937cb37a02e238b1f8fe868784ca29780f51e32.tar.bz2
docs-6937cb37a02e238b1f8fe868784ca29780f51e32.zip
general ideas layed out, start reveal phase
-rw-r--r--design-documents/024-age-restriction.rst71
1 files changed, 65 insertions, 6 deletions
diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
index ce6d562..7509d3d 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -62,11 +62,44 @@ to stick to that decision until the support for age restriction is disabled.
We might reconsider this design decision at some point.
-Building Blocks
-^^^^^^^^^^^^^^^
+Main ideas and building blocks
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The main ideas are simple:
+
+#. The exchange defines and publishes M different *age groups* of increasing order:
+ :math:`0 < a_1 < \ldots < a_M` with :math:`a_i \in \mathbb{N}`.
+
+#. An **unrestricted** *age commitment* is defined as a vector of length M of
+ pairs of EdDSA public and private keys on Curve25519. In other words: one
+ key pair for each age group:
+ :math:`\bigl\langle (p_1, s_1), \ldots, (p_M, s_M) \bigr\rangle`
+
+#. A **restricted** *age commitment* **to age m** is derived from an unrestricted age
+ commitment by removing all private keys for indices larger than m:
+ :math:`\bigl\langle (p_1, s_1), \ldots, (p_m, s_m), \, (p_{m+1}, \perp), \ldots, (p_M, \perp )\bigr\rangle`
+
+#. An *age commitment* (without prefix) is just the vector of public keys:
+ :math:`\langle p_1, \ldots, p_M \rangle`. Note that from just the age
+ commitment one can not deduce if it was originated from an unrestricted or
+ restricted age commitment (and what age).
+
+#. An *attestation of age group k* is essentially the act of signing a message
+ with the private key for slot k, if the corresponding private key is
+ available in a restricted age commitment. (Unrestricted age commitments
+ can attest for any age group).
+
+#. An age commitment is *bound to a particular coin* by incorporating the
+ SHA512 hash value of the age commitment (i.e. the M public keys) into the
+ signature of the coin. So instead of using :math:`\text{FDH}_N(C_p)` (with
+ :math:`C_p` being the public key of the coin), we calculate
+ :math:`\text{FDH}_N(C_p, h_a)`, where :math:`h_a` is the
+ hash of the age commitment.
+
TODO: Summarize the design based on the five functions ``Commit()``,
-``Attest()``, ``Verify()``, ``Derive()``, ``Compare()``.
+``Attest()``, ``Verify()``, ``Derive()``, ``Compare()``, once the paper from
+Özgür and Christian is published.
Changes in the Exchange
@@ -228,7 +261,8 @@ restriction). Therefore, in the ``/coins/$COIN_PUB/melt`` POST request, the
The responses to the POST request remain the same.
For denominations *without* support for age restriction, the calculation for
-the signature check is as before (borrowing notation from Florian's thesis):
+the signature check is as before (borrowing notation from
+`Florian's thesis <https://taler.net/papers/thesis-dold-phd-2019.pdf>`_):
.. math::
\text{FDH}(N_0, C_p^{(0)})\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0
@@ -238,7 +272,7 @@ hash value ``age_commitment_hash`` (abbreviated as h\ :sub:`a`) into account
when verifying the coin's signature:
.. math::
- \text{FDH}(N_0, C_p^{(0)}, h_a)\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0
+ \text{FDH}(N_0, \langle C_p^{(0)}, h_a \rangle )\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0
@@ -246,7 +280,32 @@ when verifying the coin's signature:
Refresh - reveal phase
~~~~~~~~~~~~~~~~~~~~~~
-TODO: Extension of the cut'n-choose-protocol.
+During the reveal phase -- that is upon POST to ``/refreshes/$RCH/reveal`` --
+the client has to provide the original age commitment of the old coin (i.e. the
+vector of public keys), iff the corresponding denomination had support for age
+restriction. The size of the vector ist defined by the Exchange implictely as
+the amount of age groups defined in the field ``.age_groups`` of the
+``ExtensionAgeRestriction``.
+
+.. ts:def:: RevealRequest
+
+ interface RevealRequest {
+ ...
+
+ // Iff the corresponding denomination has support for age restriction,
+ // the client MUST provide the original age commitment, i.e. the vector
+ // of public keys.
+ // The size of the vector ist defined by the Exchange implictely as the
+ // amount of age groups defined in the field ``.age_groups`` of the
+ // ``ExtensionAgeRestriction``.
+ old_age_commitment?: EddsaPublicKey[];
+
+
+ ...
+ }
+
+TODO: describe how the exchange derives the κ-1 other age-restriction vectors
+and compares them to the one in ``.old_age_commitment``.
Deposit