diff options
author | Özgür Kesim <oec-taler@kesim.org> | 2021-10-16 16:27:36 +0200 |
---|---|---|
committer | Özgür Kesim <oec-taler@kesim.org> | 2021-10-16 16:27:36 +0200 |
commit | beb9d6a804a6889f8a1f1de2932e237f5b2f7f8a (patch) | |
tree | b86287dedb79b73f2a9d8020857e18b102ec58a4 | |
parent | ac517b2833b5c3aa4e68719e2b4d9edd512be52f (diff) | |
download | docs-beb9d6a804a6889f8a1f1de2932e237f5b2f7f8a.tar.gz docs-beb9d6a804a6889f8a1f1de2932e237f5b2f7f8a.tar.bz2 docs-beb9d6a804a6889f8a1f1de2932e237f5b2f7f8a.zip |
be more specific at certain places
-rw-r--r-- | design-documents/024-age-restriction.rst | 49 |
1 files changed, 29 insertions, 20 deletions
diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst index d40b2671..725d172b 100644 --- a/design-documents/024-age-restriction.rst +++ b/design-documents/024-age-restriction.rst @@ -77,25 +77,26 @@ The main ideas are simple: #. A **restricted** *age commitment* **to age group m** is derived from an unrestricted age commitment by removing all private keys for indices larger than m: - :math:`\bigl\langle (p_1, s_1), \ldots, (p_m, s_m), \, (p_{m+1}, \perp), \ldots, (p_M, \perp )\bigr\rangle` + :math:`\bigl\langle (p_1, s_1), \ldots, (p_m, s_m), \, (p_{m+1}, \perp), + \ldots, (p_M, \perp )\bigr\rangle`. The act of restricting an unrestricted + age commitment is performed by the parent/ward. #. An *age commitment* (without prefix) is just the vector of public keys: - :math:`\langle p_1, \ldots, p_M \rangle`. Note that from just the age - commitment one can not deduce if it was originated from an unrestricted or - restricted age commitment (and what age). + :math:`\vec{Q} := \langle p_1, \ldots, p_M \rangle`. Note that from + just the age commitment one can not deduce if it was originated from an + unrestricted or restricted age commitment (and what age). -#. An *attestation of age group k* is essentially the act of signing a message +#. An *attestation of age group k* is essentially the signature to any message with the private key for slot k, if the corresponding private key is - available in a restricted age commitment. (Unrestricted age commitments - can attest for any age group). + available in a restricted age commitment. (Unrestricted age commitments can + attest for any age group). #. An age commitment is *bound to a particular coin* by incorporating the SHA512 hash value of the age commitment (i.e. the M public keys) into the - signature of the coin. So instead of using :math:`\text{FDH}_N(C_p)` (with - :math:`C_p` being the public key of the coin), we calculate - :math:`\text{FDH}_N(C_p, h_a)`, where :math:`h_a` is the - hash of the age commitment. - + signature of the coin. So instead of signing :math:`\text{FDH}_N(C_p)` with + the RSA private key of a denomination with support for age restriction, we + sign :math:`\text{FDH}_N(C_p, h_a)`. Here, :math:`C_p` is the EdDSA public + key of a coin and :math:`h_a` is the hash of the age commitment. TODO: Summarize the design based on the five functions ``Commit()``, ``Attest()``, ``Verify()``, ``Derive()``, ``Compare()``, once the paper from @@ -149,10 +150,9 @@ If age-restriction is registered as an extension under the name ``age_restriction.v1``, as described above, the root-object ``ExchangeKeysResponse`` in response to ``/keys`` MUST be extended by an additional field ``age_restricted_denoms``. This is an *additional* list of -denominations that must be used for during modified ``refresh`` and ``deposit`` +denominations that must be used during the modified ``refresh`` and ``deposit`` operations (see below). - The data structure for those denominations is the same as for the regular ones in ``ExchangeKeysResponse.denoms``. **However**, the following differences apply for each denomination in the list: @@ -204,6 +204,11 @@ changed since the given timestamp. SQL changes ----------- +The exchange has to mark denominations with support for age restriction as such +in the database. Also, during the melting phase of the refresh operation, the +exchange will have to persist the SHA512 hash of the age commitment of the +original coin. + The schema for the exchange is changed as follows: .. sourcecode:: sql @@ -260,19 +265,23 @@ restriction). Therefore, in the ``/coins/$COIN_PUB/melt`` POST request, the The responses to the POST request remain the same. -For denominations *without* support for age restriction, the calculation for -the signature check is as before (borrowing notation from +For normal denominations *without* support for age restriction, the calculation +for the signature check is as before (borrowing notation from `Florian's thesis <https://taler.net/papers/thesis-dold-phd-2019.pdf>`_): .. math:: - \text{FDH}(N_0, C_p^{(0)})\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0 + \text{FDH}_N(C_p)\; \stackrel{?}{=}\; \left(\sigma_C\right)^{e} \;\;\text{mod}\,N + +Here, :math:`C_p` is the EdDSA public key of a coin, :math:`\sigma_C` is its +signature and :math:`\langle e, N \rangle` is the RSA public key of the +denomination. -For denominations **with** support for age restriction, the exchange takes the -hash value ``age_commitment_hash`` (abbreviated as h\ :sub:`a`) into account +For denominations *with* support for age restriction, the exchange takes the +hash value ``age_commitment_hash`` (abbreviated as :math:`h_a`) into account when verifying the coin's signature: .. math:: - \text{FDH}(N_0, \langle C_p^{(0)}, h_a \rangle )\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0 + \text{FDH}_N(C_p, h_a)\; \stackrel{?}{=}\; \left(\sigma_C\right)^{e} \;\;\text{mod}N |