-fixes in the description of reveal with age restriction

1 files changed, 17 insertions, 12 deletions

diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
index 6b97a451..c156842a 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -100,7 +100,7 @@ The main ideas are simple:
    SHA256 hash value of the age commitment (i.e. the M public keys) into the
    signature of the coin.  So instead of signing :math:`\text{FDH}_N(C_p)` with
    the RSA private key of a denomination with support for age restriction, we
-   sign :math:`\text{FDH}_N(C_p, h_a)`.  Here, :math:`C_p` is the Edx25519_ public
+   sign :math:`\text{FDH}_N(C_p, h_a)`.  Here, :math:`C_p` is the EdDSA public
    key of a coin and :math:`h_a` is the hash of the age commitment.
 
 TODO: Summarize the design based on the five functions ``Commit()``,
@@ -323,7 +323,7 @@ for the signature check is as before (borrowing notation from
 .. math::
    \text{FDH}_N(C_p)\; \stackrel{?}{=}\; \left(\sigma_C\right)^{e} \;\;\text{mod}\,N
 
-Here, :math:`C_p` is the Edx25519_ public key of a coin, :math:`\sigma_C` is its
+Here, :math:`C_p` is the EdDSA public key of a coin, :math:`\sigma_C` is its
 signature and :math:`\langle e, N \rangle` is the RSA public key of the
 denomination.
 
@@ -373,14 +373,19 @@ The existing `cut&choose protocol during the reveal phase
 </core/api-exchange.html#post--refreshes-$RCH-reveal>`__ is extended to perform
 the following additional computation and checks:
 
-Using the κ-1 transfer secrets from the reveal request, the exchange derives
-κ-1 age commitments from the ``old_age_commitment`` by calling
-``Edx25519_derive_public(old_age_commitment, s_κ)`` from Edx25519_.  Now
-provided with a total κ age commitments, it can calculate the corresponding κ
-age commitment hash values :math:`h_a` of those commitments.  With those, it
-can continue to perform the cut&choose protocol, i. e. calculate the disclosed
-κ-1 coin's signatures :math:`\text{FDH}_N(C_p, h_a)` and finally compare the
-hash over all κ signatures with the value given during the melt phase.
+Using the κ-1 transfer secrets :math:`\tau_i` from the reveal request, the
+exchange derives κ-1 age commitments from the ``old_age_commitment`` by calling
+``Edx25519_derive_public()`` on each `Edx25519PublicKey` with :math:`\tau_i` as
+the seed. It then calculates the corresponding κ-1 age commitment hash values
+:math:`h_i` of those commitments.
+
+It then calculates the κ-1 blinded hashes 
+:math:`m_i = r^{e_i}\text{FDH}_N(C_p, h_i)` (using the notation from Florian's
+thesis) of the disclosed coins and together with the :math:`m_\gamma` of the
+undisclosed coin, calculates the hash
+:math:`h'_m = H(m_i,\cdots,m_\gamma,\cdots,m_\kappa)` which is then used in the
+final verification step of the cut&choose protocol.
+
 
 Deposit
 ~~~~~~~
@@ -413,7 +418,7 @@ by evaluating
 .. math::
    \text{FDH}_N(C_p, h_a)\; \stackrel{?}{=}\; \left(\sigma_C\right)^{e} \;\;\text{mod}N
 
-Also again, :math:`C_p` is the Edx25519_ public key of a coin, :math:`\sigma_C` is
+Also again, :math:`C_p` is the EdDSA public key of a coin, :math:`\sigma_C` is
 its signature, :math:`\langle e, N \rangle` is the RSA public key of the
 denomination and :math:`h_a` is the value from ``age_commitment_hash``.
 
@@ -504,7 +509,7 @@ The merchant can now verify
 
    .. math:: \text{FDH}_N(C_p, h_a)\; \stackrel{?}{=}\; \left(\sigma_C\right)^{e} \;\;\text{mod}N
 
-   Again, :math:`C_p` is the Edx25519_ public key of a coin, :math:`\sigma_C` is
+   Again, :math:`C_p` is the EdDSA public key of a coin, :math:`\sigma_C` is
    its signature, :math:`\langle e, N \rangle` is the RSA public key of the
    denomination and :math:`h_a` is the SHA256 hash value of the vector in
    ``age_commitment``.