diff options
author | Özgür Kesim <oec-taler@kesim.org> | 2022-04-27 17:19:06 +0200 |
---|---|---|
committer | Özgür Kesim <oec-taler@kesim.org> | 2022-04-27 17:19:06 +0200 |
commit | 60084fa7e27bbd219cecbb3814783f817d71efee (patch) | |
tree | 04fe7e206f4b0daba586e5c7d7a0dc9ecc7c3d6b /design-documents | |
parent | 328996a53fecdbae0636a42e51c41138a2c7eae0 (diff) | |
download | docs-60084fa7e27bbd219cecbb3814783f817d71efee.tar.gz docs-60084fa7e27bbd219cecbb3814783f817d71efee.tar.bz2 docs-60084fa7e27bbd219cecbb3814783f817d71efee.zip |
-fixes in the description of reveal with age restriction
Diffstat (limited to 'design-documents')
-rw-r--r-- | design-documents/024-age-restriction.rst | 29 |
1 files changed, 17 insertions, 12 deletions
diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst index 6b97a451..c156842a 100644 --- a/design-documents/024-age-restriction.rst +++ b/design-documents/024-age-restriction.rst @@ -100,7 +100,7 @@ The main ideas are simple: SHA256 hash value of the age commitment (i.e. the M public keys) into the signature of the coin. So instead of signing :math:`\text{FDH}_N(C_p)` with the RSA private key of a denomination with support for age restriction, we - sign :math:`\text{FDH}_N(C_p, h_a)`. Here, :math:`C_p` is the Edx25519_ public + sign :math:`\text{FDH}_N(C_p, h_a)`. Here, :math:`C_p` is the EdDSA public key of a coin and :math:`h_a` is the hash of the age commitment. TODO: Summarize the design based on the five functions ``Commit()``, @@ -323,7 +323,7 @@ for the signature check is as before (borrowing notation from .. math:: \text{FDH}_N(C_p)\; \stackrel{?}{=}\; \left(\sigma_C\right)^{e} \;\;\text{mod}\,N -Here, :math:`C_p` is the Edx25519_ public key of a coin, :math:`\sigma_C` is its +Here, :math:`C_p` is the EdDSA public key of a coin, :math:`\sigma_C` is its signature and :math:`\langle e, N \rangle` is the RSA public key of the denomination. @@ -373,14 +373,19 @@ The existing `cut&choose protocol during the reveal phase </core/api-exchange.html#post--refreshes-$RCH-reveal>`__ is extended to perform the following additional computation and checks: -Using the κ-1 transfer secrets from the reveal request, the exchange derives -κ-1 age commitments from the ``old_age_commitment`` by calling -``Edx25519_derive_public(old_age_commitment, s_κ)`` from Edx25519_. Now -provided with a total κ age commitments, it can calculate the corresponding κ -age commitment hash values :math:`h_a` of those commitments. With those, it -can continue to perform the cut&choose protocol, i. e. calculate the disclosed -κ-1 coin's signatures :math:`\text{FDH}_N(C_p, h_a)` and finally compare the -hash over all κ signatures with the value given during the melt phase. +Using the κ-1 transfer secrets :math:`\tau_i` from the reveal request, the +exchange derives κ-1 age commitments from the ``old_age_commitment`` by calling +``Edx25519_derive_public()`` on each `Edx25519PublicKey` with :math:`\tau_i` as +the seed. It then calculates the corresponding κ-1 age commitment hash values +:math:`h_i` of those commitments. + +It then calculates the κ-1 blinded hashes +:math:`m_i = r^{e_i}\text{FDH}_N(C_p, h_i)` (using the notation from Florian's +thesis) of the disclosed coins and together with the :math:`m_\gamma` of the +undisclosed coin, calculates the hash +:math:`h'_m = H(m_i,\cdots,m_\gamma,\cdots,m_\kappa)` which is then used in the +final verification step of the cut&choose protocol. + Deposit ~~~~~~~ @@ -413,7 +418,7 @@ by evaluating .. math:: \text{FDH}_N(C_p, h_a)\; \stackrel{?}{=}\; \left(\sigma_C\right)^{e} \;\;\text{mod}N -Also again, :math:`C_p` is the Edx25519_ public key of a coin, :math:`\sigma_C` is +Also again, :math:`C_p` is the EdDSA public key of a coin, :math:`\sigma_C` is its signature, :math:`\langle e, N \rangle` is the RSA public key of the denomination and :math:`h_a` is the value from ``age_commitment_hash``. @@ -504,7 +509,7 @@ The merchant can now verify .. math:: \text{FDH}_N(C_p, h_a)\; \stackrel{?}{=}\; \left(\sigma_C\right)^{e} \;\;\text{mod}N - Again, :math:`C_p` is the Edx25519_ public key of a coin, :math:`\sigma_C` is + Again, :math:`C_p` is the EdDSA public key of a coin, :math:`\sigma_C` is its signature, :math:`\langle e, N \rangle` is the RSA public key of the denomination and :math:`h_a` is the SHA256 hash value of the vector in ``age_commitment``. |