author: Özgür Kesim <oec-taler@kesim.org> 2023-05-02 13:28:04 +0200
committer: Özgür Kesim <oec-taler@kesim.org> 2023-05-02 13:28:04 +0200
commit: 5cb0b3b593105ee4d806a8c756c78148bfd76466
tree: fc86cb8de5165ad83050cff080e7d2352e6502ce /design-documents
parent: 9361419fab13ccfd0cab340a8d6d986f76530250
download: docs-5cb0b3b593105ee4d806a8c756c78148bfd76466.tar.gz, docs-5cb0b3b593105ee4d806a8c756c78148bfd76466.tar.bz2, docs-5cb0b3b593105ee4d806a8c756c78148bfd76466.zip
protocol and schema change for age-withdraw
During the commitment for age-withdraw, the wallet now has to provide all n*kappa blinded hashes and n denom_pubs. This allows the exchange to immediately sign the chosen coins in the initial commit with the corresponding denomination key.
Diffstat (limited to 'design-documents')
design-documents/024-age-restriction.rst | 38
1 files changed, 21 insertions, 17 deletions
diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
index ec7edd69..50ea4705 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -332,33 +332,35 @@ for the withdrawal of one coin:
#. calculates :math:`f_i := \text{FDH}(C_i, H(\vec{Q}^i))` for :math:`i \in \{ 1,\ldots,\kappa \}`.
#. chooses random blindings :math:`\beta_i(.)` for :math:`i \in \{1,\ldots,\kappa\}`. The blinding functions depend on the cipher (RSA, CS).
- #. calculates :math:`F := \text{H}(\beta_1(f_1)||\ldots||\beta_\kappa(f_\kappa))`
- #. sends :math:`F` to the Exchange
+ #. sends :math:`(\beta_1(f_1),\ldots,\beta_\kappa(f_\kappa))` to the Exchange
- *Exchange*
- 7. receives and stores :math:`F`
+ 7. receives :math:`(b_1,\ldots,b_\kappa)`
+ #. calculates :math:`F := \text{H}(b_1||\ldots||b_\kappa)`
#. chooses randomly :math:`\gamma \in \{1,\ldots,\kappa\}` and
+ #. signs :math:`r := b_\gamma` resulting in signature :math:`\sigma_r`
+ #. stores :math:`F \mapsto (r, \sigma_r)`
#. sends :math:`\gamma` to the Wallet.
- *Wallet*
10. receives :math:`\gamma`
- #. sends to the Exchange the tuple :math:`\left(r_\gamma, \vec{\beta}, \vec{\vec{Q}}, \vec{\vec{S}}\right)` with
+ #. sends to the Exchange the tuple :math:`\left(F, \vec{\beta}, \vec{\vec{Q}}, \vec{\vec{S}}\right)` with
- - :math:`r_\gamma := \beta_\gamma(f_\gamma)`
- - :math:`\vec{\beta} := (\beta^1,\ldots,\beta^{\gamma-1},\bot,\beta^{\gamma+1},\ldots,\beta^\kappa)`
+ - :math:`F := \text{H}(\beta_1(f_1)||\ldots||\beta_\kappa(f_\kappa))`
+ - :math:`\vec{\beta} := (\beta_1,\ldots,\beta_{\gamma-1},\bot,\beta_{\gamma+1},\ldots,\beta_\kappa)`
- :math:`\vec{\vec{Q}} := (\vec{Q}^1,\ldots,\vec{Q}^{\gamma-1},\bot,\vec{Q}^{\gamma+1},\ldots,\vec{Q}^\kappa)`
- :math:`\vec{\vec{S}} := (\vec{S}^1,\ldots,\vec{S}^{\gamma-1},\bot,\vec{S}^{\gamma+1},\ldots,\vec{S}^\kappa)`
with :math:`\vec{S}^i := (s^i_j)`
- *Exchange*
- 12. receives :math:`\left(r, (\beta^i), (\vec{Q}^i), (\vec{B}^i) \right)`
- #. calculates :math:`g_i := \beta_i\left(\text{FDH}(\vec{Q}^i)\right)` for :math:`i \neq \gamma`
- #. compares :math:`F \overset{?}{=} \text{H}(g_1||\ldots||g_{\gamma - 1}||r||g_{\gamma+1}||\ldots||g_\kappa)` and bails out on inequality
+ 12. receives :math:`\left(F, (\beta_i), (\vec{Q}^i), (\vec{B}^i) \right)`
+ #. retrieves :math:`(r, \sigma_r)` from :math:`F` or bails out if not present
+ #. calculates :math:`b_i := \beta_i\left(\text{FDH}(\vec{Q}^i)\right)` for :math:`i \neq \gamma`
+ #. compares :math:`F \overset{?}{=} \text{H}(b_1||\ldots||b_{\gamma - 1}||r||b_{\gamma+1}||\ldots||b_\kappa)` and bails out on inequality
#. for each :math:`\vec{B}^i, i \neq \gamma`
i. calculates :math:`\tilde{\omega}^i_j := b^i_j * \Omega` for :math:`j \in \{a+1,\ldots,M\}`
#. compares each :math:`\tilde{\omega}^i_j` to :math:`q^i_j` from :math:`\vec{Q}^i = (q^i_1, \ldots, q^i_M)` and bails out on inequality
- #. signs :math:`r`
#. sends (blinded) signature :math:`\sigma_r` to Wallet
- *Wallet*
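Review bot: the explicit enumerators in the unchanged context lines are now stale: the Exchange's first list grows from three steps (7-9) to six (7-12: receives, calculates F, chooses γ, signs r, stores F ↦ (r, σ_r), sends γ), so the Wallet's list that still starts at "10." should start at 13 and the Exchange's reveal list that still starts at "12." should start at 15; please renumber, or switch those two to "#." as well. On the substance, the exchange now produces σ_r at commit time, before the reveal has been checked, so the "stores F ↦ (r, σ_r)" step should state that σ_r is kept server-side and only released after the comparison of F against H(b_1||…||r||…||b_κ) and the \tilde{\omega}^i_j checks pass, which the final "sends (blinded) signature σ_r" step implies but does not say. Two naming points in the same hunk: the newly introduced b_i (the blinded hashes received and recomputed by the exchange) collides with the pre-existing b^i_j used for the elements of \vec{B}^i in the "for each \vec{B}^i" step, and the reveal step still receives (\vec{B}^i) while the wallet sends \vec{\vec{S}} with \vec{S}^i := (s^i_j); pick one symbol for each. Finally, the commit message says the wallet also supplies n denomination public keys at commit time so the exchange can sign with the matching denomination key, but no denomination key appears anywhere in these steps; the "signs r := b_γ" step should name which key signs.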
@@ -372,11 +374,13 @@ accomodate for handling multiple coins at once -- thus multiplying the amount
of data by the amount of coins in question--, but all with the same value of
:math:`\gamma`.
-The *actual* implementation of the protocol above will have a major optimization
-to keep the bandwidth usage to a minimum. Instead of generating and sending
-the age commitment (array of public keys) and blindings for each coin, the
-wallet *MUST* derive the corresponding blindings and the age commitments from
-the coin's private key itself as follows:
+The *actual* implementation of the protocol above will have major optimizations
+to keep the bandwidth usage to a minimum and also ensure that a denomination in
+the commitment doesn't expire before the reveal.
+
+Instead of generating and sending the age commitment (array of public keys) and
+blindings for each coin, the wallet *MUST* derive the corresponding blindings
+and the age commitments from the coin's private key itself as follows:
Let
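Review bot: the added sentence claims the optimizations "ensure that a denomination in the commitment doesn't expire before the reveal" but the paragraph never explains how; per the commit message this is achieved by the wallet sending all n·κ blinded hashes and the n denomination public keys at commit time so the exchange signs the chosen coins immediately with the corresponding denomination key, and that mechanism should be spelled out here rather than left to the reader. The sentence also reads more naturally as "major optimizations: to keep bandwidth usage to a minimum, and to ensure that a denomination …". Unrelated to the changed lines but in the hunk header context: "accomodate" should be "accommodate".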
@@ -440,10 +444,10 @@ schema in the exchange is given here:
}
subgraph cluster_reveals {
- label=<<B>age_withdraw_reveals</B>>
+ label=<<B>age_withdraw_revealed_coins</B>>
margin=20
reveals [
- label="freshcoin_index\l|<comm>h_commitment\l|<denom>denominations_serial\l|coin_ev\l|h_coin_ev\l|ev_sig\l"
+ label="freshcoin_index\l|<comm>h_commitment\l|<denom>denominations_serial\l|h_blind_ev\l|denom_sig\l"
]
}
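Review bot: the renamed age_withdraw_revealed_coins record replaces coin_ev, h_coin_ev and ev_sig with h_blind_ev and denom_sig, but neither the figure nor the hunk says what h_blind_ev is a hash of; given the protocol change in this commit it should be documented as the hash of the blinded value b_i the wallet supplied at commit time (the one the exchange recomputes from β_i and \vec{Q}^i at reveal), and the text around the figure should say whether the σ_r created at commit time is what ends up in denom_sig here or lives in another table. The <comm> and <denom> port names are kept, so existing edges into reveals:comm and reveals:denom are unaffected.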