general ideas layed out, start reveal phase

1 files changed, 65 insertions, 6 deletions

diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
index ce6d5629..7509d3d0 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -62,11 +62,44 @@ to stick to that decision until the support for age restriction is disabled.
 We might reconsider this design decision at some point.
 
 
-Building Blocks
-^^^^^^^^^^^^^^^
+Main ideas and building blocks
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The main ideas are simple:
+
+#. The exchange defines and publishes M different *age groups* of increasing order:
+   :math:`0 < a_1 < \ldots < a_M` with :math:`a_i \in \mathbb{N}`.
+
+#. An **unrestricted** *age commitment* is defined as a vector of length M of
+   pairs of EdDSA public and private keys on Curve25519. In other words: one
+   key pair for each age group:
+   :math:`\bigl\langle (p_1, s_1), \ldots, (p_M, s_M) \bigr\rangle`
+
+#. A **restricted** *age commitment* **to age m** is derived from an unrestricted age
+   commitment by removing all private keys for indices larger than m:
+   :math:`\bigl\langle (p_1, s_1), \ldots, (p_m, s_m), \, (p_{m+1}, \perp), \ldots, (p_M, \perp )\bigr\rangle`
+
+#. An *age commitment* (without prefix) is just the vector of public keys:
+   :math:`\langle p_1, \ldots, p_M \rangle`.  Note that from just the age
+   commitment one can not deduce if it was originated from an unrestricted or
+   restricted age commitment (and what age).
+
+#. An *attestation of age group k* is essentially the act of signing a message
+   with the private key for slot k, if the corresponding private key is
+   available in a restricted age commitment.  (Unrestricted age commitments
+   can attest for any age group).
+
+#. An age commitment is *bound to a particular coin* by incorporating the
+   SHA512 hash value of the age commitment (i.e. the M public keys) into the
+   signature of the coin.  So instead of using :math:`\text{FDH}_N(C_p)` (with
+   :math:`C_p` being the public key of the coin), we calculate 
+   :math:`\text{FDH}_N(C_p, h_a)`, where :math:`h_a` is the
+   hash of the age commitment.
+
 
 TODO: Summarize the design based on the five functions ``Commit()``,
-``Attest()``, ``Verify()``, ``Derive()``, ``Compare()``.
+``Attest()``, ``Verify()``, ``Derive()``, ``Compare()``, once the paper from
+Özgür and Christian is published.
 
 
 Changes in the Exchange
@@ -228,7 +261,8 @@ restriction).  Therefore, in the ``/coins/$COIN_PUB/melt`` POST request, the
 The responses to the POST request remain the same.
 
 For denominations *without* support for age restriction, the calculation for
-the signature check is as before (borrowing notation from Florian's thesis):
+the signature check is as before (borrowing notation from 
+`Florian's thesis <https://taler.net/papers/thesis-dold-phd-2019.pdf>`_):
 
 .. math::
    \text{FDH}(N_0, C_p^{(0)})\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0
@@ -238,7 +272,7 @@ hash value ``age_commitment_hash`` (abbreviated as h\ :sub:`a`) into account
 when verifying the coin's signature:
 
 .. math::
-   \text{FDH}(N_0, C_p^{(0)}, h_a)\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0
+   \text{FDH}(N_0, \langle C_p^{(0)}, h_a \rangle )\; \stackrel{?}{=}\; \left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0
 
 
 
@@ -246,7 +280,32 @@ when verifying the coin's signature:
 Refresh - reveal phase
 ~~~~~~~~~~~~~~~~~~~~~~
 
-TODO: Extension of the cut'n-choose-protocol.
+During the reveal phase -- that is upon POST to ``/refreshes/$RCH/reveal`` --
+the client has to provide the original age commitment of the old coin (i.e. the
+vector of public keys), iff the corresponding denomination had support for age
+restriction.  The size of the vector ist defined by the Exchange implictely as
+the amount of age groups defined in the field ``.age_groups`` of the
+``ExtensionAgeRestriction``.
+
+.. ts:def:: RevealRequest
+   
+   interface RevealRequest {
+      ...
+
+      // Iff the corresponding denomination has support for age restriction,
+      // the client MUST provide the original age commitment, i.e. the vector
+      // of public keys.
+      // The size of the vector ist defined by the Exchange implictely as the
+      // amount of age groups defined in the field ``.age_groups`` of the
+      // ``ExtensionAgeRestriction``.
+      old_age_commitment?: EddsaPublicKey[];
+
+      
+      ...
+   }
+
+TODO: describe how the exchange derives the κ-1 other age-restriction vectors
+and compares them to the one in ``.old_age_commitment``.
 
 
 Deposit