-rw-r--r--core/api-common.rst1
-rw-r--r--core/api-exchange.rst27
-rw-r--r--design-documents/024-age-restriction.rst11
3 files changed, 24 insertions, 15 deletions
diff --git a/core/api-common.rst b/core/api-common.rst
index 8468cc3b..7ce43e92 100644
--- a/core/api-common.rst
+++ b/core/api-common.rst
@@ -633,6 +633,7 @@ uses 512-bit hash codes (64 bytes).
struct GNUNET_ShortHashCode hash;
};
+.. _BlindedCoinHash:
.. sourcecode:: c
struct TALER_BlindedCoinHash {
diff --git a/core/api-exchange.rst b/core/api-exchange.rst
index 968511b9..6868653a 100644
--- a/core/api-exchange.rst
+++ b/core/api-exchange.rst
@@ -2108,7 +2108,7 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request.
interface AgeWithdrawRequest {
// Commitment to the coins with age restriction. This is the SHA512
- // hash value $ACH over all n*kappa `TALER_CoinPubHashP` values of all
+ // hash value $ACH over all n*kappa `BlindedCoinHash` values of all
// coins and their age commitments. It is alter used as part of the URL
// in the subsequent call to /age-withdraw/$ACH/reveal.
age_restricted_coins_commitment: HashCode;
@@ -2135,7 +2135,7 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request.
// have to disclose
noreveal_index: Integer;
- // Signature of `TALER_WithdrawAgeRestrictedConfirmationPS` whereby
+ // Signature of `TALER_AgeWithdrawRequestPS` whereby
// the exchange confirms the ``noreveal_index``.
exchange_sig: EddsaSignature;
@@ -2183,9 +2183,9 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request.
``TALER_EC_EXCHANGE_GENERIC_MISMATCH_OF_AMOUNT_AND_DENOMINATIONS``.
- .. ts:def:: WithdrawRevealRequest
+ .. ts:def:: AgeWithdrawRevealRequest
- interface WithdrawRevealRequest {
+ interface AgeWithdrawRevealRequest {
// Array of ``n`` hash codes of denomination public keys to order.
// These denominations MUST support age restriction as defined in the
// output to /keys.
@@ -2207,19 +2207,22 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request.
.. ts:def:: DisclosedAgeRestrictedCoin
interface DisclosedAgeRestrictedCoin {
- // A coin's private key. The associated age commitment for this coin
- // MUST be derived from this private key as follows:
+ // A coin's private key. The associated blinding and age commitment for
+ // this coin MUST be derived from this private key as follows:
//
- // For age group $AG from 1 up to
- // <maximum age group as defined in the reserve>
- // (if they exist), set
+ // Calculate the blinding beta as
+ // beta := HKDF(coin_priv, "blinding")
+ //
+ // Let m ∈ {1,...,M} be the maximum age group as defined in the reserve
+ // that the wallet can commit to.
+ //
+ // For age group $AG ∈ {1,...m}, set
// seed = HDKF(coin_priv, "age-commitment", $AG)
// p[$AG] = Edx25519_generate_private(seed)
// and calculate the corresponding Edx25519PublicKey as
// q[$AG] = Edx25519_public_from_private(p[$AG])
//
- // For age groups $AG _larger_ than the maximum age group allowed
- // (if they exist), set
+ // For age groups $AG ∈ {m,...,M}, set
// f[$AG] = HDKF(coin_priv, "age-factor", $AG)
// and calculate the corresponding Edx25519PublicKey as
// q[$AG] = Edx25519_derive_public(`PublishedAgeRestrictionBaseKey`, f[$AG])
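Review bot: The two age-group ranges in the rewritten comment overlap at `m`: `$AG ∈ {1,...m}` derives q[$AG] from a private key, while `$AG ∈ {m,...,M}` derives it from the age factor and the published base key, so q[m] is specified twice with different results. The removed wording applied the second rule only to groups "_larger_ than the maximum age group", so the line presumably should read `// For age groups $AG ∈ {m+1,...,M}, set`. The rest of this comment (in the next hunk) has the exchange recompute the commitment from the disclosed `coin_priv`, so a wallet and an exchange that resolve the overlap differently would disagree on the commitment hash; an implementation that applies the second rule at `m` would also leave the wallet without a private key for its highest committed group. Separately, `HDKF` on the two derivation lines looks like a misspelling of the `HKDF` used in the new `beta := HKDF(coin_priv, "blinding")` line and could be aligned in the same change.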
@@ -2227,7 +2230,7 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request.
// Finally, with coin_priv and age commitment (q[]), the exchange
// will calculate the coin's public key coin_pub and use the
// TALER_CoinPubHashP(coin_pub, age_commitment_hash(q))
- // during the verification of the original age-withdraw-commitment
+ // during the verification of the original age-withdraw-commitment.
coin_priv: EddsaPrivateKey;
}
diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
index 996e5638..ae3874c0 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -374,13 +374,18 @@ of data by the amount of coins in question--, but all with the same value of
The *actual* implementation of the protocol above will have a major optimization
to keep the bandwidth usage to a minimum. Instead of generating and sending
-the age commitment (array of public keys) for each coin, the wallet *MUST*
-derive the corresponding age commitments from the coin's private key
-:math:`c_s` itself as follows:
+the age commitment (array of public keys) and blindings for each coin, the
+wallet *MUST* derive the corresponding blindings and the age commitments from
+the coin's private key :math:`c_s` itself as follows:
Let :math:`m \in \{1,\ldots,M\}` be the maximum age (according to the reserve)
that a wallet can commit to during the withdrawal.
+Calculate the blinding :math:`\beta` for the coin as
+
+.. math::
+ \beta &:= \text{HKDF}(c_s, \text{"blinding"})
+
For age group :math:`a \in \{1,\ldots,m\}`, set
.. math::