1 files changed, 196 insertions, 44 deletions
diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
index 6b1004fc..0445aa6d 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -1,5 +1,5 @@
-DD24: Anonymous Age Restriction Extension for GNU Taler
-#######################################################
+DD 24: Anonymous Age Restriction Extension
+##########################################
 
 Summary
 =======
@@ -29,8 +29,6 @@ optional feature that can be switched on by the exchange operator.
 Requirements
 ============
 
-TODO
-
 * legal requirements for merchants must allow for this kind of mechanism
 
 
@@ -55,7 +53,9 @@ protocol, that gives the minor/ward a 1/κ chance to raise the minimum age for
 the new coin).
 
 The proposed solution maintains the guarantees of GNU Taler with respect to
-anonymity and unlinkability. (TODO: refer to the paper, once published)
+anonymity and unlinkability.  We have published a paper
+`Zero Knowledge Age Restriction for GNU Taler <https://link.springer.com/chapter/10.1007/978-3-031-17140-6_6>`_
+with the details.
 
 ¹) Once the feature is enabled and the age groups are defined, the exchange has
 to stick to that decision until the support for age restriction is disabled.
@@ -65,31 +65,32 @@ We might reconsider this design decision at some point.
 Main ideas and building blocks
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-The main ideas are simple:
+The main ideas are as follows:
 
 #. The exchange defines and publishes M+1 different *age groups* of increasing
    order: :math:`0 < a_1 < \ldots < a_M` with :math:`a_i \in \mathbb{N}`.  The
    zeroth age group is :math:`\{0,\ldots,a_1-1\}`.
 
-#. An **unrestricted** *age commitment* is defined as a vector of length M of
+#. An **unrestricted age commitment** is defined as a vector of length M of
    pairs of Edx25519_ public and private keys on Curve25519. In other words: one
-   key pair for each age group after the zeroth:
-   :math:`\bigl\langle (p_1, s_1), \ldots, (p_M, s_M) \bigr\rangle`
+   key pair for each age group after the zeroth: :math:`\bigl\langle (q_1,
+   p_1), \ldots, (q_M, p_M) \bigr\rangle`.  Here, :math:`q_i` are the public keys
+   (mnemonic: **q-mitments**), :math:`p_i` are the private keys.
 
-#. A **restricted** *age commitment* **to age group m** (or m-th age group) is
-   derived from an unrestricted age commitment by removing all private keys for
-   indices larger than m: :math:`\bigl\langle (p_1, s_1), \ldots, (p_m, s_m),
-   \, (p_{m+1}, \perp), \ldots, (p_M, \perp )\bigr\rangle`.
-   F.e. if *none* of the private keys is provided, the age commitment would be
-   restricted to the zeroth age group.
+#. A **restricted age commitment** *to age group m* is derived from an
+   unrestricted age commitment by removing all private keys for
+   indices larger than m: :math:`\bigl\langle (q_1, p_1), \ldots, (q_m, p_m),
+   \, (q_{m+1}, \perp), \ldots, (q_M, \perp )\bigr\rangle`.  F.e. if *none* of
+   the private keys is provided, the age commitment would be restricted to the
+   zeroth age group.
 
 #. The act of restricting an unrestricted age commitment is performed by the
    parent/ward.
 
 #. An *age commitment* (without prefix) is just the vector of public keys:
-   :math:`\vec{Q} := \langle p_1, \ldots, p_M \rangle`.  Note that from
-   just the age commitment one can not deduce if it was originated from an
-   unrestricted or restricted age commitment (and what age).
+   :math:`\vec{Q} := \langle q_1, \ldots, q_M \rangle`.  Note that from
+   just the age commitment one can not deduce if it originated from an
+   unrestricted or restricted one (and what age).
 
 #. An *attestation of age group k* is essentially the signature to any message
    with the private key for slot k, if the corresponding private key is
@@ -100,8 +101,13 @@ The main ideas are simple:
    SHA256 hash value of the age commitment (i.e. the M public keys) into the
    signature of the coin.  So instead of signing :math:`\text{FDH}_N(C_p)` with
    the RSA private key of a denomination with support for age restriction, we
-   sign :math:`\text{FDH}_N(C_p, h_a)`.  Here, :math:`C_p` is the EdDSA public
-   key of a coin and :math:`h_a` is the hash of the age commitment.
+   sign :math:`\text{FDH}_N(C_p, h_Q)`.  Here, :math:`C_p` is the EdDSA public
+   key of a coin and :math:`h_Q` is the hash of the age commitment :math:`\vec{Q}`.
+   **Note:** A coin with age restriction can only be validated when both, the
+   public key of the coin itself **and** the hash of the age commitment, are
+   present.  This needs to be supported in each subsystem: Exchange, Wallet and
+   Merchant.
+
 
 TODO: Summarize the design based on the five functions ``Commit()``,
 ``Attest()``, ``Verify()``, ``Derive()``, ``Compare()``, once the paper from
@@ -151,7 +157,7 @@ registering the extension ``age_restriction`` with a value type
    interface ConfigAgeRestriction {
       // The age groups.  This field is mandatory and binding in the sense
       // that its value is taken into consideration when signing the
-      // denominations in `ExchangeKeysResponse`.``age_restricted_denoms``.
+      // age restricted denominations in the `ExchangeKeysResponse`
       age_groups: AgeGroups;
    }
 
@@ -193,12 +199,11 @@ in ``ExchangeKeysResponse.age_restricted_denoms``.
 Age restricted denominations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-If age-restriction is registered as an extension under the name
-``age_restriction``, as described above, the root-object
-``ExchangeKeysResponse`` in response to ``/keys`` MUST be extended by an
-additional field ``age_restricted_denoms``.  This is an *additional* list of
-denominations that must be used during the modified ``refresh`` and ``deposit``
-operations (see below).
+If age-restriction is registered as extension ``age_restriction``, as described
+above, the root-object ``ExchangeKeysResponse`` in response to ``/keys`` MUST
+be extended by an additional field ``age_restricted_denoms``.  This is an
+*additional* list of denominations that must be used during the modified
+``refresh`` and ``deposit`` operations (see below).
 
 The data structure for those denominations is the same as for the regular ones
 in ``ExchangeKeysResponse.denoms``.  **However**, the following differences
@@ -242,13 +247,13 @@ changed since the given timestamp.
    // Similar as for ``.denoms``, if the query parameter ``last_issue_date``
    // was provided by the client, the exchange will only return the keys that
    // have changed since the given timestamp.
-   age_restricted_denoms: Denom[];
+   age_restricted_denoms: DenomCommon[];
 
    //...
    }
 
 
-SQL changes
+SQL schema
 -----------
 
 The exchange has to mark denominations with support for age restriction as such
@@ -286,9 +291,165 @@ NULL, but only iff the corresponding denomination (indirectly referenced via
 table ``known_coins``) has ``.age_restricted`` set to true.  This constraint
 can not be expressed reliably with SQL.
 
+
 Protocol changes
 ----------------
 
+Withdraw
+~~~~~~~~
+
+The withdraw protocol is affected in the following situations:
+
+- A wire transfer to the exchange (to fill a reserve) was marked by the
+  originating bank as coming from a bank account of a minor, belonging to a of
+  a specific age group, or by other means.
+- A KYC-process has been performed with the owner of a reserve and the user has
+  been identified as being a minor.
+- A Peer-to-Peer transaction was performed between customers.  The receiving
+  customer's KYC result tells the exchange that the customer belongs to a
+  specific age group.
+
+In these cases, the wallet will have to perform a zero-knowledge protocol with
+exchange as part of the the withdraw protocol, which we sketch here.  Let
+
+- :math:`\kappa` be the same cut-and-choose parameter for the refresh-protocol.
+- :math:`\Omega \in E` be a published, nothing-up-my-sleeve, constant
+  group-element on the elliptic curve.
+- :math:`a \in \{1,\ldots,M\}` be the maximum age (group) for which the wallet
+  has to prove its commitment.
+
+The values :math:`\kappa`, :math:`\Omega` and :math:`a` are known to the
+Exchange and the Wallet.  Then, Wallet and Exchange run the following protocol
+for the withdrawal of one coin:
+
+- *Wallet*
+   1. creates planchets :math:`C_i` for :math:`i \in \{1,\ldots,\kappa\}` as candidates for *one* coin.
+   #. creates age-commitments :math:`\vec{Q}^i` for :math:`i \in \{1,\ldots,\kappa\}` as follows:
+
+      a) creates :math:`a`-many Edx25519-keypairs :math:`(p^i_j, q^i_j)`
+         randomly for :math:`j \in \{1,\ldots,a\}` (with public keys :math:`q^i_j`),
+      #) chooses randomly :math:`(M - a)`-many scalars :math:`s^i_j` for :math:`j \in \{a+1,\ldots,M\}`,
+      #) calculates :math:`\omega^i_j = s^i_j*\Omega` for :math:`j \in \{a+1,\ldots,M \}`,
+      #) sets :math:`\vec{Q}^i := (q^i_1,\ldots,q^i_a,\omega^i_{a+1},\ldots,\omega^i_M)`
+
+   #. calculates :math:`f_i := \text{FDH}(C_i, H(\vec{Q}^i))` for :math:`i \in \{ 1,\ldots,\kappa \}`.
+   #. chooses random blindings :math:`\beta_i(.)` for :math:`i \in \{1,\ldots,\kappa\}`.  The blinding functions depend on the cipher (RSA, CS).
+   #. sends :math:`(\beta_1(f_1),\ldots,\beta_\kappa(f_\kappa))` to the Exchange
+
+- *Exchange*
+   7. receives :math:`(b_1,\ldots,b_\kappa)`
+   #. calculates :math:`F := \text{H}(b_1||\ldots||b_\kappa)`
+   #. chooses randomly :math:`\gamma \in \{1,\ldots,\kappa\}` and
+   #. signs :math:`r := b_\gamma` resulting in signature :math:`\sigma_r`
+   #. stores :math:`F \mapsto (r, \sigma_r)`
+   #. sends :math:`\gamma` to the Wallet.
+
+- *Wallet*
+   10. receives :math:`\gamma`
+   #. sends to the Exchange the tuple :math:`\left(F, \vec{\beta}, \vec{\vec{Q}}, \vec{\vec{S}}\right)` with
+
+      - :math:`F := \text{H}(\beta_1(f_1)||\ldots||\beta_\kappa(f_\kappa))`
+      - :math:`\vec{\beta} := (\beta_1,\ldots,\beta_{\gamma-1},\bot,\beta_{\gamma+1},\ldots,\beta_\kappa)`
+      - :math:`\vec{\vec{Q}} := (\vec{Q}^1,\ldots,\vec{Q}^{\gamma-1},\bot,\vec{Q}^{\gamma+1},\ldots,\vec{Q}^\kappa)`
+      - :math:`\vec{\vec{S}} := (\vec{S}^1,\ldots,\vec{S}^{\gamma-1},\bot,\vec{S}^{\gamma+1},\ldots,\vec{S}^\kappa)`
+        with :math:`\vec{S}^i := (s^i_j)`
+
+- *Exchange*
+   12. receives :math:`\left(F, (\beta_i), (\vec{Q}^i), (\vec{B}^i) \right)`
+   #. retrieves :math:`(r, \sigma_r)` from :math:`F` or bails out if not present
+   #. calculates :math:`b_i := \beta_i\left(\text{FDH}(\vec{Q}^i)\right)` for :math:`i \neq \gamma`
+   #. compares :math:`F \overset{?}{=} \text{H}(b_1||\ldots||b_{\gamma - 1}||r||b_{\gamma+1}||\ldots||b_\kappa)` and bails out on inequality
+   #. for each :math:`\vec{B}^i, i \neq \gamma`
+
+      i. calculates :math:`\tilde{\omega}^i_j := b^i_j * \Omega` for :math:`j \in \{a+1,\ldots,M\}`
+      #. compares each :math:`\tilde{\omega}^i_j` to :math:`q^i_j` from :math:`\vec{Q}^i = (q^i_1, \ldots, q^i_M)` and bails out on inequality
+   #. sends (blinded) signature :math:`\sigma_r` to Wallet
+
+- *Wallet*
+   18. receives :math:`\sigma_r`
+   #. calculates (unblinded) signature :math:`\sigma_\gamma := \beta^{-1}_\gamma(\sigma_r)` for coin :math:`C_\gamma`.
+
+
+Note that the batch version of withdraw allows the withdrawal of *multiple*
+coins at once.  For that scenario the protocol sketched above is adapted to
+accomodate for handling multiple coins at once -- thus multiplying the amount
+of data by the amount of coins in question--, but all with the same value of
+:math:`\gamma`.
+
+The *actual* implementation of the protocol above will have major optimizations
+to keep the bandwidth usage to a minimum and also ensure that a denomination in
+the commitment doesn't expire before the reveal.
+
+Instead of generating and sending the age commitment (array of public keys) and
+blindings for each coin, the wallet *MUST* derive the corresponding blindings
+and the age commitments from the coin's private key itself as follows:
+
+Let
+
+- :math:`s` be the master secret of the coin, from which the private key :math:`c_s`, blinding :math:`\beta` and nonce :math:`n` are derived as usual in the wallet core
+- :math:`m \in \{1,\ldots,M\}` be the maximum age (according to the reserve)
+  that a wallet can commit to during the withdrawal.
+- :math:`P` be a published constant Edx25519-public-key to which the private
+  key is not known to any client.
+
+For the age commitment, calculate:
+
+1. For age group :math:`a \in \{1,\ldots,m\}`, set
+
+.. math::
+           s_a &:= \text{HDKF}(s, \text{"age-commitment"}, a) \\
+           p_a &:= \text{Edx25519\_generate\_private}(s_a) \\
+           q_a &:= \text{Edx25519\_public\_from\_private}(p_a)
+
+2. For age group :math:`a \in \{m,\ldots,M\}`, set
+
+.. math::
+           f_a &:= \text{HDKF}(s, \text{"age-factor"}, a) \\
+           q_a &:= \text{Edx25519\_derive\_public}(P, f_a).
+
+Then the vector :math:`\vec{q} = \{q_1,\ldots,q_M\}` is then the age commitment
+associated to the coin's private key :math:`c_s`.  For the non-disclosed coins,
+the wallet can use the vector :math:`(p_1,\ldots,p_m,\bot,\ldots,\bot)` of
+private keys for the attestation.
+
+Provided with the secret :math:`s`, the exchange can therefore calculate the
+private key :math:`c_s`, the blinding :math:`\beta`, the nonce :math:`n` (if
+needed) and the age commitment :math:`\vec{q}`, along with the coin's public
+key :math:`C_p` and use the value of
+
+.. math::
+
+  \text{TALER\_CoinPubHashP}(C_p, \text{age\_commitment\_hash}(\vec{q}))
+
+during the verification of the original age-withdraw-commitment.
+
+For the withdrawal with age restriction, a sketch of the corresponding database
+schema in the exchange is given here:
+
+.. graphviz::
+
+	digraph deposit_policies {
+		rankdir = LR;
+		splines = true;
+		fontname="monospace"
+		node [
+			fontname="monospace"
+			shape=record
+		]
+
+		subgraph cluster_commitments {
+			label=<<B>age_withdraw</B>>
+			margin=20
+			commitments [
+			  label="age_withdraw_id\l|<hc>h_commitment\l|amount_with_fee_val\l|amount_with_fee_frac\l|noreveal_index\l|max_age\l|<res>reserve_pub\l|reserve_sig\l|<denom>[n] denominations_serials\l|[n] h_blind_evs\l|[n] denom_sigs\l"
+			]
+		}
+
+		commitments:res->reserves:id [ label="n:1"; fontname="monospace"];
+		commitments:denom -> denominations:id [ label="n:1"; fontname="monospace"] ;
+	}
+
+
 Refresh - melting phase
 ~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -439,9 +600,9 @@ The object ``ContractTerms`` is extended by an optional field
 ``minimum_age`` that can be any integer greater than 0.  In reality
 this value will not be smaller than, say, 8, and not larger than, say, 21.
 
-.. ts:def:: ContractTerms
+.. ts:def:: DD24ContractTerms
 
-   interface ContractTerms {
+   interface DD24ContractTerms {
    ...
 
    // If the order requires a minimum age greater than 0, this field is set
@@ -528,19 +689,14 @@ satisfy any minimum age requirement.
 Changes in the Wallet
 ^^^^^^^^^^^^^^^^^^^^^
 
-TODO.
-
-* choosing age-restriction during withdrawal coins from denominations with
-  support for age restriction.
-* Define protocol to pass denominations to child/ward.
-
+A wallet implementation SHOULD support denominations with age restriction.  In
+that case it SHOULD allow to select an age group as upper bound during
+withdraw.
 
 
 Alternatives
 ============
 
-TODO.
-
 * ID-based systems
 * credit/debit card based systems
 
@@ -548,10 +704,7 @@ TODO.
 Drawbacks
 =========
 
-TODO.
-
 * age groups, once defined, are set permanently
-* age restricted coins are basically shared between ward and warden.
 
 Also discuss:
 
@@ -571,9 +724,8 @@ We had some very engaged discussions on the GNU Taler `mailing list <taler@gnu.o
 
 * `Age-restriction is about coins, not currencies <https://lists.gnu.org/archive/html/taler/2021-09/msg00021.html>`__
 
+* The published paper: `Zero Knowledge Age Restriction for GNU Taler <https://link.springer.com/chapter/10.1007/978-3-031-17140-6_6>`_
 
-The upcoming paper on anonymous age-restriction for GNU Taler from Özgür Kesim
-and Christian Grothoff will be cited here, once it is published.
 
 .. _Edx25519: