Diffstat (limited to 'design-documents/024-age-restriction.rst')
-rw-r--r-- design-documents/024-age-restriction.rst 62
1 files changed, 29 insertions, 33 deletions
diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
index db39234a..0445aa6d 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -1,5 +1,5 @@
-DD24: Anonymous Age Restriction Extension for GNU Taler
-#######################################################
+DD 24: Anonymous Age Restriction Extension
+##########################################
Summary
=======
@@ -247,7 +247,7 @@ changed since the given timestamp.
// Similar as for ``.denoms``, if the query parameter ``last_issue_date``
// was provided by the client, the exchange will only return the keys that
// have changed since the given timestamp.
- age_restricted_denoms: Denom[];
+ age_restricted_denoms: DenomCommon[];
//...
}
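Review bot: the type of `age_restricted_denoms` changes from `Denom[]` to `DenomCommon[]`, but the comment directly above still describes the field only by analogy ("Similar as for ``.denoms``"). If `.denoms` is not also `DenomCommon[]`, that analogy now misleads. Please add a sentence or a type reference saying what `DenomCommon` carries, so a reader of this interface can tell which fields are available on an age-restricted denomination.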
@@ -303,6 +303,8 @@ The withdraw protocol is affected in the following situations:
- A wire transfer to the exchange (to fill a reserve) was marked by the
originating bank as coming from a bank account of a minor, belonging to a of
a specific age group, or by other means.
+- A KYC-process has been performed with the owner of a reserve and the user has
+ been identified as being a minor.
- A Peer-to-Peer transaction was performed between customers. The receiving
customer's KYC result tells the exchange that the customer belongs to a
specific age group.
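Review bot: the added bullet names the same party twice ("the owner of a reserve" and "the user") and says only "a minor", while the neighbouring bullets speak of "a specific age group". For consistency, use one term and state the outcome as an age group, e.g. "... and the owner has been identified as belonging to a specific age group". The unchanged bullet above still reads "belonging to a of a specific age group" and could be fixed in the same change.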
@@ -332,33 +334,35 @@ for the withdrawal of one coin:
#. calculates :math:`f_i := \text{FDH}(C_i, H(\vec{Q}^i))` for :math:`i \in \{ 1,\ldots,\kappa \}`.
#. chooses random blindings :math:`\beta_i(.)` for :math:`i \in \{1,\ldots,\kappa\}`. The blinding functions depend on the cipher (RSA, CS).
- #. calculates :math:`F := \text{H}(\beta_1(f_1)||\ldots||\beta_\kappa(f_\kappa))`
- #. sends :math:`F` to the Exchange
+ #. sends :math:`(\beta_1(f_1),\ldots,\beta_\kappa(f_\kappa))` to the Exchange
- *Exchange*
- 7. receives and stores :math:`F`
+ 7. receives :math:`(b_1,\ldots,b_\kappa)`
+ #. calculates :math:`F := \text{H}(b_1||\ldots||b_\kappa)`
#. chooses randomly :math:`\gamma \in \{1,\ldots,\kappa\}` and
+ #. signs :math:`r := b_\gamma` resulting in signature :math:`\sigma_r`
+ #. stores :math:`F \mapsto (r, \sigma_r)`
#. sends :math:`\gamma` to the Wallet.
- *Wallet*
10. receives :math:`\gamma`
- #. sends to the Exchange the tuple :math:`\left(r_\gamma, \vec{\beta}, \vec{\vec{Q}}, \vec{\vec{S}}\right)` with
+ #. sends to the Exchange the tuple :math:`\left(F, \vec{\beta}, \vec{\vec{Q}}, \vec{\vec{S}}\right)` with
- - :math:`r_\gamma := \beta_\gamma(f_\gamma)`
- - :math:`\vec{\beta} := (\beta^1,\ldots,\beta^{\gamma-1},\bot,\beta^{\gamma+1},\ldots,\beta^\kappa)`
+ - :math:`F := \text{H}(\beta_1(f_1)||\ldots||\beta_\kappa(f_\kappa))`
+ - :math:`\vec{\beta} := (\beta_1,\ldots,\beta_{\gamma-1},\bot,\beta_{\gamma+1},\ldots,\beta_\kappa)`
- :math:`\vec{\vec{Q}} := (\vec{Q}^1,\ldots,\vec{Q}^{\gamma-1},\bot,\vec{Q}^{\gamma+1},\ldots,\vec{Q}^\kappa)`
- :math:`\vec{\vec{S}} := (\vec{S}^1,\ldots,\vec{S}^{\gamma-1},\bot,\vec{S}^{\gamma+1},\ldots,\vec{S}^\kappa)`
with :math:`\vec{S}^i := (s^i_j)`
- *Exchange*
- 12. receives :math:`\left(r, (\beta^i), (\vec{Q}^i), (\vec{B}^i) \right)`
- #. calculates :math:`g_i := \beta_i\left(\text{FDH}(\vec{Q}^i)\right)` for :math:`i \neq \gamma`
- #. compares :math:`F \overset{?}{=} \text{H}(g_1||\ldots||g_{\gamma - 1}||r||g_{\gamma+1}||\ldots||g_\kappa)` and bails out on inequality
+ 12. receives :math:`\left(F, (\beta_i), (\vec{Q}^i), (\vec{B}^i) \right)`
+ #. retrieves :math:`(r, \sigma_r)` from :math:`F` or bails out if not present
+ #. calculates :math:`b_i := \beta_i\left(\text{FDH}(\vec{Q}^i)\right)` for :math:`i \neq \gamma`
+ #. compares :math:`F \overset{?}{=} \text{H}(b_1||\ldots||b_{\gamma - 1}||r||b_{\gamma+1}||\ldots||b_\kappa)` and bails out on inequality
#. for each :math:`\vec{B}^i, i \neq \gamma`
i. calculates :math:`\tilde{\omega}^i_j := b^i_j * \Omega` for :math:`j \in \{a+1,\ldots,M\}`
#. compares each :math:`\tilde{\omega}^i_j` to :math:`q^i_j` from :math:`\vec{Q}^i = (q^i_1, \ldots, q^i_M)` and bails out on inequality
- #. signs :math:`r`
#. sends (blinded) signature :math:`\sigma_r` to Wallet
- *Wallet*
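Review bot: in the second *Exchange* block, "calculates b_i ... for i ≠ γ" and the comparison against F both need γ, but the first block stores only `F \mapsto (r, \sigma_r)`. Store γ with it (e.g. `F \mapsto (\gamma, r, \sigma_r)`) or state how it is recovered, otherwise the exchange cannot tell which position r occupies in the hash input. Two documentation points in the same hunk: the explicit start numbers `7.`, `10.` and `12.` were left unchanged although one Wallet step was removed and three Exchange steps were added, and renaming `g_i` to `b_i` now collides with `b^i_j` in the unchanged line "calculates ω̃^i_j := b^i_j * Ω", so one of the two symbols should be renamed.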
@@ -372,11 +376,13 @@ accomodate for handling multiple coins at once -- thus multiplying the amount
of data by the amount of coins in question--, but all with the same value of
:math:`\gamma`.
-The *actual* implementation of the protocol above will have a major optimization
-to keep the bandwidth usage to a minimum. Instead of generating and sending
-the age commitment (array of public keys) and blindings for each coin, the
-wallet *MUST* derive the corresponding blindings and the age commitments from
-the coin's private key itself as follows:
+The *actual* implementation of the protocol above will have major optimizations
+to keep the bandwidth usage to a minimum and also ensure that a denomination in
+the commitment doesn't expire before the reveal.
+
+Instead of generating and sending the age commitment (array of public keys) and
+blindings for each coin, the wallet *MUST* derive the corresponding blindings
+and the age commitments from the coin's private key itself as follows:
Let
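Review bot: the added clause "and also ensure that a denomination in the commitment doesn't expire before the reveal" is not backed by the text that follows, which only describes deriving blindings and age commitments from the coin's private key. Please add a sentence stating which optimization provides the expiry guarantee (for instance, that the exchange already signs `r` at commitment time, as the protocol hunk above introduces), or drop the clause.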
@@ -432,25 +438,15 @@ schema in the exchange is given here:
]
subgraph cluster_commitments {
- label=<<B>withdraw_age_commitments</B>>
+ label=<<B>age_withdraw</B>>
margin=20
commitments [
- label="withdraw_age_commitments_id\l|<hc>h_commitment\l|amount_with_fee_val\l|amount_with_fee_frac\l|noreveal_index\l|max_age\l|<res>reserve_pub\l|reserve_sig\l|timestamp\l"
- ]
- }
-
- subgraph cluster_reveals {
- label=<<B>withdraw_age_reveals</B>>
- margin=20
- reveals [
- label="freshcoin_index\l|<comm>h_commitment\l|<denom>denominations_serial\l|h_coin_ev\l"
+ label="age_withdraw_id\l|<hc>h_commitment\l|amount_with_fee_val\l|amount_with_fee_frac\l|noreveal_index\l|max_age\l|<res>reserve_pub\l|reserve_sig\l|<denom>[n] denominations_serials\l|[n] h_blind_evs\l|[n] denom_sigs\l"
]
}
commitments:res->reserves:id [ label="n:1"; fontname="monospace"];
- reveals:comm -> commitments:hc [ label="n:1"; fontname="monospace" ];
- reveals:denom -> denominations:id [ label="n:1"; fontname="monospace"] ;
-
+ commitments:denom -> denominations:id [ label="n:1"; fontname="monospace"] ;
}
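Review bot: the new `age_withdraw` label drops the `timestamp` column that `withdraw_age_commitments` had, and nothing in the hunk says this is intended; if the commitment time is still recorded, keep it in the label. Also, `[n] denominations_serials` is now an array column while the edge `commitments:denom -> denominations:id` is still labelled "n:1"; a short note that each row references n denominations would keep the diagram accurate.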
@@ -604,9 +600,9 @@ The object ``ContractTerms`` is extended by an optional field
``minimum_age`` that can be any integer greater than 0. In reality
this value will not be smaller than, say, 8, and not larger than, say, 21.
-.. ts:def:: ContractTerms
+.. ts:def:: DD24ContractTerms
- interface ContractTerms {
+ interface DD24ContractTerms {
...
// If the order requires a minimum age greater than 0, this field is set
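Review bot: the definition is renamed to `DD24ContractTerms`, but the unchanged sentence above still says "The object ``ContractTerms`` is extended by an optional field ``minimum_age``". Please state in the prose how `DD24ContractTerms` relates to `ContractTerms`, so readers do not go looking for a separate type of that name.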