From 3270cce0d6a2c0ea0e8696519c967d56dd7b7fd0 Mon Sep 17 00:00:00 2001
From: Özgür Kesim <oec-taler@kesim.org>
Date: Tue, 10 Jan 2023 18:51:36 +0100
Subject: clearity in age withdraw reveal optimization

---
 design-documents/024-age-restriction.rst | 45 ++++++++++++++++----------------
 1 file changed, 22 insertions(+), 23 deletions(-)

diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
index ae3874c0..3d743e40 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -376,45 +376,44 @@ The *actual* implementation of the protocol above will have a major optimization
 to keep the bandwidth usage to a minimum.  Instead of generating and sending
 the age commitment (array of public keys) and blindings for each coin, the
 wallet *MUST* derive the corresponding blindings and the age commitments from
-the coin's private key :math:`c_s` itself as follows:
+the coin's private key itself as follows:
 
-Let :math:`m \in \{1,\ldots,M\}` be the maximum age (according to the reserve)
-that a wallet can commit to during the withdrawal.
+Let
 
-Calculate the blinding :math:`\beta` for the coin as
+- :math:`c_s` be the private key of the coin,
+- :math:`m \in \{1,\ldots,M\}` be the maximum age (according to the reserve)
+  that a wallet can commit to during the withdrawal.
+- :math:`P` be a published constant Edx25519-public-key to which the private
+  key is not known to any client.
 
-.. math::
-     \beta &:= \text{HKDF}(c_s, \text{"blinding"})
 
-For age group :math:`a \in \{1,\ldots,m\}`, set
+Then calculate the blinding :math:`\beta` for the coin as
 
 .. math::
-             s_a &:= \text{HDKF}(c_s, \text{"age-commitment"}, a) \\
-           p_a  &:= \text{Edx25519\_generate\_private}(s_a)
-
-
-and calculate the corresponding Edx25519PublicKey as
+     \beta &:= \text{HKDF}(c_s, \text{"blinding"})
 
-.. math::
-           q_a &:= \text{Edx25519\_public\_from\_private}(p_a)
 
+For the age commitment, calculate:
 
-For age group :math:`a \in \{m,\ldots,M\}`, set
+1. For age group :math:`a \in \{1,\ldots,m\}`, set
 
 .. math::
-           f_a &:= \text{HDKF}(c_s, \text{"age-factor"}, a)
+           s_a &:= \text{HDKF}(c_s, \text{"age-commitment"}, a) \\
+           p_a &:= \text{Edx25519\_generate\_private}(s_a) \\
+           q_a &:= \text{Edx25519\_public\_from\_private}(p_a)
 
-and calculate the corresponding Edx25519PublicKey as
+2. For age group :math:`a \in \{m,\ldots,M\}`, set
 
 .. math::
-           q_a &:= \text{Edx25519\_derive\_public}(P, f_a),
+           f_a &:= \text{HDKF}(c_s, \text{"age-factor"}, a) \\
+           q_a &:= \text{Edx25519\_derive\_public}(P, f_a).
 
-where :math:`P` is a published constant public key, for which the private key
-is not known to the client.
+Then the vector :math:`\vec{q} = \{q_1,\ldots,q_M\}` is then the age commitment
+associated to private key :math:`c_s`.
 
-Provided with the private key :math:`c_s`, ghe exchange can therefore calculate the
-age commitment :math:`\vec{q}` itself, along with the coin's public key
-:math:`C_p` and use the value of
+Provided with the private key :math:`c_s`, the exchange can therefore calculate
+the blinding :math:`\beta` and the age commitment :math:`\vec{q}` itself, along
+with the coin's public key :math:`C_p` and use the value of
 
 .. math::
 
-- 
cgit v1.2.3