From 5cb0b3b593105ee4d806a8c756c78148bfd76466 Mon Sep 17 00:00:00 2001
From: Özgür Kesim
Date: Tue, 2 May 2023 13:28:04 +0200
Subject: protocol and schema change for age-withdraw

During the commitment for age-withdraw, the wallet now has to provide all n*kappa blinded hashes and n denom_pubs. This allows the exchange to immediately sign the chosen coins in the initial commit with the corresponding denomination key.
---
 core/api-exchange.rst | 49 +++++++++++---------------------
 design-documents/024-age-restriction.rst | 38 ++++++++++++++-----------
 2 files changed, 38 insertions(+), 49 deletions(-)

diff --git a/core/api-exchange.rst b/core/api-exchange.rst
index 8d1701d4..b09dadfa 100644
--- a/core/api-exchange.rst
+++ b/core/api-exchange.rst
@@ -2428,20 +2428,21 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request.
 .. ts:def:: AgeWithdrawRequest
 
 interface AgeWithdrawRequest {
- // Commitment to the coins with age restriction. This is the SHA512
- // hash value $ACH over all n*kappa `BlindedCoinHash` values of all
- // coins and their age commitments. It is alter used as part of the URL
- // in the subsequent call to /age-withdraw/$ACH/reveal.
- h_commitment : HashCode;
-
- // The total amount that the client wants to withdraw from the reserve
- // and must be at most the balance of the reserve. The balance of the
- // reserve will be immediatley reduced by that amount.
- // In the subsequent call to /age-withdraw/$ACH/reveal, the client has to
- // provide the list of denominations (with support for age restriction)
- // that the coins shall be signed with. The sum of the values of those
- // denominations MUST equal this amount.
- amount: Amount;
+ // Array of ``n`` hash codes of denomination public keys to order.
+ // These denominations MUST support age restriction as defined in the
+ // output to /keys.
+ // The sum of all denomination's values plus fees MUST be at most the
+ // balance of the reserve. The balance of the reserve will be
+ // immediatley reduced by that amount.
+ denoms_h: HashCode[];
+
+ // ``n`` arrays of ``kappa`` entries with blinded coin envelopes. Each
+ // (toplevel) entry represents ``kappa`` canditates for a particular
+ // coin. The exchange will respond with an index ``gamma``, which is
+ // the index that shall remain undisclosed during the reveal phase.
+ // The SHA512 hash $ACH over the blinded coin envelopes is the commitment
+ // that is later used as the key to the reveal-URL.
+ blinded_coins_evs: CoinEnvelope[][];
 
 // The maximum age to commit to. MUST be the same as the maximum
 // age in the reserve.
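Review bot: The new `blinded_coins_evs` comment says `$ACH` is the SHA512 hash "over the blinded coin envelopes" but does not fix the input to that hash: which bytes of each `CoinEnvelope` are hashed, in which order (outer index over the `n` coins, then inner index over the `kappa` candidates), and whether `denoms_h` or the maximum age are part of the input. Because the exchange later keys the stored signature by this hash and the wallet presents it as the reveal URL, both sides must compute it byte-identically, so I would spell out the serialization, e.g. `// $ACH := SHA512(ev[0][0] || ... || ev[n-1][kappa-1]), each CoinEnvelope encoded as <encoding TBD>`. The comment should also state the length invariants the exchange must enforce before signing anything, `// blinded_coins_evs.length MUST equal denoms_h.length (n); each inner array MUST have exactly kappa entries`. The `AgeWithdrawRequest` interface continues past the end of the hunk.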
@@ -2515,26 +2516,10 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request.
 // request. Needed for optimized database lookup.
 reserve_pub: EddsaPublicKey;
 
- // Array of ``n`` hash codes of denomination public keys to order.
- // These denominations MUST support age restriction as defined in the
- // output to /keys.
- // The sum of all denomination's values MUST equal the original amount
- // of the previous commitment.
- denoms_h: HashCode[];
-
- // Array of ``n`` entries with blinded coins, which are the non-desclosed
- // coins in the previous commitment. They match the respective entries
- // in ``denoms_h``.
- coin_evs: CoinEnvelope[];
-
- // Array of ``n`` of ``(kappa - 1)`` disclosed coin secrets, from
+ // Array of ``n`` of ``(kappa - 1)`` disclosed coin master secrets, from
 // which the coins' private key ``coin_priv``, blinding ``beta`` and nonce
 // ``nonce`` (for Clause-Schnorr) itself are derived as usually in wallet
- // core.
- // (TODO: description of the derivation process of the coin's private
- // key, blinding and nonce).
- //
- // Given a coin's secret, the age commitment for the coin MUST be
+ // core. Given a coin's secret, the age commitment for the coin MUST be
 // derived from this private key as follows:
 //
 // Let m ∈ {1,...,M} be the maximum age group as defined in the reserve
diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
index ec7edd69..50ea4705 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -332,33 +332,35 @@ for the withdrawal of one coin:
 #. calculates :math:`f_i := \text{FDH}(C_i, H(\vec{Q}^i))` for :math:`i \in \{ 1,\ldots,\kappa \}`.
 #. chooses random blindings :math:`\beta_i(.)` for :math:`i \in \{1,\ldots,\kappa\}`. The blinding functions depend on the cipher (RSA, CS).
- #. calculates :math:`F := \text{H}(\beta_1(f_1)||\ldots||\beta_\kappa(f_\kappa))`
- #. sends :math:`F` to the Exchange
+ #. sends :math:`(\beta_1(f_1),\ldots,\beta_\kappa(f_\kappa))` to the Exchange
 
 - *Exchange*
 
- 7. receives and stores :math:`F`
+ 7. receives :math:`(b_1,\ldots,b_\kappa)`
+ #. calculates :math:`F := \text{H}(b_1||\ldots||b_\kappa)`
 #. chooses randomly :math:`\gamma \in \{1,\ldots,\kappa\}` and
+ #. signs :math:`r := b_\gamma` resulting in signature :math:`\sigma_r`
+ #. stores :math:`F \mapsto (r, \sigma_r)`
 #. sends :math:`\gamma` to the Wallet.
 
 - *Wallet*
 
 10. receives :math:`\gamma`
- #. sends to the Exchange the tuple :math:`\left(r_\gamma, \vec{\beta}, \vec{\vec{Q}}, \vec{\vec{S}}\right)` with
+ #. sends to the Exchange the tuple :math:`\left(F, \vec{\beta}, \vec{\vec{Q}}, \vec{\vec{S}}\right)` with
 
- - :math:`r_\gamma := \beta_\gamma(f_\gamma)`
- - :math:`\vec{\beta} := (\beta^1,\ldots,\beta^{\gamma-1},\bot,\beta^{\gamma+1},\ldots,\beta^\kappa)`
+ - :math:`F := \text{H}(\beta_1(f_1)||\ldots||\beta_\kappa(f_\kappa))`
+ - :math:`\vec{\beta} := (\beta_1,\ldots,\beta_{\gamma-1},\bot,\beta_{\gamma+1},\ldots,\beta_\kappa)`
 - :math:`\vec{\vec{Q}} := (\vec{Q}^1,\ldots,\vec{Q}^{\gamma-1},\bot,\vec{Q}^{\gamma+1},\ldots,\vec{Q}^\kappa)`
 - :math:`\vec{\vec{S}} := (\vec{S}^1,\ldots,\vec{S}^{\gamma-1},\bot,\vec{S}^{\gamma+1},\ldots,\vec{S}^\kappa)` with :math:`\vec{S}^i := (s^i_j)`
 
 - *Exchange*
 
- 12. receives :math:`\left(r, (\beta^i), (\vec{Q}^i), (\vec{B}^i) \right)`
- #. calculates :math:`g_i := \beta_i\left(\text{FDH}(\vec{Q}^i)\right)` for :math:`i \neq \gamma`
- #. compares :math:`F \overset{?}{=} \text{H}(g_1||\ldots||g_{\gamma - 1}||r||g_{\gamma+1}||\ldots||g_\kappa)` and bails out on inequality
+ 12. receives :math:`\left(F, (\beta_i), (\vec{Q}^i), (\vec{B}^i) \right)`
+ #. retrieves :math:`(r, \sigma_r)` from :math:`F` or bails out if not present
+ #. calculates :math:`b_i := \beta_i\left(\text{FDH}(\vec{Q}^i)\right)` for :math:`i \neq \gamma`
+ #. compares :math:`F \overset{?}{=} \text{H}(b_1||\ldots||b_{\gamma - 1}||r||b_{\gamma+1}||\ldots||b_\kappa)` and bails out on inequality
 #. for each :math:`\vec{B}^i, i \neq \gamma`
 i. calculates :math:`\tilde{\omega}^i_j := b^i_j * \Omega` for :math:`j \in \{a+1,\ldots,M\}`
 #. compares each :math:`\tilde{\omega}^i_j` to :math:`q^i_j` from :math:`\vec{Q}^i = (q^i_1, \ldots, q^i_M)` and bails out on inequality
- #. signs :math:`r`
 #. sends (blinded) signature :math:`\sigma_r` to Wallet
 
 - *Wallet*
@@ -372,11 +374,13 @@ accomodate for handling multiple coins at once -- thus multiplying the amount of
 data by the amount of coins in question--, but all with the same value of
 :math:`\gamma`.
 
-The *actual* implementation of the protocol above will have a major optimization
-to keep the bandwidth usage to a minimum. Instead of generating and sending
-the age commitment (array of public keys) and blindings for each coin, the
-wallet *MUST* derive the corresponding blindings and the age commitments from
-the coin's private key itself as follows:
+The *actual* implementation of the protocol above will have major optimizations
+to keep the bandwidth usage to a minimum and also ensure that a denomination in
+the commitment doesn't expire before the reveal.
+
+Instead of generating and sending the age commitment (array of public keys) and
+blindings for each coin, the wallet *MUST* derive the corresponding blindings
+and the age commitments from the coin's private key itself as follows:
 
 Let
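Review bot: The new Exchange step "stores F ↦ (r, σ_r)" records only the signed candidate, yet the reveal side still needs γ — "for each B^i, i ≠ γ" and the comparison that places r at position γ cannot be evaluated without it — and neither the stored tuple nor the new reveal tuple (F, β, Q, S) carries γ as written. Unless the exchange can recover γ from r in some way not stated here, the mapping should be `stores F ↦ (γ, r, σ_r)` and the retrieval step `retrieves (γ, r, σ_r) from F or bails out if not present`; otherwise the exchange has no ground truth for which slot it chose and must trust the wallet's omission pattern, which defeats the cut-and-choose. Separately, since σ_r is now produced before any age commitment has been verified, I would state explicitly that σ_r is held back until every comparison in the reveal succeeds, as "sends (blinded) signature σ_r to Wallet" is only implicitly conditional on the earlier bail-outs. The enumerated list continues past the end of the hunk.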
@@ -440,10 +444,10 @@ schema in the exchange is given here:
 }
 
 subgraph cluster_reveals {
- label=<age_withdraw_reveals>
+ label=<age_withdraw_revealed_coins>
 margin=20
 reveals [
- label="freshcoin_index\l|h_commitment\l|denominations_serial\l|coin_ev\l|h_coin_ev\l|ev_sig\l"
+ label="freshcoin_index\l|h_commitment\l|denominations_serial\l|h_blind_ev\l|denom_sig\l"
 ]
 }
-- 
cgit v1.2.3