From d968732afb32da7b7ec1ea4c54e3fcced530e5f3 Mon Sep 17 00:00:00 2001
From: Özgür Kesim <oec-taler@kesim.org>
Date: Wed, 11 Jan 2023 17:27:06 +0100
Subject: added description of how to derive cs-nonce from the coin_priv for
 withdraw-age

---
 core/api-exchange.rst                    |  8 ++++++++
 design-documents/024-age-restriction.rst | 12 ++++++++++--
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/core/api-exchange.rst b/core/api-exchange.rst
index ab046350..db192e07 100644
--- a/core/api-exchange.rst
+++ b/core/api-exchange.rst
@@ -2190,6 +2190,10 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request.
   .. ts:def:: AgeWithdrawRevealRequest
 
     interface AgeWithdrawRevealRequest {
+      // The public key of the reserve that was used for the initial commitment
+      // request.  Needed for optimized database lookup.
+      reserve_pub: EddsaPublicKey;
+
       // Array of ``n`` hash codes of denomination public keys to order.
       // These denominations MUST support age restriction as defined in the
       // output to /keys.
@@ -2217,6 +2221,10 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request.
       // Calculate the blinding beta as
       //    beta := HKDF(coin_priv, "blinding")
       //
+      // If the denominations are for Clause-Schnorr-Signatures, calculate the
+      // nonce as
+      //    nonce := HKDF(coin_priv, "cs-nonce")
+      //
       // Let m ∈  {1,...,M} be the maximum age group as defined in the reserve
       // that the wallet can commit to.
       //
diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
index b9553432..5b6e091d 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -392,6 +392,13 @@ Then calculate the blinding :math:`\beta` for the coin as
 .. math::
      \beta &:= \text{HKDF}(c_s, \text{"blinding"})
 
+If the denomination is using Clause-Schnorr signatures, calculate the nonce
+:math:`n` for the coin as
+
+.. math::
+     n &:= \text{HKDF}(c_s, \text{"cs-nonce"})
+
+
 
 For the age commitment, calculate:
 
@@ -414,8 +421,9 @@ the wallet can use the vector :math:`(p_1,\ldots,p_m,\bot,\ldots,\bot)` of
 private keys for the attestation.
 
 Provided with the private key :math:`c_s`, the exchange can therefore calculate
-the blinding :math:`\beta` and the age commitment :math:`\vec{q}` itself, along
-with the coin's public key :math:`C_p` and use the value of
+the blinding :math:`\beta`, the nonce :math:`n` (if needed) and the age
+commitment :math:`\vec{q}` itself, along with the coin's public key :math:`C_p`
+and use the value of
 
 .. math::
 
-- 
cgit v1.2.3