From 145912990c8f2f89a1daa05a6a9071615c8904de Mon Sep 17 00:00:00 2001 From: Özgür Kesim Date: Tue, 20 Dec 2022 14:34:31 +0100 Subject: cleanup zk-protocol for age restriction during withdraw --- design-documents/024-age-restriction.rst | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) (limited to 'design-documents/024-age-restriction.rst') diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst index ce1e130e..f43dc18d 100644 --- a/design-documents/024-age-restriction.rst +++ b/design-documents/024-age-restriction.rst @@ -320,17 +320,17 @@ Then: #. *Wallet*: - #. creates planchets :math:`\{C_i \mid i = 1,\ldots,\kappa\}` as candidates for *one* coin. - #. creates age-commitments :math:`\{ \vec{Q}^i \mid i = 1,\ldots,\kappa\}` as follows: + #. creates planchets :math:`C_i` for :math:`i \in \{1,\ldots,\kappa\}` as candidates for *one* coin. + #. creates age-commitments :math:`\vec{Q}^i` for :math:`i \in \{1,\ldots,\kappa\}` as follows: - a) chooses randomly :math:`a`-many scalars :math:`\{p^i_j \mid j = 1,\ldots,a\}`, - #) creates keypairs :math:`\{(p^i_j, q^i_j = p^i_j*G) \mid j = 1,\ldots,a\}` for Edx25519, - #) chooses randomly :math:`(M - a)`-many scalars :math:`\{s^i_j \mid j = a+1,\ldots,M\}`, - #) calculates :math:`\{\omega^i_j = s^i_j*\Omega \mid j = a+1,\ldots,M \}`, + a) chooses randomly :math:`a`-many scalars :math:`p^i_j` for :math:`j \in \{1,\ldots,a\}`, + #) creates Edx25519-keypairs :math:`(p^i_j, q^i_j)` for :math:`j \in \{1,\ldots,a\}`, + #) chooses randomly :math:`(M - a)`-many scalars :math:`s^i_j` for :math:`j \in \{a+1,\ldots,M\}`, + #) calculates :math:`\omega^i_j = s^i_j*\Omega` for :math:`j \in \{a+1,\ldots,M \}`, #) sets :math:`\vec{Q}^i := (q^i_1,\ldots,q^i_a,\omega^i_{a+1},\ldots,\omega^i_M)` - #. calculates :math:`\{ f_i := \text{FDH}(C_i, H(\vec{Q}^i)) \mid i = 1,\ldots,\kappa \}` - #. chooses random blindings :math:`\beta_i(.), i = 1,\ldots,\kappa`, depending on the the cipher (RSA, CS). + #. calculates :math:`f_i := \text{FDH}(C_i, H(\vec{Q}^i))` for :math:`i \in \{ 1,\ldots,\kappa \}`. + #. chooses random blindings :math:`\beta_i(.)` for :math:`i \in \{1,\ldots,\kappa\}`. The blinding functions depend on the cipher (RSA, CS). #. calculates :math:`F := \text{H}(\beta_1(f_1)||\ldots||\beta_\kappa(f_\kappa))` #. sends :math:`F` to the Exchange @@ -358,10 +358,15 @@ Then: #. compares :math:`F \overset{?}{=} \text{H}(g_1||\ldots||g_{\gamma - 1}||r||g_{\gamma+1}||\ldots||g_\kappa)` and bails out on inequality #. for each :math:`\vec{B}^i, i \neq \gamma` - i. calculates :math:`\tilde{\omega}^i_j := b^i_j * \Omega` for :math:`j = a+1,\ldots,M` + i. calculates :math:`\tilde{\omega}^i_j := b^i_j * \Omega` for :math:`j \in \{a+1,\ldots,M\}` #. compares each :math:`\tilde{\omega}^i_j` to :math:`q^i_j` from :math:`\vec{Q}^i = (q^i_1, \ldots, q^i_M)` and bails out on inequality #. signs :math:`r` - #. sends signature :math:`\sigma_r` to Wallet + #. sends (blinded) signature :math:`\sigma_r` to Wallet + +#. *Wallet*: + + #. receives :math:`\sigma_r` + #. calculates (unblinded) signature :math:`\sigma_c := \beta^{-1}_\gamma(\sigma_r)` -- cgit v1.2.3