rsa-redesign.tex (12401B)
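% Chapter: RSA variants of the withdraw, refresh and linking protocols.
% Each protocol is drawn as a three-column array: customer steps on the
% left, messages in the middle, exchange steps on the right.
\chapter{Redesigned RSA Protocols}
In order to bring the RSA and \gls{CSBS} protocols closer, this chapter describes a variant of the RSA protocols with the same changes as in the \gls{CSBS} versions (where they can be applied).


\section{Withdraw Protocol}
% Withdrawal: the customer derives the coin key pair and the blinding factor
% from one 32-byte secret omega, blinds FDH(N, C_p) and has the exchange sign it.
\begin{figure}[htp]
  \begin{equation*}
    \resizebox{1.0\textwidth}{!}{$\displaystyle
      \begin{array}{ l c l }
        \text{Customer} & & \text{Exchange}
        \\ \text{knows:} & & \text{knows:}
        \\ \text{reserve keys } w_s, W_p & & \text{reserve public key } W_p
        \\ \text{denomination public key } D_p = e, N & & \text{denomination keys } d_s, D_p
        \\ & &
        % omega is persisted before any message is sent; c_s, b_s and r are all
        % derived from it, so omega has to be protected like the coin key itself.
        \\ \text{generate withdraw secret:}
        \\ \omega := \text{randombytes}(32)
        \\ \text{persist } \langle \omega, D_p \rangle
        \\ \text{derive coin key pair:} & &
        \\ c_s := \text{HKDF}(256, \omega, \text{"cs"})
        \\ C_p := \text{Ed25519.GetPub}(c_s)
        % The blinding seed uses a different HKDF label than the coin key.
        \\ \text{blind:} & &
        \\ b_s := \text{HKDF}(256, \omega, \text{"b-seed"})
        \\ r := \text{FDH}(b_s)
        \\ m' := \text{FDH}(N, C_p) \cdot r^{e} \mod N & &
        \\ \text{sign with reserve private key:} & &
        \\ \rho_W := \langle D_p, m' \rangle & &
        \\ \sigma_W := \text{Ed25519.Sign}(w_s, \rho_W) & &
        \\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho = W_p, \sigma_W, \rho_W} &
        \\ & & \langle D_p, m' \rangle := \rho_W
        \\ & & \text{verify if } D_p \text{ is valid}
        \\ & & \text{check } \text{Ed25519.Verify}(W_p, \rho_W, \sigma_W)
        \\ & & \sigma'_c = (m')^{d_s} \mod N
        \\ & & \text{decrease balance if sufficient and}
        % NOTE(review): s is not defined anywhere in this figure -- confirm
        % which value the exchange persists here.
        \\ & & \text{persist } \langle D_p, s \rangle
        \\ & \xleftarrow[\rule{2.5cm}{0pt}]{\sigma'_c} &
        \\ \text{unblind:} & &
        \\ \sigma_c = \sigma'_c \cdot r^{-1} \mod N & &
        % The customer checks the unblinded signature before accepting the coin.
        \\ \text{verify signature:} & &
        \\ \textbf{check if } \sigma_c^{e} \equiv_{N} \text{FDH}(N, C_p) & &
        \\ & &
        \\ \text{resulting coin: } c_s, C_p, \sigma_c, D_p & &
        \\ & &
        \\ \text{implementation note: minimum of}
        \\ \text{persisted values is } \langle \omega, \sigma_c \rangle
      \end{array}$
    }
  \end{equation*}
  \caption{Redesigned RSA withdrawal process}
  \label{fig:withdrawal-process-rsa-redesign}
\end{figure}

The changes to the RSA withdraw protocol (see \autoref{fig:withdrawal-process-rsa-redesign}) are limited to the derivation of the coin and blinding factor.


\section{Refresh Protocol}
The changes to the refresh protocol are related to the derivation of transfer secrets and subsequent operations, see \autoref{fig:refresh-derive-rsa-redesign}, \autoref{fig:refresh-part1-rsa-redesign} and \autoref{fig:refresh-part2-rsa-redesign}.
% RefreshDerive: from a transfer secret t and the old coin's public key C_p,
% derive the transfer public key T, the new coin key pair and the blinded message.
\begin{figure}[htp]
  \centering
  \fbox{%
    \procedure[codesize=\small]{$\text{RefreshDerive}(t, \langle e, N \rangle, C_p)$}{%
      T := \text{Curve25519.GetPub}(t) \\
      x := \textrm{ECDH-EC}(t, C_p) \\
      % Blinding seed and coin key come from the same shared secret x,
      % separated by their HKDF labels.
      b_s := \text{HKDF}(256, x, \text{"b-seed"}) \\
      r := \text{FDH}(b_s) \\
      c'_s := \text{HKDF}(256, x, \text{"c"}) \\
      C'_p := \text{Ed25519.GetPub}(c'_s) \\
      % NOTE(review): the withdraw figure blinds FDH(N, C_p), this line blinds
      % C'_p directly, and the exchange later checks the old coin against
      % FDH(N_0, C_p^{(0)}) -- confirm the hash is omitted here only for brevity.
      \overline{m} := r^e \cdot C'_p \mod N \\
      \pcreturn \langle T, c_s', C_p', \overline{m} \rangle
    }
  }
  \caption{Redesigned RSA RefreshDerive algorithm}
  \label{fig:refresh-derive-rsa-redesign}
\end{figure}

% Commit phase: the customer commits to kappa derivations through h_C; the
% exchange answers with a challenge index gamma.
\begin{figure}[htp]
  \begin{equation*}
    \resizebox{1.0\textwidth}{!}{$\displaystyle
      \begin{array}{ l c l }
        % preliminaries
        \text{Customer} & & \text{Exchange}
        \\ \text{knows:} & & \text{knows:}
        \\ \text{denomination public key } D_{p(i)} & & \text{denomination keys } d_{s(i)}, D_{p(i)}
        \\ \text{coin}_0 = \langle D_{p(0)}, c_s^{(0)}, C_p^{(0)}, \sigma_C^{(0)} \rangle & &
        % refresh request
        \\ \text{Select } \langle e_t, N_t \rangle := D_{p(t)} \in D_{p(i)}
        \\ \omega := \text{randombytes}(32)
        \\ \text{persist } \langle \omega, D_{p(t)} \rangle
        \\ \textbf{for } i = 1, \dots, \kappa: % generate kappa derivations
        % every transfer secret t_i is derived from omega with a per-index label
        \\ t_i := \text{HKDF}(256, \omega,\text{"t} i \text{"} ) % seed generation
        \\ X_i := \text{RefreshDerive}(t_i, D_{p(t)}, C_p^{(0)})
        \\ (T_i, c_s^{(i)}, C_p^{(i)}, \overline{m}_i) := X_i
        \\ \textbf{endfor}
        % commitment over all kappa transfer public keys and blinded messages
        \\ h_T := H(T_1, \dots, T_\kappa)
        \\ h_{\overline{m}} := H(\overline{m}_1, \dots, \overline{m}_\kappa)
        \\ h_C := H(h_T, h_{\overline{m}})
        \\ \rho_{RC} := \langle h_C, D_{p(t)}, D_{p(0)}, C_p^{(0)}, \sigma_C^{(0)} \rangle
        \\ \sigma_{RC} := \text{Ed25519.Sign}(c_s^{(0)}, \rho_{RC})
        \\ \text{Persist refresh-request } \langle \omega, \rho_{RC}, \sigma_{RC} \rangle
        \\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho_{RC}, \sigma_{RC}} &
        % Exchange checks refresh request
        \\ & & (h_C, D_{p(t)}, D_{p(0)}, C_p^{(0)}, \sigma_C^{(0)} = \rho_{RC})
        \\ & & \textbf{check } \text{Ed25519.Verify}(C_p^{(0)}, \rho_{RC}, \sigma_{RC})
        % A request that was seen before gets the stored gamma back, so
        % resubmitting the same rho_RC does not yield a different challenge.
        \\ & & x := \text{GetOldRefresh}(\rho_{RC})
        \\ & & \textbf{Comment: }\text{GetOldRefresh} (\rho_{RC} \mapsto \{\bot,\gamma\})
        \\ & & \pcif x = \bot
        \\ & & v := \text{Denomination}(D_{p(t)})
        \\ & & \langle e_0, N_0 \rangle := D_{p(0)}
        % NOTE(review): presumably the request is rejected when the old coin
        % would be overspent -- confirm the polarity of this check.
        \\ & & \textbf{check } \text{IsOverspending}(C_p^{(0)}, D_{p(0)}, v)
        \\ & & \textbf{check } D_{p(t)} \in \{D_{p(i)}\}
        \\ & & \textbf{check } \text{FDH}(N_0, C_p^{(0)}) \equiv_{N_0} (\sigma_C^{(0)})^{e_0}
        \\ & & \text{MarkFractionalSpend}(C_p^{(0)}, v)
        % presumably gamma is drawn at random from the index set -- confirm
        \\ & & \gamma \leftarrow \{1, \dots, \kappa\}
        \\ & & \text{Persist refresh-record } \langle \rho_{RC},\gamma \rangle
        \\ & & \pcelse
        \\ & & \gamma := x
        \\ & & \textbf{endif}
        \\ & \xleftarrow[\rule{2.5cm}{0pt}]{\gamma} &
        \\
        \\
        \\ & \textit{Continued in figure~\ref{fig:refresh-part2-rsa-redesign}} &
        %\\ \pcintertext[dotted]{(Continued in Figure)}
      \end{array}$
    }
  \end{equation*}
  \caption{Redesigned RSA refresh protocol (commit phase)}
  \label{fig:refresh-part1-rsa-redesign}
\end{figure}

% Reveal phase: the customer reveals every transfer secret except t_gamma; the
% exchange re-derives those entries, recomputes the commitment and, if it
% matches h_C, signs the blinded message with index gamma.
\begin{figure}[htp]
  \begin{equation*}
    \resizebox{1.0\textwidth}{!}{$\displaystyle
      \begin{array}{ l c l }
        % preliminaries
        \text{Customer} & & \text{Exchange}
        \\ & \textit{Continuation of figure~\ref{fig:refresh-part1-rsa-redesign}} &
        \\
        \\
        % Check challenge and send challenge response (reveal not selected msgs)
        \\ & \xleftarrow[\rule{2.5cm}{0pt}]{\gamma} &
        \\ \textbf{check } \text{IsConsistentChallenge}(\rho_{RC}, \gamma)
        \\ \textbf{Comment: } \text{IsConsistentChallenge}\\(\rho_{RC}, \gamma) \mapsto \{ \bot,\top \}
        \\
        \\ \text{Persist refresh-challenge } \langle \rho_{RC}, \gamma \rangle
        \\ S := \langle t_1, \dots, t_{\gamma-1}, t_{\gamma+1}, \dots, t_\kappa \rangle % all seeds without the gamma seed
        \\ \rho_L = \langle C_p^{(0)}, D_{p(t)}, T_{\gamma},\overline{m}_\gamma \rangle
        \\ \rho_{RR} = \langle T_\gamma, \overline{m}_\gamma, S \rangle
        \\ \sigma_{L} = \text{Ed25519.Sign}(c_s^{(0)}, \rho_{L})
        \\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho_{RR},\rho_L, \sigma_{L}} &
        % check revealed msgs and sign coin
        \\ & & \langle T'_\gamma, \overline{m}'_\gamma, S \rangle := \rho_{RR}
        \\ & & \langle t_1, \dots, t_{\gamma-1}, t_{\gamma+1}, \dots, t_\kappa \rangle := S
        % NOTE(review): the figure does not show the exchange comparing the
        % T_gamma and blinded message inside rho_L with the primed values taken
        % from rho_RR -- confirm that this comparison is implied.
        \\ & & \textbf{check } \text{Ed25519.Verify}(C_p^{(0)}, \rho_L, \sigma_L)
        \\ & & \textbf{for } i = 1,\dots, \gamma-1, \gamma+1,\dots, \kappa
        \\ & & X_i := \text{RefreshDerive}(t_i, D_{p(t)}, C_p^{(0)})
        \\ & & \langle T_i, c_s^{(i)}, C_p^{(i)}, \overline{m}_i \rangle := X_i
        \\ & & \textbf{endfor}
        % recompute the commitment from the re-derived entries plus the
        % unrevealed gamma entry supplied by the customer
        \\ & & h_T' = H(T_1,\dots,T_{\gamma-1},T'_{\gamma},T_{\gamma+1},\dots,T_\kappa)
        \\ & & h_{\overline{m}}' = H(\overline{m}_1,\dots,\overline{m}_{\gamma-1},\overline{m}'_{\gamma},\overline{m}_{\gamma+1},\dots,\overline{m}_\kappa)
        \\ & & h_C' = H(h_T', h_{\overline{m}}')
        \\ & & \textbf{check } h_C = h_C'
        % only the blinded message that passed the commitment check is signed
        \\ & & \overline{\sigma}_C^{(\gamma)} := (\overline{m}'_\gamma)^{d_{s(t)}}
        \\ & & \text{persist } \langle \rho_L, \sigma_L, S \rangle
        \\ & \xleftarrow[\rule{2.5cm}{0pt}]{\overline{\sigma}_C^{(\gamma)}} &
        % Check coin signature and persist coin
        \\ \sigma_C^{(\gamma)} := r^{-1}\overline{\sigma}_C^{(\gamma)}
        \\ \textbf{check if } (\sigma_C^{(\gamma)})^{e_t} \equiv_{N_t} C_p^{(\gamma)}
        \\ \text{Persist coin } \langle D_{p(t)}, c_s^{(\gamma)}, C_p^{(\gamma)}, \sigma_C^{(\gamma)} \rangle
      \end{array}$
    }
  \end{equation*}
  \caption{Redesigned RSA refresh protocol (reveal phase)}
  \label{fig:refresh-part2-rsa-redesign}
\end{figure}


\section{Linking Protocol}
The changes are described in \autoref{fig:refresh-link-rsa-redesign}.
% Linking: the customer rebuilds each refreshed coin from the old coin's
% private key c_s^{(0)} and the link data returned by the exchange.
\begin{figure}[htp]
  \begin{equation*}
    \resizebox{1.0\textwidth}{!}{$\displaystyle
      \begin{array}{ l c l }
        % preliminaries
        \text{Customer} & & \text{Exchange}
        \\ \text{knows:} & & \text{knows:}
        \\ \text{coin}_0 = \langle D_{p(0)}, c_s^{(0)}, C_p^{(0)}, \sigma_{C}^{(0)} \rangle
        \\ & \xrightarrow[\rule{2.5cm}{0pt}]{C_p^{(0)}} &
        \\ & & L := \text{LookupLink}(C_p^{(0)})
        \\ & & \textbf{Comment: } \text{LookupLink}(C_p) \mapsto \{\langle \rho_L^{(i)},
        \\ & & \sigma_L^{(i)}, \overline{\sigma}_C^{(i)} \rangle\}
        \\ & \xleftarrow[\rule{2.5cm}{0pt}]{L} &
        % each entry carries the link data, its signature and the blinded coin signature
        \\ \pcfor \langle \rho_{L}^{(i)}, \sigma_L^{(i)}, \overline{\sigma}_C^{(i)} \rangle \in L
        \\ \langle \hat{C}_p^{(i)}, D_{p(t)}^{(i)}, T_\gamma^{(i)}, \overline{m}_\gamma^{(i)} \rangle := \rho_L^{(i)}
        \\ \langle e_t^{(i)}, N_t^{(i)} \rangle := D_{p(t)}^{(i)}
        % the link data must name this coin and be signed with its key
        \\ \textbf{check } \hat{C}_p^{(i)} \equiv C_p^{(0)}
        \\ \textbf{check } \text{Ed25519.Verify}(C_p^{(0)}, \rho_{L}^{(i)}, \sigma_L^{(i)})
        \\ x_i := \text{ECDH}(c_s^{(0)}, T_{\gamma}^{(i)})
        \\ c_s^{(i)} := \text{HKDF}(256, x_i, \text{"c"})
        \\ C_p^{(i)} := \text{Ed25519.GetPub}(c_s^{(i)})
        \\ b_s^{(i)} := \text{HKDF}(256, x_i, \text{"b-seed"})
        \\ r_i := \text{FDH}(b_s^{(i)})
        % unblind the blinded signature from L, as in the reveal phase
        \\ \sigma_C^{(i)} := (r_i)^{-1} \cdot \overline{\sigma}_C^{(i)}
        \\ \textbf{check } (\sigma_C^{(i)})^{e_t^{(i)}} \equiv_{N_t^{(i)}} C_p^{(i)}
        \\ \text{(Re-)obtain coin } \langle D_{p(t)}^{(i)},c_s^{(i)}, C_p^{(i)}, \sigma_C^{(i)} \rangle
      \end{array}$
    }
  \end{equation*}
  \caption{Redesigned RSA linking protocol}
  \label{fig:refresh-link-rsa-redesign}
\end{figure}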