commit 04dc8e03d8b80b3e7abc975a4f2f2b3eef6383d8
parent 5ce99d6aad91415aa200cec297a54afa2dfa2457
Author: Özgür Kesim <oec-taler@kesim.org>
Date: Tue, 22 Apr 2025 16:07:36 +0200
[dd:pq-refresh] refined protocol modifications for exchange
Diffstat:
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/design-documents/062-pq-refresh.rst b/design-documents/062-pq-refresh.rst
@@ -115,11 +115,13 @@ published.
fresh coin denomination selections ``pkD[1],...pkD[n]`` to the exchange,
with signature ``σ_c`` made with the dirty coins' private key ``cs`` over the request.
- Exchange verifies the request.
- - Exchange calculates ``h_m = H(r, pkD[], m[][], meta, <maybe more>)``
+ - Exchange calculates ``h_m[i] = H(m[i][1],...,m[i][n])`` for all ``i`` from ``1...κ``
+ - Exchange calculates ``H_m = H(h_m[1],...,h_m[κ])``
+ - Exchange calculates ``rc = H(r, pkD[], H_m, meta, <maybe more>)``
- Exchange chooses ``γ`` from ``1...κ`` and signs all ``m[γ][]``,
resulting in ``σ[γ][]``. This is done now as the exchange may later
have deleted (or lost) its private signing key.
- - Exchange persists ``h_m → (r, γ, pkD[], m[γ][], σ[γ][], σ_c)``,
+ - Exchange persists ``rc → (r, γ, pkD[], H_m, h_m[γ], σ[γ][], σ_c)``,
deducts the cost for the operation from the old coin balance
(in the same database transaction) and returns ``γ`` to the client.
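Review bot: the three hash steps added at ``h_m[i]``, ``H_m`` and ``rc`` all use a bare ``H(...)`` while the verification hunk in the same file uses a tagged hash (``Hash1a("Refresh", ...)``); since the outputs of one step become inputs of the next, give each of the three invocations its own domain-separation tag so that a hash of blinded messages can never be confused with a hash of hashes or with the commitment ``rc``, and spell out what ``<maybe more>`` is meant to cover (for instance whether the dirty coin's public key or ``σ_c`` is bound into ``rc``) before this is merged. Also note that the persisted record now drops ``m[γ][]`` (the old line stored it, the new line stores only ``H_m`` and ``h_m[γ]``); that is fine as long as the exchange only ever needs to return ``σ[γ][]``, but a one-line remark that the blinded messages for ``γ`` are intentionally not retained would prevent a later reader from treating it as an omission.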
@@ -131,7 +133,9 @@ published.
- Exchange derives ``r_i`` from ``r`` and verifies each signature
``s[i]`` over ``Hash1a("Refresh", C_p, r_i, pkDs)``.
- Exchange reconstructs the blinded coins ``m'[i][]`` for ``i != γ``.
- - Exchange verifies ``h_m = H(pkD[], m'[1][],...,m[γ][],...,m'[κ][], ...)`` equality.
+ - Exchange calculates ``h'_m[i] = H(m'[i][])`` for all ``i != γ``.
+ - Exchange calculates ``H'_m = H(h'_m[1],...,h_m[γ],...h'_m[κ])``.
+ - Exchange verifies ``rc == H(r, pkD[], H'_m, ...)`` equality.
- Exchange returns ``σ[γ][]`` on success.
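Review bot: the recomputation in this hunk is not written with the same inputs as the commitment it checks against. ``h'_m[i] = H(m'[i][])`` should match the earlier ``h_m[i] = H(m[i][1],...,m[i][n])`` term for term (same ordering over the ``n`` fresh denominations), ``H'_m = H(h'_m[1],...,h_m[γ],...h'_m[κ])`` is missing the comma after ``h_m[γ]``, and ``rc == H(r, pkD[], H'_m, ...)`` should list ``meta`` and whatever replaces ``<maybe more>`` explicitly, exactly as in the commitment step, otherwise an implementer cannot tell which fields the equality covers. It would also help to state that ``h_m[γ]`` used here is the value read back from the persisted ``rc → (...)`` record, since the exchange no longer holds ``m[γ][]`` and cannot recompute it.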
It is worth noting that, in contrast to the existing refresh protocol, the