commit 375d7bcce35d1a8c3e1dd6a732261759b61f58fb
parent dad47e3bdf5ffefcb19831910a7f8d1eacd8d57d
Author: Özgür Kesim <oec-taler@kesim.org>
Date: Sat, 12 Apr 2025 18:40:03 +0200
[dd:pq-refresh] refine protocol
Diffstat:
1 file changed, 30 insertions(+), 25 deletions(-)
diff --git a/design-documents/062-pq-refresh.rst b/design-documents/062-pq-refresh.rst
@@ -38,45 +38,52 @@ derive the key material of a fresh coin from the old coin:
# Notation:
# r = random seed, cs = coin secret, Cp = coin public key
- # pkDt = denomination key
+ # pkD = denomination key
- def RefreshDerivePQ(r, cs, Cp, pkDt):
- t = ("Refresh", Cp)
- s = SignDeterministic(cs, Hash1(t), r)
- x = Hash1(s)
- X = Hash1(x)
+ def RefreshDerivePQ(r, cs, Cp, pkD):
+ t = Hash1a("Refresh", Cp, r)
+ s = SignDeterministic(cs, t)
+ x = Hash1b(s)
c2_s, C2_p = KeyGen(x)
b = Hash2(x)
- m = Blind(C2_p, b, pkDt)
- return (t, s, X, c2_s, C2_p, m)
+ m = Blind(C2_p, b, pkD)
+ return (t, s, c2_s, C2_p, m)
Key Changes to the existing RefreshDerive:
1. *Deterministic Signatures*: ``s`` proves ownership without DH
- 2. *Hash Chain*: ``x``/``X`` derived through sequential hashing
- 3. *PQ Commitments*: ``X`` serves as public pre-image commitment
+ 2. *Hash Chain*: ``x`` derived through hashing
+
+The hash functions ``Hash1x`` might be the same, but can be pair-wise
+different. However, the hash function ``Hash2`` must be different from
+all of the other.
Protocol Modifications
^^^^^^^^^^^^^^^^^^^^^^
1. **Melting/Commit Phase**:
- - Client generates κ refresh sessions
- - Includes m_i, X_i in commitment
- - Exchange verifies signature s_i over Hash1("Refresh", C_p)
+ - Client generates κ refresh blinded coin candidates m_1,... m_κ.
+ - Sends dirty coin, new denomination and all m_i to the exchange, signed with diry coins' private key
+ - Exchange verifies the request.
+ - Exchange calculates h_m = H(m_1,...m_κ)
+ - Exchange chooses γ from 1...K and signs m_γ.
+ - Exchange persists h_m → (γ, m_γ, σ_γ) and returns γ to the client.
2. **Reveal Phase**:
- - Client discloses all except γ-th session
- - Exchange reconstructs hash chains
- - Verifies h_C = H(h_X, h_m) consistency
+ - Client discloses together with h_m all except the γ-th random seeds r_i
+ and signatures s_i from the call to RefreshDerive.
+ - Exchange verifies signature s_i over Hash1a("Refresh", C_p, r_i).
+ - Exchange reconstructs the blinded coins m'_i.
+ - Exchange verifies h_m = H(m'_1, ..., m_γ, ... m'_κ) equality.
+ - Exchange returns σ_γ on success.
-It is worth noting that, in contrast to the existing refresh protocol
-and the proposed protocol [1]_, the client sents all κ tuples of (m_i, X_i)
-pairs in the commitment phase. This is necessary such that the exchange
-can sign the request with a valid denomination key *at the moment of melting*.
-This ensures idempotency of the melting/commit request and that caries over to
-the reveal phase.
+It is worth noting that, in contrast to the existing refresh protocol, the
+client sents all κ tuples of m_i already in the commitment phase. This is
+necessary such that the exchange can sign the request with a valid denomination
+key *at the moment of melting*. This ensures idempotency of the melting/commit
+request and that caries over to the reveal phase.
Database Changes
^^^^^^^^^^^^^^^^
@@ -159,7 +166,7 @@ Modified melt request structure:
// for the new coins to order.
denoms_h: HashCode[];
- // Hash of all the commitments k*n X_i as defined in the
+ // Hash of all the commitments k*n X_i as defined in the
// RefreshDerivePQ function.
h_Xs: HashCode;
@@ -233,5 +240,3 @@ TODO
References
==========
.. [1] Work by Jonathan Levine et al., TU Eindhoven. Reference be added here once published
-
-
