commit 51cc3553559392d3d782afd20fceb8999a85d3a3
parent 07dbeba84e935c6239b0eedca85e3edcbc551112
Author: Christian Grothoff <christian@grothoff.org>
Date: Tue, 22 Apr 2025 14:47:42 +0200
-clarify
Diffstat:
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/design-documents/062-pq-refresh.rst b/design-documents/062-pq-refresh.rst
@@ -70,8 +70,8 @@ considered as a kind of a commitment ("I'm going to sign this value") by the
dirty coin. Actual *secret* is the signature which needs to be disclosed
during the reveal-part of the refresh operation.
-A variant of this algorithm that is suitable for retrieving a batch of ``n`` coins
-from a dirty coin is as follows:
+A variant of this algorithm that is suitable for retrieving a batch of ``n``
+fresh coins from a dirty coin is as follows:
.. sourcecode:: python
@@ -89,10 +89,13 @@ from a dirty coin is as follows:
m[i] = Blind(C2_p[i], b[i], pkD)
return (s, c2_s, C2_p, m)
-Again, the value ``r`` is a public value and can be considered as a kind of a
-commitment ("I'm going to sign this value") by the dirty coin. Actual
-*secrets* are the signatures which need to be disclosed during the reveal-part
-of the refresh operation.
+Note that the above deriviation will need to be done ``kappa`` times with
+``kappa - 1`` of the signatures ``s`` being checked by the exchange as part of
+the reveal state of the cut-and-choose protocol. Again, each of the ``kappa``
+values ``r`` is a public value and can be considered as a kind of a commitment
+("I'm going to sign this value") by the dirty coin. The actual *secrets* are
+the ``kappa`` signatures ``s`` which need to be disclosed during the
+reveal-part of the refresh operation.
Protocol Modifications
