taler-docs

Documentation for GNU Taler components, APIs and protocols

commit 60084fa7e27bbd219cecbb3814783f817d71efee
parent 328996a53fecdbae0636a42e51c41138a2c7eae0
Author: Özgür Kesim <oec-taler@kesim.org>
Date:   Wed, 27 Apr 2022 17:19:06 +0200

-fixes in the description of reveal with age restriction

Diffstat:
M design-documents/024-age-restriction.rst | 29 +++++++++++++++++------------
1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst @@ -100,7 +100,7 @@ The main ideas are simple: SHA256 hash value of the age commitment (i.e. the M public keys) into the signature of the coin. So instead of signing :math:`\text{FDH}_N(C_p)` with the RSA private key of a denomination with support for age restriction, we - sign :math:`\text{FDH}_N(C_p, h_a)`. Here, :math:`C_p` is the Edx25519_ public + sign :math:`\text{FDH}_N(C_p, h_a)`. Here, :math:`C_p` is the EdDSA public key of a coin and :math:`h_a` is the hash of the age commitment. TODO: Summarize the design based on the five functions ``Commit()``, @@ -323,7 +323,7 @@ for the signature check is as before (borrowing notation from .. math:: \text{FDH}_N(C_p)\; \stackrel{?}{=}\; \left(\sigma_C\right)^{e} \;\;\text{mod}\,N -Here, :math:`C_p` is the Edx25519_ public key of a coin, :math:`\sigma_C` is its +Here, :math:`C_p` is the EdDSA public key of a coin, :math:`\sigma_C` is its signature and :math:`\langle e, N \rangle` is the RSA public key of the denomination. 
@@ -373,14 +373,19 @@ The existing `cut&choose protocol during the reveal phase </core/api-exchange.html#post--refreshes-$RCH-reveal>`__ is extended to perform the following additional computation and checks: -Using the κ-1 transfer secrets from the reveal request, the exchange derives -κ-1 age commitments from the ``old_age_commitment`` by calling -``Edx25519_derive_public(old_age_commitment, s_κ)`` from Edx25519_. Now -provided with a total κ age commitments, it can calculate the corresponding κ -age commitment hash values :math:`h_a` of those commitments. With those, it -can continue to perform the cut&choose protocol, i. e. calculate the disclosed -κ-1 coin's signatures :math:`\text{FDH}_N(C_p, h_a)` and finally compare the -hash over all κ signatures with the value given during the melt phase. +Using the κ-1 transfer secrets :math:`\tau_i` from the reveal request, the +exchange derives κ-1 age commitments from the ``old_age_commitment`` by calling +``Edx25519_derive_public()`` on each `Edx25519PublicKey` with :math:`\tau_i` as +the seed. It then calculates the corresponding κ-1 age commitment hash values +:math:`h_i` of those commitments. + +It then calculates the κ-1 blinded hashes +:math:`m_i = r^{e_i}\text{FDH}_N(C_p, h_i)` (using the notation from Florian's +thesis) of the disclosed coins and together with the :math:`m_\gamma` of the +undisclosed coin, calculates the hash +:math:`h'_m = H(m_i,\cdots,m_\gamma,\cdots,m_\kappa)` which is then used in the +final verification step of the cut&choose protocol. + Deposit ~~~~~~~ @@ -413,7 +418,7 @@ by evaluating .. math:: \text{FDH}_N(C_p, h_a)\; \stackrel{?}{=}\; \left(\sigma_C\right)^{e} \;\;\text{mod}N -Also again, :math:`C_p` is the Edx25519_ public key of a coin, :math:`\sigma_C` is +Also again, :math:`C_p` is the EdDSA public key of a coin, :math:`\sigma_C` is its signature, :math:`\langle e, N \rangle` is the RSA public key of the denomination and :math:`h_a` is the value from ``age_commitment_hash``. 
@@ -504,7 +509,7 @@ The merchant can now verify .. math:: \text{FDH}_N(C_p, h_a)\; \stackrel{?}{=}\; \left(\sigma_C\right)^{e} \;\;\text{mod}N - Again, :math:`C_p` is the Edx25519_ public key of a coin, :math:`\sigma_C` is + Again, :math:`C_p` is the EdDSA public key of a coin, :math:`\sigma_C` is its signature, :math:`\langle e, N \rangle` is the RSA public key of the denomination and :math:`h_a` is the SHA256 hash value of the vector in ``age_commitment``.
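
Review bot: In the reveal hunk (@@ -373,14 +373,19 @@) the added formula ``m_i = r^{e_i}\text{FDH}_N(C_p, h_i)`` is indexed inconsistently with the rest of the document: the exponent is written ``e_i`` although the verification equations give the denomination key as ``\langle e, N \rangle`` with no index, while ``r`` and ``C_p`` carry no index even though ``h_i`` and ``m_i`` are per coin. Suggest defining ``r`` in this paragraph, indexing ``r`` and ``C_p`` per disclosed coin, dropping the index on ``e`` (or defining ``e_i`` if it is intended), and writing the ``mod N`` reduction as the other equations do. The argument list of ``H(m_i,\cdots,m_\gamma,\cdots,m_\kappa)`` starts at ``m_i`` where ``m_1`` seems to be meant, and the new text no longer says what ``h'_m`` is compared against; the removed paragraph named the value given during the melt phase, which is worth keeping. Two smaller points: ``Edx25519PublicKey`` is in single backticks while ``old_age_commitment`` and ``Edx25519_derive_public()`` use double backticks, and the hunk leaves two blank lines before the Deposit heading.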
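
Review bot: In the deposit and merchant hunks (@@ -413,7 +418,7 @@ and @@ -504,7 +509,7 @@) the equation directly above the changed line ends in ``\text{mod}N``, whereas the same check in the @@ -323,7 +323,7 @@ hunk is written ``\text{mod}\,N``. Since these paragraphs are being edited anyway, suggest adding the ``\,`` in both places so the three signature checks render identically.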