commit 7f1951cfe61f601da87191c98561b44cf1a3ff73
parent abc193e19b81d2341eb6a1bf40e7592550f0473d
Author: Christian Grothoff <christian@grothoff.org>
Date: Tue, 22 Apr 2025 14:57:53 +0200
-clarify
Diffstat:
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/design-documents/062-pq-refresh.rst b/design-documents/062-pq-refresh.rst
@@ -83,8 +83,8 @@ fresh coins from a dirty coin is as follows:
t = Hash1a("Refresh", Cp, r, pkDs, meta)
s = SignDeterministic(cs, t)
for i, pkD in enumerate(pkDs):
- x[i] = Hash1b(s, i)
- b[i] = Hash2(s, i)
+ x[i] = Hash1b(s, i) # Note: can be done with one HKDF for all i
+ b[i] = Hash2(s, i) # Note: can be done with one HKDF for all i
c2_s[i], C2_p[i] = KeyGen(x[i])
m[i] = Blind(C2_p[i], b[i], pkD)
return (s, c2_s, C2_p, m)
@@ -124,15 +124,16 @@ published.
2. **Reveal Phase**:
- - Client discloses together with h_m all except the γ-th
- (secret) signatures s[1],...,s[κ] from the κ calls to RefreshDeriveBatch.
- - Exchange verifies each signature s[i] over Hash1a("Refresh", C_p, r_i, pkDs).
- - Exchange reconstructs the blinded coins m'[][] (except the γ-th).
- - Exchange verifies h_m = H(pkD[], m'[1][],...,m[γ][],...,m'[κ][], ...) equality.
- - Exchange returns σ[γ][] on success.
+ - Client discloses together with ``h_m`` all except the ``γ``-th
+ (secret) signatures ``s[1],...,s[κ]`` from the ``κ`` calls to RefreshDeriveBatch.
+ - Exchange derives ``r_i`` from ``r`` and verifies each signature
+ ``s[i]`` over ``Hash1a("Refresh", C_p, r_i, pkDs)``.
+ - Exchange reconstructs the blinded coins ``m'[i][]`` for ``i != γ``.
+ - Exchange verifies ``h_m = H(pkD[], m'[1][],...,m[γ][],...,m'[κ][], ...)`` equality.
+ - Exchange returns ``σ[γ][]`` on success.
It is worth noting that, in contrast to the existing refresh protocol, the
-client sends all n*κ tuples m[][] already in the commitment phase. This is
+client sends all ``n*κ`` tuples ``m[][]`` already in the commitment phase. This is
necessary such that the exchange can sign the request with a valid denomination
key *at the moment of melting*. This ensures idempotency of the melting/commit
request and that caries over to the reveal phase.
@@ -142,11 +143,14 @@ is a **public** value and can be considered a commitment ("I'm going to sign
this value") made by the dirty coin. The actual *secrets* are the signatures
which are reveal in the second phase.
-Note that for the Linking protocol, given the dirty coin's public key,
-the Exchange simply returns the master seed r and the dirty coins' signature
-σ_c over the original refresh request. The owner of the private key of the
-dirty coin can then replay the refresh protocol and can be sure that the master
-seed was of its own origin.
+Note that for the Linking protocol, given the dirty coin's public key, the
+Exchange simply returns the master seed ``r`` and the dirty coins' signature
+``σ_c`` over the original refresh request. The owner of the private key of
+the dirty coin can then replay the refresh protocol and can be sure that the
+master seed was of its own origin. Furthermore, the coin history endpoint
+must already return this information (so that clients can verify the old coin
+history about the refresh), thus obsoleting the need for a separate "/link"
+endpoint.
Database Changes
