commit 99ac48e1e36b60facc27f84bc50d525be429a42e
parent 2634ad1e6e987d26b830bd71a6b28f0e24744328
Author: Özgür Kesim <oec-taler@kesim.org>
Date: Tue, 22 Apr 2025 13:33:05 +0200
[dd:pq-refresh] make clear that r is a public value, signatures are secrets
Diffstat:
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/design-documents/062-pq-refresh.rst b/design-documents/062-pq-refresh.rst
@@ -27,7 +27,7 @@ This redesign:
Requirements
============
-* PQ-resistant refresh without computational hardness assumptions
+* PQ-resistant refresh key derivation without computational hardness assumptions
* Preservation of unlinkability between old/new coins (except for coin owner)
* Compatibility with existing denomination types
* Minimal bandwidth/storage overhead
@@ -65,6 +65,11 @@ The hash functions ``Hash1x`` might be the same, but can be pair-wise
different. However, the hash function ``Hash2`` must be different from
all of the other.
+Note that the value ``r`` in the algorithm itself is a public value and can be
+considered as a kind of a commitment ("I'm going to sign this value") by the
+dirty coin. Actual *secret* is the signature which needs to be disclosed
+during the reveal-part of the refresh operation.
+
A variant of this algorithm that is suitable for retrieving a batch of n coins
from a dirty coin is as follows:
@@ -84,6 +89,11 @@ from a dirty coin is as follows:
m[i] = Blind(C2_p[i], b[i], pkD)
return (s, c2_s, C2_p, m)
+Again, the value ``r`` is a public value and can be considered as a kind of a
+commitment ("I'm going to sign this value") by the dirty coin. Actual
+*secrets* are the signatures which need to be disclosed during the reveal-part
+of the refresh operation.
+
Protocol Modifications
^^^^^^^^^^^^^^^^^^^^^^
@@ -94,7 +104,7 @@ published.
1. **Melting/Commit Phase**:
- - Client chooses a master seed r and derives κ nonces r_1, ... r_κ.
+ - Client chooses a master (public) seed r and derives κ nonces r_1, ... r_κ.
- Client generates, using RefreshDeriveBatch, κ*n blinded coin planchets
m[1][1],...,m[1][n],...,m[κ][1],..,m[κ][n] from the nonces
- Sends dirty coin, r, all m[i][j] and new denom-info pkD[] to the exchange,
@@ -108,7 +118,7 @@ published.
2. **Reveal Phase**:
- Client discloses together with h_m all except the γ-th
- signatures s[1],...,s[κ] from the κ calls to RefreshDeriveBatch.
+ (secret) signatures s[1],...,s[κ] from the κ calls to RefreshDeriveBatch.
- Exchange verifies each signature s[i] over Hash1a("Refresh", C_p, r_i, pkDs).
- Exchange reconstructs the blinded coins m'[][] (except the γ-th).
- Exchange verifies h_m = H(pkD[], m'[1][],...,m[γ][],...,m'[κ][], ...) equality.
@@ -120,6 +130,11 @@ necessary such that the exchange can sign the request with a valid denomination
key *at the moment of melting*. This ensures idempotency of the melting/commit
request and that caries over to the reveal phase.
+Also note, as described above, the master seed ``r`` for the refresh operation
+is a **public** value and can be considered a commitment ("I'm going to sign
+this value") made by the dirty coin. The actual *secrets* are the signatures
+which are reveal in the second phase.
+
Note that for the Linking protocol, given the dirty coin's public key,
the Exchange simply returns the master seed r and the dirty coins' signature
σ_c over the original refresh request. The owner of the private key of the
