taler-docs

Documentation for GNU Taler components, APIs and protocols

commit ae9fab427be76fdc138b5f0ea6903963bd532050
parent f56e2962da5602b9859ba2555ee6d14f50763cc5
Author: Özgür Kesim <oec-taler@kesim.org>
Date:   Thu, 11 Dec 2025 16:41:42 +0100

[exchange] refine derivation of transfer-batch-seeds and transfer-secrets

Diffstat:
M core/api-exchange.rst | 29 +++++++++++++++++++----------
1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/core/api-exchange.rst b/core/api-exchange.rst @@ -2204,10 +2204,15 @@ Melt // // Note: The honest owner of the old coin SHOULD use this value // and the old coin's private key to derive kappa many - // transfer secret seeds like this: - // ``ts_seeds[k] = SHA512(master_refresh_seed, old_coin_priv, "s", k)`` + // transfer secret batch seeds like this: + // ``bs[] = HKDF(kappa*sizeof(HashCode),`` + // ``"refresh-batch-seeds",`` + // ``old_coin_priv,`` + // ``master_refresh_seed)`` // Each of the kappa seeds is then expanded via HKDF: - // ``ts[k][] = HKDF(sizeof(HashCode)*n, ts_seeds[k], "ts")`` + // ``ts[k][] = HKDF(n*sizeof(HashCode),`` + // ``"refresh-batch-transfer-secrets",`` + // ``bs[k])`` // An individual coin's transfer secret at kappa-index k and // coin index i in the batch is then ``ts[k][i]`` // This ensures that the honest owner of the old coin can replay 
@@ -2346,13 +2351,17 @@ as proof that the age restriction was set correctly (if applicable). signatures: CoinSignature[kappa-1]; // @since vDOLDPLUS - // The seeds for the transfer secrets to reveal. - // For the kappa many batches of n coin candidates, - // each of the seeds in this list are expanded via HKDF: - // ``ts[k][] = HKDF(sizeof(HashCode)*n, ts_seeds[k], "ts")`` - // An individual coin's transfer secret at kappa-index k and - // coin index i in the batch is then ``ts[k][i]``. - transfer_secret_seeds: HashCode[kappa-1]; + // The seeds for the transfer secrets to reveal, as they + // were generated for the previous `MeltRequest`. + // That is, for the kappa many batches of n coin candidates, + // the seeds for _all_ kappa were are expanded via HKDF: + // ``bs[] = HKDF(kappa*sizeof(HashCode),`` + // ``"refresh-batch-seeds",`` + // ``old_coin_priv,`` + // ``master_refresh_seed)`` + // This field contains the entries in ``bs[]`` for all the indeces + // *except* the ``noreveal_index``. + batch_seeds: HashCode[kappa-1]; // IFF the denomination of the old coin had support for age restriction, // the client MUST provide the original age commitment, i. e. the
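Review bot: In the Melt hunk (@@ -2204), the new HKDF calls never name the role of each argument, and the argument order differs from the removed lines. The removed form was ``HKDF(sizeof(HashCode)*n, ts_seeds[k], "ts")`` with the key before the label; the added forms put the label second, and the first call passes two inputs after it (``old_coin_priv``, ``master_refresh_seed``) while the second passes one (``bs[k]``). Please state which argument is the salt, which is the input keying material and which is the context string, because wallet and exchange have to derive identical ``bs[]`` and ``ts[k][]`` values from this comment alone. It would also help to say explicitly that ``bs[k]`` is the k-th ``HashCode``-sized slice of the HKDF output, and to change the unchanged context line "Each of the kappa seeds is then expanded via HKDF" to say "batch seeds" so it matches the new wording.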
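Review bot: In the second hunk (@@ -2346), the comment on ``batch_seeds: HashCode[kappa-1]`` does not say in which order the kappa-1 entries appear, so a reader cannot tell which array position belongs to which k once ``noreveal_index`` is left out. Suggest stating the order, for example ascending k with ``noreveal_index`` skipped. The added text also has two typos, "were are expanded" and "indeces", and it mixes markup: `MeltRequest` is in single backticks and ``_all_`` uses underscores, while the surrounding comments use double backticks and ``*except*``. The removed lines explained how each seed expands into ``ts[k][]``; the new comment only covers ``bs[]``, so a short pointer back to the Melt description of the second HKDF step would keep this field self-explanatory. Finally, the field is renamed from ``transfer_secret_seeds`` to ``batch_seeds`` under the existing ``@since vDOLDPLUS`` marker; please confirm no client already sends the old name.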