commit cbf8b5443fffeda2408648d3c2ea9e8450a061f7
parent d162c094fd0c907916c20e43da873a340be63f25
Author: Özgür Kesim <oec-taler@kesim.org>
Date: Wed, 21 Dec 2022 17:08:24 +0100
mentioning of KYC and batch-withdraw
Diffstat:
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst
@@ -301,9 +301,10 @@ The withdraw protocol is affected in the following situations:
- A wire transfer to the exchange (to fill a reserve) was marked by the
originating bank as coming from a bank account of a minor, belonging to a of
- a specific age group.
-- A wire transfer to the exchange was marked to be age-restricted by other
- means (not yet designed or implemented)
+ a specific age group, or by other means.
+- A Peer-to-Peer transaction was performed between customers. The receiving
+ customer's KYC result tells the exchange that the customer belongs to a
+ specific age group.
In these cases, the wallet will have to perform a zero-knowledge protocol with
exchange as part of the the withdraw protocol, which we sketch here. Let
@@ -314,13 +315,12 @@ exchange as part of the the withdraw protocol, which we sketch here. Let
- :math:`a \in \{1,\ldots,M\}` be the maximum age (group) for which the wallet
has to prove its commitment.
-The values :math:`\kappa`, :math:`\Omega` and :math:`a` are known to the Exchange and the Wallet.
+The values :math:`\kappa`, :math:`\Omega` and :math:`a` are known to the
+Exchange and the Wallet. Then, Wallet and Exchange run the following protocol
+for the withdrawal of one coin:
-Then:
-
-#. *Wallet*:
-
- #. creates planchets :math:`C_i` for :math:`i \in \{1,\ldots,\kappa\}` as candidates for *one* coin.
+- *Wallet*
+ 1. creates planchets :math:`C_i` for :math:`i \in \{1,\ldots,\kappa\}` as candidates for *one* coin.
#. creates age-commitments :math:`\vec{Q}^i` for :math:`i \in \{1,\ldots,\kappa\}` as follows:
a) creates :math:`a`-many Edx25519-keypairs :math:`(p^i_j, q^i_j)`
@@ -334,15 +334,13 @@ Then:
#. calculates :math:`F := \text{H}(\beta_1(f_1)||\ldots||\beta_\kappa(f_\kappa))`
#. sends :math:`F` to the Exchange
-#. *Exchange*
-
- #. receives and stores :math:`F`
+- *Exchange*
+ 7. receives and stores :math:`F`
#. chooses randomly :math:`\gamma \in \{1,\ldots,\kappa\}` and
#. sends :math:`\gamma` to the Wallet.
-#. *Wallet*
-
- #. receives :math:`\gamma`
+- *Wallet*
+ 10. receives :math:`\gamma`
#. sends to the Exchange the tuple :math:`\left(r_\gamma, \vec{\beta}, \vec{\vec{Q}}, \vec{\vec{S}}\right)` with
- :math:`r_\gamma := \beta_\gamma(f_\gamma)`
@@ -351,9 +349,8 @@ Then:
- :math:`\vec{\vec{S}} := (\vec{S}^1,\ldots,\vec{S}^{\gamma-1},\bot,\vec{S}^{\gamma+1},\ldots,\vec{S}^\kappa)`
with :math:`\vec{S}^i := (s^i_j)`
-#. *Exchange*:
-
- #. receives :math:`\left(r, (\beta^i), (\vec{Q}^i), (\vec{B}^i) \right)`
+- *Exchange*
+ 12. receives :math:`\left(r, (\beta^i), (\vec{Q}^i), (\vec{B}^i) \right)`
#. calculates :math:`g_i := \beta_i\left(\text{FDH}(\vec{Q}^i)\right)` for :math:`i \neq \gamma`
#. compares :math:`F \overset{?}{=} \text{H}(g_1||\ldots||g_{\gamma - 1}||r||g_{\gamma+1}||\ldots||g_\kappa)` and bails out on inequality
#. for each :math:`\vec{B}^i, i \neq \gamma`
@@ -363,13 +360,16 @@ Then:
#. signs :math:`r`
#. sends (blinded) signature :math:`\sigma_r` to Wallet
-#. *Wallet*:
-
- #. receives :math:`\sigma_r`
+- *Wallet*
+ 18. receives :math:`\sigma_r`
#. calculates (unblinded) signature :math:`\sigma_\gamma := \beta^{-1}_\gamma(\sigma_r)` for coin :math:`C_\gamma`.
-
+Note that the batch version of withdraw allows the withdrawal of *multiple*
+coins at once. For that scenario the protocol sketched above is adapted to
+accomodate for handling multiple coins at once -- thus multiplying the amount
+of data by the amount of coins in question--, but all with the same value of
+:math:`\gamma`.
Refresh - melting phase
