commit d0d42be33fc60dfb12869a2fa0c6529855572039
parent 375d7bcce35d1a8c3e1dd6a732261759b61f58fb
Author: Özgür Kesim <oec-taler@kesim.org>
Date: Sat, 12 Apr 2025 21:31:44 +0200
[dd:pq-refresh] add master seed and note on link-protocol
Diffstat:
1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/design-documents/062-pq-refresh.rst b/design-documents/062-pq-refresh.rst
@@ -61,14 +61,19 @@ all of the other.
Protocol Modifications
^^^^^^^^^^^^^^^^^^^^^^
+Here is a short description of the main steps. We will fill-in the details,
+once the paper is published.
+
1. **Melting/Commit Phase**:
- - Client generates κ refresh blinded coin candidates m_1,... m_κ.
- - Sends dirty coin, new denomination and all m_i to the exchange, signed with diry coins' private key
+ - Client chooses a master seed r and derives κ nonces r_1, ... r_κ.
+ - Client generates κ refresh blinded coin candidates m_1,... m_κ from them.
+ - Sends dirty coin, r, all m_i and new denom-info to the exchange, with signature
+ σ_c of the dirty coins' private key over the request.
- Exchange verifies the request.
- Exchange calculates h_m = H(m_1,...m_κ)
- - Exchange chooses γ from 1...K and signs m_γ.
- - Exchange persists h_m → (γ, m_γ, σ_γ) and returns γ to the client.
+ - Exchange chooses γ from 1...K and signs m_γ, resulting in σ_γ.
+ - Exchange persists h_m → (r, γ, m_γ, σ_γ, σ_c) and returns γ to the client.
2. **Reveal Phase**:
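Review bot: The added "Sends dirty coin, r, all m_i and new denom-info" step says σ_c is "over the request" without listing the signed fields, yet the link note later relies on σ_c to prove that r came from the coin owner. Please state explicitly that σ_c covers r together with all m_i and the denom-info, and describe (or mark as deferred to the paper) how the nonces r_1, ... r_κ are derived from r. Also, the reworked line "Exchange chooses γ from 1...K" still uses K where every other step uses κ; it should read 1...κ.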
@@ -85,6 +90,13 @@ necessary such that the exchange can sign the request with a valid denomination
key *at the moment of melting*. This ensures idempotency of the melting/commit
request and that caries over to the reveal phase.
+Note that for the Linking protocol, given the dirty coin's public key,
+the Exchange simply returns the master seed r and the dirty coins' signature
+σ_c over the original refresh request. The owner of the private key of the
+dirty coin can then replay the refresh protocol and can be sure that the master
+seed was of its own origin.
+
+
Database Changes
^^^^^^^^^^^^^^^^
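Review bot: The link note says the owner "can be sure that the master seed was of its own origin", but it never says the client verifies σ_c against the dirty coin's public key over the returned r before replaying the refresh; that check is what the guarantee rests on and should be written as an explicit step. Since the exchange returns r to anyone who presents the public key, the note should also say whether deriving the r_i needs the dirty coin's private key, which "The owner of the private key ... can then replay" only implies. Minor: "dirty coins' signature" should match the "dirty coin's" spelling used one line earlier.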