commit d4403f695da0c70ed2404082104237d897486405
parent d0d42be33fc60dfb12869a2fa0c6529855572039
Author: Özgür Kesim <oec-taler@kesim.org>
Date: Sat, 12 Apr 2025 21:41:12 +0200
[dd:pq-refresh] add stub for CoinSignature type
Diffstat:
1 file changed, 25 insertions(+), 18 deletions(-)
diff --git a/design-documents/062-pq-refresh.rst b/design-documents/062-pq-refresh.rst
@@ -40,7 +40,7 @@ derive the key material of a fresh coin from the old coin:
# r = random seed, cs = coin secret, Cp = coin public key
# pkD = denomination key
- def RefreshDerivePQ(r, cs, Cp, pkD):
+ def RefreshDerive(r, cs, Cp, pkD):
t = Hash1a("Refresh", Cp, r)
s = SignDeterministic(cs, t)
x = Hash1b(s)
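Review bot: the rename at the `def` line drops the PQ qualifier, so check that no other mention of `RefreshDerivePQ` survives in the document; this diff updates the comment in the melt request hunk, but any other reference will now point at a function that no longer exists. While here, `s = SignDeterministic(cs, t)` silently relies on the signature being reproducible: the exchange can only recompute `x` for the revealed candidates during the cut-and-choose if signing with `cs` over `t` is deterministic, and that requirement deserves a sentence next to the definition.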
@@ -61,15 +61,15 @@ all of the other.
Protocol Modifications
^^^^^^^^^^^^^^^^^^^^^^
-Here is a short description of the main steps. We will fill-in the details,
-once the paper is published.
+Here is a short description of the main steps. We will provide further
+details, once the related paper [1]_ is published.
1. **Melting/Commit Phase**:
- Client chooses a master seed r and derives κ nonces r_1, ... r_κ.
- Client generates κ refresh blinded coin candidates m_1,... m_κ from them.
- - Sends dirty coin, r, all m_i and new denom-info to the exchange, with signature
- σ_c of the dirty coins' private key over the request.
+ - Sends dirty coin, r, all m_i and new denom-info to the exchange, with
+ signature σ_c of the dirty coins' private key over the request.
- Exchange verifies the request.
- Exchange calculates h_m = H(m_1,...m_κ)
- Exchange chooses γ from 1...K and signs m_γ, resulting in σ_γ.
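Review bot: the new `[1]_` citation in "the related paper [1]_ is published" has no matching `.. [1]` target in this diff; Sphinx will warn about an unknown citation unless one exists elsewhere, so add at least a placeholder entry with the paper's title. Unrelated to the reflow, the context line "Exchange chooses γ from 1...K" uses K where the rest of the list uses κ; worth fixing in passing.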
@@ -105,7 +105,7 @@ TODO, see withdraw
API endpoints
^^^^^^^^^^^^^^
-A new ``/melt`` request is needed, that takes the new `PQMeltRequest` as request
+A new ``/melt`` request is needed, that takes the new `NewMeltRequest` as request
body, see below.
As in the existing melting/commit phase, it invalidates the coin and prepares
for exchanging of fresh coins. Taler uses a global parameter ``kappa`` for the
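Review bot: `NewMeltRequest` is set in single backticks while ``/melt`` on the same line uses double backticks; in reStructuredText single backticks are the default role, so either this is intended as a cross-reference to the `ts:def` (then it must resolve) or it should be a literal. Also consider a name that still makes sense once this becomes the only melt request; "New" dates quickly, and the old `PQ` prefix at least said what distinguished it.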
@@ -147,9 +147,9 @@ Wire Formats
Modified melt request structure:
-.. ts:def:: PQMeltRequest
+.. ts:def:: NewMeltRequest
- interface PQMeltRequest {
+ interface NewMeltRequest {
// The old coin's public key
old_coin_pub: CoinPublicKey;
@@ -178,9 +178,9 @@ Modified melt request structure:
// for the new coins to order.
denoms_h: HashCode[];
- // Hash of all the commitments k*n X_i as defined in the
- // RefreshDerivePQ function.
- h_Xs: HashCode;
+ // Seed from which the nonces for the κ coin candidates are derived
+ // from.
+ r_seed: HashCode;
// Array of ``n`` entries with ``kappa`` many blinded coin candidates,
// matching the respective entries in ``denoms_h``.
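Review bot: the replacement comment "Seed from which the nonces for the κ coin candidates are derived from" repeats "from"; suggest "Seed from which the nonces for the κ coin candidates are derived." Substantively, replacing `h_Xs` (a hash over commitments) with `r_seed` means the request now carries the seed itself, and the document should say explicitly why that is safe: the exchange can derive the nonces `r_1 ... r_κ` from it, but per the derivation in the first hunk the fresh coin material still depends on `SignDeterministic(cs, t)`, i.e. on the old coin's private key, which the seed does not reveal.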
@@ -189,17 +189,17 @@ Modified melt request structure:
// function.
coin_evs: CoinEnvelope[][kappa];
- // Signature by the `coin <coin-priv>` over `TALER_PQMeltCommitmentPS`.
- confirm_sig: EddsaSignature;
+ // Signature by the `coin <coin-priv>` over `TALER_NewMeltCommitmentPS`.
+ confirm_sig: CoinSignature;
}
-The new ``TALER_PQMeltCommitmentPS`` is defined as follows:
+The new ``TALER_NewMeltCommitmentPS`` is defined as follows:
-.. _TALER_PQMeltCommitmentPS:
+.. _TALER_NewMeltCommitmentPS:
.. sourcecode:: c
- struct TALER_PQMeltCommitmentPS {
+ struct TALER_newMeltCommitmentPS {
/**
* purpose.purpose = TALER_SIGNATURE_WALLET_COIN_MELT
*/
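Review bot: the struct name `TALER_newMeltCommitmentPS` (lowercase n) does not match the label `.. _TALER_NewMeltCommitmentPS:` and the prose two lines above; fix the capitalization. More importantly, the signed purpose stays `TALER_SIGNATURE_WALLET_COIN_MELT` while the signed body changes (`r_seed` replaces `h_Xs` in the next hunk), so a signature over the old and the new layout would share a purpose value; assign a distinct purpose constant, or otherwise version the structure, so the two formats stay domain-separated.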
@@ -221,11 +221,18 @@ The new ``TALER_PQMeltCommitmentPS`` is defined as follows:
*/
struct GNUNET_HashCode h_coin_evs;
/**
- * hash over of the required n*kappa transfer public keys, depths first.
+ * The seed for the nonces
*/
- struct GNUNET_HashCode h_Xs;
+ struct GNUNET_HashCode r_seed;
};
+TODO: definition of ``CoinSignature``
+
+.. ts:def:: CoinSignature
+
+ // TODO: this needs to be fully expanded into a new interface
+ type CoinSignature = string;
+
Security Analysis
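Review bot: `type CoinSignature = string;` discards the information the previous `EddsaSignature` type carried (scheme, encoding, length); even as a stub, the TODO should state which signature scheme(s) it is meant to cover and whether it will become a tagged union keyed by cipher, since the Security Analysis section that follows cannot be written against an opaque string. Also, the comment "The seed for the nonces" on `r_seed` should say this is the `r` from the derivation and the same value the client sends in the request, and confirm that a full `GNUNET_HashCode` is the intended size.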