commit f914621e8b8e7c108de0cbcf00393563dce1fbcc
parent 2a13880d2657116216a3460dd4d1770eab8f5d61
Author: Özgür Kesim <oec-taler@kesim.org>
Date: Thu, 17 Apr 2025 20:03:35 +0200
[exchange] update /melt-reveal spec
Diffstat:
3 files changed, 47 insertions(+), 56 deletions(-)
diff --git a/core/api-common.rst b/core/api-common.rst
@@ -1430,36 +1430,6 @@ within the
};
-.. _TALER_MeltCommitmentPS:
-.. sourcecode:: c
-
- struct TALER_MeltCommitmentPS {
- /**
- * purpose.purpose = TALER_SIGNATURE_WALLET_COIN_MELT
- */
- struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
- struct TALER_CoinSpendPublicKeyP old_coin_public_key;
- struct TALER_AgeCommitmentHash old_h_age_commitment;
- struct TALER_AmountNBO value_with_fee;
- /**
- * rms value, or all zeros, if not applicable
- */
- struct TALER_RefreshMasterSecretP rms;
- /**
- * hash over all entries in denoms_h
- */
- struct GNUNET_HashCode h_denoms;
- /**
- * hash over all entries in coin_evs, depths first
- */
- struct GNUNET_HashCode h_coin_evs;
- /**
- * hash over of the required n*kappa transfer public keys, depths first.
- */
- struct GNUNET_HashCode h_transfer_pubs;
- };
-
-
.. _TALER_RefreshMeltCoinAffirmationPS:
.. sourcecode:: c
@@ -1468,6 +1438,14 @@ within the
* purpose.purpose = TALER_SIGNATURE_WALLET_COIN_MELT
*/
struct GNUNET_CRYPTO_EccSignaturePurpose purpose;
+ /**
+ * Hash over:
+ * 1. refresh_seed (v26)
+ * 2. blinding_seed, if present, skip otherwise
+ * 3. list denomination hashes, in order
+ * 4. amount with fee
+ * 5. kappa list of n planchets, depths first: [0..n),[0..n),[0..n)
+ */
struct TALER_RefreshCommitmentP session_hash;
struct TALER_DenominationHash h_denom_pub;
struct TALER_AgeCommitmentHash h_age_commitment;
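Review bot: The new comment on `session_hash` describes the commitment differently from the two other places this commit documents it: item 5 here hashes "n planchets", while the api-exchange text hashes "planchet hashes" and the design document "blinded planchet hashes", and item 4 here omits the network byte order that the api-exchange text specifies. A verifier that hashes planchets instead of planchet hashes computes a different commitment, so the three descriptions must agree; I'd align this comment to `4. amount with fee (NBO)` and `5. kappa*n blinded planchet hashes, depths first: [0..n),[0..n),[0..n)` (or whichever matches the implementation). The `(v26)` tag on item 1 is unexplained in the hunk; if it marks the protocol version that introduced the field, say so, e.g. `1. refresh_seed (since protocol v26)`. The enclosing struct definition starts before the hunk.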
diff --git a/core/api-exchange.rst b/core/api-exchange.rst
@@ -2144,30 +2144,18 @@ These endpoints are called by the client
.. ts:def:: RevealMeltRequest
interface RevealMeltRequest {
- // The hash over the melt commitment from the ``/melt/`` step,
- // i.e. the SHA512 value of the `TALER_MeltCommitmentPS`
- // from that prior request.
- h_commitment: string;
-
- // Array of ``(kappa - 1)`` disclosed batch secrets,
- // from which for each of the n coins in a batch
- // their coin master secret is derived,
- // from which in turn their private key,
- // blinding, nonce (for Clause-Schnorr) and
- // transfer private keys (in case of prior ``/melt``).
- //
- // TODO: add details about the derivation.
- disclosed_batch_seeds: BatchSeed[TALER_CNC_KAPPA-1];
-
- // Array of ``n`` entries of transfer public keys
- // (ephemeral ECDHE keys), each for the ``noreveal_index``.
- transfer_pubs: EddsaPublicKey[];
-
- // Array of ``n`` signatures made by the wallet
- // using the old coin's private key,
- // used later to verify the /refresh/link response from the exchange.
- // Signs over a `TALER_CoinLinkSignaturePS`.
- link_sigs: EddsaSignature[];
+ // The melt commitment from the ``/melt/`` step,
+ // i.e. the SHA512 value of
+ // 1. refresh_seed
+ // 2. blinding_seed, if applicable, skip otherwise
+ // 3. list of denomination hashes, in order
+ // 4. amount with fee (NBO)
+ // 5. kappa*n planchet hashes, depths first: [0..n)[0..n)[0..n)
+ commitment: string;
+
+ // The disclosed kappa-1 arrays of signatures, one per coin, signed by
+ // the old coin's private key, over the derived nonce values per coin.
+ signatures: CoinSignature[kappa-1][];
// IFF the denomination of the old coin had support for age restriction,
// the client MUST provide the original age commitment, i. e. the
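Review bot: The `commitment` description hashes an optional field ("blinding_seed, if applicable, skip otherwise") followed by a variable-length denomination list with no length prefix, so the preimage framing is not stated; whether a with-seed and a without-seed encoding can collide depends on the fixed sizes of those fields, which the text does not give. A reader must be able to reproduce the hash byte for byte, so I'd add a line such as `// Each item is hashed in its fixed-size binary encoding; the denomination list is preceded by its element count` — or the actual framing the implementation uses. Separately, `signatures: CoinSignature[kappa-1][]` only says the signatures are "over the derived nonce values per coin"; the removed text flagged the derivation as a TODO, and the new text should reference where the nonce derivation and the signature purpose are specified. The removed `link_sigs` were described as needed to verify `/refresh/link`, and the hunk does not say what replaces them.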
diff --git a/design-documents/062-pq-refresh.rst b/design-documents/062-pq-refresh.rst
@@ -85,8 +85,8 @@ published.
2. **Reveal Phase**:
- - Client discloses together with h_m all except the γ-th random seeds r_i
- and signatures s_i from the call to RefreshDerive.
+ - Client discloses together with h_m all except the γ-th
+ signatures s_i from the call to RefreshDerive.
- Exchange verifies signature s_i over Hash1a("Refresh", C_p, r_i).
- Exchange reconstructs the blinded coins m'_i.
- Exchange verifies h_m = H(m'_1, ..., m_γ, ... m'_κ) equality.
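Review bot: After this change the client no longer discloses the random seeds r_i, yet the next step still has the exchange verify s_i over Hash1a("Refresh", C_p, r_i) and reconstruct the blinded coins m'_i, both of which need r_i; the hunk does not say where the exchange now obtains them. Presumably they are derived from refresh seed material the exchange already holds from the melt step, but that should be stated explicitly, e.g. `- Exchange derives r_i for all i != γ from the refresh seed received in the melt step.` inserted before the verification line. The surrounding protocol description continues outside the hunk.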
@@ -232,6 +232,31 @@ TODO: definition of ``CoinSignature``
type CoinSignature = string;
+TODO: explain /reveal-melt endpoint.
+
+.. ts:def:: NewMeltRevealRequest
+
+ interface NewMeltRevealRequest {
+ // The refresh commitement corresponding to the previous call to /melt
+ // This is the Hash over:
+ // 1. refresh_seed
+ // 2. blinding_seed, if provided, skip otherwise
+ // 3. denominations in order
+ // 4. amount_with_fee
+ // 5. κ*n blinded planchet hashes, depths first: [0..n),[0..n),[0..n)
+ commitment: HashCode;
+
+ // The disclosed kappa-1 arrays of signatures, one per coin, signed by
+ // the old coin's private key, over the derived nonce values per coin.
+ signatures: CoinSignature[kappa-1][];
+
+ // IFF the denomination of the old coin had support for age restriction,
+ // the client MUST provide the original age commitment, i. e. the
+ // vector of public keys, or omitted otherwise.
+ // The size of the vector MUST be the number of age groups as defined by the
+ // Exchange in the field ``.age_groups`` of the extension ``age_restriction``.
+ old_age_commitment?: Edx25519PublicKey[];
+ }
Security Analysis
=================