taler-docs

Documentation for GNU Taler components, APIs and protocols

commit fbba9835f225bb03ac6a6d4910adcc078588eeed
parent dab1b41eda3788f3747646f543db40896bf23b4b
Author: Özgür Kesim <oec-taler@kesim.org>
Date:   Sun, 12 Mar 2023 22:41:13 +0100

need coin's master secret for age-withdraw

Diffstat:
M core/api-exchange.rst | 46 ++++++++++++++++++++++------------------------
M design-documents/024-age-restriction.rst | 29 +++++++----------------------
2 files changed, 29 insertions(+), 46 deletions(-)

diff --git a/core/api-exchange.rst b/core/api-exchange.rst 
@@ -2468,47 +2468,45 @@ If so, the exchange will blindly sign ``n`` undisclosed coins from the request. // in ``denoms_h``. coin_evs: CoinEnvelope[]; - // Array of ``n`` arrays of ``kappa - 1`` disclosed coin private keys, - // from which the associated age commitments are also derived. - disclosed_coins: DisclosedAgeRestrictedCoin[][]; - - } - - .. ts:def:: DisclosedAgeRestrictedCoin - - interface DisclosedAgeRestrictedCoin { - // A coin's private key. The associated blinding and age commitment for - // this coin MUST be derived from this private key as follows: + // Array of ``n`` of ``(kappa - 1)`` disclosed coin secrets, from + // which the coins' private key ``coin_priv``, blinding ``beta`` and nonce + // ``nonce`` (for Clause-Schnorr) itself are derived as usually in wallet + // core. + // (TODO: description of the derivation process of the coin's private + // key, blinding and nonce). // - // Calculate the blinding beta as - // beta := HKDF(coin_priv, "blinding") - // - // If the denominations are for Clause-Schnorr-Signatures, calculate the - // nonce as - // nonce := HKDF(coin_priv, "cs-nonce") + // Given a coin's secret, the age commitment for the coin MUST be + // derived from this private key as follows: // // Let m ∈ {1,...,M} be the maximum age group as defined in the reserve // that the wallet can commit to. 
// // For age group $AG ∈ {1,...m}, set - // seed = HDKF(coin_priv, "age-commitment", $AG) + // seed = HDKF(coin_secret, "age-commitment", $AG) // p[$AG] = Edx25519_generate_private(seed) // and calculate the corresponding Edx25519PublicKey as // q[$AG] = Edx25519_public_from_private(p[$AG]) // // For age groups $AG ∈ {m,...,M}, set - // f[$AG] = HDKF(coin_priv, "age-factor", $AG) + // f[$AG] = HDKF(coin_secret, "age-factor", $AG) // and calculate the corresponding Edx25519PublicKey as // q[$AG] = Edx25519_derive_public(`PublishedAgeRestrictionBaseKey`, f[$AG]) // - // Finally, with coin_priv and age commitment (q[]), the exchange - // will calculate the coin's public key coin_pub and use the - // TALER_CoinPubHashP(coin_pub, age_commitment_hash(q)) - // during the verification of the original age-withdraw-commitment. - coin_priv: EddsaPrivateKey; + // Given each coin's private key and age commitment (``q[]``), the + // exchange will calculate each coin's blinded hash value und use all + // those (disclosed) blinded hashes together with the non-disclosed + // envelopes ``coin_evs`` during the verification of the original + // age-withdraw-commitment. + disclosed_coin_secrets: AgeRestrictedCoinSecret[][]; } + .. ts:def:: AgeRestrictedCoinSecret + + // The Master key material for the derivation of age restricted private + // coins, blinding factors and age restrictions + type AgeRestrictedCoinSecret = string; + .. ts:def:: PublishedAgeRestrictionBaseKey // The value for ``PublishedAgeRestrictionBaseKey`` is a randomly chosen diff --git a/design-documents/024-age-restriction.rst b/design-documents/024-age-restriction.rst 
@@ -380,39 +380,25 @@ the coin's private key itself as follows: Let -- :math:`c_s` be the private key of the coin, +- :math:`s` be the master secret of the coin, from which the private key :math:`c_s`, blinding :math:`\beta` and nonce :math:`n` are derived as usual in the wallet core - :math:`m \in \{1,\ldots,M\}` be the maximum age (according to the reserve) that a wallet can commit to during the withdrawal. - :math:`P` be a published constant Edx25519-public-key to which the private key is not known to any client. - -Then calculate the blinding :math:`\beta` for the coin as - -.. math:: - \beta &:= \text{HKDF}(c_s, \text{"blinding"}) - -If the denomination is using Clause-Schnorr signatures, calculate the nonce -:math:`n` for the coin as - -.. math:: - n &:= \text{HKDF}(c_s, \text{"cs-nonce"}) - - - For the age commitment, calculate: 1. For age group :math:`a \in \{1,\ldots,m\}`, set .. math:: - s_a &:= \text{HDKF}(c_s, \text{"age-commitment"}, a) \\ + s_a &:= \text{HDKF}(s, \text{"age-commitment"}, a) \\ p_a &:= \text{Edx25519\_generate\_private}(s_a) \\ q_a &:= \text{Edx25519\_public\_from\_private}(p_a) 2. For age group :math:`a \in \{m,\ldots,M\}`, set .. math:: - f_a &:= \text{HDKF}(c_s, \text{"age-factor"}, a) \\ + f_a &:= \text{HDKF}(s, \text{"age-factor"}, a) \\ q_a &:= \text{Edx25519\_derive\_public}(P, f_a). Then the vector :math:`\vec{q} = \{q_1,\ldots,q_M\}` is then the age commitment 
@@ -420,10 +406,10 @@ associated to the coin's private key :math:`c_s`. For the non-disclosed coins, the wallet can use the vector :math:`(p_1,\ldots,p_m,\bot,\ldots,\bot)` of private keys for the attestation. -Provided with the private key :math:`c_s`, the exchange can therefore calculate -the blinding :math:`\beta`, the nonce :math:`n` (if needed) and the age -commitment :math:`\vec{q}` itself, along with the coin's public key :math:`C_p` -and use the value of +Provided with the secret :math:`s`, the exchange can therefore calculate the +private key :math:`c_s`, the blinding :math:`\beta`, the nonce :math:`n` (if +needed) and the age commitment :math:`\vec{q}`, along with the coin's public +key :math:`C_p` and use the value of .. math:: @@ -431,7 +417,6 @@ and use the value of during the verification of the original age-withdraw-commitment. - For the withdrawal with age restriction, a sketch of the corresponding database schema in the exchange is given here:
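
Review bot: In the core/api-exchange.rst hunk (@@ -2468), the new comment on ``disclosed_coin_secrets`` leaves the derivation of ``coin_priv``, ``beta`` and ``nonce`` as a TODO ("as usually in wallet core") while deleting the explicit ``HKDF(coin_priv, "blinding")`` and ``HKDF(coin_priv, "cs-nonce")`` rules, so the API text no longer states how the exchange recomputes a disclosed coin from its secret. Please fill in the derivation, or link to where it is specified, before merging. In the same comment, "the age commitment for the coin MUST be derived from this private key" should now say "from this secret", because the formulas below it use ``coin_secret``. Smaller points: "Array of ``n`` of ``(kappa - 1)``" lost the word "arrays", "und use" should be "and use", the changed seed and factor lines keep the spelling ``HDKF``, and ``type AgeRestrictedCoinSecret = string;`` should state the expected encoding and length of the value.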
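
Review bot: In the first design-documents/024-age-restriction.rst hunk (@@ -380), the changed formulas for :math:`s_a` and :math:`f_a` keep the spelling ``\text{HDKF}``, whereas the removed formulas for :math:`\beta` and :math:`n` spelled it ``HKDF``; correct the spelling while these lines are being touched so the document names one function. The lead-in shown in the hunk header still reads "the coin's private key itself as follows:", which no longer matches a derivation that starts from the master secret :math:`s`, so that sentence needs the same update. The symbol :math:`s` for the master secret also sits very close to the per-age-group seeds :math:`s_a`; a distinct letter for one of them would avoid misreading.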
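
Review bot: In the second design-documents/024-age-restriction.rst hunk (@@ -420), the rewritten paragraph says the exchange "can therefore calculate" :math:`c_s`, :math:`\beta` and :math:`n` from :math:`s`, but the formulas for :math:`\beta` and :math:`n` were removed earlier in this patch and none for :math:`c_s` is added, so the "therefore" has nothing in this document to refer to. Add a cross-reference to the wallet-core derivation at this point. The sentence shown in the hunk header, "associated to the coin's private key :math:`c_s`", should also be reworded to mention :math:`s`, since the commitment is now derived from the master secret.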