commit fcac7311dc01b58e3252bfdaf42c642a34d08089
parent 7f1951cfe61f601da87191c98561b44cf1a3ff73
Author: Christian Grothoff <christian@grothoff.org>
Date: Tue, 22 Apr 2025 14:58:56 +0200
-clarify
Diffstat:
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/design-documents/062-pq-refresh.rst b/design-documents/062-pq-refresh.rst
@@ -57,7 +57,7 @@ derive the key material of a fresh coin from the old coin:
return (s, c2_s, C2_p, m)
-Key Changes to the existing RefreshDerive:
+Key Changes to the existing ``RefreshDerive``:
1. *Proof of ownership*: ``s`` proves ownership through signature, without DH
2. *Key derivation*: ``x`` derived through hashing of the signature
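Review bot: Item 1 of the list under the changed heading ends with "without DH", and the abbreviation is not expanded anywhere in the surrounding lines. Since this commit already touches the heading for clarity, consider spelling it out once, for example "without a Diffie-Hellman (DH) exchange", so the contrast with the existing ``RefreshDerive`` is readable on its own.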
@@ -108,7 +108,7 @@ published.
1. **Melting/Commit Phase**:
- Client chooses a master (public) seed ``r`` and derives ``κ`` nonces ``r_1, ... r_κ``.
- - Client generates, using RefreshDeriveBatch, ``κ*n`` blinded coin planchets
+ - Client generates, using ``RefreshDeriveBatch``, ``κ*n`` blinded coin planchets
``m[1][1],...,m[1][n],...,m[κ][1],...,m[κ][n]`` from the nonces
- Sends dirty coin public key ``Cp``, seed ``r``, all ``m[i][j]`` and
fresh coin denomination selections ``pkD[1],...pkD[n]`` to the exchange,
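Review bot: The dirty coin public key is written ``Cp`` in the "Sends dirty coin public key" bullet, but the reveal phase hashes it as ``C_p`` in ``Hash1a("Refresh", C_p, r_i, pkDs)``. While the markup in this list is being tidied, pick one spelling so a reader can tell that the committed value and the signed value are the same key. The nonce list ``r_1, ... r_κ`` is also missing the comma after the ellipsis that the ``m[1][1],...,m[1][n]`` list uses.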
@@ -125,7 +125,8 @@ published.
2. **Reveal Phase**:
- Client discloses together with ``h_m`` all except the ``γ``-th
- (secret) signatures ``s[1],...,s[κ]`` from the ``κ`` calls to RefreshDeriveBatch.
+ (secret) signatures ``s[1],...,s[κ]`` from the ``κ`` calls to
+ ``RefreshDeriveBatch``.
- Exchange derives ``r_i`` from ``r`` and verifies each signature
``s[i]`` over ``Hash1a("Refresh", C_p, r_i, pkDs)``.
- Exchange reconstructs the blinded coins ``m'[i][]`` for ``i != γ``.
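Review bot: The verification bullet says the exchange verifies "each signature ``s[i]``" without the ``i != γ`` restriction that the reconstruction bullet right after it carries, and the disclosure bullet enumerates ``s[1],...,s[κ]`` immediately after saying "all except the ``γ``-th". Since ``s[γ]`` is not disclosed, state the index range explicitly in both places (for example "for all ``i != γ``") so the text cannot be read as requiring a check on the undisclosed signature. The hash input ``pkDs`` is also not tied to the ``pkD[1],...pkD[n]`` sent in the commit phase; a short note that they are the same selections would help.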