[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[taler-docs] 02/02: general ideas layed out, start reveal phase
|
From: |
gnunet |
|
Subject: |
[taler-docs] 02/02: general ideas layed out, start reveal phase |
|
Date: |
Sat, 16 Oct 2021 11:40:03 +0200 |
This is an automated email from the git hooks/post-receive script.
oec pushed a commit to branch master
in repository docs.
commit 6937cb37a02e238b1f8fe868784ca29780f51e32
Author: Özgür Kesim <oec-taler@kesim.org>
AuthorDate: Sat Oct 16 11:39:55 2021 +0200
general ideas layed out, start reveal phase
---
design-documents/024-age-restriction.rst | 71 +++++++++++++++++++++++++++++---
1 file changed, 65 insertions(+), 6 deletions(-)
diff --git a/design-documents/024-age-restriction.rst
b/design-documents/024-age-restriction.rst
index ce6d562..7509d3d 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -62,11 +62,44 @@ to stick to that decision until the support for age
restriction is disabled.
We might reconsider this design decision at some point.
-Building Blocks
-^^^^^^^^^^^^^^^
+Main ideas and building blocks
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The main ideas are simple:
+
+#. The exchange defines and publishes M different *age groups* of increasing
order:
+ :math:`0 < a_1 < \ldots < a_M` with :math:`a_i \in \mathbb{N}`.
+
+#. An **unrestricted** *age commitment* is defined as a vector of length M of
+ pairs of EdDSA public and private keys on Curve25519. In other words: one
+ key pair for each age group:
+ :math:`\bigl\langle (p_1, s_1), \ldots, (p_M, s_M) \bigr\rangle`
+
+#. A **restricted** *age commitment* **to age m** is derived from an
unrestricted age
+ commitment by removing all private keys for indices larger than m:
+ :math:`\bigl\langle (p_1, s_1), \ldots, (p_m, s_m), \, (p_{m+1}, \perp),
\ldots, (p_M, \perp )\bigr\rangle`
+
+#. An *age commitment* (without prefix) is just the vector of public keys:
+ :math:`\langle p_1, \ldots, p_M \rangle`. Note that from just the age
+ commitment one can not deduce if it was originated from an unrestricted or
+ restricted age commitment (and what age).
+
+#. An *attestation of age group k* is essentially the act of signing a message
+ with the private key for slot k, if the corresponding private key is
+ available in a restricted age commitment. (Unrestricted age commitments
+ can attest for any age group).
+
+#. An age commitment is *bound to a particular coin* by incorporating the
+ SHA512 hash value of the age commitment (i.e. the M public keys) into the
+ signature of the coin. So instead of using :math:`\text{FDH}_N(C_p)` (with
+ :math:`C_p` being the public key of the coin), we calculate
+ :math:`\text{FDH}_N(C_p, h_a)`, where :math:`h_a` is the
+ hash of the age commitment.
+
TODO: Summarize the design based on the five functions ``Commit()``,
-``Attest()``, ``Verify()``, ``Derive()``, ``Compare()``.
+``Attest()``, ``Verify()``, ``Derive()``, ``Compare()``, once the paper from
+Özgür and Christian is published.
Changes in the Exchange
@@ -228,7 +261,8 @@ restriction). Therefore, in the ``/coins/$COIN_PUB/melt``
POST request, the
The responses to the POST request remain the same.
For denominations *without* support for age restriction, the calculation for
-the signature check is as before (borrowing notation from Florian's thesis):
+the signature check is as before (borrowing notation from
+`Florian's thesis <https://taler.net/papers/thesis-dold-phd-2019.pdf>`_):
.. math::
\text{FDH}(N_0, C_p^{(0)})\; \stackrel{?}{=}\;
\left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0
@@ -238,7 +272,7 @@ hash value ``age_commitment_hash`` (abbreviated as h\
:sub:`a`) into account
when verifying the coin's signature:
.. math::
- \text{FDH}(N_0, C_p^{(0)}, h_a)\; \stackrel{?}{=}\;
\left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0
+ \text{FDH}(N_0, \langle C_p^{(0)}, h_a \rangle )\; \stackrel{?}{=}\;
\left(\sigma_C^{(0)}\right)^{e_0} \;\;\text{mod}\,N_0
@@ -246,7 +280,32 @@ when verifying the coin's signature:
Refresh - reveal phase
~~~~~~~~~~~~~~~~~~~~~~
-TODO: Extension of the cut'n-choose-protocol.
+During the reveal phase -- that is upon POST to ``/refreshes/$RCH/reveal`` --
+the client has to provide the original age commitment of the old coin (i.e. the
+vector of public keys), iff the corresponding denomination had support for age
+restriction. The size of the vector ist defined by the Exchange implictely as
+the amount of age groups defined in the field ``.age_groups`` of the
+``ExtensionAgeRestriction``.
+
+.. ts:def:: RevealRequest
+
+ interface RevealRequest {
+ ...
+
+ // Iff the corresponding denomination has support for age restriction,
+ // the client MUST provide the original age commitment, i.e. the vector
+ // of public keys.
+ // The size of the vector ist defined by the Exchange implictely as the
+ // amount of age groups defined in the field ``.age_groups`` of the
+ // ``ExtensionAgeRestriction``.
+ old_age_commitment?: EddsaPublicKey[];
+
+
+ ...
+ }
+
+TODO: describe how the exchange derives the κ-1 other age-restriction vectors
+and compares them to the one in ``.old_age_commitment``.
Deposit
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.