From: gnunet
Subject: [taler-exchange] branch master updated: add cs nonce persistence and reuse check
Date: Thu, 17 Feb 2022 21:29:22 +0100

This is an automated email from the git hooks/post-receive script.

lucien-heuzeveldt pushed a commit to branch master
in repository exchange.

The following commit(s) were added to refs/heads/master by this push:
     new eacbe6df add cs nonce persistence and reuse check
eacbe6df is described below

commit eacbe6df19ae332b47794f29d625048f3f3652dc
Author: Lucien Heuzeveldt <lucienclaude.heuzeveldt@students.bfh.ch>
AuthorDate: Thu Feb 17 21:29:18 2022 +0100

    add cs nonce persistence and reuse check
---
 doc/cs/content/4_1_design.tex | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/doc/cs/content/4_1_design.tex b/doc/cs/content/4_1_design.tex
index 1d22b151..4d76675e 100644
--- a/doc/cs/content/4_1_design.tex
+++ b/doc/cs/content/4_1_design.tex
@@ -169,12 +169,14 @@ The denomination key was chosen because it has the recopu 
protocol in place that
       \\ & & b := \text{HKDF}(1,n_w || d_s, \text{"b"})
       \\ & & s \leftarrow \text{GetWithdraw}(n_w, D_p)
       \\ & & \textbf{if } s = \bot
+      \\ & & \textbf{check !} \text{NonceReuse} (n_w, D_p)
       \\ & & r_b := \text{HKDF}(256,n_w || d_s, \text{"r}b\text{"})
       % sign coin
       \\ & & s := r_b + c_b d_s \mod p
       % the following db operations are atomic
       \\ & & \text{decrease balance if sufficient and}
-      \\ & & \text{persist } \langle n_w, D_p, s \rangle
+      \\ & & \text{persist NonceUse } \langle n_w, D_p, s \rangle
+      \\ & & \text{persist } \langle D_p, s \rangle
       \\ & & \textbf{endif}
       \\ & \xleftarrow[\rule{2.5cm}{0pt}]{b,s} &
       % verify signature
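Review bot: The added "check ! NonceReuse (n_w, D_p)" line sits above the comment "the following db operations are atomic", so as drawn the reuse check and "persist NonceUse <n_w, D_p, s>" are separate steps, and two concurrent withdrawals with the same (n_w, D_p) could both pass the check before either one persists. Because r_b is derived only from n_w and d_s and s := r_b + c_b d_s, two signatures over different c_b with the same r_b are enough to solve for d_s, so the check and the insert belong inside the atomic block (or the text should state that the NonceUse insert fails on a duplicate key). Separately, GetWithdraw(n_w, D_p) is still keyed on n_w while the withdraw record is now persisted as <D_p, s> without it; the figure should say that the lookup goes through the NonceUse record.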
@@ -187,7 +189,6 @@ The denomination key was chosen because it has the recopu 
protocol in place that
       \\ \textbf{check if } s'G = R'_b + c'_b D_p & &
       \\ \sigma_C := \langle R'_b, s' \rangle & &
       \\ \text{resulting coin: } c_s, C_p, \sigma_C, D_p & &
-      
     \end{array}$
     }
   \end{equation*}
@@ -287,9 +288,9 @@ In the reveal phase, the RSA signing and unblinding is 
exchanged with Schnorr's
       \\ h_T := H(T_1, \dots, T_k)
       \\ h_{\overline{c_0}} := H(\overline{c_{0_1}},\dots, \overline{c}_{0_k})
       \\ h_{\overline{c_1}} := H(\overline{c_{1_1}},\dots, \overline{c}_{1_k})
-      \\ h_{\overline{c}} := H(h_{\overline{c_0}}, h_{\overline{c_1}})
+      \\ h_{\overline{c}} := H(h_{\overline{c_0}}, h_{\overline{c_1}}, n_r)
       \\ h_C := H(h_T, h_{\overline{c}})
-      \\ \rho_{RC} := \langle h_C, D_p, \text{ } D_{p(0)}, C_p^{(0)}, 
\sigma_C^{(0)}  \rangle
+      \\ \rho_{RC} := \langle h_C, D_p, \text{ } D_{p(0)}, C_p^{(0)}, 
\sigma_C^{(0)} \rangle
       \\ \sigma_{RC} := \text{Ed25519.Sign}(c_s^{(0)}, \rho_{RC})
       \\ \text{Persist refresh-request}
       \\ \langle \omega, R_0, R_1, \rho_{RC}, \sigma_{RC} \rangle
@@ -311,7 +312,7 @@ In the reveal phase, the RSA signing and unblinding is 
exchanged with Schnorr's
       \\ & \textit{Continuation of}
       \\ & \textit{figure \ref{fig:refresh-commit-part1}}
       \\
-      \\ & \xrightarrow[\rule{2cm}{0pt}]{\rho_{RC}, \sigma_{RC}} &
+      \\ & \xrightarrow[\rule{2cm}{0pt}]{\rho_{RC}, \sigma_{RC}, n_r} &
       % Exchange checks refresh request
       \\ & & \langle h_C, D_p, D_{p(0)}, C_p^{(0)}, \sigma_C^{(0)} \rangle := 
\rho_{RC}
       \\ & & \textbf{check} \text{ Ed25519.Verify}(C_p^{(0)}, \sigma_{RC}, 
\rho_{RC})
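Review bot: n_r is now sent alongside \rho_{RC} and \sigma_{RC}, but the Ed25519.Verify(C_p^{(0)}, \sigma_{RC}, \rho_{RC}) check in the context lines covers \rho_{RC} only, so the n_r value the exchange receives is not authenticated at commit time. It is bound to the commitment only through h_C (via h_{\overline{c}}), which the exchange cannot recompute before the reveal phase. Consider making n_r an explicit field of \rho_{RC}, or document that an n_r that does not match the commitment is only caught by the h_C = h_C' check at reveal.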
@@ -323,10 +324,12 @@ In the reveal phase, the RSA signing and unblinding is 
exchanged with Schnorr's
       \\ & & v := \text{Denomination}(D_p)
       \\ & & \textbf{check } \text{IsOverspending}(C_p^{(0)}, D_ {p(0)}, v)
       \\ & & \text{verify if } D_p \text{ is valid}
+      \\ & & \textbf{check !} \text{NonceReuse} (n_r, D_p)
       \\ & & \textbf{check } \text{Schnorr.Verify}(D_{p(0)}, C_p^{(0)}, 
\sigma_C^{(0)})
       \\ & & \text{MarkFractionalSpend}(C_p^{(0)}, v)
       \\ & & \gamma \leftarrow \{1, \dots, \kappa\}
-      \\ & & \text{Persist refresh-record } \langle \rho_{RC},\gamma \rangle
+      \\ & & \text{persist NonceUse } \langle n_r, D_p, \rho_{RC} \rangle
+      \\ & & \text{persist refresh-record } \langle \rho_{RC},\gamma \rangle
       \\ & \xleftarrow[\rule{2cm}{0pt}]{\gamma} &
       % Check challenge and send challenge response (reveal not selected msgs)
       \\ \textbf{check } \text{IsConsistentChallenge}(\rho_{RC}, \gamma)
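Review bot: "check ! NonceReuse (n_r, D_p)" runs with no preceding lookup for an existing refresh-record, so a client that retransmits the same commit after a lost reply is rejected as a nonce reuse, whereas the withdraw figure returns the stored s through GetWithdraw before the reuse check is reached. Suggest returning the stored \gamma when the persisted NonceUse entry carries the same \rho_{RC}. The check and the two persist lines should also be marked as one atomic operation, as the withdraw figure does with its "the following db operations are atomic" comment. Minor style point: these lines now use lowercase "persist" while "Persist refresh-challenge" further down in the same figure keeps the capital.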
@@ -334,7 +337,7 @@ In the reveal phase, the RSA signing and unblinding is 
exchanged with Schnorr's
       \\
       \\ \text{Persist refresh-challenge} \langle \rho_{RC}, \gamma \rangle
       \\ S := \langle t_1, \dots, t_{\gamma-1}, t_{\gamma+1}, \dots,t_\kappa 
\rangle % all seeds without the gamma seed
-      \\ \rho_L := \langle C_p^{(0)}, D_p, T_{\gamma}, \overline{c_0}_\gamma, 
\overline{c_1}_\gamma, n_r \rangle
+      \\ \rho_L := \langle C_p^{(0)}, D_p, T_{\gamma}, \overline{c_0}_\gamma, 
\overline{c_1}_\gamma \rangle
       \\ \rho_{RR} := \langle \rho_L, S \rangle
       \\ \sigma_{L} := \text{Ed25519.Sign}(c_s^{(0)}, \rho_{L})
       \\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho_{RR},\rho_L, \sigma_{L}} &
@@ -359,7 +362,7 @@ In the reveal phase, the RSA signing and unblinding is 
exchanged with Schnorr's
       \\
       \\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho_{RR},\rho_L, \sigma_{L}} &
       % check revealed msgs and sign coin
-      \\ & & \langle C_p^{(0)}, D_p, T_{\gamma}, \overline{c_0}_\gamma, 
\overline{c_1}_\gamma, n_r \rangle := \rho_L
+      \\ & & \langle C_p^{(0)}, D_p, T_{\gamma}, \overline{c_0}_\gamma, 
\overline{c_1}_\gamma \rangle := \rho_L
       \\ & & \langle T'_\gamma, \overline{c_0}_\gamma, \overline{c_1}_\gamma, 
S \rangle := \rho_{RR}
       \\ & & \langle t_1,\dots,t_{\gamma-1},t_{\gamma+1},\dots,t_\kappa 
\rangle := S
       \\ & & \textbf{check } \text{Ed25519.Verify}(C_p^{(0)}, \sigma_L, \rho_L)
@@ -371,7 +374,7 @@ In the reveal phase, the RSA signing and unblinding is 
exchanged with Schnorr's
       \\ & & h_T' = 
H(T_1,\dots,T_{\gamma-1},T'_{\gamma},T_{\gamma+1},\dots,T_\kappa)
       \\ & & h_{\overline{c_0}}' := H(\overline{c_{0_1}},\dots, 
\overline{c}_{0_k})
       \\ & & h_{\overline{c_1}}' := H(\overline{c_{1_1}},\dots, 
\overline{c}_{1_k})
-      \\ & & h_{\overline{c}}' := H(h_{\overline{c_0}}, h_{\overline{c_1}})
+      \\ & & h_{\overline{c}}' := H(h_{\overline{c_0}}, h_{\overline{c_1}}, 
n_r)
       \\ & & h_C' = H(h_T', h_{\overline{c}}')
       \\ & & \textbf{check } h_C = h_C'
       \\ & & r_b := \text{HKDF}(256,n_r || d_s, \text{"r}b\text{"})
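Review bot: The exchange uses n_r here for h_{\overline{c}}' and for r_b := HKDF(256, n_r || d_s, "rb"), but with this patch n_r is no longer part of \rho_L and the reveal message still carries only \rho_{RR}, \rho_L, \sigma_L. The figure should show where the exchange obtains n_r at this point, presumably from the NonceUse <n_r, D_p, \rho_{RC}> record persisted in the commit phase, as an explicit lookup step before h_{\overline{c}}' is computed.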

-- 
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.


