Re: [Taler] latest draft on the Taler cryptography [re-re-send]

[Luis Ressel]

On Mon, 28 Sep 2015 12:05:13 +0200
Christian Grothoff <address@hidden> wrote:

> > * In the linking protocol (4.4), why does the mint's response
> > include B^\gamma? Shouldn't that be E^\gamma?
> 
> B^{(\gamma)} is the selected blinded coin, which the mint signs if all
> of the non-gamma values were shown to be acceptable. Note that we
> recently changed notation to use B for RSA blinding instead of using E
> for two things. Note that S(B^{(\gamma)}) in the "reveal" step is
> really equivalent to the S(B_b(C_p)) in step 5 of the withdraw
> protocol.
> 
> So yes, it should be B^.
> 

But I don't understand how the linking protocol is supposed to work if
the customer doesn't obtain E^\gamma. To use the new coin, he'll need
S_K(C_p^\gamma) and c_s^\gamma. He could calculate those from
T_p^\gamma, \tilde{C} and E^\gamma (and c_s', of course), but not
without E^\gamma.

> > For the other typos, I've attached a git patch fixing them. (The
> > patch can be applied using 'git am'.)
> 
> Sorry, but the attachment didn't make it. Did you really attach it?
> 

Yes, I did. It's present in the copy I BCC:'ed to myself, but it's
missing on the mailing list. Looks like your Mailman instance is
configured to strip off attachments. Anyway, I'll resend the patch as
the text body of another mail.

By the way, you made a mistake in the merge commit bf8b9d1 yesterday;
the file src/mint/taler-mint-httpd_admin.c still has an unresolved
merge conflict on lines 142ff.


Regards,
Luis Ressel