
## Re: [Taler] clarifying refresh

From: Fabian Kirsch
Subject: Re: [Taler] clarifying refresh
Date: Sat, 03 Oct 2015 16:34:20 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.7.0

Thanks Luis Resse.
Sorry for the inconvenience.
I fear the patch will become broken by line wrapping.
Here it is:

From 53b622fd6525b4e2aafc88616dd48e8ac756732f Mon Sep 17 00:00:00 2001
Date: Sat, 3 Oct 2015 15:33:24 +0200
Subject: [PATCH] rewrote refresh to be more conceptual, less algorithmical

---

doc/paper/taler.tex | 70 +++++++++++++++++++----------------------------------
 1 file changed, 25 insertions(+), 45 deletions(-)

diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index e3d595e..aa696f0 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex

@@ -808,53 +808,33 @@ protocol, $\kappa \ge 3$ is a security parameter and $G$ is the
 generator of the elliptic curve.

\begin{enumerate}
-  \item For each $i = 1,\ldots,\kappa$, the customer

+ \item For each $i = 1,\ldots,\kappa$, the customer creates a potential new identity. (which one gets real, is decided later). Each of the new identities generates randomly:
     \begin{itemize}

- \item randomly generates transfer key $T^{(i)} := \left(t^{(i)}_s,T^{(i)}_p\right)$ where $T^{(i)}_p := t^{(i)}_s G$, - \item randomly generates coin key pair \\ $C^{(i)} := \left(c_s^{(i)}, C_p^{(i)}\right)$ where $C^{(i)}_p := c^{(i)}_s G$,
-      \item randomly generates blinding factors $b^{(i)}$,

- \item computes $E^{(i)} := E_{K_i}\left(c_s^{(i)}, b^{(i)}\right)$ where $K_i := H(c'_s T_p^{(i)})$. (The encryption key $K_i$ is - computed by multiplying the private key $c'_s$ of the original coin with the point on the curve - that represents the public key $T^{(i)}_p$ of the transfer key $T^{(i)}$. This is basically DH between coin and transfer key.),
+      \item a coin key pair $C^{(i)} := \left(c_s^{(i)}, C_p^{(i)}\right)$,
+      \item a blinding factor $b^{(i)}$,
+      \item a random factor for ElGamal-crypto  $t^{(i)}_s$
\end{itemize}
-    and commits $\langle C', \vec{T}, \vec{C}, \vec{b} \rangle$ to disk.

- \item The customer computes $B^{(i)} := B_{b^{(i)}}(C^{(i)}_p)$ for $i \in \{1,\ldots,\kappa\}$ and sends a commitment
-    $S_{C'}(\vec{E}, \vec{B}, \vec{T_p}))$ to the mint.

- \item The mint generates a random\footnote{Auditing processes need to assure $\gamma$ is unpredictable until this time to - prevent the mint from assisting tax evasion.} $\gamma$ with $1 \le \gamma \le \kappa$ and
-    marks $C'_p$ as spent by committing

- $\langle C', \gamma, S_{C'}(\vec{E}, \vec{B}, \vec{T}) \rangle$ to disk. - \item The mint sends $S_K(C'_p, \gamma)$ to the customer.\footnote{Instead of $K$, it is also - possible to use any equivalent mint signing key known to the customer here, as $K$ merely - serves as proof to the customer that the mint selected this particular $\gamma$.} - \item The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk. - \item The customer computes $\mathfrak{R} := \left(t_s^{(i)}, C_p^{(i)}, b^{(i)}\right)_{i \ne \gamma}$
-        and sends $S_{C'}(\mathfrak{R})$ to the mint.

- \item \label{step:refresh-ccheck} The mint checks whether $\mathfrak{R}$ is consistent with the commitments;
-    specifically, it computes for $i \not= \gamma$:
-
-    \vspace{-2ex}
-    \begin{minipage}{5cm}
-    \begin{align*}
-      \overline{K}_i :&= H(t_s^{(i)} C_p'), \\

- (\overline{c}_s^{(i)}, \overline{b}_i) :&= D_{\overline{K}_i}(E^{(i)}), \\
-     \overline{C^{(i)}_p} :&= \overline{c}_s^{(i)} G,
-     \end{align*}
-     \end{minipage}
-    \begin{minipage}{5cm}
-      \begin{align*}
-       \overline{T_p^{(i)}} :&= t_s^{(i)} G, \\ \\
-      \overline{B^{(i)}} :&= B_{b^{(i)}}(\overline{C_p^{(i)}}),
-      \end{align*}
-    \end{minipage}
-
-    and checks if $\overline{B^{(i)}} = B^{(i)}$
-    and $\overline{T^{(i)}_p} = T^{(i)}_p$.
-
-  \item \label{step:refresh-done} If the commitments were consistent,
-    the mint sends the blind signature $\widetilde{C} := - S_{K}(B^{(\gamma)})$ to the customer.  Otherwise, the mint responds
-    with an error indicating the location of the failure.
+    Then each identity computes the blinded new Coin and the "link":
+    \begin{itemize}
+        \item $B^ {(i)} = B_{b^{(i)}}(C_p^{(i)})$

+ \item $(E^{(i)},T_p^{(i)})=\mathrm{ElGamalEncrypt}_{t^{(i)}_s,C'_p}\left(c_s^{(i)}, b^{(i)}\right)$
+    \end{itemize}
+

+ \item the customer stores all potential new identities together with their private data $c_s, b, t_s$ to disk.
+ \item the customer commits to the mint by signing
+   all potential new Coins and their links.
+   $S_C'\left(B, E, T_p) \right)$
+

+ \item the identity $\gamma$ is selected to become real. It is commited by the mint publishing $S_K(C'_p,\gamma)$.
+ \item the customer lays open all random factors $t_s^{(i)}$
+ for $i\neq\gamma$.
+ \item the mint can now "break" the encryption of all links

+ except link $\gamma$. Now the mint knows all private data for the identities $i\neq \gamma$. + \item the mint checks that all links were created correctly by the customer. So they would have worked
+ for anyone knowing the private key $c'_s$ of the dirty coin.

+ \item \label{step:refresh-done} If the commitments were consistent, so all other links were valid,
+ the mint sends the blind signature $\widetilde{C} :=  + S_{K}(B^{(\gamma)})$ to the customer. Otherwise, the mint responds with an error indicating the location of the failure. Additionally the mint devalues $C'_p$ as punishment for the cheating.
 \end{enumerate}

%\subsection{N-to-M Refreshing}
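
Review bot: The rewritten step "the identity $\gamma$ is selected to become real" no longer says that the mint chooses $\gamma$, or that it is random with $1 \le \gamma \le \kappa$, and the footnote requiring $\gamma$ to be unpredictable is deleted with it. The cut-and-choose argument depends on that choice, so please keep the removed wording "The mint generates a random $\gamma$ with $1 \le \gamma \le \kappa$" together with its footnote. The same rewrite drops two persistence steps the old text stated explicitly: the mint marking $C'_p$ as spent by committing to disk, and the customer committing $\langle C', S_K(C'_p, \gamma) \rangle$ to disk. Smaller points in this hunk: \label{step:refresh-ccheck} is removed, so any \ref to it elsewhere in taler.tex needs updating; $\mathrm{ElGamalEncrypt}$ replaces the removed definition $K_i := H(c'_s T_p^{(i)})$ without being defined in the lines shown; the added line $S_C'\left(B, E, T_p) \right)$ has an unbalanced parenthesis and should use $S_{C'}$ with the vector notation of the old text; "commited" should be "committed". The last added sentence, that the mint devalues $C'_p$ as punishment, changes protocol behaviour rather than wording and is not covered by the subject line "rewrote refresh to be more conceptual", so it should go in its own commit or be named in the commit message.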
--
2.1.4