Re: [Taler] clarifying refresh

[Fabian Kirsch]

Thanks Luis Resse.
Sorry for the inconvenience.
I fear the patch to become broken by line wrapping.
Here it is:


From 53b622fd6525b4e2aafc88616dd48e8ac756732f Mon Sep 17 00:00:00 2001
From: Fabian Kirsch <address@hidden>
Date: Sat, 3 Oct 2015 15:33:24 +0200
Subject: [PATCH] rewrote refresh to be more conceptual, less algorithmical
To: address@hidden

---
 doc/paper/taler.tex | 70 
+++++++++++++++++++----------------------------------
 1 file changed, 25 insertions(+), 45 deletions(-)

diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index e3d595e..aa696f0 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -808,53 +808,33 @@ protocol, $\kappa \ge 3$ is a security parameter 
and $G$ is the
 generator of the elliptic curve.

 \begin{enumerate}
-  \item For each $i = 1,\ldots,\kappa$, the customer
+  \item For each $i = 1,\ldots,\kappa$, the customer creates a 
potential new identity. (which one gets real, is decided later). Each of 
the new identities generates randomly:
     \begin{itemize}
-      \item randomly generates transfer key $T^{(i)} := 
\left(t^{(i)}_s,T^{(i)}_p\right)$ where $T^{(i)}_p := t^{(i)}_s G$,
-      \item randomly generates coin key pair \\ $C^{(i)} := 
\left(c_s^{(i)}, C_p^{(i)}\right)$ where $C^{(i)}_p := c^{(i)}_s G$,
-      \item randomly generates blinding factors $b^{(i)}$,
-      \item computes $E^{(i)} := E_{K_i}\left(c_s^{(i)}, 
b^{(i)}\right)$ where $K_i := H(c'_s T_p^{(i)})$. (The encryption key 
$K_i$ is
-            computed by multiplying the private key $c'_s$ of the 
original coin with the point on the curve
-            that represents the public key $T^{(i)}_p$ of the transfer 
key $T^{(i)}$. This is basically DH between coin and transfer key.),
+      \item a coin key pair $C^{(i)} := \left(c_s^{(i)}, C_p^{(i)}\right)$,
+      \item a blinding factor $b^{(i)}$,
+      \item a random factor for ElGamal-crypto  $t^{(i)}_s$
     \end{itemize}
-    and commits $\langle C', \vec{T}, \vec{C}, \vec{b} \rangle$ to disk.
-  \item The customer computes $B^{(i)} := B_{b^{(i)}}(C^{(i)}_p)$ for 
$i \in \{1,\ldots,\kappa\}$ and sends a commitment
-    $S_{C'}(\vec{E}, \vec{B}, \vec{T_p}))$ to the mint.
-  \item The mint generates a random\footnote{Auditing processes need to 
assure $\gamma$ is unpredictable until this time to
-    prevent the mint from assisting tax evasion.} $\gamma$ with $1 \le 
\gamma \le \kappa$ and
-    marks $C'_p$ as spent by committing
-    $\langle C', \gamma, S_{C'}(\vec{E}, \vec{B}, \vec{T}) \rangle$ to 
disk.
-  \item The mint sends $S_K(C'_p, \gamma)$ to the 
customer.\footnote{Instead of $K$, it is also
-    possible to use any equivalent mint signing key known to the 
customer here, as $K$ merely
-    serves as proof to the customer that the mint selected this 
particular $\gamma$.}
-  \item The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to 
disk.
-  \item The customer computes $\mathfrak{R} := \left(t_s^{(i)}, 
C_p^{(i)}, b^{(i)}\right)_{i \ne \gamma}$
-        and sends $S_{C'}(\mathfrak{R})$ to the mint.
-  \item \label{step:refresh-ccheck} The mint checks whether 
$\mathfrak{R}$ is consistent with the commitments;
-    specifically, it computes for $i \not= \gamma$:
-
-    \vspace{-2ex}
-    \begin{minipage}{5cm}
-    \begin{align*}
-      \overline{K}_i :&= H(t_s^{(i)} C_p'), \\
-      (\overline{c}_s^{(i)}, \overline{b}_i) :&= 
D_{\overline{K}_i}(E^{(i)}), \\
-     \overline{C^{(i)}_p} :&= \overline{c}_s^{(i)} G,
-     \end{align*}
-     \end{minipage}
-    \begin{minipage}{5cm}
-      \begin{align*}
-       \overline{T_p^{(i)}} :&= t_s^{(i)} G, \\ \\
-      \overline{B^{(i)}} :&= B_{b^{(i)}}(\overline{C_p^{(i)}}),
-      \end{align*}
-    \end{minipage}
-
-    and checks if $\overline{B^{(i)}} = B^{(i)}$
-    and $\overline{T^{(i)}_p} = T^{(i)}_p$.
-
-  \item \label{step:refresh-done} If the commitments were consistent,
-    the mint sends the blind signature $\widetilde{C} :=
-    S_{K}(B^{(\gamma)})$ to the customer.  Otherwise, the mint responds
-    with an error indicating the location of the failure.
+    Then each identity computes the blinded new Coin and the "link":
+    \begin{itemize}
+        \item $B^ {(i)} = B_{b^{(i)}}(C_p^{(i)})$
+        \item 
$(E^{(i)},T_p^{(i)})=\mathrm{ElGamalEncrypt}_{t^{(i)}_s,C'_p}\left(c_s^{(i)}, 
b^{(i)}\right)$
+    \end{itemize}
+
+ \item the customer stores all potential new identities together with 
their private data $c_s, b, t_s$ to disk.
+ \item the customer commits to the mint by signing
+   all potential new Coins and their links.
+   $S_C'\left(B, E, T_p)  \right)$
+
+ \item the identity $\gamma$ is selected to become real. It is commited 
by the mint publishing $S_K(C'_p,\gamma)$.
+ \item the customer lays open all random factors $t_s^{(i)}$
+ for $i\neq\gamma$.
+ \item the mint can now "break" the encryption of all links
+  except link $\gamma$. Now the mint knows all private data for the 
identities $i\neq \gamma$.
+ \item the mint checks that all links were created correctly by the 
customer. So they would have worked
+ for anyone knowing the private key $c'_s$ of the dirty coin.
+ \item \label{step:refresh-done} If the commitments were consistent, so 
all other links were valid,
+ the mint sends the blind signature $\widetilde{C} :=
+    S_{K}(B^{(\gamma)})$ to the customer.  Otherwise, the mint responds 
with an error indicating the location of the failure. Additionally the 
mint devalues $C'_p$ as punishment for the cheating.
 \end{enumerate}

 %\subsection{N-to-M Refreshing}
--
2.1.4