
[taler-docs] 09/15: added derivation of blinding from private key


From: gnunet
Subject: [taler-docs] 09/15: added derivation of blinding from private key
Date: Wed, 11 Jan 2023 17:27:41 +0100

This is an automated email from the git hooks/post-receive script.

oec pushed a commit to branch master
in repository docs.

commit d5c0aa338dec665b4879f9d24b168ec5512dde55
Author: Özgür Kesim <oec-taler@kesim.org>
AuthorDate: Tue Jan 10 18:32:37 2023 +0100

    added derivation of blinding from private key
---
 core/api-common.rst                      |  1 +
 core/api-exchange.rst                    | 27 +++++++++++++++------------
 design-documents/024-age-restriction.rst | 11 ++++++++---
 3 files changed, 24 insertions(+), 15 deletions(-)

diff --git a/core/api-common.rst b/core/api-common.rst
index 8468cc3..7ce43e9 100644
--- a/core/api-common.rst
+++ b/core/api-common.rst
@@ -633,6 +633,7 @@ uses 512-bit hash codes (64 bytes).
      struct GNUNET_ShortHashCode hash;
    };
 
+.. _BlindedCoinHash:
 .. sourcecode:: c
 
    struct TALER_BlindedCoinHash {
diff --git a/core/api-exchange.rst b/core/api-exchange.rst
index 968511b..6868653 100644
--- a/core/api-exchange.rst
+++ b/core/api-exchange.rst
@@ -2108,7 +2108,7 @@ If so, the exchange will blindly sign ``n`` undisclosed 
coins from the request.
 
     interface AgeWithdrawRequest {
       // Commitment to the coins with age restriction.  This is the SHA512
-      // hash value $ACH over all n*kappa `TALER_CoinPubHashP` values of all
+      // hash value $ACH over all n*kappa `BlindedCoinHash` values of all
       // coins and their age commitments.  It is alter used as part of the URL
       // in the subsequent call to /age-withdraw/$ACH/reveal.
       age_restricted_coins_commitment: HashCode;
@@ -2135,7 +2135,7 @@ If so, the exchange will blindly sign ``n`` undisclosed 
coins from the request.
       // have to disclose
       noreveal_index: Integer;
 
-      // Signature of `TALER_WithdrawAgeRestrictedConfirmationPS` whereby
+      // Signature of `TALER_AgeWithdrawRequestPS` whereby
       // the exchange confirms the ``noreveal_index``.
       exchange_sig: EddsaSignature;
 
@@ -2183,9 +2183,9 @@ If so, the exchange will blindly sign ``n`` undisclosed 
coins from the request.
        ``TALER_EC_EXCHANGE_GENERIC_MISMATCH_OF_AMOUNT_AND_DENOMINATIONS``.
 
 
-  .. ts:def:: WithdrawRevealRequest
+  .. ts:def:: AgeWithdrawRevealRequest
 
-    interface WithdrawRevealRequest {
+    interface AgeWithdrawRevealRequest {
       // Array of ``n`` hash codes of denomination public keys to order.
       // These denominations MUST support age restriction as defined in the
       // output to /keys.
@@ -2207,19 +2207,22 @@ If so, the exchange will blindly sign ``n`` undisclosed 
coins from the request.
   .. ts:def:: DisclosedAgeRestrictedCoin
 
     interface DisclosedAgeRestrictedCoin {
-      // A coin's private key.  The associated age commitment for this coin
-      // MUST be derived from this private key as follows:
+      // A coin's private key.  The associated blinding and age commitment for
+      // this coin MUST be derived from this private key as follows:
       //
-      // For age group $AG from 1 up to
-      //           <maximum age group as defined in the reserve>
-      // (if they exist), set
+      // Calculate the blinding beta as
+      //    beta := HKDF(coin_priv, "blinding")
+      //
+      // Let m ∈  {1,...,M} be the maximum age group as defined in the reserve
+      // that the wallet can commit to.
+      //
+      // For age group $AG ∈  {1,...m}, set
       //     seed = HDKF(coin_priv, "age-commitment", $AG)
       //   p[$AG] = Edx25519_generate_private(seed)
       // and calculate the corresponding Edx25519PublicKey as
       //   q[$AG] = Edx25519_public_from_private(p[$AG])
       //
-      // For age groups $AG _larger_ than the maximum age group allowed
-      // (if they exist), set
+      // For age groups $AG ∈  {m,...,M}, set
       //   f[$AG] = HDKF(coin_priv, "age-factor", $AG)
       // and calculate the corresponding Edx25519PublicKey as
       //   q[$AG] = Edx25519_derive_public(`PublishedAgeRestrictionBaseKey`, 
f[$AG])
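Review bot: The two age-group ranges in the new comment overlap at m: `$AG ∈ {1,...m}` assigns q[$AG] from a generated private key p[$AG], and `$AG ∈ {m,...,M}` assigns q[$AG] from a derived factor f[$AG], so for group m both rules apply and the commitment is ambiguous; the removed wording ("larger than the maximum age group") suggests the second range should read `// For age groups $AG ∈  {m+1,...,M}, set`. The design-documents hunk in this commit keeps `a \in \{1,\ldots,m\}` for the first range, so its upper range (outside the hunk) should be checked for the same boundary. Separately, the new line `beta := HKDF(coin_priv, "blinding")` spells the function "HKDF" while the neighbouring context lines write "HDKF"; since wallet and exchange must derive identical values, the spec should use one spelling and, ideally, state the salt/info and output length that `HKDF` is invoked with here.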
@@ -2227,7 +2230,7 @@ If so, the exchange will blindly sign ``n`` undisclosed 
coins from the request.
       // Finally, with coin_priv and age commitment (q[]), the exchange
       // will calculate the coin's public key coin_pub and use the
       //    TALER_CoinPubHashP(coin_pub, age_commitment_hash(q))
-      // during the verification of the original age-withdraw-commitment
+      // during the verification of the original age-withdraw-commitment.
       coin_priv: EddsaPrivateKey;
 
     }
diff --git a/design-documents/024-age-restriction.rst 
b/design-documents/024-age-restriction.rst
index 996e563..ae3874c 100644
--- a/design-documents/024-age-restriction.rst
+++ b/design-documents/024-age-restriction.rst
@@ -374,13 +374,18 @@ of data by the amount of coins in question--, but all 
with the same value of
 
 The *actual* implementation of the protocol above will have a major 
optimization
 to keep the bandwidth usage to a minimum.  Instead of generating and sending
-the age commitment (array of public keys) for each coin, the wallet *MUST*
-derive the corresponding age commitments from the coin's private key
-:math:`c_s` itself as follows:
+the age commitment (array of public keys) and blindings for each coin, the
+wallet *MUST* derive the corresponding blindings and the age commitments from
+the coin's private key :math:`c_s` itself as follows:
 
 Let :math:`m \in \{1,\ldots,M\}` be the maximum age (according to the reserve)
 that a wallet can commit to during the withdrawal.
 
+Calculate the blinding :math:`\beta` for the coin as
+
+.. math::
+     \beta &:= \text{HKDF}(c_s, \text{"blinding"})
+
 For age group :math:`a \in \{1,\ldots,m\}`, set
 
 .. math::



