[talerdocs] branch master updated: need coin's master secret for agewi
From: gnunet
Subject: [talerdocs] branch master updated: need coin's master secret for agewithdraw
Date: Sun, 12 Mar 2023 22:41:18 +0100
This is an automated email from the git hooks/postreceive script.
oec pushed a commit to branch master
in repository docs.
The following commit(s) were added to refs/heads/master by this push:
new fbba983 need coin's master secret for agewithdraw
fbba983 is described below
commit fbba9835f225bb03ac6a6d4910adcc078588eeed
Author: Özgür Kesim <oectaler@kesim.org>
AuthorDate: Sun Mar 12 22:41:13 2023 +0100
need coin's master secret for agewithdraw

core/apiexchange.rst  46 +++++++++++++++
designdocuments/024agerestriction.rst  29 +++++
2 files changed, 29 insertions(+), 46 deletions()
diff git a/core/apiexchange.rst b/core/apiexchange.rst
index fad19e8..1909006 100644
 a/core/apiexchange.rst
+++ b/core/apiexchange.rst
@@ 2468,47 +2468,45 @@ If so, the exchange will blindly sign ``n`` undisclosed
coins from the request.
// in ``denoms_h``.
coin_evs: CoinEnvelope[];
 // Array of ``n`` arrays of ``kappa  1`` disclosed coin private keys,
 // from which the associated age commitments are also derived.
 disclosed_coins: DisclosedAgeRestrictedCoin[][];

 }

 .. ts:def:: DisclosedAgeRestrictedCoin

 interface DisclosedAgeRestrictedCoin {
 // A coin's private key. The associated blinding and age commitment for
 // this coin MUST be derived from this private key as follows:
+ // Array of ``n`` of ``(kappa  1)`` disclosed coin secrets, from
+ // which the coins' private key ``coin_priv``, blinding ``beta`` and
nonce
+ // ``nonce`` (for ClauseSchnorr) itself are derived as usually in wallet
+ // core.
+ // (TODO: description of the derivation process of the coin's private
+ // key, blinding and nonce).
//
 // Calculate the blinding beta as
 // beta := HKDF(coin_priv, "blinding")
 //
 // If the denominations are for ClauseSchnorrSignatures, calculate the
 // nonce as
 // nonce := HKDF(coin_priv, "csnonce")
+ // Given a coin's secret, the age commitment for the coin MUST be
+ // derived from this private key as follows:
//
// Let m ∈ {1,...,M} be the maximum age group as defined in the reserve
// that the wallet can commit to.
//
// For age group $AG ∈ {1,...m}, set
 // seed = HDKF(coin_priv, "agecommitment", $AG)
+ // seed = HDKF(coin_secret, "agecommitment", $AG)
// p[$AG] = Edx25519_generate_private(seed)
// and calculate the corresponding Edx25519PublicKey as
// q[$AG] = Edx25519_public_from_private(p[$AG])
//
// For age groups $AG ∈ {m,...,M}, set
 // f[$AG] = HDKF(coin_priv, "agefactor", $AG)
+ // f[$AG] = HDKF(coin_secret, "agefactor", $AG)
// and calculate the corresponding Edx25519PublicKey as
// q[$AG] = Edx25519_derive_public(`PublishedAgeRestrictionBaseKey`,
f[$AG])
//
 // Finally, with coin_priv and age commitment (q[]), the exchange
 // will calculate the coin's public key coin_pub and use the
 // TALER_CoinPubHashP(coin_pub, age_commitment_hash(q))
 // during the verification of the original agewithdrawcommitment.
 coin_priv: EddsaPrivateKey;
+ // Given each coin's private key and age commitment (``q[]``), the
+ // exchange will calculate each coin's blinded hash value und use all
+ // those (disclosed) blinded hashes together with the nondisclosed
+ // envelopes ``coin_evs`` during the verification of the original
+ // agewithdrawcommitment.
+ disclosed_coin_secrets: AgeRestrictedCoinSecret[][];
}
+ .. ts:def:: AgeRestrictedCoinSecret
+
+ // The Master key material for the derivation of age restricted private
+ // coins, blinding factors and age restrictions
+ type AgeRestrictedCoinSecret = string;
+
.. ts:def:: PublishedAgeRestrictionBaseKey
// The value for ``PublishedAgeRestrictionBaseKey`` is a randomly chosen
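Review bot: the new comment on ``disclosed_coin_secrets`` leaves the derivation of ``coin_priv``, ``beta`` and ``nonce`` as a TODO, while the removed lines gave explicit rules (``beta := HKDF(coin_priv, "blinding")``, ``nonce := HKDF(coin_priv, "csnonce")``). The exchange has to recompute these values from each disclosed secret to verify the commitment, so the derivation should be specified here or linked before this lands; otherwise wallet and exchange implementations have no normative text to agree on. Also in the added lines: "derived from this private key as follows" should now read "from this secret", since the HKDF input is ``coin_secret``; ``HDKF`` looks like a typo for ``HKDF``; "und" should be "and"; and ``type AgeRestrictedCoinSecret = string`` does not state the encoding or length of the secret.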
diff git a/designdocuments/024agerestriction.rst
b/designdocuments/024agerestriction.rst
index 6ad7c3d..db39234 100644
 a/designdocuments/024agerestriction.rst
+++ b/designdocuments/024agerestriction.rst
@@ 380,39 +380,25 @@ the coin's private key itself as follows:
Let
 :math:`c_s` be the private key of the coin,
+ :math:`s` be the master secret of the coin, from which the private key
:math:`c_s`, blinding :math:`\beta` and nonce :math:`n` are derived as usual in
the wallet core
 :math:`m \in \{1,\ldots,M\}` be the maximum age (according to the reserve)
that a wallet can commit to during the withdrawal.
 :math:`P` be a published constant Edx25519publickey to which the private
key is not known to any client.

Then calculate the blinding :math:`\beta` for the coin as

.. math::
 \beta &:= \text{HKDF}(c_s, \text{"blinding"})

If the denomination is using ClauseSchnorr signatures, calculate the nonce
:math:`n` for the coin as

.. math::
 n &:= \text{HKDF}(c_s, \text{"csnonce"})



For the age commitment, calculate:
1. For age group :math:`a \in \{1,\ldots,m\}`, set
.. math::
 s_a &:= \text{HDKF}(c_s, \text{"agecommitment"}, a) \\
+ s_a &:= \text{HDKF}(s, \text{"agecommitment"}, a) \\
p_a &:= \text{Edx25519\_generate\_private}(s_a) \\
q_a &:= \text{Edx25519\_public\_from\_private}(p_a)
2. For age group :math:`a \in \{m,\ldots,M\}`, set
.. math::
 f_a &:= \text{HDKF}(c_s, \text{"agefactor"}, a) \\
+ f_a &:= \text{HDKF}(s, \text{"agefactor"}, a) \\
q_a &:= \text{Edx25519\_derive\_public}(P, f_a).
Then the vector :math:`\vec{q} = \{q_1,\ldots,q_M\}` is then the age commitment
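Review bot: in the "Let" list, the new definition of :math:`s` says the private key, blinding and nonce are derived "as usual in the wallet core", and the same hunk deletes the only explicit formulas for :math:`\beta` and :math:`n`. The design document then no longer states how the exchange derives them; add a reference to where that derivation is specified, or keep the formulas with :math:`s` as input. Separately, the master secret :math:`s` now sits next to the per-age-group seed :math:`s_a`, which reads like a component of :math:`s`; consider renaming one of them. ``HDKF`` in the two changed formulas is presumably meant to be ``HKDF``.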
@@ 420,10 +406,10 @@ associated to the coin's private key :math:`c_s`. For
the nondisclosed coins,
the wallet can use the vector :math:`(p_1,\ldots,p_m,\bot,\ldots,\bot)` of
private keys for the attestation.
Provided with the private key :math:`c_s`, the exchange can therefore calculate
the blinding :math:`\beta`, the nonce :math:`n` (if needed) and the age
commitment :math:`\vec{q}` itself, along with the coin's public key :math:`C_p`
and use the value of
+Provided with the secret :math:`s`, the exchange can therefore calculate the
+private key :math:`c_s`, the blinding :math:`\beta`, the nonce :math:`n` (if
+needed) and the age commitment :math:`\vec{q}`, along with the coin's public
+key :math:`C_p` and use the value of
.. math::
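Review bot: the rewritten paragraph makes :math:`s` the value the exchange is given, but the unchanged text just above (visible in the hunk header context) still calls :math:`\vec{q}` the age commitment "associated to the coin's private key :math:`c_s`". After this change the commitment is derived from :math:`s`, not from :math:`c_s`, so that sentence should be updated in the same commit to avoid two conflicting descriptions of the input.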
@@ 431,7 +417,6 @@ and use the value of
during the verification of the original agewithdrawcommitment.

For the withdrawal with age restriction, a sketch of the corresponding database
schema in the exchange is given here:

To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.