Re: [Taler] clarifying refresh
From: Fabian Kirsch
Subject: Re: [Taler] clarifying refresh
Date: Sat, 03 Oct 2015 16:34:20 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.7.0
Thanks Luis Resse.
Sorry for the inconvenience.
I fear the patch will become broken by line wrapping.
Here it is:
From 53b622fd6525b4e2aafc88616dd48e8ac756732f Mon Sep 17 00:00:00 2001
From: Fabian Kirsch <address@hidden>
Date: Sat, 3 Oct 2015 15:33:24 +0200
Subject: [PATCH] rewrote refresh to be more conceptual, less algorithmical
To: address@hidden
---
doc/paper/taler.tex | 70
+++++++++++++++++++----------------------------------
1 file changed, 25 insertions(+), 45 deletions(-)
diff --git a/doc/paper/taler.tex b/doc/paper/taler.tex
index e3d595e..aa696f0 100644
--- a/doc/paper/taler.tex
+++ b/doc/paper/taler.tex
@@ -808,53 +808,33 @@ protocol, $\kappa \ge 3$ is a security parameter
and $G$ is the
generator of the elliptic curve.
\begin{enumerate}
- \item For each $i = 1,\ldots,\kappa$, the customer
+ \item For each $i = 1,\ldots,\kappa$, the customer creates a
potential new identity. (which one gets real, is decided later). Each of
the new identities generates randomly:
\begin{itemize}
- \item randomly generates transfer key $T^{(i)} :=
\left(t^{(i)}_s,T^{(i)}_p\right)$ where $T^{(i)}_p := t^{(i)}_s G$,
- \item randomly generates coin key pair \\ $C^{(i)} :=
\left(c_s^{(i)}, C_p^{(i)}\right)$ where $C^{(i)}_p := c^{(i)}_s G$,
- \item randomly generates blinding factors $b^{(i)}$,
- \item computes $E^{(i)} := E_{K_i}\left(c_s^{(i)},
b^{(i)}\right)$ where $K_i := H(c'_s T_p^{(i)})$. (The encryption key
$K_i$ is
- computed by multiplying the private key $c'_s$ of the
original coin with the point on the curve
- that represents the public key $T^{(i)}_p$ of the transfer
key $T^{(i)}$. This is basically DH between coin and transfer key.),
+ \item a coin key pair $C^{(i)} := \left(c_s^{(i)}, C_p^{(i)}\right)$,
+ \item a blinding factor $b^{(i)}$,
+ \item a random factor for ElGamal-crypto $t^{(i)}_s$
\end{itemize}
- and commits $\langle C', \vec{T}, \vec{C}, \vec{b} \rangle$ to disk.
- \item The customer computes $B^{(i)} := B_{b^{(i)}}(C^{(i)}_p)$ for
$i \in \{1,\ldots,\kappa\}$ and sends a commitment
- $S_{C'}(\vec{E}, \vec{B}, \vec{T_p}))$ to the mint.
- \item The mint generates a random\footnote{Auditing processes need to
assure $\gamma$ is unpredictable until this time to
- prevent the mint from assisting tax evasion.} $\gamma$ with $1 \le
\gamma \le \kappa$ and
- marks $C'_p$ as spent by committing
- $\langle C', \gamma, S_{C'}(\vec{E}, \vec{B}, \vec{T}) \rangle$ to
disk.
- \item The mint sends $S_K(C'_p, \gamma)$ to the
customer.\footnote{Instead of $K$, it is also
- possible to use any equivalent mint signing key known to the
customer here, as $K$ merely
- serves as proof to the customer that the mint selected this
particular $\gamma$.}
- \item The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to
disk.
- \item The customer computes $\mathfrak{R} := \left(t_s^{(i)},
C_p^{(i)}, b^{(i)}\right)_{i \ne \gamma}$
- and sends $S_{C'}(\mathfrak{R})$ to the mint.
- \item \label{step:refresh-ccheck} The mint checks whether
$\mathfrak{R}$ is consistent with the commitments;
- specifically, it computes for $i \not= \gamma$:
-
- \vspace{-2ex}
- \begin{minipage}{5cm}
- \begin{align*}
- \overline{K}_i :&= H(t_s^{(i)} C_p'), \\
- (\overline{c}_s^{(i)}, \overline{b}_i) :&=
D_{\overline{K}_i}(E^{(i)}), \\
- \overline{C^{(i)}_p} :&= \overline{c}_s^{(i)} G,
- \end{align*}
- \end{minipage}
- \begin{minipage}{5cm}
- \begin{align*}
- \overline{T_p^{(i)}} :&= t_s^{(i)} G, \\ \\
- \overline{B^{(i)}} :&= B_{b^{(i)}}(\overline{C_p^{(i)}}),
- \end{align*}
- \end{minipage}
-
- and checks if $\overline{B^{(i)}} = B^{(i)}$
- and $\overline{T^{(i)}_p} = T^{(i)}_p$.
-
- \item \label{step:refresh-done} If the commitments were consistent,
- the mint sends the blind signature $\widetilde{C} :=
- S_{K}(B^{(\gamma)})$ to the customer. Otherwise, the mint responds
- with an error indicating the location of the failure.
+ Then each identity computes the blinded new Coin and the "link":
+ \begin{itemize}
+ \item $B^ {(i)} = B_{b^{(i)}}(C_p^{(i)})$
+ \item
$(E^{(i)},T_p^{(i)})=\mathrm{ElGamalEncrypt}_{t^{(i)}_s,C'_p}\left(c_s^{(i)},
b^{(i)}\right)$
+ \end{itemize}
+
+ \item the customer stores all potential new identities together with
their private data $c_s, b, t_s$ to disk.
+ \item the customer commits to the mint by signing
+ all potential new Coins and their links.
+ $S_C'\left(B, E, T_p) \right)$
+
+ \item the identity $\gamma$ is selected to become real. It is commited
by the mint publishing $S_K(C'_p,\gamma)$.
+ \item the customer lays open all random factors $t_s^{(i)}$
+ for $i\neq\gamma$.
+ \item the mint can now "break" the encryption of all links
+ except link $\gamma$. Now the mint knows all private data for the
identities $i\neq \gamma$.
+ \item the mint checks that all links were created correctly by the
customer. So they would have worked
+ for anyone knowing the private key $c'_s$ of the dirty coin.
+ \item \label{step:refresh-done} If the commitments were consistent, so
all other links were valid,
+ the mint sends the blind signature $\widetilde{C} :=
+ S_{K}(B^{(\gamma)})$ to the customer. Otherwise, the mint responds
with an error indicating the location of the failure. Additionally the
mint devalues $C'_p$ as punishment for the cheating.
\end{enumerate}
%\subsection{N-to-M Refreshing}
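Review bot: The item "the mint checks that all links were created correctly" replaces the step that carried \label{step:refresh-ccheck} and the explicit equations, so the label is gone (any \ref to it elsewhere in taler.tex would stop resolving) and the text no longer says which values the mint recomputes and compares. I would keep the label on that item and state the check itself, i.e. that for $i \neq \gamma$ the recomputed $B^{(i)}$ and $T_p^{(i)}$ must equal the committed ones as the removed lines did, and define $\mathrm{ElGamalEncrypt}$ once, since the removed definition $K_i := H(c'_s T_p^{(i)})$ was the only place the link encryption was specified. The mint-side step that marked $C'_p$ as spent by committing $\langle C', \gamma, S_{C'}(\ldots) \rangle$ to disk, the customer-side commit of $S_K(C'_p, \gamma)$ to disk, and both footnotes (on $\gamma$ being unpredictable and on the choice of signing key) are dropped without replacement; if that is intended it belongs in the commit message, as does the new closing sentence about devaluing $C'_p$, which changes protocol behaviour rather than wording. Smaller points in the added lines: "$S_C'\left(B, E, T_p) \right)$" has a stray ")" before "\right)" and should read $S_{C'}$ with the vector notation the old text used; "commited" should be "committed"; "B^ {(i)}" has a stray space; and "identity. (which one gets real, is decided later)." in the first item needs its punctuation fixed.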
--
2.1.4