fix inconsistency in reveal step formulation, now matches implementation
This commit is contained in:
Christian Grothoff
parent
cf5b48eaaa
commit
41126e6d24
@ -828,7 +828,7 @@ generator of the elliptic curve.
|
|||||||
possible to use any equivalent mint signing key known to the customer here, as $K$ merely
|
possible to use any equivalent mint signing key known to the customer here, as $K$ merely
|
||||||
serves as proof to the customer that the mint selected this particular $\gamma$.}
|
serves as proof to the customer that the mint selected this particular $\gamma$.}
|
||||||
\item The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk.
|
\item The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk.
|
||||||
\item The customer computes $\mathfrak{R} := \left(t_s^{(i)}, C_p^{(i)}, b^{(i)}\right)_{i \ne \gamma}$
|
\item The customer computes $\mathfrak{R} := \left(t_s^{(i)}\right)_{i \ne \gamma}$
|
||||||
and sends $S_{C'}(\mathfrak{R})$ to the mint.
|
and sends $S_{C'}(\mathfrak{R})$ to the mint.
|
||||||
\item \label{step:refresh-ccheck} The mint checks whether $\mathfrak{R}$ is consistent with the commitments;
|
\item \label{step:refresh-ccheck} The mint checks whether $\mathfrak{R}$ is consistent with the commitments;
|
||||||
specifically, it computes for $i \not= \gamma$:
|
specifically, it computes for $i \not= \gamma$:
|
||||||
@ -837,20 +837,21 @@ generator of the elliptic curve.
|
|||||||
\begin{minipage}{5cm}
|
\begin{minipage}{5cm}
|
||||||
\begin{align*}
|
\begin{align*}
|
||||||
\overline{K}_i :&= H(t_s^{(i)} C_p'), \\
|
\overline{K}_i :&= H(t_s^{(i)} C_p'), \\
|
||||||
(\overline{c}_s^{(i)}, \overline{b}_i) :&= D_{\overline{K}_i}(E^{(i)}), \\
|
(\overline{c}_s^{(i)}, \overline{b_i}) :&= D_{\overline{K}_i}(E^{(i)}), \\
|
||||||
\overline{C^{(i)}_p} :&= \overline{c}_s^{(i)} G,
|
\overline{C^{(i)}_p} :&= \overline{c}_s^{(i)} G,
|
||||||
\end{align*}
|
\end{align*}
|
||||||
\end{minipage}
|
\end{minipage}
|
||||||
\begin{minipage}{5cm}
|
\begin{minipage}{5cm}
|
||||||
\begin{align*}
|
\begin{align*}
|
||||||
\overline{T_p^{(i)}} :&= t_s^{(i)} G, \\ \\
|
\overline{T_p^{(i)}} :&= t_s^{(i)} G, \\ \\
|
||||||
\overline{B^{(i)}} :&= B_{b^{(i)}}(\overline{C_p^{(i)}}),
|
\overline{B^{(i)}} :&= B_{\overline{b_i}}(\overline{C_p^{(i)}}),
|
||||||
\end{align*}
|
\end{align*}
|
||||||
\end{minipage}
|
\end{minipage}
|
||||||
|
|
||||||
and checks if $\overline{B^{(i)}} = B^{(i)}$
|
and checks if $\overline{B^{(i)}} = B^{(i)}$
|
||||||
and $\overline{T^{(i)}_p} = T^{(i)}_p$.
|
and $\overline{T^{(i)}_p} = T^{(i)}_p$.
|
||||||
|
|
||||||
|
|
||||||
\item \label{step:refresh-done} If the commitments were consistent,
|
\item \label{step:refresh-done} If the commitments were consistent,
|
||||||
the mint sends the blind signature $\widetilde{C} :=
|
the mint sends the blind signature $\widetilde{C} :=
|
||||||
S_{K}(B^{(\gamma)})$ to the customer. Otherwise, the mint responds
|
S_{K}(B^{(\gamma)})$ to the customer. Otherwise, the mint responds
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user