Start making the protocol more explicit

This commit is contained in:
Jeff Burdges 2016-09-12 15:53:20 +02:00
parent b1ec11e492
commit 937d7f48b9
5 changed files with 425 additions and 44 deletions


@ -0,0 +1,62 @@
\begin{figure}[th]
\begin{minipage}[b]{0.45\linewidth}
\begin{center}
\begin{tikzpicture}[scale = 0.4,
transform shape,
msglabel/.style = { text = Black, yshift = .3cm,
sloped, midway },
okmsg/.style = { ->, color = MidnightBlue, thick,
>=stealth },
rstmsg/.style = { ->, color = BrickRed, thick,
>=stealth }
]
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h1) at (-4, 0) {};
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h2) at (4, 0) {};
\node[above = 0cm of h1] {Merchant};
\node[above = 0cm of h2] {Exchange};
\path[->, color = MidnightBlue, very thick, >=stealth]
(-5, 4.5) edge
node[rotate=90, text = Black, yshift = .3cm] {Time}
(-5, -4.5);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h1.east)+(0,3)$) edge
node[text = Black, yshift = .3cm, sloped] {$S_{DK}(C), S_{c}(D)$}
($(h2.west)+(0,2)$);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h2.west)+(0,0.5)$) edge
node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(S_{c}(D))$}
($(h1.east)+(0,-0.5)$);
\path[rstmsg]
($(h2.west)+(0, -2.5)$) edge
node[msglabel] {409 CONFLICT: $S_{c}(D')$}
($(h1.east)+(0, -3.5)$);
\node at (5.3, 0) {};
\end{tikzpicture}
\end{center}
\end{minipage}
\hspace{0.5cm}
\begin{minipage}[b]{0.45\linewidth}
\tiny
\begin{description}
\item[$DK$] Denomination key
\item[$S_{DK}()$] RSA-FDH signature using $DK$
\item[$c$] Private coin key, $C := cG$.
\item[$S_{C}()$] EdDSA signature using $c$
\item[$D$] Deposit details
\item[$SK$] Exchange's signing key
\item[$S_{SK}()$] EdDSA signature using $SK$
\item[$D'$] Conficting deposit details $D' \not= D$
\end{description}
\end{minipage}
\end{figure}
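Review bot: The legend's signature notation does not match the diagram: the arrows use `$S_{c}(D)$` (L42, L46) and `$S_{c}(D')$` (L50) with a lowercase coin key, but the legend defines `\item[$S_{C}()$]` with a capital C, so the coin-key signature the merchant forwards is never actually defined. Suggest `\item[$S_{c}()$] EdDSA signature using $c$` and, while there, `\item[$D'$] Conflicting deposit details $D' \not= D$` ("Conficting" is misspelled). The 409 CONFLICT arrow returns only `$S_{c}(D')$`; the paper text in this same commit (L469-471) says the exchange returns the records of the previous transactions, so the legend could say that `D'` is a previously accepted deposit permission, which is what lets the merchant verify the coin was genuinely spent elsewhere. The `okmsg` style declared at L19 is never used; the blue arrows repeat its options inline instead.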

54
doc/paper/figs/keys.tex Normal file

@ -0,0 +1,54 @@
\begin{figure}[th]
\begin{minipage}[b]{0.45\linewidth}
\begin{center}
\begin{tikzpicture}[scale = 0.4,
transform shape,
msglabel/.style = { text = Black, yshift = .3cm,
sloped, midway },
okmsg/.style = { ->, color = MidnightBlue, thick,
>=stealth },
rstmsg/.style = { ->, color = BrickRed, thick,
>=stealth }
]
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h1) at (-4, 0) {};
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h2) at (4, 0) {};
\node[above = 0cm of h1] {Wallet};
\node[above = 0cm of h2] {Exchange};
\path[->, color = MidnightBlue, very thick, >=stealth]
(-5, 4.5) edge
node[rotate=90, text = Black, yshift = .3cm] {Time}
(-5, -4.5);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h1.east)+(0,3)$) edge
node[text = Black, yshift = .3cm, sloped] {GET {\tt /keys}}
($(h2.west)+(0,2)$);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h2.west)+(0,0.5)$) edge
node[text = Black, yshift = .3cm, sloped] {200 OK: $S_T(DK,A_{DK},M), S_M(SK)$}
($(h1.east)+(0,-0.5)$);
\node at (5.3, 0) {};
\end{tikzpicture}
\end{center}
\end{minipage}
\hspace{0.4cm}
\begin{minipage}[b]{0.45\linewidth}
\tiny
\begin{description}
\item[$T$] financial regulator key Necessarily pinned
\item[$DK$] RSA public key (``denomination key'')
\item[$A_{DK}$] Value of coins signed by $DK$
\item[$M$] Offline master key of exchange
\item[$SK$] Online signing key of exchange
\end{description}
\end{minipage}
\end{figure}
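Review bot: The legend entry at L121, `\item[$T$] financial regulator key Necessarily pinned`, is two fragments run together; suggest `\item[$T$] Financial regulator key (necessarily pinned in the wallet)`, since pinning `T` is the trust anchor that gives the `S_T(DK,A_{DK},M)` chain on the 200 OK arrow (L111) any meaning. The legend also leaves `S_T()` and `S_M()` undefined, whereas the deposit figure's legend names each scheme (`\item[$S_{DK}()$] RSA-FDH signature using $DK$`), so parallel `\item[$S_T()$]` and `\item[$S_M()$]` entries would keep the figures consistent and make the T → (DK, M) → SK verification order explicit. As a point of style, `{\tt /keys}` at L107 is the obsolete two-letter font switch; `\texttt{/keys}` is the LaTeX2e form, and the same applies to `{\tt ...}` and `{\cal ...}` throughout refresh.tex (L135, L166, L186, L189 and following), where `\texttt` and `\mathcal` are the intended commands.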

200
doc/paper/figs/refresh.tex Normal file

@ -0,0 +1,200 @@
\begin{frame}{Taler {\tt /refresh/melt}}
\begin{figure}[th]
\begin{minipage}[b]{0.45\linewidth}
\begin{center}
\begin{tikzpicture}[scale = 0.4,
transform shape,
msglabel/.style = { text = Black, yshift = .3cm,
sloped, midway },
okmsg/.style = { ->, color = MidnightBlue, thick,
>=stealth },
rstmsg/.style = { ->, color = BrickRed, thick,
>=stealth }
]
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h1) at (-4, 0) {};
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h2) at (4, 0) {};
\node[above = 0cm of h1] {Customer};
\node[above = 0cm of h2] {Exchange};
\path[->, color = MidnightBlue, very thick, >=stealth]
(-5, 4.5) edge
node[rotate=90, text = Black, yshift = .3cm] {Time}
(-5, -4.5);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h1.east)+(0,3)$) edge
node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/melt} $S_{DK}(C), S_c({\cal DK}, {\cal T},{\cal B})$}
($(h2.west)+(0,2)$);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h2.west)+(0,0.5)$) edge
node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(H({\cal T}, {\cal B}),\gamma)$}
($(h1.east)+(0,-0.5)$);
\path[rstmsg]
($(h2.west)+(0, -2.5)$) edge
node[msglabel] {409 CONFLICT: $S_{C}(X), \ldots$}
($(h1.east)+(0, -3.5)$);
\node at (5.3, 0) {};
\end{tikzpicture}
\end{center}
\end{minipage}
\hspace{0.5cm}
\begin{minipage}[b]{0.45\linewidth}
\tiny
\begin{description}
\item[$\kappa$] System-wide security parameter, usually 3.
\\ \smallskip
\item[$\cal DK$] $:= [DK^{(i)}]_i$ \\ List of denomination keys \\
$D + \sum_i A_{DK^{(i)}} < A_{DK}$
\item[$t_j$] Random scalar for $j<\kappa$
\item[${\cal T}$] $:= [T_j]_\kappa$ where $T_j = t_j G$
\item[$k_j$] $:= c T_j = t_j C$ is an ECDHE
\item[$b_j^{(i)}$] $:= \texttt{KDFb}(k_j,i)$ % blinding factor
\item[$c_j^{(i)}$] $:= \texttt{KDFc}(k_j,i)$ % coin secret keys
\item[$C_j^{(i)}$] $: = c_j^{(i)} G$ % new coin publics % keys
\item[${\cal B}$] $:= [H( \beta_j )]_\kappa$ where \\
$\beta_j := \left[ B_{b_j^{(i)}}(C_j^{(i)}) \right]_i$
\\ \smallskip
\item[$\gamma$] Random value in $[0,\kappa)$
% \\ \smallskip
% \item[$X$] Deposit or refresh
\end{description}
\end{minipage}
\end{figure}
\end{frame}
\begin{frame}{Taler {\tt /refresh/reveal}}
\begin{figure}[th]
\begin{minipage}[b]{0.45\linewidth}
\begin{center}
\begin{tikzpicture}[scale = 0.4,
transform shape,
msglabel/.style = { text = Black, yshift = .3cm,
sloped, midway },
okmsg/.style = { ->, color = MidnightBlue, thick,
>=stealth },
rstmsg/.style = { ->, color = BrickRed, thick,
>=stealth }
]
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h1) at (-4, 0) {};
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h2) at (4, 0) {};
\node[above = 0cm of h1] {Customer};
\node[above = 0cm of h2] {Exchange};
\path[->, color = MidnightBlue, very thick, >=stealth]
(-5, 4.5) edge
node[rotate=90, text = Black, yshift = .3cm] {Time}
(-5, -4.5);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h1.east)+(0,3)$) edge
node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/reveal} $H({\cal T}, {\cal B}), {\tilde{\cal T}}, \beta_\gamma$}
($(h2.west)+(0,2)$);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h2.west)+(0,0.5)$) edge
node[text = Black, yshift = .3cm, sloped] {200 OK: $\cal S$}
($(h1.east)+(0,-0.5)$);
\path[rstmsg]
($(h2.west)+(0, -2.5)$) edge
node[msglabel] {400 BAD REQUEST: $Z$}
($(h1.east)+(0, -3.5)$);
\node at (5.3, 0) {};
\end{tikzpicture}
\end{center}
\end{minipage}
\hspace{0.5cm}
\begin{minipage}[b]{0.45\linewidth}
\tiny
\begin{description}
\item[$\cal DK$] $:= [DK^{(i)}]_i$
\item[$t_j$] .. \\ \smallskip
\item[$\tilde{\cal T}$] $:= [t_j | j \in \kappa, j \neq \gamma]$ \\ \smallskip
\item[$k_\gamma$] $:= c T_\gamma = t_\gamma C$
\item[$b_\gamma^{(i)}$] $:= \texttt{KDFb}(k_\gamma,i)$
\item[$c_\gamma^{(i)}$] $:= \texttt{KDFc}(k_\gamma,i)$
\item[$C_\gamma^{(i)}$] $: = c_\gamma^{(i)} G$
\item[$B_\gamma^{(i)}$] $:= B_{b_\gamma^{(i)}}(C_\gamma^{(i)})$
\item[$\beta_\gamma$] $:= \big[ B_\gamma^{(i)} \big]_i$
\item[$\cal S$] $:= \left[ S_{DK^{(i)}}( B_\gamma^{(i)} ) \right]_i$ \\ \smallskip
\item[$Z$] Cut-and-choose missmatch information
\end{description}
\end{minipage}
\end{figure}
\end{frame}
\begin{frame}{Taler {\tt /refresh/link}}
\begin{figure}[th]
\begin{minipage}[b]{0.45\linewidth}
\begin{center}
\begin{tikzpicture}[scale = 0.4,
transform shape,
msglabel/.style = { text = Black, yshift = .3cm,
sloped, midway },
okmsg/.style = { ->, color = MidnightBlue, thick,
>=stealth },
rstmsg/.style = { ->, color = BrickRed, thick,
>=stealth }
]
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h1) at (-4, 0) {};
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h2) at (4, 0) {};
\node[above = 0cm of h1] {Customer};
\node[above = 0cm of h2] {Exchagne};
\path[->, color = MidnightBlue, very thick, >=stealth]
(-5, 4.5) edge
node[rotate=90, text = Black, yshift = .3cm] {Time}
(-5, -4.5);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h1.east)+(0,3)$) edge
node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/link} $C$}
($(h2.west)+(0,2)$);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h2.west)+(0,0.5)$) edge
node[text = Black, yshift = .3cm, sloped] {200 OK: $T_\gamma$}
($(h1.east)+(0,-0.5)$);
\path[rstmsg]
($(h2.west)+(0, -2.5)$) edge
node[msglabel] {404 NOT FOUND}
($(h1.east)+(0, -3.5)$);
\node at (5.3, 0) {};
\end{tikzpicture}
\end{center}
\end{minipage}
\hspace{0.5cm}
\begin{minipage}[b]{0.45\linewidth}
\tiny
\begin{description}
\item[$C$] Old coind public key \\ \smallskip
\item[$T_\gamma$] Linkage data $\cal L$ at $\gamma$
\end{description}
\end{minipage}
\end{figure}
\end{frame}
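Review bot: The three figures are wrapped in `\begin{frame}{...}` (L135, L204, L268), a beamer environment, while the sibling figure file keys.tex (L77) uses a bare `figure`; unless the paper is a beamer document — the preamble hunk at L378-394 shows an article-style package list with nothing suggesting beamer — `frame` is undefined and this file will not compile when it is `\input`. Either drop the `frame` wrappers or move the frame titles into `\caption`s. The 409 CONFLICT label at L174 references `$S_{C}(X)$` but the legend's `X` entry is commented out (L199), and `$\cal L$` at L318 is defined nowhere, so both error payloads are undefined in the figure. The index sets are also inconsistent: L188 has `$j<\kappa$`, L255 `$j \in \kappa$` and L197 `$[0,\kappa)$`; `$j \in \{0,\ldots,\kappa-1\}$` throughout would settle it. Typos: "Exchagne" (L292), "missmatch" (L263), "Old coind" (L317), and `$: =$` at L193 and L259 should be `:=`.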


@ -0,0 +1,49 @@
\begin{SCfigure}
\begin{minipage}[b]{0.45\linewidth}
\begin{tikzpicture}[scale = 0.4,
transform shape,
msglabel/.style = { text = Black, yshift = .3cm,
sloped, midway },
okmsg/.style = { ->, color = MidnightBlue, thick,
>=stealth },
rstmsg/.style = { ->, color = BrickRed, thick,
>=stealth }
]
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h1) at (-4, 0) {};
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h2) at (4, 0) {};
\node[above = 0cm of h1] {Wallet};
\node[above = 0cm of h2] {Exchange};
\path[->, color = MidnightBlue, very thick, >=stealth]
(-5, 4.5) edge
node[rotate=90, text = Black, yshift = .3cm] {Time}
(-5, -4.5);
\path[okmsg, dashed]
($(h1.east)+(0, 4.0)+(0, -1.0)$) edge
node[msglabel] {SEPA(RK,A)}
($(h2.west)+(0, 3.5)+(0, -1.0)$);
\path[okmsg]
($(h1.east)+(0, -1.0)$) edge
node[msglabel] {$S_{RK}(DK, B_b(C))$}
($(h2.west)+(0, -1.5)$);
\path[okmsg]
($(h2.west)+(0, -2.0)$) edge
node[msglabel] {200 OK: $S_{DK}(B_b(C))$)}
($(h1.east)+(0, -2.5)$);
\path[rstmsg]
($(h2.west)+(0, -3.5)$) edge
node[msglabel] {402 PAYMENT REQUIRED: $S_{RK}(DK, B_b(C))$)}
($(h1.east)+(0, -4)$);
\node at (5.3, 0) {};
\end{tikzpicture}
\end{minipage}
\end{SCfigure}
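Review bot: `\begin{SCfigure}` at L327 needs the `sidecap` package, but the preamble change in this same commit only adds it commented out (`% \usepackage{sidecap}` at L391), so this file cannot compile as included; either enable `\usepackage{sidecap}` or use a plain `figure` like the other new figure files. The 200 OK and 402 labels at L364 and L368 carry a stray closing parenthesis after the math, `$S_{DK}(B_b(C))$)`, which should be `$S_{DK}(B_b(C))$`. Unlike the other figures this one has no legend, so `RK`, `A`, `B_b` and `SEPA(RK,A)` are undefined here; a `description` minipage mirroring L59-68 would fix that. The 402 PAYMENT REQUIRED arrow merely echoes the request back; presumably it is the insufficient-reserve failure the paper text mentions (L427), and the label should say so rather than repeat `$S_{RK}(DK, B_b(C))$`.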


@ -26,15 +26,18 @@
\usepackage{palatino} \usepackage{palatino}
\usepackage{xspace} \usepackage{xspace}
\usepackage{microtype} \usepackage{microtype}
\usepackage{tikz,eurosym} \usepackage{amsmath,amssymb,eurosym}
\usepackage{amsmath,amssymb} \usepackage[dvipsnames]{xcolor}
\usepackage{enumitem} \usepackage{tikz}
\usetikzlibrary{shapes,arrows} \usetikzlibrary{shapes,arrows}
\usetikzlibrary{positioning} \usetikzlibrary{positioning}
\usetikzlibrary{calc} \usetikzlibrary{calc}
% \usepackage{enumitem}
\usepackage{caption} \usepackage{caption}
\usepackage{subcaption} \usepackage{subcaption}
\usepackage{subfig} \usepackage{subfig}
% \usepackage{sidecap}
% \usepackage{wrapfig}
% Relate to: % Relate to:
% http://fc14.ifca.ai/papers/fc14_submission_124.pdf % http://fc14.ifca.ai/papers/fc14_submission_124.pdf
@ -607,7 +610,6 @@ We use RSA for denomination keys and EdDSA over some eliptic curve
$\mathbb{E}$ for all other keys. Let $G$ denote the generator of $\mathbb{E}$ for all other keys. Let $G$ denote the generator of
our elliptic curve $\mathbb{E}$. our elliptic curve $\mathbb{E}$.
\subsection{Withdrawal} \subsection{Withdrawal}
To withdraw anonymous digital coins, the customer first selects an To withdraw anonymous digital coins, the customer first selects an
@ -624,23 +626,28 @@ Now the customer carries out the following interaction with the exchange:
% It does create some confusion, like is a withdrawal key semi-ephemeral % It does create some confusion, like is a withdrawal key semi-ephemeral
% like a linking key? % like a linking key?
\begin{enumerate} \begin{description}
\item The customer randomly generates: \item[Setup] The customer randomly generates:
\begin{itemize} \begin{itemize}
\item withdrawal key $W := (w_s,W_p)$ with private key $w_s$ and public key $W_p$, \item withdrawal key $W := (w_s,W_p)$ with private key $w_s$ and public key $W_p$,
\item coin key $C := (c_s,C_p)$ with private key $c_s$ and public key $C_p := c_s G$, \item coin key $C := (c_s,C_p)$ with private key $c_s$ and public key $C_p := c_s G$,
\item blinding factor $b$, and commits $\langle W, C, b \rangle$ to disk. \item blinding factor $b$, and commits $\langle W, C, b \rangle$ to disk.
\end{itemize} \end{itemize}
\item The customer transfers an amount of money corresponding to at least $K_v$ \item[SEPA Send]
to the exchange, with $W_p$ in the subject line of the transaction. The customer transfers an amount of money corresponding to
\item The exchange receives the transaction and credits the $W_p$ reserve with at least $K_v$ to the exchange, with $W_p$ in the subject line
the respective amount in its database. of the transaction.
\item The customer sends $S_W(B)$ where $B := B_b(\FDH_K(C_p))$ to the exchange \item[SEPA Recieve]
to request withdrawal of $C$; here, $B_b$ denotes Chaum-style blinding with The exchange receives the transaction and credits the reserve $W_p$
blinding factor $b$. with the respective amount in its database.
\item The exchange checks if the same withdrawal request was issued before; \item[POST {\tt /withdraw/sign}]
in this case, it sends $S_K(B)$ to the customer.% The customer sends $S_W(B)$ where $B := B_b(\FDH_K(C_p))$ to
\footnote{$S_K$ denotes a Chaum-style blind signature with private key $K_s$.} the exchange to request withdrawal of $C$; here, $B_b$ denotes
Chaum-style blinding with blinding factor $b$.
\item[200 OK / 402 PAYMENT REQUIRED]
The exchange checks if the same withdrawal request was issued before;
in this case, it sends a Chaum-style blind signature $S_K(B)$ with
private key $K_s$ to the customer. \\
If this is a fresh withdrawal request, the exchange performs the following transaction: If this is a fresh withdrawal request, the exchange performs the following transaction:
\begin{enumerate} \begin{enumerate}
\item checks if the reserve $W_p$ has sufficient funds \item checks if the reserve $W_p$ has sufficient funds
@ -656,11 +663,11 @@ Now the customer carries out the following interaction with the exchange:
Assuming the signature was valid, this would involve showing the transaction Assuming the signature was valid, this would involve showing the transaction
history for the reserve. history for the reserve.
% FIXME: Is it really the whole history? % FIXME: Is it really the whole history?
\item The customer computes and verifies the unblinded signature \item[Done] The customer computes and verifies the unblinded signature
$S_K(\FDH_K{C_p}) = U_b(S_K(B))$. $S_K(\FDH_K{C_p}) = U_b(S_K(B))$.
Finally the customer saves the coin $\langle S_K(\FDH_K(C_p)), c_s \rangle$ Finally the customer saves the coin $\langle S_K(\FDH_K(C_p)), c_s \rangle$
to their local wallet on disk. to their local wallet on disk.
\end{enumerate} \end{description}
\subsection{Exact and partial spending} \subsection{Exact and partial spending}
@ -681,11 +688,13 @@ with signature $\widetilde{C} := S_K(\FDH_K(C_p))$
% FIXME: Again, these steps occur at different points in time, maybe % FIXME: Again, these steps occur at different points in time, maybe
% that's okay, but refresh is slightly different. % that's okay, but refresh is slightly different.
\begin{enumerate} \begin{description}
\item\label{contract} \item[Merchant Setup] % \label{contract}
Let $\vec{X} := \langle X_1, \ldots, X_n \rangle$ denote the list of Let $\vec{X} := \langle X_1, \ldots, X_n \rangle$ denote the list of
exchanges accepted by the merchant where each $X_j$ is a exchange's exchanges accepted by the merchant where each $X_j$ is a exchange's
public key. The merchant creates a digitally signed contract public key.
\item[Proposal]
The merchant creates a digitally signed contract
$\mathcal{A} := S_M(m, f, a, H(p, r), \vec{X})$ $\mathcal{A} := S_M(m, f, a, H(p, r), \vec{X})$
where $m$ is an identifier for this transaction, $a$ is data relevant where $m$ is an identifier for this transaction, $a$ is data relevant
to the contract indicating which services or goods the merchant will to the contract indicating which services or goods the merchant will
@ -693,26 +702,30 @@ with signature $\widetilde{C} := S_K(\FDH_K(C_p))$
$p$ is the merchant's payment information (e.g. his IBAN number), and $p$ is the merchant's payment information (e.g. his IBAN number), and
$r$ is a random nonce. The merchant commits $\langle \mathcal{A} \rangle$ $r$ is a random nonce. The merchant commits $\langle \mathcal{A} \rangle$
to disk and sends $\mathcal{A}$ to the customer. to disk and sends $\mathcal{A}$ to the customer.
\item\label{deposit} \item[Customer Setup] % \label{deposit}
The customer should already possess a coin issued by a exchange that is The customer should already possess a coin issued by a exchange that is
accepted by the merchant, meaning $K$ should be publicly signed by accepted by the merchant, meaning $K$ should be publicly signed by
some $X_j$ from $\vec{X}$, and has a value $\geq f$. some $X_j$ from $\vec{X}$, and has a value $\geq f$.
\item The customer generates a \emph{deposit-permission} $\mathcal{D} := \item[POST {\tt /???}]
S_c(\widetilde{C}, m, f, H(a), H(p,r), M_p)$ The customer generates a \emph{deposit-permission}
$\mathcal{D} := S_c(\widetilde{C}, m, f, H(a), H(p,r), M_p)$
and sends $\langle \mathcal{D}, X_j\rangle$ to the merchant, and sends $\langle \mathcal{D}, X_j\rangle$ to the merchant,
where $X_j$ is the exchange which signed $K$. where $X_j$ is the exchange which signed $K$.
\item The merchant gives $(\mathcal{D}, p, r)$ to the exchange, thereby \item[POST {\tt/deposit}]
The merchant gives $(\mathcal{D}, p, r)$ to the exchange, thereby
revealing $p$ only to the exchange. revealing $p$ only to the exchange.
\item The exchange validates $\mathcal{D}$ and checks for double spending. \item[200 OK / 409 CONFLICT]
The exchange validates $\mathcal{D}$ and checks for double spending.
If the coin has been involved in previous transactions and the new If the coin has been involved in previous transactions and the new
one would exceed its remaining value, it sends an error one would exceed its remaining value, it sends an error
with the records from the previous transactions back to the merchant. with the records from the previous transactions back to the merchant. \\
% %
If double spending is not found, the exchange commits $\langle \mathcal{D} \rangle$ to disk If double spending is not found, the exchange commits $\langle \mathcal{D} \rangle$ to disk
and notifies the merchant that the deposit operation was successful. and notifies the merchant that the deposit operation was successful.
\item The merchant commits and forwards the notification from the exchange to the \item[200 OK / ???]
The merchant commits and forwards the notification from the exchange to the
customer, confirming the success or failure of the operation. customer, confirming the success or failure of the operation.
\end{enumerate} \end{description}
We have simplified the exposition by assuming that one coin suffices, We have simplified the exposition by assuming that one coin suffices,
but in practice a customer can use multiple coins from the same but in practice a customer can use multiple coins from the same
@ -771,8 +784,9 @@ generator of the elliptic curve.
% FIXME: I'm explicit about the rounds in postquantum.tex % FIXME: I'm explicit about the rounds in postquantum.tex
\begin{enumerate} \begin{description}
\item For each $i = 1,\ldots,\kappa$, the customer randomly generates \item[POST {\tt /refresh/melt}]
For each $i = 1,\ldots,\kappa$, the customer randomly generates
a transfer private key $t^{(i)}_s$ and computes a transfer private key $t^{(i)}_s$ and computes
\begin{itemize} \begin{itemize}
\item the transfer public key $T^{(i)}_p := t^{(i)}_s G$ and \item the transfer public key $T^{(i)}_p := t^{(i)}_s G$ and
@ -800,19 +814,21 @@ generator of the elliptic curve.
The customer computes $B^{(i)} := B_{b^{(i)}}(\FDH_K(C^{(i)}_p))$ The customer computes $B^{(i)} := B_{b^{(i)}}(\FDH_K(C^{(i)}_p))$
for $i \in \{1,\ldots,\kappa\}$ and sends a commitment for $i \in \{1,\ldots,\kappa\}$ and sends a commitment
$S_{C'}(\vec{B}, \vec{T_p})$ to the exchange. $S_{C'}(\vec{B}, \vec{T_p})$ to the exchange.
\item The exchange generates a random $\gamma$ with $1 \le \gamma \le \kappa$ and \item[200 OK / 409 CONFLICT]
The exchange generates a random $\gamma$ with $1 \le \gamma \le \kappa$ and
marks $C'_p$ as spent by committing marks $C'_p$ as spent by committing
$\langle C', \gamma, S_{C'}(\vec{B}, \vec{T_p}) \rangle$ to disk. $\langle C', \gamma, S_{C'}(\vec{B}, \vec{T_p}) \rangle$ to disk.
Auditing processes should assure that $\gamma$ is unpredictable until Auditing processes should assure that $\gamma$ is unpredictable until
this time to prevent the exchange from assisting tax evasion. this time to prevent the exchange from assisting tax evasion. \\
\item The exchange sends $S_{K'}(C'_p, \gamma)$ to the customer where %
The exchange sends $S_{K'}(C'_p, \gamma)$ to the customer where
$K'$ is the exchange's message signing key. $K'$ is the exchange's message signing key.
\item The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk. \item[POST {\tt /refresh/reveal}]
The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk.
% \item Also, the customer assembles
Also, the customer assembles $\mathfrak{R} := \left(t_s^{(i)}\right)_{i \ne \gamma}$ $\mathfrak{R} := \left(t_s^{(i)}\right)_{i \ne \gamma}$
and sends $S_{C'}(\mathfrak{R})$ to the exchange. and sends $S_{C'}(\mathfrak{R})$ to the exchange.
\item \label{step:refresh-ccheck} \item[200 OK / 400 BAD REQUEST] % \label{step:refresh-ccheck}
The exchange checks whether $\mathfrak{R}$ is consistent with The exchange checks whether $\mathfrak{R}$ is consistent with
the commitments; specifically, it computes for $i \not= \gamma$: the commitments; specifically, it computes for $i \not= \gamma$:
@ -835,12 +851,12 @@ generator of the elliptic curve.
and checks if $\overline{B^{(i)}} = B^{(i)}$ and checks if $\overline{B^{(i)}} = B^{(i)}$
and $\overline{T^{(i)}_p} = T^{(i)}_p$. and $\overline{T^{(i)}_p} = T^{(i)}_p$.
\item \label{step:refresh-done} % \item[200 OK / 409 CONFLICT] % \label{step:refresh-done}
If the commitments were consistent, the exchange sends the If the commitments were consistent, the exchange sends the
blind signature $\widetilde{C} := S_{K}(B^{(\gamma)})$ to the customer. blind signature $\widetilde{C} := S_{K}(B^{(\gamma)})$ to the customer.
Otherwise, the exchange responds with an error indicating Otherwise, the exchange responds with an error indicating
the location of the failure. the location of the failure.
\end{enumerate} \end{description}
%\subsection{N-to-M Refreshing} %\subsection{N-to-M Refreshing}
% %