taler/exchange
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Start making the protocol more explicit

Browse Source
This commit is contained in:
Jeff Burdges 2016-09-12 15:53:20 +02:00
parent b1ec11e492
commit 937d7f48b9
5 changed files with 425 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
doc/paper/figs/deposit.tex Normal file
View File

@ -0,0 +1,62 @@
\begin{figure}[th]
\begin{minipage}[b]{0.45\linewidth}
\begin{center}
\begin{tikzpicture}[scale = 0.4,
transform shape,
msglabel/.style = { text = Black, yshift = .3cm,
sloped, midway },
okmsg/.style = { ->, color = MidnightBlue, thick,
>=stealth },
rstmsg/.style = { ->, color = BrickRed, thick,
>=stealth }
]
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h1) at (-4, 0) {};
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h2) at (4, 0) {};
\node[above = 0cm of h1] {Merchant};
\node[above = 0cm of h2] {Exchange};
\path[->, color = MidnightBlue, very thick, >=stealth]
(-5, 4.5) edge
node[rotate=90, text = Black, yshift = .3cm] {Time}
(-5, -4.5);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h1.east)+(0,3)$) edge
node[text = Black, yshift = .3cm, sloped] {$S_{DK}(C), S_{c}(D)$}
($(h2.west)+(0,2)$);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h2.west)+(0,0.5)$) edge
node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(S_{c}(D))$}
($(h1.east)+(0,-0.5)$);
\path[rstmsg]
($(h2.west)+(0, -2.5)$) edge
node[msglabel] {409 CONFLICT: $S_{c}(D')$}
($(h1.east)+(0, -3.5)$);
\node at (5.3, 0) {};
\end{tikzpicture}
\end{center}
\end{minipage}
\hspace{0.5cm}
\begin{minipage}[b]{0.45\linewidth}
\tiny
\begin{description}
\item[$DK$] Denomination key
\item[$S_{DK}()$] RSA-FDH signature using $DK$
\item[$c$] Private coin key, $C := cG$.
\item[$S_{C}()$] EdDSA signature using $c$
\item[$D$] Deposit details
\item[$SK$] Exchange's signing key
\item[$S_{SK}()$] EdDSA signature using $SK$
\item[$D'$] Conficting deposit details $D' \not= D$
\end{description}
\end{minipage}
\end{figure}

54
doc/paper/figs/keys.tex Normal file
View File

@ -0,0 +1,54 @@
\begin{figure}[th]
\begin{minipage}[b]{0.45\linewidth}
\begin{center}
\begin{tikzpicture}[scale = 0.4,
transform shape,
msglabel/.style = { text = Black, yshift = .3cm,
sloped, midway },
okmsg/.style = { ->, color = MidnightBlue, thick,
>=stealth },
rstmsg/.style = { ->, color = BrickRed, thick,
>=stealth }
]
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h1) at (-4, 0) {};
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h2) at (4, 0) {};
\node[above = 0cm of h1] {Wallet};
\node[above = 0cm of h2] {Exchange};
\path[->, color = MidnightBlue, very thick, >=stealth]
(-5, 4.5) edge
node[rotate=90, text = Black, yshift = .3cm] {Time}
(-5, -4.5);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h1.east)+(0,3)$) edge
node[text = Black, yshift = .3cm, sloped] {GET {\tt /keys}}
($(h2.west)+(0,2)$);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h2.west)+(0,0.5)$) edge
node[text = Black, yshift = .3cm, sloped] {200 OK: $S_T(DK,A_{DK},M), S_M(SK)$}
($(h1.east)+(0,-0.5)$);
\node at (5.3, 0) {};
\end{tikzpicture}
\end{center}
\end{minipage}
\hspace{0.4cm}
\begin{minipage}[b]{0.45\linewidth}
\tiny
\begin{description}
\item[$T$] financial regulator key Necessarily pinned
\item[$DK$] RSA public key (``denomination key'')
\item[$A_{DK}$] Value of coins signed by $DK$
\item[$M$] Offline master key of exchange
\item[$SK$] Online signing key of exchange
\end{description}
\end{minipage}
\end{figure}

200
doc/paper/figs/refresh.tex Normal file
View File

@ -0,0 +1,200 @@
\begin{frame}{Taler {\tt /refresh/melt}}
\begin{figure}[th]
\begin{minipage}[b]{0.45\linewidth}
\begin{center}
\begin{tikzpicture}[scale = 0.4,
transform shape,
msglabel/.style = { text = Black, yshift = .3cm,
sloped, midway },
okmsg/.style = { ->, color = MidnightBlue, thick,
>=stealth },
rstmsg/.style = { ->, color = BrickRed, thick,
>=stealth }
]
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h1) at (-4, 0) {};
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h2) at (4, 0) {};
\node[above = 0cm of h1] {Customer};
\node[above = 0cm of h2] {Exchange};
\path[->, color = MidnightBlue, very thick, >=stealth]
(-5, 4.5) edge
node[rotate=90, text = Black, yshift = .3cm] {Time}
(-5, -4.5);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h1.east)+(0,3)$) edge
node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/melt} $S_{DK}(C), S_c({\cal DK}, {\cal T},{\cal B})$}
($(h2.west)+(0,2)$);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h2.west)+(0,0.5)$) edge
node[text = Black, yshift = .3cm, sloped] {200 OK: $S_{SK}(H({\cal T}, {\cal B}),\gamma)$}
($(h1.east)+(0,-0.5)$);
\path[rstmsg]
($(h2.west)+(0, -2.5)$) edge
node[msglabel] {409 CONFLICT: $S_{C}(X), \ldots$}
($(h1.east)+(0, -3.5)$);
\node at (5.3, 0) {};
\end{tikzpicture}
\end{center}
\end{minipage}
\hspace{0.5cm}
\begin{minipage}[b]{0.45\linewidth}
\tiny
\begin{description}
\item[$\kappa$] System-wide security parameter, usually 3.
\\ \smallskip
\item[$\cal DK$] $:= [DK^{(i)}]_i$ \\ List of denomination keys \\
$D + \sum_i A_{DK^{(i)}} < A_{DK}$
\item[$t_j$] Random scalar for $j<\kappa$
\item[${\cal T}$] $:= [T_j]_\kappa$ where $T_j = t_j G$
\item[$k_j$] $:= c T_j = t_j C$ is an ECDHE
\item[$b_j^{(i)}$] $:= \texttt{KDFb}(k_j,i)$ % blinding factor
\item[$c_j^{(i)}$] $:= \texttt{KDFc}(k_j,i)$ % coin secret keys
\item[$C_j^{(i)}$] $: = c_j^{(i)} G$ % new coin publics % keys
\item[${\cal B}$] $:= [H( \beta_j )]_\kappa$ where \\
$\beta_j := \left[ B_{b_j^{(i)}}(C_j^{(i)}) \right]_i$
\\ \smallskip
\item[$\gamma$] Random value in $[0,\kappa)$
% \\ \smallskip
% \item[$X$] Deposit or refresh
\end{description}
\end{minipage}
\end{figure}
\end{frame}
\begin{frame}{Taler {\tt /refresh/reveal}}
\begin{figure}[th]
\begin{minipage}[b]{0.45\linewidth}
\begin{center}
\begin{tikzpicture}[scale = 0.4,
transform shape,
msglabel/.style = { text = Black, yshift = .3cm,
sloped, midway },
okmsg/.style = { ->, color = MidnightBlue, thick,
>=stealth },
rstmsg/.style = { ->, color = BrickRed, thick,
>=stealth }
]
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h1) at (-4, 0) {};
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h2) at (4, 0) {};
\node[above = 0cm of h1] {Customer};
\node[above = 0cm of h2] {Exchange};
\path[->, color = MidnightBlue, very thick, >=stealth]
(-5, 4.5) edge
node[rotate=90, text = Black, yshift = .3cm] {Time}
(-5, -4.5);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h1.east)+(0,3)$) edge
node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/reveal} $H({\cal T}, {\cal B}), {\tilde{\cal T}}, \beta_\gamma$}
($(h2.west)+(0,2)$);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h2.west)+(0,0.5)$) edge
node[text = Black, yshift = .3cm, sloped] {200 OK: $\cal S$}
($(h1.east)+(0,-0.5)$);
\path[rstmsg]
($(h2.west)+(0, -2.5)$) edge
node[msglabel] {400 BAD REQUEST: $Z$}
($(h1.east)+(0, -3.5)$);
\node at (5.3, 0) {};
\end{tikzpicture}
\end{center}
\end{minipage}
\hspace{0.5cm}
\begin{minipage}[b]{0.45\linewidth}
\tiny
\begin{description}
\item[$\cal DK$] $:= [DK^{(i)}]_i$
\item[$t_j$] .. \\ \smallskip
\item[$\tilde{\cal T}$] $:= [t_j | j \in \kappa, j \neq \gamma]$ \\ \smallskip
\item[$k_\gamma$] $:= c T_\gamma = t_\gamma C$
\item[$b_\gamma^{(i)}$] $:= \texttt{KDFb}(k_\gamma,i)$
\item[$c_\gamma^{(i)}$] $:= \texttt{KDFc}(k_\gamma,i)$
\item[$C_\gamma^{(i)}$] $: = c_\gamma^{(i)} G$
\item[$B_\gamma^{(i)}$] $:= B_{b_\gamma^{(i)}}(C_\gamma^{(i)})$
\item[$\beta_\gamma$] $:= \big[ B_\gamma^{(i)} \big]_i$
\item[$\cal S$] $:= \left[ S_{DK^{(i)}}( B_\gamma^{(i)} ) \right]_i$ \\ \smallskip
\item[$Z$] Cut-and-choose missmatch information
\end{description}
\end{minipage}
\end{figure}
\end{frame}
\begin{frame}{Taler {\tt /refresh/link}}
\begin{figure}[th]
\begin{minipage}[b]{0.45\linewidth}
\begin{center}
\begin{tikzpicture}[scale = 0.4,
transform shape,
msglabel/.style = { text = Black, yshift = .3cm,
sloped, midway },
okmsg/.style = { ->, color = MidnightBlue, thick,
>=stealth },
rstmsg/.style = { ->, color = BrickRed, thick,
>=stealth }
]
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h1) at (-4, 0) {};
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h2) at (4, 0) {};
\node[above = 0cm of h1] {Customer};
\node[above = 0cm of h2] {Exchagne};
\path[->, color = MidnightBlue, very thick, >=stealth]
(-5, 4.5) edge
node[rotate=90, text = Black, yshift = .3cm] {Time}
(-5, -4.5);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h1.east)+(0,3)$) edge
node[text = Black, yshift = .3cm, sloped] {POST {\tt /refresh/link} $C$}
($(h2.west)+(0,2)$);
\path[->, color = MidnightBlue, thick, >=stealth]
($(h2.west)+(0,0.5)$) edge
node[text = Black, yshift = .3cm, sloped] {200 OK: $T_\gamma$}
($(h1.east)+(0,-0.5)$);
\path[rstmsg]
($(h2.west)+(0, -2.5)$) edge
node[msglabel] {404 NOT FOUND}
($(h1.east)+(0, -3.5)$);
\node at (5.3, 0) {};
\end{tikzpicture}
\end{center}
\end{minipage}
\hspace{0.5cm}
\begin{minipage}[b]{0.45\linewidth}
\tiny
\begin{description}
\item[$C$] Old coind public key \\ \smallskip
\item[$T_\gamma$] Linkage data $\cal L$ at $\gamma$
\end{description}
\end{minipage}
\end{figure}
\end{frame}

49
doc/paper/figs/withdraw.tex Normal file
View File

@ -0,0 +1,49 @@
\begin{SCfigure}
\begin{minipage}[b]{0.45\linewidth}
\begin{tikzpicture}[scale = 0.4,
transform shape,
msglabel/.style = { text = Black, yshift = .3cm,
sloped, midway },
okmsg/.style = { ->, color = MidnightBlue, thick,
>=stealth },
rstmsg/.style = { ->, color = BrickRed, thick,
>=stealth }
]
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h1) at (-4, 0) {};
\node[draw = MidnightBlue,
fill = CornflowerBlue,
minimum width = .3cm,
minimum height = 10cm
] (h2) at (4, 0) {};
\node[above = 0cm of h1] {Wallet};
\node[above = 0cm of h2] {Exchange};
\path[->, color = MidnightBlue, very thick, >=stealth]
(-5, 4.5) edge
node[rotate=90, text = Black, yshift = .3cm] {Time}
(-5, -4.5);
\path[okmsg, dashed]
($(h1.east)+(0, 4.0)+(0, -1.0)$) edge
node[msglabel] {SEPA(RK,A)}
($(h2.west)+(0, 3.5)+(0, -1.0)$);
\path[okmsg]
($(h1.east)+(0, -1.0)$) edge
node[msglabel] {$S_{RK}(DK, B_b(C))$}
($(h2.west)+(0, -1.5)$);
\path[okmsg]
($(h2.west)+(0, -2.0)$) edge
node[msglabel] {200 OK: $S_{DK}(B_b(C))$)}
($(h1.east)+(0, -2.5)$);
\path[rstmsg]
($(h2.west)+(0, -3.5)$) edge
node[msglabel] {402 PAYMENT REQUIRED: $S_{RK}(DK, B_b(C))$)}
($(h1.east)+(0, -4)$);
\node at (5.3, 0) {};
\end{tikzpicture}
\end{minipage}
\end{SCfigure}

98
doc/paper/taler.tex
View File

@ -26,15 +26,18 @@
\usepackage{palatino}
\usepackage{xspace}
\usepackage{microtype}
\usepackage{tikz,eurosym}
\usepackage{amsmath,amssymb}
\usepackage{enumitem}
\usepackage{amsmath,amssymb,eurosym}
\usepackage[dvipsnames]{xcolor}
\usepackage{tikz}
\usetikzlibrary{shapes,arrows}
\usetikzlibrary{positioning}
\usetikzlibrary{calc}
% \usepackage{enumitem}
\usepackage{caption}
\usepackage{subcaption}
\usepackage{subfig}
% \usepackage{sidecap}
% \usepackage{wrapfig}
% Relate to:
% http://fc14.ifca.ai/papers/fc14_submission_124.pdf
@ -607,7 +610,6 @@ We use RSA for denomination keys and EdDSA over some eliptic curve
$\mathbb{E}$ for all other keys. Let $G$ denote the generator of
our elliptic curve $\mathbb{E}$.
\subsection{Withdrawal}
To withdraw anonymous digital coins, the customer first selects an
@ -624,23 +626,28 @@ Now the customer carries out the following interaction with the exchange:
% It does create some confusion, like is a withdrawal key semi-ephemeral
% like a linking key?
\begin{enumerate}
\item The customer randomly generates:
\begin{description}
\item[Setup] The customer randomly generates:
\begin{itemize}
\item withdrawal key $W := (w_s,W_p)$ with private key $w_s$ and public key $W_p$,
\item coin key $C := (c_s,C_p)$ with private key $c_s$ and public key $C_p := c_s G$,
\item blinding factor $b$, and commits $\langle W, C, b \rangle$ to disk.
\end{itemize}
\item The customer transfers an amount of money corresponding to at least $K_v$
to the exchange, with $W_p$ in the subject line of the transaction.
\item The exchange receives the transaction and credits the $W_p$ reserve with
the respective amount in its database.
\item The customer sends $S_W(B)$ where $B := B_b(\FDH_K(C_p))$ to the exchange
to request withdrawal of $C$; here, $B_b$ denotes Chaum-style blinding with
blinding factor $b$.
\item The exchange checks if the same withdrawal request was issued before;
in this case, it sends $S_K(B)$ to the customer.%
\footnote{$S_K$ denotes a Chaum-style blind signature with private key $K_s$.}
\item[SEPA Send]
The customer transfers an amount of money corresponding to
at least $K_v$ to the exchange, with $W_p$ in the subject line
of the transaction.
\item[SEPA Recieve]
The exchange receives the transaction and credits the reserve $W_p$
with the respective amount in its database.
\item[POST {\tt /withdraw/sign}]
The customer sends $S_W(B)$ where $B := B_b(\FDH_K(C_p))$ to
the exchange to request withdrawal of $C$; here, $B_b$ denotes
Chaum-style blinding with blinding factor $b$.
\item[200 OK / 402 PAYMENT REQUIRED]
The exchange checks if the same withdrawal request was issued before;
in this case, it sends a Chaum-style blind signature $S_K(B)$ with
private key $K_s$ to the customer. \\
If this is a fresh withdrawal request, the exchange performs the following transaction:
\begin{enumerate}
\item checks if the reserve $W_p$ has sufficient funds
@ -656,11 +663,11 @@ Now the customer carries out the following interaction with the exchange:
Assuming the signature was valid, this would involve showing the transaction
history for the reserve.
% FIXME: Is it really the whole history?
\item The customer computes and verifies the unblinded signature
\item[Done] The customer computes and verifies the unblinded signature
$S_K(\FDH_K{C_p}) = U_b(S_K(B))$.
Finally the customer saves the coin $\langle S_K(\FDH_K(C_p)), c_s \rangle$
to their local wallet on disk.
\end{enumerate}
\end{description}
\subsection{Exact and partial spending}
@ -681,11 +688,13 @@ with signature $\widetilde{C} := S_K(\FDH_K(C_p))$
% FIXME: Again, these steps occur at different points in time, maybe
% that's okay, but refresh is slightly different.
\begin{enumerate}
\item\label{contract}
\begin{description}
\item[Merchant Setup] % \label{contract}
Let $\vec{X} := \langle X_1, \ldots, X_n \rangle$ denote the list of
exchanges accepted by the merchant where each $X_j$ is a exchange's
public key. The merchant creates a digitally signed contract
public key.
\item[Proposal]
The merchant creates a digitally signed contract
$\mathcal{A} := S_M(m, f, a, H(p, r), \vec{X})$
where $m$ is an identifier for this transaction, $a$ is data relevant
to the contract indicating which services or goods the merchant will
@ -693,26 +702,30 @@ with signature $\widetilde{C} := S_K(\FDH_K(C_p))$
$p$ is the merchant's payment information (e.g. his IBAN number), and
$r$ is a random nonce. The merchant commits $\langle \mathcal{A} \rangle$
to disk and sends $\mathcal{A}$ to the customer.
\item\label{deposit}
\item[Customer Setup] % \label{deposit}
The customer should already possess a coin issued by a exchange that is
accepted by the merchant, meaning $K$ should be publicly signed by
some $X_j$ from $\vec{X}$, and has a value $\geq f$.
\item The customer generates a \emph{deposit-permission} $\mathcal{D} :=
S_c(\widetilde{C}, m, f, H(a), H(p,r), M_p)$
\item[POST {\tt /???}]
The customer generates a \emph{deposit-permission}
$\mathcal{D} := S_c(\widetilde{C}, m, f, H(a), H(p,r), M_p)$
and sends $\langle \mathcal{D}, X_j\rangle$ to the merchant,
where $X_j$ is the exchange which signed $K$.
\item The merchant gives $(\mathcal{D}, p, r)$ to the exchange, thereby
\item[POST {\tt/deposit}]
The merchant gives $(\mathcal{D}, p, r)$ to the exchange, thereby
revealing $p$ only to the exchange.
\item The exchange validates $\mathcal{D}$ and checks for double spending.
\item[200 OK / 409 CONFLICT]
The exchange validates $\mathcal{D}$ and checks for double spending.
If the coin has been involved in previous transactions and the new
one would exceed its remaining value, it sends an error
with the records from the previous transactions back to the merchant.
with the records from the previous transactions back to the merchant. \\
%
If double spending is not found, the exchange commits $\langle \mathcal{D} \rangle$ to disk
and notifies the merchant that the deposit operation was successful.
\item The merchant commits and forwards the notification from the exchange to the
\item[200 OK / ???]
The merchant commits and forwards the notification from the exchange to the
customer, confirming the success or failure of the operation.
\end{enumerate}
\end{description}
We have simplified the exposition by assuming that one coin suffices,
but in practice a customer can use multiple coins from the same
@ -771,8 +784,9 @@ generator of the elliptic curve.
% FIXME: I'm explicit about the rounds in postquantum.tex
\begin{enumerate}
\item For each $i = 1,\ldots,\kappa$, the customer randomly generates
\begin{description}
\item[POST {\tt /refresh/melt}]
For each $i = 1,\ldots,\kappa$, the customer randomly generates
a transfer private key $t^{(i)}_s$ and computes
\begin{itemize}
\item the transfer public key $T^{(i)}_p := t^{(i)}_s G$ and
@ -800,19 +814,21 @@ generator of the elliptic curve.
The customer computes $B^{(i)} := B_{b^{(i)}}(\FDH_K(C^{(i)}_p))$
for $i \in \{1,\ldots,\kappa\}$ and sends a commitment
$S_{C'}(\vec{B}, \vec{T_p})$ to the exchange.
\item The exchange generates a random $\gamma$ with $1 \le \gamma \le \kappa$ and
\item[200 OK / 409 CONFLICT]
The exchange generates a random $\gamma$ with $1 \le \gamma \le \kappa$ and
marks $C'_p$ as spent by committing
$\langle C', \gamma, S_{C'}(\vec{B}, \vec{T_p}) \rangle$ to disk.
Auditing processes should assure that $\gamma$ is unpredictable until
this time to prevent the exchange from assisting tax evasion.
\item The exchange sends $S_{K'}(C'_p, \gamma)$ to the customer where
this time to prevent the exchange from assisting tax evasion. \\
%
The exchange sends $S_{K'}(C'_p, \gamma)$ to the customer where
$K'$ is the exchange's message signing key.
\item The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk.
% \item
Also, the customer assembles $\mathfrak{R} := \left(t_s^{(i)}\right)_{i \ne \gamma}$
\item[POST {\tt /refresh/reveal}]
The customer commits $\langle C', S_K(C'_p, \gamma) \rangle$ to disk.
Also, the customer assembles
$\mathfrak{R} := \left(t_s^{(i)}\right)_{i \ne \gamma}$
and sends $S_{C'}(\mathfrak{R})$ to the exchange.
\item \label{step:refresh-ccheck}
\item[200 OK / 400 BAD REQUEST] % \label{step:refresh-ccheck}
The exchange checks whether $\mathfrak{R}$ is consistent with
the commitments; specifically, it computes for $i \not= \gamma$:
@ -835,12 +851,12 @@ generator of the elliptic curve.
and checks if $\overline{B^{(i)}} = B^{(i)}$
and $\overline{T^{(i)}_p} = T^{(i)}_p$.
\item \label{step:refresh-done}
% \item[200 OK / 409 CONFLICT] % \label{step:refresh-done}
If the commitments were consistent, the exchange sends the
blind signature $\widetilde{C} := S_{K}(B^{(\gamma)})$ to the customer.
Otherwise, the exchange responds with an error indicating
the location of the failure.
\end{enumerate}
\end{description}
%\subsection{N-to-M Refreshing}
%