add cs nonce persistance and reuse check
parent
d380ff1ffe
commit
eacbe6df19
@ -169,12 +169,14 @@ The denomination key was chosen because it has the recopu protocol in place that
|
|||||||
\\ & & b := \text{HKDF}(1,n_w || d_s, \text{"b"})
|
\\ & & b := \text{HKDF}(1,n_w || d_s, \text{"b"})
|
||||||
\\ & & s \leftarrow \text{GetWithdraw}(n_w, D_p)
|
\\ & & s \leftarrow \text{GetWithdraw}(n_w, D_p)
|
||||||
\\ & & \textbf{if } s = \bot
|
\\ & & \textbf{if } s = \bot
|
||||||
|
\\ & & \textbf{check !} \text{NonceReuse} (n_w, D_p)
|
||||||
\\ & & r_b := \text{HKDF}(256,n_w || d_s, \text{"r}b\text{"})
|
\\ & & r_b := \text{HKDF}(256,n_w || d_s, \text{"r}b\text{"})
|
||||||
% sign coin
|
% sign coin
|
||||||
\\ & & s := r_b + c_b d_s \mod p
|
\\ & & s := r_b + c_b d_s \mod p
|
||||||
% the following db operations are atomic
|
% the following db operations are atomic
|
||||||
\\ & & \text{decrease balance if sufficient and}
|
\\ & & \text{decrease balance if sufficient and}
|
||||||
\\ & & \text{persist } \langle n_w, D_p, s \rangle
|
\\ & & \text{persist NonceUse } \langle n_w, D_p, s \rangle
|
||||||
|
\\ & & \text{persist } \langle D_p, s \rangle
|
||||||
\\ & & \textbf{endif}
|
\\ & & \textbf{endif}
|
||||||
\\ & \xleftarrow[\rule{2.5cm}{0pt}]{b,s} &
|
\\ & \xleftarrow[\rule{2.5cm}{0pt}]{b,s} &
|
||||||
% verify signature
|
% verify signature
|
||||||
@ -187,7 +189,6 @@ The denomination key was chosen because it has the recopu protocol in place that
|
|||||||
\\ \textbf{check if } s'G = R'_b + c'_b D_p & &
|
\\ \textbf{check if } s'G = R'_b + c'_b D_p & &
|
||||||
\\ \sigma_C := \langle R'_b, s' \rangle & &
|
\\ \sigma_C := \langle R'_b, s' \rangle & &
|
||||||
\\ \text{resulting coin: } c_s, C_p, \sigma_C, D_p & &
|
\\ \text{resulting coin: } c_s, C_p, \sigma_C, D_p & &
|
||||||
|
|
||||||
\end{array}$
|
\end{array}$
|
||||||
}
|
}
|
||||||
\end{equation*}
|
\end{equation*}
|
||||||
@ -287,9 +288,9 @@ In the reveal phase, the RSA signing and unblinding is exchanged with Schnorr's
|
|||||||
\\ h_T := H(T_1, \dots, T_k)
|
\\ h_T := H(T_1, \dots, T_k)
|
||||||
\\ h_{\overline{c_0}} := H(\overline{c_{0_1}},\dots, \overline{c}_{0_k})
|
\\ h_{\overline{c_0}} := H(\overline{c_{0_1}},\dots, \overline{c}_{0_k})
|
||||||
\\ h_{\overline{c_1}} := H(\overline{c_{1_1}},\dots, \overline{c}_{1_k})
|
\\ h_{\overline{c_1}} := H(\overline{c_{1_1}},\dots, \overline{c}_{1_k})
|
||||||
\\ h_{\overline{c}} := H(h_{\overline{c_0}}, h_{\overline{c_1}})
|
\\ h_{\overline{c}} := H(h_{\overline{c_0}}, h_{\overline{c_1}}, n_r)
|
||||||
\\ h_C := H(h_T, h_{\overline{c}})
|
\\ h_C := H(h_T, h_{\overline{c}})
|
||||||
\\ \rho_{RC} := \langle h_C, D_p, \text{ } D_{p(0)}, C_p^{(0)}, \sigma_C^{(0)} \rangle
|
\\ \rho_{RC} := \langle h_C, D_p, \text{ } D_{p(0)}, C_p^{(0)}, \sigma_C^{(0)} \rangle
|
||||||
\\ \sigma_{RC} := \text{Ed25519.Sign}(c_s^{(0)}, \rho_{RC})
|
\\ \sigma_{RC} := \text{Ed25519.Sign}(c_s^{(0)}, \rho_{RC})
|
||||||
\\ \text{Persist refresh-request}
|
\\ \text{Persist refresh-request}
|
||||||
\\ \langle \omega, R_0, R_1, \rho_{RC}, \sigma_{RC} \rangle
|
\\ \langle \omega, R_0, R_1, \rho_{RC}, \sigma_{RC} \rangle
|
||||||
@ -311,7 +312,7 @@ In the reveal phase, the RSA signing and unblinding is exchanged with Schnorr's
|
|||||||
\\ & \textit{Continuation of}
|
\\ & \textit{Continuation of}
|
||||||
\\ & \textit{figure \ref{fig:refresh-commit-part1}}
|
\\ & \textit{figure \ref{fig:refresh-commit-part1}}
|
||||||
\\
|
\\
|
||||||
\\ & \xrightarrow[\rule{2cm}{0pt}]{\rho_{RC}, \sigma_{RC}} &
|
\\ & \xrightarrow[\rule{2cm}{0pt}]{\rho_{RC}, \sigma_{RC}, n_r} &
|
||||||
% Exchange checks refresh request
|
% Exchange checks refresh request
|
||||||
\\ & & \langle h_C, D_p, D_{p(0)}, C_p^{(0)}, \sigma_C^{(0)} \rangle := \rho_{RC}
|
\\ & & \langle h_C, D_p, D_{p(0)}, C_p^{(0)}, \sigma_C^{(0)} \rangle := \rho_{RC}
|
||||||
\\ & & \textbf{check} \text{ Ed25519.Verify}(C_p^{(0)}, \sigma_{RC}, \rho_{RC})
|
\\ & & \textbf{check} \text{ Ed25519.Verify}(C_p^{(0)}, \sigma_{RC}, \rho_{RC})
|
||||||
@ -323,10 +324,12 @@ In the reveal phase, the RSA signing and unblinding is exchanged with Schnorr's
|
|||||||
\\ & & v := \text{Denomination}(D_p)
|
\\ & & v := \text{Denomination}(D_p)
|
||||||
\\ & & \textbf{check } \text{IsOverspending}(C_p^{(0)}, D_ {p(0)}, v)
|
\\ & & \textbf{check } \text{IsOverspending}(C_p^{(0)}, D_ {p(0)}, v)
|
||||||
\\ & & \text{verify if } D_p \text{ is valid}
|
\\ & & \text{verify if } D_p \text{ is valid}
|
||||||
|
\\ & & \textbf{check !} \text{NonceReuse} (n_r, D_p)
|
||||||
\\ & & \textbf{check } \text{Schnorr.Verify}(D_{p(0)}, C_p^{(0)}, \sigma_C^{(0)})
|
\\ & & \textbf{check } \text{Schnorr.Verify}(D_{p(0)}, C_p^{(0)}, \sigma_C^{(0)})
|
||||||
\\ & & \text{MarkFractionalSpend}(C_p^{(0)}, v)
|
\\ & & \text{MarkFractionalSpend}(C_p^{(0)}, v)
|
||||||
\\ & & \gamma \leftarrow \{1, \dots, \kappa\}
|
\\ & & \gamma \leftarrow \{1, \dots, \kappa\}
|
||||||
\\ & & \text{Persist refresh-record } \langle \rho_{RC},\gamma \rangle
|
\\ & & \text{persist NonceUse } \langle n_r, D_p, \rho_{RC} \rangle
|
||||||
|
\\ & & \text{persist refresh-record } \langle \rho_{RC},\gamma \rangle
|
||||||
\\ & \xleftarrow[\rule{2cm}{0pt}]{\gamma} &
|
\\ & \xleftarrow[\rule{2cm}{0pt}]{\gamma} &
|
||||||
% Check challenge and send challenge response (reveal not selected msgs)
|
% Check challenge and send challenge response (reveal not selected msgs)
|
||||||
\\ \textbf{check } \text{IsConsistentChallenge}(\rho_{RC}, \gamma)
|
\\ \textbf{check } \text{IsConsistentChallenge}(\rho_{RC}, \gamma)
|
||||||
@ -334,7 +337,7 @@ In the reveal phase, the RSA signing and unblinding is exchanged with Schnorr's
|
|||||||
\\
|
\\
|
||||||
\\ \text{Persist refresh-challenge} \langle \rho_{RC}, \gamma \rangle
|
\\ \text{Persist refresh-challenge} \langle \rho_{RC}, \gamma \rangle
|
||||||
\\ S := \langle t_1, \dots, t_{\gamma-1}, t_{\gamma+1}, \dots,t_\kappa \rangle % all seeds without the gamma seed
|
\\ S := \langle t_1, \dots, t_{\gamma-1}, t_{\gamma+1}, \dots,t_\kappa \rangle % all seeds without the gamma seed
|
||||||
\\ \rho_L := \langle C_p^{(0)}, D_p, T_{\gamma}, \overline{c_0}_\gamma, \overline{c_1}_\gamma, n_r \rangle
|
\\ \rho_L := \langle C_p^{(0)}, D_p, T_{\gamma}, \overline{c_0}_\gamma, \overline{c_1}_\gamma \rangle
|
||||||
\\ \rho_{RR} := \langle \rho_L, S \rangle
|
\\ \rho_{RR} := \langle \rho_L, S \rangle
|
||||||
\\ \sigma_{L} := \text{Ed25519.Sign}(c_s^{(0)}, \rho_{L})
|
\\ \sigma_{L} := \text{Ed25519.Sign}(c_s^{(0)}, \rho_{L})
|
||||||
\\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho_{RR},\rho_L, \sigma_{L}} &
|
\\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho_{RR},\rho_L, \sigma_{L}} &
|
||||||
@ -359,7 +362,7 @@ In the reveal phase, the RSA signing and unblinding is exchanged with Schnorr's
|
|||||||
\\
|
\\
|
||||||
\\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho_{RR},\rho_L, \sigma_{L}} &
|
\\ & \xrightarrow[\rule{2.5cm}{0pt}]{\rho_{RR},\rho_L, \sigma_{L}} &
|
||||||
% check revealed msgs and sign coin
|
% check revealed msgs and sign coin
|
||||||
\\ & & \langle C_p^{(0)}, D_p, T_{\gamma}, \overline{c_0}_\gamma, \overline{c_1}_\gamma, n_r \rangle := \rho_L
|
\\ & & \langle C_p^{(0)}, D_p, T_{\gamma}, \overline{c_0}_\gamma, \overline{c_1}_\gamma \rangle := \rho_L
|
||||||
\\ & & \langle T'_\gamma, \overline{c_0}_\gamma, \overline{c_1}_\gamma, S \rangle := \rho_{RR}
|
\\ & & \langle T'_\gamma, \overline{c_0}_\gamma, \overline{c_1}_\gamma, S \rangle := \rho_{RR}
|
||||||
\\ & & \langle t_1,\dots,t_{\gamma-1},t_{\gamma+1},\dots,t_\kappa \rangle := S
|
\\ & & \langle t_1,\dots,t_{\gamma-1},t_{\gamma+1},\dots,t_\kappa \rangle := S
|
||||||
\\ & & \textbf{check } \text{Ed25519.Verify}(C_p^{(0)}, \sigma_L, \rho_L)
|
\\ & & \textbf{check } \text{Ed25519.Verify}(C_p^{(0)}, \sigma_L, \rho_L)
|
||||||
@ -371,7 +374,7 @@ In the reveal phase, the RSA signing and unblinding is exchanged with Schnorr's
|
|||||||
\\ & & h_T' = H(T_1,\dots,T_{\gamma-1},T'_{\gamma},T_{\gamma+1},\dots,T_\kappa)
|
\\ & & h_T' = H(T_1,\dots,T_{\gamma-1},T'_{\gamma},T_{\gamma+1},\dots,T_\kappa)
|
||||||
\\ & & h_{\overline{c_0}}' := H(\overline{c_{0_1}},\dots, \overline{c}_{0_k})
|
\\ & & h_{\overline{c_0}}' := H(\overline{c_{0_1}},\dots, \overline{c}_{0_k})
|
||||||
\\ & & h_{\overline{c_1}}' := H(\overline{c_{1_1}},\dots, \overline{c}_{1_k})
|
\\ & & h_{\overline{c_1}}' := H(\overline{c_{1_1}},\dots, \overline{c}_{1_k})
|
||||||
\\ & & h_{\overline{c}}' := H(h_{\overline{c_0}}, h_{\overline{c_1}})
|
\\ & & h_{\overline{c}}' := H(h_{\overline{c_0}}, h_{\overline{c_1}}, n_r)
|
||||||
\\ & & h_C' = H(h_T', h_{\overline{c}}')
|
\\ & & h_C' = H(h_T', h_{\overline{c}}')
|
||||||
\\ & & \textbf{check } h_C = h_C'
|
\\ & & \textbf{check } h_C = h_C'
|
||||||
\\ & & r_b := \text{HKDF}(256,n_r || d_s, \text{"r}b\text{"})
|
\\ & & r_b := \text{HKDF}(256,n_r || d_s, \text{"r}b\text{"})
|
||||||
|
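Review bot: In the withdraw hunk (@ -169) the added `\textbf{check !} \text{NonceReuse} (n_w, D_p)` sits above the comment `% the following db operations are atomic`, so as written the reuse check and `persist NonceUse` are not one atomic step, and two concurrent requests carrying the same nonce could both pass the check. Because r_b is derived deterministically from the nonce and d_s, two responses s over different challenges with the same r_b would expose d_s, so the check needs to be inside the transaction; I would move it below the atomic comment or reword that comment to `% NonceReuse check, balance decrease and both persists form one atomic transaction`. The same applies to the refresh hunk (@ -323), where `NonceReuse (n_r, D_p)` and `persist NonceUse` are separated by Schnorr.Verify, MarkFractionalSpend and the choice of \gamma, with no atomicity stated. Separately, from the visible lines the exchange appears to record n_r at commit time without being able to confirm it is the value hashed into h_C (that comparison only happens in the reveal hunk at @ -371), which may deserve a sentence in the surrounding text.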