Wallet Rollover

To rollover a wallet credential to a new epoch, the client requests blinded issuance of a new credential with the same wallet balance and a new nullifier.

  1. Client. Given the credential attributes \((w,n)\) and tag \((P_0,Q_0)\) for a previously-issued wallet credential, the client proceeds as follows, simultaneously preparing a presentation of the previous wallet credential and a request for blinded issuance of a new credential. The client:

    1. Uses the current time and the epoch duration to determine the epoch index for the new credential, denoting by \(\mathbf X\) the issuance parameters for the current credential's epoch and by \(\mathbf X'\) the issuance parameters for the new credential's epoch.

    2. Re-randomizes the tag, choosing \(t \xleftarrow{\$} \mathbb F_p\) and computing \((P, Q) \gets (t P_0, t Q_0)\).

    3. Computes \( \operatorname{Com}(w) = w P + \widetilde w \widetilde B \) using randomness \( \widetilde w \xleftarrow{\$} \mathbb F_p \).

    4. Commits to \(Q\) by choosing \( r_Q \xleftarrow{\$} \mathbb F_p \) and computing \( C_Q = Q + r_Q B \).

    5. Computes a correction term \( V \gets \widetilde w X_1 - r_Q B \).

    6. Generates a random nullifier for the new credential, \( n' \xleftarrow{\$} \mathbb F_p \).

    7. Generates an ephemeral ElGamal secret key \( d \xleftarrow{\$} \mathbb F_p \) and computes the ephemeral public key \( D \gets d B \).

    8. Generates randomness \( r_n, r_w \xleftarrow{\$} \mathbb F_p \) and computes \[ \operatorname{Enc}_D(w B) \gets (r_w B, (w + r_w d)B) \] and \[ \operatorname{Enc}_D(n' B) \gets (r_n B, (n' + r_n d)B). \]

    9. Forms the following proof, which combines credential presentation and blinded issuance statements: \[ \begin{aligned} \pi &\gets \operatorname{PK}\{ \\ &\mathtt{wallet::rollover::client}, \\ &(d, w, \widetilde w, n', r_Q, r_w, r_n), \\ &( D, \operatorname{Enc}_D(w B), \operatorname{Enc}_D(n' B), P, V, \operatorname{Com}(w) ), \\ &(B, \widetilde B) \; : \\ &\operatorname{Enc}_D(n' B) = (r_n B, n' B + r_n D) \\ &\operatorname{Enc}_D(w B) = (r_w B, w B + r_w D) \\ &\operatorname{Com}(w) = w P + \widetilde w \widetilde B \\ & V = \widetilde w X_1 - r_Q B \\ \}. \end{aligned} \] The proof transcript should additionally be bound to the epoch indexes of the current epoch and of the requested epoch. The client keeps the transcript state while awaiting a response.

    10. Sends the pair of epoch indices, the old nullifier \(n\), \(D\), \(\operatorname{Enc}_D(n'B)\), \(\operatorname{Enc}_D(wB)\), \(\operatorname{Com}(w)\), \(P\), \(C_Q\), and \(\pi\) to the issuer.

  2. Issuer. The issuer processes the request as follows. The issuer:

    1. Checks that the issuance parameters for the old epoch index specified by the client are in Active, Primary, or Rollover state, and that the issuance parameters for the new epoch index specified by the client are in the Active or Primary state. The old parameters are denoted by \((\mathbf X, \mathbf x)\) and the new parameters are denoted by \((\mathbf X', \mathbf x')\).

    2. Checks whether the nullifier \(n\) is in the wallet nullifier set for the old epoch, rejecting the request if it is present and adding it to the nullifier set if it is not present.

    3. Computes \(V\) using the old secrets as \[ V \gets (x_0 + x_2 n) P + x_1 \operatorname{Com}(w) - C_Q, \] which equals the client's \( \widetilde w X_1 - r_Q B \) exactly when \(C_Q\) commits to a valid tag \(Q = (x_0 + x_1 w + x_2 n) P\) on the attributes hidden in \(\operatorname{Com}(w)\).

    4. Verifies the proof \(\pi\) and saves the transcript state.

    5. Selects \( b \xleftarrow{\$} \mathbb F_p \) and computes \( P \gets bB \).

    6. Selects \( r \xleftarrow{\$} \mathbb F_p \) to compute \[ \operatorname{Enc}_D(Q) \gets (rB, x_0' P + rD) + b x_1' \operatorname{Enc}_D(wB) + b x_2' \operatorname{Enc}_D(n'B) \] using the new secrets.

    7. The issuer forms the proof \[ \begin{aligned} \pi &\gets \operatorname{PK}\{ \\ &\mathtt{wallet::rollover::issuer}, \\ &( b, r, \mathbf x, \widetilde x_0, \mathbf x', \widetilde x_0', t_1, t_2 ), \\ &( P, D, \operatorname{Enc}_D(wB), \operatorname{Enc}_D(n'B), \operatorname{Enc}_D(Q), T_1, T_2 ), \\ &(\mathbf X, \mathbf X', B, \widetilde B) \; : \\ & X_0 = x_0 B + \widetilde x_0 \widetilde B, \; X_1 = x_1 \widetilde B, \; X_2 = x_2 \widetilde B, \\ & X_0' = x_0' B + \widetilde x_0' \widetilde B, \; X_1' = x_1' \widetilde B, \; X_2' = x_2' \widetilde B, \\ & P = bB, \\ & T_1 = bX_1', \; T_1 = t_1 \widetilde B, \\ & T_2 = bX_2', \; T_2 = t_2 \widetilde B, \\ & \operatorname{Enc}_D(Q) = (rB, x_0' P + rD) + t_1 \operatorname{Enc}_D(wB) + t_2 \operatorname{Enc}_D(n'B) \\ \}. \end{aligned} \] This proof should be added to the transcript from step (2.4), chaining the issuer's proof onto the client's proof.

    8. The issuer sends \(P\), \(\operatorname{Enc}_D(Q)\), \(T_1\), \(T_2\), and \(\pi\) to the client.

  3. Client. The client processes the response as follows:

    1. The client uses the transcript state from step (1.9) to verify \(\pi\).

    2. The client decrypts \(Q\) by computing \[ Q \gets \operatorname{Enc}_D(Q)_1 - d \operatorname{Enc}_D(Q)_0. \]
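The whole three-step exchange above, as an added worked example that is not part of this spec or of any implementation of it. It assumes a constructed toy group (quadratic residues modulo a small safe prime, written additively to match the notation) and omits the proofs \(\pi\); the algebraic statements those proofs attest to (the two sides' \(V\) agreeing, and the decrypted \(Q\) being a valid tag on \((w, n')\) under the new secrets) are instead checked directly with both parties' values.

```python
import secrets
# Constructed toy group, for illustration only: quadratic residues modulo the safe prime q = 1523, a
# group of prime order p = 761, written additively to match the spec (add = product mod q, mul(s, P)
# = P^s). The proofs pi are omitted; their statements are checked with both parties' values instead.
q, p, B, Bt = 1523, 761, 4, 9   # modulus, group order, generators B and \tilde B (both residues)

def add(P, Q): return P * Q % q
def neg(P): return pow(P, q - 2, q)
def mul(s, P): return pow(P, s % p, q)
def rand(): return secrets.randbelow(p - 1) + 1

def keygen():
    """One epoch's issuance parameters: secrets x = (x0, x1, x2), public X = (X0, X1, X2)."""
    x0, x1, x2, x0t = rand(), rand(), rand(), rand()
    return (x0, x1, x2), (add(mul(x0, B), mul(x0t, Bt)), mul(x1, Bt), mul(x2, Bt))

def mac(x, w, n):
    """Initial tag (P0, Q0) on attributes (w, n): Q0 = (x0 + x1 w + x2 n) P0."""
    P0 = mul(rand(), B); return P0, mul(x[0] + x[1] * w + x[2] * n, P0)

def enc(D, m):
    """Enc_D(m B) = (r B, m B + r D) with fresh r (step 1.8)."""
    r = rand(); return mul(r, B), add(mul(m, B), mul(r, D))

def client_request(X, w, n, P0, Q0):
    """Step 1: present the old credential and blind (w, n') for the new one."""
    t = rand(); P, Q = mul(t, P0), mul(t, Q0)                       # 1.2 re-randomized tag
    wt = rand(); Com = add(mul(w, P), mul(wt, Bt))                   # 1.3 Com(w)
    rQ = rand(); CQ = add(Q, mul(rQ, B))                             # 1.4 C_Q
    V = add(mul(wt, X[1]), neg(mul(rQ, B)))                          # 1.5 V = ~w X1 - r_Q B
    n2, d = rand(), rand(); D = mul(d, B)                            # 1.6-1.7 n', ephemeral key
    req = dict(n=n, D=D, EncN=enc(D, n2), EncW=enc(D, w), Com=Com, P=P, CQ=CQ)  # 1.10
    return req, dict(d=d, w=w, n2=n2, V=V)                           # V is a public input of pi

def issuer_rollover(x, xn, req, used):
    """Step 2: nullifier check, V from the old secrets x, blind issuance under the new secrets xn."""
    if req["n"] in used: raise ValueError("nullifier already present")             # 2.2
    used.add(req["n"])
    V = add(add(mul(x[0] + x[2] * req["n"], req["P"]), mul(x[1], req["Com"])), neg(req["CQ"]))  # 2.3
    b, r = rand(), rand(); P = mul(b, B)                             # 2.5-2.6
    EncQ = (mul(r, B), add(mul(xn[0], P), mul(r, req["D"])))         # (rB, x0' P + rD)
    for (c0, c1), xi in ((req["EncW"], xn[1]), (req["EncN"], xn[2])):
        EncQ = (add(EncQ[0], mul(b * xi, c0)), add(EncQ[1], mul(b * xi, c1)))  # + b x_i' Enc_D(.)
    return dict(P=P, EncQ=EncQ), V

def client_finish(state, resp):
    """Step 3.2: Q' = Enc_D(Q')_1 - d Enc_D(Q')_0; the new credential is ((w, n'), (P', Q'))."""
    Q = add(resp["EncQ"][1], neg(mul(state["d"], resp["EncQ"][0])))
    return (state["w"], state["n2"]), (resp["P"], Q)
```

Because the toy group is tiny, discrete logs in it are trivially computable; it exists only to make the homomorphisms visible, and a real deployment uses a cryptographically sized prime-order group.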