"start":
- Client sends S, H if this is the first round of the protocol
- Client generates r in [0, |G|[ at random
- - Client sends x = h("g^r || m || g^r")
+ - Client generates t in [0, |G|[ at random
+ - Client sends x = h("g^r || g^t || m || g^r || g^t")
- Client sends m in plain
"challenge":
- Server receives S, H if this is the first round of the protocol
- Server verifies H = h'(I(S))
- Server receives x, m
- Server generates c in [0, 2^k0[ at random
- - Server generates R in [0, |G|[ at random
- - Server sends c and g^R
+ - Server generates T in [0, |G|[ at random
+ - Server sends c and g^T
"response":
- - Client receives c and g^R
+ - Client receives c and g^T
- Client verifies that the received values are in the allowed ranges
- - Client sends y = r + s * c mod |G|
- - Client calculates K = (g^R)^r
+ - Client sends y = r - s * c mod |G|
+ - Client sends g^t
+ - Client calculates K = (g^T)^t
"verify":
- - Server receives y
- - Server calculates z = g^y S^-c
- - Server calculates x' = h("z || m || z")
+ - Server receives y and g^t
+ - Server calculates z = g^y S^c
+ - Server calculates x' = h("z || g^t || m || z || g^t")
- Server verifies x == x'
- - Server calculates K = z^R
+ - Server calculates K = (g^t)^T
Protocol variant: g and G can be also part of the public ID. In this case, g
and G are sent as part of this protocol additionally to S, H.
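
Review bot: the new ephemeral share g^t is never validated on the server side, and the client-side check is not updated for g^T. In "response", "Client verifies that the received values are in the allowed ranges" should now explicitly cover g^T (a valid element of G, not the identity), and in "verify" there is no check at all between "Server receives y and g^t" and "Server calculates K = (g^t)^T", so a client can send g^t = 1 or a small-order element and force a predictable K. Suggest adding "- Server verifies that g^t is in G and g^t != 1" before the z computation and stating the same requirement for g^T in the client's range check. The sign flip itself is consistent: with S = g^s, z = g^y S^c = g^(r - s*c) g^(s*c) = g^r, so x' reproduces x. Worth a sentence in the text, though: g^T carries no proof of possession of T, so K authenticates only the client's contribution; the server's half of this exchange is unauthenticated unless something outside this protocol binds g^T to the server.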
succeeds. If the protocol succeeds, the authenticity of m has been verified
too.
+Signature protocol:
+ Client provides a message m that is to be signed as part of the protocol
+ "start":
+ - Client sends S, H if this is the first round of the protocol
+ - Client generates r in [0, |G|[ at random
+ - Client sends c = h("m || g^r")
+ - Client sends y = r - s * c
+ - Client sends m in plain
+ "verify":
+ - Server receives c, y, and m
+ - Server calculates z = g^y S^c
+ - Server calculates c' = h("m || z")
+ - Server verifies c == c'
+
Low level protocol:
"packet"
- a value in double quotes is also defined in terms of this protocol, i.e.
the length is preceded
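
Review bot: "Client sends y = r - s * c" in the signature protocol drops the "mod |G|" that the authentication protocol's "Client sends y = r - s * c mod |G|" carries, and sent unreduced y leaks the secret. r is bounded by |G| while s * c is not, so the sign and magnitude of the integer y give s * c up to an error smaller than |G|, and with c public that recovers s. Suggest "- Client sends y = r - s * c mod |G|" and a matching "- Server verifies that y is in [0, |G|[" in "verify" before "Server calculates z = g^y S^c", mirroring the range check the authentication protocol performs. The text also uses c = h("m || g^r") directly as an exponent without saying how the hash output is mapped to an integer or whether it is reduced mod |G|; signer and verifier have to agree on that, so it should be stated.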
+
+
+
+NOTE: to generate NON blind IDs, the process is not very straightforward. It
+works like this:
+
+Server shall:
+- load private key
+
+Both shall:
+- perform authentication as usual
+
+Server shall:
+- notice that the status is false
+- call d0_blind_id_authenticate_with_private_id_generate_missing_signature
+- write public ID
+- send that data to client
+
+Client shall:
+- read own private ID
+- get fingerprint
+- read received public ID (leaves the private part alone)
+- verify fingerprint
+- possibly verify ID
+- write own private ID again
+
+This ensures that only the ID the client authenticated with is signed by the
+server
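
Review bot: "notice that the status is false" does not say that the authentication run itself must have succeeded. "perform authentication as usual" can fail (x != x') independently of the signature status, and the closing claim "This ensures that only the ID the client authenticated with is signed by the server" only holds if d0_blind_id_authenticate_with_private_id_generate_missing_signature is called solely when the Schnorr verification passed and only the signature status is false; suggest spelling that out and naming which status flag is meant. On the client side, "possibly verify ID" is too vague for a step whose result is then persisted by "write own private ID again": state what is checked (presumably the signature the server just attached to the public ID) and make it mandatory before the write, otherwise a missing or bad signature gets stored alongside the private part.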