X-Git-Url: http://git.xonotic.org/?p=xonotic%2Fd0_blind_id.git;a=blobdiff_plain;f=d0_blind_id.txt;h=deb008aaab9a953b34b7a09abfe595238fa7b8d0;hp=a469118bda966b953dfbb325cda89d2a7f8e3fc2;hb=HEAD;hpb=ad845bbe96926e37e65dcf3aea505c9ab31f5943

diff --git a/d0_blind_id.txt b/d0_blind_id.txt
index a469118..deb008a 100644
--- a/d0_blind_id.txt
+++ b/d0_blind_id.txt
@@ -74,13 +74,13 @@ Authentication protocol:
 	"response":
 	- Client receives c and g^T
 	- Client verifies that the received values are in the allowed ranges
-	- Client sends y = r + s * c mod |G|
+	- Client sends y = r - s * c mod |G|
 	- Client sends g^t
 	- Client calculates K = (g^T)^t
 	"verify":
 	- Server receives y and g^t
-	- Server calculates z = g^y S^-c
-	- Server calculates x' = h("z || m || z")
+	- Server calculates z = g^y S^c
+	- Server calculates x' = h("z || g^t || m || z || g^t")
 	- Server verifies x == x'
 	- Server calculates K = (g^t)^T
 
@@ -93,6 +93,20 @@ the same values on both sides only if the Schnorr identification scheme
 succeeds. If the protocol succeeds, the authenticity of m has been verified
 too.
 
+Signature protocol:
+	Client provides a message m that is to be signed as part of the protocol
+	"start":
+	- Client sends S, H if this is the first round of the protocol
+	- Client generates r in [0, |G|[ at random
+	- Client sends c = h("m || g^r")
+	- Client sends y = r - s * c
+	- Client sends m in plain
+	"verify":
+	- Server receives c, y, and m
+	- Server calculates z = g^y S^c
+	- Server calculates c' = h("m || z")
+	- Server verifies c == c'
+
 
 
 Low level protocol: