From 27202f34f5cbf844ba0bbbec3ad338bcbdffaa61 Mon Sep 17 00:00:00 2001 From: Rudolf Polzer Date: Fri, 17 Sep 2010 08:45:04 +0200 Subject: [PATCH] also describe the signature protocol --- d0_blind_id.txt | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/d0_blind_id.txt b/d0_blind_id.txt index a469118..7d33aaf 100644 --- a/d0_blind_id.txt +++ b/d0_blind_id.txt @@ -80,7 +80,7 @@ Authentication protocol: "verify": - Server receives y and g^t - Server calculates z = g^y S^-c - - Server calculates x' = h("z || m || z") + - Server calculates x' = h("z || g^t || m || z || g^t") - Server verifies x == x' - Server calculates K = (g^t)^T @@ -93,6 +93,20 @@ the same values on both sides only if the Schnorr identification scheme succeeds. If the protocol succeeds, the authenticity of m has been verified too. +Signature protocol: + Client provides a message m that is to be signed as part of the protocol + "start": + - Client sends S, H if this is the first round of the protocol + - Client generates r in [0, |G|[ at random + - Client sends c = h("m || g^r") + - Client sends y = r + s * c + - Client sends m in plain + "verify": + - Server receives c, y, and m + - Server calculates z = g^y S^-c + - Server calculates c' = h("m || z") + - Server verifies c == c' + Low level protocol: -- 2.39.2
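Review bot: In the `@@ -80,7 +80,7 @@` hunk, only the server-side line `x' = h("z || g^t || m || z || g^t")` changes. The diffstat shows a single deletion, so the client-side step that computes x is not touched by this patch. Please confirm that the client step already hashes g^t in the same positions. If it still reads `h("z || m || z")`, the documented check `x == x'` can never succeed. The subject line "also describe the signature protocol" does not mention this change to the authentication hash input, so it deserves its own line in the commit message or a separate commit.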
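Review bot: In the `@@ -93,6 +93,20 @@` hunk, the "verify" steps of the new Signature protocol never use H. "start" has the client send S and H, but the server side lists only `z = g^y S^-c`, `c' = h("m || z")` and `c == c'`, which shows that whoever sent S knows the matching s and says nothing about whether S was ever certified. Add an explicit step that the server receives S and H and verifies H for S before accepting, or refer to the step in the authentication protocol that does so. Also, `y = r + s * c` is written without a reduction while r is drawn from `[0, |G|[`; in a Schnorr signature the response has to be reduced modulo the group order so that r masks s * c, so write it as `y = r + s * c mod |G|` if that is what the implementation does.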