From 2897326c90ac5ee5a65ed1a936bdef9866a6230a Mon Sep 17 00:00:00 2001
From: Rudolf Polzer <divverent@alientrap.org>
Date: Fri, 11 Mar 2011 22:23:12 +0100
Subject: [PATCH] in the .txt, actually explain the current "default" protocol
 (fix signs)

---
 d0_blind_id.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/d0_blind_id.txt b/d0_blind_id.txt
index 7d33aaf..deb008a 100644
--- a/d0_blind_id.txt
+++ b/d0_blind_id.txt
@@ -74,12 +74,12 @@ Authentication protocol:
 	"response":
 	- Client receives c and g^T
 	- Client verifies that the received values are in the allowed ranges
-	- Client sends y = r + s * c mod |G|
+	- Client sends y = r - s * c mod |G|
 	- Client sends g^t
 	- Client calculates K = (g^T)^t
 	"verify":
 	- Server receives y and g^t
-	- Server calculates z = g^y S^-c
+	- Server calculates z = g^y S^c
 	- Server calculates x' = h("z || g^t || m || z || g^t")
 	- Server verifies x == x'
 	- Server calculates K = (g^t)^T
@@ -99,11 +99,11 @@ Signature protocol:
 	- Client sends S, H if this is the first round of the protocol
 	- Client generates r in [0, |G|[ at random
 	- Client sends c = h("m || g^r")
-	- Client sends y = r + s * c
+	- Client sends y = r - s * c
 	- Client sends m in plain
 	"verify":
 	- Server receives c, y, and m
-	- Server calculates z = g^y S^-c
+	- Server calculates z = g^y S^c
 	- Server calculates c' = h("m || z")
 	- Server verifies c == c'
 
-- 
2.39.2