From: Rudolf Polzer <divverent@alientrap.org>
Date: Fri, 17 Sep 2010 06:45:04 +0000 (+0200)
Subject: also describe the signature protocol
X-Git-Tag: xonotic-v0.1.0preview~7
X-Git-Url: http://de.git.xonotic.org/?p=xonotic%2Fd0_blind_id.git;a=commitdiff_plain;h=27202f34f5cbf844ba0bbbec3ad338bcbdffaa61

also describe the signature protocol
---

diff --git a/d0_blind_id.txt b/d0_blind_id.txt
index a469118..7d33aaf 100644
--- a/d0_blind_id.txt
+++ b/d0_blind_id.txt
@@ -80,7 +80,7 @@ Authentication protocol:
 	"verify":
 	- Server receives y and g^t
 	- Server calculates z = g^y S^-c
-	- Server calculates x' = h("z || m || z")
+	- Server calculates x' = h("z || g^t || m || z || g^t")
 	- Server verifies x == x'
 	- Server calculates K = (g^t)^T
 
@@ -93,6 +93,20 @@ the same values on both sides only if the Schnorr identification scheme
 succeeds. If the protocol succeeds, the authenticity of m has been verified
 too.
 
+Signature protocol:
+	Client provides a message m that is to be signed as part of the protocol
+	"start":
+	- Client sends S, H if this is the first round of the protocol
+	- Client generates r in [0, |G|[ at random
+	- Client sends c = h("m || g^r")
+	- Client sends y = r + s * c
+	- Client sends m in plain
+	"verify":
+	- Server receives c, y, and m
+	- Server calculates z = g^y S^-c
+	- Server calculates c' = h("m || z")
+	- Server verifies c == c'
+
 
 
 Low level protocol: