author Christian Grothoff <christian@grothoff.org> 2018-09-25 11:51:23 +0200
committer Christian Grothoff <christian@grothoff.org> 2018-09-25 11:51:23 +0200
commit c1dc251de5065984ad010801ef6b21c1e74e9f46
tree b9f6d08a81fb4a6cc742a669ccd48bfa9fc2d65f /taler-fc19
parent 32a88cf13de3b44ca577e0d67a2f7ffc73872537
simplify
Diffstat (limited to 'taler-fc19')
-rw-r--r-- taler-fc19/paper.tex 21
1 files changed, 11 insertions, 10 deletions
diff --git a/taler-fc19/paper.tex b/taler-fc19/paper.tex
index 052ebd8..43b72ac 100644
--- a/taler-fc19/paper.tex
+++ b/taler-fc19/paper.tex
@@ -753,11 +753,10 @@ is the signer and $\mathcal{R}$ is the signature requester:
to blind a message $m$ that is to be signed later. The result is a blinded message $\overline{m}$ and
a residual $r$ that allows to unblind a blinded signature on $m$ made by $\V{sk}$.
\item $\algo{Sign}_{BS}(\mathcal{S}(\V{sk}), \mathcal{R}(\overline{m})) \mapsto
- \overline{\sigma}$ is a protocol to sign a blinded message $\overline{m}$.
+ \overline{\sigma}$ is an algorithm to sign a blinded message $\overline{m}$.
The result $\overline{\sigma}$ is a blinded signature that must be unblinded
using the $r$ returned from the corresponding blinding operation before
- verification. We restrict $\algo{Sign}_{BS}$ to be a two-move protocol, where the
- requester sends the first message, and the signer responds.
+ verification.
\item $\algo{UnblindSig}_{BS}(r, m, \overline{\sigma}) \mapsto \sigma$
is an algorithm to unblind a blinded signature.
\item $\algo{Verify}_{BS}(\V{pk}, m, \sigma) \mapsto b$ is a algorithm to check the validity of a blind
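Review bot: With `\algo{Sign}_{BS}` now described as an algorithm, its signature in the same `\item` still uses the two-party form `\algo{Sign}_{BS}(\mathcal{S}(\V{sk}), \mathcal{R}(\overline{m}))`, which reads as an interactive exchange between signer and requester. Either write it as `\algo{Sign}_{BS}(\V{sk}, \overline{m})` like the other algorithms in this list, or keep one sentence saying which party supplies which input. Removing the two-move restriction also drops the only statement of who sends first, so any later text that relies on that ordering should be checked. While this list is being edited, "is a algorithm" in the `\algo{Verify}_{BS}` item should read "is an algorithm".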
@@ -977,16 +976,18 @@ Using these primitives, we now instantiate the syntax:
\end{align*}
Now the exchange checks if $h_C = h_C'$, and aborts the protocol if the check fails.
-
- Otherwise, the exchange sends a message back to $\prt{C}$ that the commitment verification succeeded.
+ Otherwise, the exchange sends a message back to $\prt{C}$ that the commitment verification succeeded and includes
+ the signature
+ \begin{equation*}
+ \overline{\sigma}_\gamma := \algo{Sign}_{BS}(\mathcal{E}(\V{skD}_u), \mathcal{C}(\overline{m}_\gamma)).
+ \end{equation*}
As a last step, the customer obtains the signature $\sigma_\gamma$ on the new coin's public key $\V{pkCoin}_u$ with
- \begin{align*}
- \overline{\sigma}_\gamma &\leftarrow \algo{Sign}(\mathcal{E}(\V{skD}_u), \mathcal{C}(\overline{m}_\gamma))\\
- \sigma_\gamma &\leftarrow \algo{UnblindSig}(r_\gamma, \V{pkCoin}_\gamma, \overline{\sigma}_\gamma).
- \end{align*}
+ \begin{equation*}
+ \sigma_\gamma := \algo{UnblindSig}(r_\gamma, \V{pkCoin}_\gamma, \overline{\sigma}_\gamma).
+ \end{equation*}
- Thus the new, unlinkable coin is $\V{coin}_u = (\V{skCoin}_\gamma, \V{pkCoin}_\gamma, \V{pkD}_u, \sigma_\gamma)$.
+ Thus the new, unlinkable coin is $\V{coin}_u := (\V{skCoin}_\gamma, \V{pkCoin}_\gamma, \V{pkD}_u, \sigma_\gamma)$.
\item $\algo{Link}(\prt{E}(\V{sksE}), \prt{C}(\V{skCustomer}, \V{pksE}, \V{coin}_0))$:
The customer sends the public key $\V{pkCoin}_0$ of $\V{coin}_0$ to the exchange.
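Review bot: The added equation for `\overline{\sigma}_\gamma` calls `\algo{Sign}_{BS}`, but the equation after it still calls `\algo{UnblindSig}` without the `_{BS}` subscript, although the syntax list defines it as `\algo{UnblindSig}_{BS}`; add the subscript so the two calls match. The sentence before the second equation says the signature is on `\V{pkCoin}_u`, while the equation unblinds for `\V{pkCoin}_\gamma` and the coin tuple mixes the `u` and `\gamma` indices; either unify the index or state that they name the same key. The deleted blank line also merges "Otherwise, the exchange sends ..." into the paragraph with the `h_C = h_C'` check, which is worth confirming as intended.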