Cryptography Reference
In-Depth Information
Then she calculates [D.3]
$X \equiv g_1^{s_1} g_2^{t_1} A^{u_1} \pmod{p}$ and $Y \equiv g_1^{s_2} g_2^{t_2} A^{u_2} \pmod{p}$.
(3) Alice computes a challenge, $c_1 = H_1(y_1, Y_1, Y_2, Y_3, X)$, and blinds it with $c \equiv c_1 z_2^{-1} \pmod{q}$, which she sends to the bank.
(4) The bank sends a response $r \equiv xc + w \pmod{q}$ to Alice, and debits her account. Alice accepts $r$ if and only if [D.4]
$\alpha^r \equiv h^c y_2 \pmod{p}$ and $A^r \equiv y_1^c y_3 \pmod{p}$.
(5) Alice computes $Z \equiv r z_2 + z_3 \pmod{q}$. Her coin is $C = (X, Y, Y_1, Y_2, Y_3, Z)$, which she can now spend.
(Essentially $(Y_1, Y_2, Y_3, Z)$ is the bank's signature on $(X, Y)$, so we write $(X, Y, \mathrm{sig}(X, Y))$ for $C$ in what follows for simplicity.)
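The acceptance test of step (4), as an added example that is not from the book. It assumes $h \equiv \alpha^x$, $y_1 \equiv A^x$, $y_2 \equiv \alpha^w$ and $y_3 \equiv A^w$, as read from Footnotes D.4 and D.5; the parameters, function names and sample values are constructed for illustration.

```python
# Toy parameters (constructed, far too small for real use): Q is prime and divides P - 1.
P, Q = 1019, 509
ALPHA = 4   # element of order Q mod P (stands in for the generator from the setup stage)
A = 9       # Alice's account identity, also of order Q (constructed value)

def bank_setup(x):
    """Bank's public key h = alpha^x (mod p) for its secret x in (Z/qZ)*."""
    return pow(ALPHA, x, P)

def bank_commit(x, w):
    """Per-withdrawal values: y1 = A^x, y2 = alpha^w, y3 = A^w (mod p)."""
    return pow(A, x, P), pow(ALPHA, w, P), pow(A, w, P)

def blind_challenge(c1, z2):
    """Step (3): c = c1 * z2^{-1} (mod q)."""
    return (c1 * pow(z2, -1, Q)) % Q

def bank_respond(x, w, c):
    """Step (4): r = x*c + w (mod q)."""
    return (x * c + w) % Q

def alice_accepts(r, c, h, y1, y2, y3):
    """Step (4) test: alpha^r = h^c * y2 and A^r = y1^c * y3 (mod p)."""
    ok_alpha = pow(ALPHA, r, P) == (pow(h, c, P) * y2) % P
    ok_a = pow(A, r, P) == (pow(y1, c, P) * y3) % P
    return ok_alpha and ok_a

def demo():
    x, w = 123, 77      # bank's secret key and per-withdrawal nonce (constructed)
    c1, z2 = 345, 58    # Alice's challenge and blinding factor (constructed)
    h = bank_setup(x)
    y1, y2, y3 = bank_commit(x, w)
    c = blind_challenge(c1, z2)
    honest = bank_respond(x, w, c)
    forged = bank_respond(x + 1, w, c)   # responder that does not know x
    return (alice_accepts(honest, c, h, y1, y2, y3),
            alice_accepts(forged, c, h, y1, y2, y3),
            (c * z2) % Q == c1)          # blinding undone by multiplying by z2

if __name__ == "__main__":
    print(demo())
```

Both congruences must hold: a response built from the wrong exponent fails the $\alpha$ check, and a $y_3$ that does not use the same $w$ as $y_2$ fails the $A$ check.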
Spending Protocol:
Alice wishes to purchase some goods from the merchant.
(1) She sends the merchant her coin $(X, Y, \mathrm{sig}(X, Y))$.
(2) The merchant verifies that $XY \neq 1$ [D.5], then sends a challenge, $c = H_2(X, Y, M, T_M)$, to Alice, where $T_M$ is a timestamp with the date and time on it.
[D.3] Note that by this step, $XY \equiv y_1 \pmod{p}$, which is Alice's blinded identity. The reason for this is as follows:
XY
g
s
1
g
t
2
g
s
1
g
t
2
(
g
e
1
g
e
2
)
u
1
(
g
e
1
g
e
2
)
u
2
g
s
1
+
s
2
1
g
t
1
+
t
2
2
g
e
1
u
1
1
g
e
2
u
2
2
≡
≡
≡
g
e
1
z
1
1
g
e
2
z
1
2
(
g
e
1
g
e
2
)
u
1
+
u
2
(
g
e
1
g
e
2
)
z
1
A
z
1
y
1
(mod
p
)
.
≡
≡
≡
[D.4] These are necessary and sufficient conditions for Alice to accept the bank's response because only the bank knows $x$. Therefore, only the bank can send a response satisfying both
$\alpha^r \equiv \alpha^{xc+w} \equiv (\alpha^x)^c \alpha^w \equiv h^c y_2 \pmod{p}$
and
$A^r \equiv A^{xc+w} \equiv (A^x)^c A^w \equiv m^c y_3 \pmod{p}$.
[D.5] The merchant must check this since, if Alice is legitimate, then $XY \neq 1$. The reason is that by Footnote D.3, $XY \equiv y_1 \pmod{p}$. Thus, since $y_1 \equiv A^x \pmod{p}$ with $A \not\equiv 1 \pmod{p}$ by step (1) of the protocol for opening Alice's account, and since $x \in (\mathbb{Z}/q\mathbb{Z})^*$, by step (3) of the setup stage, then $x \not\equiv 0 \pmod{q}$, which completes the reasoning.