Cryptography Asked by Fiono on October 24, 2021
In https://www.win.tue.nl/~berry/papers/crypto99.pdf, Schoenmakers proposes a publicly verifiable secret sharing scheme that uses a non-interactive DLEQ proof to allow any participant to verify the shares of the secret (section 3.1 of the paper).
In “Distribution of the shares”, it says “Applying Fiat-Shamir’s technique, the challenge $c$ for the protocol is computed as a cryptographic hash of $X_i , Y_i , a_{1i} , a_{2i} , 1 ≤ i ≤ n$.”
And later, “Using $y_i , X_i , Y_i , r_i , 1 ≤ i ≤ n$ and $c$ as input, the verifier computes $a_{1i} , a_{2i}$ as
$$a_{1i} = g^{r_i} X_i^c,$$ $$a_{2i} = y_i^{r_i} Y_i^c ,$$
and checks that the hash of $X_i , Y_i , a_{1i} , a_{2i} , 1 ≤ i ≤ n$, matches $c$.”
My question is: how can the challenge $c$ be used as input of the hash that computes itself (the challenge $c$), or am I misunderstanding?
Here's my understanding:
The wording is '$c$ is computed as ...'
And later the verifier checks if $c$ matches the output of the hash function used on the same input variables. If different values were used in the original run, the hash would differ.
So yes, you misunderstood the statement.
Answered by tylo on October 24, 2021
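The check discussed above, as an added example that is not part of the original question or answer and is not code from the paper: the dealer hashes $X_i, Y_i, a_{1i}, a_{2i}$ to get $c$, and the verifier uses $c$ and $r_i$ only to rebuild $a_{1i}, a_{2i}$ before re-hashing. The toy group, the keys, the share values and the function names are constructed assumptions, and $c$ is kept as the full SHA-256 output rather than reduced mod $q$.

```python
import hashlib
import secrets

# Added example. Toy parameters, constructed for illustration and far too
# small for real use: p = 2q + 1 is a safe prime, g and G have prime order q.
P, Q = 2039, 1019
g, G = 4, 9

def challenge(X, Y, a1, a2):
    """Fiat-Shamir challenge: hash of X_i, Y_i, a_1i, a_2i for 1 <= i <= n."""
    data = ",".join(str(v) for v in (*X, *Y, *a1, *a2)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def prove(shares, y):
    """Dealer side: shares[i] is the exponent p(i) behind X_i and Y_i."""
    X = [pow(g, s, P) for s in shares]
    Y = [pow(yi, s, P) for yi, s in zip(y, shares)]
    w = [secrets.randbelow(Q) for _ in shares]       # per-share nonces w_i
    a1 = [pow(g, wi, P) for wi in w]
    a2 = [pow(yi, wi, P) for yi, wi in zip(y, w)]
    c = challenge(X, Y, a1, a2)                      # c is only an output here
    r = [(wi - s * c) % Q for wi, s in zip(w, shares)]
    return X, Y, c, r                                # a1, a2 are not published

def verify(y, X, Y, c, r):
    """Verifier side: rebuild a_1i, a_2i from c and r_i, re-hash, compare."""
    a1 = [pow(g, ri, P) * pow(Xi, c, P) % P for ri, Xi in zip(r, X)]
    a2 = [pow(yi, ri, P) * pow(Yi, c, P) % P for yi, ri, Yi in zip(y, r, Y)]
    return challenge(X, Y, a1, a2) == c

def demo():
    keys = [17, 230, 777]                 # constructed private keys x_i
    y = [pow(G, x, P) for x in keys]      # public keys y_i = G^x_i
    shares = [101, 202, 303]              # constructed stand-ins for p(1..3)
    X, Y, c, r = prove(shares, y)
    honest = verify(y, X, Y, c, r)
    bad_r = [(r[0] + 1) % Q] + r[1:]      # one altered response
    tampered = verify(y, X, Y, c, bad_r)
    return honest, tampered

if __name__ == "__main__":
    print(demo())
```

With an honest dealer, $g^{r_i} X_i^c = g^{w_i}$ and $y_i^{r_i} Y_i^c = y_i^{w_i}$, so the verifier hashes exactly the values the dealer hashed; any altered $r_i$ changes a rebuilt $a_{1i}$ and the comparison fails.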