@ -635,7 +635,7 @@ The preceding protocol has several security problems. Most notable is that one
party might learn the public keys of the other parties before committing
to their own public key. For example, Alice generates her public key
_yG_ honestly and shares it with Bob. Bob generates his public key
using _zG_ – _yG_. When their two keys are combined (_yG_ + _zG_ – _yG_), the
using _zG_ – _yG_. When their two keys are combined [.keep-together]#(_yG_ + _zG_ – _yG_),# the
positive and negative _yG_ terms cancel out so the public key only represents
the private key for _z_ (i.e., Bob's private key). Now Bob can create a
valid signature without any assistance from Alice. This is ((("key cancellation attacks")))called a
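Review bot: the `[.keep-together]#…#` role span in the `+` line only protects the second expression, `(_yG_ + _zG_ – _yG_),`, while the first one on the same line, `using _zG_ – _yG_.`, can still wrap at the en dash and split the key-cancellation arithmetic across lines in exactly the way this change is meant to prevent; apply the same role to `_zG_ – _yG_` for consistency. Also confirm that a `keep-together` role is actually defined in the book's stylesheet or PDF theme, since an undefined AsciiDoc role renders silently as plain text and the change would then have no visible effect. Minor: the trailing comma is inside the span; `#(_yG_ + _zG_ – _yG_)#,` keeps the markup to the expression itself without changing the output.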