|
|
|
|
@ -444,7 +444,7 @@ Bob waits to receive Alice's public nonce
|
|
|
|
|
actual equation the impersonator simply chooses a random number for _s_, generates
|
|
|
|
|
_sG_, and then uses EC subtraction to select a _kG_ that equals _kG_ =
|
|
|
|
|
_sG_ – _exG_. They give Bob their calculated _kG_ and later their random
|
|
|
|
|
_sG_, and Bob thinks that's valid because _sG_ == (_sG_ – _exG_) + _exG_.
|
|
|
|
|
_sG_, and Bob thinks that's valid because [.keep-together]#_sG_ == (_sG_ – _exG_)# + _exG_.
|
|
|
|
|
This explains why the order of operations in the protocol is
|
|
|
|
|
essential: Bob must only give Alice the challenge scalar after Alice
|
|
|
|
|
has committed to her public nonce.
|
|
|
|
|
|
claylock
7 months ago