Update README.md

README.md

@@ -46,18 +46,23 @@ $`H_{a_{i}} \leftarrow g_{1}^{r_{i}}`$
 The CA randomly selects $`r_{ISK}, r, \bar{r}`$ and computes bases
 
 $`H_{ISK} \leftarrow g_{1}^{r_{ISK}}`$
+
 $`H_{r} \leftarrow g_{1}^{r}`$
+
 $`\bar{g_1} \leftarrow g_{1}^{\bar{r}}`$
+
 $`\bar{g_2} \leftarrow \bar{g_1}^{ISK}`$
 
 Then the CA randomly selects $`r_p`$ and computes
 
 $`t_1 \leftarrow g_2^{r_p}`$
+
 $`t_2 \leftarrow \bar{g_1}^{r_p}`$
 
 It also generates
 
 $`C \leftarrow H(t_1||t_2||g_2||\bar{g_1}||W||\bar{g_2})`$
+
 $`s \leftarrow r_{p} %2B C \cdot ISK`$
 
 The issuer public key $`PK_{I}`$ is
@@ -79,13 +84,17 @@ $`sk_{c} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
 and random elements
 
 $`r_{sk} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`nonce \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
 
 and then computes
 
 $`N \leftarrow H_{ISK}^{sk_{c}}`$
+
 $`t \leftarrow H_{ISK}^{r_{sk}}`$
+
 $`C \leftarrow H(t||H_{ISK}||N||nonce||h_{CA})`$
+
 $`s \leftarrow r_{sk} %2B C \cdot sk_{c}`$
 
 The credential request sent to the CA is $`\{ N, nonce, C, s \}`$.
@@ -101,12 +110,15 @@ $`C = H(t'||H_{ISK}||N||nonce||h_{CA})`$
 If so, the CA picks random elements
 
 $`E \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`S \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
 
 and computes
 
 $`B \leftarrow g_{1} \cdot N \cdot H_{r}^S \cdot \prod_{i=0}^4 H_{a_{i}}^{a_{ci}}`$
+
 $`e \leftarrow \frac{1}{E %2B ISK}`$
+
 $`A \leftarrow B^e`$
 
 The CA returns the credential $`\{ A, B, S, E \}`$ to the user.
@@ -131,38 +143,63 @@ $`Nym \leftarrow N \cdot H_{r}^{r_{n}}`$
 And then generates the new signature as follows
 
 $`n \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_1 \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_2 \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_3 \leftarrow \frac{1}{r_1}`$
+
 $`A' \leftarrow A^{r_1}`$
+
 $`\bar{A} \leftarrow B^{r1} \cdot A'^{-E}`$
+
 $`B' \leftarrow \frac{B^{r1}}{H_{r}^{r_2}}`$
+
 $`S' \leftarrow S-r_2 \cdot r_3`$
 
 The client then generates random elements
 
 $`r_{sk_{c}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_{e} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_{r_2} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_{r_3} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_{S'} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_{r_{n}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_{a_{0}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_{a_{1}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_{a_{2}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_{a_{3}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
 
 and then generates
 
 $`t_1 \leftarrow A'^{r_{e}} \cdot H_{r}^{r_{r_2}}`$
+
 $`t_2 \leftarrow B'^{r_{r_3}} \cdot H_{ISK}^{r_{sk_{c}}} \cdot H_{r}^{r_{S'}} \cdot \prod_{i=0}^4 H_{a_{i}}^{r_{a_{i}} \bar{d}_i}`$
+
 $`t_3 \leftarrow H_{ISK}^{r_{sk_{c}}} \cdot H_{r}^{r_{r_{n}}}`$
+
 $`C \leftarrow H(H(t_1||t_2||t_3||A'||\bar{A}||B'||Nym||h_{CA}||d_0||\ldots||d_3||m)||n)`$
+
 $`S_{sk_{c}} \leftarrow r_{sk_{c}} %2B sk_{c} C`$
+
 $`S_{E} \leftarrow r_{e} - E C`$
+
 $`S_{r_2} \leftarrow r_{r_2} %2B r_2 C`$
+
 $`S_{r_3} \leftarrow r_{r_3} - r_3 C`$
+
 $`S_{S'} \leftarrow r_{S'} %2B S' C`$
+
 $`S_{r_{n}} \leftarrow r_{r_{n}} %2B r_{n} C`$
 
 and for each attribute $`a_{i}`$ that requires disclosure, it generates
@@ -180,7 +217,9 @@ $`e(W, A') = e(g_{2}, \bar{A})`$
 If so, it recomputes
 
 $`t'_1 \leftarrow \frac{A'^{S_{E}} \cdot H_{r}^{S_{r_2}}}{\left( \bar{A} \cdot B'^{-1} \right)^C}`$
+
 $`t'_2 \leftarrow H_{r}^{S_{S'}} \cdot B'^{S_{r_3}} \cdot H_{ISK}^{S_{sk_{c}}} \cdot \prod_{i=0}^4 H_{a_{i}}^{S_{a_{i}} \bar{d}_i} \cdot \left(g_{1} \cdot \prod_{i=0}^4 H_{a_{i}}^{a_{i} d_i} \right)^C`$
+
 $`t'_3 \leftarrow \frac{H_{ISK}^{S_{sk_{c}}} \cdot H_{r}^{S_{r_{n}}}}{Nym^C}`$
 
 and accepts the signature if
@@ -194,14 +233,19 @@ This verification also verifies the disclosed subset of attributes.
 Differently from a standard signature, a pseudonymous signature does not prove that the pseudonym possesses a user certificate signed by a CA. It only proves that the pseudonym $`Nym`$ signed message $`m`$. The signature is generated starting from the pseudonym (as generated in the section above) together with secret key $`sk_{c}`$ and randomness $`r_{n}`$ as follows: at first it picks random elements
 
 $`n \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_{sk_{c}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_{r_{n}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
 
 Then it generates
 
 $`t \leftarrow H_{ISK}^{r_{sk_{c}}} \cdot H_{r}^{r_{r_{n}}}`$
+
 $`C \leftarrow H(H(t||Nym||h_{CA}||m)||n)`$
+
 $`S_{sk_{c}} \leftarrow r_{sk_{c}} %2B sk_{c} C`$
+
 $`S_{r_{n}} \leftarrow r_{r_{n}} %2B r_{n} C`$
 
 The signature $`\sigma`$ is $`\sigma \leftarrow \{ Nym, C, S_{sk_{c}}, S_{r_{n}}, n \}`$.
@@ -227,6 +271,7 @@ The enrollment id is one of the cerified attributes ($`a_{2}`$ with value $`a_{c
 The pseudonym is computed by sampling
 
 $`r_{eid} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
+
 $`r_{r_{eid}} \gets_{\scriptscriptstyle\$} \mathbb{Z}_{r}`$
 
 and by generating the pseudonym