Posted by: m.kiraz
Date: 24 March 2010 12:02
Dear Vahid & Yaser
Let me continue with some further questions: You say that the security of your protocol comes from the security of Okamoto's protocol.
Note that in the first phase CA sends Cert_v, a, I, (u_1,u_2)^(e_AS) to the Voter. It is like the first phase of Okamoto's protocol (namely, the signer sends a). Therefore, CA looks like the Signer and the Voter looks like the User here.
However, in the second step the Voter sends [c, Cert_V, I, (u_1,u_2)^(e_AS) ]^(e_AS) to AS. This part now looks like the second step of Okamoto's protocol (namely, the User sends c). After that AS computes re_1 = u_1+cx_1 mod q, re_2 = u_2+cx_2 mod q. Check now that the Voter is the User and AS is the Signer. The roles are changed and overlapped. That's really strange, since CA was the signer above. Therefore, who knows x_1 and x_2? Is CA = AS? In your scheme: CA ---> V ---> AS ---> V ---> VS. It is not like Okamoto's protocol, as there are only two parties there, Signer and User.
Finally, are x_1 and x_2 used for only one voter, or re-generated for every voter?
Hope to hear from you soon.
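
Added example, not part of the original post or of the scheme under discussion: the two-party, three-move exchange the post refers to (commitment a, challenge c, responses u_i + c*x_i mod q), showing that the responses only verify against the public key of whoever holds x_1 and x_2. The toy group parameters, the keys, the public-key convention y = g1^x1 * g2^x2 and all function names are assumptions made for illustration.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1, both prime.
P, Q = 2039, 1019
G1, G2 = 4, 9  # squares mod P, so each generates the order-Q subgroup

def public_key(sk):
    """y = g1^x1 * g2^x2 mod p for the secret pair (x1, x2)."""
    return pow(G1, sk[0], P) * pow(G2, sk[1], P) % P

def commitment(u):
    """First move: a = g1^u1 * g2^u2 mod p for fresh randomness (u1, u2)."""
    return pow(G1, u[0], P) * pow(G2, u[1], P) % P

def respond(sk, u, c):
    """Third move, as written in the post: r_i = u_i + c*x_i mod q."""
    return ((u[0] + c * sk[0]) % Q, (u[1] + c * sk[1]) % Q)

def verify(y, a, c, r):
    """Accept iff g1^r1 * g2^r2 == a * y^c (mod p)."""
    return pow(G1, r[0], P) * pow(G2, r[1], P) % P == a * pow(y, c, P) % P

def demo():
    sk_a = (123, 456)   # constructed key of the party that sends a
    sk_b = (124, 456)   # constructed key of a different responder
    u = (secrets.randbelow(Q), secrets.randbelow(Q))
    a = commitment(u)
    c = 1 + secrets.randbelow(Q - 1)   # non-zero challenge
    # Same party commits and responds: the check passes.
    same_party = verify(public_key(sk_a), a, c, respond(sk_a, u, c))
    # A second party is handed (u1, u2) but answers with its own key.
    other_vs_a = verify(public_key(sk_a), a, c, respond(sk_b, u, c))
    other_vs_b = verify(public_key(sk_b), a, c, respond(sk_b, u, c))
    return same_party, other_vs_a, other_vs_b

if __name__ == "__main__":
    print(demo())
```

When the commitment and the response come from different parties, the result is a valid transcript only under the responder's key, which is why it matters which party knows x_1 and x_2.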