I am making an implementation of Niels Ferguson's paper: Single Term Off-Line Coins in Python.
In the Coin withdrawal protocol, in the last steps, Alice checks that the signatures she received are correct. She checks if she needs to adjust the signatures by making corrections. When I run the program I get most of the times that $S_{b}^{v} = C^{U}B$ but not that $S_{a}^{v} = C^{k}A$. I try to find calculations that need to change.
What are those corrections, and when and how do we apply them?
In the beginning of the protocol, we choose $h_{b},h_{c} \in \mathbb{F}_{p}$ of order $n$, for some prime $p$. However, it seems that at the step of finding a one-way function $f(.)$ that we consider $h_{b}^{b_{1}b_{2}}, h_{c}^{c_{1}c_{2}} \in \mathbb{Z}_{n}$.This can be seen in the calculation of $e_{a}$ which includes $f(a)$, where $a$ is calculated $modn$ and because $p$ is only known to the Bank. Why did we make this simplification and why we chose $h_{b},h_{c} \in \mathbb{F}_{p}$ with the properties that are given in the paper?
Here is part of the code that I used to make the necessary changes. I use the following functions that are self-described:
# Functions used
fastPower(base, power, modulo), multInverse(a, modulo)
e_a = (k_1_inverse * f(x_a) - tau)
e_b = (f(x_b) - phi)
e_c = (f(x_c) - sigma)
if e_a // v < 0:
g = fastPower(g_a, k_1, N)
S_a = S_a *multInverse(g, N) % N
if e_b // v < 0:
S_b = S_b * multInverse(g_b, N) % N
if e_c // v < 0:
g_1 = fastPower(g_c, k_1 * k_2, N)
S_a = S_a * multInverse(g_1, N) % N
g_2 = fastPower(g_c, U, N)
S_b = S_b * multInverse(g_2, N) % N
