





The certificate authority (CA) has two private key $x,y$ and public key $X = x G$ and $Y = y G$.  Alice has a secret key $a$ and a public key $A = a G$.

=== Certificate request protocol ===

Alice sends the DLEQ proof
CA has a 



CA sends Alice a fresh public key $Z = z G$ 

Alice computes and sends $A' = a Z$ along with a DLEQ proof $(c0,s0) = \DLEQ \{ a Z / Z = A/G \}$ constructed as follows.
- Alice creates a nonce $k$ and computes $K = k G$ and $K' = k Z$.
- Alice computes and sends $c0 = H( G, Z, K, K', A, A' )$ and $s0 = k - c a$.

CA checks the DLEQ proof $(c0,s0)$ with $c0 == H( G, s0 G - c0 A, s0 Z + c0 A', A, A' )$.




Alice sends the CA her public key $A_X = \aaa X$ along with a DLEQ proof ...














==Description of the ECQV scheme==

Initially the scheme parameters must be agreed upon. These are:
* The [[Elliptic-curve_cryptography-Domain_parameters|elliptic curve parameters]], including a generating point $G \,$of order $n \,$. 
* An encoding function $ \textrm{Encode}(ID, \gamma)$ which encodes its arguments as a byte-block, and a corresponding $\textrm{Decode}_{\gamma}( \sdot )$ which extracts the $\gamma$ value from an encoding.
* A [[Cryptographic_hash_function|hash function]] $H_n( \sdot )$ which accepts a byte-block and yields a hash value as an integer in the range $[0, n-1]$

The certificate authority (CA) has two private key $x,y$ and public key $X = x G$ and $Y = y G$.  Alice has a secret key $a$ and a public key $A = a G$.

=== Certificate request protocol ===

Alice sends the DLEQ proof
CA has a 



CA sends Alice a fresh public key $Z = z G$ 

Alice computes and sends $A' = a Z$ along with a DLEQ proof $(c0,s0) = \DLEQ \{ a Z / Z = A/G \}$ constructed as follows.
- Alice creates a nonce $k$ and computes $K = k G$ and $K' = k Z$.
- Alice computes and sends $c0 = H( G, Z, K, K', A, A' )$ and $s0 = k - c a$.

CA checks the DLEQ proof $(c0,s0)$ with $c0 == H( G, s0 G - c0 A, s0 Z + c0 A', A, A' )$.




Alice sends the CA her public key $A_X = \aaa X$ along with a DLEQ proof ...



Alice generates a random integer $\alpha$.
Alice computes $AA = \alpha Y$ and sends $AA$ and $ID_A$ to the CA.

Alice sends the CA her public



- CA selects a random integer $k$ from $[1, n-1]$ and computes $k G$.
- CA computes $K = k G$ and sends $K$ to the user.

- Alice generates a random integers $\alpha,\beta$
- Alice computes $\gamma = \alpha G$, the unblinded public key reconstruction data.
- Alice computes $\Cert = \textrm{Encode} (\gamma, Q_{CA})$
- Alice computes $e' = H_n( \Cert )$ and $e = e' + \beta$
- Alice sends $e$ to the CA

- CA computes $s' = e' k + c \pmod{n}$, the blinded private key reconstruction data.
- CA sends $s'$ to Alice

- Alice computes $e' = H_n (\Cert)$ and her private key $a = e'\alpha + s \pmod{n}$
- Alice computes $\gamma' = \textrm{Decode}_{\gamma} (\Cert)$ and her public key $Q_A = e'\gamma' + Q_{CA}$
- Alice verifies that the certificate is valid, i.e. that $Q_A = aG$

=== Using the certificate ===

Here, Alice wants to prove her identity to Bob, who trusts the CA.

- Alice sends $Cert$ to Bob, and a ciphertext $C$ created using her private key $a$. The ciphertext can be a digital signature, or part of an [[Authenticated Key Exchange]] protocol.
- Bob computes $\gamma'' = \textrm{Decode}_{\gamma} (\Cert)$ and $e'' = H_n (\Cert)$.
- Bob computes Alice's alleged public key $Q_A' = e''\gamma'' + Q_{CA}$
- Bob validates ciphertext $C$ using $Q_A'$. If this validation is successful, he can trust that the key $Q_A'$ is owned by the user whose identity information is contained in $Cert$.

=== Proof of equivalence of private and public keys ===

Alice's private key is $a = e'\alpha + s = e\alpha + ek + c \pmod{n}$

The public key reconstruction value $\gamma = A + kG = (\alpha + k)G$

Alice's public key is $Q_A = e\gamma + Q_{CA} = e(\alpha + k)G + cG = (e\alpha + ek + c)G$

Therefore, $Q_A = aG$, which completes the proof.
