Progress

sander · sander · commit 0649dbd6386c · 2025-01-18T15:30:39.000+01:00
diff --git a/draft-dijkhuis-cfrg-hdkeys.md b/draft-dijkhuis-cfrg-hdkeys.md
@@ -250,6 +250,27 @@ Note that by design of `BL`, when a document is issued using HDK, the reader doe
 
 An HDK implementation MAY leave BL-Blind-Private-Key implicit in cases where the blinding method is constructed in a distributed way. In those cases, the secure cryptographic device holding the private key does not need to support key blinding, and the value of the blinded private key is never available during computation.
 
+Using these constructs, an example proof of possession protocol is:
+
+~~~
+# 1. Unit shares with reader: pk
+
+# 2. Reader computes:
+nonce = generate_random_nonce() # out of scope for this spec
+
+# 3. Reader shares with unit: nonce
+
+# 4. Unit computes:
+msg = create_message(pk, nonce) # out of scope for this spec
+signature = DSA-Sign(sk, msg)
+
+# 5. Reader computes:
+msg = create_message(pk, nonce) # out of scope for this spec
+DSA-Verify(signature, pk, msg)
+~~~
+
+By design of `BL`, the same proof of possession protocol can be used with blinded key pairs and BL-Blind-Sign, in such a way that the reader does not recognise that key blinding was used.
+
 ## The HDK context
 
 A local unit or remote party creates an HDK context from an index.
