Editing Undeniable signature (section)

=== Confirmation (i.e., avowal) protocol ===
Bob wishes to verify the signature, ''z'', of ''m'' by Alice under the key, ''y''.
# Bob picks two random numbers: ''a'' and ''b'', and uses them to blind the message, sending to Alice: {{glossary}}{{defn|''c {{=}} m<sup>a</sup>g<sup>b</sup>''.}}{{glossary end}}
# Alice picks a random number, ''q'', uses it to blind, ''c'', and then signing this using her private key, ''x'', sending to Bob: {{glossary}}{{defn|''s<sub>1</sub> {{=}} cg<sup>q</sup>'' and}}{{defn|''s<sub>2</sub>'' {{=}} ''s<sub>1</sub><sup>x</sup>''.}}{{glossary end}} Note that {{glossary}}{{defn|''s<sub>1</sub><sup>x</sup>'' {{=}} ''(cg<sup>q</sup>){{sup|x}}'' {{=}} ''(m<sup>a</sup>g<sup>b</sup>'')''{{sup|x}}g<sup>qx</sup>'' {{=}} ''(m{{sup|x}}){{sup|a}}(g{{sup|x}}){{sup|b+q}}'' {{=}} ''z{{sup|a}}y{{sup|b+q}}''.}}{{glossary end}}
# Bob reveals ''a'' and ''b''.
# Alice verifies that ''a'' and ''b'' are the correct blind values, then, if so, reveals ''q''. Revealing these blinds makes the exchange zero knowledge.
# Bob verifies ''s<sub>1</sub>'' = ''cg<sup>q</sup>'', proving ''q'' has not been chosen dishonestly, and {{glossary}}{{defn|''s<sub>2</sub>'' {{=}} ''z<sup>a</sup>y<sup>b+q</sup>'',}}{{glossary end}} proving z is valid signature issued by Alice's key. Note that {{glossary}}{{defn|''z<sup>a</sup>y<sup>b+q</sup>'' {{=}} ''(m{{sup|x}})<sup>a</sup>(g<sup>x</sup>)<sup>b+q</sup>''.}}{{glossary end}}

Alice can cheat at step 2 by attempting to randomly guess ''s<sub>2</sub>''.