C samples a random ‘blind’ r ← ZZ_q  #模为q的整数环
C computes T = H_1(t) and then blinds it by computing rT  
C sends M = rT to S
S computes Z = xM and returns Z to C
C computes (1/r)*Z = xT = N and stores the pair (t,N) for some point in the future #C无法知道S的私钥x

C calculates request binding data req and chooses an unspent token (t,N)
C calculates a shared key sk = H_2(t,N) and sends (t, MAC_sk(req)) to S  #sk即共同密钥
S recalculates req' based on the request data that it witnesses
S checks that t has not been spent already and calculates T = H_1(t), N = xT, and sk = H_2(t,N)  #确定t还没用过，用私钥x计算出sk
Finally S checks that MAC_sk(req') =?= MAC_sk(req), and stores t to check against future redemptions