[doc/wrestlers] / wrslide.tex

\xcalways\section{The Wrestlers Protocol}\x

\xcalways\subsection{Identification using Diffie-Hellman}\x

\begin{slide}
  \resetseq
  \head{Identification using Diffie-Hellman \seq: Properties}
  \topic{properties}

  \begin{itemize}
  \item Simple -- easy to remember, analyse and implement
  \item Practical -- two scalar multiplications for each party
  \item Secure -- under Computational Diffie-Hellman assumption
  \item Zero-knowledge -- statistical ZK
  \item Proofs in random oracle model -- but without `programming'
  \end{itemize}
\end{slide}

\begin{slide}
  \head{Identification using Diffie-Hellman \seq: Basic setting}
  \topic{setting}

  \begin{itemize}
  \item Cyclic group $(G, +)$
  \item $|G| = q$ is prime
  \item $P$ generates $G$
  \item Alice's private key is $a \inr \Nupto{q}$
  \item Alice's public key is $A = a P$
  \item Assume computational Diffie-Hellman problem hard in $G$
  \end{itemize}
\end{slide}

\begin{slide}
  \head{Identification using Diffie-Hellman \seq: Na\"\i ve attempt}
  \topic{protocol design}

  \begin{protocol}
    Alice & Bob \\
    (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$)
    \\[\medskipamount]
    & $r \getsr \Nupto{q}$; \\
    & $R \gets r P$; \\
    \\
    \\
    \\
    \send{<-}{R}
    $Y \gets a R$; \\
    \\
    \\
    \\
    \send{->}{Y}
    & \textbf{Check} $Y = r A$
  \end{protocol}
\end{slide}

\begin{slide}
  \head{Identification using Diffie-Hellman \seq: Fix it with a hash}
  \protocolskip0pt

  \begin{protocol}
    Alice & Bob \\
    (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$)
    \\[\medskipamount]
    & $r \getsr \Nupto{q}$; \\
    & $R \gets r P$; \\
    & $Y \gets r A$; \\
    & \diff $h \gets H(\cookie{check}, R, Y)$; \\
    & \\
    \send{<-}{(R, \hbox{\diff $h$})}
    $Y \gets a R$; \\
    \\
    \\
    \diff \textbf{Check} $h = H(\cookie{check}, R, Y)$ \\
    \send{->}{Y}
    & \textbf{Check} $Y$
  \end{protocol}
  \dots but there are still small-subgroup attacks
\end{slide}

\begin{slide}
  \head{Identification using Diffie-Hellman \seq: Stinson-Wu [SW06]}
  \protocolskip0pt

  \begin{protocol}
    Alice & Bob \\
    (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$)
    \\[\medskipamount]
    & $r \getsr \Nupto{q}$; \\
    & $R \gets r P$; \\
    & $Y \gets r A$; \\
    & $h \gets H(\cookie{check}, R, Y)$; \\
    & \\
    \send{<-}{(R, h)}
    $Y \gets a R$; \\
    \\
    \diff \textbf{Check} $q R = 0$; \\
    \textbf{Check} $h = H(\cookie{check}, R, Y)$ \\
    \send{->}{Y}
    & \textbf{Check} $Y$
  \end{protocol}
  \dots and apply the Knowledge of Exponent assumption
\end{slide}

\begin{slide}
  \head{Identification using Diffie-Hellman \seq: The Wrestlers Protocol
  $\Wident$}

  \begin{protocol}
    Alice & Bob \\
    (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$)
    \\[\medskipamount]
    & $r \getsr \Nupto{q}$; \\
    & $R \gets r P$; \\
    & $Y \gets r A$; \\
    & $h \gets H(\cookie{check}, R, Y)$; \\
    & \diff $c \gets h \xor r$; \\
    \send{<-}{(R, \hbox{\diff $c$})}
    $Y \gets a R$; \\
    $h \gets H(\cookie{check}, R, Y)$; \\
    \diff $r \gets c \xor h$; \\
    \diff \textbf{Check} $R = r P$ \\
    \send{->}{Y}
    & \textbf{Check} $Y$
  \end{protocol}
\end{slide}

\begin{slide}
  \head{Identification using Diffie-Hellman \seq: Identification-based
  $\Wident$}

  \begin{protocol}
    Alice & Bob \\
    (Private key $K_A = t I_A$) &
    (Public key $I_A = H(\cookie{id}, \text{Alice})$)
    \\[\medskipamount]
    & $r \getsr \Nupto{q}$; \\
    & $R \gets r P$; \\
    & \diff $Y \gets \hat{e}(T, I_A)^r$; \\
    & $h \gets H(\cookie{check}, R, Y)$; \\
    & $c \gets h \xor r$; \\
    \send{<-}{(R, c)}
    \diff $Y \gets \hat{e}(R, K_A)$; \\
    $h \gets H(\cookie{check}, R, Y)$; \\
    $r \gets c \xor h$; \\
    \textbf{Check} $R = r P$ \\
    \send{->}{Y}
    & \textbf{Check} $Y$
  \end{protocol}
  (Trusted authority's private key $t \inr \Nupto{q}$; public key $T = t P$)
\end{slide}

\xcalways\subsection{Key exchange}\x

\begin{slide}
  \resetseq
  \head{Mutual identification \seq: Bob identifies Alice}
  \topic{mutual identification}

  \begin{protocol}
    Alice & Bob \\
    (Private key $a$, public key $A = a P$)
    \\[\medskipamount]
    & $r_B \getsr \Nupto{q}$; \\
    & $R_B \gets r_B P$; \\
    \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
    \\
    $Y_B \gets a R_B$; \\
    \\
    \send{->}{Y_B}
  \end{protocol}
\end{slide}
    
\begin{slide}
  \head{Mutual identification \seq: Alice identifies Bob too}

  \begin{protocol}
    Alice & Bob \\
    (Private key $a$, public key $A = a P$) &
    \other (Private key $b$, public key $B = b P$)
    \\[\medskipamount]
    \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
    \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
    \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
    \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))}
    $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
    \\
    \send{->}{Y_B}
    \send{<-}{\other Y_A}
  \end{protocol}
\end{slide}
    
\begin{slide}
  \head{Mutual identification \seq: Key exchange?}

  \begin{protocol}
    Alice & Bob \\
    (Private key $a$, public key $A = a P$) &
    \other (Private key $b$, public key $B = b P$)
    \\[\medskipamount]
    \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
    \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
    \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
    \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))}
    $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
    \\
    \send{->}{Y_B}
    \send{<-}{\other Y_A}
    \diff $Z \gets r_A R_B$; & \diff $Z \gets r_B R_A$;
  \end{protocol}
  \bigskip
  Unfortunately it's not secure.
\end{slide}

\begin{slide}
  \resetseq
  \head{Key exchange \seq: Properties}
  \topic{properties}

  \begin{itemize}
  \item Simple -- symmetrical; based on mutual identification
  \item Practical -- three, four or five flows; four multiplications by each
    party
  \item Secure -- provides SK-security in model of [CK01]
  \item Deniable -- simulator can produce convincing transcripts
  \item Proofs in random oracle model -- again without `programming'
  \end{itemize}
\end{slide}

\begin{slide}
  \head{Key exchange \seq: Setting}
  \topic{setting}

  \begin{itemize}
  \item Cyclic group $(G, +)$
  \item $|G| = q$ is prime
  \item $P$ generates $G$
  \item Alice's private key is $a \inr \Nupto{q}$; her public key is $A = a
    P$
  \item Bob's private key is $b \inr \Nupto{q}$; his public key is $B = b
    P$
  \item Symmetric IND-CCA encryption scheme $\E = (\kappa, E, D)$
  \item Assume computational Diffie-Hellman problem hard in $G$
  \end{itemize}
\end{slide}

\begin{slide}
  \head{Key exchange \seq: Broken first attempt}
  \topic{protocol design}

  \begin{protocol}
    Alice & Bob \\
    (Private key $a$, public key $A = a P$) &
    \other (Private key $b$, public key $B = b P$)
    \\[\medskipamount]
    \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
    \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
    \\
    \\
    \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
    \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))}
    $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
    $Z \gets r_A R_B$; & $Z \gets r_B R_A$; \\
    \send{->}{(R_A, Y_B)}
    \send{<-}{\other (R_B, Y_A)}
    Key is $Z$ & Key is $Z$
  \end{protocol}
\end{slide}

\begin{slide}
  \head{Key exchange \seq: Solution -- encrypt responses}

  \begin{protocol}
    Alice & Bob \\
    (Private key $a$, public key $A = a P$) &
    \other (Private key $b$, public key $B = b P$)
    \\[\medskipamount]
    \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
    \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
    \\
    \\
    \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
    \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))}
    $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
    \diff $(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; &
    \diff $(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\
    \send{->}{(R_A, \hbox{\diff $E_{K_0}(Y_B)$})}
    \send{<-}{\other (R_B, \hbox{\diff $E_{K_0}(Y_A)$})}
    Key is $K_1$ & Key is $K_1$
  \end{protocol}
\end{slide}

\begin{slide}
  \head{Key exchange \seq: Multiple sessions}

  \begin{protocol}
    Alice & Bob \\
    (Private key $a$, public key $A = a P$) &
    \other (Private key $b$, public key $B = b P$)
    \\[\medskipamount]
    \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
    \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
    \\
    \\
    \send{<-}{(R_B, r_B \xor H(\cookie{check},
      \hbox{\diff $B$}, \hbox{\diff $s$}, R_B, Y_B))}
    \send{->}{\other (R_A, r_A \xor H(\cookie{check},
      \hbox{\diff $A$}, \hbox{\diff $s$}, R_A, Y_A))}
    $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
    $(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; &
    $(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\
    \send{->}{(R_A, E_{K_0}(Y_B))}
    \send{<-}{\other (R_B, E_{K_0}(Y_A))}
    Key is $K_1$ & Key is $K_1$
  \end{protocol}
  (Session id is $s$)
\end{slide}

\begin{slide}
  \head{Key exchange \seq: Fully deniable variant}

  \begin{protocol}
    Alice & Bob \\
    (Private key $a$, public key $A = a P$) &
    \other (Private key $b$, public key $B = b P$)
    \\[\medskipamount]
    \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
    \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
    \send{->}{\diff R_A}
    \send{<-}{\diff R_B}
    \send{<-}{(R_B, r_B \xor H(\cookie{check}, B, s, \hbox{\diff $R_A$}, R_B, Y_B))}
    \send{->}{\other (R_A, r_A \xor H(\cookie{check}, A, s, \hbox{\diff $R_B$}, R_A, Y_A))}
    $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
    $(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; &
    $(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\
    \send{->}{(R_A, E_{K_0}(Y_B))}
    \send{<-}{\other (R_B, E_{K_0}(Y_A))}
    Key is $K_1$ & Key is $K_1$
  \end{protocol}
\end{slide}

\endinput

%%% Local Variables: 
%%% mode: latex
%%% TeX-master: "wrslides"
%%% End:
Commit	Line	Data
a6e375a6 MW	1	\xcalways\section{The Wrestlers Protocol}\x
	2
	3	\xcalways\subsection{Identification using Diffie-Hellman}\x
	4
	5	\begin{slide}
	6	\resetseq
	7	\head{Identification using Diffie-Hellman \seq: Properties}
	8	\topic{properties}
	9
	10	\begin{itemize}
	11	\item Simple -- easy to remember, analyse and implement
	12	\item Practical -- two scalar multiplications for each party
	13	\item Secure -- under Computational Diffie-Hellman assumption
	14	\item Zero-knowledge -- statistical ZK
	15	\item Proofs in random oracle model -- but without `programming'
	16	\end{itemize}
	17	\end{slide}
	18
	19	\begin{slide}
	20	\head{Identification using Diffie-Hellman \seq: Basic setting}
	21	\topic{setting}
	22
	23	\begin{itemize}
	24	\item Cyclic group $(G, +)$
	25	\item $\|G\| = q$ is prime
	26	\item $P$ generates $G$
	27	\item Alice's private key is $a \inr \Nupto{q}$
	28	\item Alice's public key is $A = a P$
	29	\item Assume computational Diffie-Hellman problem hard in $G$
	30	\end{itemize}
	31	\end{slide}
	32
	33	\begin{slide}
	34	\head{Identification using Diffie-Hellman \seq: Na\"\i ve attempt}
	35	\topic{protocol design}
	36
	37	\begin{protocol}
	38	Alice & Bob \\
	39	(Private key $a \inr \Nupto{q}$) & (Public key $A = a P$)
	40	\\[\medskipamount]
	41	& $r \getsr \Nupto{q}$; \\
	42	& $R \gets r P$; \\
	43	\\
	44	\\
	45	\\
	46	\send{<-}{R}
	47	$Y \gets a R$; \\
	48	\\
	49	\\
	50	\\
	51	\send{->}{Y}
	52	& \textbf{Check} $Y = r A$
	53	\end{protocol}
	54	\end{slide}
	55
	56	\begin{slide}
	57	\head{Identification using Diffie-Hellman \seq: Fix it with a hash}
	58	\protocolskip0pt
	59
	60	\begin{protocol}
	61	Alice & Bob \\
	62	(Private key $a \inr \Nupto{q}$) & (Public key $A = a P$)
	63	\\[\medskipamount]
	64	& $r \getsr \Nupto{q}$; \\
65	& $R \gets r P$; \\
66	& $Y \gets r A$; \\
67	& \diff $h \gets H(\cookie{check}, R, Y)$; \\
68	& \\
69	\send{<-}{(R, \hbox{\diff $h$})}
70	$Y \gets a R$; \\
71	\\
72	\\
73	\diff \textbf{Check} $h = H(\cookie{check}, R, Y)$ \\
74	\send{->}{Y}
75	& \textbf{Check} $Y$
76	\end{protocol}
77	\dots but there are still small-subgroup attacks
78	\end{slide}
79
80	\begin{slide}
81	\head{Identification using Diffie-Hellman \seq: Stinson-Wu [SW06]}
82	\protocolskip0pt
83
84	\begin{protocol}
85	Alice & Bob \\
86	(Private key $a \inr \Nupto{q}$) & (Public key $A = a P$)
87	\\[\medskipamount]
88	& $r \getsr \Nupto{q}$; \\
89	& $R \gets r P$; \\
90	& $Y \gets r A$; \\
91	& $h \gets H(\cookie{check}, R, Y)$; \\
92	& \\
93	\send{<-}{(R, h)}
94	$Y \gets a R$; \\
95	\\
96	\diff \textbf{Check} $q R = 0$; \\
97	\textbf{Check} $h = H(\cookie{check}, R, Y)$ \\
98	\send{->}{Y}
99	& \textbf{Check} $Y$
100	\end{protocol}
101	\dots and apply the Knowledge of Exponent assumption
102	\end{slide}
103
104	\begin{slide}
105	\head{Identification using Diffie-Hellman \seq: The Wrestlers Protocol
106	$\Wident$}
107
108	\begin{protocol}
109	Alice & Bob \\
110	(Private key $a \inr \Nupto{q}$) & (Public key $A = a P$)
111	\\[\medskipamount]
112	& $r \getsr \Nupto{q}$; \\
113	& $R \gets r P$; \\
114	& $Y \gets r A$; \\
115	& $h \gets H(\cookie{check}, R, Y)$; \\
116	& \diff $c \gets h \xor r$; \\
117	\send{<-}{(R, \hbox{\diff $c$})}
118	$Y \gets a R$; \\
119	$h \gets H(\cookie{check}, R, Y)$; \\
120	\diff $r \gets c \xor h$; \\
121	\diff \textbf{Check} $R = r P$ \\
122	\send{->}{Y}
123	& \textbf{Check} $Y$
124	\end{protocol}
125	\end{slide}
126
127	\begin{slide}
128	\head{Identification using Diffie-Hellman \seq: Identification-based
129	$\Wident$}
130
131	\begin{protocol}
132	Alice & Bob \\
133	(Private key $K_A = t I_A$) &
134	(Public key $I_A = H(\cookie{id}, \text{Alice})$)
135	\\[\medskipamount]
136	& $r \getsr \Nupto{q}$; \\
137	& $R \gets r P$; \\
138	& \diff $Y \gets \hat{e}(T, I_A)^r$; \\
139	& $h \gets H(\cookie{check}, R, Y)$; \\
140	& $c \gets h \xor r$; \\
141	\send{<-}{(R, c)}
142	\diff $Y \gets \hat{e}(R, K_A)$; \\
143	$h \gets H(\cookie{check}, R, Y)$; \\
144	$r \gets c \xor h$; \\
145	\textbf{Check} $R = r P$ \\
146	\send{->}{Y}
147	& \textbf{Check} $Y$
148	\end{protocol}
149	(Trusted authority's private key $t \inr \Nupto{q}$; public key $T = t P$)
150	\end{slide}
151
152	\xcalways\subsection{Key exchange}\x
153
154	\begin{slide}
155	\resetseq
156	\head{Mutual identification \seq: Bob identifies Alice}
157	\topic{mutual identification}
158
159	\begin{protocol}
160	Alice & Bob \\
161	(Private key $a$, public key $A = a P$)
162	\\[\medskipamount]
163	& $r_B \getsr \Nupto{q}$; \\
164	& $R_B \gets r_B P$; \\
165	\send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
166	\\
167	$Y_B \gets a R_B$; \\
168	\\
169	\send{->}{Y_B}
170	\end{protocol}
171	\end{slide}
172
173	\begin{slide}
174	\head{Mutual identification \seq: Alice identifies Bob too}
175
176	\begin{protocol}
177	Alice & Bob \\
178	(Private key $a$, public key $A = a P$) &
179	\other (Private key $b$, public key $B = b P$)
180	\\[\medskipamount]
181	\other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
182	\other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
183	\send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
184	\send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))}
185	$Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
186	\\
187	\send{->}{Y_B}
188	\send{<-}{\other Y_A}
189	\end{protocol}
190	\end{slide}
191
192	\begin{slide}
193	\head{Mutual identification \seq: Key exchange?}
194
195	\begin{protocol}
196	Alice & Bob \\
197	(Private key $a$, public key $A = a P$) &
198	\other (Private key $b$, public key $B = b P$)
199	\\[\medskipamount]
200	\other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
201	\other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
202	\send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
203	\send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))}
204	$Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
205	\\
206	\send{->}{Y_B}
207	\send{<-}{\other Y_A}
208	\diff $Z \gets r_A R_B$; & \diff $Z \gets r_B R_A$;
209	\end{protocol}
210	\bigskip
211	Unfortunately it's not secure.
212	\end{slide}
213
214	\begin{slide}
215	\resetseq
216	\head{Key exchange \seq: Properties}
217	\topic{properties}
218
219	\begin{itemize}
220	\item Simple -- symmetrical; based on mutual identification
221	\item Practical -- three, four or five flows; four multiplications by each
222	party
223	\item Secure -- provides SK-security in model of [CK01]
224	\item Deniable -- simulator can produce convincing transcripts
225	\item Proofs in random oracle model -- again without `programming'
226	\end{itemize}
227	\end{slide}
228
229	\begin{slide}
230	\head{Key exchange \seq: Setting}
231	\topic{setting}
232
233	\begin{itemize}
234	\item Cyclic group $(G, +)$
235	\item $\|G\| = q$ is prime
236	\item $P$ generates $G$
237	\item Alice's private key is $a \inr \Nupto{q}$; her public key is $A = a
238	P$
239	\item Bob's private key is $b \inr \Nupto{q}$; his public key is $B = b
240	P$
241	\item Symmetric IND-CCA encryption scheme $\E = (\kappa, E, D)$
242	\item Assume computational Diffie-Hellman problem hard in $G$
243	\end{itemize}
244	\end{slide}
245
246	\begin{slide}
247	\head{Key exchange \seq: Broken first attempt}
248	\topic{protocol design}
249
250	\begin{protocol}
251	Alice & Bob \\
252	(Private key $a$, public key $A = a P$) &
253	\other (Private key $b$, public key $B = b P$)
254	\\[\medskipamount]
255	\other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
256	\other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
257	\\
258	\\
259	\send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
260	\send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))}
261	$Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
262	$Z \gets r_A R_B$; & $Z \gets r_B R_A$; \\
263	\send{->}{(R_A, Y_B)}
264	\send{<-}{\other (R_B, Y_A)}
265	Key is $Z$ & Key is $Z$
266	\end{protocol}
267	\end{slide}
268
269	\begin{slide}
270	\head{Key exchange \seq: Solution -- encrypt responses}
271
272	\begin{protocol}
273	Alice & Bob \\
274	(Private key $a$, public key $A = a P$) &
275	\other (Private key $b$, public key $B = b P$)
276	\\[\medskipamount]
277	\other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
278	\other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
279	\\
280	\\
281	\send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
282	\send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))}
283	$Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
284	\diff $(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; &
285	\diff $(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\
286	\send{->}{(R_A, \hbox{\diff $E_{K_0}(Y_B)$})}
287	\send{<-}{\other (R_B, \hbox{\diff $E_{K_0}(Y_A)$})}
288	Key is $K_1$ & Key is $K_1$
289	\end{protocol}
290	\end{slide}
291
292	\begin{slide}
293	\head{Key exchange \seq: Multiple sessions}
294
295	\begin{protocol}
296	Alice & Bob \\
297	(Private key $a$, public key $A = a P$) &
298	\other (Private key $b$, public key $B = b P$)
299	\\[\medskipamount]
300	\other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
301	\other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
302	\\
303	\\
304	\send{<-}{(R_B, r_B \xor H(\cookie{check},
305	\hbox{\diff $B$}, \hbox{\diff $s$}, R_B, Y_B))}
306	\send{->}{\other (R_A, r_A \xor H(\cookie{check},
307	\hbox{\diff $A$}, \hbox{\diff $s$}, R_A, Y_A))}
308	$Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
309	$(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; &
310	$(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\
311	\send{->}{(R_A, E_{K_0}(Y_B))}
312	\send{<-}{\other (R_B, E_{K_0}(Y_A))}
313	Key is $K_1$ & Key is $K_1$
314	\end{protocol}
315	(Session id is $s$)
316	\end{slide}
317
318	\begin{slide}
319	\head{Key exchange \seq: Fully deniable variant}
320
321	\begin{protocol}
322	Alice & Bob \\
323	(Private key $a$, public key $A = a P$) &
324	\other (Private key $b$, public key $B = b P$)
325	\\[\medskipamount]
326	\other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
327	\other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
328	\send{->}{\diff R_A}
329	\send{<-}{\diff R_B}
330	\send{<-}{(R_B, r_B \xor H(\cookie{check}, B, s, \hbox{\diff $R_A$}, R_B, Y_B))}
331	\send{->}{\other (R_A, r_A \xor H(\cookie{check}, A, s, \hbox{\diff $R_B$}, R_A, Y_A))}
332	$Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
333	$(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; &
334	$(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\
335	\send{->}{(R_A, E_{K_0}(Y_B))}
336	\send{<-}{\other (R_B, E_{K_0}(Y_A))}
337	Key is $K_1$ & Key is $K_1$
338	\end{protocol}
339	\end{slide}
340
341	\endinput
342
343	%%% Local Variables:
344	%%% mode: latex
345	%%% TeX-master: "wrslides"
346	%%% End: