X-Git-Url: https://git.distorted.org.uk/~mdw/doc/wrestlers/blobdiff_plain/8b8b883978ff98f5d9edc60f1bf6771b3d66b617..32609df3198ff2b57dc418199e863c3e16ffa8f0:/wr-main.tex diff --git a/wr-main.tex b/wr-main.tex index 3df0e46..e876700 100644 --- a/wr-main.tex +++ b/wr-main.tex @@ -1,26 +1,20 @@ -\xcalways\section{The Wrestlers Protocol}\x +\section{The Wrestlers Protocol} +\frame{\tableofcontents[currentsection]} -\xcalways\subsection{Identification using Diffie-Hellman}\x +\subsection{Identification using Diffie-Hellman} -\begin{slide} - \resetseq - \head{Identification using Diffie-Hellman \seq: properties} - \topic{properties} - - \begin{itemize} +\begin{frame}{Identification using Diffie-Hellman: properties} + \begin{itemize}[<+->] \item Simple -- easy to remember, analyse and implement \item Practical -- two scalar multiplications for each party \item Secure -- under Computational Diffie-Hellman assumption \item Zero-knowledge -- statistical ZK \item Proofs in random oracle model -- but without `programming' \end{itemize} -\end{slide} - -\begin{slide} - \head{Identification using Diffie-Hellman \seq: basic setting} - \topic{setting} +\end{frame} - \begin{itemize} +\begin{frame}{Identification using Diffie-Hellman: basic setting} + \begin{itemize}[<+->] \item Cyclic group $(G, +)$ \item $|G| = q$ is prime \item $P$ generates $G$ @@ -28,222 +22,237 @@ \item Alice's public key is $A = a P$ \item Assume computational Diffie-Hellman problem hard in $G$ \end{itemize} -\end{slide} - -\begin{slide} - \head{Identification using Diffie-Hellman \seq: na\"\i ve attempt} - \topic{protocol design} - - \begin{protocol} - Alice & Bob \\ - (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$) - \\[\medskipamount] - & $r \getsr \Nupto{q}$; \\ - & $R \gets r P$; \\ - \\ - \\ - \\ - \send{<-}{R} - $Y \gets a R$; \\ - \\ - \\ - \\ - \send{->}{Y} - & \textbf{Check} $Y = r A$ - \end{protocol} -\end{slide} - -\begin{slide} - \head{Identification using Diffie-Hellman \seq: fix it with a hash} - \protocolskip0pt - - \begin{protocol} - Alice & Bob \\ - (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$) - \\[\medskipamount] - & $r \getsr \Nupto{q}$; \\ - & $R \gets r P$; \\ - & $Y \gets r A$; \\ - & \diff $h \gets H(\cookie{check}, R, Y)$; \\ - & \\ - \send{<-}{(R, \hbox{\diff $h$})} - $Y \gets a R$; \\ - \\ - \\ - \diff \textbf{Check} $h = H(\cookie{check}, R, Y)$ \\ - \send{->}{Y} - & \textbf{Check} $Y$ - \end{protocol} - \dots but there are still small-subgroup attacks -\end{slide} - -\begin{slide} - \head{Identification using Diffie-Hellman \seq: Stinson-Wu [SW06]} - \protocolskip0pt - - \begin{protocol} - Alice & Bob \\ - (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$) - \\[\medskipamount] - & $r \getsr \Nupto{q}$; \\ - & $R \gets r P$; \\ - & $Y \gets r A$; \\ - & $h \gets H(\cookie{check}, Y)$; \\ - & \\ - \send{<-}{(R, h)} - $Y \gets a R$; \\ - \\ - \diff \textbf{Check} $q R = 0$; \\ - \textbf{Check} $h = H(\cookie{check}, Y)$ \\ - \send{->}{Y} - & \textbf{Check} $Y$ - \end{protocol} - \dots and apply the Knowledge of Exponent assumption -\end{slide} - -\begin{slide} - \head{Identification using Diffie-Hellman \seq: the Wrestlers Protocol - $\Wident$} - - \begin{protocol} - Alice & Bob \\ - (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$) - \\[\medskipamount] - & $r \getsr \Nupto{q}$; \\ - & $R \gets r P$; \\ - & $Y \gets r A$; \\ - & $h \gets H(\cookie{check}, R, Y)$; \\ - & \diff $c \gets h \xor r$; \\ - \send{<-}{(R, \hbox{\diff $c$})} - $Y \gets a R$; \\ - $h \gets H(\cookie{check}, R, Y)$; \\ - \diff $r \gets c \xor h$; \\ - \diff \textbf{Check} $R = r P$ \\ - \send{->}{Y} - & \textbf{Check} $Y$ - \end{protocol} -\end{slide} - -\begin{slide} - \head{Identification using Diffie-Hellman \seq: identification-based - $\Wident$} - - \begin{protocol} - Alice & Bob \\ - (Private key $K_A = t I_A$) & - (Public key $I_A = H(\cookie{id}, \text{Alice})$) - \\[\medskipamount] - & $r \getsr \Nupto{q}$; \\ - & $R \gets r P$; \\ - & \diff $Y \gets \hat{e}(T, I_A)^r$; \\ - & $h \gets H(\cookie{check}, R, Y)$; \\ - & $c \gets h \xor r$; \\ - \send{<-}{(R, c)} - \diff $Y \gets \hat{e}(R, K_A)$; \\ - $h \gets H(\cookie{check}, R, Y)$; \\ - $r \gets c \xor h$; \\ - \textbf{Check} $R = r P$ \\ - \send{->}{Y} - & \textbf{Check} $Y$ +\end{frame} + +\begin{frame}{Identification using Diffie-Hellman: protocols} + %% Overlays: + %% 1 - basic setup (alice's keys) + %% naïve version + %% 2 - bob makes eqphemeral keys + %% 3 - bob sends challenge to alice + %% 4 - alice computes response and sends it back + %% 5 - bob computes expected answer + %% 6 - bob checks alice's response + %% 7 - remark? + %% hash fix (8) + %% 9 - bob computes check hash and sends it + %% 10 - alice verifies the hash + %% 11 - remark? + %% stinson-wu (12) + %% 13 - check subgroup membership + %% 14 - don't hash U + %% 15 - remark? + %% wrestlers (16) + %% 17 - bob computes and sends c + %% 18 - alice recovers and checks u + \begin{protocol}{5}{16} + \node [alice, thoughts] at (0, 2) + {Private: $a \inr \Nupto{q}$ \\ + Public: $A = a P$}; + \uncover<2->{ + \node [bob, thoughts] at (0, 4) + {{$u \getsr \Nupto{q}$; \\ + $U \gets u P$; \\ + \action<5->{$Y \gets u A$;} \\ + \action<9-| alert@9-11>{$ + h \gets H(\cookie{check}, + \only<9-13,16->{U, Y} + \action{Y}) + $;} \\ + \action<17-| alert@17-> { + $c \gets u \xor h$; + } + }}; + } + \uncover<3->{ + \path [message, ->] (0, 10) -- node [above] + {{\vphantom{$,$} + \only<3-8>{$U$} + \only<9-16>{$U, \alert<9-11>{h}$} + \only<17->{$U, \alert<17->{c}$} }} + +(1, 0); + } + \uncover<4->{ + \node [alice, thoughts] at (0, 10) + {{$Y' \gets a U$; \\ + \action + {Check $h = H(\cookie{check}, + \only<10-13,16->{U, Y} + \action{Y}) + $; \\} + \only<17-> + {$h' \gets H(\cookie{check}, U, Y)$; \\} + \action{Check $q U = 0$;} + \action{ + $r' \gets h' \xor c$; \\ + Check $r' P = U$; + }}}; + \path [message, <-] (0, 14) -- node [above] {$Y'$} +(1, 0); + } + \uncover<6->{ + \node [bob, thoughts] at (0, 14) {Check $Y = Y'$;}; + } \end{protocol} - (Trusted authority's private key $t \inr \Nupto{q}$; public key $T = t P$) -\end{slide} - -\xcalways\subsection{Key exchange}\x - -\begin{slide} - \resetseq - \head{Mutual identification \seq: Bob identifies Alice} - \topic{mutual identification} - - \begin{protocol} - Alice & Bob \\ - (Private key $a$, public key $A = a P$) - \\[\medskipamount] - & $r_B \getsr \Nupto{q}$; \\ - & $R_B \gets r_B P$; \\ - \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))} - \\ - $Y_B \gets a R_B$; \\ - \\ - \send{->}{Y_B} - \end{protocol} -\end{slide} - -\begin{slide} - \head{Mutual identification \seq: Alice identifies Bob too} - - \begin{protocol} - Alice & Bob \\ - (Private key $a$, public key $A = a P$) & - \other (Private key $b$, public key $B = b P$) - \\[\medskipamount] - \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\ - \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\ - \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))} - \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))} - $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\ - \\ - \send{->}{Y_B} - \send{<-}{\other Y_A} - \end{protocol} -\end{slide} - -\begin{slide} - \head{Mutual identification \seq: key exchange?} - - \begin{protocol} - Alice & Bob \\ - (Private key $a$, public key $A = a P$) & - \other (Private key $b$, public key $B = b P$) - \\[\medskipamount] - \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\ - \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\ - \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))} - \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))} - $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\ - \\ - \send{->}{Y_B} - \send{<-}{\other Y_A} - \diff $Z \gets r_A R_B$; & \diff $Z \gets r_B R_A$; + \par\vskip-\bigskipamount + \begin{itemize} + \item Naïve attempt + \only<7>{-- lots of attacks against this protocol.} + \item Fix it with a hash + \only<11>{-- still open to small-subgroup attacks.} + \item Stinson-Wu [SW06] + \only<15>{-- and assume Knowledge of Exponent.} + \item The Wrestlers identification protocol $\Wident$. + \end{itemize} \par +\end{frame} + +\subsection{Key exchange} + +\begin{frame}{Mutual identification: protocol} + \begin{protocol}{4}{14} + \node [alice, thoughts] at (0, 2) + {\footnotesize Private $a$; public $A = a P$}; + + \node [bob, thoughts] at (0, 3) + {{ $u \getsr \Nupto{q}$; \\ + $U \gets u P$; + $Y_B \gets u A$; }}; + \path [message, ->] (0, 5.5) -- node [above] + {$U, u \xor H(\cookie{check}, U, Y_B$)} + +(1, 0); + + \node [alice, thoughts] at (0, 8) + {{ $Y'_B \gets a U$; }}; + \path [message, <-] (0, 9) -- node [above] + {$Y'_B$} + +(1, 0); + + \only<2->{ + \node [bob, other, thoughts] at (0, 2) + {\footnotesize Private $b$; public $B = b P$}; + + \node [alice, other, thoughts] at (0, 3) + {{ $v \getsr \Nupto{q}$; \\ + $V \gets v P$; + $Y_A \gets v B$; }}; + \path [message, other, <-] (0, 7) -- node [above] + {$V, v \xor H(\cookie{check}, V, Y_A$)} + +(1, 0); + + \node [bob, other, thoughts] at (0, 8) + {{ $Y'_A \gets b V$; }}; + \path [message, other, ->] (0, 10.5) -- node [above] + {$Y'_A$} + +(1, 0); + } + \action<3-| alert@3->{ + \node [bob, thoughts] at (0, 11) {$Z \gets u V = u v P$;}; + \node [alice, thoughts] at (0, 11) {$Z \gets v U = u v P$;}; + } \end{protocol} - \bigskip - Unfortunately it's not secure. -\end{slide} - -\begin{slide} - \resetseq - \head{Key exchange \seq: properties} - \topic{properties} - + \par\vskip-\bigskipamount \begin{itemize} - \item Simple -- symmetrical; based on mutual identification - \item Practical -- three, four or five flows; four multiplications by each - party - \item Secure -- provides SK-security in model of [CK01] - \item Deniable -- simulator can produce convincing transcripts - \item Proofs in random oracle model -- again without `programming' + \item<3-> We can do ephemeral Diffie-Hellman with the challenges! + \item<4-> Unfortunately, it's not secure. \end{itemize} -\end{slide} +\end{frame} -\begin{slide} - \head{Key exchange \seq: setting} - \topic{setting} +\begin{frame}{Key exchange: properties} + \begin{itemize}[<+->] + \item Simple -- symmetrical; based on mutual identification. + \item Practical -- three, four or five flows; four multiplications by each + party. + \item Secure -- provides SK-security in model of [CK01]. + \item Deniable -- simulator can produce convincing transcripts. + \item Proofs in random oracle model -- again without `programming'. + \end{itemize} +\end{frame} - \begin{itemize} - \item Cyclic group $(G, +)$ - \item $|G| = q$ is prime - \item $P$ generates $G$ +\begin{frame}{Key exchange: setting} + \begin{itemize}[<+->] + \item Cyclic group $(G, +)$. + \item $|G| = q$ is prime. + \item $P$ generates $G$. \item Alice's private key is $a \inr \Nupto{q}$; her public key is $A = a - P$ + P$. \item Bob's private key is $b \inr \Nupto{q}$; his public key is $B = b - P$ - \item Symmetric IND-CCA encryption scheme $\E = (\kappa, E, D)$ - \item Assume computational Diffie-Hellman problem hard in $G$ + P$. + \item Symmetric IND-CCA encryption scheme $\E = (\kappa, E, D)$. + \item Assume computational Diffie-Hellman problem hard in $G$. \end{itemize} -\end{slide} +\end{frame} + +\begin{frame}{Key exchange: protocols} + %% overlays + %% 1 - original broken protocol + %% 2 - encrypt responses + %% 3 - session-ids + %% 4 - pre-challenges + \begin{protocol}{3.9}{17} + \node [alice, thoughts] at (0, 1.5) + {\footnotesize Private $a$; public $A = a P$}; + + \node [bob, thoughts] at (0, 3) + {{ $u \getsr \Nupto{q}$; \\ + $U \gets u P$; + $Y_B \gets u A$; }}; + \only<4-> + {\path [message, ->] (0, 6) -- node [above] {$\alert<4>{U}$} +(1, 0);} + \path [message, ->] (0, 9) -- node [above] + {$U, u \xor H(\cookie{check}, + \only<3->{\alert<3>{B}, \alert<3>{s},} + \only<4->{\alert<4>{V},} + U, Y_B$)} + +(1, 0); + + \node [alice, thoughts] at (0, 11) + {{\strut + \only<1>{$Z \gets v U$; \\}% + \action + {$(K, \hat{K}) \gets H(\cookie{key}, v U)$; \\}% + $Y'_B \gets a U$; }}; + \path [message, <-] (0, 13.5) -- node [above] + {$\action{E_{\hat{K}}(} + Y'_B + \action{)}$} + +(1, 0); + + \node [bob, other, thoughts] at (0, 1.5) + {\footnotesize Private $b$; public $B = b P$}; + + \node [alice, other, thoughts] at (0, 3) + {{ $v \getsr \Nupto{q}$; \\ + $V \gets v P$; + $Y_A \gets v B$; }}; + \only<4-> + {\path [message, other, <-] (0, 7.5) -- + node [above] {$\alert<4>{V}$} +(1, 0);} + \path [message, other, <-] (0, 10.5) -- node [above] + {$V, v \xor H(\cookie{check}, + \only<3->{\alert<3>{A}, \alert<3>{s},} + \only<4->{\alert<4>{U},} + V, Y_A$)} + +(1, 0); + + \node [bob, other, thoughts] at (0, 11) + {{\strut + \only<1>{$Z \gets u V$; \\}% + \action + {$(K, \hat{K}) \gets H(\cookie{key}, u V)$; \\}% + $Y'_A \gets b V$; }}; + \path [message, other, ->] (0, 15) -- node [above] + {${\action{E_{\hat{K}}(}} + Y'_A + {\action{)}}$} + +(1, 0); + \node [bob, thoughts] at (0, 15.5) {Use key $K$;}; + \node [alice, thoughts] at (0, 15.5) {Use key $K$;}; + \end{protocol} +\end{frame} -\begin{slide} +\endinput + + +\begin{frame} \head{Key exchange \seq: broken first attempt} \topic{protocol design} @@ -252,21 +261,21 @@ (Private key $a$, public key $A = a P$) & \other (Private key $b$, public key $B = b P$) \\[\medskipamount] - \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\ - \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\ + \other $u_A \getsr \Nupto{q}$; & $u \getsr \Nupto{q}$; \\ + \other $U_A \gets u_A P$ & $U \gets u P$; \\ \\ \\ - \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))} - \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))} - $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\ - $Z \gets r_A R_B$; & $Z \gets r_B R_A$; \\ - \send{->}{(R_A, Y_B)} - \send{<-}{\other (R_B, Y_A)} + \send{<-}{(U, u \xor H(\cookie{check}, U, Y_B))} + \send{->}{\other (U_A, u_A \xor H(\cookie{check}, U_A, Y_A))} + $Y_B \gets a U$; & \other $Y_A \gets b U$; \\ + $Z \gets u_A U$; & $Z \gets u U_A$; \\ + \send{->}{(U_A, Y_B)} + \send{<-}{\other (U, Y_A)} Key is $Z$ & Key is $Z$ \end{protocol} -\end{slide} +\end{frame} -\begin{slide} +\begin{frame} \head{Key exchange \seq: solution -- encrypt responses} \begin{protocol} @@ -274,22 +283,22 @@ (Private key $a$, public key $A = a P$) & \other (Private key $b$, public key $B = b P$) \\[\medskipamount] - \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\ - \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\ + \other $u_A \getsr \Nupto{q}$; & $u \getsr \Nupto{q}$; \\ + \other $U_A \gets u_A P$ & $U \gets u P$; \\ \\ \\ - \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))} - \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))} - $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\ - \diff $(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; & - \diff $(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\ - \send{->}{(R_A, \hbox{\diff $E_{K_0}(Y_B)$})} - \send{<-}{\other (R_B, \hbox{\diff $E_{K_0}(Y_A)$})} + \send{<-}{(U, u \xor H(\cookie{check}, U, Y_B))} + \send{->}{\other (U_A, u_A \xor H(\cookie{check}, U_A, Y_A))} + $Y_B \gets a U$; & \other $Y_A \gets b U$; \\ + \diff $(K_0, K_1) \gets H(\cookie{key}, u_A U)$; & + \diff $(K_0, K_1) \gets H(\cookie{key}, u U_A)$; \\ + \send{->}{(U_A, \hbox{\diff $E_{K_0}(Y_B)$})} + \send{<-}{\other (U, \hbox{\diff $E_{K_0}(Y_A)$})} Key is $K_1$ & Key is $K_1$ \end{protocol} -\end{slide} +\end{frame} -\begin{slide} +\begin{frame} \head{Key exchange \seq: multiple sessions} \begin{protocol} @@ -297,25 +306,25 @@ (Private key $a$, public key $A = a P$) & \other (Private key $b$, public key $B = b P$) \\[\medskipamount] - \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\ - \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\ + \other $u_A \getsr \Nupto{q}$; & $u \getsr \Nupto{q}$; \\ + \other $U_A \gets u_A P$ & $U \gets u P$; \\ \\ \\ - \send{<-}{(R_B, r_B \xor H(\cookie{check}, - \hbox{\diff $B$}, \hbox{\diff $s$}, R_B, Y_B))} - \send{->}{\other (R_A, r_A \xor H(\cookie{check}, - \hbox{\diff $A$}, \hbox{\diff $s$}, R_A, Y_A))} - $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\ - $(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; & - $(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\ - \send{->}{(R_A, E_{K_0}(Y_B))} - \send{<-}{\other (R_B, E_{K_0}(Y_A))} + \send{<-}{(U, u \xor H(\cookie{check}, + \hbox{\diff $B$}, \hbox{\diff $s$}, U, Y_B))} + \send{->}{\other (U_A, u_A \xor H(\cookie{check}, + \hbox{\diff $A$}, \hbox{\diff $s$}, U_A, Y_A))} + $Y_B \gets a U$; & \other $Y_A \gets b U$; \\ + $(K_0, K_1) \gets H(\cookie{key}, u_A U)$; & + $(K_0, K_1) \gets H(\cookie{key}, u U_A)$; \\ + \send{->}{(U_A, E_{K_0}(Y_B))} + \send{<-}{\other (U, E_{K_0}(Y_A))} Key is $K_1$ & Key is $K_1$ \end{protocol} (Session id is $s$) -\end{slide} +\end{frame} -\begin{slide} +\begin{frame} \head{Key exchange \seq: proof sketch} \begin{itemize} @@ -324,20 +333,20 @@ (collision bound). \item In $\G2$, use extractor to answer challenges other than from matching session. - \item In $\G3$, stop game if adversary queries $H(\cookie{key}, r_A r_b P)$ + \item In $\G3$, stop game if adversary queries $H(\cookie{key}, u_A u P)$ (CDH in $G$). \item In $\G4$, stop game if session accepts response except from matching session. \begin{itemize} \item In $\G5$, focus on a single session (factor of $q_S$). - \item In $\G6$, encrypt $1^{|Y|}$ instead of $Y = x R$ (IND-CCA of $\E$). + \item In $\G6$, encrypt $1^{|Y|}$ instead of $Y = x U$ (IND-CCA of $\E$). \item In $\G7$, focus on a single party (factor of $n$). \item Now if party accepts, reduce from impersonating in $\Wident$. \end{itemize} \end{itemize} -\end{slide} +\end{frame} -\begin{slide} +\begin{frame} \head{Key exchange \seq: security result} \begin{spliteqn*} \InSec{sk}(\Wkx^{G, \E}; t, n, q_S, q_M, q_I, q_K) \le @@ -358,9 +367,9 @@ \item $t' = t + O(q_S) + O(q_M q_I) + O(q_K)$ \end{itemize} \end{multicols} -\end{slide} +\end{frame} -\begin{slide} +\begin{frame} \head{Key exchange \seq: fully deniable variant} \begin{protocol} @@ -368,24 +377,23 @@ (Private key $a$, public key $A = a P$) & \other (Private key $b$, public key $B = b P$) \\[\medskipamount] - \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\ - \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\ - \send{->}{\diff R_A} - \send{<-}{\diff R_B} - \send{<-}{(R_B, r_B \xor H(\cookie{check}, B, s, \hbox{\diff $R_A$}, R_B, Y_B))} - \send{->}{\other (R_A, r_A \xor H(\cookie{check}, A, s, \hbox{\diff $R_B$}, R_A, Y_A))} - $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\ - $(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; & - $(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\ - \send{->}{(R_A, E_{K_0}(Y_B))} - \send{<-}{\other (R_B, E_{K_0}(Y_A))} + \other $u_A \getsr \Nupto{q}$; & $u \getsr \Nupto{q}$; \\ + \other $U_A \gets u_A P$ & $U \gets u P$; \\ + \send{->}{\diff U_A} + \send{<-}{\diff U} + \send{<-}{(U, u \xor H(\cookie{check}, B, s, \hbox{\diff $U_A$}, U, Y_B))} + \send{->}{\other (U_A, u_A \xor H(\cookie{check}, A, s, \hbox{\diff $U$}, U_A, Y_A))} + $Y_B \gets a U$; & \other $Y_A \gets b U$; \\ + $(K_0, K_1) \gets H(\cookie{key}, u_A U)$; & + $(K_0, K_1) \gets H(\cookie{key}, u U_A)$; \\ + \send{->}{(U_A, E_{K_0}(Y_B))} + \send{<-}{\other (U, E_{K_0}(Y_A))} Key is $K_1$ & Key is $K_1$ \end{protocol} -\end{slide} - -\endinput +\end{frame} -%%% Local Variables: +%%% Local Variables: %%% mode: latex %%% TeX-master: "wrslides" -%%% End: +%%% TeX-PDF-mode: t +%%% End: