X-Git-Url: https://git.distorted.org.uk/~mdw/doc/wrestlers/blobdiff_plain/a6e375a6211f5c082a45c9424a96820054219a55:/wrslide.tex..dff0fad2fb0c4edacbe668fdd72030e7e8ac5db7:/wr-main.tex
diff --git a/wrslide.tex b/wr-main.tex
similarity index 80%
rename from wrslide.tex
rename to wr-main.tex
index 96bbe36..185bc37 100644
--- a/wrslide.tex
+++ b/wr-main.tex
@@ -4,7 +4,7 @@
 \begin{slide}
 \resetseq
- \head{Identification using Diffie-Hellman \seq: Properties}
+ \head{Identification using Diffie-Hellman \seq: properties}
 \topic{properties}
 \begin{itemize}
@@ -17,7 +17,7 @@
 \end{slide}
 \begin{slide}
- \head{Identification using Diffie-Hellman \seq: Basic setting}
+ \head{Identification using Diffie-Hellman \seq: basic setting}
 \topic{setting}
 \begin{itemize}
@@ -31,7 +31,7 @@
 \end{slide}
 \begin{slide}
- \head{Identification using Diffie-Hellman \seq: Na\"\i ve attempt}
+ \head{Identification using Diffie-Hellman \seq: na\"\i ve attempt}
 \topic{protocol design}
 \begin{protocol}
@@ -54,7 +54,7 @@
 \end{slide}
 \begin{slide}
- \head{Identification using Diffie-Hellman \seq: Fix it with a hash}
+ \head{Identification using Diffie-Hellman \seq: fix it with a hash}
 \protocolskip0pt
 \begin{protocol}
@@ -102,7 +102,7 @@
 \end{slide}
 \begin{slide}
- \head{Identification using Diffie-Hellman \seq: The Wrestlers Protocol
+ \head{Identification using Diffie-Hellman \seq: the Wrestlers Protocol
 $\Wident$}
 \begin{protocol}
@@ -125,7 +125,7 @@
 \end{slide}
 \begin{slide}
- \head{Identification using Diffie-Hellman \seq: Identification-based
+ \head{Identification using Diffie-Hellman \seq: identification-based
 $\Wident$}
 \begin{protocol}
@@ -190,7 +190,7 @@
 \end{slide}
 \begin{slide}
- \head{Mutual identification \seq: Key exchange?}
+ \head{Mutual identification \seq: key exchange?}
 \begin{protocol}
 Alice & Bob \\
@@ -213,7 +213,7 @@
 \begin{slide}
 \resetseq
- \head{Key exchange \seq: Properties}
+ \head{Key exchange \seq: properties}
 \topic{properties}
 \begin{itemize}
@@ -227,7 +227,7 @@
 \end{slide}
 \begin{slide}
- \head{Key exchange \seq: Setting}
+ \head{Key exchange \seq: setting}
 \topic{setting}
 \begin{itemize}
@@ -244,7 +244,7 @@
 \end{slide}
 \begin{slide}
- \head{Key exchange \seq: Broken first attempt}
+ \head{Key exchange \seq: broken first attempt}
 \topic{protocol design}
 \begin{protocol}
@@ -267,7 +267,7 @@
 \end{slide}
 \begin{slide}
- \head{Key exchange \seq: Solution -- encrypt responses}
+ \head{Key exchange \seq: solution -- encrypt responses}
 \begin{protocol}
 Alice & Bob \\
@@ -290,7 +290,7 @@
 \end{slide}
 \begin{slide}
- \head{Key exchange \seq: Multiple sessions}
+ \head{Key exchange \seq: multiple sessions}
 \begin{protocol}
 Alice & Bob \\
@@ -316,7 +316,52 @@ \end{slide} \begin{slide} - \head{Key exchange \seq: Fully deniable variant} + \head{Key exchange \seq: proof sketch} + + \begin{itemize} + \item $\G0$ is SK-security game. + \item In $\G1$, stop game unless all parties have distinct public keys + (collision bound). + \item In $\G2$, use extractor to answer challenges other than from matching + session. + \item In $\G3$, stop game if adversary queries $H(\cookie{key}, r_A r_b P)$ + (CDH in $G$). + \item In $\G4$, stop game if session accepts response except from matching + session. + \begin{itemize} + \item In $\G5$, focus on a single session (factor of $q_S$). + \item In $\G6$, encrypt $1^{|Y|}$ instead of $Y = x R$ (IND-CCA of $\E$). + \item In $\G7$, focus on a single party (factor of $n$). + \item Now if party accepts, reduce from impersonating in $\Wident$. + \end{itemize} + \end{itemize} +\end{slide} + +\begin{slide} + \head{Key exchange \seq: security result} + \begin{spliteqn*} + \InSec{sk}(\Wkx^{G, \E}; t, n, q_S, q_M, q_I, q_K) \le + 2 q_S \bigl( \InSec{ind-cca}(\E; t', q_M, q_M) + {} \\ + \InSec{mcdh}(G; t', q_K) + + n \,\InSec{mcdh}(G; t', q_M + q_I) \bigr) + {} \\ + \frac{n (n - 1)}{|G|} + + \frac{2 q_M}{2^{\ell_I}}. + \end{spliteqn*} + \begin{multicols}{2} + \begin{itemize} + \item $t$ is running time of adversary + \item $n$ is number of parties + \item $q_S$ is number of new sessions + \item $q_M$ is number of messages sent + \item $q_I$ is number of $H(\cookie{check}, \cdot)$ queries + \item $q_K$ is number of $H(\cookie{key}, \cdot)$ queries + \item $t' = t + O(q_S) + O(q_M q_I) + O(q_K)$ + \end{itemize} + \end{multicols} +\end{slide} + +\begin{slide} + \head{Key exchange \seq: fully deniable variant} \begin{protocol} Alice & Bob \\
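Review bot: The bound on the security-result slide ends in `\frac{2 q_M}{2^{\ell_I}}`, but the legend beneath it defines only $t$, $n$, $q_S$, $q_M$, $q_I$, $q_K$ and $t'$, so a reader cannot tell which length must be large for that term to be negligible. Add a legend item for $\ell_I$; it looks like the output length of $H(\cookie{check}, \cdot)$, but that needs confirming against the protocol definition, which is not in this hunk. The proof-sketch slide has no hop that visibly accounts for this term, and its $\G3$ item says "CDH in $G$" where the bound charges `\InSec{mcdh}`, so naming the same assumption on both slides would let the sketch be checked against the result. In the same $\G3$ item, `r_A r_b P` mixes subscript case and presumably should read `$H(\cookie{key}, r_A r_B P)$`. The "fully deniable variant" slide continues past the end of the hunk and is not covered here.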