-\xcalways\section{The Wrestlers Protocol}\x
+\section{The Wrestlers Protocol}
+\frame{\tableofcontents[currentsection]}
-\xcalways\subsection{Identification using Diffie-Hellman}\x
+\subsection{Identification using Diffie-Hellman}
-\begin{slide}
- \resetseq
- \head{Identification using Diffie-Hellman \seq: properties}
- \topic{properties}
-
- \begin{itemize}
+\begin{frame}{Identification using Diffie-Hellman: properties}
+ \begin{itemize}[<+->]
\item Simple -- easy to remember, analyse and implement
\item Practical -- two scalar multiplications for each party
\item Secure -- under Computational Diffie-Hellman assumption
\item Zero-knowledge -- statistical ZK
\item Proofs in random oracle model -- but without `programming'
\end{itemize}
-\end{slide}
-
-\begin{slide}
- \head{Identification using Diffie-Hellman \seq: basic setting}
- \topic{setting}
+\end{frame}
- \begin{itemize}
+\begin{frame}{Identification using Diffie-Hellman: basic setting}
+ \begin{itemize}[<+->]
\item Cyclic group $(G, +)$
\item $|G| = q$ is prime
\item $P$ generates $G$
\item Alice's public key is $A = a P$
\item Assume computational Diffie-Hellman problem hard in $G$
\end{itemize}
-\end{slide}
-
-\begin{slide}
- \head{Identification using Diffie-Hellman \seq: na\"\i ve attempt}
- \topic{protocol design}
-
- \begin{protocol}
- Alice & Bob \\
- (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$)
- \\[\medskipamount]
- & $r \getsr \Nupto{q}$; \\
- & $R \gets r P$; \\
- \\
- \\
- \\
- \send{<-}{R}
- $Y \gets a R$; \\
- \\
- \\
- \\
- \send{->}{Y}
- & \textbf{Check} $Y = r A$
- \end{protocol}
-\end{slide}
-
-\begin{slide}
- \head{Identification using Diffie-Hellman \seq: fix it with a hash}
- \protocolskip0pt
-
- \begin{protocol}
- Alice & Bob \\
- (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$)
- \\[\medskipamount]
- & $r \getsr \Nupto{q}$; \\
- & $R \gets r P$; \\
- & $Y \gets r A$; \\
- & \diff $h \gets H(\cookie{check}, R, Y)$; \\
- & \\
- \send{<-}{(R, \hbox{\diff $h$})}
- $Y \gets a R$; \\
- \\
- \\
- \diff \textbf{Check} $h = H(\cookie{check}, R, Y)$ \\
- \send{->}{Y}
- & \textbf{Check} $Y$
- \end{protocol}
- \dots but there are still small-subgroup attacks
-\end{slide}
-
-\begin{slide}
- \head{Identification using Diffie-Hellman \seq: Stinson-Wu [SW06]}
- \protocolskip0pt
-
- \begin{protocol}
- Alice & Bob \\
- (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$)
- \\[\medskipamount]
- & $r \getsr \Nupto{q}$; \\
- & $R \gets r P$; \\
- & $Y \gets r A$; \\
- & $h \gets H(\cookie{check}, Y)$; \\
- & \\
- \send{<-}{(R, h)}
- $Y \gets a R$; \\
- \\
- \diff \textbf{Check} $q R = 0$; \\
- \textbf{Check} $h = H(\cookie{check}, Y)$ \\
- \send{->}{Y}
- & \textbf{Check} $Y$
- \end{protocol}
- \dots and apply the Knowledge of Exponent assumption
-\end{slide}
-
-\begin{slide}
- \head{Identification using Diffie-Hellman \seq: the Wrestlers Protocol
- $\Wident$}
-
- \begin{protocol}
- Alice & Bob \\
- (Private key $a \inr \Nupto{q}$) & (Public key $A = a P$)
- \\[\medskipamount]
- & $r \getsr \Nupto{q}$; \\
- & $R \gets r P$; \\
- & $Y \gets r A$; \\
- & $h \gets H(\cookie{check}, R, Y)$; \\
- & \diff $c \gets h \xor r$; \\
- \send{<-}{(R, \hbox{\diff $c$})}
- $Y \gets a R$; \\
- $h \gets H(\cookie{check}, R, Y)$; \\
- \diff $r \gets c \xor h$; \\
- \diff \textbf{Check} $R = r P$ \\
- \send{->}{Y}
- & \textbf{Check} $Y$
- \end{protocol}
-\end{slide}
-
-\begin{slide}
- \head{Identification using Diffie-Hellman \seq: identification-based
- $\Wident$}
-
- \begin{protocol}
- Alice & Bob \\
- (Private key $K_A = t I_A$) &
- (Public key $I_A = H(\cookie{id}, \text{Alice})$)
- \\[\medskipamount]
- & $r \getsr \Nupto{q}$; \\
- & $R \gets r P$; \\
- & \diff $Y \gets \hat{e}(T, I_A)^r$; \\
- & $h \gets H(\cookie{check}, R, Y)$; \\
- & $c \gets h \xor r$; \\
- \send{<-}{(R, c)}
- \diff $Y \gets \hat{e}(R, K_A)$; \\
- $h \gets H(\cookie{check}, R, Y)$; \\
- $r \gets c \xor h$; \\
- \textbf{Check} $R = r P$ \\
- \send{->}{Y}
- & \textbf{Check} $Y$
+\end{frame}
+
+\begin{frame}{Identification using Diffie-Hellman: protocols}
+ %% Overlays:
+ %% 1 - basic setup (alice's keys)
+ %% naïve version
+ %% 2 - bob makes eqphemeral keys
+ %% 3 - bob sends challenge to alice
+ %% 4 - alice computes response and sends it back
+ %% 5 - bob computes expected answer
+ %% 6 - bob checks alice's response
+ %% 7 - remark?
+ %% hash fix (8)
+ %% 9 - bob computes check hash and sends it
+ %% 10 - alice verifies the hash
+ %% 11 - remark?
+ %% stinson-wu (12)
+ %% 13 - check subgroup membership
+ %% 14 - don't hash U
+ %% 15 - remark?
+ %% wrestlers (16)
+ %% 17 - bob computes and sends c
+ %% 18 - alice recovers and checks u
+ \begin{protocol}{5}{16}
+ \node [alice, thoughts] at (0, 2)
+ {Private: $a \inr \Nupto{q}$ \\
+ Public: $A = a P$};
+ \uncover<2->{
+ \node [bob, thoughts] at (0, 4)
+ {{$u \getsr \Nupto{q}$; \\
+ $U \gets u P$; \\
+ \action<5->{$Y \gets u A$;} \\
+ \action<9-| alert@9-11>{$
+ h \gets H(\cookie{check},
+ \only<9-13,16->{U, Y}
+ \action<alert@14-15| only@14-15>{Y})
+ $;} \\
+ \action<17-| alert@17-> {
+ $c \gets u \xor h$;
+ }
+ }};
+ }
+ \uncover<3->{
+ \path [message, ->] (0, 10) -- node [above]
+ {{\vphantom{$,$}
+ \only<3-8>{$U$}
+ \only<9-16>{$U, \alert<9-11>{h}$}
+ \only<17->{$U, \alert<17->{c}$} }}
+ +(1, 0);
+ }
+ \uncover<4->{
+ \node [alice, thoughts] at (0, 10)
+ {{$Y' \gets a U$; \\
+ \action<only@10-16| alert@10-11>
+ {Check $h = H(\cookie{check},
+ \only<10-13,16->{U, Y}
+ \action<alert@14-15| only@14-15>{Y})
+ $; \\}
+ \only<17->
+ {$h' \gets H(\cookie{check}, U, Y)$; \\}
+ \action<only@13-15| alert@13-15>{Check $q U = 0$;}
+ \action<only@18-| alert@18->{
+ $r' \gets h' \xor c$; \\
+ Check $r' P = U$;
+ }}};
+ \path [message, <-] (0, 14) -- node [above] {$Y'$} +(1, 0);
+ }
+ \uncover<6->{
+ \node [bob, thoughts] at (0, 14) {Check $Y = Y'$;};
+ }
\end{protocol}
- (Trusted authority's private key $t \inr \Nupto{q}$; public key $T = t P$)
-\end{slide}
-
-\xcalways\subsection{Key exchange}\x
-
-\begin{slide}
- \resetseq
- \head{Mutual identification \seq: Bob identifies Alice}
- \topic{mutual identification}
-
- \begin{protocol}
- Alice & Bob \\
- (Private key $a$, public key $A = a P$)
- \\[\medskipamount]
- & $r_B \getsr \Nupto{q}$; \\
- & $R_B \gets r_B P$; \\
- \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
- \\
- $Y_B \gets a R_B$; \\
- \\
- \send{->}{Y_B}
- \end{protocol}
-\end{slide}
-
-\begin{slide}
- \head{Mutual identification \seq: Alice identifies Bob too}
-
- \begin{protocol}
- Alice & Bob \\
- (Private key $a$, public key $A = a P$) &
- \other (Private key $b$, public key $B = b P$)
- \\[\medskipamount]
- \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
- \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
- \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
- \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))}
- $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
- \\
- \send{->}{Y_B}
- \send{<-}{\other Y_A}
- \end{protocol}
-\end{slide}
-
-\begin{slide}
- \head{Mutual identification \seq: key exchange?}
-
- \begin{protocol}
- Alice & Bob \\
- (Private key $a$, public key $A = a P$) &
- \other (Private key $b$, public key $B = b P$)
- \\[\medskipamount]
- \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
- \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
- \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
- \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))}
- $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
- \\
- \send{->}{Y_B}
- \send{<-}{\other Y_A}
- \diff $Z \gets r_A R_B$; & \diff $Z \gets r_B R_A$;
+ \par\vskip-\bigskipamount
+ \begin{itemize}
+ \item<only@2-7> Naïve attempt
+ \only<7>{-- lots of attacks against this protocol.}
+ \item<only@8-11> Fix it with a hash
+ \only<11>{-- still open to small-subgroup attacks.}
+ \item<only@12-15> Stinson-Wu [SW06]
+ \only<15>{-- and assume Knowledge of Exponent.}
+ \item<only@16-> The Wrestlers identification protocol $\Wident$.
+ \end{itemize} \par
+\end{frame}
+
+\subsection{Key exchange}
+
+\begin{frame}{Mutual identification: protocol}
+ \begin{protocol}{4}{14}
+ \node [alice, thoughts] at (0, 2)
+ {\footnotesize Private $a$; public $A = a P$};
+
+ \node [bob, thoughts] at (0, 3)
+ {{ $u \getsr \Nupto{q}$; \\
+ $U \gets u P$;
+ $Y_B \gets u A$; }};
+ \path [message, ->] (0, 5.5) -- node [above]
+ {$U, u \xor H(\cookie{check}, U, Y_B$)}
+ +(1, 0);
+
+ \node [alice, thoughts] at (0, 8)
+ {{ $Y'_B \gets a U$; }};
+ \path [message, <-] (0, 9) -- node [above]
+ {$Y'_B$}
+ +(1, 0);
+
+ \only<2->{
+ \node [bob, other, thoughts] at (0, 2)
+ {\footnotesize Private $b$; public $B = b P$};
+
+ \node [alice, other, thoughts] at (0, 3)
+ {{ $v \getsr \Nupto{q}$; \\
+ $V \gets v P$;
+ $Y_A \gets v B$; }};
+ \path [message, other, <-] (0, 7) -- node [above]
+ {$V, v \xor H(\cookie{check}, V, Y_A$)}
+ +(1, 0);
+
+ \node [bob, other, thoughts] at (0, 8)
+ {{ $Y'_A \gets b V$; }};
+ \path [message, other, ->] (0, 10.5) -- node [above]
+ {$Y'_A$}
+ +(1, 0);
+ }
+ \action<3-| alert@3->{
+ \node [bob, thoughts] at (0, 11) {$Z \gets u V = u v P$;};
+ \node [alice, thoughts] at (0, 11) {$Z \gets v U = u v P$;};
+ }
\end{protocol}
- \bigskip
- Unfortunately it's not secure.
-\end{slide}
-
-\begin{slide}
- \resetseq
- \head{Key exchange \seq: properties}
- \topic{properties}
-
+ \par\vskip-\bigskipamount
\begin{itemize}
- \item Simple -- symmetrical; based on mutual identification
- \item Practical -- three, four or five flows; four multiplications by each
- party
- \item Secure -- provides SK-security in model of [CK01]
- \item Deniable -- simulator can produce convincing transcripts
- \item Proofs in random oracle model -- again without `programming'
+ \item<3-> We can do ephemeral Diffie-Hellman with the challenges!
+ \item<4-> Unfortunately, it's not secure.
\end{itemize}
-\end{slide}
+\end{frame}
-\begin{slide}
- \head{Key exchange \seq: setting}
- \topic{setting}
+\begin{frame}{Key exchange: properties}
+ \begin{itemize}[<+->]
+ \item Simple -- symmetrical; based on mutual identification.
+ \item Practical -- three, four or five flows; four multiplications by each
+ party.
+ \item Secure -- provides SK-security in model of [CK01].
+ \item Deniable -- simulator can produce convincing transcripts.
+ \item Proofs in random oracle model -- again without `programming'.
+ \end{itemize}
+\end{frame}
- \begin{itemize}
- \item Cyclic group $(G, +)$
- \item $|G| = q$ is prime
- \item $P$ generates $G$
+\begin{frame}{Key exchange: setting}
+ \begin{itemize}[<+->]
+ \item Cyclic group $(G, +)$.
+ \item $|G| = q$ is prime.
+ \item $P$ generates $G$.
\item Alice's private key is $a \inr \Nupto{q}$; her public key is $A = a
- P$
+ P$.
\item Bob's private key is $b \inr \Nupto{q}$; his public key is $B = b
- P$
- \item Symmetric IND-CCA encryption scheme $\E = (\kappa, E, D)$
- \item Assume computational Diffie-Hellman problem hard in $G$
+ P$.
+ \item Symmetric IND-CCA encryption scheme $\E = (\kappa, E, D)$.
+ \item Assume computational Diffie-Hellman problem hard in $G$.
\end{itemize}
-\end{slide}
+\end{frame}
+
+\begin{frame}{Key exchange: protocols}
+ %% overlays
+ %% 1 - original broken protocol
+ %% 2 - encrypt responses
+ %% 3 - session-ids
+ %% 4 - pre-challenges
+ \begin{protocol}{3.9}{17}
+ \node [alice, thoughts] at (0, 1.5)
+ {\footnotesize Private $a$; public $A = a P$};
+
+ \node [bob, thoughts] at (0, 3)
+ {{ $u \getsr \Nupto{q}$; \\
+ $U \gets u P$;
+ $Y_B \gets u A$; }};
+ \only<4->
+ {\path [message, ->] (0, 6) -- node [above] {$\alert<4>{U}$} +(1, 0);}
+ \path [message, ->] (0, 9) -- node [above]
+ {$U, u \xor H(\cookie{check},
+ \only<3->{\alert<3>{B}, \alert<3>{s},}
+ \only<4->{\alert<4>{V},}
+ U, Y_B$)}
+ +(1, 0);
+
+ \node [alice, thoughts] at (0, 11)
+ {{\strut
+ \only<1>{$Z \gets v U$; \\}%
+ \action<only@2-| alert@2>
+ {$(K, \hat{K}) \gets H(\cookie{key}, v U)$; \\}%
+ $Y'_B \gets a U$; }};
+ \path [message, <-] (0, 13.5) -- node [above]
+ {$\action<only@2-| alert@2>{E_{\hat{K}}(}
+ Y'_B
+ \action<only@2-| alert@2>{)}$}
+ +(1, 0);
+
+ \node [bob, other, thoughts] at (0, 1.5)
+ {\footnotesize Private $b$; public $B = b P$};
+
+ \node [alice, other, thoughts] at (0, 3)
+ {{ $v \getsr \Nupto{q}$; \\
+ $V \gets v P$;
+ $Y_A \gets v B$; }};
+ \only<4->
+ {\path [message, other, <-] (0, 7.5) --
+ node [above] {$\alert<4>{V}$} +(1, 0);}
+ \path [message, other, <-] (0, 10.5) -- node [above]
+ {$V, v \xor H(\cookie{check},
+ \only<3->{\alert<3>{A}, \alert<3>{s},}
+ \only<4->{\alert<4>{U},}
+ V, Y_A$)}
+ +(1, 0);
+
+ \node [bob, other, thoughts] at (0, 11)
+ {{\strut
+ \only<1>{$Z \gets u V$; \\}%
+ \action<only@2-| alert@2>
+ {$(K, \hat{K}) \gets H(\cookie{key}, u V)$; \\}%
+ $Y'_A \gets b V$; }};
+ \path [message, other, ->] (0, 15) -- node [above]
+ {${\action<only@2-| alert@2>{E_{\hat{K}}(}}
+ Y'_A
+ {\action<only@2-| alert@2>{)}}$}
+ +(1, 0);
+ \node [bob, thoughts] at (0, 15.5) {Use key $K$;};
+ \node [alice, thoughts] at (0, 15.5) {Use key $K$;};
+ \end{protocol}
+\end{frame}
-\begin{slide}
+\endinput
+
+
+\begin{frame}
\head{Key exchange \seq: broken first attempt}
\topic{protocol design}
(Private key $a$, public key $A = a P$) &
\other (Private key $b$, public key $B = b P$)
\\[\medskipamount]
- \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
- \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
+ \other $u_A \getsr \Nupto{q}$; & $u \getsr \Nupto{q}$; \\
+ \other $U_A \gets u_A P$ & $U \gets u P$; \\
\\
\\
- \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
- \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))}
- $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
- $Z \gets r_A R_B$; & $Z \gets r_B R_A$; \\
- \send{->}{(R_A, Y_B)}
- \send{<-}{\other (R_B, Y_A)}
+ \send{<-}{(U, u \xor H(\cookie{check}, U, Y_B))}
+ \send{->}{\other (U_A, u_A \xor H(\cookie{check}, U_A, Y_A))}
+ $Y_B \gets a U$; & \other $Y_A \gets b U$; \\
+ $Z \gets u_A U$; & $Z \gets u U_A$; \\
+ \send{->}{(U_A, Y_B)}
+ \send{<-}{\other (U, Y_A)}
Key is $Z$ & Key is $Z$
\end{protocol}
-\end{slide}
+\end{frame}
-\begin{slide}
+\begin{frame}
\head{Key exchange \seq: solution -- encrypt responses}
\begin{protocol}
(Private key $a$, public key $A = a P$) &
\other (Private key $b$, public key $B = b P$)
\\[\medskipamount]
- \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
- \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
+ \other $u_A \getsr \Nupto{q}$; & $u \getsr \Nupto{q}$; \\
+ \other $U_A \gets u_A P$ & $U \gets u P$; \\
\\
\\
- \send{<-}{(R_B, r_B \xor H(\cookie{check}, R_B, Y_B))}
- \send{->}{\other (R_A, r_A \xor H(\cookie{check}, R_A, Y_A))}
- $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
- \diff $(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; &
- \diff $(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\
- \send{->}{(R_A, \hbox{\diff $E_{K_0}(Y_B)$})}
- \send{<-}{\other (R_B, \hbox{\diff $E_{K_0}(Y_A)$})}
+ \send{<-}{(U, u \xor H(\cookie{check}, U, Y_B))}
+ \send{->}{\other (U_A, u_A \xor H(\cookie{check}, U_A, Y_A))}
+ $Y_B \gets a U$; & \other $Y_A \gets b U$; \\
+ \diff $(K_0, K_1) \gets H(\cookie{key}, u_A U)$; &
+ \diff $(K_0, K_1) \gets H(\cookie{key}, u U_A)$; \\
+ \send{->}{(U_A, \hbox{\diff $E_{K_0}(Y_B)$})}
+ \send{<-}{\other (U, \hbox{\diff $E_{K_0}(Y_A)$})}
Key is $K_1$ & Key is $K_1$
\end{protocol}
-\end{slide}
+\end{frame}
-\begin{slide}
+\begin{frame}
\head{Key exchange \seq: multiple sessions}
\begin{protocol}
(Private key $a$, public key $A = a P$) &
\other (Private key $b$, public key $B = b P$)
\\[\medskipamount]
- \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
- \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
+ \other $u_A \getsr \Nupto{q}$; & $u \getsr \Nupto{q}$; \\
+ \other $U_A \gets u_A P$ & $U \gets u P$; \\
\\
\\
- \send{<-}{(R_B, r_B \xor H(\cookie{check},
- \hbox{\diff $B$}, \hbox{\diff $s$}, R_B, Y_B))}
- \send{->}{\other (R_A, r_A \xor H(\cookie{check},
- \hbox{\diff $A$}, \hbox{\diff $s$}, R_A, Y_A))}
- $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
- $(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; &
- $(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\
- \send{->}{(R_A, E_{K_0}(Y_B))}
- \send{<-}{\other (R_B, E_{K_0}(Y_A))}
+ \send{<-}{(U, u \xor H(\cookie{check},
+ \hbox{\diff $B$}, \hbox{\diff $s$}, U, Y_B))}
+ \send{->}{\other (U_A, u_A \xor H(\cookie{check},
+ \hbox{\diff $A$}, \hbox{\diff $s$}, U_A, Y_A))}
+ $Y_B \gets a U$; & \other $Y_A \gets b U$; \\
+ $(K_0, K_1) \gets H(\cookie{key}, u_A U)$; &
+ $(K_0, K_1) \gets H(\cookie{key}, u U_A)$; \\
+ \send{->}{(U_A, E_{K_0}(Y_B))}
+ \send{<-}{\other (U, E_{K_0}(Y_A))}
Key is $K_1$ & Key is $K_1$
\end{protocol}
(Session id is $s$)
-\end{slide}
+\end{frame}
-\begin{slide}
+\begin{frame}
\head{Key exchange \seq: proof sketch}
\begin{itemize}
(collision bound).
\item In $\G2$, use extractor to answer challenges other than from matching
session.
- \item In $\G3$, stop game if adversary queries $H(\cookie{key}, r_A r_b P)$
+ \item In $\G3$, stop game if adversary queries $H(\cookie{key}, u_A u P)$
(CDH in $G$).
\item In $\G4$, stop game if session accepts response except from matching
session.
\begin{itemize}
\item In $\G5$, focus on a single session (factor of $q_S$).
- \item In $\G6$, encrypt $1^{|Y|}$ instead of $Y = x R$ (IND-CCA of $\E$).
+ \item In $\G6$, encrypt $1^{|Y|}$ instead of $Y = x U$ (IND-CCA of $\E$).
\item In $\G7$, focus on a single party (factor of $n$).
\item Now if party accepts, reduce from impersonating in $\Wident$.
\end{itemize}
\end{itemize}
-\end{slide}
+\end{frame}
-\begin{slide}
+\begin{frame}
\head{Key exchange \seq: security result}
\begin{spliteqn*}
\InSec{sk}(\Wkx^{G, \E}; t, n, q_S, q_M, q_I, q_K) \le
\item $t' = t + O(q_S) + O(q_M q_I) + O(q_K)$
\end{itemize}
\end{multicols}
-\end{slide}
+\end{frame}
-\begin{slide}
+\begin{frame}
\head{Key exchange \seq: fully deniable variant}
\begin{protocol}
(Private key $a$, public key $A = a P$) &
\other (Private key $b$, public key $B = b P$)
\\[\medskipamount]
- \other $r_A \getsr \Nupto{q}$; & $r_B \getsr \Nupto{q}$; \\
- \other $R_A \gets r_A P$ & $R_B \gets r_B P$; \\
- \send{->}{\diff R_A}
- \send{<-}{\diff R_B}
- \send{<-}{(R_B, r_B \xor H(\cookie{check}, B, s, \hbox{\diff $R_A$}, R_B, Y_B))}
- \send{->}{\other (R_A, r_A \xor H(\cookie{check}, A, s, \hbox{\diff $R_B$}, R_A, Y_A))}
- $Y_B \gets a R_B$; & \other $Y_A \gets b R_B$; \\
- $(K_0, K_1) \gets H(\cookie{key}, r_A R_B)$; &
- $(K_0, K_1) \gets H(\cookie{key}, r_B R_A)$; \\
- \send{->}{(R_A, E_{K_0}(Y_B))}
- \send{<-}{\other (R_B, E_{K_0}(Y_A))}
+ \other $u_A \getsr \Nupto{q}$; & $u \getsr \Nupto{q}$; \\
+ \other $U_A \gets u_A P$ & $U \gets u P$; \\
+ \send{->}{\diff U_A}
+ \send{<-}{\diff U}
+ \send{<-}{(U, u \xor H(\cookie{check}, B, s, \hbox{\diff $U_A$}, U, Y_B))}
+ \send{->}{\other (U_A, u_A \xor H(\cookie{check}, A, s, \hbox{\diff $U$}, U_A, Y_A))}
+ $Y_B \gets a U$; & \other $Y_A \gets b U$; \\
+ $(K_0, K_1) \gets H(\cookie{key}, u_A U)$; &
+ $(K_0, K_1) \gets H(\cookie{key}, u U_A)$; \\
+ \send{->}{(U_A, E_{K_0}(Y_B))}
+ \send{<-}{\other (U, E_{K_0}(Y_A))}
Key is $K_1$ & Key is $K_1$
\end{protocol}
-\end{slide}
-
-\endinput
+\end{frame}
-%%% Local Variables:
+%%% Local Variables:
%%% mode: latex
%%% TeX-master: "wrslides"
-%%% End:
+%%% TeX-PDF-mode: t
+%%% End:
%%% (c) 2006 Mark Wooding
%%%
-\newif\iffancystyle\fancystylefalse
-\newif\ifshort\shortfalse
-\fancystyletrue
-\InputIfFileExists{wr.cfg}\relax\relax
+\ifx\iffancystyle\xxundefined\newif\iffancystyle\fancystyletrue\fi
+\ifx\ifshort\xxundefined\newif\ifshort\shortfalse\fi
+
+\typeout{Options:}
+\typeout{ Fancy style: \iffancystyle ON\else OFF\fi}
+\typeout{ Short version: \ifshort ON\else OFF\fi}
+
\errorcontextlines=\maxdimen
\showboxdepth=\maxdimen
\showboxbreadth=\maxdimen
\iffancystyle
- \documentclass
- [a4paper, article, 10pt, numbering, noherefloats, notitlepage,
- runinsubsubsec]
- {strayman}
+ \documentclass{strayman}
+ \parskip=0pt plus 1pt \parindent=1.2em
\usepackage[T1]{fontenc}
\usepackage[palatino, helvetica, courier, maths=cmr]{mdwfonts}
\usepackage[within = subsection, mdwmargin]{mdwthm}
\usepackage{mdwlist}
\usepackage{sverb}
- \if0\ifx\pdfoutput\xxundefined0\else\the\pdfoutput\fi
+ \ifpdfing\else
\PassOptionsToPackage{dvips}{xy}
\fi
\else
- \documentclass[a4paper]{llncs}
- \usepackage{a4wide}
+ \PassOptionsToClass{runningheads}{llncs}
+ \documentclass{llncs}
\fi
\PassOptionsToPackage{show}{slowbox}
%\PassOptionsToPackage{hide}{slowbox}
-\usepackage{mdwtab, mathenv, mdwmath, crypto}
+\usepackage{mdwtab, mdwmath, crypto}
\usepackage{slowbox}
\usepackage{amssymb, amstext}
\usepackage{url, multicol}
\usepackage[all]{xy}
\turnradius{4pt}
\fi
+\usepackage{mathenv}
+\newcommand{\Nupto}[1]{\{0, 1, \ldots, #1 - 1\}}
\iffancystyle
- \def\next{\title[The Wrestlers Protocol]}
+ \let\next\title
\else
- \def\next{\title}
+ \def\next[#1]{\titlerunning{#1}\title}
\fi
\next
- {The Wrestlers Protocol \\
+ [The Wrestlers Protocol]
+ {The Wrestlers Protocol%
+ \ifshort\thanks{This is an extended abstract; the full version
+ \cite{Wooding:2006:WP} is available from
+ \texttt{http://eprint.iacr.org/2006/386/}.}\fi \\
A simple, practical, secure, deniable protocol for key-exchange}
\iffancystyle
\author{Mark Wooding \\ \email{mdw@distorted.org.uk}}
\numberwithin{equation}{subsection}
\let\random\$
\else
- \bibliographystyle{plain}
+ \bibliographystyle{splncs}
\expandafter\let\csname claim*\endcsname\claim
\expandafter\let\csname endclaim*\endcsname\endclaim
\fi
-\iffancystyle
- \newcommand{\Nupto}[1]{\N_{<{#1}}}
-\else
- \newcommand{\Nupto}[1]{\{0, 1, \ldots, #1 - 1\}}
-\fi
\let\Bin\Sigma
\let\emptystring\lambda
\edef\Pr{\expandafter\noexpand\Pr\nolimits}
\def\fixme#1{\marginpar{FIXME}[FIXME: #1]}
\def\hex#1{\texttt{#1}_{x}}
+\newenvironment{longproof}[1]{%
+ \ifshort#1\expandafter\ignore
+ \else\proof\fi
+}{%
+ \ifshort\else\endproof\fi
+}
+
\def\dbox#1{%
\vtop{%
\def\\{\unskip\egroup\hbox\bgroup\strut\ignorespaces}%
\def\PRreveal{\textsf{Session-state reveal}\ar[r]}
\def\protocolrun#1{\[\xymatrix @R=0pt @C=2em {#1}\]}
+\def\protocol{%
+ \unskip\bigskip
+ \begin{tabular*}{\linewidth}%
+ {@{\qquad}l@{\extracolsep{0ptplus1fil}}r@{\qquad}}}
+\def\endprotocol{\end{tabular*}}
+\def\send#1#2{\noalign{%
+ \centerline{\xy\ar @{#1}|*+{\mathstrut#2}<.5\linewidth, 0pt>\endxy}}}
+
%% class-ids for proof of extractor lemma
\let\Cid=\Lambda
\let\Csession=S
\def\HG#1{\mathbf{H}_{#1}}
+\iffancystyle\else
+ \let\xsssec\subsubsection\def\subsubsection#1{\xsssec[#1]{#1.}}
+\fi
+
\begin{document}
%%%--------------------------------------------------------------------------
\section{Introduction}
-
This paper proposes protocols for \emph{identification} and
\emph{authenticated key-exchange}.
of recognising Alice; for instance, he might know her public key. Our
protocol requires only two messages -- a challenge and a response -- and has
a number of useful properties. It is very similar to, though designed
-independently of, a recent protocol by Stinson and Wu; we discuss their
-protocol in section~\ref{sec:stinson-ident}.
+independently of, a recent protocol by Stinson and Wu
+\cite{Stinson:2006:EST}; we discuss their protocol and compare it to ours in
+\ifshort the full version of this paper. \else
+section~\ref{sec:stinson-ident}. \fi
Identification protocols are typically less useful than they sound. As Shoup
\cite{Shoup:1999:OFM} points out, it provides a `secure ping', by which Bob
a given protocol execution.
\end{itemize}
+\ifshort\else
\subsection{Asymptotic and concrete security results}
Most security definitions for identification (particularly zero-knowledge)
`secure', we associate with each protocol an `insecurity function' which
gives an upper bound on the advantage of any adversary attacking the protocol
within given resource bounds.
-
+\fi
\subsection{Formal models for key-exchange}
+\ifshort
+
+The first model for studying the \emph{computational} security of
+key-exchange protocols (rather than using protocol-analysis logics like that
+of \cite{Burrows:1989:LA}) was given by Bellare and Rogaway
+\cite{Bellare:1994:EAK}; the model has since been enhanced, both by the
+original authors and others, in \cite{Bellare:1995:PSS,%
+Blake-Wilson:1997:KAP,Blake-Wilson:1998:EAA}. The model defines security
+in terms of a game: key-exchange protocols are secure if an adversary can't
+distinguish the key agreed by a chosen `challenge session' from a key chosen
+independently at random. Other models for key-exchange have been proposed in
+\cite{Bellare:1998:MAD} and \cite{Shoup:1999:OFM}; these use a different
+notion of security, involving implementation of an ideal functionality.
+
+\else
+
Many proposed key-exchange protocols have turned out to have subtle security
flaws. The idea of using formal methods to analyse key-exchange protocols
begins with the logic of Burrows, Abadi and Needham \cite{Burrows:1989:LA}.
particularly \cite{Bellare:1994:EAK} and \cite{Bellare:1998:MAD}, and
highlights some of their inadequacies.
+\fi
+
Canetti and Krawczyk \cite{Canetti:2001:AKE} describe a new notion of
-security in the basic model of \cite{Bellare:1998:MAD}, based on the
+security in the model of \cite{Bellare:1998:MAD}, based on the
challenge-session notion of \cite{Bellare:1994:EAK}. The security notion,
called `SK-security', seems weaker in various ways than those of earlier
works such as \cite{Bellare:1994:EAK} or \cite{Shoup:1999:OFM}. However, the
authors show that their notion suffices for constructing `secure channel'
protocols, which they also define.
+\ifshort\else
In \cite{Canetti:2001:UCS}, Canetti describes the `universal composition'
framework. Here, security notions are simulation-based: one defines security
notions by presenting an `ideal functionality'. A protocol securely
functionalities and appeal to the theorem to prove the security of the entire
protocol. The UC framework gives rise to very strong notions of security,
due to the interactive nature of the `environment' distinguisher.
+\fi
Canetti and Krawczyk \cite{Canetti:2002:UCN} show that the SK-security notion
of \cite{Canetti:2001:AKE} is \emph{equivalent} to a `relaxed' notion of
-key-exchange security in the UC framework, and suffices for the construction
-of UC secure channels.
+key-exchange security in the UC framework\ifshort\space of
+\cite{Canetti:2001:UCS}\fi, and suffices for the construction of UC secure
+channels.
The result of \cite{Canetti:2002:UCN} gives us confidence that SK-security is
the `right' notion of security for key-exchange protocols. Accordingly,
\item Section \ref{sec:kx} describes the simple version of our key-exchange
protocol, and proves its security and deniability. It also describes some
minor modifications which bring practical benefits without damaging
- security.
+ security.
\item Finally, section \ref{sec:conc} presents our conclusions.
\end{itemize}
+\ifshort
+The full version of this paper describes how to make our protocols
+identity-based by using bilinear pairings using the techniques introduced in
+\cite{Boneh:2003:IBE}. It also contains proofs of the various theorems
+stated here.
+\fi
+
%%%--------------------------------------------------------------------------
\section{Preliminaries}
\label{sec:prelim}
-\subsection{Miscellaneous notation}
+\ifshort
+\subsection{Basics}
+\let\prelimsec\subsubsection
+\else
+\let\prelimsec\subsection
+\fi
+
+\prelimsec{Miscellaneous notation}
We write $\Func{D}{R}$ for the set of all functions with domain $D$ and range
$R$.
-\iffancystyle
-We write $\Nupto{n} = \{\, i \in \Z \mid 0 \le i < n \,\} = \{0, 1, \ldots, n
-- 1\}$ for the set of nonnegative integers less than $n$.
-\fi
-
-\subsection{Groups}
+\prelimsec{Groups}
Let $(G, +)$ be a cyclic group\footnote{
We find that additive group notation is easier to read. In particular, in
of prime order $q$, and generated by an element $P$. We shall write the
identity of $G$ as $0_G$, or simply as $0$ when no ambiguity is likely to
arise. Thus, we have $\langle P \rangle = G$ and $q P = 0$. Any $X \in G$
-can be written as $X = x P$ for some $x \in \Nupto{q}$.
+can be written as $X = x P$ for some $x \in \{0, 1, \ldots, q - 1\}$.
+We consider a cyclic group of order $n$ as a $\Z/n\Z$-module, and in
+particular our group $G$ can be seen as a vector space over $\gf{q}$. This
+makes the notation slightly more convenient.
-\subsection{Bit strings and encodings}
+\prelimsec{Bit strings and encodings}
\label{sec:bitenc}
Let $\Bin = \{0, 1\}$ be the set of binary digits. Then $\Bin^n$ is the set
bit of $x$. The empty string is denoted $\emptystring$.
Let $x$ and $y$ be two bit strings. If $|x| = |y| = n$, we write $x \xor y$
-to mean the bitwise exclusive-or of $x$ and $y$: if $z = x \xor y$ then $|z|
-= n$, and $z[i] = (x[i] + y[i]) \bmod 2$ for $0 \le i < n$. We write $x \cat
-y$ to mean the concatenation of $x$ and $y$: if $z = x \cat y$ then $|z| =
-|x| + |y|$ and $z[i] = x[i]$ if $0 \le i < |x|$ and $z[i] = y[i - |x|]$ if
-$|x| < i \le |x| + |y|$.
+to mean the bitwise exclusive-or of $x$ and $y$\ifshort\else: if $z = x \xor
+y$ then $|z| = n$, and $z[i] = (x[i] + y[i]) \bmod 2$ for $0 \le i < n$\fi.
+We write $x \cat y$ to mean the concatenation of $x$ and $y$\ifshort\else: if
+$z = x \cat y$ then $|z| = |x| + |y|$ and $z[i] = x[i]$ if $0 \le i < |x|$
+and $z[i] = y[i - |x|]$ if $|x| < i \le |x| + |y|$\fi.
Finally, we let $\bot$ be a value distinct from any bit string.
We shall want to encode group elements $X \in G$ and indices $x \in I =
-\Nupto{|G|}$ as bit strings. To this end, we shall assume the existence of
+\gf{q}$ as bit strings.
+\ifshort
+To this end, we shall assume the existence of efficient, unambiguous
+encodings of group elements as $\ell_G$-bit strings, and indices as
+$\ell_I$-bit strings. To reduce clutter, we shall leave encoding and
+decoding as implicit operations.
+\else
+To this end, we shall assume the existence of
integers $\ell_G, \ell_I > 0$ and functions
\[
e_S\colon S \to \Bin^{\ell_S}
\quad \textrm{and} \quad
d_S\colon \Bin^{\ell_S} \to S \cup \{ \bot \}
\qquad
- \textrm{for } S \in \{ G, I \}.
+ \textrm{for } S \in \{ G, \F \}.
\]
with the following properties.
\begin{itemize}
We shall frequently abuse notation by omitting the encoding and decoding
functions where it is obvious that they are required.
+\fi
-
-\subsection{Games, adversaries, and oracles}
+\ifshort\else
+\prelimsec{Games, adversaries, and oracles}
\label{sec:games}
Many of the security definitions and results given here make use of
protocol. For security, we will either define a notion of `winning' the
game, and require that all adversaries have only a very small probability of
winning, or we consider two different games and require that no adversary can
-distinguish between the two except with very small probability.
+distinguish between the two except with very small probability.
Our proofs make frequent use of sequences of games; see
\cite{Shoup:2004:SGT,Bellare:2004:CBG}. The presentation owes much to Shoup
useful.
\begin{lemma}[Difference Lemma]
\label{lem:shoup}
- Let $S$, $T$, $F$ be events. Suppose $\Pr[S|\bar F] = \Pr[T|\bar F]$.
- Then $|\Pr[S] - \Pr[T]| \le \Pr[F]$.
+ Let $S$, $T$, $F$ be events. Suppose $\Pr[S \mid \bar F] =
+ \Pr[T \mid \bar F]$. Then $|\Pr[S] - \Pr[T]| \le \Pr[F]$.
\end{lemma}
\begin{proof}
A simple calculation:
\begin{eqnarray*}[rl]
|\Pr[S] - \Pr[T]|
- & = |(\Pr[S|F]\Pr[F] + \Pr[S|\bar F]\Pr[\bar F]) -
- (\Pr[T|F]\Pr[F] + \Pr[T|\bar F]\Pr[\bar F])| \\
- & = \Pr[F] \cdot |\Pr[S|F] - \Pr[T|F]| \\
+ & = |(\Pr[S \mid F]\Pr[F] + \Pr[S \mid \bar F]\Pr[\bar F]) -
+ (\Pr[T \mid F]\Pr[F] + \Pr[T \mid \bar F]\Pr[\bar F])| \\
+ & = \Pr[F] \cdot |\Pr[S \mid F] - \Pr[T \mid F]| \\
& \le \Pr[F]
\end{eqnarray*}
and we're done!
\end{proof}
+\fi
-\subsection{The random oracle model}
+\prelimsec{The random oracle model}
\label{sec:ro}
+\ifshort\else
In particular, most of our results will make use of the \emph{random oracle}
model \cite{Bellare:1993:ROP}, in which all the participants, including the
adversary, have access to a number of `random oracles'. A random oracle with
Canetti, Goldreich and Halevi \cite{Canetti:2004:ROM} show that there are
schemes which can be proven secure in the random oracle model but provably
have no secure instantiation in the standard model.
+\fi
-The random oracle model is useful for constructing reductions and simulators
-for two main reasons.
+The random oracle model \ifshort\cite{Bellare:1993:ROP} \fi is useful for
+constructing reductions and simulators for two main reasons.
\begin{enumerate}
\item One can use the transcript of an adversary's queries to random oracles
in order to extract knowledge from it.
particular string is to actually compute the hash function, and the random
oracle model is, we hope, just giving us a `hook' into this process.
+\ifshort\else
(Our protocols can be modified to make use of bilinear pairings so as to
provide identity-based identification and key-exchange, using the techniques
of \cite{Boneh:2003:IBE}. Proving the security of the modifications we
discuss would involve `programming' random oracles, but this doesn't affect
the zero-knowledge or deniability of the resulting protocols.)
+\fi
-\subsection{Notation for algorithms}
+\ifshort\else
+\prelimsec{Notation for algorithms}
We shall have occasion to describe algorithms by means of a pseudocode. Our
choice of pseudocode is unlikely to be particularly controversial. We let $x
Finally, the notation $\Pr[\textit{algorithm} : \textit{condition}]$ denotes
the probability that \textit{condition} is true after running the given
\textit{algorithm}.
+\fi
-
-\subsection{Diffie-Hellman problems}
+\prelimsec{Diffie-Hellman problems}
\label{sec:dhp}
The security of our protocols is related to the hardness of the
The \emph{computational} Diffie-Hellman problem (CDH) is as follows: given
two group elements $X = x P$ and $Y = y P$, find $Z = x y P$.
+\ifshort\else
\begin{definition}[The computational Diffie-Hellman problem]
Let $(G, +)$ be a cyclic group generated by $P$. For any adversary $A$, we
say that $A$'s \emph{success probability} at solving the computational
Diffie-Hellman problem in $G$ is
\[ \Succ{cdh}{G}(A) =
- \Pr[ x \getsr I; y \getsr \Nupto{|G|} : A(x P, y P) = x y P ]
+ \Pr[ x \getsr I; y \getsr \Z/\#G\Z : A(x P, y P) = x y P ]
\]
where the probability is taken over the random choices of $x$ and $y$ and
any random decisions made by $A$. We say that the \emph{CDH insecurity
problem. The converse is not clear, though. Shoup \cite{Shoup:1997:LBD}
gives us some confidence in the difficulty of the problem by showing that a
\emph{generic} adversary -- i.e., one which makes no use of the specific
-structure of a group -- has success probability no greater than $q^2/|G|$.
+structure of a group -- has success probability no greater than $q^2/\#G$.
This isn't quite sufficient for our purposes. Our proofs will be able to
come up with (possibly) a large number of guesses for the correct answer, and
Diffie-Hellman problem (DDH), which \cite{Shoup:1997:LBD} shows, in the
generic group model, is about as hard as CDH. (See \cite{Boneh:1998:DDP} for
a survey of the decision Diffie-Hellman problem.)
-
+\par\fi
Our reference problem will be a `multiple-guess computational Diffie-Hellman
problem' (MCDH), which is captured by a game as follows. An adversary is
given a pair of group elements $(x P, y P)$, and an oracle $V(\cdot)$ which
accepts group elements as input. The adversary wins the game if it queries
$V(x y P)$.
-\begin{definition}[The multiple-guess computational Diffie-Hellman problem]
- \label{def:mcdh}
- Let $(G, +)$ be a cyclic group generated by $P$. For some adversary $A$,
- we say that $A$'s \emph{success probability} at solving the multiple-guess
- computational Diffie-Hellman problem in $G$ is
- \[ \Succ{mcdh}{G}(A) = \Pr[\Game{mcdh}{G}(A) = 1] \]
- where $\Game{mcdh}{G}(A)$ is shown in figure~\ref{fig:mcdh}. We say that
- the \emph{MCDH insecurity function of $G$} is
- \[ \InSec{mcdh}(G; t, q_V) = \max_A \Succ{mcdh}{G}(A) \]
- where the maximum is taken over adversaries which complete in time $t$ and
- make at most $q_V$-oracle queries.
-\end{definition}
\begin{figure}
\begin{program}
$\Game{mcdh}{G}(A)$: \+ \\
$w \gets 0$; \\
- $x \getsr \Nupto{|G|}$; $y \getsr \Nupto{|G|}$; \\
+ $x \getsr \Z/\#G\Z$; $y \getsr \Z/\#G\Z$; \\
$A^{V(\cdot)}(x P, y P)$; \\
\RETURN $w$;
\next
\label{fig:mcdh}
\end{figure}
+\begin{definition}[The multiple-guess computational Diffie-Hellman problem]
+ \label{def:mcdh}
+ Let $(G, +)$ be a cyclic group generated by $P$. For some adversary $A$,
+ we say that $A$'s \emph{success probability} at solving the multiple-guess
+ computational Diffie-Hellman problem in $G$ is
+ \[ \Succ{mcdh}{G}(A) = \Pr[\Game{mcdh}{G}(A) = 1] \]
+ where $\Game{mcdh}{G}(A)$ is shown in figure~\ref{fig:mcdh}. We say that
+ the \emph{MCDH insecurity function of $G$} is
+ \[ \InSec{mcdh}(G; t, q_V) = \max_A \Succ{mcdh}{G}(A) \]
+ where the maximum is taken over adversaries which complete in time $t$ and
+ make at most $q_V$-oracle queries.
+\end{definition}
+\ifshort
+We can (loosely) relate the difficulty of MCDH to the difficulty of
+the standard CDH problem, in which the adversary is allowed only a single
+guess.
+\else
Note that our MCDH problem is not quite the `gap Diffie-Hellman problem'
(GDH). The gap problem measures the intractibility of solving CDH even with
the assistance of an oracle for solving (restricted) decision Diffie-Hellman
$V(Z)$ can be simulated with the gap problem's DDH oracle, as $D(Y, Z)$.
However, we can (loosely) relate the difficulty of MCDH to the difficulty of
CDH.
+\fi
\begin{proposition}[Comparison of MCDH and CDH security]
For any cyclic group $(G, +)$,
- \[ \InSec{mcdh}(G; t, q_V) \le q_V\,\InSec{cdh}(G; t + O(q_V)). \]
+ \[ \InSec{mcdh}(G; t, q_V) \le
+ \ifshort q_V\,\InSec{mcdh}(G; t + O(q_V), 1) \else
+ q_V\,\InSec{cdh}(G; t + O(q_V)) \fi.
+ \]
\end{proposition}
-\begin{proof}
+\begin{longproof}{The proof of this proposition may be found in the full
+ version of this paper.}
Let $A$ be an adversary attacking the multiple-guess computational
Diffie-Hellman problem in $G$, and suppose that it runs in time $t$ and
issues $q_V$ queries to its verification oracle.
\RETURN $0$;
\end{program}
Observe that $B$ provides $A$ with an accurate simulation of game $\G1$.
- Moreover, at the end of the algorithm, we have $0 < n \le q_V$, the
- output of $A$ is stored in $Q_{n-1}$ and the values $Q_0$, $Q_1$, \dots,
- $Q_{n-1}$ are the values of $A$'s oracle queries. Hence, with probability
- $Pr[S_1]$, at least of one of the $Q_i$ is the correct answer to the CDH
- problem. Let $\epsilon = \Pr[S_1] = \Pr[S_0]$; we claim that $B$'s
- probability of success is at least $\epsilon/q_V$. The proposition
- follows directly from this claim and that, because $A$ was chosen
- arbitrarily, we can maximize and count resources.
+ Moreover, at the end of the algorithm, we have $0 < n \le q_V$, and the
+ values $Q_0$, $Q_1$, \dots, $Q_{n-1}$ are the values of $A$'s oracle
+ queries. Hence, with probability $Pr[S_1]$, at least of one of the $Q_i$
+ is the correct answer to the CDH problem. Let $\epsilon = \Pr[S_1] =
+ \Pr[S_0]$; we claim that $B$'s probability of success is at least
+ $\epsilon/q_V$. The proposition follows directly from this claim and that,
+ because $A$ was chosen arbitrarily, we can maximize and count resources.
We now prove the above claim. For $0 \le i < q_V$, let $W_i$ be the
event that $Q_i = x y P$, i.e., that $Q_i$ is the correct response. A
& = \frac{\epsilon}{q_V}.
\end{eqnarray*}
which completes the proof.
-\end{proof}
+\end{longproof}
-
-\subsection{Example groups and encodings}
+\ifshort\else
+\prelimsec{Example groups and encodings}
For nonnegative integers $0 \le n < 2^\ell$, there is a natural binary
encoding $N_\ell\colon \Nupto{2^\ell} \to \Bin^\ell$ which we can define
The reader can verify that the functions $e(L, \ell, \cdot)$ and $d(L, \ell,
\cdot)$ satisfy the requirements of section~\ref{sec:bitenc}.
-Given some $q < 2^{\ell_I}$ and $I = \Nupto{q}$, then, we can define an
-encoding $(e_I, d_I)$ by $e_I(n) = e(q, \ell_I, n)$ and $d_I(a) = d(q,
-\ell_I, a)$.
-
-Let $p$ and $q$ be primes, with $q|(p - 1)$. Then there is an order-$q$
-subgroup of $(\Z/p\Z)^*$. In practice, an order-$q$ element can be found
-easily by taking elements $h \in (\Z/p\Z)^*$ at random and computing $g =
-h^{(p-1)/2}$ until $g \ne 1$; then $G = \langle g \rangle$ is a group of $q$
-elements. Assuming that $p$ and $q$ are sufficiently large, the
-Diffie-Hellman problems seem to be difficult in $G$. Some texts recommend
-additional restrictions on $p$, in particular that $(p - 1)/2q$ be either
-prime or the product of large primes. Primes of this form protect against
-small-subgroup attacks; but our protocols are naturally immune to these
-attacks, so such precautions are unnecessary here. Elements of $G$ can be
-encoded readily, since each element $n + p\Z$ of $\Z/p\Z$ has an obvious
-`representative' integer $n$ such that $0 \le n < p$, and given $2^{\ell_G} >
-p$, we can encode $n$ as $e(p, \ell_G, n)$, as above.
+Given some $q$ with $q < 2^{\ell_I}$, then, we can define an encoding
+$(e_\F, d_\F)$ by $e_\F(n) = e(q, \ell_I, n)$ and $d_\F(a) = d(q, \ell_I,
+a)$.
+
+Let $p$ and $q$ be primes, with $q \mid (p - 1)$. Then there is an order-$q$
+subgroup of $\F_p^*$. In practice, an order-$q$ element can be found easily
+by taking elements $h \in \F_p^*$ at random and computing $g = h^{(p-1)/2}$
+until $g \ne 1$; then $G = \langle g \rangle$ is a group of $q$ elements.
+Assuming that $p$ and $q$ are sufficiently large, the Diffie-Hellman problems
+seem to be difficult in $G$. Some texts recommend additional restrictions on
+$p$, in particular that $(p - 1)/2q$ be either prime or the product of large
+primes. Primes of this form protect against small-subgroup attacks; but our
+protocols are naturally immune to these attacks, so such precautions are
+unnecessary here. Elements of $G$ can be encoded readily, since each element
+$n + p\Z$ of $\F_p = \Z/p\Z$ has an obvious `representative' integer $n$ such
+that $0 \le n < p$, and given $2^{\ell_G} > p$, we can encode $n$ as $e(p,
+\ell_G, n)$, as above.
Alternatively, let $\F = \gf{p^f}$ be a finite field, and $E$ be an elliptic
curve defined over $\F$ such that the group $E(\F)$ of $\F$-rational points
\[ r(x) = \sum_{0\le i<f} c_i x^i \]
and hence we can uniquely encode $r$ as an $f$-bit string $a$ such that $a[i]
= c_i$.
+\fi
-\subsection{Symmetric encryption}
+\prelimsec{Symmetric encryption}
\label{sec:sym-enc}
Our key-exchange protocol requires a symmetric encryption scheme. Our
Our security notion for symmetric encryption is the standard notion of
left-or-right indistinguishability of ciphertexts under chosen-ciphertext
attack.
-\begin{definition}
- [Indistinguishability under chosen-ciphertext attack (IND-CCA)]
+\begin{definition}[IND-CCA]
\label{def:ind-cca}
Let $\E = (\kappa, E, D)$ be a symmetric encryption scheme, and $A$ be an
adversary. Let $\id{lr}_b(x_0, x_1) = x_b$ for $b \in \{0, 1\}$. Let
In section~\ref{sec:zk-ident}, we shall prove that our identification
protocol is zero-knowledge; in section~\ref{sec:denial}, we show that our
key-exchange protocol is deniable. In both of these proofs, we shall need to
-demonstrate \emph{simulatability}.
+demonstrate \emph{simulatability}.
+
+\ifshort
+
+We consider an adversary~$A$ interacting with a `world'~$W$; we model both as
+probabilistic algorithms. Both $A$ and~$W$ are given a common input~$c$; the
+world is additionally given a private input~$w$; these are chosen by a
+randomized initialization function $I$. The adversary is additionally given
+an auxiliary input~$u$ computed from $w$ by a randomized algorithm~$U$. All
+these algorithms -- the adversary and the world, but also the initialization
+and auxiliary-input algorithms $I$ and~$U$ -- have access to a number of
+random oracles $\mathcal{H} = (H_0, H_1, \ldots, H_{n-1})$. The adversary
+eventually decides to stop interacting, and produces an output~$a$.
+
+A \emph{simulator} for $A$'s interaction with $W$ is an algorithm $S^A$ which
+attempts to produce a similar output distribution, but without interacting
+with $W$. The simulator is given the same inputs $(c, u)$ as we gave
+to~$A$, and $S$ is also allowed to query the random oracles~$\mathcal{H}$.
+
+To measure the effectiveness of a simulator, we consider a distinguisher~$D$
+which is given $(c, u, a)$, and access to $\mathcal{H}$, and returns a bit
+$b$ representing its verdict as to whether the output $a$ was produced by the
+adversary or the simulator.
+
+\else
\subsubsection{General framework}
Consider a game in which an adversary~$A$ interacts with some `world'~$W$,
simulator is meant to represent the adversary's ability to compute things on
its own, without interacting with the world, and since the adversary is given
the auxiliary input, the simulator must be too. The distinguisher must be
-the auxiliary input because otherwise the simulator could just `make up'
-plausible-looking inputs.
+given the auxiliary input because otherwise the simulator could just `make
+up' plausible-looking inputs.
+
+\fi
+
+\ifshort
+Because we're interested in a concrete, quantitative analysis, we must
+constrain the resource usage of the various algorithms described above.
+Specifically, we shall be interested in
+\else
\subsubsection{Resource limits}
We shall not allow our algorithms to perform completely arbitrary
computations and interactions. Instead, we impose limits on the amount of
time they are allowed to take, the number of random-oracle queries they make,
and so on. Specifically, we are interested in
+\fi
\begin{itemize}
\item the time $t_A$ taken by the adversary and $t_D$ taken by the
distinguisher,
\end{itemize}
Sometimes we shall not be interested in proving simulatability of adversaries
with auxiliary inputs. We write $\mathcal{U} = 0$ to indicate that auxiliary
-output is not allowed.
+input is not allowed.
+
+\ifshort\else
\subsubsection{World syntax}
It will be worth our while being more precise about what a `world' actually
\item The `state' $\sigma$ is empty on the world's first invocation; on each
subsequent call, the value of the world's output $\sigma'$ is passed back.
In this way, the world can maintain state.
-\item The `type $\tau$ is a token giving the type of invocation this is.
+\item The `type $\tau$ is a token giving the type of invocation this is.
\item The `message' $\mu$ is any other information passed in; its form will
typically depend on the type~$\tau$ of the invocation.
\item The `new state' $\sigma'$ is the value of $\sigma$ to pass to the next
\subsubsection{Definitions}
We are now ready to begin making definitions.
+\fi
+
\begin{definition}[Simulation security]
\label{def:sim}
Consider the game described above, with the initialization function~$I$,
universal quantification over inputs fails to capture deniability in the
random oracle model, since the inputs can't therefore depend on the random
oracle. Our formulation therefore actually gives \emph{stronger}
- deniability that the usual one.
+ deniability than the usual one.
\end{remark}
\begin{figure}
\label{fig:sim}
\end{figure}
+\ifshort\else
\subsubsection{Fake-world simulators}
The simulators we shall be considering in the present paper are of a specific
type which we call `fake-world simulators'. They work by running the
\]
as required.
\end{proof}
+\fi
%%%--------------------------------------------------------------------------
\subsection{Description}
Here we present a simple zero-knowledge identification scheme. Fix some
-group $G$. Suppose Alice chooses a private key $x \inr \Nupto{|G|}$, and
-publishes the corresponding public key $X = x P$. Let $H_I\colon G^2 \to
-\Bin^{\ell_I}$ be a secure hash function. Here's a simple protocol which
-lets her prove her identity to Bob.
+group $G$ with prime order $q = \#G$. Suppose Alice chooses a private key $x
+\inr \gf{q}$, and publishes the corresponding public key $X = x P$. Let
+$H_I\colon G^2 \to \Bin^{\ell_I}$ be a secure hash function. Here's a simple
+protocol which lets her prove her identity to Bob.
\begin{enumerate}
-\item Bob selects a random $r \inr \Nupto{|G|}$, and computes $R = r P$, $Y =
- r X$, and $c = r \xor H_I(R, Y)$. He sends the pair $(R, c)$ to Alice as
- his \emph{challenge}.
+\item Bob selects a random $r \inr \gf{q}$, and computes $R = r P$, $Y = r X$,
+ and $c = r \xor H_I(R, Y)$. He sends the pair $(R, c)$ to Alice as his
+ \emph{challenge}.
\item Alice receives $(R, c)$. She computes $Y' = x R$ and $r' = c \xor
H_I(R', Y')$, and checks that $R = r' P$. If so, she sends $Y'$ as her
\emph{response}; otherwise she sends $\bot$.
\begin{figure}
\begin{description}
- \item[Setup] Group $G = \langle P \rangle$; $|G| = q$ is prime.
+ \item[Setup] Group $G = \langle P \rangle$; $\#G = q$ is prime.
$H_I(\cdot, \cdot)$ is a secure hash.
- \item[Private key] $x \inr \Nupto{q}$.
+ \item[Private key] $x \inr \gf{q}$.
\item[Public key] $X = x P$.
- \item[Challenge] $(R, c)$ where $r \inr \Nupto{q}$, $R = r P$, $c = r \xor
+ \item[Challenge] $(R, c)$ where $r \inr \gf{q}$, $R = r P$, $c = r \xor
H_I(R, r X)$.
\item[Response] $x R = r X$ if $R = (c \xor H_I(R, x R)) P$; otherwise
$\bot$.
\begin{figure}
\begin{program}
Function $\id{setup}()$: \+ \\
- $x \getsr \Nupto{q}$; \\
+ $x \getsr \gf{q}$; \\
$X \gets x P$; \\
\RETURN $(x, X)$;
- \next
+ \ifshort\newline\else\next\fi
Function $\id{challenge}^{H_I(\cdot, \cdot)}(R, c, X)$: \+ \\
- $r \getsr \Nupto{q}$; \\
+ $r \getsr \gf{q}$; \\
$R \gets r P$; $Y \gets r X$; \\
$h \gets H_I(R, Y)$; $c \gets r \xor h$; \\
\RETURN $(Y, R, c)$; \- \\[\medskipamount]
Note that the security bound here is \emph{independent} of the value of
$n$.
\end{remark}
-\begin{proof}
+\begin{longproof}{The proof of this theorem can be found in the full version
+ of the paper.}
We prove this by defining a sequence of games $\G{i}$. The first will be
the same as the attack game $\Game{imp-$n$}{\Wident}(A)$ and the others
will differ from it in minor ways. In each game $\G{i}$, let $S_i$ be the
event that $A$ wins the game -- i.e., that it successfully impersonates the
holder of the private key~$x$.
-
+
Let game $\G0$ be the attack game $\Game{imp}{\Wident}(A)$, and let $(R',
Y')$ be the output of $A$ in the game.
\caption{Soundness of $\Wident$: reduction from MCDH}
\label{fig:wident-sound-cdh}
\end{figure}
-
-\end{proof}
+\end{longproof}
\subsubsection{Zero-knowledge}
Finally we must prove that $\Wident$ is (statistical) zero-knowledge -- i.e.,
We shall actually consider a slightly more complex setting. We grant Bob
access to an oracle which produces random, correctly-formed challenges. We
require this to model the legitimate challenges of other parties when we
-analyse the security of our key exchange protocol. The extractor is
-permitted to fail given
+analyse the security of our key exchange protocol.
\begin{definition}[Discrete-log extractors]
Let $T$, $B$ be randomized algorithms. Define the game
is defined as
\[ \Succ{dl-ext}{G}(T, B) = \Pr[\Game{dl-ext}{G}(T, B) = 1]. \]
\end{definition}
-Let's unpack this definition slightly. We make the following demands of our
-extractor.
-\begin{itemize}
-\item It is given a bare `transcript' of $B$'s execution. In particular, it
- is given only its output and a list of $B$'s random-oracle queries in no
- particular order.
-\item While the extractor is not given the private key~$x$, the adversary~$B$
- is given the private key.
-\item We require that, if the extractor produces values $r, Y \ne \bot$ then
- $r$ and $Y$ are \emph{correct}; i.e., that $R = r P$ and $Y = x R$.
-\item The extractor is explicitly \emph{not} given the outputs of the
- challenge-generation oracle $C()$, nor of the random-oracle queries issued
- by $C()$. However, we allow the extractor to fail (i.e., return $\bot$) if
- $B$ simply parrots one of its $C$-outputs.
-\item The extractor is allowed -- indeed \emph{required} -- to fail if the
- challenge $(R, c)$ is \emph{invalid} (i.e., Alice would return $\bot$ given
- the challenge).
-\end{itemize}
-The resulting definition bears a striking similarity to the concept of
-\emph{plaintext awareness} in \cite{Bellare:1998:RAN}.
\begin{figure}
\begin{program}
$Y' \gets x R$; $h' \gets H_I(R, Y')$; $r' \gets c \xor h'$; \\
\IF $r \ne \bot$ \THEN \\ \quad
\IF $Y = \bot \lor R \ne r P \lor Y \ne Y'$ \THEN \RETURN $0$; \\
- \IF $R = r' P$ \THEN $(r^*, Y^*) = (r', Y')$; \\
+ \IF $R = r' P$ \THEN $(r^*, Y^*) \gets (r', Y')$; \\
\ELSE $(r^*, Y^*) \gets (\bot, \bot)$; \\
\IF $(R, c) \in Q_C$ \THEN \RETURN $1$; \\
\IF $(r, Y) = (r', Y')$ \THEN \RETURN $1$; \\
$Q_H \gets Q_H \cup \{(R', Y', h)\}$; \\
\RETURN $h$; \- \\[\medskipamount]
Oracle $C()$: \+ \\
- $r \getsr \Nupto{q}$; \\
+ $r \getsr \gf{q}$; \\
$R \gets r P$; $c \gets r \xor H_I(R, r X)$; \\
$Q_C \gets Q_C \cup \{(R, c)\}$; \\
- \RETURN $(R, c)$
+ \RETURN $(R, c)$
\end{program}
\caption{Discrete log extraction game: $\Game{dl-ext}{G}(T, B)$}
\label{fig:dlext}
\end{figure}
+Let's unpack this definition slightly. We make the following demands of our
+extractor.
+\begin{itemize}
+\item It is given a bare `transcript' of $B$'s execution. In particular, it
+ is given only its output and a list of $B$'s random-oracle queries in no
+ particular order.
+\item While the extractor is not given the private key~$x$, the adversary~$B$
+ is given the private key.
+\item We require that, if the extractor produces values $r, Y \ne \bot$ then
+ $r$ and $Y$ are \emph{correct}; i.e., that $R = r P$ and $Y = x R$.
+\item The extractor is explicitly \emph{not} given the outputs of the
+ challenge-generation oracle $C()$, nor of the random-oracle queries issued
+ by $C()$. However, we allow the extractor to fail (i.e., return $\bot$) if
+ $B$ simply parrots one of its $C$-outputs.
+\item The extractor is allowed -- indeed \emph{required} -- to fail if the
+ challenge $(R, c)$ is \emph{invalid} (i.e., Alice would return $\bot$ given
+ the challenge).
+\end{itemize}
+The resulting definition bears a striking similarity to the concept of
+\emph{plaintext awareness} in \cite{Bellare:1998:RAN}.
+
Such an extractor indeed exists, as the following lemma states.
\begin{lemma}[Effectiveness of extractor $T_\Wident$]
\label{lem:dlext}
- There exists a \emph{universal discrete-log extractor} $T_\Wident$ which,
- for any algorithm $B$,
+ There exists a \emph{universal discrete-log extractor} $T_\Wident$, shown
+ in figure~\ref{fig:twident}, such that, for any algorithm $B$,
\[ \Succ{dl-ext}{G}(T_\Wident, B) \ge 1 - \frac{1}{2^{\ell_I}}. \]
Moreover, if $B$ issues at most $q_H$ random-oracle queries, then the
running time of $T_\Wident$ is $O(q_H)$.
\end{lemma}
+\ifshort
+The proof of this lemma is given in the full version of this paper.
+\else
We prove this result at the end of the section. For now, let us see how to
prove that $\Wident$ is zero-knowledge.
+\fi
+
+\begin{figure}
+ \begin{program}
+ Extractor $T_\Wident(R, c, Q_H)$: \+ \\
+ \FOR $(R', Y', h)$ \IN $Q_H$ \DO \\ \ind
+ $r \gets h \xor c$; \\
+ \IF $R = R' = r P \land Y' = r X$ \THEN \RETURN $(r, Y')$; \- \\
+ \RETURN $(\bot, \bot)$;
+ \end{program}
+
+ \caption{The discrete-log extractor $T_\Wident$}
+ \label{fig:twident}
+\end{figure}
We use the set-up described in section~\ref{sec:sim}. Our initialization
-function~$I_\Wident$ just chooses a random $x \in \Nupto{q}$ as the world
+function~$I_\Wident$ just chooses a random $x \in \gf{q}$ as the world
private input and sets $X = x P$ as the common input. In the `real world',
the adversary is allowed to submit a (single) challenge to the prover; it is
given the prover's response, and must then compute its output. This is shown
\]
where $q_C$ is the maximum number of challenges allowed by the adversary.
\end{theorem}
-\begin{proof}
+\begin{longproof}{}
The simulator simply uses the extractor~$T_\Wident$ to extract the answer
from the adversary's history of random oracle queries. Observe that
$S_\Wident$ is a fake-world simulator. By lemma~\ref{lem:dlext}, the
extractor fails with probability only $2^{-\ell_I}$. The theorem follows
by a simple union bound and proposition~\ref{prop:fakesim}.
-\end{proof}
+\end{longproof}
+%\ifshort\else
\begin{figure}
\begin{program}
Initialization function $I_\Wident()$: \+ \\
- $x \getsr \Nupto{|G|}$; \\
+ $x \getsr \gf{q}$; \\
$X \gets x P$; \\
\RETURN $(x, X)$;
\- \\[\medskipamount]
\caption{Real-prover and simulator for zero-knowledge of $\Wident$}
\label{fig:wident-sim}
\end{figure}
+%\fi
-We now return to proving that our extractor exists and functions as claimed.
+\ifshort\else
+We now return to proving that the extractor $T_\Wident$ functions as claimed.
The following two trivial lemmata will be useful, both now and later.
\begin{lemma}[Uniqueness of discrete-logs]
\label{lem:unique-dl}
Let $G = \langle P \rangle$ be a cyclic group. For any $X \in G$ there is
- a unique integer $x$ where $0 \le x < |G|$ and $X = x P$.
+ a unique $x \in \gf{q}$ where $X = x P$.
\end{lemma}
\begin{proof}
Certainly such an $x$ exists, since $G$ is cyclic and finite. Suppose $X =
x P = x' P$: then $0 = x P - x' P = (x - x') P$. Hence $(x - x')$ is a
- multiple of $|G|$.
+ multiple of $q$, i.e., $x = x'$.
\end{proof}
\begin{lemma}[Uniqueness of check values]
\label{lem:unique-c}
- Let $G = \langle P \rangle$ be a cyclic group; let $H_I$ be a function
- $H_I\colon \Bin^{2\ell_G} \to \Bin^{\ell_I}$. Fix some $x \in
- \Nupto{|G|}$ and define the set
+ Let $G = \langle P \rangle$ be a cyclic group of prime order $q$; let $H_I$
+ be a function $H_I\colon \Bin^{2\ell_G} \to \Bin^{\ell_I}$. Fix some $x
+ \in \gf{q}$ and define the set
\[ V_x = \bigl\{\, (R, c) \in G \times \Bin^{\ell_I} \bigm|
R = \bigl( c \xor H_I(R, x R) \bigr) P \,\bigr\}.
\]
Then, for any $R$, $c$, $c'$, if $(R, c) \in V_x$ and $(R, c') \in V_x$
- then $c = c'$.
+ then $c = c'$.
\end{lemma}
\begin{proof}
- From lemma~\ref{lem:unique-dl}, we see that there is a unique $r \in
- \Nupto{|G|}$ for which $R = r P$. Now, if $(R, c) \in V_x$, we must have
- $r = c \xor H_I(R, x R)$. It follows that $c = r \xor H_I(R, x R)$.
+ From lemma~\ref{lem:unique-dl}, we see that there is a unique $r \in \gf{q}$
+ for which $R = r P$. Now, if $(R, c) \in V_x$, we must have $r = c \xor
+ H_I(R, x R)$. It follows that $c = r \xor H_I(R, x R)$.
\end{proof}
\begin{proof}[Proof of lemma~\ref{lem:dlext}]
- Our extractor $T_\Wident$ is shown in figure~\ref{fig:twident}.
-
- \begin{figure}
- \begin{program}
- Extractor $T_\Wident(R, c, Q_H)$: \+ \\
- \FOR $(R', Y', h)$ \IN $Q_H$ \DO \\ \ind
- $r \gets h \xor c$; \\
- \IF $R = R' = r P \land Y' = r X$ \THEN \RETURN $(r, Y')$; \- \\
- \RETURN $(\bot, \bot)$;
- \end{program}
-
- \caption{The discrete-log extractor $T_\Wident$}
- \label{fig:twident}
- \end{figure}
-
Let $B$ be any randomized algorithm, and let $(R, c, Q_H)$ be as given to
the extractor by $\Game{dl-ext}{G}(T_\Wident, B)$. Let the quantities
$H_I$, $Q_C$, $r$, $r'$, $x$ and $X$ be as in that game.
zero-knowledge against honest verifiers. We're much more interested in
dishonest verifiers, though.
\end{remark}
+\fi
+\ifshort\else
\subsection{An identity-based identification scheme}
\label{sec:wident-id}
\subsubsection{The identity-based scheme}
We need a trusted authority; following \cite{Schneier:1996:ACP} we shall call
-him Trent. Trent's private key is $t \in \Nupto{q}$; his public key is $T =
+him Trent. Trent's private key is $t \in \gf{q}$; his public key is $T =
t P$.
Finally, we need cryptographic hash functions $H_I\colon G \times G_T \to
\item Bob computes $\gamma_A = \hat{e}(T, A) \in G_T$. (He can do this once
and store the result if he wants, but it's not that onerous to work it out
each time.)
-\item Bob chooses $r \inr \Nupto{q}$, and sets $R = r P$. He also computes
+\item Bob chooses $r \inr \gf{q}$, and sets $R = r P$. He also computes
$\psi = \gamma_A^r$, $h = H_I(R, \psi)$ and $c = r \xor h$. He sends his
challenge $(R, c)$ to Alice.
\item Alice receives $(R', c')$. She computes $\psi' = \hat{e}(R, K_A)$, $h'
out of this identity-based identification scheme, yielding an identity-based
authenticated key-exchange protocol. We leave it to the reader to work
through the details.
+\fi
+\ifshort\else
\subsection{Comparison with the protocol of Stinson and Wu}
\label{sec:stinson-ident}
Our protocol is similar to a recent proposal by Stinson and Wu
\cite{Stinson:2006:EST}. They restrict their attention to Schnorr groups $G
-\subset \F_p^*$. Let $\gamma$ be an element of order $q = |G|$. The
-prover's private key is $a \inr \Nupto{q}$ and her public key is $\alpha =
-\gamma^a$. In their protocol, the challenger chooses $r \inr \Nupto{q}$,
-computes $\rho = \gamma^r$ and $\psi = \alpha^r$, and sends a challenge
-$(\rho, H(\psi))$. The prover checks that $\rho^q \ne 1$, computes $\psi =
-\rho^a$, checks the hash, and sends $\psi$ back by way of response. They
-prove their protocol's security in the random-oracle model.
+\subset \F_p^*$. Let $\gamma$ be an element of order $q = \#G$. The
+prover's private key is $a \inr \gf{q}$ and her public key is $\alpha =
+\gamma^a$. In their protocol, the challenger chooses $r \inr \gf{q}$, computes
+$\rho = \gamma^r$ and $\psi = \alpha^r$, and sends a challenge $(\rho,
+H(\psi))$. The prover checks that $\rho^q \ne 1$, computes $\psi = \rho^a$,
+checks the hash, and sends $\psi$ back by way of response. They prove their
+protocol's security in the random-oracle model.
Both the Wrestlers protocol and Stinson-Wu require both prover and verifier
to compute two exponentiations (or scalar multiplications) each. The
-sizes of the messages used by the two protocols are also identical.
+sizes of the messages used by the two protocols are also identical.
(An earlier version of the Stinson-Wu protocol used a cofactor
exponentiation: if we set $f = (p - 1)/q$, then we use $\psi = \alpha^{rf}) =
\\ \hlx{v[1]hv}
%% unpleasant hacking to make the R and c columns the same width :-(
\settowidth{\dimen0}{\textbf{Challenge}}%
- \dimen0=.5\dimen0
+ \dimen0=.5\dimen0
\advance\dimen0by-\tabcolsep
\advance\dimen0by-.5\arrayrulewidth
\hbox to\dimen0{\hfil$R$\hfil}
(lemma~\ref{lem:dlext}); $Y'$ probably wrong by
theorem~\ref{thm:wident-sound}. \\ \hlx{vh}
\end{tabular}
-
+
\caption{Security of $\Wident$ against active intruders (summary)}
\label{tab:wident-active}
\end{table}
Stinson-Wu rather than the Wrestlers identification scheme. We haven't,
however, gone through all the details, since we believe our protocol is just
as efficient and is based on much more conservative assumptions.
+\fi
%%%--------------------------------------------------------------------------
Suppose that Alice's and Bob's private keys are $a$ and $b$ respectively, and
their public keys are $A = a P$ and $B = b P$.
\begin{enumerate}
-\item Alice chooses a random index $r \inr \Nupto{|G|}$. She computes $R = r
- P$ and $c = r \xor H_I(R, r B)$. She sends the pair $(R, c)$ to Bob.
-\item Similarly, Bob chooses a random $s \inr \Nupto{|G|}$. He computes $S
- = s P$ and $d = s \xor H_I(S, s A)$. He sends $(S, d)$ to Alice.
+\item Alice chooses a random index $r \inr \gf{q}$. She computes $R = r P$ and
+ $c = r \xor H_I(R, r B)$. She sends the pair $(R, c)$ to Bob.
+\item Similarly, Bob chooses a random $s \inr \gf{q}$. He computes $S = s P$
+ and $d = s \xor H_I(S, s A)$. He sends $(S, d)$ to Alice.
\item Alice receives $(S', d')$ from Bob. She computes $s' = d' \xor H_I(S',
a S')$, and verifies that $S' = s' P$. If so, she computes $K_A = H_K(0
\cat r S')$, and sends $R, E_{K_A}(a S')$ to Bob.
\begin{figure}
\begin{description}
- \item[Setup] Group $G = \langle P \rangle$; $|G| = q$ is prime.
+ \item[Setup] Group $G = \langle P \rangle$; $\#G = q$ is prime.
$H_I(\cdot, \cdot)$ and $H_K(\cdot)$ are secure hashes. $\E = (\kappa,
E, D)$ is an IND-CCA2 symmetric encryption scheme.
\item[Parties] $U_i$ for $0 \le i < n$.
- \item[Private keys] $x_i \inr \Nupto{q}$.
+ \item[Private keys] $x_i \inr \gf{q}$.
\item[Public keys] $X_i = x_i P$.
\end{description}
- \[ \begin{graph}
- !{0; <8cm, 0cm>: <0cm, 3cm>::}
- *+[F]\dbox{$r_i \getsr I$; $R_i \gets r_i P$ \\
- $c_i \gets r_i \xor H_I(R_i, r_i X_j)$} ="i0"
- [d]
- *+[F]\dbox{Check $R_j = \bigl(c_j \xor H_I(x_i R_j)\bigr) P$ \\
- $Z \gets r_i R_j$; $K \gets H_K(0, Z)$ \\
- $\chi_i \gets E_K(x_i R_j)$} ="i1"
- [d]
- *+[F]\dbox{Check $D_K(\chi_j) = r_i X_j$ \\
- Shared key is $H_K(1, Z)$} ="i2"
- "i0" [r]
- *+[F]\dbox{$r_j \getsr I$; $R_j \gets r_j P$ \\
- $c_j \gets r_j \xor H_I(R_j, r_j X_i)$} ="j0"
- [d]
- *+[F]\dbox{Check $R_i = \bigl(c_i \xor H_I(x_j R_i)\bigr) P$ \\
- $Z \gets r_j R_i$; $K \gets H_K(0, Z)$ \\
- $\chi_j \gets E_K(x_j R_i)$} ="j1"
- [d]
- *+[F]\dbox{Check $D_K(\chi_i) = r_j X_i$ \\
- Shared key is $H_K(1, Z)$} ="j2"
- %
- "i0" : |(0)/3.25cm/*+{(R_i, c_i)} "j1"
- "i1" : |(0)/3.25cm/*+{(R_i, \chi_i)} "j2"
- "j0" : |(0)/3.25cm/*+{(R_j, c_j)} "i1"
- "j1" : |(0)/3.25cm/*+{(R_j, \chi_j)} "i2"
- \end{graph} \]
+ \begin{protocol}
+ $r_i \getsr I$; $R_i \gets r_i P$; &
+ $r_j \getsr I$; $R_j \gets r_j P$; \\
+ $c_i \gets r_i \xor H_I(R_i, r_i X_j)$; &
+ $c_j \gets r_j \xor H_I(R_j, r_j X_i)$; \\
+ \send{->}{(R_i, c_i)}
+ \send{<-}{(R_j, c_j)}
+ Check $R_j = \bigl(c_j \xor H_I(x_i R_j)\bigr) P$; &
+ Check $R_i = \bigl(c_i \xor H_I(x_j R_i)\bigr) P$; \\
+ $Z \gets r_i R_j$; $(K_0, K_1) \gets H_K(Z)$; &
+ $Z \gets r_j R_i$; $(K_0, K_1) \gets H_K(Z)$; \\
+ $\chi_i \gets E_{K_0}(x_i R_j)$; &
+ $\chi_j \gets E_{K_0}(x_j R_i)$; \\
+ \send{->}{(R_i, \chi_i)}
+ \send{<-}{(R_j, \chi_j)}
+ Check $D_{K_0}(\chi_j) = r_i X_j$; &
+ Check $D_{K_0}(\chi_i) = r_j X_i$; \\
+ Shared key is $K_1$. & Shared key is $K_1$.
+ \end{protocol}
\caption{Summary of the Wrestlers Key Exchange protocol, $\Wkx$}
\label{fig:wkx}
responds to Alice's message;
\item $b R' = b R = b (r P) = r (b P) = r B$, and $a S' = a S = a (s P) = s
(a P) = s A$, and therefore both parties compute their responses correctly;
- and
+ and
\item $r S' = r S = r (s P) = s (r P) = s R = s R'$, so $K_A = K_B$, and
therefore they can decrypt each others' responses, and agree the same
shared secret.
SK-security game.
\end{enumerate}
+\ifshort
+
+Readers interested in the details of the model should see Canetti and
+Krawczyk's paper \cite{Canetti:2001:AKE}, or the full version of this paper.
+
+\else
+
\subsubsection{Overview}
We briefly describe our modified model, pointing out the changes we have
made, and how they apply to our protocol. Much of Canetti and Krawczyk's
\subsubsection{Sessions}
Parties don't act directly. Instead, each party runs a number of
-\emph{sessions}. A session a triple $S = (P_i, P_j, s)$, where $i, j \in
-\Nupto{n}$ identify the owning party and a \emph{partner}, and $s \in
-\Bin^{\ell_S}$ is a \emph{session-id}. (The original model includes a
-r\^ole, for distinguishing between initiators and responders. Our protocol
-is symmetrical, so this distinction isn't useful.) If $P_i$ runs a session
-$S = (P_i, P_j, s)$ and $P_j$ runs a session $S' = (P_j, P_i, s)$ then we say
-that $S$ and $S'$ are \emph{matching}, and that $P_j$ is $P_i$'s
+\emph{sessions}. A session is represented by a triple $S = (P_i, P_j, s)$,
+where $i, j \in \Nupto{n}$ identify the owning party and a \emph{partner},
+and $s \in \Bin^{\ell_S}$ is a \emph{session-id}. (The original model
+includes a r\^ole, for distinguishing between initiators and responders. Our
+protocol is symmetrical, so this distinction isn't useful.) If $P_i$ runs a
+session $S = (P_i, P_j, s)$ and $P_j$ runs a session $S' = (P_j, P_i, s)$
+then we say that $S$ and $S'$ are \emph{matching}, and that $P_j$ is $P_i$'s
\emph{partner} for the session.
At most one participant in the game is \emph{active} at any given time.
\item the adversary correctly guesses the hidden bit~$b^*$.
\end{enumerate}
More formally, we make the following definition.
+\fi
\begin{definition}[SK-security]
\label{def:sk}
Let $\Pi^{H_0(\cdot), H_1(\cdot), \ldots}$ be a key-exchange protocol
which makes use of random oracles $H_0(\cdot)$, $H_1(\cdot)$, \dots, and
- let $A$ be an adversary playing the game described previously, where $n$
+ let $A$ be an adversary playing the game described \ifshort in
+ \cite{Canetti:2001:AKE}\else previously\fi, where $n$
parties run the protocol~$\Pi$. Let $V$ be the event that any pair of
matching, unexposed sessions completed, but output different session keys.
Let $W$ be the event that the adversary's output bit matches the game's
\subsection{Security}
In order to analyse our protocol $\Wkx^{G, \E}$ properly, we must describe
-exactly how it fits into the formal model described in our formal model.
+exactly how it fits into our formal model.
\subsubsection{Sessions and session-ids}
Our formal model introduced the concept of sessions, which the informal
\begin{program}
Function $\id{init}(n)$: \+ \\
\FOR $i \in \Nupto{n}$ \DO \\ \ind
- $x \getsr \Nupto{|G|}$; \\
+ $x \getsr \gf{q}$; \\
$\mathbf{i}[i] \gets x$; \\
$\mathbf{p}[i] \gets x P$; \- \\
\RETURN $(\mathbf{p}, \mathbf{i})$;
$X \gets \mathbf{p}[i]$;
$X' \gets \mathbf{p}[j]$;
$C \gets \emptyset$; \\
- $r \getsr \Nupto{|G|}$;
+ $r \getsr \gf{q}$;
$R \gets r P$;
$Y \gets r X'$; \\
$h \gets H_I(X, s, R, Y)$;
\OUTPUT $K_1$;
\STOP;
\end{program}
-
+
\caption{Formalization of $\Wkx$}
\label{fig:wkx-formal}
\end{figure}
\subsubsection{Security}
Having formally presented the protocol, we can now state our main theorem
-about its security. The proof is given in appendix~\ref{sec:sk-proof}.
+about its security. The proof is given in \ifshort the full version of the
+paper\else appendix~\ref{sec:sk-proof}\fi.
\begin{theorem}[SK-security of $\Wkx$]
\label{thm:sk}
Let $G$ be a cyclic group. Let $\E = (\kappa, E, D)$ be a symmetric
2 q_S \bigl( \InSec{ind-cca}(\E; t', q_M, q_M) + {} \\
\InSec{mcdh}(G; t', q_K) +
n \,\InSec{mcdh}(G; t', q_M + q_I) \bigr) +
- \frac{n (n - 1)}{|G|} +
+ \frac{n (n - 1)}{q} +
\frac{2 q_M}{2^{\ell_I}}.
\end{spliteqn*}
where $t' = t + O(n) + O(q_S) + O(q_M q_I) + O(q_K)$.
\end{theorem}
+\ifshort\else
\subsection{Insecure protocol variants}
\label{sec:kx-insecure}
Although each of Alice and Bob have two sessions with session-id~$s$, this is
allowed, since they are with different partners. The rest of the attack in
fact proceeds identically to the previous case.
-
+\fi
\subsection{Deniability}
\label{sec:denial}
the judge to bring him the evidence necessary to convict Alice. Here's how.
Alice's public key is $A$, and Bob's public key is $B$. The judge chooses
-some session-id $s$, and $r \inr \Nupto{q}$. He computes $R = r P$ and $c =
+some session-id $s$, and $r \inr \gf{q}$. He computes $R = r P$ and $c =
r \xor H_I(B, s, R, r A)$, and gives Bob the triple $(s, R, c)$, keeping $r$
secret. Bob can now persuade Alice to enter into a key-exchange with him,
with session-id $s$. He uses $(R, c)$ as his challenge message. When Alice
\begin{figure}
\begin{description}
- \item[Setup] Group $G = \langle P \rangle$; $|G| = q$ is prime.
+ \item[Setup] Group $G = \langle P \rangle$; $\#G = q$ is prime.
$H_I(\cdot, \cdot, \cdot, \cdot, \cdot)$ and $H_K(cdot)$ are secure
hashes. $\E = (\kappa, E, D)$ is an IND-CCA2 symmetric encryption
scheme.
\item[Parties] $U_i$ for $0 \le i < n$.
- \item[Private keys] $x_i \inr \Nupto{q}$.
+ \item[Private keys] $x_i \inr \gf{q}$.
\item[Public keys] $X_i = x_i P$.
\end{description}
- \[ \begin{graph}
- !{0; <8cm, 0cm>: <0cm, 3cm>::}
- *+[F]\dbox{$r_i \getsr I$; $R_i \gets r_i P$} ="i-1"
- [d]
- *+[F]\dbox{$c_i \gets r_i \xor H_I(R_j, X_i, s, R_i, r_i X_j)$} ="i0"
- [d]
- *+[F]\dbox{Check $R_j = \bigl(c_j \xor H_I(x_i R_j)\bigr) P$ \\
- $Z \gets r_i R_j$; $K \gets H_K(0, Z)$ \\
- $\chi_i \gets E_K(x_i R_j)$} ="i1"
- [d]
- *+[F]\dbox{Check $D_K(\chi_j) = r_i X_j$ \\
- Shared key is $H_K(1, Z)$} ="i2"
- "i-1" [r]
- *+[F]\dbox{$r_j \getsr I$; $R_j \gets r_j P$} ="j-1"
- [d]
- *+[F]\dbox{$c_j \gets r_j \xor H_I(R_i, X_j, s, R_j, r_j X_i)$} ="j0"
- [d]
- *+[F]\dbox{Check $R_i = \bigl(c_i \xor H_I(x_j R_i)\bigr) P$ \\
- $Z \gets r_j R_i$; $K \gets H_K(0, Z)$ \\
- $\chi_j \gets E_K(x_j R_i)$} ="j1"
- [d]
- *+[F]\dbox{Check $D_K(\chi_i) = r_j X_i$ \\
- Shared key is $H_K(1, Z)$} ="j2"
- %
- "i-1" : |(0)/3.25cm/*+{R_i} "j0"
- "i0" : |(0)/3.25cm/*+{(R_i, c_i)} "j1"
- "i1" : |(0)/3.25cm/*+{(R_i, \chi_i)} "j2"
- "j-1" : |(0)/3.25cm/*+{R_j} "i0"
- "j0" : |(0)/3.25cm/*+{(R_j, c_j)} "i1"
- "j1" : |(0)/3.25cm/*+{(R_j, \chi_j)} "i2"
- \end{graph} \]
+
+ \begin{protocol}
+ $r_i \getsr I$; $R_i \gets r_i P$; &
+ $r_j \getsr I$; $R_j \gets r_j P$; \\
+ \send{->}{R_i}
+ \send{<-}{R_j}
+ $c_i \gets r_i \xor H_I(R_j, X_i, s, R_i, r_i X_j)$; &
+ $c_j \gets r_j \xor H_I(R_i, X_j, s, R_j, r_j X_i)$; \\
+ \send{->}{(R_i, c_i)}
+ \send{<-}{(R_j, c_j)}
+ Check $R_j = \bigl(c_j \xor H_I(x_i R_j)\bigr) P$; &
+ Check $R_i = \bigl(c_i \xor H_I(x_j R_i)\bigr) P$; \\
+ $Z \gets r_i R_j$; $(K_0, K_1) \gets H_K(Z)$; &
+ $Z \gets r_j R_i$; $(K_0, K_1) \gets H_K(Z)$; \\
+ $\chi_i \gets E_{K_0}(x_i R_j)$; &
+ $\chi_j \gets E_{K_0}(x_j R_i)$; \\
+ \send{->}{(R_i, \chi_i)}
+ \send{<-}{(R_j, \chi_j)}
+ Check $D_{K_0}(\chi_j) = r_i X_j$; &
+ Check $D_{K_0}(\chi_i) = r_j X_i$; \\
+ Shared key is $K_1$. & Shared key is $K_1$.
+ \end{protocol}
\caption{Summary of the Deniable Wrestlers Key Exchange protocol, $\Wdkx$}
\label{fig:wdkx}
\begin{program}
Function $\id{init}(n)$: \+ \\
\FOR $i \in \Nupto{n}$ \DO \\ \ind
- $x \getsr \Nupto{|G|}$; \\
+ $x \getsr \gf{q}$; \\
$\mathbf{i}[i] \gets x$; \\
$\mathbf{p}[i] \gets x P$; \- \\
\RETURN $(\mathbf{p}, \mathbf{i})$;
$X \gets \mathbf{p}[i]$;
$X' \gets \mathbf{p}[j]$;
$C \gets \emptyset$; \\
- $r \getsr \Nupto{|G|}$;
+ $r \getsr \gf{q}$;
$R \gets r P$;
$Y \gets r X'$; \\
\SEND $(\cookie{pre-challange}, R)$;
\OUTPUT $K_1$;
\STOP;
\end{program}
-
+
\caption{Deniable key-exchange: formalization of $\Wdkx$}
\label{fig:wdkx-formal}
\end{figure}
The security of this variant is given by the following theorem, whose proof
-is in appendix~\ref{sec:sk2-proof}.
+is \ifshort given in the full version of this paper\else in
+appendix~\ref{sec:sk2-proof}\fi.
\begin{theorem}[SK-security of $\Wdkx$]
\label{thm:sk2}
Let $G$ be a cyclic group. Let $\E = (\kappa, E, D)$ be a symmetric
\frac{q_M}{2^{\ell_I}}
\]
and
- \[ \InSec{sim}(W_{\Wdkx^{G, \E}}, I_{\Wdkx^{G, \E}}, S_{\Wdkx^{G, \E}};
- t_D, t_A, \mathcal{Q}_D, \mathcal{Q}_A, (q_S, q_M), n_C) \le
- \frac{n_C q_S}{|G|} +
+ \iffancystyle\[\else\begin{spliteqn*}\fi
+ \InSec{sim}(W_{\Wdkx^{G, \E}}, I_{\Wdkx^{G, \E}}, S_{\Wdkx^{G, \E}};
+ t_D, t_A, \mathcal{Q}_D, \mathcal{Q}_A, (q_S, q_M), n_C) \le
+ \iffancystyle\else\\\fi
+ \frac{n_C q_S}{\#G} +
\frac{q_M}{2^{\ell_I}}.
- \]
+ \iffancystyle\]\else\end{spliteqn*}\fi
The running time of the simulators is $O(t_A) + O(\mathcal{Q}_A q_M)$.
\end{theorem}
-\begin{proof}
+\begin{longproof}{The proof of this theorem can be found in the full version
+ of this paper.}
The simulators $S_\Wkx$ and $S_\Wdkx$ are very similar. We describe both
here. Both are fake-world simulators, working as follows.
\begin{enumerate}
giving each the public key $X_i$ from the common input.
\item Suppose the adversary requests creation of a new session $S = (P_i,
P_j, s)$. Then the simulator creates a new session, including a random
- value $r_S \inr \Nupto{|G|}$, and computes $R_S = r_S P$, and $Y_S = r_S
+ value $r_S \inr \gf{q}$, and computes $R_S = r_S P$, and $Y_S = r_S
X_j$. For $\Wdkx$, it sends the message $(\cookie{pre-challenge}, R_S)$;
for $\Wkx$, it additionally computes $h = H_I(X_i, s, R_S, Y_S)$ and
sends $(\cookie{challenge}, R_S, r_S \xor h)$.
adversary's auxiliary input. In this case the simulator must fail. But
$R_S = r_S P$, and $r_S$ was chosen uniformly at random. If there are at
most $n_C$ challenge sets in the auxiliary input then this happens with
- probability at most $n_C/|G|$ for any given session.
+ probability at most $n_C/\#G$ for any given session.
\end{itemize}
We conclude that the simulator fails with probability
- \[ \frac{q_M}{2^{\ell_I}} + \frac{q_S n_C}{|G|}. \]
+ \[ \frac{q_M}{2^{\ell_I}} + \frac{q_S n_C}{\#G}. \]
(Note that we only consider $n_C = 0$ for $\Wkx$.) No adversary can
distinguish the simulator from a real interaction unless the simulator
fails, and the simulator is a fake-world simulator. We therefore apply
proposition~\ref{prop:fakesim}; the theorem follows.
-\end{proof}
-
+\end{longproof}
+\ifshort\else
\subsection{Practical issues}
\label{sec:practice}
ciphertexts to insert the corresponding plaintexts into the channel.
We offer a sketch proof of this claim in appendix~\ref{sec:sc-proof}.
+\fi
%%%--------------------------------------------------------------------------
%%%--------------------------------------------------------------------------
+\ifshort\def\next{\end{document}}\expandafter\next\fi
\appendix
\section{Proofs}
crediting the adversary with a win. This only happens when the corresponding
private keys are equal, i.e., $x_i = x_j$, and since the initialization
function chooses private keys uniformly at random, this happens with
-probability at most $\binom{n}{2}/|G|$. Since if this doesn't happen, the
+probability at most $\binom{n}{2}/\#G$. Since if this doesn't happen, the
game is identical to $\G0$, we can apply lemma~\ref{lem:shoup}, and see that
\begin{equation}
\label{eq:sk-g0-g1}
- \diff{0}{1} \le \frac{1}{|G|} \binom{n}{2} = \frac{n (n - 1)}{2 |G|}.
+ \diff{0}{1} \le \frac{1}{\#G} \binom{n}{2} = \frac{n (n - 1)}{2 \#G}.
\end{equation}
In game~$\G1$ and onwards, we can assume that public keys for distinct
parties are themselves distinct. Note that the game now takes at most
\Pr[V_4] = 0 \qquad \text{and} \qquad \Pr[W_4] = \frac{1}{2}.
\end{equation}
Putting equations~\ref{eq:sk-g0-g1}--\ref{eq:sk-g4} together, we find
+\begingroup \splitright=4em minus 4em
\begin{spliteqn}
\Adv{sk}{\Wident^{G, \E}}(A) \le
2 q_S \bigl(\InSec{ind-cca}(\E; t', q_M, q_M) + {} \\
\InSec{mcdh}(G; t', q_K) +
n \,\InSec{mcdh}(G; t', q_M + q_I) \bigr) + {}
- \frac{n (n - 1)}{|G|} +
+ \frac{n (n - 1)}{\#G} +
\frac{2 q_M}{2^{\ell_I}}.
-\end{spliteqn}
+\end{spliteqn} \endgroup
The theorem follows, since $A$ was chosen arbitrarily.
= \frac{1}{2^{\ell_I}} \sum_\Cid \Ccount(\Cid)
\le \frac{q_M}{2^{\ell_I}}
\]
- as required.
+ as required.
Now observe that, in $\G2$, sessions don't actually check incoming
challenges in this way any more -- instead we run the extractor. So, to
choose a random $m \in \Nupto{n}$, and when the adversary creates the
session $S = S_k = (P_i, P_j, s)$, we abort the game unless $j = m$.
Clearly we have $\Pr[F_6] = n \Pr[F_7]$.
-
+
Finally, we can explicitly bound $F_6$. In $\G6$, the adversary's view is
independent of the correct response $Y_S = r_S X_S = x_j R_S$ to $S$'s
challenge. Therefore, if $A$ manages to send any message $\mu \notin M_T$
The proof is almost identical to the proof of theorem~\ref{thm:sk}, in
appendix~\ref{sec:sk-proof}. Unfortunately a black-box reduction doesn't
-seem possible.
+seem possible.
We use the games and notation of section~\ref{sec:sk-proof}.
\end{equation}
Finally, we can bound the adversary's advantage at guessing the hidden bit
$b^*$. We isolate (we hope) the challenge session $S$ by choosing a target
-session at random, as before. Let $K_* = H_K(Z_S)$ be the key agreed by the
+session at random, as before. Let $K^* = H_K(Z_S)$ be the key agreed by the
session (if it becomes ripe). We define an adversary $B$ against the IND-CCA
security of $\E$. The adversary $B$ simulates the game. If the adversary
exposes the target session, or doesn't choose it as the challenge session,
\end{document}
-%%% Local Variables:
+%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
-%%% End:
+%%% End:
~mdw / doc / wrestlers / commitdiff