paper: Fix description of Stinson-Wu protocol.

They don't hash the challenge value.  They ought to (it makes the
reduction more efficient if you consider multiple challenges), and they
did in the first version, I'm sure.

diff --git a/wrestlers.tex b/wrestlers.tex
index 2ee5702..44a8a5d 100644 (file)
--- a/wrestlers.tex
+++ b/wrestlers.tex
@@ -1789,9 +1789,9 @@ Our protocol is similar to a recent proposal by Stinson and Wu
 prover's private key is $a \inr \Nupto{q}$ and her public key is $\alpha =
 \gamma^a$.  In their protocol, the challenger chooses $r \inr \Nupto{q}$,
 computes $\rho = \gamma^r$ and $\psi = \alpha^r$, and sends a challenge
-$(\rho, H(\rho, \psi))$.  The prover checks that $\rho^q \ne 1$, computes
-$\psi = \rho^a$, checks the hash, and sends $\psi$ back by way of response.
-They prove their protocol's security in the random-oracle model.
+$(\rho, H(\psi))$.  The prover checks that $\rho^q \ne 1$, computes $\psi =
+\rho^a$, checks the hash, and sends $\psi$ back by way of response.  They
+prove their protocol's security in the random-oracle model.
 
 Both the Wrestlers protocol and Stinson-Wu require both prover and verifier
 to compute two exponentiations (or scalar multiplications) each.  The
@@ -1818,7 +1818,7 @@ extractor.
 
 The KEA assumption as stated in \cite{Stinson:2006:EST} allows the extractor
 to fail with some negligible probability, over and above the probability that
-a dishonest verifier managed to guess the correct $h = H(\rho, \psi)$ without
+a dishonest verifier managed to guess the correct $h = H(\psi)$ without
 making this random-oracle query.  Not only does our protocol achieve zero-
 knowledge without the KEA, our extractor is, in this sense, `perfect'.