prover's private key is $a \inr \Nupto{q}$ and her public key is $\alpha =
\gamma^a$. In their protocol, the challenger chooses $r \inr \Nupto{q}$,
computes $\rho = \gamma^r$ and $\psi = \alpha^r$, and sends a challenge
-$(\rho, H(\rho, \psi))$. The prover checks that $\rho^q \ne 1$, computes
-$\psi = \rho^a$, checks the hash, and sends $\psi$ back by way of response.
-They prove their protocol's security in the random-oracle model.
+$(\rho, H(\psi))$. The prover checks that $\rho^q \ne 1$, computes $\psi =
+\rho^a$, checks the hash, and sends $\psi$ back by way of response. They
+prove their protocol's security in the random-oracle model.
Both the Wrestlers protocol and Stinson-Wu require both prover and verifier
to compute two exponentiations (or scalar multiplications) each. The
The KEA assumption as stated in \cite{Stinson:2006:EST} allows the extractor
to fail with some negligible probability, over and above the probability that
-a dishonest verifier managed to guess the correct $h = H(\rho, \psi)$ without
+a dishonest verifier managed to guess the correct $h = H(\psi)$ without
making this random-oracle query. Not only does our protocol achieve zero-
knowledge without the KEA, our extractor is, in this sense, `perfect'.