They don't hash the challenge value. They ought to (it makes the
reduction more efficient if you consider multiple challenges), and they
did in the first version, I'm sure.
prover's private key is $a \inr \Nupto{q}$ and her public key is $\alpha =
\gamma^a$. In their protocol, the challenger chooses $r \inr \Nupto{q}$,
computes $\rho = \gamma^r$ and $\psi = \alpha^r$, and sends a challenge
prover's private key is $a \inr \Nupto{q}$ and her public key is $\alpha =
\gamma^a$. In their protocol, the challenger chooses $r \inr \Nupto{q}$,
computes $\rho = \gamma^r$ and $\psi = \alpha^r$, and sends a challenge
-$(\rho, H(\rho, \psi))$. The prover checks that $\rho^q \ne 1$, computes
-$\psi = \rho^a$, checks the hash, and sends $\psi$ back by way of response.
-They prove their protocol's security in the random-oracle model.
+$(\rho, H(\psi))$. The prover checks that $\rho^q \ne 1$, computes $\psi =
+\rho^a$, checks the hash, and sends $\psi$ back by way of response. They
+prove their protocol's security in the random-oracle model.
Both the Wrestlers protocol and Stinson-Wu require both prover and verifier
to compute two exponentiations (or scalar multiplications) each. The
Both the Wrestlers protocol and Stinson-Wu require both prover and verifier
to compute two exponentiations (or scalar multiplications) each. The
The KEA assumption as stated in \cite{Stinson:2006:EST} allows the extractor
to fail with some negligible probability, over and above the probability that
The KEA assumption as stated in \cite{Stinson:2006:EST} allows the extractor
to fail with some negligible probability, over and above the probability that
-a dishonest verifier managed to guess the correct $h = H(\rho, \psi)$ without
+a dishonest verifier managed to guess the correct $h = H(\psi)$ without
making this random-oracle query. Not only does our protocol achieve zero-
knowledge without the KEA, our extractor is, in this sense, `perfect'.
making this random-oracle query. Not only does our protocol achieve zero-
knowledge without the KEA, our extractor is, in this sense, `perfect'.