From: Mark Wooding Date: Thu, 2 Nov 2006 22:13:52 +0000 (+0000) Subject: paper: Fix description of Stinson-Wu protocol. X-Git-Url: https://git.distorted.org.uk/~mdw/doc/wrestlers/commitdiff_plain/8b8b883978ff98f5d9edc60f1bf6771b3d66b617 paper: Fix description of Stinson-Wu protocol. They don't hash the challenge value. They ought to (it makes the reduction more efficient if you consider multiple challenges), and they did in the first version, I'm sure. --- diff --git a/wrestlers.tex b/wrestlers.tex index 2ee5702..44a8a5d 100644 --- a/wrestlers.tex +++ b/wrestlers.tex @@ -1789,9 +1789,9 @@ Our protocol is similar to a recent proposal by Stinson and Wu prover's private key is $a \inr \Nupto{q}$ and her public key is $\alpha = \gamma^a$. In their protocol, the challenger chooses $r \inr \Nupto{q}$, computes $\rho = \gamma^r$ and $\psi = \alpha^r$, and sends a challenge -$(\rho, H(\rho, \psi))$. The prover checks that $\rho^q \ne 1$, computes -$\psi = \rho^a$, checks the hash, and sends $\psi$ back by way of response. -They prove their protocol's security in the random-oracle model. +$(\rho, H(\psi))$. The prover checks that $\rho^q \ne 1$, computes $\psi = +\rho^a$, checks the hash, and sends $\psi$ back by way of response. They +prove their protocol's security in the random-oracle model. Both the Wrestlers protocol and Stinson-Wu require both prover and verifier to compute two exponentiations (or scalar multiplications) each. The @@ -1818,7 +1818,7 @@ extractor. The KEA assumption as stated in \cite{Stinson:2006:EST} allows the extractor to fail with some negligible probability, over and above the probability that -a dishonest verifier managed to guess the correct $h = H(\rho, \psi)$ without +a dishonest verifier managed to guess the correct $h = H(\psi)$ without making this random-oracle query. Not only does our protocol achieve zero- knowledge without the KEA, our extractor is, in this sense, `perfect'.