%%% -*-latex-*-
%%%
-%%% $Id: wrestlers.tex,v 1.4 2001/06/29 19:36:05 mdw Exp $
+%%% $Id: wrestlers.tex,v 1.5 2002/01/13 14:55:31 mdw Exp $
%%%
%%% Description of the Wrestlers Protocol
%%%
%%%----- Revision history ---------------------------------------------------
%%%
%%% $Log: wrestlers.tex,v $
+%%% Revision 1.5 2002/01/13 14:55:31 mdw
+%%% More incomplete stuff.
+%%%
%%% Revision 1.4 2001/06/29 19:36:05 mdw
%%% Some progress made on laptop.
%%%
%%% Initial versions of documentation.
%%%
-\documentclass[a4paper]{article}
-\usepackage{a4wide}
-\usepackage{amssymb}
-\usepackage{amstext}
-\usepackage{mdwtab}
+\newif\iffancystyle\fancystylefalse
+
+\iffancystyle
+ \documentclass
+ [a4paper, article, 10pt, numbering, noherefloats, notitlepage]
+ {strayman}
+ \usepackage[palatino, helvetica, courier, maths=cmr]{mdwfonts}
+ \usepackage[margin]{amsthm}
+\else
+ \documentclass[a4paper]{article}
+ \usepackage{a4wide}
+ \usepackage{amsthm}
+\fi
+
+\usepackage{amssymb, amstext}
+\usepackage{mdwtab, mathenv}
\errorcontextlines=999
+\showboxbreadth=999
+\showboxdepth=999
\makeatletter
\title{The Wrestlers Protocol: proof-of-receipt and secure key exchange}
\bibliographystyle{alpha}
\newtheorem{theorem}{Theorem}
-\newenvironment{proof}[1][Proof]{%
- \par\noindent\textbf{#1}\ %
-}{%
- \penalty\@M\hfill\vadjust{}%
- \penalty\z@\relax\vadjust{}%
- \penalty\@M\hfill$\square$%
- \par%
-}
-
-\newcommand{\rgets}{\stackrel{\scriptscriptstyle R}{\gets}}
+\renewcommand{\qedsymbol}{$\square$}
+
+\newcommand{\getsr}{\stackrel{\scriptscriptstyle R}{\gets}}
+\newcommand{\inr}{\in_{\scriptscriptstyle R}}
\newcommand{\oracle}[1]{\mathcal{#1}}
\newcommand{\expt}[2]{\mathbf{Exp}^{\text{\normalfont#1}}_{#2}}
\newcommand{\adv}[2]{\mathbf{Adv}^{\text{\normalfont#1}}_{#2}}
\newcommand{\ord}{\mathop{\operator@font ord}}
-\newcommand{\poly}{\mathrm{poly}}
+\newcommand{\poly}[1]{\mathop{\operator@font poly}({#1})}
+\newcommand{\negl}[1]{\mathop{\operator@font negl}({#1})}
\newcommand{\compind}{\stackrel{c}{\approx}}
\newcolumntype{G}{p{0pt}}
+\newcommand{\xor}{\oplus}
+\renewcommand{\epsilon}{\varepsilon}
+
\newenvironment{program}
- {\begin{tabbing}}
- {\end{tabbing}}
+ {\begin{tabular}[C]{|G|}\hlx{hv[][\tabcolsep]}\begin{tabbing}}
+ {\end{tabbing}\\\hlx{v[][\tabcolsep]h}\end{tabular}}
\begin{document}
% authentication oracle is useless if the hash function has appropriate
% properties.
-We start by introducing a simple proof-of-identity protocol, based on the
+We begin by introducing a simple proof-of-identity protocol, based on the
Diffie-Hellman key-exchange protocol \cite{Diffie:1976:NDC} and prove some of
its useful properties.
\subsection{Introduction}
-Suppose that $G$ is some cyclic group of prime order $q$, generated by an
-element $g$, in which the decision Diffie-Hellman problem
-\cite{Boneh:1998:DDP} is hard.
+We start by selecting a security parameter $k$. We choose a cyclic group $G
+= \langle g \rangle$ with $q = |G|$ prime, in which the decision
+Diffie-Hellman problem is assumed to be hard \cite{Boneh:1998:DDP}; we
+require that $q$ is a $k$-bit number. Suitable groups include elliptic
+curves over finite fields and prime-order subgroups of prime fields.
+Throughout, we shall write the group operation as multiplication, and we
+shall assume that group elements are interchangeable with their binary
+representations.
-Alice can choose a private key $1 < \alpha < q$ and publish her corresponding
-public key $A = g^\alpha$.
+Alice can choose a private key $\alpha$ from the set $\{ 1, 2, \ldots, q - 1
+\}$ and publish her corresponding public key $a = g^\alpha$.
A simplistic proof-of-identity protocol might then proceed as follows:
\begin{enumerate}
-\item Bob chooses a random exponent $1 < \beta < q$, and sends a
- \emph{challenge} $B = g^\beta$ to Alice.
-\item Alice computes $B^\alpha$ and returns it to Bob.
-\item If Alice's response is equal to $A^\beta$ then Bob is satisfied.
+\item Bob chooses a random exponent $\beta$, also from $\{ 1, 2, \ldots, q -
+ 1 \}$, and sends a \emph{challenge} $b = g^\beta$ to Alice.
+\item Alice computes her \emph{response} $b^\alpha$ and returns it to Bob.
+\item If Alice's response is equal to $a^\beta$ then Bob is satisfied.
\end{enumerate}
-This is evidently secure if the Diffie-Hellman problem is hard: computing
-$g^{\alpha\beta}$ given $g^\alpha$ and $g^\beta$ is precisely the
-Diffie-Hellman problem.
+If Bob always plays by the rules then this protocol is evidently secure,
+since computing $g^{\alpha\beta}$ given $g^\alpha$ and $g^\beta$ is precisely
+the Diffie-Hellman problem.
This protocol has a flaw, though: by using Alice as an oracle for the
function $x \mapsto x^\alpha$, he could conceivably acquire information about
$(-g^\beta)^\alpha = g^{\alpha\beta}$, Bob can conclude that $\alpha$ is
even.
-We fix this protocol by requiring that Bob prove that he already knows the
-answer to his challenge. Instead of sending just his challenge $B$, he sends
-the pair $(B, h(A^\beta))$ for some function $h$: Alice verifies that
-$h(B^\alpha) = h(A^\beta)$ before returning her response. We need to choose
-the function $h$ such that
-\begin{itemize}
-\item $h$ is one-way, so that providing $h(A^\beta)$ doesn't provide an
- impersonator with an additional clue to guessing the correct response; and
-\item providing $h(A^\beta)$ is hard without previously knowing the value of
- $A^\beta$.
-\end{itemize}
-
-\subsection{Analysis}
-
-We now examine the protocol in a more formal setting, with the objective of
-characterizing our requirements for the function $\oracle{H}$. Fix a
-\emph{group description} $\mathcal{G} = (G, q, g)$, where $G$ is a cyclic
-group of prime order $q$ generated by $g \in G$, and a function
-$\oracle{H}\colon \{ 0, 1 \}^* \to \{ 0, 1 \}^L$. Define the
-\emph{authentication oracle} $\oracle{O}_{\mathcal{G}, \oracle{H}}(\alpha, x,
-h)$, where $\alpha \in \mathbb{Z} / q \mathbb{Z}$, $x \in g$ and $h \in \{ 0,
-1 \}^L$, to return $x^\alpha$ if $h = \oracle{H}(x^\alpha)$ and the symbol
-$\bot$ otherwise.
-
-We introduce two experiments:
-\begin{tabular}[C]{@{}G|G@{}}
- \begin{program}
- \quad \= \quad \= \kill
- Experiment $\expt{uni-cca}{A_{\text{cca}}, \oracle{H}}(\mathcal{G})$ \\
- \> $\alpha, \tau \rgets \mathbb{Z}/q\mathbb{Z}$; \\
- \> $R \gets
- A_{\text{cca}}
- ^{\oracle{O}_{\mathcal{G}, \oracle{H}}(\alpha, \cdot, \cdot),
- \oracle{H}
- (\cdot)}
- (g^\alpha, g^\tau, \oracle{H}(g^{\alpha\tau}))$; \\
- \> \textbf{if} $R = g^{\alpha\tau}$ \textbf{then} \textbf{return} $1$; \\
- \> \textbf{else} \textbf{return} $0$;
- \end{program}
- &
- \begin{program}
- \quad \= \quad \= \kill
- Experiment $\expt{uni-no}{A}(\mathcal{G})$ \\
- \> $\alpha, \tau \rgets \mathbb{Z}/q\mathbb{Z}$; \\
- \> $R \gets A(g^\alpha, g^\tau)$; \\
- \> \textbf{if} $R = g^{\alpha\tau}$ \textbf{then} \textbf{return} $1$; \\
- \> \textbf{else} \textbf{return} $0$;
- \end{program}
-\end{tabular}
-We mandate that the adversary $A_{\text{cca}}$ never query its authentication
-oracle with the test challenge $g^\tau$.
-
-We will consider a function $\oracle{H}$ to be suitable for our purposes if
-for any adversary $A_{\text{cca}}$, there is an adversary $A$ for which the
-distributions of $\expt{uni-cca}{A_{\text{cca}}, \oracle{H}}(\mathcal{G})$
-and $\expt{uni-no}{A}(\mathcal{G})$ are computationally indistinguishable.
-Intuitively, this means that the authentication oracle isn't useful in
-attacking the protocol: any adversary which has access to an oracle can be
-replaced by one which has approximately the same probability of success but
-without oracle access.
-
-We first prove that a random oracle \cite{Bellare:1993:ROP} makes a
-`suitable' function.
+We fix the protocol by requiring that Bob prove that he already knows the
+answer to his challenge. We introduce a hash function $h$ whose properties
+we shall investigate later. The \emph{Wrestlers Authentication Protocol} is
+then:
+\begin{enumerate}
+\item Bob chooses a secret $\beta \getsr \{ 1, 2, \ldots, q - 1 \}$. He
+ computes his \emph{challenge} $b \gets g^\beta$ and also a \emph{check
+ value} $c \gets \beta \xor h(a^\beta)$. He sends the pair $(b, c)$.
+\item Alice receives $(b', c')$. She computes $r \gets b'^\alpha$ and
+ $\gamma \gets c' \xor h(R)$. If $b' = g^\gamma$, she sends $r$ back as her
+ \emph{response}; otherwise she sends the distinguished value $\bot$.
+\item Bob receives $r'$. If $r' = a^\beta$ then he accepts that he's talking
+ to Alice.
+\end{enumerate}
+We show that the introduction of the check value has indeed patched up the
+weakness described above, and that the check value itself hasn't made an
+impersonator's job much easier.
+
+\subsection{Analysis in the random oracle model}
+
+Here, we prove that the Wrestlers Authentication Protocol is secure if $h$ is
+implemented by a public \emph{random oracle} \cite{Bellare:1993:ROP}.
+
+Fix a private key $\alpha \inr \{ 1, 2, \ldots, q - 1\}$ and the corresponding public
+key $a = g^\alpha$, and consider a probabilistic polynomial-time adversary
+$A$, equipped with two oracles. One is a random oracle $\oracle{H}\colon
+\{0, 1\}^* \to \{0, 1\}^k$, which implements a function $h$ randomly selected
+from the set of all functions with that signature; the other is an
+authentication oracle $\oracle{O}\colon G \times \{0, 1\}^k \to G \cup \{
+\bot \}$ defined by:
+\[
+\oracle{O}^(b, c) = \begin{cases}
+ b^\alpha & if $b = g^{c \xor h(b^\alpha)}$ \\
+ \bot & otherwise
+\end{cases}
+\]
+The authentication oracle will play the part of Alice in the following. We
+first show that access to this authentication oracle can't help an adversary
+learn how to impersonate Alice.
\begin{theorem}
- If $\oracle{H}$ is a random oracle with $L$-bit output, where $L$ is some
- polynomial function of the length of $q$, then, for any adversary
- $A_{\text{cca}}$, there exists an adversary $A$ such that
- \[ \expt{uni-cca}{A_{\text{cca}}, \oracle{H}}(\mathcal{G})
- \compind \expt{uni-no}{A}(\mathcal{G}) \]
+ The Wrestlers Authentication Protocol with random oracle is computational
+ zero knowledge \cite{Brassard:1989:SZK}.
+ \label{thm:wap-czk}
\end{theorem}
\begin{proof}
- The idea behind the proof is that we construct an adversary $A$ in terms of
- the given adversary $A_{\text{cca}}$ with the same output in all but
- negligibly few cases.
-
- Our adversary $A$ isn't provided with either oracle supplied to
- $A_{\text{cca}}$.
+ \newcommand{\Hlist}{\textit{$\oracle{H}$-list}}
+ \newcommand{\Hsim}{\textit{$\oracle{H}$-sim}}
+ \newcommand{\Osim}{\textit{$\oracle{O}$-sim}}
+ \renewcommand{\H}{\oracle{H}}
+ \renewcommand{\O}{\oracle{O}}
+ %
+ Let $A$ be any probabilistic polynomial-time adversary with access to a
+ random. We shall construct a probabilistic polynomial-time adversary $A'$
+ without either oracle such that the probability distributions on the output
+ of $A$ and $A'$ are equal. Specifically, $A'$ runs $A$ with simulated
+ random and authentication oracles whose behaviour is computationally
+ indistinguishable from the originals. The algorithm for $A'$ and the
+ simulated oracles is shown in figure~\ref{fig:wap-czk-sim}.
+
+ \begin{figure}
+ \begin{program}
+ \quad \= \kill
+ Adversary $A'^{\H(\cdot)}$: \+ \\
+ $\Hlist \gets \emptyset$; \\
+ $r \gets A^{\Hsim(\cdot), \Osim(\cdot, \cdot)}$; \\
+ \textbf{return} $r$; \- \\[\medskipamount]
+ %
+ Simulated random oracle $\Hsim(q)$: \+ \\
+ \textbf{if} $\exists r : (q, r) \in \Hlist$ \textbf{then}
+ \textbf{return} $r$; \\
+ $r \getsr \H(q)$; \\
+ $\Hlist \gets \Hlist \cup \{ (q, r) \}$; \\
+ \textbf{return} $r$; \- \\[\medskipamount]
+ %
+ Simulated authentication oracle $\Osim(b, c)$: \+ \\
+ \textbf{if} $\exists q, r : (q, r) \in \Hlist \wedge
+ b = g^{c \xor r} \wedge
+ q = a^{c \xor r}$ \textbf{then}
+ \textbf{return} $a^{c \xor r}$; \\
+ \textbf{else} \textbf{return} $\bot$;
+ \end{program}
+ %
+ \caption{The algorithm and simulated oracles for the proof of
+ theorem~\ref{thm:wap-czk}.}
+ \label{fig:wap-czk-sim}
+ \end{figure}
- Simulating the random oracle is easy. $A$ maintains a table, initially
- empty, of pairs $(q, r)$. When the oracle is invoked on input $q$, we look
- it up in the table: if there is some entry $(q, r)$, it returns $r$;
- otherwise we toss coins to choose a new output $r$ and add $(q, r)$ to the
- table. This is obviously a polynomial-time activity, since
- $A_{\text{cca}}$ makes only polynomially many queries, and answering each
- one takes polynomial time.
+ Firstly we show that $A'$ runs in polynomial time. The only modifications
+ to $\Hlist$ are in $\Hsim$, which adds at most one element for each oracle
+ query. Since $\Hlist$ is initially empty and $A$ can only make $\poly{k}$
+ queries to $\Hsim$, this implies that $|\Hlist|$ is always
+ polynomially-bounded. Each query can be answered in polynomial time:
+ indeed, the search implied by the test $\exists r : (q, r) \in \Hlist$ can
+ be performed in $O(\log q)$ time by indexing $\Hlist$ on $q$ using a radix
+ tree. Now, since $|\Hlist|$ is polynomially bounded, the test $\exists q,
+ r : (q, r) \in \Hlist \wedge b = g^{c \xor r} \wedge q = a^{c \xor r}$ at
+ the start of $\Osim$ runs in polynomial time even though it requires an
+ exhaustive search of the history of $A$'s queries to its simulated random
+ oracle.
- The authentication oracle is a little harder. Suppose $A_{\text{cca}}$
- makes a query $(x, h)$. If there is an entry $(q, h)$ in the random oracle
- table, the authentication oracle returns $q$; otherwise it returns $\bot$.
-
- It remains to show that this is a valid thing to do.
+ Next, we examine the behaviour of the simulated oracles. Since $\Hsim$ is
+ implemented in terms of the public random oracle $\H$, and returns the same
+ answers to queries, its probability distribution must be identical.
+
+ We turn our attention to the simulation of the authentication oracle.
+ Consider a query $(b, c)$ made by $A$ to its authentication oracle.
+
+ Firstly, suppose that there is a $\beta$ such that $b = g^\beta$ and $c =
+ \beta \xor r$ where $r$ is the response to a previous query made by $A$ to
+ its random oracle on $a^\beta$. Then the true authentication oracle $\O$
+ is satisfied because $b = g^\beta = g^{c \xor r} = g^{c \xor h(a^\beta)} =
+ g^{c \xor h(b^\alpha)}$, and returns $b^\alpha$. Similarly, the simulated
+ authentication oracle $\Osim$ will find the pair $(a^\beta, r) \in \Hlist$,
+ recover $\beta = c \xor r$, confirm that $b = g^\beta$, and return
+ $a^\beta$ as required. These events all occur with probability 1.
+
+ Conversely, suppose that there is no such $\beta$. Then the simulated
+ oracle $\Osim$ will reject the query, returning $\bot$, again with
+ probability 1. However, a genuine authentication oracle $\O$ will succeed
+ and return $b^\alpha$ with probability $2^{-k}$. To see this, note that $b
+ = g^\gamma$ for some $\gamma \in \{ 0, 1, \ldots, q - 1 \}$, and the
+ probability that $h(b^\alpha) = c \xor \gamma$ is precisely $2^{-k}$, since
+ $c$ and $\gamma$ are $k$-bit strings. Since this probability is
+ negligible, we have shown that the distributions of the simulated oracles
+ $\Hsim$ and $\Osim$ are computationally indistinguishable from the genuine
+ oracles $\H$ and $\O$. The theorem follows.
\end{proof}
+Our next objective is to show that pretending to be Alice is hard without
+knowledge of her secret $\alpha$. We say that an adversary $A$
+\emph{impersonates} in the Wrestlers Authentication Protocol with probability
+$\epsilon$ if
+\[ \Pr[A^{\oracle{H}(\cdot)}(g^\alpha, g^\beta,
+ \beta \xor h(g^{\alpha\beta}))
+ = g^{\alpha\beta}]
+ = \epsilon
+\]
+where the probability is taken over all choices of $\alpha, \beta \in \{ 1,
+2, \ldots, q - 1 \}$ and random oracles $\oracle{H}$.
+\begin{theorem}
+ Assuming that the Diffie-Hellman problem is hard in $G$, no probabilistic
+ polynomial-time adversary can impersonate in the Wrestlers Authentication
+ Protocol with random oracle with better than negligible probability.
+ \label{thm:wap-dhp}
+\end{theorem}
+\begin{proof}
+ \newcommand{\Hlist}{\textit{$\oracle{H}$-list}}
+ \newcommand{\Hqueries}{\textit{$\oracle{H}$-queries}}
+ \newcommand{\Hsim}{\textit{$\oracle{H}$-sim}}
+ \renewcommand{\H}{\oracle{H}}
+ %
+ We prove the theorem by contradiction. Given a polynomial-time adversary
+ $A$ which impersonates Alice with non-negligible probability $\epsilon$, we
+ construct an adversary which solves the Diffie-Hellman problem with
+ probability no less than $\epsilon \poly{k}$, i.e.,
+ \[ \Pr[A'(g^\alpha, g^\beta) = g^{\alpha\beta}] \ge \epsilon \poly{k}. \]
+ Thus, if there is any polynomial-time $A$ which impersonates with better
+ than negligible probability, then there is a polynomial-time $A'$ which
+ solves Diffie-Hellman with essentially the same probability, which would
+ violate our assumption of the hardness of Diffie-Hellman.
+
+ The idea behind the proof is that the check value is only useful to $A$
+ once it has discovered the correct response to the challenge, which it must
+ have done by solving the Diffie-Hellman problem. Hence, our Diffie-Hellman
+
+ \begin{figure}
+ \begin{program}
+ \quad \= \kill
+ Adversary $A'(a, b)$: \+ \\
+ $\Hlist \gets \emptyset$; \\
+ $\Hqueries \gets \emptyset$; \\
+ $r \getsr \{ 0, 1 \}^k$; \\
+ $x \gets A^{\Hsim(\cdot)}(a, b, r)$; \\
+ $c \getsr (\Hlist \cup \{ x \}) \cap G$; \\
+ \textbf{return} $c$; \- \\[\medskipamount]
+ %
+ Simulated random oracle $\Hsim(q)$: \+ \\
+ \textbf{if} $\exists r : (q, r) \in \Hlist$
+ \textbf{then} \textbf{return} $r$; \\
+ $r \gets \{ 0, 1 \}^k$; \\
+ $\Hlist \gets \Hlist \cup \{ (q, r) \}$; \\
+ $\Hqueries \gets \Hqueries \cup \{ q \}$; \\
+ \textbf{return} $r$;
+ \end{program}
+ %
+ \caption{The algorithm for the proof of theorem~\ref{thm:wap-dhp}}
+ \label{fig:wap-dhp-rdc}
+ \end{figure}
+
+ The adversary $A'$ is shown in figure~\ref{fig:wap-dhp-rdc}. It generates
+ a random check-value and runs the impersonator $A$.
+
+ The simulated random oracle $\Hsim$ gathers together the results of all of
+ the random oracle queries made by $A$. The final result returned by $A'$
+ is randomly chosen from among all of the `plausible' random oracle queries
+ and $A$'s output, i.e., those queries which are actually members of the
+ group. The check value given to $A$ is most likely incorrect (with
+ probability $1 - 2^{-k}$): the intuition is that $A$ can only notice if it
+ actually computes the right answer and then checks explicitly.
+
+ If $A$ does compute the correct answer $g^{\alpha\beta}$ and either returns
+ it or queries $\Hsim$ on it, then $A'$ succeeds with probability $\epsilon
+ / |(\Hlist \cup \{ x \}) \cap G| = \epsilon \poly{k}$, since $|\Hlist|$ is
+ no greater than the number of random oracle queries made by $A$ (which must
+ be polynomially bounded).\footnote{%
+ This polynomial factor introduces a loss in the perceived security of the
+ authentication protocol. It appears that this loss is only caused by the
+ possibility of the adversary $A$ being deliberately awkward and checking
+ the value of $c$ after having computed the answer. However, we can't see
+ a way to improve the security bound on the scheme without imposing
+ artificial requirements on $A$.} %
+
+ It remains to show that if $A$ never queries its random oracle on
+ $g^{\alpha\beta}$ then it cannot distinguish the random check value $r$
+ from the correct one $\beta \xor \H(g^{\alpha\beta})$, and hence won't
+ notice that $A'$ is lying to it. But this is obvious: $A$'s probability of
+ guessing the random value that would have been returned had it actually
+ queried $\Hsim$ on the input $g^{\alpha\beta}$ is equal to the probability
+ of it guessing $\beta \xor r$ instead, since $\Hsim$ chooses its responses
+ uniformly at random. This completes the proof.
+\end{proof}
+We conclude here that the Wrestlers Authentication Protocol is a secure
+authentication protocol in the random oracle model: impersonation is hard if
+the Diffie-Hellman problem is hard, and proving one's identity doesn't leak
+secret key information.
+\subsection{Requirements on hash functions}
+Having seen that the Wrestlers Authentication Protocol is secure in the
+random oracle model, we now ask which properties we require from the hash
+function. This at least demonstrates that the protocol isn't deeply flawed,
+and suggests an efficient implementation in terms of conventional hash
+functions.
+Here we investigate more carefully the properties required of the hash
+function, and provide a more quantitative analysis of the protocol.
+Looking at the proofs of the previous two sections, we see that the random
+oracles are mainly a device which allow our constructions to `grab hold' of
+the hashing operations performed by the adversary.
+%%%--------------------------------------------------------------------------
+\section{A key-exchange protocol}
+% Present the Wrestlers protocol in all its glory. Show, by means of the
+% previous proofs, that the Wrestlers protocol is simulatable in the
+% authenticated model using a much simpler protocol. Show that the simpler
+% protocol is SK-secure.
+% messages
+%
+% pre-challenge: g^b
+% cookie: g^b, h(cookie, g^b')
+% challenge: g^b, h(g^b'), b + h(reply-check, g^b, g^b', g^ab')
+% reply: g^b, h(g^b'), b + h(reply-check, g^b, g^b', g^ab'), E_k(g^a'b)
+% switch: h(g^b), h(g^b'), E_k(g^a'b, h(switch-request, g^a, g^a'))
+% switch-ok: E_k(g^ab, h(switch-confirm, g^a, g^a'))begin{
-%%%--------------------------------------------------------------------------
+We now describe the full Wrestlers Protocol, in a multi-party setting. Fix a
+cyclic group $G = \langle g \rangle$ of order $q = |G|$. Each player $P_i$
+chooses a private key $\alpha_i \in \{ 1, 2, \ldots, q - 1 \}$ and publishes
+the corresponding public key $a_i = g^{\alpha_i}$ to the other players.
-\section{An MT-authenticator}
-% Use the protocol of the previous section as an MT-authenticator, within the
-% meaning of [Canetti:2001:AKE].
-%%%--------------------------------------------------------------------------
-\section{A key-exchange protocol}
-% Present the Wrestlers protocol in all its glory. Show, by means of the
-% previous proofs, that the Wrestlers protocol is simulatable in the
-% authenticated model using a much simpler protocol. Show that the simpler
-% protocol is SK-secure.
%%%----- That's all, folks --------------------------------------------------
%%% Local Variables:
%%% mode: latex
%%% TeX-master: "wrestlers"
-%%% End:
+%%% End: