Beginnings of an RFC.

[tripe] / doc / wrestlers.tex

%%% -*-latex-*-
%%%
%%% $Id: wrestlers.tex,v 1.3 2001/06/22 19:41:31 mdw Exp $
%%%
%%% Description of the Wrestlers Protocol
%%%
%%% (c) 2001 Mark Wooding
%%%

%%%----- Revision history ---------------------------------------------------
%%%
%%% $Log: wrestlers.tex,v $
%%% Revision 1.3  2001/06/22 19:41:31  mdw
%%% Restart with different structure and rather more formal objectives.
%%%
%%% Revision 1.2  2001/02/22 09:09:05  mdw
%%% Partially through reworking.
%%%
%%% Revision 1.1  2001/02/16 21:43:33  mdw
%%% Initial versions of documentation.
%%%

\documentclass{article}
\usepackage{amssymb}
\usepackage{amstext}

\errorcontextlines=999
\makeatletter

\title{The Wrestlers Protocol: proof-of-receipt and secure key exchange}
\author{Mark Wooding \and Clive Jones}

\bibliographystyle{alpha}

\newtheorem{theorem}{Theorem}
\newenvironment{proof}[1][Proof]{%
  \par\noindent\textbf{#1.} %
}{%
  \penalty\@M\hfill\vadjust{}%
  \penalty\z@\relax\vadjust{}%
  \penalty\@M\hfill$\square$%
  \par%
}

\begin{document}

\maketitle
\begin{abstract}
  Fill this in later.
\end{abstract}
\tableofcontents
\newpage

%%%--------------------------------------------------------------------------

\section{Introduction}
% Some waffle here about the desirability of a key-exchange protocol that
% doesn't leave signatures lying around, followed by an extended report of
% the various results.

%%%--------------------------------------------------------------------------

\section{A simple authentication protocol}
% Present the basic Diffie-Hellman-based authenticator, and prove that an
% authentication oracle is useless if the hash function has appropriate
% properties.

Suppose that $G$ is some cyclic group of order $q$, generated by an element
$g$, in which the decision Diffie-Hellman problem \cite{Boneh:1998:DDP} is
hard.  Alice can choose a private key $1 < \alpha < q$ and publish her
corresponding public key $A = g^\alpha$.  Later, Bob can verify that he's
talking to Alice by choosing a random $1 < \beta < q$ and sending Alice a
\emph{challenge} $B = g^\beta$.  If she replies with $B^\alpha$, Bob accepts
that he's talking to Alice, otherwise he doesn't.

%%%--------------------------------------------------------------------------

\section{An MT-authenticator}
% Use the protocol of the previous section as an MT-authenticator, within the
% meaning of [Canetti:2001:AKE].

%%%--------------------------------------------------------------------------

\section{A key-exchange protocol}
% Present the Wrestlers protocol in all its glory.  Show, by means of the
% previous proofs, that the Wrestlers protocol is simulatable in the
% authenticated model using a much simpler protocol.  Show that the simpler
% protocol is SK-secure.

%%%----- That's all, folks --------------------------------------------------

\bibliography{cryptography,mdw-crypto}
\end{document}

%%% Local Variables: 
%%% mode: latex
%%% TeX-master: "wrestlers"
%%% End: