%%% -*-latex-*-
%%%
-%%% $Id: wrestlers.tex,v 1.2 2001/02/22 09:09:05 mdw Exp $
-%%%
%%% Description of the Wrestlers Protocol
%%%
%%% (c) 2001 Mark Wooding
%%%
-%%%----- Revision history ---------------------------------------------------
-%%%
-%%% $Log: wrestlers.tex,v $
-%%% Revision 1.2 2001/02/22 09:09:05 mdw
-%%% Partially through reworking.
-%%%
-%%% Revision 1.1 2001/02/16 21:43:33 mdw
-%%% Initial versions of documentation.
-%%%
+\newif\iffancystyle\fancystyletrue
+
+\iffancystyle
+ \documentclass
+ [a4paper, article, 10pt, numbering, noherefloats, notitlepage]
+ {strayman}
+ \usepackage[palatino, helvetica, courier, maths=cmr]{mdwfonts}
+ \usepackage[mdwmargin]{mdwthm}
+ \PassOptionsToPackage{dvips}{xy}
+\else
+ \documentclass{llncs}
+\fi
+
+\usepackage{mdwtab, mathenv, mdwlist, mdwmath, crypto}
+\usepackage{amssymb, amstext}
+\usepackage{tabularx}
+\usepackage{url}
+\usepackage[all]{xy}
+
+\errorcontextlines=999
+\showboxbreadth=999
+\showboxdepth=999
+\makeatletter
-\documentclass{article}
-\usepackage{amssymb}
-\title{The Wrestlers Protocol}
-\author{Mark Wooding \\ Clive Jones}
-\def\from{\leftarrow}
+\title{The Wrestlers Protocol: proof-of-receipt and secure key exchange}
+\author{Mark Wooding \and Clive Jones}
+
+\bibliographystyle{mdwalpha}
+
+\newcolumntype{G}{p{0pt}}
+\def\Nupto#1{\N_{<{#1}}}
+\let\Bin\Sigma
+\let\epsilon\varepsilon
+\let\emptystring\lambda
+\def\bitsto{\mathbin{..}}
+\turnradius{4pt}
+\def\fixme{\marginpar{FIXME}}
+\def\messages{%
+ \basedescript{%
+ \desclabelwidth{2.5cm}%
+ \desclabelstyle\pushlabel%
+ \let\makelabel\cookie%
+ }%
+}
+\let\endmessages\endbasedescript
\begin{document}
\maketitle
-
\begin{abstract}
- We present a simple key-exchange protocol with of mutual authentication and
- perfect forward-secrecy, which doesn't leave any long-lasting evidence of
- participation in the exchange. The protocol's security depends on the
- intractability of the Diffie-Hellman problem (in some cyclic group), and on
- the strength of a hash function.
+ The Wrestlers Protocol\footnote{%
+ `The Wrestlers' is a pub in Cambridge which serves good beer and
+ excellent Thai food. It's where the authors made their first attempts at
+ a secure key-exchange protocol which doesn't use signatures.} %
+ is a key-exchange protocol with the interesting property that it leaves no
+ evidence which could be used to convince a third party that any of the
+ participants are involved. We describe the protocol and prove its security
+ in the random oracle model.
+
+ Almost incidentally, we provide a new security proof for the CBC encryption
+ mode. Our proof is much simpler than that of \cite{Bellare:2000:CST}, and
+ gives a slightly better security bound.
+
+ % I've not yet decided whose key-exchange model to use, but this ought to
+ % be mentioned.
\end{abstract}
+\tableofcontents
+\newpage
+
+%%%--------------------------------------------------------------------------
\section{Introduction}
+\label{sec:intro}
+% Some waffle here about the desirability of a key-exchange protocol that
+% doesn't leave signatures lying around, followed by an extended report of
+% the various results.
+
+%%%--------------------------------------------------------------------------
+
+\section{Preliminaries}
+\label{sec:prelim}
+% Here we provide definitions of the various kinds of things we use and make,
+% and describe some of the notation we use.
+
+\subsection{Bit strings}
+
+Most of our notation for bit strings is standard. The main thing to note is
+that everything is zero-indexed.
-Current key-agreement protocols are all very well for securing generally
-`honest' traffic (e.g., transmission of credit-card details to a merchant),
-but they're less satisfactory if you actually have something to hide.
-
-In the UK, new key exchange protocols have been particularly motivated by the
-new Regulation of Investigatory Powers Act, which allows `authorized persons'
-to intercept communications and demand long-term encryption keys.
-
-Let's suppose that Alice and Bob are shady characters, and that their
-communications are of great interest to the draconian r\'egime in which they
-live. (They might be international arms smugglers, for example, because they
-export cryptographic toolkits.)
-
-Alice could just invent a session key and transmit it to Bob, encrypted under
-his public key, each time she wanted to talk to him. However, once the
-secret police turn up at Bob's house and demand his private key, the game is
-over and all of the communications can be recovered.
-
-Alice and Bob would clearly be better off using a system which offers forward
-secrecy, for example, Diffie-Hellman. However, in order to prevent active
-attacks, the messages in the Diffie-Hellman exchange must be authenticated.
-The way this usually works is that Alice and Bob pick a group $G$ of order
-$q$ generated by $g$. When Alice and Bob want to communicate, they choose
-exponents $\alpha$ and $\beta$ respectively ($1 < \alpha, \beta < q$), Alice
-sends $S_A(g^\alpha)$ to Bob, Bob sends $S_B(g^\beta)$ to Alice, and, after
-verifying each other's signatures, they each compute a shared key $K =
-g^{\alpha \beta}$. They dispose of their secrets $\alpha$ and $\beta$
-forthwith, and destroy $K$ when the conversation finishes. Now the secret
-police can demand all they like: they still can't decrypt old sessions, and
-Alice and Bob, however badly tortured, can't help them. The secret police
-might not even be all owed to demand their long-term signing keys: for
-example, the RIPA grants special protection to authentication-only keys.
-
-This is fine, except that sending $S_A(g^\alpha)$ is a wonderful way of
-shouting `Alice was here' to all of the spooks tapping Bob's network
-connection. The Wrestlers Protocol\footnote{%
- Named after the excellent pub in Cambridge where most of the design was
- done.}
-fixes these problems. It provides perfect forward secrecy, just like
-Diffie-Hellman, without leaving signatures around for the spooks.
-
-
-\section{A simple authentication protocol}
-
-As a building-block, we construct a simple authentication protocol based on
-Diffie-Hellman key exchange. As before, let's use a group $G$ of order $q$
-(for some prime $q$), generated by a group element $g$.
-
-A Diffie-Hellman key exchange allows two parties to compute the same value,
-with different knowledge. We'll use this to make an authentication protocol.
-
-Alice chooses a private key $1 < a < q$. Her public key is $A = g^a$. She
-can prove her knowledge of $a$ to Bob like this:
-\begin{enumerate}
-\item Bob makes up a random $1 < \beta < q$. He sends a challenge $C =
- g^\beta$ to Alice.
-\item Alice computes the response $R = C^a = g^{a \beta}$. This would
- be the shared key if we were doing proper Diffie-Hellman, but we aren't.
- Instead, she just sends $R$ back to Bob.
-\item Bob checks that $R = A^\beta$. If it is, he accepts that the person
- he's talking to has Alice's private key, and hence is presumably Alice.
-\end{enumerate}
-
-This protocol has nice properties. It's not terribly difficult to implement,
-given the usual tools like modular exponentiation or elliptic curve
-point-addition.
-
-An eavesdropper -- let's call her Eve, for tradition's sake -- doesn't learn
-anything terribly interesting from watching the exchange. She sees $C$ going
-one way and then $C^a$ coming back. If she finds this illuminating, she can
-program her computer to generate random numbers $\gamma$ and show her pairs
-$C = g^\gamma$ and $R = A^\gamma = C^a$. So Eve learns nothing useful she
-couldn't have worked out for herself. In fact, she doesn't even learn that
-Alice is involved in the conversation! Bob can fake up an authentication
-with Alice by secretly agreeing which value of $\beta$ he's going to use with
-an accomplice.
-
-Bob's in a better position than Eve. If he computes his challenges honestly
-then he doesn't learn much except that he's talking to Alice, because as
-we've seen, she only tells him $R$, which he knew already. However, if Bob
-carefully chooses a challenge $C$ without knowing its discrete log $\beta$,
-then Alice's response might tell him useful information about her private
-key that he couldn't have worked out just by sitting at home computing
-discrete logs.
-
-We can fix this little problem easily enough if we make Bob transmit a hash
-of his expected answer. Let $H \colon \mathbb{Z} \to \{\,0, 1\,\}^n$ be a
-hash function. The property we require from $H$ is that Bob can't compute
-$H(g^{a \beta})$ given only $C = g^\beta$ and $A = g^a$ with more than
-negligible probability; a random function would fit the bill fine. This
-does, of course, also assume that the Diffie-Hellman problem is difficult.
-The new protocol looks very much like the old one:
-\begin{enumerate}
-\item Bob chooses a random $1 < \beta < q$. He computes $C = g^\beta$ and $R
- = A^\beta$, and sends $C, H(R)$ to Alice.
-\item Alice computes $R' = C^a$ and checks that it matches the hash which Bob
- sent. If it doesn't, he's trying to cheat, and she should refuse to
- answer. Otherwise, she sends her response $R'$ back to Bob.
-\item Bob checks that Alice's reply matches the one he computed back in step
- 1. If it does, he knows that he's talking to Alice.
-\end{enumerate}
-
-
-\section{A key exchange protocol}
-
-We observe a useful side-effect of the authentication protocol just
-described: Bob should be convinved that Alice received his challenge $C$
-correctly. The idea of the Wrestlers Protocol is to use this to construct a
-full Diffie-Hellman key exchange with mutual authentication. We maintain the
-useful properties of the previous protocol.
-
-Before they can use the protocol, Alice and Bob must agree on a group $G$ as
-before. Alice chooses a private key $1 < a < q$, and publishes her public
-key $A = g^a$; Bob similarly chooses a private key $1 < b < q$ and publishes
-his public key $B = g^b$.
-
-Here's the actual protocol in summary:
-\begin{enumerate}
-\item $A \to B$:\quad $g^\alpha$
-\item $A \from B$:\quad $g^\beta$, $H(g^\alpha, g^\beta, g^{a \beta})$
-\item $A \to B$:\quad $g^{a \beta}$, $H(g^\beta, g^\alpha, g^{\alpha b})$
-\item $A \from B$:\quad $g^{\alpha b}$
-\end{enumerate}
-
-And now in detail:
-\begin{enumerate}
-
-\item Alice invents a temporary secret $1 < \alpha < q$. She computes her
- challenge $C_A = g^\alpha$, and sends it to Bob.
-
-\item Bob receives the $C_A$, and stores it away. He invents a temporary
- secret $1 < \beta < q$ of his own, and computes both his challenge $C_B =
- g^\beta$ and the expected response $R_B = A^\beta = g^{a \beta}$. He
- hashes both challenges (hers first) and the expected response $R_B$, and
- sends his challenge and the hash back to Alice.
-
-\item Alice reads Bob's challenge. She computes her response $R_B' = C_B^a =
- g^{a \beta}$ and ensures that the Bob's hash is correct. If it isn't, she
- stops talking to Bob. If the hash matches, she sends back her response,
- together with a hash of Bob's challenge, her original challenge from step
- 1, and her expected response $R_A = B^\alpha = g^{\alpha b}$.
-
-\item Bob reads Alice's response. If it's wrong then he stops talking.
- Otherwise he computes his response to Alice's challenge $R_A' = C_A^b =
- g^{\alpha b}$ and checks Alice's hash. If the hash is wrong, he also stops
- talking. Otherwise he sends the response back to Alice.
-
-\end{enumerate}
-Finally, Alice checks Bob's response, stopping the conversation if it's
-wrong. Then both sides compute their shared key $K = C_A^\beta = C_B^\alpha
-= g^{\alpha \beta}$, and discard their temporary secrets.
-
-The protocol is essentially symmetrical: each side sends and receives both a
-challenge and hash pair, and a response, but it doesn't look that simple
-because the hashes include both sides' challenges. Looking at it from one
-side at a time will make things clearer, so let's just take Alice's point of
-view.
-
-Alice constructs her challenge in step 1, and sends it off. She receives a
-challenge and hash in step 2. When she computes the response to the
-challenge, she verifies the hash she received. If it matches, she knows that
\begin{itemize}
-\item whoever she's talking to hasn't attempted to cheat her by sending a
- challenge for which he doesn't know the answer; and
-\item he has successfully received her challenge.
+\item We write $\Bin = \{0, 1\}$ for the set of binary digits. Then $\Bin^n$
+ is the set of $n$-bit strings, and $\Bin^*$ is the set of all bit strings.
+\item If $x$ is a bit string then $|x|$ is the length of $x$. If $x \in
+ \Bin^n$ then $|x| = n$.
+\item If $x, y \in \Bin^n$ are strings of bits of the same length then $x
+ \xor y \in \Bin^n$ is their bitwise XOR.
+\item If $x$ and $y$ are bit strings then $x \cat y$ is the result of
+ concatenating $y$ to $x$. If $z = x \cat y$ then we have $|z| = |x| +
+ |y|$.
+\item The empty string is denoted $\emptystring$. We have $|\emptystring| =
+ 0$, and $x = x \cat \emptystring = \emptystring \cat x$ for all strings $x
+ \in \Bin^*$.
+\item If $x$ is a bit string and $i$ is an integer satisfying $0 \le i < |x|$
+ then $x[i]$ is the $i$th bit of $x$. If $a$ and $b$ are integers
+ satisfying $0 \le a \le b \le |x|$ then $x[a \bitsto b]$ is the substring
+ of $x$ beginning with bit $a$ and ending just \emph{before} bit $b$. We
+ have $|x[i]| = 1$ and $|x[a \bitsto b]| = b - a$; if $y = x[a \bitsto b]$
+ then $y[i] = x[a + i]$.
+\item If $x$ is a bit string and $n$ is a natural number then $x^n$ is the
+ result of concatenating $x$ to itself $n$ times. We have $x^0 =
+ \emptystring$ and if $n > 0$ then $x^n = x^{n-1} \cat x = x \cat x^{n-1}$.
\end{itemize}
-Because she's now received a challenge, she can work out her hash. She sends
-off her response to the challenge, together with the hash, and awaits the
-response.
-In step 4, the response arrives. If it's correct, she knows that it's from
-Bob, and that he (Bob) received her challenge OK. Tying everything else
-together is the tricky bit.
+\subsection{Other notation}
-If we assume that Bob is playing by the rules, the fact that he's sent his
-response means that he verified it against Alice's hash and decided that
\begin{itemize}
-\item Alice wasn't trying to cheat him and find out about his private key;
- and
-\item Alice correctly received his challenge.
+\item If $n$ is any natural number, then $\Nupto{n}$ is the set $\{\, i \in
+ \Z \mid 0 \le i < n \,\} = \{ 0, 1, \ldots, n \}$.
+\item The symbol $\bot$ (`bottom') is different from every bit string and
+ group element.
+\item We write $\Func{l}{L}$ as the set of all functions from $\Bin^l$ to
+ $\Bin^L$, and $\Perm{l}$ as the set of all permutations on $\Bin^l$.
\end{itemize}
-Because Bob wouldn't have replied if these weren't true, Alice can therefore
-believe that she has received Bob's challenge correctly.
-To summarize: Alice has managed to get a challenge to Bob, and he responded;
-Alice has also received Bob's challenge correctly.
+\subsection{Algorithm descriptions}
+
+Most of the notation used in the algorithm descriptions should be obvious.
+We briefly note a few features which may be unfamiliar.
+\begin{itemize}
+\item The notation $a \gets x$ denotes the action of assigning the value $x$
+ to the variable $a$.
+\item The notation $a \getsr X$, where $X$ is a finite set, denotes the
+ action of assigning to $a$ a random value $x \in X$ according to the
+ uniform probability distribution on $X$; i.e., following $a \getsr X$,
+ $\Pr[a = x] = 1/|X|$ for any $x \in X$.
+\end{itemize}
+The notation is generally quite sloppy about types and scopes. In
+particular, there are implicit coercions between bit strings, integers and
+group elements. Any simple injective mapping will do for handling the
+conversions. We don't think these informalities cause much confusion, and
+they greatly simplify the presentation of the algorithms.
+
+\subsection{Random oracles}
+
+We shall analyse the Wrestlers Protocol in the random oracle model
+\cite{Bellare:1993:ROP}. That is, each participant including the adversary
+is given oracle access (only) to a uniformly-distributed random function
+$H\colon \Bin^* \to \Bin^\infty$ chosen at the beginning of the game: for any
+input string $x$, the oracle can produce, on demand, any prefix of an
+infinitely long random answer $y = H(x)$. Repeating a query yields a prefix
+of the same random result string; asking a new query yields a prefix of a new
+randomly-chosen string.
+
+We shan't need either to query the oracle on very long input strings nor
+shall we need outputs much longer than a representation of a group index.
+Indeed, since all the programs we shall be dealing with run in finite time,
+and can therefore make only a finite number of oracle queries, each with a
+finitely long result, we can safely think about the random oracle as a finite
+object.
+
+Finally, we shall treat the oracle as a function of multiple inputs and
+expect it to operate on some unambiguous encoding of all of the arguments in
+order.
+
+\subsection{Symmetric encryption}
+
+\begin{definition}[Symmetric encryption]
+ \label{def:sym-enc}
+ A \emph{symmetric encryption scheme} $\mathcal{E} = (E, D)$ is a pair of
+ algorithms:
+ \begin{itemize}
+ \item a randomized \emph{encryption algorithm} $E\colon \keys \mathcal{E}
+ \times \Bin^* \to \Bin^*$; and
+ \item a deterministic \emph{decryption algorithm} $E\colon \keys
+ \mathcal{E} \times \Bin^* \to \Bin^* \cup \{ \bot \}$
+ \end{itemize}
+ with the property that, for any $K \in \keys \mathcal{E}$, any plaintext
+ message $x$, and any ciphertext $y$ returned as a result of $E_K(x)$, we
+ have $D_K(y) = x$.
+\end{definition}
+
+\begin{definition}[Chosen plaintext security for symmetric encryption]
+ \label{def:sym-cpa}
+ Let $\mathcal{E} = (E, D)$ be a symmetric encryption scheme. Let $A$ be
+ any algorithm. Define
+ \begin{program}
+ Experiment $\Expt{lor-cpa-$b$}{\mathcal{E}}(A)$: \+ \\
+ $K \getsr \keys \mathcal{E}$; \\
+ $b' \getsr A^{E_K(\id{lr}(b, \cdot, \cdot))}$; \\
+ \RETURN $b'$;
+ \next
+ Function $\id{lr}(b, x_0, x_1)$: \+ \\
+ \RETURN $x_b$;
+ \end{program}
+ An adversary $A$ is forbidden from querying its encryption oracle
+ $E_K(\id{lr}(b, \cdot, \cdot))$ on a pair of strings with differing
+ lengths. We define the adversary's \emph{advantage} in this game by
+ \begin{equation}
+ \Adv{lor-cpa}{\mathcal{E}}(A) =
+ \Pr[\Expt{lor-cpa-$1$}{\mathcal{E}}(A) = 1] -
+ \Pr[\Expt{lor-cpa-$0$}{\mathcal{E}}(A) = 1]
+ \end{equation}
+ and the \emph{left-or-right insecurity of $\mathcal{E}$ under
+ chosen-plaintext attack} is given by
+ \begin{equation}
+ \InSec{lor-cpa}(\mathcal{E}; t, q_E, \mu_E) =
+ \max_A \Adv{lor-cpa}{\mathcal{E}}(A)
+ \end{equation}
+ where the maximum is taken over all adversaries $A$ running in time $t$ and
+ making at most $q_E$ encryption queries, totalling most $\mu_E$ bits of
+ plaintext.
+\end{definition}
+
+\subsection{The decision Diffie-Hellman problem}
+
+Let $G$ be some cyclic group. The standard \emph{Diffie-Hellman problem}
+\cite{Diffie:1976:NDC} is to compute $g^{\alpha\beta}$ given $g^\alpha$ and
+$g^\beta$. We need a slightly stronger assumption: that, given $g^\alpha$
+and $g^\beta$, it's hard to tell the difference between the correct
+Diffie-Hellman value $g^{\alpha\beta}$ and a randomly-chosen group element
+$g^\gamma$. This is the \emph{decision Diffie-Hellman problem}
+\cite{Boneh:1998:DDP}.
+
+\begin{definition}
+ \label{def:ddh}
+ Let $G$ be a cyclic group of order $q$, and let $g$ be a generator of $G$.
+ Let $A$ be any algorithm. Then $A$'s \emph{advantage in solving the
+ decision Diffie-Hellman problem in $G$} is
+ \begin{equation}
+ \begin{eqnalign}[rl]
+ \Adv{ddh}{G}(A) =
+ & \Pr[\alpha \getsr \Nupto{q}; \beta \getsr \Nupto{q} :
+ A(g^\alpha, g^\beta, g^{\alpha\beta}) = 1] - {} \\
+ & \Pr[\alpha \getsr \Nupto{q}; \beta \getsr \Nupto{q};
+ \gamma \getsr \Nupto{q} :
+ A(g^\alpha, g^\beta, g^\gamma) = 1].
+ \end{eqnalign}
+ \end{equation}
+ The \emph{insecurity function of the decision Diffie-Hellman problem in
+ $G$} is
+ \begin{equation}
+ \InSec{ddh}(G; t) = \max_A \Adv{ddh}{G}(A)
+ \end{equation}
+ where the maximum is taken over all algorithms $A$ which run in time $t$.
+\end{definition}
+
+%%%--------------------------------------------------------------------------
+
+\section{The protocol}
+\label{sec:protocol}
+
+The Wrestlers Protocol is parameterized. We need the following things:
+\begin{itemize}
+\item A cyclic group $G$ whose order~$q$ is prime. Let $g$ be a generator
+ of~$G$. We require that the (decision?\fixme) Diffie-Hellman problem be
+ hard in~$G$. The group operation is written multiplicatively.
+\item A symmetric encryption scheme $\mathcal{E} = (E, D)$. We require that
+ $\mathcal{E}$ be secure against adaptive chosen-plaintext attacks. Our
+ implementation uses Blowfish \cite{Schneier:1994:BEA} in CBC mode with
+ ciphertext stealing. See section~\ref{sec:cbc} for a description of
+ ciphertext stealing and an analysis of its security.
+\item A message authentication scheme $\mathcal{M} = (T, V)$. We require
+ that $\mathcal{M}$ be (strongly) existentially unforgeable under
+ chosen-message attacks. Our implementation uses RIPEMD-160
+ \cite{Dobbertin:1996:RSV} in the HMAC \cite{Bellare:1996:HC} construction.
+\item An instantiation for the random oracle. We use RIPEMD-160 again,
+ either on its own, if the output is long enough, or in the MGF-1
+ \cite{RFC2437} construction, if we need a larger output.\footnote{%
+ The use of the same hash function in the MAC as for instantiating the
+ random oracle is deliberate, with the aim of reducing the number of
+ primitives whose security we must assume. In an application of HMAC, the
+ message to be hashed is prefixed by a secret key padded out to the hash
+ function's block size. In a `random oracle' query, the message is
+ prefixed by a fixed identification string and not padded. Interference
+ between the two is then limited to the case where one of the HMAC keys
+ matches a random oracle prefix, which happens only with very tiny
+ probability.}%
+\end{itemize}
+
+An authenticated encryption scheme with associated data (AEAD)
+\cite{Rogaway:2002:AEAD, Rogaway:2001:OCB, Kohno:2003:CWC} could be used
+instead of a separate symmetric encryption scheme and MAC.
+
+\subsection{Symmetric encryption}
+
+The same symmetric encryption subprotocol is used both within the key
+exchange, to ensure secrecy and binding, and afterwards for message
+transfer. It provides a secure channel between two players, assuming that
+the key was chosen properly.
+
+A \id{keyset} contains the state required for communication between the two
+players. In particular it maintains:
+\begin{itemize}
+\item separate encryption and MAC keys in each direction (four keys in
+ total), chosen using the random oracle based on an input key assumed to be
+ unpredictable by the adversary and a pair of nonces chosen by the two
+ players; and
+\item incoming and outgoing sequence numbers, to detect and prevent replay
+ attacks.
+\end{itemize}
+
+The operations involved in the symmetric encryption protocol are shown in
+figure~\ref{fig:keyset}.
+
+The \id{keygen} procedure initializes a \id{keyset}, resetting the sequence
+numbers, and selecting keys for the encryption scheme and MAC using the
+random oracle. It uses the nonces $r_A$ and $r_B$ to ensure that with high
+probability the keys are different for the two directions: assuming that
+Alice chose her nonce $r_A$ at random, and that the keys and nonce are
+$\kappa$~bits long, the probability that the keys in the two directions are
+the same is at most $2^{\kappa - 2}$.
+
+The \id{encrypt} procedure constructs a ciphertext from a message $m$ and a
+\emph{message type} $\id{ty}$. It encrypts the message giving a ciphertext
+$y$, and computes a MAC tag $\tau$ for the triple $(\id{ty}, i, y)$, where
+$i$ is the next available outgoing sequence number. The ciphertext message
+to send is then $(i, y, \tau)$. The message type codes are used to
+separate ciphertexts used by the key-exchange protocol itself from those sent
+by the players later.
+
+The \id{decrypt} procedure recovers the plaintext from a ciphertext triple
+$(i, y, \tau)$, given its expected type code $\id{ty}$. It verifies that the
+tag $\tau$ is valid for the message $(\id{ty}, i, y)$, checks that the
+sequence number $i$ hasn't been seen before,\footnote{%
+ The sequence number checking shown in the figure is simple but obviously
+ secure. The actual implementation maintains a window of 32 previous
+ sequence numbers, to allow out-of-order reception of messages while still
+ preventing replay attacks. This doesn't affect our analysis.}%
+and then decrypts the ciphertext $y$.
+
+\begin{figure}
+ \begin{program}
+ Structure $\id{keyset}$: \+ \\
+ $\Xid{K}{enc-in}$; $\Xid{K}{enc-out}$; \\
+ $\Xid{K}{mac-in}$; $\Xid{K}{mac-out}$; \\
+ $\id{seq-in}$; $\id{seq-out}$; \- \\[\medskipamount]
+ Function $\id{gen-keys}(r_A, r_B, K)$: \+ \\
+ $k \gets \NEW \id{keyset}$; \\
+ $k.\Xid{K}{enc-in} \gets H(\cookie{encryption}, r_A, r_B, K)$; \\
+ $k.\Xid{K}{enc-out} \gets H(\cookie{encryption}, r_B, r_A, K)$; \\
+ $k.\Xid{K}{mac-in} \gets H(\cookie{integrity}, r_A, r_B, K)$; \\
+ $k.\Xid{K}{mac-out} \gets H(\cookie{integrity}, r_B, r_A, K)$; \\
+ $k.\id{seq-in} \gets 0$; \\
+ $k.\id{seq-out} \gets 0$; \\
+ \RETURN $k$;
+ \next
+ Function $\id{encrypt}(k, \id{ty}, m)$: \+ \\
+ $y \gets (E_{k.\Xid{K}{enc-out}}(m))$; \\
+ $i \gets k.\id{seq-out}$; \\
+ $\tau \gets T_{k.\Xid{K}{mac-out}}(\id{ty}, i, y)$; \\
+ $k.\id{seq-out} \gets i + 1$; \\
+ \RETURN $(i, y, \tau)$; \- \\[\medskipamount]
+ Function $\id{decrypt}(k, \id{ty}, c)$: \+ \\
+ $(i, y, \tau) \gets c$; \\
+ \IF $V_{k.\Xid{K}{mac-in}}((\id{ty}, i, y), \tau) = 0$ \THEN \\ \ind
+ \RETURN $\bot$; \- \\
+ \IF $i < k.\id{seq-in}$ \THEN \RETURN $\bot$; \\
+ $m \gets D_{k.\Xid{K}{enc-in}}(y)$; \\
+ $k.\id{seq-in} \gets i + 1$; \\
+ \RETURN $m$;
+ \end{program}
+
+ \caption{Symmetric-key encryption functions}
+ \label{fig:keyset}
+\end{figure}
+
+\subsection{The key-exchange}
+
+The key-exchange protocol is completely symmetrical. Either party may
+initiate, or both may attempt to converse at the same time. We shall
+describe the protocol from the point of view of Alice attempting to exchange
+a key with Bob.
+
+Alice's private key is a random index $\alpha \inr \Nupto{q}$. Her public
+key is $a = g^\alpha$. Bob's public key is $b \in G$. We'll subscript the
+variables Alice computes with an~$A$, and the values Bob has sent with a~$B$.
+Of course, if Bob is following the protocol correctly, he will have computed
+his $B$ values in a completely symmetrical way.
+
+There are six messages in the protocol, and we shall briefly discuss the
+purpose of each before embarking on the detailed descriptions. At the
+beginning of the protocol, Alice chooses a new random index $\rho_A$ and
+computes her \emph{challenge} $r_A = g^{\rho_A}$. Eventually, the shared
+secret key will be computed as $K = r_B^{\rho_A} = r_A^{\rho_B} =
+g^{\rho_A\rho_B}$, as for standard Diffie-Hellman key agreement.
-What if Bob isn't honest? The only hole in the protocol which can be
-exploited by Bob is that he can send a response \emph{even though} it doesn't
-match Alice's hash. This means that the protocol will continue even if Alice
-is attempting to cheat Bob and find information about his private key: this
-is a penalty Bob has to pay for not following the rules. The protocol still
-aborts if an adversary interferes with the challenges: if Alice isn't given
-Bob's challenge accurately, her response will be wrong, and Bob can abort the
-exchange; similarly, if Bob isn't given Alice's challenge, she will detect
-this and abort the exchange.
+Throughout, we shall assume that messages are implicitly labelled with the
+sender's identity. If Alice is actually trying to talk to several other
+people she'll need to run multiple instances of the protocol, each with its
+own state, and she can use the sender label to decide which instance a
+message should be processed by. There's no need for the implicit labels to
+be attached securely.
+We'll summarize the messages and their part in the scheme of things before we
+start on the serious detail. For a summary of the names and symbols used in
+these descriptions, see table~\ref{tab:kx-names}. The actual message
+contents are summarized in table~\ref{tab:kx-messages}. A state-transition
+diagram of the protocol is shown in figure~\ref{fig:kx-states}. If reading
+pesudocode algorithms is your thing then you'll find message-processing
+procedures in figure~\ref{fig:kx-messages} with the necessary support procedures
+in figure~\ref{fig:kx-support}.
-\section{Practical considerations}
+\begin{table}
+ \begin{tabularx}{\textwidth}{Mr X}
+ G & A cyclic group known by all participants \\
+ q = |G| & The prime order of $G$ \\
+ g & A generator of $G$ \\
+ E_K(\cdot) & Encryption under key $K$, here used to denote
+ application of the $\id{encrypt}(K, \cdot)$
+ operation \\
+ \alpha \inr \Nupto{q} & Alice's private key \\
+ a = g^{\alpha} & Alice's public key \\
+ \rho_A \inr \Nupto{q} & Alice's secret Diffie-Hellman value \\
+ r_A = g^{\rho_A} & Alice's public \emph{challenge} \\
+ c_A = H(\cookie{cookie}, r_A)
+ & Alice's \emph{cookie} \\
+ v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})
+ & Alice's challenge \emph{check value} \\
+ r_B^\alpha = a^{\rho_B}
+ & Alice's reply \\
+ K = r_B^{\rho_A} = r_B^{\rho_A} = g^{\rho_A\rho_B}
+ & Alice and Bob's shared secret key \\
+ w_A = H(\cookie{switch-request}, c_A, c_B)
+ & Alice's \emph{switch request} value \\
+ u_A = H(\cookie{switch-confirm}, c_A, c_B)
+ & Alice's \emph{switch confirm} value \\
+ \end{tabularx}
+ \caption{Names used during key-exchange}
+ \label{tab:kx-names}
+\end{table}
+
+\begin{table}
+ \begin{tabular}[C]{Ml}
+ \cookie{kx-pre-challenge}, r_A \\
+ \cookie{kx-cookie}, r_A, c_B \\
+ \cookie{kx-challenge}, r_A, c_B, v_A \\
+ \cookie{kx-reply}, c_A, c_B, v_A, E_K(r_B^\alpha)) \\
+ \cookie{kx-switch}, c_A, c_B, E_K(r_B^\alpha, w_A)) \\
+ \cookie{kx-switch-ok}, E_K(u_A))
+ \end{tabular}
+
+ \caption{Message contents, as sent by Alice}
+ \label{tab:kx-messages}
+\end{table}
+
+\begin{messages}
+\item[kx-pre-challenge] Contains a plain statement of Alice's challenge.
+ This is Alice's first message of a session.
+\item[kx-cookie] A bare acknowledgement of a received challenge: it restates
+ Alice's challenge, and contains a hash of Bob's challenge. This is an
+ engineering measure (rather than a cryptographic one) which prevents
+ trivial denial-of-service attacks from working.
+\item[kx-challenge] A full challenge, with a `check value' which proves the
+ challenge's honesty. Bob's correct reply to this challenge informs Alice
+ that she's received his challenge correctly.
+\item[kx-reply] A reply. This contains a `check value', like the
+ \cookie{kx-challenge} message above, and an encrypted reply which confirms
+ to Bob Alice's successful receipt of his challenge and lets Bob know he
+ received Alice's challenge correctly.
+\item[kx-switch] Acknowledges Alice's receipt of Bob's \cookie{kx-reply}
+ message, including Alice's own reply to Bob's challenge. Tells Bob that
+ she can start using the key they've agreed.
+\item[kx-switch-ok] Acknowlegement to Bob's \cookie{kx-switch} message.
+\end{messages}
+
+\begin{figure}
+ \small
+ \let\ns\normalsize
+ \let\c\cookie
+ \[ \begin{graph}
+ []!{0; <4.5cm, 0cm>: <0cm, 1.5cm>::}
+ *++[F:<4pt>]\txt{\ns Start \\ Choose $\rho_A$} ="start"
+ :[dd]
+ *++[F:<4pt>]\txt{
+ \ns State \c{challenge} \\
+ Send $(\c{pre-challenge}, r_A)$}
+ ="chal"
+ [] "chal" !{!L(0.5)} ="chal-cookie"
+ :@(d, d)[l]
+ *+\txt{Send $(\c{cookie}, r_A, c_B)$}
+ ="cookie"
+ |*+\txt{Receive \\ $(\c{pre-challenge}, r_B)$ \\ (no spare slot)}
+ :@(u, u)"chal-cookie"
+ "chal" :@/_0.8cm/ [ddddl]
+ *+\txt{Send \\ $(\c{challenge}, $\\$ r_A, c_B, v_A)$}
+ ="send-chal"
+ |<>(0.67) *+\txt\small{
+ Receive \\ $(\c{pre-challenge}, r_B)$ \\ (spare slot)}
+ "chal" :@/^0.8cm/ "send-chal" |<>(0.33)
+ *+\txt{Receive \\ $(\c{cookie}, r_B, c_A)$}
+ :[rr]
+ *+\txt{Send \\ $(\c{reply}, c_A, c_B, $\\$ v_A, E_K(r_B^\alpha))$}
+ ="send-reply"
+ |*+\txt{Receive \\ $(\c{challenge}, $\\$ r_B, c_A, v_B)$}
+ "chal" :"send-reply"
+ |*+\txt{Receive \\ $(\c{challenge}, $\\$ r_B, c_A, v_B)$}
+ "send-chal" :[ddd]
+ *++[F:<4pt>]\txt{
+ \ns State \c{commit} \\
+ Send \\ $(\c{switch}, c_A, c_B, $\\$ E_K(r_B^\alpha, w_A))$}
+ ="commit"
+ |*+\txt{Receive \\ $(\c{reply}, c_B, c_A, $\\$ v_B, E_K(b^{\rho_A}))$}
+ :[rr]
+ *+\txt{Send \\ $(\c{switch-ok}, E_K(u_A))$}
+ ="send-switch-ok"
+ |*+\txt{Receive \\ $(\c{switch}, c_B, c_A, $\\$ E_K(b^{\rho_A}, w_B))$}
+ "send-reply" :"commit"
+ |*+\txt{Receive \\ $(\c{reply}, c_B, c_A, $\\$ v_B, E_K(b^{\rho_A}))$}
+ "send-reply" :"send-switch-ok"
+ |*+\txt{Receive \\ $(\c{switch}, c_B, c_A, $\\$ E_K(b^{\rho_A}, w_B))$}
+ :[dddl]
+ *++[F:<4pt>]\txt{\ns Done}
+ ="done"
+ "commit" :"done"
+ |*+\txt{Receive \\ $(\c{switch-ok}, E_K(u_B))$}
+ "send-chal" [r] !{+<0cm, 0.75cm>}
+ *\txt\itshape{For each outstanding challenge}
+ ="for-each"
+ !{"send-chal"+DL-<8pt, 8pt> ="p0",
+ "for-each"+U+<8pt> ="p1",
+ "send-reply"+UR+<8pt, 8pt> ="p2",
+ "send-reply"+DR+<8pt, 8pt> ="p3",
+ "p0" !{"p1"-"p0"} !{"p2"-"p1"} !{"p3"-"p2"}
+ *\frm<8pt>{--}}
+ \end{graph} \]
+
+ \caption{State-transition diagram for key-exchange protocol}
+ \label{fig:kx-states}
+\end{figure}
+
+We now describe the protocol message by message, and Alice's actions when she
+receives each. Since the protocol is completely symmetrical, Bob should do
+the same, only swapping round $A$ and $B$ subscripts, the public keys $a$ and
+$b$, and using his private key $\beta$ instead of $\alpha$.
+
+\subsubsection{Starting the protocol}
+
+As described above, at the beginning of the protocol Alice chooses a random
+$\rho_A \inr \Nupto q$, and computes her \emph{challenge} $r_A = g^{\rho_A}$
+and her \emph{cookie} $c_A = H(\cookie{cookie}, r_A)$. She sends her
+announcement of her challenge as
+\begin{equation}
+ \label{eq:kx-pre-challenge}
+ \cookie{kx-pre-challenge}, r_A
+\end{equation}
+and enters the \cookie{challenge} state.
+
+\subsubsection{The \cookie{kx-pre-challenge} message}
+
+If Alice receieves a \cookie{kx-pre-challenge}, she ensures that she's in the
+\cookie{challenge} state: if not, she rejects the message.
+
+She must first calculate Bob's cookie $c_B = H(\cookie{cookie}, r_B)$. Then
+she has a choice: either she can send a full challenge, or she can send the
+cookie back.
+
+Suppose she decides to send a full challenge. She must compute a \emph{check
+value}
+\begin{equation}
+ \label{eq:v_A}
+ v_A = \rho_A \xor H(\cookie{expected-reply}, r_A, r_B, b^{\rho_A})
+\end{equation}
+and sends
+\begin{equation}
+ \label{eq:kx-challenge}
+ \cookie{kx-challenge}, r_A, c_B, v_A
+\end{equation}
+to Bob. Then she remembers Bob's challenge for later use, and awaits his
+reply.
+
+If she decides to send only a cookie, she just transmits
+\begin{equation}
+ \label{eq:kx-cookie}
+ \cookie{kx-cookie}, r_A, c_B
+\end{equation}
+to Bob and forgets all about it.
+
+Why's this useful? Well, if Alice sends off a full \cookie{kx-challenge}
+message, she must remember Bob's $r_B$ so she can check his reply and that
+involves using up a table slot. That means that someone can send Alice
+messages purporting to come from Bob which will chew up Alice's memory, and
+they don't even need to be able to read Alice's messages to Bob to do that.
+If this protocol were used over the open Internet, script kiddies from all
+over the world might be flooding Alice with bogus \cookie{kx-pre-challenge}
+messages and she'd never get around to talking to Bob.
+
+By sending a cookie intead, she avoids committing a table slot until Bob (or
+someone) sends either a cookie or a full challenge, thus proving, at least,
+that he can read her messages. This is the best we can do at this stage in
+the protocol. Against an adversary as powerful as the one we present in
+section~\fixme\ref{sec:formal} this measure provides no benefit (but we have
+to analyse it anyway); but it raises the bar too sufficiently high to
+eliminate a large class of `nuisance' attacks in the real world.
+
+Our definition of the Wrestlers Protocol doesn't stipulate when Alice should
+send a full challenge or just a cookie: we leave this up to individual
+implementations, because it makes no difference to the security of the
+protocol against powerful adversaries. But we recommend that Alice proceed
+`optimistically' at first, sending full challenges until her challenge table
+looks like it's running out, and then generating cookies only if it actually
+looks like she's under attack. This is what our pseudocode in
+figure~\ref{fig:kx-messages} does.
+
+\subsubsection{The \cookie{kx-cookie} message}
+
+When Alice receives a \cookie{kx-cookie} message, she must ensure that she's
+in the \cookie{challenge} state: if not, she rejects the message. She checks
+the cookie in the message against the value of $c_A$ she computed earlier.
+If all is well, Alice sends a \cookie{kx-challenge} message, as in
+equation~\ref{eq:kx-challenge} above.
+
+This time, she doesn't have a choice about using up a table slot to remember
+Bob's $r_B$. If her table size is fixed, she must choose a slot to recycle.
+We suggest simply recycling slots at random: this means there's no clever
+pattern of \cookie{kx-cookie} messages an attacker might be able to send to
+clog up all of Alice's slots.
+
+\subsubsection{The \cookie{kx-challenge} message}
+
+
+
+\begin{figure}
+ \begin{program}
+ Procedure $\id{kx-initialize}$: \+ \\
+ $\rho_A \getsr [q]$; \\
+ $r_a \gets g^{\rho_A}$; \\
+ $\id{state} \gets \cookie{challenge}$; \\
+ $\Xid{n}{chal} \gets 0$; \\
+ $k \gets \bot$; \\
+ $\id{chal-commit} \gets \bot$; \\
+ $\id{send}(\cookie{kx-pre-challenge}, r_A)$; \- \\[\medskipamount]
+ Procedure $\id{kx-receive}(\id{type}, \id{data})$: \\ \ind
+ \IF $\id{type} = \cookie{kx-pre-challenge}$ \THEN \\ \ind
+ \id{msg-pre-challenge}(\id{data}); \- \\
+ \ELSE \IF $\id{type} = \cookie{kx-cookie}$ \THEN \\ \ind
+ \id{msg-cookie}(\id{data}); \- \\
+ \ELSE \IF $\id{type} = \cookie{kx-challenge}$ \THEN \\ \ind
+ \id{msg-challenge}(\id{data}); \- \\
+ \ELSE \IF $\id{type} = \cookie{kx-reply}$ \THEN \\ \ind
+ \id{msg-reply}(\id{data}); \- \\
+ \ELSE \IF $\id{type} = \cookie{kx-switch}$ \THEN \\ \ind
+ \id{msg-switch}(\id{data}); \- \\
+ \ELSE \IF $\id{type} = \cookie{kx-switch-ok}$ \THEN \\ \ind
+ \id{msg-switch-ok}(\id{data}); \-\- \\[\medskipamount]
+ Procedure $\id{msg-pre-challenge}(\id{data})$: \+ \\
+ \IF $\id{state} \ne \cookie{challenge}$ \THEN \RETURN; \\
+ $r \gets \id{data}$; \\
+ \IF $\Xid{n}{chal} \ge \Xid{n}{chal-thresh}$ \THEN \\ \ind
+ $\id{send}(\cookie{kx-cookie}, r_A, \id{cookie}(r_A)))$; \- \\
+ \ELSE \+ \\
+ $\id{new-chal}(r)$; \\
+ $\id{send}(\cookie{kx-challenge}, r_A,
+ \id{cookie}(r), \id{checkval}(r))$; \-\-\\[\medskipamount]
+ Procedure $\id{msg-cookie}(\id{data})$: \+ \\
+ \IF $\id{state} \ne \cookie{challenge}$ \THEN \RETURN; \\
+ $(r, c_A) \gets \id{data}$; \\
+ \IF $c_A \ne \id{cookie}(r_A)$ \THEN \RETURN; \\
+ $\id{new-chal}(r)$; \\
+ $\id{send}(\cookie{kx-challenge}, r_A,
+ \id{cookie}(r), \id{checkval}(r))$; \- \\[\medskipamount]
+ Procedure $\id{msg-challenge}(\id{data})$: \+ \\
+ \IF $\id{state} \ne \cookie{challenge}$ \THEN \RETURN; \\
+ $(r, c_A, v) \gets \id{data}$; \\
+ \IF $c_A \ne \id{cookie}(r_A)$ \THEN \RETURN; \\
+ $i \gets \id{check-reply}(\bot, r, v)$; \\
+ \IF $i = \bot$ \THEN \RETURN; \\
+ $k \gets \id{chal-tab}[i].k$; \\
+ $y \gets \id{encrypt}(k, \cookie{kx-reply}, r^\alpha)$; \\
+ $\id{send}(\cookie{kx-reply}, c_A, \id{cookie}(r),
+ \id{checkval}(r), y)$
+ \next
+ Procedure $\id{msg-reply}(\id{data})$: \+ \\
+ $(c, c_A, v, y) \gets \id{data}$; \\
+ \IF $c_A \ne \id{cookie}(r_A)$ \THEN \RETURN; \\
+ $i \gets \id{find-chal}(c)$; \\
+ \IF $i = \bot$ \THEN \RETURN; \\
+ \IF $\id{check-reply}(i, \id{chal-tab}[i].r, v) = \bot$ \THEN \\ \ind
+ \RETURN; \- \\
+ $k \gets \id{chal-tab}[i].k$; \\
+ $x \gets \id{decrypt}(k, \cookie{kx-reply}, y)$; \\
+ \IF $x = \bot$ \THEN \RETURN; \\
+ \IF $x \ne b^{\rho_A}$ \THEN \RETURN; \\
+ $\id{state} \gets \cookie{commit}$; \\
+ $\id{chal-commit} \gets \id{chal-tab}[i]$; \\
+ $w \gets H(\cookie{switch-request}, c_A, c)$; \\
+ $x \gets \id{chal-tab}[i].r^\alpha$; \\
+ $y \gets \id{encrypt}(k, (x, \cookie{kx-switch}, w))$; \\
+ $\id{send}(\cookie{kx-switch}, c_A, c, y)$; \-\\[\medskipamount]
+ Procedure $\id{msg-switch}(\id{data})$: \+ \\
+ $(c, c_A, y) \gets \id{data}$; \\
+ \IF $c_A \ne \cookie(r_A)$ \THEN \RETURN; \\
+ $i \gets \id{find-chal}(c)$; \\
+ \IF $i = \bot$ \THEN \RETURN; \\
+ $k \gets \id{chal-tab}[i].k$; \\
+ $x \gets \id{decrypt}(k, \cookie{kx-switch}, y)$; \\
+ \IF $x = \bot$ \THEN \RETURN; \\
+ $(x, w) \gets x$; \\
+ \IF $\id{state} = \cookie{challenge}$ \THEN \\ \ind
+ \IF $x \ne b^{\rho_A}$ \THEN \RETURN; \\
+ $\id{chal-commit} \gets \id{chal-tab}[i]$; \- \\
+ \ELSE \IF $c \ne \id{chal-commit}.c$ \THEN \RETURN; \\
+ \IF $w \ne H(\cookie{switch-request}, c, c_A)$ \THEN \RETURN; \\
+ $w \gets H(\cookie{switch-confirm}, c_A, c)$; \\
+ $y \gets \id{encrypt}(y, \cookie{kx-switch-ok}, w)$; \\
+ $\id{send}(\cookie{switch-ok}, y)$; \\
+ $\id{done}(k)$; \- \\[\medskipamount]
+ Procedure $\id{msg-switch-ok}(\id{data})$ \+ \\
+ \IF $\id{state} \ne \cookie{commit}$ \THEN \RETURN; \\
+ $y \gets \id{data}$; \\
+ $k \gets \id{chal-commit}.k$; \\
+ $w \gets \id{decrypt}(k, \cookie{kx-switch-ok}, y)$; \\
+ \IF $w = \bot$ \THEN \RETURN; \\
+ $c \gets \id{chal-commit}.c$; \\
+ $c_A \gets \id{cookie}(r_A)$; \\
+ \IF $w \ne H(\cookie{switch-confirm}, c, c_A)$ \THEN \RETURN; \\
+ $\id{done}(k)$;
+ \end{program}
+
+ \caption{The key-exchange protocol: message handling}
+ \label{fig:kx-messages}
+\end{figure}
+
+\begin{figure}
+ \begin{program}
+ Structure $\id{chal-slot}$: \+ \\
+ $r$; $c$; $\id{replied}$; $k$; \- \\[\medskipamount]
+ Function $\id{find-chal}(c)$: \+ \\
+ \FOR $i = 0$ \TO $\Xid{n}{chal}$ \DO \\ \ind
+ \IF $\id{chal-tab}[i].c = c$ \THEN \RETURN $i$; \- \\
+ \RETURN $\bot$; \- \\[\medskipamount]
+ Function $\id{cookie}(r)$: \+ \\
+ \RETURN $H(\cookie{cookie}, r)$; \- \\[\medskipamount]
+ Function $\id{check-reply}(i, r, v)$: \+ \\
+ \IF $i \ne \bot \land \id{chal-tab}[i].\id{replied} = 1$ \THEN \\ \ind
+ \RETURN $i$; \- \\
+ $\rho \gets v \xor H(\cookie{expected-reply}, r, r_A, r^\alpha)$; \\
+ \IF $g^\rho \ne r$ \THEN \RETURN $\bot$; \\
+ \IF $i = \bot$ \THEN $i \gets \id{new-chal}(r)$; \\
+ $\id{chal-tab}[i].k \gets \id{gen-keys}(r_A, r, r^{\rho_A})$; \\
+ $\id{chal-tab}[i].\id{replied} \gets 1$; \\
+ \RETURN $i$;
+ \next
+ Function $\id{checkval}(r)$: \\ \ind
+ \RETURN $\rho_A \xor H(\cookie{expected-reply},
+ r_A,r, b^{\rho_A})$; \- \\[\medskipamount]
+ Function $\id{new-chal}(r)$: \+ \\
+ $c \gets \id{cookie}(r)$; \\
+ $i \gets \id{find-chal}(c)$; \\
+ \IF $i \ne \bot$ \THEN \RETURN $i$; \\
+ \IF $\Xid{n}{chal} < \Xid{n}{chal-max}$ \THEN \\ \ind
+ $i \gets \Xid{n}{chal}$; \\
+ $\id{chal-tab}[i] \gets \NEW \id{chal-slot}$; \\
+ $\Xid{n}{chal} \gets \Xid{n}{chal} + 1$; \- \\
+ \ELSE \\ \ind
+ $i \getsr [\Xid{n}{chal-max}]$; \- \\
+ $\id{chal-tab}[i].r \gets r$; \\
+ $\id{chal-tab}[i].c \gets c$; \\
+ $\id{chal-tab}[i].\id{replied} \gets 0$; \\
+ $\id{chal-tab}[i].k \gets \bot$; \\
+ \RETURN $i$;
+ \end{program}
+
+ \caption{The key-exchange protocol: support functions}
+ \label{fig:kx-support}
+\end{figure}
+
+%%%--------------------------------------------------------------------------
+
+\section{CBC mode encryption}
+\label{sec:cbc}
+
+Our implementation of the Wrestlers Protocol uses Blowfish
+\cite{Schneier:1994:BEA} in CBC mode. However, rather than pad plaintext
+messages to a block boundary, with the ciphertext expansion that entails, we
+use a technique called \emph{ciphertext stealing}
+\cite[section 9.3]{Schneier:1996:ACP}.
+
+\subsection{Standard CBC mode}
+
+Suppose $E$ is an $\ell$-bit pseudorandom permutation. Normal CBC mode works
+as follows. Given a message $X$, we divide it into blocks $x_0, x_1, \ldots,
+x_{n-1}$. Choose a random \emph{initialization vector} $I \inr \Bin^\ell$.
+Before passing each $x_i$ through $E$, we XOR it with the previous
+ciphertext, with $I$ standing in for the first block:
+\begin{equation}
+ y_0 = E_K(x_0 \xor I) \qquad
+ y_i = E_K(x_i \xor y_{i-1} \ \text{(for $1 \le i < n$)}.
+\end{equation}
+The ciphertext is then the concatenation of $I$ and the $y_i$. Decryption is
+simple:
+\begin{equation}
+ x_0 = E^{-1}_K(y_0) \xor I \qquad
+ x_i = E^{-1}_K(y_i) \xor y_{i-1} \ \text{(for $1 \le i < n$)}
+\end{equation}
+See figure~\ref{fig:cbc} for a diagram of CBC encryption.
+
+\begin{figure}
+ \[ \begin{graph}
+ []!{0; <0.85cm, 0cm>: <0cm, 0.5cm>::}
+ *+=(1, 0)+[F]{\mathstrut x_0}="x"
+ :[dd] *{\xor}="xor"
+ [ll] *+=(1, 0)+[F]{I} :"xor"
+ :[dd] *+[F]{E}="e" :[ddd] *+=(1, 0)+[F]{\mathstrut y_0}="i"
+ "e" [l] {K} :"e"
+ [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_1}="x"
+ :[dd] *{\xor}="xor"
+ "e" [d] :`r [ru] `u "xor" "xor"
+ :[dd] *+[F]{E}="e" :[ddd]
+ *+=(1, 0)+[F]{\mathstrut y_1}="i"
+ "e" [l] {K} :"e"
+ [rrruuuu] *+=(1, 0)+[F--]{\mathstrut x_i}="x"
+ :@{-->}[dd] *{\xor}="xor"
+ "e" [d] :@{-->}`r [ru] `u "xor" "xor"
+ :@{-->}[dd] *+[F]{E}="e" :@{-->}[ddd]
+ *+=(1, 0)+[F--]{\mathstrut y_i}="i"
+ "e" [l] {K} :@{-->}"e"
+ [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_{n-1}}="x"
+ :[dd] *{\xor}="xor"
+ "e" [d] :@{-->}`r [ru] `u "xor" "xor"
+ :[dd] *+[F]{E}="e" :[ddd]
+ *+=(1, 0)+[F]{\mathstrut y_{n-1}}="i"
+ "e" [l] {K} :"e"
+ \end{graph} \]
+
+ \caption{Encryption using CBC mode}
+ \label{fig:cbc}
+\end{figure}
+
+\begin{definition}[CBC mode]
+ \label{def:cbc}
+ Let $P\colon \keys P \times \Bin^\ell to \Bin^\ell$ be a pseudorandom
+ permutation. We define the symmetric encryption scheme
+ $\Xid{\mathcal{E}}{CBC}^P = (\Xid{E}{CBC}^P, \Xid{D}{CBC}^P)$ for messages
+ in $\Bin^{\ell\Z}$ by setting $\keys \Xid{\mathcal{E}}{CBC} = \keys P$ and
+ defining the encryption and decryption algorithms as follows:
+ \begin{program}
+ Algorithm $\Xid{E}{CBC}^P_K(x)$: \+ \\
+ $I \getsr \Bin^\ell$; \\
+ $y \gets I$; \\
+ \FOR $i = 0$ \TO $|x|/\ell$ \DO \\ \ind
+ $x_i \gets x[\ell i \bitsto \ell (i + 1)]$; \\
+ $y_i \gets P_K(x_i \xor I)$; \\
+ $I \gets y_i$; \\
+ $y \gets y \cat y_i$; \- \\
+ \RETURN $y$;
+ \next
+ Algorithm $\Xid{D}{CBC}^P_K(y)$: \+ \\
+ $I \gets y[0 \bitsto \ell]$; \\
+ $x \gets \emptystring$; \\
+ \FOR $1 = 0$ \TO $|y|/\ell$ \DO \\ \ind
+ $y_i \gets y[\ell i \bitsto \ell (i + 1)]$; \\
+ $x_i \gets P^{-1}_K(y_i) \xor I$; \\
+ $I \gets y_i$; \\
+ $x \gets x \cat x_i$; \- \\
+ \RETURN $x$;
+ \end{program}
+\end{definition}
+
+\begin{theorem}[Security of standard CBC mode]
+ \label{thm:cbc}
+ Let $P\colon \keys P \times \Bin^\ell \to \Bin^\ell$ be a pseudorandom
+ permutation. Then,
+ \begin{equation}
+ \InSec{lor-cpa}(\Xid{\mathcal{E}}{CBC}; t, q_E + \mu_E) \le
+ 2 \cdot \InSec{prp}(P; t + q t_P, q) +
+ \frac{q (q - 1)}{2^\ell - 2^{\ell/2}}
+ \end{equation}
+ where $q = \mu_E/\ell$ and $t_P$ is some small constant.
+\end{theorem}
+
+\begin{note}
+ Our security bound is slightly better than that of \cite[theorem
+ 17]{Bellare:2000:CST}. Their theorem statement contains a term $3 \cdot q
+ (q - 1) 2^{-\ell-1}$. Our result lowers the factor from 3 to just over 2.
+ Our proof is also much shorter and considerably more comprehensible.
+\end{note}
+
+The proof of this theorem is given in section~\ref{sec:cbc-proof}
+
+\subsection{Ciphertext stealing}
+
+Ciphertext stealing allows us to encrypt any message in $\Bin^*$ and make the
+ciphertext exactly $\ell$ bits longer than the plaintext. See
+figure~\ref{fig:cbc-steal} for a diagram.
+
+\begin{figure}
+ \[ \begin{graph}
+ []!{0; <0.85cm, 0cm>: <0cm, 0.5cm>::}
+ *+=(1, 0)+[F]{\mathstrut x_0}="x"
+ :[dd] *{\xor}="xor"
+ [ll] *+=(1, 0)+[F]{I} :"xor"
+ :[dd] *+[F]{E}="e" :[ddddd] *+=(1, 0)+[F]{\mathstrut y_0}="i"
+ "e" [l] {K} :"e"
+ [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_1}="x"
+ :[dd] *{\xor}="xor"
+ "e" [d] :`r [ru] `u "xor" "xor"
+ :[dd] *+[F]{E}="e" :[ddddd]
+ *+=(1, 0)+[F]{\mathstrut y_1}="i"
+ "e" [l] {K} :"e"
+ [rrruuuu] *+=(1, 0)+[F--]{\mathstrut x_i}="x"
+ :@{-->}[dd] *{\xor}="xor"
+ "e" [d] :@{-->}`r [ru] `u "xor" "xor"
+ :@{-->}[dd] *+[F]{E}="e" :@{-->}[ddddd]
+ *+=(1, 0)+[F--]{\mathstrut y_i}="i"
+ "e" [l] {K} :@{-->}"e"
+ [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_{n-2}}="x"
+ :[dd] *{\xor}="xor"
+ "e" [d] :@{-->}`r [ru] `u "xor" "xor"
+ :[dd] *+[F]{E}="e"
+ "e" [l] {K} :"e"
+ [rrruuuu] *+=(1, 0)+[F]{\mathstrut x_{n-1} \cat 0^{\ell-t}}="x"
+ :[dd] *{\xor}="xor"
+ "e" [d] :`r [ru] `u "xor" "xor"
+ "e" [dddddrrr] *+=(1, 0)+[F]{\mathstrut y_{n-1}[0 \bitsto t]}="i"
+ "e" [dd] ="x"
+ "i" [uu] ="y"
+ []!{"x"; "e" **{}, "x"+/4pt/ ="p",
+ "x"; "y" **{}, "x"+/4pt/ ="q",
+ "y"; "x" **{}, "y"+/4pt/ ="r",
+ "y"; "i" **{}, "y"+/4pt/ ="s",
+ "e";
+ "p" **\dir{-};
+ "q" **\crv{"x"};
+ "r" **\dir{-};
+ "s" **\crv{"y"};
+ "i" **\dir{-}?>*\dir{>}}
+ "xor" :[dd] *+[F]{E}="e"
+ "e" [l] {K} :"e"
+ "e" [dddddlll] *+=(1, 0)+[F]{\mathstrut y_{n-2}}="i"
+ "e" [dd] ="x"
+ "i" [uu] ="y"
+ []!{"x"; "e" **{}, "x"+/4pt/ ="p",
+ "x"; "y" **{}, "x"+/4pt/ ="q",
+ "y"; "x" **{}, "y"+/4pt/ ="r",
+ "y"; "i" **{}, "y"+/4pt/ ="s",
+ "x"; "y" **{} ?="c" ?(0.5)/-4pt/ ="cx" ?(0.5)/4pt/ ="cy",
+ "e";
+ "p" **\dir{-};
+ "q" **\crv{"x"};
+ "cx" **\dir{-};
+ "c" *[@]\cir<4pt>{d^u};
+ "cy";
+ "r" **\dir{-};
+ "s" **\crv{"y"};
+ "i" **\dir{-}?>*\dir{>}}
+ \end{graph} \]
+
+ \caption{Encryption using CBC mode with ciphertext stealing}
+ \label{fig:cbc-steal}
+\end{figure}
+
+\begin{definition}[CBC stealing]
+ \label{def:cbc-steal}
+ Let $P\colon \keys P \times \Bin^\ell \to \Bin^\ell$ be a pseudorandom
+ permutation. We define the symmetric encryption scheme
+ $\Xid{\mathcal{E}}{CBC-steal}^P = (\Xid{G}{CBC}^P, \Xid{E}{CBC-steal}^P,
+ \Xid{D}{CBC-steal}^P)$ for messages in $\Bin^{\ell\Z}$ by setting $\keys
+ \Xid{\mathcal{E}}{CBC-steal} = \keys P$ and defining the encryption and
+ decryption algorithms as follows:
+ \begin{program}
+ Algorithm $\Xid{E}{CBC-steal}^P_K(x)$: \+ \\
+ $I \getsr \Bin^\ell$; \\
+ $y \gets I$; \\
+ $t = |x| \bmod \ell$; \\
+ \IF $t \ne 0$ \THEN $x \gets x \cat 0^{\ell-t}$; \\
+ \FOR $i = 0$ \TO $|x|/\ell$ \DO \\ \ind
+ $x_i \gets x[\ell i \bitsto \ell (i + 1)]$; \\
+ $y_i \gets P_K(x_i \xor I)$; \\
+ $I \gets y_i$; \\
+ $y \gets y \cat y_i$; \- \\
+ \IF $t \ne 0$ \THEN \\ \ind
+ $b \gets |y| - 2\ell$; \\
+ $y \gets $\=$y[0 \bitsto b] \cat
+ y[b + \ell \bitsto |y|] \cat {}$ \\
+ \>$y[b \bitsto b + t]$; \- \\
+ \RETURN $y$;
+ \next
+ Algorithm $\Xid{D}{CBC-steal}^P_K(y)$: \+ \\
+ $I \gets y[0 \bitsto \ell]$; \\
+ $t = |y| \bmod \ell$; \\
+ \IF $t \ne 0$ \THEN \\ \ind
+ $b \gets |y| - t - \ell$; \\
+ $z \gets P^{-1}_K(y[b \bitsto b + \ell])$; \\
+ $y \gets $\=$y[0 \bitsto b] \cat
+ y[b + \ell \bitsto |y|] \cat {}$ \\
+ \>$z[t \bitsto \ell]$; \- \\
+ $x \gets \emptystring$; \\
+ \FOR $1 = 0$ \TO $|y|/\ell$ \DO \\ \ind
+ $y_i \gets y[\ell i \bitsto \ell (i + 1)]$; \\
+ $x_i \gets P^{-1}_K(y_i) \xor I$; \\
+ $I \gets y_i$; \\
+ $x \gets x \cat x_i$; \- \\
+ \IF $t \ne 0$ \THEN \\ \ind
+ $x \gets x \cat z[0 \bitsto t] \xor y[b \bitsto b + t]$; \- \\
+ \RETURN $x$;
+ \end{program}
+\end{definition}
+
+\begin{theorem}[Security of CBC with ciphertext stealing]
+ \label{thm:cbc-steal}
+ Let $P\colon \keys P \times \Bin^\ell \to \Bin^\ell$ be a pseudorandom
+ permutation. Then
+ \begin{equation}
+ \InSec{lor-cpa}(\Xid{\mathcal{E}}{CBC-steal}; t, q_E, \mu_E) \le
+ 2 \cdot \InSec{prp}(P; t + q t_P, q) +
+ \frac{q (q - 1)}{2^\ell - 2^{\ell/2}}
+ \end{equation}
+ where $q = \mu_E/\ell$ and $t_P$ is some small constant.
+\end{theorem}
+
+\begin{proof}
+ This is an easy reducibility argument. Let $A$ be an adversary attacking
+ $\Xid{\mathcal{E}}{CBC-steal}^P$. We construct an adversary which attacks
+ $\Xid{\mathcal{E}}{CBC}^P$:
+ \begin{program}
+ Adversary $A'^{E(\cdot)}$: \+ \\
+ $b \gets A^{\Xid{E}{steal}(\cdot)}$; \\
+ \RETURN $b$;
+ \- \\[\medskipamount]
+ Oracle $\Xid{E}{steal}(x_0, x_1)$: \+ \\
+ \IF $|x_0| \ne |x_1|$ \THEN \ABORT; \\
+ \RETURN $\id{steal}(|x_0|, E(\id{pad}(x_0), \id{pad}(x_1)))$;
+ \next
+ Function $\id{pad}(x)$: \+ \\
+ $t \gets |x| \bmod \ell$; \\
+ \RETURN $x \cat 0^{\ell-t}$;
+ \- \\[\medskipamount]
+ Function $\id{steal}(l, y)$: \+ \\
+ $t \gets l \bmod \ell$; \\
+ \IF $t \ne 0$ \THEN \\ \ind
+ $b \gets |y| - 2\ell$; \\
+ $y \gets $\=$y[0 \bitsto b] \cat
+ y[b + \ell \bitsto |y|] \cat y[b \bitsto b + t]$; \- \\
+ \RETURN $y$;
+ \end{program}
+ Comparing this to definition~\ref{def:cbc-steal} shows that $A'$ simlates
+ the LOR-CPA game for $\Xid{\mathcal{E}}{CBC-steal}$ perfectly. The theorem
+ follows.
+\end{proof}
+
+\subsection{Proof of theorem~\ref{thm:cbc}}
+\label{sec:cbc-proof}
+
+Consider an adversary $A$ attacking CBC encryption using an ideal random
+permutation $P(\cdot)$. Pick some point in the attack game when we're just
+about to encrypt the $n$th plaintext block. For each $i \in \Nupto{n}$,
+let $x_i$ be the $i$th block of plaintext we've processed; let $y_i$ be the
+corresponding ciphertext; and let $z_i = P^{-1}(y_i)$, i.e., $z_i = x_i \xor
+I$ for the first block of a message, and $z_i = x_i \xor y_{i-1}$ for the
+subsequent blocks.
+
+Say that `something went wrong' if any $z_i = z_j$ for $i \ne j$. This is
+indeed a disaster, because it means that $y_i = y_j$ , so he can detect it,
+and $x_i \xor y_{i-1} = x_j \xor y_{j-1}$, so he can compute an XOR
+difference between two plaintext blocks from the ciphertext and thus
+(possibly) reveal whether he's getting his left or right plaintexts
+encrypted. The alternative, `everything is fine', is much better. If all
+the $z_i$ are distinct, then because $y_i = P(z_i)$, the $y_i$ are all
+generated by $P(\cdot)$ on inputs it's never seen before, so they're all
+random subject to the requirement that they be distinct. If everything is
+fine, then, the adversary has no better way of deciding whether he has a left
+oracle or a right oracle than tossing a coin, and his advantage is therefore
+zero. Thus, we must bound the probability that something went wrong.
+
+Assume that, at our point in the game so far, everything is fine. But we're
+just about to encrypt $x^* = x_n$. There are two cases:
+\begin{itemize}
+\item If $x_n$ is the first block in a new message, we've just invented a new
+ random IV $I \in \Bin^\ell$ which is unknown to $A$, and $z_n = x_n \xor
+ I$. Let $y^* = I$.
+\item If $x_n$ is \emph{not} the first block, then $z_n = x_n \xor y_{n-1}$,
+ but the adversary doesn't yet know $y_{n-1}$, except that because $P$ is a
+ permutation and all the $z_i$ are distinct, $y_{n-1} \ne y_i$ for any $0
+ \le i < n - 1$. Let $y^* = y_{n-1}$.
+\end{itemize}
+Either way, the adversary's choice of $x^*$ is independent of $y^*$. Let
+$z^* = x^* \xor y^*$. We want to know the probability that something goes
+wrong at this point, i.e., that $z^* = z_i$ for some $0 \le i < n$. Let's
+call this event $C_n$. Note first that, in the first case, there are
+$2^\ell$ possible values for $y^*$ and in the second there are $2^\ell - n +
+1$ possibilities for $y^*$. Then
+\begin{eqnarray}[rl]
+ \Pr[C_n]
+ & = \sum_{x \in \Bin^\ell} \Pr[C_n \mid x^* = x] \Pr[x^* = x] \\
+ & = \sum_{x \in \Bin^\ell}
+ \Pr[x^* = x] \sum_{0\le i<n} \Pr[y^* = z_i \xor x] \\
+ & \le \sum_{0\le i<n} \frac{1}{2^\ell - n}
+ \sum_{x \in \Bin^\ell} \Pr[x^* = x] \\
+ & = \frac{n}{2^\ell - n}
+\end{eqnarray}
-\section{Conclusions and further work}
+Having bounded the probability that something went wrong for any particular
+block, we can proceed to bound the probability of something going wrong in
+the course of the entire game. Let's suppose that $q = \mu_E/\ell \le
+2^{\ell/2}$; for if not, $q (q - 1) > 2^\ell$ and the theorem is trivially
+true, since no adversary can achieve advantage greater than one.
-We have presented a new key exchange protocol based upon a novel use of
-Diffie-Hellman key exchange as a means of authentication.
+Let's give the name $W_i$ to the probability that something went wrong after
+encrypting $i$ blocks. We therefore want to bound $W_q$ from above.
+Armed with the knowledge that $q \le 2^{\ell/2}$, we have
+\begin{eqnarray}[rl]
+ W_q &\le \sum_{0\le i<q} \Pr[C_i]
+ \le \sum_{0\le i<q} \frac{i}{2^\ell - i} \\
+ &\le \frac{1}{2^\ell - 2^{\ell/2}} \sum_{0\le i<q} i \\
+ &= \frac{q (q - 1)}{2 \cdot (2^\ell - 2^{\ell/2})}
+\end{eqnarray}
+Working through the definition of LOR-CPA security, we can see that $A$'s
+(and hence any adversary's) advantage against the ideal system is at most $2
+W_q$.
-The arguments given in the previous section sound fairly convincing, but they
-don't provide a formal proof of the security of the Wrestlers Protocol. The
-authors are unaware of a logic system for verifying protocols which correctly
-capture the properties of hash functions.
+By using an adversary attacking CBC encryption as a statistical test in an
+attempt to distinguish $P_K(\cdot)$ from a pseudorandom permutation, we see
+that
+\begin{equation}
+ \InSec{prp}(P; t + q t_P, q) \ge
+ \frac{1}{2} \cdot
+ \InSec{lor-cpa}(\Xid{\mathcal{E}}{CBC}; t, q_E, \mu_E) -
+ \frac{q (q - 1)}{2 \cdot (2^\ell - 2^{\ell/2})}
+\end{equation}
+where $t_P$ expresses the overhead of doing the XORs and other care and
+feeding of the CBC adversary; whence
+\begin{equation}
+ \InSec{lor-cpa}(\Xid{\mathcal{E}}{CBC}; t, q_E, \mu_E) \le
+ 2 \cdot \InSec{prp}(P; t, q) + \frac{q (q - 1)}{2^\ell - 2^{\ell/2}}
+\end{equation}
+as required.
+\qed
%%%----- That's all, folks --------------------------------------------------
+\bibliography{mdw-crypto,cryptography,cryptography2000,rfc}
\end{document}
-%%% Local Variables:
+%%% Local Variables:
%%% mode: latex
%%% TeX-master: "wrestlers"
-%%% End:
+%%% End: