As mentioned before, a cryptographic protocol is a distributed algorithm defined by a sequence of steps precisely specifying the actions required of two or more entities to achieve a specific security objective. The following notation is used in this book to describe cryptographic protocols:
Capital letters, such as A, B, C, ..., are used to refer to principals. Note that many publications on cryptography and cryptographic protocols use names, such as Alice and Bob, to refer to principals. This is a convenient way of making things unambiguous with relatively few words, because the pronoun "she" can be used for Alice, and "he" can be used for Bob. However, the advantages and disadvantages of this naming scheme are controversial, and we are not going to use it in this book.
K is used to refer to a secret key. A secret key is basically a key of a secret key cryptosystem.
The pair $(k; k^{-1})$ is used to refer to a public key pair, where $k$ is used to refer to the public key and $k^{-1}$ is used to refer to the corresponding private key.
In either case, key subscripts are used to indicate principals. In general, capital letter subscripts are used for long-term keys, and small letter subscripts are used for short-term keys. For example, $K_A$ is used to refer to A's long-term secret key, whereas $k_b$ is used to refer to B's short-term public key.
The term $\{M\}_K$ is used to refer to a message $M$ that is encrypted with the secret key $K$. Since the same key $K$ is used for decryption, $\{\{M\}_K\}_K$ equals $M$. If $K$ is used to compute and verify a message authentication code (MAC) for message $M$, then the term $\langle M \rangle_K$ is used to refer to the MAC.
Similarly, the term $\{M\}_k$ is used to refer to a message $M$ that is encrypted with the public key $k$. The message can only be decrypted with the corresponding private key $k^{-1}$. If a public key cryptosystem is used to digitally sign messages, the private key is used for signing, and the corresponding public key is used for verifying signatures. Referring to the terminology of the OSI security architecture, the term $\{M\}_{k^{-1}}$ is used to refer to a digital signature giving message recovery, and $\langle M \rangle_{k^{-1}}$ is used to refer to a digital signature with appendix. Note that in the second case, $\langle M \rangle_{k^{-1}}$ in fact abbreviates $M; \{h(M)\}_{k^{-1}}$, with $h$ being an OWHF or CRHF.
Finally, the term $X \ll Y \gg$ is used to refer to a public key certificate that has been issued by X for Y's public key. It implies that X has verified Y's identity and certified the binding of Y's long-term public key $k_Y$ with its identity.
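The MAC and the two signature forms defined above can be made concrete with the following added Python example, which is not taken from the book. It assumes textbook RSA over a constructed toy key pair with no padding, SHA-256 as h, and HMAC-SHA256 as the MAC; all function names are illustrative.

```python
import hashlib
import hmac

# Constructed toy key pair: textbook RSA over two Mersenne primes, no padding.
# k = (N, E) is the public key, k^-1 = (N, D) the private key.
P, Q = 2**521 - 1, 2**127 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def h(m: bytes) -> int:
    """h(M): SHA-256 standing in for the CRHF, as an integer below N."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def sign_recovery(m: bytes) -> int:
    """{M}k^-1: the private-key operation applied to M itself."""
    x = int.from_bytes(m, "big")
    if not 0 < x < N:
        raise ValueError("message must encode to an integer in (0, N)")
    return pow(x, D, N)

def recover(sig: int) -> bytes:
    """Apply the public key k to {M}k^-1; the output is M."""
    x = pow(sig, E, N)
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def sign_appendix(m: bytes) -> tuple:
    """<M>k^-1 = M; {h(M)}k^-1: M travels in the clear next to the signed hash."""
    return m, pow(h(m), D, N)

def verify_appendix(m: bytes, sig: int) -> bool:
    """Recompute h(M) and compare it with the public-key operation on the appendix."""
    return pow(sig, E, N) == h(m)

def mac(key: bytes, m: bytes) -> bytes:
    """<M>K: HMAC-SHA256 standing in for the MAC under the secret key K."""
    return hmac.new(key, m, hashlib.sha256).digest()

def verify_mac(key: bytes, m: bytes, tag: bytes) -> bool:
    """Recompute <M>K with the shared key and compare in constant time."""
    return hmac.compare_digest(mac(key, m), tag)

if __name__ == "__main__":
    M = b"A -> B: transfer 10"  # constructed sample message
    print(recover(sign_recovery(M)))            # message recovered from the signature
    print(verify_appendix(*sign_appendix(M)))   # signature with appendix verifies
    print(verify_mac(b"K_AB", M, mac(b"K_AB", M)))
```

With message recovery the verifier obtains M from the signature alone, whereas with appendix the verifier must already hold M and only checks the signed hash against it.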
