Security Model Sample Clauses

Security Model. We describe below the adversarial model following Xxxxxxx et al.’s [15] formal security model that we adopt for the security analysis of our protocols. This model is more general in the sense that it covers authenticated key agreement in the group setting and is suited for dynamic groups. Let P = {U1, . . . , Un} be a set of n (fixed) users or participants. At any point of time, any subset of P may decide to establish a session key. Thus a user can execute the protocol for group key agreement several times with different partners, and can join or leave the group at will by executing the protocols for Join or Leave. We identify the execution of protocols for key agreement, member(s) join and member(s) leave as different sessions. The adversarial model consists of allowing each user an unlimited number of instances with which it executes the protocol for key agreement or inclusion or exclusion of a user or a set of users. We assume the adversary never participates as a user in the protocol. This adversarial model allows concurrent execution of the protocol. The interaction between the adversary A and the protocol participants occurs only via oracle queries, which model the adversary’s capabilities in a real attack. Let S, S1, S2 be three sets defined as: S = {(V1, i1), . . . , (Vl, il)}, S1 = {(Vl+1, il+1), . . . , (Vl+k, il+k)}, S2 = {(Vj1, ij1), . . . , (Vjk, ijk)}, where {V1, . . . , Vl} is any non-empty subset of P. We will require the following notations. Π_U^i: i-th instance of user U. sk_U^i: session key after execution of the protocol by Xx. sid_U^i: session identity for instance Π_U^i. We set sid_U^i = S = {(U1, i1), . . . , (Uk, ik)} such that (U, i) ∈ S and Xx0, . . . , Xxx wish to agree upon a common key. pid_U^i: partner identity for instance Π_U^i, defined by pid_U^i = {U1, . . . , Uk} such that (Uj, ij) ∈ sid_U^i for all 1 ≤ j ≤ k. acc_U^i: 0/1-valued variable which is set to 1 by Π_U^i upon normal termination of the session and 0 otherwise. We will make the assumption that in each session at most one instance of each user participates. Further, an instance of a particular user participates in exactly one session. This is not a very restrictive assumption, since a user can spawn an instance for each session it participates in. On the other hand, there is an important consequence of this assumption. Suppose there are several sessions which are being concurrently executed. Let the session IDs be sid1, . . . , sidk. Then for any ...
Security Model. This section defines the components of the system, the adversary and its capabilities and the meaning of system breakdown.
Security Model. The model is defined by the following game, which is run between a challenger CH and an adversary A. A controls all communications from and to the protocol participants via access to a set of oracles as described below. Every participant involved in a session is treated as an oracle. We denote an instance i of the participant U as Π_U^i, where U ∈ {C1, · · · , Cn} S S. Each client C has an ... k3 = s r_S (R_C + PK_C − X_C) = s r_S (r_C + s_C − x_C)P = (r_C + s_C − x_C) r_S sP = (r_C + s_C − x_C) R_S = k4. Thus the client C and the server S establish a common session key sk = H4(ID_C, R_S, R_C, W_C, P_pub, k3) = H4(ID_C, R_S, R_C, W_C, P_pub, k4).
Security Model. We prove our protocols secure in the Universal Composability framework introduced in [Can01]. This model is explained in Appendix A.
Security Model. We now briefly describe the formal security model of Belxxxx et al. [6] as standardized by Xxxxxxx et al. [12, 13] and refer the reader to [6, 12, 13] for more details. A protocol P for password-based group key agreement assumes that there is a set P = {U1, U2, . . . , Un} of n users (n is fixed), who share a low-entropy secret password pw drawn uniformly from a small dictionary of size N. The adversary is given control over all communication in the external network. We assume that users do not deviate from the protocol and that the adversary never participates as a user in the protocol. This adversarial model allows concurrent execution of the protocol among n users. The interaction between the adversary A and the protocol participants occurs only via oracle queries, which model the adversary’s capabilities in a real attack. These queries are as follows (Π_U^i denotes the i-th instance of user U and sk_U^i denotes the session key after execution of the protocol by Π_U^i): – Send(U, i, m): The adversary can carry out an active attack by this query. The adversary may intercept a message and then either modify it, create a new one or simply forward it to the intended participant. The output of the query is the reply (if any) generated by the instance Π_U^i upon receipt of message m. The adversary is allowed to prompt the unused instance Π_U^i to initiate the protocol by invok- 2 Preliminaries In this section, we define the Computation Xxxxxx-Xxxxxxx (CDH) problem and describe the security notion that a password-based group key agreement protocol should achieve. We use the notation a ∈_R S to denote that a is chosen uniformly from the set S.
Security Model. Following the approach of Xxxxxxx et al. [18] for the analysis of TLS 1.3, we model KEMTLS-PDK as a multi-stage key-agreement protocol [20], where each session has several stages in each of which a shared secret key is established. This model is an adaptation of the Bellare–Rogaway security model for authenticated key exchange [4]. The formal model appears in the full version (available from xxxxxxxxxxx.xx/xxxxxxxxxxx/xxxxxxxxx/); we describe it briefly here. Each party (client or server) has a long-term public-key/secret-key pair, and we assume there exists a public-key infrastructure for certifying these public keys. Each party can run multiple instances of the protocol simultaneously or
Security Model. So far, we have mentioned the DH assumptions under which formal proofs of security for key agreement protocols can be given. We stated that this security is achieved against a passive adversary. Later on, we sketched the desired properties, taking into account an active adversary. Throughout the evolution of key agreement protocols, a recurring weakness has been that the security of protocols is stated without a unifiable formal proof. Protocol proposals often gave proofs of security against individual attacks, using heuristics and a proving system that was not transferable to other protocols. A major improvement in this area, with respect to groups of participants, was due to Bresson et al. [11] (later also regarding dynamically changing groups [10]). Bresson et al. designed a formal model for protocols to provide a proof of their properties. The model determines the participants of the protocol together with their capabilities from a game-theoretical point of view. The players are both the parties that want to behave according to the key agreement protocol and the adversary, which has its own capabilities and goals. Within this model, it is possible to define the security goals and attempt to prove their achievement. The two main security goals were proven, namely implicit key authentication and key confirmation. The shortened description of the model could be misleading, hence the reader is referred to the original paper.
Security Model. Based on the works of He et al. [32] and Xxxx et al. [34], we adopt a security model for the PCAKA scheme. The security of our proposed authentication and key negotiation (PCAKA) scheme on a peer-to-peer cloud can be defined as a game between adversary A and challenger C. We indicate the kth instance of Λ by Π_Λ^k, where Λ ∈ {C1, C2, ...}. A can perform some queries on C, and C will respond as follows.
Security Model. The first security model for AGKA protocols was presented by Wu et al. [25], derived from the security model for conventional GKA protocols [10]. We note that the security model in [25] only considers passive attackers. In the sequel, we will extend this model to capture the ability of active attackers and integrate the notion of IB-PKC.
Security Model. We now introduce our security models for the analysis of privacy-preserving key agreement (PPKA) protocols. Our first security experiment is based on standard key-exchange models in the tradition of Xxxxxxx-Xxxxxxx [4] key indistinguishability games. This allows our model to easily capture known key secrecy, as well as generically capture key randomness notions, since our adversary is tasked merely with the goal of distinguishing the targeted session key from a random session key from the same distribution. Our second security experiment allows us to capture privacy notions of sessions, by challenging an adversary to determine which of two previously selected nodes ran a given protocol execution. Our cleanness predicates (see Section 5.4) allow us to model KCI attacks by allowing the adversary to reveal the long-term key of the node running the PPKA protocol, as well as the notions of partial forward secrecy. We HN, running a number of instances of the PPKA protocol Π, and a set of (up to) nN nodes N1, . . . , NnN (representing nodes communicating with the hub node HN), each potentially running one stage of (up to) nS consecutive stages of id