{"component": "clause", "props": {"groups": [{"size": 3, "samples": [{"hash": "kMU61GZkIUf", "uri": "/contracts/kMU61GZkIUf#security-model", "label": "Group Key Agreement Protocol", "score": 24.8165645599, "published": true}], "snippet": "We assume that the reader is familier with the model of \u2587\u2587\u2587\u2587\u2587\u2587\u2587 et al. [14], which is the model in which we prove security of our dynamic key aggreement protocol. For completeness, we review their definitions and refer the reader to [14] for more details. Let P = {U1, . . . , Un} be a set of n (fixed) users or participants. A user can execute the protocol for group key agreement several times with different partners, can join or leave the group at it\u2019s desire by executing the protocols for Insert or Delete. We assume that users do not deviate from the protocol and adversary never participates as a user in the protocol. This adversarial model allows concurrent execution of the protocol. The interaction between the adversary A and the protocol participants occur only via oracle queries, which model the adversary\u2019s capabilities in a real attack. These queries are as follows, where \u03a0 \u03a0i . denotes the i-th instance of user U and ski denotes the session key after execution of the protocol by \u2013 Send(U, i, m) : This query models an active attack, in which the adversary may intercept a message and then either modify it, create a new one or simply forward it to the intended participant. The output of the query is the reply (if any) generated by the instance \u03a0i upon receipt of message m. The adversary is allowed to prompt the unused instance \u03a0i to initiate the protocol with partners U2, . . . , Ul, l \u2264 n, by invoking Send(U, i, \u27e8U2, . . . , Ul\u27e9). \u2013 Execute({(V1, i1), . . . , (Vl, il)}) : Here {V1, . . . , Vl} is a non empty subset of P. 
This query models passive attacks in which the attacker evesdrops on honest execution of group key agreement protocol among unused instances \u03a0i1 , . . . , \u03a0il and outputs the transcript of the execution. A transcript consists of V1 Vl the messages that were exchanged during the honest execution of the protocol. \u2013 Join({(V1, i1), . . . , (Vl, il)}, (U, i)) : This query models the insertion of a user instance \u03a0i in the group (V1, . . . , Vl) \u2208 P for which Execute have already been queried. The output of this query is the transcript generated by the invocation of algorithm Insert. If Execute({(V1, i1), . . . (Vl, il)}) has not taken place, then the adversary is given no output. \u2013 Leave({(V1, i1), . . . , (Vl, il)}, (U, i)) : This query models the removal of a user instance \u03a0i from the group (V1, . . . Vl) \u2208 P. If Execute({(V1, i1), . . . (Vl, il)}) has not taken place, then the adversary is given no output. Otherwise, algorithm Delete is invoked. The adversary is given the transcript generated by the honest execution of procedure Delete. \u2013 Reveal(U, i) : This outputs session key ski . This query models the misuse of the session keys, i.e known session key attack. \u2013 Corrupt(U ) : This outputs the long-term secret key (if any) of player U . The adversarial model that we adopt is a weak-corruption model in the sense that only the long-term secret keys are compromised, but the ephemeral keys or the internal data of the protocol participants are not corrupted. This query models (perfect) forward secrecy. \u2013 Test(U, i) : This query is allowed only once, at any time during the adversary\u2019s execution. A bit b \u2208 {0, 1} is chosen uniformly at random. The adversary is given ski if b = 1, and a random session key if b = 0. This oracle computes the adversary\u2019s ability to distinguish a real session key from a random one. 
An adversary which has access to the Execute, Join, Leave, Reveal, Corrupt and Test oracles, is considered to be passive while an active adversary is given access to the Send oracle in addition. We also use notations sidi : session identity for instance \u03a0i . We set sidi = S = {(U1, i1), . . . , (Uk, ik)} such that (U, i) \u2208 S and \u03a0i1 , . . . , \u03a0ik wish to agree upon a common key. U1 Uk pidi : partner identity for instance \u03a0i , defined by pidi = {U1, . . . , Uk}, such that (Uj, ij) \u2208 sidi for all 1 \u2264 j \u2264 k. acci : 0/1-valued variable which is set to be 1 by \u03a0i 0 otherwise. upon normal termination of the session and The adversary can ask Send, Execute, Join, Leave, Reveal and Corrupt queries several times, but Test query is asked only once and on a fresh instance. We say that an instance \u03a0i adversary, at some point, queried Reveal(U, i) or Reveal(U ', j) with U ' \u2208 pidi is fresh unless either the or the adversary queried Corrupt(V ) (with V \u2208 pidi ) before a query of the form Send(U, i, \u2217) or Send(U ', j, \u2217) where U ' \u2208 pidi . Finally adversary outputs a guess bit b'. Such an adversary is said to win the game if b = b' where b is the hidden bit used by the Test oracle. Let Succ denote the event that the adversary A wins the game for a protocol XP. We define AdvA,XP := |2 Prob[Succ] \u2212 1| to be the advantage of the adversary A in attacking the protocol XP. The protocol XP is said to be a secure unauthenticated group key agreement (KA) protocol if there is no polynomial time passive adversary with non-negligible advantage. We say that protocol XP is a secure authenticated group key agreement (AKA) protocol if there is no polynomial time active adversary with non-negligible advantage. Next we define the advantage functions. 
XP AdvKA(t, qE) := the maximum advantage of any passive adversary attacking protocol XP, running in time t and ma \u2587\u2587\u2587\u2587 \u2587\u2587 calls to the Execute oracle. XP AdvAKA(t, qE, qJ , qL, qS) := the maximum advantage of any active adversary attacking protocol XP, running in time t and m \u2587\u2587\u2587\u2587\u2587 qE calls to the Execute oracle, qJ calls to Join oracle, qL calls to the Leave oracle and qS calls to the Send oracle.", "snippet_links": [{"key": "the-model", "type": "clause", "offset": [43, 52]}, {"key": "security-of", "type": "clause", "offset": [114, 125]}, {"key": "definitions-and", "type": "clause", "offset": [197, 212]}, {"key": "more-details", "type": "clause", "offset": [242, 254]}, {"key": "the-protocol", "type": "clause", "offset": [345, 357]}, {"key": "group-key-agreement", "type": "clause", "offset": [362, 381]}, {"key": "the-group", "type": "clause", "offset": [439, 448]}, {"key": "concurrent-execution", "type": "clause", "offset": [657, 677]}, {"key": "session-key", "type": "definition", "offset": [954, 965]}, {"key": "upon-receipt-of", "type": "definition", "offset": [1271, 1286]}, {"key": "a-non", "type": "clause", "offset": [1527, 1532]}, {"key": "agreement-protocol", "type": "clause", "offset": [1651, 1669]}, {"key": "the-execution", "type": "clause", "offset": [1741, 1754]}, {"key": "removal-of", "type": "definition", "offset": [2306, 2316]}, {"key": "forward-secrecy", "type": "clause", "offset": [3057, 3072]}, {"key": "at-any-time", "type": "clause", "offset": [3122, 3133]}, {"key": "ability-to", "type": "clause", "offset": [3325, 3335]}, {"key": "access-to-the", "type": "clause", "offset": [3409, 3422]}, {"key": "in-addition", "type": "clause", "offset": [3568, 3579]}, {"key": "termination-of-the", "type": "clause", "offset": [3976, 3994]}, {"key": "where-u", "type": "clause", "offset": [4407, 4414]}, {"key": "the-event", "type": "definition", "offset": [4587, 4596]}, {"key": "in-time", "type": "clause", 
"offset": [5230, 5237]}], "hash": "eb43fda4c100b81130994673db24f01d", "id": 1}, {"size": 2, "samples": [{"hash": "lXB5d56pcWx", "uri": "/contracts/lXB5d56pcWx#security-model", "label": "Oblivious Transfer Protocol", "score": 23.8571052551, "published": true}, {"hash": "k77sfCuQDwf", "uri": "/contracts/k77sfCuQDwf#security-model", "label": "Oblivious Transfer Protocol", "score": 23.6408538818, "published": true}], "snippet": "We prove our protocols secure in the Universal Composability framework introduced in [Can01]. This model is explained in Appendix A.", "snippet_links": [], "hash": "57c54d8050711ed3c4001ea96a01941a", "id": 2}, {"size": 2, "samples": [{"hash": "caIcn3GPCTt", "uri": "/contracts/caIcn3GPCTt#security-model", "label": "Remote User Authentication and Key Agreement Scheme", "score": 24.2300930023, "published": true}, {"hash": "C7027vOnTX", "uri": "/contracts/C7027vOnTX#security-model", "label": "Authentication and Key Agreement Scheme", "score": 24.2300930023, "published": true}], "snippet": "The model is defined by the following game which is run between a challenger C H and an adversary A . A controls all communications from and to the protocol participants via accessing to a set of oracles as described below. Every participant involved in a session is treated as an oracle. We denote an instance i of the participant U as k = sr (R + PK \u2212 X ) = sr (r + s \u2212 x )P = \u220fi , where U \u2208 {C , \u00b7 \u00b7 \u00b7 ,C } S S. Each client C has an 3 S C C C S C C C U 1 n (rC + sC \u2212 xC)rSsP = (rC + sC \u2212 xC)RS = k4. 
Thus the client C and the server S establish a common session key sk = H4(IDC, RS, RC,WC, Ppub, k3) = H4(IDC, RS, RC,WC, Ppub, k4).", "snippet_links": [{"key": "the-model", "type": "clause", "offset": [0, 9]}, {"key": "the-protocol", "type": "clause", "offset": [144, 156]}, {"key": "the-participant", "type": "clause", "offset": [316, 331]}, {"key": "where-u", "type": "clause", "offset": [384, 391]}, {"key": "the-client", "type": "clause", "offset": [509, 519]}, {"key": "session-key", "type": "definition", "offset": [558, 569]}], "hash": "a96e0b5bb42e11618450ea47a9cc084a", "id": 3}, {"size": 2, "samples": [{"hash": "d1hoND4HM4", "uri": "/contracts/d1hoND4HM4#security-model", "label": "End User Agreement", "score": 23.0301170349, "published": true}, {"hash": "4fEOE4r4sOM", "uri": "/contracts/4fEOE4r4sOM#security-model", "label": "End User Agreement", "score": 23.0301170349, "published": true}], "snippet": "\u200c\n3.1. We settle the basic notation of distinguishers in Sect.\n3.2. For reference, the black-box duplex security model of Daemen et al. [15] is treated in Sect.\n3.3. We lift the model to leakage resilience in Sect. 3.4.\n3.1 Sampling of Keys\u200c D \u2190\u2212\u2212 { } The duplex construction of Sect. 2 is based on an array of u k-bit keys. These keys may be generated uniformly at random, as K DK ( 0, 1 k)u. In our analysis of leakage resilience, however, we will require the scheme to be still secure if the keys are not uniformly random but as long as they have su\ufb03cient min-entropy. \u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587\u2587, we will adopt the approach of Daemen et al. [15] to consider keys sampled using a distribution K , that distributes the key independently1 and with su\ufb03cient min-entropy, i.e., for which D\u221e \u03b4 H ( K ) = min \u2208[1,u] H\u221e(K[\u03b4]) is su\ufb03ciently high. 
Note that if DK is the random distribution, H\u221e(DK ) = k.", "snippet_links": [{"key": "in-sect", "type": "clause", "offset": [54, 61]}, {"key": "for-reference", "type": "clause", "offset": [68, 81]}, {"key": "the-model", "type": "clause", "offset": [174, 183]}, {"key": "construction-of", "type": "clause", "offset": [263, 278]}, {"key": "based-on", "type": "definition", "offset": [290, 298]}, {"key": "the-scheme", "type": "clause", "offset": [458, 468]}, {"key": "the-approach", "type": "clause", "offset": [598, 610]}, {"key": "a-distribution", "type": "clause", "offset": [664, 678]}], "hash": "ac2c305bb88eeb8cfb4d2a51c35c5e0e", "id": 4}, {"size": 2, "samples": [{"hash": "kLLKm9sZFfZ", "uri": "/contracts/kLLKm9sZFfZ#security-model", "label": "Authenticated Key Agreement Scheme", "score": 21.2505130768, "published": true}, {"hash": "5yTSg6Llg4O", "uri": "/contracts/5yTSg6Llg4O#security-model", "label": "Authenticated Key Agreement Scheme", "score": 21.2477760315, "published": true}], "snippet": "This section defines the components of the system, the adversary and its capabilities and the meaning of system breakdown.\n4.1.1. System The system comprises nodes belonging to one administrative unit under the same TA. It is assumed that TA has access to a cryptographically secure random number generator. The master keys are assumed secure and cannot be stolen. If need be, they can be deleted after generating all of the possible public and private key sets. 
The nodes have access to secure cryptographic algorithms, such as AES encryption and hash algorithms.", "snippet_links": [{"key": "the-system", "type": "definition", "offset": [39, 49]}, {"key": "meaning-of", "type": "definition", "offset": [94, 104]}, {"key": "administrative-unit", "type": "definition", "offset": [181, 200]}, {"key": "access-to", "type": "definition", "offset": [246, 255]}, {"key": "random-number-generator", "type": "definition", "offset": [283, 306]}, {"key": "master-keys", "type": "clause", "offset": [312, 323]}, {"key": "private-key", "type": "definition", "offset": [445, 456]}, {"key": "to-secure", "type": "clause", "offset": [485, 494]}], "hash": "971f4462212bbd384625cd4ca3aa8436", "id": 5}, {"size": 1, "samples": [{"hash": "a8oDVgX2vgp", "uri": "/contracts/a8oDVgX2vgp#security-model", "label": "Intelligent Drone Assisted Anonymous Authentication and Key Agreement", "score": 22.3826141357, "published": true}], "snippet": "Before going to prove that the session key security is preserved by the proposed scheme, we discuss describe the ROR model [46]. \u2022 Participants. Let V , Dj , and CC denote the \u03b1th Lemma 1 (Difference Lemma): Let A, B, F denote the events defined in some probability distribution, and assume instance of vehicle Vi, the \u03b2th instance of drone Dj and that A \u2227 \u00acF \u21d0\u21d2 B \u2227 \u00acF . Then | Pr[A] \u2212 Pr[B] \u2264 Pr[F ]. the \u03b3th instance of CC, respectively. These instances are named the oracles. \u2022 Accepted state. If an instance V \u03b1 jumps to the accepted state after the last expected protocol message is received, it will be in the accepted state. 
The session identification (sid) of V \u03b1 for the current session that is constructed", "snippet_links": [{"key": "session-key", "type": "definition", "offset": [31, 42]}, {"key": "the-proposed-scheme", "type": "clause", "offset": [68, 87]}, {"key": "the-events", "type": "clause", "offset": [227, 237]}, {"key": "the-current", "type": "clause", "offset": [677, 688]}], "hash": "af55c0ee67285786307496ef5e3e2615", "id": 6}, {"size": 1, "samples": [{"hash": "5wBjL0iFKoH", "uri": "/contracts/5wBjL0iFKoH#security-model", "label": "Authenticated Key Agreement Protocol", "score": 17.0, "published": true}], "snippet": "Players. We assume that two users A and B participate in the key agreement protocol P. Each of them may have several instances called oracles involved in distinct executions of P. We denote instance s of i \u2208 {A, B} by \u03a0s for an integer s \u2208 N. We also use the notation \u03a0s to define the s-th instantiation of A executing with B. Adversarial Model. We allow a probabilistic polynomial time (PPT) adver- sary F to access to all message flows in the system. All oracles only communicate with each other via F . F can replay, modify, delay, interleave or delete messages. At any time, the adversary F can make the following queries: \u2013 Execute(A, B ): This query models passive attacks, where F gets access to an honest execution of P between A and B by eavesdropping. 
\u2013 Send(\u03a0s, m): This query models F sending a message m to instance \u03a0s.", "snippet_links": [{"key": "a-and-b", "type": "clause", "offset": [34, 41]}, {"key": "participate-in", "type": "definition", "offset": [42, 56]}, {"key": "agreement-protocol", "type": "clause", "offset": [65, 83]}, {"key": "access-to", "type": "definition", "offset": [410, 419]}, {"key": "the-system", "type": "definition", "offset": [441, 451]}, {"key": "at-any-time", "type": "clause", "offset": [566, 577]}], "hash": "9edbbbd29fe08f953d2ca7a1d6fedfbc", "id": 7}, {"size": 1, "samples": [{"hash": "8qNMWbMiZ4k", "uri": "/contracts/8qNMWbMiZ4k#security-model", "label": "Quantum Key Distribution Protocol", "score": 29.3034515381, "published": true}], "snippet": "\u200c We consider a hybrid security model by combining a computational assumption, that there exist a short-term- secure computational encryption, and conversely assum- ing that any optical quantum memory is technologically bound to decohere within a timescale shorter than the time for which the computational encryption is secure. This new, Quantum Computational Hybrid (QCH) secu- rity model, is formally defined as:", "snippet_links": [{"key": "hybrid-security", "type": "definition", "offset": [16, 31]}], "hash": "f5d3a81a2ac8a2ba94ea5a17ced52351", "id": 8}, {"size": 1, "samples": [{"hash": "gEoCl0Z6QDR", "uri": "/contracts/gEoCl0Z6QDR#security-model", "label": "Authentication and Key Agreement Protocol", "score": 28.9841957092, "published": true}], "snippet": "We formulated a series of games between challenger \u2587 and adversary \ud835\udc34 to define our security model. Assume that participant \u220f\ud835\udc56 \u2208 {\ud835\udc48, \ud835\udc38\ud835\udc37, \ud835\udc36\ud835\udc46} represents the i-th instance and \ud835\udeec represents the entire protocol. The \ud835\udc34 can ask the \ud835\udc36 oracle queries, and the C can respond. 
\u26ab \ud835\udc46\ud835\udc52\ud835\udc5b\ud835\udc51(\u220f\ud835\udc56, \ud835\udc5a): If A asks the query for the message \ud835\udc5a, the \ud835\udc36 executes the specific steps of the protocol and returns the result. \u26ab \ud835\udc38\ud835\udc65\ud835\udc52\ud835\udc50\ud835\udc62\ud835\udc61\ud835\udc52(\u220f\ud835\udc48 , \u220f\ud835\udc38\ud835\udc37 , \u220f\ud835\udc36\ud835\udc46): This oracle query models a", "snippet_links": [{"key": "our-security", "type": "clause", "offset": [79, 91]}, {"key": "the-c", "type": "clause", "offset": [247, 252]}, {"key": "the-protocol", "type": "clause", "offset": [357, 369]}], "hash": "982eac4259be0b07666a9df58c6361bb", "id": 9}, {"size": 1, "samples": [{"hash": "lpB4uhl0cJG", "uri": "/contracts/lpB4uhl0cJG#security-model", "label": "Thesis Submission", "score": 21.0, "published": true}], "snippet": "The security of ring signature schemes is defined via the following notions.", "snippet_links": [{"key": "security-of", "type": "clause", "offset": [4, 15]}], "hash": "22185cc72e2ca879df1219f55d784c83", "id": 10}], "next_curs": "ClcSUWoVc35sYXdpbnNpZGVyY29udHJhY3RzcjMLEhZDbGF1c2VTbmlwcGV0R3JvdXBfdjU2IhdzZWN1cml0eS1tb2RlbCMwMDAwMDAwYQyiAQJlbhgAIAA=", "clause": {"size": 35, "title": "Security Model", "parents": [["security-of-the-byka-scheme", "Security of the Byka Scheme"], ["cryptographic-investigation", "Cryptographic Investigation"], ["key-generation-kg", "\u2013 Key Generation KG"], ["model", "Model"], ["the-non-generic-forking-lemma", "The Non-Generic Forking Lemma"]], "children": [["system-breakdown", "System Breakdown"], ["adversary", "Adversary"], ["vulnerabilities", "Vulnerabilities"], ["broadcast-communication-and-player-failure", "Broadcast Communication and Player Failure"], ["authenticated-links", "Authenticated Links"]], "id": "security-model", "related": [["security-measures", "Security Measures", "Security Measures"], ["security-technology", "Security Technology", "Security Technology"], 
["security-protocols", "Security Protocols", "Security Protocols"], ["security-safeguards", "Security Safeguards", "Security Safeguards"], ["security-program", "Security Program", "Security Program"]], "related_snippets": [], "updated": "2025-07-24T06:48:53+00:00", "also_ask": [], "drafting_tip": null, "explanation": "The Security Model clause defines the standards and protocols that must be followed to protect data, systems, or assets from unauthorized access, breaches, or other security threats. It typically outlines the technical and organizational measures required, such as encryption, access controls, regular security assessments, and incident response procedures. By establishing clear security expectations and responsibilities, this clause helps prevent data breaches and ensures both parties understand their obligations to maintain a secure environment."}, "json": true, "cursor": ""}}