Security Proof Sample Clauses

Security Proof. We prove the security (i.e. ID-mBJM security plus PFS) of our new protocol E-IBAK in stages. We first give a basic identity-based protocol, E-IBAK′, which does not provide perfect forward secrecy, and prove that it is ID-mBJM secure using the Xxxxx–Paterson modular technique. We then prove that the protocol E-IBAK is also secure in the ID-mBJM model and provides perfect forward secrecy. The only reason for describing the protocol E-IBAK′ is to make the presentation easier to follow. Protocol E-IBAK′ is almost identical to protocol E-IBAK except that the final session key is computed as $sk_{AB} = H'(A, X, XX, XX, Xx, Xx)$, where $H' : \{0,1\}^* \times \{0,1\}^* \times G_1 \times G_1 \times G_2 \times G_2 \to \{0,1\}^k$ is a key derivation function. In other words, without the value Fab being part of the session string. With the description of the ID-mBJM model in Section 2.3, we now state:
Security Proof. We now consider the security of our concurrent A-BA protocol. Before stating the theorem, it is worth noting that the specific parameters of the hybrid model, which combine the different ideal functionalities, are not explicitly specified in the theorem statement. However, they can be determined from the protocol’s parameters and are integral to the overall security guarantees of the protocol. Now, let us state the theorem formally:
Security Proof. Theorem 1. The protocol is a secure AK, provided the CDH assumption holds and the hash function H is modeled as a random oracle.
Security Proof. F Having described our A-OCC protocol, we proceed to present and prove the formal security statement that demonstrates how the protocol UC-realizes a-occ. However, we first prove a combinatorial observation regarding vectors of random values that facilitates the security proof. We formulate this observation separately in the following lemma, as it may be of independent interest. ⊆ | | ≥ ∈ ≤
Security Proof. Theorem 1. The proposed tripartite STS key confirmation protocol is secure in the sense of Definition 4 if the underlying digital signature scheme is secure against the adaptively chosen message attack and the CDHP is hard. Proof: the proof is given in the appendix.
Security Proof. The security proof of the proposed scheme against various threats is elaborated below:
Security Proof. Theorem 14. The 2SM scheme defined in Figure 2 is non-adaptively (t, q, 2qspke)-secure, where spke is such that the PKE protocol is (tj, spke)-secure for tj ≈ t. Proof. Let q1, . . . , qq be the sequence of queries made by the adversary, which we can fix in advance because it is non-adaptive. Without loss of generality these queries satisfy 2SM-safe. Similarly, we assume the adversary never fails a require clause. Then in terms of the bit b sampled at the beginning of the game, Adv = 2SM 2sm-na
Security Proof. The proof follows that of Xxxxxxx and Rogaway [4]; differences include the number of entities involved and the different partnering function used. The validity of the protocol is straightforward to verify. Thus, it remains to prove that the protocol satisfies the indistinguishability requirement. The general idea of the security proof is to assume that the adversary can gain a non-negligible advantage in distinguishing test keys, and use this to break the assumption about the security of the underlying encryption scheme or the signature scheme. Since the adversary relies on its oracles to run, we simulate the oracles so that we can supply the answers to all the queries the adversary might ask. In our protocol we assume that the principals involved in each conference are the same. We do not assume that the same principal acts as the initiator. The case where the set of principals is chosen dynamically is easily handled too. The effect on the security proof is to make the reduction less tight. Following Xxxxxxx and Rogaway [4] we need to extend the definition of a secure encryption scheme to allow the adversary to obtain encryptions of the same plaintext under multiple different independent encryption keys. Such an adversary is termed a multiple eavesdropper. We can bound the advantage of a multiple eavesdropper by considering it as a special case of the multi-user setting analysed by Bellare et al. [5]. In their notation we have the case of qe = 1, meaning that the eavesdropper can only obtain one encryption for each public key. Let r be the number of encryptions of the same plaintext message seen by a multiple eavesdropper. Specialising their main theorem gives the following.
Security Proof. We prove the security of the protocol by a usual reduction argument. More precisely we show how to reduce the existence of an adversary breaking the protocol into an algorithm that is able to break the SDH Assumption with non-negligible probability. The adversary is modeled as a CK attacker (see Section 2.1 for details): in particular it will choose a test session among the complete and unexposed sessions and will try to distinguish between its real session key and a random one. In our reduction we will make use of the General Forking Xxxxx, stated by Bellare and Xxxxx in [2]. It follows the original forking lemma of Xxxxxxxxxxx and Xxxxx [31], but, unlike that, it makes no mention of signature schemes and random oracles. In this sense it is more general and it can be used to prove the security of our protocol. We briefly recall it in the following.
Security Proof. P A A P Σ