Common use of Security Proof Clause in Contracts

Security Proof. We prove the security (i.e. ID-mBJM security plus PFS) of our new protocol E-IBAK in stages. We first give a basic identity-based protocol, E-IBAK′, which does not provide perfect forward secrecy, and prove that it is ID-mBJM secure using the ▇▇▇▇▇–Paterson modular technique. We then prove that the protocol E-IBAK is also secure in the ID- mBJM model and provides perfect forward secrecy. The only reason for describing the protocol E-IBAK′ is to make the presentation easier to follow. Protocol E-IBAK′ is almost identical to protocol E-IBAK except that the final session key is computed as AB = H (A, B, TA, TB, F , F ), where H′ : {0, 1}∗ ×{0, 1}∗ × G1 × G1 × G2 × G2 → {0, 1}k is a key derivation function. In other words, without the value Fab being part of the session string. With the description of the ID-mBJM model in Section 2.3, we now state:

Security Proof. We prove the security (i.e. ID-mBJM security plus PFS) of our new protocol E-IBAK in stages. We first give a basic identity-based protocol, E-IBAK′IBAKj, which does not provide perfect forward secrecy, and prove that it is ID-mBJM secure using the ▇▇▇▇▇–Paterson modular technique. We then prove that the protocol E-IBAK is also secure in the ID- mBJM model and provides perfect forward secrecy. The only reason for describing the protocol E-IBAK′ IBAKj is to make the presentation easier to follow. Protocol E-IBAK′ IBAKj is almost identical to protocol E-IBAK except that the final session key is computed as AB skAB = H (AHj(A, B▇, TA▇▇, TB▇▇, F ▇▇, F ▇▇), where H′ Hj : {0, 1}∗ ×{0, 1}∗ × G1 × G1 × G2 × G2 → {1 ∗ 0, 1}k 1 ∗ G1 G1 G2 G2 0, 1 k is a key derivation function. In other words, without the value Fab being part of the session string. With the description of the ID-mBJM model in Section 2.3, we now state: