{"component": "clause", "props": {"groups": [{"snippet_links": [{"key": "the-proposed", "type": "clause", "offset": [11, 23]}, {"key": "definition-4", "type": "clause", "offset": [91, 103]}, {"key": "digital-signature", "type": "clause", "offset": [122, 139]}, {"key": "the-appendix", "type": "clause", "offset": [253, 265]}], "samples": [{"hash": "lK5Sr0YwYax", "uri": "/contracts/lK5Sr0YwYax#security-proof", "label": "Secure Tripartite STS Key Agreement Protocol", "score": 18.2290786925, "published": true}, {"hash": "lpmS0DsroZy", "uri": "/contracts/lpmS0DsroZy#security-proof", "label": "Secure Tripartite STS Key Agreement Protocol", "score": 17.6146469116, "published": true}], "snippet": "Theorem 1. The proposed tripartite STS key confirmation protocol is secure in the sense of Definition 4 if the underlying digital signature scheme is secure against the adaptively chosen message attack and the CDHP is hard. Proof: the proof is given in the appendix.", "size": 2, "hash": "fa0cada4c68819f05c328d1038d23558", "id": 1}, {"snippet_links": [{"key": "the-formal", "type": "clause", "offset": [27, 37]}, {"key": "we-provide", "type": "clause", "offset": [158, 168]}, {"key": "informal-discussion", "type": "clause", "offset": [172, 191]}, {"key": "in-section-6", "type": "clause", "offset": [223, 235]}, {"key": "the-protocol", "type": "clause", "offset": [295, 307]}], "samples": [{"hash": "kBX5p9IOgOp", "uri": "/contracts/kBX5p9IOgOp#security-proof", "label": "Identity Based Authenticated Key Agreement Protocol", "score": 23.1234912872, "published": true}], "snippet": "In this section we present the formal security proof for our protocol described in the previous section. 
But before proceeding with the formal security proof we provide an informal discussion how our construction presented in Section 6 counters and fixes all the attacks presented in [MM13] for the protocol [FAA14].", "size": 2, "hash": "22a1f1fc411e98febd735946a9d35681", "id": 2}, {"snippet_links": [{"key": "security-of", "type": "clause", "offset": [22, 33]}, {"key": "hybrid-model", "type": "clause", "offset": [147, 159]}, {"key": "the-protocol", "type": "clause", "offset": [304, 316]}, {"key": "integral-to", "type": "definition", "offset": [338, 349]}, {"key": "security-guarantees", "type": "clause", "offset": [362, 381]}, {"key": "let-us", "type": "clause", "offset": [404, 410]}], "samples": [{"hash": "3Iab5IdLAzZ", "uri": "/contracts/3Iab5IdLAzZ#security-proof", "label": "Byzantine Agreement", "score": 32.9769973755, "published": true}], "snippet": "\u200c We now consider the security of our concurrent A-BA protocol. Before stating the theorem, it is worth noting that the specific parameters of the hybrid model, which combine the different ideal functionalities, are not explicitly specified in the theorem statement. However, they can be determined from the protocol\u2019s parameters and are integral to the overall security guarantees of the protocol. 
Now, let us state the theorem formally:", "size": 2, "hash": "212be14419d4c7959d6296528cc1da21", "id": 3}, {"snippet_links": [{"key": "the-security", "type": "clause", "offset": [9, 21]}, {"key": "perfect-forward-secrecy", "type": "clause", "offset": [172, 195]}, {"key": "the-\u2587", "type": "clause", "offset": [239, 244]}, {"key": "the-protocol", "type": "clause", "offset": [296, 308]}, {"key": "the-final", "type": "clause", "offset": [557, 566]}, {"key": "session-key", "type": "definition", "offset": [567, 578]}, {"key": "the-value", "type": "clause", "offset": [737, 746]}, {"key": "description-of-the", "type": "definition", "offset": [794, 812]}, {"key": "section-23", "type": "clause", "offset": [830, 841]}], "samples": [{"hash": "iePLKCiVy5q", "uri": "/contracts/iePLKCiVy5q#security-proof", "label": "Key Agreement Protocol", "score": 19.0, "published": true}], "snippet": "We prove the security (i.e. ID-mBJM security plus PFS) of our new protocol E-IBAK in stages. We first give a basic identity-based protocol, E-IBAK\u2032, which does not provide perfect forward secrecy, and prove that it is ID-mBJM secure using the \u2587\u2587\u2587\u2587\u2587\u2013Paterson modular technique. We then prove that the protocol E-IBAK is also secure in the ID-mBJM model and provides perfect forward secrecy. The only reason for describing the protocol E-IBAK\u2032 is to make the presentation easier to follow. Protocol E-IBAK\u2032 is almost identical to protocol E-IBAK except that the final session key is computed as AB = H (A, B, TA, TB, F , F ), where H\u2032 : {0, 1}\u2217 \u00d7{0, 1}\u2217 \u00d7 G1 \u00d7 G1 \u00d7 G2 \u00d7 G2 \u2192 {0, 1}k is a key derivation function. In other words, without the value Fab being part of the session string. 
With the description of the ID-mBJM model in Section 2.3, we now state:", "size": 2, "hash": "f2f610ec239a2f4f91e8923cffb9f97a", "id": 4}, {"snippet_links": [{"key": "hybrid-model", "type": "clause", "offset": [131, 143]}, {"key": "the-parties", "type": "definition", "offset": [153, 164]}, {"key": "access-to", "type": "definition", "offset": [170, 179]}, {"key": "place-of", "type": "definition", "offset": [216, 224]}, {"key": "description-of", "type": "definition", "offset": [275, 289]}, {"key": "the-evaluation", "type": "clause", "offset": [341, 355]}, {"key": "order-of", "type": "clause", "offset": [407, 415]}], "samples": [{"hash": "34D4VC0MorF", "uri": "/contracts/34D4VC0MorF#security-proof", "label": "Private Identity Agreement", "score": 29.2925014496, "published": true}], "snippet": "Our protocol for component labeling achieves security in the honest-but-curious model with random oracles. We write the proof in a hybrid model in which the parties have access to a functionality F GC that takes the place of their garbled circuit evaluations. F GC takes the description of a circuit c and two parties\u2019 inputs and it returns the evaluation of c on those inputs to the parties, revealing the order of c\u2019s output gates. The parties invoke F GC to evaluate their garbled circuits. We denote by F lbl = (F lbl, F lbl) the two-party component labeling functionality. 
Recall that Filbl is", "size": 1, "hash": "86b830aedb092153d8ae7fa429b1e3ca", "id": 5}, {"snippet_links": [{"key": "the-security", "type": "clause", "offset": [47, 59]}, {"key": "ability-to", "type": "clause", "offset": [186, 196]}, {"key": "other-parts", "type": "clause", "offset": [263, 274]}, {"key": "the-p", "type": "clause", "offset": [278, 283]}, {"key": "security-of-the", "type": "clause", "offset": [395, 410]}, {"key": "the-multi", "type": "clause", "offset": [586, 595]}, {"key": "proof-of", "type": "clause", "offset": [636, 644]}, {"key": "high-level", "type": "definition", "offset": [660, 670]}, {"key": "three-steps", "type": "clause", "offset": [684, 695]}, {"key": "an-appropriate", "type": "clause", "offset": [724, 738]}, {"key": "sampling-strategy", "type": "clause", "offset": [749, 766]}, {"key": "case-analysis", "type": "definition", "offset": [901, 914]}], "samples": [{"hash": "MTwZXyrsWj", "uri": "/contracts/MTwZXyrsWj#security-proof", "label": "Quantum Conference Key Agreement", "score": 25.043806076, "published": true}], "snippet": "To prove security of this protocol, we analyze the security of an equivalent entanglement based version. Here, instead of having \u2587\u2587\u2587\u2587\u2587 prepare and send a quantum state, we allow Eve the ability to create any arbitrary initial state, sending part to \u2587\u2587\u2587\u2587\u2587 and the other parts to the p Bob\u2019s while also potentially maintaining a private entangled ancilla. Clearly security in this case will imply security of the prepare-and-measure version discussed in the previous section. We also use as a foundation, a proof methodology we introduced in [26], though making several modifications for the multi-party protocol being analyzed here. 
Our proof of security, at a high level, proceeds in three steps: first we define and analyze an appropriate classical sampling strategy allowing us to use Theorem 1; second, we analyze the ideal states produced by that Theorem; and third, we promote that ideal-case analysis to the real state.", "size": 1, "hash": "3ac07cc8623300d702f6feee6d88b2e8", "id": 6}, {"snippet_links": [{"key": "the-protocol", "type": "clause", "offset": [0, 12]}], "samples": [{"hash": "ab2RNopA39n", "uri": "/contracts/ab2RNopA39n#security-proof", "label": "Key Agreement Protocol", "score": 24.3761901855, "published": true}], "snippet": "The protocol is a secure AK, provided the CDH assumption holds and the hash function H is modeled as a random oracle.", "size": 1, "hash": "4dfe554496ea7cd896958b297e50d08e", "id": 7}, {"snippet_links": [{"key": "the-security", "type": "clause", "offset": [10, 22]}, {"key": "similar-to", "type": "definition", "offset": [51, 61]}, {"key": "the-scheme", "type": "clause", "offset": [62, 72]}, {"key": "our-scheme", "type": "definition", "offset": [156, 166]}, {"key": "number-of", "type": "clause", "offset": [276, 285]}, {"key": "an-event", "type": "clause", "offset": [661, 669]}], "samples": [{"hash": "ltIiybPD7sJ", "uri": "/contracts/ltIiybPD7sJ#security-proof", "label": "Multi Factor Based Session Secret Key Agreement", "score": 30.1148147583, "published": true}], "snippet": "\u2126,SE \u2126,ME The security proof given by \u2587\u2587\u2587\u2587\u2587\u2587\u2587 1 is similar to the scheme [41, 43]. Theorem 1: Suppose A is an adversary active in polynomial time t against our scheme LS in the random oracle. PD is a uniform distribution of password dictionary, |PD| is the size of PD, l is number of bits in the biological key \u03c3i. And qh, qsend is the number of H queries, Send queries. HASH is the range space of h(\u00b7). AdvIND\u2212CPA(n)/AdvIND\u2212CPA(n) is the advantage of breaking the IND-CPA secure cipher \u2126. 
And AdvIND\u2212CPA(n)=AdvIND\u2212CPA(n) or AdvIND\u2212CPA(n). \u2126 \u2126,SE \u2126,ME Proof : Next, we will use five game completion proofs say Gamei (i = 0, 1, 2, 3, 4). Assume that PSi is an event in which the adversary A can correctly guess the random bit c in Gamei.", "size": 1, "hash": "b6ed521bc5414e0319ed03bd9bd99490", "id": 8}, {"snippet_links": [{"key": "secure-authentication", "type": "definition", "offset": [61, 82]}, {"key": "key-agreement", "type": "clause", "offset": [87, 100]}, {"key": "and-rules", "type": "clause", "offset": [172, 181]}, {"key": "the-shared", "type": "clause", "offset": [519, 529]}, {"key": "according-to", "type": "definition", "offset": [888, 900]}, {"key": "in-order-to", "type": "clause", "offset": [1210, 1221]}, {"key": "form-of", "type": "clause", "offset": [1889, 1896]}, {"key": "based-on", "type": "definition", "offset": [1911, 1919]}, {"key": "that-ms", "type": "clause", "offset": [2762, 2769]}, {"key": "security-goals", "type": "clause", "offset": [3934, 3948]}], "samples": [{"hash": "1BqORafiMbi", "uri": "/contracts/1BqORafiMbi#security-proof", "label": "Copyright", "score": 22.622177124, "published": true}], "snippet": "In this section, we will prove the PAKA protocol can provide secure authentication and key agreement by using the widely-accepted BAN logic [10], [11], [29]. The notations and rules about BAN logic are illustrated as follows: #( X ) : X is fresh. P \uf03c X : P sees X . P |\u21d2 X : P has jurisdiction over X . P |\u2261 X : P believes X is true. P |~ X : P once said X . < X >Y : X is combined with Y . ( X ,Y ) : X or Y is one part of ( X ,Y ) . PXQ : X is secretly known to P and Q and trusted by them. P \u2190\uf8e7k\u2192Q : P and Q may use the shared key k to communicate. The key k will never be discovered by any entity except P and Q. 
\u2022 Rule1 : The message-meaning rule: \u2022 Rule2 : The nonce-verification rule: P |\u2261 PYQ, P \uf03c< X >Y P |\u2261 Q |~ X ; P |\u2261#( X ), P |\u2261 Q |~ X ; P |\u2261 Q |\u2261 X \u2022 Rule3 : The jurisdiction rule: P |\u2261 Q |\u21d2 X , P |\u2261 Q |\u2261 X ; P |\u2261 X \u2022 Rule4 : The freshness rule: P |\u2261#( X ) . P |\u2261#( X ,Y ) According to the analytic procedures of the BAN logic, the PAKA protocol should achieve the following goals: \u2022 Goal1: U |\u2261 PS |\u2261 (U \u2190\uf8e7SK\u2192 PS ) ; \u2022 Goal2: U |\u2261 (U \u2190\uf8e7SK\u2192 PS ) ; \u2022 Goal3: PS |\u2261 U |\u2261 (U \u2190\uf8e7SK\u2192 PS ) ; \u2022 Goal4: PS |\u2261 (U \u2190\uf8e7SK\u2192 PS ) . First, we idealize the communication messages of the PAKA protocol as follows: (In order to simplify, let A = h(Cij || Dij || IDjk ) . \u2022 msg1: Ui \u2192 MS j :< Cij , IDS j , IDjk , Rc >Ui Dij MS j ; \u2022 msg2: MS j \u2192 PS jk :< IDS j , IDjk , Rc , Rs ,Ui A(MS j , PS jk ) >MS j Xij PS jk ; \u2022 msg3: PS \u2192 U :< ID , R , R ,U \u2190\uf8e7SK \u2192 PS > . . jk Ui A( MS j ,PS jk ) Second, the following assumptions about the initial state are made to analyze the PAKA protocol: \u2022 H1: Ui |\u2261#(Rc ) ; \u2022 H2: MS j |\u2261#(Rs ) ; \u2022 H3: PS jk |\u2261#(Rk ) ; \u2022 H4: Ui |\u2261 Ui A(MS j , PS jk ) ; \u2022 H5: U |\u2261 PS |\u21d2 (U \u2190\uf8e7SK\u2192 PS ) ; \u2022 H6: MS j |\u2261 Ui Dij MS j ; \u2022 H7: PS jk |\u2261 PS jk X ijMS j \u2022 H8: PS jk |\u2261 MS j |\u21d2 (Ui A(MS j , PS jk )) ; \u2022 H9: PS |\u2261 U |\u21d2 (U \u2190\uf8e7SK\u2192 PS ) . 
Third, the main proofs of the idealized form of PAKA protocol based on the BAN logic rules and assumptions is analyzed as follows: From msg3, we get: U \uf03c< ID , R , R ,U \u2190\uf8e7SK \u2192 PS > ; jk Ui A( MS j ,PS jk ) From H4, S1 and Rule1, we get: U |\u2261 U , PS ),U \uf03c< ID , R , R ,U \u2190\uf8e7SK\u2192 PS > jk Ui A( MS j ,PS jk ) ; U |\u2261 PS |~< ID , R , R ,U \u2190\uf8e7SK\u2192 PS > From H1, S2, Rule2 and Rule4 we have: Ui |\u2261#(Rc ) ; U |\u2261#< ID , R , R ,U \u2190\uf8e7SK \u2192 PS > U |\u2261#< ID , R , R ,U \u2190\uf8e7SK\u2192 PS >,U |\u2261 PS |~< ID , R , R ,U \u2190\uf8e7SK \u2192 PS > U |\u2261 PS |\u2261< ID , R , R ,U \u2190\uf8e7SK \u2192 PS > U |\u2261 PS |\u2261 (U \u2190\uf8e7SK\u2192 PS ) (Goal1); From H5, S3, and Rule3 we obtain: Ui |\u2261 PS jk |\u21d2 (Ui \u2190\uf8e7SK\u2192 PS ),Ui |\u2261 PS jk |\u2261 (Ui \u2190\uf8e7SK\u2192 PS ) ;(Goal2) From msg1, we get: Ui |\u2261 (Ui \u2190\uf8e7SK\u2192 PS ) MS j \uf03e< Cij , IDS j , IDjk , Rc >Ui Dij MS j ; From H6, S5 and Rule1, we also get: MS j |\u2261 Ui Dij MS j , MS j \uf03e< Cij , IDS , IDjk , Rc >U D MS MS j |\u2261 Ui |~< Cij , IDS j , IDjk , Rc > ; Here, we know that MS j |\u2261#(Rc ) , and MS j shares Rc PS jk |\u2261#(Rc ) . From msg2, we get: with PS jk . 
Then, PS jk PS jk \uf03c< IDS j , IDjk , Rc , Rs ,Ui A(MS j , PS jk ) >MS j Xij PS jk ; From H7, S7 and Rule1, we also get: PS jk |\u2261 PS jk X ijMS j , PS jk \uf03c< IDS j , IDjk , Rc , Rs ,Ui A(MS j , PS jk ) >MS j Xij PS jk PS jk |\u2261 MS j |~< IDS j , IDjk , Rc , Rs ,Ui A(MS j , PS jk ) > From S6, S8, Rule2 and Rule4 we also have: PS jk |\u2261#(Rc ) PS jk |\u2261#< IDS j , IDjk , Rc , Rs ,Ui A(MS j , PS jk ) > PS jk |\u2261#< IDS j , IDjk , Rc , Rs ,Ui A(MS j , PS jk ) >, PS jk |\u2261 MS j |~< IDS j , IDjk , Rc , Rs ,Ui A(MS j , PS jk ) > PS jk |\u2261 MS j |\u2261< IDS j , IDjk , Rc , Rs ,Ui A(MS j , PS jk ) > PS jk |\u2261 MS j |\u2261 (Ui A(MS j , PS jk )) From H8, S9 and Rule3 we also get: PS jk |\u2261 MS j |\u21d2 (Ui A(MS j , PS jk )), PS jk |\u2261 MS j |\u2261 (Ui A(MS j , PS jk )) PS jk |\u2261 (Ui A(MS j , PS jk )) From H3, S6, and S10 we can obtain: PS |\u2261 U |\u2261 (U \u2190\uf8e7SK\u2192 PS ) ;(Goal3) From H9, S11, and Rule3 we also obtain: |\u2261 Ui |\u21d2 (Ui \u2190\uf8e7SK\u2192 PS ), PS jk |\u2261 Ui |\u2261 (Ui \u2190\uf8e7SK\u2192 PS ) .(Goal4) PS jk |\u2261 (Ui \u2190\uf8e7SK\u2192 PS ) According to \u2587\u2587\u2587\u2587\u2587, \u2587\u2587\u2587\u2587\u2587, Goal3 and Goal4, we can conclude that our PAKA protocol is truly able to achieve the scheduled security goals.", "size": 1, "hash": "ae2755d5dc3ce87ab2a6b594116b6549", "id": 9}, {"snippet_links": [], "samples": [{"hash": "3Iab5IdLAzZ", "uri": "/contracts/3Iab5IdLAzZ#security-proof", "label": "Byzantine Agreement", "score": 32.9769973755, "published": true}], "snippet": "F \u2286 | | \u2265 \u2208 \u2264", "size": 1, "hash": "c9d9a18620f92d52c1b05e60f7c0a2c2", "id": 10}], "next_curs": "ClcSUWoVc35sYXdpbnNpZGVyY29udHJhY3RzcjMLEhZDbGF1c2VTbmlwcGV0R3JvdXBfdjU2IhdzZWN1cml0eS1wcm9vZiMwMDAwMDAwYQyiAQJlbhgAIAA=", "clause": {"parents": [["acknowledgments", "Acknowledgments"], ["organization-of-the-paper", "Organization of the Paper"], ["security-analysis", "Security Analysis"], 
["security-proof-f", "Security Proof\u200c\n\nF"], ["from-dcgka-to-decentralized-secure-group-messaging", "From DCGKA to Decentralized Secure Group Messaging"]], "size": 20, "title": "Security Proof", "children": [["", ""], ["proverif", "ProVerif"], ["protocol-modeling", "Protocol modeling"], ["threat-model-and-security-requirements", "Threat model and security requirements"], ["real-state-security", "Real State Security"]], "id": "security-proof", "related": [["security-protocols", "Security Protocols", "Security Protocols"], ["security-procedure", "Security Procedure", "Security Procedure"], ["security-program", "Security Program", "Security Program"], ["security-procedures", "Security Procedures", "Security Procedures"], ["information-security-program", "Information Security Program", "Information Security Program"]], "related_snippets": [], "updated": "2025-07-24T04:27:51+00:00"}, "json": true, "cursor": ""}}