Security Model. We describe below the adversarial model following Bresson et al.’s [15] formal security model that we adopt for the security analysis of our protocols. This model is more general in the sense that it covers authenticated key agreement in group setting and suited for dynamic groups. P A P { } Let = U1, . . . , Un be a set of n (fixed) users or participants. At any point of time, any subset of may decide to establish a session key. Thus a user can execute the protocol for group key agreement several times withdifferent partners, can join or leave the group at his desire by executing the protocols for Join or Leave. We identify the execution of protocols for key agreement, member(s) join and member(s) leave as different sessions. The adversarial model consists of allowing each user an unlimited number of instances with which it executes the protocol for key agreement or inclusion or exclusion of a user or a set of users. We assume adversary never participates as a user in the protocol. This adversarial model allows concurrent execution of the protocol. The interaction between the adversary and the protocol participants occur only via oracle queries, which model the adversary’s capabilities in a real attack. Let S, S1, S2 be three sets defined as: S = {(V1, i1), . . . , (Vl, il)}, S1 = {(Vl+1, il+1), . . . , (Vl+k, il+k)}, S2 = {(Vj1 , ij1 ), . . . , (Vjk , ijk )} where {V1, . . . , Vl} is any non-empty subset of P. We will require the following notations. Π i U U ski : i-th instance of user U . U : session key after execution of the protocol by Πi . sidi : session identity for instance Πi . We set sidi = S = {(U1, i1), . . . , (Uk, ik)} U U U1 Uk such that (U, i) ∈ S and Xx0 , . . . , Xxx U wish to agree upon a common key. pidi : partner identity for instance Πi , defined by pidi = {U1, . . . , Uk}, U U such that (Uj, ij) ∈ sidi U U for all 1 ≤ j ≤ k. U acci : 0/1-valued variable which is set to be 1 by Πi U the session and 0 otherwise. upon normal termination of U ∈ / ∩ ∅ We will make the assumption that in each session at most one instance of each user participates. Further, an instance of a particular user participates in exactly one session. This is not a very restrictive assumption, since a user can spawn an instance for each session it participates in. On the other hand, there is an important consequence of this assumption. Suppose there are several sessions which are being concurrently executed. Let the session ID’s be sid1, . . . , sidk. Then for any ...
Security Model. We now briefly describe the formal security model of Bel- xxxx et al. [6] as standardized by Xxxxxxx et al. [12, 13] and refer the reader to [6, 12, 13] for more details. A protocol P for password-based group key agreement assumes that there is a set P = {U1, U2, . . . , Un} of n users (n is fixed), who share a low entropy secret password pw drawn uniformly from a small dictionary of size N . The adversary is given control over all communication in the external network. U U U We assume that users do not deviate from the protocol and adversary never participates as a user in the proto- col. This adversarial model allows concurrent execution of the protocol among n users. The interaction between the adversary A and the protocol participants occur only via oracle queries, which model the adversary’s capabil- ities in a real attack. These queries are as follows (Πi denotes the i-th instance of user U and ski denotes the session key after execution of the protocol by Πi ): U – Send(U, i, m): The adversary can carry out an ac- tive attack by this query. The adversary may in- tercept a message and then either modify it, create a new one or simply forward it to the intended par- ticipant. The output of the query is the reply (if any) generated by the instance Πi upon receipt of message m. The adversary is allowed to prompt the U unused instance Πi to initiate the protocol by invok- 2 Preliminaries In this section, we define the Computation Xxxxxx-Xxxxxxx (CDH) problem and describe the security notion that a password-based group key agreement protocol should achieve. We use the notation a∈RS to denote that a is chosen uniformly from the set S.
Security Model. The model is defined by the following game which is run between a challenger C H and an adversary A . A controls all communications from and to the protocol participants via accessing to a set of oracles as described below. Every participant involved in a session is treated as an oracle. We denote an instance i of the participant U as k = sr (R + PK − X ) = sr (r + s − x )P = ∏i , where U ∈ {C , · · · ,C } S S. Each client C has an 3 S C C C S C C C U 1 n (rC + sC − xC)rSsP = (rC + sC − xC)RS = k4. Thus the client C and the server S establish a common session key sk = H4(IDC, RS, RC,WC, Ppub, k3) = H4(IDC, RS, RC,WC, Ppub, k4).
Security Model. This section defines the components of the system, the adversary and its capabilities and the meaning of system breakdown.
Security Model. We prove our protocols secure in the Universal Composability framework intro- duced in [Can01]. This model is explained in Appendix A.
Security Model. Players. We assume that two users A and B participate in the key agreement protocol P. Each of them may have several instances called oracles involved in i distinct executions of P. We denote instance s of i ∈ {A, B} by Πs for an A,B integer s ∈ N. We also use the notation Πs to define the s-th instantiation of P A executing with B. Adversarial Model. We allow a probabilistic polynomial time (PPT) adver- sary F to access to all message flows in the system. All oracles only communicate with each other via F . F can replay, modify, delay, interleave or delete messages. At any time, the adversary F can make the following queries: – Execute(A, B ): This query models passive attacks, where F gets access to an honest execution of P between A and B by eavesdropping. – Send(Πs, m): This query models F sending a message m to instance Πs.
Security Model. We assume that the reader is familier with the model of Xxxxxxx et al. [14], which is the model in which we prove security of our dynamic key aggreement protocol. For completeness, we review their definitions and refer the reader to [14] for more details. U Let P = {U1, . . . , Un} be a set of n (fixed) users or participants. A user can execute the protocol for group key agreement several times with different partners, can join or leave the group at it’s desire by executing the protocols for Insert or Delete. We assume that users do not deviate from the protocol and adversary never participates as a user in the protocol. This adversarial model allows concurrent execution of the protocol. The interaction between the adversary A and the protocol participants occur only via oracle queries, which model the adversary’s capabilities in a real attack. These queries are as follows, where Π U Πi . denotes the i-th instance of user U and ski denotes the session key after execution of the protocol by – Send(U, i, m) : This query models an active attack, in which the adversary may intercept a message and then either modify it, create a new one or simply forward it to the intended participant. The U output of the query is the reply (if any) generated by the instance Πi upon receipt of message m. U The adversary is allowed to prompt the unused instance Πi to initiate the protocol with partners U2, . . . , Ul, l ≤ n, by invoking Send(U, i, ⟨U2, . . . , Ul⟩). – Execute({(V1, i1), . . . , (Vl, il)}) : Here {V1, . . . , Vl} is a non empty subset of P. This query models passive attacks in which the attacker evesdrops on honest execution of group key agreement protocol among unused instances Πi1 , . . . , Πil and outputs the transcript of the execution. A transcript consists of V1 Vl the messages that were exchanged during the honest execution of the protocol. U – Join({(V1, i1), . . . , (Vl, il)}, (U, i)) : This query models the insertion of a user instance Πi in the group (V1, . . . , Vl) ∈ P for which Execute have already been queried. The output of this query is the transcript generated by the invocation of algorithm Insert. If Execute({(V1, i1), . . . (Vl, il)}) has not taken place, then the adversary is given no output. U – Leave({(V1, i1), . . . , (Vl, il)}, (U, i)) : This query models the removal of a user instance Πi from the group (V1, . . . Vl) ∈ P. If Execute({(V1, i1), . . . (Vl, il)}) has not taken place, then the adversary is given no output. Otherwise, algorit...
Security Model. We assume that there exists an adversary A. All messages available in the network are also available to A. This includes all the messages sent by any set S∗ of users within the system. The main goal of A is to attack the scheme by decrypting any messages sent in the network intended to any set of users in S∗ but not him. A is considered to be successful if he wins the following interactive experiment. n • Init: A picks a set of users S ∗ = {ID∗ ,⋯, ID∗} that he wants to attack (with n≤N) and sents S* to challenger C . • Setup: Challenger C runs the setup algorithm and sends adversary A the public parameters PK.
Security Model. The security of ring signature schemes is defined via the following notions.
