Security Proof Sample Clauses

Security Proof. In this section we present the formal security proof for our protocol described in the previous section. But before proceeding with the formal security proof we provide an informal discussion how our construction presented in Section 6 counters and fixes all the attacks presented in [MM13] for the protocol [FAA14].

Security Proof. ‌ We now consider the security of our concurrent A-BA protocol. Before stating the theorem, it is worth noting that the specific parameters of the hybrid model, which combine the different ideal functionalities, are not explicitly specified in the theorem statement. However, they can be determined from the protocol’s parameters and are integral to the overall security guarantees of the protocol. Now, let us state the theorem formally:

Security Proof. We prove the security (i.e. ID-mBJM security plus PFS) of our new protocol E-IBAK in stages. We first give a basic identity-based protocol, E-IBAK′, which does not provide perfect forward secrecy, and prove that it is ID-mBJM secure using the ▇▇▇▇▇–Paterson modular technique. We then prove that the protocol E-IBAK is also secure in the ID- mBJM model and provides perfect forward secrecy. The only reason for describing the protocol E-IBAK′ is to make the presentation easier to follow. Protocol E-IBAK′ is almost identical to protocol E-IBAK except that the final session key is computed as AB = H (A, B, TA, TB, F , F ), where H′ : {0, 1}∗ ×{0, 1}∗ × G1 × G1 × G2 × G2 → {0, 1}k is a key derivation function. In other words, without the value Fab being part of the session string. With the description of the ID-mBJM model in Section 2.3, we now state:

Security Proof. Our protocol for component labeling achieves security in the honest-but-curious model with random oracles. We write the proof in a hybrid model in which the parties have access to a functionality F GC that takes the place of their garbled circuit evaluations. F GC takes the description of a circuit c and two parties’ inputs and it returns the evaluation of c on those inputs to the parties, revealing the order of c’s output gates. The parties invoke F GC to evaluate their garbled circuits. We denote by F lbl = (F lbl, F lbl) the two-party component labeling functionality. Recall that Filbl is

Security Proof. To prove security of this protocol, we analyze the security of an equivalent entanglement based version. Here, instead of having ▇▇▇▇▇ prepare and send a quantum state, we allow Eve the ability to create any arbitrary initial state, sending part to ▇▇▇▇▇ and the other parts to the p Bob’s while also potentially maintaining a private entangled ancilla. Clearly security in this case will imply security of the prepare-and-measure version discussed in the previous section. We also use as a foundation, a proof methodology we introduced in [26], though making several modifications for the multi-party protocol being analyzed here. Our proof of security, at a high level, proceeds in three steps: first we define an analyze an appropriate classical sampling strategy allowing us to use Theorem 1; second, we analyze the ideal states produced by that Theorem; and third, finally, we promote that ideal-case analysis to the real state.

Security Proof. The protocol is a secure AK, provided the CDH assumption holds and the hash function H is mod- eled as a random oracle.

Security Proof. Ω,SE Ω,ME The security proof given by ▇▇▇▇▇▇▇ 1 is similar to the scheme [41, 43]. Theorem 1: Suppose A is an adversary active in polynomial time t against our scheme LS in the random oracle. PD is a uniform distribu- tion of password dictionary, |PD| is the size of PD, l is number of bits in the biological key σi. And qh, qsend is the number of H queries, Send queries. HASH is the range space of h(·). AdvIND−CPA(n)/AdvIND−CPA(n) is the advantage of of breaking the IND-CPA secure cipher Ω. And AdvIND−CPA(n)=AdvIND−CPA(n) or AdvIND−CPA(n). Ω Ω,SE Ω,ME Proof : Next, we will use five game completion proofs say Gamei (i = 0, 1, 2, 3, 4). Assume that PSi is an event in which the adversary A can cor- rectly guess the random bit c in Gamei.

Security Proof. In this section, we will prove the PAKA protocol can provide secure authentication and key agreement by using the widely-accepted BAN logic [10], [11], [29]. The notations and rules about BAN logic are illustrated as follows: #( X ) : X is fresh. P  X : P sees X . P |⇒ X : P |≡ X : P has jurisdiction over X . P believes X is true. P |~ X : P once said X . < X >Y : X is combined with Y . ( X ,Y ) : X or Y is one part of ( X ,Y ) . PXQ : X is secretly known to P and Q and trusted by them. P ←k→Q : P and Q may use the shared key k to communicate. The key k will never be discovered by anyentity except P and Q. • Rule1 : The message-meaning rule: • Rule2 : The nonce-verification rule: P |≡ PYQ, P < X >Y P |≡ Q |~ X ; P |≡#( X ), P |≡ Q |~ X ; P |≡ Q |≡ X • Rule3 : The jurisdiction rule: P |≡ Q |⇒ X , P |≡ Q |≡ X ; P |≡ X • Rule4 : The freshness rule: P |≡#( X ) . P |≡#( X ,Y ) According to the analytic procedures of the BAN logic, the PAKA protocol should achieve the following goals: • Goal1: U |≡ PS |≡ (U ←SK→ PS ) ; • Goal2: U |≡ (U ←SK→ PS ) ; • Goal3: PS |≡ U |≡ (U ←SK→ PS ) ; • Goal4: PS |≡ (U ←SK→ PS ) . First, we idealize the communication messages of the PAKA protocol as follows: (In order to simplify, let A = h(Cij || Dij || IDjk ) . • msg1: Ui → MS j :< Cij , IDS j , IDjk , Rc >Ui Dij MS j ; • msg2: MS j → PS jk :< IDS j , IDjk , Rc , Rs ,Ui A(MS j , PS jk ) >MS j Xij PS jk ; • msg3: PS → U :< ID , R , R ,U ←SK → PS > . . jk Ui A( MS j ,PS jk ) Second, the following assumptions about the initial state are made to analyze the PAKA protocol: • H1: Ui |≡#(Rc ) ; • H2: MS j |≡#(Rs ) ; • H3: PS jk |≡#(Rk ) ; • H4: Ui |≡ Ui A(MS j , PS jk ) ; • H5: U |≡ PS |⇒ (U ←SK→ PS ) ; • H6: MS j |≡ Ui Dij MS j ; • H7: PS jk |≡ PS jk X ijMS j • H8: PS jk |≡ MS j |⇒ (Ui A(MS j , PS jk )) ; • H9: PS |≡ U |⇒ (U ←SK→ PS ) . Third, the main proofs of the idealized form of PAKA protocol based on the BAN logic rules and assumptions is analyzed as follows: From msg3, we get: U < ID , R , R ,U ←SK → PS > ; jk Ui A( MS j ,PS jk ) From H4, S1 and Rule1, we get: U |≡ U , PS ),U < ID , R , R ,U ←SK→ PS > jk Ui A( MS j ,PS jk ) ; U |≡ PS |~< ID , R , R ,U ←SK→ PS > From H1, S2, Rule2 and Rule4 we have: Ui |≡#(Rc ) ; U |≡#< ID , R , R ,U ←SK → PS > U |≡#< ID , R , R ,U ←SK→ PS >,U |≡ PS |~< ID , R , R ,U ←SK → PS > U |≡ PS |≡< ID , R , R ,U ←SK → PS > U |≡ PS |≡ (U ←SK→ PS ) (Goal1); From H5, S3, and Rule3 we obtain: Ui |≡ PS jk |⇒ (Ui ←SK→ PS ),Ui |≡ PS jk |≡ (U...

Security Proof. F ⊆ | | ≥ ∈ ≤