Security Proof Clause Examples

Security Proof. In this section we present the formal security proof for our protocol described in the previous section. But before proceeding with the formal security proof we provide an informal discussion of how our construction presented in section 6 counters the attacks presented in [MM13] for the protocol [FAA14].
Security Proof. We now consider the security of our concurrent A-BA protocol. Before stating the theorem, it is worth noting that the specific parameters of the hybrid model, which combine the different ideal functionalities, are not explicitly specified in the theorem statement. However, they can be determined from the protocol's parameters and are integral to the overall security guarantees of the protocol. Now, let us state the theorem formally:
Security Proof. We prove the security (i.e. ID-mBJM security plus PFS) of our new protocol E-IBAK in stages. We first give a basic identity-based protocol, E-IBAK′, which does not provide perfect forward secrecy, and prove that it is ID-mBJM secure using the ▇▇▇▇▇–Paterson modular technique. We then prove that the protocol E-IBAK is also secure in the ID-mBJM model and provides perfect forward secrecy. The only reason for describing the protocol E-IBAK′ is to make the presentation easier to follow. Protocol E-IBAK′ is almost identical to protocol E-IBAK except that the final session key is computed as skAB = H′(A, B, TA, TB, Fa, Fb), where H′ : {0, 1}* × {0, 1}* × G1 × G1 × G2 × G2 → {0, 1}^k is a key derivation function; in other words, the value Fab is not part of the session string. With the description of the ID-mBJM model in Section 2.3, we now state:
Security Proof. Theorem 1. The proposed tripartite STS key confirmation protocol is secure in the sense of Definition 4 if the underlying digital signature scheme is secure against the adaptively chosen message attack and the CDHP is hard. Proof: the proof is given in the appendix.
Security Proof. Our protocol for component labeling achieves security in the honest-but-curious model with random oracles. We write the proof in a hybrid model in which the parties have access to a functionality F_GC that takes the place of their garbled circuit evaluations. F_GC takes the description of a circuit c and two parties' inputs and it returns the evaluation of c on those inputs to the parties, revealing the order of c's output gates. The parties invoke F_GC to evaluate their garbled circuits. We denote by F^lbl = (F^lbl_1, F^lbl_2) the two-party component labeling functionality. Recall that F^lbl_i is
Security Proof. The proof follows that of ▇▇▇▇▇▇▇ and Rogaway [4]; differences include the number of entities involved and the different partnering function used. The validity of the protocol is straightforward to verify. Thus, it remains to prove that the protocol satisfies the indistinguishability requirement. The general idea of the security proof is to assume that the adversary can gain a non-negligible advantage in distinguishing test keys, and use this to break the assumption about the security of the underlying encryption scheme or the signature scheme. Since the adversary relies on its oracles to run, we simulate the oracles so that we can supply the answers to all the queries the adversary might ask. In our protocol we assume that the principals involved in each conference are the same. We do not assume that the same principal acts as the initiator. The case where the set of principals is chosen dynamically is easily handled too. The effect on the security proof is to make the reduction less tight. Following ▇▇▇▇▇▇▇ and Rogaway [4] we need to extend the definition of a secure encryption scheme to allow the adversary to obtain encryptions of the same plaintext under multiple different independent encryption keys. Such an adversary is termed a multiple eavesdropper. We can bound the advantage of a multiple eavesdropper by considering it as a special case of the multi-user setting analysed by Bellare et al. [5]. In their notation we have the case of qe = 1, meaning that the eavesdropper can only obtain one encryption for each public key. Let r be the number of encryptions of the same plaintext message seen by a multiple eavesdropper. Specialising their main theorem gives the following. Lemma 1 ([5]). Suppose that an adversary has advantage at most s(k) for encryption scheme PE = (K, E, D). Then a multiple eavesdropper has advantage not more than r · s(k). We follow Bresson et al. [13] in dividing the proof into two cases.
Firstly we consider the case in which the adversary gains her advantage by forging a signature with respect to some user’s signing key. In this case we construct a simple signature forging algorithm F against Σ that uses A. In the second case, A gains her advantage without forging a signature. Then, we can construct an algorithm X that uses A against the security of the encryption algorithm.
Security Proof. The basis of QCKA is that all legitimate users share almost perfect multiparty entanglement states. If multiparty entanglement states are shared, then because of the monogamy of entanglement the users can obtain secure conference keys by measuring their states. Assume N users each prepare an entangled state which contains a local qubit and an optical mode. Based on the entanglement swapping concept, we assume that each user prepares a Bell state consisting of a virtual qubit and an optical mode. They send the optical mode to an untrusted relay to perform the GHZ state measurement and post-select the successful GHZ state measurement events [6], leaving the local qubits entangled. Similar to the security proof for the asynchronous MDI-QKD [37], here we provide the security proof for the AMDI-QCKA by using the entanglement swapping argument. We start from virtual protocols, which can be reduced to the practical protocol described in the main text.
Security Proof. In this section, we will prove that the PAKA protocol can provide secure authentication and key agreement by using the widely-accepted BAN logic [10], [11], [29]. The notations and rules of BAN logic are as follows:
#(X): X is fresh.
P ◁ X: P sees X.
P |≡ X: P believes X is true.
P |⇒ X: P has jurisdiction over X.
P |~ X: P once said X.
<X>_Y: X is combined with Y.
(X, Y): X or Y is one part of (X, Y).
P X Q: X is secretly known to P and Q and trusted by them.
P ←k→ Q: P and Q may use the shared key k to communicate. The key k will never be discovered by any entity except P and Q.
• Rule1 (the message-meaning rule): P |≡ P Y Q, P ◁ <X>_Y / P |≡ Q |~ X.
• Rule2 (the nonce-verification rule): P |≡ #(X), P |≡ Q |~ X / P |≡ Q |≡ X.
• Rule3 (the jurisdiction rule): P |≡ Q |⇒ X, P |≡ Q |≡ X / P |≡ X.
• Rule4 (the freshness rule): P |≡ #(X) / P |≡ #(X, Y).
According to the analytic procedures of the BAN logic, the PAKA protocol should achieve the following goals:
• Goal1: Ui |≡ PSjk |≡ (Ui ←SK→ PSjk);
• Goal2: Ui |≡ (Ui ←SK→ PSjk);
• Goal3: PSjk |≡ Ui |≡ (Ui ←SK→ PSjk);
• Goal4: PSjk |≡ (Ui ←SK→ PSjk).
First, we idealize the communication messages of the PAKA protocol as follows (to simplify, let A = h(Cij || Dij || IDjk)):
• msg1: Ui → MSj: <Cij, IDSj, IDjk, Rc>_{Ui Dij MSj};
• msg2: MSj → PSjk: <IDSj, IDjk, Rc, Rs, Ui A (MSj, PSjk)>_{MSj Xij PSjk};
• msg3: PSjk → Ui: <IDjk, R, R, Ui ←SK→ PSjk>_{Ui A (MSj, PSjk)}.
Second, the following assumptions about the initial state are made to analyze the PAKA protocol:
• H1: Ui |≡ #(Rc);
• H2: MSj |≡ #(Rs);
• H3: PSjk |≡ #(Rk);
• H4: Ui |≡ Ui A (MSj, PSjk);
• H5: Ui |≡ PSjk |⇒ (Ui ←SK→ PSjk);
• H6: MSj |≡ Ui Dij MSj;
• H7: PSjk |≡ PSjk Xij MSj;
• H8: PSjk |≡ MSj |⇒ (Ui A (MSj, PSjk));
• H9: PSjk |≡ Ui |⇒ (Ui ←SK→ PSjk).
Third, the main proofs of the idealized form of the PAKA protocol, based on the BAN logic rules and assumptions, are as follows:
From msg3, we get:
S1: Ui ◁ <IDjk, R, R, Ui ←SK→ PSjk>_{Ui A (MSj, PSjk)}.
From H4, S1 and Rule1, we get:
S2: Ui |≡ Ui A (MSj, PSjk), Ui ◁ <IDjk, R, R, Ui ←SK→ PSjk>_{Ui A (MSj, PSjk)} / Ui |≡ PSjk |~ <IDjk, R, R, Ui ←SK→ PSjk>.
From H1, S2, Rule2 and Rule4 we have:
S3: Ui |≡ #(Rc) / Ui |≡ #<IDjk, R, R, Ui ←SK→ PSjk>; Ui |≡ #<IDjk, R, R, Ui ←SK→ PSjk>, Ui |≡ PSjk |~ <IDjk, R, R, Ui ←SK→ PSjk> / Ui |≡ PSjk |≡ <IDjk, R, R, Ui ←SK→ PSjk>; hence Ui |≡ PSjk |≡ (Ui ←SK→ PSjk) (Goal1).
From H5, S3, and Rule3 we obtain: Ui |≡ PSjk |⇒ (Ui ←SK→ PSjk), Ui |≡ PSjk |≡ (U...
Security Proof. We prove the security (i.e. ID-mBJM security plus PFS) of our new protocol E-IBAK in stages. We first give a basic identity-based protocol, E-IBAK′, which does not provide perfect forward secrecy, and prove that it is ID-mBJM secure using the ▇▇▇▇▇–▇▇▇▇▇▇▇▇ modular technique. We then prove that the protocol E-IBAK is also secure in
KBA1 = ê(dB, TA) = ê(dB, aQA) = Fa, and KAB2 = KBA2 = Fab. Thus, the two session keys computed by ▇▇▇▇▇ and ▇▇▇ are skAB = skBA = H(A, B, TA, TB, Fa, Fb, Fab).