Common use of Formal Security Analysis Clause in Contracts

Formal Security Analysis. We now show that our key agreement scheme offers session key security under the CK adversary model [3,21] and in the random oracle model, following the method of [10,11,22]. The participants U in our scheme are the SM, SP, TTP or a random oracle O, i.e., U = {SM, SP, TTP, O}. Taking into account the CK adversary model, we assume that the attacker can run the following queries. • Hash queries Hi(m) with i ∈ {0, 1, 2, 3, 4, 5}. If m already exists in the list LHi , the value Hi(m) will be returned. Otherwise, a random value will be generated, added to the list LHi , and returned. – Send(0,SP). A random value r2 is chosen to compute R2 = r2P. The output of the query is M0 = {R2}. – Send(M0,SM). A random value r1 is chosen to compute R1 = (r1 + dA)P. Next, K = H1((r1 + dA)PB) is determined, together with C = EK(IDAǁcertA). Then, h1 = H2(IDAǁIDBǁR1 ǁR2ǁPAǁPB) and h2 = H2(IDBǁIDAǁR2ǁR1ǁPBǁPA) are computed to derive SK = H3((( r1 + dA)h1 + dA)(h2R2 +PB)). Finally, S1 = H4(R1ǁ CǁPAǁSK) is computed. The message M1 = {R1, C, S1} is returned. – Send(M1,SP). First, K = H1(dB R1) is determined, leading to IDAǁcertA = DK(C). Then, PA = H0(certAǁIDA)certA + PTTP is derived. Next, h1 = H2(IDAǁIDBǁR1ǁR2ǁPAǁPB) and h2 = H2(IDBǁIDAǁR2ǁR1ǁPBǁPA) are computed, to find SK = H3((r2h2 + dB)(h1R1 + PA)) and check H4(R1ǁCǁPAǁSK) against S1. If the verification is unsuccessful, the session can stop, otherwise S2 = H5(IDAǁIDBǁR1ǁR2ǁPAǁPBǁSK) is computed and M2 = {S2} is the output of the query. – Send(M2,SP). If S2 = H5(IDAǁIDBǁR1ǁR2ǁPAǁPBǁSK) is not valid, then the session is terminated. Otherwise, both SP and SM have successfully negotiated a common secret key SK. – SSReveal(SM). The output of this query results in r1 + dA, h1, h2, R1, C, S1. – SSReveal(SP). The output of this query results in x0, X0, x0, x0, X0. • Test query. In this query, either the established SK or a random value is returned, dependent on the output c = 1 or c = 0, respectively of a flipped coin c. Note that the test query cannot be issued when the SKReveal query, the SSReveal(SM) and Corrupt(SM), or SSReveal(SP) and Corrupt(SP), have been executed. In order to prove the semantic security of the scheme, we consider the following two definitions. The final goal of the adversary A is to distinguish the difference between a real secret session key or a random value, i.e., to successfully predict the output of the test query. If Pr(succ) denotes the probability that the adversary succeeds in its mission, the advantage of the adversary in breaking the semantic security of the proposed scheme equals to Adv(A) = |2Pr[succ] − 1|. Consequently, our scheme offers semantic security under the CK adversary and random oracle model if the advantage for A winning the game satisfies Adv(A) ≤ g, for any sufficiently small g >0. The difference lemma [23] is used to prove the statement. Lemma 1. (Difference Lemma) Let X0, X0 be the events of winning game 1 and game 2. Denote an error event by E, such that E1|¬E occurs if and only if E2|¬E. Then, |Pr[E1] − Pr[E2]| ≤ Pr[E]. 2q 2q

Appears in 2 contracts

Samples: Key Agreement, Key Agreement

AutoNDA by SimpleDocs

Formal Security Analysis. We now show that our key agreement scheme offers session key security under the CK adversary model [3,21] and in the random oracle model, following the method of [10,11,22]. The participants U in our scheme are the SM, SP, TTP or a random oracle O, i.e., U = {SM, SP, TTP, O}. Taking into account the CK adversary model, we assume that the attacker can run the following queries. • Hash queries Hi(m) with i ∈ {0, 1, 2, 3, 4, 5}. If m already exists in the list LHi , the value Hi(m) will be returned. Otherwise, a random value will be generated, added to the list LHi , and returned. – Send(0,SP). A random value r2 is chosen to compute R2 = r2P. The output of the query is M0 = {R2}. – Send(M0,SM). A random value r1 is chosen to compute R1 = (r1 + dA)P. Next, K = H1((r1 + dA)PB) is determined, together with C = EK(IDAǁcertAEK(XXX xxxxX). Then, h1 = H2(IDAǁIDBǁR1 ǁR2ǁPAǁPBH2(XXX IDB R1 R2 PA PB) and h2 = H2(IDBǁIDAǁR2ǁR1ǁPBǁPAH2(IDB XXX R2 R1 PB PA) are computed to derive SK = H3((( r1 + dA)h1 + dA)(h2R2 +PB)). Finally, S1 = H4(R1ǁ CǁPAǁSKH4(R1 C PA SK) is computed. The message M1 = {R1, C, S1} is returned. – Send(M1,SP). First, K = H1(dB R1) is determined, leading to IDAǁcertA XXX xxxxX = DK(C). Then, PA = H0(certAǁIDA)certA H0(xxxxX XXX)xxxxX + PTTP is derived. Next, h1 = H2(IDAǁIDBǁR1ǁR2ǁPAǁPBH2(XXX IDB R1 R2 PA PB) and h2 = H2(IDBǁIDAǁR2ǁR1ǁPBǁPAH2(IDB XXX R2 R1 PB PA) are computed, to find SK = H3((r2h2 + dB)(h1R1 + PA)) and check H4(R1ǁCǁPAǁSKH4(R1 C PA SK) against S1. If the verification is unsuccessful, the session can stop, otherwise S2 = H5(IDAǁIDBǁR1ǁR2ǁPAǁPBǁSKH5(XXX IDB R1 R2 PA PB SK) is computed and M2 = {S2} is the output of the query. – Send(M2,SP). If S2 = H5(IDAǁIDBǁR1ǁR2ǁPAǁPBǁSKH5(XXX IDB R1 R2 PA PB SK) is not valid, then the session is terminated. Otherwise, both SP and SM have successfully negotiated a common secret key SK. – SSReveal(SM). The output of this query results in r1 + dA, h1, h2, R1, C, S1. – SSReveal(SP). The output of this query results in x0r2, X0R2, x0h1, x0h2, X0S2. • Test query. In this query, either the established SK or a random value is returned, dependent on the output c = 1 or c = 0, respectively of a flipped coin c. Note that the test query cannot be issued when the SKReveal query, the SSReveal(SM) and Corrupt(SM), or SSReveal(SP) and Corrupt(SP), have been executed. In order to prove the semantic security of the scheme, we consider the following two definitions. The final goal of the adversary A is to distinguish the difference between a real secret session key or a random value, i.e., to successfully predict the output of the test query. If Pr(succ) denotes the probability that the adversary succeeds in its mission, the advantage of the adversary in breaking the semantic security of the proposed scheme equals to Adv(A) = |2Pr[succ] − 1|. Consequently, our scheme offers semantic security under the CK adversary and random oracle model if the advantage for A winning the game satisfies Adv(A) ≤ ge, for any sufficiently small g e >0. The difference lemma [23] is used to prove the statement. Lemma 1. (Difference Lemma) Let X0E1, X0 E2 be the events of winning game 1 and game 2. Denote an error event by E, such that E1|¬E occurs if and only if E2|¬E. Then, |Pr[E1] − Pr[E2]| ≤ Pr[E]. 2q 2q

Appears in 1 contract

Samples: Open Access License

AutoNDA by SimpleDocs

Formal Security Analysis. We now show that our key agreement scheme offers session key security under the CK adversary model [3,21] and in the random oracle model, following the method of [10,11,22]. The participants U in our scheme are the SM, SP, TTP or a random oracle O, i.e., U = {SM, SP, TTP, O}. Taking into account the CK adversary model, we assume that the attacker can run the following queries. • Hash queries Hi(m) with i ∈ {0, 1, 2, 3, 4, 5}. If m already exists in the list LHi , the value Hi(m) will be returned. Otherwise, a random value will be generated, added to the list LHi , and returned. – Send(0,SP). A random value r2 is chosen to compute R2 = r2P. The output of the query is M0 = {R2}. – Send(M0,SM). A random value r1 is chosen to compute R1 = (r1 + dA)P. Next, K = H1((r1 + dA)PB) is determined, together with C = EK(IDAǁcertAEK(XXX xxxxX). Then, h1 = H2(IDAǁIDBǁR1 ǁR2ǁPAǁPBX0(XXX XXX R1 R2 PA PB) and h2 = H2(IDBǁIDAǁR2ǁR1ǁPBǁPAX0(XXX XXX X0 R1 PB PA) are computed to derive SK = H3((( r1 + dA)h1 + dA)(h2R2 +PB)). Finally, S1 = H4(R1ǁ CǁPAǁSKH4(R1 C PA SK) is computed. The message M1 = {R1, C, S1} is returned. – Send(M1,SP). First, K = H1(dB R1) is determined, leading to IDAǁcertA XXX xxxxX = DK(C). Then, PA = H0(certAǁIDA)certA H0(xxxxX XXX)certA + PTTP is derived. Next, h1 = H2(IDAǁIDBǁR1ǁR2ǁPAǁPBX0(XXX XXX R1 R2 PA PB) and h2 = H2(IDBǁIDAǁR2ǁR1ǁPBǁPAX0(XXX XXX X0 R1 PB PA) are computed, to find SK = H3((r2h2 + dB)(h1R1 + PA)) and check H4(R1ǁCǁPAǁSKH4(R1 C PA SK) against S1. If the verification is unsuccessful, the session can stop, otherwise S2 = H5(IDAǁIDBǁR1ǁR2ǁPAǁPBǁSKH5(XXX IDB R1 R2 PA PB SK) is computed and M2 = {S2} is the output of the query. – Send(M2,SP). If S2 = H5(IDAǁIDBǁR1ǁR2ǁPAǁPBǁSKX0(XXX XXX R1 R2 PA PB SK) is not valid, then the session is terminated. Otherwise, both SP and SM have successfully negotiated a common secret key SK. – SSReveal(SM). The output of this query results in r1 + dA, h1, h2, R1, C, S1. – SSReveal(SP). The output of this query results in x0, X0, x0, x0, X0. • Test query. In this query, either the established SK or a random value is returned, dependent on the output c = 1 or c = 0, respectively of a flipped coin c. Note that the test query cannot be issued when the SKReveal query, the SSReveal(SM) and Corrupt(SM), or SSReveal(SP) and Corrupt(SP), have been executed. In order to prove the semantic security of the scheme, we consider the following two definitions. The final goal of the adversary A is to distinguish the difference between a real secret session key or a random value, i.e., to successfully predict the output of the test query. If Pr(succ) denotes the probability that the adversary succeeds in its mission, the advantage of the adversary in breaking the semantic security of the proposed scheme equals to Adv(A) = |2Pr[succ] − 1|. Consequently, our scheme offers semantic security under the CK adversary and random oracle model if the advantage for A winning the game satisfies Adv(A) ≤ g, for any sufficiently small g >0. The difference lemma [23] is used to prove the statement. Lemma 1. (Difference Lemma) Let X0, X0 be the events of winning game 1 and game 2. Denote an error event by E, such that E1|¬E occurs if and only if E2|¬E. Then, |Pr[E1] − Pr[E2]| ≤ Pr[E]. 2q 2q

Appears in 1 contract

Samples: Key Agreement

Draft better contracts in just 5 minutes Get the weekly Law Insider newsletter packed with expert videos, webinars, ebooks, and more!