Security Proof. We now consider the security of our concurrent A-BA protocol. Before stating the theorem, it is worth noting that the specific parameters of the hybrid model, which combine the different ideal functionalities, are not explicitly specified in the theorem statement. However, they can be determined from the protocol’s parameters and are integral to the overall security guarantees of the protocol. Now, let us state the theorem formally:
Security Proof. We prove the security (i.e. ID-mBJM security plus PFS) of our new protocol E-IBAK in stages. We first give a basic identity-based protocol, E-IBAK′, which does not provide perfect forward secrecy, and prove that it is ID-mBJM secure using the Xxxxx–Paterson modular technique. We then prove that the protocol E-IBAK is also secure in the ID- mBJM model and provides perfect forward secrecy. The only reason for describing the protocol E-IBAK′ is to make the presentation easier to follow. Protocol E-IBAK′ is almost identical to protocol E-IBAK except that the final session key is computed as AB = H (A, B, TA, TB, F , F ), where H′ : {0, 1}∗ ×{0, 1}∗ × G1 × G1 × G2 × G2 → {0, 1}k is a key derivation function. In other words, without the value Fab being part of the session string. With the description of the ID-mBJM model in Section 2.3, we now state:
Security Proof. F ⊆ | | ≥ ∈ ≤
Security Proof. The basis of QCKA is that all legitimate users share almost perfect multiparty entanglement states. If multiparty entanglement states are shared, because the monogamy of entanglement, the users can obtain secure conference keys by measuring their states. Assume N users each prepare entangled state which contains a local qubit and an optical mode. Based on the entanglement swapping concept, we assume that each user prepares a Bell state consist of a virtual qubit and an optical mode. They send the optical mode to untrusted relay to perform the GHZ state measurement and post-select the successful GHZ state measurement events [6], leaving the local qubits to be entangled. Similar to the security prove for the asynchronous MDI-QKD [37], here we provide the security proof for the AMDI- QCKA by using the entanglement swapping argument. We start from virtual protocols, which can be reduced to the practical protocol described in the main text.
Security Proof. We prove the security (i.e. ID-mBJM security plus PFS) of our new protocol E-IBAK in stages. We first give a basic identity-based protocol, E- IBAK’, which does not provide perfect forward se- KBA1 = eˆ(dB, TA) = eˆ(dB, aQA) = Fa, crecy, and prove that it is ID-mBJM secure using and KAB2 = KBA2 = Fab. the Xxxxx–Xxxxxxxx modular technique. We then prove that the protocol E-IBAK is also secure in Thus, the two session keys computed by Xxxxx and Xxx are skAB = skBA = H(A, B, TA, TB, Fa, Fb, Fab).
Security Proof. The proof follows that of Xxxxxxx and Rogaway [4]; differences include the number of entities involved and the different partnering function used. The validity of the protocol is straightforward to verify. Thus, it remains to prove that the protocol satisfies the indistinguishability requirement. The general idea of the security proof is to assume that the adversary can gain a non-negligible advantage in distinguishing test keys, and use this to break the assumption about the security of the underlying encryption scheme or the signature scheme. Since the adversary relies on its oracles to run we simulate the oracles so that we can supply the answers to all the queries the adversary might ask. In our protocol we assume that the principals involved in each conference are the same. We do not assume that the same principal acts as the initiator. The case where the set of principals is chosen dynamically is easily handled too. The effect on the security proof is to make the reduction less tight. Following Xxxxxxx and Rogaway [4] we need to extend the definition of a se- cure encryption scheme to allow the adversary to obtain encryptions of the same plaintext under multiple different independent encryption keys. Such an adver- sary is termed a multiple eavesdropper. We can bound the advantage of a multiple eavesdropper by considering it as a special case of the multi-user setting anal- ysed by Bellare et al. [5]. In their notation we have the case of qe = 1, meaning that the eavesdropper can only obtain one encryption for each public key. Let r be the number of encryptions of the same plaintext message seen by a multiple eavesdropper. Specialising their main theorem gives the following.
Lemma 1 ( [5]). Suppose that an adversary has advantage at most s(k) for encryption scheme PE = (K, E, D). Then a multiple eavesdropper has advantage not more than r · s(k). We follow Bresson et al. [13] in dividing the proof into two cases. Firstly we consider the case in which the adversary gains her advantage by forging a signature with respect to some user’s signing key. In this case we construct a simple signature forging algorithm F against Σ that uses A. In the second case, A gains her advantage without forging a signature. Then, we can construct an algorithm X that uses A against the security of the encryption algorithm.
Security Proof. Theorem 1. The proposed tripartite STS key confirmation protocol is secure in the sense of Definition 4 if the underlying digital signature scheme is secure against the adaptively chosen message attack and the CDHP is hard. Proof: the proof is given in the appendix.
Security Proof. The 2SM scheme defined in Figure 2 is non-adaptively (t, q, 2qspke)-secure, where spke is such that the PKE protocol is (tj, spke)-secure for tj ≈ t. Proof. Let q1, . . . , qq be the sequence of queries made by the adversary, which we can fix in advance because it is non-adaptive. Without loss of generality these queries satisfy 2SM-safe. Similarly, we assume the adversary never fails a require clause. Then in terms of the bit b sampled at the beginning of the game, Adv = 2SM 2sm-na
Security Proof. To prove security of this protocol, we analyze the security of an equivalent entanglement based version. Here, instead of having Xxxxx prepare and send a quantum state, we allow Eve the ability to create any arbitrary initial state, sending part to Xxxxx and the other parts to the p Bob’s while also potentially maintaining a private entangled ancilla. Clearly security in this case will imply security of the prepare-and-measure version discussed in the previous section. We also use as a foundation, a proof methodology we introduced in [26], though making several modifications for the multi-party protocol being analyzed here. Our proof of security, at a high level, proceeds in three steps: first we define an analyze an appropriate classical sampling strategy allowing us to use Theorem 1; second, we analyze the ideal states produced by that Theorem; and third, finally, we promote that ideal-case analysis to the real state.
Security Proof. The protocol is a secure AK, provided the CDH assumption holds and the hash function H is mod- eled as a random oracle.
