Security Proof. We prove the security (i.e. ID-mBJM security plus PFS) of our new protocol E-IBAK in stages. We first give a basic identity-based protocol, E-IBAKj, which does not provide perfect forward secrecy, and prove that it is ID-mBJM secure using the Xxxxx–Paterson modular technique. We then prove that the protocol E-IBAK is also secure in the ID- mBJM model and provides perfect forward secrecy. The only reason for describing the protocol E-IBAKj is to make the presentation easier to follow. Protocol E-IBAKj is almost identical to protocol E-IBAK except that the final session key is computed as skAB = Hj(A, X, XX, XX, Xx, Xx), { } ×{ } × × × × → { } where Hj : 0, 1 ∗ 0, 1 ∗ G1 G1 G2 G2 0, 1 k is a key derivation function. In other words, without the value Fab being part of the session string. With the description of the ID-mBJM model in Section 2.3, we now state:
Security Proof. We now consider the security of our concurrent A-BA protocol. Before stating the theorem, it is worth noting that the specific parameters of the hybrid model, which combine the different ideal functionalities, are not explicitly specified in the theorem statement. However, they can be determined from the protocol’s parameters and are integral to the overall security guarantees of the protocol. Now, let us state the theorem formally:
Security Proof. The proof follows that of Xxxxxxx and Rogaway [4]; differences include the number of entities involved and the different partnering function used. The validity of the protocol is straightforward to verify. Thus, it remains to prove that the protocol satisfies the indistinguishability requirement. The general idea of the security proof is to assume that the adversary can gain a non-negligible advantage in distinguishing test keys, and use this to break the assumption about the security of the underlying encryption scheme or the signature scheme. Since the adversary relies on its oracles to run we simulate the oracles so that we can supply the answers to all the queries the adversary might ask. In our protocol we assume that the principals involved in each conference are the same. We do not assume that the same principal acts as the initiator. The case where the set of principals is chosen dynamically is easily handled too. The effect on the security proof is to make the reduction less tight. Following Xxxxxxx and Rogaway [4] we need to extend the definition of a se- cure encryption scheme to allow the adversary to obtain encryptions of the same plaintext under multiple different independent encryption keys. Such an adver- sary is termed a multiple eavesdropper. We can bound the advantage of a multiple eavesdropper by considering it as a special case of the multi-user setting anal- ysed by Bellare et al. [5]. In their notation we have the case of qe = 1, meaning that the eavesdropper can only obtain one encryption for each public key. Let r be the number of encryptions of the same plaintext message seen by a multiple eavesdropper. Specialising their main theorem gives the following.
Security Proof. The basis of QCKA is that all legitimate users share almost perfect multiparty entanglement states. If multiparty entanglement states are shared, because the monogamy of entanglement, the users can obtain secure conference keys by measuring their states. Assume N users each prepare entangled state which contains a local qubit and an optical mode. Based on the entanglement swapping concept, we assume that each user prepares a Bell state consist of a virtual qubit and an optical mode. They send the optical mode to untrusted relay to perform the GHZ state measurement and post-select the successful GHZ state measurement events [6], leaving the local qubits to be entangled. Similar to the security prove for the asynchronous MDI-QKD [37], here we provide the security proof for the AMDI- QCKA by using the entanglement swapping argument. We start from virtual protocols, which can be reduced to the practical protocol described in the main text. √
Security Proof. We prove the security (i.e. ID-mBJM security plus PFS) of our new protocol E-IBAK in stages. We first give a basic identity-based protocol, E- IBAK’, which does not provide perfect forward se- KBA1 = eˆ(dB, TA) = eˆ(dB, aQA) = Fa, crecy, and prove that it is ID-mBJM secure using and KAB2 = KBA2 = Fab. the Xxxxx–Xxxxxxxx modular technique. We then prove that the protocol E-IBAK is also secure in Thus, the two session keys computed by Xxxxx and Xxx are skAB = skBA = H(A, B, TA, TB, Fa, Fb, Fab).
Security Proof. P A A P Σ
Security Proof. F Having described our A-OCC protocol, we proceed to present and prove the formal security state- ment that demonstrates how the protocol UC-realizes a-occ. However, we first prove a combinato- rial observation regarding vectors of random values that facilitates the security proof. We formulate this observation separately in the following lemma, as it may be of independent interest. ⊆ | | ≥ ∈ ≤
Security Proof. The security proof from various threats, for the proposed scheme has been elaborated as below:
Security Proof. Our protocol for component labeling achieves security in the honest-but-curious model with random oracles. We write the proof in a hybrid model in which the parties have access to a functionality F GC that takes the place of their garbled circuit evaluations. F GC takes the description of a circuit c and two parties’ inputs and it returns the evaluation of c on those inputs to the parties, revealing the order of c’s output gates. The parties invoke F GC to evaluate their garbled circuits. We denote by F lbl = (F lbl, F lbl) the two-party component labeling functionality. Recall that Filbl is
Security Proof. Theorem 1. The protocol is a secure AK, provided the CDH assumption holds and the hash function H is mod- eled as a random oracle.
