Game G2 definition

Game G2. In this game, we reject an authenticator that is sent without having been asked to the oracle H1. It makes a di erence if one rejects such an authenticator that is actually valid. But this, of course, happens only with negligible probability: G2 and G1 are statistically indistinguishable.

Game G2. The game is transferred from G1 is used to simulate active attacks by adding H1, H2 and Send oracles in which A tries to forge messages. By arbitrarily issuing queries to H1, H2, A attempts q2 q2 to capture collisions. The probability of collisions is at most ( H1 + H2 ) according to the birthday |H1 | |H2 | 2 paradox. The probability of collisions in the transcripts is at most (qsend +qexe ) . Therefore, we get: q2 q2 (q + q )2 H1 H2 |Pr[Succ1] − Pr[Succ2]| ≤ 2 | H1 | + 2 | H2 | +

Game G2. The game G2 is identical to G1 except that ∆ aborts if a nonce used in some Send query has already been used in some Execute or Send query before. We denote the occurrence of the nonce being repeated in some Send query as event E2. Then: | Pr[W in1] - Pr[W in2]| ≤ Pr[E2]. ∆ can detect event E2 as he can track all nonces generated, via the Sessions table. Calculation of Pr[E2]: Clearly the probability of event E2 happening is . qs(qex+qs) 2k1 Game G3: In game G3, ∆ modifies the way it answers the queries slightly. ∆ chooses a DDH-tuple (g, gra , grb , grarb ). ∆ follows the protocol as before to generate query responses but changes the way it generates the blinded secrets used in the transcript. The change is as follows: − Whenever a blinded secret is to be generated for some session participant Mi, instead of raising the group generator g to a randomly chosen number ri (from [1, q 1], as specified by the protocol), it raises grb (from the given tuple) to ri. Thus, in brief, ∆ uses the value grbri as blinded secret for participant Mi in the transcript. The corresponding blinded response is generated as before by raising the blinded secret to the group leader’s secret rl (which is also randomly chosen from [1, q − 1], as specified by the protocol). Also, ∆ stores the blinded secret so generated and the corresponding ri in table L. In this way, ∆ knows all blinded secrets generated by him during the game and their corresponding secrets. Clearly from the adversary’s point of view there is no change in the game. Thus | Pr[W in2] = Pr[W in3]|.

Examples of Game G2 in a sentence

• The Base Order also gave the FMV an option to make additional purchases at any time through June 30, 2010.

• Game G2 sets bad1 only if A has made some ROA query (xkr, mr, nr) beforehand, such that for the Mr and (m0, m1, xk, n) ← Mr, there are some b ∈ {0, 1} and some i ∈ [|n|] satisfying (xk[i], mb[i], n[i]) = (xk , m , n ).

• Game G2 is the same as game G1 except that we add the following rule: we choose at random two values i0 in [1, n] and c0 in [1, Q].

• In the random oracle model, given a PPT adversary against the SC-IND-CCA2 security of the SCKWC signcryption scheme, there exists a PPT adversary 1 against the GDH problem and a PPT adversary 2 against the OT- IND property of the symmetric encryption scheme such that: AdvSC−IND−CCA2(k) ≤ 2AdvGDH (k)+ AdvOT −IND(k)+0 1Pr[S1] = Pr[S0]⊥⊥∈ { }Game G2: In this game, we replace the signcryption oracle by the signcryption oracle simulator SCSim as described in Figure 3.

• Since we do not need anymore α, β and C either for the simulation (they were just required in Game G2 for simulating K and the Ki), we are now just given A and B.

• In the random oracle model, given a PPT adversary A against the SC-UF-CMA property of the pro- posed signcryption scheme, there exists a PPT algorithm BSince (s, r, W ) are independent and uniformly distributed over Z2 × G, the views of attacker in Game G1 and Game G2 are equivalent, as long as the event ⊥SC does not happen.

• Game G2: Let pj , sst , A , B , O , pΛ ,i, Λ ,i.tqn q be the guess of the adversary.

• Since A learns ρi∗ only in theattack-ed session (as observed in Game G2) and having excluded PRF collisions and random guesses the∗iprobability that A is able to influence Πs computing Ri∗+1 in the attack stage is bound by the probabilityowAA ⊕that in the attack-ed session computes the appropriate nonce ri∗+1 such that π(ri∗+1) = Ri∗+1 ρi∗ holds.

• If b = 1, then it follows by the context hiding property of Σ′ that Adv(G1,Q) ≥ Adv(G0) − Q · Advch(λ).Hybrid Game G2.

• If there is an efficient, malicious signer , which is able to distinguish the two games, then we can use it to break the hiding property of C.2In Game G2 the bit b is never used.

More Definitions of Game G2

Game G2. Let Enc be the event when the adversary makes a hash oracle query involving some (IDi, xi) and the same hash query was asked by the a protocol participant (user or U0). This can be checked from the list of hash that is maintained. If such an event occurs it means, adversary has been able to attack the encryption scheme. The probability of success against the encryption scheme after making qs queries is qs ∗ Succenc(A ). The game is identical to G1 except when enc occurs. Thus the total winning probability of the game Pr(Win2) − Pr(Win1) ≤ qs ∗ Succenc(A )) Combining all the results, we obtain Pr(Win0) ≤ N ∗ Succτ(A ) + qs ∗ Succenc(A ) Thus, according to our security assumptions, the probability of the polynomially bound adversary to win the game is negligible.

Game G2. In this game, we avoid collisions amongst an m or µ value of the current hon- est choice and those of the previous execution, and amongst the hi( ) queries asked by the adversary for i 2, 3, 4 , with probability bounded by the birthday paradox. We can postu- late random oracle queries H0(C, π) and h1(C, π) are respectively free from mutual collisions in the information theoretic sense. Let Collχ be the event that an χ value generated by a Send or Execute query is equal to a value of the previous execution’s corresponding query, or an input to the previous execution’s succeeding Send query. We play the game in a way to abort if the event Collm or Collµ occurs. A new list Coll keeps track of m and µ by saving [Ci, Sj], [in, out], [m, µ] where [χ, ψ] means one of χ and ψ is drawn. The random outputs or inputs must be checked with Coll for a collision in each simulation of send queries. So, this

Game G2. Adding ’s Record-Keeping and TestPwd Interface Modifications to : We now allow to do all of the record-keeping described in Figure 3. Game Functionality F SRFE Property Used NewSession TestPwd NewKey Game G0 N/A N/A N/A N/A Game G1 forwards inputs to SRFE forwards outputs to dummy parties runs protocol for honest parties Game G2 records inputs creates NewKey queries from party outputs both parties honest Game G3 chooses keys for both parties whend(pw0, pw1) ≤ δ garbled output randomness Game G4 chooses key forP0 whend(pw0, pw1) > δ garbled output randomness Game G5 chooses keys for both parties when d(pw0, pw1) > δ garbled output randomness Game G6 simulates F0, X0 obliviousness Game G7 does not forwardpw0, pw1 simulates F1, X1 obliviousness Pi honest, P1−i corrupt Game G8 replaces the malicious NewSession input with the one given by SRFE extracts malicious pw′1−i from OT, and tells F to replace the malicious NewSessioninput with pw′1−i Game G9 chooses key for Pi when d(pw0, pw1) > δ (now fully implemented) garbled output randomness Game G10 simulates Fi, Xiusingd(pwi, pw′1−i) privacy Game G11 does not forwardpwi fullyimplemented makes TestPwd query to set pw′i Fig. 18. A Summary of the Sequence of Games in the Proof of Theorem 1 P0 P1 FOT P0 P1 FOT

Game G2. This game corresponds with an active attack in which the adversaries can do Send, Hash and PUF queries, followed by a Test query. Taking into account that the probability of collisions between the hash outputs is less than q2 , between the output values is less than the probability that the attacker wins the game. Therefore, if