Game G4 definition

Game G4. In this game, we formally modify the way we simulate the honest players. The simulator still knows their passwords. In round 1, S sends a random value ci on behalf of Pi and afterwards, when all cj have been sent, it sends a random value zi∗ (chosen without asking the encryption oracle, since we try to avoid the use of the password), and the verification key VKi, generated honestly. Finally, S sets ci = H3(ssid, zi∗, VKi, i) by programming the oracle. There is a negligible risk that the simulation fails, if the adversary has already asked this query to the oracle; the probability of this is bounded by qh3/q. In round 2, S proceeds by using the password pwi: it asks for the three decryption queries, on zi∗, zi−1∗, and zi+1∗, with key pwi and appropriate tweaks. Given the way we simulate the decryption oracle, we learn zi−1, zi, and zi+1, together with the discrete logarithm xi in base g of zi, unless the corresponding encryption queries have been asked. Our simulation does not perform any encryption; xi is not initialized if zi∗ has been obtained as a ciphertext by the adversary, which happens with negligible probability. Once we have xi, one can thus conclude by computing Zi and Zi+1, and then hi, hi+1 and Xi. Such a change in the process does not alter the view of the adversary in any way, since this is a purely syntactic rewriting, with negligible probability of failure.
Game G4. In this game, we do exactly as above except that any hash value involving KR(= KL), asked by instance ΠU , one invokes the decryption oracle to com- 1 2 pw pw pute X = Dj (Y ) (or Djj (Y )). The oracle goes into an expecting state. Note that we do not allow the event Encrypt to occur, i.e. adversary is not given the power of encrypting a message by itself guessing the password. So any subsequent send query (i.e. after Send0(∗, ∗, “Start”) query) is on a properly encrypted message which is en- the users are answered independently from the random oracles. More explicitly, we are given an instance (A = ga, B = gb) of CDH problem without its solution C = gab and without the values a, b. Now, whenever two successive users U1 and U2 compute X1 = gx1 , X2 = gx2 respectively choosing x1, x2 randomly from Z∗, we simulate as in G3, i.e. with X1 = Ac1 and crypted by the simulator (and not by the adversary) on q c ∗ querying the encryption oracle. U1 Consider send queries for instance Πd1 which are limit- xxx to any of the following: X2 = B 2 where c1, c2 are random values in Zq . The exponents xj for other users Uj are chosen at random from Z∗. The only difference of this game with G3 is that the hash value involving KR(= KL), asked by the Send0(U1, d1, “Start”), Send1(U1, d1, Y2), Send1(U1, d1, 1 2 Yn), and Send2(U1, d1, Y i) for 1 ≤ i ≤ n, i 1. The Send0 and Send2 queries are simulated as usual. In response to Send1(U1, d1, Y1) and Send1(U1, d1, Yn) queries, one invokes the decryption and hash oracles as in game G2 to compute users (simulator), is answered with a random value r from {0, 1}l instead of querying the hash oracle. Here the adversary A may ask the same hash query which is still answered by querying the random oracle. Thus we have the following distribution of transcript, session key pair. X2 = Dpw(Y2), KR = KL = H(Cc1 c2 ) and Xn =  ∗ l
Game G4. In this game, we abort the protocol runs if the adversary has been lucky in guessing the values γ' (or γ) and u (or u−1) without asking the corresponding random oracle queries. We achieve this aim by modifying the random oracle queries to hi for i ∈ {2, 3, 4}. Provided that the hi(C, S, m, µ, α, γ') query was asked by the adversary and ⟨0, C, π, γ⟩ ∈ h for γ = (γ')−1, it must be checked whether ⟨0, C, π, γ⟩ ∈ A and ⟨1, C, π, u⟩ ∈ A just before returning r for i ∈ {2, 3, 4}. If the latter test fails, the game must be aborted. Say, the simulator is able to determine if the adversary had made a correct guess for u or not by observing A. This modification ensures that the adversary should have asked correct random oracle queries to H0 and h1 for asking correct queries to hi for i ∈ {2, 3, 4}. The two games G4 and G3 are perfectly indistinguishable unless the protocol aborts in the random oracle queries. The abortion may happen only if the adversary has correctly guessed the values γ and u without asking the corresponding random oracle queries. So we have: |Pr[Succ4] − Pr[Succ3]| ≤ O(qro)/2^κ.

Examples of Game G4 in a sentence

  • Since p | q, generating b from U (R5×1) instead of U (R5×1) makes the advantage of the adversary in Game G4−′at least as big as in game G3, as the adversary in Game G4 can easily calculate the same value for c as in Game G3.

  • In game G4, since Ri is uniform at random in2 3 c s Game G4 (Randomize Credentials).

  • We assume that is an attacker that breaks the AKE security game with a different advantage in Game G5 than in Game G4, then we construct an adversary ' which is able to distinguish triples coming from either a DDH or a random distribution: at the beginning of the experiment, ' receives a triple (X, Y, Z) which is a DDH triple if b = 0 or a random triple if b = 1.

  • Since p | q, generating b from U (Rl×1) instead of U (Rl×1) makes the advantage of the adversary in Game G4−jat least as big as in game G3, as the adversary in Game G4 can easily calculate the same value for c as in Game G3.

  • Since the computation is only rearranged, Pr[G3 = 1] = Pr[G2 = 1]. Game 4: Game G4 is the same except that y values are now drawn randomly from Z∗.

  • Game G4 Line 07 is removed to undo the modification introduced in game G1.

  • This game is identical to Game G4 except that ∆ is given a tuple from the random TDDH distribution.

  • As a result, Pr[γ2] = Pr[γ3]. Game G4: It is the same as G3, except that bi = Ui + Encode(Ri) and b = U + Encode(R) now is changed back to bi = Aiw + ei + Encode(Ri) + Aiδi and b = Aw + e + Enc(R).

  • Since the languages are not satisfied, the perfect smoothness guarantees perfect indistinguishability: AdvG3 (A) = AdvG2 ( ). Game G4: We now modify the way Execute-queries between two incompatible users are answered: we replace both session keys KC = ProjHash(hpS, LAC , cC, rC) × Hash(hkC, LAS , cS) and KS = Hash(hkS, LAC , cC) × ProjHash(hpC, LAC , cS, rS) (for the client and the server) by two independent truly random values.

  • Game G4: We define the game G4 as the game G3, but we encaps K1 instead of K0: Encaps(EK, Reg, S∗):2.


More Definitions of Game G4

Game G4. S handles dictionary attacks using the TestPwd interface. In this game, we only change the simulation. Consider the following setting: Pi obtained input (NewSession, sid, pwi, role) and P1−i is corrupted and already provided its inputs to FA-iPAKE. In this situation, S will proceed with the simulation of Pi as follows: S assembles pwZ ∈ Fn from the queries to FA-iPAKE that P1−i issued. S sends (TestPwd, sid, Pi, pwZ) to F, obtaining either “wrong guess” or “correct guess”, and perhaps also a mask M ⊆ [n] from F. If S does not receive a mask, S is not modified further. Else, let I := [n] \ M the set of mismatching indices, and d := |I| ≤ γ their
Game G4. In the last game, the attacker can also execute SSReveal queries of either the user’s device or the IoT device. As SSReveal(U ) = z, K , the attacker will not be able to find h and SK without knowledge of du, h, which requires finding a correct hash collision and solving the ECDHP. Similarly, SSReveal(D) = rd, K, h and again the attacker does not find h, SK without knowledge of ddQu and thus solving the ECDHP. To conclude, for G4, we find that |Pr[succ4(A)] − Pr[succ3(A)]| ≤ cannot be constructed as z is not known and cannot be revealed due to the ECDHP. Without K, there is also no h and thus no SK to find. If dd is leaked of the IoT device, we still have assumed that there is no access to the PUF design of the device. As a consequence, even if K is derived, Cd, rd, h are not found due to the one-time pad security offered by the xor operation. • Protection against leakage of temporal session state information: This is obtained since in both cases, the attacker will not be able to find a valid value for h, as knowledge is missing on private data of one of the participants to derive ddQu = duQd. q2
Game G4. Game G4 is the same as game G3 except that ∆ modifies the way it generates the blinded responses. Using the same DDH-tuple (g, gra, grb, grarb), ∆ does the following: Whenever a blinded response is to be generated for some session participant Mi, ∆ retrieves the corresponding blinded secret gri from the table Sessions. Then it looks for this blinded secret in table L. If ∆ finds it in the table, it retrieves the corresponding secret entry (ri) and raises grarb (from the DDH-tuple) to it to get grarbri. It further raises it to the secret, rl (randomly chosen from [1, q − 1]), of the group leader. The resulting value grarbrirl is used as the blinded response for participant Mi in the session transcript. If, on the other hand, ∆ does not find gri in table L, this means that this blinded secret has been introduced by the adversary and ∆ does not know the corresponding secret. Thus for a session where any of the blinded secrets is not found in table L, ∆ continues to generate the blinded responses (for all the participants) as in game G3 (by raising the blinded secret to the secret of the leader). Thus, in brief, ∆ uses the value grarbrirl as the blinded response for participant Mi if all blinded secrets in that session were generated by him; otherwise it uses the value grbrirl. Note that as A can make a Test query only on a fresh participant instance, this rules out those sessions where A has been able to introduce blinded secrets on his own (by asking the Corrupt query). Thus ∆ can respond to the queries of such sessions without using data from the DDH-tuple. Clearly again from the adversary’s point of view there is no change in the game. Thus Pr[Win3] = Pr[Win4].
