Game G4 definition

Game G4. In this game, we do exactly as above except that any hash value involving KR(= KL), asked by instance ΠU , one invokes the decryption oracle to com- 1 2 pw pw pute X = Dj (Y ) (or Djj (Y )). The oracle goes into an expecting state. Note that we do not allow the event Encrypt to occur, i.e. adversary is not given the power of encrypting a message by itself guessing the password. So any subsequent send query (i.e. after Send0(∗, ∗, “Start”) query) is on a properly encrypted message which is en- the users are answered independently from the random oracles. More explicitly, we are given an instance ($A = g^{a}$, $B = g^{b}$) of CDH problem without its solution $C = g^{ab}$ and without the values a, b. Now, whenever two successive users U1 and U2 compute $X_1 = g^{x_1}$, $X_2 = g^{x_2}$ respectively choosing x1, x2 randomly from Z∗, we simulate as in G3, i.e. with $X_1 = A^{c_1}$ and crypted by the simulator (and not by the adversary) on q c ∗ querying the encryption oracle. U1 Consider send queries for instance Πd1 which are limit- xxx to any of the followings: X2 = B 2 where c1, c2 are random values in Zq . The exponents xj for other users Uj are chosen at random from Z∗. The only difference of this game with G3 is that the hash value involving KR(= KL), asked by the Send0(U1, d1, “Start”), Send1(U1, d1, Y2), Send1(U1, d1, 1 2 Yn), and Send2(U1, d1, Y i) for 1 ≤ i ≤ n, i 1. The Send0 and Send2 queries are simulated as usual. In response to Send1(U1, d1, Y1) and Send1(U1, d1, Yn) queries, one invokes the decryption and hash oracles as in game G2 to compute users (simulator), is answered with a random value r from $\{0, 1\}^{l}$ instead of querying the hash oracle. Here the adversary A may ask the same hash query which is still answered by querying the random oracle. Thus we have the following distribution of transcript, session key pair. X2 = Dpw(Y2), KR = KL = H(Cc1 c2 ) and Xn =  ∗ l 
Game G4. In this game, we formally modify the way we simulate the honest players. The simulator still knows their passwords. In round 1, S sends a random value ci on behalf of Pi and afterwards, when all cj have been sent, it sends a random value zi∗ (chosen without asking the encryption oracle, since we try to avoid the use of the password), and the verification key VKi, generated honestly. Finally, S sets ci = H3(ssid, zi∗, VKi, i) by programming the oracle. There is a negligible risk that the simulation fails, if the adversary has already asked this query to the oracle, which probability is bounded by qh3/q. In round 2, S proceeds by using the password pwi: it asks for the three decryption queries, on zi∗, zi∗−1, and zi∗+1, with key pwi and appropriate tweaks. Granted the way we simulate the decryption oracle, we learn zi−1, zi, and zi+1, together with the discrete logarithm xi in base g of zi, unless the corresponding encryption queries have been asked. Our simulation does not make any encryption, xi is not initialized if zi∗ has been obtained as a ciphertext by the adversary: This happens with negligible probability. Once we have xi, one can thus conclude by computing the Zi and Zi+1, and then hi, hi+1 and Xi. Such a change in the process does not alter the view of the adversary, in any way, since this is a purely syntactic rewriting, with negligible probability of failure.
Game G4. Game G4 is the same as game G3 except that ∆ modifies the way it generates the blinded responses. Using the same DDH-tuple $(g, g^{r_a}, g^{r_b}, g^{r_a r_b})$, ∆ does the following: Whenever a blinded response is to be generated for some session participant Mi, ∆ retrieves the corresponding blinded secret $g^{r_i}$ from the table Sessions. Then it looks for this blinded secret in table L. If ∆ finds it in the table, it retrieves the corresponding secret entry ($r_i$) and raises $g^{r_a r_b}$ (from the DDH-tuple) to it to get $g^{r_a r_b r_i}$. It further raises it to the secret, $r_l$ (randomly chosen from [1, q − 1]), of the group leader. The resulting value $g^{r_a r_b r_i r_l}$ is used as the blinded response for participant Mi in the session transcript. If on the other hand, ∆ does not find $g^{r_i}$ in table L, this means that this blinded secret has been introduced by the adversary and ∆ does not know the corresponding secret. Thus for a session where any of the blinded secrets is not found in table L, ∆ continues to generate the blinded responses (for all the participants) as in game G3 (by raising blinded secret to the secret of the leader). Thus, in brief, ∆ uses the value $g^{r_a r_b r_i r_l}$ as the blinded response for participant Mi, if all blinded secrets in that session were generated by him otherwise it uses the value $g^{r_b r_i r_l}$. Note that as A can make a Test query only on a fresh participant instance, this rules out those sessions where A has been able to introduce blinded secrets on his own (by asking the Corrupt query). Thus ∆ can respond to the queries of such sessions without using data from the DDH-tuple. Clearly again from the adversary’s point of view there is no change in the game. Thus |Pr[Win3] = Pr[Win4]|.

Examples of Game G4 in a sentence

  • We can use any environment who can distinguish this game from Game G4 to build an adversary that can break the garbled output randomness property (Definition 7, Theorem 8) of our garbling scheme, exactly as we did in the reduction above.

  • Game G4: F generates a random session key for an honest, interrupted session.


More Definitions of Game G4

Game G4. In the last game, the attacker can also execute SSReveal queries of either the user’s device or the IoT device. As SSReveal(U ) = z, K , the attacker will not be able to find h and SK without knowledge of du, h, which requires to find a correct hash collision and solving the ECDHP. Similarly, SSReveal(D) = rd, K, h and again the attacker does not find h, SK without knowledge of ddQu and thus solving the ECDHP. To conclude, for G4, we find that |Pr[succ4(A)] − Pr[succ3(A)]| ≤ cannot be constructed as z is not known and cannot be revealed due to the ECDHP. Without K, there is also no h and thus no SK to find. If dd of the IoT device is leaked, we still have assumed that there is no access to the PUF design of the device. As a consequence, even if K is derived, Cd, rd, h are not found due to the one-time pad security offered by the xor operation. • Protection against leakage of temporal session state information: This is obtained since in both cases, the attacker will not be able to find a valid value for h, as knowledge is missing on private data of one of the participants to derive ddQu = duQd. q2
Game G4. In this game, we abort the protocol runs if the adversary has been lucky in guessing the values γ' (or γ) and u (or u−1) without asking the corresponding random oracle queries. We achieve this aim by modifying the random oracle queries to hi for i ∈ {2, 3, 4}. Provided that the hi(C, S, m, µ, α, γ') query was asked by the adversary and ⟨0, C, π, γ⟩ ∈ h for γ = (γ')−1, it must be checked whether ⟨0, C, π, γ⟩ ∈ A and ⟨1, C, π, u⟩ ∈ A just before returning r for i ∈ {2, 3, 4}. If the latter test fails, the game must be aborted. Say, the simulator is able to determine if the adversary had made a correct guess for u or not by observing A. This modification ensures that the adversary should have asked correct random oracle queries to H0 and h1 for asking correct queries to hi for i ∈ {2, 3, 4}. The two games G4 and G3 are perfectly indistinguishable unless the protocol aborts in the random oracle queries. The abortion may happen only if the adversary has correctly guessed the values γ and u without asking the corresponding random oracle queries. So we have: $|\Pr[\mathrm{Succ}_4] - \Pr[\mathrm{Succ}_3]| \le O(q_{ro})/2^{\kappa}$.
Game G4. S handles dictionary attacks using the TestPwd interface. In this game, we only change the simulation. Consider the following setting: Pi obtained input (NewSession, sid, pwi, role) and P1−i is corrupted and already provided its inputs to FA-iPAKE. In this situation, S will proceed with the simulation of Pi as follows: S assembles pwZ ∈ Fn from the queries to FA-iPAKE that P1−i issued. S sends (TestPwd, sid, Pi, pwZ ) to F , obtaining either “wrong guess”, “correct guess” and perhaps also a mask M ⊆ [n] from F . If S does not receive a mask, S is not modified further. Else, let I := [n] \ M the set of mismatching indices, and d := |I| ≤ γ their
Game G4 handles dictionary attacks using the TestPwd interface. In this game, we only change the simulation. Consider the following setting: Pi obtained input (NewSession, sid, pwi) and P1−i is corrupted and already provided its inputs to FA-iPAKE. In this situation, S will proceed with the simulation of Pi as follows: n S assembles pwZ ∈ Fp from the queries to FA-iPAKE that P1−i issued. S sends (TestPwd, sid, Pi, pwZ ) to F, obtaining either “wrong guess”, “correct guess” and perhaps also a mask M ⊆ [n] from F. If S does not receive a mask, S is not modified further. Else, let I := [n] \ M the set of mismatching indices, and d := |I| ≤ γ their number. S sets up n pairs of keys (K, L) with $ (K , L ) = (K′, L′ ) ← F2 for the matching indices t ∈ M and independent (K , L ) ←$ F2 and (K′, L′ ) ←$ F2 for the mismatching indices t ∈ I, where (K′, L′) denotes the output of A-iPAKE towards 1−i. now continues the simulation of i using (K, L) as output of A-iPAKE. We have to analyze different cases depending on the different outcomes of TestPwd. However, note that the modifications only have an impact on the output ki of i if the record gets interrupted, and only affect the transcript if the answer to the TestPwd query contains a mask. Considering the case where TestPwd – outputs m and sets the record compromised, i.e. d ≤ γ: since the distribution of X, X′, L, L′ only depends on the mask of the pass-strings, the view of is identically distributed in game G4 and game G3; – outputs “wrong guess” and sets the record interrupted, i.e. d > γ: i will now obtain a randomly chosen session key from , substituting the key ki computed by . However, in this case, observe that the privacy property implies that nothing is learned about the secret V ′. Hence, ki looks random. We formally show this in Lemma 13, namely, that the probability that outputs an F that lets i output a non-randomly chosen session key is negligible; Lemma 13. 
Consider an honest party i, holding an adversarially determined pass-string pwi, running the protocol with the adversary holding a pass-string pw1−i with d := d(pwi, pw1−i) > γ. Then the probability that i outputs a non-randomly chosen session key is negligible in λ.
