
Strengthening the security of authenticated key exchange against bad randomness

Published in Designs, Codes and Cryptography.

Abstract

Recent history has revealed that many random number generators (RNGs) used in cryptographic algorithms and protocols were not providing appropriate randomness, either by accident or on purpose. Subsequently, researchers have proposed new algorithms and protocols that are less dependent on the RNG. One exception is that all prominent authenticated key exchange (AKE) protocols are insecure given bad randomness, even when using good long-term keying material. We analyse the security of AKE protocols in the presence of adversaries that can perform attacks based on chosen randomness, i.e., attacks in which the adversary controls the randomness used in protocol sessions. We propose novel stateful protocols, which modify memory shared among a user’s sessions, and show in what sense they are secure against this worst case randomness failure. We develop a stronger security notion for AKE protocols that captures the security that we can achieve under such failures, and prove that our main protocol is correct in this model. Our protocols make substantially weaker assumptions on the RNG than existing protocols.


Notes

  1. Note that our syntax implies that all randomness required during the execution of session s is deterministically derived from \(s_{ rand }\).

  2. The crucial observation is that the protocol execution algorithm P in [12] uses abstract session-specific state information for a user U’s session i, denoted by \( St ^{i}_{U}\). Additionally, the framework includes user-specific information: the identity U, and public/private keys \( pk _{U}, sk _{U}\). It follows from their definition of the protocol execution algorithm that a protocol can only update the session-specific state \( St ^{i}_{U}\), but cannot change any state that can be accessed by other sessions of the same user. Hence, stateful protocols are not modeled in their framework.

  3. Note that the ephemeral secret keys x and y can either be stored in a session-specific variable and reused in the key derivation phase or recomputed in the key derivation phase.

  4. In the long version of this paper, the class \(\varLambda \) is referred to as \(\mathsf {INDP\text {-}DH} \cap \mathsf {ISM} \).

  5. We do not need to keep consistency with \(H_{1}\) queries via lookup in table J since the probability that the adversary guesses the randomness of a session created via a query \(\mathsf {create} \) is negligible.

  6. Here we need to keep consistency with \(H_{1}\) queries via lookup in table J to be able to consistently answer all possible combinations of queries. Consider, e.g., the following scenario. The adversary first issues a query \((x,\mathsf{sk}_{\hat{P}},i)\) to \(H_{1}\) and then issues the query \(\mathsf {cr\text{- }create} (\hat{P},r,x,\hat{Q})\), which increments the current counter value \(i-1\) by 1 so that the counter value used in session \(s=(\hat{P},i)\) is i. So, in contrast to the NAXOS proof with respect to model eCK\(^{w}\), we need to additionally keep consistency between \(\mathsf {cr\text{- }create} \) queries and queries to the random oracle for \(H_{1}\).

  7. Note that \(s^{*}_{ rand }\) is not used in the calculation.

  8. This entry exists in table Q since the status of the session is different to \(\bot \).

  9. Under event \(A_{1}\) the query \(\mathsf {randomness} \) (e.g., for two sessions of different users) together with other queries might enable the adversary to learn all the information necessary to compute the session key of the target session without violating the freshness condition.

  10. The value of \(l_{s'}\) is the concatenation of the randomness of the current and the previous sessions of the same user.

References

  1. Debian, Debian Security Advisory DSA-1571-1 openssl—predictable random number generator. http://www.debian.org/security/2008/dsa-1571. Accessed 05 Nov 2013.

  2. Lenstra A., Hughes J., Augier M., Bos J., Kleinjung T., Wachter C.: Public keys. In: Advances in Cryptology (Crypto 2012). LNCS, vol. 7417, pp. 626–642. Springer, Heidelberg (2012).

  3. Marvin R.: Google admits an Android crypto PRNG flaw led to Bitcoin heist (2013). http://sdt.bz/64008 Accessed 01 Oct 2013.

  4. Perlroth N., Larson J., Shane S.: N.S.A. able to foil basic safeguards of privacy on web. The New York Times (2013).

  5. Koblitz N., Menezes A.: The random oracle model: a twenty-year retrospective. Cryptology ePrint Archive, Report 2015/140 (2015). http://eprint.iacr.org/.

  6. Bernstein D.J., Lange T., Niederhagen R.: Dual EC: a standardized back door. Cryptology ePrint Archive, Report 2015/767 (2015). http://eprint.iacr.org/. Accessed July 2015.

  7. Pornin T.: Deterministic usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA), RFC 6979 (2013).

  8. Bellare M., Brakerski Z., Naor M., Ristenpart T., Segev G., Shacham H., Yilek S.: Hedged public-key encryption: how to protect against bad randomness. In: Advances in Cryptology (ASIACRYPT 2009). LNCS, pp. 232–249. Springer, Heidelberg (2009).

  9. Yilek S.: Resettable public-key encryption: how to encrypt on a virtual machine. In: Proceedings of the 2010 International Conference on Topics in Cryptology (CT-RSA’10), pp. 41–56. Springer, Berlin (2010).

  10. LaMacchia B., Lauter K., Mityagin A.: Stronger security of authenticated key exchange. In: Susilo W., Liu J.K., Mu Y. (eds.) ProvSec’07. LNCS, vol. 4784, pp. 1–16. Springer, Berlin (2007).

  11. Canetti R., Krawczyk H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann B. (ed.) EUROCRYPT’01. LNCS, vol. 2045, pp. 453–474. Springer, London (2001).

  12. Yang G., Duan S., Wong D.S., Tan C.H., Wang H.: Authenticated key exchange under bad randomness. In: Proceedings of the 15th International Conference on Financial Cryptography and Data Security. FC’11, pp. 113–126. Springer, Berlin (2012). doi:10.1007/978-3-642-27576-0_10.

  13. Ristenpart T., Yilek S.: When good randomness goes bad: virtual machine reset vulnerabilities and hedging deployed cryptography. In: Proceedings of the Network and Distributed System Security Symposium (NDSS’10) (2010).

  14. Kamara S., Katz J.: How to encrypt with a malicious random number generator. In: Fast Software Encryption. LNCS, vol. 5086, pp. 303–315. Springer, Berlin (2008).

  15. Bellare M., Tackmann B.: Nonce-based cryptography: retaining security when randomness fails. Cryptology ePrint Archive, Report 2016/290 (2016). http://eprint.iacr.org/.

  16. Krawczyk H.: HMQV: a high-performance secure Diffie–Hellman protocol. In: Shoup, V. (ed.) Advances in Cryptology (CRYPTO 2005). LNCS, vol. 3621, pp. 546–566. Springer, Berlin (2005).

  17. Ustaoglu B.: Obtaining a secure and efficient key agreement protocol from (H)MQV and NAXOS. Cryptology ePrint Archive, Report 2007/123, 2007, version June 22 (2009).

  18. Blake-Wilson S., Johnson D., Menezes A.: Key agreement protocols and their security analysis. In: Darnell M. (ed.) Cryptography and Coding. LNCS, vol. 1355, pp. 30–45. Springer, Berlin (1997). doi:10.1007/BFb0024447.

  19. Cremers C., Feltz M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. Des. Codes Cryptogr. 74(1), 183–218 (2015).


  20. Brzuska C., Fischlin M., Warinschi B., Williams S.: Composability of Bellare-Rogaway key exchange protocols. In: Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS’11). pp. 51–62. ACM, New York (2011). doi:10.1145/2046707.2046716.

  21. Boyd C., Cremers C., Feltz M., Paterson K., Poettering B., Stebila D.: ASICS: authenticated key exchange security incorporating certification systems. In: Crampton J., Jajodia S., Mayes K. (eds.) Computer Security (ESORICS 2013). LNCS, vol. 8134, pp. 381–399. Springer, Berlin (2013).

  22. Bellare M., Rogaway P.: Entity authentication and key distribution. In: 13th Annual International Cryptology Conference on Advances in Cryptology (CRYPTO’93), pp. 232–249. Springer, New York (1994).

  23. Bellare M., Rogaway P.: Provably secure session key distribution: the three party case. In: 27th Annual ACM Symposium on Theory of Computing (STOC’95), pp. 57–66. ACM, New York (1995).

  24. Bellare M., Pointcheval D., Rogaway P.: Authenticated key exchange secure against dictionary attacks. In: 19th International Conference on Theory and Application of Cryptographic Techniques (EUROCRYPT’00), pp. 139–155. Springer, Berlin (2000).

  25. Cremers C., Feltz M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. In: Proceedings of the 17th European Conference on Research in Computer Security. ESORICS. Springer, Berlin (2012).

  26. Okamoto T., Pointcheval D.: The gap-problems: a new class of problems for the security of cryptographic schemes. In: Kim K. (ed.) PKC’2001. LNCS, vol. 1992, pp. 104–118. Springer, Berlin (2001).

  27. Feltz M., Cremers C.: On the limits of authenticated key exchange security with an application to bad randomness. Cryptology ePrint Archive, Report 2014/369 (2014). http://eprint.iacr.org/.

  28. Choo K.-K.R., Boyd C., Hitchcock Y.: Examining indistinguishability-based proof models for key establishment protocols. In: Advances in Cryptology—ASIACRYPT 2005, 11th International Conference on the Theory and Application of Cryptology and Information Security, Chennai, India, 4–8 Dec 2005, Proceedings. Lecture Notes in Computer Science, vol. 3788, pp. 585–604. Springer, Berlin (2005).

  29. Schneier B., Fredrikson M., Kohno T., Ristenpart T.: Surreptitiously weakening cryptographic systems. Cryptology ePrint Archive, Report 2015/097 (2015). http://eprint.iacr.org/. Accessed March 2015.


Acknowledgements

Funding was provided by ETH Research Grant ETH-30 09-3.


Corresponding author

Correspondence to Michèle Feltz.

Additional information

Communicated by C. Boyd.

Appendices

Appendix 1: Proof of Proposition 2

Proof

It is straightforward to verify the first condition of Definition 5. We next verify that the second condition of Definition 5 holds. Let E denote a PPT adversary against protocol \(\pi :=\mathrm {\mathrm {CNX}}\). We show that the probability of event \(\text {Multiple-Match}_{\pi ,E}^{W({{\text {CR-eCK}}^{w}})}(k) \) is bounded above by a negligible function in the security parameter k, where \(\text {Multiple-Match}_{\pi ,E}^{W({{\text {CR-eCK}}^{w}})}(k) \) denotes the event that, in the security experiment, there exist a session s with \(s_{ status }={\mathtt {accepted}}\) and at least two distinct sessions \(s'\) and \(s''\) that are matching session s. Note that, if both sessions \(s'\) and \(s''\) are matching session s, then it must hold that \(s''_{ actor }=s'_{ actor }\) and \(s''_{ role }=s'_{ role }\). In addition, the counter values in two different sessions of the same user are distinct. For some fixed session s that has accepted, let \( Ev \) denote the event that there exist two distinct sessions \(s'\) and \(s''\) such that s and \(s'\) are matching as well as s and \(s''\). We have:

$$\begin{aligned} P( Ev )\le & {} P(\bigcup _{\begin{array}{c} s',s'' \\ s'\ne s'' \end{array}}\{H_{1}(s''_{ rand },\mathsf{sk}_{\hat{P}},i)=H_{1}(s'_{ rand },\mathsf{sk}_{\hat{P}},j)\})\\\le & {} \sum _{\begin{array}{c} s',s'' \\ s'\ne s'' \end{array}}P(\{H_{1}(s''_{ rand },\mathsf{sk}_{\hat{P}},i)=H_{1}(s'_{ rand },\mathsf{sk}_{\hat{P}},j)\})\\\le & {} q^{2}_{s}\frac{1}{p},\\ \end{aligned}$$

where \(\hat{P}=s''_{ actor }=s'_{ actor }\), \(i\ne j\) and \(q_{s}\) denotes the number of created sessions (either via the \(\mathsf {create} \) or the \(\mathsf {cr\text{- }create} \) query) by the adversary. Therefore, \(P(\text {Multiple-Match}_{\pi ,E}^{W({{\text {CR-eCK}}^{w}})}(k)) \le q^{3}_{s}\frac{1}{p}\).

The third condition of Definition 5 is implied by an adaptation of the security proof of NAXOS in the eCK\(^{w}\) model from [19]. Let \(s^{*}\) denote the test session. Consider first the event \(K^{c}\) where the adversary M wins the security experiment against \(\pi \) with non-negligible advantage and does not query \(H_{2}\) with \((\sigma _{1},\sigma _{2},\sigma _{3},\hat{A},\hat{B})\), where \(\sigma _{1}=CDH (Y,A),\sigma _{2}=CDH (B,X)\) and \(\sigma _{3}=CDH (X,Y)\).

Event \(K^{c}\)

If event \(K^{c}\) occurs, then the adversary M must have issued a \(\mathsf {session\text{- }key}\) query to some session s such that \(K_{s}=K_{s^{*}}\) (where \(K_{s}\) and \(K_{s^{*}}\) denote the session keys computed in sessions s and \(s^{*}\), respectively) and s does not match \(s^{*}\). We consider the following four events:

  1. \(A_{1}\): there exist two distinct sessions \(s',s''\) created via a \(\mathsf {create} \) query such that \(s'_{ rand }=s''_{ rand }\).

  2. \(A_{2}\): there exists a session \(s\ne s^{*}\) such that \(H_{1}(s_{ rand },\mathsf{sk}_{s_{ actor }},i)= H_{1}(s^{*}_{ rand },\mathsf{sk}_{s^{*}_{ actor }},j)\).

  3. \(A_{3}\): there exists a session \(s'\ne s^{*}\) such that \(H_{2}(\mathrm {input}_{s'})=H_{2}(\mathrm {input}_{s^{*}})\) with \(\mathrm {input}_{s'}\ne \mathrm {input}_{s^{*}}\).

  4. \(A_{4}\): there exists an adversarial query \(\mathrm {input}_{M}\) to the oracle \(H_{2}\) such that \(H_{2}(\mathrm {input}_{M})=H_{2}(\mathrm {input}_{s^{*}})\) with \(\mathrm {input}_{M}\ne \mathrm {input}_{s^{*}}\).

In contrast to the NAXOS protocol with respect to model \({\text {CR-eCK}}^{w}\), the adversary cannot force two sessions of protocol \(\pi \) of the same user with the same role to compute the same session key via a chosen-randomness replay attack, as the \(H_{1}\) values in both sessions will be different with overwhelming probability due to different counter values. The latter event is included in event \(A_{2}\).
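The replay scenario described in the preceding paragraph, as an added example that is not code from the paper: a NAXOS-style derivation H1(rand, sk) beside the stateful derivation H1(rand, sk, counter), run on two initiator sessions of the same user whose randomness and peer message the adversary replays. The toy group, the long-term keys, the hash-based stand-ins for the random oracles and all function names are assumptions constructed for the demonstration.

```python
"""Chosen-randomness replay against a NAXOS-style ephemeral derivation, beside
the stateful, counter-based derivation. Added example, not the paper's code;
every parameter below is constructed for the demonstration."""
import hashlib
from typing import Optional, Tuple

# Toy Diffie-Hellman group Z_p^* with the Mersenne prime p = 2^127 - 1 and base 3.
# Assumption: demonstration-only parameters, far too small for real use.
P = (1 << 127) - 1
G = 3
EXP_MOD = P - 1          # exponents are reduced modulo p - 1

# Constructed long-term secret keys for the two users.
ALICE_SK = 0x1F3A5C7E9B2D4F6081A3C5E7F9B1D3F5
BOB_SK = 0x0BADC0FFEE123456789ABCDEF0123456


def _int_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def _hash(tag: bytes, *parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, standing in for the random oracles H1 and H2."""
    data = tag
    for part in parts:
        data += len(part).to_bytes(4, "big") + part
    return hashlib.sha256(data).digest()


def h1(rand: bytes, sk: int, counter: Optional[int] = None) -> int:
    """Ephemeral exponent. Without a counter this is the NAXOS trick H1(rand, sk);
    with one it is the stateful derivation H1(rand, sk, counter) of the protocol above."""
    parts = [rand, _int_bytes(sk)]
    if counter is not None:
        parts.append(_int_bytes(counter))
    return int.from_bytes(_hash(b"H1", *parts), "big") % EXP_MOD or 1


def h2(s1: int, s2: int, s3: int, a: str, b: str) -> bytes:
    """Session key H2(sigma1, sigma2, sigma3, A, B)."""
    return _hash(b"H2", _int_bytes(s1), _int_bytes(s2), _int_bytes(s3), a.encode(), b.encode())


class User:
    def __init__(self, name: str, sk: int, stateful: bool):
        self.name, self.sk, self.stateful = name, sk, stateful
        self.pk = pow(G, sk, P)
        self.counter = 0      # memory shared by all of this user's sessions

    def ephemeral(self, rand: bytes) -> Tuple[int, int]:
        """Start a session from `rand`, which the adversary may have chosen (cr-create)."""
        if self.stateful:
            self.counter += 1                       # the shared state is updated ...
            x = h1(rand, self.sk, self.counter)     # ... and enters the derivation
        else:
            x = h1(rand, self.sk)
        return x, pow(G, x, P)


def initiator_key(actor: User, x: int, peer: User, y_msg: int) -> bytes:
    """Initiator's key from its exponent x, its long-term key and the peer's message Y."""
    s1 = pow(y_msg, actor.sk, P)    # CDH(Y, A)
    s2 = pow(peer.pk, x, P)         # CDH(B, X)
    s3 = pow(y_msg, x, P)           # CDH(X, Y)
    return h2(s1, s2, s3, actor.name, peer.name)


def replay_demo(stateful: bool) -> Tuple[bool, bool]:
    """Two initiator sessions of Alice with the same adversary-chosen randomness and
    the same replayed peer message. Returns (same DH exponential, same session key)."""
    alice = User("Alice", ALICE_SK, stateful)
    bob = User("Bob", BOB_SK, stateful)
    forced_rand = bytes(32)                     # constructed: randomness chosen by the adversary
    _, y_msg = bob.ephemeral(b"\x11" * 32)      # Bob's honest message, delivered twice by the adversary
    x1, big_x1 = alice.ephemeral(forced_rand)
    k1 = initiator_key(alice, x1, bob, y_msg)
    x2, big_x2 = alice.ephemeral(forced_rand)
    k2 = initiator_key(alice, x2, bob, y_msg)
    return big_x1 == big_x2, k1 == k2


if __name__ == "__main__":
    print("NAXOS-style   (same X, same key):", replay_demo(stateful=False))
    print("counter-based (same X, same key):", replay_demo(stateful=True))
```

With `stateful=False` both sessions derive the same exponent and hence the same session key, which is exactly the collision a matching-session argument cannot tolerate; with `stateful=True` the counter differs between the two sessions, so the \(H_{1}\) outputs, the exponentials and the keys all differ even though the randomness and the peer message were replayed.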

Analysis of event \(K^{c}\)

We denote by \(q_{s}\) the number of created sessions (either via the \(\mathsf {create} \) or the \(\mathsf {cr\text{- }create} \) query) by the adversary and by \(q_{\mathrm {ro}2}\) the number of queries to the random oracle \(H_{2}\). We have that

$$\begin{aligned} P(K^{c})&\le P(A_{1} \vee A_{2} \vee A_{3} \vee A_{4}) \le P(A_{1})+ P(A_{2}) + P(A_{3}) +P(A_{4})\\&\le \frac{q^{2}_{s}}{2}\frac{1}{2^{k}} + \frac{q_{s}}{p} + \frac{q_{s}+q_{\mathrm {ro}2}}{2^{k}}, \end{aligned}$$

which is a negligible function of the security parameter k.

In the subsequent events (and their analyses) we assume that no collisions in the queries to the oracle \(H_{1}\) occur and that none of the events \(A_{1},\ldots ,A_{4}\) occurs. As in the proof of [19, Proposition 7], we next consider the following three events:

  1. \(DL \wedge K\),

  2. \(T_{O}\wedge DL^{c} \wedge K\), and

  3. \((T_{O})^{c} \wedge DL^{c} \wedge K\), where

\(T_{O}\) denotes the event that there exists an origin-session for the test session, DL denotes the event where there exists a user \(\hat{C}\in \mathcal {P} \) such that the adversary M, during its execution, queries \(H_{1}\) with \((*,c,*)\) before issuing a \(\mathsf {corrupt} (\hat{C})\) query and K denotes the event that M wins the security experiment against \(\mathrm {NAXOS}\) by querying \(H_{2}\) with \((\sigma _{1},\sigma _{2},\sigma _{3},\hat{A},\hat{B})\), where \(\sigma _{1}=CDH (Y,A),\sigma _{2}=CDH (B,X)\) and \(\sigma _{3}=CDH (X,Y)\).

Event \(DL\wedge K\)

Let the input to the \(\mathrm {GAP\text {-}DLog} \) challenge be C. Suppose that event \(DL\wedge K\) occurs with non-negligible probability. In this case, the simulator S chooses one user \(\hat{C}\in \mathcal {P} \) at random and sets its long-term public key to C. S chooses long-term secret/public key pairs for the remaining honest parties and stores the associated long-term secret keys. Additionally S chooses a random value \(m\in _{R} \left\{ 1,2,\ldots ,q_{s}\right\} \). We denote the m’th activated session by adversary M by \(s^{*}\). Suppose further that \(s^{*}_{ actor }=\hat{A}, s^{*}_{ peer }=\hat{B}\) and \(s^{*}_{ role }=\mathcal {I}\), w.l.o.g. We now define S’s responses to M’s queries for the pre-specified peer setting; the post-specified peer case proceeds similarly. Algorithm S maintains tables Q, J, T and L, all of which are initially empty. S also maintains a variable \(\omega \) initialized with 1 and a table \( CV \) maintaining for each user the current counter value. Initially, table \( CV \) contains an entry \((\hat{P},0)\) for each user \(\hat{P}\in \mathcal {P} \).

  1. \(\mathsf {create} \left( \hat{P},r,\hat{Q}\right) \) to create session s: S checks whether \(\hat{P}\in \mathcal {P},\hat{Q}\in \mathcal {P} \), and \(r\in \{\mathcal {I},\mathcal {R}\}\). If one of the checks fails, then S returns \(\bot \). Else, S initializes the session variables according to the protocol specification, and stores an entry of the form \(\left( s,s_{ rand },\mathsf{sk}_{s_{ actor }},l_{s},\kappa \right) \in (\mathcal {P} \times \mathbb {N})\times \left\{ 0,1\right\} ^{k}\times (\mathbb {Z}_{p}\cup \left\{ *\right\} )\times \mathbb {N} \times \mathbb {Z}_{p}\) in table Q as follows:

    • S retrieves the counter value c for the user with identifier \(\hat{P}\) from table \( CV \), increments c by 1, and updates the counter value for \(\hat{P}\) stored in table \( CV \) with \(c+1\),

    • S chooses \(s_{ rand }\in _{R} \left\{ 0,1\right\} ^{k}\) (i.e. the randomness of session s),

    • S chooses \(\kappa \in _{R}\mathbb {Z}_{p}\),

    • if \(s_{ actor }\ne \hat{C}\), then S stores the entry \(\left( s,s_{ rand },\mathsf{sk}_{s_{ actor }},c+1,\kappa \right) \) in Q, else S stores the entry \(\left( s,s_{ rand },*,c+1,\kappa \right) \) in Q (see note 5), and

    • if \(r=\mathcal {I}\), then S returns the Diffie–Hellman exponential \(g^{\kappa }\) to M, else S returns \(\mathsf {\star } \).

  2. \(\mathsf {cr\text{- }create} \left( \hat{P},r,str,\hat{Q}\right) \) to create session s: S checks whether \(\hat{P}\in \mathcal {P},\hat{Q}\in \mathcal {P} \), and \(r\in \{\mathcal {I},\mathcal {R}\}\). If one of the checks fails, then S returns \(\bot \). Else, S initializes the session variables according to the protocol specification, and stores an entry of the form \(\left( s,s_{ rand },\mathsf{sk}_{s_{ actor }},l_{s},\kappa \right) \in (\mathcal {P} \times \mathbb {N})\times \left\{ 0,1\right\} ^{k}\times (\mathbb {Z}_{p}\cup \left\{ *\right\} )\times \mathbb {N} \times \mathbb {Z}_{p}\) in table Q as follows:

    • S retrieves the counter value c for the user with identifier \(\hat{P}\) from table \( CV \), increments c by 1, and updates the counter value for \(\hat{P}\) stored in table \( CV \) with \(c+1\),

    • if there is an entry \((r_{i},h_{i},l_{i},\kappa _{i})\) in table J such that \(r_{i}=str\), \(h_{i}=\mathsf{sk}_{\hat{P}}\), and \(l_{i}=c+1\), then S sets \(\omega \leftarrow \kappa _{i}\), else S chooses \(\kappa \in _{R}\mathbb {Z}_{p}\), and sets \(\omega \leftarrow \kappa \) (see note 6),

    • if \(s_{ actor }\ne \hat{C}\), then S stores the entry \(\left( s,s_{ rand },\mathsf{sk}_{s_{ actor }},c+1,x_{5}\right) \) in Q, else S stores the entry \(\left( s,s_{ rand },*,c+1,x_{5}\right) \) in Q, where \(x_{5}\) denotes the value of variable \(\omega \),

    • if \(r=\mathcal {I}\), then S returns the Diffie–Hellman exponential \(g^{\kappa }\) to M, else S returns \(\mathsf {\star } \).

  3. S stores entries of the form \(\left( r,h,l,\kappa \right) \in \left\{ 0,1\right\} ^{k}\times \mathbb {Z}_{p}\times \mathbb {N}\times \mathbb {Z}_{p}\) in table J. When M makes a query of the form \(\left( r,h,l\right) \) to the random oracle for \(H_{1}\), answer it as follows:

    • If \(C=g^{h}\), then S aborts M and is successful by outputting \(\mathrm {DLog} _{g}(C)=h\).

    • Else if \(\left( r,h,l,\kappa \right) \in J\) for some \(\kappa \in \mathbb {Z}_{p}\), then S returns \(\kappa \) to M.

    • Else if there exists an entry \(\left( s,s_{ rand },\mathsf{sk}_{s_{ actor }},l_{s},\kappa \right) \) in Q, for some \(s\in \mathcal {P} \times \mathbb {N},s_{ rand }\in \left\{ 0,1\right\} ^{k},\mathsf{sk}_{s_{ actor }}\in \mathbb {Z}_{p}\), \(l_{s}\in \mathbb {N}\) and \(\kappa \in \mathbb {Z}_{p}\), such that \(s_{ rand }=r\), \(\mathsf{sk}_{s_{ actor }}=h\) and \(l_{s}=l\), then S returns \(\kappa \) to M and stores the entry \(\left( r,h,l,\kappa \right) \) in table J.

    • Else, S chooses \(\kappa \in _{R} \mathbb {Z}_{p}\), returns it to M and stores the entry \(\left( r,h,l,\kappa \right) \) in table J.

  4. \(\mathsf {send} (\hat{P},i,V)\) to send message V to session \(s=(\hat{P},i)\): If \(s_{ status }\ne {\mathtt {active}}\), then S returns \(\bot \). Else if \(s_{ role }=\mathcal {I}\), then S does the following. If \(V\notin G\), then the status of session s is set to \({\mathtt {rejected}}\). Else, the status of session s is set to \({\mathtt {accepted}}\), the variable recv is updated to \(s_{ recv }\leftarrow (s_{ recv },V)\) and

    • If there exists an entry \(\left( s_{ peer },s_{ actor },\mathcal {R},s_{ recv },s_{ sent },\lambda \right) \) in table T, then S stores the entry \(\left( s_{ actor },s_{ peer },\mathcal {I},s_{ sent },s_{ recv },\lambda \right) \) in table T.

    • Else if there exists an entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},s_{ actor },s_{ peer },\lambda \right) \) in table L, for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), such that \(\text {DDH}(s_{ recv },s_{ sent },\sigma _{3})=1\), \(\text {DDH}(s_{ sent },\mathsf{pk}_{s_{ peer }},\sigma _{2})=1\) and \(\text {DDH}(s_{ recv },\mathsf{pk}_{s_{ actor }},\sigma _{1})=1\), then S stores \(\left( s_{ actor },s_{ peer },\mathcal {I},s_{ sent },s_{ recv },\lambda \right) \) in table T.

    • Else, S chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\) and stores the entry \((s_{ actor },s_{ peer },\mathcal {I},s_{ sent },s_{ recv },\mu )\) in T.

    Else if \(s_{ role }=\mathcal {R}\), then S does the following. If \(V\notin G\), then the status of session s is set to \({\mathtt {rejected}}\). Else, S sets the status of session s to \({\mathtt {accepted}}\), and the variable recv to \((s_{ recv },V)\). S returns \(g^{\kappa }\) to M, where \(\kappa \) denotes the last element of the entry \(\left( s,r,\mathsf{sk}_{s_{ actor }},l,\kappa \right) \) in table Q, and proceeds in a similar way as in the previous case.

  5. When M makes a query of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j}\right) \) to the random oracle for \(H_{2}\), answer it as follows:

    • If \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then S returns \(\lambda \) to M.

    • Else if there exist entries \(\left( \hat{P}_{i},\hat{P}_{j},\mathcal {I},U,V,\lambda \right) \) or \(\left( \hat{P}_{j},\hat{P}_{i},\mathcal {R},V,U,\lambda \right) \) in table T, for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(U,V\in G\), such that \(\text {DDH}(V,U,\sigma _{3})=1\), \(\text {DDH}(V,\mathsf{pk}_{\hat{P}_{i}},\sigma _{1})=1\) and \(\text {DDH}(U,\mathsf{pk}_{\hat{P}_{j}},\sigma _{2})=1\), then S returns \(\lambda \) to M and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\lambda \right) \) in table L.

    • Else, S chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\), returns it to M and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\mu \right) \) in L.

  6. \(\mathsf {randomness} (s)\): If \(s_{ status }=\bot \), then S returns \(\bot \). Otherwise, S returns \(s_{ rand }\) (via lookup in table Q).

  7. \(\mathsf {session\text{- }key} (s)\): If \(s_{ status }\ne {\mathtt {accepted}}\), then S returns \(\bot \). Otherwise, S answers this query by lookup in table T.

  8. \(\mathsf {test\text{- }session} (s)\): If \(s\ne s^{*}\), then S aborts; otherwise S answers the query in the appropriate way.

  9. \(\mathsf {corrupt} (\hat{P})\): If \(\hat{P}\notin \mathcal {P} \), then S returns \(\bot \). Else if \(\hat{P}=\hat{C}\), then S aborts. Else S returns \(\mathsf{sk}_{\hat{P}}\).

  10. M outputs a guess: S aborts.
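The bookkeeping for \(H_{1}\) in items 1 to 3 of the simulation above (tables Q, J and \( CV \), the consistency requirement of note 6 between \(\mathsf {cr\text{- }create} \) and earlier oracle queries, and the abort that hands S the discrete logarithm of C), as an added example that is not the paper's code. The toy group, the session and key values and the class and function names are assumptions constructed for the demonstration; the challenge user is modelled by passing `None` as its secret key, since S does not know it.

```python
"""Lazily sampled random oracle H1 with the simulator's tables Q, J and CV, the
cr-create consistency rule and the DLog-extracting abort. Added example, not
the paper's code; parameters and names are constructed for the demonstration."""
import secrets
from typing import Dict, Optional, Tuple

# Toy group (assumption: demonstration-only, far too small for real use).
P = (1 << 127) - 1
G = 3
EXP_MOD = P - 1


class Solved(Exception):
    """The simulator aborts successfully: a query revealed DLog_g(C)."""
    def __init__(self, dlog: int):
        super().__init__(f"DLog extracted: {dlog}")
        self.dlog = dlog


class H1Simulator:
    def __init__(self, challenge_pk: Optional[int] = None):
        self.challenge_pk = challenge_pk      # C = g^c with c unknown to the simulator
        self.J: Dict[Tuple[bytes, int, int], int] = {}                 # (r, h, l) -> kappa
        self.Q: Dict[Tuple[str, int], Tuple[bytes, Optional[int], int, int]] = {}  # session -> (rand, sk, counter, kappa)
        self.CV: Dict[str, int] = {}          # user -> current counter value

    def _fresh(self) -> int:
        return secrets.randbelow(EXP_MOD - 1) + 1

    def _next_counter(self, user: str) -> int:
        c = self.CV.get(user, 0) + 1
        self.CV[user] = c
        return c

    def create(self, user: str, sk: Optional[int], rng=secrets.token_bytes):
        """create: honest randomness; kappa is sampled without consulting J (note 5).
        sk is None for the challenge user, whose long-term key the simulator does not know."""
        c = self._next_counter(user)
        rand = rng(16)
        kappa = self._fresh()
        self.Q[(user, c)] = (rand, sk, c, kappa)
        return (user, c), kappa

    def cr_create(self, user: str, sk: Optional[int], rand: bytes):
        """cr-create: adversary-chosen randomness. If the adversary already queried
        H1(rand, sk, c) for the counter value this session receives, reuse that kappa (note 6)."""
        c = self._next_counter(user)
        kappa = self.J.get((rand, sk, c)) if sk is not None else None
        if kappa is None:
            kappa = self._fresh()
        self.Q[(user, c)] = (rand, sk, c, kappa)
        return (user, c), kappa

    def query_h1(self, r: bytes, h: int, l: int) -> int:
        """Oracle query H1(r, h, l): abort if h is the challenge's discrete log, then J, then Q, else fresh."""
        if self.challenge_pk is not None and pow(G, h, P) == self.challenge_pk:
            raise Solved(h)
        if (r, h, l) in self.J:
            return self.J[(r, h, l)]
        for rand, sk, c, kappa in self.Q.values():
            if (rand, sk, c) == (r, h, l):
                self.J[(r, h, l)] = kappa     # program J so later queries stay consistent
                return kappa
        kappa = self._fresh()
        self.J[(r, h, l)] = kappa
        return kappa


def note6_scenario() -> bool:
    """Adversary queries H1(x, sk_P, 1) first, then issues cr-create(P, ..., x); the session's
    counter becomes 1, so its kappa must equal the earlier answer, and a later query must agree."""
    sim = H1Simulator()
    x, sk_p = b"\x01" * 16, 7                  # constructed values
    early = sim.query_h1(x, sk_p, 1)
    sid, kappa = sim.cr_create("P", sk_p, x)
    later = sim.query_h1(x, sk_p, 1)
    return sid == ("P", 1) and early == kappa == later


def create_then_query_consistent() -> bool:
    """A create'd session (fixed rng so the check is repeatable) and a later H1 query on its inputs agree."""
    sim = H1Simulator()
    sid, kappa = sim.create("Q", 9, rng=lambda n: b"\x02" * n)
    return sid == ("Q", 1) and sim.query_h1(b"\x02" * 16, 9, 1) == kappa


def dlog_extraction() -> Optional[int]:
    """Embedding C = g^42 as the challenge: a query with h = 42 makes the simulator abort with the DLog."""
    sim = H1Simulator(challenge_pk=pow(G, 42, P))
    try:
        sim.query_h1(b"\x03" * 16, 42, 1)
    except Solved as e:
        return e.dlog
    return None
```

The order of checks in `query_h1` follows item 3 exactly: the abort comes first, then table J, then a lookup in Q that programs J, and only then a fresh value; `cr_create` consults J before sampling, which is the extra step note 6 says the NAXOS proof does not need.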

Analysis of event \(DL\wedge K\)

Similar to the analysis of the related event \(DL\wedge K\) in the proof of [19, Proposition 7].

Event \(T_{O}\wedge DL^{c}\wedge K\)

Let \(s^{*}\) and \(s'\) denote the test session and the origin-session for the test session, respectively. We split event \( Evt :=T_{O}\wedge DL^{c}\wedge K\) into the following events \(B_{1},\ldots ,B_{3}\) so that \( Evt =B_{1}\vee B_{2}\vee B_{3}\):

  1. \(B_{1}\): \( Evt \) occurs and \(s^{*}_{ peer }=s'_{ actor }\).

  2. \(B_{2}\): \( Evt \) occurs and \(s^{*}_{ peer }\ne s'_{ actor }\) and M issues neither a \(\mathsf {randomness} (s')\) query nor a \(\mathsf {cr\text{- }create} (s',\times )\) query to the origin-session \(s'\) of \(s^{*}\), but may issue a \(\mathsf {corrupt} (s^{*}_{ peer })\) query.

  3. \(B_{3}\): \( Evt \) occurs and \(s^{*}_{ peer }\ne s'_{ actor }\) and M does not issue a \(\mathsf {corrupt} (s^{*}_{ peer })\) query, but may issue either a \(\mathsf {randomness} (s')\) query or a \(\mathsf {cr\text{- }create} (s',\times )\) query to the origin-session \(s'\) of \(s^{*}\).

Event \(B_{1}\)

Let the input to the \(\mathrm {GDH} \) challenge be \((X_{0},Y_{0})\). Suppose that event \(B_{1}\) occurs with non-negligible probability. In this case S chooses long-term secret/public key pairs for all the honest parties and stores the associated long-term secret keys. Additionally S chooses two random values \(m,n\in _{R} \left\{ 1,2,\ldots ,q_{s}\right\} \). The m’th activated session by adversary M will be called \(s^{*}\) and the n’th activated session will be called \(s'\). Suppose further that \(s^{*}_{ actor }=\hat{A}, s^{*}_{ peer }=\hat{B}\) and \(s^{*}_{ role }=\mathcal {I}\), w.l.o.g. The simulation of M’s environment proceeds as follows:

  1. \(\mathsf {create} (\hat{A}, \mathcal {I},\hat{B})\) or \(\mathsf {cr\text{- }create} (\hat{A}, \mathcal {I},str,\hat{B})\) to create session \(s^{*}\): If \(\mathsf {create} \) is issued, then S chooses \(s^{*}_{ rand }\in _{R} \{0,1\}^{k}\). Else, S sets \(s^{*}_{ rand }\leftarrow str\). Then, S (a) returns the message \(X_{0}\), where \((X_{0},Y_{0})\) is the \(\mathrm {GDH} \) challenge, (b) increments by 1 the counter value c for the user with identifier \(\hat{A}\) (stored in table CV), and (c) stores the updated counter value \(c+1\) for \(\hat{A}\) in table CV (see note 7).

  2. \(\mathsf {create} (\hat{B},r,\hat{Q})\) or \(\mathsf {cr\text{- }create} (\hat{B},r,str,\hat{Q})\) to create session \(s'\): If \(\mathsf {create} \) is issued, then S chooses \(s'_{ rand }\in _{R} \{0,1\}^{k}\). Else, S sets \(s'_{ rand } \leftarrow str\). S then increments by 1 the counter value c for the user with identifier \(\hat{B}\) (stored in table CV), and stores the updated counter value \(c+1\) for \(\hat{B}\) in table CV. If \(r=\mathcal {I}\), then S returns message \(Y_{0}\) to M, where \((X_{0},Y_{0})\) is the \(\mathrm {GDH} \) challenge. Else, \(\mathsf {\star } \) is returned.

  3. \(\mathsf {send} (\hat{B},i,Z)\) with \((\hat{B},i)=s'\): If \(s'_{ status }\ne {\mathtt {active}}\), then S returns \(\bot \). Else if \(s'_{ role }=\mathcal {R}\) and \(Z\in G\), then S returns message \(Y_{0}\) to M, where \((X_{0},Y_{0})\) is the \(\mathrm {GDH} \) challenge, sets the status of session \(s'\) to \({\mathtt {accepted}}\), and proceeds as in the previous simulation for completing the session. Else, S proceeds as in the previous simulation.

  4. \(\mathsf {send} (\hat{A},i,Y_{0})\) with \((\hat{A},i)=s^{*}\): S proceeds as in the previous simulation for completing the session.

  5. Other \(\mathsf {create},\mathsf {cr\text{- }create} \) and \(\mathsf {send} \) queries are answered as in the previous simulation.

  6. \(\mathsf {randomness} (s)\): If \(s_{ status }=\bot \), then S returns \(\bot \). Else, S returns \(s_{ rand }\).

  7. \(\mathsf {session\text{- }key} (s)\): If \(s_{ status }\ne {\mathtt {accepted}}\), then S returns \(\bot \). Otherwise, S answers this query by lookup in table T.

  8. \(\mathsf {test\text{- }session} (s)\): If \(s\ne s^{*}\) or if \(s'\) is not the origin-session for session \(s^{*}\), then S aborts; otherwise S answers the query in the appropriate way.

  9. \(H_{1}(r,h,*)\): If \(h=a\) and \(r=s^{*}_{ rand }\) or if \(h=b\) and \(r=s'_{ rand }\), then S aborts. Otherwise S simulates a random oracle as in the previous simulation.

  10. \(\mathsf {corrupt} (\hat{P})\): If \(\hat{P}\notin \mathcal {P} \), then S returns \(\bot \). Else, S returns \(\mathsf{sk}_{\hat{P}}\).

  11. When M makes a query of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j}\right) \) to the random oracle for \(H_{2}\), answer it as follows:

    • If \(\left\{ \hat{P}_{i},\hat{P}_{j}\right\} =\left\{ \hat{A},\hat{B}\right\} \), \(\sigma _{1}=Y_{0}^{a}\), \(\sigma _{2}=X_{0}^{b}\) and \(\text {DDH}(X_{0},Y_{0},\sigma _{3})=1\), then S aborts M and is successful by outputting \(CDH (X_{0},Y_{0})=\sigma _{3}\).

    • Else if \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then S returns \(\lambda \) to M.

    • Else if there exist entries \(\left( \hat{P}_{i},\hat{P}_{j},\mathcal {I},U,V,\lambda \right) \) or \(\left( \hat{P}_{j},\hat{P}_{i},\mathcal {R},V,U,\lambda \right) \) in table T, for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(U,V\in G\), such that \(\text {DDH}(V,U,\sigma _{3})=1\), \(\text {DDH}(V,\mathsf{pk}_{\hat{P}_{i}},\sigma _{1})=1\) and \(\text {DDH}(U,\mathsf{pk}_{\hat{P}_{j}},\sigma _{2})=1\), then S returns \(\lambda \) to M and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\lambda \right) \) in table L.

    • Else, S chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\), returns it to M and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\mu \right) \) in L.

  12. M outputs a guess: S aborts.

Analysis of event \(B_{1}\)

Similar to the analysis of the related event \(B_{1}\) in the proof of [19, Proposition 7].

Event \(B_{2}\)

Let the input to the \(\mathrm {GDH} \) challenge be \((X_{0},Y_{0})\). Suppose that event \(B_{2}\) occurs with non-negligible probability. The simulation of S proceeds in the same way as for event \(B_{1}\) with the following changes:

  • \(\mathsf {create} (\hat{B},r,\hat{Q})\) or \(\mathsf {cr\text{- }create} (\hat{B},r,str,\hat{Q})\) to create session \(s'\): If \(\mathsf {cr\text{- }create} \) is issued, then S aborts. Else, S proceeds as described before.

  • \(\mathsf {randomness} (s)\): If \(s_{ status }=\bot \), then S returns \(\bot \). Else if \(s=s'\), then S aborts. Else, S returns \(s_{ rand }\).

  • \(H_{1}(r,h,*)\): If \(h=a\) and \(r=s^{*}_{ rand }\), then S aborts. Otherwise S simulates a random oracle as in the previous simulation.

Analysis of event \(B_{2}\)

Similar to the analysis of the related event \(B_{2}\) in the proof of [19, Proposition 7].

Event \(B_{3}\)

Let the input to the \(\mathrm {GDH} \) challenge be \((X_{0},B)\). Suppose that event \(B_{3}\) occurs with non-negligible probability. In this case, S chooses one user \(\hat{B}\in \mathcal {P} \) at random from the set \(\mathcal {P} \) and sets its long-term public key to B. S chooses long-term secret/public key pairs for the remaining parties in \(\mathcal {P} \) and stores the associated long-term secret keys. Additionally S chooses two random values \(m,n\in _{R} \left\{ 1,2,\ldots ,q_{s}\right\} \). We denote the m’th activated session by adversary M by \(s^{*}\) and the n’th activated session by \(s'\). Suppose further that \(s^{*}_{ actor }=\hat{A}, s^{*}_{ peer }=\hat{B}\) and \(s^{*}_{ role }=\mathcal {I}\), w.l.o.g. Algorithm S maintains tables Q, J, T and L, all of which are initially empty. S also maintains a variable \(\omega \) initialized with 1 and a table \( CV \) maintaining for each user the current counter value. Initially, table \( CV \) contains an entry \((\hat{P},0)\) for each user \(\hat{P}\in \mathcal {P} \). The simulation of M’s environment proceeds as follows:

  1.

    \(\mathsf {create} (\hat{A}, \mathcal {I},\hat{B})\) or \(\mathsf {cr\text{- }create} (\hat{A}, \mathcal {I},str,\hat{B})\) to create session \(s^{*}\): If \(\mathsf {create} \) is issued, then S chooses \(s^{*}_{ rand }\in _{R} \{0,1\}^{k}\). Else, S sets \(s^{*}_{ rand }\leftarrow str\). Then, S (a) returns the message \(X_{0}\), (b) increments by 1 the counter value c for the user with identifier \(\hat{A}\) (stored in table CV), and (c) stores the updated counter value \(c+1\) for \(\hat{A}\) in table CV.

  2.

    \(\mathsf {create} \left( \hat{P},r,\hat{Q}\right) \) to create session s: S checks whether \(\hat{P}\in \mathcal {P},\hat{Q}\in \mathcal {P} \), and \(r\in \{\mathcal {I},\mathcal {R}\}\). If one of the checks fails, then S returns \(\bot \). Else, S initializes the session variables according to the protocol specification, and stores an entry of the form \(\left( s,s_{ rand },\mathsf{sk}_{s_{ actor }},l_{s},\kappa \right) \in (\mathcal {P} \times \mathbb {N})\times \left\{ 0,1\right\} ^{k}\times (\mathbb {Z}_{p}\cup \left\{ *\right\} )\times \mathbb {N} \times \mathbb {Z}_{p}\) in table Q as follows:

    • S retrieves the counter value c for the user with identifier \(\hat{P}\) from table \( CV \), increments c by 1, and updates the counter value for \(\hat{P}\) stored in table \( CV \) with \(c+1\),

    • S chooses \(s_{ rand }\in _{R} \left\{ 0,1\right\} ^{k}\) (i.e. the randomness of session s),

    • S chooses \(\kappa \in _{R}\mathbb {Z}_{p}\),

    • if \(s_{ actor }\ne \hat{B}\), then S stores the entry \(\left( s,s_{ rand },\mathsf{sk}_{s_{ actor }},c+1,\kappa \right) \) in Q, else S stores the entry \(\left( s,s_{ rand },*,c+1,\kappa \right) \) in Q, and

    • if \(r=\mathcal {I}\), then S returns the Diffie–Hellman exponential \(g^{\kappa }\) to M, else S returns \(\mathsf {\star } \).

  3.

    \(\mathsf {cr\text{- }create} \left( \hat{P},r,str,\hat{Q}\right) \) to create session s: S checks whether \(\hat{P}\in \mathcal {P},\hat{Q}\in \mathcal {P} \), and \(r\in \{\mathcal {I},\mathcal {R}\}\). If one of the checks fails, then S returns \(\bot \). Else, S initializes the session variables according to the protocol specification, and stores an entry of the form \(\left( s,s_{ rand },\mathsf{sk}_{s_{ actor }},l_{s},\kappa \right) \in (\mathcal {P} \times \mathbb {N})\times \left\{ 0,1\right\} ^{k}\times (\mathbb {Z}_{p}\cup \left\{ *\right\} )\times \mathbb {N} \times \mathbb {Z}_{p}\) in table Q as follows:

    • S retrieves the counter value c for the user with identifier \(\hat{P}\) from table \( CV \), increments c by 1, and updates the counter value for \(\hat{P}\) stored in table \( CV \) with \(c+1\),

    • if there is an entry \((r_{i},h_{i},l_{i},\kappa _{i})\) in table J such that \(r_{i}=str\), \(h_{i}=\mathsf{sk}_{\hat{P}}\), and \(l_{i}=c+1\), then S sets \(\omega \leftarrow \kappa _{i}\), else S chooses \(\kappa \in _{R}\mathbb {Z}_{p}\), and sets \(\omega \leftarrow \kappa \).

    • if \(s_{ actor }\ne \hat{B}\), then S stores the entry \(\left( s,s_{ rand },\mathsf{sk}_{s_{ actor }},c+1,x_{5}\right) \) in Q, else S stores the entry \(\left( s,s_{ rand },*,c+1,x_{5}\right) \) in Q, where \(x_{5}\) denotes the value of variable \(\omega \),

    • if \(r=\mathcal {I}\), then S returns the Diffie–Hellman exponential \(g^{\kappa }\) to M, else S returns \(\mathsf {\star } \).

  4.

    S stores entries of the form \(\left( r,h,l,\kappa \right) \in \left\{ 0,1\right\} ^{k}\times \mathbb {Z}_{p}\times \mathbb {N}\times \mathbb {Z}_{p}\) in table J. When M makes a query of the form \(\left( r,h,l\right) \) to the random oracle for \(H_{1}\), answer it as follows:

    • If \(r=s^{*}_{ rand }\) and \(h=a\), then S aborts,

    • Else if \(\left( r,h,l,\kappa \right) \in J\) for some \(\kappa \in \mathbb {Z}_{p}\), then S returns \(\kappa \) to M.

    • Else if there exists an entry \(\left( s,s_{ rand },\mathsf{sk}_{s_{ actor }},l_{s},\kappa \right) \) in Q, for some \(s\in \mathcal {P} \times \mathbb {N},s_{ rand }\in \left\{ 0,1\right\} ^{k},\mathsf{sk}_{s_{ actor }}\in \mathbb {Z}_{p}\), \(l_{s}\in \mathbb {N}\) and \(\kappa \in \mathbb {Z}_{p}\), such that \(s_{ rand }=r\), \(\mathsf{sk}_{s_{ actor }}=h\) and \(l_{s}=l\), then S returns \(\kappa \) to M and stores the entry \(\left( r,h,l,\kappa \right) \) in table J.

    • Else, S chooses \(\kappa \in _{R} \mathbb {Z}_{p}\), returns it to M and stores the entry \(\left( r,h,l,\kappa \right) \) in table J.

  5.

    \(\mathsf {send} (\hat{P},i,V)\) to send message V to session \(s=(\hat{P},i)\): If \(s_{ status }\ne {\mathtt {active}}\), then S returns \(\bot \). Else if \(s_{ role }=\mathcal {I}\), then S does the following. If \(V\notin G\), then the status of session s is set to \({\mathtt {rejected}}\). Else, the status of session s is set to \({\mathtt {accepted}}\), the variable recv is updated to \(s_{ recv }\leftarrow (s_{ recv },V)\) and

    • If there exists an entry \(\left( s_{ peer },s_{ actor },\mathcal {R},s_{ recv },s_{ sent },\lambda \right) \) in table T, then S stores the entry \(\left( s_{ actor },s_{ peer },\mathcal {I},s_{ sent },s_{ recv },\lambda \right) \) in table T.

    • Else if there exists an entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},s_{ actor },s_{ peer },\lambda \right) \) in table L, for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), such that \(\text {DDH}(s_{ recv },s_{ sent },\sigma _{3})=1\), \(\text {DDH}(s_{ sent },\mathsf{pk}_{s_{ peer }},\sigma _{2})=1\) and \(\text {DDH}(s_{ recv },\mathsf{pk}_{s_{ actor }},\sigma _{1})=1\), then S stores \(\left( s_{ actor },s_{ peer },\mathcal {I},s_{ sent },s_{ recv },\lambda \right) \) in table T.

    • Else, S chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\) and stores the entry \((s_{ actor },s_{ peer },\mathcal {I},s_{ sent },s_{ recv },\mu )\) in T.

    Else if \(s_{ role }=\mathcal {R}\), then S does the following. If \(V\notin G\), then the status of session s is set to \({\mathtt {rejected}}\). Else, S sets the status of session s to \({\mathtt {accepted}}\), and the variable recv to \((s_{ recv },V)\). S returns \(g^{\kappa }\) to M, where \(\kappa \) denotes the last element of the entry \(\left( s,r,\mathsf{sk}_{s_{ actor }},l,\kappa \right) \) in table Q, and proceeds in a similar way as in the previous case.

  6.

    When M makes a query of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j}\right) \) to the random oracle for \(H_{2}\), answer it as follows:

    • If \(s'_{ status }\ne \bot \), \(\left\{ \hat{P}_{i},\hat{P}_{j}\right\} =\left\{ \hat{A},\hat{B}\right\} \), \(\sigma _{1}=A^{\kappa }\), \(\text {DDH}(X_{0},B,\sigma _{2})=1\), and \(\sigma _{3}=X_{0}^{\kappa }\), where \(\kappa \) denotes the last element of the entry \((s',s'_{ rand },\mathsf{sk}_{s'_{ actor }},l,\kappa )\) in table Q (Footnote 8), then S aborts M and is successful by outputting \(CDH (X_{0},B)=\sigma _{2}\).

    • Else if \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then S returns \(\lambda \) to M.

    • Else if there exist entries \(\left( \hat{P}_{i},\hat{P}_{j},\mathcal {I},U,V,\lambda \right) \) or \(\left( \hat{P}_{j},\hat{P}_{i},\mathcal {R},V,U,\lambda \right) \) in table T, for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(U,V\in G\), such that \(\text {DDH}(V,U,\sigma _{3})=1\), \(\text {DDH}(V,\mathsf{pk}_{\hat{P}_{i}},\sigma _{1})=1\) and \(\text {DDH}(U,\mathsf{pk}_{\hat{P}_{j}},\sigma _{2})=1\), then S returns \(\lambda \) to M and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\lambda \right) \) in table L.

    • Else, S chooses \(\mu \!\in _{R}\! \left\{ 0,1\right\} ^{k}\), returns it to M and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\mu \right) \) in L.

  7.

    \(\mathsf {randomness} (s)\): If \(s_{ status }=\bot \), then S returns \(\bot \). Else, S returns \(s_{ rand }\).

  8.

    \(\mathsf {session\text{- }key} (s)\): If \(s_{ status }\ne {\mathtt {accepted}}\), then S returns \(\bot \). Otherwise, S answers this query by lookup in table T.

  9.

    \(\mathsf {test\text{- }session} (s)\): If \(s\ne s^{*}\) or if \(s'\) is not the origin-session for session \(s^{*}\), then S aborts; otherwise S answers the query in the appropriate way.

  10.

    \(\mathsf {corrupt} (\hat{P})\): If \(\hat{P}\notin \mathcal {P} \), then S returns \(\bot \). Else if \(\hat{P}=\hat{B}\), then S aborts. Else, S returns \(\mathsf{sk}_{\hat{P}}\).

  11.

    M outputs a guess: S aborts.

Analysis of event \(B_{3}\)

Similar to the analysis of the related event \(B_{3}\) in the proof of [19, Proposition 7].

Event \((T_{O})^{c}\wedge DL^{c}\wedge K\)

The simulation and analysis are very similar to the simulation and analysis related to event \(B_{3}\). \(\square \)

Appendix 2: Proof of Proposition 7

Proof

It is straightforward to verify the first condition of Definition 5. We next verify that the second condition of Definition 5 holds. Let E denote a PPT adversary against protocol \(\pi :=\mathrm {NXPR} \). We show that the probability of event \(\text {Multiple-Match}_{\pi ,E}^{W(\varOmega _{\varLambda })}(k) \) is bounded above by a negligible function in the security parameter k, where \(\text {Multiple-Match}_{\pi ,E}^{W(\varOmega _{\varLambda })}(k) \) denotes the event that, in the security experiment, there exist a session s with \(s_{ status }={\mathtt {accepted}}\) and at least two distinct sessions \(s'\) and \(s''\) that are matching session s. Note that, if both sessions \(s'\) and \(s''\) are matching session s, then it must hold that \(s''_{ actor }=s'_{ actor }\) and \(s''_{ role }=s'_{ role }\). In addition, it is easy to see that the values of the variable data in two different sessions of the same user are distinct (since they are of different length). For some fixed session s that has accepted, let \( Ev \) denote the event that there exist two distinct sessions \(s'\) and \(s''\) such that s and \(s'\) are matching as well as s and \(s''\). We have:

$$\begin{aligned} P( Ev )\le & {} P\left( \bigcup _{\begin{array}{c} s',s'' \\ s'\ne s'' \end{array}}\{H_{1}(s''_{ rand },s''_{ data },\mathsf{sk}_{\hat{P}})=H_{1}(s'_{ rand },s'_{ data },\mathsf{sk}_{\hat{P}})\}\right) \\\le & {} \sum _{\begin{array}{c} s',s'' \\ s'\ne s'' \end{array}}P\big (\{H_{1}(s''_{ rand },s''_{ data },\mathsf{sk}_{\hat{P}})=H_{1}(s'_{ rand },s'_{ data },\mathsf{sk}_{\hat{P}})\}\big )\\\le & {} \frac{q_{s}^{2}}{p},\\ \end{aligned}$$

where \(\hat{P}=s''_{ actor }=s'_{ actor }\) and \(q_{s}\) denotes the number of created sessions (either via the \(\mathsf {create} \) or the \(\mathsf {cr\text{- }create} \) query) by the adversary.

In the above computation, we distinguished between the following two events:

  1.

    \(D_{1}:=\{s''_{ rand }\ne s'_{ rand }\wedge s''_{ data }\ne s'_{ data }\}\); the probability that the two hash values are identical given \(D_{1}\) is the probability of a collision in the hash function, and

  2.

    \(D_{2}:=\{s''_{ rand }=s'_{ rand }\wedge s''_{ data }\ne s'_{ data }\}\); the probability that the two hash values are identical given \(D_{2}\) is the probability of a collision in the hash function.

The events \(D_{3}:=\{s''_{ rand }=s'_{ rand }\wedge s''_{ data }=s'_{ data }\}\) and \(D_{4}:=\{s''_{ rand }\ne s'_{ rand }\wedge s''_{ data }= s'_{ data }\}\) both occur with probability zero.

Even though the value of the variable rand can be the same for two different sessions of the same user due to the queries \(\mathsf {cr\text{- }create} \) and \(\mathsf {randomness} \), the value of the variable data of two different sessions \(s'\) and \(s''\) of the same user is always different since the bit strings \(s'_{ data }\) and \(s''_{ data }\) differ in length. Given a created session s, the length of the bit string \(s_{ data }\) depends on the number of sessions of user \(s_{ actor }\) that have already been created either via \(\mathsf {create} \) or \(\mathsf {cr\text{- }create} \).

Finally, \(P(\text {Multiple-Match}_{\pi ,E}^{W(\varOmega _{\varLambda })}(k)) \le q^{3}_{s}\frac{1}{p}\).

The third condition of Definition 5 is implied by an adaptation of the security proof of protocol \(\mathrm {CNX}\) in the \(\varOmega ^{-}_{\mathsf {INDP\text {-}DH}}\) model (see Appendix 1). Let \(s^{*}\) denote the test session. Consider first the event \(K^{c}\) where the adversary M wins the security experiment against \(\pi \) with non-negligible advantage and does not query \(H_{2}\) with \((\sigma _{1},\sigma _{2},\sigma _{3},\hat{A},\hat{B})\), where \(\sigma _{1}=CDH (Y,A),\sigma _{2}=CDH (B,X)\) and \(\sigma _{3}=CDH (X,Y)\).

Event \(K^{c}\)

If event \(K^{c}\) occurs, then the adversary M must have issued a \(\mathsf {session\text{- }key}\) query to some session s such that \(K_{s}=K_{s^{*}}\) (where \(K_{s}\) and \(K_{s^{*}}\) denote the session keys computed in sessions s and \(s^{*}\), respectively) and s does not match \(s^{*}\). We consider the following four events:

  1.

    \(A_{1}:\) there exist two distinct sessions \(s',s''\) created via a \(\mathsf {create} \) query such that \(s'_{ rand }=s''_{ rand }\) (Footnote 9).

  2.

    \(A_{2}:\) there exists a session \(s\ne s^{*}\) such that \(H_{1}(s_{ rand },s_{ data })=H_{1}(s^{*}_{ rand },s^{*}_{ data })\).

  3.

    \(A_{3}:\) there exists a session \(s'\ne s^{*}\) such that \(H_{2}(\mathrm {input}_{s'})=H_{2}(\mathrm {input}_{s^{*}})\) with \(\mathrm {input}_{s'}\ne \mathrm {input}_{s^{*}}\).

  4.

    \(A_{4}:\) there exists an adversarial query \(\mathrm {input}_{M}\) to the oracle \(H_{2}\) such that \(H_{2}(\mathrm {input}_{M})=H_{2}(\mathrm {input}_{s^{*}})\) with \(\mathrm {input}_{M}\ne \mathrm {input}_{s^{*}}\).

Analysis of event \(K^{c}\)

We denote by \(q_{s}\) the number of created sessions (either via the query \(\mathsf {create} \) or the query \(\mathsf {cr\text{- }create} \)) by the adversary and by \(q_{\mathrm {ro}2}\) the number of queries to the random oracle \(H_{2}\). We have that

$$\begin{aligned} P(K^{c})&\le P(A_{1} \vee A_{2} \vee A_{3} \vee A_{4}) \le P(A_{1})+ P(A_{2}) + P(A_{3}) +P(A_{4})\\&\le \frac{q^{2}_{s}}{2}\frac{1}{2^{k}} + \frac{q_{s}}{p} + \frac{q_{s}+q_{\mathrm {ro}2}}{2^{k}}, \end{aligned}$$

which is a negligible function of the security parameter k.

In contrast to the NAXOS protocol analyzed with respect to model \(\varOmega _{\mathsf {INDP\text {-}DH}}\), the adversary cannot force two sessions of protocol \(\pi \) of the same user with the same role to compute the same session key via a chosen-randomness replay attack since the \(H_{1}\) values in both sessions will be different with overwhelming probability. The latter event is included in event \(A_{2}\).
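The replay resistance just described, and the length growth of the variable data used in the Multiple-Match argument above, can be seen in a small simulation. The following Python is an added example, not code from the paper or its authors: it models a NAXOS-style protocol in which the ephemeral exponent is derived as \(H_{1}(\mathrm{rand},\mathrm{data},\mathsf{sk})\) with data chaining all earlier rand values of the same user (mirroring \(l_{s}=(s_{ rand },l_{s'})\)), beside a stateless variant with \(H_{1}(\mathrm{rand},\mathsf{sk})\). The toy 40-bit safe-prime group found at import time, the SHA-256 instantiations of \(H_{1}\) and \(H_{2}\), the user names and the fixed randomness are all constructed for the demonstration and provide no real security.

```python
"""Toy model of a NAXOS-style AKE with and without per-user session state.

Added example (not the paper's code). Stateful users chain earlier rand values
into `data`, so two sessions never present the same H1 input even when the
adversary chooses (or reveals and replays) the session randomness.
"""
import hashlib
import random

# Deterministic Miller-Rabin bases: exact for n < 3.3e24, far above our toy sizes.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start: int) -> tuple[int, int]:
    """Smallest safe prime p = 2q+1 with p >= start (deterministic search)."""
    q = (start // 2) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = safe_prime_from(1 << 40)   # toy group: ~40 bits, illustration only
G = 4                             # 4 = 2^2 generates the order-q subgroup of Z_p^*


def H1(rand: bytes, data: bytes, sk: int) -> int:
    """Ephemeral exponent derivation; length-prefixed so inputs cannot collide."""
    msg = (b"H1" + len(rand).to_bytes(2, "big") + rand
           + len(data).to_bytes(4, "big") + data + sk.to_bytes(8, "big"))
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (Q - 1) + 1


def H2(s1: int, s2: int, s3: int, a: str, b: str) -> bytes:
    """Session-key derivation from (sigma_1, sigma_2, sigma_3, A, B)."""
    return hashlib.sha256(b"H2" + b"|".join(str(v).encode() for v in (s1, s2, s3, a, b))).digest()


class User:
    def __init__(self, name: str, sk: int, stateful: bool = True):
        self.name, self.sk, self.pk = name, sk, pow(G, sk, P)
        self.stateful = stateful
        self.data = b""            # shared per-user state; grows with every session

    def create(self, rand: bytes) -> tuple[int, int]:
        """Start a session with `rand` (adversary-chosen under cr-create)."""
        if self.stateful:
            self.data = rand + self.data   # l_s = (s_rand, l_{s'}): strictly longer each time
        x = H1(rand, self.data if self.stateful else b"", self.sk)
        return x, pow(G, x, P)


def initiator_key(A: User, x: int, Y: int, B_pk: int, peer: str) -> bytes:
    s1, s2, s3 = pow(Y, A.sk, P), pow(B_pk, x, P), pow(Y, x, P)   # CDH(Y,A), CDH(B,X), CDH(X,Y)
    return H2(s1, s2, s3, A.name, peer)


def responder_key(B: User, y: int, X: int, A_pk: int, peer: str) -> bytes:
    s1, s2, s3 = pow(A_pk, y, P), pow(X, B.sk, P), pow(X, y, P)
    return H2(s1, s2, s3, peer, B.name)


def honest_run(stateful: bool = True) -> bool:
    """Both parties derive the same key in an unattacked run (constructed sample keys)."""
    rng = random.Random(1)
    alice, bob = User("Alice", rng.randrange(1, Q), stateful), User("Bob", rng.randrange(1, Q), stateful)
    x, X = alice.create(rng.randbytes(16))
    y, Y = bob.create(rng.randbytes(16))
    return initiator_key(alice, x, Y, bob.pk, "Bob") == responder_key(bob, y, X, alice.pk, "Alice")


def replay_keys(stateful: bool) -> tuple[bytes, bytes]:
    """Two initiator sessions of Alice with the same chosen rand and the same peer message Y."""
    rng = random.Random(2)
    alice, bob = User("Alice", rng.randrange(1, Q), stateful), User("Bob", rng.randrange(1, Q), stateful)
    chosen = b"\x00" * 16           # constructed adversary-chosen randomness
    _, Y = bob.create(rng.randbytes(16))
    x1, _ = alice.create(chosen)
    x2, _ = alice.create(chosen)
    return initiator_key(alice, x1, Y, bob.pk, "Bob"), initiator_key(alice, x2, Y, bob.pk, "Bob")
```

In the stateless variant the two sessions of Alice compute identical keys, which is the chosen-randomness replay the text refers to; in the stateful variant the second session's data is longer, so its \(H_{1}\) input, its ephemeral exponent and hence its session key differ.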

In the subsequent events (and their analyses) we assume that no collisions in the queries to the oracle \(H_{1}\) occur and that none of the events \(A_{1},\ldots ,A_{4}\) occurs. As in the proof of [19, Proposition 7], we next consider the following three events:

  1.

    \(DL \wedge K\),

  2.

    \(T_{O}\wedge DL^{c} \wedge K\), and

  3.

    \((T_{O})^{c} \wedge DL^{c} \wedge K\), where

\(T_{O}\) denotes the event that there exists an origin-session for the test session, DL denotes the event where there exists a user \(\hat{C}\in \mathcal {P} \) such that the adversary M, during its execution, queries \(H_{1}\) with \((*,c)\) before issuing a \(\mathsf {corrupt} (\hat{C})\) query and K denotes the event that M wins the security experiment against \(\mathrm {NXPR}\) by querying \(H_{2}\) with \((\sigma _{1},\sigma _{2},\sigma _{3},\hat{A},\hat{B})\), where \(\sigma _{1}=CDH (Y,A),\sigma _{2}=CDH (B,X)\) and \(\sigma _{3}=CDH (X,Y)\).

Event \(DL\wedge K\)

Let the input to the \(\mathrm {GAP\text {-}DLog} \) challenge be C. Suppose that event \(DL\wedge K\) occurs with non-negligible probability. In this case, the simulator S chooses one user \(\hat{C}\in \mathcal {P} \) at random and sets its long-term public key to C. S chooses long-term secret/public key pairs for the remaining honest parties and stores the associated long-term secret keys. Additionally S chooses a random value \(m\in _{R} \left\{ 1,2,\ldots ,q_{s}\right\} \). We denote the m’th activated session by adversary M by \(s^{*}\). Suppose further that \(s^{*}_{ actor }=\hat{A}, s^{*}_{ peer }=\hat{B}\) and \(s^{*}_{ role }=\mathcal {I}\), w.l.o.g. We now define S’s responses to M’s queries for the pre-specified peer setting; the post-specified peer case proceeds similarly. Algorithm S maintains tables Q, J, T and L, all of which are initially empty. S also maintains a variable \(\omega \) initialized with 1.

  1.

    \(\mathsf {create} \left( \hat{P},r,\hat{Q}\right) \) to create session s: S checks whether \(\hat{P}\in \mathcal {P} \), \(\hat{Q}\in \mathcal {P} \), and \(r\in \{\mathcal {I},\mathcal {R}\}\). If one of the checks fails, then S returns \(\bot \). Else, S initializes the session variables according to the protocol specification, and stores an entry of the form \(\left( s,s_{ rand },l_{s},\mathsf{sk}_{s_{ actor }},\kappa \right) \in (\mathcal {P} \times \mathbb {N})\times \left\{ 0,1\right\} ^{k}\times \left\{ 0,1\right\} ^{*} \times (\mathbb {Z}_{p}\cup \left\{ *\right\} ) \times \mathbb {Z}_{p}\) in table Q as follows:

    • S chooses \(s_{ rand }\in _{R} \left\{ 0,1\right\} ^{k}\) (i.e. the randomness of session s),

    • S chooses \(\kappa \in _{R}\mathbb {Z}_{p}\),

    • if there is no entry \(\left( s,s_{ rand },l_{s},\mathsf{sk}_{s_{ actor }},\kappa \right) \) in table Q such that \(s_{ actor }=\hat{P}\), then S sets the value of \(l_{s}\) to \(s_{ rand }\), else S sets the value of \(l_{s}\) to \((s_{ rand },l_{s'})\), where \(s'\) is the previous session with \(s'_{ actor }=s_{ actor }\) for which an entry in table Q has been made (Footnote 10).

    • if \(s_{ actor }\ne \hat{C}\), then S stores the entry \(\left( s,s_{ rand },s_{ data },\mathsf{sk}_{s_{ actor }},\kappa \right) \) in Q, else S stores the entry \(\left( s,s_{ rand },s_{ data },*,\kappa \right) \) in Q, and

    • if \(r=\mathcal {I}\), then S returns the Diffie–Hellman exponential \(g^{\kappa }\) to M, else S returns \(\mathsf {\star } \).

  2.

    \(\mathsf {cr\text{- }create} \left( \hat{P},r,str,\hat{Q}\right) \) to create session s: S checks whether \(\hat{P}\in \mathcal {P} \), \(\hat{Q}\in \mathcal {P} \), and \(r\in \{\mathcal {I},\mathcal {R}\}\). If one of the checks fails, then S returns \(\bot \). Else, S initializes the session variables according to the protocol specification, and stores an entry of the form \(\left( s,s_{ rand },l_{s},\mathsf{sk}_{s_{ actor }},\kappa \right) \in (\mathcal {P} \times \mathbb {N})\times \left\{ 0,1\right\} ^{k}\times \left\{ 0,1\right\} ^{*} \times (\mathbb {Z}_{p}\cup \left\{ *\right\} ) \times \mathbb {Z}_{p}\) in table Q as follows:

    • if there is an entry \((r_{i},h_{i},\kappa _{i})\) in table J such that \(r_{i}=(str,l_{s'})\), and \(h_{i}=\mathsf{sk}_{\hat{P}}\), where \(s'\) is the previous session with \(s'_{ actor }=s_{ actor }\) for which an entry in table Q has been made, then S sets \(\omega \leftarrow \kappa _{i}\), else S chooses \(\kappa \in _{R}\mathbb {Z}_{p}\) and sets \(\omega \leftarrow \kappa \).

    • if \(s_{ actor }\ne \hat{C}\), then S stores the entry \(\left( s,s_{ rand },r_{i},\mathsf{sk}_{s_{ actor }},\omega \right) \) in Q, else S stores the entry \(\left( s,s_{ rand },l_{s},*,\omega \right) \) in Q with \(l_{s}=(str,l_{s'})\),

    • if \(r=\mathcal {I}\), then S returns the Diffie–Hellman exponential \(g^{\kappa }\) to M, else S returns \(\mathsf {\star } \).

  3.

    S stores entries of the form \(\left( r,h,\kappa \right) \in \left\{ 0,1\right\} ^{*}\times \mathbb {Z}_{p}\times \mathbb {Z}_{p}\) in table J. When M makes a query of the form \(\left( r,h\right) \) to the random oracle for \(H_{1}\), answer it as follows:

    • If \(C=g^{h}\), then S aborts M and is successful by outputting \(\mathrm {DLog} _{g}(C)=h\).

    • Else if \(\left( r,h,\kappa \right) \in J\) for some \(\kappa \in \mathbb {Z}_{p}\), then S returns \(\kappa \) to M.

    • Else if there exists an entry \(\left( s,s_{ rand },l_{s},\mathsf{sk}_{s_{ actor }},\kappa \right) \) in table Q with \(l_{s}=r\) and \(\mathsf{sk}_{s_{ actor }}=h\), then S returns \(\kappa \) to M and stores the entry \(\left( r,h,\kappa \right) \) in table J.

    • Else, S chooses \(\kappa \in _{R} \mathbb {Z}_{p}\), returns it to M and stores the entry \(\left( r,h,\kappa \right) \) in table J.

  4.

    \(\mathsf {send} (\hat{P},i,V)\) to send message V to session \(s=(\hat{P},i)\): If \(s_{ status }\ne {\mathtt {active}}\), then S returns \(\bot \). Else if \(s_{ role }=\mathcal {I}\), then S does the following. If \(V\notin G\), then the status of session s is set to \({\mathtt {rejected}}\). Else, the status of session s is set to \({\mathtt {accepted}}\), and

    • If there exists an entry \(\left( s_{ peer },s_{ actor },\mathcal {R},s_{ recv },s_{ sent },\lambda \right) \) in table T, then S stores the entry \(\left( s_{ actor },s_{ peer },\mathcal {I},s_{ sent },s_{ recv },\lambda \right) \) in table T.

    • Else if there exists an entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},s_{ actor },s_{ peer },\lambda \right) \) in table L, for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), such that \(\text {DDH}(s_{ recv },s_{ sent },\sigma _{3})=1\), \(\text {DDH}(s_{ sent },\mathsf{pk}_{s_{ peer }},\sigma _{2})=1\) and \(\text {DDH}(s_{ recv },\mathsf{pk}_{s_{ actor }},\sigma _{1})=1\), then S stores \(\left( s_{ actor },s_{ peer },\mathcal {I},s_{ sent },s_{ recv },\lambda \right) \) in table T.

    • Else, S chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\) and stores the entry \((s_{ actor },s_{ peer },\mathcal {I},s_{ sent },s_{ recv },\mu )\) in T.

    Else if \(s_{ role }=\mathcal {R}\), then S does the following. If \(V\notin G\), then the status of session s is set to \({\mathtt {rejected}}\). Else, S sets the status of session s to \({\mathtt {accepted}}\), returns \(g^{\kappa }\) to M, where \(\kappa \) denotes the last element of the entry \(\left( s,s_{ rand },l_{s},\mathsf{sk}_{s_{ actor }},\kappa \right) \) in table Q, and proceeds in a similar way as in the previous case.

  5.

    When M makes a query of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j}\right) \) to the random oracle for \(H_{2}\), answer it as follows:

    • If \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then S returns \(\lambda \) to M.

    • Else if there exist entries \(\left( \hat{P}_{i},\hat{P}_{j},\mathcal {I},U,V,\lambda \right) \) or \(\left( \hat{P}_{j},\hat{P}_{i},\mathcal {R},V,U,\lambda \right) \) in table T, for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(U,V\in G\), such that \(\text {DDH}(V,U,\sigma _{3})=1\), \(\text {DDH}(V,\mathsf{pk}_{\hat{P}_{i}},\sigma _{1})=1\) and \(\text {DDH}(U,\mathsf{pk}_{\hat{P}_{j}},\sigma _{2})=1\), then S returns \(\lambda \) to M and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\lambda \right) \) in table L.

    • Else, S chooses \(\mu \!\in _{R}\! \left\{ 0,1\right\} ^{k}\), returns it to M and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\mu \right) \) in L.

  6.

    \(\mathsf {randomness} (s)\): If \(s_{ status }=\bot \), then S returns \(\bot \). Otherwise, S returns \(s_{ rand }\).

  7.

    \(\mathsf {session\text{- }key} (s)\): If \(s_{ status }\ne {\mathtt {accepted}}\), then S returns \(\bot \). Otherwise, S answers this query by lookup in table T.

  8.

    \(\mathsf {test\text{- }session} (s)\): If \(s\ne s^{*}\), then S aborts; otherwise S answers the query in the appropriate way.

  9.

    \(\mathsf {corrupt} (\hat{P})\): If \(\hat{P}\notin \mathcal {P} \), then S returns \(\bot \). Else if \(\hat{P}=\hat{C}\), then S aborts. Else, S returns \(\mathsf{sk}_{\hat{P}}\).

  10.

    M outputs a guess: S aborts.

Analysis of event \(DL\wedge K\)

Similar to the analysis of the related event \(DL\wedge K\) in the proof of [19, Proposition 7].

Event \(T_{O}\wedge DL^{c}\wedge K\)

Let \(s^{*}\) and \(s'\) denote the test session and the origin-session for the test session, respectively. We split event \( Evt :=T_{O}\wedge DL^{c}\wedge K\) into the following events \(B_{1},\ldots ,B_{3}\) so that \( Evt =B_{1}\vee B_{2}\vee B_{3}\):

  1.

    \(B_{1}:\) \( Evt \) occurs and \(s^{*}_{ peer }=s'_{ actor }\).

  2.

    \(B_{2}:\) \( Evt \) occurs and \(s^{*}_{ peer }\ne s'_{ actor }\) and M does not issue the queries \(\mathsf {randomness} \) or \(\mathsf {cr\text{- }create} \) to all sessions of \(s'_{ actor }\) that were created prior to creation of the origin-session \(s'\) of \(s^{*}\), including the origin-session itself, but may issue a \(\mathsf {corrupt} (s^{*}_{ peer })\) query.

  3.

    \(B_{3}:\) \( Evt \) occurs and \(s^{*}_{ peer }\ne s'_{ actor }\) and M does not issue a \(\mathsf {corrupt} (s^{*}_{ peer })\) query, but may issue the queries \(\mathsf {randomness} \) or \(\mathsf {cr\text{- }create} \) to all sessions created prior to creation of the origin-session, including the origin-session \(s'\) itself.

Event \(B_{1}\)

Let the input to the \(\mathrm {GDH} \) challenge be \((X_{0},Y_{0})\). Suppose that event \(B_{1}\) occurs with non-negligible probability. In this case S chooses long-term secret/public key pairs for all the honest parties and stores the associated long-term secret keys. Additionally S chooses two random values \(m,n\in _{R} \left\{ 1,2,\ldots ,q_{s}\right\} \). The m’th activated session by adversary M will be called \(s^{*}\) and the n’th activated session will be called \(s'\). Suppose further that \(s^{*}_{ actor }=\hat{A}, s^{*}_{ peer }=\hat{B}\) and \(s^{*}_{ role }=\mathcal {I}\), w.l.o.g. We now define S’s responses to M’s queries. S maintains tables Q, J, T and L, all of which are initially empty, as well as a variable \(\omega \) initialized with 1.

  1.

    \(\mathsf {create} (\hat{A}, \mathcal {I},\hat{B})\) or \(\mathsf {cr\text{- }create} (\hat{A}, \mathcal {I},str,\hat{B})\) to create session \(s^{*}\): If \(\mathsf {create} \) is issued, S chooses \(s^{*}_{ rand }\in _{R} \{0,1\}^{k}\). Else, S sets \(s^{*}_{ rand }\leftarrow str\). S (a) returns the message \(X_{0}\), where \((X_{0},Y_{0})\) is the \(\mathrm {GDH} \) challenge, and (b) stores the entry \((s^{*},s^{*}_{ rand },l_{s^{*}},\mathsf{sk}_{\hat{A}},*)\) in table Q, where \(l_{s^{*}}=(s^{*}_{ rand },l_{s})\) if there exists a previously created session s of user \(s_{ actor }=\hat{A}\) with an entry in table Q, and \(l_{s^{*}}=s^{*}_{ rand }\) if no such session exists.

  2.

    \(\mathsf {create} (\hat{B},r,\hat{Q})\) or \(\mathsf {cr\text{- }create} (\hat{B},r,str,\hat{Q})\) with \(r\in \{\mathcal {I},\mathcal {R}\}\) to create session \(s'\): If \(\mathsf {create} \) is issued, S chooses \(s'_{ rand }\in _{R} \{0,1\}^{k}\). Else, S sets \(s'_{ rand } \leftarrow str\). S stores the entry \((s',s'_{ rand },l_{s'},\mathsf{sk}_{\hat{B}},*)\) in table Q, where \(l_{s'}=(s'_{ rand },l_{s})\) if there exists a previously created session s of user \(s_{ actor }=\hat{A}\) with an entry in table Q, and \(l_{s'}=s'_{ rand }\) if no such session exists. If \(r=\mathcal {I}\), then S returns message \(Y_{0}\) to M, where \((X_{0},Y_{0})\) is the \(\mathrm {GDH} \) challenge. Else, \(\mathsf {\star } \) is returned.

  3.

    \(\mathsf {send} (\hat{B},i,Z)\) with \((\hat{B},i)=s'\): If \(s'_{ status }\ne {\mathtt {active}}\), then S returns \(\bot \). Else if \(s'_{ role }=\mathcal {R}\) and \(Z\in G\), then S returns message \(Y_{0}\) to M, where \((X_{0},Y_{0})\) is the \(\mathrm {GDH} \) challenge, sets the status of session \(s'\) to \({\mathtt {accepted}}\), and proceeds as in the previous simulation for completing the session. Else, S proceeds as in the previous simulation.

  4.

    \(\mathsf {send} (\hat{A},i,Y_{0})\) with \((\hat{A},i)=s^{*}\): S proceeds as in the previous simulation for completing the session.

  5.

    Other \(\mathsf {create},\mathsf {cr\text{- }create} \) and \(\mathsf {send} \) queries are answered as in the simulation relative to event \(DL\wedge K\).

  6.

    When M makes a query of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j}\right) \) to the random oracle for \(H_{2}\), answer it as follows:

    • If \(\left\{ \hat{P}_{i},\hat{P}_{j}\right\} =\left\{ \hat{A},\hat{B}\right\} \), \(\sigma _{1}=Y_{0}^{a}\), \(\sigma _{2}=X_{0}^{b}\) and \(\text {DDH}(X_{0},Y_{0},\sigma _{3})=1\), then S aborts M and is successful by outputting \(CDH (X_{0},Y_{0})=\sigma _{3}\).

    • Else if \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then S returns \(\lambda \) to M.

    • Else if there exist entries \(\left( \hat{P}_{i},\hat{P}_{j},\mathcal {I},U,V,\lambda \right) \) or \(\left( \hat{P}_{j},\hat{P}_{i},\mathcal {R},V,U,\lambda \right) \) in table T, for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(U,V\in G\), such that \(\text {DDH}(V,U,\sigma _{3})=1\), \(\text {DDH}(V,\mathsf{pk}_{\hat{P}_{i}},\sigma _{1})=1\) and \(\text {DDH}(U,\mathsf{pk}_{\hat{P}_{j}},\sigma _{2})=1\), then S returns \(\lambda \) to M and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\lambda \right) \) in table L.

    • Else, S chooses \(\mu \!\in _{R}\! \left\{ 0,1\right\} ^{k}\), returns it to M and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\mu \right) \) in L.

  7.

    \(\mathsf {randomness} (s)\): If \(s_{ status }=\bot \), then S returns \(\bot \). Otherwise, S returns \(s_{ rand }\).

  8.

    \(\mathsf {session\text{- }key} (s)\): If \(s_{ status }\ne {\mathtt {accepted}}\), then S returns \(\bot \). Otherwise, S answers this query by lookup in table T.

  9.

    \(\mathsf {test\text{- }session} (s)\): If \(s\ne s^{*}\) or if \(s'\) is not the origin-session for session \(s^{*}\), then S aborts; otherwise S answers the query in the appropriate way.

  10.

    \(H_{1}(r,h)\): If \(r=l_{s^{*}}\) and \(h=\mathsf{sk}_{\hat{A}}\) or if \(r=l_{s'}\) and \(h=\mathsf{sk}_{\hat{B}}\), then S aborts. Otherwise S simulates a random oracle as in the simulation relative to event \(DL\wedge K\).

  11.

    \(\mathsf {corrupt} (\hat{P})\): If \(\hat{P}\notin \mathcal {P} \), then S returns \(\bot \). Else, S returns \(\mathsf{sk}_{\hat{P}}\).

  12.

    M outputs a guess: S aborts.

Analysis of event \(B_{1}\)

S’s simulation of M’s environment is perfect except with negligible probability. The probability that M selects \(s^{*}\) as the test-session and \(s'\) as the origin-session for the test-session is \(\frac{1}{(q_{s})^{2}}\). Assuming that this is indeed the case, S does not abort in Step 9. Under event \(DL^{c}\), the adversary first issues a \(\mathsf {corrupt} (\hat{P})\) query to party \(\hat{P}\) before making an \(H_{1}\) query that involves the long-term secret key of party \(\hat{P}\). Freshness of the test session guarantees that the adversary can reveal/determine either \(l_{s^{*}}\) or \(\mathsf{sk}_{\hat{A}}\), but not both. The same holds for \(l_{s'}\) and \(\mathsf{sk}_{\hat{B}}\). Hence S does not abort in Step 10. Under event K, except with negligible probability of guessing \(CDH(X_{0},Y_{0})\), S is successful as described in the first case of Step 6 and does not abort in Step 12. Hence, if event \(B_{1}\) occurs, then the success probability of S is given by \(P(S)\ge \frac{1}{(q_{s})^{2}} P(B_{1})\).

Event \(B_{2}\)

Let the input to the \(\mathrm {GDH} \) challenge be \((X_{0},Y_{0})\). Suppose that event \(B_{2}\) occurs with non-negligible probability. The simulation of S proceeds in the same way as for event \(B_{1}\) with the following changes. S additionally keeps a history H of M’s queries.

  • \(\mathsf {randomness} (s)\): If \(s_{ status }=\bot \), then S returns \(\bot \). Else if \(s=s'\) and there were queries (\(\mathsf {randomness} \) or \(\mathsf {cr\text{- }create} \)) to all previous sessions of the same user \(s'_{ actor }\), then S aborts. Else, S returns \(s_{ rand }\).

  • \(H_{1}(r,h)\): If \(r=l_{s^{*}}\) and \(h=\mathsf{sk}_{\hat{A}}\), then S aborts. Otherwise S simulates a random oracle as in the previous simulation.

Analysis of event \(B_{2}\)

Similar to the analyses of the related event \(B_{2}\) in the proof of [19, Proposition 7] and event \(B_{1}\).

Event \(B_{3}\)

Let the input to the \(\mathrm {GDH} \) challenge be \((X_{0},B)\). Suppose that event \(B_{3}\) occurs with non-negligible probability. In this case, S chooses one user \(\hat{B}\in \mathcal {P} \) at random from the set \(\mathcal {P} \) and sets its long-term public key to B. S chooses long-term secret/public key pairs for the remaining parties in \(\mathcal {P} \) and stores the associated long-term secret keys. Additionally S chooses two random values \(m,n\in _{R} \left\{ 1,2,\ldots ,q_{s}\right\} \). We denote the m’th activated session by adversary M by \(s^{*}\) and the n’th activated session by \(s'\). Suppose further that \(s^{*}_{ actor }=\hat{A}, s^{*}_{ peer }=\hat{B}\) and \(s^{*}_{ role }=\mathcal {I}\), w.l.o.g. Algorithm S maintains tables Q, J, T and L, all of which are initially empty. S also maintains a variable \(\omega \) initialized with 1.

  1.

    \(\mathsf {create} (\hat{A}, \mathcal {I},\hat{B})\) or \(\mathsf {cr\text{- }create} (\hat{A}, \mathcal {I},str,\hat{B})\) to create session \(s^{*}\): If \(\mathsf {create} \) is issued, S chooses \(s^{*}_{ rand }\in _{R} \{0,1\}^{k}\). Else, S sets \(s^{*}_{ rand }\leftarrow str\). S (a) returns the message \(X_{0}\), where \((X_{0},B)\) is the \(\mathrm {GDH} \) challenge, and (b) stores the entry \((s^{*},s^{*}_{ rand },l_{s^{*}},\mathsf{sk}_{\hat{A}},*)\) in table Q, where \(l_{s^{*}}=(s^{*}_{ rand },l_{s})\) if there exists a previously created session s of user \(s_{ actor }=\hat{A}\) with an entry in table Q, and \(l_{s^{*}}=s^{*}_{ rand }\) if no such session exists.

  2.

    \(\mathsf {create} \left( \hat{P},r,\hat{Q}\right) \) to create session s: S checks whether \(\hat{P}\in \mathcal {P} \), \(\hat{Q}\in \mathcal {P} \), and \(r\in \{\mathcal {I},\mathcal {R}\}\). If one of the checks fails, then S returns \(\bot \). Else, S initializes the session variables according to the protocol specification, and stores an entry of the form \(\left( s,s_{ rand },l_{s},\mathsf{sk}_{s_{ actor }},\kappa \right) \in (\mathcal {P} \times \mathbb {N})\times \left\{ 0,1\right\} ^{k}\times \left\{ 0,1\right\} ^{*} \times (\mathbb {Z}_{p}\cup \left\{ *\right\} ) \times \mathbb {Z}_{p}\) in table Q as follows:

    • S chooses \(s_{ rand }\in _{R} \left\{ 0,1\right\} ^{k}\) (i.e. the randomness of session s),

    • S chooses \(\kappa \in _{R}\mathbb {Z}_{p}\),

    • if there is no entry \(\left( s,s_{ rand },l_{s},\mathsf{sk}_{s_{ actor }},\kappa \right) \) in table Q such that \(s_{ actor }=\hat{P}\), then S sets the value of \(l_{s}\) to \(s_{ rand }\), else S sets the value of \(l_{s}\) to \((s_{ rand },l_{s'})\), where \(s'\) is the previous session with \(s'_{ actor }=s_{ actor }\) for which an entry in table Q has been made.

    • if \(s_{ actor }\ne \hat{B}\), then S stores the entry \(\left( s,s_{ rand },s_{ data },\mathsf{sk}_{s_{ actor }},\kappa \right) \) in Q, else S stores the entry \(\left( s,s_{ rand },s_{ data },*,\kappa \right) \) in Q, and

    • if \(r=\mathcal {I}\), then S returns the Diffie–Hellman exponential \(g^{\kappa }\) to M, else S returns \(\mathsf {\star } \).

  3.

    \(\mathsf {cr\text{- }create} \left( \hat{P},r,str,\hat{Q}\right) \) to create session s: S checks whether \(\hat{P}\in \mathcal {P} \), \(\hat{Q}\in \mathcal {P} \), and \(r\in \{\mathcal {I},\mathcal {R}\}\). If one of the checks fails, then S returns \(\bot \). Else, S initializes the session variables according to the protocol specification, and stores an entry of the form \(\left( s,s_{ rand },l_{s},\mathsf{sk}_{s_{ actor }},\kappa \right) \in (\mathcal {P} \times \mathbb {N})\times \left\{ 0,1\right\} ^{k}\times \left\{ 0,1\right\} ^{*} \times (\mathbb {Z}_{p}\cup \left\{ *\right\} ) \times \mathbb {Z}_{p}\) in table Q as follows:

    • if there is an entry \((r_{i},h_{i},\kappa _{i})\) in table J such that \(r_{i}=(str,l_{s'})\), and \(h_{i}=\mathsf{sk}_{\hat{P}}\), where \(s'\) is the previous session with \(s'_{ actor }=s_{ actor }\) for which an entry in table Q has been made, then S sets \(\omega \leftarrow \kappa _{i}\), else S chooses \(\kappa \in _{R}\mathbb {Z}_{p}\) and sets \(\omega \leftarrow \kappa \).

    • if \(s_{ actor }\ne \hat{B}\), then S stores the entry \(\left( s,s_{ rand },r_{i},\mathsf{sk}_{s_{ actor }},\omega \right) \) in Q, else S stores the entry \(\left( s,s_{ rand },l_{s},*,\omega \right) \) in Q with \(l_{s}=(str,l_{s'})\),

    • if \(r=\mathcal {I}\), then S returns the Diffie–Hellman exponential \(g^{\kappa }\) to M, else S returns \(\mathsf {\star } \).

  4.

    S stores entries of the form \(\left( r,h,\kappa \right) \in \left\{ 0,1\right\} ^{*}\times \mathbb {Z}_{p}\times \mathbb {Z}_{p}\) in table J. When M makes a query of the form \(\left( r,h\right) \) to the random oracle for \(H_{1}\), answer it as follows:

    • If \(r=l_{s^{*}}\) and \(h=\mathsf{sk}_{\hat{A}}\), then S aborts.

    • Else if \(\left( r,h,\kappa \right) \in J\) for some \(\kappa \in \mathbb {Z}_{p}\), then S returns \(\kappa \) to M.

    • Else if there exists an entry \(\left( s,s_{ rand },l_{s},\mathsf{sk}_{s_{ actor }},\kappa \right) \) in table Q with \(l_{s}=r\) and \(\mathsf{sk}_{s_{ actor }}=h\), then S returns \(\kappa \) to M and stores the entry \(\left( r,h,\kappa \right) \) in table J.

    • Else, S chooses \(\kappa \in _{R} \mathbb {Z}_{p}\), returns it to M and stores the entry \(\left( r,h,\kappa \right) \) in table J.

  5.

    \(\mathsf {send} (\hat{P},i,V)\) to send message V to session \(s=(\hat{P},i)\): If \(s_{ status }\ne {\mathtt {active}}\), then S returns \(\bot \). Else if \(s_{ role }=\mathcal {I}\), then S does the following. If \(V\notin G\), then the status of session s is set to \({\mathtt {rejected}}\). Else, the status of session s is set to \({\mathtt {accepted}}\), and

    • If there exists an entry \(\left( s_{ peer },s_{ actor },\mathcal {R},s_{ recv },s_{ sent },\lambda \right) \) in table T, then S stores the entry \(\left( s_{ actor },s_{ peer },\mathcal {I},s_{ sent },s_{ recv },\lambda \right) \) in table T.

    • Else if there exists an entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},s_{ actor },s_{ peer },\lambda \right) \) in table L, for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), such that \(\text {DDH}(s_{ recv },s_{ sent },\sigma _{3})=1\), \(\text {DDH}(s_{ sent },\mathsf{pk}_{s_{ peer }},\sigma _{2})=1\) and \(\text {DDH}(s_{ recv },\mathsf{pk}_{s_{ actor }},\sigma _{1})=1\), then S stores \(\left( s_{ actor },s_{ peer },\mathcal {I},s_{ sent },s_{ recv },\lambda \right) \) in table T.

    • Else, S chooses \(\mu \in _{R} \left\{ 0,1\right\} ^{k}\) and stores the entry \((s_{ actor },s_{ peer },\mathcal {I},s_{ sent },s_{ recv },\mu )\) in T.

    Else if \(s_{ role }=\mathcal {R}\), then S does the following. If \(V\notin G\), then the status of session s is set to \({\mathtt {rejected}}\). Else, S sets the status of session s to \({\mathtt {accepted}}\), returns \(g^{\kappa }\) to M, where \(\kappa \) denotes the last element of the entry \(\left( s,s_{ rand },l_{s},\mathsf{sk}_{s_{ actor }},\kappa \right) \) in table Q, and proceeds in a similar way as in the previous case.

  6.

    When M makes a query of the form \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j}\right) \) to the random oracle for \(H_{2}\), answer it as follows:

    • If \(\left\{ \hat{P}_{i},\hat{P}_{j}\right\} =\left\{ \hat{A},\hat{B}\right\} \), \(\sigma _{1}=A^{\kappa }\), \(\text {DDH}(X_{0},B,\sigma _{2})=1\), and \(\sigma _{3}=X_{0}^{\kappa }\), where \(\kappa \) denotes the last element of the entry \((s',s'_{ rand },l_{s'},\mathsf{sk}_{s'_{ actor }},\kappa )\) in table Q, then S aborts M and is successful by outputting \(CDH (X_{0},B)=\sigma _{2}\).

    • Else if \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\lambda \right) \in L\) for some \(\lambda \in \left\{ 0,1\right\} ^{k}\), then S returns \(\lambda \) to M.

    • Else if there exist entries \(\left( \hat{P}_{i},\hat{P}_{j},\mathcal {I},U,V,\lambda \right) \) or \(\left( \hat{P}_{j},\hat{P}_{i},\mathcal {R},V,U,\lambda \right) \) in table T, for some \(\lambda \in \left\{ 0,1\right\} ^{k}\) and \(U,V\in G\), such that \(\text {DDH}(V,U,\sigma _{3})=1\), \(\text {DDH}(V,\mathsf{pk}_{\hat{P}_{i}},\sigma _{1})=1\) and \(\text {DDH}(U,\mathsf{pk}_{\hat{P}_{j}},\sigma _{2})=1\), then S returns \(\lambda \) to M and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\lambda \right) \) in table L.

    • Else, S chooses \(\mu \!\in _{R}\! \left\{ 0,1\right\} ^{k}\), returns it to M and stores the entry \(\left( \sigma _{1},\sigma _{2},\sigma _{3},\hat{P}_{i},\hat{P}_{j},\mu \right) \) in L.

  7.

    \(\mathsf {randomness} (s)\): If \(s_{ status }=\bot \), then S returns \(\bot \). Otherwise, S returns \(s_{ rand }\).

  8.

    \(\mathsf {session\text{- }key} (s)\): If \(s_{ status }\ne {\mathtt {accepted}}\), then S returns \(\bot \). Otherwise, S answers this query by lookup in table T.

  9.

    \(\mathsf {test\text{- }session} (s)\): If \(s\ne s^{*}\) or if \(s'\) is not the origin-session for session \(s^{*}\), then S aborts; otherwise S answers the query in the appropriate way.

  10.

    \(\mathsf {corrupt} (\hat{P})\): If \(\hat{P}\notin \mathcal {P} \), then S returns \(\bot \). Else if \(\hat{P}=\hat{B}\), then S aborts. Else, S returns \(\mathsf{sk}_{\hat{P}}\).

  11.

    M outputs a guess: S aborts.

Analysis of event \(B_{3}\)

Similar to the analysis of the related event \(B_{3}\) in the proof of [19, Proposition 7].

Event \((T_{O})^{c}\wedge DL^{c}\wedge K\)

The simulation and analysis are very similar to the simulation and analysis related to event \(B_{3}\). \(\square \)
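As an added illustration that is not part of the paper, the following Python model reproduces the values the simulations above keep in tables Q and T: the chained state \(l_{s}=(s_{ rand },l_{s'})\) shared by a user’s sessions, the ephemeral exponent \(\kappa =H_{1}(l_{s},\mathsf{sk})\), the message \(g^{\kappa }\), and the three values \(\sigma _{1},\sigma _{2},\sigma _{3}\) that the DDH checks in the \(H_{2}\) step pin down before they are hashed into the session key. The toy group, the SHA-256 stand-ins for the random oracles \(H_{1}\) and \(H_{2}\), and all key and randomness values are constructed assumptions and far too small for real use.

```python
import hashlib
import secrets

# Toy group: multiplicative group mod a Mersenne prime (constructed; not a secure size).
P = 2**127 - 1
G = 3
Q = P - 1  # exponents are reduced modulo the order of Z_P^* (assumption)


def h1(l_s: bytes, sk: int) -> int:
    """Random oracle H1(l_s, sk): ephemeral exponent kappa (modelled with SHA-256)."""
    d = hashlib.sha256(b"H1" + l_s + sk.to_bytes(16, "big")).digest()
    return int.from_bytes(d, "big") % Q or 1


def h2(s1: int, s2: int, s3: int, pi: str, pj: str) -> bytes:
    """Random oracle H2(sigma1, sigma2, sigma3, P_i, P_j): the session key."""
    m = b"|".join(x.to_bytes(16, "big") for x in (s1, s2, s3))
    return hashlib.sha256(b"H2" + m + pi.encode() + pj.encode()).digest()


class Party:
    def __init__(self, name: str, sk: int):
        self.name, self.sk, self.pk = name, sk, pow(G, sk, P)
        self.l_prev = None  # memory shared by all of this user's sessions (the stateful part)

    def ephemeral(self, s_rand: bytes):
        """l_s = s_rand for the first session, (s_rand, l_{s'}) afterwards; kappa = H1(l_s, sk)."""
        l_s = s_rand if self.l_prev is None else s_rand + self.l_prev
        self.l_prev = l_s
        kappa = h1(l_s, self.sk)
        return kappa, pow(G, kappa, P)


def run_exchange(a: Party, b: Party, rand_a: bytes, rand_b: bytes):
    """Initiator a and responder b derive a key; rand_* may be adversary-chosen (cr-create)."""
    ka, U = a.ephemeral(rand_a)  # a sends U = g^kappa_A
    kb, V = b.ephemeral(rand_b)  # b replies with V = g^kappa_B
    # a computes sigma1 = V^{sk_A}, sigma2 = pk_B^{kappa_A}, sigma3 = V^{kappa_A}
    key_a = h2(pow(V, a.sk, P), pow(b.pk, ka, P), pow(V, ka, P), a.name, b.name)
    # b computes sigma1 = pk_A^{kappa_B}, sigma2 = U^{sk_B}, sigma3 = U^{kappa_B}
    key_b = h2(pow(a.pk, kb, P), pow(U, b.sk, P), pow(U, kb, P), a.name, b.name)
    return key_a, key_b


if __name__ == "__main__":
    A, B = Party("A", 0x1234), Party("B", 0x5678)
    print(run_exchange(A, B, secrets.token_bytes(16), secrets.token_bytes(16)))
```

Feeding the same adversary-chosen randomness into two successive sessions of the same user yields two different exponents, which is exactly the effect of the shared state the stateful protocol relies on.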

Cite this article

Feltz, M., Cremers, C. Strengthening the security of authenticated key exchange against bad randomness. Des. Codes Cryptogr. 86, 481–516 (2018). https://doi.org/10.1007/s10623-017-0337-5