Abstract
The Signal protocol is a secure instant messaging protocol that underlies the security of numerous applications such as WhatsApp, Skype, and Facebook Messenger, among many others. The Signal protocol consists of two subprotocols known as the X3DH protocol and the double ratchet protocol, where the latter has recently gained much attention. For instance, Alwen, Coretti, and Dodis (Eurocrypt’19) provided a concrete security model along with a generic construction based on simple building blocks that are instantiable from versatile assumptions, including post-quantum ones. In contrast, as far as we are aware, works focusing on the X3DH protocol seem limited. In this work, we cast the X3DH protocol as a specific type of authenticated key exchange (AKE) protocol, which we call a Signal-conforming AKE protocol, and formally define its security model based on the vast prior works on AKE protocols. We then provide the first efficient generic construction of a Signal-conforming AKE protocol based on standard cryptographic primitives such as key encapsulation mechanisms (KEM) and signature schemes. Specifically, this results in the first post-quantum secure replacement of the X3DH protocol based on well-established assumptions. Similar to the X3DH protocol, our Signal-conforming AKE protocol offers a strong (or stronger) flavor of security, where the exchanged key remains secure even when all the non-trivial combinations of the long-term secrets and session-specific secrets are compromised. Moreover, our protocol has a weak flavor of deniability and we further show how to progressively strengthen it using ring signatures and/or non-interactive zero-knowledge proof systems. Finally, we provide a full-fledged, generic C implementation of our (weakly deniable) protocol. We instantiate it with several Round 3 candidates (finalists and alternates) to the NIST post-quantum standardization process and compare the resulting bandwidth and computation performances. Our implementation is publicly available.
Notes
The name Signal is used to point to the app and the protocol.
Although [63, Section 4.6] states that the X3DH protocol is susceptible to KCI attacks, this is only because they consider the scenario where the session-specific secret is compromised. If we consider the standard KCI attack scenario where the long-term secret is the only information being compromised [15], then the X3DH protocol is secure.
Although the X3DH protocol can naturally be made secure against leakage of session-specific secrets (including randomness generated within the session) by using the generic NAXOS trick, e.g., [43, 54, 58, 79], it typically requires additional computation. Since this negatively affects efficiency, we target AKE protocols that do not use the NAXOS trick. See Sect. 1.3 for more detail.
We assume Alice and Bob know each other’s long-term key. In practice, this can be enforced by “out-of-band” authentication (see [63, Section 4.1]).
In practice, Bob may initiate the double ratchet protocol using \(\mathsf {k}_\mathsf {B} \) and send his message to Alice along with \(g^y\) to the server before Alice responds.
This property has also been called post-specified peers [22] in the context of Internet Key Exchange (IKE) protocols.
To be more precise, we additionally assume that the \(\mathsf {KEM}\) ciphertext is anonymous (i.e., indistinguishable from random) as well. This is often the case for standard encryption schemes such as those based on lattices.
We note that the definitions of \(\mathsf{DVS}\) and ring signatures come in various flavors. Thus, we only show equivalence under the security properties that Brendel et al. [19] required to construct their AKE protocol. Namely, our implication relies on the fact that their \(\mathsf{DVS}\) assumes the signature is publicly verifiable.
We assume algorithms \(\mathcal {C} \) and \(\mathcal {E} _\mathcal {C} \) are stateful.
Looking ahead, when the first message is independent of party \(P_j\) (i.e., \(\mathcal {C}\) can first create the first message without knowledge of \(P_j\) and then set \(\mathsf {Pid}^s_i := j\)), we call the scheme receiver oblivious. See Sect. 3.4 for more details.
Note that by definition, the peer id \(\mathsf {Pid}_i^s\) of a tested oracle \(\pi ^s_i\) is always defined.
We note that the subsequent variants differ from the original BR model [9] as they also model forward secrecy and KCI attacks.
Note that the meaning of the session-state is different from the one we defined in Sect. 3.1 (i.e., \({\texttt {state}}^s_i\)). In the CK model, a “session-state” is only defined in the security model and does not capture the \({\texttt {state}}^s_i\) specified by the implementation.
These variants also strengthen the CK model by allowing the adversary to obtain the session-state of the tested oracle and further modeling KCI attacks.
Notice the protocol is receiver oblivious since the first message is computed independently of the receiver.
Unlike in the figure, the signed prekey and prekey signature are uploaded by all the parties and not only by Alice.
In Table 2, pairing KEMs and signatures schemes with the same NIST security level yields \(7 \times 5 + 7 \times 4 + 6 \times 5 = 93\) distinct combinations (some schemes offer multiple instantiations at a given NIST level).
The X3DH protocol assumes the parties authenticate the long-term public keys through some authenticated channel [63, Section 4.1].
The results for all 93 instantiations can be found in the repository containing the implementation [55].
We only consider schemes that are proven secure in the (possibly slight variant of the) deniability framework proposed by the seminal work of Di Raimondo et al. [32].
We observe that although in [32, Definition 2], \(\mathsf {aux}\) is defined as fixed information that \(\mathcal {M}\) cannot adaptively choose, their proof implicitly assumes that \(\mathsf {aux}\) is sampled adaptively from some distribution dependent on \((\mathsf {pp}, \overrightarrow{\mathsf {lpk}}, \overrightarrow{\mathsf {lsk}})\). Such adaptivity of \(\mathsf {aux}\) is necessary to invoke PA2 security of the underlying encryption scheme in their security proof. We view enhancing the deniability definition of [32] to capture this adaptivity to be an important future work.
Notice the protocol is receiver oblivious since the first message is computed independently of the receiver.
Although we only consider a classical adversary \(\mathcal {M} \), it can be checked that the exact same proof holds even for a quantum adversary.
To be fair, we compare \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) with a variant of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) that does not sign the first message. Presented in [47], such a variant is as secure as \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) (modulo the difference between weak and perfect forward secrecy), and the main difference between the two schemes is deniability.
The attack equally works for the subsequent protocol proposed by Brendel et al. [19]. We note that this does not contradict their security proof since the new definition of indistinguishability-based deniability they introduce does not capture malicious adversaries.
This guarantees that the witness from a proof can be extracted without rewinding the adversary.
We note that this is redundant since it is implicitly implied by the key-awareness assumption. We only include it for clarity.
We note that although we can consider an adversary \(\mathcal {A} \) that makes no reveal queries (i.e., all \(\mathsf {lsk}\) and \({\texttt {state}}\) are either \({\times }\) or “”), we can exclude them without loss of generality since such an \(\mathcal {A} \) can always be modified into an adversary \(\mathcal {A} '\) that follows one of the strategies listed in Table 1.
For example, \(\mathcal {C}\) can efficiently notice if the two oracles \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) become non-partners even before \(\mathcal {A} \) makes a \(\mathsf {Test}\)-query by checking the input–output of each oracle.
We note that for Lemma A.1 we do not require the full power of the PRF; a pseudorandom generator (PRG) would have sufficed since the key \(\mathsf {K}_2\) is used nowhere else in the game.
References
D. Aharonov, O. Regev, Lattice problems in NP ∩ coNP, in 45th FOCS (IEEE Computer Society Press, 2004), pp. 362–371
J. Alawatugoda, D. Stebila, C. Boyd, Modelling after-the-fact leakage for key exchange, in S. Moriai, T. Jaeger, K. Sakurai, editors, ASIACCS 14 (ACM Press, 2014), pp. 207–216
J. Alwen, S. Coretti, Y. Dodis, The double ratchet: security notions, proofs, and modularization for the Signal protocol, in Y. Ishai, V. Rijmen, editors, EUROCRYPT 2019, Part I, volume 11476 of LNCS (Springer, Heidelberg, 2019), pp. 129–158
C. Bader, D. Hofheinz, T. Jager, E. Kiltz, Y. Li, Tightly-secure authenticated key exchange, in Y. Dodis, J.B. Nielsen, editors, TCC 2015, Part I, volume 9014 of LNCS (Springer, Heidelberg, 2015), pp. 629–658
M. Bellare, New proofs for NMAC and HMAC: security without collision-resistance, in C. Dwork, editor, CRYPTO 2006, volume 4117 of LNCS (Springer, Heidelberg, 2006), pp. 602–619
M. Bellare, New proofs for NMAC and HMAC: security without collision resistance. J. Cryptol. 28(4), 844–878 (2015)
M. Bellare, A. Desai, D. Pointcheval, P. Rogaway, Relations among notions of security for public-key encryption schemes, in H. Krawczyk, editor, CRYPTO’98, volume 1462 of LNCS (Springer, Heidelberg, 1998), pp. 26–45
M. Bellare, A. Palacio, Towards plaintext-aware public-key encryption without random oracles, in P.J. Lee, editor, ASIACRYPT 2004, volume 3329 of LNCS (Springer, Heidelberg, 2004), pp. 48–62
M. Bellare, P. Rogaway, Entity authentication and key distribution, in D.R. Stinson, editor, CRYPTO’93, volume 773 of LNCS (Springer, Heidelberg, 1994), pp. 232–249
M. Bellare, P. Rogaway, Optimal asymmetric encryption, in A.D. Santis, editor, EUROCRYPT’94, volume 950 of LNCS (Springer, Heidelberg, 1995), pp. 92–111
M. Bellare, A.C. Singh, J. Jaeger, M. Nyayapati, I. Stepanovs, Ratcheted encryption and key exchange: the security of messaging, in J. Katz, H. Shacham, editors, CRYPTO 2017, Part III, volume 10403 of LNCS (Springer, Heidelberg, 2017), pp. 619–650
D.J. Bernstein, Curve25519: new Diffie–Hellman speed records, in M. Yung, Y. Dodis, A. Kiayias, T. Malkin, editors, PKC 2006, volume 3958 of LNCS (Springer, Heidelberg, 2006), pp. 207–228
W. Beullens, S. Katsumata, F. Pintore, Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices, in S. Moriai, H. Wang, editors, ASIACRYPT 2020, Part II, volume 12492 of LNCS (Springer, Heidelberg, 2020), pp. 464–492
W. Beullens, T. Kleinjung, F. Vercauteren, CSI-FiSh: efficient isogeny based signatures through class group computations, in S.D. Galbraith, S. Moriai, editors, ASIACRYPT 2019, Part I, volume 11921 of LNCS (Springer, Heidelberg, 2019), pp. 227–247
S. Blake-Wilson, D. Johnson, A. Menezes, Key agreement protocols and their security analysis, in M. Darnell, editor, 6th IMA International Conference on Cryptography and Coding, volume 1355 of LNCS (Springer, Heidelberg, 1997), pp. 30–45
S. Blake-Wilson, A. Menezes, Unknown key-share attacks on the station-to-station (STS) protocol, in H. Imai, Y. Zheng, editors, PKC’99, volume 1560 of LNCS (Springer, Heidelberg, 1999), pp. 154–170
X. Bonnetain, A. Schrottenloher, Quantum security analysis of CSIDH, in A. Canteaut, Y. Ishai, editors, EUROCRYPT 2020, Part II, volume 12106 of LNCS (Springer, Heidelberg, 2020), pp. 493–522
Z. Brakerski, Y.T. Kalai, A framework for efficient signatures, ring signatures and identity based encryption in the standard model. Cryptology ePrint Archive, Report 2010/086 (2010). https://eprint.iacr.org/2010/086
J. Brendel, R. Fiedler, F. Günther, C. Janson, D. Stebila, Post-quantum asynchronous deniable key exchange and the Signal handshake. Cryptology ePrint Archive, Report 2021/769 (2021)
J. Brendel, M. Fischlin, F. Günther, C. Janson, D. Stebila, Towards post-quantum security for Signal’s X3DH handshake, in O. Dunkelman, M.J. Jacobson, Jr., C. O’Flynn, editors, Selected Areas in Cryptography (Springer, Cham, 2020), pp. 404–430
R. Canetti, H. Krawczyk, Analysis of key-exchange protocols and their use for building secure channels, in B. Pfitzmann, editor, EUROCRYPT 2001, volume 2045 of LNCS (Springer, Heidelberg, 2001), pp. 453–474
R. Canetti, H. Krawczyk, Security analysis of IKE’s signature-based key-exchange protocol, in M. Yung, editor, CRYPTO 2002, volume 2442 of LNCS (Springer, Heidelberg, 2002), pp. 143–161. https://eprint.iacr.org/2002/120/
D. Cash, E. Kiltz, V. Shoup, The twin Diffie–Hellman problem and applications, in N.P. Smart, editor, EUROCRYPT 2008, volume 4965 of LNCS (Springer, Heidelberg, 2008), pp. 127–145
K. Cohn-Gordon, C. Cremers, B. Dowling, L. Garratt, D. Stebila, A formal security analysis of the Signal messaging protocol, in IEEE European Symposium on Security and Privacy (EuroS&P) (2017), pp. 451–466
K. Cohn-Gordon, C. Cremers, B. Dowling, L. Garratt, D. Stebila, A formal security analysis of the Signal messaging protocol. J. Cryptol. 33(4), 1914–1983 (2020)
K. Cohn-Gordon, C. Cremers, K. Gjøsteen, H. Jacobsen, T. Jager, Highly efficient key exchange protocols with optimal tightness, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part III, volume 11694 of LNCS (Springer, Heidelberg, 2019), pp. 767–797
C. Cremers, Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK, in B.S.N. Cheung, L.C.K. Hui, R.S. Sandhu, D.S. Wong, editors, ASIACCS 11 (ACM Press, 2011), pp. 80–91
C.J.F. Cremers, Session-state reveal is stronger than ephemeral key reveal: attacking the NAXOS authenticated key exchange protocol, in M. Abdalla, D. Pointcheval, P.A. Fouque, D. Vergnaud, editors, ACNS 09, volume 5536 of LNCS (Springer, Heidelberg, 2009), pp. 20–33
C.J.F. Cremers, M. Feltz, Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal, in S. Foresti, M. Yung, F. Martinelli, editors, ESORICS 2012, volume 7459 of LNCS (Springer, Heidelberg, 2012), pp. 734–751
B. de Kock, K. Gjøsteen, M. Veroni, Practical isogeny-based key-exchange with optimal tightness, in O. Dunkelman, M.J. Jacobson, Jr., C. O’Flynn, editors, Selected Areas in Cryptography (Springer, Cham, 2020), pp. 451–479
C. de Saint Guilhem, M. Fischlin, B. Warinschi, Authentication in key-exchange: definitions, relations and composition, in L. Jia, R. Küsters, editors, CSF 2020 Computer Security Foundations Symposium (IEEE Computer Society Press, 2020), pp. 288–303
M. Di Raimondo, R. Gennaro, H. Krawczyk, Deniable authentication and key exchange, in A. Juels, R.N. Wright, S. De Capitani di Vimercati, editors, ACM CCS 2006 (ACM Press, 2006), pp. 400–409
W. Diffie, P.C. Van Oorschot, M.J. Wiener, Authentication and authenticated key exchanges. Des. Codes Cryptogr. 2(2), 107–125 (1992)
S. Dobson, S.D. Galbraith, Post-quantum Signal key agreement with SIDH. Cryptology ePrint Archive, Report 2021/1187 (2021). https://ia.cr/2021/1187
Y. Dodis, J. Katz, A. Smith, S. Walfish, Composability and online deniability of authentication, in O. Reingold, editor, TCC 2009, volume 5444 of LNCS (Springer, Heidelberg, 2009), pp. 146–162
F.B. Durak, S. Vaudenay, Bidirectional asynchronous ratcheted key agreement with linear complexity, in N. Attrapadung, T. Yagi, editors, IWSEC 19, volume 11689 of LNCS (Springer, Heidelberg, 2019), pp. 343–362
M.F. Esgin, R. Steinfeld, J.K. Liu, D. Liu, Lattice-based zero-knowledge proofs: new techniques for shorter and faster constructions and applications, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part I, volume 11692 of LNCS (Springer, Heidelberg, 2019), pp. 115–146
M.F. Esgin, R. Steinfeld, A. Sakzad, J.K. Liu, D. Liu, Short lattice-based one-out-of-many proofs and applications to ring signatures, in R.H. Deng, V. Gauthier-Umaña, M. Ochoa, M. Yung, editors, ACNS 19, volume 11464 of LNCS (Springer, Heidelberg, 2019), pp. 67–88
M.F. Esgin, R.K. Zhao, R. Steinfeld, J.K. Liu, D. Liu, MatRiCT: efficient, scalable and post-quantum blockchain confidential transactions protocol, in L. Cavallaro, J. Kinder, X. Wang, J. Katz, editors, ACM CCS 2019 (ACM Press, 2019), pp. 567–584
M. Fischlin, Communication-efficient non-interactive proofs of knowledge with online extractors, in V. Shoup, editor, CRYPTO 2005, volume 3621 of LNCS (Springer, Heidelberg, 2005), pp. 152–168
P.A. Fouque, D. Pointcheval, S. Zimmer, HMAC is a randomness extractor and applications to TLS, in M. Abe, V. Gligor, editors, ASIACCS 08 (ACM Press, 2008), pp. 21–32
E.S.V. Freire, D. Hofheinz, E. Kiltz, K.G. Paterson, Non-interactive key exchange, in K. Kurosawa, G. Hanaoka, editors, PKC 2013, volume 7778 of LNCS (Springer, Heidelberg, 2013), pp. 254–271
A. Fujioka, K. Suzuki, K. Xagawa, K. Yoneyama, Strongly secure authenticated key exchange from factoring, codes, and lattices, in M. Fischlin, J. Buchmann, M. Manulis, editors, PKC 2012, volume 7293 of LNCS (Springer, Heidelberg, 2012), pp. 467–484
A. Fujioka, K. Suzuki, K. Xagawa, K. Yoneyama, Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism, in K. Chen, Q. Xie, W. Qiu, N. Li, W.G. Tzeng, editors, ASIACCS 13 (ACM Press, 2013), pp. 83–94
K. Gjøsteen, T. Jager, Practical and tightly-secure digital signatures and authenticated key exchange, in H. Shacham, A. Boldyreva, editors, CRYPTO 2018, Part II, volume 10992 of LNCS (Springer, Heidelberg, 2018), pp. 95–125
S. Guo, P. Kamath, A. Rosen, K. Sotiraki, Limits on the efficiency of (ring) LWE based non-interactive key exchange, in A. Kiayias, M. Kohlweiss, P. Wallden, V. Zikas, editors, PKC 2020, Part I, volume 12110 of LNCS (Springer, Heidelberg, 2020), pp. 374–395
K. Hashimoto, S. Katsumata, K. Kwiatkowski, T. Prest, An efficient and generic construction for Signal’s handshake (X3DH): post-quantum, state leakage secure, and deniable, in J. Garay, editor, PKC 2021, Part II, volume 12711 of LNCS (Springer, Heidelberg, 2021), pp. 410–440
K. Hövelmanns, E. Kiltz, S. Schäge, D. Unruh, Generic authenticated key exchange in the quantum random oracle model, in A. Kiayias, M. Kohlweiss, P. Wallden, V. Zikas, editors, PKC 2020, Part II, volume 12111 of LNCS (Springer, Heidelberg, 2020), pp. 389–422
T. Jager, E. Kiltz, D. Riepel, S. Schäge, Tightly-secure authenticated key exchange, revisited, in A. Canteaut, F.X. Standaert, editors, EUROCRYPT 2021, Part I, volume 12696 of LNCS (Springer, Heidelberg, 2021), pp. 117–146
D. Jost, U. Maurer, M. Mularczyk, Efficient ratcheting: almost-optimal guarantees for secure messaging, in Y. Ishai, V. Rijmen, editors, EUROCRYPT 2019, Part I, volume 11476 of LNCS (Springer, Heidelberg, 2019), pp. 159–188
D. Jost, U. Maurer, M. Mularczyk, A unified and composable take on ratcheting, in D. Hofheinz, A. Rosen, editors, TCC 2019, Part II, volume 11892 of LNCS (Springer, Heidelberg, 2019), pp. 180–210
T. Kawashima, K. Takashima, Y. Aikawa, T. Takagi, An efficient authenticated key exchange from random self-reducibility on CSIDH, in D. Hong, editor, ICISC 20, volume 12593 of LNCS (Springer, Heidelberg, 2020), pp. 58–84
H. Krawczyk, HMQV: a high-performance secure Diffie–Hellman protocol, in V. Shoup, editor, CRYPTO 2005, volume 3621 of LNCS (Springer, Heidelberg, 2005), pp. 546–566
K. Kurosawa, J. Furukawa, 2-pass key exchange protocols from CPA-secure KEM, in J. Benaloh, editor, CT-RSA 2014, volume 8366 of LNCS (Springer, Heidelberg, 2014), pp. 385–401
K. Kwiatkowski, An efficient and generic construction for Signal’s handshake (X3DH): post-quantum, state leakage secure, and deniable. Proof of concept implementation (2020). https://github.com/post-quantum-cryptography/post-quantum-state-leakage-secure-ake
K. Kwiatkowski, PQ Crypto Catalog (2020). https://github.com/kriskwiatkowski/pqc
LibTomCrypt. https://github.com/libtom/libtomcrypt
B.A. LaMacchia, K. Lauter, A. Mityagin, Stronger security of authenticated key exchange, in W. Susilo, J.K. Liu, Y. Mu, editors, ProvSec 2007, volume 4784 of LNCS (Springer, Heidelberg, 2007), pp. 1–16
Y. Li, S. Schäge, Nomatch attacks and robust partnering definitions: defining trivial attacks for security protocols is not trivial, in B.M. Thuraisingham, D. Evans, T. Malkin, D. Xu, editors, ACM CCS 2017 (ACM Press, 2017), pp. 1343–1360
X. Lu, M.H. Au, Z. Zhang, Raptor: a practical lattice-based (linkable) ring signature, in R.H. Deng, V. Gauthier-Umaña, M. Ochoa, M. Yung, editors, ACNS 19, volume 11464 of LNCS (Springer, Heidelberg, 2019), pp. 110–130
V. Lyubashevsky, L. Ducas, E. Kiltz, T. Lepoint, P. Schwabe, G. Seiler, D. Stehlé, S. Bai, CRYSTALS-DILITHIUM. Technical report, National Institute of Standards and Technology (2020). Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
M. Marlinspike, T. Perrin, The double ratchet algorithm (2016). https://signal.org/docs/specifications/doubleratchet/
M. Marlinspike, T. Perrin, The X3DH key agreement protocol (2016). https://signal.org/docs/specifications/x3dh/
S. Myers, M. Sergi, A. shelat, Black-box construction of a more than non-malleable CCA1 encryption scheme from plaintext awareness, in I. Visconti, R.D. Prisco, editors, SCN 12, volume 7485 of LNCS (Springer, Heidelberg, 2012), pp. 149–165
C. Paquin, D. Stebila, G. Tamvada, Benchmarking post-quantum cryptography in TLS, in J. Ding, J.P. Tillich, editors, Post-Quantum Cryptography, 11th International Conference, PQCrypto 2020 (Springer, Heidelberg, 2020), pp. 72–91
R. Pass, On deniability in the common reference string and random oracle model, in D. Boneh, editor, CRYPTO 2003, volume 2729 of LNCS (Springer, Heidelberg, 2003), pp. 316–337
C. Peikert, He gives Csieves on the CSIDH, in A. Canteaut, Y. Ishai, editors, EUROCRYPT 2020, Part II, volume 12106 of LNCS (Springer, Heidelberg, 2020), pp. 463–492
T. Perrin, The XEdDSA and VXEdDSA signature schemes (2016). https://signal.org/docs/specifications/xeddsa/
B. Poettering, P. Rösler, Towards bidirectional ratcheted key exchange, in H. Shacham, A. Boldyreva, editors, CRYPTO 2018, Part I, volume 10991 of LNCS (Springer, Heidelberg, 2018), pp. 3–32
D. Pointcheval, O. Sanders, Forward secure non-interactive key exchange, in M. Abdalla, R.D. Prisco, editors, SCN 14, volume 8642 of LNCS (Springer, Heidelberg, 2014), pp. 21–39
T. Prest, P.A. Fouque, J. Hoffstein, P. Kirchner, V. Lyubashevsky, T. Pornin, T. Ricosset, G. Seiler, W. Whyte, Z. Zhang, FALCON. Technical report, National Institute of Standards and Technology (2020). Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions
Signal protocol: Technical documentation. https://signal.org/docs/
N. Unger, I. Goldberg, Deniable key exchanges for secure messaging, in I. Ray, N. Li, C. Kruegel, editors, ACM CCS 2015 (ACM Press, 2015), pp. 1211–1223
N. Unger, I. Goldberg, Improved strongly deniable authenticated key exchanges for secure messaging. PoPETs 2018(1), 21–66 (2018)
N. Vatandas, R. Gennaro, B. Ithurburn, H. Krawczyk, On the cryptographic deniability of the Signal protocol, in M. Conti, J. Zhou, E. Casalicchio, A. Spognardi, editors, ACNS 20, Part II, volume 12147 of LNCS (Springer, Heidelberg, 2020), pp. 188–209
H. Xue, M.H. Au, R. Yang, B. Liang, H. Jiang, Compact authenticated key exchange in the quantum random oracle model. Cryptology ePrint Archive, Report 2020/1282 (2020). https://eprint.iacr.org/2020/1282
H. Xue, X. Lu, B. Li, B. Liang, J. He, Understanding and constructing AKE via double-key key encapsulation mechanism, in T. Peyrin, S. Galbraith, editors, ASIACRYPT 2018, Part II, volume 11273 of LNCS (Springer, Heidelberg, 2018), pp. 158–189
Z. Yang, Modelling simultaneous mutual authentication for authenticated key exchange, in J.L. Danger, M. Debbabi, J.Y. Marion, J. Garcia-Alfaro, N. Zincir-Heywood, editors, Foundations and Practice of Security (Springer, Cham, 2014), pp. 46–62
Z. Yang, Y. Chen, S. Luo, Two-message key exchange with strong security from ideal lattices, in N.P. Smart, editor, CT-RSA 2018, volume 10808 of LNCS (Springer, Heidelberg, 2018), pp. 98–115
A.C.C. Yao, Y. Zhao, Deniable internet key exchange, in J. Zhou, M. Yung, editors, ACNS 10, volume 6123 of LNCS (Springer, Heidelberg, 2010), pp. 329–348
T.H. Yuen, M.F. Esgin, J.K. Liu, M.H. Au, Z. Ding, DualRing: generic construction of ring signatures with efficient instantiations, in T. Malkin, C. Peikert, editors, CRYPTO 2021, Part I, volume 12825 of LNCS (Springer, Heidelberg, 2021), pp. 251–281
Acknowledgements
The second author was supported by JST CREST Grant Number JPMJCR19F6. The third and fourth authors were supported by the Innovate UK Research Grant 104423 (PQ Cybersecurity).
Communicated by Masayuki Abe.
This is the full version of a preliminary work that appeared in PKC 2021 [47].
Appendices
A Full Proofs for Signal-Conforming AKE \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\)
We prove the security of our Signal-conforming AKE protocol \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\).
Proof of Theorem 4.3
Let \(\mathcal {A}\) be an adversary that plays the security game \(G^{\mathsf {FS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {AKE} {}}(\mu , \ell )\) with the challenger \(\mathcal {C}\) with advantage \(\mathsf {Adv}{}^{\mathsf {AKE}\textsf {-}\mathsf {FS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {AKE} {}}(\mathcal {A}) = \epsilon \). In order to prove Theorem 4.3, we distinguish between the strategies that can be taken by \(\mathcal {A} \). Specifically, \(\mathcal {A} \)’s strategy can be divided into the eight types of strategies listed in Table 1. Here, the strategies are mutually exclusive and cover all possible (non-trivial) strategies.^{Footnote 30} We point out that for our specific AKE construction we have \({\texttt {state}}_\mathtt {resp}:= \bot \) since the responder does not maintain any state (see Remark 4.1). Therefore, the Type-1 (resp. Type-3, Type-7) strategy is strictly stronger than the Type-2 (resp. Type-4, Type-8) strategy. We only include the full list of strategies in Table 1 as we believe it would be helpful when proving other AKE protocols, and note that our proof implicitly handles both strategies at the same time.
For each possible strategy taken by \(\mathcal {A} \), we construct an algorithm that breaks one of the underlying assumptions by using such an adversary \(\mathcal {A} \) as a subroutine. More formally, we construct six algorithms \(\mathcal {B}_{1}\), \(\mathcal {B}_{2}\), \(\mathcal {B}_{3,0}\), \(\mathcal {B}_{3,1}\), \(\mathcal {D}_{1}\) and \(\mathcal {D}_{2}\) satisfying the following:
1. If \(\mathcal {A}\) uses the Type-1 (or Type-2) strategy, then \(\mathcal {B}_{1}\) succeeds in breaking the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell ^{2}}\epsilon \) or \(\mathcal {D}_{1}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell ^{2}}\epsilon \).
2. If \(\mathcal {A}\) uses the Type-3 (or Type-4) strategy, then \(\mathcal {B}_{2}\) succeeds in breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \) or \(\mathcal {D}_{2}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \).
3. If \(\mathcal {A}\) uses the Type-5 or Type-6 strategy, then \(\mathcal {B}_{3,0}\) succeeds in breaking the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) with advantage \(\approx \frac{1}{\mu }\epsilon \).
4. If \(\mathcal {A}\) uses the Type-7 (or Type-8) strategy, then \(\mathcal {B}_{3,1}\) succeeds in breaking the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) with advantage \(\approx \frac{1}{\mu }\epsilon \).
We present a security proof structured as a sequence of games. Without loss of generality, we assume that \(\mathcal {A}\) always issues a \(\mathsf {Test}\)-query. In the following, let \(\mathsf {S}_{j}\) denote the event that \(b = b'\) occurs in game \(G_{j}\) and let \(\epsilon _{j} \mathrel {\mathop :}=\left| \Pr \left[ \mathsf {S}_{j}\right] - 1/2 \right| \) denote the advantage of the adversary in game \(G_{j}\). Regardless of the strategy taken by \(\mathcal {A}\), all proofs share a common game sequence \(G_{0}\)–\(G_{1}\) as described below.
Game \(G_{0}\) This game is identical to the original security game. We thus have
Game \(G_{1}\) This game is identical to \(G_{0}\), except that we add an abort condition. Let \(\mathsf {E}_{\mathsf {corr}}{}\) be the event that there exist two partner oracles \(\pi ^s_i\) and \(\pi ^t_j\) that do not agree on the same session key. If \(\mathsf {E}_{\mathsf {corr}}\) occurs, then \(\mathcal {C}\) aborts (i.e., sets \(\mathcal {A} \)’s output to be a random bit) at the end of the game.
There are at most \(\mu \ell /2\) responder oracles and each oracle is assigned uniform randomness. From Theorem 4.2, the probability of error occurring during the security game is at most \(\mu \ell (\delta _{\mathsf{SIG}{}} + 2\delta _{\mathsf {KEM}})/2\). Therefore, \(\mathsf {E}_{\mathsf {corr}}\) occurs with probability at most \(\mu \ell (\delta _{\mathsf{SIG}{}} + 2\delta _{\mathsf {KEM}})/2\). We thus have
In the following games we assume no decryption error or signature verification error occurs.
We now divide the game sequence depending on the strategy taken by the adversary \(\mathcal {A}\). Regardless of \(\mathcal {A}{}\)’s strategy, we prove that \(\epsilon _{1}\) is negligible, which in particular implies that \(\epsilon \) is also negligible. Formally, this is shown in Lemmata A.1 to A.4 provided in their respective subsections below. We first complete the proof of the theorem. Specifically, by combining all the lemmata together and folding adversaries \(\mathcal {B}_{3,0}\) and \(\mathcal {B}_{3,1}\) into one adversary \(\mathcal {B}_{3}\), we obtain the following desired bound:
Here, the running time of each of the algorithms \(\mathcal {B}_{1}\), \(\mathcal {B}_{2}\), \(\mathcal {B}_{3}\), \(\mathcal {D}_{1}\) and \(\mathcal {D}_{2}\) consists essentially of the time required to simulate the security game for \(\mathcal {A}\) once, plus a minor number of additional operations. \(\square \)
It remains to prove Lemmata A.1 to A.4.
Proof of Lemma A.1: Against Type-1 or Type-2 Adversary
Lemma A.1
For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-1 or Type-2 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{1}\) breaking the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\) and \(\mathcal {D}_{1}\) breaking the security of PRF \(\mathsf {F}\) such that
Proof of Lemma A.1
We present the rest of the sequence of games from game \(G_{1}\).
Game \(G_{2}\) In this game, at the beginning of the game, \(\mathcal {C}\) chooses an initiator oracle \(\pi ^{\hat{s}}_{\hat{\imath }}\) and a responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) uniformly at random from the \(\mu \ell \) oracles. Let \(\mathsf {E_{testO}}\) be the event that the tested oracle is neither \(\pi ^{\hat{s}}_{\hat{\imath }}\) nor \(\pi ^{\hat{t}}_{\hat{\jmath }}\), or \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) are not partner. Since \(\mathsf {E_{testO}}\) is an efficiently checkable event, \(\mathcal {C}\) aborts as soon as it detects that event \(\mathsf {E_{testO}}\) occurs.^{Footnote 31}\(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability at least \(1/\mu ^{2}\ell ^{2}\), so we have
Game \(G_{3}\) In this game, we modify the way the initiator oracle \(\pi ^{\hat{s}}_{\hat{\imath }}\) responds on its second invocation. In particular, when \(\pi ^{\hat{s}}_{\hat{\imath }}\) is invoked (on the second time) on input \((\mathsf {C}, \mathsf {C}_{T}, \mathsf {c})\), it proceeds as in the previous game except that it uses the key \(\mathsf {K}_{T}\) that was generated by the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) rather than using the key obtained through decrypting \(\mathsf {C}_{T}\). Here, conditioned on \(\mathsf {E_{testO}}\) not occurring, we are guaranteed that the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) generated \(\mathsf {C}_{T}\) by running \((\mathsf {K}_{T}, \mathsf {C}_{T}) \leftarrow \mathsf {wKEM}.\mathsf {Encap}(\mathsf {ek}_{T})\), where \(\mathsf {ek}_T\) is the encapsulation key that \(\pi ^{\hat{s}}_{\hat{\imath }}\) outputs on the first invocation. This is because otherwise, the oracles \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) will not be partner oracles. Conditioning on event \(\mathsf {E}_{\mathsf {corr}}{}\) (i.e., decryption failure) not occurring, the two games \(G_2\) and \(G_3\) are identical. Hence,
Game \(G_{4}\) In this game, we modify the way the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) responds. When the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) is invoked on input \(\mathsf {ek}_T\), the game samples a random key instead of computing \((\mathsf {K}_{T}, \mathsf {C}_{T}) \leftarrow \mathsf {wKEM}.\mathsf {Encap}(\mathsf {ek}_{T})\). Note that when the initiator oracle \(\pi ^{\hat{s}}_{\hat{\imath }}\) is invoked (for the second time) on input \((\mathsf {C}, \mathsf {C}_{T}, \mathsf {c})\), it uses this random key \(\mathsf {K}_T\). We claim that \(G_{3}\) and \(G_{4}\) are indistinguishable assuming the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\). To prove this, we construct an algorithm \(\mathcal {B}_{1}\) breaking the \(\mathsf {IND\text {-}CPA}\) security as follows.
\(\mathcal {B}_{1}\) receives a public parameter \(\mathsf {pp}{}_{\mathsf {wKEM}}\), a public key \(\mathsf {ek}^{*}\), and a challenge \((\mathsf {K}^{*}, \mathsf {C}^{*})\) from its challenger. \(\mathcal {B}_{1}\) sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) using \(\mathsf {pp}{}_{\mathsf {wKEM}}\), computes \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) for all \(i \in [\mu ]\) by running the protocol honestly, and samples \((\hat{\imath }, \hat{\jmath }, \hat{s}, \hat{t})\) uniformly at random from \([\mu ]^2 \times [\ell ]^2\). It then invokes \(\mathcal {A}\) on the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers queries made by \(\mathcal {A}\) as follows:

\(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): If \((i, s, j) = (\hat{\imath }, \hat{s}, \hat{\jmath })\), then \(\mathcal {B}_{1}\) returns \(\mathsf {ek}^{*}\) to \(\mathcal {A} \) and implicitly sets \({\texttt {state}}^{s}_{i} \mathrel {\mathop :}={} \mathsf {dk}^{*}\). Otherwise, \(\mathcal {B}_{1}\) responds as in \(G_4\).

\(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): Let \(i \mathrel {\mathop :}=\mathsf {Pid}^{t}_{j}\). Depending on the values of (j, t, i), it performs the following:

If \((j, t) = (\hat{\jmath }, \hat{t})\) and \(i \ne \hat{\imath }\), then \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) cannot be partner oracles. Therefore, since event \(\mathsf {E_{testO}}\) is triggered, \(\mathcal {B}_{1}\) aborts.

If \((j, t, i) = (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{1}\) checks if \(\mathsf {ek}_T =\mathsf {ek}^*\). If not, event \(\mathsf {E_{testO}}\) is triggered, so it aborts. Otherwise, it proceeds as in \(G_4\) except that it sets \(\mathsf {K}{}_{T} = \mathsf {K}^{*}\) and \(\mathsf {C}{}_{T} = \mathsf {C}^{*}\) rather than sampling them on its own. It then returns the message \((\mathsf {C}, \mathsf {C}_T, \mathsf {c}{})\).

If \((j, t, i) \ne (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{1}\) responds as in \(G_4\).


\(\mathsf {Send}(i, s, m = (\mathsf {C}, \mathsf {C}_T, \mathsf {c}))\): Let \(j \mathrel {\mathop :}=\mathsf {Pid}^{s}_{i}\). Depending on the values of (i, s, j), it performs the following:

If \((i, s) = (\hat{\imath }, \hat{s})\) and \(j \ne \hat{\jmath }\), then \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) cannot be partner oracles. Therefore, since event \(\mathsf {E_{testO}}\) is triggered, \(\mathcal {B}_{1}\) aborts.

If \((i, s, j) = (\hat{\imath }, \hat{s}, \hat{\jmath })\), then \(\mathcal {B}_{1}\) checks if \(\mathsf {C}_T = \mathsf {C}^*\). If not, event \(\mathsf {E_{testO}}\) is triggered, so it aborts. Otherwise, it responds as in \(G_4\).

If \((i, s, j) \ne (\hat{\imath }, \hat{s}, \hat{\jmath })\), then \(\mathcal {B}_{1}\) responds as in \(G_4\).


\(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{1}\) proceeds as in the previous game. Here, note that since \(\mathcal {A} \) follows the Type-1 or Type-2 strategy, \(\mathcal {B}_1\) can answer all the \(\mathsf {RevState}\) queries. Namely, conditioning on \(\mathsf {E_{testO}}\) not occurring, \(\mathcal {A} \) never queries \(\mathsf {RevState}(\hat{\imath }, \hat{s})\) (i.e., \({\texttt {state}}^{\hat{s}}_{\hat{\imath }} \mathrel {\mathop :}={} \mathsf {dk}^{*}\)), which is the only query that \(\mathcal {B}_1\) cannot answer.

\(\mathsf {Test}(i, s)\): \(\mathcal {B}_{1}\) responds as in \(G_4\). Here, if \((i, s) \not \in \left\{ (\hat{\imath }, \hat{s}), (\hat{\jmath },\hat{t}) \right\} \), then event \(\mathsf {E_{testO}}\) is triggered, so it aborts.
Finally, if \(\mathcal {A}\) outputs a guess \(b'\), \(\mathcal {B}_{1}\) outputs \(b'\). It can be checked that \(\mathcal {B}_1\) perfectly simulates game \(G_3\) (resp. \(G_4\)) to \(\mathcal {A} \) when the challenge \(\mathsf {K}^{*}\) is the real key (resp. a random key). Thus we have
Game \(G_{5}\) In this game, we modify how the PRF key \(\mathsf {K}_{2}\) is generated by the tested oracle and its partner oracle. Instead of computing \(\mathsf {K}{}_{2} \leftarrow \mathsf {Ext}_{ s {}}(\mathsf {K}_{T})\), both oracles use the same randomly sampled . Due to the modification we made in the previous game, \(\mathsf {K}_{T}\) is chosen uniformly at random from \(\mathcal {KS}_\mathsf {wKEM}\), so \(\mathsf {K}_T\) has \(\log _2(\mathcal {KS}_\mathsf {wKEM}) \ge \gamma _\mathsf {KEM} \) min-entropy. Then, by the definition of the strong (\(\gamma _\mathsf {KEM}, \varepsilon _{\mathsf {Ext}}\))-extractor \(\mathsf {Ext}\), we have
Game \(G_{6}\) In this game, we modify how the session key \(\mathsf {k}\) is generated by the tested oracle. Instead of computing \(\mathsf {k}\Vert \tilde{k}\leftarrow \mathsf {F}_{\mathsf {K}_{1}}(\mathsf {sid}) \oplus \mathsf {F}_{\mathsf {K}_{2}}(\mathsf {sid})\), the tested oracle (which is either \(\pi ^{\hat{s}}_{\hat{\imath }}\) or \(\pi ^{\hat{t}}_{\hat{\jmath }}\) conditioned on event \(\mathsf {E_{testO}}\) not occurring) computes the session key as \(\mathsf {k}\Vert \tilde{k}\leftarrow \mathsf {F}_{\mathsf {K}{}_{1}}(\mathsf {sid}) \oplus x\), where x is chosen uniformly at random from \( \{ 0,1 \} ^{\kappa + d}\). Since \(\mathsf {K}{}_{2}\) is chosen uniformly and hidden from the views of the adversary \(\mathcal {A} \), games \(G_{5}\) and \(G_{6}\) are indistinguishable by the security of the PRF.^{Footnote 32} In particular, we can construct a PRF adversary \(\mathcal {D}_{1}\) that uses \(\mathcal {A} \) as a subroutine such that
In \(G_{6}\), the session key of the tested oracle is uniformly random. Thus, even an unbounded adversary \(\mathcal {A}\) has no distinguishing advantage. Therefore, \(\Pr \left[ \mathsf {S}_{6}\right] = 1/2\). Combining everything together, we have
\(\square \)
Proof of Lemma A.2: Against Type-3 or Type-4 Adversary
Lemma A.2
For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-3 or Type-4 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{2}\) breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) and \(\mathcal {D}_{2}\) breaking the security of the PRF \(\mathsf {F}\) such that
Proof of Lemma A.2
We present the rest of the sequence of games from game \(G_{1}\).
Game \(G_{2}\) This game is identical to \(G_{1}\), except that we add another abort condition. Let \({\mathsf {E}}_{\mathsf {uniq}}\) be the event that there exists an oracle that has more than one partner oracle. If \({\mathsf {E}}_{\mathsf {uniq}}\) occurs, then \(\mathcal {C}\) aborts. Since \(G_{1}\) and \(G_{2}\) proceed identically unless \({\mathsf {E}}_{\mathsf {uniq}}\) occurs, we have
We claim
Fix \(j \in [\mu ]\) and consider the set of oracles \(S_{j} = \left\{ \pi ^{s}_{i} \mid \mathsf {Pid}^{s}_{i} = j \right\} \). For any \(\pi ^{s}_{i} \in S_{j}\), if there exist two oracles \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) with \(t \ne t' \in [\ell ]\) that are partners of \(\pi ^{s}_{i}\), then \(\mathsf {sid}^{s}_{i} = \mathsf {sid}^{t}_{j} = \mathsf {sid}^{t'}_{j}\) holds. We distinguish between the following cases.
Case 1 We first consider the case where \(\pi ^{s}_{i}\) is an initiator and \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) are responders. Let \(\mathsf {ek}_{T}\) be the ephemeral encapsulation key generated by \(\pi ^{s}_{i}\). In this case, \({\mathsf {E}}_{\mathsf {uniq}}\) occurs if the responder oracles \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) generate the same ciphertexts with respect to \(\mathsf {ek}_{i}\) and \(\mathsf {ek}_{T}\). Since \(\mathsf {ek}_{i}\) and \(\mathsf {ek}_{T}\) are independently and honestly generated by the game and each responder oracle is assigned uniform randomness, the probability of a ciphertext collision is upper bounded by \(\ell ^{2}/2^{2 \chi _{\mathsf {KEM}}}\), where recall that \(\chi _{\mathsf {KEM}}\) is the ciphertext min-entropy of \(\Pi _\mathsf{wKEM}\) and \(\Pi _\mathsf {KEM}\). Taking the union bound over all \(j \in [\mu ]\), we conclude that Case 1 occurs with probability at most \(\mu \ell ^{2}/2^{2\chi _{\mathsf {KEM}}}\).
Case 2 We next consider the case where \(\pi ^{s}_{i}\) is a responder and \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) are initiators. In this case, \({\mathsf {E}}_{\mathsf {uniq}}\) occurs if the initiator oracles \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) generate the same ephemeral encapsulation key. Since each initiator oracle samples an encapsulation key independently, the probability of an encapsulation key collision is upper bounded by \(\ell ^{2}/2^{\nu _{\mathsf {KEM}}}\), where recall that \(\nu _{\mathsf {KEM}}\) is the encapsulation key min-entropy of \(\Pi _\mathsf{wKEM}\). Taking the union bound over all \(j \in [\mu ]\), we conclude that Case 2 occurs with probability at most \(\mu \ell ^{2}/2^{\nu _{\mathsf {KEM}}}\).
The claim can be shown by combining the two probabilities from Case 1 and Case 2. In the following games we assume every oracle has a unique partner oracle if it exists.
Game \(G_{3}\) At the beginning of this game, \(\mathcal {C}\) chooses a random party \(P_{\hat{\imath }}\) from the \(\mu \) parties and a random responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) from the \(\mu \ell \) oracles. Let \(\mathsf {E_{testO}}\) be the event whose complement \(\lnot \mathsf {E_{testO}}\) is the event that either the tested oracle is \(\pi ^{\hat{s}}_{\hat{\imath }}\) for some \(s \in [\ell ]\) and its partner oracle is \(\pi ^{\hat{t}}_{\hat{\jmath }}\), or the tested oracle is \(\pi ^{\hat{t}}_{\hat{\jmath }}\) and its peer is \(P_{\hat{\imath }}\). Since \(\mathsf {E_{testO}}\) is an efficiently checkable event, \(\mathcal {C}\) aborts as soon as it detects that event \(\mathsf {E_{testO}}\) occurs. \(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability \(1/\mu ^{2}\ell \), so we have
Game \(G_{4}\) In this game, we modify the way the initiator oracle \(\pi ^{s}_{\hat{\imath }}\), for any \(s \in [\ell ]\), responds on its second invocation. Let \((\mathsf {K}, \mathsf {C})\) be the \(\Pi _\mathsf {KEM}\) key-ciphertext pair generated by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). Then, when \(\pi ^{s}_{\hat{\imath }}\) is invoked (for the second time) on input \((\mathsf {C}', \mathsf {C}_{T}, \mathsf {c})\), it first checks if \(\mathsf {C}' = \mathsf {C}\). If so, it proceeds as in the previous game except that it uses the key \(\mathsf {K}\) that was generated by \(\pi ^{\hat{t}}_{\hat{\jmath }}\) rather than the key obtained by decrypting \(\mathsf {C}'\). Otherwise, if \(\mathsf {C}' \ne \mathsf {C}\), it proceeds exactly as in the previous game. Conditioning on event \(\mathsf {E}_{\mathsf {corr}}{}\) (i.e., decryption failure) not occurring, the two games \(G_3\) and \(G_4\) are identical. Hence,
Game \(G_{5}\) In this game, we modify the way the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) responds. When the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) is invoked on input \(\mathsf {ek}_T\), it samples a random key instead of computing \((\mathsf {K}, \mathsf {C}) \leftarrow \mathsf {KEM}.\mathsf {Encap}(\mathsf {ek}_{\hat{\imath }})\). Note that due to the modification we made in the previous game, when the initiator oracle \(\pi ^{s}_{\hat{\imath }}\) for any \(s \in [\ell ]\) is invoked (for the second time) on input \((\mathsf {C}', \mathsf {C}_{T}, \mathsf {c})\) with \(\mathsf {C}' = \mathsf {C}\), it uses the random key \(\mathsf {K}\) generated by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). We claim that \(G_{4}\) and \(G_{5}\) are indistinguishable assuming the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\). To prove this, we construct an algorithm \(\mathcal {B}_{2}\) breaking the \(\mathsf {IND\text {-}CCA}\) security as follows.
\(\mathcal {B}_{2}\) receives a public parameter \(\mathsf {pp}{}_{\mathsf {KEM}}\), a public key \(\mathsf {ek}^{*}\), and a challenge \((\mathsf {K}^{*}, \mathsf {C}^{*})\) from its challenger. \(\mathcal {B}_{2}\) then samples a random , sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) using \(\mathsf {pp}{}_{\mathsf {KEM}}\), and generates the long-term key pairs as follows. For party \(P_{\hat{\imath }}\), \(\mathcal {B}_{2}\) runs \(({\mathsf{vk}}_{\hat{\imath }}, {\mathsf{sk}}_{\hat{\imath }}) \leftarrow \mathsf{SIG}.\mathsf{KeyGen}(\mathsf {pp}_{\mathsf{SIG}})\), sets the long-term public key as \(\mathsf {lpk} _{\hat{\imath }} := (\mathsf {ek}^{*}, {\mathsf{vk}}_{\hat{\imath }})\), and implicitly sets the long-term secret key as \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}^*, {\mathsf{sk}}_{\hat{\imath }})\); note that \(\mathcal {B}_2\) does not know \(\mathsf {dk}^*\). For all the other parties \(i \in [\mu \backslash \hat{\imath }]\), \(\mathcal {B}_{2}\) computes the long-term key pairs \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) as in \(G_5\). Finally, \(\mathcal {B}_{2}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries made by \(\mathcal {A}\) as follows:

\(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): \(\mathcal {B}_{2}\) responds as in \(G_5\).

\(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): Let \(i \mathrel {\mathop :}=\mathsf {Pid}^{t}_{j}\). Depending on the values of (j, t, i), it performs the following:

If \((j, t, i) = (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{2}\) responds as in \(G_5\) except that it sets \((\mathsf {K}, \mathsf {C}) := (\mathsf {K}^*, \mathsf {C}^{*})\) rather than generating them on its own. It then returns the message \((\mathsf {C}^{*}, \mathsf {C}_{T}, \mathsf {c}{})\).

If \((j, t, i) \ne (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{2}\) responds as in \(G_5\).


\(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): Depending on the value of i, it performs the following:

If \(i = \hat{\imath }\), then \(\mathcal {B}_{2}\) checks if \(\mathsf {C}= \mathsf {C}^*\). If so, it responds as in \(G_5\) except that it sets \(\mathsf {K}\mathrel {\mathop :}=\mathsf {K}^{*}\). Otherwise, if \(\mathsf {C}\ne \mathsf {C}^*\), then it queries the decapsulation oracle on \(\mathsf {C}\) and receives back \(\mathsf {K}'\). \(\mathcal {B}_2\) then responds as in \(G_5\) except that it sets \(\mathsf {K}\mathrel {\mathop :}=\mathsf {K}'\).

If \(i \ne \hat{\imath }\), then \(\mathcal {B}_{2}\) responds as in \(G_5\).


\(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{2}\) responds as in \(G_5\). Here, note that since \(\mathcal {A} \) follows the Type-3 or Type-4 strategy, \(\mathcal {B}_2\) can answer all the \(\mathsf {RevLTK}\) queries. Namely, conditioning on \(\mathsf {E_{testO}}\) not occurring, \(\mathcal {A} \) never queries \(\mathsf {RevLTK}(\hat{\imath })\) (i.e., \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}^*, {\mathsf{sk}}_{\hat{\imath }})\)), which is the only query that \(\mathcal {B}_2\) cannot answer.

\(\mathsf {Test}(i, s)\): \(\mathcal {B}_{2}\) responds to the query as in the definition. Here, if \(i \ne \hat{\imath }\) or \((i, s) \ne (\hat{\jmath },\hat{t})\), then event \(\mathsf {E_{testO}}\) is triggered, so it aborts.
If \(\mathcal {A}\) outputs a guess \(b'\), \(\mathcal {B}_{2}\) outputs \(b'\). It can be checked that \(\mathcal {B}_2\) perfectly simulates game \(G_4\) (resp. \(G_5\)) to \(\mathcal {A} \) when the challenge \(\mathsf {K}^{*}\) is the real key (resp. a random key). Thus we have
Game \(G_{6}\) In this game, whenever we need to derive \(\mathsf {K}^*_1 \leftarrow \mathsf {Ext}_s(\mathsf {K}^*)\), we instead use a uniformly random PRF key (fixed once and for all), where \(\mathsf {K}^*\) is the KEM key chosen by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). Due to the modification we made in the previous game, \(\mathsf {K}^*\) is chosen uniformly at random from \(\mathcal {KS}_\mathsf {KEM} \), so \(\mathsf {K}^*\) has \(\log _2(\mathcal {KS}_\mathsf {KEM} ) \ge \gamma _\mathsf {KEM} \) min-entropy. Then, by the definition of the strong (\(\gamma _\mathsf {KEM}, \varepsilon _{\mathsf {Ext}}\))-extractor \(\mathsf {Ext}\), we have
Game \(G_{7}\) In this game, we sample a random function \(\mathsf {RF}\) and whenever we need to compute \(\mathsf {F}_{\mathsf {K}^*_1}(\mathsf {sid})\) for any \(\mathsf {sid}\), we instead compute \(\mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid})\). Due to the modification we made in the previous game, \(\mathsf {K}^*_1\) is sampled uniformly from \(\mathcal {FK}\). Therefore, the two games can be easily shown to be indistinguishable assuming the pseudorandomness of the PRF. In particular, we can construct a PRF adversary \(\mathcal {D}_{2}\) such that
It remains to show that the session key output by the tested oracle in game \(G_7\) is uniformly random regardless of the challenge bit \(b \in \{ 0,1 \} \) chosen by the game. We consider the case \(b = 0\) and prove that the session key honestly generated by the tested oracle is distributed uniformly at random. First, conditioning on event \(\mathsf {E_{testO}}\) not occurring, it must be the case that the tested oracle (and its partner oracle) prepares the session key as \(\mathsf {k}^* \Vert \tilde{k}\leftarrow \mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid}^*) \oplus \mathsf {F}_{\mathsf {K}_{2}}(\mathsf {sid}^*)\) for some \(\mathsf {sid}^*\). That is, the \(\mathsf {K}^*_1\) sampled by the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) is used to compute the session key. Next, conditioning on event \({\mathsf {E}}_{\mathsf {uniq}}\) not occurring, the only oracles that share the same \(\mathsf {sid}^*\) must be the tested oracle and its partner oracle, since otherwise the uniqueness of partner oracles would be violated. Therefore, we conclude that \(\mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid}^*)\) is only used to compute the session key of the tested oracle and its partner oracle. Since the outputs of \(\mathsf {RF}\) on distinct inputs are independent and uniformly random, we conclude that \(\Pr \left[ \mathsf {S}_{7}\right] = 1/2\). Combining all the arguments together, we obtain
\(\square \)
Proof of Lemma A.3: Against Type-5 or Type-6 Adversary
Lemma A.3
For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-5 or Type-6 strategy, there exists a \(\mathsf {QPT}\) algorithm \(\mathcal {B}_{3,0}\) breaking the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) such that
Proof of Lemma A.3
We present the rest of the sequence of games from game \(G_{1}\).
Game \(G_{2}\) At the beginning of this game, \(\mathcal {C}\) chooses a party \(P_{\hat{\jmath }}\) uniformly at random from the \(\mu \) parties. Let \(\mathsf {E_{testO}}\) be the event that the peer of the tested oracle is not \(P_{\hat{\jmath }}\). If event \(\mathsf {E_{testO}}\) occurs, \(\mathcal {C}\) aborts. Since \(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability \(1/\mu \), we have
Game \(G_{3}\) This game is identical to \(G_{2}\), except that we add an abort condition. Let S be the list of message-signature pairs that \(P_{\hat{\jmath }}\) generated as a responder oracle. That is, every time \(\pi ^t_{\hat{\jmath }}\) for some \(t \in [\ell ]\) is invoked as a responder, it updates the list S by appending the message-signature pair \((\mathsf {sid}^t_{\hat{\jmath }}, \sigma ^t_{\hat{\jmath }})\) that it generates. Then, when an initiator oracle \(\pi _{i}^s\) for any \((i, s) \in [\mu ] \times [\ell ]\)  is invoked on input \((\mathsf {C}, \mathsf {C}_{T}, \mathsf {c})\) from party \(P_{\hat{\jmath }}\) (i.e., \(\mathsf {Pid}^s_i = \hat{\jmath }\)), it first computes \(\mathsf {sid}^s_i\) and \(\sigma \) as in the previous game, and then checks that, if \(\mathsf{SIG}.\mathsf{Verify}({\mathsf{vk}}_{\hat{\jmath }}, \mathsf {sid}^s_i, \sigma ) = 1\) and \(P_{\hat{\jmath }}\) is not corrupted, then \((\mathsf {sid}^s_i, \sigma ) \in S\). If this check fails, the game aborts. Otherwise, it proceeds as in the previous game. We denote the event that the game aborts by \(\mathsf {E_{sig}}\). Since the two games are identical until abort, we have
Before bounding \(\Pr \left[ \mathsf {E_{sig}}\right] \), we finish the proof of the lemma. We show that no adversary \(\mathcal {A} \) following the Type-5 or Type-6 strategy has a winning advantage in game \(G_3\), i.e., \(\Pr [\mathsf {S}_3] = 1/2\). To see this, first let us assume \(\mathcal {A} \) issued \(\mathsf {Test}(i^{*}, s^{*})\) and received a key that is not \(\bot \). That is, \(\pi ^{s^*}_{i^*}\) is in the \(\mathtt {accept}\) state. Due to the modification we made in game \(G_2\) and by the definition of the Type-5 or Type-6 strategy, conditioning on \(\mathsf {E_{testO}}\) not occurring, \(\pi ^{s^*}_{i^*}\) has no partner oracle \(\pi ^t_{\hat{\jmath }}\) for any \(t \in [\ell ]\) and the peer \(P_{\hat{\jmath }}\) was not corrupted before \(\pi ^{s^*}_{i^*}\) completed the protocol execution. On the other hand, if \(\pi ^{s^*}_{i^*}\) is in the \(\mathtt {accept}\) state, then event \(\mathsf {E_{sig}}\) must not have been triggered. Consequently, there exists some oracle \(\pi ^t_{\hat{\jmath }}\) that output \((\mathsf {sid}^{s^*}_{i^*}, \sigma ^*)\). Parsing \(\mathsf {sid}^{s^*}_{i^*}\) as \( P _{ i^{*} } \Vert P_{\hat{\jmath }} \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{\hat{\jmath }} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}\), this implies that \(\pi ^t_{\hat{\jmath }}\) and \(\pi ^{s^*}_{i^*}\) are partner oracles. Since this is a contradiction, \(\mathcal {A} \) can only receive \(\bot \) when it issues \(\mathsf {Test}(i^{*}, s^{*})\). Hence, since the challenge bit b is statistically hidden from \(\mathcal {A} \), we have \(\Pr [\mathsf {S}_3] = 1/2\).
It remains to bound \(\Pr \left[ \mathsf {E_{sig}}\right] \). We do this by constructing an algorithm \(\mathcal {B}_{3,0}\) against the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\). The description of \(\mathcal {B}_{3,0}\) follows: \(\mathcal {B}_{3,0}\) receives the public parameter \(\mathsf {pp}_{\mathsf{SIG}}\) and the challenge verification key \({\mathsf{vk}}^{*}\). \(\mathcal {B}_{3,0}\) sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) as in \(G_2\) using \(\mathsf {pp}_{\mathsf{SIG}}\). \(\mathcal {B}_{3,0}\) then samples \(\hat{\jmath }\) uniformly at random from \([\mu ]\), runs \((\mathsf {dk}_{\hat{\jmath }}, \mathsf {ek}_{\hat{\jmath }}) \leftarrow \mathsf {KEM}.\mathsf {KeyGen}(\mathsf {pp}{}_{\mathsf {KEM}})\), and sets the long-term public key of party \(P_{\hat{\jmath }}\) as \(\mathsf {lpk} _{\hat{\jmath }} \mathrel {\mathop :}={} (\mathsf {ek}_{\hat{\jmath }}, {\mathsf{vk}}^{*})\). The long-term secret key is implicitly set as \(\mathsf {lsk}_{\hat{\jmath }} \mathrel {\mathop :}=(\mathsf {dk}_{\hat{\jmath }}, {\mathsf{sk}}^*)\), where \({\mathsf{sk}}^*\) is unknown to \(\mathcal {B}_{3,0}\). For the rest of the parties \( P _{ i }\) for \(i \in [\mu \backslash \hat{\jmath }]\), \(\mathcal {B}_{3,0}\) generates \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) as in \(G_2\). Finally, \(\mathcal {B}_{3,0}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries by \(\mathcal {A}\) as follows:

\(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): \(\mathcal {B}_{3,0}\) responds as in \(G_2\).

\(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): Depending on the value of j, it performs the following:

If \(j = \hat{\jmath }\), then \(\mathcal {B}_{3,0}\) prepares \(\mathsf {sid}^t_{\hat{\jmath }}\) as in \(G_2\), and then sends \(\mathsf {sid}^t_{\hat{\jmath }}\) to its signing oracle and receives back a signature \(\sigma '\) for message \(\mathsf {sid}^t_{\hat{\jmath }}\) under \({\mathsf{sk}}^{*}\). \(\mathcal {B}_{3,0}\) then responds as in \(G_2\) except that it sets \(\sigma \mathrel {\mathop :}=\sigma '\).

If \(j \ne \hat{\jmath }\), then \(\mathcal {B}_{3,0}\) responds as in \(G_2\).


\(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): \(\mathcal {B}_{3,0}\) responds as in \(G_2\).

\(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{3,0}\) responds as in \(G_2\). Here, note that since \(\mathcal {A} \) follows the Type-5 or Type-6 strategy, \(\mathcal {B}_{3,0}\) can answer all the \(\mathsf {RevLTK}\) queries. Namely, conditioning on \(\mathsf {E_{testO}}\) not occurring, \(\mathcal {A} \) never queries \(\mathsf {RevLTK}(\hat{\jmath })\) (i.e., \(\mathsf {lsk}_{\hat{\jmath }} := (\mathsf {dk}_{\hat{\jmath }}, {\mathsf{sk}}^*)\)), which is the only query that \(\mathcal {B}_{3,0}\) cannot answer.

\(\mathsf {Test}(i, s)\): \(\mathcal {B}_{3,0}\) responds as in \(G_2\). Here, if \(\mathsf {Pid}^s_i \ne \hat{\jmath }\), then event \(\mathsf {E_{testO}}\) is triggered, so it aborts.
It is clear that \(\mathcal {B}_{3,0}\) perfectly simulates the view of game \(G_{2}\) to \(\mathcal {A} \). Below, we analyze the probability that \(\mathcal {B}_{3,0}\) breaks the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) and relate it to \(\Pr [\mathsf {E_{sig}}]\).
We assume \(\mathcal {A}\) issues \(\mathsf {Test}(i^{*}, s^{*})\). Let the message sent by the initiator oracle \(\pi ^{s^{*}}_{i^{*}}\) be \((\mathsf {ek}^{*}_{T}, \sigma _{i^*})\) and the message received by \(\pi ^{s^{*}}_{i^{*}}\) be \((\mathsf {C}^{*}, \mathsf {C}^{*}_{T}, \mathsf {c}^{*})\). Let \(\sigma ^{*}\) be the signature recovered from \(\mathsf {c}^{*}\). Then, by the definition of the Type-5 or Type-6 strategy and conditioned on \(\mathsf {E_{testO}}\) not occurring, the tested oracle \(\pi ^{s^{*}}_{i^{*}}\) satisfies the following conditions:

\(\mathsf {role}^{s^{*}}_{i^{*}} = \mathtt {init}{}\) and \(\mathsf {Pid}^{s^{*}}_{i^{*}} = \hat{\jmath }\),

\(\pi ^{s^{*}}_{i^{*}}\) is in the \(\mathtt {accept}\) state. This implies \(\mathsf{SIG}.\mathsf{Verify}({\mathsf{vk}}^{*}, P _{ i^{*} } \Vert P_{\hat{\jmath }} \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{\hat{\jmath }} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}, \sigma ^{*}) = 1\) holds,

\(P_{\hat{\jmath }}\) was not corrupted before \(\pi ^{s^{*}}_{i^{*}}\) completes the protocol execution,

\(\pi ^{s^{*}}_{i^{*}}\) has no partner oracles.
Since \(\pi ^{s^{*}}_{i^{*}}\) has no partner oracles, there exists no responder oracle \(\pi ^t_{\hat{\jmath }}\) that has received \(\mathsf {ek}^*_T\) from \( P _{ i^* }\) and output \((\mathsf {C}^{*}, \mathsf {C}^{*}_{T})\). In other words, there is no oracle \(\pi ^t_{\hat{\jmath }}\) that has signed the message \( P _{ i^{*} } \Vert P_{\hat{\jmath }} \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{\hat{\jmath }} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}\). Notice that this is exactly the event \(\mathsf {E_{sig}}\): an initiator oracle \(\pi ^{s^{*}}_{i^{*}}\) receives a signature that was not produced by an oracle \(\pi ^t_{\hat{\jmath }}\) for any \(t \in [\ell ]\), and \(P_{\hat{\jmath }}\) was not corrupted when \(\pi ^{s^{*}}_{i^{*}}\) received the signature. Therefore, \(\mathcal {B}_{3,0}\) obtains a valid forgery \(( P _{ i^{*} } \Vert P_{\hat{\jmath }} \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{\hat{\jmath }} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}, \sigma ^{*})\), and we have \(\Pr [\mathsf {E_{sig}}] = \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,0})\). Combining everything together, we conclude
\(\square \)
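The protocol analysed in these proofs, as an added Go model that is not code from the paper or its C implementation; it serves both the key derivation modified in games \(G_5\) and \(G_6\) above and the \(\mathsf {sid}\)/signature binding that the proof of Lemma A.3 relies on. Assumptions: an X25519 DH-KEM stands in for both \(\Pi _\mathsf{wKEM}\) and \(\Pi _\mathsf {KEM}\), Ed25519 for \(\Pi _{\mathsf{SIG}}\), HMAC-SHA256 for \(\mathsf {Ext}\) and \(\mathsf {F}\), \(\mathsf {c}\) is taken to be the one-time-pad encryption of \(\sigma \) under \(\tilde{k}\), and the party names, the salt \(s\) and the key lengths are constructed. An initiator accepts only when the \(\sigma \) recovered from \(\mathsf {c}\) verifies on the \(\mathsf {sid}\) it rebuilt itself, which is the partnering argument of Lemma A.3 in running form.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const kappa, d = 32, ed25519.SignatureSize // |k| and the length d of the signature inside c
// X25519 DH-KEM standing in for both wKEM and KEM (assumption: the paper's implementation
// uses post-quantum KEMs; X25519 only keeps this example on the standard library). C is an
// ephemeral public key and K = SHA-256(ss || ek); malformed X25519 input is fatal here (must).
var curve = ecdh.X25519()

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
func kemKey(ss, ek []byte) []byte { h := sha256.Sum256(append(ss, ek...)); return h[:] }
func kemEncap(ek []byte) (K, C []byte) {
	eph := must(curve.GenerateKey(rand.Reader))
	return kemKey(must(eph.ECDH(must(curve.NewPublicKey(ek)))), ek), eph.PublicKey().Bytes()
}
func kemDecap(dk *ecdh.PrivateKey, C []byte) []byte {
	return kemKey(must(dk.ECDH(must(curve.NewPublicKey(C)))), dk.PublicKey().Bytes())
}
// Party holds lpk = (ek, vk) and lsk = (dk, sk), where ek = DK.PublicKey().
type Party struct {
	Name string
	DK   *ecdh.PrivateKey
	VK   ed25519.PublicKey
	SK   ed25519.PrivateKey
}

func NewParty(name string) *Party {
	vk, sk, _ := ed25519.GenerateKey(rand.Reader)
	return &Party{name, must(curve.GenerateKey(rand.Reader)), vk, sk}
}
func (p *Party) ek() []byte  { return p.DK.PublicKey().Bytes() }
func (p *Party) lpk() []byte { return bytes.Join([][]byte{p.ek(), p.VK}, nil) }
// ext is the strong extractor Ext_s (HMAC-SHA256 keyed with the public salt s); prf expands
// F_K(sid) to kappa+d bytes with HMAC-SHA256 in counter mode; xor combines two PRF outputs.
func ext(s, K []byte) []byte { m := hmac.New(sha256.New, s); m.Write(K); return m.Sum(nil) }
func prf(K, sid []byte) []byte {
	var out []byte
	for i := byte(0); len(out) < kappa+d; i++ {
		m := hmac.New(sha256.New, K)
		m.Write(sid); m.Write([]byte{i})
		out = m.Sum(out)
	}
	return out[:kappa+d]
}
func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a { out[i] = a[i] ^ b[i] }
	return out
}
// sessionID builds sid = P_i || P_j || lpk_i || lpk_j || ek_T || C || C_T, and deriveKeys
// computes k || k~ = F_{K1}(sid) xor F_{K2}(sid) with K1 = Ext_s(K) and K2 = Ext_s(K_T).
func sessionID(i, j *Party, ekT, C, CT []byte) []byte {
	return bytes.Join([][]byte{[]byte(i.Name), []byte(j.Name), i.lpk(), j.lpk(), ekT, C, CT}, nil)
}
func deriveKeys(s, K, KT, sid []byte) (k, kTilde []byte) {
	kk := xor(prf(ext(s, K), sid), prf(ext(s, KT), sid))
	return kk[:kappa], kk[kappa:]
}

type Msg1 struct{ EKT, SigI []byte }  // (ek_T, sigma_i)
type Msg2 struct{ C, CT, Ctxt []byte } // (C, C_T, c)
// InitiatorStart is the initiator oracle's first invocation; the returned dk_T is its state.
func InitiatorStart(i *Party) (Msg1, *ecdh.PrivateKey) {
	dkT := must(curve.GenerateKey(rand.Reader))
	return Msg1{dkT.PublicKey().Bytes(), ed25519.Sign(i.SK, dkT.PublicKey().Bytes())}, dkT
}

// Respond is responder oracle j answering initiator i with (C, C_T, c); it also returns k and
// sid. c = sigma xor k~ (assumption: one-time pad, as the kappa+d PRF output length suggests).
func Respond(j, i *Party, s []byte, m1 Msg1) (Msg2, []byte, []byte, error) {
	if !ed25519.Verify(i.VK, m1.EKT, m1.SigI) {
		return Msg2{}, nil, nil, errors.New("sigma_i does not verify")
	}
	K, C := kemEncap(i.ek())   // KEM under the initiator's long-term ek_i
	KT, CT := kemEncap(m1.EKT) // wKEM under the ephemeral ek_T
	sid := sessionID(i, j, m1.EKT, C, CT)
	k, kTilde := deriveKeys(s, K, KT, sid)
	return Msg2{C, CT, xor(ed25519.Sign(j.SK, sid), kTilde)}, k, sid, nil
}
// InitiatorFinish is the second invocation: sigma is recovered from c and accepted only if it
// verifies on the sid the initiator rebuilt itself, which is what ties it to a partner oracle.
func InitiatorFinish(i, j *Party, s []byte, dkT *ecdh.PrivateKey, m2 Msg2) ([]byte, []byte, error) {
	K, KT := kemDecap(i.DK, m2.C), kemDecap(dkT, m2.CT)
	sid := sessionID(i, j, dkT.PublicKey().Bytes(), m2.C, m2.CT)
	k, kTilde := deriveKeys(s, K, KT, sid)
	if !ed25519.Verify(j.VK, sid, xor(m2.Ctxt, kTilde)) {
		return nil, nil, errors.New("sigma does not verify: reject")
	}
	return k, sid, nil
}
```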
Proof of Lemma A.4: Against Type-7 or Type-8 Adversary
Lemma A.4
For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-7 or Type-8 strategy, there exists a \(\mathsf {QPT}\) algorithm \(\mathcal {B}_{3,1}\) breaking the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) such that
Proof of Lemma A.4
We present the rest of the sequence of games from game \(G_{1}\).
Game \(G_{2}\) At the beginning of this game, \(\mathcal {C}\) chooses a party \(P_{\hat{\imath }}\) uniformly at random from the \(\mu \) parties. Let \(\mathsf {E_{testO}}\) be the event that the peer of the tested oracle is not \(P_{\hat{\imath }}\). If event \(\mathsf {E_{testO}}\) occurs, \(\mathcal {C}\) aborts. Since \(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability \(1/\mu \), we have
Game \(G_{3}\) This game is identical to \(G_{2}\), except that we add an abort condition. Let S be the list of message-signature pairs that \(P_{\hat{\imath }}\) generated as an initiator oracle. That is, every time \(\pi ^s_{\hat{\imath }}\) for some \(s \in [\ell ]\) is invoked as an initiator, it updates the list S by appending the message-signature pair \((\mathsf {ek}^s_{\hat{\imath }}, \sigma ^s_{\hat{\imath }})\) that it generates. Then, when a responder oracle \(\pi _{j}^t\) for any \((j, t) \in [\mu ] \times [\ell ]\) is invoked on input \((\mathsf {ek}_T, \sigma )\) from party \(P_{\hat{\imath }}\) (i.e., \(\mathsf {Pid}^t_j = \hat{\imath }\)), it checks that, if \(\mathsf{SIG}.\mathsf{Verify}({\mathsf{vk}}_{\hat{\imath }}, \mathsf {ek}_T, \sigma ) = 1\) and \(P_{\hat{\imath }}\) is not corrupted, then \((\mathsf {ek}_T, \sigma ) \in S\). If this check fails, the game aborts. Otherwise, it proceeds as in the previous game. We denote the event that the game aborts by \(\mathsf {E_{sig}}\). Since the two games are identical until abort, we have
Before bounding \(\Pr \left[ \mathsf {E_{sig}}\right] \), we finish the proof of the lemma. We show that no adversary \(\mathcal {A} \) following the Type-7 or Type-8 strategy has a winning advantage in game \(G_3\), i.e., \(\Pr [\mathsf {S}_3] = 1/2\). To see this, first let us assume \(\mathcal {A} \) issued \(\mathsf {Test}(j^{*}, t^{*})\) and received a key that is not \(\bot \). That is, \(\pi ^{t^*}_{j^*}\) is in the \(\mathtt {accept}\) state. Due to the modification we made in game \(G_2\) and by the definition of the Type-7 or Type-8 strategy, conditioning on \(\mathsf {E_{testO}}\) not occurring, \(\pi ^{t^*}_{j^*}\) has no partner oracle \(\pi ^s_{\hat{\imath }}\) for any \(s \in [\ell ]\) and the peer \(P_{\hat{\imath }}\) was not corrupted before \(\pi ^{t^*}_{j^*}\) completed the protocol execution. On the other hand, if \(\pi ^{t^*}_{j^*}\) is in the \(\mathtt {accept}\) state, then event \(\mathsf {E_{sig}}\) must not have been triggered. Consequently, there exists some oracle \(\pi ^s_{\hat{\imath }}\) that output \((\mathsf {ek}^{s}_{\hat{\imath }}, \sigma ^{s}_{\hat{\imath }})\), and \(\pi ^{t^*}_{j^*}\) received it. This implies that \(\pi ^s_{\hat{\imath }}\) and \(\pi ^{t^*}_{j^*}\) are partner oracles. Since this is a contradiction, \(\mathcal {A} \) can only receive \(\bot \) when it issues \(\mathsf {Test}(j^{*}, t^{*})\). Hence, since the challenge bit b is statistically hidden from \(\mathcal {A} \), we have \(\Pr [\mathsf {S}_3] = 1/2\).
It remains to bound \(\Pr \left[ \mathsf {E_{sig}}\right] \). We do this by constructing an algorithm \(\mathcal {B}_{3,1}\) against the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\). The description of \(\mathcal {B}_{3,1}\) follows: \(\mathcal {B}_{3,1}\) receives the public parameter \(\mathsf {pp}_{\mathsf{SIG}}\) and the challenge verification key \({\mathsf{vk}}^{*}\). \(\mathcal {B}_{3,1}\) sets up the public parameter of \(\Pi _{\mathsf {SC}\text {-}\mathsf {AKE}}\) as in \(G_2\) using \(\mathsf {pp}_{\mathsf{SIG}}\). \(\mathcal {B}_{3,1}\) then samples \(\hat{\imath }\) uniformly at random from \([\mu ]\), runs \((\mathsf {dk}_{\hat{\imath }}, \mathsf {ek}_{\hat{\imath }}) \leftarrow \mathsf {KEM}.\mathsf {KeyGen}(\mathsf {pp}{}_{\mathsf {KEM}})\), and sets the long-term public key of party \(P_{\hat{\imath }}\) as \(\mathsf {lpk} _{\hat{\imath }} \mathrel {\mathop :}={} (\mathsf {ek}_{\hat{\imath }}, {\mathsf{vk}}^{*})\). The long-term secret key is implicitly set as \(\mathsf {lsk}_{\hat{\imath }} \mathrel {\mathop :}=(\mathsf {dk}_{\hat{\imath }}, {\mathsf{sk}}^*)\), where \({\mathsf{sk}}^*\) is unknown to \(\mathcal {B}_{3,1}\). For the remaining parties \( P _{ i }\) with \(i \in [\mu ] \backslash \{\hat{\imath }\}\), \(\mathcal {B}_{3,1}\) generates \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) as in \(G_2\). Finally, \(\mathcal {B}_{3,1}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _{\mathsf {SC}\text {-}\mathsf {AKE}}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries by \(\mathcal {A}\) as follows:

\(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): Depending on the value of i, it performs the following:

If \(i = \hat{\imath }\), then \(\mathcal {B}_{3,1}\) prepares \(\mathsf {ek}_{T}\) as in \(G_2\), and then sends \(\mathsf {ek}_{T}\) to its signing oracle and receives back a signature \(\sigma '\) for message \(\mathsf {ek}_{T}\) under \({\mathsf{sk}}^{*}\). \(\mathcal {B}_{3,1}\) then responds as in \(G_2\) except that it sets \(\sigma _{i} \mathrel {\mathop :}=\sigma '\).

If \(i \ne \hat{\imath }\), then \(\mathcal {B}_{3,1}\) responds as in \(G_2\).


\(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): \(\mathcal {B}_{3,1}\) responds as in \(G_2\).

\(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): \(\mathcal {B}_{3,1}\) responds as in \(G_2\).

\(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{3,1}\) responds as in \(G_2\). Note that since \(\mathcal {A} \) follows the Type-7 or Type-8 strategy, \(\mathcal {B}_{3,1}\) can answer every \(\mathsf {RevLTK}\) query. Namely, conditioned on \(\mathsf {E_{testO}}\) not occurring, \(\mathcal {A} \) never queries \(\mathsf {RevLTK}(\hat{\imath })\) (i.e., \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}_{\hat{\imath }}, {\mathsf{sk}}^*)\)), which is the only query that \(\mathcal {B}_{3,1}\) cannot answer.

\(\mathsf {Test}(i, s)\): \(\mathcal {B}_{3,1}\) responds as in \(G_2\). Here, in case \(\mathsf {Pid}^s_i \ne \hat{\imath }\), then event \(\mathsf {E_{testO}}\) is triggered, so it aborts.
It is clear that \(\mathcal {B}_{3,1}\) perfectly simulates the view of game \(G_{2}\) to \(\mathcal {A} \). Below, we analyze the probability that \(\mathcal {B}_{3,1}\) breaks the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) and relate it to \(\Pr [\mathsf {E_{sig}}]\).
We assume \(\mathcal {A}\) issues \(\mathsf {Test}(j^{*}, t^{*})\). Let the message received by the responder oracle \(\pi ^{t^{*}}_{j^{*}}\) be \((\mathsf {ek}^{*}_{T}, \sigma ^{*})\). Then, by the definition of the Type-7 or Type-8 strategy and conditioned on \(\mathsf {E_{testO}}\) not occurring, the oracle \(\pi ^{t^{*}}_{j^{*}}\) satisfies the following conditions:

\(\mathsf {role}^{t^{*}}_{j^{*}} = \mathtt {resp}{}\) and \(\mathsf {Pid}^{t^{*}}_{j^{*}} = \hat{\imath }\),

\(\pi ^{t^{*}}_{j^{*}}\) is in the \(\mathtt {accept}\) state. This implies \(\mathsf{SIG}.\mathsf{Verify}({\mathsf{vk}}^{*}, \mathsf {ek}^{*}_{T}, \sigma ^{*}) = 1\) holds,

\(P_{\hat{\imath }}\) was not corrupted before \(\pi ^{t^{*}}_{j^{*}}\) completes the protocol execution,

\(\pi ^{t^{*}}_{j^{*}}\) has no partner oracles.
Since \(\pi ^{t^{*}}_{j^{*}}\) has no partner oracles, there exists no initiator oracle \(\pi ^s_{\hat{\imath }}\) that has output \((\mathsf {ek}^{*}_{T}, \sigma ^{*})\). In other words, there is no oracle \(\pi ^s_{\hat{\imath }}\) that has signed the message \(\mathsf {ek}^{*}_{T}\). Notice that this is exactly the event \(\mathsf {E_{sig}}\): a responder oracle \(\pi ^{t^{*}}_{j^{*}}\) receives a signature that was not produced by an oracle \(\pi ^s_{\hat{\imath }}\) for any \(s \in [\ell ]\), and \(P_{\hat{\imath }}\) was not corrupted when \(\pi ^{t^{*}}_{j^{*}}\) received the signature. Therefore, \(\mathcal {B}_{3,1}\) obtains a valid forgery \((\mathsf {ek}^{*}_{T}, \sigma ^{*})\), and we have \(\Pr [\mathsf {E_{sig}}] = \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,1})\).
Combining everything together, we conclude
\(\square \)
B Full Proofs for Deniable Signal-Conforming AKE \(\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}\)
In this section, we provide the proofs of the correctness and security of our deniable Signal-conforming AKE protocol \(\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}\).
B.1 Correctness of Deniable Signal-Conforming AKE \(\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}\)
We prove the correctness of our deniable Signal-conforming AKE protocol \(\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}\).
Proof of Theorem 7.6
This proof is similar to the proof of Theorem 4.2. It is clear that an initiator oracle and a responder oracle become partners when they execute the protocol faithfully. Moreover, if no correctness error occurs in the underlying KEM schemes and ring signature scheme, the partner oracles compute an identical session key. Since each oracle is assigned uniform randomness, the probability that a correctness error occurs in one of the underlying schemes is bounded by \(\delta _{\mathsf {RS}{}} +2 \delta _{\mathsf {KEM}} \). Since there are at most \(\mu \ell /2\) responder oracles, the AKE protocol is correct except with probability \(\mu \ell \cdot (\delta _{\mathsf {RS}{}} + 2\delta _{\mathsf {KEM}})/2\). \(\square \)
B.2 Security of Deniable Signal-Conforming AKE \(\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}\)
We prove the security of our deniable Signal-conforming AKE protocol \(\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}\).
Proof of Theorem 7.7
Let \(\mathcal {A}\) be an adversary that plays the security game \(G^{\mathsf {weakFS}}_{\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}}(\mu , \ell )\) with the challenger \(\mathcal {C}\) with advantage \(\mathsf {Adv}^{\mathsf {AKE}\text {-}\mathsf {weakFS}}_{\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}}(\mathcal {A}) = \epsilon \). The bulk of the proof is identical to the proof of Theorem 4.3 for the (non-deniable) protocol \(\Pi _{\mathsf {SC}\text {-}\mathsf {AKE}}\). Namely, we divide the strategies that can be taken by \(\mathcal {A} \) (listed in Table 1) into cases, and for each case we construct an algorithm that breaks one of the underlying assumptions by using such an \(\mathcal {A} \) as a subroutine. Formally, we construct seven algorithms \(\mathcal {B}_{1}, \dots , \mathcal {B}_{4}\) and \(\mathcal {D}_{1}, \dots , \mathcal {D}_{3}\) satisfying the following:

1. If \(\mathcal {A}\) uses the Type-1 (or Type-2) strategy, then \(\mathcal {B}_{1}\) succeeds in breaking the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell ^{2}}\epsilon \) or \(\mathcal {D}_{1}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell ^{2}}\epsilon \).

2. If \(\mathcal {A}\) uses the Type-3 (or Type-4) strategy, then \(\mathcal {B}_{2}\) succeeds in breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \) or \(\mathcal {D}_{2}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \).

3. If \(\mathcal {A}\) uses the Type-5 or Type-6 strategy, then \(\mathcal {B}_{3}\) succeeds in breaking the unforgeability of \(\Pi _\mathsf{RS}\) with advantage \(\approx \epsilon \).

4. If \(\mathcal {A}\) uses the Type-7 (or Type-8) strategy, then \(\mathcal {B}_{4}\) succeeds in breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \) or \(\mathcal {D}_{3}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \).
We present a security proof structured as a sequence of games. Without loss of generality, we assume that \(\mathcal {A}\) always issues a \(\mathsf {Test}\) query. In the following, let \(\mathsf {S}_{j}\) denote the event that \(b = b'\) occurs in game \(G_{j}\) and let \(\epsilon _{j} \mathrel {\mathop :}= \left| \Pr \left[ \mathsf {S}_{j}\right] - 1/2 \right| \) denote the advantage of the adversary in game \(G_{j}\). Regardless of the strategy taken by \(\mathcal {A}\), all proofs share a common game sequence \(G_{0}\) to \(G_{1}\) as described below. Although these games are identical to those of Theorem 4.3, we provide them for completeness.
Game \(G_{0}\) This game is identical to the original security game. We thus have
Game \(G_{1}\) This game is identical to \(G_{0}\), except that we add an abort condition. Let \(\mathsf {E}_{\mathsf {corr}}{}\) be the event that there exist two partner oracles \(\pi ^s_i\) and \(\pi ^t_j\) that do not agree on the same session key. If \(\mathsf {E}_{\mathsf {corr}}\) occurs, then \(\mathcal {C}\) aborts (i.e., sets \(\mathcal {A} \)’s output to be a random bit) at the end of the game.
There are at most \(\mu \ell /2\) responder oracles and each oracle is assigned uniform randomness. From Theorem 7.6, the probability of error occurring during the security game is at most \(\mu \ell (\delta _{\mathsf {RS}{}} + 2\delta _{\mathsf {KEM}})/2\). Therefore, \(\mathsf {E}_{\mathsf {corr}}\) occurs with probability at most \(\mu \ell (\delta _{\mathsf {RS}{}} + 2\delta _{\mathsf {KEM}})/2\). We thus have
In the following games we assume no decryption error or signature verification error occurs.
We now divide the game sequence depending on the strategy taken by the adversary \(\mathcal {A}\). Regardless of \(\mathcal {A}{}\)'s strategy, we prove that \(\epsilon _{1}\) is negligible, which in particular implies that \(\epsilon \) is also negligible. Formally, this is shown in Lemmata B.1 to B.4 provided below. We first complete the proof of the theorem. Specifically, by combining all the lemmata together, we obtain the following desired bound:
Here, the running time of the algorithms \(\mathcal {B}_{1}, \dots , \mathcal {B}_{4}\) and \(\mathcal {D}_{1}, \dots , \mathcal {D}_{3}\) consists essentially of the time required to simulate the security game for \(\mathcal {A}\) once, plus a minor number of additional operations. \(\square \)
It remains to prove Lemmata B.1 to B.4. Since the proofs of Lemmata B.3 and B.4 are a direct consequence of the proofs of the corresponding Lemmata A.1 and A.2 of Theorem 4.3, we focus on proving Lemmata B.1 and B.2 below.
Lemma B.1
For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-5 or Type-6 strategy, there exists a \(\mathsf {QPT}\) algorithm \(\mathcal {B}_{3}\) breaking the unforgeability of \(\Pi _\mathsf{RS}\) such that
Proof of Lemma B.1
We present the rest of the sequence of games from game \(G_{1}\).
Game \(G_{2}\) This game is identical to \(G_{1}\), except that we add an abort condition. Let \(S_{j}\) be the list of message-signature pairs that \( P _{ j }\) generated while acting as a responder oracle. That is, every time \(\pi ^t_{j}\) for some \(t \in [\ell ]\) is invoked as a responder, it updates the list \(S_{j}\) by appending the message-signature pair \((\mathsf {sid}^t_{j}, \sigma ^t_{j})\) that it generates. Then, when an initiator oracle \(\pi _{i}^s\) for any \((i, s) \in [\mu ] \times [\ell ]\) is invoked on input \((\mathsf {C}, \mathsf {C}_{T}, \mathsf {c})\) from party \( P _{ j }\) (i.e., \(\mathsf {Pid}^s_i = j\)), it first computes \(\mathsf {sid}^s_i\) and \(\sigma \) as in the previous game and checks whether \(\mathsf {RS}.\mathsf {Verify}(\left\{ \mathsf {vk}_T, \mathsf {vk}_{j} \right\} , \mathsf {sid}^s_i, \sigma ) = 1\) and \((\mathsf {sid}^s_i, \sigma ) \in S_{j}\). If not, the game aborts. Otherwise, it proceeds as in the previous game. We call the event that this abort occurs \(\mathsf {E_{sig}}\). Since the two games are identical until abort, we have
Before bounding \(\Pr \left[ \mathsf {E_{sig}}\right] \), we finish the proof of the lemma. We show that no adversary \(\mathcal {A}\) following the Type-5 or Type-6 strategy has any winning advantage in game \(G_2\), i.e., \(\Pr [\mathsf {S}_2] = 1/2\). To see this, first assume that \(\mathcal {A}\) issued \(\mathsf {Test}(i^{*}, s^{*})\) and received a key that is not \(\bot \). In other words, \(\pi ^{s^*}_{i^*}\) is in the \(\mathtt {accept}\) state. By the definition of the Type-5 or Type-6 strategy, \(\pi ^{s^*}_{i^*}\) has no partner oracle \(\pi ^t_{j}\) for any \((j, t) \in [\mu ] \times [\ell ]\). On the other hand, if \(\pi ^{s^*}_{i^*}\) is in the \(\mathtt {accept}\) state, then event \(\mathsf {E_{sig}}\) cannot have been triggered. Consequently, there exists some oracle \(\pi ^t_{j}\) that output \((\mathsf {sid}^{s^*}_{i^*}, \sigma ^*)\). Parsing \(\mathsf {sid}^{s^*}_{i^*}\) as \( P _{ i^{*} } \Vert P _{ j } \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{j} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {vk}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}\), this implies that \(\pi ^t_{j}\) and \(\pi ^{s^*}_{i^*}\) are partner oracles, a contradiction. Hence, \(\mathcal {A}\) can only receive \(\bot \) when it issues \(\mathsf {Test}(i^{*}, s^{*})\), and since the challenge bit b is then statistically hidden from \(\mathcal {A}\), we have \(\Pr [\mathsf {S}_2] = 1/2\).
It remains to bound \(\Pr \left[ \mathsf {E_{sig}}\right] \). We do this by constructing an algorithm \(\mathcal {B}_{3}\) against the unforgeability of \(\Pi _\mathsf{RS}\). The description of \(\mathcal {B}_3\) follows: \(\mathcal {B}_3\) receives the public parameter \(\mathsf {pp}_{\mathsf {RS}}\) and \(\mu + \mu \ell \) verification keys \(\mathsf {vk}_{1},\dots ,\mathsf {vk}_{\mu }\) and \(\mathsf {vk}^{1}_{1},\dots ,\mathsf {vk}^{\ell }_{\mu }\). \(\mathcal {B}_3\) sets up the public parameter of \(\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}\) as in game \(G_{2}\) using \(\mathsf {pp}_{\mathsf {RS}}\). For every party \( P _{ i }\), \(\mathcal {B}_3\) then runs \((\mathsf {dk}_{i}, \mathsf {ek}_{i}) \leftarrow \mathsf {KEM}.\mathsf {KeyGen}(\mathsf {pp}{}_{\mathsf {KEM}})\) and sets the long-term public key of \( P _{ i }\) as \(\mathsf {lpk} _{i} \mathrel {\mathop :}={} (\mathsf {ek}_{i}, \mathsf {vk}_{i})\). The long-term secret key is implicitly set as \(\mathsf {lsk}_{i} \mathrel {\mathop :}=(\mathsf {dk}_{i}, \mathsf {sk}_{i})\), where \(\mathsf {sk}_{i}\) is unknown to \(\mathcal {B}_3\). Finally, \(\mathcal {B}_{3}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries by \(\mathcal {A}\) as follows:

\(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): \(\mathcal {B}_{3}\) responds as in \(G_1\) except that it sets \(\mathsf {vk}_{T} \mathrel {\mathop :}=\mathsf {vk}^{s}_{i}\).

\(\mathsf {Send}(j, t, m=(\mathsf {ek}_{T}, \mathsf {vk}_{T}))\): \(\mathcal {B}_3\) responds as in \(G_1\) except that rather than constructing the signature \(\sigma \) on its own, it sends \((\mathsf {sign}, j, \mathsf {sid}^t_{j}, \left\{ \mathsf {vk}_{T}, \mathsf {vk}_{j} \right\} )\) to its signing oracle and uses the signature \(\sigma '\) that it receives.

\(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): \(\mathcal {B}_{3}\) responds as in \(G_1\).

\(\mathsf {RevLTK}(i)\): \(\mathcal {B}_{3}\) sends \((\mathsf {corrupt}, i)\) to its corruption oracle and receives back a signing key \(\mathsf {sk}'_{i}\). \(\mathcal {B}_3\) then sets \(\mathsf {sk}_{i} \mathrel {\mathop :}=\mathsf {sk}'_{i}\) and returns \(\mathsf {lsk}_{i} = (\mathsf {dk}_i, \mathsf {sk}_i)\).

\(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{3}\) responds as in \(G_1\).

\(\mathsf {Test}(i, s)\): \(\mathcal {B}_{3}\) responds as in \(G_1\).
It is clear that \(\mathcal {B}_3\) perfectly simulates the view of game \(G_{2}\) to \(\mathcal {A}\). Below, we analyze the probability that \(\mathcal {B}_3\) breaks the unforgeability of \(\Pi _\mathsf{RS}\) and relate it to \(\Pr [\mathsf {E_{sig}}]\).
We assume \(\mathcal {A}\) issues \(\mathsf {Test}(i^{*}, s^{*})\). Let the message sent by the initiator oracle \(\pi ^{s^{*}}_{i^{*}}\) be \((\mathsf {ek}^{*}_{T}, \mathsf {vk}^{*}_{T})\) and the message received by \(\pi ^{s^{*}}_{i^{*}}\) be \((\mathsf {C}^{*}, \mathsf {C}^{*}_{T}, \mathsf {c}^{*})\). Let \(\sigma ^{*}\) be the signature recovered from \(\mathsf {c}^{*}\). Then, by the definition of the Type-5 or Type-6 strategy, the tested oracle \(\pi ^{s^{*}}_{i^{*}}\) satisfies the following conditions:

\(\mathsf {role}^{s^{*}}_{i^{*}} = \mathtt {init}{}\),

\( P _{ j }\) is not corrupted where \(\mathsf {Pid}^{s^{*}}_{i^{*}} = j\) and \(j \in [\mu ]\),

\(\pi ^{s^{*}}_{i^{*}}\) is in the \(\mathtt {accept}\) state. This implies \(\mathsf {RS}.\mathsf {Verify}(\left\{ \mathsf {vk}^{*}_{T}, \mathsf {vk}_{j} \right\} , P _{ i^{*} } \Vert P _{ j } \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{j} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {vk}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}, \sigma ^{*}) = 1\) holds,

\(\pi ^{s^{*}}_{i^{*}}\) has no partner oracles.
Since \( P _{ j }\) is not corrupted, \(\mathcal {A}\) has never issued a \(\mathsf {RevLTK}(j)\) query. Moreover, since an honest initiator discards \(\mathsf {sk}^*_T\) upon generation, \(\mathcal {B}_3\) never uses it for the simulation. These two facts imply that neither \((\mathsf {corrupt}, j)\) nor \((\mathsf {corrupt}, (i, T))\) has ever been queried, where \((\mathsf {corrupt}, (i, T))\) is the query regarding the verification key \(\mathsf {vk}^{s^*}_{i^*}\). In particular, the ring \(\left\{ \mathsf {vk}^{*}_{T}, \mathsf {vk}_{j} \right\} \) consists of non-corrupted verification keys. Moreover, since \(\pi ^{s^{*}}_{i^{*}}\) has no partner oracles, there exists no responder oracle \(\pi ^t_{j}\) that has received \((\mathsf {ek}^*_T, \mathsf {vk}^{*}_{T})\) from \( P _{ i^* }\) and sent \((\mathsf {C}^{*}, \mathsf {C}^{*}_{T})\). In other words, there is no oracle \(\pi ^t_{j}\) that has signed the message \( P _{ i^{*} } \Vert P _{ j } \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{j} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {vk}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}\). Notice that this is exactly the event \(\mathsf {E_{sig}}\): an initiator oracle \(\pi ^{s^{*}}_{i^{*}}\) receives a signature that was not produced by an oracle \(\pi ^t_{j}\) for any \(t \in [\ell ]\). Therefore, we have \(\Pr [\mathsf {E_{sig}}] = \mathsf {Adv}^{\mathsf {Unf}}_{\mathsf {RS}{}}(\mathcal {B}_{3})\).
Combining everything together, we conclude
\(\square \)
Lemma B.2
For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-7 or Type-8 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{4}\) breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) and \(\mathcal {D}_{3}\) breaking the security of PRF \(\mathsf {F}\) such that
Proof of Lemma B.2
We present the rest of the sequence of games from game \(G_{1}\).
Game \(G_{2}\) This game is identical to \(G_{1}\), except that we add another abort condition. Let \(\mathsf {E}_{\mathsf {coll}}\) be the event that there exist two responder oracles \(\pi ^t_j\) and \(\pi ^{t'}_j\) for some \(j \in [\mu ]\) and \(t \ne t' \in [\ell ]\) that output the same \(\Pi _\mathsf {KEM}\) ciphertext. That is, there exist two oracles \(\pi ^t_j\) and \(\pi ^{t'}_j\) that output \((\mathsf {C}, \mathsf {C}_T, \mathsf {c})\) and \((\mathsf {C}', \mathsf {C}'_T, \mathsf {c}')\) such that \(\mathsf {C}= \mathsf {C}'\). Here, we only consider the case where \(\mathsf {Pid}^t_j\) and \(\mathsf {Pid}^{t'}_j\) correspond to parties generated by the game (and not parties registered by the adversary). If \(\mathsf {E}_{\mathsf {coll}}\) occurs, then \(\mathcal {C}\) aborts. Since \(G_{1}\) and \(G_{2}\) proceed identically unless \(\mathsf {E}_{\mathsf {coll}}\) occurs, we have
We claim
Since each oracle \(\pi ^t_j\) is initialized with uniform and independent randomness and \(\mathsf {ek}_i\) is honestly generated, where \(i = \mathsf {Pid}^t_j\), each ciphertext \(\mathsf {C}\) output by oracle \(\pi ^t_j\) has \(\chi _{\mathsf {KEM}}\) bits of min-entropy due to the \( \chi _{\mathsf {KEM}}\)-high ciphertext min-entropy of \(\Pi _\mathsf {KEM} \). Fixing one \(j \in [\mu ]\), the probability of a collision occurring is upper bounded by \(\mu ^2/ 2^{ \chi _{\mathsf {KEM}}}\). Then, taking the union bound over all the parties, we obtain the claimed bound.
Game \(G_{3}\) In this game, before starting the game, \(\mathcal {C}\) chooses a responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) and a party \(P_{\hat{\imath }}\) uniformly at random from \(\mu \ell \) oracles and \(\mu \) parties, respectively. Let \(\mathsf {E_{testO}}\) be the event that the tested oracle is not \(\pi ^{\hat{t}}_{\hat{\jmath }}\) or the peer of the tested oracle is not \(P_{\hat{\imath }}\). Since \(\mathsf {E_{testO}}\) is an efficiently checkable event, \(\mathcal {C}\) aborts as soon as it detects that event \(\mathsf {E_{testO}}\) occurs. \(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability \(1/\mu ^{2}\ell \), so we have
Game \(G_{4}\) In this game, we modify the way the initiator oracle \(\pi ^{s}_{\hat{\imath }}\) for any \(s \in [\ell ]\) responds on its second invocation. Let \((\mathsf {K}, \mathsf {C})\) be the \(\Pi _\mathsf {KEM}\) key-ciphertext pair generated by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). Then, when \(\pi ^{s}_{\hat{\imath }}\) is invoked (for the second time) on input \((\mathsf {C}', \mathsf {C}_{T}, \mathsf {c})\), it first checks whether \(\mathsf {C}' = \mathsf {C}\). If so, it proceeds as in the previous game except that it uses the key \(\mathsf {K}\) generated by \(\pi ^{\hat{t}}_{\hat{\jmath }}\) rather than the key obtained by decapsulating \(\mathsf {C}'\). Otherwise, if \(\mathsf {C}' \ne \mathsf {C}\), it proceeds exactly as in the previous game.
Conditioning on event \(\mathsf {E}_{\mathsf {corr}}{}\) (i.e., decryption failure) not occurring, the two games \(G_3\) and \(G_4\) are identical. Hence,
Game \(G_{5}\) In this game, we modify the way the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) responds. When the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) is invoked on input \(\mathsf {ek}_T\), it samples a random key instead of computing \((\mathsf {K}, \mathsf {C}) \leftarrow \mathsf {KEM}.\mathsf {Encap}(\mathsf {ek}_{\hat{\imath }})\). Note that due to the modification we made in the previous game, when the initiator oracle \(\pi ^{s}_{\hat{\imath }}\) for any \(s \in [\ell ]\) is invoked (for the second time) on input \((\mathsf {C}', \mathsf {C}_{T}, \mathsf {c})\) with \(\mathsf {C}' = \mathsf {C}\), it uses the random key \(\mathsf {K}\) generated by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). We claim that \(G_{4}\) and \(G_{5}\) are indistinguishable assuming the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\). To prove this, we construct an algorithm \(\mathcal {B}_{4}\) breaking the \(\mathsf {IND\text {-}CCA}\) security as follows.
\(\mathcal {B}_{4}\) receives a public parameter \(\mathsf {pp}{}_{\mathsf {KEM}}\), a public key \(\mathsf {ek}^{*}\), and a challenge \((\mathsf {K}^{*}, \mathsf {C}^{*})\) from its challenger. \(\mathcal {B}_{4}\) then samples a random , sets up the public parameter of \(\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}\) using \(\mathsf {pp}{}_{\mathsf {KEM}}\), and generates the long-term key pairs as follows. For party \(P_{\hat{\imath }}\), \(\mathcal {B}_{4}\) runs \((\mathsf {vk}_{\hat{\imath }}, \mathsf {sk}_{\hat{\imath }}) \leftarrow \mathsf {RS}.\mathsf {KeyGen}(1^{\kappa })\), sets the long-term public key as \(\mathsf {lpk} _{\hat{\imath }} := (\mathsf {ek}^{*}, \mathsf {vk}_{\hat{\imath }})\), and implicitly sets the long-term secret key as \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}^*, \mathsf {sk}_{\hat{\imath }})\), where \(\mathcal {B}_{4}\) does not know \(\mathsf {dk}^*\). For all the other parties \(i \in [\mu ] \backslash \{\hat{\imath }\}\), \(\mathcal {B}_{4}\) computes the long-term key pairs \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) as in \(G_5\). Finally, \(\mathcal {B}_{4}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries made by \(\mathcal {A}\) as follows:

\(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): \(\mathcal {B}_{4}\) proceeds as in \(G_5\).

\(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \mathsf {vk}_{T}))\): Let \(i \mathrel {\mathop :}=\mathsf {Pid}^{t}_{j}\). Depending on the values of (j, t, i), it performs the following:

If \((j, t, i) = (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{4}\) responds as in \(G_5\) except that it sets \((\mathsf {K}, \mathsf {C}) := (\mathsf {K}^*, \mathsf {C}^{*})\) rather than generating them on its own. It then returns the message \((\mathsf {C}^{*}, \mathsf {C}_{T}, \mathsf {c}{})\).

If \((j, t, i) \ne (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{4}\) responds as in \(G_5\).


\(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): Depending on the value of i, it performs the following:

If \(i = \hat{\imath }\), then \(\mathcal {B}_{4}\) checks whether \(\mathsf {C}= \mathsf {C}^*\). If so, it responds as in \(G_5\) except that it sets \(\mathsf {K}\mathrel {\mathop :}=\mathsf {K}^{*}\). Otherwise, if \(\mathsf {C}\ne \mathsf {C}^*\), it queries the decapsulation oracle on \(\mathsf {C}\) and receives back \(\mathsf {K}'\). \(\mathcal {B}_{4}\) then responds as in \(G_5\) except that it sets \(\mathsf {K}\mathrel {\mathop :}=\mathsf {K}'\).

If \(i \ne \hat{\imath }\), then \(\mathcal {B}_{4}\) responds as in \(G_5\).


\(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{4}\) responds as in \(G_5\). Note that since \(\mathcal {A} \) follows the Type-7 or Type-8 strategy, \(\mathcal {B}_{4}\) can answer every \(\mathsf {RevLTK}\) query. Namely, conditioned on \(\mathsf {E_{testO}}\) not occurring, \(\mathcal {A} \) never queries \(\mathsf {RevLTK}(\hat{\imath })\) (i.e., \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}^*, \mathsf {sk}_{\hat{\imath }})\)), which is the only query that \(\mathcal {B}_{4}\) cannot answer.

\(\mathsf {Test}(i, s)\): \(\mathcal {B}_{4}\) responds to the query as in the definition. Here, in case \((i, s) \ne (\hat{\jmath },\hat{t})\), event \(\mathsf {E_{testO}}\) is triggered, so it aborts.
If \(\mathcal {A}\) outputs a guess \(b'\), \(\mathcal {B}_{4}\) outputs \(b'\). It can be checked that \(\mathcal {B}_{4}\) perfectly simulates game \(G_4\) (resp. \(G_5\)) to \(\mathcal {A} \) when the challenge \(\mathsf {K}^{*}\) is the real key (resp. a random key). Thus we have
Game \(G_{6}\) In this game, whenever we need to derive \(\mathsf {K}^*_1 \leftarrow \mathsf {Ext}_s(\mathsf {K}^*)\), we instead use a uniformly random PRF key (fixed once and for all), where \(\mathsf {K}^*\) is the KEM key chosen by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). Due to the modification we made in the previous game, \(\mathsf {K}^*\) is chosen uniformly at random from \(\mathcal {KS}_\mathsf {KEM} \), so \(\mathsf {K}^*\) has \(\log _2 |\mathcal {KS}_\mathsf {KEM}| \ge \gamma _\mathsf {KEM} \) bits of min-entropy. Then, by the definition of the strong (\(\gamma _\mathsf {KEM}, \varepsilon _{\mathsf {Ext}}\))-extractor \(\mathsf {Ext}\), we have
Game \(G_{7}\) In this game, we sample a random function \(\mathsf {RF}\) and whenever we need to compute \(\mathsf {F}_{\mathsf {K}^*_1}(\mathsf {sid})\) for any \(\mathsf {sid}\), we instead compute \(\mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid})\). Due to the modification we made in the previous game, \(\mathsf {K}^*_1\) is sampled uniformly from \(\mathcal {FK}\). Therefore, the two games can be easily shown to be indistinguishable assuming the pseudorandomness of the PRF. In particular, we can construct a PRF adversary \(\mathcal {D}_{3}\) such that
It remains to show that the session key output by the tested oracle in game \(G_7\) is uniformly random regardless of the challenge bit \(b \in \{ 0,1 \} \) chosen by the game. We consider the case \(b = 0\) and prove that the session key honestly generated by the tested oracle is uniformly distributed. First, conditioned on event \(\mathsf {E_{testO}}\) not occurring, it must be the case that the tested oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) prepares the session key as \(\mathsf {k}^* \Vert \tilde{k}\leftarrow \mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid}^*) \oplus \mathsf {F}_{\mathsf {K}_{2}}(\mathsf {sid}^*)\) for some \(\mathsf {sid}^*\). Here, recall that \(\mathsf {K}^*_1\) is the random PRF key sampled by the oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) (see game \(G_6\)). Next, since the tested oracle has no partner oracle (by definition of the Type-7 and Type-8 strategy), there are no oracles \(\pi ^s_i\) with \(i \ne \hat{\jmath }\) that run \(\mathsf {RF}(\mathsf {K}^*_1, \cdot )\) on input \(\mathsf {sid}^*\). Moreover, conditioned on event \(\mathsf {E}_{\mathsf {coll}}\) not occurring, no oracle \(\pi ^t_{\hat{\jmath }}\) for \(t \ne \hat{t}\) runs \(\mathsf {RF}(\mathsf {K}^*_1, \cdot )\) on input \(\mathsf {sid}^*\) either, since the \((\mathsf {C}, \mathsf {C}_T)\) output by these oracles must be distinct from what \(\pi ^{\hat{t}}_{\hat{\jmath }}\) outputs. Therefore, we conclude that \(\mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid}^*)\) is used only to compute the session key of the tested oracle and nowhere else. Since the outputs of \(\mathsf {RF}\) on distinct inputs are independent and uniform, we conclude that \(\Pr \left[ \mathsf {S}_{7}\right] = 1/2\). Combining all the arguments together, we obtain
\(\square \)
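The key schedule that the argument in games \(G_6\) and \(G_7\) relies on, written out as an added example (this is not code from the paper or from its implementation). It assumes \(\mathsf{Ext}_s\) is instantiated as HKDF-Extract (HMAC keyed with the seed s), \(\mathsf{F}\) as HMAC-SHA256 in counter mode, that \(\mathsf{K}_2\) is obtained as \(\mathsf{Ext}_s\) of the ephemeral KEM key \(\mathsf{K}_T\), 32-byte k and \(\tilde{k}\), and length-prefixed \(\mathsf{sid}\) fields; the field order of \(\mathsf{sid}\) follows the proof of Lemma B.1.

```python
"""Session-key schedule behind the Lemma B.2 argument (added example, not the paper's code).

Assumptions not fixed by the page: Ext_s is HKDF-Extract (HMAC keyed with the seed s),
the PRF F is HMAC-SHA256 in counter mode, K_2 is extracted from the ephemeral KEM key
K_T in the same way as K_1 from K, |k| = |k~| = 32 bytes, and sid fields are
length-prefixed before concatenation.
"""
import hashlib
import hmac

HASH = hashlib.sha256
KEY_LEN = 32  # |k| = |k~| (constructed choice)


def ext(s: bytes, kem_key: bytes) -> bytes:
    """Strong extractor Ext_s(kem_key), instantiated as HMAC(salt = s, ikm = kem_key)."""
    return hmac.new(s, kem_key, HASH).digest()


def prf(key: bytes, sid: bytes, out_len: int = 2 * KEY_LEN) -> bytes:
    """PRF F_key(sid), stretched to out_len bytes with HMAC in counter mode."""
    blocks = []
    for counter in range((out_len + HASH().digest_size - 1) // HASH().digest_size):
        blocks.append(hmac.new(key, sid + counter.to_bytes(4, "big"), HASH).digest())
    return b"".join(blocks)[:out_len]


def build_sid(P_i: bytes, P_j: bytes, lpk_i: bytes, lpk_j: bytes,
              ek_T: bytes, vk_T: bytes, C: bytes, C_T: bytes) -> bytes:
    """sid = P_i || P_j || lpk_i || lpk_j || ek_T || vk_T || C || C_T (field order from
    the proof of Lemma B.1). Length prefixes make the encoding injective (assumption)."""
    fields = (P_i, P_j, lpk_i, lpk_j, ek_T, vk_T, C, C_T)
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def derive_session_key(s: bytes, K: bytes, K_T: bytes, sid: bytes):
    """k || k~ <- F_{K_1}(sid) XOR F_{K_2}(sid) with K_1 <- Ext_s(K), K_2 <- Ext_s(K_T).

    K is the key encapsulated under the peer's long-term ek, K_T the key encapsulated
    under the ephemeral ek_T (assumption). Returns (k, k~): k is the session key and
    k~ the key under which the responder's ring signature is carried in c.
    """
    K_1 = ext(s, K)
    K_2 = ext(s, K_T)
    stream = bytes(a ^ b for a, b in zip(prf(K_1, sid), prf(K_2, sid)))
    return stream[:KEY_LEN], stream[KEY_LEN:]


def pad_difference(s: bytes, K: bytes, K_prime: bytes, K_T: bytes, sid: bytes) -> bytes:
    """XOR of the key streams obtained with KEM keys K and K' for the same sid and K_T.

    The F_{K_2}(sid) term cancels, so the result equals F_{K_1}(sid) XOR F_{K_1'}(sid)
    and does not depend on K_T. This mirrors the hop G_4 -> G_5: replacing K by a
    fresh random key re-randomizes the session key even if K_T is known.
    """
    a = b"".join(derive_session_key(s, K, K_T, sid))
    b = b"".join(derive_session_key(s, K_prime, K_T, sid))
    return bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed sample values standing in for real KEM outputs and key material.
    s = b"public-extractor-seed"
    K, K_T = bytes(range(32)), bytes(range(32, 64))
    sid = build_sid(b"P_i", b"P_j", b"lpk_i", b"lpk_j", b"ek_T", b"vk_T", b"C", b"C_T")
    k_init, kt_init = derive_session_key(s, K, K_T, sid)  # initiator's computation
    k_resp, kt_resp = derive_session_key(s, K, K_T, sid)  # responder's computation
    print("partners agree:", (k_init, kt_init) == (k_resp, kt_resp))
    fresh = bytes(range(64, 96))  # a fresh random K, as in G_5
    print("difference independent of K_T:",
          pad_difference(s, K, fresh, K_T, sid)
          == pad_difference(s, K, fresh, b"\x00" * 32, sid))
```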
For completeness, we state the remaining Lemmata B.3 and B.4 and provide a proof sketch.
Lemma B.3
For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-1 or Type-2 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{1}\) breaking the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\) and \(\mathcal {D}_{1}\) breaking the security of PRF \(\mathsf {F}\) such that
Lemma B.4
For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-3 or Type-4 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{2}\) breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) and \(\mathcal {D}_{2}\) breaking the security of PRF \(\mathsf {F}\) such that
Proof Sketch of Lemmata B.3 and B.4
The differences between \(\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}\) and \(\Pi _{\mathsf {SC}\text {-}\mathsf {AKE}}\) are that the former uses a ring signature, the first message sent by the initiator includes the ephemeral verification key \(\mathsf {vk}_{T}\), and the initiator does not sign the first message. In addition, the former considers weak forward secrecy (\(\mathcal {A}\) plays \(G^{\mathsf {weakFS}}_{\Pi _{\mathsf {SC}\text {-}\mathsf {DAKE}}}(\mu , \ell )\)), while the latter considers perfect forward secrecy (\(\mathcal {A}\) plays \(G^{\mathsf {FS}}_{\Pi _{\mathsf {SC}\text {-}\mathsf {AKE}}}(\mu , \ell )\)). However, it can be easily verified that these modifications bring no advantage to an adversary following the strategies in the statement. In particular, when \(\mathcal {A}\) uses the Type-1, Type-2, Type-3 or Type-4 strategy (i.e., the tested oracle has a partner oracle), the winning condition (cf. freshness clauses Items 1 to 4) of the two security games is identical. Specifically, the proofs are identical to the proofs of Lemmata A.1 and A.2.
In slightly more detail, notice the session key derivation step in \(\Pi _\mathsf {SC}\text {}\mathsf {DAKE}\) is exactly the same as those in \(\Pi _\mathsf {SC}\text {}\mathsf {AKE}\). Namely, the value of the derived session key is independent of the signature conditioning on the signature being valid. Further, notice the proofs of Lemmata A.1 and A.2 only relies on the security properties of the KEM, PRF, and extractor. That is, the proof does not hinge on the security offered by the signature scheme and this holds even if remove the signature from the first message and replace the signature scheme with a ring signature scheme. Here, we note that the validity of the ephemeral ring signature verification key never comes in play in the security proof. Therefore, the proofs of Lemmata A.1 and A.2 follow. \(\square \)
C Equivalence Between \(\mathsf{DVS}\) and Ring Signature
In a subsequent work, Brendel et al. [19] showed a generic construction of a deniable Signal-conforming AKE protocol based on a designated verifier signature (\(\mathsf{DVS}\)) and a \(\mathsf {KEM}\). They showed how to instantiate \(\mathsf{DVS}\) from a ring signature (for a ring of two users) but left the opposite implication open, and speculated that \(\mathsf{DVS}\) might be easier to construct than a ring signature.
In this section, we settle this open problem. We show how to instantiate a ring signature (for a ring of two users) from \(\mathsf{DVS}\), i.e., that \(\mathsf{DVS}\) is a ring signature in disguise. As discussed in Footnote 10, the security notions of \(\mathsf{DVS}\) and ring signatures come in different flavors, so the two are not equivalent in every setting. We focus only on the \(\mathsf{DVS}\) and ring signature notions that Brendel et al. [19] require to construct their AKE protocol. In particular, the definition of ring signature we provide in Sect. 2.6 is strictly stronger than the one considered in [19]. We make this explicit when we prove the security of our ring signature based on \(\mathsf{DVS}\).
The following syntax and security definitions of \(\mathsf{DVS}\) are taken almost verbatim from [19, Section 3]. One thing to keep in mind is that, even though it is called a designated verifier signature, the syntax of Brendel et al. allows the signature to be publicly verifiable. This will be essential when building a ring signature.
Definition C.1
A \(\mathsf{DVS}\) is a tuple of algorithms \(\mathsf{DVS} = (\mathsf {SKGen}, \mathsf {VKGen}, \mathsf {Sign}, \mathsf {Vrfy}, \mathsf {Sim})\) along with a message space \(\mathcal {M}\).

\(\mathsf {SKGen}() \rightarrow ({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {S})\): A probabilistic key generation algorithm that outputs a public/secret-key pair for the signer.

\(\mathsf {VKGen}() \rightarrow (\mathsf {pk}_\mathsf {D}, \mathsf {sk}_\mathsf {D})\): A probabilistic key generation algorithm that outputs a public/secret-key pair for the verifier.

\(\mathsf {Sign}(\mathsf {sk}_\mathsf {S}, \mathsf {pk}_\mathsf {D}, \mathsf {M}) \rightarrow \sigma \): A probabilistic signing algorithm that uses a signer’s secret key \(\mathsf {sk}_\mathsf {S}\) to produce a signature \(\sigma \) for a message \(\mathsf {M}\in \mathcal {M}\) for a designated verifier with public key \(\mathsf {pk}_\mathsf {D}\).

\(\mathsf {Vrfy}({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}, \mathsf {M}, \sigma ) \rightarrow 1/0\): A deterministic verification algorithm that checks a message \(\mathsf {M}\) and a signature \(\sigma \) against a signer’s public key \({\mathsf {pk}_\mathsf {S}}\) and a verifier’s public key \(\mathsf {pk}_\mathsf {D}\).

\(\mathsf {Sim}({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {D}, \mathsf {M}) \rightarrow \sigma \): A probabilistic signature simulation algorithm that uses the verifier’s secret key \(\mathsf {sk}_\mathsf {D}\) to produce a signature \(\sigma \) on a message \(\mathsf {M}\) for the signer’s public key \({\mathsf {pk}_\mathsf {S}}\).
Definition C.2
(Unforgeability) A \(\mathsf{DVS}\) is unforgeable if for any efficient adversary \(\mathcal {A} \) we have \(\Pr [G^{\mathsf {uf}}(\mathcal {A}) = 1]\) is negligible, where the game \(G^{\mathsf {uf}}\) is defined in Fig. 6.
Definition C.3
(Source Hiding) A \(\mathsf{DVS}\) is source hiding if for any efficient adversary \(\mathcal {A} \) we have that \(\left| \Pr [G^{\mathsf {srchid}}(\mathcal {A}) = 1] - 1/2 \right| \) is negligible, where the game \(G^{\mathsf {srchid}}\) is defined in Fig. 6.
Using a standard hybrid argument, we can assume without loss of generality that \(\mathcal {A} \) queries oracle \(\mathtt {Chall}\) once.
Construction We now provide a generic construction of a ring signature from any \(\mathsf{DVS}\) satisfying the above syntax and security definitions. Following Brendel et al. [19], we assume there is no public parameter and omit \(\mathsf {RS}.\mathsf {Setup}\). We also consider only ring signatures for a ring of two users, as this suffices to construct an AKE protocol. Moreover, we assume without loss of generality that signer public keys \({\mathsf {pk}_\mathsf {S}}\) can be ordered lexicographically, e.g., \({\mathsf {pk}_\mathsf {S}}< {\mathsf {pk}_\mathsf {S}}'\).
\(\mathsf {RS}.\mathsf {KeyGen}()\):

Run \(({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {S}) \leftarrow \mathsf {SKGen}()\) and \((\mathsf {pk}_\mathsf {D}, \mathsf {sk}_\mathsf {D}) \leftarrow \mathsf {VKGen}()\), and output \((\mathsf {RS}.\mathsf {vk}:= ({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}), \mathsf {RS}.\mathsf {sk}:= (\mathsf {sk}_\mathsf {S}, \mathsf {sk}_\mathsf {D}))\).
\(\mathsf {RS}.\mathsf {Sign}(\mathsf {RS}.\mathsf {sk}, \mathsf {M}, \mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}, \mathsf {RS}.\mathsf {vk}' \right\} )\):

Parse \(({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}) \leftarrow \mathsf {RS}.\mathsf {vk}\) and \(({\mathsf {pk}_\mathsf {S}}', \mathsf {pk}_\mathsf {D}') \leftarrow \mathsf {RS}.\mathsf {vk}'\), where \(\mathsf {RS}.\mathsf {vk}\) is the verification key corresponding to \(\mathsf {RS}.\mathsf {sk}\). If \({\mathsf {pk}_\mathsf {S}}< {\mathsf {pk}_\mathsf {S}}'\), then output \(\sigma \leftarrow \mathsf {Sign}(\mathsf {sk}_\mathsf {S}, \mathsf {pk}_\mathsf {D}', \mathsf {M})\). Otherwise, output \(\sigma \leftarrow \mathsf {Sim}({\mathsf {pk}_\mathsf {S}}', \mathsf {sk}_\mathsf {D}, \mathsf {M})\).
\(\mathsf {RS}.\mathsf {Verify}(\mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}, \mathsf {RS}.\mathsf {vk}' \right\} , \mathsf {M}, \sigma )\):

Parse \(({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}) \leftarrow \mathsf {RS}.\mathsf {vk}\) and \(({\mathsf {pk}_\mathsf {S}}', \mathsf {pk}_\mathsf {D}') \leftarrow \mathsf {RS}.\mathsf {vk}'\). If \({\mathsf {pk}_\mathsf {S}}< {\mathsf {pk}_\mathsf {S}}'\), then output \(\mathsf {Vrfy}({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}', \mathsf {M}, \sigma )\). Otherwise, output \(\mathsf {Vrfy}({\mathsf {pk}_\mathsf {S}}', \mathsf {pk}_\mathsf {D}, \mathsf {M}, \sigma )\).
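The construction above, as an added runnable example; this is not code from the paper or from its accompanying implementation. The \(\mathsf{DVS}\) underneath is an assumption of this example: the textbook Schnorr-style 1-out-of-2 OR-proof ("I know \(\mathsf{sk}_\mathsf{S}\) or I know \(\mathsf{sk}_\mathsf{D}\)"), which has exactly the Definition C.1 syntax (publicly verifiable \(\mathsf{Vrfy}\), and \(\mathsf{Sim}\) runs the same proof with \(\mathsf{sk}_\mathsf{D}\) as witness), instantiated over a 64-bit safe-prime group that is far too small for any real use and exists only so the code runs offline. All function names (`dvs_*`, `rs_*`, `demo`), the group parameters and the sample message are this example's own. The `rs_*` layer follows the three algorithms above literally: the member with the lexicographically smaller \(\mathsf{pk}_\mathsf{S}\) calls \(\mathsf{Sign}\) with the other member's \(\mathsf{pk}_\mathsf{D}\), the other member calls \(\mathsf{Sim}\) with its own \(\mathsf{sk}_\mathsf{D}\), and \(\mathsf{RS}.\mathsf{Verify}\) orders the ring the same way, so both members' signatures pass the identical check (the setting of Lemma C.4 below).

```python
# Added example: the RS.KeyGen / RS.Sign / RS.Verify transform above, over a toy DVS.
# ASSUMED, not from the paper: the DVS is a Schnorr-style 1-out-of-2 OR-proof
# ("I know sk_S or sk_D") in a 64-bit safe-prime group.  It has the Definition C.1
# syntax (public Vrfy, Sim via sk_D) but the group is far too small for real use.
import hashlib
import secrets

BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for all n < 3.3e24."""
    if n < 2:
        return False
    if any(n % b == 0 for b in BASES):
        return n in BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_from(start):
    """Smallest safe prime p = 2q + 1 with q >= start; returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = safe_prime_from(1 << 63)  # toy group (assumed); P fits in 16 bytes
G = 4                            # a quadratic residue mod P, hence of prime order Q

def _chal(pk_s, pk_d, msg, r0, r1):
    h = hashlib.sha256(b"".join(v.to_bytes(16, "big") for v in (pk_s, pk_d, r0, r1)))
    h.update(msg)
    return int.from_bytes(h.digest(), "big") % Q

def dvs_keygen():
    """Used for both SKGen and VKGen: a Schnorr key pair (pk = G^sk, sk)."""
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def _or_proof(pks, sk, known, msg):
    """OR-proof for pks = (pk_S, pk_D): branch `known` is proved with `sk`, the other
    branch is simulated by choosing its challenge and response first."""
    sim = 1 - known
    c_sim, z_sim, r = secrets.randbelow(Q), secrets.randbelow(Q), secrets.randbelow(Q - 1) + 1
    commits = [0, 0]
    commits[sim] = pow(G, z_sim, P) * pow(pks[sim], (Q - c_sim) % Q, P) % P
    commits[known] = pow(G, r, P)
    c = _chal(pks[0], pks[1], msg, *commits)          # Fiat-Shamir challenge
    cs, zs = [0, 0], [0, 0]
    cs[sim], zs[sim] = c_sim, z_sim
    cs[known] = (c - c_sim) % Q                        # challenges must sum to c
    zs[known] = (r + cs[known] * sk) % Q
    return (cs[0], cs[1], zs[0], zs[1])

# DVS = (SKGen, VKGen, Sign, Vrfy, Sim) with the Definition C.1 syntax.
def dvs_sign(sk_s, pk_d, msg):
    return _or_proof((pow(G, sk_s, P), pk_d), sk_s, 0, msg)

def dvs_sim(pk_s, sk_d, msg):
    return _or_proof((pk_s, pow(G, sk_d, P)), sk_d, 1, msg)

def dvs_vrfy(pk_s, pk_d, msg, sig):
    c0, c1, z0, z1 = sig
    r0 = pow(G, z0, P) * pow(pk_s, (Q - c0) % Q, P) % P
    r1 = pow(G, z1, P) * pow(pk_d, (Q - c1) % Q, P) % P
    return (c0 + c1) % Q == _chal(pk_s, pk_d, msg, r0, r1)

# Ring signature (ring size two) from the DVS, as in the construction above.
def rs_keygen():
    (pk_s, sk_s), (pk_d, sk_d) = dvs_keygen(), dvs_keygen()
    return (pk_s, pk_d), (sk_s, sk_d)                  # RS.vk, RS.sk

def rs_sign(rs_sk, msg, ring):
    """The member with the smaller pk_S is the DVS signer for the other member's
    pk_D; the member with the larger pk_S answers with Sim under its own sk_D."""
    sk_s, sk_d = rs_sk
    own = pow(G, sk_s, P)                              # recover our own pk_S
    (pk_s, _), (pk_s2, pk_d2) = ring if ring[0][0] == own else (ring[1], ring[0])
    return dvs_sign(sk_s, pk_d2, msg) if pk_s < pk_s2 else dvs_sim(pk_s2, sk_d, msg)

def rs_verify(ring, msg, sig):
    (pk_s_lo, _), (_, pk_d_hi) = sorted(ring)          # the ring is a set: order by pk_S
    return dvs_vrfy(pk_s_lo, pk_d_hi, msg, sig)

def demo():
    """Both members sign under the same check (the Lemma C.4 setting); a changed
    message or ring is rejected.  Inputs are constructed for the example."""
    (vk0, sk0), (vk1, sk1), (vk2, _) = rs_keygen(), rs_keygen(), rs_keygen()
    msg, ring = b"constructed sample message", (vk0, vk1)
    sig0, sig1 = rs_sign(sk0, msg, ring), rs_sign(sk1, msg, ring)
    return {
        "member0_valid": rs_verify(ring, msg, sig0),
        "member1_valid": rs_verify(ring, msg, sig1),
        "order_independent": rs_verify((vk1, vk0), msg, sig1),
        "wrong_message": rs_verify(ring, b"another message", sig0),
        "wrong_ring": rs_verify((vk0, vk2), msg, sig0),
    }
```

Two properties of this toy instantiation are worth noting against the lemmas that follow. The OR-proof is perfectly witness indistinguishable, so \(\mathsf{Sign}\) and \(\mathsf{Sim}\) produce identically distributed signatures; that is exactly the source hiding that Lemma C.4 converts into ring anonymity. Its unforgeability rests on the discrete logarithm problem in the random oracle model, which for the 64-bit group here is of course not a meaningful assumption.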
Security We first prove anonymity of the ring signature. The anonymity definition considered by Brendel et al. [19] is almost identical to Definition 2.14, except that they require the verification and signing keys to be generated honestly rather than with possibly malicious randomness. This suffices to prove their deniability, since the AKE keys are assumed to be generated honestly.
Lemma C.4
If \(\mathsf{DVS}\) satisfies source hiding, then the ring signature is anonymous (with respect to honestly generated verification and signing keys with rings of size two).
Proof
Assume there exists an adversary \(\mathcal {B} \) against the anonymity of the ring signature. We construct an adversary \(\mathcal {A} \) against the source hiding of \(\mathsf{DVS}\) as follows.
\(\mathcal {A} \) is provided \(({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {S}, \mathsf {pk}_\mathsf {D}, \mathsf {sk}_\mathsf {D})\) from the \(\mathsf{DVS}\) challenger. It queries \(\mathsf {M}\) to oracle \(\mathtt {Chall}\) and receives \(\sigma \). It then generates \((\overline{\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {sk}_\mathsf {S}}) \leftarrow \mathsf {SKGen}()\) and \((\overline{\mathsf {pk}_\mathsf {D}}, \overline{\mathsf {sk}_\mathsf {D}}) \leftarrow \mathsf {VKGen}()\) conditioned on \({\mathsf {pk}_\mathsf {S}}< \overline{\mathsf {pk}_\mathsf {S}}\). Note that this is without loss of generality since \(\mathcal {A} \) can simply regenerate \(\overline{\mathsf {pk}_\mathsf {S}}\) until it succeeds (and possibly halt after it exceeds some number of trials to make \(\mathcal {A} \) run in strict polynomial time). It then samples a random bit \(d \leftarrow \{ 0,1 \} \) and sets
It finally provides \(\mathcal {B} \) with \(\left\{ (\mathsf {RS}.\mathsf {vk}_i, \mathsf {RS}.\mathsf {sk}_i) \right\} _{i \in \{ 0,1 \} }\) and \(\sigma \). When \(\mathcal {B} \) outputs \(d'\) as its guess, \(\mathcal {A} \) outputs its guess as \(b' := d \oplus d'\).
Let us analyze the advantage of \(\mathcal {A} \). First of all, since d is information-theoretically hidden from \(\mathcal {B} \), the ring signature keys \(\left\{ (\mathsf {RS}.\mathsf {vk}_i, \mathsf {RS}.\mathsf {sk}_i) \right\} _{i \in \{ 0,1 \} }\) are distributed identically to those in the anonymity game, even conditioned on \({\mathsf {pk}_\mathsf {S}}< \overline{\mathsf {pk}_\mathsf {S}}\). Moreover, if oracle \(\mathtt {Chall}\) used \(b = 0\), then \(\sigma \leftarrow \mathsf {Sign}(\mathsf {sk}_\mathsf {S}, \mathsf {pk}_\mathsf {D}, \mathsf {M})\). Since \({\mathsf {pk}_\mathsf {S}}< \overline{\mathsf {pk}_\mathsf {S}}\), \(\sigma \) is distributed identically to \(\mathsf {RS}.\mathsf {Sign}( \mathsf {RS}.\mathsf {sk}_d, \mathsf {M}, \mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}_0, \mathsf {RS}.\mathsf {vk}_1 \right\} )\). On the other hand, if oracle \(\mathtt {Chall}\) used \(b = 1\), then \(\sigma \leftarrow \mathsf {Sim}({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {D}, \mathsf {M})\), which is distributed identically to \(\mathsf {RS}.\mathsf {Sign}( \mathsf {RS}.\mathsf {sk}_{1-d}, \mathsf {M}, \mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}_0, \mathsf {RS}.\mathsf {vk}_1 \right\} )\). Hence, if \(\mathcal {B} \) outputs a guess \(d'\) and \(d = 0\), then \(\mathcal {A} \) simply outputs \(d'\) as its guess. Otherwise, \(\mathcal {A} \) flips the guess \(d'\) in order to undo the swap induced by \(d = 1\). This completes the proof. \(\square \)
The unforgeability definition considered by Brendel et al. [19] is similar to Definition 2.15, except that they restrict the adversary to query the signing oracle only on rings consisting of honestly generated verification keys. This weaker definition suffices for their application, since they consider deniability only with respect to honestly generated long-term keys.
Lemma C.5
If \(\mathsf{DVS}\) satisfies source hiding and unforgeability, then the ring signature is unforgeable (with respect to honestly generated rings of size two).
Proof
Before providing the reduction, we first modify the unforgeability game of the ring signature (with respect to honestly generated rings of size two) as follows. The modifications relative to the original Definition 2.15 are the following: the challenger samples two random distinct indices \((i^*_0, i^*_1) \in [N] \times [N]\) at the outset and hopes that the adversary outputs a forgery on the ring \(\left\{ \mathsf {RS}.\mathsf {vk}_{i^*_0}, \mathsf {RS}.\mathsf {vk}_{i^*_1} \right\} \); whenever the adversary \(\mathcal {A} \) queries the signing oracle, the challenger never uses \(\mathsf {RS}.\mathsf {sk}_{i^*_0}\) to sign the message; and the game aborts if \(\mathcal {A} \) corrupts \(i^*_0\) or \(i^*_1\).

(i)
The challenger generates key pairs \((\mathsf {RS}.\mathsf {vk}_i,\mathsf {RS}.\mathsf {sk}_i) \leftarrow \mathsf {RS}.\mathsf {KeyGen}()\) for all \(i \in [N]\). It sets \(\mathsf {VK}:= \left\{ \mathsf {RS}.\mathsf {vk}_i \mid i \in [N] \right\} \) and initializes two empty sets \(\mathsf {SL}\) and \(\mathsf {CL}\). It also samples two distinct indices \((i^*_0, i^*_1) \leftarrow [N] \times [N]\).

(ii)
The challenger provides \(\mathsf {VK}\) to \(\mathcal {A} \).

(iii)
\(\mathcal {A} \) can make signing and corruption queries an arbitrary polynomial number of times:

\((\mathsf {sign}, i ,\mathsf {M},\mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}_i, \mathsf {RS}.\mathsf {vk}_j \right\} )\): The challenger checks that \(\mathsf {R} \subseteq \mathsf {VK}\) (i.e., the ring contains \(\mathsf {RS}.\mathsf {vk}_i\) and consists of honestly generated keys) and outputs \(\bot \) if not. Otherwise, if \(i = i_0^*\), it computes the signature \(\sigma \leftarrow \mathsf {RS}.\mathsf {Sign}(\mathsf {RS}.\mathsf {sk}_j,\mathsf {M},\mathsf {R})\), and if \(i \ne i^*_0\), it computes the signature \(\sigma \leftarrow \mathsf {RS}.\mathsf {Sign}(\mathsf {RS}.\mathsf {sk}_i,\mathsf {M},\mathsf {R})\). Finally, the challenger provides \(\sigma \) to \(\mathcal {A} \) and adds \((i,\mathsf {M},\mathsf {R})\) to \(\mathsf {SL}\).

\((\mathsf {corrupt},i)\): If \(i \in \left\{ i^*_0, i^*_1 \right\} \), then the game aborts. Otherwise, the challenger adds \(\mathsf {RS}.\mathsf {vk}_i\) to \(\mathsf {CL}\) and returns \(\mathsf {RS}.\mathsf {sk}_i\) to \(\mathcal {A} \).

(iv)
\(\mathcal {A} \) outputs \((\mathsf {R}^*, \mathsf {M}^*, \sigma ^*)\). If \(\mathsf {R}^* = \left\{ \mathsf {RS}.\mathsf {vk}_{i^*_0}, \mathsf {RS}.\mathsf {vk}_{i^*_1} \right\} \), \((\cdot ,\mathsf {M}^*,\mathsf {R}^*) \not \in \mathsf {SL}\), and \(\mathsf {RS}.\mathsf {Verify}(\mathsf {R}^*, \mathsf {M}^*, \sigma ^*)=1\), then we say the adversary \(\mathcal {A} \) wins.
It is straightforward to show that this modified unforgeability game is as hard as the original one, assuming that the ring signature is anonymous (which by Lemma C.4 follows from the source hiding of \(\mathsf{DVS}\)). Concretely, we first modify the original game so that the challenger guesses the two non-corrupted indices \((i^*_0, i^*_1) \in [N] \times [N]\) that the adversary will use for its forgery, and aborts if the guess turns out to be wrong. Since these indices are information-theoretically hidden from the adversary, this is indistinguishable from the original game except for a loss of (roughly) \(1/N^2\) in the reduction. Next, assuming \(\mathcal {A} \) makes at most \(Q\) queries to the signing oracle, we define hybrids \(\mathsf {H}_0, \ldots , \mathsf {H}_Q\), where in \(\mathsf {H}_k\) the challenger answers the first \(k\) signing queries as in the original game and the remaining ones as in the modified game (i.e., using \(\mathsf {RS}.\mathsf {sk}_j\) whenever \(i = i^*_0\)); thus \(\mathsf {H}_Q\) is the original game and \(\mathsf {H}_0\) is the modified game. Adjacent hybrids \(\mathsf {H}_{k-1}\) and \(\mathsf {H}_k\) differ only in how the \(k\)-th signing query is answered, and they are indistinguishable assuming the anonymity of the ring signature. The reduction samples a random index \(j^* \leftarrow [N]\) and embeds the two verification keys provided by the anonymity game at the indices \((i^*_0, j^*)\); it generates all other verification keys as in the unforgeability game. Note that the reduction knows the signing keys of all parties (the anonymity game hands over the signing keys of its two challenge keys as well), so it answers every corruption query and every \(k'\)-th signing query with \(k' \ne k\) as in \(\mathsf {H}_{k-1}\) and \(\mathsf {H}_k\). For the \(k\)-th signing query, if \(i \ne i^*_0\), it again answers as in both hybrids. If \(i = i^*_0\), it checks whether the ring is \(\left\{ \mathsf {RS}.\mathsf {vk}_{i^*_0}, \mathsf {RS}.\mathsf {vk}_{j^*} \right\} \): if so, it answers with the challenge signature obtained from the anonymity game, and otherwise it aborts (the guess of \(j^*\) costs a further factor of \(N\)). Conditioned on not aborting, if the challenge signature was created using \(\mathsf {RS}.\mathsf {sk}_{i^*_0}\) (resp. \(\mathsf {RS}.\mathsf {sk}_{j^*}\)), the reduction perfectly simulates \(\mathsf {H}_k\) (resp. \(\mathsf {H}_{k-1}\)).
Therefore, assuming the ring signature is anonymous, adjacent hybrids are indistinguishable, and hence so are \(\mathsf {H}_Q\) and \(\mathsf {H}_0\).
Now, we are ready to show that this modified unforgeability for the ring signature is hard assuming the unforgeability of the \(\mathsf{DVS}\). Assume there exists an adversary \(\mathcal {B} \) against the modified unforgeability of the ring signature. We construct an adversary \(\mathcal {A} \) against the unforgeability of \(\mathsf{DVS}\) as follows:
\(\mathcal {A} \) is given \({\mathsf {pk}_\mathsf {S}}\), \(\mathsf {pk}_\mathsf {D}\), and \(L = \left\{ (\mathsf {pk}_{\mathsf {D}, i}, \mathsf {sk}_{\mathsf {D}, i}) \right\} _{i \in [n]}\) by the \(\mathsf{DVS}\) unforgeability game. It generates \((\overline{\mathsf {pk}_\mathsf {D}}, \overline{\mathsf {sk}_\mathsf {D}}) \leftarrow \mathsf {VKGen}()\), \((\overline{\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {sk}_\mathsf {S}}) \leftarrow \mathsf {SKGen}()\) conditioned on \({\mathsf {pk}_\mathsf {S}}< \overline{\mathsf {pk}_\mathsf {S}}\) (regenerating as in the proof of Lemma C.4; this is needed so that verification on the target ring below is performed under \(({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D})\)), and \((\mathsf {pk}_{\mathsf {S}, i}, \mathsf {sk}_{\mathsf {S}, i}) \leftarrow \mathsf {SKGen}()\) for \(i \in [n]\). It then forms the \(n + 2\) ring signature verification keys \(({\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {pk}_\mathsf {D}})\), \((\overline{\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D})\), and \(\left\{ (\mathsf {pk}_{\mathsf {S}, i}, \mathsf {pk}_{\mathsf {D}, i}) \right\} _{i \in [n]}\), randomly permutes them, and sets them as \((\mathsf {RS}.\mathsf {vk}_i)_{i \in [n + 2]}\). Let \(i^*_0\) be the index such that \(\mathsf {RS}.\mathsf {vk}_{i^*_0} = (\overline{\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D})\) and \(i^*_1\) the index such that \(\mathsf {RS}.\mathsf {vk}_{i^*_1} = ({\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {pk}_\mathsf {D}})\). \(\mathcal {A} \) finally provides \(\mathsf {VK}:= \left\{ \mathsf {RS}.\mathsf {vk}_i \mid i \in [n + 2] \right\} \) to \(\mathcal {B} \). Notice that \(\mathcal {A} \) knows the signing keys for all indices in \([n+2]\setminus \left\{ i^*_0, i^*_1 \right\} \), so it can answer signing and corruption queries for any \(i \notin \left\{ i^*_0, i^*_1 \right\} \). Moreover, since the game aborts when some \(i \in \left\{ i^*_0, i^*_1 \right\} \) is queried to the corruption oracle, it remains to see how \(\mathcal {A} \) simulates signing queries with \(i \in \left\{ i^*_0, i^*_1 \right\} \).
Due to the modification we made to the unforgeability game, \(\mathcal {A} \) never needs to sign using the signing key of index \(i^*_0\), so it suffices to handle the case \(i = i^*_1\), i.e., \(\mathsf {RS}.\mathsf {sk}_{i^*_1} = (\mathsf {sk}_\mathsf {S}, \overline{\mathsf {sk}_\mathsf {D}})\), of which \(\mathcal {A} \) knows only \(\overline{\mathsf {sk}_\mathsf {D}}\). Let \(\mathsf {RS}.\mathsf {vk}_j = (\mathsf {pk}_{\mathsf {S}, j}, \mathsf {pk}_{\mathsf {D}, j})\) be the other key in the queried ring (when \(j = i^*_0\), read \(\mathsf {pk}_{\mathsf {S}, j} = \overline{\mathsf {pk}_\mathsf {S}}\) and \(\mathsf {pk}_{\mathsf {D}, j} = \mathsf {pk}_\mathsf {D}\)). If \({\mathsf {pk}_\mathsf {S}}< \mathsf {pk}_{\mathsf {S}, j}\), then \(\mathcal {A} \) queries its \(\mathsf{DVS}\) signing oracle and obtains \(\sigma \leftarrow \mathsf {Sign}(\mathsf {sk}_\mathsf {S}, \mathsf {pk}_{\mathsf {D}, j}, \mathsf {M})\). Otherwise, it uses \(\overline{\mathsf {sk}_\mathsf {D}}\) to compute \(\sigma \leftarrow \mathsf {Sim}(\mathsf {pk}_{\mathsf {S}, j}, \overline{\mathsf {sk}_\mathsf {D}}, \mathsf {M})\). This completes the description of \(\mathcal {A} \).
Notice that the winning condition of the modified unforgeability game of the ring signature coincides with that of the unforgeability game of \(\mathsf{DVS}\): since \({\mathsf {pk}_\mathsf {S}}< \overline{\mathsf {pk}_\mathsf {S}}\), a forgery on the ring \(\left\{ \mathsf {RS}.\mathsf {vk}_{i^*_0}, \mathsf {RS}.\mathsf {vk}_{i^*_1} \right\} \) is exactly a signature \(\sigma ^*\) with \(\mathsf {Vrfy}({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}, \mathsf {M}^*, \sigma ^*) = 1\) on a message \(\mathsf {M}^*\) that was never queried with this ring, and hence never submitted to the \(\mathsf{DVS}\) signing oracle for the designated verifier \(\mathsf {pk}_\mathsf {D}\). Moreover, since \(\mathcal {A} \) randomly permutes the indices in \([n+2]\), it simulates the distribution of the two indices \((i^*_0, i^*_1)\) perfectly. Therefore, \(\mathcal {A} \) has the same advantage as \(\mathcal {B} \). This concludes the proof. \(\square \)
Hashimoto, K., Katsumata, S., Kwiatkowski, K. et al. An Efficient and Generic Construction for Signal’s Handshake (X3DH): Post-quantum, State Leakage Secure, and Deniable. J Cryptol 35, 17 (2022). https://doi.org/10.1007/s00145-022-09427-1