
An Efficient and Generic Construction for Signal’s Handshake (X3DH): Post-quantum, State Leakage Secure, and Deniable

Abstract

The Signal protocol is a secure instant messaging protocol that underlies the security of numerous applications such as WhatsApp, Skype, Facebook Messenger among many others. The Signal protocol consists of two sub-protocols known as the X3DH protocol and the double ratchet protocol, where the latter has recently gained much attention. For instance, Alwen, Coretti, and Dodis (Eurocrypt’19) provided a concrete security model along with a generic construction based on simple building blocks that are instantiable from versatile assumptions, including post-quantum ones. In contrast, as far as we are aware, works focusing on the X3DH protocol seem limited. In this work, we cast the X3DH protocol as a specific type of authenticated key exchange (AKE) protocol, which we call a Signal-conforming AKE protocol, and formally define its security model based on the vast prior works on AKE protocols. We then provide the first efficient generic construction of a Signal-conforming AKE protocol based on standard cryptographic primitives such as key encapsulation mechanisms (KEM) and signature schemes. Specifically, this results in the first post-quantum secure replacement of the X3DH protocol based on well-established assumptions. Similar to the X3DH protocol, our Signal-conforming AKE protocol offers a strong (or stronger) flavor of security, where the exchanged key remains secure even when all the non-trivial combinations of the long-term secrets and session-specific secrets are compromised. Moreover, our protocol has a weak flavor of deniability and we further show how to progressively strengthen it using ring signatures and/or non-interactive zero-knowledge proof systems. Finally, we provide a full-fledged, generic C implementation of our (weakly deniable) protocol. We instantiate it with several Round 3 candidates (finalists and alternates) to the NIST post-quantum standardization process and compare the resulting bandwidth and computation performances. Our implementation is publicly available.
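As an added illustration (not a figure from the paper and not the authors' C implementation [55]), the following Go sketch shows the shape of a KEM-plus-signature Signal-conforming handshake as the abstract describes it: a signed ephemeral pre-key as the receiver-oblivious first message, a stateless responder that encapsulates to both the ephemeral and the long-term key, and a session key that survives leakage of either the initiator's long-term secret or its session state alone. Assumptions of this example: hashed X25519 stands in for both wKEM and KEM (so the sketch itself is not post-quantum), ed25519 for SIG, HMAC-SHA256 for the extractor and PRF, and the message layout, session identifier and key schedule are choices of this example rather than the paper's.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v } // key generation never fails here

// Hashed-DH KEM over X25519 (assumption: stands in for the paper's wKEM and KEM; not post-quantum).
func kemEncap(pk *ecdh.PublicKey) (K, C []byte) {
	e := must(ecdh.X25519().GenerateKey(rand.Reader))
	C = e.PublicKey().Bytes()
	k := sha256.Sum256(append(append(must(e.ECDH(pk)), C...), pk.Bytes()...)) // K = H(DH || C || pk)
	return k[:], C
}

func kemDecap(sk *ecdh.PrivateKey, C []byte) ([]byte, error) {
	epk, err := ecdh.X25519().NewPublicKey(C)
	if err != nil {
		return nil, err
	}
	shared, err := sk.ECDH(epk) // fails on low-order points that would yield an all-zero secret
	k := sha256.Sum256(append(append(shared, C...), sk.PublicKey().Bytes()...))
	return k[:], err // when err != nil the caller must discard k
}

type Lpk struct { // long-term public key: KEM encapsulation key plus signature verification key
	Ek *ecdh.PublicKey
	Vk ed25519.PublicKey // ed25519 stands in for SIG
}
func (l Lpk) bytes() []byte { return append(l.Ek.Bytes(), l.Vk...) }

type Party struct {
	ID  string
	dk  *ecdh.PrivateKey // long-term decapsulation key
	sk  ed25519.PrivateKey
	Lpk Lpk
}

func NewParty(id string) *Party {
	dk := must(ecdh.X25519().GenerateKey(rand.Reader))
	vk, sk, err := ed25519.GenerateKey(rand.Reader)
	return &Party{id, dk, must(sk, err), Lpk{dk.PublicKey(), vk}}
}

type Msg1 struct{ EkT, Sig []byte }           // signed ephemeral pre-key
type Msg2 struct{ C, Cp, Sig []byte }         // two KEM ciphertexts plus the responder's signature
type InitState struct{ dkT *ecdh.PrivateKey } // initiator session state; the responder keeps none

// Initiate is receiver oblivious: the first message does not depend on who will answer it.
func (p *Party) Initiate() (Msg1, *InitState) {
	dkT := must(ecdh.X25519().GenerateKey(rand.Reader))
	ekT := dkT.PublicKey().Bytes()
	return Msg1{ekT, ed25519.Sign(p.sk, ekT)}, &InitState{dkT}
}

func sessionID(fields ...[]byte) (sid []byte) { // length-prefixed so fields cannot run together
	for _, f := range fields {
		sid = append(append(sid, byte(len(f)>>8), byte(len(f))), f...)
	}
	return sid
}

// Ext and F are both HMAC-SHA256 (assumption). K needs dk_T (session state) to recover, Kp needs
// the initiator's long-term dk; XORing the two PRF outputs hides the key unless both leak.
func deriveKey(K, Kp, sid []byte) []byte {
	prf := func(key, x []byte) []byte { m := hmac.New(sha256.New, key); m.Write(x); return m.Sum(nil) }
	a, b := prf(prf([]byte("ext"), K), sid), prf(prf([]byte("ext"), Kp), sid)
	for i := range a {
		a[i] ^= b[i]
	}
	return a
}

func (p *Party) Respond(peerID string, peer Lpk, m Msg1) (Msg2, []byte, error) {
	ekT, err := ecdh.X25519().NewPublicKey(m.EkT)
	if err != nil || !ed25519.Verify(peer.Vk, m.EkT, m.Sig) {
		return Msg2{}, nil, errors.New("malformed or unsigned pre-key")
	}
	K, C := kemEncap(ekT)
	Kp, Cp := kemEncap(peer.Ek)
	sid := sessionID([]byte(peerID), []byte(p.ID), peer.bytes(), p.Lpk.bytes(), m.EkT, C, Cp)
	return Msg2{C, Cp, ed25519.Sign(p.sk, sid)}, deriveKey(K, Kp, sid), nil
}

func (p *Party) Finish(st *InitState, peerID string, peer Lpk, m Msg2) ([]byte, error) {
	sid := sessionID([]byte(p.ID), []byte(peerID), p.Lpk.bytes(), peer.bytes(), st.dkT.PublicKey().Bytes(), m.C, m.Cp)
	if !ed25519.Verify(peer.Vk, sid, m.Sig) {
		return nil, errors.New("responder signature does not verify")
	}
	K, err1 := kemDecap(st.dkT, m.C)
	Kp, err2 := kemDecap(p.dk, m.Cp)
	if err1 != nil || err2 != nil {
		return nil, errors.New("malformed KEM ciphertext")
	}
	return deriveKey(K, Kp, sid), nil
}
```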



Notes

  1. The name Signal is used to point to the app and the protocol.

  2. Although [63, Section 4.6] states that the X3DH protocol is susceptible to KCI attacks, this is only because they consider the scenario where the session-specific secret is compromised. If we consider the standard KCI attack scenario where the long-term secret is the only information being compromised [15], then the X3DH protocol is secure.

  3. Being vulnerable to KCI attacks seems to be intrinsic to on-line deniability [63, 73, 74].

  4. Although the X3DH protocol can naturally be made secure against leakage of session-specific secrets (including randomness generated within the session) by using the generic NAXOS trick, e.g., [43, 54, 58, 79], it typically requires additional computation. Since this negatively affects efficiency, we target AKE protocols without using the NAXOS trick. See Sect. 1.3 for more detail.

  5. We assume Alice and Bob know each other’s long-term key. In practice, this can be enforced by “out-of-band” authentication (see [63, Section 4.1]).

  6. In the actual protocol [63, 68], XEdDSA is used as the signature scheme, and the same long-term key \((a, g^a)\) is used for both key exchange and signing.

  7. In practice, Bob may initiate the double ratchet protocol using \(\mathsf {k}_\mathsf {B} \) and send his message to Alice along with \(g^y\) to the server before Alice responds.

  8. This property has also been called post-specified peers [22] in the context of Internet Key Exchange (IKE) protocols.

  9. To be more precise, we additionally assume the \(\mathsf {KEM}\) ciphertext to be anonymous (i.e., indistinguishable from random) as well. This is often the case for standard encryption schemes such as those based on lattices.

  10. We note that the definitions of \(\mathsf{DVS}\) and ring signatures come in various flavors. Thus, we only show equivalence under the security properties that Brendel et al. [19] required to construct their AKE protocol. Namely, our implication relies on the fact that their \(\mathsf{DVS}\) assumes the signature is publicly verifiable.

  11. We assume algorithms \(\mathcal {C} \) and \(\mathcal {E} _\mathcal {C} \) are stateful.

  12. Looking ahead, when the first message is independent of party \(P_j\) (i.e., \(\mathcal {C}\) can first create the first message without knowledge of \(P_j\) and then set \(\mathsf {Pid}^s_i := j\)), we call the scheme receiver oblivious. See Sect. 3.4 for more details.

  13. Note that by definition, the peer id \(\mathsf {Pid}_i^s\) of a tested oracle \(\pi ^s_i\) is always defined.

  14. We note that the subsequent variants differ from the original BR model [9] as they also model forward secrecy and KCI attacks.

  15. Note that the meaning of the session-state is different from those we defined in Sect. 3.1 (i.e., \({\texttt {state}}^s_i\)). In the CK model, a “session-state” is only defined in the security model and does not capture the \({\texttt {state}}^s_i\) specified by the implementation.

  16. These variants also strengthen the CK model by allowing the adversary to obtain the session-state of the tested oracle and further modeling KCI attacks.

  17. Notice the protocol is receiver oblivious since the first message is computed independently of the receiver.

  18. Unlike in the figure, the signed pre-key and pre-key signature are uploaded by all the parties and not only by Alice.

  19. In Table 2, pairing KEMs and signatures schemes with the same NIST security level yields \(7 \times 5 + 7 \times 4 + 6 \times 5 = 93\) distinct combinations (some schemes offer multiple instantiations at a given NIST level).

  20. The X3DH protocol assumes the parties authenticate the long-term public keys through some authenticated channel [63, Section 4.1].

  21. The results for all 93 instantiations can be found in the repository containing the implementation [55].

  22. We only consider schemes that are proven secure in the (possibly a slight variant of the) deniability framework proposed by the seminal work of Di Raimondo et al. [32].

  23. We observe that although in [32, Definition 2], \(\mathsf {aux}\) is defined as fixed information that \(\mathcal {M}\) cannot adaptively choose, their proof implicitly assumes that \(\mathsf {aux}\) is sampled adaptively from some distribution dependent on \((\mathsf {pp}, \overrightarrow{\mathsf {lpk}}, \overrightarrow{\mathsf {lsk}})\). Such adaptivity of \(\mathsf {aux}\) is necessary to invoke PA-2 security of the underlying encryption scheme in their security proof. We view enhancing the deniability definition of [32] to capture this adaptivity as important future work.

  24. Notice the protocol is receiver oblivious since the first message is computed independently of the receiver.

  25. Although we only consider a classical adversary \(\mathcal {M} \), it can be checked that the exact same proof holds even for a quantum adversary.

  26. To be fair, we compare \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) with a variant of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) that does not sign the first message. Presented in [47], such a variant is as secure as \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) (modulo the difference between weak and perfect forward secrecy), and the main difference between the two schemes is deniability.

  27. The attack equally works for the subsequent protocol proposed by Brendel et al. [19]. We note that this does not contradict their security proof since the new definition of indistinguishability-based deniability they introduce does not capture malicious adversaries.

  28. This guarantees that the witness from a proof can be extracted without rewinding the adversary.

  29. We note that this is redundant since it is implicitly implied by the key-awareness assumption. We only include it for clarity.

  30. We note that although we can consider an adversary \(\mathcal {A} \) that makes no reveal queries (i.e., all \(\mathsf {lsk}\) and \({\texttt {state}}\) are either \(\times \) or “-”), we can exclude them without loss of generality since such an \(\mathcal {A} \) can always be modified into an adversary \(\mathcal {A} '\) that follows one of the strategies listed in Table 1.

  31. For example, \(\mathcal {C}\) can efficiently notice if the two oracles \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) become non-partners even before \(\mathcal {A} \) makes a \(\mathsf {Test}\)-query by checking the input–output of each oracle.

  32. We note that for Lemma A.1 we do not require the full power of the PRF; a pseudorandom generator (PRG) would have sufficed since the key \(\mathsf {K}_2\) is used nowhere else in the game.

  33. Note that Lemma B.3 (resp. Lemma B.4) corresponds to Lemma A.1 (resp. Lemma A.2).

References

  1. D. Aharonov, O. Regev, Lattice problems in NP ∩ coNP, in 45th FOCS (IEEE Computer Society Press, 2004), pp. 362–371

  2. J. Alawatugoda, D. Stebila, C. Boyd, Modelling after-the-fact leakage for key exchange, in S. Moriai, T. Jaeger, K. Sakurai, editors, ASIACCS 14 (ACM Press, 2014), pp. 207–216

  3. J. Alwen, S. Coretti, Y. Dodis, The double ratchet: security notions, proofs, and modularization for the Signal protocol, in Y. Ishai, V. Rijmen, editors, EUROCRYPT 2019, Part I, volume 11476 of LNCS (Springer, Heidelberg, 2019), pp. 129–158

  4. C. Bader, D. Hofheinz, T. Jager, E. Kiltz, Y. Li, Tightly-secure authenticated key exchange, in Y. Dodis, J.B. Nielsen, editors, TCC 2015, Part I, volume 9014 of LNCS (Springer, Heidelberg, 2015), pp. 629–658

  5. M. Bellare, New proofs for NMAC and HMAC: security without collision-resistance, in C. Dwork, editor, CRYPTO 2006, volume 4117 of LNCS (Springer, Heidelberg, 2006), pp. 602–619

  6. M. Bellare, New proofs for NMAC and HMAC: security without collision resistance. J. Cryptol. 28(4), 844–878 (2015)


  7. M. Bellare, A. Desai, D. Pointcheval, P. Rogaway, Relations among notions of security for public-key encryption schemes, in H. Krawczyk, editor, CRYPTO’98, volume 1462 of LNCS (Springer, Heidelberg, 1998), pp. 26–45

  8. M. Bellare, A. Palacio, Towards plaintext-aware public-key encryption without random oracles, in P.J. Lee, editor, ASIACRYPT 2004, volume 3329 of LNCS (Springer, Heidelberg, 2004), pp. 48–62

  9. M. Bellare, P. Rogaway, Entity authentication and key distribution, in D.R. Stinson, editor, CRYPTO’93, volume 773 of LNCS (Springer, Heidelberg, 1994), pp. 232–249

  10. M. Bellare, P. Rogaway, Optimal asymmetric encryption, in A.D. Santis, editor, EUROCRYPT’94, volume 950 of LNCS (Springer, Heidelberg, 1995), pp. 92–111

  11. M. Bellare, A.C. Singh, J. Jaeger, M. Nyayapati, I. Stepanovs, Ratcheted encryption and key exchange: the security of messaging, in J. Katz, H. Shacham, editors, CRYPTO 2017, Part III, volume 10403 of LNCS (Springer, Heidelberg, 2017), pp. 619–650

  12. D.J. Bernstein, Curve25519: new Diffie–Hellman speed records, in M. Yung, Y. Dodis, A. Kiayias, T. Malkin, editors, PKC 2006, volume 3958 of LNCS (Springer, Heidelberg, 2006), pp. 207–228

  13. W. Beullens, S. Katsumata, F. Pintore, Calamari and Falafl: logarithmic (linkable) ring signatures from isogenies and lattices, in S. Moriai, H. Wang, editors, ASIACRYPT 2020, Part II, volume 12492 of LNCS (Springer, Heidelberg, 2020), pp. 464–492

  14. W. Beullens, T. Kleinjung, F. Vercauteren, CSI-FiSh: efficient isogeny based signatures through class group computations, in S.D. Galbraith, S. Moriai, editors, ASIACRYPT 2019, Part I, volume 11921 of LNCS (Springer, Heidelberg, 2019), pp. 227–247

  15. S. Blake-Wilson, D. Johnson, A. Menezes, Key agreement protocols and their security analysis, in M. Darnell, editor, 6th IMA International Conference on Cryptography and Coding, volume 1355 of LNCS (Springer, Heidelberg, 1997), pp. 30–45

  16. S. Blake-Wilson, A. Menezes, Unknown key-share attacks on the station-to-station (STS) protocol, in H. Imai, Y. Zheng, editors, PKC’99, volume 1560 of LNCS (Springer, Heidelberg, 1999), pp. 154–170

  17. X. Bonnetain, A. Schrottenloher, Quantum security analysis of CSIDH, in A. Canteaut, Y. Ishai, editors, EUROCRYPT 2020, Part II, volume 12106 of LNCS (Springer, Heidelberg, 2020), pp. 493–522

  18. Z. Brakerski, Y.T. Kalai, A framework for efficient signatures, ring signatures and identity based encryption in the standard model. Cryptology ePrint Archive, Report 2010/086 (2010). https://eprint.iacr.org/2010/086

  19. J. Brendel, R. Fiedler, F. Günther, C. Janson, D. Stebila, Post-quantum asynchronous deniable key exchange and the signal handshake. Cryptology ePrint Archive, Report 2021/769 (2021)

  20. J. Brendel, M. Fischlin, F. Günther, C. Janson, D. Stebila, Towards post-quantum security for signal’s X3DH handshake, in O. Dunkelman, M.J. Jacobson, Jr., C. O’Flynn, editors, Selected Areas in Cryptography (Springer, Cham, 2020), pp. 404–430

  21. R. Canetti, H. Krawczyk, Analysis of key-exchange protocols and their use for building secure channels, in B. Pfitzmann, editor, EUROCRYPT 2001, volume 2045 of LNCS (Springer, Heidelberg, 2001), pp. 453–474

  22. R. Canetti, H. Krawczyk, Security analysis of IKE’s signature-based key-exchange protocol, in M. Yung, editor, CRYPTO 2002, volume 2442 of LNCS (Springer, Heidelberg, 2002), pp. 143–161. https://eprint.iacr.org/2002/120/

  23. D. Cash, E. Kiltz, V. Shoup, The twin Diffie–Hellman problem and applications, in N.P. Smart, editor, EUROCRYPT 2008, volume 4965 of LNCS (Springer, Heidelberg, 2008), pp. 127–145

  24. K. Cohn-Gordon, C. Cremers, B. Dowling, L. Garratt, D. Stebila, A formal security analysis of the signal messaging protocol, in IEEE European Symposium on Security and Privacy (EuroS&P) (2017), pp. 451–466

  25. K. Cohn-Gordon, C. Cremers, B. Dowling, L. Garratt, D. Stebila, A formal security analysis of the signal messaging protocol. J. Cryptol. 33(4), 1914–1983 (2020)


  26. K. Cohn-Gordon, C. Cremers, K. Gjøsteen, H. Jacobsen, T. Jager, Highly efficient key exchange protocols with optimal tightness, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part III, volume 11694 of LNCS (Springer, Heidelberg, 2019), pp. 767–797

  27. C. Cremers, Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK, in B.S.N. Cheung, L.C.K. Hui, R.S. Sandhu, D.S. Wong, editors, ASIACCS 11 (ACM Press, 2011), pp. 80–91

  28. C.J.F. Cremers, Session-state reveal is stronger than ephemeral key reveal: attacking the NAXOS authenticated key exchange protocol, in M. Abdalla, D. Pointcheval, P.-A. Fouque, D. Vergnaud, editors, ACNS 09, volume 5536 of LNCS (Springer, Heidelberg, 2009), pp. 20–33

  29. C.J.F. Cremers, M. Feltz, Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal, in S. Foresti, M. Yung, F. Martinelli, editors, ESORICS 2012, volume 7459 of LNCS (Springer, Heidelberg, 2012), pp. 734–751

  30. B. de Kock, K. Gjøsteen, M. Veroni, Practical isogeny-based key-exchange with optimal tightness, in O. Dunkelman, M.J. Jacobson, Jr., C. O’Flynn, editors, Selected Areas in Cryptography (Springer, Cham, 2020), pp. 451–479

  31. C. de Saint Guilhem, M. Fischlin, B. Warinschi, Authentication in key-exchange: definitions, relations and composition, in L. Jia, R. Küsters, editors, CSF 2020 Computer Security Foundations Symposium (IEEE Computer Society Press, 2020), pp. 288–303

  32. M. Di Raimondo, R. Gennaro, H. Krawczyk, Deniable authentication and key exchange, in A. Juels, R.N. Wright, S. De Capitani di Vimercati, editors, ACM CCS 2006 (ACM Press, 2006), pp. 400–409

  33. W. Diffie, P.C. Van Oorschot, M.J. Wiener, Authentication and authenticated key exchanges. Des. Codes Cryptogr. 2(2), 107–125 (1992)


  34. S. Dobson, S.D. Galbraith, Post-quantum signal key agreement with SIDH. Cryptology ePrint Archive, Report 2021/1187 (2021). https://ia.cr/2021/1187

  35. Y. Dodis, J. Katz, A. Smith, S. Walfish, Composability and on-line deniability of authentication, in O. Reingold, editor, TCC 2009, volume 5444 of LNCS (Springer, Heidelberg, 2009), pp. 146–162

  36. F.B. Durak, S. Vaudenay, Bidirectional asynchronous ratcheted key agreement with linear complexity, in N. Attrapadung, T. Yagi, editors, IWSEC 19, volume 11689 of LNCS (Springer, Heidelberg, 2019), pp. 343–362

  37. M.F. Esgin, R. Steinfeld, J.K. Liu, D. Liu, Lattice-based zero-knowledge proofs: new techniques for shorter and faster constructions and applications, in A. Boldyreva, D. Micciancio, editors, CRYPTO 2019, Part I, volume 11692 of LNCS (Springer, Heidelberg, 2019), pp. 115–146

  38. M.F. Esgin, R. Steinfeld, A. Sakzad, J.K. Liu, D. Liu, Short lattice-based one-out-of-many proofs and applications to ring signatures, in R.H. Deng, V. Gauthier-Umaña, M. Ochoa, M. Yung, editors, ACNS 19, volume 11464 of LNCS (Springer, Heidelberg, 2019), pp. 67–88

  39. M.F. Esgin, R.K. Zhao, R. Steinfeld, J.K. Liu, D. Liu, MatRiCT: efficient, scalable and post-quantum blockchain confidential transactions protocol, in L. Cavallaro, J. Kinder, X. Wang, J. Katz, editors, ACM CCS 2019 (ACM Press, 2019), pp. 567–584

  40. M. Fischlin, Communication-efficient non-interactive proofs of knowledge with online extractors, in V. Shoup, editor, CRYPTO 2005, volume 3621 of LNCS (Springer, Heidelberg, 2005), pp. 152–168

  41. P.-A. Fouque, D. Pointcheval, S. Zimmer, HMAC is a randomness extractor and applications to TLS, in M. Abe, V. Gligor, editors, ASIACCS 08 (ACM Press, 2008), pp. 21–32

  42. E.S.V. Freire, D. Hofheinz, E. Kiltz, K.G. Paterson, Non-interactive key exchange, in K. Kurosawa, G. Hanaoka, editors, PKC 2013, volume 7778 of LNCS (Springer, Heidelberg, 2013), pp. 254–271

  43. A. Fujioka, K. Suzuki, K. Xagawa, K. Yoneyama, Strongly secure authenticated key exchange from factoring, codes, and lattices, in M. Fischlin, J. Buchmann, M. Manulis, editors, PKC 2012, volume 7293 of LNCS (Springer, Heidelberg, 2012), pp. 467–484

  44. A. Fujioka, K. Suzuki, K. Xagawa, K. Yoneyama, Practical and post-quantum authenticated key exchange from one-way secure key encapsulation mechanism, in K. Chen, Q. Xie, W. Qiu, N. Li, W.-G. Tzeng, editors, ASIACCS 13 (ACM Press, 2013), pp. 83–94

  45. K. Gjøsteen, T. Jager, Practical and tightly-secure digital signatures and authenticated key exchange, in H. Shacham, A. Boldyreva, editors, CRYPTO 2018, Part II, volume 10992 of LNCS (Springer, Heidelberg, 2018), pp. 95–125

  46. S. Guo, P. Kamath, A. Rosen, K. Sotiraki, Limits on the efficiency of (ring) LWE based non-interactive key exchange, in A. Kiayias, M. Kohlweiss, P. Wallden, V. Zikas, editors, PKC 2020, Part I, volume 12110 of LNCS (Springer, Heidelberg, 2020), pp. 374–395

  47. K. Hashimoto, S. Katsumata, K. Kwiatkowski, T. Prest, An efficient and generic construction for signal’s handshake (X3DH): post-quantum, state leakage secure, and deniable, in J. Garay, editor, PKC 2021, Part II, volume 12711 of LNCS (Springer, Heidelberg, 2021), pp. 410–440

  48. K. Hövelmanns, E. Kiltz, S. Schäge, D. Unruh, Generic authenticated key exchange in the quantum random oracle model, in A. Kiayias, M. Kohlweiss, P. Wallden, V. Zikas, editors, PKC 2020, Part II, volume 12111 of LNCS (Springer, Heidelberg, 2020), pp. 389–422

  49. T. Jager, E. Kiltz, D. Riepel, S. Schäge, Tightly-secure authenticated key exchange, revisited, in A. Canteaut, F.-X. Standaert, editors, EUROCRYPT 2021, Part I, volume 12696 of LNCS (Springer, Heidelberg, 2021), pp. 117–146

  50. D. Jost, U. Maurer, M. Mularczyk, Efficient ratcheting: almost-optimal guarantees for secure messaging, in Y. Ishai, V. Rijmen, editors, EUROCRYPT 2019, Part I, volume 11476 of LNCS (Springer, Heidelberg, 2019), pp. 159–188

  51. D. Jost, U. Maurer, M. Mularczyk, A unified and composable take on ratcheting, in D. Hofheinz, A. Rosen, editors, TCC 2019, Part II, volume 11892 of LNCS (Springer, Heidelberg, 2019), pp. 180–210

  52. T. Kawashima, K. Takashima, Y. Aikawa, T. Takagi, An efficient authenticated key exchange from random self-reducibility on CSIDH, in D. Hong, editor, ICISC 20, volume 12593 of LNCS (Springer, Heidelberg, 2020), pp. 58–84

  53. H. Krawczyk, HMQV: a high-performance secure Diffie–Hellman protocol, in V. Shoup, editor, CRYPTO 2005, volume 3621 of LNCS (Springer, Heidelberg, 2005), pp. 546–566

  54. K. Kurosawa, J. Furukawa, 2-pass key exchange protocols from CPA-secure KEM, in J. Benaloh, editor, CT-RSA 2014, volume 8366 of LNCS (Springer, Heidelberg, 2014), pp. 385–401

  55. K. Kwiatkowski, An efficient and generic construction for signal’s handshake (X3DH): post-quantum, state leakage secure, and deniable. Proof-of-concept implementation (2020). https://github.com/post-quantum-cryptography/post-quantum-state-leakage-secure-ake

  56. K. Kwiatkowski, PQ Crypto Catalog (2020). https://github.com/kriskwiatkowski/pqc

  57. LibTomCrypt. https://github.com/libtom/libtomcrypt

  58. B.A. LaMacchia, K. Lauter, A. Mityagin, Stronger security of authenticated key exchange, in W. Susilo, J.K. Liu, Y. Mu, editors, ProvSec 2007, volume 4784 of LNCS (Springer, Heidelberg, 2007), pp. 1–16

  59. Y. Li, S. Schäge, No-match attacks and robust partnering definitions: defining trivial attacks for security protocols is not trivial, in B.M. Thuraisingham, D. Evans, T. Malkin, D. Xu, editors, ACM CCS 2017 (ACM Press, 2017), pp. 1343–1360

  60. X. Lu, M.H. Au, Z. Zhang, Raptor: a practical lattice-based (linkable) ring signature, in R.H. Deng, V. Gauthier-Umaña, M. Ochoa, M. Yung, editors, ACNS 19, volume 11464 of LNCS (Springer, Heidelberg, 2019), pp. 110–130

  61. V. Lyubashevsky, L. Ducas, E. Kiltz, T. Lepoint, P. Schwabe, G. Seiler, D. Stehlé, S. Bai, CRYSTALS-DILITHIUM. Technical report, National Institute of Standards and Technology (2020). Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  62. M. Marlinspike, T. Perrin, The double ratchet algorithm (2016). https://signal.org/docs/specifications/doubleratchet/

  63. M. Marlinspike, T. Perrin, The X3DH key agreement protocol (2016). https://signal.org/docs/specifications/x3dh/

  64. S. Myers, M. Sergi, A. shelat, Blackbox construction of a more than non-malleable CCA1 encryption scheme from plaintext awareness, in I. Visconti, R.D. Prisco, editors, SCN 12, volume 7485 of LNCS (Springer, Heidelberg, 2012), pp. 149–165

  65. C. Paquin, D. Stebila, G. Tamvada, Benchmarking post-quantum cryptography in TLS, in J. Ding, J.-P. Tillich, editors, Post-Quantum Cryptography—11th International Conference, PQCrypto 2020 (Springer, Heidelberg, 2020), pp. 72–91

  66. R. Pass, On deniability in the common reference string and random oracle model, in D. Boneh, editor, CRYPTO 2003, volume 2729 of LNCS (Springer, Heidelberg, 2003), pp. 316–337

  67. C. Peikert, He gives C-sieves on the CSIDH, in A. Canteaut, Y. Ishai, editors, EUROCRYPT 2020, Part II, volume 12106 of LNCS (Springer, Heidelberg, 2020), pp. 463–492

  68. T. Perrin, The XEdDSA and VXEdDSA signature schemes (2016). https://signal.org/docs/specifications/xeddsa/

  69. B. Poettering, P. Rösler, Towards bidirectional ratcheted key exchange, in H. Shacham, A. Boldyreva, editors, CRYPTO 2018, Part I, volume 10991 of LNCS (Springer, Heidelberg, 2018), pp. 3–32

  70. D. Pointcheval, O. Sanders, Forward secure non-interactive key exchange, in M. Abdalla, R.D. Prisco, editors, SCN 14, volume 8642 of LNCS (Springer, Heidelberg, 2014), pp. 21–39

  71. T. Prest, P.-A. Fouque, J. Hoffstein, P. Kirchner, V. Lyubashevsky, T. Pornin, T. Ricosset, G. Seiler, W. Whyte, Z. Zhang, FALCON. Technical report, National Institute of Standards and Technology (2020). Available at https://csrc.nist.gov/projects/post-quantum-cryptography/round-3-submissions

  72. Signal protocol: Technical documentation. https://signal.org/docs/

  73. N. Unger, I. Goldberg, Deniable key exchanges for secure messaging, in I. Ray, N. Li, C. Kruegel, editors, ACM CCS 2015 (ACM Press, 2015), pp. 1211–1223

  74. N. Unger, I. Goldberg, Improved strongly deniable authenticated key exchanges for secure messaging. PoPETs 2018(1), 21–66 (2018)


  75. N. Vatandas, R. Gennaro, B. Ithurburn, H. Krawczyk, On the cryptographic deniability of the signal protocol, in M. Conti, J. Zhou, E. Casalicchio, A. Spognardi, editors, ACNS 20, Part II, volume 12147 of LNCS (Springer, Heidelberg, 2020), pp. 188–209

  76. H. Xue, M.H. Au, R. Yang, B. Liang, H. Jiang, Compact authenticated key exchange in the quantum random oracle model. Cryptology ePrint Archive, Report 2020/1282 (2020). https://eprint.iacr.org/2020/1282

  77. H. Xue, X. Lu, B. Li, B. Liang, J. He, Understanding and constructing AKE via double-key key encapsulation mechanism, in T. Peyrin, S. Galbraith, editors, ASIACRYPT 2018, Part II, volume 11273 of LNCS (Springer, Heidelberg, 2018), pp. 158–189

  78. Z. Yang, Modelling simultaneous mutual authentication for authenticated key exchange, in J.L. Danger, M. Debbabi, J.-Y. Marion, J. Garcia-Alfaro, N. Zincir Heywood, editors, Foundations and Practice of Security (Springer, Cham, 2014), pp. 46–62

  79. Z. Yang, Y. Chen, S. Luo, Two-message key exchange with strong security from ideal lattices, in N.P. Smart, editor, CT-RSA 2018, volume 10808 of LNCS (Springer, Heidelberg, 2018), pp. 98–115

  80. A.C.-C. Yao, Y. Zhao, Deniable internet key exchange, in J. Zhou, M. Yung, editors, ACNS 10, volume 6123 of LNCS (Springer, Heidelberg, 2010), pp. 329–348

  81. T.H. Yuen, M.F. Esgin, J.K. Liu, M.H. Au, Z. Ding, DualRing: generic construction of ring signatures with efficient instantiations, in T. Malkin, C. Peikert, editors, CRYPTO 2021, Part I, volume 12825 of LNCS (Springer, Heidelberg, 2021), pp. 251–281


Acknowledgements

The second author was supported by JST CREST Grant Number JPMJCR19F6. The third and fourth authors were supported by the Innovate UK Research Grant 104423 (PQ Cybersecurity).


Corresponding author

Correspondence to Keitaro Hashimoto.

Additional information

Communicated by Masayuki Abe.


This is the full version of a preliminary work that appeared in PKC 2021 [47].

Appendices

A Full Proofs for Signal-Conforming AKE \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\)

We prove the security of our Signal-conforming AKE protocol \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) .

Proof of Theorem 4.3

Let \(\mathcal {A}\) be an adversary that plays the security game \(G^{\mathsf {FS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {AKE} {}}(\mu , \ell )\) with the challenger \(\mathcal {C}\) with advantage \(\mathsf {Adv}{}^{\mathsf {AKE}\textsf {-}\mathsf {FS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {AKE} {}}(\mathcal {A}) = \epsilon \). In order to prove Theorem 4.3, we distinguish between the strategies that can be taken by \(\mathcal {A} \). Specifically, \(\mathcal {A} \)’s strategy can be divided into the eight types of strategies listed in Table 1. These strategies are mutually exclusive and together cover all possible (non-trivial) strategies (Footnote 30). We point out that for our specific AKE construction we have \({\texttt {state}}_\mathtt {resp}:= \bot \) since the responder does not maintain any state (see Remark 4.1). Therefore, the Type-1 (resp. Type-3, Type-7) strategy is strictly stronger than the Type-2 (resp. Type-4, Type-8) strategy. We only include the full list of strategy types in Table 1 as we believe it would be helpful when proving other AKE protocols, and note that our proof implicitly handles both strategies at the same time.

For each possible strategy taken by \(\mathcal {A} \), we construct an algorithm that breaks one of the underlying assumptions by using such an adversary \(\mathcal {A} \) as a subroutine. More formally, we construct six algorithms \(\mathcal {B}_{1}\), \(\mathcal {B}_{2}\), \(\mathcal {B}_{3,0}\), \(\mathcal {B}_{3,1}\), \(\mathcal {D}_{1}\) and \(\mathcal {D}_{2}\) satisfying the following:

  1. If \(\mathcal {A}\) uses the Type-1 (or Type-2) strategy, then \(\mathcal {B}_{1}\) succeeds in breaking the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell ^{2}}\epsilon \) or \(\mathcal {D}_{1}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell ^{2}}\epsilon \).

  2. If \(\mathcal {A}\) uses the Type-3 (or Type-4) strategy, then \(\mathcal {B}_{2}\) succeeds in breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \) or \(\mathcal {D}_{2}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \).

  3. If \(\mathcal {A}\) uses the Type-5 or Type-6 strategy, then \(\mathcal {B}_{3,0}\) succeeds in breaking the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) with advantage \(\approx \frac{1}{\mu }\epsilon \).

  4. If \(\mathcal {A}\) uses the Type-7 (or Type-8) strategy, then \(\mathcal {B}_{3,1}\) succeeds in breaking the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) with advantage \(\approx \frac{1}{\mu }\epsilon \).

We present a security proof structured as a sequence of games. Without loss of generality, we assume that \(\mathcal {A}\) always issues a \(\mathsf {Test}\)-query. In the following, let \(\mathsf {S}_{j}\) denote the event that \(b = b'\) occurs in game \(G_{j}\) and let \(\epsilon _{j} \mathrel {\mathop :}=\left| \Pr \left[ \mathsf {S}_{j}\right] - 1/2 \right| \) denote the advantage of the adversary in game \(G_{j}\). Regardless of the strategy taken by \(\mathcal {A}\), all proofs share a common game sequence \(G_{0}\)-\(G_{1}\) as described below.

Game \(G_{0}\). This game is identical to the original security game. We thus have

$$\begin{aligned} \epsilon _{0} = \epsilon . \end{aligned}$$

Game \(G_{1}\). This game is identical to \(G_{0}\), except that we add an abort condition. Let \(\mathsf {E}_{\mathsf {corr}}{}\) be the event that there exist two partner oracles \(\pi ^s_i\) and \(\pi ^t_j\) that do not agree on the same session key. If \(\mathsf {E}_{\mathsf {corr}}\) occurs, then \(\mathcal {C}\) aborts (i.e., sets \(\mathcal {A} \)’s output to be a random bit) at the end of the game.

There are at most \(\mu \ell /2\) responder oracles and each oracle is assigned uniform randomness. From Theorem 4.2, the probability of error occurring during the security game is at most \(\mu \ell (\delta _{\mathsf{SIG}{}} + 2\delta _{\mathsf {KEM}})/2\). Therefore, \(\mathsf {E}_{\mathsf {corr}}\) occurs with probability at most \(\mu \ell (\delta _{\mathsf{SIG}{}} + 2\delta _{\mathsf {KEM}})/2\). We thus have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{0}\right] - \Pr \left[ \mathsf {S}_{1}\right] \right| \le \frac{\mu \ell }{2} \cdot (\delta _{\mathsf{SIG}{}} + 2\delta _{\mathsf {KEM}} ). \end{aligned}$$

In the following games we assume no decryption error or signature verification error occurs.

We now divide the game sequence depending on the strategy taken by the adversary \(\mathcal {A}\). Regardless of \(\mathcal {A}{}\)’s strategy, we prove that \(\epsilon _{1}\) is negligible, which in particular implies that \(\epsilon \) is also negligible. Formally, this is shown in Lemmata A.1 to A.4 provided in their respective subsections below. We first complete the proof of the theorem. Specifically, by combining all the lemmata together and folding adversaries \(\mathcal {B}_{3,0}\) and \(\mathcal {B}_{3,1}\) into one adversary \(\mathcal {B}_{3}\), we obtain the following desired bound:

$$\begin{aligned}&\mathsf {Adv}{}^{\mathsf {AKE}\textsf {-}\mathsf {FS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {AKE} {}}(\mathcal {A})\\&\quad \le \max \left\{ \begin{array}{l} \mu ^{2}\ell ^{2} \cdot (\mathsf {Adv}^{\mathsf {IND\text {-}CPA}}_{\mathsf {wKEM}}(\mathcal {B}_{1}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{1}) + \varepsilon _{\mathsf {Ext}}),\\ \mu ^{2}\ell \cdot (\mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM}}(\mathcal {B}_{2}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}) + \varepsilon _{\mathsf {Ext}}) + \mu \ell ^{2} \cdot \left( \frac{1}{2^{ 2 \chi _{\mathsf {KEM}}}} + \frac{1}{2^{\nu _{\mathsf {KEM}}}}\right) ,\\ \mu \cdot \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3}), \end{array} \right\} \\&\qquad + \frac{\mu \ell }{2} \cdot (\delta _{\mathsf{SIG}{}} + 2\delta _{\mathsf {KEM}} ) \end{aligned}$$

Here, the running time of each of the algorithms \(\mathcal {B}_{1}\), \(\mathcal {B}_{2}\), \(\mathcal {B}_{3}\), \(\mathcal {D}_{1}\) and \(\mathcal {D}_{2}\) consists essentially of the time required to simulate the security game for \(\mathcal {A}\) once, plus a minor number of additional operations. \(\square \)
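As an added worked step, not written out in the original proof, the displayed bound is obtained from the \(G_{0}\)-\(G_{1}\) hop and the four lemmata by the triangle inequality; here \(\mathcal {B}_{3,1}\) is the forger from Lemma A.4 and \(\mathcal {B}_{3}\) is whichever of \(\mathcal {B}_{3,0}\), \(\mathcal {B}_{3,1}\) has the larger advantage:

$$\begin{aligned} \epsilon = \epsilon _{0} = \left| \Pr \left[ \mathsf {S}_{0}\right] - \tfrac{1}{2} \right| &\le \left| \Pr \left[ \mathsf {S}_{0}\right] - \Pr \left[ \mathsf {S}_{1}\right] \right| + \left| \Pr \left[ \mathsf {S}_{1}\right] - \tfrac{1}{2} \right| \le \frac{\mu \ell }{2} \cdot (\delta _{\mathsf{SIG}{}} + 2\delta _{\mathsf {KEM}} ) + \epsilon _{1}, \\ \epsilon _{1} &\le \max \left\{ \begin{array}{l} \mu ^{2}\ell ^{2} \cdot (\mathsf {Adv}^{\mathsf {IND\text {-}CPA}}_{\mathsf {wKEM}}(\mathcal {B}_{1}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{1}) + \varepsilon _{\mathsf {Ext}}),\\ \mu ^{2}\ell \cdot (\mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM}}(\mathcal {B}_{2}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}) + \varepsilon _{\mathsf {Ext}}) + \mu \ell ^{2} \cdot \left( \frac{1}{2^{ 2 \chi _{\mathsf {KEM}}}} + \frac{1}{2^{\nu _{\mathsf {KEM}}}}\right) ,\\ \mu \cdot \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,0}),\ \mu \cdot \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,1}) \end{array} \right\} , \\ \mu \cdot \max \left\{ \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,0}), \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,1}) \right\} &= \mu \cdot \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3}). \end{aligned}$$

The second line uses that a fixed \(\mathcal {A}\) follows exactly one of the strategies, so \(\epsilon _{1}\) is bounded by the lemma for that strategy and hence by the maximum over all of them; substituting the third line into the second and the second into the first gives the stated bound.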

It remains to prove Lemmata A.1 to A.4.

Proof of Lemma A.1: Against Type-1 or Type-2 Adversary

Lemma A.1

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-1 or Type-2 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{1}\) breaking the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\) and \(\mathcal {D}_{1}\) breaking the security of PRF \(\mathsf {F}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell ^{2} \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CPA}}_{\mathsf {wKEM}}(\mathcal {B}_{1}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{1})+ \varepsilon _{\mathsf {Ext}}\right) . \end{aligned}$$

Proof of Lemma A.1

We present the rest of the sequence of games from game \(G_{1}\).

Game \(G_{2}\) In this game, at the beginning of the game, \(\mathcal {C}\) chooses an initiator oracle \(\pi ^{\hat{s}}_{\hat{\imath }}\) and a responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) uniformly at random from the \(\mu \ell \) oracles. Let \(\mathsf {E_{testO}}\) be the event that the tested oracle is neither \(\pi ^{\hat{s}}_{\hat{\imath }}\) nor \(\pi ^{\hat{t}}_{\hat{\jmath }}\), or that \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) are not partners. Since \(\mathsf {E_{testO}}\) is an efficiently checkable event, \(\mathcal {C}\) aborts as soon as it detects that event \(\mathsf {E_{testO}}\) occurs (Footnote 31). \(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability at least \(1/\mu ^{2}\ell ^{2}\), so we have

$$\begin{aligned} \epsilon _{2} \ge \frac{1}{\mu ^{2}\ell ^{2}}\epsilon _{1}. \end{aligned}$$

Game \(G_{3}\) In this game, we modify the way the initiator oracle \(\pi ^{\hat{s}}_{\hat{\imath }}\) responds on its second invocation. In particular, when \(\pi ^{\hat{s}}_{\hat{\imath }}\) is invoked (on the second time) on input \((\mathsf {C}, \mathsf {C}_{T}, \mathsf {c})\), it proceeds as in the previous game except that it uses the key \(\mathsf {K}_{T}\) that was generated by the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) rather than using the key obtained through decrypting \(\mathsf {C}_{T}\). Here, conditioned on \(\mathsf {E_{testO}}\) not occurring, we are guaranteed that the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) generated \(\mathsf {C}_{T}\) by running \((\mathsf {K}_{T}, \mathsf {C}_{T}) \leftarrow \mathsf {wKEM}.\mathsf {Encap}(\mathsf {ek}_{T})\), where \(\mathsf {ek}_T\) is the encapsulation key that \(\pi ^{\hat{s}}_{\hat{\imath }}\) outputs on the first invocation. This is because otherwise, the oracles \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) will not be partner oracles. Conditioning on event \(\mathsf {E}_{\mathsf {corr}}{}\) (i.e., decryption failure) not occurring, the two games \(G_2\) and \(G_3\) are identical. Hence,

$$\begin{aligned} \epsilon _{3} = \epsilon _2. \end{aligned}$$

Game \(G_{4}\) In this game, we modify the way the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) responds. When the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) is invoked on input \(\mathsf {ek}_T\), the game samples a random key instead of computing \((\mathsf {K}_{T}, \mathsf {C}_{T}) \leftarrow \mathsf {wKEM}.\mathsf {Encap}(\mathsf {ek}_{T})\). Note that when the initiator oracle \(\pi ^{\hat{s}}_{\hat{\imath }}\) is invoked (on the second time) on input \((\mathsf {C}, \mathsf {C}_{T}, \mathsf {c})\), it uses this random key \(\mathsf {K}_T\). We claim \(G_{3}\) and \(G_{4}\) are indistinguishable assuming the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\). To prove this, we construct an algorithm \(\mathcal {B}_{1}\) breaking the \(\mathsf {IND\text {-}CPA}\) security as follows.

\(\mathcal {B}_{1}\) receives a public parameter \(\mathsf {pp}{}_{\mathsf {wKEM}}\), a public key \(\mathsf {ek}^{*}\), and a challenge \((\mathsf {K}^{*}, \mathsf {C}^{*})\) from its challenger. \(\mathcal {B}_{1}\) sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) using \(\mathsf {pp}{}_{\mathsf {wKEM}}\) and computes \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) for all \(i \in [\mu ]\) by running the protocol honestly, and samples \((\hat{\imath }, \hat{\jmath }, \hat{s}, \hat{t})\) uniformly random from \([\mu ]^2 \times [\ell ]^2\). It then invokes \(\mathcal {A}\) on the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers queries made by \(\mathcal {A}\) as follows:

  • \(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): If \((i, s, j) = (\hat{\imath }, \hat{s}, \hat{\jmath })\), then \(\mathcal {B}_{1}\) returns \(\mathsf {ek}^{*}\) to \(\mathcal {A} \) and implicitly sets \({\texttt {state}}^{s}_{i} \mathrel {\mathop :}={} \mathsf {dk}^{*}\). Otherwise, \(\mathcal {B}_{1}\) responds as in \(G_4\).

  • \(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): Let \(i \mathrel {\mathop :}=\mathsf {Pid}^{t}_{j}\). Depending on the values of \((j, t, i)\), it performs the following:

    • If \((j, t) = (\hat{\jmath }, \hat{t})\) and \(i \ne \hat{\imath }\), then \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) cannot be partner oracles. Therefore, since event \(\mathsf {E_{testO}}\) is triggered, \(\mathcal {B}_{1}\) aborts.

    • If \((j, t, i) = (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{1}\) checks if \(\mathsf {ek}_T =\mathsf {ek}^*\). If not, event \(\mathsf {E_{testO}}\) is triggered so it aborts. Otherwise, it proceeds as in \(G_4\) except that it sets \(\mathsf {K}{}_{T} = \mathsf {K}^{*}\) and \(\mathsf {C}{}_{T} = \mathsf {C}^{*}\) rather than sampling them on its own. It then returns the message \((\mathsf {C}, \mathsf {C}_T, \mathsf {c}{})\).

    • If \((j, t, i) \ne (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{1}\) responds as in \(G_4\).

  • \(\mathsf {Send}(i, s, m = (\mathsf {C}, \mathsf {C}_T, \mathsf {c}))\): Let \(j \mathrel {\mathop :}=\mathsf {Pid}^{s}_{i}\). Depending on the values of \((i, s, j)\), it performs the following:

    • If \((i, s) = (\hat{\imath }, \hat{s})\) and \(j \ne \hat{\jmath }\), then \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) cannot be partner oracles. Therefore, since event \(\mathsf {E_{testO}}\) is triggered, \(\mathcal {B}_{1}\) aborts.

    • If \((i, s, j) = (\hat{\imath }, \hat{s}, \hat{\jmath })\), then \(\mathcal {B}_{1}\) checks if \(\mathsf {C}_T = \mathsf {C}^*\). If not, event \(\mathsf {E_{testO}}\) is triggered so it aborts. Otherwise, it responds as in \(G_4\).

    • If \((i, s, j) \ne (\hat{\imath }, \hat{s}, \hat{\jmath })\), then \(\mathcal {B}_{1}\) responds as in \(G_4\).

  • \(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{1}\) proceeds as in the previous game. Here, note that since \(\mathcal {A} \) follows the Type-1 or Type-2 strategy, \(\mathcal {B}_1\) can answer all the \(\mathsf {RevState}\)-queries. Namely, conditioning on \(\mathsf {E_{testO}}\) not occurring, \(\mathcal {A} \) never queries \(\mathsf {RevState}(\hat{\imath }, \hat{s})\) (i.e., \({\texttt {state}}^{\hat{s}}_{\hat{\imath }} \mathrel {\mathop :}={} \mathsf {dk}^{*}\)), which is the only query that \(\mathcal {B}_1\) cannot answer.

  • \(\mathsf {Test}(i, s)\): \(\mathcal {B}_{1}\) responds as in \(G_4\). Here, in case \((i, s) \not \in \left\{ (\hat{\imath }, \hat{s}), (\hat{\jmath },\hat{t}) \right\} \), then event \(\mathsf {E_{testO}}\) is triggered so it aborts.

Finally, if \(\mathcal {A}\) outputs a guess \(b'\), \(\mathcal {B}_{1}\) outputs \(b'\). It can be checked that \(\mathcal {B}_1\) perfectly simulates game \(G_3\) (resp. \(G_4\)) to \(\mathcal {A} \) when the challenge \(\mathsf {K}^{*}\) is the real key (resp. a random key). Thus we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{3}\right] - \Pr \left[ \mathsf {S}_{4}\right] \right| \le \mathsf {Adv}^{\mathsf {IND\text {-}CPA}}_{\mathsf {wKEM}}(\mathcal {B}_{1}). \end{aligned}$$

Game \(G_{5}\) In this game, we modify how the PRF key \(\mathsf {K}_{2}\) is generated by the tested oracle and its partner oracle. Instead of computing \(\mathsf {K}{}_{2} \leftarrow \mathsf {Ext}_{ s {}}(\mathsf {K}_{T})\), both oracles use the same randomly sampled PRF key \(\mathsf {K}_{2}\). Due to the modification we made in the previous game, \(\mathsf {K}_{T}\) is chosen uniformly at random from \(\mathcal {KS}_\mathsf {wKEM}\), so \(\mathsf {K}_T\) has \(\log _2(|\mathcal {KS}_\mathsf {wKEM}|) \ge \gamma _\mathsf {KEM} \) min-entropy. Then, by the definition of the strong (\(\gamma _\mathsf {KEM}, \varepsilon _{\mathsf {Ext}}\))-extractor \(\mathsf {Ext}\), we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{4}\right] - \Pr \left[ \mathsf {S}_{5}\right] \right| \le \varepsilon _{\mathsf {Ext}}. \end{aligned}$$

Game \(G_{6}\) In this game, we modify how the session key \(\mathsf {k}\) is generated by the tested oracle. Instead of computing \(\mathsf {k}\Vert \tilde{k}\leftarrow \mathsf {F}_{\mathsf {K}_{1}}(\mathsf {sid}) \oplus \mathsf {F}_{\mathsf {K}_{2}}(\mathsf {sid})\), the tested oracle (which is either \(\pi ^{\hat{s}}_{\hat{\imath }}\) or \(\pi ^{\hat{t}}_{\hat{\jmath }}\) conditioned on event \(\mathsf {E_{testO}}\) not occurring) computes the session key as \(\mathsf {k}\Vert \tilde{k}\leftarrow \mathsf {F}_{\mathsf {K}{}_{1}}(\mathsf {sid}) \oplus x\), where x is chosen uniformly at random from \( \{ 0,1 \} ^{\kappa + d}\). Since \(\mathsf {K}{}_{2}\) is chosen uniformly and hidden from the views of the adversary \(\mathcal {A} \), games \(G_{5}\) and \(G_{6}\) are indistinguishable by the security of the PRF.Footnote 32 In particular, we can construct a PRF adversary \(\mathcal {D}_{1}\) that uses \(\mathcal {A} \) as a subroutine such that

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{5}\right] - \Pr \left[ \mathsf {S}_{6}\right] \right| \le \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{1}). \end{aligned}$$

In \(G_{6}\), the session key in the tested oracle is uniformly random. Thus, even an unbounded adversary \(\mathcal {A}\) cannot have distinguishing advantages. Therefore, \(\Pr \left[ \mathsf {S}_{6}\right] = 1/2\). Combining everything together, we have

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell ^{2} \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CPA}}_{\mathsf {wKEM}}(\mathcal {B}_{1}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{1}) + \varepsilon _{\mathsf {Ext}}\right) . \end{aligned}$$

\(\square \)

Proof of Lemma A.2: Against Type-3 or Type-4 Adversary

Lemma A.2

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-3 or Type-4 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{2}\) breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) and \(\mathcal {D}_{2}\) breaking the security of PRF \(\mathsf {F}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{2}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}) + \varepsilon _{\mathsf {Ext}}\right) + \mu \ell ^{2} \cdot \left( \frac{1}{2^{ 2 \chi _{\mathsf {KEM}}}} + \frac{1}{2^{\nu _{\mathsf {KEM}}}}\right) . \end{aligned}$$

Proof of Lemma A.2

We present the rest of the sequence of games from game \(G_{1}\).

Game \(G_{2}\) This game is identical to \(G_{1}\), except that we add another abort condition. Let \({\mathsf {E}}_{\mathsf {uniq}}\) be the event that there exists an oracle that has more than one partner oracle. If \({\mathsf {E}}_{\mathsf {uniq}}\) occurs, then \(\mathcal {C}\) aborts. Since \(G_{1}\) and \(G_{2}\) proceed identically unless \({\mathsf {E}}_{\mathsf {uniq}}\) occurs, we have

$$\begin{aligned} \left| \epsilon _1 - \epsilon _2 \right| \le \Pr \left[ {\mathsf {E}}_{\mathsf {uniq}}\right] . \end{aligned}$$

We claim

$$\begin{aligned} \Pr \left[ {\mathsf {E}}_{\mathsf {uniq}}{}\right] \le \mu \ell ^{2} \cdot \left( \frac{1}{2^{ 2 \chi _{\mathsf {KEM}}}} + \frac{1}{2^{\nu _{\mathsf {KEM}}}}\right) . \end{aligned}$$

Fix \(j \in [\mu ]\) and consider the set of oracles \(S_{j} = \left\{ \pi ^{s}_{i} \mid \mathsf {Pid}^{s}_{i} = j \right\} \). For any \(\pi ^{s}_{i} \in S_{j}\), if there exist two oracles \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) with \(t \ne t' \in [\ell ]\) that are partners of \(\pi ^{s}_{i}\), then \(\mathsf {sid}^{s}_{i} = \mathsf {sid}^{t}_{j} = \mathsf {sid}^{t'}_{j}\) holds. We distinguish between the following cases.

Case 1 We first consider the case \(\pi ^{s}_{i}\) is an initiator and \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) are responders. Let \(\mathsf {ek}_{T}\) be the ephemeral encapsulation key generated by \(\pi ^{s}_{i}\). In this case, \({\mathsf {E}}_{\mathsf {uniq}}\) occurs if the responder oracles \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) generate the same ciphertext with respect to \(\mathsf {ek}_{i}\) and \(\mathsf {ek}_{T}\). Since \(\mathsf {ek}_{i}\) and \(\mathsf {ek}_{T}\) are independently and honestly generated by the game and each responder oracle is assigned uniform randomness, the probability of a ciphertext collision is upper bounded by \(\ell ^{2}/2^{2 \chi _{\mathsf {KEM}}}\), where recall \(\chi _{\mathsf {KEM}}\) is the ciphertext min-entropy of \(\Pi _\mathsf{wKEM}\) and \(\Pi _\mathsf {KEM}\) . Taking the union bound over all \(j \in [\mu ]\), we conclude that Case 1 occurs with probability at most \(\mu \ell ^{2}/2^{2\chi _{\mathsf {KEM}}}\).

Case 2 We next consider the case \(\pi ^{s}_{i}\) is a responder and \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) are initiators. In this case, \({\mathsf {E}}_{\mathsf {uniq}}\) occurs if the initiator oracles \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) generate the same ephemeral encapsulation key. Since each initiator oracle samples an encapsulation key independently, the probability of an encapsulation key collision is upper bounded by \(\ell ^{2}/2^{\nu _{\mathsf {KEM}}}\), where recall \(\nu _{\mathsf {KEM}}\) is the encapsulation key min-entropy of \(\Pi _\mathsf{wKEM}\). Taking the union bound over all \(j \in [\mu ]\), we conclude that Case 2 occurs with probability at most \(\mu \ell ^{2}/2^{\nu _{\mathsf {KEM}}}\).

The claim can be shown by combining the two probabilities from Case 1 and Case 2. In the following games we assume every oracle has a unique partner oracle if it exists.
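As an added worked step, not part of the original proof, the pair-collision bound used in Case 1 can be made explicit; it assumes, as the uniform per-oracle randomness provides, that the coins of the two encapsulations of a responder oracle are independent of each other and of the other oracles:

$$\begin{aligned} \Pr \left[ (\mathsf {C}^{t}, \mathsf {C}^{t}_{T}) = (\mathsf {C}^{t'}, \mathsf {C}^{t'}_{T}) \right] &= \sum _{(c, c_{T})} \Pr \left[ (\mathsf {C}^{t'}, \mathsf {C}^{t'}_{T}) = (c, c_{T}) \right] \cdot \Pr \left[ \mathsf {C}^{t} = c \right] \cdot \Pr \left[ \mathsf {C}^{t}_{T} = c_{T} \right] \le 2^{-\chi _{\mathsf {KEM}}} \cdot 2^{-\chi _{\mathsf {KEM}}} = \frac{1}{2^{2\chi _{\mathsf {KEM}}}}, \\ \Pr \left[ \text {Case 1 for a fixed } j \right] &\le \sum _{t < t' \in [\ell ]} \frac{1}{2^{2\chi _{\mathsf {KEM}}}} = \frac{\ell (\ell - 1)}{2} \cdot \frac{1}{2^{2\chi _{\mathsf {KEM}}}} \le \frac{\ell ^{2}}{2^{2\chi _{\mathsf {KEM}}}}, \end{aligned}$$

where \(\mathsf {C}^{t}\) and \(\mathsf {C}^{t}_{T}\) denote the \(\Pi _\mathsf {KEM}\) and \(\Pi _\mathsf{wKEM}\) ciphertexts generated by \(\pi ^{t}_{j}\), and each factor \(\Pr [\mathsf {C}^{t} = c]\), \(\Pr [\mathsf {C}^{t}_{T} = c_{T}]\) is at most \(2^{-\chi _{\mathsf {KEM}}}\) by the definition of ciphertext min-entropy. The union bound over \(j \in [\mu ]\) gives \(\mu \ell ^{2}/2^{2\chi _{\mathsf {KEM}}}\), and Case 2 follows the same pattern with a single encapsulation key of min-entropy \(\nu _{\mathsf {KEM}}\) in place of the ciphertext pair.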

Game \(G_{3}\) In this game, at the beginning of the game, \(\mathcal {C}\) chooses a random party \(P_{\hat{\imath }}\) from the \(\mu \) parties and a random responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) from the \(\mu \ell \) oracles. Let \(\mathsf {E_{testO}}\) be the event whose complement \(\lnot \mathsf {E_{testO}}\) is the event that either the tested oracle is \(\pi ^{s}_{\hat{\imath }}\) for some \(s \in [\ell ]\) and its partner oracle is \(\pi ^{\hat{t}}_{\hat{\jmath }}\), or the tested oracle is \(\pi ^{\hat{t}}_{\hat{\jmath }}\) and its peer is \(P_{\hat{\imath }}\). Since \(\mathsf {E_{testO}}\) is an efficiently checkable event, \(\mathcal {C}\) aborts as soon as it detects that event \(\mathsf {E_{testO}}\) occurs. \(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability \(1/\mu ^{2}\ell \), so we have

$$\begin{aligned} \epsilon _{3} = \frac{1}{\mu ^{2}\ell }\epsilon _{2}. \end{aligned}$$

Game \(G_{4}\) In this game, we modify the way the initiator oracle \(\pi ^{s}_{\hat{\imath }}\) for any \(s \in [\ell ]\) responds on its second invocation. Let \((\mathsf {K}, \mathsf {C})\) be the \(\Pi _\mathsf {KEM}\) key-ciphertext pair generated by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). Then, when \(\pi ^{s}_{\hat{\imath }}\) is invoked (on the second time) on input \((\mathsf {C}', \mathsf {C}_{T}, \mathsf {c})\), it first checks if \(\mathsf {C}' = \mathsf {C}\). If so, it proceeds as in the previous game except that it uses the key \(\mathsf {K}\) that was generated by \(\pi ^{\hat{t}}_{\hat{\jmath }}\) rather than using the key obtained through decrypting \(\mathsf {C}'\). Otherwise, if \(\mathsf {C}' \ne \mathsf {C}\), then it proceeds exactly as in the previous game. Conditioning on event \(\mathsf {E}_{\mathsf {corr}}{}\) (i.e., decryption failure) not occurring, the two games \(G_3\) and \(G_4\) are identical. Hence,

$$\begin{aligned} \epsilon _{4} = \epsilon _3. \end{aligned}$$

Game \(G_{5}\) In this game, we modify the way the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) responds. When the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) is invoked on input \(\mathsf {ek}_T\), it samples a random key instead of computing \((\mathsf {K}, \mathsf {C}) \leftarrow \mathsf {KEM}.\mathsf {Encap}(\mathsf {ek}_{\hat{\imath }})\). Note that due to the modification we made in the previous game, when the initiator oracle \(\pi ^{s}_{\hat{\imath }}\) for any \(s \in [\ell ]\) is invoked (on the second time) on input \((\mathsf {C}', \mathsf {C}_{T}, \mathsf {c})\) for \(\mathsf {C}' = \mathsf {C}\), it uses the random key \(\mathsf {K}\) generated by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). We claim \(G_{4}\) and \(G_{5}\) are indistinguishable assuming the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) . To prove this, we construct an algorithm \(\mathcal {B}_{2}\) breaking the \(\mathsf {IND\text {-}CCA}\) security as follows.

\(\mathcal {B}_{2}\) receives a public parameter \(\mathsf {pp}{}_{\mathsf {KEM}}\), a public key \(\mathsf {ek}^{*}\), and a challenge \((\mathsf {K}^{*}, \mathsf {C}^{*})\) from its challenger. \(\mathcal {B}_{2}\) then samples a random \((\hat{\imath }, \hat{\jmath }, \hat{t})\) from \([\mu ]^{2} \times [\ell ]\), sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) using \(\mathsf {pp}{}_{\mathsf {KEM}}\), and generates the long-term key pairs as follows. For party \(P_{\hat{\imath }}\), \(\mathcal {B}_{2}\) runs \(({\mathsf{vk}}_{\hat{\imath }}, {\mathsf{sk}}_{\hat{\imath }}) \leftarrow \mathsf{SIG}.\mathsf{KeyGen}(\mathsf {pp}_{\mathsf{SIG}})\) and sets the long-term public key as \(\mathsf {lpk} _{\hat{\imath }} := (\mathsf {ek}^{*}, {\mathsf{vk}}_{\hat{\imath }})\) and implicitly sets the long-term secret key as \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}^*, {\mathsf{sk}}_{\hat{\imath }})\), where note that \(\mathcal {B}_2\) does not know \(\mathsf {dk}^*\). For all the other parties \(i \in [\mu \backslash \hat{\imath }]\), \(\mathcal {B}_{2}\) computes the long-term key pairs \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) as in \(G_5\). Finally, \(\mathcal {B}_{2}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries made by \(\mathcal {A}\) as follows:

  • \(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): \(\mathcal {B}_{2}\) responds as in \(G_5\).

  • \(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): Let \(i \mathrel {\mathop :}=\mathsf {Pid}^{t}_{j}\). Depending on the values of \((j, t, i)\), it performs the following:

    • If \((j, t, i) = (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{2}\) responds as in \(G_5\) except that it sets \((\mathsf {K}, \mathsf {C}) := (\mathsf {K}^*, \mathsf {C}^{*})\) rather than generating them on its own. It then returns the message \((\mathsf {C}^{*}, \mathsf {C}_{T}, \mathsf {c}{})\).

    • If \((j, t, i) \ne (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{2}\) responds as in \(G_5\).

  • \(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): Depending on the value of i, it performs the following:

    • If \(i = \hat{\imath }\), then \(\mathcal {B}_{2}\) checks if \(\mathsf {C}= \mathsf {C}^*\). If so, it responds as in \(G_5\) except that it sets \(\mathsf {K}\mathrel {\mathop :}=\mathsf {K}^{*}\). Otherwise, if \(\mathsf {C}\ne \mathsf {C}^*\), then it queries the decapsulation oracle on \(\mathsf {C}\) and receives back \(\mathsf {K}'\). \(\mathcal {B}_2\) then responds as in \(G_5\) except that it sets \(\mathsf {K}\mathrel {\mathop :}=\mathsf {K}'\).

    • If \(i \ne \hat{\imath }\), then \(\mathcal {B}_{2}\) responds as in \(G_5\).

  • \(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{2}\) responds as in \(G_5\). Here, note that since \(\mathcal {A} \) follows the Type-3 or Type-4 strategy, \(\mathcal {B}_2\) can answer all the \(\mathsf {RevLTK}\)-queries. Namely, conditioning on \(\mathsf {E_{testO}}\) not occurring, \(\mathcal {A} \) never queries \(\mathsf {RevLTK}(\hat{\imath })\) (i.e., \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}^*, {\mathsf{sk}}_{\hat{\imath }})\)), which is the only query that \(\mathcal {B}_2\) cannot answer.

  • \(\mathsf {Test}(i, s)\): \(\mathcal {B}_{2}\) responds to the query as in the definition. Here, in case \(i \ne \hat{\imath }\) or \((i, s) \ne (\hat{\jmath },\hat{t})\), event \(\mathsf {E_{testO}}\) is triggered, so it aborts.

If \(\mathcal {A}\) outputs a guess \(b'\), \(\mathcal {B}_{2}\) outputs \(b'\). It can be checked that \(\mathcal {B}_2\) perfectly simulates game \(G_4\) (resp. \(G_5\)) to \(\mathcal {A} \) when the challenge \(\mathsf {K}^{*}\) is the real key (resp. a random key). Thus we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{4}\right] - \Pr \left[ \mathsf {S}_{5}\right] \right| \le \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{2}). \end{aligned}$$

Game \(G_{6}\) In this game, whenever we need to derive \(\mathsf {K}^*_1 \leftarrow \mathsf {Ext}_s(\mathsf {K}^*)\), we instead use a uniformly and randomly chosen PRF key (fixed once and for all), where \(\mathsf {K}^*\) is the KEM key chosen by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). Due to the modification we made in the previous game, \(\mathsf {K}^*\) is chosen uniformly at random from \(\mathcal {KS}_\mathsf {KEM} \), so \(\mathsf {K}^*\) has \(\log _2(|\mathcal {KS}_\mathsf {KEM} |) \ge \gamma _\mathsf {KEM} \) min-entropy. Then, by the definition of the strong (\(\gamma _\mathsf {KEM}, \varepsilon _{\mathsf {Ext}}\))-extractor \(\mathsf {Ext}\), we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{5}\right] - \Pr \left[ \mathsf {S}_{6}\right] \right| \le \varepsilon _{\mathsf {Ext}}. \end{aligned}$$

Game \(G_{7}\) In this game, we sample a random function \(\mathsf {RF}\) and whenever we need to compute \(\mathsf {F}_{\mathsf {K}^*_1}(\mathsf {sid})\) for any \(\mathsf {sid}\), we instead compute \(\mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid})\). Due to the modification we made in the previous game, \(\mathsf {K}^*_1\) is sampled uniformly from \(\mathcal {FK}\). Therefore, the two games can be easily shown to be indistinguishable assuming the pseudo-randomness of the PRF. In particular, we can construct a PRF adversary \(\mathcal {D}_{2}\) such that

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{6}\right] - \Pr \left[ \mathsf {S}_{7}\right] \right| \le \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}). \end{aligned}$$

It remains to show that the session key output by the tested oracle in the game \(G_7\) is uniformly random regardless of the challenge bit \(b \in \{ 0,1 \} \) chosen by the game. We consider the case where \(b = 0\) and prove that the session key honestly generated by the tested oracle is distributed uniformly at random. First, conditioning on event \(\mathsf {E_{testO}}\) not occurring, it must be the case that the tested oracle (and its partner oracle) prepares the session key as \(\mathsf {k}^* \Vert \tilde{k}\leftarrow \mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid}^*) \oplus \mathsf {F}_{\mathsf {K}_{2}}(\mathsf {sid}^*)\) for some \(\mathsf {sid}^*\). That is, \(\mathsf {K}^*_1\) sampled by the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) is used to compute the session key. Next, conditioning on event \({\mathsf {E}}_{\mathsf {uniq}}\) not occurring, the only oracles that share the same \(\mathsf {sid}^*\) must be the tested oracle and its partner oracle, since otherwise the uniqueness of partner oracles would be broken. Therefore, we conclude that \(\mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid}^*)\) is only used to compute the session key of the tested oracle and its partner oracle. Since the outputs of \(\mathsf {RF}\) on different inputs are distributed independently and uniformly at random, we conclude that \(\Pr \left[ \mathsf {S}_{7}\right] = 1/2\). Combining all the arguments together, we obtain

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{2}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}) + \varepsilon _{\mathsf {Ext}}\right) + \mu \ell ^{2} \cdot \left( \frac{1}{2^{ 2 \chi _{\mathsf {KEM}}}} + \frac{1}{2^{\nu _{\mathsf {KEM}}}}\right) . \end{aligned}$$

\(\square \)

Proof of Lemma A.3: Against Type-5 or Type-6 Adversary

Lemma A.3

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-5 or Type-6 strategy, there exists a \(\mathsf {QPT}\) algorithm \(\mathcal {B}_{3,0}\) breaking the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu \cdot \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,0}). \end{aligned}$$

Proof of Lemma A.3

We present the rest of the sequence of games from game \(G_{1}\).

Game \(G_{2}\) In this game, at the beginning of the game, \(\mathcal {C}\) chooses a party \(P_{\hat{\jmath }}\) uniformly at random from the \(\mu \) parties. Let \(\mathsf {E_{testO}}\) be the event that the peer of the tested oracle is not \(P_{\hat{\jmath }}\). If event \(\mathsf {E_{testO}}\) occurs, \(\mathcal {C}\) aborts. Since \(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability \(1/\mu \), we have

$$\begin{aligned} \epsilon _{2} = \frac{1}{\mu }\epsilon _{1}. \end{aligned}$$

Game \(G_{3}\) This game is identical to \(G_{2}\), except that we add an abort condition. Let S be a list of the message-signature pairs that \(P_{\hat{\jmath }}\) generated while acting as a responder oracle. That is, every time \(\pi ^t_{\hat{\jmath }}\) for some \(t \in [\ell ]\) is invoked as a responder, it updates the list S by appending the message-signature pair \((\mathsf {sid}^t_{\hat{\jmath }}, \sigma ^t_{\hat{\jmath }})\) that it generates. Then, when an initiator oracle \(\pi _{i}^s\) for any \((i, s) \in [\mu ] \times [\ell ]\) is invoked on input \((\mathsf {C}, \mathsf {C}_{T}, \mathsf {c})\) from party \(P_{\hat{\jmath }}\) (i.e., \(\mathsf {Pid}^s_i = \hat{\jmath }\)), it first computes \(\mathsf {sid}^s_i\) and \(\sigma \) as in the previous game, and then checks the following condition: if \(\mathsf{SIG}.\mathsf{Verify}({\mathsf{vk}}_{\hat{\jmath }}, \mathsf {sid}^s_i, \sigma ) = 1\) and \(P_{\hat{\jmath }}\) is not corrupted, then \((\mathsf {sid}^s_i, \sigma ) \in S\). If the condition does not hold, the game aborts. Otherwise, it proceeds as in the previous game. We denote by \(\mathsf {E_{sig}}\) the event that this abort occurs. Since the two games are identical until abort, we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{2}\right] - \Pr \left[ \mathsf {S}_{3}\right] \right| \le \Pr \left[ \mathsf {E_{sig}}\right] . \end{aligned}$$

Before bounding \(\Pr \left[ \mathsf {E_{sig}}\right] \), we finish the proof of the lemma. We show that no adversary \(\mathcal {A} \) following the Type-5 or Type-6 strategy has any winning advantage in game \(G_3\), i.e., \(\Pr [\mathsf {S}_3] = 1/2\). To see this, first let us assume \(\mathcal {A} \) issued \(\mathsf {Test}(i^{*}, s^{*})\) and received a key that is not \(\bot \). That is, \(\pi ^{s^*}_{i^*}\) is in the \(\mathtt {accept}\) state. Due to the modification we made in game \(G_2\) and by the definition of the Type-5 or Type-6 strategy, conditioning on \(\mathsf {E_{testO}}\) not occurring, \(\pi ^{s^*}_{i^*}\) has no partner oracle \(\pi ^t_{\hat{\jmath }}\) for any \(t \in [\ell ]\) and the peer \(P_{\hat{\jmath }}\) was not corrupted before \(\pi ^{s^*}_{i^*}\) completed the protocol execution. On the other hand, if \(\pi ^{s^*}_{i^*}\) is in the \(\mathtt {accept}\) state, then event \(\mathsf {E_{sig}}\) must not have been triggered. Consequently, there exists some oracle \(\pi ^t_{\hat{\jmath }}\) that output \((\mathsf {sid}^{s^*}_{i^*}, \sigma ^*)\). Parsing \(\mathsf {sid}^{s^*}_{i^*}\) as \( P _{ i^{*} } \Vert P_{\hat{\jmath }} \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{\hat{\jmath }} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}\), this implies that \(\pi ^t_{\hat{\jmath }}\) and \(\pi ^{s^*}_{i^*}\) are partner oracles. Since this forms a contradiction, \(\mathcal {A} \) can only receive \(\bot \) when it issues \(\mathsf {Test}(i^{*}, s^{*})\). Hence, since the challenge bit b is statistically hidden from \(\mathcal {A} \), we have \(\Pr [\mathsf {S}_3] = 1/2\).

It remains to bound \(\Pr \left[ \mathsf {E_{sig}}\right] \). We do this by constructing an algorithm \(\mathcal {B}_{3,0}\) against the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) . The description of \(\mathcal {B}_{3,0}\) follows: \(\mathcal {B}_{3,0}\) receives the public parameter \(\mathsf {pp}_{\mathsf{SIG}}\) and the challenge verification key \({\mathsf{vk}}^{*}\). \(\mathcal {B}_{3,0}\) sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) as in \(G_2\) using \(\mathsf {pp}_{\mathsf{SIG}}\). \(\mathcal {B}_{3,0}\) then samples \(\hat{\jmath }\) randomly from \([\mu ]\), runs \((\mathsf {dk}_{\hat{\jmath }}, \mathsf {ek}_{\hat{\jmath }}) \leftarrow \mathsf {KEM}.\mathsf {KeyGen}(\mathsf {pp}{}_{\mathsf {KEM}})\), and sets the long-term public key of party \(P_{\hat{\jmath }}\) as \(\mathsf {lpk} _{\hat{\jmath }} \mathrel {\mathop :}={} (\mathsf {ek}_{\hat{\jmath }}, {\mathsf{vk}}^{*})\). The long-term secret key is implicitly set as \(\mathsf {lsk}_{\hat{\jmath }} \mathrel {\mathop :}=(\mathsf {dk}_{\hat{\jmath }}, {\mathsf{sk}}^*)\), where \({\mathsf{sk}}^*\) is unknown to \(\mathcal {B}_{3,0}\). For the rest of the parties \( P _{ i }\) for \(i \in [\mu \backslash \hat{\jmath }]\), \(\mathcal {B}_{3,0}\) generates \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) as in \(G_2\). Finally, \(\mathcal {B}_{3,0}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries by \(\mathcal {A}\) as follows:

  • \(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): \(\mathcal {B}_{3,0}\) responds as in \(G_2\).

  • \(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): Depending on the value of j, it performs the following:

    • If \(j = \hat{\jmath }\), then \(\mathcal {B}_{3,0}\) prepares \(\mathsf {sid}^t_{\hat{\jmath }}\) as in \(G_2\), and then sends \(\mathsf {sid}^t_{\hat{\jmath }}\) to its signing oracle and receives back a signature \(\sigma '\) for message \(\mathsf {sid}^t_{\hat{\jmath }}\) under \({\mathsf{sk}}^{*}\). \(\mathcal {B}_{3,0}\) then responds as in \(G_2\) except that it sets \(\sigma \mathrel {\mathop :}=\sigma '\).

    • If \(j \ne \hat{\jmath }\), then \(\mathcal {B}_{3,0}\) responds as in \(G_2\).

  • \(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): \(\mathcal {B}_{3,0}\) responds as in \(G_2\).

  • \(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{3,0}\) responds as in \(G_2\). Here, note that since \(\mathcal {A} \) follows the Type-5 or Type-6 strategy, \(\mathcal {B}_{3,0}\) can answer all \(\mathsf {RevLTK}\)-queries. Namely, conditioned on \(\mathsf {E_{testO}}\) not occurring, \(\mathcal {A} \) never queries \(\mathsf {RevLTK}(\hat{\jmath })\) (i.e., \(\mathsf {lsk}_{\hat{\jmath }} := (\mathsf {dk}_{\hat{\jmath }}, {\mathsf{sk}}^*)\)), which is the only query that \(\mathcal {B}_{3,0}\) cannot answer.

  • \(\mathsf {Test}(i, s)\): \(\mathcal {B}_{3,0}\) responds as in \(G_2\). Here, in case \(\mathsf {Pid}^s_i \ne \hat{\jmath }\), event \(\mathsf {E_{testO}}\) is triggered, so it aborts.

It is clear that \(\mathcal {B}_{3,0}\) perfectly simulates the view of game \(G_{2}\) to \(\mathcal {A} \). Below, we analyze the probability that \(\mathcal {B}_{3,0}\) breaks the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) and relate it to \(\Pr [\mathsf {E_{sig}}]\).

We assume \(\mathcal {A}\) issues \(\mathsf {Test}(i^{*}, s^{*})\). Let the message sent by the initiator oracle \(\pi ^{s^{*}}_{i^{*}}\) be \((\mathsf {ek}^{*}_{T}, \sigma _{i^*})\) and the message received by \(\pi ^{s^{*}}_{i^{*}}\) be \((\mathsf {C}^{*}, \mathsf {C}^{*}_{T}, \mathsf {c}^{*})\). Let \(\sigma ^{*}\) be the signature recovered from \(\mathsf {c}^{*}\). Then, by the definition of the Type-5 or Type-6 strategy and conditioned on \(\mathsf {E_{testO}}\) not occurring, the tested oracle \(\pi ^{s^{*}}_{i^{*}}\) satisfies the following conditions:

  • \(\mathsf {role}^{s^{*}}_{i^{*}} = \mathtt {init}{}\) and \(\mathsf {Pid}^{s^{*}}_{i^{*}} = \hat{\jmath }\),

  • \(\pi ^{s^{*}}_{i^{*}}\) is in the \(\mathtt {accept}\) state. This implies \(\mathsf{SIG}.\mathsf{Verify}({\mathsf{vk}}^{*}, P _{ i^{*} } \Vert P_{\hat{\jmath }} \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{\hat{\jmath }} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}, \sigma ^{*}) = 1\) holds,

  • \(P_{\hat{\jmath }}\) was not corrupted before \(\pi ^{s^{*}}_{i^{*}}\) completes the protocol execution,

  • \(\pi ^{s^{*}}_{i^{*}}\) has no partner oracles.

Since \(\pi ^{s^{*}}_{i^{*}}\) has no partner oracles, there exists no responder oracle \(\pi ^t_{\hat{\jmath }}\) that has received \(\mathsf {ek}^*_T\) from \( P _{ i^* }\) and output \((\mathsf {C}^{*}, \mathsf {C}^{*}_{T})\). In other words, there is no oracle \(\pi ^t_{\hat{\jmath }}\) that has signed the message \( P _{ i^{*} } \Vert P_{\hat{\jmath }} \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{\hat{\jmath }} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}\). Notice that this is exactly the event \(\mathsf {E_{sig}}\): an initiator oracle \(\pi ^{s^{*}}_{i^{*}}\) receives a signature that was not produced by an oracle \(\pi ^t_{\hat{\jmath }}\) for any \(t \in [\ell ]\), and \(P_{\hat{\jmath }}\) was not corrupted when \(\pi ^{s^{*}}_{i^{*}}\) received the signature. Therefore, \(\mathcal {B}_{3,0}\) obtains a valid forgery \(( P _{ i^{*} } \Vert P_{\hat{\jmath }} \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{\hat{\jmath }} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}, \sigma ^{*})\), and we have \(\Pr [\mathsf {E_{sig}}] = \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,0})\). Combining everything together, we conclude

$$\begin{aligned} \epsilon _{1} \le \mu \cdot \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,0}). \end{aligned}$$

\(\square \)

Proof of Lemma A.4: Against Type-7 or Type-8 Adversary

Lemma A.4

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-7 or Type-8 strategy, there exists a \(\mathsf {QPT}\) algorithm \(\mathcal {B}_{3,1}\) breaking the \(\mathsf {EUF\text {-}CMA}\) of \(\Pi _{\mathsf{SIG}}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu \cdot \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,1}). \end{aligned}$$

Proof of Lemma A.4

We present the rest of the sequence of games from game \(G_{1}\).

Game \(G_{2}\) In this game, at the beginning of the game, \(\mathcal {C}\) chooses a party \(P_{\hat{\imath }}\) uniformly at random from the \(\mu \) parties. Let \(\mathsf {E_{testO}}\) be the event that the peer of the tested oracle is not \(P_{\hat{\imath }}\). If event \(\mathsf {E_{testO}}\) occurs, \(\mathcal {C}\) aborts. Since \(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability \(1/\mu \), we have

$$\begin{aligned} \epsilon _{2} = \frac{1}{\mu }\epsilon _{1}. \end{aligned}$$

Game \(G_{3}\) This game is identical to \(G_{2}\), except that we add an abort condition. Let S be a list of the message-signature pairs that \(P_{\hat{\imath }}\) generated while acting as an initiator oracle. That is, every time \(\pi ^s_{\hat{\imath }}\) for some \(s \in [\ell ]\) is invoked as an initiator, it updates the list S by appending the message-signature pair \((\mathsf {ek}^s_{\hat{\imath }}, \sigma ^s_{\hat{\imath }})\) that it generates. Then, when a responder oracle \(\pi _{j}^t\) for any \((j, t) \in [\mu ] \times [\ell ]\) is invoked on input \((\mathsf {ek}_T, \sigma )\) from party \(P_{\hat{\imath }}\) (i.e., \(\mathsf {Pid}^t_j = \hat{\imath }\)), it checks whether \(\mathsf{SIG}.\mathsf{Verify}({\mathsf{vk}}_{\hat{\imath }}, \mathsf {ek}_T, \sigma ) = 1\) and \(P_{\hat{\imath }}\) is not corrupted; if both hold, it further checks that \((\mathsf {ek}_T, \sigma ) \in S\). If this last check fails, the game aborts. Otherwise, it proceeds as in the previous game. We call the event that an abort occurs \(\mathsf {E_{sig}}\). Since the two games are identical until abort, we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{2}\right] - \Pr \left[ \mathsf {S}_{3}\right] \right| \le \Pr \left[ \mathsf {E_{sig}}\right] . \end{aligned}$$
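The "identical until abort" bookkeeping behind event \(\mathsf {E_{sig}}\), both for the list S of game \(G_{3}\) above and for the \(\mathsf {sid}\)-based variant in the proof of Lemma A.3, is modelled in the following Python as an added example; it is not code from the paper or from its C implementation. The long-term signature scheme is a stand-in Lamport one-time signature over SHA-256 (our choice; the paper's \(\Pi _{\mathsf{SIG}}\) is generic), the party names, keys and ciphertexts are constructed byte-string placeholders, and the length-prefixed encoding of \(\mathsf {sid}\) is our choice where the paper writes plain concatenation.

```python
# Added example (not the paper's code): challenger-side bookkeeping for event
# E_sig.  The signature scheme is a stand-in Lamport one-time signature over
# SHA-256 (our assumption; the paper's Pi_SIG is generic).  Lamport keys are
# one-time, so reusing one below only serves to illustrate the bookkeeping.
import hashlib
import secrets

HASH_BITS = 256


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen():
    # sk: for each digest bit, one preimage for bit 0 and one for bit 1.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(HASH_BITS)]
    vk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, vk


def _digest_bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(HASH_BITS)]


def lamport_sign(sk, msg: bytes) -> bytes:
    # Reveal, for every digest bit, the preimage matching that bit.
    return b"".join(sk[i][bit] for i, bit in enumerate(_digest_bits(msg)))


def lamport_verify(vk, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 32 * HASH_BITS:
        return False
    return all(H(sig[32 * i:32 * (i + 1)]) == vk[i][bit]
               for i, bit in enumerate(_digest_bits(msg)))


def encode_sid(*fields: bytes) -> bytes:
    # P_i || P_j || lpk_i || lpk_j || ek_T || C || C_T (Lemma A.3).  The paper writes
    # plain concatenation; length-prefixing each field (our choice) makes the
    # encoding injective, so distinct field tuples never collide on one sid.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)


class SigBookkeeper:
    """State kept for the guessed party P_hat in game G_3.

    S records every (message, signature) pair produced by P_hat's own oracles,
    i.e. by the reduction's signing oracle.  `check` classifies an incoming pair
    as G_3 does: a non-verifying pair is rejected by the protocol itself, a
    verifying pair is fine if an oracle of P_hat produced it or P_hat is
    corrupted, and a verifying pair explained by neither is the abort event
    E_sig, which the reduction outputs as its EUF-CMA forgery.
    """

    def __init__(self):
        self.sk, self.vk = lamport_keygen()
        self.S = set()
        self.corrupted = False

    def oracle_sign(self, msg: bytes) -> bytes:
        sig = lamport_sign(self.sk, msg)
        self.S.add((msg, sig))
        return sig

    def rev_ltk(self):
        # RevLTK(P_hat): from now on any valid signature is attributable to A.
        self.corrupted = True
        return self.sk

    def check(self, msg: bytes, sig: bytes) -> str:
        if not lamport_verify(self.vk, msg, sig):
            return "reject"
        if (msg, sig) in self.S or self.corrupted:
            return "accept"
        return "E_sig"


def demo() -> dict:
    # Constructed sample run; all byte strings are made-up placeholders.
    bk = SigBookkeeper()
    sid = encode_sid(b"P_i", b"P_j", b"lpk_i", b"lpk_j", b"ek_T", b"C", b"C_T")
    honest = bk.oracle_sign(sid)
    tampered = bytes([honest[0] ^ 1]) + honest[1:]
    # A valid signature made outside the signing oracle while P_hat is still
    # uncorrupted: in the real game only a forger can do this; we emulate it
    # by using sk directly.
    other_sid = encode_sid(b"P_i", b"P_j", b"lpk_i", b"lpk_j", b"ek_T'", b"C'", b"C_T'")
    outside = lamport_sign(bk.sk, other_sid)
    results = {
        "honest": bk.check(sid, honest),
        "tampered": bk.check(sid, tampered),
        "outside_oracle": bk.check(other_sid, outside),
    }
    bk.rev_ltk()
    results["after_corruption"] = bk.check(other_sid, outside)
    return results


if __name__ == "__main__":
    print(demo())
```

The four outcomes of `demo()` map onto the case analysis of the proof: an honestly relayed pair is in S, a tampered pair fails verification and is handled by the protocol rather than the game, a verifying pair that no oracle signed while the party is uncorrupted is exactly \(\mathsf {E_{sig}}\), and the same pair after \(\mathsf {RevLTK}\) is no longer a forgery event, which is why the reduction only needs the guessed party to stay uncorrupted until the tested oracle accepts.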

Before bounding \(\Pr \left[ \mathsf {E_{sig}}\right] \), we finish the proof of the lemma. We show that no adversary \(\mathcal {A} \) following the Type-7 or Type-8 strategy has any winning advantage in game \(G_3\), i.e., \(\Pr [\mathsf {S}_3] = 1/2\). To see this, first assume that \(\mathcal {A} \) issued \(\mathsf {Test}(j^{*}, t^{*})\) and received a key that is not \(\bot \), that is, \(\pi ^{t^*}_{j^*}\) is in the \(\mathtt {accept}\) state. Due to the modification we made in game \(G_2\) and by the definition of the Type-7 or Type-8 strategy, conditioned on \(\mathsf {E_{testO}}\) not occurring, \(\pi ^{t^*}_{j^*}\) has no partner oracle \(\pi ^s_{\hat{\imath }}\) for any \(s \in [\ell ]\) and the peer \(P_{\hat{\imath }}\) was not corrupted before \(\pi ^{t^*}_{j^*}\) completed the protocol execution. On the other hand, if \(\pi ^{t^*}_{j^*}\) is in the \(\mathtt {accept}\) state, then event \(\mathsf {E_{sig}}\) cannot have been triggered. Consequently, there exists some oracle \(\pi ^s_{\hat{\imath }}\) that output \((\mathsf {ek}^{s}_{\hat{\imath }}, \sigma ^{s}_{\hat{\imath }})\), and \(\pi ^{t^*}_{j^*}\) received it. This implies that \(\pi ^s_{\hat{\imath }}\) and \(\pi ^{t^*}_{j^*}\) are partner oracles. Since this is a contradiction, \(\mathcal {A} \) can only receive \(\bot \) when it issues \(\mathsf {Test}(j^{*}, t^{*})\). Hence, since the challenge bit b is statistically hidden from \(\mathcal {A} \), we have \(\Pr [\mathsf {S}_3] = 1/2\).

It remains to bound \(\Pr \left[ \mathsf {E_{sig}}\right] \). We do this by constructing an algorithm \(\mathcal {B}_{3,1}\) against the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\). The description of \(\mathcal {B}_{3,1}\) follows: \(\mathcal {B}_{3,1}\) receives the public parameter \(\mathsf {pp}_{\mathsf{SIG}}\) and the challenge verification key \({\mathsf{vk}}^{*}\). \(\mathcal {B}_{3,1}\) sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) as in \(G_2\) using \(\mathsf {pp}_{\mathsf{SIG}}\). \(\mathcal {B}_{3,1}\) then samples \(\hat{\imath }\) randomly from \([\mu ]\), runs \((\mathsf {dk}_{\hat{\imath }}, \mathsf {ek}_{\hat{\imath }}) \leftarrow \mathsf {KEM}.\mathsf {KeyGen}(\mathsf {pp}{}_{\mathsf {KEM}})\), and sets the long-term public key of party \(P_{\hat{\imath }}\) as \(\mathsf {lpk} _{\hat{\imath }} \mathrel {\mathop :}={} (\mathsf {ek}_{\hat{\imath }}, {\mathsf{vk}}^{*})\). The long-term secret key is implicitly set as \(\mathsf {lsk}_{\hat{\imath }} \mathrel {\mathop :}=(\mathsf {dk}_{\hat{\imath }}, {\mathsf{sk}}^*)\), where \({\mathsf{sk}}^*\) is unknown to \(\mathcal {B}_{3,1}\). For the rest of the parties \( P _{ i }\) for \(i \in [\mu ] \backslash \{\hat{\imath }\}\), \(\mathcal {B}_{3,1}\) generates \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) as in \(G_2\). Finally, \(\mathcal {B}_{3,1}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries by \(\mathcal {A}\) as follows:

  • \(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): Depending on the value of i, it performs the following:

    • If \(i = \hat{\imath }\), then \(\mathcal {B}_{3,1}\) prepares \(\mathsf {ek}_{T}\) as in \(G_2\), and then sends \(\mathsf {ek}_{T}\) to its signing oracle and receives back a signature \(\sigma '\) for message \(\mathsf {ek}_{T}\) under \({\mathsf{sk}}^{*}\). \(\mathcal {B}_{3,1}\) then responds as in \(G_2\) except that it sets \(\sigma _{i} \mathrel {\mathop :}=\sigma '\).

    • If \(i \ne \hat{\imath }\), then \(\mathcal {B}_{3,1}\) responds as in \(G_2\).

  • \(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): \(\mathcal {B}_{3,1}\) responds as in \(G_2\).

  • \(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): \(\mathcal {B}_{3,1}\) responds as in \(G_2\).

  • \(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{3,1}\) responds as in \(G_2\). Here, note that since \(\mathcal {A} \) follows the Type-7 or Type-8 strategy, \(\mathcal {B}_{3,1}\) can answer all \(\mathsf {RevLTK}\)-queries. Namely, conditioned on \(\mathsf {E_{testO}}\) not occurring, \(\mathcal {A} \) never queries \(\mathsf {RevLTK}(\hat{\imath })\) (i.e., \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}_{\hat{\imath }}, {\mathsf{sk}}^*)\)), which is the only query that \(\mathcal {B}_{3,1}\) cannot answer.

  • \(\mathsf {Test}(i, s)\): \(\mathcal {B}_{3,1}\) responds as in \(G_2\). Here, in case \(\mathsf {Pid}^s_i \ne \hat{\imath }\), event \(\mathsf {E_{testO}}\) is triggered, so it aborts.

It is clear that \(\mathcal {B}_{3,1}\) perfectly simulates the view of game \(G_{2}\) to \(\mathcal {A} \). Below, we analyze the probability that \(\mathcal {B}_{3,1}\) breaks the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) and relate it to \(\Pr [\mathsf {E_{sig}}]\).

We assume \(\mathcal {A}\) issues \(\mathsf {Test}(j^{*}, t^{*})\). Let the message received by the responder oracle \(\pi ^{t^{*}}_{j^{*}}\) be \((\mathsf {ek}^{*}_{T}, \sigma ^{*})\). Then, by the definition of the Type-7 or Type-8 strategy and conditioned on \(\mathsf {E_{testO}}\) not occurring, the oracle \(\pi ^{t^{*}}_{j^{*}}\) satisfies the following conditions:

  • \(\mathsf {role}^{t^{*}}_{j^{*}} = \mathtt {resp}{}\) and \(\mathsf {Pid}^{t^{*}}_{j^{*}} = \hat{\imath }\),

  • \(\pi ^{t^{*}}_{j^{*}}\) is in the \(\mathtt {accept}\) state. This implies \(\mathsf{SIG}.\mathsf{Verify}({\mathsf{vk}}^{*}, \mathsf {ek}^{*}_{T}, \sigma ^{*}) = 1\) holds,

  • \(P_{\hat{\imath }}\) was not corrupted before \(\pi ^{t^{*}}_{j^{*}}\) completes the protocol execution,

  • \(\pi ^{t^{*}}_{j^{*}}\) has no partner oracles.

Since \(\pi ^{t^{*}}_{j^{*}}\) has no partner oracles, there exists no initiator oracle \(\pi ^s_{\hat{\imath }}\) that has output \((\mathsf {ek}^{*}_{T}, \sigma ^{*})\). In other words, there is no oracle \(\pi ^s_{\hat{\imath }}\) that has signed the message \(\mathsf {ek}^{*}_{T}\). Notice that this is exactly the event \(\mathsf {E_{sig}}\): a responder oracle \(\pi ^{t^{*}}_{j^{*}}\) receives a signature that was not produced by an oracle \(\pi ^s_{\hat{\imath }}\) for any \(s \in [\ell ]\), and \(P_{\hat{\imath }}\) was not corrupted when \(\pi ^{t^{*}}_{j^{*}}\) received the signature. Therefore, \(\mathcal {B}_{3,1}\) obtains a valid forgery \((\mathsf {ek}^{*}_{T}, \sigma ^{*})\), and we have \(\Pr [\mathsf {E_{sig}}] = \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,1})\).

Combining everything together, we conclude

$$\begin{aligned} \epsilon _{1} \le \mu \cdot \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,1}). \end{aligned}$$

\(\square \)

B Full Proofs for Deniable Signal-Conforming AKE \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\)

In this section, we provide the proofs of the correctness and security of our deniable Signal-conforming AKE protocol \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) .

B.1 Correctness of Deniable Signal-Conforming AKE \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\)

We prove the correctness of our deniable Signal-Conforming AKE protocol \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\).

Proof of Theorem 7.6

This proof is similar to the proof of Theorem 4.2. It is clear that an initiator oracle and a responder oracle become partners when they execute the protocol faithfully. Moreover, if no correctness error occurs in the underlying KEM schemes and ring signature scheme, the partner oracles compute an identical session key. Since each oracle is assigned uniform randomness, the probability that a correctness error occurs in one of the underlying schemes is bounded by \(\delta _{\mathsf {RS}{}} +2 \delta _{\mathsf {KEM}} \). Since there are at most \(\mu \ell /2\) responder oracles, the AKE protocol is correct except with probability \(\mu \ell \cdot (\delta _{\mathsf {RS}{}} + 2\delta _{\mathsf {KEM}})/2\). \(\square \)

B.2 Security of Deniable Signal-Conforming AKE \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\)

We prove the security of our deniable Signal-Conforming AKE protocol \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\).

Proof of Theorem 7.7

Let \(\mathcal {A}\) be an adversary that plays the security game \(G^{\mathsf {weakFS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {DAKE} {}}(\mu , \ell )\) with the challenger \(\mathcal {C}\) with advantage \(\mathsf {Adv}{}^{\mathsf {AKE}\textsf {-}\mathsf {weakFS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {DAKE} {}}(\mathcal {A}) = \epsilon \). The bulk of the proof is identical to the proof of Theorem 4.3 for the (non-deniable) protocol \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\). Namely, we divide the strategies that can be taken by \(\mathcal {A} \) (listed in Table 1) into cases and, for each case, construct an algorithm that breaks one of the underlying assumptions by using such an \(\mathcal {A} \) as a subroutine. Formally, we construct seven algorithms \(\mathcal {B}_{1}, \dots , \mathcal {B}_{4}\) and \(\mathcal {D}_{1}, \dots , \mathcal {D}_{3}\) satisfying the following:

  1. If \(\mathcal {A}\) uses the Type-1 (or Type-2) strategy, then \(\mathcal {B}_{1}\) succeeds in breaking the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell ^{2}}\epsilon \) or \(\mathcal {D}_{1}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell ^{2}}\epsilon \).

  2. If \(\mathcal {A}\) uses the Type-3 (or Type-4) strategy, then \(\mathcal {B}_{2}\) succeeds in breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \) or \(\mathcal {D}_{2}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \).

  3. If \(\mathcal {A}\) uses the Type-5 or Type-6 strategy, then \(\mathcal {B}_{3}\) succeeds in breaking the unforgeability of \(\Pi _\mathsf{RS}\) with advantage \(\approx \epsilon \).

  4. If \(\mathcal {A}\) uses the Type-7 (or Type-8) strategy, then \(\mathcal {B}_{4}\) succeeds in breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \) or \(\mathcal {D}_{3}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \).

We present a security proof structured as a sequence of games. Without loss of generality, we assume that \(\mathcal {A}\) always issues a \(\mathsf {Test}\)-query. In the following, let \(\mathsf {S}_{j}\) denote the event that \(b = b'\) occurs in game \(G_{j}\) and let \(\epsilon _{j} \mathrel {\mathop :}=\left| \Pr \left[ \mathsf {S}_{j}\right] - 1/2 \right| \) denote the advantage of the adversary in game \(G_{j}\). Regardless of the strategy taken by \(\mathcal {A}\), all proofs share a common game sequence \(G_{0}\)-\(G_{1}\) as described below. Although they are identical to those of Theorem 4.3, we provide them for completeness.

Game \(G_{0}\) This game is identical to the original security game. We thus have

$$\begin{aligned} \epsilon _{0} = \epsilon . \end{aligned}$$

Game \(G_{1}\) This game is identical to \(G_{0}\), except that we add an abort condition. Let \(\mathsf {E}_{\mathsf {corr}}{}\) be the event that there exist two partner oracles \(\pi ^s_i\) and \(\pi ^t_j\) that do not agree on the same session key. If \(\mathsf {E}_{\mathsf {corr}}\) occurs, then \(\mathcal {C}\) aborts (i.e., sets \(\mathcal {A} \)’s output to be a random bit) at the end of the game.

There are at most \(\mu \ell /2\) responder oracles and each oracle is assigned uniform randomness. From Theorem 7.6, the probability of error occurring during the security game is at most \(\mu \ell (\delta _{\mathsf {RS}{}} + 2\delta _{\mathsf {KEM}})/2\). Therefore, \(\mathsf {E}_{\mathsf {corr}}\) occurs with probability at most \(\mu \ell (\delta _{\mathsf {RS}{}} + 2\delta _{\mathsf {KEM}})/2\). We thus have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{0}\right] - \Pr \left[ \mathsf {S}_{1}\right] \right| \le \frac{\mu \ell }{2} \cdot (\delta _{\mathsf {RS}{}} + 2\delta _{\mathsf {KEM}} ). \end{aligned}$$

In the following games we assume no decryption error or signature verification error occurs.

We now divide the game sequence depending on the strategy taken by the adversary \(\mathcal {A}\). Regardless of \(\mathcal {A}{}\)’s strategy, we prove that \(\epsilon _{1}\) is negligible, which in particular implies that \(\epsilon \) is also negligible. Formally, this is shown in Lemmata B.1 to B.4 provided below. We first complete the proof of the theorem. Specifically, by combining all the lemmata together, we obtain the following desired bound:

$$\begin{aligned}&\mathsf {Adv}{}^{\mathsf {AKE}\textsf {-}\mathsf {weakFS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {DAKE} {}}(\mathcal {A})\\&\quad \le \max \left\{ \begin{array}{l} \mu ^{2}\ell ^{2} \cdot (\mathsf {Adv}^{\mathsf {IND\text {-}CPA}}_{\mathsf {wKEM}}(\mathcal {B}_{1}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{1}) + \varepsilon _{\mathsf {Ext}}),\\ \mu ^{2}\ell \cdot (\mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM}}(\mathcal {B}_{2}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}) + \varepsilon _{\mathsf {Ext}}) + \mu \ell ^{2} \cdot \left( \frac{1}{2^{ 2 \chi _{\mathsf {KEM}}}} + \frac{1}{2^{\nu _{\mathsf {KEM}}}}\right) ,\\ \mathsf {Adv}^{\mathsf {Unf}}_{\mathsf {RS}{}}(\mathcal {B}_{3}),\\ \mu ^{2}\ell \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{4}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{3}) + \varepsilon _{\mathsf {Ext}}\right) + \mu \ell ^{2} \cdot \frac{1}{2^{\chi _{\mathsf {KEM}}}} \end{array} \right\} \\&\qquad + \frac{\mu \ell }{2} \cdot (\delta _{\mathsf {RS}{}} + 2\delta _{\mathsf {KEM}} ). \end{aligned}$$

Here, the running time of each of the algorithms \(\mathcal {B}_{1}, \dots , \mathcal {B}_{4}\) and \(\mathcal {D}_{1}, \dots , \mathcal {D}_{3}\) consists essentially of the time required to simulate the security game for \(\mathcal {A}\) once, plus a minor number of additional operations. \(\square \)

It remains to prove Lemmata B.1 to B.4. Since the proofs of Lemmata B.3 and B.4 are a direct consequence of the proofs of the corresponding Lemmata A.1 and A.2 of Theorem 4.3, we focus on proving Lemmata B.1 and B.2 below.

Lemma B.1

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-5 or Type-6 strategy, there exists a \(\mathsf {QPT}\) algorithm \(\mathcal {B}_{3}\) breaking the unforgeability of \(\Pi _\mathsf{RS}\) such that

$$\begin{aligned} \epsilon _{1} \le \mathsf {Adv}^{\mathsf {Unf}}_{\mathsf {RS}{}}(\mathcal {B}_{3}). \end{aligned}$$

Proof of Lemma B.1

We present the rest of the sequence of games from game \(G_{1}\).

Game \(G_{2}\) This game is identical to \(G_{1}\), except that we add an abort condition. Let \(S_{j}\) be a list of the message-signature pairs that \( P _{ j }\) generated while acting as a responder oracle. That is, every time \(\pi ^t_{j}\) for some \(t \in [\ell ]\) is invoked as a responder, it updates the list \(S_{j}\) by appending the message-signature pair \((\mathsf {sid}^t_{j}, \sigma ^t_{j})\) that it generates. Then, when an initiator oracle \(\pi _{i}^s\) for any \((i, s) \in [\mu ] \times [\ell ]\) is invoked on input \((\mathsf {C}, \mathsf {C}_{T}, \mathsf {c})\) from party \( P _{ j }\) (i.e., \(\mathsf {Pid}^s_i = j\)), it first computes \(\mathsf {sid}^s_i\) and \(\sigma \) as in the previous game and checks whether \(\mathsf {RS}.\mathsf {Verify}(\left\{ \mathsf {vk}_T, \mathsf {vk}_{j} \right\} , \mathsf {sid}^s_i, \sigma ) = 1\) and \((\mathsf {sid}^s_i, \sigma ) \in S_{j}\). If not, the game aborts. Otherwise, it proceeds as in the previous game. We call the event that an abort occurs \(\mathsf {E_{sig}}\). Since the two games are identical until abort, we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{1}\right] - \Pr \left[ \mathsf {S}_{2}\right] \right| \le \Pr \left[ \mathsf {E_{sig}}\right] . \end{aligned}$$

Before bounding \(\Pr \left[ \mathsf {E_{sig}}\right] \), we finish the proof of the lemma. We show that no adversary \(\mathcal {A}\) following the Type-5 or Type-6 strategy has any winning advantage in game \(G_2\), i.e., \(\Pr [\mathsf {S}_2] = 1/2\). To see this, first assume that \(\mathcal {A}\) issued \(\mathsf {Test}(i^{*}, s^{*})\) and received a key that is not \(\bot \). In other words, \(\pi ^{s^*}_{i^*}\) is in the \(\mathtt {accept}\) state. By the definition of the Type-5 or Type-6 strategy, \(\pi ^{s^*}_{i^*}\) has no partner oracle \(\pi ^t_{j}\) for any \((j, t) \in [\mu ] \times [\ell ]\). On the other hand, if \(\pi ^{s^*}_{i^*}\) is in the \(\mathtt {accept}\) state, then event \(\mathsf {E_{sig}}\) cannot have been triggered. Consequently, there exists some oracle \(\pi ^t_{j}\) that output \((\mathsf {sid}^{s^*}_{i^*}, \sigma ^*)\). Parsing \(\mathsf {sid}^{s^*}_{i^*}\) as \( P _{ i^{*} } \Vert P _{ j } \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{j} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {vk}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}\), this implies that \(\pi ^t_{j}\) and \(\pi ^{s^*}_{i^*}\) are partner oracles. Since this is a contradiction, \(\mathcal {A}\) can only receive \(\bot \) when it issues \(\mathsf {Test}(i^{*}, s^{*})\). Hence, since the challenge bit b is statistically hidden from \(\mathcal {A}\), we have \(\Pr [\mathsf {S}_2] = 1/2\).

It remains to bound \(\Pr \left[ \mathsf {E_{sig}}\right] \). We do this by constructing an algorithm \(\mathcal {B}_{3}\) against the unforgeability of \(\Pi _\mathsf{RS}\). The description of \(\mathcal {B}_3\) follows: \(\mathcal {B}_3\) receives the public parameter \(\mathsf {pp}_{\mathsf {RS}}\) and \(\mu + \mu \ell \) verification keys \(\mathsf {vk}_{1},\dots ,\mathsf {vk}_{\mu }\) and \(\mathsf {vk}^{1}_{1},\dots ,\mathsf {vk}^{\ell }_{\mu }\). \(\mathcal {B}_3\) sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) as in game \(G_{2}\) using \(\mathsf {pp}_{\mathsf {RS}}\). For each \(i \in [\mu ]\), \(\mathcal {B}_3\) then runs \((\mathsf {dk}_{i}, \mathsf {ek}_{i}) \leftarrow \mathsf {KEM}.\mathsf {KeyGen}(\mathsf {pp}{}_{\mathsf {KEM}})\) and sets the long-term public key of party \( P _{ i }\) as \(\mathsf {lpk} _{i} \mathrel {\mathop :}={} (\mathsf {ek}_{i}, \mathsf {vk}_{i})\). The long-term secret key is implicitly set as \(\mathsf {lsk}_{i} \mathrel {\mathop :}=(\mathsf {dk}_{i}, \mathsf {sk}_{i})\), where \(\mathsf {sk}_{i}\) is unknown to \(\mathcal {B}_3\). Finally, \(\mathcal {B}_{3}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries by \(\mathcal {A}\) as follows:

  • \(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): \(\mathcal {B}_{3}\) responds as in \(G_1\) except that it sets \(\mathsf {vk}_{T} \mathrel {\mathop :}=\mathsf {vk}^{s}_{i}\).

  • \(\mathsf {Send}(j, t, m=(\mathsf {ek}_{T}, \mathsf {vk}_{T}))\): \(\mathcal {B}_3\) responds as in \(G_1\) except that rather than constructing the signature \(\sigma \) on its own, it sends \((\mathsf {sign}, j, \mathsf {sid}^t_{j}, \left\{ \mathsf {vk}_{T}, \mathsf {vk}_{j} \right\} )\) to its signing oracle and uses the signature \(\sigma '\) that it receives.

  • \(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): \(\mathcal {B}_{3}\) responds as in \(G_1\).

  • \(\mathsf {RevLTK}(i)\): \(\mathcal {B}_{3}\) sends \((\mathsf {corrupt}, i)\) to its corruption oracle and receives back a signing key \(\mathsf {sk}'_{i}\). \(\mathcal {B}_3\) then sets \(\mathsf {sk}_{i} \mathrel {\mathop :}=\mathsf {sk}'_{i}\) and returns \(\mathsf {lsk}_{i} = (\mathsf {dk}_i, \mathsf {sk}_i)\).

  • \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{3}\) responds as in \(G_1\).

  • \(\mathsf {Test}(i, s)\): \(\mathcal {B}_{3}\) responds as in \(G_1\).

It is clear that \(\mathcal {B}_3\) perfectly simulates the view of game \(G_{2}\) to \(\mathcal {A}\). Below, we analyze the probability that \(\mathcal {B}_3\) breaks the unforgeability of \(\Pi _\mathsf{RS}\) and relate it to \(\Pr [\mathsf {E_{sig}}]\).

We assume \(\mathcal {A}\) issues \(\mathsf {Test}(i^{*}, s^{*})\). Let the message sent by the initiator oracle \(\pi ^{s^{*}}_{i^{*}}\) be \((\mathsf {ek}^{*}_{T}, \mathsf {vk}^{*}_{T})\) and the message received by \(\pi ^{s^{*}}_{i^{*}}\) be \((\mathsf {C}^{*}, \mathsf {C}^{*}_{T}, \mathsf {c}^{*})\). Let \(\sigma ^{*}\) be the signature recovered from \(\mathsf {c}^{*}\). Then, by the definition of the Type-5 or Type-6 strategy, the tested oracle \(\pi ^{s^{*}}_{i^{*}}\) satisfies the following conditions:

  • \(\mathsf {role}^{s^{*}}_{i^{*}} = \mathtt {init}{}\),

  • \( P _{ j }\) is not corrupted where \(\mathsf {Pid}^{s^{*}}_{i^{*}} = j\) and \(j \in [\mu ]\),

  • \(\pi ^{s^{*}}_{i^{*}}\) is in the \(\mathtt {accept}\) state. This implies \(\mathsf {RS}.\mathsf {Verify}(\left\{ \mathsf {vk}^{*}_{T}, \mathsf {vk}_{j} \right\} , P _{ i^{*} } \Vert P _{ j } \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{j} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {vk}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}, \sigma ^{*}) = 1\) holds,

  • \(\pi ^{s^{*}}_{i^{*}}\) has no partner oracles.

Since \( P _{ j }\) is not corrupted, \(\mathcal {A}\) has never issued a \(\mathsf {RevLTK}(j)\)-query. Moreover, since an honest initiator discards \(\mathsf {sk}^*_T\) on generation, \(\mathcal {B}_3\) never uses it for the simulation. These two facts imply that \((\mathsf {corrupt}, j)\) and \((\mathsf {corrupt}, (i, T))\) have never been queried, where \((\mathsf {corrupt}, (i, T))\) is the query regarding the verification key \(\mathsf {vk}^{s^*}_{i^*}\). In particular, the ring \(\left\{ \mathsf {vk}^{*}_{T}, \mathsf {vk}_{j} \right\} \) consists of non-corrupted verification keys. Moreover, since \(\pi ^{s^{*}}_{i^{*}}\) has no partner oracles, there exists no responder oracle \(\pi ^t_{j}\) that has received \((\mathsf {ek}^*_T, \mathsf {vk}^{*}_{T})\) from \( P _{ i^* }\) and sent \((\mathsf {C}^{*}, \mathsf {C}^{*}_{T})\). In other words, there is no oracle \(\pi ^t_{j}\) that has signed the message \( P _{ i^{*} } \Vert P _{ j } \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{j} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {vk}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}\). Notice that this is exactly the event \(\mathsf {E_{sig}}\): an initiator oracle \(\pi ^{s^{*}}_{i^{*}}\) receives a signature that was not produced by an oracle \(\pi ^t_{j}\) for any \(t \in [\ell ]\). Therefore, we have \(\Pr [\mathsf {E_{sig}}] = \mathsf {Adv}^{\mathsf {Unf}}_{\mathsf {RS}{}}(\mathcal {B}_{3})\).

Combining everything together, we conclude

$$\begin{aligned} \epsilon _{1} \le \mathsf {Adv}^{\mathsf {Unf}}_{\mathsf {RS}{}}(\mathcal {B}_{3}). \end{aligned}$$

\(\square \)

Lemma B.2

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-7 or Type-8 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{4}\) breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) and \(\mathcal {D}_{3}\) breaking the security of PRF \(\mathsf {F}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{4}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{3}) + \varepsilon _{\mathsf {Ext}}\right) + \mu \ell ^{2} \cdot \frac{1}{2^{\chi _{\mathsf {KEM}}}}. \end{aligned}$$

Proof of Lemma B.2

We present the rest of the sequence of games from game \(G_{1}\).

Game \(G_{2}\) This game is identical to \(G_{1}\), except that we add another abort condition. Let \(\mathsf {E}_{\mathsf {coll}}\) be the event that there exist two responder oracles \(\pi ^t_j\) and \(\pi ^{t'}_j\) for some \(j \in [\mu ]\) and \(t \ne t' \in [\ell ]\) that output the same \(\Pi _\mathsf {KEM}\) ciphertext. That is, there exist two oracles \(\pi ^t_j\) and \(\pi ^{t'}_j\) that output \((\mathsf {C}, \mathsf {C}_T, \mathsf {c})\) and \((\mathsf {C}', \mathsf {C}'_T, \mathsf {c}')\) such that \(\mathsf {C}= \mathsf {C}'\). Here, we only consider the case where \(\mathsf {Pid}^t_j\) and \(\mathsf {Pid}^{t'}_j\) correspond to parties generated by the game (and not parties added by the adversary). If \(\mathsf {E}_{\mathsf {coll}}\) occurs, then \(\mathcal {C}\) aborts. Since \(G_{1}\) and \(G_{2}\) proceed identically unless \(\mathsf {E}_{\mathsf {coll}}\) occurs, we have

$$\begin{aligned} \left| \epsilon _1 - \epsilon _2 \right| \le \Pr \left[ \mathsf {E}_{\mathsf {coll}}\right] . \end{aligned}$$

We claim

$$\begin{aligned} \Pr \left[ \mathsf {E}_{\mathsf {coll}}{}\right] \le \mu \ell ^{2} \cdot \frac{1}{2^{ \chi _{\mathsf {KEM}}}}. \end{aligned}$$

Since each oracle \(\pi ^t_j\) is initialized with independent, uniform randomness and \(\mathsf {ek}_i\) is honestly generated, where \(i = \mathsf {Pid}^t_j\), each ciphertext \(\mathsf {C}\) output by oracle \(\pi ^t_j\) has min-entropy \(\chi _{\mathsf {KEM}}\) due to the \( \chi _{\mathsf {KEM}}\)-high ciphertext min-entropy of \(\Pi _\mathsf {KEM} \). Fixing one \(j \in [\mu ]\), there are at most \(\ell ^2\) pairs of oracles \((\pi ^t_j, \pi ^{t'}_j)\), each colliding with probability at most \(1/2^{ \chi _{\mathsf {KEM}}}\), so the probability of a collision occurring is upper bounded by \(\ell ^2/ 2^{ \chi _{\mathsf {KEM}}}\). Then, taking the union bound over all \(\mu \) parties, we obtain the claimed bound.

Game \(G_{3}\) In this game, before starting the game, \(\mathcal {C}\) chooses a responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) and a party \(P_{\hat{\imath }}\) uniformly at random from \(\mu \ell \) oracles and \(\mu \) parties, respectively. Let \(\mathsf {E_{testO}}\) be the event that the tested oracle is not \(\pi ^{\hat{t}}_{\hat{\jmath }}\) or the peer of the tested oracle is not \(P_{\hat{\imath }}\). Since \(\mathsf {E_{testO}}\) is an efficiently checkable event, \(\mathcal {C}\) aborts as soon as it detects that event \(\mathsf {E_{testO}}\) occurs. \(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability \(1/\mu ^{2}\ell \), so we have

$$\begin{aligned} \epsilon _3 = \frac{1}{\mu ^{2}\ell }\epsilon _{2}. \end{aligned}$$

Game \(G_{4}\) In this game, we modify the way the initiator oracle \(\pi ^{s}_{\hat{\imath }}\) for any \(s \in [\ell ]\) responds on its second invocation. Let \((\mathsf {K}, \mathsf {C})\) be the \(\Pi _\mathsf {KEM}\) key-ciphertext pair generated by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). Then, when \(\pi ^{s}_{\hat{\imath }}\) is invoked (for the second time) on input \((\mathsf {C}', \mathsf {C}_{T}, \mathsf {c})\), it first checks whether \(\mathsf {C}' = \mathsf {C}\). If so, it proceeds as in the previous game except that it uses the key \(\mathsf {K}\) that was generated by \(\pi ^{\hat{t}}_{\hat{\jmath }}\) rather than the key obtained by decrypting \(\mathsf {C}'\). Otherwise, if \(\mathsf {C}' \ne \mathsf {C}\), it proceeds exactly as in the previous game.

Conditioning on event \(\mathsf {E}_{\mathsf {corr}}{}\) (i.e., decryption failure) not occurring, the two games \(G_3\) and \(G_4\) are identical. Hence,

$$\begin{aligned} \epsilon _{4} = \epsilon _3. \end{aligned}$$

Game \(G_{5}\) In this game, we modify the way the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) responds. When the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) is invoked on input \(\mathsf {ek}_T\), it samples a random key instead of computing \((\mathsf {K}, \mathsf {C}) \leftarrow \mathsf {KEM}.\mathsf {Encap}(\mathsf {ek}_{\hat{\imath }})\). Note that due to the modification we made in the previous game, when the initiator oracle \(\pi ^{s}_{\hat{\imath }}\) for any \(s \in [\ell ]\) is invoked (for the second time) on input \((\mathsf {C}', \mathsf {C}_{T}, \mathsf {c})\) with \(\mathsf {C}' = \mathsf {C}\), it uses the random key \(\mathsf {K}\) generated by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). We claim \(G_{4}\) and \(G_{5}\) are indistinguishable assuming the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\). To prove this, we construct an algorithm \(\mathcal {B}_{4}\) breaking the \(\mathsf {IND\text {-}CCA}\) security as follows.

\(\mathcal {B}_{4}\) receives a public parameter \(\mathsf {pp}{}_{\mathsf {KEM}}\), a public key \(\mathsf {ek}^{*}\), and a challenge \((\mathsf {K}^{*}, \mathsf {C}^{*})\) from its challenger. \(\mathcal {B}_{4}\) then samples a random , sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) using \(\mathsf {pp}{}_{\mathsf {KEM}}\), and generates the long-term key pairs as follows. For party \(P_{\hat{\imath }}\), \(\mathcal {B}_{4}\) runs \((\mathsf {vk}_{\hat{\imath }}, \mathsf {sk}_{\hat{\imath }}) \leftarrow \mathsf {RS}.\mathsf {KeyGen}(1^{\kappa })\), sets the long-term public key as \(\mathsf {lpk} _{\hat{\imath }} := (\mathsf {ek}^{*}, \mathsf {vk}_{\hat{\imath }})\), and implicitly sets the long-term secret key as \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}^*, \mathsf {sk}_{\hat{\imath }})\); note that \(\mathcal {B}_{4}\) does not know \(\mathsf {dk}^*\). For all the other parties \(i \in [\mu ] \backslash \{ \hat{\imath } \} \), \(\mathcal {B}_{4}\) computes the long-term key pairs \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) as in \(G_5\). Finally, \(\mathcal {B}_{4}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries made by \(\mathcal {A}\) as follows:

  • \(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): \(\mathcal {B}_{4}\) proceeds as in \(G_5\).

  • \(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): Let \(i \mathrel {\mathop :}=\mathsf {Pid}^{t}_{j}\). Depending on the values of \((j, t, i)\), it performs the following:

    • If \((j, t, i) = (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{4}\) responds as in \(G_5\) except that it sets \((\mathsf {K}, \mathsf {C}) := (\mathsf {K}^*, \mathsf {C}^{*})\) rather than generating them on its own. It then returns the message \((\mathsf {C}^{*}, \mathsf {C}_{T}, \mathsf {c}{})\).

    • If \((j, t, i) \ne (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{4}\) responds as in \(G_5\).

  • \(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): Depending on the value of i, it performs the following:

    • If \(i = \hat{\imath }\), then \(\mathcal {B}_{4}\) checks whether \(\mathsf {C}= \mathsf {C}^*\). If so, it responds as in \(G_5\) except that it sets \(\mathsf {K}\mathrel {\mathop :}=\mathsf {K}^{*}\). Otherwise, if \(\mathsf {C}\ne \mathsf {C}^*\), then it queries the decapsulation oracle on \(\mathsf {C}\) and receives back \(\mathsf {K}'\). \(\mathcal {B}_{4}\) then responds as in \(G_5\) except that it sets \(\mathsf {K}\mathrel {\mathop :}=\mathsf {K}'\).

    • If \(i \ne \hat{\imath }\), then \(\mathcal {B}_{4}\) responds as in \(G_5\).

  • \(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{4}\) responds as in \(G_5\). Here, note that since \(\mathcal {A} \) follows the Type-7 or Type-8 strategy, \(\mathcal {B}_{4}\) can answer all the \(\mathsf {RevLTK}\) queries. Namely, conditioning on \(\mathsf {E_{testO}}\) not occurring, \(\mathcal {A} \) never queries \(\mathsf {RevLTK}(\hat{\imath })\) (i.e., \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}^*, \mathsf {sk}_{\hat{\imath }})\)), which is the only query that \(\mathcal {B}_{4}\) cannot answer.

  • \(\mathsf {Test}(i, s)\): \(\mathcal {B}_{4}\) responds to the query as in the definition. Here, if \((i, s) \ne (\hat{\jmath },\hat{t})\), then event \(\mathsf {E_{testO}}\) is triggered and it aborts.

If \(\mathcal {A}\) outputs a guess \(b'\), \(\mathcal {B}_{4}\) outputs \(b'\). It can be checked that \(\mathcal {B}_{4}\) perfectly simulates game \(G_4\) (resp. \(G_5\)) to \(\mathcal {A} \) when the challenge \(\mathsf {K}^{*}\) is the real key (resp. a random key). Thus we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{4}\right] - \Pr \left[ \mathsf {S}_{5}\right] \right| \le \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{4}). \end{aligned}$$

Game \(G_{6}\) In this game, whenever we need to derive \(\mathsf {K}^*_1 \leftarrow \mathsf {Ext}_s(\mathsf {K}^*)\), we instead use a uniformly random PRF key (fixed once and for all), where \(\mathsf {K}^*\) is the KEM key chosen by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). Due to the modification we made in the previous game, \(\mathsf {K}^*\) is chosen uniformly at random from \(\mathcal {KS}_\mathsf {KEM} \), so \(\mathsf {K}^*\) has \(\log _2(|\mathcal {KS}_\mathsf {KEM} |) \ge \gamma _\mathsf {KEM} \) bits of min-entropy. Then, by the definition of the strong (\(\gamma _\mathsf {KEM}, \varepsilon _{\mathsf {Ext}}\))-extractor \(\mathsf {Ext}\), we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{5}\right] - \Pr \left[ \mathsf {S}_{6}\right] \right| \le \varepsilon _{\mathsf {Ext}}. \end{aligned}$$

Game \(G_{7}\) In this game, we sample a random function \(\mathsf {RF}\) and whenever we need to compute \(\mathsf {F}_{\mathsf {K}^*_1}(\mathsf {sid})\) for any \(\mathsf {sid}\), we instead compute \(\mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid})\). Due to the modification we made in the previous game, \(\mathsf {K}^*_1\) is sampled uniformly from \(\mathcal {FK}\). Therefore, the two games can be easily shown to be indistinguishable assuming the pseudo-randomness of the PRF. In particular, we can construct a PRF adversary \(\mathcal {D}_{3}\) such that

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{6}\right] - \Pr \left[ \mathsf {S}_{7}\right] \right| \le \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{3}). \end{aligned}$$

It remains to show that the session key output by the tested oracle in game \(G_7\) is uniformly random regardless of the challenge bit \(b \in \{ 0,1 \} \) chosen by the game. We consider the case \(b = 0\) and prove that the session key honestly generated by the tested oracle is distributed uniformly at random. First, conditioning on event \(\mathsf {E_{testO}}\) not occurring, the tested oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) prepares the session key as \(\mathsf {k}^* \Vert \tilde{k}\leftarrow \mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid}^*) \oplus \mathsf {F}_{\mathsf {K}_{2}}(\mathsf {sid}^*)\) for some \(\mathsf {sid}^*\). Here, recall \(\mathsf {K}^*_1\) is the random PRF key sampled by the oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) (see game \(G_6\)). Next, since the tested oracle has no partner oracle (by definition of the Type-7 and Type-8 strategies), there is no oracle \(\pi ^s_i\) with \(i \ne \hat{\jmath }\) that runs \(\mathsf {RF}(\mathsf {K}^*_1, \cdot )\) on input \(\mathsf {sid}^*\). Moreover, conditioning on event \(\mathsf {E}_{\mathsf {coll}}\) not occurring, no oracle \(\pi ^t_{\hat{\jmath }}\) for \(t \ne \hat{t}\) runs \(\mathsf {RF}(\mathsf {K}^*_1, \cdot )\) on input \(\mathsf {sid}^*\) either, since \((\mathsf {C}, \mathsf {C}_T)\) output by these oracles must be distinct from what \(\pi ^{\hat{t}}_{\hat{\jmath }}\) outputs. Therefore, \(\mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid}^*)\) is used only to compute the session key of the tested oracle and nowhere else. Since the output of \(\mathsf {RF}\) is distributed uniformly at random on distinct inputs, we conclude that \(\Pr \left[ \mathsf {S}_{7}\right] = 1/2\). Combining all the arguments, we obtain

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{4}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{3}) + \varepsilon _{\mathsf {Ext}}\right) + \mu \ell ^{2} \cdot \frac{1}{2^{\chi _{\mathsf {KEM}}}}. \end{aligned}$$

\(\square \)

For completeness, we state the remaining Lemmata B.3 and B.4 and provide a proof sketch.

Lemma B.3

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-1 or Type-2 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{1}\) breaking the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\) and \(\mathcal {D}_{1}\) breaking the security of PRF \(\mathsf {F}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell ^{2} \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CPA}}_{\mathsf {wKEM}}(\mathcal {B}_{1}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{1})+ \varepsilon _{\mathsf {Ext}}\right) . \end{aligned}$$

Lemma B.4

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-3 or Type-4 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{2}\) breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) and \(\mathcal {D}_{2}\) breaking the security of PRF \(\mathsf {F}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{2}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}) + \varepsilon _{\mathsf {Ext}}\right) + \mu \ell ^{2} \cdot \left( \frac{1}{2^{ 2 \chi _{\mathsf {KEM}}}} + \frac{1}{2^{\nu _{\mathsf {KEM}}}}\right) . \end{aligned}$$

Proof Sketch of Lemmata B.3 and B.4

The difference between \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) and \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) is that the former uses a ring signature, the first message sent by the initiator includes the ephemeral verification key \(\mathsf {vk}_{T}\), and the initiator does not sign the first message. In addition, the former considers weak forward secrecy (\(\mathcal {A}\) plays \(G^{\mathsf {weakFS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {DAKE} {}}(\mu , \ell )\)), and the latter considers perfect forward secrecy (\(\mathcal {A}\) plays \(G^{\mathsf {FS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {AKE} {}}(\mu , \ell )\)). However, it can be easily verified that this modification brings no advantage to an adversary following the strategies in the statement. In particular, when \(\mathcal {A}\) uses the Type-1, Type-2, Type-3 or Type-4 strategy (i.e., the tested oracle has a partner oracle), the winning conditions (cf. freshness clauses Items 1 to 4) of the two security games are identical. Specifically, the proofs are identical to the proofs of Lemmata A.1 and A.2.

In slightly more detail, notice that the session key derivation step in \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) is exactly the same as in \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\). Namely, the value of the derived session key is independent of the signature, conditioned on the signature being valid. Further, notice that the proofs of Lemmata A.1 and A.2 rely only on the security properties of the KEM, PRF, and extractor. That is, the proof does not hinge on the security offered by the signature scheme, and this holds even if we remove the signature from the first message and replace the signature scheme with a ring signature scheme. Here, we note that the validity of the ephemeral ring signature verification key never comes into play in the security proof. Therefore, the proofs of Lemmata A.1 and A.2 carry over. \(\square \)

C Equivalence Between \(\mathsf{DVS}\) and Ring Signature

In a subsequent work, Brendel et al. [19] showed a generic construction of a deniable Signal-conforming AKE protocol based on a designated verifier signature (\(\mathsf{DVS}\)) and a \(\mathsf {KEM}\). They showed how to instantiate \(\mathsf{DVS}\) from a ring signature (for a ring of two users) but left the opposite implication open and speculated that \(\mathsf{DVS}\) might be easier to construct than a ring signature.

In this section, we solve this open problem. We show how to instantiate a ring signature (for a ring of two users) from \(\mathsf{DVS}\) and show that \(\mathsf{DVS}\) is a ring signature in disguise. As discussed in Footnote 10, the security notion of \(\mathsf{DVS}\) and ring signatures may come in different flavors so it is not always the case that they are equivalent. We only focus on \(\mathsf{DVS}\) and ring signatures that Brendel et al. [19] required to construct their AKE protocol. Namely, the definition of ring signature we provide in Sect. 2.6 is strictly stronger than those considered in [19]. We make this clear when we provide the security proof of our ring signature based on \(\mathsf{DVS}\).

The following syntax and security definition of \(\mathsf{DVS}\) is taken almost verbatim from [19, Section 3]. One thing to keep in mind is that even though it is called designated verifier, the syntax of Brendel et al. allows the signature to be publicly verifiable. This will be essential when building a ring signature.

Definition C.1

A \(\mathsf{DVS}\) is a tuple of algorithms \(\mathsf{DVS} = (\mathsf {SKGen}, \mathsf {VKGen}, \mathsf {Sign}, \mathsf {Vrfy}, \mathsf {Sim})\) along with a message space \(\mathcal {M}\).

  • \(\mathsf {SKGen}() \rightarrow ({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {S})\): A probabilistic key generation algorithm that outputs a public-/secret-key pair for the signer.

  • \(\mathsf {VKGen}() \rightarrow (\mathsf {pk}_\mathsf {D}, \mathsf {sk}_\mathsf {D})\): A probabilistic key generation algorithm that outputs a public-/secret-key pair for the verifier.

  • \(\mathsf {Sign}(\mathsf {sk}_\mathsf {S}, \mathsf {pk}_\mathsf {D}, \mathsf {M}) \rightarrow \sigma \): A probabilistic signing algorithm that uses a signer’s secret key \(\mathsf {sk}_\mathsf {S}\) to produce a signature \(\sigma \) for a message \(\mathsf {M}\in \mathcal {M}\) for a designated verifier with public key \(\mathsf {pk}_\mathsf {D}\).

  • \(\mathsf {Vrfy}({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}, \mathsf {M}, \sigma ) \rightarrow 1/0\): A deterministic verification algorithm that checks a message \(\mathsf {M}\) and a signature \(\sigma \) against a signer’s public key \({\mathsf {pk}_\mathsf {S}}\) and a verifier’s public key \(\mathsf {pk}_\mathsf {D}\).

  • \(\mathsf {Sim}({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {D}, \mathsf {M}) \rightarrow \sigma \): A probabilistic signature simulation algorithm that uses the verifier’s secret key \(\mathsf {sk}_\mathsf {D}\) to produce a signature \(\sigma \) on a message \(\mathsf {M}\) for signer’s public key \({\mathsf {pk}_\mathsf {S}}\).

Definition C.2

(Unforgeability) A \(\mathsf{DVS}\) is unforgeable if for any efficient adversary \(\mathcal {A} \) we have \(\Pr [G^{\mathsf {uf}}(\mathcal {A}) = 1]\) is negligible, where the game \(G^{\mathsf {uf}}\) is defined in Fig. 6.

Definition C.3

(Source Hiding) A \(\mathsf{DVS}\) is source hiding if for any efficient adversary \(\mathcal {A} \) we have \(\left| \Pr [G^{\mathsf {srchid}}(\mathcal {A}) = 1] - 1/2 \right| \) is negligible, where the game \(G^{\mathsf {srchid}}\) is defined in Fig. 6.

Using a standard hybrid argument, we can assume without loss of generality that \(\mathcal {A} \) queries oracle \(\mathtt {Chall}\) once.

Fig. 6: Unforgeability and source hiding for \(\mathsf{DVS}\)

Construction We now provide a generic construction of a ring signature from any \(\mathsf{DVS}\) satisfying the above syntax and security definitions. Following Brendel et al. [19], we assume there is no public parameter and omit \(\mathsf {RS}.\mathsf {Setup}\). We also only consider a ring signature for a ring of two users as this is sufficient to construct an AKE protocol. Moreover, we assume without loss of generality that \({\mathsf {pk}_\mathsf {S}}\) can be ordered lexicographically, e.g., \({\mathsf {pk}_\mathsf {S}}< {\mathsf {pk}_\mathsf {S}}'\).

\(\mathsf {RS}.\mathsf {KeyGen}()\):

Run \(({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {S}) \leftarrow \mathsf {SKGen}()\) and \((\mathsf {pk}_\mathsf {D}, \mathsf {sk}_\mathsf {D}) \leftarrow \mathsf {VKGen}()\), and output \((\mathsf {RS}.\mathsf {vk}:= ({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}), \mathsf {RS}.\mathsf {sk}:= (\mathsf {sk}_\mathsf {S}, \mathsf {sk}_\mathsf {D}))\).

\(\mathsf {RS}.\mathsf {Sign}(\mathsf {RS}.\mathsf {sk}, \mathsf {M}, \mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}, \mathsf {RS}.\mathsf {vk}' \right\} )\):

Parse \(({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}) \leftarrow \mathsf {RS}.\mathsf {vk}\) and \(({\mathsf {pk}_\mathsf {S}}', \mathsf {pk}_\mathsf {D}') \leftarrow \mathsf {RS}.\mathsf {vk}'\). If \({\mathsf {pk}_\mathsf {S}}< {\mathsf {pk}_\mathsf {S}}'\), then output \(\sigma \leftarrow \mathsf {Sign}(\mathsf {sk}_\mathsf {S}, \mathsf {pk}_\mathsf {D}', \mathsf {M})\). Otherwise, output \(\sigma \leftarrow \mathsf {Sim}({\mathsf {pk}_\mathsf {S}}', \mathsf {sk}_\mathsf {D}, \mathsf {M})\).

\(\mathsf {RS}.\mathsf {Verify}(\mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}, \mathsf {RS}.\mathsf {vk}' \right\} , \mathsf {M}, \sigma )\):

Parse \(({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}) \leftarrow \mathsf {RS}.\mathsf {vk}\) and \(({\mathsf {pk}_\mathsf {S}}', \mathsf {pk}_\mathsf {D}') \leftarrow \mathsf {RS}.\mathsf {vk}'\). If \({\mathsf {pk}_\mathsf {S}}< {\mathsf {pk}_\mathsf {S}}'\), then output \(\mathsf {Vrfy}({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}', \mathsf {M}, \sigma )\). Otherwise, output \(\mathsf {Vrfy}({\mathsf {pk}_\mathsf {S}}', \mathsf {pk}_\mathsf {D}, \mathsf {M}, \sigma )\).
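The construction above, run end to end in Python as an added example (not the paper's code, nor Brendel et al.'s). It assumes a DVS instantiated with a two-key Schnorr OR-proof over a toy-sized safe-prime group, which makes Sign and Sim interchangeable and publicly verifiable as Definition C.1 requires; the group parameters, hash-to-challenge and key encodings are constructed here and offer no security.

```python
"""Appendix C construction as an added example (not the paper's code): a ring
signature for rings of size two built from a publicly verifiable DVS.
Assumption (not from the paper): the DVS is a two-key Schnorr OR-proof over a
toy-sized safe-prime group, so Sign (with sk_S) and Sim (with sk_D) output
identically distributed, publicly verifiable signatures.  The toy parameters
give no security; they exist only to run the construction end to end."""
import hashlib
import secrets

def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def _safe_prime_below(limit):
    """Largest p < limit with p = 2q + 1 and p, q both prime."""
    p = limit - 1 if limit % 2 == 0 else limit - 2   # largest odd below limit
    while not (_is_prime(p) and _is_prime(p // 2)):
        p -= 2
    return p

P = _safe_prime_below(1 << 24)   # toy-sized modulus
Q = (P - 1) // 2                 # prime order of the subgroup of squares mod P
G = 4                            # a square != 1, hence a generator of that subgroup

def _challenge(ring, commitments, msg):
    h = hashlib.sha256()
    for v in (*ring, *commitments):
        h.update(v.to_bytes(8, "big"))
    h.update(msg)
    return int.from_bytes(h.digest(), "big") % Q

def _or_sign(ring, k, x, msg):
    """Prove knowledge of the secret key x of ring[k] without revealing k."""
    other = 1 - k
    r, c_other, z_other = (secrets.randbelow(Q) for _ in range(3))
    a = [0, 0]
    a[k] = pow(G, r, P)                                                    # real branch
    a[other] = pow(G, z_other, P) * pow(ring[other], -c_other % Q, P) % P  # simulated branch
    c_k = (_challenge(ring, a, msg) - c_other) % Q   # the real branch absorbs the challenge
    z_k = (r + c_k * x) % Q
    cs, zs = [0, 0], [0, 0]
    cs[k], zs[k], cs[other], zs[other] = c_k, z_k, c_other, z_other
    return tuple(cs), tuple(zs)

def _or_verify(ring, msg, sig):
    cs, zs = sig
    a = [pow(G, zs[i], P) * pow(ring[i], -cs[i] % Q, P) % P for i in range(2)]
    return (cs[0] + cs[1]) % Q == _challenge(ring, a, msg)

# DVS syntax of Definition C.1.  Secret keys carry their public key so that
# Sign and Sim can form the ordered pair (pk_S, pk_D) the OR-proof hashes over.
def SKGen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), (x, pow(G, x, P))

VKGen = SKGen

def Sign(sk_S, pk_D, msg):
    x, pk_S = sk_S
    return _or_sign((pk_S, pk_D), 0, x, msg)

def Sim(pk_S, sk_D, msg):
    x, pk_D = sk_D
    return _or_sign((pk_S, pk_D), 1, x, msg)

def Vrfy(pk_S, pk_D, msg, sig):
    return _or_verify((pk_S, pk_D), msg, sig)

# The construction of Appendix C.  For signing, ring = (own vk, other vk).
def RS_KeyGen():
    pk_S, sk_S = SKGen()
    pk_D, sk_D = VKGen()
    return (pk_S, pk_D), (sk_S, sk_D)

def RS_Sign(rs_sk, msg, ring):
    (pk_S, _), (pk_S2, pk_D2) = ring
    sk_S, sk_D = rs_sk
    if pk_S < pk_S2:              # smaller pk_S signs as the DVS signer ...
        return Sign(sk_S, pk_D2, msg)
    return Sim(pk_S2, sk_D, msg)  # ... larger pk_S simulates as the designated verifier

def RS_Verify(ring, msg, sig):
    lo, hi = sorted(ring)         # either case of the paper: Vrfy(smaller pk_S, other pk_D)
    return Vrfy(lo[0], hi[1], msg, sig)

def demo(msg=b"constructed test message"):
    """Both members sign under one ring; returns (ok_a, ok_b, ok_tampered)."""
    vk_a, sk_a = RS_KeyGen()
    vk_b, sk_b = RS_KeyGen()
    sig_a = RS_Sign(sk_a, msg, (vk_a, vk_b))
    sig_b = RS_Sign(sk_b, msg, (vk_b, vk_a))
    return (RS_Verify((vk_a, vk_b), msg, sig_a),
            RS_Verify((vk_b, vk_a), msg, sig_b),
            RS_Verify((vk_a, vk_b), msg + b"!", sig_a))
```

Instantiating the DVS with an OR-proof is precisely the "ring signature in disguise" this section describes; the lexicographic order on \(\mathsf {pk}_\mathsf {S}\) is what lets a signature produced via Sign and one produced via Sim both verify under the same \(({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}')\) pair.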

Security We first prove anonymity of the ring signature. The anonymity definition considered by Brendel et al. [19] is almost identical to that in Definition 2.14 except that they additionally require the verification and signing keys to be generated honestly, rather than with possibly malicious randomness. This suffices to prove their deniability since the AKE keys are assumed to be generated honestly.

Lemma C.4

If \(\mathsf{DVS}\) satisfies source hiding, then the ring signature is anonymous (with respect to honestly generated verification and signing keys with rings of size two).

Proof

Assume there exists an adversary \(\mathcal {B} \) against the anonymity of the ring signature. We construct an adversary \(\mathcal {A} \) against the source hiding of \(\mathsf{DVS}\) as follows.

\(\mathcal {A} \) is provided \(({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {S}, \mathsf {pk}_\mathsf {D}, \mathsf {sk}_\mathsf {D})\) from the \(\mathsf{DVS}\) challenger. It queries \(\mathsf {M}\) to oracle \(\mathtt {Chall}\) and receives \(\sigma \). It then generates \((\overline{\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {sk}_\mathsf {S}}) \leftarrow \mathsf {SKGen}()\) and \((\overline{\mathsf {pk}_\mathsf {D}}, \overline{\mathsf {sk}_\mathsf {D}}) \leftarrow \mathsf {VKGen}()\) conditioned on \({\mathsf {pk}_\mathsf {S}}< \overline{\mathsf {pk}_\mathsf {S}}\). Note that this is without loss of generality since \(\mathcal {A} \) can simply regenerate \(\overline{\mathsf {pk}_\mathsf {S}}\) until it succeeds (and possibly halt after it exceeds some number of trials to make \(\mathcal {A} \) run in strict polynomial time). It then samples a random bit \(d \leftarrow \{ 0,1 \} \) and sets

$$\begin{aligned} (\mathsf {RS}.\mathsf {vk}_d, \mathsf {RS}.\mathsf {sk}_d)&:= (( {\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {pk}_\mathsf {D}}), ( \mathsf {sk}_\mathsf {S}, \overline{\mathsf {sk}_\mathsf {D}})) \text { and } (\mathsf {RS}.\mathsf {vk}_{1-d}, \mathsf {RS}.\mathsf {sk}_{1-d}) \\&:= (( \overline{\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}), ( \overline{\mathsf {sk}_\mathsf {S}}, \mathsf {sk}_\mathsf {D})). \end{aligned}$$

It finally provides \(\mathcal {B} \) with \(\left\{ (\mathsf {RS}.\mathsf {vk}_i, \mathsf {RS}.\mathsf {sk}_i) \right\} _{i \in \{ 0,1 \} }\) and \(\sigma \). When \(\mathcal {B} \) outputs \(d'\) as its guess, \(\mathcal {A} \) outputs its guess as \(b' := d \oplus d'\).

Let us analyze the advantage of \(\mathcal {A} \). First of all, since d is information theoretically hidden from \(\mathcal {B} \), the ring signature keys \(\left\{ (\mathsf {RS}.\mathsf {vk}_i, \mathsf {RS}.\mathsf {sk}_i) \right\} _{i \in \{ 0,1 \} }\) are distributed identically to the anonymity game even conditioned on \({\mathsf {pk}_\mathsf {S}}< \overline{\mathsf {pk}_\mathsf {S}}\). Moreover, if oracle \(\mathtt {Chall}\) was using \(b = 0\), then \(\sigma \leftarrow \mathsf {Sign}(\mathsf {sk}_\mathsf {S}, \mathsf {pk}_\mathsf {D}, \mathsf {M})\). Since \({\mathsf {pk}_\mathsf {S}}< \overline{\mathsf {pk}_\mathsf {S}}\), \(\sigma \) is distributed identically to \(\mathsf {RS}.\mathsf {Sign}( \mathsf {RS}.\mathsf {sk}_d, \mathsf {M}, \mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}_0, \mathsf {RS}.\mathsf {vk}_1 \right\} )\). On the other hand, if oracle \(\mathtt {Chall}\) was using \(b = 1\), then \(\sigma \leftarrow \mathsf {Sim}({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {D}, \mathsf {M})\), which is distributed identically to \(\mathsf {RS}.\mathsf {Sign}( \mathsf {RS}.\mathsf {sk}_{1-d}, \mathsf {M}, \mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}_0, \mathsf {RS}.\mathsf {vk}_1 \right\} )\). Hence, if \(\mathcal {B} \) outputs a guess \(d'\) and \(d = 0\), then \(\mathcal {A} \) simply needs to output \(d'\) as its guess. Otherwise, \(\mathcal {A} \) flips the guess \(d'\) in order to undo the swap induced by \(d = 1\). This completes the proof. \(\square \)

The unforgeability definition considered by Brendel et al. [19] is similar to that in Definition 2.15 except that they restrict the adversary to query the signing oracle only on rings consisting of honestly generated verification keys. This weaker definition suffices for their application since they consider deniability only against honestly generated long-term keys.

Lemma C.5

If \(\mathsf{DVS}\) satisfies source hiding and unforgeability, then the ring signature is unforgeable (with respect to honestly generated rings of size two).

Proof

Before providing the reduction, we first modify the unforgeability game of the ring signature (with respect to honestly generated rings of size two) to the following. The modification from the original Definition 2.15 is underlined in black. The only difference is that the challenger samples two random distinct indices \((i^*_0, i^*_1) \in [N] \times [N]\) and hopes that the adversary outputs a forgery on the ring \(\left\{ \mathsf {RS}.\mathsf {vk}_{i^*_0}, \mathsf {RS}.\mathsf {vk}_{i^*_1} \right\} \). Moreover, whenever the adversary \(\mathcal {A} \) queries the signing oracle, the challenger will never use \(\mathsf {RS}.\mathsf {sk}_{i^*_0}\) to sign the message.

  1. (i)

    The challenger generates key pairs \((\mathsf {RS}.\mathsf {vk}_i,\mathsf {RS}.\mathsf {sk}_i)=\mathsf {RS}.\mathsf {KeyGen}()\) for all \(i \in [N]\). It sets \(\mathsf {VK}:= \left\{ \mathsf {RS}.\mathsf {vk}_i \mid i \in [N] \right\} \) and initializes two empty sets \(\mathsf {SL}\) and \(\mathsf {CL}\). It also samples two distinct indices \((i^*_0, i^*_1) \leftarrow [N] \times [N]\).

  2. (ii)

    The challenger provides \(\mathsf {VK}\) to \(\mathcal {A} \);

  3. (iii)

    \(\mathcal {A} \) can make signing and corruption queries an arbitrary polynomial number of times:

    • \((\mathsf {sign}, i ,\mathsf {M},\mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}_i, \mathsf {RS}.\mathsf {vk}_j \right\} )\): The challenger checks if \((\mathsf {RS}.\mathsf {vk}_i, \mathsf {RS}.\mathsf {vk}_j) \subseteq \mathsf {R}\) and outputs \(\bot \) if not. Otherwise, if \(i = i_0^*\), then it computes the signature \(\sigma \leftarrow \mathsf {RS}.\mathsf {Sign}(\mathsf {RS}.\mathsf {sk}_j,\mathsf {M},\mathsf {R})\). If \(i \ne i^*_0\), then it computes the signature \(\sigma \leftarrow \mathsf {RS}.\mathsf {Sign}(\mathsf {RS}.\mathsf {sk}_i,\mathsf {M},\mathsf {R})\). Finally, the challenger provides \(\sigma \) to \(\mathcal {A} \) and adds \((i,\mathsf {M},\mathsf {R})\) to \(\mathsf {SL}\);

    • \((\mathsf {corrupt},i)\): If \(i \in \left\{ i^*_0, i^*_1 \right\} \), then abort the game. Otherwise, the challenger adds \(\mathsf {RS}.\mathsf {vk}_i\) to \(\mathsf {CL}\) and returns \(\mathsf {RS}.\mathsf {sk}_i\) to \(\mathcal {A} \).

  4. (iv)

    \(\mathcal {A} \) outputs \((\mathsf {R}^*, \mathsf {M}^*, \sigma ^*)\). If \(\mathsf {R}^* = \left\{ \mathsf {RS}.\mathsf {vk}_{i^*_0}, \mathsf {RS}.\mathsf {vk}_{i^*_1} \right\} \), \((\cdot ,\mathsf {M}^*,\mathsf {R}^*) \not \in \mathsf {SL}\), and \(\mathsf {Verify}(\mathsf {R}^*, \mathsf {M}^*, \sigma ^*)=1\), then we say the adversary \(\mathcal {A} \) wins.

It is straightforward to show that this modified unforgeability game is as hard as the original unforgeability game assuming that the ring signature is anonymous (which by Lemma C.4 follows from the source hiding of \(\mathsf{DVS}\)). Concretely, we first modify the original game to a game in which the challenger simply guesses the non-corrupted indices \((i^*_0, i^*_1) \in [N] \times [N]\) that the adversary will use for its forgery. Since these indices are information theoretically hidden from the adversary, this is indistinguishable from the original game (except for a loss of \(1/N^2\) in the reduction). Next, assuming \(\mathcal {A} \) makes at most Q queries to the signing oracle, we define Q hybrids, where in the k-th hybrid the challenger answers as in the original game up to the \((k-1)\)-th signing query and as in the modified game from the k-th signing query on. Each pair of adjacent hybrids \((k-1)\) and k is indistinguishable assuming the anonymity of the ring signature: the reduction samples a random index \(j^* \leftarrow [N]\) and embeds the two verification keys provided by the anonymity game at the two indices \((i^*_0, j^*)\). It generates all other verification keys as in the unforgeability game. Note that the reduction knows the signing keys of all parties. It answers every \(k'\)-th signing query for \(k' \ne k\) as in hybrids \((k-1)\) and k. If \(i = i^*_0\) is used in the k-th query, it further checks whether \(\mathsf {vk}_{j^*}\) is used. If so, the reduction simulates the signing oracle by embedding its challenge. If \(\mathsf {vk}_{j^*}\) is not used, it aborts the game. Otherwise, if \(i \ne i^*_0\), it answers the signing query as in the \((k-1)\)-th and k-th hybrids. This completes the reduction. In case the challenge signature is created using \(\mathsf {sk}_{i_0^*}\) (resp. \(\mathsf {sk}_{j^*}\)), it perfectly simulates the \((k-1)\)-th (resp. k-th) hybrid (conditioned on not aborting). Therefore, assuming the ring signature is anonymous, the two hybrids are indistinguishable.

Now, we are ready to show that this modified unforgeability for the ring signature is hard assuming the unforgeability of the \(\mathsf{DVS}\). Assume there exists an adversary \(\mathcal {B} \) against the modified unforgeability of the ring signature. We construct an adversary \(\mathcal {A} \) against the unforgeability of \(\mathsf{DVS}\) as follows:

\(\mathcal {A} \) is given \({\mathsf {pk}_\mathsf {S}}\), \(\mathsf {pk}_\mathsf {D}\), and \(L = \left\{ (\mathsf {pk}_{\mathsf {D}, i}, \mathsf {sk}_{\mathsf {D}, i}) \right\} _{i \in [n]}\). It generates \((\overline{\mathsf {pk}_\mathsf {D}}, \overline{\mathsf {sk}_\mathsf {D}}) \leftarrow \mathsf {VKGen}()\), \((\overline{\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {sk}_\mathsf {S}}) \leftarrow \mathsf {SKGen}()\), and \((\mathsf {pk}_{\mathsf {S}, i}, \mathsf {sk}_{\mathsf {S}, i}) \leftarrow \mathsf {SKGen}()\) for \(i \in [n]\). It then forms \((n + 2)\) verification keys for the ring signature, namely \(({\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {pk}_\mathsf {D}})\), \((\overline{\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D})\), and \(\left\{ (\mathsf {pk}_{\mathsf {S}, i}, \mathsf {pk}_{\mathsf {D}, i}) \right\} _{i \in [n]}\), randomly permutes them, and sets them as \((\mathsf {RS}.\mathsf {vk}_i)_{i \in [n + 2]}\). Let \(i^*_0\) be the index such that \(\mathsf {RS}.\mathsf {vk}_{i^*_0} := (\overline{\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D})\) and \(i^*_1\) be the index such that \(\mathsf {RS}.\mathsf {vk}_{i^*_1} := ({\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {pk}_\mathsf {D}})\). \(\mathcal {A} \) finally provides \(\mathsf {VK}:= \left\{ \mathsf {RS}.\mathsf {vk}_i \mid i \in [n + 2] \right\} \) to \(\mathcal {B} \). Notice \(\mathcal {A} \) knows the signing keys for indices in \([n+2]\backslash \left\{ i^*_0, i^*_1 \right\} \), so it can simulate the signing and corruption queries for any \(i \notin \left\{ i^*_0, i^*_1 \right\} \). Moreover, since \(\mathcal {A} \) aborts when \(i \in \left\{ i^*_0, i^*_1 \right\} \) is queried to the corruption oracle, it remains to see how \(\mathcal {A} \) simulates the signing queries when \(i \in \left\{ i^*_0, i^*_1 \right\} \). Due to the modification we made to the unforgeability game, \(\mathcal {A} \) never needs to sign using the signing key corresponding to index \(i^*_0\), so it suffices to check the case \(i = i^*_1\). Now, when \(i = i^*_1\) and \({\mathsf {pk}_\mathsf {S}}< \mathsf {pk}_{\mathsf {S}, j}\), \(\mathcal {A} \) queries its signing oracle and obtains a signature under \(\mathsf {sk}_\mathsf {S}\). Otherwise, it uses \(\overline{\mathsf {sk}_\mathsf {D}}\) to generate \(\sigma \leftarrow \mathsf {Sim}(\mathsf {pk}_{\mathsf {S}, j}, \overline{\mathsf {sk}_\mathsf {D}}, \mathsf {M})\). This completes the description of \(\mathcal {A} \).

Notice that the winning conditions of the modified unforgeability game of the ring signature and of the unforgeability game of the \(\mathsf{DVS}\) are identical. Moreover, since \(\mathcal {A} \) randomly permutes the indices in \([n+2]\), \(\mathcal {A} \) simulates the distribution of the two indices \((i^*_0, i^*_1)\) perfectly. Therefore, \(\mathcal {A} \) has the same advantage as \(\mathcal {B} \). This concludes the proof. \(\square \)


Cite this article

Hashimoto, K., Katsumata, S., Kwiatkowski, K. et al. An Efficient and Generic Construction for Signal’s Handshake (X3DH): Post-quantum, State Leakage Secure, and Deniable. J Cryptol 35, 17 (2022). https://doi.org/10.1007/s00145-022-09427-1
