Signed (Group) Diffie–Hellman Key Exchange with Tight Security

We propose the first tight security proof for the ordinary two-message signed Diffie–Hellman key exchange protocol in the random oracle model. Our proof is based on the strong computational Diffie–Hellman assumption and the multiuser security of a digital signature scheme. With our security proof, the signed DH protocol can be deployed with optimal parameters, independent of the number of users or sessions, without the need to compensate any security loss. We abstract our approach with a new notion called verifiable key exchange. In contrast to a known tight three-message variant of the signed Diffie–Hellman protocol (Gjøsteen and Jager, in: Shacham, Boldyreva (eds) CRYPTO 2018, Part II. LNCS, Springer, Heidelberg, 2018), we do not require any modification to the original protocol, and our tightness result is proven in the “Single-Bit-Guess” model which we know can be tightly composed with symmetric cryptographic primitives to establish a secure channel. Finally, we extend our approach to the group setting and construct the first tightly secure group authenticated key exchange protocol.


Introduction
Authenticated key exchange (AKE) protocols are protocols where two users can securely share a session key in the presence of active adversaries.Beyond passively observing, adversaries against an AKE protocol can modify messages and adaptively corrupt users' long-term keys or the established session key between users.Hence, it is very challenging to construct a secure AKE protocol.
The signed Diffie-Hellman (DH) key exchange protocol is a classical AKE protocol.It is a two-message (namely, two message-moves or one-round) protocol and can be viewed as a generic method to transform a passively secure Diffie-Hellman key exchange J. Pan et al.

Fig. 1.
Our signed Diffie-Hellman key exchange protocol and the tight variant of Gjøsteen and Jager [24].The functions H and H are hash functions.Operations marked with a gray box are for our signed DH protocol, and dashed boxes are for Gjøsteen and Jager's.Operations without a box are performed by both protocols.All signatures are verified upon arrival with the corresponding messages, and the protocol aborts if any verification fails .
protocol [19] into a secure AKE protocol using digital signatures.Figure 1 visualizes the protocol.The origin of signed DH is unclear to us, but its idea has been used in and serves as a solid foundation for many well-known AKE protocols, including the Station-to-Station protocol [20], IKE protocol [26], the one in TLS 1.3 [42] and many others [7,24,29,30,33].Tight Security.Security of a cryptographic scheme is usually proven by constructing a reduction.Asymptotically, a reduction reduces any efficient adversary A against the scheme into an adversary R against the underlying computational problem.Concretely, a reduction provides a security bound for the scheme, ε A ≤ • ε R , where ε A is the success probability of A and ε R is that of R. We say a reduction is tight if is a small constant and the running time of A is approximately the same as that of R. For the same scheme, it is more desirable to have a tight security proof than a non-tight one, since a tight security proof enables implementations without the need to compensate a security loss with increased parameters.
Multi-Challenge Security for AKE.An adversary against an AKE protocol has full control of the communication channel and, additionally, it can adaptively corrupt users' long-term keys and reveal session keys.The goal of an adversary is to distinguish between a (non-revealed) session key and a random bit-string of the same length, which is captured by the Test query.We follow the Bellare-Rogaway (BR) model [5] to capture these capabilities, but formalize it with the game-based style of [28].Instead of weak perfect forward secrecy, our model captures the (full) perfect forward secrecy.
Unlike the BR model, our model captures multi-challenge security, where an adversary can make T many Test queries which are answered with a single random bit.This is a standard and well-established multi-challenge notion, and [28] called it "Single-Bit-Guess" (SBG) security.Another multi-challenge notion is the "Multi-Bit-Guess" (MBG) security where each Test query is answered with a different random bit.Although several tightly secure AKE protocols [2,24,36,46] are proven in the MBG model, we stress that the SBG model is well-established and allows tight composition of the AKE with symmetric cryptographic primitives, which is not the case for the nonstandard MBG model.Thus, the SBG multi-challenge model is more desirable than the MBG model.More details about this have been provided by Jager et al. [28,Introduction] and Cohn-Gordon et al. [14,Section 3].The Non-Tight Security of Signed DH.Many existing security proofs of signed DH-like protocols [7,29,30] lose a quadratic factor, O(μ 2 S 2 ), where μ and S are the maximum numbers of users and sessions.In the SBG model with T many Test queries, these proofs also lose an additional multiplicative factor T .
At CRYPTO 2018, Gjøsteen and Jager [24] proposed a tightly secure variant of it by introducing an additional message move into the ordinary signed DH protocol.They showed that if the signature scheme is tightly secure in the multiuser setting then their protocol is tightly secure.They required the underlying signature scheme to be strongly unforgeable against adaptive Corruption and Chosen-Message Attacks (StCorrCMA) which is a notion in the multiuser setting and an adversary can adaptively corrupt some of the honest users to see their secret keys.Moreover, they constructed a tightly multiuser secure signature scheme based on the decisional Diffie-Hellman (DDH) assumption in the random oracle model [4].Combining these two results, they gave a practical three message fully tight AKE.We note that their tight security is proven in the less desirable MBG model, and, to the best of our knowledge, the MBG security can only non-tightly imply the SBG security [28].Due to the "commitment problem", the additional message is crucial for the tightness of their protocol.In particular, the "commitment problem" seems to be the reason why most security proofs for AKEs are non-tight.

Our Contribution
In this paper, we propose a new tight security proof of the ordinary two-message signed Diffie-Hellman key exchange protocol in the random oracle model.More precisely, we prove the security of the signed DH protocol tightly based on the multiuser security of the underlying signature scheme in the random oracle model.Our proof improves upon the work of Gjøsteen and Jager [24] in the sense that we do not require any modification to the signed DH protocol and our tight multi-challenge security is in the SBG model.This implies that our analysis supports the optimal implementation of the ordinary signed DH protocol with theoretically sound security in a meaningful model.
Our technique is a new approach to resolve the "commitment problem".At the core of it is a new notion called verifiable key exchange protocols.We first briefly recall the "commitment problem" and give an overview of our approach.
Technical Difficulty: The "commitment problem".As explained in [24], this problem is the reason why almost all proofs of classical AKE protocols are non-tight.In a security proof of an AKE protocol, the reduction needs to embed a hard problem instance into the protocol messages of Test sessions so that in the end the reduction can extract a solution to the hard problem from the adversary A. After the instance is embedded, A has not committed itself to which sessions it will query to Test yet, and, for instance, A can ask the reduction for Reveal queries on sessions with a problem instance embedded to get the corresponding session keys.At this point, the reduction cannot respond to these Reveal queries.A natural way to resolve this is to guess which sessions A will query Test on, and to embed a hard problem instance in those sessions only.However, this introduces an extremely large security loss.To resolve this "commitment problem", a tight reduction should be able to answer both Test and Reveal for every session without any guessing.Gjøsteen and Jager achieved this for the signed DH by adding an additional message.
In this paper, we show that this additional message is not necessary for tight security.Our Approach: Verifiable Key Exchange.In this work, we, for simplicity, use the signed Diffie-Hellman protocol based on the plain Diffie-Hellman protocol [19] (as described in Fig. 1) to explain our approach.In the technical part, we abstract and present our idea with a new notion called verifiable key exchange protocols.
Let G := g be a cyclic group of prime-order p where the computational Diffie-Hellman (CDH) problem is hard.Let (g α , g β ) (where α, β ← $ Z p ) be an instance of the CDH problem.By its random self-reducibility, we can efficiently randomize it to multiple independently distributed instances (g α i , g β i ), and given some g α i β i , we can extract the solution g αβ .
For preparation, we assume that a Test session does not contain any valid forgeries.This can be tightly justified by the StCorrCMA security of the underlying signature scheme, which can be instantiated with the recent scheme in [17].
After that, an adversary can only observe the protocol transcripts or forward the honestly generated transcripts in arbitrary orders.This is the most important step for bounding such an adversary tightly without involving the "commitment problem".Our reduction embeds the randomized instance (g α i , g β i ) into each session.Now it seems we can answer neither Test nor Reveal queries: The answer has the form K := H(ctxt, g xy ), but the term g xy cannot be computed by the reduction, since g x and g y are from the CDH challenge and the reduction knows neither x nor y.However, our reduction can answer this by carefully simulating the random oracle H and keeping the adversary's view consistent.More precisely, we answer Test and Reveal queries with a random K , and we carefully program the random oracle H so that adversary A cannot detect this change.To achieve this, when we receive a random oracle query H(ctxt, Z ), we answer it consistently if the secret element Z corresponds to the context ctxt and ctxt belongs to one of the Test or Reveal queries.This check can be efficiently done by using the strong DH oracle [1].Our approach is motivated by the two-message AKE in [14].
The approach described above can be abstracted by a notion called verifiable key exchange (VKE) protocols.Roughly speaking, a VKE protocol is firstly passively secure, namely a passive observer cannot compute the secret session key.Additionally, a VKE provides an oracle to an adversary to check whether a session key belongs to some honestly generated session, and to forward messages in a different order to create non-matching sessions.This VKE notion gives rise to a tight security proof of the signed DH protocol.We believe this is of independent interest.On the Strong CDH Assumption.Our techniques require the Strong CDH assumption [1] for the security of our VKE protocol.We refer to [15, Appendix C] for a detailed analysis of this assumption in the generic group model (GGM).Without using the GGM, we can use the twinning technique [13] to remove this strong assumption and base the VKE security tightly on the (standard) CDH assumption.This approach will double the number of group elements.Alternatively, we can use the group of signed Quadratic Residues (QR) [27] to instantiate our VKE protocol, and then the VKE security is tightly based on the factoring assumption (by [27,Theorem 2]).Real-World Impacts.As mentioned earlier, the signed DH protocol serves as a solid foundation for many real-world protocols, including the one in TLS 1.3 [42], IKE [26], and the Station-to-Station [20] protocols.We believe our approach can naturally be extended to tighten the security proofs of these protocols.In particular, our notion of VKE protocols can abstract some crucial steps in a recent tight proof of TLS 1.3 [15].
Another practical benefit of our tight security proof is that, even if we implement the underlying signature with a standardized, non-tight scheme (such as Ed25519 [8] or RSA-PKCS #1 v1.5 [40]), our implementation does not need to lose the additional factor that is linear in the number of sessions.In today's Internet, there can be easily 2 30  sessions per year.For instance, Facebook has about 2 30 monthly active users 1 .Assuming that each user only logs in once a month, this already leads to 2 30 sessions.

Protocol Comparison
We compare the instantiation of signed DH according to our tight proof with the existing explicitly authenticated key exchange protocols in Fig. 2. For complete tightness, all these protocols require tight multiuser security of their underlying signature scheme.We implement the signature scheme in all protocols with the recent efficient scheme from Diemert et al. [17] whose signatures contain 3 Z p elements, and whose security is based on the DDH assumption.The implementation of TLS is according to the recent tight proofs in [15,18], and we instantiate the underlying signature scheme with the same DDH-based scheme from [17].
We note that the non-tight protocol from Cohn-Gorden et al. [14], whose security loss is linear in the number of users, has better communication efficiency (2, 0, 0).However, its security is weaker than all protocols listed in Fig. 2, since their protocol is only implicitly authenticated and achieves weak perfect forward secrecy.
We detail the comparison with JKRS [28].Using the DDH-based signature scheme in [17], the communication complexity of our signed DH protocol is (2, 0, 6), while that of JKRS is (5, 1, 3).We suppose the efficiency of our protocol is comparable to JKRS.
Our main weakness is that our security model is weaker than that of JKRS.Namely, ours does not allow adversaries to corrupt any internal secret state.We highlight that our proof does not inherently rely on any decisional assumption.In particular, if there is a tightly multiuser secure signature scheme based on only search assumptions, our proof Fig. 2. Comparison of AKE protocols.We denote Comm.as the communication complexity of the protocols in terms of the number of group elements, hashes and Z p elements (which is due to the use of the signature scheme in [17]).The column Model lists the AKE security model and distinguishes between multi-bit guessing (MBG) and the single-bit-guessing (SBG) security .
directly gives a tightly secure AKE based on search assumptions only, which is not the case for [28].

An Extension and Open Problems
We extend our approach to group AKE (GAKE) protocols, where a group of users can agree on a session key, and construct the first tightly secure GAKE protocol.Research on GAKE has a long history and several GAKE protocols have been constructed in the literature [9][10][11]25,31].However, none of the existing GAKE protocols enjoy a tight security proof.We suppose that tight security is more desirable for GAKE than AKE, since many applications require GAKE protocols (such as online audio-video conference systems and instant messaging [43]) are often in a truly large-scale setting.
Similar to the two-party setting, we propose the notion of verifiable group key exchange (VGKE) protocols and transform a VGKE to GAKE using a signature scheme.Our transformation is tightness-preserving.As an instantiation of our approach, we prove that under the strong CDH assumption the classical Burmester-Desmedt protocol is a tightly secure VGKE protocol [12].Combining with a tightly StCorrCMA-secure signature (for instance, [17]), it yields the first tightly secure GAKE protocol.Alternatively, our transformation can be viewed as a tight improvement on the (non-tight) generic compiler of Katz and Yung [31] where we require the underlying non-authenticated group key exchange protocol to be verifiable.
Open Problems.We do not know of any tightly multiuser secure signature schemes with corruptions based on a search assumption, and the schemes in [39] based on search assumptions do not allow any corruption.It is therefore insufficient for our purpose, and we leave constructing a tightly secure AKE based purely on search assumptions as an open problem.

History of This Paper
This is the full version of a paper published at CT-RSA 2021 [38].The main change here is to extend our approach in the group key exchange setting and propose the first tightly secure GAKE protocol (cf.Sect.6).Due to this main extension, we (slightly) change the title to the current one.Moreover, we give a detailed proof for the multiuser security of Schnorr's signature scheme in the generic group model (cf.Appendix A).

Preliminaries
For n ∈ N, let [n] = {1, . . ., n}.For a finite set S, we denote the sampling of a uniform random element x by x ← $ S. By B , we denote the bit that is 1 if the evaluation of the Boolean statement B is true and 0 otherwise.
Algorithms.For an algorithm A which takes x as input, we denote its computation by y ← A(x) if A is deterministic, and y ← $ A(x) if A is probabilistic.We assume all the algorithms (including adversaries) in this paper to be probabilistic unless we state it.We denote an algorithm A with access to an oracle O by A O .In terms of running time, if a reduction's running time t is dominated by that of an adversary t (more precisely, t = t + s where s t), we write t ≈ t.
Games.We use code-based games [6] to present our definitions and proofs.We implicitly assume all Boolean flags to be initialized to 0 (false), numerical variables to 0, sets to ∅ and strings to ⊥.We make the convention that a procedure terminates once it has returned an output.G A ⇒ b denotes the final (Boolean) output b of game G running adversary A, and if b = 1 we say A wins G.The randomness in Pr[G A ⇒ 1] is over all the random coins in game G. Within a procedure, "abort" means that we terminate the run of an adversary A.
Digital signatures.We recall the syntax and security of a digital signature scheme.
Let par be some system parameters shared among all participants.
Definition 1. (Digital Signature) A digital signature scheme SIG := (Gen, Sign, Ver) is defined as follows.
-The key generation algorithm Gen(par) returns a public key and a secret key (pk, sk).We assume that pk implicitly defines a message space M and a signature space .-The signing algorithm Sign(sk, m ∈ M) returns a signature σ ∈ on m.
In addition, we say that SIG has α bits of (public) key min-entropy if an honestly generated public key pk is chosen from a distribution with at least α bits min-entropy.Formally, for all bit-strings pk we have Pr[pk = pk : (pk, sk) ← $ Gen(par)] ≤ 2 −α .
We include the definition of entropy here because our proofs require an estimate on the probability of a collision in the public keys.[17,24])

Definition 2. (StCorrCMA Security
A digital signature scheme SIG is (t, ε, μ, Q s , Q Cor )-StCorrCMA secure (Strong unforgeability against Corruption and Chosen Message Attacks), if for all adversaries A running in time at most t, interacting with μ users, making at most Q s queries to the signing oracle Sign, and at most Q Cor (Q Cor < μ) queries to the corruption oracle Corr as in Fig. 3, we have Security in the random oracle model.A common approach to analyze the security of signature schemes that involve a hash function is to use the random oracle model [4] where hash queries are answered by an oracle H, where H is defined as follows: On input x, it first checks whether H(x) has previously been defined.If so, it returns H(x).Otherwise, it sets H(x) to a uniformly random value in the range of H and then returns H(x).We parameterize the maximum number of hash queries in our security notions.For instance, we define (t, ε, μ, Q s , Q Cor , Q H )-StCorrCMA as security against any adversary that makes at most Q H queries to H in the StCorrCMA game.Furthermore, we make the standard convention that any random oracle query that is asked as a result of a query to the signing oracle in the StCorrCMA game is also counted as a query to the random oracle.This implies that Signature schemes.The tight security of our authenticated key exchange (AKE) protocols is established based on the StCorrCMA security of the underlying signature schemes.To obtain a completely tight AKE, we use the recent signature scheme from [17] to implement our protocols.
By adapting the non-tight proof in [23], the standard unforgeability against chosenmessage attacks (UF-CMA) notion for signature schemes implies the StCorrCMA security of the same scheme non-tightly (with security loss μ).Thus, many widely used signature schemes (such as the Schnorr [44], Ed25519 [8] and RSA-PKCS #1 v1.5 [40] signature schemes) are non-tightly StCorrCMA secure.We do not know any better reductions for these schemes.We leave proving the StCorrCMA security of these schemes without losing a linear factor of μ as a future direction.However, our tight proof for the signed DH protocol strongly indicates that the aforementioned non-tight reduction is optimal for these practical schemes.This is because if we can prove these schemes tightly secure, we can combine them with our tight proof to obtain a tightly secure AKE with unique and verifiable private keys, which may contradict the impossibility result from [14].
For the Schnorr signature, we analyze its StCorrCMA security in the generic group model (GGM) [37,45].We recall the Schnorr signature scheme below and show the GGM bound of its StCorrCMA security in Theorem 1.
Let par = ( p, g, G), where G = g is a cyclic group of prime order p with a hard discrete logarithm problem.Let H : {0, 1} * → Z p be a hash function.Schnorr's signature scheme, Schnorr := (Gen, Sign, Ver), is defined as follows: secure in the GGM and in the programmable random oracle model, where Here, Q G is the number of group operations queried by the adversary.
The proof of Theorem 1 is following the approach in [3,32]: We first define an algebraic interactive assumption, CorrIDLOG, which is tightly equivalent to the StCorrCMA security of Schnorr, and then we analyze the hardness of CorrIDLOG in the GGM.CorrIDLOG stands for Interactive Discrete Logarithm with Corruption.It is motivated by the IDLOG (Interactive Discrete Logarithm) assumption in [32].CorrIDLOG is a stronger assumption than IDLOG in the sense that it allows an adversary to corrupt the secret exponents of some public keys.Details are given in Appendix A.

Security Model for Two-Message Authenticated Key Exchange
In this section, we use the security model in [28] to define the security of two-message authenticated key exchange protocols.This section is almost verbatim to Section 4 of [28].We highlight the difference we make for our protocol: Since our protocols do not have security against (ephemeral) state reveal attacks (as in the extended Canetti-Krawczyk (eCK) model [34]), we do not consider state reveals in our model.
A two-message key exchange protocol AKE := (Gen AKE , Init I , Der R , Der I ) consists of four algorithms which are executed interactively by two parties as shown in Fig. 4. We denote the party which initiates the session by P i and the party which responds to the session by P r .The key generation algorithm Gen AKE outputs a key pair (pk, sk) for one party.The initialization algorithm Init I inputs the initiator's long-term secret key sk i and the responder's long-term public key pk r , and outputs a message m i and a state st.The responder's derivation algorithm Der R takes as input the responder's long-term secret key, the initiator's public key pk i and a message m i .It computes a message m r and a session key K .The initiator's derivation algorithm Der I inputs the initiator's long-term key sk i , the responder's long-term public key pk r , the responder's message m r and the state st.Note that the responder is not required to save any internal state information besides the session key K .We give a security game written in pseudocode.We define a model for explicit authenticated protocols achieving (full) forward secrecy instead of weak forward secrecy.Namely, an adversary in our model can be active and corrupt the user who owns the Test session sID * , and the only restriction is that if there is no matching session to sID * , then the peer of sID * must not be corrupted before the session finishes.
Here, explicit authentication means entity authentication in the sense that a party can explicitly confirm that he is talking to the actual owner of the recipient's public key.The key confirmation property is only implicit [21], where a party is assured that the other identified party can compute the same session key.The game IND-FS is given in Figs. 5  and 6.We refer readers to [16] for more details on different types of authentication for key exchange protocols.
Execution Environment.We consider μ parties P 1 , . . ., P μ with long-term key pairs When two parties A and B want to communicate, the initiator, say, A first creates a session.To identify this session, we increase the global identification number sID and assign the current state of sID to identify this session owned by A. The state of sID will increase after every assignment.Moreover, a message will be sent to the responder.The responder then similarly creates a corresponding session which is assigned the current state of sID.Hence, each conversation includes two sessions.We then define variables in relation to the identifier sID: -init[sID] ∈ [μ] denotes the initiator of the session.
-type[sID] ∈ {"In", "Re"} denotes the session's view, i. e. whether the initiator or the responder computes the session key.-Msg I [sID] denotes the message that was computed by the initiator.
-Msg R [sID] denotes the message that was computed by the responder.
-state[sID] denotes the (secret) state information, i. e. ephemeral secret keys.
To establish a session between two parties, the adversary is given access to oracles Session I and Session R , where the first one starts a session of type "In" and the second one of type "Re".The Session R oracle also runs the Der R algorithm to compute its session key and complete the session, as it has access to all the required variables.In order to complete the initiator's session, the oracle Der I has to be queried.
Following [28], we do not allow the adversary to register adversarially controlled parties by providing long-term public keys, as the registered keys would be treated no differently than regular corrupted keys.If we would include the key registration oracle, Helper procedures Fresh and Valid are defined in Fig. 6.If there exists any test session which is neither fresh nor valid, the game will return b .Fig. 6.Helper procedures Fresh and Valid for game IND-FS defined in Fig. 5. Procedure Fresh checks if the adversary performed some trivial attack.In procedure Valid, each attack is evaluated by the set of variables shown in Table 2 and checks if an allowed attack was performed.If the values of the variables are set as in the corresponding row, the attack was performed, i. e. attack = true, and thus the session is valid .
then our proof requires a stronger notion of signature schemes in the sense that our signature challenger can generate the system parameters with some trapdoor.With the trapdoor, the challenger can simulate a valid signature under the adversarially registered public keys.This is the case for the Schnorr signature and the tight scheme in [17], since they are honest-verifier zero-knowledge and the aforementioned property can be achieved by programming the random oracles.
Finally, the adversary has access to oracles Corr and Reveal to obtain secret information.We use the following Boolean values to keep track of which queries the adversary made: -corrupted[n] denotes whether the long-term secret key of party P n was given to the adversary.-revealed[sID] denotes whether the session key was given to the adversary.
-peerCorrupted[sID] denotes whether the peer of the session was corrupted and its long-term key was given to the adversary at the time the owner's session key was computed, which is important for forward security.
The adversary can forward messages between sessions or modify them.By that, we can define the relationship between two sessions: - Our protocols use signatures to preserve integrity so that any successful no-match attacks described in [35] will lead to a signature forgery and thus can be excluded.Finally, the adversary is given access to oracle Test, which can be queried multiple times and which will return either the session key of the specified session or a uniformly random key.We use one bit b for all test queries, and store test sessions in a set S. The adversary can obtain information on the interactions between two parties by querying the long-term secret keys and the session key.However, for each test session, we require that the adversary does not issue queries such that the session key can be trivially computed.We define the properties of freshness and validity which all test sessions have to satisfy: -Freshness: A (test) session is called fresh if the session key was not revealed.
Furthermore, if there exists a matching session, we require that this session's key is not revealed and that this session is not also a test session.-Validity: A (test) session is called valid if it is fresh and the adversary performed any attack which is defined in the security model.We capture this with attack Table 2.
Attack Tables.We define validity of different attack strategies.All attacks are defined using variables to indicate which queries the adversary may (not) make.We consider three dimensions: -whether the test session is on the initiator's (type[sID * ] ="In") or the responder's side (type[sID * ] ="Re"), Table 1.Full table of attacks for adversaries against explicitly authenticated two-message protocols.
An attack is regarded as an AND conjunction of variables with specified values as shown in the each line, where "-" means that this variable can take arbitrary value and F means "false."The trivial attacks where the session's peer is corrupted when the key is derived, and the corresponding variables are set to T, are marked with gray .The ⊥ symbol indicates that the adversary cannot query anything more from this party, as he already possesses the long-term key -all combinations of long-term secret key reveal, taking into account when a corruption happened (corrupted and peerCorrupted variables), -the number of matching sessions, i.e., whether the adversary acted passively (matching session) or actively (no matching session).
The purpose of these tables is to make our proofs precise by listing all the possible attacks.
How to read the tables.Table 1 lists all possible attacks from an adversary.By excluding trivial attacks and merging similar attacks, we obtain Table 2 from Table 1.If the set of variables corresponding to a test session is set as in any row of Table 2, this row will evaluate to true in line 10 in Fig. 6.We now describe the different attacks in Table 1 in more detail: Row 0. If the protocol does not use appropriate randomness, it should not be considered secure.In this case, there can be multiple matching sessions to a test session, which an adversary can take advantage of.For an honest run of the protocol, the underlying min-entropy ensures that this attack will only happen with negligible probability.Row 1.Here, the tested session has one matching session, is of type "In", and both parties might be corrupted.Since there is a matching session, the adversary has acted passively during the execution of the protocol.Thus, even if both parties were corrupted during the execution, the adversary cannot break the AKE security without breaking the passive security of the underlying protocol.Hence, it should make no difference if the parties were corrupted before or after the key was computed, and the corrupted and peerCorrupted columns can take any value.Row 2. This attack is similar to the one above, the only difference is the session type.Row 3. Here, the responder of the session was corrupted when the initiator computed its key, and there is no matching session.This means that the adversary has performed an active attack and changed or reordered the message being sent.This can lead to a trivial attack, because the adversary can impersonate the responder with the corrupted secret key.By knowing the underlying message, he can compute the same session key as the initiator will compute, and test the initiators session.Whether the adversary corrupts the initiator makes no difference, and hence this column can take any value.Row 4. Similar to the attack above, with the types switched, and hence the initiator was corrupted by the time the responder computed the key.This leads to a trivial attack in the same way.Row 5. Here, there is no matching session, but we specify that the responder was not corrupted when the initiator computed its key.The adversary can choose whether or not to corrupt the initiator before the responder computes its key.The key point is that whether he can impersonate the initiator or not, he does not know the internal state of the initiator, and to break security he must either break the underlying key exchange protocol, or impersonate the responder and break the authentication directly.Hence, this column can take any value.After the initiators key is computed, it should not matter whether the responder gets corrupted or not, and hence, this column can also take any value.Row 6.Similar to above, but with the types changed so that the initiator was not corrupted when the responder computed its key.
From the 6 attacks in total presented in Table 1, rows (3.) and (4.) are trivial wins for the adversary and can thus be excluded.Note that rows (1.) and (2.) denote similar attacks against initiator and responder sessions.Since the session's type does not change the queries the adversary is allowed to make in this case, we can merge these rows.For the same reason, we can also merge rows (5.) and (6.).The resulting table is given in Table 2.
Attacks covered in our model capture forward secrecy (FS) and key compromise impersonation (KCI) attacks.
Note that we do not include reflection attacks, where the adversary makes a party run the protocol with himself.For the KE DH protocol, we could include these and create an additional reduction to the square Diffie-Hellman assumption (given g x , to compute g x 2 ), but for simplicity of our presentation we will not consider reflection attacks in this paper.
For all test sessions, at least one attack has to evaluate to true.Then, the adversary wins if he distinguishes the session keys from uniformly random keys which he obtains through queries to the Test oracle.

Definition 3. (Key Indistinguishability of AKE)
We define game IND-FS as in Figs. 5  and 6.A protocol AKE is (t, ε, μ, S, T, Q Cor )-IND-FS-secure if for all adversaries A attacking the protocol in time t with μ users, S sessions, T test queries and Q Cor corruptions, we have Note that if there exists a session which is neither fresh nor valid, the game outputs the bit b, which implies that Pr[IND-FS A ⇒ 1] = 1/2, giving the adversary an advantage equal to 0. This captures that an adversary will not gain any advantage by performing a trivial attack.

Verifiable Key Exchange Protocols
A key exchange protocol KE := (Init I , Der R , Der I ) can be run between two (unauthenticated) parties i and r , and can be visualized as in Fig. 4, but with differences where (1): parties do not hold any public key or private key, and (2): public and private keys in algorithms Init I , Der R , Der I are replaced with the corresponding users' (public) identities.
The standard signed Diffie-Hellman (DH) protocol can be viewed as a generic way to transform a passively secure key exchange protocol to an actively secure AKE protocol using digital signatures.Our tight transformation does not modify the construction of the signed DH protocol, but requires a security notion (i.e., One-Wayness against Honest and key Verification attacks, or OW-HV) that is (slightly) stronger than passive security: Namely, in addition to passive attacks, an adversary is allowed to check if a key corresponds to some honestly generated transcripts and to forward transcripts in a different order to create non-matching sessions.Here, we require that all the involved transcripts must be honestly generated by the security game and not by the adversary.This is formally defined by Definition 4 with security game OW-HV as in Fig. 7.

Definition 4. (One-Wayness against Honest and key Verification attacks (OW-HV))
A key exchange protocol KE is (t, ε, μ, S, Q V )-OW-HV secure, where μ is the number of users, S is the number of sessions and Q V is the number of calls to KVer, if for all adversaries A attacking the protocol in time at most t, we have

Pr[OW-HV
We require that a key exchange protocol KE has α bits of min-entropy, i.e., that for all messages m we have Pr[m = m ] ≤ 2 −α , where m is output by either Init I or Der R .

Example: Plain Diffie-Hellman Protocol
We show that the plain Diffie-Hellman (DH) protocol over prime-order group [19] is a OW-HV-secure key exchange under the strong computational DH (StCDH) assumption [1].We use our syntax to recall the original DH protocol KE DH in Fig. 8.
Let par = ( p, g, G) be a set of system parameters, where G := g is a cyclic group of prime order p.

Definition 5. (Strong CDH Assumption)
The strong CDH (StCDH) assumption is said to be (t, ε, Q Dh )-hard in par = ( p, g, G), if for all adversaries A running in time at most t and making at most Q Dh queries to the DH predicate oracle Dh a , we have: where the DH predicate oracle Dh a (C, D) outputs 1 if D = C a and 0 otherwise.

Lemma 1.
Let KE DH be the DH key exchange protocol as in Fig. 8. Then KE DH has α = log 2 p bits of min-entropy, and for every adversary A that breaks the (t, ε, μ, S, Q V )-OW-HV-security of KE DH , there is an adversary B that breaks the (t , ε , Q Dh )-StCDH  assumption with Proof.The min-entropy assertion is straightforward, as the DH protocol generates messages by drawing exponents x, y ← $ Z p uniformly as random.
We prove the rest of the lemma by constructing a reduction B which inputs the StCDH challenge (A, B) and is given access to the decisional oracle Dh a .B simulates the OW-HV security game for the adversary A, namely answers A's oracle access as in Fig. 9.More precisely, B uses the random self-reducibility of StCDH to simulate the whole security game, instead of using the Init I and Der R algorithms.The most relevant codes are highlighted with bold line numbers.
We show that B simulates the OW-HV game for A perfectly: -Since X generated in line 26 and Y generated in line 37 are uniformly random, the outputs of Session I and Session R are distributed as in the real protocol.Note that the output of Der I does not get modified.-For KVer(sID, K ), if K is a valid key that corresponds to session sID, then there must exist sessions sID 1 and sID 2 such that type[sID 1 ] = "In" (defined in line 24) and type[sID 2 ] = "Re" (defined in line 34) and where (defined in line 37).Thus, the output of KVer(sID, K ) is the same as that of Dh a (Y, K /Y α[sID 1 ] ).
Finally, A returns sID * ∈ [cnt S ] and a key K * .If A wins, then KVer(sID * , K * ) = 1 which means that there exists sessions sID 1 and sID 2 such that type[sID 1 ] = "In", type[sID 2 ] = "Re" and where . This means B breaks the StCDH with ) as in line 08, if A break the OW-HV of KE DH .Hence, ε = ε .The running time of B is the running time of A plus one exponentiation for every call to Session I and Session R , so we get t ≈ t .The number of calls to Dh a is the number of calls to KVer, plus one additional call to verify the adversary's forgery, and hence Group of Signed Quadratic Residues Our construction of a key exchange protocol in Fig. 8 is based on the StCDH assumption over a prime order group.Alternatively, we can instantiate our VKE protocol in a group of signed quadratic residues QR + N [27].As the StCDH assumption in QR + N groups is tightly implied by the factoring assumption (by [27, Theorem 2]), our VKE protocol is secure based on the classical factoring assumption.

Signed Diffie-Hellman, revisited
Following the definition in Sect.3, we want to construct a IND-FS-secure authenticated key exchange protocol AKE = (Gen AKE , Init I , Der I , Der R ) by combining a StCorrCMA-secure signature scheme SIG = (Gen, Sign, Ver), a OW-HV-secure key exchange protocol KE = (Init I , Der I , Der R ), and a random oracle H.The construction is given in Fig. 10, and follow the execution order from Fig. 4.
We now prove that this construction is in fact a secure AKE protocol.
Theorem 2. For every adversary A that breaks the (t, ε, μ, S, T, Q H , Q Cor )-IND-FSsecurity of a protocol AKE constructed as in Fig. 10, we can construct an adversary B against the (t , ε , μ, Q s , Q Cor )-StCorrCMA-security of a signature scheme SIG with α bits of key min-entropy, and an adversary C against the (t , ε , μ, S , Q V )-OW-HV security of a key exchange protocol KE with β bits of min-entropy, such that Proof.We will prove this by using the following hybrid games, which are illustrated in Fig. 11.
Game G 0 : This is the IND-FS security game for the protocol AKE.We assume that all long-term keys, and all messages output by Init I and Der R are distinct.If a collision happens, the game aborts.To bound the probability of this happening, we use that SIG has α bits of key min-entropy, and KE has β bits of min-entropy.We can upper bound the probability of a collision happening in the keys as μ 2 /2 α+1 for μ parties, and the probability of a collision happening in the messages as S 2 /2 β+1 for S sessions, as each session computes one message.Thus, we have

Pr[IND-FS
Game G 1 : In this game, when the oracles Der I and Session R try to derive a session key, they will abort if the input message does not correspond to a previously sent message, and the corresponding signature is valid w.r.t. an uncorrupted party (namely, A generates the message itself).This step is to exclude the active attacks where an adversary creates its own messages.An adversary cannot notice this change, since it requires the adversary to forge a signature on the underlying St-UF-CMA secure signature scheme.Later on, we will formally prove this.Moreover, this is the preparation step for reducing an IND-FS adversary of AKE to an OW-HV adversary of KE.Note that in this game we do not exclude all the non-matching Test sessions, but it is already enough for the "IND-FS-to-OW-HV" reduction.For instance, A can still force some responder session to be non-matching by reusing some of the previous initiator messages to query Session R , and then A uses the non-matching responder session to query Test.
The only way to distinguish G 0 and G 1 is to trigger the new abort event in either line 19 (i.e., AbortDer R ) or line 39 (i.e., AbortDer I ) of Fig. 11.We define the event AbortDer := AbortDer I ∨ AbortDer R and have that To bound this probability, we construct an adversary B against the (t , ε , μ, Q s , Q Cor )-StCorrCMA-security of SIG in Fig. 12.We note that AbortDer is true only if A performs attacks 5+6 in Table 2 which may lead to a session without any matching session.If AbortDer = true then is defined in lines 26 and 42 of Fig. 12 and is a valid StCorrCMA forge for SIG.We only show that for the case when AbortDer R = true here, and the argument is similar for the case when AbortDer I = true.Given that AbortDer R happens, we have that Ver(pk i , X, σ i ) = 1 and peerCorrupted[sID] = false.Due to the criteria in line 40, the pair (X, σ i ) has not been output by Session I on input (i, r ) for any r , and hence (i, X ) has never been queried to the Sign oracle.Therefore, B aborts A in the IND-FS game and returns (i, X, σ i ) to the StCorrCMA challenger to win the StCorrCMA game.Therefore, we have The running time of B is the same as that of A, plus the time used to run the key exchange algorithms Init I , Der R , Der I and the signature verification algorithm Ver.This gives t ≈ t.For the number of signature queries, we have Q s ≤ S, since Session R can abort before it queries the signature oracle, and the adversary can reuse messages output by Session I .For the number of corruptions, we have Game G 2 : Intuitively, since in G 1 an adversary A is not allowed to create its own message to attack the protocol, A can only use the honestly generated messages, but it may forward these messages in an different order.The OW-HV security of the underlying KE allows us to tightly prove that such an A cannot distinguish a real session key from a random one, which conclude our security proof.To formally prove it, in G 2 , Test oracle always returns a uniformly random key, independent on the bit b (Fig. 13).
Since we have excluded collisions in the messages output by the experiment, it is impossible to create two sessions of the same type that compute the same session key.Hence, an adversary must query the random oracle H on the correct input of a test session to detect the change between G 1 and G 2 (which is only in case b = 0).More precisely, we have Pr To bound Eq. ( 7), we construct an adversary C to (t , ε , μ, S , Q V )-break the OW-HV security of KE.The input to C is the number of parties μ, and system parameters par.In addition, C has access to oracles Session I , Session R , Der I and KVer.
We firstly show that the outputs of Session I , Session R and Der I (simulated by C) are distributed the same as in G 1 .Due to the abort conditions introduced in G 1 , for all sessions that has finished computing a key without making the game abort, their messages are honestly generated, although they may be in a different order and there are non-matching sessions.Hence, Session I , Session R and Der I can be perfectly simulated using Session I , Session R and Der I of the OW-HV game and the signing key.
It is also easy to see that the random oracle H simulated by C has the same output distribution as in G 1 .We stress that if line 66 is executed then adversary A may use the sID to distinguish G 2 and G 1 for b = 0, which is the only case for A to see the difference.At the same time, we obtain a valid attack := (sID, K * ) for the OW-HV security.Thus, we have As before, the running time of C is that of A, plus generating and verifying signatures, and we have t ≈ t.Furthermore, S = S, as the counter for the OW-HV game increases once for every call to Session I and Session R .
At last, for game G 2 we have Pr[G A 2 ⇒ 1] = 1 2 , as the response from the Test oracle is independent of the bit b.Summing up all the equations, we obtain

Security Model for Group Authenticated Key Exchange
We consider two-round broadcast group authenticated key exchange protocols that are executed interactively between μ > 2 parties.Each round corresponds to a messages broadcast.Formally, it is defined as GAKE = (Gen GAKE , Init, Res, Der) consisting of four algorithms.It is visualized as in Fig. 14.We denote the set of potential participants by P = (P 1 , . . ., P μ ).Before the protocol is executed for the first time, each party P i ∈ P runs the algorithm Gen GAKE (par) to generate his own long-term public and private keys (pk i , sk i ).
Our two-round GAKE protocol allows all parties in a group Q ⊆ P to establish a common secret key.For a party P i , we say that P i is the rest of the group from P i 's view, and we can write Q = {P i } ∪ P i .By a slight abuse of notation, we will often write j ∈ P i instead of P j ∈ P i .
In the first round, each party P i ∈ Q starts the session sID by the initialization algorithm Init(sk i , {pk j } j∈P i ) which outputs a message m i and a state st.The party P i broadcasts (i, m i ) and keeps the internal state st.
In the second round, let M i denote the set of all pairs ( j, m j ) received by P i in the first round.Then, each party P i ∈ Q executes the response algorithm Res(sk i , {pk j } j∈P i , st, M i ) to compute a message mi and an updated state st.As in the first round, P i broadcasts (i, mi ) and keeps the state st.
In the final phase, let Mi denote the set of all pairs ( j, m j ) received by party P i in the second round.To obtain the common group session key, each party P i can execute Der(sk i , {pk j } j∈P i , st, M i , Mi ) which outputs the key K.An illustration is given in Fig. 14.
Similar to our two-party key exchange protocol, our security game is written in pseudocode.In our model, GAKE achieves forward secrecy and has both the explicit authentication and implicit key confirmation properties.In the group key exchange setting, explicit authentication means entity authentication for every message transmitted in the sense that each party can explicitly confirm that the initial message is issued by the actual owner of the associated public key.Moreover, the key confirmation property is also implicit for our GAKE, where every party in a group Q is assured implicitly that all members of the group will have the same session key.The security game is given in Figs. 15 and 16.Our model can be viewed as a careful extension of our two-party model to μ parties.Moreover, we note that Poettering et al. [41] proposed a general framework for defining security of GAKE protocols.To the best of our knowledge, our model can be viewed as a specified use case of their framework.For instance, we do not consider Expose queries to reveal the local session-state.Execution environment.We consider μ parties P = (P 1 , . . ., P μ ) with long-term key pairs (pk i , sk i ), i ∈ [μ].For each group key exchange, each party in a group Q has their own session with a unique identification number sID, and variables which are defined relative to sID: -sKey[sID] denotes the session key.
Adversary model.Similar to the AKE security notion, we do not allow the adversary to register adversarially controlled parties by providing long-term public keys, and the adversary has access to oracles Corr and Reveal as described in Fig. 15.We use the following Boolean values to store which queries the adversary made: -corrupted[i] denotes whether the long-term secret key of party P i was given to the adversary.-revealed[sID] denotes whether the group session key was given to the adversary.
-peerCorrupted[sID] denotes whether one of the peers in the group was corrupted and its long-term key was given to the adversary at the time when the session key was derived.
Matching sessions.Extending the definition of matching sessions from the two-party case, we define matching sessions in the GAKE setting as follows.
-Matching Sessions: Two sessions sID i , sID j are matching if: As in the AKE setting, our protocols in the full GAKE model will use signatures, and hence any successful no-match attack as described in [35] will lead to a signature forgery.
Test session.The adversary is given access to the test oracle Test.This oracle can be queried multiple times and depending on a randomly chosen bit b ← $ {0, 1} (which is shared between all test queries), it outputs either a uniformly random key, or the specified session key.

Verifiable Group Key Exchange
To achieve tight security, we extend the verifiable key exchange from the two-party setting to μ-parties.As for the regular two party AKE, we construct our tightly secure group authenticated key exchange based on a verifiable (non-authenticated) group key exchange (GKE) that has One-Wayness against Honest and key Verification attacks (aka.OW-G-HV security).As in the two-party case, the adversary can perform passive attacks, or forward messages in a different order to create non-matching sessions, and check if a key corresponds to some honestly generated transcripts.We require that all the involved messages must be honestly generated by the security game and not by the adversary.A (non-authenticated) group key exchange (GKE) protocol consists of a tuple of algorithms GKE := (Init, Res, Der), where parties do not hold any public or private key and Init algorithms now take users' identities (i, P i ) as input.3 and checks if an allowed attack was performed.If the values of the variables are set as in the corresponding row, the attack was performed, i. e. attack = true, and thus the session is valid .
Table 3. Table of attacks for adversaries against explicitly authenticated group key exchange protocols without ephemeral state reveals.
An attack is regarded as an AND conjunction of variables with specified values as shown in the each line, where "-" means that this variable can take arbitrary value and F means "false" The OW-G-HV security is formally defined by Definition 6 with the security game OW-G-HV as in Fig. 17.Definition 6. (Group One-Wayness against Honest and Key Verification Attacks (OW-G-HV)) A group key exchange protocol GKE is (t, ε, μ, S, Q V )-OW-G-HVsecure where μ is the number of users, S is the number of sessions and Q V is the number of call to KVer, if for all adversaries A attacking the protocol in time at most t, we have: We require that a group key exchange protocol GKE has α-bits of min-entropy, namely if for all messages m we have Pr[m = m ] ≤ 2 −α , where m is output by either Init or Res.

Instantiation of OW-G-HV with Burmester-Desmedt
We show that the Burmester-Desmedt group key exchange protocol [12] is OW-G-HV secure.We begin by describing the protocol in our framework, and then prove its security based on the strong computational Diffie-Hellman assumption.
Let par = ( p, g, G) define a prime-order cyclic group G := g .We choose a group of users Q with |Q| = n, and order the participants as P 1 to P n in a cycle.Messages m i and mi are sent by P i .We then have P n+1 = P 1 , and for the messages m n+1 and mn+1 we have m n+1 = m 1 and mn+1 = m1 .
The Burmester-Desmedt protocol is described in Fig. 18, and for correctness we show that all parties compute the key Recall that for user i, we have st := r i .We define the following values: It then follows that for the key computed in line 06 of Fig. 18, we have Lemma 2. Let GKE BD be the Burmester-Desmedt group key exchange protocol as in Fig. 18.Then, GKE BD has α = log 2 p bits of min-entropy, and for every adversary A that breaks the (t, ε, μ, S, Q V )-security of GKE BD , there exists an adversary B which breaks the (t , ε , Q V )-security of StCDH with Proof.The entropy statement is again straightforward, since r i being drawn uniformly at random implies that both m i and mi are uniformly random as well.
We now construct a simulator B, which on input (g x , g y ) breaks the CDH assumption by simulating the OW-G-HV game to A.
To simulate Session I (i ∈ [μ], P i ⊆ [μ]), B proceeds as in Fig. 17, but instead of running the Init algorithm in line 10, it does the following: -if i is odd, B draws an element a i ← $ Z p and sets and returns m i := g x g a i -if i is even, B draws an element a i ← $ Z p and sets and returns m i := g y g a i .
All m i 's are uniformly distributed, exactly as in the original protocol.
To simulate Session R , note that B does not know the discrete logarithm of m i 's, but it can compute mi in the following way: If i is even, B computes mi := m a i+1 −a i−1 i , since we have Simulation of mi for odd i is similar.Equation (10) shows that the simulated mi are distributed the same as in the real distribution.
To simulate Der, B follows the steps in Fig. 17, but skips the key derivation in line 34 and leaves the corresponding session key empty.Since there are no session-key-reveal oracles in this game, A will not notice this and the simulation is perfect from A's viewpoint.
To simulate the KVer oracle on input (sID, K ), for readability, we label r i := x + a i for odd i and r i := y + a i for even i and m i = g r i for all i.Recall that the derived session key in GKE BD is K = g r 1 r 2 +r 2 r 3 +•••r n−1 r n +r n r 1 .We then write for odd i, and for even i.Note that all a i 's are known.If K is valid for an sID, we have g xy (g x ) a i+1 (g y ) a i g a i a i+1 1≤i≤n i≡0 mod 2 g xy (g x ) a i (g y ) a i+1 g a i a i+1 = g nx y g n i=1 a i a i+1 1≤i≤n i≡1 mod 2 This implies that we can compute If K is valid for an sID, we have K = g xy .Hence, B queries Dh x g y , K to verify the key, and returns the answer.This completes the simulation.
If A is able to compute a valid session key, then B wins the StCDH game, and hence ε ≤ ε .The running time of B is that of A plus one exponentiation for each Session I and Session R call, and 6 exponentiations and one inversion (disregarding the inversion of n, which is essentially free) for each call to KVer, since we can sum the various exponents together before we perform the exponentiations in the denominator.The total number as we get one additional call to KVer when we verify the adversaries forgery.This completes the lemma.

Our Generic Transformation for GAKE
Following the construction from Sect. 5, we construct an IND-G-FS-secure authenticated group key exchange protocol GAKE = (Gen GAKE , Init, Res, Der) by combining a StCorrCMA-secure signature scheme SIG = (Gen, Sign, Ver), an OW-G-HVsecure group key exchange protocol GKE = (Init , Res , Der ), and a random oracle H.The construction is given in Fig. 19 Theorem 3.For every adversary A that breaks the (t, ε, μ, S, Q H , Q Cor )-IND-G-FS security of a protocol GAKE constructed as in Fig. 19, we can construct an adversary B that breaks the (t , ε , μ, Q s , Q H , Q Cor )-StCorrCMA security of the underlying signature scheme SIG with α bits of key min-entropy, or breaks the (t , ε , μ, S , Q V )-OW-G-HV security of the underlying key exchange protocol with β bits of min-entropy, such that Proof.We will prove this by using the following hybrid games, which are illustrated in Fig. 20.
Game G 0 : This is the original IND-G-FS for the protocol GAKE.We assume that all long-term keys, and all messages generated by Init and Res are distinct.The security game aborts if a collision happens.Using the fact that SIG has α-bits of key min-entropy and GKE has β-bits of message min-entropy, a collision in the keys happens with probability at most μ 2 /2 α+1 , and a collision in the messages happens with probability at most S 2 /2 β+1 .Here, μ is the number of users and S is the number of sessions.Thus, we have: Game G 1 : In this game, Session R and Der abort upon input a session id and a message set which do not correspond to a previously broadcast message set (i.e.all messages are honestly generated by using the given oracles; however, there may still be non-matching sessions), and all signatures with respect to each non-corrupted party in the group are valid.This step is to exclude the active attacks where an adversary creates its own message.This change is unnoticed by the adversary, since it requires him to forge at least one valid signature for the underlying StCorrCMA secure signature scheme.We will give a formal proof of the indistinguishability of G 0 and G 1 in Lemma 3. We denote the abort event as AbortGAKE := AbortSessR∪AbortDer, where AbortSessR and AbortDer correspond to the aborting event in line line 29 and line 47 of Fig. 20, respectively.
Since the only difference between G 0 and G 1 is the aborting events AbortGAKE, using Lemma 3 we have Game G 2 : Intuitively, since in G 1 an adversary A is not allowed to create its own message for active attacks against the protocol, A can either observe the protocol execution or forward the honestly generated messages in a different order.We will use the OW-G-HV security to tightly argue the indistinguishability of a real session key and a uniformly random one.Formally in G 2 , the Test oracle always returns a uniformly random key, independent on the bit b.Since we already in G 0 assume that all messages generated by Init and Res are distinct, and we are in the random oracle model, the only way for A to compute a valid session key K is to query the correct input.Therefore, by Lemma 4 we can reduce the difference between G 2 and G 1 to the OW-G-HV security of GKE, and we have In summary, we have Lemma 3.For every adversary A running in time t 0,1 that distinguishes G 0 from G 1 with probability ε 0,1 , we can construct an adversary B against the (t , ε , μ, Q H , Q Cor )-StCorrCMA security of the underlying signature scheme SIG, where Proof.The only difference between G 0 and G 1 is the aborting events AbortSessR and AbortDer.To bound the probability of these, we build an adversary B against the StCorrCMA of the underlying signature scheme SIG as in Fig. 21.The adversary will successfully generate a valid forgery if and only if AbortSessR or AbortDer happens.More precisely, if AbortGAKE is true, then the signatures in line 31 and in line 54 of Fig. 21 are valid forgeries against the CorrCMA security of SIG.Here, we only prove the case where AbortSessR = true.The other case where AbortDer = true follows the same idea.Given the fact that AbortSessR happens, we have that for all j ∈ P, Ver(pk j , m j , σ j ) = 1 and peerCorrupted[sID] = false.Moreover, due to the criteria of line 30, there exists j * ∈ P such that ( j * , (m j * , σ j * )) has never been output by Session I .Therefore, (m j * , σ j * ) is a valid forgery against the CorrCMA security of Similarly, we also have Pr[AbortDer] ≤ ε .Overall, we have Lemma 4. For every PPT adversary A running in time t 1,2 that distinguishes G 1 from G 2 with probability ε 1,2 , we can construct an adversary B against (t , ε , μ, S , Q V )-OW-G-HV security of the underlying group key exchange protocol, where Proof.Notice that when b = 1, the Test oracle always returns a uniformly random key in both G 2 and G 1 ; therefore, the only difference between G 2 and G 1 occurs when

Appendices A Security of Schnorr in the Generic Group Model
We show the StCorrCMA security of Schnorr's signature scheme in the generic group model (GGM) which has been formally stated in Theorem 1.This section also gives a proof of the theorem.We proceed as follows: Firstly, we propose a variant of the IDLOG assumption [32], CorrIDLOG, by introducing an additional corruption oracle.Secondly, by using a slightly different version of [32, Lemma 5.8], we prove that Schnorr's signature is tightly StCorrCMA-secure based on the CorrIDLOG assumption.Finally, we prove the hardness of CorrIDLOG.
Note that in [32] it has been proven that IDLOG tightly implies the multiuser security of Schnorr without corruptions, which does not necessary give us tight multiuser security with corruptions.However, our new CorrIDLOG assumption tightly implies the multiuser security of Schnorr with corruptions.We believe that our CorrIDLOG assumption is of independent interest.
Let par = ( p, g, G) be a set of system parameters.The CorrIDLOG assumption is defined as follow: where on the j-th challenge query Ch(R j ∈ G) ( j ∈ [Q Ch ]) Ch returns h j ← $ Z p to A, and on a corruption query Dl(i) for i ∈ [μ], Dl returns x i to A and adds i into the corruption list L C (namely, L C := L C ∪ {i}).
Before proving the hardness of CorrIDLOG in the GGM, Lemma 5 shows that CorrIDLOG tightly implies the StCorrCMA security of Schnorr in the random oracle model (without using the GGM).Note that this lemma does not contradict the impossibility result of [22], since our assumption is interactive.In fact, following the framework in [32, Section 3], one can easily prove that the standard DLOG assumption non-tightly implies the CorrIDLOG assumption in the standard model.
Proof.This proof is straightforward by [32], but for completeness we prove it in details here.Let A be an adversary against StCorrCMA security.We construct B against CorrIDLOG (Fig. 23).Firstly, we argue that B perfectly simulates the experiment StCorrCMA unless B aborts in line 14, namely (R, m) collides with a previous hash query.Since R is distributed uniformly at random, by the union bound the probability that B aborts in line 14 is bounded by Q H Q s / p.Secondly, we show that B's forgery s * is a valid CorrIDLOG forgery.Given the (h * , s * ) from A, we have R * = g s * • X −h * i * and Hash(R * , m * ) = h * .We make our argument in the following steps: 1.With high probability, there exists ((R * , m * ), h * ) ∈ L H . Otherwise, it means A was able to guess the hash value of (R * , m * ) without querying Hash.This event is bounded by 1/ p.

A.1 Generic Hardness of CorrIDLOG
Generic Group Model.In the GGM for prime-order groups G [37,45], operations in G can only be carried out via black-box access to the group oracle O G (•, •), and adversaries only get non-random handles of the group elements.Since groups (G, •) and (Z p , +) are isomorphic, every element in G is internally identified as a Z p element.To consistently simulate the group operations, the simulator maintains a list L G internally and a counter cnt that keeps track of the number of entries in L G .L G contains entries of the form (z(x), C z ), where z(x) ∈ Z p [x] represents a group element and the positive integer C z is its counter.We assume A can make at most Q G queries to O G .Lemma 6.For any adversary A that (t, ε, μ, Q Ch , Q Dl )-breaks the CorrIDLOG assumption, we have We recall the Schwartz-Zippel Lemma that is useful for proving Lemma 6.
Lemma 7. (Schwartz-Zippel Lemma) Let f (x 1 , . . ., x n ) be a nonzero multivariant polynomial of maximum degree d ≥ 0 over a field F. Let S be a finite subset of F and a 1 , . . ., a n be chosen uniformly at random from S. Then, we have Proof of Lemma 6.A is an adversary against the CorrIDLOG assumption.B is simulator that simulates the CorrIDLOG security game in the GGM and interacts with A. The simulation is described in Fig. 24 B simulates the CorrIDLOG game in a symbolic way using degree-1 polynomials.The internal list L G stores the entries of the form ( f (x), C f (x) ), where f (x) ∈ Z p [x 1 , . . ., x μ ] is a degree-1 polynomial and C f (x) ∈ N identifies which entry it is.B also keeps track of the size of L G by cnt.After A outputs an attack, all the variables (x 1 . . .x μ ) will be assigned a value (a 1 , . . ., a μ ) ← $ Z μ p chosen uniformly at random.We remark that B perfectly simulates the CorrIDLOG security game in the GGM if none of the distinct polynomials z i and z j stored in L G collide when evaluating on the random vector a over Z p .Applying the union bound over all pairs of distinct polynomials in L G , we have: where the factor 1 p comes from Lemma 7 and the fact that L G contains only degree-1 polynomials and (a 1 , . . ., a μ ) is chosen uniformly at random from Z μ p .We give an upper bound of the success probability of A as follows: The second term

Fig. 3 .
Fig. 3. StCorrCMA security game for a signature scheme SIG.A has access to the oracles O := {Sign, Corr} .

Fig. 4 .
Fig. 4. Running an authenticated key exchange protocol between two parties .

Fig. 5 .
Fig. 5. Game IND-FS for AKE.A has access to oracles O := {Session I , Session R , Der I , Reveal, Corr, Test}.Helper procedures Fresh and Valid are defined in Fig.6.If there exists any test session which is neither fresh nor valid, the game will return b .
Matching Session: Two sessions sID and sID match if the same parties are involved (init[sID] = init[sID ] and resp[sID] = resp[sID ]), the messages sent and received are the same (Msg I [sID] = Msg I [sID ] and Msg R [sID] = Msg R [sID ]) and they are of different types (type[sID] = type[sID ]).

Fig. 9 .
Fig. 9. Reduction B that breaks the StCDH assumption and simulates the OW-HV game for A, when A = g a and B = g b for some unknown a and b .

Fig. 10 .
Fig. 10.Generic construction of AKE from SIG, KE and a random oracle H .

Fig. 11 .
Fig. 11.Games G 0 -G 2 .A has access to oracles O := {Session I , Session R , Der I , Reveal, Corr, Test}, where Reveal and Corr are simulated as in the original IND-FS game in Fig.5.Game G 0 implicitly assumes that there is no collision between long term keys or messages output by the experiment .

Fig. 12 .
Fig. 12. Adversary B against the (t , ε , μ, Q s , Q Cor )-StCorrCMA-security of SIG.The StCorrCMA game provides oracles Sign , Corr .The adversary A has access to oracles O := {Session I , Session R , Der I , Reveal, Corr, Test, H}, where Reveal and Test remain the same as in Fig. 4. We highlight the most relevant codes with bold line numbers .

Fig. 13 .
Fig. 13.Reduction C against the (t , ε , μ, S , Q V )-OW-HV-security of KE.The OW-HV game provides oracles O := {Session I , Session R , Der I , KVer}.The adversary A has access to oracles O := {Session I , Session R , Der I , Reveal, Corr, Test, H}, where Reveal, Corr and Test are defined as in G 2 of Fig. 11.We highlight the most relevant codes with bold line numbers.The center dot '•' in this figure means arbitrary value .

Fig. 14 .
Fig.14.Illustration of running a group authenticated key exchange from party P i 's point of view.All messages are broadcast to all parties, and every party runs all the algorithms .

Fig. 15 .
Fig. 15.Game IND-G-FS for GAKE.The number of messages in the set M i is denoted by |M i |, and |P i | denotes the number of parties in P i .

-
owner[sID] ∈ [μ] denotes the owner of the session.-peer[sID] ⊆ [μ] denotes the peers of the session.-Q[sID] denotes all the participants of the session.-Msg I [sID] denotes the message sent by the owner during the first round.-M[sID] denotes the messages received by the owner during the first round.-Msg R [sID] denotes the message sent by the owner during the second round.-M[sID] denotes the messages received by the owner during the second round.-state[sID] denotes the (secret) state information i.e. ephemeral secret keys.

Fig. 16 .
Fig. 16.Helper procedures Fresh and Valid for game IND-G-FS defined in Fig.15.Procedure Fresh checks if the adversary performed some trivial attack.In procedure Valid, each attack is evaluated by the set of variables shown in Table3and checks if an allowed attack was performed.If the values of the variables are set as in the corresponding row, the attack was performed, i. e. attack = true, and thus the session is valid .

Fig. 19 .
Fig. 19.Generic construction of GAKE from SIG, GKE and a random oracle H . of

Fig. 21 .
Fig. 21.Adversary B against the (t , ε , μ, Q s , Q Cor )-StCorrCMA of SIG.The StCorrCMA game provides oracles Sign , Corr .The adversary A has access to oracles o := {Session I , Session R , Der, Reveal, Corr, Test, H}, where Reveal and Test remain the same as in Fig. 15.We highlight the most relevant codes with bold line numbers .

2 .
If ((R * , m * ), h * ) was added to L H by the signing oracle Sign, then Sign must have chosen an s such thatg s • X −h * i * = R * = g s * • X −h *i * , which means s = s * .However, if (h * , s * ) from A is a valid StCorrCMA forgery, then s = s * cannot happen.

3 .
Now ((R * , m * ), h * ) can only be added to L H by the hashing oracle Hash.This is equivalent toR * = R j and h * = h j for some j ∈ [Q G ]. Thus g s * = R * • X h * i * = R j • X h j i * ,and s * is a valid attack in the CorrIDLOG security game.This concludes the proof of Lemma 5. Combining Lemma 5 and Lemma 6 (namely, the generic hardness of CorrIDLOG), we can conclude the StCorrCMA security of Schnorr's signature in Theorem 1.

Fig. 24 .
Fig. 24.B simulates the CorrIDLOG security game in the GGM and interacts with A. The adversary A has access to the oracles O := (O G , Chall, Dl) .

Table 2 .
Distilled table of attacks for adversaries against explicitly authenticated two-message protocols without ephemeral state reveals.An attack is regarded as an AND conjunction of variables with specified values as shown in the each line, where "-" means that this variable can take arbitrary value and F means "false" Definition 7. (CorrIDLOG) The CorrIDLOG problem is (t, ε, μ, Q Ch , Q Dl )-hard in par, iffor all adversaries A interacting with μ users, running in time at most t and making at most Q Ch queries to the challenge oracle Ch and Q Dl queries to the corruption oracle Dl, we have: