
Strongly secure authenticated key exchange from factoring, codes, and lattices

Published in Designs, Codes and Cryptography

Abstract

An unresolved problem in research on authenticated key exchange (AKE) in the public-key setting is to construct a protocol that is secure against advanced attacks such as key compromise impersonation and maximal exposure attacks without relying on random oracles. HMQV, a state of the art AKE protocol, achieves both efficiency and the strong security proposed by Krawczyk (we call it the \({\mathrm {CK}}^+\) model), which includes resistance to advanced attacks. However, its security proof is given in the random oracle model. We propose a generic construction of AKE from a key encapsulation mechanism (KEM). The construction is based on a chosen-ciphertext secure KEM, and the resultant AKE protocol is \({\mathrm {CK}}^+\) secure in the standard model. The construction gives the first \({\mathrm {CK}}^+\) secure AKE protocols based on the hardness of the integer factorization problem, code-based problems, or learning with errors problems. In addition, instantiations under the Diffie–Hellman assumption or its variants can be proved to have strong security without non-standard assumptions such as \(\pi \)PRF and KEA1. Furthermore, we extend the \({\mathrm {CK}}^+\) model to the identity-based setting (called the \({\hbox {id-CK}^+}\) model), and propose a generic construction of identity-based AKE (ID-AKE) based on identity-based KEM, which satisfies \({\hbox {id-CK}^+}\) security. The construction leads to the first strongly secure ID-AKE protocols under the hardness of the integer factorization problem or learning with errors problems.


Notes

  1. HMQV does not provide full perfect forward secrecy (fPFS), which is the same as wPFS except that the adversary can modify messages of the target session. Some schemes [14, 25, 26, 32, 40, 63] have achieved fPFS. However, the schemes [32, 40] are clearly vulnerable to MEX; that is, the session key is computable if an adversary obtains an ephemeral secret key of the parties in the target session. The schemes [14, 25, 26] are resilient to MEX, but their security is proved in the random oracle model. The other scheme [63] limits instantiations to DH-based ones. Upgrading wPFS to fPFS is not that difficult; it can be done by simply adding a MAC or a signature of the ephemeral public keys. Thus, we do not discuss fPFS in this paper.

  2. Static public keys must be known to both parties in advance. They can be obtained by exchanging them before starting the protocol or by receiving them from a certificate authority. This situation is common for all PKI-based AKE schemes.

  3. A similar trick is used in the Okamoto AKE scheme [56].

  4. Actually, \(F_{{\sigma _A}}(r_{A}) \oplus F_{r'_{A}}'(\sigma _A')\) can be replaced with \(F_{{\sigma _A}}(r_{A}) \oplus F_{r'_{A}}'(1^\kappa )\). This modification has no influence on the security proof.

  5. The BCGNP construction with an additional exchange of a DH value (called Protocol 2 in [12, 13]) can be proved secure in the CK model, and it satisfies wPFS and resistance to KCI. We can extend the security of Protocol 2 to \({\mathrm {CK}}^+\) security with the twisted PRF trick. If the IND-CPA KEM in \({\mathsf {GC}}\) is instantiated with the ElGamal KEM, our scheme is the same as Protocol 2 with the twisted PRF trick. Thus, our scheme can also be seen as a generalization of the BCGNP construction.

  6. The hardness of the (ring-)LWE problems is reduced to the worst-case hardness of (ideal) lattice problems.

References

  1. Agrawal S., Boneh D., Boyen X.: Efficient lattice (H)IBE in the standard model. In: EUROCRYPT 2010, pp. 553–572 (2010).

  2. Agrawal S., Boneh D., Boyen X.: Lattice basis delegation in fixed dimension and shorter-ciphertext hierarchical IBE. In: CRYPTO 2010, pp. 98–115 (2010).

  3. Ajtai M.: Generating hard instances of lattice problems (extended abstract). In: STOC 1996, pp. 99–108 (1996).

  4. Banerjee A., Peikert C., Rosen A.: Pseudorandom functions and lattices. In: EUROCRYPT 2012, pp. 719–737 (2012).

  5. Bellare M., Rogaway P.: Entity authentication and key distribution. In: CRYPTO 1993, pp. 232–249 (1993).

  6. Bernstein D.J., Lange T., Peters C.: Wild McEliece. In: SAC 2010, pp. 143–158 (2010).

  7. Bernstein D.J., Lange T., Peters C.: Smaller decoding exponents: ball-collision decoding. In: CRYPTO 2011, pp. 743–760 (2011).

  8. Boneh D., Boyen X.: Efficient selective-ID secure identity-based encryption without random oracles. In: EUROCRYPT 2004, pp. 223–238 (2004). See also Cryptology ePrint Archive-2004/172.

  9. Boneh D., Boyen X., Shacham H.: Short group signatures. In: CRYPTO 2004, pp. 41–55 (2004).

  10. Boneh D., Canetti R., Halevi S., Katz J.: Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007).


  11. Boneh D., Franklin M.K.: Identity-based encryption from the Weil pairing. In: CRYPTO 2001, pp. 213–229 (2001).

  12. Boyd C., Cliff Y., González Nieto J.M., Paterson K.G.: Efficient one-round key exchange in the standard model. In: ACISP 2008, pp. 69–83 (2008).

  13. Boyd C., Cliff Y., González Nieto J.M., Paterson K.G.: One-round key exchange in the standard model. Int. J. Appl. Cryptogr. 1(3), 181–199 (2009).

  14. Boyd C., González Nieto J.M.: On forward secrecy in one-round key exchange. In: IMA Int. Conf. 2011, pp. 451–468 (2011).

  15. Boyen X., Mei Q., Waters B.: Direct chosen ciphertext security from identity-based techniques. In: ACM Conference on Computer and Communications Security 2005, pp. 320–329 (2005).

  16. Canetti R., Goldreich O., Halevi S.: The random oracle methodology, revisited (preliminary version). In: STOC 1998, pp. 131–140 (1998).

  17. Canetti R., Krawczyk H.: Analysis of key-exchange protocols and their use for building secure channels. In: EUROCRYPT 2001, pp. 453–474 (2001).

  18. Cash D., Hofheinz D., Kiltz E., Peikert C.: Bonsai trees, or how to delegate a lattice basis. In: EUROCRYPT 2010, pp. 523–552 (2010).

  19. Chen L., Cheng Z., Smart N.P.: Identity-based key agreement protocols from pairings. Int. J. Inf. Secur. 6(4), 213–241 (2007).


  20. Chevallier-Mames B., Joye M.: Chosen-ciphertext secure RSA-type cryptosystems. In: ProvSec 2009, pp. 32–46 (2009).

  21. Cramer R., Shoup V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: CRYPTO 1998, pp. 13–25 (1998).

  22. Cramer R., Shoup V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33, 167–226 (2004).


  23. Cremers C.J.F.: Session-state reveal is stronger than ephemeral key reveal: attacking the NAXOS authenticated key exchange protocol. In: ACNS 2009, pp. 20–33 (2009).

  24. Cremers C.J.F.: Examining indistinguishability-based security models for key exchange protocols: the case of CK, CK-HMQV, and eCK. In: ASIACCS 2011, pp. 80–91 (2011).

  25. Cremers C.J.F., Feltz M.: One-round strongly secure key exchange with perfect forward secrecy and deniability. In: Cryptology ePrint Archive: 2011/300 (2011).

  26. Cremers C.J.F., Feltz M.: Beyond eCK: perfect forward secrecy under actor compromise and ephemeral-key reveal. In: ESORICS 2012, pp. 734–751 (2012).

  27. Dachman-Soled D., Gennaro R., Krawczyk H., Malkin T.: Computational extractors and pseudorandomness. In: TCC 2012, pp. 383–403 (2012).

  28. Damgård I.: Towards practical public key systems secure against chosen ciphertext attacks. In: CRYPTO 1991, pp. 445–456 (1991).

  29. Dowsley R., Müller-Quade J., Nascimento A.C.A.: A CCA2 secure public key encryption scheme based on the McEliece assumptions in the standard model. In: CT-RSA 2009, pp. 240–251 (2009).

  30. Fiore D., Gennaro R.: Making the Diffie–Hellman protocol identity-based. In: CT-RSA 2010, pp. 165–178 (2010).

  31. Fujioka A., Suzuki K., Ustaoglu B.: Ephemeral key leakage resilient and efficient ID-AKEs that can share identities, private and master keys. In: Pairing 2010, pp. 187–205 (2010).

  32. Gennaro R., Krawczyk H., Rabin T.: Okamoto-Tanaka revisited: fully authenticated Diffie–Hellman with minimal overhead. In: ACNS 2010, pp. 309–328 (2010).

  33. Gennaro R., Shoup V.: A note on an encryption scheme of Kurosawa and Desmedt. In: Cryptology ePrint Archive: 2004/194 (2004).

  34. Gorantla M.C., Boyd C., González Nieto J.M., Manulis M.: Generic one round group key exchange in the standard model. In: ICISC 2009, pp. 1–15 (2009).

  35. Hanaoka G., Kurosawa K.: Efficient chosen ciphertext secure public key encryption under the computational Diffie–Hellman assumption. In: ASIACRYPT 2008, pp. 308–325 (2008).

  36. Haralambiev K., Jager T., Kiltz E., Shoup V.: Simple and efficient public-key encryption from computational Diffie–Hellman in the standard model. In: Public Key Cryptography 2010, pp. 1–18 (2010).

  37. Hofheinz D., Kiltz E.: Practical chosen ciphertext secure encryption from factoring. In: EUROCRYPT 2009, pp. 313–332 (2009).

  38. Hofheinz D., Kiltz E.: The group of signed quadratic residues and applications. In: CRYPTO 2009, pp. 637–653 (2009).

  39. Huang H., Cao Z.: An ID-based authenticated key exchange protocol based on bilinear Diffie–Hellman problem. In: ASIACCS 2009, pp. 333–342 (2009).

  40. Jeong I.R., Katz J., Lee D.H.: One-round protocols for two-party authenticated key exchange. In: ACNS 2004, pp. 220–232 (2004).

  41. Kiltz E.: Chosen-ciphertext secure key-encapsulation based on gap hashed Diffie–Hellman. In: Public Key Cryptography 2007, pp. 282–297 (2007).

  42. Kiltz E., Mohassel P., O’Neill A.: Adaptive trapdoor functions and chosen-ciphertext security. In: EUROCRYPT 2010, pp. 673–692 (2010).

  43. Krawczyk H.: HMQV: A high-performance secure Diffie–Hellman protocol. In: CRYPTO 2005, pp. 546–566 (2005).

  44. Krawczyk H.: Cryptographic extraction and key derivation: The HKDF Scheme. In: CRYPTO 2010, pp. 631–648 (2010).

  45. Kurosawa K., Desmedt Y.: A new paradigm of hybrid encryption scheme. In: CRYPTO 2004, pp. 426–442 (2004).

  46. LaMacchia B.A., Lauter K., Mityagin A.: Stronger security of authenticated key exchange. In: ProvSec 2007, pp. 1–16 (2007).

  47. Langlois A., Stehlé D.: Hardness of decision (R)LWE for any modulus. In: Cryptology ePrint Archive: 2012/091 (2012).

  48. Lyubashevsky V., Micciancio D.: Generalized compact knapsacks are collision resistant. In: ICALP (2) 2006, pp. 144–155 (2006).

  49. Lyubashevsky V., Peikert C., Regev O.: On ideal lattices and learning with errors over rings. In: EUROCRYPT 2010, pp. 1–23 (2010).

  50. McEliece R.J.: A public-key cryptosystem based on algebraic coding theory. In: Deep Space Network Progress Report (1978).

  51. Mei Q., Li B., Lu X., Jia D.: Chosen ciphertext secure encryption under factoring assumption revisited. In: Public Key Cryptography 2011, pp. 210–227 (2011).

  52. Micciancio D., Peikert C.: Trapdoors for lattices: simpler, tighter, faster, smaller. In: EUROCRYPT 2012, pp. 700–718 (2012).

  53. Micciancio D., Regev O.: Worst-case to average-case reductions based on Gaussian measures. SIAM J. Comput. 37(1), 267–302 (2007).


  54. Naor M.: On cryptographic assumptions and challenges. In: CRYPTO 2003, pp. 96–109 (2003).

  55. Nojima R., Imai H., Kobara K., Morozov K.: Semantic security for the McEliece cryptosystem without random oracles. Des. Codes Cryptogr. 49(1–3), 289–305 (2008).


  56. Okamoto T.: Authenticated key exchange and key encapsulation in the standard model. In: ASIACRYPT 2007, pp. 474–484 (2007).

  57. Peikert C.: Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In: STOC 2009, pp. 333–342 (2009).

  58. Peikert C., Rosen A.: Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices. In: TCC 2006, pp. 145–166 (2006).

  59. Peikert C., Waters B.: Lossy trapdoor functions and their applications. In: STOC 2008, pp. 187–196 (2008).

  60. Regev O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 139–160 (2009).


  61. Sarr A.P., Elbaz-Vincent P., Bajard J.C.: A new security model for authenticated key agreement. In: SCN 2010, pp. 219–234 (2010).

  62. Stehlé D., Steinfeld R., Tanaka K., Xagawa K.: Efficient public key encryption based on ideal lattices. In: ASIACRYPT 2009, pp. 617–635 (2009).

  63. Yoneyama K.: One-round authenticated key exchange with strong forward secrecy in the standard model against constrained adversary. In: IWSEC 2012, pp. 69–86 (2012).

  64. Yoneyama K.: Generic construction of two-party round-optimal attribute-based authenticated key exchange without random oracles. IEICE Trans. 96A(6), 1112–1123 (2013).


  65. Yoneyama K.: One-round authenticated key exchange with strong forward secrecy in the standard model against constrained adversary. IEICE Trans. 96A(6), 1124–1138 (2013).



Correspondence to Kazuki Yoneyama.

Additional information

Communicated by K. Matsuura.

Appendices

Appendix 1: Proof of Theorem 1

In the experiment of \({\mathrm {CK}}^+\) security, we suppose that \(\mathsf {sid}^*\) is the session identity for the test session, and that there are \(N\) users and at most \(\ell \) sessions are activated. Let \(\kappa \) be the security parameter, and let \(\mathcal {A}\) be a PPT (in \(\kappa \)) bounded adversary. \(Suc\) denotes the event that \(\mathcal {A}\) wins. We consider the following events that cover all cases of the behavior of \(\mathcal {A}\).

  • Let \(E_1\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the initiator and the static secret key of the initiator is given to \(\mathcal {A}\).

  • Let \(E_2\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the initiator and the ephemeral secret key of \(\mathsf {sid}^*\) is given to \(\mathcal {A}\).

  • Let \(E_3\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the responder and the static secret key of the responder is given to \(\mathcal {A}\).

  • Let \(E_4\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the responder and the ephemeral secret key of \(\mathsf {sid}^*\) is given to \(\mathcal {A}\).

  • Let \(E_5\) be the event that the test session \(\mathsf {sid}^*\) has a matching session \(\overline{\mathsf {sid}}^*\), and both static secret keys of the initiator and the responder are given to \(\mathcal {A}\).

  • Let \(E_6\) be the event that the test session \(\mathsf {sid}^*\) has a matching session \(\overline{\mathsf {sid}}^*\), and both ephemeral secret keys of \(\mathsf {sid}^*\) and \(\overline{\mathsf {sid}}^*\) are given to \(\mathcal {A}\).

  • Let \(E_7\) be the event that the test session \(\mathsf {sid}^*\) has a matching session \(\overline{\mathsf {sid}}^*\), and the static secret key of the owner of \(\mathsf {sid}^*\) and the ephemeral secret key of \(\overline{\mathsf {sid}}^*\) are given to \(\mathcal {A}\).

  • Let \(E_8\) be the event that the test session \(\mathsf {sid}^*\) has a matching session \(\overline{\mathsf {sid}}^*\), and the ephemeral secret key of \(\mathsf {sid}^*\) and the static secret key of the owner of \(\overline{\mathsf {sid}}^*\) are given to \(\mathcal {A}\).

To finish the proof, we investigate events \(E_{i} \wedge Suc\,(i=1,\dots ,8)\) that cover all cases of event \(Suc\).

Appendix 1.1: Event \(E_{1} \wedge Suc\)

We change the interface of oracle queries and the computation of the session key. These instances are gradually changed over seven hybrid experiments, depending on specific sub-cases. In the last hybrid experiment, the session key in the test session contains no information about the bit \(b\). Thus, the adversary can clearly only output a random guess. We denote these hybrid experiments by \(\mathbf{H}_0, \dots , \mathbf{H}_6\) and the advantage of the adversary \(\mathcal {A}\) when participating in experiment \(\mathbf{H}_i\) by \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_i)\).

Hybrid experiment \(\mathbf{H}_0\): This experiment denotes the real experiment for \({\mathrm {CK}}^+\) security and in this experiment the environment for \(\mathcal {A}\) is as defined in the protocol. Thus, \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_0)\) is the same as the advantage of the real experiment.

Hybrid experiment \(\mathbf{H}_1\): In this experiment, if session identities in two sessions are identical, the experiment halts.

When two ciphertexts from different randomness are identical and two public keys from different randomness are identical, session identities in two sessions are also identical. In the IND-CCA secure KEM, such an event occurs with negligible probability. Thus, \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_1) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_0)| \le negl\).

Hybrid experiment \(\mathbf{H}_2\): In this experiment, the experiment selects a party \(U_A\) and an integer \(i \in [1,\ell ]\) randomly in advance. If \(\mathcal {A}\) poses the \(\mathsf {Test}\) query to a session other than the \(i\)-th session of \(U_A\), the experiment halts.

Since the guess of the test session matches \(\mathcal {A}\)’s choice with probability \(1/N^2\ell \), \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_2) \ge 1/N^2\ell \cdot {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_1)\).

Hybrid experiment \(\mathbf{H}_3\): In this experiment, the computation of \((CT^*_{A},K^*_{A})\) in the test session is changed. Instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\), it is changed as \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus RF(\sigma _A'))\), where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.

We construct a distinguisher \(\mathcal {D}\) between PRF \(F^* : \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\) and a random function \(RF\) from \(\mathcal {A}\) in \(\mathbf{H}_2\) or \(\mathbf{H}_3\). \(\mathcal {D}\) performs the following steps.

Setup \(\mathcal {D}\) chooses PRF \(F : \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\hbox { and }G : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \), where \(\mathcal {FS}\) is the key space of PRFs, and a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). Also, \(\mathcal {D}\) embeds \(F^*\) into \(F'\). These are provided as a part of the public parameters. Also, \(\mathcal {D}\) sets all \(N\) users’ static secret and public keys. \(\mathcal {D}\) selects \(\sigma _P \in _R \mathcal {FS},\,\sigma _P' \in _R \{0,1\}^\kappa \hbox { and }r \in _R \mathcal {RS}_G\), and runs \((ek_{P}, dk_{P}) \leftarrow \mathsf {KeyGen}(1^\kappa , r)\). Party \(U_P\)’s SSK and SPK are \(((dk_{P}, \sigma _P, \sigma _P'),ek_{P})\). \(U_A\)’s static key \((dk_{A}, \sigma _A, \sigma _A')\) is given to \(\mathcal {A}\).

Next, \({\mathcal {D}}\) sets the ephemeral public key of the \(i\)-th session of \(U_A\) (i.e., the test session) as follows: \(\mathcal {D}\) selects ephemeral secret keys \(r^*_{A} \in \{0,1\}^\kappa ,\,r_{A}'^* \in \mathcal {FS}\hbox { and }r^*_{TA} \in \mathcal {RS}_G\) randomly. Then, \(\mathcal {D}\) poses \(\sigma _A'\) to its oracle (i.e., \(F^*\) or a random function \(RF\)) and obtains \(x \in \mathcal {RS}_E\). \(\mathcal {D}\) computes \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r^*_{A}) \oplus x)\) and \((dk^*_{T},ek^*_{T}) \leftarrow \mathsf {KeyGen}(r^*_{TA})\), and sets the ephemeral public key \((CT^*_{A},ek^*_{T})\) of the \(i\)-th session of \(U_A\).

Simulation \(\mathcal {D}\) maintains the list \(\mathcal {L}_{SK}\) that contains queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {D}\) simulates oracle queries by \(\mathcal {A}\) as follows.

  1. \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): If \(P = A\) and the session is the \(i\)-th session of \(U_A\), \(\mathcal {D}\) returns the ephemeral public key \((CT^*_{A},ek^*_{T})\) computed in the setup. Otherwise, \(\mathcal {D}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): \(\mathcal {D}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  3. \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}}, CT_{T}))\) is not recorded, \(\mathcal {D}\) records the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as not completed. Otherwise, \(\mathcal {D}\) computes the session key \(SK\) obeying the protocol, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  4. \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

    (a) If the session \(\mathsf {sid}\) is not completed, \(\mathcal {D}\) returns an error message.

    (b) Otherwise, \(\mathcal {D}\) returns the recorded value \(SK\).

  5. \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {D}\) responds with the ephemeral secret key and intermediate computation results of \(\mathsf {sid}\) as in the definition. Note that the \(\mathsf {SessionStateReveal}\) query is not posed to the test session by the freshness definition.

  6. \(\mathsf {Corrupt}(U_P)\): \(\mathcal {D}\) responds with the static secret key and all unerased session states of \(U_P\) as in the definition.

  7. \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {D}\) responds to the query as in the definition.

  8. If \(\mathcal {A}\) outputs a guess \(b' = 0\), \(\mathcal {D}\) outputs that the oracle is the PRF \(F^*\). Otherwise, \(\mathcal {D}\) outputs that the oracle is a random function \(RF\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {D}\) is the same as the experiment \(\mathbf{H}_2\) if the oracle is the PRF \(F^*\). Otherwise, the simulation by \(\mathcal {D}\) is the same as the experiment \(\mathbf{H}_3\). Thus, if the advantage of \(\mathcal {D}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_3) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_2)| \le negl\).

Hybrid experiment \(\mathbf{H}_4\): In this experiment, the computation of \(K^*_{A}\) in the test session is changed again. Instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus RF(\sigma _A'))\), it is changed as choosing \(K^*_{A} \leftarrow \mathcal {KS}\) randomly, where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.

We construct an IND-CCA adversary \(\mathcal {S}\) from \(\mathcal {A}\) in \(\mathbf{H}_3\) or \(\mathbf{H}_4\). \(\mathcal {S}\) performs the following steps.

Init \(\mathcal {S}\) receives the public key \(ek^*\) as a challenge.

Setup \(\mathcal {S}\) chooses PRF \(F, F': \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\), and \(G : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \), where \(\mathcal {FS}\) is the key space of PRFs, and a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as a part of the public parameters. Also, \(\mathcal {S}\) sets all \(N\) users’ static secret and public keys except \(U_B\). \(\mathcal {S}\) selects \(\sigma _P \in _R \mathcal {FS},\,\sigma _P' \in _R \{0,1\}^\kappa \hbox { and }r \in _R \mathcal {RS}_G\), and runs \((ek_{P}, dk_{P}) \leftarrow \mathsf {KeyGen}(1^\kappa , r)\). Party \(U_P\)’s SSK and SPK are \(((dk_{P}, \sigma _P, \sigma _P'),ek_{P})\). \(U_A\)’s static key \((dk_{A}, \sigma _A, \sigma _A')\) is given to \(\mathcal {A}\).

Next, \(\mathcal {S}\) sets \(ek^*\) as the static public key of \(U_B\). Also, \(\mathcal {S}\) receives the challenge \((K^*, CT^*)\) from the challenger.

Simulation \(\mathcal {S}\) maintains the list \(\mathcal {L}_{SK}\) that contains queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {S}\) simulates oracle queries by \(\mathcal {A}\) as follows.

  1. \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): If \(P = A\) and the session is the \(i\)-th session of \(U_A\), \(\mathcal {S}\) computes \(ek_{T}\) obeying the protocol and returns the ephemeral public key \((CT^*, ek_{T})\). Otherwise, \(\mathcal {S}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): If \(\bar{P} = B\) and \(CT_{P} \not = CT^*\), \(\mathcal {S}\) poses \(CT_{P}\) to the decryption oracle, obtains \(K_{P}\), computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Else if \(\bar{P} = B\) and \(CT_{P} = CT^*\), \(\mathcal {S}\) sets \(K_{P} = K^*\), computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {S}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi ,\,U_P,\,U_{\bar{P}},\,(CT_{P},\,ek_{T}),\,(CT_{\bar{P}},\,CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  3. \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not recorded, \(\mathcal {S}\) records the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as not completed. Else if \(P = A\) and the session is the \(i\)-th session of \(U_A\), \(\mathcal {S}\) computes the session key \(SK\) obeying the protocol except that \(K^*_{A} = K^*\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {S}\) computes the session key \(SK\) obeying the protocol, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  4. \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

    (a) If the session \(\mathsf {sid}\) is not completed, \(\mathcal {S}\) returns an error message.

    (b) Otherwise, \(\mathcal {S}\) returns the recorded value \(SK\).

  5. \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {S}\) responds with the ephemeral secret key and intermediate computation results of \(\mathsf {sid}\) as in the definition. If the owner of \(\mathsf {sid}\) is \(U_B\), \(\mathcal {S}\) poses the ciphertexts received by \(U_B\) to the decryption oracle and can thus simulate all intermediate computation results. Note that the \(\mathsf {SessionStateReveal}\) query is not posed to the test session by the freshness definition.

  6. \(\mathsf {Corrupt}(U_P)\): \(\mathcal {S}\) responds with the static secret key and all unerased session states of \(U_P\) as in the definition.

  7. \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {S}\) responds to the query as in the definition.

  8. If \(\mathcal {A}\) outputs a guess \(b'\), \(\mathcal {S}\) outputs \(b'\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {S}\) is the same as the experiment \(\mathbf{H}_3\) if the challenge is \((K^*_1, CT^*_0)\). Otherwise, the simulation by \(\mathcal {S}\) is the same as the experiment \(\mathbf{H}_4\). Also, \(K^*_{A}\) has \(\kappa \)-min-entropy in both experiments because \((\mathsf {KeyGen}, \mathsf {EnCap}, \mathsf {DeCap})\) is a \(\kappa \)-min-entropy KEM. Thus, if the advantage of \(\mathcal {S}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_4) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_3)| \le negl\).

Hybrid experiment \(\mathbf{H}_5\): In this experiment, the computation of \(K'^*_{1}\) in the test session is changed. Instead of computing \(K'^*_{1} \leftarrow KDF(s, K^*_{A})\), it is changed as choosing \(K'^*_{1} \in \mathcal {FS}\) randomly.

Since \(K^*_{A}\) is randomly chosen in \(\mathbf{H}_4\), it has sufficient min-entropy. Thus, by the definition of the KDF, \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_5) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_4)| \le negl\).

Hybrid experiment \(\mathbf{H}_6\): In this experiment, the computation of \(SK\) in the test session is changed. Instead of computing \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,G_{{K'_{3}}}(\mathsf {ST})\), it is changed as \(SK = x\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,G_{{K'_{3}}}(\mathsf {ST})\) where \(x \in \{0,1\}^\kappa \) is chosen randomly and we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.
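The protocol that hybrids \(\mathbf{H}_3\) through \(\mathbf{H}_6\) modify step by step, reconstructed as an added Python sketch (not the paper's own code): the twisted PRF trick supplies the encapsulation randomness, \(KDF(s,\cdot )\) turns each KEM key into a PRF key, and the session key is the XOR of the three \(G\) outputs over the transcript. The ElGamal stand-in KEM with toy parameters, HMAC-SHA256 as \(F\), \(F'\), \(G\) and the KDF, the transcript layout, and the mapping \(K'_{2} = KDF(s, K_{B})\), \(K'_{3} = KDF(s, K_{T})\) are assumptions made for this example.

```python
import hashlib
import hmac
import os

KAPPA = 32  # security parameter kappa in bytes (256-bit PRF keys and outputs)

# Stand-in KEM (assumption): ElGamal KEM over Z_p^* with a Mersenne prime modulus.
# A placeholder so the construction runs; not IND-CCA and not a secure parameter choice.
P = (1 << 127) - 1
GEN = 3

def kem_keygen(r_g):  # KeyGen(1^kappa, r_G) with explicit randomness r_G
    dk = 1 + int.from_bytes(r_g, "big") % (P - 2)
    return dk, pow(GEN, dk, P)

def kem_encap(ek, r_e):  # EnCap_ek(r_E) with explicit randomness r_E -> (CT, K)
    x = 1 + int.from_bytes(r_e, "big") % (P - 2)
    return pow(GEN, x, P), pow(ek, x, P).to_bytes(16, "big")

def kem_decap(dk, ct):  # DeCap_dk(CT) -> K
    return pow(ct, dk, P).to_bytes(16, "big")

def prf(key, msg):  # F, F' and G are all modelled by HMAC-SHA256 (assumption)
    return hmac.new(key, msg, hashlib.sha256).digest()

def kdf(salt, k):  # KDF(s, K): extraction keyed by the public random salt s (assumption)
    return hmac.new(salt, k, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def twisted_prf(sigma, r, r_prime, sigma_prime):
    """The twisted PRF trick F_sigma(r) XOR F'_{r'}(sigma'): the static pair
    (sigma, sigma') keys one term and the ephemeral pair (r, r') keys the other,
    so exposure of only one pair leaves the other term pseudorandom."""
    return xor(prf(sigma, r), prf(r_prime, sigma_prime))

def static_keygen():  # SSK = (dk, sigma, sigma'), SPK = ek
    dk, ek = kem_keygen(os.urandom(KAPPA))
    return {"dk": dk, "sigma": os.urandom(KAPPA), "sigma_p": os.urandom(KAPPA)}, ek

def transcript(ids, ek_a, ek_b, msg1, msg2):  # ST (assumed layout)
    nums = (ek_a, ek_b) + msg1 + msg2
    return b"|".join([i.encode() for i in ids] + [n.to_bytes(16, "big") for n in nums])

def session_key(salt, k_a, k_b, k_t, st):
    """SK = G_{K'_1}(ST) XOR G_{K'_2}(ST) XOR G_{K'_3}(ST) with K'_i = KDF(s, K_i)."""
    k1, k2, k3 = (kdf(salt, k) for k in (k_a, k_b, k_t))
    return xor(xor(prf(k1, st), prf(k2, st)), prf(k3, st))

def initiator_start(ssk_a, ek_b):
    """U_A: (CT_A, K_A) <- EnCap_{ek_B}(tPRF), (dk_T, ek_T) <- KeyGen(r_TA); send (CT_A, ek_T)."""
    r_a, r_a_p, r_ta = os.urandom(KAPPA), os.urandom(KAPPA), os.urandom(KAPPA)
    rho = twisted_prf(ssk_a["sigma"], r_a, r_a_p, ssk_a["sigma_p"])
    ct_a, k_a = kem_encap(ek_b, rho)
    dk_t, ek_t = kem_keygen(r_ta)
    return (ct_a, ek_t), {"k_a": k_a, "dk_t": dk_t}

def responder(ssk_b, ek_a, ek_b, ids, msg1, salt):
    """U_B: encapsulate to ek_A (twisted PRF) and to ek_T; reply (CT_B, CT_T) and derive SK."""
    ct_a, ek_t = msg1
    r_b, r_b_p, r_tb = os.urandom(KAPPA), os.urandom(KAPPA), os.urandom(KAPPA)
    rho = twisted_prf(ssk_b["sigma"], r_b, r_b_p, ssk_b["sigma_p"])
    ct_b, k_b = kem_encap(ek_a, rho)
    ct_t, k_t = kem_encap(ek_t, r_tb)
    k_a = kem_decap(ssk_b["dk"], ct_a)
    msg2 = (ct_b, ct_t)
    return msg2, session_key(salt, k_a, k_b, k_t, transcript(ids, ek_a, ek_b, msg1, msg2))

def initiator_finish(ssk_a, state, ek_a, ek_b, ids, msg1, msg2, salt):
    """U_A: decapsulate CT_B with dk_A and CT_T with dk_T, then derive SK."""
    ct_b, ct_t = msg2
    k_b = kem_decap(ssk_a["dk"], ct_b)
    k_t = kem_decap(state["dk_t"], ct_t)
    return session_key(salt, state["k_a"], k_b, k_t, transcript(ids, ek_a, ek_b, msg1, msg2))

def run_session(tamper=False):
    """One run between Alice and Bob; returns (SK_A, SK_B).  With tamper=True the network
    alters CT_A in transit, so U_B decapsulates a different K_A and the keys disagree."""
    salt = os.urandom(KAPPA)
    ssk_a, ek_a = static_keygen()
    ssk_b, ek_b = static_keygen()
    ids = ("Alice", "Bob")
    msg1, state = initiator_start(ssk_a, ek_b)
    delivered = ((msg1[0] * GEN) % P, msg1[1]) if tamper else msg1
    msg2, sk_b = responder(ssk_b, ek_a, ek_b, ids, delivered, salt)
    sk_a = initiator_finish(ssk_a, state, ek_a, ek_b, ids, msg1, msg2, salt)
    return sk_a, sk_b
```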

We construct a distinguisher \(\mathcal {D'}\) between PRF \(F^* : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \) and a random function \(RF\) from \(\mathcal {A}\) in \(\mathbf{H}_5\) or \(\mathbf{H}_6\). \(\mathcal {D'}\) performs the following steps.

Setup \(\mathcal {D'}\) chooses PRF \(F: \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E,\,F' : \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\), sets \(G = F^*\), where \(\mathcal {FS}\) is the key space of PRFs, and a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as a part of the public parameters. Also, \(\mathcal {D'}\) sets all \(N\) users’ static secret and public keys. \(\mathcal {D'}\) selects \(\sigma _P \in _R \mathcal {FS},\,\sigma _P' \in _R \{0,1\}^\kappa \hbox { and }r \in _R \mathcal {RS}_G\), and runs \((ek_{P}, dk_{P}) \leftarrow \mathsf {KeyGen}(1^\kappa , r)\). Party \(U_P\)’s SSK and SPK are \(((dk_{P}, \sigma _P, \sigma _P'),ek_{P})\). \(U_A\)’s static key \((dk_{A}, \sigma _A, \sigma _A')\) is given to \(\mathcal {A}\).

Simulation \(\mathcal {D'}\) maintains the list \(\mathcal {L}_{SK}\) that contains queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {D'}\) simulates oracle queries by \(\mathcal {A}\) as follows.

  1. \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): \(\mathcal {D'}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): \(\mathcal {D'}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi ,\,U_P,\,U_{\bar{P}},\,(CT_{P},\,ek_{T}),\,(CT_{\bar{P}},\,CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  3. \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not recorded, \(\mathcal {D'}\) records the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as not completed. Else if \(P = A\) and the session is the \(i\)-th session of \(U_A\), \(\mathcal {D'}\) poses \(\mathsf {ST}\) to its oracle (i.e., \(F^*\) or a random function \(RF\)), obtains \(x \in \{0,1\}^\kappa \), computes the session key \(SK = x\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,G_{{K'_{3}}}(\mathsf {ST})\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {D'}\) computes the session key \(SK\) obeying the protocol, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  4. \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

     (a) If the session \(\mathsf {sid}\) is not completed, \(\mathcal {D'}\) returns an error message.

     (b) Otherwise, \(\mathcal {D'}\) returns the recorded value \(SK\).

  5. \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {D'}\) responds with the ephemeral secret key and the intermediate computation results of \(\mathsf {sid}\) as in the definition. Note that the \(\mathsf {SessionStateReveal}\) query is not posed to the test session by the freshness definition.

  6. \(\mathsf {Corrupt}(U_P)\): \(\mathcal {D'}\) responds with the static secret key and all unerased session states of \(U_P\) as in the definition.

  7. \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {D'}\) responds to the query as in the definition.

  8. If \(\mathcal {A}\) outputs a guess \(b' = 0\), \(\mathcal {D'}\) outputs that the oracle is the PRF \(F^*\). Otherwise, \(\mathcal {D'}\) outputs that the oracle is a random function \(RF\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {D'}\) is the same as the experiment \(\mathbf{H}_5\) if the oracle is the PRF \(F^*\). Otherwise, the simulation by \(\mathcal {D'}\) is the same as the experiment \(\mathbf{H}_6\). Thus, if the advantage of \(\mathcal {D'}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_6) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_5)| \le negl\).

In \(\mathbf{H}_6\), the session key of the test session is perfectly randomized (it is the XOR of a uniformly random \(x\) with values independent of \(x\)). Thus, \(\mathcal {A}\) cannot obtain any advantage from the \(\mathsf {Test}\) query.

Therefore, \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_6) = 0\), and \(\Pr [E_{1} \wedge Suc]\) is negligible.

Appendix 1.2: Event \(E_{2} \wedge Suc\)

The proof in this case is essentially the same as for the event \(E_{1} \wedge Suc\). The difference lies in the experiment \(\mathbf{H}_3\). In the event \(E_{1} \wedge Suc\), instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\), it is changed to \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus RF(\sigma _A'))\), where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session. In the event \(E_{2} \wedge Suc\), it is changed to \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(RF(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\) instead. Since \(\mathcal {A}\) is given the ephemeral secret key but cannot obtain the static secret \(\sigma _A\) by the freshness definition in this event, \(F_{{\sigma _A}}\) is a PRF whose key is hidden from \(\mathcal {A}\), and we can construct a distinguisher \(\mathcal {D}\) from \(\mathcal {A}\) in the same manner as in the proof of the event \(E_{1} \wedge Suc\).

Appendix 1.3: Event \(E_{3} \wedge Suc\)

The proof in this case is essentially the same as for the event \(E_{1} \wedge Suc\). There are differences in the experiments \(\mathbf{H}_3\hbox { and }\mathbf{H}_4\). In \(\mathbf{H}_3\) of the event \(E_{1} \wedge Suc\), instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\), it is changed to \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus RF(\sigma _A'))\), where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session. In \(\mathbf{H}_3\) of the event \(E_{3} \wedge Suc\), instead of computing \((CT^*_{B},K^*_{B}) \leftarrow \mathsf {EnCap}_{ek_{A}}(F_{{\sigma _B}}(r_{B}) \oplus F'_{{r'_{B}}}(\sigma _B'))\), it is changed to \((CT^*_{B},K^*_{B}) \leftarrow \mathsf {EnCap}_{ek_{A}}(F_{{\sigma _B}}(r_{B}) \oplus RF(\sigma _B'))\). In \(\mathbf{H}_4\) of the event \(E_{1} \wedge Suc\), instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus RF(\sigma _A'))\), it is changed to choosing \(K^*_{A} \leftarrow \mathcal {KS}\) randomly. In \(\mathbf{H}_4\) of the event \(E_{3} \wedge Suc\), instead of computing \((CT^*_{B},K^*_{B}) \leftarrow \mathsf {EnCap}_{ek_{A}}(F_{{\sigma _B}}(r_{B}) \oplus RF(\sigma _B'))\), it is changed to choosing \(K^*_{B} \leftarrow \mathcal {KS}\) randomly. In this event \(\mathcal {A}\) is given the static secret key of the responder (and hence \(\sigma _B\)), but by the freshness definition it cannot obtain the ephemeral secret \(r'_{B}\); therefore \(F'_{{r'_{B}}}\) is a PRF whose key is hidden from \(\mathcal {A}\), and we can construct a distinguisher \(\mathcal {D}\) from \(\mathcal {A}\) in the same manner as in the proof of the event \(E_{1} \wedge Suc\).

Appendix 1.4: Event \(E_{4} \wedge Suc\)

The proof in this case is essentially the same as for the event \(E_{2} \wedge Suc\). There are differences in the experiments \(\mathbf{H}_3\hbox { and }\mathbf{H}_4\). In \(\mathbf{H}_3\) of the event \(E_{2} \wedge Suc\), instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(F_{{\sigma _A}}(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\), it is changed to \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(RF(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\), where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session. In \(\mathbf{H}_3\) of the event \(E_{4} \wedge Suc\), instead of computing \((CT^*_{B},K^*_{B}) \leftarrow \mathsf {EnCap}_{ek_{A}}(F_{{\sigma _B}}(r_{B}) \oplus F'_{{r'_{B}}}(\sigma _B'))\), it is changed to \((CT^*_{B},K^*_{B}) \leftarrow \mathsf {EnCap}_{ek_{A}}(RF(r_{B}) \oplus F'_{{r'_{B}}}(\sigma _B'))\). In \(\mathbf{H}_4\) of the event \(E_{2} \wedge Suc\), instead of computing \((CT^*_{A},K^*_{A}) \leftarrow \mathsf {EnCap}_{ek_{B}}(RF(r_{A}) \oplus F'_{{r'_{A}}}(\sigma _A'))\), it is changed to choosing \(K^*_{A} \leftarrow \mathcal {KS}\) randomly. In \(\mathbf{H}_4\) of the event \(E_{4} \wedge Suc\), instead of computing \((CT^*_{B},K^*_{B}) \leftarrow \mathsf {EnCap}_{ek_{A}}(RF(r_{B}) \oplus F'_{{r'_{B}}}(\sigma _B'))\), it is changed to choosing \(K^*_{B} \leftarrow \mathcal {KS}\) randomly. Since \(\mathcal {A}\) is given the ephemeral secret key of the responder but cannot obtain the static secret \(\sigma _B\) by the freshness definition in this event, \(F_{{\sigma _B}}\) is a PRF whose key is hidden from \(\mathcal {A}\), and we can construct a distinguisher \(\mathcal {D}\) from \(\mathcal {A}\) in the same manner as in the proof of the event \(E_{1} \wedge Suc\).

Appendix 1.5: Event \(E_{5} \wedge Suc\)

We change the interface of the oracle queries and the computation of the session key. These are changed gradually over six hybrid experiments, depending on the specific sub-case. In the last hybrid experiment, the session key of the test session contains no information about the bit \(b\), so the adversary can only output a random guess. We denote these hybrid experiments by \(\mathbf{H}_0, \dots , \mathbf{H}_5\) and the advantage of the adversary \(\mathcal {A}\) when participating in experiment \(\mathbf{H}_i\) by \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_i)\).

Hybrid experiment \(\mathbf{H}_0\): This experiment denotes the real experiment for \({\mathrm {CK}}^+\) security and in this experiment the environment for \(\mathcal {A}\) is as defined in the protocol. Thus, \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_0)\) is the same as the advantage of the real experiment.

Hybrid experiment \(\mathbf{H}_1\): In this experiment, if session identities in two sessions are identical, the experiment halts.

By the same argument as for the event \(E_{1} \wedge Suc\), \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_1) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_0)| \le negl\).

Hybrid experiment \(\mathbf{H}_2\): In this experiment, the experiment selects a party \(U_A\) and an integer \(i \in [1,\ell ]\) randomly in advance. If \(\mathcal {A}\) poses the \(\mathsf {Test}\) query to a session other than the \(i\)-th session of \(U_A\), the experiment halts.

By the same argument as for the event \(E_{1} \wedge Suc\), \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_2) \ge 1/N^2\ell \cdot {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_1) \).

Hybrid experiment \(\mathbf{H}_3\): In this experiment, the computation of \(K^*_{T}\) in the test session is changed. Instead of computing \((CT^*_{T},K^*_{T}) \leftarrow \mathsf {wEnCap}_{ek_{T}}(r_{TB})\), it is changed as choosing \(K^*_{T} \leftarrow \mathcal {KS}\) randomly, where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.

We construct an IND-CPA adversary \(\mathcal {S}\) from \(\mathcal {A}\) in \(\mathbf{H}_2\) or \(\mathbf{H}_3\). \(\mathcal {S}\) performs the following steps.

Init \(\mathcal {S}\) receives the public key \(ek^*\) as a challenge.

Setup \(\mathcal {S}\) chooses PRF \(F, F': \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\), and \(G : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \), where \(\mathcal {FS}\) is the key space of PRFs, and a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as a part of the public parameters. Also, \(\mathcal {S}\) sets all \(N\) users’ static secret and public keys. \(\mathcal {S}\) selects \(\sigma _P \in _R \mathcal {FS},\,\sigma _P' \in _R \{0,1\}^\kappa \hbox { and }r \in _R \mathcal {RS}_G\), and runs \((ek_{P}, dk_{P}) \leftarrow \mathsf {KeyGen}(1^\kappa , r)\). Party \(U_P\)’s SSK and SPK are \(((dk_{P}, \sigma _P, \sigma _P'),ek_{P})\). \(U_A\)’s static key \((dk_{A}, \sigma _A, \sigma _A')\hbox { and }U_B\)’s static key \((dk_{B}, \sigma _B, \sigma _B')\) are given to \(\mathcal {A}\).

Next, \(\mathcal {S}\) receives the challenge \((K^*, CT^*)\) from the challenger.

Simulation \(\mathcal {S}\) maintains the list \(\mathcal {L}_{SK}\) that contains queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {S}\) simulates oracle queries by \(\mathcal {A}\) as follows.

  1. \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): If \(P = A\) and the session is the \(i\)-th session of \(U_A\), \(\mathcal {S}\) computes \(CT_{A}\) obeying the protocol, returns the ephemeral public key \((CT_{A}, ek^*)\) and records \((\Pi , U_A, U_{\bar{P}}, (CT_{A},ek^*))\). Otherwise, \(\mathcal {S}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): If \(\bar{P} = B\) and the received ephemeral public key \((CT_{P},ek_{T})\) is the one sent in the \(i\)-th session of \(U_A\) (so that \(ek_{T} = ek^*\)), \(\mathcal {S}\) computes \(CT_{\bar{P}}\) and the session key \(SK\) obeying the protocol except that \(K_{T} = K^*\), returns the ephemeral public key \((CT_{\bar{P}},CT^*)\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT^*))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {S}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  3. \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not recorded, \(\mathcal {S}\) records the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as not completed. Else if \(P = A\) and the session is the \(i\)-th session of \(U_A\), \(\mathcal {S}\) computes the session key \(SK\) obeying the protocol except that \(K^*_{T} = K^*\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {S}\) computes the session key \(SK\) obeying the protocol, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  4. \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

     (a) If the session \(\mathsf {sid}\) is not completed, \(\mathcal {S}\) returns an error message.

     (b) Otherwise, \(\mathcal {S}\) returns the recorded value \(SK\).

  5. \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {S}\) responds with the ephemeral secret key and the intermediate computation results of \(\mathsf {sid}\) as in the definition. Note that the \(\mathsf {SessionStateReveal}\) query is not posed to the test session by the freshness definition.

  6. \(\mathsf {Corrupt}(U_P)\): \(\mathcal {S}\) responds with the static secret key and all unerased session states of \(U_P\) as in the definition.

  7. \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {S}\) responds to the query as in the definition.

  8. If \(\mathcal {A}\) outputs a guess \(b'\), \(\mathcal {S}\) outputs \(b'\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {S}\) is the same as the experiment \(\mathbf{H}_2\) if the challenge key \(K^*\) is the key actually encapsulated in \(CT^*\). Otherwise (\(K^*\) is a random element of \(\mathcal {KS}\)), the simulation by \(\mathcal {S}\) is the same as the experiment \(\mathbf{H}_3\). Also, \(K^*_{T}\) has \(\kappa \)-min-entropy in both experiments because \((\mathsf {wKeyGen}, \mathsf {wEnCap}, \mathsf {wDeCap})\) is a \(\kappa \)-min-entropy KEM. Thus, if the advantage of \(\mathcal {S}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_3) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_2)| \le negl\).

Hybrid experiment \(\mathbf{H}_4\): In this experiment, the computation of \(K'^*_{3}\) in the test session is changed. Instead of computing \(K'^*_{3} \leftarrow KDF(s, K^*_{T})\), it is changed as choosing \(K'^*_{3} \in \mathcal {FS}\) randomly.

Since \(K^*_{T}\) is randomly chosen in \(\mathbf{H}_3\), it has sufficient min-entropy. Thus, by the definition of the KDF, \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_4) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_3)| \le negl\).

Hybrid experiment \(\mathbf{H}_5\): In this experiment, the computation of \(SK\) in the test session is changed. Instead of computing \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,G_{{K'_{3}}}(\mathsf {ST})\), it is changed as \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,x\) where \(x \in \{0,1\}^\kappa \) is chosen randomly and we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.

We construct a distinguisher \(\mathcal {D'}\) between PRF \(F^* : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \) and a random function \(RF\) from \(\mathcal {A}\) in \(\mathbf{H}_4\) or \(\mathbf{H}_5\). \(\mathcal {D'}\) performs the following steps.

Setup \(\mathcal {D'}\) chooses PRF \(F,F': \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\), and sets \(G = F^*\), where \(\mathcal {FS}\) is the key space of PRFs, and a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as a part of the public parameters. Also, \(\mathcal {D'}\) sets all \(N\) users’ static secret and public keys. \(\mathcal {D'}\) selects \(\sigma _P \in _R \mathcal {FS},\,\sigma _P' \in _R \{0,1\}^\kappa \hbox { and }r \in _R \mathcal {RS}_G\), and runs \((ek_{P}, dk_{P}) \leftarrow \mathsf {KeyGen}(1^\kappa , r)\). Party \(U_P\)’s SSK and SPK are \(((dk_{P}, \sigma _P, \sigma _P'),ek_{P})\). \(U_A\)’s static key \((dk_{A}, \sigma _A, \sigma _A')\hbox { and }U_B\)’s static key \((dk_{B}, \sigma _B, \sigma _B')\) are given to \(\mathcal {A}\).

Simulation \(\mathcal {D'}\) maintains the list \(\mathcal {L}_{SK}\) that contains queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {D'}\) simulates oracle queries by \(\mathcal {A}\) as follows.

  1. \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): \(\mathcal {D'}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): If \(P = A\) and the session is partnered with the \(i\)-th session of \(U_A\) (i.e., the received ephemeral public key \((CT_{P},ek_{T})\) was sent in that session), \(\mathcal {D'}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) obeying the protocol and returns it, poses \(\mathsf {ST}\) to its oracle (i.e., \(F^*\) or a random function \(RF\)), obtains \(x \in \{0,1\}^\kappa \), computes the session key \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,x\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {D'}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  3. \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not recorded, \(\mathcal {D'}\) records the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as not completed. Else if \(P = A\) and the session is the \(i\)-th session of \(U_A\), \(\mathcal {D'}\) poses \(\mathsf {ST}\) to its oracle (i.e., \(F^*\) or a random function \(RF\)), obtains \(x \in \{0,1\}^\kappa \), computes the session key \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,x\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {D'}\) computes the session key \(SK\) obeying the protocol, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  4. \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

     (a) If the session \(\mathsf {sid}\) is not completed, \(\mathcal {D'}\) returns an error message.

     (b) Otherwise, \(\mathcal {D'}\) returns the recorded value \(SK\).

  5. \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {D'}\) responds with the ephemeral secret key and the intermediate computation results of \(\mathsf {sid}\) as in the definition. Note that the \(\mathsf {SessionStateReveal}\) query is not posed to the test session by the freshness definition.

  6. \(\mathsf {Corrupt}(U_P)\): \(\mathcal {D'}\) responds with the static secret key and all unerased session states of \(U_P\) as in the definition.

  7. \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {D'}\) responds to the query as in the definition.

  8. If \(\mathcal {A}\) outputs a guess \(b' = 0\), \(\mathcal {D'}\) outputs that the oracle is the PRF \(F^*\). Otherwise, \(\mathcal {D'}\) outputs that the oracle is a random function \(RF\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {D'}\) is the same as the experiment \(\mathbf{H}_4\) if the oracle is the PRF \(F^*\). Otherwise, the simulation by \(\mathcal {D'}\) is the same as the experiment \(\mathbf{H}_5\). Thus, if the advantage of \(\mathcal {D'}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_5) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_4)| \le negl\).

In \(\mathbf{H}_5\), the session key of the test session is perfectly randomized (it is the XOR of a uniformly random \(x\) with values independent of \(x\)). Thus, \(\mathcal {A}\) cannot obtain any advantage from the \(\mathsf {Test}\) query.

Therefore, \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_5) = 0\), and \(\Pr [E_{5} \wedge Suc]\) is negligible.
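The per-step bounds of this event chain into a single inequality. The following derivation is added here and is not part of the original text; the symbols \(\varepsilon _{\mathsf {wKEM}}\), \(\varepsilon _{KDF}\) and \(\varepsilon _{PRF}\) are introduced only for this derivation and denote the advantage of \(\mathcal {S}\) in the IND-CPA game of \((\mathsf {wKeyGen}, \mathsf {wEnCap}, \mathsf {wDeCap})\), the distinguishing advantage against the KDF on a \(\kappa \)-min-entropy input, and the advantage of \(\mathcal {D'}\) against the PRF \(F^*\), respectively.

\[
\begin{aligned}
{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_0)
 &\le {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_1) + negl
  \le N^2\ell \cdot {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_2) + negl \\
 &\le N^2\ell \cdot \bigl({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_3) + \varepsilon _{\mathsf {wKEM}}\bigr) + negl \\
 &\le N^2\ell \cdot \bigl({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_4) + \varepsilon _{\mathsf {wKEM}} + \varepsilon _{KDF}\bigr) + negl \\
 &\le N^2\ell \cdot \bigl({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_5) + \varepsilon _{\mathsf {wKEM}} + \varepsilon _{KDF} + \varepsilon _{PRF}\bigr) + negl \\
 &= N^2\ell \cdot \bigl(\varepsilon _{\mathsf {wKEM}} + \varepsilon _{KDF} + \varepsilon _{PRF}\bigr) + negl .
\end{aligned}
\]

Since \(N\) and \(\ell \) are polynomial in \(\kappa \), the right-hand side is negligible exactly when each of the three advantages is, which is what the claim that \(\Pr [E_{5} \wedge Suc]\) is negligible amounts to; the factor \(N^2\ell \) is the loss from guessing the test session in \(\mathbf{H}_2\). The chains for the other events are analogous, with one term per hybrid step of that event.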

Appendix 1.6: Event \(E_{6} \wedge Suc\)

The proof in this case is essentially the same as for the event \(E_{2} \wedge Suc\). When the ephemeral secret key of \(\overline{\mathsf {sid}}^*\) is given to \(\mathcal {A}\), the situation is the same as if \(\mathsf {sid}^*\) had no matching session, because \(\mathcal {A}\) can choose the ephemeral key arbitrarily and thus produce the peer's messages itself. Thus, the proof in this event follows that of the event \(E_{2} \wedge Suc\).

Appendix 1.7: Event \(E_{7} \wedge Suc\)

The proof in this case is essentially the same as for the event \(E_{1} \wedge Suc\). When the ephemeral secret key of \(\overline{\mathsf {sid}}^*\) is given to \(\mathcal {A}\), the situation is the same as if \(\mathsf {sid}^*\) had no matching session, because \(\mathcal {A}\) can choose the ephemeral key arbitrarily and thus produce the peer's messages itself. Thus, the proof in this event follows that of the event \(E_{1} \wedge Suc\).

Appendix 1.8: Event \(E_{8} \wedge Suc\)

The proof in this case is essentially the same as for the event \(E_{4} \wedge Suc\). When the ephemeral secret key of the test session is given to \(\mathcal {A}\), the situation is the same as if \(\overline{\mathsf {sid}}^*\) had no matching session, because \(\mathcal {A}\) can choose the ephemeral key arbitrarily and thus produce that session's messages itself. Thus, the proof in this event follows that of the event \(E_{4} \wedge Suc\).
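The events \(E_1\) to \(E_8\) above are exactly the combinations of static and ephemeral exposure that freshness allows, and every case works because at least one of the three KEM keys \(K_A\), \(K_B\), \(K_T\) stays hidden from \(\mathcal {A}\). The Python sketch below is an added example and not code from the paper: it runs one session of the generic construction (the initiator sends \((CT_A, ek_T)\), the responder answers \((CT_B, CT_T)\), and both derive \(SK = G_{K'_1}(\mathsf {ST}) \oplus G_{K'_2}(\mathsf {ST}) \oplus G_{K'_3}(\mathsf {ST})\) with \(K'_j = KDF(s, \cdot )\)), then replays each exposure pattern against the transcript to list which KEM keys become recomputable. Assumptions: the PRFs \(F, F', G\) are instantiated as HMAC-SHA256 and the KDF as a salted SHA-256; both the KEM and the wKEM are a single hashed-ElGamal toy in the RFC 3526 group 14 (enough to show the data flow, not the IND-CCA KEM the theorem requires); and the contents of \(\mathsf {ST}\) (identities, static and ephemeral public keys, ciphertexts) are assumed, since this page does not restate them.

```python
# Added example (not the paper's code). Toy instantiation of the GC protocol:
# PRFs = HMAC-SHA256, KDF = salted SHA-256, KEM/wKEM = hashed ElGamal in
# RFC 3526 group 14 (CPA-style toy only, not the CCA KEM the proof requires).
import hashlib
import hmac
import secrets

P = int("".join("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
""".split()), 16)
G = 2
KAPPA = 32                      # kappa = 256 bits: every PRF key / output is 32 bytes
SALT = secrets.token_bytes(16)  # the non-secret salt s from the public parameters

def prf(key: bytes, data: bytes) -> bytes:      # F, F' and G (assumption: HMAC-SHA256)
    return hmac.new(key, data, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def kdf(k: bytes) -> bytes:                     # KDF(s, K) (assumption: salted SHA-256)
    return hashlib.sha256(SALT + k).digest()

def keygen(r: bytes):                           # KeyGen / wKeyGen with explicit randomness r
    dk = int.from_bytes(r, "big")
    return pow(G, dk, P), dk                    # (ek, dk)

def encap(ek: int, r: bytes):                   # EnCap_ek(r): the randomness is an input
    y = int.from_bytes(r, "big")
    return pow(G, y, P), hashlib.sha256(pow(ek, y, P).to_bytes(256, "big")).digest()

def decap(dk: int, ct: int) -> bytes:
    return hashlib.sha256(pow(ct, dk, P).to_bytes(256, "big")).digest()

def twisted_prf(sigma, r, r_prime, sigma_prime):
    """F_sigma(r) xor F'_{r'}(sigma'): pseudorandom as long as either the static
    secret sigma (event E2) or the ephemeral secret r' (event E1) is hidden."""
    return xor(prf(sigma, r), prf(r_prime, sigma_prime))

class Party:
    def __init__(self, name: str):
        self.name = name
        self.sigma, self.sigma_p = secrets.token_bytes(KAPPA), secrets.token_bytes(KAPPA)
        self.ek, self.dk = keygen(secrets.token_bytes(KAPPA))

def session_key(st: bytes, k_a: bytes, k_b: bytes, k_t: bytes) -> bytes:
    k1, k2, k3 = kdf(k_a), kdf(k_b), kdf(k_t)   # K'_1, K'_2, K'_3
    return xor(xor(prf(k1, st), prf(k2, st)), prf(k3, st))

def run_gc(A: Party, B: Party) -> dict:
    """One GC session; returns both session keys and all secrets so that the
    exposure patterns can be replayed against the same transcript."""
    r_a, rp_a, r_ta = (secrets.token_bytes(KAPPA) for _ in range(3))
    ct_a, k_a = encap(B.ek, twisted_prf(A.sigma, r_a, rp_a, A.sigma_p))
    ek_t, dk_t = keygen(r_ta)                   # A -> B: (CT_A, ek_T)
    r_b, rp_b, r_tb = (secrets.token_bytes(KAPPA) for _ in range(3))
    ct_b, k_b = encap(A.ek, twisted_prf(B.sigma, r_b, rp_b, B.sigma_p))
    ct_t, k_t = encap(ek_t, r_tb)               # B -> A: (CT_B, CT_T), wEnCap_{ek_T}(r_TB)
    st = b"|".join(v.to_bytes(256, "big") if isinstance(v, int) else v for v in   # assumed ST layout
                   (b"GC", A.name.encode(), B.name.encode(), A.ek, B.ek, ct_a, ek_t, ct_b, ct_t))
    sk_b = session_key(st, decap(B.dk, ct_a), k_b, k_t)                 # responder: K_A = DeCap_{dk_B}(CT_A)
    sk_a = session_key(st, k_a, decap(A.dk, ct_b), decap(dk_t, ct_t))   # initiator: K_B, K_T by decapsulation
    return dict(sk_a=sk_a, sk_b=sk_b, st=st, ct_a=ct_a, ct_b=ct_b, ct_t=ct_t, ek_t=ek_t,
                eph_a=(r_a, rp_a, dk_t), eph_b=(r_b, rp_b, r_tb))

def recoverable(run, A, B, static_a=False, eph_a=False, static_b=False, eph_b=False):
    """KEM keys an adversary can recompute from the exposed secrets plus the
    public transcript: the case split behind the events E1..E8."""
    got = {}
    if static_b:                                # dk_B opens CT_A
        got["K_A"] = decap(B.dk, run["ct_a"])
    if static_a and eph_a:                      # sigma_A with r_A, r'_A: rerun EnCap (not fresh)
        got["K_A"] = encap(B.ek, twisted_prf(A.sigma, run["eph_a"][0], run["eph_a"][1], A.sigma_p))[1]
    if static_a:                                # dk_A opens CT_B
        got["K_B"] = decap(A.dk, run["ct_b"])
    if static_b and eph_b:
        got["K_B"] = encap(A.ek, twisted_prf(B.sigma, run["eph_b"][0], run["eph_b"][1], B.sigma_p))[1]
    if eph_a:                                   # dk_T is part of A's ephemeral state
        got["K_T"] = decap(run["eph_a"][2], run["ct_t"])
    if eph_b:                                   # r_TB is part of B's ephemeral state
        got["K_T"] = encap(run["ek_t"], run["eph_b"][2])[1]
    return got
```

Every fresh pattern (both static keys, \(E_5\); both ephemeral keys, \(E_6\); a static key of one party and the ephemeral key of the other, \(E_7\) and \(E_8\); a single key, \(E_1\) to \(E_4\)) leaves at least one of \(K_A, K_B, K_T\) out of the returned dictionary, so the corresponding \(G_{K'_j}(\mathsf {ST})\) term masks \(SK\). Exposing both the static and the ephemeral secret of the same party, which freshness forbids, yields all three keys and hence \(SK\) itself; this is why the twisted PRF combines a static key with an ephemeral one.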

Appendix 2: Proof of Theorem 2

In the experiment of \({\hbox {id-CK}^+}\) security, we suppose that \(\mathsf {sid}^*\) is the session identity for the test session, and that there are \(N\) users and at most \(\ell \) sessions are activated. Let \(\kappa \) be the security parameter, and let \(\mathcal {A}\) be a PPT (in \(\kappa \)) bounded adversary. \(Suc\) denotes the event that \(\mathcal {A}\) wins. We consider the following events that cover all cases of the behavior of \(\mathcal {A}\).

  • Let \(E_1\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the initiator and the static secret key of the initiator is given to \(\mathcal {A}\).

  • Let \(E_2\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the initiator and the ephemeral secret key of \(\mathsf {sid}^*\) is given to \(\mathcal {A}\).

  • Let \(E_3\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the responder and the static secret key of the responder is given to \(\mathcal {A}\).

  • Let \(E_4\) be the event that the test session \(\mathsf {sid}^*\) has no matching session \(\overline{\mathsf {sid}}^*\), the owner of \(\mathsf {sid}^*\) is the responder and the ephemeral secret key of \(\mathsf {sid}^*\) is given to \(\mathcal {A}\).

  • Let \(E_5\) be the event that the test session \(\mathsf {sid}^*\) has matching session \(\overline{\mathsf {sid}}^*\), and both static secret keys of the initiator and the responder are given to \(\mathcal {A}\).

  • Let \(E_6\) be the event that the test session \(\mathsf {sid}^*\) has a matching session \(\overline{\mathsf {sid}}^*\), and both ephemeral secret keys of \(\mathsf {sid}^*\hbox { and }\overline{\mathsf {sid}}^*\) are given to \(\mathcal {A}\).

  • Let \(E_7\) be the event that the test session \(\mathsf {sid}^*\) has a matching session \(\overline{\mathsf {sid}}^*\), and the static secret key of the owner of \(\mathsf {sid}^*\) and the ephemeral secret key of \(\overline{\mathsf {sid}}^*\) are given to \(\mathcal {A}\).

  • Let \(E_8\) be the event that the test session \(\mathsf {sid}^*\) has a matching session \(\overline{\mathsf {sid}}^*\), and the ephemeral secret key of \(\mathsf {sid}^*\) and the static secret key of the owner of \(\overline{\mathsf {sid}}^*\) are given to \(\mathcal {A}\).

  • Let \(E_9\) be the event that the test session \(\mathsf {sid}^*\) has matching session \(\overline{\mathsf {sid}}^*\), and master secret key is given to \(\mathcal {A}\).

To finish the proof, we investigate the events \(E_{i} \wedge Suc\,(i=1,\dots ,9)\), which cover all cases of the event \(Suc\). The proofs for \(E_{1}, \dots , E_{8}\) are essentially the same as in the case of Theorem 1, whereas \(E_{9} \wedge Suc\) (exposure of the master secret key) is the event characteristic of Theorem 2. Thus, we only show the proof of the event \(E_{9} \wedge Suc\).

Appendix 2.1: Event \(E_{9} \wedge Suc\)

We change the interface of the oracle queries and the computation of the session key. These are changed gradually over six hybrid experiments, depending on the specific sub-case. In the last hybrid experiment, the session key of the test session contains no information about the bit \(b\), so the adversary can only output a random guess. We denote these hybrid experiments by \(\mathbf{H}_0, \dots , \mathbf{H}_5\) and the advantage of the adversary \(\mathcal {A}\) when participating in experiment \(\mathbf{H}_i\) by \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_i)\).

Hybrid experiment \(\mathbf{H}_0\): This experiment denotes the real experiment for \({\hbox {id-CK}^+}\) security and in this experiment the environment for \(\mathcal {A}\) is as defined in the protocol. Thus, \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_0)\) is the same as the advantage of the real experiment.

Hybrid experiment \(\mathbf{H}_1\): In this experiment, if session identities in two sessions are identical, the experiment halts.

The session identities of two sessions can coincide only if two ciphertexts generated from different randomness coincide. For an IND-sID-CCA secure IB-KEM, such an event occurs with negligible probability. Thus, \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_1) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_0)| \le negl\).

Hybrid experiment \(\mathbf{H}_2\): In this experiment, the experiment selects a party \(U_A\) and an integer \(i \in [1,\ell ]\) randomly in advance. If \(\mathcal {A}\) poses the \(\mathsf {Test}\) query to a session other than the \(i\)-th session of \(U_A\), the experiment halts.

Since the guess of the test session matches \(\mathcal {A}\)'s choice with probability \(1/N^2\ell \), \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_2)\,\ge 1/N^2\ell \cdot {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_1) \).

Hybrid experiment \(\mathbf{H}_3\): In this experiment, the computation of \(K^*_{T}\) in the test session is changed. Instead of computing \((CT^*_{T},K^*_{T}) \leftarrow \mathsf {wEnCap}_{ek_{T}}(r_{TB})\), it is changed as choosing \(K^*_{T} \leftarrow \mathcal {KS}\) randomly, where we suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.

We construct an IND-CPA adversary \(\mathcal {S}\) from \(\mathcal {A}\) in \(\mathbf{H}_2\) or \(\mathbf{H}_3\). \(\mathcal {S}\) performs the following steps.

Init \(\mathcal {S}\) receives the public key \(ek^*\) as a challenge.

Setup \(\mathcal {S}\) chooses PRF \(F, F': \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\), and \(G : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \), where \(\mathcal {FS}\) is the key space of PRFs, and a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as a part of the public parameters. Also, \(\mathcal {S}\) sets the master public and secret key, and all \(N\) users’ static secret keys. \(\mathcal {S}\) selects \(r \in \mathcal {RS}_G\), and generates master public and secret keys \((mpk,msk) \leftarrow \mathsf{MKeyGen}(1^\kappa , r)\), where \(\mathcal {RS}_G\) is the randomness space of \(\mathsf{MKeyGen}\). Then, \(\mathcal {S}\) selects \(\sigma _P \in _R \mathcal {FS},\,\sigma _P' \in _R \{0,1\}^\kappa \hbox { and }r' \in \mathcal {RS}_G\), and runs the key derivation algorithm \(dk_{P} \leftarrow \mathsf {KeyDer}(mpk,msk,U_P,r')\), where \(\mathcal {RS}_G\) is the randomness space of \(\mathsf {KeyDer}\). Party \(U_P\)’s static secret key is \((dk_{P},\sigma _P, \sigma _P')\). The master key \(msk\) is given to \(\mathcal {A}\).

Next, \(\mathcal {S}\) receives the challenge \((K^*, CT^*)\) from the challenger.

Simulation \(\mathcal {S}\) maintains the list \(\mathcal {L}_{SK}\) that contains queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {S}\) simulates oracle queries by \(\mathcal {A}\) as follows.

  1. \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): If \(P = A\) and the session is the \(i\)-th session of \(U_A\), \(\mathcal {S}\) computes \(CT_{A}\) obeying the protocol, returns the ephemeral public key \((CT_{A}, ek^*)\) and records \((\Pi , U_A, U_{\bar{P}}, (CT_{A},ek^*))\). Otherwise, \(\mathcal {S}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): If \(\bar{P} = B\) and the received ephemeral public key \((CT_{P},ek_{T})\) is the one sent in the \(i\)-th session of \(U_A\) (so that \(ek_{T} = ek^*\)), \(\mathcal {S}\) computes \(CT_{\bar{P}}\) and the session key \(SK\) obeying the protocol except that \(K_{T} = K^*\), returns the ephemeral public key \((CT_{\bar{P}},CT^*)\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT^*))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {S}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  3. \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not recorded, \(\mathcal {S}\) records the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as not completed. Else if \(P = A\) and the session is the \(i\)-th session of \(U_A\), \(\mathcal {S}\) computes the session key \(SK\) obeying the protocol except that \(K^*_{T} = K^*\), and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {S}\) computes the session key \(SK\) obeying the protocol, and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as the completed session and \(SK\) in the list \(\mathcal {L}_{SK}\).

  4. \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

     (a) If the session \(\mathsf {sid}\) is not completed, \(\mathcal {S}\) returns an error message.

     (b) Otherwise, \(\mathcal {S}\) returns the recorded value \(SK\).

  5. \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {S}\) responds with the ephemeral secret key and the intermediate computation results of \(\mathsf {sid}\) as in the definition. Note that the \(\mathsf {SessionStateReveal}\) query is not posed to the test session by the freshness definition.

  6. \(\mathsf {Corrupt}(U_P)\): \(\mathcal {S}\) responds with the static secret key and all unerased session states of \(U_P\) as in the definition.

  7. \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {S}\) responds to the query as in the definition.

  8. If \(\mathcal {A}\) outputs a guess \(b'\), \(\mathcal {S}\) outputs \(b'\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {S}\) is the same as the experiment \(\mathbf{H}_2\) if the challenge key \(K^*\) is the key actually encapsulated in \(CT^*\). Otherwise (\(K^*\) is a random element of \(\mathcal {KS}\)), the simulation by \(\mathcal {S}\) is the same as the experiment \(\mathbf{H}_3\). Also, \(K^*_{T}\) has \(\kappa \)-min-entropy in both experiments because \((\mathsf {wKeyGen}, \mathsf {wEnCap}, \mathsf {wDeCap})\) is a \(\kappa \)-min-entropy KEM. Thus, if the advantage of \(\mathcal {S}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_3) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_2)| \le negl\).

Hybrid experiment \(\mathbf{H}_4\): In this experiment, the computation of \(K'^*_{3}\) in the test session is changed. Instead of computing \(K'^*_{3} \leftarrow KDF(s, K^*_{T})\), \(K'^*_{3} \in \mathcal {FS}\) is chosen uniformly at random.

Since \(K^*_{T}\) is chosen uniformly at random in \(\mathbf{H}_3\), it has sufficient min-entropy. Thus, by the definition of the KDF, \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_4) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_3)| \le negl\).

Hybrid experiment \(\mathbf{H}_5\): In this experiment, the computation of \(SK\) in the test session is changed. Instead of computing \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,G_{{K'_{3}}}(\mathsf {ST})\), it is computed as \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,x\), where \(x \in \{0,1\}^\kappa \) is chosen uniformly at random. We suppose that \(U_B\) is the intended partner of \(U_A\) in the test session.

We construct a distinguisher \(\mathcal {D'}\) between the PRF \(F^* : \{0,1\}^* \times \mathcal {FS}\rightarrow \{0,1\}^\kappa \) and a random function \(RF\) from \(\mathcal {A}\) in \(\mathbf{H}_4\) or \(\mathbf{H}_5\). \(\mathcal {D'}\) performs the following steps.

Setup \(\mathcal {D'}\) chooses PRFs \(F,F': \{0,1\}^* \times \mathcal {FS}\rightarrow \mathcal {RS}_E\), sets \(G = F^*\), where \(\mathcal {FS}\) is the key space of the PRFs, and chooses a KDF \(KDF : Salt \times \mathcal {KS}\rightarrow \mathcal {FS}\) with a non-secret random salt \(s \in Salt\). These are provided as part of the public parameters. \(\mathcal {D'}\) also sets the master public and secret keys and all \(N\) users' static secret keys: \(\mathcal {D'}\) selects \(r \in \mathcal {RS}_G\) and generates the master public and secret keys \((mpk,msk) \leftarrow \mathsf{MKeyGen}(1^\kappa , r)\), where \(\mathcal {RS}_G\) is the randomness space of \(\mathsf{MKeyGen}\). Then, for each party \(U_P\), \(\mathcal {D'}\) selects \(\sigma _P \in _R \mathcal {FS}\), \(\sigma _P' \in _R \{0,1\}^\kappa \) and \(r'\) from the randomness space of \(\mathsf {KeyDer}\), and runs the key derivation algorithm \(dk_{P} \leftarrow \mathsf {KeyDer}(mpk,msk,U_P,r')\). Party \(U_P\)'s static secret key is \((dk_{P},\sigma _P, \sigma _P')\). The master key \(msk\) is given to \(\mathcal {A}\).

Simulation \(\mathcal {D'}\) maintains the list \(\mathcal {L}_{SK}\) that contains the queries and answers of \(\mathsf {SessionKeyReveal}\). \(\mathcal {D'}\) simulates the oracle queries of \(\mathcal {A}\) as follows.

  1. 1.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}})\): \(\mathcal {D'}\) computes the ephemeral public key \((CT_{P},ek_{T})\) obeying the protocol, returns it and records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}))\).

  2. 2.

    \(\mathsf {Send}(\Pi , \mathcal {R}, U_{\bar{P}}, U_P, (CT_{P},ek_{T}))\): If \(P = A\) and the session is partnered with the \(i\)-th session of \(U_A\), \(\mathcal {D'}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) obeying the protocol and returns it, queries its oracle (i.e., \(F^*\) or a random function \(RF\)) with \(\mathsf {ST}\) to obtain \(x \in \{0,1\}^\kappa \), computes the session key \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,x\), records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as completed, and stores \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {D'}\) computes the ephemeral public key \((CT_{\bar{P}},CT_{T})\) and the session key \(SK\) obeying the protocol, returns the ephemeral public key, records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as completed, and stores \(SK\) in \(\mathcal {L}_{SK}\).

  3. 3.

    \(\mathsf {Send}(\Pi , \mathcal {I}, U_P, U_{\bar{P}}, (CT_{P},ek_{T}), (CT_{\bar{P}},CT_{T}))\): If the session \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) is not recorded, \(\mathcal {D'}\) records it as not completed. Else if \(P = A\) and the session is the \(i\)-th session of \(U_A\), \(\mathcal {D'}\) queries its oracle (i.e., \(F^*\) or a random function \(RF\)) with \(\mathsf {ST}\) to obtain \(x \in \{0,1\}^\kappa \), computes the session key \(SK = G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\,\oplus \,x\), records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as completed, and stores \(SK\) in the list \(\mathcal {L}_{SK}\). Otherwise, \(\mathcal {D'}\) computes the session key \(SK\) obeying the protocol, records \((\Pi , U_P, U_{\bar{P}}, (CT_{P},ek_{T}),\,(CT_{\bar{P}},CT_{T}))\) as completed, and stores \(SK\) in \(\mathcal {L}_{SK}\).

  4. 4.

    \(\mathsf {SessionKeyReveal}(\mathsf {sid})\):

    1. (a)

      If the session \(\mathsf {sid}\) is not completed, \(\mathcal {D'}\) returns an error message.

    2. (b)

      Otherwise, \(\mathcal {D'}\) returns the recorded value \(SK\).

  5. 5.

    \(\mathsf {SessionStateReveal}(\mathsf {sid})\): \(\mathcal {D'}\) responds with the ephemeral secret key and the intermediate computation results of \(\mathsf {sid}\) as specified in the definition. Note that a \(\mathsf {SessionStateReveal}\) query cannot be posed to the test session, by the freshness definition.

  6. 6.

    \(\mathsf {Corrupt}(U_P)\): \(\mathcal {D'}\) responds with the static secret key and all unerased session states of \(U_P\) as specified in the definition.

  7. 7.

    \(\mathsf {Test}(\mathsf {sid})\): \(\mathcal {D'}\) responds to the query as specified in the definition.

  8. 8.

    If \(\mathcal {A}\) outputs the guess \(b' = 0\), \(\mathcal {D'}\) outputs that the oracle is the PRF \(F^*\). Otherwise, \(\mathcal {D'}\) outputs that the oracle is a random function \(RF\).

Analysis For \(\mathcal {A}\), the simulation by \(\mathcal {D'}\) is identical to the experiment \(\mathbf{H}_4\) if the oracle is the PRF \(F^*\); otherwise, it is identical to the experiment \(\mathbf{H}_5\). Thus, if the advantage of \(\mathcal {D'}\) is negligible, then \(|{\mathbf {Adv}}(\mathcal {A},\mathbf{H}_5) - {\mathbf {Adv}}(\mathcal {A},\mathbf{H}_4)| \le negl\).

In \(\mathbf{H}_5\), the session key of the test session is perfectly randomized, so \(\mathcal {A}\) cannot obtain any advantage from the \(\mathsf {Test}\) query.

Therefore, \({\mathbf {Adv}}(\mathcal {A},\mathbf{H}_5) = 0\), and \(\Pr [E_{5} \wedge Suc]\) is negligible.
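The following is an added example and not code from the paper: it instantiates the test-session key derivation of \(\mathbf{H}_4\) and \(\mathbf{H}_5\) together with the two oracle worlds in which \(\mathcal {D'}\) may be placed. HMAC-SHA256 stands in for the PRF \(G = F^*\) and for the KDF with its public salt \(s\), \(\kappa = 256\), and a fixed byte string stands in for the transcript \(\mathsf {ST}\); all of these are assumptions of the example, since the paper leaves the primitives abstract. It checks the two facts the Analysis relies on: with the PRF oracle \(\mathcal {D'}\) reproduces the \(\mathbf{H}_4\) key exactly, and with a lazily sampled random function it produces the \(\mathbf{H}_5\) key consistently for both sides of the test session, where the residue left after stripping \(G_{{K'_{1}}}(\mathsf {ST})\,\oplus \,G_{{K'_{2}}}(\mathsf {ST})\) is just the oracle's uniform output \(x\).

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict

# Assumptions of this example (not fixed by the paper): kappa = 256 bits, the PRF G = F* is
# instantiated with HMAC-SHA256, and KDF(s, K) is HMAC-SHA256 keyed with the public salt s.
KAPPA_BYTES = 32


def kdf(salt: bytes, k: bytes) -> bytes:
    """KDF : Salt x KS -> FS, applied to a KEM key K with the non-secret salt s."""
    return hmac.new(salt, k, hashlib.sha256).digest()


def prf(key: bytes, st: bytes) -> bytes:
    """G_key(ST): the PRF {0,1}^* x FS -> {0,1}^kappa evaluated on the transcript ST."""
    return hmac.new(key, st, hashlib.sha256).digest()


def xor(*parts: bytes) -> bytes:
    """Bitwise XOR of equal-length kappa-bit strings."""
    out = bytes(KAPPA_BYTES)
    for p in parts:
        assert len(p) == KAPPA_BYTES
        out = bytes(a ^ b for a, b in zip(out, p))
    return out


def h4_session_key(salt: bytes, k1: bytes, k2: bytes, k3p: bytes, st: bytes) -> bytes:
    """Test-session key as computed in H_4: K'_1 = KDF(s, K_1) and K'_2 = KDF(s, K_2) come
    from the two IB-KEM keys, while K'_3 (k3p) is already a uniformly random PRF key."""
    return xor(prf(kdf(salt, k1), st), prf(kdf(salt, k2), st), prf(k3p, st))


class RandomFunction:
    """Lazily sampled random function RF: a fresh input gets a uniform kappa-bit output and a
    repeated input returns the stored value.  D' queries ST once from the responder side and
    once from the initiator side of the test session, so the oracle must be consistent."""

    def __init__(self) -> None:
        self.table: Dict[bytes, bytes] = {}

    def __call__(self, st: bytes) -> bytes:
        if st not in self.table:
            self.table[st] = secrets.token_bytes(KAPPA_BYTES)
        return self.table[st]


def prf_oracle(k3p: bytes) -> Callable[[bytes], bytes]:
    """Oracle access to F* under the hidden key K'_3; D' never sees k3p itself."""
    return lambda st: prf(k3p, st)


def simulated_session_key(oracle: Callable[[bytes], bytes], salt: bytes,
                          k1: bytes, k2: bytes, st: bytes) -> bytes:
    """Steps 2 and 3 of D': it knows K_1 and K_2 (so it derives K'_1 and K'_2 itself), sends
    ST to its oracle to obtain x, and sets SK = G_{K'_1}(ST) xor G_{K'_2}(ST) xor x."""
    x = oracle(st)
    return xor(prf(kdf(salt, k1), st), prf(kdf(salt, k2), st), x)


def run_reduction_demo() -> Dict[str, bool]:
    """One run of the two oracle worlds of D' on constructed inputs."""
    salt = b"public-salt-s"                      # constructed non-secret salt
    k1, k2 = secrets.token_bytes(KAPPA_BYTES), secrets.token_bytes(KAPPA_BYTES)
    k3p = secrets.token_bytes(KAPPA_BYTES)       # the H_4 key K'_3, hidden from D'
    st = b"U_A|U_B|CT_A|ek_T|CT_B|CT_T"          # constructed stand-in for the transcript ST

    sk_h4 = h4_session_key(salt, k1, k2, k3p, st)

    # World 1: the oracle is F* keyed with K'_3.  D' reproduces exactly the H_4 key.
    sk_prf_world = simulated_session_key(prf_oracle(k3p), salt, k1, k2, st)

    # World 2: the oracle is RF.  D' produces the H_5 key: x is uniform and independent of
    # K'_1 and K'_2, and the responder and initiator sides of the test session still agree.
    rf = RandomFunction()
    sk_rf_resp = simulated_session_key(rf, salt, k1, k2, st)
    sk_rf_init = simulated_session_key(rf, salt, k1, k2, st)

    # What an adversary holding K'_1 and K'_2 (e.g. via msk) can strip off the key: in the
    # RF world the residue is the uniform x itself, so SK is uniform from A's point of view.
    residue = xor(sk_rf_resp, prf(kdf(salt, k1), st), prf(kdf(salt, k2), st))

    return {
        "prf_world_equals_H4": sk_prf_world == sk_h4,
        "rf_world_consistent": sk_rf_resp == sk_rf_init,
        "rf_world_differs_from_H4": sk_rf_resp != sk_h4,
        "residue_is_oracle_output": residue == rf(st),
    }


if __name__ == "__main__":
    print(run_reduction_demo())
```

The lazily sampled table in RandomFunction is the part that is easy to get wrong when coding such a reduction: if \(RF\) returned fresh randomness on every call, the responder and initiator sides of the test session would disagree on \(SK\), and \(\mathcal {A}\) could tell the simulation from \(\mathbf{H}_5\) without breaking any primitive.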


Cite this article

Fujioka, A., Suzuki, K., Xagawa, K. et al. Strongly secure authenticated key exchange from factoring, codes, and lattices. Des. Codes Cryptogr. 76, 469–504 (2015). https://doi.org/10.1007/s10623-014-9972-2
