We prove Theorem 3.1 using techniques similar to those of [19]. We define a series of hybrid experiments. In each experiment, we modify the way session keys are chosen for the instances involved in protocol execution. We start by choosing random session keys for instances for which the Execute oracle is called. Then, we continue to choose random session keys for instances for which the Send oracle is called. These instances are gradually changed over five hybrid experiments, and in the last experiment all the session keys are selected uniformly at random, so the adversary \mathcal{A} cannot distinguish them from random numbers. We denote these hybrid experiments by P_{0}, P_{1}, \ldots, P_{4}, and by Adv(\mathcal{A}, P_{i}) the advantage of \mathcal{A} when participating in experiment P_{i}.
Experiment P_{0}
This describes the real adversary attack. During the attack, the adversary \mathcal{A} makes a number of oracle calls (Send, Execute, and Test) as specified in Section 2. In addition, the adversary \mathcal{A} has access to four independent random oracles
H:{\left\{0,1\right\}}^{*}\to {Z}_{n},{H}_{1},{H}_{2},{H}_{3}:{\left\{0,1\right\}}^{*}\to {\left\{0,1\right\}}^{k}.
Each random oracle H_{i} (or H) maintains a list of input-output pairs (q_{0}, r_{0}), (q_{1}, r_{1}), \ldots. On a new input q, H_{i} (or H) checks if q was queried before. If there exists q_{i} in the list such that q = q_{i}, then the random oracle returns the corresponding r_{i} as its reply. If q is not in the list, the random oracle chooses a random number r, returns r as its reply, and adds the pair (q, r) to its list. It is clear that Adv(\mathcal{A}) = Adv(\mathcal{A}, P_{0}).
Experiment P_{1}
In this experiment, the Execute oracle is modified so that the session keys of instances for which Execute is called are selected uniformly at random, that is, if the oracle Execute (C^{i}, G^{j}) is called, then the session key sk is set equal to a random number selected from {0, 1}^{k}, rather than the output of the random oracle H_{3}. The following lemma shows that modifying the Execute oracle in this way affects the advantage of \mathcal{A} by a negligible value.
Lemma Appendix A.1
For every polynomial-time adversary \mathcal{A} making Q_{execute} oracle calls of type Execute,
Adv(\mathcal{A}, P_{1}) - Adv(\mathcal{A}, P_{0}) \le 2Q_{execute}\,Adv^{rsa}(O(t)) + Q_{execute}Q_{oh}/\varphi(n),
where Q_{oh} denotes the number of random oracle calls, and t is the running time of \mathcal{A}.
Proof. We prove this lemma by showing how any advantage that \mathcal{A} has in distinguishing P_{1} from P_{0} can be used to break RSA. In experiment P_{0}, the session key is the output of the random oracle H_{3} on the input (b_{1}, b_{2}, ID), where ID is the concatenation of all the exchanged messages. If the adversary does not know b_{1} and b_{2}, she cannot distinguish the output of H_{3} from a random number uniformly selected from {0, 1}^{k}. Hence, the adversary \mathcal{A} can distinguish P_{1} and P_{0} if and only if \mathcal{A} can recover the integers b_{1} and b_{2}. Let {p}_{{b}_{1}}\left({p}_{{b}_{2}}\right) denote the probability that \mathcal{A} recovers the integer b_{1} (b_{2}).
For an easier analysis, we let the adversary win if she recovers the integer b_{2}. To bound p_{b_{2}}, we consider the following two games G_{1} and G_{2}.
Game G_{1}
The adversary \mathcal{A} carries out an honest execution between the instances C^{i} and G^{j} as in the protocol description. When the game ends, the adversary \mathcal{A} outputs her guess of the integer b_{2}.
Game G_{2}
This game is similar to game G_{1} except that we use private oracles when we compute w, μ, and η.
Let p_{b_{2}}(G_{1}) denote the probability that \mathcal{A} makes a correct guess of b_{2} in game G_{1}. Likewise, let p_{b_{2}}(G_{2}) denote the probability that \mathcal{A} makes a correct guess of b_{2} in game G_{2}. It is clear that p_{b_{2}} = p_{b_{2}}(G_{1}). Let AskH denote the event that \mathcal{A} queries random oracle H on (pw, x_{2}, C, G, n, e, n', e', r_{1}, r_{2}, y_{2}). Let AskH_{1,2} denote the event that \mathcal{A} queries random oracle H_{1} on (x_{1}, C, G, n, e, n', e', r_{1}, r_{2}, y_{2}, z, c_{1}) or H_{2} on (x_{1}, C, G, n, e, n', e', r_{1}, r_{2}, y_{2}, z, c_{1}, c_{2}), while AskH does not happen.
Then, we have
\begin{array}{c} p_{b_{2}}(G_{1}) - p_{b_{2}}(G_{2}) \le \Pr[AskH] + \Pr[AskH_{1,2}], \\ p_{b_{2}}(G_{1}) \le \Pr[AskH] + \Pr[AskH_{1,2}] + p_{b_{2}}(G_{2}). \end{array}
Let Q_{oh} denote the number of random oracle calls to H_{1} and H_{2} made by \mathcal{A}. In the following, we bound the probabilities of the events AskH and AskH_{1,2}, and also show that p_{b_{2}}(G_{2}) \le Adv^{rsa}(O(t)).
Given an RSA public key (n, e) and an integer c \in_{R} Z_{n}, we construct an efficient algorithm \mathcal{C} to decrypt c as follows: algorithm \mathcal{C} runs the adversary \mathcal{A} exactly as in game G_{2}, except that when simulating the authentication server, \mathcal{C} first chooses two random numbers x, x' \in Z_{n}^{*}, computes y_{2} = x^{e} \cdot c mod n, and sets z = x'^{e} \cdot c \cdot w mod n, where w is uniformly chosen from Z_{n}^{*}. Finally, when simulating the gateway, \mathcal{C} sets c_{2} to be c. If event AskH happens, which means that \mathcal{A} queries random oracle H on (pw, x_{2}, C, G, n, e, n', e', r_{1}, r_{2}, y_{2}) where x_{2}^{e} = x^{e} \cdot c mod n, then we can decrypt c as x_{2}/x mod n. If event AskH does not happen, then z is a random number from \mathcal{A}'s view; \mathcal{A} can select a random number x' \in Z_{n}^{*} as her guess of x_{1} and verify the correctness of x' by comparing μ (or η). Then,
\begin{array}{c} \Pr[AskH] = Adv_{\mathcal{C}}^{rsa}(O(t)) \le Adv^{rsa}(O(t)), \\ \Pr[AskH_{1,2}] = Q_{oh}/\varphi(n). \end{array}
Similarly, if \mathcal{A}'s output (denoted by b_{2}) in game G_{2} is correct, then b_{2} is the decryption of c.
p_{b_{2}}(G_{2}) = Adv_{\mathcal{C}}^{rsa}(O(t)) \le Adv^{rsa}(O(t)), \qquad p_{b_{2}} \le 2Adv^{rsa}(O(t)) + Q_{oh}/\varphi(n).
Assume that \mathcal{A} makes Q_{execute} oracle calls of type Execute in the hybrid experiment P_{1}; then
Adv(\mathcal{A}, P_{1}) - Adv(\mathcal{A}, P_{0}) \le 2Q_{execute}\,Adv^{rsa}(O(t)) + Q_{execute}Q_{oh}/\varphi(n).
Before we present the experiments P_{2}, P_{3}, and P_{4}, we describe the Send oracles that an active adversary \mathcal{A} uses.

Send_{0}(C^{i}): the instance C^{i} selects a pair of RSA public/private keys (e, d, n) and a random number r_{1} ∈ {0, 1}^{k}. It returns (C, n, e, r_{1}) to the adversary \mathcal{A}.

Send_{1}(G^{j}, C, n, e, r_{1}): the instance G^{j} selects a pair of RSA public/private keys (e', d', n') and sends (C, n, e, n', e', r_{1}) to the server. G^{j} obtains (r_{2}, z, y_{2}) as the reply of the server. It returns (n', e', r_{2}, z, y_{2}) to the adversary \mathcal{A}.

Send_{2}(C^{i}, n', e', r_{2}, z, y_{2}): the instance C^{i} verifies that n' is big enough, i.e., n' > 1023. Then, C^{i} selects a random number b_{1} \in Z_{n'}^{*}, decrypts x_{2} = y_{2}^{d} mod n, computes w using her password pw and x_{2}, and checks whether w and n are relatively prime. If gcd(w, n) = 1, C^{i} decrypts x_{1} = (w^{-1} \cdot z)^{d} mod n and computes c_{1} = b_{1}^{e'} mod n'. Finally, C^{i} computes μ = H_{1}(x_{1}, C, G, n, e, n', e', r_{1}, r_{2}, y_{2}, z, c_{1}) and returns (c_{1}, μ) to the adversary \mathcal{A}.

Send_{3}(G^{j}, c_{1}, μ): the instance G^{j} selects a random number b_{2} \in Z_{n}^{*}, computes c_{2} = b_{2}^{e} mod n, and sends (c_{1}, c_{2}, μ) to the server S. G^{j} obtains η as the reply of the server. It decrypts b_{1} = c_{1}^{d'} mod n' and sets the session key sk = H_{3}(b_{1}, b_{2}, ID), where ID is the concatenation of all the exchanged messages. It returns (η, c_{2}) to the adversary \mathcal{A}.

Send_{4}(C^{i}, η, c_{2}): the instance C^{i} checks whether η is valid. If η is invalid, it rejects. Otherwise, it decrypts b_{2} = c_{2}^{d} mod n and computes sk = H_{3}(b_{1}, b_{2}, ID), where ID is the concatenation of all the exchanged messages.
A message is said to have been oracle-generated if it was output by an instance; otherwise, it is said to have been adversarially-generated. A message generated by instance U^{i} is said to have been U^{i}-oracle-generated.
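As an added illustration (not code from the paper), the following Python simulation runs the Send_{0} through Send_{4} steps above for one honest client, gateway and server on toy RSA moduli: the server computes y_{2} = x_{2}^{e} mod n and z = x_{1}^{e} \cdot w mod n as in the proof of Lemma A.1, the four random oracles are modelled by one domain-separated SHA-256, and the server's verification of μ and its resampling of x_{2} until gcd(w, n) = 1 are my assumptions. The two sides derive the same sk only when the client's password matches the server's.

```python
import hashlib, math, secrets

# Toy RSA moduli keep the run instant; real deployments use 1024-bit or larger n.
C, G = "client", "gateway"

def rsa_keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)                # (n, e, d); needs gcd(e, phi) = 1

def oracle(tag, *parts):
    # H, H1, H2, H3 modelled as one domain-separated SHA-256 (assumption)
    data = tag.encode() + b"|" + "|".join(map(str, parts)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def rand_unit(n):
    while True:                                 # uniform element of Z_n^*
        x = secrets.randbelow(n - 1) + 1
        if math.gcd(x, n) == 1:
            return x

def server(pw, n, e, n_, e_, r1):
    # S knows pw; y2 = x2^e and z = x1^e * w follow the proof of Lemma A.1.
    r2, x1, w = secrets.randbits(128), rand_unit(n), 0
    while math.gcd(w, n) != 1:                  # resample until w is a unit (assumption)
        x2 = rand_unit(n)
        y2 = pow(x2, e, n)
        w = oracle("H", pw, x2, C, G, n, e, n_, e_, r1, r2, y2) % n
    z = pow(x1, e, n) * w % n
    ctx = (C, G, n, e, n_, e_, r1, r2, y2, z)
    def check(c1, c2, mu):                      # S verifies mu, then answers eta
        ok = mu == oracle("H1", x1, *ctx, c1)
        return oracle("H2", x1, *ctx, c1, c2) if ok else None
    return (r2, z, y2), check

def run_protocol(pw_client, pw_server):
    n, e, d = rsa_keygen(1009, 1013)            # Send_0: C picks (n, e, d) and r1
    r1 = secrets.randbits(128)
    n_, e_, d_ = rsa_keygen(1019, 1021)         # Send_1: G picks (n', e', d'), asks S
    (r2, z, y2), s_check = server(pw_server, n, e, n_, e_, r1)
    b1, x2 = rand_unit(n_), pow(y2, d, n)       # Send_2: C recovers x2, derives w
    w = oracle("H", pw_client, x2, C, G, n, e, n_, e_, r1, r2, y2) % n
    if n_ <= 1023 or math.gcd(w, n) != 1:       # the paper's two client-side checks
        return None, None
    x1 = pow(pow(w, -1, n) * z % n, d, n)       # x1 = (w^{-1} z)^d mod n
    c1 = pow(b1, e_, n_)
    mu = oracle("H1", x1, C, G, n, e, n_, e_, r1, r2, y2, z, c1)
    b2 = rand_unit(n)                           # Send_3: G picks b2, gets eta from S
    c2 = pow(b2, e, n)
    eta = s_check(c1, c2, mu)
    ID = (C, n, e, r1, n_, e_, r2, z, y2, c1, mu, eta, c2)
    sk_G = oracle("H3", pow(c1, d_, n_), b2, *ID)
    if eta != oracle("H2", x1, C, G, n, e, n_, e_, r1, r2, y2, z, c1, c2):
        return None, sk_G                       # Send_4: C rejects an invalid eta
    return oracle("H3", b1, pow(c2, d, n), *ID), sk_G
```

`run_protocol(pw, pw)` returns two equal keys; with a mismatched password the client's x_{1} is wrong, the server refuses η, and the client returns no key.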
Experiment P_{2}
In this experiment, an instance G^{j} receives a C^{i}-oracle-generated message (C, n, e, r_{1}) in a Send_{1} oracle call. If both C^{i} and G^{j} accept, they are given the same random session key sk ∈ {0, 1}^{k}; if G^{j} accepts but C^{i} does not accept, then only G^{j} receives a random session key, and no session key is defined for C^{i}.
Lemma Appendix A.2
For every polynomial-time adversary \mathcal{A} making Q_{send} oracle calls of type Send to different instances,
Adv(\mathcal{A}, P_{2}) - Adv(\mathcal{A}, P_{1}) \le 2Q_{send}\,Adv^{rsa}(O(t)),
where t is the running time of \mathcal{A}.
Proof. Assume that G^{j} returns (G, n', e', r_{2}, z, y_{2}) to the adversary according to the description of the protocol after receiving a C^{i}-oracle-generated message (C, n, e, r_{1}) in a Send_{1} oracle call. Since the RSA public key (e, n) was generated by C^{i}, not by \mathcal{A}, the private key d is not known to \mathcal{A}. As shown in the proof of Lemma A.1, the probability for \mathcal{A} to recover the random number x_{1} is upper bounded by Adv^{rsa}(O(t)). Hence, except with probability as small as Adv^{rsa}(O(t)), G^{j} has received a C^{i}-oracle-generated message in a Send_{3} oracle call when G^{j} accepts. Similarly, if C^{i} accepts, then it has received a G^{j}-oracle-generated message in a Send_{4} oracle call. If both C^{i} and G^{j} accept, then they share the same session key, which is equal to the output of the random oracle H_{3} on (b_{1}, b_{2}, ID), where ID is the concatenation of all the exchanged messages. Hence, the modification of the session keys of C^{i} and G^{j} affects the adversary's advantage by a value as small as Adv^{rsa}(O(t)). Since \mathcal{A} makes Q_{send} oracle calls of type Send to different instances, \mathcal{A}'s advantage in distinguishing between P_{2} and P_{1} is upper bounded by Q_{send}\,Adv^{rsa}(O(t)).
Experiment P_{3}
In this experiment, an instance C^{i} receives a G^{j}-oracle-generated message (n', e', r_{2}, z, y_{2}) in a Send_{2} oracle call, while the instance G^{j} has received a C^{i}-oracle-generated message (C, n, e, r_{1}) in a Send_{1} oracle call. If both C^{i} and G^{j} accept, then they are given the same random session key sk ∈ {0, 1}^{k}. It is clear that the advantage of \mathcal{A} in P_{3} is the same as its advantage in P_{2}.
Lemma Appendix A.3
For every polynomial-time adversary \mathcal{A} making Q_{send} oracle calls of type Send to different instances,
Adv(\mathcal{A}, P_{3}) = Adv(\mathcal{A}, P_{2}).
Experiment P_{4}
In this experiment, we consider an instance C^{i} (or G^{j}) that receives an adversarially-generated message in a Send_{2} (or Send_{1}) oracle call. In this case, if C^{i} (or G^{j}) accepts, then the experiment is halted, and the adversary is said to have succeeded. This certainly improves the probability of success of the adversary.
Lemma Appendix A.4
For every polynomial-time adversary \mathcal{A} making Q_{send} oracle calls of type Send to different instances,
Adv(\mathcal{A}, P_{3}) = Adv(\mathcal{A}, P_{4}).
At this point, we have given random session keys to all the accepted instances that receive Execute or Send oracle calls. We next proceed to bound the adversary's success probability in P_{4}. The following lemma shows that the adversary's success probability in the experiment P_{4} is negligible.
Lemma Appendix A.5
For every polynomial-time adversary \mathcal{A} making Q_{send} oracle calls of type Send to different instances, with Q_{send} \le \left|\mathcal{D}\right|,
Adv(\mathcal{A}, P_{4}) \le \frac{2Q_{send}}{\left|\mathcal{D}\right|} + 2Q_{send}\,Adv^{rsa}(O(t)) + \frac{2Q_{send}Q_{oh}}{\varphi(n)} + \frac{Q_{send}}{2^{k-1}} + \frac{Q_{send}}{2^{79}},
where Q_{oh} denotes the number of random oracle calls, and t is the running time of \mathcal{A}.
Proof. Let Q_{send_{1}} and Q_{send_{2}} denote the number of Send_{1} and Send_{2} oracle calls made by the adversary in experiment P_{4}, respectively. We consider the following two cases:
Case 1: Consider an instance C^{i} that receives an adversarially-generated message (n', e', r_{2}, z, y_{2}) in a Send_{2} oracle call. Assume that C^{i} returned (n, e, r_{1}) in a Send_{0} oracle call. After receiving (n', e', r_{2}, z, y_{2}), C^{i} first decrypts y_{2} to obtain x_{2}, then queries the random oracle H on (pw, x_{2}, C, G, n, e, n', e', r_{1}, r_{2}, y_{2}) and receives w from H. Without loss of generality, we assume that gcd(w, n) = 1. Then, C^{i} computes x_{1} = (w^{-1} \cdot z)^{d} mod n and c_{1} = b_{1}^{e'} mod n', where b_{1} \in Z_{n'}^{*}. C^{i} queries H_{1} on (x_{1}, C, G, n, e, n', e', r_{1}, r_{2}, y_{2}, z, c_{1}) and returns the reply (denoted by μ) to the adversary \mathcal{A}. To succeed in this case, \mathcal{A} must generate a number η equal to the output of the random oracle H_{2} on (x_{1}, C, G, n, e, n', e', r_{1}, r_{2}, y_{2}, z, c_{1}, c_{2}). Without knowledge of x_{1}, the probability that \mathcal{A} generates η is just 2^{-k}. Let p_{x_{1}} denote the probability that \mathcal{A} recovers the integer x_{1}. The adversary's success probability in this case is bounded by
\Pr[Succ] \le Q_{send_{2}}\left(p_{x_{1}} + 2^{-k}\right).
If z was selected by \mathcal{A} uniformly at random from Z_{n}^{*}, then, similarly to the proof of Lemma A.1, we can prove that p_{x_{1}} is bounded by
{p}_{{x}_{1}}\le Ad{v}^{rsa}\left(O\left(t\right)\right)+\frac{{Q}_{oh}}{\varphi \left(n\right)}.
Next, assume that z was generated by \mathcal{A} as follows: \mathcal{A} selected two random numbers x_{1}, x_{2} \in Z_{n}^{*} as well as a candidate password pw' \in \mathcal{D}, queried the random oracle H on (pw', x_{2}, C, G, n, e, n', e', r_{1}, r_{2}, y_{2}) and received the reply w, and then computed z = x_{1}^{e} \cdot w mod n. In this scenario, if \mathcal{A} guessed the correct password pw = pw', then \mathcal{A} succeeds. If \mathcal{A} guessed an invalid password pw ≠ pw', then z can be treated as a random number in Z_{n}^{*}. Hence, we have
p_{x_{1}} \le \frac{1}{\left|\mathcal{D}\right|} + Adv^{rsa}(O(t)) + \frac{Q_{oh}}{\varphi(n)}.
The adversary's success probability in Case 1 is upper bounded by
\Pr[Succ] \le \frac{Q_{send_{2}}}{\left|\mathcal{D}\right|} + Q_{send_{2}}\,Adv^{rsa}(O(t)) + \frac{Q_{send_{2}}Q_{oh}}{\varphi(n)} + \frac{Q_{send_{2}}}{2^{k}}.
Case 2: Consider an instance G^{j} that receives an adversarially-generated message (C, n, e, r_{1}) in a Send_{1} oracle call, where n is an odd integer and e is an odd prime. The instance G^{j} sends (C, n, e, n', e', r_{1}) to the server. The server replies (r_{2}, z) according to the protocol description. To succeed in this case, \mathcal{A} must send back a number μ equal to the output of the random oracle H_{1} on (x_{1}, C, G, n, e, n', e', r_{1}, r_{2}, z, c_{1}). Without knowledge of x_{1}, the probability that \mathcal{A} generates μ is just 2^{-k}. Let p_{x_{1}} denote the probability that \mathcal{A} recovers the integer x_{1}.
Note that (n, e) was generated by \mathcal{A}. If gcd(e, φ(n)) = 1, then \mathcal{A} can compute w = H(pw', x_{2}, C, G, n, e, n', e', r_{1}, r_{2}, y_{2}) using a guessed password pw'. Then the congruence z = x_{1}^{e} \cdot w mod n has a unique solution because gcd(e, φ(n)) = 1. If \mathcal{A} guesses the correct password pw = pw', then \mathcal{A} obtains x_{1} correctly. If \mathcal{A} does not guess the correct password, then \mathcal{A} will not succeed. On the other hand, if gcd(e, φ(n)) ≠ 1, then, since we require that e is an 80-bit prime, the congruence y_{2} = x_{2}^{e} mod n has e solutions. In order to recover the correct x_{1}, the adversary needs to find the correct x_{2}. As shown in Section 3, the probability of finding the correct x_{2} is 1/2^{80}, which is negligible.
Hence, the adversary's success probability in Case 2 is bounded by
\Pr[Succ] \le \frac{Q_{send_{1}}}{\left|\mathcal{D}\right|} + \frac{Q_{send_{1}}}{2^{k}} + \frac{Q_{send_{1}}}{2^{80}}.
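To see the Case 2 argument concretely, the following added Python snippet (not from the paper) counts by brute force, on toy moduli n = pq, how many x_{2} \in Z_{n}^{*} share the same y_{2} = x_{2}^{e} mod n when gcd(e, φ(n)) = 1 versus when the prime e divides φ(n); the function names and the toy parameters are my own choices.

```python
import math
from collections import Counter

def eth_root_profile(p, q, e):
    """For n = p*q, count how many x in Z_n^* share each image y = x^e mod n.

    Returns (gcd(e, phi(n)), set of preimage counts). A set {1} means x -> x^e
    is a bijection, so y_2 pins down x_2 uniquely; a set {e} means every y_2 has
    e candidate values of x_2, which is the situation Case 2 relies on.
    """
    n, phi = p * q, (p - 1) * (q - 1)
    images = Counter(pow(x, e, n) for x in range(1, n) if math.gcd(x, n) == 1)
    return math.gcd(e, phi), set(images.values())

def guess_probability(p, q, e):
    """Chance that a uniform guess among the e-th roots of y_2 is the real x_2.

    With an 80-bit prime e dividing phi(n) this is the 1/2^80 term of Case 2.
    """
    _, counts = eth_root_profile(p, q, e)
    return 1 / max(counts)
```

For p = 11, q = 7 and e = 5 (where 5 divides p - 1) every y_{2} has exactly five e-th roots, so a guess of x_{2} succeeds with probability 1/5; for p = 7, q = 13 and e = 5 the map is a bijection.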
From the above analysis, it can be concluded that the adversary's success probability in experiment P_{4} is upper bounded by
\begin{array}{ll} \Pr[Succ] & \le \frac{Q_{send}}{\left|\mathcal{D}\right|} + Q_{send_{2}}\,Adv^{rsa}(O(t)) + \frac{Q_{send_{2}}Q_{oh}}{\varphi(n)} + \frac{Q_{send}}{2^{k}} + \frac{Q_{send_{1}}}{2^{80}} \\ & \le \frac{Q_{send}}{\left|\mathcal{D}\right|} + Q_{send}\,Adv^{rsa}(O(t)) + \frac{Q_{send_{2}}Q_{oh}}{\varphi(n)} + \frac{Q_{send}}{2^{k}} + \frac{Q_{send}}{2^{80}}. \end{array}
Since Q_{send} \le \left|\mathcal{D}\right|, we have \frac{Q_{send}}{\left|\mathcal{D}\right|} \le 1. Therefore,
\begin{array}{ll} Adv(\mathcal{A}, P_{4}) & = 2\Pr[Succ] - 1 \\ & \le \frac{2Q_{send}}{\left|\mathcal{D}\right|} + 2Q_{send}\,Adv^{rsa}(O(t)) + \frac{2Q_{send}Q_{oh}}{\varphi(n)} + \frac{Q_{send}}{2^{k-1}} + \frac{Q_{send}}{2^{79}}. \end{array}
This completes the proof of Lemma A.5.
By combining Lemma A.1 to Lemma A.5, we get the announced result.