We prove Theorem 3.1 using similar techniques as described in [19]. We define a series of hybrid experiments. In each experiment, we modify the way session keys are chosen for instances involved in protocol execution. We start by choosing random session keys for instances for which the Execute oracle is called. Then, we continue to choose random session keys for instances for which the Send oracle is called. These instances are gradually changed over five hybrid experiments and in the last experiment, all the session keys are selected uniformly at random. Thus, the adversary cannot distinguish them from random numbers. We denote these hybrid experiments by P0, P1, ..., P4 and by the advantage of when participating in experiment P
i
.
Experiment P0
This describes the real adversary attack. During the attack, the adversary makes a number of oracle calls (Send, Execute, and Test) as specified in Section 2. In addition, the adversary has access to four independent random oracles
Each random oracle H
i
(or H) maintains a list of input-output pairs (q0, r0), (q1, r1)···. On a new input q, H
i
(or H) checks if q was queried before. If there exists q
i
in the list such that q = q
i
, then the random oracle returns the corresponding r
i
as its reply. If q is not in the list, the random oracle chooses a random number r, returns r as its reply and adds the pair (q, r) to its list. It is clear that .
Experiment P1
In this experiment, the Execute oracle is modified so that the session keys of instances for which Execute is called are selected uniformly at random, that is, if the oracle Execute (Ci, Gj) is called, then the session key sk is set equal to a random number selected from {0, 1}k, rather than the output of the random oracle H3. The following lemma shows that modifying the Execute oracle in this way affects the advantage of by a negligible value.
Lemma Appendix A.1
For every polynomial-time adversarymaking Q
execute
oracle calls of type Execute,
where Q
oh
denotes the number of random oracle calls, and t is the running time of.
Proof. We prove this lemma by showing how any advantage that has in distinguishing P1 from P0 can be used to break RSA. In experiment P0, the session key is the output of the random oracle H3 on the input (b1, b2, ID), where ID is the concatenation of all the exchanged messages. If the adversary does not know b1 and b2, she cannot distinguish the output of H3 from a random number uniformly selected from {0, 1}k. Hence, the adversary can distinguish P1 and P0 if and only if can recover the integers b1 and b2. Let denote the probability that recovers the integer b1 (b2).
For a easier analysis, we let the adversary win if the adversary recovers the integer b2. To bound , we consider the following two games G1 and G2.
Game G1
The adversary carries out an honest execution between the instances Ciand Gjas the protocol description. When the game ends, the adversary outputs her guess of the integer b2.
Game G2
This game is similar to game G1 except that we use private oracles when we compute w, μ, and η.
Let denote the probability that makes a correct guess of b2 in game G1. Likewise, denote the probability that makes a correct guess of b2 in game G2. It is clear that . Let AskH denote the event that queries random oracle H on (pw, x2, C, G, n, e, n', e', r1, r2, y2). Let AskH1,2 denote the event that queries random oracle H1 on (x1, C, G, n, e, n', e', r1, r2, y2,z, c1) or H2 on (x1, C, G, n, e, n', e', r1, r2, y2, z, c1, c2), while AskH does not happen.
Then, we have
Let Q
oh
denote the number of random oracle calls to H1 and H2 by In the following, we bound the probabilities of events AskH and AskH1,2, and also show that .
Given RSA public key (n, e) and integer c ∈
R
Z
n
, we construct an efficient algorithm to decrypt c as follows: algorithm runs the adversary exactly as in game G2 except that when simulate the authentication server, first chooses two random numbers x, , computes y2 = xe· c mod n, and set z to be z = x'e· c · w mod n, where w is uniformly chosen from . Finally, when simulate the gateway, set c2 to be c. If event AskH happens, which means queries random oracle H on (pw, x2, C, G, n, e, n', e', r1, r2, y2), where mod n, then we can decrypt c by x2/x mod n. If event AskH does not happen, then z is a random number from 's view. can select a random number as her guess on x1 and verifies the correctness of x' by comparing μ (or η). Then,
Similarly, if 's output (denoted by b2) in game G2 is correct, then b2 is the decryption of c.
Assume that makes Q
execute
oracle calls of type Execute in the hybrid experiment P1, then
Before we present the experiments P2, P3, and P4, we describe Send oracles which an active adversary uses.
-
Send0(Ci): the instance Ciselects a pair of RSA public/private keys e, d, n, and a random number r1 ∈ {0, 1}k. It returns C, n, e, and r1 to the adversary .
-
Send1(Gj, C, n, e, r1): the instance Gjselects a pair of RSA public/private keys (e', d', n'), sends (C, n, e, n', e', r1) to the server. Gjobtains (r2, z, y2) as the reply of the server. It returns (n', e', r2, z, y2) to the adversary .
-
Send2(Ci, n', e', r2, z, y2): the instance Civerifies if n' is big enough, i.e., n' > 1023. Then, Ciselects a random number , and decrypts mod n, then computes w using her password pw and x2, checks if w and n are relatively prime. If gcd (w, n) = 1, Cidecrypts x1 = (w-1·z)dmod n, computes mod n'. Finally, Cicomputes μ = H1(x1, C, G, n, e, n', e', r1, r2, y2, z, c1) and returns (c1, μ) to the adversary .
-
Send3(Gj,c1,μ): the instance Gjselects a random number , computes mod n, sends (c1,c2,μ) to S. Gjobtains η as the reply of the server. It decrypts mod n', sets the session key sk = H3(b1, b2, ID), where ID is the concatenation of all the exchanged messages. It returns η and c2 to the adversary .
-
Send4(Ci, η, c2): the instance Cichecks whether η is valid or not. If η is invalid, it rejects. Otherwise, it decrypts mod n, and computes sk = H3(b1, b2, ID), where ID is the concatenation of all the exchanged messages.
A message is said to have been oracle-generated if it was output by an instance; otherwise, it is said to have been adversarially-generated. A message generated by instance Uiis said to have been Ui-oracle-generated.
Experiment P2
In this experiment, an instance Gjreceives a Ci-oracle-generated message (C, n, e, r1) in a Send1 oracle call. If both Ciand Gjaccept, they are given the same random session keys sk ∈ {0, 1}k, and if Gjaccepts but Cidoes not accept, then only Gjreceives a random session key, and no session key is defined for Ci.
Lemma Appendix A.2
For every polynomial-time adversarymaking Q
send
oracle calls of type Send to different instances,
where t is the running time of.
Proof. Assume that Gjreturns (G, n', e', r2, z, y2) to the adversary according to the description of the protocol after receiving a Ci-oracle-generated message (C, n, e, r1) in a Send1 oracle call. Since the RSA public key (e, n) was generated by Ci, not by , the private key d is not known to . As shown in the proof of Lemma A.1, the probability for to recover the random number x1 is upper bounded by Advrsa(O (t)). Hence, except for a probability as small as Advrsa(O (t)), Gjhas received a Ci-oracle-generated message in a Send3 oracle when Gjaccepts. Similarly, if Ciaccepts, then it has received a Gj-oracle-generated message in a Send4 oracle call. If both Ciand Gjaccept, then they share the same session key which is equal to the output of the random oracle H3 on (b1, b2, ID), where ID is the concatenation of all the exchanged messages. Hence, the modification of the session keys of Ciand Gjaffects the adversary's advantage by a value as small as Advrsa(O (t)). Since makes Q
send
oracle calls of type Send to different instances, 's advantage in distinguishing between P2 and P1 is upper bounded by Q
send
Advrsa(O(t)).
Experiment P3
In this experiment, an instance Cireceives a Gj-oracle-generated message (n', e', r2, z, y2) in a Send2 oracle call, while the instance Gjhas received a Ci-oracle-generated message (C, n, e, r1) in a Send1 oracle call. If both Ciand Gjaccept, then they are given the same random session keys sk ∈ {0, 1}k. It is clear that the advantage of in P3 is the same as its advantage in P2.
Lemma Appendix A.3
For every polynomial-time adversarymaking Q
send
oracle calls of type Send to different instances,
Experiment P4
In this experiment, we consider an instance Ci(or Gj) that receives an adversarially-generated message in a Send2 (or Send1) oracle call. In this case, if Ci(or Gj) accepts, then the experiment is halted, and the adversary is said to have succeeded. This certainly improves the probability of success of the adversary.
Lemma Appendix A.4
For every polynomial-time adversarymaking Q
send
oracle calls of type Send to different instances,
At this point, we have given random session keys to all the accepted instances that receive Execute or Send oracle calls. We next proceed to bound the adversary's success probability in P4. The following lemma shows that the adversary's success probability in the experiment P4 is negligible.
Lemma Appendix A.5
For every polynomial-time adversarymaking Q
send
oracle calls of type Send to different instances, Q
send
≤ |D|,
where Q
oh
denotes the number of random oracle calls, and t is the running time of.
Proof. Let and denote the number of Send1 and Send2 oracle calls made by the adversary in experiment P4, respectively. We consider the following two cases:
Case 1: Consider an instance Cireceives an adversarially-generated message (n', e', r2, z, y2) in a Send2 oracle. Assume that Cireturns (n, e, r1) in a Send0 oracle. After receiving (n', e', r2, z, y2), Cifirst decrypts y2 to obtain x2, then queries the random oracle H on (pw, x2, C, G, n, e, n', e', r1, r2, y2) and receives w from H. Without lose of generality, we assume that gcd (w, n) = 1. Then, Cicomputes x1 = (w-1 · z)dmod n and mod n', where . Ciqueries H1 on (x1, C, G, n, e, n', e', r1, r2, y2, z, c1) and returns the reply (denoted by μ) to the adversary . To succeed in this case, must generate a number η which is equal to the output of the random oracle H2 on (x1, C, G, n, e, n', e', r1, r2, y2, z, c1, c2). Without the knowledge of x1, the probability for to generate η is just 2-k. Let denote the probability that can recover the integer x1. The adversary's success probability in this case is bounded by
If z was selected by at random from , then similar to the proof of Lemma A.1, we can prove that is bounded by
Next, assume that z was generated by as follows: selected two random numbers , as well as a candidate password queries the random oracle H on (pw', x2, C, G, n, e, n', e', r1, r2, y2) and receives the reply w, then computed mod n. In this scenario, if guesses the correct password pw = pw', then succeeds. If guesses an invalid password pw ≠ pw', then z can be treated as a random number in . Hence, we have
The adversary's success probability in Case 1 is upper bounded by
Case 2: Consider an instance Gjreceives an adversarially-generated message (C, n, e, r1) in a Send1 oracle, where n is an odd integer, and e is odd prime. The instance Gjsends (C, n, e, n, e, r1) to the server. The server replies (r2, z) according to the protocol description. To succeed in this case, must send back a number μ which is equal to the output of the random oracle H1 on (x1, C, G, n, e, n', e', r1, r2, z, c1). Without the knowledge of x1, the probability for to generate μ is just 2-k. Let denote the probability that can recover the integer x1.
Note that (n, e) was generated by . If gcd (e, ϕ(n)) = 1, then can compute w = H (pw', x2, C, G, n, e, n', e', r1, r2, y2) using a guessing password pw'. Then, congruence mod n has a unique solution because gcd (e, ϕ(n)) = 1. If guesses the correct password pw = pw', then can obtain x1 correctly. If does not guess the correct password, then will not succeed. On the other hand, if gcd (e, ϕ(n)) ≠ 1, since we require that e is an 80-bit prime, then the congruence mod n has e solutions. In order to recover the correct x1, the adversary needs to find out the correct x2. As is shown in Section 3, the probability to find out the correct x2 is 1/280, which is negligible.
Hence, the adversary's success probability in Case 2 is bounded by
From the above analysis, it can be concluded that the adversary's success probability in experiment P4 is upper bounded by
Since Q
send
≤ |D|, we have . Therefore,
This completes the proof of Lemma A.5.
By combining Lemma A.1 to Lemma A.5, we get the announced result.