9 bytes removed, 5 years ago
* <span>'''Send(<math>\Pi^S_i,m</math>)/(<math>U_i,m</math>)'''</span> sends a message ''m'' to the instance <math>\Pi^S_i</math>. We assume that ''m'' contains information to identify the sender <math>U_j</math>. <math>\mathcal{A}</math> will receive the execution transcript. Specifically, by sending <math>plist</math> messages it forces <math>U_i</math> to initiate <math>\Pi^S_i</math>.
* <span>'''SKE(<math>\Pi^S_i, spid_i</math>)''': asks <math>\Pi^S_i</math> to compute the subgroup key for the <math>spid_i</math> subsession. In response, <math>\Pi^S_i</math> will either send a message or compute the subgroup key <math>k_{spid_i}</math> depending on the state of <math>\Pi^S_i</math>. This can be invoked only once per input.
* <span>'''RevealGK(<math>\Pi^S_i</math>)}''': <math>\Pi^S_i</math> gives <math>sk_i</math> to <math>\mathcal{A}_a</math> if it has accepted (as defined in Definition III.3).
* <span>'''RevealSK(<math>\Pi^S_i, T</math>)''': <math>\Pi^S_i</math> gives the <math>subk^T_i</math> to <math>\mathcal{A}_a</math> if it has been computed for subsession ''T''.
* <span>'''Corrupt(<math>U_i</math>)'''</span>: <math>U_i</math> gives its long term secret key to <math>\mathcal{A}_a</math> (but not the session key).
'''Definition VI.3''' An ''AKE Adversary for the join key agreement'' <math>\mathcal{A}_{join}</math> is a probabilistic polynomial time algorithm (ppt) which can invoke all the functions given above with a
condition that the TestSK TestGK is invoked '''at least once''' against a fresh instance <math>\Pi^S_i</math> which stays fresh until the end of the game. The game ends when <math>\mathcal{A}_{join}</math> outputs its guess for ''b''. We say a key exchange protocol is secure if the following function is negligible:
===Forward Secrecy Adversary===
We do not define an independent forward secrecy adversary. Forward secrecy can be derived by resistance against the confidentiality adversary as well incorporating a forward secure key exchange as described in [GBN10]. The adversaries of Definition VI.3 and VI.4, are able to ''Corrupt'' users after the communication of DH secrets. Therefore they can trivially break an AKE which without forward secrecy. In this sense, the resistance against forward secrecy adversary is included in AKE adversarial model.
===Deniability Adversary===
To this end each member <math>U_i</math> compute <math>z_i := GroupEnc(k_{i,j} for j \in \{1,...,n\}, z'_i)</math> and broadcast <math>z_i</math> on <math>\mathcal{C}</math>. Later on when <math>U_i</math> receives all <math>z_j</math>. It recovers all secrets <math>z'_i</math> by computing <math>GroupDec(k_{i,j} for j \in \{1,...,n\}, z'_i)</math>.
===(n+1)nsec sec key exchange vs original Flexible Group Key Exchange of [ACMP10]===Although in higher level view of (n+1)nsec sec we generalized the process of key exchange using ''GroupEnc''/''GroupDec'' abstraction, at lower level our choice of primitive for this functions make the group key computation processes of ''(n+1)sec'' and the original key exchange algorithm the same. Hence, the steps marked pink in Algorithm 1, only differ in from [ACMP10] but not in result.
(n+1)run a deniable mutual authentication protocol along side with the key exchange protocol, this results in communicating extra key confirmation data along side of other data exchanged during the course of running the protocol. As we will show in the proof, these data has effect on the usual run of the algorithm.