**Proof.** We can easily verify the protocol correctness: if all the participants follow the protocol description and there is no active adversarial interference, then all checks will succeed and every participant will set the same $\mathsf{pid}$ and $\mathsf{sid}$. Moreover every participant will receive the correct ${\left\{{X}_{j}\right\}}_{j=0}^{n-1}$ and consequently they will be able to compute the same session key ${K}_{0}$.

To illustrate the security of our compiler, we use the “game hopping” technique, where we let the adversary $\mathcal{A}$ interact with a simulator $\mathcal{B}$. We denote by $\mathrm{Adv}(\mathcal{A},{G}_{i})$ the advantage of the adversary in Game $i$. The security parameter is denoted by $\ell$. Further, we denote by ${q}_{e}$ and ${q}_{s}$ the maximum number of queries made by the adversary to the $\mathsf{Execute}$ and $\mathsf{Send}$ oracles, respectively.

Game 0. This game is identical to the original attack game, with all the oracles being simulated as in the real protocol. Therefore,

Game 1. Let $\mathsf{Forge}$ be the event that the adversary succeeds in forging an authenticated message $p{k}_{0},\dots ,p{k}_{n-1},{C}_{0},\dots ,{C}_{n-1},{X}_{i},pi{d}_{i},{\sigma}_{i}$ of at least one party ${U}_{i}$ without having queried $\mathsf{Corrupt}({U}_{i})$, and where the signed values $p{k}_{0},\dots ,p{k}_{n-1},{C}_{0},\dots ,{C}_{n-1},{X}_{i},pi{d}_{i},{\sigma}_{i}$ were not output by a single instance of ${U}_{i}$. Any time this event occurs, we abort and count it as a success for the adversary.

An adversary $\mathcal{A}$ that can achieve $\mathsf{Forge}$ can be used to construct an adversary ${\mathcal{A}}^{\prime}$ that forges a signature in the EUF-CMA game: the given public key is assigned randomly to ${U}_{i}$, one of the users; all other participants are initialized as the protocol indicates; afterwards all the queries in the security game are answered faithfully and when a signature by the chosen user is needed, the signing oracle of the EUF-CMA game is queried to produce it.

The probability of the adversary choosing ${U}_{i}$ when assigning the public key for the signature is at least $1/|\mathcal{U}|$, and with $|\mathcal{U}|$ being of polynomial size, this is non-negligible:

which yields

for a polynomial bound ${\mathrm{poly}}_{\mathsf{Forge}}$ on $|\mathcal{U}|$.

Game 2. This game is exactly as Game 1 except that a session $t$ is chosen uniformly at random. If the $\mathsf{Test}$ query does not occur in the $t$-th session the game aborts, and we count it as a win for the adversary. As the number of active protocol instances is polynomially bounded, we have

for a polynomial bound ${\mathrm{poly}}_{\mathsf{Test}}$ on the number of protocol sessions activated.

Game 3. This game is identical to the previous game, except that the simulation of the $\mathsf{Send}$, $\mathsf{Execute}$ and $\mathsf{Test}$ oracles is modified as follows. The symmetric key ${K}_{0}$ output by $\mathtt{Encaps}(p{k}_{0})$ in the $\mathsf{Test}$ instance ${\Pi}_{0}^{t}$ is replaced with a random key ${K}^{\ast}$ chosen from ${\{0,1\}}^{\ell}$.

In order to bound the difference in the advantages between Games 2 and 3, we will build, from an adversary $\mathcal{A}$ able to distinguish between both games, an adversary $\mathcal{B}$ attacking the key encapsulation mechanism $\mathcal{E}$ such that

where ${\mathrm{Adv}}_{\mathcal{B}}^{\mathrm{IND}-\mathrm{CCA}}(\ell )$ denotes the advantage of a probabilistic polynomial time adversary $\mathcal{B}$ attacking $\mathcal{KEM}$. To establish this bound, we assume that $\mathcal{B}$, which runs $\mathcal{A}$ as an auxiliary algorithm, can access a simulation of $\mathcal{KEM}$. Further, $\mathcal{B}$ executes the key generation algorithm of $\mathcal{S}$ for each user ${U}_{i}$, thus obtaining a pair of keys $(v{k}_{i},sig{k}_{i})$ for the signature scheme. Adversary $\mathcal{B}$ also executes the key generation algorithm of $\mathcal{KEM}$ for user ${U}_{0}$, and obtains the public keys corresponding to users ${U}_{1},\dots ,{U}_{n}$. Our adversary $\mathcal{B}$ obtains a challenge $({C}^{\ast},{K}_{0},{K}_{1})$ as described in Definition 1, and we have to describe how $\mathcal{B}$ answers $\mathcal{A}$’s queries:

Whenever a query $\mathsf{Corrupt}({U}_{i})$ is made by $\mathcal{A}$, $\mathcal{B}$ generates the keys for the signature and returns $sig{k}_{i}$ as answer to $\mathcal{A}$.

To answer a $\mathsf{Send}$ query for Round 2 involving ${U}_{0}$, $\mathcal{B}$ uses the challenge encapsulation ${C}^{\ast}$. The rest of the answers are generated as in a real execution of the protocol.

To answer an $\mathsf{Execute}$ query by $\mathcal{A}$, our adversary $\mathcal{B}$ modifies the messages as described for the simulation of the $\mathsf{Send}$ oracle.

A $\mathsf{Reveal}$ query by $\mathcal{A}$ is answered in a similar way as a $\mathsf{Send}$ or $\mathsf{Execute}$ query. Notice that a $\mathsf{Reveal}$ query cannot be made on the $t$-th session or any partnered instance. To answer any other $\mathsf{Reveal}$ query, $\mathcal{B}$ uses the decapsulation oracle of its IND-CCA game.

Finally, to answer a $\mathsf{Test}$ query, a bit ${b}^{\prime}$ is chosen by $\mathcal{B}$ when starting the simulation. $\mathcal{B}$ will return the key ${K}_{{b}^{\prime}}$ received from the KEM challenger to $\mathcal{A}$.

At some point $\mathcal{A}$ will output a bit $b''$ as a guess for ${b}^{\prime}$, which will determine the output $b$ of $\mathcal{B}$ for the KEM challenge. Specifically, $\mathcal{B}$ outputs $b=0$ if and only if ${b}^{\prime}=b''$. Taking into account that the view of $\mathcal{A}$ is identical to Game 2 if the answers of $\mathcal{B}$’s simulation of $\mathsf{Test}$ are real keys, and to Game 3 if the answers of $\mathcal{B}$’s simulation of $\mathsf{Test}$ are random ones, we obtain that $|\mathrm{Adv}(\mathcal{A},{G}_{2})-\mathrm{Adv}(\mathcal{A},{G}_{3})|$ is bounded by $2\cdot {\mathrm{Adv}}_{\mathcal{B}}^{\mathrm{IND}-\mathrm{CCA}}(\ell)$.

To conclude the proof, we can see that the advantage of the adversary in Game 3 equals 0, as the session keys are chosen uniformly at random in ${\{0,1\}}^{{\kappa}_{\ell}}$. Collecting all the advantages, we can see that ${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{ke}}$ is indeed negligible. □
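Collecting the per-game bounds stated above, as an added derivation that is not part of the original proof: it assumes the standard difference-lemma form $|\mathrm{Adv}(\mathcal{A},G_0)-\mathrm{Adv}(\mathcal{A},G_1)|\le \Pr[\mathsf{Forge}]$ for Games 0/1, the guessing-argument form $\mathrm{Adv}(\mathcal{A},G_1)\le \mathrm{poly}_{\mathsf{Test}}\cdot\mathrm{Adv}(\mathcal{A},G_2)$ for Games 1/2, and writes $\mathrm{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathcal{A}'}(\ell)$ for the advantage of the forger $\mathcal{A}'$ against $\mathcal{S}$.

$$
\begin{aligned}
\mathrm{Adv}^{\mathrm{ke}}_{\mathcal{A}}(\ell)
&= \mathrm{Adv}(\mathcal{A},G_0)
\;\le\; \mathrm{Adv}(\mathcal{A},G_1) + \Pr[\mathsf{Forge}] \\
&\le \mathrm{Adv}(\mathcal{A},G_1) + \mathrm{poly}_{\mathsf{Forge}}(|\mathcal{U}|)\cdot \mathrm{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathcal{A}'}(\ell) \\
&\le \mathrm{poly}_{\mathsf{Test}}\cdot \mathrm{Adv}(\mathcal{A},G_2) + \mathrm{poly}_{\mathsf{Forge}}(|\mathcal{U}|)\cdot \mathrm{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathcal{A}'}(\ell) \\
&\le \mathrm{poly}_{\mathsf{Test}}\cdot \bigl(\mathrm{Adv}(\mathcal{A},G_3) + 2\cdot \mathrm{Adv}^{\mathrm{IND}-\mathrm{CCA}}_{\mathcal{B}}(\ell)\bigr) + \mathrm{poly}_{\mathsf{Forge}}(|\mathcal{U}|)\cdot \mathrm{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathcal{A}'}(\ell) \\
&= 2\,\mathrm{poly}_{\mathsf{Test}}\cdot \mathrm{Adv}^{\mathrm{IND}-\mathrm{CCA}}_{\mathcal{B}}(\ell) + \mathrm{poly}_{\mathsf{Forge}}(|\mathcal{U}|)\cdot \mathrm{Adv}^{\mathrm{EUF\text{-}CMA}}_{\mathcal{A}'}(\ell),
\end{aligned}
$$

where the last equality uses $\mathrm{Adv}(\mathcal{A},G_3)=0$. Each term is a polynomial factor times the advantage of a polynomial-time adversary against $\mathcal{KEM}$ or $\mathcal{S}$, so the sum is negligible in $\ell$.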