Proof. We can easily verify the protocol correctness: if all the participants follow the protocol description and there is no active adversarial interference, then all checks will succeed and every participant will set the same and . Moreover every participant will receive the correct and consequently they will be able to compute the same session key .
To illustrate the security of our compiler, we use the “game hopping” technique, where we let the adversary interact with a simulator . We denote by the advantage of the adversary in Game i. The security parameter is denoted by ℓ. Further, we denote by and the maximum number of queries made by the adversary to the and oracles, respectively.
Game 0. This game is identical to the original attack game, with all the oracles being simulated as in the real protocol. Therefore,
Game 1. Let be the event that the adversary succeeds in forging an authenticated message of at least one party without having queried and where all the signed values involved were not output by a same ’s instance. Whenever this event occurs, we abort and count it as a success for the adversary.
An adversary that can achieve can be used to construct an adversary that forges a signature in the EUF-CMA game: the given public key is assigned randomly to , one of the users; all other participants are initialized as the protocol indicates; afterwards all the queries in the security game are answered faithfully and when a signature by the chosen user is needed, the signing oracle of the EUF-CMA game is queried to produce it.
The probability of the adversary choosing when assigning the public key for the signature is at least , and with being polynomial size, this is non-negligible: which yields for a polynomial bound on .
Game 2. This game is exactly as Game 1 except that a session t is chosen uniformly at random. If the query does not occur in the t-th session, the game aborts and we count it as a win for the adversary. As the number of active protocol instances is polynomially bounded, we have for a polynomial bound on the number of protocol sessions activated.
Game 3. This game is identical to the previous game, except that the simulation of the , and oracles is modified as follows. The symmetric key output by in the instance is replaced with a random key chosen from .
In order to bound the difference in the advantages between Games 2 and 3, we will build, from an adversary able to distinguish between both games, an adversary attacking the key encapsulation mechanism such that where denotes the advantage of a probabilistic polynomial time adversary attacking . To establish this bound, we assume that , which runs as an auxiliary algorithm, can access a simulation of . Further, executes the key generation algorithm of for each user , thus obtaining a pair of keys for the signature scheme. Adversary also executes the key generation algorithm of for user and obtains the public key corresponding to users . Our adversary obtains a challenge as described in Definition 1, and we have to describe how answers ’s queries:
Whenever a query is made by , generates the keys for the signature and returns as answer to .
To answer a query for Round 2 involving , uses the challenge encapsulation . The rest of the answers are generated as in a real execution of the protocol.
To answer an query by , our adversary modifies the messages as described for the simulation of the oracle.
A query by is answered in a similar way as a or query. Notice that a query cannot be made on t or any partnered instance. To answer any other query uses the decapsulation oracle of its IND-CCA game.
Finally, to answer a query, a bit is chosen by when starting the simulation. will return the key received from the KEM challenger to .
At some point will output a bit as a guess for , which will determine the output b of for the KEM challenge. Specifically, outputs if and only if . Taking into account that the view of is identical to Game 2 if the answers of ’s simulation of are real keys, and to Game 3 if the answers of ’s simulation of are random ones, we obtain that is bounded by .
To conclude the proof, we can see that the advantage of the adversary in Game 3 equals 0, as the session keys are chosen uniformly at random in . Collecting all the advantages, we can see that is indeed negligible. □