An Efficient and Generic Construction for Signal’s Handshake (X3DH): Post-quantum, State Leakage Secure, and Deniable

Abstract

The Signal protocol is a secure instant messaging protocol that underlies the security of numerous applications such as WhatsApp, Skype, Facebook Messenger among many others. The Signal protocol consists of two sub-protocols known as the X3DH protocol and the double ratchet protocol, where the latter has recently gained much attention. For instance, Alwen, Coretti, and Dodis (Eurocrypt’19) provided a concrete security model along with a generic construction based on simple building blocks that are instantiable from versatile assumptions, including post-quantum ones. In contrast, as far as we are aware, works focusing on the X3DH protocol seem limited. In this work, we cast the X3DH protocol as a specific type of authenticated key exchange (AKE) protocol, which we call a Signal-conforming AKE protocol, and formally define its security model based on the vast prior works on AKE protocols. We then provide the first efficient generic construction of a Signal-conforming AKE protocol based on standard cryptographic primitives such as key encapsulation mechanisms (KEM) and signature schemes. Specifically, this results in the first post-quantum secure replacement of the X3DH protocol based on well-established assumptions. Similar to the X3DH protocol, our Signal-conforming AKE protocol offers a strong (or stronger) flavor of security, where the exchanged key remains secure even when all the non-trivial combinations of the long-term secrets and session-specific secrets are compromised. Moreover, our protocol has a weak flavor of deniability and we further show how to progressively strengthen it using ring signatures and/or non-interactive zero-knowledge proof systems. Finally, we provide a full-fledged, generic C implementation of our (weakly deniable) protocol. We instantiate it with several Round 3 candidates (finalists and alternates) to the NIST post-quantum standardization process and compare the resulting bandwidth and computation performances. Our implementation is publicly available.

Appendices

A Full Proofs for Signal-Conforming AKE \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\)

We prove the security of our Signal-conforming AKE protocol \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) .

Proof of Theorem 4.3

Let \(\mathcal {A}\) be an adversary that plays the security game \(G^{\mathsf {FS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {AKE} {}}(\mu , \ell )\) with the challenger \(\mathcal {C}\) with advantage \(\mathsf {Adv}{}^{\mathsf {AKE}\textsf {-}\mathsf {FS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {AKE} {}}(\mathcal {A}) = \epsilon \). In order to prove Theorem 4.3, we distinguish between the strategy that can be taken by the \(\mathcal {A} \). Specifically, \(\mathcal {A} \)’s strategy can be divided into the eight types of strategies listed in Table 1. Here, each strategy is mutually independent and covers all possible (non-trivial) strategies.³⁰ We point out that for our specific AKE construction we have \({\texttt {state}}_\mathtt {resp}:= \bot \) since the responder does not maintain any states (see Remark 4.1). Therefore, the Type-1 (resp. Type-3, Type-7) strategy is strictly stronger than the Type-2 (resp. Type-4, Type-8) strategy. We only include the full types of strategies in Table 1 as we believe it would be helpful when proving other AKE protocols, and note that our proof implicitly handles both strategies at the same time.

For each possible strategy taken by \(\mathcal {A} \), we construct an algorithm that breaks one of the underlying assumptions by using such an adversary \(\mathcal {A} \) as a subroutine. More formally, we construct six algorithms \(\mathcal {B}_{1}\), \(\mathcal {B}_{2}\), \(\mathcal {B}_{3,0}\), \(\mathcal {B}_{3,1}\), \(\mathcal {D}_{1}\) and \(\mathcal {D}_{2}\) satisfying the following:

1. 1.

   If \(\mathcal {A}\) uses the Type-1 (or Type-2) strategy, then \(\mathcal {B}_{1}\) succeeds in breaking the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell ^{2}}\epsilon \) or \(\mathcal {D}_{1}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell ^{2}}\epsilon \).

2. 2.

   If \(\mathcal {A}\) uses the Type-3 (or Type-4) strategy, then \(\mathcal {B}_{2}\) succeeds in breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \) or \(\mathcal {D}_{2}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \).

3. 3.

   If \(\mathcal {A}\) uses the Type-5 or Type-6 strategy, then \(\mathcal {B}_{3,0}\) succeeds in breaking the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) with advantage \(\approx \frac{1}{\mu }\epsilon \).

4. 4.

   If \(\mathcal {A}\) uses the Type-7 (or Type-8) strategy, then \(\mathcal {B}_{3,1}\) succeeds in breaking the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) with advantage \(\approx \frac{1}{\mu }\epsilon \).

We present a security proof structured as a sequence of games. Without loss of generality, we assume that \(\mathcal {A}\) always issues a \(\mathsf {Test}\)-query. In the following, let \(\mathsf {S}_{j}\) denote the event that \(b = b'\) occurs in game \(G_{j}\) and let \(\epsilon _{j} \mathrel {\mathop :}=\left| \Pr \left[ \mathsf {S}_{j}\right] - 1/2 \right| \) denote the advantage of the adversary in game \(G_{j}\). Regardless of the strategy taken by \(\mathcal {A}\), all proofs share a common game sequence \(G_{0}\)-\(G_{1}\) as described below.

Game \(G_{0}\) This game is identical to the original security game. We thus have

$$\begin{aligned} \epsilon _{0} = \epsilon . \end{aligned}$$

Game \(G_{1}\) This game is identical to \(G_{0}\), except that we add an abort condition. Let \(\mathsf {E}_{\mathsf {corr}}{}\) be the event that there exist two partner oracles \(\pi ^s_i\) and \(\pi ^t_j\) that do not agree on the same session key. If \(\mathsf {E}_{\mathsf {corr}}\) occurs, then \(\mathcal {C}\) aborts (i.e., sets \(\mathcal {A} \)’s output to be a random bit) at the end of the game.

There are at most \(\mu \ell /2\) responder oracles and each oracle is assigned uniform randomness. From Theorem 4.2, the probability of error occurring during the security game is at most \(\mu \ell (\delta _{\mathsf{SIG}{}} + 2\delta _{\mathsf {KEM}})/2\). Therefore, \(\mathsf {E}_{\mathsf {corr}}\) occurs with probability at most \(\mu \ell (\delta _{\mathsf{SIG}{}} + 2\delta _{\mathsf {KEM}})/2\). We thus have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{0}\right] - \Pr \left[ \mathsf {S}_{1}\right] \right| \le \frac{\mu \ell }{2} \cdot (\delta _{\mathsf{SIG}{}} + 2\delta _{\mathsf {KEM}} ). \end{aligned}$$

In the following games we assume no decryption error or signature verification error occurs.

We now divide the game sequence depending on the strategy taken by the adversary \(\mathcal {A}\). Regardless of \(\mathcal {A}{}\)’s strategy, we prove that \(\epsilon _{1}\) is negligible, which in particular implies that \(\epsilon \) is also negligible. Formally, this is shown in Lemmata A.1 to A.4 provided in their respective subsections below. We first complete the proof of the theorem. Specifically, by combining all the lemmata together and folding adversaries \(\mathcal {B}_{3,0}\) and \(\mathcal {B}_{3,1}\) into one adversary \(\mathcal {B}_{3}\), we obtain the following desired bound:

$$\begin{aligned}&\mathsf {Adv}{}^{\mathsf {AKE}\textsf {-}\mathsf {FS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {AKE} {}}(\mathcal {A})\\&\quad \le \max \left\{ \begin{array}{l} \mu ^{2}\ell ^{2} \cdot (\mathsf {Adv}^{\mathsf {IND\text {-}CPA}}_{\mathsf {wKEM}}(\mathcal {B}_{1}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{1}) + \varepsilon _{\mathsf {Ext}}),\\ \mu ^{2}\ell \cdot (\mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM}}(\mathcal {B}_{2}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}) + \varepsilon _{\mathsf {Ext}}) + \mu \ell ^{2} \cdot \left( \frac{1}{2^{ 2 \chi _{\mathsf {KEM}}}} + \frac{1}{2^{\nu _{\mathsf {KEM}}}}\right) ,\\ \mu \cdot \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3}), \end{array} \right\} \\&\qquad + \frac{\mu \ell }{2} \cdot (\delta _{\mathsf{SIG}{}} + 2\delta _{\mathsf {KEM}} ) \end{aligned}$$

Here, the running time of the algorithms \(\mathcal {B}_{1}\), \(\mathcal {B}_{2}\), \(\mathcal {B}_{3}\), \(\mathcal {D}_{1}\) and \(\mathcal {D}_{2}\) consist essentially the time required to simulate the security game for \(\mathcal {A}\) once, plus a minor number of additional operations. \(\square \)

It remains to prove Lemmata A.1 to A.4.

Proof of Lemma A.1: Against Type-1 or Type-2 Adversary

Lemma A.1

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-1 or Type-2 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{1}\) breaking the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\) and \(\mathcal {D}_{1}\) breaking the security of PRF \(\mathsf {F}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell ^{2} \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CPA}}_{\mathsf {wKEM}}(\mathcal {B}_{1}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{1})+ \varepsilon _{\mathsf {Ext}}\right) . \end{aligned}$$

Proof of Lemma A.1

We present the rest of the sequence of games from game \(G_{1}\).

Game \(G_{2}\) In this game, at the beginning of the game, \(\mathcal {C}\) chooses an initiator oracle \(\pi ^{\hat{s}}_{\hat{\imath }}\) and a responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) uniformly at random from the \(\mu \ell \) oracles. Let \(\mathsf {E_{testO}}\) be the event that the tested oracle is neither \(\pi ^{\hat{s}}_{\hat{\imath }}\) nor \(\pi ^{\hat{t}}_{\hat{\jmath }}\), or \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) are not partner. Since \(\mathsf {E_{testO}}\) is an efficiently checkable event, \(\mathcal {C}\) aborts as soon as it detects that event \(\mathsf {E_{testO}}\) occurs.³¹\(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability at least \(1/\mu ^{2}\ell ^{2}\), so we have

$$\begin{aligned} \epsilon _{2} \ge \frac{1}{\mu ^{2}\ell ^{2}}\epsilon _{1}. \end{aligned}$$

Game \(G_{3}\) In this game, we modify the way the initiator oracle \(\pi ^{\hat{s}}_{\hat{\imath }}\) responds on its second invocation. In particular, when \(\pi ^{\hat{s}}_{\hat{\imath }}\) is invoked (on the second time) on input \((\mathsf {C}, \mathsf {C}_{T}, \mathsf {c})\), it proceeds as in the previous game except that it uses the key \(\mathsf {K}_{T}\) that was generated by the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) rather than using the key obtained through decrypting \(\mathsf {C}_{T}\). Here, conditioned on \(\mathsf {E_{testO}}\) not occurring, we are guaranteed that the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) generated \(\mathsf {C}_{T}\) by running \((\mathsf {K}_{T}, \mathsf {C}_{T}) \leftarrow \mathsf {wKEM}.\mathsf {Encap}(\mathsf {ek}_{T})\), where \(\mathsf {ek}_T\) is the encapsulation key that \(\pi ^{\hat{s}}_{\hat{\imath }}\) outputs on the first invocation. This is because otherwise, the oracles \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) will not be partner oracles. Conditioning on event \(\mathsf {E}_{\mathsf {corr}}{}\) (i.e., decryption failure) not occurring, the two games \(G_2\) and \(G_3\) are identical. Hence,

$$\begin{aligned} \epsilon _{3} = \epsilon _2. \end{aligned}$$

Game \(G_{4}\) In this game, we modify the way the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) responds. When the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) is invoked on input \(\mathsf {ek}_T\), the game samples a random key instead of computing \((\mathsf {K}_{T}, \mathsf {C}_{T}) \leftarrow \mathsf {wKEM}.\mathsf {Encap}(\mathsf {ek}_{T})\). Note that when the initiator oracle \(\pi ^{\hat{s}}_{\hat{\imath }}\) is invoked (on the second time) on input \((\mathsf {C}, \mathsf {C}_{T}, \mathsf {c})\), it uses this random key \(\mathsf {K}_T\). We claim \(G_{3}\) and \(G_{4}\) are indistinguishable assuming the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\). To prove this, we construct an algorithm \(\mathcal {B}_{1}\) breaking the \(\mathsf {IND\text {-}CPA}\) security as follows.

\(\mathcal {B}_{1}\) receives a public parameter \(\mathsf {pp}{}_{\mathsf {wKEM}}\), a public key \(\mathsf {ek}^{*}\), and a challenge \((\mathsf {K}^{*}, \mathsf {C}^{*})\) from its challenger. \(\mathcal {B}_{1}\) sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) using \(\mathsf {pp}{}_{\mathsf {wKEM}}\) and computes \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) for all \(i \in [\mu ]\) by running the protocol honestly, and samples \((\hat{\imath }, \hat{\jmath }, \hat{s}, \hat{t})\) uniformly random from \([\mu ]^2 \times [\ell ]^2\). It then invokes \(\mathcal {A}\) on the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers queries made by \(\mathcal {A}\) as follows:

• \(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): If \((i, s, j) = (\hat{\imath }, \hat{s}, \hat{\jmath })\), then \(\mathcal {B}_{1}\) returns \(\mathsf {ek}^{*}\) to \(\mathcal {A} \) and implicitly sets \({\texttt {state}}^{s}_{i} \mathrel {\mathop :}={} \mathsf {dk}^{*}\). Otherwise, \(\mathcal {B}_{1}\) responds as in \(G_4\).

• \(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): Let \(i \mathrel {\mathop :}=\mathsf {Pid}^{t}_{j}\). Depending on the values of (j, t, i), it performs the following:

  • If \((j, t) = (\hat{\jmath }, \hat{t})\) and \(i \ne \hat{\imath }\), then \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) cannot be partner oracles. Therefore, since event \(\mathsf {E_{testO}}\) is triggered \(\mathcal {B}_{1}\) aborts.

  • If \((j, t, i) = (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{1}\) checks if \(\mathsf {ek}_T =\mathsf {ek}^*\). If not, event \(\mathsf {E_{testO}}\) is triggered so it aborts. Otherwise, it proceeds as in \(G_4\) except that it sets \(\mathsf {K}{}_{T} = \mathsf {K}^{*}\) and \(\mathsf {C}{}_{T} = \mathsf {C}^{*}\) rather than sampling them on its own. It then returns the message \((\mathsf {C}, \mathsf {C}_T, \mathsf {c}{})\).

  • If \((j, t, i) \ne (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{1}\) responds as in \(G_4\).

• \(\mathsf {Send}(i, s, m = (\mathsf {C}, \mathsf {C}_T, \mathsf {c}))\): Let \(j \mathrel {\mathop :}=\mathsf {Pid}^{s}_{i}\). Depending on the values of (i, s, j), it performs the following:

  • If \((i, s) = (\hat{\imath }, \hat{s})\) and \(j \ne \hat{\jmath }\), then \(\pi ^{\hat{s}}_{\hat{\imath }}\) and \(\pi ^{\hat{t}}_{\hat{\jmath }}\) cannot be partner oracles. Therefore, since event \(\mathsf {E_{testO}}\) is triggered \(\mathcal {B}_{1}\) aborts.

  • If \((i, s, j) = (\hat{\imath }, \hat{s}, \hat{\jmath })\), then \(\mathcal {B}_{1}\) checks if \(\mathsf {C}_T = \mathsf {C}^*\). If not, event \(\mathsf {E_{testO}}\) is triggered so it aborts. Otherwise, it responds as in \(G_4\).

  • If \((i, s, j) \ne (\hat{\imath }, \hat{s}, \hat{\jmath })\), then \(\mathcal {B}_{1}\) responds as in \(G_4\).

• \(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{1}\) proceeds as in the previous game. Here, note that since \(\mathcal {A} \) follows the Type-1 or Type-2 strategy, \(\mathcal {B}_1\) can answer all the \(\mathsf {RevState}\)-query. Namely, \(\mathcal {A} \) never queries \(\mathsf {RevState}(\hat{\imath }, \hat{s})\) (i.e., \({\texttt {state}}^{\hat{s}}_{\hat{\imath }} \mathrel {\mathop :}={} \mathsf {dk}^{*}\)) conditioning on \(\mathsf {E_{testO}}\) not occurring, which is the only query that \(\mathcal {B}_1\) cannot answer.

• \(\mathsf {Test}(i, s)\): \(\mathcal {B}_{1}\) responds as in \(G_4\). Here, in case \((i, s) \not \in \left\{ (\hat{\imath }, \hat{s}), (\hat{\jmath },\hat{t}) \right\} \), then event \(\mathsf {E_{testO}}\) is triggered so it aborts.

Finally, if \(\mathcal {A}\) outputs a guess \(b'\), \(\mathcal {B}_{1}\) outputs \(b'\). It can be checked that \(\mathcal {B}_1\) perfectly simulates game \(G_3\) (resp. \(G_4\)) to \(\mathcal {A} \) when the challenge \(\mathsf {K}^{*}\) is the real key (resp. a random key). Thus we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{3}\right] - \Pr \left[ \mathsf {S}_{4}\right] \right| \le \mathsf {Adv}^{\mathsf {IND\text {-}CPA}}_{\mathsf {wKEM}}(\mathcal {B}_{1}). \end{aligned}$$

Game \(G_{5}\) In this game, we modify how the PRF key \(\mathsf {K}_{2}\) is generated by the tested oracle and its partner oracle. Instead of computing \(\mathsf {K}{}_{2} \leftarrow \mathsf {Ext}_{ s {}}(\mathsf {K}_{T})\), both oracles use the same randomly sampled . Due to the modification we made in the previous game, \(\mathsf {K}_{T}\) is chosen uniformly at random from \(\mathcal {KS}_\mathsf {wKEM}\) so \(\mathsf {K}_T\) has \(\log _2(|\mathcal {KS}_\mathsf {wKEM}|) \ge \gamma _\mathsf {KEM} \) min-entropy. Then, by the definition of the strong (\(\gamma _\mathsf {KEM}, \varepsilon _{\mathsf {Ext}}\))-extractor \(\mathsf {Ext}\), we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{4}\right] - \Pr \left[ \mathsf {S}_{5}\right] \right| \le \varepsilon _{\mathsf {Ext}}. \end{aligned}$$

Game \(G_{6}\) In this game, we modify how the session key \(\mathsf {k}\) is generated by the tested oracle. Instead of computing \(\mathsf {k}\Vert \tilde{k}\leftarrow \mathsf {F}_{\mathsf {K}_{1}}(\mathsf {sid}) \oplus \mathsf {F}_{\mathsf {K}_{2}}(\mathsf {sid})\), the tested oracle (which is either \(\pi ^{\hat{s}}_{\hat{\imath }}\) or \(\pi ^{\hat{t}}_{\hat{\jmath }}\) conditioned on event \(\mathsf {E_{testO}}\) not occurring) computes the session key as \(\mathsf {k}\Vert \tilde{k}\leftarrow \mathsf {F}_{\mathsf {K}{}_{1}}(\mathsf {sid}) \oplus x\), where x is chosen uniformly at random from \( \{ 0,1 \} ^{\kappa + d}\). Since \(\mathsf {K}{}_{2}\) is chosen uniformly and hidden from the views of the adversary \(\mathcal {A} \), games \(G_{5}\) and \(G_{6}\) are indistinguishable by the security of the PRF.³² In particular, we can construct a PRF adversary \(\mathcal {D}_{1}\) that uses \(\mathcal {A} \) as a subroutine such that

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{5}\right] - \Pr \left[ \mathsf {S}_{6}\right] \right| \le \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{1}). \end{aligned}$$

In \(G_{6}\), the session key in the tested oracle is uniformly random. Thus, even an unbounded adversary \(\mathcal {A}\) cannot have distinguishing advantages. Therefore, \(\Pr \left[ \mathsf {S}_{6}\right] = 1/2\). Combining everything together, we have

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell ^{2} \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CPA}}_{\mathsf {wKEM}}(\mathcal {B}_{1}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{1}) + \varepsilon _{\mathsf {Ext}}\right) . \end{aligned}$$

\(\square \)

Proof of Lemma A.2: Against Type-3 or Type-4 Adversary

Lemma A.2

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-3 or Type-4 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{2}\) breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) and \(\mathcal {D}_{2}\) breaking the security of PRF \(\mathsf {F}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{2}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}) + \varepsilon _{\mathsf {Ext}}\right) + \mu \ell ^{2} \cdot \left( \frac{1}{2^{ 2 \chi _{\mathsf {KEM}}}} + \frac{1}{2^{\nu _{\mathsf {KEM}}}}\right) . \end{aligned}$$

Proof of Lemma A.2

We present the rest of the sequence of games from game \(G_{1}\).

Game \(G_{2}\) This game is identical to \(G_{1}\), except that we add another abort condition. Let \({\mathsf {E}}_{\mathsf {uniq}}\) be the event that there exists an oracle that has more than one partner oracles. If \({\mathsf {E}}_{\mathsf {uniq}}\) occurs, then \(\mathcal {C}\) aborts. Since \(G_{1}\) and \(G_{2}\) proceed identically unless \({\mathsf {E}}_{\mathsf {uniq}}\) occurs, we have

$$\begin{aligned} \left| \epsilon _1 - \epsilon _2 \right| \le \Pr \left[ {\mathsf {E}}_{\mathsf {uniq}}\right] . \end{aligned}$$

We claim

$$\begin{aligned} \Pr \left[ {\mathsf {E}}_{\mathsf {uniq}}{}\right] \le \mu \ell ^{2} \cdot \left( \frac{1}{2^{ 2 \chi _{\mathsf {KEM}}}} + \frac{1}{2^{\nu _{\mathsf {KEM}}}}\right) . \end{aligned}$$

Fix \(j \in [\mu ]\) and consider the set of oracles \(S_{j} = \left\{ \pi ^{s}_{i} \mid \mathsf {Pid}^{s}_{i} = j \right\} \). For any \(\pi ^{s}_{i} \in S_{j}\), if there exist two oracles \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) with \(t \ne t' \in [\ell ]\) that are partners of \(\pi ^{s}_{i}\), then \(\mathsf {sid}^{s}_{i} = \mathsf {sid}^{t}_{j} = \mathsf {sid}^{t'}_{j}\) holds. We distinguish between the following cases.

Case 1 We first consider the case \(\pi ^{s}_{i}\) is an initiator and \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) are responders. Let \(\mathsf {ek}_{T}\) be the ephemeral encapsulation key generated by \(\pi ^{s}_{i}\). In this case, \({\mathsf {E}}_{\mathsf {uniq}}\) occurs if the responder oracles \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) generate the same ciphertext with respect to \(\mathsf {ek}_{i}\) and \(\mathsf {ek}_{T}\). Since \(\mathsf {ek}_{i}\) and \(\mathsf {ek}_{T}\) are independently and honestly generated by the game and each responder oracle is assigned uniform randomness, the probability of a ciphertext collision is upper bounded by \(\ell ^{2}/2^{2 \chi _{\mathsf {KEM}}}\), where recall \(\chi _{\mathsf {KEM}}\) is the ciphertext min-entropy of \(\Pi _\mathsf{wKEM}\) and \(\Pi _\mathsf {KEM}\) . Taking the union bound over all \(j \in [\mu ]\), we conclude that Case 1 occurs with probability at most \(\mu \ell ^{2}/2^{2\chi _{\mathsf {KEM}}}\).

Case 2 We next consider the case \(\pi ^{s}_{i}\) is a responder and \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) are initiators. In this case, \({\mathsf {E}}_{\mathsf {uniq}}\) occurs if the initiator oracles \(\pi ^{t}_{j}\) and \(\pi ^{t'}_{j}\) generate the same ephemeral encapsulation key. Since each initiator oracle samples an encapsulation key independently, the probability of an encapsulation key collision is upper bounded by \(\ell ^{2}/2^{\nu _{\mathsf {KEM}}}\), where recall \(\nu _{\mathsf {KEM}}\) is the encapsulation key min-entropy of \(\Pi _\mathsf{wKEM}\). Taking the union bound over all \(j \in [\mu ]\), we conclude that Case 2 occurs with probability at most \(\mu \ell ^{2}/2^{\nu _{\mathsf {KEM}}}\).

The claim can be shown by combining the two probabilities from Case 1 and Case 2. In the following games we assume every oracle has a unique partner oracle if it exists.

Game \(G_{3}\) In this game, at the beginning of the game, \(\mathcal {C}\) chooses a random party \(P_{\hat{\imath }}\) from the \(\mu \) parties and a random responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) from the \(\mu \ell \) oracles. Let \(\mathsf {E_{testO}}\) be the event where \(\lnot \mathsf {E_{testO}}\) denotes the event that either the tested oracle is \(\pi ^{\hat{s}}_{\hat{\imath }}\) for some \(s \in [\ell ]\) and its partner oracle is \(\pi ^{\hat{t}}_{\hat{\jmath }}\), or the tested oracle is \(\pi ^{\hat{t}}_{\hat{\jmath }}\) and its peer is \(P_{\hat{\imath }}\). Since \(\mathsf {E_{testO}}\) is an efficiently checkable event, \(\mathcal {C}\) aborts as soon as it detects that event \(\mathsf {E_{testO}}\) occurs. \(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability \(1/\mu ^{2}\ell \), so we have

$$\begin{aligned} \epsilon _{3} = \frac{1}{\mu ^{2}\ell }\epsilon _{2}. \end{aligned}$$

Game \(G_{4}\) In this game, we modify the way the initiator oracle \(\pi ^{s}_{\hat{\imath }}\) for any \(s \in [\ell ]\) responds on its second invocation. Let \((\mathsf {K}, \mathsf {C})\) be the \(\Pi _\mathsf {KEM}\) key-ciphertext pair generated by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). Then, when \(\pi ^{s}_{\hat{\imath }}\) is invoked (on the second time) on input \((\mathsf {C}', \mathsf {C}_{T}, \mathsf {c})\), it first checks if \(\mathsf {C}' = \mathsf {C}\). If so, it proceeds as in the previous game except that it uses the key \(\mathsf {K}\) that was generated by \(\pi ^{\hat{t}}_{\hat{\jmath }}\) rather than using the key obtained through decrypting \(\mathsf {C}'\). Otherwise, if \(\mathsf {C}' \ne \mathsf {C}\), then it proceeds exactly as in the previous game. Conditioning on event \(\mathsf {E}_{\mathsf {corr}}{}\) (i.e., decryption failure) not occurring, the two games \(G_3\) and \(G_4\) are identical. Hence,

$$\begin{aligned} \epsilon _{4} = \epsilon _3. \end{aligned}$$

Game \(G_{5}\) In this game, we modify the way the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) responds. When the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) is invoked on input \(\mathsf {ek}_T\), it samples a random key instead of computing \((\mathsf {K}, \mathsf {C}) \leftarrow \mathsf {KEM}.\mathsf {Encap}(\mathsf {ek}_{\hat{\imath }})\). Note that due to the modification we made in the previous game, when the initiator oracle \(\pi ^{s}_{\hat{\imath }}\) for any \(s \in [\ell ]\) is invoked (on the second time) on input \((\mathsf {C}', \mathsf {C}_{T}, \mathsf {c})\) for \(\mathsf {C}' = \mathsf {C}\), it uses the random key \(\mathsf {K}\) generated by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). We claim \(G_{4}\) and \(G_{5}\) are indistinguishable assuming the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) . To prove this, we construct an algorithm \(\mathcal {B}_{2}\) breaking the \(\mathsf {IND\text {-}CCA}\) security as follows.

\(\mathcal {B}_{2}\) receives a public parameter \(\mathsf {pp}{}_{\mathsf {KEM}}\), a public key \(\mathsf {ek}^{*}\), and a challenge \((\mathsf {K}^{*}, \mathsf {C}^{*})\) from its challenger. \(\mathcal {B}_{2}\) then samples a random , sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) using \(\mathsf {pp}{}_{\mathsf {KEM}}\), and generates the long-term key pairs as follows. For party \(P_{\hat{\imath }}\), \(\mathcal {B}_{2}\) runs \(({\mathsf{vk}}_{\hat{\imath }}, {\mathsf{sk}}_{\hat{\imath }}) \leftarrow \mathsf{SIG}.\mathsf{KeyGen}(\mathsf {pp}_{\mathsf{SIG}})\) and sets the long-term public key as \(\mathsf {lpk} _{\hat{\imath }} := (\mathsf {ek}^{*}, {\mathsf{vk}}_{\hat{\imath }})\) and implicitly sets the long-term secret key as \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}^*, {\mathsf{sk}}_{\hat{\imath }})\), where note that \(\mathcal {B}_2\) does not know \(\mathsf {dk}^*\). For all the other parties \(i \in [\mu \backslash \hat{\imath }]\), \(\mathcal {B}_{2}\) computes the long-term key pairs \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) as in \(G_5\). Finally, \(\mathcal {B}_{2}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries made by \(\mathcal {A}\) as follows:

• \(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): \(\mathcal {B}_{2}\) responds as in \(G_5\).

• \(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): Let \(i \mathrel {\mathop :}=\mathsf {Pid}^{t}_{j}\). Depending on the values of (j, t, i), it performs the following:

  • If \((j, t, i) = (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{2}\) responds as in \(G_5\) except that it sets \((\mathsf {K}, \mathsf {C}) := (\mathsf {K}^*, \mathsf {C}^{*})\) rather than generating them on its own. It then returns the message \((\mathsf {C}^{*}, \mathsf {C}_{T}, \mathsf {c}{})\).

  • If \((j, t, i) \ne (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{2}\) responds as in \(G_5\).

• \(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): Depending on the value of i, it performs the following:

  • If \(i = \hat{\imath }\), then \(\mathcal {B}_{2}\) checks if \(\mathsf {C}= \mathsf {C}^*\). If so, it responds as in \(G_5\) except that it sets \(\mathsf {K}\mathrel {\mathop :}=\mathsf {K}^{*}\). Otherwise, if \(\mathsf {C}\ne \mathsf {C}^*\), then it queries the decapsulation oracle on \(\mathsf {C}\) and receives back \(\mathsf {K}'\). \(\mathcal {B}_2\) then responds as in \(G_5\) except that it sets \(\mathsf {K}\mathrel {\mathop :}=\mathsf {K}'\).

  • If \(i \ne \hat{\imath }\), then \(\mathcal {B}_{2}\) responds as in \(G_5\).

• \(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{2}\) responds as in \(G_5\). Here, note that since \(\mathcal {A} \) follows the Type-3 or Type-4 strategy, \(\mathcal {B}_2\) can answer all the \(\mathsf {RevLTK}\)-query. Namely, \(\mathcal {A} \) never queries \(\mathsf {RevLTK}(\hat{\imath })\) (i.e., \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}^*, {\mathsf{sk}}_{\hat{\imath }})\)) conditioning on \(\mathsf {E_{testO}}\) not occurring, which is the only query that \(\mathcal {B}_2\) cannot answer.

• \(\mathsf {Test}(i, s)\): \(\mathcal {B}_{2}\) responds to the query as the definition. Here, in case \(i \ne \hat{\imath }\) or \((i, s) \ne (\hat{\jmath },\hat{t})\), then event \(\mathsf {E_{testO}}\) is triggered so it aborts.

If \(\mathcal {A}\) outputs a guess \(b'\), \(\mathcal {B}_{2}\) outputs \(b'\). It can be checked that \(\mathcal {B}_2\) perfectly simulates game \(G_4\) (resp. \(G_5\)) to \(\mathcal {A} \) when the challenge \(\mathsf {K}^{*}\) is the real key (resp. a random key). Thus we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{4}\right] - \Pr \left[ \mathsf {S}_{5}\right] \right| \le \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{2}). \end{aligned}$$

Game \(G_{6}\) In this game, whenever we need to derive \(\mathsf {K}^*_1 \leftarrow \mathsf {Ext}_s(\mathsf {K}^*)\), we instead use a uniformly and randomly chosen PRF key (fixed once and for all), where \(\mathsf {K}^*\) is the KEM key chosen by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). Due to the modification we made in the previous game, \(\mathsf {K}^*\) is chosen uniformly at random from \(\mathcal {KS}_\mathsf {KEM} \) so \(\mathsf {K}\) has \(\log _2(|\mathcal {KS}_\mathsf {KEM} |) \ge \gamma _\mathsf {KEM} \) min-entropy. Then, by the definition of the strong (\(\gamma _\mathsf {KEM}, \varepsilon _{\mathsf {Ext}}\))-extractor \(\mathsf {Ext}\), we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{5}\right] - \Pr \left[ \mathsf {S}_{6}\right] \right| \le \varepsilon _{\mathsf {Ext}}. \end{aligned}$$

Game \(G_{7}\) In this game, we sample a random function \(\mathsf {RF}\) and whenever we need to compute \(\mathsf {F}_{\mathsf {K}^*_1}(\mathsf {sid})\) for any \(\mathsf {sid}\), we instead compute \(\mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid})\). Due to the modification we made in the previous game, \(\mathsf {K}^*_1\) is sampled uniformly from \(\mathcal {FK}\). Therefore, the two games can be easily shown to be indistinguishable assuming the pseudo-randomness of the PRF. In particular, we can construct a PRF adversary \(\mathcal {D}_{2}\) such that

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{6}\right] - \Pr \left[ \mathsf {S}_{7}\right] \right| \le \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}). \end{aligned}$$

It remains to show that the session key output by the tested oracle in the game \(G_7\) is uniformly random regardless of the challenge bit \(b \in \{ 0,1 \} \) chosen by the game. We consider the case where \(b = 0\) and prove that the honestly generated session key by the tested oracle is distributed uniformly random. First conditioning on event \(\mathsf {E_{testO}}\) not occurring, it must be the case that the tested oracle (and its partner oracle) prepares the session key as \(\mathsf {k}^* \Vert \tilde{k}\leftarrow \mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid}^*) \oplus \mathsf {F}_{\mathsf {K}_{2}}(\mathsf {sid}^*)\) for some \(\mathsf {sid}^*\). That is, \(\mathsf {K}^*_1\) sampled by the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) is used to compute the session key. Next, conditioning on event \({\mathsf {E}}_{\mathsf {uniq}}\) not occurring, the only oracles that share the same \(\mathsf {sid}^*\) must be the tested oracle and its partner oracle since otherwise it would break the uniqueness of partner oracles. Therefore, we conclude that \(\mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid}^*)\) is only used to compute the session key of the tested oracle and its partner oracle. Since the output of \(\mathsf {RF}\) is distributed uniformly random for different inputs, we conclude that \(\Pr \left[ \mathsf {S}_{7}\right] = 1/2\). Combining all the arguments together, we obtain

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{2}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}) + \varepsilon _{\mathsf {Ext}}\right) + \mu \ell ^{2} \cdot \left( \frac{1}{2^{ 2 \chi _{\mathsf {KEM}}}} + \frac{1}{2^{\nu _{\mathsf {KEM}}}}\right) . \end{aligned}$$

\(\square \)

Proof of Lemma A.3: Against Type-5 or Type-6 Adversary

Lemma A.3

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-5 or Type-6 strategy, there exists a \(\mathsf {QPT}\) algorithm \(\mathcal {B}_{3,0}\) breaking the \(\mathsf {EUF\text {-}CMA}\) of \(\Pi _{\mathsf{SIG}}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu \cdot \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,0}). \end{aligned}$$

Proof of Lemma A.3

We present the rest of the sequence of games from game \(G_{1}\).

Game \(G_{2}\) In this game, at the beginning of the game, \(\mathcal {C}\) chooses a party \(P_{\hat{\jmath }}\) uniformly at random from the \(\mu \) parties. Let \(\mathsf {E_{testO}}\) be the event that the peer of the tested oracle is not \(P_{\hat{\jmath }}\). If event \(\mathsf {E_{testO}}\) occurs, \(\mathcal {C}\) aborts. Since \(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability \(1/\mu \), we have

$$\begin{aligned} \epsilon _{2} = \frac{1}{\mu }\epsilon _{1}. \end{aligned}$$

Game \(G_{3}\) This game is identical to \(G_{2}\), except that we add an abort condition. Let S be a list of message-signature pairs that \(P_{\hat{\jmath }}\) generated as being a responder oracle. That is, every time \(\pi ^t_{\hat{\jmath }}\) for some \(t \in [\ell ]\) is invoked as a responder, it updates the list S by appending the message-signature pair \((\mathsf {sid}^t_{\hat{\jmath }}, \sigma ^t_{\hat{\jmath }})\) that it generates. Then, when an initiator oracle \(\pi _{i}^s\) for any \((i, s) \in [\mu ] \times [\ell ]\) is invoked on input \((\mathsf {C}, \mathsf {C}_{T}, \mathsf {c})\) from party \(P_{\hat{\jmath }}\) (i.e., \(\mathsf {Pid}^s_i = \hat{\jmath }\)), it first computes \(\mathsf {sid}^s_i\) and \(\sigma \) as in the previous game, and it checks if \(\mathsf{SIG}.\mathsf{Verify}({\mathsf{vk}}_{\hat{\jmath }}, \mathsf {sid}^s_i, \sigma ) = 1\) and \(P_{\hat{\jmath }}\) is not corrupted, then \((\mathsf {sid}^s_i, \sigma ) \in S\). If not, the game aborts. Otherwise, it proceeds as in the previous game. We call the event that abort occurs as \(\mathsf {E_{sig}}\). Since the two games are identical until abort, we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{2}\right] - \Pr \left[ \mathsf {S}_{3}\right] \right| \le \Pr \left[ \mathsf {E_{sig}}\right] . \end{aligned}$$

Before, bounding \(\Pr \left[ \mathsf {E_{sig}}\right] \), we finish the proof of the lemma. We show that no adversary \(\mathcal {A} \) following the Type-5 or Type-6 strategy has winning advantage in game \(G_3\), i.e., \(\Pr [\mathsf {S}_3] = 1/2\). To see this, first let us assume \(\mathcal {A} \) issued \(\mathsf {Test}(i^{*}, s^{*})\) and received a key that is not a \(\bot \). That is \(\pi ^{s^*}_{i^*}\) is in the \(\mathtt {accept}\) state. Due to the modification we made in game \(G_2\) and by the definition of the Type-5 or Type-6 strategy, \(\pi ^{s^*}_{i^*}\) has no partner oracle \(\pi ^t_{\hat{\jmath }}\) for any \(t \in [\ell ]\) and the peer \(P_{\hat{\jmath }}\) was not corrupted before \(\pi ^{s^*}_{i^*}\) completes the protocol execution conditioning on \(\mathsf {E_{testO}}\) not occurring. On the other hand, if \(\pi ^{s^*}_{i^*}\) is in the \(\mathtt {accept}\) state, then event \(\mathsf {E_{sig}}\) must have not triggered. Consequently, there exists some oracle \(\pi ^t_{\hat{\jmath }}\) that output \((\mathsf {sid}^{s^*}_{i^*}, \sigma ^*)\). Parsing \(\mathsf {sid}^{s^*}_{i^*}\) as \( P _{ i^{*} } \Vert P_{\hat{\jmath }} \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{\hat{\jmath }} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}\), this implies that \(\pi ^t_{\hat{\jmath }}\) and \(\pi ^{s^*}_{i^*}\) are partner oracles. Since this forms a contradiction, \(\mathcal {A} \) can only receive \(\bot \) when it issues \(\mathsf {Test}(i^{*}, s^{*})\). Hence, since the challenge bit b is statistically hidden from \(\mathcal {A} \), we have \(\Pr [\mathsf {S}_3] = 1/2\).

It remains to bound \(\Pr \left[ \mathsf {E_{sig}}\right] \). We do this by constructing an algorithm \(\mathcal {B}_{3,0}\) against the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) . The description of \(\mathcal {B}_{3,0}\) follows: \(\mathcal {B}_{3,0}\) receives the public parameter \(\mathsf {pp}_{\mathsf{SIG}}\) and the challenge verification key \({\mathsf{vk}}^{*}\). \(\mathcal {B}_{3,0}\) sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) as in \(G_2\) using \(\mathsf {pp}_{\mathsf{SIG}}\). \(\mathcal {B}_{3,0}\) then samples \(\hat{\jmath }\) randomly from \([\mu ]\), runs \((\mathsf {dk}_{\hat{\jmath }}, \mathsf {ek}_{\hat{\jmath }}) \leftarrow \mathsf {KEM}.\mathsf {KeyGen}(\mathsf {pp}{}_{\mathsf {KEM}})\), and sets the long-term public key of party \(P_{\hat{\jmath }}\) as \(\mathsf {lpk} _{\hat{\jmath }} \mathrel {\mathop :}={} (\mathsf {ek}_{\hat{\jmath }}, {\mathsf{vk}}^{*})\). The long-term secret key is implicitly set as \(\mathsf {lsk}_{\hat{\jmath }} \mathrel {\mathop :}=(\mathsf {dk}_{\hat{\jmath }}, {\mathsf{sk}}^*)\), where \({\mathsf{sk}}^*\) is unknown to \(\mathcal {B}_{3,0}\). For the rest of the parties \( P _{ i }\) for \(i \in [\mu \backslash \hat{\jmath }]\), \(\mathcal {B}_{3,0}\) generates \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) as in \(G_2\). Finally, \(\mathcal {B}_{3,0}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries by \(\mathcal {A}\) as follows:

• \(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): \(\mathcal {B}_{3,0}\) responds as in \(G_2\).

• \(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): Depending on the value of j, it performs the following:

  • If \(j = \hat{\jmath }\), then \(\mathcal {B}_{3,0}\) prepares \(\mathsf {sid}^t_{\hat{\jmath }}\) as in \(G_2\), and then sends \(\mathsf {sid}^t_{\hat{\jmath }}\) to its signing oracle and receives back a signature \(\sigma '\) for message \(\mathsf {sid}^t_{\hat{\jmath }}\) under \({\mathsf{sk}}^{*}\). \(\mathcal {B}_{3,0}\) then responds as in \(G_2\) except that it sets \(\sigma \mathrel {\mathop :}=\sigma '\).

  • If \(j \ne \hat{\jmath }\), then \(\mathcal {B}_{3,0}\) responds as in \(G_2\).

• \(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): \(\mathcal {B}_{3,0}\) responds as in \(G_2\).

• \(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{3,0}\) responds as in \(G_2\). Here, note that since \(\mathcal {A} \) follows the Type-5 or Type-6 strategy, \(\mathcal {B}_{3,0}\) can answer all the \(\mathsf {RevLTK}\)-query. Namely, \(\mathcal {A} \) never queries \(\mathsf {RevLTK}(\hat{\jmath })\) (i.e., \(\mathsf {lsk}_{\hat{\jmath }} := (\mathsf {dk}_{\hat{\jmath }}, {\mathsf{sk}}^*)\)) conditioning on \(\mathsf {E_{testO}}\) not occurring, which is the only query that \(\mathcal {B}_{3,0}\) cannot answer.

• \(\mathsf {Test}(i, s)\): \(\mathcal {B}_{3,0}\) responds as in \(G_2\). Here, in case \(\mathsf {Pid}^s_i \ne \hat{\jmath }\), then event \(\mathsf {E_{testO}}\) is triggered so it aborts.

It is clear that \(\mathcal {B}_{3,0}\) perfectly simulates the view of game \(G_{2}\) to \(\mathcal {A} \). Below, we analyze the probability that \(\mathcal {B}_{3,0}\) breaks the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) and relate it to \(\Pr [\mathsf {E_{sig}}]\).

We assume \(\mathcal {A}\) issues \(\mathsf {Test}(i^{*}, s^{*})\). Let the message sent by the initiator oracle \(\pi ^{s^{*}}_{i^{*}}\) be \((\mathsf {ek}^{*}_{T}, \sigma _{i^*})\) and the message received by \(\pi ^{s^{*}}_{i^{*}}\) be \((\mathsf {C}^{*}, \mathsf {C}^{*}_{T}, \mathsf {c}^{*})\). Let \(\sigma ^{*}\) be the signature recovered from \(\mathsf {c}^{*}\). Then, by the definition of the Type-5 or Type-6 strategy and conditioned on \(\mathsf {E_{testO}}\) not occurring, the tested oracle \(\pi ^{s^{*}}_{i^{*}}\) satisfies the following conditions:

• \(\mathsf {role}^{s^{*}}_{i^{*}} = \mathtt {init}{}\) and \(\mathsf {Pid}^{s^{*}}_{i^{*}} = \hat{\jmath }\),

• \(\pi ^{s^{*}}_{i^{*}}\) is in the \(\mathtt {accept}\) state. This implies \(\mathsf{SIG}.\mathsf{Verify}({\mathsf{vk}}^{*}, P _{ i^{*} } \Vert P_{\hat{\jmath }} \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{\hat{\jmath }} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}, \sigma ^{*}) = 1\) holds,

• \(P_{\hat{\jmath }}\) was not corrupted before \(\pi ^{s^{*}}_{i^{*}}\) completes the protocol execution,

• \(\pi ^{s^{*}}_{i^{*}}\) has no partner oracles.

Since \(\pi ^{s^{*}}_{i^{*}}\) has no partner oracles, there exists no responder oracle \(\pi ^t_{\hat{\jmath }}\) that has received \(\mathsf {ek}^*_T\) from \( P _{ i^* }\) and output \((\mathsf {C}^{*}, \mathsf {C}^{*}_{T})\). In other words, there is no oracle \(\pi ^t_{\hat{\jmath }}\) that has signed on the message \( P _{ i^{*} } \Vert P_{\hat{\jmath }} \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{\hat{\jmath }} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}\). Notice that this is exactly the event \(\mathsf {E_{sig}}\); an initiator oracle \(\pi ^{s^{*}}_{i^{*}}\) receives a signature that was not signed by an oracle \(\pi ^t_{\hat{\jmath }}\) for any \(t \in [\ell ]\), and \(P_{\hat{\jmath }}\) was not corrupted when \(\pi ^{s^{*}}_{i^{*}}\) receives the signature. Therefore, \(\mathcal {B}_{3,0}\) obtains a valid forgery \(( P _{ i^{*} } \Vert P_{\hat{\jmath }} \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{\hat{\jmath }} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}, \sigma ^{*})\), and we have \(\Pr [\mathsf {E_{sig}}] = \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,0})\). Combining everything together, we conclude

$$\begin{aligned} \epsilon _{1} \le \mu \cdot \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,0}). \end{aligned}$$

\(\square \)

Proof of Lemma A.4: Against Type-7 or Type-8 Adversary

Lemma A.4

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-7 or Type-8 strategy, there exists a \(\mathsf {QPT}\) algorithm \(\mathcal {B}_{3,1}\) breaking the \(\mathsf {EUF\text {-}CMA}\) of \(\Pi _{\mathsf{SIG}}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu \cdot \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,1}). \end{aligned}$$

Proof of Lemma A.4

We present the rest of the sequence of games from game \(G_{1}\).

Game \(G_{2}\) In this game, at the beginning of the game, \(\mathcal {C}\) chooses a party \(P_{\hat{\imath }}\) uniformly at random from the \(\mu \) parties. Let \(\mathsf {E_{testO}}\) be the event that the peer of the tested oracle is not \(P_{\hat{\imath }}\). If event \(\mathsf {E_{testO}}\) occurs, \(\mathcal {C}\) aborts. Since \(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability \(1/\mu \), we have

$$\begin{aligned} \epsilon _{2} = \frac{1}{\mu }\epsilon _{1}. \end{aligned}$$

Game \(G_{3}\) This game is identical to \(G_{2}\), except that we add an abort condition. Let S be a list of message-signature pairs that \(P_{\hat{\imath }}\) generated as being an initiator oracle. That is, every time \(\pi ^s_{\hat{\imath }}\) for some \(s \in [\ell ]\) is invoked as an initiator, it updates the list S by appending the message-signature pair \((\mathsf {ek}^s_{\hat{\imath }}, \sigma ^s_{\hat{\imath }})\) that it generates. Then, when a responder oracle \(\pi _{j}^t\) for any \((j, t) \in [\mu ] \times [\ell ]\) is invoked on input \((\mathsf {ek}_T, \sigma )\) from party \(P_{\hat{\imath }}\) (i.e., \(\mathsf {Pid}^t_j = \hat{\imath }\)), it checks if \(\mathsf{SIG}.\mathsf{Verify}({\mathsf{vk}}_{\hat{\imath }}, \mathsf {ek}_T, \sigma ) = 1\) and \(P_{\hat{\imath }}\) is not corrupted, then \((\mathsf {ek}_T, \sigma ) \in S\). If not, the game aborts. Otherwise, it proceeds as in the previous game. We call the event that abort occurs as \(\mathsf {E_{sig}}\). Since the two games are identical until abort, we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{2}\right] - \Pr \left[ \mathsf {S}_{3}\right] \right| \le \Pr \left[ \mathsf {E_{sig}}\right] . \end{aligned}$$

Before, bounding \(\Pr \left[ \mathsf {E_{sig}}\right] \), we finish the proof of the lemma. We show that no adversary \(\mathcal {A} \) following the Type-7 or Type-8 strategy has winning advantage in game \(G_3\), i.e., \(\Pr [\mathsf {S}_3] = 1/2\). To see this, first let us assume \(\mathcal {A} \) issued \(\mathsf {Test}(j^{*}, t^{*})\) and received a key that is not a \(\bot \). That is \(\pi ^{t^*}_{j^*}\) is in the \(\mathtt {accept}\) state. Due to the modification we made in game \(G_2\) and by the definition of the Type-7 or Type-8 strategy, \(\pi ^{t^*}_{j^*}\) has no partner oracle \(\pi ^s_{\hat{\imath }}\) for any \(s \in [\ell ]\) and the peer \(P_{\hat{\imath }}\) was not corrupted before \(\pi ^{t^*}_{j^*}\) completes the protocol execution conditioning on \(\mathsf {E_{testO}}\) not occurring. On the other hand, if \(\pi ^{t^*}_{j^*}\) is in the \(\mathtt {accept}\) state, then event \(\mathsf {E_{sig}}\) must have not been triggered. Consequently, there exists some oracle \(\pi ^s_{\hat{\imath }}\) that output \((\mathsf {ek}^{s}_{\hat{\imath }}, \sigma ^{s}_{\hat{\imath }})\) and \(\pi ^{t^*}_{j^*}\) receives it. This implies that \(\pi ^s_{\hat{\imath }}\) and \(\pi ^{t^*}_{j^*}\) are partner oracles. Since this forms a contradiction, \(\mathcal {A} \) can only receive \(\bot \) when it issues \(\mathsf {Test}(j^{*}, t^{*})\). Hence, since the challenge bit b is statistically hidden from \(\mathcal {A} \), we have \(\Pr [\mathsf {S}_3] = 1/2\).

It remains to bound \(\Pr \left[ \mathsf {E_{sig}}\right] \). We do this by constructing an algorithm \(\mathcal {B}_{3,1}\) against the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) . The description of \(\mathcal {B}_{3,1}\) follows: \(\mathcal {B}_{3,1}\) receives the public parameter \(\mathsf {pp}_{\mathsf{SIG}}\) and the challenge verification key \({\mathsf{vk}}^{*}\). \(\mathcal {B}_{3,1}\) sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) as in \(G_2\) using \(\mathsf {pp}_{\mathsf{SIG}}\). \(\mathcal {B}_{3,1}\) then samples \(\hat{\imath }\) randomly from \([\mu ]\), runs \((\mathsf {dk}_{\hat{\imath }}, \mathsf {ek}_{\hat{\imath }}) \leftarrow \mathsf {KEM}.\mathsf {KeyGen}(\mathsf {pp}{}_{\mathsf {KEM}})\), and sets the long-term public key of party \(P_{\hat{\imath }}\) as \(\mathsf {lpk} _{\hat{\imath }} \mathrel {\mathop :}={} (\mathsf {ek}_{\hat{\imath }}, {\mathsf{vk}}^{*})\). The long-term secret key is implicitly set as \(\mathsf {lsk}_{\hat{\imath }} \mathrel {\mathop :}=(\mathsf {dk}_{\hat{\imath }}, {\mathsf{sk}}^*)\), where \({\mathsf{sk}}^*\) is unknown to \(\mathcal {B}_{3,1}\). For the rest of the parties \( P _{ i }\) for \(i \in [\mu \backslash \hat{\imath }]\), \(\mathcal {B}_{3,1}\) generates \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) as in \(G_2\). Finally, \(\mathcal {B}_{3,1}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries by \(\mathcal {A}\) as follows:

• \(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): Depending on the value of i, it performs the following:

  • If \(i = \hat{\imath }\), then \(\mathcal {B}_{3,1}\) prepares \(\mathsf {ek}_{T}\) as in \(G_2\), and then sends \(\mathsf {ek}_{T}\) to its signing oracle and receives back a signature \(\sigma '\) for message \(\mathsf {ek}_{T}\) under \({\mathsf{sk}}^{*}\). \(\mathcal {B}_{3,1}\) then responds as in \(G_2\) except that it sets \(\sigma _{i} \mathrel {\mathop :}=\sigma '\).

  • If \(i \ne \hat{\imath }\), then \(\mathcal {B}_{3,1}\) responds as in \(G_2\).

• \(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): \(\mathcal {B}_{3,1}\) responds as in \(G_2\).

• \(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): \(\mathcal {B}_{3,1}\) responds as in \(G_2\).

• \(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{3,1}\) responds as in \(G_2\). Here, note that since \(\mathcal {A} \) follows the Type-7 or Type-8 strategy, \(\mathcal {B}_{3,1}\) can answer all the \(\mathsf {RevLTK}\)-query. Namely, \(\mathcal {A} \) never queries \(\mathsf {RevLTK}(\hat{\imath })\) (i.e., \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}_{\hat{\imath }}, {\mathsf{sk}}^*)\)) conditioning on \(\mathsf {E_{testO}}\) not occurring, which is the only query that \(\mathcal {B}_{3,1}\) cannot answer.

• \(\mathsf {Test}(i, s)\): \(\mathcal {B}_{3,1}\) responds as in \(G_2\). Here, in case \(\mathsf {Pid}^s_i \ne \hat{\imath }\), then event \(\mathsf {E_{testO}}\) is triggered, so it aborts.

It is clear that \(\mathcal {B}_{3,1}\) perfectly simulates the view of game \(G_{2}\) to \(\mathcal {A} \). Below, we analyze the probability that \(\mathcal {B}_{3,1}\) breaks the \(\mathsf {EUF\text {-}CMA}\) security of \(\Pi _{\mathsf{SIG}}\) and relate it to \(\Pr [\mathsf {E_{sig}}]\).

We assume \(\mathcal {A}\) issues \(\mathsf {Test}(j^{*}, t^{*})\). Let the message received by the responder oracle \(\pi ^{t^{*}}_{j^{*}}\) be \((\mathsf {ek}^{*}_{T}, \sigma ^{*})\). Then, by the definition of the Type-7 or Type-8 strategy and conditioned on \(\mathsf {E_{testO}}\) not occurring, the oracle \(\pi ^{t^{*}}_{j^{*}}\) satisfies the following conditions:

• \(\mathsf {role}^{t^{*}}_{j^{*}} = \mathtt {resp}{}\) and \(\mathsf {Pid}^{t^{*}}_{j^{*}} = \hat{\imath }\),

• \(\pi ^{t^{*}}_{j^{*}}\) is in the \(\mathtt {accept}\) state. This implies \(\mathsf{SIG}.\mathsf{Verify}({\mathsf{vk}}^{*}, \mathsf {ek}^{*}_{T}, \sigma ^{*}) = 1\) holds,

• \(P_{\hat{\imath }}\) was not corrupted before \(\pi ^{t^{*}}_{j^{*}}\) completes the protocol execution,

• \(\pi ^{s^{*}}_{i^{*}}\) has no partner oracles.

Since \(\pi ^{t^{*}}_{j^{*}}\) has no partner oracles, there exists no initiator oracle \(\pi ^s_{\hat{\imath }}\) that has output \((\mathsf {ek}^{*}_{T}, \sigma ^{*})\). In other words, there is no oracle \(\pi ^s_{\hat{\imath }}\) that has signed the message \(\mathsf {ek}^{*}_{T}\). Notice that this is exactly the event \(\mathsf {E_{sig}}\); a responder oracle \(\pi ^{t^{*}}_{j^{*}}\) receives a signature that was not signed by an oracle \(\pi ^s_{\hat{\imath }}\) for any \(s \in [\ell ]\), and \(P_{\hat{\imath }}\) was not corrupted when \(\pi ^{t^{*}}_{j^{*}}\) receives the signature. Therefore, \(\mathcal {B}_{3,1}\) obtains a valid forgery \((\mathsf {ek}^{*}_{T}, \sigma ^{*})\), and we have \(\Pr [\mathsf {E_{sig}}] = \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,1})\)

Combining everything together, we conclude

$$\begin{aligned} \epsilon _{1} \le \mu \cdot \mathsf {Adv}^{\mathsf {EUF\text {-}CMA}}_{\mathsf{SIG}{}}(\mathcal {B}_{3,1}). \end{aligned}$$

\(\square \)

B Full Proofs for Deniable Signal-Conforming AKE \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\)

In this section, we provide the proofs of the correctness and security of our deniable Signal-conforming AKE protocol \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) .

1.1 B.1 Correctness of Deniable Signal-Conforming AKE \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\)

We prove the correctness of our deniable Signal-Conforming AKE protocol \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\).

Proof of Theorem 7.6

This proof is similar to the proof of Theorem 4.2. It is clear that an initiator oracle and a responder oracle become partners when they execute the protocol faithfully. Moreover, if no correctness error occurs in the underlying KEM schemes and ring signature scheme, the partner oracles compute an identical session key. Since each oracle is assigned to uniform randomness, the probability that a correctness error occurs in one of the underlying schemes is bounded by \(\delta _{\mathsf {RS}{}} +2 \delta _{\mathsf {KEM}} \). Since there are at most \(\mu \ell /2\) responder oracles, the AKE protocol is correct except with probability \(\mu \ell \cdot (\delta _{\mathsf {RS}{}} + 2\delta _{\mathsf {KEM}})/2\). \(\square \)

1.2 B.2 Security of Deniable Signal-Conforming AKE \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\)

We prove the security of our deniable Signal-Conforming AKE protocol \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\).

Proof of Theorem 7.7

Let \(\mathcal {A}\) be an adversary that plays the security game \(G^{\mathsf {weakFS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {DAKE} {}}(\mu , \ell )\) with the challenger \(\mathcal {C}\) with advantage \(\mathsf {Adv}{}^{\mathsf {AKE}\textsf {-}\mathsf {weakFS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {DAKE} {}}(\mathcal {A}) = \epsilon \). The bulk of the proof is identical to the proof of Theorem 4.3 for the (non-deniable) protocol \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\). Namely, we divide the strategy that can be taken by \(\mathcal {A} \) (listed in Table 1) and we construct an algorithm that breaks one of the underlying assumptions by using such an \(\mathcal {A} \) as a subroutine. Formally, we construct seven algorithms \(\mathcal {B}_{1}, \dots , \mathcal {B}_{4}\) and \(\mathcal {D}_{1}, \dots , \mathcal {D}_{3}\) satisfying the following:

1. 1.

   If \(\mathcal {A}\) uses the Type-1 (or Type-2) strategy, then \(\mathcal {B}_{1}\) succeeds in breaking the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell ^{2}}\epsilon \) or \(\mathcal {D}_{1}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell ^{2}}\epsilon \).

2. 2.

   If \(\mathcal {A}\) uses the Type-3 (or Type-4) strategy, then \(\mathcal {B}_{2}\) succeeds in breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \) or \(\mathcal {D}_{2}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \).

3. 3.

   If \(\mathcal {A}\) uses the Type-5 or Type-6 strategy, then \(\mathcal {B}_{3}\) succeeds in breaking the unforgeability of \(\Pi _\mathsf{RS}\) with advantage \(\approx \epsilon \).

4. 4.

   If \(\mathcal {A}\) uses the Type-7 (or Type-8) strategy, then \(\mathcal {B}_{4}\) succeeds in breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \) or \(\mathcal {D}_{3}\) succeeds in breaking the security of PRF \(\mathsf {F}\) with advantage \(\approx \frac{1}{\mu ^{2}\ell }\epsilon \).

We present a security proof structured as a sequence of games. Without loss of generality, we assume that \(\mathcal {A}\) always issues a \(\mathsf {Test}\)-query. In the following, let \(\mathsf {S}_{j}\) denote the event that \(b = b'\) occurs in game \(G_{j}\) and let \(\epsilon _{j} \mathrel {\mathop :}=\left| \Pr \left[ \mathsf {S}_{j}\right] - 1/2 \right| \) denote the advantage of the adversary in game \(G_{j}\). Regardless of the strategy taken by \(\mathcal {A}\), all proofs share a common game sequence \(G_{0}\)-\(G_{1}\) as described below. Although they are identical to those of Theorem 4.3, we provide them for completeness.

Game \(G_{0}\) This game is identical to the original security game. We thus have

$$\begin{aligned} \epsilon _{0} = \epsilon . \end{aligned}$$

Game \(G_{1}\) This game is identical to \(G_{0}\), except that we add an abort condition. Let \(\mathsf {E}_{\mathsf {corr}}{}\) be the event that there exist two partner oracles \(\pi ^s_i\) and \(\pi ^t_j\) that do not agree on the same session key. If \(\mathsf {E}_{\mathsf {corr}}\) occurs, then \(\mathcal {C}\) aborts (i.e., sets \(\mathcal {A} \)’s output to be a random bit) at the end of the game.

There are at most \(\mu \ell /2\) responder oracles and each oracle is assigned uniform randomness. From Theorem 7.6, the probability of error occurring during the security game is at most \(\mu \ell (\delta _{\mathsf {RS}{}} + 2\delta _{\mathsf {KEM}})/2\). Therefore, \(\mathsf {E}_{\mathsf {corr}}\) occurs with probability at most \(\mu \ell (\delta _{\mathsf {RS}{}} + 2\delta _{\mathsf {KEM}})/2\). We thus have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{0}\right] - \Pr \left[ \mathsf {S}_{1}\right] \right| \le \frac{\mu \ell }{2} \cdot (\delta _{\mathsf {RS}{}} + 2\delta _{\mathsf {KEM}} ). \end{aligned}$$

In the following games we assume no decryption error or signature verification error occurs.

We now divide the game sequence depending on the strategy taken by the adversary \(\mathcal {A}\). Regardless of \(\mathcal {A}{}\)’s strategy, we prove that \(\epsilon _{1}\) is negligible, which in particular implies that \(\epsilon \) is also negligible. Formally, this is shown in Lemmata B.3 to B.2 provided below. We first complete the proof of the theorem. Specifically, by combining all the lemmata together, we obtain the following desired bound:

$$\begin{aligned}&\mathsf {Adv}{}^{\mathsf {AKE}\textsf {-}\mathsf {weakFS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {DAKE} {}}(\mathcal {A})\\&\quad \le \max \left\{ \begin{array}{l} \mu ^{2}\ell ^{2} \cdot (\mathsf {Adv}^{\mathsf {IND\text {-}CPA}}_{\mathsf {wKEM}}(\mathcal {B}_{1}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{1}) + \varepsilon _{\mathsf {Ext}}),\\ \mu ^{2}\ell \cdot (\mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM}}(\mathcal {B}_{2}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}) + \varepsilon _{\mathsf {Ext}}) + \mu \ell ^{2} \cdot \left( \frac{1}{2^{ 2 \chi _{\mathsf {KEM}}}} + \frac{1}{2^{\nu _{\mathsf {KEM}}}}\right) ,\\ \mathsf {Adv}^{\mathsf {Unf}}_{\mathsf {RS}{}}(\mathcal {B}_{3}),\\ \mu ^{2}\ell \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{4}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{3}) + \varepsilon _{\mathsf {Ext}}\right) + \mu \ell ^{2} \cdot \frac{1}{2^{\chi _{\mathsf {KEM}}}} \end{array} \right\} \\&\qquad + \frac{\mu \ell }{2} \cdot (\delta _{\mathsf {RS}{}} + 2\delta _{\mathsf {KEM}} ). \end{aligned}$$

Here, the running time of the algorithms \(\mathcal {B}_{1}, \dots , \mathcal {B}_{4}\) and \(\mathcal {D}_{1}, \dots , \mathcal {D}_{3}\) consist essentially the time required to simulate the security game for \(\mathcal {A}\) once, plus a minor number of additional operations. \(\square \)

It remains to prove Lemmata B.3 to B.2. Since the proof of Lemmata B.3 and B.4 is a direct consequence of the proof of the corresponding Lemmata A.1 and A.2 of Theorem 4.3,³³ we focus on proving Lemmas B.1 and B.2 below.

Lemma B.1

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-5 or Type-6 strategy, there exists a \(\mathsf {QPT}\) algorithm \(\mathcal {B}_{3}\) breaking the unforgeability of \(\Pi _\mathsf{RS}\) such that

$$\begin{aligned} \epsilon _{1} \le \mathsf {Adv}^{\mathsf {Unf}}_{\mathsf {RS}{}}(\mathcal {B}_{3}). \end{aligned}$$

Proof of Lemma B.1

We present the rest of the sequence of games from game \(G_{1}\).

Game \(G_{2}\) This game is identical to \(G_{1}\), except that we add an abort condition. Let \(S_{j}\) be a list of message-signature pairs that \( P _{ j }\) generated as being a responder oracle. That is, every time \(\pi ^t_{j}\) for some \(t \in [\ell ]\) is invoked as a responder, it updates the list \(S_{j}\) by appending the message-signature pair \((\mathsf {sid}^t_{j}, \sigma ^t_{j})\) that it generates. Then, when an initiator oracle \(\pi _{i}^s\) for any \((i, s) \in [\mu ] \times [\ell ]\) is invoked on input \((\mathsf {C}, \mathsf {C}_{T}, \mathsf {c})\) from party \( P _{ j }\) (i.e., \(\mathsf {Pid}^s_i = j\)), it first computes \(\mathsf {sid}^s_i\) and \(\sigma \) as in the previous game and checks if \(\mathsf {RS}.\mathsf {Verify}(\left\{ \mathsf {vk}_T, \mathsf {vk}_{j} \right\} , \mathsf {sid}^s_i, \sigma ) = 1\) and \((\mathsf {sid}^s_i, \sigma ) \in S_{j}\). If not, the game aborts. Otherwise, it proceeds as in the previous game. We call the event that abort occurs as \(\mathsf {E_{sig}}\). Since the two games are identical until abort, we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{2}\right] - \Pr \left[ \mathsf {S}_{3}\right] \right| \le \Pr \left[ \mathsf {E_{sig}}\right] . \end{aligned}$$

Before, bounding \(\Pr \left[ \mathsf {E_{sig}}\right] \), we finish the proof of the lemma. We show that no adversary \(\mathcal {A}\) following the Type-5 or Type-6 strategy has winning advantage in game \(G_2\), i.e., \(\Pr [\mathsf {S}_2] = 1/2\). To see this, first let us assume \(\mathcal {A}\) issued \(\mathsf {Test}(i^{*}, s^{*})\) and received a key that is not a \(\bot \). In other words, \(\pi ^{s^*}_{i^*}\) is in the \(\mathtt {accept}\) state. By the definition of the Type-5 or Type-6 strategy, \(\pi ^{s^*}_{i^*}\) has no partner oracle \(\pi ^t_{j}\) for any \((j, t) \in [\mu ] \times [\ell ]\). On the other hand, if \(\pi ^{s^*}_{i^*}\) is in the \(\mathtt {accept}\) state, then event \(\mathsf {E_{sig}}\) must have not triggered. Consequently, there exists some oracle \(\pi ^t_{j}\) that output \((\mathsf {sid}^{s^*}_{i^*}, \sigma ^*)\). Parsing \(\mathsf {sid}^{s^*}_{i^*}\) as \( P _{ i^{*} } \Vert P _{ j } \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{j} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {vk}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}\), this implies that \(\pi ^t_{j}\) and \(\pi ^{s^*}_{i^*}\) are partner oracles. Since this forms a contradiction, \(\mathcal {A}\) can only receive \(\bot \) when it issues \(\mathsf {Test}(i^{*}, s^{*})\). Hence, since the challenge bit b is statistically hidden from \(\mathcal {A}\), we have \(\Pr [\mathsf {S}_2] = 1/2\).

It remains to bound \(\Pr \left[ \mathsf {E_{sig}}\right] \). We do this by constructing an algorithm \(\mathcal {B}_{3}\) against the unforgeability of \(\Pi _\mathsf{RS}\) . The description of \(\mathcal {B}_3\) follows: \(\mathcal {B}_3\) receives the public parameter \(\mathsf {pp}_{\mathsf {RS}}\) and \(\mu + \mu \ell \) verification keys \(\mathsf {vk}_{1},\dots ,\mathsf {vk}_{\mu }\) and \(\mathsf {vk}^{1}_{1},\dots ,\mathsf {vk}^{\ell }_{\mu }\). \(\mathcal {B}_3\) sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) as in game \(G_{2}\) using \(\mathsf {pp}_{\mathsf {RS}}\). \(\mathcal {B}_3\) then runs \((\mathsf {dk}_{i}, \mathsf {ek}_{i}) \leftarrow \mathsf {KEM}.\mathsf {KeyGen}(\mathsf {pp}{}_{\mathsf {KEM}})\) and sets the long-term public key of party \( P _{ i }\) as \(\mathsf {lpk} _{i} \mathrel {\mathop :}={} (\mathsf {ek}_{i}, \mathsf {vk}_{i})\). The long-term secret key is implicitly set as \(\mathsf {lsk}_{i} \mathrel {\mathop :}=(\mathsf {dk}_{i}, \mathsf {sk}_{i})\), where \(\mathsf {sk}_{i}\) is unknown to \(\mathcal {B}_3\). Finally, \(\mathcal {B}_{3}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries by \(\mathcal {A}\) as follows:

• \(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): \(\mathcal {B}_{3}\) responds as in \(G_1\) except that it sets \(\mathsf {vk}_{T} \mathrel {\mathop :}=\mathsf {vk}^{s}_{i}\).

• \(\mathsf {Send}(j, t, m=(\mathsf {ek}_{T}, \mathsf {vk}_{T}))\): \(\mathcal {B}_3\) responds as in \(G_1\) except that rather than constructing the signature \(\sigma \) on its own, it sends \((\mathsf {sign}, j, \mathsf {sid}^t_{j}, \left\{ \mathsf {vk}_{T}, \mathsf {vk}_{j} \right\} )\) to its signing oracle and uses the signature \(\sigma '\) that it receives.

• \(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): \(\mathcal {B}_{3}\) responds as in \(G_1\).

• \(\mathsf {RevLTK}(i)\): \(\mathcal {B}_{3}\) sends \((\mathsf {corrupt}, i)\) to its corruption oracle and receives back a signing key \(\mathsf {sk}'_{i}\). \(\mathcal {B}_3\) then sets \(\mathsf {sk}_{i} \mathrel {\mathop :}=\mathsf {sk}'_{i}\) and returns \(\mathsf {lsk}_{i} = (\mathsf {dk}_i, \mathsf {sk}_i)\).

• \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{3}\) responds as in \(G_1\).

• \(\mathsf {Test}(i, s)\): \(\mathcal {B}_{3}\) responds as in \(G_1\).

It is clear that \(\mathcal {B}_3\) perfectly simulates the view of game \(G_{2}\) to \(\mathcal {A}\). Below, we analyze the probability that \(\mathcal {B}_3\) breaks the unforgeability of \(\Pi _\mathsf{RS}\) and relate it to \(\Pr [\mathsf {E_{sig}}]\).

We assume \(\mathcal {A}\) issues \(\mathsf {Test}(i^{*}, s^{*})\). Let the message sent by the initiator oracle \(\pi ^{s^{*}}_{i^{*}}\) be \((\mathsf {ek}^{*}_{T}, \mathsf {vk}^{*}_{T})\) and the message received by \(\pi ^{s^{*}}_{i^{*}}\) be \((\mathsf {C}^{*}, \mathsf {C}^{*}_{T}, \mathsf {c}^{*})\). Let \(\sigma ^{*}\) be the signature recovered from \(\mathsf {c}^{*}\). Then, by the definition of the Type-5 or Type-6 strategy, the tested oracle \(\pi ^{s^{*}}_{i^{*}}\) satisfies the following conditions:

• \(\mathsf {role}^{s^{*}}_{i^{*}} = \mathtt {init}{}\),

• \( P _{ j }\) is not corrupted where \(\mathsf {Pid}^{s^{*}}_{i^{*}} = j\) and \(j \in [\mu ]\),

• \(\pi ^{s^{*}}_{i^{*}}\) is in the \(\mathtt {accept}\) state. This implies \(\mathsf {RS}.\mathsf {Verify}(\left\{ \mathsf {vk}^{*}_{T}, \mathsf {vk}_{j} \right\} , P _{ i^{*} } \Vert P _{ j } \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{j} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {vk}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}, \sigma ^{*}) = 1\) holds,

• \(\pi ^{s^{*}}_{i^{*}}\) has no partner oracles.

Since \( P _{ j }\) is not corrupted, \(\mathcal {A}\) has never queried \(\mathsf {RevLTK}(j)\)-query. Moreover, since an honest initiator discards \(\mathsf {sk}^*_T\) on generation, \(\mathcal {B}_3\) never uses them for simulation. These two facts imply that \((\mathsf {corrupt}, j)\) and \((\mathsf {corrupt}, (i, T))\) has never been queried, where \((\mathsf {corrupt}, (i, T))\) is a query regarding the verification key \(\mathsf {vk}^{s^*}_{i^*}\). In particular, the ring \(\left\{ \mathsf {vk}^{*}_{T}, \mathsf {vk}_{j} \right\} \) consists of non-corrupted verification keys. Moreover, since \(\pi ^{s^{*}}_{i^{*}}\) has no partner oracles, there exists no responder oracle \(\pi ^t_{j}\) that has received \((\mathsf {ek}^*_T, \mathsf {vk}^{*}_{T})\) from \( P _{ i^* }\) and sent \((\mathsf {C}^{*}, \mathsf {C}^{*}_{T})\). In other words, there is no oracle \(\pi ^t_{j}\) that has signed on the message \( P _{ i^{*} } \Vert P _{ j } \Vert \mathsf {lpk} _{i^{*}} \Vert \mathsf {lpk} _{j} \Vert \mathsf {ek}^{*}_{T} \Vert \mathsf {vk}^{*}_{T} \Vert \mathsf {C}^{*} \Vert \mathsf {C}^{*}_{T}\). Notice that this is exactly the event \(\mathsf {E_{sig}}\); an initiator oracle \(\pi ^{s^{*}}_{i^{*}}\) receives a signature that was not signed by an oracle \(\pi ^t_{j}\) for any \(t \in [\ell ]\). Therefore, we have \(\Pr [\mathsf {E_{sig}}] = \mathsf {Adv}^{\mathsf {Unf}}_{\mathsf {RS}{}}(\mathcal {B}_{3})\).

Combining everything together, we conclude

$$\begin{aligned} \epsilon _{1} \le \mathsf {Adv}^{\mathsf {Unf}}_{\mathsf {RS}{}}(\mathcal {B}_{3}). \end{aligned}$$

\(\square \)

Lemma B.2

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-7 or Type-8 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{4}\) breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) and \(\mathcal {D}_{3}\) breaking the security of PRF \(\mathsf {F}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{4}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{3}) + \varepsilon _{\mathsf {Ext}}\right) + \mu \ell ^{2} \cdot \frac{1}{2^{\chi _{\mathsf {KEM}}}}. \end{aligned}$$

Proof of Lemma B.2

We present the rest of the sequence of games from game \(G_{1}\).

Game \(G_{2}\) This game is identical to \(G_{1}\), except that we add another abort condition. Let \(\mathsf {E}_{\mathsf {coll}}\) be the event that there exists two responder oracles \(\pi ^t_j\) and \(\pi ^{t'}_j\) for any \(j \in [\mu ]\) and \(t \ne t' \in [\ell ]\) such that they output the same \(\Pi _\mathsf {KEM}\) ciphertext. That is, there exists two oracles \(\pi ^t_j\) and \(\pi ^{t'}_j\) that output \((\mathsf {C}, \mathsf {C}_T, \mathsf {c})\) and \((\mathsf {C}', \mathsf {C}'_T, \mathsf {c}')\) such that \(\mathsf {C}= \mathsf {C}'\). Here, we only consider the case where \(\mathsf {Pid}^t_j\) and \(\mathsf {Pid}^{t'}_j\) correspond to parties generated by the game (and not parties added by the adversary). If \(\mathsf {E}_{\mathsf {coll}}\) occurs, then \(\mathcal {C}\) aborts. Since \(G_{1}\) and \(G_{2}\) proceed identically unless \(\mathsf {E}_{\mathsf {coll}}\) occurs, we have

$$\begin{aligned} \left| \epsilon _1 - \epsilon _2 \right| \le \Pr \left[ \mathsf {E}_{\mathsf {coll}}\right] . \end{aligned}$$

We claim

$$\begin{aligned} \Pr \left[ \mathsf {E}_{\mathsf {coll}}{}\right] \le \mu \ell ^{2} \cdot \frac{1}{2^{ \chi _{\mathsf {KEM}}}}. \end{aligned}$$

Since each oracles \(\pi ^t_j\) are initialized with uniform random and independent randomness and \(\mathsf {ek}_i\) is honestly generated, where \(i = \mathsf {Pid}^t_j\), each ciphertext \(\mathsf {C}\) output by oracle \(\pi ^t_j\) has \(\chi _{\mathsf {KEM}}\)-min entropy due to the \( \chi _{\mathsf {KEM}}\)-high ciphertext min-entropy of \(\Pi _\mathsf {KEM} \). Fixing on one \(j \in [\mu ]\), the probability of a collision occurring is upper bounded by \(\mu ^2/ 2^{ \chi _{\mathsf {KEM}}}\). Then, taking the union bound on all the parties, we obtain the claimed bound.

Game \(G_{3}\) In this game, before starting the game, \(\mathcal {C}\) chooses a responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) and a party \(P_{\hat{\imath }}\) uniformly at random from \(\mu \ell \) oracles and \(\mu \) parties, respectively. Let \(\mathsf {E_{testO}}\) be the event that the tested oracle is not \(\pi ^{\hat{t}}_{\hat{\jmath }}\) or the peer of the tested oracle is not \(P_{\hat{\imath }}\). Since \(\mathsf {E_{testO}}\) is an efficiently checkable event, \(\mathcal {C}\) aborts as soon as it detects that event \(\mathsf {E_{testO}}\) occurs. \(\mathcal {C}\) guesses the choice made by \(\mathcal {A}\) correctly with probability \(1/\mu ^{2}\ell \), so we have

$$\begin{aligned} \epsilon _3 = \frac{1}{\mu ^{2}\ell }\epsilon _{2}. \end{aligned}$$

Game \(G_{4}\) In this game, we modify the way the initiator oracle \(\pi ^{s}_{\hat{\imath }}\) for any \(s \in [\ell ]\) responds on its second invocation. Let \((\mathsf {K}, \mathsf {C})\) be the \(\Pi _\mathsf {KEM}\) key-ciphertext pair generated by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). Then, when \(\pi ^{s}_{\hat{\imath }}\) is invoked (on the second time) on input \((\mathsf {C}', \mathsf {C}_{T}, \mathsf {c})\), it first checks if \(\mathsf {C}' = \mathsf {C}\). If so, it proceeds as in the previous game except that it uses the key \(\mathsf {K}\) that was generated by \(\pi ^{\hat{t}}_{\hat{\jmath }}\) rather than using the key obtained through decrypting \(\mathsf {C}'\). Otherwise, if \(\mathsf {C}' \ne \mathsf {C}\), then it proceeds exactly as in the previous game.

Conditioning on event \(\mathsf {E}_{\mathsf {corr}}{}\) (i.e., decryption failure) not occurring, the two games \(G_3\) and \(G_4\) are identical. Hence,

$$\begin{aligned} \epsilon _{4} = \epsilon _3. \end{aligned}$$

Game \(G_{5}\) In this game, we modify the way the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) responds. When the responder oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) is invoked on input \(\mathsf {ek}_T\), it samples a random key instead of computing \((\mathsf {K}, \mathsf {C}) \leftarrow \mathsf {KEM}.\mathsf {Encap}(\mathsf {ek}_{\hat{\imath }})\). Note that due to the modification we made in the previous game, when the initiator oracle \(\pi ^{s}_{\hat{\imath }}\) for any \(s \in [\ell ]\) is invoked (on the second time) on input \((\mathsf {C}', \mathsf {C}_{T}, \mathsf {c})\) for \(\mathsf {C}' = \mathsf {C}\), it uses the random key \(\mathsf {K}\) generated by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). We claim \(G_{4}\) and \(G_{5}\) are indistinguishable assuming the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) . To prove this, we construct an algorithm \(\mathcal {B}_{4}\) breaking the \(\mathsf {IND\text {-}CCA}\) security as follows.

\(\mathcal {B}_{4}\) receives a public parameter \(\mathsf {pp}{}_{\mathsf {KEM}}\), a public key \(\mathsf {ek}^{*}\), and a challenge \((\mathsf {K}^{*}, \mathsf {C}^{*})\) from its challenger. \(\mathcal {B}_{4}\) then samples a random , sets up the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) using \(\mathsf {pp}{}_{\mathsf {KEM}}\), and generates the long-term key pairs as follows. For party \(P_{\hat{\imath }}\), \(\mathcal {B}_{4}\) runs \((\mathsf {vk}_{\hat{\imath }}, \mathsf {sk}_{\hat{\imath }}) \leftarrow \mathsf {RS}.\mathsf {KeyGen}(1^{\kappa })\) and sets the long-term public key as \(\mathsf {lpk} _{\hat{\imath }} := (\mathsf {ek}^{*}, \mathsf {vk}_{\hat{\imath }})\) and implicitly sets the long-term secret key as \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}^*, \mathsf {sk}_{\hat{\imath }})\), where note that \(\mathcal {B}_{3,1}\) does not know \(\mathsf {dk}^*\). For all the other parties \(i \in [\mu \backslash \hat{\imath }]\), \(\mathcal {B}_{4}\) computes the long-term key pairs \((\mathsf {lpk} _{i}, \mathsf {lsk}_{i})\) as in \(G_5\). Finally, \(\mathcal {B}_{4}\) invokes \(\mathcal {A}\) on input the public parameter of \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) and \(\left\{ \mathsf {lpk} _{i} \mid i \in [\mu ] \right\} \) and answers the queries made by \(\mathcal {A}\) as follows:

• \(\mathsf {Send}(i, s, \langle \mathtt {START}: \mathsf {role}{}, j \rangle )\): \(\mathcal {B}_{4}\) proceeds as in \(G_5\).

• \(\mathsf {Send}(j, t, m = (\mathsf {ek}_T, \sigma _{i}))\): Let \(i \mathrel {\mathop :}=\mathsf {Pid}^{t}_{j}\). Depending on the values of (j, t, i), it performs the following:

  • If \((j, t, i) = (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{4}\) responds as in \(G_5\) except that it sets \((\mathsf {K}, \mathsf {C}) := (\mathsf {K}^*, \mathsf {C}^{*})\) rather than generating them on its own. It then returns the message \((\mathsf {C}^{*}, \mathsf {C}_{T}, \mathsf {c}{})\).

  • If \((j, t, i) \ne (\hat{\jmath }, \hat{t}, \hat{\imath })\), then \(\mathcal {B}_{4}\) responds as in \(G_5\).

• \(\mathsf {Send}(i, s, m=(\mathsf {C}, \mathsf {C}_{T}, \mathsf {c}))\): Depending on the value of i, it performs the following:

  • If \(i = \hat{\imath }\), then \(\mathcal {B}_{4}\) checks if \(\mathsf {C}= \mathsf {C}^*\). If so, it responds as in \(G_5\) except that it sets \(\mathsf {K}\mathrel {\mathop :}=\mathsf {K}^{*}\). Otherwise, if \(\mathsf {C}\ne \mathsf {C}^*\), then it queries the decapsulation oracle on \(\mathsf {C}\) and receives back \(\mathsf {K}'\). \(\mathcal {B}_{3,1}\) then responds as in \(G_5\) except that it sets \(\mathsf {K}\mathrel {\mathop :}=\mathsf {K}'\).

  • If \(i \ne \hat{\imath }\), then \(\mathcal {B}_{4}\) responds as in \(G_5\).

• \(\mathsf {RevLTK}(i)\), \(\mathsf {RegisterLTK}(i)\), \(\mathsf {RevState}(i, s)\), \(\mathsf {RevSessKey}(i, s)\): \(\mathcal {B}_{4}\) responds as in \(G_5\). Here, note that since \(\mathcal {A} \) follows the Type-7 or Type-8 strategy, \(\mathcal {B}_{3,1}\) can answer all the \(\mathsf {RevLTK}\)-query. Namely, \(\mathcal {A} \) never queries \(\mathsf {RevLTK}(\hat{\imath })\) (i.e., \(\mathsf {lsk}_{\hat{\imath }} := (\mathsf {dk}^*, \mathsf {sk}_{\hat{\imath }})\)) conditioning on \(\mathsf {E_{testO}}\) not occurring, which is the only query that \(\mathcal {B}_{3,1}\) cannot answer.

• \(\mathsf {Test}(i, s)\): \(\mathcal {B}_{4}\) responds to the query as in the definition. Here, in case \((i, s) \ne (\hat{\jmath },\hat{t})\), then event \(\mathsf {E_{testO}}\) is triggered so it aborts.

If \(\mathcal {A}\) outputs a guess \(b'\), \(\mathcal {B}_{4}\) outputs \(b'\). It can be checked that \(\mathcal {B}_{4}\) perfectly simulates game \(G_4\) (resp. \(G_5\)) to \(\mathcal {A} \) when the challenge \(\mathsf {K}^{*}\) is the real key (resp. a random key). Thus we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{4}\right] - \Pr \left[ \mathsf {S}_{5}\right] \right| \le \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{4}). \end{aligned}$$

Game \(G_{6}\) In this game, whenever we need to derive \(\mathsf {K}^*_1 \leftarrow \mathsf {Ext}_s(\mathsf {K}^*)\), we instead use a uniformly and randomly chosen PRF key (fixed once and for all), where \(\mathsf {K}^*\) is the KEM key chosen by oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\). Due to the modification we made in the previous game, \(\mathsf {K}^*\) is chosen uniformly at random from \(\mathcal {KS}_\mathsf {KEM} \) so \(\mathsf {K}\) has \(\log _2(|\mathcal {KS}_\mathsf {KEM} |) \ge \gamma _\mathsf {KEM} \) min-entropy. Then, by the definition of the strong (\(\gamma _\mathsf {KEM}, \varepsilon _{\mathsf {Ext}}\))-extractor \(\mathsf {Ext}\), we have

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{5}\right] - \Pr \left[ \mathsf {S}_{6}\right] \right| \le \varepsilon _{\mathsf {Ext}}. \end{aligned}$$

Game \(G_{7}\) In this game, we sample a random function \(\mathsf {RF}\) and whenever we need to compute \(\mathsf {F}_{\mathsf {K}^*_1}(\mathsf {sid})\) for any \(\mathsf {sid}\), we instead compute \(\mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid})\). Due to the modification we made in the previous game, \(\mathsf {K}^*_1\) is sampled uniformly from \(\mathcal {FK}\). Therefore, the two games can be easily shown to be indistinguishable assuming the pseudo-randomness of the PRF. In particular, we can construct a PRF adversary \(\mathcal {D}_{3}\) such that

$$\begin{aligned} \left| \Pr \left[ \mathsf {S}_{6}\right] - \Pr \left[ \mathsf {S}_{7}\right] \right| \le \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{3}). \end{aligned}$$

It remains to show that the session key outputted by the tested oracle in the game \(G_7\) is uniformly random regardless of the challenge bit \(b \in \{ 0,1 \} \) chosen by the game. We consider the case where \(b = 0\) and prove that the honestly generated session key by the tested oracle is distributed uniformly random. First conditioning on event \(\mathsf {E_{testO}}\) not occurring, it must be the case that the tested oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) prepares the session key as \(\mathsf {k}^* \Vert \tilde{k}\leftarrow \mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid}^*) \oplus \mathsf {F}_{\mathsf {K}_{2}}(\mathsf {sid}^*)\) for some \(\mathsf {sid}^*\). Here, recall \(\mathsf {K}^*_1\) is the random PRF key sampled by the oracle \(\pi ^{\hat{t}}_{\hat{\jmath }}\) (see game \(G_6\)). Next, since the tested oracle has no partner oracle (by definition of the Type-7 and Type-8 strategy), there are no oracles \(\pi ^s_i\) such that \(i \ne i\) that runs \(\mathsf {RF}(\mathsf {K}^*_1, \cdot )\) on input \(\mathsf {sid}^*\). Moreover, conditioning on event \(\mathsf {E}_{\mathsf {coll}}\) not occurring, no oracles \(\pi ^t_{\hat{\imath }}\) for \(t \ne \hat{t}\) run \(\mathsf {RF}(\mathsf {K}^*_1, \cdot )\) on input \(\mathsf {sid}^*\) as well since \((\mathsf {C}, \mathsf {C}_T)\) output by these oracles must be distinct from what \(\pi ^{\hat{t}}_{\hat{\jmath }}\) outputs. Therefore, we conclude that \(\mathsf {RF}(\mathsf {K}^*_1, \mathsf {sid}^*)\) is only used to compute the session key of the tested oracle and used nowhere else. Since the output of \(\mathsf {RF}\) is distributed uniformly random for different inputs, we conclude that \(\Pr \left[ \mathsf {S}_{7}\right] = 1/2\). Combining all the arguments together, we obtain

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{2}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}) + \varepsilon _{\mathsf {Ext}}\right) + \mu \ell ^{2} \cdot \frac{1}{2^{\chi _{\mathsf {KEM}}}}. \end{aligned}$$

\(\square \)

For completeness, we state the remaining Lemmata B.3 and B.4 and provide a proof sketch.

Lemma B.3

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-1 or Type-2 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{1}\) breaking the \(\mathsf {IND\text {-}CPA}\) security of \(\Pi _\mathsf{wKEM}\) and \(\mathcal {D}_{1}\) breaking the security of PRF \(\mathsf {F}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell ^{2} \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CPA}}_{\mathsf {wKEM}}(\mathcal {B}_{1}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{1})+ \varepsilon _{\mathsf {Ext}}\right) . \end{aligned}$$

Lemma B.4

For any \(\mathsf {QPT}\) adversary \(\mathcal {A}\) using the Type-3 or Type-4 strategy, there exist \(\mathsf {QPT}\) algorithms \(\mathcal {B}_{2}\) breaking the \(\mathsf {IND\text {-}CCA}\) security of \(\Pi _\mathsf {KEM}\) and \(\mathcal {D}_{2}\) breaking the security of PRF \(\mathsf {F}\) such that

$$\begin{aligned} \epsilon _{1} \le \mu ^{2}\ell \cdot \left( \mathsf {Adv}^{\mathsf {IND\text {-}CCA}}_{\mathsf {KEM} {}}(\mathcal {B}_{2}) + \mathsf {Adv}^{\mathsf {PRF}}_{\mathsf {F}}(\mathcal {D}_{2}) + \varepsilon _{\mathsf {Ext}}\right) + \mu \ell ^{2} \cdot \left( \frac{1}{2^{ 2 \chi _{\mathsf {KEM}}}} + \frac{1}{2^{\nu _{\mathsf {KEM}}}}\right) . \end{aligned}$$

Proof Sketch of Lemmata B.3 and B.4

The difference between \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) and \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\) is that the former uses a ring signature and the first message sent by the initiator includes the ephemeral verification key \(\mathsf {vk}_{T}\); and the initiator does not sign the first message. In addition, the former considers weak forward secrecy (\(\mathcal {A}\) plays \(G^{\mathsf {weakFS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {DAKE} {}}(\mu , \ell )\)), and the latter considers perfect forward secrecy (\(\mathcal {A}\) plays \(G^{\mathsf {FS}}_{\Pi _\mathsf {SC}\text {-}\mathsf {AKE} {}}(\mu , \ell )\)). However, it can be easily verified that this modification brings no advantage to the adversary following the strategies in the statement. In particular, when \(\mathcal {A}\) uses the Type-1, Type-2, Type-3 or Type-4 strategy (i.e., the tested oracle has a partner oracle), the winning condition (cf. freshness clauses Items 1 to 4) of the two security game is identical. Specifically, the proofs are identical to the proofs of Lemmata A.1 and A.2.

In slightly more detail, notice the session key derivation step in \(\Pi _\mathsf {SC}\text {-}\mathsf {DAKE}\) is exactly the same as those in \(\Pi _\mathsf {SC}\text {-}\mathsf {AKE}\). Namely, the value of the derived session key is independent of the signature conditioning on the signature being valid. Further, notice the proofs of Lemmata A.1 and A.2 only relies on the security properties of the KEM, PRF, and extractor. That is, the proof does not hinge on the security offered by the signature scheme and this holds even if remove the signature from the first message and replace the signature scheme with a ring signature scheme. Here, we note that the validity of the ephemeral ring signature verification key never comes in play in the security proof. Therefore, the proofs of Lemmata A.1 and A.2 follow. \(\square \)

C Equivalence Between \(\mathsf{DVS}\) and Ring Signature

In a subsequent work, Brendel et al. [19] showed a generic construction of a deniable Signal-conforming AKE protocol based on a designated verifier signature (\(\mathsf{DVS}\)) and a \(\mathsf {KEM}\). They showed how to instantiate \(\mathsf{DVS}\) from a ring signature (for a ring of two users) but left open the opposite implication and speculated the possibility of constructing \(\mathsf{DVS}\) easier than a ring signature.

In this section, we solve this open problem. We show how to instantiate a ring signature (for a ring of two users) from \(\mathsf{DVS}\) and show that \(\mathsf{DVS}\) is a ring signature in disguise. As discussed in Footnote 10, the security notion of \(\mathsf{DVS}\) and ring signatures may come in different flavors so it is not always the case that they are equivalent. We only focus on \(\mathsf{DVS}\) and ring signatures that Brendel et al. [19] required to construct their AKE protocol. Namely, the definition of ring signature we provide in Sect. 2.6 is strictly stronger than those considered in [19]. We make this clear when we provide the security proof of our ring signature based on \(\mathsf{DVS}\).

The following syntax and security definition of \(\mathsf{DVS}\) is taken almost verbatim from [19, Section 3]. One thing to keep in mind is that even though it is called designated verifier, the syntax of Brendel et al. allows the signature to be publicly verifiable. This will be essential when building a ring signature.

Definition C.1

A \(\mathsf{DVS}\) is a tuple of algorithms \(\mathsf{DVS} = (\mathsf {SKGen}, \mathsf {VKGen}, \mathsf {Sign}, \mathsf {Vrfy}, \mathsf {Sim})\) along with a message space \(\mathcal {M}\).

• \(\mathsf {SKGen}() \rightarrow ({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {S})\): A probabilistic key generation algorithm that outputs a public-/secret-key pair for the signer.

• \(\mathsf {VKGen}() \rightarrow (\mathsf {pk}_\mathsf {D}, \mathsf {sk}_\mathsf {D})\): A probabilistic key generation algorithm that outputs a public-/secret-key pair for the verifier.

• \(\mathsf {Sign}(\mathsf {sk}_\mathsf {S}, \mathsf {pk}_\mathsf {D}, \mathsf {M}) \rightarrow \sigma \): A probabilistic signing algorithm that uses a signer’s secret key \(\mathsf {sk}_\mathsf {S}\) to produce a signature \(\sigma \) for a message \(\mathsf {M}\in \mathcal {M}\) for a designated verifier with public key \(\mathsf {pk}_\mathsf {D}\).

• \(\mathsf {Vrfy}({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}, \mathsf {M}, \sigma ) \rightarrow 1/0\): A deterministic verification algorithm that checks a message \(\mathsf {M}\) and a signature \(\sigma \) against a signer’s public key \({\mathsf {pk}_\mathsf {S}}\) and a verifier’s public key \(\mathsf {pk}_\mathsf {D}\).

• \(\mathsf {Sim}({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {D}, \mathsf {M}) \rightarrow \sigma \): A probabilistic signature simulation algorithm that uses the verifier’s secret key \(\mathsf {sk}_\mathsf {D}\) to produce a signature \(\sigma \) on a message \(\mathsf {M}\) for signer’s public key \({\mathsf {pk}_\mathsf {S}}\).

Definition C.2

(Unforgeability) A \(\mathsf{DVS}\) is unforgeable if for any efficient adversary \(\mathcal {A} \) we have \(\Pr [G^{\mathsf {uf}}(\mathcal {A}) = 1]\) is negligible, where the game \(G^{\mathsf {uf}}\) is defined in Fig. 6.

Definition C.3

(Source Hiding) A \(\mathsf{DVS}\) is source hiding if for any efficient adversary \(\mathcal {A} \) we have \(\left| \Pr [G^{\mathsf {srchid}}(\mathcal {A}) = 1] - 1/2 \right| \) is negligible, where the game \(G^{\mathsf {srchid}}\) is defined in Fig. 6.

Using a standard hybrid argument, we can assume without loss of generality that \(\mathcal {A} \) queries oracle \(\mathtt {Chall}\) once.

Fig. 6

Unforgeability and source hiding for \(\mathsf{DVS}\)

Construction We now provide a generic construction of a ring signature from any \(\mathsf{DVS}\) satisfying the above syntax and security definitions. Following Brendel et al. [19], we assume there is no public parameter and omit \(\mathsf {RS}.\mathsf {Setup}\). We also only consider a ring signature for a ring of two users as this is sufficient to construct an AKE protocol. Moreover, we assume without loss of generality that \({\mathsf {pk}_\mathsf {S}}\) can be ordered lexicographically, e.g., \({\mathsf {pk}_\mathsf {S}}< {\mathsf {pk}_\mathsf {S}}'\).

\(\mathsf {RS}.\mathsf {KeyGen}()\)::

Run \(({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {S}) \leftarrow \mathsf {SKGen}()\) and \((\mathsf {pk}_\mathsf {D}, \mathsf {sk}_\mathsf {D}) \leftarrow \mathsf {VKGen}()\), and output \((\mathsf {RS}.\mathsf {vk}:= ({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}), \mathsf {RS}.\mathsf {sk}:= (\mathsf {sk}_\mathsf {S}, \mathsf {sk}_\mathsf {D}))\).

\(\mathsf {RS}.\mathsf {Sign}(\mathsf {RS}.\mathsf {sk}, \mathsf {M}, \mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}, \mathsf {RS}.\mathsf {vk}' \right\} )\)::

Parse \(({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}) \leftarrow \mathsf {RS}.\mathsf {vk}\) and \(({\mathsf {pk}_\mathsf {S}}', \mathsf {pk}_\mathsf {D}') \leftarrow \mathsf {RS}.\mathsf {vk}'\). If \({\mathsf {pk}_\mathsf {S}}< {\mathsf {pk}_\mathsf {S}}'\), then output \(\sigma \leftarrow \mathsf {Sign}(\mathsf {sk}_\mathsf {S}, \mathsf {pk}_\mathsf {D}', \mathsf {M})\). Otherwise, output \(\sigma \leftarrow \mathsf {Sim}({\mathsf {pk}_\mathsf {S}}', \mathsf {sk}_\mathsf {D}, \mathsf {M})\).

\(\mathsf {RS}.\mathsf {Verify}(\mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}, \mathsf {RS}.\mathsf {vk}' \right\} , \mathsf {M}, \sigma )\)::

Parse \(({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}) \leftarrow \mathsf {RS}.\mathsf {vk}\) and \(({\mathsf {pk}_\mathsf {S}}', \mathsf {pk}_\mathsf {D}') \leftarrow \mathsf {RS}.\mathsf {vk}'\). If \({\mathsf {pk}_\mathsf {S}}< {\mathsf {pk}_\mathsf {S}}'\), then output \(\mathsf {Vrfy}({\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}', \mathsf {M}, \sigma )\). Otherwise, output \(\mathsf {Vrfy}({\mathsf {pk}_\mathsf {S}}', \mathsf {pk}_\mathsf {D}, \mathsf {M}, \sigma )\).

Security We first prove anonymity of the ring signature. The anonymity definition considered by Brendel et al. [19] is almost identical to those in Definition 2.14 except that they additionally consider the verification and signing keys to be generated honestly, rather than being generated by possibly malicious randomness. This suffices to prove their deniability since the AKE keys are assumed to be generated honestly.

Lemma C.4

If \(\mathsf{DVS}\) satisfies source hiding, then the ring signature is anonymous (with respect to honestly generated verification and signing keys with rings of size two).

Proof

Assume there exists an adversary \(\mathcal {B} \) against the anonymity of the ring signature. We construct an adversary \(\mathcal {A} \) against the source hiding of \(\mathsf{DVS}\) as follows.

\(\mathcal {A} \) is provided \(({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {S}, \mathsf {pk}_\mathsf {D}, \mathsf {sk}_\mathsf {D})\) from the \(\mathsf{DVS}\) challenger. It queries \(\mathsf {M}\) to oracle \(\mathtt {Chall}\) and receives \(\sigma \). It then generates \((\overline{\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {sk}_\mathsf {S}}) \leftarrow \mathsf {SKGen}()\) and \((\overline{\mathsf {pk}_\mathsf {D}}, \overline{\mathsf {sk}_\mathsf {D}}) \leftarrow \mathsf {VKGen}()\) conditioned on \({\mathsf {pk}_\mathsf {S}}< \overline{\mathsf {pk}_\mathsf {S}}\). Note that this is without loss of generality since \(\mathcal {A} \) can simply regenerate \(\overline{\mathsf {pk}_\mathsf {S}}\) until it succeeds (and possibly halt after it exceeds some number of trials to make \(\mathcal {A} \) run in strict polynomial time). It then samples a random bit \(d \leftarrow \{ 0,1 \} \) and sets

$$\begin{aligned} (\mathsf {RS}.\mathsf {vk}_d, \mathsf {RS}.\mathsf {sk}_d)&:= (( {\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {pk}_\mathsf {D}}), ( \mathsf {sk}_\mathsf {S}, \overline{\mathsf {sk}_\mathsf {D}})) \text { and } (\mathsf {RS}.\mathsf {vk}_{1-d}, \mathsf {RS}.\mathsf {sk}_{1-d}) \\&:= (( \overline{\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D}), ( \overline{\mathsf {sk}_\mathsf {S}}, \mathsf {sk}_\mathsf {D})). \end{aligned}$$

It finally provides \(\mathcal {B} \) with \(\left\{ (\mathsf {RS}.\mathsf {vk}_i, \mathsf {RS}.\mathsf {sk}_i) \right\} _{i \in \{ 0,1 \} }\) and \(\sigma \). When \(\mathcal {B} \) outputs \(d'\) as its guess, \(\mathcal {A} \) outputs its guess as \(b' := d \oplus d'\).

Let us analyze the advantage of \(\mathcal {A} \). First of all, since d is information theoretically hidden from \(\mathcal {B} \), the ring signature keys \(\left\{ (\mathsf {RS}.\mathsf {vk}_i, \mathsf {RS}.\mathsf {sk}_i) \right\} _{i \in \{ 0,1 \} }\) are distributed identically to the anonymity game even conditioned on \({\mathsf {pk}_\mathsf {S}}< \overline{\mathsf {pk}_\mathsf {S}}\). Moreover, if oracle \(\mathtt {Chall}\) was using \(b = 0\), then \(\sigma \leftarrow \mathsf {Sign}(\mathsf {sk}_\mathsf {S}, \mathsf {pk}_\mathsf {D}, \mathsf {M})\). Since \({\mathsf {pk}_\mathsf {S}}< \overline{\mathsf {pk}_\mathsf {S}}\), \(\sigma \) is distributed identical to \(\mathsf {RS}.\mathsf {Sign}( \mathsf {RS}.\mathsf {sk}_d, \mathsf {M}, \mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}_0, \mathsf {RS}.\mathsf {vk}_1 \right\} )\). On the other hand, if oracle \(\mathtt {Chall}\) was using \(b = 1\), then \(\sigma \leftarrow \mathsf {Sim}({\mathsf {pk}_\mathsf {S}}, \mathsf {sk}_\mathsf {D}, \mathsf {M})\). Then, this is distributed identical to \(\mathsf {RS}.\mathsf {Sign}( \mathsf {RS}.\mathsf {sk}_{1-d}, \mathsf {M}, \mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}_0, \mathsf {RS}.\mathsf {vk}_1 \right\} )\). Hence, if \(\mathcal {B} \) outputs a guess \(d'\) and \(d = 0\), then \(\mathcal {A} \) simply needs to output \(d'\) as its guess. Otherwise, \(\mathcal {A} \) flips the guess \(d'\) in order to uncompute the swap induced by \(d = 1\). This completes the proof. \(\square \)

The unforgeability definition considered by Brendel et al. [19] is similar to those in Definition 2.15 except that they restrict the adversary to only query the signing oracle on rings consisting of honestly generated verification keys. This weaker definition suffices for their application since they consider deniability only against honestly generated long-term keys.

Lemma C.5

If \(\mathsf{DVS}\) satisfies source hiding and unforgeability, then the ring signature is unforgeable (with respect to honestly generated rings of size two).

Proof

Before providing the reduction, we first modify the unforgeability game of the ring signature (with respect to honestly generated rings of size two) to the following. The modification from the original Definition 2.15 is underlined in black. The only difference is that the challenger samples two random distinct indices \((i^*_0, i^*_1) \in [N] \times [N]\) and hopes that the adversary outputs a forgery on the ring \(\left\{ \mathsf {RS}.\mathsf {vk}_{i^*_0}, \mathsf {RS}.\mathsf {vk}_{i^*_1} \right\} \). Moreover, whenever the adversary \(\mathcal {A} \) queries the signing oracle, the challenger will never use \(\mathsf {RS}.\mathsf {sk}_{i^*_0}\) to sign the message.

1. (i)

   The challenger generates key pairs \((\mathsf {RS}.\mathsf {vk}_i,\mathsf {RS}.\mathsf {sk}_i)=\mathsf {RS}.\mathsf {KeyGen}()\) for all \(i \in [N]\). It sets \(\mathsf {VK}:= \left\{ \mathsf {RS}.\mathsf {vk}_i \mid i \in [N] \right\} \) and initializes two empty sets \(\mathsf {SL}\) and \(\mathsf {CL}\). \(\hbox {It also samples two distinct }(i^*_0, i^*_1) \leftarrow [N] \times [N].\)

2. (ii)

   The challenger provides \(\mathsf {VK}\) to \(\mathcal {A} \);

3. (iii)

   \(\mathcal {A} \) can make signing and corruption queries an arbitrary polynomial number of times:

   • \((\mathsf {sign}, i ,\mathsf {M},\mathsf {R}= \left\{ \mathsf {RS}.\mathsf {vk}_i, \mathsf {RS}.\mathsf {vk}_j \right\} )\): The challenger checks if \((\mathsf {RS}.\mathsf {vk}_i, \mathsf {RS}.\mathsf {vk}_j) \subseteq \mathsf {R}\) and outputs \(\bot \) if not. \(\hbox {Otherwise, if }i = i_0^*,\hbox { then it computes the signature }\) \(\sigma \leftarrow \mathsf {RS}.\mathsf {Sign}(\mathsf {RS}.\mathsf {sk}_j,\mathsf {M},\mathsf {R}).\hbox { If }i \ne i^*_0,\) \(\hbox {then it computes the signature }\) \(\sigma \leftarrow \mathsf {RS}.\mathsf {Sign}(\mathsf {RS}.\mathsf {sk}_i,\mathsf {M},\mathsf {R}).\) Finally, the challenger provides \(\sigma \) to \(\mathcal {A} \) and adds \((i,\mathsf {M},\mathsf {R})\) to \(\mathsf {SL}\);

   • \((\mathsf {corrupt},i)\): \(\hbox {If }i \in \left\{ i^*_0, i^*_1 \right\} , \hbox {then abort the game.}\) Otherwise, the challenger adds \(\mathsf {RS}.\mathsf {vk}_i\) to \(\mathsf {CL}\) and returns \(\mathsf {RS}.\mathsf {sk}_i\) to \(\mathcal {A} \).

4. (iv)

   \(\mathcal {A} \) outputs \((\mathsf {R}^*, \mathsf {M}^*, \sigma ^*)\). If \(\mathsf {R}^* = \left\{ \mathsf {RS}.\mathsf {vk}_{i^*_0}, \mathsf {RS}.\mathsf {vk}_{i^*_1} \right\} \), \((\cdot ,\mathsf {M}^*,\mathsf {R}^*) \not \in \mathsf {SL}\), and \(\mathsf {Verify}(\mathsf {R}^*, \mathsf {M}^*, \sigma ^*)=1\), then we say the adversary \(\mathcal {A} \) wins.

It is straightforward to show that this modified unforgeability game is as hard as the original unforgeability game assuming that the ring signature is anonymous (which from Lemma C.4 is an implication of the source hiding of \(\mathsf{DVS}\)). Concretely, we first modify the original game to a game in which the challenger simply guesses the non-corrupted indices \((i^*_0, i^*_1) \in [N] \times [N]\) that the adversary will use for its forgery. Since these indices are information theoretically hidden from the adversary, this is indistinguishable from the original game (except for a loss of \(1/N^2\) in the reduction). Next, assuming \(\mathcal {A} \) makes at most Q-queries to the signing oracle, we can define Q-hybrids, where in the k-th hybrid, the challenger answers as in the original game up to the \((k-1)\)-th signing query and as in the modified game from the k-th signing query. Each adjacent hybrids \((k-1)\) and k are indistinguishable assuming the anonymity of the ring signature; the reduction samples a random index \(j^* \leftarrow [N]\) and embeds its two verification keys provided by the anonymity game in the two indices \((i^*_0, j^*)\). It generates all other verification keys as in the unforgeability game. Note that the reduction knows the signing keys to all parties. It answers all \(k'\)-th signing query for \(k' \ne k\) as in hybrids \((k-1)\) and k. If \(i = i^*_0\) is used in the k-th query, it further checks if \(\mathsf {vk}_{j^*}\) is used. If so, the reduction simulates the signing oracle by embedding its challenge. If \(\mathsf {vk}_{j^*}\) is not used, then aborts the game. Otherwise, if \(i \ne i^*_0\), then it answers the signing oracle as in the \((k-1)\hbox {th}\) and k-th hybrids. This completes the reduction. In case the signature is created using \(\mathsf {sk}_{i_0^*}\) (resp. \(\mathsf {sk}_{j}\)), it perfectly simulates the \((k-1)\)-th (resp. k-th) hybrid (condition on not aborting). Therefore, assuming the ring signature is anonymous, the two hybrids are indistinguishable.

Now, we are ready to show that this modified unforgeability for the ring signature is hard assuming the unforgeability of the \(\mathsf{DVS}\). Assume there exists an adversary \(\mathcal {B} \) against the modified unforgeability of the ring signature. We construct an adversary \(\mathcal {A} \) against the unforgeability of \(\mathsf{DVS}\) as follows:

\(\mathcal {A} \) is given \({\mathsf {pk}_\mathsf {S}}\), \(\mathsf {pk}_\mathsf {D}\), and \(L = \left\{ (\mathsf {pk}_{\mathsf {D}, i}, \mathsf {sk}_{\mathsf {D}, i}) \right\} _{i \in [n]}\). It generates \((\overline{\mathsf {pk}_\mathsf {D}}, \overline{\mathsf {sk}_\mathsf {D}}) \leftarrow \mathsf {VKGen}()\), \((\overline{\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {sk}_\mathsf {S}}) \leftarrow \mathsf {SKGen}()\), and \((\mathsf {pk}_{\mathsf {S}, i}, \mathsf {sk}_{\mathsf {S}, i}) \leftarrow \mathsf {SKGen}()\) for \(i \in [n]\). It then creates \((n + 2)\) pairs of verification key pair for the ring signature \(({\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {pk}_\mathsf {D}})\), \((\overline{\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D})\), and \(\left\{ (\mathsf {pk}_{\mathsf {S}, i}, \mathsf {pk}_{\mathsf {D}, i}) \right\} _{i \in [n]}\) and randomly permutes them and sets them as \((\mathsf {RS}.\mathsf {vk}_i)_{i \in [n + 2]}\). Let \(i^*_0\) be the index such that \(\mathsf {RS}.\mathsf {vk}_{i^*_0} := (\overline{\mathsf {pk}_\mathsf {S}}, \mathsf {pk}_\mathsf {D})\) and \(i^*_1\) be the index such that \(\mathsf {RS}.\mathsf {vk}_{i^*_1} := ({\mathsf {pk}_\mathsf {S}}, \overline{\mathsf {pk}_\mathsf {D}})\). \(\mathcal {A} \) finally provides \(\mathsf {VK}:= \left\{ \mathsf {RS}.\mathsf {vk}_i \mid i \in [n + 2] \right\} \) to \(\mathcal {B} \). Notice \(\mathcal {A} \) knows the signing keys for indices in \([n+2]\backslash \left\{ i^*_0, i^*_1 \right\} \), so it can simulate the signing query and corrupt query for any \(i \notin \left\{ i^*_0, i^*_1 \right\} \). Moreover, since \(\mathcal {A} \) aborts when \(i \in \left\{ i^*_0, i^*_1 \right\} \) is queried to the corruption oracle, it remains to see how \(\mathcal {A} \) simulates the signing queries when \(i \in \left\{ i^*_0, i^*_1 \right\} \). Due to the modification we made to the unforgeability game, \(\mathcal {A} \) never needs to sign using the signing key corresponding to index \(i^*_0\), so it suffices to check the case \(i = i^*_1\). Now, when \(i = i^*_1\) and \({\mathsf {pk}_\mathsf {S}}< \mathsf {pk}_{\mathsf {S}, j}\), then \(\mathcal {A} \) queries its signing oracle and obtains a signature using \(\mathsf {sk}_\mathsf {S}\). Otherwise, it uses \(\overline{\mathsf {sk}_\mathsf {D}}\) to generate \(\sigma \leftarrow \mathsf {Sim}({\mathsf {pk}_\mathsf {S}}_j, \overline{\mathsf {sk}_\mathsf {D}}, \mathsf {M})\). This completes the description of \(\mathcal {A} \).

Notice the winning condition of the modified unforgeability of the ring signature and the unforgeability of the \(\mathsf{DVS}\) is identical. Moreover, since \(\mathcal {A} \) randomly permutes the indices in \([n+2]\), \(\mathcal {A} \) simulates the distribution of the two indices \((i^*_0, i^*_1)\) perfectly. Therefore, \(\mathcal {A} \) has the same advantage as \(\mathcal {B} \). This concludes the proof. \(\square \)