description of the game-changes and the claims we make about them. Here we provide all the missing details.
Game $G_1$: Let $(zid_i, z_i)$ be the KEM (ciphertext, key) pair generated in Step I.1 by $\Pi^S_i$. Let $Z$ be a random function which maps onto $\kappa$-bit strings. Let $E_{\mathrm{Zcol}}$ be the event that any two $S$ sessions pick the same $zid$ field, i.e. that for some $i_1, i_2 \in [n_S]$ we have $i_1 \neq i_2$ and $zid_{i_1} = zid_{i_2}$. Let $A_1 = A_0$ and let game $G_1$ be like $G_0$ except that (1) it aborts if $E_{\mathrm{Zcol}}$ happens and (2) it sets each $z_i$ as $z_i \leftarrow Z(zid_i)$. Note that $p_1 \le p_0 + \epsilon_{\mathrm{KEM}}(n_S) + n_S^2/2^{\kappa}$, where the last term follows from the fact that a $zid$-collision implies a $z$-collision, and a $z$-collision occurs among $n_S$ random $z$ samples with probability at most $n_S^2/2^{\kappa}$.
Game $G_2$: Let $\mathrm{SIM}_{\mathrm{SAS}}$ be the simulator for the SAS-MA scheme. Let $A_2 = A_1$, and let $G_2$ be like $G_1$ except that in Step II.1, when instance $\Pi^C_j$ of $C$ and instance $\Pi^D_l$ of $D$ execute the SAS-MA sub-protocol, we replace this SAS-MA execution with a simulator $\mathrm{SIM}_{\mathrm{SAS}}$ interacting with $A_1$ and the ideal SAS-MA functionality $F_{\mathrm{SAS}}[t]$. Namely, instance $\Pi^C_j$, instead of sending $M_C = (pk, zid)$ to $A_1$ and starting a SAS-MA instance to authenticate $M_C$ to $D$, will issue command $[\mathrm{SAS.SEND}, sid, \Pi^D_l, M_C]$ to $F_{\mathrm{SAS}}[t]$, which triggers $\mathrm{SIM}_{\mathrm{SAS}}$ to start simulating to $A_1$ the SAS-MA protocol between $\Pi^C_j$ and $\Pi^D_l$ on message $M_C$ as an input. Depending on the way $A_1$ responds, $\mathrm{SIM}_{\mathrm{SAS}}$ can act in one of the following three ways: (1) If $\mathrm{SIM}_{\mathrm{SAS}}$ sends $[\mathrm{SAS.CONNECT}, sid]$ to $F_{\mathrm{SAS}}[t]$ then $F_{\mathrm{SAS}}[t]$ sends $[\mathrm{SAS.SEND}, sid, \Pi^C_j, M_C]$ to $\Pi^D_l$ and $\Pi^D_l$ proceeds to step II.2 using this received message; (2) If $\mathrm{SIM}_{\mathrm{SAS}}$ sends $[\mathrm{SAS.ABORT}, sid]$ to $F_{\mathrm{SAS}}[t]$ then $F_{\mathrm{SAS}}[t]$ sends $\bot$ to $\Pi^D_l$ and $\Pi^D_l$ aborts; (3) If $\mathrm{SIM}_{\mathrm{SAS}}$ sends $[\mathrm{SAS.ATTACK}, sid, M_C^*]$ to $F_{\mathrm{SAS}}[t]$ for some $M_C^*$ (w.l.o.g. $M_C^* \neq M_C$) then $F_{\mathrm{SAS}}[t]$ throws a coin $\rho_l$ which comes out $1$ with probability $2^{-t}$ and $0$ with probability $1 - 2^{-t}$; if $\rho_l = 0$ then $F_{\mathrm{SAS}}[t]$ sends $\mathsf{fail}$ to $\mathrm{SIM}_{\mathrm{SAS}}$ and $\bot$ to $\Pi^D_l$ and $\Pi^D_l$ aborts, and if $\rho_l = 1$ then $F_{\mathrm{SAS}}[t]$ sends $\mathsf{succ}$ to $A$ and $[\mathrm{SAS.SEND}, sid, \Pi^C_j, M_C^*]$ to $\Pi^D_l$, and then $\Pi^D_l$ proceeds to step II.2 using message $M_C^*$. Since the SAS-MA protocol realizes the UC functionality $F_{\mathrm{SAS}}[t]$ with at most error $\epsilon_{\mathrm{SAS}}$ (per instance), and the simulator $\mathrm{SIM}_{\mathrm{SAS}}$ executes independently from the rest of the security game $G_2$, it follows that $p_2 \le p_1 + \min(n_C, n_D)\cdot\epsilon_{\mathrm{SAS}}$.
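As an added illustration (example code, not from the paper), the following Python models the three responses $F_{\mathrm{SAS}}[t]$ accepts from the simulator in game $G_2$ and the $2^{-t}$ coin $\rho_l$, and folds in the $zidSet$ check that $D$ applies to the message it receives; the coin is injectable so a run is deterministic, and all message values are constructed stand-ins.

```python
import secrets
from typing import Callable, Optional, Tuple

# Constructed model of F_SAS[t] from game G2, with D's zidSet rule folded in; example code, not the paper's.
MC = Tuple[bytes, bytes]  # M_C = (pk, zid)

def default_coin(t: int) -> int:
    """rho_l: comes out 1 with probability 2^-t and 0 with probability 1 - 2^-t."""
    return 1 if secrets.randbelow(2 ** t) == 0 else 0

class FSAS:
    def __init__(self, t: int, coin: Callable[[int], int] = default_coin):
        self.t = t
        self.coin = coin      # injectable so a test can fix the coin outcome
        self.zid_set = set()  # D's zidSet: every zid accepted so far

    def sas_send(self, m_c: MC, response: tuple) -> Tuple[str, Optional[MC]]:
        """Pi^C_j issues [SAS.SEND, sid, Pi^D_l, M_C]; `response` is the reply
        SIM_SAS produces on the adversary's behalf. Returns D's result."""
        kind = response[0]
        if kind == "SAS.CONNECT":       # case (1): D gets M_C intact
            delivered = m_c
        elif kind == "SAS.ABORT":       # case (2): D receives bottom and aborts
            return ("abort", None)
        elif kind == "SAS.ATTACK":      # case (3): substitution attempt M_C*
            m_c_star = response[1]
            if m_c_star == m_c:
                raise ValueError("w.l.o.g. M_C* must differ from M_C")
            if self.coin(self.t) == 0:  # rho_l = 0: fail to SIM_SAS, bottom to D
                return ("abort", None)
            delivered = m_c_star        # rho_l = 1: D proceeds with M_C*
        else:
            raise ValueError(f"unknown response {kind!r}")
        return self._deliver_to_d(delivered)

    def _deliver_to_d(self, m_c: MC) -> Tuple[str, Optional[MC]]:
        zid = m_c[1]                    # step II.2 entry: D aborts on any repeated zid
        if zid in self.zid_set:
            return ("abort", None)
        self.zid_set.add(zid)
        return ("accept", m_c)

def run_example() -> list:
    """Drive the three cases with the coin fixed to 0, so the run is reproducible."""
    f = FSAS(t=20, coin=lambda t: 0)  # every SAS.ATTACK loses the 2^-t coin
    r1 = f.sas_send((b"pk", b"zid-0001"), ("SAS.CONNECT",))
    r2 = f.sas_send((b"pk", b"zid-0001"), ("SAS.CONNECT",))  # repeated zid -> abort
    r3 = f.sas_send((b"pk", b"zid-0002"), ("SAS.ATTACK", (b"pk*", b"zid-0003")))
    r4 = f.sas_send((b"pk", b"zid-0004"), ("SAS.ABORT",))
    return [r[0] for r in (r1, r2, r3, r4)]  # ["accept", "abort", "abort", "abort"]
```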
Game $G_3$: Note that in the above security game adversary $A_2$ interacts with game $G_2$, which internally runs interactive algorithms $\mathrm{SIM}_{\mathrm{SAS}}$ and $F_{\mathrm{SAS}}[t]$. Note also that the $\mathrm{SIM}_{\mathrm{SAS}}$ algorithm interacts only with $F_{\mathrm{SAS}}[t]$ on one end and $A_2$ on the other. We can, therefore, draw the boundaries between the adversarial algorithm $A$ and the security game $G$ slightly differently: Consider an adversarial algorithm $A_3$ which executes the steps of $A_2$ and $\mathrm{SIM}_{\mathrm{SAS}}$, and a security game $G_3$ which executes the rest of game $G_2$, including the operation of functionality $F_{\mathrm{SAS}}[t]$. Note that $G_3$ does not execute the SAS-MA protocol, but interacts with $A_3$ using the $F_{\mathrm{SAS}}[t]$ interface to $\mathrm{SIM}_{\mathrm{SAS}}$, i.e. $G_3$ sends to $A_3$ messages of the type $[\mathrm{SAS.SEND}, sid, \Pi^C_j, \Pi^D_l, M_C]$, and $A_3$'s response must be one of $[\mathrm{SAS.CONNECT}, sid]$, $[\mathrm{SAS.ABORT}, sid]$, and $[\mathrm{SAS.ATTACK}, sid, M_C^*]$. Since we are only re-drawing the boundaries between the adversarial algorithm and the security game, we have that $p_3 = p_2$.
Game $G_4$: Let $A_4 = A_3$ and let $G_4$ be as $G_3$ except that for every message $[\mathrm{SAS.SEND}, sid, \Pi^C_j, \Pi^D_l, M_C]$ sent by $G_3$ for some $(j, l)$ pair, if $A_4$ sends $[\mathrm{SAS.CONNECT}, sid]$ in response, then we make the following changes: First, the $e_D$ value sent by $\Pi^D_l$ is formed as $\mathrm{Enc}(pk, (0^{\kappa}, 0^{\kappa}))$ instead of $\mathrm{Enc}(pk, (z, K_{CD}))$ as in $G_3$, for $pk$ specified in $M_C = (pk, zid)$. Secondly, if $A_3$ passes this $e_D$ value to $\Pi^C_j$ then $\Pi^C_j$ decrypts it as the $(z, K_{CD})$ pair which was generated by $\Pi^D_l$. Otherwise the game does not change, and in particular if $A_3$ passes some other ciphertext $e_D^* \neq e_D$ to $\Pi^C_j$ then $\Pi^C_j$ decrypts $e_D^*$ in the standard way. By the reduction to CCA security of the PKE scheme $(\mathrm{KG}, \mathrm{Enc}, \mathrm{Dec})$, it follows that $p_4 \le p_3 + \min(n_C, n_D)\cdot\epsilon_{\mathrm{PKE}}$.
Game $G_5$: Let $E_{\mathrm{ACbreak}}(CD)$ be the event that there is some session pair $(\Pi^C_j, \Pi^D_l)$ s.t. (a) $A_4$ responded with $[\mathrm{SAS.CONNECT}, sid]$ to $[\mathrm{SAS.SEND}, sid, \Pi^C_j, \Pi^D_l, M_C]$, (b) $A_4$ delivered $e_D$ sent by $\Pi^D_l$ to $\Pi^C_j$, and (c) in the DE-PAKE interaction between $\Pi^C_j$ and $\Pi^D_l$ authenticated by key $K_{CD}$ in step III either party accepts a message either not sent by the counterparty or delivered out of order. Let $A_5 = A_4$ and $G_5$ be as $G_4$ except that $G_5$ aborts if $E_{\mathrm{ACbreak}}(CD)$ ever happens. Since in game $G_4$, under conditions (a) and (b), the adversary has no information about key $K_{CD}$ used by both $\Pi^C_j$ and $\Pi^D_l$, by the security of the authenticated channel implementation we have that condition (c) can hold with probability at most $\min(n_C, n_D)\cdot\epsilon_{\mathrm{AC}}$, hence $p_5 \le p_4 + \min(n_C, n_D)\cdot\epsilon_{\mathrm{AC}}$.

Game $G_6$: Let $E_{\mathrm{ACbreak}}(CD')$ be the event that there is some session pair $(\Pi^C_j, \Pi^D_l)$ s.t. (a) $A_4$ responded with $[\mathrm{SAS.CONNECT}, sid]$ to $[\mathrm{SAS.SEND}, sid, \Pi^C_j, \Pi^D_l, M_C]$, (b) $A_4$ did not deliver $e_D$ sent by $\Pi^D_l$ to $\Pi^C_j$, and (c) instance $\Pi^D_l$ did not abort in step III. Let $A_6 = A_5$ and $G_6$ be as $G_5$ except that $G_6$ aborts if $E_{\mathrm{ACbreak}}(CD')$ ever happens. Since in game $G_5$, under conditions (a) and (b), only $\Pi^D_l$ has information on key $K_{CD}$, by the security of the authenticated channel implementation we have that condition (c) can hold with probability at most $q_D\cdot\epsilon_{\mathrm{AC}}$, hence $p_6 \le p_5 + q_D\cdot\epsilon_{\mathrm{AC}}$.
Game $G_7$: Let $A_7 = A_6$ and $G_7$ be as $G_6$ except that for every instance of $\mathrm{uKE}$ executed in step I.1, e.g. between $\Pi^S_i$ and $\Pi^C_j$, if the adversary is an eavesdropper on such an instance then $G_7$ replaces the key $K_{CS}$ established by $\Pi^S_i$ and $\Pi^C_j$ with a random key. By the security of the key exchange scheme $\mathrm{uKE}$, it follows that $p_7 \le p_6 + \min(n_C, n_S)\cdot\epsilon_{\mathrm{uKE}}$.

Game $G_8$: Let $E_{\mathrm{ACbreak}}(CS)$ be the event that there is some session pair $(\Pi^S_i, \Pi^C_j)$ s.t. (a) the adversary is passive on the KE executed in step I.1 and (b) in the DE-PAKE interaction between $\Pi^C_j$ and $\Pi^S_i$ authenticated by key $K_{CS}$ in step III either party accepts a message either not sent by the counterparty or delivered out of order. Let $A_8 = A_7$ and $G_8$ be as $G_7$ except that $G_8$ aborts if $E_{\mathrm{ACbreak}}(CS)$ ever happens. Since in game $G_7$ the adversary has no information about $K_{CS}$, by the security of the authenticated channel implementation we have that $p_8 \le p_7 + \max(n_C, n_S)\cdot\epsilon_{\mathrm{AC}}$.
Note that at this point the game has the following properties: If $A$ is passive on the $C$-$S$ key exchange in step I then $A$ is forced, by game $G_8$, to be passive on the $C$-$S$ link in the DE-PAKE in step III. Also, if $A$ does not attack the SAS-MA sub-protocol and delivers $D$'s ciphertext to $C$ in step II then $A$ is forced, by game $G_5$, to be passive on the $C$-$D$ link in the DE-PAKE in step III (and if $A$ does not deliver $D$'s ciphertext to $C$ then this $D$ instance will not respond to any further messages, by game $G_6$). The remaining cases are thus active attacks on the key exchange in step I and the case when $A$ either attacks the SAS-MA sub-protocol and gets $D$ to accept $M_C^* \neq M_C$ or sends $e_D^* \neq e_D$ to $C$.
We will handle these cases next, and the crucial issue will be what the adversary does with the $zid$ values created by $S$. Consider any $S$ instance $\Pi^S_i$ in which the adversary interferes with the key exchange protocol in step I.1. Without loss of generality assume that the adversary learns the key $K_{CS}$ output by $\Pi^S_i$ in this step. Note that $D$ keeps a variable $zidSet$ in which it stores all $zid$ values it ever receives, and that $D$ aborts if it sees any $zid$ more than once. Therefore each game execution defines a 1-1 function $L: [n_S] \to [n_D] \cup \{\bot\}$ s.t. if $L(i) \neq \bot$ then $L(i)$ is the unique index in $[n_D]$ s.t. $\Pi^D_{L(i)}$ receives $M_C = (pk, zid_i)$ in step II.1 for some $pk$, and $L(i) = \bot$ if and only if no $D$ session receives $zid_i$. If $L(i) \neq \bot$ then consider two cases: First, if the $M_C = (pk, zid_i)$ which contains $zid_i$ originates with some session $\Pi^C_j$, and second, if $M_C = (pk, zid_i)$ is created by the adversary.
Game $G_9$: Consider first the case of a rogue session $\Pi^S_i$ and a rogue session $\Pi^C_j$ to which the adversary sends $zid_i$ in step I.2. Consider first the case when the adversary stops $\Pi^C_j$ from getting the corresponding $z_i$. Namely, let $E_{\mathrm{zidOmit}}(i)$ be the event that the adversary (a) either never issues $[\mathrm{SAS.ATTACK}, sid, M_C^*]$ for $M_C^*$ containing $zid_i$, or it does but the corresponding coin toss comes out $\rho = 0$, and (b) does not send $zid_i$ to any $C$ instance, or it does send it to $\Pi^C_j$ for some $j \in [n_C]$, but either responds with $[\mathrm{SAS.ABORT}, sid]$ to $[\mathrm{SAS.SEND}, sid, \Pi^C_j, \Pi^D_l, M_C]$ in step II.1 or responds with $[\mathrm{SAS.CONNECT}, sid]$ but does not deliver $e_D$ sent by $\Pi^D_l$ to $\Pi^C_j$ in step II.2. Note that by conditions (a) and (b), and the fact that already in game $G_4$ the ciphertext $e_D$ created in response to $[\mathrm{SAS.CONNECT}, sid]$ does not contain any information about $z_i = Z(zid_i)$, neither session $\Pi^C_j$ nor the adversary has any information about $z_i$. Therefore, by the security of the authenticated channel implementation, $\Pi^S_i$ should reject. Consider $A_9 = A_8$ and $G_9$ like $G_8$ except that $G_9$ sets $\Pi^S_i$'s output to $\bot$ at the end of step III if $E_{\mathrm{zidOmit}}(i)$ happens. By the argument above we have that $p_9 \le p_8 + q_S\cdot\epsilon_{\mathrm{AC}}$.
Game $G_{10}$: Consider the same case of a rogue session $\Pi^S_i$ and a rogue session $\Pi^C_j$ to which the adversary sends $zid_i$ in step I.2, but now consider the possibility that the adversary lets $\Pi^C_j$ get the corresponding $z_i$ but does not learn $z_i$ itself. Namely, let $E_{\mathrm{zidPass}}(i,j)$ be the event that for some $i \in [n_S]$ and $j \in [n_C]$, (a) $\Pi^C_j$ receives $zid_i$ in step I.2, (b) the adversary responds with $[\mathrm{SAS.CONNECT}, sid]$ to $[\mathrm{SAS.SEND}, sid, \Pi^C_j, \Pi^D_l, M_C]$ in step II.1, (c) the adversary never issues $[\mathrm{SAS.ATTACK}, sid, M_C^*]$ for $M_C^*$ containing $zid_i$, and (d) the adversary delivers $e_D$ sent by $\Pi^D_l$ to $\Pi^C_j$ in step II.2. Consider $A_{10} = A_9$ and $G_{10}$ like $G_9$ except that if $E_{\mathrm{zidPass}}(i,j)$ happens and, in the DE-PAKE interaction between $\Pi^C_j$ and $\Pi^S_i$ (where both parties use $z_i$ to authenticate this interaction), the adversary does not deliver to either $\Pi^S_i$ or $\Pi^C_j$ the messages of the counterparty in the correct order, then $G_{10}$ makes this party abort and sets its output to $\bot$. (Note that this means that the other party will also abort, unless the misdelivered message was the last message this party sent.) Note that by conditions (a) and (b) instance $\Pi^D_l$ receives $zid_i$ in $M_C$ sent by $\Pi^C_j$. By condition (c) this is the first time $D$ receives $zid_i$, hence it will not abort, and by condition (d) $\Pi^C_j$ will receive the $z_i$ corresponding to $zid_i$. Since the adversary has no information about $z_i$, by the security of the authenticated channel implementation it follows that $\Pi^C_j$ and $\Pi^S_i$ output $K \neq \bot$ only (except for the probability of an attack on the authenticated channel) if the adversary passes the DE-PAKE messages $m'$ (authenticated by $z$) between these two rogue instances as a man-in-the-middle. It follows that $p_{10} \le p_9 + \min(q_C, q_S)\cdot\epsilon_{\mathrm{AC}}$.
Note that by the changes done by games $G_9$ and $G_{10}$, if the adversary interferes with the KE in step I.1 with session $\Pi^S_i$, sends $zid_i$ to some $\Pi^C_j$, and does not send it to some $\Pi^D_l$ in a $[\mathrm{SAS.ATTACK}, sid, (pk^*, zid_i)]$ message for any $l$, then the adversary is forced to be a passive eavesdropper on the DE-PAKE protocol in step III, or otherwise $\Pi^S_i$ will output $\bot$. Note that this is the case when $L(i) = l$ s.t. the game issues $[\mathrm{SAS.SEND}, sid, \Pi^C_j, \Pi^D_l, (pk, zid_i)]$ for some $pk$, i.e. if some $\Pi^D_l$ receives value $zid_i$, it receives it as part of a message $M_C$ originated by some client session $\Pi^C_j$.
Game $G_{11}$: Consider now the case when the adversary sends $zid_i$ to $D$ by itself, i.e. when $L(i) = l$ s.t. the adversary does send $[\mathrm{SAS.ATTACK}, sid, M_C^* = (pk^*, zid_i)]$ for some $pk^*$ in response to $[\mathrm{SAS.SEND}, sid, \Pi^C_j, \Pi^D_l, M_C]$ for some $j$ and $M_C$. Let $E_{\mathrm{zFail}}(i,l)$ be the event that (a) the above conditions hold, (b) that the adversary does not send
aborts. Consider $A_{11} = A_{10}$ and $G_{11}$ just like $G_{10}$ except that $G_{11}$ makes $\Pi^S_i$ abort in step III and sets its output to $\bot$ in case of event $E_{\mathrm{zFail}}(i,l)$ for any $l \in [n_D]$. Note that by conditions (a) and (b) session $l = L(i)$ of $D$ is the only one which gets $zid_i$, hence if $\rho_l = 0$ then the adversary has no information about $z_i = Z(zid_i)$, hence by the security of the authenticated channel it follows that $p_{11} \le p_{10} + q_S\cdot\epsilon_{\mathrm{AC}}$.
After these game changes, we are finally ready to make a reduction from an attack on the underlying DE-PAKE to an attack on the TFA-KE. Specifically, we will construct an algorithm $A^*$ which runs in time comparable to $A$, achieves advantage $\mathrm{Adv}^{\mathrm{DEPAKE}}_{A^*} = 2\cdot(p_{11} - 1/2)$ against the underlying DE-PAKE scheme, and makes $q_S^*, q_D^*, q_C, q_C^{\mathrm{rogue}}$ queries respectively to $S$, to $D$, to $C$ on its connection to $S$, and to $C$ on its connection with $D$, where $q_S^* = q_D^* = q^*$ and $q^*$ is a random variable equal to the sum of $q = \min(q_S, q_D)$ coin tosses which come out $1$ with probability $2^{-t}$ and $0$ with probability $1 - 2^{-t}$. Recall that $\mathrm{Adv}^{\mathrm{TFA}}_A = 2\cdot(p_0 - 1/2)$ and that by the game changes above we have that $|p_{11} - p_0|$ is a negligible quantity, and hence $\mathrm{Adv}^{\mathrm{DEPAKE}}_{A^*}$ is negligibly close to $\mathrm{Adv}^{\mathrm{TFA}}_A$.
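Collecting the per-hop bounds stated in games $G_1$ through $G_{11}$ (an added summation in the document's own symbols, not part of the original text) makes the claim about $|p_{11} - p_0|$ explicit:

\[
\begin{aligned}
p_{11} - p_0 \;\le\; & \epsilon_{\mathrm{KEM}}(n_S) + \frac{n_S^2}{2^{\kappa}} & (G_1)\\
& + \min(n_C, n_D)\cdot\epsilon_{\mathrm{SAS}} & (G_2;\ G_3 \text{ adds } 0)\\
& + \min(n_C, n_D)\cdot\epsilon_{\mathrm{PKE}} & (G_4)\\
& + \min(n_C, n_D)\cdot\epsilon_{\mathrm{AC}} + q_D\cdot\epsilon_{\mathrm{AC}} & (G_5, G_6)\\
& + \min(n_C, n_S)\cdot\epsilon_{\mathrm{uKE}} + \max(n_C, n_S)\cdot\epsilon_{\mathrm{AC}} & (G_7, G_8)\\
& + q_S\cdot\epsilon_{\mathrm{AC}} + \min(q_C, q_S)\cdot\epsilon_{\mathrm{AC}} + q_S\cdot\epsilon_{\mathrm{AC}} & (G_9, G_{10}, G_{11})
\end{aligned}
\]

Grouping the $\epsilon_{\mathrm{AC}}$ terms:

\[
p_{11} - p_0 \;\le\; \epsilon_{\mathrm{KEM}}(n_S) + \frac{n_S^2}{2^{\kappa}} + \min(n_C,n_D)\,(\epsilon_{\mathrm{SAS}} + \epsilon_{\mathrm{PKE}}) + \min(n_C,n_S)\,\epsilon_{\mathrm{uKE}} + \big(\min(n_C,n_D) + \max(n_C,n_S) + q_D + 2q_S + \min(q_C,q_S)\big)\,\epsilon_{\mathrm{AC}} .
\]

Every term on the right is negligible in the security parameter when the session and query counts are polynomially bounded, and each hop bounds the distance between two consecutive games, so the same sum bounds $|p_{11} - p_0|$.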
Reducing DE-PAKE attack to TFA-KE attack. The reduction works by $A^*$ internally running algorithm $A$ and emulating entities $S$, $C$, and $D$ to $A$ as in game $G_{11}$. If $A$ starts up an instance $\Pi^S_i$, $\Pi^C_j$, or $\Pi^D_l$, $A^*$ starts up its local state for these sessions, which we will denote $\bar\Pi^S_i$, $\bar\Pi^C_j$, and $\bar\Pi^D_l$.
Emulation of Step I of $\mathrm{GenTFA}$ to $A$: When $A^*$ starts up $\bar\Pi^S_i$ or $\bar\Pi^C_j$, it runs the KE on their behalf in step I.1. Let $K^S_{CS,i}, K^C_{CS,j}$ be the keys these instances output from the KE step. If $A$ connects $\bar\Pi^S_i$ and $\bar\Pi^C_j$ in HbC fashion, we call this pair HbC-paired, and $A^*$ sets $K^S_{CS,i} = K^C_{CS,j}$ to a random key, as in $G_{11}$ (see $G_7$). In Step I.2 for $\bar\Pi^S_i$, $A^*$ picks $zid_i$ and sets $z_i = Z(zid_i)$ as in $G_{11}$ (see $G_1$), and sends $\mathrm{ACSend}(K^S_{CS,i}, 1, zid_i)$. Denote this $(zid_i, z_i)$ pair as $(zid^S_i, z^S_i)$. When $\bar\Pi^C_j$ receives a message in step I.2, it decodes it as $zid^C_j$ using $\mathrm{ACRec}(K^C_{CS,j}, 1, \cdot)$. If $\mathrm{ACRec}$ fails then $\bar\Pi^C_j$ aborts. If $\bar\Pi^S_i$ and $\bar\Pi^C_j$ are not HbC-paired but $zid^C_j = zid^S_i$, we call these instances zid-paired.
Emulation of Step II of $\mathrm{GenTFA}$ to $A$: $A^*$ picks $(sk, pk)$ as $C$ does in step II.1 and sends $[\mathrm{SAS.SEND}, sid, \Pi^C_j, \Pi^D_l, M_C]$ to $A$ for $M_C = (pk, zid)$ and $zid = zid^C_j$, where $l$ is some new index in $[n_D]$ specified by $A$. If $A$ responds with $[\mathrm{SAS.CONNECT}, sid]$ and $zid$ was not sent to $D$ before (otherwise $\bar\Pi^D_l$ aborts), $A^*$ generates $e_D$ as an encryption of two fixed bitstrings as in $G_{11}$ (see $G_4$). If $A$ forwards this $e_D$ to $\bar\Pi^C_j$, $A^*$ sets $z^C_j = Z(zid^C_j)$, picks a random key $K^C_{CD,j}$, sets $K^D_{CD,l} = K^C_{CD,j}$, and denotes such $\bar\Pi^C_j, \bar\Pi^D_l$ instances as paired. If, on the other hand, $A$ responds with $[\mathrm{SAS.ATTACK}, sid, M_C^*]$ for $M_C^* = (pk^*, zid^*)$ s.t. $zid^*$ was not sent to $D$ before (otherwise $\bar\Pi^D_l$ aborts), $A^*$ picks a coin $\rho_l$ as in $G_{11}$ (see $G_2$) and aborts $\bar\Pi^D_l$ unless $\rho_l = 1$ (which happens with probability $2^{-t}$). If $\bar\Pi^D_l$ does not abort, $A^*$ picks a random key $K^D_{CD,l}$ and sends out $e_D = \mathrm{Enc}(pk^*, (Z(zid^*), K^D_{CD,l}))$. If $A$ didn't respond with $[\mathrm{SAS.CONNECT}, sid]$, or it did but $\bar\Pi^C_j$ receives $e_D^*$ which is different from the $e_D$ sent by $\bar\Pi^D_l$, $A^*$ sets $(z^C_j, K^C_{CD,j}) \leftarrow \mathrm{Dec}(sk, e_D^*)$.
As in $G_{11}$, $A^*$ can abort some sessions at this point: (1) $A^*$ aborts $\bar\Pi^D_l$ if $A$ responds with $[\mathrm{SAS.CONNECT}, sid]$ above but doesn't forward $e_D$ to $\bar\Pi^C_j$ (see $G_6$); (2) $A^*$ aborts $\bar\Pi^S_i$ and sets its output to $\bot$ if the conditions of event $E_{\mathrm{zidOmit}}(i)$ are satisfied (see $G_9$), i.e. (a) $A$ was not HbC in the key exchange with $\bar\Pi^S_i$ in step I, (b) $A$ either does not send $[\mathrm{SAS.ATTACK}, sid, \cdot]$ with $zid^S_i$ or it does but the corresponding coin toss $\rho$ comes out $0$, (c) $A$ doesn't send $zid^S_i$ to any $\bar\Pi^C_j$ session, or it does for some $j$ but then either does not do $[\mathrm{SAS.CONNECT}, sid]$ or does not deliver the resulting $e_D$ to $\bar\Pi^C_j$; (3) for some $l \in [n_D]$ (see $G_{11}$), i.e. $A$ does not send $zid^S_i$ to any $\bar\Pi^C_j$ instance, sends $[\mathrm{SAS.ATTACK}, sid, (pk^*, zid^S_i)]$ to some $\bar\Pi^D_l$ but coin $\rho_l$ comes out $0$.
Emulation of Step III of $\mathrm{GenTFA}$ to $A$: Finally, $A^*$ emulates step III of TFA-KE by using the state held by $\bar\Pi^P_i$ for any $P \in \{S, C, D\}$ and $i$ s.t. $\bar\Pi^P_i$ reached step III of $\mathrm{GenTFA}$ without aborting. $A^*$ performs this emulation by implementing the Authenticated Channel layer as in step III of $\mathrm{GenTFA}$ using the corresponding state computed above, i.e. $K^S_{CS,i}, z^S_i$ for $\bar\Pi^S_i$, $K^C_{CS,j}, z^C_j, K^C_{CD,j}$ for $\bar\Pi^C_j$, and $K^D_{CD,l}$ for $\bar\Pi^D_l$, and implementing the DE-PAKE messages by initiating and communicating with the external