Simple Security Definitions for and Constructions of 0-RTT Key Exchange


Britta Hale¹, Tibor Jager², Sebastian Lauer³, and Jörg Schwenk³

¹ NTNU, Norwegian University of Science and Technology, Trondheim, britta.hale@ntnu.no
² Paderborn University, tibor.jager@upb.de
³ Horst Görtz Institute, Ruhr-University Bochum, {sebastian.lauer, joerg.schwenk}@rub.de

Abstract. Zero Round-Trip Time (0-RTT) key exchange protocols allow for the transmission of cryptographically protected payload data without requiring the prior exchange of messages of a cryptographic key exchange protocol. The 0-RTT KE concept was first realized by Google in the QUIC Crypto protocol, and a 0-RTT mode has been intensively discussed for inclusion in TLS 1.3. In 0-RTT KE two keys are generated, typically using a Diffie-Hellman key exchange. The first key is a combination of an ephemeral client share and a long-lived server share. The second key is computed using an ephemeral server share and the same ephemeral client share. In this paper, we propose simple security models, which catch the intuition behind known 0-RTT KE protocols; namely that the first (resp. second) key should remain indistinguishable from a random value, even if the second (resp. first) key is revealed. We call this property strong key independence. We also give the first constructions of 0-RTT KE which are provably secure in these models, based on the generic assumption that secure non-interactive key exchange (NIKE) exists.

Keywords: Foundations, low-latency key exchange, 0-RTT protocols, authenticated key exchange, non-interactive key exchange, QUIC, TLS

1 Introduction

Efficiency, in terms of messages to be exchanged before a key is established, is a growing consideration for internet protocols today.
Basically, the first generation of internet key exchange protocols did not care too much about efficiency, since secure connections were considered to be the exception rather than the rule: SSL (versions 2.0 and 3.0) and TLS (versions 1.0, 1.1, and 1.2) require 2 round-trip times (RTT) for key establishment before the first cryptographically-protected payload data can be sent. With the increased use of encryption,⁴ efficiency is of escalating importance for protocols like TLS. Similarly, the older IPSec IKE version v1 needs between 3 RTT (aggressive mode + quick mode) and 4.5 RTT (main mode + quick mode). This was soon realized to be problematic, and in IKEv2 the number of RTTs was reduced to 2.

This work was partially supported by a STSM Grant from COST Action IC
⁴ For example, initiatives like Let's Encrypt (

The QUIC protocol. Fundamentally, the discussion on low-latency key exchange (aka. LLKE, zero-RTT or 0-RTT key exchange) was opened when Google proposed the QUIC protocol.⁵ QUIC (cf. Figure 1) achieves low latency by caching a signed server configuration file on the client side, which contains a medium-lived Diffie-Hellman (DH) share Y_0 = g^{y_0}.⁶ When a client wishes to establish a connection with a server and possesses a valid configuration file of that server, it chooses a fresh ephemeral DH share X = g^x and computes a temporal key k_1 from g^{y_0 x}. Using this key k_1, the client can encrypt and authenticate data to be sent to the server, together with X. In response, the server sends a fresh DH share Y = g^y and computes a session key k_2 from g^{xy}, which is used for all subsequent data exchanges.

Fig. 1: Google's QUIC protocol (simplified) with cached server key configuration file (Y_0, σ_S).
  Client oracle π_C^s, holding (Y_0, σ_S):   x ←$ Z_q, X = g^x, k_1 = Y_0^x
  Client → Server:                            X, AE(k_1; payload)
  Server oracle π_S^t, holding (sk_S^sig, pk_S^sig) and (Y_0, y_0):   k_1 = X^{y_0}, y ←$ Z_q, Y = g^y, k_2 = X^y
  Server → Client:                            AE(k_1; Y), AE(k_2; payload)
  Client:                                     k_2 = Y^x
  Client ↔ Server:                            AE(k_2; payload)
AE denotes a symmetric authenticated encryption algorithm (e.g., AES-GCM), (sk_S^sig, pk_S^sig) denotes the server's long-term signing keys, and π_S^t (resp. π_C^s) denotes the oracle at server S executing the single t-th instance of the protocol (resp. for client).

⁵ See
⁶ If the client does not have a valid file, it has to be requested from the server, which increases the number of RTTs by 1, but may then be re-used for future sessions.

TLS 1.3. Early TLS 1.3 drafts, e.g. draft-ietf-tls-tls13-08 [24], contained a 0-RTT key exchange mode where a QUIC-like ServerConfiguration message is cached by the client. The current version draft-ietf-tls-tls13-18 [25] follows a different approach, where the initial key establishment between a client and a server is never 0-RTT. Instead, it defines a method to establish a new session based on the secret key of a previous session. Even though this is also called 0-RTT in the current TLS 1.3 specification, it is rather a 0-RTT session resumption protocol, but does not allow for 0-RTT key establishment. Most importantly, the major difference between the approach of the current TLS 1.3 draft in comparison to a real 0-RTT key exchange protocol is that the former requires storing of secret key information on the client between sessions. In contrast, a 0-RTT key establishment protocol does not require secret information to be stored between sessions.

Facebook's Zero protocol. Very recently, the social network Facebook announced that it is currently experimenting with a 0-RTT KE protocol called Zero.⁷ Zero is very similar to QUIC, except that it uses another nonce and encryption of the ServerHello message. It is noteworthy that the main difference between Zero and QUIC was introduced in order to prevent an attack discovered by Facebook, which has been reported to Google and meanwhile been fixed in QUIC, too. We believe that this is a good example that shows the demand for simple security definitions and provably-secure constructions for such protocols.

Security goals. 0-RTT KE protocols like QUIC have ad-hoc designs that aim at achieving three goals: (1) 0-RTT encryption, where ciphertext data can already be sent together with the first handshake message; (2) perfect forward secrecy (PFS), where all ciphertexts exchanged after the second handshake message will remain secure even after the (static or semi-static) private keys of the server have been leaked; and (3) key independence, where knowledge about one of the two symmetric keys generated should not endanger the security of the other key.

Strong key independence. Intuitively, a 0-RTT KE protocol should achieve strong key independence between k_1 and k_2: if any one of the two keys is leaked at any time, the other key should still be indistinguishable from a random value. In all known security models, this intuition would be formalized as follows: if the adversary A asks a Reveal query for k_1, he is still allowed to ask a Test query for k_2, and vice versa. If the two keys are computationally independent from each other (which also includes computations on the different protocol messages), then the adversary should have only a negligible advantage in answering the Test query correctly. Ultimately this leads to the following research questions: Do existing examples of 0-RTT KE protocols have strong key independence? Can we describe a generic way to construct 0-RTT KE protocols that provably achieve strong key independence?

⁷ See building-zero-protocol-for-fast-secure-mobile-connections/.

QUIC does not provide strong key independence. If an attacker A is allowed to learn k_1 by a Reveal query, then he is able to decrypt AE(k_1; Y) and re-encrypt its own value Y' := g^{y'} as AE(k_1; Y'). Furthermore, he can then compute the same k_2 = X^{y'} as the client oracle, and can thus distinguish between the real key and a random key chosen by the Test query. See [11] for more details on key dependency in QUIC. Note that this theoretical attack does not imply that QUIC is insecure. It only shows that the authenticity of the server's Diffie-Hellman share, which is sent in QUIC to establish k_2, depends strongly on the security of key k_1. Therefore QUIC does not provide strong key independence in the sense sketched above.

Previous work on 0-RTT Key Exchange. The concept of 0-RTT key exchange was not developed in academia, but in industry, motivated by concrete practical demands of distributed applications. All previous works on 0-RTT KE [11,22] conducted a-posteriori security analyses of the QUIC protocol, with tailored models. There are no foundational constructions as yet, and the relation to other cryptographic protocols and primitives is not yet well understood. At ACM CCS 2014, Fischlin and Günther [11] provided a formal definition of multi-stage key exchange protocols and used it to analyze the security of QUIC. Lychev et al. [22] gave an alternate analysis of QUIC, which considers both efficiency and security. They describe a security model which is bespoke to QUIC, adapting the complex, monolithic security model of [16] to the protocol's requirements. Zhao [30] considers identity-concealed 0-RTT protocols, where user privacy is protected by hiding identities of users in a setting with mutual cryptographic authentication of both communicating parties. Günther et al. [14] extended the puncturable-encryption approach of Green and Miers [13] to show that even 0-RTT KE with full forward secrecy is possible, by evolving the secret key after each decryption.
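The simplified QUIC flow of Figure 1 and the key-dependency observation above, as an added, runnable model that is not part of the paper: an adversary who has learned k_1 (the Reveal query) opens AE(k_1; Y), substitutes its own Y' = g^{y'}, and ends up sharing the client's k_2. Everything here is a toy stand-in: the DH group (modulus 2^127 - 1, generator 3), the SHA-256 key derivation and the HMAC-based authenticated encryption are illustration-only choices and not QUIC's real key schedule or wire format.

```python
"""Toy model of simplified QUIC (Figure 1) and of the k_1 -> k_2 dependency.

Constructed example, not the paper's or Google's code. Toy parameters:
P, G, the SHA-256 KDF and the HMAC-based AE are assumptions for illustration.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # toy prime modulus (assumption, illustration only)
G = 3            # toy generator (assumption, illustration only)


def dh_keypair():
    """Return (x, g^x mod p) for a fresh random exponent x."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_key(shared: int) -> bytes:
    """Toy KDF: k = SHA-256("quic-toy" || g^{xy}); shared < 2^127 fits 16 bytes."""
    return hashlib.sha256(b"quic-toy" + shared.to_bytes(16, "big")).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    ks = b""
    for ctr in range(0, length, 32):
        ks += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return ks[:length]


def ae_encrypt(key: bytes, msg: bytes) -> bytes:
    """Toy AE, encrypt-then-MAC: nonce || (msg XOR keystream) || HMAC tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def ae_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then strip the keystream."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def quic_handshake(tamper_with_k1: bool) -> dict:
    """Run client and server. If tamper_with_k1 is set, an adversary who was
    given k_1 swaps the server's Y for its own Y' in AE(k_1; Y).
    Returns the k_2 held by client, server and (if present) adversary."""
    y0, Y0 = dh_keypair()                      # server config share (Y_0, y_0)
    # Client, 0-RTT flight: X together with data under k_1 = Y_0^x.
    x, X = dh_keypair()
    k1_client = derive_key(pow(Y0, x, P))
    flight0 = (X, ae_encrypt(k1_client, b"GET / (0-RTT payload)"))
    # Server: k_1 = X^{y_0}, fresh Y = g^y under k_1, k_2 = X^y.
    X_recv, c0 = flight0
    k1_server = derive_key(pow(X_recv, y0, P))
    ae_decrypt(k1_server, c0)                  # would raise if k_1 disagreed
    y, Y = dh_keypair()
    k2_server = derive_key(pow(X_recv, y, P))
    reply = ae_encrypt(k1_server, Y.to_bytes(16, "big"))
    k2_adv = None
    if tamper_with_k1:
        # Adversary holding k_1 (Reveal): decrypt AE(k_1; Y), re-encrypt own Y'.
        y_adv, Y_adv = dh_keypair()
        ae_decrypt(k1_client, reply)           # proves k_1 opens the reply
        reply = ae_encrypt(k1_client, Y_adv.to_bytes(16, "big"))
        k2_adv = derive_key(pow(X, y_adv, P))  # equals the client's (Y')^x
    # Client: accept whatever Y arrived under k_1 and derive k_2 = Y^x.
    Y_recv = int.from_bytes(ae_decrypt(k1_client, reply), "big")
    k2_client = derive_key(pow(Y_recv, x, P))
    return {"client": k2_client, "server": k2_server, "adversary": k2_adv}


if __name__ == "__main__":
    honest = quic_handshake(tamper_with_k1=False)
    print("honest run, client and server agree on k_2:", honest["client"] == honest["server"])
    attacked = quic_handshake(tamper_with_k1=True)
    print("k_1 revealed, adversary shares the client's k_2:", attacked["adversary"] == attacked["client"])
```

In the tampered run the server never learns that its Y was replaced, since nothing but k_1 authenticates the AE(k_1; Y) message; this is exactly the sense in which the authenticity of the server's share for k_2 rests on k_1.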
However, their construction is currently mainly of conceptual interest, as it is not yet efficient enough to be deployed at large scale in practice.

Security model. In this paper, we use a variant of the Canetti-Krawczyk [7] security model. This family of security models is especially suited to protocols with only two message exchanges, with one-round key exchange protocols constituting the most important subclass. Popular examples of such protocols are MQV [21], HMQV [17], SMQV [26], KEA [23,20], and NAXOS [19]. A comparison of different variants of the Canetti-Krawczyk model can be found in [9,28].

The importance of simplicity of security models. Security models for key exchange protocols have to consider active adversaries that may modify, replay, inject, drop, etc., any message transmitted between communicating parties. They also need to capture parallel executions of multiple protocol sessions, potential reveals of earlier session keys, and adaptive corruptions of long-term secrets of parties. This makes even standard security models for key exchange extremely complex (in comparison to most other standard cryptographic primitives, like digital signatures or public-key encryption, for example). Naturally, the novel primitive of 0-RTT KE requires formal security definitions. There are different ways to create such a model.

One approach is to focus on generality of the model. Fischlin and Günther [11] followed this path, by defining multi-stage key exchange protocols, a generalization of 0-RTT KE. This approach has the advantage that it lays the foundation for the study of a very general class of interesting and novel primitives. However, its drawback is that this generality inherently also brings a huge complexity to the model. Clearly, the more complex the security model, the more difficult it becomes to devise new, simple, efficient, and provably-secure constructions. Moreover, proofs in complex models tend to be error-prone and less intuitive, because central technical ideas may be concealed in formal details that are required to handle the generality of the model.

Another approach is to devise a model which is tailored to the analysis of one specific protocol. For example, the complex, monolithic ACCE security model was developed in [16] to provide an a posteriori security analysis of TLS.⁸ A similar approach was followed by Lychev et al. [22], who adapted this model for an a posteriori analysis of QUIC, by defining the so-called Q-ACCE model. The notable drawback of this approach is that such tailor-made models tend to capture only the properties achieved by existing protocols, but not necessarily all properties that we would expect from a good 0-RTT KE protocol. In general, such tailor-made models do not, therefore, form a useful foundation for the creation of new protocols.

In this paper, we follow a different approach. We propose novel bare-bone security models for 0-RTT KE, which aim at capturing all (strong key independence and forward secrecy), but also only, the properties intuitively expected from good 0-RTT KE protocols. We propose two different models.
One considers the practically-relevant case of server-only authentication (where the client may or may not authenticate later over the established communication channel, similar in spirit to the server-only-authenticated ACCE model of [18]). The other considers traditional mutual cryptographic authentication of a client and server. The reduced generality of our definitions in comparison to the very general multi-stage security model of [11] is intended. A model which captures only, but also all, the properties expected from a good 0-RTT KE protocol allows us to devise relatively simple, foundational, and generic constructions of 0-RTT KE protocols with as-clean-as-possible security analyses.

Importance of foundational generic constructions. Following [3], we use non-interactive key exchange (NIKE) [8,12] in combination with digital signatures as a main building block.⁹ This yields the first examples of 0-RTT KE protocols with strong key independence, as well as the first constructions of 0-RTT KE from generic complexity assumptions. There are many advantages of such generic constructions:
1. Generic constructions provide a better understanding of the structure of protocols. Since the primitives we use have abstract security properties, we can see precisely which abstract security requirements are needed to implement 0-RTT KE protocols.
2. They clarify the relations and implications between different types of cryptographic primitives.
3. They can be generically instantiated with building blocks based on different complexity assumptions. For example, if post-quantum security is needed, one can directly obtain a concrete protocol by using only post-quantum secure building blocks in the generic construction.
Usually generic constructions tend to involve more computational overhead than ad-hoc constructions. However, we note that our 0-RTT KE protocols can be instantiated relatively efficiently, given the efficient NIKE schemes of [12], for example.

⁸ A more modular approach was later proposed in [4].
⁹ Recall that digital signatures are implied by one-way functions, which in turn are implied by NIKE. Thus, essentially we only assume the existence of NIKE as a building block.

Contributions. Contributions in this paper can be summarized as follows:
Simple security models. We provide simple security models, which capture all properties that we expect from a good 0-RTT KE protocol, but only these properties. We consider both the practical setting with server-only authentication and the classical setting with mutual authentication.
First generic constructions. We give intuitive, relatively simple, and efficient constructions of 0-RTT KE protocols in both settings.
First non-DH instantiation. Both QUIC and TLS 1.3 are based on DH key exchange. Our generic construction yields the first 0-RTT KE protocol which is not based on Diffie-Hellman (e.g., by instantiating the generic construction with the factoring-based NIKE scheme of Freire et al. [12]).
First 0-RTT KE with strong key independence. Our 0-RTT KE protocols are the first to achieve strong key independence in the sense described above.
Well-established, general assumptions. The construction is based on general assumptions, namely the existence of secure NIKE and digital signature schemes.
For all building blocks we require only standard security properties.
Security in the standard model. The security analysis is completely in the standard model, i.e. it is performed without resorting to the Random Oracle heuristic [1] and without relying on non-standard complexity assumptions.
Efficient instantiability. Despite the fact that our constructions are generic, the resulting protocols can be instantiated relatively efficiently.

2 Preliminaries

For our construction in Section 5.2, we need signature schemes and non-interactive key exchange (NIKE) protocols. Here we summarize the definitions of these two primitives and their security from the literature.

2.1 Digital Signatures

A digital signature scheme consists of three polynomial-time algorithms SIG = (SIG.Gen, SIG.Sign, SIG.Vfy). The key generation algorithm (sk, pk) ←$ SIG.Gen(1^λ) generates a public verification key pk and a secret signing key sk on input of security parameter λ. The signing algorithm σ ←$ SIG.Sign(sk, m) generates a signature for message m. The verification algorithm SIG.Vfy(pk, σ, m) returns 1 if σ is a valid signature for m under key pk, and 0 otherwise.

Consider the following security experiment played between a challenger C and an adversary A.
1. The challenger generates a public/secret key pair (sk, pk) ←$ SIG.Gen(1^λ); the adversary receives pk as input.
2. The adversary may query arbitrary messages m_i to the challenger. The challenger replies to each query with a signature σ_i = SIG.Sign(sk, m_i). Here i is an index, ranging between 1 ≤ i ≤ q for some q ∈ ℕ. Queries can be made adaptively.
3. Eventually, the adversary outputs a message/signature pair (m, σ).

Definition 1. We define the advantage of an adversary A in this game as
$$\mathrm{Adv}_{\mathsf{SIG},\mathcal{A}}(\lambda) := \Pr\Big[(m,\sigma) \leftarrow_{\$} \mathcal{A}^{\mathcal{C}(\lambda)}(pk) \;:\; \mathsf{SIG.Vfy}(pk,\sigma,m)=1 \;\wedge\; (m,\sigma)\neq(m_i,\sigma_i)\ \text{for all } i\Big].$$
SIG is strongly secure against existential forgeries under adaptive chosen-message attacks (seuf-cma) if Adv_{SIG,A}(λ) is a negligible function in λ for all probabilistic polynomial-time adversaries A.

Remark 1. Signatures with seuf-cma security can be constructed generically from any EUF-CMA-secure signature scheme and chameleon hash functions [6,27].

2.2 Secure Non-Interactive Key Exchange

Definition 2. A non-interactive key exchange (NIKE) scheme consists of two deterministic algorithms (NIKE.Gen, NIKE.Key).
NIKE.Gen(1^λ, r) takes a security parameter λ and randomness r ∈ {0,1}^λ. It outputs a key pair (pk, sk). We write (pk, sk) ←$ NIKE.Gen(1^λ) to denote that NIKE.Gen(1^λ, r) is executed with uniformly random r ←$ {0,1}^λ.
NIKE.Key(sk_i, pk_j) is a deterministic algorithm which takes as input a secret key sk_i and a public key pk_j, and outputs a key k_{i,j}.
We say that a NIKE scheme is correct if for all (pk_i, sk_i) ←$ NIKE.Gen(1^λ) and (pk_j, sk_j) ←$ NIKE.Gen(1^λ) it holds that NIKE.Key(sk_i, pk_j) = NIKE.Key(sk_j, pk_i).

A NIKE scheme is used by d parties P_1, ..., P_d as follows. Each party P_i generates a key pair (pk_i, sk_i) ← NIKE.Gen(1^λ) and publishes pk_i. In order to compute the key shared by P_i and P_j, party P_i computes k_{i,j} = NIKE.Key(sk_i, pk_j). Similarly, party P_j computes k_{j,i} = NIKE.Key(sk_j, pk_i). Correctness of the NIKE scheme guarantees that k_{i,j} = k_{j,i}.

CKS-light security. The CKS-light security model for NIKE protocols is relatively simplistic and compact. We choose this model because other (more complex) NIKE security models like CKS, CKS-heavy, and m-CKS-heavy are polynomial-time equivalent to CKS-light. See [12] for more details.

Security of a NIKE protocol NIKE is defined by a game NIKE played between an adversary A and a challenger. The challenger takes a security parameter λ and a random bit b as input and answers all queries of A until A outputs a bit b'. The challenger answers the following queries for A:
RegisterHonest(i). A supplies an index i. The challenger runs NIKE.Gen(1^λ) to generate a key pair (pk_i, sk_i), records the tuple (honest, pk_i, sk_i) for later, and returns pk_i to A. This query may be asked at most twice by A.
RegisterCorrupt(pk_i). With this query A supplies a public key pk_i. The challenger records the tuple (corrupt, pk_i) for later.
GetCorruptKey(i, j). A supplies two indices i and j where pk_i was registered as corrupt and pk_j as honest. The challenger runs k ← NIKE.Key(sk_j, pk_i) and returns k to A.
Test(i, j). The adversary supplies two indices i and j that were registered honestly. Now the challenger uses bit b: if b = 0, then the challenger runs k_{i,j} ← NIKE.Key(sk_i, pk_j) and returns the key k_{i,j}. If b = 1, then the challenger samples a random element from the key space, records it for later, and returns the key to A.

The game NIKE outputs 1, denoted by NIKE^A_NIKE(λ) = 1, if b = b' and 0 otherwise. We say A wins the game if NIKE^A_NIKE(λ) = 1.

Definition 3. For any adversary A playing the above NIKE game against a NIKE scheme NIKE, we define the advantage of winning the game NIKE as
$$\mathrm{Adv}^{\mathrm{CKS\text{-}light}}_{\mathsf{NIKE},\mathcal{A}}(\lambda) = \Big|\, 2 \cdot \Pr\big[\mathsf{NIKE}^{\mathcal{A}}_{\mathsf{NIKE}}(\lambda) = 1\big] - 1 \,\Big|.$$
Let λ be a security parameter, NIKE be a NIKE protocol and A an adversary. We say NIKE is a CKS-light-secure NIKE protocol if for all probabilistic polynomial-time adversaries A, the function Adv^{CKS-light}_{NIKE,A}(λ) is a negligible function in λ.
3 0-RTT Key Exchange Protocols: Syntax and Security with Server-only Authentication

In the model presented in this section, we give formal definitions for 0-RTT KE with strong key independence and main-key forward secrecy. We start with the case of server-only authentication, as it is the more important case in practice (in particular, server-only authentication will be the main operating mode of both QUIC and TLS 1.3).

3.1 Syntax and Correctness

Definition 4. A 0-RTT key exchange scheme with server-only authentication consists of deterministic algorithms (Gen_server, KE_client_init, KE_client_refresh, KE_server_refresh).
Gen_server(1^λ, r) → (pk, sk): A key generation algorithm that takes as input a security parameter λ and randomness r ∈ {0,1}^λ and outputs a key pair (pk, sk). We write (pk, sk) ←$ Gen_server(1^λ) to denote that a pair (pk, sk) is the output of Gen_server when executed with uniformly random r ←$ {0,1}^λ.
KE_client_init(pk_j, r_i) → (k_tmp^{i,j}, m_i): An algorithm that takes as input a public key pk_j and randomness r_i ∈ {0,1}^λ, and outputs a temporary key k_tmp^{i,j} and a message m_i.
KE_server_refresh(sk_j, r_j, m_i) → (k_main^{j,i}, k_tmp^{j,i}, m_j): An algorithm that takes as input a secret key sk_j, randomness r_j and a message m_i, and outputs a key k_main^{j,i}, a temporary key k_tmp^{j,i} and a message m_j.
KE_client_refresh(pk_j, r_i, m_j) → k_main^{i,j}: An algorithm that takes as input a public key pk_j, randomness r_i, and message m_j, and outputs a key k_main^{i,j}.

We say that a 0-RTT key exchange scheme is correct if for all (pk_j, sk_j) ←$ Gen_server(1^λ) and for all r_i, r_j ←$ {0,1}^λ it holds that
$$\Pr\big[k^{i,j}_{\mathrm{tmp}} \neq k^{j,i}_{\mathrm{tmp}} \ \text{ or }\ k^{i,j}_{\mathrm{main}} \neq k^{j,i}_{\mathrm{main}}\big] \le \mathrm{negl}(\lambda),$$
where (k_tmp^{i,j}, m_i) ← KE_client_init(pk_j, r_i), (k_main^{j,i}, k_tmp^{j,i}, m_j) ← KE_server_refresh(sk_j, r_j, m_i), and k_main^{i,j} ← KE_client_refresh(pk_j, r_i, m_j).

A 0-RTT KE scheme is used by a set of parties which are either clients C_i or servers S_j (cf. Figure 2). Each server S_p has a generated key pair (sk_p, pk_p) ←$ Gen_server(1^λ) with published pk_p. The protocol is executed as follows:
1. The client oracle C_i chooses r_i ∈ {0,1}^λ and selects the public key of the intended partner S_j (which must be a server, otherwise this value is undefined). Then it computes (k_tmp^{i,j}, m_i) ← KE_client_init(pk_j, r_i), and sends m_i to S_j. Additionally, C_i can use k_tmp^{i,j} to encrypt some data M_i.
2. Upon reception of message m_i, S_j initializes a new oracle S_{j,t}. This oracle chooses r_j ∈ {0,1}^λ and computes (k_main^{j,i}, k_tmp^{j,i}, m_j) ← KE_server_refresh(sk_j, r_j, m_i). The server may use the ephemeral key k_tmp^{j,i} to decrypt D_i. Then, the server sends m_j and optionally some data M_j encrypted with the key k_main^{j,i} to the client.
3. C_i computes k_main^{i,j} ← KE_client_refresh(pk_j, r_i, m_j) and can optionally decrypt D_j. Correctness of the 0-RTT KE scheme guarantees that k_main^{i,j} = k_main^{j,i}.

Fig. 2: Execution of a 0-RTT KE Protocol with Server-Only Authentication in Parallel to Encrypted Application Data.
  Server S_j:   (sk_j, pk_j) ←$ Gen_server(1^λ)
  Client C_i:   r_i ←$ {0,1}^λ;  (k_tmp^{i,j}, m_i) ← KE_client_init(pk_j, r_i);  D_i ← Encrypt(k_tmp^{i,j}, M_i)
  C_i → S_j:    m_i, D_i
  Server S_j:   r_j ←$ {0,1}^λ;  (k_main^{j,i}, k_tmp^{j,i}, m_j) ← KE_server_refresh(sk_j, r_j, m_i);  D_j ← Encrypt(k_main^{j,i}, M_j)
  S_j → C_i:    m_j, D_j
  Client C_i:   k_main^{i,j} ← KE_client_refresh(pk_j, r_i, m_j)
Note that the messages D_i and D_j correspond to the symmetric encryption protocol used to encrypt payload data, and are therefore not part of the 0-RTT KE protocol, but a separate protocol. These messages are only displayed here to illustrate the basic application message flow running in parallel to that of a 0-RTT KE protocol. While it would in principle be possible to define the symmetric encryption directly as part of the protocol, this would require a significantly more complex ACCE-style [16] security model, which we avoid for the sake of simplicity.

3.2 Execution Environment

We provide an adversary A against a 0-RTT KE protocol with the following execution environment. Clients, which are not in possession of a long-term secret, are represented by oracles C_1, ..., C_d (without any particular identity). We consider l servers; each server has a long-term key pair (sk_j, pk_j)¹⁰, j ∈ {1, ..., l}, and each client has access to all public keys pk_1, ..., pk_l. Each server is represented by a collection of k oracles S_{j,1}, ..., S_{j,k}, where each oracle represents a process that executes one single instance of the protocol. We use the following variables to maintain the internal state of oracles.
Clients. Each client oracle C_i, i ∈ [d], maintains two variables k_tmp and k_main to store the temporal and main keys of a session, a variable Partner, which contains the identity of the intended communication partner, and variables M_in and M_out containing messages received and sent by the oracle. The internal state of a client oracle is initialized to (k_tmp, k_main, Partner, M_in, M_out) := (∅, ∅, ∅, ∅, ∅).
Servers. Each server oracle S_{j,t}, (j, t) ∈ [l] × [k], maintains two variables k_tmp and k_main to store the temporal and main keys of a session, and variables M_in^{j,t} and M_out^{j,t} containing messages received and sent by the server. The internal state of a server oracle is initialized to (k_tmp^{j,t}, k_main^{j,t}, M_in^{j,t}, M_out^{j,t}) := (∅, ∅, ∅, ∅).

¹⁰ We do not distinguish between static (i.e. long-lived) and semi-static (i.e. medium-lived) key pairs. Thus the long-lived keys in this model correspond to the server configuration file keys of QUIC and TLS.

We say that an oracle has accepted the temporal key if k_tmp ≠ ∅, and accepted the main key if k_main ≠ ∅.

In the security experiment, the adversary is able to interact with the oracles by issuing the following queries.
Send(C_i/S_{j,t}, m). The adversary sends a message m to the requested oracle. The oracle processes m according to the protocol specification. Any response generated by the oracle according to the protocol specification is returned to the adversary. If a client oracle C_i receives m as the first message, then the oracle checks if m consists of a special initialization message (m = (init, j)). If true, then the oracle responds with the first protocol message generated for intended partner S_j; else it outputs ⊥.
Reveal(C_i/S_{j,t}, tmp/main). This query returns the key of the given stage if it already has been computed, or ∅ otherwise.
Corrupt(j). On input of a server identity j, this query returns the long-term private key of the server. If Corrupt(j) is the τ-th query issued by A, we say the party is τ-corrupted. For parties that are not corrupted we define τ := ∞.
Test(C_i/S_{j,t}, tmp/main). This query is used to test a key and is only asked once. It is answered as follows: if the variable of the requested key is not empty, a random bit b ←$ {0,1} is selected, and if b = 0 then the requested key is returned, else if b = 1 then a random key, according to the probability distribution of keys generated by the protocol, is returned. Otherwise ⊥ is returned.

Security Model

Security Game G^A. After receiving a security parameter λ, the challenger C simulates the protocol and keeps track of all variables of the execution environment: it generates the long-lived key pairs of all server parties and answers faithfully all queries by the adversary. The adversary receives all public keys pk_1, ..., pk_l and can interact with the challenger by issuing any combination of the queries Send(), Corrupt(), and Reveal().
At some point the adversary queries Test() to an oracle and receives a key, which is either the requested key or a random value. The adversary may continue asking Send(), Corrupt(), and Reveal() queries after receiving the key and finally outputs some bit b'.

Definition 5 (0-RTT KE-Security with Server-Only Authentication). Let an adversary A interact with the challenger in game G^A as described above. We say the challenger outputs 1, denoted by G^A(λ) = 1, if b = b' and the following conditions hold:
- if A issues Test(C_i, tmp), all of the following hold:
  - Reveal(C_i, tmp) was never queried by A;
  - Reveal(S_{j,t}, tmp) was never queried by A for any oracle S_{j,t} such that Partner_i = j and M_in^{j,t} = M_out^i;
  - the communication partner Partner_i = j, if it exists, is not τ-corrupted with τ < ∞.
- if A issues Test(C_i, main), all of the following hold:
  - Reveal(C_i, main) was never queried by A;
  - Reveal(S_{j,t}, main) was never queried by A, where Partner_i = j, M_in^{j,t} = M_out^i, and M_out^{j,t} = M_in^i;
  - the communication partner Partner_i = j is not τ-corrupted with τ < τ_0, where Test(C_i, main) is the τ_0-th query issued by A.
- if A issues Test(S_{j,t}, tmp), all of the following hold:
  - Reveal(S_{j,t}, tmp) was never queried by A;
  - there exists an oracle C_i with M_out^i = M_in^{j,t};
  - Reveal(C_i, tmp) was never queried by A to any oracle C_i with M_out^i = M_in^{j,t};
  - Reveal(S_{j,t'}, tmp) was never queried by A for any oracle S_{j,t'} with M_in^{j,t'} = M_in^{j,t};
  - j is not τ-corrupted with τ < ∞.
- if A issues Test(S_{j,t}, main), all of the following hold:
  - Reveal(S_{j,t}, main) was never queried by A;
  - there exists an oracle C_i with M_out^i = M_in^{j,t};
  - Reveal(C_i, main) was never queried by A, if M_in^i = M_out^{j,t}.
Else the game outputs a random bit. We define the advantage of A in the game G^A(λ) by
$$\mathrm{Adv}_{\mathcal{A}}(\lambda) := \Big|\, 2 \cdot \Pr\big[G^{\mathcal{A}}(\lambda) = 1\big] - 1 \,\Big|.$$

Definition 6. We say that a 0-RTT key exchange protocol is test-secure if there exists a negligible function negl(λ) such that for all PPT adversaries A interacting according to the security game G^A(λ) it holds that Adv_A(λ) ≤ negl(λ).

Remark 2. Our security model captures forward secrecy for the main key, because key indistinguishability is required to hold even if the adversary is able to corrupt the communication partner of the test oracle (but only after the test oracle has accepted, of course, in order to avoid trivial attacks). Moreover, strong key independence is modeled by the fact that an adversary which attempts to distinguish a tmp-key from random (i.e., an adversary which asks Test(X, tmp) for X ∈ {C_i, S_{j,t} for some i, j, t}) is allowed to learn the main key of X.
Similarly, an adversary which tries to distinguish a main key from random by asking Test(X, main) is allowed to learn the tmp-key of X as well. Security in this sense guarantees that the tmp-key and the main key look independent to a computationally-bounded adversary.

Remark 3. Note that the requirements of M_out^i = M_in^{j,t} etc. in the above security model essentially adapt the notion of matching conversations, defined by Bellare and Rogaway [2] for general, multi-message key exchange protocols, to the special case of 0-RTT KE.

3.3 Composing a 0-RTT KE Protocol with Symmetric Encryption

The security model described above considers only the 0-RTT KE protocol, without symmetric encryption of payload data (that is, without the messages D_i and D_j displayed in Figure 2). A protocol secure in this sense guarantees the indistinguishability of keys in a hypothetical setting where the key is not used for symmetric encryption of payload messages potentially known to the adversary. One may think that this is not sufficient for 0-RTT KE, because the key will be used to encrypt payload data, and this will enable an adversary to trivially distinguish a real key from a random key (this holds for both the temporal key k_tmp^{i,j} and the actual main session key k_main^{i,j}). Note that this argument applies not only to the above 0-RTT KE security model, but actually to any security model for (authenticated) key exchange which is based on the indistinguishability of keys, such as the classical model of Bellare and Rogaway and many similar models [2,5,7,19,10,26]. In practice, this key will usually be used in a cryptographic protocol, e.g. to encrypt messages, and therefore trivially allow for distinguishing real from random keys.

The security of the composition of a protocol secure in the sense of [2,5,7,19,10,26] with a symmetric encryption protocol follows from a standard two-step hybrid argument, which essentially proceeds as follows:
1. In the original security experiment, the adversary interacts with a composed protocol, where the KE protocol is first used to derive a key k, which is then used to encrypt payload data with the symmetric encryption protocol.
2. In the next hybrid experiment, the adversary interacts with a composed protocol, where the symmetric encryption does not use the key k computed by the KE protocol, but an independent random key. Note that an adversary that distinguishes this hybrid from the original game can be used to distinguish a real key of the KE protocol from a random one. Now the adversary interacts with an encryption protocol that uses a key which is independent of the KE protocol. This allows for a reduction of the security of the composed protocol to the security of the symmetric protocol.

A similarly straightforward hybrid argument applies to the composition of 0-RTT KE with symmetric encryption, which works as follows:
1. In the original security experiment, the adversary interacts with a composed protocol, where the 0-RTT KE protocol is first used to derive a key k_tmp^{i,j}, which is then used to encrypt the payload data sent along with the first protocol message. Then the 0-RTT KE protocol is used to derive the main key k_main^{i,j}, which in turn is used to encrypt all further payload data.

14 2. In the rst hybrd experment, the adversary nteracts wth a composed protocol, where only ktmp, s replaced wth an ndependent random value. An adversary that dstngushes ths hybrd from the orgnal game can be used to dstngush a real ktmp, from a random one. Now the adversary nteracts wth an encrypton protocol that encrypts the rst payload message wth a key whch s ndependent of the 0-RTT KE protocol. Ths allows for a reducton of the securty of the rst payload message to the securty of the symmetrc protocol. 3. In the second hybrd experment, the adversary nteracts wth a composed protocol, where k, man s now also replaced wth an ndependent random value. An adversary that dstngushes ths hybrd from the prevous one can be used to dstngush a real k, man from a random one. Ths allows for a reducton of the securty of all further payload messages to the securty of the symmetrc protocol. Followng the long tradton of prevous works on ndstngushablty-based key exchange securty models [2,5,7,19,10,26], we can thus consder an ndstngushablty-based securty model for 0-RTT KE even though n practce key exchange messages wll be nterleaved wth messages of the symmetrc encrypton protocol. Ths allows for smple securty models, and enables a modular analyss of the buldng blocks of a composed protocol. 4 Generc Constructon of 0-RTT KE from NIKE Now we are ready to descrbe our generc NIKE-based 0-RTT KE protocol and ts securty analyss. 4.1 Generc Constructon Let NIKE = (NIKE.Gen, NIKE.Key) be a NIKE scheme accordng to Denton 2 and let SIG = (SIG.Gen, SIG.Sgn, SIG.Vfy) be a sgnature scheme. Then we construct a 0-RTT KE scheme 0-RTT = (Gen server, KE clent nt, KE clent refresh, KEserver refresh ), per Denton 4, n the followng way (cf. Fgure 3). 
$\mathrm{Gen}_{\mathrm{server}}(1^\lambda, r_j)$ computes key pairs using the NIKE key generation algorithm $(pk^{\mathrm{nke}}_{\mathrm{static}}, sk^{\mathrm{nke}}_{\mathrm{static}}) \leftarrow_{\$} \mathrm{NIKE.Gen}(1^\lambda)$ and signature keys using the SIG algorithm $(pk^{\mathrm{sig}}, sk^{\mathrm{sig}}) \leftarrow_{\$} \mathrm{SIG.Gen}$, and outputs $(pk, sk) := ((pk^{\mathrm{nke}}_{\mathrm{static}}, pk^{\mathrm{sig}}), (sk^{\mathrm{nke}}_{\mathrm{static}}, sk^{\mathrm{sig}}))$.

$\mathrm{KE}^{\mathrm{client}}_{\mathrm{init}}(pk, r_i)$ samples $r_i \leftarrow_{\$} \{0,1\}^\lambda$, parses $pk = (pk^{\mathrm{nke}}_{\mathrm{static}}, pk^{\mathrm{sig}})$, runs $(pk^{\mathrm{nke}}_i, sk^{\mathrm{nke}}_i) \leftarrow \mathrm{NIKE.Gen}(1^\lambda, r_i)$ and $k^{\mathrm{nke}}_{i,j} \leftarrow \mathrm{NIKE.Key}(sk^{\mathrm{nke}}_i, pk^{\mathrm{nke}}_{\mathrm{static}})$, and outputs $(k^{i,j}_{\mathrm{tmp}}, m_i) := (k^{\mathrm{nke}}_{i,j}, pk^{\mathrm{nke}}_i)$.

Fig. 3: 0-RTT KE from NIKE. Client $C_i$: $r_i \leftarrow_{\$} \{0,1\}^\lambda$; $(pk^{\mathrm{nke}}_i, sk^{\mathrm{nke}}_i) \leftarrow \mathrm{NIKE.Gen}(1^\lambda, r_i)$; $k^{i,j}_{\mathrm{tmp}} \leftarrow \mathrm{NIKE.Key}(sk^{\mathrm{nke}}_i, pk^{\mathrm{nke}}_{\mathrm{static}})$; sends $m_i := pk^{\mathrm{nke}}_i$. Server $S_j$, holding $((pk^{\mathrm{nke}}_{\mathrm{static}}, pk^{\mathrm{sig}}), (sk^{\mathrm{nke}}_{\mathrm{static}}, sk^{\mathrm{sig}}))$: $r_j \leftarrow_{\$} \{0,1\}^\lambda$; $k^{i,j}_{\mathrm{tmp}} \leftarrow \mathrm{NIKE.Key}(sk^{\mathrm{nke}}_{\mathrm{static}}, pk^{\mathrm{nke}}_i)$; $(pk^{\mathrm{nke}}_j, sk^{\mathrm{nke}}_j) \leftarrow \mathrm{NIKE.Gen}(1^\lambda, r_j)$; $\sigma_j \leftarrow \mathrm{SIG.Sign}(sk^{\mathrm{sig}}, pk^{\mathrm{nke}}_j)$; $k^{i,j}_{\mathrm{main}} \leftarrow \mathrm{NIKE.Key}(sk^{\mathrm{nke}}_j, pk^{\mathrm{nke}}_i)$; sends $m_j := (pk^{\mathrm{nke}}_j, \sigma_j)$; $k^{i,j} := k^{i,j}_{\mathrm{main}}$. Client $C_i$ on receiving $m_j$: checks $\mathrm{true} = \mathrm{SIG.Vfy}(pk^{\mathrm{sig}}, \sigma_j, pk^{\mathrm{nke}}_j)$; $k^{i,j}_{\mathrm{main}} \leftarrow \mathrm{NIKE.Key}(sk^{\mathrm{nke}}_i, pk^{\mathrm{nke}}_j)$; $k^{i,j} := k^{i,j}_{\mathrm{main}}$.

Again, it is possible to include the parallel execution of a symmetric encryption protocol which would behave as in Figure 2 for encrypted application data. As such a protocol is not part of the 0-RTT KE protocol, we omit it here for simplicity.

$\mathrm{KE}^{\mathrm{server}}_{\mathrm{refresh}}(sk, r_j, m_i)$ takes in $m_i = pk^{\mathrm{nke}}_i$, parses $sk = (sk^{\mathrm{nke}}_{\mathrm{static}}, sk^{\mathrm{sig}})$, and samples $r_j \leftarrow_{\$} \{0,1\}^\lambda$. It then computes $k^{\mathrm{nke}}_{i,j} \leftarrow \mathrm{NIKE.Key}(sk^{\mathrm{nke}}_{\mathrm{static}}, pk^{\mathrm{nke}}_i)$, $(pk^{\mathrm{nke}}_j, sk^{\mathrm{nke}}_j) \leftarrow \mathrm{NIKE.Gen}(1^\lambda, r_j)$, and $\sigma_j \leftarrow \mathrm{SIG.Sign}(sk^{\mathrm{sig}}, pk^{\mathrm{nke}}_j)$. If $m_i = pk^{\mathrm{nke}}_{\mathrm{static}}$ then it samples $k^{\mathrm{nke}}_{\mathrm{main}}$ uniformly at random, else it computes $k^{\mathrm{nke}}_{\mathrm{main}} \leftarrow \mathrm{NIKE.Key}(sk^{\mathrm{nke}}_j, pk^{\mathrm{nke}}_i)$, outputting $(k^{i,j}_{\mathrm{main}}, k^{i,j}_{\mathrm{tmp}}, m_j) := (k^{\mathrm{nke}}_{\mathrm{main}}, k^{\mathrm{nke}}_{i,j}, (pk^{\mathrm{nke}}_j, \sigma_j))$.

$\mathrm{KE}^{\mathrm{client}}_{\mathrm{refresh}}(pk, r_i, m_j)$ parses $pk = (pk^{\mathrm{nke}}_{\mathrm{static}}, pk^{\mathrm{sig}})$ and $m_j = (pk^{\mathrm{nke}}_j, \sigma_j)$. It then checks $\mathrm{true} = \mathrm{SIG.Vfy}(pk^{\mathrm{sig}}, \sigma_j, pk^{\mathrm{nke}}_j)$ and computes $k^{\mathrm{nke}}_{\mathrm{main}} \leftarrow \mathrm{NIKE.Key}(sk^{\mathrm{nke}}_i, pk^{\mathrm{nke}}_j)$, outputting $k^{i,j}_{\mathrm{main}} := k^{\mathrm{nke}}_{\mathrm{main}}$.

Ultimately, the construction follows by applying the NIKE algorithm NIKE.Gen and the signature algorithm SIG.Gen to generate a server configuration file which is comprised of the server public key and a server public signature key, which a client can then employ for generating the first protocol flow. In order for the 0-RTT KE construction to abstract the security guarantees of the underlying NIKE, the appropriate client key pair $(pk^{\mathrm{nke}}_i, sk^{\mathrm{nke}}_i)$ must be available for use in the NIKE.Key algorithm. Consequently, the $(pk^{\mathrm{nke}}_i, sk^{\mathrm{nke}}_i)$ values are generated locally by the client, with $pk^{\mathrm{nke}}_i$ passed to the server as a message. Note that this construction naturally forgoes client-side authentication.
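As an added example (not code from the paper), the four algorithms of the construction above in Go, with NIKE instantiated by X25519 and SIG by Ed25519 from the standard library; the type and function names (ServerPK, ServerSK, ServerMsg, nikeGen, Run) are this example's own, and the client's ephemeral key pair is passed explicitly between its two algorithms instead of the randomness $r_i$. It includes the special case in which $m_i$ equals the server's static NIKE key, where $\mathrm{KE}^{\mathrm{server}}_{\mathrm{refresh}}$ samples $k_{\mathrm{main}}$ uniformly at random.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// NIKE is X25519 (NIKE.Key(sk_a, pk_b) = NIKE.Key(sk_b, pk_a)); SIG is Ed25519.
var nike = ecdh.X25519()

type (
	ServerPK struct { // pk = (pk_static^nke, pk^sig): the server configuration
		NikeStatic *ecdh.PublicKey
		Sig        ed25519.PublicKey
	}
	ServerSK struct { // sk = (sk_static^nke, sk^sig)
		NikeStatic *ecdh.PrivateKey
		Sig        ed25519.PrivateKey
	}
	ServerMsg struct { // m_j = (pk_j^nke, sigma_j)
		PkJ   *ecdh.PublicKey
		Sigma []byte
	}
)

// check aborts the demo on an error that has no protocol-level handling (randomness failure).
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// nikeGen is NIKE.Gen with fresh randomness.
func nikeGen() *ecdh.PrivateKey {
	k, err := nike.GenerateKey(rand.Reader)
	check(err)
	return k
}

// GenServer is Gen_server: one static NIKE key pair and one signature key pair.
func GenServer() (*ServerPK, *ServerSK) {
	nikeSK := nikeGen()
	sigPK, sigSK, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	return &ServerPK{nikeSK.PublicKey(), sigPK}, &ServerSK{nikeSK, sigSK}
}

// ClientInit is KE_client_init: sample (pk_i, sk_i), k_tmp = NIKE.Key(sk_i, pk_static), m_i = pk_i.
func ClientInit(pk *ServerPK) (skI *ecdh.PrivateKey, kTmp []byte, mi *ecdh.PublicKey, err error) {
	skI = nikeGen()
	if kTmp, err = skI.ECDH(pk.NikeStatic); err != nil {
		return nil, nil, nil, err
	}
	return skI, kTmp, skI.PublicKey(), nil
}

// ServerRefresh is KE_server_refresh: k_tmp = NIKE.Key(sk_static, pk_i); sample and sign pk_j;
// k_main = NIKE.Key(sk_j, pk_i), or uniformly random if m_i is the server's own static NIKE key.
func ServerRefresh(sk *ServerSK, mi *ecdh.PublicKey) (kTmp, kMain []byte, mj *ServerMsg, err error) {
	if kTmp, err = sk.NikeStatic.ECDH(mi); err != nil {
		return nil, nil, nil, err
	}
	skJ := nikeGen()
	if mi.Equal(sk.NikeStatic.PublicKey()) {
		kMain = make([]byte, 32) // the construction's special case (see Remark 4)
		_, err = rand.Read(kMain)
	} else {
		kMain, err = skJ.ECDH(mi)
	}
	if err != nil {
		return nil, nil, nil, err
	}
	pkJ := skJ.PublicKey()
	return kTmp, kMain, &ServerMsg{pkJ, ed25519.Sign(sk.Sig, pkJ.Bytes())}, nil
}

// ClientRefresh is KE_client_refresh: reject m_j unless sigma_j verifies under pk^sig, then k_main = NIKE.Key(sk_i, pk_j).
func ClientRefresh(pk *ServerPK, skI *ecdh.PrivateKey, mj *ServerMsg) ([]byte, error) {
	if !ed25519.Verify(pk.Sig, mj.PkJ.Bytes(), mj.Sigma) {
		return nil, errors.New("KE_client_refresh: SIG.Vfy failed on m_j")
	}
	return skI.ECDH(mj.PkJ) // only the server is authenticated, as in the construction
}

// Run performs one honest exchange and reports whether both sides agree on k_tmp and k_main.
func Run() bool {
	pk, sk := GenServer()
	skI, cTmp, mi, err := ClientInit(pk)
	check(err)
	sTmp, sMain, mj, err := ServerRefresh(sk, mi)
	check(err)
	cMain, err := ClientRefresh(pk, skI, mj)
	check(err)
	return bytes.Equal(cTmp, sTmp) && bytes.Equal(cMain, sMain)
}
```

Replacing mj.PkJ with an unsigned key before ClientRefresh exercises the signature check, and calling ServerRefresh with pk.NikeStatic as the client message exercises the random-key special case.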
Figure 3 demonstrates the construction.

Remark 4. One may wonder why we define $\mathrm{KE}^{\mathrm{server}}_{\mathrm{refresh}}(sk, r_j, m_i)$ such that it samples a random key when it takes as input a client message $m_i$ which is equal to its own static NIKE key, that is, if $m_i = pk^{\mathrm{nke}}_{\mathrm{static}}$. We note that this is necessary for the security of the constructed 0-RTT KE scheme to be reducible to that of the NIKE scheme, because in some cases we will not be able to simulate the key computed by a server oracle that receives as input a message which is equal to the static NIKE public key contained in its 0-RTT KE public key. Note that this incurs a negligible correctness error. However, it is straightforward to verify the correctness of the protocol according to Definition 4.

Theorem 1. Let 0-RTT be executed with $d$ clients, $l$ servers with long-term keys, and $k$ server oracles modeling each server. From each attacker $A$, we can construct attackers $B_{\mathrm{sig}}$, according to Definition 1, and $B_{\mathrm{nke}}$, according to Definition 3, such that

$$\mathrm{Adv}_{A}(\lambda) \le 2kdl\left(\mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda) + \mathrm{Adv}_{\mathrm{SIG},B_{\mathrm{sig}}}(\lambda)\right) + dlk\left(\mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda) + \mathrm{Adv}_{\mathrm{SIG},B_{\mathrm{sig}}}(\lambda)\right) + dl\left(\mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda) + \mathrm{Adv}_{\mathrm{SIG},B_{\mathrm{sig}}}(\lambda)\right) + 4\,\mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda).$$

The running time of $B_{\mathrm{sig}}$ and $B_{\mathrm{nke}}$ is approximately equal to the time required to execute the security experiment with $A$ once.

Intuition for the proof of Theorem 1. In order to prove Theorem 1, we distinguish between four types of attackers:

- adversary $A_1$ asks Test() to a client oracle and the temporary key (CT-attacker)
- adversary $A_2$ asks Test() to a client oracle and the main key (CM-attacker)
- adversary $A_3$ asks Test() to a server oracle and the temporary key (ST-attacker)
- adversary $A_4$ asks Test() to a server oracle and the main key (SM-attacker)

Let us give some intuition why this classification of attackers will be useful for the security proof. In the 0-RTT KE scheme 0-RTT each party computes 2 different keys $k^{i,j}_{\mathrm{tmp}}$ and $k^{i,j}_{\mathrm{main}}$, where $k^{i,j}_{\mathrm{tmp}}$ depends on the ephemeral keys of the client and the static keys of the server, and $k^{i,j}_{\mathrm{main}}$ depends on the ephemeral keys of both parties. In our proof we want to be able to reduce the indistinguishability of the 0-RTT key to the indistinguishability of the NIKE key. In the NIKE security experiment the attacker receives two challenge public keys $\{pk^{\mathrm{nke}}_i, pk^{\mathrm{nke}}_j\}$. In the reduction, we want to embed these keys in the 0-RTT security experiment, according to Section 3.2, and still be able to answer all Reveal()- and Corrupt()-queries correctly. In the case of adversaries that test the temporary key of the client or the server we can embed the NIKE keys as $pk^{\mathrm{nke}}_{\mathrm{static}} = pk^{\mathrm{nke}}_j$ and $m_i = pk^{\mathrm{nke}}_i$. However, this does not work for adversaries against the main key, because $k^{i,j}_{\mathrm{main}}$ depends on the ephemeral keys of the parties. In this case we have to embed the keys as $m_i = pk^{\mathrm{nke}}_i$ and $m_j = pk^{\mathrm{nke}}_j$. The Test()-query of the attacker in the 0-RTT experiment can then be answered with the challenge the attacker in the NIKE experiment receives.

4.2 Proof of Theorem 1

We prove security of 0-RTT in the model of Section 3.2 with server-only authentication.

CT-attacker. We start with the first attacker that asks Test($C_i$, tmp).

Lemma 1. From each CT-attacker $A_1$, we can construct attackers $B_{\mathrm{sig}}$, according to Definition 1, and $B_{\mathrm{nke}}$, according to Definition 3, such that

$$\mathrm{Adv}_{A_1}(\lambda) \le dl\left(\mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda) + \mathrm{Adv}_{\mathrm{SIG},B_{\mathrm{sig}}}(\lambda)\right) + \mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda).$$

The running time of $B_{\mathrm{sig}}$ and $B_{\mathrm{nke}}$ is approximately equal to the time required to execute the security experiment with $A_1$ once.

Proof. The proof is a sequence of different games played between the attacker and a challenger according to the security experiment from Definition 5. Henceforth, let $\mathrm{Adv}_i := 2\Pr[\mathrm{Game}_i = 1] - 1$ denote the advantage of $A$ in Game $i$.

Game 0. This is the original security experiment. By definition we have $\mathrm{Adv}_0 = \mathrm{Adv}_{A_1}$.

Game 1. Game 1 is identical to Game 0, except that we add an abort condition. We raise event abort, abort the game, and output a random bit, if there ever exist two oracles which compute the same NIKE public key (either in messages or in their long-term public keys). We have $\mathrm{Adv}_1 \ge \mathrm{Adv}_0 - \Pr[\mathsf{abort}]$. Note that in the whole experiment at most $(k+1)l + d$ NIKE keys are generated. By a straightforward reduction to the security of the NIKE scheme, we can construct a trivial NIKE adversary $B_{\mathrm{nke}}$, which retrieves a public key $pk^{\mathrm{nke}}$ from the NIKE security experiment, and then generates additional $(k+1)l + d - 1$ NIKE key pairs $(pk^{\mathrm{nke}}_i, sk^{\mathrm{nke}}_i) \leftarrow \mathrm{NIKE.Gen}(1^\lambda, r_i)$, exactly like the security experiment in Game 1. If there exists $i \in [k + d + dl - 1]$ with $pk^{\mathrm{nke}}_i = pk^{\mathrm{nke}}$, then $B_{\mathrm{nke}}$ can trivially break the security of the NIKE scheme. Thus we have $\Pr[\mathsf{abort}] \le \mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda)$ and therefore $\mathrm{Adv}_1 \ge \mathrm{Adv}_0 - \mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda)$.

Game 2. This game is identical to Game 1 with one exception. We guess $i^* \leftarrow_{\$} [d]$ uniformly at random and let the game abort if $A_1$ does not issue a Test($C_i$, main)-query with $i = i^*$. That means, in this game we guess the Test-oracle. Note that we are considering the case of CT-attackers, which always ask a Test-query against a client oracle. Therefore the probability of guessing this oracle correctly is $1/d$, which implies $\mathrm{Adv}_2 = \frac{1}{d}\mathrm{Adv}_1$.

Game 3. Now, we want to guess the partner of the Test-oracle. We choose $j^* \leftarrow_{\$} [l]$ uniformly at random, and abort if $\mathrm{Partner}_{i^*} \ne j^*$. We may assume that $C_{i^*}$ accepts (as otherwise the Test-query returns unconditionally and the adversary cannot win), so we must have $\mathrm{Partner}_{i^*} \in [l]$ and therefore $\mathrm{Adv}_3 = \frac{1}{l}\mathrm{Adv}_2$.

Game 4. In this game we add another abort condition to make sure that $C_{i^*}$ does not receive the static public key of the server as input. We abort and output a random bit if $M^{i^*}_{\mathrm{in}} = (pk^{\mathrm{nke}}_{\mathrm{static}}, \sigma)$ where $\mathrm{true} = \mathrm{SIG.Vfy}(pk^{\mathrm{sig}}_{j^*}, \sigma, pk^{\mathrm{nke}}_{\mathrm{static}})$, but there exists no $t \in [k]$ with $M^{j^*,t}_{\mathrm{out}} = M^{i^*}_{\mathrm{in}}$. Here we can use the fact that the message received by $C_{i^*}$ is digitally signed. Clearly, we have $\mathrm{Adv}_4 \ge \mathrm{Adv}_3 - \Pr[\mathsf{abort}]$. We claim that we can construct a signature adversary $B_{\mathrm{sig}}$ with $\Pr[\mathsf{abort}] \le \mathrm{Adv}_{\mathrm{SIG},B_{\mathrm{sig}}}(\lambda)$. $B_{\mathrm{sig}}$ proceeds as follows. It receives as input a public key $pk^{\mathrm{sig}}$ and sets $pk^{\mathrm{sig}}_{j^*} := pk^{\mathrm{sig}}$. In order to compute signatures to simulate the oracles of server $j^*$, $B_{\mathrm{sig}}$ uses the signing oracle provided by the sEUF-CMA security experiment. If event abort occurs, then this means that $C_{i^*}$ receives as input a tuple $M^{i^*}_{\mathrm{in}} = (pk^{\mathrm{nke}}_{\mathrm{static}}, \sigma)$ with $\mathrm{true} = \mathrm{SIG.Vfy}(pk^{\mathrm{sig}}_{j^*}, \sigma, pk^{\mathrm{nke}}_{\mathrm{static}})$, but there exists no server oracle which has output this tuple. Thus, $(pk^{\mathrm{nke}}_{\mathrm{static}}, \sigma)$ is a valid sEUF-CMA forgery for $pk^{\mathrm{sig}}_{j^*}$. This proves our claim, and therefore we have $\mathrm{Adv}_4 \ge \mathrm{Adv}_3 - \mathrm{Adv}_{\mathrm{SIG},B_{\mathrm{sig}}}(\lambda)$.

The final reduction to the security of the NIKE scheme. We claim that we are now able to construct an efficient attacker $B_{\mathrm{nke}}$ which is able to answer all queries of $A_1$ correctly, such that $\mathrm{Adv}_4 \le \mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda)$. $B_{\mathrm{nke}}$ interacts with the challenger exactly as described in Definition 3 and runs $A$ as a subroutine, by simulating the experiment as it is described in Game 4. In the reduction, $B_{\mathrm{nke}}$ registers two honest parties $P_i$ and $P_j$ and receives the public keys $\{pk^{\mathrm{nke}}_i, pk^{\mathrm{nke}}_j\}$. $B_{\mathrm{nke}}$ sets the public key of $S_{j^*,t}$ to $pk^{\mathrm{nke}}_{\mathrm{static}} = pk^{\mathrm{nke}}_j$
and generates the signing keys of $S_{j^*,t}$. Then, $B_{\mathrm{nke}}$ sets the first message of $C_{i^*}$ to $m_{i^*} = pk^{\mathrm{nke}}_i$. Next, $B_{\mathrm{nke}}$ answers all Send()-, Reveal()-, and Corrupt()-queries of $A$ as follows.

Corrupt-queries: $A_1$ asks only Corrupt-queries for server oracles $S_{j,t}$ (see the security definition of the model in Definition 5) for $j \ne j^*$. $B_{\mathrm{nke}}$ can answer all these queries correctly by using the RegisterCorrupt()-query and the SIG.Gen algorithm.

Reveal-queries: Here, we have to distinguish between the different keys and stages.

Reveal($C_i$, tmp): In this case, $B_{\mathrm{nke}}$ is able to reveal all keys for $i \ne i^*$, because he can generate the secret keys himself. The query for $i = i^*$ is not allowed by the security definition.

Reveal($C_i$, main): For $i \ne i^*$, $B_{\mathrm{nke}}$ can again use the self-generated secret keys. In the case of $i = i^*$, Game 1 guarantees that the message received by the client is not equal to the static public key of the server. For all other messages we can use the RegisterCorrupt()-query and the GetCorruptKey()-query.

Reveal($S_{j,t}$, tmp): If it holds that $M^{j,t}_{\mathrm{in}} = M^{i^*}_{\mathrm{out}}$ and $j = j^*$, then by the security definition this query is not allowed. In contrast, the other two cases are addressed as follows. If $j \ne j^*$ then $B_{\mathrm{nke}}$ is able to generate all necessary keys to answer the query. For $j = j^*$ and $M^{j,t}_{\mathrm{in}} \ne M^{i^*}_{\mathrm{out}}$ he has to use the RegisterCorrupt()-query and the GetCorruptKey()-query. $B_{\mathrm{nke}}$ has to generate a random key if $M^{j,t}_{\mathrm{in}} = pk^{\mathrm{nke}}_j$ to simulate the environment for $A_1$. This is also defined in the generic construction.

Reveal($S_{j,t}$, main): In this case, $B_{\mathrm{nke}}$ can generate the secret keys himself to answer the query correctly.

Send-queries: $B_{\mathrm{nke}}$ is able to answer all of these queries using the keys that are self-generated and with the messages answered by the NIKE oracle.

After the Test-query $A_1$ has to get a random value or a key which depends on the keys $(sk^{\mathrm{nke}}_i, pk^{\mathrm{nke}}_{\mathrm{static}})$. This is exactly the same input which $B_{\mathrm{nke}}$ receives after querying Test($i$, $j$) in the NIKE experiment. Combining all the above games completes the reduction.

CM-attacker. The next proof is about attackers that ask Test($C_i$, main).

Lemma 2. From each CM-attacker $A_2$, we can construct attackers $B_{\mathrm{sig}}$, according to Definition 1, and $B_{\mathrm{nke}}$, according to Definition 3, such that

$$\mathrm{Adv}_{A_2}(\lambda) \le dlk\left(\mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda) + \mathrm{Adv}_{\mathrm{SIG},B_{\mathrm{sig}}}(\lambda)\right) + \mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda).$$

The running times of $B_{\mathrm{sig}}$ and $B_{\mathrm{nke}}$ are approximately equal to the time required to execute the security experiment with $A_2$ once.

Proof. Again, we proceed in a sequence of games.

Game 0. This is the original security experiment. By definition we have $\mathrm{Adv}_0 = \mathrm{Adv}_{A_2}$.

Game 1. Game 1 is identical to Game 0, except that we add an abort condition. Like in Game 1 in the proof of Lemma 1, we raise event abort and abort the game if there ever exist two oracles which compute the same NIKE key. With exactly the same argument as in Game 1 from the proof of Lemma 1, we have $\mathrm{Adv}_0 \le \mathrm{Adv}_1 + \mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda)$.

Game 2. This game is identical to Game 1, except that we guess the Test-oracle. More precisely, we guess an index $i^* \leftarrow_{\$} [d]$ uniformly at random and abort the game if $A_2$ does not issue a Test($C_i$, main)-query with $i = i^*$. Note that we are considering the case of CM-attackers, which always ask a Test-query against a client oracle. Therefore the probability of guessing this oracle correctly is $1/d$, which implies $\mathrm{Adv}_2 = \frac{1}{d}\mathrm{Adv}_1$.

Game 3. Next, we guess the identity of the partner of oracle $C_{i^*}$. More precisely, we choose $j^* \leftarrow_{\$} [l]$ uniformly at random and abort if $\mathrm{Partner}_{i^*} \ne j^*$. We may assume that $C_{i^*}$ accepts (as otherwise the Test-query returns unconditionally and the adversary cannot win) and thus we must have $\mathrm{Partner}_{i^*} \in [l]$. Therefore $\mathrm{Adv}_3 = \frac{1}{l}\mathrm{Adv}_2$.

Game 4. Now we want to make sure that there exists a server oracle which has output the message received by client $C_{i^*}$. Here we can use the fact that the message received by $C_{i^*}$ is digitally signed, and that the partner of the Test-oracle must not be corrupted before $C_{i^*}$ accepts. Formally, Game 4 is identical to Game 3, with the exception that we add another abort condition. We raise event abort, let the experiment abort, and output a random bit, if $M^{i^*}_{\mathrm{in}} = (pk^{\mathrm{nke}}_j, \sigma_j)$ where $\mathrm{true} = \mathrm{SIG.Vfy}(pk^{\mathrm{sig}}_{j^*}, \sigma_j, pk^{\mathrm{nke}}_j)$, but there does not exist $t \in [k]$ with $M^{j^*,t}_{\mathrm{out}} = M^{i^*}_{\mathrm{in}}$. Clearly, we have $\mathrm{Adv}_4 \ge \mathrm{Adv}_3 - \Pr[\mathsf{abort}]$. We claim that we can construct a signature adversary $B_{\mathrm{sig}}$ with $\Pr[\mathsf{abort}] \le \mathrm{Adv}_{\mathrm{SIG},B_{\mathrm{sig}}}(\lambda)$. $B_{\mathrm{sig}}$ proceeds as follows. It receives as input a public key $pk^{\mathrm{sig}}$ and sets $pk^{\mathrm{sig}}_{j^*} := pk^{\mathrm{sig}}$. In order to compute signatures to simulate the oracles of server $j^*$, $B_{\mathrm{sig}}$ uses the signing oracle provided by the sEUF-CMA security experiment. If event abort occurs, then this means that $C_{i^*}$ receives as input a tuple $M^{i^*}_{\mathrm{in}} = (pk^{\mathrm{nke}}_j, \sigma_j)$ with $\mathrm{true} = \mathrm{SIG.Vfy}(pk^{\mathrm{sig}}_{j^*}, \sigma_j, pk^{\mathrm{nke}}_j)$, but there exists no server oracle which has output this tuple. Thus, $(pk^{\mathrm{nke}}_j, \sigma_j)$ is a valid sEUF-CMA forgery for $pk^{\mathrm{sig}}_{j^*}$. This proves our claim, and therefore we have $\mathrm{Adv}_3 \le \mathrm{Adv}_4 + \mathrm{Adv}_{\mathrm{SIG},B_{\mathrm{sig}}}(\lambda)$.

Game 5. In this game, we guess the partner oracle of $C_{i^*}$, which is guaranteed to exist due to Game 4. That is, we choose $t^* \leftarrow_{\$} [k]$ uniformly at random and abort the game if $M^{i^*}_{\mathrm{in}} \ne M^{j^*,t^*}_{\mathrm{out}}$. Due to Game 4 we know that there exists $(j^*, t)$ with $M^{i^*}_{\mathrm{in}} = M^{j^*,t}_{\mathrm{out}}$. (Moreover, $(j^*, t)$ is unique, due to Game 1.) Thus, we have $\Pr[t^* = t] = 1/k$, and thus $\mathrm{Adv}_5 = \frac{1}{k}\mathrm{Adv}_4$.

The final reduction to the security of the NIKE scheme. Finally, we claim that we can build $B_{\mathrm{nke}}$, which is able to answer all queries of $A_2$, and it holds that $\mathrm{Adv}_5 \le \mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda)$. First, $B_{\mathrm{nke}}$ registers two honest parties $P_i$ and $P_j$ and receives the public keys $\{pk^{\mathrm{nke}}_i, pk^{\mathrm{nke}}_j\}$. In this case, $B_{\mathrm{nke}}$ sets the message $m_{j^*}$ of $S_{j^*,t^*}$ to $m_{j^*} = pk^{\mathrm{nke}}_j$ and the message $m_{i^*}$ of $C_{i^*}$ to $m_{i^*} = pk^{\mathrm{nke}}_i$. Then, $B_{\mathrm{nke}}$ generates all long-term keys of the server oracles and answers the queries as follows:

Corrupt-queries: $A_2$ asks only Corrupt-queries for server oracles $S_{j,t}$ for $j \ne j^*$. $B_{\mathrm{nke}}$ can answer all these queries correctly by using the RegisterCorrupt()-query and the SIG.Gen algorithm. After querying the Test-query, the attacker is allowed to receive the long-term keys of $S_{j,t}$ for $j = j^*$.

Reveal-queries: Here, we have to distinguish between the different keys and stages.

Reveal($C_i$, tmp): In this case, $B_{\mathrm{nke}}$ is able to reveal all keys, because he knows all the long-term keys of the server oracles.

Reveal($C_i$, main): For $i \ne i^*$, $B_{\mathrm{nke}}$ can again use the self-generated secret keys. In the case of $i = i^*$, it holds that the queried key depends on the keys $sk^{\mathrm{nke}}_i$ and $pk^{\mathrm{nke}}_j$, else the game would abort by definition of Game 1. For the keys $sk^{\mathrm{nke}}_i$ and $pk^{\mathrm{nke}}_j$ the attacker $A_2$ is not allowed to ask the Reveal-query.

Reveal($S_{j,t}$, tmp): In this case, $B_{\mathrm{nke}}$ can use the self-generated long-term keys of the server to answer the query correctly.

Reveal($S_{j,t}$, main): If $j = j^*$ and $M^{j,t}_{\mathrm{in}} = M^{i^*}_{\mathrm{out}}$ then this query is not allowed by the security definition. For all other cases, $B_{\mathrm{nke}}$ can use the RegisterCorrupt()-query and the GetCorruptKey()-query, or the self-generated keys, to answer the query.

Send-queries: $B_{\mathrm{nke}}$ is able to answer all of these queries using the keys that are self-generated and with the messages answered by the NIKE oracle.

In summary, the last part of the proof follows that of Lemma 1.

ST-attacker. We now turn to attackers that ask Test($S_{j,t}$, tmp).

Lemma 3. From each ST-attacker $A_3$, we can construct attackers $B_{\mathrm{sig}}$, according to Definition 1, and $B_{\mathrm{nke}}$, according to Definition 3, such that

$$\mathrm{Adv}_{A_3}(\lambda) \le kdl\left(\mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda) + \mathrm{Adv}_{\mathrm{SIG},B_{\mathrm{sig}}}(\lambda)\right) + \mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda).$$

The running times of $B_{\mathrm{sig}}$ and $B_{\mathrm{nke}}$ are approximately equal to the time required to execute the security experiment with $A_3$ once.

Proof. Again, we proceed in a sequence of games.

Game 0. This is the original security experiment. By definition we have $\mathrm{Adv}_0 = \mathrm{Adv}_{A_3}$.

Game 1. Game 1 is identical to Game 0, except that we add an abort condition. We raise event abort and abort the game, outputting a random bit, if there ever exist two oracles which compute the same NIKE key. Reducing to the security of the NIKE scheme as in Game 1 of Lemma 1 yields $\mathrm{Adv}_0 \le \mathrm{Adv}_1 + \mathrm{Adv}^{\text{CKS-light}}_{\mathrm{NIKE},B_{\mathrm{nke}}}(\lambda)$.

Game 2. This game is identical to Game 1, except that we guess the Test-oracle $S_{j^*,t^*}$ via uniformly random indices $(j^*, t^*) \leftarrow_{\$} [l] \times [k]$, and abort and output a random bit if the guess is wrong. As before, we have $\mathrm{Adv}_1 = lk \cdot \mathrm{Adv}_2$.

Game 3. Note that there must exist an oracle $C_i$ which has output the message received by $S_{j^*,t^*}$ (by the corresponding condition in the security experiment, which rules out trivial attacks). We guess this partner oracle $C_{i^*}$, by choosing $i^* \leftarrow_{\$} [d]$ uniformly at random and aborting the experiment, outputting a random bit, if $M^{j^*,t^*}_{\mathrm{in}} \ne M^{i^*}_{\mathrm{out}}$. We may assume that $S_{j^*,t^*}$ accepts (as otherwise the Test-query returns unconditionally and the adversary cannot win). Therefore $\mathrm{Adv}_2 = d \cdot \mathrm{Adv}_3$.

Game 4. Now we want to make sure that the client oracle $C_{i^*}$ receives only a valid message generated by an oracle of server $j^*$ as input. We can use the fact that party $j^*$ must not be corrupted to use the security of the signature scheme as an argument. Game 4 is identical to Game 3, with the exception that we add another abort condition. We raise event abort, let the experiment abort, and output


More information

with `ook-ahead for Broadcast WDM Networks TR May 14, 1996 Abstract

with `ook-ahead for Broadcast WDM Networks TR May 14, 1996 Abstract HPeR-`: A Hgh Performance Reservaton Protocol wth `ook-ahead for Broadcast WDM Networks Vjay Svaraman George N. Rouskas TR-96-06 May 14, 1996 Abstract We consder the problem of coordnatng access to the

More information

Improvement ofmanik et al. s remote user authentication scheme

Improvement ofmanik et al. s remote user authentication scheme Improvement ofmank et al. s remote user authentcaton scheme Abstract Jue-Sam Chou, a,yaln Chen b Jyun-Yu Ln c a Department of Informaton Management, Nanhua Unversty Chay, 622, Tawan schou@mal.nhu.edu.tw

More information

Lecture 5: Multilayer Perceptrons

Lecture 5: Multilayer Perceptrons Lecture 5: Multlayer Perceptrons Roger Grosse 1 Introducton So far, we ve only talked about lnear models: lnear regresson and lnear bnary classfers. We noted that there are functons that can t be represented

More information

The stream cipher MICKEY-128 (version 1) Algorithm specification issue 1.0

The stream cipher MICKEY-128 (version 1) Algorithm specification issue 1.0 The stream cpher MICKEY-128 (verson 1 Algorthm specfcaton ssue 1. Steve Babbage Vodafone Group R&D, Newbury, UK steve.babbage@vodafone.com Matthew Dodd Independent consultant matthew@mdodd.net www.mdodd.net

More information

Assignment # 2. Farrukh Jabeen Algorithms 510 Assignment #2 Due Date: June 15, 2009.

Assignment # 2. Farrukh Jabeen Algorithms 510 Assignment #2 Due Date: June 15, 2009. Farrukh Jabeen Algorthms 51 Assgnment #2 Due Date: June 15, 29. Assgnment # 2 Chapter 3 Dscrete Fourer Transforms Implement the FFT for the DFT. Descrbed n sectons 3.1 and 3.2. Delverables: 1. Concse descrpton

More information

A new attack on Jakobsson Hybrid Mix-Net

A new attack on Jakobsson Hybrid Mix-Net A new attack on Jakobsson Hybrd Mx-Net Seyyed Amr Mortazav Tehran, Iran. sa.mortezav@gmal.com Abstract The Jakobsson hybrd Mx-net proposed by Jakobsson and Juels, s a very practcal and effcent scheme for

More information

SLAM Summer School 2006 Practical 2: SLAM using Monocular Vision

SLAM Summer School 2006 Practical 2: SLAM using Monocular Vision SLAM Summer School 2006 Practcal 2: SLAM usng Monocular Vson Javer Cvera, Unversty of Zaragoza Andrew J. Davson, Imperal College London J.M.M Montel, Unversty of Zaragoza. josemar@unzar.es, jcvera@unzar.es,

More information

FINDING IMPORTANT NODES IN SOCIAL NETWORKS BASED ON MODIFIED PAGERANK

FINDING IMPORTANT NODES IN SOCIAL NETWORKS BASED ON MODIFIED PAGERANK FINDING IMPORTANT NODES IN SOCIAL NETWORKS BASED ON MODIFIED PAGERANK L-qng Qu, Yong-quan Lang 2, Jng-Chen 3, 2 College of Informaton Scence and Technology, Shandong Unversty of Scence and Technology,

More information

VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) , Fax: (370-5) ,

VRT012 User s guide V0.1. Address: Žirmūnų g. 27, Vilnius LT-09105, Phone: (370-5) , Fax: (370-5) , VRT012 User s gude V0.1 Thank you for purchasng our product. We hope ths user-frendly devce wll be helpful n realsng your deas and brngng comfort to your lfe. Please take few mnutes to read ths manual

More information

Notes on Organizing Java Code: Packages, Visibility, and Scope

Notes on Organizing Java Code: Packages, Visibility, and Scope Notes on Organzng Java Code: Packages, Vsblty, and Scope CS 112 Wayne Snyder Java programmng n large measure s a process of defnng enttes (.e., packages, classes, methods, or felds) by name and then usng

More information

An enhanced dynamic-id-based remote user authentication protocol with smart card

An enhanced dynamic-id-based remote user authentication protocol with smart card Internatonal Journal of Engneerng Advanced Research Technology (IJEART) ISSN: 2454-9290 Volume-2 Issue-4 Aprl 206 An enhanced dynamc-id-based remote user authentcaton protocol wth smart card aoran Chen

More information

Assembler. Shimon Schocken. Spring Elements of Computing Systems 1 Assembler (Ch. 6) Compiler. abstract interface.

Assembler. Shimon Schocken. Spring Elements of Computing Systems 1 Assembler (Ch. 6) Compiler. abstract interface. IDC Herzlya Shmon Schocken Assembler Shmon Schocken Sprng 2005 Elements of Computng Systems 1 Assembler (Ch. 6) Where we are at: Human Thought Abstract desgn Chapters 9, 12 abstract nterface H.L. Language

More information

Introduction. Leslie Lamports Time, Clocks & the Ordering of Events in a Distributed System. Overview. Introduction Concepts: Time

Introduction. Leslie Lamports Time, Clocks & the Ordering of Events in a Distributed System. Overview. Introduction Concepts: Time Lesle Laports e, locks & the Orderng of Events n a Dstrbuted Syste Joseph Sprng Departent of oputer Scence Dstrbuted Systes and Securty Overvew Introducton he artal Orderng Logcal locks Orderng the Events

More information

EECS 730 Introduction to Bioinformatics Sequence Alignment. Luke Huan Electrical Engineering and Computer Science

EECS 730 Introduction to Bioinformatics Sequence Alignment. Luke Huan Electrical Engineering and Computer Science EECS 730 Introducton to Bonformatcs Sequence Algnment Luke Huan Electrcal Engneerng and Computer Scence http://people.eecs.ku.edu/~huan/ HMM Π s a set of states Transton Probabltes a kl Pr( l 1 k Probablty

More information

A Distributed Private-Key Generator for Identity-Based Cryptography

A Distributed Private-Key Generator for Identity-Based Cryptography A Dstrbuted Prvate-Key Generator for Identty-Based Cryptography Anket Kate Ian Goldberg Davd R. Cherton School of Computer Scence Unversty of Waterloo Waterloo, ON, Canada N2L 3G1 {akate,ang}@cs.uwaterloo.ca

More information

Smoothing Spline ANOVA for variable screening

Smoothing Spline ANOVA for variable screening Smoothng Splne ANOVA for varable screenng a useful tool for metamodels tranng and mult-objectve optmzaton L. Rcco, E. Rgon, A. Turco Outlne RSM Introducton Possble couplng Test case MOO MOO wth Game Theory

More information

Load Balancing for Hex-Cell Interconnection Network

Load Balancing for Hex-Cell Interconnection Network Int. J. Communcatons, Network and System Scences,,, - Publshed Onlne Aprl n ScRes. http://www.scrp.org/journal/jcns http://dx.do.org/./jcns.. Load Balancng for Hex-Cell Interconnecton Network Saher Manaseer,

More information

Analysis of Continuous Beams in General

Analysis of Continuous Beams in General Analyss of Contnuous Beams n General Contnuous beams consdered here are prsmatc, rgdly connected to each beam segment and supported at varous ponts along the beam. onts are selected at ponts of support,

More information

Overview. Basic Setup [9] Motivation and Tasks. Modularization 2008/2/20 IMPROVED COVERAGE CONTROL USING ONLY LOCAL INFORMATION

Overview. Basic Setup [9] Motivation and Tasks. Modularization 2008/2/20 IMPROVED COVERAGE CONTROL USING ONLY LOCAL INFORMATION Overvew 2 IMPROVED COVERAGE CONTROL USING ONLY LOCAL INFORMATION Introducton Mult- Smulator MASIM Theoretcal Work and Smulaton Results Concluson Jay Wagenpfel, Adran Trachte Motvaton and Tasks Basc Setup

More information

APRAP: Another Privacy Preserving RF Authentication Protocol. Author(s)Miyaji, Atsuko; Rahman, Mohammad Sha

APRAP: Another Privacy Preserving RF Authentication Protocol. Author(s)Miyaji, Atsuko; Rahman, Mohammad Sha JAIST Repos https://dspace.j Ttle APRAP: Another Prvacy Preservng RF Authentcaton Protocol Author(s)Myaj, Atsuko; Rahman, Mohammad Sha Ctaton 2010 6th IEEE Workshop on Secure Net Protocols (NPSec): 13-18

More information

Meta-heuristics for Multidimensional Knapsack Problems

Meta-heuristics for Multidimensional Knapsack Problems 2012 4th Internatonal Conference on Computer Research and Development IPCSIT vol.39 (2012) (2012) IACSIT Press, Sngapore Meta-heurstcs for Multdmensonal Knapsack Problems Zhbao Man + Computer Scence Department,

More information

Optimal Workload-based Weighted Wavelet Synopses

Optimal Workload-based Weighted Wavelet Synopses Optmal Workload-based Weghted Wavelet Synopses Yoss Matas School of Computer Scence Tel Avv Unversty Tel Avv 69978, Israel matas@tau.ac.l Danel Urel School of Computer Scence Tel Avv Unversty Tel Avv 69978,

More information

A NOTE ON FUZZY CLOSURE OF A FUZZY SET

A NOTE ON FUZZY CLOSURE OF A FUZZY SET (JPMNT) Journal of Process Management New Technologes, Internatonal A NOTE ON FUZZY CLOSURE OF A FUZZY SET Bhmraj Basumatary Department of Mathematcal Scences, Bodoland Unversty, Kokrajhar, Assam, Inda,

More information

A Geometric Approach for Multi-Degree Spline

A Geometric Approach for Multi-Degree Spline L X, Huang ZJ, Lu Z. A geometrc approach for mult-degree splne. JOURNAL OF COMPUTER SCIENCE AND TECHNOLOGY 27(4): 84 850 July 202. DOI 0.007/s390-02-268-2 A Geometrc Approach for Mult-Degree Splne Xn L

More information

Reducing Frame Rate for Object Tracking

Reducing Frame Rate for Object Tracking Reducng Frame Rate for Object Trackng Pavel Korshunov 1 and We Tsang Oo 2 1 Natonal Unversty of Sngapore, Sngapore 11977, pavelkor@comp.nus.edu.sg 2 Natonal Unversty of Sngapore, Sngapore 11977, oowt@comp.nus.edu.sg

More information

Protecting Your Right: Verifiable Attribute-based Keyword Search with Fine-grained Owner-enforced Search Authorization in the Cloud

Protecting Your Right: Verifiable Attribute-based Keyword Search with Fine-grained Owner-enforced Search Authorization in the Cloud 1 Protectng Your Rght: Verfable Attrbute-based Keyword Search wth Fne-graned Owner-enforced Search Authorzaton n the Cloud Wenha Sun, Student Member, IEEE, Shucheng Yu, Member, IEEE, Wenjng Lou, Senor

More information

Transaction-Consistent Global Checkpoints in a Distributed Database System

Transaction-Consistent Global Checkpoints in a Distributed Database System Proceedngs of the World Congress on Engneerng 2008 Vol I Transacton-Consstent Global Checkponts n a Dstrbuted Database System Jang Wu, D. Manvannan and Bhavan Thurasngham Abstract Checkpontng and rollback

More information

Weaknesses of a dynamic ID-based remote user authentication. He Debiao*, Chen Jianhua, Hu Jin

Weaknesses of a dynamic ID-based remote user authentication. He Debiao*, Chen Jianhua, Hu Jin Weaknesses of a dynamc -based remote user authentcaton scheme He Debao, Chen anhua, Hu n School of Mathematcs Statstcs, Wuhan nversty, Wuhan, Hube 430072, Chna Abstract: he securty of a password authentcaton

More information

Assembler. Building a Modern Computer From First Principles.

Assembler. Building a Modern Computer From First Principles. Assembler Buldng a Modern Computer From Frst Prncples www.nand2tetrs.org Elements of Computng Systems, Nsan & Schocken, MIT Press, www.nand2tetrs.org, Chapter 6: Assembler slde Where we are at: Human Thought

More information

Privacy Models for RFID Authentication Protocols

Privacy Models for RFID Authentication Protocols Prvacy Models for RFID Authentcaton Protocols Jan Shen 1,2, Jn Wang 1,2, Yuan Me 1,2, Ilyong Chung 3 1 Jangsu Engneerng Center of Network Montorng, Nanjng Unversty of Informaton Scence &echnology, Nanjng,210044,Chna

More information

CS 534: Computer Vision Model Fitting

CS 534: Computer Vision Model Fitting CS 534: Computer Vson Model Fttng Sprng 004 Ahmed Elgammal Dept of Computer Scence CS 534 Model Fttng - 1 Outlnes Model fttng s mportant Least-squares fttng Maxmum lkelhood estmaton MAP estmaton Robust

More information

A Secure Dynamic Identity Based Authentication Protocol with Smart Cards for Multi-Server Architecture

A Secure Dynamic Identity Based Authentication Protocol with Smart Cards for Multi-Server Architecture JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 31, 1975-1992 (2015) A Secure Dynamc Identty Based Authentcaton Protocol wth Smart Cards for Mult-Server Archtecture CHUN-TA LI 1, CHENG-CHI LEE 2;3,*, CHI-YAO

More information

A Time-Bound Ticket-Based Mutual Authentication Scheme for Cloud Computing

A Time-Bound Ticket-Based Mutual Authentication Scheme for Cloud Computing Int. J. of Computers, Communcatons & Control, ISSN 1841-9836, E-ISSN 1841-9844 Vol. VI (2011), No. 2 (June), pp. 227-235 A Tme-Bound Tcket-Based Mutual Authentcaton Scheme for Cloud Computng Z. Hao, S.

More information

5 The Primal-Dual Method

5 The Primal-Dual Method 5 The Prmal-Dual Method Orgnally desgned as a method for solvng lnear programs, where t reduces weghted optmzaton problems to smpler combnatoral ones, the prmal-dual method (PDM) has receved much attenton

More information

Learning the Kernel Parameters in Kernel Minimum Distance Classifier

Learning the Kernel Parameters in Kernel Minimum Distance Classifier Learnng the Kernel Parameters n Kernel Mnmum Dstance Classfer Daoqang Zhang 1,, Songcan Chen and Zh-Hua Zhou 1* 1 Natonal Laboratory for Novel Software Technology Nanjng Unversty, Nanjng 193, Chna Department

More information

CSE 326: Data Structures Quicksort Comparison Sorting Bound

CSE 326: Data Structures Quicksort Comparison Sorting Bound CSE 326: Data Structures Qucksort Comparson Sortng Bound Steve Setz Wnter 2009 Qucksort Qucksort uses a dvde and conquer strategy, but does not requre the O(N) extra space that MergeSort does. Here s the

More information

A MOVING MESH APPROACH FOR SIMULATION BUDGET ALLOCATION ON CONTINUOUS DOMAINS

A MOVING MESH APPROACH FOR SIMULATION BUDGET ALLOCATION ON CONTINUOUS DOMAINS Proceedngs of the Wnter Smulaton Conference M E Kuhl, N M Steger, F B Armstrong, and J A Jones, eds A MOVING MESH APPROACH FOR SIMULATION BUDGET ALLOCATION ON CONTINUOUS DOMAINS Mark W Brantley Chun-Hung

More information

Video Proxy System for a Large-scale VOD System (DINA)

Video Proxy System for a Large-scale VOD System (DINA) Vdeo Proxy System for a Large-scale VOD System (DINA) KWUN-CHUNG CHAN #, KWOK-WAI CHEUNG *# #Department of Informaton Engneerng *Centre of Innovaton and Technology The Chnese Unversty of Hong Kong SHATIN,

More information

CSE 326: Data Structures Quicksort Comparison Sorting Bound

CSE 326: Data Structures Quicksort Comparison Sorting Bound CSE 326: Data Structures Qucksort Comparson Sortng Bound Bran Curless Sprng 2008 Announcements (5/14/08) Homework due at begnnng of class on Frday. Secton tomorrow: Graded homeworks returned More dscusson

More information

HOMOMORPHIC ENCRYPTION SCHEMES: STEPS TO IMPROVE THE PROFICIENCY

HOMOMORPHIC ENCRYPTION SCHEMES: STEPS TO IMPROVE THE PROFICIENCY HOMOMORPHIC ENCRYPTION SCHEMES: STEPS TO IMPROVE THE PROFICIENCY Pallav 1 Masters n Technology, School of Future Studes and Plannng, DAVV, Indore (Inda) ABSTRACT Homomorphc encrypton schemes are malleable

More information

The Shortest Path of Touring Lines given in the Plane

The Shortest Path of Touring Lines given in the Plane Send Orders for Reprnts to reprnts@benthamscence.ae 262 The Open Cybernetcs & Systemcs Journal, 2015, 9, 262-267 The Shortest Path of Tourng Lnes gven n the Plane Open Access Ljuan Wang 1,2, Dandan He

More information

A mathematical programming approach to the analysis, design and scheduling of offshore oilfields

A mathematical programming approach to the analysis, design and scheduling of offshore oilfields 17 th European Symposum on Computer Aded Process Engneerng ESCAPE17 V. Plesu and P.S. Agach (Edtors) 2007 Elsever B.V. All rghts reserved. 1 A mathematcal programmng approach to the analyss, desgn and

More information

Perfectly Secure Oblivious Parallel RAM

Perfectly Secure Oblivious Parallel RAM Perfectly Secure Oblvous Parallel RAM T-H. Hubert Chan The Unversty of Hong Kong hubert@cs.hku.hk Kartk Nayak Unversty of Maryland kartk@cs.umd.edu Elane Sh Cornell Unversty elane@cs.cornell.edu Abstract

More information

Content Based Image Retrieval Using 2-D Discrete Wavelet with Texture Feature with Different Classifiers

Content Based Image Retrieval Using 2-D Discrete Wavelet with Texture Feature with Different Classifiers IOSR Journal of Electroncs and Communcaton Engneerng (IOSR-JECE) e-issn: 78-834,p- ISSN: 78-8735.Volume 9, Issue, Ver. IV (Mar - Apr. 04), PP 0-07 Content Based Image Retreval Usng -D Dscrete Wavelet wth

More information

Categories and Subject Descriptors ABSTRACT. General Terms. Keywords 1. INTRODUCTION. C.2.1. [Computer-Communication Networks]: Network Architecture

Categories and Subject Descriptors ABSTRACT. General Terms. Keywords 1. INTRODUCTION. C.2.1. [Computer-Communication Networks]: Network Architecture On Desgnng Incentve-Compatble Routng and Forwardng Protocols n Wreless Ad-Hoc Networks An Integrated Approach Usng Game Theoretcal and Cryptographc Technques Sheng Zhong L (Erran) L Yanbn Grace Lu Yang

More information

CSCI 104 Sorting Algorithms. Mark Redekopp David Kempe

CSCI 104 Sorting Algorithms. Mark Redekopp David Kempe CSCI 104 Sortng Algorthms Mark Redekopp Davd Kempe Algorthm Effcency SORTING 2 Sortng If we have an unordered lst, sequental search becomes our only choce If we wll perform a lot of searches t may be benefcal

More information

ELEC 377 Operating Systems. Week 6 Class 3

ELEC 377 Operating Systems. Week 6 Class 3 ELEC 377 Operatng Systems Week 6 Class 3 Last Class Memory Management Memory Pagng Pagng Structure ELEC 377 Operatng Systems Today Pagng Szes Vrtual Memory Concept Demand Pagng ELEC 377 Operatng Systems

More information

A Five-Point Subdivision Scheme with Two Parameters and a Four-Point Shape-Preserving Scheme

A Five-Point Subdivision Scheme with Two Parameters and a Four-Point Shape-Preserving Scheme Mathematcal and Computatonal Applcatons Artcle A Fve-Pont Subdvson Scheme wth Two Parameters and a Four-Pont Shape-Preservng Scheme Jeqng Tan,2, Bo Wang, * and Jun Sh School of Mathematcs, Hefe Unversty

More information

Using Sphinx to Improve Onion Routing Circuit Construction

Using Sphinx to Improve Onion Routing Circuit Construction Usng Sphnx to Improve Onon Routng Crcut Constructon Anket Kate and Ian Goldberg Davd R. Cherton School of Computer Scence Unversty of Waterloo, ON, Canada {akate,ang}@cs.uwaterloo.ca Abstract Ths paper

More information

News. Recap: While Loop Example. Reading. Recap: Do Loop Example. Recap: For Loop Example

News. Recap: While Loop Example. Reading. Recap: Do Loop Example. Recap: For Loop Example Unversty of Brtsh Columba CPSC, Intro to Computaton Jan-Apr Tamara Munzner News Assgnment correctons to ASCIIArtste.java posted defntely read WebCT bboards Arrays Lecture, Tue Feb based on sldes by Kurt

More information

BioTechnology. An Indian Journal FULL PAPER. Trade Science Inc.

BioTechnology. An Indian Journal FULL PAPER. Trade Science Inc. [Type text] [Type text] [Type text] ISSN : 0974-74 Volume 0 Issue BoTechnology 04 An Indan Journal FULL PAPER BTAIJ 0() 04 [684-689] Revew on Chna s sports ndustry fnancng market based on market -orented

More information

Fast Computation of Shortest Path for Visiting Segments in the Plane

Fast Computation of Shortest Path for Visiting Segments in the Plane Send Orders for Reprnts to reprnts@benthamscence.ae 4 The Open Cybernetcs & Systemcs Journal, 04, 8, 4-9 Open Access Fast Computaton of Shortest Path for Vstng Segments n the Plane Ljuan Wang,, Bo Jang

More information

ARTICLE IN PRESS. Signal Processing: Image Communication

ARTICLE IN PRESS. Signal Processing: Image Communication Sgnal Processng: Image Communcaton 23 (2008) 754 768 Contents lsts avalable at ScenceDrect Sgnal Processng: Image Communcaton journal homepage: www.elsever.com/locate/mage Dstrbuted meda rate allocaton

More information

Analysis of Collaborative Distributed Admission Control in x Networks

Analysis of Collaborative Distributed Admission Control in x Networks 1 Analyss of Collaboratve Dstrbuted Admsson Control n 82.11x Networks Thnh Nguyen, Member, IEEE, Ken Nguyen, Member, IEEE, Lnha He, Member, IEEE, Abstract Wth the recent surge of wreless home networks,

More information

Virtual Machine Migration based on Trust Measurement of Computer Node

Virtual Machine Migration based on Trust Measurement of Computer Node Appled Mechancs and Materals Onlne: 2014-04-04 ISSN: 1662-7482, Vols. 536-537, pp 678-682 do:10.4028/www.scentfc.net/amm.536-537.678 2014 Trans Tech Publcatons, Swtzerland Vrtual Machne Mgraton based on

More information

Simulation Based Analysis of FAST TCP using OMNET++

Simulation Based Analysis of FAST TCP using OMNET++ Smulaton Based Analyss of FAST TCP usng OMNET++ Umar ul Hassan 04030038@lums.edu.pk Md Term Report CS678 Topcs n Internet Research Sprng, 2006 Introducton Internet traffc s doublng roughly every 3 months

More information

Protecting Your Right: Attribute-based Keyword Search with Fine-grained Owner-enforced Search Authorization in the Cloud

Protecting Your Right: Attribute-based Keyword Search with Fine-grained Owner-enforced Search Authorization in the Cloud Protectng Your Rght: Attrbute-based Keyword Search wth Fne-graned Owner-enforced Search Authorzaton n the Cloud Wenha Sun, Shucheng Yu, Wenjng Lou, Y. Thomas Hou, and Hu L The State Key Laboratory of Integrated

More information

Parallel matrix-vector multiplication

Parallel matrix-vector multiplication Appendx A Parallel matrx-vector multplcaton The reduced transton matrx of the three-dmensonal cage model for gel electrophoress, descrbed n secton 3.2, becomes excessvely large for polymer lengths more

More information

arxiv: v3 [cs.ds] 7 Feb 2017

arxiv: v3 [cs.ds] 7 Feb 2017 : A Two-stage Sketch for Data Streams Tong Yang 1, Lngtong Lu 2, Ybo Yan 1, Muhammad Shahzad 3, Yulong Shen 2 Xaomng L 1, Bn Cu 1, Gaogang Xe 4 1 Pekng Unversty, Chna. 2 Xdan Unversty, Chna. 3 North Carolna

More information

Fuzzy Keyword Search over Encrypted Data in Cloud Computing

Fuzzy Keyword Search over Encrypted Data in Cloud Computing Fuzzy Keyword Search over Encrypted Data n Cloud Computng Jn L, Qan Wang, Cong Wang, Nng Cao, Ku Ren, and Wenjng Lou Department of ECE, Illnos Insttute of Technology Department of ECE, Worcester Polytechnc

More information