Here we present the security of the proposed protocols separately: (i) the unauthenticated protocol (UP), i.e. the initial key agreement NM-CHH.IGKA; (ii) the authenticated key agreement (AKA), NM-ACHH; and (iii) the dynamic authenticated key agreement (DAKA), NM-DCHH (NM-CHH.Join and NM-CHH.Leave).
Theorem 4.2 addresses the security of the unauthenticated static NM-CHH.IGKA protocol, Theorem 4.3 deals with the security of the authenticated CHH protocol (NM-ACHH), and finally Theorem 4.4 states the security of the dynamic authenticated CHH protocol (NM-DACHH).
Lemma 4.1
The unauthenticated NM-GKA scheme depicted in the "Background protocols" section is secure against a passive adversary under the ECDDH assumption, achieves forward secrecy and satisfies the following: \(Adv_{NM}^{KA}(t, q_E) \le 2\, Adv_{G}^{ECDDH}(t^{\prime}) + \frac{2 q_E}{|G|},\) where \(t^{\prime} = t + O(|\mathcal{P}|\, q_E\, t_{s.m}),\) \(t_{s.m}\) is the time required to carry out a scalar multiplication over \(G = E(F_p)\), \(|\mathcal{P}|\) is the number of participants in the network and \(q_E\) is the number of Execute queries that an adversary may ask.
Proof
The proof of the lemma appears in [16] as a theorem. □
Theorem 4.2
The unauthenticated static NM-CHH.IGKA protocol depicted in the "Proposed protocol" section is secure against a passive adversary under the ECDDH assumption, achieves forward secrecy and satisfies the following:
$$Adv_{NM - CHH}^{KA} \left( {t,\;q_{E} } \right) \le Adv_{Symm} \left( {t,\;0,0} \right) + \frac{1}{{ \left( {r + 1} \right)q_{E} }} Adv_{NM}^{ECDDH} \left( {t^{\prime}} \right) + \frac{1}{{ \left( {r + 1} \right)\left( { 2q_{E} + \left| G \right|} \right) }},$$
where \(t^{\prime} = t + O(|\mathcal{P}_{max}|\, q_E\, t_{s.m}),\) \(t_{s.m}\) is the time required to execute a scalar multiplication over \(G = E(F_p)\), \(P_{max}\) is the maximum number of users in a cluster of the network, r + 1 is the number of clusters formed in the network and \(q_E\) is the number of Execute queries that an adversary may pose.
Proof
The proof considers an adversary \(\mathcal{A}\) that breaks the security of the proposed unauthenticated static NM-CHH scheme. Given \(\mathcal{A}\), we build an adversary \(\mathcal{B}\) attacking the symmetric encryption scheme (Symm); relating the success probabilities of \(\mathcal{A}\) and \(\mathcal{B}\) gives the stated result of the theorem. Before describing \(\mathcal{B}\), we first define the event Bad and bound its probability. Let Bad be the event that \(\mathcal{A}\) can distinguish a CK (a cluster key agreed by the NM scheme) from a random value at any point during its execution.
Let Prob[Bad] stand for \({\text{Prob}}_{NM-CHH}\)[Bad]. Let Succ denote the event that \(\mathcal{A}\) wins the game.
Note that r + 1 clusters are required in the network, and each execution of the proposed protocol forms the GK by:
(i) executing the NM-GKA protocol simultaneously for the r clusters in level-I;
(ii) executing the NM-GKA protocol among the r CHs in level-II;
(iii) running the symmetric encryption scheme Symm to distribute the key among the clusters under the given CKs.
The adversary \(\mathcal{A}\) makes \(q_E\) Execute queries, which correspond to \(r \cdot q_E\) executions of the NM-GKA scheme in level-I and \(1 \cdot q_E\) executions of the NM-GKA protocol in level-II, i.e. a total of \((r+1)\, q_E\) executions.
$$\therefore Prob[Bad] \le \frac{Prob[Succ]}{(r+1)\, q_E}.$$
Now, by definition,
$$\begin{aligned} Adv_{NM,A}^{KA} & = \left| 2\, Prob[Succ] - 1 \right| \\ \Rightarrow Prob[Succ] & \le \frac{1}{2}\left[ 1 + Adv_{NM,A}^{KA} \right]. \end{aligned}$$
Hence we have
$$\begin{aligned} Prob[Bad] & \le \frac{\frac{1}{2}\left[ 1 + Adv_{NM,A}^{KA} \right]}{(r+1)\, q_E} \\ & = \frac{Adv_{NM,A}^{KA}}{2(r+1)\, q_E} + \frac{1}{2(r+1)\, q_E}. \end{aligned}$$
\(\mathcal{B}\) simulates every oracle query of \(\mathcal{A}\) by running the unauthenticated static NM-CHH protocol on its own. Therefore \(\mathcal{B}\) can detect the occurrence of the event Bad. \(\mathcal{B}\) gives a perfect simulation to \(\mathcal{A}\) as long as the event Bad does not happen. If Bad happens, \(\mathcal{B}\) aborts and outputs a random bit. Otherwise, \(\mathcal{B}\) outputs whatever bit \(\mathcal{A}\) eventually outputs. So \(Prob_{\mathcal{A},NM-CHH}[Succ \mid Bad] = \frac{1}{2}.\)
Now,
$$\begin{aligned} Adv_{\mathcal{B},Symm} & = 2\left| Prob_{\mathcal{B},Symm}[Succ] - 1/2 \right| \\ & = 2\left| Prob_{\mathcal{A},NM-CHH}[Succ \wedge \overline{Bad}] + Prob_{\mathcal{A},NM-CHH}[Succ \wedge Bad] - 1/2 \right| \\ & = 2\left| Prob_{\mathcal{A},NM-CHH}[Succ \wedge \overline{Bad}] + Prob_{\mathcal{A},NM-CHH}[Succ \mid Bad]\, Prob_{\mathcal{A},NM-CHH}[Bad] - 1/2 \right| \\ & = 2\left| Prob_{\mathcal{A},NM-CHH}[Succ \wedge \overline{Bad}] + \tfrac{1}{2}\, Prob_{\mathcal{A},NM-CHH}[Bad] - 1/2 \right| \\ & = 2\left| Prob_{\mathcal{A},NM-CHH}[Succ] - Prob_{\mathcal{A},NM-CHH}[Succ \wedge Bad] + \tfrac{1}{2}\, Prob_{\mathcal{A},NM-CHH}[Bad] - 1/2 \right| \\ & \ge \left| 2\, Prob_{\mathcal{A},NM-CHH}[Succ] - 1 \right| - \left| Prob_{\mathcal{A},NM-CHH}[Bad] - 2\, Prob_{\mathcal{A},NM-CHH}[Succ \wedge Bad] \right| \\ & \ge Adv_{\mathcal{A},NM-CHH} - Prob[Bad]. \end{aligned}$$
Note that \(\mathcal{B}\) never calls its encryption oracle E. Furthermore, the running time of \(\mathcal{B}\) is at most t.
Since \(Adv_{\mathcal{B},Symm} \le Adv_{Symm}(t, 0, 0)\) by assumption,
$$\begin{aligned} Adv_{NM - CHH}^{KA} \left( {t,\;q_{E} } \right) & \le Adv_{Symm} \left( {t,0,0} \right) + Prob\left[ {Bad} \right] \\ & \le Adv_{Symm} \left( {t,\;0,0} \right) + \frac{{Adv_{NM,A}^{KA} \left( {t, \left( {r + 1} \right)q_{E} } \right)}}{{2\left( {r + 1} \right)q_{E} }} + \frac{1}{{ 2\left( {r + 1} \right)q_{E} }} \\ & \le Adv_{Symm} \left( {t,\;0,0} \right) + \frac{1}{{ 2\left( {r + 1} \right)q_{E} }}\left[ {2Adv_{NM}^{ECDDH} \left( {t^{\prime}} \right) + \frac{{2q_{E} }}{{\left| {G } \right|}}} \right] + \frac{1}{{ 2\left( {r + 1} \right)q_{E} }} \\ & = Adv_{Symm} \left( {t,\;0,0} \right) + \frac{1}{{ \left( {r + 1} \right)q_{E} }} Adv_{NM}^{ECDDH} \left( {t^{\prime}} \right) + \frac{1}{{ \left( {r + 1} \right)\left( { 2q_{E} + \left| G \right|} \right) }}, \\ \end{aligned}$$
where \(t^{\prime} = t + O(|P_m|\, q_E\, t_{sm}) = t + O((r+1)\, q_E\, t_{sm}),\) with \(|P_m|\) = maximum number of clusters in the network = r + 1.
Hence, by Lemma 4.1, the theorem follows. □
We now present the security of NM-ACHH, whose security reduces to that of the unauthenticated scheme under the assumption that the signature scheme DSig is secure.
Theorem 4.3
The authenticated CHH scheme (NM-ACHH) is secure against an active adversary under the Elliptic Curve Decisional Diffie-Hellman (EC-DDH) assumption, achieves forward secrecy and satisfies the following:
$$Adv_{NM - ACHH}^{AKA} \left( {t,\;q_{E} ,\; q_{S} } \right) \le Adv_{NM - CHH}^{KA} \left( {t^{\prime},\;q_{E} + \frac{{q_{S} }}{2}} \right) + \left| {\mathcal{P}} \right|Adv_{Dsig} ,$$
where \(t^{\prime} = t + (|\mathcal{P}|\, q_E + q_S)\, t_{ACHH},\) \(t_{ACHH}\) is the time needed to carry out NM-ACHH by each party, and \(q_S\) and \(q_E\) are respectively the maximum number of Send and Execute queries an adversary may pose.
Proof
Let \(\mathcal{A}^\prime\) be an adversary attacking the AP. From it we construct an adversary \(\mathcal{A}\) attacking the UP.
We first bound the probability of the event Forge that \(\mathcal{A}^\prime\) outputs a valid forgery with respect to the public key \(pk_i\) of some client \(M_i \in \mathcal{P}\) before making the query Corrupt(\(M_i\)).
Claim
Let Forge be the event that a signature of Dsig is forged by \(\mathcal{A}^\prime\); then
$$Prob[Forge] \le |\mathcal{P}|\, Adv_{Dsig}(t^{\prime}).$$
(1)
Proof
Using \(\mathcal{A}^\prime\), we build a signature forger \(\mathcal{F}\) against the Dsig scheme. \(\mathcal{F}\) is given a public key PK as input and access to a signing oracle for PK, and must output a valid forgery (m, σ), i.e. \(\gamma_{PK}(m, \sigma) = 1\) such that σ was not previously output by the signing oracle as a signature on m. \(\mathcal{F}\) chooses a client \(M_f \in \mathcal{P}\) at random and sets \(PK_f\) to PK. For the remaining members, \(\mathcal{F}\) honestly generates the key pairs (private key, public key) by executing the GKA protocol. In addition, \(\mathcal{F}\) carries out the steps necessary for initialising the UP. \(\mathcal{F}\) then runs \(\mathcal{A}^\prime\) as a subroutine; the queries of \(\mathcal{A}^\prime\) are simulated as follows:
- Execute(M) / Reveal\((\pi_i^s)\) / Dump\((\pi_i^s)\) / Test\((\pi_i^s)\): these queries are answered in the obvious manner.
- Send\((\pi_i^s, m)\): if i ≠ ƒ, all private keys of \(M_i\) are known to \(\mathcal{F}\), which answers the query by following the protocol. If i = ƒ, the signing key of \(M_f\) is unknown to \(\mathcal{F}\); however, \(\mathcal{F}\) can obtain any message signature it needs by querying the signing oracle for PK.
- Corrupt(\(M_i\)): if i ≠ ƒ, \(\mathcal{F}\) holds the long-term private keys of \(M_i\), having generated them itself. If \(\mathcal{A}^\prime\) corrupts \(M_i = M_f\), then \(\mathcal{F}\) terminates and returns "fail".
The simulation above is perfectly indistinguishable from a real execution unless the adversary \(\mathcal{A}^\prime\) makes the query Corrupt(\(M_f\)). Throughout the simulation, \(\mathcal{F}\) inspects each Send query of \(\mathcal{A}^\prime\) and checks whether it contains a valid pair (m, σ) under PK. If no such query is made before \(\mathcal{A}^\prime\) halts, \(\mathcal{F}\) terminates and returns "fail". Otherwise, \(\mathcal{F}\) outputs (m, σ) as its forgery with respect to PK. Lemma 3 follows directly from the fact that the second case occurs with probability Prob[Forge]/n.
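The probability bookkeeping behind this last step, carried through in the document's symbols (added here as an illustration; it is not part of the original proof): \(\mathcal{F}\) chooses \(M_f\) independently of the view of \(\mathcal{A}^\prime\), so if \(M_i\) denotes the client against whose key \(\mathcal{A}^\prime\) forges and n = \(|\mathcal{P}|\),

$$Adv_{Dsig}(t^{\prime}) \;\ge\; Prob[\mathcal{F} \text{ outputs a valid forgery}] \;=\; Prob[Forge \wedge M_f = M_i] \;=\; \frac{1}{n}\, Prob[Forge], \qquad\text{hence}\qquad Prob[Forge] \;\le\; n\, Adv_{Dsig}(t^{\prime}) \;=\; |\mathcal{P}|\, Adv_{Dsig}(t^{\prime}).$$

The abort on Corrupt(\(M_f\)) does not affect the count: when \(M_f = M_i\), the forgery is produced before Corrupt(\(M_i\)) is asked, so \(\mathcal{F}\) has not aborted at that point.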
We now describe the construction of the adversary \(\mathcal{A}\) attacking the UP, which uses \(\mathcal{A}^\prime\) attacking the AP. \(\mathcal{A}\) maintains a list tlist of pairs (session ids, transcripts). \(\mathcal{A}\) generates verification keys \(pk_M\) and signing keys \(sk_M\) for each client M ∈ P and gives the verification keys to \(\mathcal{A}^\prime.\) If the event Forge occurs, \(\mathcal{A}\) aborts and outputs a random bit. Otherwise, it outputs whatever bit \(\mathcal{A}^\prime\) outputs. \(\mathcal{A}\) can detect the occurrence of Forge because it knows \(sk_M\) and \(pk_M\). The oracle queries of \(\mathcal{A}^\prime\) are simulated by \(\mathcal{A}\) using its own queries to the Execute Oracle (EO). The idea is to obtain a transcript T of the UP for every Execute query of \(\mathcal{A}^\prime,\) and likewise for every initial Send query send0(M, I, *) of \(\mathcal{A}^\prime.\) \(\mathcal{A}\) then attaches valid signatures to the messages in T to obtain a transcript T′ of the AP and uses T′ to answer the queries of \(\mathcal{A}^\prime.\) Since by assumption \(\mathcal{A}^\prime\) cannot forge, \(\mathcal{A}^\prime\) is "forced" to send messages that are actually contained in T′. This gives a good simulation. The details are as follows:
Execute queries (EQs): suppose \(\mathcal{A}^\prime\) asks EQ\(((M_{i_1}, d_1), \ldots, (M_{i_k}, d_k))\), so that the instances \(\pi_{M_1}^{i_1}, \ldots, \pi_{M_k}^{i_k}\) are involved. \(\mathcal{A}\) defines \(S = \{(M_{i_1}, d_1), \ldots, (M_{i_k}, d_k)\}\) and sends the EQ to its EO, which outputs a transcript T by running the UP. \(\mathcal{A}\) appends (S, T) to tlist and then extends T for the UP into T′ for the AP. It gives T′ to \(\mathcal{A}^\prime.\)
Send queries (SQs): the first SQ, by which \(\mathcal{A}^\prime\) asks an instance to start a new session, is denoted send0. The adversary wants to use SQs to start a session among the not-yet-used instances \(\pi_{M_1}^{i_1}, \ldots, \pi_{M_k}^{i_k}\):
$$Send_{0} = \left( M_{i_j}, d_j, \langle M_{i_1} \ldots M_{i_k} \rangle - M_{i_j} \right), \quad 1 \le j \le k.$$
These queries need not arrive in any particular order. Once all of them have been processed, \(\mathcal{A}\) forms \(S = \{(M_{i_1}, d_1), \ldots, (M_{i_k}, d_k)\}\) and sends an EQ to its Execute oracle, which outputs T; \(\mathcal{A}\) adds (S, T) to tlist.
Assuming signatures cannot be forged, any subsequent SQ to an instance \(\pi_{M}^{i}\) is a properly formed message carrying a valid signature. For each such SQ, \(\mathcal{A}\) verifies the query as described in the authenticated NM-CHH-GKA protocol. If verification fails, \(\mathcal{A}\) sets \(acc_{M}^{i} = 0,\) \(sK_{M}^{i} = NULL\) and terminates \(\pi_{M}^{i}.\) Otherwise, \(\mathcal{A}\) performs the action that \(\pi_{M}^{i}\) would carry out in the AP, as follows:
- It finds the unique entry (S, T) in tlist with (M, i) ∈ S; by assumption such a unique entry exists for every instance. From T, \(\mathcal{A}\) finds the messages corresponding to the message sent by \(\mathcal{A}^\prime\) to \(\pi_{M}^{i}.\) From T, \(\mathcal{A}\) then obtains the next public information output by \(\pi_{M}^{i}\) and gives it to \(\mathcal{A}^\prime.\)
Reveal/Test queries (RQ/TQ): suppose \(\mathcal{A}^\prime\) asks RQ(M, i) or TQ(M, i) for an instance \(\pi_{M}^{i}\) with \({\text{acc}}_{M}^{i} = 1.\) The transcript T′ in which \(\pi_{M}^{i}\) took part has already been determined. \(\mathcal{A}\) first finds the unique entry (S, T) in tlist with (M, i) ∈ S. Assuming Forge does not occur, T is the unique unauthenticated transcript corresponding to T′. \(\mathcal{A}\) then asks the appropriate RQ or TQ to any instance involved in T and returns the answer to \(\mathcal{A}^\prime\); this answer is correct. When Forge occurs, the adversary \(\mathcal{A}\) terminates and outputs a random bit.
$$Prob_{\mathcal{A}^{\prime},AP}[Succ \mid Forge] = 1/2.$$
Now,
$$\begin{aligned} Adv_{\mathcal{A},UP} & = 2\left| Prob_{\mathcal{A},UP}[Succ] - 1/2 \right| \\ & = 2\left| Prob_{\mathcal{A}^{\prime},AP}[Succ \wedge \overline{Forge}] + Prob_{\mathcal{A}^{\prime},AP}[Succ \wedge Forge] - 1/2 \right| \\ & = 2\left| Prob_{\mathcal{A}^{\prime},AP}[Succ \wedge \overline{Forge}] + Prob_{\mathcal{A}^{\prime},AP}[Succ \mid Forge]\, Prob_{\mathcal{A}^{\prime},AP}[Forge] - 1/2 \right| \\ & = 2\left| Prob_{\mathcal{A}^{\prime},AP}[Succ \wedge \overline{Forge}] + \tfrac{1}{2}\, Prob_{\mathcal{A}^{\prime},AP}[Forge] - 1/2 \right| \\ & = 2\left| Prob_{\mathcal{A}^{\prime},AP}[Succ] - Prob_{\mathcal{A}^{\prime},AP}[Succ \wedge Forge] + \tfrac{1}{2}\, Prob_{\mathcal{A}^{\prime},AP}[Forge] - 1/2 \right| \\ & \ge \left| 2\, Prob_{\mathcal{A}^{\prime},AP}[Succ] - 1 \right| - \left| Prob_{\mathcal{A}^{\prime},AP}[Forge] - 2\, Prob_{\mathcal{A}^{\prime},AP}[Succ \wedge Forge] \right| \\ & \ge Adv_{\mathcal{A}^{\prime},AP} - Prob[Forge]. \end{aligned}$$
$$Adv_{NM - ACHH}^{AKA} \le Adv_{NM - CHH}^{KA}\left( t^{\prime}, q_{E} + q_{S}/2 \right) + Prob[Forge]$$
(2)
\(\mathcal{A}\) asks an EQ for each EQ of \(\mathcal{A}^\prime.\) It also asks an EQ for every session started by \(\mathcal{A}^\prime\) through SQs. Because a session consists of at least two instances, such an EQ is made only after at least two SQs of \(\mathcal{A}^\prime.\) The maximum number of such queries is \(q_S/2\), where \(q_S\) is the number of SQs posed by \(\mathcal{A}^\prime.\) Hence the maximum number of EQs made by \(\mathcal{A}\) is \(q_E + q_S/2\), where \(q_E\) is the number of EQs made by \(\mathcal{A}^\prime.\)
We already have \(Adv_{NM - ACHH}^{AKA} \left( {t,\;q_{E} , q_{S} } \right) \le Adv_{NM - CHH}^{KA} \left( {t^{\prime},\;q_{E} + \frac{{q_{S} }}{2}} \right)\) by assumption; from (1) and (2) we get
$$Adv_{NM - ACHH}^{AKA} \left( {t,q_{E} , q_{S} } \right) \le Adv_{NM - CHH}^{KA} \left( {t^{\prime},q_{E} + \frac{{q_{S} }}{2}} \right) + \left| {\mathcal{P}} \right|Adv_{Dsig}$$
This yields the statement of the theorem. □
We now present the security of the dynamic authenticated protocol (DAP), NM-DACHH. Assuming that DSig is secure, we can convert any adversary attacking the protocol DAP into an adversary attacking the protocol UP. We ignore Corrupt queries, since our protocol DAP does not use any long-term secret keys; consequently the protocol DAP clearly achieves forward secrecy.
Theorem 4.4
The dynamic authenticated CHH scheme (NM-DACHH) depicted in the "Proposed protocol" section satisfies the following:
$$Adv_{NM - DACHH}^{AKA} \left( {t, q_{E}, q_{J}, q_{L}, q_{S} } \right) \le Adv_{NM - CHH}^{KA} \left( {t^{\prime}, q_{E} + \frac{{\left( {q_{J} + q_{L} + q_{S} } \right)}}{2}} \right) + \left| {\mathcal{P}} \right| Adv_{Dsig} \left( {t^{\prime}} \right),$$
where \(t^{\prime} = t + (|\mathcal{P}|\, q_E + q_J + q_L + q_S)\, t_{DACHH},\) \(t_{DACHH}\) is the time needed to carry out DACHH by each party, and \(q_E, q_S, q_J, q_L\) are respectively the maximum number of Execute, Send, Join and Leave queries an adversary may pose.
Proof
Let \(\mathcal{A}^\prime\) be an adversary attacking the DAP. From it we build an adversary \(\mathcal{A}\) attacking the UP. As in the preceding proof, we have the following claim.
Claim
Let Forge be the event that \(\mathcal{A}^\prime\) forges a signature; then
$${\text{Prob}}\left[ {\text{Forge}} \right] \le \left| \mathcal{P} \right| Adv_{DSig}(t^{\prime}).$$
We now present the construction of the passive adversary \(\mathcal{A}\) attacking the UP that uses the adversary \(\mathcal{A}^\prime\) attacking the DAP. \(\mathcal{A}\) can run the UP many times, among any subset of Ƥ, and can obtain the session key of a protocol run by issuing an RQ to any instance involved in that session. We show that \(\mathcal{A}\) can simulate the Leave and Join queries of \(\mathcal{A}^\prime\) using its own Reveal Oracles (ROs) and EOs. \(\mathcal{A}\) maintains a list Tlist of pairs of session ids and transcripts. It also uses two further lists, Llist and Jlist, described below.
Adversary \(\mathcal{A}\) generates a signing/verification key pair \((pk_U, sk_U)\) for every client U ∈ Ƥ and gives the verification keys to \(\mathcal{A}^\prime.\) If the event Forge happens, \(\mathcal{A}\) aborts and outputs a random bit. Otherwise, \(\mathcal{A}\) outputs whatever bit \(\mathcal{A}^\prime\) eventually outputs. Since it knows the signing and verification keys, it can detect the occurrence of Forge. \(\mathcal{A}\) simulates the oracle queries of \(\mathcal{A}^\prime\) using its own queries to the ROs and EOs. The details are given below.
EQs: these queries are simulated as in the proof of Theorem 4.2.
SQs: apart from the regular SQ, there are two special send queries, SendJ and SendL.
Suppose a set \(S_1 = \{(M_{i_{k+1}}, d_{k+1}), \ldots, (M_{i_{k+l}}, d_{k+l})\}\) of instances wants to join the group \(S = \{(M_{i_1}, d_1), \ldots, (M_{i_k}, d_k)\}\); then \(\mathcal{A}^\prime\) issues a SendJ\((M_{i_j}, d_j, \langle M_{i_1}, \ldots, M_{i_k} \rangle)\) query for every j, k + 1 ≤ j ≤ k + l. These queries initiate a Join(S, S1) query. The instances in S may previously have executed (a) the UP, (b) the Leave protocol or (c) the Join protocol. Accordingly, \(\mathcal{A}\) first looks for a unique entry of one of the following forms: (1) (S, T) in Tlist, (2) (S′, S″, T) in Jlist with S = S′ ∪ S″, or (3) (S′, S″, T) in Llist with S = S′\S″. If there is no such entry, it makes an EQ to its own EO on S, obtains a transcript T and stores (S, T) in Tlist.
When (S, T) ∈ Tlist, \(\mathcal{A}\) issues an RQ to an instance in S to obtain the session key sk corresponding to T, computes the seed x = H(sk) and simulates the computation for Join by querying its EO (making the appropriate modifications). It then attaches a signature to every message, obtains T′ and stores (S, S1, T′) in Jlist. In this way it simulates the transcript T′ of Join using its own RO and EO. In the remaining cases (2) and (3), it generates T itself, and so \(\mathcal{A}\) can simulate the transcript T′ of Join from T.
Similarly, when a set of instances \(S_2 = \{(M_{l_1}, d_{l_1}), \ldots, (M_{l_m}, d_{l_m})\}\) wants to leave \(S = \{(M_{i_1}, d_1), \ldots, (M_{i_k}, d_k)\}\), \(\mathcal{A}^\prime\) issues a SendL\((M_{i_j}, d_j, (M_{i_1}, \ldots, M_{i_k}))\) query for every j ∈ {l1, …, lm}. These queries initiate a Leave(S, S2) query. As for Join, \(\mathcal{A}\) first looks for an entry (S, T) in Tlist, an entry (S′, S″, T) in Jlist with S = S′ ∪ S″, or an entry (S′, S″, T) in Llist with S = S′\S″. If no such entry exists, \(\mathcal{A}\) makes a query to its own EO on S, obtains T and adds (S, T) to Tlist.
\(\mathcal{A}\) simulates the Leave protocol by itself and obtains a modified T′ from T as follows: \(\mathcal{A}\) identifies the positions in T where new messages are to be inserted or old messages replaced by new ones. \(\mathcal{A}\) makes these modifications to T according to the Leave protocol depicted in Fig. 5 and obtains the modified T′ by attaching an appropriate signature to each message. In this way \(\mathcal{A}\) extends T into a transcript T′ for the Leave protocol, and stores (S, S2, T′) in Llist.
\({\text{Send}}_{0}\) queries are answered as in Theorem 4.3. The regular Send queries are processed as in Theorem 4.3 with the following changes.
Suppose \(\mathcal{A}^\prime\) makes an SQ to the instance \(\Pi_{M}^{i}\). After the appropriate verification, \(\mathcal{A}\) looks for an entry (S, T) ∈ Tlist such that (M, i) ∈ S. The reply to this query is as in Theorem 4.3. If no such entry is found, it looks for a unique entry (S, S1, T′) in Jlist such that (M, i) ∈ S1. This means that the session for Join has already been started. It then obtains from T′ the next public information to be output by \(\Pi_{M}^{i}\) (given that all the necessary data has been received by \(\Pi_{M}^{i}\) via SQs from \(\mathcal{A}^\prime\)) and forwards it to \(\mathcal{A}^\prime.\) If it finds a unique entry (S, S2, T′) in Llist such that (M, i) ∈ S2, then, as above, the appropriate reply to the query is taken from T′.
Join queries (JQs): suppose \(\mathcal{A}^\prime\) sends a JQ(S, S1) where \(S = \{(M_{i_1}, d_1), \ldots, (M_{i_k}, d_k)\}\) and \(S_1 = \{(M_{i_{k+1}}, d_{k+1}), \ldots, (M_{i_{k+l}}, d_{k+l})\}\). The instances \(\Pi_{M_{i_{k+1}}}^{d_{k+1}}, \ldots, \Pi_{M_{i_{k+l}}}^{d_{k+l}}\) want to join the group \(\Pi_{M_{i_1}}^{d_1}, \ldots, \Pi_{M_{i_k}}^{d_k}.\) \(\mathcal{A}\) looks for an entry of the form (S, S1, T′) in Jlist. If there is no such entry, \(\mathcal{A}^\prime\) is given no output. Otherwise, \(\mathcal{A}\) returns T′ to \(\mathcal{A}^\prime.\)
Leave queries (LQs): suppose \(\mathcal{A}^\prime\) sends an LQ(S, S2) where \(S = \{(M_{i_1}, d_1), \ldots, (M_{i_k}, d_k)\}\) and \(S_2 = \{(M_{l_1}, d_{l_1}), \ldots, (M_{l_m}, d_{l_m})\}\) with \((M_{l_j}, d_{l_j}) \in S\) for 1 ≤ j ≤ m. The instances \(\Pi_{M_{l_1}}^{d_{l_1}}, \ldots, \Pi_{M_{l_m}}^{d_{l_m}}\) want to leave the group \(\Pi_{M_{i_1}}^{d_1}, \ldots, \Pi_{M_{i_k}}^{d_k}\), where \(M_{l_j} \in \{M_{i_1}, \ldots, M_{i_k}\}\) for 1 ≤ j ≤ m. \(\mathcal{A}\) looks for an entry of the form (S, S2, T′) in Llist. If there is no such entry, \(\mathcal{A}^\prime\) is given no output. Otherwise, \(\mathcal{A}\) returns T′ to \(\mathcal{A}^\prime.\)
Reveal/Test (R/T) queries: suppose \(\mathcal{A}^\prime\) sends RQ(M, i) or TQ(M, i) for an instance \(\Pi_{M}^{i}\) with \(acc_{M}^{i} = 1.\) The transcript T′ in which \(\Pi_{M}^{i}\) took part has already been determined. If T′ corresponds to a transcript of the AP, then \(\mathcal{A}\) finds the unique pair (S, T) in Tlist such that (M, i) ∈ S. Assuming the event Forge does not occur, T is the unique unauthenticated transcript corresponding to T′. \(\mathcal{A}\) then sends the appropriate RQ or TQ to one of the instances involved in T and returns the result to \(\mathcal{A}^\prime.\) Otherwise, T′ is the transcript of a Join or a Leave, as the case may be. Because T′ was simulated by \(\mathcal{A}\), \(\mathcal{A}\) is able to compute the updated session key and hence to send the appropriate reply to \(\mathcal{A}^\prime.\)
Provided Forge does not occur, the above simulation for \(\mathcal{A}^\prime\) is perfect. When Forge occurs, the adversary \(\mathcal{A}\) terminates and outputs a random bit.
So \(Prob_{\mathcal{A}^{\prime},DAP}[Succ \mid Forge] = \frac{1}{2}.\) From this, one can prove
$$Adv_{\mathcal{A},UP} \ge Adv_{\mathcal{A}^{\prime},DAP} - Prob\left[ {Forge} \right].$$
The adversary \(\mathcal{A}\) sends an EQ for every EQ of \(\mathcal{A}^\prime\). \(\mathcal{A}^\prime\) poses \(q_J\) JQs and \(q_L\) LQs, which are initiated respectively by the SendJ and SendL queries of \(\mathcal{A}^\prime\). Every SendJ and SendL query of \(\mathcal{A}^\prime\) causes at most one EQ of \(\mathcal{A}\). Consequently, at most \(q_J + q_L\) EQs are posed by \(\mathcal{A}\) to answer all SendJ and SendL queries of \(\mathcal{A}^\prime\). Also, \(\mathcal{A}\) poses an EQ for every session started by \(\mathcal{A}^\prime\) by means of SQs. Because a session involves at least two instances, such an EQ is made only after at least two SQs of \(\mathcal{A}^\prime\). Consequently \(\mathcal{A}\) makes at most \((q_S - q_J - q_L)/2\) EQs to answer all other SQs of \(\mathcal{A}^\prime,\) where \(q_S\) is the number of SQs made by \(\mathcal{A}^\prime.\) The total number of EQs posed by \(\mathcal{A}\) is therefore at most \(q_E + q_J + q_L + (q_S - q_J - q_L)/2 = q_E + (q_J + q_L + q_S)/2\), where \(q_E\) is the number of EQs posed by \(\mathcal{A}^\prime.\) Furthermore, since \(Adv_{\mathcal{A},UP} \left( {t^{\prime},\;q_{E} ,\;q_{J} ,\;q_{L} ,\;q_{S} } \right) \le Adv_{UP}^{KA} \left( {t^{\prime},\;q_{E} + q_{J}/2 + q_{L}/2 + q_{S}/2 } \right)\) by assumption, we obtain:
$$Adv_{DAP}^{AKA} ( t,\;q_{E} ,\;q_{J} ,\;q_{L} ,\;q_{S} ) \le Adv_{UP}^{KA} (t^{\prime},\;q_{E} + (q_{J} + q_{L} + q_{S} )/2) + {\text{Prob}}\left[ {\text{Forge}} \right].$$
Substituting the bound on Prob[Forge] from the claim above,
$$Adv_{NM - DACHH}^{AKA} \le Adv_{NM - CHH}^{KA} (t^{\prime},\;q_{E} + (q_{J} + q_{L} + q_{S} )/2) + \left| \mathcal{P} \right| Adv_{DSig} \left( {t^{\prime}} \right).$$
This implies the statement of the theorem. □