
In this section, we recall the security model of Bellare, Pointcheval, and Rogaway (the FTG model) [10], which is used formally in three parts, as follows.

(1) Define the Characteristics of Participating Entities

PROTOCOL PARTICIPANTS. We denote by C and S two parties that can participate in the key exchange protocol P. A party may have several instances, called oracles, involved in distinct concurrent executions of P. We denote by Ui the instance i of a participant U, which is either a client or a server.

LONG-LIVED KEYS. Each client C holds a low-entropy password pwC. Each server S holds a value pwS[C], called the derived password. Schemes where pwS[C] = pwC are called symmetric; in general, pwS[C] may differ from pwC, e.g. S employs a hash function G and stores pwC as G(pwC). We call pwC and pwS[C] the long-lived keys and assume that the password is drawn from the dictionary Dict according to the distribution D. D(q) denotes the probability of being in the most probable set of q passwords, defined as follows:

$$\mathcal{D}_{pw}(q) = \max_{\rho \subseteq \mathrm{Dict}} \Pr_{pw \in \mathcal{D}_{pw}}\bigl[\, pw \in \rho \;\big|\; \#\rho \le q \,\bigr].$$

Note that if we denote by U_N the uniform distribution among N passwords, then U_N(q) = q/N.
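As an added illustration (not code from the paper or the model's authors), the following Python computes D(q) for a concrete distribution: the maximum over subsets of at most q passwords is attained by taking the q heaviest entries, so D(q) is simply the probability mass of the q most probable passwords. The sample password list is constructed for the example and stands in for a leaked list an operator might measure; the function and variable names are our own.

```python
from collections import Counter
from typing import Dict, Iterable


def most_probable_mass(dist: Dict[str, float], q: int) -> float:
    """D(q): total probability of the q most probable passwords under dist.

    dist maps each password of the dictionary Dict to its probability under D.
    Summing the q heaviest entries is exactly the maximum, over subsets rho of
    Dict with #rho <= q, of Pr[pw in rho].
    """
    if q <= 0:
        return 0.0
    heaviest = sorted(dist.values(), reverse=True)[:q]
    return sum(heaviest)


def uniform(n: int) -> Dict[str, float]:
    """U_N: the uniform distribution over N constructed passwords."""
    return {f"pw{i}": 1.0 / n for i in range(n)}


def empirical(samples: Iterable[str]) -> Dict[str, float]:
    """Distribution estimated from observed password choices (e.g. a breach list)."""
    counts = Counter(samples)
    total = sum(counts.values())
    return {pw: k / total for pw, k in counts.items()}


def queries_for_mass(dist: Dict[str, float], target: float) -> int:
    """Smallest q with D(q) >= target: how many guesses cover that share of users."""
    running, q = 0.0, 0
    for p in sorted(dist.values(), reverse=True):
        running += p
        q += 1
        if running >= target - 1e-12:
            return q
    return q


# Constructed sample of 100 password choices (not real data): heavily skewed,
# as real password populations are.
SAMPLE = (["123456"] * 40 + ["password"] * 25 + ["qwerty"] * 15
          + [f"unique{i}" for i in range(20)])
SKEWED = empirical(SAMPLE)

if __name__ == "__main__":
    print(most_probable_mass(uniform(1000), 10))   # uniform: q/N = 0.01
    print(most_probable_mass(SKEWED, 3))           # skewed: 0.80 with only 3 guesses
    print(queries_for_mass(SKEWED, 0.5))           # 2 guesses already cover half the users
```

Read together with the remark on the Send-query count qs later in this section, D(qs) is the probability that an adversary who built qs flows itself has hit the password; the gap between the uniform and skewed figures above is why the model measures security against the actual distribution D rather than against dictionary size alone.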

SESSION IDENTITY AND PARTNER IDENTITY. The session identity SID is used to uniquely name the ensuing session. SID(Ui) is the concatenation of all flows with the oracle Ui. PID(Ui) = U denotes that Ui is communicating with another participant U. Both SID and PID are publicly available.

ACCEPTING AND TERMINATING. There are two states, ACC(Ui) and TERM(Ui), for an oracle Ui. ACC(Ui) = true denotes that Ui has enough information to compute a session key SK. An oracle may accept at any time. As soon as Ui has accepted, SK(Ui), SID(Ui) and PID(Ui) are defined.

When an oracle sends or receives the last message of the protocol, receives an invalid message, or misses an expected message, TERM(Ui) is set to true. Once Ui has terminated, it sends no further messages.

(2) Define an Adversary’s Capabilities

The adversary A has an endless supply of oracles and models various queries to them. Each query models a capability of the adversary, corresponding to a security property such as forward secrecy, known-key security, etc. The six queries and their responses are listed below.

Send(Ui, m): This query models A sending a message m to Ui. A gets back the response that Ui would have generated in processing message m, and Ui updates its SID, PID, and state. A query of the form Send(Ui, start) initiates an execution of the protocol.

Execute(Ci, Sj): This query models A obtaining an honest execution of the protocol between two oracles Ci and Sj, i.e. the transcript of a run in which A only eavesdrops.

Reveal(Ui): This query models A obtaining the session key SK, which Ui returns unconditionally. The query deals with known-key security. The Reveal query is only available if ACC(Ui) = true.

Corrupt(U): This query models A obtaining the long-lived key pw, which U returns unconditionally. The query deals with forward secrecy. As in [10], we assume the weak corruption model, in which the internal states of the instances of that user are not returned to A.

Hash(q): In the ideal hash model, A obtains hash values by querying a random oracle. On receiving this query, the random oracle checks whether q has been queried before. If so, it returns the previously generated result to A; otherwise it generates a random number r, sends it to A, and stores (q, r) in the hash list ΛH, which records all previous Hash queries.

Test(Ui): This query models the semantic security of the session key SK (the indistinguishability between the real session key and a random string). During an execution of the protocol, A can make any of the above queries and, at some point, asks a Test query. Then Ui flips a coin b and returns SK if b = 1, or a random string of length |SK| if b = 0.

The query is only available if Ui is fresh. A outputs a bit b' and wins the

The Execute query may at first seem useless, since A can already carry out an honest execution among oracles. Yet the query is essential for properly dealing with password guessing attacks. The number qs of Send queries directly asked by the adversary does not include the number of Execute queries. Therefore qs represents the number of flows the adversary has built by itself, and hence the number of passwords it can have tried online.

(3) Definitions of Security

FRESHNESS. An oracle Ui is identified as fresh (or holds a fresh SK) if the following three conditions are satisfied: (1) Ui has been accepted; (2) no oracle has been asked a Corrupt query before Ui accepted; and (3) neither Ui nor its partner has been asked a Reveal query.

PARTNERING. We say two oracles Ci and Sj are partnered if the following conditions are satisfied: (1) Ci and Sj have been accepted; (2) SK(Ci) = SK(Sj); (3) SID(Ci) ∩ SID(Sj) = 0; (4) PID(Ci) = S and PID(Sj) = C; and (5) no other oracle accepts SK = SK(Ci) = SK(Sj).
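The following Python is an added example, not code from the paper or the model's authors: it keeps the bookkeeping the freshness and partnering definitions above rely on (ACC, TERM, SID as the concatenation of flows, PID, the ordering of Corrupt queries relative to acceptance, and which oracles have answered Reveal) and evaluates both predicates on a run. The two-flow "protocol" inside execute() is a constructed toy whose session key is a hash of the password and the transcript; it only exists so that Execute has something to run. For condition (3) of partnering the code assumes the common reading that partners hold the same non-empty SID; class and function names are our own.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Oracle:
    """Instance U_i of participant U (client or server) with the model's state."""
    user: str
    index: int
    pid: str                                        # PID(U_i): intended partner
    flows: List[str] = field(default_factory=list)  # SID(U_i) is their concatenation
    acc: bool = False                               # ACC(U_i)
    term: bool = False                              # TERM(U_i)
    sk: Optional[str] = None                        # SK(U_i), defined once accepted
    accepted_at: Optional[int] = None               # game clock at acceptance
    revealed: bool = False                          # has answered a Reveal query

    @property
    def sid(self) -> str:
        return "||".join(self.flows)


class Game:
    """Bookkeeping for the adversary's queries plus the freshness/partnering predicates."""

    def __init__(self) -> None:
        self.oracles: Dict[Tuple[str, int], Oracle] = {}
        self.clock = 0
        self.corrupt_times: List[int] = []

    def new_oracle(self, user: str, index: int, pid: str) -> Oracle:
        o = Oracle(user, index, pid)
        self.oracles[(user, index)] = o
        return o

    def send(self, o: Oracle, msg: str, reply: Optional[str] = None,
             accept_sk: Optional[str] = None, last: bool = False) -> Optional[str]:
        """Send(U_i, m): deliver m, record the flows, update ACC/TERM; 'start' opens a run."""
        self.clock += 1
        if o.term:
            return None                     # a terminated oracle sends nothing
        if msg != "start":
            o.flows.append(msg)
        if reply is not None:
            o.flows.append(reply)
        if accept_sk is not None and not o.acc:
            o.acc, o.sk, o.accepted_at = True, accept_sk, self.clock
        if last:
            o.term = True
        return reply

    def reveal(self, o: Oracle) -> str:
        """Reveal(U_i): only available once ACC(U_i) = true."""
        if not o.acc:
            raise ValueError("Reveal is only available once ACC(U_i) = true")
        o.revealed = True
        return o.sk

    def corrupt(self, user: str) -> None:
        """Corrupt(U), weak corruption model: only the moment of corruption matters here."""
        self.clock += 1
        self.corrupt_times.append(self.clock)

    def partner(self, o: Oracle) -> Optional[Oracle]:
        """Conditions (1)-(5) of partnering; (3) read as equal non-empty SIDs (assumption)."""
        for p in self.oracles.values():
            if p is o or not (o.acc and p.acc) or o.sk != p.sk:
                continue
            if not o.sid or o.sid != p.sid:
                continue
            if not (o.pid == p.user and p.pid == o.user):
                continue
            third = [x for x in self.oracles.values()
                     if x is not o and x is not p and x.acc and x.sk == o.sk]
            if third:
                continue
            return p
        return None

    def fresh(self, o: Oracle) -> bool:
        """Conditions (1)-(3) of freshness."""
        if not o.acc:
            return False
        if any(t < o.accepted_at for t in self.corrupt_times):
            return False
        p = self.partner(o)
        return not o.revealed and not (p is not None and p.revealed)


def execute(game: Game, c: Oracle, s: Oracle, pw: str) -> str:
    """Execute(C_i, S_j): honest run of a constructed two-flow toy exchange."""
    m1 = f"{c.user}:hello"
    m2 = f"{s.user}:hello"
    sk = hashlib.sha256(f"{pw}||{m1}||{m2}".encode()).hexdigest()  # toy key, not a real PAKE
    game.send(c, "start", reply=m1)
    game.send(s, m1, reply=m2, accept_sk=sk, last=True)
    game.send(c, m2, accept_sk=sk, last=True)
    return sk
```

Running a session and then issuing Corrupt shows the forward-secrecy side of condition (2): a key accepted before the corruption stays fresh, while a session run after Corrupt is never fresh and so can never be the target of a Test query.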

AKE SEMANTIC SECURITY. AKE refers to Authenticated Key Exchange.

Consider an execution of the protocol P by the adversary A, in which the latter is given access to the Execute, Send, and Test oracles and asks at most one Test query to a fresh instance Ui. Let b' be its output. Such an adversary is said to win the experiment defining semantic security if b' = b, where b is the hidden bit used by the Test query. Let Succ denote the event that the adversary wins this game.

The advantage of A in violating the AKE semantic security of the protocol P, and the advantage function of the protocol P, when passwords are drawn from a dictionary Dict, are defined, respectively, as follows:

$$\mathrm{Adv}^{\mathrm{ake}}_{P,\mathrm{Dict}}(A) = 2 \cdot \Pr[\mathrm{Succ}] - 1,$$

where the maximum is over all A with time-complexity at most t and using resources at most R (such as the number of oracle queries). The definition of time-complexity is the usual one, which includes the maximum of all execution times in the experiments defining the security plus the code size [2].

The probability rescaling makes the advantage of an adversary that simply guesses the bit b equal to 0.

MUTUAL AUTHENTICATION. A protocol is said to achieve mutual authentication if each party can be assured that it has established a session key with the player it intended to. The above property of AKE semantic security means that only legitimate participants can obtain the secret session key, and an adversary cannot learn any information about the key. This is also known as implicit authentication. In the context of password-based schemes, authentication between the players is often done through authenticators. An authenticator can only be computed with knowledge of the secret password.

We denote by $\mathrm{Succ}^{\mathrm{auth}\text{-}S}_{P,\mathrm{Dict}}(A)$ the success probability of an adversary A trying to impersonate the server in the protocol P. This is the probability with which a client instance accepts without having a server partner. Similarly, $\mathrm{Succ}^{\mathrm{auth}\text{-}C}_{P,\mathrm{Dict}}(A)$ denotes the success probability of an adversary A trying to impersonate the client in the protocol P. We denote the probability of violating mutual authentication by $\mathrm{Succ}^{\mathrm{MA}}_{P,\mathrm{Dict}}(A)$. It is trivial that

We say the protocol P is MA-secure if $\mathrm{Succ}^{\mathrm{MA}}_{P,\mathrm{Dict}}(A)$ is negligible.

5.4 Attacks on Some Password Authenticated Key
