Previously:
The signed DDH protocol as described in [G] features two roles, P and S. Each role is associated to a secret key (skP and skS).
We consider multiple sessions but two agents only (one agent for the role P and one agent for the role S) and show the strong secrecy of the shared key.
signed-ddh-P.sp, we show that the key gab as computed by P is indistinguishable from g^k with k fresh (system secretP).signed-ddh-S.sp, we show that the key gab as computed by S is indistinguishable from g^k with k fresh (system secretS).[G] ISO/IEC 9798-3:2019, IT Security techniques – Entity authentication – Part 3: Mechanisms using digital signature techniques.
We first declare some public constants, the secret keys for roles P and S, the channels used by these two roles.
name a : index -> messageNames a and b represent the random numbers used by roles P and S. They are indexed so that each new session uses a new random name.
The name k represents the random number used in the strong secrecy property. It has 2 as index arity to model the fact that each interaction between session i of role P and session j of role S uses a new random name.
We declare a DDH context, using g for the generator element and ^ for the power operator.
We also declare a signature scheme by specifying 3 function symbols.
process Pchall(i:index) =In the system secretP, we add an output at the end of the role of P. This output is actually a bi-term:
g^k(i,j) where k(i,j) is fresh.The goal will be to prove that these two sides are indistinguishable.
The try find construct is needed to retrieve the index j, but this else branch should never be reachable. We thus output a bi-term with distinct public constants so that the equivalence for the strong secrecy could not hold if this else branch is reached.
In the proof of strong secrecy for the system secretP, we will use the following property, stating that whenever P accepts a message from S, this message is of the form <<_,x>,_> where x = g^b(j).
The high-level idea of the proof is to use the EUF cryptographic axiom: only S can forge a correct signature that will be accepted by P since the secret key is not known by the attacker.
intro Hap Hcond. [> Line 118: (intro Hap Hcond)We start by introducing the hypotheses and expanding the macros.
We then rewrite Meq using the message equality Meq0.
euf Meq. [> Line 127: (euf Meq)We are now able to apply the euf tactic, which will search for occurences of signatures with skS: the only possibility is the output of an action S(j).
The conclusion is now trivial from the Meq1 and D1 hypotheses.
We now show the strong secrecy of the shared key for the system secretP, expressed by the logic formula forall t:timestamp, frame@t where frame@t is actually a bi-frame. We will prove that the left projection of frame@t (i.e. where the shared key g^a^b is outputted) is indistinguishable from the right projection of frame@t (i.e. where g^k is outputted).
The proof is done by induction, after having enriched the frame with some additional (bi-)terms. Intuitively, the idea of enriching the frame is to simplify the cases that are contexts built using applications of public function symbols and terms added in the enriched frame. It then remains to prove:
diff(ok,ko), i.e. prove that this output is never reached using the previous P_charac property.We start by enriching the frame.
induction t; try (by expandall; apply IH). [> Line 166: ((induction t);(try by (expandall;(apply ... ))))We now apply the induction tactic, which generates several cases, one for each possible value that can be taken by the timestamp t.
For most cases, applying the induction hypothesis IH allows to conclude because frame@t can be built from frame@pred(t) and elements added to the frame by the tactic enrich.
Case where t = init. We use here the DDH assumption.
Case where t = Pchall3(i). We will show that this case is not possible, by showing that the formula exec@pred(Pchall3(i)) && cond@Pchall3(i) is equivalent to False, relying on the previous property P_charac.
It now remains to simplify if false then diff(ok,ko).