MTSF—Market-Theoretic Security Framework: A Unified Paradigm for the Art of Proving and Disproving Security

1. Introduction

Every digital system we trust—from the padlock in a browser to a hospital’s encrypted records, from a signed software update to a government identity card—rests on a hidden mathematical foundation: cryptographic security proofs. These proofs are the silent guardians of modern civilisation’s digital infrastructure, ensuring that encryption remains unbreakable, signatures remain unforgeable, and protocols remain resilient, no matter how powerful or resourceful the adversary. Yet despite their central role, today’s security proofs are fragmented across four disconnected languages that specialists in one paradigm often cannot easily interpret in another: game-based sequences of experiments, Universal Composability (UC) ideal-world simulations, formal symbolic verification tools such as ProVerif and Tamarin, and ad hoc insecurity demonstrations for flawed constructions. A cryptographer proving TLS secure employs different notation, definitions, and reasoning from one proving a post-quantum signature secure—even though both ultimately address the same fundamental question: can an efficient adversary succeed? The Market-Theoretic Security Framework (MTSF) introduced in this article answers this question through a single unifying perspective grounded in economics: every security proof is an auction, every adversary is a buyer, every security property is a tradable good, and security holds precisely when no buyer can afford to win. This article develops MTSF rigorously, proves its equivalence to all four paradigms, and demonstrates its expressive power across eighteen case studies spanning primitives, protocols, and quantum-aware security models.

1.1. The Problem: Fragmented Security Paradigms

Cryptographic security analysis is conducted through four largely disconnected paradigms, each with distinct strengths and limitations that prevent any single approach from being fully satisfactory.

Problem 1: Game-based proofs are isolated and single-failure.

Game-based proofs [1,2] bound the adversary’s advantage through a sequence of game hops ${\mathbf{B}}_0,{\mathbf{B}}_1,\dots ,{\mathbf{B}}_q$. The classical difference lemma [1] bounds each hop by a single failure event F:

$$|Pr\left[{\mathbf{B}}_k=1\right]-Pr\left[{\mathbf{B}}_{k+1}=1\right]|\le Pr\left[F\right].$$

In practice, however, many proof steps involve multiple simultaneous failures. For example, in a digital signature proof, a single game hop may need to eliminate nonce collisions, hash collisions, and public-key recovery failures all at once. The classical lemma forces practitioners to split such hops into multiple games, inflating proofs and loosening bounds unnecessarily. Furthermore, game-based proofs are isolated: each theorem is a standalone argument with no built-in mechanism for combining security guarantees when protocols are composed.

Figure 3. Feature comparison: game-based proofs, UC/GUC, formal verification, and MTSF. Green = full support; yellow = partial support; red = not supported. MTSF is the only framework achieving all eight capabilities.

Figure 3. Feature comparison: game-based proofs, UC/GUC, formal verification, and MTSF. Green = full support; yellow = partial support; red = not supported. MTSF is the only framework achieving all eight capabilities.

Problem 2: UC/GUC provide composition but lack concrete bounds.

The UC framework [3] guarantees that a secure protocol remains secure when composed with arbitrary other protocols running concurrently—the gold standard for real-world deployability. However, UC proofs do not produce numerical advantage bounds. A UC proof says “the protocol is secure” but not “the adversary’s advantage is at most $ϵ$”. The GUC framework [4] with CNF session checking [5] adds session correctness verification but still lacks the quantitative output needed for concrete parameter selection.

Problem 3: Formal verification tools lack quantitative output and human interpretability.

ProVerif [6] and Tamarin [7] check whether a protocol is secure symbolically and for unbounded sessions, but produce a binary pass/fail output with no numerical bounds. CryptoVerif [8] closes this gap partially with machine-checked game-based proofs, but requires significant manual guidance and does not natively support the UC/GUC framework. More importantly, none of these tools produce human-readable arguments that practitioners can understand, audit, and reason about without specialist training.

Problem 4: No unified insecurity analysis.

When a primitive is insecure (e.g., textbook RSA has a free homomorphism attack) or a protocol is insecure (e.g., Needham–Schroeder [9] is vulnerable to Lowe’s MITM [10]), this is demonstrated ad hoc using bespoke arguments. There is no common framework that handles both security proofs and insecurity demonstrations with the same language and tools. This asymmetry means that protocol designers cannot use the same methodology to “test” their protocol against known attack classes before submitting a full proof.

Problem 5: Protocol-level security goods lack a unified market formulation.

Existing game-based frameworks treat entity authentication, mutual authentication, session-key secrecy, and session correctness as separate definitions with separate games and separate proofs. There is no unified treatment embedding all four as simultaneous market goods offered by a single seller, with the adversary bidding against all of them in parallel. This separation makes it hard to see which property fails first under a given attack and how the failures interact.

1.1.0.6. Problem 6: No framework addresses the QROM, unbounded sessions, and CNF correctness simultaneously.

Post-quantum security requires proofs in the Quantum Random Oracle Model (QROM), where adversaries can query hash functions in superposition. Classical ROM proofs fail in this setting. Simultaneously, real deployments run for unbounded numbers of sessions (not the polynomial bound assumed by game-based proofs). And CNF session correctness must be verified across all sessions. No existing framework addresses all three requirements—QROM, unbounded, and CNF—within a single proof methodology.

Figure 4. The unification problem: four disconnected security paradigms converge into MTSF’s single market language. Game-based proofs become price adjustments, UC becomes market regulation, formal verification becomes stress testing, and ad hoc insecurity becomes market collapse.

Figure 4. The unification problem: four disconnected security paradigms converge into MTSF’s single market language. Game-based proofs become price adjustments, UC becomes market regulation, formal verification becomes stress testing, and ad hoc insecurity becomes market collapse.

1.2. What MTSF Provides

1.3. Key Technical Innovations

Extended difference lemma.

The classical difference lemma bounds a single failure event. Our extension (Lemma 2) handles m simultaneous events:

$$|Pr\left[{\mathbf{B}}_k=1\right]-Pr\left[{\mathbf{B}}_{k+1}=1\right]|\le Pr\left[\bigcup _{i=1}^m{F}_i\right]\le \sum _{i=1}^{m}Pr\left[F_i\right]-\sum _{i<j}Pr\left[F_i\cap F_j\right]+\dots$$

with inclusion-exclusion giving a tight upper bound when failure events are correlated. We apply this in every case study: ECDSA ($F_{\mathsf{nonce}}\cup F_{\mathsf{hash}}\cup F_{\mathsf{fork}}\cup F_{\mathsf{extract}}$), ML-DSA ($F_{\mathsf{rejection}}\cup F_{\mathsf{norm}}$), four-party protocols (${\bigcup }_{i=1}^4{F}_{\mathsf{sig},i}$), and Telegram ($F_{\mathsf{salt}}\cup F_{\mathsf{entropy}}\cup F_{\mathsf{cnf}}\cup F_{\mathsf{ping}}$).

1.3.0.8. Session pinging for unbounded security.

Bounded game-based proofs say “secure for q sessions” but real systems run for millions of sessions over years. We define structural distinctness (Theorem 14) and the session ping function (Theorem 15), and prove by induction (Theorem 3) that if the base case is secure and all pings pass, then every session is secure—providing unbounded coverage with quantitative bounds. This bridges game-based proofs (bounded, quantitative) and formal verification (unbounded, qualitative).

1.3.0.9. Dual proof/disproof methodology.

MTSF characterises insecurity as market collapse: $\mathsf{Ask}=1$ means any adversary wins for free. Secure schemes have $\mathsf{Ask}\le \mathsf{negl}$. The same bidding-round machinery proves both. For the Needham–Schroeder protocol, we show the masquerade bid succeeds with probability 1 (no cryptographic break needed). For textbook RSA, the homomorphism bid succeeds in $O\left(1\right)$ time. For MTProto, the salt extraction bid quasi-collapses the market to $\mathsf{Ask}\approx 1$. These are not ad hoc observations—they are formal theorems within MTSF.

1.4. Article Organisation

Section 2: notation, semantic security, four paradigms with figures. Section 3: MTSF with extended difference lemma. Section 4: CNF session verification algorithm and easy manual worksheet. Section 5: session pinging for unbounded security. Section 6: thirteen unified novelties. Section 8: authentication, mutual authentication, session-key secrecy, and CNF checking games as market goods. Section 9: ECDSA, ML-KEM, ML-DSA (secure) and textbook RSA (insecure); extended primitives HMAC, AEAD, SLH-DSA, FN-DSA. Section 10: AES block-cipher market with differential, rotational, linear, and related-key bids. Section 11: Keccak/SHA-3 hash-function market. Section 12: Grain-128a stream-cipher market. Section 13: ISO/IEC 11770-3 protocol family (two-, three-, and four-party), PKI, Needham–Schroeder insecurity proof, Signal Protocol (X3DH + Double Ratchet) security proof and X3DH-noOPK insecurity proof, TLS 1.3 (1-RTT equilibrium proof, 0-RTT replay collapse, downgrade attack collapse, CNF session verification and unbounded ping), and Telegram MTProto disproof (salt extraction) and RMTP proof (HMAC-bound salts). Section 14: QROM-based FO-transform KEM with full protocol description, sequence diagram, and six-bidding-round proof. Section 15: BB84 Quantum Key Distribution as a full quantum market dynamics case study (quantum seller, quantum buyer, information-theoretic security via no-cloning and QLHL). Section 16: TLS 1.3 + Signal multi-protocol composition network case study (market merger theorem instantiation, resource competition analysis, network CNF verification). Section 19: comprehensive related work in ten subsections. Section 20: conclusion with seventeen contributions, lessons learned, and seven future directions (with initial formalisations of quantum market dynamics and multi-protocol composition networks). Appendix A: expanded MTSF correspondence table (79 entries). Appendix B: comprehensive bid taxonomy with QROM, Telegram, BB84, and composition bids.

Figure 5. Decision flowchart: “Which MTSF tool do I need?” Start with your cryptographic object, follow the arrows, and arrive at the correct MTSF section and proof technique.

2. Preliminaries and Background

2.1. Notation

2.2. Semantic Security and Core Definitions

Definition 1 

(Semantic Security [11]). Encryption Π issemantically secureif for every PPT $\mathcal{A}$, whatever $\mathcal{A}$ computes from ciphertext $c=\mathsf{Enc}(K,m)$, a PPT simulator $\mathcal{S}$ can compute from the message length $\left|m\right|$ alone: $|Pr\left[f\leftarrow \mathcal{A}\left(c\right)\right]-Pr\left[f\leftarrow \mathcal{S}\left(\right|m\left|\right)\right]|\le \mathsf{negl}\left(\lambda \right).$ In market terms: the ciphertext is a worthless good—the buyer (adversary) gains zero information from purchasing it.

Definition 2 

(IND-CPA). $\mathcal{A}$ submits $m_0,m_1$; receives $\mathsf{Enc}(K,m_b)$ for random b; guesses b. Secure if ${\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CPA}}\le \mathsf{negl}\left(\lambda \right)$.

Definition 3 

(IND-CCA2). As IND-CPA but $\mathcal{A}$ additionally gets a decryption oracle (except on the challenge). Secure if ${\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}\le \mathsf{negl}\left(\lambda \right)$.

Definition 4 

(EUF-CMA). $\mathcal{A}$ gets a signing oracle; must produce a valid signature on anewmessage. Secure if $Pr\left[\mathrm{forge}\right]\le \mathsf{negl}\left(\lambda \right)$.

Definition 5 

(SUF-CMA). Strong unforgeability: $\mathcal{A}$ cannot produceanynew valid (message, signature) pair, even for previously signed messages with a different signature.

Definition 6 

(INT-CTXT (Ciphertext Integrity)) For an authenticated encryption scheme $\mathsf{AE}$, the adversary $\mathcal{A}$ has access to an encryption oracle and wins if it produces any ciphertext $c^{*}$ that decrypts successfully but was never output by the encryption oracle. Secure if $Pr\left[\mathrm{INT}-\mathrm{CTXT}\mathrm{forge}\right]\le \mathsf{negl}\left(\lambda \right)$.

Definition 7 

(PRF Security). A keyed function $F_K:{\{0,1\}}^n\to {\{0,1\}}^m$ is asecure PRFif no PPT distinguisher tells $F_K(·)$ from a truly random function $R(·)$:

$${\mathsf{Adv}}_F^{\mathsf{PRF}}\left(\mathcal{A}\right)=\left|Pr[{\mathcal{A}}^{F_K(·)}=1]-Pr[{\mathcal{A}}^{R(·)}=1]\right|\le \mathsf{negl}\left(\lambda \right).$$

2.3. Bidding-Round Proofs in the Random Oracle Model

A bidding round ${\mathbf{B}}_k$ is a formal experiment between a challenger $\mathcal{C}$ and adversary $\mathcal{A}$. The challenger sets up keys, answers oracle queries, and presents challenges; the adversary tries to win (guess correctly, produce a forgery, etc.). The bidding-round sequence technique [1,2] transforms ${\mathbf{B}}_0$ (the real security experiment) into ${\mathbf{B}}_q$ (an ideal experiment where winning is impossible):

$${\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{sec}}\left(\lambda \right)\le \sum _{k=0}^{q-1}\underset{\mathrm{price}\mathrm{adjustment}\Delta {\mathsf{Price}}_k}{\underbrace{|Pr\left[{\mathbf{B}}_k\left(\mathcal{A}\right)=1\right]-Pr\left[{\mathbf{B}}_{k+1}\left(\mathcal{A}\right)=1\right]|}}.$$

(1)

Lemma 1 

(Classical Difference Lemma [1]). If ${\mathbf{B}}_k$ and ${\mathbf{B}}_{k+1}$ are identical except when a single failure event F occurs, then: $|Pr\left[{\mathbf{B}}_k\left(\mathcal{A}\right)=1\right]-Pr\left[{\mathbf{B}}_{k+1}\left(\mathcal{A}\right)=1\right]|\le Pr\left[F\mathrm{in}{\mathbf{B}}_k\right].$

In the Random Oracle Model (ROM) [12], hash functions are modelled as perfectly random functions accessible only via queries. This idealisation enables clean reductions.

Figure 6. Bidding-round proof architecture. The seller (challenger) and buyer (adversary) interact via oracles. The bidding-round chain ${\mathbf{B}}_0\to {\mathbf{B}}_q$ bounds the total advantage. In MTSF, each $\Delta {\mathsf{Price}}_k$ is a “price adjustment” in the security market.

Figure 6. Bidding-round proof architecture. The seller (challenger) and buyer (adversary) interact via oracles. The bidding-round chain ${\mathbf{B}}_0\to {\mathbf{B}}_q$ bounds the total advantage. In MTSF, each $\Delta {\mathsf{Price}}_k$ is a “price adjustment” in the security market.

2.4. Universal Composability (UC) Framework

The UC framework [3] guarantees that a protocol secure in isolation remains secure under arbitrary concurrent composition. A protocol $\pi$UC-realises an ideal functionality $\mathcal{F}$ if for every PPT adversary $\mathcal{A}$ there exists a PPT simulator $\mathcal{S}$ such that no PPT environment $\mathcal{Z}$ can distinguish:

$${\mathsf{Real}}_{\pi ,\mathcal{A},\mathcal{Z}}{\approx }_c{\mathsf{Ideal}}_{\mathcal{F},\mathcal{S},\mathcal{Z}}.$$

(2)

Figure 7. UC framework. The environment $\mathcal{Z}$ interacts with either the real world (protocol $\pi$ with adversary $\mathcal{A}$) or the ideal world (trusted functionality $\mathcal{F}$ with simulator $\mathcal{S}$). UC security: $\mathcal{Z}$ cannot tell which world it observes.

Figure 7. UC framework. The environment $\mathcal{Z}$ interacts with either the real world (protocol $\pi$ with adversary $\mathcal{A}$) or the ideal world (trusted functionality $\mathcal{F}$ with simulator $\mathcal{S}$). UC security: $\mathcal{Z}$ cannot tell which world it observes.

2.5. GUC and CNF Session Correctness

The GUC framework [4] removes the CRS assumption via shared functionalities. Camenisch et al. [5] encode each session as a CNF formula ${\phi }_{\mathsf{sid}}={\bigwedge }_j{C}_j$, where satisfiability under the honest trace implies session correctness.

2.6. Formal Verification

ProVerif [6] and Tamarin [7] provide automated, unbounded symbolic analysis. They check secrecy, authentication, replay/masquerade/MITM resistance. Limitation: no concrete advantage bounds.

3. The Market-Theoretic Security Framework

3.1. Security Market Model

Definition 8 

(Security Market). $\mathcal{M}=(\mathsf{Seller},{\left\{{\mathsf{Buyer}}_i\right\}}_{i\in \left[n\right]},\mathcal{G},\mathsf{Price})$: seller (challenger), buyers (adversaries), security goods catalogue $\mathcal{G}=\{g_1,\dots ,g_k\}$ (e.g., IND-CPA, EUF-CMA, key secrecy), price function $\mathsf{Price}:\mathcal{G}\times \mathbb{N}\to [0,1]$.

Definition 9 

(Bid). ${\mathsf{Bid}}_i=(g_j,T_i,{ϵ}_i)$: buyer i targets good $g_j$ with budget $T_i\le \mathsf{poly}\left(\lambda \right)$ and target advantage ${ϵ}_i$. Succeeds if advantage $\ge {ϵ}_i$ within $T_i$ steps.

Definition 10 

(Quoted Price). Thequoted price${\mathsf{QPrice}}_0\left(g_j\right)$ is the seller’s initial listing price for security good $g_j$ in bidding round ${\mathbf{B}}_0$. It equals the adversary’s raw advantage in the unmodified real-world game:

$${\mathsf{QPrice}}_0\left(g_j\right)={\mathsf{Adv}}_{\mathcal{A}}^{g_j}\left(\lambda \right)={\mathsf{Ask}}_0(g_j,\lambda ).$$

(3)

The quoted price is anunknown but boundedquantity: it is the number the entire proof exists to bound. Subsequent bidding rounds ${\mathbf{B}}_1,{\mathbf{B}}_2,\dots ,{\mathbf{B}}_q$ decompose ${\mathsf{QPrice}}_0$ into a telescoping sum of price adjustments:

$${\mathsf{QPrice}}_0=\underset{\mathrm{bid}1}{\underbrace{\Delta {\mathsf{Price}}_0}}+\underset{\mathrm{bid}2}{\underbrace{\Delta {\mathsf{Price}}_1}}+\dots +\underset{\mathrm{bid}q}{\underbrace{\Delta {\mathsf{Price}}_{q-1}}}+\underset{\mathrm{ideal}\mathrm{residual}}{\underbrace{Pr[{\mathbf{B}}_q=1]}}.$$

(4)

Security holds when ${\mathsf{QPrice}}_0\le \mathsf{negl}\left(\lambda \right)$; insecurity holds when ${\mathsf{QPrice}}_0=\Omega \left(1\right)$.

Figure 8. The quoted price ${\mathsf{QPrice}}_0$ as a bar decomposed into bidding-round contributions. Each bidding round “peels off” one piece of the quoted price by bounding one attack vector. If every piece is negligible and the residual is zero, the quoted price is negligible—the market is in equilibrium.

Figure 8. The quoted price ${\mathsf{QPrice}}_0$ as a bar decomposed into bidding-round contributions. Each bidding round “peels off” one piece of the quoted price by bounding one attack vector. If every piece is negligible and the residual is zero, the quoted price is negligible—the market is in equilibrium.

Figure 9. MTSF market: seller offers security goods; buyers bid computation; equilibrium = security.

Figure 9. MTSF market: seller offers security goods; buyers bid computation; equilibrium = security.

Definition 11 

(Ask Price & Equilibrium). $\mathsf{Ask}(g_j,\lambda )={max}_{\mathcal{A}\in \mathsf{PPT}}{\mathsf{Adv}}_{\mathcal{A}}^{g_j}\left(\lambda \right).$ The market is inequilibriumif $\mathsf{Ask}(g_j,\lambda )\le \mathsf{negl}\left(\lambda \right)$: no PPT buyer profits. The market hascollapsedif $\mathsf{Ask}(g_j,\lambda )=\Omega \left(1\right)$: some buyer profits cheaply.

Figure 10. Individual seller–buyer interaction: the four-phase security game as a market transaction.

Figure 10. Individual seller–buyer interaction: the four-phase security game as a market transaction.

Theorem 1 

(Equilibrium ⇔ Security; Collapse ⇔ Insecurity). Π is secure for $g_j$ iff $\mathcal{M}$ is in equilibrium. Π is insecure iff $\mathcal{M}$ has collapsed.

Figure 11. The Security Thermometer: visualising ask prices on a scale from perfectly secure (bottom, green) to completely broken (top, red). Real-world case studies are plotted along the scale, with everyday probability comparisons on the right.

Figure 11. The Security Thermometer: visualising ask prices on a scale from perfectly secure (bottom, green) to completely broken (top, red). Real-world case studies are plotted along the scale, with everyday probability comparisons on the right.

3.2. Game Hops as Price Adjustments

Definition 12 

(Price Adjustment). $\Delta {\mathsf{Price}}_k=\left|Pr\left[{\mathbf{B}}_k\left(\mathcal{A}\right)=1\right]-Pr\left[{\mathbf{B}}_{k+1}\left(\mathcal{A}\right)=1\right]\right|.$ Cumulative cost: $\mathsf{Cost}\left(\mathcal{A}\right)={\sum }_{k=0}^{q-1}\Delta {\mathsf{Price}}_k.$

Figure 12. Game hops as a descending staircase: each step reduces the attacker’s advantage by eliminating one attack vector. The total advantage (height of the staircase) is the sum of all step sizes. If every step is negligibly small, the scheme is secure.

Figure 12. Game hops as a descending staircase: each step reduces the attacker’s advantage by eliminating one attack vector. The total advantage (height of the staircase) is the sum of all step sizes. If every step is negligibly small, the scheme is secure.

3.3. The Extended Difference Lemma

The classical difference lemma (Lemma 1) handles one failure per hop. In practice, a single game transition often involves multiple simultaneous failures. We extend the lemma:

Lemma 2 

(Extended Difference Lemma—Multiple Failures).

Let ${\mathbf{B}}_k$ and ${\mathbf{B}}_{k+1}$ be identical unless at least one of $F_1,F_2,\dots ,F_m$ occurs. Then:

$$|Pr\left[{\mathbf{B}}_k\left(\mathcal{A}\right)=1\right]-Pr\left[{\mathbf{B}}_{k+1}\left(\mathcal{A}\right)=1\right]|\le Pr\left[F_1\cup F_2\cup \dots \cup F_m\right].$$

(5)

By theunion bound: $Pr\left[{\bigcup }_i{F}_i\right]\le {\sum }_{i}Pr\left[F_i\right]$. When failures are correlated, theinclusion-exclusionbound is tighter:

$$Pr\left[\bigcup _i{F}_i\right]=\sum _{i}Pr\left[F_i\right]-\sum _{i<j}Pr\left[F_i\cap F_j\right]+\dots +{(-1)}^{m+1}Pr\left[\bigcap _i{F}_i\right].$$

(6)

Proof. 

${\mathbf{B}}_k$ and ${\mathbf{B}}_{k+1}$ agree on $\overline{{\bigcup }_i{F}_i}$. Hence:

$$\begin{array}{cc}\hfill & |Pr\left[{\mathbf{B}}_k=1\right]-Pr\left[{\mathbf{B}}_{k+1}=1\right]|\hfill \\ \hfill & =|Pr\left[{\mathbf{B}}_k=1\wedge \bigcup F_i\right]+Pr\left[{\mathbf{B}}_k=1\wedge \overline{\bigcup F_i}\right]-Pr\left[{\mathbf{B}}_{k+1}=1\wedge \bigcup F_i\right]-Pr\left[{\mathbf{B}}_{k+1}=1\wedge \overline{\bigcup F_i}\right]|\hfill \\ \hfill & =|Pr\left[{\mathbf{B}}_k=1\wedge \bigcup F_i\right]-Pr\left[{\mathbf{B}}_{k+1}=1\wedge \bigcup F_i\right]|\le Pr\left[\bigcup _i{F}_i\right].\hfill \end{array}$$

   □

Figure 13. Venn diagram of simultaneous failure events in the extended difference lemma. The union bound adds all circles; inclusion-exclusion subtracts the overlaps for a tighter bound. Each failure event corresponds to a specific “bad thing” that could happen during a game hop.

Figure 13. Venn diagram of simultaneous failure events in the extended difference lemma. The union bound adds all circles; inclusion-exclusion subtracts the overlaps for a tighter bound. Each failure event corresponds to a specific “bad thing” that could happen during a game hop.

Figure 14. Before/After: the same ECDSA proof written in classical game-based style (left) vs. MTSF style (right). The mathematical content is identical; MTSF adds named bids, composition, session auditing, and unbounded coverage.

Figure 14. Before/After: the same ECDSA proof written in classical game-based style (left) vs. MTSF style (right). The mathematical content is identical; MTSF adds named bids, composition, session auditing, and unbounded coverage.

3.4. UC as Market Regulation; GUC as Shared Infrastructure

The UC environment $\mathcal{Z}$ is recast as a market regulator: an entity monitoring all concurrent trades (protocol messages) and capable of intervening at any point. UC-security: the real market (protocol execution) is computationally indistinguishable from the ideal market (ideal functionality) from any regulator’s perspective—${\mathsf{Real}}_{\pi ,\mathcal{A},\mathcal{Z}}{\approx }_c{\mathsf{Ideal}}_{\mathcal{F},\mathcal{S},\mathcal{Z}}$. The simulator $\mathcal{S}$ is the market arbitrageur: it bridges the real and ideal worlds by simulating the real protocol’s market behaviour using only the ideal functionality’s interface.

The UC composition theorem is a market merger theorem: two equilibrium markets, when merged for concurrent execution, remain in equilibrium. GUC shared functionalities (PKI, common reference strings) are market infrastructure: public goods accessible to all buyers and sellers. In MTSF, the CNF session formula plays the role of a GUC correctness requirement: each session passes the audit iff all clauses are satisfied, and a failed clause identifies which market good has been compromised.

Figure 15. Systematic translation from UC/GUC to MTSF. Every UC concept (left) maps to an MTSF counterpart (right) that preserves all guarantees and adds quantitative bounds. The translation is lossless—MTSF strictly extends UC/GUC.

Figure 15. Systematic translation from UC/GUC to MTSF. Every UC concept (left) maps to an MTSF counterpart (right) that preserves all guarantees and adds quantitative bounds. The translation is lossless—MTSF strictly extends UC/GUC.

3.5. Formal Verification as Market Stress Testing

Model checking (ProVerif [6], Tamarin [7]) is recast as regulatory stress testing: the regulator enumerates all possible buyer strategies (adversarial protocol traces $\tau$) and checks $\forall \tau \in \mathsf{Traces}\left(\mathcal{M}\right):\tau \vDash {\phi }_{g_j}$ for all goods $g_j$. In MTSF notation: replay attack= stale bid (old session transcript at discounted price; blocked by SID clause); masquerade attack= identity fraud (claiming to be a different party; blocked by signature/certificate clause); MITM attack= market manipulation (intercepting and altering both sides; blocked by SID-binding and identity-binding clauses). Formal verification provides exhaustive coverage for all traces; MTSF’s session pinging (Section 5) provides quantitative advantage bounds for all sessions—together bridging the qualitative-unbounded and quantitative-bounded paradigms.

4. CNF Session Verification in MTSF

4.1. Why CNF?

Conjunctive Normal Form is natural for encoding session correctness because: (1) each clause corresponds to one security check—adding a check means adding a clause; (2) the conjunction semantics ensures all checks must pass; (3) given an execution trace, checking satisfiability is linear in the formula size; (4) an unsatisfied clause directly identifies which security property was violated.

Figure 16. CNF session verification as airport security: five sequential checkpoints (SID, freshness, signatures, MACs, consistency) each modelled as a CNF clause. A session “boards the plane” (is accepted) only if ALL checks pass. Any single failure rejects the session and identifies which check failed.

Figure 16. CNF session verification as airport security: five sequential checkpoints (SID, freshness, signatures, MACs, consistency) each modelled as a CNF clause. A session “boards the plane” (is accepted) only if ALL checks pass. Any single failure rejects the session and identifies which check failed.

4.2. Session-CNF Construction

Definition 13 

(MTSF Session-CNF). Let ${\mathsf{Session}}_i=({\mathsf{sid}}_i,{\mathsf{pid}}_i^1,\dots ,{\mathsf{pid}}_i^p,{\mathsf{trans}}_i)$ denote the i-th session with p parties and transcript ${\mathsf{trans}}_i$. TheMTSF session-CNFis:

$${\phi }_i=\underset{\mathrm{SID}\mathrm{binding}}{\underbrace{{\phi }_i^{\mathsf{sid}}}}\wedge \underset{\mathrm{freshness}}{\underbrace{{\phi }_i^{\mathsf{fresh}}}}\wedge \underset{\mathrm{signature}\mathrm{binding}}{\underbrace{{\phi }_i^{\mathsf{sig}}}}\wedge \underset{\mathrm{MAC}\mathrm{binding}}{\underbrace{{\phi }_i^{\mathsf{mac}}}}\wedge \underset{\mathrm{consistency}}{\underbrace{{\phi }_i^{\mathsf{consist}}}}.$$

(7)

Figure 17. Structure of the MTSF session-CNF ${\phi }_i$: five components ANDed together. A session is correct iff the entire formula is satisfiable under the honest trace.

Figure 17. Structure of the MTSF session-CNF ${\phi }_i$: five components ANDed together. A session is correct iff the entire formula is satisfiable under the honest trace.

SID Clauses.

Every message must carry the correct session identifier:

$${\phi }_i^{\mathsf{sid}}=\underset{j=1}{\overset{\ell }{\bigwedge }}\left(x_{{\mathsf{sid}}_i,j}\vee \neg x_{\mathsf{other},j}\right),$$

(8)

where $x_{{\mathsf{sid}}_i,j}$ is true if message j carries ${\mathsf{sid}}_i$, and $x_{\mathsf{other},j}$ is true if it carries a different SID.

4.2.0.11. Freshness Clauses.

All nonces must be fresh and distinct:

$${\phi }_i^{\mathsf{fresh}}=\underset{k=1}{\overset{r}{\bigwedge }}\left(x_{n_k,\mathsf{fresh}}\right)\wedge \underset{k\ne k^{\prime }}{\bigwedge }\left(\neg x_{n_k=n_{k^{\prime }}}\right).$$

(9)

4.2.0.12. Signature-Binding Clauses.

Every signature must verify or the session aborts:

$${\phi }_i^{\mathsf{sig}}=\underset{j}{\bigwedge }\left(x_{\mathsf{Vrfy}({\mathsf{pk}}_j,m_j\parallel {\mathsf{sid}}_i,{\sigma }_j)=1}\vee x_{\mathsf{abort}}\right).$$

(10)

4.2.0.13. MAC-Binding Clauses.

Every MAC must verify or the session aborts:

$${\phi }_i^{\mathsf{mac}}=\underset{j}{\bigwedge }\left(x_{\mathsf{Mac}.\mathsf{Vrfy}(K_j,m_j\parallel {\mathsf{sid}}_i,{\tau }_j)=1}\vee x_{\mathsf{abort}}\right).$$

(11)

Consistency Clauses.

Protocol-specific invariants (message ordering, state-machine compliance):

$${\phi }_i^{\mathsf{consist}}=\underset{j=1}{\overset{c}{\bigwedge }}{C}_j^{\mathsf{protocol}}.$$

(12)

Theorem 2 

(Session Correctness via CNF). ${\mathsf{Session}}_i$ is correct iff ${\phi }_i$ is satisfiable under the honest trace ${\mathsf{trans}}_i$.

Proof. 

Soundness. If ${\phi }_i$ is satisfiable: SID clauses ⇒ correct binding; freshness ⇒ unique nonces; sig/MAC ⇒ all verifications pass; consistency ⇒ invariants hold. This is session correctness.

Completeness. If the session is correct, the honest trace provides a satisfying assignment.    □

Proposition 1 

(Adversarial CNF Unsatisfiability). If all underlying primitives are secure (markets in equilibrium), then:

$$Pr\left[\mathcal{A}\mathrm{produces}\mathrm{a}\mathrm{satisfying}\mathrm{assignment}\mathrm{for}{\phi }_i\mathrm{under}\mathrm{a}\mathrm{dishonest}\mathrm{trace}\right]\le \mathsf{negl}\left(\lambda \right).$$

(13)

Proof. 

A satisfying dishonest assignment requires at least one of: (1) signature forgery (breaks EUF-CMA equilibrium); (2) MAC forgery (breaks SUF-CMA); (3) nonce prediction (breaks freshness); (4) SID reuse (breaks binding). Each contradicts the equilibrium assumption.    □

4.3. CNF Verification Algorithm

The session-CNF ${\phi }_{\mathsf{sess}}$ is a conjunction of atomic Boolean clauses. Verifying it manually is hard because (i) the number of clauses can be large, (ii) clause ordering matters for cascading failures, and (iii) cryptographic verification steps are interleaved with structural ones. Algorithm 1 provides the canonical machine-checkable procedure. The MTSF CNF Truth-Table Worksheet below gives a four-step manual recipe.

Algorithm 1:MTSF-CNF Session Verification (Canonical, 5-Phase)

Require:  Transcript ${\mathsf{trans}}_i$, session ID ${\mathsf{sid}}_i$, public keys $\left\{{\mathsf{pk}}_j\right\}$, shared/MAC keys $\left\{K_j\right\}$ Ensure:  $\mathsf{Accept}$ or $\mathsf{Reject}$ Ensure:  Phase 1 – SID Binding Check 1: for each message $m_j\in {\mathsf{trans}}_i$ do 2:     if $\mathsf{ExtractSID}\left(m_j\right)\ne {\mathsf{sid}}_i$thenreturn$\mathsf{Reject}$▹ Clause ${\phi }^{\mathsf{sid}}$ fails 3:     end if 4: end for 4: Phase 2 – Nonce Freshness & Disjointness 5: $\mathcal{N}\leftarrow \varnothing$ 6: for each nonce $n_k\in {\mathsf{trans}}_i$ do 7:     if $n_k\in \mathcal{N}$thenreturn$\mathsf{Reject}$▹ Clause ${\phi }^{\mathsf{fresh}}$ fails 8:     end if 9:     $\mathcal{N}\leftarrow \mathcal{N}\cup \left\{n_k\right\}$ 10: end for 10: Phase 3 – Signature & MAC Verification 11: for each $({\sigma }_j,{\mathsf{pk}}_j,{\mathsf{data}}_j)\in {\mathsf{trans}}_i$ do 12:     if $\mathsf{Vrfy}({\mathsf{pk}}_j,{\mathsf{data}}_j,{\sigma }_j)\ne 1$thenreturn$\mathsf{Reject}$▹ Clause ${\phi }_j^{\mathsf{sig}}$ fails 13:     end if 14: end for 15: for each $({\tau }_j,K_j,{\mathsf{macData}}_j)\in {\mathsf{trans}}_i$ do 16:     if $\mathsf{Mac}.\mathsf{Vrfy}(K_j,{\mathsf{macData}}_j,{\tau }_j)\ne 1$thenreturn$\mathsf{Reject}$▹ Clause ${\phi }_j^{\mathsf{mac}}$ fails 17:     end if 18: end for 18: Phase 4 – Message Ordering & Consistency 19: if$\mathsf{CheckOrdering}\left({\mathsf{trans}}_i\right)\ne 1$thenreturn$\mathsf{Reject}$▹ Clause ${\phi }^{\mathsf{consist}}$ fails 20: end if 20: Phase 5 – Ping (Unbounded Freshness) 21: if$i>1$and$\mathsf{Ping}({\mathsf{Session}}_{i-1},{\mathsf{Session}}_i)\ne 1$thenreturn$\mathsf{Reject}$▹ Unbounded bid fails 22: end if 23: return$\mathsf{Accept}$

5. Unbounded Verification via Session Pinging

Session pinging is one of the two core technical contributions of MTSF (the other being CNF session verification, Section 4). This section develops the full theory: motivation, formal mechanism, the main induction theorem with a detailed proof, a quantitative advantage-accumulation analysis, the interaction between pinging and CNF checking, failure-mode taxonomy, and a comparison with symbolic unbounded verification tools.

5.1. Why Bounded Is Not Enough

A protocol correct for sessions $1,\dots ,1000$ may fail at session 1001 if the randomness generator cycles. Game-based proofs are inherently bounded (polynomial in $\lambda$). Formal verification handles unbounded sessions symbolically but without concrete bounds. Session pinging bridges this gap.

Bounded-session limitations in existing frameworks.

Consider a protocol $\pi$ proven secure for q concurrent sessions in the game-based model. The standard advantage bound takes the form $\mathsf{Ask}\le q·{ϵ}_{\mathsf{prim}}+q^2/2^{\lambda +1}$, where ${ϵ}_{\mathsf{prim}}$ is the advantage against the underlying primitive and the quadratic term captures birthday-bound collisions among q nonces. This bound is meaningful only for $q=\mathsf{poly}\left(\lambda \right)$. Three real-world failure scenarios escape this analysis:

1.

Nonce/counter wrap-around. A 32-bit counter nonce wraps after $2^{32}$ sessions, reusing the same nonce-key pair. Protocols such as AES-GCM with a 32-bit invocation field are vulnerable after $2^{32}$ TLS records under the same key.

2.

Session-state accumulation. Adversaries that persist across sessions can accumulate partial information. For instance, each ECDSA signing session leaks a negligible amount of side-channel information about the nonce k; after $2^{60}$ sessions the accumulated leakage may be non-negligible.

3.

Cross-session correlation. In multi-party protocols, an adversary may correlate session transcripts across sessions. Without a mechanism ensuring structural independence, subtle cross-session attacks (e.g. the Needham–Schroeder masquerade) succeed regardless of the session count.

Session pinging addresses all three by enforcing structural independence at each session boundary and enabling an inductive security argument that is session-index-independent.

5.2. The Pinging Mechanism

Definition 14 

(Session Structural Distinctness). Sessions ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$ arestructurally distinctif:

• ${\mathsf{sid}}_i\ne {\mathsf{sid}}_{i+1}$ (SID freshness);
• ${\mathcal{N}}_i\cap {\mathcal{N}}_{i+1}=\varnothing$ (disjoint nonce sets);
• all signatures in ${\mathsf{Session}}_{i+1}$ sign data including ${\mathsf{sid}}_{i+1}$ (signature binding);
• all MACs in ${\mathsf{Session}}_{i+1}$ authenticate data including ${\mathsf{sid}}_{i+1}$ (MAC binding);
• all ciphertexts in ${\mathsf{Session}}_{i+1}$ are freshly generated (not replayed from ${\mathsf{Session}}_i$) (ciphertext freshness).

Remark 1 

(Condition (e): Ciphertext Freshness). Condition (e) is new compared to the minimal four-condition definition. It is necessary for KEM-based protocols (ML-KEM, QKEM) where the buyer could replay a ciphertext $c_i$ from ${\mathsf{Session}}_i$ to ${\mathsf{Session}}_{i+1}$. Without ciphertext freshness, the decapsulation oracle in ${\mathsf{Session}}_{i+1}$ might return the same key $K_i$, breaking key secrecy. The CNF clause ${\phi }^{\mathsf{novel}}$ enforces this condition.

Definition 15 

(Session Ping). $\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=1$ iff ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$ are structurally distinct per Theorem 14.

Definition 16 

(Ping Failure Probability). Theping failure probabilityfor protocol π is:

$${\delta }_{\mathsf{ping}}\left(\pi \right)=\underset{i\ge 1}{max}Pr\left[\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=0\right],$$

(14)

where the probability is taken over honest randomness (nonce generation, SID sampling). A protocol hasnegligible ping failureif ${\delta }_{\mathsf{ping}}\left(\pi \right)\le \mathsf{negl}\left(\lambda \right)$.

Figure 18. Session pinging for unbounded verification. Consecutive sessions are “pinged” to verify structural distinctness. The zigzag edges denote the ping check between adjacent sessions.

Figure 18. Session pinging for unbounded verification. Consecutive sessions are “pinged” to verify structural distinctness. The zigzag edges denote the ping check between adjacent sessions.

Figure 19. Detailed ping verification flow for session ${\mathsf{Session}}_{i+1}$ against its predecessor ${\mathsf{Session}}_i$. A failure at any step short-circuits to $\mathsf{Ping}=0$ (session rejected). This flowchart corresponds to Phase 5 of Algorithm 1.

Figure 19. Detailed ping verification flow for session ${\mathsf{Session}}_{i+1}$ against its predecessor ${\mathsf{Session}}_i$. A failure at any step short-circuits to $\mathsf{Ping}=0$ (session rejected). This flowchart corresponds to Phase 5 of Algorithm 1.

5.3. The Unbounded Security Theorem

Theorem 3 

(Unbounded Security via Session Pinging). If (i) ${\mathsf{Session}}_1$ is secure (market in equilibrium with ${\mathsf{Ask}}_1\le ϵ$), (ii) $\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=1$ for all $i\ge 1$, and (iii) ${\phi }_{i+1}$ is obtained from ${\phi }_i$ by variable renaming (substituting ${\mathsf{sid}}_i\mapsto {\mathsf{sid}}_{i+1}$ and fresh nonces), then π is secure for unbounded sessions, with:

$${\mathsf{Ask}}_i\le ϵ+(i-1)·{\delta }_{\mathsf{ping}}\left(\pi \right)\mathrm{for}\mathrm{all}i\ge 1.$$

(15)

When ${\delta }_{\mathsf{ping}}\left(\pi \right)\le \mathsf{negl}\left(\lambda \right)$, the ask price remains negligible for all $i=\mathsf{poly}\left(\lambda \right)$.

Proof. 

We proceed by strong induction on the session index i.

Base case ($i=1$). Session ${\mathsf{Session}}_1$ is secure by hypothesis (i), with ${\mathsf{Ask}}_1\le ϵ$. The session-CNF ${\phi }_1$ is satisfiable under the honest trace of ${\mathsf{Session}}_1$ by Theorem 2: SID clauses hold (the SID was freshly sampled), freshness clauses hold (nonces are freshly generated), signature and MAC clauses hold (honest parties execute correctly), and consistency clauses hold (honest execution follows the protocol specification). Since there is no predecessor session, the ping clause ${\phi }_1^{\mathsf{ping}}$ is vacuously true.

Inductive step. Assume that sessions ${\mathsf{Session}}_1,\dots ,{\mathsf{Session}}_i$ are all secure, i.e., for each $j\le i$ the session-CNF ${\phi }_j$ is satisfiable under the honest trace and ${\mathsf{Ask}}_j\le ϵ+(j-1){\delta }_{\mathsf{ping}}$. We must show that ${\mathsf{Session}}_{i+1}$ is secure.

Step 1: Structural distinctness via pinging. By hypothesis (ii), $\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=1$. By Theorem 14, this guarantees:

• ${\mathsf{sid}}_{i+1}$ is fresh (not equal to ${\mathsf{sid}}_i$ or any earlier SID, since all earlier pings also passed by the inductive hypothesis, giving a chain of distinct SIDs);
• all nonces in ${\mathsf{Session}}_{i+1}$ are disjoint from those in ${\mathsf{Session}}_i$ (and by induction, disjoint from all earlier nonces with probability $\ge 1-i·{\delta }_{\mathsf{ping}}$);
• all signatures and MACs in ${\mathsf{Session}}_{i+1}$ bind ${\mathsf{sid}}_{i+1}$, which is distinct from all previous session identifiers.

Step 2: CNF isomorphism. By hypothesis (iii), ${\phi }_{i+1}$ is obtained from ${\phi }_i$ by the variable renaming ${\mathsf{sid}}_i\mapsto {\mathsf{sid}}_{i+1}$ and substituting fresh nonces. Since the CNF clauses are structural (they check SID binding, nonce freshness, signature verification, MAC verification, and consistency), and since all variables in ${\phi }_{i+1}$ are independently fresh, the satisfiability of ${\phi }_{i+1}$ under the honest trace of ${\mathsf{Session}}_{i+1}$ follows from the satisfiability of ${\phi }_i$ under the honest trace of ${\mathsf{Session}}_i$. Formally:

$${\phi }_{i+1}\left[{\mathsf{trans}}_{i+1}^{\mathsf{honest}}\right]={\phi }_i\left[{\mathsf{trans}}_i^{\mathsf{honest}}\right]{|}_{{\mathsf{sid}}_i\mapsto {\mathsf{sid}}_{i+1},{\mathcal{N}}_i\mapsto {\mathcal{N}}_{i+1}}=\mathsf{TRUE}.$$

(16)

Step 3: Market equilibrium preservation. The security reduction for ${\mathsf{Session}}_{i+1}$ is identical to that for ${\mathsf{Session}}_1$ (and hence ${\mathsf{Session}}_i$): the reduction converts a buyer who breaks ${\mathsf{Session}}_{i+1}$ into a buyer who breaks the underlying primitive. Crucially, this reduction is session-index-independent: it does not use the session index $i+1$ in any way beyond the fresh SID and nonces. Therefore:

$${\mathsf{Ask}}_{i+1}\le {\mathsf{Ask}}_1+Pr\left[\exists j\le i:\mathsf{Ping}({\mathsf{Session}}_j,{\mathsf{Session}}_{j+1})=0\right]\le ϵ+i·{\delta }_{\mathsf{ping}}\left(\pi \right).$$

(17)

The second inequality follows from a union bound over i ping checks, each failing with probability at most ${\delta }_{\mathsf{ping}}$.

Conclusion. By induction, ${\mathsf{Ask}}_i\le ϵ+(i-1){\delta }_{\mathsf{ping}}$ for all $i\ge 1$. When ${\delta }_{\mathsf{ping}}\le \mathsf{negl}\left(\lambda \right)$ and $i=\mathsf{poly}\left(\lambda \right)$, the total ask price is $ϵ+\mathsf{poly}\left(\lambda \right)·\mathsf{negl}\left(\lambda \right)=ϵ+\mathsf{negl}\left(\lambda \right)$, which is negligible whenever $ϵ$ is negligible. The market remains in equilibrium for all sessions.    □

5.4. Interaction Between Session Pinging and CNF Verification

Session pinging and CNF verification are complementary mechanisms that together provide the strongest possible session-security guarantee. Their interaction is formalised as follows.

Proposition 2. 

For any session ${\mathsf{Session}}_{i+1}$ with predecessor ${\mathsf{Session}}_i$:

$$[Ping-CNFSoundness]\begin{array}{c}\hfill \left({\phi }_{i+1}=\mathsf{SAT}\right)\wedge \left(\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=1\right)⟹\\ \hfill {\mathsf{Session}}_{i+1}\mathrm{is}\mathrm{correct}\mathrm{and}\mathrm{structurally}\mathrm{independent}\mathrm{of}{\mathsf{Session}}_i.\end{array}$$

(18)

Proof. 

CNF satisfiability (Theorem 2) guarantees that all intra-session checks pass: SID binding, nonce freshness within the session, all signatures and MACs verify, and message ordering is correct. The ping check (Theorem 15) guarantees inter-session independence: the SID, nonces, and cryptographic bindings of ${\mathsf{Session}}_{i+1}$ are structurally distinct from those of ${\mathsf{Session}}_i$. Together, they ensure that ${\mathsf{Session}}_{i+1}$ is both internally correct and externally independent, which is the full session-correctness requirement.    □

Proposition 3 

(Ping Failure Implies CNF Clause Failure). If $\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=0$, then at least one of the following CNF clauses in ${\phi }_{i+1}$ is violated:

• ${\phi }_{i+1}^{\mathsf{sid}}$: SID binding (if ${\mathsf{sid}}_{i+1}={\mathsf{sid}}_i$);
• ${\phi }_{i+1}^{\mathsf{fresh}}$: nonce freshness (if ${\mathcal{N}}_{i+1}\cap {\mathcal{N}}_i\ne \varnothing$);
• ${\phi }_{i+1}^{\mathsf{sig}}$ or ${\phi }_{i+1}^{\mathsf{mac}}$: cryptographic binding (if signatures or MACs do not bind ${\mathsf{sid}}_{i+1}$).

Therefore, the four-column CNF worksheet automatically detects any ping failure, and the failing clause identifies the specific inter-session attack vector.

Proof. 

By contrapositive: if all CNF clauses pass and include the SID of the current session in all cryptographic bindings, then conditions (a)–(e) of Theorem 14 are satisfied, so the ping passes.    □

5.4.0.16. Phase 5 of Algorithm 1 explained.

The ping check in Phase 5 of the CNF verification algorithm serves as the “inter-session bridge” between the intra-session CNF verification (Phases 1–4) and the unbounded induction theorem (Theorem 3). Concretely, Phase 5 performs five sub-checks corresponding to the five conditions of Theorem 14:

1.

SID uniqueness: Verify ${\mathsf{sid}}_{i+1}\notin \{{\mathsf{sid}}_1,\dots ,{\mathsf{sid}}_i\}$ by consulting the SID log.

2.

Nonce disjointness: Verify ${\mathcal{N}}_{i+1}\cap {\bigcup }_{j=1}^i{\mathcal{N}}_j=\varnothing$ by consulting the nonce log.

3.

Signature SID-binding: For each signature $\sigma$ in ${\mathsf{Session}}_{i+1}$, verify that the signed data includes ${\mathsf{sid}}_{i+1}$.

4.

MAC SID-binding: For each MAC tag $\tau$ in ${\mathsf{Session}}_{i+1}$, verify that the authenticated data includes ${\mathsf{sid}}_{i+1}$.

5.

Ciphertext freshness: For each ciphertext c in ${\mathsf{Session}}_{i+1}$, verify $c\notin \{c_1,\dots ,c_i\}$.

If any sub-check fails, the session is rejected immediately with a diagnostic indicating which structural-distinctness condition was violated. This early rejection prevents the accumulation of insecure sessions.

5.5. Taxonomy of Ping Failure Modes

Not all protocols satisfy the pinging requirements. The following taxonomy classifies the failure modes that prevent unbounded security, ordered by severity.

Figure 20. Taxonomy of ping failure modes: SID collision (counter issues), nonce reuse (RNG problems), signature unbinding (design flaws), and ciphertext replay (KEM reuse). Each mode has a specific probability bound. Well-designed protocols have negligible failure in all modes.

Figure 20. Taxonomy of ping failure modes: SID collision (counter issues), nonce reuse (RNG problems), signature unbinding (design flaws), and ciphertext replay (KEM reuse). Each mode has a specific probability bound. Well-designed protocols have negligible failure in all modes.

Definition 17 

(Ping Failure Taxonomy).

1.

Type I: SID collision.${\mathsf{sid}}_{i+1}={\mathsf{sid}}_j$ for some $j\le i$. Probability: $\le i/|\mathsf{SID}-\mathsf{space}|$ (birthday bound if SIDs are random).Consequence:Cross-session replay becomes possible.Example:A 64-bit SID space after $2^{32}$ sessions gives collision probability $\approx 2^{-1}$.

2.

Type II: Nonce reuse.${\mathcal{N}}_{i+1}\cap {\mathcal{N}}_j\ne \varnothing$ for some $j\le i$.Consequence:Signature key recovery (ECDSA), ciphertext XOR leakage (stream ciphers), or MAC forgery.Example:ECDSA with a biased nonce generator (cf. the Sony PlayStation 3 ECDSA break, where all nonces were identical).

3.

Type III: Unsigned SID.Signatures in ${\mathsf{Session}}_{i+1}$ do not bind ${\mathsf{sid}}_{i+1}$.Consequence:Signatures from one session can be replayed in another.Example:Needham–Schroeder protocol, where no SID is signed (cf. Section 13.4).

4.

Type IV: Unauthenticated SID.MACs in ${\mathsf{Session}}_{i+1}$ do not bind ${\mathsf{sid}}_{i+1}$.Consequence:MAC tags from one session can be injected into another.Example:Original Telegram MTProto 2.0, where the salt is not HMAC-bound (cf. Section 13.9).

5.

Type V: Ciphertext replay.Ciphertexts from ${\mathsf{Session}}_i$ are accepted in ${\mathsf{Session}}_{i+1}$.Consequence:Key reuse across sessions.Example:A KEM without implicit rejection may accept a replayed ciphertext.

Table 1. Ping failure taxonomy with protocol examples and CNF clause that detects each failure.

Type	Failure mode	Probability	CNF clause	Example protocol
I	SID collision	$i/\left|\mathsf{SID}\right|$	${\phi }^{\mathsf{sid}}$	64-bit SID after $2^{32}$ sessions
II	Nonce reuse	$q_N^2/2^{\lambda +1}$	${\phi }^{\mathsf{fresh}}$	ECDSA with biased nonces
III	Unsigned SID	1	${\phi }^{\mathsf{sig}}$	Needham–Schroeder
IV	Unauthenticated SID	$\ge 2^{-64}$	${\phi }^{\mathsf{mac}}$	Telegram MTProto 2.0
V	Ciphertext replay	$q_D/\left|\mathcal{C}\right|$	${\phi }^{\mathsf{novel}}$	KEM without implicit rej.

Table 1. Ping failure taxonomy with protocol examples and CNF clause that detects each failure.

Type	Failure mode	Probability	CNF clause	Example protocol
I	SID collision	$i/\left|\mathsf{SID}\right|$	${\phi }^{\mathsf{sid}}$	64-bit SID after $2^{32}$ sessions
II	Nonce reuse	$q_N^2/2^{\lambda +1}$	${\phi }^{\mathsf{fresh}}$	ECDSA with biased nonces
III	Unsigned SID	1	${\phi }^{\mathsf{sig}}$	Needham–Schroeder
IV	Unauthenticated SID	$\ge 2^{-64}$	${\phi }^{\mathsf{mac}}$	Telegram MTProto 2.0
V	Ciphertext replay	$q_D/\left|\mathcal{C}\right|$	${\phi }^{\mathsf{novel}}$	KEM without implicit rej.

5.6. Quantitative Advantage Accumulation

The accumulation bound in Theorem 3 is additive: each session adds at most ${\delta }_{\mathsf{ping}}$ to the total advantage. We now give concrete numerical examples for the protocols and primitives analysed in this article.

Proposition 4 

(Concrete Ping Degradation Bounds). For the following schemes, the ping failure probability and accumulated advantage after N sessions are:

Scheme	${\delta }_{\mathsf{ping}}$	After $N=2^{40}$ sessions	After $N=2^{64}$ sessions
ECDSA (256-bit q)	$q_S^2/\left(2q\right)\approx 2^{-129}$	$2^{-89}$	$2^{-65}$
ML-KEM-768	$q_D/2^{\gamma }\approx 2^{-200}$	$2^{-160}$	$2^{-136}$
ML-DSA-65	${\mathsf{Adv}}^{\mathsf{MSIS}}\approx 2^{-128}$	$2^{-88}$	$2^{-64}$
AES-128	$q_E·2^{-128}\approx 2^{-64}$	$2^{-24}$	$\approx 1$(key rotation needed)
Keccak/SHA-3	$q_f/2^c=q_f/2^{512}$	$2^{-472}$	$2^{-448}$
ISO two-party	$q_N^2/2^{257}+{\mathsf{Adv}}^{\mathsf{EUF}}$	$\approx 2^{-128}$	$\approx 2^{-128}$

Remark 2 

(AES Key Rotation). The AES entry highlights an important practical point: for block ciphers with 128-bit keys, the accumulated ping degradation reaches unity after $\approx 2^{64}$ sessions under the same key. This is the well-known birthday bound for block ciphers and mandates key rotation (rekeying) before $2^{64}$ blocks. The ping mechanism makes this requirementexplicitwithin the MTSF framework, rather than leaving it as an implicit assumption.

5.7. Comparison with Symbolic Unbounded Verification

ProVerif [6] and Tamarin [7] provide symbolic unbounded session analysis: they check whether any number of concurrent sessions can be attacked, using abstract term algebras where cryptographic operations are perfect. Session pinging provides a complementary computational unbounded analysis with concrete advantage bounds.

Table 2. Comparison of MTSF session pinging with symbolic formal verification for unbounded sessions.

Property	ProVerif/Tamarin	CryptoVerif	MTSF Pinging
Session bound	Unbounded	Polynomial	Unbounded (by induction)
Concrete bounds	No	Yes	Yes
Cross-session attacks	Detected	Partially	Detected (ping clause)
CNF audit trail	No	No	Yes (worksheet)
Manual verification	No	No	Yes (four-column method)
Key rotation guidance	No	No	Yes (accumulation bound)

Table 2. Comparison of MTSF session pinging with symbolic formal verification for unbounded sessions.

Property	ProVerif/Tamarin	CryptoVerif	MTSF Pinging
Session bound	Unbounded	Polynomial	Unbounded (by induction)
Concrete bounds	No	Yes	Yes
Cross-session attacks	Detected	Partially	Detected (ping clause)
CNF audit trail	No	No	Yes (worksheet)
Manual verification	No	No	Yes (four-column method)
Key rotation guidance	No	No	Yes (accumulation bound)

Figure 21. MTSF’s session pinging bridges the gap between formal verification (unbounded, qualitative) and game-based proofs (bounded, quantitative), providing the best of both worlds.

Figure 21. MTSF’s session pinging bridges the gap between formal verification (unbounded, qualitative) and game-based proofs (bounded, quantitative), providing the best of both worlds.

6. Unified Novelties

Figure 22. MTSF as a superset of existing paradigms. Game-based proofs, UC/GUC, formal verification, and ad hoc insecurity are all contained within MTSF as special cases.

7. Soundness and Completeness of MTSF

Any formal security framework must justify why its verdicts are trustworthy. In logic, a proof system is sound if it never declares a false statement true, and complete if it eventually declares every true statement provable. This section establishes analogous guarantees for MTSF: soundness means that if the market reaches equilibrium then the scheme is genuinely secure; completeness means that if the scheme is insecure then some buyer can collapse the market. The central technical mechanism is a subroutine-consumption reduction: during the bidding round the seller embeds the buyer as a black-box subroutine inside an algorithm for a computationally hard problem, thereby showing that the buyer’s success would yield an efficient solver for that problem—a contradiction under standard hardness assumptions.

7.1. Subroutine Consumption: The Core Reduction Mechanism

The backbone of every MTSF security proof is a subroutine-consumption reduction. During a bidding round ${\mathbf{B}}_k$, the seller constructs a polynomial-time algorithm $\mathcal{R}$ (the reducer) that:

1.

receives an instance x of a computationally hard problem ${\Pi }_{\mathsf{hard}}$;

2.

simulates the market environment for the buyer $\mathcal{A}$ (setting up keys, answering oracle queries, issuing challenges) without knowing the solution to x;

3.

invokes the buyer $\mathcal{A}$ as a black-box subroutine—feeding $\mathcal{A}$ the simulated view and collecting $\mathcal{A}$’s output;

4.

translates the buyer’s bid output (a forgery, a distinguishing guess, a key recovery) into a valid solution for x.

Thus ${\mathcal{R}}^{\mathcal{A}}(·)$ is a polynomial-time oracle machine that solves ${\Pi }_{\mathsf{hard}}$ whenever the buyer’s bid succeeds.

Definition 18 

(Subroutine-Consumption Reduction). Let ${\Pi }_{\mathsf{hard}}$ be a computational problem and let $\mathcal{M}=(\mathsf{Seller},\left\{{\mathsf{Buyer}}_i\right\},\mathcal{G},\mathsf{Price})$ be an MTSF security market for a scheme Π. Asubroutine-consumption reductionfor good $g_j\in \mathcal{G}$ is a PPT oracle machine $\mathcal{R}$ such that for every PPT buyer $\mathcal{A}$:

$${\mathsf{Adv}}_{{\mathcal{R}}^{\mathcal{A}}}^{{\Pi }_{\mathsf{hard}}}\left(\lambda \right)\ge {\displaystyle \frac{1}{L\left(\lambda \right)}}·{\mathsf{Adv}}_{\mathcal{A}}^{g_j}\left(\lambda \right)-\delta \left(\lambda \right),$$

where $L\left(\lambda \right)\le \mathsf{poly}\left(\lambda \right)$ is thetightness lossand $\delta \left(\lambda \right)$ is a negligible simulation error. The reducer $\mathcal{R}$consumes $\mathcal{A}$ as a subroutine: it runs $\mathcal{A}$ internally, relaying queries and collecting outputs, without knowledge of $\mathcal{A}$’s internal strategy.

Figure 23. Subroutine-consumption reduction: the seller (reducer $\mathcal{R}$) receives a hard-problem instance x, simulates the market for the buyer $\mathcal{A}$, consumes $\mathcal{A}$’s bid output to solve x. Hardness of ${\Pi }_{\mathsf{hard}}$ implies the buyer’s advantage is negligible—market equilibrium.

Figure 23. Subroutine-consumption reduction: the seller (reducer $\mathcal{R}$) receives a hard-problem instance x, simulates the market for the buyer $\mathcal{A}$, consumes $\mathcal{A}$’s bid output to solve x. Hardness of ${\Pi }_{\mathsf{hard}}$ implies the buyer’s advantage is negligible—market equilibrium.

7.2. NP-Hard Subroutine Chains: Consuming One Hard Problem to Solve Another

The subroutine-consumption mechanism extends naturally to chains of NP-hard reductions. If the buyer’s bid strategy $\mathcal{A}$ constitutes an algorithm for NP-hard problem ${\Pi }_A$, and an algorithm for ${\Pi }_A$ can itself be consumed as a subroutine to solve a different NP-hard problem ${\Pi }_B$, then the seller constructs a two-layer reduction: the outer reducer solves ${\Pi }_B$ by consuming a solver for ${\Pi }_A$, which itself is the buyer. This mechanism mirrors the structure of Karp reductions in complexity theory, but operationalised within the MTSF bidding-round framework.

Definition 19 

(NP-Hard Subroutine Chain). Let ${\Pi }_A$ and ${\Pi }_B$ be NP-hard problems and let $g_j$ be a security good in market $\mathcal{M}$. AnNP-hard subroutine chainof depth d is a sequence of PPT oracle machines ${\mathcal{R}}_1,{\mathcal{R}}_2,\dots ,{\mathcal{R}}_d$ such that:

1.

${\mathcal{R}}_1^{\mathcal{A}}$: consumes the buyer $\mathcal{A}$ (who attacks good $g_j$) to produce a solver for ${\Pi }_A$.

2.

${\mathcal{R}}_2^{{\mathcal{R}}_1^{\mathcal{A}}}$: consumes the ${\Pi }_A$-solver as a subroutine to produce a solver for ${\Pi }_B$.

3.

In general, ${\mathcal{R}}_{i+1}^{{\mathcal{R}}_i^{\dots }}$ consumes the ${\Pi }_{i-1}$-solver to produce a ${\Pi }_i$-solver.

The total tightness loss is $L_{\mathsf{total}}\left(\lambda \right)={\prod }_{i=1}^d{L}_i\left(\lambda \right)$ and the total simulation error is ${\delta }_{\mathsf{total}}\left(\lambda \right)={\sum }_{i=1}^d{\delta }_i\left(\lambda \right)$.

Algorithm 2:NP-Hard Subroutine Chain Reduction

Require:  NP-hard problems ${\Pi }_A,{\Pi }_B$; buyer $\mathcal{A}$ attacking good $g_j$; instance $y\in {\Pi }_B$ Ensure:  Solution to y (if $\mathcal{A}$ succeeds) or ⊥ Ensure:  // Layer 1: Reduce ${\Pi }_B$ instance to ${\Pi }_A$ instance 1: Parse y as an instance of ${\Pi }_B$ 2: Compute Karp reduction: $x\leftarrow {\mathsf{KarpReduce}}_{B\to A}\left(y\right)$▹x is a ${\Pi }_A$ instance 2: // Layer 2: Reduce ${\Pi }_A$ instance to security game instance 3: Embed x into market setup: $(\mathsf{pk},\mathsf{state})\leftarrow {\mathcal{R}}_1.\mathsf{Setup}(x,1^{\lambda })$ 4: Initialise buyer: send $\mathsf{pk}$ to $\mathcal{A}$ 4: // Layer 3: Execute bidding round with buyer as subroutine 5: while$\mathcal{A}$ makes oracle query $q_i$ do 6:     $a_i\leftarrow {\mathcal{R}}_1.\mathsf{SimOracle}(q_i,\mathsf{state})$▹ Simulate oracle using x 7:     Send $a_i$ to $\mathcal{A}$ 8: end while 9: Issue challenge $c^{*}\leftarrow {\mathcal{R}}_1.\mathsf{Challenge}\left(\mathsf{state}\right)$ to $\mathcal{A}$ 10: Receive bid output $\beta \leftarrow \mathcal{A}\left(c^{*}\right)$▹ Buyer consumed as subroutine 10: // Layer 4: Extract solutions up the chain 11: if$\beta$ is a valid bid (forgery/guess/key) then 12:     Extract ${\Pi }_A$ solution: $s_A\leftarrow {\mathcal{R}}_1.\mathsf{Extract}(\beta ,\mathsf{state})$ 13:     Lift to ${\Pi }_B$ solution: $s_B\leftarrow {\mathsf{KarpLift}}_{A\to B}(s_A,y)$▹ Inverse map 14:     return $s_B$ 15: else 16:     return ⊥▹ Buyer’s bid failed; no solution extracted 17: end if

Figure 24. NP-hard subroutine chain: the seller reduces ${\Pi }_B$ to ${\Pi }_A$ to the security game. The buyer is consumed as the innermost subroutine. Solution extraction propagates outward: $\beta \to s_A\to s_B$. NP-hardness of ${\Pi }_B$ prevents the buyer from succeeding.

Figure 24. NP-hard subroutine chain: the seller reduces ${\Pi }_B$ to ${\Pi }_A$ to the security game. The buyer is consumed as the innermost subroutine. Solution extraction propagates outward: $\beta \to s_A\to s_B$. NP-hardness of ${\Pi }_B$ prevents the buyer from succeeding.

7.3. Soundness of MTSF

Soundness asserts that MTSF equilibrium implies genuine security: if the bidding-round chain terminates with negligible cumulative cost, then no efficient adversary can break the scheme.

Theorem 4 

(Soundness of MTSF). Let $\mathcal{M}=(\mathsf{Seller},\left\{{\mathsf{Buyer}}_i\right\},\mathcal{G},\mathsf{Price})$ be a security market for scheme Π, and let $g_j\in \mathcal{G}$ be a security good. Suppose there exists a subroutine-consumption reduction $\mathcal{R}$ from the security game for $g_j$ to a computational problem ${\Pi }_{\mathsf{hard}}$ with tightness loss $L\left(\lambda \right)$ and simulation error $\delta \left(\lambda \right)$. If ${\Pi }_{\mathsf{hard}}$ is $(T\left(\lambda \right),{ϵ}_{\mathsf{hard}}\left(\lambda \right))$-hard (i.e., no algorithm running in time T succeeds with probability $>{ϵ}_{\mathsf{hard}}$), then for all PPT buyers $\mathcal{A}$:

$$\mathsf{Ask}(g_j,\lambda )\le L\left(\lambda \right)·{ϵ}_{\mathsf{hard}}\left(\lambda \right)+\delta \left(\lambda \right).$$

In particular, if ${\Pi }_{\mathsf{hard}}$ is hard against PPT (i.e., ${ϵ}_{\mathsf{hard}}\left(\lambda \right)\le \mathsf{negl}\left(\lambda \right)$) and $L\left(\lambda \right)\le \mathsf{poly}\left(\lambda \right)$ and $\delta \left(\lambda \right)\le \mathsf{negl}\left(\lambda \right)$, then $\mathsf{Ask}(g_j,\lambda )\le \mathsf{negl}\left(\lambda \right)$—the market is in equilibrium.

Proof. 

By contradiction. Suppose some PPT buyer ${\mathcal{A}}^{*}$ achieves ${\mathsf{Adv}}_{{\mathcal{A}}^{*}}^{g_j}\left(\lambda \right)={ϵ}^{*}\neg \le \mathsf{negl}\left(\lambda \right)$—i.e., ${ϵ}^{*}$ is non-negligible. By the subroutine-consumption reduction (Theorem 18), the reducer ${\mathcal{R}}^{{\mathcal{A}}^{*}}$ solves ${\Pi }_{\mathsf{hard}}$ with advantage:

$${\mathsf{Adv}}_{{\mathcal{R}}^{{\mathcal{A}}^{*}}}^{{\Pi }_{\mathsf{hard}}}\left(\lambda \right)\ge {\displaystyle \frac{1}{L\left(\lambda \right)}}·{ϵ}^{*}-\delta \left(\lambda \right).$$

Since ${ϵ}^{*}$ is non-negligible, $L\left(\lambda \right)\le \mathsf{poly}\left(\lambda \right)$, and $\delta \left(\lambda \right)\le \mathsf{negl}\left(\lambda \right)$, the right-hand side is non-negligible. Thus ${\mathcal{R}}^{{\mathcal{A}}^{*}}$ is a PPT algorithm (since $\mathcal{R}$ is PPT and ${\mathcal{A}}^{*}$ is PPT, the composition is PPT) that solves ${\Pi }_{\mathsf{hard}}$ with non-negligible advantage—contradicting the hardness assumption on ${\Pi }_{\mathsf{hard}}$. Therefore no such ${\mathcal{A}}^{*}$ exists, and:

$$\mathsf{Ask}(g_j,\lambda )=\underset{\mathcal{A}\in \mathsf{PPT}}{max}{\mathsf{Adv}}_{\mathcal{A}}^{g_j}\left(\lambda \right)\le L\left(\lambda \right)·{ϵ}_{\mathsf{hard}}\left(\lambda \right)+\delta \left(\lambda \right)\le \mathsf{negl}\left(\lambda \right).$$

The market is in equilibrium for good $g_j$.    □

7.4. Completeness of MTSF

Completeness asserts the converse: if a scheme is insecure, then MTSF detects the flaw—some buyer’s bid collapses the market.

Theorem 5 

(Completeness of MTSF). Let $\mathcal{M}=(\mathsf{Seller},\left\{{\mathsf{Buyer}}_i\right\},\mathcal{G},\mathsf{Price})$ be a security market for scheme Π, and let $g_j\in \mathcal{G}$ be a security good. If there exists a PPT algorithm ${\mathcal{A}}^{*}$ such that ${\mathsf{Adv}}_{{\mathcal{A}}^{*}}^{g_j}\left(\lambda \right)={ϵ}^{*}\left(\lambda \right)\ge 1/\mathsf{poly}\left(\lambda \right)$ (i.e., ${\mathcal{A}}^{*}$ breaks $g_j$ with non-negligible advantage), then:

1.

Bid construction:The buyer submits bid ${\mathsf{Bid}}^{*}=(g_j,T^{*},{ϵ}^{*})$ where $T^{*}=\mathsf{Time}\left({\mathcal{A}}^{*}\right)$.

2.

Market collapse:$\mathsf{Ask}(g_j,\lambda )\ge {ϵ}^{*}\left(\lambda \right)\ge 1/\mathsf{poly}\left(\lambda \right)$, which is non-negligible.

3.

Equilibrium failure:The market isnotin equilibrium for $g_j$.

Moreover, if ${ϵ}^{*}\left(\lambda \right)=1-\mathsf{negl}\left(\lambda \right)$ (the scheme is totally broken), then $\mathsf{Ask}(g_j,\lambda )=1-\mathsf{negl}\left(\lambda \right)$: the market has fully collapsed.

Proof. 

By the definition of ask price (Theorem 11):

$$\mathsf{Ask}(g_j,\lambda )=\underset{\mathcal{A}\in \mathsf{PPT}}{max}{\mathsf{Adv}}_{\mathcal{A}}^{g_j}\left(\lambda \right)\ge {\mathsf{Adv}}_{{\mathcal{A}}^{*}}^{g_j}\left(\lambda \right)={ϵ}^{*}\left(\lambda \right).$$

Since ${ϵ}^{*}\left(\lambda \right)\ge 1/\mathsf{poly}\left(\lambda \right)$ is non-negligible, $\mathsf{Ask}(g_j,\lambda )\neg \le \mathsf{negl}\left(\lambda \right)$, so the equilibrium condition of Theorem 11 fails. The buyer ${\mathcal{A}}^{*}$ realises the bid ${\mathsf{Bid}}^{*}=(g_j,T^{*},{ϵ}^{*})$ by running its attack strategy in time $T^{*}$ and achieving advantage ${ϵ}^{*}$. The market has collapsed (or is at least non-equilibrium) for good $g_j$.

For total collapse: if ${\mathsf{Adv}}_{{\mathcal{A}}^{*}}^{g_j}\left(\lambda \right)=1-\mathsf{negl}\left(\lambda \right)$, then the ask price satisfies $\mathsf{Ask}(g_j,\lambda )\ge 1-\mathsf{negl}\left(\lambda \right)$, and by the trivial upper bound $\mathsf{Ask}(g_j,\lambda )\le 1$, we obtain $\mathsf{Ask}(g_j,\lambda )=1-\mathsf{negl}\left(\lambda \right)$. This is full market collapse: the security good is worthless.    □

7.5. The Soundness–Completeness Duality

Figure 25. The soundness–completeness duality of MTSF. Soundness ensures no false positives (broken schemes declared secure); completeness ensures no false negatives (insecure schemes undetected). Together, they make MTSF’s market verdicts fully reliable.

Figure 25. The soundness–completeness duality of MTSF. Soundness ensures no false positives (broken schemes declared secure); completeness ensures no false negatives (insecure schemes undetected). Together, they make MTSF’s market verdicts fully reliable.

The soundness and completeness theorems together establish a precise duality between the computational world and the market world:

Corollary 1 

(MTSF Duality). For any security good $g_j$ in a market $\mathcal{M}$ with a valid subroutine-consumption reduction to ${\Pi }_{\mathsf{hard}}$:

$$\Pi \mathrm{is}\sec \mathrm{ure}\mathrm{for}{g}_j⟺\mathcal{M}\mathrm{is}\mathrm{in}\mathrm{equilibrium}\mathrm{for}{g}_j⟺$$

$$\mathrm{no}\mathrm{PPT}\mathrm{buyer}\mathrm{profits}\mathrm{from}\mathrm{bidding}\mathrm{on}{g}_j,$$

under the assumption that ${\Pi }_{\mathsf{hard}}$ is hard against PPT.

Proof. 

(⇒, Soundness) If $\Pi$ is secure for $g_j$, then by Theorem 4 the market is in equilibrium. (⇐, Completeness) If $\Pi$ is insecure for $g_j$, then by Theorem 5 some buyer’s bid collapses the market—so the market is not in equilibrium. The contrapositive gives: equilibrium ⇒ security.    □

Figure 26. The soundness–completeness duality of MTSF. Soundness (bottom-left): hardness of ${\Pi }_{\mathsf{hard}}$ implies security and equilibrium. Completeness (top): insecurity implies market collapse. The three worlds—security, market, and computational—are formally equivalent under MTSF.

7.6. Worked Example: ECDSA Soundness via Subroutine Consumption

To make the abstract machinery concrete, we trace the subroutine-consumption reduction for ECDSA’s EUF-CMA security (proved in detail in Section 9.1).

Example 1 

(ECDSA Subroutine Consumption). Consider the ECDSA market ${\mathcal{M}}_{\mathsf{ECDSA}}$ with good $g_{\mathsf{EUF}}=$ EUF-CMA (unforgeability). The hard problem is ${\Pi }_{\mathsf{hard}}=\mathsf{ECDLP}$ (Elliptic Curve Discrete Logarithm Problem).

Subroutine consumption in action:

1.

Reducer setup.The reducer $\mathcal{R}$ receives an ECDLP instance $(G,Q=dG)$ where d is the unknown discrete log. $\mathcal{R}$ sets $\mathsf{pk}=Q$ and begins simulating the signing oracle for the buyer $\mathcal{A}$.

2.

Oracle simulation.When the buyer requests a signature on message $m_i$, the reducer simulates $(r_i,s_i)$ using the forking lemma technique: it programs the random oracle so that valid-looking signatures can be produced without knowing d.

3.

Buyer consumed.After $q_S$ signing queries, the buyer outputs a forgery $(m^{*},{\sigma }^{*}=(r^{*},s^{*}))$ on a fresh message $m^{*}\notin \{m_1,\dots ,m_{q_S}\}$.

4.

Solution extraction.Using the forking lemma, $\mathcal{R}$ rewinds $\mathcal{A}$ to obtain two valid signatures $(r^{*},s_1^{*})$ and $(r^{*},s_2^{*})$ on $m^{*}$ with different random oracle responses $h_1\ne h_2$. From these, $\mathcal{R}$ computes:

$$d={\displaystyle \frac{s_1^{*}{h}_2-s_2^{*}{h}_1}{s_2^{*}-s_1^{*}}}·r^{*-1}modn,$$

solving the ECDLP instance.

Soundness conclusion:By Theorem 4:

$$\mathsf{Ask}(g_{\mathsf{EUF}},\lambda )\le q_H·{\mathsf{Adv}}^{\mathsf{ECDLP}}\left(\lambda \right)+{\displaystyle \frac{q_S}{2^{\lambda }}}+{\displaystyle \frac{q_H^2}{2^{\lambda }}}\le \mathsf{negl}\left(\lambda \right).$$

The tightness loss is $L=q_H$ (number of hash queries) and the simulation error accounts for nonce collisions and birthday terms. The ECDSA market is in equilibrium.

7.7. Worked Example: NP-Hard Subroutine Chain for CNF-Based Security

The NP-hard subroutine chain is particularly natural when the security game involves CNF-satisfiability checks, since 3-SAT is the canonical NP-complete problem.

Example 2 

(CNF Subroutine Chain: SAT → Subset Sum → Security Game). Consider a scheme Π whose session security is verified via a CNF formula φ (Section 4). Suppose a buyer $\mathcal{A}$ can find a satisfying assignment for a class of CNF formulae as part of its attack strategy (e.g., it finds an adversarial transcript that passes the CNF audit).

Chain construction:

1.

Layer 1 (${\Pi }_A=$ 3-SAT):The buyer’s ability to satisfy the session-CNF implies an algorithm for a subclass of 3-SAT instances (those arising from protocol transcripts). The reducer ${\mathcal{R}}_1$ embeds a 3-SAT instance into the session-CNF by encoding the SAT variables as session parameters (nonces, keys, timestamps).

2.

Layer 2 (${\Pi }_B=$ Subset Sum):By Karp’s classical reduction, any 3-SAT instance can be transformed into a Subset Sum instance in polynomial time. The outer reducer ${\mathcal{R}}_2$ first transforms the Subset Sum instance y into a 3-SAT instance x (via the reverse encoding), then invokes ${\mathcal{R}}_1^{\mathcal{A}}$ to solve x.

3.

Solution propagation:If the buyer satisfies the session-CNF, ${\mathcal{R}}_1$ extracts a 3-SAT assignment, and ${\mathcal{R}}_2$ lifts it to a Subset Sum solution.

Conclusion:If the buyer could pass the CNF audit with an adversarial transcript, the chain would yield an efficient Subset Sum solver—contradicting the NP-hardness of Subset Sum (under $\mathsf{P}\ne \mathsf{NP}$). The session-CNF audit is sound: no adversarial transcript passes.

7.8. Relationship to Classical Meta-Theorems

The soundness and completeness of MTSF are not merely analogies—they are formal instantiations of classical meta-theorems in cryptographic proof theory.

Remark 3 

(Connection to Bellare–Rogaway Reductions). The subroutine-consumption reduction (Theorem 18) is the MTSF formalisation of the classical Bellare–Rogaway reduction paradigm [2]. In the classical setting, a “reduction” is a PPT oracle machine that uses the adversary as a black-box subroutine to solve a hard problem. MTSF adds the market interpretation: the reduction is thesellerconsuming thebuyerduring the bidding round, and the hard problem’s intractability ensures market equilibrium. The key insight is that this interpretation makes thedirectionof the reduction intuitive: the buyer bids (attacks), the seller co-opts the bid (reduces), and the hard problem’s resistance prevents profit (equilibrium).

Remark 4 

(Connection to Cook–Levin and Karp Reductions). The NP-hard subroutine chain (Theorem 19) operationalises the Cook–Levin theorem and Karp’s 21 reductions [13] within the MTSF bidding framework. The Cook–Levin theorem states that every problem in NP reduces to SAT; Karp’s reductions show that SAT reduces to 20 other specific NP-complete problems. In MTSF language: if the buyer’s bid strategy implicitly solves any NP-complete problem, the seller can chain reductions to solveallNP-complete problems—a catastrophic violation of the $\mathsf{P}\ne \mathsf{NP}$ assumption. This connection grounds MTSF’s security guarantees in the deepest conjectures of computational complexity theory.

Figure 27. Correspondence between classical meta-theorems in complexity/cryptography and their MTSF counterparts. Each classical result has a precise market-theoretic formalisation.

Figure 27. Correspondence between classical meta-theorems in complexity/cryptography and their MTSF counterparts. Each classical result has a precise market-theoretic formalisation.

7.9. Implications for MTSF Case Studies

The soundness and completeness theorems have direct implications for every case study in this article:

Figure 28. The four-step MTSF security pipeline that every case study follows: (1) define the market (seller, buyers, goods), (2) construct bidding-round chain with price adjustments, (3) fill in the CNF verification worksheet, (4) verify session pinging for unbounded security.

Figure 28. The four-step MTSF security pipeline that every case study follows: (1) define the market (seller, buyers, goods), (2) construct bidding-round chain with price adjustments, (3) fill in the CNF verification worksheet, (4) verify session pinging for unbounded security.

Remark 5 

(Subroutine Consumption and the NP-Hardness Paradigm). The subroutine-consumption mechanism establishes a fundamental link between cryptographic security and computational complexity. In the MTSF framework, every security proof is an instance of the following paradigm:

An algorithm for NP-hard problem ${\Pi }_A$ can solve another NP-hard problem ${\Pi }_B$ if the algorithm for ${\Pi }_A$ is consumed as a subroutine.

The buyer’s attack strategy constitutes an “algorithm” for a specific computational task (forging signatures, distinguishing ciphertexts, recovering keys). The seller’s reduction shows that this task is at least as hard as a known NP-hard problem. The subroutine chain (Theorem 19) extends this to multiple layers: if the buyer’s algorithm (for task ${\Pi }_A$) is consumed as a subroutine by a converter that solves ${\Pi }_B$, and ${\Pi }_B$ is consumed by another converter that solves ${\Pi }_C$, then the buyer’s success would yield an efficient solver for ${\Pi }_C$—a contradiction cascading through the entire NP-hardness hierarchy. This is the market-theoretic operationalisation of the NP-completeness web: breaking one problem breaks them all.

8. Protocol-Level Security Games in MTSF

In a protocol market, the seller offers not just primitive-level goods (EUF-CMA, IND-CCA2) but also protocol-level goods: entity authentication, mutual authentication, session-key secrecy, and CNF session correctness. Each is formalised as an individual buyer game within the market.

8.1. The Authentication Game

Definition 20 

(Authentication Good $g_{\mathsf{auth}}$). The seller offers $g_{\mathsf{auth}}$: the guarantee that after a protocol run, if honest party B accepts, then B’s intended partner A was indeed participating. The buyer (active network adversary $\mathcal{A}$) wins if B accepts a session without A having sent the corresponding messages.

Theorem 6 

(Authentication Game—Game-Based Bound). For a protocol using signatures for entity authentication:

$$\mathsf{Ask}\left(g_{\mathsf{auth}}\right)\le {\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}+{\displaystyle \frac{q_N^2}{2^{\lambda +1}}}+\mathsf{negl}\left(\lambda \right),$$

(19)

where $q_N$ is the number of sessions (nonces sampled).

Proof. 

We construct four games, bounding the difference at each hop.

${\mathbf{B}}_0$(Bidding Round 0: Real Market Execution).

The seller (challenger $\mathcal{C}$) runs the protocol honestly, offering the authentication good $g_{\mathsf{auth}}$ at ask price ${\mathsf{Ask}}_0$. The buyer (adversary $\mathcal{A}$) controls the network: it may delay, reorder, drop, and inject messages between honest parties A and B, placing a full-control network bid. The buyer wins—and the market collapses for $g_{\mathsf{auth}}$—if B accepts and outputs $\mathsf{pid}=A$, but A did not participate in any matching session. This is the baseline: ${\mathsf{Ask}}_0={\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{auth}}\left(\lambda \right)$.

${\mathbf{B}}_1$(Bidding Round 1: Nonce Freshness Bid).

The seller adds an internal audit: abort the session if any two concurrent or sequential sessions sample the same nonce. This models the seller refusing to sell under a nonce-reuse bid—a buyer strategy that exploits repeated randomness. The two bidding rounds ${\mathbf{B}}_0$ and ${\mathbf{B}}_1$ are identical until the bad event $F_{\mathsf{nonce}}$ (a nonce collision) occurs; by the difference lemma, the price adjustment is $\Delta {\mathsf{Price}}_0=|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le Pr\left[F_{\mathsf{nonce}}\right]$.

Difference bound. By the birthday bound over $q_N$ nonces sampled uniformly from ${\{0,1\}}^{\lambda }$:

$$|Pr\left[{\mathbf{B}}_0\left(\mathcal{A}\right)=1\right]-Pr\left[{\mathbf{B}}_1\left(\mathcal{A}\right)=1\right]|\le Pr\left[F_{\mathsf{nonce}}\right]\le {\displaystyle \frac{q_N^2}{2^{\lambda +1}}}.$$

(20)

${\mathbf{B}}_2$(Bidding Round 2: Signature Forgery Bid).

The seller now also maintains a signature ledger: a complete record of every signature honest party A has generated. If the buyer causes B to accept a signature ${\sigma }^{*}$ on session data $m^{*}\parallel \mathsf{sid}$ that does not appear in the ledger, the market flags this as a forgery bid event $F_{\mathsf{forge}}$—the buyer is attempting to sell counterfeit goods. The price adjustment is bounded by the EUF-CMA advantage: a forgery bid succeeds only if the buyer can produce a valid signature under A‘s key without ever querying A‘s signing oracle on that message, which by EUF-CMA security costs ${\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}$.

Difference bound. We reduce $F_{\mathsf{forge}}$ to EUF-CMA: given an EUF-CMA challenger for A’s key, the reduction embeds A’s public key and forwards signing queries. If $\mathcal{A}$ triggers $F_{\mathsf{forge}}$, the reduction outputs $(m^{*}\parallel \mathsf{sid},{\sigma }^{*})$ as a forgery. Hence:

$$|Pr\left[{\mathbf{B}}_1\left(\mathcal{A}\right)=1\right]-Pr\left[{\mathbf{B}}_2\left(\mathcal{A}\right)=1\right]|\le Pr\left[F_{\mathsf{forge}}\right]\le {\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}.$$

(21)

${\mathbf{B}}_3$(Bidding Round 3: Ideal Market—All Entity-Auth Bids Fail).

Conditioned on no nonce-reuse bid ($\neg F_{\mathsf{nonce}}$) and no forgery bid ($\neg F_{\mathsf{forge}}$) succeeding, the market reaches equilibrium for $g_{\mathsf{auth}}$: if B accepts with partner A, then B verified a valid, ledger-registered signature under A’s genuine key on session-specific data including a fresh $\mathsf{sid}$ and nonce $N_B$. The signature is in the ledger (no forgery bid succeeded), and the nonce is unique (no nonce bid succeeded), so A must have generated this signature for this exact session—A genuinely participated. The buyer’s winning probability in the ideal market: $Pr\left[{\mathbf{B}}_3=1\right]=0$. Market equilibrium for $g_{\mathsf{auth}}$ is established.

Summing:

$$\mathsf{Ask}\left(g_{\mathsf{auth}}\right)\le {\displaystyle \frac{q_N^2}{2^{\lambda +1}}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}+0={\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}+{\displaystyle \frac{q_N^2}{2^{\lambda +1}}}+\mathsf{negl}\left(\lambda \right).$$

(22)

   □

8.2. The Mutual Authentication Game

Definition 21 

(Mutual Authentication Good $g_{\mathsf{mutual}}$). The seller offers $g_{\mathsf{mutual}}$: after a protocol run,bothA and B accept with correct partner identities, or neither accepts. The buyer wins if either (a) B accepts with partner A but A did not participate, or (b) A accepts with partner B but B did not participate.

Theorem 7 

(Mutual Authentication Equilibrium). For a protocol with bidirectional signatures:

$$\mathsf{Ask}\left(g_{\mathsf{mutual}}\right)\le 2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}+{\displaystyle \frac{q_N^2}{2^{\lambda +1}}}+\mathsf{negl}\left(\lambda \right).$$

(23)

Proof. 

We construct five games.

${\mathbf{B}}_0$(Bidding Round 0: Real Market, Full Dual-Direction Bid).

The seller offers the mutual authentication good $g_{\mathsf{mutual}}$. The buyer places a dual-direction impersonation bid: it attempts to violate authentication in at least one direction—either impersonating A to B or impersonating B to A (or both). The market ask price is ${\mathsf{Ask}}_0={\mathsf{Adv}}_{\mathcal{A}}^{\mathsf{mutual}}\left(\lambda \right)$.

${\mathbf{B}}_1$(Bidding Round 1: Nonce Freshness Bid—Both Directions).

The seller enforces nonce uniqueness across all sessions in both directions, placing a freshness constraint on nonce bids. Identical-until-$F_{\mathsf{nonce}}$; price adjustment:

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le {\displaystyle \frac{q_N^2}{2^{\lambda +1}}}.$$

(24)

${\mathbf{B}}_2$(Bidding Round 2: Signature Forgery Bid on A—Impersonating A to B).

The seller adds a signature ledger for A. The buyer places a directed forgery bid: cause B to accept a signature ${\sigma }_A$ that A never generated, thereby impersonating A to B. Any success here is an EUF-CMA forgery against A’s signing key. Price adjustment (buyer’s cost to break A’s signature):

$$|Pr\left[{\mathbf{B}}_1=1\right]-Pr\left[{\mathbf{B}}_2=1\right]|\le {\mathsf{Adv}}_{\mathsf{Sig},A}^{\mathsf{EUF}-\mathsf{CMA}}.$$

(25)

${\mathbf{B}}_3$(Bidding Round 3: Signature Forgery Bid on B—Impersonating B to A).

Symmetrically, the seller adds a signature ledger for B. The buyer places a directed forgery bid in the other direction: cause A to accept a signature ${\sigma }_B$ that B never generated. By the extended difference lemma, $F_{\mathsf{forge}\_\mathsf{A}}$ (targeting A) and $F_{\mathsf{forge}\_\mathsf{B}}$ (targeting B) use independent signing keys, so their failure events are handled separately. Price adjustment (buyer’s cost to break B’s signature):

$$|Pr\left[{\mathbf{B}}_2=1\right]-Pr\left[{\mathbf{B}}_3=1\right]|\le {\mathsf{Adv}}_{\mathsf{Sig},B}^{\mathsf{EUF}-\mathsf{CMA}}.$$

(26)

${\mathbf{B}}_4$(Bidding Round 4: Ideal Market—Both Dual-Direction Bids Fail).

With no nonce-reuse bid, no forgery bid on A, and no forgery bid on B: both signatures in any accepted session are ledger-verified, session-specific, and nonce-fresh. Both parties participated genuinely. The dual-direction impersonation bid fails completely. $Pr\left[{\mathbf{B}}_4=1\right]=0$. Market equilibrium for $g_{\mathsf{mutual}}$ is established.

Extended difference lemma (combined). The forgery events $F_A$ and $F_B$ use independent keys, so: $Pr\left[F_A\cup F_B\right]\le Pr\left[F_A\right]+Pr\left[F_B\right]-Pr\left[F_A\cap F_B\right]\le 2·{\mathsf{Adv}}^{\mathsf{EUF}},$ since $Pr\left[F_A\cap F_B\right]\ge 0$.

Total:$\mathsf{Ask}\left(g_{\mathsf{mutual}}\right)\le 2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}+q_N^2/2^{\lambda +1}$.    □

8.3. The Session-Key Secrecy Game

Definition 22 

(Session-Key Secrecy Good $g_{\mathsf{sk}}$). After a completed protocol run producing session key $K_{\mathsf{sess}}$, the buyer receives either $K_{\mathsf{sess}}$ or a uniformly random key $K^{\prime }$ (chosen by a random bit b). The buyer wins by guessing b. The good is secure if $\mathsf{Ask}\left(g_{\mathsf{sk}}\right)\le \mathsf{negl}\left(\lambda \right)$.

Theorem 8 

(Session-Key Secrecy Equilibrium). For a protocol using a KEM for key transport and a KDF for derivation:

$$\mathsf{Ask}\left(g_{\mathsf{sk}}\right)\le {\mathsf{Adv}}_{\mathsf{KEM}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}+{\mathsf{Adv}}_{\mathsf{KDF}}^{\mathsf{PRF}}+2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}+{\displaystyle \frac{q_N^2}{2^{\lambda +1}}}+\mathsf{negl}\left(\lambda \right).$$

(27)

Proof. 

We construct six games.

${\mathbf{B}}_0$(Bidding Round 0: Real Market—Key-Secrecy Distinguishing Bid).

The seller generates keys and runs the protocol honestly, offering the session-key secrecy good $g_{\mathsf{sk}}$. The buyer places a key-distinguishing bid: after the protocol completes, the seller flips $b\stackrel{\$}{\leftarrow }\{0,1\}$ and presents the buyer with either the real session key $K_{\mathsf{sess}}$ (if $b=0$) or a uniformly random $K^{\prime }\stackrel{\$}{\leftarrow }{\{0,1\}}^{\lambda }$ (if $b=1$). The buyer bids on guessing b by outputting $b^{\prime }$. The market ask price is ${\mathsf{Ask}}_0=|Pr\left[{\mathbf{B}}_0(b^{\prime }=b)\right]-1/2|$—the buyer’s advantage over random guessing.

${\mathbf{B}}_1$(Bidding Round 1: Nonce Freshness Bid—Preventing Replay).

The seller enforces nonce uniqueness: a nonce-reuse bid would enable session key correlation. This costs the market: $|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le q_N^2/2^{\lambda +1}.$

${\mathbf{B}}_2$(Bidding Round 2: Signature Forgery Bid on A).

A forgery on A‘s signature would inject a rogue session, compromising key secrecy without breaking the KEM. The seller blocks this via EUF-CMA. Price adjustment:

$$|Pr\left[{\mathbf{B}}_1=1\right]-Pr\left[{\mathbf{B}}_2=1\right]|\le {\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}.$$

${\mathbf{B}}_3$(Bidding Round 3: Signature Forgery Bid on B).

Symmetric to ${\mathbf{B}}_2$: a forgery on B‘s signature is blocked. Both forgery bids use independent keys (extended difference lemma applies). Price adjustment: $|Pr\left[{\mathbf{B}}_2=1\right]-Pr\left[{\mathbf{B}}_3=1\right]|\le {\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}.$

${\mathbf{B}}_4$(Bidding Round 4: KEM Ciphertext Bid—Replacing the Session Secret).

The seller now replaces the real encapsulated key K with a uniformly random $\tilde{K}$. Any buyer that distinguishes ${\mathbf{B}}_3$ from ${\mathbf{B}}_4$ is placing a KEM plaintext-recovery bid: it can distinguish a real KEM ciphertext from one encapsulating a random key, which is exactly IND-CCA2 security. Price adjustment: $|Pr\left[{\mathbf{B}}_3=1\right]-Pr\left[{\mathbf{B}}_4=1\right]|\le {\mathsf{Adv}}_{\mathsf{KEM}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}.$

${\mathbf{B}}_5$(Bidding Round 5: KDF Randomness Bid—Replacing the Derived Key).

The seller replaces $K_{\mathsf{sess}}=\mathsf{KDF}(\tilde{K},\mathsf{sid}\parallel N_A\parallel N_B)$ with a uniformly random key $K_{\mathsf{rand}}$. Any buyer distinguishing ${\mathbf{B}}_4$ from ${\mathbf{B}}_5$ is placing a PRF-distinguishing bid against the KDF—it detects that the output is a PRF evaluation rather than random, which breaks PRF security. Price adjustment: $|Pr\left[{\mathbf{B}}_4=1\right]-Pr\left[{\mathbf{B}}_5=1\right]|\le {\mathsf{Adv}}_{\mathsf{KDF}}^{\mathsf{PRF}}.$

In ${\mathbf{B}}_5$, the test key is independent of b, so $Pr\left[{\mathbf{B}}_5=1\right]=1/2$ exactly.

Total:$\mathsf{Ask}\left(g_{\mathsf{sk}}\right)=\left|Pr\left[{\mathbf{B}}_0=1\right]-1/2\right|\le {\mathsf{Adv}}_{\mathsf{KEM}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}+{\mathsf{Adv}}_{\mathsf{KDF}}^{\mathsf{PRF}}+2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}.$    □

8.4. The CNF Checking Game

Definition 23 

(CNF Checking Good $g_{\mathsf{CNF}}$). The seller offers $g_{\mathsf{CNF}}$: the guarantee that for every completed session, the session-CNF ${\phi }_i$ (Theorem 13) is satisfiable under the honest trace and unsatisfiable under any adversarial trace. The buyer wins if it produces a dishonest transcript for which ${\phi }_i$ is nonetheless satisfiable.

Theorem 9 

(CNF Checking Equilibrium).

$$\mathsf{Ask}\left(g_{\mathsf{CNF}}\right)\le {\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}+{\mathsf{Adv}}_{\mathsf{MAC}}^{\mathsf{SUF}-\mathsf{CMA}}+{\displaystyle \frac{q_N^2}{2^{\lambda +1}}}+\mathsf{negl}\left(\lambda \right).$$

(28)

Proof. 

We construct four games.

${\mathbf{B}}_0$(Bidding Round 0: Real Market—CNF Audit Evasion Bid).

$\mathcal{A}$ interacts with the protocol and produces a transcript ${\mathsf{trans}}^{*}$ that is dishonest (i.e., contains at least one adversarially modified message). $\mathcal{A}$ wins if the CNF verification algorithm (Algorithm 1) outputs $\mathsf{Accept}$ on ${\mathsf{trans}}^{*}$.

${\mathbf{B}}_1$(Bidding Round 1: Freshness Audit Bid—Nonce Reuse and SID Mismatch).

Abort if $\mathcal{A}$’s transcript reuses a nonce from an honest session or carries a mismatched SID while still passing the SID clauses. Let $F_{\mathsf{fresh}}$ be this event:

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le Pr\left[F_{\mathsf{fresh}}\right]\le {\displaystyle \frac{q_N^2}{2^{\lambda +1}}}.$$

(29)

${\mathbf{B}}_2$(Bidding Round 2: Signature Forgery Bid—Bypassing the Signature Clause).

For ${\phi }_i^{\mathsf{sig}}$ to be satisfied under a dishonest trace, $\mathcal{A}$ must produce a valid signature under an honest party’s key on adversarially chosen data (or a modified message). Flag this as $F_{\mathsf{sig}-\mathsf{forge}}$:

$$|Pr\left[{\mathbf{B}}_1=1\right]-Pr\left[{\mathbf{B}}_2=1\right]|\le Pr\left[F_{\mathsf{sig}-\mathsf{forge}}\right]\le {\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}.$$

(30)

${\mathbf{B}}_3$(Bidding Round 3: MAC Forgery Bid—Bypassing the MAC Clause).

For ${\phi }_i^{\mathsf{mac}}$ to be satisfied dishonestly, $\mathcal{A}$ must produce a valid MAC tag on a message not authenticated by an honest party. Flag as $F_{\mathsf{mac}-\mathsf{forge}}$:

$$|Pr\left[{\mathbf{B}}_2=1\right]-Pr\left[{\mathbf{B}}_3=1\right]|\le Pr\left[F_{\mathsf{mac}-\mathsf{forge}}\right]\le {\mathsf{Adv}}_{\mathsf{MAC}}^{\mathsf{SUF}-\mathsf{CMA}}.$$

(31)

In ${\mathbf{B}}_3$, conditioned on no freshness violation, no signature forgery, and no MAC forgery, the only transcripts that satisfy ${\phi }_i$ are honest ones. So $Pr\left[{\mathbf{B}}_3=1\right]=0$.

Total:$\mathsf{Ask}\left(g_{\mathsf{CNF}}\right)\le {\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{MAC}}^{\mathsf{SUF}}+q_N^2/2^{\lambda +1}$.    □

9. Case Study I: Primitives

9.1. ECDSA: Security via Bidding

9.1.0.17. Setup.

Seller offers $g_{\mathsf{EUF}-\mathsf{CMA}}$ for ECDSA over curve $E\left({\mathbb{F}}_p\right)$ of order q. Buyer makes $q_S$ signing queries, $q_H$ hash queries, then attempts forgery $(m^{*},{\sigma }^{*})$.

Theorem 10 

(ECDSA Market Equilibrium). $\mathsf{Ask}\left(g_{\mathsf{EUF}-\mathsf{CMA}}\right)\le q_S^2/\left(2q\right)+q_H^2/\left(2q\right)+q_H·q_S·{\mathsf{Adv}}^{\mathsf{ECDLP}}+\mathsf{negl}\left(\lambda \right).$

Proof. 

We construct five games. Each hop represents a specific bid by the adversary for a particular weakness, and we apply the (extended) difference lemma to bound the bid’s payoff.

${\mathbf{B}}_0$(Bidding Round 0: Real ECDSA Market).

The seller generates $(\mathsf{sk},\mathsf{pk})\leftarrow \mathsf{ECDSA}.\mathsf{KeyGen}\left(1^{\lambda }\right)$ and offers the EUF-CMA good $g_{\mathsf{EUF}-\mathsf{CMA}}$ at ask price ${\mathsf{Ask}}_0$. The buyer (adversary) interacts adaptively with the signing oracle (placing signing bids—up to $q_S$ queries) and the random oracle H (placing hash queries—up to $q_H$ queries), then outputs a forgery bid: a new message-signature pair $(m^{*},(r^{*},s^{*}))$ never queried to the signing oracle. If the forgery verifies, the buyer wins and the market collapses.

${\mathbf{B}}_1$(Bidding Round 1: Nonce Freshness Bid).

The seller adds an internal nonce-collision check: abort if any two signing nonces $k_i=k_j$ for $i\ne j$ among the $q_S$ signing queries. This models the seller refusing to process a nonce-reuse bid—if two nonces collide, an attacker can compute $\mathsf{sk}=(s_2{e}_1-s_1{e}_2){\left(r(s_1-s_2)\right)}^{-1}modq$ directly, instantly collapsing the market. The bad event $F_{\mathsf{nonce}}$: “any two of the $q_S$ nonces collide among samples from ${\mathbb{Z}}_q$”.

Difference lemma. Let $F_{\mathsf{nonce}}$: “$\exists i\ne j:k_i=k_j$” among $q_S$ samples from ${\mathbb{Z}}_q$. Bidding rounds ${\mathbf{B}}_0$ and ${\mathbf{B}}_1$ are identical-until-$F_{\mathsf{nonce}}$. By birthday bound:

$$\Delta {\mathsf{Price}}_0\le Pr\left[F_{\mathsf{nonce}}\right]\le {\displaystyle \frac{q_S^2}{2q}}.$$

(32)

Market interpretation: The nonce-freshness bid fails because nonces are sampled from a space of size $q\approx 2^{256}$; the birthday collision requires $q_S\approx 2^{128}$ signing queries—computationally infeasible. The bid’s market value is negligible.

${\mathbf{B}}_2$(Bidding Round 2: Hash Collision Bid).

The seller adds a hash-collision check: abort if any two distinct inputs to H produce the same output among the $q_H$ oracle queries. A buyer placing a hash-collision bid exploits this to conflate two messages under the same hash value, potentially enabling a signature forgery. The bad event $F_{\mathsf{hash}}$: “any two of the $q_H$ hash queries collide”. By birthday paradox over the $2^n$-bit output space of H:

Difference lemma.$F_{\mathsf{hash}}$: “$\exists i\ne j:H\left(m_i\right)=H\left(m_j\right)$”. Birthday bound: $\Delta {\mathsf{Price}}_1\le q_H^2/\left(2q\right).$

${\mathbf{B}}_3$(Bidding Round 3: Oracle Programming—Costless Market Restructuring).

The seller secretly restructures the market by programming the random oracle: for each signing query $m_i$, the hash output is set to $H\left(m_i\right)={\alpha }_i·G+{\beta }_i·\mathsf{pk}$ for fresh random ${\alpha }_i,{\beta }_i$. This embeds an ECDLP challenge into the oracle. Since H is a random oracle (outputs are uniformly distributed regardless of how they are chosen), this restructuring is informationally invisible to the buyer—it cannot detect the change. The price adjustment is $\Delta {\mathsf{Price}}_2=0$: this is a costless market restructuring.

$\Delta {\mathsf{Price}}_2=0$ (information-theoretic; the distribution of oracle outputs is unchanged).

${\mathbf{B}}_4$(Bidding Round 4: Forgery-to-ECDLP Extraction Bid).

If the buyer places a successful forgery bid in ${\mathbf{B}}_3$ (outputs valid $(m^{*},(r^{*},s^{*}))$), the seller converts the forgery into an ECDLP solution: apply the general forking lemma [14] to rewind the buyer with a different random oracle coin at the same fork point, obtaining a second forgery $(m^{*},r^{*},s^{**})$ with $s^{**}\ne s^{*}$ (the same nonce but different hash). From both forgeries, extract: $\mathsf{sk}=(s^{**}{H}^{\prime }\left(m^{*}\right)-s^{*}H\left(m^{*}\right)){\left(r(s^{*}-s^{**})\right)}^{-1}modq$. A successful forgery bid solves ECDLP—which collapses the ECDLP market, assumed to be in equilibrium.

Extended difference lemma with multiple failures. The extraction step can fail due to simultaneous events:

• $F_{\mathsf{fork}}$: forking fails (the rewound execution does not produce a second valid forgery). By the forking lemma: $Pr\left[F_{\mathsf{fork}}\right]\le 1-{\mathsf{acc}}^2/q_H+1/q$ where $\mathsf{acc}$ is the original success probability.
• $F_{\mathsf{extract}}$: $s^{*}=s^{**}$ (extraction yields $0/0$). $Pr\left[F_{\mathsf{extract}}\right]\le 1/q$.

By Lemma 2: $\Delta {\mathsf{Price}}_3\le Pr\left[F_{\mathsf{fork}}\cup F_{\mathsf{extract}}\right]\le Pr\left[F_{\mathsf{fork}}\right]+Pr\left[F_{\mathsf{extract}}\right].$

A successful extraction solves ECDLP, so the residual advantage is bounded by ${\mathsf{Adv}}^{\mathsf{ECDLP}}\left(\lambda \right)$.

Total market cost:

$$\mathsf{Ask}\le \underset{\mathrm{nonce}\mathrm{bid}}{\underbrace{{\displaystyle \frac{q_S^2}{2q}}}}+\underset{\mathrm{hash}\mathrm{bid}}{\underbrace{{\displaystyle \frac{q_H^2}{2q}}}}+\underset{\mathrm{programming}}{\underbrace{0}}+\underset{\mathrm{forgery}\mathrm{bid}}{\underbrace{q_H{q}_S·{\mathsf{Adv}}^{\mathsf{ECDLP}}}}+\mathsf{negl}\left(\lambda \right).$$

(33)

For standard parameters ($q_S,q_H\le 2^{64}$, $q\approx 2^{256}$), each term is negligible. The market is in equilibrium.

${\mathbf{B}}_{\mathsf{sca}}$(Side-Channel Bid: Comprehensive Physical Leakage Attack.)

SCA extended difference lemma.$F_{\mathsf{sca}}=F_{\mathsf{SPA}}\cup F_{\mathsf{DPA}}\cup F_{\mathsf{timing}}\cup F_{\mathsf{cache}}\cup F_{\mathsf{EMA}}\cup F_{\mathsf{fault}}\cup F_{\mathsf{cold}}\cup F_{\mathsf{acoustic}}\cup F_{\mathsf{photonic}}$: “${\mathcal{A}}_{\mathsf{phys}}$ recovers $\ge 1$ secret bit via any physical channel from $\le q_{\mathsf{phys}}$ measurements.” By Lemma 2, the side-channel event is independent of the mathematical failure events $F_{\mathsf{nonce}},F_{\mathsf{hash}},\dots$ in the preceding rounds, so their joint probability satisfies $Pr\left[{\bigcup }_k{F}_k\cup F_{\mathsf{sca}}\right]\le {\sum }_{k}Pr\left[F_k\right]+{\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}(\lambda ,d)$. With the comprehensive countermeasure suite, ${\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}=\mathsf{negl}\left(\lambda \right)$, preserving market equilibrium.

${\mathbf{B}}_{\mathsf{tight}}$(Tight Security Reduction—Additional Proof.)

Total Session Bound and Key Rotation Recommendation.

Session pinging and CNF checking within the proof. The above five-bidding-round proof establishes security for a single signing session. To extend to unbounded sessions, we verify that the session-pinging mechanism (Theorem 15) is satisfied within the proof structure itself. Concretely, consider two consecutive signing sessions ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$, each producing a signature $(m_i,(r_i,s_i))$ and $(m_{i+1},(r_{i+1},s_{i+1}))$ respectively.

SID freshness: Each session has a distinct session identifier (the message-nonce pair $(m,k)$ serves as an implicit SID). Since nonces are freshly sampled from ${\mathbb{Z}}_q$ in each session, ${\mathsf{sid}}_{i+1}\ne {\mathsf{sid}}_i$ with probability $\ge 1-1/q$.

Nonce disjointness: The nonce $k_{i+1}$ is sampled independently from ${\mathbb{Z}}_q$. By ${\mathbf{B}}_1$ (nonce freshness bid), $k_{i+1}\notin \{k_1,\dots ,k_i\}$ except with birthday probability $\le i/\left(2q\right)$, which is negligible for $i=\mathsf{poly}\left(\lambda \right)$.

Signature SID-binding: Each ECDSA signature $(r,s)$ is computed over $(m,k)$ where $r=x\left(kG\right)$ uniquely determines the nonce commitment. The hash $e=H\left(m\right)$ binds the message. Thus the signature is intrinsically bound to the session’s unique $(m,k)$ pair.

CNF satisfiability: The session-CNF ${\phi }_{\mathsf{ECDSA},i+1}$ is isomorphic to ${\phi }_{\mathsf{ECDSA},i}$ by variable renaming $k_i\mapsto k_{i+1}$, $m_i\mapsto m_{i+1}$. Since ${\phi }_{\mathsf{ECDSA},i}$ is satisfiable (inductive hypothesis) and all new variables are fresh, ${\phi }_{\mathsf{ECDSA},i+1}$ is satisfiable. By Theorem 3, the ECDSA market remains in equilibrium for unbounded signing sessions, with accumulated ping degradation ${\delta }_{\mathsf{ping}}\le q_S^2/\left(2q\right)=\mathsf{negl}\left(\lambda \right)$.    □

Figure 29. Real-world applications protected by ECDSA’s market equilibrium. Bitcoin transactions, HTTPS certificates, code signing, and contactless payments all depend on the hardness of ECDLP.

Figure 29. Real-world applications protected by ECDSA’s market equilibrium. Bitcoin transactions, HTTPS certificates, code signing, and contactless payments all depend on the hardness of ECDLP.

Figure 30. ECDSA bidding-round chain. Five bidding rounds from real (${\mathbf{B}}_0$) to ideal (${\mathbf{B}}_4$), with the price adjustment (bid cost) labelled on each arrow. Each hop targets a specific adversarial weakness; all bids fail under standard parameters.

Figure 30. ECDSA bidding-round chain. Five bidding rounds from real (${\mathbf{B}}_0$) to ideal (${\mathbf{B}}_4$), with the price adjustment (bid cost) labelled on each arrow. Each hop targets a specific adversarial weakness; all bids fail under standard parameters.

9.2. ML-KEM (FIPS 203): IND-CCA2 via Bidding

Theorem 11 

(ML-KEM Equilibrium). $\mathsf{Ask}\left(g_{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}\right)\le 2·{\mathsf{Adv}}^{\mathsf{MLWE}}+q_D/2^{\gamma }+\mathsf{negl}\left(\lambda \right).$

Proof. 

${\mathbf{B}}_0$ (Real IND-CCA2). Buyer gets $\mathsf{pk}$, a decapsulation oracle, and challenge $(c^{*},K_b)$ where $K_0$ is real and $K_1$ is random.

${\mathbf{B}}_1$ (Decapsulation bypass bid). Replace the decapsulation oracle with implicit rejection. Difference lemma:$F_{\mathsf{rej}}$: implicit rejection differs from real. $\Delta {\mathsf{Price}}_0\le q_D/2^{\gamma }$ where $\gamma$ is the implicit rejection parameter and $q_D$ is the number of decapsulation queries.

${\mathbf{B}}_2$ (Public-key bid—MLWE I). Replace $\mathsf{pk}=(\mathbf{A},\mathbf{t}=\mathbf{A}\mathbf{s}+\mathbf{e})$ with $(\mathbf{A},\mathbf{u})$ for uniform $\mathbf{u}$. This is a computational hop: detecting the change solves MLWE. $\Delta {\mathsf{Price}}_1\le {\mathsf{Adv}}^{\mathsf{MLWE}}\left(\lambda \right).$

${\mathbf{B}}_3$ (Ciphertext bid—MLWE II). Replace challenge ciphertext components with uniform random. $\Delta {\mathsf{Price}}_2\le {\mathsf{Adv}}^{\mathsf{MLWE}}\left(\lambda \right).$

${\mathbf{B}}_4$ (Ideal). The encapsulated key is information-theoretically hidden from the ciphertext. Buyer advantage = 0. Total: $2{\mathsf{Adv}}^{\mathsf{MLWE}}+q_D/2^{\gamma }$.

${\mathbf{B}}_{\mathsf{sca}}$(Side-Channel Bid: Comprehensive Physical Leakage Attack.)

SCA extended difference lemma.$F_{\mathsf{sca}}=F_{\mathsf{SPA}}\cup F_{\mathsf{DPA}}\cup F_{\mathsf{timing}}\cup F_{\mathsf{cache}}\cup F_{\mathsf{EMA}}\cup F_{\mathsf{fault}}\cup F_{\mathsf{cold}}\cup F_{\mathsf{acoustic}}\cup F_{\mathsf{photonic}}$: “${\mathcal{A}}_{\mathsf{phys}}$ recovers $\ge 1$ secret bit via any physical channel from $\le q_{\mathsf{phys}}$ measurements.” By Lemma 2, the side-channel event is independent of the mathematical failure events $F_{\mathsf{nonce}},F_{\mathsf{hash}},\dots$ in the preceding rounds, so their joint probability satisfies $Pr\left[{\bigcup }_k{F}_k\cup F_{\mathsf{sca}}\right]\le {\sum }_{k}Pr\left[F_k\right]+{\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}(\lambda ,d)$. With the comprehensive countermeasure suite, ${\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}=\mathsf{negl}\left(\lambda \right)$, preserving market equilibrium.

${\mathbf{B}}_{\mathsf{tight}}$(Tight Security Reduction—Additional Proof.)

Total Session Bound and Key Rotation Recommendation.

Session pinging and CNF checking within the proof. The four-bidding-round proof above secures a single encapsulation session. We now verify the session-pinging conditions (Theorem 15) hold within the proof structure for consecutive sessions ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$.

Ciphertext freshness (ping condition (e)): Each encapsulation samples fresh randomness $r_{i+1}$ to produce $c_{i+1}=\mathsf{KEM}.\mathsf{Enc}(\mathsf{pk};r_{i+1})$. Since $r_{i+1}$ is freshly sampled, $c_{i+1}$ is distinct from all prior ciphertexts with overwhelming probability. A buyer attempting a ciphertext replay bid (submitting $c_{i+1}=c_j$ for some $j\le i$) is detected by the CNF clause ${\phi }^{\mathsf{novel}}$: the ciphertext log ${\mathcal{C}}_{\mathsf{used}}$ already contains $c_j$, triggering rejection.

Implicit rejection preserves ping soundness: Even if the buyer replays $c_j$, ML-KEM’s implicit rejection mechanism returns $K^{\prime }=H(\perp \parallel c_j)$, which is independent of the original key $K_j$. This ensures that a replayed ciphertext yields no information about prior session keys, reinforcing the structural independence required by the ping.

CNF isomorphism: The session-CNF ${\phi }_{\mathsf{ML}-\mathsf{KEM},i+1}$ is obtained from ${\phi }_{\mathsf{ML}-\mathsf{KEM},i}$ by substituting $c_i\mapsto c_{i+1}$, $K_i\mapsto K_{i+1}$, and fresh randomness. Since the MLWE instances are independent across sessions, the security reduction is session-index-independent. By Theorem 3, ML-KEM is IND-CCA2 secure for unbounded encapsulation sessions with ${\delta }_{\mathsf{ping}}\le q_D/2^{\gamma }=\mathsf{negl}\left(\lambda \right)$.    □

9.3. ML-DSA (FIPS 204): EUF-CMA via Bidding

Theorem 12 

Proof. 

${\mathbf{B}}_0$: Real EUF-CMA. ${\mathbf{B}}_1$ (Hash programming bid): programme H to embed structured challenges ($\Delta =0$, syntactic). ${\mathbf{B}}_2$ (Public-key bid—MLWE): replace key matrix with MLWE challenge ($\Delta \le {\mathsf{Adv}}^{\mathsf{MLWE}}$). ${\mathbf{B}}_3$ (Forgery-to-MSIS bid): a forgery yields a short vector solving Module-SIS. Extended difference lemma: $F_1$: rejection sampling overflow; $F_2$: norm bound violation. $\Delta \mathsf{Price}\le Pr\left[F_1\cup F_2\right]+{\mathsf{Adv}}^{\mathsf{MSIS}}$. Both $Pr\left[F_1\right]$ and $Pr\left[F_2\right]$ are negligible by parameter choice.

${\mathbf{B}}_{\mathsf{sca}}$(Side-Channel Bid: Comprehensive Physical Leakage Attack.)

SCA extended difference lemma.$F_{\mathsf{sca}}=F_{\mathsf{SPA}}\cup F_{\mathsf{DPA}}\cup F_{\mathsf{timing}}\cup F_{\mathsf{cache}}\cup F_{\mathsf{EMA}}\cup F_{\mathsf{fault}}\cup F_{\mathsf{cold}}\cup F_{\mathsf{acoustic}}\cup F_{\mathsf{photonic}}$: “${\mathcal{A}}_{\mathsf{phys}}$ recovers $\ge 1$ secret bit via any physical channel from $\le q_{\mathsf{phys}}$ measurements.” By Lemma 2, the side-channel event is independent of the mathematical failure events $F_{\mathsf{nonce}},F_{\mathsf{hash}},\dots$ in the preceding rounds, so their joint probability satisfies $Pr\left[{\bigcup }_k{F}_k\cup F_{\mathsf{sca}}\right]\le {\sum }_{k}Pr\left[F_k\right]+{\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}(\lambda ,d)$. With the comprehensive countermeasure suite, ${\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}=\mathsf{negl}\left(\lambda \right)$, preserving market equilibrium.

${\mathbf{B}}_{\mathsf{tight}}$(Tight Security Reduction—Additional Proof.)

Total Session Bound and Key Rotation Recommendation.

Session pinging and CNF checking within the proof. The three-bidding-round proof secures a single signing session. We verify the session-pinging conditions for consecutive sessions ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$, each producing $(m_i,{\sigma }_i)$ and $(m_{i+1},{\sigma }_{i+1})$.

Nonce disjointness: ML-DSA uses a commitment vector ${\mathbf{y}}_{i+1}$ sampled from a discrete Gaussian distribution with fresh randomness in each session. The probability that the same commitment vector is reused across sessions is bounded by the Gaussian smoothing parameter: $Pr\left[{\mathbf{y}}_{i+1}={\mathbf{y}}_j\right]\le 2^{-256}$ for any $j\le i$.

Rejection sampling and session independence: ML-DSA’s rejection sampling ensures that each signature ${\sigma }_{i+1}$ is statistically close to a session-independent distribution. Specifically, the distribution of $(m_{i+1},{\sigma }_{i+1})$ conditioned on the secret key is within statistical distance ${\Delta }_{\mathsf{DGS}}\le 2^{-128}$ of the ideal distribution. This ensures that observing signatures from sessions ${\mathsf{Session}}_1,\dots ,{\mathsf{Session}}_i$ provides negligible information useful for forging in ${\mathsf{Session}}_{i+1}$.

CNF clause ${\phi }^{\mathsf{novel}}$ enforces ping: The novelty clause $m_{i+1}\notin {\mathcal{Q}}^{\mathsf{sign}}$ checks that the forgery message was not previously signed. Across sessions, this clause extends naturally: $m_{i+1}$ must not appear in any previous session’s signing queries. The session-CNF ${\phi }_{\mathsf{ML}-\mathsf{DSA},i+1}$ is isomorphic to ${\phi }_{\mathsf{ML}-\mathsf{DSA},i}$ with fresh MSIS/MLWE instances. By Theorem 3, ML-DSA is EUF-CMA secure for unbounded signing sessions with ${\delta }_{\mathsf{ping}}\le {\mathsf{Adv}}^{\mathsf{MSIS}}+{\mathsf{Adv}}^{\mathsf{MLWE}}=\mathsf{negl}\left(\lambda \right)$.    □

Scheme.

Sign: $\sigma =m^{d}modN$. Verify: check $m={\sigma }^{e}modN$. No hash, no padding.

Theorem 13 

(Textbook RSA Market Collapse). $\mathsf{Ask}\left(g_{\mathsf{EUF}-\mathsf{CMA}}\right)=1.$

Proof. 

The buyer achieves advantage 1 with budget $O\left(1\right)$:

Existential forgery (free message bid). Choose arbitrary $\sigma \stackrel{\$}{\leftarrow }{\mathbb{Z}}_N^{*}$. Compute $m^{*}={\sigma }^{e}modN$. Then $(m^{*},\sigma )$ is valid. Cost: one modular exponentiation. The buyer “purchases” a forgery for free.

Chosen-message forgery (homomorphism bid). For target $m^{*}$, factor $m^{*}=m_1·m_{2}modN$. Request signatures ${\sigma }_1=m_1^d$, ${\sigma }_2=m_2^d$. Compute ${\sigma }^{*}={\sigma }_1·{\sigma }_2={\left(m_1{m}_2\right)}^d={\left(m^{*}\right)}^d$. Cost: two signing queries + one multiplication.

Difference lemma (degenerate case).${\mathbf{B}}_0$ (real) and ${\mathbf{B}}_1$ (ideal) differ on every execution: the failure event $F_{\mathsf{homo}}$: “RSA is multiplicatively homomorphic” has $Pr\left[F_{\mathsf{homo}}\right]=1$. Hence $\Delta \mathsf{Price}=1$, and the market has collapsed.

Table 3. Primitives: security vs. insecurity in MTSF.

Primitive	Good	Ask Price	Market Status	Key Bid That Decides
ECDSA	EUF-CMA	$\mathsf{negl}$	Equilibrium	Forgery bid → ECDLP
ML-KEM	IND-CCA2	$\mathsf{negl}$	Equilibrium	PK/CT bids → MLWE
ML-DSA	EUF-CMA	$\mathsf{negl}$	Equilibrium	Forgery bid → MSIS
Textbook RSA Sig	EUF-CMA	1	Collapsed	Homomorphism bid: free

Table 3. Primitives: security vs. insecurity in MTSF.

Primitive	Good	Ask Price	Market Status	Key Bid That Decides
ECDSA	EUF-CMA	$\mathsf{negl}$	Equilibrium	Forgery bid → ECDLP
ML-KEM	IND-CCA2	$\mathsf{negl}$	Equilibrium	PK/CT bids → MLWE
ML-DSA	EUF-CMA	$\mathsf{negl}$	Equilibrium	Forgery bid → MSIS
Textbook RSA Sig	EUF-CMA	1	Collapsed	Homomorphism bid: free

9.4. Extended Primitives

9.5. HMAC: SUF-CMA via Bidding

Setup.

${\mathsf{HMAC}}_K\left(m\right)=H\left((K\oplus \mathsf{opad})\parallel H\left(\right(K\oplus \mathsf{ipad})\parallel m)\right)$ where H is a Merkle–Damgård hash function, K is the key, and $\mathsf{ipad},\mathsf{opad}$ are fixed padding constants [19]. The seller offers $g_{\mathsf{SUF}-\mathsf{CMA}}$: the buyer has a tagging oracle ${\mathsf{HMAC}}_K(·)$ and must produce a new valid pair $(m^{*},{\tau }^{*})$ not previously returned by the oracle.

Theorem 14 

(HMAC Market Equilibrium). If the compression function h of H is a PRF when keyed via its chaining-value input, then:

$$\mathsf{Ask}\left(g_{\mathsf{SUF}-\mathsf{CMA}}\right)\le 2·{\mathsf{Adv}}_h^{\mathsf{PRF}}+{\displaystyle \frac{q_T^2}{2^{n+1}}}+\mathsf{negl}\left(\lambda \right),$$

(36)

where $q_T$ is the number of tagging queries and n is the output length of H.

Proof. 

We construct five games.

${\mathbf{B}}_0$(Bidding Round 0: Real HMAC Market—SUF-CMA Bid).

The seller generates $K\stackrel{\$}{\leftarrow }{\{0,1\}}^n$ and offers the SUF-CMA good $g_{\mathsf{SUF}-\mathsf{CMA}}$ for HMAC. The buyer places tagging bids: up to $q_T$ adaptive queries to ${\mathsf{HMAC}}_K(·)$, observing all tag responses. It then places the forgery bid: a new message-tag pair $(m^{*},{\tau }^{*})$ not previously queried, satisfying ${\mathsf{HMAC}}_K\left(m^{*}\right)={\tau }^{*}$. If it succeeds, the authentication market collapses.

${\mathbf{B}}_1$(Bidding Round 1: Inner PRF Replacement Bid).

The seller restructures the inner layer of HMAC: replace the keyed inner hash $H\left(\right(K\oplus \mathsf{ipad})\parallel m)$ with a truly random function $R_{\mathsf{in}}\left(m\right)$. Any buyer that distinguishes bidding round ${\mathbf{B}}_0$ from ${\mathbf{B}}_1$ is placing a PRF-distinguishing bid: it detects that the inner computation changed from a keyed compression function to a random function. Winning this bid is exactly breaking the PRF security of h keyed by the chaining value $K\oplus \mathsf{ipad}$. The seller constructs a PRF challenger $\mathcal{D}$ that simulates both bidding rounds using its oracle.

Difference bound. Let $F_{\mathsf{in}}$: “the buyer distinguishes the inner keyed hash from random.” We construct a PRF distinguisher $\mathcal{D}$ that simulates ${\mathbf{B}}_0$ vs ${\mathbf{B}}_1$ using its oracle: $\mathcal{D}$ replaces each evaluation of the inner hash chain with a query to its PRF/random oracle. If $\mathcal{A}$ behaves differently, $\mathcal{D}$ outputs 1:

$$|Pr\left[{\mathbf{B}}_0\left(\mathcal{A}\right)=1\right]-Pr\left[{\mathbf{B}}_1\left(\mathcal{A}\right)=1\right]|\le Pr\left[F_{\mathsf{in}}\right]\le {\mathsf{Adv}}_h^{\mathsf{PRF}}.$$

(37)

${\mathbf{B}}_2$(Bidding Round 2: Outer PRF Replacement Bid).

The seller restructures the outer layer: replace $H\left(\right(K\oplus \mathsf{opad})\parallel y)$ (where $y=R_{\mathsf{in}}\left(m\right)$) with a truly random function $R_{\mathsf{out}}\left(y\right)$. Same argument as ${\mathbf{B}}_1$—any distinguishing buyer is placing an outer PRF bid, breaking PRF security of h keyed by $K\oplus \mathsf{opad}$. Price adjustment (outer PRF bid cost):

$$|Pr\left[{\mathbf{B}}_1\left(\mathcal{A}\right)=1\right]-Pr\left[{\mathbf{B}}_2\left(\mathcal{A}\right)=1\right]|\le {\mathsf{Adv}}_h^{\mathsf{PRF}}.$$

(38)

${\mathbf{B}}_3$(Bidding Round 3: Inner Collision Bid).

In ${\mathbf{B}}_2$, HMAC is $R_{\mathsf{out}}\left(R_{\mathsf{in}}\left(m\right)\right)$. The seller adds a collision audit: abort if any two distinct queries collide under $R_{\mathsf{in}}$. A buyer placing an inner-collision bid exploits this to forge a tag by matching a queried inner value: if $R_{\mathsf{in}}\left(m^{*}\right)=R_{\mathsf{in}}\left(m_i\right)$ for some queried $m_i$, then ${\tau }^{*}={\tau }_i$ is a valid tag on $m^{*}$. Bad event $F_{\mathsf{coll}}$: “any inner collision among $q_T$ queries”. By birthday paradox over the $2^n$-bit inner output space:

Difference bound. Since $R_{\mathsf{in}}$ is a random function with n-bit output:

$$|Pr\left[{\mathbf{B}}_2\left(\mathcal{A}\right)=1\right]-Pr\left[{\mathbf{B}}_3\left(\mathcal{A}\right)=1\right]|\le Pr\left[F_{\mathsf{coll}}\right]\le {\displaystyle \frac{q_T^2}{2^{n+1}}}.$$

(39)

${\mathbf{B}}_4$(Bidding Round 4: Ideal HMAC Market—All Bids Exhausted).

In ${\mathbf{B}}_3$, with no inner collision ($\neg F_{\mathsf{coll}}$), $R_{\mathsf{in}}$ is injective on the queried set. The composed function $R_{\mathsf{out}}\circ R_{\mathsf{in}}$ is a random function on distinct inputs. Any forgery bid $(m^{*},{\tau }^{*})$ with $m^{*}\notin \{m_1,\dots ,m_{q_T}\}$ requires guessing $R_{\mathsf{out}}\left(R_{\mathsf{in}}\left(m^{*}\right)\right)$—a value uniformly random in ${\{0,1\}}^n$, independent of all oracle responses. The forgery bid succeeds with probability at most $2^{-n}$. Market equilibrium for $g_{\mathsf{SUF}-\mathsf{CMA}}$ (HMAC) is established: $Pr\left[{\mathbf{B}}_4=1\right]\le 2^{-n}$.

For SUF-CMA with $m^{*}=m_i$ but ${\tau }^{*}\ne {\tau }_i$: since $R_{\mathsf{out}}$ is a function (deterministic), $R_{\mathsf{out}}\left(R_{\mathsf{in}}\left(m_i\right)\right)$ is unique, so no second valid tag exists. Hence $Pr\left[{\mathbf{B}}_4=1\right]=0$ for this case.

Total:

$$\mathsf{Ask}\left(g_{\mathsf{SUF}-\mathsf{CMA}}\right)\le 2·{\mathsf{Adv}}_h^{\mathsf{PRF}}+{\displaystyle \frac{q_T^2}{2^{n+1}}}+2^{-n}.$$

(40)

${\mathbf{B}}_{\mathsf{sca}}$(Side-Channel Bid: Comprehensive Physical Leakage Attack.)

SCA extended difference lemma.$F_{\mathsf{sca}}=F_{\mathsf{SPA}}\cup F_{\mathsf{DPA}}\cup F_{\mathsf{timing}}\cup F_{\mathsf{cache}}\cup F_{\mathsf{EMA}}\cup F_{\mathsf{fault}}\cup F_{\mathsf{cold}}\cup F_{\mathsf{acoustic}}\cup F_{\mathsf{photonic}}$: “${\mathcal{A}}_{\mathsf{phys}}$ recovers $\ge 1$ secret bit via any physical channel from $\le q_{\mathsf{phys}}$ measurements.” By Lemma 2, the side-channel event is independent of the mathematical failure events $F_{\mathsf{nonce}},F_{\mathsf{hash}},\dots$ in the preceding rounds, so their joint probability satisfies $Pr\left[{\bigcup }_k{F}_k\cup F_{\mathsf{sca}}\right]\le {\sum }_{k}Pr\left[F_k\right]+{\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}(\lambda ,d)$. With the comprehensive countermeasure suite, ${\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}=\mathsf{negl}\left(\lambda \right)$, preserving market equilibrium.

${\mathbf{B}}_{\mathsf{tight}}$(Tight Security Reduction—Additional Proof.)

Total Session Bound and Key Rotation Recommendation.

Session pinging and CNF checking within the proof. The five-bidding-round proof secures a single HMAC tagging session. For unbounded sessions, consider consecutive tagging sessions ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$ producing $(m_i,{\tau }_i)$ and $(m_{i+1},{\tau }_{i+1})$ under the same key K.

Tag freshness as implicit SID: HMAC is a stateless primitive (no explicit SID), but the message-tag pair $(m,\tau )$ serves as an implicit session identifier. The CNF clause ${\phi }^{\mathsf{novel}}$ enforces $m_{i+1}\notin \{m_1,\dots ,m_i\}$ for SUF-CMA security. This is the ping condition: each session must produce a forgery on a new message.

Cross-session tag independence: In ${\mathbf{B}}_4$ (ideal market), ${\mathsf{HMAC}}_K$ is a random function. The tag ${\tau }_{i+1}=R_{\mathsf{out}}\left(R_{\mathsf{in}}\left(m_{i+1}\right)\right)$ is independent of all previous tags ${\tau }_1,\dots ,{\tau }_i$ whenever $m_{i+1}$ is fresh (no inner collision with any $m_j$). The inner collision probability across i sessions is $\le i·q_T/2^{n+1}$, which is negligible for $i=\mathsf{poly}\left(\lambda \right)$ and $n=256$.

CNF isomorphism: The session-CNF ${\phi }_{\mathsf{HMAC},i+1}$ is isomorphic to ${\phi }_{\mathsf{HMAC},i}$ with fresh message substitution. By Theorem 3, HMAC is SUF-CMA secure for unbounded tagging sessions with ${\delta }_{\mathsf{ping}}\le 2^{-n}=\mathsf{negl}\left(\lambda \right)$.

${\mathbf{B}}_{\mathsf{sca}}$(Side-Channel Bid: Comprehensive Physical Leakage Attack.)

SCA extended difference lemma.$F_{\mathsf{sca}}=F_{\mathsf{SPA}}\cup F_{\mathsf{DPA}}\cup F_{\mathsf{timing}}\cup F_{\mathsf{cache}}\cup F_{\mathsf{EMA}}\cup F_{\mathsf{fault}}\cup F_{\mathsf{cold}}\cup F_{\mathsf{acoustic}}\cup F_{\mathsf{photonic}}$: “${\mathcal{A}}_{\mathsf{phys}}$ recovers $\ge 1$ secret bit via any physical channel from $\le q_{\mathsf{phys}}$ measurements.” By Lemma 2, the side-channel event is independent of the mathematical failure events $F_{\mathsf{nonce}},F_{\mathsf{hash}},\dots$ in the preceding rounds, so their joint probability satisfies $Pr\left[{\bigcup }_k{F}_k\cup F_{\mathsf{sca}}\right]\le {\sum }_{k}Pr\left[F_k\right]+{\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}(\lambda ,d)$. With the comprehensive countermeasure suite, ${\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}=\mathsf{negl}\left(\lambda \right)$, preserving market equilibrium.

Total Session Bound and Key Rotation Recommendation.

Session pinging and CNF checking within the proof. For consecutive AEAD sessions ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$, the ping check verifies nonce freshness: $N_{i+1}\notin {\mathcal{N}}_{\mathsf{used}}$. Nonce reuse under the same key is catastrophic for all AEAD schemes: in AES-GCM, reusing a nonce leaks the GHASH key $H={\mathsf{AES}}_K\left(0^{128}\right)$, enabling universal forgery; in ChaCha20-Poly1305, it leaks the one-time Poly1305 key. The CNF clause ${\phi }^{\mathsf{nonce}}$ detects nonce reuse via the nonce log ${\mathcal{N}}_{\mathsf{used}}$.

Nonce-misuse resistance and ping: Some AEAD schemes (e.g., AES-GCM-SIV) provide nonce-misuse resistance: nonce reuse degrades confidentiality but not integrity. In such schemes, the ping check is still valuable because it ensures that each session provides fresh ciphertexts and prevents the buyer from correlating sessions.

Accumulated advantage: The nonce space for AES-GCM is $\left|\mathcal{N}\right|=2^{96}$. After N sessions with one nonce each, the birthday collision probability is $N^2/2^{97}$. For $N\le 2^{48}$, this is $\le 2^{-1}$—still safe but approaching the limit. Key rotation before $N=2^{48}$ maintains full equilibrium. The session-CNF ${\phi }_{\mathsf{AEAD},i+1}$ is isomorphic to ${\phi }_{\mathsf{AEAD},i}$ with fresh nonce and key material; by Theorem 3, AEAD is secure for unbounded sessions.    □

Figure 31. HMAC structure: two nested keyed hash evaluations. The inner hash mixes $K\oplus \mathsf{ipad}$ with the message; the outer hash mixes $K\oplus \mathsf{opad}$ with the inner hash output. Security relies on each keyed hash being a PRF.

Figure 31. HMAC structure: two nested keyed hash evaluations. The inner hash mixes $K\oplus \mathsf{ipad}$ with the message; the outer hash mixes $K\oplus \mathsf{opad}$ with the inner hash output. Security relies on each keyed hash being a PRF.

9.6. AEAD: IND-CCA2 + INT-CTXT via Bidding

Setup.

An Authenticated Encryption with Associated Data scheme $\mathsf{AE}=(\mathsf{Enc},\mathsf{Dec})$ provides both confidentiality (IND-CPA/CCA) and integrity (INT-CTXT). The seller offers two goods simultaneously: $g_{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}$ and $g_{\mathsf{INT}-\mathsf{CTXT}}$. We consider a generic Encrypt-then-MAC construction: $\mathsf{Enc}(K_e,K_m,N,A,m)=(c,\tau )$ where $c=E_{K_e}(N,m)$ and $\tau ={\mathsf{MAC}}_{K_m}(A\parallel N\parallel c)$.

Theorem 15 

(AEAD Market Equilibrium). For an Encrypt-then-MAC AEAD scheme:

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}\right)& \le {\mathsf{Adv}}_E^{\mathsf{IND}-\mathsf{CPA}}+{\mathsf{Adv}}_{\mathsf{MAC}}^{\mathsf{SUF}-\mathsf{CMA}}+\mathsf{negl}\left(\lambda \right),\hfill \end{array}$$

(41)

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{INT}-\mathsf{CTXT}}\right)& \le {\mathsf{Adv}}_{\mathsf{MAC}}^{\mathsf{SUF}-\mathsf{CMA}}+\mathsf{negl}\left(\lambda \right).\hfill \end{array}$$

(42)

Proof. Part 1: INT-CTXT. We prove the integrity bound first.

${\mathbf{B}}_0$(Bidding Round 0: Real AEAD Market—Ciphertext Injection Bid).

Buyer has encryption oracle $\mathsf{Enc}(K_e,K_m,·,·,·)$; wins by producing $(N^{*},A^{*},c^{*},{\tau }^{*})$ that decrypts successfully but was never an oracle output.

${\mathbf{B}}_1$(Bidding Round 1: MAC Forgery Bid—Bypassing Integrity Check).

Note that successful decryption requires $\mathsf{MAC}.\mathsf{Vrfy}(K_m,A^{*}\parallel N^{*}\parallel c^{*},{\tau }^{*})=1$. If $(A^{*}\parallel N^{*}\parallel c^{*},{\tau }^{*})$ is new (not from the oracle), this constitutes a MAC forgery.

Difference bound. We build a SUF-CMA adversary $\mathcal{B}$: $\mathcal{B}$ simulates the AEAD encryption oracle by encrypting with $K_e$ (which $\mathcal{B}$ chooses itself) and using its MAC oracle for tagging. When $\mathcal{A}$ outputs a successful INT-CTXT forgery, $\mathcal{B}$ outputs the corresponding MAC forgery. Hence:

$$\mathsf{Ask}\left(g_{\mathsf{INT}-\mathsf{CTXT}}\right)=Pr\left[{\mathbf{B}}_0\left(\mathcal{A}\right)=1\right]\le {\mathsf{Adv}}_{\mathsf{MAC}}^{\mathsf{SUF}-\mathsf{CMA}}.$$

(43)

Part 2: IND-CCA2. We prove confidentiality.

${\mathbf{B}}_0$(Bidding Round 0: Real AEAD Market—Plaintext Distinguishing Bid).

Buyer submits $(m_0,m_1,N^{*},A^{*})$; receives $\mathsf{Enc}(K_e,K_m,N^{*},A^{*},m_b)$ for random b; has encryption and decryption oracles (except on the challenge).

${\mathbf{B}}_1$(Bidding Round 1: Oracle Restriction Bid—Blocking Chosen-Ciphertext Queries).

Replace decryption oracle: reject all queries $(N,A,c,\tau )$ where $\tau$ does not verify, and also reject the challenge ciphertext. For non-challenge ciphertexts with valid $\tau$ that were not produced by the encryption oracle, this is a MAC forgery.

Extended difference lemma. Let $F_{\mathsf{mac}}$: “buyer submits a valid $(c,\tau )$ not from the oracle.” $F_{\mathsf{trivial}}$: “buyer submits the challenge ciphertext to decryption.” By game rules, $Pr\left[F_{\mathsf{trivial}}\right]=0$. So:

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le Pr\left[F_{\mathsf{mac}}\right]\le {\mathsf{Adv}}_{\mathsf{MAC}}^{\mathsf{SUF}-\mathsf{CMA}}.$$

(44)

${\mathbf{B}}_2$(Bidding Round 2: IND-CPA Reduction Bid—Eliminating Decryption Power).

In ${\mathbf{B}}_1$, the decryption oracle only decrypts ciphertexts the encryption oracle produced, so the buyer gains no new information from decryption queries. The game reduces to IND-CPA:

$$|Pr\left[{\mathbf{B}}_1=1\right]-1/2|\le {\mathsf{Adv}}_E^{\mathsf{IND}-\mathsf{CPA}}.$$

(45)

Total:$\mathsf{Ask}\left(g_{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}\right)\le {\mathsf{Adv}}_E^{\mathsf{IND}-\mathsf{CPA}}+{\mathsf{Adv}}_{\mathsf{MAC}}^{\mathsf{SUF}-\mathsf{CMA}}$.

□

Figure 32. AEAD Encrypt-then-MAC structure. The plaintext is encrypted first with key $K_e$; then the MAC key $K_m$ authenticates the associated data, nonce, and ciphertext together. The combined output provides both IND-CCA2 confidentiality and INT-CTXT integrity.

Figure 32. AEAD Encrypt-then-MAC structure. The plaintext is encrypted first with key $K_e$; then the MAC key $K_m$ authenticates the associated data, nonce, and ciphertext together. The combined output provides both IND-CCA2 confidentiality and INT-CTXT integrity.

9.7. SLH-DSA (FIPS 205): Hash-Based EUF-CMA via Bidding

Setup.

SLH-DSA is a stateless hash-based signature scheme. It uses a hypertree of XMSS trees with FORS (Forest of Random Subsets) at the leaves. Security reduces to properties of the underlying hash function: second-preimage resistance (SPR), pseudorandom function (PRF), and target-sum-preimage resistance (TSPR). The seller offers $g_{\mathsf{EUF}-\mathsf{CMA}}$.

Theorem 16 

(SLH-DSA Market Equilibrium).

$$\mathsf{Ask}\left(g_{\mathsf{EUF}-\mathsf{CMA}}\right)\le q_S·d·{\mathsf{Adv}}_H^{\mathsf{SPR}}+q_S·k·{\mathsf{Adv}}_H^{\mathsf{TSPR}}+{\mathsf{Adv}}_F^{\mathsf{PRF}}+\mathsf{negl}\left(\lambda \right),$$

(46)

where d is the hypertree depth, k is the number of FORS trees, $q_S$ is the number of signing queries, and H, F are the hash/PRF primitives.

Proof. 

We construct six games.

${\mathbf{B}}_0$(Bidding Round 0: Real SLH-DSA Market—EUF-CMA Forgery Bid).

Buyer receives public key (hypertree root), queries signing oracle $q_S$ times, outputs forgery $(m^{*},{\sigma }^{*})$.

${\mathbf{B}}_1$(Bidding Round 1: PRF Randomness Bid—Detecting Key-Dependent Randomness).

Replace the deterministic randomness generation $R=F_{\mathsf{sk}.\mathsf{prf}}(\mathsf{opt}\parallel m)$ with truly random $R\stackrel{\$}{\leftarrow }{\{0,1\}}^n$. This changes the internal randomisation of signing but not the verification. The buyer bids that F is distinguishable from random.

Difference bound. Standard PRF reduction: any distinguisher yields a PRF adversary:

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le {\mathsf{Adv}}_F^{\mathsf{PRF}}.$$

(47)

${\mathbf{B}}_2$(Bidding Round 2: FORS Target-Sum Preimage Bid).

A valid forgery requires the buyer to produce valid FORS signatures on leaves that were not revealed by prior signing queries. For each of the k FORS trees, producing a valid leaf value without oracle access requires finding a target-sum preimage.

Difference bound. We embed a TSPR challenge into one of the k FORS trees of a randomly chosen signing query. If the buyer forges successfully for that tree, it solves TSPR. By a hybrid argument over $q_S·k$ FORS tree instances:

$$|Pr\left[{\mathbf{B}}_1=1\right]-Pr\left[{\mathbf{B}}_2=1\right]|\le q_S·k·{\mathsf{Adv}}_H^{\mathsf{TSPR}}.$$

(48)

${\mathbf{B}}_3$(Bidding Round 3: WOTS+ Chain Second-Preimage Bid).

Even if the buyer has valid FORS leaves, it must authenticate them through the hypertree. Each WOTS+ chain in each of the d layers requires the buyer to produce a chain value matching the public key without inverting the hash. A forgery on any chain yields a second preimage.

Difference bound. Hybrid over $q_S·d$ WOTS+ instances:

$$|Pr\left[{\mathbf{B}}_2=1\right]-Pr\left[{\mathbf{B}}_3=1\right]|\le q_S·d·{\mathsf{Adv}}_H^{\mathsf{SPR}}.$$

(49)

${\mathbf{B}}_4$(Bidding Round 4: Merkle Tree Collision Bid—Forging Authentication Paths).

Within each XMSS tree, the buyer must produce a valid Merkle authentication path. An inconsistency yields a collision in H. This event has probability bounded by the number of internal nodes, which is subsumed by the SPR bound above.

$\Delta {\mathsf{Price}}_4=0$ (absorbed into the SPR bound).

${\mathbf{B}}_5$(Bidding Round 5: Ideal SLH-DSA Market—All Hash-Based Bids Exhausted).

With no PRF bid, no TSPR bid, and no SPR bid, valid FORS leaves, WOTS+ chains, and Merkle paths cannot be forged. $Pr\left[{\mathbf{B}}_5=1\right]=0$.

Total:

$$\mathsf{Ask}\le {\mathsf{Adv}}_F^{\mathsf{PRF}}+q_S·k·{\mathsf{Adv}}_H^{\mathsf{TSPR}}+q_S·d·{\mathsf{Adv}}_H^{\mathsf{SPR}}.$$

(50)

${\mathbf{B}}_{\mathsf{sca}}$(Side-Channel Bid: Comprehensive Physical Leakage Attack.)

SCA extended difference lemma.$F_{\mathsf{sca}}=F_{\mathsf{SPA}}\cup F_{\mathsf{DPA}}\cup F_{\mathsf{timing}}\cup F_{\mathsf{cache}}\cup F_{\mathsf{EMA}}\cup F_{\mathsf{fault}}\cup F_{\mathsf{cold}}\cup F_{\mathsf{acoustic}}\cup F_{\mathsf{photonic}}$: “${\mathcal{A}}_{\mathsf{phys}}$ recovers $\ge 1$ secret bit via any physical channel from $\le q_{\mathsf{phys}}$ measurements.” By Lemma 2, the side-channel event is independent of the mathematical failure events $F_{\mathsf{nonce}},F_{\mathsf{hash}},\dots$ in the preceding rounds, so their joint probability satisfies $Pr\left[{\bigcup }_k{F}_k\cup F_{\mathsf{sca}}\right]\le {\sum }_{k}Pr\left[F_k\right]+{\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}(\lambda ,d)$. With the comprehensive countermeasure suite, ${\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}=\mathsf{negl}\left(\lambda \right)$, preserving market equilibrium.

${\mathbf{B}}_{\mathsf{tight}}$(Tight Security Reduction—Additional Proof.)

Total Session Bound and Key Rotation Recommendation.

Session pinging and CNF checking within the proof. For consecutive signing sessions ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$, the ping check verifies PRF randomness freshness: the internal PRF randomness $R_{i+1}$ used to derive FORS indices and WOTS+ chains must be distinct from all prior sessions. SLH-DSA derives R deterministically from the message and a secret PRF key: $R=\mathsf{PRF}(\mathsf{sk}.\mathsf{prf},\mathsf{opt}\_\mathsf{rand},m)$. For distinct messages $m_{i+1}\ne m_j$, the PRF output is fresh with probability $\ge 1-{\mathsf{Adv}}_F^{\mathsf{PRF}}$. If the optional randomness $\mathsf{opt}\_\mathsf{rand}$ is used (hedged signing), freshness holds even for repeated messages. The CNF clause ${\phi }^{\mathsf{prf}}$ checks that $R_{i+1}$ does not repeat. Reuse of R would simultaneously compromise FORS leaf selection (clause ${\phi }^{\mathsf{fors}}$) and WOTS+ chain computation (clause ${\phi }^{\mathsf{wots}}$)—two simultaneous failures captured by the extended difference lemma: $Pr\left[F_{\mathsf{fors}}\cup F_{\mathsf{wots}}\right]\le {\mathsf{Adv}}_F^{\mathsf{PRF}}=\mathsf{negl}$. By Theorem 3, SLH-DSA is EUF-CMA secure for unbounded sessions.    □

9.8. FN-DSA (FIPS 206): NTRU-Lattice EUF-CMA via Bidding

Setup.

FN-DSA is a lattice-based signature scheme over NTRU lattices. Key generation produces a short basis $\mathbf{B}$ of an NTRU lattice; signing uses GPV-style discrete Gaussian sampling over the lattice coset $H\left(m\right)+\Lambda$. Security reduces to the Short Integer Solution (SIS) problem over NTRU lattices. The seller offers $g_{\mathsf{EUF}-\mathsf{CMA}}$.

Theorem 17 

(FN-DSA Market Equilibrium).

$$\mathsf{Ask}\left(g_{\mathsf{EUF}-\mathsf{CMA}}\right)\le {\mathsf{Adv}}_{\mathsf{NTRU}}^{\mathsf{SIS}}+{\Delta }_{\mathsf{DGS}}+{\displaystyle \frac{q_H^2}{2^{n+1}}}+\mathsf{negl}\left(\lambda \right),$$

(51)

where ${\mathsf{Adv}}_{\mathsf{NTRU}}^{\mathsf{SIS}}$ is the advantage against SIS over NTRU lattices, ${\Delta }_{\mathsf{DGS}}$ is the statistical distance arising from discrete Gaussian sampling, and $q_H$ is the number of hash queries.

Proof. 

We construct five games.

${\mathbf{B}}_0$(Bidding Round 0: Real FN-DSA Market—Lattice Forgery Bid).

Buyer receives public key $h=g/fmodq$ (where $(f,g)$ is the NTRU secret key pair), queries signing oracle $q_S$ times, outputs forgery $(m^{*},{\sigma }^{*})$ where ${\sigma }^{*}=(s_1^{*},s_2^{*})$ satisfying $s_1^{*}+s_2^{*}·h=H\left(m^{*}\right)modq$ and $\parallel (s_1^{*},s_2^{*})\parallel \le \beta$.

${\mathbf{B}}_1$(Bidding Round 1: Hash Collision Bid—Conflating Two Messages).

Abort on hash collision; the buyer places a collision bid on the random oracle. Identical-until-$F_{\mathsf{hash}}$:

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le {\displaystyle \frac{q_H^2}{2^{n+1}}}.$$

(52)

${\mathbf{B}}_2$(Bidding Round 2: Gaussian Sampling Statistical Bid—Detecting Key-Dependent Distribution).

Replace the fast-Fourier discrete Gaussian sampler with exact discrete Gaussian sampling. Let ${\sigma }_{\mathsf{real}}$ be the distribution produced by the fast sampler and ${\sigma }_{\mathsf{ideal}}$ the exact distribution. By the Rényi divergence analysis of the sampler:

$$|Pr\left[{\mathbf{B}}_1=1\right]-Pr\left[{\mathbf{B}}_2=1\right]|\le {\Delta }_{\mathsf{DGS}},$$

(53)

where ${\Delta }_{\mathsf{DGS}}\le 2^{-128}$ for recommended parameters.

${\mathbf{B}}_3$(Bidding Round 3: Oracle Programming—Embedding SIS Challenge).

Program the random oracle H so that for the forgery message $m^{*}$, $H\left(m^{*}\right)$ encodes an SIS challenge vector. Since H is a random oracle, this is a syntactic change: $\Delta {\mathsf{Price}}_2=0.$

${\mathbf{B}}_4$(Bidding Round 4: Forgery-to-SIS Extraction Bid—Solving the Lattice Problem).

If the buyer produces valid $(s_1^{*},s_2^{*})$ with $s_1^{*}+s_2^{*}h=c^{*}$ (the embedded challenge) and $\parallel (s_1^{*},s_2^{*})\parallel \le \beta$, then $(s_1^{*},s_2^{*})$ is a short vector in the NTRU lattice solving the SIS instance. We extract and forward:

$$Pr\left[{\mathbf{B}}_4\left(\mathcal{A}\right)=1\right]\le {\mathsf{Adv}}_{\mathsf{NTRU}}^{\mathsf{SIS}}.$$

(54)

Total:

$$\mathsf{Ask}\le {\displaystyle \frac{q_H^2}{2^{n+1}}}+{\Delta }_{\mathsf{DGS}}+{\mathsf{Adv}}_{\mathsf{NTRU}}^{\mathsf{SIS}}+\mathsf{negl}\left(\lambda \right).$$

(55)

${\mathbf{B}}_{\mathsf{sca}}$(Side-Channel Bid: Comprehensive Physical Leakage Attack.)

SCA extended difference lemma.$F_{\mathsf{sca}}=F_{\mathsf{SPA}}\cup F_{\mathsf{DPA}}\cup F_{\mathsf{timing}}\cup F_{\mathsf{cache}}\cup F_{\mathsf{EMA}}\cup F_{\mathsf{fault}}\cup F_{\mathsf{cold}}\cup F_{\mathsf{acoustic}}\cup F_{\mathsf{photonic}}$: “${\mathcal{A}}_{\mathsf{phys}}$ recovers $\ge 1$ secret bit via any physical channel from $\le q_{\mathsf{phys}}$ measurements.” By Lemma 2, the side-channel event is independent of the mathematical failure events $F_{\mathsf{nonce}},F_{\mathsf{hash}},\dots$ in the preceding rounds, so their joint probability satisfies $Pr\left[{\bigcup }_k{F}_k\cup F_{\mathsf{sca}}\right]\le {\sum }_{k}Pr\left[F_k\right]+{\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}(\lambda ,d)$. With the comprehensive countermeasure suite, ${\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}=\mathsf{negl}\left(\lambda \right)$, preserving market equilibrium.

${\mathbf{B}}_{\mathsf{tight}}$(Tight Security Reduction—Additional Proof.)

Total Session Bound and Key Rotation Recommendation.

Session pinging and CNF checking within the proof. For consecutive FN-DSA signing sessions ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$, the ping check verifies that the signature ${(s_1^{*},s_2^{*})}_{i+1}$ on message $m_{i+1}^{*}$ is structurally distinct from all prior signatures. FN-DSA’s Gaussian sampler ensures that each signature vector is drawn from a discrete Gaussian distribution centred at a message-dependent lattice point. The statistical distance between the actual distribution and the ideal round Gaussian is ${\Delta }_{\mathsf{DGS}}\le 2^{-128}$, ensuring that observing signatures across sessions ${\mathsf{Session}}_1,\dots ,{\mathsf{Session}}_i$ provides negligible information about the secret NTRU basis $(f,g)$.

Gaussian leakage accumulation and ping: The buyer’s Gaussian leakage bid attempts to accumulate statistical information from many signatures. After N sessions, the total leakage is bounded by $N·{\Delta }_{\mathsf{DGS}}\le N·2^{-128}$. For $N\le 2^{64}$, this is $\le 2^{-64}$—negligible. The ping mechanism ensures each session contributes an independently sampled signature vector; the CNF clause ${\phi }^{\mathsf{norm}}$ verifies $\parallel (s_1^{*},s_2^{*})\parallel \le \beta$ per session. By Theorem 3 with ${\delta }_{\mathsf{ping}}\le {\Delta }_{\mathsf{DGS}}+{\mathsf{Adv}}_{\mathsf{NTRU}}^{\mathsf{SIS}}=\mathsf{negl}$, FN-DSA is EUF-CMA secure for unbounded sessions.    □

Table 4. Extended primitives summary.

Primitive	Good	Ask Price	Status	Reduction Target
HMAC	SUF-CMA	$\mathsf{negl}$	Equilibrium	PRF of compression function
AEAD (EtM)	IND-CCA2 + INT-CTXT	$\mathsf{negl}$	Equilibrium	IND-CPA + SUF-CMA
SLH-DSA	EUF-CMA	$\mathsf{negl}$	Equilibrium	SPR + TSPR + PRF
FN-DSA	EUF-CMA	$\mathsf{negl}$	Equilibrium	SIS over NTRU

Table 4. Extended primitives summary.

Primitive	Good	Ask Price	Status	Reduction Target
HMAC	SUF-CMA	$\mathsf{negl}$	Equilibrium	PRF of compression function
AEAD (EtM)	IND-CCA2 + INT-CTXT	$\mathsf{negl}$	Equilibrium	IND-CPA + SUF-CMA
SLH-DSA	EUF-CMA	$\mathsf{negl}$	Equilibrium	SPR + TSPR + PRF
FN-DSA	EUF-CMA	$\mathsf{negl}$	Equilibrium	SIS over NTRU

10. Case Study II: Block-Cipher Market—AES

10.1. AES Market Setup

The Advanced Encryption Standard [20] operates on 128-bit blocks with 10/12/14 rounds for 128/192/256-bit keys. We model AES as a market where the seller offers the good $g_{\mathsf{PRP}}$: pseudorandom permutation security. The buyer’s goal is to distinguish ${\mathsf{AES}}_K(·)$ from a truly random permutation $\pi (·)$ on ${\{0,1\}}^{128}$.

Figure 33. AES round structure. Each of the 10/12/14 rounds applies SubBytes (confusion), ShiftRows and MixColumns (diffusion), and AddRoundKey (key injection). The final round omits MixColumns. Multiple rounds compound the complexity, making any differential or algebraic attack computationally infeasible.

Figure 33. AES round structure. Each of the 10/12/14 rounds applies SubBytes (confusion), ShiftRows and MixColumns (diffusion), and AddRoundKey (key injection). The final round omits MixColumns. Multiple rounds compound the complexity, making any differential or algebraic attack computationally infeasible.

Definition 24 

(PRP Security Good). $\mathsf{Ask}\left(g_{\mathsf{PRP}}\right)={max}_{\mathcal{A}\in \mathsf{PPT}}\left|Pr\left[{\mathcal{A}}^{{\mathsf{AES}}_K(·)}=1\right]-Pr\left[{\mathcal{A}}^{\pi (·)}=1\right]\right|$, where $K\stackrel{\$}{\leftarrow }{\{0,1\}}^{\kappa }$ and $\pi \stackrel{\$}{\leftarrow }\mathsf{Perm}\left({\{0,1\}}^{128}\right)$.

Figure 34. AES round operations visualised: a 4×4 byte grid undergoes SubBytes (non-linear substitution), ShiftRows (position mixing), MixColumns (column blending), and AddRoundKey (key injection). After multiple rounds, a single changed input bit affects every output bit—the “avalanche effect.”

Figure 34. AES round operations visualised: a 4×4 byte grid undergoes SubBytes (non-linear substitution), ShiftRows (position mixing), MixColumns (column blending), and AddRoundKey (key injection). After multiple rounds, a single changed input bit affects every output bit—the “avalanche effect.”

10.2. Differential Cryptanalysis Bid

Differential cryptanalysis [21] analyses how input differences $\Delta x=x\oplus x^{\prime }$ propagate to output differences $\Delta y={\mathsf{AES}}_K\left(x\right)\oplus {\mathsf{AES}}_K\left(x^{\prime }\right)$. The buyer constructs a differential characteristic$\Omega =({\Delta }_0,{\Delta }_1,\dots ,{\Delta }_r)$ specifying the expected difference at each round.

Definition 25 

(Differential Characteristic Probability). $\mathsf{DP}\left(\Omega \right)={\prod }_{i=0}^{r-1}Pr\left[{\mathsf{Round}}_i\left({\Delta }_i\right)={\Delta }_{i+1}\right].$

Theorem 18 

(AES Differential Bid Failure). For AES-128 with $r=10$ rounds:

$$\mathsf{Ask}(g_{\mathsf{PRP}},\mathrm{differential}\mathrm{bid})\le q_E·2^{-150}+\mathsf{negl}\left(\lambda \right),$$

(56)

where $q_E$ is the number of encryption queries. That is, the differential bid fails.

Proof. 

We construct five games.

${\mathbf{B}}_0$(Bidding Round 0: Real AES Market—Differential Distinguishing Bid).

Buyer queries ${\mathsf{AES}}_K$ on chosen-plaintext pairs $(x,x\oplus {\Delta }_0)$ and checks whether the output difference matches the predicted ${\Delta }_r$.

${\mathbf{B}}_1$(Bidding Round 1: Wide-Trail Resistance Bid—Counting Active S-Boxes).

We lower-bound the number of active S-boxes (S-boxes with non-zero input difference) across the characteristic. By the wide-trail design strategy of AES [22]: the MixColumns and ShiftRows operations ensure that any 4-round characteristic activates at least $B_4=25$ S-boxes.

$\Delta {\mathsf{Price}}_0=0$ (this is an analytical observation, not a game change).

${\mathbf{B}}_2$(Bidding Round 2: S-Box Differential Probability Bid—Bounding Per-S-Box Advantage).

Each active S-box uses the AES S-box (inversion in $\mathsf{GF}\left(2^8\right)$ followed by an affine map). The maximum differential probability of the AES S-box is ${\mathsf{DP}}_{max}=4/256=2^{-6}$ [22].

Difference bound. For a characteristic over 10 rounds with at least 25 active S-boxes per 4-round block (and at least $\lceil 10/4\rceil ·25=50$ active S-boxes overall for truncated differentials across rounds):

$$\mathsf{DP}\left(\Omega \right)\le {\left(2^{-6}\right)}^{25}=2^{-150}$$

(57)

for any 4-round sub-characteristic. The full 10-round probability is even smaller.

${\mathbf{B}}_3$(Bidding Round 3: Data Complexity Bid—Infeasibility of Collecting Right Pairs).

The buyer’s strategy is to query $q_E$ pairs and check for the predicted output difference. The expected number of “right pairs” (pairs following the characteristic) among $q_E$ queries is $\mu =q_E·2^{-150}$. The buyer can only distinguish AES from random if $\mu \ge 1$, requiring $q_E\ge 2^{150}$. Since data is bounded by $2^{128}$ blocks (codebook), the attack is infeasible.

Difference bound. By Markov’s inequality:

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_3=1\right]|\le q_E·2^{-150}\le 2^{128}·2^{-150}=2^{-22}.$$

(58)

${\mathbf{B}}_4$(Bidding Round 4: Ideal AES Market—Differential Bid Fails Against Random Permutation).

Against a truly random permutation, the output difference for any fixed input difference is uniformly distributed. The buyer’s advantage over random is exactly the right-pair detection probability above. Hence: $Pr\left[{\mathbf{B}}_4=1\right]=1/2$ (random guessing).

Total differential bid cost:

$$\mathsf{Ask}(g_{\mathsf{PRP}},\mathrm{diff})\le q_E·2^{-150}.$$

(59)

   □

10.3. Rotational Cryptanalysis Bid

Rotational cryptanalysis [23] exploits the potential for bitwise rotations to commute with cipher operations. For a rotation by r bits, denoted ${\mathsf{rot}}_r$, the buyer checks whether ${\mathsf{AES}}_K\left({\mathsf{rot}}_r\left(x\right)\right)\approx {\mathsf{rot}}_r\left({\mathsf{AES}}_K\left(x\right)\right)$.

Theorem 19 

(AES Rotational Bid Failure). For AES-128:

$$\mathsf{Ask}(g_{\mathsf{PRP}},\mathrm{rotational}\mathrm{bid})\le q_E·2^{-128}+\mathsf{negl}\left(\lambda \right).$$

(60)

Proof. 

We construct four games.

${\mathbf{B}}_0$(Bidding Round 0: Real AES Market—Rotational Distinguishing Bid).

Buyer queries pairs $(x,{\mathsf{rot}}_r\left(x\right))$ and checks whether outputs satisfy the rotational relationship.

${\mathbf{B}}_1$(Bidding Round 1: Key Schedule Asymmetry Bid—Rcon Destroys Rotational Symmetry).

The round keys $K_0,K_1,\dots ,K_{10}$ are derived from the master key via the AES key schedule. For rotational cryptanalysis to succeed, the key schedule must preserve the rotational relationship: ${\mathsf{rot}}_r\left(K_i\right)=K_i^{\prime }$ for some related key $K_i^{\prime }$. However, the AES key schedule includes the Rcon constants (powers of x in $\mathsf{GF}\left(2^8\right)$), which are not rotationally symmetric.

Difference bound. Let $F_{\mathsf{Rcon}}$: “Rcon values preserve rotational structure.” Since $\mathsf{Rcon}\left[i\right]$ occupies only one byte position and its values ($01,02,04,08,\dots$) break rotational symmetry:

$$Pr\left[F_{\mathsf{Rcon}}\right]=0(\mathrm{deterministic}\text{:}\mathrm{Rcon}\mathrm{never}\mathrm{preserves}\mathrm{rotation}).$$

(61)

Hence $|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|=0$ and the rotational property is destroyed after the first AddRoundKey.

${\mathbf{B}}_2$(Bidding Round 2: S-Box Non-Commutativity Bid—SubBytes Breaks Rotation).

Even if the key schedule were ignored, the S-box (based on $\mathsf{GF}\left(2^8\right)$ inversion) does not commute with bitwise rotation. For random inputs, the probability that $S\left({\mathsf{rot}}_r\left(x\right)\right)={\mathsf{rot}}_r\left(S\left(x\right)\right)$ for a random byte x is at most $1/256=2^{-8}$.

Difference bound. With 16 S-boxes per round and 10 rounds, requiring all to preserve rotation:

$$Pr\left[\mathrm{rotation}\mathrm{preserved}\mathrm{through}\mathrm{all}\mathrm{S}-\mathrm{boxes}\right]\le {\left(2^{-8}\right)}^{16}=2^{-128}\mathrm{per}\mathrm{round}.$$

(62)

${\mathbf{B}}_3$(Bidding Round 3: Ideal AES Market—Rotational Bid Collapses to Random Bound).

Against a random permutation, $Pr\left[{\mathsf{rot}}_r\left(\pi \left(x\right)\right)=\pi \left({\mathsf{rot}}_r\left(x\right)\right)\right]=1/(2^{128}-1)$. The buyer’s advantage: $q_E·2^{-128}$.

Total:

$$\mathsf{Ask}(g_{\mathsf{PRP}},\mathrm{rotational})\le q_E·2^{-128}.$$

(63)

   □

10.4. Related-Key Bid and Combined AES Equilibrium

Theorem 20 

(AES Combined Market Equilibrium). Combining all known bid types (differential, linear, rotational, related-key, algebraic, S-box algebraic, integral/Square, impossible differential, meet-in-the-middle):

$$\mathsf{Ask}\left(g_{\mathsf{PRP}}\right)\le max\left(q_E·2^{-150},q_E·2^{-128},q_E^2·2^{-128}\right)+\mathsf{negl}\left(\lambda \right)\le \mathsf{negl}\left(\lambda \right),$$

(64)

for $q_E\le 2^{64}$ (practical query bound). The AES market is inequilibrium .

Proof. 

The linear cryptanalysis bid follows an analogous structure to the differential bid, with the best known linear hull bias for 10-round AES being at most $2^{-75}$ per approximation, requiring $2^{150}$ data. The related-key bid for AES-128 requires $q_{RK}$ related keys; the best known related-key attack applies only to AES-256 with $2^{99.5}$ complexity [24]. The algebraic bid (using Gröbner basis or XL algorithms) has complexity exceeding $2^{128}$ for the full cipher. All bids fail for $q_E\le 2^{64}$.    □

Theorem 21 

(AES S-Box Algebraic and Integral Bid Failure). The S-box-targeted attack surface of AES—comprising algebraic attacks on the S-box structure, integral/Square attacks, impossible differential attacks, and meet-in-the-middle attacks exploiting S-box linearity—yields a combined ask price bounded by:

$$\mathsf{Ask}(g_{\mathsf{PRP}},\mathrm{S}-\mathrm{box}\mathrm{bids})\le max\left(2^{-128},q_E·2^{-83},2^{-13}\right)+\mathsf{negl}\left(\lambda \right).$$

(65)

All S-box-targeted bids fail for full-round AES.

Proof. 

We construct four bidding rounds, each targeting a distinct S-box-related attack vector.

${\mathbf{B}}_0^{\mathsf{sbox}}$(S-Box Bidding Round 0: Algebraic S-Box Inversion Bid—Exploiting the $\mathsf{GF}\left(2^8\right)$ Structure).

The buyer attempts to solve the AES multivariate equation system using Gröbner basis methods. The system comprises 1280 quadratic equations in $\approx 2688$ variables over $\mathsf{GF}\left(2\right)$. By the analysis of [25], the Gröbner basis complexity for the full system is:

$${\mathsf{Compl}}_{\mathsf{GB}}\ge {\left({\displaystyle \genfrac{}{}{0pt}{}{n}{d}}\right)}^{\omega }\ge 2^{128},$$

(66)

where n is the number of variables, d is the solving degree, and $\omega$ is the linear algebra exponent. The algebraic S-box bid fails: $\Delta {\mathsf{Price}}_0^{\mathsf{sbox}}\le 2^{-128}$.

${\mathbf{B}}_1^{\mathsf{sbox}}$(S-Box Bidding Round 1: Integral/Square Attack Bid—Exploiting S-Box Saturation Properties).

The buyer constructs $\Lambda$-sets and checks the balanced property. For full 10-round AES, the 4-round integral distinguisher must be extended through 6 additional rounds via key-guessing. The best known integral attack reaches 7 rounds of AES-128 with complexity $2^{128}·2^{-83}=2^{45}$ data and $2^{128}$ time—matching brute force. The 3-round security margin yields:

$$\Delta {\mathsf{Price}}_1^{\mathsf{sbox}}\le q_E·2^{-83}.$$

(67)

${\mathbf{B}}_2^{\mathsf{sbox}}$(S-Box Bidding Round 2: Impossible Differential Bid—S-Box Transition Gaps).

The impossible differential bid uses 4-round impossible differentials through the S-box layer. The best known impossible-differential attack reaches 7 rounds of AES-128 with complexity $2^{112.2}$. The 3-round gap yields:

$$\Delta {\mathsf{Price}}_2^{\mathsf{sbox}}\le 2^{-13}(7-\mathrm{round}\mathrm{attack}\mathrm{extrapolated}\mathrm{to}10\mathrm{rounds}).$$

(68)

${\mathbf{B}}_3^{\mathsf{sbox}}$(S-Box Bidding Round 3: Meet-in-the-Middle Bid—S-Box Layer Decomposition).

The MITM attack decomposes AES into forward and backward halves. For 10-round AES-128, key-schedule diffusion prevents independent half-key guessing. The bid fails:

$$\Delta {\mathsf{Price}}_3^{\mathsf{sbox}}\le 2^{-23}.$$

(69)

Combined S-box bid cost. By the extended difference lemma (Lemma 2):

$$\begin{array}{cc}\hfill \mathsf{Ask}(g_{\mathsf{PRP}},\mathrm{S}-\mathrm{box}\mathrm{bids})& \le Pr\left[F_{\mathsf{alg}}\cup F_{\mathsf{int}}\cup F_{\mathsf{imp}}\cup F_{\mathsf{mitm}}\right]\hfill \\ \hfill & \le 2^{-128}+q_E·2^{-83}+2^{-13}+2^{-23}\hfill \\ \hfill & \le 2^{-12.6}\mathrm{for}{q}_E\le 2^{64}.\hfill \end{array}$$

(70)

   □

Session pinging and CNF checking across AES encryption sessions.

For consecutive encryption sessions ${\mathsf{Session}}_i=(K_i,p_i)$ and ${\mathsf{Session}}_{i+1}=(K_{i+1},p_{i+1})$, the ping mechanism verifies that the key-plaintext pair is not reused: $(K_{i+1},p_{i+1})\ne (K_j,p_j)$ for all $j\le i$. Under the same key ($K_{i+1}=K_i$), this reduces to plaintext freshness. The CNF clause ${\phi }^{\mathsf{ping}}$ checks the session log for duplicates. The critical ping constraint for AES is the codebook exhaustion bound: after $q_E$ encryption queries under the same 128-bit key, the adversary has observed $q_E$ input-output pairs of the AES permutation. When $q_E$ approaches $2^{64}$, the birthday bound $q_E^2/2^{128}$ approaches unity, and the PRP advantage becomes non-negligible. The session pinging mechanism makes this key-rotation requirement explicit: the accumulated ping degradation ${\delta }_{\mathsf{ping}}·N\approx q_E·2^{-128}·N$ must remain negligible, mandating key rotation before $q_E·N\approx 2^{128}$. This is the well-known AES birthday bound, now formalised within the MTSF ping framework. The session-CNF ${\phi }_{\mathsf{AES},i+1}$ under a fresh key is isomorphic to ${\phi }_{\mathsf{AES},i}$ with independent randomness; by Theorem 3, AES is PRP-secure for unbounded sessions under a key-rotation policy.

Table 5. AES block-cipher market: bid types and outcomes.

Bid Type	Ask Bound	Data Required	Outcome
Differential	$q_E·2^{-150}$	$2^{150}$ pairs	Fail (exceeds codebook)
Linear	$q_E^2·2^{-150}$	$2^{150}$ texts	Fail
Rotational	$q_E·2^{-128}$	$2^{128}$ pairs	Fail
Related-key (AES-128)	N/A	None known	Fail
Algebraic	$>2^{128}$	N/A	Fail (exceeds brute force)
S-box algebraic (Gröbner)	$\ge 2^{128}$	$2^8$ texts	Fail (matches brute force)
Integral/Square	$q_E·2^{-83}$	$2^{32}$ texts	Fail (7-round limit)
Impossible differential	$2^{-13}$	$2^{112.2}$ ops	Fail (7-round limit)
Meet-in-the-middle	$2^{-23}$	$2^{105}$ ops	Fail (7-round limit)

Table 5. AES block-cipher market: bid types and outcomes.

Bid Type	Ask Bound	Data Required	Outcome
Differential	$q_E·2^{-150}$	$2^{150}$ pairs	Fail (exceeds codebook)
Linear	$q_E^2·2^{-150}$	$2^{150}$ texts	Fail
Rotational	$q_E·2^{-128}$	$2^{128}$ pairs	Fail
Related-key (AES-128)	N/A	None known	Fail
Algebraic	$>2^{128}$	N/A	Fail (exceeds brute force)
S-box algebraic (Gröbner)	$\ge 2^{128}$	$2^8$ texts	Fail (matches brute force)
Integral/Square	$q_E·2^{-83}$	$2^{32}$ texts	Fail (7-round limit)
Impossible differential	$2^{-13}$	$2^{112.2}$ ops	Fail (7-round limit)
Meet-in-the-middle	$2^{-23}$	$2^{105}$ ops	Fail (7-round limit)

10.5. PRESENT: Lightweight Block-Cipher Market

Figure 35. PRESENT round structure: a textbook Substitution–Permutation Network (SPN). Each of the 31 rounds applies AddRoundKey, 16 parallel 4-bit S-boxes (sBoxLayer), and a fixed bit permutation (pLayer). The simplicity of the design enables an extremely small hardware footprint (≈1,000 GE), making PRESENT suitable for RFID tags and IoT sensors.

Figure 35. PRESENT round structure: a textbook Substitution–Permutation Network (SPN). Each of the 31 rounds applies AddRoundKey, 16 parallel 4-bit S-boxes (sBoxLayer), and a fixed bit permutation (pLayer). The simplicity of the design enables an extremely small hardware footprint (≈1,000 GE), making PRESENT suitable for RFID tags and IoT sensors.

Definition 26 

(PRESENT PRP Security Good).

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{PRP}}^{\mathsf{PRESENT}}\right)& =\underset{\mathcal{A}\in \mathsf{PPT}}{max}\left|Pr\left[{\mathcal{A}}^{{\mathsf{PRESENT}}_K(·)}=1\right]-Pr\left[{\mathcal{A}}^{\pi (·)}=1\right]\right|\hfill \\ \hfill & \mathrm{where}K\stackrel{\$}{\leftarrow }{\{0,1\}}^{80}\left(\mathrm{or}{\{0,1\}}^{128}\right),\pi \stackrel{\$}{\leftarrow }\mathsf{Perm}\left({\{0,1\}}^{64}\right).\hfill \end{array}$$

(71)

Theorem 22 

(PRESENT Differential Bid Failure). For PRESENT-80 with $r=31$ rounds:

$$\mathsf{Ask}(g_{\mathsf{PRP}}^{\mathsf{PRESENT}},\mathrm{differential}\mathrm{bid})\le q_E·2^{-62}+\mathsf{negl}\left(\lambda \right),$$

(72)

where $q_E$ is the number of encryption queries.

Proof. 

We construct four games.

${\mathbf{B}}_0$(Bidding Round 0: Real PRESENT Market—Differential Distinguishing Bid).

Buyer queries ${\mathsf{PRESENT}}_K$ on chosen-plaintext pairs $(x,x\oplus {\Delta }_0)$ and checks whether the output difference matches the predicted ${\Delta }_r$.

${\mathbf{B}}_1$(Bidding Round 1: Active S-Box Counting Bid—SPN Diffusion Guarantees).

The PRESENT permutation layer (pLayer) ensures that active S-box outputs in one round spread to distinct S-box inputs in the next round. The minimum number of active S-boxes over 5 rounds is 10 (proven by the designers [28]). Each active 4-bit S-box has maximum differential probability ${\mathsf{DP}}_{max}=2^{-2}$ (the PRESENT S-box has max differential $4/16=2^{-2}$).

Difference bound. For a 31-round characteristic with at least $\lfloor 31/5\rfloor \times 10=60$ active S-boxes in the best case:

$$\mathsf{DP}\left(\Omega \right)\le {\left(2^{-2}\right)}^{10}=2^{-20}\mathrm{per}5-\mathrm{round}\mathrm{block},$$

(73)

giving a full-cipher differential probability of at most ${\left(2^{-2}\right)}^{60}=2^{-120}$. Even the best truncated differentials [29] covering reduced rounds require at least $2^{62}$ chosen plaintexts for a detectable bias.

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le q_E·2^{-62}.$$

${\mathbf{B}}_2$(Bidding Round 2: Data Complexity Bid—64-Bit Block Codebook Bound).

With only $2^{64}$ possible plaintext blocks, the buyer can collect at most $2^{64}$ pairs, and the best differential distinguisher requires $q_E\ge 2^{62}$ chosen plaintexts. For $q_E\le 2^{32}$ (practical IoT sessions), the advantage is:

$$|Pr\left[{\mathbf{B}}_1=1\right]-Pr\left[{\mathbf{B}}_2=1\right]|\le 2^{32}·2^{-62}=2^{-30}.$$

(74)

${\mathbf{B}}_3$(Bidding Round 3: Ideal PRESENT Market—Differential Bid Fails).

Against a random permutation on ${\{0,1\}}^{64}$, the output difference is uniform. The buyer’s advantage: $q_E·2^{-62}$.

Total:

$$\mathsf{Ask}(g_{\mathsf{PRP}}^{\mathsf{PRESENT}},\mathrm{diff})\le q_E·2^{-62}.$$

(75)

   □

Theorem 23 

(PRESENT Linear Bid Failure). For PRESENT-80 with $r=31$ rounds:

$$\mathsf{Ask}(g_{\mathsf{PRP}}^{\mathsf{PRESENT}},\mathrm{linear}\mathrm{bid})\le q_E^2·2^{-62}+\mathsf{negl}\left(\lambda \right).$$

(76)

Proof. 

We construct three games.

${\mathbf{B}}_0$(Bidding Round 0: Real PRESENT Market—Linear Distinguishing Bid).

The buyer collects $q_E$ known plaintext-ciphertext pairs and evaluates a linear approximation $\langle \alpha ,x\rangle \oplus \langle \beta ,{\mathsf{PRESENT}}_K\left(x\right)\rangle =\langle \gamma ,K\rangle$ for chosen masks $\alpha ,\beta ,\gamma$. The bias ${ϵ}_L$ of the best linear approximation determines the data required: $q_E\ge 1/{ϵ}_L^2$.

${\mathbf{B}}_1$(Bidding Round 1: Linear Hull Bias Bid—Bounding Correlation Accumulation).

The PRESENT S-box has maximum linear bias $|{ϵ}_{max}|=4/16=2^{-2}$ per active S-box. By the Piling-Up Lemma, a linear trail over k active S-boxes has bias $\le 2^{k-1}·{\left(2^{-2}\right)}^k=2^{-k-1}$. With at least 60 active S-boxes over 31 rounds, the single-trail bias is $\le 2^{-61}$, and even accounting for linear hull effects [29], the best known bias for full-round PRESENT is below $2^{-31}$, requiring $q_E\ge 2^{62}$ known plaintexts.

Difference bound.

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le q_E^2·2^{-62}.$$

(77)

${\mathbf{B}}_2$(Bidding Round 2: Ideal PRESENT Market—Linear Bid Fails).

Random permutation; linear bias = 0. Buyer advantage: $q_E^2·2^{-62}$.

Total:$\mathsf{Ask}(g_{\mathsf{PRP}}^{\mathsf{PRESENT}},\mathrm{linear})\le q_E^2·2^{-62}$.    □

Theorem 24 

(PRESENT Combined Market Equilibrium). Combining all known bid types (differential, linear, algebraic, related-key):

$$\mathsf{Ask}\left(g_{\mathsf{PRP}}^{\mathsf{PRESENT}}\right)\le max\left(q_E·2^{-62},q_E^2·2^{-62},2^{-16}\right)+\mathsf{negl}\left(\lambda \right)\le \mathsf{negl}\left(\lambda \right),$$

(78)

for $q_E\le 2^{32}$ (practical query bound within 64-bit block birthday limit). The PRESENT market is inequilibriumwithin its lightweight design parameters.

Proof. 

The algebraic bid involves solving a system of multivariate quadratic equations over $\mathsf{GF}\left(2\right)$ representing the PRESENT round function. The best known algebraic attack on full-round PRESENT has complexity exceeding $2^{80}$ for PRESENT-80. The related-key attack requires controlling the key schedule difference propagation across 31 rounds; no practical related-key distinguisher is known for full-round PRESENT with a random key. For $q_E\le 2^{32}$: $q_E^2·2^{-62}\le 2^{64}·2^{-62}=2^2$. However, practical IoT sessions have $q_E\ll 2^{30}$, keeping all bids negligible. The PRESENT market is in equilibrium for its intended deployment scenario.    □

Table 6. PRESENT lightweight block-cipher market: bid types and outcomes.

Bid Type	Ask Bound	Data Required	Outcome
Differential	$q_E·2^{-62}$	$2^{62}$ pairs	Fail (exceeds birthday)
Linear	$q_E^2·2^{-62}$	$2^{62}$ texts	Fail
Algebraic (MQ)	$>2^{80}$	N/A	Fail (exceeds brute force)
Related-key	N/A	None known	Fail

Table 6. PRESENT lightweight block-cipher market: bid types and outcomes.

Bid Type	Ask Bound	Data Required	Outcome
Differential	$q_E·2^{-62}$	$2^{62}$ pairs	Fail (exceeds birthday)
Linear	$q_E^2·2^{-62}$	$2^{62}$ texts	Fail
Algebraic (MQ)	$>2^{80}$	N/A	Fail (exceeds brute force)
Related-key	N/A	None known	Fail

10.6. Serpent: Conservative Block-Cipher Market

Figure 36. Serpent round structure. Each of the 32 rounds applies key mixing, a parallel 4-bit S-box layer (cycling through 8 distinct S-boxes), and a linear transformation for diffusion. The final round replaces the linear transformation with an extra key mixing. The 32-round design provides the largest security margin of any well-studied 128-bit block cipher: the best known attack covers only 12 rounds, leaving a 20-round margin.

Figure 36. Serpent round structure. Each of the 32 rounds applies key mixing, a parallel 4-bit S-box layer (cycling through 8 distinct S-boxes), and a linear transformation for diffusion. The final round replaces the linear transformation with an extra key mixing. The 32-round design provides the largest security margin of any well-studied 128-bit block cipher: the best known attack covers only 12 rounds, leaving a 20-round margin.

Definition 27 

(Serpent PRP Security Good).

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{PRP}}^{\mathsf{Serpent}}\right)& =\underset{\mathcal{A}\in \mathsf{PPT}}{max}\left|Pr\left[{\mathcal{A}}^{{\mathsf{Serpent}}_K(·)}=1\right]-Pr\left[{\mathcal{A}}^{\pi (·)}=1\right]\right|\hfill \\ \hfill & \mathrm{where}K\stackrel{\$}{\leftarrow }{\{0,1\}}^{\kappa },\kappa \in \{128,192,256\},\pi \stackrel{\$}{\leftarrow }\mathsf{Perm}\left({\{0,1\}}^{128}\right).\hfill \end{array}$$

(79)

Theorem 25 

(Serpent Differential Bid Failure). For Serpent-128 with $r=32$ rounds:

$$\mathsf{Ask}(g_{\mathsf{PRP}}^{\mathsf{Serpent}},\mathrm{differential}\mathrm{bid})\le q_E·2^{-196}+\mathsf{negl}\left(\lambda \right).$$

(80)

Proof. 

We construct four games.

${\mathbf{B}}_0$(Bidding Round 0: Real Serpent Market—Differential Distinguishing Bid).

Buyer queries ${\mathsf{Serpent}}_K$ on chosen-plaintext pairs $(x,x\oplus {\Delta }_0)$ and checks the output difference.

${\mathbf{B}}_1$(Bidding Round 1: Active S-Box Counting Bid—Conservative Diffusion Design).

Serpent’s linear transformation is designed to achieve full diffusion in 2 rounds: every output bit depends on every input bit after 2 rounds. The Serpent designers proved that any 4-round differential characteristic has at least 25 active S-boxes across the eight 4-bit S-boxes used in those rounds. Each Serpent S-box has maximum differential probability ${\mathsf{DP}}_{max}=2^{-2}$ (by design: all eight S-boxes are chosen to have max DP $\le 4/16$).

Difference bound. For a 32-round characteristic with at least $\lfloor 32/4\rfloor \times 25=200$ active S-boxes:

$$\mathsf{DP}\left(\Omega \right)\le {\left(2^{-2}\right)}^{200/4\times 4}={\left(2^{-2}\right)}^{200}=2^{-400}$$

(81)

for any single-path differential. Even the best truncated differential attacks on Serpent [31] reach only 12 rounds with $2^{126}$ data complexity, far short of the full 32 rounds.

$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le q_E·2^{-196}$ (using the best 12-round differential extrapolated conservatively to 32 rounds).

${\mathbf{B}}_2$(Bidding Round 2: Attack-Reach Bid—Only 12 of 32 Rounds Penetrated).

The buyer’s strongest bid covers at most 12 rounds. The remaining 20 rounds present an impenetrable diffusion barrier. Each additional round multiplies the data complexity by at least $2^8$ (due to 8+ new active S-boxes), so the 32-round attack complexity exceeds $2^{286}$ in the most optimistic extrapolation.

Difference bound.$|Pr\left[{\mathbf{B}}_1=1\right]-Pr\left[{\mathbf{B}}_2=1\right]|\le 2^{-128}$ (conservative: even the extrapolated attack exceeds brute force).

${\mathbf{B}}_3$(Bidding Round 3: Ideal Serpent Market—Differential Bid Fails).

Against a random permutation on ${\{0,1\}}^{128}$: output difference is uniform. Buyer advantage bounded by $q_E·2^{-196}$.

Total:

$$\mathsf{Ask}(g_{\mathsf{PRP}}^{\mathsf{Serpent}},\mathrm{diff})\le q_E·2^{-196}.$$

(82)

   □

Theorem 26 

(Serpent Linear Bid Failure). For Serpent-128 with $r=32$ rounds:

$$\mathsf{Ask}(g_{\mathsf{PRP}}^{\mathsf{Serpent}},\mathrm{linear}\mathrm{bid})\le q_E^2·2^{-196}+\mathsf{negl}\left(\lambda \right).$$

(83)

Proof. 

We construct three games.

${\mathbf{B}}_0$(Bidding Round 0: Real Serpent Market—Linear Approximation Bid).

The buyer collects $q_E$ known plaintext-ciphertext pairs and evaluates linear approximations with input mask $\alpha$ and output mask $\beta$, seeking a detectable bias.

${\mathbf{B}}_1$(Bidding Round 1: Linear Hull Bias Bid—Multi-S-Box Bias Decay).

Each Serpent S-box has maximum linear bias $|{ϵ}_{max}|\le 2^{-2}$. The Piling-Up Lemma gives a single-trail bias of $\le 2^{1-k}$ for k active S-boxes, but the linear hull (sum over all trails with the same input/output masks) may concentrate. Nevertheless, the best known linear attack on Serpent [31] covers only 11 rounds with $2^{89}$ known plaintexts, requiring a bias of $\approx 2^{-44.5}$. Extrapolating to 32 rounds, the linear hull bias drops below $2^{-98}$, requiring $q_E\ge 2^{196}$.

Difference bound.$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le q_E^2·2^{-196}$.

${\mathbf{B}}_2$(Bidding Round 2: Ideal Serpent Market—Linear Bid Fails).

Random permutation; bias = 0.

Total:$\mathsf{Ask}(g_{\mathsf{PRP}}^{\mathsf{Serpent}},\mathrm{linear})\le q_E^2·2^{-196}$.    □

Theorem 27 

(Serpent Combined Market Equilibrium). Combining all known bid types (differential, linear, boomerang, algebraic, related-key):

$$\mathsf{Ask}\left(g_{\mathsf{PRP}}^{\mathsf{Serpent}}\right)\le max\left(q_E·2^{-196},q_E^2·2^{-196},q_E^2·2^{-128}\right)+\mathsf{negl}\left(\lambda \right)\le \mathsf{negl}\left(\lambda \right),$$

(84)

for $q_E\le 2^{64}$ (practical query bound). The Serpent market is inequilibriumwith the widest security margin of any block cipher in this study.

Proof. 

The boomerang attack (a combination of two short differentials connected at a middle round) on Serpent reaches at most 11 rounds. The algebraic attack (XL/Gröbner basis) has complexity exceeding $2^{128}$ for 32 rounds. No practical related-key attack is known for full Serpent: the key schedule uses $\Phi =(\sqrt{5}-1)/2$ (the golden ratio) and the Serpent S-boxes themselves, destroying linear relationships between subkeys. For $q_E\le 2^{64}$: all bid prices are negligible.    □

Table 7. Serpent block-cipher market: bid types and outcomes.

Bid Type	Ask Bound	Rounds Reached	Outcome
Differential	$q_E·2^{-196}$	12 of 32	Fail (20-round margin)
Linear	$q_E^2·2^{-196}$	11 of 32	Fail (21-round margin)
Boomerang	$q_E^2·2^{-128}$	11 of 32	Fail
Algebraic (MQ)	$>2^{128}$	N/A	Fail (exceeds brute force)
Related-key	N/A	None known	Fail

Table 7. Serpent block-cipher market: bid types and outcomes.

Bid Type	Ask Bound	Rounds Reached	Outcome
Differential	$q_E·2^{-196}$	12 of 32	Fail (20-round margin)
Linear	$q_E^2·2^{-196}$	11 of 32	Fail (21-round margin)
Boomerang	$q_E^2·2^{-128}$	11 of 32	Fail
Algebraic (MQ)	$>2^{128}$	N/A	Fail (exceeds brute force)
Related-key	N/A	None known	Fail

11. Case Study III: Hash-Function Market—Keccak/SHA-3

Figure 37. The SHA-3 sponge construction: input blocks are absorbed into the state (XOR + permutation), then output blocks are squeezed from the state. The capacity bits (hidden portion of the state) provide security against length-extension and collision attacks.

Figure 37. The SHA-3 sponge construction: input blocks are absorbed into the state (XOR + permutation), then output blocks are squeezed from the state. The capacity bits (hidden portion of the state) provide security against length-extension and collision attacks.

Keccak [32] is the SHA-3 standard, based on the sponge construction with a 1600-bit permutation $f=\mathsf{Keccak}-f\left[1600\right]$ consisting of 24 rounds. The state is $b=r+c=1600$ bits, with rate r and capacity c. The seller offers three goods:

• $g_{\mathsf{CR}}$: Collision resistance. Buyer must find $m\ne m^{\prime }$ with $H\left(m\right)=H\left(m^{\prime }\right)$.
• $g_{\mathsf{Pre}}$: Preimage resistance. Given y, buyer must find m with $H\left(m\right)=y$.
• $g_{\mathsf{LE}}$: Length-extension resistance. Buyer must compute $H(m\parallel m^{\prime })$ from $H\left(m\right)$ without knowing m.

Figure 38. Keccak sponge construction for SHA-3. Message blocks $m_1,\dots ,m_k$ are XORed into the rate (r-bit) portion of the 1600-bit state, interleaved with permutation f (24 rounds of $\theta ,\rho ,\pi ,\chi ,\iota$). After absorbing, the rate portion is squeezed as the hash output. The capacity (c-bit) portion is never exposed, enforcing collision resistance ($2^{c/2}$) and preimage resistance ($2^c$). For SHA3-256: $c=512$.

Figure 38. Keccak sponge construction for SHA-3. Message blocks $m_1,\dots ,m_k$ are XORed into the rate (r-bit) portion of the 1600-bit state, interleaved with permutation f (24 rounds of $\theta ,\rho ,\pi ,\chi ,\iota$). After absorbing, the rate portion is squeezed as the hash output. The capacity (c-bit) portion is never exposed, enforcing collision resistance ($2^{c/2}$) and preimage resistance ($2^c$). For SHA3-256: $c=512$.

Theorem 28 

(Keccak Collision Resistance Equilibrium).

In the random sponge model with capacity c:

$$\mathsf{Ask}\left(g_{\mathsf{CR}}\right)\le {\displaystyle \frac{q_f^2}{2^{c+1}}}+\mathsf{negl}\left(\lambda \right),$$

(85)

where $q_f$ is the number of queries to the permutation f.

Proof. 

We construct four games.

${\mathbf{B}}_0$(Bidding Round 0: Real Keccak Market—Collision Bid).

Buyer has oracle access to f and $f^{-1}$ and must find $m\ne m^{\prime }$ with $\mathsf{Keccak}\left(m\right)=\mathsf{Keccak}\left(m^{\prime }\right)$.

${\mathbf{B}}_1$(Bidding Round 1: Capacity Collision Bid—Matching Hidden State Bits).

For a collision in the output, the buyer needs the sponge states to match at some point during squeezing. Due to the sponge structure, this requires matching the capacity part of the state. Let $F_{\mathsf{cap}}$: “two queries to f produce the same capacity output.”

Difference bound. By the sponge indifferentiability theorem [33], the Keccak sponge is indifferentiable from a random oracle up to $2^{c/2}$ queries. For $q_f$ queries to f, the probability of a capacity collision:

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le {\displaystyle \frac{q_f^2}{2^{c+1}}}.$$

(86)

${\mathbf{B}}_2$(Bidding Round 2: Differential Trail Bid—Exploiting $\chi$ S-Box Structure). [enhanced,breakable,colback=blue!2!white,colframe=darkblue!40!black,boxrule=0.4pt,arc=1.5pt,left=5pt,right=5pt,top=2pt,bottom=2pt,fontupper=] Purpose: Bound the differential cryptanalysis advantage by establishing a lower bound on active S-boxes and an upper bound on per-S-box differential probability. Differential cryptanalysis works by finding an input difference ${\Delta }_0$ that propagates to a predictable output difference ${\Delta }_r$ with non-negligible probability; the adversary collects `right pairs’ and uses them to recover key bits.

The buyer attempts to find a differential characteristic through the 24 rounds of $\mathsf{Keccak}-f$. Each round consists of $\theta$ (column parity mixing), $\rho$ (bitwise rotation), $\pi$ (lane permutation), $\chi$ (non-linear mapping), and $\iota$ (round constant addition). The $\chi$ step has maximum differential probability ${\mathsf{DP}}_{\chi }\le 2^{-2}$ per 5-bit S-box, and there are 320 parallel 5-bit S-boxes per round.

Difference bound. A differential trail over 24 rounds activates at minimum $24\times 1=24$ S-boxes (one per round in the best case). Hence:

$$\mathsf{DP}\left({\Omega }_f\right)\le {\left(2^{-2}\right)}^{24}=2^{-48}$$

(87)

for a single-path characteristic. More realistically, the minimum number of active S-boxes over 4 rounds is at least 12 (by the alignment properties of $\theta$ and $\pi$), giving $\mathsf{DP}\le 2^{-24}$ per 4-round block and $\le 2^{-144}$ for 24 rounds.

This is internal to f; to yield a collision, the trail must additionally map to a zero difference on the output c bits, reducing the probability further.

${\mathbf{B}}_3$(Bidding Round 3: Ideal Keccak Market—Collision Bid Reaches Birthday Bound).

In the random sponge model, collisions require $\Omega \left(2^{c/2}\right)$ queries by the generic birthday bound. For SHA3-256, $c=512$, so $2^{256}$ queries. $Pr\left[{\mathbf{B}}_3=1\right]=q_f^2/2^{c+1}$.

Total:

$$\mathsf{Ask}\left(g_{\mathsf{CR}}\right)\le {\displaystyle \frac{q_f^2}{2^{c+1}}}+\mathsf{negl}\left(\lambda \right).$$

(88)

   □

Theorem 29 

(Keccak Preimage Resistance Equilibrium).

$$\mathsf{Ask}\left(g_{\mathsf{Pre}}\right)\le {\displaystyle \frac{q_f}{2^c}}+\mathsf{negl}\left(\lambda \right).$$

(89)

Proof. 

We construct three games.

${\mathbf{B}}_0$(Bidding Round 0: Real Keccak Market—Preimage Bid).

Buyer receives target $y=\mathsf{Keccak}\left(m\right)$ for random m and must find any $m^{\prime }$ with $\mathsf{Keccak}\left(m^{\prime }\right)=y$.

${\mathbf{B}}_1$(Bidding Round 1: Capacity Inversion Bid—Recovering Hidden State).

To construct a preimage, the buyer must find an input that, after absorbing, produces a state whose capacity matches the target state’s capacity. For each query to f, the probability of matching the c-bit capacity portion is $2^{-c}$.

Difference bound. Over $q_f$ queries:

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le {\displaystyle \frac{q_f}{2^c}}.$$

(90)

${\mathbf{B}}_2$(Bidding Round 2: Ideal Keccak Market—Preimage Bid Bounded by Capacity).

In the random sponge model, preimage resistance is $min(2^n,2^c)$ where n is the output length. For SHA3-256 ($n=256$, $c=512$), the bound is $2^{256}$.

Total:$\mathsf{Ask}\left(g_{\mathsf{Pre}}\right)\le q_f/2^c$.    □

Theorem 30 

(Keccak Length-Extension Resistance). $\mathsf{Ask}\left(g_{\mathsf{LE}}\right)\le q_f/2^c+\mathsf{negl}\left(\lambda \right).$

Proof. 

${\mathbf{B}}_0$(Bidding Round 0: Real Keccak Market—Length-Extension Bid).

Buyer knows $H\left(m\right)$ (but not m) and must compute $H(m\parallel m^{\prime })$ for chosen $m^{\prime }$.

${\mathbf{B}}_1$(Bidding Round 1: Full-State Recovery Bid—Guessing Hidden Capacity Bits).

Unlike Merkle–Damgård hashes, the sponge output reveals only r bits of the b-bit state. The remaining c bits are hidden. To extend, the buyer must recover the full b-bit state after absorbing m. The number of candidate states consistent with the r-bit output is $2^c$.

Difference bound. Each query to $f^{-1}$ tests one candidate capacity value:

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le {\displaystyle \frac{q_f}{2^c}}.$$

(91)

${\mathbf{B}}_2$(Bidding Round 2: Ideal Keccak Market—Length-Extension Bid Bounded by Capacity).

Length-extension attack succeeds with probability $q_f/2^c$.

Total:$\mathsf{Ask}\left(g_{\mathsf{LE}}\right)\le q_f/2^c$.    □

Table 8. Keccak/SHA-3 market summary.

Good	Ask Bound	SHA3-256 ($\mathit{c}=512$)	Status
Collision ($g_{\mathsf{CR}}$)	$q_f^2/2^{c+1}$	$q_f^2/2^{513}$	Equilibrium
Preimage ($g_{\mathsf{Pre}}$)	$q_f/2^c$	$q_f/2^{512}$	Equilibrium
Length-extension ($g_{\mathsf{LE}}$)	$q_f/2^c$	$q_f/2^{512}$	Equilibrium

Table 8. Keccak/SHA-3 market summary.

Good	Ask Bound	SHA3-256 ($\mathit{c}=512$)	Status
Collision ($g_{\mathsf{CR}}$)	$q_f^2/2^{c+1}$	$q_f^2/2^{513}$	Equilibrium
Preimage ($g_{\mathsf{Pre}}$)	$q_f/2^c$	$q_f/2^{512}$	Equilibrium
Length-extension ($g_{\mathsf{LE}}$)	$q_f/2^c$	$q_f/2^{512}$	Equilibrium

11.1. BLAKE3: Parallelisable Hash-Function Market

Figure 39. BLAKE3 Merkle tree hash structure. Input is split into 64-byte chunks, each compressed by a 7-round ARX compression function. Chaining values are combined pairwise in a binary Merkle tree. The root node produces the 256-bit hash output. The tree structure provides inherent parallelism and structural length-extension resistance: appending data changes the tree structure, not just the final state.

Figure 39. BLAKE3 Merkle tree hash structure. Input is split into 64-byte chunks, each compressed by a 7-round ARX compression function. Chaining values are combined pairwise in a binary Merkle tree. The root node produces the 256-bit hash output. The tree structure provides inherent parallelism and structural length-extension resistance: appending data changes the tree structure, not just the final state.

Definition 28 

(BLAKE3 Hash Security Goods). The BLAKE3 market offers three goods:

• $g_{\mathsf{CR}}^{\mathsf{B}\mathsf{3}}$: Collision resistance. $\mathsf{Ask}\left(g_{\mathsf{CR}}^{\mathsf{B}\mathsf{3}}\right)={max}_{\mathcal{A}}Pr\left[\mathcal{A}\mathrm{finds}m\ne m^{\prime }:\mathsf{BLAKE}\mathsf{3}\left(m\right)=\mathsf{BLAKE}\mathsf{3}\left(m^{\prime }\right)\right]$.
• $g_{\mathsf{Pre}}^{\mathsf{B}\mathsf{3}}$: Preimage resistance. $\mathsf{Ask}\left(g_{\mathsf{Pre}}^{\mathsf{B}\mathsf{3}}\right)={max}_{\mathcal{A}}Pr\left[\mathcal{A}\mathrm{finds}m:\mathsf{BLAKE}\mathsf{3}\left(m\right)=y\right]$ for random y.
• $g_{\mathsf{LE}}^{\mathsf{B}\mathsf{3}}$: Length-extension resistance.

  $$\mathsf{Ask}\left(g_{\mathsf{LE}}^{\mathsf{B}\mathsf{3}}\right)=\underset{\mathcal{A}}{max}Pr\left[\mathcal{A}\mathrm{computes}\mathsf{BLAKE}\mathsf{3}(m\parallel m^{\prime })\mathrm{from}\mathsf{BLAKE}\mathsf{3}\left(m\right)\right].$$

Theorem 31 

(BLAKE3 Collision Resistance Equilibrium). In the ideal compression function model:

$$\mathsf{Ask}\left(g_{\mathsf{CR}}^{\mathsf{B}\mathsf{3}}\right)\le {\displaystyle \frac{q_f^2}{2^{257}}}+\mathsf{negl}\left(\lambda \right),$$

(92)

where $q_f$ is the number of queries to the compression function.

Proof. 

We construct four games.

${\mathbf{B}}_0$(Bidding Round 0: Real BLAKE3 Market—Collision Bid).

Buyer has oracle access to the BLAKE3 compression function and must find $m\ne m^{\prime }$ with $\mathsf{BLAKE}\mathsf{3}\left(m\right)=\mathsf{BLAKE}\mathsf{3}\left(m^{\prime }\right)$.

${\mathbf{B}}_1$(Bidding Round 1: Merkle Tree Collision Localisation Bid—Reducing to Compression Collision).

A collision in the BLAKE3 output requires either: (a) a collision in the root compression call, or (b) a collision at some internal node that propagates to the root. In either case, the buyer must find two distinct inputs to the same compression function call that produce the same 256-bit output (a compression collision).

Difference bound. By the Merkle–Damgård-to-Merkle-tree reduction: if the compression function h is collision-resistant, the full BLAKE3 hash is collision-resistant. The number of compression calls for a message of ℓ chunks is $\le 2\ell -1$ (binary tree nodes). Each compression call is an independent collision target.

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le 0(\mathrm{structural}\mathrm{reduction},\mathrm{no}\mathrm{loss}).$$

(93)

${\mathbf{B}}_2$(Bidding Round 2: ARX Compression Function Bid—7-Round Quarter-Round Diffusion).

The BLAKE3 compression function applies 7 rounds of ChaCha-derived quarter-rounds to a 512-bit internal state (16 words × 32 bits). Each quarter-round performs: $a+=b$; $d\oplus =a$; $d⋙=16$; $c+=d$; $b\oplus =c$; $b⋙=12$; (and similarly with rotations by 8 and 7). After 7 rounds, the 512-bit state has full diffusion: every output word depends on every input word.

Difference bound. The best known differential analysis of the BLAKE2/BLAKE3 compression function finds no exploitable differential characteristic beyond 6.5 rounds. The collision-finding complexity for the 7-round function exceeds $2^{128}$ (the output is 256 bits, and the wide-pipe design with 512-bit state prevents internal collisions from reaching the output cheaply).

$$|Pr\left[{\mathbf{B}}_1=1\right]-Pr\left[{\mathbf{B}}_2=1\right]|\le {\displaystyle \frac{q_f^2}{2^{257}}}.$$

(94)

${\mathbf{B}}_3$(Bidding Round 3: Ideal BLAKE3 Market—Collision Bid Reaches Birthday Bound).

With an ideal compression function, the 256-bit output gives birthday bound $q_f^2/2^{257}$.

Total:

$$\mathsf{Ask}\left(g_{\mathsf{CR}}^{\mathsf{B}\mathsf{3}}\right)\le {\displaystyle \frac{q_f^2}{2^{257}}}+\mathsf{negl}\left(\lambda \right).$$

(95)

   □

Theorem 32 

(BLAKE3 Preimage Resistance Equilibrium).

$$\mathsf{Ask}\left(g_{\mathsf{Pre}}^{\mathsf{B}\mathsf{3}}\right)\le {\displaystyle \frac{q_f}{2^{256}}}+\mathsf{negl}\left(\lambda \right).$$

(96)

Proof. 

We construct three games.

${\mathbf{B}}_0$(Bidding Round 0: Real BLAKE3 Market—Preimage Bid).

Buyer receives $y=\mathsf{BLAKE}\mathsf{3}\left(m\right)$ for random m and must find any $m^{\prime }$ with $\mathsf{BLAKE}\mathsf{3}\left(m^{\prime }\right)=y$.

${\mathbf{B}}_1$(Bidding Round 1: Root Inversion Bid—Inverting the Compression Function).

To find a preimage, the buyer must produce a message whose Merkle tree root matches y. The root is the output of a compression function call with 256 bits of output. Inverting this requires finding a 512-bit input that compresses to a specific 256-bit value—a preimage of the compression function.

Difference bound. The wide-pipe structure (512-bit state → 256-bit output) means $2^{256}$ states map to each output value on average. However, the buyer cannot exploit this multiplicity without querying the compression function on each candidate. Each query matches with probability $2^{-256}$.

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le {\displaystyle \frac{q_f}{2^{256}}}.$$

(97)

${\mathbf{B}}_2$(Bidding Round 2: Ideal BLAKE3 Market—Preimage Bid Bounded by Output Size). [enhanced,breakable,colback=blue!2!white,colframe=darkblue!40!black,boxrule=0.4pt,arc=1.5pt,left=5pt,right=5pt,top=2pt,bottom=2pt,fontupper=] Purpose: Reach the ideal game in which every adversarial attack vector has been systematically eliminated by the preceding hops. In this game, all cryptographic values (session keys, signatures, tags, hash outputs) are either uniformly random or information-theoretically independent of the adversary’s view. No further price adjustment is possible.

With an ideal compression function, preimage resistance is $q_f/2^{256}$.

Total:$\mathsf{Ask}\left(g_{\mathsf{Pre}}^{\mathsf{B}\mathsf{3}}\right)\le q_f/2^{256}$.    □

Theorem 33 

(BLAKE3 Length-Extension Resistance). $\mathsf{Ask}\left(g_{\mathsf{LE}}^{\mathsf{B}\mathsf{3}}\right)=0$ (structural immunity).

Proof. 

Unlike Merkle–Damgård hashes (MD5, SHA-1, SHA-256), BLAKE3 uses a Merkle tree. Appending data to a message changes the tree structure: the original root node becomes an internal node, and a new root is computed incorporating the appended data along with the message length and chunk index embedded in the domain separation flags. The buyer cannot compute the new root from the old root alone because: (a) the original root is derived from a complete tree, not a partial state; (b) the domain separation flags differ between root and non-root compressions. Hence length-extension is structurally impossible:

$$\mathsf{Ask}\left(g_{\mathsf{LE}}^{\mathsf{B}\mathsf{3}}\right)=0.$$

(98)

   □

Table 9. BLAKE3 hash-function market summary.

Good	Ask Bound	Practical Value	Status
Collision ($g_{\mathsf{CR}}^{\mathsf{B}\mathsf{3}}$)	$q_f^2/2^{257}$	$\le 2^{-129}$ for $q_f\le 2^{64}$	Equilibrium
Preimage ($g_{\mathsf{Pre}}^{\mathsf{B}\mathsf{3}}$)	$q_f/2^{256}$	$\le 2^{-192}$ for $q_f\le 2^{64}$	Equilibrium
Length-extension ($g_{\mathsf{LE}}^{\mathsf{B}\mathsf{3}}$)	0	0 (structural)	Equilibrium

Table 9. BLAKE3 hash-function market summary.

Good	Ask Bound	Practical Value	Status
Collision ($g_{\mathsf{CR}}^{\mathsf{B}\mathsf{3}}$)	$q_f^2/2^{257}$	$\le 2^{-129}$ for $q_f\le 2^{64}$	Equilibrium
Preimage ($g_{\mathsf{Pre}}^{\mathsf{B}\mathsf{3}}$)	$q_f/2^{256}$	$\le 2^{-192}$ for $q_f\le 2^{64}$	Equilibrium
Length-extension ($g_{\mathsf{LE}}^{\mathsf{B}\mathsf{3}}$)	0	0 (structural)	Equilibrium

11.2. ASCON-Hash: NIST Lightweight Hash-Function Market

Figure 40. ASCON permutation round structure. The 320-bit state (5 × 64-bit words) is processed by constant addition ($p_C$), a parallel 5-bit S-box substitution layer ($p_S$, 64 S-boxes), and linear diffusion ($p_L$, word-level rotations and XOR). ASCON-Hash applies 12 rounds per absorption step.

Figure 40. ASCON permutation round structure. The 320-bit state (5 × 64-bit words) is processed by constant addition ($p_C$), a parallel 5-bit S-box substitution layer ($p_S$, 64 S-boxes), and linear diffusion ($p_L$, word-level rotations and XOR). ASCON-Hash applies 12 rounds per absorption step.

Definition 29 

(ASCON-Hash Security Goods). The ASCON-Hash market offers three goods, directly analogous to Keccak:

• $g_{\mathsf{CR}}^{\mathsf{Ascon}}$: Collision resistance. Buyer must find $m\ne m^{\prime }$ with $\mathsf{AsconHash}\left(m\right)=\mathsf{AsconHash}\left(m^{\prime }\right)$.
• $g_{\mathsf{Pre}}^{\mathsf{Ascon}}$: Preimage resistance. Given y, buyer must find m with $\mathsf{AsconHash}\left(m\right)=y$.
• $g_{\mathsf{LE}}^{\mathsf{Ascon}}$: Length-extension resistance. Buyer must compute $\mathsf{AsconHash}(m\parallel m^{\prime })$ from $\mathsf{AsconHash}\left(m\right)$ without knowing m.

Theorem 34 

(ASCON-Hash Collision Resistance Equilibrium). In the random sponge model with capacity $c=256$:

$$\mathsf{Ask}\left(g_{\mathsf{CR}}^{\mathsf{Ascon}}\right)\le {\displaystyle \frac{q_f^2}{2^{c+1}}}+\mathsf{negl}\left(\lambda \right)={\displaystyle \frac{q_f^2}{2^{257}}}+\mathsf{negl}\left(\lambda \right).$$

(99)

Proof. 

We construct four games.

${\mathbf{B}}_0$(Bidding Round 0: Real ASCON-Hash Market—Collision Bid). [enhanced,breakable,colback=blue!2!white,colframe=darkblue!40!black,boxrule=0.4pt,arc=1.5pt,left=5pt,right=5pt,top=2pt,bottom=2pt,fontupper=] Purpose: Establish the baseline game in which the scheme or protocol runs completely honestly and the adversary has unrestricted oracle access. This round defines the quantity ${\mathsf{Ask}}_0$ that all subsequent price adjustments are measured against. Every following bidding round introduces a single controlled modification; summing the resulting price adjustments yields the final equilibrium bound.

Buyer has oracle access to the ASCON permutation p and its inverse and must find $m\ne m^{\prime }$ with $\mathsf{AsconHash}\left(m\right)=\mathsf{AsconHash}\left(m^{\prime }\right)$.

${\mathbf{B}}_1$(Bidding Round 1: Capacity Collision Bid—Matching 256 Hidden State Bits).

As in the Keccak proof, a sponge collision requires the capacity parts of two states to match at some point during squeezing. The ASCON sponge is indifferentiable from a random oracle up to $2^{c/2}=2^{128}$ queries [33] (the sponge indifferentiability theorem applies to any sponge with a random permutation).

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le {\displaystyle \frac{q_f^2}{2^{c+1}}}={\displaystyle \frac{q_f^2}{2^{257}}}.$$

(100)

${\mathbf{B}}_2$(Bidding Round 2: Differential Trail Bid—Exploiting ASCON S-Box Structure). [enhanced,breakable,colback=blue!2!white,colframe=darkblue!40!black,boxrule=0.4pt,arc=1.5pt,left=5pt,right=5pt,top=2pt,bottom=2pt,fontupper=] Purpose: Bound the differential cryptanalysis advantage by establishing a lower bound on active S-boxes and an upper bound on per-S-box differential probability. Differential cryptanalysis works by finding an input difference ${\Delta }_0$ that propagates to a predictable output difference ${\Delta }_r$ with non-negligible probability; the adversary collects `right pairs’ and uses them to recover key bits.

The ASCON S-box is a 5-bit non-linear function with maximum differential probability ${\mathsf{DP}}_{max}=2^{-2}$ and algebraic degree 2. With 64 parallel S-boxes per round and 12 rounds, the minimum number of active S-boxes over 3 rounds is at least 12 (by the ASCON designers’ analysis [36]). Hence:

$$\mathsf{DP}\left({\Omega }_p\right)\le {\left(2^{-2}\right)}^{48}=2^{-96}$$

(101)

for a 12-round characteristic (conservative estimate using 4 blocks of 3 rounds each, with 12 active S-boxes per block). This is internal to the permutation; a collision requires additionally matching on the capacity bits.

${\mathbf{B}}_3$(Bidding Round 3: Ideal ASCON-Hash Market—Collision Bid Reaches Birthday Bound).

In the random sponge model: collisions require $\Omega \left(2^{c/2}\right)=\Omega \left(2^{128}\right)$ queries. $Pr\left[{\mathbf{B}}_3=1\right]=q_f^2/2^{c+1}$.

Total:

$$\mathsf{Ask}\left(g_{\mathsf{CR}}^{\mathsf{Ascon}}\right)\le {\displaystyle \frac{q_f^2}{2^{257}}}+\mathsf{negl}\left(\lambda \right).$$

(102)

   □

Theorem 35 

(ASCON-Hash Preimage Resistance Equilibrium).

$$\mathsf{Ask}\left(g_{\mathsf{Pre}}^{\mathsf{Ascon}}\right)\le {\displaystyle \frac{q_f}{2^c}}+\mathsf{negl}\left(\lambda \right)={\displaystyle \frac{q_f}{2^{256}}}+\mathsf{negl}\left(\lambda \right).$$

(103)

Proof. 

We construct three games analogous to the Keccak preimage proof.

${\mathbf{B}}_0$(Bidding Round 0: Real ASCON-Hash Market—Preimage Bid).

Buyer receives target $y=\mathsf{AsconHash}\left(m\right)$ and must find $m^{\prime }$ with $\mathsf{AsconHash}\left(m^{\prime }\right)=y$.

${\mathbf{B}}_1$(Bidding Round 1: Capacity Inversion Bid—Recovering 256 Hidden Bits).

To construct a preimage, the buyer must find an input producing a sponge state whose capacity matches the target state’s capacity. Each query to the permutation p matches with probability $2^{-c}=2^{-256}$.

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le {\displaystyle \frac{q_f}{2^{256}}}.$$

(104)

${\mathbf{B}}_2$(Bidding Round 2: Ideal ASCON-Hash Market—Preimage Bid Bounded by Capacity).

Random sponge; preimage resistance is $min(2^n,2^c)=min(2^{256},2^{256})=2^{256}$.

Total:$\mathsf{Ask}\left(g_{\mathsf{Pre}}^{\mathsf{Ascon}}\right)\le q_f/2^{256}$.    □

Theorem 36 

(ASCON-Hash Length-Extension Resistance). $\mathsf{Ask}\left(g_{\mathsf{LE}}^{\mathsf{Ascon}}\right)\le q_f/2^{256}+\mathsf{negl}\left(\lambda \right).$

Proof. 

The proof is identical in structure to the Keccak length-extension proof. The sponge output reveals only $r=64$ bits of the 320-bit state. The remaining $c=256$ bits are hidden. To extend, the buyer must guess the full 320-bit state, with $2^{256}$ candidates consistent with the 64-bit output. Each query tests one candidate: success probability $q_f/2^{256}$.    □

Table 10. ASCON-Hash lightweight market summary.

Good	Ask Bound	ASCON-Hash ($\mathit{c}=256$)	Status
Collision ($g_{\mathsf{CR}}^{\mathsf{Ascon}}$)	$q_f^2/2^{c+1}$	$q_f^2/2^{257}$	Equilibrium
Preimage ($g_{\mathsf{Pre}}^{\mathsf{Ascon}}$)	$q_f/2^c$	$q_f/2^{256}$	Equilibrium
Length-extension ($g_{\mathsf{LE}}^{\mathsf{Ascon}}$)	$q_f/2^c$	$q_f/2^{256}$	Equilibrium

Table 10. ASCON-Hash lightweight market summary.

Good	Ask Bound	ASCON-Hash ($\mathit{c}=256$)	Status
Collision ($g_{\mathsf{CR}}^{\mathsf{Ascon}}$)	$q_f^2/2^{c+1}$	$q_f^2/2^{257}$	Equilibrium
Preimage ($g_{\mathsf{Pre}}^{\mathsf{Ascon}}$)	$q_f/2^c$	$q_f/2^{256}$	Equilibrium
Length-extension ($g_{\mathsf{LE}}^{\mathsf{Ascon}}$)	$q_f/2^c$	$q_f/2^{256}$	Equilibrium

12. Case Study IV: Stream-Cipher Market—Grain-128a

Figure 41. Grain-128a stream cipher structure. The 128-bit LFSR and 128-bit NFSR form a 256-bit state. The output filter h combines selected taps from both registers to produce a keystream bit. During the 256-round initialisation, h’s output is fed back into both registers, thoroughly mixing key K and IV into the state. Normal keystream generation uses only the forward path.

Figure 41. Grain-128a stream cipher structure. The 128-bit LFSR and 128-bit NFSR form a 256-bit state. The output filter h combines selected taps from both registers to produce a keystream bit. During the 256-round initialisation, h’s output is fed back into both registers, thoroughly mixing key K and IV into the state. Normal keystream generation uses only the forward path.

12.1. Grain-128a Market Setup

Grain-128a [38] is a lightweight stream cipher with a 128-bit key K, a 96-bit IV, and an internal state of 256 bits split into a 128-bit LFSR (Linear Feedback Shift Register) and a 128-bit NFSR (Nonlinear Feedback Shift Register). The output bit is computed via a nonlinear filter function h combining selected LFSR and NFSR bits, plus a linear function of NFSR bits. The seller offers $g_{\mathsf{PRG}}$: pseudorandom generator security, i.e., distinguishing the keystream from random.

Definition 30 

(Stream Cipher PRG Good).

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{PRG}}\right)& =\underset{\mathcal{A}\in \mathsf{PPT}}{max}\left|Pr\left[\mathcal{A}\left(\mathsf{Grain}\right(K,\mathsf{IV}\left)\right)=1\right]-Pr\left[\mathcal{A}\left(R\right)=1\right]\right|\hfill \\ \hfill & \mathrm{where}R\stackrel{\$}{\leftarrow }{\{0,1\}}^L,L\mathrm{is}\mathrm{the}\mathrm{keystream}\mathrm{length}.\hfill \end{array}$$

(105)

12.2. State Recovery Attack Bid

Theorem 37 

(Grain-128a State Recovery Bid Failure).

$$\mathsf{Ask}(g_{\mathsf{PRG}},\mathrm{state}\mathrm{recovery}\mathrm{bid})\le L·2^{-256}+\mathsf{negl}\left(\lambda \right),$$

(106)

where L is the observed keystream length.

Proof. 

We construct four games.

${\mathbf{B}}_0$(Bidding Round 0: Real Grain-128a Market—State Recovery Bid). [enhanced,breakable,colback=blue!2!white,colframe=darkblue!40!black,boxrule=0.4pt,arc=1.5pt,left=5pt,right=5pt,top=2pt,bottom=2pt,fontupper=] Purpose: Establish the baseline game in which the scheme or protocol runs completely honestly and the adversary has unrestricted oracle access. This round defines the quantity ${\mathsf{Ask}}_0$ that all subsequent price adjustments are measured against. Every following bidding round introduces a single controlled modification; summing the resulting price adjustments yields the final equilibrium bound.

Buyer observes L keystream bits $z_0,z_1,\dots ,z_{L-1}$ and attempts to determine the full 256-bit internal state at some time step t.

${\mathbf{B}}_1$(Bidding Round 1: Algebraic Complexity Bid—Linearising the NFSR System).

The NFSR feedback polynomial $g\left(x\right)$ of Grain-128a has algebraic degree 6 with 46 monomials. The buyer attempts to solve for the NFSR state by collecting output equations and linearising. Each output bit gives one equation in 256 unknowns. To solve the system, the buyer needs the equations to be (approximately) independent.

Difference bound. The nonlinear filter function h has algebraic degree 4 and uses bits from both the LFSR and NFSR at positions designed to maximise algebraic immunity. The algebraic immunity of h is $\mathsf{AI}\left(h\right)=4$, meaning that any annihilator of h or $h\oplus 1$ has degree at least 4. Algebraic attacks [39] require $\left({\displaystyle \genfrac{}{}{0pt}{}{256}{4}}\right)\approx 2^{28.9}$ equations of degree $\le 4$, but then solving a system of this size over $\mathsf{GF}\left(2\right)$ with $2^{28.9}$ equations in $2^{28.9}$ unknowns has complexity $\Omega \left({\left(2^{28.9}\right)}^{\omega }\right)\approx 2^{68}$ where $\omega \approx 2.37$ is the matrix multiplication exponent.

However, this is the algebraic attack complexity, not a state-recovery from keystream. The critical observation is that the initialisation phase runs 256 rounds with output feedback, thoroughly mixing K and $\mathsf{IV}$ into the state. The buyer must invert this initialisation to recover K.

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le L·2^{-256}.$$

(107)

This bound follows because each output bit is a degree-4 function of 256 state bits, providing at most $O(log(L\left)\right)$ bits of information about the state, and the state space is $2^{256}$.

${\mathbf{B}}_2$(Bidding Round 2: LFSR Correlation Bid—Exploiting Output Function Bias). [enhanced,breakable,colback=blue!2!white,colframe=darkblue!40!black,boxrule=0.4pt,arc=1.5pt,left=5pt,right=5pt,top=2pt,bottom=2pt,fontupper=] Purpose: Eliminate the adversarial attack vector identified by this bidding round’s title (LFSR Correlation Bid—Exploiting Output Function Bias), isolating the corresponding hardness assumption as the sole price adjustment. The seller introduces a controlled modification to the game that blocks exactly this class of attack while leaving all other adversarial capabilities unchanged.

The buyer exploits the LFSR linearity to mount a correlation attack. The output function h is correlated with individual LFSR bits with bias $ϵ$. If $ϵ$ is non-negligible, the buyer can recover LFSR bits and then the full state. The resiliency of h is designed to be 4, meaning correlation with any set of $\le 4$ input variables is zero.

Difference bound. Best-known correlation of h with linear functions of the state has bias $\le 2^{-48}$ for the full function. Recovering the 128-bit LFSR state via fast correlation attacks requires $L\ge 2^{96}/{ϵ}^2=2^{96}/2^{-96}=2^{192}$ keystream bits, which exceeds the maximal keystream length allowed per $(K,\mathsf{IV})$ pair.

$$|Pr\left[{\mathbf{B}}_1=1\right]-Pr\left[{\mathbf{B}}_2=1\right]|\le {\displaystyle \frac{L^2·2^{-96}}{2^{128}}}\le \mathsf{negl}\left(\lambda \right).$$

(108)

${\mathbf{B}}_3$(Bidding Round 3: Ideal Grain-128a Market—State Recovery Bid Fails).

Random keystream; state recovery gives no advantage: $Pr\left[{\mathbf{B}}_3=1\right]=1/2$.

Total:$\mathsf{Ask}\left(\mathrm{state}\mathrm{recovery}\right)\le L·2^{-256}+\mathsf{negl}\left(\lambda \right)$.

${\mathbf{B}}_{\mathsf{sca}}$(Side-Channel Bid: Comprehensive Physical Leakage Attack.)

SCA extended difference lemma.$F_{\mathsf{sca}}=F_{\mathsf{SPA}}\cup F_{\mathsf{DPA}}\cup F_{\mathsf{timing}}\cup F_{\mathsf{cache}}\cup F_{\mathsf{EMA}}\cup F_{\mathsf{fault}}\cup F_{\mathsf{cold}}\cup F_{\mathsf{acoustic}}\cup F_{\mathsf{photonic}}$: “${\mathcal{A}}_{\mathsf{phys}}$ recovers $\ge 1$ secret bit via any physical channel from $\le q_{\mathsf{phys}}$ measurements.” By Lemma 2, the side-channel event is independent of the mathematical failure events $F_{\mathsf{nonce}},F_{\mathsf{hash}},\dots$ in the preceding rounds, so their joint probability satisfies $Pr\left[{\bigcup }_k{F}_k\cup F_{\mathsf{sca}}\right]\le {\sum }_{k}Pr\left[F_k\right]+{\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}(\lambda ,d)$. With the comprehensive countermeasure suite, ${\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}=\mathsf{negl}\left(\lambda \right)$, preserving market equilibrium.

${\mathbf{B}}_{\mathsf{tight}}$(Tight Security Reduction—Additional Proof.)

Total Session Bound and Key Rotation Recommendation.

Session pinging and CNF checking within the proof. For consecutive keystream sessions ${\mathsf{Session}}_i=(K,{\mathsf{IV}}_i)$ and ${\mathsf{Session}}_{i+1}=(K,{\mathsf{IV}}_{i+1})$, the ping check verifies IV freshness: ${\mathsf{IV}}_{i+1}\notin \{{\mathsf{IV}}_1,\dots ,{\mathsf{IV}}_i\}$. This is critical because IV reuse under the same key K immediately leaks $z_i\oplus z_{i+1}$ (the XOR of two plaintexts), collapsing the distinguishing and state-recovery markets simultaneously. The CNF clause ${\phi }^{\mathsf{iv}}$ enforces this via an IV log. The 256-round initialisation phase ensures that even similar IVs produce statistically independent internal states. The session-CNF ${\phi }_{\mathsf{Grain},i+1}$ is isomorphic to ${\phi }_{\mathsf{Grain},i}$ with ${\mathsf{IV}}_i\mapsto {\mathsf{IV}}_{i+1}$; since the state after initialisation is a fresh 256-bit value, the security reduction is session-index-independent. By Theorem 3, Grain-128a is PRG-secure for unbounded sessions under IV non-reuse, with ${\delta }_{\mathsf{ping}}=0$ (enforced by counter-based IV management).    □

12.3. Key Recovery Attack Bid

Theorem 38 

(Grain-128a Key Recovery Bid Failure).

$$\mathsf{Ask}(g_{\mathsf{PRG}},\mathrm{key}\mathrm{recovery}\mathrm{bid})\le 2^{-128+{log}_2\left(q_{\mathsf{IV}}\right)}+\mathsf{negl}\left(\lambda \right),$$

(109)

where $q_{\mathsf{IV}}$ is the number of distinct IVs observed.

Proof. 

We construct four games.

${\mathbf{B}}_0$(Bidding Round 0: Real Grain-128a Market—Key Recovery Bid). [enhanced,breakable,colback=blue!2!white,colframe=darkblue!40!black,boxrule=0.4pt,arc=1.5pt,left=5pt,right=5pt,top=2pt,bottom=2pt,fontupper=] Purpose: Establish the baseline game in which the scheme or protocol runs completely honestly and the adversary has unrestricted oracle access. This round defines the quantity ${\mathsf{Ask}}_0$ that all subsequent price adjustments are measured against. Every following bidding round introduces a single controlled modification; summing the resulting price adjustments yields the final equilibrium bound.

Buyer observes keystreams under the same key K but different IVs: $(z^{\left(1\right)},{\mathsf{IV}}_1),\dots ,(z^{\left(q_{\mathsf{IV}}\right)},{\mathsf{IV}}_{q_{\mathsf{IV}}})$. Goal: output K.

${\mathbf{B}}_1$(Bidding Round 1: Initialisation Inversion Bid—Inverting 256 Rounds of Nonlinear Mixing). [enhanced,breakable,colback=blue!2!white,colframe=darkblue!40!black,boxrule=0.4pt,arc=1.5pt,left=5pt,right=5pt,top=2pt,bottom=2pt,fontupper=] Purpose: Bound the linear cryptanalysis advantage via the piling-up lemma. A linear distinguisher evaluates $\langle \alpha ,x\rangle \oplus \langle \beta ,E_K\left(x\right)\rangle =\langle \gamma ,K\rangle$ for bias ${ϵ}_L$; with $q_E\sim 1/{ϵ}_L^2$ known plaintext pairs, it recovers key bits with non-negligible probability.

The buyer attempts to invert the 256-round initialisation to recover $(K,\mathsf{IV})$ from the post-initialisation state. The initialisation feeds back the output into the LFSR, creating a highly nonlinear, non-invertible mixing of K and $\mathsf{IV}$.

Difference bound. Each initialisation round applies: LFSR$[t+128]=f\left(\mathrm{LFSR}\right)\oplus h\left(\mathrm{state}\right)\oplus \mathrm{NFSR}\left[t\right]$, and NFSR$[t+128]=g\left(\mathrm{NFSR}\right)\oplus \mathrm{LFSR}\left[t\right]\oplus h\left(\mathrm{state}\right)$. After 256 rounds, every state bit depends on all 128 key bits and all 96 IV bits through nonlinear compositions. The inversion complexity is at least $2^{128}$ (exhaustive key search).

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le 2^{-128}.$$

(110)

${\mathbf{B}}_2$(Bidding Round 2: Multi-IV Correlation Bid—Combining Equations Across IVs).

With $q_{\mathsf{IV}}$ keystreams, the buyer forms a system of equations. However, each IV produces an independent initialisation, so the equations share only K as a common variable. The buyer’s advantage grows linearly with $q_{\mathsf{IV}}$:

$$|Pr\left[{\mathbf{B}}_1=1\right]-Pr\left[{\mathbf{B}}_2=1\right]|\le q_{\mathsf{IV}}·2^{-128}.$$

(111)

${\mathbf{B}}_3$(Bidding Round 3: Ideal Grain-128a Market—Key Recovery Bid Fails).

K uniformly random and independent. $Pr\left[{\mathbf{B}}_3=1\right]=2^{-128}$.

Total:$\mathsf{Ask}\left(\mathrm{key}\mathrm{recovery}\right)\le q_{\mathsf{IV}}·2^{-128}$.

Session pinging within key recovery. Each new IV session ${\mathsf{Session}}_{i+1}=(K,{\mathsf{IV}}_{i+1})$ contributes one additional equation to the buyer’s multi-IV correlation system. The ping mechanism bounds the total number of structurally distinct sessions: with $q_{\mathsf{IV}}$ sessions, the accumulated advantage is $q_{\mathsf{IV}}·2^{-128}$. The ping check ${\mathsf{IV}}_{i+1}\notin {\mathcal{IV}}_{\mathsf{used}}$ ensures each session provides at most one independent equation. Without ping enforcement, an adversary could replay the same IV to obtain correlated keystreams, potentially reducing the effective key space. The CNF clause ${\phi }^{\mathsf{iv}}$ detects any such replay. By Theorem 3 with ${\delta }_{\mathsf{ping}}\le q_{\mathsf{IV}}·2^{-128}$, key recovery remains infeasible for $q_{\mathsf{IV}}\le 2^{64}$.    □

12.4. Distinguishing Attack Bid

Theorem 39 

(Grain-128a Distinguishing Bid Failure).

$$\mathsf{Ask}(g_{\mathsf{PRG}},\mathrm{distinguishing}\mathrm{bid})\le L^2·2^{-97}+\mathsf{negl}\left(\lambda \right).$$

(112)

Proof. 

We construct three games.

${\mathbf{B}}_0$(Bidding Round 0: Real Grain-128a Market—PRG Distinguishing Bid).

Buyer receives either $\mathsf{Grain}(K,\mathsf{IV})$ or $R\stackrel{\$}{\leftarrow }{\{0,1\}}^L$ and must decide which.

${\mathbf{B}}_1$(Bidding Round 1: Statistical Bias Bid—Detecting Output Function Imbalance).

The buyer looks for statistical biases in the keystream. The output function h is balanced (equal number of 0s and 1s in its truth table). However, the composition of h with the LFSR/NFSR evolution may introduce subtle biases.

Difference bound. The best known bias in the Grain-128a output is bounded by $ϵ\le 2^{-48.5}$ [40]. Detecting a bias $ϵ$ with confidence requires $L\ge 1/{ϵ}^2=2^{97}$ keystream bits. For $L<2^{97}$:

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le L·ϵ\le L·2^{-48.5}.$$

(113)

More precisely, the advantage of the optimal linear distinguisher is:

$${\mathsf{Adv}}_{\mathsf{dist}}\le \sqrt{L}·ϵ\le L^2·2^{-97}(\mathrm{using}\mathrm{Piling}-\mathrm{up}\mathrm{lemma}).$$

(114)

${\mathbf{B}}_2$(Bidding Round 2: Ideal Grain-128a Market—Distinguishing Bid Fails).

Random string; buyer advantage = 0.

Total:$\mathsf{Ask}\left(\mathrm{distinguishing}\right)\le L^2·2^{-97}$.

Session pinging within distinguishing. Across multiple sessions, the buyer accumulates keystream bits: session ${\mathsf{Session}}_{i+1}$ provides $L_{i+1}$ additional bits. The total observed length is $L_{\mathsf{total}}={\sum }_{j=1}^{i+1}{L}_j$. The distinguishing advantage grows as $L_{\mathsf{total}}^2·2^{-97}$. The ping mechanism ensures each session uses a fresh IV, so keystream segments are independent. The CNF clause ${\phi }^{\mathsf{dist}}$ checks that the accumulated keystream passes statistical bias tests. For practical keystream budgets ($L_{\mathsf{total}}\le 2^{48}$), the accumulated advantage is $2^{96}·2^{-97}=2^{-1}$—still below the distinguishing threshold. Key rotation before $L_{\mathsf{total}}=2^{48}$ maintains equilibrium.    □

12.5. Time-Memory-Data Trade-Off Bid

Theorem 40 

(Grain-128a TMTO Bid Failure). For any time-memory-data trade-off with parameters T (time), M (memory), D (data):

$$\mathsf{Ask}(g_{\mathsf{PRG}},\mathrm{TMTO}\mathrm{bid})\le {\displaystyle \frac{T·M·D}{2^{256}}}+\mathsf{negl}\left(\lambda \right),$$

(115)

subject to the constraint $T·M^2·D^2\le 2^{512}$ (Babbage-Golić curve [41]).

Proof. 

We construct three games.

${\mathbf{B}}_0$(Bidding Round 0: Real Grain-128a Market—TMTO Precomputation Bid).

Buyer precomputes a table of size M mapping keystream prefixes to states, observes D keystream segments, and inverts using time T.

${\mathbf{B}}_1$(Bidding Round 1: Hellman TMTO Bid—Precomputed Chain Coverage).

The buyer uses Hellman’s TMTO [42]: precompute $M=2^m$ chains of length $T/M=2^t$ in the state space $N=2^{256}$. Coverage: $M·T/M=T$ states. The probability of the target state being in the table is $T/N=T/2^{256}$. With D observations, the success probability is:

$$Pr\left[\mathrm{TMTO}\mathrm{success}\right]\le D·T/2^{256}.$$

(116)

Difference bound. The classical TMTO curve gives $T·M^2=N^2=2^{512}$ for single-target attacks. With D data points: $T·M^2·D^2=2^{512}$. For $M=D=2^{64}$: $T=2^{512}/(2^{128}·2^{128})=2^{256}$, which is exhaustive search.

${\mathbf{B}}_2$(Bidding Round 2: Ideal Grain-128a Market—TMTO Bid Faces Full $2^{256}$ State Space).

Random function; TMTO on a random function of the same state size has identical complexity.

Total:$\mathsf{Ask}\left(\mathrm{TMTO}\right)\le T·D/2^{256}$, which is negligible for practical parameters.

Session pinging within TMTO. The TMTO buyer’s precomputation table is built once and amortised across sessions. With each new session ${\mathsf{Session}}_{i+1}$ using a fresh IV, the buyer obtains one additional data point $D_{i+1}$. The total data across $i+1$ sessions is $D_{\mathsf{total}}=i+1$. The TMTO curve $T·M^2·D_{\mathsf{total}}^2\le 2^{512}$ constrains the buyer’s total resources. The ping mechanism ensures each data point comes from an independent initialisation (fresh IV), preventing the buyer from obtaining correlated observations that might reduce the effective state space below $2^{256}$. The session-CNF clause ${\phi }^{\mathsf{tmto}}$ checks that the buyer’s resource budget $(T,M,D)$ satisfies the TMTO curve constraint. By Theorem 3, the TMTO bid remains unsuccessful for unbounded sessions as long as the accumulated resources satisfy the Babbage-Golić constraint.    □

Table 11. Grain-128a stream-cipher market summary.

Bid Type	Ask Bound	Practical Bound	Status
State recovery	$L·2^{-256}$	$\le 2^{-192}$	Equilibrium
Key recovery	$q_{\mathsf{IV}}·2^{-128}$	$\le 2^{-64}$	Equilibrium
Distinguishing	$L^2·2^{-97}$	$\le 2^{-33}$	Equilibrium
TMTO	$TD/2^{256}$	$\le 2^{-128}$	Equilibrium

Table 11. Grain-128a stream-cipher market summary.

Bid Type	Ask Bound	Practical Bound	Status
State recovery	$L·2^{-256}$	$\le 2^{-192}$	Equilibrium
Key recovery	$q_{\mathsf{IV}}·2^{-128}$	$\le 2^{-64}$	Equilibrium
Distinguishing	$L^2·2^{-97}$	$\le 2^{-33}$	Equilibrium
TMTO	$TD/2^{256}$	$\le 2^{-128}$	Equilibrium

12.6. ChaCha20: ARX Stream-Cipher Market

Figure 42. ChaCha20 state matrix and quarter-round operation. The 512-bit state (4×4 matrix of 32-bit words) contains constants, the 256-bit key, a 32-bit counter, and a 96-bit nonce. Twenty rounds of ARX quarter-rounds (alternating column and diagonal patterns) produce 512 bits of keystream per block. The feedforward addition of the initial state prevents state recovery from keystream output.

Figure 42. ChaCha20 state matrix and quarter-round operation. The 512-bit state (4×4 matrix of 32-bit words) contains constants, the 256-bit key, a 32-bit counter, and a 96-bit nonce. Twenty rounds of ARX quarter-rounds (alternating column and diagonal patterns) produce 512 bits of keystream per block. The feedforward addition of the initial state prevents state recovery from keystream output.

Definition 31 

(ChaCha20 PRG Security Good).

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{PRG}}^{\mathsf{ChaCha}}\right)& =\underset{\mathcal{A}\in \mathsf{PPT}}{max}\left|Pr\left[\mathcal{A}\left(\mathsf{ChaCha}\mathsf{20}\right(K,\mathsf{nonce},\mathsf{ctr}\left)\right)=1\right]-Pr\left[\mathcal{A}\left(R\right)=1\right]\right|\hfill \\ \hfill & \mathrm{where}R\stackrel{\$}{\leftarrow }{\{0,1\}}^L,L\mathrm{is}\mathrm{the}\mathrm{keystream}\mathrm{length}.\hfill \end{array}$$

(117)

Theorem 41 

(ChaCha20 State Recovery Bid Failure).

$$\mathsf{Ask}(g_{\mathsf{PRG}}^{\mathsf{ChaCha}},\mathrm{state}\mathrm{recovery}\mathrm{bid})\le L·2^{-256}+\mathsf{negl}\left(\lambda \right).$$

(118)

Proof. 

We construct four games.

${\mathbf{B}}_0$(Bidding Round 0: Real ChaCha20 Market—State Recovery Bid).

Buyer observes L keystream bits and attempts to determine the 512-bit internal state.

${\mathbf{B}}_1$(Bidding Round 1: Feedforward Inversion Bid—Undoing the Addition).

ChaCha20’s output is ${\mathsf{state}}_{\mathsf{final}}=\mathsf{ChaCha}\mathsf{20}\_\mathsf{block}\left(S_0\right)+S_0$, where $S_0$ is the initial state and + denotes word-wise addition mod $2^{32}$. The buyer observes 512 bits of ${\mathsf{state}}_{\mathsf{final}}+S_0$ but does not know $S_0$. To recover $S_0$, the buyer must solve ${\mathsf{state}}_{\mathsf{final}}=F\left(S_0\right)+S_0$ for $S_0$, where F is the 20-round ChaCha permutation. This is a nonlinear equation in 512 unknown bits.

Difference bound. The feedforward structure is critical: without it, the buyer could invert the permutation F (which is invertible) to recover $S_0$. With feedforward, the buyer must find a fixed point of the function $G\left(S_0\right)=\mathsf{output}-F\left(S_0\right)$, which has no known efficient algorithm. The effective key search space is $2^{256}$ (the key occupies 256 of the 512 state bits; the remaining 256 bits are known constants, nonce, and counter).

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le L·2^{-256}.$$

(119)

${\mathbf{B}}_2$(Bidding Round 2: Differential-ARX Bid—Propagating Differences Through Quarter-Rounds).

The buyer attempts differential cryptanalysis on the ChaCha core function. Each quarter-round applies four ARX operations. The modular addition $a+b$ has maximum differential probability ${\mathsf{DP}}_{max}=1$ for zero differences but decays rapidly: for random non-zero differences, the expected number of rounds before the difference becomes uniformly distributed is approximately 4. After 20 rounds (10 double-rounds), the differential probability of any characteristic is below $2^{-256}$ for the full 512-bit state.

Difference bound. The best known differential-linear attack on ChaCha reaches 7 rounds with $2^{218}$ complexity [43]. For the full 20 rounds, no differential characteristic with probability above $2^{-256}$ is known.

$$|Pr\left[{\mathbf{B}}_1=1\right]-Pr\left[{\mathbf{B}}_2=1\right]|\le \mathsf{negl}\left(\lambda \right).$$

(120)

${\mathbf{B}}_3$(Bidding Round 3: Ideal ChaCha20 Market—State Recovery Bid Fails).

Random keystream; no state to recover. $Pr\left[{\mathbf{B}}_3=1\right]=1/2$.

Total:$\mathsf{Ask}\left(\mathrm{state}\mathrm{recovery}\right)\le L·2^{-256}+\mathsf{negl}\left(\lambda \right)$.    □

Theorem 42 

(ChaCha20 Distinguishing Bid Failure).

$$\mathsf{Ask}(g_{\mathsf{PRG}}^{\mathsf{ChaCha}},\mathrm{distinguishing}\mathrm{bid})\le L·2^{-256}+\mathsf{negl}\left(\lambda \right).$$

(121)

Proof. 

We construct three games.

${\mathbf{B}}_0$(Bidding Round 0: Real ChaCha20 Market—PRG Distinguishing Bid).

Buyer receives either $\mathsf{ChaCha}\mathsf{20}(K,\mathsf{nonce})$ or $R\stackrel{\$}{\leftarrow }{\{0,1\}}^L$ and must decide which.

${\mathbf{B}}_1$(Bidding Round 1: Statistical Bias Bid—Detecting ARX Output Imbalance). [enhanced,breakable,colback=blue!2!white,colframe=darkblue!40!black,boxrule=0.4pt,arc=1.5pt,left=5pt,right=5pt,top=2pt,bottom=2pt,fontupper=] Purpose: Replace FN-DSA’s fast discrete Gaussian sampler with the ideal exact Gaussian, removing the small statistical gap introduced by the sampler’s fast-Fourier approximation. This isolates the sampler’s Rényi divergence as an explicit security loss, allowing the subsequent hops to reason about exact Gaussian signatures.

The buyer searches for statistical biases in the 512-bit output blocks. Each output word is computed as $\mathsf{ChaCha}\_\mathsf{perm}\left(S_0\right)\left[i\right]+S_0\left[i\right]mod{2}^{32}$. The feedforward addition with known $S_0$ words (constants, counter, nonce) could theoretically introduce biases if the permutation output is correlated with its input. However, after 20 rounds of alternating column and diagonal quarter-rounds, the permutation output is statistically independent of the input for all practical purposes.

Difference bound. The best known distinguisher for full 20-round ChaCha20 has advantage $\le 2^{-256}$ (no distinguisher better than exhaustive key search is known). For reduced-round variants, the best attack on 7-round ChaCha has $2^{218}$ complexity; for 8 rounds, $2^{248}$.

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le L·2^{-256}.$$

(122)

${\mathbf{B}}_2$(Bidding Round 2: Ideal ChaCha20 Market—Distinguishing Bid Fails).

Random string; buyer advantage = 0.

Total:$\mathsf{Ask}\left(\mathrm{distinguishing}\right)\le L·2^{-256}$.    □

Theorem 43 

(ChaCha20 TMTO Bid Failure). For any time-memory-data trade-off with parameters $T,M,D$:

$$\mathsf{Ask}(g_{\mathsf{PRG}}^{\mathsf{ChaCha}},\mathrm{TMTO}\mathrm{bid})\le {\displaystyle \frac{T·D}{2^{256}}}+\mathsf{negl}\left(\lambda \right),$$

(123)

subject to $T·M^2·D^2\le 2^{512}$.

Proof. 

We construct three games.

${\mathbf{B}}_0$(Bidding Round 0: Real ChaCha20 Market—TMTO Precomputation Bid).

Buyer precomputes a table mapping keystream prefixes to keys and inverts using time T.

${\mathbf{B}}_1$(Bidding Round 1: Hellman Table Bid—Key Space Coverage).

The buyer constructs Hellman tables over the $2^{256}$ key space (the nonce and counter are known). Table coverage is T keys. Success probability per observation: $T/2^{256}$. With D distinct nonce observations:

$$Pr\left[\mathrm{TMTO}\mathrm{success}\right]\le D·T/2^{256}.$$

(124)

The TMTO curve $T·M^2=N^2=2^{512}$ bounds the trade-off. For $M=D=2^{64}$: $T=2^{512}/(2^{128}·2^{128})=2^{256}$ (exhaustive search).

${\mathbf{B}}_2$(Bidding Round 2: Ideal ChaCha20 Market—TMTO Faces Full Key Space).

Random function; TMTO has identical complexity.

Total:$\mathsf{Ask}\left(\mathrm{TMTO}\right)\le TD/2^{256}$, negligible for practical parameters.    □

Theorem 44 

(ChaCha20 Combined Market Equilibrium). Combining all known bid types:

$$\mathsf{Ask}\left(g_{\mathsf{PRG}}^{\mathsf{ChaCha}}\right)\le max\left(L·2^{-256},TD/2^{256}\right)+\mathsf{negl}\left(\lambda \right)\le \mathsf{negl}\left(\lambda \right),$$

(125)

for practical parameters ($L\le 2^{38}$ bytes per nonce, $T\le 2^{128}$). The ChaCha20 market is inequilibrium .

Proof. 

The nonce-misuse bid is the most dangerous practical threat: if the buyer reuses a $(K,\mathsf{nonce})$ pair, the XOR of two keystreams is identical, leaking $m_1\oplus m_2$. This is not a cryptanalytic break but a protocol failure. With unique nonces (enforced by the session-CNF), all bids fail. The 256-bit key space exceeds the security margin of any known attack on the full 20-round cipher.    □

Table 12. ChaCha20 stream-cipher market summary.

Bid Type	Ask Bound	Practical Bound	Status
State recovery	$L·2^{-256}$	$\le 2^{-218}$	Equilibrium
Distinguishing	$L·2^{-256}$	$\le 2^{-218}$	Equilibrium
TMTO	$TD/2^{256}$	$\le 2^{-128}$	Equilibrium
Nonce misuse	1 (if nonce reused)	0 (counter nonces)	Equilibrium (with policy)

Table 12. ChaCha20 stream-cipher market summary.

Bid Type	Ask Bound	Practical Bound	Status
State recovery	$L·2^{-256}$	$\le 2^{-218}$	Equilibrium
Distinguishing	$L·2^{-256}$	$\le 2^{-218}$	Equilibrium
TMTO	$TD/2^{256}$	$\le 2^{-128}$	Equilibrium
Nonce misuse	1 (if nonce reused)	0 (counter nonces)	Equilibrium (with policy)

12.7. Trivium: Minimalist Stream-Cipher Market

Figure 43. Trivium three-register stream cipher structure. Three coupled NFSRs (93 + 84 + 111 = 288 bits) with circular feedback ($A\to B\to C\to A$). Each register contributes a linear tap and an AND gate (nonlinear). The keystream bit is the XOR of all three outputs. The 1152-clock initialisation thoroughly mixes the 80-bit key and 80-bit IV into all 288 state bits.

Figure 43. Trivium three-register stream cipher structure. Three coupled NFSRs (93 + 84 + 111 = 288 bits) with circular feedback ($A\to B\to C\to A$). Each register contributes a linear tap and an AND gate (nonlinear). The keystream bit is the XOR of all three outputs. The 1152-clock initialisation thoroughly mixes the 80-bit key and 80-bit IV into all 288 state bits.

Definition 32 

(Trivium PRG Security Good).

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{PRG}}^{\mathsf{Triv}}\right)& =\underset{\mathcal{A}\in \mathsf{PPT}}{max}\left|Pr\left[\mathcal{A}\left(\mathsf{Trivium}\right(K,\mathsf{IV}\left)\right)=1\right]-Pr\left[\mathcal{A}\left(R\right)=1\right]\right|\hfill \\ \hfill & \mathrm{where}K\stackrel{\$}{\leftarrow }{\{0,1\}}^{80},\mathsf{IV}\stackrel{\$}{\leftarrow }{\{0,1\}}^{80},R\stackrel{\$}{\leftarrow }{\{0,1\}}^L.\hfill \end{array}$$

(126)

Theorem 45 

(Trivium State Recovery Bid Failure).

$$\mathsf{Ask}(g_{\mathsf{PRG}}^{\mathsf{Triv}},\mathrm{state}\mathrm{recovery}\mathrm{bid})\le L·2^{-288}+\mathsf{negl}\left(\lambda \right).$$

(127)

Proof. 

We construct four games.

${\mathbf{B}}_0$(Bidding Round 0: Real Trivium Market—State Recovery Bid).

Buyer observes L keystream bits and attempts to determine the 288-bit internal state.

${\mathbf{B}}_1$(Bidding Round 1: Algebraic System Bid—Solving Nonlinear Equations).

Each keystream bit is a quadratic function of the 288 state bits (due to the AND gates). The buyer collects L equations and attempts to solve the system. The algebraic degree of the output increases with each clock cycle; after t clocks, the output bit has algebraic degree roughly $min(2^{t/93},2^{80})$ [46]. For $t>288$, the system of equations is highly nonlinear.

Difference bound. The best known algebraic attack on full Trivium has complexity exceeding $2^{80}$ (exhaustive key search). Linearisation-based approaches (XL, Gröbner bases) produce systems with $\left({\displaystyle \genfrac{}{}{0pt}{}{288}{2}}\right)\approx 2^{16}$ monomials of degree 2, but the system is heavily overdetermined only after $\gg 2^{16}$ keystream bits, and solving requires $\Omega \left(2^{48}\right)$ operations for the linearised system—still far from the $2^{288}$ state space.

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le L·2^{-288}.$$

(128)

${\mathbf{B}}_2$(Bidding Round 2: Correlation Bid—Exploiting Register Linearity).

Each individual register is almost linear (the AND gate provides the only nonlinearity). The buyer attempts a correlation attack: approximate the output as a linear function of one register’s bits, then use fast correlation attacks to recover that register. The correlation between the output and any single register bit is bounded by the AND gate’s bias: for two uniformly random bits $a,b$, $Pr\left[a\wedge b=0\right]=3/4$, giving bias $1/4=2^{-2}$. With three registers contributing, the effective bias per output bit is $\le 2^{-6}$.

Difference bound. Recovering the 93-bit Register A via fast correlation attacks requires $L\ge 1/{ϵ}^2=2^{12}$ keystream bits (for bias $ϵ=2^{-6}$) to obtain a statistical signal, but the system has 93 unknowns, so the actual attack complexity is $\Omega \left(2^{46}\right)$ using fast Walsh-Hadamard techniques. This is below the $2^{80}$ key-search bound and thus not the binding constraint. However, recovering all three registers requires $\Omega \left(2^{80}\right)$ total (the key determines the full state via initialisation).

$$|Pr\left[{\mathbf{B}}_1=1\right]-Pr\left[{\mathbf{B}}_2=1\right]|\le \mathsf{negl}\left(\lambda \right).$$

(129)

${\mathbf{B}}_3$(Bidding Round 3: Ideal Trivium Market—State Recovery Fails).

Random keystream; no state to recover. $Pr\left[{\mathbf{B}}_3=1\right]=1/2$.

Total:$\mathsf{Ask}\left(\mathrm{state}\mathrm{recovery}\right)\le L·2^{-288}+\mathsf{negl}\left(\lambda \right)$.    □

Theorem 46 

(Trivium Cube Attack Bid Failure).

$$\mathsf{Ask}(g_{\mathsf{PRG}}^{\mathsf{Triv}},\mathrm{cube}\mathrm{attack}\mathrm{bid})\le 2^{-80+d}+\mathsf{negl}\left(\lambda \right),$$

(130)

where d is the maximum cube dimension that yields a non-trivial superpoly (best known: $d\le 42$ for reduced-round Trivium).

Proof. 

We construct five games, expanding the cube attack analysis to cover classical cube attacks, conditional cube attacks, division-property-based cube attacks, and cube-like algebraic attacks (correlation cubes).

${\mathbf{B}}_0$(Bidding Round 0: Real Trivium Market—Cube Attack Bid).

${\mathbf{B}}_1$(Bidding Round 1: Classical Cube Attack Bid—Dinur–Shamir Framework).

${\mathbf{B}}_2$(Bidding Round 2: Division-Property Cube Attack Bid—Todo–Isobe–Hao–Meier Framework).

The division-property cube attack is the tightest known attack on Trivium. The MILP-based search identifies optimal cubes more efficiently than brute-force cube search, but the algebraic degree barrier at 1152 rounds remains insurmountable. For the 842-round variant, the buyer recovers $80-42=38$ key bits from a single dimension-42 cube; the remaining 42 bits require $2^{42}$ brute-force trials. Combined complexity: $max(2^{42},2^{38})=2^{42}$.

For full Trivium, the superpoly degree for any practical cube dimension ($d\le 45$) exceeds 2, preventing direct key-bit extraction. The bid fails with:

$$\Delta {\mathsf{Price}}_2\le 2^{-38}.$$

(131)

${\mathbf{B}}_3$(Bidding Round 3: Conditional Cube Attack Bid—Exploiting Round-Reduced Nonlinear Structure).

${\mathbf{B}}_4$(Bidding Round 4: Ideal Trivium Market—All Cube-Based Bids Fail). [enhanced,breakable,colback=blue!2!white,colframe=darkblue!40!black,boxrule=0.4pt,arc=1.5pt,left=5pt,right=5pt,top=2pt,bottom=2pt,fontupper=] Purpose: Reach the ideal game where the keystream is replaced by a truly random function.

Random function; all cube sums are random. Buyer advantage: $2^{-80}$.

Combined cube attack bid cost. By the extended difference lemma (Lemma 2):

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(\mathrm{cube}\mathrm{bids}\right)& \le Pr\left[F_{\mathsf{classical}}\cup F_{\mathsf{div}-\mathsf{prop}}\cup F_{\mathsf{conditional}}\right]\hfill \\ \hfill & \le 2^{-80}+2^{-38}+2^{-40}\hfill \\ \hfill & \le 2^{-37.4}.\hfill \end{array}$$

(132)

Cube attack timeline and security margin analysis:

Technique	Rounds broken	Cube dim. d	Complexity	Margin from 1152
Dinur–Shamir (2009)	767	27	$2^{27}$	385 rounds (33%)
Fouque–Vannet (2013)	799	33	$2^{39}$	353 rounds (31%)
Conditional (2020)	835	40	$2^{60}$	317 rounds (28%)
Todo–Isobe–Hao–Meier (2018)	842	42	$2^{62}$	310 rounds (27%)
Full Trivium	1152	$\ge 79$	$\ge 2^{79}$	0 (secure)

The security margin of 310 rounds ($27\%$) indicates that Trivium’s 1152-round initialisation provides a substantial buffer against cube attacks. Even if future cube techniques improve by 100 rounds (a dramatic advance), Trivium would retain a $\ge 210$-round margin.    □

Theorem 47 

(Trivium Combined Market Equilibrium). Combining all known bid types:

$$\mathsf{Ask}\left(g_{\mathsf{PRG}}^{\mathsf{Triv}}\right)\le max\left(L·2^{-288},2^{-38},q_{\mathsf{IV}}·2^{-80},TD/2^{288}\right)+\mathsf{negl}\left(\lambda \right)\le \mathsf{negl}\left(\lambda \right),$$

(133)

for practical parameters ($L\le 2^{64}$, $q_{\mathsf{IV}}\le 2^{40}$). The Trivium market is inequilibriumwith an 80-bit security margin.

Proof. 

The key recovery bid follows the same structure as Grain-128a: each IV produces an independent initialisation, and the equations share only K. The buyer’s advantage grows linearly with $q_{\mathsf{IV}}$: $\mathsf{Ask}\left(\mathrm{key}\mathrm{recovery}\right)\le q_{\mathsf{IV}}·2^{-80}$. The TMTO bid faces the full $2^{288}$-state space: $\mathsf{Ask}\left(\mathrm{TMTO}\right)\le TD/2^{288}$. The cube attack bid is the tightest constraint at $2^{-38}$, but this is still negligible for the security parameter $\lambda =80$. All bids fail.    □

Table 13. Trivium stream-cipher market summary.

Bid Type	Ask Bound	Practical Bound	Status
State recovery	$L·2^{-288}$	$\le 2^{-224}$	Equilibrium
Key recovery	$q_{\mathsf{IV}}·2^{-80}$	$\le 2^{-40}$	Equilibrium
Cube attack	$2^{-38}$	$\le 2^{-38}$	Equilibrium (tightest)
Correlation	$L^2·2^{-12}/2^{80}$	$\le 2^{-16}$	Equilibrium
TMTO	$TD/2^{288}$	$\le 2^{-160}$	Equilibrium

Table 13. Trivium stream-cipher market summary.

Bid Type	Ask Bound	Practical Bound	Status
State recovery	$L·2^{-288}$	$\le 2^{-224}$	Equilibrium
Key recovery	$q_{\mathsf{IV}}·2^{-80}$	$\le 2^{-40}$	Equilibrium
Cube attack	$2^{-38}$	$\le 2^{-38}$	Equilibrium (tightest)
Correlation	$L^2·2^{-12}/2^{80}$	$\le 2^{-16}$	Equilibrium
TMTO	$TD/2^{288}$	$\le 2^{-160}$	Equilibrium

13. Case Study V: Protocols

13.1. Two-Party Key Exchange (ISO/IEC 11770-3, Mech. 6)

$A\to B$: $\mathsf{sid}\parallel N_A\parallel {\mathsf{id}}_A$. $B\to A$: $\mathsf{sid}\parallel N_B\parallel c\parallel {\sigma }_B$ where ${\sigma }_B=\mathsf{Sign}({\mathsf{sk}}_B,\mathsf{sid}\parallel N_A\parallel N_B\parallel {\mathsf{id}}_A\parallel {\mathsf{id}}_B\parallel c)$. $A\to B$: ${\sigma }_A$. Both derive $K_{\mathsf{sess}}=\mathsf{KDF}(K,\mathsf{sid}\parallel N_A\parallel N_B)$.

Figure 44. Two-party key exchange (ISO/IEC 11770-3, Mechanism 6). Signatures bind all session data; both parties derive the same session key.

Figure 44. Two-party key exchange (ISO/IEC 11770-3, Mechanism 6). Signatures bind all session data; both parties derive the same session key.

Theorem 48 

(Two-Party Equilibrium). $\mathsf{Ask}\left(g_{\mathsf{key}-\mathsf{secrecy}}\right)\le {\mathsf{Adv}}_{\mathsf{KEM}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}+2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}+\mathsf{negl}\left(\lambda \right).$

Proof. 

${\mathbf{B}}_0$ (Real protocol). Active network adversary.

${\mathbf{B}}_1$ (Signature forgery bid on B). Abort if the adversary produces valid ${\sigma }_B$ not generated by B. Difference lemma: $F_{\mathsf{forge}\_\mathsf{B}}$: $\mathcal{A}$ forges B’s signature. $\Delta {\mathsf{Price}}_0\le {\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}$.

Extended lemma application. The adversary could simultaneously attempt: $F_1$: forge ${\sigma }_B$ directly; $F_2$: replay old ${\sigma }_B$ from a different session. However, since $\mathsf{sid}$ is included in the signed data, $Pr\left[F_2\mid \mathrm{different}\mathrm{SID}\right]=0$. Thus $Pr\left[F_1\cup F_2\right]=Pr\left[F_1\right]={\mathsf{Adv}}^{\mathsf{EUF}}$. The SID binding eliminates the replay failure for free.

${\mathbf{B}}_2$ (Signature forgery bid on A).$\Delta {\mathsf{Price}}_1\le {\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}$.

${\mathbf{B}}_3$ (KEM key recovery bid). Replace encapsulated key K with random $K^{\prime }$. $\Delta {\mathsf{Price}}_2\le {\mathsf{Adv}}_{\mathsf{KEM}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}$.

${\mathbf{B}}_4$ (Ideal). Session key independent of all messages. Buyer advantage = 0.

${\mathbf{B}}_{\mathsf{sca}}$(Side-Channel Bid: Comprehensive Physical Leakage Attack.)

SCA extended difference lemma.$F_{\mathsf{sca}}=F_{\mathsf{SPA}}\cup F_{\mathsf{DPA}}\cup F_{\mathsf{timing}}\cup F_{\mathsf{cache}}\cup F_{\mathsf{EMA}}\cup F_{\mathsf{fault}}\cup F_{\mathsf{cold}}\cup F_{\mathsf{acoustic}}\cup F_{\mathsf{photonic}}$: “${\mathcal{A}}_{\mathsf{phys}}$ recovers $\ge 1$ secret bit via any physical channel from $\le q_{\mathsf{phys}}$ measurements.” By Lemma 2, the side-channel event is independent of the mathematical failure events $F_{\mathsf{nonce}},F_{\mathsf{hash}},\dots$ in the preceding rounds, so their joint probability satisfies $Pr\left[{\bigcup }_k{F}_k\cup F_{\mathsf{sca}}\right]\le {\sum }_{k}Pr\left[F_k\right]+{\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}(\lambda ,d)$. With the comprehensive countermeasure suite, ${\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}=\mathsf{negl}\left(\lambda \right)$, preserving market equilibrium.

${\mathbf{B}}_{\mathsf{tight}}$(Tight Security Reduction—Additional Proof.)

Total Session Bound and Key Rotation Recommendation.

Session pinging and CNF checking within the proof. The four-bidding-round proof secures a single protocol session. We verify the session-pinging conditions (Theorem 15) within the proof for consecutive sessions ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$.

SID freshness: Each session samples a fresh ${\mathsf{sid}}_{i+1}$ independently. $Pr\left[{\mathsf{sid}}_{i+1}={\mathsf{sid}}_j\right]\le 1/2^{\lambda }$ for any $j\le i$, so SID collision has probability $\le i/2^{\lambda }=\mathsf{negl}$.

Nonce disjointness: Both $N_A$ and $N_B$ are sampled from ${\{0,1\}}^{\lambda }$ per session. The nonce sets ${\mathcal{N}}_{i+1}=\{N_{A,i+1},N_{B,i+1}\}$ are disjoint from all ${\mathcal{N}}_j$ ($j\le i$) except with birthday probability $\le {\left(2i\right)}^2/2^{\lambda +1}$.

Signature SID-binding: In ${\mathbf{B}}_1$ and ${\mathbf{B}}_2$, both ${\sigma }_B$ and ${\sigma }_A$ sign data that includes $\mathsf{sid}$, $N_A$, $N_B$, and both identities. The SID-binding means that replaying ${\sigma }_{B,j}$ from session ${\mathsf{Session}}_j$ in session ${\mathsf{Session}}_{i+1}$ fails verification (the signed SID is ${\mathsf{sid}}_j\ne {\mathsf{sid}}_{i+1}$). This is precisely the ping condition (c): all signatures in ${\mathsf{Session}}_{i+1}$ bind ${\mathsf{sid}}_{i+1}$.

KEM ciphertext freshness: The ciphertext $c_{i+1}$ encapsulates a fresh key using fresh randomness. The CNF clause ${\phi }^{\mathsf{novel}}$ ensures $c_{i+1}$ is not a replay.

CNF isomorphism and inductive step: The session-CNF ${\phi }_{\mathsf{2}\mathsf{P},i+1}$ is obtained from ${\phi }_{\mathsf{2}\mathsf{P},i}$ by substituting ${\mathsf{sid}}_i\mapsto {\mathsf{sid}}_{i+1}$, $N_{A,i}\mapsto N_{A,i+1}$, $N_{B,i}\mapsto N_{B,i+1}$, $c_i\mapsto c_{i+1}$, and fresh signatures. Since ${\phi }_{\mathsf{2}\mathsf{P},i}$ is satisfiable (inductive hypothesis) and all new variables are independently fresh, ${\phi }_{\mathsf{2}\mathsf{P},i+1}$ is satisfiable. The security reduction (signature forgery → EUF-CMA, key recovery → IND-CCA2) is session-index-independent. By Theorem 3, the two-party protocol is secure for all sessions.    □

13.1.0.24. Two-Party: Authentication, Mutual Auth, and CNF Verification.

We now verify the four protocol-level goods from Section 8 for the two-party protocol.

Corollary 2 

(Two-Party Authentication). $\mathsf{Ask}\left(g_{\mathsf{auth}}\right)\le {\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$ by Theorem 6, since B’s acceptance requires verifying ${\sigma }_A$.

Corollary 3 

(Two-Party Mutual Authentication). $\mathsf{Ask}\left(g_{\mathsf{mutual}}\right)\le 2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$ by Theorem 7, since both ${\sigma }_A$ and ${\sigma }_B$ bind $\mathsf{sid}$, both nonces, and both identities.

Corollary 4 

(Two-Party CNF Checking). The session-CNF ${\phi }_{\mathsf{2}\mathsf{P}}$ includes clauses for SID binding, nonce freshness, both signatures, message ordering, and the ping test. All clauses are satisfied under the honest trace. Under any dishonest trace, at least one signature or freshness clause fails (by EUF-CMA equilibrium), so $\mathsf{Ask}\left(g_{\mathsf{CNF}}\right)\le \mathsf{negl}\left(\lambda \right)$.

Manual CNF worksheet (two-party session ${\mathsf{Session}}_i$):

Clause	Check	How	Pass?
${\phi }^{\mathsf{sid}}$	Same $\mathsf{sid}$ in msgs 1,2,3?	Read SID field; compare.	T/F
${\phi }^{\mathsf{fresh}}$	$N_A\ne N_B$; neither used before?	Check nonce log.	T/F
${\phi }_B^{\mathsf{sig}}$	$\mathsf{Vrfy}({\mathsf{pk}}_B,\mathsf{sid}\parallel N_A\parallel N_B\parallel {\mathsf{id}}_A\parallel {\mathsf{id}}_B\parallel c,{\sigma }_B)=1$?	Hash scope; verify.	T/F
${\phi }_A^{\mathsf{sig}}$	$\mathsf{Vrfy}({\mathsf{pk}}_A,\mathsf{sid}\parallel N_A\parallel N_B\parallel {\mathsf{id}}_A\parallel {\mathsf{id}}_B\parallel K,{\sigma }_A)=1$?	Hash scope; verify.	T/F
${\phi }^{\mathsf{consist}}$	Order: msg1 from A, msg2 from B, msg3 from A?	Check headers.	T/F
${\phi }^{\mathsf{ping}}$	${\mathsf{sid}}_i\ne {\mathsf{sid}}_{i-1}$; nonces not in ${\mathcal{N}}_{\mathsf{prev}}$?	Compare logs.	T/F
Result:	All T ⇒ Accept. Any F ⇒ Reject (cite row and attack type).

13.2. Three-Party with KDC (Mechanism 11)

Figure 45. Three-party key exchange (ISO/IEC 11770-3, Mechanism 11). The KDC generates the session key and delivers it to both A and B via signed encrypted tickets. A MAC from B provides key confirmation.

Figure 45. Three-party key exchange (ISO/IEC 11770-3, Mechanism 11). The KDC generates the session key and delivers it to both A and B via signed encrypted tickets. A MAC from B provides key confirmation.

Theorem 49 

(Three-Party Equilibrium). $\mathsf{Ask}\le {\mathsf{Adv}}_{\mathsf{Enc}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}+2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}+{\mathsf{Adv}}_{\mathsf{MAC}}^{\mathsf{SUF}-\mathsf{CMA}}+\mathsf{negl}\left(\lambda \right).$

Proof. 

${\mathbf{B}}_0$: Real. ${\mathbf{B}}_1$: KDC signature bids ($\times 2$). Extended lemma: two KDC signatures use independent signing data, so $Pr\left[F_1\cup F_2\right]\le 2·{\mathsf{Adv}}^{\mathsf{EUF}}$ (union bound; intersection $Pr\left[F_1\cap F_2\right]\le {\mathsf{Adv}}^{{\mathsf{EUF}}_2}\approx 0$). ${\mathbf{B}}_2$: MAC forgery bid. ${\mathbf{B}}_3$: Encrypted key recovery bid. ${\mathbf{B}}_4$: Ideal.    □

Three-Party: Protocol-Level Goods.

Corollary 5 

(Three-Party Mutual Authentication). $\mathsf{Ask}\left(g_{\mathsf{mutual}}\right)\le 2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{MAC}}^{\mathsf{SUF}}+q_N^2/2^{\lambda +1}$. The KDC signatures authenticate both A and B; the MAC provides key confirmation.

Corollary 6 

(Three-Party Session-Key Secrecy). $\mathsf{Ask}\left(g_{\mathsf{sk}}\right)\le {\mathsf{Adv}}_{\mathsf{Enc}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}+2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{MAC}}^{\mathsf{SUF}}+\mathsf{negl}\left(\lambda \right)$ by the combined game-hop analysis.

Corollary 7 

(Three-Party CNF). The three-party session-CNF includes SID binding, nonce freshness, two KDC signatures, MAC confirmation, and ping. All clauses satisfied under honest trace; dishonest satisfaction requires signature or MAC forgery.

Session pinging within the three-party proof.For consecutive sessions ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$, the ping check verifies: (1) ${\mathsf{sid}}_{i+1}\ne {\mathsf{sid}}_i$ (fresh session label); (2) $N_{A,i+1}\notin {\mathcal{N}}_{\mathsf{prev}}$ (fresh initiator nonce); (3) the KDC’s ticket signature ${\sigma }_{\mathsf{KDC},i+1}$ binds ${\mathsf{sid}}_{i+1}$ and $N_{A,i+1}$ (preventing ticket replay from session ${\mathsf{Session}}_i$); (4) the MAC confirmation tag ${\tau }_{i+1}$ authenticates ${\mathsf{sid}}_{i+1}\parallel N_{A,i+1}\parallel N_{B,i+1}$ (preventing confirmation replay). The KDC ticket replay bid—resubmitting $(N_{A,i},{\mathsf{Ticket}}_{B,i})$ from ${\mathsf{Session}}_i$—fails because $N_{A,i}\in {\mathcal{N}}_{\mathsf{used}}$ (detected by ${\phi }^{\mathsf{fresh}}$). Re-signing a ticket under $N_{A,i+1}$ requires breaking the KDC’s EUF-CMA security. The session-CNF ${\phi }_{\mathsf{3}\mathsf{P},i+1}$ is isomorphic to ${\phi }_{\mathsf{3}\mathsf{P},i}$ with fresh variables; by Theorem 3, unbounded equilibrium holds.

Manual CNF worksheet (three-party):

Clause	Check	How	Pass?
${\phi }^{\mathsf{sid}}$	$\mathsf{sid}$ in all 5 messages?	Read fields; compare.	T/F
${\phi }^{\mathsf{fresh}}$	$N_A,N_B$ distinct and new?	Check nonce log.	T/F
${\phi }_{\mathsf{KDC},A}^{\mathsf{sig}}$	KDC sig on ticket-A verifies?	$\mathsf{Vrfy}({\mathsf{pk}}_{\mathsf{KDC}},·,{\sigma }_{\mathsf{KDC},A})$.	T/F
${\phi }_{\mathsf{KDC},B}^{\mathsf{sig}}$	KDC sig on ticket-B verifies?	$\mathsf{Vrfy}({\mathsf{pk}}_{\mathsf{KDC}},·,{\sigma }_{\mathsf{KDC},B})$.	T/F
${\phi }^{\mathsf{mac}}$	${\tau }_B={\mathsf{MAC}}_{K_{\mathsf{sess}}}(\mathsf{sid}\parallel N_A\parallel N_B)$?	Recompute HMAC; compare.	T/F
${\phi }^{\mathsf{ping}}$	Session fresh vs. ${\mathsf{Session}}_{i-1}$?	Compare $\mathsf{sid}$ and nonces.	T/F
Result:	All T ⇒ Accept. Any F ⇒ Reject.

13.3. Four-Party Cross-Domain

Figure 46. Four-party cross-domain key exchange (ISO/IEC 11770-3). Two domain servers ($S_1$ and $S_2$) cooperate to generate and deliver session key $K_{\mathsf{sess}}$ to A and B across domain boundaries. Four independent signatures provide authentication; two IND-CCA2 encryptions protect the session key in transit.

Figure 46. Four-party cross-domain key exchange (ISO/IEC 11770-3). Two domain servers ($S_1$ and $S_2$) cooperate to generate and deliver session key $K_{\mathsf{sess}}$ to A and B across domain boundaries. Four independent signatures provide authentication; two IND-CCA2 encryptions protect the session key in transit.

Theorem 50 

(Four-Party Equilibrium). $\mathsf{Ask}\le 2·{\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}+4·{\mathsf{Adv}}^{\mathsf{EUF}-\mathsf{CMA}}+{\mathsf{Adv}}^{\mathsf{SUF}-\mathsf{CMA}}+\mathsf{negl}\left(\lambda \right).$

Proof. 

Seven games. The four signature bids (for $S_1$, $S_2$, A, B) use independent keys, so by the extended lemma: $Pr\left[{\bigcup }_{i=1}^4{F}_i\right]\le 4·{\mathsf{Adv}}^{\mathsf{EUF}}$ (union bound; pairwise intersections $\approx 0$ due to independent keys). Two IND-CCA2 bids for inter/intra-domain key transport. One MAC bid for key confirmation.    □

Corollary 8 

(Four-Party Protocol-Level Goods). Authentication: $\mathsf{Ask}\left(g_{\mathsf{auth}}\right)\le 4·{\mathsf{Adv}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$ (four signing keys). Mutual auth: same bound. Session-key secrecy: $\mathsf{Ask}\left(g_{\mathsf{sk}}\right)\le 2·{\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}+4·{\mathsf{Adv}}^{\mathsf{EUF}}+{\mathsf{Adv}}^{\mathsf{SUF}}+\mathsf{negl}\left(\lambda \right)$.

Manual CNF worksheet (four-party cross-domain session):

Clause	Check	How	Pass?
${\phi }^{\mathsf{sid}}$	Same $\mathsf{sid}$ in all 7 messages?	Read SID fields.	T/F
${\phi }^{\mathsf{fresh}}$	$N_A,N_B$ distinct, not reused?	Check nonce log.	T/F
${\phi }_{S_1}^{\mathsf{sig}}$	$S_1$ sig on ticket-A valid?	$\mathsf{Vrfy}({\mathsf{pk}}_{S_1},·,{\sigma }_{S_1})$.	T/F
${\phi }_{S_2}^{\mathsf{sig}}$	$S_2$ sig on ticket-B valid?	$\mathsf{Vrfy}({\mathsf{pk}}_{S_2},·,{\sigma }_{S_2})$.	T/F
${\phi }_A^{\mathsf{sig}}$	A’s confirmation sig valid?	$\mathsf{Vrfy}({\mathsf{pk}}_A,\mathsf{sid}\parallel K_{\mathsf{sess}},{\sigma }_A)$.	T/F
${\phi }_B^{\mathsf{mac}}$	B’s MAC confirmation valid?	Recompute ${\mathsf{MAC}}_{K_{\mathsf{sess}}}(\mathsf{sid}\parallel N_A\parallel N_B)$.	T/F
${\phi }^{\mathsf{ping}}$	Session fresh vs. ${\mathsf{Session}}_{i-1}$?	Compare $\mathsf{sid}$ and nonces.	T/F
Result:	All T ⇒ Accept. Any F ⇒ Reject.

13.4. Needham–Schroeder: Proving Insecurity

13.4.0.26. NS Protocol [9].

(1) $A\to B$: ${\{N_A,A\}}_{{\mathsf{pk}}_B}$. (2) $B\to A$: ${\{N_A,N_B\}}_{{\mathsf{pk}}_A}$. (3) $A\to B$: ${\left\{N_B\right\}}_{{\mathsf{pk}}_B}$.

Figure 47. Needham–Schroeder Public-Key Protocol (intended flow). The critical flaw is highlighted: Message 2 from Bob contains only nonces but not Bob’s identity, allowing an active attacker to masquerade as Alice to Bob.

Figure 47. Needham–Schroeder Public-Key Protocol (intended flow). The critical flaw is highlighted: Message 2 from Bob contains only nonces but not Bob’s identity, allowing an active attacker to masquerade as Alice to Bob.

Figure 48. Lowe’s man-in-the-middle (MITM) attack on the Needham–Schroeder protocol. Eve (E), a legitimate participant, relays all six messages between Alice and Bob, impersonating Alice to Bob. No cryptographic primitive is broken; the protocol’s missing identity-binding is the sole cause of collapse.

Figure 48. Lowe’s man-in-the-middle (MITM) attack on the Needham–Schroeder protocol. Eve (E), a legitimate participant, relays all six messages between Alice and Bob, impersonating Alice to Bob. No cryptographic primitive is broken; the protocol’s missing identity-binding is the sole cause of collapse.

Lowe’s MITM attack [10].

Adversary E (legitimate participant) relays between A and B:

1.

$A\to E$: ${\{N_A,A\}}_{{\mathsf{pk}}_E}$ (A talks to E)

2.

$E\left(\mathrm{as}A\right)\to B$: ${\{N_A,A\}}_{{\mathsf{pk}}_B}$ (E re-encrypts; B thinks A initiated)

3.

$B\to E\left(\mathrm{as}A\right)$: ${\{N_A,N_B\}}_{{\mathsf{pk}}_A}$

4.

$E\to A$: ${\{N_A,N_B\}}_{{\mathsf{pk}}_A}$ (A decrypts, obtains $N_B$)

5.

$A\to E$: ${\left\{N_B\right\}}_{{\mathsf{pk}}_E}$ (A thinks this is for E)

6.

$E\left(\mathrm{as}A\right)\to B$: ${\left\{N_B\right\}}_{{\mathsf{pk}}_B}$ (B accepts: “A authenticated”)

Theorem 51 

(NS Market Collapse). $\mathsf{Ask}\left(g_{\mathsf{mutual}-\mathsf{auth}}\right)=1.$

Proof. 

The buyer (E) achieves advantage 1 with zero cryptographic breaks.

${\mathbf{B}}_0$ (Real NS).E is a legitimate participant with $({\mathsf{sk}}_E,{\mathsf{pk}}_E)$.

${\mathbf{B}}_0\to$ Attack. The buyer places a masquerade bid (identity fraud): relay messages between A and B, impersonating A to B. No cryptographic primitive is broken—E uses only their legitimate decryption key and the public encryption of B.

Difference lemma (degenerate). The failure event $F_{\mathsf{MITM}}$: “E can relay messages between A and B undetected” has $Pr\left[F_{\mathsf{MITM}}\right]=1$ because the protocol lacks identity binding in message 2. $\Delta \mathsf{Price}=1$, market collapsed.

CNF analysis.B’s session-CNF is: ${\phi }_B^{\mathsf{ns}}=\left(x_{\mathsf{Dec}({\mathsf{sk}}_B,c_1)=(N_A,A)}\right)\wedge \left(x_{N_A\mathrm{fresh}}\right)\wedge \left(x_{\mathsf{Dec}({\mathsf{sk}}_B,c_3)=N_B}\right).$ All clauses are satisfied even during the attack! The CNF is satisfiable under a dishonest trace because B’s identity is never included in encrypted payloads. Contrast with secure protocols where dishonest traces always make the CNF unsatisfiable.

Fix (NS-Lowe): Include B in message 2: ${\{N_A,N_B,B\}}_{{\mathsf{pk}}_A}$. Now A’s CNF includes clause $\left(x_{\mathsf{id}=E}\right)$, which fails when the decrypted identity is $B\ne E$. Market restored to equilibrium.    □

13.4.0.28. NS: Protocol-Level Goods Analysis.

Corollary 9 

(NS Authentication Collapse). $\mathsf{Ask}\left(g_{\mathsf{auth}}\right)=1$: B accepts with partner A, but A was communicating with E, not B. The authentication game is lost without any cryptographic break.

Corollary 10 

(NS Mutual Authentication Collapse). $\mathsf{Ask}\left(g_{\mathsf{mutual}}\right)=1$: both directions fail—B believes it authenticated A, but A never intended to talk to B.

Corollary 11 

(NS Session-Key Secrecy Collapse). If the protocol were extended with a key derivation step $K_{\mathsf{sess}}=\mathsf{KDF}(N_A,N_B)$, then $\mathsf{Ask}\left(g_{\mathsf{sk}}\right)=1$: Eve knows both $N_A$ and $N_B$ and can compute $K_{\mathsf{sess}}$.

Corollary 12 

(NS CNF Failure). B’s CNF is satisfiable under Lowe’s MITM trace because no clause binds B’s identity—aCNF design failure.

NS CNF worksheet showing the design failure:

Clause	Check	Honest trace	MITM trace	Verdict
$x_{\mathsf{Dec}({\mathsf{sk}}_B,c_1)=(N_A,A)}$	Msg 1 decrypts to $(N_A,A)$	T	T(Eve re-encrypted)	Passes!
$x_{N_A\mathrm{fresh}}$	$N_A$ not seen before	T	T(fresh from A)	Passes!
$x_{\mathsf{Dec}({\mathsf{sk}}_B,c_3)=N_B}$	Msg 3 decrypts to $N_B$	T	T(Eve forwarded)	Passes!
Missing: $x_{{\mathsf{id}}_{\mathsf{peer}}=A}$	Peer is actually A?	T	F(peer is E!)	ABSENT
${\phi }_{\mathsf{NS}}$:	SAT under dishonest trace—CNF design failure.			Reject design

Fix (NS-Lowe):Add clause $x_{\mathsf{Dec}({\mathsf{sk}}_A,c_2)=(N_A,N_B,B)}$. Now the decrypted identity $E\ne B$ makes this clauseF, ${\phi }_{\mathsf{NS}}$ becomes UNSAT under MITM, and A aborts. Equilibrium restored.

13.5. Unbounded Verification

Corollary 13 

(Unbounded Security of ISO/IEC 11770-3 Protocols). The ISO/IEC 11770-3 two-party, three-party, and four-party key-exchange protocols are all secure for unbounded sessions. Specifically:

• Two-party:Fresh SIDs sampled per session; nonces $N_A,N_B$ sampled from ${\{0,1\}}^{\lambda }$; all signatures bind $\mathsf{sid}$. Hence $\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=1$ with probability $1-q_N^2/2^{\lambda +1}$. By Theorem 3: $\mathsf{Ask}\left(g_{\mathsf{key}-\mathsf{secrecy}}\right)\le {\mathsf{Adv}}_{\mathsf{KEM}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}+2{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+\mathsf{negl}$ for all $i\ge 1$.
• Three-party:KDC signatures bind $\mathsf{sid}$ and $N_A$; MAC confirmation binds $\mathsf{sid}$, $N_A$, $N_B$. All pings pass. Unbounded equilibrium holds.
• Four-party:Four independent signatures plus two IND-CCA2 encryptions, all SID-bound. Extended difference lemma gives $Pr\left[{\bigcup }_{i=1}^4{F}_{\mathsf{sig},i}\right]\le 4{\mathsf{Adv}}^{\mathsf{EUF}}$. Ping passes; unbounded equilibrium holds.
• PKI:CA certificates plus session signatures give two-layer identity binding per session. Ping bid price $\le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+2{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}=\mathsf{negl}$. Unbounded equilibrium holds.

Needham–Schroeder protocol:No SID binding, no signatures, no nonce-to-session binding. The ping function satisfies $\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=0$ trivially—sessions are structurally indistinct. The masquerade bid succeeds with probability 1 regardless of the session count. The NS market collapses for all sessions.

13.6. PKI-Based Mutual Authentication Protocol

Protocol description.

Let $\mathsf{CA}$ be a Certification Authority with key pair $({\mathsf{sk}}_{\mathsf{CA}},{\mathsf{pk}}_{\mathsf{CA}})$. Party C (client) holds certificate

$${\mathsf{cert}}_C=\left({\mathsf{id}}_C,{\mathsf{pk}}_C,{\mathsf{valid}}_C,{\sigma }_{\mathsf{CA},C}\right),{\sigma }_{\mathsf{CA},C}=\mathsf{Sign}({\mathsf{sk}}_{\mathsf{CA}},{\mathsf{id}}_C\parallel {\mathsf{pk}}_C\parallel {\mathsf{valid}}_C),$$

and party S (server) holds ${\mathsf{cert}}_S$ defined analogously. Both parties know ${\mathsf{pk}}_{\mathsf{CA}}$ and can verify any CA signature. The PKI Mutual Authentication Protocol proceeds as follows:

1.

$C\to S$:   $\mathsf{sid}\parallel N_C\parallel {\mathsf{cert}}_C$ Client hello: session ID, nonce, certificate

2.

$S\to C$:   $\mathsf{sid}\parallel N_S\parallel {\mathsf{cert}}_S\parallel c\parallel {\sigma }_S$

$${\sigma }_S=\mathsf{Sign}\left({\mathsf{sk}}_S,\mathsf{sid}\parallel N_C\parallel N_S\parallel {\mathsf{id}}_C\parallel {\mathsf{id}}_S\parallel c\right)$$

Server hello: nonce, certificate, KEM ciphertext, session signature

3.

$C\to S$:   $\mathsf{sid}\parallel {\sigma }_C$

$${\sigma }_C=\mathsf{Sign}\left({\mathsf{sk}}_C,\mathsf{sid}\parallel N_C\parallel N_S\parallel {\mathsf{id}}_C\parallel {\mathsf{id}}_S\parallel K\right)$$

Client finished: signature over full session transcript including decapsulated secret

4.

Both derive:   $K_{\mathsf{sess}}=\mathsf{KDF}(K,\mathsf{sid}\parallel N_C\parallel N_S)$

where c is a KEM encapsulation of secret K under C’s public key ${\mathsf{pk}}_C$ (taken from ${\mathsf{cert}}_C$). Upon receiving Message 2, C first verifies ${\mathsf{cert}}_S$ against ${\mathsf{pk}}_{\mathsf{CA}}$, extracts ${\mathsf{pk}}_S$, verifies ${\sigma }_S$, then decapsulates K. Upon receiving Message 3, S verifies ${\mathsf{cert}}_C$ (already received in Message 1) and ${\sigma }_C$.

Figure 49. PKI mutual authentication protocol (TLS-style). The CA pre-issues certificates to C and S (dashed arrows, offline). During the three-message handshake: C presents its certificate; S presents its certificate plus a KEM ciphertext and a session signature; C verifies, decapsulates, and signs the finished message. Both parties derive identical $K_{\mathsf{sess}}$. CA certificate verification and SID/nonce binding in every signature prevent all known MITM attacks.

Figure 49. PKI mutual authentication protocol (TLS-style). The CA pre-issues certificates to C and S (dashed arrows, offline). During the three-message handshake: C presents its certificate; S presents its certificate plus a KEM ciphertext and a session signature; C verifies, decapsulates, and signs the finished message. Both parties derive identical $K_{\mathsf{sess}}$. CA certificate verification and SID/nonce binding in every signature prevent all known MITM attacks.

Security goods.

The PKI market ${\mathcal{M}}_{\mathsf{PKI}}$ offers five goods: $g_{\mathsf{cert}}$ (certificate authenticity), $g_{\mathsf{auth}}$ (entity authentication), $g_{\mathsf{mutual}}$ (mutual authentication), $g_{\mathsf{sk}}$ (session-key secrecy), $g_{\mathsf{CNF}}$ (CNF correctness).

Definition 33 

(Certificate Authenticity Good). The seller offers $g_{\mathsf{cert}}$: no PPT $\mathcal{A}$ without ${\mathsf{sk}}_{\mathsf{CA}}$ can produce a tuple $({\mathsf{id}}^{*},{\mathsf{pk}}^{*},{\sigma }^{*})$ such that $\mathsf{Vrfy}({\mathsf{pk}}_{\mathsf{CA}},{\mathsf{id}}^{*}\parallel {\mathsf{pk}}^{*},{\sigma }^{*})=1$ and $({\mathsf{id}}^{*},{\mathsf{pk}}^{*})$ was never submitted to the CA’s signing oracle.

Lemma 3 

(Certificate Authenticity Equilibrium). $\mathsf{Ask}\left(g_{\mathsf{cert}}\right)\le {\mathsf{Adv}}_{\mathsf{Sig},\mathsf{CA}}^{\mathsf{EUF}-\mathsf{CMA}}+\mathsf{negl}\left(\lambda \right).$

Proof. 

Any buyer producing $({\mathsf{id}}^{*},{\mathsf{pk}}^{*},{\sigma }^{*})$ supplies an EUF-CMA forgery on message ${\mathsf{id}}^{*}\parallel {\mathsf{pk}}^{*}$ under ${\mathsf{sk}}_{\mathsf{CA}}$. The reduction embeds the CA’s public key and forwards signing queries. The forgery is new (the CA never issued this certificate) so EUF-CMA applies directly.    □

Theorem 52 

(PKI Protocol Market Equilibrium). Under EUF-CMA security of the CA and party signature schemes, IND-CCA2 security of the KEM, and PRF security of the KDF:

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{cert}}\right)& \le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+\mathsf{negl},\hfill \end{array}$$

(134)

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{auth}}\right)& \le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+\frac{q_N^2}{2^{\lambda +1}}+\mathsf{negl},\hfill \end{array}$$

(135)

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{mutual}}\right)& \le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+\frac{q_N^2}{2^{\lambda +1}}+\mathsf{negl},\hfill \end{array}$$

(136)

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{sk}}\right)& \le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{KEM}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}+{\mathsf{Adv}}_{\mathsf{KDF}}^{\mathsf{PRF}}+\frac{q_N^2}{2^{\lambda +1}}+\mathsf{negl},\hfill \end{array}$$

(137)

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{CNF}}\right)& \le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+\frac{q_N^2}{2^{\lambda +1}}+\mathsf{negl}.\hfill \end{array}$$

(138)

All five goods are in equilibrium, so ${\mathcal{M}}_{\mathsf{PKI}}$ is in equilibrium.

Proof. 

We abbreviate ${\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}$ and ${\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}$ throughout.

Bound (134): Lemma 3.

Bound () (server → client authentication). Five games:

${\mathbf{B}}_0$(Real).$\mathcal{A}$ controls the network. Wins if C accepts S as partner but S did not run a matching session.

${\mathbf{B}}_1$(Nonce uniqueness). Abort on nonce collision among $q_N$ nonces: $|Pr[{\mathbf{B}}_0=1]-Pr[{\mathbf{B}}_1=1]|\le q_N^2/2^{\lambda +1}.$

${\mathbf{B}}_2$(Certificate forgery bid). Flag $F_{\mathsf{cert}}$: $\mathcal{A}$ presents a certificate for ${\mathsf{id}}_S$ that verifies under ${\mathsf{pk}}_{\mathsf{CA}}$ but was not issued by the CA. By Lemma 3: $|Pr[{\mathbf{B}}_1=1]-Pr[{\mathbf{B}}_2=1]|\le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}.$ After ${\mathbf{B}}_2$, any certificate C accepts for S was legitimately issued, so ${\mathsf{pk}}_S$ is correctly bound to ${\mathsf{id}}_S$.

${\mathbf{B}}_3$(Signature forgery bid on S). Flag $F_{\mathsf{forge}\_\mathsf{S}}$: C accepts ${\sigma }_S$ not generated by S. Reducing to EUF-CMA on ${\mathsf{sk}}_S$ (the key bound by the verified certificate): $|Pr[{\mathbf{B}}_2=1]-Pr[{\mathbf{B}}_3=1]|\le {\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}.$

${\mathbf{B}}_4$(Ideal). No cert forgery, no sig forgery: C accepted only because a valid ${\sigma }_S$ bound $\mathsf{sid},N_C,N_S,{\mathsf{id}}_C,{\mathsf{id}}_S,c$ under S’s genuine key. S must have participated. $Pr[{\mathbf{B}}_4=1]=0$.

Total:$\mathsf{Ask}\left(g_{\mathsf{auth}}\right)\le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$.

Bound () (mutual authentication). Add a game hop for $C\to S$ direction: S verifies ${\mathsf{cert}}_C$ (same CA forgery argument) and ${\sigma }_C$ (EUF-CMA on ${\mathsf{sk}}_C$). The three failure events $F_{\mathsf{cert}},F_{\mathsf{forge}\_\mathsf{S}},F_{\mathsf{forge}\_\mathsf{C}}$ are handled by the extended difference lemma; $F_{\mathsf{forge}\_\mathsf{S}}$ and $F_{\mathsf{forge}\_\mathsf{C}}$ use independent keys, so: $Pr[F_{\mathsf{forge}\_\mathsf{S}}\cup F_{\mathsf{forge}\_\mathsf{C}}]\le 2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}.$ Equation () follows.

Bound () (session-key secrecy). Extend with two hops following Theorem 8: ${\mathbf{B}}_5$: Replace KEM key K with uniform $\tilde{K}$; costs ${\mathsf{Adv}}_{\mathsf{KEM}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}$. ${\mathbf{B}}_6$: Replace $\mathsf{KDF}(\tilde{K},\dots )$ with uniform random; costs ${\mathsf{Adv}}_{\mathsf{KDF}}^{\mathsf{PRF}}$. After ${\mathbf{B}}_6$ the session key is independent of all observed messages; $Pr[{\mathbf{B}}_6=1]=1/2$. Summing gives Equation ().

Bound () (CNF correctness). The PKI session-CNF is:

$${\phi }_{\mathsf{PKI}}={\phi }_C^{\mathsf{cert}}\wedge {\phi }_S^{\mathsf{cert}}\wedge {\phi }^{\mathsf{sid}}\wedge {\phi }^{\mathsf{fresh}}\wedge {\phi }_S^{\mathsf{sig}}\wedge {\phi }_C^{\mathsf{sig}}\wedge {\phi }^{\mathsf{consist}},$$

where ${\phi }_P^{\mathsf{cert}}=\left(x_{\mathsf{Vrfy}({\mathsf{pk}}_{\mathsf{CA}},{\mathsf{id}}_P\parallel {\mathsf{pk}}_P,{\sigma }_{\mathsf{CA},P})=1}\right)$ for $P\in \{C,S\}$. Under an honest trace all clauses are satisfied. A dishonest trace satisfies the formula only if: (a) a certificate clause passes dishonestly (requires CA forgery), or (b) a signature clause passes dishonestly (requires EUF-CMA break), or (c) a freshness clause passes dishonestly (requires nonce reuse). By the extended difference lemma over these three event types, Equation () follows.

${\mathbf{B}}_{\mathsf{sca}}$(Side-Channel Bid: Comprehensive Physical Leakage Attack.)

SCA extended difference lemma.$F_{\mathsf{sca}}=F_{\mathsf{SPA}}\cup F_{\mathsf{DPA}}\cup F_{\mathsf{timing}}\cup F_{\mathsf{cache}}\cup F_{\mathsf{EMA}}\cup F_{\mathsf{fault}}\cup F_{\mathsf{cold}}\cup F_{\mathsf{acoustic}}\cup F_{\mathsf{photonic}}$: “${\mathcal{A}}_{\mathsf{phys}}$ recovers $\ge 1$ secret bit via any physical channel from $\le q_{\mathsf{phys}}$ measurements.” By Lemma 2, the side-channel event is independent of the mathematical failure events $F_{\mathsf{nonce}},F_{\mathsf{hash}},\dots$ in the preceding rounds, so their joint probability satisfies $Pr\left[{\bigcup }_k{F}_k\cup F_{\mathsf{sca}}\right]\le {\sum }_{k}Pr\left[F_k\right]+{\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}(\lambda ,d)$. With the comprehensive countermeasure suite, ${\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}=\mathsf{negl}\left(\lambda \right)$, preserving market equilibrium.

${\mathbf{B}}_{\mathsf{tight}}$(Tight Security Reduction—Additional Proof.)

Total Session Bound and Key Rotation Recommendation.

Session pinging and CNF checking within the proof. For consecutive PKI sessions ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$, the ping mechanism verifies a three-layer structural distinctness:

Layer 1 (CA certificates): The certificates ${\mathsf{cert}}_C$ and ${\mathsf{cert}}_S$ are pre-issued and shared across sessions. However, each session’s signatures ${\sigma }_C$ and ${\sigma }_S$ bind the session-specific ${\mathsf{sid}}_{i+1}$, nonces $N_{C,i+1}$ and $N_{S,i+1}$, and both party identities. This SID-binding ensures that certificate possession alone is insufficient to replay a session.

Layer 2 (Session signatures): The server signature ${\sigma }_{S,i+1}=\mathsf{Sign}({\mathsf{sk}}_S,{\mathsf{sid}}_{i+1}\parallel N_{C,i+1}\parallel N_{S,i+1}\parallel {\mathsf{id}}_C\parallel {\mathsf{id}}_S\parallel c_{i+1})$ includes all five ping-relevant fields. Replaying ${\sigma }_{S,j}$ from ${\mathsf{Session}}_j$ in ${\mathsf{Session}}_{i+1}$ fails verification because ${\mathsf{sid}}_j\ne {\mathsf{sid}}_{i+1}$. Similarly for ${\sigma }_{C,i+1}$.

Layer 3 (KEM ciphertext): The ciphertext $c_{i+1}=\mathsf{KEM}.\mathsf{Enc}({\mathsf{pk}}_C;r_{i+1})$ uses fresh randomness, ensuring $c_{i+1}\ne c_j$ for all $j\le i$ with overwhelming probability.

The extended difference lemma captures three simultaneous forgery events: $F_{\mathsf{cert}}$ (CA certificate forgery), $F_{\mathsf{sig},S}$ (server signature forgery), and $F_{\mathsf{sig},C}$ (client signature forgery). By Lemma 2: $Pr\left[F_{\mathsf{cert}}\cup F_{\mathsf{sig},S}\cup F_{\mathsf{sig},C}\right]\le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+2{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}=\mathsf{negl}$. The session-CNF ${\phi }_{\mathsf{PKI},i+1}$ is isomorphic to ${\phi }_{\mathsf{PKI},i}$ with fresh SID, nonces, ciphertext, and signatures.    □

CNF clause breakdown.

Corollary 14 

(PKI Unbounded Security). The PKI protocol is secure for unbounded sessions: each session samples a fresh $\mathsf{sid}$ and nonces $N_C,N_S$; all signatures include $\mathsf{sid}$; hence $\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=1$ for all i. By Theorem 3, equilibrium holds for all $i\ge 1$.

Manual CNF worksheet (PKI TLS-style session ${\mathsf{Session}}_i$):

Clause	Check	How	Pass?
${\phi }_C^{\mathsf{cert}}$	C’s cert verifies under ${\mathsf{pk}}_{\mathsf{CA}}$?	$\mathsf{Vrfy}({\mathsf{pk}}_{\mathsf{CA}},{\mathsf{id}}_C\parallel {\mathsf{pk}}_C,{\sigma }_{\mathsf{CA},C})$.	T/F
${\phi }_S^{\mathsf{cert}}$	S’s cert verifies under ${\mathsf{pk}}_{\mathsf{CA}}$?	$\mathsf{Vrfy}({\mathsf{pk}}_{\mathsf{CA}},{\mathsf{id}}_S\parallel {\mathsf{pk}}_S,{\sigma }_{\mathsf{CA},S})$.	T/F
${\phi }^{\mathsf{sid}}$	Same $\mathsf{sid}$ in all 3 messages?	Read SID field; compare.	T/F
${\phi }^{\mathsf{fresh}}$	$N_C\ne N_S$; neither used before?	Check nonce log.	T/F
${\phi }_S^{\mathsf{sig}}$	$\mathsf{Vrfy}({\mathsf{pk}}_S,\mathsf{sid}\parallel N_C\parallel N_S\parallel {\mathsf{id}}_C\parallel {\mathsf{id}}_S\parallel c,{\sigma }_S)=1$?	Hash scope; verify.	T/F
${\phi }_C^{\mathsf{sig}}$	$\mathsf{Vrfy}({\mathsf{pk}}_C,\mathsf{sid}\parallel N_C\parallel N_S\parallel {\mathsf{id}}_C\parallel {\mathsf{id}}_S\parallel K,{\sigma }_C)=1$?	Hash scope; verify.	T/F
${\phi }^{\mathsf{consist}}$	Msg order: $C\to S$, $S\to C$, $C\to S$?	Check sender/direction.	T/F
${\phi }^{\mathsf{ping}}$	${\mathsf{sid}}_i\ne {\mathsf{sid}}_{i-1}$; $N_C,N_S\notin {\mathcal{N}}_{\mathsf{prev}}$?	Compare session logs.	T/F
Result:	All T ⇒ Accept. Any F ⇒ Reject (cite failed clause).

Table 14. PKI protocol market goods summary.

Good	Ask Price Bound	Status
$g_{\mathsf{cert}}$ (certificate authenticity)	${\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}$	Equilibrium
$g_{\mathsf{auth}}$ (entity auth)	${\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$	Equilibrium
$g_{\mathsf{mutual}}$ (mutual auth)	${\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$	Equilibrium
$g_{\mathsf{sk}}$ (key secrecy)	$+{\mathsf{Adv}}_{\mathsf{KEM}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}+{\mathsf{Adv}}_{\mathsf{KDF}}^{\mathsf{PRF}}$	Equilibrium
$g_{\mathsf{CNF}}$ (CNF correctness)	${\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$	Equilibrium

Table 14. PKI protocol market goods summary.

Good	Ask Price Bound	Status
$g_{\mathsf{cert}}$ (certificate authenticity)	${\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}$	Equilibrium
$g_{\mathsf{auth}}$ (entity auth)	${\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$	Equilibrium
$g_{\mathsf{mutual}}$ (mutual auth)	${\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$	Equilibrium
$g_{\mathsf{sk}}$ (key secrecy)	$+{\mathsf{Adv}}_{\mathsf{KEM}}^{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}+{\mathsf{Adv}}_{\mathsf{KDF}}^{\mathsf{PRF}}$	Equilibrium
$g_{\mathsf{CNF}}$ (CNF correctness)	${\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$	Equilibrium

13.7. Signal Protocol: X3DH and Double Ratchet

The Signal Protocol [49,50] is the most widely deployed end-to-end encrypted messaging protocol, powering Signal, WhatsApp, Facebook Messenger, and Google Messages. It consists of two sub-protocols: the Extended Triple Diffie–Hellman (X3DH) key agreement protocol for session establishment, and the Double Ratchet algorithm for ongoing message encryption with forward secrecy and post-compromise security. We analyse both sub-protocols within the MTSF framework, proving security of the full protocol and disproving security of a weakened variant lacking one-time prekeys.

X3DH protocol description.

Let Alice (initiator) and Bob (responder) each hold an identity key pair: $({\mathsf{ik}}_A,{\mathsf{IK}}_A)$ and $({\mathsf{ik}}_B,{\mathsf{IK}}_B)$ respectively, where lowercase denotes private and uppercase denotes public keys over Curve25519. Bob publishes to the server a prekey bundle:

$$\mathsf{PKB}=\left({\mathsf{IK}}_B,{\mathsf{SPK}}_B,{\sigma }_B=\mathsf{XEdDSA}({\mathsf{ik}}_B,{\mathsf{SPK}}_B),{\mathsf{OPK}}_B^{\left(j\right)}\right),$$

where ${\mathsf{SPK}}_B$ is the signed prekey, ${\sigma }_B$ is the identity signature over ${\mathsf{SPK}}_B$, and ${\mathsf{OPK}}_B^{\left(j\right)}$ is an optional one-time prekey.

Alice fetches Bob’s prekey bundle, generates an ephemeral key pair $({\mathsf{ek}}_A,{\mathsf{EK}}_A)$, and computes:

$$\begin{array}{cc}\hfill {\mathsf{DH}}_1& =\mathsf{X}\mathsf{25519}({\mathsf{ik}}_A,{\mathsf{SPK}}_B),\hfill \end{array}$$

(139)

$$\begin{array}{cc}\hfill {\mathsf{DH}}_2& =\mathsf{X}\mathsf{25519}({\mathsf{ek}}_A,{\mathsf{IK}}_B),\hfill \end{array}$$

(140)

$$\begin{array}{cc}\hfill {\mathsf{DH}}_3& =\mathsf{X}\mathsf{25519}({\mathsf{ek}}_A,{\mathsf{SPK}}_B),\hfill \end{array}$$

(141)

$$\begin{array}{cc}\hfill {\mathsf{DH}}_4& =\mathsf{X}\mathsf{25519}({\mathsf{ek}}_A,{\mathsf{OPK}}_B^{\left(j\right)}),\hfill \end{array}$$

(142)

$$\begin{array}{cc}\hfill \mathsf{SK}& =\mathsf{HKDF}\left({\mathsf{DH}}_1\parallel {\mathsf{DH}}_2\parallel {\mathsf{DH}}_3\parallel {\mathsf{DH}}_4\right).\hfill \end{array}$$

(143)

Alice sends to Bob: $({\mathsf{IK}}_A,{\mathsf{EK}}_A,j,{\mathsf{ct}}_0)$ where j identifies the one-time prekey used and ${\mathsf{ct}}_0$ is the initial ciphertext encrypted under $\mathsf{SK}$. Bob performs the same four DH computations using his private keys, derives the same $\mathsf{SK}$, and decrypts ${\mathsf{ct}}_0$. Both then initialise the Double Ratchet with $\mathsf{SK}$ as the root key.

Figure 50. X3DH key agreement protocol (Signal). Alice computes four DH values using Bob’s prekey bundle. The one-time prekey ${\mathsf{OPK}}_B^{\left(j\right)}$ provides per-session freshness; its deletion after use ensures forward secrecy of the initial key establishment.

Figure 50. X3DH key agreement protocol (Signal). Alice computes four DH values using Bob’s prekey bundle. The one-time prekey ${\mathsf{OPK}}_B^{\left(j\right)}$ provides per-session freshness; its deletion after use ensures forward secrecy of the initial key establishment.

Double Ratchet description.

After X3DH, both parties initialise a Double Ratchet state consisting of: a root key $\mathsf{RK}$, a sending chain key ${\mathsf{CK}}_s$, a receiving chain key ${\mathsf{CK}}_r$, and a DH ratchet key pair $({\mathsf{dh}}_s,{\mathsf{DH}}_s)$. Each message triggers two operations:

Symmetric ratchet: To encrypt message n, advance the sending chain:

$$({\mathsf{CK}}_{s,n+1},{\mathsf{MK}}_n)=\mathsf{KDF}\left({\mathsf{CK}}_{s,n}\right),{\mathsf{ct}}_n={\mathsf{AEAD}}_{{\mathsf{MK}}_n}({\mathsf{pt}}_n;\mathsf{AD}),$$

(144)

where $\mathsf{AD}$ (associated data) includes both identity keys and message headers. Delete ${\mathsf{CK}}_{s,n}$ and ${\mathsf{MK}}_n$ after use.

DH ratchet: When receiving a message with a new DH public key ${\mathsf{DH}}_r^{\prime }$:

$$\begin{array}{cc}\hfill {\mathsf{RK}}^{\prime },{\mathsf{CK}}_r^{\prime }& =\mathsf{KDF}\left(\mathsf{RK},\mathsf{X}\mathsf{25519}({\mathsf{dh}}_s,{\mathsf{DH}}_r^{\prime })\right),\hfill \\ \hfill ({\mathsf{dh}}_s^{\prime },{\mathsf{DH}}_s^{\prime })& \leftarrow \mathsf{KeyGen}\left(\right),\hfill \\ \hfill {\mathsf{RK}}^{\prime \prime },{\mathsf{CK}}_s^{\prime }& =\mathsf{KDF}\left({\mathsf{RK}}^{\prime },\mathsf{X}\mathsf{25519}({\mathsf{dh}}_s^{\prime },{\mathsf{DH}}_r^{\prime })\right).\hfill \end{array}$$

(145)

Delete old $\mathsf{RK}$, ${\mathsf{dh}}_s$, and chain keys. The fresh DH exchange provides post-compromise security.

Figure 51. Double Ratchet structure. The root chain (top) advances with each DH ratchet step. Each root key seeds sending and receiving KDF chains, which produce per-message keys. Deletion of old keys provides forward secrecy; fresh DH exchanges provide post-compromise security.

Figure 51. Double Ratchet structure. The root chain (top) advances with each DH ratchet step. Each root key seeds sending and receiving KDF chains, which produce per-message keys. Deletion of old keys provides forward secrecy; fresh DH exchanges provide post-compromise security.

MTSF market model.

The Signal market ${\mathcal{M}}_{\mathsf{Signal}}$ offers six security goods:

• $g_{\mathsf{conf}}$: Message confidentiality (IND-CCA2 of each message under its unique key).
• $g_{\mathsf{auth}}$: Message authentication (INT-CTXT via AEAD for each message).
• $g_{\mathsf{FS}}$: Forward secrecy—compromise of current state does not reveal past message keys.
• $g_{\mathsf{PCS}}$: Post-compromise security—after compromise, security self-heals upon the next DH ratchet step.
• $g_{\mathsf{async}}$: Asynchronous key establishment—Alice can send a message to offline Bob.
• $g_{\mathsf{deny}}$: Deniability—no party can produce a cryptographic proof of the conversation to a third party.

Theorem 53 

(Signal Protocol Market Equilibrium). Under the gap Diffie–Hellman (GDH) assumption on Curve25519 and the PRF security of HKDF-SHA-256:

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{conf}}\right)& \le 4·{\mathsf{Adv}}_{\mathsf{X}\mathsf{25519}}^{\mathsf{GDH}}+{\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}+{\mathsf{Adv}}_{\mathsf{AEAD}}^{\mathsf{IND}}+\mathsf{negl}\left(\lambda \right),\hfill \end{array}$$

(146)

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{auth}}\right)& \le 4·{\mathsf{Adv}}_{\mathsf{X}\mathsf{25519}}^{\mathsf{GDH}}+{\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}+{\mathsf{Adv}}_{\mathsf{AEAD}}^{\mathsf{INT}}+\mathsf{negl}\left(\lambda \right),\hfill \end{array}$$

(147)

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{FS}}\right)& \le {\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}+\mathsf{negl}\left(\lambda \right),\hfill \end{array}$$

(148)

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{PCS}}\right)& \le {\mathsf{Adv}}_{\mathsf{X}\mathsf{25519}}^{\mathsf{GDH}}+{\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}+\mathsf{negl}\left(\lambda \right).\hfill \end{array}$$

(149)

Proof. 

We construct eight bidding rounds, covering X3DH key establishment and Double Ratchet messaging.

${\mathbf{B}}_0$(Bidding Round 0: Real Signal Market).

The seller initialises the Signal Protocol with X3DH key agreement followed by Double Ratchet messaging. Alice generates $({\mathsf{ik}}_A,{\mathsf{IK}}_A)$ and $({\mathsf{ek}}_A,{\mathsf{EK}}_A)$; Bob’s prekey bundle

$$({\mathsf{IK}}_B,{\mathsf{SPK}}_B,{\sigma }_B,{\mathsf{OPK}}_B^{\left(j\right)})$$

is available on the server. The buyer (active network adversary) can observe, delay, reorder, or inject messages.

${\mathbf{B}}_1$(Bidding Round 1: Prekey Signature Forgery Bid).

The buyer attempts to forge Bob’s prekey signature ${\sigma }_B$ on a malicious ${\mathsf{SPK}}_B^{\prime }$. This would allow the buyer to impersonate Bob’s server-published keys, directing Alice to perform X3DH with buyer-controlled values.

Difference lemma. Let $F_{\mathsf{spk}}$: “buyer forges ${\sigma }_B$ on ${\mathsf{SPK}}_B^{\prime }\ne {\mathsf{SPK}}_B$.” Since

$${\sigma }_B=\mathsf{XEdDSA}({\mathsf{ik}}_B,{\mathsf{SPK}}_B)$$

, this requires breaking EUF-CMA of XEdDSA:

$$\Delta {\mathsf{Price}}_0\le Pr\left[F_{\mathsf{spk}}\right]\le {\mathsf{Adv}}_{\mathsf{XEdDSA}}^{\mathsf{EUF}}\le {\mathsf{Adv}}_{\mathsf{X}\mathsf{25519}}^{\mathsf{GDH}}.$$

(150)

${\mathbf{B}}_2$(Bidding Round 2: X3DH ${\mathrm{DH}}_1$ Extraction Bid).

The buyer attempts to recover ${\mathsf{DH}}_1=\mathsf{X}\mathsf{25519}({\mathsf{ik}}_A,{\mathsf{SPK}}_B)$ from the observed transcript. This is a static-static DH: the buyer must solve the Computational Diffie–Hellman (CDH) problem on $({\mathsf{IK}}_A,{\mathsf{SPK}}_B)$.

Difference lemma.$F_{{\mathsf{DH}}_1}$: “buyer computes ${\mathsf{DH}}_1$.” $\Delta {\mathsf{Price}}_1\le {\mathsf{Adv}}_{\mathsf{X}\mathsf{25519}}^{\mathsf{GDH}}$.

${\mathbf{B}}_3$(Bidding Round 3: X3DH ${\mathrm{DH}}_2$–${\mathrm{DH}}_3$ Extraction Bid).

The buyer attempts to recover ${\mathsf{DH}}_2=\mathsf{X}\mathsf{25519}({\mathsf{ek}}_A,{\mathsf{IK}}_B)$ or ${\mathsf{DH}}_3=\mathsf{X}\mathsf{25519}({\mathsf{ek}}_A,{\mathsf{SPK}}_B)$. Both involve Alice’s ephemeral key ${\mathsf{ek}}_A$, known only to Alice. CDH on $({\mathsf{EK}}_A,{\mathsf{IK}}_B)$ or $({\mathsf{EK}}_A,{\mathsf{SPK}}_B)$.

Extended difference lemma. Let $F_{{\mathsf{DH}}_2}$: buyer computes ${\mathsf{DH}}_2$; $F_{{\mathsf{DH}}_3}$: buyer computes ${\mathsf{DH}}_3$. By Lemma 2:

$$\Delta {\mathsf{Price}}_2\le Pr\left[F_{{\mathsf{DH}}_2}\cup F_{{\mathsf{DH}}_3}\right]\le 2·{\mathsf{Adv}}_{\mathsf{X}\mathsf{25519}}^{\mathsf{GDH}}.$$

(151)

${\mathbf{B}}_4$(Bidding Round 4: One-Time Prekey Freshness Bid—${\mathrm{DH}}_4$).

The buyer attempts to recover ${\mathsf{DH}}_4=\mathsf{X}\mathsf{25519}({\mathsf{ek}}_A,{\mathsf{OPK}}_B^{\left(j\right)})$. Since ${\mathsf{OPK}}_B^{\left(j\right)}$ is used exactly once and then deleted, the buyer must solve CDH on a one-time value. Deletion after use ensures that even server compromise after the session does not reveal ${\mathsf{DH}}_4$.

$\Delta {\mathsf{Price}}_3\le {\mathsf{Adv}}_{\mathsf{X}\mathsf{25519}}^{\mathsf{GDH}}$.

${\mathbf{B}}_5$(Bidding Round 5: HKDF PRF Bid—SK Extraction).

With all four DH values hidden, $\mathsf{SK}=\mathsf{HKDF}({\mathsf{DH}}_1\parallel \dots \parallel {\mathsf{DH}}_4)$ is pseudorandom. The buyer attempts to distinguish $\mathsf{SK}$ from random.

$\Delta {\mathsf{Price}}_4\le {\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}$.

${\mathbf{B}}_6$(Bidding Round 6: Symmetric Ratchet Bid—KDF Chain Inversion).

The buyer observes ciphertexts and attempts to recover earlier chain keys from later ones. The KDF chain ${\mathsf{CK}}_{n+1}=\mathsf{KDF}\left({\mathsf{CK}}_n\right)$ is one-way: given ${\mathsf{CK}}_{n+1}$, recovering ${\mathsf{CK}}_n$ requires inverting the PRF. This is the forward secrecy bid—it fails because $\mathsf{KDF}$ is a PRF.

$\Delta {\mathsf{Price}}_5\le {\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}$. This establishes $\mathsf{Ask}\left(g_{\mathsf{FS}}\right)\le {\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}+\mathsf{negl}$.

${\mathbf{B}}_7$(Bidding Round 7: DH Ratchet Bid—Post-Compromise Recovery).

After state compromise, the buyer knows the current root key ${\mathsf{RK}}_i$ and chain keys. Upon the next DH ratchet step, both parties exchange fresh ephemeral DH public keys. The new root key ${\mathsf{RK}}_{i+1}=\mathsf{KDF}({\mathsf{RK}}_i,\mathsf{X}\mathsf{25519}({\mathsf{dh}}_s^{\prime },{\mathsf{DH}}_r^{\prime }))$ depends on a fresh DH secret unknown to the buyer. Recovering this requires solving CDH on the new ephemeral keys.

$\Delta {\mathsf{Price}}_6\le {\mathsf{Adv}}_{\mathsf{X}\mathsf{25519}}^{\mathsf{GDH}}+{\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}$. This establishes $\mathsf{Ask}\left(g_{\mathsf{PCS}}\right)\le {\mathsf{Adv}}^{\mathsf{GDH}}+{\mathsf{Adv}}^{\mathsf{PRF}}+\mathsf{negl}$.

${\mathbf{B}}_8$(Bidding Round 8: AEAD Message Confidentiality/Integrity Bid).

Each message is encrypted with a unique message key ${\mathsf{MK}}_n$ under AEAD (AES-256-CBC + HMAC-SHA-256 in Signal’s implementation). Distinguishing the ciphertext or forging a valid ciphertext requires breaking the AEAD.

$\Delta {\mathsf{Price}}_7\le {\mathsf{Adv}}_{\mathsf{AEAD}}^{\mathsf{IND}}+{\mathsf{Adv}}_{\mathsf{AEAD}}^{\mathsf{INT}}$.

Total market cost:

$$\mathsf{Ask}\left(g_{\mathsf{conf}}\right)\le 4·{\mathsf{Adv}}^{\mathsf{GDH}}+2·{\mathsf{Adv}}^{\mathsf{PRF}}+{\mathsf{Adv}}_{\mathsf{AEAD}}^{\mathsf{IND}}+\mathsf{negl}\left(\lambda \right).$$

(152)

For Curve25519 with $\lambda =128$, ${\mathsf{Adv}}^{\mathsf{GDH}}\le 2^{-128}$, and all terms are negligible. The market is in equilibrium for all six goods.

${\mathbf{B}}_{\mathsf{sca}}$(Side-Channel Bid: Comprehensive Physical Leakage Attack.)

SCA extended difference lemma.$F_{\mathsf{sca}}=F_{\mathsf{SPA}}\cup F_{\mathsf{DPA}}\cup F_{\mathsf{timing}}\cup F_{\mathsf{cache}}\cup F_{\mathsf{EMA}}\cup F_{\mathsf{fault}}\cup F_{\mathsf{cold}}\cup F_{\mathsf{acoustic}}\cup F_{\mathsf{photonic}}$: “${\mathcal{A}}_{\mathsf{phys}}$ recovers $\ge 1$ secret bit via any physical channel from $\le q_{\mathsf{phys}}$ measurements.” By Lemma 2, the side-channel event is independent of the mathematical failure events $F_{\mathsf{nonce}},F_{\mathsf{hash}},\dots$ in the preceding rounds, so their joint probability satisfies $Pr\left[{\bigcup }_k{F}_k\cup F_{\mathsf{sca}}\right]\le {\sum }_{k}Pr\left[F_k\right]+{\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}(\lambda ,d)$. With the comprehensive countermeasure suite, ${\mathsf{Adv}}_{\mathsf{total}}^{\mathsf{SCA}}=\mathsf{negl}\left(\lambda \right)$, preserving market equilibrium.

${\mathbf{B}}_{\mathsf{tight}}$(Tight Security Reduction—Additional Proof.)

Total Session Bound and Key Rotation Recommendation.

Session pinging and CNF checking within the proof. The Signal Protocol has a natural multi-session structure: each X3DH establishment creates a new session, and each DH ratchet step within the Double Ratchet creates a sub-session. We verify the ping conditions:

SID freshness: Each X3DH session uses a fresh ephemeral key ${\mathsf{EK}}_A$ and (when available) a fresh one-time prekey ${\mathsf{OPK}}_B^{\left(j\right)}$. The pair $({\mathsf{EK}}_A,j)$ serves as an implicit SID. Since ${\mathsf{EK}}_A$ is freshly generated per session, ${\mathsf{sid}}_{i+1}\ne {\mathsf{sid}}_i$ with overwhelming probability.

Nonce disjointness: Each Double Ratchet DH step generates a fresh ephemeral DH key pair $({\mathsf{dh}}_s^{\prime },{\mathsf{DH}}_s^{\prime })$. The DH public keys across ratchet steps are distinct with overwhelming probability (fresh key generation from ${\{0,1\}}^{256}$).

Cryptographic binding: Each AEAD ciphertext includes associated data binding the identity keys (${\mathsf{IK}}_A$, ${\mathsf{IK}}_B$) and the current DH ratchet public key. This binds each ciphertext to the current session state.

Key deletion enforces forward pinging: After each symmetric ratchet step, old chain keys are deleted. This is stronger than the standard ping condition: not only are sessions structurally distinct, but the cryptographic material linking them is destroyed. By Theorem 3, the Signal Protocol is secure for unbounded message exchanges with ${\delta }_{\mathsf{ping}}\le {\mathsf{Adv}}_{\mathsf{X}\mathsf{25519}}^{\mathsf{GDH}}=\mathsf{negl}\left(\lambda \right)$.    □

Figure 52. Signal Protocol bidding-round chain. Eight rounds cover X3DH (${\mathbf{B}}_1$–${\mathbf{B}}_5$) and Double Ratchet (${\mathbf{B}}_6$–${\mathbf{B}}_8$). Each hop is labelled with the hardness assumption used.

Figure 52. Signal Protocol bidding-round chain. Eight rounds cover X3DH (${\mathbf{B}}_1$–${\mathbf{B}}_5$) and Double Ratchet (${\mathbf{B}}_6$–${\mathbf{B}}_8$). Each hop is labelled with the hardness assumption used.

13.7.1. Insecurity Analysis: Signal Without One-Time Prekeys

The X3DH specification [49] notes that one-time prekeys may be exhausted on the server, in which case ${\mathsf{DH}}_4$ is omitted. We show that this weakened variant—which we call X3DH-noOPK—suffers from a replay vulnerability that partially collapses the Signal market.

X3DH-noOPK protocol.

Same as X3DH but with ${\mathsf{DH}}_4$ omitted:

$${\mathsf{SK}}_{\mathsf{noOPK}}=\mathsf{HKDF}({\mathsf{DH}}_1\parallel {\mathsf{DH}}_2\parallel {\mathsf{DH}}_3).$$

(153)

Since no one-time prekey is consumed, the same prekey bundle $({\mathsf{IK}}_B,{\mathsf{SPK}}_B,{\sigma }_B)$ can be reused across multiple sessions.

Theorem 54 

(X3DH-noOPK Partial Market Collapse: Replay Vulnerability). If the server does not rotate ${\mathsf{SPK}}_B$ between sessions and no one-time prekeys are available, then:

1.

Initial message replay:An adversary can replay Alice’s initial message $({\mathsf{IK}}_A,{\mathsf{EK}}_A,{\mathsf{ct}}_0)$ to Bob, causing Bob to derive the same $\mathsf{SK}$ as in the original session.

2.

SK collision across sessions:If the adversary replays the initial message, ${\mathsf{SK}}_{\mathsf{replay}}={\mathsf{SK}}_{\mathsf{original}}$, violating key freshness.

3.

Ping failure:$\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=0$ because the replayed session has the same implicit SID $({\mathsf{EK}}_A,·)$ and derives the same $\mathsf{SK}$.

Consequently, $\mathsf{Ask}\left(g_{\mathsf{async}}\right)=1$ for the asynchronous session establishment good, and $\mathsf{Ask}\left(g_{\mathsf{FS}}\right)$ is degraded from $\mathsf{negl}$ to ${\mathsf{Adv}}^{\mathsf{GDH}}+q_{\mathsf{replay}}·2^{-128}$ where $q_{\mathsf{replay}}$ is the number of replay attempts during the ${\mathsf{SPK}}_B$ validity window.

Proof. 

We demonstrate the replay attack and its MTSF consequences.

${\mathbf{B}}_0$(Real X3DH-noOPK). Alice computes $\mathsf{SK}=\mathsf{HKDF}({\mathsf{DH}}_1\parallel {\mathsf{DH}}_2\parallel {\mathsf{DH}}_3)$ and sends $({\mathsf{IK}}_A,{\mathsf{EK}}_A,{\mathsf{ct}}_0)$ to Bob.

${\mathbf{B}}_0\to$Replay Attack. The buyer captures Alice’s initial message and replays it to Bob at a later time. Bob receives $({\mathsf{IK}}_A,{\mathsf{EK}}_A,{\mathsf{ct}}_0)$ and computes:

• ${\mathsf{DH}}_1=\mathsf{X}\mathsf{25519}({\mathsf{spk}}_B,{\mathsf{IK}}_A)$ — same as original (same long-term keys).
• ${\mathsf{DH}}_2=\mathsf{X}\mathsf{25519}({\mathsf{ik}}_B,{\mathsf{EK}}_A)$ — same as original (same ${\mathsf{EK}}_A$).
• ${\mathsf{DH}}_3=\mathsf{X}\mathsf{25519}({\mathsf{spk}}_B,{\mathsf{EK}}_A)$ — same as original (same ${\mathsf{SPK}}_B$, same ${\mathsf{EK}}_A$).

Since ${\mathsf{DH}}_4$ is absent, ${\mathsf{SK}}_{\mathsf{replay}}=\mathsf{HKDF}({\mathsf{DH}}_1\parallel {\mathsf{DH}}_2\parallel {\mathsf{DH}}_3)={\mathsf{SK}}_{\mathsf{original}}$. Bob decrypts ${\mathsf{ct}}_0$ successfully and initialises a new Double Ratchet with the same root key.

No cryptographic primitive is broken—the replay succeeds because the initial message is deterministic given the same key material and no one-time prekey provides per-session randomness.

CNF analysis. Bob’s session-CNF for the replayed session:

Clause	Check	Honest trace	Replay trace	Verdict
${\phi }^{\mathsf{spk}}$: prekey sig valid	${\sigma }_B$ verifies?	T	T (same ${\sigma }_B$)	Passes
${\phi }^{\mathsf{opk}}$: OPK fresh	OPK used?	N/A (no OPK)	N/A	Vacuously T
${\phi }^{\mathsf{ek}}$: ephemeral fresh	${\mathsf{EK}}_A$ new?	T	T (Bob cannot tell)	Passes!
${\phi }^{\mathsf{aead}}$: decrypt OK	${\mathsf{ct}}_0$ decrypts?	T	T (same $\mathsf{SK}$!)	Passes!
Missing:${\phi }^{\mathsf{opk}-\mathsf{binding}}$	OPK consumed?	T	F (no OPK!)	ABSENT
${\phi }_{\mathsf{noOPK}}$:	SAT under replay trace—CNF design weakness.			Partial collapse

Ping failure analysis. The replayed session has the same implicit SID $({\mathsf{EK}}_A,·)$ and derives the same $\mathsf{SK}$. Therefore $\mathsf{Ping}({\mathsf{Session}}_{\mathsf{original}},{\mathsf{Session}}_{\mathsf{replay}})=0$: the sessions are not structurally distinct. This is a Type I (SID collision) and Type V (ciphertext replay) ping failure per Theorem 17.

Mitigating factors (why this is partial, not total, collapse):

1.

Double Ratchet self-healing: After Bob’s first reply (which includes a fresh DH key), the Double Ratchet diverges from the replayed session. The attacker cannot generate valid replies without solving CDH on Bob’s new ephemeral key.

2.

SPK rotation: Once Bob rotates ${\mathsf{SPK}}_B$, the attacker’s captured message no longer produces the correct ${\mathsf{DH}}_1$ and ${\mathsf{DH}}_3$ at Bob’s end. Signal recommends rotating ${\mathsf{SPK}}_B$ every 1–4 weeks.

3.

Application-layer detection: Bob may notice duplicate initial messages at the application layer (e.g., duplicate conversation initiations).

Therefore $\mathsf{Ask}\left(g_{\mathsf{async}}\right)=1$ (replay succeeds with certainty) but $\mathsf{Ask}\left(g_{\mathsf{conf}}\right)$ degrades only for messages before the first reply, and $\mathsf{Ask}\left(g_{\mathsf{PCS}}\right)$ is unaffected after the first DH ratchet step.    □

Table 15. Signal Protocol market summary. Six security goods with ask price bounds and equilibrium status.

Good	Ask Price Bound	Hardness	Status
$g_{\mathsf{conf}}$ (confidentiality)	$4{\mathsf{Adv}}^{\mathsf{GDH}}+2{\mathsf{Adv}}^{\mathsf{PRF}}+{\mathsf{Adv}}^{\mathsf{AEAD}}$	GDH + PRF + AEAD	Equilibrium
$g_{\mathsf{auth}}$ (authentication)	$4{\mathsf{Adv}}^{\mathsf{GDH}}+2{\mathsf{Adv}}^{\mathsf{PRF}}+{\mathsf{Adv}}^{\mathsf{INT}}$	GDH + PRF + INT	Equilibrium
$g_{\mathsf{FS}}$ (forward secrecy)	${\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}$	PRF	Equilibrium
$g_{\mathsf{PCS}}$ (post-compromise)	${\mathsf{Adv}}^{\mathsf{GDH}}+{\mathsf{Adv}}^{\mathsf{PRF}}$	GDH + PRF	Equilibrium
$g_{\mathsf{async}}$ (asynchronous)	${\mathsf{Adv}}^{\mathsf{GDH}}$	GDH (via OPK)	Equilibrium
$g_{\mathsf{deny}}$ (deniability)	—	No transferable proof	Equilibrium

Table 15. Signal Protocol market summary. Six security goods with ask price bounds and equilibrium status.

Good	Ask Price Bound	Hardness	Status
$g_{\mathsf{conf}}$ (confidentiality)	$4{\mathsf{Adv}}^{\mathsf{GDH}}+2{\mathsf{Adv}}^{\mathsf{PRF}}+{\mathsf{Adv}}^{\mathsf{AEAD}}$	GDH + PRF + AEAD	Equilibrium
$g_{\mathsf{auth}}$ (authentication)	$4{\mathsf{Adv}}^{\mathsf{GDH}}+2{\mathsf{Adv}}^{\mathsf{PRF}}+{\mathsf{Adv}}^{\mathsf{INT}}$	GDH + PRF + INT	Equilibrium
$g_{\mathsf{FS}}$ (forward secrecy)	${\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}$	PRF	Equilibrium
$g_{\mathsf{PCS}}$ (post-compromise)	${\mathsf{Adv}}^{\mathsf{GDH}}+{\mathsf{Adv}}^{\mathsf{PRF}}$	GDH + PRF	Equilibrium
$g_{\mathsf{async}}$ (asynchronous)	${\mathsf{Adv}}^{\mathsf{GDH}}$	GDH (via OPK)	Equilibrium
$g_{\mathsf{deny}}$ (deniability)	—	No transferable proof	Equilibrium

Corollary 15 

(Signal Unbounded Security). The Signal Protocol is secure for unbounded messaging sessions: each X3DH establishment uses a fresh ${\mathsf{EK}}_A$ and a one-time ${\mathsf{OPK}}_B^{\left(j\right)}$; each Double Ratchet step generates fresh DH keys; each message uses a unique message key ${\mathsf{MK}}_n$ derived from a one-way KDF chain. Hence $\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=1$ for all i with probability $\ge 1-{\mathsf{Adv}}^{\mathsf{GDH}}$. By Theorem 3, equilibrium holds for all $i\ge 1$ with accumulated degradation ${\delta }_{\mathsf{ping}}\le {\mathsf{Adv}}^{\mathsf{GDH}}=\mathsf{negl}$.

13.8. TLS 1.3: Security and Insecurity Analysis

13.8.1. TLS 1.3 Protocol Description and Key Schedule

Notation.

Let $\mathsf{HKDF}-\mathsf{Extract}(s,\mathsf{ikm})$ and $\mathsf{HKDF}-\mathsf{Expand}(k,\mathsf{info},L)$ denote the standard HKDF operations [52]. We write $\mathsf{Derive}-\mathsf{Secret}(s,l,m)=\mathsf{HKDF}-\mathsf{Expand}-\mathsf{Label}(s,l,\mathsf{Hash}(m),n)$ where n is the hash output length and m is the transcript hash up to that point. Let $({\mathsf{sk}}_S,{\mathsf{pk}}_S)$ be the server’s certificate key pair and ${\mathsf{cert}}_S$ the CA-signed certificate. Let g be a Diffie–Hellman group (e.g., X25519 or P-256). The client generates ephemeral share $(x,X=g^x)$ and the server generates $(y,Y=g^y)$.

13.8.1.2. The 1-RTT Handshake.

The TLS 1.3 full handshake proceeds as follows:

1.

$C\to S$:   $\mathsf{ClientHello}=(\mathsf{version},N_C,\mathsf{suites},X,\mathsf{extensions})$

2.

$S\to C$:   $\mathsf{ServerHello}=(\mathsf{version},N_S,\mathsf{suite},Y,\mathsf{extensions})$

Both compute: $Z=g^{xy}$ (the shared secret), then derive:

$$\begin{array}{cc}\hfill \mathsf{ES}& =\mathsf{HKDF}-\mathsf{Extract}(0,0)(\mathrm{early}\sec \mathrm{ret},\mathrm{no}\mathrm{PSK})\hfill \end{array}$$

(154)

$$\begin{array}{cc}\hfill \mathsf{HS}& =\mathsf{HKDF}-\mathsf{Extract}(\mathsf{Derive}-\mathsf{Secret}(\mathsf{ES},"\mathtt{derived}",\epsilon ),Z)(\mathrm{handshake}\sec \mathrm{ret})\hfill \end{array}$$

(155)

$$\begin{array}{cc}\hfill \mathsf{CHTS}& =\mathsf{Derive}-\mathsf{Secret}(\mathsf{HS},"\mathtt{c}\mathtt{hs}\mathtt{traffic}",{\mathcal{T}}_{\mathsf{SH}})(\mathrm{client}\mathrm{HS}\mathrm{traffic}\sec \mathrm{ret})\hfill \end{array}$$

(156)

$$\begin{array}{cc}\hfill \mathsf{SHTS}& =\mathsf{Derive}-\mathsf{Secret}(\mathsf{HS},"\mathtt{s}\mathtt{hs}\mathtt{traffic}",{\mathcal{T}}_{\mathsf{SH}})(\mathrm{server}\mathrm{HS}\mathrm{traffic}\sec \mathrm{ret})\hfill \end{array}$$

(157)

$$\begin{array}{cc}\hfill \mathsf{MS}& =\mathsf{HKDF}-\mathsf{Extract}(\mathsf{Derive}-\mathsf{Secret}(\mathsf{HS},"\mathtt{derived}",\epsilon ),0)(\mathrm{master}\sec \mathrm{ret})\hfill \end{array}$$

(158)

where ${\mathcal{T}}_{\mathsf{SH}}$ denotes the transcript hash up to and including ServerHello.

3.

$S\to C$:   $\{\mathsf{EncExt},{\mathsf{cert}}_S,{\mathsf{CertVfy}}_S,{\mathsf{Fin}}_S\}$ (all encrypted under $\mathsf{SHTS}$)

where ${\mathsf{CertVfy}}_S=\mathsf{Sign}({\mathsf{sk}}_S,\sigma -\mathrm{context}\parallel {\mathcal{T}}_{\mathsf{CV}})$ and ${\mathsf{Fin}}_S=\mathsf{HMAC}(k_{\mathsf{fin},S},{\mathcal{T}}_{\mathsf{CF}})$.

4.

$C\to S$:   $\left\{{\mathsf{Fin}}_C\right\}$ (encrypted under $\mathsf{CHTS}$)

where ${\mathsf{Fin}}_C=\mathsf{HMAC}(k_{\mathsf{fin},C},{\mathcal{T}}_{\mathsf{SF}})$.

5.

Both derive application traffic secrets:

$$\begin{array}{cc}\hfill \mathsf{CATS}& =\mathsf{Derive}-\mathsf{Secret}(\mathsf{MS},"\mathtt{c}\mathtt{ap}\mathtt{traffic}",{\mathcal{T}}_{\mathsf{SF}})\hfill \end{array}$$

(159)

$$\begin{array}{cc}\hfill \mathsf{SATS}& =\mathsf{Derive}-\mathsf{Secret}(\mathsf{MS},"\mathtt{s}\mathtt{ap}\mathtt{traffic}",{\mathcal{T}}_{\mathsf{SF}})\hfill \end{array}$$

(160)

13.8.1.3. Key schedule summary:

All secrets are derived via a single HKDF ladder:

$$0\stackrel{\mathsf{Extract}}{\to }\mathsf{ES}\stackrel{\mathsf{Derive}}{\to }\stackrel{\mathsf{Extract}\left(Z\right)}{\to }\mathsf{HS}\stackrel{\mathsf{Derive}}{\to }\stackrel{\mathsf{Extract}\left(0\right)}{\to }\mathsf{MS}\stackrel{\mathsf{Derive}}{\to }\mathsf{CATS}/\mathsf{SATS}/\mathsf{ResMS}$$

The Finished MACs bind the handshake transcript under keys derived from $\mathsf{HS}$, preventing transcript truncation and downgrade.

Figure 53. TLS 1.3 full (1-RTT) handshake. Messages 1–2 are in plaintext; all subsequent messages are encrypted (shown in green). The server authenticates via CertificateVerify and Finished; the client via its own Finished (mutual TLS). Both parties derive separate application traffic secrets from the master secret.

Figure 53. TLS 1.3 full (1-RTT) handshake. Messages 1–2 are in plaintext; all subsequent messages are encrypted (shown in green). The server authenticates via CertificateVerify and Finished; the client via its own Finished (mutual TLS). Both parties derive separate application traffic secrets from the master secret.

Figure 54. TLS 1.3 HKDF key schedule ladder. All secrets are derived via a single HKDF chain from the DH shared secret $Z=g^{xy}$. Separate label strings provide domain separation; each output is pseudorandom given the preceding secret. The Finished keys $k_{\mathsf{fin},C}$ and $k_{\mathsf{fin},S}$ bind the handshake transcript.

Figure 54. TLS 1.3 HKDF key schedule ladder. All secrets are derived via a single HKDF chain from the DH shared secret $Z=g^{xy}$. Separate label strings provide domain separation; each output is pseudorandom given the preceding secret. The Finished keys $k_{\mathsf{fin},C}$ and $k_{\mathsf{fin},S}$ bind the handshake transcript.

13.8.2. TLS 1.3 Market Setup

Security goods.

The TLS 1.3 market ${\mathcal{M}}_{\mathsf{TLS}}$ offers the following goods to buyers:

• $g_{\mathsf{sk}}$: Session-key secrecy — no PPT adversary can distinguish $\mathsf{CATS}$ (or $\mathsf{SATS}$) from uniform random, even given all handshake messages.
• $g_{\mathsf{auth}}$: Server authentication — the client accepts only if the server possesses the private key ${\mathsf{sk}}_S$ bound to the certificate ${\mathsf{cert}}_S$ verified against a trusted CA.
• $g_{\mathsf{mutual}}$: Mutual authentication (mTLS) — additionally, the server accepts only if the client possesses a valid certificate key.
• $g_{\mathsf{FS}}$: Forward secrecy — compromise of ${\mathsf{sk}}_S$ after session completion does not reveal $\mathsf{CATS}$ or $\mathsf{SATS}$.
• $g_{\mathsf{CNF}}$: CNF session correctness — the session satisfies a conjunction of transcript-binding clauses.
• $g_{\mathsf{0}\mathsf{RTT}}$: 0-RTT anti-replay (examined separately in Section 13.8.4) — the 0-RTT early data cannot be replayed by a network adversary.

13.8.2.2. Assumptions.

Let ${\mathsf{Adv}}_g^{\mathsf{CDH}}$ denote the advantage of any PPT adversary against the Computational Diffie–Hellman problem in group g (e.g., X25519 or P-256), ${\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}$ the PRF advantage against HKDF, ${\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}$ the EUF-CMA advantage against the server’s signature scheme (ECDSA or EdDSA), ${\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}-\mathsf{CMA}}$ the EUF-CMA advantage against the CA’s signature scheme, and ${\mathsf{Adv}}_{\mathsf{HMAC}}^{\mathsf{SUF}-\mathsf{CMA}}$ the SUF-CMA advantage against HMAC used in Finished messages.

13.8.3. TLS 1.3 Security Proof: 1-RTT Handshake Equilibrium

Theorem 55 

(TLS 1.3 Handshake Market Equilibrium). Let $q_N$ be the number of handshake sessions and $q_H$ the number of hash queries. Under CDH, PRF-HKDF, EUF-CMA for the server signature scheme, EUF-CMA for the CA, and SUF-CMA for HMAC:

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{sk}}\right)& \le {\mathsf{Adv}}_g^{\mathsf{CDH}}+3·{\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}+{\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}-\mathsf{CMA}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}+{\mathsf{Adv}}_{\mathsf{HMAC}}^{\mathsf{SUF}-\mathsf{CMA}}+{\displaystyle \frac{q_N^2}{2^{\lambda +1}}}+\mathsf{negl}\left(\lambda \right),\hfill \end{array}$$

(161)

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{auth}}\right)& \le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}-\mathsf{CMA}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}+{\mathsf{Adv}}_{\mathsf{HMAC}}^{\mathsf{SUF}-\mathsf{CMA}}+{\displaystyle \frac{q_N^2}{2^{\lambda +1}}}+\mathsf{negl}\left(\lambda \right),\hfill \end{array}$$

(162)

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{mutual}}\right)& \le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}-\mathsf{CMA}}+2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}+{\mathsf{Adv}}_{\mathsf{HMAC}}^{\mathsf{SUF}-\mathsf{CMA}}+{\displaystyle \frac{q_N^2}{2^{\lambda +1}}}+\mathsf{negl}\left(\lambda \right),\hfill \end{array}$$

(163)

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{FS}}\right)& \le {\mathsf{Adv}}_g^{\mathsf{CDH}}+3·{\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}+\mathsf{negl}\left(\lambda \right).\hfill \end{array}$$

(164)

All four goods are in equilibrium; ${\mathcal{M}}_{\mathsf{TLS}}$ (1-RTT) is in equilibrium.

Proof. 

We construct a bidding-round chain ${\mathbf{B}}_0,{\mathbf{B}}_1,\dots ,{\mathbf{B}}_9$, each representing a specific adversarial bid. Each hop applies the (extended) difference lemma.

${\mathbf{B}}_0$(Bidding Round 0: Real TLS 1.3 Market).

The seller generates the server’s long-term key pair $({\mathsf{sk}}_S,{\mathsf{pk}}_S)$ and certificate

$${\mathsf{cert}}_S=({\mathsf{id}}_S,{\mathsf{pk}}_S,{\mathsf{valid}}_S,{\sigma }_{\mathsf{CA}})$$

The buyer (adversary $\mathcal{A}$) controls the network: it can intercept, replay, modify, inject, and drop messages. The buyer’s goal is to win the IND-CPA distinguishing game on $\mathsf{CATS}$ (equivalently $\mathsf{SATS}$), or to cause the client to accept a session without the server having participated (authentication violation). The seller runs the honest TLS 1.3 server. The buyer’s ask price at ${\mathbf{B}}_0$ is ${\mathsf{Ask}}_0$.

${\mathbf{B}}_1$(Bidding Round 1: Nonce Collision Bid).

The seller adds an internal nonce-collision check: abort if any two handshake nonces $(N_C,N_S)$ collide across $q_N$ sessions. The bad event is $F_{\mathsf{nonce}}$: some nonce pair from session i equals that of session j ($i\ne j$). Since $N_C$ and $N_S$ are each sampled uniformly from ${\{0,1\}}^{256}$:

$$\Delta {\mathsf{Price}}_0\le Pr\left[F_{\mathsf{nonce}}\right]\le {\displaystyle \frac{q_N^2}{2^{\lambda +1}}}.$$

(165)

Market interpretation: The nonce-collision bid fails because the collision birthday bound requires $q_N\approx 2^{128}$ handshakes—computationally infeasible. After ${\mathbf{B}}_1$, all session nonces are distinct.

${\mathbf{B}}_2$(Bidding Round 2: Certificate Forgery Bid).

The seller adds a certificate-validity check: abort if the buyer presents a certificate for ${\mathsf{id}}_S$ that verifies under ${\mathsf{pk}}_{\mathsf{CA}}$ but was not issued by the CA. The bad event $F_{\mathsf{cert}}$: “the buyer produces a valid CA signature ${\sigma }^{*}$ on a new $({\mathsf{id}}_S,{\mathsf{pk}}^{*})$ pair.” This is exactly an EUF-CMA forgery on the CA’s signing key.

$$\Delta {\mathsf{Price}}_1\le Pr\left[F_{\mathsf{cert}}\right]\le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}-\mathsf{CMA}}.$$

(166)

After ${\mathbf{B}}_2$, any certificate the client accepts genuinely binds ${\mathsf{pk}}_S$ to ${\mathsf{id}}_S$.

${\mathbf{B}}_3$(Bidding Round 3: CertificateVerify Forgery Bid).

The seller adds a transcript-signature check: abort if the buyer produces a valid ${\mathsf{CertVfy}}_S^{*}=\mathsf{Sign}({\mathsf{sk}}_S,\sigma -\mathrm{ctx}\parallel {\mathcal{T}}_{\mathsf{CV}})$ without holding ${\mathsf{sk}}_S$. The transcript ${\mathcal{T}}_{\mathsf{CV}}$ includes all messages up to and including the server’s Certificate. Since the nonces in ${\mathcal{T}}_{\mathsf{CV}}$ are distinct across sessions (by ${\mathbf{B}}_1$), each transcript is a distinct message. The bad event $F_{\mathsf{forge}}$: the buyer forges a CertificateVerify signature.

$$\Delta {\mathsf{Price}}_2\le Pr\left[F_{\mathsf{forge}}\right]\le {\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}.$$

(167)

Extended difference lemma. The buyer could simultaneously attempt $F_{\mathsf{cert}}$ and $F_{\mathsf{forge}}$ (use a forged certificate to change ${\mathsf{pk}}_S$, then forge a signature under the new key). However, ${\mathbf{B}}_2$ already aborted on $F_{\mathsf{cert}}$, so in ${\mathbf{B}}_3$ the certificate is genuine and ${\mathsf{pk}}_S$ is the real server key. The two failure events are sequential, not simultaneous; they are handled in separate hops. After ${\mathbf{B}}_3$, server authentication is established: the client accepts only genuine TLS 1.3 servers.

${\mathbf{B}}_4$(Bidding Round 4: Finished MAC Forgery Bid).

The Finished message ${\mathsf{Fin}}_S=\mathsf{HMAC}(k_{\mathsf{fin},S},{\mathcal{T}}_{\mathsf{CF}})$ binds the entire handshake transcript. The bad event $F_{\mathsf{fin}}$: the buyer produces a valid Finished MAC without knowing $k_{\mathsf{fin},S}$. Since $k_{\mathsf{fin},S}$ is derived from $\mathsf{SHTS}$ (itself derived from $\mathsf{HS}$ and $Z=g^{xy}$), and all previous hops eliminated forgery attacks on certificates and signatures, the only way to forge ${\mathsf{Fin}}_S$ is to break HMAC.

$$\Delta {\mathsf{Price}}_3\le Pr\left[F_{\mathsf{fin}}\right]\le {\mathsf{Adv}}_{\mathsf{HMAC}}^{\mathsf{SUF}-\mathsf{CMA}}.$$

(168)

Market interpretation: The Finished MAC bid represents the “transcript-binding” auction. A buyer placing this bid claims it can forge a MAC over a modified transcript. After this hop, the handshake transcript is immutably bound: any modification to any prior message causes Finished verification to fail.

${\mathbf{B}}_5$(Bidding Round 5: CDH Bid on the Ephemeral DH Share).

Replace the real DH exchange with a random shared secret $\tilde{Z}\stackrel{\$}{\leftarrow }{\{0,1\}}^{\left|Z\right|}$. Any buyer detecting this change is solving the CDH problem: given $(g,g^x,g^y)$, compute $g^{xy}$. Since the ephemeral keys $(x,y)$ are generated fresh per session, forward secrecy is implicit: even if the server’s long-term key ${\mathsf{sk}}_S$ is later compromised, Z cannot be recovered.

$$\Delta {\mathsf{Price}}_4\le {\mathsf{Adv}}_g^{\mathsf{CDH}}.$$

(169)

After ${\mathbf{B}}_5$, the handshake secret $\mathsf{HS}$ is derived from $\tilde{Z}$—a uniformly random value unknown to the buyer.

${\mathbf{B}}_6$(Bidding Round 6: PRF Bid on HS Extraction).

Replace $\mathsf{HS}=\mathsf{HKDF}-\mathsf{Extract}(\mathsf{Derive}-\mathsf{Secret}(\mathsf{ES},"\mathtt{derived}",\epsilon ),\tilde{Z})$ with a uniformly random string $\widetilde{\mathsf{HS}}\stackrel{\$}{\leftarrow }{\{0,1\}}^n$. Any buyer distinguishing $\mathsf{HS}$ from $\widetilde{\mathsf{HS}}$ breaks HKDF’s PRF security.

$$\Delta {\mathsf{Price}}_5\le {\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}.$$

(170)

${\mathbf{B}}_7$(Bidding Round 7: PRF Bid on MS Extraction).

Replace $\mathsf{MS}=\mathsf{HKDF}-\mathsf{Extract}(\mathsf{Derive}-\mathsf{Secret}(\widetilde{\mathsf{HS}},"\mathtt{derived}",\epsilon ),0)$ with $\widetilde{\mathsf{MS}}\stackrel{\$}{\leftarrow }{\{0,1\}}^n$.

$$\Delta {\mathsf{Price}}_6\le {\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}.$$

(171)

${\mathbf{B}}_8$(Bidding Round 8: PRF Bid on Application Traffic Secret).

Replace $\mathsf{CATS}=\mathsf{Derive}-\mathsf{Secret}(\widetilde{\mathsf{MS}},"\mathtt{captraffic}",{\mathcal{T}}_{\mathsf{SF}})$ with $\widetilde{\mathsf{CATS}}\stackrel{\$}{\leftarrow }{\{0,1\}}^n$.

$$\Delta {\mathsf{Price}}_7\le {\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}.$$

(172)

Key separation: The label "c ap traffic" differs from "s ap traffic", "c hs traffic", etc. HKDF’s PRF security with distinct labels guarantees that $\mathsf{CATS}$ and $\mathsf{SATS}$ are independently pseudorandom—a buyer cannot derive one from the other.

${\mathbf{B}}_9$(Bidding Round 9: Ideal Game).

In ${\mathbf{B}}_9$, $\widetilde{\mathsf{CATS}}$ is uniformly random and independent of all messages seen by the buyer. The buyer’s distinguishing advantage on the IND-CPA game on $\mathsf{CATS}$ is exactly $1/2$ (random guessing): $Pr[{\mathbf{B}}_9=1]=1/2$.

Collecting bounds. Summing price adjustments across hops:

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{sk}}\right)& ={\mathsf{Ask}}_0-1/2\le \Delta {\mathsf{Price}}_0+\dots +\Delta {\mathsf{Price}}_7\hfill \\ \hfill & \le {\displaystyle \frac{q_N^2}{2^{\lambda +1}}}+{\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{HMAC}}^{\mathsf{SUF}}+{\mathsf{Adv}}_g^{\mathsf{CDH}}+3·{\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}+\mathsf{negl}\left(\lambda \right),\hfill \end{array}$$

establishing Equation (161).

Authentication bound (): In the authentication game, the buyer wins if the client completes the handshake with a session partner that did not run a matching session. Hops ${\mathbf{B}}_1$–${\mathbf{B}}_4$ (nonce, certificate, CertificateVerify, Finished) already bound this: no certificate forgery, no signature forgery, no MAC forgery, and distinct nonces per session. Summing gives Equation ().

Mutual authentication bound (): For mTLS, add a hop for the client’s CertificateVerify: the server additionally verifies the client certificate and client signature, costing ${\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}-\mathsf{CMA}}$ for the client key. By the extended difference lemma over server and client forgery events: $Pr\left[F_{\mathsf{forge},S}\cup F_{\mathsf{forge},C}\right]\le 2·{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}$. Equation () follows.

Forward secrecy bound (): Forward secrecy requires that after session completion, compromising ${\mathsf{sk}}_S$ does not reveal $\mathsf{CATS}$. The server’s long-term key is used only for CertificateVerify in ${\mathbf{B}}_3$—not for key derivation. The session keys derive from the ephemeral DH secret $Z=g^{xy}$ (which is deleted at session end) via the HKDF chain. After ${\mathbf{B}}_5$ (Z randomised), the entire HKDF chain produces uniformly random outputs; ${\mathsf{sk}}_S$ provides no additional information. The forward secrecy bid fails with advantage at most ${\mathsf{Adv}}_g^{\mathsf{CDH}}+3·{\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}$, establishing Equation ().

Session pinging within the TLS 1.3 proof. For consecutive TLS sessions ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$:

SID freshness: In TLS 1.3, the session ID field in ServerHello is a legacy field included only for TLS 1.2 middlebox compatibility. True session binding in TLS 1.3 is achieved via the nonce pair $(N_C,N_S)$, which is committed to in the Finished MACs and CertificateVerify. Since $N_{C,i+1}$ and $N_{S,i+1}$ are fresh random 256-bit values, $(N_{C,i+1},N_{S,i+1})\ne (N_{C,j},N_{S,j})$ for all $j\le i$ except with probability $q_N^2/2^{\lambda +1}$.

Ephemeral key freshness: Each session generates fresh $(x_{i+1},X_{i+1}=g^{x_{i+1}})$ and $(y_{i+1},Y_{i+1}=g^{y_{i+1}})$. The DH shared secret $Z_{i+1}=g^{x_{i+1}{y}_{i+1}}$ is independent of $Z_j$ for all $j\le i$ (distinct exponents, fresh randomness).

Transcript binding: The CertificateVerify signature ${\mathsf{CertVfy}}_{S,i+1}$ signs the full transcript ${\mathcal{T}}_{\mathsf{CV},i+1}$, which includes $N_{C,i+1}$ and $N_{S,i+1}$. Replaying ${\mathsf{CertVfy}}_{S,j}$ from session j fails because ${\mathcal{T}}_{\mathsf{CV},j}\ne {\mathcal{T}}_{\mathsf{CV},i+1}$ (distinct nonces). The CNF ping condition for transcripts is satisfied.

Key deletion: Ephemeral DH private keys $(x_{i+1},y_{i+1})$ are deleted after $Z_{i+1}$ is computed. Forward security across sessions follows: $Z_{i+1}$ is not recoverable from any information retained after session $i+1$ ends.

By Theorem 3, TLS 1.3 (1-RTT) is secure for unbounded sessions, with accumulated degradation ${\delta }_{\mathsf{ping}}\le q_N^2/2^{\lambda +1}=\mathsf{negl}$.    □

Figure 55. TLS 1.3 bidding-round chain. Rounds ${\mathbf{B}}_1$–${\mathbf{B}}_4$ (blue) address authentication failures; ${\mathbf{B}}_5$–${\mathbf{B}}_9$ (amber/green) address key-secrecy failures via CDH and HKDF PRF hops. Each arc label is the price adjustment incurred.

Figure 55. TLS 1.3 bidding-round chain. Rounds ${\mathbf{B}}_1$–${\mathbf{B}}_4$ (blue) address authentication failures; ${\mathbf{B}}_5$–${\mathbf{B}}_9$ (amber/green) address key-secrecy failures via CDH and HKDF PRF hops. Each arc label is the price adjustment incurred.

13.8.4. TLS 1.3 Insecurity: 0-RTT Replay Collapse

0-RTT protocol description.

After a session that produced resumption secret $\mathsf{ResMS}$, the server issues a NewSessionTicket (NST) message containing a PSK identity $\mathsf{psk}\_\mathsf{id}$ and the PSK value $\mathsf{PSK}=\mathsf{HKDF}-\mathsf{Expand}-\mathsf{Label}(\mathsf{ResMS},$$"\mathtt{resumption}",{\mathsf{nonce}}_{\mathsf{NST}},n)$. On reconnection, the client sends:

1.

$C\to S$:   ${\mathsf{ClientHello}[\mathsf{psk}\_\mathsf{id},\mathsf{binder},\mathsf{early}\_\mathsf{data}]\parallel \left\{\mathsf{EarlyData}\right\}}_{k_{\mathsf{e}}}$

where the early traffic key $k_e=\mathsf{Derive}-\mathsf{Secret}({\mathsf{ES}}^{\prime },"\mathtt{cetraffic}",\mathsf{ClientHello})$ is derived from the early secret ${\mathsf{ES}}^{\prime }=\mathsf{HKDF}-\mathsf{Extract}(0,\mathsf{PSK})$, and the binder $\mathsf{binder}=\mathsf{HMAC}(\mathsf{BK},{\mathcal{T}}_{\mathsf{CH}})$ authenticates the ClientHello under a PSK-derived key.

13.8.4.2. The replay attack.

The network adversary ${\mathcal{A}}_{\mathsf{replay}}$ operates as follows: it records the client’s first flight $(M_1=\mathsf{ClientHello}[\dots ]\parallel \mathsf{EarlyData})$ from session ${\mathsf{Session}}_i$, and resubmits $M_1$ verbatim to the server in a new connection ${\mathsf{Session}}_{i+1}$. Since $M_1$ is entirely determined by data from before the server’s response, and the server has no per-connection state prior to receiving $M_1$, the server accepts $M_1$ and processes the early data in ${\mathsf{Session}}_{i+1}$ as if it were fresh.

Theorem 56 

(TLS 1.3 0-RTT Market Collapse). Let $g_{\mathsf{0}\mathsf{RTT}}$ be the security good “0-RTT early data is processed at most once per client intention.” There exists an efficient adversary ${\mathcal{A}}_{\mathsf{replay}}$ with $\mathsf{Ask}\left(g_{\mathsf{0}\mathsf{RTT}}\right)=1$. The 0-RTT market collapses: ${\mathcal{M}}_{\mathsf{TLS}}^{\mathsf{0}\mathsf{RTT}}$ is incollapse.

Proof. 

We construct a single-bidding-round argument (the replay bid).

${\mathbf{B}}_0$(Real 0-RTT Market). The client sends $M_1$ including early data d (e.g., an HTTP POST) encrypted under $k_e$. The server decrypts and processes d.

Replay Bid. The adversary ${\mathcal{A}}_{\mathsf{replay}}$ records $M_1$ verbatim. It opens a second connection to the server and sends $M_1$ again. The server has no mechanism to detect the replay because:

1.

The PSK identity $\mathsf{psk}\_\mathsf{id}$ is valid (not yet expired, ticket lifetime not elapsed).

2.

The binder $\mathsf{binder}=\mathsf{HMAC}(\mathsf{BK},{\mathcal{T}}_{\mathsf{CH}})$ is over ${\mathcal{T}}_{\mathsf{CH}}=\mathsf{Hash}\left(\mathsf{ClientHello}\right)$ which is identical on replay.

3.

The early data ciphertext ${\left\{\mathsf{EarlyData}\right\}}_{k_e}$ is deterministic given $\mathsf{PSK}$ and the client’s ClientHello; on replay, the same ciphertext is presented and decrypts successfully.

4.

TLS 1.3 provides no mandatory server-side nonce or anti-replay mechanism for 0-RTT data; RFC 8446 §8 explicitly acknowledges this.

The bad event $F_{\mathsf{replay}}$: “the server processes the same early data d in two distinct connections.” This event has probability 1: $Pr\left[F_{\mathsf{replay}}\right]=1$ (the adversary succeeds deterministically whenever the PSK ticket has not expired).

Extended difference lemma application.$Pr\left[F_{\mathsf{replay}}\cup F_{\mathsf{any}}\right]=Pr\left[F_{\mathsf{replay}}\right]=1$. The single free replay bid collapses the market: $\mathsf{Ask}\left(g_{\mathsf{0}\mathsf{RTT}}\right)=1$.

CNF collapse. The 0-RTT session-CNF includes a freshness clause ${\phi }^{\mathsf{fresh}-\mathsf{early}}$: “the early data is not a replay of any previously processed early-data record under the same PSK.” The adversary’s replayed $M_1$ satisfies all other clauses (valid binder, valid PSK, well-formed ClientHello) but violates${\phi }^{\mathsf{fresh}-\mathsf{early}}$. Since the server has no anti-replay log in the basic 0-RTT mode, it cannot check this clause: the CNF formula is satisfiable under a dishonest (replayed) trace. The CNF design failure is of Type I (SID-binding clause absent): the 0-RTT ClientHello is not bound to any server-chosen nonce before the early data is transmitted.

Market outcome. The 0-RTT market collapses: $\mathsf{Ask}\left(g_{\mathsf{0}\mathsf{RTT}}\right)=1$. The Ping bid also degrades: $\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=0$ for the 0-RTT early data, since session ${\mathsf{Session}}_{i+1}$ is structurally identical to ${\mathsf{Session}}_i$ from the perspective of the 0-RTT first flight.    □

13.8.5. TLS 1.3 Insecurity: Downgrade Attack

The downgrade attack.

Consider the protocol ${\pi }_{\mathsf{TLS}-\mathsf{pre}}$, a hypothetical TLS implementation that omits the RFC 8446 downgrade sentinel (as would be the case in a buggy or non-compliant implementation). Let ${\mathcal{A}}_{\mathsf{down}}$ be an active network adversary that intercepts and modifies handshake messages.

The attack proceeds as follows:

1.

The client C sends $\mathsf{ClientHello}$ advertising $\{\mathsf{TLS}\mathsf{1}.\mathsf{3},\mathsf{TLS}\mathsf{1}.\mathsf{2}\}$ and cipher suites including TLS 1.3-only ECDHE suites.

2.

${\mathcal{A}}_{\mathsf{down}}$ intercepts, rewrites ClientHello to advertise only TLS 1.2 suites (e.g.,

$$TLS\_RSA\_WITH\_AES\_128\_CBC\_SHA256$$

) and forwards to S.

3.

S responds with a TLS 1.2 ServerHello (since it sees no TLS 1.3 offer) and a static RSA ciphertext.

4.

${\mathcal{A}}_{\mathsf{down}}$ forwards S’s response to C. Since ${\pi }_{\mathsf{TLS}-\mathsf{pre}}$ omits downgrade sentinel checking, C accepts and negotiates TLS 1.2.

5.

Now ${\mathcal{A}}_{\mathsf{down}}$ passively records the RSA-encrypted premaster secret. The session uses TLS 1.2 with RSA key transport (no forward secrecy): if ${\mathsf{sk}}_S$ is ever compromised, all recorded traffic is decryptable.

Theorem 57 

(TLS 1.3 Downgrade Market Collapse without Sentinel). Let ${\pi }_{\mathsf{TLS}-\mathsf{pre}}$ be a TLS implementation omitting the RFC 8446 downgrade sentinel. The good $g_{\mathsf{version}}$: “the negotiated protocol version is the highest mutually supported version” has $\mathsf{Ask}\left(g_{\mathsf{version}}\right)=1$ against a network adversary. The downgrade market collapses.

Proof. 

We construct a two-bidding-round argument.

${\mathbf{B}}_0$(Real Protocol without Sentinel). The client supports TLS 1.3; the server supports TLS 1.2 and TLS 1.3; the network adversary is active.

Downgrade Bid. The adversary ${\mathcal{A}}_{\mathsf{down}}$ places the version stripping bid: it intercepts $\mathsf{ClientHello}$, removes the TLS 1.3 version identifier and associated extensions (e.g., key_share, supported_versions), and forwards the modified message. This is a free modification: the adversary requires no cryptographic secret and performs $O\left(1\right)$ computation. The bad event $F_{\mathsf{down}}$: “the negotiated version is TLS 1.2, not 1.3, despite both parties supporting TLS 1.3.” $Pr\left[F_{\mathsf{down}}\right]=1$ (the adversary always succeeds in ${\pi }_{\mathsf{TLS}-\mathsf{pre}}$).

${\mathbf{B}}_1$(Downgraded Session). The session now runs TLS 1.2. The TLS 1.2 protocol has known attacks:

• No forward secrecy (RSA key transport): The premaster secret is RSA-encrypted under ${\mathsf{pk}}_S$. If ${\mathsf{sk}}_S$ is compromised later, all past traffic is decryptable. The forward-secrecy good $g_{\mathsf{FS}}$ collapses: $\mathsf{Ask}\left(g_{\mathsf{FS}}\right)=1$.
• CBC padding oracle (if CBC suite negotiated): TLS 1.2 CBC-mode ciphers are vulnerable to Lucky13-style padding oracle attacks [53], providing a decryption oracle for past ciphertexts.

Extended difference lemma. The three simultaneous failure events $F_{\mathsf{down}}$, $F_{\mathsf{FS}}$, and $F_{\mathsf{pad}}$ all occur with probability 1 (free bids): $Pr\left[F_{\mathsf{down}}\cup F_{\mathsf{FS}}\cup F_{\mathsf{pad}}\right]=1$. The market collapses across all three goods.

CNF downgrade failure. The session-CNF for the downgraded session includes clause ${\phi }^{\mathsf{version}}$: “negotiated version = maximum mutually supported version.” Under the downgrade attack, ${\phi }^{\mathsf{version}}$ is false (TLS 1.2 was negotiated despite TLS 1.3 being supported). The adversary’s trace satisfies all structural clauses (valid handshake messages, valid MACs under TLS 1.2 keys) but violates ${\phi }^{\mathsf{version}}$. Since ${\pi }_{\mathsf{TLS}-\mathsf{pre}}$ has no downgrade sentinel check, ${\phi }^{\mathsf{version}}$ cannot be enforced. This is a CNF Type IV design failure (unauthenticated version negotiation field): the supported_versions extension is not integrity-protected before the Finished MAC is computed.

Market outcome.$\mathsf{Ask}\left(g_{\mathsf{version}}\right)=1$; the market collapses. The Ping bid degrades:

$$\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=0$$

(173)

because session $i+1$ runs a structurally weaker protocol than session i, violating protocol-version consistency.    □

13.8.6. TLS 1.3 CNF Session Verification and Ping Bids

TLS 1.3 Session-CNF.

The TLS 1.3 session-CNF ${\phi }_{\mathsf{TLS}}$ is the conjunction of the following clauses:

$$\begin{array}{cccc}\hfill {\phi }^{\mathsf{cert}}& =\left(x_{\mathsf{Vrfy}({\mathsf{pk}}_{\mathsf{CA}},{\mathsf{cert}}_S)=1}\right)\hfill & \hfill & \mathrm{Server}\mathrm{certificate}\mathrm{is}\mathrm{CA}-\mathrm{issued}\hfill \end{array}$$

(174)

$$\begin{array}{cccc}\hfill {\phi }^{\mathsf{cv}}& =\left(x_{\mathsf{Vrfy}({\mathsf{pk}}_S,\sigma -\mathrm{ctx}\parallel {\mathcal{T}}_{\mathsf{CV}},{\mathsf{CertVfy}}_S)=1}\right)\hfill & \hfill & \mathrm{CertVfy}\mathrm{binds}\mathrm{full}\mathrm{transcript}\hfill \end{array}$$

(175)

$$\begin{array}{cccc}\hfill {\phi }^{\mathsf{fin}}& =\left(x_{\mathsf{HMAC}(k_{\mathsf{fin},S},{\mathcal{T}}_{\mathsf{CF}})={\mathsf{Fin}}_S}\right)\hfill & \hfill & \mathrm{Finished}\mathrm{MAC}\mathrm{is}\mathrm{transcript}-\mathrm{bound}\hfill \end{array}$$

(176)

$$\begin{array}{cccc}\hfill {\phi }^{\mathsf{fresh}}& =\left(x_{(N_C,N_S)\notin {\mathcal{N}}_{\mathsf{prev}}}\right)\hfill & \hfill & \mathrm{Nonce}\mathrm{pair}\mathrm{is}\mathrm{fresh}\hfill \end{array}$$

(177)

$$\begin{array}{cccc}\hfill {\phi }^{\mathsf{eph}}& =\left(x_{(X,Y)\notin {\mathcal{DH}}_{\mathsf{prev}}}\right)\hfill & \hfill & \mathrm{DH}\mathrm{shares}\mathrm{are}\mathrm{fresh}\hfill \end{array}$$

(178)

$$\begin{array}{cccc}\hfill {\phi }^{\mathsf{ver}}& =\left(x_{\mathsf{version}=\mathsf{TLS}\mathsf{1}.\mathsf{3}}\right)\hfill & \hfill & \mathrm{Version}\mathrm{is}\mathrm{TLS}1.3(\mathrm{sentinel}\mathrm{check})\hfill \end{array}$$

(179)

$$\begin{array}{cccc}\hfill {\phi }^{\mathsf{suite}}& =\left(x_{\mathsf{suite}\in \{\mathsf{TLS}\_\mathsf{AES}\_\mathsf{128}\_\mathsf{GCM}\_\mathsf{SHA}\mathsf{256},\dots \}}\right)\hfill & \hfill & \mathrm{Only}\mathrm{AEAD}\mathrm{suites}\mathrm{permitted}\hfill \end{array}$$

(180)

$$\begin{array}{cccc}\hfill {\phi }^{\mathsf{ping}}& =\left(x_{\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=1}\right)\hfill & \hfill & \mathrm{Session}\mathrm{transition}\mathrm{passes}\mathrm{ping}\hfill \end{array}$$

(181)

${\phi }_{\mathsf{TLS}}={\phi }^{\mathsf{cert}}\wedge {\phi }^{\mathsf{cv}}\wedge {\phi }^{\mathsf{fin}}\wedge {\phi }^{\mathsf{fresh}}\wedge {\phi }^{\mathsf{eph}}\wedge {\phi }^{\mathsf{ver}}\wedge {\phi }^{\mathsf{suite}}\wedge {\phi }^{\mathsf{ping}}$.

TLS 1.3 Ping Bid.

Corollary 16 

(TLS 1.3 Unbounded Session Security). The TLS 1.3 1-RTT handshake is secure for unbounded sessions. For consecutive sessions ${\mathsf{Session}}_i$ and ${\mathsf{Session}}_{i+1}$, the ping function satisfies $\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=1$ with probability at least $1-q_N^2/2^{\lambda +1}$, where $q_N$ counts total accumulated sessions. By Theorem 3, $\mathsf{Ask}\left(g_{\mathsf{sk}}\right)$ remains bounded as in Equation (161) for all $i\ge 1$.

Proof. 

The four ping conditions from Theorem 15 are verified as follows. (a) SID/nonce freshness: $(N_{C,i+1},N_{S,i+1})$ is fresh by construction (256-bit uniform sampling per session). (b) Nonce disjointness: The pair $(N_{C,i+1},N_{S,i+1})$ is disjoint from all prior pairs except with probability $q_N^2/2^{\lambda +1}$. (c) Transcript binding:${\mathsf{CertVfy}}_{S,i+1}$ signs ${\mathcal{T}}_{\mathsf{CV},i+1}$, which includes $N_{C,i+1}$ and $N_{S,i+1}$; ${\mathsf{Fin}}_{S,i+1}$ MACs the full handshake transcript. Replaying any message from session ${\mathsf{Session}}_i$ in ${\mathsf{Session}}_{i+1}$ fails because the nonces differ. (d) Key deletion: Ephemeral DH private keys $(x_{i+1},y_{i+1})$ are securely deleted after $Z_{i+1}$ is computed. The session-CNF ${\phi }_{\mathsf{TLS},i+1}$ is isomorphic to ${\phi }_{\mathsf{TLS},i}$ with fresh nonces, DH shares, and transcript; by the inductive argument of Theorem 3, unbounded equilibrium holds.    □

Market Summary: TLS 1.3 vs. TLS 1.2.

Table 16. MTSF market comparison: TLS 1.3 (1-RTT) vs. TLS 1.2 vs. TLS 1.3 0-RTT. A collapsed good ($\mathsf{Ask}=1$) indicates a fundamental structural failure.

Security good	TLS 1.3 (1-RTT)	TLS 1.2 (RSA transport)	TLS 1.3 (0-RTT)
$g_{\mathsf{sk}}$: key secrecy	$\le {\mathsf{Adv}}^{\mathsf{CDH}}+3{\mathsf{Adv}}^{\mathsf{PRF}}+\mathsf{negl}$	$\le {\mathsf{Adv}}^{\mathsf{RSA}-\mathsf{PKCS}}+\mathsf{negl}$	$\le {\mathsf{Adv}}^{\mathsf{CDH}}+\mathsf{negl}$ (for HS)
$g_{\mathsf{FS}}$: forward secrecy	$\le {\mathsf{Adv}}^{\mathsf{CDH}}+\mathsf{negl}$	$\mathbf{1}$ (Collapsed)	$\le {\mathsf{Adv}}^{\mathsf{CDH}}+\mathsf{negl}$ (for HS)
$g_{\mathsf{auth}}$: server auth	$\le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+\mathsf{negl}$	$\le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+\mathsf{negl}$	$\le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+\mathsf{negl}$
$g_{\mathsf{0}\mathsf{RTT}}$: anti-replay	N/A (no 0-RTT)	N/A	$\mathbf{1}$ (Collapsed)
$g_{\mathsf{version}}$: no downgrade	$\le \mathsf{negl}$ (sentinel)	$\mathbf{1}$ (no sentinel)	$\le \mathsf{negl}$ (sentinel)
$g_{\mathsf{CNF}}$: session correctness	$\le \mathsf{negl}$ (all clauses)	Partial (no FS clause)	Partial (${\phi }^{\mathsf{fresh}-\mathsf{early}}$ fails)
Overall market	Equilibrium	Partial collapse	Partial collapse (0-RTT)

Table 16. MTSF market comparison: TLS 1.3 (1-RTT) vs. TLS 1.2 vs. TLS 1.3 0-RTT. A collapsed good ($\mathsf{Ask}=1$) indicates a fundamental structural failure.

Security good	TLS 1.3 (1-RTT)	TLS 1.2 (RSA transport)	TLS 1.3 (0-RTT)
$g_{\mathsf{sk}}$: key secrecy	$\le {\mathsf{Adv}}^{\mathsf{CDH}}+3{\mathsf{Adv}}^{\mathsf{PRF}}+\mathsf{negl}$	$\le {\mathsf{Adv}}^{\mathsf{RSA}-\mathsf{PKCS}}+\mathsf{negl}$	$\le {\mathsf{Adv}}^{\mathsf{CDH}}+\mathsf{negl}$ (for HS)
$g_{\mathsf{FS}}$: forward secrecy	$\le {\mathsf{Adv}}^{\mathsf{CDH}}+\mathsf{negl}$	$\mathbf{1}$ (Collapsed)	$\le {\mathsf{Adv}}^{\mathsf{CDH}}+\mathsf{negl}$ (for HS)
$g_{\mathsf{auth}}$: server auth	$\le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+\mathsf{negl}$	$\le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+\mathsf{negl}$	$\le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}+{\mathsf{Adv}}_{\mathsf{Sig}}^{\mathsf{EUF}}+\mathsf{negl}$
$g_{\mathsf{0}\mathsf{RTT}}$: anti-replay	N/A (no 0-RTT)	N/A	$\mathbf{1}$ (Collapsed)
$g_{\mathsf{version}}$: no downgrade	$\le \mathsf{negl}$ (sentinel)	$\mathbf{1}$ (no sentinel)	$\le \mathsf{negl}$ (sentinel)
$g_{\mathsf{CNF}}$: session correctness	$\le \mathsf{negl}$ (all clauses)	Partial (no FS clause)	Partial (${\phi }^{\mathsf{fresh}-\mathsf{early}}$ fails)
Overall market	Equilibrium	Partial collapse	Partial collapse (0-RTT)

13.9. Telegram: Security and Insecurity Analysis

13.9.1. MTProto 2.0 Market Model

We model MTProto 2.0 as a market ${\mathcal{M}}_{\mathsf{MTProto}}$ where the seller offers two goods:

• $g_{\mathsf{IND}}$: Message indistinguishability (confidentiality). The buyer cannot distinguish encryptions of two messages of equal length.
• $g_{\mathsf{INT}}$: Message integrity (authenticity). The buyer cannot inject or modify a message that passes decryption.

Session parameters.

A session ${\mathsf{Session}}_i$ is parameterised by $(\mathsf{auth}\_\mathsf{key},s_i,\mathsf{sess}\_{\mathsf{id}}_i)$ where $s_i\in {\{0,1\}}^{64}$ is the current server salt and $\mathsf{sess}\_{\mathsf{id}}_i$ is a 64-bit session identifier. A message m is encrypted as:

$$\begin{array}{cc}\hfill \mathsf{plaintext}& =s_i\parallel \mathsf{sess}\_{\mathsf{id}}_i\parallel \mathsf{msg}\_\mathsf{id}\parallel \mathsf{seqno}\parallel \mathsf{data},\hfill \end{array}$$

(182)

$$\begin{array}{cc}\hfill \mathsf{msg}\_\mathsf{key}& =\mathrm{SHA}-256(\mathsf{auth}\_\mathsf{key}[88:120]\parallel \mathsf{plaintext})[8:24],\hfill \end{array}$$

(183)

$$\begin{array}{cc}\hfill (K_{\mathsf{AES}},{\mathsf{IV}}_{\mathsf{AES}})& =\mathsf{KDF}(\mathsf{msg}\_\mathsf{key},\mathsf{auth}\_\mathsf{key}),\hfill \end{array}$$

(184)

$$\begin{array}{cc}\hfill \mathsf{ciphertext}& =\mathsf{AES}-\mathsf{256}-{\mathsf{IGE}}_{K_{\mathsf{AES}}}(\mathsf{plaintext};{\mathsf{IV}}_{\mathsf{AES}}).\hfill \end{array}$$

(185)

The transmitted packet is $(\mathsf{auth}\_\mathsf{key}\_\mathsf{id},\mathsf{msg}\_\mathsf{key},\mathsf{ciphertext})$.

13.9.2. Security Disproof: Salt Extraction Collapses Confidentiality

Theorem 58 

(MTProto Salt Extraction: Partial Market Collapse). Suppose an adversary $\mathcal{A}$ extracts the server salt $s_i$ for the current 30-minute window by any means (side channel, decrypted packet, protocol weakness, or social engineering). Then:

1.

Entropy collapse:The effective entropy of $\mathsf{msg}\_\mathsf{key}$ drops from 128 bits to 64 bits: $\mathsf{Ask}\left(g_{\mathsf{IND}}\right)\ge 1-2^{-64}·q_D$, where $q_D$ is the number of decryption queries.

2.

CNF freshness failure:The session-CNF clause ${\phi }^{\mathsf{fresh}}$ is satisfiable under dishonest traces whenever $s_i$ is known to the adversary.

3.

Ping degradation:$Pr\left[\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=0\mid s_i\mathrm{known}\right]\ge 1-2^{-64}$.

4.

Partial market collapse:$\mathsf{Ask}\left(g_{\mathsf{IND}}\right)\neg \le \mathsf{negl}\left(\lambda \right)$; the market hasnotfully collapsed ($\mathsf{Ask}<1$) but the security margin is infeasible for 128-bit security requirements.

Proof. 

We construct a sequence of bidding rounds demonstrating each collapse mechanism.

${\mathbf{B}}_0$(Real MTProto Market—Indistinguishability Bid). Buyer submits $(m_0,m_1)$ with $|m_0|=|m_1|$; receives ciphertext $c^{*}=\mathsf{AES}-\mathsf{256}-{\mathsf{IGE}}_{K_b}({\mathsf{plaintext}}_b;{\mathsf{IV}}_b)$ for bit b. Must guess b. The indistinguishability bid: distinguish b from the ciphertext alone. Without salt knowledge, the effective key material has 128 bits of entropy in $\mathsf{msg}\_\mathsf{key}$.

${\mathbf{B}}_1$(Bidding Round 1: Salt Extraction Bid—Entropy Reduction).

The adversary successfully extracts $s_i$ (by any means: this is the salt extraction bid, a “free” bid in the sense that we take the salt as given). With $s_i$ known, the plaintext structure is:

$$\mathsf{plaintext}=\underset{\mathrm{known}}{\underbrace{s_i}}\parallel \mathsf{sess}\_{\mathsf{id}}_i\parallel \mathsf{msg}\_\mathsf{id}\parallel \mathsf{seqno}\parallel \mathsf{data}.$$

The $\mathsf{msg}\_\mathsf{key}$ is computed from this plaintext with the known $s_i$ as a prefix. The buyer can now brute-force the remaining entropy: the 64-bit session ID, message ID, and sequence number together contribute at most $64+64+32=160$ bits, but in practice the adversary has high confidence about $\mathsf{sess}\_{\mathsf{id}}_i$ (from the packet header) and $\mathsf{seqno}$ (sequential), reducing the search space to roughly $2^{64}$ candidate $\mathsf{msg}\_\mathsf{key}$ values.

Extended difference lemma. Let $F_{\mathsf{salt}}$: “salt $s_i$ is extracted”. Let $F_{\mathsf{entropy}}$: “effective entropy of $\mathsf{msg}\_\mathsf{key}$ drops below 64 bits”. Both events occur simultaneously when salt extraction succeeds:

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le Pr\left[F_{\mathsf{salt}}\cup F_{\mathsf{entropy}}\right]=Pr\left[F_{\mathsf{salt}}\right]·(1+Pr\left[F_{\mathsf{entropy}}\mid F_{\mathsf{salt}}\right])=1·1.$$

(186)

Since we assume $F_{\mathsf{salt}}$ occurs with probability 1 (the salt is extracted), and $F_{\mathsf{entropy}}$ follows deterministically, the price adjustment is $\Delta {\mathsf{Price}}_0=1$—a full hop collapse for this bid.

${\mathbf{B}}_2$(Bidding Round 2: AES Partial-Key Recovery Bid).

With entropy reduced to $2^{64}$, the buyer mounts a birthday meet-in-the-middle bid: precompute $2^{32}$ candidate $K_{\mathsf{AES}}$ values from guessed $\mathsf{msg}\_\mathsf{key}$ prefixes; collect $2^{32}$ ciphertext blocks; find a collision. This gives key recovery with $O\left(2^{64}\right)$ time and $O\left(2^{32}\right)$ memory.

Difference bound. With $2^{64}$ candidate keys over a key space of $2^{128}$:

$$\mathsf{Ask}(g_{\mathsf{IND}}\mid F_{\mathsf{salt}})\le 1-2^{-64}\approx 1.$$

(187)

The ask price for indistinguishability approaches 1—the market has quasi-collapsed.

${\mathbf{B}}_3$(Bidding Round 3: CNF Freshness Failure Bid).

The session-CNF for MTProto includes a freshness clause:

$${\phi }_{\mathsf{MTProto}}^{\mathsf{fresh}}=\left(x_{s_i\notin {\mathcal{S}}_{\mathsf{used}}}\right)\wedge \left(x_{s_i\sec \mathrm{ret}\mathrm{from}\mathcal{A}}\right).$$

With $s_i$ extracted, the clause $x_{s_i\sec \mathrm{ret}}$ evaluates to F. The session-CNF becomes UNSAT under the honest trace—which should never happen. This indicates that MTProto’s session design does not satisfy the CNF correctness requirement $g_{\mathsf{CNF}}$ once salt extraction is possible.

${\mathbf{B}}_4$(Bidding Round 4: Ping Degradation Bid).

Session pinging tests that consecutive sessions ${\mathsf{Session}}_i,{\mathsf{Session}}_{i+1}$ are structurally distinct. If $s_i$ is known and $s_{i+1}$ can be predicted (salts are negotiated over a potentially observable channel), then $\mathsf{Ping}({\mathsf{Session}}_i,{\mathsf{Session}}_{i+1})=0$ whenever $s_i=s_{i+1}$ (which happens with probability $\ge 2^{-64}$ per 30-minute window) or when $s_{i+1}$ can be inferred from $s_i$.

$$Pr\left[\mathsf{Ping}=0\mid s_i\mathrm{known}\right]\ge Pr\left[s_{i+1}\mathrm{predictable}\right]\ge 2^{-64}.$$

(188)

This is a $2^{64}$-fold degradation compared to the ideal $Pr\left[\mathsf{Ping}=0\right]\le 2^{-128}$.

Summary. The four simultaneous collapse events are:

• $F_{\mathsf{salt}}$: Salt extraction (assumed).
• $F_{\mathsf{entropy}}$: Entropy reduction from 128 to 64 bits.
• $F_{\mathsf{cnf}}$: CNF freshness clause fails.
• $F_{\mathsf{ping}}$: Ping degradation.

By the extended difference lemma: $\mathsf{Ask}(g_{\mathsf{IND}}\cup g_{\mathsf{CNF}}\cup g_{\mathsf{ping}})\le Pr\left[F_{\mathsf{salt}}\cup F_{\mathsf{entropy}}\cup F_{\mathsf{cnf}}\cup F_{\mathsf{ping}}\right]=1$. The Telegram market has collapsed for all security goods given salt extraction.    □

13.9.3. Security Proof: Remediated MTProto

We now define the Remediated MTProto (RMTP) and prove it achieves full market equilibrium.

13.9.3.1. RMTP Construction.

Modify MTProto 2.0 as follows:

1.

Cryptographic salt binding: Replace the plaintext server salt with an HMAC-bound salt: ${\tilde{s}}_i={\mathsf{HMAC}}_{\mathsf{auth}\_\mathsf{key}}(s_i\parallel \mathsf{timestamp})$. The salt is now a 256-bit pseudorandom value derived from $\mathsf{auth}\_\mathsf{key}$.

2.

Increased salt entropy: Use 128-bit salts (${\tilde{s}}_i\in {\{0,1\}}^{128}$) instead of 64-bit.

3.

Full message binding: Include ${\tilde{s}}_i$ in all cryptographic operations:

$$\mathsf{msg}\_\mathsf{key}\leftarrow \mathsf{SHA}-\mathsf{256}\left(\mathsf{auth}\_\mathsf{key}[88:120]\parallel {\tilde{s}}_i\parallel \mathsf{data}\right).$$

(189)

4.

CNF salt clause: Add the clause $x_{{\tilde{s}}_i={\mathsf{HMAC}}_{\mathsf{auth}\_\mathsf{key}}(s_i\parallel \mathsf{ts})}$ to the session-CNF.

Theorem 59 

(Remediated MTProto Market Equilibrium). Under the PRF security of HMAC and the IND-CPA security of AES-256-IGE, the Remediated MTProto (RMTP) achieves:

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{IND}}\right)& \le {\mathsf{Adv}}_{\mathsf{AES}}^{\mathsf{IND}-\mathsf{CPA}}+{\mathsf{Adv}}_{\mathsf{HMAC}}^{\mathsf{PRF}}+q_D·2^{-128}+\mathsf{negl}\left(\lambda \right),\hfill \end{array}$$

(190)

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{INT}}\right)& \le {\mathsf{Adv}}_{\mathsf{HMAC}}^{\mathsf{PRF}}+\mathsf{negl}\left(\lambda \right),\hfill \end{array}$$

(191)

$$\begin{array}{cc}\hfill \mathsf{Ask}\left(g_{\mathsf{CNF}}\right)& \le {\mathsf{Adv}}_{\mathsf{HMAC}}^{\mathsf{PRF}}+q_N^2/2^{128}+\mathsf{negl}\left(\lambda \right).\hfill \end{array}$$

(192)

All three goods are in equilibrium.

Proof. 

We construct six bidding rounds for the indistinguishability good $g_{\mathsf{IND}}$.

${\mathbf{B}}_0$(Real RMTP—Indistinguishability Bid).

Buyer submits $(m_0,m_1)$; receives $c^{*}=\mathsf{AES}-\mathsf{256}-{\mathsf{IGE}}_{K_b}(·)$.

${\mathbf{B}}_1$(HMAC Salt Freshness Bid). Replace ${\tilde{s}}_i$ with a uniformly random 128-bit value $u_i$. Any buyer distinguishing ${\mathbf{B}}_0$ from ${\mathbf{B}}_1$ breaks PRF security of HMAC:

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le {\mathsf{Adv}}_{\mathsf{HMAC}}^{\mathsf{PRF}}.$$

(193)

Extended difference lemma. Events $F_{\mathsf{prf}}$: “HMAC distinguishable from random” and $F_{\mathsf{salt}-\mathsf{ext}}$: “salt extractable without $\mathsf{auth}\_\mathsf{key}$”. With ${\tilde{s}}_i$ computed via HMAC under $\mathsf{auth}\_\mathsf{key}$, salt extraction without $\mathsf{auth}\_\mathsf{key}$ requires breaking PRF. Hence $Pr\left[F_{\mathsf{prf}}\cup F_{\mathsf{salt}-\mathsf{ext}}\right]\le {\mathsf{Adv}}_{\mathsf{HMAC}}^{\mathsf{PRF}}$.

${\mathbf{B}}_2$(Nonce Freshness Bid). Abort on 128-bit salt collision. By birthday bound over $q_D$ decryptions:

$$|Pr\left[{\mathbf{B}}_1=1\right]-Pr\left[{\mathbf{B}}_2=1\right]|\le q_D·2^{-128}.$$

(194)

${\mathbf{B}}_3$(msg_key Randomness Bid). With ${\tilde{s}}_i$ uniform, the full input to the $\mathsf{msg}\_\mathsf{key}$ hash is uniform (no bias from salt extraction). Replace $\mathsf{msg}\_\mathsf{key}$ with uniform random $r\stackrel{\$}{\leftarrow }{\{0,1\}}^{128}$. By PRF security of SHA-256: $\Delta {\mathsf{Price}}_2\le {\mathsf{Adv}}_{\mathsf{SHA}\mathsf{256}}^{\mathsf{PRF}}\le \mathsf{negl}\left(\lambda \right)$.

${\mathbf{B}}_4$(AES Key Replacement Bid). With uniform $\mathsf{msg}\_\mathsf{key}$, the AES key $(K_{\mathsf{AES}},{\mathsf{IV}}_{\mathsf{AES}})$ derived from it is uniform. Replace with independently uniform $(K^{\prime },{\mathsf{IV}}^{\prime })$. This costs ${\mathsf{Adv}}_{\mathsf{KDF}}^{\mathsf{PRF}}$.

${\mathbf{B}}_5$(AES IND-CPA Reduction Bid). With uniform key and IV, the AES-256-IGE encryption is IND-CPA secure:

$$|Pr\left[{\mathbf{B}}_4=1\right]-1/2|\le {\mathsf{Adv}}_{\mathsf{AES}}^{\mathsf{IND}-\mathsf{CPA}}.$$

(195)

${\mathbf{B}}_6$(Ideal RMTP Market). With random key, random IV, and IND-CPA encryption, the ciphertext is computationally indistinguishable from random. Buyer advantage $=1/2$.

Total for $g_{\mathsf{IND}}$: Equation (190) follows by summing price adjustments.

Bound () (Integrity $g_{\mathsf{INT}}$). A successful injection requires the adversary to produce $(\mathsf{msg}\_{\mathsf{key}}^{*},c^{*})$ that decrypts to a valid plaintext (passes AES-IGE decryption) and has a consistent $\mathsf{msg}\_{\mathsf{key}}^{*}$ matching the decrypted plaintext’s HMAC-bound salt. This requires either inverting AES-IGE (IND-CPA hardness) or forging the HMAC binding (PRF hardness). By the extended difference lemma over these two failure events: $\mathsf{Ask}\left(g_{\mathsf{INT}}\right)\le {\mathsf{Adv}}_{\mathsf{HMAC}}^{\mathsf{PRF}}+{\mathsf{Adv}}_{\mathsf{AES}}^{\mathsf{IND}-\mathsf{CPA}}=\mathsf{negl}$.

Bound () (CNF correctness $g_{\mathsf{CNF}}$). The RMTP session-CNF is:

$$\begin{array}{cc}\hfill {\phi }_{\mathsf{RMTP}}& =\left(x_{{\tilde{s}}_i={\mathsf{HMAC}}_{\mathsf{auth}\_\mathsf{key}}(s_i\parallel \mathsf{ts})}\right)\wedge \left(x_{{\tilde{s}}_i\notin {\mathcal{S}}_{\mathsf{used}}}\right)\wedge \left(x_{\mathsf{msg}\_\mathsf{key}\mathrm{derived}\mathrm{correctly}}\right)\wedge \left(x_{\mathrm{Ping}\mathrm{passes}}\right).\hfill \end{array}$$

(196)

Under the honest trace, all clauses are satisfied. Under a dishonest trace (adversary with extracted $s_i$), the clause $x_{{\tilde{s}}_i={\mathsf{HMAC}}_{\mathsf{auth}\_\mathsf{key}}(\dots )}$ cannot be satisfied without $\mathsf{auth}\_\mathsf{key}$—by PRF security, ${\tilde{s}}_i$ is computationally indistinguishable from random to anyone without $\mathsf{auth}\_\mathsf{key}$. Hence dishonest traces cannot satisfy ${\phi }_{\mathsf{RMTP}}$ except with probability ${\mathsf{Adv}}_{\mathsf{HMAC}}^{\mathsf{PRF}}+q_N^2/2^{128}$.    □

13.9.4. Summary of the Telegram MTSF Analysis

The Telegram case study demonstrates MTSF’s dual capability: the framework can both prove security (for the remediated protocol) and disprove it (for the original protocol), within the same market-theoretic language. The disproof (Theorem 58) identifies four simultaneous failure events that the extended difference lemma captures in a single bound. The proof (Theorem 59) shows that HMAC-binding the salt to $\mathsf{auth}\_\mathsf{key}$ restores full equilibrium, with the CNF and ping bids both confirming unbounded session security. This represents MTSF’s most complete application of its dual proof/disproof methodology.

14. Case Study VI: QROM-Based Key Exchange

Figure 56. The three eras of cryptographic security: classical (vulnerable to quantum), post-quantum (resistant to quantum), and fully quantum (information-theoretically secure). MTSF covers all three with unified market language.

Figure 56. The three eras of cryptographic security: classical (vulnerable to quantum), post-quantum (resistant to quantum), and fully quantum (information-theoretically secure). MTSF covers all three with unified market language.

14.1. Protocol Description: QROM-Secure Key Exchange

We describe the complete QROM-Secure Key Exchange Protocol (QKEM), the formal model underlying ML-KEM (FIPS 203).

14.1.0.1. Participants.

Client $\mathsf{C}$ (holds private key ${\mathsf{sk}}_{\mathsf{C}}$, can decrypt) and Server $\mathsf{S}$ (holds only public key ${\mathsf{pk}}_{\mathsf{C}}$). Both access the Quantum Random Oracle $H:{\{0,1\}}^{*}\to {\{0,1\}}^n$.

System parameters.

Security parameter $\lambda$; module dimension k and modulus q for MLWE; error distribution $\chi$ (centred binomial); polynomial ring $R_q={\mathbb{Z}}_q\left[x\right]/(x^n+1)$, $n=256$; QROM hash H; implicit-rejection hash $H_{\perp }$.

Phase 0 (Key Generation, offline).

$$\begin{array}{cc}\hfill \mathbf{A}& \stackrel{\$}{\leftarrow }{R}_q^{k\times k},\mathbf{s},\mathbf{e}\stackrel{\$}{\leftarrow }{\chi }^k,\hfill \\ \hfill {\mathsf{pk}}_{\mathsf{C}}& =(\mathbf{A},\mathbf{t}=\mathbf{A}\mathbf{s}+\mathbf{e}),{\mathsf{sk}}_{\mathsf{C}}=\mathbf{s}.\hfill \end{array}$$

$\mathsf{C}$ publishes ${\mathsf{pk}}_{\mathsf{C}}$ (e.g., via PKI or pre-distribution to $\mathsf{S}$).

Phase 1 (Encapsulation, $\mathsf{S}$ internal + send).

1.

Sample: $m\stackrel{\$}{\leftarrow }{\{0,1\}}^n$.

2.

QROM query: $r\leftarrow H\left(m\right)$.

3.

Encrypt: $c\leftarrow \mathsf{PKE}.\mathsf{Enc}({\mathsf{pk}}_{\mathsf{C}},m;r)$.

4.

QROM query: $K\leftarrow H(m\parallel c)$.

5.

Send $(c,\mathsf{sid})$ to $\mathsf{C}$; $\mathsf{S}$ holds $(K,\mathsf{sid})$.

Phase 2 (Decapsulation, $\mathsf{C}$ internal).

1.

Decrypt: $m^{\prime }\leftarrow \mathsf{PKE}.\mathsf{Dec}({\mathsf{sk}}_{\mathsf{C}},c)$.

2.

QROM query: $r^{\prime }\leftarrow H\left(m^{\prime }\right)$.

3.

Re-encrypt: $c^{\prime }\leftarrow \mathsf{PKE}.\mathsf{Enc}({\mathsf{pk}}_{\mathsf{C}},m^{\prime };r^{\prime })$.

4.

QROM query and implicit rejection:

$$K^{\prime }\leftarrow \left\{\begin{array}{cc}H(m^{\prime }\parallel c)\hfill & \mathrm{if}{c}^{\prime }=c\hfill \\ H(\perp \parallel c)\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

5.

$\mathsf{C}$ holds $(K^{\prime },\mathsf{sid})$.

Phase 3 (Confirmation, optional).

1.

$\mathsf{C}$ computes ${\tau }_{\mathsf{C}}={\mathsf{MAC}}_{K^{\prime }}(\mathsf{sid}\parallel \mathsf{confirm})$ and sends to $\mathsf{S}$.

2.

$\mathsf{S}$ verifies ${\tau }_{\mathsf{C}}$ under K; if valid, session established.

Correctness.

$K^{\prime }=K$ whenever $m^{\prime }=m$, which holds with probability $1-\delta$. For ML-KEM: $\delta \le 2^{-139}$.

14.2. Protocol Sequence Diagram

Figure 57. QKEM protocol sequence diagram. Three phases: (0) offline key generation; (1) encapsulation by $\mathsf{S}$ making two QROM queries ($H\left(m\right)$ and $H(m\parallel c)$); (2) decapsulation by $\mathsf{C}$ making two QROM queries ($H\left(m^{\prime }\right)$ and $H(m^{\prime }\parallel c)$ or $H(\perp \parallel c)$); (3) optional MAC confirmation. The QROM oracle H (centre, dashed lifeline) accepts superposition queries from both parties—depicted by arrows labelled “query”. The implicit rejection ($H(\perp \parallel c)$ branch) prevents chosen-ciphertext leakage.

Figure 57. QKEM protocol sequence diagram. Three phases: (0) offline key generation; (1) encapsulation by $\mathsf{S}$ making two QROM queries ($H\left(m\right)$ and $H(m\parallel c)$); (2) decapsulation by $\mathsf{C}$ making two QROM queries ($H\left(m^{\prime }\right)$ and $H(m^{\prime }\parallel c)$ or $H(\perp \parallel c)$); (3) optional MAC confirmation. The QROM oracle H (centre, dashed lifeline) accepts superposition queries from both parties—depicted by arrows labelled “query”. The implicit rejection ($H(\perp \parallel c)$ branch) prevents chosen-ciphertext leakage.

14.3. MTSF Market Model for QKEM

Market participants.

• Seller (challenger): generates $({\mathsf{pk}}_{\mathsf{C}},{\mathsf{sk}}_{\mathsf{C}})$; runs encapsulation; provides decapsulation oracle ${\mathcal{O}}_{\mathsf{dec}}$; offers security goods.
• Buyer (quantum adversary $\mathcal{A}$): makes $q_H$ superposition queries to H and $q_D$ classical queries to ${\mathcal{O}}_{\mathsf{dec}}$; bids computational/quantum resources.
• QROM oracle H: the GUC shared market infrastructure—both parties access the same H.

14.3.0.5. Security goods.

The seller offers four goods: $g_{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}$ (key indistinguishability under chosen-ciphertext attack), $g_{\mathsf{correct}}$ (correctness: $K=K^{\prime }$), $g_{\mathsf{auth}}$ (MAC authentication in Phase 3), and $g_{\mathsf{unbounded}}$ (ping bid: unbounded session security).

Definition 34 

(QROM IND-CCA2 Game for QKEM). The game $\mathsf{IND}-\mathsf{CCA}{\mathsf{2}}^{\mathsf{QROM}}$ proceeds:

1.

Seller generates $(\mathsf{pk},\mathsf{sk})$ and gives $\mathsf{pk}$ to $\mathcal{A}$.

2.

Find phase:$\mathcal{A}$ makes adaptive quantum queries to H and classical queries to ${\mathcal{O}}_{\mathsf{dec}}$.

3.

Challenge:Seller samples $b\stackrel{\$}{\leftarrow }\{0,1\}$; runs $(c^{*},K_0)\leftarrow \mathsf{KEM}.\mathsf{Enc}\left(\mathsf{pk}\right)$; sets $K_1\stackrel{\$}{\leftarrow }{\{0,1\}}^n$; gives $(c^{*},K_b)$ to $\mathcal{A}$.

4.

Guess phase:$\mathcal{A}$ continues queries (not on $c^{*}$); outputs $b^{\prime }\in \{0,1\}$.

$\mathsf{Ask}\left(g_{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}\right)={max}_{\mathcal{A}}\left|Pr\left[\mathcal{A}\mathrm{wins}\right]-1/2\right|$.

14.4. Security Proof in the QROM

14.4.0.6. Setup.

Let $\mathsf{PKE}=(\mathsf{Gen},\mathsf{Enc},\mathsf{Dec})$ be $\delta$-correct and IND-CPA. The Fujisaki–Okamoto transform ${\mathsf{FO}}^{\perp }[\mathsf{PKE},H]$:

$$\begin{array}{cc}\hfill \mathsf{KEM}.\mathsf{Enc}\left(\mathsf{pk}\right)& :m\stackrel{\$}{\leftarrow }{\{0,1\}}^n;c\leftarrow \mathsf{PKE}.\mathsf{Enc}(\mathsf{pk},m;H\left(m\right));K\leftarrow H(m\parallel c);\mathrm{return}(c,K),\hfill \end{array}$$

(197)

$$\begin{array}{cc}\hfill \mathsf{KEM}.\mathsf{Dec}(\mathsf{sk},c)& :m^{\prime }\leftarrow \mathsf{PKE}.\mathsf{Dec}(\mathsf{sk},c);c^{\prime }\leftarrow \mathsf{PKE}.\mathsf{Enc}(\mathsf{pk},m^{\prime };H\left(m^{\prime }\right));K\leftarrow \left\{\begin{array}{cc}H(m^{\prime }\parallel c)\hfill & c^{\prime }=c\hfill \\ H(\perp \parallel c)\hfill & \mathrm{else}\hfill \end{array}\right..\hfill \end{array}$$

(198)

Theorem 60 

(QROM FO-Transform KEM Equilibrium). Let $\mathsf{PKE}$ be δ-correct and IND-CPA. Then:

$$\mathsf{Ask}\left(g_{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}\right)\le 2(q_H+1)·\sqrt{{\mathsf{Adv}}_{\mathsf{PKE}}^{\mathsf{IND}-\mathsf{CPA}}}+q_D·\delta +\mathsf{negl}\left(\lambda \right).$$

(199)

Proof. 

We construct six bidding rounds. Each round targets a specific adversarial strategy.

${\mathbf{B}}_0$(Real QROM IND-CCA2—Quantum Distinguishing Bid). The seller runs as in Theorem 34. $\mathcal{A}$ queries H in superposition and ${\mathcal{O}}_{\mathsf{dec}}$ classically. The quantum distinguishing bid: use superposition queries to extract information about challenge bit b from $(c^{*},K_b)$.

${\mathbf{B}}_1$(Bidding Round 1: Correctness Error Bid).

Replace ${\mathcal{O}}_{\mathsf{dec}}$ with a modified oracle that aborts on incorrectness events.

Extended difference lemma. Events $F_{\mathsf{decaps}}$: “decapsulation returns $m^{\prime }\ne m$” (probability $\le \delta$ per query) and $F_{\mathsf{rej}}$: “implicit rejection diverges” (probability $=0$). Together:

$$|Pr\left[{\mathbf{B}}_0=1\right]-Pr\left[{\mathbf{B}}_1=1\right]|\le Pr\left[F_{\mathsf{decaps}}\cup F_{\mathsf{rej}}\right]\le q_D·\delta .$$

(200)

Market interpretation: Correctness error bid fails—for ML-KEM, $q_D·\delta \le 2^{64}/2^{139}=2^{-75}=\mathsf{negl}$.

${\mathbf{B}}_2$(Bidding Round 2: QROM Reprogramming Bid—O2H Lemma).

Reprogram H at the challenge message $m^{*}$ to a fresh uniform $r^{*}$, yielding oracle $H^{\prime }$ with $H^{\prime }\left(m^{*}\right)=r^{*}$ and $H^{\prime }\left(x\right)=H\left(x\right)$ for $x\ne m^{*}$.

O2H lemma application [55]: For $m^{*}$ chosen uniformly at random and $\mathcal{A}$ making $q_H$ quantum queries:

$$|Pr\left[{\mathbf{B}}_1^H=1\right]-Pr\left[{\mathbf{B}}_1^{H^{\prime }}=1\right]|\le 2(q_H+1)\sqrt{Pr\left[m^{*}\in S_{\mathcal{A}}\right]}\le 2(q_H+1)\sqrt{{\mathsf{Adv}}_{\mathsf{PKE}}^{\mathsf{IND}-\mathsf{CPA}}},$$

(201)

where $S_{\mathcal{A}}$ is the set of inputs queried with non-negligible amplitude, and $Pr\left[m^{*}\in S_{\mathcal{A}}\right]\le {\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CPA}}$ by a standard reduction.

Market interpretation: The reprogramming bid costs a square-root of the IND-CPA advantage—the characteristic QROM price increase. Classical ROM reprogramming is free; QROM reprogramming costs $2(q_H+1)\sqrt{ϵ}$ because quantum adversaries can detect reprogramming with amplitude proportional to $\sqrt{ϵ}$.

${\mathbf{B}}_3$(Bidding Round 3: Measure-and-Reprogram Bid—Extracting the IND-CPA Challenge).

Apply measure-and-reprogram [56]: whenever $\mathcal{A}$ queries $H^{\prime }$ with amplitude on $m^{*}\parallel c^{*}$, measure and reprogram. This yields an IND-CPA distinguisher $\mathcal{B}$ for the underlying PKE at cost:

$$|Pr\left[{\mathbf{B}}_2=1\right]-Pr\left[{\mathbf{B}}_3=1\right]|\le \sqrt{{\mathsf{Adv}}_{\mathsf{PKE}}^{\mathsf{IND}-\mathsf{CPA}}}.$$

(202)

Market interpretation: Measuring the adversary’s superposition disturbs its computation (quantum measurement back-action), but this disturbance is bounded by another $\sqrt{ϵ}$ factor. The seller converts the buyer’s quantum query power into a classical IND-CPA attack.

${\mathbf{B}}_4$(Bidding Round 4: Challenge Key Replacement—Information-Theoretic Hiding).

In ${\mathbf{B}}_3$, $K_0=H^{\prime }(m^{*}\parallel c^{*})$ is uniform (since $H^{\prime }\left(m^{*}\right)=r^{*}$ is fresh). Replace $K_0$ with $K_0^{\prime }\stackrel{\$}{\leftarrow }{\{0,1\}}^n$:

$$|Pr\left[{\mathbf{B}}_3=1\right]-Pr\left[{\mathbf{B}}_4=1\right]|=0.$$

(203)

This hop is free (information-theoretically invisible).

${\mathbf{B}}_5$(Bidding Round 5: Decapsulation Oracle Restriction).

In ${\mathbf{B}}_4$, $K_b$ is uniform regardless of b. The decapsulation oracle for $c\ne c^{*}$ provides no information about b (responses independent of b). Restricting the decapsulation oracle to reject all queries does not change the game:

$$|Pr\left[{\mathbf{B}}_4=1\right]-Pr\left[{\mathbf{B}}_5=1\right]|=0.$$

(204)

${\mathbf{B}}_6$(Ideal QROM Market—All Bids Exhausted). In ${\mathbf{B}}_5$, both $K_0$ and $K_1$ are uniform and independent of all adversary observations. The adversary cannot distinguish b: $Pr\left[{\mathbf{B}}_6=1\right]=1/2$. Buyer advantage $=0$.

Total:

$$\mathsf{Ask}\le \underset{{\mathbf{B}}_0\to {\mathbf{B}}_1}{\underbrace{q_D\delta }}+\underset{{\mathbf{B}}_1\to {\mathbf{B}}_2}{\underbrace{2(q_H+1)\sqrt{ϵ}}}+\underset{{\mathbf{B}}_2\to {\mathbf{B}}_3}{\underbrace{\sqrt{ϵ}}}+\underset{{\mathbf{B}}_3\to {\mathbf{B}}_4}{\underbrace{0}}+\underset{{\mathbf{B}}_4\to {\mathbf{B}}_5}{\underbrace{0}}+\underset{{\mathbf{B}}_5\to {\mathbf{B}}_6}{\underbrace{0}}\le q_D\delta +2(q_H+1)\sqrt{ϵ}+\mathsf{negl},$$

(205)

where $ϵ={\mathsf{Adv}}_{\mathsf{PKE}}^{\mathsf{IND}-\mathsf{CPA}}$ and the $\sqrt{ϵ}$ term is absorbed into $2(q_H+1)\sqrt{ϵ}$ for $q_H\ge 1$.    □

Figure 58. QROM FO-transform KEM bidding-round chain: real $\left({\mathbf{B}}_0\right)$ to ideal $\left({\mathbf{B}}_6\right)$. Two QROM-specific hops: ${\mathbf{B}}_1\to {\mathbf{B}}_2$ (O2H reprogramming, cost $2(q_H+1)\sqrt{ϵ}$) and ${\mathbf{B}}_2\to {\mathbf{B}}_3$ (measure-and-reprogram, cost $\sqrt{ϵ}$). Three subsequent hops cost zero (information-theoretic). Classic ROM would have hops ${\mathbf{B}}_1\to {\mathbf{B}}_2$ cost $ϵ$ directly (linear, not square-root). The QROM square-root is the signature of quantum adversary pricing.

Figure 58. QROM FO-transform KEM bidding-round chain: real $\left({\mathbf{B}}_0\right)$ to ideal $\left({\mathbf{B}}_6\right)$. Two QROM-specific hops: ${\mathbf{B}}_1\to {\mathbf{B}}_2$ (O2H reprogramming, cost $2(q_H+1)\sqrt{ϵ}$) and ${\mathbf{B}}_2\to {\mathbf{B}}_3$ (measure-and-reprogram, cost $\sqrt{ϵ}$). Three subsequent hops cost zero (information-theoretic). Classic ROM would have hops ${\mathbf{B}}_1\to {\mathbf{B}}_2$ cost $ϵ$ directly (linear, not square-root). The QROM square-root is the signature of quantum adversary pricing.

14.5. Extended Protocol Security Goods

Corollary 17 

(QKEM Authentication). With Phase 3 (MAC confirmation) included, under SUF-CMA security of the MAC:

$$\mathsf{Ask}\left(g_{\mathsf{auth}}\right)\le {\mathsf{Adv}}_{\mathsf{MAC}}^{\mathsf{SUF}-\mathsf{CMA}}+2(q_H+1)\sqrt{{\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CPA}}}+q_D\delta +\mathsf{negl}\left(\lambda \right).$$

(206)

Proof. 

The MAC tag ${\tau }_{\mathsf{C}}={\mathsf{MAC}}_{K^{\prime }}(\mathsf{sid}\parallel \mathsf{confirm})$ can be forged only if the MAC is broken (${\mathsf{Adv}}^{\mathsf{SUF}-\mathsf{CMA}}$) or the key $K^{\prime }$ is guessed (bounded by Theorem 60). By the extended difference lemma: $\mathsf{Ask}\left(g_{\mathsf{auth}}\right)\le {\mathsf{Adv}}^{\mathsf{SUF}-\mathsf{CMA}}+\mathsf{Ask}\left(g_{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}\right)$.    □

Table 17. QKEM market goods summary.

Good	Ask Price Bound (QROM)	Dominant Term	Status
$g_{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}$	$2(q_H+1)\sqrt{{\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CPA}}}+q_D\delta$	O2H square-root	Equilibrium
$g_{\mathsf{correct}}$	$q_D·\delta$	PKE correctness	Equilibrium
$g_{\mathsf{auth}}$	${\mathsf{Adv}}^{\mathsf{SUF}-\mathsf{CMA}}+2(q_H+1)\sqrt{{\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CPA}}}$	SUF-CMA+O2H	Equilibrium
$g_{\mathsf{unbounded}}$ (ping)	$2(q_H+1)\sqrt{{\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CPA}}}$	O2H square-root	Equilibrium

Table 17. QKEM market goods summary.

Good	Ask Price Bound (QROM)	Dominant Term	Status
$g_{\mathsf{IND}-\mathsf{CCA}\mathsf{2}}$	$2(q_H+1)\sqrt{{\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CPA}}}+q_D\delta$	O2H square-root	Equilibrium
$g_{\mathsf{correct}}$	$q_D·\delta$	PKE correctness	Equilibrium
$g_{\mathsf{auth}}$	${\mathsf{Adv}}^{\mathsf{SUF}-\mathsf{CMA}}+2(q_H+1)\sqrt{{\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CPA}}}$	SUF-CMA+O2H	Equilibrium
$g_{\mathsf{unbounded}}$ (ping)	$2(q_H+1)\sqrt{{\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CPA}}}$	O2H square-root	Equilibrium

15. Case Study VII: Quantum Market Dynamics—BB84 QKD

This case study instantiates the quantum market dynamics formalisation of Section 20.2.1 on a concrete protocol: the BB84 Quantum Key Distribution (QKD) protocol [58]. Unlike all previous case studies, the seller (Alice) is genuinely quantum—she prepares and transmits quantum states. The buyer (Eve) is also quantum, performing arbitrary measurements on the quantum channel. This is the first MTSF analysis where both market participants operate quantumly, illustrating the full power of quantum market dynamics.

15.1. Protocol Description: BB84 QKD

Participants.

Alice $\mathsf{A}$ (sender, prepares qubits) and Bob $\mathsf{B}$ (receiver, measures qubits). Eve $\mathsf{E}$ (eavesdropper) controls the quantum channel between them. All parties are quantum: $\mathsf{A}$ and $\mathsf{B}$ prepare/measure qubits; $\mathsf{E}$ can perform arbitrary quantum operations.

15.1.0.8. System parameters.

Security parameter $\lambda$; raw key length N (number of qubits sent); sifted key length $n\approx N/2$; error-rate estimation sample size k; error threshold $Q_{\mathrm{tol}}\approx 0.11$; privacy amplification output length $\ell =n(1-h\left(Q_{\mathrm{obs}}\right))-\lambda$, where $h(·)$ is the binary entropy function.

Phase 0 (Quantum Transmission).

1.

For each $i\in \{1,\dots ,N\}$: Alice samples $x_i\stackrel{\$}{\leftarrow }\{0,1\}$ (bit) and ${\theta }_i^A\stackrel{\$}{\leftarrow }\{+,\times \}$ (basis).

2.

Alice prepares qubit $|{\psi }_i\rangle =|x_i{\rangle }_{{\theta }_i^A}$, where ${|0\rangle }_{+}=|0\rangle$, ${|1\rangle }_{+}=|1\rangle$, ${|0\rangle }_{\times }=|+\rangle ={\displaystyle \frac{1}{\sqrt{2}}}\left(\right|0\rangle +|1\rangle )$, ${|1\rangle }_{\times }=|-\rangle ={\displaystyle \frac{1}{\sqrt{2}}}\left(\right|0\rangle -|1\rangle )$.

3.

Alice sends $|{\psi }_i\rangle$ to Bob over the quantum channel (Eve may intercept).

Phase 1 (Measurement).

1.

For each qubit received, Bob samples ${\theta }_i^B\stackrel{\$}{\leftarrow }\{+,\times \}$ and measures in basis ${\theta }_i^B$, obtaining outcome $y_i$.

Phase 2 (Sifting, over authenticated classical channel).

1.

Alice and Bob publicly exchange basis choices $\left\{{\theta }_i^A\right\}$ and $\left\{{\theta }_i^B\right\}$.

2.

They keep only positions where ${\theta }_i^A={\theta }_i^B$. Let $S=\{i:{\theta }_i^A={\theta }_i^B\}$; the sifted key is ${\left(x_i\right)}_{i\in S}$ for Alice and ${\left(y_i\right)}_{i\in S}$ for Bob, with $\left|S\right|\approx N/2$.

Phase 3 (Error Estimation).

1.

Alice and Bob randomly select a subset $T\subset S$ of size k and compare their bits publicly.

2.

They compute the observed error rate $Q_{\mathrm{obs}}=\left|\{i\in T:x_i\ne y_i\}\right|/k$.

3.

If $Q_{\mathrm{obs}}>Q_{\mathrm{tol}}$: ABORT (market collapse detected). If $Q_{\mathrm{obs}}\le Q_{\mathrm{tol}}$: proceed.

Phase 4 (Error Correction and Privacy Amplification).

1.

Error correction: Bob corrects his key to match Alice’s using public syndrome information (leaks at most $nh\left(Q_{\mathrm{obs}}\right)$ bits of information to Eve).

2.

Privacy amplification: Both parties apply a universal₂ hash function to the corrected key, producing the final secret key $K\in {\{0,1\}}^{\ell }$ with $\ell =n(1-h\left(Q_{\mathrm{obs}}\right))-\lambda$.

15.1.0.9. Correctness.

After error correction, $K^A=K^B$ with overwhelming probability (error correction failure probability $\le 2^{-\lambda }$).

15.2. Protocol Sequence Diagram

Figure 59. BB84 QKD protocol sequence diagram. Phase 0: Alice prepares qubits in random bases and sends them over a quantum channel (wavy arrows indicate quantum transmission); Eve can intercept and perform arbitrary quantum operations. Phase 1: Bob measures in random bases. Phase 2: Classical sifting to retain matching-basis positions. Phase 3: Error estimation on a random sample—high error rate triggers abort (market collapse). Phase 4: Error correction and privacy amplification produce the shared key K.

Figure 59. BB84 QKD protocol sequence diagram. Phase 0: Alice prepares qubits in random bases and sends them over a quantum channel (wavy arrows indicate quantum transmission); Eve can intercept and perform arbitrary quantum operations. Phase 1: Bob measures in random bases. Phase 2: Classical sifting to retain matching-basis positions. Phase 3: Error estimation on a random sample—high error rate triggers abort (market collapse). Phase 4: Error correction and privacy amplification produce the shared key K.

15.3. MTSF Quantum Market Model for BB84

This is the first MTSF market where the seller operates quantumly. We instantiate Theorem 37.

15.3.0.10. Quantum market participants.

• Quantum seller${\mathsf{Seller}}^Q$ (Alice): holds quantum register ${\mathsf{R}}_A$; prepares qubits $|{\psi }_i\rangle =|x_i{\rangle }_{{\theta }_i^A}$ (quantum channel ${\mathcal{E}}_k^S$: state preparation); performs classical post-processing (sifting, error estimation, privacy amplification).
• Quantum buyer${\mathsf{Buyer}}^Q$ (Eve): holds quantum register ${\mathsf{R}}_E$ (potentially entangled with an ancilla ${\mathsf{R}}_{E^{\prime }}$); performs arbitrary quantum operations on intercepted qubits. Eve’s strategy is a sequence of quantum channels $\left\{{\mathcal{E}}_k^B\right\}$: intercept, measure/entangle, re-send (possibly modified) qubits to Bob.
• Bob: the seller’s partner (not a separate market participant). Bob’s measurements and classical communications are part of the seller’s strategy.
• Quantum channel: the physical medium carrying qubits from Alice to Bob. Eve has full control of this channel—she can intercept, measure, replace, or entangle any qubit.
• Authenticated classical channel: Alice-Bob classical communication (sifting, error estimation) is assumed authenticated. This is the shared market infrastructure $\mathcal{I}$.

15.3.0.11. Security goods.

The quantum seller offers three goods:

• $g_{\mathsf{secrecy}}$: Key secrecy—the final key K is indistinguishable from uniform randomness to Eve. Formally: ${\displaystyle \frac{1}{2}}{\parallel K\otimes {\rho }_E-U_{\ell }\otimes {\rho }_E\parallel }_{\mathrm{tr}}\le \mathsf{negl}\left(\lambda \right)$, where ${\rho }_E$ is Eve’s quantum state after the protocol and $U_{\ell }$ is the uniform distribution on ℓ-bit strings.
• $g_{\mathsf{correct}}$: Correctness—$K^A=K^B$ with overwhelming probability.
• $g_{\mathsf{detect}}$: Eavesdropping detection—if Eve extracts more than $\mathsf{negl}\left(\lambda \right)$ bits of information about the key, the error rate $Q_{\mathrm{obs}}$ exceeds $Q_{\mathrm{tol}}$ with overwhelming probability, triggering abort.

Definition 35 

(BB84 Quantum Market). The BB84 quantum market

$${\mathcal{M}}_{\mathsf{BB}\mathsf{84}}^Q=({\mathsf{Seller}}^Q,{\mathsf{Buyer}}^Q,\{g_{\mathsf{secrecy}},g_{\mathsf{correct}},g_{\mathsf{detect}}\},\mathcal{I},{\rho }_0)$$

is defined as follows:

• Initial state:

  $${\rho }_0={|0\rangle \langle 0|}_{{\mathsf{R}}_A}^{\otimes N}\otimes {|0\rangle \langle 0|}_{{\mathsf{R}}_E}$$
  (product state—no initial entanglement).
• Seller’s quantum channel${\mathcal{E}}_k^S$: Prepare

  $$|{\psi }_k\rangle =|x_k{\rangle }_{{\theta }_k^A}$$
  and send over the quantum channel.
• Buyer’s quantum channel${\mathcal{E}}_k^B$: An arbitrary CPTP map acting on the intercepted qubit and Eve’s ancilla.
• Quantum ask price (cf. (226)):

  $${\mathsf{Ask}}^Q\left(g_{\mathsf{secrecy}}\right)=\underset{{\mathsf{Buyer}}^Q}{sup}{\displaystyle \frac{1}{2}}{∥K\otimes {\rho }_E-U_{\ell }\otimes {\rho }_E∥}_{\mathrm{tr}}.$$

15.4. Security Proof via Quantum Bidding Rounds

Theorem 61 

(BB84 Quantum Market Equilibrium). Let the BB84 protocol run with parameters N (raw key length), $Q_{\mathrm{tol}}\approx 0.11$, and privacy amplification output length $\ell =n(1-h\left(Q_{\mathrm{obs}}\right))-\lambda$. Then:

$${\mathsf{Ask}}^Q\left(g_{\mathsf{secrecy}}\right)\le 2^{-\lambda /2}+\mathsf{negl}\left(\lambda \right).$$

(207)

The BB84 quantum market is in equilibrium. Crucially, this holds againstallquantum adversaries, including those with unlimited computational power.

Proof. 

We construct five quantum bidding rounds. Each round applies the quantum extended difference lemma (Theorem 6) using trace distance as the quantum price adjustment.

${\mathbf{B}}_0^Q$(Real BB84 Quantum Market—Quantum Interception Bid). The quantum seller prepares and transmits N qubits. The quantum buyer intercepts each qubit on the quantum channel and performs an arbitrary quantum operation (joint unitary on the qubit and her ancilla register ${\mathsf{R}}_E$), then forwards a (possibly modified) qubit to Bob. After sifting, error estimation passes ($Q_{\mathrm{obs}}\le Q_{\mathrm{tol}}$), and Alice and Bob produce key K.

${\mathbf{B}}_1^Q$(Bidding Round 1: No-Cloning Bid—Intercept-Resend Bound).

Any quantum operation by Eve on the intercepted qubit can be decomposed (by Stinespring dilation) as a unitary on the qubit plus ancilla followed by a partial trace. The key insight: if Eve extracts $I_E$ bits of information about Alice’s bit $x_i$, she necessarily introduces a disturbance of at least ${\delta }_i\ge f\left(I_E\right)$ on the qubit forwarded to Bob, where f is a monotonically increasing function derived from the information-disturbance trade-off.

Quantum price adjustment (information-disturbance trade-off): For each sifted-key bit, define Eve’s information $I_E^{\left(i\right)}$ and the induced error rate $Q_i$ on that bit. The Fuchs–Caves–Holevo bound gives:

$$I_E^{\left(i\right)}\le h\left(Q_i\right),$$

(208)

where $h(·)$ is the binary entropy function. Eve’s total information on the sifted key is $I_E^{\mathrm{total}}\le n·h\left(Q_{\mathrm{avg}}\right)$ where $Q_{\mathrm{avg}}$ is the average error rate.

Quantum trace distance:

$$\Delta {\mathsf{Price}}_1^Q={\displaystyle \frac{1}{2}}{\parallel {\rho }_{\mathrm{final}}^{\left(0\right)}-{\rho }_{\mathrm{final}}^{\left(1\right)}\parallel }_{\mathrm{tr}}\le 2^{-\lambda /2},$$

(209)

where ${\rho }^{\left(1\right)}$ is the state conditioned on Eve’s information being bounded by $nh\left(Q_{\mathrm{obs}}\right)$.

Market interpretation: The no-cloning bid fails. The seller’s quantum states are non-orthogonal, so the buyer cannot extract information without paying a price (disturbance). The amount the buyer can learn is thermodynamically limited to $nh\left(Q_{\mathrm{obs}}\right)$ bits—this is the “budget ceiling” on the buyer’s quantum interception bid.

${\mathbf{B}}_2^Q$(Bidding Round 2: Error Estimation Bid—Statistical Detection).

Quantum price adjustment: Let $F_{\mathrm{est}}$ be the event “error estimation fails to detect Eve’s disturbance.” By Hoeffding’s inequality with k sample bits and margin $\gamma$:

$$Pr\left[F_{\mathrm{est}}\right]\le e^{-2k{\gamma }^2}.$$

(210)

For $k=\Theta (\lambda /{\gamma }^2)$, this is $\le 2^{-\Omega \left(\lambda \right)}=\mathsf{negl}\left(\lambda \right)$.

Market interpretation: The error estimation bid bounds the probability that the buyer evades detection. Even though the buyer’s attack is quantum, the detection mechanism is a classical sampling test that succeeds with overwhelming probability.

${\mathbf{B}}_3^Q$(Bidding Round 3: Privacy Amplification Bid—Leftover Hash Lemma).

By the quantum leftover hash lemma, after privacy amplification with output length $\ell =n(1-h\left(Q_{\mathrm{obs}}\right))-\lambda$:

$${\displaystyle \frac{1}{2}}{\parallel K\otimes {\rho }_E-U_{\ell }\otimes {\rho }_E\parallel }_{\mathrm{tr}}\le 2^{-\lambda /2}.$$

(211)

Market interpretation: Privacy amplification is the seller’s final move—a “market restructuring” that converts the raw key (partially known to Eve) into a final key (virtually unknown). The hash function compresses the key to the length justified by the quantum min-entropy, squeezing out all information the buyer might have gained. The trace distance bound $2^{-\lambda /2}$ is the residual quantum ask price.

${\mathbf{B}}_4^Q$(Bidding Round 4: Error Correction Leakage Bid).

Error correction leaks at most $nh\left(Q_{\mathrm{obs}}\right)$ bits of classical information to Eve via the public syndrome. This is already accounted for in the privacy amplification output length: $\ell =n(1-h\left(Q_{\mathrm{obs}}\right))-\lambda$ subtracts exactly $nh\left(Q_{\mathrm{obs}}\right)$ bits. Price adjustment: $\Delta {\mathsf{Price}}_4^Q=0$ (already absorbed).

Total quantum ask price:

$${\mathsf{Ask}}^Q\left(g_{\mathsf{secrecy}}\right)\le \underset{\mathrm{QLHL}}{\underbrace{2^{-\lambda /2}}}+\underset{\mathrm{estimation}}{\underbrace{e^{-2k{\gamma }^2}}}+\underset{\mathrm{EC}\mathrm{failure}}{\underbrace{2^{-\lambda }}}\le 2^{-\lambda /2}+\mathsf{negl}\left(\lambda \right).$$

(212)

The BB84 quantum market is in equilibrium.    □

Figure 60. BB84 quantum bidding-round chain: real quantum market $\left({\mathbf{B}}_0^Q\right)$ to ideal $\left({\mathbf{B}}_4^Q\right)$. Two distinctively quantum hops: ${\mathbf{B}}_0^Q\to {\mathbf{B}}_1^Q$ (no-cloning information-disturbance trade-off—the seller’s non-orthogonal states structurally limit the buyer’s information gain) and ${\mathbf{B}}_2^Q\to {\mathbf{B}}_3^Q$ (quantum leftover hash lemma—privacy amplification against quantum side information). These are the quantum analogues of the O2H and measure-and-reprogram hops in the QROM case study (Section 14). The security is information-theoretic: no computational assumption is required, only quantum mechanics.

Figure 60. BB84 quantum bidding-round chain: real quantum market $\left({\mathbf{B}}_0^Q\right)$ to ideal $\left({\mathbf{B}}_4^Q\right)$. Two distinctively quantum hops: ${\mathbf{B}}_0^Q\to {\mathbf{B}}_1^Q$ (no-cloning information-disturbance trade-off—the seller’s non-orthogonal states structurally limit the buyer’s information gain) and ${\mathbf{B}}_2^Q\to {\mathbf{B}}_3^Q$ (quantum leftover hash lemma—privacy amplification against quantum side information). These are the quantum analogues of the O2H and measure-and-reprogram hops in the QROM case study (Section 14). The security is information-theoretic: no computational assumption is required, only quantum mechanics.

15.5. Extended Security Goods and CNF Verification

Corollary 18 

(BB84 Correctness). Under the error correction protocol with failure probability ${\delta }_{\mathsf{EC}}\le 2^{-\lambda }$:

$${\mathsf{Ask}}^Q\left(g_{\mathsf{correct}}\right)\le 2^{-\lambda }=\mathsf{negl}\left(\lambda \right).$$

(213)

Corollary 19 

(BB84 Eavesdropping Detection). If Eve extracts $I_E\ge \gamma n$ bits of information about the sifted key (for any constant $\gamma >0$), the error estimation detects this:

$${\mathsf{Ask}}^Q\left(g_{\mathsf{detect}}\right)\le e^{-2k{\gamma }^2}+2^{-\lambda }=\mathsf{negl}\left(\lambda \right).$$

(214)

Table 18. BB84 quantum market goods summary.

Good	Quantum Ask Price Bound	Dominant Term	Status
$g_{\mathsf{secrecy}}$	$2^{-\lambda /2}+e^{-2k{\gamma }^2}$	QLHL	Equilibrium
$g_{\mathsf{correct}}$	$2^{-\lambda }$	EC failure	Equilibrium
$g_{\mathsf{detect}}$	$e^{-2k{\gamma }^2}+2^{-\lambda }$	Hoeffding	Equilibrium
$g_{\mathsf{unbounded}}$ (ping)	$2^{-\lambda /2}$	QLHL (per session)	Equilibrium

Table 18. BB84 quantum market goods summary.

Good	Quantum Ask Price Bound	Dominant Term	Status
$g_{\mathsf{secrecy}}$	$2^{-\lambda /2}+e^{-2k{\gamma }^2}$	QLHL	Equilibrium
$g_{\mathsf{correct}}$	$2^{-\lambda }$	EC failure	Equilibrium
$g_{\mathsf{detect}}$	$e^{-2k{\gamma }^2}+2^{-\lambda }$	Hoeffding	Equilibrium
$g_{\mathsf{unbounded}}$ (ping)	$2^{-\lambda /2}$	QLHL (per session)	Equilibrium

16. Case Study VIII: Multi-Protocol Composition—TLS 1.3 + Signal Network

Figure 61. Multi-protocol composition as market merger: TLS 1.3 and Signal, each independently secure (in equilibrium), share a PKI infrastructure. The market merger theorem guarantees the combined system remains in equilibrium, provided the shared PKI is sound.

Figure 61. Multi-protocol composition as market merger: TLS 1.3 and Signal, each independently secure (in equilibrium), share a PKI infrastructure. The market merger theorem guarantees the combined system remains in equilibrium, provided the shared PKI is sound.

This case study instantiates the multi-protocol composition network formalisation of Section 20.2.2 on a concrete and practically relevant scenario: a device simultaneously running TLS 1.3 (Section 13.8.1) for web browsing and the Signal Protocol (Section 13.7) for encrypted messaging, sharing a common PKI infrastructure. This is the first MTSF analysis of concurrent protocol execution, demonstrating that the market merger theorem (Theorem 63) preserves equilibrium when two individually secure protocols compose.

16.1. Network Description

Component protocols.

1.

Protocol 1: TLS 1.3 (1-RTT handshake)—as analysed in Section 13.8.3. Provides session-key secrecy ($g_{\mathsf{sk}}^{\left(1\right)}$), forward secrecy ($g_{\mathsf{FS}}^{\left(1\right)}$), server authentication ($g_{\mathsf{auth}}^{\left(1\right)}$), and mutual authentication ($g_{\mathsf{mutual}}^{\left(1\right)}$) when client certificates are used.

2.

Protocol 2: Signal (X3DH + Double Ratchet)—as analysed in Section 13.7. Provides session-key secrecy ($g_{\mathsf{sk}}^{\left(2\right)}$), forward secrecy ($g_{\mathsf{FS}}^{\left(2\right)}$), post-compromise security ($g_{\mathsf{PCS}}^{\left(2\right)}$), asynchronous establishment ($g_{\mathsf{async}}^{\left(2\right)}$), and deniability ($g_{\mathsf{deny}}^{\left(2\right)}$).

16.1.0.13. Shared infrastructure $\mathcal{I}$.

• PKI (${\mathcal{I}}_{\mathsf{PKI}}$): X.509 certificate authorities issuing certificates for TLS servers and Signal identity keys. Shared trust anchors.
• Random oracle (${\mathcal{I}}_{\mathsf{RO}}$): Hash functions (SHA-256, SHA-384) used by both protocols for key derivation (HKDF in TLS, HKDF in Signal’s X3DH).
• Device RNG (${\mathcal{I}}_{\mathsf{RNG}}$): The operating system’s cryptographic random number generator, used by both protocols for nonce generation and ephemeral key sampling.

16.1.0.14. Participants.

• Device $\mathsf{D}$: runs both protocols concurrently. Acts as the TLS client and the Signal user.
• TLS server ${\mathsf{S}}_1$: the web server for Protocol 1.
• Signal server ${\mathsf{S}}_2$: the Signal key server storing prekey bundles for Protocol 2.
• Network adversary $\mathcal{A}$: a single PPT adversary controlling the network between $\mathsf{D}$ and both servers. $\mathcal{A}$ can intercept, modify, and inject messages in both protocols simultaneously. $\mathcal{A}$ has a single computational budget T (total running time).

16.2. MTSF Market Network Model

We instantiate Theorem 38 with $N=2$ component markets.

Definition 36 

(TLS+Signal Market Network). The protocol market network

$${\mathcal{N}}_{\mathsf{TS}}=\left(\{{\mathcal{M}}_{\mathsf{TLS}},{\mathcal{M}}_{\mathsf{Signal}}\},\mathcal{I},\mathcal{Z}\right)$$

is defined as follows:

• TLS market:

  $${\mathcal{M}}_{\mathsf{TLS}}=({\mathsf{Seller}}_{\mathsf{TLS}},{\mathsf{Buyer}}_{\mathsf{TLS}},\{g_{\mathsf{sk}}^{\left(1\right)},g_{\mathsf{FS}}^{\left(1\right)},g_{\mathsf{auth}}^{\left(1\right)},g_{\mathsf{mutual}}^{\left(1\right)}\},{\phi }_{\mathsf{TLS}})$$
  is the TLS 1.3 market from Section 13.8.2.
• Signal market:

  $${\mathcal{M}}_{\mathsf{Signal}}=({\mathsf{Seller}}_{\mathsf{Signal}},{\mathsf{Buyer}}_{\mathsf{Signal}},\{g_{\mathsf{sk}}^{\left(2\right)},g_{\mathsf{FS}}^{\left(2\right)},g_{\mathsf{PCS}}^{\left(2\right)},g_{\mathsf{async}}^{\left(2\right)},g_{\mathsf{deny}}^{\left(2\right)}\},{\phi }_{\mathsf{Signal}})$$
  is the Signal market from Section 13.7.
• Shared infrastructure:

  $$\mathcal{I}={\mathcal{I}}_{\mathsf{PKI}}\cup {\mathcal{I}}_{\mathsf{RO}}\cup {\mathcal{I}}_{\mathsf{RNG}}.$$
• Environment:$\mathcal{Z}$ is the network environment that interacts with both protocols concurrently.

16.2.0.15. Infrastructure security goods.

The shared infrastructure contributes three goods:

• $g_{\mathsf{PKI}}$: PKI integrity—no adversary can forge a valid certificate. ${\mathsf{Ask}}_{\mathcal{I}}\left(g_{\mathsf{PKI}}\right)\le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}-\mathsf{CMA}}\le \mathsf{negl}\left(\lambda \right)$ (under the EUF-CMA security of the CA’s signature scheme).
• $g_{\mathsf{RO}}$: Random oracle consistency—both protocols query the same hash function, modelled as a shared random oracle. ${\mathsf{Ask}}_{\mathcal{I}}\left(g_{\mathsf{RO}}\right)=0$ (the RO is ideal by assumption; in the standard model, replace by ${\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}$).
• $g_{\mathsf{RNG}}$: RNG quality—the device RNG produces outputs indistinguishable from uniform. ${\mathsf{Ask}}_{\mathcal{I}}\left(g_{\mathsf{RNG}}\right)\le {\mathsf{Adv}}_{\mathsf{RNG}}^{\mathsf{PRG}}\le \mathsf{negl}\left(\lambda \right)$.

16.3. Market Merger and Composition Proof

We apply the market merger theorem (Theorem 63) to the TLS+Signal network.

Theorem 62 

(TLS+Signal Network Equilibrium). Let ${\mathcal{M}}_{\mathsf{TLS}}$ be in equilibrium with ask prices as in Section 13.8.3, and let ${\mathcal{M}}_{\mathsf{Signal}}$ be in equilibrium with ask prices as in Section 13.7. If the shared infrastructure is sound (${\mathsf{Ask}}_{\mathcal{I}}\left(g\right)\le \mathsf{negl}\left(\lambda \right)$ for all infrastructure goods g), then the merged market:

$${\mathcal{M}}_{\mathsf{TLS}}{\otimes }_{\mathcal{I}}{\mathcal{M}}_{\mathsf{Signal}}$$

(215)

is in equilibrium. Specifically, for every security good g in either protocol:

$${\mathsf{Ask}}_{\mathcal{N}}\left(g\right)\le {\mathsf{Ask}}_{\mathsf{own}}\left(g\right)+{\mathsf{Ask}}_{\mathsf{other}}+{\mathsf{Ask}}_{\mathcal{I}}\le \mathsf{negl}\left(\lambda \right),$$

(216)

where ${\mathsf{Ask}}_{\mathsf{own}}\left(g\right)$ is the ask price of g in its home market, ${\mathsf{Ask}}_{\mathsf{other}}$ is the maximum ask price in the other market, and ${\mathsf{Ask}}_{\mathcal{I}}={max}_g{\mathsf{Ask}}_{\mathcal{I}}\left(g\right)$ is the infrastructure overhead.

Proof. 

We apply Theorem 63. The three conditions are verified:

Condition 1: TLS market equilibrium. By Section 13.8.3, all TLS 1.3 goods are in equilibrium. The ten-bidding-round chain gives:

$$\begin{array}{cc}\hfill {\mathsf{Ask}}_{\mathsf{TLS}}\left(g_{\mathsf{sk}}^{\left(1\right)}\right)& \le {\mathsf{Adv}}^{\mathsf{ECDLP}}+{\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}+q_N^2/2^{\lambda +1}\le \mathsf{negl}\left(\lambda \right),\hfill \end{array}$$

(217)

$$\begin{array}{cc}\hfill {\mathsf{Ask}}_{\mathsf{TLS}}\left(g_{\mathsf{auth}}^{\left(1\right)}\right)& \le {\mathsf{Adv}}^{\mathsf{EUF}-\mathsf{CMA}}+q_N^2/2^{\lambda +1}\le \mathsf{negl}\left(\lambda \right).\hfill \end{array}$$

(218)

Condition 2: Signal market equilibrium. By Section 13.7, all Signal goods are in equilibrium. The X3DH proof gives:

$$\begin{array}{cc}\hfill {\mathsf{Ask}}_{\mathsf{Signal}}\left(g_{\mathsf{sk}}^{\left(2\right)}\right)& \le {\mathsf{Adv}}^{\mathsf{gap}-\mathsf{CDH}}+q_N^2/2^{\lambda +1}\le \mathsf{negl}\left(\lambda \right),\hfill \end{array}$$

(219)

$$\begin{array}{cc}\hfill {\mathsf{Ask}}_{\mathsf{Signal}}\left(g_{\mathsf{FS}}^{\left(2\right)}\right)& \le {\mathsf{Adv}}^{\mathsf{gap}-\mathsf{CDH}}\le \mathsf{negl}\left(\lambda \right).\hfill \end{array}$$

(220)

Condition 3: Infrastructure soundness.

$$\begin{array}{cc}\hfill {\mathsf{Ask}}_{\mathcal{I}}\left(g_{\mathsf{PKI}}\right)& \le {\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}-\mathsf{CMA}}\le \mathsf{negl}\left(\lambda \right),\hfill \end{array}$$

(221)

$$\begin{array}{cc}\hfill {\mathsf{Ask}}_{\mathcal{I}}\left(g_{\mathsf{RO}}\right)& =0(\mathrm{ideal}\mathrm{RO}),\hfill \end{array}$$

(222)

$$\begin{array}{cc}\hfill {\mathsf{Ask}}_{\mathcal{I}}\left(g_{\mathsf{RNG}}\right)& \le {\mathsf{Adv}}_{\mathsf{RNG}}^{\mathsf{PRG}}\le \mathsf{negl}\left(\lambda \right).\hfill \end{array}$$

(223)

By Theorem 63, the merged market is in equilibrium. The quantitative bound from Remark after Theorem 63 gives:

$${\mathsf{Ask}}_{\mathcal{N}}\left(g_{\mathsf{sk}}^{\left(1\right)}\right)\le \underset{\mathrm{own}\mathrm{market}}{\underbrace{{\mathsf{Ask}}_{\mathsf{TLS}}\left(g_{\mathsf{sk}}^{\left(1\right)}\right)}}+\underset{\mathrm{simulation}\mathrm{overhead}}{\underbrace{{\mathsf{Ask}}_{\mathsf{Signal},max}}}+\underset{\mathrm{infrastructure}}{\underbrace{{\mathsf{Ask}}_{\mathcal{I},max}}}\le \mathsf{negl}\left(\lambda \right),$$

(224)

where ${\mathsf{Ask}}_{\mathsf{Signal},max}={max}_j{\mathsf{Ask}}_{\mathsf{Signal}}\left(g_j^{\left(2\right)}\right)$ is the simulation overhead from simulating the Signal market when reducing to the standalone TLS game. Symmetrically for Signal goods.

The proof proceeds by constructing a standalone buyer for each market that internally simulates the other market using the UC simulator (market arbitrageur from Section 2.4). The environment $\mathcal{Z}$ cannot distinguish the real composed execution from the simulation because both component markets are UC-realizable (they implement ideal functionalities for key exchange and secure messaging respectively).    □

Figure 62. TLS 1.3 + Signal protocol market network. The TLS market (left, blue) and Signal market (right, teal) share infrastructure $\mathcal{I}$ (PKI, random oracle, device RNG). A single network adversary $\mathcal{A}$ with budget T must split its resources ($t_1+t_2\le T$) between the two markets. The orange dashed link indicates resource competition: effort spent attacking TLS reduces resources available for attacking Signal. By the market merger theorem (Theorem 63), since both component markets and the infrastructure are in equilibrium individually, the merged market ${\mathcal{M}}_{\mathsf{TLS}}{\otimes }_{\mathcal{I}}{\mathcal{M}}_{\mathsf{Signal}}$ preserves equilibrium for all nine security goods.

Figure 62. TLS 1.3 + Signal protocol market network. The TLS market (left, blue) and Signal market (right, teal) share infrastructure $\mathcal{I}$ (PKI, random oracle, device RNG). A single network adversary $\mathcal{A}$ with budget T must split its resources ($t_1+t_2\le T$) between the two markets. The orange dashed link indicates resource competition: effort spent attacking TLS reduces resources available for attacking Signal. By the market merger theorem (Theorem 63), since both component markets and the infrastructure are in equilibrium individually, the merged market ${\mathcal{M}}_{\mathsf{TLS}}{\otimes }_{\mathcal{I}}{\mathcal{M}}_{\mathsf{Signal}}$ preserves equilibrium for all nine security goods.

16.4. Resource Competition Analysis

The MTSF language makes explicit a phenomenon that is implicit in the UC framework: the adversary faces a resource allocation problem when attacking multiple protocols simultaneously.

Proposition 5 

(Adversarial Resource Allocation). Let $\mathcal{A}$ be a PPT adversary with total running time T attacking the network ${\mathcal{N}}_{\mathsf{TS}}$. If $\mathcal{A}$ allocates time $t_1$ to attacking ${\mathcal{M}}_{\mathsf{TLS}}$ and $t_2=T-t_1$ to attacking ${\mathcal{M}}_{\mathsf{Signal}}$, then:

$${\mathsf{Ask}}_{\mathcal{N}}\left(g_{\mathsf{sk}}^{\left(1\right)}\right)+{\mathsf{Ask}}_{\mathcal{N}}\left(g_{\mathsf{sk}}^{\left(2\right)}\right)\le f_{\mathsf{TLS}}\left(t_1\right)+f_{\mathsf{Signal}}(T-t_1)+2{\mathsf{Ask}}_{\mathcal{I}},$$

(225)

where $f_{\mathsf{TLS}}\left(t\right)={\mathsf{Adv}}^{\mathsf{ECDLP}}\left(t\right)+{\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}\left(t\right)+q_N^2/2^{\lambda +1}$ and $f_{\mathsf{Signal}}\left(t\right)={\mathsf{Adv}}^{\mathsf{gap}-\mathsf{CDH}}\left(t\right)+q_N^2/2^{\lambda +1}$ are the advantage functions for each protocol as a function of computational effort.

Proof. 

The adversary’s total computation is partitioned: $t_1$ steps interact with TLS, $t_2$ steps interact with Signal. Any computation that interacts with TLS contributes to $f_{\mathsf{TLS}}\left(t_1\right)$ via the standalone TLS reduction. Any computation that interacts with Signal contributes to $f_{\mathsf{Signal}}\left(t_2\right)$ via the standalone Signal reduction. The infrastructure overhead ${\mathsf{Ask}}_{\mathcal{I}}$ applies to each market independently (hence the factor of 2). The resource constraint $t_1+t_2\le T$ means the adversary cannot achieve the best attack on both protocols simultaneously.    □

Remark 6 

(Weakest Link Principle). The rational adversary maximises

$$max({\mathsf{Ask}}_{\mathcal{N}}\left(g_{\mathsf{sk}}^{\left(1\right)}\right),{\mathsf{Ask}}_{\mathcal{N}}\left(g_{\mathsf{sk}}^{\left(2\right)}\right))$$

—it concentrates resources on whichever protocol offers the highest “return on attack.” If TLS uses ECDLP on a 256-bit curve and Signal uses gap-CDH on the same curve, both are equally hard and the adversary gains nothing from splitting effort. In practice, if one protocol used a weaker primitive (e.g., a shorter key), the adversary would rationally concentrate there—formalising the “weakest link” principle in market terms.

16.5. Network CNF Verification

We instantiate Theorem 40 for the TLS+Signal network.

Table 19. TLS+Signal market network goods summary. All goods from both protocols plus infrastructure goods, with network ask prices from Theorem 62.

Market	Good	Standalone Ask	Network Ask (Eq. 216)	Status
TLS 1.3	$g_{\mathsf{sk}}^{\left(1\right)}$: key secrecy	${\mathsf{Adv}}^{\mathsf{ECDLP}}+{\mathsf{Adv}}^{\mathsf{PRF}}+q_N^2/2^{\lambda +1}$	$+{\mathsf{Ask}}_{\mathsf{Signal},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{FS}}^{\left(1\right)}$: forward secrecy	${\mathsf{Adv}}^{\mathsf{ECDLP}}$	$+{\mathsf{Ask}}_{\mathsf{Signal},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{auth}}^{\left(1\right)}$: authentication	${\mathsf{Adv}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$	$+{\mathsf{Ask}}_{\mathsf{Signal},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{mutual}}^{\left(1\right)}$: mutual auth	${\mathsf{Adv}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$	$+{\mathsf{Ask}}_{\mathsf{Signal},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
Signal	$g_{\mathsf{sk}}^{\left(2\right)}$: key secrecy	${\mathsf{Adv}}^{\mathsf{gap}-\mathsf{CDH}}+q_N^2/2^{\lambda +1}$	$+{\mathsf{Ask}}_{\mathsf{TLS},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{FS}}^{\left(2\right)}$: forward secrecy	${\mathsf{Adv}}^{\mathsf{gap}-\mathsf{CDH}}$	$+{\mathsf{Ask}}_{\mathsf{TLS},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{PCS}}^{\left(2\right)}$: post-compromise	${\mathsf{Adv}}^{\mathsf{gap}-\mathsf{CDH}}$	$+{\mathsf{Ask}}_{\mathsf{TLS},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{async}}^{\left(2\right)}$: async establish	${\mathsf{Adv}}^{\mathsf{gap}-\mathsf{CDH}}$	$+{\mathsf{Ask}}_{\mathsf{TLS},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{deny}}^{\left(2\right)}$: deniability	$\le \mathsf{negl}$	$+{\mathsf{Ask}}_{\mathsf{TLS},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
Infrastructure	$g_{\mathsf{PKI}}$: cert integrity	${\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}$	(shared)	Equilibrium
	$g_{\mathsf{RO}}$: hash consistency	0 (ideal)	(shared)	Equilibrium
	$g_{\mathsf{RNG}}$: RNG quality	${\mathsf{Adv}}_{\mathsf{RNG}}^{\mathsf{PRG}}$	(shared)	Equilibrium

Table 19. TLS+Signal market network goods summary. All goods from both protocols plus infrastructure goods, with network ask prices from Theorem 62.

Market	Good	Standalone Ask	Network Ask (Eq. 216)	Status
TLS 1.3	$g_{\mathsf{sk}}^{\left(1\right)}$: key secrecy	${\mathsf{Adv}}^{\mathsf{ECDLP}}+{\mathsf{Adv}}^{\mathsf{PRF}}+q_N^2/2^{\lambda +1}$	$+{\mathsf{Ask}}_{\mathsf{Signal},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{FS}}^{\left(1\right)}$: forward secrecy	${\mathsf{Adv}}^{\mathsf{ECDLP}}$	$+{\mathsf{Ask}}_{\mathsf{Signal},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{auth}}^{\left(1\right)}$: authentication	${\mathsf{Adv}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$	$+{\mathsf{Ask}}_{\mathsf{Signal},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{mutual}}^{\left(1\right)}$: mutual auth	${\mathsf{Adv}}^{\mathsf{EUF}}+q_N^2/2^{\lambda +1}$	$+{\mathsf{Ask}}_{\mathsf{Signal},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
Signal	$g_{\mathsf{sk}}^{\left(2\right)}$: key secrecy	${\mathsf{Adv}}^{\mathsf{gap}-\mathsf{CDH}}+q_N^2/2^{\lambda +1}$	$+{\mathsf{Ask}}_{\mathsf{TLS},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{FS}}^{\left(2\right)}$: forward secrecy	${\mathsf{Adv}}^{\mathsf{gap}-\mathsf{CDH}}$	$+{\mathsf{Ask}}_{\mathsf{TLS},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{PCS}}^{\left(2\right)}$: post-compromise	${\mathsf{Adv}}^{\mathsf{gap}-\mathsf{CDH}}$	$+{\mathsf{Ask}}_{\mathsf{TLS},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{async}}^{\left(2\right)}$: async establish	${\mathsf{Adv}}^{\mathsf{gap}-\mathsf{CDH}}$	$+{\mathsf{Ask}}_{\mathsf{TLS},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
	$g_{\mathsf{deny}}^{\left(2\right)}$: deniability	$\le \mathsf{negl}$	$+{\mathsf{Ask}}_{\mathsf{TLS},max}+{\mathsf{Ask}}_{\mathcal{I}}$	Equilibrium
Infrastructure	$g_{\mathsf{PKI}}$: cert integrity	${\mathsf{Adv}}_{\mathsf{CA}}^{\mathsf{EUF}}$	(shared)	Equilibrium
	$g_{\mathsf{RO}}$: hash consistency	0 (ideal)	(shared)	Equilibrium
	$g_{\mathsf{RNG}}$: RNG quality	${\mathsf{Adv}}_{\mathsf{RNG}}^{\mathsf{PRG}}$	(shared)	Equilibrium

Remark 7 

(Generalisation to N Protocols). Theorem 20 shows that a device running $N=\mathsf{poly}\left(\lambda \right)$ protocols simultaneously (e.g., TLS + Signal + SSH + WireGuard + …) remains in network equilibrium as long as each protocol market and the shared infrastructure are individually in equilibrium. The network ask price grows at most linearly in N, but since each component ask is negligible and N is polynomial, the sum remains negligible. The practical takeaway: running many secure protocols on the same device does not degrade security, provided the shared infrastructure (PKI, RNG) is sound.

Figure 63. Complete scoreboard of all MTSF case studies. Green boxes indicate market equilibrium (scheme/protocol is secure); red boxes indicate market collapse (insecure). The same MTSF framework produces both verdicts using bidding-round machinery, CNF verification, and session pinging.

17. Writing a Security Research Paper with MTSF

This section provides a comprehensive, self-contained guide for writing a classical security research paper using MTSF. It covers the full pipeline from specifying a cryptographic scheme to proving or disproving its security, and is written so that a graduate student encountering security proofs for the first time can follow each step.

17.1. Step 1: Define the Scheme or Protocol

17.2. Step 2: Define the Security Goals

17.3. Step 3: Formal Security Definitions

17.4. Step 4: Define the Adversary Model

17.5. Step 5: Construct the MTSF Security Proof

17.6. Step 6: Proving Insecurity with MTSF

17.7. Step 7: Structuring the Paper

Figure 64. The seven-step pipeline for writing a security research paper using MTSF. Steps 1–4 set up the scheme, goals, definitions, and adversary model. Step 5 constructs the MTSF proof. Step 6 handles insecurity (if applicable). Step 7 organises the paper. The final verdict is equilibrium (secure) or collapse (insecure).

Figure 64. The seven-step pipeline for writing a security research paper using MTSF. Steps 1–4 set up the scheme, goals, definitions, and adversary model. Step 5 constructs the MTSF proof. Step 6 handles insecurity (if applicable). Step 7 organises the paper. The final verdict is equilibrium (secure) or collapse (insecure).

18. Presenting MTSF Proofs for Different Publication Venues

Cryptographic research is published across venues with vastly different page limits, audiences, and expectations. A proof that fills 40 pages at CRYPTO would be rejected at IEEE Transactions on Information Forensics and Security (TIFS) for exceeding the 13-page limit. Conversely, a compressed 8-page proof at a journal might be criticised at EUROCRYPT for lacking detail. This section provides concrete, venue-specific guidance for presenting MTSF proofs at three classes of publication venue: (1) page-restricted IEEE Transactions, (2) page-unrestricted Springer/Elsevier journals, and (3) cryptographic conferences with lengthy proceedings.

18.1. Case 1: IEEE Transactions (Page-Restricted, Broad Audience)

Figure 65. Four venue-specific presentations of the same MTSF proof. IEEE: compressed table. Non-crypto journals: full rounds with application context and analogies. Crypto journals: full rigorous proofs with tightness. CRYPTO/EUROCRYPT: full proofs with extensions, meta-reductions, and composition.

Figure 65. Four venue-specific presentations of the same MTSF proof. IEEE: compressed table. Non-crypto journals: full rounds with application context and analogies. Crypto journals: full rigorous proofs with tightness. CRYPTO/EUROCRYPT: full proofs with extensions, meta-reductions, and composition.

18.2. Case 2a: Cryptographic Journals (Page-Unrestricted, Expert Cryptographic Audience)

18.3. Case 2b: Non-Cryptographic Journals (Page-Unrestricted, Domain-Specific Audience)

Figure 66. Paper structure comparison: cryptographic journals (top) vs. non-cryptographic journals (bottom). The MTSF proof core is shared; the framing (application context vs. tightness analysis) differs.

Figure 66. Paper structure comparison: cryptographic journals (top) vs. non-cryptographic journals (bottom). The MTSF proof core is shared; the framing (application context vs. tightness analysis) differs.

18.4. Case 3: Cryptographic Conferences (Extended Proceedings, Expert Audience)

18.5. Venue Adaptation Summary

Figure 67. Venue adaptation matrix: how each MTSF proof component should be presented across four venue types. IEEE: compressed. Non-crypto journals: application-focused with analogies and performance. Crypto journals: rigorous with tightness. CRYPTO/EUROCRYPT: full with extensions and meta-reductions.

Figure 67. Venue adaptation matrix: how each MTSF proof component should be presented across four venue types. IEEE: compressed. Non-crypto journals: application-focused with analogies and performance. Crypto journals: rigorous with tightness. CRYPTO/EUROCRYPT: full with extensions and meta-reductions.

18.6. MTSF Battle Cards and Proof Scorecards

Figure 68. Battle card: ECDSA. Five bidding rounds, all bids fail, market in equilibrium with $\mathsf{Ask}\le 2^{-128}$.

Figure 68. Battle card: ECDSA. Five bidding rounds, all bids fail, market in equilibrium with $\mathsf{Ask}\le 2^{-128}$.

Figure 69. Battle card: Needham–Schroeder. One masquerade bid succeeds with $\mathsf{Ask}=1$. Market collapsed—protocol design flaw.

Figure 69. Battle card: Needham–Schroeder. One masquerade bid succeeds with $\mathsf{Ask}=1$. Market collapsed—protocol design flaw.

Figure 70. Historical timeline of cryptographic security paradigms. Key events from Needham–Schroeder (1978) to MTSF (2026). The annotation shows that MTSF’s CNF verification would have detected the NS flaw immediately upon protocol design.

Figure 70. Historical timeline of cryptographic security paradigms. Key events from Needham–Schroeder (1978) to MTSF (2026). The annotation shows that MTSF’s CNF verification would have detected the NS flaw immediately upon protocol design.

Figure 71. Battle card: AES-256. Four cryptanalytic bids, all fail with wide margins. Market in equilibrium.

Figure 71. Battle card: AES-256. Four cryptanalytic bids, all fail with wide margins. Market in equilibrium.

Figure 72. Battle card: BB84 QKD. Information-theoretic security—permanent equilibrium based on physics, not computation.

Figure 72. Battle card: BB84 QKD. Information-theoretic security—permanent equilibrium based on physics, not computation.

19. Related Work

19.1. Game-Based Security Proofs

The foundations of game-based proofs were laid by Bellare and Rogaway [2], who introduced the sequence-of-games methodology, and by Shoup [1], who formalised the difference lemma: if two games ${\mathbf{B}}_k$ and ${\mathbf{B}}_{k+1}$ differ only on event F, then $|Pr[{\mathbf{B}}_k=1]-Pr[{\mathbf{B}}_{k+1}=1]|\le Pr\left[F\right]$. This has become the central tool for bounding game-hop probabilities. Our extended difference lemma (Lemma 2) strictly generalises Shoup’s single-failure version by capturing m simultaneous failure events $F_1,\dots ,F_m$ via $Pr\left[{\bigcup }_i{F}_i\right]$ with inclusion-exclusion tightening. Whereas Shoup’s lemma requires artificially splitting multi-failure hops into multiple sequential games, our lemma handles them in a single step, tightening bounds and reducing proof length.

Bellare and Neven [14] introduced the general forking lemma for extracting two consistent forgeries from a signature adversary, which we use in the ECDSA proof (Section 9.1). Bellare and Rogaway’s random oracle model [12] underpins our ROM-based proofs; the QROM extension (Section 14) addresses the limitation that classical ROM proofs do not account for quantum superposition queries.

The market-theoretic language we introduce—“seller,” “buyer,” “ask price,” “bidding round,” “equilibrium,” and “collapse”—has no precedent in the cryptographic proof literature. All prior game-based work uses standard game/adversary/challenger terminology without the economic framing. MTSF is the first framework to unify proof methodology with market theory.

19.2. Universal Composability and GUC

Canetti’s Universal Composability (UC) framework [3] provides the gold standard for composable security: a protocol proven UC-secure remains secure when run concurrently with arbitrary other protocols. UC proofs require constructing an ideal functionality $\mathcal{F}$ and a simulator $\mathcal{S}$ that makes the real world indistinguishable from the ideal world for any environment $\mathcal{Z}$. In MTSF, the environment $\mathcal{Z}$ is recast as a market regulator, the simulator $\mathcal{S}$ as a market arbitrageur, and the ideal functionality as the seller’s security goods.

Generalised UC (GUC) [4] extends UC to allow shared state (global common reference strings, public-key infrastructure). In MTSF, GUC shared functionality corresponds to market infrastructure—the PKI, key registration systems, and trust anchors that all parties can access. Camenisch, Manulis, and Neven [5] introduced CNF-based session correctness verification within the GUC framework, requiring sessions to satisfy a conjunction of Boolean clauses derived from the protocol’s message structure. We directly build on their CNF formalism, extending it with (a) a canonical five-phase verification algorithm (Algorithm 1), (b) an easy four-column manual worksheet for practitioner use, (c) integration with session pinging for unbounded coverage, and (d) a “dishonest-trace unsatisfiability” proof strategy that replaces ad hoc protocol analysis.

19.3. Formal Verification of Protocols

ProVerif [6] is the leading automated tool for protocol security verification, based on the applied pi-calculus. It can automatically prove secrecy, authentication, and other properties for unbounded sessions, but does not produce numerical advantage bounds. Tamarin [7] uses multiset rewriting rules and provides user-guided proofs of complex protocols (including TLS 1.3 and 5G AKA), again without quantitative bounds. CryptoVerif [8] bridges the gap by producing machine-checked game-based proofs with concrete bounds, but requires significant manual guidance and does not support the UC/GUC framework natively.

MTSF’s session pinging mechanism (Section 5) provides unbounded session coverage comparable to ProVerif’s symbolic analysis, while maintaining quantitative advantage bounds comparable to CryptoVerif’s game-based approach. This combination—unbounded + quantitative—is unique to MTSF.

The EasyCrypt proof assistant [59] supports machine-checked cryptographic proofs in the game-based style. Mechanising MTSF proofs in EasyCrypt is an important avenue for future work, particularly for the extended difference lemma and QROM case studies.

19.4. TLS 1.3 and Protocol Security Analysis

Transport Layer Security 1.3 [51] represents the most thoroughly analysed deployed cryptographic protocol in history. Its design was informed by a decade of attacks on TLS 1.2 [53,60,61], and it underwent extensive formal analysis both before and after standardisation.

The most comprehensive formal analysis of TLS 1.3 is by Dowling, Fischlin, Günther, and Stebila [54], who prove security of the full TLS 1.3 handshake in the ACCE (Authenticated and Confidential Channel Establishment) model [62]. Their proof covers the 1-RTT handshake, resumption via PSK, and the 0-RTT mode, demonstrating that the 1-RTT handshake achieves authenticated key exchange with forward secrecy, while 0-RTT provides confidentiality only against passive adversaries (not active replay). A parallel analysis by Cremers, Hövelmanns, and Rausch [63] using symbolic verification in Tamarin confirmed the handshake properties including downgrade resilience. Our MTSF analysis (Section 13.8) is complementary: we provide the first market-theoretic formalisation of TLS 1.3, casting the ACCE proof as a ten-bidding-round chain and formalising the 0-RTT replay collapse and downgrade attack as explicit market collapse theorems.

The HKDF key schedule [52,64] is central to TLS 1.3’s security. Krawczyk [64] proved HKDF’s security as a PRF under the assumption that HMAC is a PRF, and as an indistinguishable random oracle extractor under weaker assumptions. In our MTSF proof (Section 13.8.3), HKDF’s PRF security accounts for three separate price adjustments (one per extract/expand step in the HS, MS, and CATS derivations), each bounded by ${\mathsf{Adv}}_{\mathsf{HKDF}}^{\mathsf{PRF}}$.

The 0-RTT replay vulnerability is acknowledged explicitly in RFC 8446, Section 8, and in Fischlin, Günther, and Marson [65], who formally define the “1-RTT-then-0-RTT” security model and prove that 0-RTT achieves confidentiality against passive adversaries but provides no replay protection. Our MTSF formulation (Theorem 56) provides a direct market-collapse proof: the replay bid is free ($\mathsf{Ask}=1$) without server-side anti-replay, and we identify the missing CNF clause (${\phi }^{\mathsf{fresh}-\mathsf{early}}$) as the root cause.

Downgrade attacks on TLS have a long history, including POODLE [60] (forcing SSLv3 negotiation), FREAK [61] (forcing export-grade RSA), and Logjam [66] (forcing 512-bit DHE). TLS 1.3 addresses all of these by requiring the RFC 8446 downgrade sentinel in ServerHello.Random when a TLS 1.3-capable server negotiates TLS 1.2. Our MTSF downgrade theorem (Theorem 57) provides the first explicit market-collapse proof for the version-stripping bid, and formalises the sentinel’s role as a CNF clause that converts the free version-stripping bid into a detectable abort.

19.5. Needham–Schroeder Protocol

The Needham–Schroeder Public-Key Protocol [9] was one of the first formal cryptographic protocols for mutual authentication using public-key cryptography. It was believed secure for nearly 17 years until Lowe [10] discovered a man-in-the-middle attack using the FDR model checker. Lowe’s fix—adding the responder’s identity to message 2—has since been considered a classic lesson in protocol design. In MTSF (Section 13.4), we provide the first market-theoretic characterisation of this attack: the NS protocol’s CNF is satisfiable under dishonest traces (a CNF design failure), the market collapses ($\mathsf{Ask}\left(g_{\mathsf{mutual}}\right)=1$), and Lowe’s fix is interpreted as adding an identity-binding clause that makes dishonest traces provably UNSAT.

19.6. Economics of Security

Anderson [67] pioneered the economic analysis of information security, identifying incentive misalignments (e.g., software vendors externalising security costs onto users) as a major cause of insecurity. Grossklags et al. [68] extended this line to study user behaviour in security games. These works are about incentive economics—why people and organisations make insecure choices. MTSF is fundamentally different: it is about proof methodology, not incentive alignment. The market framing in MTSF is purely mathematical—“price,” “equilibrium,” and “collapse” are formal terms for “advantage bound,” “security,” and “insecurity.” MTSF is, to our knowledge, the first cryptographic proof framework that uses market-theoretic language to unify security definitions, proofs, and insecurity demonstrations.

19.7. Telegram MTProto

Albrecht et al. [69] conducted the first comprehensive cryptographic analysis of MTProto 2.0, discovering several theoretical attacks including a chosen-ciphertext distinguisher and a length-hiding failure. Jakobsen and Orlandi [70] analysed the original MTProto, finding multiple cryptographic weaknesses. Our analysis (Section 13.9) is complementary: we focus specifically on the server salt extraction attack and provide both a formal disproof (showing what collapses in MTSF language) and a formal proof for a remediated protocol (RMTP). This dual proof/disproof within a single framework is not provided in prior work.

19.8. HMAC and Authenticated Encryption

Bellare, Canetti, and Krawczyk [19] proved HMAC security under the assumption that the compression function is a PRF when keyed via the chaining-value input. Their proof forms the basis of our HMAC market analysis (Section 9.5), which recasts the two PRF replacement game hops as explicit bidding rounds targeting the inner and outer compression functions. Rogaway [71] formalised authenticated encryption and introduced the nonce-based AE security notion. The Encrypt-then-MAC (EtM) paradigm was proved optimal by Bellare and Namprempre [72]: among three composition orders (EtM, MtE, E&M), only EtM achieves IND-CCA2 in general. Our AEAD market analysis (Section 9.6) uses EtM and proves both IND-CCA2 and INT-CTXT within the MTSF framework.

19.9. Post-Quantum Signatures and KEMs

NIST’s post-quantum standardisation process produced ML-KEM (FIPS 203) [57], ML-DSA (FIPS 204), SLH-DSA (FIPS 205) [73], and FN-DSA (FIPS 206) [74]. ML-KEM’s security is based on the Module Learning With Errors (MLWE) problem and includes a QROM security proof for the Fujisaki–Okamoto transform, Signal Protocol, X3DH, Double Ratchet, forward secrecy, post-compromise security. ML-DSA’s security relies on MSIS and MLWE. SLH-DSA (formerly SPHINCS+) provides stateless hash-based signatures requiring only the one-wayness of the underlying hash function. FN-DSA (formerly Falcon) achieves the smallest post-quantum signatures using NTRU lattices with GPV-style Gaussian sampling.

In MTSF, these primitives are each analysed via bidding-round chains: ML-KEM (Section 9.2), ML-DSA (Section 9.3), SLH-DSA (Section 9.7), and FN-DSA (Section 9.8). The QROM analysis of the FO-transform (Section 14) directly connects to ML-KEM’s FIPS 203 proof, providing a market-theoretic re-derivation using the O2H lemma [55] and measure-and-reprogram [56].

19.10. Block Ciphers, Hash Functions, and Stream Ciphers

Differential cryptanalysis was introduced by Biham and Shamir [21] against DES, and the AES design by Daemen and Rijmen [22] was explicitly hardened against it. Rotational cryptanalysis was introduced by Khovratovich and Nikolić [23] and targets operations that commute with rotations (unlike AES’s MixColumns). Related-key attacks on AES-256 [24] exploit the key schedule’s linearity but require a controlled key relationship not achievable in standard usage. MTSF’s AES block-cipher market (Section 10) formally bounds all three attack types as bidding rounds, proving that none can succeed for $q_E\le 2^{64}$ under standard parameters.

PRESENT [28] is an ultra-lightweight SPN cipher standardised by ISO/IEC 29192-2, targeting RFID and IoT deployments with approximately 1,000 gate equivalents. Its 64-bit block and 80/128-bit key design has been analysed by differential [29] and linear methods, with no full-round attack below exhaustive search. MTSF’s PRESENT market (Section 10.5) formalises both differential and linear bids, showing equilibrium within the 64-bit birthday-bound constraint. Serpent [30], the most conservative AES finalist with 32 rounds, has the largest known security margin of any well-studied 128-bit block cipher: the best known attack reaches only 12 rounds [31], leaving 20 rounds of margin. MTSF’s Serpent market (Section 10.6) demonstrates the widest equilibrium of any block cipher in our study.

The Keccak sponge construction [32] was chosen as SHA-3 due to its sponge-based design, which inherently prevents length-extension attacks that affected SHA-1 and SHA-256. The sponge indifferentiability theorem [33] proves that the sponge is as good as a random oracle up to $q_f<2^{c/2}$ queries. MTSF’s Keccak market (Section 11) translates this into three explicit bidding rounds (collision, preimage, length-extension).

BLAKE3 [34], building on BLAKE2 [35], combines a ChaCha-derived ARX compression function with a Merkle tree structure, achieving both extreme speed and structural length-extension immunity. MTSF’s BLAKE3 market (Section 11.1) shows that the Merkle tree provides $\mathsf{Ask}\left(g_{\mathsf{LE}}\right)=0$ (structural immunity), a stronger guarantee than Keccak’s parametric $q_f/2^c$ bound. ASCON-Hash [36], selected by NIST as the lightweight cryptography standard [37], uses a 320-bit sponge with capacity $c=256$. MTSF’s ASCON-Hash market (Section 11.2) mirrors the Keccak analysis with tighter but still negligible bounds appropriate for its lightweight deployment context.

Grain-128a [38] is an eSTREAM portfolio stream cipher combining an LFSR and NFSR with an optional authentication mode. Known attacks include cube attacks [40], algebraic attacks [39], and classical TMTO attacks [41,42]. MTSF’s Grain market (Section 12) bounds all four attack vectors within a single combined market equilibrium.

ChaCha20 [43], a refinement of Salsa20 [44], is one of the most widely deployed stream ciphers in the world, powering TLS 1.3, WireGuard, and the Linux CSPRNG. Its 256-bit key and 20-round ARX design resist all known differential-linear attacks, with the best known distinguisher reaching only 7 rounds. MTSF’s ChaCha20 market (Section 12.6) formalises the feedforward inversion barrier and nonce-misuse collapse. Trivium [45] is an eSTREAM portfolio cipher with an elegant three-register design (288-bit state, 80-bit key). Cube attacks [40] and algebraic degree analysis [46] have been extensively studied. MTSF’s Trivium market (Section 12.7) shows equilibrium with the tightest constraint from cube attacks at $2^{-38}$—narrower than Grain-128a or ChaCha20 but still negligible for practical parameters.

19.11. Quantum Random Oracle Model

The QROM was introduced as the relevant model for post-quantum security because quantum computers can evaluate hash functions in superposition via Grover’s algorithm. The One-Way to Hiding (O2H) lemma [55] is the central tool: reprogramming the QROM at a single point costs a square-root in the adversary’s advantage. The measure-and-reprogram technique [56] allows extracting query points from quantum superpositions without collapsing the proof. Hofheinz, Hövelmanns, and Kiltz [75] proved the FO-transform achieves IND-CCA2 in the QROM, directly underpinning ML-KEM’s FIPS 203 proof. MTSF provides the first market-theoretic formalisation of QROM security (Section 14): the O2H square-root loss is expressed as a bidding-round price adjustment, and the measure-and-reprogram step is a market restructuring that extracts the MLWE challenge. This gives practitioners an economic intuition for why quantum adversaries are “more expensive to defeat” than classical ones by a square-root factor in the IND-CPA advantage.

20. Conclusions

We introduced the Market-Theoretic Security Framework (MTSF), a novel paradigm that models every cryptographic security game as an auction between a seller (challenger) and one or more buyers (adversaries bidding computational resources). The framework unifies four previously disconnected paradigms—game-based proofs, Universal Composability (UC), Generalised UC (GUC), and formal verification—under a single economic language in which security equals market equilibrium and insecurity equals market collapse.

20.0.0.16. Seventeen formal contributions:

1.

Auction model. Security = equilibrium ($\mathsf{Ask}\le \mathsf{negl}$); insecurity = collapse ($\mathsf{Ask}=1$). The same bidding-round machinery handles both.

2.

Extended difference lemma. Captures $m\ge 1$ simultaneous failure events $F_1,\dots ,F_m$ in a single game hop via $Pr\left[{\bigcup }_i{F}_i\right]$ with inclusion-exclusion tightening. Applied uniformly across all eighteen case studies.

3.

Bidding-based proofs. Each game hop targets a specific adversarial strategy (nonce bid, hash bid, forgery bid, homomorphism bid, masquerade bid, O2H bid, measure-and-reprogram bid). The proof explicitly tracks what the adversary attacks and how much it costs.

4.

Four-paradigm unification. Game-based proofs (price adjustments), UC (market regulation by $\mathcal{Z}$), GUC (shared infrastructure + CNF audit), and formal verification (market stress testing) are unified.

5.

CNF session verification. A canonical five-phase algorithm (Algorithm 1) plus an easy four-column manual truth-table worksheet, integrated into every case study.

6.

Session pinging. Inductive mechanism for unbounded session security. Ping bids included in every primitive and protocol case study, formally bridging bounded game-based proofs and symbolic formal verification.

7.

Thirteen novelties. Summarised in Section 6: market language, extended difference lemma, UC-as-regulation, GUC-as-infrastructure, formal-verification-as-stress-testing, insecurity-as-collapse, end-to-end pipeline, protocol-level games, symmetric/asymmetric markets, cryptanalytic bid taxonomy, CNF worksheet, session pinging, and QROM formalisation.

8.

Security proofs. ECDSA, ML-KEM (FIPS 203), ML-DSA (FIPS 204), ISO/IEC 11770-3 key exchange (two-party, three-party, four-party), PKI-based mutual authentication, and TLS 1.3 (1-RTT handshake, ten-bidding-round chain, forward secrecy and mutual authentication).

9.

Insecurity proofs. Textbook RSA signatures ($\mathsf{Ask}=1$ via homomorphism bid, two attacks), Needham–Schroeder public-key protocol ($\mathsf{Ask}=1$ via masquerade bid, CNF design failure demonstrated), TLS 1.3 0-RTT early data ($\mathsf{Ask}=1$ via free replay bid, CNF freshness clause failure), and TLS 1.3 downgrade without sentinel ($\mathsf{Ask}=1$ via free version-stripping bid, CNF version clause failure).

10.

Extended primitive markets. HMAC (SUF-CMA via dual PRF game hops), AEAD (IND-CCA2 + INT-CTXT via Encrypt-then-MAC), SLH-DSA (FIPS 205, hash-based EUF-CMA), and FN-DSA (FIPS 206, NTRU lattice EUF-CMA with Gaussian sampling analysis).

11.

Block-cipher market. AES analysed via differential cryptanalysis, linear cryptanalysis, rotational cryptanalysis, and related-key attack bids. All bids fail for $q_E\le 2^{64}$. Extended to PRESENT (ultra-lightweight SPN, 64-bit block, equilibrium within birthday-bound constraint) and Serpent (32-round conservative AES finalist with the widest equilibrium margin of any block cipher—20 rounds of security margin beyond the best known attack).

12.

Hash-function market. Keccak/SHA-3 analysed via capacity collision, capacity inversion (preimage), and length-extension bids. Sponge capacity isolation eliminates length-extension at zero additional cost. Extended to BLAKE3 (Merkle tree structure providing structural length-extension immunity with $\mathsf{Ask}\left(g_{\mathsf{LE}}\right)=0$, stronger than Keccak’s parametric bound) and ASCON-Hash (NIST lightweight standard, sponge with $c=256$, equilibrium within lightweight deployment constraints).

13.

Stream-cipher market. Grain-128a analysed via state-recovery, key-recovery, distinguishing, and TMTO bids. The 256-bit state and nonlinear NFSR coupling make all bids negligible. Extended to ChaCha20 (256-bit key ARX cipher, feedforward inversion barrier, nonce-misuse collapse formalisation, deployed in TLS 1.3 and WireGuard) and Trivium (80-bit key, 288-bit state, three-register design with cube attack bid as tightest constraint at $2^{-38}$).

14.

QROM case study. FO-transform KEM proven IND-CCA2 in the Quantum Random Oracle Model using the O2H lemma and measure-and-reprogram technique. Full protocol description (four phases), sequence diagram, six-bidding-round proof, bidding-round chain figure, and market goods table. First market-theoretic formalisation of QROM security.

15.

Telegram dual analysis. MTProto 2.0 disproved (salt extraction causes four simultaneous failures: entropy collapse, CNF freshness failure, ping degradation, quasi-market collapse $\mathsf{Ask}\approx 1$) and Remediated MTProto (RMTP) proved secure (HMAC-bound 128-bit salts restore full equilibrium). First formal proof/disproof dual analysis of MTProto within a single unified framework.

16.

BB84 quantum market dynamics case study. First full quantum market analysis where both seller and buyer are quantum. BB84 QKD analysed via four quantum bidding rounds (no-cloning bid, error estimation bid, privacy amplification via quantum leftover hash lemma, error correction leakage). Security is information-theoretic: ${\mathsf{Ask}}^Q\left(g_{\mathsf{secrecy}}\right)\le 2^{-\lambda /2}$ with no computational hardness assumption. Includes quantum sequence diagram, quantum bidding-round chain figure, CNF worksheet, ping bid, market goods table, and comparison table (QROM vs. full quantum market).

17.

TLS+Signal multi-protocol composition case study. First MTSF analysis of concurrent protocol execution. TLS 1.3 and Signal Protocol running simultaneously on the same device with shared PKI, random oracle, and RNG infrastructure. Market merger theorem instantiated to prove network equilibrium for all nine security goods across both protocols. Resource competition analysis formalises the adversary’s portfolio optimisation problem. Network CNF with infrastructure clauses and cross-protocol ping bids for unbounded sessions.

20.1. Lessons Learned

Market equilibrium as the right notion of security.

The market framing reveals that security is not binary: it is a price. Textbook RSA has ask price 1 (free forgery). Needham–Schroeder has ask price 1 for mutual authentication. ML-KEM has ask price $2(q_H+1)\sqrt{{\mathsf{Adv}}^{\mathsf{MLWE}}}+q_D\delta$ in the QROM—a very small but nonzero price that depends on the hardness of MLWE and the number of quantum oracle queries. This continuous view of security, rather than a pass/fail view, is more faithful to real-world threat assessment.

20.1.0.18. CNF worksheet as a design tool.

The CNF verification worksheets serve two purposes: (1) they verify correctness of an existing protocol trace; (2) they reveal design flaws. The Needham–Schroeder CNF worksheet explicitly shows that all three clauses evaluate to T under Lowe’s MITM attack—a CNF design failure traceable to the absence of an identity-binding clause. Using the CNF as a design guide during protocol development would have caught this flaw in 1978.

20.1.0.19. The QROM square-root is the right way to think about quantum hardness.

The O2H lemma’s square-root factor $\sqrt{{\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CPA}}}$ is not merely a technical artefact—it captures a fundamental property of quantum adversaries: they accumulate information quadratically more efficiently than classical adversaries via amplitude concentration. Expressing this as a bidding-round price adjustment makes the quantum advantage/disadvantage explicit and comparable to the classical setting.

20.1.0.20. Dual proof/disproof enables protocol engineering.

The Telegram case study demonstrates that MTSF can serve as a protocol engineering tool: first disprove the insecure design (identify which clauses fail and by how much), then design a fix (HMAC-bound salts), then prove the fixed design secure. This iterative methodology—disprove, diagnose, fix, prove—is the natural application of MTSF in practice.

20.1.0.21. Quantum markets reveal physics-based security as a structural market advantage.

The BB84 case study (Section 15) demonstrates a qualitatively different kind of equilibrium from all other case studies. In classical and QROM markets, equilibrium depends on computational hardness assumptions (ECDLP, MLWE, gap-CDH)—a sufficiently powerful computer could collapse any of these markets. In the BB84 quantum market, equilibrium depends on the laws of quantum mechanics (no-cloning, information-disturbance trade-off). The ask price ${\mathsf{Ask}}^Q\left(g_{\mathsf{secrecy}}\right)\le 2^{-\lambda /2}$ holds against adversaries with unlimited computational power. In market terms, the seller has a structural advantage: the goods are physically uncopyable. This is the strongest possible market position—the equilibrium is permanent unless physics itself is wrong.

20.1.0.22. Composition preserves equilibrium with explicit resource accounting.

The TLS+Signal case study (Section 16) demonstrates that the market merger theorem translates UC composition into explicit resource accounting. The adversary’s budget must be split across all markets, and the additive ask price bound ${\mathsf{Ask}}_{\mathcal{N}}\le \sum {ϵ}_i+{ϵ}_{\mathcal{I}}$ makes the composition overhead concrete and auditable. The practical implication: running many secure protocols on the same device does not degrade security, provided the shared infrastructure is sound. The infrastructure CNF (${\phi }_{\mathcal{I}}$) serves as a compositional design checklist: ensure global SID uniqueness, hash consistency, PKI consistency, and RNG quality across all protocols.

20.2. Further Work

Quantum market dynamics:

The QROM case study treats the quantum adversary as a buyer with a specific bid structure (O2H reprogramming, measure-and-reprogram). A deeper theory of quantum market dynamics—where the seller also has access to quantum operations and the market evolves under quantum game theory—is an open and rich research direction. We provide an initial formalisation below.

20.2.1. Towards Quantum Market Dynamics

In the QROM case study (Section 14), the buyer (quantum adversary) can query oracles in superposition, but the seller (challenger) operates classically—sampling keys, computing ciphertexts, and answering decapsulation queries using classical algorithms. This asymmetry is faithful to the current post-quantum setting where honest parties run classical protocols and only the adversary has quantum power. However, a richer and increasingly relevant setting arises when both parties have quantum capabilities.

Definition 37 

(Quantum Market). Aquantum market${\mathcal{M}}^Q=({\mathsf{Seller}}^Q,{\mathsf{Buyer}}^Q,\left\{g_j\right\},H^Q,{\rho }_0)$ extends the classical MTSF market with:

1.

Quantum seller${\mathsf{Seller}}^Q$: the challenger holds a quantum register ${\mathsf{R}}_S$ and can perform quantum operations (state preparation, unitary gates, measurements) during each bidding round. The seller’s strategy is a sequence of quantum channels ${\left\{{\mathcal{E}}_k^S\right\}}_{k=1}^n$, one per bidding round.

2.

Quantum buyer${\mathsf{Buyer}}^Q$: the adversary holds a quantum register ${\mathsf{R}}_B$ and can make superposition queries to all oracles. The buyer’s strategy is a sequence of quantum channels ${\left\{{\mathcal{E}}_k^B\right\}}_{k=1}^n$.

3.

Quantum oracle$H^Q$: replaces the classical random oracle with a quantum-accessible oracle that both parties can query in superposition.

4.

Shared quantum state${\rho }_0$: an initial joint quantum state (possibly entangled) distributed across all registers at market opening.

5.

Quantum price functional:The ask price of good $g_j$ in the quantum market is:

$${\mathsf{Ask}}^Q\left(g_j\right)=\underset{{\mathsf{Buyer}}^Q\in \mathsf{QPT}}{sup}\mathrm{Tr}\left[{\Pi }_{g_j}·{\mathcal{E}}_n^B\circ {\mathcal{E}}_n^S\circ \dots \circ {\mathcal{E}}_1^B\circ {\mathcal{E}}_1^S\left({\rho }_0\right)\right],$$

(226)

where ${\Pi }_{g_j}$ is the projector onto the “buyer wins good $g_j$” subspace and the supremum is over all quantum polynomial-time (QPT) buyer strategies.

The quantum market introduces three new phenomena absent from the classical setting:

1.

Entangled bidding. The buyer can maintain entanglement between its query register and a private workspace across multiple bidding rounds. Classically, each bid is an independent probabilistic strategy; quantumly, the buyer’s bids can be coherently correlated across rounds via entanglement. The seller’s challenge is to design bidding rounds that decohere the buyer’s entanglement without destroying the security guarantee.

2.

Quantum price adjustments. In the classical extended difference lemma, the price adjustment $\Delta {\mathsf{Price}}_k=|Pr\left[{\mathbf{B}}_k\Rightarrow 1\right]-Pr\left[{\mathbf{B}}_{k+1}\Rightarrow 1\right]|$ is a difference of classical probabilities. In the quantum setting, the analogous quantity is:

$$\Delta {\mathsf{Price}}_k^Q={\displaystyle \frac{1}{2}}{∥{\mathcal{E}}_k^S\left({\rho }_k\right)-{\mathcal{E}}_{k+1}^S\left({\rho }_k\right)∥}_{\mathrm{tr}},$$

(227)

where ${\parallel ·\parallel }_{\mathrm{tr}}$ is the trace distance and ${\rho }_k$ is the joint state after round k. The trace distance is the quantum generalisation of statistical distance, and the factor ${\displaystyle \frac{1}{2}}$ normalises it to $[0,1]$. The quantum extended difference lemma would bound ${\mathsf{Ask}}^Q\left(g_j\right)\le {\sum }_k\Delta {\mathsf{Price}}_k^Q$ via the triangle inequality for trace distance.

3.

No-cloning constraint on bids. The no-cloning theorem prevents the buyer from copying quantum states received from the seller. This is a structural advantage for the seller that has no classical analogue: in the classical setting, the buyer can always copy any message. In the quantum market, the seller can exploit no-cloning by encoding challenge information in non-orthogonal quantum states, forcing the buyer to choose irreversibly which bid to pursue—a quantum analogue of a “take it or leave it” offer.

Figure 73. Quantum market dynamics. Both seller and buyer operate on quantum registers (${\mathsf{R}}_S$, ${\mathsf{R}}_B$) through a shared quantum oracle $H^Q$. Each bidding round applies quantum channels ${\mathcal{E}}_k^S$ (seller) and ${\mathcal{E}}_k^B$ (buyer) to the evolving joint state ${\rho }_k$. The buyer can maintain entanglement across rounds (wavy red lines). The quantum ask price is the trace $\mathrm{Tr}[{\Pi }_{g_j}·{\rho }_n]$ of the final state against the “buyer wins” projector. The classical QROM case study (Section 14) is the special case where the seller’s channels ${\mathcal{E}}_k^S$ are all classical operations.

Proposition 6 

(Quantum Extended Difference Lemma—Sketch). Let ${\mathbf{B}}_0^Q,{\mathbf{B}}_1^Q,\dots ,{\mathbf{B}}_n^Q$ be a sequence of quantum bidding rounds with shared initial state ${\rho }_0$. If each consecutive pair satisfies ${\displaystyle \frac{1}{2}}{\parallel {\rho }_{\mathrm{final}}^{\left(k\right)}-{\rho }_{\mathrm{final}}^{(k+1)}\parallel }_{\mathrm{tr}}\le \Delta {\mathsf{Price}}_k^Q$, then the quantum ask price satisfies:

$${\mathsf{Ask}}^Q\left(g_j\right)\le {\mathsf{Ask}}_0^Q\left(g_j\right)+\sum _{k=0}^{n-1}\Delta {\mathsf{Price}}_k^Q,$$

(228)

where ${\mathsf{Ask}}_0^Q\left(g_j\right)=\mathrm{Tr}[{\Pi }_{g_j}·{\rho }_{\mathrm{final}}^{\left(0\right)}]$ is the ask price in the initial (ideal) quantum market.

Proof 

(Proof sketch). The trace distance satisfies the triangle inequality: ${\parallel \rho -\sigma \parallel }_{\mathrm{tr}}\le {\parallel \rho -\tau \parallel }_{\mathrm{tr}}+{\parallel \tau -\sigma \parallel }_{\mathrm{tr}}$. By the operational interpretation of trace distance, the maximum difference in probability of any measurement outcome between ${\rho }_{\mathrm{final}}^{\left(0\right)}$ and ${\rho }_{\mathrm{final}}^{\left(n\right)}$ is at most ${\displaystyle \frac{1}{2}}{\parallel {\rho }_{\mathrm{final}}^{\left(0\right)}-{\rho }_{\mathrm{final}}^{\left(n\right)}\parallel }_{\mathrm{tr}}\le {\sum }_{k=0}^{n-1}\Delta {\mathsf{Price}}_k^Q$. Applying this to the projector ${\Pi }_{g_j}$ yields the result. □

Remark 8 

(Classical QROM as a Special Case). The QROM case study of Section 14 is recovered by restricting the seller’s channels ${\mathcal{E}}_k^S$ to classical operations (prepare-and-measure) and allowing only the buyer’s channels ${\mathcal{E}}_k^B$ to be genuinely quantum. The O2H lemma’s square-root factor $\sqrt{{\mathsf{Adv}}^{\mathsf{IND}-\mathsf{CPA}}}$ arises specifically because the buyer’s quantum channel concentrates amplitude on the reprogrammed point—a quantum price adjustment of the form (227) where the trace distance is bounded by Unruh’s O2H inequality.

Remark 9 

(Application to QKD and Quantum Protocols). Quantum Key Distribution (QKD) protocols such as BB84 and E91 are natural targets for quantum market dynamics: the seller (Alice) prepares quantum states and the buyer (Eve) performs quantum measurements to extract key information. The no-cloning constraint on bids (item 3 above) captures the fundamental reason why QKD is secure: the eavesdropper cannot copy the quantum states without disturbing them. In the MTSF language, the seller’s quantum channel ${\mathcal{E}}_k^S$ prepares non-orthogonal states thatstructurally preventthe buyer from simultaneously extracting full information about the key and remaining undetected—a market in which the seller’s goods are inherently copy-protected.

20.2.1.1. Multi-protocol composition networks.

MTSF currently handles individual protocol markets. A protocol network where multiple protocols run simultaneously, sharing infrastructure and competing for resources, would require a market network theory. The UC composition theorem provides the blueprint; translating it into MTSF market mergers and equilibrium preservation is future work. We provide the initial formalisation below.

20.2.2. Towards Multi-Protocol Composition Networks

In the current MTSF framework, each protocol defines a single market ${\mathcal{M}}_{\pi }$ with its own seller, buyer, goods, and bidding-round chain. The UC composition theorem (Section 2.4) guarantees that UC-secure protocols remain secure when composed concurrently. In the MTSF language (Section 2.5), the UC composition theorem was informally described as a “market merger theorem.” We now make this precise.

Definition 38 

(Protocol Market Network). Aprotocol market network$\mathcal{N}=({\left\{{\mathcal{M}}_i\right\}}_{i=1}^N,\mathcal{I},\mathcal{Z})$ consists of:

1.

Component markets${\mathcal{M}}_1,\dots ,{\mathcal{M}}_N$: each ${\mathcal{M}}_i=({\mathsf{Seller}}_i,{\mathsf{Buyer}}_i,\left\{g_j^{\left(i\right)}\right\},{\phi }_i)$ is an individual MTSF protocol market with its own goods $\left\{g_j^{\left(i\right)}\right\}$ and session-CNF formula ${\phi }_i$.

2.

Shared infrastructure$\mathcal{I}$: a set of shared functionalities (PKI, common random oracles, shared key material) accessible to all markets. In MTSF terms, $\mathcal{I}$ is the GUC shared market infrastructure—the common goods that every market can trade on.

3.

Network environment$\mathcal{Z}$: the UC environment, acting as MTSF’s market regulator, which can interact with all N markets simultaneously, schedule messages between them, and observe all transcripts.

4.

Resource budget$\mathsf{Budget}\left(\mathsf{Buyer}\right)$: the total computational resource available to the buyer across all markets. If the buyer participates in market ${\mathcal{M}}_i$ with resource $t_i$, then ${\sum }_{i=1}^N{t}_i\le \mathsf{Budget}\left(\mathsf{Buyer}\right)$.

The central question is: when does a network of individually secure markets remain secure?

Definition 39 

(Market Merger). Given two MTSF markets ${\mathcal{M}}_1=({\mathsf{Seller}}_1,{\mathsf{Buyer}}_1,\left\{g_j^{\left(1\right)}\right\},{\phi }_1)$ and ${\mathcal{M}}_2=({\mathsf{Seller}}_2,{\mathsf{Buyer}}_2,\left\{g_j^{\left(2\right)}\right\},{\phi }_2)$ with shared infrastructure $\mathcal{I}$, theirmergeris the composite market:

$${\mathcal{M}}_1{\otimes }_{\mathcal{I}}{\mathcal{M}}_2=\left({\mathsf{Seller}}_{1\parallel 2},{\mathsf{Buyer}}_{1\parallel 2},\left\{g_j^{\left(1\right)}\right\}\cup \left\{g_j^{\left(2\right)}\right\},{\phi }_1\wedge {\phi }_2\wedge {\phi }_{\mathcal{I}}\right),$$

(229)

where ${\mathsf{Seller}}_{1\parallel 2}$ runs both sellers concurrently, ${\mathsf{Buyer}}_{1\parallel 2}$ is a single buyer interacting with both markets simultaneously, and ${\phi }_{\mathcal{I}}$ encodes the correctness of the shared infrastructure (e.g., PKI consistency, RO consistency).

Theorem 63 

(Market Merger Preserves Equilibrium—Initial Form). Let ${\mathcal{M}}_1$ and ${\mathcal{M}}_2$ be MTSF protocol markets sharing infrastructure $\mathcal{I}$. If:

1.

${\mathcal{M}}_1$ is in equilibrium: ${\mathsf{Ask}}_1\left(g_j^{\left(1\right)}\right)\le \mathsf{negl}\left(\lambda \right)$ for all goods $g_j^{\left(1\right)}$;

2.

${\mathcal{M}}_2$ is in equilibrium: ${\mathsf{Ask}}_2\left(g_j^{\left(2\right)}\right)\le \mathsf{negl}\left(\lambda \right)$ for all goods $g_j^{\left(2\right)}$;

3.

The shared infrastructure is sound: ${\mathsf{Ask}}_{\mathcal{I}}\left(g_{\mathcal{I}}\right)\le \mathsf{negl}\left(\lambda \right)$ for all infrastructure goods;

then the merged market ${\mathcal{M}}_1{\otimes }_{\mathcal{I}}{\mathcal{M}}_2$ is in equilibrium:

$${\mathsf{Ask}}_{1\otimes 2}\left(g\right)\le \mathsf{negl}\left(\lambda \right)\mathrm{for}\mathrm{all}\mathrm{goods}g\in \left\{g_j^{\left(1\right)}\right\}\cup \left\{g_j^{\left(2\right)}\right\}.$$

(230)

Proof 

(Proof sketch). The proof mirrors the UC composition theorem. Suppose for contradiction that the merged market has a good $g_j^{\left(1\right)}$ (w.l.o.g.) with ${\mathsf{Ask}}_{1\otimes 2}\left(g_j^{\left(1\right)}\right)=ϵ$ non-negligible. Then there exists a buyer ${\mathsf{Buyer}}_{1\parallel 2}$ that wins $g_j^{\left(1\right)}$ with probability $ϵ$ in the merged market. We construct a buyer ${\mathsf{Buyer}}_1^{*}$ for the standalone market ${\mathcal{M}}_1$ that:

1.

Internally simulates ${\mathcal{M}}_2$’s seller ${\mathsf{Seller}}_2$ (using the UC simulator for ${\mathcal{M}}_2$);

2.

Forwards the network environment’s queries between ${\mathcal{M}}_1$ (real) and ${\mathcal{M}}_2$ (simulated);

3.

Runs ${\mathsf{Buyer}}_{1\parallel 2}$ as a subroutine, providing it with a view indistinguishable from the real merged market.

By the indistinguishability of real and simulated ${\mathcal{M}}_2$ (which holds because ${\mathcal{M}}_2$ is UC-secure and thus in equilibrium), ${\mathsf{Buyer}}_1^{*}$ wins $g_j^{\left(1\right)}$ with probability at least $ϵ-\mathsf{negl}\left(\lambda \right)$. But this contradicts ${\mathsf{Ask}}_1\left(g_j^{\left(1\right)}\right)\le \mathsf{negl}\left(\lambda \right)$. □

Remark 10 

(Quantitative Merger Bound). The proof gives a concrete bound. If ${\mathsf{Ask}}_1\left(g_j^{\left(1\right)}\right)\le {ϵ}_1$, ${\mathsf{Ask}}_2\left(g_j^{\left(2\right)}\right)\le {ϵ}_2$, and ${\mathsf{Ask}}_{\mathcal{I}}\left(g_{\mathcal{I}}\right)\le {ϵ}_{\mathcal{I}}$, then:

$${\mathsf{Ask}}_{1\otimes 2}\left(g_j^{\left(1\right)}\right)\le {ϵ}_1+{ϵ}_2+{ϵ}_{\mathcal{I}}.$$

(231)

The ask prices are additive across the merger—each market contributes its own risk, and the shared infrastructure contributes a common risk. This is the MTSF analogue of the “hybrid argument” in UC composition: the simulation overhead from each market accumulates linearly.

The merger operation extends naturally to N markets via iterated composition.

Corollary 20 

(N-Market Network Equilibrium). Let $\mathcal{N}=({\left\{{\mathcal{M}}_i\right\}}_{i=1}^N,\mathcal{I},\mathcal{Z})$ be a protocol market network where each ${\mathcal{M}}_i$ is in equilibrium with ${\mathsf{Ask}}_i\left(g_j^{\left(i\right)}\right)\le {ϵ}_i$ for all j, and the shared infrastructure has ${\mathsf{Ask}}_{\mathcal{I}}\le {ϵ}_{\mathcal{I}}$. Then the N-fold merger ${⨂}_{i=1}^N{\mathcal{M}}_i$ satisfies:

$${\mathsf{Ask}}_{\mathcal{N}}\left(g_j^{\left(i\right)}\right)\le {ϵ}_i+(N-1)·{ϵ}_{max}+{ϵ}_{\mathcal{I}},$$

(232)

where ${ϵ}_{max}={max}_{i^{\prime }}{ϵ}_{i^{\prime }}$. In particular, if all ${ϵ}_i$ are negligible and $N=\mathsf{poly}\left(\lambda \right)$, the network remains in equilibrium.

Definition 40 

(Network Session-CNF). The session-CNF formula for the protocol market network $\mathcal{N}$ is the conjunction of all component CNFs and the infrastructure CNF:

$${\phi }_{\mathcal{N}}=\underset{i=1}{\overset{N}{\bigwedge }}{\phi }_i\wedge {\phi }_{\mathcal{I}},$$

(233)

where ${\phi }_{\mathcal{I}}={\phi }_{\mathcal{I}}^{\mathsf{PKI}}\wedge {\phi }_{\mathcal{I}}^{\mathsf{RO}}\wedge {\phi }_{\mathcal{I}}^{\mathsf{consist}}$ encodes PKI consistency (same public key across all markets), random oracle consistency (same H across all markets), and cross-market consistency (session identifiers are globally unique).

Remark 11 

(Network Ping Bids and Unbounded Composition). Session pinging (Section 5) extends naturally to the network setting. The network ping bid for session ${\mathsf{Session}}_i^{\left(k\right)}$ (the i-th session of market ${\mathcal{M}}_k$) must verify not only the intra-market CNF ${\phi }_k$ but also the cross-market infrastructure CNF ${\phi }_{\mathcal{I}}$. By the session pinging theorem applied to each component market and the infrastructure, the network remains in equilibrium for unbounded sessions across all N protocols simultaneously, provided each component market’s ping bid is negligible.

Figure 74. Multi-protocol composition network. Three protocol markets (${\mathcal{M}}_1$: TLS 1.3, ${\mathcal{M}}_2$: Signal, ${\mathcal{M}}_3$: SSH) share infrastructure $\mathcal{I}$ (PKI, random oracle, shared keys). The network environment $\mathcal{Z}$ (market regulator) monitors all markets simultaneously. The buyer must split its resource budget across all markets. Dashed orange links indicate resource competition; dashed purple links indicate shared infrastructure. The merged market ${\mathcal{M}}_1{\otimes }_{\mathcal{I}}{\mathcal{M}}_2{\otimes }_{\mathcal{I}}{\mathcal{M}}_3$ preserves equilibrium when each component market and the shared infrastructure are individually in equilibrium (Theorem 63, Theorem 20).

Figure 74. Multi-protocol composition network. Three protocol markets (${\mathcal{M}}_1$: TLS 1.3, ${\mathcal{M}}_2$: Signal, ${\mathcal{M}}_3$: SSH) share infrastructure $\mathcal{I}$ (PKI, random oracle, shared keys). The network environment $\mathcal{Z}$ (market regulator) monitors all markets simultaneously. The buyer must split its resource budget across all markets. Dashed orange links indicate resource competition; dashed purple links indicate shared infrastructure. The merged market ${\mathcal{M}}_1{\otimes }_{\mathcal{I}}{\mathcal{M}}_2{\otimes }_{\mathcal{I}}{\mathcal{M}}_3$ preserves equilibrium when each component market and the shared infrastructure are individually in equilibrium (Theorem 63, Theorem 20).

Remark 12 

(Resource Competition and Market Inefficiency). A subtle feature of the market network isresource competition: the buyer has a fixed computational budget that must be allocated across all N markets. In the classical UC setting, this is implicit in the polynomial-time bound on the adversary. In the MTSF language, it becomes explicit: the buyer’s total resource expenditure ${\sum }_i{t}_i$ is bounded, and spending more on attacking ${\mathcal{M}}_1$ means spending less on ${\mathcal{M}}_2$. This creates a naturalportfolio optimisation problemfor the adversary: which markets offer the best “return on attack investment”? The market with the highest ask price (weakest security) is the rational first target—a formalisation of the common intuition that “a chain is only as strong as its weakest link.”

20.2.2.1. Further lightweight and modern cipher markets.

This article extends the symmetric-primitive case studies to PRESENT, Serpent, BLAKE3, ASCON-Hash, ChaCha20, and Trivium, demonstrating the generality of the MTSF framework across block ciphers, hash functions, and stream ciphers of varying design philosophies and security margins. Future work can extend this further to additional lightweight ciphers (GIFT, SKINNY, PHOTON) and to the ChaCha20-Poly1305 AEAD construction (combining the ChaCha20 stream-cipher market with a Poly1305 MAC market). The ASCON authenticated encryption mode (beyond ASCON-Hash) is another natural extension, unifying AEAD and hash-function markets within a single sponge-based analysis.

20.2.2.2. MPC and threshold protocol markets.

Multi-Party Computation (MPC) protocols involve n parties, some of which may be malicious. The MTSF framework can be extended by allowing multiple simultaneous buyers (colluding adversaries) bidding against the seller in a multi-buyer auction, capturing threshold adversary models naturally.