Adaptive Proofs Have Straightline Extractors (In The Random Oracle Model)
Adaptive Proofs Have Straightline Extractors (In The Random Oracle Model)
1 Introduction
1
proof scheme is adaptively secure if there is an extractor that can rewind, but
must eciently extract even from provers who make sequences of proofs. The
notion is called adaptive because the extractor must return a witness for the
rst proof to the prover before the prover makes the second one, and so on.
The main theorem of the cited work shows that the usual Fiat-Shamir-
Schnorr proof scheme is not an adaptive proof unless the one-more discrete
logarithm assumption is easy.
This result essentially separates the usual PoK notion from adaptive proofs,
but the separation relies on an inecient interactive assumption, it is specic to
a proof system for a specic problem (discrete logarithm), and a specic class
of proofs (those obtained from Sigma protocols via the Fiat-Shamir transform).
It also leaves open the question whether any adaptive proofs exist that are not
also straight-line .
1
1
Straight-line proofs are trivially adaptively secure.
2
This theorem answers the main open question of [12] and hints at a short-
coming of proofs based on the FiatShamir transform: if used in a setting where
the prover gets to adaptively chose statements an extractor would have to be
(more or less) straight-line. However, if this is the case, the proof may not be
that interesting anyway as the underlying witness is not well-protected:
In conclusion, we suggest that adaptive proofs are not a new class of proofs
but rather another description of the class of straight-line extractable proofs;
and Fiat-Shamir transformed Sigma protocols for useful functions are not in
this class.
3
Weaker assumptions. The obvious next question is whether one could strengthen
our results even further and only rely on one-wayness of φ (e.g. in the case of
Schnorr, DLOG) rather than Σ -one-wayness. We show using a meta-metareduction
that no algebraic metareduction [4] from a programming extractor to one-wayness
(e.g. DLOG) can exist, unless one-wayness is already easy. All previous metare-
ductions in this area [10, 12] including ours to Σ -one-wayness are algebraic: the
only operations they perform on elements of the target group are group opera-
tions.
2 Preliminaries
4
Σ -protocols Let k be a eld. Let W, X be k -vector spaces and let φ : W →
X be a k -linear map. Suppose further that one can sample uniformly from k and
W.
2
The inversion 1/(c − c0 ) is in the eld k where it exists due to c 6= c0 ; the dot in this
formula is eld-vector multiplication.
5
Fiat-Shamir The Fiat-Shamir transformation turns Σ -protocols into non-
interactive proof schemes that are full zero-knowledge proofs of knowledge in the
random oracle model. The idea is simply to replace the verier's challenge c by
a hash over the statement x and the commitment a.
Σ -protocols are only useful when the function φ is hard to invert: otherwise, they
are trivially zero-knowledge proofs of knowledge, but so is the protocol in which
the prover just sends the statement x to the verier. For the same reasons, if φ is
easy to invert then Fφ is adaptively secure too. This shows that we cannot hope
for a theorem of the form Fiat-Shamir Schnorr is not adaptively secure, since it
is adaptively secure e.g. in the group (Zp , +) where taking discrete logarithms is
easy. Consequently, limitation theorems take the form if Schnorr is adaptively
secure then some property (e.g. OMDL) is easy to break.
We discuss some possible security properties of the function φ and introduce
Σ -one-wayness. Later on we will show that Fiat-Shamir proofs cannot be adap-
tively secure unless Σ -one-wayness of φ is easy to break (in which case, their use
within protocols would be already questionable).
6
We propose a new security notion that we call Σ -one-wayness (for linear func-
tions). This says that even a dishonest verier (who choses c arbitrarily, maybe
depending on x and a) cannot extract w from a single run of the protocol. We do
not claim that Σ -one-wayness is a sucient security notion for Σ protocols (it
says nothing about extracting partial information on w ) but we postulate that it
is only deployed if this condition is satised. Consequently, we are not proposing
a new scheme that is secure under the Σ -one-wayness assumption, but we will
claim that if the Fiat-Shamir proof scheme for a function φ is adaptively secure
then the Σ -one-wayness property for φ is easy to break too. Σ -one-wayness is
clearly stronger than one-wayness of the function φ, but it will turn out to be
weaker than one-more one-wayness (which we dene in a moment).
7
allows the adversary to open challenges themselves; this is isucient for our
applications. Instead we propose a new property: weak one-more one-wayness
xes this problem by restricting the adversary to asking linear combinations of
the sampled challenges. Your task is still to recover all wi with fewer queries to
the linear combination oracle than to the sampling oracle. The requirement for
φ to be invertible can also be dropped again.
Denition 7. The weak and normal one-more one-wayness properties for a bi-
jection φ : W → X are given by the following games. In each game the adversary
can call the sample and open oracles many times, in any order. The adversary
wins the game if it can provide preimages under φ for all samples that it had
obtained and yet it made fewer opening queries than sample queries.
weak one-more one-wayness: one-more one-wayness:
1 sample(): 1 sample():
2 n←n+1 2 (same as weak version)
3 w[n] W 3
4 return φ(w[n]) 4
5 5
6 open(c1 , . . . , cP
n ∈ k ):
n
6 open(x ∈ X ):
7 return n
i=1 ci · wi 7 return φ−1 (x)
The strong problem clearly reduces to the weak one. A weak adversary can
still obtain a preimage of a particular sample by submitting the vector with 1
at the appropriate position and 0 elsewhere.
The point of the weak one-more one-wayness property is that the theorem
by Bernhard et al. [12] can trivially be strengthened to show that Fiat-Shamir-
Schnorr is not adaptively secure even under the weak one-more discrete logarithm
property: their reduction only ever makes opening queries on elements that are
linear combinations of samples with known coecients. This is not surprising
since their reduction is trying to simulate Schnorr proofs on sample elements.
Σ -one-wayness reduces to weak one-more one-wayness, even to a weaker ver-
sion where the number of samples is additionally bounded at 2 and only a single
linear combination query is allowed. Thus, we end up with a hierarchy of one-
wayness / Σ -one-wayness / weak one-more one-wayness / one-more one-wayness,
in order of increasing strength.
4 Adaptive proofs
In this section we recall the notion of adaptive proofs and introduce templates
for a couple of provers that form the basis of the results we prove in the next
section.
8
prover and we write P(r) to mean running prover P on random string r ∈ R.
In the ROM, we write (x, π, l) ← P(r) to mean that we also return the list l of
random oracle queries made by this execution of the prover on random string r.
A proof scheme is sound with error ε if for any prover P , the probability
of producing a pair (x, π) such that verify(x, π) = 1 but no w exists making
ρ(x, w) hold, is at most ε.
A proof scheme in the random oracle model is straight-line extractable with
error ε K as follows. For any prover P , pick r R and
if there is an extractor
execute (x, π, l) ← P(r). If verify(x, π) = 1 w.r.t.3 l then with probability at
least 1 − ε, K(x, π, l) returns a w such that ρ(x, w) holds. It follows immediately
that an extractable proof scheme with error ε is also sound with at most the
same error.
A proof scheme in the ROM has a programming straight-line extractor with
error ε K as follows. Let any prover P interact with K
if there is an extractor
in the sense that K answers P 's random oracle queries. If P outputs (x, π) such
that verify(x, π) = 1 w.r.t. the oracle queries made by P , then with probability
at least 1 − ε, K outputs a w such that ρ(x, w) holds.
A straight-line extractor, whether programming or not, may have black-box
access to further copies of the prover in the following sense: it may start these
copies and control all interaction with them, including picking the random string
and answering all random oracle queries. As motivation for this (established)
notion of straightline extractors, consider an extractor who is trying to extract
from a honest prover. The code of the honest prover is known, so the extractor
can always simulate the honest prover on inputs of its choice. The extractor
cannot see the random string of the main copy of the honest prover from
which it is trying to extract, however.
A rewinding extractor can, in addition to the capabilities of a straight-line
extractor, launch further copies of the prover P with the same random string as
the one that the extractor is trying to extract from, and answer their random
oracle queries. The dierence between straight-line and rewinding extractors is
thus that rewinding extractors can run further copies of the prover that behave
identically to the main one, as long as they receive the same inputs and outputs,
and thus fork the prover instance from which they are trying to extract.
Adaptive proofs. We present the adaptive proof game of Bernhard et al. [12].
The game is an interactive algorithm with two interfaces for an adaptive prover
and an extractor. An adaptive prover for a proof scheme (Π, prove, verify)
w.r.t. (X, W, ρ) is an algorithm that can repeatedly output pairs (x, π) ∈ X × Π
and expect witnesses w∈W in return. After a number of such interactions, the
adaptive prover halts. In the random oracle model, an adaptive prover may also
ask random oracle queries.
3
We say verify(x, π) = 1 w.r.t. l if all elements on which verify queries the oracle
on input (x, π) are contained in l, and verify outputs 1 on these inputs if given the
appropriate responses in l.
9
1 initialise : 18 K asks ro(x):
2 Q←[ ] 19 y ← ro(x)
3 K←0 20 send y to K
4 rR 21
5 run P(r) 22 K w:
outputs
6 23 if ρ(Ξ, w) then
7 P asksro(x): 24 K ←K +1
8 y ← ro(x) 25 if K = n then
9 Q ← Q :: (x, y) 26 K wins; halt.
10 send y to P 27 end
11 28 send w to P
12 P outputs(x, π): 29 else
13 if not verify(x, π) then 30 P wins; halt.
14 K wins; halt. 31 end
15 end 32 P halts:
16 Ξ←x 33 K wins; halt.
17 send (x, π, Q) to K
Fig. 1. The adaptive proof game. The extractor also has access to further copies of
P(r) using coins r sampled from an appropriate size domain R.
The game uses three global variables. K stores the number of witnesses that
the extractor has found so far. If this counter reaches n, the extractor wins and
the scheme is an n-proof. Q stores a list of all the prover's random oracle queries
so far. These are provided
4 to the extractor along with each of the prover's
10
claims. Ξ stores the last statement that appeared in one of the prover's claims;
it is used to check the validity of a witness returned by the extractor.
A n-proof for n=1 is simply a proof of knowledge in the ROM: the prover
makes a single claim (a pair containing a statement x and a proof π) and the
extractor wins if it can obtain a witness. A proof scheme is an adaptive proof if
there is an adaptive extractor that works for any polynomially bounded param-
eter n.
If required, the canonical prover can also return the list l of all random oracle
queries made during its execution (by prove).
Since an extractor is supposed to work against any (ecient) prover, to argue
that an extractor cannot exist it is enough to show that one cannot extract from
the canonical prover. To deal with adaptive extractors, we propose the following
construction of an adaptive chain prover Pn from any prover P. It follows the
idea of Shoup and Gennaro [1] in making a chain of challenges (in this case
proofs) where each challenge depends on all previous ones and then asking queries
on them in reverse order. This way, the obvious rewinding extractor using special
soundness will take exponential time.
To make each challenge depend on previous ones, we use a function F to
update the random string for each of the n contained copies of P based on the
(random oracle) state of the previous copy. The nal parameter l returned by
P is the list of all random oracle queries made by this copy. Recall that P(r)
means run prover P on random string r∈R where R is the randomness space
for this prover.
4
The original denition gave the extractor an extra list oracle to query the prover's
random oracle list. Our presentation is equivalent.
11
5 for i = n, 1, -1 do
n 6 output (xi , πi )
P (r):
7 input w0
1 for i = 1, n do 8 if not ρ(xi , w0 ) then
2 (xi , πi , l) ← P(r) 9 halt
3 r ← F (r, l) 10 end
4 end 11 end
We recall the hierarchy of security denitions for functions (the last is the
strongest): one-way / Σ -one-way / weak one-more one-way / one-more one-way.
Known limitations. Seurin and Treger [10] proved that Fiat-Shamir-Schnorr can-
not have a non-programming straight-line extractor unless the underlying func-
tion is not one-way (i.e. one can take discrete logarithms). The following theorem
generalizes this result to the case of arbitrary Σ -protocols.
Theorem 12. Suppose there is a non-programming straight-line extractor K for
the proof scheme Fφ . Then φ is not one-way. Specically, there is an algorithm
breaking one-wayness with approximately the same running time and success
probability as the extractor K has against the canonical prover PC .
Letx be a challenge from the one-way game for φ; we need to nd a w0 such
0
that φ(w ) = x. We simulate a proof: pick s W , c k and a ← φ(s) − c · x.
Then we give the extractor the statement x, proof (a, s) and a list of random
oracle queries consisting of the entry RO(x, a) = c. These elements are identically
distributed to what the extractor would see in an execution with the canonical
prover PC for Σφ . We pass any witness w0 returned by the extractor on to the
challenger to win with the same success probability. q.e.d.
Bernhard et al. [12] showed that substituting an adaptive extractor for a
straight-line one gets a similar result for the one-more one-wayness assumption
on the function φ the proof of this theorem is nontrivial however. While
12
their original proof only concerned Fiat-Shamir-Schnorr, a close inspection of
the proof shows that it works for any Σ protocol and that the weak one-more
assumption is sucient too. In summary.
Theorem 13. Suppose that there is an ecient adaptive extractor for Fφ . Then
φ is not weak one-more one-way.
We will not re-prove the theorem here. As to running time, as long as the
extractor makes fewer than 2n queries when running against a particular prover
then the reduction to weak one-more one-wayness runs in the same time as the
extractor, but its success probability is the inverse of the number of copies of the
prover that the extractor causes to be invoked. Although Bernhard et al. [12]
only prove the theorem for the case of the Fiat-Shamir-Schnorr protocol, their
reduction is black box in the sense that it only needs to be able to sample and
open instances of the underlying Sigma protocol. The exact same proof will work
for our generalisation. We can write the prover in the cited theorem as (PC )n ,
the adaptive chain prover derived from the canonical prover. This will allow us
to conclude that any extractor against the chain prover implies a straight-line
extractor against the canonical prover PC .
We simulate the canonical prover towards the extractor. Receive x, a from the
Σ -one-way challenger and ask the random oracle query c ← RO(x, a) (which the
extractor answers). Then send c to the Σ -one-way challenger to get s and send
(x, a, s) to the extractor. Again, whenever the extractor provides the correct w0 ,
we win against the challenger. q.e.d.
This result is new, but not surprising Fiat-Shamir transformed Sigma
protocols are not supposed to be straight-line extractable and the Σ -one-wayness
property is constructed exactly to make this reduction work. The value of said
property is that we can also use it for adaptive extractors.
Our main contribution in this paper is a new theorem that says all adaptive
proofs in the ROM admit a straight-line extractor.
Theorem 15. Consider any non-interactive ROM proof scheme with an adap-
tive extractor K. Suppose that, running against any n-prover Pb, the extractor
K causes at most f (n) < 2n copies of the prover to be run in the experiment
and answers all extraction queries of the main run correctly with probability at
least p(n) > 0. Then there is a programming straight-line extractor against any
non-adaptive prover P with success probability p(n)/(n · f (n)).
13
Applying this theorem to Fiat-Shamir transformed Sigma protocols gets us
the following insight.
14
{b1 , ..., bs } be a basis for Im(φ). For each 1≤i≤s denote ai to be an element
of W so that φ(ai ) = bi .
The generic group model is a model which analyses success of algorithms
against representations of groups which do not reveal any information to ad-
versary. There are many ways to formalise this idea [1315]. We will follow the
denition provided by Shoup [15]. Here, adversary is given access to images of el-
ements of a group under a random injective map σ : X → S ⊂ {0, 1}∗ , called an
encoding function. Group operations can be computed by making oracle queries.
The adversary is given access to two oracles ADD and INV :
Note that the adversary cannot get any information from the representation
σ(x) of element x. A generic algorithm A for X on S is a probabilistic algorithm
that takes as input an encoding list (σ(x1 ), σ(x2 ), ..., σ(xl )) where each xi ∈ X
and σ is an encoding function of X on S . As the algorithm executes, it makes
queries to ADD or IN V oracles and then appends outputs of the queries to
the encoding list. The output of A is a bit string denoted as A(σ; x1 , ..., xl ). We
also want to extend the inteface of the model and introduce the F SSr,w oracle:
F SSr,w (c) = r + cw for some r, w ∈ W and c ∈ k . We may assume that when
oracles encounter some σ1 6∈ Im(σ), they return an error message.
Similarly to most of the proofs of generic hardness of computational prob-
lems, we use the Schwartz-Zippel lemma to estimate the probability of a generic
algorithm winning the Σ−one-wayness game. However, we are interested in the
version of this theorem when we sample uniformly from a vector space rather
than a eld.
Lemma 17. Let V be a nite dimensional vector space over k and F be a non-
zero linear polynomial in k[X1 , ..., Xt ]. Then, for x1 , x2 , ..., xt selected at random
independently and uniformly from V the probability that F (x1 , x2 , ..., xt ) = 0 is
at most 1/|V |.
Proof. Note that V k m , where m = dim(V ). Hence we can as-
is isomorphic to
sume without loss of generality that V = k m . Let x1 , ..., xt be uniformly random
and independent elements of V and denote xi,j to be the j−th component of xi .
Therefore, since F is linear we have that:
Pr(F (x1 , x2 , ..., xn ) = 0) = Pr(F (x1,1 , ..., xt,1 ) = 0, ..., F (x1,m , ..., xt,m ) = 0)
m
Y
= Pr(F (x1,i , ..., xt,i ) = 0)
i=1
≤ (1/|k|)m = 1/|V |
(1)
15
Theorem 18. Let w, r be random elements of W and A be a generic algorithm
for X on S ⊂ {0, 1}∗ that makes at most m queries to ADD and INV oracles and
exactly one query to F SSr,w oracle. Then the probability that φ(A(σ; b1 , ..., bn , x,
y)) = x is O((m + n)2 /|X | + |ker(φ)|/|W|), where x = φ(w) and y = φ(r).
Full proof is provided in the appendix. Here we skip the details and only
show brief sketch of it. We use techniques suggested by Shoup [4] and introduce
a Polynomial Simulation Model (PSM). We dene indeterminants X and Y and
keep lists of polynomials Fi0 s in k[X, Y ]. Each polynomial Fi has corresponding
values zi ∈ W ∪ {⊥} and σi ∈ S . We can think of them as preimages of Fi (x, y)
w.r.t. φ and σ(Fi (x, y)) respectively. At the beginning we set Fi = bi for i =
1, 2, ..., n, Fn+1 = X, Fn+2 = Y , zi = ai for i = 1, 2, ..., s and ⊥ for i = s +
1, ..., n+2, and σ1 , σ2 , ..., σn+2 are chosen at random, but σi 6= σj for 1 ≤ i < j ≤
n. When query to ADD or IN V oracle occurs, we perform the same operation
on our polynomials corresponding to the input of the query. If extraction query
is made, we return a random value from W . We have to remember to update zi0 s
after every query.
Note that if for every Fi 6= Fj we have Fi (x, y) 6= Fj (x, y) (i.e. no collision
occurs) then adversary is not able to spot the dierence between the GGM and
PSM. We use Lemma 17 to nd upper bound on the probability of such an event.
Then we easily argue that adversary cannot win the game in the model we just
dened by showing that zn+1 = ⊥.
Theorem 18 implies that every generic algorithm A, which
p wins Σ−one-
wayness with high probability, must perform at least
p Ω(α |X |) group opera-
tions, where α =p 1 − |ker(φ)|/|W|. In particular, if W is large then we get the
lower bound Ω( |X |) for IES by choosing φ(w) = g w .
7 Reducing to DLOG?
5
Paillier and Vergnaud dened the algerbraic model for groups; one can interpret
a GF (p) vector space as an Abelian group to use their denition of the algebraic
model.
16
Theorem 19. If there is an algebraic metareduction from a programming straight-
line extractor for Fiat-Shamir-Schnorr proofs to the DLOG problem then there
is also a meta-metareduction breaking the DLOG problem directly with approxi-
mately the same success probability.
The proof is in the appendix. The idea is that a metareduction M gets
to see two bases in the group: the generator g and the challenge h from its
DLOG challenger. Since we assumed a programming extractor, M must ask its
random oracle queries to its extractor interface where our meta-metareduction
will answer them. Any statement output by M (to the extractor) therefore has
the form (g a hb ) for some (a, b) which are available to our meta-metareduction
by use of the algebraic model. Proofs of the form (a, 0) are independent of the
challenge h; intuitively they should not help to compute the discrete logarithm
of h so we just return the witness a. The rst time M outputs a proof with a
statement of the form (a, b) with b 6= 0, we fork M on the relevant random oracle
query and use special soundness to nd the discrete logarithm of h to basis g .
8 Conclusions
17
References
18
?
game description loss
B / Pn initial game
B1 single copy of F ≡
B2 memoize F ≡
B3 switch F for random function ≡ or ∆PRF (F )
B4 lazy sampling ≡
B5 / S n change random inputs pcoll
?
≡: games are equivalent. ∆PRF (F ): distinguishing advantage between F and a
random function. pcoll : probability of a collision.
A Proof of Theorem 15
Recall that a prover P is an algorithm that may take some random input r∈R
(for a randomness space R specic to the prover), may make random oracle
queries and eventually outputs a statement/proof pair (x, π). For any prover P,
the prover Pn is the construction described in Denition 11. If a proof scheme is
adaptively secure, there is an extractor K that can win the adaptive game against
any n-prover. In particular it wins against P n for any (non-adaptive) prover P .
We show how use this extractor to build a straight-line extractor against P .
Recall that in the extraction game the knowledge extractor needs to extract all
witnesses corresponding to a run of the malicious adaptive prover and that in
the process the extractor has access to a number of copies of the prover, all using
the same coins as the main run.
19
1 oracle random(r, l)
2 if not T [(r, l)] then
3 T [(r, l)] R
4 end
5 return T [(r, l)]
list of all random oracle queries that all copies of P simulated by this copy of
P n have made so far. For P n , this means that it must keep a list T of all oracle
queries made so far and after every copy of P nishes, append the list l of this
copy to its list T . Call the black box with this change made to all its copies of
P n , algorithm B5 . The code with which B5 simulates a copy of P n is in Figure 5.
Algorithms B4 and B5 are indistinguishable if R is large enough, as the following
results show.
The proof of Claim A.1 is an induction over all calls to random that occur in
an execution trace. Before the rst call, the table T will be empty so the rst
value returned from random will be uniformly distributed in R in both B4 and
B5 .
20
1 algorithm random(t) -- called only as a subroutine from prover.
2 if not T [t] then -- if undefined at this point
3 T [t] R
4 end
5 return T [t]
6
7 algorithm prover(r)
8 for i = 1, n do
9 (xi , πi , l) ← P(r)
10 Q ← Q :: l
11 r ← random(Q)
12 end
13 for i = n, 1, -1 do
14 w0 ← extract(xi , πi )
15 if not ρ(xi , w0 ) then
16 halt
17 end
18 end
For any following call, there are two cases. The rst is that the call is fresh,
i.e. random ends up drawing a new random value. In both B4 and B5 , these
values are uniformly distributed in R and independent of previous values.
6
This may also be the same copy of Pn at an earlier point in time, when it had a
dierent (shorter) random oracle history.
21
Before we continue, we dene some terms that we will use in the following
claims and proofs.
Lemma 22. Consider a run of the simulator S n and assume that neither a
collision nor event E have occurred. Suppose that some simulated copy of P n
gets a correct answer to an extraction query at some depth k, for a copy of P
with random string r and random oracle history s. Then there are at least 2k−1
copies of P n that have been simulated by S n so far which have completed their
rst loop and used (r, s) for the (n − k + 1)-st pass through this loop.
Corollary 23. As long as collisions and event E do not occur in a run of S n ,
any corretly answered extraction query at depth k implies that the extractor has
22
launched at least 2k copies of the prover P n . In particular, if the extractor wins
the adaptive proof game against S n then there must have been at least 2n copies
of P n that were simulated by S n .
We prove the corollary rst. For the extractor to win, either a prover must
have made an invalid proof but the canonical prover never does this or
the extractor must have answered all the main prover's n queries correctly. In
particular it has answered the main prover's query at depth n correctly, and this
query must have a partner (or else we would have event E ).
k−1
By Lemma 22, both the query and its partner must each have 2 associated
n
copies of P . These copies cannot overlap: suppose the extractor answers some
0 0 k−1
query for parameters (r, s) with partner (r, s ) and s 6= s . Then there are 2
copies of the prover with (r, s) as their parameters for the (n − k + 1)-st copy of
P and 2k−1 copies of the prover P n with (r, s0 ) in the same position, for a total
k n
of 2 copies of P . q.e.d.
This is the proof of Lemma 22, by induction on k . For k = 1 the lemma says
n
that there is at least one copy of P which ran on the parameters leading to the
query in question, which is certainly true. Since the extraction queries are made
in reverse order, a query at depth k corresponds to the (n − k + 1)-st copy of P
in a copy of P n . Suppose that case k is proven and consider an extraction query
n n
at depth k + 1 with parameters (r, s) in some copy of P . Since this copy of P
has progressed to its (k + 1)-st query, it must have got an answer to its k -th
0 0
query, let's call the parameters in this k -th query (r , s ). Since this query was
answered without event E occurring, it must have a partner. By the induction
k−1 n
hypothesis, there are 2 copies of P around that had their (n − k + 1)-st copy
0 0
of P run on parameters (r , s ). This means that all these copies must have used
the same random strings and oracle histories for queries 1, . . . , n − k or we would
0
have a collision on r . In particular, they used the same parameters for query
n − k = n − (k + 1) + 1; these parameters correspond to the (k + 1)-st extraction
k
query so they must be (r, s). This gives us one half of the required 2 copies to
prove the induction step.
Let's look at the copy of Pn that made the extraction query on the partner
0 00 0 0
(r , s ) of (r , s ). By the previous claim, this query must also have been at depth
k or we would have a collision. Using the induction hypothesis, we nd a further
2k−1 copies of P n that have (r0 , s00 ) at their (n − k + 1)-st position. These copies
are distinct from the ones we found in the last step since their (n − k + 1)-st
00 0
random oracle history element is s which is distinct from s . But by the same
reasoning as above, these copies must have (r, s) at position n − k so we have
k
found 2 copies with this property, concluding the induction and the proof of
Lemma 22. q.e.d.
Finally, we give a metareduction that works when event E does occur and the
metareduction guesses correctly where to hide the challenge.
23
Lemma 24. There is a metareduction M as follows. Take any adaptive extrac-
tor K that, in the n-proof game for any n, launches at most f (n) copies of the
adaptive prover, wins with probability at least p(n); event E occurs with probabil-
ity e(n) given that the extractor wins. Then the metareduction M with black-box
access to K is a programmable straight-line extractor against any non-adaptive
prover P (with randomness space R) for the scheme in question with success
probability at least
e(n)p(n) nf (n) + n2 f (n)2
−
n · f (n) |R|
B Proof of Theorem 18
24
along with a list z[1], ..., z[t] of values in k ∪ {⊥}, list e[1], ..., e[t] of values in S
and also a polynomial D and a value zD ∈ W . One can observe that if we make
a group operation in GGM, we can make an analogous operation on polynomials
in PSM. We might think of e[i] and z[i] as representations of σ(F [i](x, y)) and
preimage of F [i](x, y) w.r.t. φ respectively.
Proof. Let us run A in GGM and PSM and let N = {σ1 , ..., σα } be the set of
values σi in k such that when A used σi as input of oracle queries then σi had not
been already on the encoding list (in GGM). We introduce a notion of collision.
We are interested in view of adversary when Ē holds i.e. when there is no collision.
The following lemma states that view of adversary in GGM and PSM is identical
given Ē .
Lemma 28. Pr[φ(ACGGM ) = x|Ē] = Pr[φ(ACP SM ) = x|Ē].
Proof. Clearly, the probability of getting initial values for σ(b1 ), ..., σ(bn ), σ(x)
and σ(y) in both models are the same. Hence we just need to show that for
any sequence of oracle queries, the probability that adversary gets exact val-
ues from oracles in GGM and PSM are equal. We formalise this idea: dene
(D1 , D2 , .., Dt ; d1 , ..., dt )X to be an event that A makes queries D1 , ..., Dt (in
this particular order) in model X and for query Di , an oracle outputs di . We
claim that for any queries D1 , ..., Dt and any d1 , ..., dt we have
25
We will prove this statement by induction on t. Clearly the statement holds for
t = 0. Suppose that it holds for some non-negative t.
Let PX = Pr[(Dt+1 ; dt+1 )X |(D1 , .., Dt ; d1 , ..., dt )X ]. Note that:
α = |Pr[φ(AC C
GGM ) = x|E] · Pr[E] + Pr[φ(AGGM ) = x|Ē] · Pr[Ē]
− Pr[φ(AC C
P SM ) = x|E] · Pr[E] + Pr[φ(AP SM ) = x|Ē] · Pr[Ē]|
(2)
= Pr[E] · |(Pr[φ(AC C
GGM ) = x|Ē] − Pr[φ(AP SM ) = x|Ē])|
≤ Pr[E] = O((m + n)2 /|X |).
Now, in order to show that a generic algorithm cannot win the Σ−one-wayness
game in PSM with high probability, we just need the following lemma:
26
Proof. Suppose that z[n + 1] 6= ⊥. We can dene W = Span{b1 , b2 , ..., bs , D}
to be a subspace of k[X, Y, X1 , ..., Xv ] with dim(W ) = s + 1. On the other
hand, note that for every i we have z[i] 6= ⊥ ⇐⇒ F [i] ∈ W . Indeed, this
follows straight from the design of PSM. Thus F [n + 1] = X ∈ W . Therefore,
F [n + 2] = Y = (Y + cX) − cX = D − cX ∈ W , for some c ∈ k . Note that
F [1], F [2], ..., F [s], F [n + 1], F [n + 2] are clearly linearly independent, so s + 2 ≤
dim(W ) = s + 1, contradiction.
The lemma above implies that a generic algorithm A is not able to win the
game in Polynomial Simulation Model unless it randomly guesses the witness.
C
We deduce that Pr[φ(AP SM ) = x] = O(|ker(φ)|/|W|). So by this observation
and Claim B the statement of Theorem 18 holds.
C Proof of Theorem 19
An algorithm is algebraic over a group G in the sense of Paillier and Vergnaud [4]
if the only operations that it applies to group elements are the group operation
and derived ones (e.g. inversion, exponentiation). We chose to dene Sigma pro-
tocols over vector spaces rather than groups; one can interpret a GF (p) vector
space as an Abelian group to use the algebraic model. Vector addition becomes
the group operation and scalar multiplication becomes group exponentiation;
for the Schnorr protocol one recovers the usual denition over a group G with
generator g (but loses sight of the fact that the linearity of x 7→ g x is what makes
the Sigma protocol work).
The algebraic model says that for any algebraic algorithm that has seen
some group elements g1 , . . . , gn ∈ G Q
and outputs a value γ ∈ G, we can extract
n ci
coecients c1 , . . . , cn such that γ = i=1 gi (writing the group operation mul-
tiplicatively). In the language of vector spaces, any output can be expressed as
a linear combination of the input elements.
Fix a group G with generator g . Suppose that there is an algebraic metareduc-
tion M that solves DLOG given access to a programming straight-line extractor
for Schnorr proofs. Such an extractor has the following interface: random oracle
queries are answered like a random oracle and on input a statement/proof pair
(x, (a, s)) that is valid w.r.t. the random oracle queries so far, K outputs the
w
witness w s.t. x = g .
M has access to the group generator g and can obtain a single group element
h from its DLOG challenger. M wins if it can return the discrete logarithm u
u
such that h = g . M may also have access to one or many copies of the extractor
K (the argument is the same in both cases). For every group element γ that M
α β
outputs (to K ), we assume that values α, β are available such that γ = g h .
We write this as γ = [α, β]. Since the extractor K never outputs group elements,
M cannot learn any more bases in the group G.
Now consider the following meta-metareduction µ. Let a challenge h be ob-
tained from a DLOG challenger and give it to M if/when it requests a DLOG
challenge. Whenever M outputs a valid proof (x, (a, s)) for extraction, if the
27
group element x gives us a representation[d, 0] (i.e. independent of h) then
just return d as the witness. The rst time M outputs a valid proof with x
represented as [α, β] for β 6= 0, output the relevant (x, (a, s)) and halt. The
meta-metareduction µ also answers random oracle queries on behalf of M by
calling an external random oracle. Should M output a guess at u without ever
making an extraction query depending on h, then µ returns u to the DLOG
challenger in this case M must have taken the discrete logarithm itself.
We claim that M cannot distinguish µ from an extractor K until the point
where M outputs a proof depending on h. Indeed, the distribution of all elements
from K is identical: random oracle responses are consistent and random; re-
turned witnesses are the (unique) discrete logs of the relevant statements x.
Consider the case where M does not extract the discrete logarithm u of
h without making at least one proof depending on h. Then the algorithm µ
(containing M ) is itself a random oracle model prover: it makes RO calls and
outputs a proof (x, (a, s)), namely the rst of M 's proofs that depends on h i.e. x
α β
has representation g h with β 6= 0. We apply the forking lemma to µ to obtain
the discrete logarithm w of x, with overwhelming probability. From this we can
compute the discrete logarithm of h as (w − α)/β (in the eld GF (p) where p is
the group order).
It follows that if M is a metareduction from a programming extractor to
DLOG with advantage α then µ is a meta-metareduction to DLOG directly
with advantage cα (c is the forking lemma factor a non-negligible constant).
In other words, a reduction from a programming extractor to DLOG can only
exist if DLOG is already easy.
The very same argument works for a metareduction M from an adaptive ex-
tractor for Fiat-Shamir-Schnorr to DLOG: if M never outputs a proof depending
on the challenge h then we can simulate the extractor; otherwise, let µ be the
algorithm that runs M and the simulated extractor up to the rst proof that
does depend on h, then apply the forking lemma.
28
1 initialise : 34 update (f ):
pi bi for some p1 , ..., ps , q ∈ k then
if f = qD + si=1 P
P
2 V ← [X, Y ] 35
3 v←0 36 return qzD + si=1 pi ai
4 37
F ← [b1 , b2 , ..., bn , X, Y ] else
5 z ← [a1 , a2 , ..., as ] 38 return ⊥
6 for i = s + 1, ..., n + 2 39
7 z ← z :: ⊥ 40 add (a, b):
8 σ1 , σn+1 , ..., σn+2 S 41 if a 6∈ e then
9 e ← [σ1 ] 42 newvar (a)
10 for i = 2, ..., n 43 if b 6∈ e
11 e ← e :: (a S\e) 44 newvar (b)
12 e ← e :: [σn+1 , σn+2 ] 45 f ← F [i] + F [j], where e[i] = a and e[j] = b
13 D = 0 ∈ k[X, Y ] 46 if f = F [l] for some l then
14 zD = 0 ∈ W 47 return e[l]
15 (σ1 , σ2 , ..., σn+2 ) 48 else
16 49 F ← F :: f
17 50 z ← z :: update (f )
18 newvar (s): 51 s S\e
19 v ←v+1 52 e ← e :: s
20 V ← V :: Xv 53 return s
21 F ← F :: Xv 54
22 z ← z :: ⊥ 55 inv (a):
23 e ← e :: s 56 if a 6∈ e then
24 57 newvar (a)
25 58 f ← −F [i], where e[i] = a
26 FSS r,w (c): 59 if f = F [l] for some l then
27 rW 60 return e[l]
28 zD ← r 61 else
29 D ← Y + cX 62 F ← F :: f
30 for i = 1, ..., |F | 63 z ← z :: update (f )
31 if update (f ) 6= ⊥ 64 s S\e
32 z[i] ← update (f )65 e ← e :: s
33 return r 66 return s
29