Adaptive Proofs have Straightline Extractors

(in the Random Oracle Model)

Abstract. The concept of adaptive security for proofs of knowledge was

recently studied by Bernhard et al. They formalised adaptive security
in the ROM and showed that the non-interactive version of the Schnorr
protocol obtained using the Fiat-Shamir transformation is not adaptively
secure unless the one-more discrete logarithm problem is easy. Their only
construction for adaptively secure protocols used the Fischlin transfor-
mation [3] which yields protocols with straight-line extractors. In this
paper we provide two further key insights. Our main result shows that
any adaptively secure protocol must have a straight-line extractor: even
the most clever rewinding strategies cannot oer any benets against
adaptive provers.
Then, we show that any Fiat-Shamir transformed Σ -protocol is not adap-
tively secure unless a related problem which we call the Σ -one-wayness
problem is easy. This assumption concerns not just Schnorr but applies
to a whole class of Σ -protocols including e.g. Chaum-Pedersen and rep-
resentation proofs. We also prove that Σ -one-wayness is hard in the
generic group model. Taken together, these results suggest that Fiat-
Shamir transformed Σ -protocols should not be used in settings where
adaptive security is important.

1 Introduction

Non-interactive zero-knowledge (NIZK) proof schemes are proofs of knowledge

(PoK) if they admit an extractor such that, for every prover creating a state-
ment/proof pair that veries, the extractor can return a witness to the statement.
In this paper we study the relation between variants of the proof of knowledge
property with dierent kinds of extractors. An extractor is straight-line if it only
sees a single execution of the prover (and learns the RO queries/answers that the
prover makes), or rewinding if it is allowed to launch and interact with further
copies of the prover (with the same coins used to produce the statement) before
returning a witness.
The distinction between straightline and rewinding extractors may be crucial
in applications since for a rewinding extractor it is not clear how many times does
it have to rewind to extract all witnesses from a prover who makes a sequence of
n proofs. Shoup and Gennaro [1] rst encountered this problem in the context of
proving CCA security of a particular public-key encryption scheme; the obvious
approach ends up rewinding 2n times which leads to an inecient reduction.
Clearly, this problem disappears for a straight-line extractor.
Bernhard et al. [12] proposed a notion of adaptive proofs that lie somewhere
between proofs with inecient rewinding strategies and straight-line PoKs: a

1
proof scheme is adaptively secure if there is an extractor that can rewind, but
must eciently extract even from provers who make sequences of proofs. The
notion is called adaptive because the extractor must return a witness for the
rst proof to the prover before the prover makes the second one, and so on.
The main theorem of the cited work shows that the usual Fiat-Shamir-
Schnorr proof scheme is not an adaptive proof unless the one-more discrete
logarithm assumption is easy.
This result essentially separates the usual PoK notion from adaptive proofs,
but the separation relies on an inecient interactive assumption, it is specic to
a proof system for a specic problem (discrete logarithm), and a specic class
of proofs (those obtained from Sigma protocols via the Fiat-Shamir transform).
It also leaves open the question whether any adaptive proofs exist that are not
also straight-line .
1

Our contribution. In this paper we obtain a full characterization of adaptive

proofs in the random oracle model and we leverage this result to provide more
general results regarding the limitations of the Fiat-Shamir transform.

Adaptive proofs ≡ straightline extractors. Our main contribution an-

swers Bernhard et al.'s open question negatively. It holds for all non-interactive
proof schemes in the ROM, whether or not they are derived from Sigma proto-
cols:

Theorem 1 (Informal). Consider an arbitrary non-interactive proof of knowl-

edge system in the ROM. If the proof system has an ecient adaptive extractor
(against adaptive provers) then it also has a straight-line extractor.
The immediate consequence of this theorem is that when designing PoKs for
an adaptive setting, one cannot rely on rewinding and instead one should ensure
the existence of a straightline extractor. While a general strategy is to employ
Fischlin's transformation [3], one may still want to rely on the more ecient
construction that uses the Fiat-Shamir transformation whenever possible  the
impossibility result of Bernhard et al. [12] only applies to Fiat-Shamir-Schnorr
proofs.

Limitations of the Fiat-Shamir transform. We show that the Fiat-Shamir

transformation has intrinsic limitaitons. In particular, we generalize the results
of [12] in two distinct directions. On the one hand, we show that it holds for
arbitrary Sigma protocols for proving knowledge of preimages of linear functions
(including Schnorr, ChaumPedersen and representation proofs). More inter-
estingly, we weaken the condition under which these proofs are not adaptively
secure from one-more discrete logarithm (resp. one-more one-wayness [2]) to the
following assumption: a dishonest verier in a single execution of the Sigma
protocol cannot extract the witness. We call this assumption Σ -one-wayness.
Our result thus improves from a  q -type assumption, which does not admit an
ecient game, to an ecient game with only three rounds.

1
Straight-line proofs are trivially adaptively secure.

2
 This theorem answers the main open question of [12] and hints at a short-
coming of proofs based on the FiatShamir transform: if used in a setting where
the prover gets to adaptively chose statements an extractor would have to be
(more or less) straight-line. However, if this is the case, the proof may not be
that interesting anyway as the underlying witness is not well-protected:

Theorem 2 (Informal). Suppose there is a straight-line extractor for a Fiat-

Shamir transformed Sigma protocol Σ (to prove knowledge of a preimage of some
linear function f ). Then a dishonest verifer can extract a witness (a preimage
under f ) in a single run of Σ .
Taken together, these results imply that Fiat-Shamir transformed Sigma pro-
tocols are not adaptively secure in any setting in which they might be useful.
Take the Schnorr protocol as an example: if Fiat-Shamir-Schnorr is adaptively
secure then either discrete logarithms are easy in the relevant group, in which
case the Schnorr protocol is redundant, or the Schnorr protocol provably helps
a dishonest verier to extract the discrete log of the statement  in which case
Schnorr is certainly not zero-knowledge.
The theorem of Bernhard et al. [12] contains an adaptive prover who makes
a sequence of n proofs such that each one depends on all previous ones. The
straightforward rewinding strategy  rewind on every proof to extract  ends
up rewinding 2n times since the rewound provers make new proofs which again
have to be rewound. A combinatorial argument then shows that any strategy
that rewinds fewer than 2n times must have taken a discrete logarithm to nd
out the witness for one of the proofs output by the prover. The problem is that
we do not know where, and also if we inject a challenge in one proof then we
end up having to simulate all other proofs in the experiment. So far the solution
to this problem was to reduce to the one-more discrete logarithm problem.
Our proof technique for Theorem 2 (formally, Theorem 14) is to take any
prover and turn it into an adaptive prover who makes a chain of n proofs,
together with some bookkeeping. We then show that any adaptive extractor
against this prover must either take exponential time or reduce to a straight-line
extractor against the original prover. Applying this theorem to the honest prover,
we get a reduction to Σ -one-wayness. We summarize these results in the following
table (FSS=Fiat-Shamir-Schnorr, DLOG=discrete logarithm, OMDL=one-more
discrete logarithm).

property breaks if FSS has

one-way (e.g. DLOG) straight line extractor [10]

Σ -one-way adaptive extractor (new)
one-more one-way (e.g. OMDL) adaptive extractor [12]

In conclusion, we suggest that adaptive proofs are not a new class of proofs
but rather another description of the class of straight-line extractable proofs;
and Fiat-Shamir transformed Sigma protocols for useful functions are not in
this class.

3
Weaker assumptions. The obvious next question is whether one could strengthen
our results even further and only rely on one-wayness of φ (e.g. in the case of
Schnorr, DLOG) rather than Σ -one-wayness. We show using a meta-metareduction
that no algebraic metareduction [4] from a programming extractor to one-wayness
(e.g. DLOG) can exist, unless one-wayness is already easy. All previous metare-
ductions in this area [10, 12] including ours to Σ -one-wayness are algebraic: the
only operations they perform on elements of the target group are group opera-
tions.

A generalization of the Generic Group Model (GGM). To strengthen

trust in the Σ -one-wayness hypothesis on which our impossibility rely we provide
a justication in the generic group model. Interestingly, the rst problem that
one needs to face here is that the existing approaches to formalizing and using
GGM is not suitable: in brief, an adversary that interacts with the Σ protocol
for some problem gets to see not only group elements but also some information
related to the exponents of these group elements  this ability is not considered
the standard GGM formalizations. We suggest one approach to deal with this
issue and use the resulting model to formally justify Σ -one-wayness.
Related work. One-more type assumptions were introduced by Bellare et al.
[2]. Their value in proving schemes secure is subject to some debate, as explained
by Koblitz and Menezes [8] who also gave the rst weakened one-more assump-
tion. Problems with forking-based proofs were rst noted by Shoup and Gennaro
[1]; Paillier and Vergnaud [4] developed separation results for Schnorr-based sig-
natures using metareductions that formed the rst formal proof of a limitation of
Schnorr-based techniques. Both Brown [6] and Bresson et al. [7] concurrently ap-
plied separation techniques to one-more problems. Fischlin and Fleischhacker [9]
were the rst to consider limitations of metareductions via meta-metareductions.
The most recent results that motivated this paper are Seurin and Treger [10] who
gave a very simple metareduction from a non-programming extractor for Schnorr
proofs to discrete log; and Bernhard et al. [12] who introduced adaptive proofs.

2 Preliminaries

Notation. f : A → B is a function with domain A and range B; A : A  B

is a randomised algorithm on the same domain and range. We write security
games in a language based on Bellare and Rogaway's code-based game-playing
[5]. y ← f (x) is assignment, x  R is uniform random sampling. T [i] is the
element at index i of table T.
An interactive, randomised algorithm A has access to a random string r
and an input/output interface. It maintains its state between calls. A security
game is such an algorithm that may at some point output win or lose, which
terminates the entire execution. We say that a security property is given by a
game, to mean that the property holds if no ecient adversary can cause the
game to output win with more than negligible probability in some underlying
security parameter.

4
Σ -protocols  Let k be a eld. Let W, X be k -vector spaces and let φ : W →
X be a k -linear map. Suppose further that one can sample uniformly from k and
W.

Denition 3. The Σ -protocol Σφ is the following interactive protocol for a

prover P to prove knowledge of a preimage under φ to a verier V .
P (w ∈ W, x = φ(w)) V
(x,a)
r  W; a ← φ(r) −−−→
c
←−−− ck
s ?
s←r+c·w −−−→ φ(s) = a + c · x
We choose to let P transmit the statement x to V as part of the rst round
of the proof  of course, V may also know x in advance. The verier accepts
if the equation φ(s) = a + c · x holds in X , in which case we call (x, a, c, s) an
accepting transcript. Instances of this template protocol include:

 Schnorr: W = k = GF (p), X G of order p with a generator g

is some group
(e.g. over an elliptic curve) andφ(w) = g w .
 Chaum-Pedersen: W = k, X = G × G for a group as above and φ(w) =
(g w , hw ) for two dierent generators g, h of G.
 Representation: W = kn , X = G and φ(w1 , . . . , wn ) = ni=1 gi wi for some
Q
known set of generators {gi }i∈I of G.

Σ -protocols according to our denition automatically satisfy:

 (x, a, c, s) and (x, a, c0 , s0 ) are accepting transcripts with

Special soundness: if
c 6= c then 1/(c − c ) · (s − s0 ) is a preimage2 of x under φ.
0 0

 Soundness: if x0 ∈ X \ Im[φ], then a cheating prover gets a verier to accept

with probability at most 1/|k|.
 Honest-verier zero-knowledge: a verier who choses c as prescribed (at least,
independently of a) gains no information from the protocol beyond the fact
that the prover knows a preimage of x under φ.

Proof schemes  A (non-interactive) proof scheme for a relation ρ on sets

X × W consists of a proof space Π and a pair of algorithms prove : X × W  Π
and verify : X × Π → {0, 1} (i.e. verify is deterministic). An element π ∈ Π
satisfying verify(x, π) = 1 is called a valid proof for x. For any (x, w) satisfying
ρ, if π ← prove(x, w) then we require verify(x, π) = 1. We further assume
that there is an algorithm sample : X × W that produces elements uniformly
distributed in ρ (as a subset of X × W ). In the random oracle model (ROM),
both prove and verify may call a function H that is modelled as a random
oracle in security proofs. The relation ρ itself does not use H .

2
The inversion 1/(c − c0 ) is in the eld k where it exists due to c 6= c0 ; the dot in this
formula is eld-vector multiplication.

5
Fiat-Shamir  The Fiat-Shamir transformation turns Σ -protocols into non-
interactive proof schemes that are full zero-knowledge proofs of knowledge in the
random oracle model. The idea is simply to replace the verier's challenge c by
a hash over the statement x and the commitment a.

Denition 4. Let φ : W → X be a k-linear function where W and k are e-

ciently sampleable. Suppose that H is a function with domain (including) X × X
and range k. Then the Fiat-Shamir transformed Σ -protocol Fφ is the following
proof scheme for sets (X , W) and relation ρ(x, w) = 1 ⇐⇒ φ(w) = x. The
proof space is Π = X × W and the algorithms are

 sample(): pick w  W , set x ← φ(w) and return (x, w).

 prove(x, w): pick r  W , set a ← φ(r), c ← H(x, a) and s ← r + cw.
The proof is π = (a, s).
 verify(x, (a, s)): check that φ(s) = a + H(x, a) · x.

3 Variations on the theme of one-wayness

Σ -protocols are only useful when the function φ is hard to invert: otherwise, they
are trivially zero-knowledge proofs of knowledge, but so is the protocol in which
the prover just sends the statement x to the verier. For the same reasons, if φ is
easy to invert then Fφ is adaptively secure too. This shows that we cannot hope
for a theorem of the form Fiat-Shamir Schnorr is not adaptively secure, since it
is adaptively secure e.g. in the group (Zp , +) where taking discrete logarithms is
easy. Consequently, limitation theorems take the form if Schnorr is adaptively
secure then some property (e.g. OMDL) is easy to break.
We discuss some possible security properties of the function φ and introduce
Σ -one-wayness. Later on we will show that Fiat-Shamir proofs cannot be adap-
tively secure unless Σ -one-wayness of φ is easy to break (in which case, their use
within protocols would be already questionable).

Σ -one-wayness. One-wayness is the rst obvious candidate property. Recall

that a property dened by a game means that the property (in this case one-
wayness of φ) holds if it is hard to make the game output win. The game gives
the adversary a uniformly chosen image x; the adversary wins by recovering any
preimage w0 s.t. φ(w0 ) = x.

Denition 5. The one-wayness property for a function φ : W → X is given by

the following game.
1 w  W; x ← φ(w)
2 output x; input w0 ∈ W
3 if φ(w0 ) = x then return win else return lose end

6
 We propose a new security notion that we call Σ -one-wayness (for linear func-
tions). This says that even a dishonest verier (who choses c arbitrarily, maybe
depending on x and a) cannot extract w from a single run of the protocol. We do
not claim that Σ -one-wayness is a sucient security notion for Σ protocols (it
says nothing about extracting partial information on w ) but we postulate that it
is only deployed if this condition is satised. Consequently, we are not proposing
a new scheme that is secure under the Σ -one-wayness assumption, but we will
claim that if the Fiat-Shamir proof scheme for a function φ is adaptively secure
then the Σ -one-wayness property for φ is easy to break too. Σ -one-wayness is
clearly stronger than one-wayness of the function φ, but it will turn out to be
weaker than one-more one-wayness (which we dene in a moment).

Denition 6. The Σ -one-wayness property for a linear function φ : W → X is

dened by the following game.
1 w  W; x ← φ(w)
2 r  W; a ← φ(r)
3 output (x, a); input c ∈ k
4 s←r+c·w
5 output s; input w0 ∈ W
6 if φ(w0 ) = x then return win else return lose end

If Σ -one-wayness of a function φ is easy to break but one-wayness is hard

to break, then running the protocol Σφ could leak a preimage to a dishonest
verier, that said verier could otherwise not compute by herself. In this case we
would discourage the use of the protocol Σφ (among other things it is certainly
not zero-knowledge). If both Σ -one-wayness and one-wayness of φ are easy to
break then Σφ is both harmless and useless. So, we think that Σ -one-wayness
of φ is a necessary condition for the protocol Σφ to be deployed. Under this
condition, we will show that the Fiat-Shamir transformed Σφ is not adaptively
secure.

Weak one-more one-wayness. For Schnorr, the one-wayness property of the

function φ(x) = g x is the discrete logarithm property. Bernhard et al. [12] use
a stronger assumption known as one-more discrete logarithm, which generalises
to one-more one-wayness[2, 7].
One-more one-wayness assumes an invertible function φ. The adversary is
given two oracles which she can call in any order: a sampling oracle that picks
a random preimage wi ∈ W and reveals xi = φ(wi ) and an opening oracle that
on input x outputsφ−1 (x). To win the game, the adversary must recover the
preimages of all samples xi with fewer calls to the opening oracle than to the
sampling oracle.
One-more one-wayness was rst discussed by Bellare et al. [2] although the
name rst appears in a later paper [7]. Unlike the other properties here, it does
not admit an ecient security game: the game itself needs to be able to invert
φ on arbitrary inputs. Koblitz and Menezes [8] discussed a variant that only

7
allows the adversary to open challenges themselves; this is isucient for our
applications. Instead we propose a new property: weak one-more one-wayness
xes this problem by restricting the adversary to asking linear combinations of
the sampled challenges. Your task is still to recover all wi with fewer queries to
the linear combination oracle than to the sampling oracle. The requirement for
φ to be invertible can also be dropped again.

Denition 7. The weak and normal one-more one-wayness properties for a bi-
jection φ : W → X are given by the following games. In each game the adversary
can call the sample and open oracles many times, in any order. The adversary
wins the game if it can provide preimages under φ for all samples that it had
obtained and yet it made fewer opening queries than sample queries.
weak one-more one-wayness: one-more one-wayness:
1 sample(): 1 sample():
2 n←n+1 2 (same as weak version)
3 w[n]  W 3
4 return φ(w[n]) 4
5 5
6 open(c1 , . . . , cP
n ∈ k ):
n
6 open(x ∈ X ):
7 return n
i=1 ci · wi 7 return φ−1 (x)

The strong problem clearly reduces to the weak one. A weak adversary can
still obtain a preimage of a particular sample by submitting the vector with 1
at the appropriate position and 0 elsewhere.
The point of the weak one-more one-wayness property is that the theorem
by Bernhard et al. [12] can trivially be strengthened to show that Fiat-Shamir-
Schnorr is not adaptively secure even under the weak one-more discrete logarithm
property: their reduction only ever makes opening queries on elements that are
linear combinations of samples with known coecients. This is not surprising
since their reduction is trying to simulate Schnorr proofs on sample elements.
Σ -one-wayness reduces to weak one-more one-wayness, even to a weaker ver-
sion where the number of samples is additionally bounded at 2 and only a single
linear combination query is allowed. Thus, we end up with a hierarchy of one-
wayness / Σ -one-wayness / weak one-more one-wayness / one-more one-wayness,
in order of increasing strength.

4 Adaptive proofs

In this section we recall the notion of adaptive proofs and introduce templates
for a couple of provers that form the basis of the results we prove in the next
section.

Denition 8. A prover is an algorithm P that outputs a statement/proof pair

(x, π); in the ROM a prover may make random oracle calls. We assume that
there is a uniformly sampleable space of random strings R associated to each

8
prover and we write P(r) to mean running prover P on random string r ∈ R.
In the ROM, we write (x, π, l) ← P(r) to mean that we also return the list l of
random oracle queries made by this execution of the prover on random string r.
A proof scheme is sound with error ε if for any prover P , the probability
of producing a pair (x, π) such that verify(x, π) = 1 but no w exists making
ρ(x, w) hold, is at most ε.
A proof scheme in the random oracle model is straight-line extractable with
error ε K as follows. For any prover P , pick r  R and
if there is an extractor
execute (x, π, l) ← P(r). If verify(x, π) = 1 w.r.t.3 l then with probability at
least 1 − ε, K(x, π, l) returns a w such that ρ(x, w) holds. It follows immediately
that an extractable proof scheme with error ε is also sound with at most the
same error.
A proof scheme in the ROM has a programming straight-line extractor with
error ε K as follows. Let any prover P interact with K
if there is an extractor
in the sense that K answers P 's random oracle queries. If P outputs (x, π) such
that verify(x, π) = 1 w.r.t. the oracle queries made by P , then with probability
at least 1 − ε, K outputs a w such that ρ(x, w) holds.
A straight-line extractor, whether programming or not, may have black-box
access to further copies of the prover in the following sense: it may start these
copies and control all interaction with them, including picking the random string
and answering all random oracle queries. As motivation for this (established)
notion of straightline extractors, consider an extractor who is trying to extract
from a honest prover. The code of the honest prover is known, so the extractor
can always simulate the honest prover on inputs of its choice. The extractor
cannot see the random string of the main copy of the honest prover from
which it is trying to extract, however.
A rewinding extractor can, in addition to the capabilities of a straight-line
extractor, launch further copies of the prover P with the same random string as
the one that the extractor is trying to extract from, and answer their random
oracle queries. The dierence between straight-line and rewinding extractors is
thus that rewinding extractors can run further copies of the prover that behave
identically to the main one, as long as they receive the same inputs and outputs,
and thus fork the prover instance from which they are trying to extract.

Adaptive proofs. We present the adaptive proof game of Bernhard et al. [12].
The game is an interactive algorithm with two interfaces for an adaptive prover
and an extractor. An adaptive prover for a proof scheme (Π, prove, verify)
w.r.t. (X, W, ρ) is an algorithm that can repeatedly output pairs (x, π) ∈ X × Π
and expect witnesses w∈W in return. After a number of such interactions, the
adaptive prover halts. In the random oracle model, an adaptive prover may also
ask random oracle queries.

3
We say verify(x, π) = 1 w.r.t. l if all elements on which verify queries the oracle
on input (x, π) are contained in l, and verify outputs 1 on these inputs if given the
appropriate responses in l.

9
 1 initialise : 18 K asks ro(x):
2 Q←[ ] 19 y ← ro(x)
3 K←0 20 send y to K
4 rR 21
5 run P(r) 22 K w:
outputs
6 23 if ρ(Ξ, w) then
7 P asksro(x): 24 K ←K +1
8 y ← ro(x) 25 if K = n then
9 Q ← Q :: (x, y) 26 K wins; halt.
10 send y to P 27 end
11 28 send w to P
12 P outputs(x, π): 29 else
13 if not verify(x, π) then 30 P wins; halt.
14 K wins; halt. 31 end
15 end 32 P halts:
16 Ξ←x 33 K wins; halt.
17 send (x, π, Q) to K

Fig. 1. The adaptive proof game. The extractor also has access to further copies of
P(r) using coins r sampled from an appropriate size domain R.

An adaptive extractor is an algorithm K that can interact with an adaptive

prover: it repeatedly takes pairs (x, π) ∈ X × Π such that verify(x, π) = 1
as input and returns witnesses w ∈ W such that ρ(x, w) = 1. In addition, an
adaptive extractor may be rewinding, i.e. launch further copies of the adaptive
prover that run on the same random string as the main one (managed by the
game) and answer all their queries. The adaptive proof game does not check the
correctness of witnesses for the other copies of the prover.

Denition 9. A proof scheme (Π, prove, verify) is an n-proof (with error ε)

in the random oracle model if there is an adaptive extractor K such that for
any adaptive prover P , the extractor wins the game in Figure 1 (with probability
at least 1 − ε). The adaptive extractor K may launch and interact with further
copies of the adaptive prover P on the same random string r as the main one,
without the game mediating between them.

In the n-proof game in Figure 1, the prover P is trying to nd a claim(x, π)

that veries, but from which the extractor K cannot extract a witness w. The
extractor is trying to extract witnesses from all claims made by the prover.

The game uses three global variables. K stores the number of witnesses that
the extractor has found so far. If this counter reaches n, the extractor wins and
the scheme is an n-proof. Q stores a list of all the prover's random oracle queries
so far. These are provided
4 to the extractor along with each of the prover's

10
claims. Ξ stores the last statement that appeared in one of the prover's claims;
it is used to check the validity of a witness returned by the extractor.
A n-proof for n=1 is simply a proof of knowledge in the ROM: the prover
makes a single claim (a pair containing a statement x and a proof π) and the
extractor wins if it can obtain a witness. A proof scheme is an adaptive proof if
there is an adaptive extractor that works for any polynomially bounded param-
eter n.

Canonical provers. The canonical prover PC samples a statement/witness

pair and creates a proof. We write RC for the randomness space of the canonical
prover and PC (r) to denote running the canonical prover on the random string
r ∈ RC .

Denition 10 (canonical prover). Let (Π, prove, verify) be a proof scheme

for (X, W, ρ) where r is uniformly sampleable via an algorithm sample. The
canonical prover PC for this scheme is the following algorithm.
(x, w) ← sample(); π ← prove(x, w); return (x, π)

If required, the canonical prover can also return the list l of all random oracle
queries made during its execution (by prove).
Since an extractor is supposed to work against any (ecient) prover, to argue
that an extractor cannot exist it is enough to show that one cannot extract from
the canonical prover. To deal with adaptive extractors, we propose the following
construction of an adaptive chain prover Pn from any prover P. It follows the
idea of Shoup and Gennaro [1] in making a chain of challenges (in this case
proofs) where each challenge depends on all previous ones and then asking queries
on them in reverse order. This way, the obvious rewinding extractor using special
soundness will take exponential time.
To make each challenge depend on previous ones, we use a function F to
update the random string for each of the n contained copies of P based on the
(random oracle) state of the previous copy. The nal parameter l returned by
P is the list of all random oracle queries made by this copy. Recall that P(r)
means run prover P on random string r∈R where R is the randomness space
for this prover.

Denition 11 (adaptive chain prover). Let (Π, prove, verify) be a proof

scheme for (X, W, ρ). Let P be any prover (in the ROM) and let R be its random-
ness space. Let L be the space of possible random oracle input/output transcripts.
Let F : R × L → R be a function (which does not depend on the random oracle).
The adaptive chain prover P n of order n w.r.t. function F is the algorithm in
Figure 2, taking an r ∈ R as input.

4
The original denition gave the extractor an extra list oracle to query the prover's
random oracle list. Our presentation is equivalent.

11
 5 for i = n, 1, -1 do
n 6 output (xi , πi )
P (r):
7 input w0
1 for i = 1, n do 8 if not ρ(xi , w0 ) then
2 (xi , πi , l) ← P(r) 9 halt
3 r ← F (r, l) 10 end
4 end 11 end

Fig. 2. The adaptive chain prover P n.

Later on, we will take F to be a (pseudo-)random function. This has the

eect that two copies of P n that get identical answers to their random oracle
queries will behave identically, but two copies of Pn that fork will behave as
copies of P with independent random strings from the forking point onwards.
The intuition behind this construction is that having access to copies of P on
some uniformly random string r0 cannot help you extract from a copy P(r), as
long as r and r0 are independent  certainly, an extractor could always simulate
such copies herself if the code of P is known. We will use this idea to show that
forking a copy of Pn is no help in extracting from the proofs made later on by
another copy.

5 Limitations of the Fiat-Shamir transformation

We recall the hierarchy of security denitions for functions (the last is the
strongest): one-way / Σ -one-way / weak one-more one-way / one-more one-way.
Known limitations. Seurin and Treger [10] proved that Fiat-Shamir-Schnorr can-
not have a non-programming straight-line extractor unless the underlying func-
tion is not one-way (i.e. one can take discrete logarithms). The following theorem
generalizes this result to the case of arbitrary Σ -protocols.
Theorem 12. Suppose there is a non-programming straight-line extractor K for
the proof scheme Fφ . Then φ is not one-way. Specically, there is an algorithm
breaking one-wayness with approximately the same running time and success
probability as the extractor K has against the canonical prover PC .
Letx be a challenge from the one-way game for φ; we need to nd a w0 such
0
that φ(w ) = x. We simulate a proof: pick s  W , c  k and a ← φ(s) − c · x.
Then we give the extractor the statement x, proof (a, s) and a list of random
oracle queries consisting of the entry RO(x, a) = c. These elements are identically
distributed to what the extractor would see in an execution with the canonical
prover PC for Σφ . We pass any witness w0 returned by the extractor on to the
challenger to win with the same success probability. q.e.d.
Bernhard et al. [12] showed that substituting an adaptive extractor for a
straight-line one gets a similar result for the one-more one-wayness assumption
on the function φ  the proof of this theorem is nontrivial however. While

12
their original proof only concerned Fiat-Shamir-Schnorr, a close inspection of
the proof shows that it works for any Σ protocol and that the weak one-more
assumption is sucient too. In summary.

Theorem 13. Suppose that there is an ecient adaptive extractor for Fφ . Then
φ is not weak one-more one-way.
We will not re-prove the theorem here. As to running time, as long as the
extractor makes fewer than 2n queries when running against a particular prover
then the reduction to weak one-more one-wayness runs in the same time as the
extractor, but its success probability is the inverse of the number of copies of the
prover that the extractor causes to be invoked. Although Bernhard et al. [12]
only prove the theorem for the case of the Fiat-Shamir-Schnorr protocol, their
reduction is black box in the sense that it only needs to be able to sample and
open instances of the underlying Sigma protocol. The exact same proof will work
for our generalisation. We can write the prover in the cited theorem as (PC )n ,
the adaptive chain prover derived from the canonical prover. This will allow us
to conclude that any extractor against the chain prover implies a straight-line
extractor against the canonical prover PC .

New Results. If we switch to a programming straight-line extractor, we can

show a separation result under the Σ -one-wayness assumption.

Theorem 14. Suppose there is a programming straight-line extractor K for Fφ .

Then φ is not Σ -one-way. Specically, there exists a reduction with approxi-
mately the same running time and the same success probability as the extractor
K against the canonical prover PC .

We simulate the canonical prover towards the extractor. Receive x, a from the
Σ -one-way challenger and ask the random oracle query c ← RO(x, a) (which the
extractor answers). Then send c to the Σ -one-way challenger to get s and send
(x, a, s) to the extractor. Again, whenever the extractor provides the correct w0 ,
we win against the challenger. q.e.d.
This result is new, but not surprising  Fiat-Shamir transformed Sigma
protocols are not supposed to be straight-line extractable and the Σ -one-wayness
property is constructed exactly to make this reduction work. The value of said
property is that we can also use it for adaptive extractors.
Our main contribution in this paper is a new theorem that says all adaptive
proofs in the ROM admit a straight-line extractor.

Theorem 15. Consider any non-interactive ROM proof scheme with an adap-
tive extractor K. Suppose that, running against any n-prover Pb, the extractor
K causes at most f (n) < 2n copies of the prover to be run in the experiment
and answers all extraction queries of the main run correctly with probability at
least p(n) > 0. Then there is a programming straight-line extractor against any
non-adaptive prover P with success probability p(n)/(n · f (n)).

13
 Applying this theorem to Fiat-Shamir transformed Sigma protocols gets us
the following insight.

Corollary 16. Suppose that the Fiat-Shamir transformed Sigma protocol Fφ is

adaptively secure. Then φ is not Σ -one-way secure.
For the corollary, note that we have a programming straight-line extractor
against the canonical prover PC by applying Theorem 15 to the prover (PC )n .
The result then follows from Theorem 14.
We sketch the proof here and provide the full argument in the appendices.
Let P be a non-adaptive prover. We construct a simulator Sn that is indistin-
guishable from the black box providing rewinding access for multiple copies of
P n. The point of the simulator is that it shares state between the copies. We
then guess which instance of the prover (specically, which proof ) the extrac-
tor is going to answer without forking and inject the Σ -one-wayness challenge
into it. The same combinatorial argument as in the proof of Bernhard et al. [12]
shows that such an instance must exist if the extractor launches fewer than 2n
copies of the prover.
The core of such a simulation argument is to keep track of a history of each
instance of the prover, since two copies of the prover with identical histories
(PC )n , this history is implicitly
must behave identically towards the extractor. In
tracked in the randomness r used for each copy of PC , however a collision in the
random oracle could lead to two copies with dierent histories merging. Our
simulator computes an explicit history instead, namely the list of all random
oracle queries so far.
As in Bernhard et al. [12] we dene an event E that occurs whenever a
copy of the prover gets its extraction query answered without having a partner
(another copy, from which the witness was extracted by forking and special
soundness). The novelty in our proof is that because we have cast the prover as
a chain (PC )n with suitable state tracking, we can show that event E implies
not only a break of the chain prover but also of one of the contained canonical
provers PC . We then show that, if the simulator guessed correctly, event E
implies that the simulator can solve its Σ -one-wayness challenge. This is a much
weaker assumption than one-more one-wayness.

6 Generic hardness of Σ -one-wayness

In this section we show that Fiat-Shamir transformed Sigma Fφ is not adaptively

secure in the generic setting. Thus if we want to build a protocol where we need
an adaptively secure proof (such as to get CCA encryption), we would not use
Fφ . By Corollary 16 we just need to prove that φ is Σ−one-way secure in the
generic group model (GGM). Again, let X, W be vector spaces over k and
φ : W → X be a k -linear map. We assume that k is a nite eld and X,W
are nite dimensional, since sampling uniformly from an innite set does not
make much sense. Let b1 , b2 , ..., bn be basis vectors of X, where dim(X ) =n and

14
{b1 , ..., bs } be a basis for Im(φ). For each 1≤i≤s denote ai to be an element
of W so that φ(ai ) = bi .
The generic group model is a model which analyses success of algorithms
against representations of groups which do not reveal any information to ad-
versary. There are many ways to formalise this idea [1315]. We will follow the
denition provided by Shoup [15]. Here, adversary is given access to images of el-
ements of a group under a random injective map σ : X → S ⊂ {0, 1}∗ , called an
encoding function. Group operations can be computed by making oracle queries.
The adversary is given access to two oracles ADD and INV :

ADD(σ(x), σ(y)) = σ(x + y), IN V (σ(x)) = σ(−x).

Note that the adversary cannot get any information from the representation
σ(x) of element x. A generic algorithm A for X on S is a probabilistic algorithm
that takes as input an encoding list (σ(x1 ), σ(x2 ), ..., σ(xl )) where each xi ∈ X
and σ is an encoding function of X on S . As the algorithm executes, it makes
queries to ADD or IN V oracles and then appends outputs of the queries to
the encoding list. The output of A is a bit string denoted as A(σ; x1 , ..., xl ). We
also want to extend the inteface of the model and introduce the F SSr,w oracle:
F SSr,w (c) = r + cw for some r, w ∈ W and c ∈ k . We may assume that when
oracles encounter some σ1 6∈ Im(σ), they return an error message.
Similarly to most of the proofs of generic hardness of computational prob-
lems, we use the Schwartz-Zippel lemma to estimate the probability of a generic
algorithm winning the Σ−one-wayness game. However, we are interested in the
version of this theorem when we sample uniformly from a vector space rather
than a eld.

Lemma 17. Let V be a nite dimensional vector space over k and F be a non-
zero linear polynomial in k[X1 , ..., Xt ]. Then, for x1 , x2 , ..., xt selected at random
independently and uniformly from V the probability that F (x1 , x2 , ..., xt ) = 0 is
at most 1/|V |.
Proof. Note that V k m , where m = dim(V ). Hence we can as-
is isomorphic to
sume without loss of generality that V = k m . Let x1 , ..., xt be uniformly random
and independent elements of V and denote xi,j to be the j−th component of xi .
Therefore, since F is linear we have that:

Pr(F (x1 , x2 , ..., xn ) = 0) = Pr(F (x1,1 , ..., xt,1 ) = 0, ..., F (x1,m , ..., xt,m ) = 0)
m
Y
= Pr(F (x1,i , ..., xt,i ) = 0)
i=1
≤ (1/|k|)m = 1/|V |
(1)

by the Schwartz-Zippel lemma.

The next theorem establishes generic hardness of Σ−one-wayness.

15
Theorem 18. Let w, r be random elements of W and A be a generic algorithm
for X on S ⊂ {0, 1}∗ that makes at most m queries to ADD and INV oracles and
exactly one query to F SSr,w oracle. Then the probability that φ(A(σ; b1 , ..., bn , x,
y)) = x is O((m + n)2 /|X | + |ker(φ)|/|W|), where x = φ(w) and y = φ(r).

Full proof is provided in the appendix. Here we skip the details and only
show brief sketch of it. We use techniques suggested by Shoup [4] and introduce
a Polynomial Simulation Model (PSM). We dene indeterminants X and Y and
keep lists of polynomials Fi0 s in k[X, Y ]. Each polynomial Fi has corresponding
values zi ∈ W ∪ {⊥} and σi ∈ S . We can think of them as preimages of Fi (x, y)
w.r.t. φ and σ(Fi (x, y)) respectively. At the beginning we set Fi = bi for i =
1, 2, ..., n, Fn+1 = X, Fn+2 = Y , zi = ai for i = 1, 2, ..., s and ⊥ for i = s +
1, ..., n+2, and σ1 , σ2 , ..., σn+2 are chosen at random, but σi 6= σj for 1 ≤ i < j ≤
n. When query to ADD or IN V oracle occurs, we perform the same operation
on our polynomials corresponding to the input of the query. If extraction query
is made, we return a random value from W . We have to remember to update zi0 s
after every query.
Note that if for every Fi 6= Fj we have Fi (x, y) 6= Fj (x, y) (i.e. no collision
occurs) then adversary is not able to spot the dierence between the GGM and
PSM. We use Lemma 17 to nd upper bound on the probability of such an event.
Then we easily argue that adversary cannot win the game in the model we just
dened by showing that zn+1 = ⊥.
Theorem 18 implies that every generic algorithm A, which
p wins Σ−one-
wayness with high probability, must perform at least
p Ω(α |X |) group opera-
tions, where α =p 1 − |ker(φ)|/|W|. In particular, if W is large then we get the
lower bound Ω( |X |) for IES by choosing φ(w) = g w .

7 Reducing to DLOG?

Given a non-programming straight line extractor in the ROM for a Fiat-Shamir

transformed Sigma protocol Fφ we can break one-wayness of φ; for a program-
ming extractor or an adaptive extractor we can break Σ -one-wayness. This raises
the question, can we break one-wayness given a programming extractor? Our
answer is negative. We give the argument for the case of Schnorr proofs where
one-wayness is the discrete logarithm (DLOG) problem; this also implies that
there can be no generic metareduction to one-wayness for any Sigma protocol.
The metareductions in the theorems of Seurin and Treger [10], Bernhard et
al. [12] and this paper are all algebraic (in the sense of Paillier and Vergnaud)
[4] over the vector space
5 X, the range of the function φ. We therefore consider
it a meaningful result to show that no algebraic metareduction to DLOG can
exist (unless DLOG is already easy).

5
Paillier and Vergnaud dened the algerbraic model for groups; one can interpret
a GF (p) vector space as an Abelian group to use their denition of the algebraic
model.

16
Theorem 19. If there is an algebraic metareduction from a programming straight-
line extractor for Fiat-Shamir-Schnorr proofs to the DLOG problem then there
is also a meta-metareduction breaking the DLOG problem directly with approxi-
mately the same success probability.
The proof is in the appendix. The idea is that a metareduction M gets
to see two bases in the group: the generator g and the challenge h from its
DLOG challenger. Since we assumed a programming extractor, M must ask its
random oracle queries to its extractor interface where our meta-metareduction
will answer them. Any statement output by M (to the extractor) therefore has
the form (g a hb ) for some (a, b) which are available to our meta-metareduction
by use of the algebraic model. Proofs of the form (a, 0) are independent of the
challenge h; intuitively they should not help to compute the discrete logarithm
of h so we just return the witness a. The rst time M outputs a proof with a
statement of the form (a, b) with b 6= 0, we fork M on the relevant random oracle
query and use special soundness to nd the discrete logarithm of h to basis g .

8 Conclusions

Bernhard et al. introduced adaptive proofs, setting up a hierarchy of (1) proofs

of knowledge (2) adaptive proofs and (3) straight-line extractable proofs, with
a separation between (1) and (2). While useful for proving limitations of Sigma
protocols, we have showed that adaptive proofs are not a new class of proof
after all: all adaptively secure proofs admit a straight-line extractor against the
canonical prover.
Along the way we have generalised previous results from Schnorr's protocol
to Sigma protocols. In addition, we have weakened the counter-assumption from
one-more one-wayness, which is a  q -type interactive assumption (adversary
gets an unbounded number of sample queries) and is not eciently realisable
to Σ -one-wayness, which both has a constant number of steps and an ecient
security game.
Our result shows that the Fiat-Shamir transformation and Sigma protocols in
general may be even weaker than previously thought. Namely, the non-interactive
proof scheme Fφ only achieves adaptive security if a single execution of the inter-
active protocol Σφ against a dishonest verier already leaks the secret witness
with non-negligible probability. In such a case, the use of any Sigma-protocol
based scheme for φ is highly questionable.

17
References

1. V. Shoup and R. Gennaro. Securing Threshold Cryptosystems Against

Chosen-Ciphertext Attack. In: Advances in Cryptology (Eurocrypt '98),
LNCS 1403, pages 116, 1998.
2. M. Bellare, C. Namprempre, D. Pointcheval and M. Semanko. The One-
More-RSA-Inversion Problems and the Security of Chaum's Blind Signature
Scheme. eprint 2001/002. Originally appeared as The Power of RSA Inversion
Oracles and the Security of Chaum's RSA-Based Blind Signature Scheme in
Financial Cryptography, LNCS 2339, pages 319338, Springer 2001.
3. M. Fischlin. Communication-Ecient Non-Interactive Proofs of Knowledge
with Online Extractors. In: Proceedings of the 25th annual international
cryptology conference on advances in cryptology (CRYPTO '05), pages 152
168, 2005.
4. P. Paillier and D. Vergnaud. Discrete-Log Based Signatures may not be Equiv-
alent to Discrete Log. In: Asiacrypt '05, LNCS 3788, pages 120, Springer
2005.
5. M. Bellare and P. Rogaway. Code-based game-playing proofs and the security
of triple encryption. In: Advances in Cryptology  Eurocrypt '06, LNCS
4004, pages 409426, 2006. The title cited is from the latest version on eprint
at http://eprint.iacr.org/2004/331.
6. D. Brown. Irreducibility to the One-More Evaluation Problems: More May
Be Less. eprint 2007/435.
7. E. Bresson, J. Monnerat and D. Vergnaud. Separation Results on the One-
More Computational Problems. In: CT-RSA '08, LNCS 4964, pages 7187,
Springer 2008.
8. N. Koblitz and A. Menezes. Another look at non-standard discrete log and
Die-Hellman problems. In: Journal of Mathematical Cryptology, vol. 2 issue
4, pages 311326, 2008. eprint 2007/442.
9. M. Fischlin and N. Fleischhacker. Limitations of the Meta-Reduction Tech-
nique: The Case of Schnorr Signatures. In: Eurocrypt '13, LNCS 7881, pages
444460, Springer 2013. eprint 2013/140.
10. Y. Seurin and J. Treger. A Robust and Plaintext-Aware Variant of Signed
ElGamal Encryption. In: CT-RSA LNCS 7779, pages 6883, Springer 2013.
11. David Bernhard. Zero-Knowledge Proofs in Theory and Practice. PhD
thesis, University of Bristol, 2014. Available at www.cs.bris.ac.uk/$\
sim$bernhard/papers.html
12. David Bernhard, Marc Fischlin and Bogdan Warinschi. Adaptive Proofs of
Knowledge in the Random Oracle Model. PKC '15, LNCS 9020, Springer,
pages 629649, 2015.
13. Maurer, Ueli. Abstract models of computation in cryptography. IMA Interna-
tional Conference on Cryptography and Coding. Springer Berlin Heidelberg,
2005.
14. Nechaev, Vassiliy Ilyich. Complexity of a determinate algorithm for the dis-
crete logarithm. Mathematical Notes 55.2 (1994): 165-172.
15. Shoup, Victor. Lower bounds for discrete logarithms and related problems.
International Conference on the Theory and Applications of Cryptographic
Techniques. Springer Berlin Heidelberg, 1997.

18
 ?
game description loss

B / Pn initial game 
B1 single copy of F ≡
B2 memoize F ≡
B3 switch F for random function ≡ or ∆PRF (F )
B4 lazy sampling ≡
B5 / S n change random inputs pcoll

?
≡: games are equivalent. ∆PRF (F ): distinguishing advantage between F and a
random function. pcoll : probability of a collision.

Fig. 3. Game-hops to construct the simulator S n.

A Proof of Theorem 15

Recall that a prover P is an algorithm that may take some random input r∈R
(for a randomness space R specic to the prover), may make random oracle
queries and eventually outputs a statement/proof pair (x, π). For any prover P,
the prover Pn is the construction described in Denition 11. If a proof scheme is
adaptively secure, there is an extractor K that can win the adaptive game against
any n-prover. In particular it wins against P n for any (non-adaptive) prover P .
We show how use this extractor to build a straight-line extractor against P .
Recall that in the extraction game the knowledge extractor needs to extract all
witnesses corresponding to a run of the malicious adaptive prover and that in
the process the extractor has access to a number of copies of the prover, all using
the same coins as the main run.

A.1 The simulator S n

We will construct a simulator Sn that is indistinguishable from a black box
providing access to multiple copies of P n. The proof of this fact uses a number
of game-hops summarised in Figure 3. We begin with a black box B that provides
access to multiple copies of P n, all running with the same random string r and
containing their own copy of the function F.
Hop 1. We replace all copies of F with one single copy, shared between the
instances of P n, to get a new black box B1 . Since functions are stateless, deter-
ministic, non-interactive (F may not depend on the random oracle) and their
output is completely determined by their inputs on each call, this transformation
does not change the behaviour of the black box. Call the new algorithm thus
obtained B1 .
Hop 2. Next, we memoize access to F: whenever a call is made on fresh
inputs, we call the function F on these inputs and store the inputs and the
output in a table R. Whenever a call is made on inputs already in the table,
we return the stored output directly without calling F. This gives us a new
box B2 . The properties of a function mentioned in the last step imply that this
transformation too does not change the behaviour of the black box.

19
1 oracle random(r, l)
2 if not T [(r, l)] then
3 T [(r, l)]  R
4 end
5 return T [(r, l)]

Fig. 4. A random function R × L → R.

Hop 3. We switch F for a random function R × L → R, giving a new black

box B3 . Since F was a pseudorandom function, any environment distinguishing
B2 from B3 reduces to a distinguisher between F and a random function with
the same distinguishing advantage.
Hop 4. A random function has the property that its outputs on any two
distinct inputs are independent and uniformly random in its codomain. We can
replace all remaining calls to the random function by its memoizer drawing fresh,
uniform randomness from R itself, so-called lazy sampling. This does not change
the behaviour of the black box. Call this memoizer algorithm random. We give
its current operation in Figure 4 and call the new black box B4 .
Hop 5. The only use that random makes of its parameters r, l is to answer
repeated calls with the same parameters consistently. A call random(r, l) occurs
0
when a new random string r is required for a copy of P to be run as part of a
n
copy of P ; when this call occurs, l is the list of all random oracle calls made
n
by the last copy of P that is part of the copy of P making the call and r is a
function of the initial randomness r0 and the lists l of all previous copies of P
n
that were part of the copy of P making the call.
We replace these parameters (r, l), in both random and its caller P , by the
n

list of all random oracle queries that all copies of P simulated by this copy of
P n have made so far. For P n , this means that it must keep a list T of all oracle
queries made so far and after every copy of P nishes, append the list l of this
copy to its list T . Call the black box with this change made to all its copies of
P n , algorithm B5 . The code with which B5 simulates a copy of P n is in Figure 5.
Algorithms B4 and B5 are indistinguishable if R is large enough, as the following
results show.

Claim. For an adversary who causes up to m copies of P to be launched, the

probability of distinguishing B4 and B5 is at most (m + m2 )/|R|.

Corollary 20. If n is a security parameter, m is polynomial in n and |R| ≈ 2n

then the distinguishing advantage between B4 and B5 is negligible in n.

The proof of Claim A.1 is an induction over all calls to random that occur in
an execution trace. Before the rst call, the table T will be empty so the rst
value returned from random will be uniformly distributed in R in both B4 and
B5 .

20
 1 algorithm random(t) -- called only as a subroutine from prover.
2 if not T [t] then -- if undefined at this point
3 T [t]  R
4 end
5 return T [t]
6
7 algorithm prover(r)
8 for i = 1, n do
9 (xi , πi , l) ← P(r)
10 Q ← Q :: l
11 r ← random(Q)
12 end
13 for i = n, 1, -1 do
14 w0 ← extract(xi , πi )
15 if not ρ(xi , w0 ) then
16 halt
17 end
18 end

Fig. 5. The lazy simulator Sn . Each prover Pn is simulated by a copy of prover(r);

algorithm random is shared between all provers.

For any following call, there are two cases. The rst is that the call is fresh,
i.e. random ends up drawing a new random value. In both B4 and B5 , these
values are uniformly distributed in R and independent of previous values.

The second case is that a call is made on a value already recorded in T.

In B5 , this can only happen if the current and previous caller (who caused the
relevant T -entry to be made) represent copies of P n with the exact same random
oracle history, since the index into T is the entire random oracle history of the
n
current copy. In B4 , two copies of P with the same history will also trigger the
same random call, but it is also possible that a r -value collides with a previously
n
chosen one. If this happens, the next copy of P in the current copy of P will
run on the same randomness r as some previous copy of P in another copy of
6
P n , even though the random oracle histories of the two P n copies are not the
same. This is the only case in which the output distributions of B4 and B5 can
dier.

We compute the probability of a collision in the output of random. The

probability of hitting r0
1/|R|. The probability of a collision between two calls
is
2
when there are m calls in total is bounded by m /|R| (the birthday bound).
Together, this means that an adversary triggering at most m copies of P (each
of which leads to one random call) triggers a collision with probability at most
(m + m2 )/|R|. q.e.d.

6
This may also be the same copy of Pn at an earlier point in time, when it had a
dierent (shorter) random oracle history.

21
 Before we continue, we dene some terms that we will use in the following
claims and proofs.

Simulator S n . The collection of B5 and all copies of the adaptive prover P

that it launches is called the simulator S n.
Collision. In an execution of Sn with initial randomness r0 , a collision is the
event that either a random sample drawn in random hits the value r0 or two
such samples hit the same value.
Partner. A copy of P simulated by Sn which has completed its execution with
random stringr and random oracle history s has a partner if there is some
other copy of P with the same random string r but a dierent random oracle
0
history s 6= s. (Partnership is symmetric but not reexive.)
Event E . In an execution of S n , the event E occurs if the environment with
n
which S is interacting answers an extraction query for a copy of P that
does not have a partner.
Depth. The depth of an extraction query in an execution of the prover Pn is
the index of this query in the execution history: the rst extraction query
has depth 1, the second depth 2 etc.

A.2 Rewinding is exponential

The rest of the proof is a case distinction on an event that we call event E. If
event E does not occur in an execution of Sn (and there are no collisions, the
probability of which we already bounded above) then any successful extractor
must take exponential time. Informally, if event E occurs then the extractor
has taken a discrete logarithm somewhere; formally we build a metareduction
that straight-line extracts from a single prover P and succeeds with the same
probability as that of event E occurring.

Denition 21. The event E occurs in an execution of S n if the extractor an-

swers an extraction query for a copy of P that does not have a partner: no other
copy of P has been simulated that used the same random string r as the current
one but got a dierent answer to at least one random oracle query.
First, we deal with the case that event E does not occur. For a completed copy
of P, we say that it used parameters (r, s) if it ran on input r and s is the list
of its random oracle queries and responses.

Lemma 22. Consider a run of the simulator S n and assume that neither a
collision nor event E have occurred. Suppose that some simulated copy of P n
gets a correct answer to an extraction query at some depth k, for a copy of P
with random string r and random oracle history s. Then there are at least 2k−1
copies of P n that have been simulated by S n so far which have completed their
rst loop and used (r, s) for the (n − k + 1)-st pass through this loop.
Corollary 23. As long as collisions and event E do not occur in a run of S n ,
any corretly answered extraction query at depth k implies that the extractor has

22
launched at least 2k copies of the prover P n . In particular, if the extractor wins
the adaptive proof game against S n then there must have been at least 2n copies
of P n that were simulated by S n .
We prove the corollary rst. For the extractor to win, either a prover must
have made an invalid proof  but the canonical prover never does this  or
the extractor must have answered all the main prover's n queries correctly. In
particular it has answered the main prover's query at depth n correctly, and this
query must have a partner (or else we would have event E ).
k−1
By Lemma 22, both the query and its partner must each have 2 associated
n
copies of P . These copies cannot overlap: suppose the extractor answers some
0 0 k−1
query for parameters (r, s) with partner (r, s ) and s 6= s . Then there are 2
copies of the prover with (r, s) as their parameters for the (n − k + 1)-st copy of
P and 2k−1 copies of the prover P n with (r, s0 ) in the same position, for a total
k n
of 2 copies of P . q.e.d.
This is the proof of Lemma 22, by induction on k . For k = 1 the lemma says
n
that there is at least one copy of P which ran on the parameters leading to the
query in question, which is certainly true. Since the extraction queries are made
in reverse order, a query at depth k corresponds to the (n − k + 1)-st copy of P
in a copy of P n . Suppose that case k is proven and consider an extraction query
n n
at depth k + 1 with parameters (r, s) in some copy of P . Since this copy of P
has progressed to its (k + 1)-st query, it must have got an answer to its k -th
0 0
query, let's call the parameters in this k -th query (r , s ). Since this query was
answered without event E occurring, it must have a partner. By the induction
k−1 n
hypothesis, there are 2 copies of P around that had their (n − k + 1)-st copy
0 0
of P run on parameters (r , s ). This means that all these copies must have used
the same random strings and oracle histories for queries 1, . . . , n − k or we would
0
have a collision on r . In particular, they used the same parameters for query
n − k = n − (k + 1) + 1; these parameters correspond to the (k + 1)-st extraction
k
query so they must be (r, s). This gives us one half of the required 2 copies to
prove the induction step.
Let's look at the copy of Pn that made the extraction query on the partner
0 00 0 0
(r , s ) of (r , s ). By the previous claim, this query must also have been at depth
k or we would have a collision. Using the induction hypothesis, we nd a further
2k−1 copies of P n that have (r0 , s00 ) at their (n − k + 1)-st position. These copies
are distinct from the ones we found in the last step since their (n − k + 1)-st
00 0
random oracle history element is s which is distinct from s . But by the same
reasoning as above, these copies must have (r, s) at position n − k so we have
k
found 2 copies with this property, concluding the induction and the proof of
Lemma 22. q.e.d.

A.3 Adaptive proofs are straight line

Finally, we give a metareduction that works when event E does occur and the
metareduction guesses correctly where to hide the challenge.

23
Lemma 24. There is a metareduction M as follows. Take any adaptive extrac-
tor K that, in the n-proof game for any n, launches at most f (n) copies of the
adaptive prover, wins with probability at least p(n); event E occurs with probabil-
ity e(n) given that the extractor wins. Then the metareduction M with black-box
access to K is a programmable straight-line extractor against any non-adaptive
prover P (with randomness space R) for the scheme in question with success
probability at least
e(n)p(n) nf (n) + n2 f (n)2
−
n · f (n) |R|

Assume that F is a (pseudo-) random function R×L → R and that K is an

adaptive extractor as dened in the lemma. Consider an execution of K against
Sn
the simulator for the prover P n. The probability of a collision is bounded by
2
(m + m )/|R(n)| where m is the number of random values r drawn in the entire
execution; since there are at most f (n) simulated adaptive provers Pn each of
which simulates n canonical provers, we have m = n · f (n).
We choose one of the up to n · f (n) provers P at random and replace it with
the challenge instance from which we want to straight-line extract. The extractor
may be choosing the random oracle responses of this instance if it is not part
of the main copy of P n, this is ne as we are constructing a programming
extractor. If there is no collision, with probability e(n)/(n · f (n)) we placed
the challenge in a prover that never obtains a partner and so we never have to
rewind the challenge prover (if we guessed wrongly, we abort the metareduction).
With probability at least p(n), the execution will return the correct witness to
the challenger (otherwise the extractor cannot win) and so the metareduction
obtains the correct witness for the challenge copy of the prover P, making it a
straight-line extractor. q.e.d.
Now suppose that the extractor K is ecient. This means that (at least from
some n0 onwards) we have f (n) < 2n , in which case the extractor winning implies
event E has occurred by the corollary to Lemma 22. So we must have e(n) = 1
(from some n0 onwards). If further |R(n)| is exponentially large in n then the
collision term is negligible in n  this is certainly the case for Sigma protocols
where R must encompass at least the domain of the function φ; if this is not
large enough then φ cannot even be one-way. This leaves us with a probability
p(n)/(n · f (n)) − negl. that the metareduction succeeds.

B Proof of Theorem 18

First of all, we dene a Polynomial Simulation Model.

Denition 25. Polynomial Simulation Model (PSM) is a model dened in Fig-

ure 6 which provides the same interface as Generic Group Model.
We simulate oracle queries as follows: let V be the set of indeterminants of
size v + 2. At any step in the simulation, the algorithm has computed a list
F [1], ..., F [t] of linear polynomials in k[V1 , ..., Vv+2 ], where V = {V1 , ..., Vv+2 },

24
along with a list z[1], ..., z[t] of values in k ∪ {⊥}, list e[1], ..., e[t] of values in S
and also a polynomial D and a value zD ∈ W . One can observe that if we make
a group operation in GGM, we can make an analogous operation on polynomials
in PSM. We might think of e[i] and z[i] as representations of σ(F [i](x, y)) and
preimage of F [i](x, y) w.r.t. φ respectively.

We want to show that view of adversary in both models is identical, unless

a collision occurs - this term will be introduced later. The main result is as
follows:

Claim. Denote C A and let AC

as sequence of coin ips made by GGM be an output
C
of A in the generic group model. Similarly, we dene AP SM for the polynomial
C C
simulation model. Let α = |Pr[φ(AGGM ) = x] − Pr[φ(AP SM ) = x]|. Then

α = O((m + n)2 /|X |).

Proof. Let us run A in GGM and PSM and let N = {σ1 , ..., σα } be the set of
values σi in k such that when A used σi as input of oracle queries then σi had not
been already on the encoding list (in GGM). We introduce a notion of collision.

Denition 26. Let x1 , ..., xα be elements of k so that σ(xi ) = σi and E be an

event such that there exist i, j so that F [i] 6= F [j] and F [i](x, y, x1 , ..., xα ) =
F [j](x, y, x1 , ..., xα ). We say that E is a collision.
First, we will nd an upper bound on probability that a collision occurs.

Lemma 27. Pr[E] = O((m + n)2 /|X |).

Proof. Let us choose i, j such that F [i] 6= F [j]. Note that the total degree of
F [i] − F [j] is at most 1 and F [i](x, y, x1 , ..., xα ) = F [j](x, y, x1 , ..., xα ) is equiv-
alent to F [i](x, y, x1 , ..., xα ) − F [j](x, y, x1 , ..., xα ) = 0. This occurs with prob-
ability at most 1/|X | by Lemma 1. By checking all possible pairs we obtain an
2
upper bound for Pr[E], which is O((m + n) /|X |).

We are interested in view of adversary when Ē holds i.e. when there is no collision.
The following lemma states that view of adversary in GGM and PSM is identical
given Ē .
Lemma 28. Pr[φ(ACGGM ) = x|Ē] = Pr[φ(ACP SM ) = x|Ē].
Proof. Clearly, the probability of getting initial values for σ(b1 ), ..., σ(bn ), σ(x)
and σ(y) in both models are the same. Hence we just need to show that for
any sequence of oracle queries, the probability that adversary gets exact val-
ues from oracles in GGM and PSM are equal. We formalise this idea: dene
(D1 , D2 , .., Dt ; d1 , ..., dt )X to be an event that A makes queries D1 , ..., Dt (in
this particular order) in model X and for query Di , an oracle outputs di . We
claim that for any queries D1 , ..., Dt and any d1 , ..., dt we have

Pr[(D1 , .., Dt ; d1 , ..., dt )GGM ] = Pr[(D1 , .., Dt ; d1 , ..., dt )P SM ].

25
We will prove this statement by induction on t. Clearly the statement holds for
t = 0. Suppose that it holds for some non-negative t.
Let PX = Pr[(Dt+1 ; dt+1 )X |(D1 , .., Dt ; d1 , ..., dt )X ]. Note that:

Pr[(D1 , .., Dt+1 ; d1 , ..., dt+1 )X ] = PX · Pr[(D1 , .., Dt ; d1 , ..., dt )X ].

By inductive hypothesis we just need to show that PGGM = PP SM . Consider

the cases for Dt+1 :
Case 1 - Dt+1 = ADD(a, b) or Dt+1 = IN V (a) : since these two cases are very
similar, we will only consider the case when the next query is an addition query.
In PSM we have a = e[i] and b = e[j] for some i, j . Now, if polynomial F [i]+F [j]
has already been added to the list F i.e. F [l] = F [i] + F [j], then it returns e[l].
Note that e[l] has been an output of a query made before, hence e[l] = du for
some u ≤ t. In GGM, however, adversary can expand the preimages of a and b in
terms of x, y, x1 , ..., xα . Let p, q be elements of X so that σ(p) = a and σ(q) = b.
Then A can write down a = f (x, y, x1 , ..., xα ) and b = g(x, y, x1 , ..., xα ) for
some linear polynomials f, g . The key observation is that {F [i] − f, F [j] − g} ⊂
Span(D − zD ), where D and zD are dened in PSM. Similarly, A can write
down c = h(x, y, x1 , ..., xα ) for some linear polynomial h, where σ(c) = e[l], and
we have F [l] − h ∈ Span(D − zD ), assuming no collision occurs. Hence we get
c = h(x, y, x1 , ..., xα ) = f (x, y, x1 , ..., xα ) + g(x, y, x1 , ..., xα ) = p + q . Therefore,
given Ē the ADD oracle will also return e[l]. Now, if F [i] + F [j] has not been
added to the list then in PSM the ADD oracle returns a random element in
S\e. So if dk+1 ∈ S\e, then PP SM = 1/|S\e| and 0 otherwise. Since no collision
occurs, the oracle in GGM will also return a random value from S , distinct from
the elements on the encoding list. Hence we conclude that PP SM = PGGM .
Case 2 - Dt+1 = F SSr,w (c): when the oracle in PSM is given c, she returns
a random value in W . Therefore PP SM = 1/|W|. Now, we need to prove that
PGGM = 1/|W|. Clearly, it is equivalent to showing that there are exactly |W|
solutions (counting with order) to the equation: r + cw = dt+1 , where w, r are
unknown. Note that we can choose w in |W| ways and then we just adjust r to
2
get a solution. Hence PGGM = |W|/|W| = 1/|W| = PP SM . Thus the lemma
holds.

Finally, by Lemmas 27 and 28 we get:

α = |Pr[φ(AC C
GGM ) = x|E] · Pr[E] + Pr[φ(AGGM ) = x|Ē] · Pr[Ē]

− Pr[φ(AC C
P SM ) = x|E] · Pr[E] + Pr[φ(AP SM ) = x|Ē] · Pr[Ē]|
(2)
= Pr[E] · |(Pr[φ(AC C
GGM ) = x|Ē] − Pr[φ(AP SM ) = x|Ē])|
≤ Pr[E] = O((m + n)2 /|X |).

Now, in order to show that a generic algorithm cannot win the Σ−one-wayness
game in PSM with high probability, we just need the following lemma:

Lemma 29. When the generic algorithm A terminates, we have z[n + 1] = ⊥.

26
Proof. Suppose that z[n + 1] 6= ⊥. We can dene W = Span{b1 , b2 , ..., bs , D}
to be a subspace of k[X, Y, X1 , ..., Xv ] with dim(W ) = s + 1. On the other
hand, note that for every i we have z[i] 6= ⊥ ⇐⇒ F [i] ∈ W . Indeed, this
follows straight from the design of PSM. Thus F [n + 1] = X ∈ W . Therefore,
F [n + 2] = Y = (Y + cX) − cX = D − cX ∈ W , for some c ∈ k . Note that
F [1], F [2], ..., F [s], F [n + 1], F [n + 2] are clearly linearly independent, so s + 2 ≤
dim(W ) = s + 1, contradiction.

The lemma above implies that a generic algorithm A is not able to win the
game in Polynomial Simulation Model unless it randomly guesses the witness.
C
We deduce that Pr[φ(AP SM ) = x] = O(|ker(φ)|/|W|). So by this observation
and Claim B the statement of Theorem 18 holds.

C Proof of Theorem 19

An algorithm is algebraic over a group G in the sense of Paillier and Vergnaud [4]
if the only operations that it applies to group elements are the group operation
and derived ones (e.g. inversion, exponentiation). We chose to dene Sigma pro-
tocols over vector spaces rather than groups; one can interpret a GF (p) vector
space as an Abelian group to use the algebraic model. Vector addition becomes
the group operation and scalar multiplication becomes group exponentiation;
for the Schnorr protocol one recovers the usual denition over a group G with
generator g (but loses sight of the fact that the linearity of x 7→ g x is what makes
the Sigma protocol work).
The algebraic model says that for any algebraic algorithm that has seen
some group elements g1 , . . . , gn ∈ G Q
and outputs a value γ ∈ G, we can extract
n ci
coecients c1 , . . . , cn such that γ = i=1 gi (writing the group operation mul-
tiplicatively). In the language of vector spaces, any output can be expressed as
a linear combination of the input elements.
Fix a group G with generator g . Suppose that there is an algebraic metareduc-
tion M that solves DLOG given access to a programming straight-line extractor
for Schnorr proofs. Such an extractor has the following interface: random oracle
queries are answered like a random oracle and on input a statement/proof pair
(x, (a, s)) that is valid w.r.t. the random oracle queries so far, K outputs the
w
witness w s.t. x = g .
M has access to the group generator g and can obtain a single group element
h from its DLOG challenger. M wins if it can return the discrete logarithm u
u
such that h = g . M may also have access to one or many copies of the extractor
K (the argument is the same in both cases). For every group element γ that M
α β
outputs (to K ), we assume that values α, β are available such that γ = g h .
We write this as γ = [α, β]. Since the extractor K never outputs group elements,
M cannot learn any more bases in the group G.
Now consider the following meta-metareduction µ. Let a challenge h be ob-
tained from a DLOG challenger and give it to M if/when it requests a DLOG
challenge. Whenever M outputs a valid proof (x, (a, s)) for extraction, if the

27
group element x gives us a representation[d, 0] (i.e. independent of h) then
just return d as the witness. The rst time M outputs a valid proof with x
represented as [α, β] for β 6= 0, output the relevant (x, (a, s)) and halt. The
meta-metareduction µ also answers random oracle queries on behalf of M by
calling an external random oracle. Should M output a guess at u without ever
making an extraction query depending on h, then µ returns u to the DLOG
challenger  in this case M must have taken the discrete logarithm itself.
We claim that M cannot distinguish µ from an extractor K until the point
where M outputs a proof depending on h. Indeed, the distribution of all elements
from K  is identical: random oracle responses are consistent and random; re-
turned witnesses are the (unique) discrete logs of the relevant statements x.
Consider the case where M does not extract the discrete logarithm u of
h without making at least one proof depending on h. Then the algorithm µ
(containing M ) is itself a random oracle model prover: it makes RO calls and
outputs a proof (x, (a, s)), namely the rst of M 's proofs that depends on h i.e. x
α β
has representation g h with β 6= 0. We apply the forking lemma to µ to obtain
the discrete logarithm w of x, with overwhelming probability. From this we can
compute the discrete logarithm of h as (w − α)/β (in the eld GF (p) where p is
the group order).
It follows that if M is a metareduction from a programming extractor to
DLOG with advantage α then µ is a meta-metareduction to DLOG directly
with advantage cα (c is the forking lemma factor  a non-negligible constant).
In other words, a reduction from a programming extractor to DLOG can only
exist if DLOG is already easy.
The very same argument works for a metareduction M from an adaptive ex-
tractor for Fiat-Shamir-Schnorr to DLOG: if M never outputs a proof depending
on the challenge h then we can simulate the extractor; otherwise, let µ be the
algorithm that runs M and the simulated extractor up to the rst proof that
does depend on h, then apply the forking lemma.

28
 1 initialise : 34 update (f ):
pi bi for some p1 , ..., ps , q ∈ k then
if f = qD + si=1 P
P
2 V ← [X, Y ] 35
3 v←0 36 return qzD + si=1 pi ai
4 37
F ← [b1 , b2 , ..., bn , X, Y ] else
5 z ← [a1 , a2 , ..., as ] 38 return ⊥
6 for i = s + 1, ..., n + 2 39
7 z ← z :: ⊥ 40 add (a, b):
8 σ1 , σn+1 , ..., σn+2  S 41 if a 6∈ e then
9 e ← [σ1 ] 42 newvar (a)
10 for i = 2, ..., n 43 if b 6∈ e
11 e ← e :: (a  S\e) 44 newvar (b)
12 e ← e :: [σn+1 , σn+2 ] 45 f ← F [i] + F [j], where e[i] = a and e[j] = b
13 D = 0 ∈ k[X, Y ] 46 if f = F [l] for some l then
14 zD = 0 ∈ W 47 return e[l]
15 (σ1 , σ2 , ..., σn+2 ) 48 else
16 49 F ← F :: f
17 50 z ← z :: update (f )
18 newvar (s): 51 s  S\e
19 v ←v+1 52 e ← e :: s
20 V ← V :: Xv 53 return s
21 F ← F :: Xv 54
22 z ← z :: ⊥ 55 inv (a):
23 e ← e :: s 56 if a 6∈ e then
24 57 newvar (a)
25 58 f ← −F [i], where e[i] = a
26 FSS r,w (c): 59 if f = F [l] for some l then
27 rW 60 return e[l]
28 zD ← r 61 else
29 D ← Y + cX 62 F ← F :: f
30 for i = 1, ..., |F | 63 z ← z :: update (f )
31 if update (f ) 6= ⊥ 64 s  S\e
32 z[i] ← update (f )65 e ← e :: s
33 return r 66 return s

Fig. 6. Polynomial Simulation Model

29