
Simulation-Sound Extractability

In document Verifiability Analysis of CHVote (Page 112-115)

IV. Appendix

12.2. Simulation-Sound Extractability

To work with Fiat-Shamir-Schnorr proofs, we propose the following theorem.

Theorem 12.6 Let a Fiat-Shamir-Schnorr proof system be given based on a linear function φ and with a challenge space R.

Let A be any algorithm that may make random oracle queries and G be a game that can make random oracle queries and queries to the following algorithm:

Prove(v ∈ V, w ∈ W) : r ←$ W; t ← φ(r); c ← H(v, t); s ← r + cw; return (v, t, c, s)

Suppose that in an execution of A with G and a random oracle, A ends the execution by returning a valid proof (w.r.t. the oracle) (v, t, c, s) with probability α. Then, if one replaces all Prove queries with simulated queries as described in the proof below, there exists an extractor K that runs A and in addition returns a witness w ∈ W such that φ(w) = v, as long as A does not return one of the simulated proofs, with probability at least

$$\frac{\alpha^2}{\nu}\left(1 - \frac{\nu\sigma}{|R|}\right)^2 \;-\; \frac{\alpha}{|R|}\left(1 - \frac{\nu\sigma}{|R|}\right)$$

for any upper bound ν on the total number of random oracle queries and σ on the total number of simulation queries in the execution.

clearly does not change the distribution of any inputs or outputs — we are just moving around artificial subsystem boundaries — so the adversary still outputs a valid proof with probability α.

Next, we change the random oracle as follows. Let it store a list Q (for “queries”), initially empty. On a random oracle query H(x), if there is a pair (x, y) in Q then we return y, otherwise we delegate to the existing random oracle to get an answer y and store (x, y) in the list Q. Further, we introduce a new procedure

patch(x, y) : if ∃z : (x, z) ∈ Q then abort else add (x, y) to Q

As long as no-one calls patch, we have simply memoized the oracle, so we have not made any changes to the semantics of the game and the probability of A returning a valid proof is still α. Whenever we use patch we will need to argue that its use is unlikely to cause an abort. Call this game G2.

Next, we pick the calls to Prove and replace them with calls to the following algorithm:

Sim(v ∈ V) : s ←$ W; c ←$ R; t ← φ(s) − c·v; patch(t, c); return (v, t, c, s)

Call this game G3. We have to check two properties of this hop.

• The point t is chosen such that it has at least as much entropy as a random point in R (assuming |R| ≤ |V|). Therefore, for an execution where at most ν random oracle queries happen (from both the game and the adversary) and where at most σ simulation queries happen, the probability of aborting in patch is at most νσ/|R|, as each simulation query has a 1/|R| probability of colliding with each previously made random oracle query.

• If the patch does not abort, then the distribution of the returned simulated proofs (v, t, c, s) is identical to the distribution of Prove. Indeed, in both cases the distribution is uniform on (v′, t′, c′, s′) ∈ V × T × R × W subject to the conditions v = v′, H(v′, t′) = c′ and φ(s′) = t′ + c′·v′.

As long as G3 does not abort, the probability of A creating its proof therefore cannot have changed. (A separate argument for each specific game will be needed to show that A cannot return one of the simulated proofs itself.) The probability of A creating a proof is therefore

α′ = α(1 − νσ/|R|).

Finally, we consider the adversary A, the game G3 and the random oracle memoiser (but not the random oracle itself) as an algorithm B that returns whatever A returns. We can now apply the Forking Lemma of Bellare and Neven [1] to this algorithm B to get the result that if B returns a proof with probability α′, which is valid w.r.t. the external oracle (i.e. not one of the simulated proofs), then there is an extractor K that also returns the associated witness with probability (α′)²/ν − α′/|R|. Reordering terms gives us the desired result. q.e.d.

We will use this theorem in the proof of Ballot Verifiability and Confirmed as Intended.
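As an added example (not code from the CHVote analysis), the steps of the proof above instantiated for the linear map φ(w) = G^w in a small constructed prime-order group: the honest Prove, the memoising oracle of G2 with its patch procedure, the simulator Sim of G3, and the witness extraction that the forking argument relies on (two valid proofs sharing (v, t) with distinct challenges). The group parameters, the SHA-256 instantiation of the external oracle and all names are assumptions; the oracle is keyed on (v, t) as in H(v, t) of the theorem statement.

```python
import hashlib, secrets

# Toy group (constructed): P prime, Q = (P-1)/2 prime, G = 4 of order Q; phi(w) = G^w mod P,
# so the additive "t + c*v" of the text reads t * v^c here and "s - c*v" reads G^s * v^(-c).
P, Q, G = 1019, 509, 4
class Oracle:
    """Memoising random oracle of game G2: the list Q of (x, y) pairs plus patch()."""
    def __init__(self):
        self.Q = {}
    def H(self, v, t):
        if (v, t) not in self.Q:   # delegate to the external oracle: a hash into R = Z_Q
            h = hashlib.sha256(f"{v}|{t}".encode()).digest()
            self.Q[(v, t)] = int.from_bytes(h, "big") % Q
        return self.Q[(v, t)]
    def patch(self, x, y):
        if x in self.Q:            # the abort whose probability the proof bounds by nu*sigma/|R|
            raise RuntimeError("patch abort: point already queried")
        self.Q[x] = y

def prove(oracle, v, w, r=None):
    """Prove(v, w): r <-$ W; t = phi(r); c = H(v, t); s = r + c*w. Coins r may be fixed for forking."""
    r = secrets.randbelow(Q) if r is None else r
    t = pow(G, r, P)
    c = oracle.H(v, t)
    return (v, t, c, (r + c * w) % Q)

def verify(oracle, proof):
    v, t, c, s = proof
    return c == oracle.H(v, t) and pow(G, s, P) == t * pow(v, c, P) % P

def simulate(oracle, v):
    """Sim(v): s <-$ W; c <-$ R; t = phi(s) - c*v; patch the oracle so that H(v, t) = c."""
    s, c = secrets.randbelow(Q), secrets.randbelow(Q)
    t = pow(G, s, P) * pow(v, -c, P) % P
    oracle.patch((v, t), c)
    return (v, t, c, s)

def extract(p1, p2):
    """Forking step: equal (v, t), c1 != c2 gives phi(s1 - s2) = (c1 - c2)*v, so w = (s1 - s2)/(c1 - c2)."""
    (v1, t1, c1, s1), (v2, t2, c2, s2) = p1, p2
    if (v1, t1) != (v2, t2) or c1 == c2:
        raise ValueError("proofs do not fork on the same oracle point")
    return (s1 - s2) * pow(c1 - c2, -1, Q) % Q

def fork_and_extract(v, w, r):
    o1, o2 = Oracle(), Oracle()
    p1 = prove(o1, v, w, r)                  # first run with coins r
    o2.patch((v, p1[1]), (p1[2] + 1) % Q)    # rewind: second oracle answers differently at (v, t)
    p2 = prove(o2, v, w, r)
    return extract(p1, p2)
```

Simulated proofs verify only under the patched oracle, which is why the theorem excludes the case where A returns one of them: the extractor learns nothing from a proof whose challenge was programmed rather than queried.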

References

[1] M. Bellare and G. Neven. Multi-signatures in the plain public-key model and a general forking lemma. In Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS ’06, pages 390–399, New York, NY, USA, 2006. ACM.

[2] D. Bernhard, V. Cortier, D. Galindo, O. Pereira, and B. Warinschi. SoK: A comprehensive analysis of game-based ballot privacy definitions. In 2015 IEEE Symposium on Security and Privacy (SP), volume 00, pages 499–516, May 2015.

[3] D. Bernhard, O. Pereira, and B. Warinschi. How not to prove yourself: Pitfalls of the Fiat-Shamir heuristic and applications to Helios. In X. Wang and K. Sako, editors, ASIACRYPT, volume 7658 of Lecture Notes in Computer Science, pages 626–643. Springer, 2012.

[4] D. Bernhard and B. Warinschi. Cryptographic Voting — A Gentle Introduction, pages 167–211. Springer International Publishing, Cham, 2014.

[5] B. Blanchet. Automatic verification of security protocols in the symbolic model: The verifier ProVerif. In Foundations of Security Analysis and Design (FOSAD’13), volume 8604 of LNCS, pages 54–87. Springer, 2013.

[6] B. Blanchet. Modeling and verifying security protocols with the applied pi calculus and ProVerif. Foundations and Trends in Privacy and Security, 1(1–2):1–135, Oct. 2016.

[7] D. Boneh and R. Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In N. Koblitz, editor, Advances in Cryptology — CRYPTO ’96, pages 129–142, Berlin, Heidelberg, 1996. Springer Berlin Heidelberg.

[8] V. Cheval, V. Cortier, and M. Turuani. A little more conversation, a little less action, a lot more satisfaction: Global states in ProVerif. In Proceedings of the 31st IEEE Computer Security Foundations Symposium (CSF’18), 2018.

[9] V. Cortier, D. Galindo, R. Küsters, J. Müller, and T. Truderung. SoK: Verifiability notions for e-voting protocols. In 2016 IEEE Symposium on Security and Privacy (SP), volume 00, pages 779–798, May 2016.

[10] V. Cortier, D. Galindo, and M. Turuani. A formal analysis of the Neuchâtel e-voting protocol. In 3rd IEEE European Symposium on Security and Privacy (EuroSP’18), London, UK, April 2018.

[11] R. Gennaro, S. Jarecki, H. Krawczyk, and T. Rabin. Secure distributed key generation for discrete-log based cryptosystems. J. Cryptol., 20(1):51–83, Jan. 2007.

[12] R. Haenni, R. E. Koenig, P. Locher, and E. Dubuis. CHVote system specification. Cryptology ePrint Archive, Report 2017/325, 2017. https://eprint.iacr.org/2017/325.

[13] G. Lowe. A hierarchy of authentication specifications. In 10th IEEE Computer Security Foundations Workshop (CSFW’97). IEEE Computer Society Press, 1997.

[14] T. P. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In Proceedings of the 11th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO ’91, pages 129–140, London, UK, UK, 1992. Springer-Verlag.

[15] protocols and advanced security properties. In 25th IEEE Computer Security Foundations Symposium (CSF’12), pages 78–94, 2012.

[16] V. Shoup. Sequences of games: a tool for taming complexity in security proofs, 2004. Received 30 Nov 2004, last revised 18 Jan 2006.
