1 Introduction

Security reductions. In this paper we investigate the interplay between security reductions and setup assumptions. Security reductions [15] are perhaps the single most powerful idea that underlies modern cryptography. Roughly speaking, a security reduction is an algorithm which turns an adversary that breaks some protocol Q into one which breaks some underlying primitive PFootnote 1. If such a reduction exists, it follows that if P is secure, then so is Q, so the security of a complex system is reduced to that of its underlying components. Here, and throughout the paper, P and Q are understood as security notions; that is classes of instantiations together with an experiment which defines their security. Furthermore, reductions correspond to specific constructions which turn an instance of P into an instance of Q.

The landscape of reductions has been carefully mapped via a taxonomy introduced by Reingold, Trevisan and Vadhan (RTV) [22] and later refined by Baecher, Brzuska, and Fischlin [1]. In its latest incarnation, the taxonomy identifies three components relevant to reductions, namely, the construction, the adversary and the instance used in the construction, and classifies reductions depending on how they access these components. Of central interest in this taxonomy are the so-called “black-box” reductions where the reduction only gets oracle access (i.e. only input/output) to the adversary; further variants distinguish between how the reduction accesses the construction and the instance of the primitive used in the construction. Indeed, with only very few exceptions, the cryptographic practice employs black-box reductions. Not only are these reductions simpler to design but black-box access to the adversary and the instance enables a hierarchical modular design, thereby helping tame the inherent complexity of cryptographic designs.

Setup assumptions. For efficiency reasons, or to circumvent impossibility results, concrete instantiations of cryptographic constructs often rely on setup assumptions. That is, constructions make use of already set-up trusted components. Well-known examples of such assumptions include the random beacon model [21], the random oracle [3], the ideal cipher model [23], the common random string model [4], and its common reference string variant. Other examples include the quantum random oracle [5] or access to specific hardware [9, 14, 20].

Reductions may use setup assumptions in fundamental ways. They may track the adversary’s queries towards the random oracle and program the output of random oracles at dynamically identified inputs. They can access a trapdoor associated to a common random string which allows them to decrypt adversarial ciphertexts or equivocate commitments.

In this paper we are interested in the interplay between reductions and security assumptions. Most of the previous work on classifying reductions does not explicitly surface the use of setup assumptions and, a priori, are set in the standard (vanilla) model. A notable exception is the work of Fischlin et al. [13] who extends the black-box separation techniques to get impossibility results for various constructions even in settings with a (or with variants of the) random oracle model.

The problem. In this paper we investigate the interaction between reductions and setup assumptions from a different perspective which we detail below. For concreteness, in our motivating discussion we use the random oracle as an example setup assumption under consideration. Nonetheless, our work treats generically other settings as well.

Assume that we have already designed a black-box reduction from some protocol Q to a primitive P. The reduction is in the standard model. Then consider protocol \(Q_{\mathcal {O}}\) which uses in its construction instantiations of the primitive \(P_\mathcal {O}\) which potentially rely on the random oracle \(\mathcal {O}.\) Can we conclude something about the security of \(Q_{\mathcal {O}}?\) Put differently, does a black-box reduction from Q to P in the standard model lift to a reduction from \(Q_\mathcal {O}\) to \(P_\mathcal {O}\)? And what, and how does one define the extension of \(P_\mathcal {O}\) to the random oracle, in the first place?

We contend that the answer is far from obvious. The first obstacle is a syntactic one. Observe that an adversary against \(Q_\mathcal {O}\) makes queries that exercise the functionality of the protocol yet also queries the random oracle. The reduction from Q to P “knows” how to deal with the former type of queries but makes no provisions for the latter type. We consider the natural extension of the standard model reduction to a non-programming random oracle reduction, where the reduction simply forwards the queries and answers between the adversary and the random oracle.

The second obstacle is more substantial. How would one argue that the random oracle reduction works? Since the existence of the standard model reduction is the only available handle one would need to relate the event that a random oracle adversary wins to the event that a standard adversary wins. However, there is a fundamental difference between the standard model setting and the random oracle one.

In the standard model the only information available to the adversary about the internal state of the protocol is whatever can be inferred from their communication mediated by the security game. In the random oracle model, however, the adversary and the protocol indirectly share state through their joint access to the random oracle. With this in mind, it is unclear how to map events from the joint-state setting to the standard model or, indeed, whether this is even possible. It is conceivable that the adversary manages to break the protocol because of the shared state and this is something which the standard model reduction may not even account for. Looking ahead, we show how to bypass these obstacles and provide a positive answer to the question we posed above. We detail our results next.

2 Our contributions

Formal foundations. Our first contribution is a framework which allows to talk about “lifting” notions and reductions between notions from the standard model to a model with setup assumptions. Our starting point is the recent framework of Hofheinz and Nguyen [16], who in turn build on the work of Reingold, Trevisan, and Vadhan [22]. In their framework, the notion of a primitive has two key ingredients: i) a set theoretic notion of an instance (essentially the set of all instantiations for the primitive), and ii) an explicit notion of a security game – defined as an interactive (oracle) Turing machine (and an associated advantage function). We extend this framework in two ways. First, we formalize setup assumptions as a mathematical object, essentially as family of distributions over sets of functions. Later in the section, we outline a number of technical challenges we need to overcome to make this approach rigorous, and make our definitions precise and general. One can then extend arbitrary security games to include setup assumptions by providing to the adversary (and the primitive) black-box access to a function; which is sampled in an eager manner (from a computational perspective) according to the distribution(s) before the execution begins. Our abstract approach subsumes many of the widely used setup assumptions including the random oracle model, the CRS model, and the ideal cipher model.

Second, we provide a careful treatment of the notion of primitive instances. Both [22] and [16] define instances of a primitive as arbitrary sets of Turing machines. This approach is too abstract for our purposes since it does not give rise to a meaningful way of lifting the notion of an instantiation from the standard model to the random oracle model. A more concrete definition is necessary that allows one to explicitly define correctness and security membership sets for the primitives. We opt for identifying primitive instances by considering an explicit correctness game associated to the primitive.

With these extensions in place, we can then rigorously define the extension of a particular cryptographic notion to a specific setup assumption and the lifting of a reduction from the standard model to a model with a setup assumption.

Main result. Our main result establishes that fully black-box reductions in the standard model indeed do lift to setup assumptions. That is, if a standard model reduction from some protocol Q to some primitive P exists, then the reduction (or rather its canonical extension) also “works” in the setup assumption. The proof of this result is along the following lines. Once an individual instance of the setup assumption is fixed, then the adversary can be viewed as an adversary in the standard model with the instance of the setup hardwired in its code; the same observation holds for the primitive. One can therefore establish a relation between the success of the reduction and the success of the adversary, for each individual instance of the setup assumption. The crux of the proof is to show how to “aggregate” the distinct individual bounds on advantage functions to get a bound on the adversary’s advantage when the setup is sampled according to its defining distribution.

A related and somewhat simpler case of this problem is to show that instantiating a protocol with a correct instance of the primitive with a setup assumption yields a correct instance of the protocol (with a setup assumption). We cast both of these problems as a generic property of (countable) sets of certain type of families of negligible functions.

Technical challenges. As it soon becomes clear in the paper, we require a lot of mathematical machinery, and it is instructive to understand the source of some of the complications we deal with. In particular, there are two related challenges rooted in an interesting interplay between fully black-box reductions and random oracles: (i) how to define a generic notion of a setup assumption and (ii) how to define the adversary’s advantage. Recall that a fully black-box reduction “works” even if the adversary against the protocol is unbounded. In particular, the reduction needs to work even for an adversary that with some small probability does not stop and instead keeps on querying the random oracle on increasingly larger inputs. How should one then define the advantage of the adversary? The difficulty here is identifying the underlying sample space of the experiment since an unbounded adversary will essentially require an unbounded random tape.

This discussion also sheds some light on our modeling of a setup assumption. Intuitively, we would like to define a setup assumption simply as a function from some domain X to some co-domain Y to which the different parties involved in the execution get access. The function would need to be sampled, eagerly, at the beginning of the execution. This intuitively appealing approach does not work for the type of infinite execution in the above discussion. For the random oracle model we would have \(X=Y=\{0,1\}^*\) and it’s not clear how to sample from this space “uniformly at random” as one would expect.

Our solution is to view the setup as a family of sampling algorithms indexed by a natural number \(\ell \). For each \(\ell \) the setup is sampled from finite sets of functions with (now bounded) domain \(X_\ell \) and range Y. Our formalization enforces that \(X_\ell \subseteq X_{\ell +1}\) and that sampling is “consistent” across the parameters, that is the distribution on \(Y^{X_{\ell +1}}\) extends naturally the distribution on \(Y^{X_{\ell }}\). For each parameter \(\ell \) we define a corresponding execution model where the execution of the game aborts if either the adversary or the construction queries the setup on a point outside \(X_\ell \). With these bounds in place, we can rigorously show the sample space, required by the setup assumption, is well-defined, and the advantage of the adversary for each individual parameter is well defined and converges. That is the corresponding sums parameterized over \(\ell \) converge and thus it makes sense to define the notions of adversarial advantage and correctness.

Applications. In order to illustrate the practicality of our main result, we present the following simple example. Consider the Lamport construction of a one-time (OT) signature scheme out of a one-way function (OWF). Let us call the generic construction \(\mathsf {Lamp}[\cdot ]\). The traditional reduction shows that \(\mathsf {Lamp}[f]\) is a secure OT signature scheme if f is a OWF: for any OWF instance f, an adversary against \(\mathsf {Lamp}[f]\) can be used in a black-box way to break f. Note that the reduction allows to establish the security of OT signature instances of the form \(\mathsf {Lamp}[f]\) only for instantiations of f in the standard model.

Consider now an OWF instance which uses a random oracle (RO), e.g. consider the construction \(g^\mathcal {O}\), where g simply forwards its inputs to the random oracle \(\mathcal {O}\) and returns the result. We claim that, given the state of the art, it is not possible to immediately conclude \(\mathsf {Lamp}[g^\mathcal {O}]\) is a secure OT signature. Indeed, one cannot draw any rigorous conclusions from existing results: even brushing under the carpet that \(g^\mathcal {O}\) is “obviously” a OWF, the key observation is that the scheme \(\mathsf {Lamp}[g^\mathcal {O}]\) is a scheme in the RO model. So, the existing reduction does not apply. It is here where our main result is useful: it lifts the reduction from the standard model to the random oracle model and allows us to conclude that the security of \(\mathsf {Lamp}[f]\) reduces to that of f, even if f is a construction in the RO.

Obviously, one can re-establish the security of \(\mathsf {Lamp}[g^\mathcal {O}]\) directly, in the random oracle, but that would require a new proof where one would have to redo the interesting part of the reduction.

To give another example, consider the black-box construction of a NM-CPA scheme out of a semantically secure scheme by Choi, Soled, Malkin, and Wee [10]. For brevity we shall call the construction CSMW. Their result shows that CSMW[Enc] is an NM-CPA scheme for any semantically secure scheme in the standard model.

Consider now the instantiation of CSMW[BR] where BR is the concrete semantically secure scheme from the original RO paper by Bellare and Rogaway [2], i.e. for a trapdoor permutation \(f\) then \({\text {Enc}}(m) = f(r) || H(r) \oplus m\). Our results allow one to conclude that CSMW[BR] is an NM-CPA scheme in the RO model. Without this contribution, one would have to the best of our knowledge provide a direct reduction to the security of \(f\)Footnote 2. Generally, our results expose the concrete security gap, yet the theorems allow for abstract, and relatively simple, proofs as shown in Sect. 5.5.

Discussion. Our main result shows how to lift fully black-box reductions set in the standard model to a model with a setup. In particular, we rely in a reasonably strong way on the fact that such reductions can deal with unbounded adversaries – at some point we need to hardwire a potentially large table (representing the setup) into adversaries and implementations. Consequently, the resulting constructions may not be efficient anymore. In turn this implies that our result does not immediately extend to a reduction which is only guaranteed to work for efficient adversaries e.g. [1, Section 2.6]. That would be extending our result to BBBa reductions using the terminology of [1]. Restricting our results to such a setting would, however, allow us to avoid many complications that the unbounded nature of the random oracle causes, as outlined above.

An intriguing question is whether our results extend to the case where starting reduction/construction is already in a model with already an idealized setup (as opposed to the standard model). In particular, answering this question raises the question of how idealized models interact/compose. We leave both of these questions to further work.

Related work. The closest work to ours is the work of Hofheinz and Nguyen [16]. They introduce a generic framework for abstractly specifying games (and security reductions) and use it to study the relation between single instance and multi-instance security of primitives. Our work extends their framework with setup assumptions and explicit correctness games, and we study a different extension of the reduction. A somewhat related line of work studies “relativizing” reductions [1, 18, 22]. This concept borrowed from complexity theory is about establishing relations of the type: if primitive P can be instantiated (securely) then primitive Q can also be instantiated (securely). Such a relation “relativizes” if the statement holds even if the adversaries against P and Q have access to an arbitrary oracle \(\varPi .\) Although apparently related, the focus and results of that line of work are quite different.

RTV [22] assumed probabilistic polynomial time oracle machines when introducing relativizing reductions. In particular, they asserted that for a primitive with oracle access to exist there must be a PPTOM machine that can compute it and that no PPTOM machine breaks it (see Definition 2 in the full version of [22] or definition 5 of [1]). Lifting does not have that restriction, and is as such a more general and flexible notion. A lifted reduction holds even if the adversary performs a countable number of queries from an infinite query space. Furthermore, we do not require an efficient implementation in the idealized model (see Definition 5). The same holds for the security definition – even though as is standard we define here security via a PPT game – one may transfer our result to non-polynomial time security settings. As such our tooling and approach can accommodate oracle querying with non-trivial, non-finite, underlying probability distributions.

Note also the difference is one of intent. In relativizing reductions, the security of the primitive under question is not impacted by the choice of oracle the adversary has access to. The reduction must hold for any oracle. This of course can rule out such reductions due to oracle separation results. In our work we focus on a particular idealized model and inquire if we can “lift” the security to this idealized model.

A rich line of research, also originating in the seminal work of Rudich and Impagliazzo [18] and continuing with the works of Boneh and Venkatesan [6], Simon [24] and Hsiao and Reyzin [17] has developed a number of black-box separation techniques. These can be used to show negative results of the type: no black-box construction of protocol Q out of primitive P exists, or conversely that no black-box reduction from Q to P exists. Such results are important to rule out minimal assumption for the existence of Q, or identify the need for non-black box constructions but do not serve as support for drawing positive results.

3 Preliminaries

3.1 Notation

For two arbitrary sets X and Y we write \(Y^X\) for the set of all functions from X to Y. Let \(\mathbb {N} = \{0,1,2,3,\ldots ,\}\) be the set of natural numbers. We use \(\lambda \in \mathbb {N}\) to denote the security parameter, which is a natural number; we assume that it is implicitly provided to all algorithms in the unary representation \(1^\lambda \), unless stated otherwise.

We use the shorthand \({\text {PPT}}\) for the Probabilistic Polynomial Time algorithms – in the (unary) security parameter \(\lambda \). We describe as an event when \(\mathcal {A}\) gets \((1^\lambda ,x_1,\dots )\) as input, uses fresh random coins r and outputs \((y_1,\dots )\). If \(\mathcal {A}\) is deterministic then we simply write \((y_1,\dots ) \leftarrow \mathcal {A}(1^\lambda ,x_1,\dots )\). Let us write \(\mathcal {A}^B\) to denote that \(\mathcal {A}\) has black-box access to algorithm B, meaning it sees only its input-output behaviour. The notation \(\mathcal {A}^{(\cdot )}\) means that \(\mathcal {A}\) expects a black-box access to some other algorithm. Similarly as in [13], we highlight that when an algorithm \(\mathcal {B}\) is given oracle access to \(\mathcal {A}^{\mathcal {O}}\) for a particular oracle \(\mathcal {O}\) then \(\mathcal {B}\) does not get to answer \(\mathcal {A}\)’s queries to \(\mathcal {O}\). Throughout the paper, \(\bot \) denotes an error symbol.

For a finite set S, we denote its cardinality by |S| and write meaning that we choose an element s from S uniformly at random. For readability, we define \([k] = \{1,\ldots ,k\}\) for \(k\in \mathbb {N}\) and \([a,b] = \{x \in \mathbb {R} : a \le x \le b\}\). Set S is countable if there exists an injective map \(\phi : S \rightarrow \mathbb {N}\).

A function \(\epsilon :\mathbb {N} \rightarrow \mathbb {R}\) is negligible if for any \(c \in \mathbb {N}\), there exists \(N \in \mathbb {N}\) such that for all \(\lambda \ge N\): \( |\epsilon (\lambda )|< 1/\lambda ^c\). We write \(\mathsf {negl}(\lambda )\) for an unspecified negligible function in \(\lambda \). In general, we denote with \(\textsf {negl}\) to be a set of all negligible functions. Similarly, we define \(\mathsf {UBnegl}\)  to be the set of functions \(f:\mathbb {N} \rightarrow \mathbb {R}\) which are upper-bounded by a negligible function. Concretely, \(f \in \mathsf {UBnegl}\) if and only if there exists \(\epsilon (\cdot ) \in \mathsf {negl}\) such that \(f(\lambda ) \le \epsilon (\lambda )\) for all \(\lambda \in \mathbb {N}\). We highlight that functions in \(\mathsf {UBnegl}\) are not necessarily negligible, e.g. the constant function \(f(\lambda ) = -1\). By definition of a negligible function we obtain the following lemma.

Lemma 1

Let \(f:\mathbb {N} \rightarrow \mathbb {R}\) be a function. Then, the following conditions are equivalent.

  1. 1.

    \(f\in \mathsf {UBnegl}\),

  2. 2.

    function \(g(\lambda ) := \max \{f(\lambda ),0\}\) is negligible,

  3. 3.

    for all \(c \in \mathbb {N}\), there exists \(N \in \mathbb {N}\) such that for all \(\lambda \ge N\): \(f(\lambda ) < 1/\lambda ^c\).

3.2 Limits and Suprema

Let A be a (possibly uncountable) set. Then, for a function \(f:A \rightarrow \mathbb {R}\) we define the supremum \(\sup _{a \in A} f(a)\) to be the smallest real number t (if exists) such that \(f(a) \le t\) for all \(a \in A\). In this paper, will use the following simple lemmas. For completeness, we provide the proofs in Appendix A.

Lemma 2

Let AS be non-empty sets, where S is either finite or countable, and \((f_s)_{s \in S}\) be a sequence of functions \(f_s: A \rightarrow \mathbb {R}\). If for all \(s \in S\), \(\sup _{a \in A} f_s(a) \) exists and if \(\sup _{(a_s \in A )_{s\in S} } \sum _{s \in S}f_s(a_s)\) exists then

$$ \sum _{s \in S} \sup _{a \in A} f_s(a) = \sup _{(a_s \in A)_{s\in S}} \sum _{s \in S}f_s(a_s).$$

Lemma 3

Let A be a non-empty set and \((f_a)_{a \in A}\) be a family of non-decreasing functions \(f_a: \mathbb {N} \rightarrow \mathbb {R}\). Then:

$$\lim _{k \rightarrow +\infty }\sup _{a \in A} f_a(k)= \sup _{a \in A} \lim _{k \rightarrow +\infty } f_a(k) $$

assuming \(\sup _{a \in A} \lim _{k \rightarrow +\infty } f_a(k)\) and \(\lim _{k \rightarrow +\infty } f_a(k)\) exist for all \(a \in A\).

Lemma 4

Let \(f:\mathbb {N} \times \mathbb {N} \rightarrow [0,1]\) be function such that for all \(k,\ell \in \mathbb {N}\): \(f(k,\ell ) \le f(k+1,\ell )\) and \(f(k,\ell ) \le f(k,\ell +1)\). Then, \(\lim _{k \rightarrow + \infty } \lim _{\ell \rightarrow + \infty } f(k,\ell )\) exists and

$$\lim _{k \rightarrow + \infty } \lim _{\ell \rightarrow + \infty } f(k,\ell ) = \lim _{\ell \rightarrow + \infty } \lim _{k \rightarrow + \infty } f(k,\ell ) = \lim _{k \rightarrow + \infty } f(k,k).$$

Lemma 5

Let S be a non-empty, either finite or countable set and \(f: \mathbb {N} \times S \rightarrow [0,1]\) be a function which satisfies \(f(k,s) \le f(k+1,s)\) and

$$\sum _{s \in S}f(k,s) \in [0,1]$$

for all \(k \in \mathbb {N},s \in S\). Then

$$ \sum _{s \in S} \lim _{k \rightarrow +\infty } f(k,s) = \lim _{k \rightarrow +\infty } \sum _{s \in S}f(k,s).$$

3.3 Fully Black-Box Reductions in the Standard Model

We briefly recall the framework on primitives and black-box reductions by Reingold, Trevisan, and Vadhan [22] (RTV). Using their notation, primitive P is a pair \(\big \langle F_P, R_P \big \rangle \) where \(F_P\) is a set of functions \(f:\{0,1\}^* \rightarrow \{0,1\}^*\) and \(R_P\) is a relation over pairs (fM) for \(f\in F_P\) and machine M. One can think of \(F_P\) as implementations of a primitive P and \(R_P\) as security conditions on \(F_P\).

Then, there is a fully black-box reduction from a primitive \(P=\big \langle F_P, R_P \big \rangle \) to \(Q = \big \langle F_Q, R_Q \big \rangle \) if there exist PPT machines GS such that:

  • for every function \(f \in F_Q\), \(G^f \in F_P\),

  • for every function \(f \in F_Q\) and every adversary \(\mathcal {A}\), \((G^f,\mathcal {A}) \in R_P \implies (f,S^\mathcal {A}) \in R_Q\).

Informally, G and S are called the generic construction and the reduction respectively. As mentioned in [22], this definition of reduction does not apply to non-uniform or information-theoretic notions of security. They also define different types of reductions such as semi-black-box or relativizing reductions.

There is a long line of research on formalising (black-box) reductions [1, 13, 16, 19]. In this paper we adapt the recently defined notion of fully black-box reductions by Hofheinz and Nguyen [16]. The main difference to the RTV framework is that the security conditions are represented as a security game instead of a set of relations. Thus, Hofheinz and Nguyen could formally define what is meant by “breaking one primitive with about the same success as the other primitive” in terms of probabilities.

Definition 1

([16]). A primitive P is a tuple \(\big \langle \mathbb {P}, F_P, R_P, \sigma \big \rangle \) where:

  • \(\mathbb {P}\) is a pair of sets (AB)

  • \(F_P\) is a subset of \(\{f:A \rightarrow B\}\),

  • \(R^{(\cdot ,\cdot )}_P\) is a PPT security algorithm,

  • \(\sigma : \mathbb {N} \rightarrow [0,1]\) is a security threshold.

We say that f is an implementation of P if \(f \in F_P\).

Note that usually we define \(F_P\) via the use of correctness games.

Since we do not consider primitives in the multi-instance setting as in [16], we already include the setup \(S_P\) in the security algorithm \(R_P\). For readability, in this paper we also do not restrict the input space for \(R_P\) to call f, i.e. \(C = A\) in [16, Definition 4].

There are two main differences between this definition and the one proposed by RTV. Firstly, \(\mathbb {P}=(A,B)\) is a pair of sets which describe the domain and the co-domain. This modification enables to characterize implementations which are defined on more abstract mathematical models (e.g. groups, rings) rather than on \(\{0,1\}^*\). Secondly, \(R_P\) is now an efficient algorithm which expects black-box access to both an implementation f and an adversary \(\mathcal {A}\). One can think of \(R_P\) as a security game, e.g. one-wayness or IND-CPA game. Here, we want to associate for each pair \((f,\mathcal {A})\) a value in [0, 1] which corresponds to the probability of \(\mathcal {A}\) winning the \(R_P\) game against f. We recall the definition of an advantage from [16].

Definition 2

([16]). Let \(P=\big \langle \mathbb {P}, F_P, R_P,\sigma \big \rangle \) be a primitive. Take \(f \in F_P\) and any algorithm \(\mathcal {A}\). We define the advantage of \(\mathcal {A}\) in breaking f as

where the probability is defined over random coins in the systemFootnote 3.

We say that \(\mathcal {A}\) \(P-\)breaks f if \(\mathsf {Adv}^{P}_{f,\mathcal {A}}[(\lambda )]\not \in \mathsf {UBnegl}\), i.e. there is no negligible function \(\epsilon :\mathbb {N} \rightarrow \mathbb {R}\) such that \(\mathsf {Adv}^{P}_{f,\mathcal {A}}[(\lambda )] \le \epsilon (\lambda )\) for all \(\lambda \in \mathbb {N}\). Primitive P is called secure if there exists an implementation f of P such that there are no PPT algorithms \(\mathcal {A}\) that \(P-\)break f.

Example 1

We define a primitive corresponding to an IND-CPA secure public-key encryption scheme as \(\textsf {PKE}=\big \langle \mathbb {P}_\textsf {PKE}, F_\textsf {PKE}, R_\textsf {PKE},\frac{1}{2} \big \rangle \) where \(\mathbb {P}_\textsf {PKE}\) defines the domain and range for the encryption schemes, \(R_\textsf {PKE}\) is the IND-CPA game and \(F_\textsf {PKE}\) the set that contains encryption schemes, which we could define via a “encryption scheme correctness” game.

We briefly explain why we want the advantage to be in \(\mathsf {UBnegl}\) rather than \(\mathsf {negl}\). Note that there are certain types of adversaries, for which their advantage is not negligible, and yet they do not win the security game in the usual sense. For instance, consider a decisional game, e.g. the IND-CPA game, where the adversary has to guess the bit, and set the security threshold \(\sigma (\lambda ) = \frac{1}{2}\). Then, an adversary \(\mathcal {A}\), which simply aborts/loops, certainly will not win the IND-CPA game (the security game cannot detect \(\mathcal {A}\) looping since it is only given black-box access). However, its advantage, as defined in Definition 2, will be \(0 - \frac{1}{2}\) = \(-\frac{1}{2}\), which is not negligible (but still upper-bounded by a negligible function).

Using the definitions above, Hofheinz and Nguyen formalise fully-black box reductions as follows.

Definition 3 (Fully Black-Box Reductions)

Let \(P = \big \langle \mathbb {P}_1, F_P, R_P, \sigma \big \rangle \) and \(Q = \big \langle \mathbb {P}_2,F_Q,\) \(R_Q, \tau \big \rangle \) be primitives. Then, there is a fully black-box reduction from P to Q if there exist PPT algorithms \(G^{(\cdot )},S^{(\cdot )}\) such that:

  • for every implementation f of Q, \(G^f\) is an implementation of P,

  • for every implementation f of Q and every (unbounded) algorithm \(\mathcal {A}\), if \(\mathcal {A}\) P-breaks \(G^f\) then \(S^\mathcal {A}\) Q-breaks f.

4 Average of Negligible Functions

In this section we establish several technical properties of negligible functions which will be crucial when proving our main reduction correspondence result. It is a well known that given a finite set of negligible functions \(P=\{f_1,f_2,\ldots ,f_n\}\), the average \(\frac{1}{n}\sum ^n_{i=1}f_i\) of these functions is also negligible. We provide a similar result in the setting when the set P is countable.

Informally, suppose we have a function \(P: \mathbb {N} \times \mathbb {N} \rightarrow [-1,1]\) such that for any \(f: \mathbb {N} \rightarrow \mathbb {N}\), function \(P_f(\lambda ):=P(\lambda ,f(\lambda ))\) is negligible in \(\lambda \). Then, for any discrete distribution \(\mathcal {D}\) on \(\mathbb {N}\) and an infinite sequence of independent random variables , the function \(\mathbb {E}(P):\mathbb {N}\rightarrow [-1,1]\) defined as

$$\mathbb {E}(P)(\lambda ) := \mathbb {E}\left( P(\lambda ,X_\lambda )\right) $$

is also negligible. Intuitively, this result says that if a set PFootnote 4 consists of only negligible functions then the “expectation of all functions”, defined as \(\mathbb {E}(P)\) and also called informally as the average of P, is also negligible.

Below we state a generalisation of this result. Roughly speaking and using the language from the previous paragraph, it says the following. Assume there exists a correspondence between negligible functions from set Q to set P. If the expectation of Q is negligible then so is the expectation of P. Clearly, by setting the set Q to only contain the zero functions yields the result described above.

To apply these observations in the context of fully black-box reductions, we work with functions in \(\mathsf {UBnegl}\) (see Sect. 3.1) rather than with negligible functions.

Theorem 1

Let \(k \in \mathbb {N}\), S be a (possibly uncountable) set and \((\mathcal {D}_\lambda )_{\lambda \in \mathbb {N}}\) be a sequence of discrete probability distributions \(\mathcal {D}_\lambda : S_ \lambda \rightarrow [0,1]\) over countable sets \(S_\lambda \subseteq S\). Take arbitrary functions \(P,Q_1,\ldots ,Q_k : \mathbb {N} \times S \rightarrow [-1,1]\). Suppose that for every function \(f: \mathbb {N} \rightarrow S\), the following holds:

$$\forall i\in [k], Q_i(\lambda ,f(\lambda )) \in \mathsf {UBnegl} \implies P(\lambda , f(\lambda )) \in \mathsf {UBnegl}.$$

Then, for we have

$$\forall i \in [k], \mathbb {E}\left( Q_i(\lambda ,X_\lambda )\right) \in \mathsf {UBnegl} \implies \mathbb {E}\left( P(\lambda ,X_\lambda )\right) \in \mathsf {UBnegl}.$$

Proof

Suppose that each \(\mathbb {E}\left( Q_i(\lambda ,X_\lambda )\right) \) is upper-bounded by a negligible function. Then, for each \(i \in [k]\), we can find an infinite sequence of positive integers \(J(i,1)< J(i,2) <\ldots \) such that for every \(d \in \mathbb {N}\) and any \(\lambda \ge J(i,d)\), \(\mathbb {E}\left( Q_i(\lambda ,X_\lambda )\right) < 1/\lambda ^d\). Fix \(d \in \mathbb {N}\) and define

$$j_d = \max \{2k+1,\max _{i \in [k]} J(i,d+1)\}.$$

We claim that for every \(\lambda \ge j_d\), there exists \(a \in S_\lambda \) which satisfies:

$$\forall i\in [k], Q_i(\lambda , a) < 1/\lambda ^d.$$

First, we fix arbitrary \(i \in [k]\) and \(\lambda \ge j_d.\) Let

$$M_i = \{ a : a \in S_\lambda \wedge Q_i(\lambda ,a) < 1/\lambda ^{d}\}.$$

We know that \(\mathbb {E}\left( Q_i(\lambda ,X_\lambda )\right) < 1/\lambda ^{d+1}.\) Therefore,

$$\frac{\Pr [X_\lambda \in S_\lambda \backslash M_i] }{\lambda ^{d}}\le \frac{\sum _{a\in S_\lambda \backslash M_i} \Pr [X_\lambda = a] }{\lambda ^{d} }\le \sum _{a\in S_\lambda } \Pr [X_\lambda = a] \cdot Q_i(\lambda ,a) < \frac{1}{\lambda ^{d+1}}.$$

In particular, \(\Pr [X_\lambda \in S_\lambda \backslash M_i] \le 1/\lambda .\) Then, by the union bound we have:

$$\Pr [\exists i, X_\lambda \in S_\lambda \backslash M_i] \le k/\lambda \le 2k/j_d < 1.$$

Hence, \(\Pr [\forall i, X_\lambda \in M_i ] > 0\) so there exists \(a \in S_\lambda \) such that for every \(i\in [k], Q_i(\lambda , a) < 1/\lambda ^d.\) For \(\lambda \ge j_d\), let \(a(\lambda )\) be the smallest such value.

Next, we prove the following lemma.

Lemma 6

Let \(c \in \mathbb {N}\). Then, there exists a positive integer \(d \ge c\), such that there are only finitely many pairs \((\lambda ,a)\) which satisfy the following conditions:

$$\begin{aligned} a \in S_\lambda \wedge \forall i, Q_i(\lambda ,a) < 1/\lambda ^d \wedge P(\lambda ,a) \ge 1/\lambda ^c. \end{aligned}$$
(1)

Proof

We prove it by contradiction. Suppose there exists a positive integer c, such that for every \(d \ge c\), there are infinitely many pairs \((\lambda ,a)\) which satisfy (1). We construct a function \(f: \mathbb {N} \rightarrow S\) such that for \(i \in [k]\), \(Q_i(\lambda ,f(\lambda ))\in \mathsf {UBnegl}\) but \(P(\lambda ,f(\lambda )) \not \in \mathsf {UBnegl}\). Then, we get a contradiction.

Fix \(d \ge c\). Let us introduce the following notation. First, \(L(\ell , d)\) is the smallest \(\lambda \ge \ell \) such that there exists an integer a so that \((\lambda ,a)\) satisfies (1). Additionally, denote \(R(\ell ,d)\) to be the smallest a such that \((L(\ell ,d),a)\) satisfies (1). Then, by definition \((L(\ell ,d),R(\ell ,d))\) satisfy (1). Finally, set \(I(c) = j_c\) and \(I(d+1) = \max \{j_{d+1},L(I(d),d) + 1\}\).

We define the function f as follows. For \(\lambda < I(c)\), set \(f(\lambda ) = x\) where x is an arbitrary fixed element in \(S_\lambda \). Then, for \(I(d) \le \lambda < I(d+1)\), where \(d \ge c\), define:

$$f(\lambda ) = {\left\{ \begin{array}{ll} R(I(d),d)\text { if } \lambda = L(I(d),d) \\ a( \lambda ) \text { otherwise}. \end{array}\right. }$$

Recall that \(a(\lambda )\) is the smallest value a such that \(i\in [k], Q_i(\lambda , a) < 1/\lambda ^d\).

We now prove that for each i, \(Q_i(\lambda ,f(\lambda ))\) is upper-bounded by a negligible function. Let \(i \in [k]\). By construction, for any \(d \in \mathbb {N}\) and \(I(d) \le \lambda < I(d+1)\), we have \(Q_i(\lambda , f(\lambda )) < 1/\lambda ^d\). Indeed, if \(\lambda = L(I(d),d)\) then \((\lambda ,f(\lambda ))\) satisfies (1). On the other hand, if \(\lambda \ne L(I(d),d)\) then since \(\lambda \ge I(d) \ge j_d\) we have \(Q_i(\lambda , f(\lambda )) = Q_i(\lambda , a(\lambda ))< 1/\lambda ^d\).

As a result, for all \(\lambda \ge I(d)\) we have \(Q_i(\lambda , f(\lambda )) < 1/\lambda ^d\). The reason is that for \(\lambda \ge I(d)\) there is some \(\alpha \ge d\) so that \(I(\alpha )\le \lambda < I(\alpha +1)\). By the observation above, we have \(Q_i(\lambda , f(\lambda ))< 1/\lambda ^\alpha \le 1/\lambda ^d\). Consequently, \(Q_i(\lambda , f(\lambda ))\) is upper-bounded by a negligible function.

On the other hand, for all \(d \in \mathbb {N}\), we have \(P(\lambda , f(\lambda )) \ge 1/\lambda ^c\) where \(\lambda = L(I(d),d)\). This means that there are infinitely many positive integers \(\lambda \) such that \(P(\lambda , f(\lambda )) \ge 1/\lambda ^c\). Hence, \(P(\lambda , f(\lambda ))\not \in \mathsf {UBnegl}\) by Lemma 1.\(\square \)

Finally, we prove that \(\mathbb {E}\left( P(\lambda ,X_\lambda )\right) \) is upper-bounded by a negligible function. Let \(c\in \mathbb {N}\) and \(c' = c+k+1\). From Lemma 6 we know that there exists \(d \ge c'\) such that there are finitely many pairs \((\lambda ,a)\) satisfying (1). Therefore, there is an integer N, such that for all pairs \((\lambda , a)\), where \( \lambda \ge N\), one of the conditions in (1) does not hold. Now, let \(m = \max \{2,j_{2d-1},N\}\). We claim that for all \(\lambda \ge m\), \(\mathbb {E}\left( P(\lambda ,X_\lambda )\right) < 1/\lambda ^c\). This would imply that \(\mathbb {E}\left( P(\lambda ,X_\lambda )\right) \in \mathsf {UBnegl}\).

Take any \(\lambda \ge m\). Let us compute a lower-bound on where

$$ H= \{ a \in S_\lambda : \forall i \in [k], Q_i(\lambda , a) < 1/\lambda ^d \}.$$

We proceed similarly as before. Let \(i \in [k]\). Then, we have \(\mathbb {E}\left( Q_i(\lambda ,X_\lambda )\right) < 1/\lambda ^{2d}\) since \(m \ge j_{2d-1}\). Denote \(H_i = \{ a \in S_\lambda : Q_i(\lambda , a) < 1/\lambda ^d \}\). Thus,

$$\frac{\Pr [X_\lambda \in S_\lambda \backslash H_i] }{\lambda ^{d}}\le \frac{\sum _{a\in S_\lambda \backslash H_i} \Pr [X_\lambda = a] }{\lambda ^{d} }\le \sum _{a\in S_\lambda } \Pr [X_\lambda = a] \cdot Q_i(\lambda ,a) < \frac{1}{\lambda ^{2d}}.$$

Therefore, \(\Pr [X_\lambda \in S_\lambda \backslash H_i] < 1/\lambda ^d\). Hence, by the union bound we get:

$$\Pr [\exists i \in [k], X_\lambda \in S_\lambda \backslash H_i] \le k/\lambda ^d$$

and thus \(\Pr [X_\lambda \in H] \ge 1-k/\lambda ^d\).

Note that each pair \((\lambda , a)\), where \(a \in H\), satisfies the first two conditions in (1). Since \(\lambda \ge m \ge N\), we get that \(P(\lambda , a) < 1/\lambda ^{c'}\). Therefore, we can upper-bound \(\mathbb {E}\left( P(\lambda ,X_\lambda )\right) \) as follows:

$$\begin{aligned} \mathbb {E}\left( P(\lambda ,X_\lambda )\right)&\le \sum _{a\in S_\lambda } \Pr [X_\lambda = a] \cdot P(\lambda ,a) \nonumber \\&\le \sum _{a \in H} \Pr [X_\lambda = a] \cdot P(\lambda ,a) + \sum _{a \not \in H} \Pr [X_\lambda = a] \cdot P(\lambda ,a) \nonumber \\&< \sum _{a \in H} \Pr [X_\lambda = a] \cdot \frac{1}{\lambda ^{c'}} + \sum _{a \not \in H} \Pr [X_\lambda = a] \\&< \frac{\Pr [X_\lambda \in H ]}{\lambda ^{c'}} + \Pr [X_\lambda \in S \backslash H] \nonumber \\&< 1/\lambda ^{c'} + k/\lambda ^{d} \nonumber \\&< (k+1)/\lambda ^{c + k+1} < 1/\lambda ^c. \nonumber \end{aligned}$$
(2)

Thus, \(\mathbb {E}\left( P(\lambda ,X_\lambda )\right) \in \mathsf {UBnegl}\).\(\square \)

5 Setup Assumptions

In this section we formalize, generically, the notion of a setup assumption.

Such assumptions are ubiquitous in modern cryptography and include, for instance, popular settings such as the Ideal Cipher model [23], the Common Random String (CRS) [4], the Random Oracle model (ROM) [3]. They allow one to bypass impossibility results or simply yield more efficient schemes.

Before we present our definition, we motivate some of the choices we make. Naively, we could simply attempt to construct a Turing machine that samples a function \(X \rightarrow Y\) according to some arbitrary distribution, which would encode the expected behaviour of the oracle. The astute reader is soon to notice that several questions arise. How do we pick the domain of the oracle? For example, in the random oracle model the query domain is \(\{0,1\}^*\) which is infinite. What is then our sample space?

We cannot sample eagerly such a function. While one implementation might simply query a small number of polynomial length values in the security parameter \(\lambda \), we must recall that reductions should also work for unbounded adversaries. Indeed, an unbounded adversary might query the oracle infinitely many times, which raises a conundrum.

5.1 Formal Model for Setup Assumptions

Our formalization is heavily influenced by having to solve the Random Oracle case outlined above. We proceed as follows. We model the use of a random oracle (viewed as an infinite random tape) via a sequence of finite setups. Each setup being parameterized by some parameter \(\ell \in \mathbb {N}\) – think about this parameter as a restriction on the size of the valid inputs to the random oracle. As \(\ell \) tends to infinity, the setup becomes a better approximation of a random oracle.

For this approach to be meaningful we require a few additional ingredients. We define \(X_\ell \) to be the first \(\ell \) elements of X. Clearly \(X_\ell \subseteq X_{\ell +1}\) and \(X_\ell \) is an increasingly better approximation of X, as \(\ell \) grows. Thus, we seek that when \(\ell \) goes to infinity, \(X_\ell \) comes close to X. Here we enforce a total order on X. Since we only consider countable sets X, we model this total order by fixing an arbitrary injection \(\phi \) between X and \(\mathbb {N}\); the total order on X is then induced by transporting on X the total order on \(\mathbb {N}\).

We may now define a setup assumption as a tuple \((X,Y,\phi ,\mathcal {M})\) where X and Y are the domain and range for all possible setup instances. The setup generator \(\mathcal {M}\) takes as input the usual security parameter \(\lambda \) and a parameter \(\ell \) as above. For each \(\lambda \) and \(\ell \), the setup generator defines some distribution on the set of functions with domain \(X_\ell \) and range Y.

More importantly, we demand that the distributions defined by \(\mathcal {M}\) are consistent across the choices of \(\ell \). That is, a function sampled from \(Y^{X_{\ell +1}}\) according to \(\mathcal {M}_{\ell +1,\lambda }\), when restricted to \(X_\ell \) has the same distribution as a function sampled from \(\mathcal {M}_{\ell ,\lambda }\). The intuition behind this restriction is that the functions output by the setup should “behave” the same on all entries on which they are defined, independent of the size of the domain specified by \(\ell \).

This requirement is important since, for instance, we do not wish that altering the size of the query space to \(X_{\ell +1}\) affects the behavior of participants that only queries the setup with entries from \(X_{\ell }\). As it will become clear a bit later in the paper (Definition 5), this property is necessary to meaningfully define the adversary advantage when \(\ell \) goes to infinity.

The following definition formalizes the discussion above.

Definition 4 (Setup Assumptions)

Define setup assumption as a tuple \(M = (X,Y,\phi ,\mathcal {M})\) where XY are non-empty countable sets, \(\phi \) is an injective map from X to \(\mathbb {N}\) and \(\mathcal {M}_{(\cdot ,\cdot )}\) is a probabilistic algorithm with the following properties. Namely, given a “length” parameter \(\ell \in \mathbb {N}\) and a security parameter \(\lambda \in \mathbb {N}\), it outputs a function \(\mathcal {O}: X_\ell \rightarrow Y\) according to some distribution over \(Y^{X_\ell }\), where

$$X_\ell := \{ x \in X : \phi (x) < \ell \}.$$

Note that this distribution is still discrete. We further call the setup assumption consistent, if for all \(\ell \in \mathbb {N}\) and \(a_1,\ldots ,a_{|X_\ell |} \in Y\) we have:

figure a

Henceforth, we shall simply refer to consistent sampling setup assumptions simply as setup assumption. When working with primitives in the standard model, we will abuse the notation and write \(M = \varnothing \).

5.2 Defining Primitives with Setup Assumptions

We build on our notion of a setup assumption defined in the previous section to formalize models for primitives with setup assumptions.

Before we proceed, we introduce the following notation. Suppose the sampler \(\mathcal {M}_{(\cdot ,\cdot )}\) of M samples a function \(\mathcal {O}: X \rightarrow Y\) where X and Y are countable and let \(\phi : X \rightarrow \mathbb {N}\) be a fixed injective map. Then, for an algorithm \(\mathcal {A}^{(\cdot )}\) and function \(t: \mathbb {N} \rightarrow \mathbb {N}\), we denote \(\mathcal {A}_t^{(\cdot )}\) to be the algorithm which behaves identically as \(\mathcal {A}^{(\cdot )}\) but if a query \(x\in X\) is made to the setup assumption, where \(\phi (x) > t(\lambda )\), then it automatically aborts. Recall \(\phi \) is our total ordering function. We call t the threshold function. When t is constant, i.e. \(t(\lambda ) = \ell \) for all \(\lambda \), then we slightly abuse notation and simply write \(\mathcal {A}^{(\cdot )}_\ell \).

We now present the notion of a primitive equipped with a setup assumption. The definition below, refines Definition 1 in two different ways. It introduces as part of the execution model the setup generator and it introduces an explicit correctness notion for the primitive as an additional separate algorithm.

Definition 5

Primitive P with a setup assumption M is a tuple \(\big \langle \mathbb {P}, M, C_P, R_P, \sigma \big \rangle \) where:

  • \(\mathbb {P}\) is a pair of sets (AB),

  • \(M = (X,Y,\phi ,\mathcal {M})\) is the setup assumption defining the oracle \(\mathcal {O}\),

  • \(C_P^{(\cdot ,\cdot )}\) is a correctness algorithm,

  • \(R^{(\cdot ,\cdot )}_P\) is a PPT security algorithm (related to \(\lambda \)),

  • \(\sigma : \mathbb {N} \rightarrow [0,1]\) is a security threshold.

We say that \(f^{(\cdot )}: A \rightarrow B\) is an implementation of P if for all (unbounded) adversaries \(\mathcal {A}^{(\cdot )}\):

$$\lim _{k \rightarrow +\infty }\lim _{\ell \rightarrow +\infty } \Pr \left[ 1 \leftarrow C_P^{{f_k}^{\mathcal {O}},\mathcal {A}_{\ell }^{\mathcal {O}}}\right] $$

is negligible, where probability is over random coins in the environment and especially .

For an implementation \(f^{(\cdot )}\) and any algorithm \(\mathcal {A}^{(\cdot )}\), we define the advantage of \(\mathcal {A}^{(\cdot )}\) in breaking \(f^{(\cdot )}\) as

where the probability is defined over and the random coins in the system.

We say that \(\mathcal {A}\) \(P-\)breaks \(f^{(\cdot )}\) if \(\mathsf {Adv}^{P}_{\mathcal {O}\leftarrow M,f,\mathcal {A}}[(\lambda )] \not \in \mathsf {UBnegl}\). Furthermore, \(f^{(\cdot )}\) is called a secure implementation of \(P\) if there are no PPT algorithms \(\mathcal {A}^{(\cdot )}\) that \(P-\)break \(f^{(\cdot )}\).

A few remarks are in order. First, we argue that the notion of correctness and the adversary advantage are well-defined, in that the limits are guaranteed to exist. This property is established by the following lemma. Its proof (in Appendix A) crucially relies on the consistency property of the setup assumption. Broadly speaking, the property guarantees that the behavior of an adversary (in terms of winning the security game) is monotonic with respect to \(\ell \). That is, if an adversary wins the game when its query space is \(X_\ell \) (with some probability), then the adversary will win (with at least the same probability) the instance of the game where the query space is \(X_{\ell +1}\). This property then gives rise to a monotonically non-decreasing sequence upper-bounded by 1, which implies that the desired limit exists.

Lemma 7

Let \(f^{(\cdot )}\), \(\mathcal {A}^{(\cdot )}\) and \(\mathcal {R}^{(\cdot ,\cdot )}\) be any function, unbounded adversary and PPT machine respectively. Then, for \(M = (X,Y,\phi ,\mathcal {M})\), the following limit exists:

$$\lim _{k \rightarrow +\infty }\lim _{\ell \rightarrow +\infty } F(k,\ell ),$$

where

figure b

and the probability is over and the random coins in the environment.

The proof of the lemma is presented in Appendix A.5.

Second, the limits in the definition of a correct implementation can be swapped or merged into a single parameter, as hinted at in the introduction, by Lemma 4. Nonetheless, we prefer to keep the present formulation since it is particularly helpful for proving our main theorem (Theorem 3).

Finally, our definition no longer describes implementations of a primitive as functions from some abstract implementation set. Instead, we identify correct implementations as those for which no efficient adversary can win a correctness game \(C_P\)Footnote 5. The reason for this departure is that we need to formalize what is the extension of a notion P to a setup assumption. Indeed, above we have essentially shown how to define a game with an abstract setup assumption. Lifting a notion from the standard model to some particular setup comes down to simply replacing the setup assumption M (which is \(\varnothing \) for the standard model), appropriately.

5.3 Fully Black-Box Non-programmable Reductions

We now introduce a notion of a fully black-box non-programmable reduction between primitives with setup assumptions.

Definition 6

Let P and Q be primitives with the setup assumption M. We say that there is a fully black-box non-programmable reduction from P to Q in M (written as ) if there exist PPT algorithms \(G^{(\cdot )},S^{(\cdot )}\) such that:

  • for every implementation \(f^{(\cdot )}\) of Q, \({G^f}^{(\cdot )}\) is an implementation of P,

  • for every implementation \(f^{(\cdot )}\) of Q and every (unbounded) algorithm \(\mathcal {A}^{(\cdot )}\), if \(\mathcal {A}^{(\cdot )}\) P-breaks \({G^f}^{(\cdot )}\) then \({S^\mathcal {A}}^{(\cdot )}\) Q-breaks \(f^{(\cdot )}\).

In the literature, S has access to an external oracle \(\mathcal {O}\) instead of \(\mathcal {A}\). We call this reduction non-programmable since we let \(\mathcal {A}\) have access to \(\mathcal {O}\) via S, meaning that if the adversary wants to query \(\mathcal {O}\), it sends the value to S, S passes it to \(\mathcal {O}\) and returns to \(\mathcal {A}\) what it got from \(\mathcal {O}\). Apart from that, S does not query \(\mathcal {O}\) at all. From the perspective of \(\mathcal {A}\), this is clearly equivalent to \(\mathcal {A}\) having access to \(\mathcal {O}\), as illustrated in the definition above. There is another type of reduction called programmable [13], where S can simulate an oracle on its own. However, we omit the details in this paper.

5.4 Setup Assumption Extensions

In order to describe our main result, we need to define what it means to “naturally extend “the primitive to a setup assumption M. Hence, we define a notion of a \(M-\)extension of a primitive.

Definition 7

Let \(P =\big \langle \mathbb {P}_1, \varnothing , C_P, R_P, \sigma \big \rangle \) be a primitive in the standard model and M be a setup assumption. Then, a \(M-\)extension P(M) of P is the tuple \(P(M)=\langle \mathbb {P}_1, M, C_P, R_P, \sigma \big \rangle \).

We can now formalize our main result. Namely, if there exists a fully black-box reduction from P to Q in the standard model, then there also exists a fully black-box reduction from P(M) to Q(M), where M is any setup assumption.

Theorem 2 (Ideal Model Correspondence)

Let P and Q be primitives in the standard model and M be any ideal model. Then, assuming a fully black-box reduction in the standard model implies a fully black-box reduction in the ideal model.

figure c

We provide the proof in Sect. 6.

Remark. Let (GS) be a reduction from P to Q. Intuitively, (GS) should also be a correct reduction from P(M) to Q(M). However, in the M model, the adversary as well as the implementation have access to some “shared state" which is the external oracle. This, however, is not the case in the standard model. Indeed, this additional advice might help an adversary break P(M) but not Q(M). In Theorem 2 we show that if (GS) is a fully black-box reduction, then it can be extended to a setup assumption representing some ideal model. However, the open question remains whether the same property holds when (GS) is not fully black-box anymore.

Fig. 1.
figure 1

We prove a correspondence for fully black-box reductions in the standard model to ideal models.

Full size image

5.5 Common Instantiations of Setup Assumptions

In this section we present common ideal models in the framework we introduced. We also prove they satisfy the consistent sampling property.

The Random Oracle Model. This model [3] is one of the cornerstones of modern cryptography. A random oracle represents ideal hash functions. When a party queries with a bitstring \(\{0,1\}^*\), the random oracle, given a security parameter \(\lambda \), samples an element from \(\{0,1\}^\lambda \) uniformly at random.

Formally, we define a random oracle setup assumption \(M_{{\text {ROM}}}\) as the tuple

$$\begin{aligned} M_{{\text {ROM}}} = \left( \{0,1\}^*, \{0,1\}^{*}, \phi , \mathcal {M}_{\ell ,\lambda }^{{\text {ROM}}} \right) \end{aligned}$$

Note we can well-order all bit-strings, for instance as follows: \(0, 1, 00,01,\cdot \). Here, \(\phi \) simply outputs the index of the ordering above. Now define \(Y\) to be a set of arbitrary bit-strings with cardinality equal to some polynomial of \(\lambda \). That is \(Y_{\lambda }= \{0,1\}^{\ell _{{\text {out}}}(\lambda )}\), for some length function \(\ell _{{\text {out}}}\) – see [8]. Then \(\mathcal {M}_{\ell ,\lambda }^{{\text {ROM}}}\) samples from \(Y_{\lambda }^{X_\ell }\) which has cardinality \(2^{\ell _{{\text {out}}}(\lambda ) \ell }\). Thus the sampler \(\mathcal {M}_{\ell ,\lambda }^{{\text {ROM}}}\) iterates over all \(\ell \) inputs at setup, and for each one picks independently uniformly at random with probability \(\frac{1}{2^{\ell _{{\text {out}}}(\lambda )}}\) an element from \(Y\).

Proposition 1

The above construction \(M_{{\text {ROM}}}\) is a consistent setup assumption.

Proof

We can easily see that on each instantiation of the setup the sampler picks each element independently at random. Thus, the sampler does not depend on elements ordered after \(i\) to pick the value of \(i\). \(\square \)

The Ideal Cipher Model. In the Ideal Cipher Model [23] the participants may access an ideal cipher \(\mathsf {enc}: \{0,1\}^{k} \times \{0,1\}^n \rightarrow \{0,1\}^n\), s.t. \(\mathsf {enc}\) are random permutations \(\{0,1\}^n \rightarrow \{0,1\}^n\) that have been independently and uniformly drawn (with replacement for each key). Recall that the Ideal Cipher model is equivalent to the Random Oracle model [11] (original [12]).

We can define the setup assumption for an \((k,n)\)-ideal cipher similarly to ROM above.

$$\begin{aligned} M_{IC}= \left( \{0,1\}^* \times \{0,1\}^*, \{0,1\}^*, \phi : \{0,1\}^* \times \{0,1\}^* \rightarrow \mathbb {N}, \mathcal {M}_{\ell ,\lambda }^{{\text {IC}}} \right) . \end{aligned}$$

For simplicity we just set \(k\) above equal to \(\lambda .\) Note that here we use the normal ordering as described prior of the bitstrings to the naturals \(\phi \). We order strings similarly. This implies a \(2^n\) period on the domain set: each of the \(2^\lambda \) keys is paired with \(2^n\) input values. In particular, note that the sampler \(\mathcal {M}_{\ell ,\lambda }^{{\text {IC}}}\) has to pick a permutation \(\mathsf {enc}({\text {key}})\!: \{0,1\}^n \rightarrow \{0,1\}^n \) independently for each \({\text {key}}\). Note that \(n\) might depend on the security parameter \(\lambda .\)

Proposition 2

The above setup assumption \(M_{IC}\) satisfies the consistent sampling property.

Proof

Assume the normal ordering as discussed above. First for each new key (of the \(2^k\)) we sample a new random permutation. Thus, we need only to show that while sampling a permutation for \(0\le \ell <2^n\) the consistent sampling property holds. We can generalize for each of the keyed permutations. Without loss of generality, if \(\ell < 2^n-1\), observe that the sampling process of the \(\ell \)’th query element of \(X_{\ell +1}\) does not depend on the \(\ell + 1\) value (it depends only on some of the elements of \(X_{\ell -1}\) (if \(\ell >0\)) – as we sample without replacement.\(\square \)

The Common Reference String model (CRS) In the Common Reference String model, a generalization of the Common Random String  [4] the oracle provides access to a common value that is sampled from some arbitrary desired distribution specific to the protocol. Namely, following the definition of [7] on setup the oracle samples and sends it to the querying party. For each subsequent query the oracle responds with \(d\).

Formally, for a CRS model with distribution \(\mathcal {D}_\lambda \) over a countable set \(D\), we define the following setup assumption \(M_{{\text {CRS}}}\)

$$\begin{aligned} M_{{\text {CRS}}} = \left( \{0\}, D, \phi :\{0\}\rightarrow \mathbb {N}, \mathcal {M}_{\ell ,\lambda }^{{\text {CRS}}} \right) \end{aligned}$$

We simply define \(\phi (0) = 0\) and define the sampler \(\mathcal {M}_{\ell ,\lambda }^{{\text {CRS}}}\) to sample d from \(\mathcal {D}_\lambda \) and return \(\mathcal {O}: 0\mapsto d\).

Proposition 3

The above setup assumption \(M_{{\text {CRS}}}\) satisfies the consistent sampling property.

Proof

It follows immediately from the observation that the sampling process is independent of the parameter \(\ell \). \(\square \)

6 Proof of Theorem 2

We prove our main claim via Theorems 3 and 4. Namely, we show that if (GS) is a fully black-box reduction from primitives P to Q in the standard model then (i) G is a generic construction in the setup assumption M and (ii) for every implementation \(f^{(\cdot )}\) of Q(M) and every (unbounded) algorithm \(\mathcal {A}^{(\cdot )}\), if \(\mathcal {A}^{(\cdot )}\) P(M)-breaks \({G^f}^{(\cdot )}\) then \({S^\mathcal {A}}^{(\cdot )}\) Q(M)-breaks \(f^{(\cdot )}\).

6.1 Generic Construction Theorem

We first prove a vital lemma about satisfying correctness with functions with access to a bounded oracle random tape.

Lemma 8

Let P be a primitive in the setup assumption \(M = (X,Y,\phi ,\mathcal {M})\), \(f^{(\cdot )}\) be a function and \(\mathsf {OA}\) be the set of all unbounded adversaries with oracle access. Then, \(f^{(\cdot )}\) is an implementation of P if and only if \(\mathsf {Corr}_P(f)\) is negligible, where:

figure d

and .

Proof

Clearly, if \( \mathsf {Corr}_P(f)(\lambda ) \) is negligible then for any adversary \(\mathcal {A}\) we have

figure e

Thus, \(f^{(\cdot )}\) is an implementation of P.

Now, suppose that \(f^{(\cdot )}\) is an implementation of P. Note that by definition of supremum, we can find a sequence of adversaries \(\mathcal {A}_1,\mathcal {A}_2,\ldots \) indexed by \(\lambda \) such that for all \(\lambda \):

figure f

Hence, let us pick an adversary \(\mathcal {A}\) which given \(\lambda \) runs \(\mathcal {A}_\lambda \). Since \(f^{(\cdot )}\) is an implementation of P, we know that is negligible and therefore so is \( \mathsf {Corr}_P(f)(\lambda )\).\(\square \)

For convenience, we continue using \(\mathsf {OA}\) to denote the set of all unbounded adversaries with oracle access henceforth.

Theorem 3

Let (GS) be a fully black-box reduction from P to Q in the standard model and \(M=(X,Y,\phi ,\mathcal {M})\) be a setup assumption. Then, for every implementation \(f^{(\cdot )}\) of Q(M), \(G^{f^{(\cdot )}}\) is an implementation of P(M).

Proof

Let us first fix \(\lambda \in \mathbb {N}\) and \(f^{(\cdot )}\) be an implementation of Q(M). We first prove that there exists a function \(t:\mathbb {N} \rightarrow \mathbb {N}\) such that \(f_t\) is also an implementation of Q(M) and if \(G^{f^{(\cdot )}_t}\) is an implementation of P(M) then so is \(G^{f^{(\cdot )}}\).

Lemma 9

For any function \(f^{(\cdot )}\), there exists \(t:\mathbb {N} \rightarrow \mathbb {N}\) which satisfies the following properties:

  • \(f^{(\cdot )}\) is an implementation of Q(M) if and only if \(f_t^{(\cdot )}\) is an implementation of Q(M).

  • \(G^{f^{(\cdot )}}\) is an implementation of P(M) if and only if \(G^{f_t^{(\cdot )}}\) is an implementation of P(M).

Proof

We prove the statement by construction. Let \(f^{(\cdot )}\) be any function and \(\lambda \in \mathbb {N}\). Then, by Lemma 3 we have

(3)

where

figure g

Therefore, there exists an integer \(N_1\) such that for all \(n \ge N_1\)

$$|c_n - \mathsf {Corr}_{Q(M)}(f)(\lambda )| < \frac{1}{2^\lambda }.$$

Note that

(4)

Similarly, one can find \(N_2 \in \mathbb {N}\) such that for all \(n \ge N_2\):

$$| \mathsf {Corr}_{P(M)}\left( G^{f_n}\right) (\lambda ) - \mathsf {Corr}_{P(M)}\left( G^{f}\right) (\lambda )| < \frac{1}{2^\lambda }.$$

Let us set \(t(\lambda ) := \max \{N_1,N_2\}\). Then, the statement holds by construction and Lemma 8.\(\square \)

Next, we select t as in the lemma above and define the “relevant tape” as a sequence of sets \(T_1,T_2,\ldots \) defined as:

$$T_\lambda = X_{t(\lambda )} = \{ x \in X : \phi _\lambda (x) < t(\lambda ) \}.$$

For simplicity, we index \(T_{\lambda }\) as follows \(T_{\lambda } = \{x_{\lambda ,1},\ldots ,x_{\lambda ,|T_{\lambda }|}\}\). Define:

$$ S_\lambda = Y^{|T_\lambda |} \text { and } S = \bigcup _{\lambda \in \mathbb {N}} S_\lambda .$$

Then, we set the distribution \(D_\lambda : S_\lambda \rightarrow [0,1]\) as

figure h

Since \(T_\lambda \) is finite, the distribution is discrete. Moreover, by consistency of setup assumptions we get that for all \(\ell \ge t(\lambda )\):

figure i

Now, we define

figure j

and similarly

figure k

Here, the probabilities are defined over and the random coins in the system. One argues similarly as in Lemma 7 that functions P and Q are well-defined.

We claim that for any \(g:\mathbb {N} \rightarrow S\), we have

$$ Q(\lambda ,g(\lambda )) \in \mathsf {UBnegl} \implies P(\lambda ,g(\lambda )) \in \mathsf {UBnegl}.$$

Indeed, suppose that \(Q(\lambda ,g(\lambda )) \in \mathsf {UBnegl}\). By construction, we have \(0 \le Q(\lambda ,g(\lambda )) \le 1\) for all \(\lambda \in \mathbb {N}\) and thus this function is negligible.

We define the function \(f_t^g\) with hardwired oracle queries g as follows. Given a security parameter \(\lambda \), it behaves identically as in \(f^{(\cdot )}_t\) but when f “queries an oracle” on input \(x_{\lambda ,i}\in T_\lambda \), it gets \(y_i\) where \(g(\lambda )=(y_1,\ldots ,y_{|T_\lambda |}) \in S_\lambda \). On the other hand, for \(\lambda \) so that \(g(\lambda ) \not \in S_\lambda \), we set \(f_t^g\) to simply abort.

By construction, \(\mathsf {Corr}_{Q}(f^g_t) = Q(\lambda ,g(\lambda ))\) is negligible and therefore, \(f^g_t\) is an implementation of Q. Since G is a generic construction in the standard model, we have that \(G^{f^g_t}\) is an implementation of P, i.e. \(\mathsf {Corr}_{Q}(G^{f^g_t})\) is negligible. As a consequence, \(P(\lambda ,g(\lambda ))\) is negligible and in particular \(P(\lambda ,g(\lambda )) \in \mathsf {UBnegl}\).

We are now ready to apply Theorem 1 for \(k=1\). Note that for we have

(5)

which, by Lemma 2, is equal to

figure l

We claim that

figure m

First, take any unbounded adversary \(\mathcal {A}\in \mathsf {OA}\). Then, by Lemma 5:

(6)
(7)
(8)
(9)
(10)

Then, by definition of supremum we have

figure n

On the other hand, let us select any sequence of adversaries \((\mathcal {A}_{\mathbf {y}})_{\mathbf {y} \in S_\lambda }\). We construct an adversary \(\mathcal {A}\) which first calls the external oracle \(\mathcal {O}\) on all inputs in \(T_\lambda \) and given \(\mathbf {y} = (y_1,\ldots ,y_{|T_\lambda |})\), where \(\mathcal {O}(x_{\lambda ,i}) = y_i\), it runs \(\mathcal {A}_{\mathbf {y}}\). Then, we have

(11)
(12)
(13)

Consequently, and the claim holds. In particular,

$$\mathbb {E}(Q(\lambda , Z_\lambda )) = \mathsf {Corr}_{Q(M)}(f_t)(\lambda ) \in \mathsf {UBnegl}.$$

Thus, by Theorem 1, \(\mathbb {E}(P(\lambda , Z_\lambda ))\in \mathsf {UBnegl}\). Note that \(\mathbb {E}(P(\lambda , Z_\lambda )) \in [0,1]\) for all \(\lambda \), and consequently this function is also negligible. By arguing similarly as before, we get that \(\mathbb {E}(P(\lambda , Z_\lambda )) = \mathsf {Corr}_{Q(M)}(G^{f_t})(\lambda )\) and thus, \(G^{f}\) is an implementation of P(M) by Lemmas 8 and 9. \(\square \)

6.2 Reduction Theorem

Theorem 4

Let (GS) be a fully black-box reduction from P to Q in the standard model and M be an external oracle. Then, for every implementation \(f^{(\cdot )}\) of Q(M) and every adversary \(\mathcal {A}^{(\cdot )}\), if \(\mathcal {A}^{(\cdot )}\) P(M)-breaks \({G^f}^{(\cdot )}\) then \({S^\mathcal {A}}^{(\cdot )}\) Q(M)-breaks \(f^{(\cdot )}\).

Proof

We prove the statement by contrapositive. First, we will need an extension of Lemma 9.

Lemma 10

For any implementation \(f^{(\cdot )}\) of Q(M) and adversary \(\mathcal {A}^{(\cdot )}\), there exists \(t:\mathbb {N} \rightarrow \mathbb {N}\) such that for all \(\lambda \in \mathbb {N}\):

  • \(f_t^{(\cdot )}\) is an implementation of Q(M).

  • \(|\mathsf {Adv}^{P(M)}_{G^f,\mathcal {A}}[(\lambda )] - \mathsf {Adv}^{P(M)}_{G^{f_t},\mathcal {A}_t}[(\lambda )]| < \frac{1}{2^\lambda }.\)

  • \(|\mathsf {Adv}^{Q(M)}_{f,S^\mathcal {A}}[(\lambda )] - \mathsf {Adv}^{Q(M)}_{f_t,S^{\mathcal {A}_t}}[(\lambda )]| < \frac{1}{2^\lambda }.\)

Proof

We prove the statement by construction. Let \(f^{(\cdot )}\) and \(\mathcal {A}^{(\cdot )}\) be any implementation of Q(M) and adversary respectively, and \(\lambda \in \mathbb {N}\). First, the proof of Lemma 9 says that there exists \(N_0 \in \mathbb {N}\) such that for all \(n \ge N_0\):

$$ | \mathsf {Corr}_{Q(M)}\left( f_n\right) (\lambda ) - \mathsf {Corr}_{Q(M)}\left( f\right) (\lambda )| < \frac{1}{2^\lambda }. $$

On the other hand, by definition of the advantage and Lemma 4

(14)

where \(\sigma _Q(\lambda )\) is the security threshold for Q and

figure o

for \(k\in \mathbb {N}\). This means there exists \(N_1 \in \mathbb {N}\) such that for all \(n\ge N_1\):

$$|c_{n} - \mathsf {Adv}^{Q(M)}_{f,S^\mathcal {A}}[(\lambda )] | < 1/2^{\lambda }.$$

One can similarly compute such \(N_2\) for \(G^{f}\). Let us set \(t(\lambda ) = \max \{N_0,N_1,N_2\}\). Then, the statement holds by construction.\(\square \)

Fix an implementation \(f^{(\cdot )}\) of Q(M) and adversary \(\mathcal {A}^{(\cdot )}\) such that \(\mathsf {Adv}^{Q(M)}_{f,S^\mathcal {A}}[(\lambda )] \in \mathsf {UBnegl}\) is bounded by a negligible function. Let us select t as in the lemma above. Then, \(f^{(\cdot )}_t\) is an implementation of Q(M) and \(\mathsf {Adv}^{Q(M)}_{f_t,S^{\mathcal {A}_t}}[(\lambda )]\in \mathsf {UBnegl}\) as well.

Define the “relevant tape” as a sequence of sets \(T_1,T_2,\ldots \) as:

$$T_\lambda = X_{t(\lambda )} = \{ x \in \mathcal {X}_\lambda : \phi _\lambda (x) \le t(\lambda ) \}.$$

For simplicity, we write \(T_{\lambda } = \{x_{\lambda ,1},\ldots ,x_{\lambda ,|T_{\lambda }|}\}\). Denote

$$ S_\lambda = \mathcal {Y}^{|T_\lambda |}_\lambda \text { and } S = \bigcup _{\lambda \in \mathbb {N}} S_\lambda .$$

Then, we define the distribution \(D_\lambda : S_\lambda \rightarrow [0,1]\) as

figure p

Since \(|T_\lambda |\) is finite, the distribution is discrete. As before, consistency of a setup assumption implies that for all \(\ell \ge t(\lambda )\):

figure q

Next, we introduce the following functions:

figure r
figure s

and similarly

figure t

Clearly, for any \(\lambda \in \mathbb {N}\) and \(\mathbf {y} \in S\) we have

$$-1 \le Q_1(\lambda , \mathbf {y}),Q_2(\lambda , \mathbf {y}), P(\lambda , \mathbf {y}) \le 1.$$

Let \(g : \mathbb {N} \rightarrow S\). In order to apply Theorem 1 we need to prove that

$$Q_i(\lambda ,g(\lambda )) \in \mathsf {UBnegl} \text { for } i=1,2 \implies P(\lambda , g(\lambda )) \in \mathsf {UBnegl}.$$

Similarly as before, we define the function \(f_t^g\) with hardwired oracle queries g in the following way. Given a security parameter \(\lambda \), it behaves identically as in \(f^{(\cdot )}_t\) but when f “queries an oracle” on input \(x_{\lambda ,i}\in T_\lambda \), it gets \(y_i\) where \(g(\lambda )=(y_1,\ldots ,y_{|T_\lambda |}) \in S_\lambda \). However, for \(\lambda \) so that \(g(\lambda ) \not \in S_\lambda \), we set \(f_t^g\) to simply abort. Similarly, we define \(\mathcal {A}^g_t\). It is easy to see that

$$ Q_1(\lambda ,g(\lambda )) = \mathsf {Adv}^{Q(M)}_{f^g_t,S^{\mathcal {A}^g_t}}[(\lambda )].$$

Suppose \(Q_i(\lambda ,g(\lambda )) \in \mathsf {UBnegl} \text { for } i=1,2\). This implies that (i) \( \mathsf {Adv}^{Q(M)}_{f^g_t,S^{\mathcal {A}^g_t}}[(\lambda )]\) is upper-bounded by a negligible function and (ii) \(f^g_t\) is an implementation of Q in the standard model because

$$Q_2(\lambda ,g(\lambda ))=\mathsf {Corr}_{Q(M)}(f^g_t)(\lambda ) \in \mathsf {UBnegl}$$

and \(\mathsf {Corr}_{Q(M)}(f^g_t)(\lambda ) \in [0,1]\) for all \(\lambda \). Since (GS) is a fully black-box reduction from P to Q in the standard model, we have that \(\mathsf {Adv}^{Q(M)}_{G^{f^g_t},\mathcal {A}^g_t}[(\lambda )]\) is upper-bounded by a negligible function as well – this is indeed equal to \(P(\lambda , g(\lambda ))\).

We can now apply Theorem 1 for \(k=2\) with functions defined above. We observe that by the Law of Total Probability, \(\mathbb {E}(Q_1(\lambda , Z_\lambda ))\) is equal to

figure u

Hence, we get

figure v

Since \(\mathsf {Adv}^{Q(M)}_{f_t,S^{\mathcal {A}_t}}[(\lambda )]\) is upper-bounded by a negligible function, then so is \(\mathbb {E}(Q_1(\lambda , Z_\lambda ))\). Similarly as in the proof of Theorem 3, one argues that

$$\mathbb {E}(Q_2(\lambda , Z_\lambda )) = \mathsf {Corr}_{Q(M)}(f_t)(\lambda ).$$

Since \(f^{(\cdot )}_t\) is an implementation of Q(M), this function is negligible. Hence, by Theorem 1, we have \(\mathbb {E}(P(\lambda , Z_\lambda )) \in \mathsf {UBnegl}\) which directly implies that \(\mathsf {Adv}^{P(M)}_{G^{f_t},\mathcal {A}_t}[(\lambda )]\) is upper-bounded by a negligible function. Finally, \(\mathsf {Adv}^{P(M)}_{G^f,\mathcal {A}}[(\lambda )]\in \mathsf {UBnegl}\) by Lemma 10 and thus the statement holds.