The Multi-User Constrained Pseudorandom Function Security of Generalized GGM Trees for MPC and Hierarchical Wallets

1.1.1 Generalized GGM Tree and Its \(\mathrm{mu}\) Security.

To unify the models in various settings, we extend both the CPRF security definition and the GGM scheme. Regarding the former, we start with the fully adaptive CPRF security notion of Hofheinz et al. [34] and extend it along two axes to reach a \(\mathrm{mu}\) leakage CPRF security definition in the simulation paradigm:

Regarding the scheme, we propose a generalized model for GGM trees. Our model is built upon a public cryptographic primitive \(\mathbf {Prim}\) (that can be accessed by the adversary), uses \(\kappa\)-bit internal secrets, and allows for multiple branches. To reflect influences of public parameters, every \(\mathbf {Prim}\)-call in the tree has an additional input that we informally called label. Modeling \(\mathbf {Prim}\) as either a Fixed-Input-Length Random Oracle (FIL RO) \(\mathbf {H}\) (to justify instantiating \(\mathbf {Prim}\) with cryptographic hash functions) or a Davies-Meyer construction \(\mathsf {DM} ^\mathbf {E} (L,x) = \mathbf {E} (L,x)\oplus x\) based on an ideal cipher \(\mathbf {E}\) (to justify instantiating \(\mathbf {Prim}\) with block ciphers), we analyze the generalized tree w.r.t. our \(\mathrm{mu}\) leakage CPRF security definition. We prove \(\kappa - \log _2 C\) bits \(\mathrm{mu}\) CPRF security, where C is a parameter depending on the probability among distinct “label” inputs of the internal \(\mathbf {Prim}\) calls across all the users. When all “labels” are the same, security becomes (inferior) \(\kappa - \log _2 D\) bits, where D, called effective data complexity, is the total number of \(\mathbf {Prim}\)-calls internally made by the u tree instances and is related to the number of adversarial queries to the trees. When collisions among “labels” are unlikely, security becomes nearly optimal \(\approx \kappa\) bits. Moreover, the leakage of certain intermediate values are indistinguishable from random “simulated leakages,” indicating that protocols can extract (a limited amount of) pseudorandom bits from the intermediate values in the tree and use them in arbitrary.

The random oracle based trees can be instantiated with truncated \({\rm K}{\rm\small{ECCAK-}}p\) permutations of \(\mathsf {SHA3}\) [20], whereas the results on Davies-Meyer-based trees enable instantiations using the compression function of \(\mathsf {SHA512}\) or the \(\mathsf {AES}\) in Davies-Meyer mode. Note that even if \(\mathbf {E}\) is ideal, the Davies-Meyer construction \(\mathsf {DM} ^\mathbf {E}\) cannot be modeled as a random oracle [25], and we thus have to appeal for a dedicated analysis, and the proved bounds differ by a factor of 2.

Although our security definition, model, and provable bounds appear complicated, our analyses complete a large step of proofs for a wide range of GGM tree variants and shed light on the influences of parameters. To derive bounds for concrete designs, designers just need to fill in the parameters and make some additional counting for the aforementioned C and D. We believe this could help characterize \(\text{state-of-the-art}\) designs and provide building blocks for the coming NIST standardization [45]. We will showcase on two applications.

We remark that our bounds are proven in the ideal (function or cipher) model and should be taken as a heuristic insurance for their practical instantiations. This theoretical caveat is shared by similar works [1, 21, 22]. However, the use of an ideal model appears necessary to characterize how local computation (approximated by the number of ideal primitive queries) affects security in the \(\mathrm{mu}\) setting [7, 12, 32]. Meanwhile, as noted in the work of Shrimpton and Terashima [49], standard model proofs fail to yield “realistic” \(\mathrm{mu}\) security bounds for many symmetric schemes with rekeying [12, 32] (which is extensively used in \(\mathsf {Bip32}\)).²

Puncturable Pseudorandom Functions. We take a natural step further and consider generalized GGM as a PPRF [11, 17, 36]. This is a PRF \(\mathsf {F}\) such that given an input x and a key K, one can generate a punctured key, denoted \(K\lbrace x\rbrace\), which allows evaluating \(\mathsf {F}\) at every point except for x, and does not reveal any information about the function value \(\mathsf {F} (K,x)\). The notion was subsequently extended to allow for puncturing multiple inputs [35]. This functionality is the “dual” of CPRFs. In this respect, we extend PPRFs to the mu and leakage setting, and establish mu leakage PPRF security for generalized GGM using the aforementioned CPRF results.

1.1.2 Multi-User Security of \(\mathsf {Bip32}\) and Improvements.

The \(\mathsf {Bip32}\) HDW specifies a GGM tree based approach to derive a collection of digital signature keys organized under an access hierarchy [44]. We refer to Figure 1 for an overview and Section 6.1 for more details. Prior works on such HDWs typically focused on enhancing functionalities or achieving new security notions (see Section 1.2). Despite the importance for practical assurance, (a) the hierarchical security of \(\mathsf {Bip32}\) was never formally proved, and (b) the concrete bounds were never characterized even in the \(\mathrm{su}\) setting (modulo a concurrent work [21]: see Section 1.2).

Fig. 1.

View Figure

Along a parallel though related axis regarding efficiency, the HMAC-SHA512-based \(\mathsf {Bip32}\) standard [44] consumes a huge number of AND gates and is costly when implemented in the MPC setting (for distributed key management), and improvements were mentioned by Lindell [40] as an open problem. Although some ideas appear obvious (e.g., using more efficient hashing instead of HMAC-SHA512), the soundness is unclear due to the lack of formalism and justification.

To address the gap, we consider \(\mathrm{mu}\) hierarchical unforgeability and \(\mathrm{mu}\) hierarchical unlinkability of \(\mathsf {Bip32}\): the former guarantees that the collaboration of several “accounts” cannot forge transactions for the other “accounts” (and are thus unable to spend their money), whereas the latter ensures that in the view of several “accounts,” the public signature keys derived by the other “accounts” are pseudorandom and independent. Then, using our leakage CPRF security of the random oracle based trees, we prove that with u users, \(\mathsf {Bip32}\) achieves (roughly) \(\min \lbrace 247, 256 - \log _2 u \rbrace\) bits \(\mathrm{mu}\) hierarchical unlinkability security and \(\min \lbrace 247, 256 - \log _2 u, f(q_S) \rbrace\) bits \(\mathrm{mu}\) hierarchical unforgeability security, where \(f(q_S)\) is the \(\mathrm{mu}\) security of the underlying signature scheme for \(q_S\) the number of adversarial signing queries. By these, the concrete (even \(\mathrm{mu}\)) unlinkability bounds of the whole \(\mathsf {Bip32}\) system is mostly close to the expectation of its designers (256 bits), and the degradation with u is limited. The concrete unforgeability bounds, however, depend on the \(\mathrm{mu}\) security of the signature, and this is unavoidable. This emphasizes the importance of carefully choosing the signature. Additionally, the relation with CPRFs provide cryptographic insights on HDWs including \(\mathsf {Bip32}\).

Our formal analysis opens the way to improving \(\mathsf {Bip32}\) tree using \(\mathsf {SHACAL3}\), the compression function underlying \(\mathsf {SHA512}\), and \({{\rm K}{\rm\small{ECCAK-}}p} [800,11]\), a cryptographic permutation from the \(\mathsf {SHA3}\) family. Our proposals reduce the number of AND gates by 73.3% to 93.8% compared with the standard \(\mathsf {Bip32}\), and are promising in the context of threshold cryptography and side-channel protections. To demonstrate, we benchmark MPC implementations of our proposals and the standard \(\mathsf {Bip32}\), with results in Table 1 indicating expected improvements.

1.1.3 Multi-User Security of Trees in FSS and Improvements.

FSS is a cryptographic primitive where the client can secretly share a function f to \(f_1\) and \(f_2\) such that each of the function does not reveal the parameters of f. Two servers holding \(f_i\) and x can locally evaluate \(f_i(x),\) and the scheme ensures that \(f(x) = f_1(x)\oplus f_2(x)\). When f is a point function, such construction can be easily used for private information retrieval. Furthermore, the splitting of function f can be performed in a 2PC protocol and thus eliminates the need of a client.

As mentioned earlier, most such applications require a private PPRF, which is built upon a GGM tree. In detail, in PCG, a client (which could be simulated by MPC) samples a key of a PPRF, which is essentially the root of a GGM tree, and then sends the key/root to one of the party. The other party chooses a leaf (in an oblivious manner) and obtains the punctured key enabling evaluating all but that leaf. A popular way to instantiate the GGM tree is to define the length-doubling PRG as \(s \mapsto \mathsf {AES} _{fk}(s)\oplus s\Vert \mathsf {AES} _{fk}(s\oplus 1)\oplus s\oplus 1\) (denoted as \(\mathsf {FBTr}\)), where \(\mathsf {AES} _{fk}\) is the \(\mathsf {AES}\) using fixed, publicly known keys fk. However, security characterizations are lacking even in the \(\mathrm{su}\) setting, leaving gaps in both concrete bounds and design references.

We bridge both gaps. First, regarding security of the aforementioned scheme \(\mathsf {FBTr}\), we formally prove (roughly tight) concrete \(\mathrm{mu}\) PPRF security of \(128 - \log _2 d - \log _2u\) bits, where d is the depth of the tree. These, as discussed, suffer from the (notable) \(\log _2u\) bit degradation.

Next, we show how to improve. First, to overcome the \(\log _2u\) degradation, we propose to use random \(\mathsf {IV}\) as the fixed \(\mathsf {AES}\) key in every FSS protocol instance, and this improves the \(\mathrm{mu}\) security to \(128 - \log _2 d - 2\) bits, which is a good bound since d is typically small in practice. Second, we propose multi-branch generalizations, offering a promising tradeoff with the same \(\mathrm{mu}\) security—that is, it saves 50% computations at the expense of 50% larger puncturable keys.

Although our analysis does not cover the full FSS, it indicates that the trees exhibit no practical security issues. We leave the full characterization for future work.

4.1.1 The Oracles and Leakage Simulator.

We assume the leakage oracle \(\mathsf {L}\) in \(\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}}\) and \(\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}}\) leaks the leftmost bits \(\mathsf {left} _{n-\kappa }(z)\) for every intermediate node \(z \in \lbrace 0,1\rbrace ^n\) appeared during the computations. In detail, note that by our convention, a query to the evaluation oracle \(\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}}\) is of the form \((i_0,p)\), \(p=i_1/i_2/.../i_d\). In the real world, \(\mathsf {muEv}_\mathbf {K}\) will return \(\mathsf {Nd} (i_0,p)\) the n-bit node value at the end of the path p in the \(i_0\)-th tree. As the corresponding leakages, we assume that \(\mathsf {L} (K_{i_0},p)\) will provide d additional values of \(n-\kappa\) bits—that is, \(\begin{align*} \mathsf {left} _{n-\kappa }\big (\mathsf {Nd} (i_0,\bot)\big), \mathsf {left} _{n-\kappa }\big (\mathsf {Nd} (i_0,i_1)\big),\ldots , \mathsf {left} _{n-\kappa }\big (\mathsf {Nd} (i_0,i_1/.../i_{d-1})\big). \end{align*}\) To wit, after issuing a query to \(\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}}\), \(\mathfrak {D}\) obtains \(n+d(n-\kappa)\) bits information.

Similarly, a query to the constraining oracle \(\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}}\) is of the form \((i_0,p^*)\), \(p^*=i_1^*/.../i_{d^{\prime }}^*\) (see Figure 2), which may be incomplete (i.e., \(d^{\prime } \le d\)), and \(\mathsf {muCo}_\mathbf {K}\) will return the n-bit node value \(\mathsf {Nd} (i_0,p^*)\). As the leakages, we assume that \(\mathsf {L} (K_{i_0},p^*)\) provides \(d^{\prime }\) values \(\mathsf {left} _{n-\kappa }(\mathsf {Nd} (i_0,\bot))\), \(\mathsf {left} _{n-\kappa }(\mathsf {Nd} (i_0,i_1^*)),\ldots ,\) \(\mathsf {left} _{n-\kappa }(\mathsf {Nd} (i_0,i_1^*/.../i_{d^{\prime }-1}^*))\), which resembles the evaluation queries. This means a single query to \(\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}} (i_0,i_1^*/.../i_{d^{\prime }}^*)\) gives rise to \(n+d^{\prime }(n-\kappa)\) bits.

As in Definition 2.4, the ideal oracle \(\mathsf {R}\) returns an n-bit random value that is of the same size as \(\mathsf {Nd} (i_0,p)\), and we consider a simulator \(\mathsf {S}\) that simply outputs random simulated leakages. Formally, \(\mathsf {S}\) is described in Figure 4. Consequently, \(\mathfrak {D}\) obtains the same amount of random bits (i.e., \(n+d^{\prime }(n-\kappa)\) bits) as in the real world. We stress that although our security definition is simulation based, our leakage simulator never “hijacks” adversarial random oracle queries. Therefore, our subsequent results only need non-programmable random oracles.

Fig. 4.

View Figure

4.1.2 Query Restrictions.

Besides the query restriction imposed in Definition 2.4, we additionally assume that the distinguisher \(\mathfrak {D}\) never makes redundant queries. Clearly, this cannot decrease attack advantage. For \(\mathsf {GGGM} ^{\mathbf {Prim}}\), these indicate the following:

4.1.3 Brother Paths.

Given a path \(p = i_1/.../i_{d^{\prime }-1}/i_{d^{\prime }} \in \mathcal {P}\), we define a set \(\mathcal {B}\mathsf {r} (p)=\lbrace p_1,p_2,\ldots ,p_w\rbrace\) of w paths, where for \(1 \le \ell \le w\), \(\begin{align*} p_\ell = i_1/.../i_{d^{\prime }-1}/i_{d^{\prime }}^{(\ell)}, \ \ \ \ i_{d^{\prime }}^{(\ell)} = \lfloor \frac{ i_{d^{\prime }} }{ w } \rfloor \cdot w + \ell - 1. \end{align*}\) These w nodes \(\mathsf {Nd} (i_0,p_1),\ldots ,\mathsf {Nd} (i_0,p_w)\) are attributed to the same wn-bit output of a single call to \(\mathbf {Prim}\) in the \(i_0\)-th tree. We thus call them brother paths (of p). This notion will be used in subsequent analyses.

4.1.4 Concentration of Labels.

In the random oracle model, distinct labels separate corresponding \(\mathbf {Prim}\)-calls. To formalize, consider the following sampling process. Given D distinct pairs \(\mathcal {I} = \lbrace (i_0^{(\ell)}, p^{(\ell)}) \in \lbrace 1,\ldots ,u \rbrace \times \mathcal {P} \rbrace _{ \ell = 1,\ldots ,D}\),

Based on \(\mathcal {L}\), we define a quantity for the maximal frequency of a certain label value—that is, (4) \(\begin{align} \mu (\mathcal {L}) := \max _{ t \in \lbrace 0,1\rbrace ^\nu }\Big \lbrace \Big | \big \lbrace (i_0,p,r) \in \mathcal {L}: \mathsf {lf} _{p,j}(r,{\mathsf {pp}} _{i_0}) = t \big \rbrace \Big | \Big \rbrace . \end{align}\) We denote this sampling process by \({\mathbf {P}} \leftarrow \mathsf {KGen}, \mathcal {L} \leftarrow \mathsf {S}\). Note that the quantity reflects a property across multiple users in the ideal world. A trivial upper bound is \(\mu (\mathcal {L}) \le D\) (see Section 4.2). As will be seen in Theorems 4.1 through 5.1, the smaller \(\mu (\mathcal {L})\), the better concrete security. A promising choice is to define \(\mu (\mathcal {L})\) to be a (pseudo)random variable, as will be treated in Theorems 4.1 through 5.1. For example, one can choose a random initialization vector \(\mathsf {IV}\) for every \(\mathsf {GGGM} ^{\mathbf {Prim}}\) instances/users and define \(\mathsf {lf} _{p,j}(r,{\mathsf {pp}}) := \cdot \Vert \mathsf {IV}\). This limits collisions between labels in distinct \(\mathsf {GGGM} ^{\mathbf {Prim}}\) instances and decreases \(\mu (\mathcal {L})\). This approach will be used to improve FSS (see Section 7). As will be seen, a more sophisticated approach is to extract a part of the intermediate values as pseudorandom bits and “embed” them in the images of \(\mathsf {lf} _{p,j}(r,{\mathsf {pp}})\). This approach is used in \(\mathsf {Bip32}\) key tree (see Section 6).

4.2.1 Proof Idea.

Recall that the goal is to derive a bound for \(\begin{align*} \Big | {\Pr }\big [ \mathfrak {D} ^{\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}},\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}},\mathbf {H}} = 1\big ] - {\Pr }\big [ \mathfrak {D} ^{\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H}} = 1\big ] \Big |. \end{align*}\) In the ideal world \(\mathfrak {D} ^{\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H}}\), the outputs of the oracle \(\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}}\) (i.e., the constrained keys) depend on the secret keys \(\mathsf {k} _1,\ldots ,\mathsf {k} _u\). This complicates the H-coefficient-based analysis. To remedy, we introduce a random constraining oracle \(\mathsf {\$Cons}^{\mathsf {S}}\), which accepts queries of the same form \((i_0,p^*)\) as \(\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}}\) (and \(\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}}\)), but \(\mathsf {\$Cons}\) returns true random n-bit strings as the constrained key \(\mathsf {Nd} (i_0,p^*)\) (while \(\mathsf {S}\) returns random leakages as before). This means for a query \((i_0,i_1^*/.../i_{d^{\prime }}^*)\), the random constraining oracle \(\mathsf {\$Cons}^{\mathsf {S}}\) returns in total \(n+d^{\prime }(n-\kappa)\) random bits. We take \((\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H})\) as an intermediate world. In this vein, when interacting with \((\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H})\), the information gained by \(\mathfrak {D}\) is completely independent of any CPRF key, easing the analysis.

We then proceed with two steps: first we prove indistinguishability of the real and the intermediate worlds, then we prove indistinguishability of the intermediate and the ideal worlds.

4.2.2 Indistinguishability of \((\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}},\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}},\mathbf {H})\) and \((\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H})\).

For this step, we view the real \((\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}},\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}},\mathbf {H})\) as the real world, and the intermediate world \((\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H})\) as the ideal world. We prove the following bound using the H-coefficient method: (7) \(\begin{align} \Big | {\Pr }\big [ \mathfrak {D} ^{\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}},\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}},\mathbf {H}} = 1\big ] - {\Pr }\big [ \mathfrak {D} ^{\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H}} = 1\big ] \Big | \le \varepsilon _{\mu } + \frac{C \cdot ({T} + D) }{2^{\kappa }} . \end{align}\)

Transcripts. Since we are in the random oracle model and aim at statistical indistinguishability, we could, without loss of generality [46], consider a deterministic distinguisher \(\mathfrak {D}\) interacting with the three oracles as reflected in Definition 2.4. To summarize the information gained by \(\mathfrak {D}\) in a clear form, we introduce two list \(\mathcal {Q} _\mathbf {H}\) and \(\mathcal {Q} _\mathsf {Nd}\). The list \(\mathcal {Q} _\mathbf {H} = \lbrace (x^{(1)}, y^{(1)}), \ldots \rbrace\) records \(\mathfrak {D}\)’s queries/answers to/from \(\mathbf {H}\), with \((x, y) \in \mathcal {Q} _\mathbf {H}\) meaning \(\mathbf {H} (x)=y\). The list \(\mathcal {Q} _\mathsf {Nd} = \lbrace (i_0^{(1)},p^{(1)},z^{(1)},b^{(1)}),\ldots \rbrace\) records the values in the tree obtained by \(\mathfrak {D}\) via either the “standard” responses or the leakages. Every tuple \((i_0,p,z,b) \in \mathcal {Q} _\mathsf {Nd}\) is such that \(p \in \mathcal {P}\), and

• \(z \in \lbrace 0,1\rbrace ^{n-\kappa }\) when \(b = 0\), meaning that z is a leaked intermediate value;

• \(z \in \lbrace 0,1\rbrace ^n\) when \(b = 1\), meaning that z is either a constrained key or an output of \(\mathsf {muEv}_\mathbf {K}\).

To simplify our proof language, we follow earlier work [32, 33] and reveal a number of internal secrets to \(\mathfrak {D}\) at the end of the interaction. In detail, we will reveal the \(\kappa\)-bit internal seeds to \(\mathfrak {D}\) and add them to the transcript \(\mathcal {Q} _\mathsf {Nd}\). In this respect, note that in the real world \((\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}},\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}},\mathbf {H})\), for every resulted tuple \((i_0,p,z,b) \in \mathcal {Q} _\mathsf {Nd}\), the corresponding node value \(\mathsf {Nd} (i_0,p)\) necessarily appeared during processing the queries. Moreover, \(z = \mathsf {Nd} (i_0,p)\) when \(b = 1\), and \(z = \mathsf {left} _{n - \kappa }(\mathsf {Nd} (i_0,p))\) when \(b = 0\). We will thus reveal the “missing” \(\kappa\) bits \(z_R = \mathsf {right} _{\kappa }(\mathsf {Nd} (i_0,p))\) to \(\mathfrak {D}\) and add them to \(\mathcal {Q} _\mathsf {Nd}\). Since \(\mathsf {k} _{i_0} = \mathsf {Nd} (i_0, \bot)\), this means the u user keys \(\mathsf {k} _1,\ldots ,\mathsf {k} _{u}\) are also completely given. In the ideal world, we reveal and add random “dummy” bits to the transcript. We also append to the transcript u public parameters \({\mathbf {P}} =({\mathsf {pp}} _1,\ldots ,{\mathsf {pp}} _{u})\) that are sampled according to the same distribution as the real world. By this, we obtain an extended list \(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} = \lbrace (i_0^{(1)},p^{(1)},z^{(1)},b^{(1)}),\ldots \rbrace\), among which \((i_0^{(1)},p^{(1)}),(i_0^{(2)},p^{(2)}),\ldots\) are exactly the same as those in \(\mathcal {Q} _\mathsf {Nd}\), whereas \(z^{(1)},z^{(2)},\ldots\) are all “full” n-bit strings regardless of the values of \(b^{(1)},b^{(2)},\ldots\) In all, we define \(\begin{equation*} \mathcal {Q} =(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}},\mathcal {Q} _\mathbf {H},{\mathbf {P}}) \end{equation*}\) as a transcript. It is without loss of generality to provide these additional values, since the distinguisher is free to ignore them. In the following, we first define the set \(\Theta _{\mathrm{bad}}\) of bad transcripts and then analyze good transcripts.

Internal Evaluation List \(\mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}\). Regarding \(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\), we make crucial observations as follows. For any \((i_0,p,z,b) \in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\), \(p = i_1/.../i_{d^{\prime }}\) with \(d^{\prime } \ge 1\), we have the following:

• It holds \((i_0^{\circ }, p^{\circ }, \mathsf {Nd} (p^{\circ }), \star) \in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) for every prefix \(p^{\circ }\) of p, since \(\mathsf {Nd} (i_0^{\circ }, p^{\circ })\) indeed appeared during computing \(\mathsf {Nd} (i_0, p) = z\).

• It holds \((i_0, p^{\prime }, \mathsf {Nd} (p^{\prime }), \star) \in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) for every brother path \(p^{\prime } \in \mathcal {B}\mathsf {r} (p)\) of p. To see this, note that for any path \(p \in \mathcal {P}\), \((i_0, p, \mathsf {Nd} (p), \star) \notin \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) only if the corresponding value \(\mathsf {Nd} (i_0, p)\) is never computed during the interaction. The only possibility is that there exists a constraining query \(\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}} (i_0, p^*)\) such that \(p^*\) is a prefix of p, and this forbids querying \((i_0,p)\) due to the query restrictions mentioned in Section 4.1.2. This essentially implies \(\mathsf {Nd} (i_0,p^{\prime })\) is never computed for any \(p^{\prime } \in \mathcal {B}\mathsf {r} (p)\). By this, \((i_0, p, \mathsf {Nd} (i_0,p), \star) \notin \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} ~\Leftrightarrow ~ \forall p^{\prime }\in \mathcal {B}\mathsf {r} (p): (i_0, p^{\prime }, \mathsf {Nd} (i_0,p^{\prime }), \star) \notin \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\), and thus the claim.

By these, consider any \((i_0,p,z,\star) \in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) with \(p = i_1/.../i_{d^{\prime }-1}/i_{d^{\prime }}\), \(1 \le d^{\prime } \le d\). Let \(p^* = i_1/.../i_{d^{\prime }-1}\), \(j^* = \lfloor \frac{ i_{d^{\prime }} }{ w } \rfloor\), and let \(p_\ell = i_1/.../i_{d^{\prime }-1}/ w j^* + \ell - 1\) (\(1 \le \ell \le w\)). Then \(\mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}\) includes the “internal evaluation tuple” \((i_0,p^*,j^*,x^*,y^*)\), where (recall from Section 3.2 that \(\mathsf {of} (z,\cdot)\) is bijective) (8) \(\begin{align} &x^* = \mathsf {lf} _{ p^*, j^* } \big (\mathsf {left} _{n-\kappa }\big (\mathsf {Nd} (i_0,p^*) \big) , {\mathsf {pp}} _{i_0} \big) ~\big \Vert ~ \mathsf {sf} _{ p^*, j^* } \big (\mathsf {right} _{\kappa }\big (\mathsf {Nd} (i_0,p^*) \big) \big), \nonumber \nonumber\\ &y^* = \mathsf {of} ^{-1}\big (\mathsf {Nd} (i_0,p^*), \mathsf {Nd} (i_0,p_1) \big) ~\Vert ~ \mathsf {of} ^{-1}\big (\mathsf {Nd} (i_0,p^*), \mathsf {Nd} (i_0,p_2) \big) ~\Vert ~ \mathsf {of} ^{-1}\big (\mathsf {Nd} (i_0,p^*), \mathsf {Nd} (i_0,p_w) \big). \end{align}\)

By the preceding two observations, all the mentioned node values can be found in \(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\), and \(x^*\), \(y^*\) are thus well defined. The additional fields \(p^*\) and \(j^*\) will significantly simplify proof languages. It can be seen that the set \(\mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}\) records all the internal random oracle evaluations that appeared during the real-world interaction, and \(|\mathcal {Q} _{\mathbf {H}}^{\mathrm{x}} | = D\) is the aforementioned effective data complexity of \(\mathfrak {D}\). Indeed, this constitutes its motivation.

Bad Transcripts. A transcript \(\mathcal {Q} =(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}},\mathcal {Q} _\mathbf {H})\) is bad, if any of the following conditions is fulfilled:

• (B-1) \(\mu \ge C\).

• (B-2) There exist a tuple \((i_0^*,p^*,j^*,x^*,y^*)\in \mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}\) and a pair \((x,y)\in \mathcal {Q} _\mathbf {H}\) such that \(x^* = x\).

• (B-3) There are distinct tuples \((i_0^*,p^*,j^*,x^*,y^*),(i_0^{**},p^{**},j^{**},x^{**},y^{**})\in \mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}\) such that \(x^*=x^{**}\).

The first condition captures that the “labels” of the internal calls are too concentrated. The second condition addresses the case where an internal random oracle evaluation in a \(\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}}\)/\(\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}}\) query collide with an adversarial offline random oracle query, whereas the third condition addresses the case where distinct \(\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}}\)/\(\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}}\) queries issue the same internal random oracle evaluation.

First, \(\Pr [\text{(B-1)} ] \le \varepsilon _{\mu }\) immediately follows from Equation (5), since leakages in \(\mathfrak {D} ^{\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H}}\) are purely random. For (B-2), consider each choice of \(((x,y),(i_0^*,p^*, j^*,x^*,y^*))\in \mathcal {Q} _\mathbf {H} \times \mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}\). By the definition of \(\mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}\), \(x=x^*\) means \(x = \mathsf {lf} _{ p^*,j^* } (\mathsf {left} _{n-\kappa }(z^*) , {\mathsf {pp}} _{i_0^*}) \Vert \mathsf {sf} _{ p^*, j^* } (\mathsf {right} _{\kappa }(z^*))\) for \((i_0^*,p^*,z^*,\star) \in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\). Since the seed \(\mathsf {right} _{\kappa }(z^*)\) is uniform in \(\lbrace 0,1\rbrace ^{\kappa }\) in the ideal world (it is the random “dummy” value appended to \(\mathcal {Q}\)), and since \(\mathsf {sf} _{p^*,j^*} (\cdot)\) is injective, the probability to have \(\mathsf {sf} _{p^*,j^*} ({\mathsf {right} _{\kappa }}(z^*)) = \mathsf {right} _{\lambda } (x)\) is \(1/2^{\kappa }\).

Now, the condition \(x=x^*\) is fulfilled only if \(\mathsf {left} _{\nu }(x)=\mathsf {lf} _{p^*,j^*} ({\mathsf {left} _{n-\kappa }}(z^*) , {\mathsf {pp}} _{i_0^*})\). By this, for any \(t\in \lbrace 0,1\rbrace ^{ \nu }\), we define \(\mathcal {Q} _\mathbf {H} [ t ]:=\lbrace s\in \lbrace 0,1\rbrace ^\lambda :(t \Vert s,\star)\in \mathcal {Q} _\mathbf {H} \rbrace\). Then, the probability that (B-2) is fulfilled w.r.t. the preceding tuple \((i_0^*,p^*,j^*,x^*,y^*)\) is \(| \mathcal {Q} _\mathbf {H} [ \mathsf {lf} _{p^*,j^*} ({\mathsf {left} _{n-\kappa }}(z^*) , {\mathsf {pp}} _{i_0^*}) ] | / 2^{\kappa }\). By the preceding and our definition Equation (4), \(\begin{align*} {\Pr }[ \text{(B-2)} \mid \lnot \text{(B-1)} ] =~& \sum _{(i_0^*,p^*,j^*,x^*,y^*) \in \mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}}\frac{ |\mathcal {Q} _\mathbf {H} [ \mathsf {lf} _{p^*,j^*} (\mathsf {left} _{n-\kappa }(\mathsf {Nd} (i_0^*,p^*)) , {\mathsf {pp}} _{i_0^*}) ]| }{2^{\kappa }} \\ =~& \sum _{ t\in \lbrace 0,1\rbrace ^{ \nu } } \sum _{ (i_0^*,p^*,j^*,x^*,y^*) \in \mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}:\mathsf {lf} _{p^*,j^*} (\mathsf {left} _{n-\kappa }(\mathsf {Nd} (i_0^*,p^*)) , {\mathsf {pp}} _{i_0^*}) = t }\frac{ |\mathcal {Q} _\mathbf {H} [ t ]| }{2^{\kappa }} \\ \le ~& \sum _{ t\in \lbrace 0,1\rbrace ^{ \nu } } \frac{ C \cdot |\mathcal {Q} _\mathbf {H} [t]|}{2^{\kappa }} \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \text{(By }\lnot \text{(B-1)}) \\ \le ~& \frac{ C \cdot {T}}{2^{\kappa }} \ \ \ \ \ \ \ \ \ \ \ \ \left(\text{Since } \sum _{ t\in \lbrace 0,1\rbrace ^{ \nu } } \big |\mathcal {Q} _\mathbf {H} [t]\big | = \big |\mathcal {Q} _\mathbf {H} \big | ={T} \right)\!. \end{align*}\)

For (B-3), consider each pair \((i_0^*,p^*,j^*,x^*,y^*)\), \((i_0^{**}, p^{**}, j^{**}, x^{**}, y^{**})\in \mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}\). By the definition of \(\mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}\), it holds \(x^*= \mathsf {lf} _{ p^*,j^* } (\mathsf {left} _{n-\kappa }(z^*) , {\mathsf {pp}} _{i_0^*}) \Vert \mathsf {sf} _{ p^*, j^* } (\mathsf {right} _{\kappa }(z^*))\) and \(x^{**}= \mathsf {lf} _{ p^{**},j^{**} } (\mathsf {left} _{n-\kappa }(z^{**}) , {\mathsf {pp}} _{i_0^{**}}) \Vert\)

\(\mathsf {sf} _{ p^{**}, j^{**} } (\mathsf {right} _{\kappa }(z^{**}))\) for \((i_0^*,p^*,z^*,\star),(i_0^{**},p^{**},z^{**},\star) \in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) respectively. Then the condition \(x^*=x^{**}\) is fulfilled only if \((i_0^*,p^*)\ne (i_0^{**},p^{**})\), as per our restriction on \(\mathsf {sf}\) and \(\mathsf {lf}\). By this, \(\mathsf {right} _{\kappa }(z^*)\) and \(\mathsf {right} _{\kappa }(z^{**})\) are uniform and independent. Moreover, \(\mathsf {sf} _{p^*,j^*} (\cdot)\) and \(\mathsf {sf} _{p^{**},j^{**}} (\cdot)\) are injective. Hence, the probability to have \(\mathsf {sf} _{p^*,j^*} ({\mathsf {right} _{\kappa }}(z^*)) =\mathsf {sf} _{p^{**},j^{**}} ({\mathsf {right} _{\kappa }}(z^{**}))\) is \(1/2^{\kappa }\). Further, \(x^*=x^{**}\) requires \(\mathsf {lf} _{p^*,j^*} ({\mathsf {left} _{n-\kappa }}(z^*) , {\mathsf {pp}} _{i_0^*}) =\mathsf {lf} _{p^{**},j^{**}} ({\mathsf {left} _{n-\kappa }}(z^{**}) , {\mathsf {pp}} _{i_0^{**}})\). Therefore, \(\begin{align*} & {\Pr }\big [ \text{(B-3)} \mid \lnot \text{(B-1)} \big ] \\ =~& \sum _{ (i_0^*,p^*,j^*,x^*,y^*)\in \mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}} \bigg (\sum _{ \begin{matrix} (i_0^{**},p^{**},j^{**},x^{**},y^{**}) \ne (i_0^*,p^*,j^*,x^*,y^*) : \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \\ \mathsf {lf} _{p^*,j^*} \big (\mathsf {left} _{n-\kappa }(\mathsf {Nd} (i_0^*,p^*)) , {\mathsf {pp}} _{i_0^*} \big) = \mathsf {lf} _{p^{**},j^{**}} \big (\mathsf {left} _{n-\kappa }(\mathsf {Nd} (i_0^{**},p^{**})) , {\mathsf {pp}} _{i_0^{**}} \big) \end{matrix} } \frac{1}{2^{\kappa }} \bigg) \\ \le ~& \sum _{ (i_0^*,p^*,j^*,x^*,y^*)\in \mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}} \frac{ C}{ 2^{\kappa } } \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \text{(By }\lnot \text{(B-1)}) \\ \le ~& \frac{ C \cdot D }{2^{\kappa }} . \end{align*}\) In all, a union bound yields (9) \(\begin{align} {\Pr }\big [ T_{\mathrm{id}}\in \Theta _{\mathrm{bad}} \big ]\le \varepsilon _{\mu } + \frac{C \cdot ({T} + D) }{2^{\kappa }} . \end{align}\)

Ratio of Probabilities of Good Transcripts. One key insight of the H-coefficient method is that for any \(\mathcal {Q} \in \Theta _{\mathrm{good}}\), the probability ratio \(\Pr [T_{\mathrm{re}}=\mathcal {Q} ]/\Pr [T_{\mathrm{id}}=\mathcal {Q} ]\) is equal to the ratio between the probability that the real-world oracles are consistent with \(\mathcal {Q}\) and the probability that the ideal-world oracles are consistent with \(\mathcal {Q}\). Now, for any attainable transcript \(\mathcal {Q} =(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}},\mathcal {Q} _\mathbf {H},{\mathbf {P}})\), the probability that the ideal-world transcript is consistent with \(\mathcal {Q}\) is always exactly (10) \(\begin{eqnarray} \frac{1}{ 2^{{T} wn} }\times \frac{1}{ 2^{|\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} |n} }\times {\Pr }\big [ {\mathbf {P}} \leftarrow \mathsf {KGen} \big ]. \end{eqnarray}\) This is so since in \(\mathfrak {D} ^{\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H}}\),

Bounding the distinguishing advantage of \(\mathfrak {D}\) thus reduces to bounding the probability that the real world is consistent with transcripts \(\mathcal {Q} \in \Theta _{\mathrm{good}}\).

Let \(\mathbf {H} \vdash \mathcal {Q} _\mathbf {H}\) denote the event that a function \(\mathbf {H}\) is consistent with the queries/answers in \(\mathcal {Q} _\mathbf {H}\)—that is, that \(\mathbf {H} (x)=y\) for all \((x, y) \in \mathcal {Q} _\mathbf {H}\). Since, in the real world, the information in \(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) is completely determined by \(\mathbf {H}\) and the user keys \(\mathbf {K} =(K_1,\ldots ,K_{u})\), we can also write \((\mathbf {H}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) to denote the event that the function \(\mathbf {H}\) and keys \(\mathbf {K}\) are consistent with the queries/answers in \(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\). For a (good) transcript \(\mathcal {Q} =(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}},\mathcal {Q} _\mathbf {H},{\mathbf {P}})\), the probability that the real world is consistent with \(\mathcal {Q}\) is exactly (11) \(\begin{align} & {\Pr }\big [ (\mathbf {H}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} \mid \mathbf {H} \vdash \mathcal {Q} _\mathbf {H} \big ] \times {\Pr }\big [\mathbf {H} \vdash \mathcal {Q} _\mathbf {H} \big ] \times {\Pr }\big [ \mathbf {K} \leftarrow \mathsf {KGen} \big ] \nonumber \nonumber\\ =~& {\Pr }\big [ (\mathbf {H}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} \mid \mathbf {H} \vdash \mathcal {Q} _\mathbf {H} \big ] \times {\Pr }\big [\mathbf {H} \vdash \mathcal {Q} _\mathbf {H} \big ] \times \frac{1}{ 2^{u n} } \times {\Pr }\big [ {\mathbf {P}} \leftarrow \mathsf {KGen} \big ] \end{align}\) (using independence of \(\mathbf {K}\) and \(\mathbf {H}\)). We have \(\Pr [\mathbf {H} \vdash \mathcal {Q} _\mathbf {H} ] = 1/2^{{T} wn}\) exactly as before. The crux of the proof thus reduces to bounding \(\Pr [ (\mathbf {H}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} \mid \mathbf {H} \vdash \mathcal {Q} _\mathbf {H} ]\). For this, note that in the real world, the list \(\mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}\) essentially summarizes all the random oracle queries internally issued by \(\mathsf {GGGM} ^{\mathbf {H}}\) for producing the transcript \(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\). Therefore, \(\begin{eqnarray*} {\Pr }\big [ (\mathbf {H}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} \mid \mathbf {H} \vdash \mathcal {Q} _\mathbf {H} \big ] =~& {\Pr }\big [ \forall (i_0^*,p^*,j^*,x^*,y^*)\in \mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}: \mathbf {H} (x^*)=y^* \mid \mathbf {H} \vdash \mathcal {Q} _\mathbf {H} \big ] . \nonumber \nonumber \end{eqnarray*}\) We further show that the latter probability concerns with \(\mathbf {H}\) satisfying “new” and distinct equations. Let \(\mathcal {Q} _{\mathbf {H}}^{\mathrm{x}} =((i_0^{(1)},p^{(1)},j^{(1)},x^{(1)},y^{(1)}),\ldots ,(i_0^{(D)},p^{(D)},j^{(D)},x^{(D)},y^{(D)}))\) in arbitrary order. The probability can be expressed as \(\begin{equation*} \prod _{\ell =1}^{D } {\Pr }\big [ \mathbf {H} (x^{(\ell)})=y^{(\ell)} \mid \mathbf {H} \vdash \mathcal {Q} _\mathbf {H} \wedge \forall \ell ^{\prime } \lt \ell : \mathbf {H} (x^{(\ell ^{\prime })})=y^{(\ell ^{\prime })}\big ]. \end{equation*}\) Fix some \(\ell\). Since the transcript is good, there is no query of the form \((x^{(\ell)}, \star)\) in \(\mathcal {Q} _\mathbf {H}\) (since (B-2) does not occur), nor is \(\mathbf {H} (x^{(\ell)})\) determined by the fact that \(\mathbf {H} (x^{(\ell ^{\prime })})=y^{(\ell ^{\prime })}\) for all \(\ell ^{\prime }\lt \ell\) (since (B-3) does not occur). Thus, we have \(\begin{equation*} {\Pr }\big [ \mathbf {H} (x^{(\ell)})=y^{(\ell)} \mid \mathbf {H} \vdash \mathcal {Q} _\mathbf {H} \wedge \forall \ell ^{\prime } \lt \ell : \mathbf {H} (x^{(\ell ^{\prime })})=y^{(\ell ^{\prime })}\big ] = 1/2^{wn} \end{equation*}\) for all i. The term \(1/2^{D wn}\) thus follows.

It remains to determine the size of \(\mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}\). Recall that for every pair \(\begin{align*} \Big (i_0, p, j, \mathsf {lf} _{p,j} \big (\mathsf {left} _{n-\kappa }\big (\mathsf {Nd} (i_0,p)\big) , {\mathsf {pp}} _{i_0} \big) \big \Vert \mathsf {sf} _{p,j} \big (\mathsf {right} _{\kappa }\big (\mathsf {Nd} (i_0,p)\big) \big),\ \ \overline{z_1} \big \Vert \cdots \big \Vert \overline{z_w}\Big)\in \mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}, \end{align*}\) it holds \((i_0,p/jw,\mathsf {of} (\mathsf {Nd} (i_0,p), \overline{z_1}),\star),\ldots ,(i_0,p/jw+w-1, \mathsf {of} (\mathsf {Nd} (i_0,p), \overline{z_w}), \star)\in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\). However, it can be seen that for every set of w triples \((i_0,p_1,z_1,\star),\ldots ,(i_0,p_w,z_w,\star)\in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) such that \(p_1=p^*/j^*w\), \(p_1,\ldots ,p_w \in \mathcal {B}\mathsf {r} (p_1)\), the n-bit values \(\mathsf {Nd} (i_0,p^*)=z^*\) and \(z_1,\ldots ,z_w\) correspond to a unique tuple \((i_0,p^*,j^*,x^*,y^*)\in \mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}\) with \(y^* = \mathsf {of} ^{-1}(z^*, z_1) \Vert \cdots \Vert \mathsf {of} ^{-1}(z^*, z_w)\). By this, there is a one-to-one correspondence between sets of w tuples in \(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) with associated paths being brothers and tuples in \(\mathcal {Q} _{\mathbf {H}}^{\mathrm{x}}\), and thus \(\begin{equation*} |\mathcal {Q} _{\mathbf {H}}^{\mathrm{x}} |=\frac{ | \lbrace (i_0,p,z,b) \in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}: p \ne \bot \rbrace | }{w}. \end{equation*}\) Note that \(| \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} | - | \lbrace (i_0,p,z,b) \in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}: p \ne \bot \rbrace | = u\), and the u entries are \((1,\bot ,\mathsf {k} _1,\star),\ldots ,\) \((u,\bot ,\mathsf {k} _{u},\star)\). By this, \(\begin{align*} \text{Equation } (11) =~& \Big (\frac{1}{2^{wn}}\Big)^{D } \times \frac{1}{ 2^{{T} wn} } \times \frac{1}{ 2^{u n} } \times {\Pr }\big [ {\mathbf {P}} \leftarrow \mathsf {KGen} \big ] \\ =~& \Big (\frac{1}{2^{n}}\Big)^{ \big | \lbrace (i_0,p,z,b) \in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}: p \ne \bot \rbrace \big | } \times \frac{1}{ 2^{{T} wn} } \times \frac{1}{ 2^{u n} } \times {\Pr }\big [ {\mathbf {P}} \leftarrow \mathsf {KGen} \big ] \\ =~& \frac{1}{ 2^{{T} wn} } \times \Big (\frac{1}{2^{n}}\Big)^{|\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} |} \times {\Pr }\big [ {\mathbf {P}} \leftarrow \mathsf {KGen} \big ] . \end{align*}\) So the probability that the real world is consistent with the transcript is the same as Equation (10). This means Equation (9), the probability of obtaining bad transcripts, constitutes the gap between the real world \((\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}},\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}},\mathbf {H})\) and the intermediate world \((\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H})\).

4.2.3 Indistinguishability of \((\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H})\) and \((\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H})\).

For this, we view \((\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}}\), \(\mathsf {R} ^{\mathsf {S}}, \mathbf {H})\) as the real world and \((\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H})\) as the ideal, and prove the following bound: (12) \(\begin{align} \Big | {\Pr }\big [ \mathfrak {D} ^{\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H}} = 1\big ] - {\Pr }\big [ \mathfrak {D} ^{\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {H}} = 1\big ] \Big | \le \varepsilon _{\mu } + \frac{C \cdot ({T} + D) }{2^{\kappa }} . \end{align}\) Essentially, this step requires establishing pseudorandomness of the constrained keys, which follows the same idea as the first step with a number of changes. In detail, we employ four list \(\mathcal {Q} _\mathbf {H},\mathcal {Q} _\mathsf {S},\mathcal {Q} _\mathsf {Nd}\), and \(\mathcal {Q}_R\) to keep the information gained by \(\mathfrak {D}\). The RO-query list \(\mathcal {Q} _\mathbf {H}\) is just the same as before. The list \(\mathcal {Q} _\mathsf {S} = \lbrace (i_0^{(1)},p^{(1)},r^{(1)}),\ldots \rbrace\) records all the leakages returned by \(\mathsf {S}\), where \(i_0^{(\ell)} \in \lbrace 1,\ldots u \rbrace\), \(p^{(\ell)} \in \mathcal {P}^*\), and \(r^{(\ell)} \in \lbrace 0,1\rbrace ^{n - \kappa }\) indicates that at the position \(p^{(\ell)}\) in the \(i_0^{(1)}\)-th tree, the leakage block returned by \(\mathsf {S}\) is \(r^{(\ell)}\). The list \(\mathcal {Q} _\mathsf {Nd}\) is modified such that \(\mathcal {Q} _\mathsf {Nd} = \lbrace (i_0^{(1)},p^{(1)},z^{(1)}),\ldots \rbrace\) records the queries and responses of \(\mathsf {\$Cons}\)/\(\mathsf {muCo}_\mathbf {K}\). Namely, the \(\ell\)-th tuple \((i_0^{(\ell)},p^{(\ell)},z^{(\ell)}) \in \mathcal {Q} _\mathsf {Nd}\) indicates that \(\mathfrak {D}\) made a query \((i_0^{(\ell)},p^{(\ell)})\) to \(\mathsf {\$Cons}\)/\(\mathsf {muCo}_\mathbf {K}\) and the n-bit “standard” response is \(z^{(\ell)}\). Finally, \(\mathcal {Q}_R = \lbrace (i_0^{(1)},p^{(1)},z^{(1)}),\ldots \rbrace\) records the queries and responses of \(\mathsf {R}\), where \((i_0^{(\ell)},p^{(\ell)},z^{(\ell)}) \in \mathcal {Q} _\mathsf {Nd}\) indicates that \(\mathfrak {D}\) made a query \((i_0^{(\ell)},p^{(\ell)})\) to \(\mathsf {R} ^{\mathsf {S}}\) and the n-bit (random) response of \(\mathsf {R}\) is \(z^{(\ell)}\).

We also reveal the internal values corresponding to \(\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}}\)’s evaluations to \(\mathfrak {D}\) at the end of the interaction to extend \(\mathcal {Q} _\mathsf {Nd}\), but the strategy differs from the previous step (Section 4.2.2). In detail, note that every tuple \((i_0,p,z) \in \mathcal {Q} _\mathsf {Nd}\) indicates \(\mathfrak {D}\) making a query \((i_0,p)\) to \(\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}}\), and for every \(p^{\prime }\) that is prefix of p, the corresponding node value \(z^{\prime }=\mathsf {Nd} (i_0,p^{\prime })\) necessarily appeared during processing the query. We thus reveal all such node values \(z^{\prime }=\mathsf {Nd} (i_0,p^{\prime })\) to \(\mathfrak {D}\) and add the corresponding triple \((i_0,p^{\prime },z^{\prime })\) to \(\mathcal {Q} _\mathsf {Nd}\). We also reveal all the u secret keys \(\mathsf {k} _1,\ldots ,\mathsf {k} _{u}\) and add the corresponding triple \((i_0,\bot ,\mathsf {k} _{i_0})\) to \(\mathcal {Q} _\mathsf {Nd}\). In the ideal world, we reveal random “dummy” n-bit blocks \(z^{\prime } \xleftarrow {\$}\lbrace 0,1\rbrace ^n\) to \(\mathfrak {D}\) and add \((i_0,p^{\prime },z^{\prime })\) to \(\mathcal {Q} _\mathsf {Nd}\) correspondingly. By this, we obtain an extended list \(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} = \lbrace (i_0^{(1)},p^{(1)},z^{(1)}),\ldots \rbrace\), among which \((i_0^{(1)},p^{(1)}),(i_0^{(2)},p^{(2)}),\ldots\) represents the positions to the nodes in \(\mathcal {Q} _\mathsf {Nd}\), whereas \(z^{(1)},z^{(2)},\ldots\) are all “full” n-bit strings that are either “real” intermediate values (in the real world) or random “dummy” blocks (in the ideal world). Finally, we also sample u public parameters \(\mathbf {P}\) in the ideal world. In all, we define \(\begin{equation*} \mathcal {Q} =(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}},\mathcal {Q}_R,\mathcal {Q} _\mathsf {S},\mathcal {Q} _\mathbf {H},{\mathbf {P}}) \end{equation*}\) as a transcript. Clearly, \(| \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} | \le D\). The real-world probability \({\Pr }[ T_{\mathrm{re}} = \mathcal {Q} ]\) is then written as (13) \(\begin{align} {\Pr }\big [ \mathbf {H} \vdash \mathcal {Q} _\mathbf {H} \big ] \times {\Pr }\big [ \mathsf {S} \vdash \mathcal {Q} _\mathsf {S} \big ] \times {\Pr }\big [ \mathsf {R} \vdash \mathcal {Q}_R \big ] \times {\Pr }\big [ (\mathbf {H}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} \mid \mathbf {H} \vdash \mathcal {Q} _\mathbf {H} \big ] \times {\Pr }\big [ {\mathbf {P}} \leftarrow \mathsf {KGen} \big ], \end{align}\) where \(\mathsf {S} \vdash \mathcal {Q} _\mathsf {S}\) denotes the event that the random leakages returned by \(\mathsf {S}\) are consistent with those in \(\mathcal {Q} _\mathsf {S}\), \(\mathsf {R} \vdash \mathcal {Q}_R\) denotes \(\mathsf {R} (i_0,p) = z\) for every \((i_0,p,z) \in \mathcal {Q}_R\), and \((\mathbf {H}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) denotes the event that values generated by the oracle \(\mathsf {muCo}_{\mathbf {K}}\) (using \(\mathbf {H}\)) are consistent with the records in \(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\). The preceding expansion is possible since \(\mathsf {S}\), \(\mathsf {R}\), and \((\mathbf {H}, \mathbf {K})\) are independent. Similarly, (14) \(\begin{align} {\Pr }\big [ T_{\mathrm{id}} = \mathcal {Q} \big ] =~& {\Pr }\big [ \mathbf {H} \vdash \mathcal {Q} _\mathbf {H} \big ] \times {\Pr }\big [ \mathsf {S} \vdash \mathcal {Q} _\mathsf {S} \big ] \times {\Pr }\big [ \mathsf {R} \vdash \mathcal {Q}_R \big ] \nonumber \nonumber\\ & \ \ \ \ \ \ \ \ \ \ \ \ \times {\Pr }\big [ (\mathsf {\$Cons},\mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} \big ] \times {\Pr }\big [ {\mathbf {P}} \leftarrow \mathsf {KGen} \big ], \end{align}\) since \((\mathsf {\$Cons},\mathbf {K})\) is independent from \(\mathbf {H}\). Gathering Equations (13) and (14) yields (15) \(\begin{align} \frac{ {\Pr }[ T_{\mathrm{re}} = \mathcal {Q} ] }{ {\Pr }[ T_{\mathrm{id}} = \mathcal {Q} ] } = \frac{ {\Pr }[ (\mathbf {H}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} \mid \mathbf {H} \vdash \mathcal {Q} _\mathbf {H} ] }{ {\Pr }[ (\mathsf {\$Cons},\mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} ] }, \end{align}\) and the problem thus reduces to bounding \(\Pr [ (\mathbf {H}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} \mid \mathbf {H} \vdash \mathcal {Q} _\mathbf {H} ]\). Subsequent analyses thus simply follow the same line as the first step. The definition of bad transcripts is the same as the first step, resulting in \(\Pr [T_{\mathrm{id}}\in \Theta _{\mathrm{bad}}]\le \varepsilon _{\mu } + \frac{C \cdot ({T} + D) }{2^{\kappa }}\). For a good transcript \(\mathcal {Q} =(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}},\mathcal {Q}_R,\mathcal {Q} _\mathsf {S},\mathcal {Q} _\mathbf {H},{\mathbf {P}})\), following the same line as the previous step, it can be shown that \(\begin{eqnarray*} {\Pr } \big [ (\mathbf {H}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} \mid \mathbf {H} \vdash \mathcal {Q} _\mathbf {H} \big ] = \Big (\frac{1}{2^{n}}\Big)^{ \big | \lbrace (i_0,p,z,b) \in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}: p \ne \bot \rbrace \big | } .\nonumber \nonumber \end{eqnarray*}\) The preceding established Equation (12). Gathering Equations (7) and (12) yields Equation (6) and completes the proof.

4.3.1 Indistinguishability of \((\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}},\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}},\mathbf {E})\) and \((\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {E})\).

View \((\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}},\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}},\mathbf {E})\) as the real world and \((\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {E})\) as the ideal world. We prove the following bound: (18) \(\begin{align} \left| {\Pr }\big [ \mathfrak {D} ^{\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}},\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}},\mathbf {E}} = 1\big ] - {\Pr }\big [ \mathfrak {D} ^{\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {E}} = 1\big ] \right| \le \varepsilon _{\mu } + \frac{2C \cdot ({T} + D) }{ 2^{\kappa } } . \end{align}\) The setting is similar to that studied in Section 4.2, except that the random oracle \(\mathbf {H}\) is replaced with an ideal cipher \(\mathbf {E}: \lbrace 0,1\rbrace ^\nu \times \lbrace 0,1\rbrace ^{wn} \mapsto \lbrace 0,1\rbrace ^{wn}\) that can be queried in both forward and backward directions, with \(wn = \lambda\). By this, the transcript of \(\mathfrak {D}\)’s interaction consists of \(\mathcal {Q} _\mathsf {Nd}\) and \(\mathcal {Q} _\mathbf {E}\), where \(\mathcal {Q}_\mathbf {E} = \lbrace (L_1, x_1, y_1), \ldots \rbrace\) records \(\mathfrak {D}\)’s queries/answers to/from \(\mathbf {E}\) (with \((L, x, y) \in \mathcal {Q}_\mathbf {E}\) meaning \(\mathbf {E} (L,x)=y\)), whereas the transcript \(\mathcal {Q} _\mathsf {Nd} = \lbrace (i_0^{(1)},p^{(1)},z^{(1)},b^{(1)}),\ldots \rbrace\), \(i_0^{(\ell)} \in \lbrace 1,\ldots ,u \rbrace\), \(p^{(\ell)}\in \mathcal {P}\), \(z^{(\ell)}\in \lbrace 0,1\rbrace ^n \cup \lbrace 0,1\rbrace ^{n-\kappa }\), \(b^{(\ell)} \in \lbrace 0,1\rbrace\), is just similar to Section 4.2. We also append the \(\kappa\) bit internal secrets to \(\mathcal {Q} _\mathsf {Nd}\) to have the extended list \(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) as in Section 4.2, and concentrate on \(\mathcal {Q} =(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}},\mathcal {Q} _\mathbf {E},{\mathbf {P}})\) with \(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} =((i_0^{(1)},p^{(1)},z^{(1)},b^{(1)}),\ldots)\), \(i_0^{(\ell)} \in \lbrace 1,\ldots ,u \rbrace\), \(p^{(\ell)}\in \mathcal {P}\), \(z^{(\ell)}\in \lbrace 0,1\rbrace ^n\), \(b^{(\ell)} \in \lbrace 0,1\rbrace\). Denote by \(\mathbf {E} \vdash \mathcal {Q} _\mathbf {E}\) the event that a block cipher \(\mathbf {E}\) is consistent with the queries/answers in \(\mathcal {Q} _\mathbf {E}\) (i.e., that \(\mathbf {E} (L,x)=y\) for all \((L, x, y) \in \mathcal {Q} _\mathbf {E}\)). Then the probability of \(\mathbf {E} \vdash \mathcal {Q} _\mathbf {E}\) for an ideal cipher \(\mathbf {E}\) (with wn-bit blocks and \(\nu\)-bit keys) is exactly \((\prod _{L\in \lbrace 0,1\rbrace ^\nu }(2^{wn})_{T_L})^{-1}\), where for integers \(1\le b\le a\), we set \((a)_b=a\cdot (a-1)\cdots (a-b+1)\) with \((a)_0=1\) by convention, and \(T_L\) is the number of tuples of the form \((L,\star ,\star)\) in \(\mathcal {Q} _\mathbf {E}\) (thus, \(\sum _{L\in \lbrace 0,1\rbrace ^\nu }T_L={T}\)). Therefore, for any attainable transcript \(\mathcal {Q} =(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}},\mathcal {Q} _\mathbf {E},{\mathbf {P}})\), the probability that the ideal world is consistent with \(\mathcal {Q}\) is (19) \(\begin{eqnarray} \frac{1}{ \prod _{L\in \lbrace 0,1\rbrace ^\nu }(2^{wn})_{T_L} }\times \frac{1}{ 2^{|\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} |n} } \times {\Pr }\big [ {\mathbf {P}} \leftarrow \mathsf {KGen} \big ] . \end{eqnarray}\) For the real world, we also write \((\mathbf {E}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) to denote the event that the cipher \(\mathbf {E}\) and keys \(\mathbf {K}\) are consistent with the values in \(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\). Similarly to Section 4.2, the real-world probability is exactly (20) \(\begin{align} {\Pr }\big [ (\mathbf {E}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} \mid \mathbf {E} \vdash \mathcal {Q} _\mathbf {E} \big ] \times \frac{1}{ \prod _{L\in \lbrace 0,1\rbrace ^\nu }(2^{wn})_{T_L} } \times \frac{1}{ 2^{u n} } \times {\Pr }\big [ {\mathbf {P}} \leftarrow \mathsf {KGen} \big ], \end{align}\) and the problem also reduces to bounding \(\Pr [ (\mathbf {E}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} \mid \mathbf {E} \vdash \mathcal {Q} _\mathbf {E} ]\).

Internal Evaluation List \(\mathcal {Q} _{\mathbf {E}}^{\mathrm{x}}\). As in Section 4.2, we will show that, conditioned on \(\mathbf {E} \vdash \mathcal {Q} _\mathbf {E}\), the event \((\mathbf {E}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) is equivalent to \(\mathbf {E}\) satisfying a series of new and distinct equations. The conditions for bad transcripts are essentially defined to ensure these equations. We start by explicitly constructing the list \(\mathcal {Q} _{\mathbf {E}}^{\mathrm{x}}\) of such equations. For this, consider any \((i_0,p,z,\star) \in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\) with \(p = p^*/i_{d^{\prime }} \ne \bot\). Let \(j^* = \lfloor \frac{ i_{d^{\prime }} }{ w } \rfloor\) and \(p_\ell = p^*/ (w j^* + \ell - 1)\) (\(1 \le \ell \le w\)). Then the extended list \(\mathcal {Q} _{\mathbf {E}}^{\mathrm{x}}\) includes an “internal evaluation tuple” \((i_0,p^*, j^*, L^*,x^*,y^*)\), where (\(z^* = \mathsf {Nd} (i_0,p^*)\)): (21) \(\begin{align} L^*:=~& \mathsf {lf} _{p^*, j^*} \big ({\mathsf {left} _{n-\kappa }}\big (z^* \big) , {\mathsf {pp}} _{i_0} \big), \ \ \ \ \ \ \ \ \ \ \ \ x^*:= \mathsf {sf} _{p^*, j^*} \big ({\mathsf {right} _{\kappa }}\big (z^* \big) \big) \nonumber \nonumber\\ y^*:=~& \big (\mathsf {of} ^{-1}\big (z^*, \mathsf {Nd} (i_0,p_1) \big) ~\Vert ~ \cdots ~\Vert ~ \mathsf {of} ^{-1}\big (z^*, \mathsf {Nd} (i_0,p_w) \big) \big) ~\oplus ~ \mathsf {sf} _{p^*, j^*} \big ({\mathsf {right} _{\kappa }}\big (z^* \big) \big). \end{align}\)

Bad Transcripts. An extended transcript \(\mathcal {Q} =(\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}},\mathcal {Q} _\mathbf {E},{\mathbf {P}})\) is bad, if any of the following conditions is fulfilled:

• (B-1) \(\mu \ge C\).

• (B-2) There exist a pair of tuples \(((L,x,y),(i_0^*,p^*,j^*,L^*,x^*,y^*))\in \mathcal {Q} _\mathbf {E} \times \mathcal {Q} _{\mathbf {E}}^{\mathrm{x}}\) such that \((L,x)=(L^*,x^*)\), or \((L,y)=(L^*,y^*)\).

• (B-3) There exist distinct \((i_0^*,p^*,j^*,L^*,x^*,y^*),(i_0^{**},p^{**},j^{**},L^{**},x^{**},y^{**})\in \mathcal {Q} _{\mathbf {E}}^{\mathrm{x}}\) with \((L^*,x^*)=(L^{**},x^{**})\) or \((L^*,y^*)=(L^{**},y^{**})\).

The bound \(\Pr [\text{(B-1)} ] \le \varepsilon _{\mu }\) also follows from Equation (16) straightforwardly. For (B-2), consider each choice of \(((L,x,y),(i_0^*,p^*,j^*,L^*,x^*,y^*))\in \mathcal {Q} _\mathbf {E} \times \mathcal {Q} _{\mathbf {E}}^{\mathrm{x}}\). By the fact that \({\mathsf {right} _\kappa }(z^*)\) is uniform in \(\lbrace 0,1\rbrace ^\kappa\) for \((i_0^*,p^*,z^*,\star) \in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}\), and that \(\mathsf {sf} _{p^*,j^*} (\star)\) is injective, the probability to have \(x=x^*\) is \(1/2^\kappa\).

The other condition \(y=y^*\) translates into \(\begin{eqnarray*} y = \big (\mathsf {of} ^{-1}\big (r^*, \mathsf {Nd} (i_0^*,p_1^*) \big) ~\big \Vert \cdots \big \Vert ~ \mathsf {of} ^{-1}\big (r^*, \mathsf {Nd} (i_0^*,p_w^*) \big) \big) \oplus \mathsf {sf} _{p^*, j^*} \big (\mathsf {right} _{\kappa }\big (\mathsf {Nd} (i_0^*,p^*)\big) \big), \nonumber \nonumber \end{eqnarray*}\) where \(p_\ell ^*=p^*/ (w j^* + \ell - 1)\) (\(1 \le \ell \le w\)) and \(r^* = \mathsf {left} _{n-\kappa } (\mathsf {Nd} (i_0^*,p^*))\). In the ideal world, \({\mathsf {right} _{\kappa }}(\mathsf {Nd} (i_0^*,p^*))\) is uniform, and is independent from \(\mathsf {left} _{n-\kappa } (\mathsf {Nd} (i_0^*,p^*))\), \(\mathsf {Nd} (i_0^*,p_1), \ldots ,\) \(\mathsf {Nd} (i_0^*,p^*)\) (since \(\mathsf {right} _{\kappa }(\mathsf {Nd} (i_0^*,p^*))\) is the random “dummy” value sampled at the end of the ideal-world interaction). By this and by the injectivity of \(\mathsf {sf} _{p^*, j^*} (\star)\), the probability to have \(y=y^*\) is \(1/2^{\kappa }\).

Finally, note that \(L = \mathsf {lf} _{p^*,j^*} ({\mathsf {left} _{n-\kappa }}(\mathsf {Nd} (i_0^*,p^*)) , {\mathsf {pp}} _{i_0^*})\) is necessary for both \((L,x)=(L^*,x^*)\) and \((L,y)=(L^*,y^*)\). By this, for any \(L\in \lbrace 0,1\rbrace ^{\nu }\), we define \(\begin{align*} \mathcal {Q} _\mathbf {E} ^+[L]:=\big \lbrace x\in \lbrace 0,1\rbrace ^{wn}:(L,x,\star)\in \mathcal {Q} _\mathbf {E} \big \rbrace , \ \ \ \ \ \ \ \ \ \ \ \ \mathcal {Q} _\mathbf {E} ^-[L]:=\big \lbrace y\in \lbrace 0,1\rbrace ^{wn}:(L,\star ,y)\in \mathcal {Q} _\mathbf {E} \big \rbrace . \end{align*}\) Then, the condition (B-2) is equivalent with \(\exists (i_0^*,p^*,j^*,L^*,x^*,y^*)\in \mathcal {Q} _{\mathbf {E}}^{\mathrm{x}}: x^* \in \mathcal {Q} _\mathbf {E} ^+[L^*] ~\vee ~ y^* \in \mathcal {Q} _\mathbf {E} ^-[L^*]\), the probability of which is \(\begin{align*} {\Pr }\big [ \text{(B-2)} \mid \lnot \text{(B-1)} \big ] \le ~& \sum _{ (i_0^*,p^*,j^*,L^*,x^*,y^*)\in \mathcal {Q} _{\mathbf {E}}^{\mathrm{x}}} \frac{ 2 \big |\mathcal {Q} _\mathbf {E} ^+[L^*]\big | }{2^\kappa } \\ \le ~& \sum _{L\in \lbrace 0,1\rbrace ^{\nu } } \sum _{ (i_0^*,p^*,j^*,L^*,x^*,y^*)\in \mathcal {Q} _{\mathbf {E}}^{\mathrm{x}}: \mathsf {lf} _{p^*,j^*} \big (\mathsf {left} _{n - \kappa }(\mathsf {Nd} (i_0^*,p^*)) , {\mathsf {pp}} _{i_0^*} \big) = L } \frac{ 2 \big |\mathcal {Q} _\mathbf {E} ^+[L]\big | }{2^{\kappa }} \\ \le ~& \frac{2C \cdot {T}}{2^{\kappa }} . \end{align*}\) The last inequality follows from \({\sum }_{ L\in \lbrace 0,1\rbrace ^\nu } |\mathcal {Q} _\mathbf {E} ^+[L^*]| = {\sum }_{ L\in \lbrace 0,1\rbrace ^\nu } |\mathcal {Q} _\mathbf {E} ^-[L^*]| = {T}\).

For (B-3), consider each pair \((i_0^*,p^*,j^*,L^*,x^*,y^*),(i_0^{**},p^{**},j^{**},L^{**},x^{**},y^{**})\in \mathcal {Q} _{\mathbf {E}}^{\mathrm{x}}\). Due to our restriction on \(\mathsf {sf}\) and \(\mathsf {lf}\), if \((i_0^*,p^*) = (i_0^{**},p^{**}),\) then (\(j^* \ne j^{**}\) and) \(x^* \ne x^{**}\). Thus, we could focus on the case \(p^* \ne p^{**}\), meaning that the probability to have \(\mathsf {sf} _{p^*,j^*} (\mathsf {right} _{\kappa } (\mathsf {Nd} (i_0^*,p^*))) = \mathsf {sf} _{p^{**},j^{**}} (\mathsf {right} _{\kappa } (\mathsf {Nd} (i_0^{**},p^{**})))\) is \(1/2^{\kappa }\) since both \(\mathsf {Nd} (i_0^*,p^*)\) and \(\mathsf {Nd} (i_0^{**},p^{**})\) are independent and uniform. On the other side, the equality \(y^* = y^{**}\) translates into \(\begin{eqnarray*} & \big (\mathsf {of} ^{-1}\big (r^*, \mathsf {Nd} (i_0^*,p_1^*) \big) \Vert \cdots \Vert \mathsf {of} ^{-1}\big (r^*, \mathsf {Nd} (i_0^*,p_w^*) \big) \big) \oplus \mathsf {sf} _{p^*, j^*} \big (\mathsf {right} _{\kappa }\big (\mathsf {Nd} (i_0^*,p^*)\big) \big), \nonumber \nonumber\\ =& \big (\mathsf {of} ^{-1}\big (r^{**}, \mathsf {Nd} (i_0^{**},p_1^{**}) \big) \Vert \cdots \Vert \mathsf {of} ^{-1}\big (r^{**}, \mathsf {Nd} (i_0^{**},p_w^{**}) \big) \big) \oplus \mathsf {sf} _{p^{**}, j^{**}} \big (\mathsf {right} _{\kappa }\big (\mathsf {Nd} (i_0^{**},p^{**})\big) \big), \nonumber \nonumber \end{eqnarray*}\) where \(p_\ell ^*=p^*/ (w j^* + \ell - 1)\) (\(1 \le \ell \le w\)), \(r^* = \mathsf {left} _{n-\kappa } (\mathsf {Nd} (i_0^*,p^*))\), \(p_\ell ^{**}=p^{**}/ (w j^{**} + \ell - 1)\) (\(1 \le \ell \le w\)) and \(r^{**} = \mathsf {left} _{n-\kappa } (\mathsf {Nd} (i_0^{**},p^{**}))\). In the ideal world, \({\mathsf {right} _{\kappa }}(\mathsf {Nd} (i_0^*,p^*))\) and \({\mathsf {right} _{\kappa }}(\mathsf {Nd} (i_0^{**},p^{**}))\) are uniform and independent. By the injectivity of \(\mathsf {sf}\), the probability to have \(y^* = y^{**}\) is \(1/2^{\kappa }\).

Last, \((L^*,x^*)=(L^{**},x^{**})\) and \((L^*,y^*)=(L^{**},y^{**})\) hold only if \(\mathsf {lf} _{p^*,j^*} (\mathsf {left} _{n - \kappa }(\mathsf {Nd} (i_0^*,p^*)) , {\mathsf {pp}} _{i_0^*}) = \mathsf {lf} _{p^{**},j^{**}} (\mathsf {left} _{n - \kappa }(\mathsf {Nd} (i_0^{**},p^{**})) , {\mathsf {pp}} _{i_0^{**}})\). Meanwhile, by our definition Equation (4) and by \(\lnot \text{(B-1)}\), for each pair \((p^*,j^*)\), the number of pairs \((p^{**},j^{**})\) satisfying \(\mathsf {left} _{n - \kappa }(\mathsf {Nd} (i_0^*,p^*)) = \mathsf {left} _{n - \kappa }(\mathsf {Nd} (i_0^{**},p^{**}))\) cannot exceed C. By these, the probability \({\Pr }[ \text{(B-3)} \mid \lnot \text{(B-1)} ]\) is bounded by \(\begin{align*} & \sum _{(i_0^*,p^*,j^*,L^*,x^*,y^*) \in \mathcal {Q} _{\mathbf {E}}^{\mathrm{x}}} \Bigg (\sum _{ \begin{matrix} &(i_0^{**},p^{**},j^{**},L^{**},x^{**},y^{**}) \ne (i_0^*,p^*,j^*,L^*,x^*,y^*) : \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \\ & \mathsf {lf} _{p^*,j^*} \big (\mathsf {left} _{n - \kappa }(\mathsf {Nd} (i_0^*,p^*)) , {\mathsf {pp}} _{ i_0^* } \big) = \mathsf {lf} _{p^{**},j^{**}} \big (\mathsf {left} _{n - \kappa }(\mathsf {Nd} (i_0^{**},p^{**})) , {\mathsf {pp}} _{ i_0^{**} } \big) \end{matrix} } \frac{2}{2^{\kappa }} \Bigg) \\ \le ~& \frac{ 2 C \cdot |\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} | }{ 2^{\kappa } }. \end{align*}\)

In all, a union bound yields (22) \(\begin{align} {\Pr }\big [ T_{\mathrm{id}}\in \Theta _{\mathrm{bad}} \big ]\le \varepsilon _{\mu } + \frac{2C \cdot ({T} + D) }{ 2^{\kappa } } . \end{align}\)

Ratio of Probabilities of Good Transcripts. Fix a good transcript \(\mathcal {Q}\). The idea resembles Section 4.2, concentrating on analyzing \(\Pr [ (\mathbf {E}, \mathbf {K}) \vdash \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} \mid \mathbf {E} \vdash \mathcal {Q} _\mathbf {E} ] = \Pr [ \mathbf {E} \vdash \mathcal {Q} _{\mathbf {E}}^{\mathrm{x}} \mid \mathbf {E} \vdash \mathcal {Q} _\mathbf {E} ]\). Let \(\begin{equation*} \mathcal {Q} _{\mathbf {E}}^{\mathrm{x}} =\big ((i_0^{(1)},p^{(1)},j^{(1)},L^{(1)},x^{(1)},y^{(1)}),\ldots ,(i_0^{(D)},p^{(D)},j^{(D)},L^{(D)},x^{(D)},y^{(D)})\big) \end{equation*}\) in arbitrary order, then the latter probability can be expressed as \(\begin{equation*} \prod _{\ell =1}^{ D } {\Pr }\big [ \mathbf {E} (L^{(\ell)},x^{(\ell)})=y^{(\ell)} \mid \mathbf {E} \vdash \mathcal {Q} _\mathbf {E} \wedge \forall \ell ^{\prime } \lt \ell : \mathbf {E} (L^{(\ell ^{\prime })},x^{(\ell ^{\prime })})=y^{(\ell ^{\prime })}\big ]. \end{equation*}\) Fix some \(\ell\). Since the transcript is good, there is no query of the form \((L^{(\ell)},x^{(\ell)}, \star)\) in \(\mathcal {Q} _\mathbf {E}\) (since (B-2) does not occur), nor is \(\mathbf {E} (L^{(\ell)},x^{(\ell)})\) determined by the fact that \(\mathbf {E} (L^{(\ell ^{\prime })},x^{(\ell ^{\prime })})=y^{(\ell ^{\prime })}\) for all \(\ell ^{\prime }\lt \ell\) (since (B-3) does not occur). Similarly by symmetry, there is no query of the form \((L^{(\ell)}, \star , y^{(\ell)})\) in \(\mathcal {Q} _\mathbf {E}\) (since (B-2) does not occur), nor is \(\mathbf {E} ^{-1}(L^{(\ell)},y^{(\ell)})\) determined by the fact that \(\mathbf {E} (L^{(\ell ^{\prime })},y^{(\ell ^{\prime })})=x^{(\ell ^{\prime })}\) for all \(\ell ^{\prime }\lt \ell\) (since (B-3) does not occur). Thus, we have \(\begin{equation*} {\Pr }\big [ \mathbf {E} (L^{(\ell)},x^{(\ell)})=y^{(\ell)} \mid \mathbf {E} \vdash \mathcal {Q} _\mathbf {E} \wedge \forall \ell ^{\prime } \lt \ell : \mathbf {E} (L^{(\ell ^{\prime })},x^{(\ell ^{\prime })})=y^{(\ell ^{\prime })}\big ] \ge 1/2^{wn} \end{equation*}\) , for all \(\ell\). Finally, it also holds \(|\mathcal {Q} _{\mathbf {E}}^{\mathrm{x}} |= | \lbrace (i_0,p,z,b) \in \mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}}: p \ne \bot \rbrace | / w,\) which resembles Section 4.2. By the preceding, \(\begin{align*} \text{Equation } (20) \ge ~& \Big (\frac{1}{2^{wn}}\Big)^{ D} \times \frac{1}{ \prod _{L\in \lbrace 0,1\rbrace ^\nu }(2^{wn})_{ T_L } } \times \frac{1}{ 2^{u n} } \times {\Pr }\big [ {\mathbf {P}} \leftarrow \mathsf {KGen} \big ] \\ =~& \Big (\frac{1}{2^{n}}\Big)^{|\mathcal {Q} _\mathsf {Nd} ^{\mathsf {X}} |} \times \frac{1}{ \prod _{L\in \lbrace 0,1\rbrace ^\nu }(2^{wn})_{ T_L } } \times {\Pr }\big [ {\mathbf {P}} \leftarrow \mathsf {KGen} \big ], \end{align*}\) meaning that the probability that the real world is consistent with the transcript is at least Equation (19). This completes the proof.

4.3.2 Indistinguishability of \((\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {E})\) and \((\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {E})\).

For this step, we view \((\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {E})\) as the real world and \((\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {E})\) as the ideal world. The core step is to establish pseudorandomness of the constrained keys, which combines the ideas of Sections 4.2.3 and 4.3.1. In all, the bound remains. (23) \(\begin{align} \left| {\Pr }\big [ \mathfrak {D} ^{\mathsf {\$Cons}^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {E}} = 1\big ] - {\Pr }\big [ \mathfrak {D} ^{\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {E}} = 1\big ] \right| \le \varepsilon _{\mu } + \frac{2C \cdot ({T} + D) }{ 2^{\kappa } } . \end{align}\) Gathering Equations (18) and (23) yields Equation (17) and completes the proof.

6.5.1 Unlinkability.

Consider any adversary \(\mathfrak {A}_1\) against the \(\mathsf {muHULk}\) security of \(\mathsf {Bip32} ^{\mathbf {KH}}\). By construction, the security game \(\mathsf {G} _1 = \mathsf {Game} _{ \mathsf {Wal} ^\mathbf {KH}, \mathfrak {A}_1, 0 }^{ \mathsf {muHULk}} (\mathbf {G})\) first invokes \(\mathsf {Setup} (\mathcal {G} _{i_0},S_{i_0})\) for \(i_0=1,\ldots ,u\), which derives the u master keys or root nodes \(\mathsf {Nd} (1,\bot) = \mathsf {wsk} _{\bot }^{(1)} = \mathbf {KH} (S_1 ,\) \(\text{``Bitcoin seed''}), \ldots , \mathsf {Nd} (u,\bot) = \mathsf {wsk} _{\bot }^{(u)} = \mathbf {KH} (S_u, \text{``Bitcoin seed''})\) for the u instances. Similarly for the game \(\mathsf {G} _1^* = \mathsf {Game} _{ \mathsf {Wal} ^\mathbf {KH}, \mathfrak {A}_1, 1 }^{ \mathsf {muHULk}} (\mathbf {G})\). We first replace these nodes by uniform and independent strings. After this, we construct an adversary \(\mathfrak {A}_2\) that simulates the \(\mathsf {muHULk}\) security game using the CPRF oracles in front of \(\mathfrak {A}_1\). The advantage of \(\mathfrak {A}_1\) is then bounded by Theorem 4.1. We describe the two steps in the subsequent two paragraphs in turn.

The Initial Derivation. We start by replacing the u 512-bit root nodes \(\mathsf {Nd} (1,\bot),\ldots ,\mathsf {Nd} (u,\bot)\) by u 512-bit independent and uniform strings, and obtain an intermediate game \(\mathsf {G} _2\). The gap between \(\mathsf {G} _1\) and \(\mathsf {G} _2\) is at most \(u ({T} + D) / 2^s + u ^2/2^{s+1}\)—that is, the \(\mathrm{mu}\) PRF security of \(\mathbf {KH} (S , \text{``Bitcoin seed''})\) (viewing S as the secret key):

Similarly, we obtain an intermediate game \(\mathsf {G} _2^*\) from \(\mathsf {G} _1^* = \mathsf {Game} _{ \mathsf {Wal} ^\mathbf {KH}, \mathfrak {A}_1, 1 }^{ \mathsf {muHULk}} (\mathbf {G})\) via replacing the u 512-bit root nodes by random, with a gap at most \(u ({T} + D) / 2^s + u ^2/2^{s+1}\).

\(\mathsf {G} _2\) Versus \(\mathsf {G} _2^*\) Using Theorem 4.1. For the remaining argument, \(\mathfrak {A}_2\) runs \(\mathfrak {A}_1\) and simulates the oracles as follows, and outputs \(\mathfrak {A}_1\)’s decision bit at the end:

• Upon \(\mathfrak {A}_1\) querying \({\mathsf {Crupt}} (i_0,v_{i_1/.../i_{d^{\prime }}}^{(i_0)})\), \(\mathfrak {A}_2\) queries \(\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}} (i_0 , i_1/.../i_{d^{\prime }})\) to have the constrained key \(\mathsf {Nd} (i_0 , i_1/.../i_{d^{\prime }})\) and the leakages \(\mathsf {left} _{256}(\mathsf {Nd} (i_0,\bot)),\ldots ,\) \(\mathsf {left} _{256}(\mathsf {Nd} (i_0,i_1/.../i_{d^{\prime }}))\). \(\mathfrak {A}_2\) returns \(\bot\) to \(\mathfrak {A}_1\), if any of the \(d^{\prime } + 1\) 256-bit integers \(\mathsf {int} (\mathsf {left} _{256}(\mathsf {Nd} (i_0,\bot))) ,\ldots , \mathsf {int} (\mathsf {left} _{256}(\mathsf {Nd} (i_0,i_1/.../i_{d^{\prime }})))\) is not in \(\mathbb {Z} _{|\mathbb {G} |}^+\) (recall from Section 6.3 that this is consistent with the actual \(\mathsf {Bip32}\) specification). Otherwise, \(\mathfrak {A}_2\) sets \(sk_{i_1/.../i_{d^{\prime }}}^{(i_0)}\) \(\leftarrow\) \(\mathsf {int} (\mathsf {left} _{256} (\mathsf {Nd} (i_0 , i_1/.../i_{d^{\prime }})))\), \(ch_{i_1/.../i_{d^{\prime }}}^{(i_0)} \leftarrow \mathsf {right} _{256} (\mathsf {Nd} (i_0 , i_1/.../i_{d^{\prime }}))\), and passes \(\mathsf {wsk} _{i_1/.../i_{d^{\prime }}}^{(i_0)} = (sk_{i_1/.../i_{d^{\prime }}}^{(i_0)} , ch_{i_1/.../i_{d^{\prime }}}^{(i_0)})\) to \(\mathfrak {A}_1\).

• Upon \(\mathfrak {A}_1\) querying \({\mathsf {muWSign}} (i_0, m, v_{i_1/.../i_{d^{\prime }}}^{(i_0)})\), \(\mathfrak {A}_2\) queries \(\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}} (i_0 , i_1/.../i_{d^{\prime }})\) for the constrained key \(\mathsf {Nd} (i_0 , i_1/.../i_{d^{\prime }})\) and the leakages \(\mathsf {left} _{256}(\mathsf {Nd} (i_0,\bot)),\ldots ,\) \(\mathsf {left} _{256}(\mathsf {Nd} (i_0,i_1/.../i_{d^{\prime }}))\). If any of these \(d^{\prime } + 1\) integers \(\mathsf {int} (\mathsf {left} _{256}(\mathsf {Nd} (i_0,\bot))) ,\ldots ,\) \(\mathsf {int} (\mathsf {left} _{256}(\mathsf {Nd} (i_0,i_1/.../i_{d^{\prime }})))\) is not in \(\mathbb {Z} _{|\mathbb {G} |}^+\) and then \(\mathfrak {A}_2\) returns \(\bot\) to \(\mathfrak {A}_1\). Otherwise, \(\mathfrak {A}_2\) computes the \(\text{chain code}\) \(ch_{i_1/.../i_{d^{\prime }}}^{(i_0)} \leftarrow \mathsf {right} _{256} (\mathsf {Nd} (i_0 , i_1/.../i_{d^{\prime }}))\) and the secret signing key \(sk_{i_1/.../i_{d^{\prime }}}^{(i_0)} \leftarrow \mathsf {int} (\mathsf {left} _{256} (\mathsf {Nd} (i_0 , i_1/.../i_{d^{\prime }})))\) and returns \({\mathsf {WSign}} ((sk_{i_1/.../i_{d^{\prime }}}^{(i_0)},ch_{i_1/.../i_{d^{\prime }}}^{(i_0)}), m)\) to \(\mathfrak {A}_1\).

• Upon \(\mathfrak {A}_1\) querying \({\mathsf {PKReq}} (i_0,v_{i_1/.../i_{d^{\prime }}}^{(i_0)})\), \(\mathfrak {A}_2\) pinpoints the longest path in \(\mathcal {G} _{i_0}\) that contains the node \(v_j^{(i_0)}\). Formally, \(\mathfrak {A}_2\) pinpoints \(v_0^{(i_0)} \xrightarrow { i_1 } v_{i_1}^{(i_0)} \xrightarrow { i_2 } ... \xrightarrow { i_{d^{\prime }} } v_{i_1/.../i_{d^{\prime }}}^{(i_0)} \xrightarrow { i_{d^{\prime } + 1} } ... \xrightarrow { i_{d} } v_{i_1/.../i_{d}}^{(i_0)}\) such that the outdegree of \(v_{i_1/.../i_{d}}^{(i_0)}\) is zero. \(\mathfrak {A}_1\) then queries \(\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}} (i_0 , i_1/.../i_{d})\)⁶ to have \(\mathsf {left} _{256}(\mathsf {Nd} (i_0,i_1/.../i_d))\) and the leakages \(\mathsf {left} _{256}(\mathsf {Nd} (i_0,\bot)),\ldots ,\) \(\mathsf {left} _{256}(\mathsf {Nd} (i_0,i_1/.../i_{d^{\prime }})),\ldots\) Again, if any of the \(d^{\prime } + 1\) integers \(\mathsf {int} (\mathsf {left} _{256}(\mathsf {Nd} (i_0,\bot))) ,\ldots , \mathsf {int} (\mathsf {left} _{256}(\mathsf {Nd} (i_0,i_1/.../i_{d^{\prime }})))\) is not in \(\mathbb {Z} _{|\mathbb {G} |}^+\), then \(\mathfrak {A}_2\) returns \(\bot\) to \(\mathfrak {A}_1\). Otherwise, \(\mathfrak {A}_2\) computes \(sk_{i_1/.../i_{d^{\prime }}}^{(i_0)} \leftarrow \mathsf {int} (\mathsf {left} _{256}(\mathsf {Nd} (i_0,i_1/.../i_{d^{\prime }})))\) and \(pk_{i_1/.../i_{d^{\prime }}}^{(i_0)} \leftarrow sk_{i_1/.../i_{d^{\prime }}}^{(i_0)} \cdot G\) and returns \(pk_{i_1/.../i_{d^{\prime }}}^{(i_0)}\) to \(\mathfrak {A}_1\).

• Upon \(\mathfrak {A}_1\) querying \(\mathbf {KH}\), \(\mathfrak {A}_2\) simply relays the query and response.

When \(\mathfrak {A}_2\) is interacting with the real world \((\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}},\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}},\mathbf {KH})\), \(\mathfrak {A}_1\) is playing with the game \(\mathsf {G} _2\): the actions are exactly the same, despite the gap between the \(\mathsf {GGGM}\) instance and the \(\mathsf {Bip32}\) key tree.

However, when \(\mathfrak {A}_2\) is interacting with the ideal \((\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {KH})\), a public key \(pk_{i_1/.../i_{d^{\prime }}}^{(i_0)}\) returned by \(\mathfrak {A}_2\) due to \(\mathfrak {A}_1\) querying \({\mathsf {PKReq}} (i_0,v_{i_1/.../i_{d^{\prime }}}^{(i_0)})\) query is computed via \(pk_{i_1/.../i_{d^{\prime }}}^{(i_0)} \leftarrow \mathsf {int} (r_{i_1/.../i_{d^{\prime }}}^{(i_0)}) \cdot G\), where \(r_{i_1/.../i_{d^{\prime }}}^{(i_0)} \xleftarrow {\$}\lbrace 0,1\rbrace ^{256}\) is a block of simulated leakage (it corresponds to \(\mathsf {left} _{256}(\mathsf {Nd} (i_0,i_1/.../i_{d^{\prime }}))\) in the real world). This resembles the game \(\mathsf {G} _2^*\), except that \(\mathfrak {A}_2\) may respond \(\mathfrak {A}_1\) with \(\bot\). Denote this event by “\(\mathfrak {A}_2 ^{\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {KH}} \text{ returns } \bot\)”. Then, as long as this event does not occur, the computed key \(pk_{i_1/.../i_{d^{\prime }}}^{(i_0)}\) is uniformly distributed in \(\mathbb {G}\). Moreover, the key computed due to any other query \({\mathsf {PKReq}} (i_0^{\prime },v_{i_1^{\prime }/.../i_{d^{\prime \prime }}^{\prime }}^{(i_0^{\prime })})\) has \(pk_{i_1^{\prime }/.../i_{d^{\prime \prime }}^{\prime }}^{(i_0^{\prime })} \leftarrow \mathsf {int} (r_{i_1^{\prime }/.../i_{d^{\prime \prime }}^{\prime }}^{(i_0^{\prime })}) \cdot G\) and \(r_{i_1^{\prime }/.../i_{d^{\prime \prime }}^{\prime }}^{(i_0^{\prime })}\) is independent from \(r_{i_1/.../i_{d^{\prime }}}^{(i_0)}\). Therefore, as long as the event “\(\mathfrak {A}_2 ^{\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {KH}} \text{ returns } \bot\)” does not occur, \(\mathfrak {A}_2\) perfectly emulates the game \(\mathsf {G} _2^*\) in front of \(\mathfrak {A}_1\)—that is, \(\begin{align*} \Big | {\Pr }\big [\mathsf {G} _2^* = 1\big ] - {\Pr }\big [ \mathfrak {A}_2 ^{\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {KH}} = 1\big ] \Big | \le {\Pr }\big [ \mathfrak {A}_2 ^{\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {KH}} \text{ returns } \bot \big ] \le D \times \Big (1 - \frac{ |\mathbb {G} | - 1 }{ 2^{256} } \Big) , \end{align*}\) and thus \(\begin{align*} \Big | {\Pr }\big [\mathsf {G} _2^* = 1\big ] - {\Pr }\big [\mathsf {G} _2 = 1\big ] \Big | \le ~& \Big | {\Pr }\big [ \mathfrak {A}_2 ^{\mathsf {muCo}_\mathbf {K} ^{\mathsf {L}},\mathsf {muEv}_\mathbf {K} ^{\mathsf {L}},\mathbf {KH}} = 1\big ] - {\Pr }\big [ \mathfrak {A}_2 ^{\mathsf {muCo}_\mathbf {K} ^{\mathsf {S}},\mathsf {R} ^{\mathsf {S}},\mathbf {KH}} = 1\big ] \Big | + D \times \Big (1 - \frac{ |\mathbb {G} | - 1 }{ 2^{256} } \Big) . \end{align*}\)

Concrete Bounds. It remains to calculate the concrete bounds. Regardless of the adversarial strategy, it can be seen the effective data complexity cannot exceed \(V(\mathbf {G}) \le D\). For the quantity C, using the uniformness of the private/public keys (in the ideal world) and a multi-collision argument (we defer the details to the next paragraph), when \(C = 256 = 2^8\) and \(D \le |\mathbb {G} |/2\) (so that \(2D/ |\mathbb {G} | \le 1\)), it can be shown that \({\Pr } [ \mu (\mathcal {I}) \ge C ] \le D/2|\mathbb {G} |\). Then, using Theorem 4.1, we obtain (29) \(\begin{align} \Big | {\Pr }\big [\mathsf {G} _2^* = 1\big ] - {\Pr }\big [\mathsf {G} _2 = 1\big ] \Big | \le \frac{D}{|\mathbb {G} |} + \frac{2^9 \cdot ({T} + D) }{2^{256}} + D \times \Big (1 - \frac{ |\mathbb {G} | - 1 }{ 2^{256} } \Big) . \end{align}\) Gathering this with the gaps between \(\mathsf {G} _1\), \(\mathsf {G} _2\), \(\mathsf {G} _1^*,\) and \(\mathsf {G} _2^*\) (which is \(2 \times (u ({T} + D) / 2^s + u ^2/2^{s+1})\)) yields Equation (27).

Proof of \({\Pr } [ \mu (\mathcal {I}) \ge C ] \le D/2|\mathbb {G} |\). For the quantity \(\mu (\mathcal {L})\), we will rely on the uniformness of the private/public keys. In detail, consider any \((i_0,p,j)\ne (i_0^{\prime },p^{\prime },j^{\prime })\). Then,

• Case 1: \(0 \le j \lt 2^{31}\), whereas \(2^{31} \le j^{\prime } \lt 2^{32}\). Then it is impossible to have \(\mathsf {lf} _{p,j} (\mathsf {left} _{256}(\mathsf {Nd} (i_0,p)) , {\mathsf {pp}} _{i_0}) = \mathsf {lf} _{p^{\prime },j^{\prime }} (\mathsf {left} _{256}(\mathsf {Nd} (i_0^{\prime },p^{\prime })) , {\mathsf {pp}} _{i_0^{\prime }})\), since the former has leftmost byte \([0]_8\) while the latter has \([2]_8\) or \([3]_8\).

• Case 2: \(2^{31} \le j \lt 2^{32}\), \(0 \le j^{\prime } \lt 2^{31}\). Then \(\mathsf {lf} _{p,j} (\mathsf {left} _{256}(\mathsf {Nd} (i_0,p)) , {\mathsf {pp}} _{i_0}) \ne \mathsf {lf} _{p^{\prime },j^{\prime }} (\mathsf {left} _{256}(\mathsf {Nd} (i_0^{\prime },p^{\prime })) , {\mathsf {pp}} _{i_0^{\prime }})\) which resembles Case 1.

• Case 3: \(0 \le j,j^{\prime } \lt 2^{31}\). Then \(\mathsf {lf} _{p,j} (\mathsf {left} _{256}(\mathsf {Nd} (i_0,p)) , {\mathsf {pp}} _{i_0}) \ne \mathsf {lf} _{p^{\prime },j^{\prime }} (\mathsf {left} _{256}(\mathsf {Nd} (i_0^{\prime },p^{\prime })) , {\mathsf {pp}} _{i_0^{\prime }})\) holds with probability at most \({\Pr }[ sk,sk^{\prime }\xleftarrow {\$}\mathbb {Z} _{|\mathbb {G} |}: sk = sk^{\prime } ] = 1/|\mathbb {G} |\).

• Case 4: \(2^{31} \le j,j^{\prime } \lt 2^{32}\). Then \(\mathsf {lf} _{p,j} (\mathsf {left} _{256}(\mathsf {Nd} (i_0,p)) , {\mathsf {pp}} _{i_0}) \ne \mathsf {lf} _{p^{\prime },j^{\prime }} (\mathsf {left} _{256}(\mathsf {Nd} (i_0^{\prime },p^{\prime })) , {\mathsf {pp}} _{i_0^{\prime }})\) holds with probability at most \({\Pr }[ pk,pk^{\prime } \xleftarrow {\$}\mathbb {G}: \mathsf {ser} _P(pk) = \mathsf {ser} _P(pk^{\prime }) ]\). The map \(\mathsf {ser} _P : \mathbb {G} \mapsto \lbrace 0,1\rbrace ^{264}\) is bijective, and thus the probability is \(1/|\mathbb {G} |\).

By the preceding, in any case, the probability to have \(\mathsf {lf} _{p,j} (\mathsf {left} _{256}(\mathsf {Nd} (i_0,p)) , {\mathsf {pp}} _{i_0}) = \mathsf {lf} _{p^{\prime },j^{\prime }} (\mathsf {left} _{256}(\mathsf {Nd} (i_0^{\prime },p^{\prime })) , {\mathsf {pp}} _{i_0^{\prime }})\) does not exceed \(1/|\mathbb {G} |\). Thus, for any integer \(C \ge 2\), \(\begin{align*} {\Pr } \big [ \mu (\mathcal {L}) \ge C \big ] =~& {\Pr } \Big [ \exists (i_0^{(1)},p^{(1)},j^{(1)}),\ldots ,(i_0^{(C)},p^{(C)},j^{(C)}): \mathsf {lf} _{p^{(1)},j^{(1)}} \big (\mathsf {left} _{256}(\mathsf {Nd} (i_0^{(1)},p^{(1)})) , {\mathsf {pp}} _{i_0^{(1)}} \big) \\ & \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ =\cdots = \mathsf {lf} _{p^{(C)},j^{(C)}} \big (\mathsf {left} _{256}(\mathsf {Nd} (i_0^{(C)},p^{(C)})) , {\mathsf {pp}} _{i_0^{(C)}} \big) \Big ] \\ \le ~& { D \choose C } \cdot \Big (\frac{1}{|\mathbb {G} |} \Big)^{C-1} . \end{align*}\) For \(C = 256\), using \(|\mathbb {G} | \lt 2^{256}\) in our context and as long as \(D \le |\mathbb {G} |/2\) (so that \(2D/ |\mathbb {G} | \le 1\)), it further holds \(\begin{align*} {\Pr } \big [ \mu (\mathcal {L}) \ge C \big ] \le \frac{ |\mathbb {G} | }{C!}\Big (\frac{D}{|\mathbb {G} |} \Big)^{C} \le \frac{ 1 }{C!}\Big (\frac{2D}{|\mathbb {G} |} \Big)^{256} \le \frac{1}{256!} \frac{2D}{|\mathbb {G} |} \le \frac{D}{2|\mathbb {G} |} . \end{align*}\)

6.5.2 Unforgeability.

Let \(\mathsf {G} _1 = \mathsf {Game} _{ \mathsf {Wal} ^{\mathbf {KH}}, \mathfrak {A}_1}^{ \mathsf {muHEUF}} (\mathbf {G})\) be the real hierarchical unforgeability game. We modify \(\mathsf {G} _1\) by replacing the oracles \(\mathsf {PKReq}\) and \(\mathsf {muWSign}\) with the oracles \(\mathsf {PKReq}\) and \(\mathsf {muWSign}\) with \(b=0\) in Figure 8. Denote by \(\mathsf {G} _2\) the obtained modified game. It is easy to see that the gap between \(\mathsf {G} _1\) and \(\mathsf {G} _2\) is the already established unlinkability bound—that is, \(\begin{align*} \Big | {\Pr }\big [\mathsf {G} _2 = 1\big ] - {\Pr }\big [\mathsf {G} _1 = 1\big ] \Big | \le ~& \frac{ 2 u ({T} + D) }{ 2^s } + \frac{ u ^2 }{ 2^s } + \frac{D}{|\mathbb {G} |} + \frac{2^9 \cdot ({T} + D) }{2^{256}} + D \times \Big (1 - \frac{ |\mathbb {G} | - 1 }{ 2^{256} } \Big) . \end{align*}\) Signing keys generated in the game \(\mathsf {G} _2\) are independent and uniformly distributed. Thus, the forgery probability \({\Pr }[\mathsf {G} _2 = 1]\) is bounded by the mu existential unforgeability security of the signature in use (see Definition 2.2). Informally, consider an adversary \(\mathfrak {A}_2\) having access to \(q_S\) signing oracles of the signature instantiated with \(q_S\) independent secret keys, and it makes \(q_S\) signing queries and runs in time \(O(t_{\mathfrak {A}_1})\) and succeeds as long as it forges for any of the \(q_S\) keys. If the signature is \((q_S, q_S, O(t + D), \varepsilon _\mathsf {muUFCMA})\)-\(\mathrm{mu}\) unforgeable, then the success probability of \(\mathfrak {A}_2\) is bounded by \(\varepsilon _\mathsf {muUFCMA}\). These establish the bound in Equation (28).