
1 Introduction

The gold standard in provable security is to demonstrate security in the standard model. However, proofs in the standard model sometimes rely on non-standard hardness assumptions. In such situations, it is essential to prove that the hardness assumptions used in the security proofs meet some minimal requirements, for instance the absence of algebraic attacks. The accepted method for validating new DDH-like assumptions is to show absence of generic attacks, i.e. attacks that solely exploit the underlying algebraic structure, using the Generic Group Model [32, 33, 35, 38] or its bilinear and multilinear variants [11, 17]. The Generic Group Model provides an algebraic setting for describing a wide class of DDH-like assumptions, and is supported by so-called Master Theorems that give a purely algebraic condition that ensures the security of an assumption in the Generic Group Model (or its variants). Very roughly, the proof of the Master Theorems uses the Schwartz-Zippel Lemma to prove a security reduction between the Generic Group Model and a Symbolic Generic Group Model, in which the security experiment is purely deterministic. Security in the Symbolic Generic Group Model is trivially equivalent to a purely algebraic condition. For instance, the algebraic condition for a decisional assumption requires proving that the two sets of polynomials extracted from the left and right games have the same linear dependencies. Therefore, and unavoidably, the difficulty of checking the algebraic condition increases as the assumption becomes more complex, as witnessed by unfortunate failures [24, 28, 39]. For some recent hypotheses, several pages of error-prone calculations are required for proving that the algebraic condition holds, and several authors have used computer algebra systems to carry out part of the verifications. These examples suggest the importance of building general tools to assist proofs of security assumptions in the Generic Group Model.
One such tool is the Generic Group Analyzer [11], which uses SMT solvers and computer algebra systems to analyze DDH-like assumptions. The tool takes as input a description of an assumption and either returns an algebraic attack or a concrete probability bound if the assumption is secure. The Generic Group Analyzer primarily works for non-interactive assumptions, in which the adversary can only call the oracles which perform the algebraic operations.

The Generic Group Model can also be used for proving the security of cryptographic constructions, such as signature schemes and algebraic MACs, against algebraic attacks. In this context, the adversary has access to oracles for performing signatures, verification, etc. The Generic Group Analyzer also provides support for such problems, but is inherently limited to oracles which do not take handles to group elements as inputs. This support can be used for analyzing simple interactive assumptions. Subsequent extensions of the Generic Group Analyzer overcome this limitation by providing support for oracles that take handles as inputs, and by allowing adversaries to make a bounded number of oracle queries [12]. Using this extension, Barthe et al. [12] synthesize (in the Type II-setting) structure-preserving signatures that are secure against adversaries that can make a bounded number of signing queries. Their approach is based on an algebraic characterization of security, using a vector space whose dimension increases by one for each query. Therefore, their approach is limited to a small number of queries, and an alternative approach must be used for proving security notions which do not impose a bound on the number of queries.

The first main contribution of this paper is to extend the Master Theorem to a general setting where adversaries can make arbitrarily many queries to oracles with group inputs, and where the winning conditions can be described using a rich language. As for simpler Master Theorems, our Master Theorem yields a sufficient condition for the security of cryptographic constructions. However, this simpler condition cannot be expressed in finite-dimensional linear algebra: informally, each adversarial query to an oracle taking group elements as inputs increases the dimension of the system to be analyzed, and therefore allowing arbitrarily many queries leads to a system that is not finite-dimensional. As a consequence, the algebraic approach of the Generic Group Analyzer cannot be used to analyze automatically sufficient conditions given by the Master Theorem.

The second main contribution of this paper is an automated method for proving the validity of these conditions, using a combination of methods from constraint solving, computer algebra, and symbolic cryptography. Building on these two contributions, we implement an analyzer which subsumes the Generic Group Analyzer for interactive assumptions and is able to analyze many cryptographic constructions, including signatures and message authentication codes.

Technical Overview. In more detail, our contributions are as follows.

First, we define a language to express security experiments in the Generic Group Model where the adversary can make an unbounded number of queries to oracles; moreover, our model allows oracles to take group values as inputs. In addition, we define a rich language of winning conditions. We then establish a Master Theorem, which states that a generic algorithm is secure with respect to a security goal expressed using our language of winning conditions, if the constraint system extracted from the security experiment, given by the algorithm and the winning condition, has no computable solution. Informally, the notion of computable solution provides an algebraic counterpart to the notion of deducibility used in the symbolic (a.k.a. Dolev-Yao) approach to cryptography; more technically, this notion is based on an inductive definition of the adversary’s knowledge throughout execution of the algorithm. From a broader perspective, our Master Theorem sheds new light on the relationship between different cryptographic models, by showing a general relationship between the Generic Group Model and the symbolic model. Note that, for the sake of simplicity, we focus on group settings with bilinear pairings; however, we believe that our model and Master Theorem can naturally extend to the case of multilinear maps.

Second, we define an automated method for proving the absence of computable solutions of constraint systems. Our language of constraints supports algebraic expressions that are generally not considered by prior work on the symbolic model. Therefore, we cannot use previous constraint-solving methods developed for reasoning about cryptographic protocols in the symbolic model. Rather, we define a specialized method which combines general purpose algebraic computations and specialized steps. The algebraic computations are performed using Gröbner bases, whereas the specialized steps include simplifications related to big operators and case distinctions. The latter can be used to add new equations to constraint systems and thus to trigger new simplifications. Case distinctions are an essential ingredient for the success of our method: they yield compact proofs that follow the structure of pen-and-paper arguments found in the literature. Of course, the use of case distinctions is not new in automated deduction; it is at the core of Stålmarck’s method, an empirically successful method for propositional logic. However, its use in our setting appears to be new.

Third, we implement our method and evaluate its effectiveness on a sizable set of case studies. Our tool uses off-the-shelf computer algebra systems to perform Gröbner basis computations. However, it draws its efficiency from finely tuned heuristics for carrying out case distinctions. We evaluate our tool on structure-preserving signatures, in all settings (Type I, Type II and Type III). Our tool is able to prove unbounded security of many structure-preserving signatures from the literature, as well as of the algebraic MACs from Chase, Meiklejohn and Zaverucha [18], and of the short randomizable signatures from Pointcheval and Sanders [34]. Furthermore, it proves unbounded security for most of the examples proved 2-time secure in [12] (these examples were generated automatically using synthesis techniques). Moreover, we also adapt the synthesis tool from [12] to generate structure-preserving signatures in the Type III setting and use our tool to prove security for more than 100 such schemes.

Related Work. The Generic Group Model was introduced by Nechaev [33], Shoup [38] and Maurer [32], following distinct but equivalent approaches [29]. The original approach by Nechaev and Shoup lets the adversary access a randomly selected representation of group elements; in contrast, Maurer’s approach requires the adversary to perform all algebraic operations via oracles, and uses handles as symbolic representations of group elements known to the adversary. We opt for the second approach, for its distinctively symbolic flavour. These works establish lower complexity bounds for the generic discrete logarithm problem and the generic hardness of Diffie-Hellman-like assumptions. Like us, they use the Schwartz-Zippel Lemma for transforming their original problem into an algebraic one. This approach was extended by Boneh, Boyen and Goh [17]. First, their Generic Group Model focuses on bilinear groups. Second, they consider a general class of assumptions, and provide the first Master Theorem, which provides a systematic method for extracting algebraic conditions of security from assumptions. Their Master Theorem was subsequently extended in many directions. The most relevant works are those that involve the use of computer tools for verifying algebraic conditions. Notably, Freeman [23] verifies the hardness of two assumptions using Magma.

Shoup [38] and Schnorr and Jakobsson [36, 37] were among the first to use the Generic Group Model for proving the security of cryptographic constructions. Specifically, Shoup proves (generic) security of an identification scheme, whereas Schnorr and Jakobsson consider signed ElGamal encryption and blind discrete log signatures. More recently, the Generic Group Model has also become an important tool for analyzing the security of pairing-based cryptographic constructions. Chase, Meiklejohn and Zaverucha [18] propose a class of algebraic MACs and prove their generic security. Several authors use the Generic Group Model for proving the generic security of structure-preserving signatures [1]. Groth [26] proposes new fully-structure-preserving signatures [6] and proves their generic security. Similarly, Fuchsbauer, Hanser and Slamanig [25] define a structure-preserving signature on equivalence classes and prove its generic security. Furthermore, the Generic Group Model gives a convenient setting for establishing lower bounds on the complexity of structure-preserving signatures [2, 4, 5, 12]. In a similar spirit, the Generic Group Model has been used for proving the correctness of translations of signature schemes from Type I to Type III [3, 5, 7].

It is also worth pointing to a recent examination of the efficiency of pairing-based implementations. Based on a practical evaluation of the efficiency of state-of-the-art implementations of pairings, Chatterjee and Menezes [19] argue that Type III pairings are more efficient than their Type II counterparts, and should be favoured in implementations. Their observation justifies the need to transpose existing results and tools for the Type II setting to the Type III setting, and has motivated the application of our methods to the latter.

Several works have developed or used tools for reasoning about the Generic Group Model. As already mentioned, the Generic Group Analyzer [11] implements an automated method for analyzing assumptions. Moreover, a subsequent extension of the analyzer [12] supports the automated analysis of the security of structure-preserving signatures against adversaries that make a bounded number of queries. In practice, the tool only terminates for small bounds on the number of queries. While these works are the most closely related to ours, there have been previous works that apply computer tools to the Generic Group Model. Barthe, Cederquist and Tarento [9, 15] were the first to use formal verification tools for analyzing the security of hardness assumptions and cryptographic constructions in the Generic Group Model. Their work uses the Coq proof assistant, and provides no support for automation. Freeman [23] reports on using computer algebra systems to prove the validity of new hardness assumptions in the Generic Group Model. Beyond the Generic Group Model, there exist several tools for synthesizing constructions, such as encryption schemes, modes of operation, tweakable blockciphers, and structure-preserving signatures in the Type II setting [10, 12, 27, 31], for automated transformation of existing constructions, including signature schemes [3, 7, 8], and for verification of security proofs [13, 14, 16]. In particular, [14] introduces AutoG&P, a highly automated framework for proving the security of pairing-based cryptographic primitives; the focus of [14] is on encryption schemes, but their methods are also applicable to signatures and MACs. AutoG&P and \(\mathsf {gga}^{\infty }\) are complementary in two different ways. First, \(\mathsf {gga}^{\infty }\) focuses on full automation in the Generic Group Model while AutoG&P provides partial automation in the standard model. Second, and more interestingly, some of our techniques for equational reasoning could be used to achieve more automation in AutoG&P, whereas it could be possible to use techniques from AutoG&P as a fallback solution when full automation fails in \(\mathsf {gga}^{\infty }\).

2 Preliminaries

In this section, we give some background on bilinear groups and define the notation used throughout the paper.

2.1 Bilinear Groups

We consider bilinear groups \(\mathcal {G} = (\mathbb {G}_{{\mathsf{1}}}, \mathbb {G}_{{\mathsf{2}}}, \mathbb {G}_{{\mathsf{t}}},e: \mathbb {G}_{{\mathsf{1}}} \times \mathbb {G}_{{\mathsf{2}}} \rightarrow \mathbb {G}_{{\mathsf{t}}})\). For Type I, \(\mathbb {G}_{{\mathsf{1}}} = \mathbb {G}_{{\mathsf{2}}}\) and for Type II, there is an additional isomorphism \(\varPsi : \mathbb {G}_{{\mathsf{2}}}\rightarrow \mathbb {G}_{{\mathsf{1}}}\). We use additive notation for all three groups and use \(P_{{\mathsf{1}}}, P_{{\mathsf{2}}}, P_{{\mathsf{t}}}\) to denote their generators. For \(a \in \mathbb {F}_p\), we use \(\llbracket a \rrbracket _i\) to denote the implicit representation \(a P_i\) of a in \(\mathbb {G}_i\) following [21].

2.2 Notation

We define \(a S = \{a s \mid s \in S\}\) and \(S S'= \{s s' \mid s \in S \wedge s' \in S'\}\). For a set S, we write \(S^*\) to denote vectors of elements in S. We define [n] as the range \(\{1,\dots ,n\}\) for an arbitrary \(n\in \mathbb {N}\). We use v to denote a vector and \({{\varvec{v}}}_{(i)}\) to denote the i-th element. We assume given a set of uniform variables \(\mathsf {UVar}\), a set of handle variables \(\mathsf {HVar}= \mathsf {HVar}_{{\mathsf{1}}} \uplus \mathsf {HVar}_{{\mathsf{2}}} \uplus \mathsf {HVar}_{{\mathsf{t}}}\), a set of parameter variables \(\mathsf {PVar}\), and a set of index variables \(\mathsf {IVar}\). We use \( ty (h) \in \{{\mathsf{1}},{\mathsf{2}},{\mathsf{t}}\}\) to denote the type of a handle variable, i.e., \( ty (h) = i\) iff \(h \in \mathsf {HVar}_{i}\).

We use \(R[{{\varvec{X}}}^{\pm 1}]\) to denote the set of Laurent polynomials over the ring R with variables in X. We also use the shorthand \(R[{{\varvec{Y}}}, {{\varvec{X}}}^{\pm 1}]\) for \((R[{{\varvec{Y}}}])[{{\varvec{X}}}^{\pm 1}]\) to denote nested polynomial rings. We use a similar notation \( Mon [{{\varvec{X}}}^{\pm 1},{{\varvec{Y}}}]\) for Laurent monomials. We write \(\deg _V(M)\) to denote the degree of V in the Laurent monomial M. We write \( coeff _M(F)\) to denote the coefficient of the Laurent monomial M in the Laurent polynomial F.

For a term t possibly containing variables, we write \(t[x \mapsto t']\) to denote the result of substituting all occurrences of the variable x in t with \(t'\). A context C is a term with a distinguished variable \(\Box \) which denotes a hole that can be filled in by an arbitrary term. We assume the hole occurs exactly once in a context. We use \(C[t]\) to denote the term obtained by plugging t into \(C's\) hole.

3 Translating Security Experiments into Constraints

In this section, we first present a language to define security experiments in the Generic Group Model. Next, we define the language of winning constraints. Winning constraints are formulas that characterize if an adversary can win a security experiment. Finally, we present a translation procedure from security experiments to winning constraints.

3.1 Security Experiment Definition

We first present the language that we use to define security experiments. Afterwards, we define the corresponding games in the Generic Group Model and the symbolic group model (see [11]). We will exploit that the generic and symbolic games are indistinguishable and use the symbolic game to perform our analysis.

Definition 1

(Security experiment). A security experiment is defined by a tuple \( SE = (t, ainp , odef , wcond )\) where

  • the group type is defined by \(t \in \) {I,II,III},

  • the adversary input is defined by \( ainp = ({{\varvec{X}}},(\varvec{F_{{\mathsf{1}}}},\varvec{F_{{\mathsf{2}}}}, \varvec{F_{{\mathsf{t}}}}))\) for

    • global uniform variables \({{\varvec{X}}} \in \mathsf {UVar}^*\) and

    • input polynomials \(\varvec{F_i} \in \mathbb {Z}[{{\varvec{X}}}^{\pm 1}]^*\),

  • the oracle is defined by \( odef = ({{\varvec{a}}},{{\varvec{h}}},{{\varvec{R}}}, (\varvec{H_{{\mathsf{1}}}},\varvec{H_{{\mathsf{2}}}},\varvec{H_{{\mathsf{t}}}}))\) for

    • arguments \({{\varvec{a}}} \in \mathsf {PVar}^*\) and oracle handles \({{\varvec{h}}} \in \mathsf {HVar}^*\),

    • oracle uniform variables \({{\varvec{R}}} \in \mathsf {UVar}^*\), and

    • oracle polynomials \(\varvec{H_i} \in \mathbb {Z}[{{\varvec{X}}}^{\pm 1},{{\varvec{R}}}^{\pm 1},{{\varvec{a}}},{{\varvec{h}}}]^*\), and

  • the winning condition is defined by \( wcond = ({\hat{{{\varvec{a}}}}},{\hat{{{\varvec{h}}}}},{{\varvec{W}}}^=, {{\varvec{W}}}^{\ne })\) for

    • winning arguments \({\hat{{{\varvec{a}}}}} \in \mathsf {PVar}^*\) and winning handles \({\hat{{{\varvec{h}}}}} \in \mathsf {HVar}^*\), and

    • winning (in)equalities \({{\varvec{W}}}^=, {{\varvec{W}}}^{\ne } \in \) \(\mathbb {Z}[{{\varvec{X}}}^{\pm 1},{{\varvec{R}}}^{\pm 1},{{\varvec{a}}},{{\varvec{h}}},{\hat{{{\varvec{a}}}}},{\hat{{{\varvec{h}}}}}]^*\).

Intuitively, the adversary input represents the values given initially to the adversary. This usually includes the public parameters and the public keys. The oracle is defined by arguments and oracle handles that represent the oracle input; uniform variables that denote randomness sampled by the oracle; and oracle polynomials that denote the oracle response. Finally, the winning condition is defined by winning arguments that represent the forgery that the adversary must produce; and winning (in)equalities that characterize valid forgeries.

We define the corresponding generic group game \(\mathsf {G^{gen}}( SE )\) as follows:

  1.

    Sample the vector \({{\varvec{x}}} \in (\mathbb {F}_p^{\times })^{|{{\varvec{X}}}|}\), compute the adversary inputs \(\llbracket \varvec{F_i}({{\varvec{x}}}) \rrbracket _i \in \mathbb {G}_i^{|\varvec{F_i}|}\) (for \(i \in \{{\mathsf{1}},{\mathsf{2}},{\mathsf{t}}\}\)), and call the adversary \(\mathcal {A}\) with the corresponding handles.

  2.

    The adversary \(\mathcal {A}\) can perform \(q_g\) queries to perform group operations (for group type t), an unbounded number of equality queries, and q queries to an oracle that implements \( odef \). The oracle for \( odef \) takes scalars \({{\varvec{v}}} \in \mathbb {F}_p^{|{{\varvec{a}}}|}\) for \({{\varvec{a}}}\) and a vector of handles to group elements \({{\varvec{U}}}\) for \({{\varvec{h}}}\). We use \({{\varvec{u}}}\) to denote the discrete logarithms of \({{\varvec{U}}}\), i.e., for all \(j \in [|{{\varvec{h}}}|]\), \(\llbracket \varvec{u}_{(j)} \rrbracket _i = {{\varvec{U}}}_{(j)}\) where \(i = ty ({{\varvec{h}}}_{(j)})\). Then it samples \({{\varvec{r}}} \in (\mathbb {F}_p^{\times })^{|{{\varvec{R}}}|}\) and returns handles to \(\llbracket \varvec{H_i}({{\varvec{x}}},{{\varvec{v}}},{{\varvec{u}}},{{\varvec{r}}}) \rrbracket _i \in \mathbb {G}_i^{|\varvec{H_i}|}\). We use \({{\varvec{v}}}^{(j)}\), \({{\varvec{u}}}^{(j)}\), \({{\varvec{r}}}^{(j)}\) to denote the corresponding values used in the j-th query.

  3.

    The adversary \(\mathcal {A}\) returns scalars \({\hat{{{\varvec{v}}}}} \in \mathbb {F}_p^{|{\hat{{{\varvec{a}}}}}|}\) for \({\hat{{{\varvec{a}}}}}\) and handles to group elements \({\hat{{{\varvec{U}}}}}\) for \({\hat{{{\varvec{h}}}}}\). Again, we denote the discrete logarithms of \({\hat{{{\varvec{U}}}}}\) with \({\hat{{{\varvec{u}}}}}\). The adversary wins if for \({}\bowtie {} \in \{=,\ne \}\), \(w \in {{\varvec{W}}}^{\bowtie }\), and \(j \in [q]\), it holds that \(w({{\varvec{x}}},{{\varvec{r}}}^{(j)},{{\varvec{v}}}^{(j)},{{\varvec{u}}}^{(j)},{\hat{{{\varvec{v}}}}},{\hat{{{\varvec{u}}}}}) \bowtie 0\).

Note that additional care must be taken to ensure that the oracles and winning conditions are efficiently computable using scalar multiplication, addition, application of isomorphisms, and application of bilinear maps. For example, it is possible to specify an oracle that takes a handle to an element \(\llbracket v \rrbracket _{{\mathsf{t}}} \in \mathbb {G}_{{\mathsf{t}}}\) and returns \(\llbracket v \rrbracket _{{\mathsf{1}}} \in \mathbb {G}_{{\mathsf{1}}}\), which cannot be efficiently computed in most bilinear groups of interest.

The symbolic game \(\mathsf {G^{sym}}( SE )\) is defined similarly, but internally uses Laurent polynomials \(f({{\varvec{X}}})\) instead of group elements \(\llbracket f({{\varvec{x}}}) \rrbracket _i\). It is completely deterministic since it uses formal variables \({{\varvec{X}}}\) to represent the initially sampled values and indexed formal variables \({{\varvec{R}}}^{(j)}\) to represent the values sampled in the oracle.

Formally, we define \(\mathsf {G^{sym}}( SE )\) as follows:

  1.

    Store the polynomials \(\varvec{F_i}({{\varvec{X}}}) \in \mathbb {Z}[{{\varvec{X}}}^{\pm 1}]^{|\varvec{F_i}|}\) in the list for the group \(\mathbb {G}_i\) (for \(i \in \{{\mathsf{1}},{\mathsf{2}},{\mathsf{t}}\}\)) and call the adversary \(\mathcal {A}\) with the corresponding handles.

  2.

    The oracles for group operations and equality checks provide the same interface as in the generic model, but perform all computations in the ring of Laurent polynomials. The oracle for \( odef \) takes (in the j-th query) scalars \({{\varvec{v}}} \in \mathbb {F}_p^{|{{\varvec{a}}}|}\) for \({{\varvec{a}}}\) and handles to polynomials

    $$ {{\varvec{u}}} \in \mathbb {Z}[{{\varvec{X}}}^{\pm 1},({{\varvec{R}}}^{(1)})^{\pm 1},\ldots ,({{\varvec{R}}}^{(j-1)})^{\pm 1}]^{|\varvec{h_i}|} $$

    for \({{\varvec{h}}}\). It returns handles to polynomials

    $$ \varvec{H_i}({{\varvec{X}}},{{\varvec{v}}},{{\varvec{u}}},\varvec{R^{(j)}}) \in \mathbb {Z}[{{\varvec{X}}}^{\pm 1},({{\varvec{R}}}^{(1)})^{\pm 1},\ldots ,({{\varvec{R}}}^{(j)})^{\pm 1}]^{|\varvec{H_i}|}\text {.} $$

  3.

    The adversary \(\mathcal {A}\) returns scalars \({\hat{{{\varvec{v}}}}} \in \mathbb {F}_p^{|{\hat{{{\varvec{a}}}}}|}\) for \({\hat{{{\varvec{a}}}}}\) and handles to polynomials

    $$ {\hat{{{\varvec{u}}}}} \in \mathbb {Z}[{{\varvec{X}}}^{\pm 1},({{\varvec{R}}}^{(1)})^{\pm 1},\ldots ,({{\varvec{R}}}^{(q)})^{\pm 1}]^{|{\hat{{{\varvec{h}}}}_i}|} $$

    for \({\hat{{{\varvec{h}}}}}\). The adversary wins if for \({}\bowtie {} \in \{=,\ne \}\), \(w \in {{\varvec{W}}}^{\bowtie }\), and \(j \in [q]\), it holds that \(w({{\varvec{X}}},{{\varvec{R}}}^{(j)}, {{\varvec{v}}}^{(j)}, {{\varvec{u}}}^{(j)}, {\hat{{{\varvec{v}}}}}, {\hat{{{\varvec{u}}}}} ) \bowtie 0\).

Fig. 1. SPS-scheme from [19] in Type III setting.

Example 1

We can formalize the EUF-CMA security of the scheme in Fig. 1 using the security experiment \( SE = (t, ainp , odef , wcond )\) defined as follows:

  • the group type is \(t = \text {III}\)

  • the adversary input is \( ainp = ({{\varvec{X}}},(\varvec{F_{{\mathsf{1}}}},\varvec{F_{{\mathsf{2}}}}, \varvec{F_{{\mathsf{t}}}}))\) where

    • \({{\varvec{X}}} = (v,w)\) (for \(v,w \in \mathsf {UVar}\)), \(\varvec{F_{{\mathsf{1}}}} = (1,v, w)\), \(\varvec{F_{{\mathsf{2}}}} = (1)\), \(\varvec{F_{{\mathsf{t}}}} = (1)\)

  • the oracle is \( odef = ({{\varvec{a}}},{{\varvec{h}}},{{\varvec{R}}}, (\varvec{H_{{\mathsf{1}}}},\varvec{H_{{\mathsf{2}}}},\varvec{H_{{\mathsf{t}}}}))\) where

    • \({{\varvec{a}}} = ()\), \({{\varvec{h}}} = (m)\) (for \(m \in \mathsf {HVar}_{{\mathsf{2}}}\)),

    • \({{\varvec{R}}} = (r)\) (for \(r \in \mathsf {UVar}\))

    • \(\varvec{H_{{\mathsf{1}}}} = (r)\), \(\varvec{H_{{\mathsf{2}}}} = (r,\ m v + w + r^2)\), \(\varvec{H_{{\mathsf{t}}}} = ()\)

  • the winning condition is \( wcond = ({\hat{{{\varvec{a}}}}},{\hat{{{\varvec{h}}}}},{{\varvec{W}}}^=,{{\varvec{W}}}^{\ne })\) where

    • \({\hat{{{\varvec{a}}}}} = ()\), \({\hat{{{\varvec{h}}}}} = (\hat{m}, \hat{t}_1, \hat{t}_2, \hat{s})\) (for \(\hat{t}_1 \in \mathsf {HVar}_{{\mathsf{1}}}\) and \(\hat{m}, \hat{t}_2, \hat{s} \in \mathsf {HVar}_{{\mathsf{2}}}\)),

    • \({{\varvec{W}}}^{=} = (\hat{s} - \hat{m} v - w - \hat{t}_1\hat{t}_2,\, \hat{t}_{1} - \hat{t}_{2})\), \({{\varvec{W}}}^{\ne } = (\hat{m}-m^{(j)})\) \(\blacksquare \)

3.2 Winning Constraints

We first define the language of winning constraints, a class of formulas that can be used to characterize if an adversary can win the symbolic game \(\mathsf {G^{sym}}( SE )\). Then we define the set of solutions of a winning constraint and present a set of simplification rules that preserve the set of solutions.

Fig. 2. Grammar for winning constraints (for \(k \in \mathsf {IVar}, K \subset \mathsf {IVar}\)). For every \(\mathsf {Coeff}(\mathcal {E})\), \(\mathcal {E}\) does not contain the symbol \(\mathsf {Coeff}\).

Definition 2

(Winning constraints). The language of winning constraints is defined by the grammar given in Fig. 2. We distinguish between bound index variables and free index variables depending on whether they are bound by \(\forall \)/\(\varSigma \). We write \( ivars (\mathcal {C})\) to denote the free index variables in the constraint \(\mathcal {C}\).

Intuitively, atomic constraints \(\mathcal {E}= 0\) represent polynomial equalities. In the quantifications \(\forall k \notin K\) and \(\sum _{k \notin K}\), the index variable k ranges over all elements in [q] except for the valuations of the index variables in K. Uniform variables \(R/R_{[k]}\) are treated like formal variables, parameters \(\rho /\rho _{[k]}\) can be instantiated with integers, handle variables \(Y_{[k]}\) can be instantiated with Laurent polynomials over uniform variables, and the arithmetic operations are interpreted in the ring of Laurent polynomials over \(\mathbb {F}_p\) for a prime p. An expression \(\mathsf {Coeff}_{\mathcal {M}}(\mathcal {E})\) represents the coefficient of the monomial \(\mathcal {M}\) in the expression \(\mathcal {E}\) after the parameters and handle variables in \(\mathcal {E}\) are instantiated. The resulting Laurent polynomial after instantiation contains only (indexed) uniform variables. Formally, the set of solutions of a winning constraint is defined as follows.

Definition 3

(Solutions of winning constraints). A structure \(s = (p,q,\sigma ,\delta ,\chi ,\xi )\) for a prime number p, a natural number q, a valuation \(\sigma : \mathsf {IVar}\rightarrow [q]\) for (free) index variables, valuations \(\delta : \mathsf {PVar}\rightarrow \mathbb {F}_p\) and \(\chi : \mathsf {PVar}\times [q] \rightarrow \mathbb {F}_p\) for the parameters, and a valuation \(\xi : \mathsf {HVar}\times [q] \rightarrow \mathbb {F}_p[\mathsf {UVar}^{\pm 1},\mathsf {UVar}_{[1]}^{\pm 1},\ldots , \mathsf {UVar}_{[q]}^{\pm 1}]\) for the handle variables is a solution for a winning constraint \(\mathcal {C}\) if \( eval _{s}(\mathcal {C}) = true\) for the function \( eval \) defined in Fig. 3.

Fig. 3. Definition of the evaluation function \( eval _s\) for \(s = (p,q,\sigma ,\delta ,\chi ,\xi )\), where \(R \in \mathsf {UVar}\), \(\otimes \in \{=, \ne , \wedge ,*,+\}\) are interpreted as the corresponding boolean operations/arithmetic operations in the ring of Laurent polynomials over \(\mathbb {F}_p\), and \(s_{k,K,i}\) is defined as follows. Let \(\{v_1, \ldots , v_{q - |K|}\} = [q] \setminus \sigma (K)\); then \(s_{k,K,i} = (p,q,\sigma ',\delta ,\chi ,\xi )\) where \(\sigma ' = \sigma [k \mapsto v_i]\) for \(i \in \{1,\ldots ,q -|K|\}\).

3.3 Translation from Security Experiments to Winning Constraints

We define the translation function to convert a security experiment definition into winning constraints. The translation is sound and complete with respect to a certain class of solutions. Roughly, this means that there is an efficient attacker on the security experiment in the Generic Group Model with non-negligible winning probability iff there is a solution for the translated winning constraints where handle variables are instantiated with “computable” Laurent polynomials.

To simplify the presentation, we assume that for all security experiments in Type II, it holds that \(\varvec{F_{{\mathsf{2}}}} \subseteq \varvec{F_{{\mathsf{1}}}}\) and \(\varvec{H_{{\mathsf{2}}}} \subseteq \varvec{H_{{\mathsf{1}}}}\) which allows us to ignore the isomorphism \(\varPsi \). Similarly, we assume for Type I that \(\varvec{F_{{\mathsf{1}}}} = \varvec{F_{{\mathsf{2}}}}\) and \(\varvec{H_{{\mathsf{1}}}} = \varvec{H_{{\mathsf{2}}}}\) which allows us to ignore that \(\mathbb {G}_{{\mathsf{1}}} = \mathbb {G}_{{\mathsf{2}}}\).

First, note that \({{\varvec{W}}^{\bowtie }} \subset \mathbb {Z}[{{\varvec{X}}}^{\pm 1}, {{\varvec{R}}}^{\pm 1}, {{\varvec{a}}}, {{\varvec{h}}}, {\hat{{{\varvec{a}}}}}, {\hat{{{\varvec{h}}}}} ]\) where \({{\varvec{X}}}, {{\varvec{R}}} \in \mathsf {UVar}^*\), \({{\varvec{a}}}, {\hat{{{\varvec{a}}}}} \in \mathsf {PVar}^*\), and \({{\varvec{h}}}, {\hat{{{\varvec{h}}}}} \in \mathsf {HVar}^*\). For an index variable \(j \in \mathsf {IVar}\), we write \({{\varvec{R}}}_{[j]}\) to denote the vector \(({{\varvec{R}}}_{(1)[j]},\ldots ,{{\varvec{R}}}_{(|{{\varvec{R}}}|)[j]})\) of indexed uniform variables. Similarly, we write \(\varvec{a}_{[j]}\) and \({{\varvec{h}}}_{[j]}\). For our translation, we instantiate each winning handle variable \({\hat{{{\varvec{h}}}}}_{(u)} \in \mathsf {HVar}_{{\mathsf{1}}} \cup \mathsf {HVar}_{{\mathsf{2}}}\) with a linear combination of polynomials in the adversary input and in the oracle output. Formally, we define the vector \({{\varvec{E}}}\) of expressions as follows. For \(u \in [|{\hat{{{\varvec{h}}}}}|]\) such that \({\hat{{{\varvec{h}}}}}_{(u)} \in \mathsf {HVar}_{{\mathsf{1}}}\) and \(l = |\varvec{H_{{\mathsf{1}}}}|\), we define

$$\begin{aligned} \varvec{E}_{(u)} ={}&\rho ^{({\mathsf{1}},u,1)} \varvec{F_{{\mathsf{1}}}}_{(1)}({{\varvec{X}}}) + \ldots + \rho ^{({\mathsf{1}},u,|\varvec{F_{{\mathsf{1}}}}|)} \varvec{F_{{\mathsf{1}}}}_{(|\varvec{F_{{\mathsf{1}}}}|)}({{\varvec{X}}}) +{} \\&\sum _k \tau _{[k]}^{({\mathsf{1}},u,1)} \varvec{H_{{\mathsf{1}}}}_{(1)}({{\varvec{X}}},{{\varvec{R}}}_{[k]},{{\varvec{a}}}_{[k]},{{\varvec{h}}}_{[k]}) + \ldots +{} \\&\sum _{k} \tau _{[k]}^{({\mathsf{1}},u,l)} \varvec{H_{{\mathsf{1}}}}_{(l)}({{\varvec{X}}},{{\varvec{R}}}_{[k]}, {{\varvec{a}}}_{[k]}, {{\varvec{h}}}_{[k]}) \end{aligned}$$

where \(\rho ^{({\mathsf{1}},u,n)}\) and \(\tau ^{({\mathsf{1}},u,n)}\) are distinct fresh parameter variables. For \(u \in [|{\hat{{{\varvec{h}}}}}|]\) such that \({\hat{{{\varvec{h}}}}}_{(u)} \in \mathsf {HVar}_{{\mathsf{2}}}\), we define \({{\varvec{E}}}_{(u)}\) analogously. For \(u \in [|{\hat{{{\varvec{h}}}}}|]\) such that \({\hat{{{\varvec{h}}}}}_{(u)} \in \mathsf {HVar}_{{\mathsf{t}}}\), we define \({{\varvec{E}}}_{(u)}\) analogously, additionally taking products of polynomials from \(\mathbb {G}_{{\mathsf{1}}}\) and \(\mathbb {G}_{{\mathsf{2}}}\) into account. We define the winning constraint derived from \( SE \) as

$$ toConstr ( SE ) = \bigwedge _{w \in {{\varvec{W}}^{\bowtie }}}\forall j. \left( w({{\varvec{X}}}, {{\varvec{R}}}_{[j]}, {{\varvec{a}}}_{[j]}, {{\varvec{h}}}_{[j]}, {\hat{{{\varvec{a}}}}}, {{\varvec{E}}} ) \bowtie 0 \right) . $$

A priori, the notion of solution for winning constraints does not restrict the set of Laurent polynomials that can be used to instantiate the handle variables in \(\varvec{h}_{[j]}\). Since we are only interested in solutions where the instantiations of handle variables are computable, we now define the notion of constrained solution.

Definition 4

(Constrained solutions of winning constraints). A solution is constrained by sequences of sets \(\{K_j^{(i)}\}_{j \in \mathbb {N}}\) of Laurent polynomials \((\text {for}~i \in \{{\mathsf{1}},{\mathsf{2}},{\mathsf{t}}\})\) if for all \(i \in \{{\mathsf{1}},{\mathsf{2}},{\mathsf{t}}\}\), \(Y \in \mathsf {HVar}_i\), and \(j \in [q]\), it holds that \(\xi (Y,j) \in K_j^{(i)}\).

Since we are interested in solutions constrained by computable Laurent polynomials, we next define the sequences of computable polynomials. We use \(\langle S \rangle \) to denote the vector space over \(\mathbb {F}_p\) generated by S.

Definition 5

(Computable polynomials). The sequences of computable polynomials for a security experiment

$$ SE = ((t, {{\varvec{X}}}, (\varvec{F_{{\mathsf{1}}}},\varvec{F_{{\mathsf{2}}}}, \varvec{F_{{\mathsf{t}}}})), ({{\varvec{a}}},{{\varvec{h}}},{{\varvec{R}}},(\varvec{H_{{\mathsf{1}}}},\varvec{H_{{\mathsf{2}}}},\varvec{H_{{\mathsf{t}}}})), wcond ) $$

are defined as follows:

$$\begin{aligned} \mathcal {K}_{0}^{ SE ,(i)} ={}&\langle toSet (\varvec{F_{i}}) \rangle&\text {for } i \in \{{\mathsf{1}},{\mathsf{2}}\} \\ \mathcal {K}_{0}^{ SE ,({\mathsf{t}})} ={}&\langle toSet (\varvec{F_{{\mathsf{t}}}}) \cup (\mathcal {K}_{0}^{ SE ,({\mathsf{1}})}*\mathcal {K}_{0}^{ SE ,({\mathsf{2}})}) \rangle&\\ \end{aligned}$$
$$\begin{aligned} \mathcal {K}_{j + 1}^{ SE ,(i)} ={}&\langle \mathcal {K}_{j}^{ SE ,(i)} \cup {}&\text {for } j \ge 0, i \in \{{\mathsf{1}},{\mathsf{2}}\} \\&\{ H({{\varvec{X}}}, {{\varvec{v}}}, {{\varvec{E}}}, {{\varvec{R}}}^{(j + 1)}) \mid H \in {{\varvec{H}}}_i \wedge {}&\\&\quad {{\varvec{v}}} \in \mathbb {F}_p^{|{{\varvec{a}}}|} \wedge |{{\varvec{E}}}| = |{{\varvec{h}}}| \wedge {{\varvec{E}}}_{(u)} \in \mathcal {K}_{j}^{ SE ,( ty ({{\varvec{h}}}_{(u)}))} \} \rangle&\\ \mathcal {K}_{j + 1}^{ SE ,({\mathsf{t}})} ={}&\langle \mathcal {K}_{j}^{ SE ,({\mathsf{t}})} \cup (\mathcal {K}_{j+1}^{ SE ,({\mathsf{1}})}*\mathcal {K}_{j+1}^{ SE ,({\mathsf{2}})}) \cup {}&\text {for } j \ge 0 \\&\{ H({{\varvec{X}}}, {{\varvec{v}}} , {{\varvec{E}}}, {{\varvec{R}}}^{(j + 1)}) \mid H \in {{\varvec{H}}}_{{\mathsf{t}}} \wedge {}&\\&\quad {{\varvec{v}}} \in \mathbb {F}_p^{|{{\varvec{a}}}|} \wedge |{{\varvec{E}}}| = |{{\varvec{h}}}| \wedge {{\varvec{E}}}_{(u)} \in \mathcal {K}_{j}^{ SE ,( ty ({{\varvec{h}}}_{(u)}))} \} \rangle&\end{aligned}$$

The definition is always valid for Type III. For Types I and II, it is valid under the previously stated assumptions on \(\varvec{F_i}\) and \(\varvec{H_i}\). We say a solution s is an \( SE \)-computable solution if it is constrained by \((\mathcal {K}_{j}^{ SE ,(i)})_{j,i}\).

Theorem 1

(Soundness and Completeness of Translation). Let \(p \approx 2^\lambda \) and \(q_g, q\) polynomial in \(\lambda \). Then the winning probability in the generic group game \(\mathsf {G^{gen}}( SE )\) with a group of order p is negligible in \(\lambda \) for all adversaries that perform at most \(q_g\) (resp. q) queries iff there is no \( SE \)-computable solution for \( toConstr (SE)\).

Proof

(Sketch). For all concrete values of \(q_g\), q, and SE we can use the master theorem for interactive assumptions from [11] (more precisely, the extended version for handles from [22]) to obtain an algebraic criterion that is equivalent to the security of the construction. By unfolding the definitions of \( toConstr \) and \( eval \), we can verify that the criterion is true for all bounds on the number of oracle-queries iff there is no \( SE \)-computable solution for \( toConstr (SE)\).    \(\square \)

Example 2

The translation of the security experiment for the example in Fig. 1 to winning constraints is

$$\begin{aligned}&\hat{S} - \hat{M} * V - W - \hat{T}_{1} * \hat{T}_{2}= 0 \ \ \ \wedge \ \ \ \hat{T}_{1} - \hat{T}_{2} = 0 \ \ \ \wedge \ \ \ \forall k. \ \hat{M} - M_{[k]} \ne 0 \end{aligned}$$

where \(V,W,R \in \mathsf {UVar}\) and \(M \in \mathsf {HVar}_2\), \(\mu , \mu ', \mu '', \rho , \rho ', \rho '', \rho ''', \tau , \tau ', \tau '', \gamma , \gamma ', \gamma '' \in \mathsf {PVar}\), and \(\hat{M}, \hat{T}_1, \hat{T}_2, \hat{S}\) are defined as

$$\begin{aligned} \hat{M}&= \mu + \sum _{k} \mu '_{[k]}*R_{[k]} + \sum _{k}\mu ''_{[k]}* (M_{[k]}*V + W + R_{[k]}^{2}), \\ \hat{T}_1&= \rho + \sum _{k} \rho '_{[k]}*R_{[k]} + \rho '' *V + \rho '''*W , \\ \hat{T}_2&= \tau + \sum _{k} \tau '_{[k]}*R_{[k]} + \sum _{k}\tau ''_{[k]}* (M_{[k]}*V + W + R_{[k]}^{2}), \text { and } \\ \hat{S}&= \gamma + \sum _{k} \gamma '_{[k]}*R_{[k]} + \sum _{k}\gamma ''_{[k]}* (M_{[k]}*V + W + R_{[k]}^{2}). \end{aligned}$$

We first outline the sequence of computable monomials for \(\mathbb {G}_{{\mathsf{1}}}\):

For \(\mathbb {G}_{{\mathsf{2}}}\), the sequence looks as follows:

For \(\mathbb {G}_{{\mathsf{t}}}\), only the first line of the definition (computable earlier or product of computable in \(\mathbb {G}_{{\mathsf{1}}}\) and computable in \(\mathbb {G}_{{\mathsf{2}}}\)) is non-empty. \(\blacksquare \)

4 Constraint Solving

In this section, we define an algorithm that takes a winning constraint and tries to derive a contradiction, thereby showing that the winning constraint has no solution. Our algorithm uses constraint solving rules to perform a complete search for solutions using simplification rules and case distinctions. We first give the rules and then describe a strategy to apply the rules in Sect. 5. We begin by describing a set of simplification rules for constraints that exploit logical equivalences to bring a constraint into a simplified form. Next, we describe a set of rules for introducing and simplifying \(\mathsf {Coeff}\) constraints. Then, we describe our rules for performing case distinctions, followed by a procedure for equational simplification based on Gröbner Basis techniques. We conclude by giving a worked-out example.

4.1 Constraint Solving Rules and Soundness

We use the notation \(\mathcal {C}\leadsto _{ SE }\mathcal {C}_1 \vee \ldots \vee \mathcal {C}_k\) to denote the constraint solving rule that “simplifies” the constraint \(\mathcal {C}\) into the disjunction of constraints \(\mathcal {C}_1\), ..., \(\mathcal {C}_k\). The constraint solving rule might depend on the security experiment \( SE \). Our rules are sound in the following sense: If there exists an \( SE \)-solution s for \(\mathcal {C}\), then there is an \(i \in \{1,\ldots ,k\}\) such that there exists an \( SE \)-solution \(s'\) for \(\mathcal {C}_i\). The solution \(s'\) is usually very similar to s, but might, for example, perform an additional query with trivial parameters. We use \(\mathcal {C}\leadsto _{ SE }\bot \) to denote that \(\mathcal {C}\) can be simplified to the empty disjunction, which is equivalent to false.

We say a constraint \(\mathcal {C}\) is contradictory if there is either a rule \(\mathcal {C}\leadsto _{ SE }\bot \) or there is a rule \(\mathcal {C}\leadsto _{ SE }\mathcal {C}_1 \vee \ldots \vee \mathcal {C}_k\) such that for all \(i \in \{1,\ldots ,k\}\), the constraint \(\mathcal {C}_i\) is contradictory. Since all rules are sound, we obtain that if \(\mathcal {C}\) is contradictory, then \(\mathcal {C}\) has no solution.

4.2 Simplification Rules

To exploit the equivalences \(e = e'\) given in Fig. 5, we define a corresponding constraint solving rule \(C[e] \leadsto _{ SE }C[e']\) for each of them. The rules up to and including the equivalences for \(\mathsf {Coeff}\) can be used to bring every winning constraint into simplified form (see Fig. 4). Additionally, we assume that rules for the axioms of commutative rings with respect to \(0,1,*\) and \(+\) are given.

Fig. 4.

Grammar for simplified winning constraints where \(\rho \in \mathsf {PVar}, R \in \mathsf {UVar}, Y \in \mathsf {HVar}, k \in \mathsf {IVar}\). Conjunctions, sums, and products cannot be empty, but they can have a single argument. All bound variables must occur in the body. A monomial never contains a uniform variable and its inverse and never contains 1 unless it is equal to 1.

Fig. 5.

Equivalences for simplifying constraints where \(K_2'\) is defined as \(K_2 \setminus \{k_1\}\) and \(K_1'\) is defined as \(K_1 \cup \{k_2\}\) if \(k_1 \in K_2\) and \(K_1\) otherwise.

The remaining rules are useful to enable the application of other rules. The first remaining set of rules allows us to swap binders, which might be required before applying rules that expect a certain binder to be in outermost position. To preserve the well-formedness of constraints, we adapt the index exception sets K as shown below. The second remaining set of rules allows us to add exceptions to binders, which can also enable the application of other rules.

4.3 Introducing and Simplifying \(\mathsf {Coeff}\) Constraints

In this section, we describe how to introduce and simplify constraints that involve \(\mathsf {Coeff}\) expressions. To define our constraint solving rules, we define three functions that filter variables in monomials.

The functions

  • \( umon : Mon [\mathsf {UVar}^{\pm 1}, \mathsf {HVar}, \mathsf {PVar}] \rightarrow Mon [\mathsf {UVar}^{\pm 1}]\),

  • \( hmon : Mon [\mathsf {UVar}^{\pm 1}, \mathsf {HVar}, \mathsf {PVar}] \rightarrow Mon [\mathsf {HVar}]\), and

  • \( pmon : Mon [\mathsf {UVar}^{\pm 1}, \mathsf {HVar}, \mathsf {PVar}] \rightarrow Mon [\mathsf {PVar}]\)

keep the exponents for the desired type of variables and set the exponents of all other variables to zero.

Fig. 6.

Rules for introducing and simplifying \(\mathsf {Coeff}\) expressions

The constraint solving rules are given in Fig. 6. The first rule exploits that if a polynomial is equal to zero, then, when interpreting it as a polynomial over uniform variables, the coefficients of all its monomials must be zero. The remaining two rules allow us to simplify \(\mathsf {Coeff}\) expressions. The first of them deals with the case where \(\mathcal {E}\) does not contain any handle variables and \(\mathcal {M}\) is equal to the monomial over uniform variables contained in \(\mathcal {E}\). The second deals with the case where it is possible to prove that there is no (\( SE \)-computable) instantiation of the handle variables in \(\mathcal {E}\) such that the resulting Laurent polynomial contains the monomial \(\mathcal {M}\). This rule makes use of the \(\mathsf {contMon}\) constraint. We will present the rules for showing that such a constraint is contradictory in the next section.

Example 3

Consider the constraint \(\varGamma \) such that

$$ \varGamma = (\sum _{j} \rho _{[j]} R_{[j]} = 0) \wedge \varGamma ' $$

We can simplify the constraint as follows:

$$\begin{aligned} \varGamma \leadsto _{ SE }{}&\varGamma \wedge \forall i.\, \mathsf {Coeff}_{R_{[i]}}(\sum _{j}\rho _{[j]} R_{[j]}) = 0&[{\textsf {coeff-1}}] \\ \leadsto _{ SE }{}&\varGamma \wedge \forall i.\, \mathsf {Coeff}_{R_{[i]}}((\sum _{j \notin \{i\}}\rho _{[j]} R_{[j]}) + \rho _{[i]} R_{[i]}) = 0&[{\textsf {split-2}}] \\ \leadsto _{ SE }{}&\varGamma \wedge \forall i.\, \mathsf {Coeff}_{R_{[i]}}(\sum _{j \notin \{i\}}\rho _{[j]} R_{[j]}) + \mathsf {Coeff}_{R_{[i]}}(\rho _{[i]} R_{[i]}) = 0&[{\textsf {equiv-11}}] \\ \leadsto _{ SE }{}&\varGamma \wedge \forall i.\, \mathsf {Coeff}_{R_{[i]}}(\sum _{j \notin \{i\}}\rho _{[j]} R_{[j]}) + \rho _{[i]} = 0&[{\textsf {coeff-2}}] \\ \leadsto _{ SE }{}&\varGamma \wedge \forall i.\, (\sum _{j \notin \{i\}} \mathsf {Coeff}_{R_{[i]}}(\rho _{[j]} R_{[j]})) + \rho _{[i]} = 0&[{\textsf {equiv-12}}] \\ \leadsto _{ SE }{}&\varGamma \wedge \forall i.\, (\sum _{j \notin \{i\}} 0) + \rho _{[i]} = 0&[{\textsf {coeff-3}}] \\ \leadsto _{ SE }{}&\varGamma \wedge \forall i.\, \rho _{[i]} = 0&[\textsf {equiv-ring}] \end{aligned}$$

For the step using [coeff-3], we exploit that \(\mathsf {contMon}_{R_{[i]}/R_{[j]}}(1) \leadsto _{ SE }\bot \) and that \(j \notin \{i\}\) ensures that these index variables will never be instantiated with the same value in the given context. We will give the required rules in the next section. Then, our Gröbner-Basis-based simplification algorithm will replace \(\rho _{[j]}\) by 0 in \(\varGamma \) for arbitrary index variables j. \(\blacksquare \)

Proving Coeff to be zero for all SE solutions. In this section, we describe a method to check if \(\mathsf {Coeff}_{\mathcal {M}}(\mathcal {E})\) can be simplified to 0, i.e., for all SE-computable solutions \(s=(p,q,\sigma ,\delta ,\chi ,\xi )\), it holds that \( coeff _{\sigma (\mathcal {M})}( eval _s(\mathcal {E})) = 0\). As in previous sections, we describe our approach for Type III, but stress that it can be adapted to Type I and Type II, e.g., by transforming the security experiment to make the isomorphisms redundant. We assume that the oracle definitions are efficiently computable and only return handles to elements of \(\mathbb {G}_{{\mathsf{1}}}\) and \(\mathbb {G}_{{\mathsf{2}}}\). Furthermore, we assume that the winning condition only uses handles to elements of \(\mathbb {G}_{{\mathsf{1}}}\) and \(\mathbb {G}_{{\mathsf{2}}}\). This covers most cryptographic constructions of interest (including all SPS schemes). In this case, we never have to deal with handle variables from \(\mathsf {HVar}_{{\mathsf{t}}}\) and for \(i \in \{{\mathsf{1}},{\mathsf{2}}\}\), the polynomials \({{\varvec{H}}}_{i}\) defining the oracle return values contain only handle variables from \(\mathsf {HVar}_i\). We distinguish three cases for \(\mathsf {contMon}_{\mathcal {M}}(\mathcal {E})\): (i) \(\deg (\mathcal {E}) = 0\), (ii) \(\deg (\mathcal {E}) = 1\), and (iii) \(\deg (\mathcal {E}) > 1\).

Case (i): We use the rule

$$ \mathsf {contMon}_{\mathcal {M}}(1) \leadsto _{ SE }\bot \quad \text {if }\mathcal {M}\ne 1. $$

Here, we require that distinct index variables must be instantiated with distinct values, which is ensured by the side condition of the \(\mathsf {Coeff}\)-(3) rule.

Case (ii): We have \(\mathcal {E}= Y_{[j]}\) for \(Y \in \mathsf {HVar}_i\), \(j \in \mathsf {IVar}\), and \(i \in \{{\mathsf{1}},{\mathsf{2}}\}\). We must prove that the monomial \(\mathcal {M}\) is not computable in i before query j, i.e., it is impossible (in the symbolic group model) to obtain a handle h for \(\mathbb {G}_i\) that points to a polynomial F with \(\mathcal {M}\in mons (F)\) before the j-th oracle query. We perform a proof by contradiction that covers all cases on how a given monomial \(\mathcal {M}\) can be computed. We write \(\mathsf {canMult}_{i,\{j_1,\ldots ,j_n\}}(m)\) if it is possible to perform the multiplication of a given monomial with m using oracle queries with query-indices distinct from \(\{j_1,\ldots ,j_n\}\). For example, if we have an oracle that returns a handle to \(Y*R_{[j]} + W\) in \(\mathbb {G}_{{\mathsf{1}}}\) (where \(Y \in \mathsf {HVar}_{{\mathsf{1}}}, R, W \in \mathsf {UVar}\)), then \(\mathsf {canMult}_{{\mathsf{1}},\{j_1\}}(R_{[j_2]} * R_{[j_3]})\) is true since we can call the oracle for indices \(j_2\) and \(j_3\) to perform a multiplication with \(R_{[j_2]}\) and \(R_{[j_3]}\). In contrast, \(\mathsf {canMult}_{{\mathsf{1}},\{j_1\}}(R_{[j_1]}* R_{[j_2]} * R_{[j_3]})\) is false because we cannot multiply with \(R_{[j_1]}\) if using the oracle for query index \(j_1\) is forbidden. To formalize this reasoning, we define a set of rules to reduce a constraint \(\mathsf {contMon}_{m}(Y_{[j]})\) to a disjunction of constraints \(\mathsf {canMult}_{i,J}(m)\) such that \( ivars (m) = \emptyset \).

We define the set \(\mathcal {SM}^{ SE }_i\) of start monomials for a security experiment \( SE \) and group index i as \( mons ({{\varvec{F}}}_i) \cup ( mons ({{\varvec{H}}}_i) \cap Mon [\mathsf {UVar}^{\pm 1}])\) where the \({{\varvec{H}}}_i\) are considered as polynomials over handle and uniform variables. We define the set \(\mathcal {TM}^{ SE }_i\) of transformation monomials for a security experiment \( SE \) and a group index i as \(\{ m \mid Y*m \in mons ({{\varvec{H}}}_i) \wedge Y \in \mathsf {HVar}_i \} \subseteq Mon [\mathsf {UVar}^{\pm 1}]\). We partition both sets into \(\mathcal {SM}^{ SE }_{i} = \mathcal {SM}^{ SE }_{i,glob} \uplus \mathcal {SM}^{ SE }_{i,orcl}\) and \(\mathcal {TM}^{ SE }_{i} = \mathcal {TM}^{ SE }_{i,glob} \uplus \mathcal {TM}^{ SE }_{i,orcl}\) where the glob-sets contain all monomials that contain only global uniform variables and the orcl-sets contain all monomials that contain at least one oracle uniform variable. For monomials m, we write m[j] to denote the monomial where all oracle uniform variables Y are replaced with their indexed versions \(Y_{[j]}\). We also use the same notation for sets of monomials.

Fig. 7.

Rules for dealing with \(\mathsf {contMon}\). We use \(m/m'\) to denote the corresponding reduced Laurent monomial

We can now define the rules given in Fig. 7. The first rule captures that to compute the monomial \(\tilde{m}\) in i before query j, the adversary must start with a monomial \(m'\) (in \(m_1,\ldots ,m_l,\hat{m_1}[j_1],\ldots \)) and then use oracle queries to achieve an indirect multiplication of \(m'\) by \(\tilde{m} / m'\). Here, the monomials \(m_i\) are either monomials included in the adversary input or monomials included in the oracle return values that do not depend on handles and do not contain oracle uniform variables. The monomials \(\hat{m_i}[j_u]\) are monomials included in the oracle return values that do not depend on handles and that contain oracle uniform variables. The set of forbidden query indices for the indirect multiplication takes into account that j can never be used and that \(j_u\) cannot be used if a monomial with index \(j_u\) is used as the start monomial.

The second rule is applicable whenever \(\tilde{m}\) contains an indexed uniform variable \(R_{[j]}\) such that \(j \notin J\). In this case, the j-th query must be used to perform an indirect multiplication that cancels out \(R_{[j]}\) and we perform a case distinction on all monomial multiplications containing oracle uniform variables that can be performed by the oracle. For all cases where this step does not cancel out all variables indexed with j, we can use the third rule that formalizes the following fact: If the j-th query is forbidden, there is no way to cancel out a uniform variable with index j.

It is not hard to see that we can reduce all constraints to \(\mathsf {canMult}_{i,J}(\tilde{m})\) such that \( ivars (\tilde{m}) = \emptyset \): If \( ivars (\tilde{m})\) is non-empty, then either there is a \(j \in ivars (\tilde{m}) \cap J\) and we can conclude with the last rule, or we can apply the second rule and add an index \(j\in ivars (\tilde{m})\) to J. To check if a constraint \(\mathsf {canMult}_{i,J}(\tilde{m})\) with \( ivars (\tilde{m}) = \emptyset \) is unsatisfiable, we translate the constraint into a system of linear equations that formalizes the following idea. Let \(\{m_1, \ldots , m_l\} = \mathcal {TM}^{ SE }_{i,glob}\), then all indirect multiplications that do not introduce indexed uniform variables are of the form

$$ m_1^{\delta _1}*\ldots *m_l^{\delta _l} $$

for \(\delta _i \in \mathbb {N}\). This corresponds to using the i-th transformation \(\delta _i\) times to achieve a multiplication with \(m_i^{\delta _i}\). To check if there exist \(\delta _1, \ldots , \delta _l \in \mathbb {N}\) such that

$$ \tilde{m} = m_1^{\delta _1}*\ldots *m_l^{\delta _l} $$

we check if the linear system of equations

$$\begin{aligned}&\deg _{V_1}(\tilde{m}) = \deg _{V_1}(m_1)*\delta _1 + \ldots + \deg _{V_1}(m_l)*{\delta _l} \\&\ldots \\&\deg _{V_n}(\tilde{m}) = \deg _{V_n}(m_1)*\delta _1 + \ldots + \deg _{V_n}(m_l)*{\delta _l} \end{aligned}$$

has a solution over \(\mathbb {N}\) where \(\{V_1, \ldots , V_n\}\) is the set of uniform variables that occur in \(\tilde{m}, m_1, \ldots , m_l\).

Case (iii): The last case can be handled by generalizing the previous case. We sketch how to achieve this; the full description will be included in the full version of this paper. We have \(\mathcal {E}= (Y_1)_{[j_1]}*\ldots *(Y_n)_{[j_n]}\) for \(Y_u \in \mathsf {HVar}_{i_u}\), \(j_u \in \mathsf {IVar}\), and \(i_u \in \{{\mathsf{1}},{\mathsf{2}}\}\). To extend the method from Case (ii), we use adapted sets of start monomials and transformation monomials that take cancellations between these values for the different handles into account. For example, the set of transformation monomials is the product of the transformation monomial sets for \(j_1\), ..., \(j_n\), also allowing any set to be replaced by \(\{1\}\).

Example 4

We will show that \(\mathsf {contMon}_{R_{[i]}/V}(M_{[k]})\) is contradictory for the security experiment \( SE \) defined in Example 1. Note that \(M_{[k]} \in \mathsf {HVar}_{{\mathsf{2}}}\) and the monomial sets for this group are:

$$\begin{aligned} \mathcal {SM}^{ SE }_{{\mathsf{2}},glob}&= \{1, W\}&\mathcal {SM}^{ SE }_{{\mathsf{2}},orcl}&= \{R, R^2\} \\ \mathcal {TM}^{ SE }_{{\mathsf{2}},glob}&= \{ V\}&\mathcal {TM}^{ SE }_{{\mathsf{2}},orcl}&= \emptyset \end{aligned}$$

By applying the first rule in Fig. 7 we have:

$$\begin{aligned}&\mathsf {contMon}_{R_{[i]}/V}(M_{[k]}) \leadsto _{ SE }{}&\\&\quad \mathsf {canMult}_{{\mathsf{2}},\{k\}}(R_{[i]}V^{-1}) \, \vee \, \mathsf {canMult}_{{\mathsf{2}},\{k\}}(R_{[i]}V^{-1}W^{-1})\, \vee&\text {(div. by }1 \text { and } W) \\&\quad \mathsf {canMult}_{{\mathsf{2}},\{k,i\}}(V^{-1}) \, \vee \, \mathsf {canMult}_{{\mathsf{2}},\{k,i\}}(V^{-1}R_{[i]}^{-1})&\text {(div. by } R_{[i]} \text { and } R_{[i]}^{2}) \end{aligned}$$

Now, since \(\mathcal {TM}^{ SE }_{{\mathsf{2}},orcl} = \emptyset \), the second rule in Fig. 7 gives us:

$$\begin{aligned}&\mathsf {canMult}_{{\mathsf{2}},\{k\}}(R_{[i]}V^{-1}) \leadsto _{ SE }{} \bot \\&\mathsf {canMult}_{{\mathsf{2}},\{k\}}(R_{[i]}V^{-1}W^{-1}) \leadsto _{ SE }{} \bot \end{aligned}$$

Additionally,

$$ \mathsf {canMult}_{{\mathsf{2}},\{k,i\}}(V^{-1}R_{[i]}^{-1}) \leadsto _{ SE }{} \bot $$

because \(\{k,i\} \cap ivars (V^{-1}R_{[i]}^{-1}) \ne \emptyset \). Our problem has been reduced to deciding

$$ \mathsf {canMult}_{{\mathsf{2}},\{k,i\}}(V^{-1}) $$

so we define the system of equations:

$$ \deg _{V}(V^{-1}) = \deg _{V}(V)*\delta _1 $$

where \(\delta _{1} \in \mathbb {N}\). The equation is \(-1 = 1*\delta _1\) and it reduces to \(\bot \). This analysis proves that \(\mathsf {contMon}_{R_{[i]}/V}(M_{[k]}) \leadsto _{ SE }{} \bot \), i.e., the handle variable \(M_{[k]}\) cannot contain the monomial \(R_{[i]}/V\).
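Carrying Case (ii) and Example 4 through in code, as an added example that is not part of the paper or of its tool: Laurent monomials are encoded as dictionaries from variable name to exponent, the Fig. 7 rules are applied in the form Example 4 uses them (the first rule divides the target monomial by each start monomial, with oracle start monomials instantiated at the index variables of the target, which loses nothing since a fresh index would be forbidden immediately; the second rule divides by each oracle transformation monomial indexed at j and adds j to the forbidden set, so an empty \(\mathcal {TM}_{i,orcl}\) yields the empty disjunction; the third rule yields \(\bot \)), and the final \(\mathsf {canMult}_{i,J}(\tilde{m})\) with \( ivars (\tilde{m}) = \emptyset \) is decided by the degree equations over \(\mathbb {N}\). The function names, the dictionary encoding, and the bounded enumeration of exponents used to decide the degree system are assumptions of this example, not the paper's; the second function reproduces the \(\mathsf {canMult}\) illustration from Case (ii) with the \(Y*R_{[j]} + W\) oracle.

```python
"""Reducing contMon to canMult (Fig. 7) and deciding canMult by the degree system.

Constructed example: a Laurent monomial is a dict {variable: non-zero int
exponent}; an oracle uniform variable indexed with j is written "R[j]".
"""
import re
from itertools import product

_INDEXED = re.compile(r"^([A-Za-z]+)\[([A-Za-z0-9]+)\]$")

def mnorm(m):
    """Drop zero exponents so that equal monomials compare equal."""
    return {v: e for v, e in m.items() if e != 0}

def mmul(a, b):
    """Product of two Laurent monomials."""
    out = dict(a)
    for v, e in b.items():
        out[v] = out.get(v, 0) + e
    return mnorm(out)

def mdiv(a, b):
    """Reduced Laurent monomial a / b (the m/m' notation of Fig. 7)."""
    return mmul(a, {v: -e for v, e in b.items()})

def ivars(m):
    """Index variables occurring in m, e.g. {'i'} for R[i] * V^-1."""
    found = set()
    for v in m:
        mt = _INDEXED.match(v)
        if mt:
            found.add(mt.group(2))
    return found

def indexed(m, j, oracle_vars):
    """m[j]: every oracle uniform variable replaced by its version indexed with j."""
    return {(f"{v}[{j}]" if v in oracle_vars else v): e for v, e in m.items()}

def degree_system_solvable(target, tm_glob, cap=8):
    """Is target = m_1^d_1 * ... * m_l^d_l for some d in N^l?  This is the
    linear system deg_V(target) = sum_i deg_V(m_i) * d_i over N; it is decided
    here by enumerating exponents 0..cap (assumption: a bound that suffices for
    the small systems in the paper's examples)."""
    if not tm_glob:
        return not target  # only the empty product is available, i.e. target == 1
    variables = set(target) | {v for m in tm_glob for v in m}
    for ds in product(range(cap + 1), repeat=len(tm_glob)):
        if all(target.get(v, 0) == sum(m.get(v, 0) * d for m, d in zip(tm_glob, ds))
               for v in variables):
            return True
    return False

def can_mult(target, forbidden, tm_glob, tm_orcl, oracle_vars, cap=8):
    """canMult_{i,J}(target): can queries with indices outside `forbidden`
    achieve a multiplication by `target`?  Second and third rule of Fig. 7
    until no index variable is left, then the degree system."""
    target = mnorm(target)
    idx = ivars(target)
    if idx & forbidden:
        return False  # third rule: a forbidden query index can never be cancelled
    if idx:
        j = min(idx)  # second rule: query j must cancel the variables indexed by j
        return any(can_mult(mdiv(target, indexed(t, j, oracle_vars)),
                            forbidden | {j}, tm_glob, tm_orcl, oracle_vars, cap)
                   for t in tm_orcl)  # empty TM_orcl: empty disjunction, i.e. bot
    return degree_system_solvable(target, tm_glob, cap)

def cont_mon(target, j, sm_glob, sm_orcl, tm_glob, tm_orcl, oracle_vars, cap=8):
    """contMon_target(Y_[j]) by the first rule of Fig. 7 as used in Example 4:
    divide the target by each start monomial (oracle start monomials are
    instantiated at the index variables of the target) and ask canMult."""
    cases = [(mdiv(target, s), {j}) for s in sm_glob]
    for ju in sorted(ivars(target)):
        cases += [(mdiv(target, indexed(s, ju, oracle_vars)), {j, ju}) for s in sm_orcl]
    return any(can_mult(m, J, tm_glob, tm_orcl, oracle_vars, cap) for m, J in cases)

def example_4():
    """Example 4: contMon_{R_[i]/V}(M_[k]) in G_2 with the monomial sets given
    there.  Returns False, i.e. the constraint is contradictory."""
    V, W, R = {"V": 1}, {"W": 1}, {"R": 1}
    return cont_mon(target={"R[i]": 1, "V": -1}, j="k",
                    sm_glob=[{}, W],                 # SM_{2,glob} = {1, W}
                    sm_orcl=[R, mmul(R, R)],         # SM_{2,orcl} = {R, R^2}
                    tm_glob=[V], tm_orcl=[],         # TM_{2,glob} = {V}, TM_{2,orcl} empty
                    oracle_vars={"R"})

def can_mult_illustration():
    """The canMult illustration of Case (ii): an oracle returning Y*R_[j] + W in
    G_1 gives TM_{1,orcl} = {R} and TM_{1,glob} empty.  Returns (True, False)."""
    R = {"R": 1}
    ok = can_mult({"R[j2]": 1, "R[j3]": 1}, {"j1"}, [], [R], {"R"})
    forbidden = can_mult({"R[j1]": 1, "R[j2]": 1, "R[j3]": 1}, {"j1"}, [], [R], {"R"})
    return ok, forbidden
```

Running `example_4()` walks exactly the four cases of Example 4: the two cases with forbidden set \(\{k\}\) die on the empty \(\mathcal {TM}_{{\mathsf{2}},orcl}\), the case \(V^{-1}R_{[i]}^{-1}\) dies on the third rule, and \(V^{-1}\) dies on the equation \(-1 = 1*\delta _1\) having no solution in \(\mathbb {N}\). A production solver would replace the exponent enumeration by an exact integer-programming decision, which the bounded search only approximates.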

4.4 Case Distinctions and Contradictions

The rules for case distinctions and contradictions are given in Fig. 8. The first rule is applicable whenever we can express the left-hand side of an equality with 0 as a product of the two factors \(\mathcal {E}_1\) and \(\mathcal {E}_2\). Since we reason about elements of an integral domain, we can conclude that at least one of the factors must be equal to 0. The second rule formalizes that if \(\mathcal {C}'\) is true for some i, then it is either true for some \(i \ne j\) or it is true for \(i=j\). The third rule formalizes that for all expressions \(\mathcal {E}\), the expression is either equal to 0 or not. We only apply this rule with an \(\mathcal {E}\) that already occurs as a subterm of \(\mathcal {C}\). In most cases \(\mathcal {E}= \rho \) for \(\rho \in \mathsf {PVar}\). The final case distinction rule deals with indexed parameter variables \(\rho _{[i]}\). Either \(\rho _{[i]}\) is equal to zero for all indices not in K or there is an index j not in K such that \(\rho _{[j]}\) is not zero. The rule uses \(\varDelta \) to denote all existential bindings in the constraint.

Fig. 8.

Rules for performing case distinctions and contradictions.

The two contradiction rules are straightforward. The first rule states that a non-zero constant c is not equal to zero. We keep track of applications of this rule to obtain a lower bound on the prime p for which our proof is valid. The second rule just formalizes that zero is always equal to itself.

4.5 Gröbner Basis Simplification

Before applying the Gröbner Basis simplification, we ensure that all \(\forall \)-quantifiers use the same binders \(\varDelta \) and that all index exception sets are maximal for \(\varDelta \). This might require renaming of variables, extending the index exception sets, and introducing unused variables. For the \(\sum \)-binders \(\hat{\varDelta }_u\), we assume for all \(u, v\) that (i) \(\hat{\varDelta }_u = \hat{\varDelta }_v\), (ii) \(\hat{\varDelta }_u\) is a prefix of \(\hat{\varDelta }_v\), or (iii) vice versa.

The resulting constraint system can be rearranged to have the following form

$$\begin{aligned} \exists \nabla .\,&(\forall \varDelta .\, \mathcal {E}_1 = 0) \wedge \ldots \wedge (\forall \varDelta .\, \mathcal {E}_l = 0) \wedge {} \\&(\forall \varDelta .\, \hat{\mathcal {E}}_1 \bowtie _1 0) \wedge \ldots \wedge (\forall \varDelta .\, \hat{\mathcal {E}}_{\hat{l}} \bowtie _{\hat{l}} 0) \end{aligned}$$

where the \(\mathcal {E}_u\) are expressions that do not contain handle variables, uniform variables, or \(\mathsf {Coeff}\) expressions, which we call parameter equality polynomials. The \(\hat{\mathcal {E}}_u\) denote the remaining expressions. We want to move all the \(\mathcal {E}_u\) under a single quantifier for simplification. To take renamings of the bound variables into account, we ensure beforehand that for all \(\mathcal {E}_u\) and all permutations of the \(\forall \)-bound variables, the resulting expression is already included. For example, given

$$ \forall j_1, j_2 \notin \{j_1\}.\, \rho _{[j_1]}*\rho '_{[j_2]}=0 \wedge \forall j_1, j_2 \notin \{j_1\}.\, \rho _{[j_2]}*\rho '_{[j_1]} - \alpha =0 $$

it is usually useful to add at least the permutation

$$ \forall j_1, j_2 \notin \{j_1\}.\, \rho _{[j_1]}*\rho '_{[j_2]} - \alpha = 0 $$

before moving everything under a common quantifier since this yields the shared monomial \(\rho _{[j_1]}*\rho '_{[j_2]}\). After moving the parameter equality polynomials under the same quantifier, we get:

$$\begin{aligned} \exists \nabla .\,&(\forall \varDelta .\, \mathcal {E}_1 = 0 \wedge \ldots \wedge \mathcal {E}_l = 0) \wedge {} \\&(\forall \varDelta .\, \hat{\mathcal {E}}_1 \bowtie _1 0) \wedge \ldots \wedge (\forall \varDelta .\, \hat{\mathcal {E}}_{\hat{l}} \bowtie _{\hat{l}} 0) \end{aligned}$$

Now, we move non-indexed parameters in monomials out of the \(\sum \)-binder and consistently replace non-bound parameters and \(\sum \)-expressions with variables \(X_v\). We call the corresponding mapping \(\sigma \) and use \(g_u\) to denote the polynomial resulting from \(\mathcal {E}_u\). We can revert this abstraction process by applying \(\sigma \), i.e., \(\sigma (g_u) = \mathcal {E}_u\). Next, we compute the Gröbner Basis (over \(\mathbb {Z}\)) of the ideal \(\langle g_1, \ldots , g_l \rangle \) which we denote with \(I=\langle g'_1, \ldots , g'_{l'} \rangle \). By the properties of the Gröbner Basis, we know that

$$ (g_1 = 0 \wedge \ldots \wedge g_{l} = 0 ) \Leftrightarrow (g'_1 = 0 \wedge \ldots \wedge g'_{l'} = 0) $$

and hence

$$ (\mathcal {E}_1 = 0 \wedge \ldots \wedge \mathcal {E}_{l} = 0 ) \Leftrightarrow (\mathcal {E}'_1 = 0 \wedge \ldots \wedge \mathcal {E}'_{l'} = 0) $$

for \(\mathcal {E}'_u = \sigma (g'_u)\), which we exploit to simplify the parameter equality polynomials. For computing the Gröbner Basis, we use a monomial order that prefers to eliminate abstracted \(\sum \) expressions. Next, we use the Gröbner Basis to simplify the expressions \(\forall \varDelta .\, \hat{\mathcal {E}}_u \bowtie _u 0\). If \(\hat{\mathcal {E}}_u\) uses all variables in \(\varDelta \), we use an extension \(\sigma '\) of \(\sigma \) to abstract \(\hat{\mathcal {E}}_u\) to the polynomial f and define \(f'\) as the result of reducing f modulo the Gröbner Basis I. As before, we define the simplified \(\hat{\mathcal {E}}'_u\) as \(\sigma '(f')\). Often, it is very useful to also simplify below \(\sum \)-binders. We use an example to illustrate how this works.

Example 5

Assume \(\nabla = j_1\), \(\varDelta = j_2 \notin \{j_1\}\), \(I = \langle X_1* X_2 \rangle \), \(\sigma = \{ X_1 \mapsto \rho _{[j_1]}, X_2 \mapsto \rho '_{[j_2]} \}\), and

$$\begin{aligned} \mathcal {E}_1 = (\sum _{j_3 \notin \{j_1\}} \rho _{[j_1]} * \rho '_{[j_3]} = 0). \end{aligned}$$

Then we use \(\forall j_2 \notin \{j_1\}.\, \rho _{[j_1]} * \rho '_{[j_2]} = 0\) to rewrite \(\rho _{[j_1]} * \rho '_{[j_3]}\) to 0 below \(\sum _{j_3 \notin \{j_1\}}\) by instantiating \(j_2\) with \(j_3\) (both have the same exception \(j_1\)). \(\blacksquare \)

4.6 Example: Proof of EUF-CMA for SPS

In this section, we show how our constraint solving rules can be used to prove (unbounded) \(\mathsf {EUF}\)-\(\mathsf {CMA}\) security of the signature scheme in Fig. 1. The winning constraints for the associated security experiment \( SE \) are already given in Example 2. To prove \(\mathsf {EUF}\)-\(\mathsf {CMA}\) security in the Generic Group Model, we must show that the following constraint has no \( SE \)-computable solution

$$\begin{aligned}&\gamma + \sum _{k} \gamma '_{[k]}*R_{[k]} + \sum _{k}\gamma ''_{[k]}* (M_{[k]}*V + W + R_{[k]}^{2}) \nonumber \\&- ( ( \tau + \sum _{k} \tau '_{[k]}*R_{[k]} + \sum _{k}\tau ''_{[k]}* (M_{[k]}*V + W + R_{[k]}^{2}) ) \nonumber \\&\qquad * ( \rho + \sum _{k} \rho '_{[k]}*R_{[k]} + \rho '' *V + \rho '''*W ) + \hat{M} * V + W) = 0 \end{aligned}$$
(1)
$$\begin{aligned} \wedge \quad&\rho + \sum _{k} \rho '_{[k]}*R_{[k]} + \rho '' * V + \rho '''*W \nonumber \\&- ( \tau + \sum _{k} \tau '_{[k]}*R_{[k]} + \sum _{k}\tau ''_{[k]}* (M_{[k]}*V + W + R_{[k]}^{2}) ) = 0 \end{aligned}$$
(2)
$$\begin{aligned} \wedge \quad&\forall k. \, \hat{M} - M_{[k]} \ne 0 \end{aligned}$$
(3)

where \(\hat{M}\) is defined as

$$ \hat{M} = \mu + \sum _{k} \mu '_{[k]}*R_{[k]} + \sum _{k}\mu ''_{[k]}* (M_{[k]}*V + W + R_{[k]}^{2}). $$

Instead of immediately simplifying everything using the equivalences in Fig. 5, we first apply the rule [coeff-1] where \(\mathcal {M}= R_{[i]}^2\) and \(\mathcal {E}\) is the left-hand side of Eq. (2). After simplifying the resulting \(\mathsf {Coeff}\) expressions (see Example 4), we get the new equation \(\forall i. -\tau ''_{[i]} = 0\). Our Gröbner Basis simplification replaces every occurrence of \(\tau ''_{[i]}\) by 0. This results in the following new constraint:

$$\begin{aligned}&\gamma + \sum _{k} \gamma '_{[k]}*R_{[k]} + \sum _{k}\gamma ''_{[k]}* (M_{[k]}*V + W + R_{[k]}^{2}) \nonumber \\&- ( ( \tau + \sum _{k} \tau '_{[k]}*R_{[k]}) *( \rho + \sum _{k} \rho '_{[k]}*R_{[k]} + \rho '' *V + \rho '''*W ) \nonumber \\&\qquad + \hat{M} * V + W) = 0 \end{aligned}$$
(1)
$$\begin{aligned} \wedge \quad&\rho + \sum _{k} \rho '_{[k]}*R_{[k]} + \rho '' * V + \rho '''*W - ( \tau + \sum _{k} \tau '_{[k]}*R_{[k]}) = 0 \end{aligned}$$
(2)
$$\begin{aligned} \wedge \quad&\forall k. \, \hat{M} - M_{[k]} \ne 0 \end{aligned}$$
(3)
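
The [coeff-1] step just performed (reading off the coefficient of a monomial such as \(R_{[i]}^2\) in Eq. (2) and then substituting \(\tau ''_{[i]} = 0\)) can be reproduced mechanically, and the same rule drives the remaining steps of this section. The following Python is an added example written for this section; it is not code from the paper or from the \(\mathsf {gga}^{\infty }\) tool. It assumes a bounded instantiation with q = 2 signing queries (the paper's argument is unbounded), treats the adversary's parameters and the group variables as symbols of one integer polynomial ring, and implements [coeff-1] as a filter on monomials; the substitution of \(\tau ''_{[i]}\) by 0 is modelled by dropping terms, not by a Gröbner basis computation.

```python
# Added example: a minimal polynomial ring plus the [coeff-1] rule, applied to
# Eq. (2) of the winning constraints for the scheme of Fig. 1 with q = 2 queries.
from collections import defaultdict
from itertools import product


class Poly:
    """Multivariate polynomial with integer coefficients.

    terms maps a monomial to its coefficient; a monomial is a sorted tuple of
    (symbol, exponent) pairs, the constant monomial being the empty tuple.
    """

    def __init__(self, terms=None):
        self.terms = {m: c for m, c in (terms or {}).items() if c != 0}

    @staticmethod
    def var(name):
        return Poly({((name, 1),): 1})

    @staticmethod
    def lift(x):
        return x if isinstance(x, Poly) else Poly({(): x})

    def __add__(self, other):
        out = defaultdict(int)
        for m, c in list(self.terms.items()) + list(Poly.lift(other).terms.items()):
            out[m] += c
        return Poly(out)

    __radd__ = __add__

    def __neg__(self):
        return Poly({m: -c for m, c in self.terms.items()})

    def __sub__(self, other):
        return self + (-Poly.lift(other))

    def __rsub__(self, other):
        return Poly.lift(other) - self

    def __mul__(self, other):
        out = defaultdict(int)
        for (m1, c1), (m2, c2) in product(self.terms.items(), Poly.lift(other).terms.items()):
            exps = defaultdict(int)
            for s, e in m1 + m2:
                exps[s] += e
            out[tuple(sorted(exps.items()))] += c1 * c2
        return Poly(out)

    __rmul__ = __mul__

    def __eq__(self, other):
        return self.terms == Poly.lift(other).terms

    def __repr__(self):
        if not self.terms:
            return "0"
        return " + ".join(
            (f"{c}*" + "*".join(f"{s}^{e}" if e > 1 else s for s, e in m)) if m else str(c)
            for m, c in sorted(self.terms.items())
        )


def coeff(expr, mono, variables):
    """[coeff-1]: coefficient of the variable-monomial `mono` in `expr`, viewed as a
    polynomial in `variables` whose coefficients are polynomials in the parameters."""
    (target,) = mono.terms  # `mono` must be a single monomial with coefficient 1
    out = Poly()
    for m, c in expr.terms.items():
        var_part = tuple((s, e) for s, e in m if s in variables)
        par_part = tuple((s, e) for s, e in m if s not in variables)
        if var_part == target:
            out = out + Poly({par_part: c})
    return out


def subst_zero(expr, symbols):
    """Drop every term containing one of `symbols` (the effect of replacing tau''_[i] by 0)."""
    return Poly({m: c for m, c in expr.terms.items() if not any(s in symbols for s, _ in m)})


Q = 2  # assumption: a bounded instantiation with two signing queries
R = {k: Poly.var(f"R{k}") for k in range(1, Q + 1)}
M = {k: Poly.var(f"M{k}") for k in range(1, Q + 1)}
V, W = Poly.var("V"), Poly.var("W")
VARIABLES = {"V", "W"} | {f"R{k}" for k in R} | {f"M{k}" for k in M}

# Adversary parameters, named after the paper's tau, tau', tau'', rho, rho', rho'', rho'''.
tau, rho = Poly.var("tau"), Poly.var("rho")
tau1 = {k: Poly.var(f"tau'_{k}") for k in R}
tau2 = {k: Poly.var(f"tau''_{k}") for k in R}
rho1 = {k: Poly.var(f"rho'_{k}") for k in R}
rho2, rho3 = Poly.var("rho''"), Poly.var("rho'''")


def signature_part(k):
    """Polynomial of the k-th signature handle: M_[k]*V + W + R_[k]^2."""
    return M[k] * V + W + R[k] * R[k]


def eq2():
    """Left-hand side of Eq. (2): rho-combination minus tau-combination."""
    lhs = rho + sum((rho1[k] * R[k] for k in R), Poly()) + rho2 * V + rho3 * W
    rhs = tau + sum((tau1[k] * R[k] for k in R), Poly())
    rhs = rhs + sum((tau2[k] * signature_part(k) for k in R), Poly())
    return lhs - rhs


def coeff_of_R_squared(k):
    """[coeff-1] with M = R_[k]^2 on Eq. (2); the paper derives -tau''_[k] = 0 from it."""
    return coeff(eq2(), R[k] * R[k], VARIABLES)


if __name__ == "__main__":
    e2 = eq2()
    print("Coeff(R1^2, Eq.2) =", coeff_of_R_squared(1))
    print("Coeff(W,    Eq.2) =", coeff(e2, W, VARIABLES))
    simplified = subst_zero(e2, {f"tau''_{k}" for k in R})
    print("after tau'' := 0, Coeff(W, Eq.2) =", coeff(simplified, W, VARIABLES))
```

Running the script prints the coefficient of \(R_1^2\) as \(-\tau ''_{[1]}\), the coefficient of \(W\) as \(\rho ''' - \tau ''_{[1]} - \tau ''_{[2]}\), and, after the substitution, \(\rho '''\) alone; the remaining coefficient equations of Eq. (2) are obtained by calling `coeff` with the monomials \(1\), \(R_{[k]}\), \(V\) and \(M_{[k]}V\).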

Now we apply the rule [coeff-1] with \(\mathcal {E}\) the left-hand side of Eq. (2), for different monomials \(\mathcal {M}\), and obtain the following new equations:

These equations allow us to eliminate Eq. (2), and our Gröbner Basis simplification yields:

$$\begin{aligned}&\gamma + \sum _{k} \gamma '_{[k]}*R_{[k]} + \sum _{k}\gamma ''_{[k]}* (M_{[k]}*V + R_{[k]}^{2} + W) \nonumber \\&- ( \tau ^2 + (2\sum _{k} \tau * \tau '_{[k]}*R_{[k]}) + \sum _{k,k'\notin \{k\}} \tau '_{[k]}*\tau '_{[k']}*R_{[k]}*R_{[k']} \nonumber \\&\qquad + \sum _{k} \tau '^{2}_{[k]}*R_{[k]}^2 + \hat{M} * V + W) = 0 \end{aligned}$$
(1)
$$\begin{aligned} \wedge \quad&\forall k. \, \hat{M} - M_{[k]} \ne 0 \end{aligned}$$
(2)

We now apply the rule [coeff-1] where \(\mathcal {E}\) is the expression in Eq. (1), obtaining the following new equations:

$$\begin{aligned}&\wedge \quad \sum _{k} \gamma ''_{[k]} - 1 = 0&\text {for } \mathcal {M}= W \end{aligned}$$
(3)
$$\begin{aligned}&\wedge \quad \forall k. \, \gamma ''_{[k]} - \tau '^{2}_{[k]} = 0&\text {for } \mathcal {M}= R_{[k]}^2 \end{aligned}$$
(4)
$$\begin{aligned}&\wedge \quad \forall k. \, \forall k' \notin \{k\}.\, 2*\tau '_{[k]}*\tau '_{[k']} = 0&\text {for } \mathcal {M}= R_{[k]}R_{[k']} \end{aligned}$$
(5)

Then, we apply the rule [dist-4] with \(K = \emptyset \) to perform a case distinction on the parameter \(\tau '\):

$$\begin{aligned}&\quad \forall k. \, \tau '_{[k]} = 0 \wedge \varGamma&\text {(case 1)}\\ \vee&\quad \exists k^{*}. \, \tau '_{[k^{*}]} \ne 0 \wedge \varGamma&\text {(case 2)} \end{aligned}$$

Here, \(\varGamma \) represents the conjunction of our previous five equations. In case 1, the Gröbner Basis simplification results in the system

$$\begin{aligned}&\gamma + \sum _{k} \gamma '_{[k]}*R_{[k]} - \tau ^2 - \hat{M} * V - W = 0 \end{aligned}$$
(1)
$$\begin{aligned} \wedge \quad&\forall k. \, \hat{M} - M_{[k]} \ne 0 \end{aligned}$$
(2)
$$\begin{aligned} \wedge \quad&- 1 = 0 \end{aligned}$$
(3)

which simplifies to \(\bot \) after applying rule [false-1] to Eq. (3).

In case 2, Gröbner Basis simplification yields:

$$\begin{aligned} \exists k^{*}.&\nonumber \\&\gamma + \sum _{k} \gamma '_{[k]}*R_{[k]} + M_{[k^{*}]}*V - \tau ^{2} - 2 \tau R_{[k^{*}]} - \hat{M} * V = 0 \end{aligned}$$
(1)
$$\begin{aligned} \wedge \quad&\forall k. \, \hat{M} - M_{[k]} \ne 0 \end{aligned}$$
(2)

We apply the rule [coeff-1] with \(\mathcal {E}\) the left-hand side of Eq. (1) and different monomials \(\mathcal {M}\), obtaining:

After simplifying the system, we obtain:

$$\begin{aligned}&M_{[k^{*}]}*V - \hat{M} * V = 0 \end{aligned}$$
(1)
$$\begin{aligned} \wedge \quad&\forall k. \, \hat{M} - M_{[k]} \ne 0 \end{aligned}$$
(2)

Applying the rule [dist-1] to Eq. (1) we obtain two cases:

$$ \begin{array}{ll} \exists k^{*}. &{} \\ &{} V = 0\\ \wedge \quad &{} \forall k. \, \hat{M} - M_{[k]} \ne 0 \end{array} \qquad \bigvee \qquad \begin{array}{ll} \exists k^{*}. &{} \\ &{} M_{[k^{*}]} - \hat{M} = 0\\ \wedge \quad &{} \forall k. \, \hat{M} - M_{[k]} \ne 0 \end{array} $$
$$ \text {(case 2.1)}\qquad \qquad \text {(case 2.2)} $$

In case 2.1, after applying [coeff-1] for \(\mathcal {M}= V\) to the first equation and simplifying, we obtain the equation \(1=0\) that reduces to \(\bot \) according to rule [false-1].

Finally, in case 2.2 we apply the rule [split-2] and we get the system:

$$\begin{aligned}&M_{[k^{*}]} - \hat{M} = 0 \\ \wedge \quad&\forall k\not \in \{k^{*}\}. \, \hat{M} - M_{[k]} \ne 0\\ \wedge \quad&\hat{M} - M_{[k^{*}]} \ne 0 \end{aligned}$$

Our Gröbner Basis simplification reduces it to

$$\begin{aligned}&0 \ne 0 \wedge (\forall k\not \in \{k^{*}\}. \, \hat{M} - M_{[k]} \ne 0) \end{aligned}$$

which reduces to \(\bot \) according to rule [false-2].

5 Implementation and Case Studies

We have implemented the described algorithm in the \(\mathsf {gga}^{\infty }\) tool (Footnote 3) and have evaluated its effectiveness and performance on cryptographic constructions from the literature (presented in Table 1) and automatically synthesized schemes (presented in Table 2). The source code is written in OCaml and uses the computer algebra system SAGE [40] for Gröbner Basis computations and the SMT solver Z3 [20] for checking the satisfiability of linear equations over the natural numbers. Although the code reproduces the algorithm as it is described in this paper, it also implements some optimizations and additional rules to derive contradictions, which will be further explained in the full version of this paper.

The tool takes an input file such as the one shown in Fig. 9 and performs a proof search using our constraint solving rules guided by a heuristic. If the search is successful, the tool returns a representation of the proof tree. To ensure termination, we establish a timeout of 1000 s.

Fig. 9. Input file for the Type III re-randomizable SPS scheme from Fig. 1

5.1 Case Studies

We analyze the security of cryptographic constructions from the literature and collect the results in Table 1. The first five entries do not require support for oracles that take handles and are therefore also in the scope of the tool presented in [11]. For the first four entries, both the tool from [11] and \(\mathsf {gga}^{\infty }\) prove unbounded security. For the fifth example, \(\mathsf {gga}^{\infty }\) succeeds, whereas the tool from [11] fails to find a proof.

Table 1. Case studies (last column denotes time for fully automated proof).

The remaining examples are all outside the scope of the tool from [11]. First, we analyze the Message Authentication Codes proposed in [18]. The authors propose two MACs (instead of public key signatures) as the basis for their anonymous credential system. One of them is proven secure in the Generic Group Model and the other under the decisional Diffie-Hellman (DDH) assumption. Our tool confirms the first proof and finds a proof in the Generic Group Model for the second construction (Footnote 4).

We also prove security for a number of structure-preserving signature schemes. First, we analyze the scheme proposed in [2] for bilinear groups of Type III.

Then, we analyze the re-randomizable scheme from [4] for Type II and Type III. Next, we prove \(\mathsf {sEUF}\)-\(\mathsf {CMA}\)security of the unified SPS signature scheme proposed in [5], which is secure in all three settings. We also prove \(\mathsf {EUF}\)-\(\mathsf {CMA}\) security of its re-randomizable version (randomization tokens are given to the adversary). Later, we analyze the translation of the scheme for Type III proposed in [19]. We also consider the Type II scheme from [12].

Finally, we analyze two instances of fully structure-preserving signature schemes proposed in [26].

To evaluate our tool on a wider range of examples, we also make use of the synthesis tool for structure-preserving signature schemes presented in [12]. We take the existing results for Type II from [12] and use our tool to analyze (unbounded) \(\mathsf {EUF}\)-\(\mathsf {CMA}\) security for all schemes where the tool from [12] succeeds in proving 2-\(\mathsf {EUF}\)-\(\mathsf {CMA}\) security. We also extend the synthesis tool to generate new schemes in Type III and apply our tool to those schemes that can be proven 2-\(\mathsf {EUF}\)-\(\mathsf {CMA}\) secure with the tool from [12]. The results for both Type II and Type III are summarized in Table 2. We classify the schemes into groups depending on the shape of the verification equations (first column). The column 2-secure gives the number of schemes in each group that are proven 2-\(\mathsf {EUF}\)-\(\mathsf {CMA}\) secure using the tool from [12], while the column \(\infty \)-secure gives the number of schemes in each group that are proven \(\mathsf {EUF}\)-\(\mathsf {CMA}\) secure using our tool (for all bounds that are polynomial in the security parameter).

Table 2. Synthesis results for SPS schemes in Type II and Type III with \(r,v,w \mathop {\leftarrow }\limits ^{\$}\mathbb {Z}_p\), verification keys \(V= g_1^v,W = g_1^w \in \mathbb {G}_{\mathsf{1}}\), message \(M=g_2^m\in \mathbb {G}_{\mathsf{2}}\) and signatures \(S_1=g_1^{s_1} \in \mathbb {G}_{\mathsf{1}}\), \(S_2=g_2^{s_2}, S_3=g_2^{s_3} \in \mathbb {G}_{\mathsf{2}}\).