key: cord-0061113-6zepmkwf
authors: Ghoshal, Ashrujit; Tessaro, Stefano
title: On the Memory-Tightness of Hashed ElGamal
date: 2020-03-25
journal: Advances in Cryptology - EUROCRYPT 2020
DOI: 10.1007/978-3-030-45724-2_2
sha: dc2f6eb2d3a7ca4266357c7396ea075685991fe4
doc_id: 61113
cord_uid: 6zepmkwf

We study the memory-tightness of security reductions in public-key cryptography, focusing in particular on Hashed ElGamal. We prove that any straightline (i.e., without rewinding) black-box reduction needs memory which grows linearly with the number of queries of the adversary it has access to, as long as this reduction treats the underlying group generically. This makes progress towards proving a conjecture by Auerbach et al. (CRYPTO 2017), and is also the first lower bound on memory-tightness for a concrete cryptographic scheme (as opposed to generalized reductions across security notions). Our proof relies on compression arguments in the generic group model.

Security proofs rely on reductions, i.e., they show how to transform an adversary A breaking a scheme into an adversary B solving some underlying assumed-tobe-hard problem. Generally, the reduction ought to be tight -the resources used by B, as well as the attained advantage, should be as close as possible to those of A. Indeed, the more resources B needs, or the smaller its advantage, the weaker the reduction becomes.

Auerbach et al. [2] were the first to explicitly point out that memory resources have been ignored in reductions, and that this leads to a loss of quality in security results. Indeed, it is conceivable that A's memory is naturally bounded (say, at most 2 64 bits), and the underlying problem is very sensitive to memory. For example, the best-known algorithm for discrete logarithms in a 4096-bit prime field runs in time (roughly) 2 156 using memory 2 80 . With less memory, the best algorithm is the generic one, requiring time Θ( √ p) ≈ 2 2048 . Therefore, if B also uses memory at most 2 64 , we can infer a larger lower bound on the necessary time complexity for A to break the scheme, compared to the case where B uses 2 100 bits instead.

What can be memory-tight? One should therefore target reductions that are memory-tight, i.e., the memory usage of B is similar to that of A. 1 The work of Auerbach et al. [2] , and its follow-up by Wang et al. [13] , pioneered the study of memory-tight reductions. In particular, and most relevant to this work, they show negative results (i.e., that certain reductions cannot be memory tight) using streaming lower bounds. Still, these lower bounds are tailored at general notions (e.g., single-to multichallenge reductions), and lower bounds follow from a natural connection with classical frequency problems on streams. This paper tackles the more ambitious question of proving impossibility of memory-tight reductions for concrete schemes, especially those based on algebraic structures. This was left as an open problem by prior works. [2] , we consider here the CCA-security of Hashed ElGamal. In its KEM variant, the scheme is based on a cyclic group G = g -the secret key sk is a random element from Z |G| , whereas the public key is pk = g sk . Then, encapsulation produces a ciphertext-key pair C ← g r , K ← H(pk r ).

for r ← Z |G| and a hash function H : G → {0, 1} . Decapsulation occurs by computing K ← H(C sk ).

The CCA-security of Hashed ElGamal in the random-oracle model was proved by Abdalla, Bellare, and Rogaway [1] based on the Strong Diffie-Hellman (SDH) assumption (also often called GapDH), and we briefly review the proof. 2 First, recall that in the SDH assumption, the attacker is asked to compute g uv from g u and g v , given additionally access to a decision oracle O v which on input h, y ∈ G, tells us whether h v = y.

The reduction sets the Hashed ElGamal public-key to pk = g v (setting implicitly sk = v), the challenge ciphertext to be C * = g u , and the corresponding key K * to be a random string. Then, it simulates both the random oracle and the decapsulation oracle to the adversary A (which is run on inputs pk, C * and K * ), until a random-oracle query for g uv is made (this can be detected using the O v oracle). The challenge is to simulate both oracles consistently: As the reduction cannot compute discrete logarithms, it uses the oracle O v to detect whether a random-oracle query X and a decapsulation query C i satisfy O v (C i , X) = true, and, if this is the case, answers them with the same value.

This reduction requires memory to store all prior decapsulation and randomoracle queries. Unlike other reductions, the problem here is not to store the random-oracle output values (which could be compressed using a PRF), but the actual inputs to these queries, which are under adversarial control. This motivates the conjecture that a reduction using little memory does not exist, but the main challenge is of course to prove this is indeed the case.

Our result, in summary. We provide a memory lower bound for reductions that are generic with respect to the underlying group G. Specifically, we show the existence of an (inefficient) adversary A in the generic group model (GGM) which breaks the CCA security of Hashed ElGamal via O(k) random oracle/decapsulation queries, but such that no reduction using less than k · λ bits of memory can break the SDH assumption even with access to A, where λ is the bit-size of the underlying group elements.

Our lower bound is strong in that it shows we do not even have a trade-off between advantage and memory, i.e., if the memory is smaller than k ·λ, then the advantage is very small, as long as the reduction makes a polynomial number of queries to O v and to the generic group oracle. It is however also important to discuss two limitations of our lower bound. The first one is that the reduction -which receives g, g v in the SDH game -uses pk = g v as the public key to the Hashed ElGamal adversary. The second one is that the reduction is straightline, i.e., it does not perform any rewinding.

We believe that our impossibility result would extend even when the reduction is not straightline. However, allowing for rewinding appears to be out of reach of our techniques. Nonetheless, we do conjecture a lower bound on the memory of Ω(k log k) bits, and discuss the reasoning behind our conjecture in detail in the full version.

We stress that our result applies to reductions in the GGM, but treats the adversary as a black box. This captures reductions which are black-box in their usage of the group and the adversary. (In particular, the reduction cannot see generic group queries made by the adversary, as in a GGM security proofs.) Looking at the GGM reduces the scope of our result. However, it is uncommon for reductions to depend on the specifics of the group, although our result can be bypassed for specific groups, e.g., if the group has a pairing.

Concurrent related work. Concurrently to our work, Bhattacharyya [4] provides memory-tight reductions of KEM-CCA security for variants of Hashed ElGamal. At first glance, the results seem to contradict ours. However, they are entirely complementary -for example, a first result shows a memory tight reduction for the KEM-CCA security of the "Cramer-Shoup" variant of Hashed ElGamal -this variant differs from the (classical) Hashed ElGamal we consider here and is less efficient. The second result shows a memory-tight reduction for the version considered in this paper, but assumes that the underlying group has a pairing. This is a good example showing our result can be bypassed for specific groups i.e. groups with pairings, but we also note that typical instantiations of the scheme are on elliptic curves for which no pairing exists.

We give a high-level overview of our techniques here. We believe some of these to be novel and of broader interest in providing other impossibility results.

The shuffling game. Our adversary against Hashed ElGamal 3 A first attempts to detect whether the reduction is using a sufficient amount of memory. The adversary A is given as input the public key g v , as well as g u , as well as a string C * ∈ {0, 1} , which is either a real encapsulation or a random string. It first samples k values i 1 , . . . , i k from Z p . It then:

(1) Asks for decapsulation queries for C j ← g ij , obtaining values K j , for j ∈ [k] (2) Picks a random permutation π :

After this, the adversary checks whether K j = H π(j) for all j ∈ [k], and if so, it continues its execution, breaking the ODH assumption (inefficiently). If not, it just outputs a random guess.

The intuition here is that no reduction using substantially less than k · log p bits succeeds in passing the above test -in particular, because the inputs C j and V j are (pseudo-)random, and thus incompressible. If the test does not pass, the adversary A is rendered useless, and thus not helpful to break SDH. Remark 1. The adversary here is described in a way that requires secret randomness, not known to the reduction, and it is easier to think of A in this way. We will address in the body how to generically make the adversary deterministic.

We stress that this adversary requires memory -it needs to remember the answers C 1 , . . . , C k . However, recall that we adopt a black-box approach to memory-tightness, where our requirement is that the reduction itself uses little memory, regardless of the memory used by the adversary. We also argue this is somewhat necessary -it is not clear how to design a reduction which adapts its memory usage to the adversary, even if given this information in a non-black-box manner. Also, we conjecture different (and much harder to analyze) memoryless adversaries exist enabling a separation. An example is multi-round variant, where each round omits (2), and (3) only asks a single query H(V j ) for a random j ←$ [k], and checks consistency. Intuitively, the chance of passing each round is roughly k log p/s, but we do not know how to make this formal.

Introducing the GGM. Our intuition is however false for an arbitrary group. For instance, if the discrete logarithm (DL) problem is easy in the group, then the reduction can simply simulate the random oracle via a PRF, as suggested in [2] . Ideally, we could prove that if the DL problem is hard in G, then any PPT reduction given access to A and with less than k · log p bits of memory fails to break SDH. 4 Unfortunately, it will be hard to capture a single hardness property of G sufficient for our proof to go through. Instead, we will model the group via the generic group model (GGM) [9, 11] : We model a group of prime order p defined via a random injection σ : Z p → L. An algorithm in the model typically has access to σ(1) (in lieu of g) and an evaluation oracle which on input a, b ∈ L returns σ(σ −1 (a) + σ −1 (b)). (We will keep writing g i instead of σ(i) in the introduction, for better legibility.)

The permutation game. In order to fool A, the reduction can learn information about π via the O v oracle. For example, it can try to input C j = g ij and V j = g vi π(j ) (both obtained from A's queries), and O v (C j , V j ) = true if and only if π(j ) = j. More generally, the reduction can compute, for any a = (a 1 , . . . , a k ) and b = (b 1 , . . . , b k ),

, which we write as b = π( a). We abstract this specific strategy in terms of an informationtheoretic game -which we refer to as the permutation game -which gives the adversary access to an oracle O which takes as inputs pairs of vectors ( a, b) from Z k p , and returns true iff b = π( a) for a secret permutation π. The goal of the adversary is to recover π.

Clearly, a strategy can win with O(k 2 ) oracle queries ( e i , e j ) for all i, j, where e i ∈ Z k p is the unit vector with a 1 in the i-th coordinate, and 0 elsewhere. This strategy requires in particular querying, in its first component, vectors which have rank k. Our first result will prove that this is necessary -namely, assume that an adversary makes a sequence of q queries ( x 1 , y 1 ), . . . , ( x q , y q ) such that the rank of x 1 , . . . , x p is at most , then the probability to win the permutation game is of the order O(q /k!). We will prove this via a compression argument.

Note that roughly, this bound tells us that to win with probability and q queries to the oracle, the attacker needs = Ω k log k − log(1/ ) log(q) .

A reduction to the permutation game. We will think of the execution of the reduction against our adversary as consisting of two stages -we refer to them as R 1 and R 2 . The former learns the decapsulation queries g i1 , . . . , g i k , whereas the latter learns the RO queries g i π(1) v , . . . , g i π(k) v , and (without loss of generality) attempts to guess the permutation π. We will lower bound the size of the state φ that R 1 passes on to R 2 . Both stages can issue O v and Eval queries. Note that non-trivial O v queries (i.e., those revealing some information about the permutation), are (except with very small probability) issued by R 2 , since no information about π is ever revealed to R 1 . As one of our two key steps, we will provide a reduction from the execution of R 1 , R 2 against A in the GGM to the permutation game -i.e., we build an adversary D for the latter game simulating the interaction between R 1 , R 2 and A, and such that R 1 , R 2 "fooling" A results in D guessing the permutation.

Memory vs. rank. The main question, however, is to understand the complexity of D in the permutation game, and in particular, the rank of the first component of its queries -as we have seen above, this affects its chance of winning the game.

To do this, we will take a slight detour, and specifically consider a set Z ⊆ L of labels (i.e., outputs of σ) that the reduction R 2 comes up with (as inputs to either of Eval or O v ) on its own (in the original execution), i.e., no earlier Eval query of R 2 returned them, and that have been previously learnt by R 1 as an output of its Eval queries. (The actual definition of Z is more subtle, and this is due to the ability of the adversary to come up with labels without knowing the corresponding pre-image.)

Then, we will show two statements about Z:

(i) On the one hand, we show that the rank of the oracle queries of the adversary D is upper bound by |Z| in its own simulation of the execution of R 1 , R 2 with A. (ii) On the other hand, via a compression argument, we prove that the size of Z is related to the length of φ, and this will give us our final upper bound. This latter statement is by itself not very surprising -one can look at the execution of R 2 , and clearly every label in Z that appears "magically" in the execution must be the result of storing them into the state φ. What makes this different from more standard compression arguments is the handling of the generic group model oracle (which admits non-trivial operations). In particular, our compression argument will compress the underlying map σ, and we will need to be able to figure out the pre-images of these labels in Z. We give a very detailed technical overview in the body explaining the main ideas.

Memory-Tight AGM Reduction. The Algebraic Group Model (AGM) was introduced in [8] . AGM reductions make strong extractability assumptions, and the question of their memory-tightness is an interesting one. In the full version we construct a reduction to the discrete logarithm problem that runs an adversary against the KEM-CCA security of Hashed ElGamal in the AGM such that the reduction is memory-tight but not tight with respect to advantage. We note that the model of our reduction is different than a (full-fledged) GGM reduction which is not black-box, in that it can observe the GGM queries made by the adversary. Our result does not imply any impossibility for these. In turn, AGM reductions are weaker, but our results do not imply anything about them, either.

In this section, we review the formal definition of the generic group model. We also state ODH and SDH as introduced in [1] in the generic group model.

Notation. Let N = {0, 1, 2, · · · } and, for k ∈ N, let [k] = {1, 2, · · · , k}. We denote by InjFunc(S 1 , S 2 ) the set of all injective function from S 1 to S 2 . We also let * denote a wildcard element. For example ∃t : (t, * ) ∈ T is true if the set T contains an ordered pair whose first element is t (the type of the wildcard element shall be clear from the context). Let S k denote the set of all permutations on [k] . We use f :

We shall use pseudocode descriptions of games inspired by the code-based framework of [3] . The output of a game is denoted using the symbol ⇒. In all games we assume the flag bad is set to false initially. In pseudocode, we denote random sampling using ←$ , assignment using ← and equality check using =. In games that output boolean values, we use the term"winning" the game to mean that the output of the game is true.

We also introduce some linear-algebra notation. Let S be a set vectors with equal number of coordinates. We denote the rank and the linear span of the vectors by rank(S) and span(S) respectively. Let x, y be vectors of dimension k. We denote z of dimension 2k which is the concatenation of x, y as z = ( x, y). We denote the element at index i of a vector x as x[i].

The generic group model [11] captures algorithms that do not use any special property of the encoding of the group elements, other than assuming every element of the group has a unique representation, and that the basic group operations are allowed. This model is useful in proving lower bounds for some problems, but we use it here to capture reductions that are not specific to the underlying group.

More formally, let the order of the group be a large prime p. Let Z p = {0, 1, 2, · · · , p − 1}. Let L ⊂ {0, 1} * be a set of size p, called the set of labels. Let σ be a random injective mapping from Z p to L. The idea is that now every group element in Z p is represented by a label in L. An algorithm in this model takes as input σ(1), σ(x 1 ), σ(x 2 ), · · · , σ(x n ) for some x 1 , · · · , x n ∈ Z p (and possibly other inputs which are not group elements). The algorithm also has access to an oracle named Eval which takes as input two labels a, b ∈ L and returns c = σ(σ −1 (a) + σ −1 (b)). Note that for any d, given σ(x i ), σ(d · x i ) can be computed using O(log d) queries to Eval. We denote this operation as Exp(σ(x i ), d). We assume that all labels queried by algorithms in the generic group model are valid i.e. all labels queried by algorithms in the generic group model are in L. 5 Oracle Diffie-Hellman assumption (ODH). We first formalize the Oracle Diffie-Hellman Assumption (ODH) [1] , which we are going to use in lieu of the CCA security of Hashed ElGamal. Suppose, a group has generator g and order p. The domain of hash function H is all finite strings and range is {0, 1} hLen .

The assumption roughly states for u, v ←$ Z p , W ←$ {0, 1} hLen , the distributions (g u , g v , H(g uv )) and (g u , g v , W ) are indistinguishable to an adversary who has access to the oracle H v where H v (g x ) returns H(g xv ) with the restriction that it is not queried on g u . Strong Diffie-Hellman Assumption (SDH). This is a stronger version of the classical CDH assumption. This assumption roughly states that CDH is hard

We formally define the game G SDH-GG in the generic group model in Fig. 1 . The advantage of violating SDH is defined as

Note in particular that one can upper bound this advantage unconditionally. We shall drop the L from the subscript of advantages and games henceforth since the set of labels L remains the same throughout our paper.

Black Box reductions in the GGM. We consider black-box reductions in the generic group model. We will limit ourselves to an informal description, but this can easily be formalized within existing formal frameworks for reductions (see e.g. [10] ). We let the reduction R access an adversary A, and denote by R A the resulting algorithm -understood here is that R supplies inputs, answers queries, etc. In addition, we let R and A access the Eval oracle available in the GGM. We stress that the GGM oracle is not under the reduction's control heretypically, the reduction itself will break a (hard) problem in the GGM with help of A. We will allow (for simplicity) A to be run depending on some secret private coins 6 not accessible by R. Reductions can run A several times (with fresh private coins). We call a reduction straigthline if it only runs A once. In our case, the reduction R will be playing G SDH-GG p,hLen . It receives as inputs σ(1), U = σ(u), V = σ(v), and has access to the Eval, O v oracles, as well as an adversary A for G ODH-REAL-GG p,hLen or G ODH-RAND-GG p,hLen . The reduction needs therefore to supply inputs (σ(1), U , V , W ) to A, and to answer its queries to the oracles H v , as well as queries to H. We will call such a reduction restricted if it is straightline and V = V .

In our lower bound proof we use the compression lemma that was formalized in [7] which roughly means that it is impossible to compress every element in a set with cardinality c to a string less than log c bits long, even relative to a random string. We state the compression lemma here as a proposition.

Encode : X × R → Y and a (not necessarily efficient) decoding procedure

then log |Y| log |X | − log(1/ ).

Let p(X 1 , · · · , X n ) be a n variate polynomial. We denote by p(x 1 , · · · , x n ) the evaluation of p at the point (x 1 , · · · , x n ) throughout the paper. The polynomial ring in variables X 1 , · · · , X n over the field Z p is denoted by Z p [X 1 , · · · , X n ].

A key-encapsulation mechanism (KEM) consists of three probabilistic polynomial time (PPT) algorithms Gen, Encap, Decap. The key generation algorithm Gen is probabilistic and outputs a key-pair (pk, sk). The encapsulation algorithm Encap is a probabilistic algorithm that takes pk as input and outputs a ciphertext c and a key K where K ∈ K for some non-empty set K. The decapsulation algorithm Decap is a deterministic algorithm that takes as input the secret key sk and a ciphertext c outputs a key K ∈ K if (sk, c) is a valid secret keyciphertext pair and ⊥ otherwise. For correctness, it is required that for all pairs (pk, sk) output by Gen, if (K, c) is output by Encap(pk) then K is the output of Decap(sk, c).

Single challenge KEM-CCA security. The single challenge CCA security of a KEM is defined by a pair of games called G KEM-CCA-REAL , G KEM-CCA-RAND . In both games a (pk, sk) pair is generated by Gen, and (c, K) is output by the encapsulation algorithm Encap on input pk. The adversary is provided with (pk, c, K) in G KEM-CCA-REAL and with (pk, c, K ) in G KEM-CCA-RAND where K is a randomly sampled element of K. The adversary has access to the decapsulation oracle with sk as the secret key and it can make decapsulation queries on any ciphertext except the ciphertext c and has to output a bit. We define the advantage of violating single challenge KEM-CCA security is defined as the absolute value of the difference of probabilities of the adversary outputting 1 in the two games. A KEM is single challenge CCA-secure if for all non-uniform PPT adversaries the advantage of violating single challenge KEM-CCA security is negligible. 

In this section, we prove a memory lower bound for restricted black-box reductions from ODH to SDH. We stress that the restricted reduction has access only to the H, H v queries of the adversary. As discussed above, the ODH assumption is equivalent to the single-challenge KEM-CCA security of Hashed ElGamal, this proves a memory lower-bound for (restricted) black-box reductions of single challenge KEM-CCA security of Hashed ElGamal to the SDH assumption. 

This result implies that if Adv SDH-GG p,hLen (R A ) is non-negligible for a reduction R making q queries where q is a polynomial in log p, then s = Ω(k log p) i.e. the memory required by any restricted black-box reduction grows with the number of queries by A. Hence, there does not exist any efficient restricted black-box reduction from ODH to SDH that is memory-tight.

In the full version, we discuss how rewinding can slightly improve the memory complexity to (roughly) O(k log k), with heavy computational cost (essentially, one rewinding per oracle query of the adversary). We conjecture this to be optimal, but a proof seems to evade current techniques.

De-randomization. Before we turn to the proof -which also connects several technical lemmas presented across the next sections, let us discuss some aspects of the results. As explained above, our model allows for the adversary A to be run with randomness unknown to R. This aspect may be controversial, but we note that there is a generic way for A to be made deterministic. Recall that A must be inefficient for the separation to even hold true. For example, A can use the injection σ from the generic group model to generate its random coin -say, using σ −1 (a i ) as coins a priori fixed labels a 1 , a 2 , . . .. It is a standardalbeit tedious and omitted -argument to show that unless the reduction ends up querying the pre-images (which happens with negligible probability only), the σ −1 (a i )'s are good random coins.

Strengthening beyond SDH. We would like to note that our result can be strengthened without much effort to a reduction between ODH and a more general version of SDH. Informally, we can extend our result to every problem which is hard in the generic group model in presence of an O v oracle. For example, this could be a problem where given g, g u , and g v , the attacker needs to output g f (u,v) , where f is (a fixed) two-variate polynomial with degree at least 2. We do not include the proof for the strengthened version for simplicity. However, it appears much harder to extend our result to different types of oracles than O v , as our proof is tailored at this oracle.

Proof. Here, we give the overall structure, the key lemmas, and how they are combined -quantitatively -to obtain the final result.

First off, Lemma 1 establishes that there exists an adversary A such that Adv ODH-GG p,hLen (A) is close to 1, which we will fix (i.e., when we refer to A, we refer to the one guaranteed to exist by the lemma). The proof of Lemma 1 is in Sect. 4.1 and the proof of Lemma 2 is in Sect. 4.2. A and a function 1 (p, hLen) such that is negligible in log p, hLen, and Adv ODH-GG p,hLen (A) = 1 − 1 (p, hLen). After that, we introduce a game, called G 1 and described in Fig. 3 in Sect. 4.2. Very informally, this is a game played by a two-stage adversary R 1 , R 2 which can pass a state to each other of size s bits and have access to the Eval, O v oracles. The game captures the essence of the reduction R the adversary A of having a sufficient amount of memory. This is made formal in Lemma 2, where we show that the probability of the reduction R winning the SDH-GG game while running A is bounded by the probability of winning G 1 . 

We introduce Games G 2 , G 3 in Fig. 4 in Sect. 4.2. These games are identical to G 1 except for the condition to output true. The condition to output true in these games are disjoint and the disjunction of the two conditions is equivalent to the condition to output true in G 1 . A little more specifically, both games depend on a parameter l, which can be set arbitrarily, and in G 3 and G 2 the winning condition of G 1 is strengthened by additional ensuring that a certain set defined during the execution of the game is smaller or larger than l, respectively. Therefore, tautologically,

We now prove the following two lemmas below, in Sects. 4 

We let,

Setting c = log q log k and l = k 4c , q l k! k k/4 k! . By Sterling's approximation k! k k+1/2 e −k . Therefore,

where c = 4 log q log k . Assuming q k (and thus q > e 4 > 2), we get,

In this section, we construct the ODH adversary A needed for the proof.

Adv ODH-GG p,hLen (A) = 1 − 1 (p, hLen).

The adversary A is formally defined in Fig. 2 . The proof of Lemma 1 itself is deferred to the full version. Adversary A samples i 1 , · · · , i k from Z p , and computes σ(i j ), σ(i j · v) for all j in , H v (σ(i j )) = H(σ(i j ·v)), A computes the discrete logarithm of V outputs the correct answer. Otherwise it returns a bit uniformly at random. Note that A is inefficient, but only if it is satisfied from the responses it gets from the reduction using it.

The Game G 1 . We first introduce the two-stage game G 1 played by a pair of adversaries R 1 and R 2 . (With some foresight, these are going to be two stages of the reduction.) It is formally described in Fig. 3 . Game G 1 involves sampling σ, i 1 , · · · , i k , v from Z p , then running R 1 , followed by sampling permutation π from S k and then running R 2 . The first stage R 1 has inputs σ(i 1 ), · · · , σ(i k ) and it outputs a state φ of s bits along with k strings in {0, 1} hLen . The second stage R 2 has inputs φ, σ(i π(1) · v), · · · , σ(i π(k) · v) and it outputs k strings in {0, 1} hLen . Both the stages R 1 , R 2 have access to oracles Eval, O v . Game G 1 outputs true if all the k strings output by R 1 are distinct, and if all the k strings output by R 2 are distinct, and if for all j ∈ [k], the j th string output by R 2 is identical to the π(j) th string output by R 1 . Additionally, G 1 involves some bookkeeping. The Eval, O v oracles in G 1 take an extra parameter named from as input which indicates whether the query was from R 1 or R 2 . Fig. 3 . Game G1. We use the phrase R1, R2 win G1 to mean G1 ⇒ true. We shall use this convention for all games in the paper that output boolean values.

We introduce the phrase "seen by" before describing the bookkeeping. A label has been "seen by" R 1 if it was an input to R 1 , queried by R 1 or an answer to a previously made Eval(., ., 1) query. A label has been "seen by" R 2 if it was an input to R 2 , queried by R 2 or an answer to a previously made Eval(., ., 2) query. We describe the sets X , Y 1 , Y 2 , Z which are used for bookkeeping in G 1 .

-The labels in X are answers to Eval(., ., 1) queries such that it has not yet been "seen by" R 1 before the query. -Y 1 contains all the labels that are input to R 1 , queried by R 1 or answers to Eval(., ., 1) queries i.e. it is the set of labels "seen by" R 1 . -Y 2 contains all the labels that are input to R 2 , queried by R 1 or answers to Eval(., ., 2) queries i.e. it is the set of labels "seen by" R 2 . -All labels in Z are queried by R 2 and have not been "seen by" R 2 before the query and are in X

The following lemma tells us that we can (somewhat straightforwardly) take a reduction as in the theorem statement, and transform it into an equivalent pair R 1 , R 2 of adversaries for G 1 . The point here is that the reduction is very unlikely to succeed in breaking the SDH assumption without doing an effort equivalent to winning G 1 to get A's help -otherwise, it is left with breaking SDH directly in the generic group model, which is hard. The proof is deferred to the full version. 

The Games G 2 and G 3 . In Fig. 4 we define G 2 , G 3 which have an added check on the cardinality of Z to output true. Everything else remains unchanged (in particular Eval, O v are unchanged from G 1 and we do not specify them again here). The statement within the thinner box is present only in G 3 and statement within the thicker box is present only in G 2 . The changes from G 1 have been highlighted. We shall follow these conventions of using boxes and highlighting throughout the paper. The games G 2 , G 3 are identical to G 1 except for the condition to output true. Since this disjunction of the conditions to output true in G 2 , G 3 is equivalent to the condition to output true in G 1 , and the conditions to output true in G 2 , G 3 are disjoint, we have,

Recall we are going to prove the following lemma. We introduce a new game -called the permutation game and denoted PGin order to upper bound Pr [G 2 ⇒ true]. In the rest of this proof, we are going to first define the game, and upper bound the winning probability of an adversary. Then, we are going to reduce an adversary for G 2 to one for PG.

The Permutation Game. In Game PG, an adversary has to guess a randomly sampled permutation π over [k]. The adversary has access to an oracle that takes as input two vectors of length k and returns true if the elements of the first vector, when permuted using π, results in the second vector and false otherwise. Figure 5 formally describes the game PG.

In the following, we say an adversary playing PG is a (q, l)-query adversary if it makes at most q queries to O, and the rank of the vectors that were the first argument to the O queries returning true is at most l.

The following lemma -which we prove via a compression argument -yields an upper bound on the probability of winning the game for a (q, l)-query adversary.

For a (q, l)-query adversary A playing PG the following is true.

Proof. We construct an encoding of π by running adversary A. In order to run A, all the O queries need to be correctly answered. This can be naively done by storing the sequence number of queries whose answers are true. In fact, of all such queries, we need to just store the sequence number of just those whose first argument is not in the linear span of vectors which were the first argument of previous such queries i.e. we store the sequence number of only those O queries returning true whose first argument form a basis of the first argument of all O queries returning true. This approach works because for every vector x, there is only a unique vector y such that O( x, y) = 1. The random tape of the adversary can be derived using the common randomness of Encode, Decode and hence the adversary produces identical queries and output. For simplicity, we do not specify this explicitly in the algorithms and treat A as deterministic.

The formal description of the algorithms Encode, Decode are in Fig. 6 .

Observe that S is a basis of vectors x such that O( x, y) = true. Note that for an O( x, y) query returning true, if x ∈ S then the sequence number of the query is stored in enc. Therefore, ( x, y) ∈ S in Decode. Again, for an O( x, y) query returning true, if x ∈ S then the sequence number of the query is not stored in enc and therefore ( x, y) ∈ S . So, for an O( x, y) query returning true, The encoding is a set of |S| query sequence numbers. Since there are at most q queries, the encoding space is at most q |S| . Using X to be the set S k , Y to be the set of all possible encodings, R to be the set of random tapes of A, it follows from Proposition 1 that,

Since the simulation of O( x, y) is perfect in Decode, decoding is successful if PG(A) ⇒ true. Therefore,

Since A is a (q, l)-query adversary, |S| l. Thus, we have, Reduction to PG. We next show that the Pr [G 2 ⇒ true] is upper bounded in terms of the probability of a (q, l)-query adversary winning the game PG.

There exists a (q, l)-query adversary D against the permutation game PG such that

Proof. We transform R 1 , R 2 playing G 2 to an adversary D playing the game PG through a sequence of intermediate games and use the upper bound on the probability of winning the game PG established previously to prove an upper bound on Pr [G 2 ⇒ true]. In order to make the pseudocode for subsequent games compact we define the two subroutines PopulateSetsEval, PopulateSetsO v and invoke them from Eval, O v . The subroutines PopulateSetsEval, PopulateSetsO v are formally described in Fig. 7 .

The game G 4 . We next describe game G 4 where we introduce some additional bookkeeping. In G 4 , every valid label that is an input to R 1 , R 2 or queried by R 1 , R 2 or an answer to a query of R 1 , R 2 , is mapped to a polynomial in Z p [I 1 , · · · , I k , V, T 1 , · · · , T 2q ] where q is the total number of Eval, O v queries made by R 1 , R 2 . The polynomial associated with label a is denoted by p a . Similarly, we define Λ to be a mapping from polynomials to labels. For all labels a ∈ L, Λ(p a ) = a. The mapping from labels to polynomials is done such that for every label a mapped to p a , σ −1 (a) = p a (i 1 , · · · , i k , v, t 1 , · · · , t 2q ).

For compactness, let us denote (i 1 , · · · , i k , v, t 1 , · · · , t 2q ) by i. Before running

, · · · , p σ(i k ·v) are assigned polynomials 1, V, I 1 , · · · , I k , I 1 V, · · · , I k V respectively and for all other labels a ∈ L, p a = ⊥.

The function Λ is defined accordingly. For labels a queried by R 1 , R 2 that have not been previously mapped to any polynomial (i.e. p a = ⊥), p a is assigned T new (new starting from 1 and being incremented for every such label queried), the variable t new is assigned the pre-image of the label and Λ(T new ) is assigned a.

Since there are q queries (each with two inputs), there can be at most 2q labels that had not previously been mapped to any polynomial. Hence, the polynomials have variables I 1 , · · · , I k , V, T 1 , · · · , T 2q .

For an Eval(a, b, .) query where c = σ(σ −1 (a) + σ −1 (b)), let p = p a + p b . From the definition of p, we have that p ( i) = σ −1 (a) + σ −1 (b). If Λ(p ) = ⊥, then by definition of Λ, we have Λ(p ) = c. If Λ(p ) = ⊥, then exactly one of the following two must be true.

1. The label c has been mapped to a polynomial which is different from p . In this case p c ( i) = p ( i) and Λ(p ) is assigned c. 2. The label c has not been mapped to any polynomial. In this case, p c is assigned p and Λ(p ) is assigned c.

The label Λ(p ) is returned as the answer of the Eval query. Note that the output of Eval is c = σ(σ −1 (a) + σ −1 (b)) in all cases, i.e. it is the same as the output of Eval in G 2 .

For an O v (a, b, . ) query, we first assign the boolean value V p a = p b to ans. Note that if ans is true, then v · σ −1 (a) = σ −1 (b). However, we might have that v · σ −1 (a) = σ −1 (b) and V p a = p b . When this happens, the boolean value v(p a ( i) = p b ( i)) is assigned to ans. Oracle O v returns ans. From the definition of p, it follows that the value returned by

is the same as the output of O v in G 2 . Figure 8 formally describes G 4 . The changes in G 4 compared to G 2 have been highlighted. We have already pointed out that the outputs of O v , Eval in G 4 are identical to those in G 2 . Since the other changes involve only additional bookkeeping, the outputs of G 2 , G 4 are identical. Therefore

The game G 11 .We introduce a new game named G 11 in Fig. 9 . Initially, for all polynomials p, Λ(p) = ⊥. In this game Λ(1), Λ(V ), Λ(I j )'s, and Λ(V I j )'s are assigned distinct labels sampled from L. Adversary R 1 is run with input labels Λ(1), Λ(V ), Λ(I 1 ), · · · , Λ(I k ) and R 2 has input labels Λ(1), Λ(V ), Λ(I π(1) · V ), · · · , Λ(I π(k) · V ). The bookkeeping is identical to that in G 4 . Observe from the pseudocode that the mapping Λ is injective in this game and hence Λ −1 is well defined. For every Eval or O v query, if for the input label l, Λ −1 (l) is ⊥, then l is assigned to Λ(T new ). For every such input label, new is incremented. For an Eval(a, b, .) 

is returned as answer. For O v (a, b, .) , query true is returned iff V Λ −1 (a) and Λ −1 (b) are the same polynomials.

We 

The proof of Lemma 7 has been deferred to the full version.

The Adversary D. Next, we construct the adversary D that plays PG by simulating G 11 to R 1 , R 2 , where the permutation π is the secret permutation The sets S and Z have no effect on the behavior, and are only used in the analysis of D. The symbol ABORT indicates that D aborts and outputs ⊥.

from PG. As we will discuss below, the core of the adversary D will boil down to properly simulating the O v oracle using the O oracle from PG and simulating the labels σ(i π(j) ) (and the associated polynomials) correctly without knowing π. After a correct simulation, D will simply extract the permutation π. To see how this can be done, let us first have a closer look at G 11 . Let us introduce the shorthand K j = V I π(j) for j ∈ [k]. With this notation, every polynomial input to or output from Eval is a linear combination of the monomials 1, I 1 , . . . , I k , V, K 1 , . . . , K k , T 1 , T 2 , . . . . Now, it is convenient to slightly rethink the check of whether V p a = p b within O v with this notation. First off, we observe that if either of the polynomial contains a monomial of the form T i , the check fails. In fact, it is immediately clear that the check can only possibly succeed is if p a is a linear combination of 1 and the I j 's and p b is a linear combination of V and the K j 's. Now, assume that p a (I 1 , . . . , This leads naturally to the adversary D, which we formally describe in Fig. 11 . The adversary will simply sample labels f 1 , . . . , f k for σ(v · i π(1) ), . . . , σ(v · i π(k) ), and associate with them polynomials in the variables K 1 , . . . , K j . Other than that, it simulates the game G 11 , with the exception that the check V · p a = p b is not implemented using the above approach -summarized in Fig. 10 . Note that D aborts when |S| = l and makes at most q queries to O. Thus D is a-query adversary against PG. If D does not abort, then its simulation of G 11 is perfect. If G 11 ⇒ true and D does not abort, then win shall be true and D will output the correct π.

The rest of the proof will now require proving that whenever G 11 outputs true our adversary D will never abort due to the check |S| = l. Since G 11 ⇒ true only if |Z| < l, the following lemma implies that D does not abort if G 11 ⇒ true.

Let ( x 1 , y 1 ), · · · , ( x u , y u ) be the queries made by D to O which return true. Then,

The proof of Lemma 8 has been deferred to the full version.

We have established that if G 11 outputs true, then D will not abort and hence D simulates G 11 to R 1 , R 2 perfectly. If win = true in G 11 , the checks by D succeed and D outputs the correct permutation and wins PG. Therefore, D is a (q, l)-query adversary such that PG(D) ⇒ true if G 11 ⇒ true. Hence,

Combining Lemma 7 and (4), (5) we get,

Combining (3) and (6), we get, 

Recall that we need to prove the following lemma, which we do by using a compression argument.

G 12 , G 13 and given that bad is not set to true, G 13 returns true whenever G 12 returns true. Therefore,

It is not hard to show (details in the full version) that the probability of bad being set to true in RestrictedSample is at most k 2 +k+2 p . Since in G 13 bad is set only in RestrictedSample, the probability of bad being set to true is the same. Hence, we get,

The compression argument. We assume Pr [G 13 ⇒ true] = 2 . We say a σ is "good" in G 13 if Pr G 13 ⇒ true σ was sampled in G 13 .

It follows from Markov's inequality that at least fraction of σ's are "good".

The following lemma captures the essence of our compression argument.

If the state output by R 1 has size s bits, all the "good" σ's can be encoded in an encoding space of size at most

and decoded correctly with probability .

We next give some intuition regarding how we achieve compression and defer the formal proof of Lemma 9 to the full version.

Intuition regarding compression. Observe in G 13 , the labels in Z were queried by R 2 (these labels were not seen by R 2 before they were queried) and were answers to R 1 and were not seen by R 1 before the query. The core idea is that for all a ∈ L \ Z, we store exactly one of a or its pre-image in the encoding and for all labels in Z, we store neither the label nor its pre-image. Since R 2 queries all the labels in Z, these labels can be found by running R 2 while decoding. Since all the labels in Z are answers to queries of R 1 and were not seen by R 1 before the query, their pre-images can be figured out while running R 1 .

High level outlines of Encode, Decode. In Encode, we simulate the steps of G 13 to R 1 , R 2 , including bookkeeping and then run R 1 again assuming the particular σ we are compressing is sampled in G 13 . In Decode, we run R 2 and then R 1 to recover σ. We treat the values i 1 , · · · , i k , v, π as part of the common randomness provided to Encode, Decode (we assume they are sampled from the same distribution they are sampled from in G 13 ). The random tapes of R 1 , R 2 can also be derived from the common randomness of Encode, Decode. For simplicity, we do not specify this explicitly in the algorithms and treat R 1 , R 2 as deterministic.

Running R 2 . First off, we assume that R 1 queries labels that it has "seen" before and R 2 queries labels that R 1 has "seen" or it has "seen" before. We shall relax this assumption later. Ideally, we would want to just store only φ, the inputs labels to R 2 and the labels that are answers to R 2 's queries. We append the input labels of R 2 and labels that are answers to its Eval queries that it has not "seen" before to a list named Labels. However, it is easy to see that this information is not enough to answer O v queries during decoding, as answering O v queries inherently requires knowledge about pre-images of R 2 . This naturally leads to the idea of maintaining a mapping of all the labels "seen by" R 2 to their pre-images.

The mapping T of labels to pre-image expressions. The pre-images of input labels and the labels that were results of sequence of Eval queries on its input labels by R 2 , are known. However, R 2 might query labels which were neither an input to it nor an answer to one of its Eval queries. Such a label is in Z since we have assumed that all labels queried by R 2 were "seen by" R 1 or "seen by" R 2 before. We represent the pre-images of labels in Z using a placeholder variable X n where n is incremented for every such label. Note that the pre-image of every label seen by R 2 can be expressed as a linear polynomial in the X n 's (these linear polynomials are referred to as pre-image expressions from hereon). Therefore we maintain a mapping of all labels "seen by" and their pre-image expressions in a list of tuples named T. Our approach is inspired by a similar technique used by Corrigan-Gibbs and Kogan in [5] . Like in [5] , we stress that the mapping T is not a part of the encoding.

For Eval queries, we can check if there is a tuple in T whose pre-image expression is the sum of the pre-image expressions of the input labels. If that is the case, we return the label of such a tuple. Otherwise, we append the answer label to Labels. For O v queries, we can return true if the pre-image expression of the first input label multiplied by v gives the pre-image expression of the second input label. Otherwise we return false.

Surprises.There is a caveat, however. There might arise a situation that the label which is the answer to the Eval query is present in T but its pre-image expression is not the sum of the pre-image expressions of the input labels. We call such a situation a "surprise" and we call the answer label in that case a "surprise label". For O v queries, there might be a surprise when the answer of the O v query is true but the pre-image expression of the first input label multiplied by v is different pre-image expression of the second input label. In this case we call the second input label the surprise label. We assign a sequence number to each query made by R 2 , starting from 1 and an index to each tuple in T, with the indices being assigned to tuples in the order they were appended to T. To detect the query where the surprise happens, we maintain a set named Srps 1 that contains tuples of query sequence numbers and indices of the surprise label in T. This set Srps 1 is a part of the encoding. Note that whenever there is a surprise, it means that two different pre-image expressions evaluate to the same value. Since these two pre-image expressions are linear polynomials, at least one variable can be eliminated from T by equating the two pre-image expressions.

Running R 1 . Now that we have enough information in the encoding to run R 2 , we consider the information we need to add to the encoding to run R 1 after R 2 is run. First, we need to provide R 1 its input labels. Our initial attempt would be to append the input labels of R 1 (except σ(1), σ(v) , which are already present) to Labels. However, some of these input labels to R 1 might have already been "seen by" R 2 . Since all labels "seen by" R 2 are in T, we need a way to figure out which of σ(i j )'s are in T. Note that such a label was either queried by R 2 or an answer to a query of R 2 (cannot have been an input to R 2 given the restrictions on i 1 , · · · , i k , v). Suppose q was the sequence number of the query in which σ(i j ) was queried or an answer. The tuple (q, b, j) is added to the set Inputs where b can take values {1, 2, 3} depending on whether σ(i j ) was the first input label, the second input label or the answer label respectively. This set Inputs is a part of the encoding. The rest of the labels σ(i j ), which do not appear in T, are added to T with their pre-images and the labels are appended to Labels. Note that for all queries of R 1 , it follows from our assumption that the input labels will be in T. For every surprise, we add a tuple of sequence number and an index in T to the set Srps 2 .

Relaxing the assumption. When we allow R 2 to query labels it has not seen before or R 1 has not seen, there are two issues. First, we need to add a tuple for the label in T (since T, by definition contains a tuple for all labels queried by R 2 ). We solve this issue by adding the tuple made of the label and its pre-image. We have no hope of recovering the pre-image later, hence, we append the preimage to a list named Vals. This list needs to be a part of the encoding since the pre-image of the label needs to be figured out to be added to T during decoding. For queries of R 1 , if the input label is not present in T, we do the same thing. The second issue that comes up when we relax the assumption is that we need to distinguish whether an input label was in Z or not. We solve this issue by maintaining a set of tuples named Free. For all labels in Z that are not an input label to R 1 , we add the tuple consisting of the sequence number of the query of R 2 and b to Free where b set to 1 indicates it was the first input label and b set to 2 indicates it was the second input label.

The final steps. The labels the are absent in T are appended to a list named RLabels. If |Z| < l, a fixed encoding D (the output of Encode for some fixed σ when |Z| l) is returned. Otherwise the encoding of σ consisting of Labels, RLabels, Vals, Inputs, Srps 1 , Srps 2 , Free, φ is returned.

Wrapping up.The set of all "good" σ's has size at least p! (where we have used that the total number of injective functions from Z p → L is p!). Using X to be the set of the "good" σ's, Y to be the set of encodings, R to be the set of cartesian product of the domains of i 1 , · · · , i k , v, π, the set of all random tapes of R 1 the set of all random tapes of R 2 and L, it follows from Lemma 9 and

The Oracle Diffie-Hellman assumptions and an analysis of DHIES

Memory-tight reductions

The security of triple encryption and a framework for code-based game-playing proofs

Memory-tight reductions for practical key encapsulation mechanisms

The discrete-logarithm problem with preprocessing

Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack

Time space tradeoffs for attacks against oneway functions and PRGs

The algebraic group model and its applications

Abstract models of computation in cryptography

Notions of reducibility between cryptographic primitives

Lower bounds for discrete logarithms and related problems

A proposal for an ISO standard for public key encryption

Memory lower bounds of reductions revisited

If the size of the state φ output by R 1 is s bits and (R 1 , R 2 ) make q queries in total in G 3 , then Acknowledgements. We thank the anonymous reviewers of EUROCRYPT 2020 for helpful comments. This work was partially supported by NSF grants CNS-1553758 (CAREER), CNS-1719146, and by a Sloan Research Fellowship.

Proof. Our proof does initial game hopping, with easy transitions. It first introduces a new game, G 12 ( Fig. 12 ) whose minor difference from game G 3 is that it samples i 1 , · · · , i k , v using RestrictedSample which was previously used in game G 11 . It adds a bad flag while samplingThe bad event does not affect the output of G 12 in any way. Observe that even though the sampling of i 1 , · · · , i k , v is written in a different manner in G 12 , it is identical to that in G 3 . In all other respects these two games are identical.Games G 12 , G 13 differ in the procedure RestrictedSample and the condition to return true. Note that the conditions of bad being set to true is identical inWe have from Lemma 9 that Pr [Decoding is correct] . Therefore,.Since Pr [G 13 ] = 2 , using (7) and (8) we have,

Despite a clear restriction of our result to straightline reductions, we believe the main contribution of this work is the introduction of novel techniques for proving lower bounds on the memory of reductions that will find wider applicability. In particular, we clearly departed from the framework of prior works [2, 13] tailored at the usage of lower bounds for streaming algorithms, and provided the first lower bound for "algebraic" proofs in the public-key domain. The idea of a problem-specific proof of memory could be helpful elsewhere.Of course, there are several open problems. It seems very hard to study the role of rewinding for such reductions. In particular, the natural approach is to resort to techniques from communication complexity (and their incarnation as streaming lower bounds), as they are amenable to the multi-pass case. The simple combinatorial nature of these lower bounds however is at odds with the heavily structured oracles we encounter in the generic group model. Another problem we failed to solve is to give an adversary A in our proof which uses little memorywe discuss a candidate in the body, but analyzing it seems to give us difficulties similar to those of rewinding. This latter point makes a clear distinction, not discussed by prior works, between the way in which we prove memory-tightness (via reductions using small memory), and its most general interpretation, as defined in [2] , which would allow the reduction to adapt its memory usage to that of A.