# Reductions

We use *reductions* to relate the hardness of winning various games.
To show that problem $Y$ is at least as hard as problem $X$, we construct a reduction: a PPT algorithm that solves $X$ using any algorithm that solves $Y$ as a subroutine.
This reduces problem $X$ to $Y$: if there were an efficient algorithm that solves $Y$, we would also have an efficient algorithm that solves $X$.
By contrapositive, if there is no efficient solver for $X$, then there is no efficient solver for $Y$.[^1]

[^1]: Equivalently, cryptographers sometimes say that the security of $Y$ reduces to the security of $X$.

We illustrate the concept of reductions through a series of examples.

:::{note} Game: PreimageEither
:label: game-preimage-either

$$
\begin{array}{l}
\underline{\mathsf{Game~PreimageEither}^{\mathcal{A}}_{\mathsf{H}}(1^\lambda):} \\
\kappa \leftarrow \mathsf{H.Gen}(1^\lambda) \\
x_1, x_2 \xleftarrow{\$} \{0, 1\}^\lambda \\
y_1 \leftarrow \mathsf{H.Eval}(\kappa, x_1) \\
y_2 \leftarrow \mathsf{H.Eval}(\kappa, x_2) \\
x \leftarrow \mathcal{A}(\kappa, y_1, y_2) \\
\text{return } \mathsf{H.Eval}(\kappa, x) = y_1 \vee \mathsf{H.Eval}(\kappa, x) = y_2
\end{array}
$$

Game for finding the preimage of either of two given values under the hash function.
:::

:::{note} Definition
:label: def-preimage-either-advantage

For $\mathsf{Game~PreimageEither}^{\mathcal{A}}_{\mathsf{H}}$ as defined above, we define the advantage of $\mathcal{A}$ as

$$
\mathsf{Adv}^{\mathsf{PreIE}}_{\mathcal{A}, \mathsf{H}} \stackrel{\text{def}}{=} \Pr[\mathsf{PreimageEither}^{\mathcal{A}}_{\mathsf{H}} = 1].
$$
:::

:::{important} Proposition
:label: prop-preimage-either

Let $\mathsf{H}$ be a hash function. If for all PPT adversaries $\mathcal{A}$, it holds that

$$
\mathsf{Adv}^{\mathsf{PreIE}}_{\mathcal{A}, \mathsf{H}} = \mathsf{negl}
$$

then $\mathsf{H}$ is preimage-resistant.
:::

:::{dropdown} **Proof**

We prove the contrapositive statement (which is equivalent to the statement in the proposition):
If $\mathsf{H}$ is not preimage-resistant, then there exists a PPT algorithm $\mathcal{B}$ that wins $\mathsf{Game~PreimageEither}^{\mathcal{B}}_{\mathsf{H}}$ with non-negligible probability.

If $\mathsf{H}$ is not preimage-resistant, then there exists a PPT algorithm $\mathcal{A}$ that wins $\mathsf{Game~Preimage}^{\mathcal{A}}_{\mathsf{H}}$ with non-negligible probability.
Let $\mathcal{B}^{\mathcal{A}}_{\mathsf{H}}$ be the algorithm defined below.
It gets both challenges $y_1, y_2$, runs $\mathcal{A}$ on $y_1$ and returns its output.

$$
\begin{array}{l}
\underline{\mathcal{B}^{\mathcal{A}}_{\mathsf{H}}(\kappa, y_1, y_2):} \\
x \leftarrow \mathcal{A}(\kappa, y_1) \\
\text{return } x
\end{array}
$$

The success probability of $\mathcal{B}$ is at least that of $\mathcal{A}$.
When $\mathcal{A}$ successfully finds a preimage of $y_1$, then $\mathcal{B}$ succeeds in $\mathsf{Game~PreimageEither}$.
Additionally, there is a non-zero probability that $\mathsf{H.Eval}(\kappa, x) = y_2$ even when $\mathsf{H.Eval}(\kappa, x) \neq y_1$.
Therefore, $\mathsf{Adv}^{\mathsf{PreIE}}_{\mathcal{B}^{\mathcal{A}}_{\mathsf{H}}, \mathsf{H}} \ge \mathsf{Adv}^{\mathsf{PreI}}_{\mathcal{A}, \mathsf{H}}$.
Since $\mathsf{Adv}^{\mathsf{PreI}}_{\mathcal{A}, \mathsf{H}}$ is non-negligible and $\mathcal{B}^{\mathcal{A}}_{\mathsf{H}}$ is PPT, we have found a PPT algorithm with non-negligible advantage for $\mathsf{Game~PreimageEither}$.
:::

:::{important} Proposition
:label: prop-preimage-either-reverse

Let $\mathsf{H}$ be a preimage-resistant hash function.
Then $\mathsf{Adv}^{\mathsf{PreIE}}_{\mathcal{A}, \mathsf{H}}$ is negligible for all PPT adversaries $\mathcal{A}$.
More precisely, for any PPT adversary $\mathcal{A}$ against $\mathsf{Game~PreimageEither}$ of $\mathsf{H}$, there exists a PPT adversary $\mathcal{B}$ against the preimage-resistance of $\mathsf{H}$ such that

$$
\mathsf{Adv}^{\mathsf{PreIE}}_{\mathcal{A}, \mathsf{H}} \leq 2\mathsf{Adv}^{\mathsf{PreI}}_{\mathcal{B}^{\mathcal{A}}_{\mathsf{H}}, \mathsf{H}}.
$$
:::

The proof is left as an exercise (see Exercise 1 below).

## Collision Resistance

:::{note} Game: Collision
:label: game-collision

$$
\begin{array}{l}
\underline{\mathsf{Game~Collision}^{\mathcal{A}}_{\mathsf{H}}(1^\lambda):} \\
\kappa \leftarrow \mathsf{H.Gen}(1^\lambda) \\
(x,x') \leftarrow \mathcal{A}(\kappa) \\
\text{return } (x \neq x' \wedge \mathsf{H.Eval}(\kappa, x) = \mathsf{H.Eval}(\kappa, x'))
\end{array}
$$

Game for finding a collision under the hash function.
:::

:::{note} Definition: Collision-resistance
:label: def-collision-resistance

Hash function $\mathsf{H}$ is collision-resistant if for any PPT algorithm $\mathcal{A}$,

$$
\mathsf{Adv}^{\mathsf{Coll}}_{\mathcal{A}, \mathsf{H}} \stackrel{\text{def}}{=} \Pr[\mathsf{Collision}^{\mathcal{A}}_{\mathsf{H}} = 1] = \mathsf{negl}.
$$
:::

:::{important} Theorem: Collision-resistance implies preimage-resistance
:label: thm-collision-implies-preimage

Let $\mathsf{H}$ be a collision-resistant hash function. Then $\mathsf{H}$ is preimage-resistant.
More precisely, for any PPT adversary $\mathcal{A}$ against $\mathsf{Game~Preimage}$ of $\mathsf{H}$, there exists a PPT adversary $\mathcal{B}$ against $\mathsf{Game~Collision}$ of $\mathsf{H}$ such that

$$
\mathsf{Adv}^{\mathsf{PreI}}_{\mathcal{A}, \mathsf{H}} \le \mathsf{Adv}^{\mathsf{Coll}}_{\mathcal{B}^{\mathcal{A}}_{\mathsf{H}}, \mathsf{H}} + 2^{-\lambda}.
$$
:::

The proof is left as an exercise (see Exercise 2 below).

## Exercises

:::{exercise}
:label: ex-preimage-either-reverse

Prove Proposition [](#prop-preimage-either-reverse).

*Hint:* Construct a reduction that randomly places the challenge in either the first or second position.
:::

:::{dropdown} **Solution**

We prove the contrapositive statement:
If there exists a PPT algorithm $\mathcal{A}$ that wins $\mathsf{Game~PreimageEither}^{\mathcal{A}}_{\mathsf{H}}$ with non-negligible probability, then $\mathsf{H}$ is not preimage-resistant.
Let $\mathcal{B}^{\mathcal{A}}_{\mathsf{H}}$ be an algorithm that places its challenge $y$ at a random position among the two inputs of $\mathcal{A}$, runs $\mathcal{A}$, and returns its output:

$$
\begin{array}{l}
\underline{\mathcal{B}^{\mathcal{A}}_{\mathsf{H}}(\kappa, y):} \\
x_2 \xleftarrow{\$} \{0, 1\}^{\lambda} \\
y_2 \leftarrow \mathsf{H.Eval}(\kappa, x_2) \\
b \xleftarrow{\$} \{0, 1\} \\
\text{if } b = 0 \text{ then} \\
\quad x \leftarrow \mathcal{A}(\kappa, y, y_2) \\
\text{else} \\
\quad x \leftarrow \mathcal{A}(\kappa, y_2, y) \\
\text{return } x
\end{array}
$$

Let $E_i$ denote the event that $\mathcal{A}$ outputs a preimage of its $i$-th input ($i \in \{1, 2\}$).
By definition, $\mathsf{Adv}^{\mathsf{PreIE}}_{\mathcal{A}, \mathsf{H}} = \Pr[E_1 \vee E_2] \leq \Pr[E_1] + \Pr[E_2]$ (union bound; equality holds when $y_1 \neq y_2$).

Since $x_1$ and $x_2$ are chosen uniformly and independently in the PreimageEither game (and thus $y_1$ and $y_2$ are independent samples from the image of $\mathsf{H}$), by symmetry: $\Pr[E_1] = \Pr[E_2]$.

Therefore: $\mathsf{Adv}^{\mathsf{PreIE}}_{\mathcal{A}, \mathsf{H}} \leq 2 \cdot \Pr[E_1]$.

Now consider $\mathcal{B}$'s success probability. With probability $\frac{1}{2}$, it places the challenge $y$ in position 1 (calling $\mathcal{A}(\kappa, y, y_2)$), and with probability $\frac{1}{2}$, it places $y$ in position 2 (calling $\mathcal{A}(\kappa, y_2, y)$).
Since in both games $y$ comes from $\mathsf{H.Eval}(\kappa, x)$ for uniform $x$, and $y_2$ comes from $\mathsf{H.Eval}(\kappa, x_2)$ for uniform $x_2$, $\mathcal{B}$ perfectly simulates the PreimageEither game distribution. Thus $\mathcal{B}$ succeeds with probability:

$$
\mathsf{Adv}^{\mathsf{PreI}}_{\mathcal{B}^{\mathcal{A}}_{\mathsf{H}}, \mathsf{H}} = \frac{1}{2} \cdot \Pr[E_1] + \frac{1}{2} \cdot \Pr[E_2] = \Pr[E_1] \geq \frac{1}{2} \cdot \mathsf{Adv}^{\mathsf{PreIE}}_{\mathcal{A}, \mathsf{H}}.
$$

Since $\mathsf{Adv}^{\mathsf{PreIE}}_{\mathcal{A}, \mathsf{H}}$ is non-negligible and $\mathcal{B}^{\mathcal{A}}_{\mathsf{H}}$ is PPT, $\mathsf{H}$ is not preimage-resistant.
:::
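
The reduction from this solution can be checked exactly on a toy hash. The following is an added example, not part of the original notes: `h_eval` (SHA-256 truncated to $\lambda = 6$ bits), the fixed key `KAPPA`, the adversary `adversary_a` and the coin-free variant `naive_b` are assumptions made for illustration, and the reduction's coins are passed in as arguments so that every advantage is computed by enumeration rather than by sampling.

```python
import hashlib
from fractions import Fraction
from itertools import product

LAM = 6                      # toy parameter: LAM-bit inputs, so enumeration is cheap
KAPPA = b"constructed-key"   # stands in for H.Gen(1^lambda); constructed value
DOMAIN = range(2 ** LAM)

def h_eval(kappa, x):
    """Toy keyed hash {0,1}^LAM -> {0,1}^LAM: SHA-256 truncated to LAM bits."""
    return hashlib.sha256(kappa + bytes([x])).digest()[0] >> (8 - LAM)

# Hypothetical PreimageEither adversary: inverts only its SECOND target, and only
# when that digest is even (partial lookup table, feasible only at toy sizes).
TABLE = {h_eval(KAPPA, x): x for x in reversed(DOMAIN) if h_eval(KAPPA, x) % 2 == 0}

def adversary_a(kappa, y1, y2):
    return TABLE.get(y2, 0)

def reduction_b(kappa, y, x2, b):
    """B from the solution, with its coins (x2, b) passed in explicitly."""
    y2 = h_eval(kappa, x2)
    return adversary_a(kappa, y, y2) if b == 0 else adversary_a(kappa, y2, y)

def naive_b(kappa, y, x2, b):
    """Variant without the coin flip: the challenge always goes in position 1."""
    return adversary_a(kappa, y, h_eval(kappa, x2))

def adv_preimage_either():
    """Exact Adv^PreIE of adversary_a: enumerate every pair (x1, x2)."""
    wins = 0
    for x1, x2 in product(DOMAIN, DOMAIN):
        y1, y2 = h_eval(KAPPA, x1), h_eval(KAPPA, x2)
        wins += h_eval(KAPPA, adversary_a(KAPPA, y1, y2)) in (y1, y2)
    return Fraction(wins, len(DOMAIN) ** 2)

def adv_preimage(reduction):
    """Exact Adv^PreI of a reduction: enumerate challenge x and coins (x2, b)."""
    wins = 0
    for x, x2, b in product(DOMAIN, DOMAIN, (0, 1)):
        y = h_eval(KAPPA, x)
        wins += h_eval(KAPPA, reduction(KAPPA, y, x2, b)) == y
    return Fraction(wins, 2 * len(DOMAIN) ** 2)

if __name__ == "__main__":
    print("Adv^PreIE(A) =", adv_preimage_either())
    print("Adv^PreI(B), Adv^PreI(naive B) =", adv_preimage(reduction_b), adv_preimage(naive_b))
```

Against this adversary `naive_b` wins only by accident, while `reduction_b` keeps at least half of the PreimageEither advantage, which is what the hint's random placement buys.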

:::{exercise}
:label: ex-collision-implies-preimage

Prove Theorem [](#thm-collision-implies-preimage) (collision-resistance implies preimage-resistance).

*Hint:* Construct a reduction that samples a random $x$, computes $y = \mathsf{H.Eval}(\kappa, x)$, and uses the preimage-finding adversary to find $x'$ such that $\mathsf{H.Eval}(\kappa, x') = y$. What is the probability that $x = x'$?
:::

:::{dropdown} **Solution**

We prove the contrapositive statement: if $\mathsf{H}$ is not preimage-resistant, then $\mathsf{H}$ is not collision-resistant.
If $\mathsf{H}$ is not preimage-resistant, then there exists a PPT algorithm $\mathcal{A}$ that wins $\mathsf{Game~Preimage}^{\mathcal{A}}_{\mathsf{H}}$ with non-negligible probability.
Let $\mathcal{B}^{\mathcal{A}}_{\mathsf{H}}$ be the algorithm that samples a random $x$, runs $\mathcal{A}$ on its hash value, and returns $x$ together with the output of $\mathcal{A}$:

$$
\begin{array}{l}
\underline{\mathcal{B}^{\mathcal{A}}_{\mathsf{H}}(\kappa):} \\
\text{1. } x \xleftarrow{\$} \{0, 1\}^{2\lambda} \\
\text{2. } y \stackrel{\text{def}}{=} \mathsf{H.Eval}(\kappa, x) \\
\text{3. } x' \leftarrow \mathcal{A}(\kappa, y) \\
\text{4. } \textbf{assert } x \neq x' \\
\text{5. } \text{return } (x, x')
\end{array}
$$

If $\mathcal{A}$ succeeds and $\mathcal{B}$ does not abort in line 4, then $\mathcal{B}$ wins game $\mathsf{Collision}^{\mathcal{B}}_{\mathsf{H}}$, or more precisely:

$$
\begin{aligned}
\Pr[\mathsf{Collision}^{\mathcal{B}}_{\mathsf{H}} = 0] &= \Pr[\mathsf{Preimage}^{\mathcal{A}}_{\mathsf{H}} = 0 \vee \mathcal{B} \text{ aborts at line 4}] \\
&\le \Pr[\mathsf{Preimage}^{\mathcal{A}}_{\mathsf{H}} = 0] + \Pr[\mathcal{B} \text{ aborts at line 4}]
\end{aligned}
$$

using the union bound.
Then, by the definition of $\mathsf{Adv}^{\mathsf{Coll}}_{\mathcal{B}, \mathsf{H}}$ and $\mathsf{Adv}^{\mathsf{PreI}}_{\mathcal{A}, \mathsf{H}}$ we have

$$
\begin{aligned}
1 - \mathsf{Adv}^{\mathsf{Coll}}_{\mathcal{B}, \mathsf{H}} &\le 1 - \mathsf{Adv}^{\mathsf{PreI}}_{\mathcal{A}, \mathsf{H}} + \Pr[\mathcal{B} \text{ aborts at line 4}]
\end{aligned}
$$

and

$$
\mathsf{Adv}^{\mathsf{Coll}}_{\mathcal{B}, \mathsf{H}} \ge \mathsf{Adv}^{\mathsf{PreI}}_{\mathcal{A}, \mathsf{H}} - \Pr[\mathcal{B} \text{ aborts at line 4}].
$$

We now show that $\Pr[\mathcal{B} \text{ aborts at line 4}] = \mathsf{negl}$.
Let us denote this event by $A$.
Let $B_y$ denote the event that $\mathsf{H.Eval}(\kappa, x) = y$, and let $\text{Im} \mathsf{H.Eval}(\kappa, \cdot)$ be the image of $\mathsf{H.Eval}(\kappa, \cdot)$ for a fixed $\kappa$.
Then, by the law of total probability and the definition of conditional probability we have

$$
\begin{aligned}
\Pr[A] &= \sum_{y \in \text{Im} \mathsf{H.Eval}(\kappa, \cdot)} \Pr[A \wedge B_y] \\
&= \sum_{y \in \text{Im} \mathsf{H.Eval}(\kappa, \cdot)} \Pr[B_y] \Pr[A \mid B_y]
\end{aligned}
$$

Let $\mathsf{H}^{-1}(y) = \{x \in \{0, 1\}^{2\lambda} : \mathsf{H.Eval}(\kappa, x) = y\}$, i.e., the preimage of $y$.
Since $x$ is uniformly random from a set of size $2^{2\lambda}$, the probability $\Pr[B_y]$ that $\mathsf{H.Eval}(\kappa, x) = y$ is $\frac{|\mathsf{H}^{-1}(y)|} {2^{2\lambda}}$.
Also, the probability $\Pr[A \mid B_y]$ that the sampled value $x$ matches the adversary's answer $x'$ given that $\mathsf{H.Eval}(\kappa, x) = y$ is $\frac{1}{|\mathsf{H}^{-1}(y)|}$.
Therefore, we have

$$
\begin{aligned}
\Pr[A] &= \sum_{y \in \text{Im} \mathsf{H.Eval}(\kappa, \cdot)} \frac{|\mathsf{H}^{-1}(y)|} {2^{2\lambda}} \frac{1}{|\mathsf{H}^{-1}(y)|} \\
&= \sum_{y \in \text{Im} \mathsf{H.Eval}(\kappa, \cdot)} \frac{1} {2^{2\lambda}} \\
&= \frac{|\text{Im} \mathsf{H.Eval}(\kappa, \cdot)|} {2^{2\lambda}} \\
&\le \frac{2^{\lambda}}{2^{2\lambda}} = 2^{-\lambda}
\end{aligned}
$$

which is negligible.

Since $\mathsf{Adv}^{\mathsf{PreI}}_{\mathcal{A}, \mathsf{H}}$ is not negligible and $\Pr[\mathcal{B} \text{ aborts}] = \mathsf{negl}$, $\mathsf{Adv}^{\mathsf{Coll}}_{\mathcal{B}, \mathsf{H}}$ is not negligible.
Since $\mathcal{B}$ is PPT, $\mathsf{H}$ is not collision-resistant.
:::
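
The abort probability derived in this solution can be verified by exhaustive enumeration on a toy hash. The following is an added example, not part of the original notes: `h_eval` (first byte of SHA-256, so $\lambda = 8$ with 16-bit inputs), the fixed key `KAPPA` and the table-based adversary from `build_preimage_finder` are assumptions made for illustration, and the reduction's sampled $x$ is passed in as an argument so that $\mathcal{B}$ can be run once for every possible $x$.

```python
import hashlib

LAM = 8                      # toy parameter: 2*LAM-bit inputs, LAM-bit digests
KAPPA = b"constructed-key"   # stands in for H.Gen(1^lambda); constructed value
DOMAIN = range(2 ** (2 * LAM))

def h_eval(kappa, x):
    """Toy keyed hash {0,1}^{2*LAM} -> {0,1}^LAM: first byte of SHA-256."""
    return hashlib.sha256(kappa + x.to_bytes(2, "big")).digest()[0]

def build_preimage_finder(kappa):
    """Hypothetical adversary A with Adv^PreI = 1: a lookup table holding the
    smallest preimage of every digest (feasible only at toy sizes)."""
    table = {}
    for x in DOMAIN:
        table.setdefault(h_eval(kappa, x), x)
    return lambda k, y: table[y]

def reduction_b(kappa, adversary, x):
    """B from the solution, with its sampled x passed in explicitly.
    Returns the pair (x, x') or None when the assert in line 4 fails."""
    y = h_eval(kappa, x)            # line 2
    x_prime = adversary(kappa, y)   # line 3
    if x == x_prime:                # line 4: abort
        return None
    return (x, x_prime)             # line 5

def count_outcomes(kappa=KAPPA):
    """Run B once for every possible x; return (aborts, collisions, |Im H|)."""
    adversary = build_preimage_finder(kappa)
    aborts = collisions = 0
    image = set()
    for x in DOMAIN:
        image.add(h_eval(kappa, x))
        out = reduction_b(kappa, adversary, x)
        if out is None:
            aborts += 1
        elif out[0] != out[1] and h_eval(kappa, out[0]) == h_eval(kappa, out[1]):
            collisions += 1
    return aborts, collisions, len(image)

if __name__ == "__main__":
    aborts, collisions, image_size = count_outcomes()
    total = len(DOMAIN)
    print(f"Pr[abort]  = {aborts}/{total} (|Im H| = {image_size})")
    print(f"Adv^Coll_B = {collisions}/{total}, bound 2^-{LAM} = {2 ** -LAM}")
```

Because this adversary always returns the same preimage for a given digest, $\mathcal{B}$ aborts for exactly one $x$ per image point, so the count of aborts equals $|\text{Im} \mathsf{H.Eval}(\kappa, \cdot)|$ as in the derivation.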

:::{exercise}
:label: ex-target-collision

**Optional:** Describe target collision resistance, extended target collision resistance, and multi-target collision resistance (see Hülsing, Rijneveld, and Song, PKC 2016) in your own words and discuss their security against classical and quantum attacks (see Table 1 in the referenced paper).
:::

:::{exercise}
:label: ex-metareduction

**Optional:** Drijvers et al. (S&P 2019) give a *metareduction* showing that MuSig(1) (Drijvers et al., DCC 2019) without the first nonce-commitment round cannot be proven secure under the one-more discrete logarithm (OMDL) assumption.
Interpret Theorem 1 and Figure 2 in their paper.
Complete the following informal statement: If there exists an algorithm $\mathcal{B}$ that reduces $n$-OMDL to the EUF-CMA security of the MuSig(1) variant, then there exists a reduction $\mathcal{M}$ and a forger $\mathcal{F}$ that solve the _____ problem.
:::

:::{dropdown} **Solution**

$(n + k)$-OMDL
:::