
A preliminary version of this work appeared in Advances in Cryptology – Crypto 2012. This is the full version. To Hash or Not to Hash Again? (In)differentiability ...


To Hash or Not to Hash Again? (In)differentiability ...

A preliminary version of this work appeared in Advances in Cryptology – Crypto 2012. This is the full version. To Hash or Not to Hash Again? (In)differentiability ...

procedure OnLeftQuery(x):                                   G6
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  ROsub(x)
  Y ← Y ∪ {x, G[x]}
  Finalization()
  Ret G[x]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 0 to q_1
    If g[x_i] = ⊥ then
      y ← G^{-i}[g[x_i]]
      FillInRungs(x, y)
      Break // (For loop)
    x_{i+1} ← ROsub(x_i)
  If i > q_1
    MakeLadder(x)
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine FillInRungs(x, y)
  x_0 ← x, x_1 ← y
  SetTable(g, x_0, x_1)
  For i = 1 to 2q_1 + 1
    x_{i+1} ← SimROsub(x_{i-1})
    SetTable(g, x_i, x_{i+1})

subroutine MakeLadder(x)                                    G6 (cont.)
  s_{-q_1} ← Random()
  For i = −q_1 to q_1 − 1
    s_{i+1} ← ROsub(s_i)
  FillInRungs(x, s_0)

subroutine ROsub(x)
  If G[x] Ret G[x]
  Ret G[x] ← Random()

subroutine SimROsub(x)
  SetTable(G, x, ROsub(x))
  Ret G[x]

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′ then Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine SetTable(T, x, y)
  If T[x] and T[x] = y then Ret
  T[x] = y
  T^{-1}[y] = x

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

Figure 22: Game G6 for the proof of Theorem 3.3.

55

procedure OnLeftQuery(x):                                   G7
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  ROsub(x)
  Y ← Y ∪ {x, G[x]}
  Finalization()
  Ret G[x]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 0 to q_1
    If g[x_i] = ⊥ then
      y ← G^{-i}[g[x_i]]
      FillInRungs(x, y)
      Break // (For loop)
    x_{i+1} ← ROsub(x_i)
  If i > q_1
    MakeLadder(x)
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine FillInRungs(x, y)
  x_0 ← x, x_1 ← y
  SetTable(g, x_0, x_1)
  For i = 1 to 2q_1 + 1
    x_{i+1} ← ROsub(x_{i-1})
    SetTable(g, x_i, x_{i+1})

subroutine MakeLadder(x)                                    G7 (cont.)
  s_{-q_1} ← Random()
  For i = −q_1 to q_1 − 1
    s_{i+1} ← ROsub(s_i)
  FillInRungs(x, s_0)

subroutine ROsub(x)
  If G[x] Ret G[x]
  G[x] ← Random()
  SetTable(G, x, G[x])
  Ret G[x]

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′ then Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine SetTable(T, x, y)
  If T[x] and T[x] = y then Ret
  T[x] = y
  T^{-1}[y] = x

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

Figure 23: Game G7 for the proof of Theorem 3.3.

56

procedure OnLeftQuery(x):                                   G8
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  ROsub(x)
  Y ← Y ∪ {x, G[x]}
  Finalization()
  Ret G[x]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 0 to q_1
    If g[x_i] = ⊥ then
      y ← G^{-i}[g[x_i]]
      FillInRungs(x, y)
      Break // (For loop)
    x_{i+1} ← ROsub(x_i)
  If i > q_1
    MakeLadder(x)
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine FillInRungs(x, y)
  x_0 ← x, x_1 ← y
  SetTable(g, x_0, x_1)
  For i = 1 to 2q_1 + 1
    x_{i+1} ← ROsub(x_{i-1})
    SetTable(g, x_i, x_{i+1})

subroutine MakeLadder(x)                                    G8 (cont.)
  s_{-q_1} ← Random()
  For i = −q_1 to q_1 − 1
    s_{i+1} ← ROsub(s_i)
  ℓ ← 0
  While G^{(-ℓ)}[x] = ⊥
    ℓ ← ℓ + 1
  For i = −q_1 to −ℓ
    G^{-1}[s_i] ← ⊥
    If i > ℓ then G[s_i] ← ⊥
  FillInRungs(x, s_0)

subroutine ROsub(x)
  If G[x] Ret G[x]
  G[x] ← Random()
  SetTable(G, x, G[x])
  Ret G[x]

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′ then Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine SetTable(T, x, y)
  If T[x] and T[x] = y then Ret
  T[x] = y
  T^{-1}[y] = x

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

Figure 24: Game G8 for the proof of Theorem 3.3.

57

procedure OnLeftQuery(x):                                   G9
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  ROsub(x)
  Y ← Y ∪ {x, G[x]}
  Finalization()
  Ret G[x]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 0 to q_1
    If g[x_i] = ⊥ then
      y ← G^{-i}[g[x_i]]
      FillInRungs(x, y)
      Break // (For loop)
    x_{i+1} ← ROsub(x_i)
  If i > q_1
    MakeLadder(x)
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine FillInRungs(x, y)
  x_0 ← x, x_1 ← y
  SetTable(g, x_0, x_1)
  For i = 1 to 2q_1 + 1
    x_{i+1} ← ROsub(x_{i-1})
    SetTable(g, x_i, x_{i+1})

subroutine MakeLadder(x)                                    G9 (cont.)
  ℓ ← 0
  While G^{(-ℓ)}[x] = ⊥
    ℓ ← ℓ + 1
  s_{-ℓ} ← Random()
  For i = −ℓ to q_1 − 1
    s_{i+1} ← ROsub(s_i)
  FillInRungs(x, s_0)

subroutine ROsub(x)
  If G[x] Ret G[x]
  G[x] ← Random()
  SetTable(G, x, G[x])
  Ret G[x]

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′ then Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine SetTable(T, x, y)
  If T[x] and T[x] = y then Ret
  T[x] = y
  T^{-1}[y] = x

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

Figure 25: Game G9 for the proof of Theorem 3.3.

58

procedure OnLeftQuery(x):                                   G10
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  ROsub(x, ⊥)
  Y ← Y ∪ {x, G[x]}
  Finalization()
  Ret G[x]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 0 to q_1
    If g[x_i] = ⊥ then
      y ← G^{-i}[g[x_i]]
      FillInRungs(x, y)
      Break // (For loop)
    x_{i+1} ← ROsub(x_i, ⊥)
  If i > q_1
    MakeLadder(x)
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine FillInRungs(x, y)
  x_0 ← x, x_1 ← y
  SetTable(g, x_0, x_1)
  For i = 1 to 2q_1 + 1
    x_{i+1} ← ROsub(x_{i-1})
    SetTable(g, x_i, x_{i+1})

subroutine MakeLadder(x)                                    G10 (cont.)
  ℓ ← 0
  While G^{(-ℓ)}[x] = ⊥
    ℓ ← ℓ + 1
  s_{-ℓ} ← Random()
  For i = −ℓ to q_1 − 1
    s_{i+1} ← Random()
    ROsub(s_i, s_{i+1})
  FillInRungs(x, s_0)

subroutine ROsub(x, z)
  If G[x] Ret G[x]
  If z = ⊥ then z ← Random()
  SetTable(G, x, z)
  Ret G[x]

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′ then Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine SetTable(T, x, y)
  If T[x] and T[x] = y then Ret
  T[x] = y
  T^{-1}[y] = x

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

Figure 26: Game G10 for the proof of Theorem 3.3.

59

procedure OnLeftQuery(x):                                   G11
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  ROsub(x, ⊥)
  Y ← Y ∪ {x, G[x]}
  Finalization()
  Ret G[x]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 0 to q_1
    If g[x_i] = ⊥ then
      y ← G^{-i}[g[x_i]]
      FillInRungs(x, y)
      Break // (For loop)
    x_{i+1} ← ROsub(x_i, ⊥)
  If i > q_1
    MakeLadder(x)
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine FillInRungs(x, y)
  x_0 ← x, x_1 ← y
  SetTable(g, x_0, x_1)
  For i = 1 to 2q_1 + 1
    x_{i+1} ← ROsub(x_{i-1})
    SetTable(g, x_i, x_{i+1})

subroutine MakeLadder(x)                                    G11 (cont.)
  ℓ ← 0
  While G^{(-ℓ)}[x] = ⊥
    ℓ ← ℓ + 1
  s_{-ℓ} ← Random()
  For i = −ℓ to q_1 − 1
    s_{i+1} ← Random()
    ROsub(s_i, s_{i+1})
  FillInRungs(x, s_0)

subroutine ROsub(x, z)
  If G[x] Ret G[x]
  If z = ⊥
    If g[x]
      gProxy[x] ← g[x]
    If gProxy[x] = ⊥
      gProxy[x] ← Random()
      gProxy[x].fresh ← true
    z ← Random()
  SetTable(G, x, z)
  Ret G[x]

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′ then Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine SetTable(T, x, y)
  If T[x] and T[x] = y then Ret
  T[x] = y
  T^{-1}[y] = x

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

Figure 27: Game G11 for the proof of Theorem 3.3.

60

procedure OnLeftQuery(x):                                   G12
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  ROsub(x, ⊥)
  Y ← Y ∪ {x, G[x]}
  Finalization()
  Ret G[x]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 0 to q_1
    If g[x_i] = ⊥ then
      y ← G^{-i}[g[x_i]]
      FillInRungs(x, y)
      Break // (For loop)
    x_{i+1} ← ROsub(x_i, ⊥)
  If i > q_1
    MakeLadder(x)
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine FillInRungs(x, y)
  x_0 ← x, x_1 ← y
  SetTable(g, x_0, x_1)
  For i = 1 to 2q_1 + 1
    x_{i+1} ← ROsub(x_{i-1})
    SetTable(g, x_i, x_{i+1})

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

subroutine MakeLadder(x)                                    G12 (cont.)
  ℓ ← 0
  While G^{(-ℓ)}[x] = ⊥
    ℓ ← ℓ + 1
  s_{-ℓ} ← GetFresh(gProxy, G^{-ℓ}[x])
  For i = −ℓ to q_1 − 1
    s_{i+1} ← GetFresh(gProxy, G^{i+1}[x])
    ROsub(s_i, s_{i+1})
  FillInRungs(x, s_0)

subroutine ROsub(x, z)
  If G[x] Ret G[x]
  If z = ⊥
    If g[x]
      gProxy[x] ← g[x]
    If gProxy[x] = ⊥
      gProxy[x] ← Random()
      gProxy[x].fresh ← true
    z ← Random()
  SetTable(G, x, z)
  Ret G[x]

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′ then Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine SetTable(T, x, y)
  If T[x] and T[x] = y then Ret
  T[x] = y
  T^{-1}[y] = x

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

subroutine GetFresh(T, x)
  If T[x] and T[x].fresh = true
    T[x].fresh = false
    Ret T[x]
  Ret Random()

Figure 28: Game G12 for the proof of Theorem 3.3.

61

procedure OnLeftQuery(x):                                   G13
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  ROsub(x, ⊥)
  Y ← Y ∪ {x, G[x]}
  Finalization()
  Ret G[x]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 0 to q_1
    If g[x_i] = ⊥ then
      y ← G^{-i}[g[x_i]]
      FillInRungs(x, y)
      Break // (For loop)
    x_{i+1} ← ROsub(x_i, ⊥)
  If i > q_1
    MakeLadder(x)
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine FillInRungs(x, y)
  x_0 ← x, x_1 ← y
  SetTable(g, x_0, x_1)
  For i = 1 to 2q_1 + 1
    x_{i+1} ← ROsub(x_{i-1})
    SetTable(g, x_i, x_{i+1})

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

subroutine MakeLadder(x)                                    G13 (cont.)
  ℓ ← 0
  While G^{(-ℓ)}[x] = ⊥
    ℓ ← ℓ + 1
  s_{-ℓ} ← gProxy[G^{-ℓ}[x]]
  For i = −ℓ to q_1 − 1
    s_{i+1} ← gProxy[G^{i+1}[x]]
    ROsub(s_i, s_{i+1})
  FillInRungs(x, s_0)

subroutine ROsub(x, z)
  If G[x] Ret G[x]
  If z = ⊥
    If g[x]
      gProxy[x] ← g[x]
    If gProxy[x] = ⊥
      gProxy[x] ← Random()
    z ← Random()
  SetTable(G, x, z)
  Ret G[x]

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′ then Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine SetTable(T, x, y)
  If T[x] and T[x] = y then Ret
  T[x] = y
  T^{-1}[y] = x

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

Figure 29: Game G13 for the proof of Theorem 3.3.

62

procedure OnLeftQuery(x):                                   G14
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  ROsub(x, ⊥)
  Y ← Y ∪ {x, G[x]}
  Finalization()
  Ret G[x]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 0 to q_1
    If g[x_i] = ⊥ then
      y ← G^{-i}[g[x_i]]
      FillInRungs(x, y)
      Break // (For loop)
    x_{i+1} ← ROsub(x_i, ⊥)
  If i > q_1
    MakeLadder(x)
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine FillInRungs(x, y)
  x_0 ← x, x_1 ← y
  SetTable(g, x_0, x_1)
  For i = 1 to 2q_1 + 1
    x_{i+1} ← ROsub(x_{i-1})
    SetTable(g, x_i, x_{i+1})

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

subroutine MakeLadder(x)                                    G14 (cont.)
  ℓ ← 0
  While G^{(-ℓ)}[x] = ⊥
    ℓ ← ℓ + 1
  s_{-ℓ} ← gProxy[G^{-ℓ}[x]]
  For i = −ℓ to q_1 − 1
    s_{i+1} ← gProxy[G^{i+1}[x]]
    ROsub(s_i, s_{i+1})
  FillInRungs(x, s_0)

subroutine ROsub(x, z)
  If G[x] Ret G[x]
  If z = ⊥
    If g[x]
      gProxy[x] ← g[x]
    If gProxy[x] = ⊥
      gProxy[x] ← Random()
    z ← Random()
    gProxy[gProxy[x]] ← z
  SetTable(G, x, z)
  Ret G[x]

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′ then Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine SetTable(T, x, y)
  If T[x] and T[x] = y then Ret
  T[x] = y
  T^{-1}[y] = x

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

Figure 30: Game G14 for the proof of Theorem 3.3.

63

procedure OnLeftQuery(x):                                   G15
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  ROsub(x)
  Y ← Y ∪ {x, G[x]}
  Finalization()
  Ret G[x]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 0 to q_1
    If g[x_i] = ⊥ then
      y ← G^{-i}[g[x_i]]
      FillInRungs(x, y)
      Break // (For loop)
    x_{i+1} ← ROsub(x_i)
  If i > q_1
    MakeLadder(x)
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine FillInRungs(x, y)
  x_0 ← x, x_1 ← y
  SetTable(g, x_0, x_1)
  For i = 1 to 2q_1 + 1
    x_{i+1} ← ROsub(x_{i-1})
    SetTable(g, x_i, x_{i+1})

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

subroutine MakeLadder(x)                                    G15 (cont.)
  ℓ ← 0
  While G^{(-ℓ)}[x] = ⊥
    ℓ ← ℓ + 1
  s_{-ℓ} ← gProxy[G^{-ℓ}[x]]
  For i = −ℓ to q_1 − 1
    s_{i+1} ← ROsub(s_i)
  FillInRungs(x, s_0)

subroutine ROsub(x)
  If G[x] Ret G[x]
  If gProxy[x]
    y ← gProxy[x]
  else
    y ← gProxy[x] ← Random()
  If gProxy[y]
    z ← gProxy[y]
  else
    z ← gProxy[y] ← Random()
  SetTable(G, x, z)
  Ret G[x]

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′ then Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine SetTable(T, x, y)
  If T[x] and T[x] = y then Ret
  T[x] = y
  T^{-1}[y] = x

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

Figure 31: Game G15 for the proof of Theorem 3.3.

64

procedure OnLeftQuery(x):                                   G16
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  ROsub(x)
  Y ← Y ∪ {x, G[x]}
  Finalization()
  Ret G[x]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 0 to q_1
    If g[x_i] = ⊥ and g[x_i].KnownToSim then
      FillInRungs(x)
      Break // (For loop)
    x_{i+1} ← ROsub(x_i)
  If i > q_1
    MakeLadder(x)
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine FillInRungs(x)
  x_0 ← x
  x_1 ← g[x_0]
  g[x_0].KnownToSim ← true
  For i = 1 to 2q_1 + 1
    x_{i+1} ← ROsub(x_{i-1})
    g[x_i].KnownToSim ← true

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

subroutine MakeLadder(x)                                    G16 (cont.)
  ℓ ← 0
  While G^{(-ℓ)}[x] = ⊥
    ℓ ← ℓ + 1
  s_{-ℓ} ← g[G^{-ℓ}[x]]
  For i = −ℓ to q_1 − 1
    s_{i+1} ← ROsub(s_i)
  FillInRungs(x)

subroutine ROsub(x)
  If G[x] Ret G[x]
  If g[x]
    y ← g[x]
  else
    y ← Random()
    SetTable(g, x, y)
  If g[y]
    z ← g[y]
  else
    z ← Random()
    SetTable(g, y, z)
  SetTable(G, x, z)
  Ret G[x]

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′ then Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine SetTable(T, x, y)
  If T[x] and T[x] = y then Ret
  T[x] = y
  T^{-1}[y] = x

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

Figure 32: Game G16 for the proof of Theorem 3.3.

65

procedure OnLeftQuery(x):                                   G17
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  ROsub(x)
  Y ← Y ∪ {x, g[g[x]]}
  Finalization()
  Ret g[g[x]]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 0 to q_1
    If g[x_i] = ⊥ and g[x_i].KnownToSim then
      FillInRungs(x)
      Break // (For loop)
    x_{i+1} ← ROsub(x_i)
  If i > q_1
    MakeLadder(x)
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine FillInRungs(x)
  x_0 ← x
  x_1 ← g[x_0]
  g[x_0].KnownToSim ← true
  For i = 1 to 2q_1 + 1
    x_{i+1} ← ROsub(x_{i-1})
    g[x_i].KnownToSim ← true

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

subroutine MakeLadder(x)                                    G17 (cont.)
  ℓ ← 0
  While g^{(-2ℓ)}[x] = ⊥
    ℓ ← ℓ + 1
  s_{-ℓ} ← g[g^{-2ℓ}[x]]
  For i = −ℓ to q_1 − 1
    s_{i+1} ← ROsub(s_i)
  FillInRungs(x)

subroutine ROsub(x)
  If g[x]
    y ← g[x]
  else
    y ← Random()
    SetTable(g, x, y)
  If g[y]
    z ← g[y]
  else
    z ← Random()
    SetTable(g, y, z)
  Ret z

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′ then Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine SetTable(T, x, y)
  If T[x] and T[x] = y then Ret
  T[x] = y
  T^{-1}[y] = x

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

Figure 33: Game G17 for the proof of Theorem 3.3.

66

procedure OnLeftQuery(x):                                   G18
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  ROsub(x)
  Y ← Y ∪ {x, g[g[x]]}
  Finalization()
  Ret g[g[x]]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y then Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 0 to q_1
    If g[x_i] = ⊥ and g[x_i].KnownToSim then
      FillInRungs(x)
      Break // (For loop)
    x_{i+1} ← ROsub(x_i)
  If i > q_1
    FillInRungs(x)
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine FillInRungs(x)
  x_0 ← x
  x_1 ← g[x_0]
  g[x_0].KnownToSim ← true
  For i = 1 to 2q_1 + 1
    x_{i+1} ← ROsub(x_{i-1})
    g[x_i].KnownToSim ← true

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

subroutine ROsub(x)                                         G18
  If g[x]
    y ← g[x]
  else
    y ← g[x] ← Random()
  If g[y]
    z ← g[y]
  else
    z ← g[y] ← Random()
  Ret z

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′ then Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

Figure 34: Game G18 for the proof of Theorem 3.3.

67

procedure OnLeftQuery(x):                                   G19 G20
  NumCallsToRandom ← 0; MAX_CALLS ← 2
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y
    bad ← true
    Abort
  X ← X ∪ {x}
  ROsub(x)
  Y ← Y ∪ {x, g[g[x]]}
  Finalization()
  Ret g[g[x]]

procedure OnRightQuery(x):
  NumCallsToRandom ← 0; MAX_CALLS ← 4q_1 + 3
  BuildXprime()
  If x ∈ (X ∪ X′) \ Y
    bad ← true
    Abort
  X ← X ∪ {x}
  x_0 ← x
  For i = 1 to 2q_1 + 1
    ROsub(x_{i-1})
    x_i ← g[x_{i-1}]
    g[x_{i-1}].KnownToSim ← true
    g[x_i].KnownToSim ← true
  Y ← Y ∪ {x, g[x]}
  Finalization()
  Ret g[x]

subroutine Finalization()
  While NumCallsToRandom < MAX_CALLS do
    Random()

subroutine ROsub(x)                                         G19 G20
  If g[x]
    y ← g[x]
  else
    y ← g[x] ← Random()
  If g[y]
    z ← g[y]
  else
    z ← g[y] ← Random()
  Ret z

subroutine Random()
  y ←$ {0,1}^n
  BuildXprime()
  If y ∈ X ∪ X′
    bad ← true
    Abort
  X ← X ∪ {y}
  NumCallsToRandom++
  Ret y

subroutine BuildXprime()
  X′ ← ∅
  While |X| + |X′| < (4q_1 + 3)q_2 + 2q_1 do
    z ←$ {0,1}^n \ (X ∪ X′)
    X′ ← X′ ∪ {z}

Figure 35: Games G19 and G20 for the proof of Theorem 3.3.

68

procedure OnLeftQuery(x):                                   G21
  ROsub(x)
  Ret g[g[x]]

procedure OnRightQuery(x):
  x_0 ← x
  For i = 1 to 2q_1 + 1
    ROsub(x_{i-1})
    x_i ← g[x_{i-1}]
  Ret g[x]

subroutine ROsub(x)
  If g[x] = ⊥
    g[x] ← Random()
  y ← g[x]
  If g[y] = ⊥
    g[y] ← Random()
  z ← g[y]
  Ret z

subroutine Random()
  y ←$ {0,1}^n
  Ret y

procedure OnLeftQuery(x):                                   G22
  ROsub(x)
  Ret g[g[x]]

procedure OnRightQuery(x):
  If g[x] = ⊥
    g[x] ←$ {0,1}^n
  Ret g[x]

subroutine ROsub(x)
  If g[x] = ⊥
    g[x] ←$ {0,1}^n
  y ← g[x]
  If g[y] = ⊥
    g[y] ←$ {0,1}^n
  Ret g[y]

Figure 36: Games G21 and G22 for the proof of Theorem 3.3.

69

