states that If a PPT adversary with a random tape and a random oracle , is able to produce a forgery/break a scheme with non-negligible probability, then it can break the scheme again with same random tape and different random oracle with non-negligible probability.
- What input and output does A take?
- where is the input to the scheme, denotes oracle queries, and is the random tape that is used to generate randomness for .
- A outputs index and forgery .
- What does the index represents?
- When , it means that was able to successfully produce a forgery for a scheme.
- Does the input to A gets changed?
- What does the random tape do? Why is it same in both scenarios?
Let where is the input to the scheme, denotes oracle queries, and is the random tape that is used to generate randomness for , and outputs . Let be the probability that is able to output .1
Let’s define Forking algorithm :
- Pick a random tape for .
- Pick h_{1},\dots,h_{q} \xleftarrow{\}H$.
- Run adversary on inputs to get outputs .
- If , output , halt. This means adversary was not able to break the scheme.
- Pick h'_{i},\dots,h'_{q} \xleftarrow{\}H$
- Run .
- If and , then output . This means if was able to break the scheme at same index, with a different forgery, then output the two forgeries.
Let denote probability that will output , then .
The index can be thought as a fork in the algorithm, where probability that some of initial inputs and query remains same is denoted by , then adversary re-generates the inputs after the branching point, but are generated from some random oracle.
More intuitively, can be thought as probabilistic algorithm that uses adversary to create forgery for a signature algorithm. Now, on input , simulates random oracle for , and answers its queries the first time honestly, sampling uniformly from set . is able to output a forged signature for input. Now, rewinds to index, and simulate a random oracle for the rest of the run. If outputs another forged signature , then is successful.