Confusion in proof details of General Forking Lemma in paper [BN06]

Question

In ACM CCS 2006, Mihir Bellare and Gregory Neven gave an elegant proof of General Forking Lemma [https://doi.org/10.1145/1180405.1180453]. However, it makes me really confused about steps to prove $\Pr[I'=I \land I \geq 1]\geq acc(x)^2/q$ in Page 11 of [BN06]. Although I try my best, it seems I can't understand why we can get Step 2 from Step 1 shown in the figure. Especially, why we can get $\frac{1}{\lvert\mathcal{R}\rvert\cdot \lvert H\rvert^{i-1}}$If you could offer some idea, I will appreciate it very much.

Answer 1

The term $\frac{1}{\lvert\mathcal{R}\rvert\cdot \lvert H\rvert^{i-1}}$ is the inverse of the number of possible tuples $\rho,h_1,\dots,h_{i-1}$ that the inner sum is over - in particular, they expand the probability to be the average probability over all possible shared histories, since all are equally likely.

Answer 2

The equality in step 2 can be found from a direct computation. Let's make a few observations first: We view $\mathtt{A}$ as a deterministic function from $X \times H^q \times R \to [0,q]$ ($\mathtt{A}$'s output is deterministic once we fix the hash values and the $\mathtt{A}$ random tape). In the following, we'll view the hash values as split into two parts that we'll denote as $h^*_{1}, h^*_{2}$. This split will depend on a value $i$ so that $h^*_{1} = h_{1},\ldots, h_{i-1}$ and $h^*_{2} = h_{i},\ldots, h_{q}$. Furthermore, $I, I'$ are random variables corresponding to $\mathtt{A}$'s output on $(x, h^q, \rho)$. For a given $x$, we can compute the probability distribution of $I$. Let $\mathcal{I}$ be the indicator function, then: $$\Pr[I = i] = \sum_{h^*_{1}, h^*_{2}, \rho} \frac{1}{|H|^q*R}\mathcal{I}(A(x,h^*_{1}, h^*_{2}, \rho) = i).$$ Now we want to compute $\Pr[I = I' = i]$. $I$ and $I'$ correspond to related experiment with the difference that for $I'$, $\mathtt{A}$ takes as input $(x, h^*_{1}, h'^*_{2}, \rho)$ where $h'^*_{2}$ is sampled independently anew. So we have $$\Pr[I = I' = i] = \sum_{h^*_{1}, h^*_{2}, h'^*_{2}, \rho} \frac{1}{|H|^q*R*|H|^{q-i+1}}\times\mathcal{I}(A(x,h^*_{1}, h^*_{2}, \rho) = i)\times\mathcal{I}(A(x,h^*_{1}, h'^*_{2}, \rho) = i).$$ Next we "factor out" $h^*_{1}$ and get the $$\begin{align} \Pr[I = I' = i] &= \sum_{h^*_{1}, \rho} \frac{1}{|H|^{i-1}*R} \sum_{h^*_{2}, h'^*_{2}} \frac{1}{|H|^{q-i+1}*|H|^{q-i+1}}\times\mathcal{I}(A(x,h^*_{1}, h^*_{2}, \rho) = i)\times\mathcal{I}(A(x,h^*_{1}, h'^*_{2}, \rho) = i) \\ &= \sum_{h^*_{1}, \rho} \frac{1}{|H|^{i-1}*R} \sum_{h^*_{2}, h'^*_{2}} \frac{1}{|H|^{q-i+1}*|H|^{q-i+1}}\times\mathcal{I}(A(x,h^*_{1}, h^*_{2}, \rho) = i)\times\mathcal{I}(A(x,h^*_{1}, h'^*_{2}, \rho) = i) \\ \\ &= \sum_{h^*_{1}, \rho} \frac{1}{|H|^{i-1}*R} \sum_{h^*_{2}, h'^*_{2}} \frac{1}{|H|^{q-i+1}}\mathcal{I}(A(x,h^*_{1}, h^*_{2}, \rho) = i) \sum_{h'^*_{2}}\frac{1}{|H|^{q-i+1}}\times\mathcal{I}(A(x,h^*_{1}, h'^*_{2}, \rho) = i) \end{align}$$ Now let's define $X_{i}(h^*_{1}, \rho) = \sum_{h'^*_{2}}\frac{1}{|H|^{q-i+1}}\times\mathcal{I}(A(x,h^*_{1}, h'^*_{2}, \rho) = i)$, then we have $$\begin{align} \Pr[I = I' = i] &= \sum_{h^*_{1}, \rho} \frac{1}{|H|^{i-1}*R} \sum_{h^*_{2}, h'^*_{2}} \frac{1}{|H|^{q-i+1}}\mathcal{I}(A(x,h^*_{1}, h^*_{2}, \rho) = i)*X_{i}(h^*_{1}, \rho) \\ &= \sum_{h^*_{1}, \rho} \frac{1}{|H|^{i-1}*R} * X_{i}(h^*_{1}, \rho) \sum_{h^*_{2}, h'^*_{2}} \frac{1}{|H|^{q-i+1}}\mathcal{I}(A(x,h^*_{1}, h^*_{2}, \rho) = i) \\ &= \sum_{h^*_{1}, \rho} \frac{1}{|H|^{i-1}*R} * X_{i}(h^*_{1}, \rho) * X_{i}(h^*_{1}, \rho) \end{align}$$