Pseudo-free families of finite computational elementary abelian p-groups

2.1 General preliminaries

In this paper, ℕ denotes the set of all nonnegative integers. Let m,n∈ℕ. For a set X, we denote by Xn the set of all (ordered) n-tuples of elements from X and by Xm×n the set of all m×n matrices over X. When necessary, we consider tuples as matrices with one row. As usual, (xi,j) denotes the m×n matrix (for some specified m and n) whose (i,j) entry is xi,j for all i∈{1,…,m} and j∈{1,…,n}. The transpose of a matrix M is denoted by M𝖳.

We consider elements of {0,1}n as bit strings of length n. Furthermore, let {0,1}≤n=⋃i=0n{0,1}i and {0,1}*=⋃i=0∞{0,1}i. If u,v∈{0,1}*, then we denote by |u| the length of u and by uv the concatenation of u and v. The unary representation of n, i.e., the string of n ones, is denoted by 1n. Similarly, 0n denotes the string of n zeros.

Let I be a set. Suppose each i∈I is assigned an object qi. Then we denote by (qi∣i∈I) the family of all such objects and by {qi∣i∈I} the set of all elements of this family.

When necessary, we assume that all “finite” objects (e.g., integers, tuples of integers, tuples of tuples of integers) are represented by bit strings in some natural way. Sometimes we identify such objects with their representations. Unless otherwise specified, integers are represented by their binary expansions.

Throughout the paper, p denotes an arbitrary fixed prime number. Also, we denote by ℤp the set {0,…,p-1}. If necessary, this set is considered as a field under addition and multiplication modulo p or as the additive group of this field. The intended meaning will be clear from the context.

In this paper, we deal with elementary abelian p-groups. Recall that a group G is called an elementary abelian p-group if G is abelian and p⁢g=0 for any g∈G. (We use additive notation for abelian groups.) In fact, elementary abelian p-groups are the same as vector spaces over the field ℤp. Therefore a group is an elementary abelian p-group if and only if it is isomorphic to a direct power of the additive group of this field. For any n∈ℕ and any group G, Gn denotes the nth direct power of G. If S is a system of elements of a group, then we denote by 〈S〉 the subgroup of this group generated by S.

For convenience, we say that a function π:ℕ→ℕ∖{0} is a polynomial if there exist c∈ℕ∖{0} and d∈ℕ such that π⁢(n)=c⁢nd for any n∈ℕ∖{0} (π⁢(0) can be an arbitrary positive integer).

2.2 Probabilistic preliminaries

Let 𝒳 be a probability distribution on a finite or countably infinite sample space X. Then we denote by supp⁡𝒳 the support of 𝒳, i.e., the set {x∈X∣Pr𝒳⁡{x}≠0}. In many cases, one can consider 𝒳 as a distribution on supp⁡𝒳. Suppose α is a function from X to a finite or countably infinite set Y. Then α can be considered as a random variable. The distribution of this random variable is denoted by α⁢(𝒳). Recall that this distribution is defined by Prα⁢(𝒳)⁡{y}=Pr𝒳⁡α-1⁢(y) for each y∈Y.

We use the notation 𝐱1,…,𝐱n←𝒳 to indicate that 𝐱1,…,𝐱n (denoted by upright bold letters) are independent random variables distributed according to 𝒳. We assume that these random variables are independent of all other random variables defined in such a way. Furthermore, all occurrences of an upright bold letter (possibly indexed or primed) in a probabilistic statement refer to the same (unique) random variable. Of course, all random variables in a probabilistic statement are assumed to be defined on the same sample space. Other specifics of random variables do not matter for us. Note that the probability distribution 𝒳 in this notation can be random. For example, suppose (𝒳i∣i∈I) is a probability ensemble consisting of distributions on the set X, where the set I is also finite or countably infinite. Moreover, let ℐ be a probability distribution on I. Then 𝐢←ℐ and 𝐱←𝒳𝐢 mean that the joint distribution of the random variables 𝐢 and 𝐱 is given by Pr⁡[𝐢=i,𝐱=x]=Prℐ⁡{i}⁢Pr𝒳i⁡{x} for each i∈I and x∈X.

For any n∈ℕ, we denote by 𝒳n the distribution of (𝐱1,…,𝐱n), where 𝐱1,…,𝐱n←𝒳. Similarly, for arbitrary m,n∈ℕ, 𝒳m×n denotes the distribution of (𝐱i,j), where 𝐱i,j←𝒳 for all i∈{1,…,m} and j∈{1,…,n}.

The notation x1,…,xn←𝒳 indicates that x1,…,xn (denoted by upright medium-weight letters) are fixed elements of the set X chosen independently at random according to the distribution 𝒳.

Let ℛ and 𝒮 be probability distributions on the set X. Then the statistical distance (also known as variation distance) between ℛ and 𝒮 is defined as

It is well known that Δ⁢(ℛ,𝒮)=maxM⊆X⁡|Prℛ⁡M-Pr𝒮⁡M|. See also, e.g., [16, Section 8.8] or [10, Lecture 7].

For a nonempty finite set Z, we denote by 𝒰⁢(Z) the uniform probability distribution on Z.

2.3 Computational and cryptographic preliminaries

We need to generate random elements y←𝒰⁢(ℤp). But if p≠2, then there is no probabilistic bounded-time algorithm (in the standard sense) that does this (see [16, Exercise 9.4]). For this reason, we slightly modify the standard definition of a probabilistic algorithm. The only modification we make to this definition is allowing a probabilistic algorithm to use random elements y←𝒰⁢(ℤp) instead of random bits b←𝒰⁢({0,1}). (Recall that p is fixed.) Unless otherwise specified, probabilistic algorithms considered in this paper use random elements of ℤp. Note that there exists a probabilistic polynomial-time algorithm A such that A uses random bits and for any n∈ℕ the statistical distance between the distribution of A⁢(1n) and 𝒰⁢(ℤp) is at most 2-n (see [16, Algorithm RN′, Section 9.2]). Similarly, it is easy to see that there exists a probabilistic polynomial-time algorithm B such that B uses random elements of ℤp and for any n∈ℕ the statistical distance between the distribution of B⁢(1n) and 𝒰⁢({0,1}) is at most p-n. This shows that the computational power of probabilistic polynomial-time algorithms using random elements of ℤp is almost the same as that of such algorithms using random bits.

Let 𝒳=(𝒳i∣i∈I) be a probability ensemble consisting of distributions on {0,1}*, where I⊆{0,1}* or I⊆ℕ. Then 𝒳 is called polynomial-time samplable (or polynomial-time constructible) if there exists a probabilistic polynomial-time algorithm A such that for every i∈I the distribution of A⁢(i) (if I⊆{0,1}*) or A⁢(1i) (if I⊆ℕ) coincides with 𝒳i. It is evident that if 𝒳 is polynomial-time samplable, then there exists a polynomial π satisfying supp⁡𝒳i⊆{0,1}≤π⁢(|i|) (if I⊆{0,1}*) or supp⁡𝒳i⊆{0,1}≤π⁢(i) (if I⊆ℕ) for any i∈I.

Suppose K is an infinite set of nonnegative integers, D is a subset of {0,1}*, and 𝒟=(𝒟k∣k∈K) is a polynomial-time samplable probability ensemble consisting of distributions on D. Let ℰk be the distribution of (1k,𝐝), where k∈K and 𝐝←𝒟k, and let ℰ=(ℰk∣k∈K). Then ℰ is a polynomial-time samplable probability ensemble. Also, denote ⋃k∈Ksupp⁡ℰk by E. That is, E={(1k,d)∣k∈K,d∈supp⁡𝒟k}. This notation is used throughout the paper.

A function ϵ:K→{r∈ℝ∣r≥0} is called negligible if for every polynomial π there exists a nonnegative integer n such that ϵ⁢(k)≤1/π⁢(k) whenever k∈K and k≥n. We denote by negl an unspecified negligible function on K. Any (in)equality containing negl⁡(k) is meant to hold for all k∈K.

Let (𝐫k∣k∈K) and (𝐬k∣k∈K) be probability ensembles consisting of random variables that take values in {0,1}*. Then these ensembles are said to be computationally indistinguishable (or indistinguishable in polynomial time) if for any probabilistic polynomial-time algorithm A,

Furthermore, two probability ensembles (ℛk∣k∈K) and (𝒮k∣k∈K) consisting of distributions on {0,1}* are said to be computationally indistinguishable (or indistinguishable in polynomial time) if (𝐫k∣k∈K) and (𝐬k∣k∈K) are computationally indistinguishable, where 𝐫k←ℛk and 𝐬k←𝒮k for all k∈K.

Let d∈D. It is evident that if ϕd is a homomorphism from Hd to a group Gd⊆{0,1}*, then ∘d is well defined and coincides with the restriction of the multiplication in Gd to the subgroup ϕd⁢(Hd). Also, it is easy to see that the operation ∘d is well defined if and only if ϕd-1⁢(ϕd⁢(1)) is a normal subgroup of Hd and ϕd-1⁢(ϕd⁢(y))=y⁢ϕd-1⁢(ϕd⁢(1)) for all y∈Hd. In particular, this holds if ϕd is one-to-one.

We emphasize that a homomorphic family of functions does not just consist of group homomorphisms. It is also required that multiplication, inversion, and computing the identity element in the group ϕd⁢(Hd) can be performed in polynomial time when d is given. Note that we use the term “homomorphic family of functions” by analogy with the term “homomorphic encryption”.

We will use Definition 2.1 in the case when Hd is an elementary abelian p-group for each d∈D. In this case, of course, we will switch to additive notation. It is evident that if Hd is an elementary abelian p-group and ∘d is well defined, then ϕd⁢(Hd) is an elementary abelian p-group under ∘d as a homomorphic image of Hd.

Note that the restriction of any polynomial to a set I⊆ℕ is a polynomial parameter on I.

Let Φ=(ϕd:Yd→{0,1}*∣d∈D) be a family of functions such that there exists a polynomial η satisfying Yd⊆{0,1}≤η⁢(|d|) for all d∈D. Recall that the family Φ is called polynomial-time computable if the function (d,y)↦ϕd⁢(y) (where d∈D and y∈Yd) is polynomial-time computable. Moreover, recall that a collision for a function ϕ is a pair of distinct elements in its domain having the same image under ϕ.

In particular, if ϕd is one-to-one for each d∈D, then Φ is collision-intractable with respect to 𝒟.

We use the term “one-way family of functions” instead of the more common term “family of one-way functions” because one-wayness is a property of the whole family of functions rather than of its individual members. For the same reason, we use the terms “homomorphic family of functions” and “collision-intractable family of functions”.

The next lemma is well known.

Lemma 2.7 can be proved using an argument similar to that used in [6, proof of Proposition 8.4] (see also [6, Proposition 8.2]). We will apply Lemma 2.7 to families Φ consisting of group homomorphisms that are not one-to-one. It is evident that if ϕ is such a homomorphism defined on a group Y, then ϕ-1⁢(ϕ⁢(y))≠{y} for all y∈Y.

We need the following variant of the well-known Goldreich–Levin theorem for ℤp.

Note that for any y=(y1,…,yn)∈ℤpn and z=(z1,…,zn)∈ℤpn (where n∈ℕ), y⁢z𝖳 is the inner product of y and z over the field ℤp, i.e., y1⁢z1+…+yn⁢zn.

3.1 Families of computational elementary abelian p-groups

Loosely speaking, a family of computational groups consists of groups Gd (where d∈D) whose elements are represented by bit strings in such a way that equality testing, multiplication, inversion, computing the identity element, and sampling random elements in Gd can be performed efficiently when d is given. See [1, Definition 3.1] for a formal definition of a family of computational groups. In this paper, we consider only families (Gd∣d∈D) of computational elementary abelian p-groups such that the following additional conditions hold:

1. For any d∈D, each element of Gd is represented by a single bit string. Hence we can assume that Gd⊆{0,1}* and that the representation of each element g∈Gd is g itself.

2. There exists a polynomial η such that Gd⊆{0,1}≤η⁢(|d|) for all d∈D. In this case, the family of computational groups has exponential size, i.e., there exists a polynomial η′ such that |Gd|≤2η′⁢(|d|) for all d∈D. See also [1, Definition 3.2]. As noted in [1], pseudo-free families that do not have exponential size per se are of little interest.

Now we give a formal definition of a family of computational elementary abelian p-groups (with the above restrictions).

For example, if ρ is a polynomial parameter on D, then ((ℤpρ⁢(d),𝒰(ℤpρ⁢(d)))∣d∈D) is a family of computational elementary abelian p-groups. Note that before Definition 3.1 we do not specify the distributions on the sets of representations of group elements when speaking of families of computational groups. This is because these distributions do not matter for us there.

In the rest of the paper, Γ=((Gd,𝒢d)∣d∈D) denotes a family of computational elementary abelian p-groups.

3.2 Pseudo-free families of computational elementary abelian p-groups

Suppose F∞,∞ is the elementary abelian p-group with basis a1,a2,…,x1,x2,… (as a vector space over the field ℤp). We consider F∞,∞ as a free group in the variety of all elementary abelian p-groups. Furthermore, let F∞=〈a1,a2,…〉, Fm,n=〈a1,…,am,x1,…,xn〉, and Fm=Fm,0=〈a1,…,am〉 for any m,n∈ℕ. It is well known that ai and xj (for all i,j∈ℕ∖{0}) can be considered as variables taking values in an arbitrary elementary abelian p-group G. Namely, suppose w=∑i=1∞yi⁢ai+∑j=1∞zj⁢xj∈F∞,∞, where yi,zj∈ℤp for all i,j∈ℕ∖{0}. Here, of course, y1,y2,…,z1,z2,… are uniquely determined by w and the sets Iw={i∈ℕ∖{0}∣yi≠0} and Jw={j∈ℕ∖{0}∣zj≠0} are finite. Assume that w∈Fm,n for some m,n∈ℕ. (This means that yi=zj=0 for all i>m and j>n.) Let g=(g1,…,gm,…) be an m′-tuple, where m′≥m, or an infinite sequence of elements of G. Similarly, let h=(h1,…,hn,…) be an n′-tuple, where n′≥n, or an infinite sequence of elements of G. Then the element w⁢(g;h)∈G is defined as y1⁢g1+…+ym⁢gm+z1⁢h1+…+zn⁢hn. Whenever n=0, we omit the semicolon in this notation, i.e., we write w⁢(g) instead of w(g;). Note that w=w⁢(a;x), where, of course, a=(a1,a2,…) and x=(x1,x2,…).

In this paper, we use either of the two following representations of the element w for computational purposes:

1. (((i1,yi1),…,(is,yis)),((j1,zj1),…,(jt,zjt))), where {i1,…,is}=Iw, i1<⋯<is, {j1,…,jt}=Jw, and j1<…<jt.

2. ((y1,…,ym),(z1,…,zn)), where m=max⁡Iw and n=max⁡Jw. Here we put max⁡∅=0.

All our results depending on such a representation hold for both representations defined above. Note that every element of F∞,∞ has a unique representation of each of the above forms.

Let G be an elementary abelian p-group and let g=(g1,…,gm)∈Gm, where m∈ℕ. Denote by Σ⁢(G,g) the set of all tuples ((v1,w1),…,(vs,ws),h) such that the following conditions hold:

1. s∈ℕ∖{0}, h∈Gn for some n∈ℕ, and v1,w1,…,vs,ws∈Fm,n.

2. The system of equations

   vi⁢(a;x)=wi⁢(a;x),i=1,…,s,

   over variables x1,…,xn is unsatisfiable in Fm (or, equivalently, in F∞).

3. vi⁢(g;h)=wi⁢(g;h) in G for all i∈{1,…,s}.

A more general definition of a pseudo-free family of computational groups (in an arbitrary variety 𝔙 of groups with respect to 𝒟 and a representation for elements of the 𝔙-free group by bit strings) was given in [1, Definition 3.3]. Our Definition 3.5 is a special case of that definition (in the variety of all elementary abelian p-groups and with respect to the above representations for elements of F∞,∞).

3.3 Weak pseudo-freeness and its equivalence to pseudo-freeness for families of computational elementary abelian p-groups

We define a weakly pseudo-free family of computational elementary abelian p-groups similarly to the definition of a weakly pseudo-free family of computational groups given by Rivest in [14, Slide 11]. For an elementary abelian p-group G and a tuple g=(g1,…,gm)∈Gm, where m∈ℕ, let

The condition of the next definition is obtained from the condition of Definition 3.5 by replacing Σ⁢(G𝐝,𝐠) by Σ′⁢(G𝐝,𝐠).

In what follows, bearing in mind Theorem 3.7, we do not use the terms “weakly pseudo-free” and “weak pseudo-freeness” when speaking of families of computational elementary abelian p-groups.

3.4 Some remarks