CC BY 4.0 license. Open Access. Published by De Gruyter, November 25, 2020

Pseudo-free families of computational universal algebras

  • Mikhail Anokhin

Abstract

Let Ω be a finite set of finitary operation symbols. We initiate the study of (weakly) pseudo-free families of computational Ω-algebras in arbitrary varieties of Ω-algebras. A family (Hd | d ∈ D) of computational Ω-algebras (where D ⊆ {0, 1}*) is called polynomially bounded (resp., having exponential size) if there exists a polynomial η such that for all d ∈ D, the length of any representation of every h ∈ Hd is at most η(|d|) (resp., $|H_d| \le 2^{\eta(|d|)}$). First, we prove the following trichotomy: (i) if Ω consists of nullary operation symbols only, then there exists a polynomially bounded pseudo-free family; (ii) if Ω = Ω0 ∪ {ω}, where Ω0 consists of nullary operation symbols and the arity of ω is 1, then there exist an exponential-size pseudo-free family and a polynomially bounded weakly pseudo-free family; (iii) in all other cases, the existence of polynomially bounded weakly pseudo-free families implies the existence of collision-resistant families of hash functions. In this trichotomy, (weak) pseudo-freeness is meant in the variety of all Ω-algebras. Second, assuming the existence of collision-resistant families of hash functions, we construct a polynomially bounded weakly pseudo-free family and an exponential-size pseudo-free family in the variety of all m-ary groupoids, where m is an arbitrary positive integer.

MSC 2010: 94A60; 08A70; 08A62; 68Q17

1 Introduction

Informally, a family of computational groups is a family of groups whose elements are represented by bit strings in such a way that equality testing, multiplication, inversion, computing the identity element, and generating random elements can be performed efficiently. Loosely speaking, a family of computational groups is called pseudo-free if, given a random member G of the family (for a given security parameter) and random elements g1, . . . , gm ∈ G, it is computationally hard to find a system of group equations

(1) $$v_i(a_1,\dots,a_m;\,x_1,\dots,x_n) = w_i(a_1,\dots,a_m;\,x_1,\dots,x_n),\quad i \in \{1,\dots,s\},$$

in the variables x1, . . . , xn together with elements h1, . . . , hn ∈ G such that (1) is unsatisfiable in the free group freely generated by a1, . . . , am, but

$$v_i(g_1,\dots,g_m;\,h_1,\dots,h_n) = w_i(g_1,\dots,g_m;\,h_1,\dots,h_n)$$

in G for all i ∈ {1, . . . , s}. If a family of computational groups satisfies this definition with the additional requirement that n = 0 (i.e., that the equations in (1) be variable-free), then this family is said to be weakly pseudo-free. Of course, (weak) pseudo-freeness depends heavily on the form in which system (1) is required to be found, i.e., on the representation of such systems.

The notion of pseudo-freeness (which is a variant of weak pseudo-freeness in the above sense) was introduced by Hohenberger in [19, Section 4.5] (for black-box groups). Rivest gave formal definitions of a pseudo-free family of computational groups (see [26, Definition 2], [27, Slide 17]) and a weakly pseudo-free one (see [27, Slide 11]). Note that the definitions of (weak) pseudo-freeness in those works are based on single group equations rather than systems of group equations. For motivation of the study of pseudo-freeness, we refer the reader to [19, 22, 26].

Let Ω be a finite set of finitary operation symbols and let 𝔙 be a variety of Ω-algebras. (See Subsection 2.2 for definitions.) Then the notions of pseudo-freeness and weak pseudo-freeness can be naturally extended to families of computational Ω-algebras in the variety 𝔙. Informally, a family of computational Ω-algebras is a family of Ω-algebras whose elements are represented by bit strings in such a way that equality testing, the fundamental operations, and generating random elements can be performed efficiently. To define a (weakly) pseudo-free family of computational Ω-algebras in 𝔙, we require that all Ω-algebras in the family belong to 𝔙 and replace the free group by the 𝔙-free Ω-algebra in the above definition of a (weakly) pseudo-free family of groups. In this case, vi(a1, . . . , am; x1, . . . , xn) and wi(a1, . . . , am; x1, . . . , xn) in (1) are elements of the 𝔙-free Ω-algebra freely generated by a1, . . . , am, x1, . . . , xn. Of course, (weakly) pseudo-free families in different varieties are completely different objects.

1.1 Related work

Until now, researchers have considered pseudo-freeness (in various versions) only in the varieties of all groups [1, 17–19, 26, 27], of all abelian groups [3, 9, 12, 13, 14, 18–20, 22, 26, 27], and of all elementary abelian p-groups, where p is a prime [2]. A survey of some results concerning pseudo-freeness can be found in [11, Chapter 1]. Here we give some examples of candidates for (weakly) pseudo-free families of computational groups. These families are presented in the form ((Gd, 𝒢d) | d ∈ D), where D ⊆ {0, 1}*, Gd is a group whose every element is represented by a single bit string of length polynomial in the length of d, and 𝒢d is a probability distribution on Gd (d ∈ D). Of course, multiplication, inversion, and computing the identity element in Gd are required to be performed efficiently when d is given. Furthermore, given (d, 1k), one can efficiently generate random elements of Gd according to a probability distribution that is statistically $2^{-k}$-close to 𝒢d. For a positive integer n, denote by ℤn the set {0, . . . , n − 1} considered as a ring under addition and multiplication modulo n and by $\mathbb{Z}_n^*$ the group of units of ℤn. Also, let 𝕊n and 𝕆n be the subgroups of squares in $\mathbb{Z}_n^*$ (i.e., $\{z^2 \bmod n \mid z \in \mathbb{Z}_n^*\}$) and of elements of odd order in $\mathbb{Z}_n^*$, respectively. We denote by 𝒰(Y) the uniform probability distribution on a nonempty finite set Y.

Suppose N is the set of all products of two distinct primes. Rivest conjectured that the family $((\mathbb{Z}_n^*, \mathcal{U}(\mathbb{Z}_n^*)) \mid n \in N)$ is pseudo-free in the variety 𝔄 of all abelian groups (super-strong RSA conjecture, see [26, Conjecture 1], [27, Slide 18]). A natural candidate for a pseudo-free family in the variety of all groups is ((GL2(ℤn), 𝒰(GL2(ℤn))) | n ∈ N), where GL2(ℤn) is the group of invertible 2 × 2 matrices over ℤn (see [8]). If both p and 2p+1 are prime numbers, then p is called a Sophie Germain prime and 2p+1 is said to be a safe prime. Let S be the set of all products of two distinct safe primes. Micciancio [22] proved that the family $((\mathbb{Z}_n^*, \mathcal{U}(\mathbb{S}_n)) \mid n \in S)$ is pseudo-free in 𝔄 under the strong RSA assumption for S as the set of moduli. Informally, the last assumption is that, given a random n ∈ S (for a given security parameter) and a uniformly random $g \in \mathbb{Z}_n^*$, it is computationally hard to find an integer e ≥ 2 together with an eth root of g in $\mathbb{Z}_n^*$. It is easy to see that if n ∈ S and the prime factors of n are different from 5, then 𝕊n = 𝕆n. Therefore the above result of Micciancio remains valid if we replace 𝕊n by 𝕆n in it. The same result as in [22], but with slightly different representations of group elements by bit strings and different distributions of random elements of the groups, was obtained by Jhanwar and Barua [20]. Moreover, Catalano, Fiore, and Warinschi [9] proved that under the same assumption as in the above result of Micciancio, the family $((\mathbb{Z}_n^*, \mathcal{U}(\mathbb{S}_n)) \mid n \in S)$ satisfies an apparently stronger condition than pseudo-freeness in 𝔄. That condition, called adaptive pseudo-freeness, was introduced in [9].

Note that it is unknown whether the set S is infinite. Indeed, this holds if and only if there are infinitely many Sophie Germain primes, which is a well-known unproven conjecture in number theory. Thus, the assumption used in [9, 20, 22] is very strong.

Assume that finding a nontrivial divisor of a random number in some set C of composite numbers (for a given security parameter) is a computationally hard problem. Then Anokhin [3] proved that the family ((𝕆n, 𝒰(𝕆n)) | n ∈ C) is weakly pseudo-free in 𝔄. It is evident that this result also holds for $((\mathbb{Z}_n^*, \mathcal{U}(\mathbb{O}_n)) \mid n \in C)$. Compared to the above result of Micciancio, this is a weaker statement, but it is proved under a much weaker cryptographic assumption.

There are many constructions of cryptographic objects based on classical algebraic structures (e.g., groups). However, to the best of our knowledge, there are only a few works concerning both universal algebra and cryptography. Probably the first such work is by Artamonov and Yashchenko [5]. In that work, the authors introduced and studied the notion of a pk-algebra that naturally formalizes the syntax of a one-round two-party key agreement scheme. See also the extended version [4] of [5]. Partala [25] proposed a generalization of the well-known Diffie–Hellman key agreement scheme based on universal algebras. Moreover, he considered some approaches to the instantiation of the proposed scheme. Loosely speaking, that scheme is secure if it is computationally hard to compute images under an unknown homomorphism (in a certain setting). See also [23] (a preliminary version of [25]) and the thesis [24].

1.2 Organization of the paper and our contributions

In this paper, we initiate the study of (weakly) pseudo-free families of computational Ω-algebras in arbitrary varieties of Ω-algebras. We hope that the study of these families will open up new opportunities in mathematical cryptography.

The rest of the paper is organized as follows. Section 2 contains notation, basic definitions, and general results used in the paper. In Section 3, we formally define and discuss (weakly) pseudo-free families of computational Ω-algebras and related notions. In particular, the results of Subsections 3.4–3.5 can be considered as tools for constructing (weakly) pseudo-free families of computational Ω-algebras.

Let 𝔒 denote the variety of all Ω-algebras. In Section 4, we study the following question: When do polynomially bounded (weakly) pseudo-free families in 𝔒 exist unconditionally? A family 𝙷 = (Hd | d ∈ D) of computational Ω-algebras (where D ⊆ {0, 1}*) is called polynomially bounded if there exists a polynomial η such that the length of any representation of every h ∈ Hd is at most η(|d|) for all d ∈ D. (See also Definition 3.3.) Furthermore, the family 𝙷 is said to have exponential size if there exists a polynomial η such that $|H_d| \le 2^{\eta(|d|)}$ for all d ∈ D. (See Definition 3.2.) It should be noted that a (weakly) pseudo-free family can have applications in cryptography only if it is polynomially bounded or at least has exponential size. (Weakly) pseudo-free families that do not have exponential size per se are of little interest; they can be constructed unconditionally (see Subsection 3.4). Loosely speaking, the main results of Section 4 can be summarized as follows:

  (i) If Ω consists of nullary operation symbols only, then there exists a polynomially bounded pseudo-free family in 𝔒.

  (ii) Assume that Ω = Ω0 ∪ {ω}, where Ω0 consists of nullary operation symbols and the arity of ω is 1. Then there exist an exponential-size pseudo-free family and a polynomially bounded weakly pseudo-free family (both in 𝔒).

  (iii) In all other cases, the existence of polynomially bounded weakly pseudo-free families in 𝔒 implies the existence of collision-resistant families of hash functions. Thus, in these cases, such weakly pseudo-free families cannot be constructed unconditionally.

Moreover, the (weakly) pseudo-free families in results (i)–(ii) have unique representations of elements, i.e., each element of any Ω-algebra in these families is represented by a single bit string. (See Definition 3.4.) This property seems to be useful in applications. For precise statements of these results, see Subsection 4.3 and references therein.

In Section 5, we consider the case where Ω consists of a single operation symbol of arbitrary arity m ≥ 1. In this case, Ω-algebras are called m-ary groupoids. Assuming the existence of collision-resistant families of hash functions, we construct a polynomially bounded weakly pseudo-free family and an exponential-size pseudo-free family in the variety of all m-ary groupoids. Moreover, the first family has unique representations of elements. Combining this with the results of Section 4, we obtain that for arbitrary m ≥ 2, polynomially bounded weakly pseudo-free families in the variety of all m-ary groupoids exist if and only if collision-resistant families of hash functions exist. The same holds if the weakly pseudo-free families are additionally required to have unique representations of elements. These results are stated loosely here; for precise statements, we refer the reader to Subsections 5.1–5.2.

Finally, Section 6 concludes and suggests some directions for future research.

2 Preliminaries

2.1 General preliminaries

In this paper, ℕ denotes the set of all nonnegative integers. Let n ∈ ℕ. For a set Y, we denote by Yn the set of all (ordered) n-tuples of elements from Y. The operation of disjoint union is denoted by ⊔. We consider elements of {0, 1}n as bit strings of length n. Furthermore, let $\{0,1\}^{\le n} = \bigcup_{i=0}^{n} \{0,1\}^i$ and $\{0,1\}^* = \bigcup_{i=0}^{\infty} \{0,1\}^i$. If u, v ∈ {0, 1}*, then we denote by |u| the length of u and by uv the concatenation of u and v. The unary representation of n, i.e., the string of n ones, is denoted by $1^n$. Similarly, $0^n$ denotes the string of n zeros.

Let I be a set. Suppose each i ∈ I is assigned an object qi. Then we denote by (qi | i ∈ I) the family of all such objects and by {qi | i ∈ I} the set of all elements of this family.

When necessary, we assume that all “finite” objects (e.g., integers, tuples of integers, tuples of tuples of integers) are represented by bit strings in some natural way. Sometimes we identify such objects with their representations. Unless otherwise specified, integers are represented by their binary expansions.

Suppose ϕ is a function. We denote by dom ϕ the domain of ϕ. Also, we use the same notation for ϕ and for the function (y1, . . . , yn) ↦ (ϕ(y1), . . . , ϕ(yn)), where n ∈ ℕ and (y1, . . . , yn) ∈ (dom ϕ)n.

Let ρ be a function from a subset of {0, 1}* onto a set S and let s ∈ S. Then, unless otherwise specified, [s]ρ denotes an arbitrary preimage of s under ρ. A similar notation was used by Boneh and Lipton in [6] and by Hohenberger in [19]. In general, [s]ρ denotes many strings in {0, 1}* unless ρ is one-to-one. We use any of these strings as a representation of s for computational purposes.

For convenience, we say that a function π: ℕ → ℕ \ {0} is a polynomial if there exist c ∈ ℕ \ {0} and d ∈ ℕ such that $\pi(n) = c n^d$ for any n ∈ ℕ \ {0} (π(0) can be an arbitrary positive integer). Of course, every polynomial growth function from ℕ to ℝ+ = {r ∈ ℝ | r ≥ 0} can be upper bounded by a polynomial in this sense. Therefore this restricted notion of a polynomial is sufficient for our purposes.

2.2 Algebraic preliminaries

In this subsection, we recall the basic definitions and simple facts from universal algebra. For a detailed introduction to this subject, the reader is referred to standard books, e.g., [10], [7], or [28].

Throughout the paper, Ω denotes a set of finitary operation symbols. Each ω ∈ Ω is assigned a non-negative integer called the arity of ω and denoted by ar ω. An Ω-algebra is a set H called the carrier (or the underlying set) together with a family $(\hat\omega\colon H^{\operatorname{ar}\omega} \to H \mid \omega \in \Omega)$ of finitary operations on H called the fundamental operations. For simplicity of notation, the fundamental operation $\hat\omega$ associated with a symbol ω ∈ Ω will be denoted by ω. Furthermore, we denote an Ω-algebra and its carrier by the same symbol.

Let H be an Ω-algebra. A set G ⊆ H is called a subalgebra of H if it is closed under the fundamental operations of H. If S is a system of elements of H, then we denote by 〈S〉 the subalgebra of H generated by S, i.e., the smallest subalgebra of H containing S.

An equivalence relation θ on H is said to be a congruence (on H) if

$$(h_1, h_1'), \dots, (h_{\operatorname{ar}\omega}, h'_{\operatorname{ar}\omega}) \in \theta \implies \bigl(\omega(h_1,\dots,h_{\operatorname{ar}\omega}),\ \omega(h_1',\dots,h'_{\operatorname{ar}\omega})\bigr) \in \theta$$

for any ω ∈ Ω and $h_1, h_1', \dots, h_{\operatorname{ar}\omega}, h'_{\operatorname{ar}\omega} \in H$. Suppose θ is a congruence on H. For arbitrary h ∈ H, we denote by h/θ the equivalence class of h under θ. Moreover, let H/θ = {h/θ | h ∈ H}. Then H/θ is an Ω-algebra whose fundamental operations are well defined as follows:

$$\omega(h_1/\theta, \dots, h_{\operatorname{ar}\omega}/\theta) = \omega(h_1,\dots,h_{\operatorname{ar}\omega})/\theta,\qquad \omega \in \Omega,\ h_1,\dots,h_{\operatorname{ar}\omega} \in H.$$

This Ω-algebra is called the quotient algebra of H by θ. Also, let $\theta^{\ne} = \{(h, h') \in \theta \mid h \ne h'\}$. If ρ: Y → H, then ρ/θ denotes the function y ↦ ρ(y)/θ, where y ∈ Y.

A homomorphism of H to an Ω-algebra L is a function ϕ: H → L such that for every ω ∈ Ω and h1, . . . , har ω ∈ H,

$$\phi\bigl(\omega(h_1,\dots,h_{\operatorname{ar}\omega})\bigr) = \omega\bigl(\phi(h_1),\dots,\phi(h_{\operatorname{ar}\omega})\bigr).$$

If a homomorphism of H onto L is one-to-one, then it is called an isomorphism. Let ϕ: H → L be a homomorphism. Then its kernel is defined as $\{(h, h') \in H^2 \mid \phi(h) = \phi(h')\}$. It is evident that the kernel of ϕ is a congruence on H. For example, if θ is a congruence on H, then h ↦ h/θ (where h ∈ H) is a homomorphism of H onto H/θ (called the natural homomorphism) with kernel θ.

An Ω-algebra with only one element is said to be trivial. It is obvious that all trivial Ω-algebras are isomorphic.

If Ω = {ω}, where ar ω = m ≥ 1, then Ω-algebras are called m-ary groupoids (or m-groupoids). When m = 2, these Ω-algebras are called simply groupoids. Note that some authors consider m-ary groupoids only for m ≥ 2.

Put Ω0 = {ω ∈ Ω | ar ω = 0}. We note that if Ω0 = ∅, then an Ω-algebra can be empty. Whenever ω ∈ Ω0, it is common to write ω instead of ω().

Let Z be a set of objects called variables. We always assume that any variable is not in Ω. The set Tm(Z) of all Ω-terms (or simply terms) over Z is defined as the smallest set such that Ω0 ∪ Z ⊆ Tm(Z) and if ω ∈ Ω \ Ω0 and v1, . . . , var ω ∈ Tm(Z), then the formal expression ω(v1, . . . , var ω) is in Tm(Z). The Ω-terms can be considered as strings over the alphabet consisting of all symbols from Ω ∪ Z, parentheses, and comma. Of course, Tm(Z) is an Ω-algebra under the natural fundamental operations. This Ω-algebra is called the Ω-term algebra over Z.

Suppose v ∈ Tm(Z). Then the set subt(v) of subterms of the term v is defined inductively as follows:

$$\operatorname{subt}(v) = \begin{cases} \{v\} & \text{if } v \in \Omega_0 \cup Z,\\[4pt] \{v\} \cup \bigcup_{i=1}^{\operatorname{ar}\omega} \operatorname{subt}(v_i) & \text{if } v = \omega(v_1,\dots,v_{\operatorname{ar}\omega}),\ \omega \in \Omega \setminus \Omega_0,\ \text{and } v_1,\dots,v_{\operatorname{ar}\omega} \in \operatorname{Tm}(Z). \end{cases}$$

Let the string P(v) over Ω ∪ Z be obtained from the term v by removing all parentheses and commas. The string P(v) is known as the term v written in Polish notation. It is well known that the function v ↦ P(v) (v ∈ Tm(Z)) is one-to-one. Moreover, if the arities of operation symbols occurring in v are known, then v can be easily recovered from P(v). See [10, Chapter III, Section 2] for details, although in that book reverse Polish notation is used.

Consider the case where Z = {z1, z2, . . . }, where z1, z2, . . . are distinct. Assume that v ∈ Tm({z1, . . . , zm}) for some m ∈ ℕ. Furthermore, let h1, . . . , hm ∈ H. Then the element v(h1, . . . , hm) ∈ H is defined inductively in the natural way. It is easy to see that {v(h1, . . . , hm) | v ∈ Tm({z1, . . . , zm})} = 〈h1, . . . , hm〉.
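The term machinery of this subsection, as an added example that is not part of the paper: terms as nested tuples, the map v ↦ P(v) and its inverse given the arities, subt(v), and evaluation v(h1, . . . , hm) in a concrete Ω-algebra. The signature Ω = {e, inv, mul} (arities 0, 1, 2) and the algebra ℤ5 written additively are constructed for illustration; the last function shows two distinct terms that agree in ℤ5, i.e., why a group is trivially far from (weakly) pseudo-free in the variety of all Ω-algebras while it may be pseudo-free in the variety of groups.

```python
from __future__ import annotations
from typing import Callable, Union

# A term is a str (a variable or a nullary symbol, written without "()") or a
# tuple (ω, v_1, ..., v_{ar ω}) for a symbol ω of positive arity.
Term = Union[str, tuple]

# Constructed signature for illustration only (the paper's Ω is arbitrary):
# Ω = {e, inv, mul} with ar e = 0, ar inv = 1, ar mul = 2.
OMEGA: dict[str, int] = {"e": 0, "inv": 1, "mul": 2}


def is_term(v: Term, omega: dict[str, int], variables: set[str]) -> bool:
    """v ∈ Tm(Z): leaves lie in Ω0 ∪ Z, inner nodes are ω ∈ Ω \\ Ω0 with ar ω arguments."""
    assert variables.isdisjoint(omega), "variables must not be in Ω"
    if isinstance(v, str):
        return v in variables or omega.get(v) == 0
    if not isinstance(v, tuple) or len(v) < 2:
        return False
    head, args = v[0], v[1:]
    return omega.get(head, 0) == len(args) and all(is_term(a, omega, variables) for a in args)


def to_polish(v: Term, omega: dict[str, int]) -> list[str]:
    """P(v): the term with all parentheses and commas removed (prefix notation)."""
    if isinstance(v, str):
        return [v]
    out = [v[0]]
    for a in v[1:]:
        out.extend(to_polish(a, omega))
    return out


def from_polish(tokens: list[str], omega: dict[str, int]) -> Term:
    """Recover v from P(v); the arities are exactly what makes this inversion possible."""
    pos = 0

    def parse() -> Term:
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("Polish string ends inside a term")
        tok = tokens[pos]
        pos += 1
        ar = omega.get(tok, 0)          # variables and nullary symbols take no arguments
        return tok if ar == 0 else (tok,) + tuple(parse() for _ in range(ar))

    v = parse()
    if pos != len(tokens):
        raise ValueError("trailing symbols after a complete term")
    return v


def subterms(v: Term) -> set:
    """subt(v), following the inductive definition above."""
    if isinstance(v, str):
        return {v}
    result = {v}
    for a in v[1:]:
        result |= subterms(a)
    return result


def evaluate(v: Term, ops: dict[str, Callable], env: dict[str, object]):
    """v(h_1, ..., h_m): interpret each symbol by the fundamental operation in `ops`
    and each variable z_i by env[z_i]."""
    if isinstance(v, str):
        return env[v] if v in env else ops[v]()
    return ops[v[0]](*(evaluate(a, ops, env) for a in v[1:]))


# Constructed Ω-algebra: the cyclic group Z_5 written additively
# (e ↦ 0, inv ↦ negation mod 5, mul ↦ addition mod 5).
Z5_OPS: dict[str, Callable] = {
    "e": lambda: 0,
    "inv": lambda h: (-h) % 5,
    "mul": lambda g, h: (g + h) % 5,
}


def distinct_terms_equal_in_algebra(v: Term, w: Term, ops, env) -> bool:
    """True when v ≠ w in the term algebra (the free algebra of the variety of all
    Ω-algebras) but v and w take the same value in the concrete algebra `ops`."""
    return v != w and evaluate(v, ops, env) == evaluate(w, ops, env)


if __name__ == "__main__":
    v = ("mul", "a1", ("inv", ("mul", "x1", "e")))
    p = to_polish(v, OMEGA)
    print(" ".join(p), from_polish(p, OMEGA) == v, len(subterms(v)))
    print(evaluate(v, Z5_OPS, {"a1": 3, "x1": 1}))
    # mul(a1, e) and a1 are distinct terms that are equal in every group: such a
    # pair is found without any computation, so no family of groups is weakly
    # pseudo-free in the variety of all Ω-algebras (in the variety of groups the
    # two terms coincide in the free group, so the pair says nothing there).
    print(distinct_terms_equal_in_algebra(("mul", "a1", "e"), "a1", Z5_OPS, {"a1": 4}))
```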

An identity (or a law) over Ω is a closed first-order formula of the form ∀ z1, . . . , zm (v = w), where v, w ∈ Tm({z1, . . . , zm}) (m ∈ ℕ). A class 𝔙 of Ω-algebras is said to be a variety if it can be defined by a set ϒ of identities. This means that for any Ω-algebra G, G ∈ 𝔙 if and only if G satisfies all identities in ϒ. By the famous Birkhoff variety theorem (see, e.g., [10, Chapter IV, Theorem 3.1], [7, Chapter II, Theorem 11.9], or [28, Subsection 3.2.3, Theorem 21]), a class of Ω-algebras is a variety if and only if it is closed under taking subalgebras, homomorphic images, and direct products. Note that if a class of Ω-algebras is closed under taking direct products, then it contains a trivial Ω-algebra as the direct product of the empty family of Ω-algebras. Recall that if (Hi | iI) is a family of Ω-algebras, then the fundamental operations of the direct product of this family are defined as follows:

$$\omega\bigl((h_{1,i} \mid i \in I), \dots, (h_{\operatorname{ar}\omega,i} \mid i \in I)\bigr) = \bigl(\omega(h_{1,i}, \dots, h_{\operatorname{ar}\omega,i}) \mid i \in I\bigr),$$

where ω ∈ Ω and h1,i, . . . , har ω,i ∈ Hi (i ∈ I).

The variety consisting of all Ω-algebras with at most one element is said to be trivial; all other varieties of Ω-algebras are called nontrivial. The trivial variety is defined by the identity ∀ z1, z2 (z1 = z2). When Ω0 = ∅, the trivial variety contains not only trivial Ω-algebras, but also the empty Ω-algebra. If 𝔈 is a class of Ω-algebras, then the variety generated by 𝔈 is the smallest variety of Ω-algebras containing 𝔈. This variety is defined by the set of all identities holding in all Ω-algebras in 𝔈.

Let 𝔙 be a variety of Ω-algebras. Then an Ω-algebra F ∈ 𝔙 is said to be 𝔙-free if it has a generating system (fi | i ∈ I) such that for every system of elements (gi | i ∈ I) of any Ω-algebra G ∈ 𝔙 there exists a homomorphism α: F → G satisfying α(fi) = gi for all i ∈ I (evidently, this homomorphism α is unique). Any generating system (fi | i ∈ I) with this property is called free and the Ω-algebra F is said to be freely generated by every such system. It is well known (see, e.g., [10, Chapter IV, Corollary 3.3], [7, Chapter II, Definition 10.9 and Theorem 10.10], or [28, Subsection 3.2.3, Theorem 16]) that for any set I there exists a unique 𝔙-free Ω-algebra (up to isomorphism) with a free generating system indexed by I. It is easy to see that if 𝔙 is nontrivial, then for each free generating system (fi | i ∈ I) of a 𝔙-free Ω-algebra, the fi are distinct. In this case, one can consider free generating systems as sets.

We denote by F∞,∞(𝔙) the 𝔙-free Ω-algebra freely generated by a1, a2, . . . , x1, x2, . . . . Of course, if 𝔙 is nontrivial, then the elements of this free generating system are assumed to be distinct. Furthermore, suppose m, n ∈ ℕ and let F∞(𝔙) = 〈a1, a2, . . . 〉, Fm,n(𝔙) = 〈a1, . . . , am, x1, . . . , xn〉, and Fm(𝔙) = Fm,0(𝔙) = 〈a1, . . . , am〉. For elements of Fm,n(𝔙), we use the notation v(a1, . . . , am; x1, . . . , xn) = v(a; x), where v is an Ω-term. It is well known that ai and xj can be considered as variables taking values in an arbitrary Ω-algebra G ∈ 𝔙. That is, for any v(a; x) ∈ Fm,n(𝔙), g1, . . . , gm ∈ G, and h1, . . . , hn ∈ G (separated from g1, . . . , gm), the element v(g1, . . . , gm; h1, . . . , hn) ∈ G is well defined as α(v(a; x)), where α is the unique homomorphism of Fm,n(𝔙) to G such that α(ai) = gi and α(xj) = hj for each i ∈ {1, . . . , m} and j ∈ {1, . . . , n}. If g = (g1, . . . , gm) and h = (h1, . . . , hn), then we sometimes write v(g; h) instead of v(g1, . . . , gm; h1, . . . , hn). Whenever n = 0, we omit the semicolon in the above notation (e.g., v(a) = v(a; ) for any v(a; ) ∈ F∞(𝔙)).

Denote by 𝔒 the variety of all Ω-algebras. We write F∞,∞, F∞, Fm,n, and Fm instead of F∞,∞(𝔒), F∞(𝔒), Fm,n(𝔒), and Fm(𝔒), respectively. These Ω-algebras are the Ω-term algebras over the respective sets of variables.

2.3 Probabilistic preliminaries

Let 𝒴 be a probability distribution on a finite or countably infinite sample space Y. Then we denote by supp 𝒴 the support of 𝒴, i.e., the set {y ∈ Y | Pr𝒴{y} ≠ 0}. In many cases, one can consider 𝒴 as a distribution on supp 𝒴. Suppose α is a function from Y to a finite or countably infinite set Z. Then the image of 𝒴 under α, which is a probability distribution on Z, is denoted by α(𝒴). This distribution is defined by $\Pr_{\alpha(\mathcal{Y})}\{z\} = \Pr_{\mathcal{Y}}\,\alpha^{-1}(z)$ for each z ∈ Z.

We use the notation y1, . . . , yn ∼ 𝒴 to indicate that y1, . . . , yn (denoted by upright bold letters) are independent random variables distributed according to 𝒴. We assume that these random variables are independent of all other random variables defined in such a way. Furthermore, all occurrences of an upright bold letter (possibly indexed or primed) in a probabilistic statement refer to the same (unique) random variable. Of course, all random variables in a probabilistic statement are assumed to be defined on the same sample space. Other specifics of random variables do not matter for us. Note that the probability distribution 𝒴 in this notation can be random. For example, suppose (𝒴i | i ∈ I) is a probability ensemble consisting of distributions on the set Y, where the set I is finite or countably infinite. Moreover, let 𝓘 be a probability distribution on I. Then $\mathbf{i} \sim \mathcal{I}$ and $\mathbf{y} \sim \mathcal{Y}_{\mathbf{i}}$ mean that the joint distribution of the random variables $\mathbf{i}$ and $\mathbf{y}$ is given by $\Pr[\mathbf{i} = i, \mathbf{y} = y] = \Pr_{\mathcal{I}}\{i\} \cdot \Pr_{\mathcal{Y}_i}\{y\}$ for each i ∈ I and y ∈ Y.

The notation y1, . . . , yn ← 𝒴 indicates that y1, . . . , yn (denoted by upright medium-weight letters) are fixed elements of the set Y chosen independently at random according to the distribution 𝒴.

For any n ∈ ℕ, we denote by $\mathcal{Y}^n$ the distribution of (y1, . . . , yn), where y1, . . . , yn ∼ 𝒴. Furthermore, if Z is a nonempty finite set, then 𝒰(Z) denotes the uniform probability distribution on Z.

The collision probability CP(𝒴) of the probability distribution 𝒴 is defined by

$$\operatorname{CP}(\mathcal{Y}) = \sum_{y \in Y} \bigl(\Pr_{\mathcal{Y}}\{y\}\bigr)^2 = \Pr[\mathbf{y} = \mathbf{y}'],$$

where y, y′ ∼ 𝒴. The next lemma is well known.

Lemma 2.1

Let Z be a finite set and let 𝒵 be a probability distribution on Z. Then CP(𝒵) ≥ 1/|Z|. Furthermore, CP(𝒵) = 1/|Z| if and only if 𝒵 = 𝒰(Z).

Proof. It is easy to see that

$$\operatorname{CP}(\mathcal{Z}) - \frac{1}{|Z|} = \sum_{z \in Z} \Bigl(\Pr_{\mathcal{Z}}\{z\} - \frac{1}{|Z|}\Bigr)^2.$$

The lemma follows immediately from this. □

2.4 Cryptographic preliminaries

Let 𝒴 = (𝒴i | i ∈ I) be a probability ensemble consisting of distributions on {0, 1}*, where I ⊆ {0, 1}*. Then 𝒴 is called polynomial-time samplable (or polynomial-time constructible) if there exists a probabilistic polynomial-time algorithm A such that for every i ∈ I the distribution of A(i) coincides with 𝒴i. It is easy to see that if 𝒴 is polynomial-time samplable, then there exists a polynomial π satisfying supp 𝒴i ⊆ $\{0,1\}^{\le \pi(|i|)}$ for any i ∈ I. Furthermore, let 𝒵 = (𝒵j | j ∈ J) be a probability ensemble consisting of distributions on {0, 1}*, where J ⊆ ℕ. Unless otherwise specified, when we speak of polynomial-time samplability of 𝒵, we assume that the indices are represented in binary. If, however, these indices are represented in unary, then we specify this explicitly. Thus, the ensemble 𝒵 is called polynomial-time samplable when the indices are represented in unary if there exists a probabilistic polynomial-time algorithm B such that for every j ∈ J the distribution of B($1^j$) coincides with 𝒵j.

Suppose K is an infinite subset of ℕ, D is a subset of {0, 1}*, and 𝒟 = (𝒟k | k ∈ K) is a probability ensemble consisting of distributions on D. We always assume that 𝒟 is polynomial-time samplable when the indices are represented in unary. Furthermore, put $1^K = \{1^k \mid k \in K\}$. This notation is used throughout the paper.

A function ν: K → ℝ+ is called negligible if for every polynomial π there exists a nonnegative integer n such that ν(k) ≤ 1/π(k) whenever k ∈ K and k ≥ n. Of course, if ϵ, ν: K → ℝ+, ν is negligible, and ϵ(k) ≤ ν(k) for all sufficiently large k ∈ K, then ϵ is also negligible. Moreover, it is easy to see that if ν, ν′: K → ℝ+ are negligible and η is a polynomial, then ν(k)+ν′(k) and η(k)ν(k) are negligible as functions of k ∈ K. We denote by negl an unspecified negligible function on K. Any (in)equality containing negl(k) is meant to hold for all k ∈ K.

Definition 2.2

(polynomial parameter; see also [21, Preliminaries]). A function ξ: D → ℕ is called a polynomial parameter on D if the function $d \mapsto 1^{\xi(d)}$ (d ∈ D) is polynomial-time computable. It is easy to see that the function ξ is a polynomial parameter on D if and only if it is polynomial-time computable and there exists a polynomial π satisfying ξ(d) ≤ π(|d|) for all d ∈ D. A function η: I → ℕ, where I ⊆ ℕ, is said to be a polynomial parameter on I if the function $1^i \mapsto \eta(i)$ (i ∈ I) is a polynomial parameter on the set $\{1^i \mid i \in I\}$ in the above sense, i.e., the function $1^i \mapsto 1^{\eta(i)}$ (i ∈ I) is polynomial-time computable.

To avoid confusion, we always specify the domain of a polynomial parameter. Note that the restriction of any polynomial to a set I ⊆ ℕ is a polynomial parameter on I.

Definition 2.3

(family of hash functions). Assume that $D = \bigsqcup_{k \in K} D_k$. For each d ∈ D, define κ(d) to be the unique k ∈ K such that d ∈ Dk. Suppose the following two conditions hold:

  1. There exists a polynomial π such that $D_k \subseteq \{0,1\}^{\le \pi(k)}$ for any k ∈ K.

  2. The function κ: D → K defined above is a polynomial parameter on D.

Furthermore, let ξ and η be polynomial parameters on K. Then a family $(\phi_d\colon \{0,1\}^{\xi(\kappa(d))} \to \{0,1\}^{\eta(\kappa(d))} \mid d \in D)$ of functions is said to be a family of hash functions if this family is polynomial-time computable (i.e., the function $(d, y) \mapsto \phi_d(y)$, where d ∈ D and $y \in \{0,1\}^{\xi(\kappa(d))}$, is polynomial-time computable) and ξ(k) > η(k) for all k ∈ K.

In what follows, we use the assumptions and notation of Definition 2.3 when speaking of families of hash functions. In this case, we also assume that for every k ∈ K, 𝒟k is a probability distribution on Dk.

Recall that a collision for a function ϕ is a pair (y, z) ∈ (dom ϕ)2 such that yz and ϕ(y) = ϕ(z).

Definition 2.4

(collision-resistant family of hash functions). A family $(\phi_d\colon \{0,1\}^{\xi(\kappa(d))} \to \{0,1\}^{\eta(\kappa(d))} \mid d \in D)$ of hash functions is called collision-resistant (or collision-intractable) with respect to 𝒟 if for any probabilistic polynomial-time algorithm A, Pr[A(d) is a collision for ϕd] = negl(k), where d ∼ 𝒟k.

Note that the algorithm A in Definition 2.4 can compute $1^k$ as $1^{\kappa(d)}$.

We use the term “collision-resistant family of hash functions” instead of the more common term “family of collision-resistant hash functions” because collision resistance is a property of the whole family of hash functions rather than of its individual members.

Remark 2.5

Let $(\phi_d\colon \{0,1\}^{\xi(\kappa(d))} \to \{0,1\}^{\eta(\kappa(d))} \mid d \in D)$ be a family of hash functions. Assume that this family is collision-resistant with respect to 𝒟. Suppose A is a probabilistic polynomial-time algorithm that on input d ∈ D chooses $y, y' \leftarrow \mathcal{U}(\{0,1\}^{\xi(\kappa(d))})$ and outputs (y, y′). Let k ∈ K, d ∈ Dk, and $\mathbf{y}, \mathbf{y}' \sim \mathcal{U}(\{0,1\}^{\xi(k)})$. Then

$$\operatorname{negl}(k) = \Pr[A(d)\text{ is a collision for }\phi_d] = \Pr[\phi_d(\mathbf{y}) = \phi_d(\mathbf{y}')] - \Pr[\mathbf{y} = \mathbf{y}'] \ge \frac{1}{2^{\eta(k)}} - \frac{1}{2^{\xi(k)}} \ge \frac{1}{2^{\eta(k)}} - \frac{1}{2^{\eta(k)+1}} = \frac{2^{-\eta(k)}}{2}$$

(see Lemma 2.1; the first inequality uses $\operatorname{CP}(\phi_d(\mathcal{U}(\{0,1\}^{\xi(k)}))) \ge 2^{-\eta(k)}$ and $\Pr[\mathbf{y} = \mathbf{y}'] = 2^{-\xi(k)}$, the second uses ξ(k) > η(k)) and hence $2^{-\eta(k)}$ = negl(k).

The next lemma is well known and can be proved using a variant of the Merkle–Damgård construction (see, e.g., [16, Subsubsection 6.2.3.2]). For completeness, we give a short proof of this lemma.

Lemma 2.6

Let $(\phi_d\colon \{0,1\}^{\xi(\kappa(d))} \to \{0,1\}^{\eta(\kappa(d))} \mid d \in D)$ be a family of hash functions that is collision-resistant with respect to 𝒟. Suppose ξ′ is a polynomial parameter on K satisfying ξ′(k) > η(k) for all k ∈ K. Then there exists a family $(\phi'_d\colon \{0,1\}^{\xi'(\kappa(d))} \to \{0,1\}^{\eta(\kappa(d))} \mid d \in D)$ of hash functions that is collision-resistant with respect to 𝒟.

Proof. For each k ∈ K, put $\beta(k) = \lceil \xi'(k) / (\xi(k) - \eta(k)) \rceil$ and $\delta(k) = \beta(k)(\xi(k) - \eta(k)) - \xi'(k)$. Then β and δ are polynomial parameters on K.

Let d ∈ D, k = κ(d), and $y \in \{0,1\}^{\xi'(k)}$. Express $y0^{\delta(k)}$ as $y_1 \dots y_{\beta(k)}$, where $y_1, \dots, y_{\beta(k)} \in \{0,1\}^{\xi(k) - \eta(k)}$. Define $\gamma_i(y) \in \{0,1\}^{\eta(k)}$ inductively as follows:

$$\gamma_0(y) = 0^{\eta(k)},\qquad \gamma_i(y) = \phi_d\bigl(y_i \gamma_{i-1}(y)\bigr)\ \text{ for } i \in \{1,\dots,\beta(k)\}.$$

Then we put $\phi'_d(y) = \gamma_{\beta(k)}(y)$. It is evident that $(\phi'_d \mid d \in D)$ is a family of hash functions.

Suppose (y, z) is a collision for $\phi'_d$. Let $y0^{\delta(k)} = y_1 \dots y_{\beta(k)}$ and $z0^{\delta(k)} = z_1 \dots z_{\beta(k)}$, where $y_i, z_i \in \{0,1\}^{\xi(k) - \eta(k)}$ for all i ∈ {1, . . . , β(k)}. Since $y0^{\delta(k)} \ne z0^{\delta(k)}$, there exists an i ∈ {1, . . . , β(k)} such that $y_i \gamma_{i-1}(y) \ne z_i \gamma_{i-1}(z)$. Choose the largest such i. Then it is easy to see that $(y_i \gamma_{i-1}(y),\ z_i \gamma_{i-1}(z))$ is a collision for ϕd. This implies that the family $(\phi'_d \mid d \in D)$ is collision-resistant with respect to 𝒟. □
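The construction and the reduction of this proof, as an added example that is not part of the paper: ϕ′_d is built from ϕ_d exactly as above (β, δ, the chain γ_0, . . . , γ_β), and `extract_collision` is the proof's argument run as code, turning a collision for ϕ′_d into one for ϕ_d by taking the largest differing chain input. The compression function ϕ_d (the first η bits of SHA-256 over d and y) and the parameters ξ = 16, η = 8, ξ′ = 30 are constructed for the demonstration; η is deliberately tiny so that a collision for ϕ′_d can be found by the pigeonhole principle, which is the situation Remark 2.5 rules out for a genuinely collision-resistant family.

```python
from __future__ import annotations
import hashlib
from typing import Callable

BitStr = str  # an element of {0,1}^n written as a Python string over "0"/"1"


def compression(d: str, xi: int, eta: int) -> Callable[[BitStr], BitStr]:
    """Constructed toy ϕ_d: {0,1}^ξ → {0,1}^η, the first η bits of SHA-256(d ‖ y).
    It only plays the role of the given family; with a small η it is not collision-resistant."""
    def phi(y: BitStr) -> BitStr:
        assert len(y) == xi and set(y) <= {"0", "1"}
        digest = hashlib.sha256((d + ":" + y).encode()).digest()
        return "".join(f"{b:08b}" for b in digest)[:eta]
    return phi


def md_params(xi: int, eta: int, xi_prime: int) -> tuple[int, int]:
    """β(k) = ⌈ξ'(k) / (ξ(k) − η(k))⌉ and δ(k) = β(k)(ξ(k) − η(k)) − ξ'(k)."""
    assert xi > eta
    beta = -(-xi_prime // (xi - eta))
    return beta, beta * (xi - eta) - xi_prime


def chain_inputs(phi, xi, eta, xi_prime, y: BitStr):
    """The β strings y_i γ_{i−1}(y) fed to ϕ_d while computing ϕ'_d(y), and γ_β(y) = ϕ'_d(y)."""
    beta, delta = md_params(xi, eta, xi_prime)
    block = xi - eta
    padded = y + "0" * delta                      # y 0^δ = y_1 ... y_β
    gamma = "0" * eta                              # γ_0(y) = 0^η
    inputs = []
    for i in range(beta):
        x = padded[i * block:(i + 1) * block] + gamma
        inputs.append(x)
        gamma = phi(x)                             # γ_i(y) = ϕ_d(y_i γ_{i−1}(y))
    return inputs, gamma


def extend(phi, xi, eta, xi_prime) -> Callable[[BitStr], BitStr]:
    """ϕ'_d: {0,1}^ξ' → {0,1}^η of Lemma 2.6, ϕ'_d(y) = γ_β(y)."""
    def phi_prime(y: BitStr) -> BitStr:
        assert len(y) == xi_prime
        return chain_inputs(phi, xi, eta, xi_prime, y)[1]
    return phi_prime


def extract_collision(phi, xi, eta, xi_prime, y: BitStr, z: BitStr):
    """The reduction in the proof: from a collision (y, z) for ϕ'_d, return the pair
    (y_i γ_{i−1}(y), z_i γ_{i−1}(z)) for the largest i at which the chain inputs differ.
    For that i the next chain values agree (for i = β because ϕ'_d(y) = ϕ'_d(z), for
    i < β because the inputs at i + 1 coincide), so the pair is a collision for ϕ_d."""
    in_y, out_y = chain_inputs(phi, xi, eta, xi_prime, y)
    in_z, out_z = chain_inputs(phi, xi, eta, xi_prime, z)
    if y == z or out_y != out_z:
        raise ValueError("(y, z) is not a collision for phi_prime")
    for u, v in zip(reversed(in_y), reversed(in_z)):
        if u != v:
            return u, v
    raise AssertionError("unreachable: y != z forces some y_i != z_i")


def find_extended_collision(phi_prime, xi_prime: int, eta: int):
    """Deterministic search over the first 2^η + 1 strings of {0,1}^ξ'. Feasible only
    because η is tiny here; Remark 2.5 shows a collision-resistant family needs 2^{−η(k)}
    negligible, which is exactly what defeats this enumeration."""
    seen: dict[BitStr, BitStr] = {}
    for n in range(2 ** eta + 1):
        y = format(n, f"0{xi_prime}b")
        h = phi_prime(y)
        if h in seen:
            return seen[h], y
        seen[h] = y
    raise AssertionError("unreachable by the pigeonhole principle")


if __name__ == "__main__":
    XI, ETA, XI_PRIME = 16, 8, 30                 # constructed toy parameters
    phi = compression("d0", XI, ETA)              # "d0" stands for some d ∈ D
    phi_prime = extend(phi, XI, ETA, XI_PRIME)
    y, z = find_extended_collision(phi_prime, XI_PRIME, ETA)
    u, v = extract_collision(phi, XI, ETA, XI_PRIME, y, z)
    print("beta, delta =", md_params(XI, ETA, XI_PRIME))
    print("phi' collision:", y, z, phi_prime(y) == phi_prime(z))
    print("phi  collision:", u, v, phi(u) == phi(v))
```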

3 (Weakly) pseudo-free families of computational Ω-algebras: Definitions and properties

From now on, we assume that Ω is finite and that algorithms can work with its elements. Let 𝙷 = ((Hd, ρd, 𝓡d) | d ∈ D) be a family of triples, where Hd is an Ω-algebra, ρd is a function from a subset of {0, 1}* onto Hd, and 𝓡d is a probability distribution on dom ρd for any d ∈ D. If Hd ⊆ {0, 1}* and ρd is the identity function on Hd, then we denote this function simply by id because its domain is clear.

3.1 Families of computational Ω-algebras

Definition 3.1

(family of computational Ω-algebras). The family 𝙷 is called a family of computational Ω-algebras if the following conditions hold:

  1. There exists a deterministic polynomial-time algorithm that, given d ∈ D and $[g]_{\rho_d}, [h]_{\rho_d}$ (for any g, h ∈ Hd), decides whether g = h.

  2. For every ω ∈ Ω there exists a deterministic polynomial-time algorithm that, given d ∈ D and $[h_1]_{\rho_d}, \dots, [h_{\operatorname{ar}\omega}]_{\rho_d}$ (where h1, . . . , har ω ∈ Hd), computes $[\omega(h_1, \dots, h_{\operatorname{ar}\omega})]_{\rho_d}$.

  3. The probability ensemble (𝓡d | d ∈ D) is polynomial-time samplable.

Definition 3.2

(family having exponential size). The family 𝙷 is said to have exponential size if there exists a polynomial η such that $|H_d| \le 2^{\eta(|d|)}$ for all d ∈ D.

Of course, exponential size is a property of the family (Hd | d ∈ D), but it is convenient to define this property for families of the form ((Hd, ρd, 𝓡d) | d ∈ D).

Definition 3.3

(polynomially bounded family). We say that the family 𝙷 is polynomially bounded if there exists a polynomial η such that $\operatorname{dom}\rho_d \subseteq \{0,1\}^{\le \eta(|d|)}$ for all $d \in D$, i.e., every representation of every element of $H_d$ has length at most $\eta(|d|)$.

It is obvious that if 𝙷 is polynomially bounded, then 𝙷 has exponential size.

Definition 3.4

(family having unique representations of elements). The family 𝙷 is said to have unique representations of elements if the function $\rho_d$ is one-to-one for each $d \in D$.

Remark 3.5

Suppose 𝙷 has unique representations of elements. Then we can assume that for every $d \in D$, $H_d \subseteq \{0,1\}^*$ and the unique representation of each element $h \in H_d$ is $h$ itself. In other words, we consider the family $((\operatorname{dom}\rho_d, \mathrm{id}, \mathcal R_d) \mid d \in D)$ instead of 𝙷. Here $\operatorname{dom}\rho_d$ denotes the unique Ω-algebra such that $\rho_d$ is an isomorphism of this Ω-algebra onto $H_d$ ($d \in D$).

3.2 (Weakly) pseudo-free families of computational Ω-algebras

Throughout the paper, we denote by 𝔙 a variety of Ω-algebras and by σ a function from a subset of $\{0,1\}^*$ onto $F_{\infty,\infty}(\mathfrak V)$. Also, suppose $s \in \mathbb N \setminus \{0\}$, $H \in \mathfrak V$, ρ is a function from a subset of $\{0,1\}^*$ onto $H$, and $g \in H^m$, where $m \in \mathbb N \setminus \{0\}$. Then we denote by $\Sigma_s(H, \mathfrak V, \sigma, \rho, g)$ the set of all tuples

$$(([v_1]_\sigma, [w_1]_\sigma), \dots, ([v_s]_\sigma, [w_s]_\sigma), ([h_1]_\rho, \dots, [h_n]_\rho))$$

such that the following conditions hold:

  1. $n \in \mathbb N$, $v_i, w_i \in F_{m,n}(\mathfrak V)$ for all $i \in \{1, \dots, s\}$, and $h_j \in H$ for all $j \in \{1, \dots, n\}$;

  2. the system of equations

$$v_i(a; x) = w_i(a; x), \quad i \in \{1, \dots, s\},$$

in the variables $x_1, \dots, x_n$ is unsatisfiable in $F_m(\mathfrak V)$ (or, equivalently, in $F_\infty(\mathfrak V)$);

  3. $v_i(g; h) = w_i(g; h)$ in $H$ for each $i \in \{1, \dots, s\}$, where $h = (h_1, \dots, h_n)$.

Furthermore, let $\Sigma'_s(H, \mathfrak V, \sigma, g)$ be the set of all tuples $(([v_1]_\sigma, [w_1]_\sigma), \dots, ([v_s]_\sigma, [w_s]_\sigma))$ such that

  1. $v_i, w_i \in F_m(\mathfrak V)$ for all $i \in \{1, \dots, s\}$,

  2. $v_j \ne w_j$ for some $j \in \{1, \dots, s\}$, and

  3. $v_i(g) = w_i(g)$ in $H$ for each $i \in \{1, \dots, s\}$.

Note that in the above definitions of $\Sigma_s(\dots)$ and $\Sigma'_s(\dots)$, $[v_i]_\sigma, [w_i]_\sigma$ ($i \in \{1, \dots, s\}$) and $[h_j]_\rho$ ($j \in \{1, \dots, n\}$) denote all preimages rather than arbitrarily chosen ones.

It is evident that $(p_1, \dots, p_s) \in \Sigma'_s(H, \mathfrak V, \sigma, g)$ if and only if $(p_1, \dots, p_s, ()) \in \Sigma_s(H, \mathfrak V, \sigma, \rho, g)$ (the last condition does not depend on ρ). Of course, $()$ denotes the empty tuple. Thus, $\Sigma'_s(H, \mathfrak V, \sigma, g)$ is obtained from $\Sigma_s(H, \mathfrak V, \sigma, \rho, g)$ by imposing the restriction $n = 0$ and removing the last element $()$ of the tuples. Elements of $\Sigma'_1(H, \mathfrak V, \sigma, g)$ will be written as $([v]_\sigma, [w]_\sigma)$ instead of $(([v]_\sigma, [w]_\sigma))$. Moreover, let

$$\Sigma(H, \mathfrak V, \sigma, \rho, g) = \bigcup_{s=1}^{\infty} \Sigma_s(H, \mathfrak V, \sigma, \rho, g) \quad\text{and}\quad \Sigma'(H, \mathfrak V, \sigma, g) = \bigcup_{s=1}^{\infty} \Sigma'_s(H, \mathfrak V, \sigma, g).$$

We say that the family 𝙷 = $((H_d, \rho_d, \mathcal R_d) \mid d \in D)$ is in 𝔙 if $H_d \in \mathfrak V$ for all $d \in D$. In this subsection, we assume that 𝙷 is a family of computational Ω-algebras in 𝔙.

Definition 3.6

(pseudo-free family). The family 𝙷 is called pseudo-free in 𝔙 with respect to 𝒟 and σ if for any polynomial π and any probabilistic polynomial-time algorithm A,

$$\Pr[A(1^k, d, r) \in \Sigma(H_d, \mathfrak V, \sigma, \rho_d, \rho_d(r))] = \operatorname{negl}(k),$$

where $d \sim \mathcal D_k$ and $r \sim \mathcal R_d^{\pi(k)}$.

Remark 3.7

If 𝔙 is trivial, then $\Sigma(H, \mathfrak V, \sigma, \rho, g) = \emptyset$ for any $H \in \mathfrak V$, any function ρ from a subset of $\{0,1\}^*$ onto $H$, and any $g \in H^m$, where $m \in \mathbb N \setminus \{0\}$. Therefore, in this case the considered family 𝙷 of computational Ω-algebras is always pseudo-free in 𝔙 with respect to 𝒟 and σ.

The condition of the next definition is obtained from the condition of Definition 3.6 by replacing Σ(. . . ) by Σ′(. . . ).

Definition 3.8

(weakly pseudo-free family). The family 𝙷 is called weakly pseudo-free in 𝔙 with respect to 𝒟 and σ if for any polynomial π and any probabilistic polynomial-time algorithm A,

$$\Pr[A(1^k, d, r) \in \Sigma'(H_d, \mathfrak V, \sigma, \rho_d(r))] = \operatorname{negl}(k),$$

where $d \sim \mathcal D_k$ and $r \sim \mathcal R_d^{\pi(k)}$.

Remark 3.9

Let $s \in \mathbb N \setminus \{0\}$. Define the notion of s-pseudo-freeness (resp., weak s-pseudo-freeness) in 𝔙 with respect to 𝒟 and σ by replacing $\Sigma(\dots)$ by $\Sigma_s(\dots)$ in Definition 3.6 (resp., $\Sigma'(\dots)$ by $\Sigma'_s(\dots)$ in Definition 3.8). We consider (weak) s-pseudo-freeness only when s is a constant. Note that in many works (see, e.g., [19, 20, 22, 26, 27]), pseudo-freeness (resp., weak pseudo-freeness) is understood as 1-pseudo-freeness (resp., weak 1-pseudo-freeness). It is evident that any pseudo-free (resp., weakly pseudo-free) family of computational Ω-algebras in 𝔙 with respect to 𝒟 and σ is also s-pseudo-free (resp., weakly s-pseudo-free) in 𝔙 with respect to 𝒟 and σ. Rivest remarked that in the variety of all groups, 1-pseudo-freeness is equivalent to pseudo-freeness (see [26, Subsection 5.1]). Micciancio obtained the same result for the variety of all abelian groups (see [22, Corollary 1]). Moreover, Anokhin proved that in the variety of all elementary abelian p-groups, where p is an arbitrary prime, any weakly 1-pseudo-free family of computational groups is pseudo-free (see [2, Theorem 3.7]). Note that these results hold only under certain additional conditions.

Suppose $H \in \mathfrak V$ and $g \in H^m$, where $m \in \mathbb N \setminus \{0\}$. It is easy to see that if $(r_1, \dots, r_t) \in \Sigma'(H, \mathfrak V, \sigma, g)$ (where $t \in \mathbb N \setminus \{0\}$ and $r_i \in (\operatorname{dom}\sigma)^2$ for all $i \in \{1, \dots, t\}$) and $j \sim \mathcal U(\{1, \dots, 2^{\lceil \log_2 t \rceil}\})$, then

$$\Pr[j \in \{1, \dots, t\},\ r_j \in \Sigma'_1(H, \mathfrak V, \sigma, g)] \ge \frac{1}{2^{\lceil \log_2 t \rceil}} \ge \frac{1}{2t}.$$

Hence weak 1-pseudo-freeness in 𝔙 with respect to 𝒟 and σ is equivalent to weak pseudo-freeness in 𝔙 with respect to 𝒟 and σ.

It is obvious that if 𝙷 is pseudo-free (resp., s-pseudo-free) in 𝔙 with respect to 𝒟 and σ, then 𝙷 is weakly pseudo-free (resp., weakly s-pseudo-free) in 𝔙 with respect to 𝒟 and σ.

We say that the algorithm A from Definition 3.6 (resp., Definition 3.8) tries to break the pseudo-freeness (resp., weak pseudo-freeness) of the family 𝙷. The same terminology will be used for (weak) s-pseudo-freeness.

Remark 3.10

(see also [1, Remark 3.6]). Assume that the family 𝙷 is weakly 1-pseudo-free in 𝔙 with respect to 𝒟 and σ. Let $D'$ be a subset of $D$ such that $\{H_d \mid d \in D'\}$ does not generate the variety 𝔙. Then there exist distinct elements $v, w \in F_m(\mathfrak V)$ (for some $m \in \mathbb N \setminus \{0\}$) such that $v(g) = w(g)$ for all $d \in D'$ and $g \in H_d^m$. It is evident that $([v]_\sigma, [w]_\sigma) \in \Sigma'_1(H_d, \mathfrak V, \sigma, g)$ for every $d \in D'$ and $g \in H_d^m$. This implies that $\Pr_{d \sim \mathcal D_k}[d \in D'] = \operatorname{negl}(k)$. Thus, we see that if $D'$ is a subset of $D$ such that $\Pr_{d \sim \mathcal D_k}[d \in D']$ is not negligible as a function of $k \in K$ (in particular, if $D' = D$), then $\{H_d \mid d \in D'\}$ generates the variety 𝔙. This shows that the family 𝙷 can be weakly 1-pseudo-free (with respect to 𝒟 and σ) only in the variety generated by $\{H_d \mid d \in D\}$.

Remark 3.11

Recall that 𝙷 = $((H_d, \rho_d, \mathcal R_d) \mid d \in D)$ is a family of computational Ω-algebras in 𝔙. For each $d \in D$, let $S_d$ be a subset of $\operatorname{dom}\rho_d$ such that $\rho_d(S_d) = H_d$ and $\operatorname{supp}\mathcal R_d \subseteq S_d$. Also, assume that for every $\omega \in \Omega$ there exists a deterministic polynomial-time algorithm that, given $d \in D$ and $[h_1]_{\rho_d}, \dots, [h_{\operatorname{ar}\omega}]_{\rho_d} \in S_d$ (where $h_1, \dots, h_{\operatorname{ar}\omega} \in H_d$), computes $[\omega(h_1, \dots, h_{\operatorname{ar}\omega})]_{\rho_d} \in S_d$. Then $\mathtt H' = ((H_d, \rho_d|_{S_d}, \mathcal R_d) \mid d \in D)$ is a family of computational Ω-algebras in 𝔙. Moreover, if 𝙷 is pseudo-free (resp., weakly pseudo-free) in 𝔙 with respect to 𝒟 and σ, then 𝙷′ is also pseudo-free (resp., weakly pseudo-free) in 𝔙 with respect to 𝒟 and σ. For weak pseudo-freeness, the converse also holds.

3.3 Two examples of the function σ

In this subsection, we introduce two functions nat and SLP. In what follows, we will often assume that σ = nat or σ = SLP.

Example 3.12

(natural representation). Denote by $T_{\infty,\infty}$ the Ω-term algebra over the set $\{a_1, a_2, \dots, x_1, x_2, \dots\}$ of distinct variables. Let $v(a; x)$ be an arbitrary element of $F_{\infty,\infty}(\mathfrak V)$, where $v \in T_{\infty,\infty}$. In general, unless 𝔙 = 𝔒, the term $v$ is not uniquely determined by $v(a; x)$. We represent $v(a; x)$ by the term $v$ written in Polish notation. Moreover, we encode each variable $b_i$ by $\overline{b_i} = b\,\operatorname{bin} i$, where $b \in \{a, x\}$, $i \in \mathbb N \setminus \{0\}$, and $\operatorname{bin} i$ is the binary representation of $i$ without leading zeros. More formally, consider the term $v$ as a string over the alphabet consisting of all symbols from $\Omega \sqcup \{b_i \mid b \in \{a, x\},\ i \in \mathbb N \setminus \{0\}\}$, parentheses, and comma. Let $\overline v$ be obtained from $v$ by removing all parentheses and commas and replacing all occurrences of $b_i$ by $\overline{b_i}$ for every $b \in \{a, x\}$ and $i \in \mathbb N \setminus \{0\}$, where $\overline{b_i}$ is defined above. Then $v \mapsto \overline v$ is a one-to-one function from $T_{\infty,\infty}$ to the set of all strings over the finite alphabet $\Omega \sqcup \{a, x, 0, 1\}$. It is convenient to use $\overline v$ as a representation of $v(a; x)$ for computational purposes. We call this representation natural and denote the function $\overline v \mapsto v(a; x)$, where $v \in T_{\infty,\infty}$, by nat. Of course, the function nat is well defined. For each $m \in \mathbb N$, let $\operatorname{nat}_m$ be the restriction of nat to the set of all $\overline v$ such that $v$ is a term over the variables $a_1, \dots, a_m$. Then nat and $\operatorname{nat}_m$ are functions onto $F_{\infty,\infty}(\mathfrak V)$ and $F_m(\mathfrak V)$, respectively.

Assume that 𝔙 = 𝔒. In this case, the function nat is one-to-one. For every $i \in \mathbb N \setminus \{0\}$, we identify the term $a_i$ with the element $a_i$ of $F_{\infty,\infty}$, and likewise the term $x_i$ with the element $x_i$. Then $\operatorname{nat}^{-1}(w) = \overline w$ for all $w \in F_{\infty,\infty}$. This allows us to simplify the notation.

Example 3.13

(representation by straight-line programs). By a straight-line program over $F_{\infty,\infty}(\mathfrak V)$ we mean a sequence $(u_1, \dots, u_n)$ of tuples such that $n \in \mathbb N \setminus \{0\}$ and for any $i \in \{1, \dots, n\}$, either $u_i = (b, m)$, where $b \in \{a, x\}$ and $m \in \mathbb N \setminus \{0\}$, or $u_i = (\omega, m_1, \dots, m_{\operatorname{ar}\omega})$, where $\omega \in \Omega$ and $m_1, \dots, m_{\operatorname{ar}\omega} \in \{1, \dots, i-1\}$. Here $a$ and $x$ are considered as symbols that are not in Ω. Any straight-line program $u = (u_1, \dots, u_n)$ over $F_{\infty,\infty}(\mathfrak V)$ naturally defines the sequence $(v_1, \dots, v_n)$ of elements of $F_{\infty,\infty}(\mathfrak V)$ by induction. Namely, for every $i \in \{1, \dots, n\}$, we put $v_i = b_m$ if $u_i = (b, m)$ and $v_i = \omega(v_{m_1}, \dots, v_{m_{\operatorname{ar}\omega}})$ if $u_i = (\omega, m_1, \dots, m_{\operatorname{ar}\omega})$, where $b$, $m$, $\omega$, and $m_1, \dots, m_{\operatorname{ar}\omega}$ are as above. The straight-line program $u$ is said to represent the element $v_n$. We denote by SLP the function $u \mapsto v_n$, where $u = (u_1, \dots, u_n)$ is a straight-line program over $F_{\infty,\infty}(\mathfrak V)$ and $v_n$ is defined above. It is evident that SLP is a function onto $F_{\infty,\infty}(\mathfrak V)$. Note that this method of representation (for elements of the free group) was used in [19].

Remark 3.14

Assume that 𝔙 = 𝔒. Unlike nat, the function SLP is not one-to-one. However, there exists a deterministic polynomial-time algorithm that, given $[v]_{\mathrm{SLP}}$ and $[w]_{\mathrm{SLP}}$ (where $v, w \in F_{\infty,\infty}$), decides whether $v = w$. This algorithm can be easily constructed using the following observation: For any $b, c \in \{a, x\}$, $i, j \in \mathbb N \setminus \{0\}$, $\omega, \mu \in \Omega$, and $v_1, \dots, v_{\operatorname{ar}\omega}, w_1, \dots, w_{\operatorname{ar}\mu} \in F_{\infty,\infty}$, we have

  1. $b_i = c_j$ if and only if $b = c$ and $i = j$;

  2. $b_i \ne \omega(v_1, \dots, v_{\operatorname{ar}\omega})$;

  3. $\omega(v_1, \dots, v_{\operatorname{ar}\omega}) = \mu(w_1, \dots, w_{\operatorname{ar}\mu})$ if and only if $\omega = \mu$ and $v_i = w_i$ for all $i \in \{1, \dots, \operatorname{ar}\omega\}$.

Remark 3.15

As in Remark 3.14, assume that 𝔙 = 𝔒. Let $u = (u_1, \dots, u_n)$ be a straight-line program over $F_{\infty,\infty}$ and let $(v_1, \dots, v_n)$ be the sequence of elements of $F_{\infty,\infty}$ naturally defined by $u$ as in Example 3.13, i.e., $v_i = \mathrm{SLP}(u_1, \dots, u_i)$ for all $i \in \{1, \dots, n\}$. Then an easy induction on $n$ shows that $\operatorname{subt}(v_n) \subseteq \{v_1, \dots, v_n\}$. Moreover, there exists a deterministic polynomial-time algorithm that, given $u$, computes $(j_1, \dots, j_l)$ such that $1 \le j_1 < \dots < j_l \le n$ and $\operatorname{subt}(v_n) = \{v_{j_1}, \dots, v_{j_l}\}$. Indeed, let $\Gamma_u$ be the directed acyclic graph with vertex set $\{1, \dots, n\}$ in which $(i, j)$ is an edge (i.e., $i \to j$) if and only if $u_i = (\omega, m_1, \dots, m_{\operatorname{ar}\omega})$ (where $\omega \in \Omega$ and $m_1, \dots, m_{\operatorname{ar}\omega} \in \{1, \dots, i-1\}$) and $j \in \{m_1, \dots, m_{\operatorname{ar}\omega}\}$. Then it is easy to see (using induction on $n$) that

$$\operatorname{subt}(v_n) = \{v_j \mid j \text{ is reachable from } n \text{ in } \Gamma_u\}.$$

The set of all vertices reachable from n in Γu can be found in time polynomial in n using breadth-first search or depth-first search.

Remark 3.16

It is easy to see that, given $[w]_{\mathrm{nat}}$ for arbitrary $w \in F_{\infty,\infty}(\mathfrak V)$, one can compute $[w]_{\mathrm{SLP}}$ in polynomial time. Therefore pseudo-freeness (resp., weak pseudo-freeness) in 𝔙 with respect to 𝒟 and SLP implies pseudo-freeness (resp., weak pseudo-freeness) in 𝔙 with respect to 𝒟 and nat. The same holds for (weak) s-pseudo-freeness for arbitrary $s \in \mathbb N \setminus \{0\}$. However, the inverse transformation $[w]_{\mathrm{SLP}} \mapsto [w]_{\mathrm{nat}}$, in general, cannot be performed in polynomial time. This is because the unique representation $[w]_{\mathrm{nat}}$ (when 𝔙 = 𝔒) can have length exponential in the length of the binary representation of $[w]_{\mathrm{SLP}}$. For example, assume that 𝔙 = 𝔒 and $\Omega \ni \zeta, \omega$, where $\operatorname{ar}\zeta = 0$ and $\operatorname{ar}\omega = 2$. For each $n \in \mathbb N$, let $w_n = \mathrm{SLP}((\zeta), (\omega, 1, 1), \dots, (\omega, n, n))$. This means that $w_0 = \zeta$ and $w_{n+1} = \omega(w_n, w_n)$. Then an induction on $n$ shows that the length of $\overline{w_n} = \operatorname{nat}^{-1}(w_n)$ (as a string over Ω) is $2^{n+1} - 1$.
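Straight-line programs (Example 3.13) together with the equality test of Remark 3.14, the subterm computation of Remark 3.15 and the size blow-up of Remark 3.16, as an added example that is not code from the paper. It works in the variety 𝔒 with the signature $\Omega = \{\zeta, \omega\}$ of Remark 3.16; the tuple encoding of instructions and the hash-consing used for the equality test are this example's own choices.

```python
from typing import Dict, List, Tuple

ARITY: Dict[str, int] = {"ζ": 0, "ω": 2}  # constructed signature Omega

# u_i = ("a", m) or ("x", m): the variable a_m / x_m (m >= 1);
# u_i = (omega, m_1, ..., m_ar): omega applied to earlier lines (1-based, < i).
Instr = Tuple


def _assign(u: List[Instr], table: Dict[Tuple, int]) -> List[int]:
    """Hash-consing pass implementing the observation of Remark 3.14: two lines
    get the same id iff they define the same term.  A shared `table` lets
    several SLPs be compared against each other."""
    ids: List[int] = []
    for i, ins in enumerate(u, start=1):
        head = ins[0]
        if head in ("a", "x"):
            key = ("var", head, ins[1])           # b_i = c_j iff b = c and i = j
        else:
            if head not in ARITY or len(ins) - 1 != ARITY[head]:
                raise ValueError(f"bad instruction {ins}")
            if any(not 1 <= m < i for m in ins[1:]):
                raise ValueError("an instruction may only refer to earlier lines")
            # omega(v) = mu(w) iff omega = mu and all argument terms agree
            key = ("op", head) + tuple(ids[m - 1] for m in ins[1:])
        ids.append(table.setdefault(key, len(table)))
    return ids


def slp_equal(u: List[Instr], w: List[Instr]) -> bool:
    """Decide SLP(u) = SLP(w) in polynomial time without expanding either term."""
    table: Dict[Tuple, int] = {}
    return _assign(u, table)[-1] == _assign(w, table)[-1]


def subterm_lines(u: List[Instr]) -> List[int]:
    """Lines j (1-based, increasing) reachable from n in the DAG Gamma_u, so
    that subt(v_n) = {v_j : j in result} (Remark 3.15); depth-first search."""
    n = len(u)
    seen, stack = {n}, [n]
    while stack:
        i = stack.pop()
        refs = u[i - 1][1:] if u[i - 1][0] not in ("a", "x") else ()
        for m in refs:
            if m not in seen:
                seen.add(m)
                stack.append(m)
    return sorted(seen)


def nat_length(u: List[Instr]) -> int:
    """Length of the natural representation of SLP(u) over Omega ⊔ {a,x,0,1},
    computed by dynamic programming on the SLP instead of expanding it.
    A variable b_m is encoded as b followed by bin(m) (Example 3.12)."""
    size: List[int] = []
    for ins in u:
        if ins[0] in ("a", "x"):
            size.append(1 + ins[1].bit_length())
        else:
            size.append(1 + sum(size[m - 1] for m in ins[1:]))
    return size[-1]


def to_nat(u: List[Instr]) -> str:
    """Expand SLP(u) into Polish notation; exponential in the worst case,
    which is exactly the point of Remark 3.16."""
    out: List[str] = []
    for ins in u:
        if ins[0] in ("a", "x"):
            out.append(ins[0] + format(ins[1], "b"))
        else:
            out.append(ins[0] + "".join(out[m - 1] for m in ins[1:]))
    return out[-1]


def w_slp(n: int) -> List[Instr]:
    """The program ((ζ), (ω,1,1), ..., (ω,n,n)) of Remark 3.16 representing w_n."""
    return [("ζ",)] + [("ω", i, i) for i in range(1, n + 1)]
```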

3.4 Certain families of 𝔙-free Ω-algebras are pseudo-free

The next lemma is similar to Lemma 3.8 in [1].

Lemma 3.17

For each $u \in 1^K$, suppose $\tau_u$ is a function from a subset of $\{0,1\}^*$ onto $F_{\gamma(u)}(\mathfrak V)$ (where $\gamma: 1^K \to \mathbb N \setminus \{0\}$) and $\mathcal F_u$ is a probability distribution on $\operatorname{dom}\tau_u$. Assume that the following conditions hold:

  (i) $\mathtt F = ((F_{\gamma(u)}(\mathfrak V), \tau_u, \mathcal F_u) \mid u \in 1^K)$ is a family of computational Ω-algebras;

  (ii) $\tau_u(\operatorname{supp}\mathcal F_u) \subseteq \{a_1, \dots, a_{\gamma(u)}\}$ for all $u \in 1^K$;

  (iii) $\operatorname{CP}(\tau_{1^k}(\mathcal F_{1^k})) = \operatorname{negl}(k)$.

Then 𝙵 is pseudo-free in 𝔙 with respect to $(\mathcal U(\{1^k\}) \mid k \in K)$ and σ.

Proof. Suppose π is a polynomial and A is a probabilistic polynomial-time algorithm trying to break the pseudo-freeness of 𝙵. Let $k \in K$ and $f_1, \dots, f_{\pi(k)} \in \operatorname{supp}\mathcal F_{1^k}$. Assume that

$$A(1^k, 1^k, (f_1, \dots, f_{\pi(k)})) \in \Sigma(F_{\gamma(1^k)}(\mathfrak V), \mathfrak V, \sigma, \tau_{1^k}, (\tau_{1^k}(f_1), \dots, \tau_{1^k}(f_{\pi(k)}))).$$

Then, in particular, there exist $v_1, \dots, v_s, w_1, \dots, w_s \in F_{\pi(k),n}(\mathfrak V)$ (for some $s \in \mathbb N \setminus \{0\}$ and $n \in \mathbb N$) such that the system of equations

$$v_i(a_1, \dots, a_{\pi(k)}; x_1, \dots, x_n) = w_i(a_1, \dots, a_{\pi(k)}; x_1, \dots, x_n), \quad i \in \{1, \dots, s\},$$

is unsatisfiable in $F_\infty(\mathfrak V)$, but the system

$$v_i(\tau_{1^k}(f_1), \dots, \tau_{1^k}(f_{\pi(k)}); x_1, \dots, x_n) = w_i(\tau_{1^k}(f_1), \dots, \tau_{1^k}(f_{\pi(k)}); x_1, \dots, x_n), \quad i \in \{1, \dots, s\},$$

is satisfiable even in $F_{\gamma(1^k)}(\mathfrak V)$. Here, of course, $x_1, \dots, x_n$ are considered as variables. Since $\{\tau_{1^k}(f_1), \dots, \tau_{1^k}(f_{\pi(k)})\} \subseteq \{a_1, \dots, a_{\gamma(1^k)}\}$ (see condition (ii)), this implies that $\tau_{1^k}(f_1), \dots, \tau_{1^k}(f_{\pi(k)})$ are not distinct (if they were distinct free generators, a solution of the second system would, after renaming generators, give a solution of the first). Hence,

$$\Pr[A(1^k, 1^k, (f_1, \dots, f_{\pi(k)})) \in \Sigma(F_{\gamma(1^k)}(\mathfrak V), \mathfrak V, \sigma, \tau_{1^k}, (\tau_{1^k}(f_1), \dots, \tau_{1^k}(f_{\pi(k)})))] \le \Pr[\tau_{1^k}(f_1), \dots, \tau_{1^k}(f_{\pi(k)}) \text{ are not distinct}] \le \frac{\pi(k)(\pi(k)-1)}{2}\operatorname{CP}(\tau_{1^k}(\mathcal F_{1^k})) = \operatorname{negl}(k),$$

where $f_1, \dots, f_{\pi(k)} \sim \mathcal F_{1^k}$. (Here we use condition (iii).) Thus, the family 𝙵 is pseudo-free in 𝔙 with respect to $(\mathcal U(\{1^k\}) \mid k \in K)$ and σ. □

In the next corollary, $\overline{a_i} = \operatorname{nat}^{-1}(a_i)$ (see Example 3.12).

Corollary 3.18

Let η be a polynomial parameter on $K$ such that $2^{-\eta(k)} = \operatorname{negl}(k)$. Then

$$\mathtt F = ((F_{2^{\eta(|u|)}}, \operatorname{nat}_{2^{\eta(|u|)}}, \mathcal U(\{\overline{a_1}, \dots, \overline{a_{2^{\eta(|u|)}}}\})) \mid u \in 1^K)$$

is a pseudo-free family of computational Ω-algebras in 𝔒 with respect to $(\mathcal U(\{1^k\}) \mid k \in K)$ and σ.

Proof. It is easy to see that 𝙵 is a family of computational Ω-algebras. Furthermore, $\operatorname{CP}(\mathcal U(\{a_1, \dots, a_{2^{\eta(k)}}\})) = 2^{-\eta(k)} = \operatorname{negl}(k)$ by Lemma 2.1. Hence the corollary follows from Lemma 3.17. □

3.5 (Weakly) pseudo-free families of quotient algebras

In this subsection, as in Subsection 3.2, we assume that the family 𝙷 = $((H_d, \rho_d, \mathcal R_d) \mid d \in D)$ is a family of computational Ω-algebras in 𝔙.

Definition 3.19

(σ-compatible family). We call the family 𝙷 σ-compatible if there exists a deterministic polynomial-time algorithm that, given

$$(d, [u]_\sigma, ([g_1]_{\rho_d}, \dots, [g_m]_{\rho_d}), ([h_1]_{\rho_d}, \dots, [h_n]_{\rho_d}))$$

for any $d \in D$, $u \in F_{m,n}(\mathfrak V)$ ($m, n \in \mathbb N$), and $g_1, \dots, g_m, h_1, \dots, h_n \in H_d$, computes $[u(g_1, \dots, g_m; h_1, \dots, h_n)]_{\rho_d}$.

Note that if the family 𝙷 is polynomially bounded, then it is SLP-compatible and hence nat-compatible (see Remark 3.16).

In Lemmas 3.20 and 3.21 below, let $(\mathcal E_d \mid d \in D)$ be a polynomial-time samplable probability ensemble such that for every $d \in D$, $\mathcal E_d$ is a probability distribution on a set $E_d \subseteq \{0,1\}^{\le \xi(|d|)}$, where ξ is a fixed polynomial. (We can let $E_d = \operatorname{supp}\mathcal E_d$ for all $d \in D$.) Furthermore, suppose each pair $(d, e)$ with $d \in D$ and $e \in E_d$ is assigned a congruence $\theta_{d,e}$ on $H_d$. Finally, we denote by $\mathcal D'_k$ the distribution of the random variable $(d, e)$, where $d \sim \mathcal D_k$ and $e \sim \mathcal E_d$ ($k \in K$).

The next lemma is similar to Theorem 3.7 in [1].

Lemma 3.20

Assume that the following conditions hold:

  (i) There exists a deterministic polynomial-time algorithm that, given $d \in D$, $e \in E_d$, and $[g]_{\rho_d}, [h]_{\rho_d}$ (where $g, h \in H_d$), decides whether $(g, h) \in \theta_{d,e}$.

  (ii) If $d \sim \mathcal D_k$ and $e \sim \mathcal E_d$, then for any probabilistic polynomial-time algorithm A,

$$\Pr[A(1^k, d, e) = ([y]_{\rho_d}, [z]_{\rho_d}) \text{ s.t. } y \ne z \text{ and } (y, z) \in \theta_{d,e}] = \operatorname{negl}(k).$$

Also, suppose the family 𝙷 is σ-compatible and pseudo-free (resp., weakly pseudo-free) in 𝔙 with respect to 𝒟 and σ. Then $\mathtt H' = ((H_d/\theta_{d,e}, \rho_d/\theta_{d,e}, \mathcal R_d) \mid d \in D, e \in E_d)$ is a pseudo-free (resp., weakly pseudo-free) family of computational Ω-algebras in 𝔙 with respect to $(\mathcal D'_k \mid k \in K)$ and σ.

Proof. It is evident that for any $d \in D$, $e \in E_d$, and $h \in H_d$, the set $(\rho_d/\theta_{d,e})^{-1}(h/\theta_{d,e})$, where $h/\theta_{d,e}$ is considered as an element of $H_d/\theta_{d,e}$, coincides with the set $\rho_d^{-1}(h/\theta_{d,e})$, where $h/\theta_{d,e}$ is considered as a subset of $H_d$. This together with condition (i) implies that 𝙷′ is a family of computational Ω-algebras.

We consider only the case where 𝙷 is pseudo-free. When 𝙷 is weakly pseudo-free, the proof is the same, mutatis mutandis. Suppose π is a polynomial and A is a probabilistic polynomial-time algorithm trying to break the pseudo-freeness of 𝙷′. Let B be a probabilistic polynomial-time algorithm (trying to break the pseudo-freeness of 𝙷) that on input $(1^k, d, r)$ for arbitrary $k \in K$, $d \in \operatorname{supp}\mathcal D_k$, and $r \in (\operatorname{supp}\mathcal R_d)^{\pi(k)}$ chooses $e \leftarrow \mathcal E_d$, runs A on input $(1^k, (d, e), r)$, and returns the output of A (if it exists). Furthermore, suppose C is a probabilistic polynomial-time algorithm (trying to violate condition (ii)) that on input $(1^k, d, e)$ for every $k \in K$, $d \in \operatorname{supp}\mathcal D_k$, and $e \in \operatorname{supp}\mathcal E_d$ proceeds as follows:

  1. Choose $r \leftarrow \mathcal R_d^{\pi(k)}$.

  2. Run A on input (1k , (d, e), r). Assume that the output is

    (2) $(([v_1]_\sigma, [w_1]_\sigma), \dots, ([v_s]_\sigma, [w_s]_\sigma), (q_1, \dots, q_n)),$

    where $s \in \mathbb N \setminus \{0\}$, $n \in \mathbb N$, $v_i, w_i \in F_{\pi(k),n}(\mathfrak V)$ for all $i \in \{1, \dots, s\}$, and $q_j = [h_j]_{\rho_d} = [h_j/\theta_{d,e}]_{\rho_d/\theta_{d,e}}$ ($h_j \in H_d$) for all $j \in \{1, \dots, n\}$. Note that, in general, the algorithm C cannot check this condition. However, if it is not true, then further execution of C does not matter.

  3. Compute $[v_i(\rho_d(r); h)]_{\rho_d}$ and $[w_i(\rho_d(r); h)]_{\rho_d}$ for all $i \in \{1, \dots, s\}$, where $h = (h_1, \dots, h_n)$. (This can be done in deterministic polynomial time because 𝙷 is σ-compatible.)

  4. If there exists an $i \in \{1, \dots, s\}$ such that $v_i(\rho_d(r); h) \ne w_i(\rho_d(r); h)$, then output $([v_i(\rho_d(r); h)]_{\rho_d}, [w_i(\rho_d(r); h)]_{\rho_d})$ for some such $i$. Otherwise, the algorithm C fails.

Assume that the algorithm A is invoked by B or C on input $(1^k, (d, e), r)$ (where $k \in K$, $d \in \operatorname{supp}\mathcal D_k$, $e \in \operatorname{supp}\mathcal E_d$, and $r \in (\operatorname{supp}\mathcal R_d)^{\pi(k)}$) and that the output of A (denoted by $u$) is in $\Sigma(H_d/\theta_{d,e}, \mathfrak V, \sigma, \rho_d/\theta_{d,e}, (\rho_d/\theta_{d,e})(r))$. In particular, this means that $u$ has the form (2) and $(v_i(\rho_d(r); h), w_i(\rho_d(r); h)) \in \theta_{d,e}$ for all $i \in \{1, \dots, s\}$. If $v_i(\rho_d(r); h) = w_i(\rho_d(r); h)$ for every $i \in \{1, \dots, s\}$, then the algorithm B outputs $u \in \Sigma(H_d, \mathfrak V, \sigma, \rho_d, \rho_d(r))$. Otherwise, the algorithm C outputs a pair $([y]_{\rho_d}, [z]_{\rho_d})$ such that $y \ne z$ and $(y, z) \in \theta_{d,e}$. Hence,

$$\Pr[A(1^k, (d, e), r) \in \Sigma(H_d/\theta_{d,e}, \mathfrak V, \sigma, \rho_d/\theta_{d,e}, (\rho_d/\theta_{d,e})(r))] \le \Pr[B(1^k, d, r) \in \Sigma(H_d, \mathfrak V, \sigma, \rho_d, \rho_d(r))] + \Pr[C(1^k, d, e) = ([y]_{\rho_d}, [z]_{\rho_d}) \text{ s.t. } y \ne z \text{ and } (y, z) \in \theta_{d,e}] = \operatorname{negl}(k) + \operatorname{negl}(k) = \operatorname{negl}(k),$$

where $k \in K$, $d \sim \mathcal D_k$, $e \sim \mathcal E_d$, and $r \sim \mathcal R_d^{\pi(k)}$. Thus, 𝙷′ is pseudo-free in 𝔙 with respect to $(\mathcal D'_k \mid k \in K)$ and σ. □

Lemma 3.21

Assume that the following conditions hold:

  (i) There exists a deterministic polynomial-time algorithm that, given $d \in D$, $e \in E_d$, and $[g]_{\rho_d}, [h]_{\rho_d}$ (where $g, h \in H_d$), decides whether $(g, h) \in \theta_{d,e}$ (as in Lemma 3.20).

  (ii) For any polynomial π and any probabilistic polynomial-time algorithm A,

$$\Pr[A(1^k, d, e, r) = ([v]_\sigma, [w]_\sigma) \text{ s.t. } v, w \in F_{\pi(k)}(\mathfrak V),\ v(\rho_d(r)) \ne w(\rho_d(r)), \text{ and } (v(\rho_d(r)), w(\rho_d(r))) \in \theta_{d,e}] = \operatorname{negl}(k),$$

where $d \sim \mathcal D_k$, $e \sim \mathcal E_d$, and $r \sim \mathcal R_d^{\pi(k)}$.

Also, suppose the family 𝙷 is weakly pseudo-free in 𝔙 with respect to 𝒟 and σ. Then $\mathtt H' = ((H_d/\theta_{d,e}, \rho_d/\theta_{d,e}, \mathcal R_d) \mid d \in D, e \in E_d)$ is a weakly pseudo-free family of computational Ω-algebras in 𝔙 with respect to $(\mathcal D'_k \mid k \in K)$ and σ.

Proof. As in the proof of Lemma 3.20, we see that 𝙷′ is a family of computational Ω-algebras.

Let π be a polynomial and let A be a probabilistic polynomial-time algorithm trying to break the weak pseudo-freeness of 𝙷′. Suppose B is a probabilistic polynomial-time algorithm (trying to break the weak pseudo-freeness of 𝙷) that on input $(1^k, d, r)$ for arbitrary $k \in K$, $d \in \operatorname{supp}\mathcal D_k$, and $r \in (\operatorname{supp}\mathcal R_d)^{\pi(k)}$ chooses $e \leftarrow \mathcal E_d$, runs A on input $(1^k, (d, e), r)$, and returns the output of A (if it exists). Furthermore, let C be a probabilistic polynomial-time algorithm (trying to violate condition (ii)) that on input $(1^k, d, e, r)$ for every $k \in K$, $d \in \operatorname{supp}\mathcal D_k$, $e \in \operatorname{supp}\mathcal E_d$, and $r \in (\operatorname{supp}\mathcal R_d)^{\pi(k)}$ proceeds as follows:

  1. Run A on input (1k , (d, e), r). Assume that the output is (p1, . . . , ps), where s ∈ ℕ \ {0} and pi ∈ (dom σ)2 for all i ∈ {1, . . . , s}. Note that, in general, the algorithm C cannot check this condition. However, if it is not true, then further execution of C does not matter.

  2. Choose $j \leftarrow \mathcal U(\{1, \dots, 2^{\lceil \log_2 s \rceil}\})$.

  3. If j ∈ {1, . . . , s}, then output pj. Otherwise, the algorithm C fails.

Assume that the algorithm A is invoked by B or C on input (1k , (d, e), r) (where kK, d ∈ supp 𝒟k, e ∈ supp 𝓔d, and r ∈ (supp𝓡d)π(k)) and that the output of A is

$$u = (([v_1]_\sigma, [w_1]_\sigma), \dots, ([v_s]_\sigma, [w_s]_\sigma)) \in \Sigma'(H_d/\theta_{d,e}, \mathfrak V, \sigma, (\rho_d/\theta_{d,e})(r)).$$

This means that $s \in \mathbb N \setminus \{0\}$, $v_i, w_i \in F_{\pi(k)}(\mathfrak V)$ for all $i \in \{1, \dots, s\}$, $v_j \ne w_j$ for some $j \in \{1, \dots, s\}$, and $(v_i(\rho_d(r)), w_i(\rho_d(r))) \in \theta_{d,e}$ for each $i \in \{1, \dots, s\}$. For brevity, put

$$\Pi(k, d, e, r) = \{([v]_\sigma, [w]_\sigma) \mid v, w \in F_{\pi(k)}(\mathfrak V),\ v(\rho_d(r)) \ne w(\rho_d(r)),\ (v(\rho_d(r)), w(\rho_d(r))) \in \theta_{d,e}\}.$$

Here $[v]_\sigma$ and $[w]_\sigma$ denote all preimages of $v$ and $w$, respectively, rather than arbitrarily chosen ones. Moreover, let $v_u(g) = (v_1(g), \dots, v_s(g))$ and $w_u(g) = (w_1(g), \dots, w_s(g))$ for arbitrary $g \in H_d^{\pi(k)}$. Choose a polynomial η satisfying $2^{\lceil \log_2 s \rceil} \le \eta(k)$. If $v_u(\rho_d(r)) = w_u(\rho_d(r))$, then the algorithm B outputs $u \in \Sigma'(H_d, \mathfrak V, \sigma, \rho_d(r))$. Assume that $v_u(\rho_d(r)) \ne w_u(\rho_d(r))$. Then it is evident that the algorithm C outputs an element of $\Pi(k, d, e, r)$ if and only if $j \in \{1, \dots, s\}$ and $v_j(\rho_d(r)) \ne w_j(\rho_d(r))$, where $j$ is defined in step (2) of C. This shows that

$$\Pr[C(1^k, d, e, r) \in \Pi(k, d, e, r) \mid A(1^k, (d, e), r) = u] = \Pr[j \in \{1, \dots, s\},\ v_j(\rho_d(r)) \ne w_j(\rho_d(r))] \ge \frac{1}{2^{\lceil \log_2 s \rceil}} \ge \frac{1}{\eta(k)},$$

where $j \sim \mathcal U(\{1, \dots, 2^{\lceil \log_2 s \rceil}\})$. (The random bits of the algorithm A are considered as a part of the random bits of the algorithm C.) Hence,

$$\Pr[A(1^k, (d, e), r) = u] \le \eta(k)\Pr[C(1^k, d, e, r) \in \Pi(k, d, e, r),\ A(1^k, (d, e), r) = u]$$

and

$$\Pr[A(1^k, (d, e), r) = u \in \Sigma'(H_d/\theta_{d,e}, \mathfrak V, \sigma, (\rho_d/\theta_{d,e})(r)) \text{ s.t. } v_u(\rho_d(r)) \ne w_u(\rho_d(r))] \le \eta(k)\Pr[C(1^k, d, e, r) \in \Pi(k, d, e, r)].$$

Therefore we have

$$\begin{aligned}
&\Pr[A(1^k, (d, e), r) \in \Sigma'(H_d/\theta_{d,e}, \mathfrak V, \sigma, (\rho_d/\theta_{d,e})(r))] \\
&\quad = \Pr[A(1^k, (d, e), r) = u \in \Sigma'(H_d/\theta_{d,e}, \mathfrak V, \sigma, (\rho_d/\theta_{d,e})(r)) \text{ s.t. } v_u(\rho_d(r)) = w_u(\rho_d(r))] \\
&\qquad + \Pr[A(1^k, (d, e), r) = u \in \Sigma'(H_d/\theta_{d,e}, \mathfrak V, \sigma, (\rho_d/\theta_{d,e})(r)) \text{ s.t. } v_u(\rho_d(r)) \ne w_u(\rho_d(r))] \\
&\quad \le \Pr[B(1^k, d, r) \in \Sigma'(H_d, \mathfrak V, \sigma, \rho_d(r))] + \eta(k)\Pr[C(1^k, d, e, r) \in \Pi(k, d, e, r)] \\
&\quad = \operatorname{negl}(k) + \eta(k)\operatorname{negl}(k) = \operatorname{negl}(k),
\end{aligned}$$

where $k \in K$, $d \sim \mathcal D_k$, $e \sim \mathcal E_d$, and $r \sim \mathcal R_d^{\pi(k)}$. Thus, 𝙷′ is weakly pseudo-free in 𝔙 with respect to $(\mathcal D'_k \mid k \in K)$ and σ. □

4 When do polynomially bounded (weakly) pseudo-free families in 𝔒 exist unconditionally?

In this section, we mostly consider the case where 𝔙 = 𝔒. Recall that $\overline w = \operatorname{nat}^{-1}(w)$ for any $w \in F_{\infty,\infty}$ (see Example 3.12).

4.1 Unconditional results

Remark 4.1

Assume that Ω consists of nullary operation symbols only. By Corollary 3.18,

$$\mathtt F = ((F_{2^{|u|}}, \operatorname{nat}_{2^{|u|}}, \mathcal U(\{\overline{a_1}, \dots, \overline{a_{2^{|u|}}}\})) \mid u \in 1^K)$$

is a pseudo-free family of computational Ω-algebras in 𝔒 with respect to $(\mathcal U(\{1^k\}) \mid k \in K)$ and σ. Also, 𝙵 has unique representations of elements. Furthermore, it is easy to see that $F_{2^k} = \Omega \sqcup \{a_1, \dots, a_{2^k}\}$ for all $k \in K$. Therefore each string (over the alphabet $\Omega \sqcup \{a, 0, 1\}$) in $\operatorname{dom}\operatorname{nat}_{2^k}$ has length at most $k + 2$. This shows that 𝙵 is polynomially bounded.

Remark 4.2

Assume that $\Omega = \Omega_0 \sqcup \{\omega\}$, where $\Omega_0$ consists of nullary operation symbols and $\operatorname{ar}\omega = 1$. For arbitrary $n \in \mathbb N$, denote by $\omega^n$ the $n$-fold composition of ω with itself. It is easy to see that every element of $F_\infty$ can be uniquely represented as $\omega^i(b)$, where $i \in \mathbb N$ and $b \in \Omega_0 \sqcup \{a_1, a_2, \dots\}$.

Let $k \in K$. Denote by $\theta_{1^k}$ the following binary relation on $F_{2^k}$:

$$\{(v, w) \in F_{2^k}^2 \mid v = w \text{ or } v = \omega^i(b),\ w = \omega^j(b), \text{ where } i, j \ge 2^k,\ b \in \Omega_0 \sqcup \{a_1, \dots, a_{2^k}\}\}.$$

This relation is a congruence on $F_{2^k}$. The equivalence classes under $\theta_{1^k}$ are

$$\{\omega^0(b)\}, \dots, \{\omega^{2^k-1}(b)\}, \{\omega^{2^k}(b), \omega^{2^k+1}(b), \dots\},$$

where $b$ ranges over $\Omega_0 \sqcup \{a_1, \dots, a_{2^k}\}$.

By Corollary 3.18,

$$\mathtt F = ((F_{2^{|u|}}, \operatorname{nat}_{2^{|u|}}, \mathcal U(\{\overline{a_1}, \dots, \overline{a_{2^{|u|}}}\})) \mid u \in 1^K)$$

is a pseudo-free family of computational Ω-algebras in 𝔒 with respect to $(\mathcal U(\{1^k\}) \mid k \in K)$ and nat. We observe that, given $(1^k, \overline v, \overline w)$ (where $v, w \in F_{2^k}$), one can decide whether $(v, w) \in \theta_{1^k}$ in deterministic polynomial time. Also, if $v \ne w$ and $(v, w) \in \theta_{1^k}$, then both $\overline v$ and $\overline w$ have length at least $2^k + 1$ as strings over $\Omega \sqcup \{a, 0, 1\}$. This implies that for any probabilistic polynomial-time algorithm A, we have $\Pr[A(1^k, 1^k) = (\overline v, \overline w) \text{ s.t. } v \ne w \text{ and } (v, w) \in \theta_{1^k}] = 0$ for all sufficiently large $k \in K$. Moreover, it is easy to see that the family 𝙵 is nat-compatible. Thus, by Lemma 3.20,

$$\mathtt F' = ((F_{2^{|u|}}/\theta_u, \operatorname{nat}_{2^{|u|}}/\theta_u, \mathcal U(\{\overline{a_1}, \dots, \overline{a_{2^{|u|}}}\})) \mid u \in 1^K)$$

is a pseudo-free family of computational Ω-algebras in 𝔒 with respect to $(\mathcal U(\{1^k\}) \mid k \in K)$ and nat. (We apply this lemma to 𝙷 = 𝙵, $E_u = \{e\}$, where $e \in \{0,1\}^*$ is arbitrary, $\mathcal E_u = \mathcal U(E_u)$, and $\theta_{u,e} = \theta_u$ for all $u \in 1^K$. Since $e$ is fixed, we omit it.) The family 𝙵′ has exponential size because $|F_{2^k}/\theta_{1^k}| = (2^k + 1)(|\Omega_0| + 2^k)$ for all $k \in K$. But this family is not polynomially bounded and does not have unique representations of elements. The last disadvantage can be overcome by restricting the function $\operatorname{nat}_{2^{|u|}}$ to the set

$$S_u = \{\overline{\omega^i(b)} \mid i \in \{0, \dots, 2^{|u|}\},\ b \in \Omega_0 \sqcup \{a_1, \dots, a_{2^{|u|}}\}\},$$

where $u \in 1^K$. Namely, let

$$\mathtt F'' = ((F_{2^{|u|}}/\theta_u, (\operatorname{nat}_{2^{|u|}}|_{S_u})/\theta_u, \mathcal U(\{\overline{a_1}, \dots, \overline{a_{2^{|u|}}}\})) \mid u \in 1^K).$$

Then by Remark 3.11, 𝙵″ is a pseudo-free family of computational Ω-algebras in 𝔒 with respect to $(\mathcal U(\{1^k\}) \mid k \in K)$ and nat (note that $(\operatorname{nat}_{2^{|u|}}|_{S_u})/\theta_u = (\operatorname{nat}_{2^{|u|}}/\theta_u)|_{S_u}$ for all $u \in 1^K$). This family has exponential size and unique representations of elements, but is not polynomially bounded.

Remark 4.3

In this remark, as in Remark 4.2, we assume that $\Omega = \Omega_0 \sqcup \{\omega\}$, where $\Omega_0$ consists of nullary operation symbols and $\operatorname{ar}\omega = 1$. Also, we use the notation of Remark 4.2.

Let $k \in K$. Define the function $\delta_{1^k}$ by $\delta_{1^k}(i, \overline b) = \omega^i(b)$ for each $i \in \mathbb N$ and $b \in \Omega_0 \sqcup \{a_1, \dots, a_{2^k}\}$. This function provides a more succinct representation of elements of $F_{2^k}$ than $\operatorname{nat}_{2^k}$. By Lemma 3.17,

$$\mathtt F = ((F_{2^{|u|}}, \delta_u, \mathcal U(\{(0, \overline{a_1}), \dots, (0, \overline{a_{2^{|u|}}})\})) \mid u \in 1^K)$$

is a pseudo-free (and hence weakly pseudo-free) family of computational Ω-algebras in 𝔒 with respect to $(\mathcal U(\{1^k\}) \mid k \in K)$ and SLP. Of course, given $1^k$ and $[v]_{\delta_{1^k}}, [w]_{\delta_{1^k}}$ (where $v, w \in F_{2^k}$), one can decide whether $(v, w) \in \theta_{1^k}$ in deterministic polynomial time. Suppose $v, w \in F_m$ and $f \in \{a_1, \dots, a_{2^k}\}^m$ (where $m \in \mathbb N$) are such that $v(f) \ne w(f)$ and $(v(f), w(f)) \in \theta_{1^k}$. Let $v = \omega^i(b)$ and $w = \omega^j(c)$, where $i, j \in \mathbb N$ and $b, c \in \Omega_0 \sqcup \{a_1, \dots, a_m\}$. Then $v(f) = \omega^i(b(f))$ and $w(f) = \omega^j(c(f))$, where $b(f), c(f) \in \Omega_0 \sqcup \{a_1, \dots, a_{2^k}\}$. Therefore we have $i, j \ge 2^k$. It is evident that $\operatorname{subt}(v) = \{\omega^l(b) \mid l \in \{0, \dots, i\}\}$ and $\operatorname{subt}(w) = \{\omega^l(c) \mid l \in \{0, \dots, j\}\}$. Hence it follows from Remark 3.15 that if $(u_1, \dots, u_n) \in \mathrm{SLP}^{-1}(v) \cup \mathrm{SLP}^{-1}(w)$, then $n \ge \min\{i, j\} + 1 \ge 2^k + 1$. This implies that for any polynomial π and any probabilistic polynomial-time algorithm A,

$$\Pr[A(1^k, 1^k, r) = ([v]_{\mathrm{SLP}}, [w]_{\mathrm{SLP}}) \text{ s.t. } v, w \in F_{\pi(k)},\ v(\delta_{1^k}(r)) \ne w(\delta_{1^k}(r)), \text{ and } (v(\delta_{1^k}(r)), w(\delta_{1^k}(r))) \in \theta_{1^k}] = 0$$

for all sufficiently large $k \in K$, where $r \sim \mathcal U(\{(0, \overline{a_1}), \dots, (0, \overline{a_{2^k}})\})^{\pi(k)}$. Thus, by Lemma 3.21,

$$\mathtt F' = ((F_{2^{|u|}}/\theta_u, \delta_u/\theta_u, \mathcal U(\{(0, \overline{a_1}), \dots, (0, \overline{a_{2^{|u|}}})\})) \mid u \in 1^K)$$

is a weakly pseudo-free family of computational Ω-algebras in 𝔒 with respect to $(\mathcal U(\{1^k\}) \mid k \in K)$ and SLP. (As in Remark 4.2, we apply this lemma to 𝙷 = 𝙵, $E_u = \{e\}$, where $e \in \{0,1\}^*$ is arbitrary, $\mathcal E_u = \mathcal U(E_u)$, and $\theta_{u,e} = \theta_u$ for all $u \in 1^K$. Since $e$ is fixed, we omit it.) The family 𝙵′ has exponential size, but is not polynomially bounded and does not have unique representations of elements. However, we can overcome both of these disadvantages by restricting the function $\delta_u$ to the set $S_u = \{(i, \overline b) \mid i \in \{0, \dots, 2^{|u|}\},\ b \in \Omega_0 \sqcup \{a_1, \dots, a_{2^{|u|}}\}\}$, where $u \in 1^K$. Namely, let

$$\mathtt F'' = ((F_{2^{|u|}}/\theta_u, (\delta_u|_{S_u})/\theta_u, \mathcal U(\{(0, \overline{a_1}), \dots, (0, \overline{a_{2^{|u|}}})\})) \mid u \in 1^K).$$

Then by Remark 3.11, 𝙵″ is a weakly pseudo-free family of computational Ω-algebras in 𝔒 with respect to $(\mathcal U(\{1^k\}) \mid k \in K)$ and SLP (note that $(\delta_u|_{S_u})/\theta_u = (\delta_u/\theta_u)|_{S_u}$ for all $u \in 1^K$). It is easy to see that the family 𝙵″ is polynomially bounded and has unique representations of elements.

Note that neither 𝙵′ nor 𝙵″ is 1-pseudo-free in 𝔒 with respect to $(\mathcal U(\{1^k\}) \mid k \in K)$ and nat. This is because the equation $x_1 = \omega(x_1)$ is unsatisfiable in $F_\infty$, but $\omega^{2^{|u|}}(a_1)/\theta_u = \delta_u(2^{|u|}, \overline{a_1})/\theta_u$ is a solution to this equation in $F_{2^{|u|}}/\theta_u$ ($u \in 1^K$). In particular, neither 𝙵′ nor 𝙵″ is pseudo-free in 𝔒 with respect to $(\mathcal U(\{1^k\}) \mid k \in K)$ and SLP (see Remarks 3.16 and 3.9).
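The congruence $\theta_{1^k}$ of Remark 4.2 and the succinct representation $\delta_{1^k}$ of Remark 4.3, as an added example that is not code from the paper: it shows why the quotient is polynomially bounded under δ but not under nat, and why the element $\omega^{2^k}(a_1)/\theta_{1^k}$ solves $x_1 = \omega(x_1)$. The choice $\Omega_0 = \{c\}$ (a single constant) and $k = 3$ in the checks are constructed.

```python
from typing import Tuple

# omega^i(b) in F_{2^k} is stored as (i, b), where b is the natural
# representation of a symbol from Omega_0 ⊔ {a_1, ..., a_{2^k}}:
# "c" (the constructed constant) or "a" followed by bin(j).
Elem = Tuple[int, str]


def var(j: int) -> str:
    """Natural representation a bin(j) of the generator a_j."""
    return "a" + format(j, "b")


def delta(i: int, b: str) -> Elem:
    """delta_{1^k}(i, b̄) = omega^i(b): the pair itself is the representation."""
    assert i >= 0 and (b == "c" or b[0] == "a")
    return (i, b)


def in_theta(k: int, v: Elem, w: Elem) -> bool:
    """(v, w) in theta_{1^k}: v = w, or v = omega^i(b), w = omega^j(b) with
    i, j >= 2^k.  Decidable in time polynomial in k and the input size."""
    return v == w or (v[1] == w[1] and v[0] >= 2 ** k and w[0] >= 2 ** k)


def quotient_rep(k: int, v: Elem) -> Elem:
    """Canonical representative of v/theta_{1^k}: all exponents >= 2^k are
    identified, so the class of omega^i(b) is represented by (min(i, 2^k), b).
    This is the restriction to S_u of Remark 4.3."""
    return (min(v[0], 2 ** k), v[1])


def omega_mod_theta(k: int, v: Elem) -> Elem:
    """The operation omega on F_{2^k}/theta_{1^k} on canonical representatives."""
    return quotient_rep(k, (v[0] + 1, v[1]))


def nat_length(v: Elem) -> int:
    """Length of the natural representation omega...omega b̄ (Polish notation)."""
    return v[0] + len(v[1])


def delta_bits(v: Elem) -> int:
    """Size of the delta representation: bits of i plus the symbol string."""
    return max(1, v[0].bit_length()) + len(v[1])


def class_count(k: int, omega0_size: int) -> int:
    """|F_{2^k} / theta_{1^k}| = (2^k + 1)(|Omega_0| + 2^k), as in Remark 4.2."""
    return (2 ** k + 1) * (omega0_size + 2 ** k)
```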

4.2 Some cases where the existence of weakly pseudo-free families implies the existence of collision-resistant families of hash functions

Construction 4.4

Suppose $\chi: \bigcup_{n \in N}\{0,1\}^n \to F_\infty(\mathfrak V)$ is a function satisfying the following conditions:

  (i) $N$ is an infinite polynomial-time enumerable subset of $\mathbb N$. This means that the function $i \mapsto \min\{n \in N \mid n > i\}$ is a polynomial parameter on $\mathbb N$ (see [15, Subsubsection 2.2.3.1]).

  (ii) There exists a deterministic polynomial-time algorithm that, given $y \in \bigcup_{n \in N}\{0,1\}^n$, computes $[\chi(y)]_{\mathrm{nat}}$.

  (iii) There exists a polynomial γ such that $\chi(\{0,1\}^n) \subseteq F_{\gamma(n)}(\mathfrak V)$ for all $n \in N$.

  (iv) For any $n \in N$, $\chi|_{\{0,1\}^n}$ is one-to-one.

Also, let 𝙷 = $((H_d, \rho_d, \mathcal R_d) \mid d \in D)$ be a polynomially bounded family of computational Ω-algebras in 𝔙 (see Subsection 3.2). Choose a polynomial parameter η on $K$ such that $\operatorname{dom}\rho_d \subseteq \{0,1\}^{\le \eta(k)}$ for each $k \in K$ and $d \in \operatorname{supp}\mathcal D_k$. Denote by ξ the polynomial parameter $k \mapsto \min\{n \in N \mid n > \eta(k) + 1\}$ on $K$ (see condition (i)). Then $\xi(k) \in N$ and $\xi(k) > \eta(k) + 1$ for all $k \in K$.

For any $n \in \mathbb N$, let $\alpha_n$ be the one-to-one function from $\{0,1\}^{\le n}$ onto $\{0,1\}^{n+1} \setminus \{0^{n+1}\}$ defined by $\alpha_n(y) = y10^{n-|y|}$ for all $y \in \{0,1\}^{\le n}$. Then the function $(1^n, y) \mapsto \alpha_n(y)$, where $n \in \mathbb N$ and $y \in \{0,1\}^{\le n}$, is polynomial-time computable.

Choose a polynomial π such that $\chi(\{0,1\}^{\xi(k)}) \subseteq F_{\pi(k)}(\mathfrak V)$ for all $k \in K$. Condition (iii) implies that such a polynomial exists. Put

$$E_k = \{(1^k, d, r) \mid d \in \operatorname{supp}\mathcal D_k,\ r \in (\operatorname{dom}\rho_d)^{\pi(k)}\},$$

where $k \in K$, and $E = \bigcup_{k \in K} E_k$. For each $e \in E$, define $\kappa(e)$ to be the unique $k \in K$ such that $e \in E_k$. It is easy to see that $E_k \subseteq \{0,1\}^{\le \zeta(k)}$ for all $k \in K$, where ζ is a fixed polynomial, and κ is a polynomial parameter on $E$, as in Definition 2.3. Finally, let

$$\phi_{(1^k, d, r)}(y) = \alpha_{\eta(k)}([\chi(y)(\rho_d(r))]_{\rho_d}),$$

for every $k \in K$, $d \in \operatorname{supp}\mathcal D_k$, $r \in (\operatorname{dom}\rho_d)^{\pi(k)}$, and $y \in \{0,1\}^{\xi(k)}$. Here $[\chi(y)(\rho_d(r))]_{\rho_d}$ denotes the preimage of $\chi(y)(\rho_d(r))$ under $\rho_d$ computed by the following deterministic polynomial-time algorithm:

  1. Given $y$, compute $[\chi(y)]_{\mathrm{nat}}$ (see condition (ii)).

  2. Given $d$, $[\chi(y)]_{\mathrm{nat}}$, and $r$, compute and output $[\chi(y)(\rho_d(r))]_{\rho_d}$. (This can be done in deterministic polynomial time because 𝙷 is nat-compatible.)

Thus, $\Phi = (\phi_e: \{0,1\}^{\xi(\kappa(e))} \to \{0,1\}^{\eta(\kappa(e))+1} \mid e \in E)$ is a family of hash functions.

Theorem 4.5

Let 𝙷, π, and Φ be as in Construction 4.4. Assume that the family 𝙷 is weakly 1-pseudo-free in 𝔙 with respect to 𝒟 and nat. For each $k \in K$, denote by $\mathcal E_k$ the distribution of the random variable $(1^k, d, r)$, where $d \sim \mathcal D_k$ and $r \sim \mathcal R_d^{\pi(k)}$. Then the family Φ is collision-resistant with respect to 𝓔 = $(\mathcal E_k \mid k \in K)$. (It is evident that the probability ensemble 𝓔 is polynomial-time samplable when the indices are represented in unary.)

Proof. Let A be a probabilistic polynomial-time algorithm trying to find collisions for Φ. Suppose B is a probabilistic polynomial-time algorithm (trying to break the weak 1-pseudo-freeness of 𝙷) that on input $e = (1^k, d, r)$ for every $k \in K$, $d \in \operatorname{supp}\mathcal D_k$, and $r \in (\operatorname{supp}\mathcal R_d)^{\pi(k)}$ proceeds as follows:

  1. Run A on input $e$. Assume that the output is a collision $(y, z)$ for the function $\phi_e$. If this is not true, then B fails.

  2. Compute and output $([\chi(y)]_{\mathrm{nat}}, [\chi(z)]_{\mathrm{nat}})$, where χ is related to π and Φ as in Construction 4.4. (It is easy to see that this pair is in $\Sigma'_1(H_d, \mathfrak V, \mathrm{nat}, \rho_d(r))$: $\chi(y) \ne \chi(z)$ by condition (iv), while $\chi(y)(\rho_d(r)) = \chi(z)(\rho_d(r))$ because $\alpha_{\eta(k)}$ is one-to-one.)

Let $k \in K$, $d \sim \mathcal D_k$, and $r \sim \mathcal R_d^{\pi(k)}$. Then the random variable $e = (1^k, d, r)$ is distributed according to $\mathcal E_k$. Furthermore, we have

$$\Pr[A(e) \text{ is a collision for } \phi_e] = \Pr[B(1^k, d, r) \in \Sigma'_1(H_d, \mathfrak V, \mathrm{nat}, \rho_d(r))] = \operatorname{negl}(k)$$

because 𝙷 is weakly 1-pseudo-free in 𝔙 with respect to 𝒟 and nat. Thus, the family Φ is collision-resistant with respect to 𝓔. □

Corollary 4.6

Assume that there exists a function $\chi: \bigcup_{n \in N}\{0,1\}^n \to F_\infty(\mathfrak V)$ satisfying conditions (i)–(iv) of Construction 4.4. Then the existence of polynomially bounded weakly 1-pseudo-free families of computational Ω-algebras in 𝔙 with respect to 𝒟 and nat implies the existence of collision-resistant families of hash functions (with respect to some probability ensemble that is indexed by K and is polynomial-time samplable when the indices are represented in unary).

Corollary 4.6 follows immediately from Theorem 4.5.

Remark 4.7

Here are some cases where a function χ:nN{0,1}nF(V) satisfying conditions (i)–(iv) of Construction 4.4 exists:

  1. Ωω, where ar ω = 2, and 𝔙 is a nontrivial variety of Ω-algebras such that any H ∈ 𝔙 is a groupoid with an identity element (denoted by 1H) under ω. (In particular, this holds if 𝔙 is a nontrivial variety of monoids, loops, groups, or rings.) In this case, the required function χ : {0, 1}*F(𝔙) can be defined as follows. For any y ∈ {0, 1}*, let {i1, . . . , im} (where i1 < · · · < im) be the set of all i ∈ {1, . . . , |y|} such that the ith bit of y is 1. Then

    χ(y)={1F(V) if m=0,ai1 if m=1,ω(ω(ω(ai1,ai2),ai3),,aim) if m2.

    Choose an Ω-algebra H ∈ 𝔙 with at least two elements. Furthermore, let hH \ {1H}. Suppose y and z are distinct bit strings of the same length. We assume that the jth bits of y and z are 0 and 1, respectively. Let α be the homomorphism of F(𝔙) to H such that α(aj) = h and α(ai) = 1H for all i ∈ ℕ \ { j}. Then it is easy to see that α(χ(y))=1Hh=α(χ(z)) and hence χ(y)χ(z). (We note that α(1F(V))=ω(α(1F(V)),α(aj+1))=α(aj+1)=1H.) Thus, χ|{0,1}n is one-to-one for every n ∈ ℕ.

  2. $\Omega \ni \omega_0, \omega_1$, where ar ω0 = ar ω1 = 1 and $\omega_0 \ne \omega_1$, and 𝔙 = 𝔒. In this case, the required function $\chi\colon \{0,1\}^* \to F_\infty$ can be defined by $\chi(y) = \omega_{y_n}(\ldots\omega_{y_2}(\omega_{y_1}(a_1))\ldots)$ for all $y = y_1 \ldots y_n \in \{0,1\}^*$, where n ∈ ℕ and $y_1, \ldots, y_n \in \{0,1\}$.

  3. $\Omega \ni \omega$, where ar ω = m ≥ 2, and 𝔙 = 𝔒. In this case, the required function $\chi\colon \{0,1\}^* \to F_\infty$ can be defined inductively as follows:

    $$\chi(\epsilon) = a_1,\qquad \chi(y0) = \chi(y),\qquad \chi(y1) = \omega(\underbrace{a_{|y|+1}, \ldots, a_{|y|+1}}_{m-1 \text{ times}}, \chi(y)),$$

    where ϵ is the empty string and y ∈ {0, 1}*. Using induction on |z|, it is easy to see that for any z ∈ {0, 1}* and any i ∈ {1, . . . , |z|}, the ith bit of z is 1 if and only if χ(z) contains a subterm of the form $\omega(a_i, \ldots, a_i, v)$, where $v \in F_\infty$. This implies that for each n ∈ ℕ, $\chi|_{\{0,1\}^n}$ is one-to-one.

By Corollary 4.6, in any of these cases, the existence of polynomially bounded weakly 1-pseudo-free families of computational Ω-algebras in 𝔙 with respect to 𝒟 and nat implies the existence of collision-resistant families of hash functions (with respect to some probability ensemble that is indexed by K and is polynomial-time samplable when the indices are represented in unary).

4.3 Summary of results

The main results of this section can be summarized as follows:

  1. Assume that Ω consists of nullary operation symbols only. Then there exists a polynomially bounded pseudo-free family of computational Ω-algebras in 𝔒 with respect to $(\mathcal{U}(\{1^k\}) \mid k \in K)$ and σ. Moreover, this family has unique representations of elements. See Remark 4.1.

  2. Assume that $\Omega = \Omega_0 \cup \{\omega\}$, where Ω0 consists of nullary operation symbols and ar ω = 1. Then there exist

    1. an exponential-size pseudo-free family of computational Ω-algebras in 𝔒 with respect to $(\mathcal{U}(\{1^k\}) \mid k \in K)$ and nat and

    2. a polynomially bounded weakly pseudo-free family of computational Ω-algebras in 𝔒 with respect to $(\mathcal{U}(\{1^k\}) \mid k \in K)$ and SLP.

    Moreover, both of these families have unique representations of elements. See Remarks 4.2 and 4.3.

  3. In all other cases, the existence of polynomially bounded weakly pseudo-free families of computational Ω-algebras in 𝔒 with respect to 𝒟 and nat implies the existence of collision-resistant families of hash functions (with respect to some probability ensemble that is indexed by K and is polynomial-time samplable when the indices are represented in unary). See Corollary 4.6 and Remark 4.7 (cases (ii) and (iii)). Note that by Remark 3.9, weak pseudo-freeness in 𝔒 with respect to 𝒟 and nat is equivalent to weak 1-pseudo-freeness in 𝔒 with respect to 𝒟 and nat.

5 (Weakly) pseudo-free families in the variety of all m-ary groupoids

In this section, we assume that Ω={ω}, where ar ω = m is an arbitrary positive integer. In other words, we consider m-ary groupoids. In particular, 𝔒 is the variety of all m-ary groupoids.

Lemma 5.1

Let G be an m-ary groupoid and let $g = (g_1, \ldots, g_n) \in G^n$, where n ∈ ℕ. Assume that $g_1, \ldots, g_n$ are distinct and that $g_i \notin \omega(G^m)$ for all i ∈ {1, . . . , n}. Also, suppose v and w are distinct elements of $F_n$ such that v(g) = w(g). Then there exist $v_1, \ldots, v_m, w_1, \ldots, w_m \in F_n$ such that the following two conditions hold:

  1. ω(v1, . . . , vm) ∈ subt(v) and ω(w1, . . . , wm) ∈ subt(w);

  2. (v1(g), . . . , vm(g)) ≠ (w1(g), . . . , wm(g)), but ω(v1(g), . . . , vm(g)) = ω(w1(g), . . . , wm(g)).

Proof. Denote by V the set of all $v \in F_n$ satisfying the following condition:

$$\forall w \in F_n\ \bigl(v \ne w,\ v(g) = w(g) \implies \exists\, v_1, \ldots, v_m, w_1, \ldots, w_m \in F_n \text{ s.t. conditions (i) and (ii) hold}\bigr).$$

To prove the lemma, it suffices to show that $\{a_1, \ldots, a_n\} \subseteq V$ and that V is an m-ary subgroupoid (i.e., subalgebra) of $F_n$.

If $v \in \{a_1, \ldots, a_n\}$, then the assumptions on g imply that for any $w \in F_n$, we have v = w or v(g) ≠ w(g). This shows that $\{a_1, \ldots, a_n\} \subseteq V$.

Let $v'_1, \ldots, v'_m \in V$ and $v = \omega(v'_1, \ldots, v'_m)$. Also, suppose w is an element of $F_n$ such that $v \ne w$ and v(g) = w(g). Then it follows from the assumptions on g that $w = \omega(w'_1, \ldots, w'_m)$, where $w'_1, \ldots, w'_m \in F_n$. If $(v'_1(g), \ldots, v'_m(g)) \ne (w'_1(g), \ldots, w'_m(g))$, then conditions (i) and (ii) hold for $v_i = v'_i$ and $w_i = w'_i$ (i ∈ {1, . . . , m}). Otherwise, choose an index j ∈ {1, . . . , m} satisfying $v'_j \ne w'_j$; such an index exists because $v \ne w$. In this case, conditions (i) and (ii) hold for some $v_1, \ldots, v_m, w_1, \ldots, w_m \in F_n$ such that $\omega(v_1, \ldots, v_m) \in \operatorname{subt}(v'_j)$ and $\omega(w_1, \ldots, w_m) \in \operatorname{subt}(w'_j)$. This is because $v'_j \in V$, $v'_j \ne w'_j$, and $v'_j(g) = w'_j(g)$. Thus, we obtain that $v \in V$. This shows that V is an m-ary subgroupoid of $F_n$. □

In Subsections 5.1–5.2 below, we use the assumptions and notation of Definition 2.3. In these subsections, we also assume that $\operatorname{supp} \mathcal{D}_k \subseteq D_k$ for every k ∈ K.

5.1 Constructing a polynomially bounded weakly pseudo-free family from a collision-resistant family of hash functions

Construction 5.2

Suppose $\Psi = (\psi_d\colon \{0,1\}^{m\xi(\kappa(d))} \to \{0,1\}^{\eta(\kappa(d))} \mid d \in D)$ is a family of hash functions, where ξ and η are polynomial parameters on K satisfying ξ(k) > η(k) for all k ∈ K. Then for every d ∈ D, let $G_d$ be the m-ary groupoid with carrier $\{0,1\}^{\xi(\kappa(d))}$ and fundamental operation defined by

$$\omega(g_1, \ldots, g_m) = \psi_d(g_1 \cdots g_m)\, 1^{\xi(\kappa(d)) - \eta(\kappa(d))},\qquad g_1, \ldots, g_m \in \{0,1\}^{\xi(\kappa(d))}.$$

Finally, put $M_k = \{0,1\}^{\eta(k)}\, 0^{\xi(k) - \eta(k)}$ for each k ∈ K.

Theorem 5.3

Let Ψ, $G_d$ (d ∈ D), and $M_k$ (k ∈ K) be as in Construction 5.2. Assume that the family Ψ is collision-resistant with respect to 𝒟. Then $\mathtt{G} = ((G_d, \mathrm{id}, \mathcal{U}(M_{\kappa(d)})) \mid d \in D)$ is a polynomially bounded weakly pseudo-free family of computational m-ary groupoids in 𝔒 with respect to 𝒟 and SLP.

Proof. It is easy to see that 𝙶 is a polynomially bounded family of computational m-ary groupoids. Let π be a polynomial and let A be a probabilistic polynomial-time algorithm trying to break the weak 1-pseudo-freeness of G. Suppose B is a probabilistic polynomial-time algorithm (trying to find collisions for Ψ) that on input dD proceeds as follows:

  1. Choose $g_1, \ldots, g_{\pi(k)} \leftarrow \mathcal{U}(M_k)$, where k = κ(d). If $g_1, \ldots, g_{\pi(k)}$ are distinct, then put $g = (g_1, \ldots, g_{\pi(k)})$. Otherwise, the algorithm B fails.

  2. Run A on input $(1^k, d, g)$. Assume that the output is $([v]_{\mathrm{SLP}}, [w]_{\mathrm{SLP}}) \in \Sigma_1(G_d, \mathfrak{O}, \mathrm{SLP}, g)$. (Remark 3.14 implies that B can check this condition.) If this is not true, then B fails.

  3. Find (by exhaustive search) a pair

    $$(([v_1]_{\mathrm{SLP}}, \ldots, [v_m]_{\mathrm{SLP}}), ([w_1]_{\mathrm{SLP}}, \ldots, [w_m]_{\mathrm{SLP}}))$$

    of m-tuples such that the following conditions hold:

    1. ω(v1, . . . , vm) ∈ subt(v) and ω(w1, . . . , wm) ∈ subt(w);

    2. (v1(g), . . . , vm(g)) ≠ (w1(g), . . . , wm(g)), but ω(v1(g), . . . , vm(g)) = ω(w1(g), . . . , wm(g)).

    By Lemma 5.1, such a pair exists. (We note that $g_i \notin \omega(G_d^m)$ for all i ∈ {1, . . . , π(k)}. This is because the last bits of $g_i$ and of any string in $\omega(G_d^m)$ are 0 and 1, respectively.) The exhaustive search can be performed in polynomial time by Remark 3.15.

  4. Output (v1(g) . . . vm(g), w1(g) . . . wm(g)). (By the last condition of the previous step, together with the definition of ω on Gd, it is a collision for ψd.)

Let k ∈ K, $d \sim \mathcal{D}_k$, $g_1, \ldots, g_{\pi(k)} \sim \mathcal{U}(M_k)$, and $g = (g_1, \ldots, g_{\pi(k)})$. Then

$$\begin{aligned}
\Pr[A(1^k, d, g) \in \Sigma_1(G_d, \mathfrak{O}, \mathrm{SLP}, g)]
&= \Pr[A(1^k, d, g) \in \Sigma_1(G_d, \mathfrak{O}, \mathrm{SLP}, g),\ g_1, \ldots, g_{\pi(k)} \text{ are distinct}] \\
&\quad + \Pr[A(1^k, d, g) \in \Sigma_1(G_d, \mathfrak{O}, \mathrm{SLP}, g),\ g_1, \ldots, g_{\pi(k)} \text{ are not distinct}] \\
&\le \Pr[B(d) \text{ is a collision for } \psi_d] + \frac{\pi(k)(\pi(k)-1)}{2^{\eta(k)+1}} \\
&= \mathrm{negl}(k) + \mathrm{negl}(k) = \mathrm{negl}(k)
\end{aligned}$$

because Ψ is collision-resistant with respect to 𝒟 and $2^{-\eta(k)} = \mathrm{negl}(k)$ (see Remark 2.5). Thus, the family 𝙶 is weakly pseudo-free in 𝔒 with respect to 𝒟 and SLP (see Remark 3.9). □
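The reduction in the proof of Theorem 5.3, as an added Python example that is not part of the paper: a toy instance of Construction 5.2 (m = 2, η(k) = 8, ξ(k) = 12, with ψ_d replaced by SHA-256 truncated to 8 bits so that an equation v(g) = w(g) with v ≠ w can be found by pigeonhole) together with the recursive search from the proof of Lemma 5.1 that turns such an equation into a collision for ψ_d. The parameter values and the deliberately weak hash are assumptions of this example, chosen only so that the reduction can be exercised offline.

```python
import hashlib
from itertools import product
from typing import List, Tuple, Union

# Toy parameters of Construction 5.2 (constructed for this example): arity m,
# hash length eta(k) and carrier length xi(k) > eta(k), all for one fixed k.
M, ETA, XI = 2, 8, 12

Term = Union[int, Tuple["Term", ...]]   # int i stands for the generator a_i

def psi(x: str) -> str:
    """Stand-in for psi_d: {0,1}^{m*xi} -> {0,1}^{eta}.  SHA-256 truncated to
    8 bits is deliberately weak so that an equation can be found by pigeonhole;
    it only serves to exercise the reduction, not as a real hash family."""
    assert len(x) == M * XI and set(x) <= {"0", "1"}
    digest = hashlib.sha256(x.encode()).digest()
    return "".join(format(b, "08b") for b in digest)[:ETA]

def omega(args: List[str]) -> str:
    """Fundamental operation of G_d: psi_d(g_1 ... g_m) followed by 1^{xi-eta}."""
    assert len(args) == M and all(len(a) == XI for a in args)
    return psi("".join(args)) + "1" * (XI - ETA)

def generators(n: int) -> List[str]:
    """First n elements of M_k = {0,1}^eta 0^{xi-eta}: distinct, and never in
    omega(G_d^m) because they end in 0 while every omega-value ends in 1."""
    assert n <= 2 ** ETA
    return [format(i, "0%db" % ETA) + "0" * (XI - ETA) for i in range(n)]

def evaluate(t: Term, g: List[str]) -> str:
    """v(g): interpret the term t with a_i := g[i-1]."""
    if isinstance(t, int):
        return g[t - 1]
    return omega([evaluate(s, g) for s in t])

def find_equation(g: List[str]) -> Tuple[Term, Term]:
    """Play the adversary A: return distinct terms v, w with v(g) = w(g).
    Among len(g)^m depth-1 terms only 2^eta omega-values occur, so for
    len(g)^m > 2^eta two of them must coincide."""
    seen = {}
    for idx in product(range(1, len(g) + 1), repeat=M):
        val = omega([g[i - 1] for i in idx])
        if val in seen:
            return seen[val], idx
        seen[val] = idx
    raise RuntimeError("no equation found; use more generators")

def extract_collision(v: Term, w: Term, g: List[str]) -> Tuple[str, str]:
    """Steps 3-4 of algorithm B, following the recursion in the proof of
    Lemma 5.1: from v != w with v(g) = w(g) obtain x != y with psi(x) = psi(y)."""
    assert v != w and evaluate(v, g) == evaluate(w, g)
    # Distinct generators have distinct values and a generator value is never
    # an omega-value, so at this point both v and w are omega-terms.
    assert isinstance(v, tuple) and isinstance(w, tuple)
    vals_v = [evaluate(s, g) for s in v]
    vals_w = [evaluate(s, g) for s in w]
    if vals_v != vals_w:            # condition (ii) holds for the top-level arguments
        return "".join(vals_v), "".join(vals_w)
    j = next(i for i in range(M) if v[i] != w[i])  # exists because v != w
    return extract_collision(v[j], w[j], g)        # descend into subt(v'_j), subt(w'_j)

def demo() -> Tuple[str, str]:
    g = generators(32)                   # 32^2 = 1024 pairs > 2^8 omega-values
    v, w = find_equation(g)
    # Wrap both sides so the top-level argument values agree and the collision
    # is only found one level down, exercising the recursive case.
    x, y = extract_collision((1, v), (1, w), g)
    assert x != y and psi(x) == psi(y)
    return x, y

if __name__ == "__main__":
    print(demo())
```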

Corollary 5.4

Assume that m ≥ 2. Then the following conditions are equivalent:

  1. There exists a collision-resistant family of hash functions with respect to some probability ensemble that is indexed by K and is polynomial-time samplable when the indices are represented in unary.

  2. There exists a polynomially bounded weakly pseudo-free family of computational m-ary groupoids in 𝔒 with respect to some probability ensemble (with the same properties as in condition (i)) and SLP.

  3. The same as condition (ii), but with nat instead of SLP.

Proof. The implication (i) =⇒ (ii) follows from Lemma 2.6 and Theorem 5.3. The implication (ii) =⇒ (iii) follows from Remark 3.16. Finally, the implication (iii) =⇒ (i) follows from Corollary 4.6 and Remark 4.7 (case (iii)). □

Remark 5.5

Note that the family 𝙶 in Theorem 5.3 has unique representations of elements. Therefore Corollary 5.4 remains valid if we require that the weakly pseudo-free families in conditions (ii) and (iii) additionally have unique representations of elements.

5.2 Constructing an exponential-size pseudo-free family from a collision-resistant family of hash functions

Construction 5.6

Suppose $\Psi = (\psi_d\colon \{0,1\}^{m\xi(\kappa(d))} \to \{0,1\}^{\eta(\kappa(d))} \mid d \in D)$ and $G_d$ (d ∈ D) are as in Construction 5.2. Let d ∈ D and k = κ(d). For each $n \in \{0, \ldots, 2^{\eta(k)} - 1\}$, denote by $\beta_k(n) \in \{0,1\}^{\eta(k)}$ the binary representation of length η(k) of n (with enough leading zeros to obtain η(k) bits). Thus, $\beta_k$ is a one-to-one function from $\{0, \ldots, 2^{\eta(k)} - 1\}$ onto $\{0,1\}^{\eta(k)}$. Suppose $\lambda_d$ is the homomorphism of $F_{2^{\eta(k)}}$ to $G_d$ such that $\lambda_d(a_i) = \beta_k(i-1)\, 0^{\xi(k) - \eta(k)}$ for all $i \in \{1, \ldots, 2^{\eta(k)}\}$ and $\theta_d$ is the kernel of this homomorphism.

Recall that $\bar w = \mathrm{nat}^{-1}(w)$ for any $w \in F_{\infty,\infty}$ (see Example 3.12).

Theorem 5.7

Let Ψ, η, and θd (dD) be as in Construction 5.6. Assume that the family 𝛹 is collision-resistant with respect to 𝒟. Then

$$\mathtt{Q} = \bigl((F_{2^{\eta(\kappa(d))}}/\theta_d,\ \mathrm{nat}_{2^{\eta(\kappa(d))}}/\theta_d,\ \mathcal{U}(\{\bar a_1, \ldots, \bar a_{2^{\eta(\kappa(d))}}\})) \mid d \in D\bigr)$$

is a pseudo-free family of computational m-ary groupoids in 𝔒 with respect to 𝒟 and nat. Moreover, the family 𝚀 has exponential size.

Proof. Remark 2.5 shows that $2^{-\eta(k)} = \mathrm{negl}(k)$. Therefore, by Corollary 3.18,

$$\mathtt{F} = \bigl((F_{2^{\eta(|u|)}},\ \mathrm{nat}_{2^{\eta(|u|)}},\ \mathcal{U}(\{\bar a_1, \ldots, \bar a_{2^{\eta(|u|)}}\})) \mid u \in 1^K\bigr)$$

is a pseudo-free family of computational m-ary groupoids in 𝔒 with respect to (𝒰({1k}) | kK) and nat. Furthermore, it is easy to see that 𝙵 is nat-compatible.

Suppose $\lambda_d$ (d ∈ D) is as in Construction 5.6. It is not hard to show that, given $(d, \bar v)$ (where d ∈ D and $v \in F_{2^{\eta(\kappa(d))}}$), one can compute $\lambda_d(v)$ in polynomial time. Hence there exists a deterministic polynomial-time algorithm that, given $(1^k, d, \bar v, \bar w)$, where k ∈ K, $d \in D_k$, and $v, w \in F_{2^{\eta(k)}}$, decides whether $(v, w) \in \theta_d$.

Let A be a probabilistic polynomial-time algorithm trying to violate condition (ii) of Lemma 3.20. Suppose B is a probabilistic polynomial-time algorithm (trying to find collisions for Ψ) that on input dD proceeds as follows:

  1. Run A on input $(1^k, 1^k, d)$, where k = κ(d). Let $g = \lambda_d(a_1, \ldots, a_{2^{\eta(k)}})$. Assume that the output is $(\bar v, \bar w)$ such that $(v, w) \in \theta_d^{\ne}$. (It is easy to see that B can check this condition.) If this is not true, then B fails.

  2. Find (by exhaustive search) a pair $((\bar v_1, \ldots, \bar v_m), (\bar w_1, \ldots, \bar w_m))$ of m-tuples such that the following conditions hold:

    1. ω(v1, . . . , vm) ∈ subt(v) and ω(w1, . . . , wm) ∈ subt(w);

    2. (v1(g), . . . , vm(g)) ≠ (w1(g), . . . , wm(g)), but ω(v1(g), . . . , vm(g)) = ω(w1(g), . . . , wm(g)). (Of course, $\operatorname{subt}(v) \cup \operatorname{subt}(w) \subseteq \langle a_{i_1}, \ldots, a_{i_n} \rangle$, where $1 \le i_1 < \cdots < i_n \le 2^{\eta(k)}$ and $n \le \pi(k)$ for some fixed polynomial π.)

    By Lemma 5.1, such a pair exists. (We note that the elements of the $2^{\eta(k)}$-tuple g are distinct. Moreover, these elements are not in $\omega(G_d^m)$ because the last bits of each such element and of any element in $\omega(G_d^m)$ are 0 and 1, respectively. See also step (3) of the algorithm B in the proof of Theorem 5.3.)

  3. Output (v1(g) . . . vm(g), w1(g) . . . wm(g)). (By the last condition of the previous step, together with the definition of ω on Gd, it is a collision for ψd. See also step (4) of the algorithm B in the proof of Theorem 5.3.)

Let kK and d ∼ 𝒟k. Then

$$\Pr[A(1^k, 1^k, d) = (\bar v, \bar w) \text{ s.t. } (v, w) \in \theta_d^{\ne}] = \Pr[B(d) \text{ is a collision for } \psi_d] = \mathrm{negl}(k)$$

because 𝛹 is collision-resistant with respect to 𝒟.

For every k ∈ K, denote by $\mathcal{D}'_k$ the distribution of the random variable $(1^k, d)$, where $d \sim \mathcal{D}_k$. It follows from the above and from Lemma 3.20 that

$$\mathtt{F}' = \bigl((F_{2^{\eta(|u|)}}/\theta_d,\ \mathrm{nat}_{2^{\eta(|u|)}}/\theta_d,\ \mathcal{U}(\{\bar a_1, \ldots, \bar a_{2^{\eta(|u|)}}\})) \mid u \in 1^K,\ d \in D_{|u|}\bigr)$$

is a pseudo-free family of computational m-ary groupoids in 𝔒 with respect to $(\mathcal{D}'_k \mid k \in K)$ and nat.

For each d ∈ D, put $\alpha(d) = (1^{\kappa(d)}, d)$. Then α is a one-to-one function from D onto $\{(u, d) \mid u \in 1^K,\ d \in D_{|u|}\}$. Both α and $\alpha^{-1}$ are polynomial-time computable. Therefore the family 𝙵′ can be indexed by D instead of $\{(u, d) \mid u \in 1^K,\ d \in D_{|u|}\}$. Furthermore, $\alpha^{-1}(\mathcal{D}'_k) = \mathcal{D}_k$ for all k ∈ K. Thus, we see that 𝚀 is a pseudo-free family of computational m-ary groupoids in 𝔒 with respect to 𝒟 and nat. Moreover, the family 𝚀 has exponential size because $|F_{2^{\eta(\kappa(d))}}/\theta_d| \le |G_d| = 2^{\xi(\kappa(d))}$ for all d ∈ D, where κ and ξ are polynomial parameters on D and K, respectively.

6 Conclusion

We have initiated the study of (weakly) pseudo-free families of computational Ω-algebras in arbitrary varieties of Ω-algebras. We hope that the assumption of the existence of polynomially bounded or exponential-size (weakly) pseudo-free families in an appropriate variety of Ω-algebras will be useful in mathematical cryptography. The results of the paper show that this assumption can be quite strong, but not unrealistic. Moreover, this assumption can hold in a post-quantum world (see Subsections 5.1–5.2).

Here are some suggestions for further research:

  1. Find applications of (weakly) pseudo-free families of computational Ω-algebras. For example, construct a cryptographic primitive or a secure cryptographic protocol from a polynomially bounded or exponential-size (weakly) pseudo-free family in a suitable variety of Ω-algebras. See Subsection 4.2 for results in this direction.

  2. Construct a polynomially bounded or exponential-size (weakly) pseudo-free family in some interesting variety of Ω-algebras under a standard cryptographic assumption. See Subsections 5.1–5.2 for results in this direction.

  3. Modify the definition of a (weakly) pseudo-free family of computational Ω-algebras to make this definition more useful.

Acknowledgement

I would like to thank the anonymous reviewer for many comments that have helped to improve the presentation of the paper and to fix a small error in the proof of Lemma 3.21.


A Table of notation

For the convenience of the reader, we briefly recall the notation introduced in Sections 2–3 (in order of appearance).

ℕ = {0, 1, . . . }
$Y^n$ the set of all (ordered) n-tuples of elements from a set Y
the operation of disjoint union
$\{0,1\}^{\le n} = \bigcup_{i=0}^{n} \{0,1\}^i$
$\{0,1\}^* = \bigcup_{i=0}^{\infty} \{0,1\}^i$
|u| the length of a bit string u
uv the concatenation of bit strings u and v
$1^n$ the string of n ones
$0^n$ the string of n zeros
dom ϕ the domain of a function ϕ
$[s]_\rho$ an arbitrary preimage of s under ρ (unless otherwise specified)
Ω a set of finitary operation symbols (from Section 3 on, Ω is finite)
ar ω the arity of ω ∈ Ω
〈S〉 the subalgebra generated by S
h/θ the equivalence class of h under θ
H/θ the quotient algebra {h/θ | h ∈ H} of an Ω-algebra H by a congruence θ
$\theta^{\ne}$ = {(h, h′) ∈ θ | h ≠ h′}
ρ/θ the function y ↦ ρ(y)/θ
Ω0 the set of all nullary operation symbols in Ω
Tm(Z) the Ω-term algebra over Z
subt(v) the set of all subterms of a term v
𝔙 a variety of Ω-algebras
F∞,∞(𝔙) the 𝔙-free Ω-algebra freely generated by a1, a2, . . . , x1, x2, . . .
F∞(𝔙) = 〈a1, a2, . . . 〉
Fm,n(𝔙) = 〈a1, . . . , am, x1, . . . , xn〉
Fm(𝔙) = Fm,0(𝔙) = 〈a1, . . . , am〉
v(a; x) = v(a1, . . . , am; x1, . . . , xn) for v ∈ Fm,n(𝔙)
v(g; h) = v(g1, . . . , gm; h1, . . . , hn) for v ∈ Fm,n(𝔙), g = (g1, . . . , gm) ∈ Gm, and h = (h1, . . . , hn) ∈ Gn, where G ∈ 𝔙
v(a) = v(a1, . . . , am) for v ∈ Fm(𝔙)
v(g) = v(g1, . . . , gm) for v ∈ Fm(𝔙) and g = (g1, . . . , gm) ∈ Gm, where G ∈ 𝔙
𝔒 the variety of all Ω-algebras
F∞,∞ = F∞,∞(𝔒)
F∞ = F∞(𝔒)
Fm,n = Fm,n(𝔒)
Fm = Fm(𝔒)
supp 𝒴 the support of a probability distribution 𝒴 on a finite or countably infinite sample space Y, i.e., {y ∈ Y | Pr𝒴{y} ≠ 0}
α(𝒴) the image of a probability distribution 𝒴 under a function α
y1, . . . , yn ∼ 𝒴 means that y1, . . . , yn are independent random variables distributed according to 𝒴
y1, . . . , yn ← 𝒴 means that y1, . . . , yn are fixed elements chosen independently at random according to 𝒴
𝒴n the distribution of (y1, . . . , yn), where y1, . . . , yn ∼ 𝒴
𝒰(Z) the uniform probability distribution on Z
CP(𝒴) the collision probability of 𝒴, i.e., Pr[y = y′], where y, y′ ∼ 𝒴
K an infinite subset of ℕ
D a subset of {0, 1}*
𝒟 = (𝒟k | k ∈ K) a polynomial-time samplable (when the indices are represented in unary) probability ensemble consisting of distributions on D
1K = {1k | k ∈ K}
negl an unspecified negligible function on K
σ a function from a subset of {0, 1}* onto F∞,∞(𝔙)
$\Sigma_s(H, \mathfrak{V}, \sigma, \rho, g)$ the set defined in Subsection 3.2
$\Sigma'_s(H, \mathfrak{V}, \sigma, g)$ the set defined in Subsection 3.2
$\Sigma(H, \mathfrak{V}, \sigma, \rho, g) = \bigcup_{s=1}^{\infty} \Sigma_s(H, \mathfrak{V}, \sigma, \rho, g)$
$\Sigma'(H, \mathfrak{V}, \sigma, g) = \bigcup_{s=1}^{\infty} \Sigma'_s(H, \mathfrak{V}, \sigma, g)$
$\bar v$ an Ω-term v over {a1, a2, . . . , x1, x2, . . . } (or {a1, a2, . . . , x1, x2, . . . } when 𝔙 = 𝔒) written in Polish notation, where the indices of variables are represented in binary (see Example 3.12)
nat the function $\bar v \mapsto v(a; x)$ that provides the natural representation of elements of F∞,∞(𝔙) (see Example 3.12)
natm the restriction of nat to $\overline{\langle a_1, \ldots, a_m \rangle}$ (see Example 3.12)
SLP the function that provides the representation of elements of F∞,∞(𝔙) by straight-line programs (see Example 3.13)
Received: 2018-12-05
Accepted: 2020-06-16
Published Online: 2020-11-25

© 2020 M. Anokhin, published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.
