Remark 3.5.

Assume that the family of computational groups ((Gd,ρd,ℛd)|d∈D) is pseudo-free in 𝔙 with respect to 𝒟 and σ. In this remark, we need the following additional assumptions:

1. The variety 𝔙 is nontrivial (as in Remark 3.4).

2. There exists a deterministic polynomial-time algorithm that, given integers b1,…,bm∈{0,1}, computes [a1b1⁢…⁢ambm]σ (as in Remark 3.4).

3. There exists a polynomial η such that dom⁡ρd⊆{0,1}η⁢(k) for all k∈K and d∈supp⁡𝒟k.

Let π be a polynomial such that π⁢(k)>η⁢(k) for any k∈K. Suppose k∈K. Denote by Wk the set of all pairs (d,(r1,…,rπ⁢(k))) such that d∈supp⁡𝒟k and r1,…,rπ⁢(k)∈dom⁡ρd. For every w∈Wk, let ψk,w be a mapping defined as in Remark 3.4. Moreover, we choose these mappings so that, given (1k,w) (where w∈Wk) and y∈{0,1}π⁢(k), ψk,w⁢(y) can be computed in deterministic polynomial time. Also, suppose 𝒲k is the distribution of the random variable (𝐝,(𝐫1,…,𝐫π⁢(k))), where 𝐝←𝒟k and 𝐫1,…,𝐫π⁢(k)←ℛ𝐝. Of course, the probability ensemble (𝒲k|k∈K) is polynomial-time samplable. Then Remark 3.4 implies that the family (ψk,w|k∈K,w∈Wk) is a collision-intractable (or collision-resistant) hash function family with respect to (𝒲k|k∈K). Namely, the following conditions hold:

1. For all k∈K and w∈Wk, ψk,w maps {0,1}π⁢(k) into {0,1}η⁢(k), where π⁢(k)>η⁢(k).

2. Given (1k,w) (where k∈K and w∈Wk) and y∈{0,1}π⁢(k), ψk,w⁢(y) can be computed in deterministic polynomial time.

3. If 𝐰←𝒲k, then for any probabilistic polynomial-time algorithm A,

   Pr⁡(A⁢(1k,𝐰)⁢ is a collision for ⁢ψk,𝐰)

   is negligible as a function of k∈K.