Pseudo-free families and cryptographic primitives

1.1 Related work

Most researchers consider pseudo-freeness (in various versions) in the varieties of all groups [1,2,3,8,9,10], of all Abelian groups [1,2, 3 4,6,8,11,12,13, 14,15], and of all elementary Abelian p -groups, where p is a prime [16]. Anokhin [7] initiated the study of (weakly) pseudo-free families of computational Ω -algebras in arbitrary varieties of Ω -algebras. In our opinion, the study of these families opens up new opportunities for using (weak) pseudo-freeness in mathematical cryptography.

Let H = ( H d ∣ d ∈ D ) be a family of computational Ω -algebras, where D ⊆ { 0 , 1 } ∗ . (We specify only the Ω -algebras here.) This family is said to have exponential size if there exists a polynomial ξ such that ∣ H d ∣ ≤ 2 ξ ( ∣ d ∣ ) for all d ∈ D (see also [7, Definition 3.2]). The family H is called polynomially bounded if there exists a polynomial η such that the length of any representation of every h ∈ H d is at most η ( ∣ d ∣ ) for all d ∈ D (see also [7, Definition 3.3]). Of course, if H is polynomially bounded, then it has an exponential size. It should be noted that a (weakly) pseudo-free family can have applications in cryptography only if it is polynomially bounded or at least has an exponential size. (Weakly) pseudo-free families that do not have exponential size per se are of little interest; they can be constructed unconditionally (see [7, Section 3.4]). Finally, the family H is said to have unique representations of elements if for every d ∈ D , each element of H d is represented by a unique bit string (see also [7, Definition 3.4]). This property seems to be useful in applications.

Micciancio [4] proved that a specific polynomially bounded family of computational Abelian groups having unique representations of elements is pseudo-free in the variety A of all Abelian groups under a certain very strong number-theoretic hardness assumption. The same result, but with slightly different representations of group elements by bit strings and different distributions of random elements of the groups, was obtained by Jhanwar and Barua [11]. Moreover, Catalano et al. [12] proved that under the same assumption as in [4], the family of computational Abelian groups from that work satisfies an apparently stronger condition than pseudo-freeness in A . That condition, called adaptive pseudo-freeness, was introduced in [12]. Anokhin [10] constructed an exponential-size pseudo-free family in the variety of all groups under the general integer factoring intractability assumption. Also, he proved that a certain polynomially bounded family of computational Abelian groups having unique representations of elements is weakly pseudo-free in A under the general integer factoring intractability assumption (see [6]). Compared to the aforementioned result of Micciancio, this is a weaker statement, but it is proved under a much weaker cryptographic assumption.

There are many constructions of cryptographic objects based on classical algebraic structures (e.g., groups). However, to the best of our knowledge, there are only a few works concerning both universal algebra and cryptography. Probably, the first such work is by Artamonov and Yashchenko [17]. In that work, the authors introduced and studied the notion of a pk-algebra that naturally formalizes the syntax of a one-round two-party key agreement scheme. See also the extended version [18] of [17]. Partala [19] proposed a generalization of the well-known Diffie–Hellman key agreement scheme based on universal algebras. Moreover, he considered some approaches to the instantiation of the proposed scheme. Loosely speaking, that scheme is secure if it is computationally hard to compute images under an unknown homomorphism (in a certain setting). See also [20] (a preliminary version of [19]) and the thesis [21].

In this article, we address the following natural questions:

1. Which cryptographic primitives can be constructed from polynomially bounded pseudo-free families (in appropriate varieties of Ω -algebras for suitable finite sets Ω of finitary operation symbols)?

2. In which varieties of Ω -algebras can polynomially bounded pseudo-free families be constructed from standard cryptographic primitives?

Let O denote the variety of all Ω -algebras. In some (not very interesting) cases, polynomially bounded (weakly) pseudo-free families in O exist unconditionally. Namely, if Ω consists of nullary operation symbols only, then there exists a polynomially bounded pseudo-free family in O . This family consists of free Ω -algebras. Now assume that Ω = Ω 0 ∪ { ω } , where Ω 0 consists of nullary operation symbols and the arity of ω is 1. Then, in O , there exist an exponential-size pseudo-free family and a polynomially bounded weakly pseudo-free family. All these three families have unique representations of elements. See [7, Section 4.1] for details.

In many natural cases, collision-resistant hash function families can be constructed from polynomially bounded weakly pseudo-free families in V (see [7, Section 4.2]; note that by [7, Remark 3.9], weak 1-pseudo-freeness is equivalent to weak pseudo-freeness in the same variety). In particular, we can do this if at least one of the following conditions holds (see [7, Remark 4.7]):

1. Ω contains a binary operation symbol ω and V is a nontrivial variety of Ω -algebras such that any Ω -algebra in V is a groupoid with an identity element under ω . (Of course, this holds if V is a nontrivial variety of monoids, loops, groups, or rings.)

2. Ω contains two distinct unary operation symbols and V = O .

3. Ω contains an m -ary operation symbol, where m ≥ 2 , and V = O .

Assume that Ω consists of a single m -ary operation symbol, where m ≥ 1 . In other words, we consider m -ary groupoids. Furthermore, assume the existence of collision-resistant hash function families. Then, in O , there exist a polynomially bounded weakly pseudo-free family having unique representations of elements and an exponential-size pseudo-free family. See [7, Sections 5.1–5.2] for details. As we have already seen, if m = 1 , then such (weakly) pseudo-free families exist unconditionally.

From now on, we assume that all families of computational Ω -algebras are polynomially bounded and have unique representations of elements. Hence, we can assume that every family of computational Ω -algebras has the form ( ( H d , ℋ d ) ∣ d ∈ D ) , where D ⊆ { 0 , 1 } ∗ , H d is an Ω -algebra such that H d ⊆ { 0 , 1 } ≤ η ( ∣ d ∣ ) for some fixed polynomial η , and ℋ d is a probability distribution on H d for any d ∈ D . Thus, the unique representation of each element h ∈ H d ( d ∈ D ) is h itself.

Suppose p is an arbitrary fixed prime number and let A p be the variety of all elementary Abelian p -groups. Then pseudo-free families in A p exist if and only if certain homomorphic collision-resistant p -ary hash function families exist or, equivalently, certain homomorphic one-way families of functions exist. See [16, Theorem 4.12] for details. Note that pseudo-freeness in A p is equivalent to weak pseudo-freeness in A p for families of computational elementary Abelian p -groups (see [16, Theorem 3.7]).

1.2 Our contributions and organization of the article

This article continues the study initiated in [7]. Our main results are as follows:

1. Assume that Ω consists of a single unary operation symbol ω . (In this case, Ω -algebras are called mono-unary algebras.) Suppose ( ( H d , ℋ d ) ∣ d ∈ D ) is a 1-pseudo-free (in particular, pseudo-free) family of computational mono-unary algebras in O such that ω is a permutation of H d for each d ∈ D , and the probability ensemble ( ℋ d ∣ d ∈ D ) is pseudo-uniform in the sense of Definition 2.4. Then, ( ω : H d → H d ∣ d ∈ D ) is a one-way family of permutations (see Theorem 4.2). Conversely, if there exists a one-way family of permutations, then there exists a pseudo-free family of computational mono-unary algebras in O such that the fundamental operation of any mono-unary algebra in this family is a permutation (see Corollary 4.7). The construction of this pseudo-free family is explicit.

2. Assume that Ω consists of m distinct unary operation symbols ω 1 , … , ω m , where m ≥ 2 . (In this case, Ω -algebras are called m -unary algebras.) Suppose ( ( H d , ℋ d ) ∣ d ∈ D ) is a 1-pseudo-free (in particular, pseudo-free) family of computational m -unary algebras in O such that ω 1 , … , ω m are permutations of H d for each d ∈ D and the probability ensemble ( ℋ d ∣ d ∈ D ) is pseudo-uniform in the sense of Definition 2.4. Then ( ( ω 1 , … , ω m : H d → H d ) ∣ d ∈ D ) is a claw resistant family of m -tuples of permutations (see Theorem 5.2). Conversely, if there exists a claw resistant family of m -tuples of permutations, then there exists a pseudo-free family of computational m -unary algebras in O such that the fundamental operations of any m -unary algebra in this family are permutations (see Corollary 5.5). The construction of this pseudo-free family is explicit.

3. Assume that Ω consists of a single unary operation symbol ω and two distinct binary operation symbols ε and δ . Let V be the variety generated by all finite Ω -algebras satisfying the identity ∀ z 1 , z 2 ( δ ( z 1 , ε ( ω ( z 1 ) , z 2 ) ) = z 2 ) . Suppose ( ( H d , ℋ d ) ∣ d ∈ D ) is a 1-pseudo-free (in particular, pseudo-free) family of computational Ω -algebras in V such that ω is a permutation of H d for each d ∈ D and the probability ensemble ( ℋ d ∣ d ∈ D ) is pseudo-uniform in the sense of Definition 2.4. For every d ∈ D and h , y ∈ H d , put ψ d , h ( y ) = ε ( h , y ) in H d . Then, ( ψ d , h ∣ d ∈ D , h ∈ H d ) is a family of trapdoor permutations (see Theorem 6.2).

We emphasize that in the introduction, all the results are stated loosely. In particular, we ignore the probability distribution (depending on the security parameter) according to which the index d is sampled. Also, we do not specify the representation of elements of the ( V -)free Ω -algebra by bit strings. (This representation is used for representing systems of the form (1).) For precise statements, we refer the reader to the cited works and to Sections 3–6 of this article.

The rest of this article is organized as follows. Section 2 contains notation, basic definitions, and general results used in this article. In particular, in Section 2.5, we formally define families of computational Ω -algebras (with the aforementioned restrictions), as well as pseudo-free and s -pseudo-free ones. The main result of Section 3 is as follows: If the arity of any operation symbol in Ω is at most 1, then for each positive integer s , pseudo-freeness in O is equivalent to s -pseudo-freeness in O for families of computational Ω -algebras with one to one unary fundamental operations (see Corollary 3.4). This result is used in Sections 4 and 5 and may be interesting in its own right. In Sections 4–6, we prove main results (i)–(iii), respectively. Section 7 concludes and suggests some directions for future research. Finally, in Appendix A, we briefly recall the notation introduced in Section 2.

2.1 General preliminaries

In this article, N denotes the set of all nonnegative integers. The operation of disjoint union is denoted by ⊔ . Let Y be a set and let n ∈ N . We denote by Y n the set of all (ordered) n -tuples of elements from Y . Furthermore, we put Y ≤ n = ⨆ i = 0 n Y i and Y ∗ = ⨆ i = 0 ∞ Y i . In particular, ∅ ∗ consists only of the empty tuple.

For some sets Y , we consider elements of Y ∗ as strings over Y . In particular, we do this for { 0 , 1 } . Suppose u , v are strings over a set. Then, we denote by ∣ u ∣ the length of u and by u v the concatenation of u and v . Moreover, u n denotes the concatenation of n copies of u . In particular, the unary representation of n , i.e., the string of n ones, is denoted by 1 n . Also, we write u ⊑ v whenever u is a prefix of v , i.e., v = u w for some (unique) string w . The notation u ⊏ v means that u ⊑ v and u ≠ v .

Let I be a set. Suppose each i ∈ I is assigned an object q i . Then, we denote by ( q i ∣ i ∈ I ) the family of all such objects and by { q i ∣ i ∈ I } the set of all elements of this family.

When necessary, we assume that all “finite” objects (e.g., integers, tuples of integers, tuples of tuples of integers) are represented by bit strings in some natural way. Sometimes we identify such objects with their representations. Unless otherwise specified, integers are represented by their binary expansions.

Suppose ϕ is a function. We denote by dom ϕ the domain of ϕ . Also, we use the same notation for ϕ and for the function ( z 1 , … , z n ) ↦ ( ϕ ( z 1 ) , … , ϕ ( z n ) ) , where n ∈ N and z 1 , … , z n ∈ dom ϕ . The identity function on the set Y is denoted by id Y .

Let ρ be a function from a subset of { 0 , 1 } ∗ onto a set S and let s ∈ S . Then, unless otherwise specified, [ s ] ρ denotes an arbitrary preimage of s under ρ . A similar notation was used by Boneh and Lipton in [22] and by Hohenberger in [1]. In general, [ s ] ρ denotes many strings in { 0 , 1 } ∗ unless ρ is one to one. We use any of these strings as a representation of s for computational purposes.

For convenience, we say that a function π : N → N ⧹ { 0 } is a polynomial if there exist c ∈ N ⧹ { 0 } and d ∈ N such that π ( n ) = c n d for any n ∈ N ⧹ { 0 } ( π ( 0 ) can be an arbitrary positive integer). Of course, every polynomial growth function from N to R + = { r ∈ R ∣ r ≥ 0 } can be upper bounded by a polynomial in this sense. Therefore, this restricted notion of a polynomial is sufficient for our purposes. For any c ∈ N ⧹ { 0 } , the constant polynomial n ↦ c ( n ∈ N ) is denoted by c .

2.2 Algebraic preliminaries

In this subsection, we recall the basic definitions and simple facts from the universal algebra. For a detailed introduction to this topic, the reader is referred to standard books, e.g., [23,24,25].

Throughout this article, Ω denotes a set of finitary operation symbols. Each ω ∈ Ω is assigned a nonnegative integer called the arity of ω and denoted by ar ω . An Ω -algebra is a set H called the carrier (or the underlying set) together with a family ( ω ^ : H ar ω → H ∣ ω ∈ Ω ) of finitary operations on H called the fundamental operations. We often denote an Ω -algebra and its carrier by the same symbol.

Let H be an Ω -algebra. Then, its fundamental operation associated with a symbol ω ∈ Ω will be denoted by ω H or simply by ω . A subset of H is called a subalgebra of H if it is closed under the fundamental operations of H . If S is a system of elements of H , then we denote by ⟨ S ⟩ the subalgebra of H generated by S , i.e., the smallest subalgebra of H containing S .

Suppose G is an Ω -algebra. A homomorphism of G to H is a function ϕ : G → H such that for every ω ∈ Ω and g 1 , … , g ar ω ∈ G ,

If a homomorphism of G onto H is one to one, then it is called an isomorphism. Of course, the Ω -algebras G and H are said to be isomorphic if there exists an isomorphism of G onto H .

Let ( H i ∣ i ∈ I ) be a family of Ω -algebras. Recall that the fundamental operations of the direct product of this family are defined as follows:

where ω ∈ Ω and h 1 , i , … , h ar ω , i ∈ H i for all i ∈ I . In particular, the direct product of G and H is the Ω -algebra with carrier G × H and the following fundamental operations:

where ω ∈ Ω , g 1 , … , g ar ω ∈ G , and h 1 , … , h ar ω ∈ H .

An Ω -algebra with only one element is said to be trivial. It is obvious that all trivial Ω -algebras are isomorphic.

For every i ∈ N , put Ω i = { ω ∈ Ω ∣ ar ω = i } . We note that if Ω 0 = ∅ , then an Ω -algebra may be empty. Whenever ω ∈ Ω 0 , it is common to write ω instead of ω ( ) .

We consider elements of Ω 1 ∗ as strings over Ω 1 . Of course, Ω 1 ∗ is a free monoid under the concatenation operation. This monoid naturally acts (from the left) on H as follows:

where n ∈ N , ω 1 , … , ω n ∈ Ω 1 , and h ∈ H . It is evident that if all unary fundamental operations of H are one to one, then u h = u h ′ ⇔ h = h ′ for any u ∈ Ω 1 ∗ and h , h ′ ∈ H . We will tacitly use this fact in the sequel.

Let Z be a set of objects called variables. We always assume that any variable is not in Ω . The set Tm ( Z ) of all Ω -terms (or simply terms) over Z is defined as the smallest set such that Ω 0 ⊔ Z ⊆ Tm ( Z ) and if ω ∈ Ω ⧹ Ω 0 and v 1 , … , v ar ω ∈ Tm ( Z ) , then the formal expression ω ( v 1 , … , v ar ω ) is in Tm ( Z ) . The Ω -terms can be considered as strings over the alphabet consisting of all symbols from Ω ⊔ Z , parentheses, and comma. Of course, Tm ( Z ) is an Ω -algebra under the natural fundamental operations. This Ω -algebra is called the Ω -term algebra over Z .

Suppose v ∈ Tm ( Z ) . Let the string P ( v ) over Ω ⊔ Z be obtained from v by removing all parentheses and commas. The string P ( v ) is known as the term v written in Polish notation. It is well known that the function v ↦ P ( v ) ( v ∈ Tm ( Z ) ) is one to one. Moreover, if the arities of the operation symbols occurring in v are known, then v can be easily recovered from P ( v ) . See [23, Chapter III, Section 2] for details; however, in that book, reverse Polish notation is used.

Consider the case where Z = { z 1 , z 2 , … } , where z 1 , z 2 , … are distinct. Assume that v ∈ Tm ( { z 1 , … , z m } ) for some m ∈ N . Furthermore, let h 1 , … , h m ∈ H . Then, the element v ( h 1 , … , h m ) ∈ H is defined inductively in the natural way. It is easy to see that { v ( h 1 , … , h m ) ∣ v ∈ Tm ( { z 1 , … , z m } ) } = ⟨ h 1 , … , h m ⟩ .

An identity (or a law) over Ω is a closed first-order formula of the form ∀ z 1 , … , z m ( v = w ) , where m ∈ N and v , w ∈ Tm ( { z 1 , … , z m } ) . A class V of Ω -algebras is said to be a variety if it can be defined by a set ϒ of identities (over Ω ). This means that for any Ω -algebra G , G ∈ V if and only if G satisfies all identities in ϒ . By the famous Birkhoff variety theorem (see, e.g., [23, Chapter IV, Theorem 3.1], [24, Chapter II, Theorem 11.9], or [25, Section 3.2.3, Theorem 21]), a class of Ω -algebras is a variety if and only if it is closed under taking subalgebras, homomorphic images, and direct products. Note that if a class of Ω -algebras is closed under taking direct products, then it contains a trivial Ω -algebra as the direct product of the empty family of Ω -algebras. A quasi-identity over Ω is defined as a closed first-order formula of the form ∀ z 1 , … , z m ( v 1 = w 1 ∧ ⋯ ∧ v s = w s → v = w ) , where m , s ∈ N and v 1 , w 1 , … , v s , w s , v , w ∈ Tm ( { z 1 , … , z m } ) .

The variety consisting of all Ω -algebras with at most one element is said to be trivial; all other varieties of Ω -algebras are called nontrivial. The trivial variety is defined by the identity ∀ z 1 , z 2 ( z 1 = z 2 ) . When Ω 0 = ∅ , the trivial variety contains not only trivial Ω -algebras, but also the empty Ω -algebra. If C is a class of Ω -algebras, then the variety generated by C is the smallest variety of Ω -algebras containing C . This variety is defined by the set of all identities holding in all Ω -algebras in C .

Let V be a variety of Ω -algebras. Then, an Ω -algebra F ∈ V is said to be V -free if it has a generating system ( f i ∣ i ∈ I ) such that for every system of elements ( g i ∣ i ∈ I ) of any Ω -algebra G ∈ V , there exists a homomorphism α : F → G satisfying α ( f i ) = g i for all i ∈ I (evidently, this homomorphism α is unique). Any generating system ( f i ∣ i ∈ I ) with this property is called free, and the Ω -algebra F is said to be freely generated by every such system. It is well known (see, e.g., [23, Chapter IV, Corollary 3.3], [24, Chapter II, Definition 10.9 and Theorem 10.10], or [25, Section 3.2.3, Theorem 16]) that for any set I , there exists a unique V -free Ω -algebra (up to isomorphism) with a free generating system indexed by I . It is easy to see that if V is nontrivial, then for each free generating system ( f i ∣ i ∈ I ) of a V -free Ω -algebra, f i are distinct. In this case, one can consider free generating systems as sets.

We denote by F ∞ , ∞ ( V ) the V -free Ω -algebra freely generated by a 1 , a 2 , … , x 1 , x 2 , … . Of course, if V is nontrivial, then the elements of this free generating system are assumed to be distinct. Furthermore, suppose m , n ∈ N and let a = { a 1 , a 2 , … } , x = { x 1 , x 2 , … } , a m = { a 1 , … , a m } , x n = { x 1 , … , x n } , F ∞ ( V ) = ⟨ a ⟩ , F m , n ( V ) = ⟨ a m ⊔ x n ⟩ , and F m ( V ) = F m , 0 ( V ) = ⟨ a m ⟩ . For elements of F m , n ( V ) , we use the notation v ( a 1 , … , a m ; x 1 , … , x n ) = v ( a ; x ) , where v is an Ω -term. It is well known that a i and x j can be considered as variables taking values in arbitrary Ω -algebra G ∈ V . That is, for any v ( a ; x ) ∈ F m , n ( V ) , g 1 , … , g m ∈ G , and h 1 , … , h n ∈ G (separated from g 1 , … , g m ), the element v ( g 1 , … , g m ; h 1 , … , h n ) ∈ G is well defined as α ( v ( a ; x ) ) , where α is the unique homomorphism of F m , n ( V ) to G such that α ( a i ) = g i and α ( x j ) = h j for each i ∈ { 1 , … , m } and j ∈ { 1 , … , n } . If g = ( g 1 , … , g m ) and h = ( h 1 , … , h n ) , then we sometimes write v ( g ; h ) instead of v ( g 1 , … , g m ; h 1 , … , h n ) . Whenever n = 0 , we omit the semicolon in the aforementioned notation (e.g., v ( a ) = v ( a ; ) for any v ( a ; ) ∈ F ∞ ( V ) ).

Unless otherwise specified, equations and systems of equations of the form v ( a ; x ) = w ( a ; x ) , where v , w ∈ F ∞ , ∞ ( V ) , are considered in the variables in x .

Denote by O the variety of all Ω -algebras. We write F ∞ , ∞ , F ∞ , F m , n , and F m instead of F ∞ , ∞ ( O ) , F ∞ ( O ) , F m , n ( O ) , and F m ( O ) , respectively. These Ω -algebras are the Ω -term algebras over the respective sets of variables.

2.3 Probabilistic preliminaries

Let Y be a probability distribution on a finite or countably infinite sample space Y . Then, we denote by supp Y the support of Y , i.e., the set { y ∈ Y ∣ Pr Y { y } ≠ 0 } . In many cases, one can consider Y as a distribution on supp Y . The same notation will be used for random variables taking values in Y . Namely, if y is such a random variable, then supp y is the support of the distribution of y .

Suppose Z is a finite or countably infinite set and α is a function from Y to Z . Then, the image of Y under α , which is a probability distribution on Z , is denoted by α ( Y ) . This distribution is defined by Pr α ( Y ) { z } = Pr Y α − 1 ( z ) for each z ∈ Z . Note that if a random variable y is distributed according to Y , then the random variable α ( y ) is distributed according to α ( Y ) .

We use the notation y 1 , … , y n ∼ Y to indicate that y 1 , … , y n (denoted by upright bold letters) are independent random variables distributed according to Y . We assume that these random variables are independent of all other random variables defined in such a way. Furthermore, all occurrences of an upright bold letter (possibly indexed or primed) in a probabilistic statement refer to the same (unique) random variable. Of course, all random variables in a probabilistic statement are assumed to be defined on the same sample space. Other specifics of random variables do not matter for us. Note that the probability distribution Y in this notation can be random. For example, suppose ( Y i ∣ i ∈ I ) is a probability ensemble consisting of distributions on the set Y , where the set I is finite or countably infinite. Moreover, let ℐ be a probability distribution on I . Then, i ∼ ℐ and y ∼ Y i mean that the joint distribution of the random variables i and y is given by Pr [ i = i , y = y ] = Pr ℐ { i } Pr Y i { y } for each i ∈ I and y ∈ Y .

By a probabilistic function from Y to Z , we mean a function from Y to the set of all probability distributions on Z . If ℱ is a probabilistic function from Y to Z , then ℱ ( Y ) is the probability distribution on Z such that for each z ∈ Z , Pr ℱ ( Y ) { z } = E y Pr ℱ ( y ) { z } , where the expectation is taken with respect to y distributed according to Y . In other words, if we consider the probability ensemble ( ℱ ( y ) ∣ y ∈ Y ) and define random variables y ∼ Y and z ∼ ℱ ( y ) (see the previous paragraph), then ℱ ( Y ) is the distribution of z . Alternatively, a probabilistic function from Y to Z can be defined as a function Π : Y × Z → R + such that ∑ z ∈ Z Π ( y , z ) = 1 for all y ∈ Y . It is easy to see that this definition is essentially equivalent to the original one.

Suppose each i ∈ { 1 , … , n } (where n ∈ N ) is assigned a probability distribution Y i on a finite or countably infinite sample space Y i . Then, the probability distribution Y 1 × ⋯ × Y n on Y 1 × ⋯ × Y n is defined as the distribution of a random variable ( y 1 , … , y n ) , where y i ∼ Y i for every i ∈ { 1 , … , n } . (Of course, the distribution of this random variable does not depend on the choice of independent random variables y 1 , … , y n distributed according to Y 1 , … , Y n , respectively.) In particular, Y n = Y × ⋯ × Y , where Y occurs n times. Furthermore, for a nonempty finite set Z , U ( Z ) denotes the uniform probability distribution on Z .

The notation y 1 , … , y n ← Y indicates that y 1 , … , y n are fixed elements of the set Y chosen independently at random according to the distribution Y .

Let ℛ and S be probability distributions on the sample space Y . Then, the statistical distance (also known as variation distance) between ℛ and S is defined as follows:

The following properties of the statistical distance are well known and/or can be proved straightforwardly:

1. Δ ( ℛ , S ) = max M ⊆ Y ∣ Pr ℛ M − Pr S M ∣ .

2. Δ is a metric on the set of all probability distributions on Y .

3. If ℱ is a probabilistic function from Y to Z , then Δ ( ℱ ( ℛ ) , ℱ ( S ) ) ≤ Δ ( ℛ , S ) . (In particular, this holds for deterministic functions.)

2.4 Cryptographic preliminaries

Let P = ( P i ∣ i ∈ I ) be a probability ensemble consisting of distributions on { 0 , 1 } ∗ , where I ⊆ { 0 , 1 } ∗ . Then, P is called polynomial-time samplable (or polynomial-time constructible) if there exists a probabilistic polynomial-time algorithm A such that for every i ∈ I the random variable A ( i ) is distributed according to P i . It is easy to see that if P is polynomial-time samplable, then there exists a polynomial π satisfying supp P i ⊆ { 0 , 1 } ≤ π ( ∣ i ∣ ) for any i ∈ I . Furthermore, let Q = ( Q j ∣ j ∈ J ) be a probability ensemble consisting of distributions on { 0 , 1 } ∗ , where J ⊆ N . Usually, when it comes to polynomial-time samplability of Q , the indices are assumed to be represented in binary. If, however, these indices are represented in unary, then we specify this explicitly. Thus, the ensemble Q is called polynomial-time samplable when the indices are represented in unary if there exists a probabilistic polynomial-time algorithm B such that for every j ∈ J the random variable B ( 1 j ) is distributed according to Q j .

Suppose K is an infinite subset of N , D is a subset of { 0 , 1 } ∗ , and D = ( D k ∣ k ∈ K ) is a probability ensemble consisting of distributions on D . We assume that D is polynomial-time samplable when the indices are represented in unary. This notation is used throughout the article.

A function ν : K → R + is called negligible if for every polynomial π , there exists a nonnegative integer n such that ν ( k ) ≤ 1 / π ( k ) whenever k ∈ K and k ≥ n . Of course, if ε , ν : K → R + , ν is negligible, and ε ( k ) ≤ ν ( k ) for all sufficiently large k ∈ K , then ε is also negligible. Moreover, it is easy to see that if ν , ν ′ : K → R + are negligible and η is a polynomial, then ν ( k ) + ν ′ ( k ) and η ( k ) ν ( k ) are negligible as functions of k ∈ K . We denote by negl an unspecified negligible function on K . Any (in)equality containing negl ( k ) is meant to hold for all k ∈ K .

Suppose Y and Z are finite or countably infinite sets, as in Section 2.3. Let ( ℛ k ∣ k ∈ K ) and ( S k ∣ k ∈ K ) be probability ensembles consisting of distributions on Y . Then, these ensembles are called statistically indistinguishable if Δ ( ℛ k , S k ) = negl ( k ) . The properties of the statistical distance listed at the end of Section 2.3 imply the following properties of statistical indistinguishability:

1. If ( ℛ k ∣ k ∈ K ) and ( S k ∣ k ∈ K ) are statistically indistinguishable and ( M k ∣ k ∈ K ) is a family of subsets of Y , then ∣ Pr ℛ k M k − Pr S k M k ∣ = negl ( k ) .

2. Statistical indistinguishability is an equivalence relation on the set of all probability ensembles indexed by K and consisting of distributions on Y .

3. If ( ℛ k ∣ k ∈ K ) and ( S k ∣ k ∈ K ) are statistically indistinguishable and ( ℱ k ∣ k ∈ K ) is a family of probabilistic functions from Y to Z , then ( ℱ k ( ℛ k ) ∣ k ∈ K ) and ( ℱ k ( S k ) ∣ k ∈ K ) are statistically indistinguishable. (In particular, this holds for families of deterministic functions.)

The notion of statistical indistinguishability can be naturally extended to probability ensembles indexed by K and consisting of random variables that take values in Y . Namely, suppose v k and w k (where k ∈ K ) are random variables taking values in Y . Let V k and W k be the distributions of v k and w k , respectively. Then, ( v k ∣ k ∈ K ) and ( w k ∣ k ∈ K ) are said to be statistically indistinguishable if ( V k ∣ k ∈ K ) and ( W k ∣ k ∈ K ) are statistically indistinguishable. In this case, we write v k ≈ s w k .

Suppose ( r k ∣ k ∈ K ) and ( s k ∣ k ∈ K ) are probability ensembles consisting of random variables taking values in { 0 , 1 } ∗ . Then, these ensembles are called computationally indistinguishable (or polynomial-time indistinguishable) if for any probabilistic polynomial-time algorithm A ,

In this case, we write r k ≈ c s k .

For each k ∈ K , let ℛ k and S k be the distributions of r k and s k , respectively. Of course, computational indistinguishability of ( r k ∣ k ∈ K ) and ( s k ∣ k ∈ K ) depends only on the probability ensembles ( ℛ k ∣ k ∈ K ) and ( S k ∣ k ∈ K ) . Therefore, the notion of computational indistinguishability can be naturally extended to probability ensembles indexed by K and consisting of distributions on { 0 , 1 } ∗ . Namely, such probability ensembles ( V k ∣ k ∈ K ) and ( W k ∣ k ∈ K ) are said to be computationally indistinguishable if v k ≈ c w k , where v k ∼ V k and w k ∼ W k for all k ∈ K .

The following properties of computational indistinguishability are well known and/or can be proved straightforwardly:

1. If r k ≈ s s k , then r k ≈ c s k .

2. Computational indistinguishability is an equivalence relation on the set of all probability ensembles indexed by K and consisting of distributions on { 0 , 1 } ∗ .

3. If r k ≈ c s k and B is a probabilistic polynomial-time algorithm, then B ( 1 k , r k ) ≈ c B ( 1 k , s k ) .

Throughout this article, by indistinguishability, we mean either statistical or computational indistinguishability. Note that after choosing one of these types of indistinguishability, we use only this type. Whenever ( r k ∣ k ∈ K ) and ( s k ∣ k ∈ K ) are indistinguishable, we write r k ≈ s k .

Let ( Y d ∣ d ∈ D ) be a family of subsets of { 0 , 1 } ∗ .