ISSN Technical Report. Self-Definable Claw Free Functions. Takeshi Koshiba and Osamu Watanabe. TR, May. Department of Computer Science, Tokyo Institute of Technology, Ookayama, Meguro, Tokyo 152, Japan. © The author(s) of this report reserve all the rights.

Dept. of Computer Science, Tokyo Institute of Technology, Technical Report 7TR0006
Title: Self-Definable Claw Free Functions
Author: Takeshi Koshiba (1) and Osamu Watanabe (2)
Affiliation: 1. High Performance Computing Research Center, Fujitsu Laboratories Ltd., Kawasaki-shi Nakahara-ku Kamikodanaka 4-1-1, Kanagawa, Japan (koshiba@flab.fujitsu.co.jp); 2. Department of Computer Science, Tokyo Institute of Technology (watanabe@titech.ac.jp)

Abstract. We propose a new type of claw free function family, a pseudo self-definable claw free function family, which provides, by Damgård's construction, a collision intractable hash function family that is more suitable for several cryptographic applications such as digital signature, bit commitment, etc. We give an example of a self-definable claw free function family based on the hardness of some number theoretic problem. We also show a concrete situation where our claw free notion is indeed necessary.

1. Introduction

One-way hash functions are widely used in many cryptographic applications such as digital signature, bit commitment, etc. In some applications, one-wayness is insufficient, and we need some additional requirements such as "collision intractability". In [Dam88b], Damgård introduced the notion of "claw free", and showed a way to construct a collision intractable family of hash functions from a family of claw free permutations. He also showed [Dam88a, Dam88b] some examples of families of claw free permutations based on the average-case hardness of some number theoretic problems. Roughly speaking, a family $H$ of hash functions is called collision intractable if it is impossible to find a pair $x \neq y$ such that $h(x) = h(y)$ for a given $h \in H$. Similarly, a family $CF$ of pairs of permutations is called claw free if it is impossible to find a claw pair $(x, y)$ such that $x \neq y$ and $f_1(x) = f_2(y)$ for a given $(f_1, f_2) \in CF$.
Ogata and Kurosawa pointed out [OK3] that there are two types of claw freeness, which they call "weak" and "strong". While it is impossible to find a claw pair $(x, y)$ from $(f_1, f_2)$, it may be possible, for "weakly" claw free permutation families, to generate $(f_1, f_2, x, y)$ such that $(x, y)$ is a claw pair of $(f_1, f_2) \in CF$. On the other hand, generating such $(f_1, f_2, x, y)$ is also hard for "strongly" claw free permutation families. The motivation for introducing the notion of "strong claw freeness" is to discuss a property that is required by some applications. Here we extract such a property as "self-definability". Roughly speaking, a claw free permutation family (resp., a hash function family) is called self-definable if a cryptographic protocol can allow the participants of the protocol to generate a claw free pair (resp., a hash function) by themselves. From this viewpoint, we observe that the "strong claw freeness" of Ogata and Kurosawa is not yet sufficient, and thus we introduce a new notion, called "pseudo self-definable claw freeness". Though pseudo self-definable claw free permutation families are not yet perfectly "self-definable", we show that they are practically good enough for many situations. We show one candidate pseudo self-definable claw free permutation family based on some number theoretic problem. More specifically, its "pseudo self-definable claw freeness" is reduced to the hardness of finding the $r$th root of 1 modulo $p$ in some specific domain, for a given $k$ bit prime number $p$ and $k/d$ bit prime number $r$ (where $d \ge 2$ is some constant) such that $\gcd(p-1, r^2) = r$.

Preliminaries

Here we define the notions and notation used in this paper. We omit explaining the basic notions and notation of computational complexity theory. For each binary string $w \in \{0, 1\}^*$, $|w|$ denotes the length of $w$. For each set $S$, $\|S\|$ denotes the cardinality of $S$. We write, e.g., $\Pr_{x \in X}\{\cdots\}$ to denote the probability that $(\cdots)$ occurs when $x$ is chosen uniformly at random from $X$. Also for any randomized algorithm $A$, we write, e.g., $\Pr_A\{\cdots\}$ to denote the probability that $(\cdots)$ occurs in the execution of $A$. In this paper, we consider only functions from $\{0, 1\}^*$ to $\{0, 1\}^*$. For any function $f$, we say that $f$ is length regular if we have $|f(x)| = |f(y)|$ for any pair $x$ and $y$ in the domain of $f$ such that $|x| = |y|$. Throughout this paper, we assume that functions are length regular. For claw free functions, we often consider a finite permutation; that is, a one-to-one and onto function on some finite domain. When discussing a family of finite functions, we assume that each function in the family is represented (or specified) in some way, and that such a representation is coded by a binary string.
In the most general sense, we may consider a circuit representation; that is, a function $f$ is represented by a combinatorial circuit computing $f$. But we may also use simpler representations depending on the context. In the following, we do not distinguish a function from its representation. We usually measure computational complexity in terms of input size. Here we generalize it and measure computational complexity in terms of a security parameter, some number $k$ that is polynomially related to the input length $n$. We may assume that $k \le n$.

2. Three Definitions for Claw Free Functions

Ogata and Kurosawa [OK3] pointed out that there is a stronger notion of claw freeness than the original one defined in [GMR88]. Here we propose a yet stronger claw freeness. In this section, we state these three definitions of claw freeness and compare them with examples. First we recall the original definition in [GMR88]. Here and throughout this paper, we consider only uniform generation of instances and functions. Also we discuss only claw free pairs of functions. (Here, in order to keep consistency with the next definition, we follow the definition in [OK3].)

Definition 2.1. A family of claw free pairs of functions (or more simply, a claw free function family) is a family $CF = \bigcup_{k \ge 1} CF_k$ of pairs of finite functions with the following properties:
(1) $CF_k = \bigcup_{m \in M_k} CF_{k,m}$, where each $CF_{k,m}$ consists of pairs of finite length regular functions on some domain $D(m)$. Here $M_k$ is a finite set of values, e.g., the set of $k$ bit prime numbers, that determine the domain of the claw free functions. There is a polynomial-time randomized algorithm $d$ such that $d(m)$ generates an element of $D(m)$ uniformly at random. (We assume that $k$ (resp., $m$) is uniquely determined from $m \in M_k$ (resp., $(f_0, f_1) \in CF_{k,m}$).)
(2) There is a deterministic algorithm $F$ such that for any $k \ge 1$, any $m \in M_k$, any $(f_0, f_1) \in CF_{k,m}$, and any $x \in D(m)$, $F(f_i, x)$ computes $f_i(x)$ within polynomial time in $k + |m| + |f_i| + |x|$.
(3) There are expected polynomial-time randomized algorithms $G_1$ and $G_2$ such that (i) $G_1(0^k)$ generates $m \in M_k$ uniformly at random, and (ii) for any $m \in M_k$, $G_2(m)$ generates $(f_0, f_1) \in CF_{k,m}$ uniformly at random.
(4) For any polynomial-time randomized algorithm $A$, the probability that $A$ computes a claw pair for a given $(f_0, f_1) \in CF_k$ is negligible. More specifically, the following holds with some super polynomial function, written $\gamma(k)$ here, i.e., some function that grows faster than any polynomial:
$$\Pr_{A;\ m \in M_k;\ (f_0, f_1) \in CF_{k,m}} \{ A(f_0, f_1) = (x, y) \text{ such that } f_0(x) = f_1(y) \} < 1/\gamma(k).$$

Remark. In this definition (and Definition 2.3), it is not necessary to split the class $CF_k$ into subclasses $CF_{k,m}$; that is, instead of considering two generators, we can simply consider one generator $G = G_2 \circ G_1$. We chose this definition for the discussion below and for keeping consistency with the next definition.

Although it is hard to compute a claw pair for a given $(f_0, f_1) \in CF_{k,m}$, it may be easy if one is allowed to generate $(f_0, f_1)$ together with a claw pair. That is, the following problem might be easy.

Function & Claw Pair Generation:
Input: $m \in M_k$ for some $k \ge 1$.
Output: $(f_0, f_1, x, y)$ such that $(f_0, f_1) \in CF_{k,m}$, $x \neq y \in D(m)$, and $f_0(x) = f_1(y)$.

Let us consider a situation where an easy solution to this problem might cause trouble. (See Section 4 for a concrete example.) Claw free permutation families are used to define "collision intractable" hash function families, and such hash function families are used, for example, to reduce the size of a message before applying some digital signature scheme. Now suppose that the Function & Claw Pair Generation Problem is easy for a given claw free permutation family. Then someone who wants to send a message must be given a claw free permutation pair by the message receiver or some reliable third party. That is, the sender cannot define a claw free permutation pair by himself. Ogata and Kurosawa [OK3] pointed out this problem and defined the following stronger notion of claw freeness. (Though this notion is called strong claw freeness in their paper, we give a different name to it here, because we define a yet stronger notion.)

Definition 2.2. A family of weakly self-definable claw free pairs of functions (or more simply, a weakly self-definable claw free function family) is a family $CF = \bigcup_{k \ge 1} CF_k$ of pairs of finite functions with the following properties:
(1) to (3) are the same as in Definition 2.1.
(4) It is hard to solve the Function & Claw Pair Generation Problem. That is, for any polynomial-time randomized algorithm $A$, the following holds with some super polynomial function $\gamma(k)$:
$$\Pr_{A;\ m \in M_k} \{ A(m) = (f_0, f_1, x, y) \text{ such that } (f_0, f_1) \in CF_{k,m},\ x \neq y \in D(m),\ \text{and } f_0(x) = f_1(y) \} < 1/\gamma(k).$$

At this point, we state some examples illustrating the difference between these two notions. The following two examples are from [Dam88b]. First we introduce some notation. For any positive integer $p$, let $\mathbb{Z}_p = \{0, 1, \ldots, p-1\}$ and $\mathbb{Z}_p^* = \{ z \in \{1, 2, \ldots, p-1\} : \gcd(z, p) = 1 \}$. We can view $\mathbb{Z}_p$ as an additive group and $\mathbb{Z}_p^*$ as a multiplicative group. We define the following sets.
$$PN(k) = \{ p : p \text{ is a prime number of } k\text{-bit length} \},$$
$$BL(k) = \{ p \cdot q : p, q \in PN(k) \text{ and } p \equiv q \equiv 3 \pmod 4 \},$$
$$QR(m) = \{ x \in \mathbb{Z}_m^* : x \equiv z^2 \pmod m \text{ for some } z \in \mathbb{Z}_m^* \}.$$

Example 2.1. Define sets and a family of permutation pairs as follows. Then it satisfies Definition 2.1, i.e., the definition of claw free permutation families. (For condition (4), we need to assume that the factorization problem is hard.)
$$M^{(1)}_k = BL(k),\quad D^{(1)}(m) = QR(m),\quad \text{and}$$
$$CF^{(1)}_{k,m} = \{ (f_0, f_1) : f_0(x) = a_0 x^2 \bmod m \text{ and } f_1(x) = a_1 x^2 \bmod m \text{ for some } a_0 \neq a_1 \in QR(m) \}.$$
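The easy claw-pair generation for Example 2.1 that the next paragraph describes, worked through in Python on a toy modulus. This is an added example, not code from the report: the Blum modulus $m = 19 \cdot 23$, the starting point $x_0 = 4$ and the coefficient $a_1 = 9$ are constructed values, and the bitwise iterated hash is an assumed simplified form of Damgård's construction, included to show what a claw costs a receiver who lets the sender define $(f_0, f_1)$.

```python
"""Example 2.1 over a toy Blum modulus: a Damgard-style iterated hash and
why the sender must not be allowed to define (f_0, f_1) himself.
Added example, not code from the report. All parameters are constructed."""
from math import gcd

# Constructed toy modulus: p = 19 and q = 23 are both 5-bit primes with
# p = q = 3 (mod 4), so m = p*q lies in BL(5). Real use needs large k.
P_TOY, Q_TOY = 19, 23
M_TOY = P_TOY * Q_TOY  # 437


def in_qr(x: int, m: int) -> bool:
    """Brute-force membership test for QR(m); only sensible for a toy m."""
    if gcd(x, m) != 1:
        return False
    return any(pow(z, 2, m) == x % m for z in range(1, m) if gcd(z, m) == 1)


def make_pair(a0: int, a1: int, m: int):
    """Return (f_0, f_1) of Example 2.1: f_i(x) = a_i * x^2 mod m,
    checking the membership condition a_0 != a_1 in QR(m)."""
    assert a0 != a1 and in_qr(a0, m) and in_qr(a1, m), "need a_0 != a_1 in QR(m)"
    f0 = lambda x: a0 * pow(x, 2, m) % m
    f1 = lambda x: a1 * pow(x, 2, m) % m
    return f0, f1


def damgard_hash(f0, f1, iv: int, bits: str) -> int:
    """Assumed bitwise form of Damgard's construction:
    h(b_1 ... b_n) = f_{b_n}( ... f_{b_1}(iv) ... ).
    Any collision of h yields a claw of (f_0, f_1), which is why claw
    freeness gives collision intractability."""
    state = iv
    for b in bits:
        state = (f0 if b == "0" else f1)(state)
    return state


def generate_pair_with_claw(m: int, iv: int, a1: int):
    """Function & Claw Pair Generation for Example 2.1, from m alone (no
    factorisation of m is used): output (f_0, f_1, x, y) with x != y and
    f_0(x) = f_1(y).  Take x = iv and y = f_1(iv), then solve for a_0:
        a_0 * x^2 = a_1 * y^2   =>   a_0 = a_1 * y^2 * x^{-2} mod m.
    a_0 is a product of squares, so it is in QR(m) automatically."""
    x = iv
    y = a1 * pow(x, 2, m) % m
    a0 = a1 * pow(y, 2, m) * pow(x, -2, m) % m
    if a0 == a1 or x == y:
        raise ValueError("degenerate choice of a_1 / iv; pick another")
    f0, f1 = make_pair(a0, a1, m)
    return a0, f0, f1, x, y


def demo(m: int = M_TOY, iv: int = 4, a1: int = 9):
    """Build the rigged pair and return (a_0, h('0'), h('11')).
    With the rigged a_0 the messages '0' and '11' collide under h."""
    a0, f0, f1, x, y = generate_pair_with_claw(m, iv, a1)
    assert f0(x) == f1(y)  # the claw
    return a0, damgard_hash(f0, f1, iv, "0"), damgard_hash(f0, f1, iv, "11")


if __name__ == "__main__":
    print(demo())
```

Because the sender may pick $a_0$ after fixing $a_1$ and $x_0$, the messages `0` and `11` hash to the same value under a pair that is perfectly valid by condition (1), and nothing about the factorization of $m$ was needed; that is exactly why a receiver must not accept a sender-defined pair from this family.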

In the above example, although it is hard to find a claw pair for a given $(f_0, f_1)$, it is easy to generate $(f_0, f_1, x, y)$ such that $x \neq y$ and $f_0(x) = f_1(y)$. That is, we can construct a polynomial-time algorithm $A$ such that for any $m \in M^{(1)}_k$, $A(m)$ generates $(f_0, f_1, x, y)$ such that $(f_0, f_1) \in CF^{(1)}_{k,m}$, $x \neq y \in D^{(1)}(m)$, and $f_0(x) = f_1(y)$. This problem is partially solved in the following example.

Example 2.2. Define sets and a family of permutation pairs as follows. Then it satisfies Definition 2.2, i.e., the definition of weakly self-definable claw free permutation families.
$$M^{(2)}_k = BL(k),\quad D^{(2)}(m) = QR(m),\quad \text{and}$$
$$CF^{(2)}_{k,m} = \{ (f_0, f_1) : f_0(x) = (a_0 x)^2 \bmod m \text{ and } f_1(x) = (a_1 x)^2 \bmod m \text{ for some } a_0, a_1 \in \mathbb{Z}_m^* \text{ such that } (a_0 a_1 / m) = -1 \},$$
where $(a/m)$ is the Jacobi symbol of $a$ with respect to $m$.

Note here that the generator $G^{(2)}_1$ in condition (3) of Definition 2.2 is a randomized algorithm that outputs $m = p \cdot q$ from two randomly generated prime numbers $p, q \in PN(k)$. Also for condition (4), we need to assume that the factorization problem is hard. For the above claw free permutation family, it is hard to generate $(f_0, f_1, x, y)$ such that $x \neq y$ and $f_0(x) = f_1(y)$ from a given $m \in M^{(2)}_k$. This problem is reduced to factoring $m$. On the other hand, if one knows the factorization of $m$, then it is easy to generate such $(f_0, f_1, x, y)$. Note that such information can be found in the random sequence used by the generator $G^{(2)}_1$. Thus, for using a weakly self-definable claw free permutation family, a message sender cannot generate $m$ by himself. Although he can generate a function pair by himself, he still needs to be given $m \in M^{(2)}_k$ by someone whom the receiver can trust. To avoid this situation, we introduce a yet stronger notion of claw freeness.

Definition 2.3. A family of pseudo self-definable claw free pairs of functions (or more simply, a self-definable claw free function family) is a family $CF = \bigcup_{k \ge 1} CF_k$ of pairs of finite functions with the following properties:
(1) to (3) are the same as in Definition 2.1.
(4) It is hard to solve the Function & Claw Pair Generation Problem even when the random seed of $G_1$ is given. That is, for any polynomial-time randomized algorithm $A$, the following holds with some super polynomial function $\gamma(k)$, where $m = G_1(0^k, s)$. (See below for the definition of $R_k$ and $G_1(0^k, s)$.)
$$\Pr_{A;\ s \in R_k} \{ A(s) = (f_0, f_1, x, y) \text{ such that } (f_0, f_1) \in CF_{k,m},\ x \neq y \in D(m),\ \text{and } f_0(x) = f_1(y) \} < 1/\gamma(k).$$

Remark. Here we consider the following "almost" equivalent but slightly technical condition in place of condition (3).
(3') There are polynomial-time randomized algorithms $G_1$ and $G_2$ that satisfy the following properties with some super polynomial function $\gamma(k)$.
(a) $G_1(0^k)$ yields either $\bot$ or some $m \in M_k$, and $G_2(m)$ yields either $\bot$ or some $(f_0, f_1) \in CF_{k,m}$.
(b) The probability that $G_1(0^k)$ (resp., $G_2(m)$) yields $\bot$ is less than $1/\gamma(k)$.
(c) The probability that each $m \in M_k$ (resp., each $(f_0, f_1) \in CF_{k,m}$) is generated is "almost" the same. That is, the difference between the probabilities of any two $m$ (resp., any two $(f_0, f_1) \in CF_{k,m}$) is less than $1/\gamma(k)$.
We may assume that $G_1(0^k)$ always uses a binary sequence of some fixed length as its random seed. Let $R_k$ denote the set of random seeds used in the computation of $G_1(0^k)$. For any $s \in R_k$, let $G_1(0^k, s)$ denote the output of $G_1$ on input $0^k$ with random seed $s \in R_k$.

The difference between Definition 2.2 and Definition 2.3 is subtle. Here we illustrate this difference with a simple but (maybe) unrealistic example. (We will show in the next section a more realistic example satisfying the above conditions.)

Example 2.3. Assume that it is randomized polynomial-time computable to test whether a given number $m$ is a product of two primes of the same bit length. (We should note here that this assumption may be unrealistic.) Consider again the family of pairs of permutations defined in Example 2.2. This time, by using our assumption, we can construct the following generator $G^{(3)}_1$: (i) $G^{(3)}_1(0^k)$ generates a $2k$ bit integer uniformly at random, (ii) tests whether it is a product of two $k$ bit primes, and (iii) outputs the generated number if the result of the test is affirmative, and otherwise repeats from (i). Clearly, $G^{(3)}_1(0^k)$ generates every $m \in M^{(2)}_k$ with the same probability in expected polynomial time. Thus, it is easy to modify it into $G'_1$ satisfying the above condition (3'). On the other hand, it is not hard to see that condition (4) of Definition 2.3 is also satisfied with this $G'_1$. The key point here is that from the random seed of $G'_1$, it is impossible to obtain the factorization of the generated number $m$ (unless factorization is indeed polynomial-time computable).

Note that our condition does not rule out the possibility that one can produce, within polynomial time in $k$, a random seed $s \in R_k$ such that he can easily solve the Function & Claw Pair Generation Problem on $m = G_1(s)$. Hence, our notion does not provide the ideal claw freeness. Nevertheless, we can give some reasonable solution to the problematic situation discussed above. For example, if the protocol requires a message sender to use some specific random seed for $G_1$, e.g., the bit sequence starting from the $t$th bit of the binary expansion of some fixed number, where $t$ is the time of sending the message, then it may be quite unlikely that the sender can select his favorable seed.

3. Another rth Root Problem

In some cases, given one solution of a problem, it is hard to find "another" solution of the problem. Finding one element $x$ of a claw pair $(x, y)$ from the other element $y$ is related to such an "Another Solution Problem". Here we consider one such problem. Based on the assumption that the problem is hard, we show an example of a pseudo self-definable claw free permutation family.

Our problem is related to the problem of computing the $r$th root modulo $p$. Consider any $p \in PN(k)$; i.e., $p$ is a $k$ bit prime number. Let $r < p$ also be any prime number such that $\gcd(p-1, r^2) = r$. We assume that $r$ is large, say, $r \in PN(k/d)$, where $d \ge 2$ is some constant. Then we can show that every element $z \in \mathbb{Z}_p^*$ has $r$ $r$th roots if some root exists. Here we consider the problem of finding, from a given $r$th root of $z$, another $r$th root of $z$ in some specified domain. For our discussion, let us introduce the following sets.
$$P_k = \{ (p, r) : p \in PN(k),\ r \in PN(k/d),\ \text{and } \gcd(p-1, r^2) = r \},$$
$$RES(p, r) = \{ x \in \mathbb{Z}_p^* : x \equiv z^r \pmod p \text{ for some } z \in \mathbb{Z}_p^* \},$$
$$mv(p, r) = \min \{ x \in \mathbb{Z}_p^* : x \notin RES(p, r) \},\quad \text{and}$$
$$\widetilde{RES}(p, r) = \{ x \cdot mv(p, r) : x \in RES(p, r) \}.$$
Now we state our problem formally.

Another $r$th Root (in the specified domain):
Input: $(p, r) \in P_k$, $mv(p, r)$, and $x \in RES(p, r)$.
Output: $y \in \widetilde{RES}(p, r)$ such that $y^r \equiv x^r \pmod p$.

Let $z = x^r \bmod p$. Then both $x$ and $y$ are $r$th roots of $z$; that is, our problem is to find, from one given $r$th root $x$ of $z$ in $RES(p, r)$, another $r$th root $y$ of $z$ in $\widetilde{RES}(p, r)$. Note that the problem is easy if just some $r$th root is asked for. Such a problem is solvable in the following way: First compute a generator of $\mathbb{Z}_p^*$ and raise it to the power $(p-1)/r$; note that a generator can be found efficiently with high probability. Then we can show that the products of $x$ with the powers $0, 1, \ldots, r-1$ of this element form the set of all $r$th roots of $z$. Thus, for example, the product of $x$ with this element is another $r$th root of $z$. On the other hand, since $r$ is large and hence there are many $r$th roots, it takes enormous time if we search for $y \in \widetilde{RES}(p, r)$ exhaustively. In this paper, we assume that this problem is intractable on average. More specifically, for any polynomial-time randomized algorithm $B$, we assume that the following holds with some super polynomial function $\gamma(k)$.

$$\Pr \{ B(p, r, mv(p, r), x) = y \in \widetilde{RES}(p, r) \text{ such that } x^r \equiv y^r \pmod p \} < 1/\gamma(k),$$
where the probability is taken over the random choice of $p \in PN(k)$, $r \in PN(k/d)$, $x \in RES(p, r)$, and the internal random sequence of $B$. Although $x$ is given as a part of the input, the difficulty of the problem does not change even if $x$ is fixed. That is, the problem is essentially the same as the one asking for the $r$th root of 1 in $\widetilde{RES}(p, r)$. (The proof is easy and we omit it here.)

Fact 1. The Another $r$th Root Problem is polynomial-time solvable if and only if it is solvable for the case $x = 1$.

Now, based on our hardness assumption, we define one example of a pseudo self-definable claw free permutation family as follows.
$$M_k = \{ (p, r, mv(p, r)) : (p, r) \in P_k \},\quad D(m) = RES(p, r),\quad \text{and}$$
$$CF_{k,m} = \{ (f_0, f_1) : f_0(x) = x^r \bmod p \text{ and } f_1(x) = (cx)^r \bmod p \text{ for some } c \in \widetilde{RES}(p, r) \}.$$

Theorem 3.1. Suppose that the Another $r$th Root Problem is hard as described above. Then the above family $CF$ satisfies the conditions for a pseudo self-definable claw free permutation family.

Proof. We show that conditions (3) and (4) hold. First we define $G_1$. For a given $0^k$, $k \ge 1$, $G_1$ first randomly generates $p \in PN(k)$ and $r \in PN(k/d)$ such that $\gcd(p-1, r^2) = r$. Then it searches, starting from $u = 2$, for the smallest $u$ such that $u \notin RES(p, r)$, namely $mv(p, r)$. Note that $u \in RES(p, r)$ if and only if $u^{(p-1)/r} \equiv 1 \pmod p$; thus the test of $u \in RES(p, r)$ is easy. On the other hand, the following fact guarantees that some $u \notin RES(p, r)$ must be found among $2, \ldots, k^{3d}$. Thus, $G_1$ runs in polynomial time in $k$.

Fact 2. For any sufficiently large $k$, and for any $p \in PN(k)$ and $r \in PN(k/d)$, there exists some $u \notin RES(p, r)$ such that $u \le k^{3d}$; that is, $mv(p, r) \le k^{3d}$.

Next we define $G_2$. For a given $m = (p, r, mv(p, r))$, $G_2$ just generates $u \in \mathbb{Z}_p^*$ at random and computes $u^r \bmod p$, which is an element of $RES(p, r)$. Then $G_2$ outputs $(f_0, f_1)$, where $f_1$ is defined with $c = (u^r \bmod p) \cdot mv(p, r)$.
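To make $G_1$, $G_2$ and the reduction used in the rest of the proof concrete, here is an added Python example (not the report's code) over the constructed toy parameters $p = 31$, $r = 3$ (so $\gcd(p-1, r^2) = \gcd(30, 9) = 3 = r$). The random element $u$ of $G_2$ is fixed to 7 so the run is reproducible, and the exhaustive search in `another_root_of_one` stands in for a solver of the Another $r$th Root Problem, which at real sizes is exactly what the hardness assumption rules out.

```python
"""The claw free permutation family of Section 3 over a toy prime, with the
generators G_1 and G_2 and the claw-to-root relation of Theorem 3.1.
Added example, not code from the report; p and r are constructed toy values."""
from math import gcd

# Constructed toy parameters: p = 31, r = 3; p - 1 = 30, so gcd(30, 9) = 3 = r.
P_TOY, R_TOY = 31, 3


def in_res(u: int, p: int, r: int) -> bool:
    """u in RES(p, r)  <=>  u^((p-1)/r) = 1 (mod p); the test G_1 relies on."""
    return pow(u, (p - 1) // r, p) == 1


def mv(p: int, r: int) -> int:
    """Smallest u >= 2 outside RES(p, r). Fact 2 bounds this search by k^{3d}."""
    u = 2
    while in_res(u, p, r):
        u += 1
    return u


def g1(p: int, r: int):
    """G_1 for fixed toy (p, r): checks gcd(p-1, r^2) = r and returns
    m = (p, r, mv(p, r)). A real G_1 would also sample p and r."""
    assert gcd(p - 1, r * r) == r, "need r | p-1 but r^2 not dividing p-1"
    return p, r, mv(p, r)


def g2(m, u: int):
    """G_2: from u in Z_p^*, c = (u^r mod p) * mv(p, r) mod p lies in RES~(p, r).
    Returns (f_0, f_1, c) with f_0(x) = x^r mod p and f_1(x) = (c x)^r mod p."""
    p, r, m_v = m
    c = pow(u, r, p) * m_v % p
    f0 = lambda x: pow(x, r, p)
    f1 = lambda x: pow(c * x % p, r, p)
    return f0, f1, c


def claw_to_root(m, c: int, x: int, y: int) -> int:
    """Reduction in the proof of Theorem 3.1: a claw f_0(x) = f_1(y) means
    x^r = (c y)^r, so c*y*x^{-1} is an r-th root of 1, and it lies in
    RES~(p, r) because c does while x and y lie in RES(p, r)."""
    p, r, _ = m
    return c * y * pow(x, -1, p) % p


def another_root_of_one(m) -> int:
    """Exhaustive solution of the Another r-th Root Problem for x = 1 (Fact 1):
    the r-th root of unity lying in RES~(p, r). Feasible only for a toy r;
    for r in PN(k/d) this is the search the hardness assumption rules out."""
    p, r, m_v = m
    for w in range(2, p):
        if pow(w, r, p) == 1 and in_res(w * pow(m_v, -1, p) % p, p, r):
            return w
    raise ValueError("no root found; parameters violate gcd(p-1, r^2) = r")


def demo():
    """Round trip: run G_1 and G_2, build a claw from the root of unity,
    then recover that root from the claw. Returns (mv(p, r), root, recovered_ok)."""
    m = g1(P_TOY, R_TOY)
    p, r, m_v = m
    f0, f1, c = g2(m, u=7)
    w = another_root_of_one(m)
    x = pow(2, r, p)                  # some element of RES(p, r)
    y = x * w * pow(c, -1, p) % p     # c*y = x*w, hence f_0(x) = f_1(y)
    assert f0(x) == f1(y) and x != y and in_res(y, p, r)
    return m_v, w, claw_to_root(m, c, x, y) == w


if __name__ == "__main__":
    print(demo())
```

The round trip in `demo` shows both directions of the equivalence the proof uses: the $r$th root of unity in $\widetilde{RES}(p, r)$ yields a claw $f_0(x) = f_1(y)$ for any $x \in RES(p, r)$, and `claw_to_root` recovers that root from any claw, so the claw freeness of this family is exactly the hardness of that root problem.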
Clearly, $c$ is chosen uniformly at random from $\widetilde{RES}(p, r)$; thus, $G_2(m)$ generates $(f_0, f_1) \in CF_{k,m}$ at random. Finally, for showing the hardness condition, suppose that there exists a polynomial-time randomized algorithm $A$ that solves the Function & Claw Pair Generation Problem with non-negligible probability when a seed of $G_1$ is given. Then for given $p$, $r$, and $mv(p, r)$, we can find the $r$th root of 1 in $\widetilde{RES}(p, r)$ as follows: First compute a seed $s$ of $G_1$ on which $G_1(0^k)$ produces $p$ and $r$. (One can compute such a seed in randomized polynomial time.) Next run $A$ on $s$. Then with non-negligible probability we get $(f_0, f_1, x, y)$ such that $f_0(x) = f_1(y)$; that is, $x^r \equiv (cy)^r \pmod p$ for some $c \in \widetilde{RES}(p, r)$. Now it is easy to see that $c y x^{-1}$ is the $r$th root of 1 that lies in $\widetilde{RES}(p, r)$. □

Proof of Fact 2. Let $q$ be the largest prime number such that all primes $\le q$ are in $RES(p, r)$; that is, the next prime $q^+$ after $q$ is the smallest prime $\notin RES(p, r)$. Note that $q^+ \le q^2$ and that $mv(p, r) \le q^+$; thus, the fact follows if we prove that $q \le (\log p)^{1.5d}$ $(\le k^{1.5d})$. Consider the following set $S$.
$$S = \{ (e_2, e_3, \ldots, e_q) : 2^{e_2} 3^{e_3} \cdots q^{e_q} \le p \} = \{ (e_2, e_3, \ldots, e_q) : e_2 \log 2 + e_3 \log 3 + \cdots + e_q \log q \le \log p \}.$$
Note here that any number of the form $2^{e_2} 3^{e_3} \cdots q^{e_q}$ is in $RES(p, r)$, because $a \in RES(p, r)$ implies $a^e \in RES(p, r)$ for any $e \ge 0$. Thus, we have
$$\|S\| \ge \| \{ (e_2, e_3, \ldots, e_q) : e_2 + e_3 + \cdots + e_q \le \log p / \log q \} \|.$$
For simplicity, we set $s = \log p / \log q$, and let $t$ be the number of primes less than or equal to $q$. (Note that $t \ge c_0 q / \log q$ for some $c_0 > 0$.) Then we have
$$\|S\| \ge {}_tH_1 + {}_tH_2 + \cdots + {}_tH_s \ge {}_tH_s = {}_{t+s-1}C_s \ge (t/s)^s.$$
(Here $H$ and $C$ denote the operations of repeated combination and combination respectively.) Since $\gcd(p-1, r^2) = r$, $\|RES(p, r)\| = (p-1)/r$. Thus, we have
$$\frac{p}{r} > \frac{p-1}{r} \ge \|S\| \ge \left(\frac{t}{s}\right)^s \ge \left(\frac{c_0 q}{s \log q}\right)^s.$$
Then, by simple transformations, we obtain
$$q < 2^{(\log p / \log r)(\log\log p - \log c_0)} \le 2^{d(1 + d/(k-d))(\log\log p - \log c_0)} \le c (\log p)^{d(1 + d/(k-d))},$$
where $c$ is some constant. Therefore, we have $q < (\log p)^{1.5d}$ for sufficiently large $p$. □

4. Applications

Here we show a concrete situation where pseudo self-definable claw free permutation families are more useful than those satisfying the weaker conditions.

As explained briefly in the previous sections, a claw free permutation family provides a family of collision intractable hash functions. Furthermore, it is easy to see that the difference between the three claw free notions is kept in the obtained hash function family. Here, modifying the original definition in [Dam88b], we define the notion of collision intractable hash function family that corresponds to pseudo self-definable claw freeness. (The reader can easily infer the other two definitions corresponding to the weaker claw free notions; thus, we omit them here.)

Definition 4.1. A family of pseudo self-definable and collision intractable hash functions (or more simply, a collision intractable hash function family) is a family $H = \bigcup_{k \ge 1} H_k$ of finite functions with the following properties:
(1) Each $H_k$ consists of functions $h$ from $\{0, 1\}^*$ to some finite set $R(h)$.
(2) There is a deterministic algorithm $\mathcal{H}$ such that for any $k \ge 1$, any $h \in H_k$, and any $x \in \{0, 1\}^*$, $\mathcal{H}(h, x)$ computes $h(x)$ within polynomial time in $k + |h| + |x|$.
(3) There is an expected polynomial-time randomized algorithm $G$ such that $G(0^k)$ generates $h \in H_k$ uniformly at random. (In practice, we may relax this condition slightly as in Definition 2.3. Let $R_k$ denote the set of random seeds used by $G$ on input $0^k$.)
(4) For any polynomial-time randomized algorithm $A$, the following holds with some super polynomial function $\gamma(k)$:
$$\Pr_{A;\ s \in R_k} \{ A(s) = (h, x, y) \text{ such that } h \in H_k,\ x \neq y \in \{0, 1\}^*,\ \text{and } h(x) = h(y) \} < 1/\gamma(k).$$

It is easy to check that Damgård's construction [Dam88b, GMR88] works to define a hash function family of this type from a given pseudo self-definable claw free permutation family.

Proposition 4.2. From any family of pseudo self-definable claw free permutations, we can define a family of pseudo self-definable and collision intractable hash functions.

We demonstrate one example where our collision intractable hash function families have some advantage over weaker ones.

Example 4.1. (Non-interactive Identification Proof) In order to simplify our discussion, we modify the non-interactive zero-knowledge proof protocol explained in [Sch4], and define the following protocol for Peggy's identification. (Notice that this protocol may not be truly zero-knowledge; but since a one-way function is used, we may assume that Peggy's secret is not revealed.)

Let $f$ be any one-way function. Let $X$ be an instance of a hard problem for which a prover Peggy knows the answer $x$, and let $h$ be a collision intractable hash function in $H_k$ that Peggy picks.
(1) Peggy transforms $X$ into $m$ different isomorphic problems $Y_1, \ldots, Y_m$, and then she solves them by using her knowledge of $x$. (Let $y_1, \ldots, y_m$ be the obtained answers to $Y_1, \ldots, Y_m$.)
(2) Peggy computes $z_i = f(y_i)$ for each $i$, $1 \le i \le m$. She also computes $r = h(Y_1 \cdots Y_m)$, the hash of $Y_1, \ldots, Y_m$ concatenated.
(3) For each $i$, $1 \le i \le m$, define $w_i$ as follows: If the $i$th bit of $r$ is 0, then $w_i$ is the witness showing that $X$ is isomorphic to $Y_i$. On the other hand, if the $i$th bit of $r$ is 1, then $w_i$ is $y_i$, i.e., the answer to $Y_i$.
(4) Peggy publishes $X$, $h$, $Y_1, \ldots, Y_m$, $z_1, \ldots, z_m$, $r$, and $w_1, \ldots, w_m$.
Then anyone interested can verify steps (1) through (3) as well as the correctness of the witnesses $w_1, \ldots, w_m$.

Here the self-definability of hash functions is important. Suppose that Peggy could pick $h$ so that she can change $Y_i$ without changing the value $r = h(Y_1 \cdots Y_m)$. Then she would be able to choose, for each $Y_i$, either some problem isomorphic to $X$, or some problem for which she knows the answer, depending on the $i$th bit of $r$; thereby convincing the verifier without knowing any answer to $X$. In order to avoid this possibility, Peggy should use a hash function given by some reliable source. A problem like this does not occur if the hash function family is pseudo self-definable. For example, if Peggy has to select the random seed of $G_1$ (for creating $h$) following some specified procedure, then it is unlikely that Peggy can select a hash function for which she can also create some collision pair easily.

Acknowledgments. The authors would like to thank Dr. Kazuhiro Yokoyama of Fujitsu Lab. for helping them prove Fact 2. They also thank Mr. Osamu Nakahara of Tokyo Inst. of Tech. for pointing them to an application area.

References

[Dam88a] Ivan Bjerre Damgård. The Application of Claw Free Functions in Cryptography. PhD thesis, Computer Science Department, Aarhus University, 1988.
[Dam88b] Ivan Bjerre Damgård. Collision free hash functions and public key signature schemes. In EUROCRYPT'87, Springer-Verlag, Lecture Notes in Computer Science, Vol. 304, pp. 203–216, 1988.
[GMR88] Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing, Vol. 17, No. 2, pp. 281–308, 1988.
[NY8] Moni Naor and Moti Yung. Universal one-way hash functions and their cryptographic applications. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing, ACM Press, pp. 33–43, 1989.
[OK3] Wakaha Ogata and Kaoru Kurosawa. On claw free families. In ASIACRYPT'91, Springer-Verlag, Lecture Notes in Computer Science, Vol. 739, pp. 111–123, 1993.
[Sch4] Bruce Schneier. Applied Cryptography. John Wiley & Sons, Inc., 1994.


More information

How to Construct Constant-Round. Zero-Knowledge Proof Systems for NP. Oded Goldreich y Ariel Kahan z. March Abstract

How to Construct Constant-Round. Zero-Knowledge Proof Systems for NP. Oded Goldreich y Ariel Kahan z. March Abstract How to Construct Constant-Round Zero-Knowledge Proof Systems for NP Oded Goldreich y Ariel Kahan z March 1995 Abstract Constant-round zero-knowledge proof systems for every language in N P are presented,

More information

of trapdoor permutations has a \reversed sampler" (which given ; y generates a random r such that S 0 (; r) = y), then this collection is doubly-enhan

of trapdoor permutations has a \reversed sampler (which given ; y generates a random r such that S 0 (; r) = y), then this collection is doubly-enhan Basing Non-Interactive Zero-Knowledge on (Enhanced) Trapdoor Permutations: The State of the art Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded@wisdom.weizmann.ac.il

More information

Extracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Extracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice. Fragments of a chapter on Signature Schemes (revised, second posted version) Extracts from a working draft for Volume 2 of Foundations of Cryptography Oded Goldreich Department of Computer Science and

More information

Zero-Knowledge Proofs 1

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs 1 CS 702 SEMINAR Theme : Cryptography Instructor : Prof. C. Pandu Rangan ZERO-KNOWLEDGE PROOFS G. Venkatesan CS 93133 Dept. of C.S & E I.I.T Madras Zero-Knowledge Proofs 2 Outline

More information

Cryptographic Protocols FS2011 1

Cryptographic Protocols FS2011 1 Cryptographic Protocols FS2011 1 Stefan Heule August 30, 2011 1 License: Creative Commons Attribution-Share Alike 3.0 Unported (http://creativecommons.org/ licenses/by-sa/3.0/) Contents I Interactive Proofs

More information

A Composition Theorem for Universal One-Way Hash Functions

A Composition Theorem for Universal One-Way Hash Functions A Composition Theorem for Universal One-Way Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme

More information

How many rounds can Random Selection handle?

How many rounds can Random Selection handle? How many rounds can Random Selection handle? Shengyu Zhang Abstract The construction of zero-knowledge proofs can be greatly simplified if the protocol is only required be secure against the honest verifier.

More information

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004 CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce

More information

during signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech

during signature generation the secret key is never reconstructed at a single location. To provide fault tolerance, one slightly modies the above tech Generating a Product of Three Primes with an Unknown Factorization Dan Boneh and Jeremy Horwitz Computer Science Department, Stanford University, Stanford, CA 94305-9045 fdabo,horwitzg@cs.stanford.edu

More information

In this chapter we discuss zero-knowledge proof systems. Loosely speaking, such proof

In this chapter we discuss zero-knowledge proof systems. Loosely speaking, such proof Chapter 6 Zero-Knowledge Proof Systems In this chapter we discuss zero-knowledge proof systems. Loosely speaking, such proof systems have the remarkable property of being convincing and yielding nothing

More information

Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing

Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing Shai Halevi Silvio Micali MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139 Abstract. We present

More information

Contents 1 Introduction Objects, specications, and implementations : : : : : : : : : : : : : : : : : : : : : : : : : : : : Indistinguishab

Contents 1 Introduction Objects, specications, and implementations : : : : : : : : : : : : : : : : : : : : : : : : : : : : Indistinguishab On the Implementation of Huge Random Objects Oded Goldreich y Sha Goldwasser yz Asaf Nussboim y December 15, 2007 Abstract We initiate a general study of the feasibility of implementing (huge) random objects,

More information

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer

More information

Transitive Signatures Based on Non-adaptive Standard Signatures

Transitive Signatures Based on Non-adaptive Standard Signatures Transitive Signatures Based on Non-adaptive Standard Signatures Zhou Sujing Nanyang Technological University, Singapore, zhousujing@pmail.ntu.edu.sg Abstract. Transitive signature, motivated by signing

More information

A Note on Negligible Functions

A Note on Negligible Functions Appears in Journal of Cryptology Vol. 15, 2002, pp. 271 284. Earlier version was Technical Report CS97-529, Department of Computer Science and Engineering, University of California at San Diego, March

More information

Lecture 1: Introduction to Public key cryptography

Lecture 1: Introduction to Public key cryptography Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means

More information

Lecture 10 - MAC s continued, hash & MAC

Lecture 10 - MAC s continued, hash & MAC Lecture 10 - MAC s continued, hash & MAC Boaz Barak March 3, 2010 Reading: Boneh-Shoup chapters 7,8 The field GF(2 n ). A field F is a set with a multiplication ( ) and addition operations that satisfy

More information

Limits on the Efficiency of One-Way Permutation-Based Hash Functions

Limits on the Efficiency of One-Way Permutation-Based Hash Functions Limits on the Efficiency of One-Way Permutation-Based Hash Functions Jeong Han Kim Daniel R. Simon Prasad Tetali Abstract Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF)

More information

Authentication. Chapter Message Authentication

Authentication. Chapter Message Authentication Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,

More information

Preface More than ten years have elapsed since the rst completeness theorems for two-party and multi-party fault-tolerant computation have been announ

Preface More than ten years have elapsed since the rst completeness theorems for two-party and multi-party fault-tolerant computation have been announ Secure Multi-Party Computation (Final (incomplete) Draft, Version 1.4) Oded Goldreich Department of Computer Science and Applied Mathematics Weizmann Institute of Science, Rehovot, Israel. June 1998, revised

More information

CBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an

CBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an CBC MAC for Real-Time Data Sources Erez Petrank Charles Racko y Abstract The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an authentication method which is widely used in practice.

More information

Contents 1 Introduction 2 2 Formal Setting and General Observations Specication : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :

Contents 1 Introduction 2 2 Formal Setting and General Observations Specication : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : On the Implementation of Huge Random Objects (Preliminary Version) Oded Goldreich y Sha Goldwasser yz Asaf Nussboim June 8, 2003 Abstract We initiate a general study of pseudo-random implementations of

More information

A Uniform-Complexity Treatment of. Oded Goldreich. Rehovot, Israel. July 1991, revised July Abstract

A Uniform-Complexity Treatment of. Oded Goldreich. Rehovot, Israel. July 1991, revised July Abstract A Uniform-Complexity Treatment of Encryption and Zero-Knowledge Oded Goldreich Department of Computer Science Weizmann Institute of Science Rehovot, Israel. oded@wisdom.weizmann.ac.il July 1991, revised

More information

Public Key Cryptography

Public Key Cryptography Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44

More information

protocols such as protocols in quantum cryptography and secret-key agreement by public discussion [8]. Before we formalize the main problem considered

protocols such as protocols in quantum cryptography and secret-key agreement by public discussion [8]. Before we formalize the main problem considered Privacy Amplication Secure Against Active Adversaries? Ueli Maurer Stefan Wolf Department of Computer Science Swiss Federal Institute of Technology (ETH Zurich) CH-8092 Zurich, Switzerland E-mail addresses:

More information

Benes and Butterfly schemes revisited

Benes and Butterfly schemes revisited Benes and Butterfly schemes revisited Jacques Patarin, Audrey Montreuil Université de Versailles 45 avenue des Etats-Unis 78035 Versailles Cedex - France Abstract In [1], W. Aiello and R. Venkatesan have

More information

How to Enhance the Security of Public-Key. Encryption at Minimum Cost 3. NTT Laboratories, 1-1 Hikarinooka Yokosuka-shi Kanagawa Japan

How to Enhance the Security of Public-Key. Encryption at Minimum Cost 3. NTT Laboratories, 1-1 Hikarinooka Yokosuka-shi Kanagawa Japan How to Enhance the Security of Public-Key Encryption at Minimum Cost 3 Eiichiro Fujisaki Tatsuaki Okamoto NTT Laboratories, 1-1 Hikarinooka Yokosuka-shi Kanagawa 239-0847 Japan ffujisaki,okamotog@isl.ntt.co.jp

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

Abstract In a (k; n) threshold digital signature scheme, k out of n signers must cooperate to issue a signature. In this paper, we show an ecient (k;

Abstract In a (k; n) threshold digital signature scheme, k out of n signers must cooperate to issue a signature. In this paper, we show an ecient (k; New ElGamal Type Threshold Digital Signature Scheme Choonsik PARK y and Kaoru KUROSAWA z y Electronics and Telecommunications Research Institute, P.O.Box 106, Yusong-ku, Taejeon, 305-600, Korea z Tokyo

More information

Introduction to Cryptography Lecture 13

Introduction to Cryptography Lecture 13 Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple

More information

Lecture 14: Secure Multiparty Computation

Lecture 14: Secure Multiparty Computation 600.641 Special Topics in Theoretical Cryptography 3/20/2007 Lecture 14: Secure Multiparty Computation Instructor: Susan Hohenberger Scribe: Adam McKibben 1 Overview Suppose a group of people want to determine

More information

Zero-Knowledge Proofs and Protocols

Zero-Knowledge Proofs and Protocols Seminar: Algorithms of IT Security and Cryptography Zero-Knowledge Proofs and Protocols Nikolay Vyahhi June 8, 2005 Abstract A proof is whatever convinces me. Shimon Even, 1978. Zero-knowledge proof is

More information

Concurrent Non-malleable Commitments from any One-way Function

Concurrent Non-malleable Commitments from any One-way Function Concurrent Non-malleable Commitments from any One-way Function Margarita Vald Tel-Aviv University 1 / 67 Outline Non-Malleable Commitments Problem Presentation Overview DDN - First NMC Protocol Concurrent

More information

The Proof of IP = P SP ACE

The Proof of IP = P SP ACE The Proof of IP = P SP ACE Larisse D. Voufo March 29th, 2007 For a long time, the question of how a verier can be convinced with high probability that a given theorem is provable without showing the whole

More information

The (True) Complexity of Statistical Zero Knowledge. (Extended Abstract) 545 Technology Square. Cambridge, MA 02139

The (True) Complexity of Statistical Zero Knowledge. (Extended Abstract) 545 Technology Square. Cambridge, MA 02139 The (True) Complexity of Statistical Zero Knowledge (Extended Abstract) Mihir Bellare Silvio Micali y Rafail Ostrovsky z MIT Laboratory for Computer Science 545 Technology Square Cambridge, MA 02139 Abstract

More information

Lecture 2: Program Obfuscation - II April 1, 2009

Lecture 2: Program Obfuscation - II April 1, 2009 Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]

More information

An Introduction to Probabilistic Encryption

An Introduction to Probabilistic Encryption Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic

More information

Finding Succinct. Ordered Minimal Perfect. Hash Functions. Steven S. Seiden 3 Daniel S. Hirschberg 3. September 22, Abstract

Finding Succinct. Ordered Minimal Perfect. Hash Functions. Steven S. Seiden 3 Daniel S. Hirschberg 3. September 22, Abstract Finding Succinct Ordered Minimal Perfect Hash Functions Steven S. Seiden 3 Daniel S. Hirschberg 3 September 22, 1994 Abstract An ordered minimal perfect hash table is one in which no collisions occur among

More information

1 Introduction A popular methodology for designing cryptographic protocols consists of the following two steps. One rst designs an ideal system in whi

1 Introduction A popular methodology for designing cryptographic protocols consists of the following two steps. One rst designs an ideal system in whi The Random Oracle Methodology, Revisited Ran Canetti y Oded Goldreich z Shai Halevi x February 15, 2001 Abstract We take a critical look at the relationship between the security of cryptographic schemes

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation

More information

Lecture 13: Seed-Dependent Key Derivation

Lecture 13: Seed-Dependent Key Derivation Randomness in Cryptography April 11, 2013 Lecture 13: Seed-Dependent Key Derivation Lecturer: Yevgeniy Dodis Scribe: Eric Miles In today s lecture, we study seeded key-derivation functions (KDFs) in the

More information

Notes on Zero Knowledge

Notes on Zero Knowledge U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based

More information

Well known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne

Well known bent functions satisfy both SAC and PC(l) for all l n, b not necessarily SAC(k) nor PC(l) of order k for k 1. On the other hand, balancedne Design of SAC/PC(l) of order k Boolean functions and three other cryptographic criteria Kaoru Kurosawa 1 and Takashi Satoh?2 1 Dept. of Comper Science, Graduate School of Information Science and Engineering,

More information

Perfect Zero-Knowledge Arguments for NP Using any One-Way Permutation

Perfect Zero-Knowledge Arguments for NP Using any One-Way Permutation Perfect Zero-Knowledge Arguments for NP Using any One-Way Permutation Moni Naor Rafail Ostrovsky Ramarathnam Venkatesan Moti Yung Abstract Perfect zero-knowledge arguments is a cryptographic primitive

More information

Interactive Zero-Knowledge with Restricted Random Oracles

Interactive Zero-Knowledge with Restricted Random Oracles Interactive Zero-Knowledge with Restricted Random Oracles Moti Yung 1 and Yunlei Zhao 2 1 RSA Laboratories and Department of Computer Science, Columbia University, New York, NY, USA. moti@cs.columbia.edu

More information

f (x) f (x) easy easy

f (x) f (x) easy easy A General Construction of IND-CCA2 Secure Public Key Encryption? Eike Kiltz 1 and John Malone-Lee 2 1 Lehrstuhl Mathematik & Informatik, Fakultat fur Mathematik, Ruhr-Universitat Bochum, Germany. URL:

More information

from Lattice Reduction Problems MIT - Laboratory for Computer Science November 12, 1996 Abstract

from Lattice Reduction Problems MIT - Laboratory for Computer Science November 12, 1996 Abstract Public-Key Cryptosystems from Lattice Reduction Problems Oded Goldreich Sha Goldwasser y Shai Halevi z MIT - Laboratory for Computer Science November 12, 1996 Abstract We present a new proposal for a trapdoor

More information

Threshold Undeniable RSA Signature Scheme

Threshold Undeniable RSA Signature Scheme Threshold Undeniable RSA Signature Scheme Guilin Wang 1, Sihan Qing 1, Mingsheng Wang 1, and Zhanfei Zhou 2 1 Engineering Research Center for Information Security Technology; State Key Laboratory of Information

More information

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem A Knapsack Cryptosystem Based on The Discrete Logarithm Problem By K.H. Rahouma Electrical Technology Department Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com

More information

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1 Kwangsu Lee A Thesis for the Degree of Master of Science Division of Computer Science, Department

More information

Appears in the proceedings of the First ACM Conference on Computer and Communications Security, Random Oracles are Practical:

Appears in the proceedings of the First ACM Conference on Computer and Communications Security, Random Oracles are Practical: Appears in the proceedings of the First ACM Conference on Computer and Communications Security, ACM, November 1993. Random Oracles are Practical: A Paradigm for Designing Ecient Protocols Mihir Bellare

More information

1 Introduction A general problem that arises in dierent areas of computer science is the following combination problem: given two structures or theori

1 Introduction A general problem that arises in dierent areas of computer science is the following combination problem: given two structures or theori Combining Unication- and Disunication Algorithms Tractable and Intractable Instances Klaus U. Schulz CIS, University of Munich Oettingenstr. 67 80538 Munchen, Germany e-mail: schulz@cis.uni-muenchen.de

More information

Contents 1 Introduction The Basics : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : A

Contents 1 Introduction The Basics : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : A Zero-Knowledge twenty years after its invention Oded Goldreich Department of Computer Science and Applied Mathematics Weizmann Institute of Science, Rehovot, Israel. Email: oded@wisdom.weizmann.ac.il First

More information

Graph Non-Isomorphism Has a Succinct Quantum Certificate

Graph Non-Isomorphism Has a Succinct Quantum Certificate Graph Non-Isomorphism Has a Succinct Quantum Certificate Tatsuaki Okamoto Keisuke Tanaka Summary This paper presents the first quantum computational characterization of the Graph Non-Isomorphism problem

More information

We assume in the following that the proof of knowledge has a special form in that the verier only sends uniformly chosen bits. This is also known as a

We assume in the following that the proof of knowledge has a special form in that the verier only sends uniformly chosen bits. This is also known as a Volume 8 (2) 1995, pp. 111 { 127 Proofs of Partial Knowledge and Simplied Design of Witness Hiding Protocols Ronald Cramer Berry Schoenmakers CWI, P.O. Box 94079, NL-1090 GB Amsterdam, The Netherlands

More information

Cryptographic Protocols Notes 2

Cryptographic Protocols Notes 2 ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:

More information

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3. COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption

More information

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked

More information

Lecture 10: Zero-Knowledge Proofs

Lecture 10: Zero-Knowledge Proofs Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam

More information

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations CMSC 858K Advanced Topics in Cryptography April 20, 2004 Lecturer: Jonathan Katz Lecture 22 Scribe(s): agaraj Anthapadmanabhan, Ji Sun Shin 1 Introduction to These otes In the previous lectures, we saw

More information

1 Cryptographic hash functions

1 Cryptographic hash functions CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 23 February 2011 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length

More information

Reproduced without access to the TeX macros. Ad-hoc macro denitions were used instead. ON THE POWER OF TWO-POINTS BASED SAMPLING

Reproduced without access to the TeX macros. Ad-hoc macro denitions were used instead. ON THE POWER OF TWO-POINTS BASED SAMPLING Reproduced without access to the TeX macros. Ad-hoc macro denitions were used instead. ON THE POWER OF TWO-POINTS BASED SAMPLING Benny Chor Oded Goldreich MIT Laboratory for Computer Science Cambridge,

More information

Lecture 5. 1 Review (Pairwise Independence and Derandomization)

Lecture 5. 1 Review (Pairwise Independence and Derandomization) 6.842 Randomness and Computation September 20, 2017 Lecture 5 Lecturer: Ronitt Rubinfeld Scribe: Tom Kolokotrones 1 Review (Pairwise Independence and Derandomization) As we discussed last time, we can

More information

Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption

Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Higher Order Universal One-Way Hash Functions from the Subset Sum Assumption Ron Steinfeld, Josef Pieprzyk, Huaxiong Wang Dept. of Computing, Macquarie University, Australia {rons, josef, hwang}@ics.mq.edu.au

More information

Efficient Conversion of Secret-shared Values Between Different Fields

Efficient Conversion of Secret-shared Values Between Different Fields Efficient Conversion of Secret-shared Values Between Different Fields Ivan Damgård and Rune Thorbek BRICS, Dept. of Computer Science, University of Aarhus Abstract. We show how to effectively convert a

More information

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL

ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL 1 ON DEFINING PROOFS OF KNOWLEDGE IN THE BARE PUBLIC-KEY MODEL GIOVANNI DI CRESCENZO Telcordia Technologies, Piscataway, NJ, USA. E-mail: giovanni@research.telcordia.com IVAN VISCONTI Dipartimento di Informatica

More information

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI

CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMBER GENERATORS and HASH FUNCTIONS. Part VI CHAPTER 6: OTHER CRYPTOSYSTEMS, PSEUDO-RANDOM NUMER GENERATORS and HASH FUNCTIONS Part VI Public-key cryptosystems, II. Other cryptosystems, security, PRG, hash functions A large number of interesting

More information

COS598D Lecture 3 Pseudorandom generators from one-way functions

COS598D Lecture 3 Pseudorandom generators from one-way functions COS598D Lecture 3 Pseudorandom generators from one-way functions Scribe: Moritz Hardt, Srdjan Krstic February 22, 2008 In this lecture we prove the existence of pseudorandom-generators assuming that oneway

More information

Oblivious Keyword Search

Oblivious Keyword Search Oblivious Keyword Search Wakaha Ogata 1 Kaoru Kurosawa 2 1 Tokyo Institute of Technology, 2-12-1 O-okayama, Meguro-ku, Tokyo 152-8552, Japan wakaha@ss.titech.ac.jp 2 Ibaraki University, 4-12-1 Nakanarusawa,

More information

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension

Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits

More information

Cryptography and Security Final Exam

Cryptography and Security Final Exam Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices

More information

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il

More information

Theory of Computation Chapter 12: Cryptography

Theory of Computation Chapter 12: Cryptography Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption

More information

Construction of universal one-way hash functions: Tree hashing revisited

Construction of universal one-way hash functions: Tree hashing revisited Discrete Applied Mathematics 155 (2007) 2174 2180 www.elsevier.com/locate/dam Note Construction of universal one-way hash functions: Tree hashing revisited Palash Sarkar Applied Statistics Unit, Indian

More information

A Note on the Cramer-Damgård Identification Scheme

A Note on the Cramer-Damgård Identification Scheme A Note on the Cramer-Damgård Identification Scheme Yunlei Zhao 1, Shirley H.C. Cheung 2,BinyuZang 1,andBinZhu 3 1 Software School, Fudan University, Shanghai 200433, P.R. China {990314, byzang}@fudan.edu.cn

More information

10 Concrete candidates for public key crypto

10 Concrete candidates for public key crypto 10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see

More information

Cryptographic Hash Functions

Cryptographic Hash Functions Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction

More information

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of

More information

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München

Complexity Theory. Jörg Kreiker. Summer term Chair for Theoretical Computer Science Prof. Esparza TU München Complexity Theory Jörg Kreiker Chair for Theoretical Computer Science Prof. Esparza TU München Summer term 2010 2 Lecture 15 Public Coins and Graph (Non)Isomorphism 3 Intro Goal and Plan Goal understand

More information

Leftovers from Lecture 3

Leftovers from Lecture 3 Leftovers from Lecture 3 Implementing GF(2^k) Multiplication: Polynomial multiplication, and then remainder modulo the defining polynomial f(x): (1,1,0,1,1) *(0,1,0,1,1) = (1,1,0,0,1) For small size finite

More information

Lecture 18: Zero-Knowledge Proofs

Lecture 18: Zero-Knowledge Proofs COM S 6810 Theory of Computing March 26, 2009 Lecture 18: Zero-Knowledge Proofs Instructor: Rafael Pass Scribe: Igor Gorodezky 1 The formal definition We intuitively defined an interactive proof to be

More information

A Fair and Efficient Solution to the Socialist Millionaires Problem

A Fair and Efficient Solution to the Socialist Millionaires Problem In Discrete Applied Mathematics, 111 (2001) 23 36. (Special issue on coding and cryptology) A Fair and Efficient Solution to the Socialist Millionaires Problem Fabrice Boudot a Berry Schoenmakers b Jacques

More information