Pseudo-Free Families of Finite Computational Elementary Abelian p-groups

Transcription

1 Pseuo-Free Families of Finite Computational Elementary Abelian p-groups Mikhail Anokhin Information Security Institute, Lomonosov University, Moscow, Russia Abstract We initiate the stuy of (weakly) pseuo-free families of computational elementary abelian p- groups, where p is an arbitrary fixe prime. We restrict ourselves to families of computational elementary abelian p-groups G such that for every inex, each element of G is represente by a single bit string of length polynomial in the length of. First, we prove that pseuo-freeness an weak pseuo-freeness for families of computational elementary abelian p-groups are equivalent. Secon, we give some necessary an sufficient conitions for a family of computational elementary abelian p-groups to be pseuo-free (provie that at least one of two aitional conitions hols). These necessary an sufficient conitions are formulate in terms of collision-intractability or one-wayness of certain homomorphic families of knapsack functions. Thir, we establish some necessary an sufficient conitions for the existence of pseuo-free families of computational elementary abelian p-groups. With one exception, these conitions are the existence of certain homomorphic collision-intractable families of p-ary hash functions or certain homomorphic one-way families of functions. As an example, we construct a Diffie-Hellman-like key agreement protocol from an arbitrary family of computational elementary abelian p-groups. Unfortunately, we o not know whether this protocol is secure uner reasonable assumptions. Keywors: Family of computational groups, pseuo-free family of computational groups, weakly pseuo-free family of computational groups, elementary abelian p-group, homomorphic family of functions, collision-intractable family of functions, one-way family of functions, family of p-ary hash functions. Contents 1 Introuction 2 2 Preliminaries General Preliminaries Probabilistic Preliminaries Computational an Cryptographic Preliminaries (Weakly) Pseuo-Free Families of Computational Elementary Abelian p-groups Families of Computational Elementary Abelian p-groups Pseuo-Free Families of Computational Elementary Abelian p-groups Weak Pseuo-Freeness an Its Equivalence to Pseuo-Freeness for Families of Computational Elementary Abelian p-groups Some Remarks This is a preliminary version of the paper (with the same title) publishe in Groups Complexity Cryptology, 9(1):1 18, May

2 4 Necessary an Sufficient Conitions for Pseuo-Freeness an for the Existence of Pseuo-Free Families The Functions kn G,g, the Families Kn ρ Γ, an the Probability Ensembles Iρ D,Γ Auxiliary Results Putting It All Together A Diffie-Hellman-Like Key Agreement Protocol Problems for Further Research 17 1 Introuction Informally, a family of computational groups is a family of groups whose elements are represente by bit strings in such a way that equality testing, multiplication, inversion, computing the ientity element, an sampling ranom elements can be performe efficiently. Loosely speaking, a family of computational groups is calle pseuo-free if, given a ranom group G in the family (for an arbitrary value of the security parameter) an ranom elements g 1,..., g m G, it is computationally har to fin a system of group equations v i (a 1,..., a m ; x 1,..., x n ) = w i (a 1,..., a m ; x 1,..., x n ), i = 1,..., s, (1.1) an elements h 1,..., h n G such that (1.1) is unsatisfiable in the free group freely generate by a 1,..., a m (over variables x 1,..., x n ), but v i (g 1,..., g m ; h 1,..., h n ) = w i (g 1,..., g m ; h 1,..., h n ) in G for all i {1,..., s}. If a family of computational groups satisfies this efinition with the aitional requirement that n = 0 (i.e., that the equations in (1.1) be variable-free), then this family is sai to be weakly pseuo-free. Of course, (weak) pseuo-freeness epens heavily on the form in which system (1.1) is require to be foun, i.e., on the representation of such systems. The notion of pseuo-freeness (which is a variant of weak pseuo-freeness in the above sense) was introuce by Hohenberger in [Hoh03, Section 4.5] (for black-box groups). Rivest gave formal efinitions of a pseuo-free family of computational groups (see [Riv04a, Definition 2], [Riv04b, Slie 17]) an a weakly pseuo-free one (see [Riv04b, Slie 11]). Note that the efinitions of (weak) pseuo-freeness in those works are base on single group equations rather than systems of group equations. For motivation of the stuy of pseuo-freeness, we refer the reaer to [Hoh03, Riv04a, Mic10]. Also, the above cite works contain efinitions of (weak) pseuo-freeness in the variety A of all abelian groups (using ifferent terminology). (A variety of groups can be efine as a class of groups that is close uner taking subgroups, homomorphic images, an cartesian proucts. In particular, any variety of groups contains the trivial group because this group is the cartesian prouct of the empty family of groups.) Note that most works on pseuo-free families of computational groups eal with pseuo-freeness in A. To efine a (weakly) pseuo-free family in A, it is natural to require that all groups in the family be abelian an to replace the free group by the free abelian group in the above efinition of a (weakly) pseuo-free family. Similarly, we can efine a (weakly) pseuo-free family in an arbitrary variety V of groups. To o this, we require that all groups in the family belong to V an replace the free group by the V-free group in the above efinition of a (weakly) pseuo-free family. See [Ano13, Definition 3.3] for a formal efinition of a pseuo-free family of computational groups in an arbitrary variety of groups. Of course, pseuo-free families of computational groups in ifferent varieties are completely ifferent objects. A survey of results concerning pseuo-freeness can be foun in [Fuk14, Chapter 1]. In this paper, we stuy (weakly) pseuo-free families of computational groups in the variety of all elementary abelian p-groups, where p is an arbitrary fixe prime number. We call these families (weakly) pseuo-free families of computational elementary abelian p-groups. Note that we restrict ourselves to families (G D) of computational elementary abelian p-groups (where D {0, 1} ) such that for every D, each element of G is represente by a single bit string of length polynomial in. Hence we can assume that G {0, 1} η( ) for some polynomial η an that the representation of each element g G is g itself (see Definition 3.1). Let (H i i I) (where I {0, 1} ) be a weakly pseuo-free family of finite computational groups in an arbitrary variety of infinite exponent (or, in another terminology, of exponent zero), e.g., in the 2

3 variety of all groups or all abelian groups. (The exponent of a variety V of groups is equal to the orer of a free generator of the V-free group.) Assume that, given a positive integer n, a representation of the variable-free equation a n 1 = 1 can be compute in polynomial time. Then it is easy to prove that the problem of fining H i for a given i I is computationally har (see [Riv04a, Subsection 4.1] or [Riv04b, Slie 12] for a guieline). It can be expecte that this oes not necessarily hol for (weakly) pseuo-free families of finite computational groups in varieties of finite exponent (provie that such families exist). In particular, this applies to (weakly) pseuo-free families of computational elementary abelian p-groups (see Corollary 4.8 an Remark 4.9). Note that the problem of extening the theory of pseuo-freeness to families of computational groups of easily computable orer was pose by Rivest (see [Riv04a, Section 7], [Riv04b, Slie 22]). The main contributions of this paper are as follows: The equivalence of pseuo-freeness an weak pseuo-freeness for families of computational elementary abelian p-groups (see Theorem 3.7). This enables us to use the efinition of weak pseuofreeness (which is more convenient for our purposes than the efinition of pseuo-freeness) for proving results concerning pseuo-freeness. Bearing in min this equivalence, we o not use the terms weakly pseuo-free an weak pseuo-freeness when speaking of families of computational elementary abelian p-groups after the proof of Theorem 3.7. Some necessary an sufficient conitions for a family Γ of computational elementary abelian p-groups to be pseuo-free, provie that at least one of two aitional conitions hols (see Theorem 4.11). These necessary an sufficient conitions are formulate in terms of collision-intractability or onewayness of certain homomorphic families Kn γ Γ of functions, where γ is a polynomial parameter. See Subsection 4.1 for the efinition of these families of functions. Some necessary an sufficient conitions for the existence of pseuo-free families of computational elementary abelian p-groups (see Theorem 4.12). With one exception, these conitions are the existence of certain homomorphic collision-intractable families of p-ary hash functions or certain homomorphic one-way families of functions. In Subsection 4.4, we construct a Diffie-Hellman-like key agreement protocol from an arbitrary family of computational elementary abelian p-groups. Also, the protocol uses a polynomial parameter ρ. Unfortunately, we o not know whether this protocol is secure (in some natural sense) uner reasonable assumptions on the unerlying family of computational elementary abelian p-groups an the polynomial parameter ρ. We leave this for further research (see Problem 5.3). The rest of the paper is organize as follows. Section 2 contains notation, basic efinitions, an general results use in the paper. In Section 3, we formally efine an iscuss families of computational elementary abelian p-groups (with the above restrictions), as well as pseuo-free an weakly pseuo-free ones. Also, Section 3 contains the proof of equivalence of pseuo-freeness an weak pseuo-freeness for families of computational elementary abelian p-groups. In Section 4, we give some necessary an sufficient conitions for pseuo-freeness an for the existence of pseuo-free families of computational elementary abelian p- groups. Finally, Section 5 contains some problems concerning families of computational elementary abelian p-groups. We suggest these problems for further research. 2 Preliminaries 2.1 General Preliminaries In this paper, N enotes the set of all nonnegative integers. Let m, n N. For a set X, we enote by X n the set of all (orere) n-tuples of elements from X an by X m n the set of all m n matrices over X. When necessary, we consier tuples as matrices with one row. As usual, (x i,j ) enotes the m n matrix (for some specifie m an n) whose (i, j) entry is x i,j for all i {1,..., m} an j {1,..., n}. The transpose of a matrix M is enote by M T. We consier elements of {0, 1} n as bit strings of length n. Furthermore, let {0, 1} n = n i=0 {0, 1}i an {0, 1} = i=0 {0, 1}i. If u, v {0, 1}, then we enote by u the length of u an by uv the concatenation of u an v. The unary representation of n, i.e., the string of n ones, is enote by 1 n. Similarly, 0 n enotes the string of n zeros. 3

4 Let I be a set. Suppose each i I is assigne an object q i. Then we enote by (q i i I) the family of all such objects an by {q i i I} the set of all elements of this family. When necessary, we assume that all finite objects (e.g., integers, tuples of integers, tuples of tuples of integers) are represente by bit strings in some natural way. Sometimes we ientify such objects with their representations. Unless otherwise specifie, integers are represente by their binary expansions. Throughout the paper, p enotes an arbitrary fixe prime number. Also, we enote by Z p the set {0,..., p 1}. If necessary, this set is consiere as a fiel uner aition an multiplication moulo p or as the aitive group of this fiel. The intene meaning will be clear from the context. In this paper, we eal with elementary abelian p-groups. Recall that a group G is calle an elementary abelian p-group if G is abelian an pg = 0 for any g G. (We use aitive notation for abelian groups.) In fact, elementary abelian p-groups are the same as vector spaces over the fiel Z p. Therefore a group is an elementary abelian p-group if an only if it is isomorphic to a irect power of the aitive group of this fiel. For any n N an any group G, G n enotes the nth irect power of G. If S is a system of elements of a group, then we enote by S the subgroup of this group generate by S. For convenience, we say that a function π : N N \ {0} is a polynomial if there exist c N \ {0} an N such that π(n) = cn for any n N \ {0} (π(0) can be an arbitrary positive integer). 2.2 Probabilistic Preliminaries Let X be a probability istribution on a finite or countably infinite sample space X. Then we enote by supp X the support of X, i.e., the set {x X Pr X {x} = 0}. In many cases, one can consier X as a istribution on supp X. Suppose α is a function from X to a finite or countably infinite set Y. Then α can be consiere as a ranom variable. The istribution of this ranom variable is enote by α(x ). Recall that this istribution is efine by Pr α(x ) {y} = Pr X α 1 (y) for each y Y. We use the notation x 1,..., x n X to inicate that x 1,..., x n (enote by upright bol letters) are inepenent ranom variables istribute accoring to X. We assume that these ranom variables are inepenent of all other ranom variables efine in such a way. Furthermore, all occurrences of an upright bol letter (possibly inexe or prime) in a probabilistic statement refer to the same (unique) ranom variable. Of course, all ranom variables in a probabilistic statement are assume to be efine on the same sample space. Other specifics of ranom variables o not matter for us. Note that the probability istribution X in this notation can be ranom. For example, suppose (X i i I) is a probability ensemble consisting of istributions on the set X, where the set I is also finite or countably infinite. Moreover, let I be a probability istribution on I. Then i I an x X i mean that the joint istribution of the ranom variables i an x is given by Pr[i = i, x = x] = Pr I {i} Pr Xi {x} for each i I an x X. For any n N, we enote by X n the istribution of (x 1,..., x n ), where x 1,..., x n X. Similarly, for arbitrary m, n N, X m n enotes the istribution of (x i,j ), where x i,j X for all i {1,..., m} an j {1,..., n}. The notation x 1,..., x n X inicates that x 1,..., x n (enote by upright meium-weight letters) are fixe elements of the set X chosen inepenently at ranom accoring to the istribution X. Let R an S be probability istributions on the set X. Then the statistical istance (also known as variation istance) between R an S is efine as (R, S) = 1 Pr R {x} Pr S {x}. 2 x X It is well known that (R, S) = max M X Pr R M Pr S M. See also, e.g., [Sho08, Section 8.8] or [Lub96, Lecture 7]. For a nonempty finite set Z, we enote by U(Z) the uniform probability istribution on Z. 2.3 Computational an Cryptographic Preliminaries We nee to generate ranom elements y U(Z p ). But if p 2, then there is no probabilistic bounetime algorithm (in the stanar sense) that oes this (see [Sho08, Exercise 9.4]). For this reason, we slightly moify the stanar efinition of a probabilistic algorithm. The only moification we make to this efinition is allowing a probabilistic algorithm to use ranom elements y U(Z p ) instea of ranom bits b U({0, 1}). (Recall that p is fixe.) Unless otherwise specifie, probabilistic algorithms consiere 4

5 in this paper use ranom elements of Z p. Note that there exists a probabilistic polynomial-time algorithm A such that A uses ranom bits an for any n N the statistical istance between the istribution of A(1 n ) an U(Z p ) is at most 2 n (see Algorithm RN in [Sho08, Section 9.2]). Similarly, it is easy to see that there exists a probabilistic polynomial-time algorithm B such that B uses ranom elements of Z p an for any n N the statistical istance between the istribution of B(1 n ) an U({0, 1}) is at most p n. This shows that the computational power of probabilistic polynomial-time algorithms using ranom elements of Z p is almost the same as that of such algorithms using ranom bits. Let X = (X i i I) be a probability ensemble consisting of istributions on {0, 1}, where I {0, 1} or I N. Then X is calle polynomial-time samplable (or polynomial-time constructible) if there exists a probabilistic polynomial-time algorithm A such that for every i I the istribution of A(i) (if I {0, 1} ) or A(1 i ) (if I N) coincies with X i. It is evient that if X is polynomial-time samplable, then there exists a polynomial π satisfying supp X i {0, 1} π( i ) (if I {0, 1} ) or supp X i {0, 1} π(i) (if I N) for any i I. Suppose K is an infinite set of nonnegative integers, D is a subset of {0, 1}, an D = (D k k K) is a polynomial-time samplable probability ensemble consisting of istributions on D. Let E k be the istribution of (1 k, ), where k K an D k, an let E = (E k k K). Then E is a polynomial-time samplable probability ensemble. Also, enote k K supp E k by E. That is, E = {(1 k, ) k K, supp D k }. This notation is use throughout the paper. A function ϵ: K {r R r 0} is calle negligible if for every polynomial π there exists a nonnegative integer n such that ϵ(k) 1/π(k) whenever k K an k n. We enote by negl an unspecifie negligible function on K. Any (in)equality containing negl(k) is meant to hol for all k K. Let (r k k K) an (s k k K) be probability ensembles consisting of ranom variables that take values in {0, 1}. Then these ensembles are sai to be computationally inistinguishable (or inistinguishable in polynomial time) if for any probabilistic polynomial-time algorithm A, Pr[A(1 k, r k ) = 1] Pr[A(1 k, s k ) = 1] = negl(k). Furthermore, two probability ensembles (R k k K) an (S k k K) consisting of istributions on {0, 1} are sai to be computationally inistinguishable (or inistinguishable in polynomial time) if (r k k K) an (s k k K) are computationally inistinguishable, where r k R k an s k S k for all k K. Definition 2.1. Suppose (H D) is a family of groups. We call a family (ϕ : H {0, 1} D) of functions homomorphic if the following two conitions hol: (i) For any D, the operation in ϕ (H ) given by ϕ (y) ϕ (z) = ϕ (yz), where y, z H, is well efine. (Hence for every D, ϕ (H ) is a group uner an ϕ is a homomorphism from H onto this group.) (ii) The functions (, v, w) v w, (, v) v 1 (in the group ϕ (H )), an ϕ (1), where D an v, w ϕ (H ), are polynomial-time computable. (Here, of course, ϕ (1) is the ientity element of the group ϕ (H ).) Let D. It is evient that if ϕ is a homomorphism from H to a group G {0, 1}, then is well efine an coincies with the restriction of the multiplication in G to the subgroup ϕ (H ). Also, it is easy to see that the operation is well efine if an only if ϕ 1 (ϕ (1)) is a normal subgroup of H an ϕ 1 (ϕ (y)) = yϕ 1 (ϕ (1)) for all y H. In particular, this hols if ϕ is one-to-one. We emphasize that a homomorphic family of functions oes not just consist of group homomorphisms. It is also require that multiplication, inversion, an computing the ientity element in the group ϕ (H ) can be performe in polynomial time when is given. Note that we use the term homomorphic family of functions by analogy with the term homomorphic encryption. We will use Definition 2.1 in the case when H is an elementary abelian p-group for each D. In this case, of course, we will switch to aitive notation. It is evient that if H is an elementary abelian p-group an is well efine, then ϕ (H ) is an elementary abelian p-group uner as a homomorphic image of H. Definition 2.2 (see also [Lub96, Preliminaries]). A function ρ: D N is calle a polynomial parameter (on D) if the function 1 ρ() ( D) is polynomial-time computable. It is easy to see that the function ρ is a polynomial parameter if an only if it is polynomial-time computable an there exists a polynomial π satisfying ρ() π( ) for all D. A function η : I N, where I N, is sai to be a polynomial parameter (on I) if the function 1 i η(i) (i I) is a polynomial parameter on the set {1 i i I} in the above sense. 5

6 Note that the restriction of any polynomial to a set I N is a polynomial parameter on I. Example 2.3. We will use the following types of polynomial parameters on E: (1 k, ) η(k), where η is a polynomial parameter on K (in particular, a polynomial restricte to K). (1 k, ) ρ(), where ρ is a polynomial parameter on D. Remark 2.4. Suppose (R D) an (S D) are polynomial-time samplable probability ensembles consisting of istributions on {0, 1}. Let σ be a polynomial parameter on E an let, for k K, D k, r 0,..., r σ(1 k,) R, an s 0,..., s σ(1 k,) S. Assume that the probability ensembles ((, r 0 ) k K) an ((, s 0 ) k K) are computationally inistinguishable. A stanar hybri argument (see [Gol01, proof of Theorem 3.2.6]) shows that the probability ensembles ((, r 1,..., r σ(1 k,)) k K) an ((, s 1,..., s σ(1k,)) k K) are computationally inistinguishable. (It suffices to prove this in the case when σ(1 k, ) = π(k) for all (1 k, ) E, where π : K {p l l N} is a polynomial parameter.) Let Φ = (ϕ : Y {0, 1} D) be a family of functions such that there exists a polynomial η satisfying Y {0, 1} η( ) for all D. Recall that the family Φ is calle polynomial-time computable if the function (, y) ϕ (y) (where D an y Y ) is polynomial-time computable. Moreover, recall that a collision for a function ϕ is a pair of istinct elements in its omain having the same image uner ϕ. Definition 2.5. The family Φ is calle collision-intractable (or collision-resistant) with respect to D if for any probabilistic polynomial-time algorithm A, Pr[A(1 k, ) is a collision for ϕ ] = negl(k), where D k. In particular, if ϕ is one-to-one for each D, then Φ is collision-intractable with respect to D. Definition 2.6. Suppose (Y D) is a polynomial-time samplable probability ensemble, where Y is a probability istribution on Y for any D. Then the family Φ is sai to be one-way with respect to D an (Y D) if it is polynomial-time computable an for any probabilistic polynomial-time algorithm A, Pr[A(1 k,, ϕ (y)) ϕ 1 (ϕ (y))] = negl(k), where D k an y Y. We use the term one-way family of functions instea of the more common term family of oneway functions because one-wayness is a property of the whole family of functions rather than of its iniviual members. For the same reason, we use the terms homomorphic family of functions an collision-intractable family of functions. The next lemma is well known. Lemma 2.7. Suppose the family Φ is polynomial-time computable an collision-intractable with respect to D. Also, assume that the following conitions hol: Y for all D. The probability ensemble (U(Y ) D) is polynomial-time samplable. For D k an y U(Y ), where k K, we have Pr[ϕ 1 (ϕ (y)) = {y}] = negl(k). Then the family Φ is one-way with respect to D an (U(Y ) D). Lemma 2.7 can be prove using an argument similar to that use in the proof of Proposition 8.4 in [GB08] (see also [GB08, Proposition 8.2]). We will apply Lemma 2.7 to families Φ consisting of group homomorphisms that are not one-to-one. It is evient that if ϕ is such a homomorphism efine on a group Y, then ϕ 1 (ϕ(y)) {y} for all y Y. We nee the following variant of the well-known Golreich-Levin theorem for Z p. Lemma 2.8 (follows from [DGK + 10, Theorem 1]). Suppose (ψ : Z ρ() p {0, 1} D) is a oneway family of functions with respect to D an (U(Zp ρ() ) D), where ρ is a polynomial parameter on D. For every k K, let D k, y, z U(Z ρ() p ), an t U(Z p ). Then the probability ensembles ((, ψ (y), z, yz T ) k K) an ((, ψ (y), z, t) k K) are computationally inistinguishable. 6

7 Note that for any y = (y 1,..., y n ) Z n p an z = (z 1,..., z n ) Z n p (where n N), yz T is the inner prouct of y an z over the fiel Z p, i.e., y 1 z y n z n. Definition 2.9. Let (I k k K) be a pairwise isjoint family of nonempty subsets of {0, 1} an let I = k K I k. For each i I, efine κ(i) as the unique k K such that i I k. Assume that the following two conitions hol: There exists a polynomial π such that I k {0, 1} π(k) for any k K. The function κ: I K efine above is a polynomial parameter. Moreover, suppose σ an τ are polynomial parameters on K. Then a family (χ i : Z σ(κ(i)) p Z τ(κ(i)) p i I) of functions is calle a family of p-ary hash functions if this family is polynomial-time computable an σ(k) > τ(k) for all k K. 3 (Weakly) Pseuo-Free Families of Computational Elementary Abelian p-groups 3.1 Families of Computational Elementary Abelian p-groups Loosely speaking, a family of computational groups consists of groups G (where D) whose elements are represente by bit strings in such a way that equality testing, multiplication, inversion, computing the ientity element, an sampling ranom elements in G can be performe efficiently when is given. See [Ano13, Definition 3.1] for a formal efinition of a family of computational groups. In this paper, we consier only families (G D) of computational elementary abelian p-groups such that the following aitional conitions hol: For any D, each element of G is represente by a single bit string. Hence we can assume that G {0, 1} an that the representation of each element g G is g itself. There exists a polynomial η such that G {0, 1} η( ) for all D. In this case, the family of computational groups has exponential size, i.e., there exists a polynomial η such that G 2 η ( ) for all D. See also [Ano13, Definition 3.2]. As note in [Ano13], pseuo-free families that o not have exponential size per se are of little interest. Now we give a formal efinition of a family of computational elementary abelian p-groups (with the above restrictions). Definition 3.1. Let ((G, G ) D) be a family of pairs, where G {0, 1} is an elementary abelian p-group an G is a probability istribution on G for any D. Then this family is sai to be a family of computational elementary abelian p-groups if the following conitions hol: There exists a polynomial η such that G {0, 1} η( ) for all D. There exists a eterministic polynomial-time algorithm that, given D an g, h G, computes g + h in G. The probability ensemble (G D) is polynomial-time samplable. For example, if ρ is a polynomial parameter on D, then ((Z ρ() p, U(Z ρ() p )) D) is a family of computational elementary abelian p-groups. Note that before Definition 3.1 we o not specify the istributions on the sets of representations of group elements when speaking of families of computational groups. This is because these istributions o not matter for us there. In the rest of the paper, Γ = ((G, G ) D) enotes a family of computational elementary abelian p-groups. Remark 3.2. It is evient that, given D an g G, g (in G ) can be compute in polynomial time as (p 1)g. Moreover, the ientity element of G can also be compute in polynomial time from D as pg for an arbitrary element g G (which can be obtaine by sampling from the istribution G ). 7

8 Remark 3.3. Suppose ((H, H ) D) is a family of computational elementary abelian p-groups an Φ = (ϕ : H {0, 1} D) is a polynomial-time computable family of functions. Assume that Φ satisfies Conition (i) of Definition 2.1 an that the function (, v, w) v w ( D, v, w ϕ (H )) is polynomial-time computable, where is efine in this conition. Then it is easy to see that ((ϕ (H ), ϕ (H )) D) is a family of computational elementary abelian p-groups. Furthermore, Remark 3.2 shows that Φ also satisfies Conition (ii) of Definition 2.1. Thus, the family Φ is homomorphic. 3.2 Pseuo-Free Families of Computational Elementary Abelian p-groups Suppose F, is the elementary abelian p-group with basis a 1, a 2,..., x 1, x 2,... (as a vector space over the fiel Z p ). We consier F, as a free group in the variety of all elementary abelian p-groups. Furthermore, let F = a 1, a 2,..., F m,n = a 1,..., a m, x 1,..., x n, an F m = F m,0 = a 1,..., a m for any m, n N. It is well known that a i an x j (for all i, j N \ {0}) can be consiere as variables taking values in an arbitrary elementary abelian p-group G. Namely, suppose w = i=1 y ia i + j=1 z jx j F,, where y i, z j Z p for all i, j N\{0}. Here, of course, y 1, y 2,..., z 1, z 2,... are uniquely etermine by w an the sets I w = {i N \ {0} y i 0} an J w = {j N \ {0} z j 0} are finite. Assume that w F m,n for some m, n N. (This means that y i = z j = 0 for all i > m an j > n.) Let g = (g 1,..., g m,... ) be an m -tuple, where m m, or an infinite sequence of elements of G. Similarly, let h = (h 1,..., h n,... ) be an n -tuple, where n n, or an infinite sequence of elements of G. Then the element w(g; h) G is efine as y 1 g y m g m + z 1 h z n h n. Whenever n = 0, we omit the semicolon in this notation, i.e., we write w(g) instea of w(g;). Note that w = w(a; x), where, of course, a = (a 1, a 2,... ) an x = (x 1, x 2,... ). In this paper, we use either of the two following representations of the element w for computational purposes: (((i 1, y i1 ),..., (i s, y is )), ((j 1, z j1 ),..., (j t, z jt ))), where {i 1,..., i s } = I w, i 1 < < i s, {j 1,..., j t } = J w, an j 1 < < j t. ((y 1,..., y m ), (z 1,..., z n )), where m = max I w an n = max J w. Here we put max = 0. All our results epening on such a representation hol for both representations efine above. Note that every element of F, has a unique representation of each of the above forms. Remark 3.4. By a straight-line program over F, we mean a sequence (u 1,..., u n ) of tuples such that for any l {1,..., n}, either u l = (b, m), where b {a, x} an m N \ {0}, or u l = (i, j, +), where i, j {1,..., l 1}. Here a, x, an + are consiere as symbols. A straight-line program (u 1,..., u n ) over F, naturally efines the sequence (v 1,..., v n ) of elements of F, by inuction. Namely, for every l {1,..., n}, we put v l = b m if u l = (b, m) an v l = v i + v j if u l = (i, j, +), where b, m, i, an j are as above. Then the straight-line program (u 1,..., u n ) represents the element v n. Note that we o not nee tuples u l of the form (i, ) efining v l = v i (where i {1,..., l 1}) because they can be replace by sequences of at most 2 log 2 (p 1) tuples of the form (i, j, +). Also, 0 can be represente by a straight-line program over F, consisting of one tuple of the form (b, m) an at most 2 log 2 p tuples of the form (i, j, +). It is easy to see that, given a straight-line program over F, representing an element w F,, the first of the above representations of w can be compute in polynomial time. Conversely, given the first of the above representations of an element w F,, a straight-line program over F, representing w can also be compute in polynomial time. This is why we o not use the representation of elements of F, by straight-line programs over F, for computational purposes (unlike [Hoh03]). Let G be an elementary abelian p-group an let g = (g 1,..., g m ) G m, where m N. Denote by Σ(G, g) the set of all tuples ((v 1, w 1 ),..., (v s, w s ), h) such that the following conitions hol: s N \ {0}, h G n for some n N, an v 1, w 1,..., v s, w s F m,n. The system of equations v i (a; x) = w i (a; x), i = 1,..., s, over variables x 1,..., x n is unsatisfiable in F m (or, equivalently, in F ). v i (g; h) = w i (g; h) in G for all i {1,..., s}. 8

9 Definition 3.5. The family Γ of computational elementary abelian p-groups is calle pseuo-free with respect to D if for any polynomial π an any probabilistic polynomial-time algorithm A, Pr[A(1 k,, g) Σ(G, g)] = negl(k), where D k an g G π(k). A more general efinition of a pseuo-free family of computational groups (in an arbitrary variety V of groups with respect to D an a representation for elements of the V-free group by bit strings) was given in [Ano13, Definition 3.3]. Our Definition 3.5 is a special case of that efinition (in the variety of all elementary abelian p-groups an with respect to the above representations for elements of F, ). 3.3 Weak Pseuo-Freeness an Its Equivalence to Pseuo-Freeness for Families of Computational Elementary Abelian p-groups We efine a weakly pseuo-free family of computational elementary abelian p-groups similarly to the efinition of a weakly pseuo-free family of computational groups given by Rivest in [Riv04b, Slie 11]. For an elementary abelian p-group G an a tuple g = (g 1,..., g m ) G m, where m N, let Σ (G, g) = {v F m ((v, 0), ()) Σ(G, g)} = {v F m \ {0} v(g) = 0}. The conition of the next efinition is obtaine from the conition of Definition 3.5 by replacing Σ(G, g) by Σ (G, g). Definition 3.6. The family Γ of computational elementary abelian p-groups is sai to be weakly pseuofree with respect to D if for any polynomial π an any probabilistic polynomial-time algorithm A, Pr[A(1 k,, g) Σ (G, g)] = negl(k), where D k an g G π(k). Theorem 3.7. The family Γ is pseuo-free with respect to D if an only if it is weakly pseuo-free with respect to D. Proof. It is sufficient to construct eterministic polynomial-time algorithms B an C such that for every D, g G m (where m N), u Σ(G, g), an v Σ (G, g), we have B(u) Σ (G, g) an C(v) Σ(G, g). Let D an g G m, where m N. Also, let u = ((v 1, w 1 ),..., (v s, w s ), h) Σ(G, g), where s N \ {0}, h G n for some n N, an v i, w i F m,n for all i {1,..., s}. Suppose B is a eterministic polynomial-time algorithm that procees on input u as follows: 1. By rearranging the scalar multiples of a 1,..., a m, x 1,..., x n in v i (a; x) an w i (a; x), transform the system of equations v i (a; x) = w i (a; x), i = 1,..., s, (3.1) into an equivalent system of the form where v i (x) x 1,..., x n an w i (a) F m for all i {1,..., s}. v i(x) = w i(a), i = 1,..., s, (3.2) 2. By using Gaussian elimination, transform system (3.2) into an equivalent system of the form x nj + v j (x) = w j (a), j = 1,..., t, 0 = w l (a), l = t + 1,..., s, where 1 n 1 < < n t n, 0 t s, v j (x) x n j+1,..., x n for all j {1,..., t}, w i (a) F m for all i {1,..., s}. (Since (3.1) is unsatisfiable in F m, this system is also unsatisfiable in this group. This means that w l (a) 0 for some l {t + 1,..., s}.) 3. Choose an inex l {t + 1,..., s} such that w l (a) 0 (see the previous item) an return w l (a). (It is easy to see that w l (g) = 0. Therefore, B(u) Σ (G, g).) Let v Σ (G, g). Suppose C is a eterministic polynomial-time algorithm that returns ((v, 0), ()) on input v. Then C(v) Σ(G, g). 9

10 In what follows, bearing in min Theorem 3.7, we o not use the terms weakly pseuo-free an weak pseuo-freeness when speaking of families of computational elementary abelian p-groups. Remark 3.8. For an elementary abelian p-group G an a tuple g = (g 1,..., g m ) G m, where m N, let Λ(G, g) = {(y 1,..., y m ) Z m p \ {0} y 1 g y m g m = 0}. It is easy to see that the conition of Definition 3.6 (an by Theorem 3.7, the conition of Definition 3.5 as well) hols if an only if for any polynomial π an any probabilistic polynomial-time algorithm A, Pr[A(1 k,, g) Λ(G, g)] = negl(k), where D k an g G π(k). In the sequel, we use only the last conition as a characterization of families of computational elementary abelian p-groups that are pseuofree with respect to D. Note that this conition oes not epen on the representation of elements of F,. 3.4 Some Remarks Remark 3.9. Let Ξ be a set of polynomial parameters on E such that for any polynomial π there exists a polynomial parameter ξ Ξ satisfying π(k) ξ(1 k, ) for all (1 k, ) E. For example, we can take the set of all polynomial parameters on E as Ξ. Replace the polynomial π by ξ Ξ an π(k) by ξ(1 k, ) in the conition efine in Remark 3.8. Then the moifie version of this conition is equivalent to the original one. The same hols for the conitions of Definitions 3.5 an 3.6. We prove that if the family Γ satisfies the original version of the conition efine in Remark 3.8, then it satisfies the moifie version of this conition. The converse an the equivalence of the two versions for the conitions of Definitions 3.5 an 3.6 can be prove similarly. Let ξ Ξ an let A be a probabilistic polynomial-time algorithm. Choose a polynomial π such that ξ(1 k, ) π(k) for all (1 k, ) E. Suppose B is a probabilistic polynomial-time algorithm that procees on input (1 k,, g) for every k K, supp D k, an g = (g 1,..., g π(k) ) G π(k) as follows: 1. Invoke A on input (1 k,, g ), where g = (g 1,..., g ξ(1k,)). 2. If A returns a ξ(1 k, )-tuple of elements of Z p, then return this tuple right-pae with π(k) ξ(1 k, ) zeros (to obtain a π(k)-tuple of elements of Z p ). Otherwise, the algorithm B fails. It is evient that B(1 k,, g) Λ(G, g) if an only if A(1 k,, g ) Λ(G, g ). Therefore, Pr[A(1 k,, g ) Λ(G, g )] = Pr[B(1 k,, g) Λ(G, g)] = negl(k), where D k, g 1,..., g π(k) G, g = (g 1,..., g ξ(1 k,)), an g = (g 1,..., g π(k) ). Remark Let G 1 k, = G an G 1 k, = G for each (1 k, ) E. Then ((G e, G e ) e E) is a family of computational elementary abelian p-groups. Furthermore, this family is pseuo-free with respect to E if an only if the family Γ is pseuo-free with respect to D. By Remark 3.10, we can use both D an E as an inex set for the family Γ when stuying or using its pseuo-freeness. The avantage of using E is that it is the union of the pairwise isjoint family (supp E k k K) satisfying the requirements of Definition 2.9. Therefore E is suitable for inexing families of p-ary hash functions. But we use D (except in the proof of Theorem 4.12) because we prefer to separate Γ from the probability ensemble D. Remark Let ρ: D N \ {0} be a polynomial parameter. It is obvious that Γ ρ = ((G ρ(), G ρ() ) D) is a family of computational elementary abelian p-groups. Moreover, if the family Γ is pseuo-free with respect to D, then the family Γ ρ is also pseuo-free with respect to D. Inee, suppose π is a polynomial an A is a probabilistic polynomial-time algorithm. Let B be a probabilistic polynomial-time algorithm that procees on input (1 k,, g) for every k K, supp D k, an g = (g 1,..., g π(k) ) G π(k) as follows: 1. Choose g i,j G for all i {1,..., π(k)} an j {2,..., ρ()}. 2. Invoke A on input (1 k,, (v 1,..., v π(k) )), where v i = (g i, g i,2,..., g i,ρ() ) for any i {1,..., π(k)}. 3. Return the output of A (if it exists). 10

11 It is evient that Λ(G ρ(), (v 1,..., v π(k) )) Λ(G, g). Therefore, Pr[A(1 k,, v) Λ(G ρ(), v)] Pr[B(1 k,, g) Λ(G, g)] = negl(k), where D k, v (G ρ() ) π(k), an g G π(k). 4 Necessary an Sufficient Conitions for Pseuo-Freeness an for the Existence of Pseuo-Free Families 4.1 The Functions kn G,g, the Families Kn ρ Γ, an the Probability Ensembles Iρ D,Γ Let G be an elementary abelian p-group an let g = (g 1,..., g m ) G m, where m N. Then we efine the function kn G,g : Z m p G by kn G,g (y) = y 1 g y m g m for all y = (y 1,..., y m ) Z m p. The function kn G,g can be consiere as a knapsack function (see [MM11]). But, unlike many other variants of knapsack functions an like iscrete exponential functions, kn G,g is a group homomorphism. Also, it is obvious that, given D, g G m, an y Zm p, kn G,g(y) can be compute in polynomial time. Suppose ρ is a polynomial parameter on D. Then we enote by Kn ρ Γ the family (kn G,g D, g G ρ() ). Of course, Kn ρ Γ epens only on (G D) an ρ. We use the notation with Γ an ρ because of its convenience. It is easy to see that Kn ρ Γ is homomorphic an polynomial-time computable. Moreover, for any k K, let I ρ D,Γ,k be the istribution of (, g), where D k an g G ρ(). The probability ensemble (I ρ D,Γ,k k K) is enote by Iρ D,Γ. For brevity, we use (U(Zρ()) D) as a shorthan for (U(Z ρ() p (U(Z ρ() p ) D, g G ρ() ) when speaking of the one-wayness of Kn ρ Γ with respect to Iρ D,Γ an ) D). This notation is use throughout the paper. By the problem of inverting kn G,g we mean the problem of fining an element in kn 1 G,g(f) when given (, g, f), where D, g G m, an f kn G,g(Z m p ) (m N). The next three remarks show that this problem has some nice properties. Remark 4.1. Since kn G,g is a group homomorphism, the problem of inverting this function is ranom self-reucible. Namely, there exists a probabilistic polynomial-time oracle algorithm A such that for any D, g G m, f kn G,g(Z m p ) (m N), an any probabilistic oracle O, we have Pr[A O (, g, f) kn 1 G,g (f)] = Pr[O(kn G,g(y)) kn 1 G,g (kn G,g(y))], where y U(Z m p ). This means that if O returns a preimage of kn G,g(y) uner kn G,g with some probability δ(, g), then A O computes a preimage of any f kn G,g(Z m p ) uner kn G,g with the same probability δ(, g). A similar result for the iscrete logarithm problem is well known. The require algorithm A is similar to the algorithm in [Lub96, Lecture 4] for the iscrete logarithm problem. The algorithm A procees on input (, g, f), where, g, an f are as above, as follows: 1. Choose u U(Z m p ). 2. Query the oracle on f + kn G,g(u). If the oracle returns a tuple z Z m p, then return z u (compute in Z m p ). Otherwise, the algorithm A fails. The above result follows from the obvious fact that if f = kn G,g(y) for some y Z m p an u U(Z m p ), then f + kn G,g(u) = kn G,g(y + u), where y + u is istribute uniformly on Z m p. Remark 4.2. The problem of inverting kn G,g is self-reucible in the following sense. For every D, let O be an oracle that on input (b, h) G n G (n N) returns 1 if h kn G,b(Z n p ) an 0 otherwise. Then there exists a eterministic polynomial-time oracle algorithm A such that A O (, g, f) kn 1 G,g (f) for all D, g G m, an f kn G,g(Z m p ) (m N). This fact seems to be well known (even for knapsack functions with polynomially boune input coefficients; such knapsack functions are consiere in [MM11]). But we provie a proof of it (for kn G,g) for completeness an for the convenience of the reaer. Let, g = (g 1,..., g m ), an f be as above. The require algorithm A on input (, g, f) successively fins (by exhaustive search an using the oracle O ) some elements y 1,..., y m Z p such that f y 1 g 1 y i g i kn G,(g i+1,...,g m)(z m i p ) for all i {1,..., m}. Then the algorithm A returns y = (y 1,..., y m ). By construction, we have kn G,g(y) = f. It is easy to see that such elements y 1,..., y m exist. p 11

12 Remark 4.3. There exists a eterministic polynomial-time oracle algorithm A such that for any D, g = (g 1,..., g m ) G m, f kn G,g(Z m p ) (m N), an any basis b of G, we have A kn 1 G,b (, g, f) kn 1 G,g (f). (It is evient that if b = (b 1,..., b n ) G n is a basis of G, then kn G,b is a group isomorphism from Z n p to G.) Namely, the algorithm A on input (, g, f) (where, g, an f are as above) returns a solution (y 1,..., y m ) Z m p to the system of linear equations y 1 kn 1 G,b (g 1) + + y m kn 1 G,b (g m) = kn 1 G,b(f). In particular, this implies the following fact: If β is a polynomial-time computable function on D such that β() is a basis of G for all D, then the problem of inverting kn G,g is Cook-reucible to its special case when g = β(). The problem of inverting kn G,g might be of inepenent interest. One of the purposes of this paper is to raw attention to this problem. See also Problem 5.4 below. 4.2 Auxiliary Results The proof of the next lemma is similar to that of Theorem 2.2 in [IN96]. Lemma 4.4. Suppose ρ is a polynomial parameter on D such that the family Kn ρ Γ is one-way with respect to I ρ D,Γ an (U(Zρ() p ) D). For every k K, let D k, g 1,..., g ρ(), h G, u 1,..., u ρ(), v U(G ), y U(Z ρ() p ), g = (g 1,..., g ρ() ), an u = (u 1,..., u ρ() ). Assume that ((, g, h) k K) an ((, u, v) k K) are computationally inistinguishable. (4.1) Then the probability ensembles ((, g, kn G,g(y)) k K) an ((, g, h) k K) are computationally inistinguishable. Proof. Suppose (e k k K) an (f k k K) are probability ensembles consisting of ranom variables taking values in {0, 1}. For brevity, we write e k f k if these probability ensembles are computationally inistinguishable. Let z U(Z ρ() p ) an t U(Z p ). Then (4.1) an Lemma 2.8 imply that (, u, v, kn G,u(y), z, yz T ) (, g, h, kn G,g(y), z, yz T ) (, g, h, kn G,g(y), z, t) (, u, v, kn G,u(y), z, t). (4.2) Suppose A is a probabilistic polynomial-time algorithm. Let B be a probabilistic polynomial-time algorithm that procees on input (1 k,, u, v, f, z, t) for every k K, supp D k, u = (u 1,..., u ρ() ) G ρ(), v G, f kn G,u(Z ρ() p 1. For all i {1,..., ρ()}, compute u i = u i + z i v. ), z = (z 1,..., z ρ() ) Z ρ() p, an t Z p as follows: 2. Invoke A on input (1 k,, u, f + tv), where u = (u 1,..., u ρ() ). 3. Return the output of A (if it exists). It is evient that if f = kn G,u(y), where y Z ρ() p, then f + tv = kn G,u (y) + (t yzt )v. Let u i = u i + z i v for all i {1,..., ρ()} an u = (u 1,..., u ρ() ). It is easy to see that the ranom variable (, u, y) has the same istribution as (, u, y). Therefore, Pr[B(1 k,, u, v, kn G,u(y), z, yz T ) = 1] = Pr[A(1 k,, u, kn G,u (y)) = 1] = Pr[A(1 k,, u, kn G,u(y)) = 1]. (4.3) Furthermore, conitione on t yz T, the ranom variables (, u, kn G,u (y) + (t yzt )v) an (, u, v) are ientically istribute. Hence, Pr[B(1 k,, u, v, kn G,u(y), z, t) = 1] = Pr[A(1 k,, u, kn G,u (y) + (t yzt )v) = 1] = Pr[A(1 k,, u, kn G,u (y) + (t yzt )v) = 1 t = yz T ] Pr[t = yz T ] + Pr[A(1 k,, u, kn G,u (y) + (t yzt )v) = 1 t yz T ] Pr[t yz T ] = 1 p Pr[A(1k,, u, kn G,u(y)) = 1] + p 1 Pr[A(1 k,, u, v) = 1]. (4.4) p 12

13 It follows from (4.2) (4.4) that Pr[A(1 k,, u, kn G,u(y)) = 1] Pr[A(1 k,, u, v) = 1] = p p 1 Pr[B(1k,, u, v, kn G,u(y), z, yz T ) = 1] Pr[B(1 k,, u, v, kn G,u(y), z, t) = 1] = negl(k). Therefore, (, u, kn G,u(y)) (, u, v). On the other han, (4.1) implies that (, g, kn G,g(y)) (, u, kn G,u(y)) an (, u, v) (, g, h). Thus, (, g, kn G,g(y)) (, g, h). Note that Lemma 4.4 is very close to a special case of Lemma 4.2 in [MM11] (or Corollary 1 in the preliminary version of that paper). We provie a proof of Lemma 4.4 for completeness an for the convenience of the reaer. Remark 4.5. For every k K, let D k, h G, an v U(G ), as in Lemma 4.4. By Remark 2.4 (with σ of the secon type given in Example 2.3), if (U(G ) D) is polynomial-time samplable an ((, h) k K) an ((, v) k K) are computationally inistinguishable, then Conition (4.1) hols for any polynomial parameter ρ on D. Moreover, if max supp Dk (G, U(G )) = negl(k), then it is easy to see that the statistical istance between the istributions of (, g, h) an (, u, v) (in the notation of Lemma 4.4) is negligible as a function of k K. Therefore in this case Conition (4.1) also hols for any polynomial parameter ρ on D. Lemma 4.6. Assume that the family Γ is pseuo-free with respect to D. Then for any polynomial parameter ρ on D, the family Kn ρ Γ is collision-intractable with respect to Iρ D,Γ. Proof. Suppose ρ is a polynomial parameter on D an A is a probabilistic polynomial-time algorithm. Let B be a probabilistic polynomial-time algorithm that procees on input (1 k,, g) for every k K, supp D k, an g G ρ() as follows: 1. Invoke A on input (1 k,, g). 2. If A returns a pair (y, y ) Zp ρ() algorithm B fails. Z ρ() p, then return y y (compute in Zp ρ() ). Otherwise, the It is evient that B(1 k,, g) Λ(G, g) if an only if A(1 k,, g) is a collision for kn G,g. This implies that Pr[A(1 k,, g) is a collision for kn G,g] = Pr[B(1 k,, g) Λ(G, g)] = negl(k), where D k an g G ρ(). Here the secon probability is negligible by Remark 3.9 with Ξ being the set of all polynomial parameters on E. We apply the moification (accoring to Remark 3.9) of the conition efine in Remark 3.8 to the polynomial parameter (1 k, ) ρ() on E (see the secon type of polynomial parameters given in Example 2.3). Lemma 4.7. Let ((H, H ) D) be a family of computational elementary abelian p-groups. Also, suppose Φ = (ϕ : H G D) is a family of functions such that the following conitions hol: For any D, ϕ is a homomorphism. The family Φ is one-way with respect to D an (H D). For D k, g G, an h H, the probability ensembles ((, g) k K) an ((, ϕ (h)) k K) are computationally inistinguishable. Then the family Γ is pseuo-free with respect to D. Proof. Suppose π : K {p l l N} is a polynomial parameter an A is a probabilistic polynomial-time algorithm. Let B be a probabilistic polynomial-time algorithm that procees on input (1 k,, f) for every k K, supp D k, an f ϕ (H ) as follows: 1. Choose i U({1,..., π(k)}) an r 1,..., r i 1, r i+1,..., r π(k) H. 2. Invoke A on input (1 k,, w), where w = (ϕ (r 1 ),..., ϕ (r i 1 ), f, ϕ (r i+1 ),..., ϕ (r π(k) )). 13

14 3. If A returns a tuple (z 1,..., z π(k) ) Z π(k) p, where z i 0, then return z 1 i (z 1 r 1 + +z i 1 r i 1 + z i+1 r i z π(k) r π(k) ) (of course, z 1 i is compute in the fiel Z p ). Otherwise, the algorithm B fails. Let k K, i U({1,..., π(k)}), D k, r 1,..., r π(k), h H, v G π(k), an w = (ϕ (r 1 ),..., ϕ (r i 1 ), ϕ (h), ϕ (r i+1 ),..., ϕ (r π(k) )). It is evient that B(1 k,, f) ϕ 1 (f) if an only if A(1k,, w) = (z 1,..., z π(k) ) Λ(G, w), where z i 0. This implies that Pr[B(1 k,, ϕ (h)) ϕ 1 (ϕ (h))] = Pr[A(1 k,, w) = (z 1,..., z π(k) ) Λ(G, w), z i 0]. (4.5) Denote by ν(v) the number of ranom elements of Z p use by the algorithm A on input v. Let s U(Z ν(1k,,w) p ) represent the sequence of ranom elements of Z p use by A on input (1 k,, w). It is easy to see that the ranom variables (, w, s) an i are inepenent. Therefore, Pr[A(1 k,, w) = (z 1,..., z π(k) ) Λ(G, w), z i 0] 1 π(k) Pr[A(1k,, w) Λ(G, w)]. (4.6) By Remark 2.4 (with σ of the first type given in Example 2.3), the probability ensembles ((, v) k K) an ((, w) k K) are computationally inistinguishable. (It is obvious that (, w) an (, (ϕ (r 1 ),..., ϕ (r π(k) ))) are ientically istribute.) Hence, It follows from (4.5) (4.7) that Pr[A(1 k,, v) Λ(G, v)] Pr[A(1 k,, w) Λ(G, w)] + negl(k). (4.7) Pr[A(1 k,, v) Λ(G, v)] π(k) Pr[B(1 k,, ϕ (h)) ϕ 1 (ϕ (h))] + negl(k) = negl(k). By Remark 3.9, Γ is pseuo-free with respect to D. Here we use this remark with Ξ being the set of all functions ξ : E N such that there exists a polynomial parameter ξ : K {p l l N} satisfying ξ(1 k, ) = ξ (k) for all (1 k, ) E. The next corollary follows from Remark 3.3 an Lemma 4.7. Corollary 4.8. Let ((H, H ) D) be a family of computational elementary abelian p-groups. Also, suppose (ϕ : H {0, 1} D) is a homomorphic family of functions that is one-way with respect to D an (H D). Then ((ϕ (H ), ϕ (H )) D) is a pseuo-free family of computational elementary abelian p-groups with respect to D, where ϕ (H ) is consiere as an elementary abelian p-group uner the operation efine in Conition (i) of Definition 2.1. Remark 4.9. Corollary 4.8 can be consiere as a tool for constructing pseuo-free families of computational elementary abelian p-groups. For example, assume that there exist a family ((H, H ) D) of computational elementary abelian p-groups an a family Φ = (ϕ : H {0, 1} D) of functions such that the following conitions hol: Φ is one-way with respect to D an (H D). For any D, ϕ is one-to-one. (Hence, Φ satisfies Conition (i) of Definition 2.1.) There exists a eterministic polynomial-time algorithm that, given D an v, w ϕ (H ), computes ϕ (ϕ 1 (v) + ϕ 1(w)). (Hence by Remark 3.3, Φ satisfies Conition (ii) of Definition 2.1.) Then Corollary 4.8 enables us to construct a pseuo-free family of computational elementary abelian p-groups with respect to D. Moreover, we can conjecture that a family Φ satisfying the above conitions exists even in the case when H = Z ρ() p an H = U(Z ρ() p ) for all D, where ρ is an appropriate polynomial parameter on D. Lemma Suppose there exists a polynomial parameter ρ on D such that the following two conitions hol: 14