4.1 Interpolation of Group Homomorphisms
4.1.4 Problem Amplifications and Reductions
In this subsection, we consider GHID and GHI problems with a set of points $S = \{(g_1, h_1), \dots, (g_s, h_s)\}$ such that $g_1, \dots, g_s$ $H$-generate $G$ and $S$ interpolates in a group homomorphism $f$. Note that this homomorphism is unique by Lemma 4.1.3.
4. MOVA Undeniable Signature
Amplification of the GHI and GHID Problems
We show here how GHI and GHID problem solvers can be amplified so that both problems can be perfectly solved under certain conditions.
GHID Amplification. Here, we need to assume that $H$ is cyclic and has a prime order. For any integer $n$ and any set $\{(x_1, y_1), \dots, (x_n, y_n)\} \in (G \times H)^n$, we explain how one can correctly decide whether $f(x_i) = y_i$ for all $i = 1, \dots, n$ or not with an overwhelming probability, using an $n$-$S$-GHID distinguisher $D$ with an advantage $\varepsilon > 0$. For this purpose, the main task consists in generating an $n$-$S$-GHID instance from $\{(x_1, y_1), \dots, (x_n, y_n)\}$ such that it is of type $T_0$ if $f(x_i) = y_i$ for all $i = 1, \dots, n$ and of type $T_1$ otherwise. We generate such an instance by picking $r_i \in_U G$, $a_{i,j} \in_U \mathbb{Z}_d$ uniformly at random for $i = 1, \dots, n$, $j = 1, \dots, s + n$ and by setting
$$x'_i := d r_i + a_{i,1} g_1 + \cdots + a_{i,s} g_s + a_{i,s+1} x_1 + \cdots + a_{i,s+n} x_n$$
and
$$y'_i := a_{i,1} h_1 + \cdots + a_{i,s} h_s + a_{i,s+1} y_1 + \cdots + a_{i,s+n} y_n.$$
Note that if $f(x_i) = y_i$ for $i = 1, \dots, n$, then the above instance is of type $T_0$, since $x'_i$ is uniformly distributed for $i = 1, \dots, n$ by Lemma 4.1.9 and $f(x'_i) = y'_i$ for $i = 1, \dots, n$ due to the homomorphic property of $f$. On the other hand, if $f(x_j) \neq y_j$ for at least one $j$, the above instance is of type $T_1$ provided that $H$ is a cyclic group of a prime order. Namely, we are ensured that $a_{i,s+j}(f(x_j) - y_j)$ can take any value of $H$ in this case. Therefore, the value $y'_i$ is independent from $x'_i$ for any $i$, which shows that the instance defined by $x'_i$ and $y'_i$ for $i = 1, \dots, n$ is of type $T_1$. As in the article of Boneh [19] about the decision Diffie-Hellman problem, we can correctly determine whether $f(x_i) = y_i$ for $i = 1, \dots, n$ or not with an overwhelming probability in polynomial time. We summarize this technique below. We need to consider two experiments. The first one consists in generating $k$ instances as above and feeding them to $D$. Let $w_1$ be the random variable counting the number of times $D$ decides that the instance was of type $T_0$. In a second experiment, we generate $k$ random instances of type $T_1$ and feed them to $D$. Let $w_2$ be the number of “type $T_0$” answers by $D$. One can decide whether $f(x_i) = y_i$ for $i = 1, \dots, n$ by testing whether $|w_1 - w_2|$ is greater than a given threshold. An adequate choice of the threshold value allows one to succeed with an overwhelming probability.
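The two experiments above can be simulated on a toy group. The following is an added example, not code from the original text: the groups ($G = \mathbb{Z}_{77}$, $H = \mathbb{Z}_7$, written additively), the homomorphism $f(x) = 3x \bmod 7$, the simulated distinguisher and the threshold $k\varepsilon/2$ are all assumptions chosen for illustration.

```python
import random

# Toy parameters (constructed for illustration): G = Z_77 and H = Z_7, both
# additive, d = |H| = 7, and f(x) = 3x mod 7 is the hidden homomorphism.
N, D_ORD = 77, 7
G_PTS, H_PTS = [1, 5], [3, 1]          # S = {(1, 3), (5, 1)}, with h_i = f(g_i)

def f(x):
    return (3 * x) % D_ORD

def rerandomize(pairs, rng):
    """Build the n-S-GHID instance (x'_i, y'_i) from n candidate pairs."""
    xs, ys = [p[0] for p in pairs], [p[1] for p in pairs]
    out = []
    for _ in pairs:
        r = rng.randrange(N)
        a = [rng.randrange(D_ORD) for _ in range(len(G_PTS) + len(pairs))]
        x = (D_ORD * r + sum(c * g for c, g in zip(a, G_PTS + xs))) % N
        y = sum(c * h for c, h in zip(a, H_PTS + ys)) % D_ORD
        out.append((x, y))
    return out

def random_t1(n, rng):
    """An instance of type T1: y_i uniform in H, independent of x_i."""
    return [(rng.randrange(N), rng.randrange(D_ORD)) for _ in range(n)]

def weak_distinguisher(instance, rng, eps=0.1):
    """Stand-in for D: answers "T0" with probability 1/2 + eps on consistent
    instances and 1/2 otherwise. It uses f only to simulate that bias."""
    consistent = all(f(x) == y for x, y in instance)
    return rng.random() < 0.5 + (eps if consistent else 0.0)

def amplified_decide(pairs, k=10000, eps=0.1, seed=1):
    """Decide whether f(x_i) = y_i for all i by comparing w1 and w2.
    The threshold k*eps/2 is an assumed choice, not taken from the text."""
    rng = random.Random(seed)
    w1 = sum(weak_distinguisher(rerandomize(pairs, rng), rng, eps) for _ in range(k))
    w2 = sum(weak_distinguisher(random_t1(len(pairs), rng), rng, eps) for _ in range(k))
    return abs(w1 - w2) > k * eps / 2
```

With these parameters the expected gap $|w_1 - w_2|$ is close to $k\varepsilon$ when every pair interpolates in $f$ and close to 0 otherwise, so the threshold separates the two cases by several standard deviations.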
GHIP Amplification. We can amplify the success probability of a 1-$S$-GHIP solver $A$ to an overwhelming success probability by directly applying the results of Lemma 4.1.13. This amplification technique works in polynomial time provided that $A$ has a success probability greater than $1/p + \theta$, where $\theta$ is non-negligible. Since an $n$-$S$-GHIP instance consists of $n$ independent 1-$S$-GHIP instances, one can assume
that an $n$-$S$-GHIP solver solves every component with the same probability. Hence, amplification techniques work for $n$-$S$-GHIP provided that the solver succeeds with a probability greater than $1/p^n + \theta$.
These amplification results show that GHID and GHI problems can be related to their non-probabilistic variants if certain conditions are fulfilled. When $H$ is cyclic of prime order, GHID distinguishers can be used to determine whether any set $\{(x_1, y_1), \dots, (x_n, y_n)\} \in (G \times H)^n$ interpolates in $f$. When GHIP solvers are good enough, one can evaluate $f$ on any given points $(x_1, \dots, x_n) \in G^n$.
We are now in a position to show that these non-probabilistic versions can be interpreted in terms of languages so that they can be analyzed using tools of complexity theory.
Non-Probabilistic GHI and GHID Problems are in NP ∩ co-NP
We associate a language $L$ to the 1-$S$-GHID problem which is composed of any instance $(x, y) \in G \times H$ such that $f(x) = y$. We show that $L$ is in NP. In order to decide whether a given pair $(x, y)$ lies in $L$ in polynomial time, it suffices to provide a witness containing the coefficients $r \in G$, $a_1, \dots, a_s \in \mathbb{Z}_d$ such that
$$x = dr + a_1 g_1 + \cdots + a_s g_s. \qquad (4.12)$$
Namely, by assertion 5 of Lemma 4.1.3, such a representation always exists and checking the validity of the following equation
$$y = a_1 h_1 + \cdots + a_s h_s$$
directly provides the answer. Note that this is the case also for instances $(x, y) \notin L$. As a consequence of this, we deduce that the non-probabilistic variant of the 1-$S$-GHID problem lies in NP ∩ co-NP. This result generalizes in a straightforward way to the $n$-$S$-GHID problems with any $n \in \mathbb{N}$.
To proceed in a similar way for the 1-$S$-GHI problem, we first define some closely related decisional problems. Assume that the group $H$ is equipped with a total order relation denoted $\preceq$ and consider the language
$$L_h := \{x \in G \mid f(x) \preceq h\}$$
for any $h \in H$. We note that if one is able to decide whether $x \in L_h$ for any $x \in G$ and $h \in H$, then one can easily compute $f(x)$ by dichotomy. As above, we can show that coefficients $r \in G$, $a_1, \dots, a_s \in \mathbb{Z}_d$ satisfying (4.12) provide a witness for $x$ with respect to $L_h$ for any $h \in H$. This shows that non-probabilistic GHI problems can be easily represented with languages lying in NP ∩ co-NP.
Remark 4.1.14. In the above discussion, we did not specify to which parameter the term “polynomial” refers. To formally specify this, we can consider a family of problems indexed by a parameter $k$ and whose respective instances are of size $k$. So, we should consider such a family of $n$-$S_k$-GHID (resp. GHI) problems with some groups $G_k$ and $H_k$ satisfying the above required properties.
Reductions to MSR Problem
Note that finding the coefficients $a_1, \dots, a_s$ in (4.12) suffices to solve the 1-$S$-GHI and 1-$S$-GHID problems with the input $x$. Namely, these coefficients allow one to compute $a_1 h_1 + \cdots + a_s h_s$, which readily gives the answer of the 1-$S$-GHI and 1-$S$-GHID problems. Since the coefficients $a_1, \dots, a_s$ can be found by solving a $(d, S)$-MSR problem on $x$, the $n$-$S$-GHI and $n$-$S$-GHID problems reduce to the $(d, S)$-MSR problem.