Appendix 1: Proof of Theorem 7
We split the theorem in several lemmas.
Lemma 15
\((k+1)\text{- }\textsf {PDDH} \Rightarrow k\text{- }\textsf {Casc}\).
Proof
The idea of the proof is that an instance of the \((k+1)\text{- }\textsf {PDDH}\) problem can be viewed as an instance of the \(\mathcal {C}\)-\(\textsf {MDDH}\) problem with a non-uniform distribution of \(\vec {w}\). A suitable re-randomization of \(\vec {w}\) yields the result. Let \((\mathcal {G},[x_1],\ldots ,[x_{k+1}],[z])\) be a \((k+1)\text{- }\textsf {PDDH}\) instance with either \(z\in \mathbb {Z}_q\) uniform or \(z=x_1\cdots x_{k+1}\). We will construct a \(k\text{- }\textsf {Casc}\) instance from that, setting \([{{\mathbf {{A}}}}]\) as follows:
$$\begin{aligned} {[}\mathbf {A}]= \left( \begin{array}{ccccc} {[}x_{1}] & [0] & \ldots & [0] & [0] \\ {[}1] & [x_{2}] & \ldots & [0] & [0] \\ {[}0] & [1] & \ddots & & [0] \\ \vdots & & \ddots & & \vdots \\ {[}0] & [0] & \ldots & [1] & [x_{k}] \\ {[}0] & [0] & \ldots & [0] & [1] \end{array}\right) , \end{aligned}$$
Let \([\vec {b}^{\top }]:=\left( (-1)^{k+1}[z],[0],[0],\ldots ,[0],[x_{k+1}]\right) \). Since \({{\mathbf {{A}}}}\) has full rank, \(\vec {b}\) is in the span of the columns of \({{\mathbf {{A}}}}\) if and only if \(\det ({{\mathbf {{A}}}}\Vert \vec {b})= 0\). Since \(\det ({{\mathbf {{A}}}}\Vert \vec {b})= x_1\cdots x_{k+1} - z\), this depends on the distribution of z as desired. To obtain a properly distributed \(k\text{- }\textsf {Casc}\) instance \((\mathcal {G},[{{\mathbf {{A}}}}],[\vec {b}'])\), we set \([\vec {b}'] = [\vec {b}]+\sum _i w_i [\vec {a_i}]\) for uniform \(w_i\in \mathbb {Z}_q\). Clearly, if \(\vec {b}\) is in the span of the columns of \({{\mathbf {{A}}}}\), \(\vec {b}'\) will be a uniform element in the span of the columns of \({{\mathbf {{A}}}}\), whereas if it is not, \(\vec {b}'\) will be uniform in all of \(\mathbb {Z}_q^{k+1}\). \(\square \)
Lemma 16
\((k+1)\text{- }\textsf {EDDH} \Rightarrow k\text{- }\textsf {SCasc}\).
Proof
The proof is analogous to the proof of the preceding Lemma 15. Let \((\mathcal {G},[x],[z])\) be a \((k+1)\text{- }\textsf {EDDH}\) instance with either \(z\in \mathbb {Z}_q\) uniform or \(z=x^{k+1}\). We will construct a \(k\text{- }\textsf {SCasc}\) instance from that, defining \([{{\mathbf {{A}}}}]\) as the following \((k+1)\times k\)-matrix:
$$\begin{aligned} {[}\mathbf {A}]= \left( \begin{array}{ccccc} {[}x] & [0] & \ldots & [0] & [0] \\ {[}1] & [x] & \ldots & [0] & [0] \\ {[}0] & [1] & \ddots & & [0] \\ \vdots & & \ddots & & \vdots \\ {[}0] & [0] & \ldots & [1] & [x] \\ {[}0] & [0] & \ldots & [0] & [1] \end{array}\right) , \end{aligned}$$
Set \([\vec {b}^{\top }]:=\left( (-1)^{k+1}[z],[0],[0],\ldots ,[0],[x]\right) \). As above, \(\vec {b}\) is in the span of the columns of \({{\mathbf {{A}}}}\) if and only if \(z=x^{k+1}\). To obtain a properly distributed \(k\text{- }\textsf {SCasc}\) instance \((\mathcal {G},[{{\mathbf {{A}}}}],[\vec {b}'])\), we set \([\vec {b}']=[\vec {b}]+\sum _i w_i[\vec {a_i}]\) for uniform \(w_i\in \mathbb {Z}_q\). \(\square \)
Lemma 17
In k-linear groups, \(k\text{- }\textsf {Casc} \Rightarrow k\text{- }\textsf {MLDDH}\).
Proof
Assume for the purpose of contradiction that \(k\text{- }\textsf {MLDDH}\) does not hold. To break the \(k\text{- }\textsf {Casc}\) problem, we are given an instance \([{{\mathbf {{A}}}}], [\vec {z}]\), where \({{\mathbf {{A}}}}\leftarrow \mathcal {C}_k\) and we have to distinguish between \(\vec {z} = {{\mathbf {{A}}}}\vec {w}\) for uniform \(\vec {w}\) and uniform \(\vec {z}\). Or, equivalently, we have to test if the determinant of matrix \({{\mathbf {{B}}}}={{\mathbf {{A}}}}||\vec {z}\in \mathbb {Z}_q^{(k+1) \times (k+1)}\) is zero. But \(\det {{\mathbf {{B}}}}\) is just the determinant polynomial of \(k\text{- }\textsf {Casc}\) defined in Sect. 3.3 and explicitly computed in the proof of Theorem 6. Namely,
$$\begin{aligned} \det {{\mathbf {{B}}}} &= \mathfrak {d}(a_1,\ldots ,a_k,z_1,\ldots ,z_{k+1}) = a_1\cdots a_k z_{k+1}-a_1\cdots a_{k-1}z_k + \cdots + (-1)^{k}z_1 \\ &= a_1 \cdots a_k z_{k+1} +R_k(a_1, \ldots , a_k, z_1, \ldots , z_{k+1}), \end{aligned}$$
where \(R_k\) is a polynomial of degree k.
Hence, to test whether \(\det ({{\mathbf {{B}}}})=0\), we compute \([b]_{T_k}=[-R_k(a_1, \ldots , a_k, z_1, \ldots , z_{k+1})]_{T_k}\) using the k-linear map (possible since \(R_k\) has degree k), and then we use the oracle \(k\text{- }\textsf {MLDDH}([a_1], \ldots , [a_k], [z_{k+1}], [b]_{T_k})\) to check if \(a_1 \cdots a_k z_{k+1}=b\), i.e., if \(\det ({{\mathbf {{B}}}})=0\). \(\square \)
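As an added example (not code from the paper), the following Python carries the determinant test behind Lemmas 15 and 17 through over a small constructed prime field \(\mathbb {Z}_q\) for concrete k: it builds the matrix \({{\mathbf {{A}}}}\) of Lemma 15, appends \(\vec {b}\), checks that \(\det ({{\mathbf {{A}}}}\Vert \vec {b})=x_1\cdots x_{k+1}-z\) and that the re-randomized \(\vec {b}'\) lies in the column span exactly when \(\vec {b}\) does, and evaluates the explicit determinant polynomial of Lemma 17 to form the \(k\text{- }\textsf {MLDDH}\) oracle query. The modulus, the sample values and the in-the-clear simulation of the oracle are all constructed for illustration; in the actual reduction \([b]_{T_k}\) is obtained from group elements via the k-linear map.

```python
# Added example (not from the paper): the determinant test behind Lemmas 15 and 17,
# carried out over a small constructed prime field Z_q for concrete k.
import random
from math import prod

Q = 1_000_003  # constructed toy modulus; the paper's q is a cryptographic-size prime


def det_mod(M, q=Q):
    """Determinant of a square matrix over Z_q (Gaussian elimination with modular inverses)."""
    n = len(M)
    M = [[x % q for x in row] for row in M]
    det = 1
    for c in range(n):
        pivot = next((r for r in range(c, n) if M[r][c]), None)
        if pivot is None:
            return 0
        if pivot != c:
            M[c], M[pivot] = M[pivot], M[c]
            det = -det
        det = det * M[c][c] % q
        inv = pow(M[c][c], -1, q)
        for r in range(c + 1, n):
            f = M[r][c] * inv % q
            if f:
                M[r] = [(x - f * y) % q for x, y in zip(M[r], M[c])]
    return det % q


def casc_matrix(a, q=Q):
    """The (k+1) x k matrix of Lemma 15: a_i on the diagonal, 1 on the subdiagonal, 0 elsewhere."""
    k = len(a)
    A = [[0] * k for _ in range(k + 1)]
    for i in range(k):
        A[i][i] = a[i] % q
        A[i + 1][i] = 1
    return A


def append_column(A, v):
    return [row + [x] for row, x in zip(A, v)]


def in_column_span(A, v, q=Q):
    """A has full rank k, so v lies in the span of its columns iff det(A || v) = 0."""
    return det_mod(append_column(A, v), q) == 0


def pddh_to_casc(x, z, q=Q):
    """Lemma 15: turn a (k+1)-PDDH instance (x_1..x_{k+1}, z) into a k-Casc instance (A, b').
    Returns (A, b, b') with b = ((-1)^{k+1} z, 0, ..., 0, x_{k+1}) and b' = b + sum_i w_i a_i."""
    k = len(x) - 1
    A = casc_matrix(x[:k], q)
    b = [(-1) ** (k + 1) * z % q] + [0] * (k - 1) + [x[k] % q]
    w = [random.randrange(q) for _ in range(k)]  # uniform re-randomisation coefficients
    b_prime = [(b[r] + sum(w[i] * A[r][i] for i in range(k))) % q for r in range(k + 1)]
    return A, b, b_prime


def casc_det_poly(a, z, q=Q):
    """The explicit determinant polynomial of Lemma 17:
    d(a, z) = a_1...a_k z_{k+1} - a_1...a_{k-1} z_k + ... + (-1)^k z_1."""
    k = len(a)
    total = 0
    for j in range(k + 1):  # term a_1...a_j * z_{j+1}, with sign (-1)^{k-j}
        total += (-1) ** (k - j) * prod(a[:j]) * z[j]
    return total % q


def mlddh_query(a, z, q=Q):
    """Lemma 17: write det B = a_1...a_k z_{k+1} + R_k, set b = -R_k and ask the k-MLDDH
    oracle whether a_1...a_k z_{k+1} = b.  The oracle is simulated in the clear here
    (constructed stand-in); the reduction itself only holds [b]_T, computed with the
    k-linear map since deg R_k = k."""
    k = len(a)
    leading = prod(a) * z[k] % q
    r_k = (casc_det_poly(a, z, q) - leading) % q
    b = (-r_k) % q
    return leading == b


if __name__ == "__main__":
    x = [3, 5, 7]  # constructed 3-PDDH values x_1, x_2, x_3
    A, b, b_prime = pddh_to_casc(x, prod(x))
    print("real PDDH instance   -> b' in span(A):", in_column_span(A, b_prime))
    A, b, b_prime = pddh_to_casc(x, prod(x) + 1)
    print("random PDDH instance -> b' in span(A):", in_column_span(A, b_prime))
```

Because \(\vec {b}'-\vec {b}\) is always in the column span, membership of \(\vec {b}'\) is decided by \(\vec {b}\) alone, which is why the outcome does not depend on the random \(w_i\) even though \(\vec {b}'\) itself is freshly distributed on each call.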
Lemma 18
\(k\text{- }\textsf {SCasc} \Rightarrow k\text{- }\textsf {Casc}\), \(k\text{- }\textsf {ILin} \Rightarrow k\text{- }\textsf {Lin}\)
Proof
Both implications follow by simple re-randomization arguments. A \(k\text{- }\textsf {SCasc}\) instance \(([a], [a w_1], [w_1+aw_2], \ldots , [w_{k-1}+a w_k], [w_k])\) can be transformed into a \(k\text{- }\textsf {Casc}\) instance by picking \(\alpha _1, \alpha _2,\ldots ,\alpha _{k}\leftarrow \mathbb {Z}_q^*\) and computing \(([a\alpha _1],[a\alpha _2],\ldots ,[a\alpha _k], [a w_1], [\frac{w_1+aw_2}{\alpha _1}], \ldots , [\frac{w_{k-1}+a w_k}{\alpha _1\cdots \alpha _{k-1}}],[\frac{w_k}{\alpha _1\cdots \alpha _k}])\). Similarly, a \(k\text{- }\textsf {ILin}\) instance \(([a], [a w_1],[(a+1)w_2], \ldots , [(a+k-1) w_k], [w_1+\cdots +w_k])\) can be transformed into a \(k\text{- }\textsf {Lin}\) instance by picking random \(\alpha _1,\alpha _2,\ldots ,\alpha _{k}\leftarrow \mathbb {Z}_q^*\) and computing \(([a\alpha _1],[(a+1)\alpha _2],\ldots ,[(a+k-1)\alpha _k], [a w_1\alpha _1],[(a+1)w_2\alpha _2], \ldots , [(a+k-1) w_k\alpha _k], [w_1+\cdots +w_k])\). \(\square \)
Lemma 19
\(k\text{- }\textsf {Casc} \Rightarrow (k+1)\text{- }\textsf {Casc}\), \(k\text{- }\textsf {SCasc} \Rightarrow (k+1)\text{- }\textsf {SCasc}\)
Proof
To show the first implication, we transform a given instance of the \(k\text{- }\textsf {Casc}\) problem \(\mathcal {D}_1=([a_1],\ldots ,[a_k], [a_1 w_1], [w_1+a_2w_2], \ldots , [w_{k-1}+a_k w_k], [w_k])\) into an instance of the \((k+1)\text{- }\textsf {Casc}\) problem by picking uniform \(w_{k+1} \leftarrow \mathbb {Z}_q\) and \([a_{k+1}] \leftarrow \mathbb {G}\) and computing \(\mathcal {D}_2=([a_1],\ldots ,[a_{k+1}],[a_1 w_1], [w_1+a_2w_2], \ldots , [w_{k-1}+a_k w_k], [w_k+a_{k+1} w_{k+1}], [w_{k+1}])\). Note that \(\mathcal {D}_2\) is pseudo-random if and only if \(\mathcal {D}_1\) is pseudo-random. The same reduction also works in the symmetric case. \(\square \)
Appendix 2: Proofs for the Generic Hardness results
In this section, we give the remaining proofs for the results on the \(\mathcal {D}_{\ell ,k}\)-\(\textsf {MDDH}\) assumption in generic m-linear groups from Sect. 3.3. We refer the reader to, e.g., [11] for the necessary background on the algebraic material used in this section, such as polynomial rings, ideals, Gröbner bases, varieties and irreducibility. Note that in this paper irreducibility is not implicit in the definition of a variety.
Recall that our setup is that \(\mathcal {D}_{\ell ,k}\) is a matrix distribution which outputs \(a_{i,j}=\mathfrak {p}_{i,j}(\vec {t})\) for uniform \(\vec {t}\in \mathbb {Z}_q^d\) and possibly multivariate polynomials \(\mathfrak {p}_{i,j}\), whose degree does not depend on \(\lambda \) and hence not on q. The distributions \(([{{\mathbf {{A}}}}],[\vec {z}]=[{{\mathbf {{A}}}}\vec {\omega }])\) respectively \(([{{\mathbf {{A}}}}],[\vec {z}]=[\vec {u}])\) for \({{\mathbf {{A}}}}\leftarrow \mathcal {D}_{\ell ,k},\vec {\omega }\leftarrow \mathbb {Z}_q^k,\vec {u}\leftarrow \mathbb {Z}_q^\ell \) are denoted by \(\mathcal {D}^0\) respectively \(\mathcal {D}^1\). In order to describe all of these data, we consider the polynomial ring \(\mathcal {R}=\mathbb {Z}_q[\vec {A},\vec {Z},\vec {T},\vec {W}]\), introducing formal variables \(\vec {A}=A_{1,1},\ldots ,A_{\ell ,k}\) to describe the matrix \({{\mathbf {{A}}}}\), \(\vec {Z}=Z_1,\ldots ,Z_\ell \) to describe the vector \(\vec {z}\), \(\vec {T}=T_1,\ldots T_d\) for some d to describe the underlying t’s used to sample the \(a_{i,j}\)’s via \(a_{i,j}=\mathfrak {p}_{i,j}(\vec {t})\), and formal variables \(\vec {W}=W_1,\ldots ,W_k\) to describe \(\vec {\omega }\) (which only appears in \(\mathcal {D}^0\)). Note that we write \(\vec {A}\) as shorthand for the collection of all \(A_{i,j}\)’s if the structure as a matrix is not crucial. Furthermore, we write \({{\mathbf {{A}}}}= \varvec{\mathfrak {p}}(\vec {t})\) or \(\vec {a} = \vec {\mathfrak {p}}(\vec {t})\), meaning that \(a_{i,j}=\mathfrak {p}_{i,j}(\vec {t})\). We further consider the polynomial subring \(\mathcal {S}=\mathbb {Z}_q[\vec {A},\vec {Z}]\subset \mathcal {R}\) to describe the publicly known expressions. We can now encode our distributions \(\mathcal {D}^0\) and \(\mathcal {D}^1\) by polynomials in the following way: let \(\mathfrak {f}_{i,j} =A_{i,j}-\mathfrak {p}_{i,j}(\vec {T})\) and \(\mathfrak {g}_i=Z_i - \sum _j \mathfrak {p}_{i,j}(\vec {T})W_j\). Let \(G_0\) be the set of all \(\mathfrak {f}\)’s and \(\mathfrak {g}\)’s, whereas \(G_1\) only consists of the \(\mathfrak {f}\)’s, but not the \(\mathfrak {g}\)’s.
The generators \(G_b\) span the ideals \(\mathcal {I}_b\) over \(\mathcal {R}\), which encode all the relations in \(\mathcal {D}^b\) for \(b\in \{0,1\}\). Of course, \(\mathcal {I}_1\subset \mathcal {I}_0\).
We consider \(\mathcal {J}_b=\mathcal {I}_b\cap \mathcal {S}\), which are ideals in \(\mathcal {S}\) encoding the relations between the known data. We will show that \((\mathcal {J}_b)_{\le m}\), where \(_{\le m}\) denotes restriction to total degree at most m, captures exactly what can be generically computed by an adversary performing only polynomially many group and m-linear pairing operations:
Appendix 2.1: Proof of Theorem 3
Let \(\mathcal {D}_{\ell ,k}\) be a matrix distribution with polynomial defining equations and \(\mathcal {I}_0,\mathcal {I}_1\) be as above. Then the \(\mathcal {D}_{\ell ,k}\)-\(\textsf {MDDH}\) assumption holds in generic m-linear groups if and only if \(\mathcal {J}_0\) and \(\mathcal {J}_1\) are equal up to total degree m, i.e., \((\mathcal {J}_0)_{\le m}= (\mathcal {J}_1)_{\le m}\).
Proof
The proof is analogous to the one from [2, 9], apart from being stated more algebraically. Let D be a ppt distinguisher with input from \(\mathcal {D}^b\) for either \(b=0\) or \(b=1\). Let \(\kappa =\text {poly}(\lambda )\) be an upper bound on the number of D’s oracle queries and initial input group elements. We will replace the oracles D has access to, show that this replacement can only be detected with negligible probability and show that D’s advantage with the replaced oracles is zero.
Our replacement of D’s oracles is as follows: We replace (the random representation of) \(\mathbb {G}\) and its associated oracles by (a random representation of) the quotient \(Q=\mathcal {R}/\mathcal {I}_b\). Similarly \(\mathbb {G}_T\) is replaced by an isomorphic copy \(Q'\) of \(\mathcal {R}/\mathcal {I}_b\) (with another random representation independent from the one for \(\mathbb {G}\)). The oracle for e is replaced by an oracle computing the product in Q and outputting the (representation of the) associated element in \(Q'\). The initial elements \([a_{i,j}]\) respectively \([z_i]\) are replaced by \(\pi (A_{i,j})\in Q\) respectively \(\pi (Z_i)\in Q\), where \(\pi \) respectively \(\pi '\) denotes the projection \(\pi :\mathcal {R}\rightarrow Q\) respectively \(\pi ':\mathcal {R}\rightarrow Q'\). The generators g and \(g_T\) are replaced by \(\pi (1)\in Q\) and \(\pi '(1)\in Q'\). The representations of Q and \(Q'\) are as usual defined on demand by keeping a list of all elements queried so far and choosing random representations for new elements; queries with representations as input that have not been previously defined produce an invalid answer \(\perp \), as do queries using the wrong isomorphic copy and/or mixing them. Note that we assume here that in the random group model the representations are sufficiently long, say a generous \(\ge 5\log q\), such that representations are hard to guess and the sets of representations for \(\mathbb {G}\) and \(\mathbb {G}_T\) are disjoint with overwhelming probability.
By Buchberger’s First Criterion [11], the given generating set \(G_b\) is actually a Gröbner basis with respect to any lexicographic ordering, where any \(Z_i\)’s are larger than any \(A_{i,j}\)’s and both are larger than any \(T_i\)’s or \(W_i\)’s. We identify elements from \(\mathcal {R}/\mathcal {I}_b\) by their remainders modulo \(G_b\). Note that computing this remainder just means replacing any occurrence of \(A_{i,j}\) by \(\mathfrak {p}_{i,j}\) and, if \(b=0\), additionally replacing \(Z_i\) by \(\sum _j \mathfrak {p}_{i,j}W_j\).
After D has run, we sample \(\vec {t}\leftarrow \mathbb {Z}_q^d,\vec {\omega }\leftarrow \mathbb {Z}_q^k, \vec {u}\leftarrow \mathbb {Z}_q^\ell \). For any remainder \(\mathfrak {h}\in Q\), define \(\mathrm {ev}(\mathfrak {h})\) as \(\mathrm {ev}(\mathfrak {h})=[\mathfrak {h}(0,\vec {u},\vec {t},\vec {\omega })]\in \mathbb {G}\), where we plug in \(\vec {u}\) for \(\vec {Z}\), \(\vec {t}\) for \(\vec {T}\) and \(\vec {\omega }\) for \(\vec {W}\). Note that there are no \(A_{i,j}\)’s in \(\mathfrak {h}\) and in the case \(b=0\) no \(Z_i\)’s occur either. For \(\mathfrak {h}'\in Q'\), we define \(\mathrm {ev}(\mathfrak {h'})\in \mathbb {G}_T\) analogously.
Since D can only apply e in Q, but not in \(Q'\), any element seen in Q by D can be written as a sum of elements initially presented to D. Elements seen in \(Q'\) can be written as sums of m-fold products of such elements. So let \(\mathfrak {k}_1,\ldots ,\mathfrak {k}_r\in \mathcal {S}_{\le 1}\) and \(\mathfrak {k}'_1,\ldots ,\mathfrak {k}'_{r'}\in \mathcal {S}_{\le m}\) with \(r+r'\le \kappa \) be the elements constructed by D. Let \(\mathfrak {h}_i:=\mathfrak {k}_i \hbox { mod } \mathcal {I}_b \in Q\) and \(\mathfrak {h}'_i:=\mathfrak {k}'_i \hbox { mod }\mathcal {I}_b\in Q'\). The distinct elements among the \(\mathfrak {h}_i\) and \(\mathfrak {h}'_i\) are exactly the distinct elements from Q respectively \(Q'\) seen by D, whereas the \(\mathfrak {k}_i\) and \(\mathfrak {k}'_i\) keep track of how D constructed those. Note that the \(\hbox {mod } \mathcal {I}_b\) map need not be injective on \(\mathcal {S}_{\le m}\).
Since computing \(\hbox {mod } \mathcal {I}_b\) is just a replacement of each \(A_{i,j}\) and possibly \(Z_i\) by a polynomial of degree at most \(\mathrm {deg}+1\), the total degree of all remainders \(\mathfrak {h}_i\) and \(\mathfrak {h}'_i\) is bounded by the constant \((\mathrm {deg}+1)^m\), where \(\mathrm {deg}\) is the upper bound on the total degree of the \(\mathfrak {p}_{i,j}\), which is independent of the security parameter \(\lambda \) by assumption. Let \(\mathtt {Good}\) denote the event that for all \(\mathfrak {h}_i\ne \mathfrak {h}_j\) we have \(\mathrm {ev}(\mathfrak {h}_i)\ne \mathrm {ev}(\mathfrak {h}_j)\) and for all \(\mathfrak {h}'_i\ne \mathfrak {h}'_j\) we have \(\mathrm {ev}(\mathfrak {h}'_i)\ne \mathrm {ev}(\mathfrak {h}'_j)\). By construction, if \(\mathtt {Good}\) occurs, the view of D with the replaced oracles is identical to the view D would have had with access to the original oracles. Since each such equality \(\mathrm {ev}(\mathfrak {h}_i)=\mathrm {ev}(\mathfrak {h}_j)\) or \(\mathrm {ev}(\mathfrak {h}'_i) = \mathrm {ev}(\mathfrak {h}'_j)\) is a nonzero polynomial equation of total degree at most \((\mathrm {deg}+1)^m\) in uniformly chosen unknowns from \(\mathbb {Z}_q\), each one holds only with probability at most \(\frac{(\text {deg}+1)^m}{q}=\text {negl}(\lambda )\). Since there are only polynomially many pairs \(i\ne j\), \(\mathtt {Good}\) occurs with overwhelming probability of at least \(1-\frac{\kappa (\kappa -1)(\text {deg}+1)^m}{2q}\). Furthermore, D’s view can only depend on b if we have \(\mathfrak {k}_i - \mathfrak {k}_j \equiv 0 \hbox { mod } \mathcal {I}_0\) but \(\mathfrak {k}_i - \mathfrak {k}_j \not \equiv 0 \hbox { mod } \mathcal {I}_1\) (or the analogous condition in \(Q'\)) for some elements \(\mathfrak {k}_i,\mathfrak {k}_j\) constructed by D. We know that any \(\mathfrak {k}_i\) or \(\mathfrak {k}'_i\) is in \(\mathcal {S}_{\le m}\).
So, since \(\mathcal {I}_0\cap \mathcal {S}_{\le m}=(\mathcal {J}_0)_{\le m}=(\mathcal {J}_1)_{\le m}=\mathcal {I}_1\cap \mathcal {S}_{\le m}\), D’s view (with the replaced oracles) does not depend on b.
For the other direction of the theorem, note that if there exists \(\mathfrak {k}\in (\mathcal {J}_0)_{\le m}\setminus (\mathcal {J}_1)_{\le m}\) then it is easy to construct a ppt distinguisher D that computes \(h=[\mathfrak {k}(a_{i,j},z_i)]_T\in \mathbb {G}_T\). If \(b=0\), we always have \(h=[0]_T\) whereas if \(b=1\), we have \(h=[0]_T\) only with probability at most \(\frac{(\mathrm {deg}+1)^m}{q}=\text {negl}(\lambda )\). \(\square \)
The ideals \(\mathcal {J}_0\) and \(\mathcal {J}_1\) can be computed from \(\mathcal {I}_0\) and \(\mathcal {I}_1\) using elimination theory. If we use Gröbner bases for that, the condition \((\mathcal {J}_0)_{\le m}=(\mathcal {J}_1)_{\le m}\) can be rephrased as follows:
Lemma 20
Let notation be as before and \(m>0\). Let \(<\) be an elimination order on the monomials of \(\mathcal {R}\) such that any monomial containing any \(T_{i}\) or \(W_i\) is larger than any monomial from \(\mathcal {S}\). Further assume that, restricted to the monomials of \(\mathcal {S}\), \(<\) sorts by total degree first. Let \(H_0\) respectively \(H_1\) be reduced Gröbner bases for \(\mathcal {I}_0\) respectively \(\mathcal {I}_1\) w.r.t. \(<\). Then the following are equivalent:
1. \((\mathcal {J}_0)_{\le m}=(\mathcal {J}_1)_{\le m}\)
2. \(H_0\cap \mathcal {S}_{\le m} = H_1\cap \mathcal {S}_{\le m}\)
3. \(H_0\cap \mathcal {S}_{\le m}\) does not involve any \(Z_i\)’s.
4. There exists a not necessarily reduced Gröbner basis \(H'_0\) for \(\mathcal {I}_0\) such that \(H'_0\cap \mathcal {S}_{\le m}\) does not involve any \(Z_i\)’s.
Proof
First, note that by the elimination theorem of Gröbner bases [11], \(\mathcal {J}_b\) is an ideal over \(\mathcal {S}\) with reduced Gröbner basis \(H_b\cap \mathcal {S}\).
\((1)\Rightarrow (2):\) Assume \((\mathcal {J}_0)_{\le m}=(\mathcal {J}_1)_{\le m}\). Let \(\mathfrak {h}\in H_0\cap \mathcal {S}_{\le m}\), but assume toward a contradiction \(\mathfrak {h}\notin H_1\cap \mathcal {S}_{\le m}\). Since \(\mathfrak {h}\in \mathcal {I}_1\cap \mathcal {S}_{\le m}\), there must be some \(\mathfrak {k}\in H_1\cap \mathcal {S}, \mathfrak {k}\ne \mathfrak {h}\) such that the leading term of \(\mathfrak {k}\) divides the leading term of \(\mathfrak {h}\). By assumption, \(<\) sorts by total degree first, so the total degree of \(\mathfrak {k}\) is at most m. Hence \(\mathfrak {k}\in \mathcal {I}_0\cap \mathcal {S}_{\le m}\) with leading term dividing that of \(\mathfrak {h}\), contradicting the reducedness of \(H_0\cap \mathcal {S}\). The other inclusion \(H_1\cap \mathcal {S}_{\le m}\subset H_0\cap \mathcal {S}_{\le m}\) is analogous.
\((2)\Rightarrow (3):\) \(H_1\) does not involve any \(Z_i\)’s, since the generating set \(G_1\) does not.
\((3)\Rightarrow (4):\) Obvious.
\((4)\Rightarrow (1):\) Assume \(H'_0\cap \mathcal {S}_{\le m}\) does not involve any \(Z_i\). We first show that for any \(\mathfrak {h}\in H'_0\cap \mathcal {S}_{\le m}\) we have \(\mathfrak {h}\in \mathcal {I}_1\). To see this, write \(\mathfrak {h}=\sum _{i,j}\mathfrak {c}_{i,j}\mathfrak {f}_{i,j} + \sum _i \mathfrak {d}_i \mathfrak {g}_i\) as a linear combination in our original generators \(G_0\) with polynomial coefficients \(\mathfrak {c}_{i,j},\mathfrak {d}_i\in \mathcal {R}\). Plugging in 0 for all \(W_i\)’s and \(Z_i\)’s into this equation does not affect \(\mathfrak {h}\) by assumption and eliminates all \(\mathfrak {g}_i\), so we obtain \(\mathfrak {h}=\sum _{i,j}\mathfrak {c}'_{i,j}\mathfrak {f}_{i,j}\) for some \(\mathfrak {c}'_{i,j}\) showing \(\mathfrak {h}\in \mathcal {I}_1\).
Now let \(\mathfrak {k}\in \mathcal {I}_0\cap \mathcal {S}_{\le m}=(\mathcal {J}_0)_{\le m}\) be arbitrary. Since \(H'_0\cap \mathcal {S}\) is a Gröbner basis w.r.t. \(<\), which sorts by total degree first, we have \(\mathfrak {k}=\sum _i \mathfrak {e}_i\mathfrak {h_i}\) for some \(\mathfrak {e}_i\in \mathcal {S}\) and \(\mathfrak {h}_i\in H'_0\cap \mathcal {S}_{\le \deg \mathfrak {k}}\). Since we have shown that all the \(\mathfrak {h_i}\) that appear here are in \(\mathcal {I}_1\), we have \(\mathfrak {k}\in \mathcal {I}_1\), showing \((\mathcal {J}_0)_{\le m}\subset (\mathcal {J}_1)_{\le m}\). The other inclusion is trivial. \(\square \)
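As an added worked example of Theorem 3 and Lemma 20 (not part of the original appendix), take the smallest cascade case \(k=1\), \(\ell =2\), \(d=1\): \({{\mathbf {{A}}}}=(a,1)^{\top }\) with \(a=t\) for uniform \(t\), so \(\mathfrak {p}_{1,1}=T\) and \(\mathfrak {p}_{2,1}=1\), and \(\mathcal {D}^0\) is \(([a],[aw],[w])\), i.e., the DDH distribution. The generating sets are
$$\begin{aligned} G_1=\{A_{1,1}-T,\; A_{2,1}-1\},\qquad G_0=G_1\cup \{Z_1-TW_1,\; Z_2-W_1\}. \end{aligned}$$
Eliminating \(T\) and \(W_1\) from \(\mathcal {I}_0\) produces exactly one relation among the public variables,
$$\begin{aligned} Z_1-A_{1,1}Z_2 = (Z_1-TW_1) - A_{1,1}(Z_2-W_1) - W_1(A_{1,1}-T)\in \mathcal {I}_0\cap \mathcal {S}, \end{aligned}$$
so that, for an elimination order as in Lemma 20, \(H_0\cap \mathcal {S}=\{A_{2,1}-1,\; Z_1-A_{1,1}Z_2\}\) while \(H_1\cap \mathcal {S}=\{A_{2,1}-1\}\). For \(m=1\) the two sets agree on \(\mathcal {S}_{\le 1}\) (condition (2) of Lemma 20), since the only element involving a \(Z_i\) has total degree 2; hence \((\mathcal {J}_0)_{\le 1}=(\mathcal {J}_1)_{\le 1}\) and the assumption holds in generic 1-linear groups. For \(m=2\) we have \(\mathfrak {k}=Z_1-A_{1,1}Z_2\in (\mathcal {J}_0)_{\le 2}\setminus (\mathcal {J}_1)_{\le 2}\), and the distinguisher from the second half of the proof of Theorem 3 computes \(h=[z_1]_T-e([a],[z_2])\in \mathbb {G}_T\), which is \([0]_T\) always if \(b=0\) and only with probability \(1/q\) if \(b=1\). This matches the expected behaviour of DDH in generic groups with and without a bilinear map.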
Appendix 2.2: Proof of Theorem 4 and Generalizations
Theorem 4 will follow as a corollary from the following lemma, which is a generalization to nonlinear \(\mathfrak {p}_{i,j}\) and non-irreducible \(\mathfrak {d}\):
Lemma 21
Let notation be as before. We assume that \(\ell =k+1\) and \({{\mathbf {{A}}}}\) can be full rank for some values of \(\vec {t}\). Let \(\mathfrak {d}\) be the determinant of \((\varvec{\mathfrak {p}}(\vec {T})\Vert \vec {Z})\) as a polynomial in \(\vec {Z},\vec {T}\) and consider the ideal \(\mathcal {J}:=\mathcal {I}_0\cap \mathbb {Z}_q[\vec {A},\vec {Z},\vec {T}]\) over \(\mathbb {Z}_q[\vec {A},\vec {Z},\vec {T}]\). Then there exists a unique (up to scalar) decomposition \(\mathfrak {d}=\mathfrak {c}\cdot \mathfrak {d}_0\) over \(\mathbb {Z}_q\), where \(\mathfrak {c}\) only involves the \(\vec {T}\) and \(\mathfrak {d}_0\) is irreducible over the algebraic closure \(\overline{\mathbb {Z}_q}\). Furthermore, \(\mathcal {J}\) is generated by \(G_1\) and \(\mathfrak {d}_0\).
Proof
Since \({{\mathbf {{A}}}}\) can be full rank, there exists some \(\vec {z},\vec {t}\) with \(\mathfrak {d}(\vec {z},\vec {t})\ne 0\), so \(\mathfrak {d}\) is not the zero polynomial. For the existence and uniqueness of \(\mathfrak {c}\) and \(\mathfrak {d}_0\), consider the (up to scalar) unique decomposition \(\mathfrak {d}=\mathfrak {c}_1^{e_1}\mathfrak {c}_2^{e_2}\cdots \mathfrak {c}_s^{e_s}\) of \(\mathfrak {d}\) into distinct irreducible polynomials \(\mathfrak {c}_i\) in \(\overline{\mathbb {Z}_q}[\vec {Z},\vec {T}]\). Since \(\mathfrak {d}\) is linear in the \(Z_i\)’s, only one factor, w.l.o.g. \(\mathfrak {c}_s\) with \(e_s=1\), can contain any of the \(Z_i\)’s. Note that this implies that \(\mathfrak {c}_s\) is linear in the \(Z_i\)’s as well. So we have the up to scalar unique decomposition \(\mathfrak {d}(\vec {Z},\vec {T})=\mathfrak {c}(\vec {T})\mathfrak {d}_0(\vec {Z},\vec {T})\) with \(\mathfrak {d}_0=\mathfrak {c}_s\) and \(\mathfrak {c}=\mathfrak {c}_1^{e_1}\cdots \mathfrak {c}_{s-1}^{e_{s-1}}\), which has the desired properties, provided that \(\mathfrak {d}_0\) and \(\mathfrak {c}\) actually have coefficients in the base field \(\mathbb {Z}_q\) rather than \(\overline{\mathbb {Z}_q}\).
To show the latter, write \(\mathfrak {d}=\sum _i \mathfrak {a}_i Z_i\) with \(\mathfrak {a}_i\in \mathbb {Z}_q[\vec {T}]\). By construction, \(\mathfrak {c}\) divides \(\mathfrak {d}\) and \(\mathfrak {c}\) involves no \(\vec {Z}\). Plugging in \(Z_i=1\) for \(i=i_0\) and \(Z_i=0\) for \(i\ne i_0\) into \(\mathfrak {d}=\mathfrak {c}\cdot \mathfrak {d}_0\) shows that \(\mathfrak {c}\), and consequently \(\mathfrak {c}_j^{e_j}\), divides \(\mathfrak {a}_{i_0}\). So, for all \(1\le i \le \ell , 1\le j \le s-1\) we have \(\mathfrak {a}_i = \mathfrak {c}_j^{e_j}\cdot \mathfrak {b}_{i,j}\) for some \(\mathfrak {b}_{i,j}\in \overline{\mathbb {Z}_q}[\vec {T}]\) and indeed \(\mathfrak {c}\) is nothing but the \(\gcd \) of the \(\mathfrak {a}_i\). Since \(\mathfrak {a}_i\in \mathbb {Z}_q[\vec {T}]\), it follows that \(\sigma (\mathfrak {a}_i)=\mathfrak {a}_i = \sigma (\mathfrak {c}_j)^{e_j}\cdot \sigma (\mathfrak {b}_{i,j})\), where \(\sigma \) is the (coefficient-wise) Frobenius. So \(\sigma (\mathfrak {c}_j)^{e_j}\) divides each \(\mathfrak {a}_i\), hence every Frobenius-conjugate must appear (up to scalar) in the decomposition \(\mathfrak {c}=\mathfrak {c}_1^{e_1}\cdots \mathfrak {c}_{s-1}^{e_{s-1}}\) with the same multiplicity. This shows that we can choose \(\mathfrak {c}\in \mathbb {Z}_q[\vec {T}]\) after adjusting scalars. It follows that \(\mathfrak {d}_0=\tfrac{\mathfrak {d}}{\mathfrak {c}}\) is also in the base field.
For the second part of the lemma, we first observe that both ideals \(\mathcal {I}_0\) and \(\mathcal {I}_1\) are radical: Since they can be generated by polynomials of the form \(A_{i,j} - \mathfrak {p}_{i,j}(\vec {T}), Z_{i} - \mathfrak {q}_i(\vec {T},\vec {W})\) expressing one set of variables as functions of another disjoint set of variables, the quotient \(\mathcal {R}/\mathcal {I}_0\) respectively \(\mathcal {R}/\mathcal {I}_1\) is isomorphic to \(\mathbb {Z}_q[\vec {T},\vec {W}]\) respectively \(\mathbb {Z}_q[\vec {Z},\vec {T},\vec {W}]\). Since these quotients have no nilpotent elements, the ideals \(\mathcal {I}_0,\mathcal {I}_1\) are radical. It follows that \(\mathcal {J}\) is radical, since intersection with a polynomial subring preserves being radical. Since \(\mathfrak {d}_0\) is irreducible, the quotient \(\mathbb {Z}_q[\vec {A},\vec {Z},\vec {T}]/(G_1,\mathfrak {d}_0)\), which is isomorphic to \(\mathbb {Z}_q[\vec {Z},\vec {T}]/(\mathfrak {d}_0)\), contains no nilpotent elements, hence the ideal generated by \(\mathcal {I}_1\) and \(\mathfrak {d}_0\) in \(\mathbb {Z}_q[\vec {A},\vec {Z},\vec {T}]\) is radical. It thus suffices to consider the corresponding varieties (all varieties are over the algebraic closure \(\overline{\mathbb {Z}_q}\)) \(V(G_1,\mathfrak {d}_0)\) and \(V(\mathcal {J})\) by the Nullstellensatz. Let \(V(\mathcal {I}_1)\) be the variety associated with \(\mathcal {I}_1\). By the Closure Theorem [11], the variety \(V(\mathcal {J})\) associated with \(\mathcal {J}\) is given by the Zariski closure of \(\{(\vec {a},\vec {z},\vec {t})\in V(\mathcal {I}_1)\mid \exists \vec {\omega },\text { s.t.}\, z_i=\sum _j \omega _j a_{i,j} \}\). Let us start by showing \(V(G_1,\mathfrak {d}_0)\subset V(\mathcal {J})\):
If for some value of \(\vec {t}\), \(\mathfrak {c}(\vec {t})=0\), then \(\det (\varvec{\mathfrak {p}}(\vec {t})\Vert \vec {z})=0\) for all values of \(\vec {z}\), hence \(\varvec{\mathfrak {p}}(\vec {t})\) has rank \(<k\). Consider the variety \(V_\text {bad}\) of all \((\vec {a},\vec {z},\vec {t})\in V(\mathcal {I}_1)\) such that \({{\mathbf {{A}}}}= (a_{i,j})\) has rank \(<k\), which is indeed an algebraic set (consider \(\det ({{\mathbf {{A}}}}\Vert \vec {e}_i)=0\) for canonical basis vectors \(\vec {e}_i\)) and \(V_\text {bad}\supset V(\mathfrak {c},\mathcal {I}_1)\). Outside of this bad set, \({{\mathbf {{A}}}}=\varvec{\mathfrak {p}}(\vec {t})\) has full rank k and hence there exists \(\vec {\omega }\) such that \(\vec {z}={{\mathbf {{A}}}}\cdot \vec {\omega }\) if and only if \(\det ({{\mathbf {{A}}}}\Vert \vec {z})=0\), or equivalently, since \(\mathfrak {c}(\vec {t})\ne 0\), \(\mathfrak {d}_0(\vec {z},\vec {t})=0\). It follows that \(V(G_1,\mathfrak {d}_0)\setminus V_\text {bad} \subset V(\mathcal {J})\). By the same argument as in the previous paragraph, since \(\mathfrak {d}_0\) is irreducible over \(\overline{\mathbb {Z}_q}\), the quotient \(\overline{\mathbb {Z}_q}[\vec {A},\vec {Z},\vec {T}]/(G_1,\mathfrak {d}_0)\cong \overline{\mathbb {Z}_q}[\vec {Z},\vec {T}]/(\mathfrak {d}_0)\) has no zero divisors and so \(V(G_1,\mathfrak {d}_0)\) is irreducible. Since \((\vec {a},\vec {0},\vec {t})\in V(G_1,\mathfrak {d}_0)\) for any \(\vec {t}\) with \(\varvec{\mathfrak {p}}(\vec {t})\) full rank, we have \(V_\text {bad}\nsupseteq V(G_1,\mathfrak {d}_0)\). From this and the irreducibility of \(V(G_1,\mathfrak {d}_0)\), we can then deduce that the Zariski closure of \(V(G_1,\mathfrak {d}_0)\setminus V_\text {bad} \subset V(\mathcal {J})\) is all of \(V(G_1,\mathfrak {d}_0)\), so we have \(V(G_1,\mathfrak {d}_0)\subset V(\mathcal {J})\).
For the other direction, consider \((\vec {a},\vec {z},\vec {t})\) such that \(\vec {a}=\vec {\mathfrak {p}}(\vec {t})\) and there exists \(\vec {\omega }\) with \(z_i=\sum _j \omega _j a_{i,j}\). We need to show \(\mathfrak {d}_0(\vec {z},\vec {t})=0\). For this, note that \(\det (\varvec{\mathfrak {p}}(\vec {T})\Vert \sum _j W_j \mathfrak {p}_{i,j}(\vec {T}))\) is the zero polynomial. So \(\mathfrak {d}(\sum _j W_j\mathfrak {p}_{i,j}(\vec {T}),\vec {T})=\mathfrak {c}(\vec {T})\cdot \mathfrak {d}_0(\sum _j W_j\mathfrak {p}_{i,j}(\vec {T}))\) is the zero polynomial. Since \(\mathfrak {c}(\vec {T})\) is not the zero polynomial, as otherwise \(\mathfrak {d}(\vec {Z},\vec {T})\) would be the zero polynomial, we have that \(\mathfrak {d}_0(\sum _j W_j\mathfrak {p}_{i,j}(\vec {T}),\vec {T})\) is the zero polynomial. It follows that \(\mathfrak {d}_0(\vec {z},\vec {t})=\mathfrak {d}_0(\sum _j \omega _j \mathfrak {p}_{i,j}(\vec {t}),\vec {t})=0\), finishing the proof of \(V(G_1,\mathfrak {d}_0)\supset V(\mathcal {J})\). \(\square \)
This lemma allows us to easily prove Theorem 4, which states:
Let \(\ell =k+1\) and \(\mathcal {D}_{k+1,k}\) be a matrix distribution, which outputs matrices \({{\mathbf {{A}}}}=\varvec{\mathfrak {p}}(\vec {t})\) for uniform \(\vec {t}\). Let \(\mathfrak {d}\) be the determinant of \((\varvec{\mathfrak {p}}(\vec {T})\Vert \vec {Z})\) as a polynomial in \(\vec {Z},\vec {T}\).
1. If the matrices output by \(\mathcal {D}_{k+1,k}\) always have full rank (not just with overwhelming probability), even for \(t_i\) from the algebraic closure \(\overline{\mathbb {Z}_q}\), then \(\mathfrak {d}\) is irreducible over \(\overline{\mathbb {Z}_q}\).
2. If all \(\mathfrak {p}_{i,j}\) have degree at most 1, \(\mathfrak {d}\) is irreducible over \(\overline{\mathbb {Z}_q}\) and the total degree of \(\mathfrak {d}\) is \(k+1\), then the \(\mathcal {D}_{k+1,k}\)-\(\textsf {MDDH}\) assumption holds in generic k-linear groups.
Proof
Let notation be as in the lemmas above.
(1): If \(\mathfrak {c}\) is non-constant, it would have some roots \((\vec {z},\vec {t})\) in \(\overline{\mathbb {Z}_q}\). At these roots \(\varvec{\mathfrak {p}}(\vec {t})\) can’t have full rank, since \(\det (\varvec{\mathfrak {p}}(\vec {t})\Vert \vec {z})=0\) for all \(\vec {z}\). Hence \(\mathfrak {d}=\mathfrak {d}_0\), which is irreducible over \(\overline{\mathbb {Z}_q}\).
(2): W.l.o.g. we may assume that \(\vec {\mathfrak {p}}\) is injective (otherwise we drop some T-variables), so we can express the \(T_i\)’s as linear polynomials in the \(A_{i,j}\)’s. Computing a Gröbner basis (for an appropriate elimination ordering) for \(\mathcal {J}_0 = \mathcal {J}\cap \mathcal {S}\) from \(\mathcal {J}\) just means expressing all \(T_i\)’s by \(A_{i,j}\)’s. Since \(\mathcal {J}\) is generated by \(\mathfrak {d}=\mathfrak {d}_0\) and \(G_1\) by the above Lemma 21, a Gröbner basis for \(\mathcal {J}_0\) is just given by \(G_1\) and \(\mathfrak {d}\), expressed by the \(A_{i,j}\)’s. Since this invertible linear variable substitution does not change total degree, the theorem follows. \(\square \)
Appendix 3: Proof of Theorem 10
The proof is rather technical because we need an explicit construction of a sequence of subspaces with special properties. The key idea is to use a consequence of Lemma 9: for any nontrivial subspace \(U\subset \mathbb {Z}_q^k\), \(\dim (f_0(U)+f_1(U)) > \dim U\), and for any nontrivial subspace \(V\subset f_0(\mathbb {Z}_q^k)\cap f_1(\mathbb {Z}_q^k)\), \(\dim (f_0^{-1}(V)+f_1^{-1}(V)) > \dim V\). This allows us to build a sequence of subspaces with strictly increasing dimensions having some interesting properties. We will then use these subspaces to build the bases claimed in the theorem.
Consider the following sequences of subspaces, for a suitable value of \(m\in \mathbb {Z}\)
$$\begin{aligned} U_1\subset U_2 \subset \cdots \subset U_m = \mathbb {Z}_q^k\;; \qquad V_1\subset V_2 \subset \cdots \subset V_m \subset \mathbb {Z}_q^{k+1} \end{aligned}$$
such that \(V_i = f_0(U_i)\cap f_1(U_i)\) and \(U_{i-1} = f_0^{-1}(V_i)\cap f_1^{-1}(V_i)\). The sequences are well defined because we know that \(V_i\subset f_0(U_i)\) and \(U_{i-1}\subset f_0^{-1}(V_i)\), and then \(U_{i-1}\subset f_0^{-1}(V_i)\subset f_0^{-1}(f_0(U_i)) = U_i\), since \(f_0\) is injective, and similarly \(V_{i-1}\subset f_0(U_{i-1})\subset f_0(f_0^{-1}(V_i)) \subset V_i\). On the other hand, from the injectivity of the maps \(\dim U_i = \dim f_0(U_i) = \dim f_1(U_i)\) and \(\dim V_i = \dim f_0^{-1}(V_i) = \dim f_1^{-1}(V_i)\). Now, by Lemma 9 we know that \(f_0(U_i)\ne f_1(U_i)\), if \(U_i\) is nontrivial, and similarly \(f_0^{-1}(V_i)\ne f_1^{-1}(V_i)\), if \(V_i\) is nontrivial. Therefore, if \(\dim V_i > 0\) then
$$\begin{aligned} \dim U_{i-1} = \dim \left( f_0^{-1}(V_i)\cap f_1^{-1}(V_i)\right) < \dim V_i \end{aligned}$$
and if \(\dim U_i > 0\) then
$$\begin{aligned} \dim V_i = \dim \left( f_0(U_i)\cap f_1(U_i)\right) < \dim U_i \end{aligned}$$
On the other hand, since \(f_0^{-1}(V_i)\subset U_i\) and \(f_1^{-1}(V_i)\subset U_i\), we have \(f_0^{-1}(V_i)+f_1^{-1}(V_i)\subset U_i\), and analogously \(f_0(U_i)+f_1(U_i)\subset V_{i+1}\). Putting these (in)equalities together (using \(\dim (f_0(U_i)\cap f_1(U_i)) + \dim (f_0(U_i)+f_1(U_i)) = 2\dim U_i\)), if \(U_i\) is nontrivial,
$$\begin{aligned} 1 \le \dim U_i - \dim V_i= & {} \dim U_i - \dim (f_0(U_i)\cap f_1(U_i)) \\= & {} \dim (f_0(U_i)+f_1(U_i)) - \dim U_i \le \dim V_{i+1} - \dim U_i \end{aligned}$$
and similarly, if \(V_i\) is nontrivial, \(1 \le \dim V_i - \dim U_{i-1} \le \dim U_i - \dim V_i\). But
$$\begin{aligned} \dim U_m - \dim V_m = \dim (f_0(U_m)+f_1(U_m)) - \dim U_m = \dim \mathbb {Z}_q^{k+1} - \dim \mathbb {Z}_q^k = 1 \end{aligned}$$
and then all the equalities hold. As a consequence, if k is even, taking \(k=2m\) we have shown that \(\dim V_i = 2i-1\) and \(\dim U_i = 2i\). Otherwise, we take \(k=2m-1\) and \(\dim V_i = 2i-2\) and \(\dim U_i = 2i-1\) (hence, \(V_1\) is trivial here).
In addition, the previous equalities of dimensions imply the corresponding equalities of subspaces \(U_i = f_0^{-1}(V_i)+f_1^{-1}(V_i)\) and \(V_{i+1} = f_0(U_i)+f_1(U_i)\), which in particular mean that a generating set of \(U_i\) can be constructed by computing the preimages of a generating set of \(V_i\) under both \(f_0\) and \(f_1\) (these preimages always exist for vectors in any \(V_i \subset V_m = f_0(U_m)\cap f_1(U_m)\)). Similarly, we can build a generating set of \(V_{i+1}\) by applying \(f_0\) and \(f_1\) to a generating set of \(U_i\). We will also use the fact that \(\mathbb {Z}_q^{k+1} = f_0(U_m)+f_1(U_m)\) to complete a basis of \(\mathbb {Z}_q^{k+1}\).
At this point, we have constructed two sequences of subspaces whose dimensions grow regularly, and we can build bases of the spaces by carefully picking vectors from them. We consider separately the cases k even and k odd.
For \(k=2m\), we know that \(\dim V_1 = 1\). Let \(\vec {y}\in \mathbb {Z}_q^{k+1}\) be a nonzero vector in \(V_1\). Then, \(\vec {x}_0=f_0^{-1}(\vec {y})\) and \(\vec {x}_1=f_1^{-1}(\vec {y})\) form a basis of \(U_1\), since it is a generating set and \(\dim U_1 = 2\). Similarly, we build a generating set \(\{f_1(\vec {x}_0),f_0(\vec {x}_0),f_1(\vec {x}_1),f_0(\vec {x}_1)\}\) of \(V_2\), but actually \(f_0(\vec {x}_0) = f_1(\vec {x}_1) = \vec {y}\). Since \(\dim V_2=3\) we know that the three different vectors form a basis. Observe that we can write it as \(\{(f_1\circ f_0^{-1})(\vec {y}),\vec {y},(f_0\circ f_1^{-1})(\vec {y})\}\), where \(f_0^{-1}\) (and similarly \(f_1^{-1}\)) denotes here the inverse map of \(f_0\) restricted to its image \(f_0(\mathbb {Z}_q^k)\), so it is well defined on any subspace \(V_i\). Now, computing the preimages for \(f_0\) and \(f_1\) and removing the repeated vectors we can build a basis of \(U_2\). Following the same procedure iteratively, we can build the bases
$$\begin{aligned} B_1= & {} \left\{ (f_0^{-1}\circ f_1)^{m-1}(\vec {x}_0),\ldots ,(f_0^{-1}\circ f_1)(\vec {x}_0),\vec {x}_0,\vec {x}_1,(f_1^{-1}\circ f_0)(\vec {x}_1), \right. \\&\left. \ldots ,(f_1^{-1}\circ f_0)^{m-1}(\vec {x}_1) \right\} \end{aligned}$$
and
$$\begin{aligned} B_2=\{(f_1\circ f_0^{-1})^m(\vec {y}),\ldots ,(f_1\circ f_0^{-1})(\vec {y}),\vec {y},(f_0\circ f_1^{-1})(\vec {y}),\ldots ,(f_0\circ f_1^{-1})^m(\vec {y})\} \end{aligned}$$
of \(\mathbb {Z}_q^{k}\) and \(\mathbb {Z}_q^{k+1}\), respectively, with the property that the images of the vectors in \(B_1\) by \(f_0\) are exactly the last k vectors in \(B_2\), and the images of the vectors in \(B_1\) by \(f_1\) are exactly the first k vectors in \(B_2\). This is the same as saying that \(f_0\) and \(f_1\) are represented in those bases by the matrices \({{\mathbf {{J_0}}}}\) and \({{\mathbf {{J_1}}}}\), respectively.
The proof for the odd case \(k=2m-1\) proceeds similarly, but starting from a nonzero vector \(\vec {x}\in U_1\), computing the two images \(\vec {y}_0 = f_0(\vec {x})\) and \(\vec {y}_1 = f_1(\vec {x})\), and then applying the same iterative procedure as before to obtain the bases
$$\begin{aligned} B_1= & {} \left\{ (f_0^{-1}\circ f_1)^{m-1}(\vec {x}),\ldots ,(f_0^{-1}\circ f_1)(\vec {x}),\vec {x},(f_1^{-1}\circ f_0)(\vec {x}), \right. \\&\left. \ldots ,(f_1^{-1}\circ f_0)^{m-1}(\vec {x}) \right\} \end{aligned}$$
and
$$\begin{aligned} B_2= & {} \left\{ (f_1\circ f_0^{-1})^m(\vec {y}_1),\ldots ,(f_1\circ f_0^{-1})(\vec {y}_1),\vec {y}_1,\vec {y}_0,(f_0\circ f_1^{-1})(\vec {y}_0), \right. \\&\left. \ldots ,(f_0\circ f_1^{-1})^m(\vec {y}_0) \right\} \end{aligned}$$
of \(\mathbb {Z}_q^{k}\) and \(\mathbb {Z}_q^{k+1}\), respectively, with exactly the same property as before.
Appendix 4: Subgroup Membership Proofs for \(\mathbf{2}\text{- }\textsf {Lin}\)
In this section we exemplify our approach from Sect. 6.1 for the \(2\text{- }\textsf {Lin}\) case. Let
$$\begin{aligned} {{\mathbf {{A}}}}= \left( \begin{array}{cc} a_1 &{} 0 \\ 0 &{} a_2 \\ 1 &{} 1 \\ \end{array}\right) =(\vec {u}_1, \vec {u}_2), \qquad \qquad {{\mathbf {{A}}}} \leftarrow \mathcal {L}_2, \end{aligned}$$
and
$$\begin{aligned} {[}{{\mathbf {{u}}}}_3] = \left\{ \begin{array}{ll} {[}w_1\vec {u}_1+w_2\vec {u}_2] &{} \text {binding key (soundness setting)} \\ {[}w_1\vec {u}_1+w_2\vec {u}_2-(0,0,1)^{\top }] &{} \text {hiding key (WI setting)} \end{array},\right. \end{aligned}$$
for \(w_1,w_2\leftarrow \mathbb {Z}_q\). We exemplify our new approach to prove \([\Phi ] \in \mathcal {L}_{{{\mathbf {{A}}}},\mathcal {PG}} \subset \mathbb {G}^3\). To simplify the notation, we define \(\vec {v}:=\vec {u}_3+(0,0,1)^{\top }\). With this notation, \([\iota '(x)]:=[x \vec {v}]\).
Standard Groth–Sahai proof. In the standard approach, used for instance in [35], the prover will show that there are two values \(r_1,r_2 \in \mathbb {Z}_q\) such that the following equations hold:
$$\begin{aligned} {[}r_{1}a_{1}{]}&= {[}\Phi _{1}{]} \qquad (9)\\ {[}r_{2}a_{2}{]}&= {[}\Phi _{2}{]} \qquad (10)\\ {[}r_{1}+r_{2}{]}&= {[}\Phi _{3}{]}. \qquad (11) \end{aligned}$$
Therefore, we are in the setting of multiscalar multiplication with \(A_1=\mathbb {Z}_q\) and \(A_2=\mathbb {G}\). The proof consists of the commitments to \(r_1,r_2\), which are two vectors \([\vec {c}_{r_1}],[\vec {c}_{r_2}]\in \mathbb {G}^3\) such that
$$\begin{aligned} (\vec {c}_{r_1}, \vec {c}_{r_2})= (\iota '(r_1), \iota '(r_2))+ {{\mathbf {{A}}}} \left( \begin{array}{cc} s_{11} &{} s_{12} \\ s_{21} &{} s_{22} \\ \end{array}\right) = (r_1 \vec {v}, r_2 \vec {v})+ {{\mathbf {{A}}}} \left( \begin{array}{cc} s_{11} &{} s_{12} \\ s_{21} &{} s_{22} \\ \end{array}\right) \end{aligned}$$
and the vector
$$\begin{aligned}{}[\vec {\pi }_{(r_1,r_2)}]= & {} \left[ \left( (a_1,0){{\mathbf {{S}}}}^{\top }, \ (0,a_2) {{\mathbf {{S}}}}^{\top }, (1,1) {{\mathbf {{S}}}}^{\top } \right) \right] \\= & {} ([s_{11}a_1], [s_{21} a_1], [s_{12}a_2], [s_{22} a_2], [s_{11}+s_{12}], [s_{21}+s_{22}]). \end{aligned}$$
Therefore, in total, the proof requires 12 group elements.
To simulate the proof, we proceed as if we were proving that the equations
$$\begin{aligned}{}[r_1a_1]&=[\delta \Phi _1] \\ [r_2a_2]&=[\delta \Phi _2] \\ [r_1+r_2]&=[\delta \Phi _3], \end{aligned}$$
are satisfied by the all zero witness, with the commitment to \(\delta =0\) being \(\textsf {com}'_{[{{\mathbf {{U}}}}],\vec {z}}(0; (w_1,w_2)^{\top })\), which, in the witness indistinguishability setting, is equal to \([\iota '(1)]=[\vec {v}]=[{{\mathbf {{A}}}}\vec {w}]\).
New approach. To construct the proof, the prover needs to sample uniformly at random from the space \(\mathcal {H}:=\{ {{\mathbf {{H}}}} \in \mathbb {Z}_q^{2 \times 2}: {{\mathbf {{H}}}}+{{\mathbf {{H}}}}^{\top }={{\mathbf {{0}}}}\}\). To sample \({{\mathbf {{H}}}} \leftarrow \mathcal {H}\), pick a random value \(h \leftarrow \mathbb {Z}_q\) and define \({\mathbf{H}}=\left( \begin{array}{cc} 0 &{} \quad h \\ -h &{} \quad 0 \\ \end{array}\right) \). The proof is then defined as:
$$\begin{aligned}{}[\varvec{\Pi }]=[\vec {v} (r_1,r_2) + {{\mathbf {{A}}}} {{\mathbf {{H}}}}]= \left( \begin{array}{cc} {[}r_1 v_{1}] &{} [r_2 v_{1}+ha_1] \\ {[}r_1 v_{2}-a_2h] &{} [r_2 v_{2}] \\ {[}r_1 v_{3}-h] &{} [r_2 v_{3}+h] \\ \end{array}\right) \end{aligned}$$
where \(\vec v=(v_1,v_2,v_3)^{\top }=\vec u_3+(0,0,1)^{\top }\) is the vector defined above (so that in the hiding setting \(\vec v={{\mathbf {{A}}}}\vec w\)), and \(\vec {v}(r_1,r_2)\) is the \(3\times 2\) matrix with columns \(r_1\vec v\) and \(r_2\vec v\).
The proof consists of six group elements, as claimed.
For simulation, we sample some \({{\mathbf {{H}}}}'\leftarrow \mathcal {H}\) as before and we define:
$$\begin{aligned}{}[\varvec{\Pi }_{\mathrm{sim}}]=[\vec {\Phi }(w_1,w_2)+ {{\mathbf {{A}}}} {{\mathbf {{H'}}}}]. \end{aligned}$$
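As an added check (this derivation is not part of the original appendix; it uses only the definitions above), the real and the simulated proof satisfy the same symmetric relation in \({{\mathbf {{A}}}}\), \(\vec v\) and \(\vec \Phi \), which is what a verifier with access to the pairing can test from \([{{\mathbf {{A}}}}]\), \([\vec v]\), \([\vec \Phi ]\) and \([\varvec{\Pi }]\). Writing \(\vec \Phi ={{\mathbf {{A}}}}\vec r\) with \(\vec r=(r_1,r_2)^{\top }\) and using \({{\mathbf {{H}}}}^{\top }=-{{\mathbf {{H}}}}\),
$$\begin{aligned} {{\mathbf {{A}}}}\varvec{\Pi }^{\top }+\varvec{\Pi }{{\mathbf {{A}}}}^{\top } = {{\mathbf {{A}}}}\left( \vec r\,\vec v^{\top }-{{\mathbf {{H}}}}{{\mathbf {{A}}}}^{\top }\right) + \left( \vec v\,\vec r^{\top }+{{\mathbf {{A}}}}{{\mathbf {{H}}}}\right) {{\mathbf {{A}}}}^{\top } = \vec \Phi \,\vec v^{\top }+\vec v\,\vec \Phi ^{\top }, \end{aligned}$$
and in the hiding setting, where \(\vec v={{\mathbf {{A}}}}\vec w\),
$$\begin{aligned} {{\mathbf {{A}}}}\varvec{\Pi }_{\mathrm{sim}}^{\top }+\varvec{\Pi }_{\mathrm{sim}}{{\mathbf {{A}}}}^{\top } = {{\mathbf {{A}}}}\vec w\,\vec \Phi ^{\top }-{{\mathbf {{A}}}}{{\mathbf {{H}}}}'{{\mathbf {{A}}}}^{\top } + \vec \Phi \,\vec w^{\top }{{\mathbf {{A}}}}^{\top }+{{\mathbf {{A}}}}{{\mathbf {{H}}}}'{{\mathbf {{A}}}}^{\top } = \vec v\,\vec \Phi ^{\top }+\vec \Phi \,\vec v^{\top } \end{aligned}$$
for every \([\vec \Phi ]\in \mathbb {G}^3\), whether or not it lies in \(\mathcal {L}_{{{\mathbf {{A}}}},\mathcal {PG}}\). Moreover, for \(\vec \Phi ={{\mathbf {{A}}}}\vec r\) one has \(\varvec{\Pi }-\varvec{\Pi }_{\mathrm{sim}}={{\mathbf {{A}}}}\left( \vec w\,\vec r^{\top }-\vec r\,\vec w^{\top }+{{\mathbf {{H}}}}-{{\mathbf {{H}}}}'\right) \), and \(\vec w\,\vec r^{\top }-\vec r\,\vec w^{\top }\) is itself an element of \(\mathcal {H}\), so for \({{\mathbf {{H}}}},{{\mathbf {{H}}}}'\leftarrow \mathcal {H}\) the two proofs are identically distributed. In the binding setting, \(\vec v={{\mathbf {{A}}}}\vec w+(0,0,1)^{\top }\) and the vector \(\vec z=(a_1^{-1},a_2^{-1},-1)^{\top }\) satisfies \(\vec z^{\top }{{\mathbf {{A}}}}=0\) and \(\vec z^{\top }\vec v=-1\); multiplying the relation by \(\vec z^{\top }\) on the left and \(\vec z\) on the right gives \(0=-2\,\vec z^{\top }\vec \Phi \), so (q being odd) any \([\varvec{\Pi }]\) satisfying it forces \(\vec \Phi \in \mathrm {span}({{\mathbf {{A}}}})\).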
Appendix 5: Concrete Examples from the \(\varvec{k}\text{- }\textsf {SCasc}\) Assumption
As we promote the \(k\text{- }\textsf {SCasc}\) Assumption as a replacement of the \(k\text{- }\textsf {Lin}\) assumption, we give two concrete instantiations of a KEM and a PRF based on it.
Appendix 5.1: Key Encapsulation
We build a \(\textsf {KEM}_{\textsf {Gen},\mathcal {SC}_{k}}\) from \(k\text{- }\textsf {SCasc}\) (Example 4).
-
\(\textsf {Gen}(1^\lambda )\) runs \(\mathcal {G}\leftarrow \textsf {Gen}(1^\lambda )\) and picks \(a \leftarrow \mathbb {Z}_q\). The public/secret key is
$$\begin{aligned} pk =(\mathcal {G}, ([a]) \in \mathbb {G}), \quad sk = a \in \mathbb {Z}_q. \end{aligned}$$
-
\(\textsf {Enc}_ pk \) picks \(\vec {w} \leftarrow \mathbb {Z}_q^k\). The ciphertext/key pair is
$$\begin{aligned}{}[\vec {c}]= \left( [a w_1], [w_1+a w_2], \ldots , [w_{k-1}+a w_k]\right) ^T \in \mathbb {G}^k, \quad [K] = [w_k] \in \mathbb {G}. \end{aligned}$$
-
\(\textsf {Dec}_ sk ([\vec {c}] \in \mathbb {G}^k)\) recomputes the key as
$$\begin{aligned}{}[K] = \left[ \vec {x}^\top \vec {c}\right] \in \mathbb {G}, \end{aligned}$$
where the transformation vector \(\vec {x} \in \mathbb {Z}_q^k\) is computed from a as \(x_i = \frac{(-1)^{k-i}}{a^{k-i+1}}\), such that \(\vec {x}^\top {{\mathbf {{A}}}}_0 = (0, \ldots , 0,1)\), where \({{\mathbf {{A}}}}_0\) consists of the top k rows of matrix \({{\mathbf {{A}}}}\) from Example 4 (the j-th entry of \(\vec {x}^\top {{\mathbf {{A}}}}_0\) is \(a x_j + x_{j+1} = 0\) for \(j<k\) and \(a x_k = 1\) for \(j=k\)). Since \([\vec c]=[{{\mathbf {{A}}}}_0\vec w]\), decryption indeed yields \([\vec x^\top {{\mathbf {{A}}}}_0\vec w]=[w_k]\). This requires \(a\ne 0\), which fails only with probability 1/q over the choice of the key.
Security of \(\textsf {KEM}_{\textsf {Gen},\mathcal {SC}_{k}}\) follows from Theorem 11. Note that the size of the public/secret key is constant, compared to linear (in k) for the \(k\text{- }\textsf {Lin}\)-based KEM [23, 45]. The ciphertext size remains the same, however.
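The KEM above, carried out end to end as an added example (this is not code from the paper). It instantiates the group as the order-q subgroup of \(\mathbb {Z}_p^*\) for the toy safe prime \(p=2q+1=10007\) with generator \(g=4\), so that \([x]=g^x \bmod p\); these parameters are assumptions chosen only to make the arithmetic concrete and are far too small for real use. The functions `scasc_matrix`, `transformation_vector` and `check_transformation` exist only to verify \(\vec x^\top {{\mathbf {{A}}}}_0=(0,\ldots ,0,1)\) and are not part of the scheme.

```python
"""k-SCasc KEM of Appendix 5.1 over a toy prime-order group.

Added example, not the paper's code.  The group is the order-q subgroup
of Z_p^* with p = 2q + 1 = 10007 (a safe prime, so q = 5003 is prime)
and generator g = 4 (a square mod p, hence of order exactly q); [x]
denotes g^x mod p.  Toy parameters for illustration only.
"""
import secrets

P = 10007  # safe prime p = 2q + 1 (assumed toy parameter)
Q = 5003   # prime order of the subgroup; exponents live in Z_q
G = 4      # generator of the order-q subgroup


def enc(x):
    """[x] = g^x mod p."""
    return pow(G, x % Q, P)


def scasc_matrix(a, k):
    """The (k+1) x k matrix A of Example 4: a on the diagonal, 1 just below it."""
    m = [[0] * k for _ in range(k + 1)]
    for j in range(k):
        m[j][j] = a
        m[j + 1][j] = 1
    return m


def keygen():
    """Gen: pk = [a], sk = a.  a = 0 is rejected: A_0 would be singular
    and the transformation vector undefined."""
    a = 0
    while a == 0:
        a = secrets.randbelow(Q)
    return enc(a), a


def encaps(pk_a, k):
    """Enc: w <- Z_q^k; ciphertext [A_0 w] = ([a w_1], [w_1 + a w_2], ...,
    [w_{k-1} + a w_k]) and key [w_k].  Only [a] is known to the encapsulator,
    so each a*w_i term is formed as [a]^{w_i}."""
    w = [secrets.randbelow(Q) for _ in range(k)]
    c = [pow(pk_a, w[0], P)]
    for i in range(1, k):
        c.append(enc(w[i - 1]) * pow(pk_a, w[i], P) % P)
    return c, enc(w[k - 1])


def transformation_vector(a, k):
    """x_i = (-1)^{k-i} / a^{k-i+1} (1-indexed), so that x^T A_0 = (0, ..., 0, 1)."""
    inv_a = pow(a, -1, Q)
    return [((-1) ** (k - i) * pow(inv_a, k - i + 1, Q)) % Q
            for i in range(1, k + 1)]


def decaps(a, c):
    """Dec: [K] = [x^T c] = prod_i c_i^{x_i}, computed in the group."""
    x = transformation_vector(a, len(c))
    key = 1
    for ci, xi in zip(c, x):
        key = key * pow(ci, xi, P) % P
    return key


def check_transformation(a, k):
    """Return the row vector x^T A_0 over Z_q; it should equal [0, ..., 0, 1]."""
    x = transformation_vector(a, k)
    a0 = scasc_matrix(a, k)[:k]          # top k rows of A
    return [sum(x[i] * a0[i][j] for i in range(k)) % Q for j in range(k)]


def roundtrip(k):
    """Encapsulate and decapsulate once; True iff both sides agree on [K]."""
    pk_a, a = keygen()
    c, key = encaps(pk_a, k)
    return decaps(a, c) == key


if __name__ == "__main__":
    print(check_transformation(7, 4))                # [0, 0, 0, 1]
    print(all(roundtrip(k) for k in (1, 2, 3, 5)))   # True
```

Note that the public key is a single group element for every k, while the ciphertext still has k elements, as stated above; the only per-key precomputation on the decryption side is the k inverse powers of a.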
Appendix 5.2: Pseudo-Random Function
We build \(\textsf {PRF}_{\textsf {Gen},\mathcal {SC}_{k}}=(\textsf {Gen},\textsf {F})\) from \(k\text{- }\textsf {SCasc}\).
-
\(\textsf {Gen}(1^\lambda )\) runs \(\mathcal {G}\leftarrow \textsf {Gen}(1^\lambda )\) and picks \(a_{i,j}\leftarrow \mathbb {Z}_q\) for \(1\le i \le n\), \(1 \le j \le k\) and \(\vec {h} \leftarrow \mathbb {Z}_q^k\). The secret key is \(K=((a_{i,j}), \vec {h})\).
-
\(\textsf {F}_K(x)\) computes
$$\begin{aligned} \textsf {F}_K(x) = \left[ \prod _{i : x_i=1} {{\mathbf {{T}}}}_i \cdot \vec {h}\right] \in \mathbb {G}^k, \end{aligned}$$
where
$$\begin{aligned} {{\mathbf {{T}}}}_i = \left( \begin{array}{llll} \frac{(-1)^{k-1}}{a_{i,1}^{k}}&{} \ldots &{} \frac{-1}{a_{i,1}^2} &{}\frac{1}{a_{i,1}} \\ \vdots &{} &{} \vdots &{} \vdots \\ \frac{(-1)^{k-1}}{a_{i,k}^{k}}&{} \ldots &{} \frac{-1}{a_{i,k}^2}&{} \frac{1}{a_{i,k}} \\ \end{array} \right) \in \mathbb {Z}_q^{k\times k}, \end{aligned}$$
where the transformation matrices \({{\mathbf {{T}}}}_{i,j}\) of \({{\mathbf {{A}}}}_{i,j} \leftarrow \mathcal {SC}_k\) are the row vectors of \({{\mathbf {{T}}}}_i\). Security of \(\textsf {PRF}_{\textsf {Gen},\mathcal {SC}_{k}}\) follows from Theorem 12. Note that the size of the secret key K is nk, compared to \(nk^2\) for the \(k\text{- }\textsf {Lin}\)-based PRF [6].
Observe that \({{\mathbf {{T}}}}_i\) is only defined when all \(a_{i,j}\ne 0\) (a restriction that, for uniformly chosen \(a_{i,j}\), fails with probability at most nk/q over the whole key). Under this restriction we can rewrite \({{\mathbf {{T}}}}_i\) as
$$\begin{aligned} {{\mathbf {{T}}}}_i = -\left( \begin{array}{llll} b_{i,1}^{k}&{} \ldots &{} b_{i,1}^2 &{} b_{i,1} \\ \vdots &{} &{} \vdots &{} \vdots \\ b_{i,k}^{k}&{} \ldots &{} b_{i,k}^2&{} b_{i,k} \\ \end{array} \right) , \end{aligned}$$
where now \(b_{i,j}=-\frac{1}{a_{i,j}}\) are random nonzero elements. If we associate \(\vec {h}=(h_1,h_2,\ldots ,h_k)\) to the polynomial \(\mathfrak {h}=h_1 X^k+\cdots + h_{k-1} X^2 + h_k X\in \mathbb {Z}_q[X]\), then \({{\mathbf {{T}}}}_i\vec {h} = -(\mathfrak {h}(b_{i,1}),\ldots ,\mathfrak {h}(b_{i,k}))\), and the PRF can be interpreted as a sequence of transformations applied to a random polynomial. More specifically, for every bit \(x_i=1\), the i-th step replaces the coefficients of a polynomial by its evaluations (up to the sign) at some random points \(b_{i,1},\ldots ,b_{i,k}\).
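The PRF of Appendix 5.2 together with the polynomial-evaluation reading of \({{\mathbf {{T}}}}_i\vec h\), as an added example that is not code from the paper. The linear algebra is done in the exponent over \(\mathbb {Z}_q\) and the result mapped into the same toy group as in the KEM example (\(p=10007\), \(q=5003\), \(g=4\), all assumed toy parameters). The text does not fix the order in which the factors of \(\prod _{i:x_i=1}{{\mathbf {{T}}}}_i\) are applied; the code applies \({{\mathbf {{T}}}}_1\) first and \({{\mathbf {{T}}}}_n\) last, matching the "i-th step" description, which is an assumption (any fixed order gives a PRF of the same form).

```python
"""k-SCasc PRF of Appendix 5.2 and its polynomial-evaluation view.

Added example, not the paper's code.  The key ((a_{i,j}), h) and all
linear algebra live in Z_q; the output is mapped into the toy group
[x] = g^x mod p with p = 10007, q = 5003, g = 4 (assumed parameters).
"""
import secrets

P, Q, G = 10007, 5003, 4


def enc(x):
    """[x] = g^x mod p."""
    return pow(G, x % Q, P)


def nonzero_scalar():
    v = 0
    while v == 0:
        v = secrets.randbelow(Q)
    return v


def keygen(n, k):
    """K = ((a_{i,j}), h); every a_{i,j} != 0 so that each T_i is defined."""
    a = [[nonzero_scalar() for _ in range(k)] for _ in range(n)]
    h = [secrets.randbelow(Q) for _ in range(k)]
    return a, h


def transformation_matrix(a_row):
    """T_i for key row (a_{i,1}, ..., a_{i,k}): row j is
    ((-1)^{k-1}/a_{i,j}^k, ..., -1/a_{i,j}^2, 1/a_{i,j}), i.e. the SC_k
    transformation vector for parameter a_{i,j}."""
    k = len(a_row)
    rows = []
    for a in a_row:
        inv = pow(a, -1, Q)
        rows.append([((-1) ** (k - l) * pow(inv, k - l + 1, Q)) % Q
                     for l in range(1, k + 1)])
    return rows


def mat_vec(m, v):
    """Matrix-vector product over Z_q."""
    return [sum(mij * vj for mij, vj in zip(row, v)) % Q for row in m]


def prf_exponent(key, x_bits):
    """prod_{i: x_i = 1} T_i . h in Z_q^k (the exponents of F_K(x)).
    Assumed order: T_1 is applied first, T_n last."""
    a, h = key
    v = list(h)
    for a_row, bit in zip(a, x_bits):
        if bit:
            v = mat_vec(transformation_matrix(a_row), v)
    return v


def prf(key, x_bits):
    """F_K(x) = [prod_{i: x_i = 1} T_i . h] in G^k."""
    return [enc(v) for v in prf_exponent(key, x_bits)]


def poly_eval(h, b):
    """h(X) = h_1 X^k + ... + h_{k-1} X^2 + h_k X evaluated at X = b over Z_q."""
    k = len(h)
    return sum(h[i] * pow(b, k - i, Q) for i in range(k)) % Q


def polynomial_view_holds(a_row, h):
    """Check T_i h == -(h(b_{i,1}), ..., h(b_{i,k})) with b_{i,j} = -1/a_{i,j}."""
    lhs = mat_vec(transformation_matrix(a_row), h)
    rhs = [(-poly_eval(h, (-pow(a, -1, Q)) % Q)) % Q for a in a_row]
    return lhs == rhs


if __name__ == "__main__":
    key = keygen(n=8, k=3)
    print(prf(key, [1, 0, 1, 1, 0, 0, 1, 0]))
    print(polynomial_view_holds([3, 5, 7], [1, 2, 3]))   # True
```

The key stores nk field elements (the \(a_{i,j}\)) plus the k entries of \(\vec h\); each evaluation step costs one k-by-k matrix-vector product in \(\mathbb {Z}_q\), and the group operation is only needed once, for the final encoding.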