4

From the Linkable Ring Signatures paper:

Let $G = \langle g\rangle$ be a cyclic group of prime order $q$ such that the underlying discrete logarithm problem (DLP) is hard. Let $H_1 : \{0, 1\}^* \to \mathbb Z_q$ and $H_2 : \{0, 1\}^* \to G$ be distinct hash functions viewed as random oracles. Assume that for any $\alpha\in\{0, 1\}^*$, the discrete-log of $H_2(\alpha)$ to the base $g$ is intractable.

For that, as suggested on my previous question, I'll pick a large Sophie Germain prime $q$ such that $2^{q} \bmod {(2q+1)} = 1$, with $2$ as the group generator. It would be tempting to define $H_2(a) = g^{H(a)}$, where $H$ is a hash function distinct from $H_1$. That would not work as intended, though, because, under that construction, $\log_g(H_2(a)) = H(a)$. How can I, thus, construct an appropriate definition for $H_2$ on that problem?

MaiaVictor

1 Answer

7

The obvious way to create such a hash function would be to first define a hash function $H$ (distinct from $H_1$) that generates as output an integer in the range $[2, q]$, and then define $H_2(x) = H(x)^2 \bmod (2q+1)$ (that is, square $H(x)$ modulo $2q+1$).

If we treat $H$ as a random oracle, then $H_2(x)$ is a random element (uniformly distributed, other than 1) of the subgroup of $\mathbb Z^*_{2q+1}$ that consists of quadratic residues. We can see this is a random element because each possible value of $H(x)$ yields a distinct quadratic residue, and there are $q-1$ subgroup elements (other than 1), and so each output is generated with equal probability.

This subgroup is the order $q$ subgroup that you're thinking of, and if the DLP is hard, then it's hard to solve DLP on random elements.

poncho
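The squaring construction from the answer above, as an added Python example (not code from the original post or the paper). It assumes SHAKE-256 with a domain tag as the inner hash $H$; `Q = 1019` is a constructed toy Sophie Germain prime, and all function names are hypothetical.

```python
import hashlib

Q = 1019        # constructed toy Sophie Germain prime (far too small for real use)
P = 2 * Q + 1   # 2039, a safe prime; 2 generates the order-Q subgroup mod P

def hash_to_range(msg: bytes, q: int, tag: bytes = b"H2-inner") -> int:
    """H: map msg to an integer in [2, q], treating SHAKE-256 as the random oracle.

    The tag separates H from H_1 (assumed to use a different tag). Drawing 128
    bits more than q needs makes the bias of the final reduction negligible.
    """
    nbytes = (q.bit_length() + 7) // 8 + 16
    wide = int.from_bytes(hashlib.shake_256(tag + b"\x00" + msg).digest(nbytes), "big")
    return 2 + wide % (q - 1)          # q - 1 possible values: 2, 3, ..., q

def h2(msg: bytes, q: int = Q) -> int:
    """H_2(x) = H(x)^2 mod (2q+1): a quadratic residue other than 1."""
    return pow(hash_to_range(msg, q), 2, 2 * q + 1)

def in_subgroup(x: int, q: int = Q) -> bool:
    """True if x is a non-identity element of the order-q subgroup of Z*_(2q+1)."""
    p = 2 * q + 1
    return 1 < x < p and pow(x, q, p) == 1

def squaring_is_bijection(q: int = Q) -> bool:
    """Exhaustively confirm (toy sizes only) that h -> h^2 mod (2q+1) sends
    [2, q] one-to-one onto the q - 1 non-identity subgroup elements."""
    p = 2 * q + 1
    images = {pow(h, 2, p) for h in range(2, q + 1)}
    return len(images) == q - 1 and all(in_subgroup(y, q) for y in images)

if __name__ == "__main__":
    assert pow(2, Q, P) == 1            # the generator condition from the question
    assert squaring_is_bijection()
    for m in (b"alice", b"bob", b""):
        y = h2(m)
        print(m, y, in_subgroup(y))
```

Unlike $g^{H(a)}$, nothing in this computation produces an exponent of the output relative to $g$, which is the property the question asks for.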