New Realizations of Somewhere Statistically Binding Hashing and Positional Accumulators

Abstract

A somewhere statistically binding (SSB) hash, introduced by Hubáček and Wichs (ITCS ’15), can be used to hash a long string x to a short digest \(y = H_{\mathsf {hk}}(x)\) using a public hashing-key \(\mathsf {hk}\). Furthermore, there is a way to set up the hash key \(\mathsf {hk}\) to make it statistically binding on some arbitrary hidden position i, meaning that: (1) the digest y completely determines the i’th bit (or symbol) of x so that all pre-images of y have the same value in the i’th position, (2) it is computationally infeasible to distinguish the position i on which \(\mathsf {hk}\) is statistically binding from any other position \(i'\). Lastly, the hash should have a local opening property analogous to Merkle-Tree hashing, meaning that given x and \(y = H_{\mathsf {hk}}(x)\) it should be possible to create a short proof \(\pi \) that certifies the value of the i’th bit (or symbol) of x without having to provide the entire input x. A similar primitive called a positional accumulator, introduced by Koppula, Lewko and Waters (STOC ’15) further supports dynamic updates of the hashed value. These tools, which are interesting in their own right, also serve as one of the main technical components in several recent works building advanced applications from indistinguishability obfuscation (iO).

The prior constructions of SSB hashing and positional accumulators required fully homomorphic encryption (FHE) and iO respectively. In this work, we give new constructions of these tools based on well studied number-theoretic assumptions such as DDH, Phi-Hiding and DCR, as well as a general construction from lossy/injective functions.

K. Pietrzak—Research supported by ERC starting grant (259668-PSPC)

B. Waters—Supported by NSF CNS-1228599 and CNS-1414082. DARPA SafeWare, Google Faculty Research award, the Alfred P. Sloan Fellowship, Microsoft Faculty Fellowship, and Packard Foundation Fellowship.

D. Wichs—Research supported by NSF grants CNS-1347350, CNS-1314722, CNS- 1413964.

1 Introduction

SSB Hashing. A somewhere statistically binding (SSB) hash, introduced by Hubáček and Wichs [HW15], can be used to create a short digest \(y= H_{\mathsf {hk}}(x)\) of some long input \(x = (x[0],\ldots ,x[L-1]) \in \Sigma ^L\), where \(\Sigma \) is some alphabet. The hashing key \(\mathsf {hk}\leftarrow \mathsf {Gen}(i)\) can be chosen by providing a special “binding index” i and this ensures that the hash \(y = H_{\mathsf {hk}}(x)\) is statistically binding for the i’th symbol, meaning that it completely determines the value x[i]. In other words, even though y has many preimages \(x'\) such that \(H_{\mathsf {hk}}(x')=y\), all of these preimages agree in the i’th symbol \(x'[i] = x[i]\). The index i on which the hash is statistically binding should remain computationally hidden given the hashing key \(\mathsf {hk}\). This is formalized analogously to semantic security so that for any indices \(i,i'\) the hashing keys \(\mathsf {hk}\leftarrow \mathsf {Gen}(i)\) and \(\mathsf {hk}' \leftarrow \mathsf {Gen}(i')\) should be computationally indistinguishable. Moreover, we will be interested in SSB hash functions with a “local opening” property that allows us to prove that j’th symbol of x takes on some particular value \(x[j]= u\) by providing a short opening \(\pi \). This is analogous to Merkle-Tree hashing, where it is possible to open the j’th symbol of x by providing a proof \(\pi \) that consists of the hash values associated with all the sibling nodes along the path from the root of the tree to the j’th leaf. In the case of SSB hashing, when \(j=i\) is the “binding index”, there should (statistically) exist only one possible value that we can open x[j] to by providing a corresponding proof.

Positional Accumulators. A related primitive called a positional accumulator, was introduced at the same time as SSB hashing by Koppula, Lewko and Waters [KLW15]. Roughly speaking, it includes the functionality of SSB hashing along with the ability to perform “local updates” where one can very efficiently update the hash \(y = H_{\mathsf {hk}}(x)\) if a particular position x[j] is updated. Again, this is analogous to Merkle-Tree hashing, where it is possible to update the j’th symbol of x by only updating the hash values along the path from the root of the tree to the j’th leaf.¹

Applications of SSB Hashing and Positional Accumulators. The above tools, which are interesting in their own right, turn out to be extremely useful in several applications when combines with indistinguishability obfuscation (iO) [BGI+12, GGH+13]. An iO scheme can be used to obfuscate a program (given by a circuit) so that the obfuscations of any two functionally equivalent programs are indistinguishable. Although this notion of obfuscation might a-priori seem too week to be useful, recent work has shown it to be surprisingly powerful (see e.g., [SW14]). Very recently, several results showed how to use iO in conjunction with SSB hashing and positional accumulators to achieve various advanced applications. The work of [HW15] uses SSB hashing and iO to construct the first general Multi-Party Computation (MPC) protocols in the semi-honest model where the communication complexity essentially matches that of the best insecure protocol for the same task. The work of [KLW15] uses positional accumulators and iO to construct succinct garbling for Turing Machines, and recent work extends this approach to RAM programs [CH15, CCC+15]. Lastly, the work of [Zha14] uses SSB hashing and iO to construct the first adaptively secure broadcast encryption with short system parameters.

Example: The Power of iO + SSB. To see the usefulness of combining iO and SSB hashing (or positional accumulators), let’s take a simple illustrative example, adapted from [HW15].² Imagine that Alice has a (small) secret circuit C, and both Alice and Bob know a public value \(x \in \Sigma ^L\). Alice wishes to communicate the values \(\{ C(x[i])\}_{i \in [L]}\) to Bob while hiding some information about C. In particular, Bob shouldn’t learn whether Alice has the circuit C or some other \(C'\) that satisfies \(C(x[i]) = C'(x[i])\) for each \(i \in [L]\). Note that C and \(C'\) may not be functionally equivalent and they only agree on the inputs \(\{x[i]\}_{i \in [L]}\) but might disagree on other inputs. A naive secure solution would be for Alice to simply send the outputs \(\{ C(x[i])\}_{i \in [L]}\) to Bob, but this incurs communication proportional to L. An insecure but communication-efficient solution would be for Alice to just send the small circuit C to Bob. Can we get a secure solution with comparable communication independent of L? Simply sending an obfuscated copy of C is not sufficient since the circuits \(C,C'\) are not functionally equivalent and therefore their obfuscations might be easily distinguishable. However it is possible to achieve this with iO and SSB hashing. Alice can send an obfuscation of a circuit that has the hash \(y = H_{\mathsf {hk}}(x)\) hard-coded and takes as input a tuple \((j, u, \pi )\): it checks that \(j \in [L]\) and that \(\pi \) is a valid opening to \(x[j] =u\) and if so outputs C(u). Bob can evaluate this circuit on the values \(\{x[j]\}_{j \in [L]}\) by providing the appropriate openings. It is possible to show that the above hides whether Alice started with C or \(C'\). The proof proceeds in a sequence of L hybrids where in the i’th hybrid we obfuscate a circuit \(C_i\) that runs \(C'\) instead of C when \(j \le i\) and otherwise runs C. To go from hybrid i to \(i+1\) we first switch the SSB hash key \(\mathsf {hk}\) to be binding in position \(i+1\) and then we can switch from obfuscating \(C_i\) to \(C_{i+1}\) by arguing that these are functionally equivalent; they only differ in the code they execute for inputs of the form \((j=i+1, u,\pi )\) where \(\pi \) is a valid proof but in this case, by the statistical binding property, the only possible value u for which a valid proof \(\pi \) exists is the unique value \(u=x[j]\) for which both circuits produce the same output \(C(x[j]) = C'(x[j])\).

Prior Constructions of SSB and Positional Accumulators. The work of [HW15] constructed a SSB hash by relying on fully homomorphic encryption (FHE). Roughly speaking the construction combines FHE with Merkle Hash Trees. To hash some value \(x = (x[0],\ldots ,x[L-1])\) the construction creates a full binary tree of height \(\log L\) (for simplicity, assume L is a power of 2) and deterministically associates a ciphertext with each node of the tree. The L leaf nodes will be associated with some deterministically created encryptions of the values \(x[0],\ldots ,x[L-1]\), say by using all 0 s for the random coins of the encryption procedure. The hash key \(\mathsf {hk}\) consists of an encryption of a path from the root of the tree to the i’th leaf where i is the binding index; concretely it contains \(\log L\) FHE ciphertexts \((ct_1,\ldots ,ct_{\log L})\) which encrypt bits \(\beta _1,\ldots ,\beta _{\log L}\) corresponding to the binary representation of the binding index i so that \(\beta _i = 0\) denotes “left” and \(\beta _i = 1\) denotes “right”. The ciphertext associated with each non-leaf node are computed homomorphically to ensure that the value x[i] is contained in each ciphertext along the path from the root to the i’th leaf. Concretely, the ciphertext associated with some node at level j is determined by a homomorphic computation which takes the two child ciphertexts \(c_{0}\) (left) and \(c_{1}\) (right) encrypting some values \(m_0,m_1\) and the ciphertext \(ct_i\) contained in \(\mathsf {hk}\) which encrypts \(\beta _i\) and homomorphically produces a ciphertext encrypting \(m_{\beta _i}\). (For technical reasons, the actual construction is a bit more complicated and needs to use a different FHE key at each level of the tree – see [HW15] for full details.) This ensures that the binding index i is hidden by the semantic security of FHE and the statistically binding property follows by the correctness of FHE.

The work of [KLW15] constructs positional accumulators by also relying on a variant of Merkle Trees. However, instead of FHE, it relies on standard public-key encryption and iO. (It is relatively easy to see that the scheme of [HW15] would also yield an alternate construction of a positional accumulator).

1.1 Our Results

In this work we give new constructions of SSB hashing and positional accumulators from a wide variety of well studied number theoretic assumptions such as DDH, DCR (decisional composite residuocity), \(\phi \)-hiding, LWE and others.

Two-to-One SSB. We first abstract out the common Merkle-tree style approach that is common to both SSB hashes and positional accumulators, and identify a basic underlying primitive that we call a two-to-one SSB hash, which can be used to instantiate this approach. Intuitively a two-to-one SSB hash takes as input \(x = (x[0], x[1]) \in \Sigma ^2\) consisting of just two alphabet symbols and outputs a value \(y = H_{\mathsf {hk}}(x)\) which is not much larger than a single alphabet symbol. The key \(\mathsf {hk}\) can be set up to be statistically binding on either position 0 or 1.

Instantiations of Two-to-One SSB. We show how to instantiate a two-to-one SSB hash from the DDH assumption and the decisional composite residuocity (DCR) assumption. More generally, we show how to instantiate a (slight variant of) two-to-one SSB hash from any lossy/injective function. This is a family of functions \(f_{\mathsf {pk}}(x)\) where the public key \(\mathsf {pk}\) can be picked in one of two indistinguishable modes: in injective mode, the function \(f_{\mathsf {pk}}(x)\) is an injective function and in lossy mode \(f_{\mathsf {pk}}(x)\) it is a many-to-one function. To construct a two-to-one SSB hash from injective/lossy function we pick two public keys \(\mathsf {hk}= (\mathsf {pk}_0,\mathsf {pk}_1)\) and define \(H_{\mathsf {hk}}(x[0],x[1]) = h( f_{\mathsf {pk}_0}(x[0]), f_{\mathsf {pk}_1}(x[1]))\) where h is a universal hash function. To make the \(\mathsf {hk}\) binding on index 0 we choose \(\mathsf {pk}_0\) to be injective and \(\mathsf {pk}_1\) to be lossy and to make is binding on index 1 we do the reverse. With appropriate parameters, we can ensure that the statistically binding property holds with overwhelming probability over the choice of h.

From Two-to-One SSB to Full SSB and Positional Accumulators. We can instantiate a (full) SSB hash with arbitrary input size \(\Sigma ^L\) by combining two-to-one SSB hashes in a Merkle Tree, with a different key at each level. To make the full SSB binding at some location i, we choose the hash keys at each level to be binding on either the left or right child in such a way that they are binding along the path from the root of the tree to the leaf at position i. This allows us to “locally open” the j’th position of the input in the usual way, by giving the hash values of all the siblings along the path from the root to the j’th leaf. If \(j=i\) is the binding index, then there is a unique value \(x[j]=u\) for which there is a valid opening. To get positional accumulators, we use the fact that we can also locally update the hashed value by modifying one location x[j] and only updating the hashes along the path from the root to the j’th leaf.

A Flatter Approach. We also explore a different approach for achieving SSB hashing from the \(\phi \)-hiding assumption, which does not go through a Merkle-Tree type construction. Roughly our approach uses a construction is structurally similar to standard constructions RSA accumulators [BdM93]. However, we construct a modus N to be such that for some given prime exponent e we have that e divides \(\phi (N)\). This means that if \(y \in \mathbb {Z}_N\) is not an e-th residue \(\mod N\), then there exists no value \(\pi \in \mathbb {Z}_{N}\) where \(\pi ^e = y\). This will lead to our statistical binding property as we will leverage this fact to make the value e related to an index we wish to be binding on. Index hiding will follow from the \(\phi \)-hiding assumption.

2 Preliminaries

SSB Hash (with Local Opening). Our definition follows that of [HW15], but whereas that work only defined SSB hash which included the local opening requirement by default, it will be convenient for us to also separately define a weaker variant which does not require the local opening property.

Definition 2.1

(SSB Hash). A somewhere statistically binding (SSB) hash consists of PPT algorithms \(\mathcal {H}= (\mathsf {Gen}, H)\) and a polynomial \(\ell (\cdot ,\cdot )\) denoting the output length.

• \(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda , 1^s, L, i)\): Takes as input a security parameter \(\lambda \) a block-length s an input-length \(L \le 2^\lambda \) and an index \(i \in \{0,\ldots ,L-1\}\) (in binary) and outputs a public hashing key \(\mathsf {hk}\). We let \(\Sigma = \{0,1\}^s\) denote the block alphabet. The output size is \(\ell = \ell (\lambda ,s)\) and is independent of the input-length L.

• \(H_{\mathsf {hk}}: \Sigma ^L \rightarrow \{0,1\}^{\ell }\): A deterministic poly-time algorithm that takes as input \(x = (x[0], \ldots , x[L-1]) \in \Sigma ^L\) and outputs \(H_{\mathsf {hk}}(x) \in \{0,1\}^{\ell }\).

We require the following properties:

• Index Hiding: We consider the following game between an attacker \(\mathcal {A}\) and a challenger:

• The attacker \(\mathcal {A}(1^\lambda )\) chooses parameters \(1^s,L\) and two indices \(i_0, i_1 \in \{0,\ldots ,L-1\}\).

• The challenger chooses a bit \(b \leftarrow \{0,1\}\) and sets \(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda ,1^s,L, i_b)\).

• The attacker \(\mathcal {A}\) gets \(\mathsf {hk}\) and outputs a bit \(b'\).

We require that for any PPT attacker \(\mathcal {A}\) we have \(|\Pr [ b = b'] - \frac{1}{2}| \le \text {negl}(\lambda )\) in the above game.

• Somewhere Statistically Binding: We say that \(\mathsf {hk}\) is statistically binding for an index \(i \in [L]\) if there do not exist any values \(x,x' \in \Sigma ^L\) with \(x[i] \ne x'[i]\) such that \(H_{\mathsf {hk}}(x) = H_{\mathsf {hk}}(x')\). We require that for any parameters s, L and any integer \(i \in \{0,\ldots ,L-1\}\) we have:

  $$ \Pr [ \mathsf {hk} \text{ is } \text{ statistically } \text{ binding } \text{ for } \text{ index } i~:~ \mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda ,1^s,L, i)] \ge 1- \text {negl}(\lambda ). $$

  We say that the hash is perfectly binding if the above probability is 1.

Definition 2.2

(SSB Hash with Local Opening). An SSB Hash with local opening \(\mathcal {H}= (\mathsf {Gen}, H, \mathsf {Open}, \mathsf {Verify})\) consists of an SSB hash \((\mathsf {Gen},H)\) with output size \(\ell (\cdot ,\cdot )\) along with two additional algorithms \(\mathsf {Open}, \mathsf {Verify}\) and an opening size \(p(\cdot ,\cdot )\). The additional algorithms have the following syntax:

• \(\pi \leftarrow \mathsf {Open}(\mathsf {hk},x,j)\): Given the hash key \(\mathsf {hk}\), \(x \in \Sigma ^L\) and an index \(j \in \{0,\ldots ,L-1\}\), creates an opening \(\pi \in \{0,1\}^p\). The opening size \(p = p(\lambda ,s)\) is a polynomial which is independent of the input-length L.

• \(\mathsf {Verify}(\mathsf {hk}, y, j, u , \pi )\): Given a hash key \(\mathsf {hk}\) a hash output \(y \in \{0,1\}^{\ell }\), an integer index \(j \in \{0,\ldots ,L-1\}\), a value \(u \in \Sigma \) and an opening \(\pi \in \{0,1\}^{p}\), outputs a decision \(\in \{\mathsf {accept},\mathsf {reject}\}\). This is intended to verify that a pre-image x of \(y=H_{\mathsf {hk}}(x)\) has \(x[j] = u\).

We require the following two additional properties.

• Correctness of Opening: For any parameters s, L and any indices \(i,j \in \{0,\ldots ,L-1\}\), any \(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda , 1^s, L, i)\), \(x \in \Sigma ^L\), \(\pi \leftarrow \mathsf {Open}(\mathsf {hk},x,j)\): we have \(\mathsf {Verify}(\mathsf {hk}, H_{\mathsf {hk}}(x), j, x[j], \pi ) = \mathsf {accept}\)

• Somewhere Statistically Binding w.r.t. Opening: ³ We say that \(\mathsf {hk}\) is statistically binding w.r.t opening (abbreviated SBO) for an index i if there do not exist any values \(y, u \ne u', \pi , \pi '\) s.t.

  $$\mathsf {Verify}(\mathsf {hk}, y, i, u , \pi ) = \mathsf {Verify}(\mathsf {hk}, y, i, u', \pi ') = \mathsf {accept}.$$

  We require that for any parameters s, L and any index \(i \in \{0,\ldots ,L-1\}\)

  $$ \Pr [ \mathsf {hk} \text{ is } \text{ SBO } \text{ for } \text{ index } i~:~ \mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda ,1^s, L, i) ] \ge 1 - \text {negl}(\lambda ). $$

  We say that the hash is perfectly binding w.r.t. opening if the above probability is 1.

Fixed-Parameter Variants. The above definitions allow for a flexible input-length L and block-length s specified by the user as inputs to the \(\mathsf {Gen}\) algorithm. This will be the default throughout the paper, but we also consider variants of the above definition with a fixed-input-length L and/or fixed-block-length s where these values cannot be specified by the user as inputs to the \(\mathsf {Gen}\) algorithm but are instead set to some fixed value (a constant or polynomial in the security parameter \(\lambda \)) determined by the scheme. In the case of a fixed-input-length variant, the definitions are non-trivial if the output-length \(\ell \) and opening-size p satisfy \(\ell ,p < L \cdot s\).

Discussion. There are several constructions of SSB hash that do not provide local opening. For example, any PIR scheme can be used to realize an SSB hash without local opening. The hash key \(\mathsf {hk}\) consists of a PIR query for index i and the hash \(H_{\mathsf {hk}}(x)\) simply computes the PIR response using database x. Unfortunately, we do not know how to generically add a local opening capability to such SSB hash constructions.

3 Two-to-One SSB Hash

As our main building block, we rely on a notion of a “two-to-one SSB hash”. Informally, this is a fixed-input-length and flexible-block-size SSB hash (we do not require local opening) that maps two input blocks (\(L=2\)) to an output which is roughly the size of one block (up to some small multiplicative and additive factors).

Definition 3.1

(Two-to-One SSB Hash). A two-to-one SSB hash is an SSB hash with a fixed input-length \(L=2\) and flexible block-length s. The output-length is \(\ell (\lambda , s) = s \cdot (1 + 1/\varOmega (\lambda )) + \textsc {poly}(\lambda )\).

We give three constructions of a Two-to-One SSB Hash systems. Our first construction is built from the DDH-hard groups with compact representation. This construction achieves perfect binding. Our next construction is built from the DCR assumption. Lastly, we generalize our approach by showing a (variant of) Two-to-One SSB hashing that can work from any lossy function. We note that lossy functions can be built from a variety of number theoretic primitives including DDH (without compact representation), Learning with Errors, and the \(\phi \)-hiding assumption.

Remark: Impossibility without Overhead. We note that the need for some “slack” is inherent in the above definition and we cannot get a two-to-one SSB hash where the output is exactly \(\ell (\lambda ,s) = s\) matching the size of one of the inputs. This is because in that case, if we choose \(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda , 1^s, i=0)\) then for each \(x_0 \in \{0,1\}^s\) there is a unique choice of \(y \in \{0,1\}^s\) such that \(H_{\mathsf {hk}}(x_0,x_1) = y\) no matter what \(x_1\) is. In other words, the function \(H_{\mathsf {hk}}(x_0,x_1)\) does not depend on the argument \(x_1\). Symmetrically, if \(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda , 1^s, i=1)\) then the function \(H_{\mathsf {hk}}(x_0,x_1)\) does not depend on the argument \(x_0\). These two cases are easy to distinguish.

3.1 Two-to-One SSB Hash from DDH

DDH Hard Groups and Representation Overhead. Let \(\mathcal {G}\) be a PPT group generator algorithm that takes as input the security parameter \(1^{\lambda }\) and outputs a pair \({\mathbb G},p\) where \({\mathbb G}\) is a group description of prime order p for \(p \in \varTheta (2^{\lambda })\).

Assumption 1

(Decision Diffie-Hellman Assumption). Let \(({\mathbb G},p) \leftarrow \mathcal {G}(1^{\lambda })\) and \(b\leftarrow \{0,1\}\). Choose a random generator \(g \in G\) and random \(x,y \in \mathbb {Z}_p\) Let \(T \leftarrow {\mathbb G}\) if \(b=0\), else \(T \leftarrow g^{xy}\). The advantage of algorithm \(\mathcal {A}\) in solving the decision Diffie-Hellman problem is defined as

$$ \mathsf {Adv}_{\mathcal {A}} = \left| Pr[b \leftarrow \mathcal {A}({\mathbb G}, p, g, g^x, g^y, T)] - \frac{1}{2} \right| .$$

We say that the Decision-Diffie Hallman assumption holds if for all PPT \(\mathcal {A}\), \(\mathsf {Adv}_{\mathcal {A}}\) is negligible in \(\lambda \).

Representation Overhead of Group Elements. In this work we will be concerned with how efficiently (prime order) group elements are represented. We are interested in the difference between the number of bits to represent a group element and \(\lfloor \lg ( p ) \rfloor \). In our definition we consider the bit representation of a group to be intrinsic to a particular group description.

Definition 3.2

(Representational Overhead). Consider a family of prime order groups output from some group generation algorithm \(\mathcal {G}(1^{\lambda })\) that outputs a group of prime order p for \(2^\lambda < p < 2^{\lambda +1}\). Notice that for a generator g in such a group that \(g^i \ne g^j\) for \(i, j \in [0, 2^{\lambda }]\) and \(i \ne j\). (I.e. no “wraparound” happens.)

We define the representational overhead \(\delta (\lambda )\) to be the function which expresses maximum difference between the number of bits used to represent a group element of \({\mathbb G}\) and \(\lambda \), where \({\mathbb G},p \leftarrow \mathcal {G}(1^{\lambda })\).

For this work we are interested in families of groups who representational overhead \(\delta (\lambda )\) is some constant c. Examples of these include groups generated from strong primes and certain elliptic curve groups.

Construction of Two-to-One SSB. We now describe our Two-To-One SSB Hash. We will use a group generation algorithm \(\mathcal {G}\) that has constant representational overhead c as defined in Definition 3.2. Consider a matrix \(\mathbf {M}\) over \(\mathbb {Z}_p\) and group generator g of order p we will use the notation \(g^{\mathbf {M}}\) as short hand for giving out g raised to each element of \(\mathbf {M}\).

The construction sets up a hash function key \(\mathsf {hk}\) for a function that takes two s bit inputs \(x_A\) and \(x_B\). If the index bit \(\beta =0\) it will be statistically binding on \(x_A\); otherwise it is statistically binding on \(x_B\). At a high level the construction setup is intuitively similar to the Lossy trapdoor function algorithms of Peikert and Waters [PW08] where the setup creates two functions — one injective and the other lossy and assigns whether the lossy function corresponds to the A or B input according to the index bit \(\beta \).

There are two important differences from the basic PW construction. First the PW construction encrypted the input bit by bit. This low rate of encoding was needed in order to recover the input from a trapdoor in [PW08], but a trapdoor is not required for our hash function. Here we cram in as many bits into a group element as possible. This is necessary to satisfy the SSB output size properties. We note [BHK11] pack bits in a similar manner. The second property we have is that the randomness used to generate both the injective and lossy function is correlated such that we can intuitively combine the outputs of each into one output where the output length is both small and maintains the committing property of the injective function. We note that our description describes the procedures directly and the connection to injective and lossy functions is given for intuition, but not made formal.

\(\mathsf {Gen}_{\text {Two-to-One}}(1^\lambda , 1^s, \beta \in \{0,1\})\)

The generation algorithm first sets \(t = \max (\lambda , \lfloor \sqrt{s \cdot c} \rfloor )\). (The variable t will be the number of bit each group element can uniquely represent.) It then calls \(\mathcal {G}(1^t) \rightarrow ({\mathbb G},p)\) with \(2^t < p < 2^{t+1}\) and chooses a random generator \(g \in {\mathbb G}\).

Next, it lets \(d = \lceil \frac{s}{t} \rceil \). It then chooses random \(w_1, \ldots , w_d \in \mathbb {Z}_p\), two random column vectors \(\mathbf {a} = (a_{1}, \ldots , a_{d}) \in \mathbb {Z}_p^d\) and \(\mathbf {b} = (b_{1}, \ldots , b_{d}) \in \mathbb {Z}_p^d\). We let \(\tilde{\mathbf {A}}\) be the \(d \times d\) matrix over \(\mathbb {Z}_p\) where the (i, j)-th entry is \(a_i \cdot w_{j} \) and \(\tilde{\mathbf {B}}\) be the \(d \times d\) matrix over \(\mathbb {Z}_p\) where the (i, j)-th entry is \(b_i \cdot w_{j} \). Finally, let \(\mathbf {A}\) be \(\tilde{\mathbf {A}} + (1-\beta ) \cdot \mathbf {I}\) and \(\mathbf {B}\) be \(\tilde{\mathbf {B}} + \beta \cdot \mathbf {I}\) where \(\mathbf {I}\) is the identity matrix. (I.e. we add in the identity matrix to \(\tilde{\mathbf {A}}\) to get the \(\mathbf {A}\) matrix if the selection bit \(\beta =0\); otherwise, if \(\beta =1\) add in the identity matrix to \(\tilde{\mathbf {B}}\) to get \(\mathbf {B}\).)

The hash key is \(\mathsf {hk}= (g^{\mathbf {a}}, g^{\mathbf {b}}, g^{\mathbf {A}}, g^{\mathbf {B}} )\).

\(H_{\mathsf {hk}}: \{0,1\}^s \times \{0,1\}^s \rightarrow {\mathbb G}^{d+1}\)

The hash function algorithm takes in two inputs \(x_A \in \{0,1\}^s\) and \(x_B \in \{0,1\}^s\). We can view the bitstrings \(x_A\) and \(x_B\) each as consisting of d blocks each of t bits (except the last block which may be less). The function first parses these each as row vectors \(\mathbf {x}_A = ( x_{A,1}, \ldots , x_{A,d})\) and \(\mathbf {x}_B = (x_{B,1}, \ldots , x_{B,d})\). These have the property that for \(j \in [d]\) we have \(x_{A,j}\) is an integer \(< 2^t \le p\) representing the \(j-th\) block of bits as an integer.

Next, it computes

$$ V = g^{ \mathbf {x}_A \mathbf {a} +\mathbf {x}_B \mathbf {b}} , \ Y = g^{ \mathbf {x}_A \mathbf {A} +\mathbf {x}_B \mathbf {B}}. $$

We observe that V is one group element in \({\mathbb G}\) and Y is a vector of d group elements. Thus the output size of the hash is \((d+1) \cdot (t+c)\) bits.

Analysis. We now analyze the size overhead, index hiding and binding properties of the hash function.

Overhead. The output of the hash function is \(d+1\) group elements each of which takes \(t+c\) bits to represent for a total output size of \((d+1)(t+c)\) bits. In the case where \(\lfloor \sqrt{s \cdot c} \rfloor \ge \lambda \), we can plug in our parameter choices for t, d and see that the outputsize \(\ell (\lambda , s) = s+ \mathcal {O} ( \sqrt{s} )\), thus matching the requirements of Definition 3.1. In the case where \(\lfloor \sqrt{s \cdot c} \rfloor < \lambda \) we have that \(\ell (\lambda , s) = s+ \mathcal {O}( \lambda )\) thus also matching our definition.

Somewhere Statistically Binding. We show that the hash function above is selectively binding respective to the bit \(\beta \). We demonstrate this for the \(\beta =0\) case. The \(\beta =1\) case follows analogously.

Suppose a hash key \(\mathsf {hk}\) were setup according to the process \(\mathsf {Gen}_{\mathrm {Two-to-One}}\) as above with the input \(\beta =0\). Now consider the evaluation \(H_{\mathsf {hk}}(x_A, x_B) = \left( V, Y= (Y_1, \ldots , Y_d) \right) \). We have that for all \(j \in [1,d]\) that \(Y_j / V^{w_j}= g^{x_{A,j}}\). Let’s verify this claim. First from the hash definition we can work out that

$$V= g^{\Sigma _{i \in [d]} x_{A,i} a_i + x_{B,i} b_i }$$

and

$$Y_j = g^{ x_{A,j} + \Sigma _{i \in [d]} x_{A,i} (a_i w_j) + x_{B,i} (b_i w_j) } = g^{ x_{A,j}} g^{ w_j (\Sigma _{i \in [d]} x_{A,i} a_i + x_{B,i} b_i ) }.$$

The claim that \(Y_j / V^{w_j}= g^{x_{A,j}}\) follows immediately from these equations.

Now suppose that we are given two inputs \((x_A, x_B)\) and \((x'_A, x'_B)\) such that \(x_A \ne x'_A\) There must then exist some j such that \(x_{A,j} \ne x'_{A,j}\). Let \(H_{\mathsf {hk}}(x_A, x_B) = \left( V, Y= (Y_1, \ldots , Y_d) \right) \) and \(H_{\mathsf {hk}}(x'_A, x'_B) = \left( V', Y'= (Y'_1, \ldots , Y'_d) \right) \). From the above claim it follows that \(Y_j / V^{w_j}= g^{x_{A,j}}\) and \(Y_j / V^{w_j}= g^{x'_{A,j}}\). Therefore \((V, Y_j) \ne (V', Y'_j)\) and the outputs of the hashes are distinct.

Index Hiding. We now prove index hiding. To do this we define \(\mathsf {Game}~_{\mathrm {normal}}\) to be the normal index hiding game on the two-to-one construction and \(\mathsf {Game}~_{\mathrm {random}}\) to be the index hiding game, but where the matrices \(\tilde{\mathbf {A}}\) and \(\tilde{\mathbf {B}}\) are chosen randomly when constructing the hash function \(\mathsf {hk}\).

We first argue that if the decision Diffie-Hellman assumption holds, then the advantage of any PPT attacker \(\mathcal {A}\) in \(\mathsf {Game}~_{\mathrm {normal}}\) must be negligibly close to its advantage in \(\mathsf {Game}~_{\mathrm {random}}\). To show this we apply a particular case of the decision matrix linear assumption family introduced by Naor and Segev [NS12]. They show (as part of a more general theorem) that if the decision Diffie-Hellman assumption holds that a PPT attacker cannot distinguish if a \(2d \times (d+1)\) matrix \(\mathbf {M}\) over \(\mathbb {Z}_p\) was sampled randomly from the set of rank 1 matrices or rank \(d+1\) matrices given \(g^\mathbf {M}\).

Suppose that the difference of advantage for some attacker in \(\mathsf {Game}~_{\mathrm {normal}}\) and \(\mathsf {Game}~_{\mathrm {random}}\) is some non-negligible function of \(\lambda \). Then we construct an algorithm \(\mathcal {B}\) on the above decision matrix linear assumption. \(\mathcal {B}\) receives a challenge \(g^{\mathbf {M}}\) and breaks this into \(g^{\mathbf {M}_A}\) and \(g^{\mathbf {M}_B}\) where \(\mathbf {M}_A\) is the top half of the matrix \(\mathbf {M}\) and \(\mathbf {M}_B\) is the bottom half. It then takes \(g^{\mathbf {a}}\) from the first column of \(g^{\mathbf {M}_A}\) and \(g^{\tilde{\mathbf {A}}}\) as the remaining d columns. Similarly, \(\mathcal {B}\) takes \(g^{\mathbf {b}}\) from the first column of \(g^{\mathbf {M}_B}\) and \(g^{\tilde{\mathbf {B}}}\) as the remaining d columns. It then samples a random index \(\beta \in \{0,1\}\) and continues to use these values in executing \(\mathsf {Gen}_{\mathrm {Two-to-One}}\), giving the hash key \(\mathsf {hk}\) to the attack algorithm.

If \(g^{\mathbf {M}}\) were sampled as a rank 1 matrix, then the view of the attacker is the same as executing \(\mathsf {Game}~_{\mathrm {normal}}\). Otherwise, if \(g^{\mathbf {M}}\) were sampled as a rank \(d+1\) matrix the attacker’s view is statistically close to \(\mathsf {Game}~_{\mathrm {random}}\) (as choosing a random rank \(d+1\) matrix is statistically close to choosing a random matrix). If the attacker \(\mathcal {A}\) correctly guesses \(\beta '=\beta \), then \(\mathcal {B}\) guesses the matrix was rank 1, else it guesses it was rank \(d+1\). If the difference in advantage of \(\mathcal {A}\) in the two games is non-neglgibile, then \(\mathcal {B}\) has a non-negligible advantage in the decision matrix game.

Finally, we see that in \(\mathsf {Game}~_{\mathrm {random}}\) any attacker’s advantage must be 0 as the distributions of the outputs are independent of \(\beta \).

3.2 Two-to-One SSB Hash from DCR

We can also construct a two-to-one hash with perfect binding from the decisional composite residuocity (DCR) assumption. We do so by relying on the Damgård-Jurik cryptosystem [DJ01] which is itself a generalization of the Pallier cryptosystem based on the DCR assumption [Pai99]. We rely on the fact that this cryptosystem is additively homomorphic and “length flexible”, meaning that it has a small ciphertext expansion. When we plug this construction of a two-to-one SSB hash into our full construction of SSB hash with local opening, we essentially get the private-information retrieval (PIR) scheme of Lipmaa [Lip05]. Note that, in general, PIR implies SSB hash but only without local opening. However, the particular PIR construction of [Lip05] already has a tree-like structure which enables efficient local opening.

Damgård-Jurik. The Damgård-Jurik cryptosystem consists of algorithms \((\mathsf {KeyGen},\) \(\mathsf {Enc},\) \(\mathsf {Dec})\). The key generation \((\mathsf {pk},\mathsf {sk}) \leftarrow \mathsf {KeyGen}(1^\lambda )\) generates a public key \(\mathsf {pk}= n = pq\) which is a product of two primes p, q and \(\mathsf {sk}= (p,q)\). For any (polynomial) w the scheme can be instantiated to have plaintext space \(\mathbb {Z}_{n^w}\) and ciphertext space \(\mathbb {Z}^*_{n^{w+1}}\). The encryption/decryption procedures \(c = \mathsf {Enc}_{\mathsf {pk}}(m;r)\) and \(\mathsf {Dec}_{sk}(c)\) satisfy perfect correctness so that for all \(m \in \mathbb {Z}_{n^w}\) and all possible choices of the randomness r we have \(\mathsf {Dec}_{\mathsf {sk}}(\mathsf {Enc}_{\mathsf {pk}}(m;r)) = m\). Moreover the scheme is additively homomorphic, meaning that there is an operation \(\oplus \) such that \(\mathsf {Enc}_{\mathsf {pk}}(m;r) \oplus \mathsf {Enc}_{\mathsf {pk}}(m';r') = \mathsf {Enc}_{\mathsf {pk}}(m+m'; r'')\) for some \(r''\) (the operation \(+\) is in the ring \(\mathbb {Z}_{n^{w}}\)). Similarly, we can define homomorphic subtraction \(\ominus \). Furthermore, by performing repeated addition we can also implement an operation \(\otimes \) that allows for multiplication by a plaitnext element \(\mathsf {Enc}_{\mathsf {pk}}(m;r)\otimes m' = \mathsf {Enc}_{\mathsf {pk}}(m \cdot m'; r')\) for some \(r'\) (the operation \(\cdot \) is in the ring \(\mathbb {Z}_{n^{w}}\)). The semantic security of the cryptosystem holds under the DCR assumption.

Construction of Two-to-One SSB. We use the Damgård-Jurik cryptosystem to construct an SSB hash as follows.

• \(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda , 1^s, \beta \in \{0,1\})\) Choose \((\mathsf {pk}, \mathsf {sk}) \leftarrow \mathsf {KeyGen}(1^\lambda )\) to be a Damgård-Jurik public/secret key. We assume (without loss of generality) that the modulus n satisfies \(n > 2^\lambda \). Set the parameter w which determines the plaintext space \(\mathbb {Z}_{n^w}\) and the ciphertext space \(\mathbb {Z}^*_{n^{w+1}}\) to be \(w = \lceil s/ \log n \rceil \) so that we can interpret \(\{0,1\}^s\) as a subset of \(\mathbb {Z}_{n^w}\). Choose \(c \leftarrow \mathsf {Enc}_{\mathsf {pk}}(\beta )\) and output \(\mathsf {hk}= (\mathsf {pk}, c)\).

• \(H_{\mathsf {hk}}(x_0,x_1)\): Parse \(\mathsf {hk}= (\mathsf {pk}, c)\) and interpret the values \(x_0,x_1 \in \{0,1\}^s\) as ring elements \(x_0,x_1 \in \mathbb {Z}_{n^w}\). Define the value \(\mathbf {1}_{ct} = \mathsf {Enc}_{\mathsf {pk}}(1;r_0)\) to be a fixed encryption of 1 using some fixed randomness \(r_0\) (say, all 0s). Compute \(c^* := (x_1 \otimes c) \oplus (x_0 \otimes (\mathbf {1}_{ct} \ominus c))\). By the homomorphic properties of encryption, \(c^*\) is an encryption of \(x_{\beta }\).

Theorem 3.3

The above construction is a two-to-one SSB hash with perfect binding under the DCR assumption.

Proof

The index hiding property follows directly from the semantic security of the Damgård-Jurik cryptosystem, which in turn follows from the DCR assumption.

The perfect binding property follows from the perfect correctness of the cryptosystem. In particular, if \(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda , 1^s, \beta )\) then \(y = H_{\mathsf {hk}}(x_0,x_1)\) satisfies \(y = \mathsf {Enc}_{\mathsf {pk}}(x_{\beta }; r)\) for some r which perfectly determines \(x_{\beta }\).

Lastly, the output size of the hash function is

$$\begin{aligned} \ell (s,\lambda )= & {} (w+1)\lceil \log n \rceil = (\lceil s/ \log n \rceil + 1) \lceil \log n \rceil \\\le & {} (1 + 1/\log n)s + O(\log n) = (1 + 1/\varOmega (\lambda ))s + \mathsf {poly}(\lambda ). \end{aligned}$$

3.3 SSB with Local Opening from Two-to-One SSB

We now show how to construct a SSB hash with local opening from a two-to-one SSB hash via the “Merkle Tree” construction. Assume that \(\mathcal {H}= (\mathsf {Gen}, H)\) is a two-to-one SSB hash family with output length give by \(\ell (s,\lambda )\). We use this hash function in a Merkle-Tree to construct an SSB hash with local opening \(\mathcal {H}^* = (\mathsf {Gen}^*, H^*, \mathsf {Open}, \mathsf {Verify})\) as follows.

• \(\mathsf {hk}\leftarrow \mathsf {Gen}^*(1^\lambda , 1^s, L, i)\): Let \((b_q,\ldots ,b_1)\) be the binary representation of i (with \(b_1\) being the least significant bit) where \(q = \lceil \log L \rceil \). For \(j \in [q]\) define the block-lengths \(s_1,\ldots ,s_q\) where \(s_1 = s\) and \(s_{j+1} = \ell (s_j, \lambda )\). Choose \(\mathsf {hk}_j \leftarrow \mathsf {Gen}(1^\lambda , 1^{s_j}, b_j)\) and output \(\mathsf {hk}= (\mathsf {hk}_1,\ldots ,\mathsf {hk}_q)\).

• \(y = H^*_{\mathsf {hk}}(x)\): For \(x = (x[0],\ldots ,x[L-1]) \in \Sigma ^L\), \(\mathsf {hk}= (\mathsf {hk}_1,\ldots ,\mathsf {hk}_q)\) proceed as follows. Define T to be a complete binary tree of height q where level 0 of the tree denotes the leaves and level q denotes the root. We will assign a label to each vertex in the tree. The L leaf vertices are assigned the labels \(x[0],\ldots ,x[L-1]\). The rest of the labels are assigned inductively where each non-leaf vertex v at level j of the tree with children that have labels \(x'_0, x'_1\) gets assigned the label \(H_{\mathsf {hk}_j}(x'_0, x'_1)\). The output of the hash is the label y assigned to the root of the tree.

• \(\pi = \mathsf {Open}(\mathsf {hk},x,j)\): Compute the labeled tree T as above. Output the labels of all the sibling nodes along the path from the root to the j’th leaf.

• \(\mathsf {Verify}(\mathsf {hk}, y, j, u , \pi )\): Recompute all of the labels of the nodes in the tree T that lie on the path from the root to the j’th leaf by using the value u for that leaf and the values given by \(\pi \) as the labels of all the sibling nodes along the path. Check that the recomputed label on the root of the tree is indeed y.

Theorem 3.4

If \(\mathcal {H}\) is a two-to-one SSB hash then \(\mathcal {H}^*\) is a SSB hash with local opening.

Proof

Firstly, the index hiding property of \(\mathcal {H}^*\) follows directly from that of \(\mathcal {H}\) via q hybrid arguments. In particular, if \(i_0 = (b^0_q,\ldots ,b^0_1)\) and \(i_1 = (b^1_q,\ldots ,b^1_1)\) are the two indices chosen by the attacker during the security game for index hiding, then we can prove the indistinguishability of \(\mathsf {hk}^0 \leftarrow \mathsf {Gen}^*(1^\lambda , L,s,i_0)\) and \(\mathsf {hk}^1 \leftarrow \mathsf {Gen}^*(1^\lambda , L,s,i_1)\) via q hybrid games where we switch the component keys \(\mathsf {hk}= (\mathsf {hk}_1,\ldots ,\mathsf {hk}_q)\) from being chosen as \(\mathsf {hk}_j \leftarrow \mathsf {Gen}(1^\lambda , 1^s, b^0_j)\) to \(\mathsf {hk}_j \leftarrow \mathsf {Gen}(1^\lambda ,1^s, b^1_j)\).

Secondly, to show that \(\mathcal {H}^*\) is somewhere statistically binding w.r.t. opening, assume that there exist some \(y, u \ne u', \pi , \pi '\) s.t. \(\mathsf {Verify}(\mathsf {hk}, y, i, u , \pi ) = \mathsf {Verify}(\mathsf {hk}, y, i, u', \pi ') = \mathsf {accept}\). Recall that the verification procedure assigns labels to all the nodes along the path from the root to the i’th leaf. During the two runs of the verification procedure with the above inputs, let \(0 < j \le q\) be the lowest level at which both runs assign the same label w to the node at level j (this must exist since the root at level q is assigned the same label y in both runs and the leafs at level 0 are assigned different values \(u,u'\) in the two runs). Let \(v,v'\) be the two different labels assigned to the node at level \(j-1\) by the two runs. Then \(w = H_{\mathsf {hk}_j}(x) = H_{\mathsf {hk}_j}(x')\) for some \(x,x' \in \Sigma ^2\) such that \(x[b_j] = v \ne x'[b_j] = v'\). This means that \(\mathsf {hk}_j\) is not statistically binding on the index \(b_j\), but this can only happen with negligible probability by the somewhere statistically binding property of the 2-to-1 SSB hash \(\mathcal {H}\). Therefore \(\mathcal {H}^*\) is somewhere statistically binding w.r.t. opening.

Lastly, the output length of \(\mathcal {H}^*\) is given by \(\ell ^*(s,\lambda ) = s_{q+1}\) where \(s_1 = s\) and for each other \(j \in [q]\), \(s_{j+1} = \ell (s_j, \lambda )\). The output length of a SSB hash guarantees that \(\ell (s_j, \lambda ) = s_j(1 + 1/\varOmega (\lambda )) + a(\lambda )\) where \(a(\cdot )\) is some fixed polynomial. This ensures that

$$\ell ^*(s,\lambda ) = s(1 + 1/\varOmega (\lambda ))^q + a(\lambda ) \sum _{j=0}^{q-1} (1 + 1/\varOmega (\lambda ))^j = O(s) + a(\lambda ) O(\lambda )$$

is polynomial in \(s,\lambda \). We rely on the fact that \(q \le \lambda \) to argue that \((1 + 1/\varOmega (\lambda ))^q \le (1 + 1/\varOmega (\lambda ))^\lambda = O(1)\).

Fig. 1.

Illustration of the SSB hash from a lossy function with key \(\mathsf {hk}\leftarrow \mathsf {Gen}^*(1^\lambda ,1^s,L=2^q, i,\Lambda )\), i.e., \(H_\mathsf {hk}(x)\) perfectly binds \(x[i=2]\). For every level \(j\in \{1,\ldots ,q\}\) we sample a pairwise independent function \(h_j:\{0,1\}^{2m'}\rightarrow \{0,1\}^m\), where \(m=2(s+q\Lambda )+\lambda \) for a statistical security parameter \(\lambda \), and two functions \(\mathsf {hk}_j^0,\mathsf {hk}_j^1:\{0,1\}^{m}\rightarrow \{0,1\}^{m'}\) from an \((m,\Lambda )\)-lossy family of functions, one lossy and one injective (we decide which one of the two is the injective one such that the path from the perfectly binded value – here x[2] – to the root only contains injective functions). The injective and lossy functions are shown in green and red, respectively. The SBB hash is now a Merkle-hash with the hash function \(H_j(a,b)=h_j(\mathsf {hk}_j^0(a),\mathsf {hk}_j^1(b))\) used in level j. An edge label t in the figure means that there are at most \(2^t\) possible values at this point, e.g., there are \(2^s\) values of the form \(x[0]\Vert 0^{m-s}\) and the output of a lossy function like \(\mathsf {hk}_1^1\) has at most \(2^\Lambda \) values. To locally open a value, say x[2], we reveal x[2] all the siblings of the nodes on the path from x[2] to the root, those are marked with \(\surd \) in the figure.

4 SSB Hash from Lossy Functions

In this section we describe a simple construction of an SSB Hash with local opening, the main tool we’ll use are lossy functions, introduced by Peikert and Waters [PW08]. They actually introduced the stronger notion of lossy trapdoor functions, where a trapdoor allowed to invert functions with injective keys, we only need the lossiness property, but no trapdoors.

Definition 4.1

An \((m,\Lambda )\)-lossy function is given by a tuple of PPT algorithms

• For \(m,\Lambda \in \mathbb {N}\) and \(\mathsf{mode}\in \{\mathsf{injective}=1,\mathsf{lossy}=0\}\), \(\mathsf{Gen}_\mathsf{LF}(m,\Lambda ,\mathsf{mode})\) outputs a key \(\mathsf {hk}\).

• Every such key \(\mathsf {hk}\) defines a function \(\mathsf {hk}(.):\{0,1\}^m\rightarrow \{0,1\}^{m'}\) (for some \(m'\ge m\)).

We have the following three properties:

• injective: If \(\mathsf {hk}\leftarrow \mathsf{Gen}_\mathsf{LF}(m,\Lambda ,\mathsf{injective})\), then \(\mathsf {hk}(.)\) is injective.

• lossy: If \(\mathsf {hk}\leftarrow \mathsf{Gen}_\mathsf{LF}(m,\Lambda ,\mathsf{lossy})\), then \(\mathsf {hk}(.)\)’s output domain has size \(\le 2^\Lambda \), i.e.

  $$ |\{y\ :\ \exists x\in \{0,1\}^m, \mathsf {hk}(x)=y\}|\le 2^\Lambda $$

• indistinguishable: Lossy and injective keys are computationally indistinguishable. More concretely, think of \(\Lambda \) as a security parameter and let \(m=\mathsf {poly}(\Lambda )\), then the advantage of any PPT adversary in distinguishing \(\mathsf{Gen}_\mathsf{LF}(m,\Lambda ,\mathsf{injective})\) from \(\mathsf{Gen}_\mathsf{LF}(m,\Lambda ,\mathsf{lossy})\) is negligible in \(\Lambda \).

The Construction. Our construction \((\mathsf {Gen}^*, H^*, \mathsf {Open}, \mathsf {Verify})\) is illustrated in Fig. 1, we define it formally below.

• \(\mathsf {hk}\leftarrow \mathsf {Gen}^*(1^\lambda ,1^s,L=2^q, i,\Lambda )\): Set \(m=2(s+q\Lambda )+\lambda \). For \(i \in \{0,\ldots ,2^q-1\}\), let \((b_q,\ldots ,b_1)\) be the binary representation of i (with \(b_1\) being the least significant bit).

  For every j: Choose \(\mathsf {hk}^0_i \leftarrow \mathsf{Gen}_\mathsf{LF}(m,\Lambda ,1-b_j)\) and \(\mathsf {hk}^1_i\leftarrow \mathsf{Gen}_\mathsf{LF}(m,\Lambda ,b_j)\). Sample a pairwise independent hash function \(h_j:\{0,1\}^{2m'}\rightarrow \{0,1\}^m\) and let \(\mathsf {hk}_j=(\mathsf {hk}^0_j,\mathsf {hk}^1_j,h_j)\). Each \(\mathsf {hk}_j\) defines a mapping \(H_j:\{0,1\}^{2m}\rightarrow \{0,1\}^m\) defined as

  $$ H_j(a,b)= h_j(\mathsf {hk}^0_j(a),\mathsf {hk}^1_j(b)) $$

  Output \(\mathsf {hk}= (\mathsf {hk}_1,\ldots ,\mathsf {hk}_q)\).

• \(H^*_{\mathsf {hk}}(x)\): For \(x = (x[0],\ldots ,x[2^q-1]) \in \{0,1\}^{s\cdot 2^q}\), \(\mathsf {hk}= (\mathsf {hk}_1,\ldots ,\mathsf {hk}_q)\) proceed as follows. Define T to be a complete binary tree of height q where level 0 of the tree denotes the leaves and level q denotes the root. We will assign a label to each vertex in the tree. The \(2^q\) leaf vertices are assigned the labels \(x[0]\Vert 0^{m-s},\ldots ,x[2^q-1]\Vert 0^{m-s}\) (i.e., the input blocks padded to length m). The rest of the labels are assigned inductively where each non-leaf vertex v at level j of the tree with children that have labels \(x'_0, x'_1\) gets assigned the label \(y = H_j(x'_0, x'_1)\). The output \(H^*_\mathsf {hk}(x)\) is the root of the tree.

• \(\pi =\mathsf {Open}(\mathsf {hk},x,j)\): Compute the labeled tree T as above. Output the labels of all the sibling nodes along the path from the root to the j’th leaf. Figure 1 the values to be opened to reveal x[2] are marked with \(\surd \).

• \(\mathsf {Verify}(\mathsf {hk}, y, j, u , \pi )\): Recompute all of the labels of the nodes in the tree T that lie on the path from the root to the j’th leaf by using the value u for that leaf and the values given by \(\pi \) as the labels of all the sibling nodes along the path. Check that the recomputed label on the root of the tree is indeed y.

Theorem 4.2

The construction of a SSB Hash (with local opening) described below, which maps \(L=2^q\) blocks of length s bits to a hash of size \(m=2(s+q\Lambda )+\lambda \) bits where \(\lambda \) is a statistical security parameter and we assume \((m,\Lambda )\)-lossy functions, is secure. More concretely, the somewhere statistically binding property holds with probability

$$ 1-q/2^\lambda $$

over the choice of the hash key, and the index hiding property can be reduced to the indistinguishability property of the lossy function losing a factor q.

Proof

The index hiding property follows immediately from the indsitinguishability of injective and lossy modes.

To show that the hash is somewhere statistically binding, consider a key \(\mathsf {hk}\leftarrow \mathsf {Gen}^*(1^\lambda ,1^s,L=2^q, i,\Lambda )\). We must prove that with overwhelming probability no hash \(y\in \{0,1\}^{2(s+q\cdot \Lambda )+\lambda }\) exists where \(\mathsf {Verify}(\mathsf {hk}, y, i, u , \pi )=\mathsf {Verify}(\mathsf {hk},y,i,u',\pi ')=\mathsf {accept}\) for some \(u\ne u'\), that is, x[i] can be opened to u and \(u'\).

In a nutshell, the reason why with high probability (over the choice of \(\mathsf {hk}\)) the hash \(H_\mathsf {hk}\) is perfectly binding on its ith coordinate is that the value x[i] at the leaf of the tree only passes through two kinds of functions on its way to the root: injective functions and pairwise independent hashes. Clearly, no information can be lost when passing through an injective function. And every time the value passes through some hash \(h_j\), the other half of the input is the output of a lossy function, and thus can take at most \(2^\Lambda \) possible values. Thus even as we arrive at the root, there are only \(2^{s+q\cdot \Lambda }\) possible values. We now set the output length \(m=2(s+q\cdot \Lambda )+\lambda \) of the \(h_j\)’s so that \(2^m\) is a larger – by a factor \(2^\lambda \) – than the square of the possible values. This then suffices to argue that every \(h_j\) will be injective on its possible inputs (recall that there are at most \(2^{s+q\cdot \Lambda }\) of them) with probability \(\ge 1-2^{-\lambda }\).

For the formal proof it’s convenient to consider the case \(i=0\) (i.e., the leftmost value should be perfectly binding). Let \(\pi =(w_1,\ldots ,w_q)\) and \(\pi '=(w'_1,\ldots ,w'_q)\) be two openings for values \(x[0]\ne x'[0]\), we’ll prove that with probability \(q/2^\lambda \) (over the choice of \(\mathsf {hk}\)) the verification procedure will compute different hashes corresponding to any two such openings (i.e., for every opening \((\pi ,x[0])\), there’s at most one y which makes \(\mathsf {Verify}(\mathsf {hk},y,i=0,x[0],\pi )\) accept), and thus the hash is perfectly binding on index 0.

Let \(v_0=x[i]\Vert 0^{m-s}\) and for \(j=1,\ldots ,q\) define \(v_j = h_j(\mathsf {hk}_j^0(v_{j-1}),\mathsf {hk}_j^1(w_j))\), the \(v'_j\)’s are defined analogously for the other opening. Note that \(v_q\) is the final hash value, so we have to show that \(v_q\ne v'_q\).

We will do so by induction, first, we claim that (for any \(\mathsf {hk}\)) there are at most \(2^{s+j\cdot \Lambda }\) possible values \(v_j\) can take. This is true for \(j=0\) as \(v_0=x[0]\Vert 0^{m-s}\) can take exactly \(2^s\) values by definition. Assume it holds for \(j-1\) and let \(S_{j-1},|S_{j-1}|\le 2^{s+(j-1)\Lambda }\) denote the set of values \(v_{j-1}\) can take, then

$$\begin{aligned} |S_j|= & {} |\left\{ h_j(\mathsf {hk}_j^0(v_{j-1}),\mathsf {hk}_j^1(z))\ :\ v_{j-1}\in S_{j-1}, z\in \{0,1\}^m)\right\} |\end{aligned}$$

(1)

$$\begin{aligned}\le & {} |\{(v_{j-1},\mathsf {hk}_j^1(z))\ :\ v_{j-1}\in S_{j-1}, z\in \{0,1\}^m))\}|\end{aligned}$$

(2)

$$\begin{aligned}\le & {} |S_{j-1}|\cdot 2^\Lambda \end{aligned}$$

(3)

$$\begin{aligned}\le & {} 2^{s+j\Lambda } \end{aligned}$$

(4)

where the first step follows by definition of the set \(S_j\), the second step follows as applying deterministic functions cannot increase the number of possible values, the third step follows as \(\mathsf {hk}_j^1(.)\) is lossy and thus can take at most \(2^\Lambda \) possible values. The last step follows by the induction hypothesis for \(j-1\).

For the proof we will think of the hash key \(\mathsf {hk}= (\mathsf {hk}_1,\ldots ,\mathsf {hk}_q)\), where \(\mathsf {hk}_j=(\mathsf {hk}^0_j,\mathsf {hk}^1_j,h_j)\), as being lazy sampled. Initially, we sample all the \(\mathsf {hk}_j^0,\mathsf {hk}_j^1\) keys. Let \(L_j\subset \{0,1\}^m\) denote the range of the (lossy) \(\mathsf {hk}^1_j(.)\) functions, note that \(|L_j|\le 2^\Lambda \) for all j. The \(h_j\)’s will be sampled one by one in each induction step below.

Assume so far he have sampled \(h_1,\ldots ,h_{j-1}\), and so far for any openings where \(x[0]\ne x'[0]\) we had \(v_j\ne v'_j\). For \(j=0\) this holds as \(x[0]\ne x'[0]\) implies \(v_0=x[0]\Vert 0^{m-s}\ne x'[0]\Vert 0^{m-s}\).

The inputs to the function \(h_j\) (which is still to be sampled) are from \(I_{j-1}=h_j^0(S_{j-1})\times L_{j-1}\), which (as shown above) contains at most \(|S_{j-1}|\cdot |L_{j-1}| \le 2^{s+(j-1)\Lambda }2^\Lambda =2^{s+j\cdot \Lambda }\) elements.

We now sample the pairwise independent hash \(h_j\), as it has range \(2^m\) the probability that any two elements \((v,l)\ne (v',l')\in I_{j-1}\) collide⁴ is \(2^{-m}\), taking the union bound over all pairs of elements we get

$$ 2^{2(s+j\cdot \Lambda )}/2^m\le 2^{-\lambda } $$

Taking the union bound, we get that the probability that the induction fails for any of the q steps is \(q/2^\lambda \) as claimed.

5 SSB from \(\phi \)-hiding

We now move on to building SSB from the \(\phi \)-hiding assumption [CMS99]. This construction will be qualitatively different from the prior ones in that we will not employ a Merkle tree type structure for proving and verifying opens. In contrast a hash output will consist of two elements \(\mathbb {Z}_{N_0}^*\) and \(\mathbb {Z}_{N_1}^*\) for RSA primes \(N_0,N_1\). An opening will consist of a single element of either \(\mathbb {Z}_{N_0}^*\) or \(\mathbb {Z}_{N_1}^*\).

Our construction is structurally similar to standard constructions RSA accumulators [BdM93]. Intuitively, the initial hash key will consist of two RSA moduli \(N_0, N_1\) as well as two group elements \(h_0, h_1\) and keys \(K_0, K_1\) which hash to prime exponents. To compute the hash on input \(x \in \{0,1\}^{L}\) let \(S_0 = \{ i : x[i] =0 \}\) be the set of all indices where the i-th bit is 0 and \(S_1 = \{ i : x[i] =1 \}\) be the set of indices where the i-th bit is 1. The function computes the output

$$ y_0 = h_0^{\prod _{i \in S_0} F_{K_0}(i) } \mod N_0, \quad y_1 = h_1^{\prod _{i \in S_1} F_{K_1}(i) } \mod N_1 . $$

To prove that the j-th bit was 0 the open algorithm will give the \(F_{K_0}(j)\)-th root of \(y_0\). It computes this by letting \(S_0 = \{ i : x[i] =0 \}\) and setting \( \pi = h_0^{\prod _{ \mathbf { i \ne j} \in S_0} F_{K_0}(i) } \mod N_0\). A proof can be checked by simply checking if \(y_0 \mathop {=}\limits ^{?} \pi ^{ F_{K_0}(j)} \mod N_0\). (Proving an opening of 1 follows analogously).

The algorithms as described above very closely match a traditional RSA accumulator. The key distinction is that we can achieve statistical binding on index j by setting \(N_0\) such that \({K_0}(j)\) divides \(\phi (N_0)\) (and similarly for \(N_1\)). The idea is that in this setting if \(y_0\) is not an \({K_0}(j)\)-th residue then there will not exist a value \(\pi \) such that \(y_0 \mathop {=}\limits ^{?} \pi ^{ F_{K_0}(j)} \mod N_0\). The index-hiding property will follow from the \(\phi \)-hiding assumption.

5.1 RSA and \(\phi \)-hiding Preliminaries

We begin by developing our notation and statement of the \(\phi \)-hiding assumption both of which follow closely to Kiltz, O’Neill, and Smith [KOS10]. We let \(\mathcal {P}_k\) denote the set of odd primes that are less than \(2^k\). In addition, we let \((N,p,q) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_k\) be the process of choosing two primes p, q uniformly from \(\mathcal {P}_k\) and letting \(N=pq\). Further we let \((N,p,q) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_k[p =1 \mod e]\) be the be the process of choosing two primes p, q uniformly from \(\mathcal {P}_k\) with the constraint that \(p=1 \mod e\), then letting \(N=pq\).

We can now state the \(\phi \)-hiding assumption relative to some constant \(0 < c < .5\). Consider the following distributions relative to a security parameter \(\lambda \).

$$\begin{aligned} \mathcal {R}&= \{ (e,N) : e, e' \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }; (N,p,q) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_\lambda [p =1 \mod e'] \} \\ \mathcal {L}&= \{ (e,N) : e \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }; (N,p,q) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_\lambda [p =1 \mod e] \} \end{aligned}$$

Cachin, Micali and Stadler [CMS99] show that the two distributions can be efficiently sampled if the Extended Riemann Hypothesis holds. The \(\phi \)-hiding assumption states that for all \(c \in (0,.5)\) no PPT attacker can distinguish between the two distributions with better than negligible in \(\lambda \) probability.

5.2 Conforming Function

Before we give our construction we need one further abstraction. For any integer L we require the ability to sample a keyed hash function \(F(K, \cdot )\) that hashes from an integer \(i \in [0, L-1]\) to a random prime in \(\mathcal {P}_{c \lambda }\). Furthermore, the function should have the property that it is possible to sample the key K in such a way that for a single pair \(i^* \in [0, L-1]\) and \(e^* \in \mathcal {P}_{c \lambda }\) \(F(K, i^*)=e^*\). Moreover such programming should be undetectable if \(e^*\) is chosen at random from \(\mathcal {P}_{c \lambda }\).

We give the definitions of such a function system here and show how to construct one in Appendix A. A conforming function system is parameterized by a constant \(c \in (0,.5)\) and has three algorithms.

\(\textsc {Sample-Normal} (1^\lambda , L ) \rightarrow K\)

Takes in a security parameter \(\lambda \) and a length L (in binary) and outputs a function key K.

\(\textsc {Sample-Program} (1^\lambda , L, i^*, e^* ) \rightarrow K \)

Takes in a security parameter \(\lambda \) and a length L (in binary) as well as a program index \(i^* \in [0, L-1]\) and \(e^* \in \mathcal {P}_{c \lambda }\). It outputs a function key K.

\(F_K : i \rightarrow \mathcal {P}_{c \lambda }\)

If \(\textsc {Sample-Normal} (1^\lambda , L ) \rightarrow K\), then \(F_K\) takes in an index \(i \in [0,L-1]\) and outputs a prime from \(\mathcal {P}_{c \lambda }\).

Properties. Such a system will have four properties:

• Efficiency. The programs \(\textsc {Sample-Normal}\) and \(\textsc {Sample-Program}\) run in time polynomial in \(\lambda \) and L. Let \(\textsc {Sample-Normal} (1^\lambda , L ) \rightarrow K\), then \(F_K\) runs in time polynomial in \(\lambda \) and \(\lg (L)\).

• Programming at \(\varvec{i^{*}.}\) For some \(\lambda , L, i^*, e^*\) let \(\textsc {Sample-Program} (1^\lambda , L, i^*, e^* ) \rightarrow K\). Then \(F_K(i^*) = e^*\) with all but negligible probability in \(\lambda \).

• Non colliding at \(\varvec{i^{*}.}\) For some \(\lambda , L, i^*, e^*\) let \(\textsc {Sample-Program} (1^\lambda , L, i^*, e^* ) \rightarrow K\). Then for any \(i \ne i^*\) the probability that \(F_K(i^*) = F_K(i)\) is negligible in \(\lambda \).

• Indistinguishability of Setup. For any \(L, i^*\) consider the following two distributions:

  $$\begin{aligned} \mathcal {R}_{L,i^*}&= \{ K : e^* \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }; \textsc {Sample-Normal} (1^\lambda , L ) \rightarrow K \} \\ \mathcal {L}_{L,i^*}&= \{ K : e^* \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }; \textsc {Sample-Program} (1^\lambda , L, i^*, e^* ) \rightarrow K \} \end{aligned}$$

  The indistinguishability of setup property states that all PPT adversaries have a most a negligible advantage in distinguishing between the two distributions for all \(L, i^*\).

5.3 Our \(\phi \)-hiding SSB Construction

We now present our \(\phi \)-hiding based SSB construction. Our construction is for an alphabet of a single bit, thus s is implicitly 1 and omitted from our notation. In addition, the construction is parameterized relative to some constant \(c \in (0,.5)\).

\(\mathsf {Gen}(1^\lambda , L, i^*)\)

The generation algorithm first samples two random primes \(e_0, e_1 \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }\). Next, it sets up two conforming functions as \(\textsc {Sample-Program}\) \((1^\lambda , L, i^*, e_0 ) \rightarrow K_0\) and \(\textsc {Sample-Program}\) \((1^\lambda , L, i^*, e_1 ) \rightarrow K_1\). Then it samples \((N_0 ,p_0 ,q_0) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_k[p_0 =1 \mod e_0]\) and \((N_1 ,p_1, q_1) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_k[p_1 =1 \mod e_1]\). Finally, it chooses \(h_0 \in Z_{N_0}^* \) randomly with the constraint that \(h_0^{(p_0-1)/e_0} \ne 1 \mod p_0\) and \(h_1 \in Z_{N_1}^* \) randomly with the constraint that \(h_1^{(p_1 - 1)/e_1} \ne 1 \mod p_1\).

It outputs the hash key as \(\mathsf {hk}= \{L, (N_0, N_1), (K_0, K_1), (h_0, h_1) \}\).

\(H_{\mathsf {hk}}: \{0,1\}^L \rightarrow \mathbb {Z}_{N_0}^*, \mathbb {Z}_{N_1}^* \):

On input \(x \in \{0,1\}^{L}\) let \(S_0 = \{ i : x[i] =0 \}\) be the set of all indices where the i-th bit is 0 and \(S_1 = \{ i : x[i] =1 \}\) be the set of indices where the i-th bit is 1. The function computes

$$ y_0 = h_0^{\prod _{i \in S_0} F_{K_0}(i) } \mod N_0, \quad y_1 = h_1^{\prod _{i \in S_1} F_{K_1}(i) } \mod N_1 . $$

The hash output is \(y= (y_0, y_1)\).

We note that the computation in practice will be done by iteratively with repeated exponentiation as opposed to computing the large integer \(\prod _{i \in S_0} F_{K_0}(i)\) up front.

\(\mathsf {Open}(\mathsf {hk},x,j)\):

If \(x_j=0\) it first lets \(S_0 = \{ i : x[i] =0 \}\). Then it computes

$$ \pi = h_0^{\prod _{ \mathbf { i \ne j} \in S_0} F_{K_0}(i) } \mod N_0. $$

Otherwise, if \(x_j=1\) it first lets \(S_1 = \{ i : x[i] =1 \}\). Then it computes

$$ \pi = h_1^{\prod _{ \mathbf { i \ne j} \in S_1} F_{K_1}(i) } \mod N_1. $$

\(\mathsf {Verify}(\mathsf {hk}, y=(y_0, y_1), j, b \in \{0,1\}, \pi )\):

The verify algorithm checks

$$ y_b \mathop {=}\limits ^{?} \pi ^{ F_{K_b}(j)} \mod N_b. $$

Properties. We now show that the above construction meets the required properties for SSB with local opening. One minor difference from the original definition is that we weaken the statistically binding requirement. Previously, we wanted the binding property to hold for any hash digest y, even one which does not correspond to a correctly generated hash output. In the version we achieve here, we require that \(y = H_{\mathsf {hk}}(x)\) for some x. We define the property formally below.

• Weak Somewhere Statistically Binding w.r.t. Opening: We say that \(\mathsf {hk}\) is weak statistically binding w.r.t opening (abbreviates wSBO) for an index i if there do not exist any values \(x \in \Sigma ^L, u' \ne x[i], \pi '\) s.t. \(\mathsf {Verify}(\mathsf {hk}, H_{\mathsf {hk}}(x), i, u' , \pi )= \mathsf {accept}\). We require that for any parameters s, L and any index \(i \in \{0,\ldots ,L-1\}\)

  $$ \Pr [ \mathsf {hk} \text{ is } \text{ wSBO } \text{ for } \text{ index } i~:~ \mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda ,1^s, L, i) ] \ge 1 - \text {negl}(\lambda ). $$

  We say that the hash is perfectly binding w.r.t. opening if the above probability is 1.

Correctness of Opening. Consider any \(\mathsf {hk}\) generated from the setup algorithm and let \(\pi \) be the output from a call to \(\mathsf {Open}(\mathsf {hk},x,j)\) for some x, j where that \(x[j]=b \in \{0,1\}\). Then \(y_b = h_b^{\prod _{i \in S_b} F_{K_b}(i) } \mod N_b\) and \(\pi = h_b^{\prod _{ \mathbf { i \ne j} \in S_b} F_{K_b}(i) } \mod N_b\). It follows that \(\pi ^{ F_{K_b}(j)} = y_b \mod N_b\).

Weak Somewhere Statistically Binding with Respect to Opening. Suppose that \(\mathsf {Gen}(1^\lambda , L, i^*) \rightarrow \mathsf {hk}\). We argue that with all but negligible probability for all inputs \(x \in \{0,1\}^L\) that the function is statistically binding with respect to opening.

Consider a particular input x where \(x[i^*]=1-b\) and \(H_{\mathsf {hk}}(x)=y=(y_0, y_1)\). We want to show that there does not exist a value \(\pi \) such that \(\mathsf {Verify}(\mathsf {hk}, y=(y_0, y_1), i^*, b \in \{0,1\}, \pi )=1\). Let \(e_b \in \mathcal {P}_{c \lambda }\) be the prime value chosen at hash function setup. By the setup process we have that \(e_b | p_b-1\) and that of \(e_b=F_{K_b}(i^*)\). The latter follows from the Programming at \(i^*\) property of the conforming hash function. Therefore we have that \((\pi ^{e_b})^{(p_b - 1)/e_b} = 1 \mod p_1\) (i.e. \(\pi ^{e_b}\) is an \(e_b\)-th residue mod \(p_b\)).

Recall that \(y_b = h_b^{\prod _{i \in S_b} F_{K_b}(i) } \mod N_b\). Let \(\alpha = \prod _{i \in S_b} F_{K_b}(i)\). By the non-colliding property of F coupled with the fact that \(x[i^*] \ne b\) and thus \(i^* \notin S_b\) with all but negligible probability for all \(i \in S_b\) we have that \(F_{K_b}(i)\) is a prime \(\ne e_b\). Therefore \(\alpha \) is relatively prime to \(e_b\). Since \(h_b\) was chosen to not be a \(e_b\)-th residue mod \(p_b\) and \(\alpha \) is relatively prime to \(e_b\) it follows that \(y_b = h_b^{\alpha } \) is also not an \(e_b\)-th residue mod \(p_b\). However, since \(\pi ^{e_b}\) is an \(e_b\)-th residue mod \(p_b\), it cannot be equal to \(y_b\) and the verification test will fail.

Index Hiding.

We sketch a simple proof of index hiding via a sequence of games. We begin by defining the sequence.

• \(\mathsf {Game}~_0\): The Index Hiding game on our construction.

• \(\mathsf {Game}~_1\): Same as \(\mathsf {Game}~_0\) except that an additional prime \(e'_0 \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }\) is sampled and \((N_0, p_0, q_0) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_\lambda [p =1 \mod e'_0]\). Note that we still sample \((1^\lambda , L, i_b, e_0 ) \rightarrow K_0\) where w.h.p \(e_0 \ne e'_0\). additional prime \(e'_1 \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }\) is sampled and \((N_1, p_1, q_1) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_\lambda [p =1 \mod e'_1]\). Note that we still sample \((1^\lambda , L, i_b, e_1 ) \rightarrow K_1\) where w.h.p \(e_1 \ne e'_1\).

• \(\mathsf {Game}~_3\): Same as \(\mathsf {Game}~_2\) except that \(K_0\) is sampled as \(\textsc {Sample-Normal} (1^\lambda , L ) \rightarrow K_0\).

• \(\mathsf {Game}~_4\): Same as \(\mathsf {Game}~_3\) except that \(K_1\) is sampled as \(\textsc {Sample-Normal} (1^\lambda , L ) \rightarrow K_1\).

It follows directly from the \(\phi \)-hiding assumption that no PPT attacker can distinguish between \(\mathsf {Game}~_1\) and \(\mathsf {Game}~_1\) and that no attacker can distinguish between \(\mathsf {Game}~_1\) and \(\mathsf {Game}~_2\). At this point the primes \(e_0\) and \(e_1\) are used only in the programming of the hash function and are not reflected in the choice of the RSA moduli. For this reason we can now use the Indistinguishability of Setup property of the conforming has to show that no PPT attack can distinguish between \(\mathsf {Game}~_2\) and \(\mathsf {Game}~_3\) and \(\mathsf {Game}~_3\) and \(\mathsf {Game}~_4\). Finally, we observe that the index \(i_b\) is not used at \(\mathsf {Game}~_4\) and thus the bit b is hidden from the attacker’s view.

6 Positional Accumulators

In the full version of this paper, we also discuss how to extend some the above results to positional accumulators. In particular, we show how to construct positional accumulators from a (perfectly binding) two-to-one SSB hash. The construction can also be naturally extended to one based on lossy functions.

A Constructing a Conforming Function

We now give our construction of a conforming hash function per the definition given in Sect. 5.2.

Recall, our goal is to construct a keyed hash function \(F(K, \cdot )\) that hashes from an integer \(i \in [0, L-1]\) to a prime in \(\mathcal {P}_{c \lambda }\). Furthermore, the function should have the property that it is possible to sample the key K in such a way that for a single pair \(i^* \in [0, L-1]\) and \(e^* \in \mathcal {P}_{c \lambda }\) we have \(F(K, i^*)=e^*\). (The constant \(c \in (0,.5)\) is considered a parameter of the system.) Moreover, such programming should be undetectable if \(e^*\) is sampled at random from \(\mathcal {P}_{c \lambda }\).

Our construction below is a simple implementation of this abstraction and all properties are statistically guaranteed (i.e. we do not require any computational assumptions).

\(\textsc {Sample-Normal} (1^\lambda , L ) \rightarrow K\)

We first let \(B= 2^{ \lfloor c \lambda \rfloor }\) and let \(T = \lambda ^2\). The algorithm chooses random \(w_1, \ldots , w_T \in [0, B-1]\). The key K is set as \(K= ( \lambda , w_1, \ldots , w_T)\).

\(\textsc {Sample-Program} (1^\lambda , L, i^*, e^* ) \rightarrow K \)

We first let \(B= 2^{ \lfloor c \lambda \rfloor }\) and let \(T = \lambda ^2\). Initialize a bit (local to this computation) \(\textsc {programmed}\) to be 0. Then proceed in the following manner:

For \(j=1\) to T if \(\textsc {programmed}\mathop {=}\limits ^{?}1\) choose \(v_j\) randomly in \([0,B-1]\) and set \(w_j = v_j - i^* \mod B\). This corresponds to the case where the value \(e^*\) was “already programmed”. Else, if \(\textsc {programmed}\mathop {=}\limits ^{?}0\), it first chooses \(v_j\) randomly in \([0,B-1]\). If \(v_j\) is not prime it simply sets \(w_j = v_j - i^* \mod B\). Otherwise, it sets \(w_j = e^* - i^* \mod B\) and flips the bit \(\textsc {programmed}\) to 1 so that \(e^*\) will not be programmed in again.

The key K is output as \(K= ( \lambda , w_1, \ldots , w_T)\).

\(F_K : i \rightarrow \mathcal {P}_{c \lambda }\)

The function proceeds as follows. Starting at \(j=1\) to T the function tests if \(w_j+ i\) is a prime (i.e. is in \(\mathcal {P}_{c \lambda }\)). If so it outputs \(w_j+i\) and halts. Otherwise, it increments j and tests again. If j goes past T and no primes have been found, the algorithm outputs a default prime \(3 \in \mathcal {P}_{c \lambda }\).⁵

Properties. We now confirm that our function meets all the required properties.

• Efficiency. The programs \(\textsc {Sample-Normal}\) chooses T random values where T is polynomial in \(\lambda \) and \(\textsc {Sample-Program}\) also chooses T random values as well as performing up to T primality tests. The keysizes of both are T integers in [0, B]. Thus the running times and keysizes are polynomial in \(\lambda \) and \(\lg (L)\).

• Programming at \(\varvec{i^{*}.}\) Consider a call to \(\textsc {Sample-Program} (1^\lambda , L, i^*, e^* ) \rightarrow K\). The function \(F_K(i^*)\) will resolve to the smallest j such that \(w_j+i^*\) is a prime (if any of these are a prime). By the design of \(\textsc {Sample-Program}\) this will be \(e^*\) since it puts in \(w_j = e^* - i^* \mod B\) the first time a prime is sampled. In constructing the function if all \(v_j\) sampled were composite then \(F_K(i^*) \ne e^*\), however, this will only occur with negligible probability since the probability of choosing T random integers in \(2^{ \lfloor c \lambda \rfloor }\) and none of them being prime is negligible.

• Non colliding at \(\varvec{i^{*}.}\) For some \(\lambda , L, i^*, e^*\) let \(\textsc {Sample-Program} (1^\lambda , L, i^*, e^* ) \rightarrow K\). Let’s assume that \(F_K(i^*)=e^*\). We first observe that the chances that there exist any pairs \((i_0,j_0) \ne (i_1, j_1)\) such that \(w_{j_0} + i_0 = w_{j_1} +i_1\) is negligible. We consider the probability of this happening on an arbitrary pair and them apply the union bound. Consider a pair \((i_0,j_0) \ne (i_1, j_1)\) If \(j_0 = j_1\) this cannot happen since the two terms differ by \(i_1 - i_0\). Otherwise, we notice that the probability of a particular pair colliding is at most 1 / B (which is negligible) since \(v_{j_0}\) and \(v_{j_1}\) are chosen independently at random. Since there are at most a polynomial \(\left( {\begin{array}{c}T \cdot L\\ 2\end{array}}\right) \) such pairs the chances that any collide is negligible. It follows that the chances of \(F_K(i^*) = F_K(i)\) for \(i=i^*\) is negligible since the above condition would be necessary for this to occur.

• Indistinguishability of Setup. For any \(L, i^*\) consider the following two distributions:

  $$\begin{aligned} \mathcal {R}_{L,i^*}&= \{ K : e^* \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }; \textsc {Sample-Normal} (1^\lambda , L ) \rightarrow K \} \\ \mathcal {L}_{L,i^*}&= \{ K : e^* \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }; \textsc {Sample-Program} (1^\lambda , L, i^*, e^* ) \rightarrow K \} \end{aligned}$$

  We argue that these two distributions are identical for all \(L, i^*\). We show this by also considering an intermediate distribution \(\mathcal {I}_{L,i^*}\). This distribution is generated by randomly sampling \(v_j\) in \([0,B-1]\) and setting \(w_j = v_j - i^* \mod B\). This distribution is clearly equivalent to the \(\textsc {Sample-Normal}\) distribution as for all j selecting \(w_j\) randomly and selecting \(v_j\) randomly and setting \(w_j = v_j - i^* \mod B\) both result in \(w_j\) being chosen uniformly at random. We now argue that this intermediate distribution is equivalent to the \(\mathcal {L}_{L,i^*}\) distribution which is equivalent to calling \(\textsc {Sample-Program}\) with sampling \(e^*\) randomly from \(\mathcal {P}_{c \lambda }\). We will step through an execution of \(\textsc {Sample-Program}\) and argue that at each step j from \(j=1,\ldots ,T\) \(v_j\) is chosen randomly from \([0,B-1]\) independently of all other \(v_{j'}\) for \(j' < j\). Consider an execution starting with \(j=1\) and \(\textsc {programmed}= 0\) and for our exposition let’s consider that \(e^* \in \mathcal {P}_{c \lambda }\) has not been sampled yet. While \(\textsc {programmed}\mathop {=}\limits ^{?}0\) the algorithm samples \(v_j\) is sampled at random. If \(v_j\) is composite it is kept and put in the key, otherwise if it is prime in \(\mathcal {P}_{c \lambda }\), \(v_j\) is replaced with \(e^*\) as another randomly sampled prime. Thus, for any composite value x the probability that \(w_j + i^* =x\) is 1 / B and for any prime value x the probability that \(w_j + i^*=x\) is also 1 / B. The reason is that replacing any sampled prime with a different randomly sampled prime does not change the distribution. After \(\textsc {programmed}\) is set to 1 all further \(v_j\) values are chosen uniformly at random.

Remark A.1

We note that the Indistinguishability of Setup property holds perfectly while the programmability property holds statistically. One way to flip this is to always program \(v_{T}=e^*\) at the end if if \(e^*\) has not been programmed in already.