New Realizations of Somewhere Statistically Binding Hashing and Positional Accumulators
Abstract
A somewhere statistically binding (SSB) hash, introduced by Hubáček and Wichs (ITCS ’15), can be used to hash a long string x to a short digest \(y = H_{\mathsf {hk}}(x)\) using a public hashingkey \(\mathsf {hk}\). Furthermore, there is a way to set up the hash key \(\mathsf {hk}\) to make it statistically binding on some arbitrary hidden position i, meaning that: (1) the digest y completely determines the i’th bit (or symbol) of x so that all preimages of y have the same value in the i’th position, (2) it is computationally infeasible to distinguish the position i on which \(\mathsf {hk}\) is statistically binding from any other position \(i'\). Lastly, the hash should have a local opening property analogous to MerkleTree hashing, meaning that given x and \(y = H_{\mathsf {hk}}(x)\) it should be possible to create a short proof \(\pi \) that certifies the value of the i’th bit (or symbol) of x without having to provide the entire input x. A similar primitive called a positional accumulator, introduced by Koppula, Lewko and Waters (STOC ’15) further supports dynamic updates of the hashed value. These tools, which are interesting in their own right, also serve as one of the main technical components in several recent works building advanced applications from indistinguishability obfuscation (iO).
The prior constructions of SSB hashing and positional accumulators required fully homomorphic encryption (FHE) and iO respectively. In this work, we give new constructions of these tools based on well studied numbertheoretic assumptions such as DDH, PhiHiding and DCR, as well as a general construction from lossy/injective functions.
1 Introduction
SSB Hashing. A somewhere statistically binding (SSB) hash, introduced by Hubáček and Wichs [HW15], can be used to create a short digest \(y= H_{\mathsf {hk}}(x)\) of some long input \(x = (x[0],\ldots ,x[L1]) \in \Sigma ^L\), where \(\Sigma \) is some alphabet. The hashing key \(\mathsf {hk}\leftarrow \mathsf {Gen}(i)\) can be chosen by providing a special “binding index” i and this ensures that the hash \(y = H_{\mathsf {hk}}(x)\) is statistically binding for the i’th symbol, meaning that it completely determines the value x[i]. In other words, even though y has many preimages \(x'\) such that \(H_{\mathsf {hk}}(x')=y\), all of these preimages agree in the i’th symbol \(x'[i] = x[i]\). The index i on which the hash is statistically binding should remain computationally hidden given the hashing key \(\mathsf {hk}\). This is formalized analogously to semantic security so that for any indices \(i,i'\) the hashing keys \(\mathsf {hk}\leftarrow \mathsf {Gen}(i)\) and \(\mathsf {hk}' \leftarrow \mathsf {Gen}(i')\) should be computationally indistinguishable. Moreover, we will be interested in SSB hash functions with a “local opening” property that allows us to prove that j’th symbol of x takes on some particular value \(x[j]= u\) by providing a short opening \(\pi \). This is analogous to MerkleTree hashing, where it is possible to open the j’th symbol of x by providing a proof \(\pi \) that consists of the hash values associated with all the sibling nodes along the path from the root of the tree to the j’th leaf. In the case of SSB hashing, when \(j=i\) is the “binding index”, there should (statistically) exist only one possible value that we can open x[j] to by providing a corresponding proof.
Positional Accumulators. A related primitive called a positional accumulator, was introduced at the same time as SSB hashing by Koppula, Lewko and Waters [KLW15]. Roughly speaking, it includes the functionality of SSB hashing along with the ability to perform “local updates” where one can very efficiently update the hash \(y = H_{\mathsf {hk}}(x)\) if a particular position x[j] is updated. Again, this is analogous to MerkleTree hashing, where it is possible to update the j’th symbol of x by only updating the hash values along the path from the root of the tree to the j’th leaf.^{1}
Applications of SSB Hashing and Positional Accumulators. The above tools, which are interesting in their own right, turn out to be extremely useful in several applications when combines with indistinguishability obfuscation (iO) [BGI+12, GGH+13]. An iO scheme can be used to obfuscate a program (given by a circuit) so that the obfuscations of any two functionally equivalent programs are indistinguishable. Although this notion of obfuscation might apriori seem too week to be useful, recent work has shown it to be surprisingly powerful (see e.g., [SW14]). Very recently, several results showed how to use iO in conjunction with SSB hashing and positional accumulators to achieve various advanced applications. The work of [HW15] uses SSB hashing and iO to construct the first general MultiParty Computation (MPC) protocols in the semihonest model where the communication complexity essentially matches that of the best insecure protocol for the same task. The work of [KLW15] uses positional accumulators and iO to construct succinct garbling for Turing Machines, and recent work extends this approach to RAM programs [CH15, CCC+15]. Lastly, the work of [Zha14] uses SSB hashing and iO to construct the first adaptively secure broadcast encryption with short system parameters.
Example: The Power of iO + SSB. To see the usefulness of combining iO and SSB hashing (or positional accumulators), let’s take a simple illustrative example, adapted from [HW15].^{2} Imagine that Alice has a (small) secret circuit C, and both Alice and Bob know a public value \(x \in \Sigma ^L\). Alice wishes to communicate the values \(\{ C(x[i])\}_{i \in [L]}\) to Bob while hiding some information about C. In particular, Bob shouldn’t learn whether Alice has the circuit C or some other \(C'\) that satisfies \(C(x[i]) = C'(x[i])\) for each \(i \in [L]\). Note that C and \(C'\) may not be functionally equivalent and they only agree on the inputs \(\{x[i]\}_{i \in [L]}\) but might disagree on other inputs. A naive secure solution would be for Alice to simply send the outputs \(\{ C(x[i])\}_{i \in [L]}\) to Bob, but this incurs communication proportional to L. An insecure but communicationefficient solution would be for Alice to just send the small circuit C to Bob. Can we get a secure solution with comparable communication independent of L? Simply sending an obfuscated copy of C is not sufficient since the circuits \(C,C'\) are not functionally equivalent and therefore their obfuscations might be easily distinguishable. However it is possible to achieve this with iO and SSB hashing. Alice can send an obfuscation of a circuit that has the hash \(y = H_{\mathsf {hk}}(x)\) hardcoded and takes as input a tuple \((j, u, \pi )\): it checks that \(j \in [L]\) and that \(\pi \) is a valid opening to \(x[j] =u\) and if so outputs C(u). Bob can evaluate this circuit on the values \(\{x[j]\}_{j \in [L]}\) by providing the appropriate openings. It is possible to show that the above hides whether Alice started with C or \(C'\). The proof proceeds in a sequence of L hybrids where in the i’th hybrid we obfuscate a circuit \(C_i\) that runs \(C'\) instead of C when \(j \le i\) and otherwise runs C. To go from hybrid i to \(i+1\) we first switch the SSB hash key \(\mathsf {hk}\) to be binding in position \(i+1\) and then we can switch from obfuscating \(C_i\) to \(C_{i+1}\) by arguing that these are functionally equivalent; they only differ in the code they execute for inputs of the form \((j=i+1, u,\pi )\) where \(\pi \) is a valid proof but in this case, by the statistical binding property, the only possible value u for which a valid proof \(\pi \) exists is the unique value \(u=x[j]\) for which both circuits produce the same output \(C(x[j]) = C'(x[j])\).
Prior Constructions of SSB and Positional Accumulators. The work of [HW15] constructed a SSB hash by relying on fully homomorphic encryption (FHE). Roughly speaking the construction combines FHE with Merkle Hash Trees. To hash some value \(x = (x[0],\ldots ,x[L1])\) the construction creates a full binary tree of height \(\log L\) (for simplicity, assume L is a power of 2) and deterministically associates a ciphertext with each node of the tree. The L leaf nodes will be associated with some deterministically created encryptions of the values \(x[0],\ldots ,x[L1]\), say by using all 0 s for the random coins of the encryption procedure. The hash key \(\mathsf {hk}\) consists of an encryption of a path from the root of the tree to the i’th leaf where i is the binding index; concretely it contains \(\log L\) FHE ciphertexts \((ct_1,\ldots ,ct_{\log L})\) which encrypt bits \(\beta _1,\ldots ,\beta _{\log L}\) corresponding to the binary representation of the binding index i so that \(\beta _i = 0\) denotes “left” and \(\beta _i = 1\) denotes “right”. The ciphertext associated with each nonleaf node are computed homomorphically to ensure that the value x[i] is contained in each ciphertext along the path from the root to the i’th leaf. Concretely, the ciphertext associated with some node at level j is determined by a homomorphic computation which takes the two child ciphertexts \(c_{0}\) (left) and \(c_{1}\) (right) encrypting some values \(m_0,m_1\) and the ciphertext \(ct_i\) contained in \(\mathsf {hk}\) which encrypts \(\beta _i\) and homomorphically produces a ciphertext encrypting \(m_{\beta _i}\). (For technical reasons, the actual construction is a bit more complicated and needs to use a different FHE key at each level of the tree – see [HW15] for full details.) This ensures that the binding index i is hidden by the semantic security of FHE and the statistically binding property follows by the correctness of FHE.
The work of [KLW15] constructs positional accumulators by also relying on a variant of Merkle Trees. However, instead of FHE, it relies on standard publickey encryption and iO. (It is relatively easy to see that the scheme of [HW15] would also yield an alternate construction of a positional accumulator).
1.1 Our Results
In this work we give new constructions of SSB hashing and positional accumulators from a wide variety of well studied number theoretic assumptions such as DDH, DCR (decisional composite residuocity), \(\phi \)hiding, LWE and others.
TwotoOne SSB. We first abstract out the common Merkletree style approach that is common to both SSB hashes and positional accumulators, and identify a basic underlying primitive that we call a twotoone SSB hash, which can be used to instantiate this approach. Intuitively a twotoone SSB hash takes as input \(x = (x[0], x[1]) \in \Sigma ^2\) consisting of just two alphabet symbols and outputs a value \(y = H_{\mathsf {hk}}(x)\) which is not much larger than a single alphabet symbol. The key \(\mathsf {hk}\) can be set up to be statistically binding on either position 0 or 1.
Instantiations of TwotoOne SSB. We show how to instantiate a twotoone SSB hash from the DDH assumption and the decisional composite residuocity (DCR) assumption. More generally, we show how to instantiate a (slight variant of) twotoone SSB hash from any lossy/injective function. This is a family of functions \(f_{\mathsf {pk}}(x)\) where the public key \(\mathsf {pk}\) can be picked in one of two indistinguishable modes: in injective mode, the function \(f_{\mathsf {pk}}(x)\) is an injective function and in lossy mode \(f_{\mathsf {pk}}(x)\) it is a manytoone function. To construct a twotoone SSB hash from injective/lossy function we pick two public keys \(\mathsf {hk}= (\mathsf {pk}_0,\mathsf {pk}_1)\) and define \(H_{\mathsf {hk}}(x[0],x[1]) = h( f_{\mathsf {pk}_0}(x[0]), f_{\mathsf {pk}_1}(x[1]))\) where h is a universal hash function. To make the \(\mathsf {hk}\) binding on index 0 we choose \(\mathsf {pk}_0\) to be injective and \(\mathsf {pk}_1\) to be lossy and to make is binding on index 1 we do the reverse. With appropriate parameters, we can ensure that the statistically binding property holds with overwhelming probability over the choice of h.
From TwotoOne SSB to Full SSB and Positional Accumulators. We can instantiate a (full) SSB hash with arbitrary input size \(\Sigma ^L\) by combining twotoone SSB hashes in a Merkle Tree, with a different key at each level. To make the full SSB binding at some location i, we choose the hash keys at each level to be binding on either the left or right child in such a way that they are binding along the path from the root of the tree to the leaf at position i. This allows us to “locally open” the j’th position of the input in the usual way, by giving the hash values of all the siblings along the path from the root to the j’th leaf. If \(j=i\) is the binding index, then there is a unique value \(x[j]=u\) for which there is a valid opening. To get positional accumulators, we use the fact that we can also locally update the hashed value by modifying one location x[j] and only updating the hashes along the path from the root to the j’th leaf.
A Flatter Approach. We also explore a different approach for achieving SSB hashing from the \(\phi \)hiding assumption, which does not go through a MerkleTree type construction. Roughly our approach uses a construction is structurally similar to standard constructions RSA accumulators [BdM93]. However, we construct a modus N to be such that for some given prime exponent e we have that e divides \(\phi (N)\). This means that if \(y \in \mathbb {Z}_N\) is not an eth residue \(\mod N\), then there exists no value \(\pi \in \mathbb {Z}_{N}\) where \(\pi ^e = y\). This will lead to our statistical binding property as we will leverage this fact to make the value e related to an index we wish to be binding on. Index hiding will follow from the \(\phi \)hiding assumption.
2 Preliminaries
SSB Hash (with Local Opening). Our definition follows that of [HW15], but whereas that work only defined SSB hash which included the local opening requirement by default, it will be convenient for us to also separately define a weaker variant which does not require the local opening property.
Definition 2.1
(SSB Hash). A somewhere statistically binding (SSB) hash consists of PPT algorithms \(\mathcal {H}= (\mathsf {Gen}, H)\) and a polynomial \(\ell (\cdot ,\cdot )\) denoting the output length.

\(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda , 1^s, L, i)\): Takes as input a security parameter \(\lambda \) a blocklength s an inputlength \(L \le 2^\lambda \) and an index \(i \in \{0,\ldots ,L1\}\) (in binary) and outputs a public hashing key \(\mathsf {hk}\). We let \(\Sigma = \{0,1\}^s\) denote the block alphabet. The output size is \(\ell = \ell (\lambda ,s)\) and is independent of the inputlength L.

\(H_{\mathsf {hk}}: \Sigma ^L \rightarrow \{0,1\}^{\ell }\): A deterministic polytime algorithm that takes as input \(x = (x[0], \ldots , x[L1]) \in \Sigma ^L\) and outputs \(H_{\mathsf {hk}}(x) \in \{0,1\}^{\ell }\).

Index Hiding: We consider the following game between an attacker \(\mathcal {A}\) and a challenger:

The attacker \(\mathcal {A}(1^\lambda )\) chooses parameters \(1^s,L\) and two indices \(i_0, i_1 \in \{0,\ldots ,L1\}\).

The challenger chooses a bit \(b \leftarrow \{0,1\}\) and sets \(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda ,1^s,L, i_b)\).

The attacker \(\mathcal {A}\) gets \(\mathsf {hk}\) and outputs a bit \(b'\).
We require that for any PPT attacker \(\mathcal {A}\) we have \(\Pr [ b = b']  \frac{1}{2} \le \text {negl}(\lambda )\) in the above game.
 Somewhere Statistically Binding: We say that \(\mathsf {hk}\) is statistically binding for an index \(i \in [L]\) if there do not exist any values \(x,x' \in \Sigma ^L\) with \(x[i] \ne x'[i]\) such that \(H_{\mathsf {hk}}(x) = H_{\mathsf {hk}}(x')\). We require that for any parameters s, L and any integer \(i \in \{0,\ldots ,L1\}\) we have:We say that the hash is perfectly binding if the above probability is 1.$$ \Pr [ \mathsf {hk} \text{ is } \text{ statistically } \text{ binding } \text{ for } \text{ index } i~:~ \mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda ,1^s,L, i)] \ge 1 \text {negl}(\lambda ). $$
Definition 2.2

\(\pi \leftarrow \mathsf {Open}(\mathsf {hk},x,j)\): Given the hash key \(\mathsf {hk}\), \(x \in \Sigma ^L\) and an index \(j \in \{0,\ldots ,L1\}\), creates an opening \(\pi \in \{0,1\}^p\). The opening size \(p = p(\lambda ,s)\) is a polynomial which is independent of the inputlength L.

\(\mathsf {Verify}(\mathsf {hk}, y, j, u , \pi )\): Given a hash key \(\mathsf {hk}\) a hash output \(y \in \{0,1\}^{\ell }\), an integer index \(j \in \{0,\ldots ,L1\}\), a value \(u \in \Sigma \) and an opening \(\pi \in \{0,1\}^{p}\), outputs a decision \(\in \{\mathsf {accept},\mathsf {reject}\}\). This is intended to verify that a preimage x of \(y=H_{\mathsf {hk}}(x)\) has \(x[j] = u\).
We require the following two additional properties.

Correctness of Opening: For any parameters s, L and any indices \(i,j \in \{0,\ldots ,L1\}\), any \(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda , 1^s, L, i)\), \(x \in \Sigma ^L\), \(\pi \leftarrow \mathsf {Open}(\mathsf {hk},x,j)\): we have \(\mathsf {Verify}(\mathsf {hk}, H_{\mathsf {hk}}(x), j, x[j], \pi ) = \mathsf {accept}\)
 Somewhere Statistically Binding w.r.t. Opening: ^{3} We say that \(\mathsf {hk}\) is statistically binding w.r.t opening (abbreviated SBO) for an index i if there do not exist any values \(y, u \ne u', \pi , \pi '\) s.t.We require that for any parameters s, L and any index \(i \in \{0,\ldots ,L1\}\)$$\mathsf {Verify}(\mathsf {hk}, y, i, u , \pi ) = \mathsf {Verify}(\mathsf {hk}, y, i, u', \pi ') = \mathsf {accept}.$$We say that the hash is perfectly binding w.r.t. opening if the above probability is 1.$$ \Pr [ \mathsf {hk} \text{ is } \text{ SBO } \text{ for } \text{ index } i~:~ \mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda ,1^s, L, i) ] \ge 1  \text {negl}(\lambda ). $$
FixedParameter Variants. The above definitions allow for a flexible inputlength L and blocklength s specified by the user as inputs to the \(\mathsf {Gen}\) algorithm. This will be the default throughout the paper, but we also consider variants of the above definition with a fixedinputlength L and/or fixedblocklength s where these values cannot be specified by the user as inputs to the \(\mathsf {Gen}\) algorithm but are instead set to some fixed value (a constant or polynomial in the security parameter \(\lambda \)) determined by the scheme. In the case of a fixedinputlength variant, the definitions are nontrivial if the outputlength \(\ell \) and openingsize p satisfy \(\ell ,p < L \cdot s\).
Discussion. There are several constructions of SSB hash that do not provide local opening. For example, any PIR scheme can be used to realize an SSB hash without local opening. The hash key \(\mathsf {hk}\) consists of a PIR query for index i and the hash \(H_{\mathsf {hk}}(x)\) simply computes the PIR response using database x. Unfortunately, we do not know how to generically add a local opening capability to such SSB hash constructions.
3 TwotoOne SSB Hash
As our main building block, we rely on a notion of a “twotoone SSB hash”. Informally, this is a fixedinputlength and flexibleblocksize SSB hash (we do not require local opening) that maps two input blocks (\(L=2\)) to an output which is roughly the size of one block (up to some small multiplicative and additive factors).
Definition 3.1
(TwotoOne SSB Hash). A twotoone SSB hash is an SSB hash with a fixed inputlength \(L=2\) and flexible blocklength s. The outputlength is \(\ell (\lambda , s) = s \cdot (1 + 1/\varOmega (\lambda )) + \textsc {poly}(\lambda )\).
We give three constructions of a TwotoOne SSB Hash systems. Our first construction is built from the DDHhard groups with compact representation. This construction achieves perfect binding. Our next construction is built from the DCR assumption. Lastly, we generalize our approach by showing a (variant of) TwotoOne SSB hashing that can work from any lossy function. We note that lossy functions can be built from a variety of number theoretic primitives including DDH (without compact representation), Learning with Errors, and the \(\phi \)hiding assumption.
Remark: Impossibility without Overhead. We note that the need for some “slack” is inherent in the above definition and we cannot get a twotoone SSB hash where the output is exactly \(\ell (\lambda ,s) = s\) matching the size of one of the inputs. This is because in that case, if we choose \(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda , 1^s, i=0)\) then for each \(x_0 \in \{0,1\}^s\) there is a unique choice of \(y \in \{0,1\}^s\) such that \(H_{\mathsf {hk}}(x_0,x_1) = y\) no matter what \(x_1\) is. In other words, the function \(H_{\mathsf {hk}}(x_0,x_1)\) does not depend on the argument \(x_1\). Symmetrically, if \(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda , 1^s, i=1)\) then the function \(H_{\mathsf {hk}}(x_0,x_1)\) does not depend on the argument \(x_0\). These two cases are easy to distinguish.
3.1 TwotoOne SSB Hash from DDH
DDH Hard Groups and Representation Overhead. Let \(\mathcal {G}\) be a PPT group generator algorithm that takes as input the security parameter \(1^{\lambda }\) and outputs a pair \({\mathbb G},p\) where \({\mathbb G}\) is a group description of prime order p for \(p \in \varTheta (2^{\lambda })\).
Assumption 1
Representation Overhead of Group Elements. In this work we will be concerned with how efficiently (prime order) group elements are represented. We are interested in the difference between the number of bits to represent a group element and \(\lfloor \lg ( p ) \rfloor \). In our definition we consider the bit representation of a group to be intrinsic to a particular group description.
Definition 3.2
(Representational Overhead). Consider a family of prime order groups output from some group generation algorithm \(\mathcal {G}(1^{\lambda })\) that outputs a group of prime order p for \(2^\lambda < p < 2^{\lambda +1}\). Notice that for a generator g in such a group that \(g^i \ne g^j\) for \(i, j \in [0, 2^{\lambda }]\) and \(i \ne j\). (I.e. no “wraparound” happens.)
We define the representational overhead \(\delta (\lambda )\) to be the function which expresses maximum difference between the number of bits used to represent a group element of \({\mathbb G}\) and \(\lambda \), where \({\mathbb G},p \leftarrow \mathcal {G}(1^{\lambda })\).
For this work we are interested in families of groups who representational overhead \(\delta (\lambda )\) is some constant c. Examples of these include groups generated from strong primes and certain elliptic curve groups.
Construction of TwotoOne SSB. We now describe our TwoToOne SSB Hash. We will use a group generation algorithm \(\mathcal {G}\) that has constant representational overhead c as defined in Definition 3.2. Consider a matrix \(\mathbf {M}\) over \(\mathbb {Z}_p\) and group generator g of order p we will use the notation \(g^{\mathbf {M}}\) as short hand for giving out g raised to each element of \(\mathbf {M}\).
The construction sets up a hash function key \(\mathsf {hk}\) for a function that takes two s bit inputs \(x_A\) and \(x_B\). If the index bit \(\beta =0\) it will be statistically binding on \(x_A\); otherwise it is statistically binding on \(x_B\). At a high level the construction setup is intuitively similar to the Lossy trapdoor function algorithms of Peikert and Waters [PW08] where the setup creates two functions — one injective and the other lossy and assigns whether the lossy function corresponds to the A or B input according to the index bit \(\beta \).
There are two important differences from the basic PW construction. First the PW construction encrypted the input bit by bit. This low rate of encoding was needed in order to recover the input from a trapdoor in [PW08], but a trapdoor is not required for our hash function. Here we cram in as many bits into a group element as possible. This is necessary to satisfy the SSB output size properties. We note [BHK11] pack bits in a similar manner. The second property we have is that the randomness used to generate both the injective and lossy function is correlated such that we can intuitively combine the outputs of each into one output where the output length is both small and maintains the committing property of the injective function. We note that our description describes the procedures directly and the connection to injective and lossy functions is given for intuition, but not made formal.
\(\mathsf {Gen}_{\text {TwotoOne}}(1^\lambda , 1^s, \beta \in \{0,1\})\)
The generation algorithm first sets \(t = \max (\lambda , \lfloor \sqrt{s \cdot c} \rfloor )\). (The variable t will be the number of bit each group element can uniquely represent.) It then calls \(\mathcal {G}(1^t) \rightarrow ({\mathbb G},p)\) with \(2^t < p < 2^{t+1}\) and chooses a random generator \(g \in {\mathbb G}\).
Next, it lets \(d = \lceil \frac{s}{t} \rceil \). It then chooses random \(w_1, \ldots , w_d \in \mathbb {Z}_p\), two random column vectors \(\mathbf {a} = (a_{1}, \ldots , a_{d}) \in \mathbb {Z}_p^d\) and \(\mathbf {b} = (b_{1}, \ldots , b_{d}) \in \mathbb {Z}_p^d\). We let \(\tilde{\mathbf {A}}\) be the \(d \times d\) matrix over \(\mathbb {Z}_p\) where the (i, j)th entry is \(a_i \cdot w_{j} \) and \(\tilde{\mathbf {B}}\) be the \(d \times d\) matrix over \(\mathbb {Z}_p\) where the (i, j)th entry is \(b_i \cdot w_{j} \). Finally, let \(\mathbf {A}\) be \(\tilde{\mathbf {A}} + (1\beta ) \cdot \mathbf {I}\) and \(\mathbf {B}\) be \(\tilde{\mathbf {B}} + \beta \cdot \mathbf {I}\) where \(\mathbf {I}\) is the identity matrix. (I.e. we add in the identity matrix to \(\tilde{\mathbf {A}}\) to get the \(\mathbf {A}\) matrix if the selection bit \(\beta =0\); otherwise, if \(\beta =1\) add in the identity matrix to \(\tilde{\mathbf {B}}\) to get \(\mathbf {B}\).)
The hash key is \(\mathsf {hk}= (g^{\mathbf {a}}, g^{\mathbf {b}}, g^{\mathbf {A}}, g^{\mathbf {B}} )\).
\(H_{\mathsf {hk}}: \{0,1\}^s \times \{0,1\}^s \rightarrow {\mathbb G}^{d+1}\)
The hash function algorithm takes in two inputs \(x_A \in \{0,1\}^s\) and \(x_B \in \{0,1\}^s\). We can view the bitstrings \(x_A\) and \(x_B\) each as consisting of d blocks each of t bits (except the last block which may be less). The function first parses these each as row vectors \(\mathbf {x}_A = ( x_{A,1}, \ldots , x_{A,d})\) and \(\mathbf {x}_B = (x_{B,1}, \ldots , x_{B,d})\). These have the property that for \(j \in [d]\) we have \(x_{A,j}\) is an integer \(< 2^t \le p\) representing the \(jth\) block of bits as an integer.
Analysis. We now analyze the size overhead, index hiding and binding properties of the hash function.
Overhead. The output of the hash function is \(d+1\) group elements each of which takes \(t+c\) bits to represent for a total output size of \((d+1)(t+c)\) bits. In the case where \(\lfloor \sqrt{s \cdot c} \rfloor \ge \lambda \), we can plug in our parameter choices for t, d and see that the outputsize \(\ell (\lambda , s) = s+ \mathcal {O} ( \sqrt{s} )\), thus matching the requirements of Definition 3.1. In the case where \(\lfloor \sqrt{s \cdot c} \rfloor < \lambda \) we have that \(\ell (\lambda , s) = s+ \mathcal {O}( \lambda )\) thus also matching our definition.
Somewhere Statistically Binding. We show that the hash function above is selectively binding respective to the bit \(\beta \). We demonstrate this for the \(\beta =0\) case. The \(\beta =1\) case follows analogously.
Now suppose that we are given two inputs \((x_A, x_B)\) and \((x'_A, x'_B)\) such that \(x_A \ne x'_A\) There must then exist some j such that \(x_{A,j} \ne x'_{A,j}\). Let \(H_{\mathsf {hk}}(x_A, x_B) = \left( V, Y= (Y_1, \ldots , Y_d) \right) \) and \(H_{\mathsf {hk}}(x'_A, x'_B) = \left( V', Y'= (Y'_1, \ldots , Y'_d) \right) \). From the above claim it follows that \(Y_j / V^{w_j}= g^{x_{A,j}}\) and \(Y_j / V^{w_j}= g^{x'_{A,j}}\). Therefore \((V, Y_j) \ne (V', Y'_j)\) and the outputs of the hashes are distinct.
Index Hiding. We now prove index hiding. To do this we define \(\mathsf {Game}~_{\mathrm {normal}}\) to be the normal index hiding game on the twotoone construction and \(\mathsf {Game}~_{\mathrm {random}}\) to be the index hiding game, but where the matrices \(\tilde{\mathbf {A}}\) and \(\tilde{\mathbf {B}}\) are chosen randomly when constructing the hash function \(\mathsf {hk}\).
We first argue that if the decision DiffieHellman assumption holds, then the advantage of any PPT attacker \(\mathcal {A}\) in \(\mathsf {Game}~_{\mathrm {normal}}\) must be negligibly close to its advantage in \(\mathsf {Game}~_{\mathrm {random}}\). To show this we apply a particular case of the decision matrix linear assumption family introduced by Naor and Segev [NS12]. They show (as part of a more general theorem) that if the decision DiffieHellman assumption holds that a PPT attacker cannot distinguish if a \(2d \times (d+1)\) matrix \(\mathbf {M}\) over \(\mathbb {Z}_p\) was sampled randomly from the set of rank 1 matrices or rank \(d+1\) matrices given \(g^\mathbf {M}\).
Suppose that the difference of advantage for some attacker in \(\mathsf {Game}~_{\mathrm {normal}}\) and \(\mathsf {Game}~_{\mathrm {random}}\) is some nonnegligible function of \(\lambda \). Then we construct an algorithm \(\mathcal {B}\) on the above decision matrix linear assumption. \(\mathcal {B}\) receives a challenge \(g^{\mathbf {M}}\) and breaks this into \(g^{\mathbf {M}_A}\) and \(g^{\mathbf {M}_B}\) where \(\mathbf {M}_A\) is the top half of the matrix \(\mathbf {M}\) and \(\mathbf {M}_B\) is the bottom half. It then takes \(g^{\mathbf {a}}\) from the first column of \(g^{\mathbf {M}_A}\) and \(g^{\tilde{\mathbf {A}}}\) as the remaining d columns. Similarly, \(\mathcal {B}\) takes \(g^{\mathbf {b}}\) from the first column of \(g^{\mathbf {M}_B}\) and \(g^{\tilde{\mathbf {B}}}\) as the remaining d columns. It then samples a random index \(\beta \in \{0,1\}\) and continues to use these values in executing \(\mathsf {Gen}_{\mathrm {TwotoOne}}\), giving the hash key \(\mathsf {hk}\) to the attack algorithm.
If \(g^{\mathbf {M}}\) were sampled as a rank 1 matrix, then the view of the attacker is the same as executing \(\mathsf {Game}~_{\mathrm {normal}}\). Otherwise, if \(g^{\mathbf {M}}\) were sampled as a rank \(d+1\) matrix the attacker’s view is statistically close to \(\mathsf {Game}~_{\mathrm {random}}\) (as choosing a random rank \(d+1\) matrix is statistically close to choosing a random matrix). If the attacker \(\mathcal {A}\) correctly guesses \(\beta '=\beta \), then \(\mathcal {B}\) guesses the matrix was rank 1, else it guesses it was rank \(d+1\). If the difference in advantage of \(\mathcal {A}\) in the two games is nonneglgibile, then \(\mathcal {B}\) has a nonnegligible advantage in the decision matrix game.
Finally, we see that in \(\mathsf {Game}~_{\mathrm {random}}\) any attacker’s advantage must be 0 as the distributions of the outputs are independent of \(\beta \).
3.2 TwotoOne SSB Hash from DCR
We can also construct a twotoone hash with perfect binding from the decisional composite residuocity (DCR) assumption. We do so by relying on the DamgårdJurik cryptosystem [DJ01] which is itself a generalization of the Pallier cryptosystem based on the DCR assumption [Pai99]. We rely on the fact that this cryptosystem is additively homomorphic and “length flexible”, meaning that it has a small ciphertext expansion. When we plug this construction of a twotoone SSB hash into our full construction of SSB hash with local opening, we essentially get the privateinformation retrieval (PIR) scheme of Lipmaa [Lip05]. Note that, in general, PIR implies SSB hash but only without local opening. However, the particular PIR construction of [Lip05] already has a treelike structure which enables efficient local opening.
DamgårdJurik. The DamgårdJurik cryptosystem consists of algorithms \((\mathsf {KeyGen},\) \(\mathsf {Enc},\) \(\mathsf {Dec})\). The key generation \((\mathsf {pk},\mathsf {sk}) \leftarrow \mathsf {KeyGen}(1^\lambda )\) generates a public key \(\mathsf {pk}= n = pq\) which is a product of two primes p, q and \(\mathsf {sk}= (p,q)\). For any (polynomial) w the scheme can be instantiated to have plaintext space \(\mathbb {Z}_{n^w}\) and ciphertext space \(\mathbb {Z}^*_{n^{w+1}}\). The encryption/decryption procedures \(c = \mathsf {Enc}_{\mathsf {pk}}(m;r)\) and \(\mathsf {Dec}_{sk}(c)\) satisfy perfect correctness so that for all \(m \in \mathbb {Z}_{n^w}\) and all possible choices of the randomness r we have \(\mathsf {Dec}_{\mathsf {sk}}(\mathsf {Enc}_{\mathsf {pk}}(m;r)) = m\). Moreover the scheme is additively homomorphic, meaning that there is an operation \(\oplus \) such that \(\mathsf {Enc}_{\mathsf {pk}}(m;r) \oplus \mathsf {Enc}_{\mathsf {pk}}(m';r') = \mathsf {Enc}_{\mathsf {pk}}(m+m'; r'')\) for some \(r''\) (the operation \(+\) is in the ring \(\mathbb {Z}_{n^{w}}\)). Similarly, we can define homomorphic subtraction \(\ominus \). Furthermore, by performing repeated addition we can also implement an operation \(\otimes \) that allows for multiplication by a plaitnext element \(\mathsf {Enc}_{\mathsf {pk}}(m;r)\otimes m' = \mathsf {Enc}_{\mathsf {pk}}(m \cdot m'; r')\) for some \(r'\) (the operation \(\cdot \) is in the ring \(\mathbb {Z}_{n^{w}}\)). The semantic security of the cryptosystem holds under the DCR assumption.
Construction of TwotoOne SSB. We use the DamgårdJurik cryptosystem to construct an SSB hash as follows.

\(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda , 1^s, \beta \in \{0,1\})\) Choose \((\mathsf {pk}, \mathsf {sk}) \leftarrow \mathsf {KeyGen}(1^\lambda )\) to be a DamgårdJurik public/secret key. We assume (without loss of generality) that the modulus n satisfies \(n > 2^\lambda \). Set the parameter w which determines the plaintext space \(\mathbb {Z}_{n^w}\) and the ciphertext space \(\mathbb {Z}^*_{n^{w+1}}\) to be \(w = \lceil s/ \log n \rceil \) so that we can interpret \(\{0,1\}^s\) as a subset of \(\mathbb {Z}_{n^w}\). Choose \(c \leftarrow \mathsf {Enc}_{\mathsf {pk}}(\beta )\) and output \(\mathsf {hk}= (\mathsf {pk}, c)\).

\(H_{\mathsf {hk}}(x_0,x_1)\): Parse \(\mathsf {hk}= (\mathsf {pk}, c)\) and interpret the values \(x_0,x_1 \in \{0,1\}^s\) as ring elements \(x_0,x_1 \in \mathbb {Z}_{n^w}\). Define the value \(\mathbf {1}_{ct} = \mathsf {Enc}_{\mathsf {pk}}(1;r_0)\) to be a fixed encryption of 1 using some fixed randomness \(r_0\) (say, all 0s). Compute \(c^* := (x_1 \otimes c) \oplus (x_0 \otimes (\mathbf {1}_{ct} \ominus c))\). By the homomorphic properties of encryption, \(c^*\) is an encryption of \(x_{\beta }\).
Theorem 3.3
The above construction is a twotoone SSB hash with perfect binding under the DCR assumption.
Proof
The index hiding property follows directly from the semantic security of the DamgårdJurik cryptosystem, which in turn follows from the DCR assumption.
The perfect binding property follows from the perfect correctness of the cryptosystem. In particular, if \(\mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda , 1^s, \beta )\) then \(y = H_{\mathsf {hk}}(x_0,x_1)\) satisfies \(y = \mathsf {Enc}_{\mathsf {pk}}(x_{\beta }; r)\) for some r which perfectly determines \(x_{\beta }\).
3.3 SSB with Local Opening from TwotoOne SSB
We now show how to construct a SSB hash with local opening from a twotoone SSB hash via the “Merkle Tree” construction. Assume that \(\mathcal {H}= (\mathsf {Gen}, H)\) is a twotoone SSB hash family with output length give by \(\ell (s,\lambda )\). We use this hash function in a MerkleTree to construct an SSB hash with local opening \(\mathcal {H}^* = (\mathsf {Gen}^*, H^*, \mathsf {Open}, \mathsf {Verify})\) as follows.

\(\mathsf {hk}\leftarrow \mathsf {Gen}^*(1^\lambda , 1^s, L, i)\): Let \((b_q,\ldots ,b_1)\) be the binary representation of i (with \(b_1\) being the least significant bit) where \(q = \lceil \log L \rceil \). For \(j \in [q]\) define the blocklengths \(s_1,\ldots ,s_q\) where \(s_1 = s\) and \(s_{j+1} = \ell (s_j, \lambda )\). Choose \(\mathsf {hk}_j \leftarrow \mathsf {Gen}(1^\lambda , 1^{s_j}, b_j)\) and output \(\mathsf {hk}= (\mathsf {hk}_1,\ldots ,\mathsf {hk}_q)\).

\(y = H^*_{\mathsf {hk}}(x)\): For \(x = (x[0],\ldots ,x[L1]) \in \Sigma ^L\), \(\mathsf {hk}= (\mathsf {hk}_1,\ldots ,\mathsf {hk}_q)\) proceed as follows. Define T to be a complete binary tree of height q where level 0 of the tree denotes the leaves and level q denotes the root. We will assign a label to each vertex in the tree. The L leaf vertices are assigned the labels \(x[0],\ldots ,x[L1]\). The rest of the labels are assigned inductively where each nonleaf vertex v at level j of the tree with children that have labels \(x'_0, x'_1\) gets assigned the label \(H_{\mathsf {hk}_j}(x'_0, x'_1)\). The output of the hash is the label y assigned to the root of the tree.

\(\pi = \mathsf {Open}(\mathsf {hk},x,j)\): Compute the labeled tree T as above. Output the labels of all the sibling nodes along the path from the root to the j’th leaf.

\(\mathsf {Verify}(\mathsf {hk}, y, j, u , \pi )\): Recompute all of the labels of the nodes in the tree T that lie on the path from the root to the j’th leaf by using the value u for that leaf and the values given by \(\pi \) as the labels of all the sibling nodes along the path. Check that the recomputed label on the root of the tree is indeed y.
Theorem 3.4
If \(\mathcal {H}\) is a twotoone SSB hash then \(\mathcal {H}^*\) is a SSB hash with local opening.
Proof
Firstly, the index hiding property of \(\mathcal {H}^*\) follows directly from that of \(\mathcal {H}\) via q hybrid arguments. In particular, if \(i_0 = (b^0_q,\ldots ,b^0_1)\) and \(i_1 = (b^1_q,\ldots ,b^1_1)\) are the two indices chosen by the attacker during the security game for index hiding, then we can prove the indistinguishability of \(\mathsf {hk}^0 \leftarrow \mathsf {Gen}^*(1^\lambda , L,s,i_0)\) and \(\mathsf {hk}^1 \leftarrow \mathsf {Gen}^*(1^\lambda , L,s,i_1)\) via q hybrid games where we switch the component keys \(\mathsf {hk}= (\mathsf {hk}_1,\ldots ,\mathsf {hk}_q)\) from being chosen as \(\mathsf {hk}_j \leftarrow \mathsf {Gen}(1^\lambda , 1^s, b^0_j)\) to \(\mathsf {hk}_j \leftarrow \mathsf {Gen}(1^\lambda ,1^s, b^1_j)\).
Secondly, to show that \(\mathcal {H}^*\) is somewhere statistically binding w.r.t. opening, assume that there exist some \(y, u \ne u', \pi , \pi '\) s.t. \(\mathsf {Verify}(\mathsf {hk}, y, i, u , \pi ) = \mathsf {Verify}(\mathsf {hk}, y, i, u', \pi ') = \mathsf {accept}\). Recall that the verification procedure assigns labels to all the nodes along the path from the root to the i’th leaf. During the two runs of the verification procedure with the above inputs, let \(0 < j \le q\) be the lowest level at which both runs assign the same label w to the node at level j (this must exist since the root at level q is assigned the same label y in both runs and the leafs at level 0 are assigned different values \(u,u'\) in the two runs). Let \(v,v'\) be the two different labels assigned to the node at level \(j1\) by the two runs. Then \(w = H_{\mathsf {hk}_j}(x) = H_{\mathsf {hk}_j}(x')\) for some \(x,x' \in \Sigma ^2\) such that \(x[b_j] = v \ne x'[b_j] = v'\). This means that \(\mathsf {hk}_j\) is not statistically binding on the index \(b_j\), but this can only happen with negligible probability by the somewhere statistically binding property of the 2to1 SSB hash \(\mathcal {H}\). Therefore \(\mathcal {H}^*\) is somewhere statistically binding w.r.t. opening.
4 SSB Hash from Lossy Functions
In this section we describe a simple construction of an SSB Hash with local opening, the main tool we’ll use are lossy functions, introduced by Peikert and Waters [PW08]. They actually introduced the stronger notion of lossy trapdoor functions, where a trapdoor allowed to invert functions with injective keys, we only need the lossiness property, but no trapdoors.
Definition 4.1

For \(m,\Lambda \in \mathbb {N}\) and \(\mathsf{mode}\in \{\mathsf{injective}=1,\mathsf{lossy}=0\}\), \(\mathsf{Gen}_\mathsf{LF}(m,\Lambda ,\mathsf{mode})\) outputs a key \(\mathsf {hk}\).

Every such key \(\mathsf {hk}\) defines a function \(\mathsf {hk}(.):\{0,1\}^m\rightarrow \{0,1\}^{m'}\) (for some \(m'\ge m\)).

injective: If \(\mathsf {hk}\leftarrow \mathsf{Gen}_\mathsf{LF}(m,\Lambda ,\mathsf{injective})\), then \(\mathsf {hk}(.)\) is injective.
 lossy: If \(\mathsf {hk}\leftarrow \mathsf{Gen}_\mathsf{LF}(m,\Lambda ,\mathsf{lossy})\), then \(\mathsf {hk}(.)\)’s output domain has size \(\le 2^\Lambda \), i.e.$$ \{y\ :\ \exists x\in \{0,1\}^m, \mathsf {hk}(x)=y\}\le 2^\Lambda $$

indistinguishable: Lossy and injective keys are computationally indistinguishable. More concretely, think of \(\Lambda \) as a security parameter and let \(m=\mathsf {poly}(\Lambda )\), then the advantage of any PPT adversary in distinguishing \(\mathsf{Gen}_\mathsf{LF}(m,\Lambda ,\mathsf{injective})\) from \(\mathsf{Gen}_\mathsf{LF}(m,\Lambda ,\mathsf{lossy})\) is negligible in \(\Lambda \).
The Construction. Our construction \((\mathsf {Gen}^*, H^*, \mathsf {Open}, \mathsf {Verify})\) is illustrated in Fig. 1, we define it formally below.

\(\mathsf {hk}\leftarrow \mathsf {Gen}^*(1^\lambda ,1^s,L=2^q, i,\Lambda )\): Set \(m=2(s+q\Lambda )+\lambda \). For \(i \in \{0,\ldots ,2^q1\}\), let \((b_q,\ldots ,b_1)\) be the binary representation of i (with \(b_1\) being the least significant bit).
For every j: Choose \(\mathsf {hk}^0_i \leftarrow \mathsf{Gen}_\mathsf{LF}(m,\Lambda ,1b_j)\) and \(\mathsf {hk}^1_i\leftarrow \mathsf{Gen}_\mathsf{LF}(m,\Lambda ,b_j)\). Sample a pairwise independent hash function \(h_j:\{0,1\}^{2m'}\rightarrow \{0,1\}^m\) and let \(\mathsf {hk}_j=(\mathsf {hk}^0_j,\mathsf {hk}^1_j,h_j)\). Each \(\mathsf {hk}_j\) defines a mapping \(H_j:\{0,1\}^{2m}\rightarrow \{0,1\}^m\) defined asOutput \(\mathsf {hk}= (\mathsf {hk}_1,\ldots ,\mathsf {hk}_q)\).$$ H_j(a,b)= h_j(\mathsf {hk}^0_j(a),\mathsf {hk}^1_j(b)) $$ 
\(H^*_{\mathsf {hk}}(x)\): For \(x = (x[0],\ldots ,x[2^q1]) \in \{0,1\}^{s\cdot 2^q}\), \(\mathsf {hk}= (\mathsf {hk}_1,\ldots ,\mathsf {hk}_q)\) proceed as follows. Define T to be a complete binary tree of height q where level 0 of the tree denotes the leaves and level q denotes the root. We will assign a label to each vertex in the tree. The \(2^q\) leaf vertices are assigned the labels \(x[0]\Vert 0^{ms},\ldots ,x[2^q1]\Vert 0^{ms}\) (i.e., the input blocks padded to length m). The rest of the labels are assigned inductively where each nonleaf vertex v at level j of the tree with children that have labels \(x'_0, x'_1\) gets assigned the label \(y = H_j(x'_0, x'_1)\). The output \(H^*_\mathsf {hk}(x)\) is the root of the tree.

\(\pi =\mathsf {Open}(\mathsf {hk},x,j)\): Compute the labeled tree T as above. Output the labels of all the sibling nodes along the path from the root to the j’th leaf. Figure 1 the values to be opened to reveal x[2] are marked with \(\surd \).

\(\mathsf {Verify}(\mathsf {hk}, y, j, u , \pi )\): Recompute all of the labels of the nodes in the tree T that lie on the path from the root to the j’th leaf by using the value u for that leaf and the values given by \(\pi \) as the labels of all the sibling nodes along the path. Check that the recomputed label on the root of the tree is indeed y.
Theorem 4.2
Proof
The index hiding property follows immediately from the indsitinguishability of injective and lossy modes.
To show that the hash is somewhere statistically binding, consider a key \(\mathsf {hk}\leftarrow \mathsf {Gen}^*(1^\lambda ,1^s,L=2^q, i,\Lambda )\). We must prove that with overwhelming probability no hash \(y\in \{0,1\}^{2(s+q\cdot \Lambda )+\lambda }\) exists where \(\mathsf {Verify}(\mathsf {hk}, y, i, u , \pi )=\mathsf {Verify}(\mathsf {hk},y,i,u',\pi ')=\mathsf {accept}\) for some \(u\ne u'\), that is, x[i] can be opened to u and \(u'\).
In a nutshell, the reason why with high probability (over the choice of \(\mathsf {hk}\)) the hash \(H_\mathsf {hk}\) is perfectly binding on its ith coordinate is that the value x[i] at the leaf of the tree only passes through two kinds of functions on its way to the root: injective functions and pairwise independent hashes. Clearly, no information can be lost when passing through an injective function. And every time the value passes through some hash \(h_j\), the other half of the input is the output of a lossy function, and thus can take at most \(2^\Lambda \) possible values. Thus even as we arrive at the root, there are only \(2^{s+q\cdot \Lambda }\) possible values. We now set the output length \(m=2(s+q\cdot \Lambda )+\lambda \) of the \(h_j\)’s so that \(2^m\) is a larger – by a factor \(2^\lambda \) – than the square of the possible values. This then suffices to argue that every \(h_j\) will be injective on its possible inputs (recall that there are at most \(2^{s+q\cdot \Lambda }\) of them) with probability \(\ge 12^{\lambda }\).
For the formal proof it’s convenient to consider the case \(i=0\) (i.e., the leftmost value should be perfectly binding). Let \(\pi =(w_1,\ldots ,w_q)\) and \(\pi '=(w'_1,\ldots ,w'_q)\) be two openings for values \(x[0]\ne x'[0]\), we’ll prove that with probability \(q/2^\lambda \) (over the choice of \(\mathsf {hk}\)) the verification procedure will compute different hashes corresponding to any two such openings (i.e., for every opening \((\pi ,x[0])\), there’s at most one y which makes \(\mathsf {Verify}(\mathsf {hk},y,i=0,x[0],\pi )\) accept), and thus the hash is perfectly binding on index 0.
Let \(v_0=x[i]\Vert 0^{ms}\) and for \(j=1,\ldots ,q\) define \(v_j = h_j(\mathsf {hk}_j^0(v_{j1}),\mathsf {hk}_j^1(w_j))\), the \(v'_j\)’s are defined analogously for the other opening. Note that \(v_q\) is the final hash value, so we have to show that \(v_q\ne v'_q\).
For the proof we will think of the hash key \(\mathsf {hk}= (\mathsf {hk}_1,\ldots ,\mathsf {hk}_q)\), where \(\mathsf {hk}_j=(\mathsf {hk}^0_j,\mathsf {hk}^1_j,h_j)\), as being lazy sampled. Initially, we sample all the \(\mathsf {hk}_j^0,\mathsf {hk}_j^1\) keys. Let \(L_j\subset \{0,1\}^m\) denote the range of the (lossy) \(\mathsf {hk}^1_j(.)\) functions, note that \(L_j\le 2^\Lambda \) for all j. The \(h_j\)’s will be sampled one by one in each induction step below.
Assume so far he have sampled \(h_1,\ldots ,h_{j1}\), and so far for any openings where \(x[0]\ne x'[0]\) we had \(v_j\ne v'_j\). For \(j=0\) this holds as \(x[0]\ne x'[0]\) implies \(v_0=x[0]\Vert 0^{ms}\ne x'[0]\Vert 0^{ms}\).
The inputs to the function \(h_j\) (which is still to be sampled) are from \(I_{j1}=h_j^0(S_{j1})\times L_{j1}\), which (as shown above) contains at most \(S_{j1}\cdot L_{j1} \le 2^{s+(j1)\Lambda }2^\Lambda =2^{s+j\cdot \Lambda }\) elements.
5 SSB from \(\phi \)hiding
We now move on to building SSB from the \(\phi \)hiding assumption [CMS99]. This construction will be qualitatively different from the prior ones in that we will not employ a Merkle tree type structure for proving and verifying opens. In contrast a hash output will consist of two elements \(\mathbb {Z}_{N_0}^*\) and \(\mathbb {Z}_{N_1}^*\) for RSA primes \(N_0,N_1\). An opening will consist of a single element of either \(\mathbb {Z}_{N_0}^*\) or \(\mathbb {Z}_{N_1}^*\).
The algorithms as described above very closely match a traditional RSA accumulator. The key distinction is that we can achieve statistical binding on index j by setting \(N_0\) such that \({K_0}(j)\) divides \(\phi (N_0)\) (and similarly for \(N_1\)). The idea is that in this setting if \(y_0\) is not an \({K_0}(j)\)th residue then there will not exist a value \(\pi \) such that \(y_0 \mathop {=}\limits ^{?} \pi ^{ F_{K_0}(j)} \mod N_0\). The indexhiding property will follow from the \(\phi \)hiding assumption.
5.1 RSA and \(\phi \)hiding Preliminaries
We begin by developing our notation and statement of the \(\phi \)hiding assumption both of which follow closely to Kiltz, O’Neill, and Smith [KOS10]. We let \(\mathcal {P}_k\) denote the set of odd primes that are less than \(2^k\). In addition, we let \((N,p,q) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_k\) be the process of choosing two primes p, q uniformly from \(\mathcal {P}_k\) and letting \(N=pq\). Further we let \((N,p,q) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_k[p =1 \mod e]\) be the be the process of choosing two primes p, q uniformly from \(\mathcal {P}_k\) with the constraint that \(p=1 \mod e\), then letting \(N=pq\).
5.2 Conforming Function
Before we give our construction we need one further abstraction. For any integer L we require the ability to sample a keyed hash function \(F(K, \cdot )\) that hashes from an integer \(i \in [0, L1]\) to a random prime in \(\mathcal {P}_{c \lambda }\). Furthermore, the function should have the property that it is possible to sample the key K in such a way that for a single pair \(i^* \in [0, L1]\) and \(e^* \in \mathcal {P}_{c \lambda }\) \(F(K, i^*)=e^*\). Moreover such programming should be undetectable if \(e^*\) is chosen at random from \(\mathcal {P}_{c \lambda }\).
We give the definitions of such a function system here and show how to construct one in Appendix A. A conforming function system is parameterized by a constant \(c \in (0,.5)\) and has three algorithms.
\(\textsc {SampleNormal} (1^\lambda , L ) \rightarrow K\)
Takes in a security parameter \(\lambda \) and a length L (in binary) and outputs a function key K.
\(\textsc {SampleProgram} (1^\lambda , L, i^*, e^* ) \rightarrow K \)
Takes in a security parameter \(\lambda \) and a length L (in binary) as well as a program index \(i^* \in [0, L1]\) and \(e^* \in \mathcal {P}_{c \lambda }\). It outputs a function key K.
\(F_K : i \rightarrow \mathcal {P}_{c \lambda }\)
If \(\textsc {SampleNormal} (1^\lambda , L ) \rightarrow K\), then \(F_K\) takes in an index \(i \in [0,L1]\) and outputs a prime from \(\mathcal {P}_{c \lambda }\).

Efficiency. The programs \(\textsc {SampleNormal}\) and \(\textsc {SampleProgram}\) run in time polynomial in \(\lambda \) and L. Let \(\textsc {SampleNormal} (1^\lambda , L ) \rightarrow K\), then \(F_K\) runs in time polynomial in \(\lambda \) and \(\lg (L)\).

Programming at \(\varvec{i^{*}.}\) For some \(\lambda , L, i^*, e^*\) let \(\textsc {SampleProgram} (1^\lambda , L, i^*, e^* ) \rightarrow K\). Then \(F_K(i^*) = e^*\) with all but negligible probability in \(\lambda \).

Non colliding at \(\varvec{i^{*}.}\) For some \(\lambda , L, i^*, e^*\) let \(\textsc {SampleProgram} (1^\lambda , L, i^*, e^* ) \rightarrow K\). Then for any \(i \ne i^*\) the probability that \(F_K(i^*) = F_K(i)\) is negligible in \(\lambda \).
 Indistinguishability of Setup. For any \(L, i^*\) consider the following two distributions:The indistinguishability of setup property states that all PPT adversaries have a most a negligible advantage in distinguishing between the two distributions for all \(L, i^*\).$$\begin{aligned} \mathcal {R}_{L,i^*}&= \{ K : e^* \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }; \textsc {SampleNormal} (1^\lambda , L ) \rightarrow K \} \\ \mathcal {L}_{L,i^*}&= \{ K : e^* \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }; \textsc {SampleProgram} (1^\lambda , L, i^*, e^* ) \rightarrow K \} \end{aligned}$$
5.3 Our \(\phi \)hiding SSB Construction
We now present our \(\phi \)hiding based SSB construction. Our construction is for an alphabet of a single bit, thus s is implicitly 1 and omitted from our notation. In addition, the construction is parameterized relative to some constant \(c \in (0,.5)\).
\(\mathsf {Gen}(1^\lambda , L, i^*)\)
The generation algorithm first samples two random primes \(e_0, e_1 \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }\). Next, it sets up two conforming functions as \(\textsc {SampleProgram}\) \((1^\lambda , L, i^*, e_0 ) \rightarrow K_0\) and \(\textsc {SampleProgram}\) \((1^\lambda , L, i^*, e_1 ) \rightarrow K_1\). Then it samples \((N_0 ,p_0 ,q_0) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_k[p_0 =1 \mod e_0]\) and \((N_1 ,p_1, q_1) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_k[p_1 =1 \mod e_1]\). Finally, it chooses \(h_0 \in Z_{N_0}^* \) randomly with the constraint that \(h_0^{(p_01)/e_0} \ne 1 \mod p_0\) and \(h_1 \in Z_{N_1}^* \) randomly with the constraint that \(h_1^{(p_1  1)/e_1} \ne 1 \mod p_1\).
It outputs the hash key as \(\mathsf {hk}= \{L, (N_0, N_1), (K_0, K_1), (h_0, h_1) \}\).
\(H_{\mathsf {hk}}: \{0,1\}^L \rightarrow \mathbb {Z}_{N_0}^*, \mathbb {Z}_{N_1}^* \):
We note that the computation in practice will be done by iteratively with repeated exponentiation as opposed to computing the large integer \(\prod _{i \in S_0} F_{K_0}(i)\) up front.
\(\mathsf {Open}(\mathsf {hk},x,j)\):
 Weak Somewhere Statistically Binding w.r.t. Opening: We say that \(\mathsf {hk}\) is weak statistically binding w.r.t opening (abbreviates wSBO) for an index i if there do not exist any values \(x \in \Sigma ^L, u' \ne x[i], \pi '\) s.t. \(\mathsf {Verify}(\mathsf {hk}, H_{\mathsf {hk}}(x), i, u' , \pi )= \mathsf {accept}\). We require that for any parameters s, L and any index \(i \in \{0,\ldots ,L1\}\)We say that the hash is perfectly binding w.r.t. opening if the above probability is 1.$$ \Pr [ \mathsf {hk} \text{ is } \text{ wSBO } \text{ for } \text{ index } i~:~ \mathsf {hk}\leftarrow \mathsf {Gen}(1^\lambda ,1^s, L, i) ] \ge 1  \text {negl}(\lambda ). $$
Weak Somewhere Statistically Binding with Respect to Opening. Suppose that \(\mathsf {Gen}(1^\lambda , L, i^*) \rightarrow \mathsf {hk}\). We argue that with all but negligible probability for all inputs \(x \in \{0,1\}^L\) that the function is statistically binding with respect to opening.
Consider a particular input x where \(x[i^*]=1b\) and \(H_{\mathsf {hk}}(x)=y=(y_0, y_1)\). We want to show that there does not exist a value \(\pi \) such that \(\mathsf {Verify}(\mathsf {hk}, y=(y_0, y_1), i^*, b \in \{0,1\}, \pi )=1\). Let \(e_b \in \mathcal {P}_{c \lambda }\) be the prime value chosen at hash function setup. By the setup process we have that \(e_b  p_b1\) and that of \(e_b=F_{K_b}(i^*)\). The latter follows from the Programming at \(i^*\) property of the conforming hash function. Therefore we have that \((\pi ^{e_b})^{(p_b  1)/e_b} = 1 \mod p_1\) (i.e. \(\pi ^{e_b}\) is an \(e_b\)th residue mod \(p_b\)).
Recall that \(y_b = h_b^{\prod _{i \in S_b} F_{K_b}(i) } \mod N_b\). Let \(\alpha = \prod _{i \in S_b} F_{K_b}(i)\). By the noncolliding property of F coupled with the fact that \(x[i^*] \ne b\) and thus \(i^* \notin S_b\) with all but negligible probability for all \(i \in S_b\) we have that \(F_{K_b}(i)\) is a prime \(\ne e_b\). Therefore \(\alpha \) is relatively prime to \(e_b\). Since \(h_b\) was chosen to not be a \(e_b\)th residue mod \(p_b\) and \(\alpha \) is relatively prime to \(e_b\) it follows that \(y_b = h_b^{\alpha } \) is also not an \(e_b\)th residue mod \(p_b\). However, since \(\pi ^{e_b}\) is an \(e_b\)th residue mod \(p_b\), it cannot be equal to \(y_b\) and the verification test will fail.
Index Hiding.
We sketch a simple proof of index hiding via a sequence of games. We begin by defining the sequence.

\(\mathsf {Game}~_0\): The Index Hiding game on our construction.

\(\mathsf {Game}~_1\): Same as \(\mathsf {Game}~_0\) except that an additional prime \(e'_0 \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }\) is sampled and \((N_0, p_0, q_0) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_\lambda [p =1 \mod e'_0]\). Note that we still sample \((1^\lambda , L, i_b, e_0 ) \rightarrow K_0\) where w.h.p \(e_0 \ne e'_0\). additional prime \(e'_1 \mathop { \leftarrow }\limits ^{\$} \mathcal {P}_{c \lambda }\) is sampled and \((N_1, p_1, q_1) \mathop { \leftarrow }\limits ^{\$} \mathcal {RSA}_\lambda [p =1 \mod e'_1]\). Note that we still sample \((1^\lambda , L, i_b, e_1 ) \rightarrow K_1\) where w.h.p \(e_1 \ne e'_1\).

\(\mathsf {Game}~_3\): Same as \(\mathsf {Game}~_2\) except that \(K_0\) is sampled as \(\textsc {SampleNormal} (1^\lambda , L ) \rightarrow K_0\).

\(\mathsf {Game}~_4\): Same as \(\mathsf {Game}~_3\) except that \(K_1\) is sampled as \(\textsc {SampleNormal} (1^\lambda , L ) \rightarrow K_1\).
It follows directly from the \(\phi \)hiding assumption that no PPT attacker can distinguish between \(\mathsf {Game}~_1\) and \(\mathsf {Game}~_1\) and that no attacker can distinguish between \(\mathsf {Game}~_1\) and \(\mathsf {Game}~_2\). At this point the primes \(e_0\) and \(e_1\) are used only in the programming of the hash function and are not reflected in the choice of the RSA moduli. For this reason we can now use the Indistinguishability of Setup property of the conforming has to show that no PPT attack can distinguish between \(\mathsf {Game}~_2\) and \(\mathsf {Game}~_3\) and \(\mathsf {Game}~_3\) and \(\mathsf {Game}~_4\). Finally, we observe that the index \(i_b\) is not used at \(\mathsf {Game}~_4\) and thus the bit b is hidden from the attacker’s view.
6 Positional Accumulators
In the full version of this paper, we also discuss how to extend some the above results to positional accumulators. In particular, we show how to construct positional accumulators from a (perfectly binding) twotoone SSB hash. The construction can also be naturally extended to one based on lossy functions.
Footnotes
 1.
The formal definitions of SSB hashing and positional accumulators as given in [HW15, KLW15] are technically incomparable. On a high level, the latter notion requires additional functionality in the form of updates but only insists on a weaker notion of security which essentially corresponds to “target collision resistance” where the target hash value is computed honestly. In this work, we construct schemes that achieve the best of both worlds, having the additional functionality and the stronger security.
 2.
The contents of this paragraph and the notion of iO are not essential to understand the results of the paper, but we provide it to give some intuition for how SSB hashing and positional accumulators are used in conjunction with iO in prior works to get the various applications described above.
 3.
Note that the “somewhere stat. binding w.r.t. opening” property implies the basic “somewhere stat. binding” property of SSB hash.
 4.
Note that we prove something slightly stronger than required as we only need to consider pairs where \(v\ne v'\).
 5.
Note there is nothing special about choosing 3. Any default prime would suffice.
References
 [BdM93]Benaloh, J.C., de Mare, M.: Oneway accumulators: a decentralized alternative to digital signatures. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994)CrossRefGoogle Scholar
 [BGI+12]Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
 [BHK11]Braverman, M., Hassidim, A., Kalai, Y.T.: Leaky pseudoentropy functions. In: Proceedings of the Innovations in Computer Science  ICS 2010, Tsinghua University, Beijing, China, 7–9 January 2011, pp. 353–366 (2011)Google Scholar
 [CCC+15]Chen, Y.C., Chow, S.S., Chung, K.M., Lai, R.W., Lin, W.K., Zhou, H.S.: Computationtrace indistinguishability obfuscation and its applications. Cryptology ePrint Archive, Report 2015/406 (2015). http://eprint.iacr.org/
 [CH15]Canetti, R., Holmgren, J.: Fully succinct garbled RAM. Cryptology ePrint Archive, Report 2015/388 (2015). http://eprint.iacr.org/
 [CMS99]Cachin, C., Micali, S., Stadler, M.A.: Computationally private information retrieval with polylogarithmic communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, p. 402. Springer, Heidelberg (1999)CrossRefGoogle Scholar
 [DJ01]Damgård, I., Jurik, M.: A generalisation, a simplification and some applications of Paillier’s probabilistic publickey system. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 119–136. Springer, Heidelberg (2001)CrossRefGoogle Scholar
 [GGH+13]Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS (2013)Google Scholar
 [HW15]Hubacek, P., Wichs, D.: On the communication complexity of secure function evaluation with long output. In: Proceedings of the 2015 Conference on Innovations in Theoretical Computer Science, ITCS 2015, Rehovot, Israel, 11–13 January 2015, pp. 163–172 (2015)Google Scholar
 [KLW15]Koppula, V., Lewko, A.B., Waters, B.: Indistinguishability obfuscation for turing machines with unbounded memory. In: STOC (2015)Google Scholar
 [KOS10]Kiltz, E., O’Neill, A., Smith, A.: Instantiability of RSAOAEP under chosenplaintext attack. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 295–313. Springer, Heidelberg (2010)CrossRefGoogle Scholar
 [Lip05]Lipmaa, H.: An oblivious transfer protocol with logsquared communication. In: Zhou, J., López, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 314–328. Springer, Heidelberg (2005)CrossRefGoogle Scholar
 [NS12]Naor, M., Segev, G.: Publickey cryptosystems resilient to key leakage. SIAM J. Comput. 41(4), 772–814 (2012)MathSciNetCrossRefzbMATHGoogle Scholar
 [Pai99]Paillier, P.: Publickey cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)CrossRefGoogle Scholar
 [PW08]Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, 17–20 May 2008, pp. 187–196 (2008)Google Scholar
 [SW14]Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: STOC, pp. 475–484 (2014)Google Scholar
 [Zha14]Zhandry, M.: Adaptively secure broadcast encryption with small system parameters. In: IACR Cryptology ePrint Archive 2014, p. 757 (2014)Google Scholar