Efficient Range-Trapdoor Functions and Applications: Rate-1 OT and More

Garg, Sanjam; Hajiabadi, Mohammad; Ostrovsky, Rafail

doi:10.1007/978-3-030-64375-1_4

Sanjam Garg¹⁰,
Mohammad Hajiabadi¹¹ &
Rafail Ostrovsky¹²

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12550))

Included in the following conference series:

Theory of Cryptography Conference

843 Accesses
10 Citations

Abstract

Substantial work on trapdoor functions (TDFs) has led to many powerful notions and applications. However, despite tremendous work and progress, all known constructions have prohibitively large public keys.

In this work, we introduce new techniques for realizing so-called range-trapdoor hash functions with short public keys. This notion, introduced by Döttling et al. [Crypto 2019], allows for encoding a range of indices into a public key in a way that the public key leaks no information about the range, yet an associated trapdoor enables recovery of the corresponding input part.

We give constructions of range-trapdoor hash functions, where for a given range I the public key consists of O(n) group elements, improving upon O(n|I|) achieved by Döttling et al. Moreover, by designing our evaluation algorithm in a special way involving Toeplitz matrix multiplication and by showing how to perform fast-Fourier transforms in the exponent, we arrive at $O(n \log n)$ group operations for evaluation, improving upon $O(n^2)$, required of previous constructions. Our constructions rely on power-DDH assumptions in pairing-free groups.

As applications of our results we obtain

1.
The first construction of (rate-1) lossy TDFs with public keys consisting of a linear number of group elements (without pairings).
2.
Rate-1 string OT with receiver communication complexity of O(n) group elements, where n is the sender’s message size, improving upon $O(n^2)$ [Crypto 2019].
3.
Two-round private-information retrieval protocols for one-bit records, where for a server of N bits, the client’s message consists of $O(\lambda ) \mathsf {polylog}(N)$ group elements, improving upon $O(\lambda ^2 ) \mathsf {polylog}(N)$.
4.
Semi-compact homomorphic encryption for branching programs: A construction of homomorphic encryption for branching programs, with ciphertexts consisting of $O(\lambda n d^2)$ group elements, improving upon $O(\lambda ^2 n d^3)$. Here $\lambda $ denotes the security parameter, n the input size and d the depth of the program.

S. Garg—University of California, Berkeley. supported in part from DARPA/ARL SAFEWARE Award W911NF15C0210, AFOSR Award FA9550-15-1-0274, AFOSR Award FA9550-19-1-0200, AFOSR YIP Award, NSF CNS Award 1936826, DARPA and SPAWAR under contract N66001-15-C-4065, a Hellman Award and research grants by the Okawa Foundation, Visa Inc., and Center for Long-Term Cybersecurity (CLTC, UC Berkeley). The views expressed are those of the author and do not reflect the official policy or position of the funding agencies.

R. Ostrovsky—University of California, Los Angeles. Supported by DARPA SPAWAR contract N66001-15-C-4065.

You have full access to this open access chapter, Download conference paper PDF

Rate-1 Trapdoor Functions from the Diffie-Hellman Problem

Trapdoor Hash Functions and Their Applications

Privacy-Preserving Range Queries from Keyword Queries

1 Introduction

Trapdoor cryptosystems are at the heart of modern cryptography. What is common among all these cryptosystems is the notion of a trapdoor key, which allows a certain computation to be inverted. The exact formulation of what inversion means specifies the strength of the notion.

For example, trapdoor functions (TDFs) extend the functionality of public-key encryption (PKE) by requiring the inversion algorithm to recover the entire input. This extension makes the notion relatively versatile, enabling applications (from variants of TDFs) including CCA2-secure PKE, selective-opening security and designated-verifier non-interactive (NIZK) [PW08, BFOR08, BHY09, LQR+19], which are currently out of reach of the basic PKE primitives.

Perhaps not surprisingly, trapdoor systems that demand a richer functionality are harder to realize, and in cases this is possible, the resulting realizations come with poor efficiency. For instance, while for PKE we have a plethora of instantiations with close to optimal public-key, secret-key and ciphertext sizes, the situation for TDFs is much different. Concretely, the public keys of all DDH-based TDFs consist of $O(n^2)$ group elements, where n is the input size, lagging behind their PKE counterparts, which consist of a constant number of group elements. Although recent works [GH18, GGH19, DGI+19, DGH+19] showed how to make the image size of TDFs almost the same as the input size, they too are stuck with the $O(n^2)$ group elements overhead for the public key. As we will see later, this is due to a lack of batching techniques for TDF keys. Our goal, in this work, is to develop techniques that help us mitigate this issue. We will do this in a way general enough to be applicable not just to TDFs, but also to more advanced primitives, such as lossy TDFs [PW08] and trapdoor hash functions [DGI+19].

Trapdoor Hash (TDH) Functions. Recently, Döttling, Garg, Ishai, Malavolta, Mour and Ostrovsky introduced a primitive, called trapdoor hash functions [DGI+19], and showed extensive applications of this notion, including lossy TDFs, rate-1 oblivious transfer (OT), private information retrieval (PIR) with low communication complexity and more. In its simplest form, a TDH scheme comes with a length-compressing hash function $\mathsf {H}_\mathsf {hk}:\{0,1\}^n \rightarrow \{0,1\}^\lambda $ and an evaluation algorithm $\mathsf {E}$. The scheme allows one to generate an evaluation/trapdoor key $(\mathsf {ik} _i , \mathsf {tk} _i)$ for any particular index $i \in [n]$ in such a way that (1) the output of $\mathsf {E}(\mathsf {ik} _i, \mathsf {x})$ is a single bit, (2) using $\mathsf {tk} _i$, one may retrieve the value of $\mathsf {x}_i$ from $\mathsf {H}(\mathsf {hk}, \mathsf {x}) \in \{0,1\}^\lambda $ and $\mathsf {E}(\mathsf {ik} _i, \mathsf {x}) \in \{0,1\}$ and (3) $\mathsf {ik} _i$ hides the index i.

Usefulness of Trapdoor Hash. To show the utility of this notion, let us sketch a construction of lossy TDFs using this primitive, given by [DGI+19]. Consider a sequence of TDH-evaluation keys $\mathsf {ik} _1, \dots , \mathsf {ik} _{n/2}$ generated for the range of indices [1, n/2] and suppose we additionally include a message $\mathsf {x}^* \xleftarrow {\$}\{0,1\}^{n/2}$ as part of the public key. Assume the input $\mathsf {x}$ to the lossy TDF has n/2 bits. To evaluate $\mathsf {x}$, form a bigger string $\mathsf {x}' := (\mathsf {x}|| \mathsf {x}^*) \in \{0,1\}^n$ and return $(\mathsf {H}(\mathsf {hk}, \mathsf {x}'), \mathsf {E}(\mathsf {ik} _1,\mathsf {x}') , \dots , \mathsf {E}(\mathsf {ik} _{n/2} , \mathsf {x}'))$.^{Footnote 1} Using the trapdoor keys of $\mathsf {ik} _1, \dots , \mathsf {ik} _{n/2}$, we may recover $\mathsf {x}$. Now if we switch the evaluation keys to $\mathsf {ik} _{n/2+1}, \dots , \mathsf {ik} _n$ corresponding to the second-half range of indices, then we will statistically lose information about $\mathsf {x}$. The reason is that $n/2-\lambda $ bits of information are lost about $\mathsf {x}$.

Rate-1 Two-Round Oblivious Transfer (OT): Another important application of trapdoor hash is in realizing rate-1 two-round OT protocols [DGI+19]. We say that an OT protocol achieves rate-1 if the ratio $|\mathsf {m}_0| / |\mathsf {ots} |$ asymptotically approaches one, where $\mathsf {ots} $ is the sender’s protocol message on a pair of inputs $(\mathsf {m}_0 \in \{0,1\}^n, \mathsf {m}_1 \in \{0,1\}^n)$ and on the corresponding message $\mathsf {otr} $ of the receiver. As shown by Ishai and Paskin [IP07], rate-1 OT leads to constructions of semi-compact homomorphic encryption for branching programs (where the ciphertext size grows only with the depth as opposed to the size of the program) as well as communication-efficient private-information retrieval (PIR) protocols. All these applications rely on the rate-1 property of the OT in a crucial way, allowing one to sequentially pass $\mathsf {ots} $ as an input to a new OT-sender’s message and pass the resulting $\mathsf {ots} $ to the next sender’s message and so on; this can continue for a polynomial number of times without having an exponential-size blowup. Trapdoor hash schemes provide an elegant way for realizing rate-1 OT [DGI+19]. Specifically, if the size of each message of the sender is n, the receiver on an input bit b sends n evaluations key $\mathsf {ek}_1, \dots , \mathsf {ek}_n$ corresponding to either indices in [1, n] or $[n+1, \dots , 2n]$. The sender then returns $(\mathsf {H}(\mathsf {hk}, \mathsf {m}_0 || \mathsf {m}_1)) , \mathsf {E}(\mathsf {ek}_1, \mathsf {m}_0 || \mathsf {m}_1), \dots , \mathsf {E}(\mathsf {ek}_n, \mathsf {m}_0 || \mathsf {m}_1)$. The receiver may then use his trapdoors to recover the corresponding message.^{Footnote 2} We have $|\mathsf {ots} | = n + \mathsf {poly}(\lambda )$, where $\mathsf {poly}$ is a fixed function, and hence the protocol has rate-1 (asymptotically). Döttling et al. [DGI+19] used the above protocol to get the first constructions of rate-1 OT from DDH, OR and LWE.

Lack of Batching Techniques for Evaluation Keys. In the examples above, the public key of the lossy TDF or the receiver’s message in the OT protocol each consists of O(n) TDH-evaluation keys. Under DDH instantiations of TDH [DGI+19], an evaluation key for any given index has O(n) group elements, resulting in $O(n^2)$ group elements for the whole range, an overhead alluded to earlier. Moreover, lack of batching methods affects similarly the other applications: the ciphertext size in the case of homomorphic encryption for branching programs, and the client’s message size in the case of PIR. While bilinear maps may open up venues for batching-style tricks [BW10, DGI+19], it is not clear how to do so without pairings. (See Sect. 1.3 for more details.)

Obtaining Linear-Sized Public Keys Asymptotically. We note that if one’s goal is solely to obtain TDFs with public-key size linear in input size, that is easy to do by making the input larger; e.g., $\mathsf {TDF} (\mathsf {ik}, \mathsf {x}_1 || \dots || \mathsf {x}_n) = \mathsf {TDF} (\mathsf {ik}, \mathsf {x}_1) || \cdots || \mathsf {TDF} (\mathsf {ik} _n, \mathsf {x}_n)$. Similarly, one may make the size of the receiver’s message $\mathsf {otr} $ in an OT protocol almost the same as that of the sender’s input, by making each of the sender’s input consist of (sufficiently) many blocks of messages and re-using $\mathsf {otr} $ across each opposite pair of them. These results are only for the asymptotic case, falling short in concrete cases. For example, increasing the size of the sender’s input messages (so to make the size of $\mathsf {otr} $ close to that of the sender’s message) translates into larger homomorphically-evaluated ciphertexts for branching programs.

1.1 Our Results

In this work, we will mitigate the above-mentioned issue, through efficient realizations of a new notion of range-trapdoor hash, which we introduce next.

Range-Trapdoor Hash. We introduce a notion called range-trapdoor hash functions, which is an immediate generalization of TDH schemes for index functions. In particular, under range-trapdoor hash, one would issue evaluation keys $\mathsf {ek}_I$ (based on a public parameter) for a range of indices $I = [i+1, ..., i+s ]$, in such a way that given $\mathsf {ek}_I$’s trapdoor key, one can recover $\mathsf {x}[I] := (\mathsf {x}_{i+1}, \dots , \mathsf {x}_{i+s})$ from $\mathsf {H}(\mathsf {hk}, \mathsf {x})$ and $\mathsf {E}(\mathsf {ek}_I, \mathsf {x})$. We require that $\mathsf {ek}_I$ should hide I (except for |I|) and that $|\mathsf {E}(\mathsf {ek}_I, \mathsf {x})| = |I|$. Under Diffie-Hellman type assumptions, we seek realizations where $\mathsf {ek}_I$ consists only of O(n) group elements, as opposed to O(n|I|).

Our Construction. We give constructions of range-trapdoor hash schemes, where on inputs of length n, an encoding key for a given range $I \subseteq [n]$ consists of O(n) group elements, irrespective of |I|. Our construction relies on the 2n-power DDH assumption—namely, that the distribution $(g, g^a, g^{a^2}, \dots , g^{a^{2n}})$ should be pseudorandom, where g is a random generator of the group and a is a uniformly-random exponent. This notion has been used in some previous works, e.g., [BB04, DY05, CNs07, AHI11, BMZ19], but for different purposes.

In addition to obtaining a smaller $\mathsf {ek}_I$, we obtain efficiency improvements in the computation time of the evaluation algorithm. Specifically, while the evaluation algorithm of [DGI+19] requires O(n|I|) group operations (among some other private-key operations), the number of public-key operations in our construction is only $O(n \log |I|)$. At a high level, we achieve this by designing our range-trapdoor hash scheme in a structured way, so that the evaluation involves multiplying a Toeplitz matrix (given in the exponent) with an input vector $\mathsf {x}^T$. Since Toeplitz matrices are closely related to circulant matrices which are amenable to the fast-Fourier transform, we show how to do this matrix multiplication in a fast way using (inverse) discrete Fourier transform (IDFT/DFT) modulo $\mathbb {Z}_p$ in the exponent.

Applications: Rate-1 Two-Message String OT and More. Our techniques yield a construction of string OT with rate-1 from the power-DDH assumption with improved communication and computation. Specifically, in our two round protocol the communication from receiver to sender consists of a linear (in sender’s message size) number of group elements. The previous work of [DGI+19] required a quadratic number of group elements by relying on DDH. Additionally, our construction also improves the computational cost of the sender—namely, our construction improves the computational effort of the sender from quadratic to quasi-linear. This allows us to obtain the following new results:

1.
Lossy Trapdoor Functions: We obtain the first construction of lossy trapdoor functions [PW08], where on inputs of size n, the public key consists of O(n) group elements. All previous (even non-lossy) TDF constructions from pairing-free groups had public keys with $O(n^2)$ group elements.
2.
Semi-Compact Homomorphic Encryption for Branching Programs: A construction of public-key homomorphic encryption for branching programs, with ciphertexts consisting of $O(\lambda n d^2)$ group elements, improving upon $O(\lambda ^2 n d^3)$ [DGI+19], where d denotes the depth of the program. We achieve this by plugging our rate-1 OT scheme into the homomorphic encryption construction of [IP07]. See Table 1.
3.
Private Information Retrieval: For a database of N bits, we get a two-message PIR protocol with total communication complexity that grows only polylogarithmically with the database size, and with a client’s message consisting of $O (\lambda ) \mathsf {polylog} (N) $ group elements, improving upon $O(\lambda ^2) \mathsf {polylog} (N)$, given by [DGI+19]. See Table 2.

Table 1. Bit complexity for branching programs. The size of public keys, secret keys and homomorphically-evaluated ciphertexts in both schemes are the same. Here $p = \varTheta (2^\lambda )$ is the group order, n is the input size of the program and d is the depth of the branching program.

Full size table

Table 2. Bit complexity: $p = \varTheta (2^\lambda )$ is the order of the group and n is the bit size of each of the sender’s message (in the case of OT) and N is the database size (in the case of PIR).

Full size table

1.2 Related Work and Open Problems

As mentioned above, Döttling et al. [DGI+19] introduced the notion of trapdoor hash, and used it to build several new primitives. Among others, they obtained the first DDH-based and QR-based constructions of PIR for one-bit records with a total communication complexity that grows polylogarithmically with the database size; i.e., it is $\mathsf {p}(\lambda ) \mathsf {polylog}(N))$ for a fixed function $\mathsf {p}$, where N is the database size and $\lambda $ is the security parameter. Previously, such protocols were only known under DCR, LWE and $\varPhi $-hiding assumptions [CMS99, Cha04, Lip05, OS07].

A recent result by Brakerski, Koppula and Mour [BKM20] shows how to build correlation-intractable hash functions for constant-degree functions from trapdoor hash schemes. This result is used in conjunction with appropriate commitment schemes (which can in turn be built from LPN) in order to instantiate the Fiat-Shamir paradigm for obtaining NIZK for all NP.

The notion of trapdoor hash builds on tools that were developed in the context of trapdoor function constructions [GH18, GGH19], as well as those developed in the context of identity-based encryption (IBE) [DG17b, DG17a, BLSV18, DGHM18].

Variants of TDFs are typically used as CCA-enhancing tools [PW08, RS09, GH18, GGH19]. Koppula and Waters [KW19] showed that for CCA applications, full randomness recovery, a feature provided by TDF-based tools, is not necessary. They gave a generic transformation from CPA to CCA for PKE and attribute-based encryption (ABE) using hinting pseudorandom generators (PRGs). The notion of hinting PRGs was later used in subsequent works in contexts such as designated-verifier NIZK [LQR+19] and CCA key-dependent-message (KDM) security [KMT19]. Boyen and Waters show that in the bilinear setting one may shorten the public key of lossy-TDF construction from a quadratic number of group elements to linear [BW10].

Concurrent Work. In independent and concurrent work, Goyal, Vusirikala and Waters [GVW19] give constructions of primitives such as hinting PRGs [KW19] and one-way function with encryption (OWFE) [GH18] with short public-parameter and ciphertext sizes. In terms of Diffie-Hellman related assumptions, they give (1) a construction of hinting PRGs from power-DDH-related assumptions (without pairings) with public parameters of O(n) group elements and (2) a construction of OWFE from pairing-based power-DDH-related assumptions with public parameters of O(n) group elements and ciphertexts of one group element. Specifically, their result (2) also leads to a construction of TDFs (and deterministic encryption) with public keys of O(n) group elements and images of O(n) bits. In contrast, in our work we do not use pairings, but focus primitives such as lossy TDFs and range-trapdoor hash schemes, which have applications in constructing OT and PIR.

Open Problems. The main open problem is to achieve the same results from DDH, LWE or QR. Also, it would be interesting to see if one can strengthen DDH (along the generalization of power-DDH from plain-DDH) which would allow one to build trapdoor-hash schemes beyond constant-degree polynomials (even without the range-compactness property).

1.3 Technical Overview

It will be instructive to give an overview of our results in the context of lossy TDFs and then to adapt them to the trapdoor-hash setting. Let us review an optimized version of the DDH-based lossy TDF of [PW08], given by [FGK+10]. Recall that in a group with a generator g, if we have an encoding $[\varvec{\mathsf {M}}] = g^{\varvec{\mathsf {M}}}$ of an invertible matrix $\varvec{\mathsf {M}}$ of exponents, we may encode any column vector $\mathsf {X}$ of bits by computing $\varvec{\mathsf {M}} \cdot \mathsf {X}$ in the exponent. One may invert using $\varvec{\mathsf {M}}^{-1}$. Lossiness is argued by making the matrix $\varvec{\mathsf {M}}$ rank one. The downside of this scheme is that a public key and an image point consist of, respectively, $n^2$ and n group elements, which is rather large. Recent works [GH18, GGH19], which in turn inspired the notion of TDH, showed how to make the image size linear in input size, but they still leave us with public keys of $O(n^2)$ group elements.

Parallels from Ideal Lattices? To make the public keys smaller, one may be tempted to draw inspirations from ideal lattices [LPR10, LPR13], and especially the way ring-LWE is used to shorten public keys. Sample a vector $\varvec{\mathsf {v}} := (g_1, \dots , g_n)$ and expand $\varvec{\mathsf {v}}$ into a “circulant-like” matrix

$$\begin{aligned} \varvec{\mathsf {M}} := \begin{pmatrix} g_1 &{} g_2 &{} \dots &{} g_{n-1} &{} g_n \\ g_2 &{} g_3 &{} \dots &{} g_n &{} g_1 \\ \vdots &{} \vdots &{} \vdots &{} \vdots &{} \vdots \\ g_n &{} g_1 &{} \ldots &{} g_{n-2} &{} g_{n-1} \end{pmatrix}, \end{aligned}$$

(1)

and use $\varvec{\mathsf {M}}$ as the public key of the TDF given above. The problem with this approach is that we do not know how to prove one-wayness. Even if there is a clever way to prove one-wayness, this approach does not appear to scale to give us more advanced schemes such as lossy TDFs, (range) trapdoor hash schemes, or TDFs with linear-sized outputs.

Circulant Structure Using Power DDH. We show how to work out the above intuition by relying on the power DDH assumption. Specifically, we give a way of expanding two vectors $(\varvec{\mathsf {v}} \in \mathbb {G}^{n} , \varvec{\mathsf {w}} \in \mathbb {G}^{2n-1})$ into an $(n+1) \times n$ matrix, and two indistinguishable distributions over $(\varvec{\mathsf {v}}, \varvec{\mathsf {w}})$, where under one distribution we can invert, while under the other, we will lose information.

Given two vectors $\varvec{\mathsf {v}} = (v_1, \dots , v_{n}) \in \mathbb {G}^{n}$ and $\varvec{\mathsf {w}} = (w_1, \dots , w_{2n-1}) \in \mathbb {G}^{2n-1}$, we expand them into an $(n+1) \times n$ matrix $\varvec{\mathsf {M}} = \mathsf {Expand} (\varvec{\mathsf {v}}, \varvec{\mathsf {w}})$ as follows:

$$\begin{aligned} \varvec{\mathsf {M}} := \begin{pmatrix} \varvec{\mathsf {m}}_1 \\ \varvec{\mathsf {m}}_2 \\ \vdots \\ \varvec{\mathsf {m}}_{n+1} \end{pmatrix} := \begin{pmatrix} v_1 &{} v_2 &{} \ldots &{} v_n \\ w_{n} &{} w_{n+1} &{} \ldots &{} w_{2n-1} \\ w_{n-1} &{} w_{n} &{} \ldots &{} w_{2n-2} \\ \vdots &{} \vdots &{} \ldots &{} \vdots \\ w_1 &{} w_2 &{} \ldots &{} w_n \\ \end{pmatrix} \in \mathbb {G}^{(n+1) \times n} \end{aligned}$$

(2)

To evaluate an input $\mathsf {x}\in \{0,1\}^n$ using $\varvec{\mathsf {M}} $, return $(\mathsf {x}\cdot \varvec{\mathsf {m}}_1 , \dots , \mathsf {x}\cdot \varvec{\mathsf {m}}_{n+1} )$, where $\mathsf {x}\cdot \varvec{\mathsf {v}} := \prod _{i=1}^n v_i^{\mathsf {x}_i}$. Define the lossy distribution $\mathsf {lossy} $ as

$$\begin{aligned} \mathsf {lossy} ~~&\varvec{\mathsf {v}} := (g^{\alpha }, g^{\alpha ^2} , \dots , g^{\alpha ^n}) \\&\varvec{\mathsf {w}} := (g^{r \alpha }, g^{r \alpha ^2} , \dots , g^{r \alpha ^{2n-1}}). \end{aligned}$$

If $(\varvec{\mathsf {v}}, \varvec{\mathsf {w}}) \xleftarrow {\$}\mathsf {lossy} $, then $\varvec{\mathsf {M}} := \mathsf {Expand} (\varvec{\mathsf {v}}, \varvec{\mathsf {w}})$ will be of rank one, statistically losing information about $\mathsf {x}$. We set the real (i.e., injective) distribution by putting a bump g on the nth element of $\varvec{\mathsf {w}}$:

$$\begin{aligned} {} \mathsf {real} ~~ \varvec{\mathsf {v}} := (g^{\alpha }, g^{\alpha ^2} , \dots , g^{\alpha ^n}) \end{aligned}$$

(3)

(4)

To see how to invert in injective mode, notice that the matrix $\varvec{\mathsf {M}} := \mathsf {Expand} (\varvec{\mathsf {v}}, \varvec{\mathsf {w}})$ is

(5)

where the bump propagates as indicated. Using the trapdoor values $\alpha $ and r, we show how to recover the ith bit of $\mathsf {x}$ from the image $\mathsf {u}:= (g_h, g_1, \dots , g_n) := (\mathsf {x}\cdot \varvec{\mathsf {m}}_1 , \dots , \mathsf {x}\cdot \varvec{\mathsf {m}}_{n+1} ) $. To do this, notice that the bump that affects the ith bit of $\mathsf {x}$ occurs in row $i+1$ of matrix $\varvec{\mathsf {M}}$, which is off the first row by an exponent $r \alpha ^{n-i}$ (excluding the bump). Thus, we may compute $g^{\mathsf {x}_i} \in \{ g^0, g^1\}$ as

$$\begin{aligned} g^{\mathsf {x}_i} = \frac{g_{i}}{g_h^{r \alpha ^{n-i}}} \in \{g^0, g^1\}. \end{aligned}$$

(6)

Finally, the indistinguishability between $\mathsf {lossy} $ and $\mathsf {real} $ follows from $(2n-1)$-power DDH, which implies that the distribution $((g^{\alpha }, g^{\alpha ^2} , \dots , g^{\alpha ^{2n-1}}), (g^{r \alpha }, g^{r \alpha ^2} , \dots , g^{r \alpha ^{2n-1}}))$ is pseudorandom: the pseudorandom of the first vector comes from $2n-1$-power DDH and the pseudorandomness of the second one is implied by the fact that t-power (for $t \ge 3$) implies DDH (Lemma 1).

Source of Computational Efficiency. Excluding the first row of matrix $\varvec{\mathsf {M}}$, the rest of the matrix is Toeplitz-like, which, if given in the clear as opposed to in the exponent, can be multiplied with any given vector in time $O(n \log n)$ using discrete FFT techniques. We observe that this computation may in fact be carried out in the exponent, enabling a relatively fast way of $O(n \log n)$ group exponentiations for evaluating an input. See Sect. 4 for more details.

Making the Image Shorter. The public key of the above lossy TDF has O(n) group elements, a goal we had set before. The image, however, is quite large, consisting of $n+1$ group elements. We now show how to use image-shrinking techniques of Garg, Gay and Hajiabadi [GGH19] (later improved by Döttling et al. [DGI+19]) in order to make the image size linear in input size. Looking ahead, this will allow us to make $|\mathsf {E}(\mathsf {ek}_I, \mathsf {x})| = |I|$, where $\mathsf {ek}_I$ is the TDH-evaluation key for a range I. For concreteness, let us focus on how to recover the first bit $\mathsf {x}_1$ from a succinct output. If the corresponding (long) image of $\mathsf {x}$ is $\mathsf {u}:= (g_h, g_1, \dots , g_n)$, then for recovering $\mathsf {x}_1$ we have to look at $g_h$ and $g_1$: we either have $g_1 = g_h^{r \alpha ^{n-1}}$, in which case $\mathsf {x}_n =0$, or $g_1 = g g_h^{r \alpha ^{n-1}} $, in which case $\mathsf {x}_n = 1$ (or informally, $\mathsf {x}_n$ has hit the bump). Now instead of outputting one whole group element $g_1$, we output a single bit, corresponding to the output of a hint function $\varPhi _k : \mathbb {G}\rightarrow \{0,1\}$ on $g_1$. This function guarantees that for any $g^* \in \mathbb {G}$, the probability that $\varPhi _k(g^*) = \varPhi _k(g^* g)$ (a.k.a., the hung probability) is very small, where k is chosen at random (and included in the public key). The inverter will then match $\varPhi _k(g_1)$, comes as part of the image, against $\varPhi _k(g_h^r)$ and $\varPhi _k(g_h^r g)$, hence decoding $\mathsf {x}_1$. Garg, Gay and Hajiabadi [GGH19] gave a function $\varPhi $ which outputs a constant c number of bits (instead of a single bit) with hung probability being $\textstyle {\frac{1}{2^c}}$. Later, Döttling et al. [DGI+19] substantially improved this by making $\varPhi $ output a single bit with hung probability being at most $\textstyle {\frac{1}{n^c}}$, for any desired constant c. They achieved this by using a PRF-based distance-function technique from [BGI16]. Finally, since the inversion algorithm may fail (i.e., be hung) for some indices, we pre-process the TDF input using erasure-correcting codes, making the task of decoding easier.

Adaptation to the Trapdoor Hash Setting. The lossy TDF sketched above (without erasure-correcting codes) lends itself naturally into the range TDH setting. Recall that for range trapdoor hash, we encode an index range $I = [s+1, s+t]$ into an encoding key $\mathsf {ek}$ in such a way that (1) $\mathsf {ek}$ only reveals |I| and (2) Using the associated trapdoors, one can recover each bit of $\mathsf {x}[I]$ with high probability from $\mathsf {H}(\mathsf {hk}, \mathsf {x})$ and $\mathsf {E}(\mathsf {ek}, \mathsf {x}) \in \{0,1\}^{|I|}$. Moreover, $\mathsf {ek}$ should only contain O(n) group elements (as opposed to O(n|I|)).

We achieve range-trapdoor hash by carefully placing the bump in a coordinate which enables recovery of exactly $\mathsf {x}[I]$, but nothing more. First, let $\mathsf {hk}:= \varvec{\mathsf {v}} := (g^{\alpha }, g^{\alpha ^2} , \dots , g^{\alpha ^n})$ and define $\mathsf {H}(\mathsf {hk}, \mathsf {x}) = \mathsf {x}\cdot \varvec{\mathsf {v}} $. Assuming $I = [s+1, s+t]$ and noting that $|I| = t$, set $\mathsf {ek}:= (\varvec{\mathsf {w}}, t)$, where

(7)

obtained from $\mathsf {hk}$ by raising every element to the power of r and putting the bump g in the $(s+t)$’th coordinate. Now to evaluate $\mathsf {x}$ on $\mathsf {ek}:= (\varvec{\mathsf {w}} , t+1)$, return

$$(\mathsf {x}\cdot \varvec{\mathsf {w}}[t, n+t-1], \mathsf {x}\cdot \varvec{\mathsf {w}}[t-1, n+t-2], \dots , \mathsf {x}\cdot \varvec{\mathsf {w}}[1,n] ) \in \mathbb {G}^n,$$

where $\varvec{\mathsf {w}}[i,j]$ denotes the elements of $\varvec{\mathsf {w}}$ which are in the range $\{i, i+1, \dots ,j\}$. Given $\alpha $ and r we may recover all the bits $\mathsf {x}[s, s+t]$. The only remaining thing is that the output of $\mathsf {E}$ consists of t group elements, as opposed to t bits. We make it consist of t bits by using image-shrinking techniques described above.

2 Preliminaries

Notation. We use $\lambda $ for the security parameter. We use ${\mathop {\equiv }\limits ^{c}} $ to denote computational indistinguishability and use $\equiv $ to denote two distributions are identical. For a distribution $\mathcal {S}$ we use $x \xleftarrow {\$}\mathcal {S}$ to mean x is sampled according to $\mathcal {S}$ and use $y \in \mathcal {S}$ to mean $y \in \sup (\mathcal {S}) $, where $\sup $ denotes the support of a distribution. For a set $\mathsf {S}$ we overload the notation to use $x \xleftarrow {\$}\mathsf {S}$ to indicate that x is chosen uniformly at random from $\mathsf {S}$. If $ \mathsf {A}(x_1, \dots , x_n )$ is a randomized algorithm, then $\mathsf {A} (a_1, \dots , a_n)$, for deterministic inputs $a_1, \dots , a_n$, denotes the random variable obtained by sampling random coins r uniformly at random and returning $\mathsf {A}(a_1, \dots , a_n; r)$. We use $[n] := \{1, \dots , n\}$ and $[i, i+s] := \{i, i+1, \dots , i+s\}$. For a vector $\varvec{\mathsf {v}} = (v_1, \dots , v_n)$ we define $\varvec{\mathsf {v}}[i , i+s] := (v_i, v_{i+1}, \dots , v_{i+s})$.

2.1 Standard Definitions and Lemmas

Definition 1

(Trapdoor functions (TDFs)). Let $n = n(\lambda )$ be a polynomial. A family of trapdoor functions $\mathsf {TDF} $ with domain $\{0,1\}^n$ consists of three PPT algorithms $ \mathsf {TDF}.\mathsf {KG}$, $ \mathsf {TDF}.\mathsf {F} $ and $ \mathsf {TDF}.\mathsf {F^{-1}} $ with the following syntax and security properties.

$\mathsf {TDF}.\mathsf {KG}(1^\lambda )$: Takes $1^\lambda $ as input, and outputs a pair $(\mathsf {ik}, \mathsf {tk})$ of index/trapdoor keys.
$\mathsf {TDF}.\mathsf {F} (\mathsf {ik}, \mathsf {x})$: Takes an index key $\mathsf {ik} $ and a domain element $\mathsf {x} \in \{0,1\}^n$ and deterministically outputs an image element $\mathsf {u}$.
$\mathsf {TDF}.\mathsf {F^{-1}} (\mathsf {tk}, \mathsf {u})$: Takes a trapdoor key $\mathsf {tk} $ and an image element $\mathsf {u}$ and outputs a value $\mathsf {x} \in \{0,1\}^n \cup \{ \bot \}$.

We require the following properties.

Correctness: $\Pr [\exists \mathsf {x} \in \{0,1\}^n \text { s.t. } \mathsf {TDF}.\mathsf {F^{-1}} (\mathsf {tk}, \mathsf {TDF}.\mathsf {F} (\mathsf {ik}, \mathsf {x})) \ne \mathsf {x}] = \mathsf{negl}(\lambda ),$ where the probability is taken over $(\mathsf {ik}, \mathsf {tk}) \xleftarrow {\$}\mathsf {TDF}.\mathsf {KG}(1^\lambda )$.
One-wayness: For any PPT adversary $\mathcal {A}$: $\Pr [\mathcal {A}(\mathsf {ik}, \mathsf {u}) = \mathsf {x}] = \mathsf{negl}(\lambda )$, where $(\mathsf {ik}, \mathsf {tk}) \xleftarrow {\$}\mathsf {TDF}.\mathsf {KG}(1^\lambda )$, $\mathsf {x} \xleftarrow {\$}\{0,1\}^n$ and $\mathsf {u}:= \mathsf {TDF}.\mathsf {F} (\mathsf {ik}, \mathsf {x})$.

Definition 2

(Lossy TDFs [PW08, PW11]). An (n, k)-lossy TDF ((n, k)-LTDF) is given by four PPT algorithms $\mathsf {TDF}.\mathsf {KG}$, $\mathsf {TDF}.\mathsf {KG}_\mathrm {ls}$, $\mathsf {TDF}.\mathsf {F} $, $\mathsf {TDF}.\mathsf {F^{-1}} $, where $\mathsf {TDF}.\mathsf {KG}_\mathrm {ls}(1^\lambda )$ only outputs a single key (as opposed to a pair of keys), and where the following properties hold:

Correctness in real mode. The TDF $(\mathsf {TDF}.\mathsf {KG}, \mathsf {TDF}.\mathsf {F}, \mathsf {TDF}.\mathsf {F^{-1}})$ satisfies correctness in the sense of Definition 1.
k-Lossiness. For all but negligible probability over the choice of $\mathsf {ik} _{\mathrm {ls}} \xleftarrow {\$}\mathsf {TDF}.\mathsf {KG}_\mathrm {ls}(1^\lambda )$, we have $|\mathsf {TDF}.\mathsf {F} (\mathsf {ik} _{\mathrm {ls}}, \{0,1\}^n) | \le 2^k$, where we use $\mathsf {TDF}.\mathsf {F} (\mathsf {ik} _{\mathrm {ls}}, \{0,1\}^n)$ to denote the set of all images of $\mathsf {TDF}.\mathsf {F} (\mathsf {ik} _{\mathrm {ls}}, \cdot )$.
Indistinguishability of real and lossy modes. We have $\mathsf {ik} {\mathop {\equiv }\limits ^{c}} \mathsf {ik} _{\mathrm {ls}} $, where $(\mathsf {ik}, *) \xleftarrow {\$}\mathsf {TDF}.\mathsf {KG}(1^\lambda )$ and $\mathsf {ik} _{\mathrm {ls}} \xleftarrow {\$}\mathsf {TDF}.\mathsf {KG}_\mathrm {ls}(1^\lambda )$.

Lossiness Rate. In the definition above, we refer to the fraction $1 - k/n$ as the lossiness rate, describing the fraction of the bits lost. Ideally, we want this fraction to be as close to 1 as possible, e.g., $1 - o(1)$.

Expansion Rate. In the definition above, we refer to n/|u| as the expansion rate, and say the scheme has rate 1 if this fraction approaches one asymptotically.

2.2 Computational Assumptions

We review the power DDH assumption, used in our constructions. This notion is a variant of the t-Diffie-Hellman Inversion (t-DHI) problem [BB04]: given $(g, g^{\alpha } , \dots , g^{\alpha ^t} )$ the adversary should distinguish $g^{1/\alpha }$ from random. Under our variant, we require the whole distribution $(g^{1/\alpha } , g, g^{\alpha } , \dots , g^{\alpha ^t} )$ to be pseudorandom. We present this version, called power-DDH [CNs07], below.

Definition 3

(t-power DDH assumption [CNs07, AHI11]). Let $\mathsf {G}$ be a group-generator scheme, which on input $1^\lambda $ outputs $(\mathbb {G}, p, g)$, where $\mathbb {G}$ is the description of a group, p is the order of the group which is always a prime number and g is a generator for the group. Let $t := t(\lambda )$. We say that $\mathsf {G}$ is t-DDH-hard if the distribution $(g, g^\alpha , \dots , g^{\alpha ^t})$ is pseudorandom, where $(\mathbb {G}, p, g) \xleftarrow {\$}\mathsf {G}(1^\lambda )$ and $\alpha \xleftarrow {\$}\mathbb {Z}_p$.

Boneh and Boyen [BB04] show that t-DHI implies the so-called $(t+1)$-generalized Diffie-Hellman ($(t+1)$-generalized DH): given $(g, g^{a_1}, \dots , g^{a_t})$ and an oracle that for any given proper subset $S \subset [t]$ returns $g^{\varPi _{i \in S} a_i }$, the adversary should distinguish $g^{a_1 ... a_t}$ from random. The following lemma gives an adaptation of this lemma to the power-DDH setting for a very simple case: namely that power-DDH hadrness implies DDH hardness.

Lemma 1

Let $\mathsf {G}$ be t-power DDH hard. Then $(g_1, g_1^\alpha , \dots , g_1^{\alpha ^t})$ is pseudorandom, where $(\mathbb {G}, p, g) \xleftarrow {\$}\mathsf {G}(1^\lambda )$, $g_1 \xleftarrow {\$}\mathbb {G}$ and $\alpha \xleftarrow {\$}\mathbb {Z}_p$.^{Footnote 3} Also, for any $t \ge 3$, if a group is t-power DDH hard, it is also DDH-hard.

Proof

The first part of the lemma follows straightforwardly using random self reducibility. The second part follows immediately from techniques of [BB04], but we give the proof for completeness. Notice that if a group is $t+1$-power DDH hard, then it is also t-power DDH hard. Thus, it suffices to show that 3-power DDH hardness implies DDH hardness. Suppose for a group $\mathbb {G}$ there is a DDH adversary $\mathcal {A}$ that can distinguish $(g, g^a, g^b, g^{ab})$ from random. We want to use $\mathcal {A}$ to distinguish $(g, g^{\alpha }, g^{\alpha ^2} , g^{\alpha ^3})$ from random, hence breaking 3-power DDH hardness. The problem is that $\mathcal {A}$ is only guaranteed to work as long as the two exponents a and b are chosen uniformly at random—while in the 3-power DDH case the two exponents $\alpha $ and $\alpha ^2$ are correlated.

To fix the above problem, we use the random-self reducibility of DDH [NR97]. That is, letting $(g, g_1, g_2, g_3) $ be the challenge tuple, we sample $r_1, r_2 \xleftarrow {\$}\mathbb {Z}_p$ and call $\mathcal {A}$ on $(g, g_1^{r_1}, g_2^{r_2}, g_3^{r_1 r_2})$.

It is easy to see that the above transformation converts a 3-power DDH tuple into a random DDH tuple, and converts a random tuple into another random tuple. $\square $

2.3 Standard Lemmas

Lemma 2

(Chernoff inequality). Let X be binomially distributed with parameters $n \in \mathbb {N} $ and $p \in [0,1]$. Assuming $p' > p$:

$$ \Pr [X > 2 p'n] < e^{-p' n / 3}. $$

In some of our proofs, we need to use a version of Chernoff bounds involving Bernoulli variables which are not necessarily independent, but where each of them has a bounded probability of success, conditioned on any fixed sequence of outcomes of the others. We give such a version of the Chernoff inequality below, and prove it by relying on Lemma 2.

Lemma 3

(Chernoff inequality with bounded dependence). Let $X_1, \ldots ,X_n$ be Bernoulli variables (not necessarily independent), where for all i, and for all values $b_1, \dots , b_{i-1}, b_{i+1}, \dots , b_n$:

$$\begin{aligned} \Pr [X_i = 1 \mid X_1 = b_1, \dots , X_{i-1} = b_{i-1}, X_{i+1} = b_{i+1}, \dots , X_{n} = b_{n} ] \le p. \end{aligned}$$

(8)

Assuming $p' > p$:

$$ \Pr [\sum _{i \in [n]}X_i > 2 p' n] < e^{-p' n / 3}. $$

Proof

We will define n random variables $X'_1, \dots , X'_n$ and also n independent i.i.d. boolean random variables $Y_1, \dots , Y_n$, where $\Pr [Y_1] = p$, and where

1.
$(X'_1, \dots , X'_n)$ is identically distributed as $(X_1, \dots , X_n)$; and
2.
for all $i \in [n]$, $X'_i \le Y_i$.

Thus

$$ \Pr _{(X_1, \dots , X_n)}[\sum _{i \in [n]}X_i> 2 p' n] = \Pr _{(X'_1, \dots , X'_n)}[\sum _{i \in [n]}X'_i> 2 p' n] \le \Pr [\sum _{i \in [n]}Y_i > 2 p' n] < e^{-p' n / 3}, $$

where the last inequality comes from Lemma 2.

To define $Y_i$, let $U_i$ for $i \in [n]$ be i.i.d. real-valued random variables, each uniformly distributed over [0, 1]. For $i \in [n]$ let $Y_i$ be the Bernouli random variable where $Y_i = 1$ iff $U_i \le p$.

For $b_1, \dots , b_{i-1} \in \{0,1\}$ define $\mathcal {Z} = \Pr [X_1]$ and

$$ \mathcal {Z}(b_1, \dots , b_{i-1}) = \Pr [X_i = 1 | X_1 = b_1, \dots , X_{i-1} = b_{i-1}] . $$

We may now represent the joint distribution $(X_1, \dots , X_n)$ as

$$\begin{aligned} (X'_1, \dots , X'_n) := (U_1 \le \mathcal {Z}, U_2 \le \mathcal {Z}(X_1), \dots , U_n \le \mathcal {Z}(X_1, \dots , X_{n-1})), \end{aligned}$$

(9)

where $A \le B$ is the Bernoulli random variable which is one if and only if $A \le B$.

We now show that whenever $U_i \le \mathcal {Z}(X_1, \dots , X_{i-1}) $, we have $Y_i = 1$, as desired. To see this, recall that by Eq. 8 $\mathcal {Z}(X_1, \dots , X_{i-1}) \le p$. Thus, whenever $U_i \le \mathcal {Z}(X_1, \dots , X_{i-1}) $, we have $U_i \le p$, which means $Y_i = 1$. The proof is now complete. $\square $

2.4 Error Correcting Codes

Definition 4

($(n, m , s)_2$-Codes). We recall the notion of $(n, m , s)_2$ erasure-correcting codes. Such a code is given by efficiently computable functions $(\mathsf {Encode}, \mathsf {Decode})$, where $\mathsf {Encode}: \{0,1\}^n \rightarrow \{0,1\}^{m}$, and where

1.
Minimum distance. For any two distinct $\mathsf {x}_1, \mathsf {x}_2 \in \{0,1\}^n$, $\mathsf {H_{\mathrm {dst}}} (\mathsf {Encode}(\mathsf {x}_1) ,\mathsf {Encode}(\mathsf {x}_2)) \ge s$, where $\mathsf {H_{\mathrm {dst}}} $ denotes the Hamming distance.
2.
Erasure correction. For any $\mathsf {x}\in \{0,1\}^n$, letting $\mathsf {z} := \mathsf {Encode}(\mathsf {x})$, given any string $\mathsf {z}' \in \{0,1 , \bot \}^m$, which has at most $s-1$ $\bot $ symbols, and whose all non-$\bot $ symbols agree with $\mathsf {z}$, we have $\mathsf {Decode} (\mathsf {z}') = \mathsf {x}$.

We are interested in rate-1 codes (that is, n/m approaches 1 asymptotically) with fast encoding and decoding algorithms. If we are willing to settle for a constant rate (as opposed to rate 1), there are binary concatenated codes which are linear time for both encoding and decoding; see, e.g., [GI05], Theorem 6. For rate-1 binary codes, we use the following code from [CDD+16].

Theorem 1

([CDD+16], Theorem 6). Fix a finite field $\mathbb {F}$ of constant size. There exists a constant $\upsilon > 0 $ and a family of $\mathbb {F}$-linear codes $\mathrm {C} = \{\mathrm {C} _s \}_s$ with codeword length $O(s^2)$, rate $1 - \textstyle {\frac{1}{s^\upsilon }}$ and minimum distance at least s. Moreover, $\mathrm {C} $ admits a linear-time computable encoding algorithm $\mathsf {Encode}$.

3 Lossy TDFs with Short Public Keys from Power DDH

As a warm-up to our range-trapdoor hash construction, we first give a construction of rate-1 lossy TDFs from the O(n)-power DDH assumption, wherein a public key has only O(n) group elements.

For our construction, we need a function $\varPhi :\mathbb {G}\rightarrow \{0,1\}$ which has the property that for any group element h, $\varPhi (h) \ne \varPhi (h g)$ with high probability. The work of Boyle, Gilboa and Ishai [BGI16] gives such a function. Below we review an adaptation of this function to the binary output space, as done by [DGI+19]. In what follows, we use $\mathsf {LSB} (i)$ to denote the least significant bit of i.

Distance Function $\mathsf {Dist} _{\mathbb {G},g}(h,\delta ,M,f)$ [BGI16]. Given a group $\mathbb {G}$ with a generator g, a group element h, a value $0< \delta < 1$, integer $M \ge 1$ and a function $f : \mathbb {G}\rightarrow \{0,1\}^{\log (2M / \delta )}$, we define a function $\mathsf {Dist} $ as follows:

1.
Let $T := [2 M \log _e(2 / \delta )] / \delta $ and set $i := 0$.
2.
While $i \le T$:
1. (a)
  if $f(h g^i) = 0^{\log (2M / \delta )}$, then output $\mathsf {LSB} (i)$, otherwise set $i = i+1$.
3.
Output $\mathsf {LSB} (i)$.

T-Close/Far Group Elements. For an integer T, we say two group elements $g_1$ and $g_2$ are T-close with respect to g if $g_2 \in \{g_1, g_1 g, \dots , g_1 g^T \}$ or $g_1 \in \{g_2, g_2 g, \dots , g_2 g^T \}$. We say $g_1$ and $g_2$ are at least $(T+1)$-far with respect to g if $g_1$ and $g_2$ are not T-close with respect to g. When g is clear from the context, we simply say $g_1$ and $g_2$ are T-far/T-close.

The following lemma is from [BGI16], giving a distance function, defined based on a randomly chosen function f, which serves a hint bit in our construction (i.e., the function $\varPhi $ described above). We will later replace such a random function with a PRF.

Lemma 4

(Proposition 3.2 in [BGI16]). Let $\mathbb {G}$ be a group of prime order p, $g \in \mathbb {G}$, $M \in \mathbb {N}$, $\delta > 0 $ and assume $[2 M \log _e{(2/\delta )}] / \delta < p$. Let $\mathsf {RF} $ be the set of all functions $f: \mathbb {G}\rightarrow \{0,1\}^{\lceil \log (2M / \delta )\rceil }$. Then for any integer $x \le M$ and $h \in \mathbb {G}$

$$\begin{aligned} \Pr _{f \xleftarrow {\$}\mathsf {RF}}\left[ \mathsf {Dist} _{\mathbb {G}, g}(h, \delta , M, f) = \mathsf {LSB} (x) - \mathsf {Dist} _{\mathbb {G}, g}(h g^x, \delta , M, f) \right] \ge 1- \delta . \end{aligned}$$

(10)

Moreover, for any set of group elements $h_1, \dots , h_m$ which are mutually at least $(T+2)$-far, the events $\mathsf {Success} _1, \dots , \mathsf {Success} _m$ are independent, where $\mathsf {Success} _i$ is the event that $\mathsf {Dist} _{\mathbb {G}, g}(h_i, \delta , M, f) = 1 - \mathsf {Dist} _{\mathbb {G}, g}(h_i g, \delta , M, f)$.

Proof

The first part of the lemma was proved in [BGI16]. The second part follows because (1) f is chosen at random and (2) for any group element h, the outputs of $\mathsf {Dist} _{\mathbb {G}, g}(h, \delta , M, f)$ and $\mathsf {Dist} _{\mathbb {G}, g}(hg, \delta , M, f)$ only depend on the outputs of f on $\{h, h g, h g^2, \dots , h g^{T+1} \} $. $\square $

Notation. For $\mathsf {x}\in \{0,1\}^n$ and $\varvec{\mathsf {v}} := (g_1, \dots , g_n) \in \mathbb {G}^n$ we define $\mathsf {x}\cdot \varvec{\mathsf {v}} := \prod _{i=1}^n g_i^{\mathsf {x}_i}$.

Construction 2

(Doubly-Linear lossy TDF). Let $\mathsf {G}$ be a group scheme and let $(\mathsf {Encode}, \mathsf {Decode})$ for $\mathsf {Encode}:\{0,1\}^n \rightarrow \{0,1\}^m$ be an ECC code. Let $\ell := \log (2 / \delta ) $ and let $\mathsf {PRF}: \mathbb {G}\rightarrow \{0,1\}^\ell $ be a PRF with key space $\{0,1\}^\lambda $. We will instantiate the value of $\delta $ later.

$\mathsf {TDF}.\mathsf {KG}(1^\lambda )$:
1. 1.
  Sample $(\mathbb {G}, p, g) \xleftarrow {\$}\mathsf {G}(1^\lambda )$. Sample $\alpha , r \xleftarrow {\$}\mathbb {Z}_p$ and set
  $$\begin{aligned} {} \varvec{\mathsf {v}} := ( g^\alpha , g^{\alpha ^2} , \dots , g^{\alpha ^{m}}) \end{aligned}$$
  (11)
  
  (12)
2. 2.
  Sample a key $K \xleftarrow {\$}\{0,1\}^\lambda $ for $\mathsf {PRF} $.
3. 3.
  Set $\mathsf {ik}:= (K, g , \varvec{\mathsf {v}}, \varvec{\mathsf {w}})$ and $\mathsf {tk}: = (K , g , \alpha , r)$. Return $(\mathsf {ik}, \mathsf {tk})$.
$\mathsf {TDF}.\mathsf {KG}_\mathrm {ls}(1^\lambda )$: Return $\mathsf {ik} _{\mathrm {ls}}:= (g, \varvec{\mathsf {v}} , \varvec{\mathsf {w}}' )$, where g, $\varvec{\mathsf {v}}$ are as above, and
$$\begin{aligned} \varvec{\mathsf {w}}' := (g^{r \alpha }, g^{r \alpha ^2} , \dots , g^{r \alpha ^{2 m-1}}). \end{aligned}$$
(13)
$\mathsf {TDF}.\mathsf {F} (\mathsf {ik}, \mathsf {x}\in \{0,1\}^n)$: Parse $\mathsf {ik}:= (g , \varvec{\mathsf {v}} , \varvec{\mathsf {w}})$ and $\mathsf {z} := \mathsf {Encode}(\mathsf {x})$. For $1 \le i \le m$
1. 1.
  Let $\varvec{\mathsf {w}}'_i = \varvec{\mathsf {w}}[m+1-i, 2m-i]$.
2. 2.
  Let $g_i = \mathsf {z} \cdot \varvec{\mathsf {w}}'_i $.
3. 3.
  Let $b_i := \mathsf {Dist} _{\mathbb {G}, g}(g_i, \delta , 1, \mathsf {PRF} _K)$.
Let $g_c := \mathsf {z} \cdot \varvec{\mathsf {v}}$ and return
$$\begin{aligned} \mathsf {u}:= (g_c, b_1, \dots , b_m). \end{aligned}$$
(14)
$\mathsf {TDF}.\mathsf {F^{-1}} (\mathsf {tk}, \mathsf {u})$: Parse $\mathsf {u}:= (g_c, b_1, \dots , b_m)$. Recover $\mathsf {z}$ bit-by-bit as follows. For $i \in [m]$:
1. 1.
  Let $g_{i,0} = g_c^{r \alpha ^{m-i}}$ and $g_{i,1} = g_{i,0} g$.
2. 2.
  If
  1. (a)
    $\mathsf {Dist} _{\mathbb {G}, g}(g_{i,0}, \delta , 1, \mathsf {PRF} _K) = \mathsf {Dist} _{\mathbb {G}, g}(g_{i,1}, \delta , 1, \mathsf {PRF} _K)$, then set $\mathsf {z}_i = \bot $;
  2. (b)
    Else, let b the bit for which $\mathsf {Dist} _{\mathbb {G}, g}(g_{i,b}, \delta , 1, \mathsf {PRF} _K) = b_i$, and set $\mathsf {z}_i = b$.
Return $\mathsf {Decode} (\mathsf {z})$.

We now prove all the required properties of the scheme.

Lemma 5

(Mode indistinguishability). We have $\mathsf {ik} {\mathop {\equiv }\limits ^{c}} \mathsf {ik} _{\mathrm {ls}} $, where $\mathsf {ik} \xleftarrow {\$}\mathsf {TDF}.\mathsf {KG}(1^\lambda )$ and $\mathsf {ik} _{\mathrm {ls}} \xleftarrow {\$}\mathsf {TDF}.\mathsf {KG}_\mathrm {ls}$.

Proof

Follows immediately from $(2m-1)$-power DDH (Lemma 1). $\square $

Lemma 6

(Lossiness). Assuming p is the oder of the group, for any $\mathsf {ik} _{\mathrm {ls}} \in \mathsf {TDF}.\mathsf {KG}_\mathrm {ls}(1^\lambda )$,

$$\begin{aligned} | \mathsf {TDF}.\mathsf {F} (\mathsf {ik} _{\mathrm {ls}}, \{0,1\}^n)| \le p. \end{aligned}$$

Proof

Parse $\mathsf {ik} _{\mathrm {ls}}:= (g, \varvec{\mathsf {v}} , \varvec{\mathsf {w}}' )$, where $\varvec{\mathsf {v}}$ is sampled as in Eq. 11 and $\varvec{\mathsf {w}}'$ is sampled as in Eq. 13. We claim the following: for any $\mathsf {x}', \mathsf {x}' \in \{0,1\}^n$, letting $\mathsf {z} := \mathsf {Encode}(\mathsf {x})$ and $ \mathsf {z}' := \mathsf {Encode}(\mathsf {x}')$, if $\mathsf {z} \cdot \varvec{\mathsf {v}} = \mathsf {z}' \cdot \varvec{\mathsf {v}}$, then $\mathsf {TDF}.\mathsf {F} (\mathsf {ik} _{\mathrm {ls}}, \mathsf {x}) = \mathsf {TDF}.\mathsf {F} (\mathsf {ik} _{\mathrm {ls}}, \mathsf {x}) $. Assuming the claim holds, the lemma follows immediately. This is because, under the lossy key $\mathsf {ik} _{\mathrm {ls}} $, once the first component $g_c$ of the image $\varvec{\mathsf {u}} := (g_c, \dots )$ is determined, the rest of the output is uniquely determined. To prove the claim, suppose $g_c = \mathsf {z} \cdot \varvec{\mathsf {v}} = \mathsf {z}' \cdot \varvec{\mathsf {v}} $. Notice that the group element $g_i$ computed in Line 2 of $\mathsf {TDF}.\mathsf {F} $ is equal to the fixed element $g_c^{r \alpha ^{m-i}}$, irrespective of whether the underlying input is $\mathsf {x}$ or $\mathsf {x}'$. This follows from the way $\varvec{\mathsf {w}}'$ is formed (Eq. 13). The proof is now complete. $\square $

Lemma 7

(Correctness). Let $(\mathsf {Encode}, \mathsf {Decode})$ be an $(n, m , s)_2$ code, where $n = \lambda +\omega (\log \lambda )$. Assuming $\delta \le \textstyle {\frac{s-1}{2m}}$ and $T := [2 \log _e(2 / \delta )] / \delta = \mathsf {poly}(\lambda )$, for any input $\mathsf {x}$:

$$\begin{aligned} \beta (\lambda ) := \Pr _{(\mathsf {ik}, \mathsf {tk}) }[\mathsf {TDF}.\mathsf {F^{-1}} (\mathsf {tk}, \mathsf {TDF}.\mathsf {F} (\mathsf {ik}, \mathsf {x})) \ne \mathsf {x}] \le \frac{1}{\mathsf {e}^{\frac{s-1}{6}}} + \mathsf{negl}(\lambda ) , \end{aligned}$$

(15)

where the probability is taken over $(\mathsf {ik}, \mathsf {tk}) \xleftarrow {\$}\mathsf {TDF}.\mathsf {KG}(1^\lambda )$. In particular, by setting $n = \lambda +\omega (\log \lambda )$, $s \in \omega (\log \lambda )$ and $\delta \le \textstyle {\frac{s-1}{2m}}$, we will have a negligible inversion error.

Proof

Fix $\mathsf {x}\in \{0,1\}^n$ and let $\mathsf {z} := \mathsf {Encode}(\mathsf {x})$. Consider a variant of Construction 2, in which we replace the PRF $\mathsf {PRF} _K$ with a truly random function $f: \mathbb {G}\xleftarrow {\$}\{0,1\}^{\ell }$. (Recall that $\ell = {\log (2 / \delta )}$.) That is, in this variant, calls of the form $\mathsf {Dist} _{\mathbb {G}, g}(g_i, \delta , 1, K)$ are replaced with $\mathsf {Dist} _{\mathbb {G}, g}(g_i, \delta , 1, f)$. Let $\beta '$ be the probability that $\mathsf {TDF}.\mathsf {F^{-1}} (\mathsf {tk}, \mathsf {TDF}.\mathsf {F} (\mathsf {ik}, \mathsf {x})) \ne \mathsf {x}$ in this experiment. We will show $\beta ' \le \textstyle {\frac{1}{\mathsf {e}^{\frac{s-1}{6}}}} + \mathsf{negl}(\lambda ) $. By PRF security we have $\beta \le \beta ' + \mathsf{negl}(\lambda )$, and thus Eq. 15 will follow. The reason that we can use PRF security here (despite the fact that K is given in the clear in $\mathsf {ik} $) is that the procedure $\mathsf {Dist} $ may efficiently be computed via only blackbox access to $\mathsf {PRF} _K$ (resp., f alternatively) and that we evaluate $\mathsf {PRF} _K$ on inputs generated independently of K.

For an index $i \in [m]$, let $g_i = \mathsf {z} \cdot \varvec{\mathsf {w}}'_i $ be the group element computed in Line 2 of $\mathsf {TDF}.\mathsf {F} $, and let $g_{i,0} = g_c^{r \alpha ^{m-i}}$ and $g_{i,1} = g_{i,0} g$ be the two corresponding group elements computed during inversion. Notice that $g_i = g_{i, \mathsf {z}_i}$.

For $i \in [m]$, let the indicator variable

$$\mathsf {Fail} _i =1 \Leftrightarrow \mathsf {Dist} _{\mathbb {G}, g}(g_{i,0}, \delta , 1, f) = \mathsf {Dist} _{\mathbb {G}, g}(g_{i,1}, \delta , 1, f).$$

Notice that $\mathsf {Fail} _i = 1$ iff we fail to recover $\mathsf {z}_i$. For all i, by setting $M=1$ in Lemma 4, $\Pr [\mathsf {Fail} _i] < \delta $, and hence $\Pr [\mathsf {Fail} _i] < p'$, where $p' = \textstyle {\frac{s-1}{2m}}$.

Let $\mathsf {Fail} = \sum _{i \in [m]} \mathsf {Fail} _i$. Inversion fails if $\mathsf {Fail} > s-1$. We may now be tempted to use Lemma 2 to bound the probability that $\mathsf {Fail} > s-1$. The problem is that the events $\mathsf {Fail} _i$’s may not be independent. Thus, we define an event $\mathsf {Bad} $ which captures all the dependencies, and then we will argue that conditioned on $\overline{\mathsf {Bad}}$, the events $\{\mathsf {Fail} _i\}_{i \in [m]}$ are independent.

$\mathsf {Bad} $: there are two distinct indices $i, j \in [m]$ such that $g_{i,0}$ and $g_{j,0}$ are $(T+1)$-close, where $T := [2 \log _e(2 / \delta )] / \delta $.

By Lemma 4 we know that conditioned on $\overline{\mathsf {Bad}}$, the events $\mathsf {Fail} _i$’s are independent. Below we will show $\Pr [\mathsf {Bad} ] = \mathsf{negl}(\lambda )$, but assuming this for now:

$$\begin{aligned} \Pr [\mathsf {Fail}> s-1] \le \Pr [\mathsf {Bad} ] + \Pr [\mathsf {Fail} > 2 p' m \mid \overline{\mathsf {Bad}} ] <^* \mathsf{negl}(\lambda ) + \frac{1}{\mathsf {e}^{p' m /3}} = \mathsf{negl}(\lambda ) + \frac{1}{\mathsf {e}^{\frac{s-1}{6}}}, \end{aligned}$$

where the inequality marked with * follows from Lemma 2, noting that conditioned on $\overline{\mathsf {Bad}}$, the events $\{\mathsf {Fail} _i\}_{i \in [m]}$ are independent.

We are now left to prove $\Pr [\mathsf {Bad} ] = \mathsf{negl}(\lambda )$. Recall that $(g_{1,0}, \dots , g_{m,0}) = (g_c^{r \alpha ^{m-1}}, \dots , g_c^{r \alpha ^0})$. Notice that $g_c \ne 1$ except with negligible probability, and thus $g_c^r$ is statistically close to a uniformly random group element. By Lemma 1

$$(g_{1,0}, \dots , g_{m,0}) = (g_c^{r \alpha ^{m-1}}, \dots , g_c^{r \alpha ^0}) {\mathop {\equiv }\limits ^{c}} (g'_1, \dots , g'_m),$$

where $g'_i$’s are random group elements. When replacing $\{g_{i,0}\}_{i \in [m]}$ with $\{g'_i\}_{i \in [m]}$ the probability of the event $\mathsf {Bad} $ becomes negligible. (This is because $T = \mathsf {poly}(\lambda )$). Thus, the event $\mathsf {Bad} $ with $g_{i,0}$’s should also be negligible. $\square $

3.1 Running Time of Our Lossy TDFs

We count the number of public-key operations (i.e., group operations) involved in the computation of $\mathsf {TDF}.\mathsf {F} $. (The other operations involved in $\mathsf {TDF}.\mathsf {F} $ are either private-key, i.e., PRF evaluations, or information theoretic; i.e., error correcting codes).^{Footnote 4} For $\mathsf {TDF}.\mathsf {F} $, in Line 2, one may compute the group elements $g_i = \mathsf {z} \cdot \varvec{\mathsf {w}}'_i$ one at a time, by using m group multiplications for each of them, hence $O(m^2)$ group multiplications in total. We observe that the computations of all $g_i$’s together may be thought of as multiplying a Toeplitz matrix $g^{\varvec{\mathsf {M}}} \in \mathbb {G}^{m \times m}$, given in the exponent, with a given vector $\mathsf {z}^T $ of bits. It is known that one can compute $\varvec{\mathsf {M}} \times \mathsf {z}^T \pmod {p}$ in $O(m \log m)$ time using (inverse) discrete Fourier transform (IDFT/DFT) modulo p. In Sect. 4 we show how to carry out this computation in the exponent, at the cost of $O(m \log m)$ group exponentiations.

Comparison with the Trivial Approach. As mentioned above, the trivial computation takes $O(m^2)$ group multiplications. Our FFT-based approach takes $O(m \log m)$ group exponentiations, which translate into $O(m \lambda \log m)$ multiplications, assuming $|\mathbb {G}| = 2^\lambda $. Thus, we obtain improvements when $ \lambda \log m \in \omega (m)$. We also note that the reason that the trivial approach takes $O(m \log m)$ multiplications (as opposed to exponentiations) is that we multiply with a bit vector, translating into multiplications. In applications where the entries of the given vector are integers modulo p, the trivial approach will take $O(m^2)$ exponentiations, while our FFT-based approach still takes $O(m \log m)$ exponentiations. This observation may be useful in future work.

4 Fast Fourier Transform in the Exponent

In this section we show how to perform FFT in the exponent in order to have a fast algorithm for multiplying a circulant or a Toeplitz matrix, given in the exponent, with a vector of integers, with the result being computed in the exponent. We begin with some basic background.

For a vector $\varvec{\mathsf {u}}$ of integers and a group element g we use $g^{\varvec{\mathsf {u}}}$ to mean element-wise exponentiation.

Lemma 8

(Primitive nth root of unity mod p). We say $w \in \mathbb {Z}_p$ is a primitive nth root of unity mod p if $w^n \equiv 1 \pmod {p}$ and for all $i \in [n-1]$, $w^i \not \equiv 1 \pmod {p}$. If p is prime, then $\mathbb {Z}_p$ has a primitive nth root of unity if and only if $p \equiv 1 \pmod {n}$.

(Inverse) Discrete Fourier Modulo $\mathbb {Z}_p$. Let $w \in \mathbb {Z}_p$ be a primitive nth root of unity modulo p (Lemma 8). The discrete fourier transform (DFT) of $(y_0, \dots , y_{n-1}) \in \mathbb {Z}_p^n$, denoted $\mathsf {DFT} (y_0, \dots , y_{n-1})$, is $(d_0, \dots , d_{n-1}) \in \mathbb {Z}_p^n$, where for $k \in \{0 \} \cup [n-1]$:

$$\begin{aligned} d_k = \sum _{j=0}^{n-1} y_j w^{-jk} \pmod p. \end{aligned}$$

(16)

The inverse discrete Fourier transform (IDFT) inverts the above process. For $(d_0, \dots , d_{n-1}) \in \mathbb {Z}_p^n$, $\mathsf {IDFT} (d_0, \dots , d_{n-1}) $ is defined to be $ (y_0, \dots , y_{n-1})$, where for $k \in \{0 \} \cup [n-1]$

$$\begin{aligned} y_k = n^{-1} \sum _{j=0}^{n-1} d_j w^{jk} \pmod p. \end{aligned}$$

(17)

For all $(y_0, \dots , y_{n-1}) \in \mathbb {Z}_p^n$, $\mathsf {IDFT} (\mathsf {DFT} (y_0, \dots , y_{n-1})) = (y_0, \dots , y_{n-1}) $.

A major step in performing fast circulant matrix multiplication involves computing DFT and IDFT in a fast way.

Computing (I)DFT in the Exponent. For $\varvec{\mathsf {y}} := (y_0, \dots , y_{n-1}) \in \mathbb {Z}_p^n$, we would like to compute $\mathsf {DFT} (\varvec{\mathsf {y}})$ in the exponent; i.e., to compute $g^{\mathsf {DFT} (\varvec{\mathsf {Y}})}$ from $g^{\varvec{\mathsf {y}}}$. Since $\mathsf {DFT} (\varvec{\mathsf {y}})$ is a linear function in the entries of $\varvec{\mathsf {y}}$ and w is a fixed integer, we may compute each component of $\mathsf {DFT} (\varvec{\mathsf {y}})$ using n exponentiations, resulting in a total of $O(n^2)$ exponentiations. There is, however, a faster, recursive way of doing this using $O(n \log n)$ exponentiations.

Let $f = w^{-1}$, and note that f is also a primitive nth root of unity. Computing $\mathsf {DFT} (\varvec{\mathsf {y}})$ amounts to evaluating a degree $n-1$ polynomial $p(x) = \sum _{j=0}^{n-1} y_j x^j $ at $(p(1), p(f), \dots , p(f^{n-1}))$. We may now evaluate these n invocations in time $O(n \log n)$ using divide-and-conquer. Specifically, letting $n = 2 t$, we can find two degree $t-1 = n/2-1$ polynomials $p_{\mathsf {even}}$ and $p_{\mathsf {odd}}$ such that

(a)
$p(f^{2k}) = p_{\mathsf {even}}(f^{2k})$ for $k \in \{0\} \cup [t-1]$; and
(b)
$p(f^{2k+1}) = p_{\mathsf {odd}}(f^{2k})$ for $k \in \{0\} \cup [t-1]$.

Now since $f^2$ is a primitive t’th root of unity and since the degree of each of $p_{\mathsf {even}}$ and $p_{\mathsf {odd}}$ is $t-1$, we can recursively continue this process. We now explain how to find $p_{\mathsf {even}}$ and $p_{\mathsf {odd}}$.

Specifically, $p_\mathsf {even} (x) := \sum _{j=0}^{t-1} \alpha _j x^j$ and $p_\mathsf {odd} (x) := \sum _{j=0}^{t-1} \beta _j x^j$, where

$$\begin{aligned} \alpha _j := y_j + y_{j+t} ~~~~~~~~~~~ \beta _j := (y_j - y_{j+t}) f^j. \end{aligned}$$

(18)

We now show why $p_{\mathsf {even}}$ and $p_{\mathsf {odd}}$ satisfy Items (a) and (b) above.

$$\begin{aligned} p({f^{2k}}) = \sum _{j=0}^{t-1} y_j f^{2kj} + \sum _{j = t}^{n-1} y_{j} f^{2kj}&= \sum _{j=0}^{t-1} (y_j f^{2kj} + y_{j+t} f^{2k(j+t)}) = \sum _{j=0}^{t-1} ( y_j f^{2kj} + y_{j+t}f^{2kj} f^{kn}) \nonumber \\ {}&\quad = \sum _{j=0}^{t-1} ( y_j + y_{j+t}) f^{2kj} = p_{\mathsf {even}}(f^{2k}). \end{aligned}$$

(19)

$$\begin{aligned}&p(f^{2k+1}) = \sum _{j=0}^{t-1} (y_j f^{(2k+1)j} + y_{j+t} f^{(2k+1)(j+t)}) = \sum _{j=0}^{t-1} (y_j f^j) f^{2kj} + (y_{j+t} f^j)f^{2kj}f^{kn+t} \nonumber \\&=^* \sum _{j=0}^{t-1} (y_j f^j) f^{2kj} + (y_{j+t} f^j)f^{2kj}(-1) = \sum _{j=0}^{t-1} (y_j - y_{j+t}) f^{(2k+1)j} = p_{\mathsf {odd}}(f^{2k}), \end{aligned}$$

(20)

where the equation marked with * follows from the fact that $f^t = f^{n/2} = -1$. Finally, notice that given $\varvec{\mathsf {y}} := (y_0, \dots , y_{n-1})$ in the exponent (i.e., given $g^{\varvec{\mathsf {y}}}$), the coefficients of $p_{\mathsf {even}}$ and $p_{\mathsf {odd}}$ (Eq. 18) can also be computed in the exponent. Thus, we have the following lemma.

Lemma 9

(DFT/IDFT in the exponent). Let n be a power of two, let p be a prime number satisfying $p \equiv 1 \pmod n$ and let $\mathbb {G}$ be group of order p with a generator g. Let $w \in \mathbb {Z}_p$ be a primitive nth root of unity modulo p (which exists by Lemma 8). For any $\varvec{\mathsf {y}} \in \mathbb {Z}_p^n$ we may compute $g^{\mathsf {DFT} (\varvec{\mathsf {y}})}$ from $g^{\varvec{\mathsf {y}}}$ using $O(n \log n)$ group exponentiations. The same holds for computing $g^{\mathsf {IDFT} (\varvec{\mathsf {y}})}$.

Circulant Matrices. Let $\varvec{\mathsf {v}} = (v_0, \dots , v_{n-1}) $ be a vector of dimension n. The circulant matrix of $\varvec{\mathsf {v}}$, denoted $\mathsf {Rot}{(}\varvec{\mathsf {v}})$, is

$$\begin{aligned} \mathsf {Rot}{(}\varvec{\mathsf {v}}) := \begin{pmatrix} v_0 &{} v_{n-1} &{} v_{n-2} &{} \ldots &{} v_3 &{} v_2 &{} v_1 \\ v_1 &{} v_0 &{} v_{n-1} &{} \ldots &{} v_4 &{} v_3 &{} v_2 \\ v_2 &{} v_1 &{} v_0 &{} \ldots &{} v_5 &{} v_4 &{} v_3 \\ \vdots &{} \vdots &{} \vdots &{} \ldots &{} \vdots &{} \vdots &{} \vdots \\ v_{n-1} &{} v_{n-2} &{} v_{n-3} &{} \ldots &{} v_0 &{} v_{n-1} &{} v_{n-2} \\ v_{n-2} &{} v_{n-3} &{} v_{n-4} &{} \ldots &{} v_1 &{} v_0 &{} v_{n-1} \\ v_{n-1} &{} v_{n-2} &{} v_{n-3} &{} \ldots &{} v_2 &{} v_1 &{} v_0 \end{pmatrix} \end{aligned}$$

(21)

Lemma 10

(Circulant matrix multiplication in the exponent). Let n, p, $\mathbb {G}$ and w be as in Lemma 9. Let $\varvec{\mathsf {u}} := (u_0, \dots , u_{n-1}) \in \mathbb {Z}_p^n $ and $\varvec{\mathsf {v}} := (v_0, \dots , v_{n-1}) \in \mathbb {Z}_p^{n}$ and $\varvec{\mathsf {M}} := \mathsf {Rot}{(}\varvec{\mathsf {v}})$. Then we can compute $g^{\varvec{\mathsf {M}} \varvec{\mathsf {u}}^{\mathsf {T}}}$ from $g^{\varvec{\mathsf {v}}}$ and $\varvec{\mathsf {u}}$ via $O(n \log n)$ group exponentiations.

Proof

Throughout the proof, we may use negative indices, with the understanding the index is taken modulo n. For example, we may write $u_{-1}$ for $u_{n-1}$. Given $g^{\varvec{\mathsf {v}}}$ and $\varvec{\mathsf {u}}$, for $k \in \{0\} \cup [n-1]$ we need to compute $g^{h_k}$, where

$$\begin{aligned} h_k = \sum _{i=0}^{n-1} v_j u_{k-j}. \end{aligned}$$

(22)

Let $(a_0, \dots , a_{n-1})$ and $(b_0, \dots , b_{n-1})$ be the discrete fourier transform of the two sequences $(v_0, \dots , v_{k-1})$ and $(u_0, \dots , u_{k-1})$, respectively. That is, for $k \in \{0, \dots , n-1\}$

$$ a_k = \sum _{j =0}^{n-1} v_j w^{-jk} \pmod {p}~~~~~~~~ b_k = \sum _{j = 0}^{n-1} u_j w^{-jk} \pmod {p}. $$

It is well-known that the inverse fourier transform of $(a_0 b_0, \dots , a_{n-1} b_{n-1})$ gives us the values $(h_0, \dots , h_{n-1})$. That is, for $k \in \{0\} \cup [n-1]$

$$\begin{aligned} (h_0, \dots , h_{n-1}) = \mathsf {IDFT} (a_0 b_0, \dots , a_{n-1} b_{n-1}). \end{aligned}$$

(23)

By Lemma 9 we can perform all the above steps via $O(n \log n)$ exponentiations.

$\square $

Fast Toeplitz Matrix Multiplication. We now show how to perform fast Topelitz matrix multiplication in the exponent, via a well-known conversion to circulant matrices. See [BDD+00] for further conversions. For $\varvec{\mathsf {x}} := (x_1, \dots , x_{2n-1}) \in \mathbb {Z}_p^{2n-1}$ we define

$$\begin{aligned} \mathsf {Toep}(\varvec{\mathsf {x}}) := \begin{pmatrix} x_n &{} x_{n-1} &{} \ldots &{} x_1 \\ x_{n+1} &{} x_{n} &{} \ldots &{} x_2 \\ \vdots &{} \vdots &{} \ldots &{} \vdots \\ x_{2n-1} &{} x_{2n-2} &{} \ldots &{} x_n \end{pmatrix} . \end{aligned}$$

(24)

Let $\varvec{\mathsf {M}} := \mathsf {Toep}(\varvec{\mathsf {x}})$ and $\varvec{\mathsf {y}} \in \mathbb {Z}_p^n$. We show how to compute $g^{\varvec{\mathsf {M}} \varvec{\mathsf {y}}}$ from $g^{\varvec{\mathsf {M}}}$ and $\varvec{\mathsf {y}}$. Toward this, define

$$\begin{aligned} \varvec{\mathsf {S}} := \begin{pmatrix} 0 &{} x_1 &{} x_2 &{} \ldots &{} x_{n-1} \\ x_{2n-1} &{} 0 &{} x_1 &{} \ldots &{} x_{n-2} \\ x_{2n-2} &{} x_{2n-1} &{} 0 &{} \ldots &{} x_{n-3} \\ \vdots &{} \vdots &{} \ldots &{} \vdots \\ x_{n+1} &{} x_{n+2} &{} x_{n+3} &{} \ldots &{} 0 \end{pmatrix} \in \mathbb {Z}_p^{n \times n}. \end{aligned}$$

(25)

Let $\varvec{\mathsf {T}} := \begin{pmatrix} \varvec{\mathsf {M}} &{} \varvec{\mathsf {S}} \\ \varvec{\mathsf {S}} &{} \varvec{\mathsf {M}} \end{pmatrix} \in \mathbb {Z}_p^{2n \times 2n}. $ Note that $\varvec{\mathsf {T}}$ is a circulant matrix. We have $\varvec{\mathsf {M}} \begin{pmatrix} \varvec{\mathsf {y}} \\ 0_{n \times 1 }\end{pmatrix} = \begin{pmatrix} \varvec{\mathsf {T}} \varvec{\mathsf {y}} \\ \varvec{\mathsf {S}} \varvec{\mathsf {y}} \end{pmatrix} $. Thus, we may compute $\varvec{\mathsf {M}} \varvec{\mathsf {y}}$ in the exponent via $O(n \log n)$ group exponentiations. Thus, we have the following lemma.

Lemma 11

(Toeplitz matrix multiplication in the exponent). Let n, p, $\mathbb {G}$ and w be as in Lemma 9. Let $\varvec{\mathsf {u}} := (u_0, \dots , u_{n-1}) \in \mathbb {Z}_p^n $ and $\varvec{\mathsf {v}} := (v_0, \dots , v_{n-1}) \in \mathbb {Z}_p^{n}$ and $\varvec{\mathsf {M}} := \mathsf {Toep}(\varvec{\mathsf {v}})$. Then we can compute $g^{\varvec{\mathsf {M}} \varvec{\mathsf {u}}^{\mathsf {T}}}$ from $g^{\varvec{\mathsf {M}}}$ and $\varvec{\mathsf {u}}$ using $O(n \log n)$ group exponentiations.

5 Range-Trapdoor Hash Functions

In this section we define the notion of range-trapdoor hash functions and give a construction of this notion with short evaluation keys. This notion generalizes the notion of trapdoor hash functions for index keys [DGI+19]. We say that an index set I is a range set if ${I} = \{ s+1, \dots , s+t\}$ for some integers s and t. We now give the definition of range-trapdoor hash for the special case where we output a single-bit hint for every index in the range set.

Definition 5

(Range Trapdoor Hash). An n-bit input, range-trapdoor hash is a tuple of PPT algorithms $\mathcal {H} = (\mathsf {S}, \mathsf {KG}, \mathsf {H}, \mathsf {E}, \mathsf {D})$ with the following syntax, correctness and security properties.

$\mathsf {S}(1^\lambda , n)$: Takes the security parameter $1^\lambda $ and input length n, and outputs a hashing key $\mathsf {hk}$ and a trapdoor key $\mathsf {thk}$.
$\mathsf {KG}(\mathsf {hk}, {I})$: Takes $\mathsf {hk}$ and a range of indices ${I} = [s+1, \dots , s+t] \subseteq [n]$ as input, and outputs an evaluation key $\mathsf {ek}$ and a trapdoor key $\mathsf {tk} $. We assume $\mathsf {ek}$ contains |I|; i.e., $\mathsf {ek}:= (|{I}|, \dots )$, and also assume $\mathsf {tk}:= ({I}, \dots )$.
$\mathsf {H}(\mathsf {hk}, \mathsf {x}; \rho )$: Takes $\mathsf {hk}$, a message $\mathsf {x}\in \{0,1\}^n$ and randomness $\rho $ as input, and outputs a hash value $\mathsf {h}$.
$\mathsf {E}(\mathsf {ek}, \mathsf {x}; \rho )$: Takes an evaluation key $\mathsf {ek}$, message $\mathsf {x}$ and randomness $\rho $ as input, and outputs a hint value $\mathsf {e} \in \{0,1\}^{|I|} $.
$\mathsf {D}(\mathsf {thk}, \mathsf {tk}, \mathsf {h}, \mathsf {e})$: Takes as input a hash-trapdoor key $\mathsf {thk}$, a trapdoor key $\mathsf {tk}:= ({I}, \dots )$, a hash value $\mathsf {h}$ and a hint value $\mathsf {e}$, and deterministically outputs |I| pairs of 0/1-encodings $(\mathsf {e}_{i,0}, \mathsf {e}_{i,1}) \in \{0,1\}\times \{0,1\}$, for $i \in [|I|]$.

We require the following properties.

Correctness: For $0 \le \epsilon < 1$ we say $\mathcal {H}$ is $1-\epsilon $ correct (or has $\epsilon $ decryption error) if for any n, any range set ${I} := [ s+1, s+t] \subseteq [n]$, both the following conditions hold:
1. 1.
  For any $i \in [t]$ and for any input $\mathsf {x}\in \{0,1\}^n$, $\Pr [\mathsf {e}_i = \mathsf {e}_{i, \mathsf {x}[s+i]}] = 1$; and
2. 2.
  For any input $\mathsf {x}\in \{0,1\}^n$, any $i \in [t]$ and any $b_j \in \{0,1\}$ for $j \in [t] \setminus \{i\}$:
  $$\begin{aligned} \Pr [\mathsf {Fail} _i = 1 \mid \mathsf {Fail} _j = b_j \text { for } j \in [t]/\{i\}] \le \epsilon + \mathsf{negl}(\lambda ), \end{aligned}$$
  (26)
  where for $i \in [t]$, $\mathsf {Fail} _i$ is an indicator variable, defined as $\mathsf {Fail} _i = 1$ if $\mathsf {e}_i = \mathsf {e}_{i,1-\mathsf {x}[s+i]}$,
where $(\mathsf {hk}, \mathsf {thk}) \xleftarrow {\$}\mathsf {S}(1^\lambda , n)$, $(\mathsf {ek}, \mathsf {tk}) \xleftarrow {\$}\mathsf {KG}(\mathsf {hk}, {I})$, $\rho \xleftarrow {\$}\{0,1\}^*$, $\mathsf {h} := \mathsf {H}(\mathsf {hk}, \mathsf {x}; \rho )$, $\mathsf {e} := \mathsf {E}(\mathsf {ek}, \mathsf {x}; \rho )$, $(\mathsf {e}_{i,0} , \mathsf {e}_{i,1})_{i \in [t]} := \mathsf {D}(\mathsf {thk}, \mathsf {tk}, \mathsf {h}, \mathsf {e})$.
Range privacy: For any n and any two range sets ${I}, {I}' \subseteq [n]$ satisfying $|{I}| = |{I}'|$, $(\mathsf {hk}, \mathsf {ek}) {\mathop {\equiv }\limits ^{c}} (\mathsf {hk}', \mathsf {ek}')$, where $(\mathsf {hk}, *) \xleftarrow {\$}\mathsf {S}(1^\lambda , n)$, $(\mathsf {ek}, *) \xleftarrow {\$}\mathsf {KG}(\mathsf {hk}, {I})$ and $(\mathsf {ek}', *) \xleftarrow {\$}\mathsf {KG}(\mathsf {hk}, {I}')$.
Input privacy: Fix polynomial $n := n(\lambda )$. For any two inputs $\mathsf {x}, \mathsf {x}' \in \{0,1\}^n$, $(\mathsf {hk}, \mathsf {h}) {\mathop {\equiv }\limits ^{c}} (\mathsf {hk}, \mathsf {h}')$, where $(\mathsf {hk}, *) \xleftarrow {\$}\mathsf {S}(1^\lambda , n)$, $\mathsf {h} \xleftarrow {\$}\mathsf {H}(\mathsf {hk}, \mathsf {x}) $ and $\mathsf {h}' \xleftarrow {\$}\mathsf {H}(\mathsf {hk}, \mathsf {x}') $.
Compactness: There exists a polynomial $\mathsf {poly}(\lambda )$ such that for all $n := n(\lambda )$, $|\mathsf {H}(\mathsf {hk}, \mathsf {x})| \le \mathsf {poly}(\lambda )$, where $(\mathsf {hk}, *) \xleftarrow {\$}\mathsf {S}(1^\lambda , n)$ and $\mathsf {x}\in \{0,1\}^n$.

We note the following remark.

Remark 3

For decryption we also require a trapdoor key $\mathsf {thk}$ associated with $\mathsf {hk}$. This will be required in our construction. In contrast, the notion of trapdoor hash as defined in [DGI+19] does not require a trapdoor for the hash function in order to perform decryption. Nonetheless, all applications stated in [DGI+19] still hold with respect to our definition.

Implicit in the work of [DGI+19] is the following construction of range-trapdoor hash.

Lemma 12

(Theorem 4.3 of [DGI+19]). Assuming DDH, there exists a range-trapdoor hash scheme where for inputs of length n, an evaluation key for a range set I consists of O(n|I|) group elements.

We give the following corollary, which helps one in bounding the number of $\mathsf {Fail} _i$’s in situations where, e.g., we need to do error correction, such as the rate-1 OT application. We say $\epsilon > \mathsf{negl}(\lambda )$ if $\epsilon $ is not a negligible function.

Lemma 13

Assuming a trapdoor hash scheme $\mathcal {H} = (\mathsf {S}, \mathsf {KG}, \mathsf {H}, \mathsf {E}, \mathsf {D})$ has decryption error $\epsilon $, and that $\epsilon > \mathsf{negl}(\lambda )$, then for any constant $c > 1$:

$$ \Pr [\mathsf {Fail} > 2 c \epsilon |I|] < e^{-c \epsilon |I| / 3}, $$

where $\mathsf {Fail}:= \sum _{i=1}^{|I|} \mathsf {Fail} _i$ and $\mathsf {Fail} _i$ is defined in the correctness condition of Definition 5.

Proof

The proof follows immediately from the bounded-dependence version of the Chernoff bound (Lemma 3). $\square $

We now show how to adapt our batching technique from Sect. 3 to obtain range-trapdoor hash schemes, where the evaluation key consists of O(n) group elements, as opposed to O(n|I|) group elements given by [DGI+19]. As we will see in Sect. 6, this size reduction results in a shorter receiver’s message in rate-1 OT protocols and shorter ciphertexts in homomorphic encryption for branching programs.

5.1 Range-Trapdoor Hash with Linear-Sized Evaluation Keys

Construction 4

Let $\epsilon \in [0,1)$ be the decryption error we are wiling to tolerate. Let $\ell := \log (2 / \epsilon ) $, $\mathsf {G}$ be a group scheme and $\mathsf {PRF}: \mathbb {G}\rightarrow \{0,1\}^\ell $ a PRF with key space $\{0,1\}^\lambda $.

$\mathsf {S}(1^\lambda , n)$: and $(\mathbb {G}, p, g) \xleftarrow {\$}\mathsf {G}(1^\lambda )$. Sample $\alpha \xleftarrow {\$}\mathbb {Z}_p$, set $\mathsf {thk}:= \alpha $ and $\mathsf {hk}:= (\mathbb {G}, p, g, \varvec{\mathsf {v}} )$, where $\varvec{\mathsf {v}} := ( g^\alpha , g^{\alpha ^2} , \dots , g^{\alpha ^{2n}})$. Return $(\mathsf {hk}, \mathsf {thk})$.
$\mathsf {KG}(\mathsf {hk}, {I})$: Sample a key $K \xleftarrow {\$}\{0,1\}^\lambda $ for $\mathsf {PRF} $. Let ${I} = [s+1, s+t] $. Parse $\mathsf {hk}:= (\mathbb {G}, p, g, \varvec{\mathsf {v}})$, where $\varvec{\mathsf {v}} := ( g_1, \dots , g_{2n})$. Sample $r \xleftarrow {\$}\mathbb {Z}_p$ and let
Set $\mathsf {ek}:= (t , \varvec{\mathsf {w}} , K)$ and $\mathsf {tk}:= ({I} ,r , K)$.
$\mathsf {H}(\mathsf {hk}, \mathsf {x}; \rho )$: Parse $\mathsf {hk}:= (\mathbb {G}, p, g, \varvec{\mathsf {v}})$, where $\varvec{\mathsf {v}} := ( g_1, \dots , g_{2n})$. Let $\varvec{\mathsf {v}}' := (g_1, \dots , g_n)$, and return $(\mathsf {x}\cdot \varvec{\mathsf {v}}') g_1^\rho $.
$\mathsf {E}(\mathsf {ek}, \mathsf {x}; \rho )$: Parse $\mathsf {ek}:= ( t , \varvec{\mathsf {w}} , K)$, where $t \in \mathbb {N}$ and $\varvec{\mathsf {w}} \in \mathbb {G}^{2n}$. Parse $\varvec{\mathsf {w}} := (w_1, \dots , w_{2n})$. For $i \in [t]$:
1. 1.
  let $\varvec{\mathsf {w}}'_i = (w_{1+t-i}, \dots , w_{n+t-i}) \in \mathbb {G}^n$;
2. 2.
  let $g'_i := (\mathsf {x}\cdot \varvec{\mathsf {w}}'_i ) w_{1+t-i}^\rho $;
3. 3.
  let $b_i := \mathsf {Dist} _{\mathbb {G}, g}(g'_i, \epsilon , 1, \mathsf {PRF} _K)$.
Return $(b_t, \dots , b_{1})$.
$\mathsf {D}(\mathsf {thk}, \mathsf {tk}, \mathsf {h}, \mathsf {e})$: Parse $\mathsf {thk}:= \alpha $, $\mathsf {tk}:= ({I} ,r , K)$ and $I := [s+1, s+t]$. For $i \in [t]$, set $\mathsf {e}_{i,0} := \mathsf {Dist} _{\mathbb {G}, g}(\mathsf {h}^{r \alpha ^{t-i}}, \epsilon , 1, \mathsf {PRF} _K) $ and $\mathsf {e}_{i,1} := \mathsf {Dist} _{\mathbb {G}, g}(g \mathsf {h}^{r \alpha ^{t-i}}, \epsilon , 1, \mathsf {PRF} _K) $. Return $((\mathsf {e}_{1,0} , \mathsf {e}_{1,1}) , \dots ,(\mathsf {e}_{t,0} , \mathsf {e}_{t,1}) ) $.

The compactness of the scheme is clear. Range privacy follows from 2n-power DDH. We now prove the input privacy and correctness of the scheme.

Lemma 14

(Input privacy). The scheme provides perfect input privacy: for any two inputs $\mathsf {x}, \mathsf {x}' \in \{0,1\}^n$, $(\mathsf {hk}, \mathsf {h}) \equiv (\mathsf {hk}, \mathsf {h}')$, where $(\mathsf {hk}, *) \xleftarrow {\$}\mathsf {S}(1^\lambda , n)$, $\mathsf {h} \xleftarrow {\$}\mathsf {H}(\mathsf {hk}, \mathsf {x}) $ and $\mathsf {h}' \xleftarrow {\$}\mathsf {H}(\mathsf {hk}, \mathsf {x}) $.

Proof

We need to show $(\varvec{\mathsf {v}} , (\mathsf {x}\cdot \varvec{\mathsf {v}}) g^{\alpha \rho })$ is independent of $\mathsf {x}$, where $\varvec{\mathsf {v}} := ( g^\alpha , g^{\alpha ^2} , \dots , g^{\alpha ^{2n}})$ and $\rho \xleftarrow {\$}\mathbb {Z}_p$. This immediately follows from the presence of the masking exponent $\rho $. $\square $

Lemma 15

(Correctness). Assuming $T := [2 \log _e{(2/\epsilon )}] / \epsilon = \mathsf {poly}(\lambda )$ (which is satisfied if $\epsilon $ is an inverse polynomial), the range TDH scheme provides $(1-\epsilon )$ correctness.

Proof

Fix n, I, $\mathsf {x}\in \{0,1\}^n$ and suppose ${I} = [s+1, s+t] $. We need to prove Conditions 1 and 2 of the correctness definition. For $i \in [t]$ let $g'_i$ be computed as in $\mathsf {E}$ (Line 2 of $\mathsf {E}$’s procedure) and let $g_{i,0} = \mathsf {h}^{r \alpha ^{t-i}}$ and $g_{i,1} = g \mathsf {h}^{r \alpha ^{t-i}}$.

First, we claim $g'_i = g_{i, \mathsf {x}[s+i]}$, which proves Condition 1 of the correctness definition. To see why this claim holds, recall that

and that $\mathsf {h} = (\mathsf {x}\cdot \varvec{\mathsf {v}}') g^{\alpha \rho }$, $g'_i := (\mathsf {x}\cdot \varvec{\mathsf {w}}'_{i} ) w_{1+t-i}^\rho $. Letting $b = \mathsf {x}[s+i] $:

$$\begin{aligned} g_{i, \mathsf {x}[s+i]} = g^{b} \mathsf {h}^{r \alpha ^{t-i}}&= g^b ((\mathsf {x}\cdot \varvec{\mathsf {v}}') g^{\alpha \rho })^{r \alpha ^{t-i}} = g^b (\mathsf {x}\cdot \varvec{\mathsf {v}}')^{r \alpha ^{t-i}} (g^{r \alpha ^{t-i+1}})^\rho \nonumber \\&\quad = g^b (\mathsf {x}\cdot \varvec{\mathsf {v}}')^{r \alpha ^{t-i}} w_{1+t-i}^\rho = (\mathsf {x}\cdot \varvec{\mathsf {w}}'_i ) w_{1+t-i}^\rho = g'_i, \end{aligned}$$

(27)

as desired.

We now prove Condition 2 of the correctness definition. Fix $\mathsf {x}\in \{0,1\}^n$, $i \in [t]$ and $b_j \in \{0,1\}$ for $j \in [t] \setminus \{i\}$, and let

$$\begin{aligned} \beta := \Pr [\mathsf {Fail} _i = 1 \mid \mathsf {Fail} _j = b_j \text { for } j \in [t]/\{i\}]. \end{aligned}$$

(28)

Consider a variant of Construction 4, in which we replace the PRF $\mathsf {PRF} _K$ with a truly random function $f: \mathbb {G}\xleftarrow {\$}\{0,1\}^{\ell }$. That is, in this variant, calls of the form $\mathsf {Dist} _{\mathbb {G}, g}(g_i, \epsilon , 1, K)$ are replaced with $\mathsf {Dist} _{\mathbb {G}, g}(g_i, \epsilon , 1, f)$. Let $\beta '$ be the probability that

$$\begin{aligned} \Pr [\mathsf {Fail} _i = 1 \mid \mathsf {Fail} _j = b_j \text { for } j \in [t]/\{i\}] \end{aligned}$$

(29)

in the experiment where we replace $\mathsf {PRF} _K$ with a random f. We will show $\beta ' \le \epsilon + \mathsf{negl}(\lambda ) $. By PRF security we have $\beta \le \beta ' + \mathsf{negl}(\lambda )$, and thus Eq. 28 will follow. The reason that we can use PRF security here (despite the fact that K is given in the clear in $\mathsf {ik} $) is that the procedure $\mathsf {Dist} $ may efficiently be computed via only blackbox access to $\mathsf {PRF} _K$ (resp., f alternatively) and that we evaluate $\mathsf {PRF} _K$ on inputs generated independently of K.

To bound the probability in Eq. 29 we first define an event $\mathsf {Bad} $ which captures all the dependencies. Then we will argue that conditioned on $\overline{\mathsf {Bad}}$, the events $\{\mathsf {Fail} _j\}_{j \in [t]}$ are independent. To give some intuition, first notice that $\mathsf {Fail} _j$ holds iff

$$\begin{aligned} \mathsf {Dist} _{\mathbb {G}, g}(g_{j,0}, \epsilon , 1, f) = \mathsf {Dist} _{\mathbb {G}, g}(g_{j,0} g, \epsilon , 1, f), \end{aligned}$$

(30)

where recall that $g_{j,0} = \mathsf {h}^{r \alpha ^{t-j}}$. Also, by definition of $\mathsf {Dist} $, the outputs of the two distance functions of Eq. 30 are only dependent on the outputs of f on group elements $\{g_{j,0}, g_{j,0} g, \dots , g_{j,0} g^{T+1} \}$, where $T := [2 \log _e(2 / \epsilon )] / \epsilon $. Since f is chosen at random, we will have dependencies across $\mathsf {Fail} _j$’s only when the following event $\mathsf {Bad} $ holds:

$\mathsf {Bad} $: there are two distinct indices $j, h \in [t]$ such that $g_{j,0}$ and $g_{h,0}$ are $(T+1)$-close, where $T := [2 \log _e(2 / \epsilon )] / \epsilon $.

By Lemma 4

$$\begin{aligned} \Pr [\mathsf {Fail} _i = 1 \mid \overline{\mathsf {Bad}} \wedge \mathsf {Fail} _j = b_j \text { for } j \in [t]/\{i\} ] = \Pr [\mathsf {Fail} _i = 1] \le \epsilon . \end{aligned}$$

(31)

Below we will show $\Pr [\mathsf {Bad} ] = \mathsf{negl}(\lambda )$, and this will allow us to conclude

$$\begin{aligned}&\Pr [\mathsf {Fail} _i = 1 \mid \mathsf {Fail} _j = b_j \text { for } j \in [t]/\{i\}] \le \Pr [\mathsf {Bad} ] + \Pr [\mathsf {Fail} _i = 1 \wedge \overline{\mathsf {Bad}} \mid \mathsf {Fail} _j = b_j \text { for } j \in [t]/\{i\}] \nonumber \\&\le \mathsf{negl}(\lambda ) + \Pr [\mathsf {Fail} _i = 1 \mid \overline{\mathsf {Bad}} \wedge \mathsf {Fail} _j = b_j \text { for } j \in [t]/\{i\}] = \epsilon + \mathsf{negl}(\lambda ), \end{aligned}$$

(32)

as desired. It only remains to show $\Pr [\mathsf {Bad} ] = \mathsf{negl}(\lambda )$. Recall that $(g_{1,0}, g_{2,0} , \dots , g_{t,0}) = (\mathsf {h}^{r }, \mathsf {h}^{r \alpha } \dots , \mathsf {h}^{r \alpha ^{t-1}})$. Notice that $\mathsf {h} \ne 1$ except with negligible probability, and thus $\mathsf {h}^r$ is statistically close to a uniformly random group element. By Lemma 1

$$(g_{1,0}, g_{2,0}, \dots , g_{t,0}) = (\mathsf {h}^{r \alpha ^{t-1}}, \mathsf {h}^{r \alpha ^{t-2}} , \dots , \mathsf {h}^{r }) {\mathop {\equiv }\limits ^{c}} (g'_1, g'_2 , \dots , g'_t),$$

where $g'_i$’s are random group elements. When replacing $\{g_{i,0}\}_{i \in [t]}$ with $\{g'_i\}_{i \in [t]}$, the probability of the event $\mathsf {Bad} $ becomes negligible. (This is because $T = \mathsf {poly}(\lambda )$.) Thus, the event $\mathsf {Bad} $ with $g_{j,0}$’s should also be negligible. $\square $

Running Time: We specify the running time for tolerated error $\epsilon = \textstyle {\frac{1}{n^c}}$. For $\mathsf {E}$, we can compute all the values $\mathsf {x}\cdot \varvec{\mathsf {w'}}_i$ altogether with total $O(n \log |I|)$ exponentiations by Lemma 11. Also, we spend |I| exponentiations for computing $w_i^\rho $ for $i \in [I]$. Thus, the total number of group operations is $O(n \log |I|)$ exponentiations.

6 Applications of Range-Trapdoor Hash

In this section we review the applications of our range-trapdoor hash scheme.

A two-round OT protocol consists of three PPT algorithms $(\mathsf {OT} _1, \mathsf {OT} _2, \mathsf {OT} _3)$, where $(\mathsf {OT} _1, \mathsf {OT} _3)$ are the two-stage algorithms run by the receiver, and $\mathsf {OT} _2$ is run by the sender. We will be concerned with honest-but-curious security (for both parties), and the corresponding definitions of security are standard. We use $\mathsf {otr} $ and $\mathsf {ots} $ to denote the receiver’s and sender’s message, respectively.

For an OT protocol $\mathsf {OT} $ where the size of each message of the sender is n, we call $\textstyle {\frac{|n|}{|\mathsf {ots} |}}$ the download rate of the protocol. We say $\mathsf {OT} $ is rate-1 if $\textstyle {\frac{|n|}{|\mathsf {ots} |}}$ asymptotically approaches one.

As shown in [IP07], a rate-1 OT implies homomorphic encryption for branching programs with semi-compactness: the size of ciphertexts only grows with the depth of the program, as opposed to the size.

Let us first present the implication of our results with respect to rate-1 OTs. Implicit in the work of [DGI+19] is a construction of rate-1 OT from range trapdoor-hash schemes; see Constructions 5.1 and 5.2 of [DGI+19]. This result of [DGI+19], combined with Lemma 4, gives us the following.

Corollary 1

(Rate-1 OT with short receiver’s message). Let $\mathsf {G}$ be a group scheme, where the size of a group element is $O(\lambda )$. Fix a message-size function $t(\lambda ) \in \omega (\lambda )$. Assuming 2t-power DDH, there is a rate-1 two-round honest-but-curios OT protocol with sender’s input $(\mathsf {m}_0, \mathsf {m}_1) \in (\{0,1\}^t , \{0,1\}^t )$ and receiver’s input $b \in \{0,1\}$, where the receiver’s message $\mathsf {otr} $ consists of O(t) group elements.

Comparison to [DGI+19]. The work of [DGI+19] gives a DDH-based rate-1 OT, where in the parameter regime of Lemma 1, $\mathsf {otr} $ consists of $O(t^2)$ group elements. Our efficiency improvement stems from shorter evaluation keys: for a range set I, our scheme’s evaluation key contains O(n) group elements, as opposed to O(n|I|) group elements given by [DGI+19]. See Lemma 12.

Improving Upload Rate. As noted in [DGI+19], asymptotically speaking, one may make the length of $|\mathsf {otr} |$ as close as possible to $|\mathsf {m}_0|$ (i.e., achieving upload rate 1, defined as $|\mathsf {m}_0|/|\mathsf {otr} |$) by re-using $\mathsf {otr} $ and making the input size of the sender larger. For example, assuming $|\mathsf {m}_0| = |\mathsf {m}_1| = O(\lambda ^2)$, one may give a two-round OT based on DDH with both download and upload rates being 1. However, in concrete applications (e.g., homomorphic encryption for branching programs), the OT ends up being applied on sender’s messages of much smaller asymptotic size, and thus improving the efficiency for this smaller regime leads to efficiency improvements in those applications.

Homomorphic Encryption for Branching Programs with Shorter Ciphertexts. Ishai and Paskin [IP07] show how to build semi-compact homomorphic encryption for bounded-depth branching programs from rate-1 OT. Semi-compact means that the size of a ciphertexts grows only with the depth and the input size, and is independent of the program size otherwise. For the OT protocol, let $\mathsf {size}_r(\lambda , n)$ denote the size of $\mathsf {otr} $ when the length of each of sender’s message is n. Assuming the input size is n and the depth of the branching program is at most d, the size of a ciphertext is $nd \,\times \, \mathsf {size}_r(\lambda , t)$, where $t \in O(\lambda d)$. The result of [DGI+19] gives a DDH-based semi-compact encryption for branching programs with ciphertexts consisting of $O( \lambda ^2 n d^3)$ group elements. Applying Corollary 1, our ciphertexts will contain $O(\lambda n d^2)$ group elements.

Corollary 2

Assuming t-power DDH, there exists a PKE scheme for branching programs of depth d and input size n, where a ciphertext consists of $O(\lambda n d)$ group elements.

Private Information Retrieval (PIR) with Improved Communication. A PIR protocol involves a server, holding $N = 2^d$ blocks $(m_1, \dots , m_N)$, each of length $\beta $, and a client, holding an index $i \in [N]$. The goal is to allow the client to retrieve $m_i$ while keeping i hidden from the server. We would like to achieve this while minimizing communication complexity. Ishai and Paskin [IP07] gives a two-round block single-server PIR (one message from each side), achieving download rate 1, from rate-1 OT. The download rate of a PIR is defined as the ratio between the server’s message and $\beta $. The size of the client’s message is $O(\mathsf {size}_r(\lambda , \beta ) \log N)$, where $\beta \in O(\lambda \log N)$, and recall that $\mathsf {size}_r$ denotes the size parameter of the receiver’s message in the underlying OT protocol. Thus, under DDH, the rate-1 OT of [DGI+19] gives rise to a PIR, where the client’s message consists of $O(\lambda ^2 \mathsf {polylog} (N))$ group elements. Using Corollary 1 and under the power DDH assumption, the client’s message will have $O(\lambda \mathsf {polylog} (N))$ group elements.

Notes

1.
Here for simplicity we assume that $\mathsf {E}$ is deterministic and that each trapdoor enables perfect recovery of the underlying indexed bit. Under the actual definition, the function $\mathsf {E}$ should be randomized, so as to provide the desired privacy guarantees, needed by OT, etc applications. This issue can be handled by using a fixed randomness for the sketched construction.
2.
Again, we are giving an over-simplified construction, by assuming that decryption has perfect correctness. Moreover, in the actual construction, the function $\mathsf {H}$ should be randomized, so to provide sender privacy.
3.
Notice that the only difference between this version and the standard t-power DDH assumption is that the element $g_1$ is now also chosen uniformly at random—as opposed to it being g, the fixed group generator.
4.
We only focus on $\mathsf {TDF}.\mathsf {F} $, because $\mathsf {TDF}.\mathsf {F^{-1}} $ may be done using n group exponentiations, which seems hard to improve.

References

Applebaum, B., Harnik, D., Ishai, Y.: Semantic security under related-key attacks and applications. In: ICS 2011, pp. 45–60, Tsinghua University Press, Beijing, China, 7–9 January 2011
Google Scholar
Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14
Chapter Google Scholar
Bai, Z., Demmel, J., Dongarra, J., Ruhe, A., van der Vorst, H.: Templates for the Solution of Algebraic Eigenvalue Problems: A Practical Guide. SIAM (2000)
Google Scholar
Bellare, M., Fischlin, M., O’Neill, A., Ristenpart, T.: Deterministic encryption: definitional equivalences and constructions without random oracles. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 360–378. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_20
Chapter Google Scholar
Boyle, E., Gilboa, N., Ishai, Y.: Breaking the circuit size barrier for secure computation under DDH. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part I. LNCS, vol. 9814, pp. 509–539. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53018-4_19
Chapter Google Scholar
Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 1–35. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01001-9_1
Chapter Google Scholar
Brakerski, Z., Koppula, V., Mour, T.: NIZK from LPN and trapdoor hash via correlation intractability for approximable relations. Cryptology ePrint Archive, Report 2020/258 (2020). https://eprint.iacr.org/2020/258
Brakerski, Z., Lombardi, A., Segev, G., Vaikuntanathan, V.: Anonymous IBE, leakage resilience and circular security from new assumptions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part I. LNCS, vol. 10820, pp. 535–564. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_20
Chapter Google Scholar
Bartusek, J., Ma, F., Zhandry, M.: The distinction between fixed and random generators in group-based assumptions. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 801–830. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_27
Chapter MATH Google Scholar
Boyen, X., Waters, B.: Shrinking the keys of discrete-log-type lossy trapdoor functions. In: Zhou, J., Yung, M. (eds.) ACNS 2010. LNCS, vol. 6123, pp. 35–52. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13708-2_3
Chapter Google Scholar
Cascudo, I., Damgård, I., David, B., Döttling, N., Nielsen, J.B.: Rate-1, linear time and additively homomorphic UC commitments. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016, Part III. LNCS, vol. 9816, pp. 179–207. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_7
Chapter Google Scholar
Chang, Y.-C.: Single database private information retrieval with logarithmic communication. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 50–61. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_5
Chapter Google Scholar
Cachin, C., Micali, S., Stadler, M.: Computationally private information retrieval with polylogarithmic communication. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 402–414. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_28
Chapter Google Scholar
Camenisch, J., Neven, G., shelat, A.: Simulatable adaptive oblivious transfer. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 573–590. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_33
Chapter Google Scholar
Döttling, N., Garg, S.: From selective IBE to full IBE and selective HIBE. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 372–408. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70500-2_13
Chapter Google Scholar
Döttling, N., Garg, S.: Identity-based encryption from the Diffie-Hellman assumption. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 537–569. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_18
Chapter Google Scholar
Döttling, N., Garg, S., Hajiabadi, M., Liu, K., Malavolta, G.: Rate-1 trapdoor functions from the Diffie-Hellman problem. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019, Part III. LNCS, vol. 11923, pp. 585–606. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34618-8_20
Chapter Google Scholar
Döttling, N., Garg, S., Hajiabadi, M., Masny, D.: New constructions of identity-based and key-dependent message secure encryption schemes. In: Abdalla, M., Dahab, R. (eds.) PKC 2018, Part I. LNCS, vol. 10769, pp. 3–31. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_1
Chapter MATH Google Scholar
Döttling, N., Garg, S., Ishai, Y., Malavolta, G., Mour, T., Ostrovsky, R.: Trapdoor hash functions and their applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 3–32. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_1
Chapter Google Scholar
Dodis, Y., Yampolskiy, A.: A verifiable random function with short proofs and keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_28
Chapter Google Scholar
Freeman, D.M., Goldreich, O., Kiltz, E., Rosen, A., Segev, G.: More constructions of lossy and correlation-secure trapdoor functions. In: Nguyen, P.Q., Pointcheval, D. (eds.) PKC 2010. LNCS, vol. 6056, pp. 279–295. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13013-7_17
Chapter Google Scholar
Garg, S., Gay, R., Hajiabadi, M.: New techniques for efficient trapdoor functions and applications. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019, Part III. LNCS, vol. 11478, pp. 33–63. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_2
Chapter Google Scholar
Garg, S., Hajiabadi, M.: Trapdoor functions from the computational Diffie-Hellman assumption. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 362–391. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96881-0_13
Chapter Google Scholar
Guruswami, V., Indyk, P.: Linear-time encodable/decodable codes with near-optimal rate. IEEE Trans. Inf. Theory 51(10), 3393–3400 (2005)
Article MathSciNet Google Scholar
Goyal, R., Vusirikala, S., Waters, B.: New constructions of hinting PRGs, OWFs with encryption, and more. Cryptology ePrint Archive, Report 2019/962 (2019). https://eprint.iacr.org/2019/962
Ishai, Y., Paskin, A.: Evaluating branching programs on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 575–594. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_31
Chapter Google Scholar
Kitagawa, F., Matsuda, T., Tanaka, K.: CCA security and trapdoor functions via key-dependent-message security. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 33–64. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_2
Chapter Google Scholar
Koppula, V., Waters, B.: Realizing chosen ciphertext security generically in attribute-based encryption and predicate encryption. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part II. LNCS, vol. 11693, pp. 671–700. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_23
Chapter MATH Google Scholar
Lipmaa, H.: An oblivious transfer protocol with log-squared communication. In: Zhou, J., Lopez, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 314–328. Springer, Heidelberg (2005). https://doi.org/10.1007/11556992_23
Chapter Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1
Chapter Google Scholar
Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_3
Chapter Google Scholar
Lombardi, A., Quach, W., Rothblum, R.D., Wichs, D., Wu, D.J.: New constructions of reusable designated-verifier NIZKs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 670–700. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_22
Chapter Google Scholar
Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: 38th FOCS, Miami Beach, Florida, 19–22 October 1997, pp. 458–467. IEEE Computer Society Press (1997)
Google Scholar
Ostrovsky, R., Skeith, W.E.: A survey of single-database private information retrieval: techniques and applications. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 393–411. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-71677-8_26
Chapter Google Scholar
Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. In: 40th ACM STOC, Victoria, BC, Canada, 17–20 May 2008, pp. 187–196. ACM Press (2008)
Google Scholar
Peikert, C., Waters, B.: Lossy trapdoor functions and their applications. SIAM J. Comput. 40(6), 1803–1844 (2011)
Article MathSciNet Google Scholar
Rosen, A., Segev, G.: Chosen-ciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 419–436. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_25
Chapter Google Scholar

Download references

Author information

Authors and Affiliations

University of California, Berkeley, USA
Sanjam Garg
Penn State University, State College, USA
Mohammad Hajiabadi
UCLA, Los Angeles, USA
Rafail Ostrovsky

Authors

Sanjam Garg
View author publications
You can also search for this author in PubMed Google Scholar
Mohammad Hajiabadi
View author publications
You can also search for this author in PubMed Google Scholar
Rafail Ostrovsky
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mohammad Hajiabadi .

Editor information

Editors and Affiliations

Cornell Tech, New York, NY, USA
Rafael Pass
Institute of Science and Technology Austria, Klosterneuburg, Austria
Krzysztof Pietrzak

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Garg, S., Hajiabadi, M., Ostrovsky, R. (2020). Efficient Range-Trapdoor Functions and Applications: Rate-1 OT and More. In: Pass, R., Pietrzak, K. (eds) Theory of Cryptography. TCC 2020. Lecture Notes in Computer Science(), vol 12550. Springer, Cham. https://doi.org/10.1007/978-3-030-64375-1_4

Download citation

DOI: https://doi.org/10.1007/978-3-030-64375-1_4
Published: 09 December 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64374-4
Online ISBN: 978-3-030-64375-1
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Efficient Range-Trapdoor Functions and Applications: Rate-1 OT and More

Abstract

Similar content being viewed by others

Rate-1 Trapdoor Functions from the Diffie-Hellman Problem

Trapdoor Hash Functions and Their Applications

Privacy-Preserving Range Queries from Keyword Queries

1 Introduction

1.1 Our Results

1.2 Related Work and Open Problems

1.3 Technical Overview

2 Preliminaries

2.1 Standard Definitions and Lemmas

Definition 1

Definition 2

2.2 Computational Assumptions

Definition 3

Lemma 1

Proof

2.3 Standard Lemmas

Lemma 2

Lemma 3

Proof

2.4 Error Correcting Codes

Definition 4

Theorem 1

3 Lossy TDFs with Short Public Keys from Power DDH

Lemma 4

Proof

Construction 2

Lemma 5

Proof

Lemma 6

Proof

Lemma 7

Proof

3.1 Running Time of Our Lossy TDFs

4 Fast Fourier Transform in the Exponent

Lemma 8

Lemma 9

Lemma 10

Proof

Lemma 11

5 Range-Trapdoor Hash Functions

Definition 5

Remark 3

Lemma 12

Lemma 13

Proof

5.1 Range-Trapdoor Hash with Linear-Sized Evaluation Keys

Construction 4

Lemma 14

Proof

Lemma 15

Proof

6 Applications of Range-Trapdoor Hash

Corollary 1

Corollary 2

Notes

References

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation