CNF-FSS and Its Applications

Abstract

Function Secret Sharing (FSS), introduced by Boyle, Gilboa and Ishai [BGI15], extends the classical notion of secret-sharing a value to secret sharing a function. Namely, for a secret function f (from a class \(\mathcal F\)), FSS provides a sharing of f whereby succinct shares (“keys”) are distributed to a set of parties, so that later the parties can non-interactively compute an additive sharing of f(x), for any input x in the domain of f. Previous work on FSS concentrated mostly on the two-party case, where highly efficient schemes are obtained for some simple, yet extremely useful, classes \(\mathcal F\) (in particular, FSS for the class of point functions, a task referred to as DPF – Distributed Point Functions [GI14, BGI15]).

In this paper, we concentrate on the multi-party case, with \(p\ge 3\) parties and t-security (\(1\le t<p\)). First, we introduce the notion of CNF-DPF (or, more generally, CNF-FSS), where the scheme uses the CNF version of secret sharing (rather than additive sharing) to share each value f(x). We then demonstrate the utility of CNF-DPF by providing several applications. Our main result shows how CNF-DPF can be used to achieve substantial asymptotic improvement in communication complexity when using it as a building block for constructing standard (t, p)-DPF protocols that tolerate \(t>1\) (semi-honest) corruptions (of the p parties). For example, we build a 2-out-of-5 secure (standard) DPF scheme of communication complexity \(O(N^{1/4})\), where N is the domain size of f (compared with the current best-known of \(O(N^{1/2})\) for (2, 5)-DPF). More generally, with \(p>dt\) parties, we give a (t, p)-DPF whose communication grows as \(O(N^{1/2d})\) (rather than \(O(\sqrt{N})\) that follows from the \((p-1,p)\)-DPF scheme of [BGI15]). (We ignore here terms that depend on the number of parties, p, the security parameter, etc. See precise statements in the main body of the paper below)

We also present a 1-out-of-3 secure CNF-DPF scheme, in which each party holds two of the three keys, with poly-logarithmic communication complexity. These results have immediate implications to scenarios where (multi-server) DPF was shown to be applicable. For example, we show how to use such a scheme to obtain asymptotic improvement (\(O(\log ^2N)\) versus \(O(\sqrt{N})\)) in communication complexity over the 3-party protocol of [BKKO20].

P. Bunn—This work was supported by DARPA and NIWC Pacific under contract N66001-15-C-4065. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes not withstanding any copyright notation thereon. The views, opinions, and/or findings expressed are those of the author(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

E. Kushilevitz—Supported by ISF grant 2774/20, BSF grant 2018393, and NSF-BSF grant 2015782.

R. Ostrovsky—Supported in part by DARPA under Cooperative Agreement HR0011-20-2-0025, by DARPA and NIWC Pacific under contract N66001-15-C-4065, NSF grant CNS-2001096, US-Israel BSF grant 2015782, Google Faculty Award, JP Morgan Faculty Award, IBM Faculty Research Award, Xerox Faculty Research Award, OKAWA Foundation Research Award, B. John Garrick Foundation Award, Teradata Research Award, Lockheed-Martin Research Award and Sunday Group. The U.S. Government is authorized to reproduce and distribute reprints for governmental purposes not withstanding any copyright annotation therein. The views, opinions, and/or findings expressed are those of the author(s) and should not be interpreted as representing the official views or policies of the Department of Defense or the U.S. Government.

A Proof of Theorem 9

We argue how the scheme described in Sect. 4.3 enjoys the stated communication complexity and satisfies each of the requisite properties of CNF-DPF (see Definition 2).

Communication. The size of each Gen key is \(O(m + \lambda \log ^2(N))\):

• \(O(\lambda )\) for each of the original PRG seeds \(\{x^{\mathcal {P}}, y^{\mathcal {P}}, z^{\mathcal {P}}\}\).

• O(1) for the four control bits on the root node \(\{b^{\mathcal {P}}, b ^{\mathcal {P}_R}, c^{\mathcal {P}}, c^{\mathcal {P}_R}\}\).

• O(m) for the \(W \in \mathbb {G} \) (recall \(m = \log (|\mathbb {G}|)\)).

• For each \(1 \le l \le \log (N)\): \(O(\lambda \log (N))\) for the collection of MS-DPF\(^+\) keys \(\{\kappa ^{\mathcal {P}}_l, \widehat{\kappa }^{\mathcal {P}}_l\}\) (see Claim 8). Adding these costs for each level l yields total cost of these keys: \(O(\lambda \log ^2(N))\).

Consistency. That the protocol of Sect. 4.3 satisfies the Consistency property of CNF-FSS (see Definition 2) requires showing, among other things, that for each \(\mathcal {P} \in [3]\) and for each \(\widehat{P} := \mathcal {P}_R\), that the control bits observe CNF-sharing:

$$\begin{aligned} b^{\mathcal {P}_R}_{\nu } = b^{\widehat{\mathcal {P}}}_{\nu } \quad \text {and} \quad c^{\mathcal {P}_R}_{\nu } = c^{\widehat{\mathcal {P}}}_{\nu } \end{aligned}$$

(18)

In other words, (18) is emphasizing that the formulas for \(b^{\mathcal {P}_R}_{\nu }\) and \(c^{\mathcal {P}_R}_{\nu }\) in (the bottom equations of) (13) and (14) generate the same bits as (the top equations of) the corresponding formulas for \(b^{\widehat{\mathcal {P}}}_{\nu }\) and \(c^{\widehat{\mathcal {P}}}_{\nu }\) in (13) and (14), for \(\widehat{\mathcal {P}} = \mathcal {P}_R\). For example, when computing the bottom formulas of (13) and (14) for \(\mathcal {P} = \mathcal {P}_1\), the values output there (which are for \(\mathcal {P}_R = \mathcal {P}_2\)) match the values that are output for key \(\mathcal {P}_2\) in (the top part of) the equations (13) and (14).

We make an inductive argument to demonstrate CNF-sharing of the control bits (as per (18)) holds for all nodes \(\nu \). At the root, (18) is true by construction of values \(\{ b^{\mathcal {P}}_{\nu }\}\) and \(\{ c^{\mathcal {P}}_{\nu }\}\) in Step 1 of the Gen algorithm. Now for any non-root node \(\nu \), let \(\mu \) denote its parent, and assume that (18); we use the formulas in (13) and (14) to demonstrate that (18) also holds for \(\nu \). To fix notation, fix \(\mathcal {P} \in [3]\), and let \(\widehat{\mathcal {P}} = \mathcal {P}_R\) denote the right key of \(\mathcal {P}\).

• \(\underline{\mathrm{Case 1:}\, \mu \, \mathrm{is }\,\textit{off-path}}\). In the Correctness argument above, we demonstrated that (2) is satisfied for the seeds on every node. Since \(\mu \) is off-path: \(x^{\mathcal {P}}_{\mu } = z^{\widehat{\mathcal {P}}}_{\mu }\), \(y^{\mathcal {P}}_{\mu } = x^{\widehat{\mathcal {P}}}_{\mu }\), and \(z^{\mathcal {P}}_{\mu } = y^{\widehat{\mathcal {P}}}_{\mu }\). Plugging in these relations into (13) for \(b^{\mathcal {P}_R}_{\nu }\):

  $$\begin{aligned} \underline{\text {If }\nu \text { is }{} \textit{left} \text { child of }\mu \text {:}} \quad b^{\mathcal {P}_R}_{\nu }&= c^{\mathcal {P}_R}_{\mu } \cdot r_l \oplus H_L(y^{\mathcal {P}}_{\mu }) \oplus H_L(z^{\mathcal {P}}_{\mu }) \\&= c^{\widehat{\mathcal {P}}}_{\mu } \cdot r_l \oplus H_L(x^{\widehat{\mathcal {P}}}_{\mu }) \oplus H_L(y^{\widehat{\mathcal {P}}}_{\mu }) = b^{\widehat{\mathcal {P}}}_{\nu } \\ \underline{\text {If }\nu \text { is }{} \textit{right} \text { child of }\mu \text {:}} \quad b^{\mathcal {P}_R}_{\nu }&= c^{\mathcal {P}_R}_{\mu } \cdot s_l \oplus H_R(y^{\mathcal {P}}_{\mu }) \oplus H_R(z^{\mathcal {P}}_{\mu }) \\&= c^{\widehat{\mathcal {P}}}_{\mu } \cdot s_l \oplus H_R(x^{\widehat{\mathcal {P}}}_{\mu }) \oplus H_R(y^{\widehat{\mathcal {P}}}_{\mu }) = b^{\widehat{\mathcal {P}}}_{\nu } \end{aligned}$$

  where we have applied the inductive argument that \(c^{\mathcal {P}_R}_{\mu } = c^{\widehat{\mathcal {P}}}_{\mu }\) for parent node \(\mu \) for the center equality of each case above.

• \(\underline{\text {Case 2:}\, \mu \text { is }{} \textit{on-path}}\). Since \(\mu \) is on-path: \(z^{\mathcal {P}}_{\mu } = x^{\widehat{\mathcal {P}}}_{\mu }\) and \(y^{\mathcal {P}}_{\mu } = y^{\widehat{\mathcal {P}}}_{\mu }\). Plugging in these relations into (13) for \(b^{\mathcal {P}_R}_{\nu }\):

  $$\begin{aligned} \underline{\text {If }\nu \text { is }{} \textit{left} \text { child of }\mu \text {:}} \quad b^{\mathcal {P}_R}_{\nu }&= c^{\mathcal {P}_R}_{\mu } \cdot r_l \oplus H_L(y^{\mathcal {P}}_{\mu }) \oplus H_L(z^{\mathcal {P}}_{\mu }) \\&= c^{\widehat{\mathcal {P}}}_{\mu } \cdot r_l \oplus H_L(y^{\widehat{\mathcal {P}}}_{\mu }) \oplus H_L(x^{\widehat{\mathcal {P}}}_{\mu }) = b^{\widehat{\mathcal {P}}}_{\nu } \\ \underline{\text {If }\nu \text { is }{} \textit{right} \text { child of }\mu \text {:}} \quad b^{\mathcal {P}_R}_{\nu }&= c^{\mathcal {P}_R}_{\mu } \cdot s_l \oplus H_R(y^{\mathcal {P}}_{\mu }) \oplus H_R(z^{\mathcal {P}}_{\mu }) \\&= c^{\widehat{\mathcal {P}}}_{\mu } \cdot s_l \oplus H_R(y^{\widehat{\mathcal {P}}}_{\mu }) \oplus H_R(x^{\widehat{\mathcal {P}}}_{\mu }) = b^{\widehat{\mathcal {P}}}_{\nu } \end{aligned}$$

The argument that \(c^{\mathcal {P}_R}_{\nu } = c^{\widehat{\mathcal {P}}}_{\nu }\) is similar, using \(t_l\) fori \(r_l\), \(u_l\) for \(s_l\), and \(\widehat{H}\) for H.

With (18) verified, Consistency follows immediately from the invariants of (2), both for the case \(\nu \) is on-path (i.e. \(\beta =\alpha \)) and off-path (i.e. \(\beta \ne \alpha \)); see (17).

Security. We provide a sketch of the proof here, which captures the intuition of the argument; the full proof is relegated to the extended version.

We argue that the components of any Gen key \(\kappa ^{\mathcal {P}}\) (see (12)) are independent from each other and either truly random or masked with pseudorandom values whose seeds are known only to other parties (and not to party \(\mathcal {P}\)). In fact, the information of \(\kappa ^{\mathcal {P}}\) related to the root node is randomly chosen, and the information related to the other levels of the tree is masked using pseudorandom values not known to \(\mathcal {P}\). Based on this, a simulator that simply outputs random values according to the key structure will satisfy Definition 2, which we recall here (updated for our case of security threshold \(t=1\)):

$$\begin{aligned} \left\{ \{\kappa _1, \dots , \kappa _p\} \leftarrow _R \mathsf {Gen}(1^{\lambda }, f_{\alpha ,v}) \;: \;\kappa _i \right\} \;\approx _C \;\left\{ \kappa \leftarrow _R \mathsf {Sim}(1^{\lambda }, D, \mathbb {G}) \right\} . \end{aligned}$$

(19)

The proof follows an inductive argument (on the depth of the binary tree), and argues that assuming a simulator that outputs random values satisfies (19) for depth \(l-1\), the extra values output by Gen in (12) for level l do not threaten the validity of the same simulator (i.e. one that is simply outputting random values) for the extra layer of the tree. More concretely, we will demonstrate the existence of a related simulator²¹:

$$\begin{aligned} \forall 1 \le l \le \log {N}: \quad&\left\{ \{\kappa ^{\mathcal {P}_1}, \kappa ^{\mathcal {P}_2}, \kappa ^{\mathcal {P}_3} \} \leftarrow _R \mathsf {Gen}(1^{\lambda }, f_{\alpha ,v}) \;: \;((\kappa ^{\mathcal {P}})_l, \;x^{\mathcal {P}_L}_{\nu _l}) \right\} \;\approx _C \;\quad \nonumber \\&\left\{ (\kappa )_l \leftarrow _R \mathsf {Sim}(1^{\lambda }, D, \mathbb {G}), \;x \leftarrow _R \{0, 1\}^{\lambda } \;: \;((\kappa )_l, \;x) \right\} , \end{aligned}$$

(20)

where \(\nu _l\) refers to the on-path node at level l, \((\kappa ^{\mathcal {P}})_l\) refers to the components of key \(\kappa ^{\mathcal {P}}\) from Gen steps 1–3 through level l (i.e. everything from (12) except the final correction word W and the per-level values for levels in \([l+1..\log {N}]\)), and \(x^{\mathcal {P}_L}_{\nu _l}\) refer to the seed values x on node \(\nu _l\) that are associated with the key \(\kappa ^{\mathcal {P}_L}\) to the left of the provided key \(\kappa ^{\mathcal {P}}\).²² The reason that the existence of a simulator as per (20) (and more specifically, where this simulator simply outputs random values as per the structure of \((\kappa ^{\mathcal {P}})_l\)) implies the existence of a simulator as per (19) is based on the formulas dictating how the Gen algorithm computes the extra seed values on level l: \(\{\kappa ^{\mathcal {P}}_l \}, \;\{ \widehat{\kappa }^{\mathcal {P}}_l \}, \;\{r_l, s_l, t_l, u_l\}\). Namely, investigating the formulas for these extra values on level l ((7), (8), (9), and (10)), each formula has a term involving \(x^{\mathcal {P}_L}_{\mu }\) for the value of \(x^{\mathcal {P}_L}\) on node \(\mu \) on level \(l-1\), and consequently as long as the value of \(x^{\mathcal {P}_L}_{\mu }\) on parent level \(l-1\) cannot be distinguished from uniform, the new Gen key values on level l: \(\{\kappa ^{\mathcal {P}}_l \}, \;\{ \widehat{\kappa }^{\mathcal {P}}_l \}, \;\{r_l, s_l, t_l, u_l\}\) will also be indistinguishable from uniform. Notice that for each \(1 \le l \le \log {N}\), (20) explicitly excludes the final correction word W from both sides. However, the last step of the argument has the same spirit, whereby the existence of the \(x_{\nu }^{\mathcal {P}_L}\) term (for on-path leaf node \(\nu \)) in W implies that W is indistinguishible from uniform.

We proceed with an inductive argument, demonstrating that all the values output by the Gen algorithm respect the security invariant, and then demonstrate how the security invariant implies that all values output by the Gen algorithm appear uniformly random (and independent of one another).

• Step 1: Values at Root. The seeds \(\{x^{\mathcal {P}}, y^{\mathcal {P}}, z^{\mathcal {P}}\}\) are chosen uniformly at random (subject to the constraint in (2), i.e. that there is a single common seed \(y^{\mathcal {P}}\) that is common across all three keys, and that the other two seeds of each key overlap with exactly one of the seeds from each of the other two keys) and, in particular, the seeds are chosen independently from the point function \(f_{\alpha ,v}\) parameters, \({\alpha }\) and v. Similarly, the sibling control bits \(\{b^{\mathcal {P}}, b^{\mathcal {P}_R}\}\) and on-path control bits \(\{c^{\mathcal {P}}, c^{\mathcal {P}_R}\}\) are also chosen uniformly at random (subject to the constraint in (6)) and independently from the parameters \(\alpha \) and v.

• \(\underline{\text {Step 2.i: For each} 1 \le l \le \log (N)\mathrm{: MS-DPF}^{+} \mathrm{keys }\, \{\kappa ^{\mathcal {P}}_l, \widehat{\kappa }^{\mathcal {P}}_l\}}\).

  Note that the security of the underlying MS-DPF\(^+\) schemes for \(f_l\) and \(\widehat{f}_l\) ensure that \(\{v^{\mathcal {P}_L}_l, v^{\mathcal {P}_R}_l\}\) and \(\{\widehat{v}^{\mathcal {P}_L}_l, \widehat{v}^{\mathcal {P}_R}_l\}\) cannot be distinguished from random even for someone holding \((\kappa ^{\mathcal {P}})_l\) (and thus holding \(\kappa ^{\mathcal {P}}_l\) and \(\widehat{\kappa }^{\mathcal {P}}_l\), which in particular reveals \(v^{\mathcal {P}}_l = (v^{\mathcal {P}}_L, v^{\mathcal {P}}_R)\) and \(\widehat{v}^{\mathcal {P}}_l\); see (7)–(8)). That \(\widehat{v}^{\mathcal {P}}_l\) do not leak information about parameters \(\alpha \) or v follows from the fact that (8) indicates that \(\widehat{v}^{\mathcal {P}}_l\) is uniformly random. Meanwhile, that \(v^{\mathcal {P}}_l = (v^{\mathcal {P}}_L, v^{\mathcal {P}}_R)\) does not leak information about parameters \(\alpha \) or v is argued as follows: For the base case (\(l=1\)), the formula for \(v^{\mathcal {P}_L}\) indicates dependence on \(G_L(x^{\mathcal {P}_L}_{\mu })\) (respectively \(v^{\mathcal {P}_R}\) depends on \(G_R(x^{\mathcal {P}_L}_{\mu })\)), where \(\mu \) is the on-path node on the parent level, i.e. \(\mu \) is the root node if \(l=1\). Since (as mentioned in Step 1 above) \(x^{\mathcal {P}_L}_{\mu }\) cannot be distinguished from uniform by information in \(\kappa ^{\mathcal {P}}\), it follows that \(v^{\mathcal {P}}_l\) also cannot be distinguished from uniform (also, pseudorandomness of \(G = (G_L, G_R)\) implies there is no dependence on the two components \((v^{\mathcal {P}}_L, v^{\mathcal {P}}_R)\) of \(v^{\mathcal {P}}_l\)). For the inductive case (\(1 < l \le \log {N}\)), we follow the same argument, except now we use the Security Invariant (20) (plus pseudorandomness of the PRG G) inductively to argue that \(x^{\mathcal {P}_L}_{\mu }\) from the parent level \(l-1\) cannot be distinguished from uniform, and therefore \(v^{\mathcal {P}}_l\) also appears uniformly random.

• \(\underline{\text {Step 2.ii: For each} 1 \le l \le \log (N)\mathrm{: Correction Bits}\, \{r_l, s_l, t_l, u_l\}}\).

  As can be seen in (10), each correction bit depends on one of the values \(\{h_L, h_R, \widehat{h}_L, \widehat{h}_R\}\), and, as per (9), each of these values in turn appears uniformly random due to its dependence on \(x^{\mathcal {P}_L}_{\mu }\) for parent node \(\mu \) (as was argued above in Step 2.i). Furthermore, pseudorandomness of \(H, \widehat{H}\) implies that there is no dependency between the correction bit values and any other values dealt as part of the Gen key \(\kappa ^{\mathcal {P}}\).

• \(\underline{\text {Step 3: Final Correction Word } W}\).

  While \(W = v \oplus \widehat{G}(x^{\mathcal {P}_1}_{\widehat{\nu }}) \oplus \widehat{G}(x^{\mathcal {P}_2}_{\widehat{\nu }}) \oplus \widehat{G}(x^{\mathcal {P}_3}_{\widehat{\nu }} )\oplus \widehat{G}(y^{\mathcal {P}_1}_{\widehat{\nu }})\) involves the secret parameter v, the Security Invariant applied to on-path leaf node \(\widehat{\nu }\) implies that W contains a term (\(x^{\mathcal {P}_L}_{\widehat{\nu }}\)) that cannot be distinguished from random by \(\mathcal {P}\), and therefore v remains completely hidden. Furthermore, pseudorandomness of \(\widehat{G}\) implies that there is no dependency between W and any other values dealt as part of the Gen key \(\kappa ^{\mathcal {P}}\).

Correctness. We demonstrate for any input \(\beta \in D\) and for each \(\mathcal {P} \in [3]\):

$$\begin{aligned}&\sum _{\mathcal {P}} \mathsf {Eval}(\mathcal {P}, \kappa ^{\mathcal {P}}, \beta ) = \left\{ \begin{array}{ll} (0_{\mathbb {G}}, 0_{\mathbb {G}}) \quad &{} \text {if }\beta \ne \alpha \\ (v, v) \quad &{} \text {if }\beta = \alpha \end{array} \right. \end{aligned}$$

(21)

(Recall that in a (1, 3)-CNF scheme, \({\mathsf {Eval}}\) outputs for each party a pair of values, one per key, and the sum of all left values and the sum of all right values should both equal \(f(\beta )\), which for DPF is either \(0_{\mathbb {G}}\) or v, depending on whether input \(\beta \) equals \(\alpha \).) To show (21) holds, we first show that at every iteration of Step 1 of the Eval procedure, that the values \(\{x^{\mathcal {P}}_{\nu }, y^{\mathcal {P}}_{\nu }, z^{\mathcal {P}}_{\nu } \}\) and \(\{b^{\mathcal {P}}_{\nu }, b^{\mathcal {P}_R}_{\nu },c^{\mathcal {P}}_{\nu },c^{\mathcal {P}_R}_{\nu }\}\) respect the invariants listed in tables (2) and (6), respectively. Then, once this is shown, (21) follows immediately since:

$$\begin{aligned} \text {Firs}&\text {t} \text { coordinate of} \;\;\bigoplus \limits _{\mathcal {P}} \genfrac{}{}{0.0pt}0{}{\scriptstyle {\mathbb {G}}}\mathsf {Eval}(\mathcal {P}, \kappa ^{\mathcal {P}}, \beta ):\nonumber \\ =&\;\bigoplus \limits _{\mathcal {P}} \genfrac{}{}{0.0pt}0{}{\scriptstyle {\mathbb {G}}} \left( \widehat{G}(x^{\mathcal {P}}_{\nu }) \ominus _{\scriptscriptstyle {\mathbb {G}}} \widehat{G}(y^{\mathcal {P}}_{\nu }) \oplus _{\scriptscriptstyle {\mathbb {G}}} c^{\mathcal {P}}_{\nu } \cdot W \right) \nonumber \\ =&\;\left( \left( \widehat{G}(x^{\mathcal {P}_1}_{\nu }) \ominus _{\scriptscriptstyle {\mathbb {G}}} \widehat{G}(y^{\mathcal {P}_1}_{\nu }) \right) \oplus _{\scriptscriptstyle {\mathbb {G}}} \left( \widehat{G}(x^{\mathcal {P}_2}_{\nu }) \ominus _{\scriptscriptstyle {\mathbb {G}}} \widehat{G}(y^{\mathcal {P}_2}_{\nu }) \right) \oplus _{\scriptscriptstyle {\mathbb {G}}} \left( \widehat{G}(x^{\mathcal {P}_3}_{\nu }) \ominus _{\scriptscriptstyle {\mathbb {G}}} \widehat{G}(y^{\mathcal {P}_3}_{\nu }) \right) \right) \oplus _{\scriptscriptstyle {\mathbb {G}}} \nonumber \\&W \cdot \bigoplus \limits _{\mathcal {P}} \genfrac{}{}{0.0pt}0{}{\scriptstyle {\mathbb {G}}} c^{\mathcal {P}}_{\nu } \nonumber \\ =&\;\left( \left( \widehat{G}(x^{\mathcal {P}_1}_{\nu }) \ominus _{\scriptscriptstyle {\mathbb {G}}} \widehat{G}(y^{\mathcal {P}_1}_{\nu }) \right) \oplus _{\scriptscriptstyle {\mathbb {G}}} \left( \widehat{G}(x^{\mathcal {P}_2}_{\nu }) \ominus _{\scriptscriptstyle {\mathbb {G}}} \widehat{G}(y^{\mathcal {P}_2}_{\nu }) \right) \oplus _{\scriptscriptstyle {\mathbb {G}}} \left( \widehat{G}(x^{\mathcal {P}_3}_{\nu }) \ominus _{\scriptscriptstyle {\mathbb {G}}} \widehat{G}(y^{\mathcal {P}_3}_{\nu }) \right) \right) \oplus _{\scriptscriptstyle {\mathbb {G}}} \nonumber \\& (v \oplus _{\scriptscriptstyle {\mathbb {G}}} Q) \cdot \bigoplus \limits _{\mathcal {P}} \genfrac{}{}{0.0pt}0{}{\scriptstyle {\mathbb {G}}} c^{\mathcal {P}}_{\nu } \end{aligned}$$

(22)

Notice from (2) that:

$$\begin{aligned}&\left( \widehat{G}(x^{\mathcal {P}_1}_{\nu }) \ominus _{\scriptscriptstyle {\mathbb {G}}} \widehat{G}(y^{\mathcal {P}_1}_{\nu })\right) \oplus _{\scriptscriptstyle {\mathbb {G}}} \left( \widehat{G}(x^{\mathcal {P}_2}_{\nu }) \ominus _{\scriptscriptstyle {\mathbb {G}}} \widehat{G}(y^{\mathcal {P}_2}_{\nu })\right) \oplus _{\scriptscriptstyle {\mathbb {G}}} \left( \widehat{G}(x^{\mathcal {P}_3}_{\nu }) \ominus _{\scriptscriptstyle {\mathbb {G}}} \widehat{G}(y^{\mathcal {P}_3}_{\nu })\right) \\&\quad = \left\{ \begin{array}{ll} \widehat{G}(x^{\mathcal {P}_1}_{\nu })) \oplus _{\scriptscriptstyle {\mathbb {G}}} \widehat{G}(x^{\mathcal {P}_2}_{\nu })) \oplus _{\scriptscriptstyle {\mathbb {G}}} \widehat{G}(x^{\mathcal {P}_3}_{\nu })) \ominus _{\scriptscriptstyle {\mathbb {G}}} 3 \cdot \widehat{G}(y^{\mathcal {P}_1}_{\nu })) = Q \quad &{} \text {if }\beta =\alpha \\ 0_{\mathbb {G}} &{} \text {if }\beta \ne \alpha \end{array}\right. \end{aligned}$$

Also, notice that (6) implies that²³:

$$\begin{aligned} \bigoplus \limits _{\mathcal {P}} \genfrac{}{}{0.0pt}0{}{\scriptstyle {\mathbb {G}}} c^{\mathcal {P}}_{\nu } = \left\{ \begin{array}{ll} 1 \quad &{} \text {if }\widehat{\nu } = \nu \text { is } \textit{on-path} \;\Leftrightarrow \;\beta = \alpha \\ 0 \quad &{} \text {if }\widehat{\nu } \ne \nu \text { is } \textit{off-path} \;\Leftrightarrow \;\beta \ne \alpha \end{array}\right. \end{aligned}$$

(23)

Thus (22) becomes:

$$\begin{aligned}&\text {First coordinate of} \;\;\bigoplus \limits _{\mathcal {P}} \genfrac{}{}{0.0pt}0{}{\scriptstyle {\mathbb {G}}} \mathsf {Eval}(\mathcal {P}, \kappa ^{\mathcal {P}}, \beta ): \nonumber \\&=\left\{ \begin{array}{ll} Q \oplus _{\scriptscriptstyle {\mathbb {G}}} (v \oplus _{\scriptscriptstyle {\mathbb {G}}} Q) \cdot 1 \;= \;v \quad &{} \text {if }\beta = \alpha \\ 0_{\mathbb {G}} \oplus _{\scriptscriptstyle {\mathbb {G}}} (v \oplus _{\scriptscriptstyle {\mathbb {G}}} Q) \cdot 0 \;= \;0_{\mathbb {G}} \quad &{} \text {if }\beta \ne \alpha \end{array}\right. \end{aligned}$$

(24)

Meanwhile, the case for the second coordinate of \(\sum _{\mathcal {P}} \mathsf {Eval}(\mathcal {P}, \kappa ^{\mathcal {P}}, \beta )\) is similar, since the \(\{c^{\mathcal {P}_R}_{\nu }\}\) obey (6) in the same way that \(\{c^{\mathcal {P}}_{\nu }\}\) do, and the symmetry (in terms of (2)) of each key’s first two PRG seeds \(\{x^{\mathcal {P}}_{\nu }, y^{\mathcal {P}}_{\nu }\}\) and each key’s second two PRG seeds \(\{y^{\mathcal {P}}_{\nu }, z^{\mathcal {P}}_{\nu }\}\).

Thus, it remains to show that the invariants of (2) and (6) apply at every node in the binary tree. We argue this fact recursively, by demonstrating that as long as the invariants (2) and (6) hold on a parent node \(\mu \), then these invariants will continue to hold for both of \(\mu \)’s children. We kick off the recursive argument by noting that the root note (which is necessarily on-path) satisfies (2) and (6) by construction (see Step 1 of the \(\mathsf {Gen}\) algorithm). For the inductive step, consider an arbitrary node \(\nu \) on level \(1 \le l \le \log (N)\), and let \(\mu \) denote \(\nu \)’s parent. We do a case analysis based on whether \(\nu \) is the left or right child of \(\mu \):

.

\(\underline{\mathbf {Sibling\, Control\, Bits}\, \{b^{\mathcal {P}}_{\nu }\}}\).

Looking at formula (13) for generating the sibling control bits \(\{b^{\mathcal {P}}_{\nu }, b^{\mathcal {P}_R}_{\nu }\}\) on \(\nu \):

$$\begin{aligned} \sum _{\mathcal {P}} b^{\mathcal {P}}_{\nu } =&\sum _{\mathcal {P}} \left( c^{\mathcal {P}}_{\mu } \cdot r_l \oplus H_L(x^{\mathcal {P}}_{\mu }) \oplus H_L(y^{\mathcal {P}}_{\mu })\right) \nonumber \\ =&\;r_l \cdot \sum _{\mathcal {P}} c^{\mathcal {P}}_{\mu } \quad \oplus \nonumber \\&\;\left( \left( H_L(x^{\mathcal {P}_1}_{\mu }) \oplus H_L(y^{\mathcal {P}_1}_{\mu }) \right) \oplus \left( H_L(x^{\mathcal {P}_2}_{\mu }) \oplus H_L(y^{\mathcal {P}_2}_{\mu }) \right) \oplus \left( H_L(x^{\mathcal {P}_3}_{\mu }) \oplus H_L(y^{\mathcal {P}_3}_{\mu }) \right) \right) \nonumber \\ =&\left\{ \begin{array}{ll} r_l \oplus h_L &{} \text {if }\mu \text { is } \textit{on-path} \\ 0 &{} \text {if }\mu \text { is } \textit{off-path} \end{array}\right. \end{aligned}$$

(25)

where we have used in (25) that \(\sum _{\mathcal {P}} c^{\mathcal {P}}_{\mu } = 1\) if parent node \(\mu \) is on-path and otherwise the sum equals zero (as per (6)); and from (2) that:

$$\begin{aligned}&\left( H_L(x^{\mathcal {P}_1}_{\mu }) \oplus H_L(y^{\mathcal {P}_1}_{\mu })\right) \oplus \left( H_L(x^{\mathcal {P}_2}_{\mu }) \oplus H_L(y^{\mathcal {P}_2}_{\mu })\right) \oplus \left( H_L(x^{\mathcal {P}_3}_{\mu }) \oplus H_L(y^{\mathcal {P}_3}_{\mu })\right) \\&\quad = \left\{ \begin{array}{ll} H_L(x^{\mathcal {P}_1}_{\mu })) \oplus H_L(x^{\mathcal {P}_2}_{\mu })) \oplus H_L(x^{\mathcal {P}_3}_{\mu })) \oplus H_L(y^{\mathcal {P}_1}_{\mu })) = h_L \quad &{} \text {if }\mu \text { is }{} \textit{on-path} \\ 0 &{} \text {if }\mu \text { is }{} \textit{off-path} \end{array}\right. \end{aligned}$$

Thus, if \(\mu \) is off-path, then both \(\nu \) and its sibling are also off-path, and \(\{b^{\mathcal {P}}_{\nu }\}\) satisfies the requisite property of (6). Meanwhile, if \(\mu \) is on-path, then exactly one of \(\nu \) or its sibling is on-path. Since we are in the case that \(\nu \) is the left child of \(\mu \), then \(\nu \) is on-path if and only if \(\alpha _l = 0\). In particular if \(\mu \) is on-path:

$$\begin{aligned} \sum _{\mathcal {P}} b^{\mathcal {P}}_{\nu } = r_l \oplus h_L = \left\{ \begin{array}{ll} h_L \oplus h_L = 0 \quad &{} \text {if }\alpha _l = 0 \;\Leftrightarrow \nu \text {'s }{} \textit{sibling} \text { is off-path}\\ 1 \oplus h_L \oplus h_L = 1 \quad &{} \text {if }\alpha _l = 1 \;\Leftrightarrow \nu \text {'s }{} \textit{sibling} \text { is on-path} \end{array}\right. \end{aligned}$$

where we used (10) to replace \(r_l\) conditioned on whether \(\alpha _l\) is 0 or 1. The argument for the “right” sibling control bits \(\{b^{\mathcal {P}_R}_{\nu }\}\) mirrors the above argument, since \(\sum _{\mathcal {P}} c^{\mathcal {P}}_{\mu } = \sum _{\mathcal {P}} c^{\mathcal {P}_R}_{\mu }\) (per (18)) and \(\{(x^{\mathcal {P}}_{\mu }, y^{\mathcal {P}}_{\mu })\}_{\mathcal {P}} = \{(y^{\mathcal {P}}_{\mu }, z^{\mathcal {P}}_{\mu })\}_{\mathcal {P}}\) (per (2)).

\(\underline{\mathbf {On{\text {-}}Path\, Control\, Bits}\, \{c^{\mathcal {P}}_{\nu }\}}\).

Looking at formula (14) for generating the on-path control bits \(\{c^{\mathcal {P}}_{\nu }, c^{\mathcal {P}_R}_{\nu }\}\) on \(\nu \):

$$\begin{aligned} \sum _{\mathcal {P}} c^{\mathcal {P}}_{\nu } =&\sum _{\mathcal {P}} \left( c^{\mathcal {P}}_{\mu } \cdot t_l \oplus \widehat{H}_L(x^{\mathcal {P}}_{\mu }) \oplus \widehat{H}_L(y^{\mathcal {P}}_{\mu })\right) \nonumber \\ =&\;t_l \cdot \sum _{\mathcal {P}} c^{\mathcal {P}}_{\mu } \quad \oplus \nonumber \\&\;\left( \left( \widehat{H}_L(x^{\mathcal {P}_1}_{\mu }) \oplus \widehat{H}_L(y^{\mathcal {P}_1}_{\mu }) \right) \oplus \left( \widehat{H}_L(x^{\mathcal {P}_2}_{\mu }) \oplus \widehat{H}_L(y^{\mathcal {P}_2}_{\mu }) \right) \oplus \left( \widehat{H}_L(x^{\mathcal {P}_3}_{\mu }) \oplus \widehat{H}_L(y^{\mathcal {P}_3}_{\mu }) \right) \right) \nonumber \\ =&\left\{ \begin{array}{ll} t_l \oplus \widehat{h}_L &{} \text {if }\mu \text { is } \textit{on-path} \\ 0 &{} \text {if }\mu \text { is } \textit{off-path} \end{array}\right. \end{aligned}$$

(26)

where we have used in (26) that \(\sum _{\mathcal {P}} c^{\mathcal {P}}_{\mu } = 1\) if parent node \(\mu \) is on-path and otherwise the sum equals zero (per (6)); and from (2) that:

$$\begin{aligned}&\left( \widehat{H}_L(x^{\mathcal {P}_1}_{\mu }) \oplus \widehat{H}_L(y^{\mathcal {P}_1}_{\mu })\right) \oplus \left( \widehat{H}_L(x^{\mathcal {P}_2}_{\mu }) \oplus \widehat{H}_L(y^{\mathcal {P}_2}_{\mu })\right) \oplus \left( \widehat{H}_L(x^{\mathcal {P}_3}_{\mu }) \oplus \widehat{H}_L(y^{\mathcal {P}_3}_{\mu })\right) \\&\quad = \left\{ \begin{array}{ll} \widehat{H}_L(x^{\mathcal {P}_1}_{\mu })) \oplus \widehat{H}_L(x^{\mathcal {P}_2}_{\mu })) \oplus \widehat{H}_L(x^{\mathcal {P}_3}_{\mu })) \oplus \widehat{H}_L(y^{\mathcal {P}_1}_{\mu })) = \widehat{h}_L \quad &{} \text {if }\mu \text { is }{} \textit{on-path} \\ 0 &{} \text {if }\mu \text { is }{} \textit{off-path} \end{array}\right. \end{aligned}$$

Thus, if \(\mu \) is off-path, then both \(\nu \) and its sibling are also off-path, and \(\{c^{\mathcal {P}}_{\nu }\}\) satisfies the requisite property of (6). Meanwhile, if \(\mu \) is on-path, then exactly one of \(\nu \) or its sibling is on-path. Since we are in the case that \(\nu \) is the left child of \(\mu \), then \(\nu \) is on-path if and only if \(\alpha _l = 0\). In particular if \(\mu \) is on-path:

$$\begin{aligned} \sum _{\mathcal {P}} c^{\mathcal {P}}_{\nu } = t_l \oplus \widehat{h}_L = \left\{ \begin{array}{ll} 1 \oplus \widehat{h}_L \oplus \widehat{h}_L = 1 \quad &{} \text {if }\alpha _l = 0 \;\Leftrightarrow \nu \text { is on-path}\\ \widehat{h}_L \oplus \widehat{h}_L = 0 \quad &{} \text {if }\alpha _l = 1 \;\Leftrightarrow \nu \text { is off-path} \end{array}\right. \end{aligned}$$

where we used (10) to replace \(t_l\) conditioned on whether \(\alpha _l = 0\) or \(\alpha _l = 1\). The argument for the “right” sibling control bits \(\{c^{\mathcal {P}_R}_{\nu }\}\) mirrors the above argument, since \(\sum _{\mathcal {P}} c^{\mathcal {P}}_{\mu } = \sum _{\mathcal {P}} c^{\mathcal {P}_R}_{\mu }\) (per (18)) and \(\{(x^{\mathcal {P}}_{\mu }, y^{\mathcal {P}}_{\mu })\}_{\mathcal {P}} = \{(y^{\mathcal {P}}_{\mu }, z^{\mathcal {P}}_{\mu })\}_{\mathcal {P}}\) (per (2)).

\(\underline{\mathbf {Seeds}\, \{x^{\mathcal {P}}_{\nu }, y^{\mathcal {P}}_{\nu }, z^{\mathcal {P}}_{\nu }\}}\).

Demonstrating that the formulas for the next-level seeds in (15)–(16) maintain the seed invariants of (2) is straightforward, but requires a case analysis based on whether the current node is on-path or off-path.

Case Analysis of Correctness for 1-out-of-3 CNF-DPF.

We prove the new seed values on \(\nu \), computed as per (15)–(16), obey (2) by doing a case analysis, broken down by \(\nu \)’s location (on-path, sibling is on-path, both self and sibling are off-path), as well as on the \(\{b^{\mathcal {P}}_{\nu }, b^{\mathcal {P}_R}_{\nu }\}\) values on \(\nu \). Before proceeding, recall the notation for \(w^{\mathcal {P}}_{*}\) (see Step (1c) of the Eval algorithm): the first (respectively last) \(\lambda \) bits of \(\mathsf {Eval}(\kappa ^{\mathcal {P}}_l, \nu )\) if \(\nu \) is the left (respectively right) child of its parent, where \(\kappa ^{\mathcal {P}}_l\) denotes the MS-DPF\(^+\) key for level l (see (7) in Step 2 of the Gen algorithm); and also the notation for \(\widehat{w}^{\mathcal {P}}_{\nu } = \mathsf {Eval}(\widehat{\kappa }^{\mathcal {P}}_l, \nu )\), and for \(G_{*} = G_L\) (resp. \(G_R\)) if \(\nu \) is the left (resp. right) child of its parent.

For each case below, we present a table which shows what each key’s new seed values on node \(\nu \) will be, given \(\nu \)’s position (on/off path) and the seed values that were present on \(\nu \)’s parent node \(\mu \). The tables indicate, for each key, which seed formula ((15) vs. (16)) are used to derive the new seed values on \(\nu \).

\(\underline{\text {Case A: Parent}\,\mu \,\text {is off-path}}\). Because parent node \(\mu \) is off-path, its position (at depth \(l-1\)) does not correspond to the DPF index \((\alpha )_{l-1}\) of MS-DPF\(^+\) function \(f_l\); and similarly, neither of its children nodes are at position \((\alpha )_{l}\), and therefore they do not correspond to the DPF index of \(\widehat{f}_{l}\). Therefore, \(w^{\mathcal {P}_1}_{*} = w^{\mathcal {P}_2}_{*} = w^{\mathcal {P}_3}_{*}\) and \(\widehat{w}^{\mathcal {P}_1}_{\nu } =\widehat{w}^{\mathcal {P}_2}_{\nu } = \widehat{w}^{\mathcal {P}_3}_{\nu }\) (by definition of \(f_l\) and \(\widehat{f}_l\); see Step 2 of the Gen algorithm), and so we suppress player superscripts and write simply \(w_{*}\) and \(\widehat{w}_{\nu }\). Also, since \(\mu \) is off-path, the seeds on \(\mu \) satisfy invariant (2), and for convenience we will denote the three keys’ seeds on off-path parent node \(\mu \) as: \(\kappa ^{\mathcal {P}_1} = \{ a, b, c\}\), \(\kappa ^{\mathcal {P}_2} = \{ b, c, a\}\), \(\kappa ^{\mathcal {P}_3} = \{ c, a, b\}\). Finally, since \(\mu \) is off-path, so is \(\nu \) and its sibling, and thus by the invariant of (6), we have that \(\bigoplus _{\mathcal {P}} b^{\mathcal {P}}_{\nu } = 0\). Thus, there are four possibilities for the values of \((b^{\mathcal {P}_1}_{\nu }, b^{\mathcal {P}_2}_{\nu }, b^{\mathcal {P}_3}_{\nu })\): (0, 0, 0), (0, 1, 1), (1, 0, 1), or (1, 1, 0). We do a case-analysis just of the first two; the latter two are similar to the second:

$$\begin{aligned} \text {Case A.1: }\{b^{\mathcal {P}}_{\nu }\} = (0, 0, 0):&\qquad \begin{array}{r|c|c|c} &{} \kappa ^{\mathcal {P}_1} \;\text {(via (16))} &{} \kappa ^{\mathcal {P}_2} \;\text {(via (16))}&{} \kappa ^{\mathcal {P}_3} \;\text {(via (16))}\\ \hline &{} &{} &{} \\ x^{\mathcal {P}}_{\nu } &{} G_{*}(a) \oplus \widehat{w}_{\nu } &{} G_{*}(b) \oplus \widehat{w}_{\nu } &{} G_{*}(c) \oplus \widehat{w}_{\nu } \\ \hline &{} &{} &{} \\ y^{\mathcal {P}}_{\nu } &{} G_{*}(b) \oplus \widehat{w}_{\nu } &{} G_{*}(c) \oplus \widehat{w}_{\nu } &{} G_{*}(a) \oplus \widehat{w}_{\nu } \\ \hline &{} &{} &{} \\ z^{\mathcal {P}}_{\nu } &{} G_{*}(c) \oplus \widehat{w}_{\nu } &{} G_{*}(a) \oplus \widehat{w}_{\nu } &{} G_{*}(b) \oplus \widehat{w}_{\nu } \end{array} \\ \text {Case A.2: }\{b^{\mathcal {P}}_{\nu }\} = (0, 1, 1):&\qquad \begin{array}{r|c|c|c} &{} \kappa ^{\mathcal {P}_1} \;\text {(via (15))} &{} \kappa ^{\mathcal {P}_2} \;\text {(via (16))}&{} \kappa ^{\mathcal {P}_3} \;\text {(via (15))}\\ \hline &{} &{} &{} \\ x^{\mathcal {P}}_{\nu } &{} G_{*}(b) \oplus \widehat{w}_{\nu } &{} G_{*}(a) \oplus \widehat{w}_{\nu } &{} w_* \oplus \widehat{w}_{\nu } \\ \hline &{} &{} &{} \\ y^{\mathcal {P}}_{\nu } &{} G_{*}(a) \oplus \widehat{w}_{\nu } &{} w_* \oplus \widehat{w}_{\nu } &{} G_{*}(b) \oplus \widehat{w}_{\nu } \\ \hline &{} &{} &{} \\ z^{\mathcal {P}}_{\nu } &{} w_* \oplus \widehat{w}_{\nu } &{} G_{*}(b) \oplus \widehat{w}_{\nu } &{} G_{*}(a) \oplus \widehat{w}_{\nu } \end{array} \end{aligned}$$

\(\underline{\text {Case B: Parent } \mu \text { is on-path; } \nu \text { is on-path}}\). Because parent node \(\mu \) is on-path, its position (at depth \(l-1\)) corresponds to the DPF index \((\alpha )_{l-1}\) of MS-DPF\(^+\) function \(f_l\); and similarly \(\nu \) on-path means that its position is \((\alpha )_{l}\) which corresponds to the DPF index of \(\widehat{f}_{l}\). Therefore, \(w^{\mathcal {P}}_{*}\) follows (7) and \(\widehat{w}^{\mathcal {P}}_{\nu }\) follows (8):

$$\begin{aligned} w^{\mathcal {P}}_{*} = \left\{ \begin{array}{ll} {v}^{\mathcal {P}}_L = G_L(x^{\mathcal {P}_L}_{\mu }) \oplus q_l \oplus p_l \quad &{} \text {if }\nu \text { is the }{} \textit{left} \text { child} \\ {v}^{\mathcal {P}}_R = G_R(x^{\mathcal {P}_L}_{\mu }) \oplus q_l \oplus p_l \quad &{} \text {if } \nu \text { is the }{} \textit{right} \text { child} \end{array} \right. \end{aligned}$$

(27)

$$\begin{aligned} \widehat{w}^{\mathcal {P}}_{\nu } = \widehat{v}^{\mathcal {P}}_l = \left\{ \begin{array}{ll} p_l \;&{} \text {if }b^{\mathcal {P}}_{\nu } = 0 \\ q_l \;&{} \text {if }b^{\mathcal {P}}_{\nu } = 1 \end{array} \right. \end{aligned}$$

(28)

where \(\{p_l, q_l\}\) are uniform random values chosen for each level \(1 \le l \le \log (N)\), and we have used that, since \(\nu \) is on-path, then \(\alpha _l = 1\) (respectively \(\alpha _l = 0\)) when \(\nu \) is the left child (respectively right child) of \(\mu \). Also, since \(\mu \) is on-path, the seeds on \(\mu \) satisfy invariant (2), and for convenience we will denote the three keys’ seeds on on-path parent node \(\mu \) as: \(\kappa ^{\mathcal {P}_1} = \{ a, d, b\}\), \(\kappa ^{\mathcal {P}_2} = \{ b, d, c\}\), \(\kappa ^{\mathcal {P}_3} = \{ c, d, a\}\). Finally, since \(\nu \) is on-path, its sibling is off-path, and thus by the invariant of (6), we have that \(\bigoplus _{\mathcal {P}} b^{\mathcal {P}}_{\nu } = 0\). Thus, there are four possibilities for the values of \((b^{\mathcal {P}_1}_{\nu }, b^{\mathcal {P}_2}_{\nu }, b^{\mathcal {P}_3}_{\nu })\): (0, 0, 0), (0, 1, 1), (1, 0, 1), or (1, 1, 0). We do a case-analysis just of the first two; the latter two are similar to the second:

$$\begin{aligned} \text {Case B.1: }\{b^{\mathcal {P}}_{\nu }\} = (0, 0, 0):&\qquad \begin{array}{r|c|c|c} &{} \kappa ^{\mathcal {P}_1} \;\text {(via (16))} &{} \kappa ^{\mathcal {P}_2} \;\text {(via (16))}&{} \kappa ^{\mathcal {P}_3} \;\text {(via (16))}\\ \hline &{} &{} &{} \\ x^{\mathcal {P}}_{\nu } &{} G_{*}(a) \oplus p_l &{} G_{*}(b) \oplus p_l &{} G_{*}(c) \oplus p_l \\ \hline &{} &{} &{} \\ y^{\mathcal {P}}_{\nu } &{} G_{*}(d) \oplus p_l &{} G_{*}(d) \oplus p_l &{} G_{*}(d) \oplus p_l \\ \hline &{} &{} &{} \\ z^{\mathcal {P}}_{\nu } &{} G_{*}(b) \oplus p_l &{} G_{*}(c) \oplus p_l &{} G_{*}(a) \oplus p_l \end{array} \\ \text {Case B.2: }\{b^{\mathcal {P}}_{\nu }\} = (0, 1, 1):&\qquad \begin{array}{r|c|c|c} &{} \kappa ^{\mathcal {P}_1} \;\text {(via (15))} &{} \kappa ^{\mathcal {P}_2} \;\text {(via (16))}&{} \kappa ^{\mathcal {P}_3} \;\text {(via (15))}\\ \hline &{} &{} &{} \\ x^{\mathcal {P}}_{\nu } &{} G_{*}(d) \oplus q_l &{} G_{*}(c) \oplus p_l &{} G_{*}(b) \oplus p_l \\ \hline &{} &{} &{} \\ y^{\mathcal {P}}_{\nu } &{} G_{*}(a) \oplus q_l &{} G_{*}(a) \oplus q_l &{} G_{*}(a) \oplus q_l \\ \hline &{} &{} &{} \\ z^{\mathcal {P}}_{\nu } &{} G_{*}(c) \oplus p_l &{} G_{*}(b) \oplus p_l &{} G_{*}(d) \oplus q_l \end{array} \end{aligned}$$

\(\underline{\text {Case C:} \mu \text { is on-path, } \nu \text { is off-path}}\). Because parent node \(\mu \) is on-path, its position (at depth \(l-1\)) corresponds to the DPF index \((\alpha )_{l-1}\) of MS-DPF\(^+\) function \(f_l\); and similarly \(\nu \) off-path means that its position is does not correspond to \((\alpha )_l\), the DPF index of \(\widehat{f}_{l}\). Therefore, \(\widehat{w}^{\mathcal {P}_1}_{\nu } =\widehat{w}^{\mathcal {P}_2}_{\nu } = \widehat{w}^{\mathcal {P}_3}_{\nu }\) (by definition of \(\widehat{f}_l\); see Step 2 of the Gen algorithm), and so we suppress player superscripts and write simply \(\widehat{w}_{\nu }\). Meanwhile, per (7) we have that \(w^{\mathcal {P}}_{*} = {v}^{\mathcal {P}}_L = G_L(x^{\mathcal {P}_L}_{\mu })\) if \(\nu \) is the left child, and otherwise \(w^{\mathcal {P}}_{*} = {v}^{\mathcal {P}}_R = G_R(x^{\mathcal {P}_L}_{\mu })\), since \(\nu \) is off-path and parent \(\mu \) is on-path, then \(\alpha _l = 1\) (respectively \(\alpha _l = 0\)) when \(\nu \) is the left child (respectively right child) of \(\mu \). Also, since \(\mu \) is on-path, the seeds on \(\mu \) satisfy invariant (2), and for convenience we will denote the three keys’ seeds as above. Finally, since \(\nu \) is off-path but parent node \(\mu \) is on-path, the sibling of \(\nu \) must be on-path, and thus by the invariant of (6), we have that \(\bigoplus _{\mathcal {P}} b^{\mathcal {P}}_{\nu } = 1\). Thus, there are four possibilities for the values of \((b^{\mathcal {P}_1}_{\nu }, b^{\mathcal {P}_2}_{\nu }, b^{\mathcal {P}_3}_{\nu })\): (1, 1, 1), (0, 0, 1), (0, 1, 0), or (1, 0, 0). We do a case-analysis just of the first two; the latter two are similar to the second:

$$\begin{aligned} \text {Case C.1: }\{b^{\mathcal {P}}_{\nu }\} = (1, 1, 1):&\qquad \begin{array}{r|c|c|c} &{} \kappa ^{\mathcal {P}_1} \;\text {(via (16))} &{} \kappa ^{\mathcal {P}_2} \;\text {(via (16))}&{} \kappa ^{\mathcal {P}_3} \;\text {(via (16))}\\ \hline &{} &{} &{} \\ x^{\mathcal {P}}_{\nu } &{} G_{*}(b) \oplus \widehat{w}_{\nu } &{} G_{*}(c) \oplus \widehat{w}_{\nu } &{} G_{*}(a) \oplus \widehat{w}_{\nu } \\ \hline &{} &{} &{} \\ y^{\mathcal {P}}_{\nu } &{} G_{*}(c) \oplus \widehat{w}_{\nu } &{} G_{*}(a) \oplus \widehat{w}_{\nu } &{} G_{*}(b) \oplus \widehat{w}_{\nu } \\ \hline &{} &{} &{} \\ z^{\mathcal {P}}_{\nu } &{} G_{*}(a) \oplus \widehat{w}_{\nu } &{} G_{*}(b) \oplus \widehat{w}_{\nu } &{} G_{*}(c) \oplus \widehat{w}_{\nu } \end{array} \\ \text {Case C.2: }\{b^{\mathcal {P}}_{\nu }\} = (0, 0, 1):&\qquad \begin{array}{r|c|c|c} &{} \kappa ^{\mathcal {P}_1} \;\text {(via (16))} &{} \kappa ^{\mathcal {P}_2} \;\text {(via (15))}&{} \kappa ^{\mathcal {P}_3} \;\text {(via (15))}\\ \hline &{} &{} &{} \\ x^{\mathcal {P}}_{\nu } &{} G_{*}(a) \oplus \widehat{w}_{\nu } &{} G_{*}(d) \oplus \widehat{w}_{\nu } &{} G_{*}(b) \oplus \widehat{w}_{\nu } \\ \hline &{} &{} &{} \\ y^{\mathcal {P}}_{\nu } &{} G_{*}(d) \oplus \widehat{w}_{\nu } &{} G_{*}(b) \oplus \widehat{w}_{\nu } &{} G_{*}(a) \oplus \widehat{w}_{\nu } \\ \hline &{} &{} &{} \\ z^{\mathcal {P}}_{\nu } &{} G_{*}(b) \oplus \widehat{w}_{\nu } &{} G_{*}(a) \oplus \widehat{w}_{\nu } &{} G_{*}(d) \oplus \widehat{w}_{\nu } \end{array} \end{aligned}$$

.

The argument for this case is essentially identical to Case 1, making the symmetric replacements of \(H_L \rightarrow H_R\), \(r_l \rightarrow s_l\), and \(t_l \rightarrow u_l\). Details are provided in the full version.    \(\square \)