Hash which can be used to verify one of multiple inputs?

Question

Is there a hash function H1 which, when given inputs a, b, etc., produces output Z, and an H2 which can verify any one of a, b, etc. when given Z like this:

H1(a, b) => Z
H2(Z, a) => true
H2(Z, b) => true
H2(Z, c) => false

And where Z is (currently thought to be) cryptographically secure (i.e., modifying Z in any knowable way makes H2 return false for any of the provided inputs)?

Edit: An additional condition which I forgot to articulate originally. a cannot be derived from b and Z, and b from a and Z. Without this condition, we can just use Shamir's Secret Sharing, with a k value of 1, a randomly generated secret Z and a, b, etc are our n values.

Answer 1

What you are looking for reminds me of one-way accumulator functions [1]. Basically, a one-way accumulator permits to prove the membership of an element $x$ to a set $S$ without revealing the actual members of the set. See for example this definition from [2]:

The most common form of one-way accumulator is defined by starting with a “seed” value $y_0$, which signifies the empty set, and then defining the accumulation value incrementally from $y_0$ for a set of elements $S = \{x_1,···,x_n\}$, so that $y_i = f(y_{i−1},x_i)$, where $f$ is a one-way function whose final value does not depend on the order of the $x_i$'s. [...] Because of the commutative nature of $f$ , a source can digitally sign the value of $y_n$ so as to enable a third party to produce a short proof for any element $x_i$ belonging to $S$ [...]. A well-known example of a one-way accumulator function $f$ is the exponential accumulator $exp(y,x) = y^x \mod N$, for suitably-chosen values of the seed $y_0$ and modulus $N$. In particular, choosing $N = pq$ for two strong primes $p$ and $q$ makes the accumulator function $exp$ as difficult to break as RSA cryptography [1].

Update: Let's see an example using the $exp$ function defined above. Suppose $a$, $b$, and $c$ are inputs, and that $y_0$ and $N$ are chosen properly. Then the accumulator algorithm $H_1$ will do the following:

1. Compute $s = a \cdot b \cdot c$ and $y = exp(y,s) = y_0^s = y_0^{abc}$
2. For each element $i$ in the input, compute $y_i = exp(y,1/i) = y^{1/i}$. For example, $y_a = y_0^{bc}$.
3. Output $z = (y,y_a,y_b,y_c)$.

Now, if you want to check if some element $x$ belongs to the original collection, you just have to check if for any of the partial results $y_i$, the equation $y = exp(y_i,x)$ holds. For example, if you try with $a$, then equation $y = exp(y_a,a)$ holds, since $exp(y_a,a) = (y_a)^a = (y_0^{bc})^a = y_0^{abc} = y$. On the contraty, if you try with $d$ different to $a$, $b$ and $c$, then none of the equations hold.

The problem with this solution is that output $z$ grows linearly with the size of the set of members.

---

References:

[1] Benaloh, J., & De Mare, M. (1994, January). One-way accumulators: A decentralized alternative to digital signatures. In Advances in Cryptology—EUROCRYPT’93 (pp. 274-285)

[2] Goodrich, M. T., Tamassia, R., & Hasić, J. (2002). An Efficient Dynamic and Distributed Cryptographic Accumulator*. In Information Security (pp. 372-388).

Answer 2

I can propose this (just invented it on paper): ($h$ is some hash function, like SHA1, $||$ is concatenation, $+$ is usual sum (xor is ok too)):

H1(a, b) = (h(a) + h(b)) || h(h(a)) || h(h(b))

For H2, either from $a$ or from $b$ we can derive the all $h(a), h(h(a)), h(b), h(h(b))$ and check the hash.

Also, if we assume that input pair is not ordered, to avoid trivial forgery by swapping $h(h(a))$ and $h(h(b))$ we may force order on them (e.g. force $h(a) \le h(b)$, so that $H1(a, b) = H1(b, a)$).

Intuition about security: from $h(h(a))$ one can't derive information about $h(a)$ (same for $b$). So attacker can't replace any of $h(a)$ or $h(b)$ in the sum with his hash.

UPDATE: I realized it has a simple flaw. Given $H1(a,b),H1(b,c),H1(a,c)$ we can easily get (from sums) $h(a),h(b),h(c)$ and use them to make hashes.

Answer 3

Alternatively, let $H$ be a hash function (in the ordinary sense) from the input space to $[0,2^N)$ for some $N$, and for $0 \leq x < 2^N$ let $f(x)$ be the smallest prime greater than $2^N + x$. (Here $N$ is determined by the security parameter. You can have 'probable prime' instead, where the precise definition of that will also depend on the security parameter.) Then let $H_1(a,b) = f(H(a)) \cdot f(H(b))$, and let $H_2(Z,a)$ be true iff. $f(H(a))$ divides $Z$.

Again, this suffers from the drawback that the image space grows linearly with the number of inputs.