In trying to cook up a toy/reference implementation of a Lamport signature, I've run into the following puzzle:
The author requires, to generate a signature, a one-way function $G:M\to \binom{\{1, \cdots, n'\}}{n''}$; that is, to map messages to $n''$-element subsets of the user's $n'$-element key.
The author himself only bothered to propose an awkward partial function based on iterative integer division with few usefulness guarantees
Other implementers have proposed functions that constrain $n'=2n''$ and use each bit of an $n:=n''$-bit digest of the message to select from each pair of elements $(k_{2i-1}, k_{2i})$ of the user's key
However, I'm wondering if there is a bijective function that exists for this (likely imposing a different constraint on the values of $n'$ and $n''$). The author himself "hope[s] that someone can find a more elegant method" for this mapping.
So if there are exactly $\binom{n'}{n''}$ possible signatures that might be produced—which are $n''$-element subsets of an $n'$-element Lamport key—and we assume that $G$ will be constructed from an existing $n$-bit cryptographic hash function $\phi_n$—which will have a range of $\left\{0,1\right\}^n$—I suppose the question of whether any bijective construction of $G$ from $\phi_n$ exists reduces to the question of whether any natural-number solutions to this exist:
$$2^n=\binom{n'}{n''}$$
Wolfram Alpha suggests some trivial, small solutions (such as $(3,8,7)$) but I'm unclear whether solutions to this exist with the following criteria-
at the scale of cryptographic usefulness ($n\sim256$)
nontrivially ($n'-n''>1,n''>1$)
Do any such solutions exist? What are some examples, or a canonical example? (Have I even proposed the right equation?—If not, ditto the above, but for the appropriate equation for the case of constructing $G$ for a Lamport signature.)
