one-way functions david lagakos yutao zhong april 2, 2001

Post on 01-Apr-2015


One-Way Functions

David Lagakos

Yutao Zhong

April 2, 2001

Topics

• What are one-way functions?
• Do they exist?
• One-to-one one-way functions
• “Spiffy” one-way functions
• An application to cryptography

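Honesty

Def: We say a (possibly nontotal) function $f: \Sigma^* \to \Sigma^*$ is honest if

$(\exists \text{ polynomial } q)(\forall y \in \mathrm{range}(f))(\exists x)[\,|x| \le q(|y|) \text{ and } f(x) = y\,]$.

[Slide figure: two example functions, f1 and f2. Diagram labels: 10, 1, 1010011, 01, 0, 1. Case definition shown: 0n if |x|=2n for some n; 1 otherwise.]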

Polynomial-time Invertibility

Def: A (possibly nontotal) function $f: \Sigma^* \to \Sigma^*$ is polynomial-time invertible if

$(\exists \text{ polynomial-time computable function } g)(\forall y \in \mathrm{range}(f))$:

1. $y \in \mathrm{domain}(g)$, $g(y) \in \mathrm{domain}(f)$, and
2. $f(g(y)) = y$.

$f_3(x) = \lceil \log(\log(\log(\max(|x|, 4)))) \rceil$

Definition of a One-way Function

A (possibly nontotal) function $f: \Sigma^* \to \Sigma^*$ is one-way if:

1. f is polynomial-time computable,
2. f is NOT polynomial-time invertible, and
3. f is honest.

A One-way Function ‘Candidate’

Given primes p and q:

$f(p, q) = pq$

(Note that primality can be verified quickly.)

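Do one-way functions exist?

Theorem: One-way functions exist $\iff \mathrm{P} \neq \mathrm{NP}$.

Proof ($\Leftarrow$):

$A \in \mathrm{NP} - \mathrm{P}$, $N$ is a NPTM s.t. $L(N) = A$.

$p$ polynomial bounding the runtime of $N$.

$\langle \cdot, \cdot \rangle$ is a "nice" pairing function $\Sigma^* \times \Sigma^* \to \Sigma^*$.

Let $f$ map $\Sigma^* \to \Sigma^*$ as follows:

$f(\langle x, w \rangle)$ outputs $0x$ if $w$ is an accepting path of $N(x)$,
outputs $1x$ if $w$ is NOT an accepting path of $N(x)$.

Claim: $f$ is one-way.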

f is not polynomial time invertible:

Claim: $A \in \mathrm{NP} - \mathrm{P}$.

Assume $g$ inverts $f$ (in polynomial time).

Then we can show $A \in \mathrm{P}$:

"On input $y$, if $0y \notin \mathrm{domain}(g)$ then REJECT.
Otherwise interpret $g(0y)$ as a pair $\langle y', w' \rangle$.
If $y' = y$ and $w'$ is an accepting path for $N(y)$ then ACCEPT; else REJECT."

But $A \notin \mathrm{P}$! $f$ is not p-time invertible. (QED)

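Proof ($\Rightarrow$):

$f$ is a one-way function.

$q$ is the honesty polynomial for $f$.

$A = \{\langle z, \mathit{pre} \rangle \mid (\exists y)[\,|\mathit{pre}| + |y| \le q(|z|) \text{ and } f(\mathit{pre}\,y) = z\,]\}$

(so $f(101001100) = z \Rightarrow \langle z, 10 \rangle, \langle z, 1010011 \rangle, \text{etc.} \in A$)

$A \notin \mathrm{P}$

$A = \{\langle z, \mathit{pre} \rangle \mid (\exists y)[\,|\mathit{pre}| + |y| \le q(|z|) \text{ and } f(\mathit{pre}\,y) = z\,]\}$

If it were, we could invert $f$ (in polynomial time) using a prefix search:

Ask: "$\langle z, \epsilon \rangle \in A$?" If not, we're done.
If so, ask "$f(\epsilon) = z$?" If so, we have inverted z.
If not, ask "$\langle z, 1 \rangle \in A$?" and "$\langle z, 0 \rangle \in A$?" etc.

Each "round" of questions yields one bit.

Inverses are of length at most $q(|z|)$. (QED)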
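The prefix search above, as an added example that is not part of the original slides. The toy function `f`, its honesty polynomial `q` and the brute-force `in_A` are assumptions: `f` is easy to invert, and the exhaustive `in_A` only stands in for the hypothetical polynomial-time decider for A, so that the number of questions asked can be counted.

```python
from itertools import product

def f(x):
    """Toy honest function on bitstrings (assumption; NOT one-way):
    x -> binary of int('1' + x)^2. Every z in range(f) has |x| <= |z|."""
    return format(int("1" + x, 2) ** 2, "b")

def q(n):
    """Honesty polynomial for the toy f."""
    return n

def in_A(z, pre):
    """Membership in A = {<z,pre> | (exists y)[|pre|+|y| <= q(|z|) and f(pre y) = z]}.
    Brute force stands in for the hypothetical polynomial-time decider."""
    budget = q(len(z)) - len(pre)
    return any(f(pre + "".join(y)) == z
               for n in range(budget + 1) for y in product("01", repeat=n))

def prefix_search_invert(z):
    """Return (preimage or None, number of questions put to the A-decider)."""
    asked = 0

    def ask(pre):
        nonlocal asked
        asked += 1
        return in_A(z, pre)

    pre = ""
    if not ask(pre):                 # "<z, epsilon> in A?"  no: z has no short preimage
        return None, asked
    while f(pre) != z:               # "f(pre) = z?"  yes: z is inverted
        # <z,pre> is in A and f(pre) != z, so pre0 or pre1 extends to a preimage.
        # One question settles which, and the round yields one bit.
        pre += "0" if ask(pre + "0") else "1"
    return pre, asked
```

The loop asks at most 1 + q(|z|) questions, so a polynomial-time decider for A would give a polynomial-time inverter for f.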

“Sister” Theorem

Theorem: One-to-one one-way functions exist $\iff \mathrm{P} \neq \mathrm{UP}$.

Def: A language L is in UP if there is a NPTM N such that:

1. $(\forall x \in L)[N(x) \text{ has exactly one accepting path}]$, and
2. $(\forall x \notin L)[N(x) \text{ has no accepting paths}]$.

“Spiffy” one-way functions

Motivation: cryptography

Properties:
• 2-ary one-way
• Strongly noninvertible
• Total
• Commutative
• Associative

Claim: One-way function exists iff “spiffy” one-way function exists

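Definitions for 2-ary functions

2-ary function $f: \Sigma^* \times \Sigma^* \to \Sigma^*$

f is honest if

$(\exists \text{ polynomial } q)(\forall y \in \mathrm{range}(f))(\exists x, x')[\,|x| + |x'| \le q(|y|) \text{ and } f(x, x') = y\,]$

f is (polynomial-time) invertible if

$(\exists \text{ polynomial-time computable function } g)(\forall y \in \mathrm{range}(f))$:

1. $y \in \mathrm{domain}(g)$
2. $(\mathrm{first}(g(y)), \mathrm{second}(g(y))) \in \mathrm{domain}(f)$
3. $f(\mathrm{first}(g(y)), \mathrm{second}(g(y))) = y$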

2-ary One-way functions

Def: $f: \Sigma^* \times \Sigma^* \to \Sigma^*$ is one-way if

1. f is polynomial-time computable
2. f is NOT polynomial-time invertible
3. f is honest

Strong Noninvertibility

Def: $f: \Sigma^* \times \Sigma^* \to \Sigma^*$ is strongly (polynomial-time) noninvertible if

• it is s-honest
• given the output and even one of the inputs, the other input cannot in general be computed in polynomial time

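“S-Honesty”

Def: A function $f: \Sigma^* \times \Sigma^* \to \Sigma^*$ is s-honest if

1. $(\exists \text{ polynomial } q)(\forall y, a : (\exists b)[f(a,b) = y])(\exists b')[\,|b'| \le q(|y| + |a|) \text{ and } f(a, b') = y\,]$
2. $(\exists \text{ polynomial } q)(\forall y, b : (\exists a)[f(a,b) = y])(\exists a')[\,|a'| \le q(|y| + |b|) \text{ and } f(a', b) = y\,]$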


Associativity & Commutativity

Def: total function $f: \Sigma^* \times \Sigma^* \to \Sigma^*$ is associative if

$(\forall x, y, z)[f(f(x,y), z) = f(x, f(y,z))]$

Def: total function $f: \Sigma^* \times \Sigma^* \to \Sigma^*$ is commutative if

$(\forall x, y)[f(x,y) = f(y,x)]$

Theorem

One-way functions exist if and only if strongly noninvertible, total, commutative, associative, 2-ary one-way functions exist.

Proposition

The following are equivalent:

1. One-way functions exist
2. 2-ary one-way functions exist
3. $\mathrm{P} \neq \mathrm{NP}$

(2) $\Rightarrow$ (1): $g(z) = f(\mathrm{first}(z), \mathrm{second}(z))$

strongly non-invertible, commutative, associative, 2-ary one-way function exists

Proof:

each computation path of N(x) has exactly p(|x|) bits ( p(n) > n )

W(x): the set of all witnesses for x

NPTM $N$: $L(N) \in \mathrm{NP} - \mathrm{P}$

$\mathrm{P} \neq \mathrm{NP}$

$\mathrm{P} \neq \mathrm{NP}$

)NL(L(N):N NPTM

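$x \in L(N) \iff W(x) \neq \emptyset$

(Proof):

strongly noninvertible, one-way, commutative, associative

$$f(u,v) = \begin{cases} \langle x, \min(w_1, w_2) \rangle & \text{if } u = \langle x, w_1 \rangle \wedge v = \langle x, w_2 \rangle \wedge \{w_1, w_2\} \subseteq W(x) \\ \langle x, x \rangle & \text{if } (\exists w \in W(x))[\{u, v\} = \{\langle x, x \rangle, \langle x, w \rangle\}] \\ \langle t, t1 \rangle & \text{otherwise} \end{cases}$$

$t$: fixed string, $t \notin L(N)$

Claim: f is the function we need

(Proof): (cont'd)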

An Application to Cryptography

[Slide figure: key agreement between Alice and Bob, observed by Eve. Labels in the figure: x,y; y, f(x,y); z; f(y,z); f(x,f(y,z)); f(f(x,y),z).]
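The construction of f(u,v) from the proof and the Alice/Bob exchange, as an added example that is not part of the original slides. Pairs are modelled as Python tuples, and the witness relation `W` (nontrivial divisors of the number x encodes) is a toy assumption chosen so the checks can run exhaustively; it is not hard to invert. The exchange assumes the usual reading of the figure: Alice holds x, y and sends y, f(x,y); Bob holds z and replies f(y,z).

```python
from itertools import product

def W(x):
    """Witness set of a toy verifier (assumption): x encodes n, and a witness
    is the (|x|+1)-bit encoding of a nontrivial divisor of n, so |w| > |x|."""
    n, width = int(x, 2), len(x) + 1
    return {format(d, f"0{width}b") for d in range(2, n) if n % d == 0}

T = "11"                 # fixed string t not in L(N): 3 has no nontrivial divisor
GARBAGE = (T, T + "1")   # the <t, t1> output of the "otherwise" case

def f(u, v):
    """The slide's f(u, v), with pairs <a, b> as tuples of bitstrings."""
    (x, a), (x2, b) = u, v
    if x == x2:
        wit = W(x)
        if a in wit and b in wit:
            return (x, min(a, b))        # <x, min(w1, w2)>
        if (a == x and b in wit) or (b == x and a in wit):
            return (x, x)                # {u, v} = {<x,x>, <x,w>}
    return GARBAGE                       # <t, t1> otherwise

def bitstrings(n):
    return ["".join(bits) for bits in product("01", repeat=n)]

def universe(xs):
    """All pairs <x,x> and <x,w> with |w| = |x|+1 for the given x values."""
    return [(x, x) for x in xs] + [(x, w) for x in xs for w in bitstrings(len(x) + 1)]

def is_commutative(U):
    return all(f(u, v) == f(v, u) for u in U for v in U)

def is_associative(U):
    return all(f(f(u, v), w) == f(u, f(v, w)) for u in U for v in U for w in U)

def agree_key(x, y, z):
    """Alice holds x, y; Bob holds z. Returns (Alice's key, Bob's key, Eve's view)."""
    to_bob = (y, f(x, y))                # Alice -> Bob: y, f(x,y)
    to_alice = f(y, z)                   # Bob -> Alice: f(y,z)
    alice_key = f(x, to_alice)           # f(x, f(y,z))
    bob_key = f(to_bob[1], z)            # f(f(x,y), z)
    return alice_key, bob_key, (to_bob, to_alice)
```

Associativity is what makes the two keys equal; strong noninvertibility is what is meant to keep Eve from recovering x or z from y, f(x,y) and f(y,z).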

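Using the Secret Key

$m'_i = m_i \oplus k_i$

$m'_i \oplus k_i = m_i$

[Slide figure: Alice and Bob share k = 010011011. One side holds m = 110101010 and k = 010011011 and computes m’ = 100110001; m’ = 100110001 is transmitted; the other side holds m’ = 100110001 and k = 010011011 and recovers m = 110101010.]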

Conclusions

One-way functions are easy to compute and hard to invert.

Proving that one-way functions exist is the same as proving that P and NP are different.

Special types of one-way functions, like “Spiffy” one-way functions, can have quite useful applications in cryptography.
