One-Way Functions
David Lagakos
Yutao Zhong
April 2, 2001

Topics
• What are one-way functions?
• Do they exist?
• One-to-one one-way functions
• “Spiffy” one-way functions
• An application to cryptography

Honesty
Def: We say a (possibly nontotal) function $f: \Sigma^* \to \Sigma^*$ is honest if
$(\exists \text{ polynomial } q)(\forall y \in \text{range}(f))(\exists x)[\,|x| \le q(|y|) \text{ and } f(x) = y\,]$.
[Figure: examples $f_1$ and $f_2$; surviving labels: 10, 1, 1010011, 01, 0, 1, “0n if |x|=2n for some n”, “1 otherwise”]

Polynomial-time Invertibility
Def: A (possibly nontotal) function $f: \Sigma^* \to \Sigma^*$ is polynomial-time invertible if
$(\exists \text{ polynomial-time computable function } g)(\forall y \in \text{range}(f))$:
1. $y \in \text{domain}(g)$, $g(y) \in \text{domain}(f)$, and
2. $f(g(y)) = y$.
f3(x) = ceiling(log(log(log(max(|x|,4)))))

Definition of a One-way Function
A (possibly nontotal) function $f: \Sigma^* \to \Sigma^*$ is one-way if:
1. $f$ is polynomial-time computable,
2. $f$ is NOT polynomial-time invertible, and
3. $f$ is honest.

A One-way Function ‘Candidate’
Given primes $p$ and $q$:
$f(p, q) = pq$
(Note that primality can be verified quickly.)

Do one-way functions exist?
Theorem:
One-way functions exist $\Leftrightarrow$ $P \neq NP$

Proof ($\Leftarrow$):
$A \in NP - P$, $N$ is an NPTM s.t. $L(N) = A$.
$p$ polynomial bounding the runtime of $N$.
$\langle \cdot, \cdot \rangle$ is a “nice” pairing function $\Sigma^* \times \Sigma^* \to \Sigma^*$.
Let $f$ map $\Sigma^* \to \Sigma^*$ as follows:
$f(\langle x, w \rangle)$ outputs $0x$ if $w$ is an accepting path of $N(x)$,
outputs $1x$ if $w$ is NOT an accepting path of $N(x)$.
Claim: $f$ is one-way.

$f$ is not polynomial time invertible:
Assume $g$ inverts $f$ (in polynomial time).
Then we can show $A \in P$:
“On input $y$, if $0y \notin \text{domain}(g)$ then REJECT.
Otherwise interpret $g(0y)$ as a pair $\langle y', w' \rangle$.
If $y' = y$ and $w'$ is an accepting path
for $N(y)$ then ACCEPT;
else REJECT.”
But $A \notin P$! $f$ is not p-time invertible. (QED)

Proof ($\Rightarrow$):
$f$ is a one-way function.
$q$ is the honesty polynomial for $f$.
$A = \{\langle z, pre \rangle \mid (\exists y)[\,|pre| + |y| \le q(|z|) \text{ and } f(pre \cdot y) = z\,]\}$
(so $f(101001100) = z \Rightarrow \langle z, 10 \rangle, \langle z, 1010011 \rangle, \text{etc.} \in A$)
Claim: $A \in NP - P$.

$A \notin P$
$A = \{\langle z, pre \rangle \mid (\exists y)[\,|pre| + |y| \le q(|z|) \text{ and } f(pre \cdot y) = z\,]\}$
If it were, we could invert $f$ (in polynomial time)
using a prefix search:
Ask: “$\langle z, \epsilon \rangle \in A$?” If not, we're done.
If so, ask “$f(\epsilon) = z$?” If so, we have inverted $z$.
If not, ask “$\langle z, 0 \rangle \in A$?” and “$\langle z, 1 \rangle \in A$?” etc.
Each “round” of questions yields one bit.
Inverses are of length at most $q(|z|)$. (QED)
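
The prefix search on this slide, as an added Python example that is not part of the original slides. The toy `f` (multiply the two halves of a bit string), its honesty polynomial `q(n) = 2n`, and the brute-force `in_A` that stands in for the assumed polynomial-time decider of A are all assumptions made for illustration.

```python
from itertools import product

def f(s):
    """Toy f (assumption): split an even-length bit string in half and
    multiply the halves as integers. Partial: None where undefined."""
    if len(s) == 0 or len(s) % 2:
        return None
    h = len(s) // 2
    return format(int(s[:h], 2) * int(s[h:], 2), "b")

def q(n):
    return 2 * n  # honesty polynomial of the toy f (assumption)

def in_A(z, pre):
    """Is <z, pre> in A? Brute force over every suffix y with
    |pre| + |y| <= q(|z|). Exponential: it only stands in for the
    polynomial-time decider that 'A in P' would provide."""
    for n in range(q(len(z)) - len(pre) + 1):
        for bits in product("01", repeat=n):
            if f(pre + "".join(bits)) == z:
                return True
    return False

def invert(z, oracle=in_A):
    """Prefix search: returns (preimage or None, number of A-queries)."""
    queries = 0

    def ask(pre):
        nonlocal queries
        queries += 1
        return oracle(z, pre)

    if not ask(""):
        return None, queries            # z is not in range(f): done
    pre = ""
    while f(pre) != z:                  # "f(pre) = z?" is computed directly
        # One round fixes one bit. <z, pre> is in A and f(pre) != z, so
        # if <z, pre0> is not in A then <z, pre1> must be.
        pre += "0" if ask(pre + "0") else "1"
    return pre, queries

if __name__ == "__main__":
    print(invert("1111"))   # 15 in binary
    print(invert("0111"))   # leading zero: never an output of f
```

The inverter itself makes at most 1 + q(|z|) queries, one per bit of the preimage plus the initial membership check; all exponential work sits inside the stand-in oracle.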

“Sister” Theorem
Def: A language $L$ is in UP if there is an NPTM $N$
such that:
1. $(\forall x \in L)[N(x) \text{ has exactly one accepting path}]$, and
2. $(\forall x \notin L)[N(x) \text{ has no accepting paths}]$.
Theorem: One-to-one one-way functions exist $\Leftrightarrow$ $P \neq UP$

“Spiffy” one-way functions
Motivation: cryptography
Properties
• 2-ary one-way ($\Sigma^* \times \Sigma^* \to \Sigma^*$)
• Strongly noninvertible
• Total
• Commutative
• Associative
Claim:
One-way function exists iff “spiffy” one-way function exists

Definitions for 2-ary functions
2-ary function $f: \Sigma^* \times \Sigma^* \to \Sigma^*$
f is honest if
$(\exists \text{ polynomial } q)(\forall y \in \text{range}(f))(\exists x, x')[\,|x| + |x'| \le q(|y|) \text{ and } f(x, x') = y\,]$
f is (polynomial-time) invertible if
$(\exists \text{ polynomial-time computable function } g)(\forall y \in \text{range}(f))$:
1. $y \in \text{domain}(g)$
2. $(\text{first}(g(y)), \text{second}(g(y))) \in \text{domain}(f)$
3. $f(\text{first}(g(y)), \text{second}(g(y))) = y$

2-ary One-way functions
Def: $f: \Sigma^* \times \Sigma^* \to \Sigma^*$ is one-way if
1. f is polynomial-time computable
2. f is NOT polynomial-time invertible
3. f is honest

Strong Noninvertibility
Def: $f: \Sigma^* \times \Sigma^* \to \Sigma^*$ is strongly (polynomial-time) noninvertible if
• it is s-honest
• given the output and even one of the inputs, the other input cannot in general be computed in polynomial time

“S-Honesty”
Def: A function $f: \Sigma^* \times \Sigma^* \to \Sigma^*$ is s-honest if
1. $(\exists \text{ polynomial } q)(\forall y, a : (\exists b)[f(a,b) = y])(\exists b')[\,|b'| \le q(|y| + |a|) \text{ and } f(a, b') = y\,]$
2. $(\exists \text{ polynomial } q)(\forall y, b : (\exists a)[f(a,b) = y])(\exists a')[\,|a'| \le q(|y| + |b|) \text{ and } f(a', b) = y\,]$

Associativity & Commutativity
Def: total function $f: \Sigma^* \times \Sigma^* \to \Sigma^*$ is associative if
$(\forall x, y, z)[f(f(x,y), z) = f(x, f(y,z))]$
Def: total function $f: \Sigma^* \times \Sigma^* \to \Sigma^*$ is commutative if
$(\forall x, y)[f(x,y) = f(y,x)]$

Theorem
One-way functions exist if and only if strongly noninvertible, total, commutative, associative, 2-ary one-way functions exist.

Proposition
The following are equivalent:
1. One-way functions exist
2. 2-ary one-way functions exist
3. $P \neq NP$
(1)(2): $g(z) = f(\text{first}(z), \text{second}(z))$

Proof ($\Rightarrow$):
$P \neq NP \Rightarrow$ strongly non-invertible, commutative, associative, 2-ary one-way function exists
Proof:
$P \neq NP$
NPTM $N$: $L(N) \in NP - P$
NPTM N: L(N) L(N)
each computation path of $N(x)$ has exactly $p(|x|)$ bits ($p(n) > n$)
$W(x)$: the set of all witnesses for $x$
$x \in L(N) \Leftrightarrow W(x) \neq \emptyset$

Proof ($\Rightarrow$) (cont'd):
$t$: fixed string, $t \notin L(N)$
$$f(u,v) = \begin{cases} \langle x, \min(w_1, w_2) \rangle & \text{if } u = \langle x, w_1 \rangle,\ v = \langle x, w_2 \rangle,\ \{w_1, w_2\} \subseteq W(x) \\ \langle x, x \rangle & \text{if } (\exists w \in W(x))[\{u, v\} = \{\langle x, x \rangle, \langle x, w \rangle\}] \\ \langle t, t1 \rangle & \text{otherwise} \end{cases}$$
Claim: f is the function we need
• strongly noninvertible
• one-way
• commutative
• associative

An Application to Cryptography
[Diagram: Alice, Bob and Eve. Labels: x, y; y, f(x,y); z; f(y,z); f(x, f(y,z)); f(f(x,y), z)]
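
The function f defined on the proof slides and the exchange in the diagram above, as an added Python example that is not part of the original slides. Assumptions: the toy witness relation `is_witness` standing in for the NPTM N (with p(n) = n + 1), the fixed string t = 111, pairs modelled as tuples, and the reading of the diagram in which Alice holds x, y and Bob holds z.

```python
from itertools import product

# Toy stand-in for N (assumption): w is a witness for x when
# |w| = |x| + 1 and w contains exactly int(x, 2) ones.
def is_witness(x, w):
    return len(w) == len(x) + 1 and w.count("1") == int(x, 2)

T = "111"               # fixed t not in L(N): no 4-bit string has 7 ones
BOTTOM = (T, T + "1")   # the <t, t1> value of the "otherwise" case

def f(u, v):
    """The slide's f on pairs <x, s>, modelled as Python tuples."""
    (x, a), (x2, b) = u, v
    if x == x2:
        if is_witness(x, a) and is_witness(x, b):
            return (x, min(a, b))            # <x, min(w1, w2)>
        if (a == x and is_witness(x, b)) or (b == x and is_witness(x, a)):
            return (x, x)                    # {u, v} = {<x,x>, <x,w>}
    return BOTTOM                            # <t, t1> otherwise

def small_domain():
    """Every <x, s> with x in {01, 10, 111} and |s| in {|x|, |x| + 1}."""
    dom = []
    for x in ("01", "10", T):
        for n in (len(x), len(x) + 1):
            dom += [(x, "".join(bits)) for bits in product("01", repeat=n)]
    return dom

def check_laws(dom):
    """Exhaustively test commutativity and associativity on dom."""
    comm = all(f(u, v) == f(v, u) for u in dom for v in dom)
    assoc = all(f(f(u, v), w) == f(u, f(v, w))
                for u in dom for v in dom for w in dom)
    return comm, assoc

def key_agreement(x, y, z):
    """Alice holds x, y; Bob holds z. Returns both keys and the wire."""
    to_bob = (y, f(x, y))        # Alice -> Bob: y, f(x, y)
    to_alice = f(y, z)           # Bob -> Alice: f(y, z)
    k_alice = f(x, to_alice)     # f(x, f(y, z))
    k_bob = f(to_bob[1], z)      # f(f(x, y), z)
    return k_alice, k_bob, (to_bob, to_alice)

if __name__ == "__main__":
    print(check_laws(small_domain()))
    print(key_agreement(("10", "110"), ("10", "101"), ("10", "011")))
```

The toy witness relation is trivially decidable and the agreed key also appears among the transmitted values, so the run shows only that associativity makes both computations agree, not that anything is hidden from Eve.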

Using the Secret Key
k = 010011011
Alice (m = 110101010, k = 010011011): $m'_i = m_i \oplus k_i$, m' = 100110001
Alice → Bob: m'
Bob (m' = 100110001, k = 010011011): $m_i = m'_i \oplus k_i$, m = 110101010

Conclusions
One-way functions are easy to compute and hard to invert.
Proving that one-way functions exist is the same as proving that P and NP are different.
Special types of one-way functions, like “Spiffy” one-way functions, can have quite useful applications in cryptography.