Cryptography - One-Way Functions

## Asymptotic Definition

A one-way function $F$ provides the following interface:

• $F.\mathrm{gen}\left(t\right):{ℤ}^{+}\to \{0,1\}^{*}$ is a randomized algorithm, polynomial-time in $t$, that takes a security parameter $t$ and outputs a function description $\lambda \in \{0,1\}^{*}$.

• $F.\mathrm{in}\left(\lambda \right)$ is the input space of ${F}_{\lambda }$

• $F.\mathrm{out}\left(\lambda \right)$ is the output space of ${F}_{\lambda }$

• $F.\mathrm{eval}\left(\lambda ,X\right)={F}_{\lambda }\left(X\right):F.\mathrm{in}\left(\lambda \right)\to F.\mathrm{out}\left(\lambda \right)$

Security: For a randomized algorithm $A$ define:

${\mathrm{Adv}}_{A,F}\left(t\right)=\mathrm{Pr}\left[{F}_{\lambda }\left(A\left({F}_{\lambda }\left(X\right)\right)\right)={F}_{\lambda }\left(X\right)\mid \lambda \leftarrow F.\mathrm{gen}\left(t\right),X\leftarrow F.\mathrm{in}\left(\lambda \right)\right]$

Definition: $F$ is a one-way function if ${\mathrm{Adv}}_{A,F}\left(t\right)$ is a negligible function of $t$ for every polynomial-time randomized algorithm $A$.

A one-way permutation $\pi$ is a one-way function such that, for all $\lambda \in \{0,1\}^{*}$, $\pi .\mathrm{in}\left(\lambda \right)=\pi .\mathrm{out}\left(\lambda \right)$ and ${\pi }_{\lambda }$ is one-to-one.

Example: ${\pi }^{\mathrm{RSA}}.\mathrm{gen}\left(t\right)$: generate two $t$-bit primes $p,q$ such that $p\equiv q\equiv 2\pmod{3}$, output $\lambda =⟨N=pq⟩$.

${\pi }^{\mathrm{RSA}}.\mathrm{in}\left(\lambda \right)={\pi }^{\mathrm{RSA}}.\mathrm{out}\left(\lambda \right)={ℤ}_{N}^{*}$

${\pi }^{\mathrm{RSA}}.\mathrm{eval}\left(\lambda ,X\right)={X}^{3}\bmod N$
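The RSA example and the inversion experiment behind ${\mathrm{Adv}}_{A,F}\left(t\right)$ can be run at toy sizes. The following Python sketch is an added example, not code from the original notes. The function names, the brute-force adversary and the trapdoor `d` returned by `gen` are assumptions made for the demonstration, and `gen` needs $t\ge 5$ so that two distinct $t$-bit primes congruent to 2 mod 3 exist.

```python
import math
import secrets

def is_prime(n):
    # Trial division; adequate only for the toy sizes used here.
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))

def rand_prime(t):
    # Random t-bit prime p with p = 2 (mod 3), so that gcd(3, p - 1) = 1.
    while True:
        p = secrets.randbits(t) | (1 << (t - 1)) | 1
        if p % 3 == 2 and is_prime(p):
            return p

def gen(t):
    # pi^RSA.gen(t) for t >= 5. Returns (N, d): N is the description lambda;
    # d = 3^-1 mod phi(N) is a trapdoor kept only to check the demo (assumption).
    p = q = rand_prime(t)
    while q == p:
        q = rand_prime(t)
    return p * q, pow(3, -1, (p - 1) * (q - 1))

def sample_input(N):
    # X <- Z_N^*, uniformly at random.
    while True:
        x = secrets.randbelow(N - 1) + 1
        if math.gcd(x, N) == 1:
            return x

def evaluate(N, x):
    # pi^RSA.eval: X -> X^3 mod N.
    return pow(x, 3, N)

def is_permutation(N):
    # Exhaustively check that cubing maps Z_N^* onto itself (toy N only).
    units = {x for x in range(1, N) if math.gcd(x, N) == 1}
    return {evaluate(N, x) for x in units} == units

def brute_force(N, y, budget):
    # Adversary A: tries at most `budget` candidate preimages, else outputs 0.
    for x in range(1, min(N, budget + 1)):
        if evaluate(N, x) == y:
            return x
    return 0

def advantage(t, budget, trials=200):
    # Empirical Adv_{A,F}(t): fraction of runs where F(A(F(X))) = F(X).
    wins = 0
    for _ in range(trials):
        N, _ = gen(t)
        y = evaluate(N, sample_input(N))
        wins += evaluate(N, brute_force(N, y, budget)) == y
    return wins / trials
```

For a modulus such as $N=7\cdot 13$, whose prime factors are congruent to 1 mod 3, `is_permutation` returns `False`: cubing is then 3-to-1 on ${ℤ}_{N}^{*}$, which is why `gen` requires $p\equiv q\equiv 2\pmod{3}$.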

Problem: ${F}^{\mathrm{DES}}$ defined by ${F}^{\mathrm{DES}}\left(K\right)={\mathrm{DES}}_{K}\left(0\right)$ is not an asymptotically one-way function, as it does not depend on security parameters.

## Fixed Security Parameter Definition

Definition: $f:\{0,1\}^{n}\to \{0,1\}^{n}$ is $\left(t,\epsilon \right)$-one-way if there exists an "efficient" algorithm for evaluating $f$, and for all probabilistic $t$-time algorithms $A$, we have

$\mathrm{Pr}\left[f\left(A\left(f\left(X\right)\right)\right)=f\left(X\right)\mid X\leftarrow \{0,1\}^{n}\right]<\epsilon .$

Then ${F}^{\mathrm{DES}}\left(K\right)={\mathrm{DES}}_{K}\left(0\right)$ is $\left(t,\epsilon \right)$-one-way for some $t,\epsilon$.

Note: One-way functions/permutations are considered "fast" primitives.

## Amplification of One-wayness

Suppose $f:\{0,1\}^{n}\to \{0,1\}^{m}$ is $\left(t,\epsilon \right)$-one-way.

Define: ${g}_{1}\left(x,y\right)=f\left(x\right)\,\|\,f\left(y\right)$ and ${g}_{2}\left(x,y\right)=f\left(x\right)\oplus f\left(y\right)$.

Theorem: If $f\left(x\right)$ is $\left(t,\epsilon \right)$-one-way then ${g}_{1}\left(x,y\right)$ is $\left(\left({\epsilon }^{2}/4\right)t,6{\epsilon }^{2}\right)$-one-way.

One-wayness of ${g}_{2}$ follows from Yao's XOR lemma.

## Applications of One-way functions

Using the Blum-Micali Generator, one-way functions can be used to construct Pseudo Random Number Generators, which enable us to construct Pseudo Random Functions (by using the GGM method for example), which in turn can be used to make Pseudo Random Permutations via the Luby-Rackoff construction.

One-way functions also imply (inefficient) signature schemes.

## Nonapplications of One-way functions

It is known that one-way functions are not sufficient for the following.

• Collision resistant hash functions

• Key exchange