Leo Reyzin. Notes for BU CAS CS 538.
1
6
General One-Way and Trapdoor Functions
In this section, we will try to generalize what we’ve seen so far. For example, we know how to build a secure
encryption out of RSA, but what exactly is RSA itself? In modern terms, it is a trapdoor permutation
family, which we de±ne below.
6.1
One-Way Functions
Let us ±rst introduce one-way functions. We’ve actually seen concrete examples of them before; this is just
a generalization, so we can talk of a one-way function
f
independent of its particular implementation.
Defnition 1.
Afunct
ion
f
:
{
0
,
1
}
*
→{
0
,
1
}
*
is one-way if
1. it is polynomial-time computable;
2. it is hard to invert, i.e., for all probabilistic polynomial-time
A
there exists a negligible function
η
such
that, for all
k
,Pr
[
f
(
A
(
f
(
x
)
,
1
k
)) =
f
(
x
)]
≤
η
(
k
), where the probability is taken over a random choice
of
k
-bit string
x
and coin tosses of
A
.
Note that it’s important that we are not requiring
A
to ±nd
x
; rather, any inverse of
f
(
x
) is ±ne. Of course,
if
f
is a permutation (i.e., a bijective function), then it would be equivalent to require
A
to ±nd
x
, because
x
is the only inverse of
f
(
x
).
Note also the importance of selecting the input to
A
: the input is not selected uniformly at random;
rather,
x
is selected uniformly at random, and the input is
f
(
x
). Of course, again, if
f
is a permutation,
then the two are equivalent.
An example is the following
f
: split the
k
-bit input into strings
a
of length
±
k/
2
²
and
b
of length
³
k/
2
´
,
and output
c
=
ab
. The inverter
A
would have to ±nd two
large
factors of
c