We now show that a claw-free collection (of functions) does exist under the assumption that integer factorization is infeasible. In the following description, we use the structural properties of Blum integers (i.e., products of two primes both congruent to 3 mod 4), which are further discussed in Appendix A. In particular, for a Blum integer $N$, it holds that
• the Jacobi symbol of $-1 \bmod N$ equals 1, and
• half of the square roots of each quadratic residue have Jacobi symbol 1.
Let $J_N^{+1}$ (resp., $J_N^{-1}$) denote the set of residues in the multiplicative group modulo $N$ with Jacobi symbol $+1$ (resp., $-1$).
The index set of the collection consists of all Blum integers that are composed of two primes of the same length. The index-selecting algorithm, on input $1^n$, uniformly selects such an integer by uniformly selecting two ($n$-bit) primes, each congruent to 3 mod 4, and outputting their product, denoted $N$. Both functions of index $N$, denoted $f_N^0$ and $f_N^1$, consist of squaring modulo $N$, but their corresponding domains are disjoint. The domain of function $f_N^\sigma$ equals the set $J_N^{(-1)^\sigma}$. The domain-sampling algorithm, denoted $D$, uniformly selects an element of the corresponding domain in the natural manner. Specifically, on input $(\sigma, N)$, algorithm $D$ uniformly selects polynomially many residues mod $N$ and outputs the first residue with Jacobi symbol $(-1)^\sigma$. (A uniformly chosen residue is a unit mod $N$ except with negligible probability, and exactly half of the units have the required symbol, so $D$ fails to produce an output only with negligible probability.)
The reader can easily verify that both $f_N^0(D(0,N))$ and $f_N^1(D(1,N))$ are uniformly distributed over the set of quadratic residues mod $N$ (for a Blum integer, each quadratic residue has exactly four square roots, two in $J_N^{+1}$ and two in $J_N^{-1}$, so squaring is a 2-to-1 map from each domain onto the quadratic residues). The difficulty of forming claws follows from the fact that a claw yields two residues, $x \in J_N^{+1}$ and $y \in J_N^{-1}$, such that their squares modulo $N$ are equal (i.e., $x^2 \equiv y^2 \pmod N$). Since $-1 \in J_N^{+1}$ (and the latter is a multiplicative subgroup), it follows that $y \not\equiv \pm x \pmod N$; thus $N$ divides $(y-x)(y+x)$ without dividing either factor, and so the greatest common divisor (g.c.d.) of $y \pm x$ and $N$ yields a factorization of $N$.
The foregoing collection consists of pairs of functions that are 2-to-1 (and are defined over disjoint domains). To obtain a collection of claw-free permutations, we slightly modify the collection as follows. The index set consists of Blum integers that are the products of two primes $P$ and $Q$ of the same length, so that $P \equiv 3 \pmod 8$ and $Q \equiv 7 \pmod 8$. For such composites, neither 2 nor $-2$ is a quadratic residue modulo $N = P \cdot Q$ (and in fact $\pm 2 \in J_N^{-1}$: since 2 is a quadratic residue modulo an odd prime $p$ if and only if $p \equiv \pm 1 \pmod 8$, the number 2 is a non-residue modulo $P$ and a residue modulo $Q$, while $-1$ is a non-residue modulo both $P$ and $Q$, so the Jacobi symbols of both $2$ and $-2$ equal $-1$). Consider the functions $f_N^0$ and $f_N^1$ defined over the set, denoted $Q_N$, of quadratic residues modulo $N$:

$$f_N^\sigma(x) \stackrel{\rm def}{=} 4^\sigma \cdot x^2 \bmod N \qquad (2.14)$$

Clearly, both $f_N^0$ and $f_N^1$ are permutations over $Q_N$ (squaring permutes $Q_N$ for every Blum integer, and multiplication by $4 \in Q_N$ permutes the group $Q_N$). The difficulty of forming claws follows from the fact that a claw yields two quadratic residues, $x$ and $y$, so that $x^2 \equiv 4y^2 \pmod N$. Thus, $(x/y)^2 \equiv 4 \pmod N$, and so $(2 - (x/y)) \cdot (2 + (x/y)) \equiv 0 \pmod N$. Since $\pm 2 \notin Q_N$ (and the latter is a multiplicative subgroup), it follows that $(x/y) \not\equiv \pm 2 \pmod N$, and so the g.c.d. of $(2 \pm x \cdot y^{-1} \bmod N)$ and $N$ yields the factorization of $N$.
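The two collections above, as an added worked example that is not part of the book: our own Python code (all function names are ours) that samples a toy index $N = PQ$ with $P \equiv 3$, $Q \equiv 7 \pmod 8$, implements the Jacobi symbol, the domain sampler $D$, both pairs of functions, and the two g.c.d. reductions from a claw to the factorization of $N$. Since nobody is supposed to be able to form a claw without the factors, the demonstration uses the trapdoor $(P, Q)$ to manufacture one claw per collection and then runs the public reduction on it. The 16-bit primes are a toy choice so the run is instant, not a secure parameter.

```python
import math
import random
# Added example, not from the book: the two factoring-based claw-free
# collections above, instantiated with toy 16-bit primes so the
# "claw => factorization" argument can be executed. All names here are ours.

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (standard reciprocity loop)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def is_prime(p):
    return p >= 2 and all(p % d for d in range(2, math.isqrt(p) + 1))

def random_prime(bits, residue_mod_8, rng):
    """Random `bits`-bit prime congruent to residue_mod_8 modulo 8."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1))
        c = c - c % 8 + residue_mod_8
        if c.bit_length() == bits and is_prime(c):
            return c

def gen_index(bits, rng):
    """Index sampler: N = P*Q, P = 3 (mod 8), Q = 7 (mod 8). Such N is a Blum
    integer, so it serves both collections; (P, Q) is kept as a trapdoor."""
    P, Q = random_prime(bits, 3, rng), random_prime(bits, 7, rng)
    return P * Q, (P, Q)

# Collection 1: f^sigma_N(x) = x^2 mod N on the domain J_N^{(-1)^sigma}.
def sample_domain(sigma, N, rng):
    """Algorithm D: uniform unit mod N with Jacobi symbol (-1)^sigma."""
    while True:
        x = rng.randrange(1, N)
        if math.gcd(x, N) == 1 and jacobi(x, N) == (-1) ** sigma:
            return x

def f_square(sigma, N, x):
    assert jacobi(x, N) == (-1) ** sigma, "x outside the domain of f^sigma_N"
    return x * x % N

def factor_from_claw(N, x, y):
    """x in J^{+1}, y in J^{-1}, x^2 = y^2 (mod N). As -1 in J^{+1}, y != +-x,
    so N divides (x-y)(x+y) but neither factor: gcd(x-y, N) is proper."""
    assert x * x % N == y * y % N and jacobi(x, N) == 1 and jacobi(y, N) == -1
    p = math.gcd(x - y, N)
    assert 1 < p < N
    return min(p, N // p), max(p, N // p)

# Collection 2: f^sigma_N(x) = 4^sigma * x^2 mod N, a permutation of Q_N.
def f_perm(sigma, N, x):
    return pow(4, sigma, N) * x * x % N

def factor_from_perm_claw(N, x, y):
    """x, y in Q_N with x^2 = 4y^2 (mod N). Then (x/y)^2 = 4 but x/y != +-2
    since +-2 are not in Q_N, so gcd(x/y - 2, N) is a proper factor."""
    assert x * x % N == 4 * y * y % N
    ratio = x * pow(y, -1, N) % N
    p = math.gcd((ratio - 2) % N, N)
    assert 1 < p < N
    return min(p, N // p), max(p, N // p)

def quadratic_residues(N):  # Q_N by brute force; small N only
    return {x * x % N for x in range(1, N) if math.gcd(x, N) == 1}

# Trapdoor helper, used only to manufacture claws for the demonstration.
def square_roots(a, P, Q):
    """All four square roots of a quadratic residue a modulo P*Q, via CRT."""
    N = P * Q
    rp, rq = pow(a, (P + 1) // 4, P), pow(a, (Q + 1) // 4, Q)
    cp, cq = Q * pow(Q, -1, P), P * pow(P, -1, Q)
    return {(s * rp * cp + t * rq * cq) % N for s in (1, -1) for t in (1, -1)}

def demo(seed=2024, bits=16):
    """Forge one claw per collection with the trapdoor and show that the public
    reduction recovers the factors of N from each claw."""
    rng = random.Random(seed)
    N, (P, Q) = gen_index(bits, rng)
    x = sample_domain(0, N, rng)                                # x in J^{+1}
    y = next(r for r in square_roots(x * x % N, P, Q) if jacobi(r, N) == -1)
    v = pow(sample_domain(0, N, rng), 2, N)                     # v in Q_N
    u = next(r for r in square_roots(4 * v * v % N, P, Q)       # u in Q_N
             if pow(r, (P - 1) // 2, P) == 1 and pow(r, (Q - 1) // 2, Q) == 1)
    return {"N": N, "factors": (min(P, Q), max(P, Q)),
            "claw1_collides": f_square(0, N, x) == f_square(1, N, y),
            "claw1_factors": factor_from_claw(N, x, y),
            "claw2_collides": f_perm(0, N, u) == f_perm(1, N, v),
            "claw2_factors": factor_from_perm_claw(N, u, v)}

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the index, its factors, and for each collection a flag that the forged pair really collides together with the factors recovered from it by the reduction alone. `quadratic_residues(77)` lets one confirm by brute force, for the smallest admissible index $N = 11 \cdot 7$, that $f_N^1$ maps $Q_N$ onto itself.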
The foregoing collections arenotknown to possess the additional property of having an efficiently recognizable index set. In particular, it is not even known how to efficiently distinguish products of two primes from products of more than two primes.
2.4.6.* On Proposing Candidates
Although we do believe that one-way functions exist, their mere existence does not suffice for practical applications. Typically, an application that is based on one-way functions requires the specification of a concrete (candidate one-way) function.⁹ Hence, the problem of proposing reasonable candidates for one-way functions is of great practical importance. Everyone understands that such a reasonable candidate (for a one-way function) should have a very efficient algorithm for evaluating the function. In case the “function” is presented as a collection of one-way functions, the domain sampler and function-evaluation algorithm should be very efficient (whereas for index sampling, “moderate efficiency” may suffice). However, people seem less careful about seriously considering the difficulty of inverting the candidates that they propose. We stress that the candidate has to be difficult to invert on “the average” and not only in the worst case, and “the average” is taken with respect to the instance-distribution determined by the candidate function. Furthermore, “hardness on the average” (unlike worst-case analysis) is extremely sensitive to the instance-distribution. Hence, one has to be extremely careful in deducing average-case complexity with respect to one distribution from the average-case complexity with respect to another distribution. The short history of the field contains several cases in which this point has been ignored, and consequently bad suggestions have been made.

⁹ As explained in Section 2.4.1, the observation concerning the existence of a universal one-way function is of
Consider, for example, the following (bad) suggestion to base one-way functions on the conjectured difficulty of the Graph Isomorphism problem. Let $F_{GI}(G, \pi) = (G, \pi G)$, where $G$ is an undirected graph, $\pi$ is a permutation on its vertex set, and $\pi G$ denotes the graph resulting by renaming the vertices of $G$ using $\pi$ (i.e., $(\pi(u), \pi(v))$ is an edge in $\pi G$ if and only if $(u, v)$ is an edge in $G$). Although it is indeed believed that Graph Isomorphism cannot be solved in polynomial time, it is easy to see that $F_{GI}$ is easy to invert in most instances (e.g., use vertex-degree statistics to determine the isomorphism: in a random graph, almost all vertices are already distinguished by their degree together with the degrees of their neighbors, which pins down $\pi$). That is, the conjectured worst-case hardness does not imply an average-case hardness for the uniform distribution. Furthermore, even if the problem is hard on the average with respect to some distribution, one has to specify this distribution and propose an efficient algorithm for sampling according to it.
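The degree-statistics attack on $F_{GI}$, as an added worked example that is not part of the book: our own Python code (function names and sample graphs are ours) that recovers $\pi$ from $(G, \pi G)$ by colour refinement, i.e. iterated vertex-degree statistics, followed by a backtracking search confined to vertices of equal refined colour. Refinement is sound (every isomorphism preserves refined colours), so the search never misses an isomorphism; on a random graph the colours are almost always all distinct and the search is trivial, whereas on a regular graph such as a cycle the degrees say nothing and the backtracking does all the work, which is exactly the gap between average-case and worst-case behaviour the text is pointing at.

```python
import random
# Added example, not from the book: inverting F_GI(G, pi) = (G, pi(G)) by
# colour refinement (iterated vertex-degree statistics) plus a colour-guided
# backtracking search. Function names and the sample graphs are ours.

def random_graph(n, p, rng):
    """Constructed input: G(n, p) as a set of edges (u, v) with u < v."""
    return {(u, v) for u in range(n) for v in range(u + 1, n) if rng.random() < p}

def relabel(edges, pi):
    """pi(G): the edge (u, v) becomes (pi(u), pi(v)), stored with smaller end first."""
    return {tuple(sorted((pi[u], pi[v]))) for u, v in edges}

def adjacency(n, edges, offset=0):
    adj = {v + offset: set() for v in range(n)}
    for u, v in edges:
        adj[u + offset].add(v + offset)
        adj[v + offset].add(u + offset)
    return adj

def refine(adj):
    """Colour refinement: start from vertex degrees, then replace each colour by
    (colour, sorted multiset of neighbour colours) until the number of classes
    stops growing. Any isomorphism preserves the resulting colours."""
    colour = {v: len(nb) for v, nb in adj.items()}
    while True:
        sig = {v: (colour[v], tuple(sorted(colour[w] for w in adj[v]))) for v in adj}
        rank = {s: i for i, s in enumerate(sorted(set(sig.values())))}
        if len(rank) == len(set(colour.values())):
            return colour
        colour = {v: rank[sig[v]] for v in adj}

def invert_fgi(n, G, H):
    """Return pi (as a dict) with relabel(G, pi) == H, or None if none exists.
    Refinement runs on the disjoint union of G and H so colours are comparable;
    candidates for a G-vertex are the H-vertices of the same refined colour."""
    adjG, adjH = adjacency(n, G), adjacency(n, H)
    colour = refine({**adjG, **adjacency(n, H, offset=n)})
    cand = {v: [w for w in range(n) if colour[w + n] == colour[v]] for v in range(n)}
    order = sorted(range(n), key=lambda v: len(cand[v]))  # most constrained first
    pi, used = {}, set()

    def extend(i):
        if i == n:
            return True
        v = order[i]
        for w in cand[v]:
            # w must be unused and agree with every already-mapped vertex on adjacency
            if w not in used and all((u in adjG[v]) == (pi[u] in adjH[w]) for u in pi):
                pi[v] = w
                used.add(w)
                if extend(i + 1):
                    return True
                del pi[v]
                used.discard(w)
        return False

    return dict(pi) if extend(0) else None

def demo(n=24, seed=7):
    """Sample G, hide a random pi, and invert F_GI from (G, pi(G)) alone.
    Returns (G, H, hidden pi, recovered pi, number of refined colour classes of G)."""
    rng = random.Random(seed)
    G = random_graph(n, 0.5, rng)
    pi = list(range(n))
    rng.shuffle(pi)
    H = relabel(G, pi)
    classes = len(set(refine(adjacency(n, G)).values()))
    return G, H, pi, invert_fgi(n, G, H), classes

if __name__ == "__main__":
    G, H, pi, rec, classes = demo()
    print("refined colour classes:", classes, "of", 24)
    print("recovered map is an isomorphism:", relabel(G, rec) == H)
    print("recovered map equals hidden pi:", rec == dict(enumerate(pi)))
```

The recovered map is guaranteed to be an isomorphism whenever one exists; it coincides with the hidden $\pi$ exactly when $G$ has no non-trivial automorphisms, which is the typical case for a random graph. For a cycle, `refine` leaves every vertex in one class and the search still succeeds, but only by exhausting candidate matchings, which illustrates why worst-case instances of Graph Isomorphism tell us nothing about the uniform distribution.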