Tight lower bounds on the ambiguity of strong, total, associative, one-way functions

摘要

We study the ambiguity, or “many-to-one”-ness, of two-argument, one-way functions that are strong (that is, hard to invert even if one of their arguments is given), total, and associative. Such powerful one-way functions are the basis of a cryptographic paradigm described by Rabi and Sherman (Inform. Process. Lett. 64(2) (1997) 239) and were shown by Hemaspaandra and Rothe (J. Comput. System Sci. 58(3) (1999) 648) to exist exactly if standard one-way functions exist.Rabi and Sherman (1997) show that no total, associative function defined over a universe having at least two elements is one-to-one. We show that if P≠UP, then, for every d∈N+, there is an O(log1dn)-to-one, strong, total, associative, one-way function σd. We argue that this bound is tight in the sense that any total, associative function having similar properties to σd but not necessarily strong or one-way must have at least the same order of magnitude of ambiguity as σd has. We demonstrate that the techniques used in proving the above-stated results easily apply to other classes of total, associative functions.We provide a complete characterization for the existence of strong, total, associative, one-way functions whose ambiguity approaches the lower bounds we provide. We say a language is in PolylogP if there exists a polynomial-time Turing machine M accepting the language such that for some d∈R+ it holds that M has on each string x at most O(logdn) accepting paths, where n=|x|. We show that P≠PolylogP if and only for some d∈R+ there exists an O(logdn)-to-one, strong, total, associative, one-way function.