patternMinor
If xor-ing a one way function with different input, is it still a one way function?
Viewed 0 times
xoringwithwayfunctioninputdifferentonestill
Problem
Suppose $f(x)$ is a one way function. What about $h(x)=f(x_1) \, \oplus \,f(x_2)$, where $x=x_1 || x_2$ and $\lvert x_1 \rvert = \lvert x_2\rvert$?
- $\oplus$ is exclusive disjunction (xor)
- $||$ is concatenation
- $|u|$ is the length of $u$
Solution
The function $h$ may not be one-way anymore.
We construct a counter example—a specific one way $f$ whose $h$ is not one-way anymore—in the following way.
Assume $g$ is a one-way function that preserves size, and define $f$ on input $w=bx_1x_2$ in the following way,
$$f(bx_1x_2) = \begin{cases} g(x_1)\,x_2 & b=0 \\ x_1\, g(x_2) & b=1 \end{cases}$$
(assuming $b\in\{0,1\}$ and $|x_1|=|x_2|$.)
It is easy to see that $f$ is also one-way — to invert it, you need to either invert $g$ on the first half or invert $g$ on the second half.
Now we show how to invert $h$. Assume you are given $h(u,v)=Z$, we write it as $h(u,v)= z_1z_2$ with $|z_1|=|z_2|=n$.
Then a possible preimage of $Z$ is
$$u=0 \,0^n \,\langle g(0^n)\oplus z_2\rangle$$
$$v=1 \, \langle g(0^n)\oplus z_1\rangle \, 0^n$$
because $f(u) = g(0^n)\, \langle g(0^n)\oplus z_2\rangle$ and
$f(v) = \langle g(0^n)\oplus z_1\rangle \, g(0^n)$ thus their XOR gives
exactly $z_1\,z_2$ as required.
We construct a counter example—a specific one way $f$ whose $h$ is not one-way anymore—in the following way.
Assume $g$ is a one-way function that preserves size, and define $f$ on input $w=bx_1x_2$ in the following way,
$$f(bx_1x_2) = \begin{cases} g(x_1)\,x_2 & b=0 \\ x_1\, g(x_2) & b=1 \end{cases}$$
(assuming $b\in\{0,1\}$ and $|x_1|=|x_2|$.)
It is easy to see that $f$ is also one-way — to invert it, you need to either invert $g$ on the first half or invert $g$ on the second half.
Now we show how to invert $h$. Assume you are given $h(u,v)=Z$, we write it as $h(u,v)= z_1z_2$ with $|z_1|=|z_2|=n$.
Then a possible preimage of $Z$ is
$$u=0 \,0^n \,\langle g(0^n)\oplus z_2\rangle$$
$$v=1 \, \langle g(0^n)\oplus z_1\rangle \, 0^n$$
because $f(u) = g(0^n)\, \langle g(0^n)\oplus z_2\rangle$ and
$f(v) = \langle g(0^n)\oplus z_1\rangle \, g(0^n)$ thus their XOR gives
exactly $z_1\,z_2$ as required.
Context
StackExchange Computer Science Q#10415, answer score: 8
Revisions (0)
No revisions yet.