## Candidate One-Way Functions Based on Expander Graphs

### Cached

### Download Links

- [www.wisdom.weizmann.ac.il]
- [www.wisdom.weizmann.ac.il]
- DBLP

### Other Repositories/Bibliography

Venue: | In Electronic Colloquium on Computational Complexity (ECCC |

Citations: | 35 - 1 self |

### BibTeX

@INPROCEEDINGS{Goldreich_candidateone-way,

author = {Oded Goldreich},

title = {Candidate One-Way Functions Based on Expander Graphs},

booktitle = {In Electronic Colloquium on Computational Complexity (ECCC},

year = {},

pages = {2000}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. We suggest a candidate one-way function using combinatorial constructs such as expander graphs. These graphs are used to determine a sequence of small overlapping subsets of input bits, to which a hard-wired random predicate is applied. Thus, the function is extremely easy to evaluate: All that is needed is to take multiple projections of the input bits, and to use these as entries to a look-up table. It is feasible for the adversary to scan the look-up table, but we believe it would be infeasible to find an input that fits a given sequence of values obtained for these overlapping projections. The conjectured difficulty of inverting the suggested function does not seem to follow from any well-known assumption. Instead, we propose the study of the complexity of inverting this function as an interesting open problem, with the hope that further research will provide evidence to our belief that the inversion task is intractable.

### Citations

628 |
How to construct random functions
- Goldreich, Goldwasser, et al.
- 1986
(Show Context)
Citation Context ...task even harder, as well as serves as a starting point for the next item. 6 3. Modifying the construction to obtained a “keyed”-function with the hope that the result is a pseudorandom function (cf. =-=[9]-=-). The idea is to let the key specify the (random) predicate P. We stress that this modification is applied to the iterated function, not to the basic one. 7 We suggest using Θ(log n) iteration; in pr... |

288 | Hardness vs. randomness
- Nisan, Wigderson
- 1994
(Show Context)
Citation Context ...esolution will require exponential-time to invert our function [Avi Wigderson, private communication, 2000]. 8 5.3 Inspiration Our construction was inspired by the construction of Nisan and Wigderson =-=[11]-=-; however, we deviate from the latter work in two important aspects: 1. Nisan and Wigderson reduce the security of their construction to the hardness of the predicate in use. In our construction, the ... |

171 |
λ1, isoperimetric inequalities for graphs, and superconcentrators
- Alon, Milman
- 1985
(Show Context)
Citation Context ... issue is to provide, for any fixed k and h, a good upper bound on the probability that a specific set of k vertices has less than h neighbors. 3 The expansion is computed from the eigenvalues, as in =-=[5]-=-. Actually, we use the stronger bound provided by [4, Thm. 2.3] rather than the simpler (and better known) bound. Specifically, the lower bounds in [4, Thm. 2.3] are on the size of the neighborhood of... |

98 |
Explicit construction of linear size superconcentrators
- Gabber, Galil
- 1981
(Show Context)
Citation Context ...n expanders Note that p = 5 and p = 13 are the only admissible choices for ℓ ≤ 16. Larger values of q may be used, but this will only yield larger value of n. Using the simple expander of Gaber–Galil =-=[8]-=-. Another nasty surprise is that the easy-to-handle expander of Gaber–Galil performs very poorly on our range of parameters. This expander has degree 7 (i.e., ℓ = 7), and can be constructed for any n ... |

13 | Goldreich’s one-way function candidate and myopic backtracking algorithms
- Cook, Etesami, et al.
- 2009
(Show Context)
Citation Context ...s idea to the original function will definitely fail. In that case, by using 2 ℓ queries (and inspecting only one bit of the answers) we can easily retrieve the key P. 8 This conjecture was proved in =-=[7]-=-. We mention that in the original posting of this work we expressed the opinion that this direction requires further investigation. 9 We comment that it is not clear whether the Nisan and Wigderson co... |

10 | Public-key cryptography from different assumptions
- Applebaum, Barak, et al.
- 2010
(Show Context)
Citation Context ...ao showed [6] that a necessary requirement for security is using a balanaced predicate P (i.e., P such that |{z ∈ {0, 1} ℓ : P(z) = 1}| = 2 ℓ−1 ). The use of balanaced predicates is also advocated in =-=[1, 7]-=-. Acknowledgments We are grateful to Noga Alon, Adi Shamir, Luca Trevisan, and Avi Wigderson for useful discussions. 10 In an asymptotic generalization of the scheme, inversion takes time linear in th... |

7 | On the security of goldreich’s one-way function
- Bogdanov, Qiao
- 2009
(Show Context)
Citation Context ... random predicate P is the best possible choice for our proposal. In particular, generalizing our proposal to functions with m = O(n) output bits (rather than n output bits), Bogdanov and Qiao showed =-=[6]-=- that a necessary requirement for security is using a balanaced predicate P (i.e., P such that |{z ∈ {0, 1} ℓ : P(z) = 1}| = 2 ℓ−1 ). The use of balanaced predicates is also advocated in [1, 7]. Ackno... |

4 |
Eigenvalues, Geometric Expanders, Sorting in
- Alon
- 1986
(Show Context)
Citation Context ...states the probability that a random construction (with given n and ℓ) does not achieve the stated expansion. Actually, we only provide upper bounds on these probabilities. Alon’s Geometric Expanders =-=[4]-=-. These constructions do not allow ℓ = O(log n), but rather ℓ that is polynomially related to n. Still for our small numbers we get meaningful results, when using ℓ = q + 1 and n = q 2 + q + 1, where ... |