# Claw-free permutation

In mathematical and computer science field of cryptography, a group of three numbers (x,y,z) is said to be a claw of two permutations f0 and f1 if

f0(x) = f1(y) = z.

A pair of permutations f0 and f1 are said to be claw-free if there is no efficient algorithm for computing a claw.

The terminology claw free was introduced by Goldwasser, Micali, and Rivest in their 1984 paper, "A Paradoxical Solution to the Signature Problem" [1] (and later in a more complete journal paper [2]), where they showed that the existence of claw-free pairs of trapdoor permutations implies the existence of digital signature schemes secure against adaptive chosen-message attack. This construction was later superseded by the construction of digital signatures from any one-way trapdoor permutation[3]. The existence of trapdoor permutations does not by itself imply claw-free permutations exist[4]; however, it has been shown that claw-free permutations do exist if factoring is hard[citation needed].

The general notion of claw-free permutation (not necessarily trapdoor) was further studied by Ivan Damgård in his PhD thesis The Application of Claw Free Functions in Cryptography (Aarhus University, 1988), where he showed how to construct Collision Resistant Hash Functions from claw-free permutations.[5] The notion of claw-freeness is closely related to that of collision resistance in hash functions. The distinction is that claw-free permutations are pairs of functions in which it is hard to create a collision between them, while a collision-resistant hash function is a single function in which it's hard to find a collision, i.e. a function H is collision resistant if it's hard to find a pair of distinct values x,y such that

H(x) = H(y).

In the hash function literature, this is commonly termed a hash collision. A hash function where collisions are difficult to find is said to have collision resistance.

## Constructions

### Bit commitment

Given a pair of claw-free permutations f0 and f1 it is straightforward to create a commitment scheme. To commit to a bit b the sender chooses a random x, and calculates fb(x). Since both f0 and f1 share the same domain (and range), the bit b is statistically hidden from the receiver. To open the commitment, the sender simply sends the randomness x to the receiver. The sender is bound to his bit because opening a commitment to 1 − b is exactly equivalent to finding a claw. Notice that like the construction of Collision Resistant Hash functions, this construction does not require that the claw-free functions have a trapdoor.

### References

1. ^ Goldwasser, Shafi; Micali, Silvio; Rivest, Ronald L. (1984). "A Paradoxical Solution to the Signature Problem". Proceedings of FOCS: 441–448.
2. ^ Goldwasser, Shafi; Micali, Silvio; Rivest, Ronald L. (April 1988). "A digital signature scheme secure against adaptive chosen-message attacks". SIAM J. Computing 17 (2): 281–308. CiteSeerX: 10.1.1.20.8353.
3. ^ Bellare, Mihir; Micali, Silvio. How to sign given any trapdoor permutation.
4. ^ Dodis, Yevgeniy; Reyzin, Leonid (2002). On the Power of Claw-Free Permutations. CiteSeerX: 10.1.1.19.6331.
5. ^ Damgard, Ivan. "Collision Free Hash Functions and Public Key Signature Schemes". EUROCRYPT '87.
6. ^ Koshiba, Takeshi (1996). Self-Definable Claw Free Functions.