Claw-free permutation: Difference between revisions
Beamishboy (talk | contribs) |
Beamishboy (talk | contribs) No edit summary |
||
| Line 1: | Line 1: | ||
In [[Mathematics|mathematical]] and [[computer science]] field of [[cryptography]], a group of three numbers ''(x,y,z)'' is said to be a '''claw''' of two permutations ''f<sub>0</sub>'' and ''f<sub>1</sub>'' if |
In [[Mathematics|mathematical]] and [[computer science]] field of [[cryptography]], a group of three numbers ''(x,y,z)'' is said to be a '''claw''' of two permutations ''f<sub>0</sub>'' and ''f<sub>1</sub>'' if |
||
:''f''<sub>0</sub>(''x'') = ''f''<sub>1</sub>(''y'') = ''z''. |
:''f''<sub>0</sub>(''x'') = ''f''<sub>1</sub>(''y'') = ''z''. |
||
A pair of permutations ''f''<sub>0</sub> and ''f''<sub>1</sub> are said to be '''claw-free''' if there is no efficient algorithm for computing a claw. |
|||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
| ⚫ | In his original work, Damgård constructed [[Cryptographic_hash_function|Collision Resistant Hash Functions]] from claw-free permutations. In subsequent work{{ref|GMR88}, the existence of '''claw-free permutations''' with trapdoors was proven to imply secure digital signatures, for which [[existential forgery]] is not possible. This construction was later superseded by the construction of digital signatures from any one-way trapdoor permutation{{ref|BM92}}. The existence of [[trapdoor permutation]]s does not by itself imply claw-free permutations exist{{ref|DR}}; however, it has been shown that claw-free permutations do exist if factoring is hard. |
||
It is also often cryptographically important for a [[hash function]] to be claw-free, in the sense that it is difficult to create a pair ''(x,y)'' such that |
|||
The notion of claw-freeness is closely related to that of collision resistance in hash functions. The distinction is that claw-free permutations are ''pairs'' of functions in which it is hard to create a collision between them, while a collision-resistant hash function is a single function in which it's hard to find a collision, i.e. a function ''H'' is collision resistant if it's hard to find a pair of distinct values ''x'',''y'' such that |
|||
:''H''(''x'') = ''H''(''y''). |
:''H''(''x'') = ''H''(''y''). |
||
In the hash function literature, this is commonly termed a [[hash collision]]. A hash function where collisions are difficult to educe is said to have [[collision resistance]]. |
In the hash function literature, this is commonly termed a [[hash collision]]. A hash function where collisions are difficult to educe is said to have [[collision resistance]]. |
||
==Constructions== |
|||
===Bit Commitment=== |
|||
Given a pair of claw-free permutations ''f''<sub>0</sub> and ''f''<sub>1</sub> it is straightforward to create a [[commitment scheme]]. To commit to a bit ''b'' the sender chooses a random ''x'', and calculates ''f''<sub>b</sub>''(x)''. Since both ''f''<sub>0</sub> and ''f''<sub>1</sub> share the same domain (and range), the bit ''b'' is statistically hidden from the receiver. To open the commitment, the sender simply sends the randomness ''x'' to the receiver. The sender is bound to his bit because opening a commitment to ''1-b'' is exactly equivalent to finding a claw. Notice that like the construction of Collision Resistant Hash functions, this construction does not require that the claw-free functions have a trapdoor. |
|||
===References=== |
===References=== |
||
| ⚫ | |||
# {{note|koshiba}} Takeshi Koshiba, [http://citeseer.ist.psu.edu/koshiba96selfdefinable.html Self-Definable Claw Free Functions], 1996. |
# {{note|koshiba}} Takeshi Koshiba, [http://citeseer.ist.psu.edu/koshiba96selfdefinable.html Self-Definable Claw Free Functions], 1996. |
||
# {{note|GMR88}} S. Goldwasser, [[S. Micali]], and [[Ronald L. Rivest]]. [http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.20.8353 A digital signature scheme secure against adaptive chosen-message attacks]. ''SIAM J. Computing'', 17(2):281-308, April 1988. |
# {{note|GMR88}} S. Goldwasser, [[S. Micali]], and [[Ronald L. Rivest]]. [http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.20.8353 A digital signature scheme secure against adaptive chosen-message attacks]. ''SIAM J. Computing'', 17(2):281-308, April 1988. |
||
# [http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.19.6331 On the Power of Claw-Free Permutations] Yevgeniy Dodis, Leonid Reyzin, 2002 |
#{{note|DR}} [http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.19.6331 On the Power of Claw-Free Permutations] Yevgeniy Dodis, Leonid Reyzin, 2002 |
||
#{{note|BM92}} [http://portal.acm.org/citation.cfm?id=147508.147537 How to sign given any trapdoor permutation] Mihir Bellare, Silvio Micali. |
|||
| ⚫ | |||
[[Category:Theory of cryptography]] |
[[Category:Theory of cryptography]] |
||
Revision as of 01:50, 21 November 2008
In mathematical and computer science field of cryptography, a group of three numbers (x,y,z) is said to be a claw of two permutations f0 and f1 if
- f0(x) = f1(y) = z.
A pair of permutations f0 and f1 are said to be claw-free if there is no efficient algorithm for computing a claw.
The terminology claw free was introduced by Ivan Damgård in his PhD thesis The Application of Claw Free Functions in Cryptography, Aarhus University, 1988.[1]
In his original work, Damgård constructed Collision Resistant Hash Functions from claw-free permutations. In subsequent work{{ref|GMR88}, the existence of claw-free permutations with trapdoors was proven to imply secure digital signatures, for which existential forgery is not possible. This construction was later superseded by the construction of digital signatures from any one-way trapdoor permutation[2]. The existence of trapdoor permutations does not by itself imply claw-free permutations exist[3]; however, it has been shown that claw-free permutations do exist if factoring is hard.
The notion of claw-freeness is closely related to that of collision resistance in hash functions. The distinction is that claw-free permutations are pairs of functions in which it is hard to create a collision between them, while a collision-resistant hash function is a single function in which it's hard to find a collision, i.e. a function H is collision resistant if it's hard to find a pair of distinct values x,y such that
- H(x) = H(y).
In the hash function literature, this is commonly termed a hash collision. A hash function where collisions are difficult to educe is said to have collision resistance.
Constructions
Bit Commitment
Given a pair of claw-free permutations f0 and f1 it is straightforward to create a commitment scheme. To commit to a bit b the sender chooses a random x, and calculates fb(x). Since both f0 and f1 share the same domain (and range), the bit b is statistically hidden from the receiver. To open the commitment, the sender simply sends the randomness x to the receiver. The sender is bound to his bit because opening a commitment to 1-b is exactly equivalent to finding a claw. Notice that like the construction of Collision Resistant Hash functions, this construction does not require that the claw-free functions have a trapdoor.
References
- ^ Collision Free Hash Functions and Public Key Signature Schemes Ivan Damgard, EUROCRYPT '87
- ^ Takeshi Koshiba, Self-Definable Claw Free Functions, 1996.
- ^ S. Goldwasser, S. Micali, and Ronald L. Rivest. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Computing, 17(2):281-308, April 1988.
- ^ On the Power of Claw-Free Permutations Yevgeniy Dodis, Leonid Reyzin, 2002
- ^ How to sign given any trapdoor permutation Mihir Bellare, Silvio Micali.
.svg){kind=small} | This combinatorics-related article is a stub. You can help Wikipedia by expanding it. |