Arguments for existence of one-way functions

Question

I have read in several papers that the existence of one-way functions is widely believed. Can someone shed light on why this is the case? What arguments do we have for supporting the existence of one-way functions?

Answer 1

Here's an argument that one-way functions should be hard to invert. Suppose there is a class of 3-SAT problems with planted solutions that are hard to solve. Consider the following map:

$$(x, r) \rightarrow s$$

where $x$ is any string of bits, $r$ is a string of bits (you could use these to seed a random number generator, or you can ask for as many random bits as you need) and $s$ is a $k$-SAT problem having $x$ as a planted solution, where the random number generator determines exactly which $k$-SAT problem you choose. To invert this one-way function, you need to solve a $k$-SAT problem with a planted solution.

This argument shows that inverting a one-way function is as hard as solving $k$-SAT problems with planted solutions. And since $k$-SAT is an NP-complete problem, if you can figure out how to construct hard instances with planted solutions for any NP problem, you can plant solutions in $k$-SAT formulas.

It has not been proven that it's possible to come up with a class of NP-complete problems with planted solutions that are just as hard as arbitrary NP-complete problems (and even if this is true, it's going to be incredibly hard to prove), but people definitely know how to plant solutions in $k$-SAT problems in ways that nobody currently knows how to solve.

ADDED: I now realize that this connection was already given (in more detail) in Abadi, Allender, Broder, Feigenbaum, and Hemachandra; they point out that one-way functions can give solved hard instances of SAT, and vice versa.

Putting it in more informal language, the non-existence of one-way functions shows that truly hard puzzles can't exist. If there is a type of puzzle where somebody can come up with both a puzzle and its solution algorithmically, then there is also a polynomial-time algorithm for finding a solution to the puzzle. This seems very counter-intuitive to me. Of course, a polynomial gap could exist; it might be the case that if creating the puzzle took $n$ steps, then solving it might take $O(n^3)$ steps. However, my intuition says that there should be a superpolynomial gap.

Answer 2

I'll give a short answer: The existence of seemingly-hard problems, such as FACTORING or DISCRETE LOG made theorists believe that OWF exist. In particular, they tried for decades (since 1970s) to find efficient (probabilistic polynomial-time) algorithms for such problems, but no attempt succeeded. This reasoning is very similar to why most researchers believe that P ≠ NP.

Answer 3

Sasho's argument relies on the eternal P=NP problem for which no consensus currently exists.

However, if we follow C. Shannon's cryptanalysis of the one-time pad, declassified in 1947, that is: there is no mathematically secure encryption algorithm other than the one time pad. His argument is based on the idea that, if we have a truly random sequence of numbers $r_1,r_2,r_3,\ldots,r_n$ and for some sequence to encrypt, $s_1,s_2,s_3,\ldots,s_n$, we encrypt as follows:

$f(r_i,s_i) = r_i \oplus s_i = c_i$

If the sequence is truly random, we would try to compute $f^{-1}(r_i,s_i)$ and the result would then be that all sequences are equiprobable.

We could mimic Shannon's result for one-way functions.

The function is the map $f:\mathbb{Z}/n\mathbb{Z}\times \mathbb{Z}/n\mathbb{Z}\rightarrow\mathbb{Z}/n\mathbb{Z}$ and the inverse function is the map $f:\mathbb{Z}/n\mathbb{Z}\rightarrow\mathbb{Z}/n\mathbb{Z}\times \mathbb{Z}/n\mathbb{Z}$.

The catch is that we do not know if there exists truly random numbers as the question is equivalent to Einstein's comment on "God does not play dices".

However, for all purposes, a random number generator based on a physical process is considered random enough by experts.

This said, the moment we are trying to reverse $(c_i,r_i)$, that is, the random numbers are no longer secret, reversal is trivial.

Furthermore, this one-way function does not have the nice properties of most cryptographically-secure hashing functions such as collision-resistance. Moreover, we have the situation that $f(r_i,s_k)\neq f(r_j,s_k)$. This means that a same value $s_k$ gets hashed to two different values. And $f(r_i,s_i) = f(r_j,s_j)$ is common.

Answer 4

Would it be as easy as suggesting for example the Sine function?

Because for a given input and output the input can be increased or decreased by 360 degrees (or 2 pi if you're into radians) it is many-to-one, so you can never be sure which input you had?

Do tell me if I've misunderstood the question though.