Self-masking for hardening inversions

Paweł Cyprys, Shlomi Dolev, Shlomo Moran

Research output: Contribution to journal › Article › peer-review

Abstract

The question of whether one-way functions (i.e., functions that are easy to compute but hard to invert) exist is arguably one of the central problems in complexity theory, from both theoretical and practical aspects. While proving that such functions exist could be hard, there have been quite a few attempts to provide functions that are one-way "in practice", namely, they are easy to compute, but there are no known polynomial time algorithms that compute their (generalized) inverse (or for which computing the inverse is as hard as notoriously difficult tasks, like factoring very large integers). In this paper, we introduce the self-masking technique, which converts polynomial time computable functions to functions that are likely to be harder to invert. The technique is first defined for univalent functions (note that one-way functions that are univalent are basic ingredients for cryptographic protocols). Informally, a self-masked version of a univalent function f, denoted [f], replaces two masking substrings of f(x) by their XOR. The masking substrings are critical if [f] remains univalent (w.h.p.). Thus, when the masking substrings are critical, inverting [f](x) is at least as hard as reconstructing the masking substrings from their XOR. We apply this technique to functions based on variants of the subset sum problem and obtain functions that resist known techniques for inverting the original, unmasked functions (see, e.g., [13]). Applications of this technique to other functions, as well as its extension to multivalent functions, are also discussed.
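The following toy is an added illustration of the self-masking step described in the abstract; it is not the paper's construction and is not code from the authors. It assumes a small subset-sum style f built from a constructed, superincreasing weight list (so f is univalent by construction), a fixed 12-bit output encoding, and a constructed choice of the two masking windows (positions i, j and width k are this example's assumption; the abstract fixes only that the two substrings are replaced by their XOR). The domain is tiny so that brute-force inversion and a univalence check are feasible, which shows the information the mask removes and the 2^k window pairs an inverter of [f] would have to disambiguate.

```python
from itertools import product

# Constructed public instance: a superincreasing weight list, so every
# subset has a distinct sum and f is univalent (injective) on its domain.
WEIGHTS = [3, 5, 11, 23, 47, 95, 191, 383]
OUT_BITS = 12            # fixed output width; the maximum sum is 758 < 2**12
N = len(WEIGHTS)


def f(x):
    """Subset-sum style function (constructed stand-in for the paper's f):
    x is a 0/1 tuple selecting weights; the output is the sum as a bit string."""
    assert len(x) == N
    s = sum(w for w, bit in zip(WEIGHTS, x) if bit)
    return format(s, f"0{OUT_BITS}b")


def xor_bits(a, b):
    """Bitwise XOR of two equal-length '0'/'1' strings."""
    assert len(a) == len(b)
    return "".join("1" if p != q else "0" for p, q in zip(a, b))


def self_mask(y, i, j, k):
    """Self-masking of an output string y: the two disjoint windows
    y[i:i+k] and y[j:j+k] are replaced by their XOR, so the result is
    k bits shorter. Window placement is this example's assumption."""
    assert 0 <= i and i + k <= j and j + k <= len(y)
    return y[:i] + xor_bits(y[i:i + k], y[j:j + k]) + y[i + k:j] + y[j + k:]


def masked_f(x, i=1, j=7, k=4):
    """[f](x): the self-masked version of f with the constructed window choice."""
    return self_mask(f(x), i, j, k)


def all_inputs():
    return product((0, 1), repeat=N)


def preimages(fn, target):
    """Brute-force inversion over the tiny domain: every x with fn(x) == target."""
    return [x for x in all_inputs() if fn(x) == target]


def is_univalent(fn):
    """True iff fn is injective on the whole domain (feasible only because
    the domain here has 2**8 inputs)."""
    outputs = [fn(x) for x in all_inputs()]
    return len(set(outputs)) == len(outputs)


def window_pairs_with_xor(z):
    """All (a, b) window pairs whose XOR equals z: the ambiguity an inverter
    of [f] faces when reconstructing the masking substrings from their XOR.
    There are 2**k candidates for a k-bit masked window."""
    k = len(z)
    pairs = []
    for bits in product("01", repeat=k):
        a = "".join(bits)
        pairs.append((a, xor_bits(a, z)))
    return pairs


if __name__ == "__main__":
    x = (1, 0, 1, 0, 0, 1, 0, 1)
    print("f(x)   =", f(x))
    print("[f](x) =", masked_f(x))
    print("f univalent:", is_univalent(f), "| [f] univalent:", is_univalent(masked_f))
    print("preimages of [f](x):", len(preimages(masked_f, masked_f(x))))
    print("window pairs consistent with XOR 0101:", len(window_pairs_with_xor("0101")))
```

Whether [f] stays univalent for a given window choice is exactly the "critical masking substrings" question from the abstract; running the script with other (i, j, k) settings or weight lists shows that some choices collapse distinct inputs onto one masked output while others do not, and for real-sized instances the check above is infeasible, which is why the paper speaks of univalence holding with high probability rather than verifying it exhaustively.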

Original language: English
Article number: 115094
Journal: Theoretical Computer Science
Volume: 1032
State: Published - 29 Mar 2025

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science
