Associative One-Way Functions: A New Paradigm for Secret-Key Agreement and Digital Signatures

We propose associative one-way functions as a new cryptographic paradigm for exchanging secret keys and for signing digital documents. First, we precisely deene these functions and establish some of their basic properties. Next, generalizing a theorem of Selman, we constructively prove that they exist if and only if P 6 = NP. In addition, we exhibit an implementation based on integer multiplication. We present a novel protocol that enables two parties to agree on a secret key, and we discuss the security of this protocol. Finally, we generalize our protocol to enable two or more parties to agree on a secret key, and we present a similar protocol for signing documents. Given any honest binary function : S S ! S on the message space S = f0; 1g , we say that is associative one-way if: 1) for all x; y; z 2 S, x(yz) = (xy)z; and 2) is polynomial-time computable, but inverting is not. We say that is strong if inverting x y remains hard when given x or y. With any strong associative one-way function on the message space M = f0; 1g n , Alice and Bob can agree on a secret key in M as follows. 1) Alice selects x; y 2 M at random and sends xy and y to Bob. 2) Bob selects z 2 M at random and sends y z to Alice. 3) Alice computes k A = x(yz) and Bob computes k B = (xy)z. The associativity of implies k A = k B , which value Alice and Bob adopt as their secret key. For digital signatures, Alice selects a pair of numbers x A ; y A 2 M at random, places (y A ; x A y A) in an authenticated public directory , and keeps x A secret. To sign any message m 2 M, Alice computes m x A. To verify the message-signature pair (m; m x A), Bob obtains y A and x A y A from the public directory and checks if (m x A) y A = m (x A y A).