**Hardness of Computing Individual Bits for One-way Functions on Elliptic Curves**

*Alexandre Duc and Dimitar Jetchev*

**Abstract: **We prove that if one can predict any of the bits of the input to an elliptic curve based one-way function over a finite field, then we can invert the function. In particular, our result implies that if one can predict any of the bits of the input to a classical pairing-based one-way function with non-negligible advantage over a random guess then one can efficiently invert this function and thus, solve the Fixed Argument Pairing Inversion problem (FAPI-1/FAPI-2). The latter has implications on the security of various pairing-based schemes such as the identity-based encryption scheme of BonehFranklin, Hess’ identity-based signature scheme, as well as Joux’s three-party one-round key agreement protocol. Moreover, if one can solve FAPI-1 and FAPI-2 in polynomial time then one can solve the Computational Diffie–Hellman problem (CDH) in polynomial time.
Our result implies that all the bits of the functions defined above are hard-to-compute assuming these functions are one-way. The argument is based on a list-decoding technique via discrete Fourier transforms due to Akavia–Goldwasser–Safra as well as an idea due to Boneh–Shparlinski.

**Category / Keywords: **One-way function, hard-to-compute bits, bilinear pairings, elliptic curves, fixed argument pairing inversion problem, Fourier transform, list decoding.

**Publication Info: **CRYPTO 2012 paper full version

**Date: **received 17 Jun 2011, last revised 21 May 2012

**Contact author: **dimitar jetchev at epfl ch

**Available format(s): **Postscript (PS) | Compressed Postscript (PS.GZ) | PDF | BibTeX Citation

**Version: **20120521:092451 (All versions of this report)

**Short URL: **ia.cr/2011/329

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]