9

Given that $f$ is a OWF and $|f(x)|=|x|$ for all $x$, is $g(x)=f(x)\oplus x$ necessarily also a OWF?

Pqqwetiqe

2 Answers

15

While poncho's answer gives an interesting example of why this can go wrong in practice, it does not necessarily answer the question from a theoretical point of view. After all, we don't know whether $f(x) = AES_k(x) \oplus x$ is one-way. (Even if it might be reasonable to assume that.)

So, let's give a theoretical example. Assume that a one-way function $h$ exists where in- and output length are the same. We call this length $n/2$. I.e. we have a one-way function $$h : \{0,1\}^{n/2} \to \{0,1\}^{n/2}.$$

From this function, we now construct a new function $$f : \{0,1\}^{n} \to \{0,1\}^{n}$$ as follows: $$f(x_1\Vert x_2) = 0^{n/2}\Vert h(x_1),$$ where $|x_1|=|x_2|=n/2$.

It is easy to show via reduction that $f$ is one-way whenever $h$ is one-way. Let $\mathcal{A}$ be an attacker against the one-wayness of $f$, then we construct an attacker $\mathcal{B}$ against the one-wayness of $h$ as follows: Upon input of $y$, $\mathcal{B}$ invokes $\mathcal{A}$ on input $0^{n/2}\Vert y$. Eventually, $\mathcal{A}$ outputs $x_1'\Vert x_2'$ and $\mathcal{B}$ outputs $x_1'$.

It is trivial to see that if $\mathcal{A}$ runs in polynomial time (in input length $n$) then $\mathcal{B}$ also runs in polynomial time (in input length $n/2$).

It is also easy to see the following holds: $$\Pr[\mathcal{B}(y) \in h^{-1}(y)] = \Pr[\mathcal{A}(0^{n/2}\Vert y) \in f^{-1}(0^{n/2}\Vert y)].$$ Therefore it follows that $f$ is one-way whenever $h$ is.

Now let's use this function $f$ in the proposed construction:

$$g(x) = f(x)\oplus x = (0^{n/2}\Vert h(x_1) ) \oplus x_1\Vert x_2 = x_1\Vert (h(x_1)\oplus x_2)$$

This is obviously not one-way. An attacker upon seeing an image $x_1\Vert y$ can simply output $x_1\Vert (y\oplus h(x_1))$ as a valid preimage.

Ilmari Karonen
Maeher
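The counterexample from the answer above, run concretely, as an added example that is not part of the original post. Truncated SHA-256 stands in for the assumed one-way function $h$ (an assumption made only for this sketch), and `HALF` and all function names are hypothetical; `invert_g` is the attacker from the answer's last paragraph.

```python
import hashlib
import os

HALF = 16  # n/2 in bytes; constructed parameter for this sketch


def h(x1: bytes) -> bytes:
    """Stand-in for the assumed OWF h (assumption: truncated SHA-256)."""
    if len(x1) != HALF:
        raise ValueError("h expects exactly n/2 bytes")
    return hashlib.sha256(x1).digest()[:HALF]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def f(x: bytes) -> bytes:
    """f(x1 || x2) = 0^{n/2} || h(x1); x2 is ignored entirely."""
    return bytes(HALF) + h(x[:HALF])


def g(x: bytes) -> bytes:
    """g(x) = f(x) XOR x = x1 || (h(x1) XOR x2)."""
    return xor(f(x), x)


def invert_g(image: bytes) -> bytes:
    """Attacker: x1 is readable in the image, so h(x1) can be stripped off."""
    x1, y = image[:HALF], image[HALF:]
    return x1 + xor(y, h(x1))


def reduction_b(y: bytes, adversary_a) -> bytes:
    """B from the reduction: wraps any f-inverter A into an h-inverter."""
    return adversary_a(bytes(HALF) + y)[:HALF]


def check_inverter(trials: int = 100) -> bool:
    """Confirm invert_g returns a valid preimage of g on random inputs."""
    for _ in range(trials):
        image = g(os.urandom(2 * HALF))
        if g(invert_g(image)) != image:
            return False
    return True


if __name__ == "__main__":
    print("g inverted on every trial:", check_inverter())
```

Inverting $g$ costs one evaluation of $h$ and never inverts $h$ itself, which is why the one-wayness of $f$ does not carry over.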
7

No, you can find $f$ such that $f(x)$ is a OWF, but $f(x)\oplus x$ is not.

One example would be $f(x) = AES_k(x) \oplus x$ (for a public key $k$, perhaps the all-zeros key). $f(x)$ is believed to be one-way, as there is no known practical way, given a value $y$, to find an $x$ with $f(x) = y$. However, $g(x) = f(x) \oplus x = AES_k(x)$ is easy to invert (because we know the AES key $k$).

poncho