Bounds on the Efficiency of Generic Cryptographic Constructions∗ Rosario Gennaro† Yael Gertner‡ Jonathan Katz§ Luca Trevisan¶ Abstract A central focus of modern cryptography is the construction of efficient, “high-level” cryptographic tools (e.g., encryption schemes) from weaker, “low-level” cryptographic primitives (e.g., one-way functions). Of interest are both the existence of such constructions, and their efficiency. Here, we show essentially-tight lower bounds on the best possible efficiency of any black-box construction of some fundamental cryptographic tools from the most basic and widely-used cryptographic primitives. Our results hold in an extension of the model introduced by Impagliazzo and Rudich, and improve and extend earlier results of Kim, Simon, and Tetali. We focus on constructions of pseudorandom generators, universal one-way hash functions, and digital signatures based on one-way permutations, as well as constructions of public- and private-key encryption schemes based on trapdoor permutations. In each case, we show that any black-box construction beating our efficiency bound would yield the unconditional existence of a one-way function and thus, in particular, prove P 6= N P . 1 Introduction A central focus of modern cryptography is the construction of “high-level” cryptographic protocols and tools that are both provably secure and efficient. Generally speaking, work proceeds along two lines: (1) demonstrating the feasibility of a particular construction, based on the weakest possible primitive; and (2) improving the efficiency of such constructions, either based on the weakest primitive for which a construction is known or perhaps by assuming the existence of a stronger primitive. The first of these approaches has been immensely successful; for example, the existence of one-way functions is known to be sufficient for constructing pseudorandom generators [8, 42, 22, 27], pseudorandom functions [21], ∗ This work appeared in preliminary form as [15, 14]. rosario@watson.ibm.com. IBM T.J. Watson Research Center. ‡ ygertner@uiuc.edu. Department of Psychology, University of Illinois at Urbana-Champaign. Work done while in the Dept. of Computer and Information Science, University of Pennsylvania. § jkatz@cs.umd.edu. Department of Computer Science, University of Maryland. Portions of this work were done while at DIMACS. ¶ luca@eecs.berkeley.edu. Computer Science Division, UC Berkeley. Work done while at Columbia University. This research was supported by NSF grant CCR 9984703. † 1 universal one-way hash functions and digital signature schemes [36, 38], private-key encryption schemes and message-authentication codes [20], and commitment schemes [35]. In each of these cases one-way functions are also known to be necessary [30, 38], thus exactly characterizing the feasibility of these constructs. Unfortunately, progress on the second approach — i.e., improving the efficiency of these constructions — has been much less successful. Indeed, while the constructions referenced above are all important from a theoretical point of view, their practical impact has been limited due to their inefficiency. In practice, more efficient constructions based on stronger assumptions (or, even worse, heuristic solutions with no proofs of security) tend to be used. Furthermore, relying on stronger assumptions (or resorting to heuristic solutions) seems necessary to obtain improved efficiency; for each of the examples listed above, no provablysecure constructions based on general assumptions are known which improve upon the efficiency of the initial solutions. This trade-off between the efficiency of a cryptographic construction and the strength of the complexity assumption on which it relies motivates the question: How efficient can cryptographic constructions be when based on general assumptions? We show in this paper that, in fact, the efficiency of many of the known constructions based on general assumptions cannot be improved without using non-black-box techniques, or finding an unconditional proof that one-way functions exist (and hence proving P 6= N P ). Our results hold in a generalization of the Impagliazzo-Rudich model [31], introduced by those authors in the context of proving impossibility results for the existence of certain black-box cryptographic constructions (see Section 1.3 for further discussion). Following their work, a number of additional black-box impossibility results have appeared [40, 41, 16, 32, 17, 13]. Kim, Simon, and Tetali [33] initiated work focused on bounding the efficiency of black-box cryptographic constructions (rather than their existence), and their work provided the original inspiration for our research. We compare our results with those of Kim, et al. in the following section. 1.1 Our Results Informally, we say a permutation π : {0, 1}n → {0, 1}n is one-way with security S if any circuit of size1 at most S inverts π with probability less than 1/S (one can think of S as a slightly super-polynomial function of n but our results hold for any choice of S). In this work, we consider two types of black-box constructions, described informally now and discussed in more detail in Section 1.3. Following the terminology introduced in [37], a semi black-box construction (based on a one-way permutation) is an oracle procedure P (·) such that, for any one-way permutation f given as an oracle, (1) P f has the desired functionality and (2) P f is “secure” (in some appropriate sense) against every efficient (oracle) adversary Af even when considering adversaries given oracle access to f . In contrast, a weak black-box construction is an oracle procedure P (·) satisfying (1) as before but for which, for any oneway permutation f given as an oracle, the only guarantee is that (2) P f is “secure” against efficient adversaries A that are not given oracle access to f . Both notions preclude using the code (or circuit) of the one-way permutation f in the construction; roughly speaking (see [37] for further elaboration), semi black-box constructions also rule out the use of 1 We let the size of a circuit refer to the number of gates the circuit has. 2 the adversary’s code in the security reduction (whereas weak black-box constructions do not). Clearly, any semi black-box construction is also a weak black-box construction and so impossibility results for the latter are stronger than impossibility results for the former. Given these definitions, our results may be summarized informally as follows. Pseudorandom generators (PRGs). Let U ℓ denote the uniform distribution over ℓ-bit strings. A PRG is a deterministic, length-increasing function G : {0, 1} ℓ → {0, 1}ℓ+k such that G(Uℓ ) is computationally indistinguishable (by poly-time algorithms) from U ℓ+k . The notion of a PRG was introduced by Blum and Micali [8] and Yao [42], who showed that PRGs can be constructed from any one-way permutation. This was subsequently improved by Håstad, et al. [27], who show that a PRG can be constructed from any one-way function. The Blum-Micali-Yao construction, using a later improvement of Goldreich and Levin [22] (see also [18, Section 2.5.3]), requires Θ(k/ log S) invocations of a one-way permutation with security S in order to construct a PRG stretching its input by k bits. This is the best known efficiency for constructions based on arbitrary one-way permutations. We show that this is essentially the best efficiency that can be obtained using black-box constructions. More formally, we show that any weak black-box construction of a PRG that stretches its input by k bits while making o(k/ log S) invocations of a one-way permutation with security S implies the unconditional existence of a PRG (i.e., without any invocations of the one-way permutation). Put another way, the only way to design a more efficient construction of a PRG is to design a PRG from scratch! This would in particular imply the unconditional existence of a one-way function, as well as a proof that P 6= N P . (Families of ) universal one-way hash functions (UOWHFs). A UOWHF H = {h s } is a family of length-decreasing functions (all defined over the same domain and range) such that for any input x and random choice of h i ∈ H it is hard to find a collision (i.e., an x′ 6= x such that hi (x′ ) = hi (x)). UOWHFs were introduced by Naor and Yung [36], who show that UOWHFs suffice to construct secure signature schemes and furthermore show how to construct the former from any one-way permutation. Rompel [38] later gave a construction of UOWHFs, and hence signature schemes, based on any one-way function. The Naor-Yung construction requires one invocation of the one-way permutation per bit of compression; that is, if hi : {0, 1}ℓ+k → {0, 1}ℓ (for all hi ∈ H), then evaluating hi requires k invocations of the one-way permutation. This can be improved easily to obtain a construction making Θ(k/ log S) invocations to compress by k bits. We show that this, too, is essentially optimal. In particular, any semi black-box construction of a UOWHF whose hash functions compress their input by k bits yet can be evaluated using o(k/ log S) invocations of a one-way permutation (with security S) implies the unconditional existence of a UOWHF. Since the existence of UOWHFs implies the existence of one-way functions, this consequence would again imply a proof of P 6= N P . This improves upon the work of Kim, Simon,pand Tetali [33], who show a similar result but only for the case of constructions making o( k/ log S) invocations of a one-way permutation. Encryption schemes. PRGs and UOWHFs may be viewed as 1-party, or “stand-alone”, cryptographic primitives for which there is no inherent notion of “interaction”. We also explore the efficiency of 2-party protocols, including those used in a “public-key” setting. A public-key encryption scheme for m-bit messages is semantically-secure [25] if for any two messages M0 , M1 ∈ {0, 1}m the distribution over encryptions of M 0 is computationally 3 indistinguishable from the distribution over encryptions of M 1 , even when given the public key as input. A similar definition (but with no public key) holds for the case of private-key encryption. Public-key encryption schemes constructed using the hard-core bit paradigm [8, 7, 22, 42] require Θ(m/ log S) invocations of a trapdoor permutation to encrypt an mbit message. Similarly, private-key encryption schemes constructed using this paradigm require Θ( m−k log S ) invocations of a one-way permutation, where k is the length of the shared key. The same bound holds in the private-key case even if one is willing to use the stronger assumption of a trapdoor permutation. We show that the above constructions are essentially the best possible (at least, for the notions of security considered above). For the case of public-key encryption, we show that any weak black-box construction supporting encryption of m-bit messages requires Ω(m/ log S) invocations of the trapdoor permutation for the encryption algorithm alone (i.e., in addition to any invocations made during the key-generation phase). Using related techniques, we also show that any weak black-box construction of a private-key encryption scheme — even when based on trapdoor permutations — which securely encrypts m-bit messages using a k-bit key must query its permutation oracle Ω( m−k log S ) times. In each case, we show that any weak black-box construction beating our bound would imply the unconditional existence of a one-way function (from which a secure private-key encryption scheme, with no reliance on an oracle, can be derived), and hence a proof that P 6= N P . Signature schemes. We say a one-time signature scheme is secure if no efficient adversary can forge a valid signature on a new message after seeing a signature on a single, random message (we remark that it is easy to covert any such scheme to one that is secure when an adversary sees a signature on a single, chosen message: run two of the “basic” schemes in parallel to obtain keys (P K1 , SK1 ), (P K2 , SK2 ) and set P K = (P K1 , P K2 ); to sign a message M ∈ {0, 1}m choose random r ∈ {0, 1}m , sign r using SK1 , sign r ⊕ M using SK2 , and output both signatures). Of course, lower bounds on one-time schemes immediately extend to schemes satisfying stronger definitions of security [26]. We show that in any semi black-box construction of a one-time signature scheme for messages of length m based on a one-way permutation, the verification algorithm must evaluate the one-way permutation Ω(m/ log S) times. As before, any semi black-box construction beating our bound implies the unconditional existence of a one-way function (from which a secure signature scheme requiring no oracle access can be constructed). We observe that there exist one-time signature schemes essentially meeting our lower bound; see Section 4.5 for further discussion. 1.2 Overview of Our Techniques We prove our results in an extension of the model of Impagliazzo and Rudich [31, 39]. Among other things, Impagliazzo and Rudich prove that a semi black-box construction of a secure key-exchange protocol based on a one-way permutation would inherently yield a proof that P 6= N P , and hence it is presumably “hard” to come up with such a construction. (This was later strengthened by Reingold, et al. [37], who proved unconditionally that there exists no semi black-box construction of a key-exchange protocol based on one-way permutations.) Our results are in the same vein, but are in many respects even stronger. For one, some of our impossibility results concern the larger class of weak black-box constructions. Furthermore, 4 in all cases we show that constructions beating our bounds would imply the unconditional existence of a one-way function; this is stronger than the results of Impagliazzo-Rudich both because the existence of a one-way function is not known to be implied by P 6= N P , and also because (in all but one case) a one-way function suffices to give an unconditional construction of the object under consideration. Finally, we stress that Impagliazzo and Rudich were concerned with the question of feasibility, while we are concerned with questions of efficiency. Each of our proofs hinges on a technical result that has not been stated or proved previously: a random permutation on t-bit strings is, with high probability, one-way with security 2Ω(t) even against non-uniform adversaries. For the related case of random functions, a similar result has been proven by Impagliazzo and Rudich [31] in the (much simpler) uniform case, and by Impagliazzo [29] in the non-uniform case. 2 We also show a similar result for the case of trapdoor permutations. Using this result, we now describe the intuition behind our lower bound using the case of PRGs as an example. Given a secure construction G of a PRG having oracle access to a one-way permutation over n-bit strings, we run G with a permutation oracle that randomly permutes its first t = Θ(log S) bits while leaving the remaining n − t bits unchanged. It follows from the technical result above that with high probability such a permutation is one-way with security S, and hence G is secure when run with a permutation chosen from this distribution. Let q be the number of queries made by G to its oracle. The key point of our proof is to notice that the answers to these q oracle queries can be “simulated” by a deterministic function G′ itself (i.e., without access to any oracle) if q · t random bits, representing the t-prefixes of the q answers to G’s oracles queries, are included as part of the seed of G′ . The distribution on the output of G′ (over random choice of seed) is essentially identical to that of the output of G (over random seed, and random choice of oracle as above), and is thus indistinguishable from uniform. Finally, if q is “small” then the seed-length does not grow “too much” and the input of G ′ remains shorter than its output. But this means that G′ is an unconditional PRG which does not require any oracle access (a corollary of which is a proof that P 6= N P ). Additional technical work is needed to prove our bounds on UOWHFs, public-key encryption schemes, and digital signature schemes. In the latter two cases in particular, which are in a “public-key” setting, there is no “seed” as part of which to include the necessary randomness for answering oracle queries, and thus no immediate way to apply the above technique. The proofs of our lower bounds in these cases follow a slightly different approach. In the case of public-key encryption, for example, we show that a scheme making fewer than the prescribed number of queries can be used to construct (unconditionally) a secure private-key encryption scheme in which the key is shorter than the message. Moving from the public-key to the private-key setting circumvents the issues above, and enables the necessary randomness to be included as part of the shared key without compromising the functionality or the security of the scheme. Unfortunately, our result in this case is somewhat weaker than what we obtain in all other cases; namely, we show that a public-key encryption scheme making “few” black-box oracle queries exists only if a secure privatekey encryption scheme (or, equivalently, a one-way function) exists unconditionally. This 2 Although one could derive our result from Impagliazzo’s result and the fact that a random function is indistinguishable from a random permutation, our proof is quite different and a bit simpler. 5 is, of course, weaker than showing the unconditional existence of a secure public-key encryption scheme. We stress that for the case of PRGs, UOWHFs, private-key encryption schemes, and signature schemes, constructions beating our bounds imply the existence of an unconditional construction for each of these tasks. 1.3 Black-Box Lower Bounds and Impossibility Results We provide here a brief discussion regarding the notion of “black-box constructions”. Our presentation adapts the recent definitional work of Reingold, et al. [37], simplifying their definitions when appropriate for the present context. The discussion here is relatively informal, and we have chosen to provide definitions specific to each primitive in the relevant sub-sections of Section 4 rather than providing a single, generic definition as in [37]. At a high level, a construction P of a primitive based on, say, a one-way permutation is a procedure which takes as “input” a permutation f and outputs a (description of a) circuit 3 having some desired functionality. Informally, a construction P uses f as a black-box if P relies only on the input/output characteristics of the provided function f and not on any internal structure of the circuit computing f ; formally, this means the construction can be described as an oracle procedure P (·) such that P f itself realizes the desired functionality. In addition to correctness (i.e., the requirement that P f has the desired functionality for any permutation f ), a construction also provides some guarantee with regard to the security of the resulting implementation P f . We say P is a semi black-box construction if the following holds: For any hard-to-invert permutation f , the implementation P f is “secure” (in some sense appropriate for the primitive being constructed) against all efficient adversaries, even those given oracle access to f . In contrast, P is a weak black-box construction if the following relaxed definition holds: For any hard-to-invert permutation f , the implementation P f is “secure” against all efficient adversaries (who are not given oracle access to f ). The distinction between whether an adversary is given oracle access to f or not is important since the above are required to hold even when f is not efficiently computable (and so the only way for an efficient adversary to evaluate f , in general, may be via oracle access to f ). We hasten to point out, however, that even weak black-box constructions suffice to give implementations with meaningful security guarantees in the real world: in this case, f will be efficiently-computable and furthermore an explicit circuit for f will be known; hence, it is irrelevant whether an adversary is given oracle access to f or not. Clearly, any semi black-box construction is also a weak black-box construction and hence impossibility results for the latter are stronger. Indeed, Reingold, et al. [37] show that (1) a semi black-box construction of key-exchange from one-way functions is unconditionally impossible, yet (2) (informally) if the statement “one-way functions imply key exchange” is true, then there does exist a weak black-box construction of key exchange (for a singlebit key) from one-way functions. Roughly speaking, a difference between semi black-box 3 For simplicity, the present discussion is phrased in terms of circuits rather than Turing machines although similar definitions could be made in the latter case as well. 6 and weak black-box constructions is with regard to whether the circuits of adversaries attacking P f can be used in the security reduction (i.e., the proof that P is secure). In more detail: typical security proofs for a construction P proceed by showing via reduction how any efficient adversary AP “breaking” the security of P f can be used to construct an efficient adversary Af inverting f . Since the latter is impossible by assumption on f , this implies that no AP with the claimed properties exists. If the reduction relies only on the input/output characteristics of A P , we refer to this as a reduction which uses the adversary as a black-box. In contrast, a reduction which relies on knowledge of the circuit for A P is said to make non-black-box use of the adversary. A security reduction for a weak black-box construction may potentially make non-black-box use of the adversary. As argued in [37], however, security reductions for semi black-box constructions are essentially restricted to using the adversary as a black-box (see [37] for further discussion). Non-black-box constructions. Black-box constructions form an important subclass, since most cryptographic constructions are black-box (indeed, most known constructions are fully black-box [37], a notion which is even more restrictive than semi black-box). We stress, however, that a number of non-black-box cryptographic constructions are known. 4 The examples of which we are aware occur in two ways: due to the use of generic zeroknowledge proofs (of knowledge) [23, 12, 4] or due to the use of generic protocols for secure computation [43, 24]. As an illustrative example: let L f denote the image of a function def f ; i.e., Lf = {y|y = f (x)}. A cryptographic protocol which utilizes a zero-knowledge proof that y ∈ Lf (for f a one-way function, say) requires the parties to agree on a circuit computing f and is thus inherently non-black-box. 5 Examples of non-black-box constructions where zero-knowledge proofs of this sort are used include a construction of an identification protocol based on one-way functions [12], a signature scheme based on non-interactive zero-knowledge [5], and all known constructions of chosen-ciphertext-secure encryption schemes from trapdoor permutations (e.g., [11]). Furthermore, protocols for distributed computation (without honest majority) tolerating computationally-bounded, malicious adversaries [24, 43] are themselves non-black-box 6 (this is in contrast to the case of zero-knowledge proofs; cf. footnote 5). Knowledge of the circuit computing f is also necessary if one wants to evaluate f in a secure, distributed fashion (e.g., if two parties with respective inputs x 1 , x2 want to evaluate y = f (x1 ⊕ x2 ) without revealing any more information about their inputs than what is revealed by y itself). Thus, a generic construction of a threshold cryptosystem [10] based on a family F of trapdoor permutations (in which the parties share the trapdoor for inverting a single member of this family) would inherently make non-black-box use of the underlying circuit(s) for F . Another example is a result of Beaver [3] which makes non-black-box use 4 We focus here on constructions making non-black-box use of an underlying function f , rather than on constructions whose security analysis makes non-black-box use of the adversary (as in [1, 2]). 5 Note that constructions of zero-knowledge proofs for N P (e.g., [23]) are themselves black-box in their usage of primitives such as one-way functions. The issue is that a proof for the language of interest — e.g., Lf in the example in the text — cannot be given unless a (poly-size) circuit computing f is available. 6 For example: although the well-known protocol for oblivious transfer secure against semi-honest adversaries [19, Sec. 7.3.2] makes black-box use of trapdoor permutations, adapting the protocol (using zeroknowledge proofs) to ensure security against malicious adversaries involves non-black-box use of the circuit for the trapdoor permutation. 7 of a one-way function f to extend “few” oblivious transfers into “many”. Given the above, a black-box impossibility result cannot be said to rule out the feasibility of a particular construction. Yet, it is unclear how non-black-box techniques can help outside the domains mentioned above (i.e., generic use of zero-knowledge proofs or secure computation). Furthermore, a black-box impossibility result is useful insofar as it indicates the type of techniques that will be necessary to achieve a desired result, or, conversely, the type of techniques that are ruled out. Finally, it is fair to say that non-black-box constructions are much less efficient than black-box ones (this is certainly the case for all the examples given above, and we are aware of no exceptions), and thus a black-box impossibility result does seem to rule out constructions likely to be practical. 1.4 Future Work and Open Problems This work suggests a number of intriguing research directions. The results given here suggest that assuming only the existence of one-way permutations (or, in some cases, even trapdoor permutations) may be too weak of a computational hypothesis to obtain efficient cryptographic constructions. Thus, stronger assumptions may be needed to build practical schemes. It is important to explore the “minimal” such assumptions necessary to achieve greater efficiency, as well as to bound the maximum achievable efficiency even when such stronger assumptions are made. For example: what additional efficiency is possible if homomorphic one-way permutations (i.e., permutations over a group G satisfying f (ab) = f (a)f (b) for all a, b ∈ G) are assumed? In a related vein, it will be interesting to explore more efficient constructions based on specific number-theoretic assumptions. As will be evident from our proof techniques, the efficiency limitations of constructions based on arbitrary (trapdoor) one-way permutations stem from the fact that a one-way permutation may have security S even if it has only Θ(log S) “hard-core” bits. (Actually, we use “pathological” functions of this form to prove our lower bounds.) But specific one-way permutations and trapdoor permutations with Θ(n) hard-core bits are known under suitable number-theoretic assumptions (e.g., [28, 9]). Given such functions, we know how to construct PRGs and semantically-secure private- and public-key encryption schemes with improved efficiency. It remains open, however, whether such functions can also be used to improve the efficiency of digital signature schemes or (say) public-key encryption schemes achieving chosen-ciphertext security. The present work also leaves some more concrete open questions. First, can bounds on the efficiency of other cryptographic constructions (e.g., commitment schemes) also be given? Additionally, our lower bounds essentially match known upper bounds only for schemes achieving relatively weak notions of security: namely, semantic security for encryption of a single message in the case of encryption and one-time security for the case of signatures. What can be said about schemes achieving stronger notions of security? Examples of interest include private-key encryption schemes secure when polynomially-many messages are encrypted (this seems related to the efficiency of pseudorandom functions, for which a gap remains between known upper and lower bounds), public-key encryption schemes satisfying various flavors of non-malleability/security against chosen-ciphertext attacks, and signature schemes secure when polynomially-many messages are signed. Finally, our bound for signatures pertains to the efficiency of signature verification. It 8 would be nice to have corresponding bounds for the efficiency of key-generation/signing. 2 Definitions and Preliminaries In this section, we review some notation and definitions for the various standard cryptographic primitives considered in this work. Appropriate definitions of “black-box” constructions are deferred to the relevant sections containing our lower bounds. In what follows, we consider a number of definitions of “(S, ε)-security” having the form “no circuit of size S can have advantage better than ε”, where “advantage” is defined in some appropriate way. In each of the cases considered here, the existence of an (S, ε)-secure scheme for any ε < 1 implies the existence of an (S ′ , ε′ )-secure scheme for an arbitrarily small ε′ > 0. For this reason, in all our lower bounds we content ourselves with showing the existence of an (S, ε)-secure construction for an arbitrary ε < 1. All our results are stated and proved in the non-uniform setting for simplicity only; we stress that they extend immediately to the uniform setting as well. Indeed, it is for this reason that we claim that constructions beating our efficiency bounds imply the existence of one-way functions and P 6= N P . For example: Theorem 4.2 states only that the existence of a certain PRG construction G(·) : {0, 1}ℓ → {0, 1}ℓ+k based on a permutation ′ π : {0, 1}n → {0, 1}n implies the unconditional existence of a PRG G ′ : {0, 1}ℓ → {0, 1}ℓ+k . Essentially the same proof, however, also shows that a certain construction of a PRG family (·) {Gi : {0, 1}ℓ(i) → {0, 1}ℓ(i)+k(i) } based on a one-way permutation family {π i : {0, 1}n(i) → (·) {0, 1}n(i) }, where Gi can be evaluated by a uniform algorithm in polynomial time (in i), ′ implies the unconditional existence of a PRG family {G ′i : {0, 1}ℓ (i) → {0, 1}ℓ(i)+k(i) }, where again each G′i can be evaluated by a uniform algorithm in polynomial time. 2.1 One-Way Permutations and Trapdoor Permutations One-way functions/permutations. We say that a function π : {0, 1} n → {0, 1}n is (S, ε)-one way if for every circuit A of size ≤ S we have Pr x [A(f (x)) ∈ f −1 (f (x))] ≤ ε. When f is given as an oracle, we provide A with access to f and write this as A f . To reduce the number of parameters, we will call a function S-hard if it is (S, 1/S)-one way. Let Πt denote the set of all permutations over {0, 1} t . In Section 3.1 we prove: Theorem 2.1 For all sufficiently large t, a random π ∈ Π t is 2t/5 -hard with probability at t/2 least 1 − 2−2 . For t ≤ n, let Πt,n denote the subset of Πn such that π ∈ Πt,n iff π(a, b) = (π̂(a), b) for some π̂ ∈ Πt (that is, π permutes the first t bits of its input, while leaving the remaining n − t bits fixed). An immediate corollary of the above theorem is that if t = 5 log S, then for any n ≥ t a random π ∈ Πt,n is S-hard with very high probability. Corollary 2.2 For all sufficiently large t and any n ≥ t, a random π ∈ Π t,n is 2t/5 -hard t/2 with probability greater than 1 − 2−2 . (One-way) trapdoor permutations. Our model for trapdoor permutations is somewhat more involved. We represent a family of trapdoor permutations as a tri-partite oracle 9 τ = (G, F, F −1 ). Informally, G corresponds to the key generation oracle which when queried on a string td (intended as a “trapdoor”) produces the corresponding public key k. The oracle F is the actual trapdoor permutation, which will be queried on key k and an input x. The oracle F −1 allows inversion of F ; i.e., if G(td) = k and F (k, x) = y, then F −1 (td, y) = x. More formally, consider the class Tn = {τ | τ = (G, F, F −1 )} where: • G ∈ Πn is a permutation over {0, 1}n . (Having G map trapdoors to keys rather than having G map “seeds” to a (trapdoor, key) pair does not affect our results.) • F : {0, 1}n × {0, 1}n → {0, 1}n is an oracle such that, for each k ∈ {0, 1}n , F (k, ·) is a permutation on {0, 1}n . • F −1 : {0, 1}n × {0, 1}n → {0, 1}n is an oracle defined as follows: F −1 (td, y) returns the unique x such that G(td) = k and F (k, x) = y. A uniformly random τ = (G, F, F −1 ) ∈ Tn is chosen in the natural way: G is chosen at random from Πn and, for each k ∈ {0, 1}n , the permutation F (k, ·) is chosen independently at random from Πn . We say that trapdoor permutation family τ = (G, F, F −1 ) is (S, ε)trapdoor one way if for every circuit A of size ≤ S we have Pr [k := G(td) : Aτ (k, F (k, x)) = x] ≤ ε. x,td We say that τ is S-trapdoor one way if it is (S, 1/S)-trapdoor one way. When clear from the context, we will also say that τ is S-hard. Although technically one must always speak of families of trapdoor permutations, we will often abuse terminology and simply refer to a τ ∈ Tn as a trapdoor permutation. In Section 3.2, we prove the following analogue of Theorem 2.1 for trapdoor permutations: Theorem 2.3 For all sufficiently large t, a random τ ∈ T t is 2t/5 -hard with probability t/2 greater than 1 − 2−2 . For t ≤ n, we let Tt,n be the subset of Tn defined as follows: τ = (G, F, F −1 ) ∈ Tt,n iff: • G ∈ Πt,n , and thus G(tda , tdb ) = (Ĝ(tda ), tdb ) for some Ĝ ∈ Πt . • F ((ka , kb ), (xa , xb )) = (F̂ (ka , xa ), xb ), where F̂ (ka , ·) ∈ Πt . Equivalently, F (k, ·) ∈ Πt,n and furthermore this permutation is determined by the first t bits of k. • As before, F −1 (td, y) returns the unique x such that G(td) = k and F (k, x) = y. An immediate corollary of Theorem 2.3 is that if t = 5 log S, then for any n ≥ t a random τ ∈ Tt,n is S-hard with very high probability. Corollary 2.4 For all sufficiently large t and any n ≥ t, a random τ ∈ T t,n is 2t/5 -hard t/2 with probability greater than 1 − 2−2 . 10 2.2 Pseudorandom Generators Two distributions X, Y are (S, ε)-indistinguishable if for every distinguishing circuit Dist of size at most S we have Pr [Dist(x) = 1] − Pr [Dist(y) = 1] ≤ ε. x∈X y∈Y (S,ε) We also write this as X ≈ Y . We say a function G : {0, 1}ℓ → {0, 1}ℓ+k is an (Sg , ε)secure PRG if G(Uℓ ) is (Sg , ε)-indistinguishable from Uℓ+k , where Un denotes the uniform distribution over {0, 1}n . 2.3 Universal One-Way Hash Functions As discussed in the Introduction, a family of universal one-way hash functions (UOWHFs) is a family H of length-decreasing functions such that, for a random function h ∈ H and a random point x in the domain, it is hard (given h, x) to find x ′ 6= x such that h(x′ ) = h(x). More formally, a family H = {hs : {0, 1}ℓ+k → {0, 1}ℓ }s∈{0,1}r of functions is an (S, ε)UOWHF if for every circuit A of size at most S we have ^ Pr[A(s, x, hs (x)) = x′ : x′ 6= x hs (x′ ) = hs (x)] ≤ ε. s,x We will represent such a family as a single function H : {0, 1} r × {0, 1}ℓ+k → {0, 1}ℓ where H(s, x) = hs (x). 2.4 Public- and Private-Key Encryption Public-key encryption. A public-key encryption scheme for m-bit messages is a tuple of algorithms PKE = (Gen, Enc, Dec) having the following functionality: • The key generation algorithm Gen is a probabilistic algorithm which generates a key pair (pk, sk). We say pk is the public key and sk is the secret key. • The encryption algorithm Enc is a probabilistic algorithm which, on input a public key pk and a message M ∈ {0, 1}m , outputs a ciphertext C. • The decryption algorithm Dec is a deterministic algorithm which, on input a secret key sk and a ciphertext C, outputs either a message M ∈ {0, 1} m or ⊥. We also require perfect correctness; that is, for all (pk, sk) output by Gen, all M ∈ {0, 1} m , and all C output by Enc(pk, M ), we have Dec(sk, C) = M . (Our results can be modified appropriately for the case of decryption schemes with error; see the remark following Lemma 4.6.) For M ∈ {0, 1}m , let PKE(M ) denote the distribution on the view of an adversary eavesdropping on the encryption of message M ; i.e., def PKE(M ) = {(pk, sk) ← Gen; C ← Enc(pk, M ) : (pk, C)} . 11 We say that PKE is (Se , ε)-secure if for all M0 , M1 ∈ {0, 1}m we have (Se ,ε) PKE(M0 ) ≈ PKE(M1 ). Note that this corresponds to a definition of indistinguishability, or semantic security [25]. The above can be extended in the natural way to allow for interactive encryption schemes. However, since we do not explicitly consider interactive public-key encryption in this work and since a formal definition of interactive encryption in the private-key setting is given below, we omit the details. Private-key encryption. The model for private-key encryption is an appropriate modification of the above. A private-key encryption scheme for m-bit messages using k-bit keys is a pair of algorithms SKE = (Enc, Dec), where: • The encryption algorithm Enc is a probabilistic algorithm which, on input a key sk ∈ {0, 1}k and a message M ∈ {0, 1}m , outputs a ciphertext C. • The decryption algorithm Dec is a deterministic algorithm which, on input a key sk ∈ {0, 1}k and a ciphertext C, outputs either a message M ∈ {0, 1} m or ⊥. As in the public-key case, we require perfect correctness: i.e., for all sk ∈ {0, 1} k , all M ∈ {0, 1}m , and all C output by Enc(sk, M ), we have Dec(sk, C) = M . (Our results can be modified appropriately for the case of decryption schemes with error; see the remark following Lemma 4.6.) For M ∈ {0, 1}m , denote by SKE(M ) the probability distribution over the view of an adversary eavesdropping on the encryption of message M (where the shared key sk is chosen uniformly at random); i.e., n o def SKE(M ) = sk ← {0, 1}k ; C ← Enc(sk, M ) : C . We say that SKE is (Se , ε)-secure if for all M0 , M1 ∈ {0, 1}m we have: (Se ,ε) SKE(M0 ) ≈ SKE(M1 ). The above can be extended to allow for interactive encryption in the natural way. In this case, Enc and Dec represent interactive Turing machines operating in a sequence of rounds. d For notational convenience, we let T ← Enc(sk, M ) denote the experiment in which random coins ω1 , ω2 are chosen for Enc and Dec, respectively, and T is the transcript resulting from d the interaction of Enc(sk, M ; ω 1 ) with Dec(sk; ω2 ). We also let M ′ ← Dec(sk, M ) denote the final output of Dec at the conclusion of the above experiment. Perfect correctness requires d that Dec(sk, M ) = M with probability 1. In the interactive setting, SKE(M ) denotes the distribution n o def d SKE(M ) = sk ← {0, 1}k ; T ← Enc(sk, M) : T ; definitions for (Se , ε)-security follow in the obvious way. 12 2.5 Signature Schemes A signature scheme for m-bit messages is a tuple of algorithms SIG = (Gen, Sign, Vrfy) having the following functionality: • The key generation algorithm Gen is a probabilistic algorithm which generates a key pair (P K, SK). We say that P K is the public key and SK is the secret key. • The signing algorithm Sign is a probabilistic algorithm which, on input SK and a message M ∈ {0, 1}m , outputs a signature σ. • The verification algorithm Vrfy is a deterministic algorithm which, on input P K, a message M , and a signature σ, outputs a single bit. We also require that for all (P K, SK) output by Gen, all M ∈ {0, 1} m , and all σ output by Sign(SK, M ) we have Vrfy(P K, M, σ) = 1. Our definition of security for signature schemes is extremely weak: we only require security against existential forgery for an adversary who gets a signature on a single, random message (i.e., we consider a one-time signature scheme secure under random-message attack ). Our lower bounds apply even to “weakly-secure” schemes of this type. Since any signature scheme secure against adaptive chosen-message attack (cf. [26]) trivially achieves this “weak” level of security, our results immediately imply a bound for the more general case. Formally, signature scheme SIG is (S Σ , ε)-secure if for all circuits A of size at most SΣ we have   (P K, SK) ← Gen; M ← {0, 1}m ; Pr  σ ← Sign(SK, M ); (MV′ , σ ′ ) := A(P K, M, σ) :  ≤ ε. Vrfy(P K, M ′ , σ ′ ) = 1 M ′ 6= M 3 “Hardness” of Random (Trapdoor) Permutations In this section, we state and prove two key technical theorems which show that a random permutation π ∈ Πt and a random trapdoor permutation τ ∈ T t are exponentially “hard” with all but negligible probability for t large enough. Before doing so, we first state the following bound on the number of oracle circuits of a given size S: Lemma 3.1 The number of circuits of size S having input/output length n and oracle access to a function f : {0, 1}n → {0, 1}n is at most 22S+(S+1)n(log(Sn+n)+1) . Proof A circuit of the form considered here consists of three types of gates: “and” gates, “or” gates, and “oracle” gates; the first two have in-degree 2 and out-degree 1, while “oracle” gates have in-degree and out-degree n. A circuit may be specified by listing for each gate: (1) its type; and (2) for each of this gate’s at most n input wires, the source of the wire (which may be the output wire of another gate or one of the input wires of the circuit) and whether its value is complemented. Finally, for each of the n output wires of the circuit one must also specify the source of this wire and whether its value is complemented. The information associated with each gate can be specified using at most 2 + n(log(Sn + n) + 1) bits (per gate), while the information associated with each output wire can be specified using at most an additional log(Sn + n) + 1 bits. The lemma follows. 13 3.1 “Hardness” of Random Permutations We now prove Theorem 2.1, restated for convenience. Theorem For all sufficiently large t, a random π ∈ Π t is 2t/5 -hard with probability at least t/2 1 − 2−2 . Proof We begin by showing that given any (π, A) such that A inverts π with “high” probability, the permutation π has a “short” description (given A). Claim Let A be a circuit that makes q queries to a permutation π : {0, 1} t → {0, 1}t , and for which Pry [Aπ (y) = π −1 (y)] ≥ ε. Then π can be described using at most  t
2 + log (2t − a)! 2 log a bits (given A), where a = ε2t /(q + 1). Proof (of claim) Let N = 2t . Consider the set I of at least εN points on which A is able to invert π, after making q queries to π. We argue that there exists a set Y ⊆ I such that |Y | ≥ a and such that the value of π −1 is completely determined by the circuit A, the sets def Y and X = π −1 (Y ), and the value of π −1 on all points in {0, 1}t \ Y . Define Y via the following process: initially Y is empty, and all elements in I are candidates for inclusion in Y . Take the lexicographically first element y from I, and place it in Y . Next, simulate the computation of A π (y) and let x1 , . . . , xq be the queries made by A to π (we assume without loss of generality that they are different), and y 1 , . . . , yq be the corresponding answers (i.e., y i = π(xi )). If y 6∈ {yi }qi=1 , then remove y1 , . . . , yq from I. If y = yi for some i, then remove y1 , . . . , yi−1 from I. Then take the lexicographically smallest of the remaining elements of I, put it into Y , etc. At any step of the construction, one element is added to Y and at most q are removed from I. Since I initially contains at least εN elements, in the end we have |Y | ≥ ⌈εN/q⌉ > εN/(q + 1). We claim that given descriptions of the sets Y and X = π −1 (Y ), the values of π on {0, 1}t \ X, and the circuit A, it is possible to invert (or, equivalently, compute) π everywhere. For y 6∈ Y , the value of π −1 (y) is explicitly given. The values of π −1 on Y can be reconstructed sequentially for all y ∈ Y , taken in lexicographic order, as follows: Simulate the computation of Aπ (y). By construction of Y , during its computation A π (y) will query π either on points not in X, on points x ∈ X for which π(x) < lex y, or on the point x ∈ X for which π(x) = y. In the first two cases, we have enough information to continue the simulation. In the last case, the query itself gives the desired answer π −1 (y). In all possible cases, we have enough information to reconstruct π −1 (y).
Describing Y , X, and the values of π on {0, 1} t \ X requires 2 log |YN | + log ((N − |Y |)!) bits, which is at most the number of bits claimed. Given the above claim, we may now easily prove the theorem. Let A be an oracle circuit of size at most S = 2t/5 . Note that A will make at most q = 2t/5 queries to π. Let N = 2t . From the claim, we see that the fraction of permutations π ∈ Π t such that Pr[Aπ (π(x)) = x] ≥ 2−t/5 x 14 (1) is at most N
2 a (N − a)! N! = N
a a! , where a = 2−t/5 2t /(2t/5 + 1) ≥ N 3/5 /2. Using the inequalities a! ≥ (a/e)a and (eN/a)a , we may derive the following upper bound on the above expression:  2 a  2 a N
4e e N 3/5 a ≤ < 2−a < 2−N /2 < 2 1/5 a! a N N
a ≤ for all sufficiently large N . 1/5 By Lemma 3.1 there are at most 22S+(S+1)t(log(St+t)+1) = 2O(N ) circuits of size S e (where the O-notation suppresses polylogarithmic factors). A union bound thus shows that the probability over a random choice of π ∈ Π t that there exists a circuit of size S for which Equation (1) holds is at most 2O(N 1/5 ) · 2−N 3/5 /2 < 2−N 1/2 for all sufficiently large N . 3.2 “Hardness” of Random Trapdoor Permutations We now prove an analogue of the above theorem for trapdoor permutations. (This is Theorem 2.3, restated for convenience.) Theorem For all sufficiently large t, a random τ ∈ T t is 2t/5 -hard with probability greater t/2 than 1 − 2−2 . Proof The proof is substantially similar to the proof of Theorem 2.1. We first prove: Claim Let A be a circuit making q queries to a trapdoor permutation τ ∈ T t and for which Prk,y [Aτ (k, y) = x ∧ F (k, x) = y] ≥ ε. Then τ can be described using at most  t
2 t t + log (2t − a)! 1 + 2 log(2 !) + t + 2 log a bits (given A), where a = ε2t /(2q + 1). Proof (of claim) Let N = 2t , and let Q(k, y) denote the event that Aτ (k, y) queries either G(td) or F −1 (td, y ′ ) where y ′ is arbitrary and G(td) = k. Also, we say “A τ inverts (k, y)” if Aτ (k, y) = x such that F (k, x) = y. There are two possibilities: either Pr[Aτ inverts (k, y) ∧ Q(k, y)] ≥ ε/2 or k,y Pr[Aτ inverts (k, y) ∧ Q(k, y)] ≥ ε/2. k,y (2) Consider the first case. Here, there certainly exists a ŷ for which it is the case that Prk [Aτ inverts (k, ŷ) ∧ Q(k, ŷ)] ≥ ε/2. Proceeding as in the proof of Theorem 2.1, we will specify G using a “small” number of bits. Let I be the set of at least εN/2 points (k, ŷ) on which Aτ inverts (k, ŷ) and Q(k, ŷ) occurs. Define a set K ⊆ I via the following process: initially K is empty, and all elements in I are candidates for inclusion in K. Take 15 the lexicographically first element (k, ŷ) from I, and place it in K. Next, simulate the computation of Aτ (k, ŷ). Since Q(k, ŷ) occurs, we know that there is a query i of the form G(td) or F −1 (td, y ′ ), where G(td) = k. Looking at each of the preceding i − 1 queries, for each query of the form G(td′ ) with answer k ′ remove (k ′ , ŷ) from I. For each query of the form F −1 (td′ , y ′ ) let G(td′ ) = k ′ and remove (k ′ , ŷ) from I. Then take the lexicographically smallest of the remaining elements of I, put it into K, etc. At any step of the construction, one element is added to K and at most q are removed from I. Since I initially contains at least εN/2 elements, in the end we have |K| ≥ ⌈εN/2q⌉ > εN/(2q + 1). Exactly as in the proof of Theorem 2.1 (and so we omit the details), the permutation G is completely specified given A, ŷ, descriptions of K and G −1 (K), the values of G−1 on
N {0, 1}t \ K, and the values of F on all points. This requires 2 log |K| + log ((N − |K|)!) bits plus an additional 2t log(2t !) bits to specify F . Using an additional bit to specify that we are in the first case, we can completely specify τ in at most the number of bits claimed. Consider next the second case of Equation (2). Here, there must exist a k̂ for which Pry [Aτ inverts (k̂, y) ∧ Q(k̂, y)] ≥ ε/2. Now, we specify F (k̂, ·) using a “small” number of bits. Let I be the set of at least εN/2 points ( k̂, y) on which Aτ inverts (k̂, y) and Q(k̂, y) does not occur. Define a set Y ⊆ I via the following process: initially Y is empty, and all elements in I are candidates for inclusion in Y . Take the lexicographically first element (k̂, y) from I, and place it in Y . Next, simulate the computation of A τ (k̂, y). Consider the ℓ ≤ q queries made by A of the form {F (k̂, xi )} with corresponding answers {y i }. If j−1 y 6∈ {yi }ℓi=1 then remove {(k̂, yi )}ℓi=1 from Y . If y = yj for some j, then remove {(k̂, yi )}i=1 from Y . Then take the lexicographically smallest of the remaining elements of I, put it into Y , etc. At any step of the construction, one element is added to Y and at most q are removed from I. Since I initially contains at least εN/2 elements, in the end we have |Y | ≥ ⌈εN/2q⌉ > εN/(2q + 1). Following the proof of Theorem 2.1, the permutation F ( k̂, ·) is completely specified given A, descriptions of Y and the set X such that F ( k̂, X) = Y , the value of F (k̂, ·) on {0, 1}t \X, the values of G at all points, and the values of F (k, ·) at all points for all k 6= k̂. (We omit the details, but remark that we crucially use the fact that in the computation of A τ (k̂, y) with y ∈ Y we are guaranteed that Q(k̂, y) does not occur and, in particular, A does not make N
−1 ′ a query of the form F (td, y ) with G(td) = k̂.) This requires 2 log |Y | + log ((N − |Y |)!) bits plus log(2t !) bits to specify G and (2t − 1) log(2t !) bits to specify F (k, ·) for k 6= k̂. Using an additional t bits to specify k̂, as well as a bit to specify that we are in the second case, we have that τ is specified in at most the number of bits claimed. Proceeding as in Theorem 2.1, let A be an oracle circuit of size at most S = 2 t/5 and note that A makes at most q = 2t/5 queries to τ . Let N = 2t . From the claim, we see that the fraction of τ ∈ Tt such that Prk,y [Aτ inverts (k, y)] ≥ 2−t/5 is at most
2t+1 Na 3/5 ≤ 2−N /4 a! for sufficiently large N , where a = 2−t/5 2t /(2t/5+1 + 1) and using the fact that a ≥ N 3/5 /4. Applying Lemma 3.1 (and taking into account that A here has input length 2t, output length t, and access to three oracles some of which are functions from {0, 1} 2t to {0, 1}t ), 1/5 there are at most 2O(N ) circuits of size S. A union bound thus shows that the probability 16 over a random choice of π ∈ Πt that there exists a circuit of size S for which Equation (1) holds is at most 1/5 3/5 1/2 2O(N ) · 2−N /4 < 2−N for all sufficiently large N . 4 4.1 Lower Bounds Pseudorandom Generators In this section we show our lower bound for PRG constructions, defined formally as follows. Definition 4.1 A PRG construction from a one-way permutation is an oracle procedure G(·) : {0, 1}ℓ → {0, 1}ℓ+k that expects as an oracle a permutation π ∈ Π n . We refer to k as the stretch of G. We say G(·) is an (Sp , Sg , ε)-OWP-to-PRG weak black-box construction if for every permutation π that is Sp -hard, Gπ is an (Sg , ε)-secure PRG. For any (Sp , Sg , ε)-OWP-to-PRG weak black-box construction with stretch k, we prove that unless G queries π on at least Ω(k/ log S p ) points, it is possible to derive an unconditional construction of a pseudorandom generator. Before giving the proof, we provide some intuition. The basic idea of the proof is as follows: let t = Θ(log S p ). First, note that if G uses as an oracle π ∈ Πt,n chosen uniformly at random, then G is an (S g , ε)-secure PRG with all but negligible probability (since a random permutation from Π t,n is Sp -hard with all but negligible probability). Now, if G queries the oracle at only a few (say, q) points, we can encode the answers to these queries in the seed of the PRG itself. Furthermore, this encoding is “short” since only t bits are needed to answer a query to π ∈ Π t,n . We thus ′ obtain a PRG G′ : {0, 1}ℓ → {0, 1}ℓ+k which uses no oracle at all, but which is able to “simulate” the computation of G when using a random permutation oracle. The desired bound comes from the fact that G′ still stretches its input provided that ℓ ′ is smaller than ℓ + k. But ℓ′ = ℓ + qt since qt bounds the number of bits needed to encode the t-bit answers to G’s q queries. Theorem 4.2 Let G(·) : {0, 1}ℓ → {0, 1}ℓ+k be an (Sp , Sg , ε)-OWP-to-PRG weak black-box construction that makes q queries to an oracle π ∈ Π n . If q < k/(5 log Sp ) then there exists 2 ′ an (Sg , ε + 2−Sp + q 2 /Sp5 )-secure PRG G′ : {0, 1}ℓ → {0, 1}ℓ+k with ℓ′ < ℓ + k. Proof Since G(·) is an (Sp , Sg , ε)-OWP-to-PRG construction, this means that if π : n {0, 1} → {0, 1}n is Sp -hard then for any distinguisher T of size at most S g we have Pr [T (x) = 1] − Pr [T (Gπ (s)) = 1] ≤ ε. x∈Uℓ+k s∈Uℓ Let t = 5 log Sp . From Corollary 2.2 we know that a random permutation π ∈ Π t,n is t/2 Sp -hard with probability greater than 1 − 2−2 . An averaging argument thus shows that 17 for any circuit T of size at most Sg we have t/2 Pr [T (x) = 1] − Pr [T (Gπ (s)) = 1] < ε + 2−2 x∈Uℓ+k π∈Πt,n . (3) s∈Uℓ Recall that any π ∈ Πt,n operates only on its first t input bits; i.e., any such π satisfies π(a, b) = (π̂(a), b) where π̂ is a permutation over {0, 1} t . Without loss of generality, we now assume that G always queries π with strings having distinct t-prefixes. Indeed, for any G b with essentially the same running time, such asking arbitrary queries, one can construct a G b simulates the answer that if G asks (a, b) with a equal to the t-prefix of a previous query, G without querying π using the previously-obtained value of π̂(a). In general the behavior of b is different than that of G, but when we restrict to π ∈ Π t,n they are equivalent. G By assumption, G queries π at most q < k/t times. We now construct G ′ which takes def as input a seed s′ of length ℓ′ = ℓ + qt < ℓ + k. Let s denote the first ℓ bits of s ′ , and let y1 , . . . , yq ∈ {0, 1}t denote the remaining qt bits. We then define def G′ (s′ ) = G′ (s, y1 , . . . , yq ) = Gy1 ,...,yq (s), where the notation Gy1 ,...,yq (s) denotes the computation of G(·) (s) when its ith oracle query xi = (ai , bi ) (with |ai | = t) is answered with (yi , b). (Here we use the fact that the t-prefixes of G’s queries are distinct.) G′ stretches its input by at least one bit, and requires no oracle access. Furthermore, Pr [T (Gπ (s)) = 1] − ′Pr [T (G′ (s′ )) = 1] ≤ 2 · Pry~∈{0,1}qt [Coll], π∈Πt,n s∈Uℓ s ∈Uℓ′ where we let ~y = y1 , . . . , yq and Coll denotes the event that these q values are not distinct. An easy “birthday problem” calculation shows that Pr y~∈{0,1}qt [Coll] ≤ q 2 /2t+1 , which together with Equation (3) implies the statement of the theorem. 4.2 Universal One-Way Hash Functions In this section we prove lower bounds for constructions of universal one-way hash functions based on one-way permutations. The formal definition of such constructions follows. Definition 4.3 A construction of a UOWHF from a one-way permutation is an oracle procedure H (·) (·, ·) that expects as an oracle a permutation π ∈ Π n and is given inputs s ∈ {0, 1}r and x ∈ {0, 1}ℓ+k . The output is H π (s, x) ∈ {0, 1}ℓ . We refer to k as the compression of H. We say H is an (Sp , Sh , ε)-OWP-to-UOWHF semi black-box construction if for every π that is Sp -hard, H π is an (Sh , ε)-UOWHF even for circuits given oracle access to π. We show that if there exists an (Sp , Sh , ε)-OWP-to-UOWHF semi black-box construction with compression k making q < k/(5 log S p ) queries to its oracle π, then it is possible to derive an unconditionally-secure construction of a UOWHF (i.e., without any access to π). 18 As in the case of PRGs, we first observe that H π is secure when π is chosen uniformly at random from Πt,n , for t = 5 log S. We then show that the computation of H π for random π ∈ Πt,n can be simulated by an H ′ (without any oracle access) by including as part of the key for H ′ the t-prefixes of the answers for the q queries H makes to π. Furthermore, we include in the output of H ′ the t-prefixes of the q queries themselves. The crux of the proof is to show that H ′ is a UOWHF. As some intuition toward this, note that since the t-prefixes of the queries (resp., answers) are included with the output (resp., key), an adversary finding a collision in H ′ is bound to these particular values. Hence, any collision in H ′ is also a collision in H π . Since ℓ + qt < ℓ + k (and hence H ′ is length-decreasing) whenever q < k/(5 log Sp ), this yields the desired bound. Theorem 4.4 Let H (·) : {0, 1}r × {0, 1}ℓ+k → {0, 1}ℓ be an (Sp , Sh , ε)-OWP-to-UOWHF semi black-box construction that makes q queries to an oracle π ∈ Π n . If q < k/(5 log Sp ) 2 ′ then there exists an (Sh − SH , ε + 2−Sp + q 2 /2Sp5 )-secure UOWHF H ′ : {0, 1}r × {0, 1}ℓ+k → ′ {0, 1}ℓ with ℓ′ < ℓ + k, where SH is the size of the circuit computing H. Proof Since H (·) is an (Sp , Sh , ε)-OWP-to-UOWHF construction, this means that if π ∈ Πn is Sp -hard then any circuit A of size ≤ S h finds a collision with probability at most ε; that is h i ^ Pr Aπ (s, z, H π (s, z)) = z ′ : z ′ 6= z H π (s, z ′ ) = H π (s, z) ≤ ε. s∈Ur z∈Uℓ+k We say that z ′ as above is a collision exactly when z ′ 6= z but H π (s, z ′ ) = H π (s, z). We now restrict the class of adversaries A under consideration: we consider adversaries that do not access π arbitrarily, but are instead simply given the t-prefixes of the queries and answers made during the computation of H π (s, z). Since such restricted adversaries can be simulated by general adversaries with overhead S H (recall that this is the size of the circuit computing H), we have that if π is S p -hard and A is a circuit of size ≤ Sh − SH then   Pr A(s, y1 , . . . , yq , z, H π (s, z), x1 , . . . , xq ) = z ′ : z ′ is a collision ≤ ε, s∈Ur z∈Uℓ+k where x1 , . . . , xq are the t-prefixes of the q queries made to π during computation of H π (s, z), and y1 , . . . , yq are the t-prefixes of the corresponding answers. Let t = 5 log Sp . From Corollary 2.2 we know that a random permutation π ∈ Π t,n is t/2 Sp -hard with probability greater than 1 − 2−2 . An averaging argument thus shows that for any circuit A of size ≤ Sh − SH we have   t/2 A(s, y1 , . . . , yq , z, H π (s, z), x1 , . . . , xq ) = z ′ : z ′ is a collision < ε + 2−2 . (4) Pr π∈Πt,n s∈Ur , z∈Uℓ+k As in the proof of Theorem 4.2, we may assume without loss of generality that H queries ′ ′ π on points with distinct t-prefixes. Consider the function H ′ : {0, 1}r ×{0, 1}ℓ+k → {0, 1}ℓ defined as follows, where r ′ = r + qt and ℓ′ = ℓ + qt: def H ′ (s′ , z) = H ′ ((s, y1 , . . . , yq ), z) = H y1 ,...,yq (s, z), x1 , . . . , xq , 19 where by H y1 ,...,yq (s, z) we mean the computation of H (·) (s, z) when its ith oracle query (ai , bi ) (with |ai | = t) is answered with (yi , bi ), and where xi , . . . , xq denote the t-prefixes of the q oracle queries made (i.e., xi = ai ). Note that if q < k/t then ℓ′ < ℓ + k, so H ′ (s′ , ·) is a length-decreasing function. By definition of H ′ , if H ′ ((s, y1 , . . . , yq ), z) = H ′ ((s, y1 , . . . , yq ), z ′ ) then H π (s, z) = H π (s, z ′ ) for any π satisfying π(x1 ) = y1 , . . . , π(xq ) = yq . Thus, h i ^ Pr A(s′ , z, H ′ (s′ , z)) = z ′ : z ′ 6= z H ′ (s′ , z ′ ) = H ′ (s′ , z) s′ ∈U ′ r z∈Uℓ+k ≤ Pr π∈Πt,n s∈Ur , z∈Uℓ+k  A(s, y1 , . . . , yq , z, H π (s, z), x1 , . . . , xq ) = z ′ : z ′ is a collision  + Pry~∈{0,1}qt [Coll], where Coll denotes the event that the q values y 1 , . . . , yq are not distinct.7 Equation (4) and a simple “birthday problem” calculation give the result stated in the theorem. 4.3 Public-Key Encryption Definition 4.5 A construction of a public-key encryption scheme based on trapdoor permutations is a tuple of oracle procedures PKE (·) = (Gen(·) , Enc(·) , Dec(·) ) such that, for all τ ∈ Tn , the resulting PKE τ satisfies the functional definition of a public-key encryption scheme (the construction may be for either an interactive or a non-interactive encryption scheme, as it does not affect our results). We say PKE (·) is an (Sp , Se , ε)-TDP-to-PKE weak black-box construction if for every oracle τ ∈ Tn that is Sp -trapdoor one way, PKE τ is (Se , ε)-secure. We prove that for any such construction which encrypts messages of length m, unless Encτ queries τ at least Ω(m/ log Sp ) times there exists a one-way function which does not require any oracle access. Our proof proceeds by showing that unless Enc τ makes at least Ω(m/ log Sp ) queries to τ , we can explicitly construct an interactive, private-key encryption scheme (Enc′ , Dec′ ) requiring no access to the oracle and in which the encrypted message is longer than the shared key. Using a previous result of Impagliazzo and Luby [30] (see also Lemma 4.6), this implies the existence of a one-way function. As in the previous proofs, we first observe that a random τ ∈ T t,n is Sp -hard with all but negligible probability when t = 5 log S p (cf. Corollary 2.4). To construct an interactive, private-key encryption scheme without access to an oracle, we have the parties “simulate” a random τ by appropriately choosing random t-prefixes for the answers to their queries, as needed. The bits to simulate τ cannot be included in the private key, since the encryption and decryption algorithms may make their queries in different order and, indeed, may make different queries altogether. However, we must somehow ensure consistency between the 7 In fact — in contrast to the seemingly-similar situation arising in the proof of Theorem 4.2 — there is no need to conserve random bits here since the values y1 , . . . , yq are included as part of the key and not the output (and the length of the key is irrelevant for our purposes). A tighter security reduction is possible by lowering Pr[Coll]; for example, by including random values y1 , . . . , y2q in the key and using the first q distinct values (when they exist) to answer the queries of H. 20 oracle answers of the sender and receiver. A possibility that comes to mind is to have each party include, along with each protocol message it sends to the other party, a list of tprefixes for the queries and answers generated thus far in accessing τ . In this case, however, privacy is no longer guaranteed as the queries may reveal information about the plaintext message. But this is easily be remedied in the private-key setting: the parties simply share a sufficiently-long one-time pad in advance and then “encrypt” their queries and answers using this pad. Let qg be the number of queries made to τ by Gen, and let q e be the number of queries made by Enc. The private-key encryption scheme outlined above requires a shared key of size roughly O(t) · (qg + qe ) to encrypt an m-bit message. Recalling the result of Impagliazzo and Luby [30], if O(t) · (qg + qe ) < m then the key is shorter than the message and a oneway function exists. This already gives a “weak” lower bound. To obtain the better lower bound qe < m/O(t) (so that we bound the efficiency of encryption alone), additional work is needed; details are given in the proof of Theorem 4.7. We begin by showing that the existence of a private-key encryption scheme (Enc, Dec) which securely encrypts messages longer than the shared key implies the existence of a one-way function. Although this result is already known [30] (without the concrete bounds given below), we give a much simpler and more direct proof. We stress that the result applies even in the case of interactive encryption. Lemma 4.6 Let (Enc, Dec) be an (S, ε)-secure private-key encryption scheme for messages of length m using a shared key of length k < m. Let S Enc be the size of the circuit needed to run the encryption protocol (i.e., the size of the circuit for Enc in the non-interactive case, or the combined sizes of the circuits for Enc and Dec in the interactive setting). Then for any ℓ ∈ there exists a function f which is (S − ℓS Enc , ℓε + 2−ℓ(m−k) )-one way. ✁ Proof We prove the lemma for the case of interactive encryption, which implies the same result for the degenerate, non-interactive case as well. First note that, via standard hybrid argument, running ℓ parallel copies of (Enc, Dec) using ℓ independent keys yields an (S, ℓε)secure private-key encryption scheme for messages of length ℓm in which the shared key has length ℓk. Let SKE ℓ = (Encℓ , Decℓ ) denote this modified scheme. d ℓ (sk, M ; ω1 , ω1 )kM , where ω1 , ω2 represent the ranDefine f by f (sk, M, ω1 , ω2 ) = Enc dom coins used by Encℓ and Decℓ , respectively. We claim that this function is (S ′ , ε′ )-one way, where S ′ = S − ℓSEnc and ε′ = ℓε + 2−ℓ(m−k) . If not, then there is an algorithm B of size at most S ′ for which SuccB,f > ε′ , where def SuccB,f = h i d ℓ (sk, M ) : B(T kM ) ∈ f −1 (T kM ) . Pr sk ← {0, 1}ℓk ; M ← {0, 1}ℓm ; T ← Enc We show how such a B can be used to construct an algorithm A of size at most S for which SuccA,SKE ℓ > ℓε, where def SuccA,SKE ℓ = Pr M0 ,M1 ∈{0,1}ℓm [A(M0 , M1 , T ) = 1] − Pr M0 ,M1 ∈{0,1}ℓm T ∈SKE ℓ (M1 ) T ∈SKE ℓ (M0 ) 21 [A(M0 , M1 , T ) = 1] . This implies that there exist two messages M 0 , M1 for which A can distinguish encryptions of M0 from encryptions of M1 with probability better than ℓε, contradicting the assumed security of (Encℓ , Decℓ ). Thus, we are done once we have demonstrated such an A. Define A as follows: on input (M0 , M1 , T ), algorithm A runs B(T kM0 ) to obtain the ? result sk ′ kM ′ kω1′ kω2′ . It then checks whether f (sk ′ , M ′ , ω1′ , ω2′ ) = T kM0 . If so (i.e., B has succeeded in inverting f ), then A outputs 0. Otherwise, A outputs 1. Note that |A| = |B| + ℓSEnc ≤ S, as required. First, note that Pr M0 ,M1 ∈{0,1}ℓm [A(M0 , M1 , T ) = 0] = SuccB,f > ε′ . T ∈SKE ℓ (M0 ) For a transcript T , we say (sk, M ) is consistent with T if there exist ω 1 , ω2 such that d ℓ (sk, M ; ω1 , ω2 ). We have: T = Enc Pr M0 ,M1 ∈{0,1}ℓm [A(M0 , M1 , T ) = 1] T ∈SKE ℓ (M1 ) ≤ Pr[sk ← {0, 1}ℓk ; M0 , M1 ← {0, 1}ℓm ; d ℓ (sk, M1 ) : ∃sk′ s.t. (sk ′ , M0 ) is consistent with T ] T ← Enc X ≤ Pr[sk ← {0, 1}ℓk ; M0 , M1 ← {0, 1}ℓm ; sk ′ ∈{0,1}ℓk d ℓ (sk, M1 ) : (sk ′ , M0 ) is consistent with T ]. T ← Enc Perfect correctness of the encryption scheme implies that for any sk, T there is at most one value of M ∈ {0, 1}ℓm such that (sk, M ) is consistent with T . Using this and the fact that M0 is chosen at random independent of anything else gives: X [A(M0 , M1 , T ) = 1] ≤ 2−ℓm Pr M0 ,M1 ∈{0,1}ℓm sk ′ ∈{0,1}ℓk T ∈SKE ℓ (M1 ) = 2ℓ(k−m) . Putting everything together shows that Succ A,SKE ℓ > ε′ −2ℓ(k−m) ≥ ℓε, giving the desired contradiction. We remark that an analog of the above lemma is known to hold also for the case of (interactive) private-key encryption schemes with error [30]. This, in turn, implies results analogous to those of Theorems 4.7 and 4.9 for black-box constructions of encryption schemes with error. However, as we were unable to simplify the proof of [30] in this setting (and as the concrete bounds on the resulting one-way function are rather unwieldy) we do not explicitly focus on the case of encryption schemes with error here. Our main result of this section follows. The theorem is stated for the case of noninteractive public-key encryption, but the proof immediately extends to the case of interactive public-key encryption as well (where q e will in this case refer to the total number of queries made by sender and receiver during the encryption protocol, and S Enc will refer to the sizes of Enc and Dec jointly). 22 Theorem 4.7 Let PKE (·) = (Gen(·) , Enc(·) , Dec(·) ) be an (Sp , Se , ε)-TDP-to-PKE weak blackbox construction for messages of length m, and let t = 5 log S p . Assume Gen makes qg queries to an oracle τ ∈ Tn and Enc makes qe queries to τ ; set ℓ = 2 · ⌈5tqg / (m − 5tqe )⌉. 2 Assume further that ε < (1/4−2−Sp )/ℓ. If qe < m/5t, then there exists an (Se −3ℓSEnc , 3/4)one-way function (without access to any oracle), where S Enc is the size of the circuit for Enc. Proof Note that we did not try to optimize the constants in the proof or the required bound on ε. In applications of cryptographic interest, S p and Se are typically super-polynomial, SEnc , qg , qe , and m are (small) polynomials, and ε is negligible; thus, 2 ε ≪ (1/4 − 2−Sp )/ℓ and Se ≫ 3ℓSEnc anyway. Let PKE (·) = (Gen(·) , Enc(·) , Dec(·) ). As in the proof of Lemma 4.6, for any ℓ ∈ we (·) (·) (·) (·) may construct a public-key encryption scheme PKE ℓ = (Genℓ , Encℓ , Decℓ ) for ℓm-bit messages in the natural way; furthermore, we may set Gen ℓ = Gen since we are now in the public-key setting and so key generation need only be done once. It is easy to see (via (·) hybrid argument) that PKE ℓ is an (Sp , Se − ℓSEnc , ℓε)-TDP-to-PKE construction, where the number of queries made by Genℓ is qg and the number of queries made by Enc ℓ is at most ℓqe . Set ℓ = 2 · ⌈5t qg /(m − 5t qe )⌉ as in the statement of the theorem, and let S ′ = Se − ℓSEnc 2 (·) and ε′ = ℓε + 2−Sp . We use PKE ℓ to construct an (S ′ , ε′ )-secure interactive, private-key ′ encryption scheme SKE = (Enc , Dec′ ) for ℓm-bit messages in which the shared key will have length 5t · (qg + ℓqe ). Furthermore, SKE will require no access to the trapdoor permutation oracle. Finally, we have 5t · (q g + ℓqe ) < ℓm (in fact, ℓm − 5t · (qg + ℓqe ) ≥ 1) and ε′ < 1/4; thus, application of Lemma 4.6 (with ℓ = 1 there) yields the desired result. (·) Security of PKE ℓ implies that if τ is Sp -hard then, for any circuit B of size ≤ S ′ and for any messages M0 , M1 ∈ {0, 1}ℓm we have ✁ Pr v∈PKE τℓ (M0 ) [B(v) = 1] − Pr [B(v) = 1] ≤ ℓε. v∈PKE τℓ (M1 ) Corollary 2.4 shows that a random τ ∈ Tt,n is Sp -hard except with probability less than 2 2−Sp . A straightforward averaging argument thus shows that for any circuit B of size ≤ S ′ and for any messages M0 , M1 ∈ {0, 1}ℓm we have: Pr τ ∈Tt,n v∈PKE τℓ (M0 ) [B(v) = 1] − 2 Pr τ ∈Tt,n v∈PKE τℓ (M1 ) [B(v) = 1] < ℓε + 2−Sp = ε′ . (5) As mentioned in the discussion at the beginning of this section, our private-key encryption scheme SKE will “simulate” a random τ ∈ T t,n for algorithms Gen, Encℓ , and Decℓ . We achieve this simulation using a “simulation procedure” SIM which ensures consistency of the answers to all oracle queries. This procedure takes as input a list L of (appropriate prefixes of) previous oracle queries and answers; before answering any query, SIM examines L and ensures that the answer it gives will not generate any inconsistencies. After answering a query, L is updated accordingly. As an example, if query tdkb to G was answered by kkb 23 (where |td| = |k| = t), then subsequent query td ′ kb′ to G must be answered by k ′ kb′ where k′ = k iff td′ = td. A more involved procedure is needed to answer queries to F and F −1 . We now describe the details of this simulation. SIM(L): • On query G(tdkb) (where |td| = t): if ∃k s.t. (td, k) ∈ L, return kkb. Otherwise pick random k ∈ {0, 1}t such that ∀td′ : (td′ , k) 6∈ L, return kkb, and store (td, k) in L. • On query F (kkb, xkb′ ) (where |k| = |x| = t): 1. if ∃y s.t. (k, x, y) ∈ L, return ykb′ . 2. Otherwise, if ∃td s.t. (td, k) ∈ L, choose random y ∈ {0, 1} t such that ∀x′ : (k, x′ , y) 6∈ L, return ykb′ , and store (k, x, y) in L. 3. Otherwise, choose random td ∈ {0, 1}t such that ∀k ′ : (td, k ′ ) 6∈ L, choose random y ∈ {0, 1}t , return ykb′ , and store (k, td) and (k, x, y) in L. • On query F −1 (tdkb, ykb′ ) (where |tk| = |y| = t): 1. if ∃k, x s.t. (td, k), (k, x, y) ∈ L, return xkb ′ 2. Otherwise, if ∃k s.t. (td, k) ∈ L, choose random x ∈ {0, 1} t such that ∀y ′ : (k, x, y ′ ) 6∈ L, return xkb′ , and store (k, x, y) in L 3. Otherwise, choose random k ∈ {0, 1}t such that ∀td′ : (td′ , k) 6∈ L, choose random x ∈ {0, 1}t , return xkb′ , and store (td, k) and (k, x, y) in L Note that each time a query is answered, at most 5t bits are stored in L. Construct SKE as follows. Parse the shared key s as (s 1 , s2 ) where |s1 | = 5tqg and |s2 | = 5tℓqe . To encrypt message M , the receiver Dec′ begins by initializing list L := ∅. The receiver then computes (pk, sk) ← Gen SIM(L) (updating L in the process) and sends pk, s1 ⊕ L to the sender. The receiver stores sk, L for later use. Upon receiving the first message pk, ŝ1 , the sender computes L1 := s1 ⊕ ŝ1 and sets L := L1 . The sender then SIM(L) (pk, M ) and sets L2 := L\L1 . Finally, Enc′ sends C, s2 ⊕ L2 to computes C ← Encℓ the receiver. Upon receiving message C, ŝ 2 , the receiver decrypts by setting L 2 := s2 ⊕ ŝ2 and L := L0 ∪ L2 (here, L0 is the list stored by the receiver from the first stage). The SIM(L) (sk, C). receiver can then compute M := Dec ℓ It is clear that SKE has correct decryption. We now show that the scheme is (S ′ , ε′ )secure. Assume toward a contradiction that there exists a circuit A of size ≤ S ′ and messages M0 , M1 ∈ {0, 1}ℓm such that Pr [A(v) = 1] − v∈SKE(M0 ) Pr v∈SKE(M1 ) [A(v) = 1] > ε′ . We construct circuit B attacking PKE ℓ as follows. On input pk, C, circuit B picks random strings ŝ1 , ŝ2 where |ŝ1 | = 5tqg and |ŝ2 | = 5tℓqe . Then, B outputs A(pk, ŝ1 , C, ŝ2 ). Because the keys s1 , s2 of SKE are used as a one-time pad, it is easy to see that, for b ∈ {0, 1}: Pr τ ∈Tt,n [B(pk, C) = 1] = (pk,C)∈PKE τℓ (Mb ) 24 Pr [A(v) = 1]. v∈SKE(Mb ) Thus, the advantage of B is equal to the advantage of A (which is greater than ε ′ ), contradicting Equation (5). 4.4 Private-Key Encryption The techniques of the previous section can be adapted to show a similar lower bound for private-key encryption schemes based on trapdoor permutations; note that trapdoor permutations generalize one-way permutations (which are sufficient for private-key encryption), and therefore our result shows that improved efficiency cannot be obtained in this case even by assuming a stronger primitive. Definition 4.8 A construction of a private-key encryption scheme based on trapdoor permutations is a pair of oracle procedures SKE (·) = (Enc(·) , Dec(·) ) such that, for all τ ∈ Tn , the resulting SKE τ satisfies the functional definition of a private-key encryption scheme given earlier (again, the construction may yield either an interactive or a non-interactive scheme). We say SKE (·) is an (Sp , Se , ε)-TDP-to-SKE weak black-box construction if for every τ ∈ Tn that is Sp -hard, SKE τ is (Se , ε)-secure. Suppose a construction of this type exists which encrypts m-bit messages using a shared m−k key of length k. We show that unless Enc τ queries τ at least q = Ω( log Sp ) times, then an unconditional one-way function exists. This matches the known upper bound, even for schemes constructed using one-way permutations. The proof is similar to that of Theorem 4.7, in that we convert SKE (·) to a private-key encryption scheme SKE ′ that does not access an oracle at all. The only difference between the proof here and the proof of Theorem 4.7 is that here the parties need to share a k-bit key in addition to the one-time pad used to encrypt their “simulated” queries and answers to the oracle. Set t = 5 log Sp . The resulting SKE ′ requires a shared key of length k + 5tq and encrypts an m-bit message. As before, then, if k + 5tq < m we obtain a private-key encryption scheme (making no oracle queries) in which the message is longer than the key. By Lemma 4.6, this implies the existence of a one-way function. The following theorem is stated for the case of non-interactive private-key encryption, but the proof immediately extends to the case of interactive private-key encryption as well. Theorem 4.9 Let SKE (·) = (Enc(·) , Dec(·) ) be an (Sp , Se , ε)-TDP-to-SKE weak black-box construction for messages of length m using a key of length k in which Enc makes q queries −Sp2 )-secure to an oracle τ ∈ Tn . Let t = 5 log Sp . If q < m−k 5t then there exists an (Se , ε + 2 private-key encryption scheme in which the message is longer than the key, without access to any oracle. Proof The proof is substantially similar to the proof of Theorem 4.7, so the discussion here will be somewhat terse. Let t = 5 log S p . As in the previous proof, security of the given construction and a straightforward averaging argument imply that for any circuit B of size ≤ Se and for any messages M0 , M1 ∈ {0, 1}m we have: Pr τ ∈Tt,n [B(v) = 1] − v∈SKE τ (M0 ) Pr τ ∈Tt,n v∈SKE τ (M1 ) 25 2 [B(v) = 1] < ε + 2−Sp . 2 We now construct an (Se , ε + 2−Sp )-secure private-key encryption scheme SKE ′ = def (Enc′ , Dec′ ) for m-bit messages in which the shared key has length k ′ = k + 5t · q. Furthermore, SKE ′ requires no oracle access. If q < (m − k)/5t, then k ′ < m and we obtain the desired result. The approach for constructing SKE ′ is exactly as in Theorem 4.7 (and as discussed earlier in this section), and in particular we use the same simulation procedure SIM as there. SKE ′ is constructed as follows: The shared key s of length k ′ is parsed as (s1 , s2 ) where |s1 | = k and |s2 | = 5t · q. To encrypt message M , the sender initializes L := ∅, computes C ← EncSIM(L) (s1 , M ) (updating L in the process), and then sends C, s 2 ⊕ L to the receiver. The receiver obtains ciphertext C, L̂, recovers L = L̂ ⊕ s2 , and then computes M = DecSIM(L) (s1 , C). It is not hard to see that SKE ′ has correct decryption. Arguing exactly as in Theorem 4.7 2 we see that SKE ′ is (Se , ε + 2−Sp )-secure, completing the proof of the theorem. 4.5 Signature Schemes We now demonstrate a lower bound on the efficiency of signature verification for any signature scheme based on one-way permutations. Definition 4.10 A construction of a digital signature scheme for m-bit messages (based on one-way permutations) is a tuple of procedures SIG (·) = (Gen(·) , Sign(·) , Vrfy(·) ) such that, for all π ∈ Πn , the resulting SIG π satisfies the functional definition of a signature scheme given earlier. We say SIG (·) is an (Sp , SΣ , ε)-OWP-to-signature semi black-box construction if for every oracle π ∈ Πn that is Sp -hard, SIG π is (SΣ , ε)-secure, where this must hold even for circuits given access to π. Given a construction of this sort, we prove that unless Vrfy queries π at least Ω(m/ log S p ) times, then it is possible to construct from SIG a one-way function which does not access any oracle. Note that this one-way function could then be used to construct an secure signature scheme (which requires no oracle access) [38]. We start with an informal overview of our proof technique. As a first attempt to construct a one-way function from the verification algorithm, one might define F1 (P K, M, σ) = P KkVrfy(·) (P K, M, σ). Intuitively, this function is difficult to invert on elements of the form P Kk1 if P K is a valid and randomly-generated public key, since inverting the function on points of this form is equivalent to signature forgery. As presently defined, however, evaluating F 1 requires calls to π; however, our goal is to construct a function which does not require access to any oracle. As in the previous section, though, one may observe that π is S p -hard (and thus SIG is secure) when π is uniformly chosen from Π t,n for t = 5 log Sp (cf. Corollary 2.2). So, if Vrfy makes q queries to π, then specifying qt bits as the answers to these queries removes any need to query the oracle. Based on this, one might consider the function F2 (P K, y1 , . . . , yq , M, σ) = P Kky1 k · · · kyq kx1 k · · · kxq kVrfyy1 ,...,yq (P K, M, σ), 26 (6) where |y1 | = · · · = |yq | = |x1 | = · · · = |xq | = t and the ith query xi kbi of Vrfy is answered with yi kbi (we assume without loss of generality that Vrfy queries π with strings having distinct t-prefixes). The intuition, as before, is that F 2 is difficult to invert on elements of the form P Kk~y k~xk1 if P K, ~y , and ~x are chosen appropriately. Now, however, another problem arises. In order for F 2 to qualify as a one-way function, it must be hard to invert F2 (P K, ~y , M, σ) when P K, ~y , M, σ are sampled from an efficiently sampleable distribution (cf. Lemma 4.12, below). More specifically, a proof of one-wayness will need to show how to efficiently sample P K, ~y , M, σ such that inverting the value F2 (P K, ~y , M, σ) results in a signature forgery and hence a contradiction. A necessary condition for inversion to result in signature forgery is that Vrfy y~ (P K, M, σ) = 1. Generating P K, ~y , M, σ such that this holds is easy if we have the secret key SK; but then inverting F2 and forging a signature does not yield the desired contradiction! Instead, in the proof we will obtain M, σ from the signer. In this case, however, inverting F2 (P K, ~y , M, σ) does not result in a forgery if it results in the same message/signature pair M, σ. We come now to the crux of our proof. If the number of queries is “small”, we show that inversion of F2 yields a different message M ′ (and thus a successful forgery) with noticeable probability. More precisely, for randomly-generated P K, ~y , ~x, σ, let Y = P Kk~y k~xk1 = F2 (P K, ~y , M, σ). P If |~x| = qi=1 |xi | < |M |, then (on average) there exists an element P Kk~y kM ′ kσ ′ ∈ F2−1 (Y ) with M ′ 6= M ; hence inverting Y results in a forgery with noticeable probability. This idea is formalized in the proof of the following theorem. Theorem 4.11 Let SIG (·) be an (Sp , SΣ , ε)-OWP-to-signature semi black-box construction for messages of length m in which Vrfy makes q queries to an oracle π ∈ Π n , algorithms 2 Gen, Sign, and Vrfy jointly make q̂ queries to π, and ε < 1/4 − 2 −Sp . If q < m/(5 log Sp ) then there exists an (SΣ − SGen − SSign − 2SVrfy , 3/4 + q̂ 2 /2Sp5 )-one-way function (without access to a permutation oracle), where S Gen , SSign ,and SVrfy are the sizes of the circuits for Gen, Sign, and Vrfy, respectively. Proof As in Theorem 4.7, we did not try to optimize the constants in the proof or the required bound on ε. In applications of cryptographic interest, one will anyway have 2 SΣ ≫ SGen + SSign + 2SVrfy and ε ≪ 1/4 − 2−Sp . We first present a technical lemma showing that the existence of a function which is one-way over an efficiently sampleable domain implies the existence of a function which is one-way under the definition of Section 2.1. Lemma 4.12 Let D be a distribution sampleable by a circuit of size S D and let f be a function such that for every circuit A of size ≤ S we have: Pr[x ← D : A(f (x)) ∈ f −1 (f (x))] ≤ δ. Then there exists a function fˆ that is (S − SD , δ)-one way. Proof (of lemma) We equate the distribution D with the circuit of size S D which samples it; i.e., {D(r)} ≡ D (where r is a string of the appropriate length chosen uniformly at 27 def random). Define fˆ(r) = f (D(r)). We claim that fˆ is (S − SD , δ)-one way. Assume the contrary. Then there exists a circuit  of size at most S − SD for which Prr [Â(fˆ(r)) ∈ fˆ−1 (fˆ(r))] > δ. def Toward a contradiction, define a circuit A as follows: A(y) = D(Â(y)). Notice that |A| ≤ S. Furthermore, Pr[x ← D : A(f (x)) ∈ f −1 (f (x))] = Prr [x := D(r) : f (A(f (x))) = f (x)] = Prr [f (A(fˆ(r))) = fˆ(r)] = Prr [fˆ(Â(fˆ(r))) = fˆ(r)] = Prr [Â(fˆ(r)) ∈ fˆ−1 (fˆ(r))] > δ. The proof of the theorem proceeds by using SIG to construct a function F along with a distribution D such that for every circuit A of size ≤ S Σ − SVrfy we have: Pr[X ← D : A(F (X)) ∈ F −1 (F (X))] ≤ ε + 2−Sp + 1/2 + q̂ 2 /2Sp5 < 3/4 + q̂ 2 /2Sp5 . (7) Furthermore, D will be computable by a circuit of size S Gen + SSign + SVrfy . Applying Lemma 4.12 then yields the desired result. Since SIG (·) is an (Sp , SΣ , ε)-OWP-to-signature construction, if π is S p -hard then, for any circuit B of size ≤ SΣ we have Succπ,B ≤ ε where def Succπ,B = Pr [(P K, SK) ← Genπ ; M ← {0, 1}m ; σ ← Signπ (SK, M ); (M ′ , σ ′ ) := B π (P K, M, σ) :  Vrfyπ (P K, M ′ , σ ′ ) = 1 ∧ M ′ 6= M . Let t = 5 log Sp . Corollary 2.2 shows that a random π ∈ Πt,n is Sp -hard except with 2 probability less than 2−Sp . An averaging argument then implies that for any circuit B of 2 size ≤ SΣ we have Succ∗B < ε + 2−Sp where Succ∗B is defined analogously to Succπ,B except that the probability is now taken over random choice of π ∈ Π t,n as well. Define a function F as in Equation (6), repeated here for convenience: F (P K, ~y , M, σ) = P Kk~y k~xkVrfy y~ (P K, M, σ), where ~y = (y1 , . . . , yq ), ~x = (x1 , . . . , xq ), |y1 | = · · · = |yq | = |x1 | = · · · = |xq | = t, and the ith query xi kbi of Vrfy is answered with yi kbi . (As in the proof of Theorem 4.2, we assume Vrfy queries its oracle on points having distinct t-prefixes.) We also define distribution D by the following experiment which depends on uniformly distributed coins r g , rs (of some appropriate length), ry ∈ {0, 1}q̂t (parsed as a sequence of t-bit strings ŷ 1 , . . . , ŷq̂ ∈ {0, 1}t ), and M ∈ {0, 1}m :   (P K, SK) := Gen(rg ); : P Kk~y kM kσ . σ := Sign(SK, M ; rs ); Vrfy(P K, M, σ) 28 In the above experiment, the coins ry = ŷ1 , . . . , ŷq̂ are used to give a simulation8 of a random π ∈ Πt,n which is consistent across the executions of Gen, Sign, and Vrfy. The component yi of y~ is the t-prefix of the answer given in response to the i th query of Vrfy. Note that D is computable by a circuit of size essentially S Gen + SSign + SVrfy . We claim that F satisfies the requirement expressed in Equation (7). Assume toward a contradiction that there exists a circuit A of size ≤ S Σ − SVrfy for which Equation (7) does not hold. We use A to construct an algorithm B which — given P K, a random message M , and a signature σ on M — forges a valid signature on a new message M ′ with “high” probability. B π (P K, M, σ) first runs Vrfy(P K, M, σ), answering the queries of Vrfy by forwarding them to π. Let ~x be the t-prefixes of the queries made by Vrfy, and let ~y be the t-prefixes of the corresponding answers. Define X = P Kk~y kM kσ and Y = P Kk~y k~xk1; note that Y = F (X). Finally, algorithm B computes P K ′ k~y ′ kM ′ kσ ′ = A(Y ) and outputs (M ′ , σ ′ ). We clearly have |B| ≤ SΣ . B outputs a successful forgery if both F (P K ′ k~y ′ kM ′ kσ ′ ) = Y and M ′ 6= M hold. To see this, note that the first condition implies ~y = ~y ′ , and hence Vrfyy~ (P K, M ′ , σ ′ ) = 1 and furthermore Vrfy makes queries with t-prefixes ~x. Thus, Vrfy π (P K, M ′ , σ ′ ) = 1. If furthermore M ′ 6= M , then (M ′ , σ ′ ) is a successful forgery. Finally, the distribution on X — over random choice of π ∈ Πt,n — is statistically close to distribution D, where the difference is due to the fact that the ŷ 1 , . . . , ŷq̂ used in the experiment defining D may not be distinct. This accounts for the term q̂ 2 /2Sp2 in the analysis below (obtained using a simple “birthday problem” calculation), but see footnote 7. Let Eq be the event that M ′ = M . Then Succ∗B ≥ = Pr [Y = F (X); X ′ = A(Y ) : X ′ ∈ F −1 (Y ) ∧ Eq] − q̂ 2 /2Sp5 X←D Pr [Y = F (X); X ′ = A(Y ) : X ′ ∈ F −1 (Y )] X←D − Pr [Y = F (X); X ′ = A(Y ) : X ′ ∈ F −1 (Y ) ∧ Eq] − q̂ 2 /2Sp5 X←D −Sp > ε+2 + 1/2 − Pr[X ← D; P Kk~y k~xk1 = F (X); P K ′ k~y ′ kM ′ kσ ′ = A(P Kk~y k~xk1) : M ′ = M ] = ε + 2−Sp + 1/2 X − Pr[X ← D; P Kk~y k~xk1 = F (X); ~ z P K ′ k~y ′ kM ′ kσ ′ = A(P Kk~y k~xk1) : M ′ = M ∧ ~x = ~z ], where the sum is over ~z consisting of q distinct t-bit strings. Substituting ~z for ~x in part of the final equation above gives Succ∗B ≥ ε + 2−Sp + 1/2 X − Pr[X ← D; P Kk~y k~xk1 = F (X); ~ z 8 Simulating a random π ∈ Πt,n is done as expected: the oracle query xj kb with the j th distinct tprefix across the executions of Gen, Sign, and Vrfy is answered with ŷ j kb, and an oracle query xkb with a previously-used t-prefix is answered in a consistent manner in the obvious way. 29 P K ′ k~y ′ kM ′ kσ ′ = A(P Kk~y k~z k1) : M ′ = M ∧ ~x = ~z ] ≥ ε + 2−Sp + 1/2 X − Pr[X ← D; P Kk~y k~xk1 = F (X); ~ z P K ′ k~y ′ kM ′ kσ ′ = A(P Kk~y k~z k1) : M ′ = M ]. In this last equation we may note that A has no information about M , which is chosen at random from {0, 1}m independently of P K, ~y , and ~z. Therefore: X 2−m . (8) Succ∗B ≥ ε + 2−Sp + 1/2 − ~ z 2t
Noting that there are q < 2qt ≤ 2m−1 terms in the sum of Equation (8), we derive the contradiction Succ∗B > ε + 2−Sp . Upper bounds on the efficiency of signature schemes. As mentioned in the Introduction, our lower bounds focus on the efficiency of signature verification. We briefly observe some upper bounds on the efficiency of verification for one-time signatures (satisfying the notion of security considered here) on m-bit messages. The Lamport scheme [34] requires m invocations of a one-way permutation to verify a signature. Instead of signing bit-by-bit, the scheme can be modified to sign block-by-block. When basing the construction on an S-hard one-way permutation, it is possible to obtain provable security using blocks of length Θ(log(S/m)); this gives a signature scheme requiring only Θ(m/ log(S/m)) invocations for verification. When S is polynomial, this is essentially optimal as far as verification is concerned (although the key-generation time and public-key size are prohibitive); however, the resulting scheme does not even run in polynomial time when S is super-polynomial. An alternate approach is to include a universal one-way hash function h s as part of the public key, and to use the (basic) Lamport scheme to sign h s (M ). Verification now requires evaluation of hs followed by a verification in the underlying Lamport scheme. Since h s can be used to compress an arbitrary-length message to an n-bit string (when using an S-hard permutation on n bits) [36], we obtain a verification complexity of Θ(n + (m − n)/ log S) when m ≥ n. References [1] B. Barak. How to Go Beyond the Black-Box Simulation Barrier. 42nd IEEE Symposium on Foundations of Computer Science (FOCS), IEEE, pp. 106–115, 2001. [2] B. Barak. Constant-Round Coin-Tossing with a Man in the Middle, or Realizing the Shared Random String Model. 43rd IEEE Symposium on Foundations of Computer Science (FOCS), IEEE, pp. 345–355, 2002. [3] D. Beaver. Correlated Pseudorandomness and the Complexity of Private Computations. 28th ACM Symposium on Theory of Computing (STOC), ACM, pp. 479–488, 1996. 30 [4] M. Bellare and O. Goldreich. On Defining Proofs of Knowledge. Adv. in Cryptology — Crypto 1992, LNCS vol. 740, Springer-Verlag, pp. 390–420, 1993. [5] M. Bellare and S. Goldwasser. New Paradigms for Digital Signatures and Message Authentication Based on Non-Interactive Zero-Knowledge Proofs. Adv. in Cryptology — Crypto 1989, LNCS vol. 435, Springer-Verlag, pp. 194–211, 1990. [6] M. Bellare, S. Halevi, A. Sahai, and S. Vadhan. Many-to-one Trapdoor Functions and their Relation to Public-Key Cryptosystems. Adv. in Cryptology — Crypto 1998, LNCS vol. 1462, Springer-Verlag, pp. 283–298, 1998. [7] M. Blum and S. Goldwasser. An Efficient Probabilistic Encryption Scheme Which Hides All Partial Information. Adv. in Cryptology — Crypto ’84, LNCS vol. 263, SpringerVerlag, pp. 289–302, 1985. [8] M. Blum and S. Micali. How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits. SIAM J. Computing 13(4): 850–864, 1984. [9] D. Catalano, R. Gennaro, and N. Howgrave-Graham. Paillier’s Trapdoor Function Hides up to O(n) Bits. J. Cryptology 15(4): 251–269, 2002. [10] Y. Desmedt and Y. Frankel. Threshold Cryptosystems. Adv. in Cryptology — Crypto 1989, LNCS vol. 435, Springer-Verlag, pp. 307–315, 1990. [11] D. Dolev, C. Dwork, and M. Naor. Non-Malleable Cryptography. SIAM J. Computing 30(2): 391–437, 2000. [12] U. Feige, A. Fiat, and A. Shamir. Zero-Knowledge Proofs of Identity. J. Cryptology 1(2): 77–94, 1988. [13] M. Fischlin. On the Impossibility of Constructing Non-Interactive Statistically-Secret Protocols From any Trapdoor One-Way Function. Cryptographers’ Track — RSA 2002, LNCS vol. 2271, pp. 79–95, 2002. [14] R. Gennaro, Y. Gertner, and J. Katz. Lower Bounds on the Efficiency of Encryption and Digital Signature Schemes. 35th ACM Symposium on Theory of Computing (STOC), ACM, pp. 417–425, 2003. [15] R. Gennaro and L. Trevisan. Lower bounds on the Efficiency of Generic Cryptographic Constructions. 41st IEEE Symposium on Foundations of Computer Science (FOCS), IEEE, pp. 305–313, 2000. [16] Y. Gertner, S. Kannan, T. Malkin, O. Reingold, and M. Viswanathan. The Relationship between Public-Key Encryption and Oblivious Transfer. 41st IEEE Symposium on Foundations of Computer Science (FOCS), IEEE, pp. 325–335, 2000. [17] Y. Gertner, T. Malkin, and O. Reingold. On the Impossibility of Basing Trapdoor Functions on Trapdoor Predicates. 42nd IEEE Symposium on Foundations of Computer Science (FOCS), IEEE, pp. 126–135, 2001. 31 [18] O. Goldreich. Foundations of Cryptography, vol. 1: Basic Tools. Cambridge University Press, Cambridge, UK, 2001. [19] O. Goldreich. Foundations of Cryptography, vol. 2: Basic Applications. Cambridge University Press, Cambridge, UK, 2004. [20] O. Goldreich, S. Goldwasser, and S. Micali. On the Cryptographic Applications of Random Functions. Adv. in Cryptology — Crypto ’84, LNCS vol. 263, Springer-Verlag, pp. 276–288, 1985. [21] O. Goldreich, S. Goldwasser, and S. Micali. How to Construct Random Functions. J. ACM 33(4): 792–807, 1986. [22] O. Goldreich and L. Levin. Hard-Core Predicates for any One-Way Function. 21st ACM Symposium on Theory of Computing (STOC), ACM, pp. 25–32, 1989. [23] O. Goldreich, S. Micali, and A. Wigderson. Proofs that Yield Nothing but Their Validity or All Languages in NP Have Zero-Knowledge Proof Systems. J. ACM 38(3): 691–729, 1991. [24] O. Goldreich, S. Micali, and A. Wigderson. How to Play Any Mental Game or A Completeness Theorem for Protocols with Honest Majority. 19th ACM Symposium on Theory of Computing (STOC), ACM, pp. 218–229, 1987. [25] S. Goldwasser and S. Micali. Probabilistic Encryption. J. Computer and System Sciences 28(2): 270–299, 1984. [26] S. Goldwasser, S. Micali, and R. Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen Message Attacks. SIAM J. Computing 17(2): 281–308, 1988. [27] J. Håstad, R. Impagliazzo, L. Levin, and M. Luby. A Pseudorandom Generator From any One-Way Function. SIAM J. Computing 28(4): 1364–1396, 1999. [28] J. Håstad, A. Schrift, and A. Shamir. The Discrete Logarithm Modulo a Composite Hides O(n) Bits. J. Computer and System Sciences 47(3): 376–404, 1993. [29] R. Impagliazzo. Very Strong One-Way Functions and Pseudo-random Generators Exist Relative to a Random Oracle. Manuscript, 1996. [30] R. Impagliazzo and M. Luby. One-Way Functions are Essential for Complexity-Based Cryptography. 30th IEEE Symposium on Foundations of Computer Science (FOCS), IEEE, pp. 230–235, 1989. [31] R. Impagliazzo and S. Rudich. Limits on the Provable Consequences of One-Way Permutations. 21st ACM Symposium on Theory of Computing (STOC), ACM, pp. 44–61, 1989. [32] J. Kahn, M.E. Saks, and C.D. Smyth. A Dual Version of Reimer’s Inequality and a Proof of Rudich’s Conjecture. 15th IEEE Conference on Computational Complexity, IEEE, pp. 98–103, 2000. 32 [33] J.H. Kim, D.R. Simon, and P. Tetali. Limits on the Efficiency of One-Way PermutationBased Hash Functions. 40th IEEE Symposium on Foundations of Computer Science (FOCS), IEEE, pp. 535–542, 1999. [34] L. Lamport. Constructing Digital Signatures From a One-Way Function. Technical Report CSL-98, SRI International, 1979. [35] M. Naor. Bit Commitment Using Pseudorandom Generators. J. Cryptology 4(2): 151– 158, 1991. [36] M. Naor and M. Yung. Universal One-Way Hash Functions and Their Cryptographic Applications. 21st ACM Symposium on Theory of Computing (STOC), ACM, pp. 33– 43, 1989. [37] O. Reingold, L. Trevisan, and S. Vadhan. Notions of Reducibility Between Cryptographic Primitives. 1st Theory of Cryptography Conference, LNCS vol. 2951, SpringerVerlag, pp. 1–20, 2004. [38] J. Rompel. One-Way Functions are Necessary and Sufficient for Secure Signatures. 22nd ACM Symposium on Theory of Computing (STOC), ACM, pp. 387–394, 1990. [39] S. Rudich. Limits on the Provable Consequences of One-Way Functions. PhD thesis, University of California at Berkeley, 1988. [40] S. Rudich. The Use of Interaction in Public Cryptosystems. Adv. in Cryptology — Crypto 1991, LNCS vol. 576, Springer-Verlag, pp. 242–251, 1992. [41] D.R. Simon. Finding Collisions on a One-Way Street: Can Secure Hash Functions be Based on General Assumptions? Adv. in Cryptology — Eurocrypt 1998, LNCS vol. 1403, Springer-Verlag, pp. 334–345, 1998. [42] A. C.-C. Yao. Theory and Application of Trapdoor Functions. 23rd IEEE Symposium on Foundations of Computer Science (FOCS), IEEE, pp. 80–91, 1982. [43] A. C.-C. Yao. How to Generate and Exchange Secrets. 27th IEEE Symposium on Foundations of Computer Science (FOCS), IEEE, pp. 162–167, 1986. 33