## On hardness amplification of one-way functions (2005)

### Cached

### Download Links

- [www.cs.columbia.edu]
- [www.cs.berkeley.edu]
- [www1.cs.columbia.edu]
- [www.iacr.org]
- [www.iacr.org]
- [www.cs.berkeley.edu]
- [theory.stanford.edu]
- DBLP

### Other Repositories/Bibliography

Venue: | In Proc. 2nd TCC |

Citations: | 13 - 4 self |

### BibTeX

@INPROCEEDINGS{Lin05onhardness,

author = {Henry Lin and Luca Trevisan and Hoeteck Wee},

title = {On hardness amplification of one-way functions},

booktitle = {In Proc. 2nd TCC},

year = {2005},

pages = {34--49},

publisher = {Springer}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. We continue the study of the efficiency of black-box reductions in cryptography. We focus on the question of constructing strong one-way functions (respectively, permutations) from weak one-way functions (respectively, permutations). To make our impossibility results stronger, we focus on the weakest type of constructions: those that start from a weak one-way permutation and define a strong one-way function. We show that for every “fully black-box ” construction of a ɛ(n)-secure function based on a (1 − δ(n))-secure permutation, if q(n) is the number of oracle queries used in the construction and ℓ(n) is the input length of the new function, then we have q ≥ Ω ( 1 1 · log) and ℓ ≥ n + Ω(log 1/ɛ) − δ ɛ O(log q). This result is proved by showing that fully black-box reductions of strong to weak one-way functions imply the existence of “hitters ” and then by applying known lower bounds for hitters. We also show a sort of reverse connection, and we revisit the construction of Goldreich et al. (FOCS 1990) in terms of this reverse connection. Finally, we prove that any “weakly black-box ” construction with parameters q(n) and ℓ(n) better than the above lower bounds implies the unconditional existence of strong one-way functions (and, therefore, the existence of a weakly black-box construction with q(n) = 0). This result, like the one for fully black-box reductions, is proved by reasoning about the function defined by such a construction when using the identity permutation as an oracle. 1

### Citations

760 | A pseudorandom generator from any one-way function
- H̊astad, Impagliazzo, et al.
- 1999
(Show Context)
Citation Context ...ations. 1.1 Efficiency of Cryptographic Reductions Several fundamental results in the foundations of cryptography, most notably the proof that pseudorandom generators exist if one-way functions exist =-=[HILL99]-=-, are proved via constructions and reductions that are too inefficient to be used ⋆ Work supported by US-Israel BSF Grant 2002246. J. Kilian (Ed.): TCC 2005, LNCS 3378, pp. 34–49, 2005. c○ Springer-Ve... |

530 |
Theory and applications of trapdoor functions
- Yao
- 1982
(Show Context)
Citation Context ...ersary R (·) such that Rf inverts f() on a ≥ 1 − δ(n) fraction of inputs. Impossibility of Fully Black-Box Constructions. Our first main result is as follows. 2 This approach is typically credited to =-=[Yao82]-=-.s38 H. Lin, L. Trevisan, and H. Wee Theorem 1. Let F (·) be a fully black-box construction of ɛ(n)-secure functions from (1−δ(n))-secure permutations, let ℓ be the input length of F () , n the length... |

172 | Limits on the Provable Consequences of One-way Permutations
- Impagliazzo, Rudich
- 1988
(Show Context)
Citation Context ...nerators from one-way permutations and of signature schemes and encryption schemes from trapdoor permutations. The study of limitations of black-box reductions was initiated by Impagliazzo and Rudich =-=[IR89]-=-, who showed that key agreement and public-key encryption cannot be based on one-way functions or one-way permutations using blackbox reductions. Several other impossibility results for black-box redu... |

157 |
Pseudorandomness and cryptographic applications
- Luby, Luby
- 1996
(Show Context)
Citation Context ... than the input length of the original function. (In a security-preserving construction, the input length of the new function would be linear in the input length of the original one.) See for example =-=[Lub96]-=- for a discussion of “security preserving” reductions and the importance, in a cryptographic reduction, of not increasing the input length of the new primitive by too much. For one-way permutations, w... |

120 |
One-way Functions are Essential for Complexity Based Cryptography
- Impagliazzo, Luby
- 1989
(Show Context)
Citation Context ...usion that either G id isa(2δ, 2ɛ)-hitter or that one-way functions exist uncondtionally. The proof would have followed along the lines of the proof of Lemma 3, using a result of Impagliazzo and Luby =-=[IL89]-=- to construct a polynomial time algorithm that approximates algorithm A in thes48 H. Lin, L. Trevisan, and H. Wee proof of Lemma 3 assuming that one-way functions do not exist. We will give more detai... |

69 | Foundations of Cryptography : Volume 1 - Goldreich - 2001 |

68 | A Sample of Samplers: A Computational Perspective on Sampling (survey
- Goldreich
- 1997
(Show Context)
Citation Context ...tions. To prove Theorem 1, we first show that a fully black-box reduction of strong to weak one-way functions or permutations implies the existence of a disperser, or a “hitter” in the terminology of =-=[Gol97]-=- with efficiency parameters that depend on the efficiency of the reduction. A hitter is a randomized algorithm that outputs a small number of strings in {0, 1} n such that for every sufficiently dense... |

68 | Lower Bounds on the Efficiency of Generic Cryptographic Constructions
- Gennaro, Trevisan
- 2000
(Show Context)
Citation Context ...ucting a cryptographic primitive from another was by Kim, Simon and Tetali [KST99], in the context of constructing one-way hash functions from one-way permutations. Later work by Gennaro and Trevisan =-=[GT00]-=- and by Gennaro, Gertner and Katz [GGK03] has focused on constructions of pseudorandom generators from one-way permutations and of signature schemes and encryption schemes from trapdoor permutations. ... |

56 | The Relationship between Public Key Encryption and Oblivious Transfer - Gertner, Kannan, et al. - 2000 |

54 | Security Preserving Amplification of Hardness - Goldreich, Impagliazzo, et al. - 1990 |

38 | On the Impossibility of Basing Trapdoor Functions on Trapdoor Predicates
- Gertner, Malkin, et al.
- 2001
(Show Context)
Citation Context ...ations based on one-way functions, a result of Rudich [Rud91] ruling out round-reduction procedures in public key encryption, and results of Gertner et al. [GKM + 00] and Gertner, Malkin and Reingold =-=[GMR01]-=- giving a hierarchy of assumptions in public key encryption that cannot be proved equivalent using black-box reductions. 1.2 Black-Box Constructions To illustrate the definition of a black-box constru... |

32 | Limits on the Provable Consequences of One-Way Functions
- Rudich
- 1989
(Show Context)
Citation Context ...encryption cannot be based on one-way functions or one-way permutations using blackbox reductions. Several other impossibility results for black-box reductions are known, including a result of Rudich =-=[Rud88]-=- and Khan, Saks, and Smyth [KSS00] ruling out constructions of one-way permutations based on one-way functions, a result of Rudich [Rud91] ruling out round-reduction procedures in public key encryptio... |

24 | Tight bounds for depthtwo superconcentrators - Radhakrishnan, Ta-Shma - 1997 |

24 | Almost optimal dispersers
- Ta-Shma
- 2002
(Show Context)
Citation Context ...heorem 4. [Gol97] There exists a polynomial time computable (δ, ɛ)-hitter with sample complexity O( 1 δ log 1 ɛ ) and randomness complexity 2n + O(log 1 ɛ ). The construction of dispersers of Ta-Shma =-=[TS98]-=- give even tighter bounds. 2.4 Hardness of Inverting Random Permutations We begin by establishing that a permutation that is a random permutation on a subset of {0, 1} n of density 2δ and is the ident... |

19 | Very strong one-way functions and pseudo-random generators exist relative to a random oracle. (manuscript - Impagliazzo - 1996 |

18 | A dual version of reimer’s inequality and a proof of rudich’s conjecture
- Kahn, Saks, et al.
(Show Context)
Citation Context ...way functions or one-way permutations using blackbox reductions. Several other impossibility results for black-box reductions are known, including a result of Rudich [Rud88] and Khan, Saks, and Smyth =-=[KSS00]-=- ruling out constructions of one-way permutations based on one-way functions, a result of Rudich [Rud91] ruling out round-reduction procedures in public key encryption, and results of Gertner et al. [... |

13 |
The use of interaction in public cryptosystems
- Rudich
- 1991
(Show Context)
Citation Context ... black-box reductions are known, including a result of Rudich [Rud88] and Khan, Saks, and Smyth [KSS00] ruling out constructions of one-way permutations based on one-way functions, a result of Rudich =-=[Rud91]-=- ruling out round-reduction procedures in public key encryption, and results of Gertner et al. [GKM + 00] and Gertner, Malkin and Reingold [GMR01] giving a hierarchy of assumptions in public key encry... |

12 | Bounds on the efficiency of encryption and digital signatures
- Gennaro, Gertner, et al.
- 2002
(Show Context)
Citation Context ...other was by Kim, Simon and Tetali [KST99], in the context of constructing one-way hash functions from one-way permutations. Later work by Gennaro and Trevisan [GT00] and by Gennaro, Gertner and Katz =-=[GGK03]-=- has focused on constructions of pseudorandom generators from one-way permutations and of signature schemes and encryption schemes from trapdoor permutations. The study of limitations of black-box red... |

7 |
Salil Vadhan. Notions of reducibility between cryptographic primitives
- Reingold, Trevisan
- 2004
(Show Context)
Citation Context ...the reduction would not fit the above model. This model, in which both the “one-way function” f() and the adversary E are allowed to be of arbitrary complexity, is called the fully black-box model in =-=[RTV04]-=-. In all the above cited papers [IR89, Rud88, Rud91, KST99, KSS00, GT00, GKM + 00, GMR01, GGK03], as well as in the results of this paper, fully black-box reductions are ruled out unconditionally. A l... |

1 |
Limits on the efficiency of oneway permutations-based hash functions
- Kim, Simon, et al.
- 1999
(Show Context)
Citation Context ...namely “black-box” constructions and reductions. The first proof of a lower bound to the efficiency of a reduction for constructing a cryptographic primitive from another was by Kim, Simon and Tetali =-=[KST99]-=-, in the context of constructing one-way hash functions from one-way permutations. Later work by Gennaro and Trevisan [GT00] and by Gennaro, Gertner and Katz [GGK03] has focused on constructions of ps... |