## Limits on the Provable Consequences of One-way Permutations (1989)

### Cached

### Download Links

- [dsns.csie.nctu.edu.tw]
- [www.cs.cmu.edu]
- [www.cse.ucsd.edu]
- DBLP

### Other Repositories/Bibliography

Citations: | 172 - 0 self |

### BibTeX

@INPROCEEDINGS{Impagliazzo89limitson,

author = {Russell Impagliazzo and Steven Rudich},

title = {Limits on the Provable Consequences of One-way Permutations},

booktitle = {},

year = {1989},

pages = {44--61}

}

### Years of Citing Articles

### OpenURL

### Abstract

We present strong evidence that the implication, "if one-way permutations exist, then secure secret key agreement is possible" is not provable by standard techniques. Since both sides of this implication are widely believed true in real life, to show that the implication is false requires a new model. We consider a world where dl parties have access to a black box or a randomly selected permutation. Being totally random, this permutation will be strongly oneway in provable, information-thevretic way. We show that, if P = NP, no protocol for secret key agreement is secure in such setting. Thus, to prove that a secret key greement protocol which uses a one-way permutation as a black box is secure is as hrd as proving F NP. We also obtain, as corollary, that there is an oracle relative to which the implication is false, i.e., there is a one-way permutation, yet secret-exchange is impossible. Thus, no technique which relativizes can prove that secret exchange can be based on any one-way permutation. Our results present a general framework for proving statements of the form, "Cryptographic application X is not likely possible based solely on complexity assumption Y." 1

### Citations

3213 | A Method for Obtaining Digital Signatures and Public Key Cryptosystems
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ...er assumption that one-way permutations exist. This should be of some concern to cryptographers, in that there are very few conjectured trapdoor functions that have withstood serious crypto-analysis (=-=[RSA78]-=- and variants being the exceptions) and there are few secret agreement methods not based on trapdoor functions (basically all variants on [DH76] ). Since all current methods are based on number theory... |

2990 | New directions in cryptography - Diffie, Hellman - 1976 |

1251 | Probabilistic Encryption - Goldwasser, Micali - 1984 |

866 | Algorithms for quantum computation: Discrete logarithms and factoring
- Shor
- 1994
(Show Context)
Citation Context ...e all current methods are based on number theory, it is possible that a new advance in this subject could eliminate all current methods of secret agreement at once. (For another potential threat, see =-=[Shor84]-=-.) Already, improved algorithms have forced key sizes in secret agreement protocols beyond what was believed unbreakable at the time RSA was introduced ([DDLM93]). We provide strong evidence that it w... |

668 | How to construct random functions - Goldreich, Goldwasser, et al. - 1986 |

626 | Micali: How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits - Blum, Silvio - 1984 |

540 | How to Play any Mental Game – A Completeness Theorem for Protocols with Honest Majority - Goldreich, Micali, et al. - 1987 |

530 |
Theory and applications of trapdoor functions
- Yao
- 1982
(Show Context)
Citation Context ... commitment with strong sender is possible Collision free functions exist Table 1: ular, it is known that the existence of a one-way permutation implies the following: pseudo-random generators exist (=-=[Yao82]-=-), private-key encryption is possible ([GM84, GGM84, LR86]), strong committer bit commitment is possible ([Yao82, GMW87]), telephone coin flipping is possible ([Blu82]), and electronic signatures are ... |

322 | M.: Universal One-Way Hash Functions and their Cryptographic Applications
- Naor, Yung
- 1989
(Show Context)
Citation Context ...-key encryption is possible ([GM84, GGM84, LR86]), strong committer bit commitment is possible ([Yao82, GMW87]), telephone coin flipping is possible ([Blu82]), and electronic signatures are possible (=-=[NY]-=-). All of the preceding results relativize. We construct an oracle O relative to which one-way permutations exist, but for which no secret agreement protocol is secure. From relativized versions of th... |

321 |
Minimum disclosure proofs of knowledge
- Brassard, Chaum, et al.
- 1988
(Show Context)
Citation Context ...] ), electronic signatures ( [DH76] , [GMR84] ), private-key cryptography ( [GM84, GGM84, LR86, Rac88]), bitcommitment (both the strong committer version ( [GMW87] ) and the strong receiver version ( =-=[BCC87]-=- ) ), identification ( [DH76], [FFS86] ), electronic voting ( [Ben87]), oblivious transfer ( [Blu81, Rab81] ), and secret agreement itself ( [DH76, Mer78] ). General assumptions which have been used i... |

319 | How to Exchange Secrets by Oblivious Transfer - Rabin - 1981 |

311 | Algebraic methods for interactive proof systems
- Lund, Fortnow, et al.
- 1992
(Show Context)
Citation Context ...ld relative to any oracle). Non-relativizing proofs are few and far between not only in cryptography, but in complexity theory as a whole (although admittedly not as few as there were a few years ago =-=[LFKN90]-=-,[Sha90]). Since the technique of examining complexity relative to an oracle was introduced in [BGS75], relativization results have been used to provide evidence for the difficulty of resolving questi... |

302 | How to construct pseudorandom permutations from pseudorandom functions - Luby, Rackoff - 1988 |

234 |
Veriable Secret-Ballot Elections
- Benaloh
- 1987
(Show Context)
Citation Context ...aphy ( [GM84, GGM84, LR86, Rac88]), bitcommitment (both the strong committer version ( [GMW87] ) and the strong receiver version ( [BCC87] ) ), identification ( [DH76], [FFS86] ), electronic voting ( =-=[Ben87]-=-), oblivious transfer ( [Blu81, Rab81] ), and secret agreement itself ( [DH76, Mer78] ). General assumptions which have been used in cryptography include the existence of : one-way permutations ( [P74... |

207 | One-Way Functions are Necessary and Sufficient for Secure Signatures - Rompel - 1990 |

145 |
Secure Communications over Insecure Channels
- Merkle
- 1978
(Show Context)
Citation Context ..., as long as this time is polynomial. However, in real life, a protocol taking a large degree polynomial time to break may be almost as good as one secure against any polynomial time adversary. Merkle=-=[Mer78]-=- has suggested a protocol, based on any one-way function, the breaking of which would require an eavesdropper to take time quadratic 20 in the time taken by the participants. (Here, time is measured a... |

121 | Coin Flipping by Telephone: A Protocol for Solving Impossible Problems - Blum - 1982 |

120 | One-way Functions are Essential for Complexity Based Cryptography - Impagliazzo, Luby - 1989 |

50 |
Relativizations of the P=?NP question
- Baker, Gill, et al.
- 1975
(Show Context)
Citation Context ...le). Non-relativizing proofs are few and far between not only in cryptography, but in complexity theory as a whole. Since the technique of examining complexity relative to an oracle was introduced in =-=[BGS75]-=-, relativization results have been used to provide evidence for the difficulty of resolving questions in complexity theory [BG81]. (We will later briefly discuss the possibility that a non-relativizin... |

43 | Direct Minimum-Knowledge Computations - Impagliazzo, Yung - 1988 |

35 | A “Paradoxical” Solution to the Signature Problem - Goldwasser, Micali, et al. - 1984 |

32 | Limits on the Provable Consequences of One-Way Functions
- Rudich
- 1989
(Show Context)
Citation Context ...hic assumptions each having different implications. The picture of black box reduction is not complete. For example, it is open whether a one-way permutation can be based on a one-way function. Rudich=-=[Rud88]-=- has shown that if a certain unproven combinatorial conjecture holds then there is no such black box reduction. The possibility of a non black box reduction from one-way functions to secret key agreem... |

31 | Relativized Cryptography - Brassard - 1983 |

29 | Pseudorandom Number Generation from any OneWay Function - Impagliazzo, Levin, et al. - 1989 |

23 | Three applications of the oblivious transfer: Part I: Coin flipping by the telephone; part II: How to exchange secrets; part III: How to send certified electronic mail - Blum - 1981 |

22 | Valiant and V. Vazirani.Random Generation of Combinatorial Structures from a Uniform Distribution - Jerrum, L - 1986 |

20 |
Relative to a random oracle A, P A 6= NP A 6= co \Gamma NP A with probability 1
- Bennett, Gill
- 1981
(Show Context)
Citation Context ...nique of examining complexity relative to an oracle was introduced in [BGS75], relativization results have been used to provide evidence for the difficulty of resolving questions in complexity theory =-=[BG81]-=-. (We will later briefly discuss the possibility that a non-relativizing proof basing secure secret agreement on a one-way permutation can be found.) Relativized complexity has not been frequently use... |

14 | On the factorization of RSA-120
- Denny, Dodson, et al.
- 1994
(Show Context)
Citation Context ...ce. (For another potential threat, see [Shor84].) Already, improved algorithms have forced key sizes in secret agreement protocols beyond what was believed unbreakable at the time RSA was introduced (=-=[DDLM93]-=-). We provide strong evidence that it will be difficult to prove that secure secret agreement is possible assuming only that a one-way permutation exists. We model the existence of a one-way permutati... |

7 | Secure communication over an insecure channel.” Common. Ass - Merkle - 1978 |

7 | A Time-Luck Tradeoff in Relativized Cryptography - Brassard - 1981 |

5 |
Rivest: A "Paradoxical" Solution to the Signature
- Goldwasser, Micali, et al.
- 1984
(Show Context)
Citation Context ...y will still be able to follow the general idea of the following discussion. Cryptographic tasks to be discussed here include: coin flipping by telephone ( [Blu82] ), electronic signatures ( [DH76] , =-=[GMR84]-=- ), private-key cryptography ( [GM84, GGM84, LR86, Rac88]), bitcommitment (both the strong committer version ( [GMW87] ) and the strong receiver version ( [BCC87] ) ), identification ( [DH76], [FFS86]... |

2 | An optimally secure relativized cryptosystem. Advances in Cryptography, a Report on CRYPTO 81 - Brassard - 1982 |

2 | A basic theory of public and private cryptosystems - Rackoff - 1988 |

2 |
Perfect Zero-Knowledge Arguments for
- Naor, Ostrovsky, et al.
- 1992
(Show Context)
Citation Context ...o-random generators exist ([Yao82]), private-key encryption is possible ([GM84, GGM84, LR86]), strong commiter bit commitment is possible ([Yao82, GMW87]), strong receiver bit commitment is possible (=-=[NOVY92]-=-), telephone coin flipping is possible ([Blu82]), and electronic signatures are possible ([NY89]). All of the preceding results relativize. We construct an oracle O relative to which one-way permutati... |

1 | Relative to a random oracle A, P'4neNP'4neCo - NP '4 with probability 1 - Bennett, Gill - 1981 |

1 | Springer-Verlag [Ben87] [Blu81] [Blu82] IBM84] [Brai [Bra83] [CKS81] [DH76] [FFSS6] [GGM84] [GMW87] [GM84] [GM1%84 - Copyright - 1998 |

1 | Relativized cryptography - Brassaxd - 1983 |

1 | Zero-knowledge proofs of identity. STOC - Feige, Fiat, et al. - 1987 |

1 | Springer-Verlag [I88] [jvvs6] [Mer78] [NY] [P741 [RabSl] [Rac88] [Yax)82] R.. Impagliazzo Proofs that relativize, and proofs that do not. Unpublished manuscript - Copyright - 1998 |

1 | Purdy A high security log-in procedure - P - 1974 |

1 |
Proofs that relativize, and proofs that do not. Unpublished manuscript
- Impagliazzo
- 1988
(Show Context)
Citation Context ...nctions (by relativizing techniques) [HILL91, IL89, Rom90, Naor89]. Some caution is needed in interpreting these results, since at least one non-relativizing construction in cryptography is known. In =-=[I88] it is sho-=-wn that the theorem proved in [GMW87], 3 "the existence of a one-way permutation implies the existence of zero-knowledge protocols for all languages in NP ", fails with respect to a random p... |

1 |
The Number of Rounds of Interaction in Secret-key Agreement Protocols
- Rudich
- 1991
(Show Context)
Citation Context ...sly given a list of applications at least as strong as secret key agreement; that these are unlikely to be a consequences of the existence of a one-way permutation follows from the result here. Rudich=-=[Rud91]-=- has shown that, from the point of view of black box reducibility, it is not possible to base a k-round secret key agreement protocol on a secret key agreement protocol requiring k + 1 rounds. Thus, i... |