Advances in Cryptology – CRYPTO 2010

Volume 6223 of the series Lecture Notes in Computer Science pp 649-665

Time Space Tradeoffs for Attacks against One-Way Functions and PRGs

  • Anindya DeAffiliated withUniversity of California at Berkeley
  • , Luca TrevisanAffiliated withUniversity of California at Berkeley and Stanford University
  • , Madhur TulsianiAffiliated withInstitute for Advanced Study, Princeton


We study time space tradeoffs in the complexity of attacks against one-way functions and pseudorandom generators.

Fiat and Naor [7] show that for every function f: [N]→[N], there is an algorithm that inverts f everywhere using (ignoring lower order factors) time, space and advice at most N 3/4.

We show that an algorithm using time, space and advice at most
$$ \max \{ \epsilon^{\frac 54} N^{\frac 34} \ , \ \sqrt{\epsilon N} \} $$
exists that inverts f on at least an ε fraction of inputs. A lower bound of \(\tilde \Omega(\sqrt { \epsilon N })\) also holds, making our result tight in the “low end” of \(\epsilon \leq \sqrt[3]{\frac{1}{N}}\).

(Both the results of Fiat and Naor and ours are formulated as more general trade-offs between the time and the space and advice length of the algorithm. The results quoted above correspond to the interesting special case in which time equals space and advice length.)

We also show that for every length-increasing generator G:[N] →[2N] there is a algorithm that achieves distinguishing probability ε between the output of G and the uniform distribution and that can be implemented in polynomial (in logN) time and with advice and space O(ε 2 ·NlogN). We prove a lower bound of S·T ≥ Ω(ε 2 N) where T is the time used by the algorithm and S is the amount of advice. This lower bound applies even when the distinguisher has oracle access to G.

We prove stronger lower bounds in the common random string model, for families of one-way permutations and of pseudorandom generators.


One-way functions pseudorandom generators random permutations time-space tradeoffs