TCC 2016: Theory of Cryptography pp 169-191

# Towards Non-Black-Box Separations of Public Key Encryption and One Way Function

Conference paper

DOI: 10.1007/978-3-662-53644-5_7

Volume 9986 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Dachman-Soled D. (2016) Towards Non-Black-Box Separations of Public Key Encryption and One Way Function. In: Hirt M., Smith A. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science, vol 9986. Springer, Berlin, Heidelberg

## Abstract

Separating public key encryption from one way functions is one of the fundamental goals of complexity-based cryptography. Beginning with the seminal work of Impagliazzo and Rudich (STOC, 1989), a sequence of works has ruled out certain classes of reductions from public key encryption (PKE)—or even key agreement—to one way function. Unfortunately, known results—so-called black-box separations—do not apply to settings where the construction and/or reduction are allowed to directly access the code, or circuit, of the one way function. In this work, we present a meaningful, non-black-box separation between public key encryption (PKE) and one way function.

Specifically, we introduce the notion of $$\mathsf {BBN}^-$$ reductions (similar to the $$\mathsf {BBN}$$p reductions of Baecher et al. (ASIACRYPT, 2013)), in which the construction E accesses the underlying primitive in a black-box way, but wherein the universal reduction $${{\mathbb R}}$$ receives the efficient code/circuit of the underlying primitive as input and is allowed oracle access to the adversary $$\mathsf {Adv}$$. We additionally require that the functions describing the number of oracle queries made to $$\mathsf {Adv}$$, and the success probability of $${{\mathbb R}}$$, are independent of the run-time/circuit size of the underlying primitive. We prove that there is no non-adaptive, $$\mathsf {BBN}^-$$ reduction from PKE to one way function, under the assumption that certain types of strong one way functions exist. Specifically, we assume that there exists a regular one way function f such that there is no Arthur-Merlin protocol proving that $$z \notin \mathsf {Range}(f)$$, where soundness holds with high probability over “no instances,” $$y \sim f(U_n)$$, and Arthur may receive polynomial-sized, non-uniform advice. This assumption is related to the average-case analogue of the widely believed assumption $$\mathsf {coNP}\not \subseteq \mathbf {NP}/{\mathrm{poly}}$$.