Towards Non-Black-Box Separations of Public Key Encryption and One Way Function

Conference paper

DOI: 10.1007/978-3-662-53644-5_7

Volume 9986 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Dachman-Soled D. (2016) Towards Non-Black-Box Separations of Public Key Encryption and One Way Function. In: Hirt M., Smith A. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science, vol 9986. Springer, Berlin, Heidelberg

Abstract

Separating public key encryption from one way functions is one of the fundamental goals of complexity-based cryptography. Beginning with the seminal work of Impagliazzo and Rudich (STOC, 1989), a sequence of works have ruled out certain classes of reductions from public key encryption (PKE)—or even key agreement—to one way function. Unfortunately, known results—so called black-box separations—do not apply to settings where the construction and/or reduction are allowed to directly access the code, or circuit, of the one way function. In this work, we present a meaningful, non-black-box separation between public key encryption (PKE) and one way function.

Specifically, we introduce the notion of \(\mathsf {BBN}^-\) reductions (similar to the \(\mathsf {BBN}\)p reductions of Baecher et al. (ASIACRYPT, 2013)), in which the construction E accesses the underlying primitive in a black-box way, but wherein the universal reduction \({{\mathbb R}}\) receives the efficient code/circuit of the underlying primitive as input and is allowed oracle access to the adversary \(\mathsf {Adv}\). We additionally require that the functions describing the number of oracle queries made to \(\mathsf {Adv}\), and the success probability of \({{\mathbb R}}\) are independent of the run-time/circuit size of the underlying primitive. We prove that there is no non-adaptive, \(\mathsf {BBN}^-\)reduction from PKE to one way function, under the assumption that certain types of strong one way functions exist. Specifically, we assume that there exists a regular one way function f such that there is no Arthur-Merlin protocol proving that \(z \notin \mathsf {Range}(f)\), where soundness holds with high probability over “no instances,” \(y \sim f(U_n)\), and Arthur may receive polynomial-sized, non-uniform advice. This assumption is related to the average-case analogue of the widely believed assumption \(\mathsf {coNP}\not \subseteq \mathbf {NP}/{\mathrm{poly}}\).

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.University of MarylandCollege ParkUSA