Enhancements are Blackbox Non-trivial: Impossibility of Enhanced Trapdoor Permutations from Standard Trapdoor Permutations

Hajiabadi, Mohammad

doi:10.1007/978-3-030-03807-6_17

Mohammad Hajiabadi^15,16

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11239))

Included in the following conference series:

Theory of Cryptography Conference

831 Accesses

Abstract

Trapdoor permutations (TDP) are a fundamental primitive in cryptography. Several variants of this notion have emerged as a result of different applications. However, it is not clear whether these variants can be based on the standard notion of TDPs.

We study the question of whether enhanced trapdoor permutations can be based on classical trapdoor permutations. The main motivation of our work is in the context of existing TDP-based constructions of oblivious transfer and non-interactive zero knowledge protocols, which require enhancements to the classical TDP notion. We prove that these enhancements are non-trivial, in the sense that there does not exist fully blackbox constructions of enhanced TDPs from classical TDPs.

On the technical side, we show that the enhanced TDP security of any construction in the random TDP oracle world can be broken via a polynomial number of queries to the TDP oracle as well as a weakening oracle, which provides inversion with respect to randomness. We also show that the standard one-wayness of the random TDP oracle stays intact in the presence of this weakening oracle.

You have full access to this open access chapter, Download conference paper PDF

Oblivious Transfer from Trapdoor Permutations in Minimal Rounds

On the Impossibility of Basing Public-Coin One-Way Permutations on Trapdoor Permutations

Injective Trapdoor Functions via Derandomization: How Strong is Rudich’s Black-Box Barrier?

Article 11 August 2021

1 Introduction

Trapdoor permutations (TDPs) [RSA78, Rab79] are a family of permutations, where each permutation in the family is easy to compute given the underlying index key, and also easy to invert given a corresponding trapdoor key. The classical notion of one-wayness for TDPs states that it is hard to invert a randomly chosen permutation from the family on a random image. While classical TDPs suffice for many applications, such as public-key encryption (PKE) [Yao82], parallel constructions of pseudorandom synthesizers [NR99], etc., for certain applications we need to strengthen this basic one-wayness notion. The main reason is that in protocols in which TDPs are used, the adversary may sometimes have some side information about the underlying image element, which may give her some advantage.

Technically, TDPs come with a sampling algorithm $\mathsf {S}$, which, on input an index key $\mathrm {IK}$ and random coins $\mathrm {R}$, outputs an element from the domain $\mathsf {Dom}_{\mathrm {ik}}$ of the permutation $\mathsf {E}({\mathrm {IK}}, \cdot )$. We call a TDP enhanced if it is hard to find the pre-image of a random image element $\mathrm {Y}:= \mathsf {S}(\mathrm {IK}; \mathrm {R})$ even if the inverter is given the randomness $\mathrm {R}$ (along with $\mathrm {IK}$). Intuitively, enhanced TDPs allow a sampler, given only the underlying index key, to sample an image point obliviously to its pre-image: if we sample $\mathrm {Y}= \mathsf {S}(\mathrm {IK}; \mathrm {R})$ for a random $\mathrm {R}$, then even given $\mathrm {R}$, we are still oblivious to the corresponding pre-image of $\mathrm {Y}$.

To see when this need of enhancement arises, consider the classical construction of hones-but-curious oblivious transfer (OT) protocols [EGL82, GMW87]. In this setting, a receiver $\mathsf {Alice}(\mathrm {b}, \cdot )$ with input bit $\mathrm {b}$ wishes to secretly learn the message $\mathrm {m}_\mathrm {b}$ of $\mathsf {Bob}$’s two messages $(\mathrm {m}_0, \mathrm {m}_1)$. She does so by sending two image elements $\mathrm {Y}_1$ and $\mathrm {Y}_2$ of a TDP $\mathsf {E}(\mathrm {IK},\cdot )$, where $\mathrm {IK}$’s trapdoor key is only known to $\mathsf {Bob}$, in such a way that $\mathsf {Alice}$ knows the pre-image of $\mathrm {Y}_\mathrm {b}$ but not of $\mathrm {Y}_{1-\mathrm {b}}$. She does so by sampling $\mathrm {Y}_{1-\mathrm {b}}$ obliviously and by sampling $\mathrm {Y}_\mathrm {b}$ by applying $\mathsf {E}({\mathrm {IK}}, \cdot )$ on a random domain element $\mathrm {X}$. $\mathsf {Bob}$ sends to $\mathsf {Alice}$ encryptions $\mathrm {c}_1$ and $\mathrm {c}_2$ of the two bits $\mathrm {m}_0$ and $\mathrm {m}_1$ under the standard TDP-based PKE construction, using $\mathrm {Y}_0$ and $\mathrm {Y}_1$ as the ‘encoded randomness.’ $\mathsf {Alice}$ can open $\mathrm {c}_{\mathrm {b}}$ to recover $\mathrm {Y}_{\mathrm {b}}$. In order to ensure privacy for $\mathsf {Bob}$, we need to assume that the underlying TDP is enhanced one-way.

The need for strengthening the notion of TDPs was first discovered by Bellare and Yung [BY93], noting that the previous TDP-based non-interactive zero knowledge (NIZK) construction in [FLS90] requires the set of valid permutations to be certifiable. Goldreich [Gol04] was the first to realize the need for enhanced TDPs in the context of OT constructions. It was also later discovered that for the TDP-based non-interactive zero knowledge (NIZK) protocol [FLS90] the zero-knowledge property relies on the TDP being doubly enhanced [Gol11], in addition to the certifiability property. Informally, doubly-enhanced TDPs are enhanced TDPs that provide the feature that given an index key $\mathrm {IK}$ it is possible to sample random coins $\mathrm {R}_{y}$ together with the pre-image of $\mathsf {S}(\mathrm {IK}, \mathrm {R}_y)$. As noted in [Gol11, GR13] the main reason these requirements were not noticed earlier is because TDPs had implicitly been assumed to be permutations over $\{0,1\}^\mathrm {\kappa }$ (or over domains which enable trivial sampling algorithms). While these idealized TDPs are doubly enhanced, we do not have any candidate constructions for them.

Faced with this difficulty, Haitner [Hai04] gives a more complicated OT protocol which works with respect to any classical TDP with dense domains. It is not however clear whether such TDPs can be built from classical one-way TDPs.

In summary, the possibility of basing OT or NIZK on classical TDPs remains unknown. One way to address these is to investigate whether enhanced TDPs can be constructed from standard TDPs.

1.1 Our Result and Discussion

We take a first step toward understanding the relationships between various notions of TDPs. Our main result shows that enhanced TDPs cannot be constructed from classical TDPs in a fully blackbox way (in the taxonomy of [RTV04]). We give an overview of our result and techniques in Sect. 1.2. In what follows, we discuss the significance of our work.

TDPs are rather coarse as a primitive, since the set of assumptions from which TDPs can be built is relatively small, being limited to factoring-related assumptions [RSA78, Rab79] and obfuscation-based assumptions [BPW16]. Also, variants of the popular RSA and Rabin TDPs (see e.g., [KKM12]) as well as variants of iO-based TDPs are already doubly enhanced [GR13, BPW16].^{Footnote 1} Given this state of affairs, one may ask about the motivations of this work. We provide the following motivations.

In a similar vein, Hsiao and Reyzin [HR04] draw attention to the distinction between secret-coin collision resistant hash functions (CRHF) and public-coin CRHF by showing that the latter cannot be constructed from the former in a blackbox way. Prior to their work, these two notions had been deemed to be equivalent. In some sense, our result shows that a similar situation relating to public-versus-secret coins holds in the TDP setting as well, emphasizing the need of rigorously showing which version is required in each application and achieved by a future construction.
Goldreich and Rothblum [Gol11] show that the TDP-based PKE construction, when instantiated with enhanced TDPs, offer properties, such as oblivious ciphertext samplability, that have useful applications. This gives applications beyond the OT and NIZK settings, and serves as another motivation for studying the possibility of basing enhanced TDPs on standard TDPs.
TDPs turn out to be tricky objects to define, because after several decades of research, still new aspects of this primitive are revealed, which turn out to be required by some applications, but which were overlooked before. (See for example the recent work of [CL17]). Faced with this landscape of TDP with various properties, from a theoretical point of view, one would like to understand to what extent these notions relate to each other, elucidating and simplifying the landscape.

Open Problems. Our work leads to the following open problem: is it possible to prove that OT cannot be based on standard TDPs in a blackbox way? Since our work removes one path toward this goal, our techniques may be useful in an eventual separation (if at all possible).

Other Related Work. There is a rich body of research on understanding the limitations of TDPs. In particular, we know that TDPs cannot be used in a blackbox way to construct two-message statistically-hiding commitments [Fis02], identity-based encryption [BPR+08], correlated-secure trapdoor functions [Vah10] and verifiable random functions [FS12]. To the best of our knowledge, all these separations still hold even if the base TDP is doubly enhanced. Haitner et al. [HHRS07] give lower-bounds on the round complexity of statistically-hiding commitments making blackbox use of TDPs. There is a positive construction of TDPs from indistinguishability obfuscations (IO) and one-way functions [BPW16], which is not so-called domain invariant. The result of Asharov and Segev [AS16] justifies this, showing that current non-blackbox iO-based techniques are not sufficient to give us domain-invariant TDPs.

Gertner et al. [GKM+00] show that TDPs cannot be built from trapdoor functions (TDFs) in a blackbox way. Their result is incomparable to ours (and their techniques are also different), because their base primitive is TDFs, and in their proof they make essential of the fact that the domain of a TDF can be different from the range. Our result in contrast is about a separation between two notions of TDPs.

1.2 Technical Overview

As common in blackbox impossibility results, we will prove our impossibility by giving an oracle relative to which the base primitive exists, but not the target primitive. Consider a random TDP oracle $\mathbf {O}= (\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d})$ with the following sub-oracles. The key-generation oracle $\mathbf {g}: \{0,1\}^\mathrm {\kappa }\mapsto \{0,1\}^\mathrm {\kappa }$ is a random injective function mapping a trapdoor key $\mathrm {tk}$ to an index key $\mathrm {ik}$. The evaluation oracle $\mathbf {e}(\mathrm {ik}, \cdot ) : \{0,1\}^{5 \mathrm {\kappa }} \mapsto \{0,1\}^{5 \mathrm {\kappa }}$ on an index key $\mathrm {ik}$ is defined over all elements in $\{0,1\}^{5 \mathrm {\kappa }}$; however, $\mathbf {e}(\mathrm {ik}, \cdot )$ is a permutation only over a sparse subset $\mathsf {Dom}_{\mathrm {ik}}$ of $\{0,1\}^{5 \mathrm {\kappa }}$, where $|\mathsf {Dom}_{\mathrm {ik}}| = 2^\mathrm {\kappa }$ (hence the name sparseness). That is, we have $\mathbf {e}(\mathrm {ik}, \mathsf {Dom}_{\mathrm {ik}}) = \mathsf {Dom}_{\mathrm {ik}}$.

The sampling oracle $\mathbf {s}(\mathrm {ik}, \cdot )$ is a random injective function which allows us to sample from $\mathsf {Dom}_{\mathrm {ik}}$: given a string $\mathrm {r}\in \{0,1\}^\mathrm {\kappa }$, $\mathbf {s}(\mathrm {ik}, \mathrm {r})$ returns an element in $\mathsf {Dom}_{\mathrm {ik}}$. Finally, the inversion oracle $\mathbf {d}$ is defined in a manner consistent with the other oracles.

The Oracle $\mathbf {O}$ by Itself is Too Strong. Such a randomly chosen oracle $\mathbf {O}$ is overly strong, satisfying already all enhanced forms of one-wayness. Thus, it cannot be taken as is for deriving an impossibility. To address this problem, we will add a weakening oracle $\mathbf {u}$, which does not harm the standard one-wayness of $\mathbf {O}$, but which helps us break the enhanced one-wayness of any blackbox construction $(\mathsf {G}^{\mathbf {O}}, \mathsf {S}^{\mathbf {O}}, \mathsf {E}^{\mathbf {O}}, \mathsf {D}^{\mathbf {O}} )$. Our blackbox separation will then follow from this.

Intuition Behind the Weakening Oracle $\mathbf {u}$. As a starter, suppose we are content with $\mathbf {u}$ only breaking the enhanced one-wayness of $\mathbf {O}$ (as opposed to any TDP construction from $\mathbf {O}$). Thus, $\mathbf {u}$ should provide help for an inverter who has the randomness of the challenge image. A natural choice for $\mathbf {u}$ would be the following: on input $\mathbf {u}(\mathrm {ik}, \mathrm {r})$, let $\mathrm {y}:= \mathbf {s}(\mathrm {ik}, \mathrm {r})$ and return $\mathrm {x}\in \mathsf {\mathsf {Dom}_{\mathrm {ik}}}$ for which we have $\mathbf {e}(\mathrm {ik}, \mathrm {x}) = \mathrm {y}$.

Indeed, the above oracle $\mathbf {u}$ breaks the enhanced one-wayness of $\mathbf {O}$. We can also see that the oracle $\mathbf {u}$ does not harm the standard one-wayness of $\mathbf {O}$. This is because of the sparse and random nature of the outputs of the oracles, making the oracle $\mathbf {u}$ effectively useless for standard one-wayness. However, this oracle $\mathbf {u}$ is not much useful beyond this simple scenario. In particular, imaging a self-composing TDP construction, whose evaluation algorithm $\mathsf {E}^\mathbf {e}$ is the self-composition of $\mathbf {e}(\mathrm {ik}, \cdot )$; i.e., $\mathsf {E}^\mathbf {e}(\mathrm {ik}, \mathrm {x}) = \mathbf {e}(\mathrm {ik}, \mathbf {e}(\mathrm {ik}, \mathrm {x}))$. An adversary $\mathcal {A}$ against enhanced one-wayness is given $(\mathrm {ik}, \mathrm {r}, \mathrm {y})$, and should find $\mathrm {x}$ such that $\mathrm {y}= \mathbf {e}(\mathrm {ik}, \mathbf {e}( \mathrm {ik}, \mathrm {x}))$. Given the randomness $\mathrm {r}$, the adversary $\mathcal {A}$ can find $\mathrm {x}_0$ such that $\mathbf {e}(\mathrm {ik}, \mathrm {x}_0) = \mathrm {y}$ by calling $\mathbf {u}(\mathrm {ik}, \mathrm {r})$, but $\mathcal {A}$ cannot continue to get to $\mathrm {x}$, because $\mathcal {A}$ does not have the randomness of $\mathrm {x}_0$.

Description of the Oracle $\mathbf {u}$. The above discussion directs us toward a natural choice of $\mathbf {u}$: on input $(\mathrm {ik}, \mathrm {r})$, letting $\mathrm {y}:= \mathbf {s}(\mathrm {ik}, \mathrm {r})$, the oracle $\mathbf {u}(\mathrm {ik}, \mathrm {r})$ returns the randomness of the pre-image of $\mathrm {y}$, not the pre-image itself. That is, letting $\mathrm {x}\in \mathsf {Dom}_{\mathrm {ik}}$ be such that $\mathbf {e}(\mathrm {ik},\mathrm {x}) = \mathrm {y}$, the oracle $\mathbf {u}(\mathrm {ik},\mathrm {r})$ returns $\mathrm {r}_0$, where $\mathbf {s}(\mathrm {ik},\mathrm {r}_0) = \mathrm {x}$.

Returning to the construction example above, it is not hard to see that this new oracle $\mathbf {u}$ not only breaks the enhanced one-wayness of the self-composition construction, but that of more general k-composition constructions, in which we compose $\mathbf {e}(\mathrm {ik}, \cdot )$ k times. One would just need to sequentially call $\mathbf {u}$ k times to get down to the base pre-image.

The Construction does not Call $\mathbf {u}$ Itself. We will assume that the construction $(\mathsf {G}^\mathbf {O}, \mathsf {S}^\mathbf {O}, \mathsf {E}^\mathbf {O}, \mathsf {D}^\mathbf {O})$, which we want to show that can be broken by a polynomial number of queries to $(\mathbf {O}, \mathbf {u})$, does not call $\mathbf {u}$ itself. This is sufficient for deriving a fully blackbox separation because the base oracle $\mathbf {O}$ by itself is a one-way TDP against all poly-query adversaries with access to $(\mathbf {O}, \mathbf {u})$. Our separation model is close to those of [GMR01, HR04], which only rule out fully-blackbox constructions, as opposed to the earlier models of [IR89, Sim98, GKM+00], which also rule out relativizing reductions.

Main Techniques. We now give a high-level sketch of how to attack a general construction $(\mathsf {G}^\mathbf {O}, \mathsf {S}^\mathbf {O}, \mathsf {E}^\mathbf {O}, \mathsf {D}^\mathbf {O})$. Let $(\mathrm {IK}, \mathrm {R})$ be the challenge input to the adversary: if $\mathrm {Y}:= \mathsf {S}^\mathbf {O}(\mathrm {IK}; \mathrm {R})$, the adversary should invert $\mathrm {Y}$ w.r.t. $\mathrm {IK}$. The main difficult part in inverting $\mathrm {Y}$ is to reply to queries for which we need to invert some image $\mathrm {y}$ w.r.t. the oracle $\mathbf {e}(\mathrm {ik}, \cdot )$. We denote such queries as $\mathbf {e}^{-1}(\mathrm {ik}, \mathrm {y})$: namely, if $\mathbf {e}(\mathrm {ik}, \mathrm {x}) = \mathrm {y}$, then $\mathbf {e}^{-1}(\mathrm {ik}, \mathrm {y}) = \mathrm {x}$.

As in the above k-composition construction example, suppose (informally) one can start the decryption execution of $\mathrm {Y}$ without having the underlying inversion key; namely, it is just a matter of answering a few oracle queries of the form $\mathbf {e}^{-1}(\mathrm {ik}, \mathrm {y})$ for various $(\mathrm {ik}, \mathrm {y})$. Roughly, for any meaningful query $\mathrm {qu} := \mathbf {e}^{-1}(\mathrm {ik}, \mathrm {y})$ during this execution we will have two cases: (I) $\mathrm {y}$ was generated during the process which produced $(\mathrm {IK}, *) \xleftarrow {\$}\mathsf {G}^\mathbf {O}(1^\mathrm {\kappa })$: namely, during this process there was a query/response $((\mathrm {ik}, \mathrm {x}) \xrightarrow [\mathbf {e}]{} \mathrm {y})$ or $((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {s}]{} \mathrm {y})$ for some $\mathrm {x}$ and $\mathrm {r}$, and (II) $\mathrm {y}$ was generated during the execution of $\mathrm {Y}:= \mathsf {S}^\mathbf {O}(\mathrm {IK}; \mathrm {R})$.

We will show that cases (I) and (II) are the only likely cases; this is roughly because otherwise one can forge such a valid $(\mathrm {ik}, \mathrm {y})$ without making a corresponding query: This is very unlikely because of the sparseness of the oracle outputs.

Let $\mathsf {Q}_s$ be the set of all queries/responses during $\mathsf {S}^\mathbf {O}(\mathrm {IK}; \mathrm {R})$. If during the inversion of $\mathrm {Y}$ Case (II) holds, then either $((\mathrm {ik}, \mathrm {x}) \xrightarrow [\mathbf {e}]{} \mathrm {y})$ in $\mathsf {Q}_s$, in which case the answer to the query $\mathrm {qu}$ is clear, or $((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {s}]{} \mathrm {y})$ is in $\mathsf {Q}_s$, which can be used along with the oracle $\mathbf {u}$ to reply to the query $\mathsf {qu}$.

The main difficult part of our analysis involves handling Case (I): in this case the adversary does not have enough information to reply to $\mathrm {qu}$ correctly. At a high-level, our solution is as follows. We will distinguish between two types of such $\mathrm {qu}$ queries: important and immaterial. We say $\mathrm {qu}$ is important if a query/response $((\mathrm {ik}, *) \xrightarrow [\mathbf {s}]{} \mathrm {y})$ or $((\mathrm {ik}, *) \xrightarrow [\mathbf {e}]{} \mathrm {y})$ happens with ‘good’ probability during a random execution of $\mathrm {X}' \xleftarrow {\$}\mathsf {S}^{\mathbf {O}}(\mathrm {IK})$ followed by $\mathsf {E}^{\mathbf {O}}(\mathrm {IK}, \mathrm {X}')$. If $\mathrm {qu}$ is important, then $\mathbf {e}^{-1}(\mathrm {ik}, \mathrm {y})$ is likely to be determined by performing these two preceding executions many times. If $\mathrm {qu}$ is immaterial (namely, it will not be picked up during these many sample executions), then we will show that during the inversion of $\mathrm {Y}$ one may reply to $\mathrm {qu}$ with a random answer without making the result of the overall inversion of $\mathrm {Y}$ significantly skewed. The intuition is: in this case neither of $((\mathrm {ik}, *) \xrightarrow [\mathbf {s}]{} \mathrm {y})$ and $((\mathrm {ik}, *) \xrightarrow [\mathbf {e}]{} \mathrm {y})$ are likely to happen during the sampling algorithm that produced the challenge pre-image $\mathrm {X}$ and during $\mathsf {E}^\mathbf {O}(\mathrm {IK}, \mathrm {X})$ which results in $\mathrm {Y}$. We will use this intuition to build hybrid oracles, denoted $\mathbf {O}\Diamond \widetilde{\mathbf {O}}$, which provide random answers to such immaterial queries but relative to which all of $\mathrm {IK}$, $\mathrm {X}$ and $\mathrm {Y}$ are valid.

In Sect. 4 we will give a more concrete overview of our techniques and approach by showing how to break the enhanced one-wayness of any construction whose oracle access is of the form $(\mathsf {G}^\mathbf {g}, \mathsf {S}^\mathbf {s}, \mathsf {E}^\mathbf {e}, \mathsf {D}^\mathbf {d})$. We will then give the general attack against all constructions in Sect. 5.

2 Preliminaries

If $\mathcal {D} $ is a distribution, we use $\mathrm {x} \xleftarrow {\$}\mathcal {D}$ to indicate $\mathrm {x}$ is sampled according to $\mathcal {D}$ and we use $\mathrm {x}' \in \mathcal {D}$ to indicate $\mathrm {x}' \in \mathsf {support}(\mathcal {D})$. If $ \mathsf {R}(\mathrm {x}_1, \dots , \mathrm {x}_n )$ is a randomized algorithm, then $\mathsf {R}(\mathrm {a}_1, \dots , \mathrm {a}_n)$ denotes the random variable $\mathsf {R}(\mathrm {a}_1, \dots , \mathrm {a}_n; \mathrm {r})$, where $\mathrm {r}\xleftarrow {\$}\{0,1\}^*$.

If f is a function and $\mathsf {Dom}$ is a set, then $f(\mathsf {Dom}) {\mathop {=}\limits ^{\vartriangle }}\{f(x) \mid x \in \mathsf {Dom}\}$.

We start with the definition of a family of trapdoor permutations. Each function $\mathsf {E}(\mathrm {IK}, \cdot )$ in the family acts as a permutation over a domain $\mathsf {Dom}_{\mathrm {IK}} \subseteq \{0,1\}^w$ (for some fixed polynomial w specified by the permutation family), where the domain $\mathsf {Dom}_{\mathrm {IK}}$ may possibly depend on $\mathrm {IK}$. Moreover, this induced permutation can be inverted using any matching trapdoor key for $\mathrm {IK}$. Finally, there is a sampling algorithm $\mathsf {S}$, where $\mathsf {S}(\mathrm {IK})$ allows one to sample from $\mathsf {Dom}_{\mathrm {IK}}$.

Definition 1

(Trapdoor Permutations). Let $w = w(\mathrm {\kappa })$ be an arbitrary polynomial. A family of trapdoor permutations $\mathsf {TDP} $ consists of four PPT algorithms $\mathsf {G}$, $\mathsf {S}$, $\mathsf {E}$ and $\mathsf {D}$ defined as follows.

$\mathsf {G}(1^\mathrm {\kappa })$: The key generation algorithm $\mathsf {G}$ takes as input a security parameter $1^\mathrm {\kappa }$ and outputs a pair $(\mathrm {IK}, \mathrm {TK})$ of index/trapdoor keys.
$\mathsf {S}(\mathrm {IK}; \mathrm {R})$: The sampling algorithm $\mathsf {S}$ takes as input an index key $\mathrm {IK}$ and randomness $\mathrm {R}\in \{0,1\}^\mathrm {\kappa }$ and outputs an element $\mathrm {X}\in \{0,1\}^w$. We use $\mathsf {Dom}_{\mathrm {IK}}$ to denote the set of values $\mathrm {X}$ which are outputted by $\mathsf {S}(\mathrm {IK}; \cdot )$.
$\mathsf {E}(\mathrm {IK}, \mathrm {X})$: The evaluation algorithm $\mathsf {E}$ takes as input an index key $\mathrm {IK}$ and an element $\mathrm {X}\in \{0,1\}^w$ and outputs $\mathrm {Y}\in \{0,1\}^w \cup \{ \bot \}$.
$\mathsf {D}(\mathrm {TK}, \mathrm {Y})$: The inversion algorithm $\mathsf {D}$ takes as input a trapdoor key $\mathrm {TK}$, and an element $\mathrm {Y}\in \{0,1\}^w$ and outputs $\mathrm {X}\in \{0,1\}^w \cup \{ \bot \}$.

We will now define the notion of correctness, as well as two one-wayness notions. As terminology, we say that an index key $\mathrm {IK}$ is valid if $(\mathrm {IK}, *) = \mathsf {G}(1^\mathrm {\kappa }; \mathrm {R})$ for some randomness $\mathrm {R}$.

Correctness. For any valid index key $\mathrm {IK}$, the function $\mathsf {E}(\mathrm {IK}, \cdot )$ induces a permutation over $\mathsf {Dom}_{\mathrm {IK}}$. Moreover, for any security parameter $\mathrm {\kappa }$ we have $ \Pr [\mathsf {D}(\mathrm {TK}, \mathsf {E}(\mathrm {IK}, \mathrm {X})) = \mathrm {X}] = 1$, where $(\mathrm {IK}, \mathrm {TK}) \xleftarrow {\$}\mathsf {G}(1^\mathrm {\kappa }) $, $\mathrm {R}\xleftarrow {\$}\{0,1\}^\mathrm {\kappa }$ and $\mathrm {X}:= \mathsf {S}(\mathrm {IK}; \mathrm {R})$.
Standard one-wayness. For any PPT adversary we have $\mathcal {A}$ $\Pr [\mathcal {A}(\mathrm {IK}, \mathrm {Y}) = \mathsf {D}(\mathrm {TK}, \mathrm {Y})] = {\text {negl}}(\mathrm {\kappa })$, where $(\mathrm {IK}, \mathrm {TK}) \xleftarrow {\$}\mathsf {G}(1^\mathrm {\kappa })$, $\mathrm {R}\xleftarrow {\$}\{0,1\}^\mathrm {\kappa }$ and $\mathrm {Y}:= \mathsf {S}(\mathrm {IK}; \mathrm {R})$.
Enhanced one-wayness. For any PPT adversary $\mathcal {A}$.
$$\begin{aligned} \Pr [\mathcal {A}(\mathrm {IK}, \mathrm {Y}, \mathrm {R}) = \mathsf {D}(\mathrm {TK}, \mathrm {Y})] = {\text {negl}}(\mathrm {\kappa }), \end{aligned}$$
where $(\mathrm {IK}, \mathrm {TK}) \xleftarrow {\$}\mathsf {G}(1^\mathrm {\kappa })$, $\mathrm {R}\xleftarrow {\$}\{0,1\}^\mathrm {\kappa }$, $\mathrm {Y}:= \mathsf {S}(\mathrm {IK}; \mathrm {R})$. Note that $\mathrm {Y}$ can be computed from $\mathrm {IK}$ and $\mathrm {R}$, but we include it separately just for notational convenience.

We now define the notion of fully-blackbox constructions, tailored to our setting. See [RTV04, BBF13] for more general notions.

Definition 2

(Fully blackbox constructions). A fully-blackbox (shortly, a blackbox) construction of an enhanced TDP from a standard TDP consists of a PPT oracle-aided construction $(\mathsf {G}, \mathsf {S}, \mathsf {E}, \mathsf {D})$ and a PPT oracle-aided reduction algorithm $\mathsf {Red}$ satisfying the following. For any correct TDP oracle $\mathbf {O} = (\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d})$ (where correctness is defined in Definition 1) we have

1.
Correctness: $(\mathsf {G}^\mathbf {O}, \mathsf {S}^\mathbf {O}, \mathsf {E}^\mathbf {O}, \mathsf {D}^\mathbf {O})$ is a correct TDP;
2.
Security: for any adversary $\mathcal {A}$ breaking the enhanced one-wayness of the oracle-aided scheme $(\mathsf {G}^\mathbf {O}, \mathsf {S}^\mathbf {O}, \mathsf {E}^\mathbf {O}, \mathsf {D}^\mathbf {O})$, the oracle algorithm $\mathsf {Red}^{\mathbf {O}, \mathcal {A}}$ breaks the standard one-wayness of $\mathbf {O}$.

3 Main Theorem and Proofs Roadmap

In this section we describe our main theorem and the roadmap of the proofs.

As common in impossibility results, we prove our main theorem by showing the existence of an oracle relative to which the base primitive exists (namely, standard TDPs), but not the target primitive (namely, enhanced TDPs). Technically, our separation model is closest to that of [HR04], which only results in fully-blackbox separations, as opposed to the more general relativizing separations, considered in most previous work, e.g., [IR89, Sim98, GKM+00].

Theorem 1

(Impossibility of Enhanced TDPs from Standard TDPs). There exists oracles $(\mathbf {O}, \mathbf {u}, \mathbf {v})$, where $\mathbf {O}:= (\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d})$, such that both the following conditions hold.

1.
$\mathbf {O}$ is a standard TDP against every polynomial-query adversary $\mathcal {A}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}$: That is, the probability that $\mathcal {A}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}(\mathrm {ik}, \mathrm {y}) = \mathrm {x}$ is at most negligible, where $(\mathrm {ik}, \mathrm {tk}) \xleftarrow {\$}\mathbf {g}(1^\mathrm {\kappa }) $, $\mathrm {x}\xleftarrow {\$}\mathbf {s}(\mathrm {ik})$ and $\mathrm {y}:= \mathbf {e}(\mathrm {ik}, \mathrm {x})$.
2.
The enhanced one-wayness of any construction $(\mathsf {G}^\mathbf {O}, \mathsf {S}^\mathbf {O}, \mathsf {E}^\mathbf {O}, \mathsf {D}^\mathbf {O})$ can be broken by a poly-query adversary $\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}$. That is, the probability that $\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}(\mathrm {IK},\mathrm {R}, \mathrm {Y}) = \mathsf {D}^{\mathbf {O}}(\mathrm {TK}, \mathrm {Y})$ is non-negligible, where $(\mathrm {IK}, \mathrm {TK}) \xleftarrow {\$}\mathsf {G}^\mathbf {O}(1^\mathrm {\kappa }) $, $\mathrm {R}\xleftarrow {\$}\{0,1\}^*$ and $\mathrm {Y}:= \mathsf {S}^\mathbf {O}(\mathrm {IK}; \mathrm {R})$.

As a result, there exists no fully-blackbox construction of enhanced TDPs from standard TDPs.

Roadmap: Proof of Theorem 1. The “as a result” part follows immediately from Parts 1 and 2 of the theorem, and thus we focus on proving these two parts. (For completeness, we show how to derive the “as a result” part below.) As common in impossibility results, we show the existence of the oracles $(\mathbf {O}, \mathbf {u}, \mathbf {v})$, required by Theorem 1, by first describing a distribution of oracles, and then proving results for oracles randomly chosen from this distribution. We will first start by describing a distribution $\varPsi $ of oracles $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v})$. A randomly chosen $\mathbf {O}= (\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d})$ from this distribution will allow one to implement an ideal version of a TDP, which not only satisfies standard one-wayness, but also enhanced-one-wayness. We then introduce two weakening oracles $\mathbf {u}$ and $\mathbf {v}$, so that the oracle $\mathbf {O}$ still provides standard one-wayness in the presence of $\mathbf {u}$ and $\mathbf {v}$, but the enhanced one-wayness of any TDP construction instantiated with $\mathbf {O}$ can be broken by making a polynomial number of queries to $(\mathbf {O}, \mathbf {u}, \mathbf {v})$.

In the following definition, whenever we say a function $f :\mathsf {Dom} \rightarrow \mathsf {Ran}$ with property P (e.g., injectivity) is a randomly chosen function we mean f is chosen uniformly at random from the space of all functions from $\mathsf {Dom}$ to $\mathsf {Ran}$ having property P.

Definition 3

We define an oracle distribution $\varPsi $ that produces an ensemble of oracles $(\mathbf {O}_\mathrm {\kappa }, \mathbf {u}_\mathrm {\kappa }, \mathbf {v}_\mathrm {\kappa })_{\mathrm {\kappa }}$. For all $\mathrm {\kappa }$ and all $\mathrm {ik}\in \{0,1\}^\mathrm {\kappa }$, choose a set $\mathsf {D_{\mathrm {ik}}} $ uniformly at random under the conditions that $\mathsf {D_{\mathrm {ik}}} \subseteq \{0,1\}^{5 \mathrm {\kappa }}$ and that $|\mathsf {D_{\mathrm {ik}}}| = 2^\mathrm {\kappa }$.

$\mathbf {g}_\mathrm {\kappa }:\{0,1\}^{\mathrm {\kappa }} \rightarrow \{0,1\}^{\mathrm {\kappa }}$ is a random injective function, mapping a trapdoor key to an index key.
$\mathbf {s}_\mathrm {\kappa }:\{0,1\}^{\mathrm {\kappa }} \times \{0,1\}^\mathrm {\kappa }\rightarrow \{0,1\}^{5\mathrm {\kappa }}$ is a random function, where for all $\mathrm {ik}\in \{0,1\}^\mathrm {\kappa }$: $\mathbf {s}_\mathrm {\kappa }(\mathrm {ik}, \cdot )$ is 1-1 and for all $\mathrm {r}\in \{0,1\}^\mathrm {\kappa }$: $\mathbf {s}_\mathrm {\kappa }(\mathrm {ik},r) \in \mathsf {D_{\mathrm {ik}}}$.
$\mathbf {e}_\mathrm {\kappa }:\{0,1\}^{\mathrm {\kappa }} \times \{0,1\}^{5\mathrm {\kappa }} \rightarrow \{0,1\}^{5\mathrm {\kappa }} \cup \{\bot \}$ is a random function, satisfying the following two conditions: for all $\mathrm {ik}\in \{0,1\}^{\mathrm {\kappa }}$: $\mathbf {e}_\mathrm {\kappa }(\mathrm {ik}, \mathsf {D_{\mathrm {ik}}}) = \mathsf {D_{\mathrm {ik}}}$ and for all $\mathrm {x}\notin \mathsf {D_{\mathrm {ik}}}$: $\mathbf {e}_\mathrm {\kappa }(\mathrm {ik}, \mathrm {x}) = \bot $.
$\mathbf {d}_\mathrm {\kappa }:\{0,1\}^{\mathrm {\kappa }} \times \{0,1\}^{5\mathrm {\kappa }} \rightarrow \{0,1\}^{5\mathrm {\kappa }} \cup \{\bot \}$ is a function, where $\mathbf {d}_\mathrm {\kappa }(\mathrm {tk}, \mathrm {y})$ is defined as follows. Letting $\mathrm {ik}:= \mathbf {g}_\mathrm {\kappa }(\mathrm {tk})$, if $\mathrm {y}\in \mathsf {D_{\mathrm {ik}}}$, then letting $\mathrm {x}$ be the unique string satisfying $\mathbf {e}_\mathrm {\kappa }(\mathrm {ik}, \mathrm {x}) = \mathrm {y}$, set $\mathbf {d}_\mathrm {\kappa }(\mathrm {tk}, \mathrm {y}) := \mathrm {x}$. Otherwise (i.e., if $\mathrm {y}\notin \mathsf {D_{\mathrm {ik}}}$), set $\mathbf {d}_\mathrm {\kappa }(\mathrm {tk}, \mathrm {y}) := \bot $.
$\mathbf {u}_\mathrm {\kappa }:\{0,1\}^{\mathrm {\kappa }} \times \{0,1\}^{\mathrm {\kappa }} \rightarrow \{0,1\}^\mathrm {\kappa }$ is defined as follows. For $\mathrm {ik}\in \{0,1\}^{\mathrm {\kappa }}$ and $\mathrm {r}\in \{0,1\}^\mathrm {\kappa }$, letting $\mathrm {y}:= \mathbf {s}_\mathrm {\kappa }(\mathrm {ik},\mathrm {r})$ and $\mathrm {r}_0$ be such that $\mathrm {y}= \mathbf {e}_\mathrm {\kappa }(\mathrm {ik}, \mathbf {s}_\mathrm {\kappa }(\mathrm {ik},\mathrm {r}_0))$, set $\mathbf {u}_\mathrm {\kappa }(\mathrm {ik}, \mathrm {r}) := \mathrm {r}_0$.
$\mathbf {v}_\mathrm {\kappa }:\{0,1\}^\mathrm {\kappa }\times \{0,1\}^{5\mathrm {\kappa }} \rightarrow \{\bot , \top \}$ is defined as follows: $\mathbf {v}_\mathrm {\kappa }(\mathrm {ik}, \mathrm {x})$ checks whether the given input $\mathrm {x}$ is in $\mathsf {D_{\mathrm {ik}}}$ or not: set $\mathbf {v}_\mathrm {\kappa }(\mathrm {ik}, \mathrm {x}) := \top $ if $\mathrm {x}\in \mathsf {D_{\mathrm {ik}}}$, and $\mathbf {v}_\mathrm {\kappa }(\mathrm {ik}, \mathrm {x}) := \bot $, otherwise.

Redundancy of the Oracle $\mathbf {v}_{\mathrm {\kappa }}$. Note that the oracle $\mathbf {v}_\mathrm {\kappa }$ can be simulated by $\mathbf {e}_\mathrm {\kappa }$. We only include this oracle as it will simplicity notation.

Convention and Notation. We will often drop the security parameter $\mathrm {\kappa }$ as a sub-index to the oracles whenever the underlying security parameter is clear from the context. For an oracle algorithm $A^{\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}}$ we use notation such as $(\mathrm {qu} \xrightarrow [\mathbf {g}]{} \mathrm {an})$ to indicate that $\mathcal {A}$ queries $\mathbf {g}$ on $\mathrm {qu}$ and receives $\mathrm {an}$ as the answer. We also use $(\mathrm {qu} \xrightarrow [\mathbf {g}]{} \; ?)$ to indicate that the query $\mathrm {qu}$ is asked.

We will now give a simple-information theoretic lemma showing that a randomly chosen TDP $\mathbf {O}$ is standard one-way even in the presence of the oracle $\mathbf {u}$. The proof of the following theorem is based on simple information theoretic arguments and so is omitted.

Lemma 1

($\mathbf {O}$ is one-way relative to $(\mathbf {O}, \mathbf {u}, \mathbf {v})$). For any polynomial query adversary $\mathcal {A}$ we have

$$\begin{aligned} \Pr [\mathcal {A}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}(\mathrm {ik},\mathrm {y}) = \mathrm {x}\,\,{ and\,\, } \mathbf {e}(\mathrm {ik},\mathrm {x}) = \mathrm {y}] \le \textstyle {\frac{1}{2^{\mathrm {\kappa }/3}}}, \end{aligned}$$

where $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v}) \leftarrow \varPsi $, $\mathbf {O}:= (\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d})$, $\mathrm {tk}\xleftarrow {\$}\{0,1\}^\mathrm {\kappa }$ and $\mathrm {ik}= \mathbf {g}(\mathrm {tk})$. This bound holds so long as $\mathcal {A}$ is poly-query bounded (and unbounded otherwise).

The following lemma shows how to break the enhanced one-wayness of any candidate construction.

Lemma 2

(Breaking enhanced one-wayness of any construction). Let $( \mathsf {G}, \mathsf {S}, \mathsf {E}, \mathsf {D})$ be a candidate blackbox construction of a TDP. There exists a polynomial query adversary $\mathsf {Break}$ such that

$$\begin{aligned} \Pr [\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}(1^\mathrm {\kappa }, \mathrm {IK}, \mathrm {R}, \mathrm {Y}) = \mathrm {X}] \ge 1 -\frac{1}{\mathrm {\kappa }^2}, \end{aligned}$$

where $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v}) \xleftarrow {\$}\varPsi $, $\mathbf {O}:= (\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d})$, $(\mathrm {IK}, \mathrm {TK}) \xleftarrow {\$}\mathsf {G}^{\mathbf {O}}(1^\mathrm {\kappa })$, $\mathrm {R}\xleftarrow {\$}\{0,1\}^*$, $\mathrm {Y}:= \mathsf {S}^{\mathbf {O}}(\mathrm {IK}; \mathrm {R})$ and $\mathrm {X}:= \mathsf {D}^{\mathbf {O}}(\mathrm {TK}, \mathrm {Y})$.

Completing the Proof of Theorem 1. The proof of Theorem 1 follows easily by combining Lemmas 1 and 2, as given below.

Proof (of Theorem 1)

We will first prove the “as a result” part of the theorem. Suppose to the contrary that there exists an enhanced TDP construction $(\mathsf {G}, \mathsf {S}, \mathsf {E}, \mathsf {D})$, and let $\mathsf {Red}$ be the PPT security reduction algorithm guaranteed to exist by Definition 2. Let $(\mathbf {O}, \mathbf {u}, \mathbf {v})$ be the oracle shown to exist by Parts 1 and 2 of the theorem. By Part 2 of the theorem we know that there exists a polynomial query adversary $\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}$ which breaks the enhanced one-wayness of $(\mathsf {G}^\mathbf {O}, \mathsf {S}^\mathbf {O}, \mathsf {E}^\mathbf {O}, \mathsf {D}^\mathbf {O})$. Thus, by definition of blackbox constructions, $\mathsf {Red}^{\mathsf {Break}, \mathbf {O}}$ should break the standard one-wayness of $\mathbf {O}$. This however is a contradiction to Part 1, because $\mathsf {Red}^{\mathsf {Break}, \mathbf {O}}$ can be simulated by a polynomial query adversary $\mathcal {A}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}$.

We now prove Parts 1 and 2. To show the existence of the oracles $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v})$ required by the theorem, we show

1.
For a measure-one of oracles $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v})$, the oracle $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d})$ is standard oneway against all polynomial-query adversaries with oracle access to $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v})$.
2.
For a measure-one of oracles $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v})$, the adversary $\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}$ breaks the enhanced one-wayness of $( \mathsf {G}^\mathbf {O}, \mathsf {S}^\mathbf {O}, \mathsf {E}^\mathbf {O}, \mathsf {D}^\mathbf {O})$.

The above two statements implies the existence of a specific oracle $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v})$, meeting the requirement of the theorem.

We show how to derive Condition 2 from Lemma 2. The proof of Condition 1 follows similarly from Lemma 1.

By Lemma 2 we have

(1)

Using a simple averaging argument we may obtain

(2)

Thus, for at most a $\textstyle {\frac{1}{\mathrm {\kappa }^{1.5}}}$ fraction of all oracles $(\mathbf {O}, \mathbf {u}, \mathbf {v})$, the adversary $\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}$, on security parameter $1^\mathrm {\kappa }$, recovers the pre-image correctly with probability less than $\textstyle {\frac{1}{\mathrm {\kappa }^3}}$. Since $\textstyle {\sum \frac{1}{\mathrm {\kappa }^{1.5}}}$ converges, by the Borel-Cantelli Lemma we have that for a measure-one of oracles $ (\mathbf {O}, \mathbf {u}, \mathbf {v}) $, the adversary $\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}$ breaks the enhanced-onewayness of $( \mathsf {G}^\mathbf {O}, \mathsf {S}^\mathbf {O}, \mathsf {E}^\mathbf {O}, \mathsf {D}^\mathbf {O})$: for all sufficiently large $\mathrm {\kappa }$, the adversary recovers $\mathrm {X}$ from $\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}(1^\mathrm {\kappa }, \mathrm {IK}, \mathrm {R}, \mathrm {Y})$ with probability at least $\textstyle {\frac{1}{\mathrm {\kappa }^3}}$. $\square $

Roadmap for the Proof of Lemma 2. We are left with proving Lemma 2, which constitutes the main technical bulk of our work. As a warp up, first in Sect. 4 we will prove and give an overview of our techniques for a special case of Lemma 2: that in which the oracle access of the construction is of the form $( \mathsf {G}^\mathbf {g}, \mathsf {S}^\mathbf {s}, \mathsf {E}^\mathbf {e}, \mathsf {D}^\mathbf {d})$. Then, we will give the proof for the general case in Sect. 5.

4 Proof of Lemma 2: Special Case $(\mathsf {G}^\mathbf {g}, \mathsf {S}^\mathbf {s}, \mathsf {E}^\mathbf {e}, \mathsf {D}^\mathbf {d})$

In this section we show how to break the enhanced one-wayness of a simple class of TDP constructions, those in which the oracle access is of the form $(\mathsf {G}^{\mathbf {g}}, \mathsf {S}^{\mathbf {s}}, \mathsf {E}^{\mathbf {e}}, \mathsf {D}^{\mathbf {d}})$. We call such constructions type-1. We first start with a general overview.

Setup. The input to the adversary $\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}$ is $(\mathrm {IK}, \mathrm {R}, \mathrm {Y})$, where $(\mathrm {IK}, \mathrm {TK}) \xleftarrow {\$}\mathsf {G}^\mathbf {g}(1^\mathrm {\kappa })$, $\mathrm {R}\xleftarrow {\$}\{0,1\}^*$ and $\mathrm {Y}:= \mathsf {S}^\mathbf {s}(\mathrm {IK}; \mathrm {R})$. The goal of $\mathsf {Break}$ is to find $\mathrm {X}$ such that $\mathrm {X}:= \mathsf {D}^\mathbf {d}(\mathrm {TK}, \mathrm {Y})$.

High-Level Idea of $\mathsf {Break}$’s Strategy. Consider a partial fake oracle $\mathbf {g}'$ and randomness $\mathrm {R}'$ under which we have $\mathsf {G}^{\mathbf {g}'}(\mathrm {R}') = (\mathrm {IK}, \widetilde{\mathrm {TK}})$ for some $\widetilde{\mathrm {TK}}$. By a partial oracle we mean an oracle that is defined only on a small set of all queries, those that occur exactly during the execution of $\mathsf {G}^{\mathbf {g}'}(\mathrm {R}')$. Such a fake oracle $\mathbf {g}'$ and corresponding matching randomness $\mathrm {R}'$ can be found by doing expensive offline computation and without interacting at all with the real oracles $(\mathbf {O}, \mathbf {u}, \mathbf {v})$.

Now consider the effect of super-imposing $\mathbf {g}'$ on the real oracle $\mathbf {g}$ to get an oracle $\widetilde{\mathbf {g}}$. This oracle $\widetilde{\mathbf {g}}$ is defined according to $\mathbf {g}'$ on all queries defined in $\mathbf {g}'$, and otherwise is defined as in $\mathbf {g}$.

For this perturbed oracle $\widetilde{\mathbf {g}}$, we will define a correspondingly perturbed oracle $\widetilde{\mathbf {d}}$ so that $(\widetilde{\mathbf {g}}, \mathbf {s}, \mathbf {e}, \widetilde{\mathbf {d}})$ is a valid TDP. Now since we know $\mathsf {G}^{\widetilde{\mathbf {g}}}(\mathrm {R}') = (\mathrm {IK}, \widetilde{\mathrm {TK}})$, we must have $\mathrm {X}= \mathsf {D}^{\widetilde{\mathbf {d}}}(\widetilde{\mathrm {TK}}, \mathrm {Y})$, and thus recovering the challenge pre-image $\mathrm {X}$ amounts to one’s ability to perform the execution of $\mathsf {D}^{\widetilde{\mathbf {d}}}(\widetilde{\mathrm {TK}}, \mathrm {Y})$ by only making a polynomial number queries to $(\mathbf {O}, \mathbf {u}, \mathbf {v})$. As we will see, the naive way of performing this execution will result in an exponential number of queries to $(\mathbf {O}, \mathbf {u}, \mathbf {v})$. Our main technique will allow us to get around this problem by making use of the oracle $\mathbf {u}$ and knowledge of $\mathrm {R}$ (which is the randomness underlying the image point $\mathrm {Y}$).

Organization of Section 4. In Sect. 4.1 we will give a more detailed (but still informal) overview of the above approach for the case in which each of the algorithms $(\mathsf {G}, \mathsf {S}, \mathsf {E}, \mathsf {D})$ makes only one query. We will then formally describe an attack against any candidate many-query construction $(\mathsf {G}^\mathbf {g}, \mathsf {S}^\mathbf {s}, \mathsf {E}^\mathbf {e}, \mathsf {D}^\mathbf {d})$ in the next two subsections.

4.1 General Overview: One Query Case

We will now give a concrete overview of the above abstract approach for the following type of construction: We assume each of the algorithms $(\mathsf {G}^\mathbf {g}, \mathsf {S}^\mathbf {s}, \mathsf {E}^\mathbf {e}, \mathsf {D}^\mathbf {d})$ makes only one query. The input to the adversary $\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}$ is $(\mathrm {IK}, \mathrm {R}, \mathrm {Y})$, where $(\mathrm {IK}, \mathrm {TK}) \xleftarrow {\$}\mathsf {G}^\mathbf {g}(1^\mathrm {\kappa })$, $\mathrm {R}\xleftarrow {\$}\{0,1\}^*$ and $\mathrm {Y}:= \mathsf {S}^\mathbf {s}(\mathrm {IK}; \mathrm {R})$. Let $\mathrm {X}$ denote $\mathsf {Break}$’s challenge image point; namely, we have $\mathsf {E}^{\mathbf {e}}(\mathrm {IK}, \mathrm {X}) = \mathrm {Y}$.

We sketch the main steps taken by $\mathsf {Break}$, and will explain about each of them.

Sampling a Fake Oracle and a Trapdoor Key. Sample an oracle $\mathbf {g}'$ and a randomness value $\mathrm {R}'$ uniformly at random in such a way that

$$\begin{aligned} \mathsf {G}^{\mathbf {g}'}(1^\mathrm {\kappa }; \mathrm {R}') = (\mathrm {IK}, \widetilde{\mathrm {TK}}), \end{aligned}$$

(3)

for some $\widetilde{\mathrm {TK}}$. Since $\mathsf {G}$ makes only one query, we may think of $\mathbf {g}'$ as only one query/response pair $\mathsf {qa} := (\mathrm {tk} \xrightarrow [\mathbf {g}]{} \mathrm {ik})$. Thus, we may write Eq. 3 as $\mathsf {G}^{\mathsf {qa}}(1^\mathrm {\kappa }; \mathrm {R}') = (\mathrm {IK}, \widetilde{\mathrm {TK}})$.

Defining the Oracle $\widetilde{\mathbf {g}}$. Consider an oracle $\widetilde{\mathbf {g}} := \mathsf {qa} \Diamond ^* \mathbf {g}$, where the composed oracle $\mathsf {qa} \Diamond ^* \mathbf {g}$ is defined as follows: $(\mathsf {qa} \Diamond ^* \mathbf {g})(\mathrm {tk}') = \mathrm {ik}$ if $\mathrm {tk}' = \mathrm {tk}$; otherwise, $(\mathsf {qa} \Diamond ^* \mathbf {g})(\mathrm {tk}') = \mathbf {g}(\mathrm {tk}')$. Briefly, the oracle $\mathsf {qa} \Diamond ^* \mathbf {g}$ first forwards a given query to $\mathsf {qa}$, and if the query is not defined there, the query will be forwarded to $\mathbf {g}$.

Defining the Oracle $\widetilde{\mathbf {d}}$. We now define $\widetilde{\mathbf {d}}$ in such a way that $(\widetilde{\mathbf {g}} , \mathbf {s}, \mathbf {e}, \widetilde{\mathbf {d}})$ forms a valid TDP oracle. For any $\mathrm {tk}'$ and $\mathrm {y}'$, the value of $\widetilde{\mathbf {d}}(\mathrm {tk}' , \mathrm {y}') $ is formed as follows. Letting $\mathrm {ik}' = \widetilde{\mathbf {g}}(\mathrm {tk}')$:

If $\mathbf {v}(\mathrm {ik}', \mathrm {y}') = \bot $, then set $\widetilde{\mathbf {d}}(\mathrm {tk}' , \mathrm {y}') = \bot $;
Otherwise, letting $\mathrm {x}'$ be the unique string for which we have $\mathbf {e}(\mathrm {ik}' , \mathrm {x}') = \mathrm {y}'$, set $\widetilde{\mathbf {d}}(\mathrm {tk}' , \mathrm {y}') = \mathrm {x}'$. Note that since we know $\mathbf {v}(\mathrm {ik}', \mathrm {y}') = \top $ (because otherwise the previous check would hold), by definition of $\mathbf {e}$ (Definition 3) such $\mathrm {x}'$ does exist and it is unique.

Performing the Execution $\mathsf {D}^{\widetilde{\mathbf {d}}}(\widetilde{\mathrm {TK}} , \mathrm {Y}) $ is Enough. It is straightforward to verify that $(\widetilde{\mathbf {g}} , \mathbf {s}, \mathbf {e}, \widetilde{\mathbf {d}})$ forms a valid TDP oracle. Moreover, by definition of $\widetilde{\mathbf {g}}$ and $\mathrm {R}'$, we have $\mathsf {G}^{\widetilde{\mathbf {g}}}(\mathrm {R}') = (\mathrm {IK}, \widetilde{\mathrm {TK}})$. Now since $\mathsf {E}^{\mathbf {e}}(\mathrm {IK}, \mathrm {X}) = \mathrm {Y}$, by completeness of the construction, we will have $\mathsf {D}^{\widetilde{\mathbf {d}}}(\widetilde{\mathrm {TK}} , \mathrm {Y}) = \mathrm {X}$, where $\mathrm {X}$ is $\mathsf {Break}$’s challenge image point.

Executing $\mathsf {D}^{\widetilde{\mathbf {d}}}(\widetilde{\mathrm {TK}} , \mathrm {Y}) $ efficiently? Can we execute $\mathsf {D}^{\widetilde{\mathbf {d}}}(\widetilde{\mathrm {TK}} , \mathrm {Y}) $ by making only a polynomial number of queries to $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u})$? Let us look at all the possibilities for a possible encountered query $ ((\mathrm {tk}' , \mathrm {y}') \xrightarrow [\widetilde{\mathbf {d}}]{} \; ?)$ below. Let $\mathrm {ik}' := \widetilde{\mathbf {g}}(\mathrm {tk}')$, which can be computed by making at most one query to $\mathbf {g}$.

1.
Simple case: $\mathrm {ik}' \ne \mathrm {ik}$ (recall that $\mathrm {ik}$ is defined in the query/response set $\mathsf {qa}$, which in turn forms $\widetilde{\mathbf {g}}$): in this case by inspection we can see that we indeed have $\mathbf {d}(\mathrm {tk}' , \mathrm {y}') = \widetilde{\mathbf {d}}(\mathrm {tk}' , \mathrm {y}')$, and so the answer can be determined by calling $\mathbf {d}$ directly.
2.
Simple case: $\mathrm {ik}' = \mathrm {ik}$ and $\mathbf {v}(\mathrm {ik}, \mathrm {y}') = \bot $: in this case we can again easily see that $\mathbf {d}(\mathrm {tk}' , \mathrm {y}') = \bot $.
3.
Problematic case: $\mathrm {ik}' = \mathrm {ik}$ and $\mathbf {v}(\mathrm {ik}, \mathrm {y}') \ne \bot $: in this case $\mathsf {Break}$ cannot right away compute the value of $\widetilde{\mathbf {d}}(\mathrm {tk}', \mathrm {y}')$ because in order to do so, $\mathsf {Break}$ must find an $\mathrm {x}'$ such that $\mathbf {e}(\mathrm {ik}, \mathrm {x}') = \mathrm {y}'$.

The Oracle $\mathbf {u}$ and Randomness $\mathrm {R}$ to the Rescue. From the above discussion, the attacker $\mathsf {Break}$ only needs to handle Case 3. That is, from the pair $(\mathrm {ik}, \mathrm {y}')$, upon which Line 3 is hit, and without knowledge of $\mathrm {ik}$’s trapdoor key $\mathbf {g}^{-1}(\mathrm {ik})$, the attacker $\mathsf {Break}$ should find an $\mathrm {x}'$ such that $\mathbf {e}(\mathrm {ik}, \mathrm {x}') = \mathrm {y}'$. Recall that $\mathsf {D}$ makes only one query, and so if $\mathsf {Break}$ gets past this “one-time” problematic case, it will be done.

Recall that the input to $\mathsf {Break}$ is $(\mathrm {IK}, \mathrm {R}, \mathrm {Y})$, where $\mathrm {R}$ is the randomness underlying the image point $\mathrm {Y}$. We claim that with all but negligible probability the following must hold: letting $(\mathrm {ik}, \mathrm {y}')$ be the pair upon which Line 3 was hit, during the execution of $\mathsf {S}^{\mathbf {s}}(\mathrm {IK}; \mathrm {R})$ we must have a query/response pair $(\mathrm {(\mathrm {ik},\mathrm {r})} \xrightarrow [\mathbf {s}]{} \mathrm {y}')$ for some $\mathrm {r}$. Assuming that this claim holds, $\mathsf {Break}$ may then simply call $\textstyle {((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {u}]{} \; ?)}$ to get $\mathrm {r}'$, and then call $\textstyle {((\mathrm {ik}, \mathrm {r}') \xrightarrow [\mathbf {s}]{} \; ?)}$ to get $\mathrm {x}'$, completing its attack.

It remains to prove the above claim. We show that if the claim does not hold, then one may efficiently produce a pair $(\mathrm {ik}' , \mathrm {y}')$, where $\mathrm {y}'$ is a valid image of $ \mathbf {s}(\mathrm {ik}', *)$, without ever calling $\mathbf {s}(\mathrm {ik}', \cdot )$ on the corresponding pre-image of $\mathrm {y}'$, and without ever calling $\mathbf {e}$ and $\mathbf {d}$ at all. Due to the sparse and random nature of the oracle $\mathbf {s}$, the probability of this event is at most negligible. To produce $(\mathrm {ik}', \mathrm {y}')$, do the following.

Sample $(\mathrm {IK}, \mathrm {TK}) \xleftarrow {\$}\mathsf {G}^\mathbf {g}(1^\mathrm {\kappa })$, $\mathrm {R}\xleftarrow {\$}\{0,1\}^*$ and set $\mathrm {Y}:= \mathsf {S}^{\mathbf {s}}(\mathrm {IK}; \mathrm {R})$.
Form $\widetilde{\mathrm {TK}}$ and $\widetilde{\mathbf {d}}$ as above. (This step is done offline, without interacting with the real oracles).
Run $\mathsf {D}^{\widetilde{\mathbf {d}}}(\widetilde{\mathrm {TK}} , \mathrm {Y})$ and as soon as as query $((\mathrm {tk}', \mathrm {y}') \xrightarrow [\widetilde{\mathbf {d}}]{} \; ?)$ is made, return $(\mathrm {ik}' , \mathrm {y}')$, where $\mathrm {ik}' := \mathbf {g}(\mathrm {tk}')$.

Our claim about the pair $(\mathrm {ik}', \mathrm {y})$ now follows.

4.2 Definitions and Simple Lemmas

In this section we will give some definitions and simple lemmas, which will then be used in Sect. 4.3. Some of these were informally reviewed in Sect. 4.1.

TDP-Valid and $\varPsi $-Valid Oracles. Recall the distribution $\varPsi $ on oracles $(\mathbf {O}, \mathbf {u}, \mathbf {v})$ given in Definition 3. We say that an oracle $\mathbf {O}_1 := (\mathbf {g}_1, \mathbf {s}_1, \mathbf {e}_1, \mathbf {d}_1)$ is $\varPsi $-valid if $\mathbf {O}_1$ is a possible output of $\varPsi $. This means in particular that the input and output sizes of the sub-routines of $\mathbf {O}_1$ match those specified in Definition 3. We say that an oracle $\mathbf {O}_2 := (\mathbf {g}_2, \mathbf {s}_2, \mathbf {e}_2, \mathbf {d}_2)$ is TDP valid if $\mathbf {O}_2$ satisfies the completeness condition of Definition 1. Note that if an oracle is $\varPsi $-valid then it is also TDP-valid, but the converse is not true.

Similarly, we say that a partial oracle $\mathbf {O}'$ (which is not defined on all points) is $\varPsi $-valid (resp., TDP-valid) if there exists a full $\varPsi $-valid (resp., a full TDP-valid) oracle $\mathbf {O}$ such that $\mathbf {O}' \subseteq \mathbf {O}$. Here, $\mathbf {O}' \subseteq \mathbf {O}$ means that $\mathbf {O}$ agree with $\mathbf {O}'$.

Definition 4

(Composed Oracles $\Diamond ^*$). Let $\mathbf {O}:= (\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d})$ be a $\varPsi $-valid oracle and let

$$\begin{aligned} \mathbf {g}' := \{ (\mathrm {tk}_1 \xrightarrow [\mathbf {g}]{} \mathrm {ik}_1), \dots , (\mathrm {tk}_w \xrightarrow [\mathbf {g}]{} \mathrm {ik}_w) \} \end{aligned}$$

be a partial $\varPsi $-valid oracle consisting of only $\mathbf {g}$-type queries. We define the composed oracle $ \mathbf {g}' \Diamond ^* \mathbf {O}:= (\widetilde{\mathbf {g}} , \mathbf {s}, \mathbf {e}, \widetilde{\mathbf {d}})$, which has perturbed key-generation and inversion oracles, as follows.

$\widetilde{\mathbf {g}}(\cdot )$: for a given $\mathrm {tk}$, let $\widetilde{\mathbf {g}}(\mathrm {tk}) {\mathop {=}\limits ^{\vartriangle }}\mathrm {ik}_i$ if $\mathrm {tk}= \mathrm {tk}_i$ for $i \in [w]$; otherwise, $\widetilde{\mathbf {g}}(\mathrm {tk}) {\mathop {=}\limits ^{\vartriangle }}\mathbf {g}(\mathrm {tk})$.
$\widetilde{\mathbf {d}}(\cdot , \cdot )$: for a given pair $(\mathrm {tk}, \mathrm {y})$, define $\widetilde{\mathbf {d}}(\mathrm {tk}, \mathrm {y}) $ as follows. Assuming $\mathrm {ik}= \widetilde{\mathbf {g}}(\mathrm {tk})$, let $\widetilde{\mathbf {d}}(\mathrm {tk}, \mathrm {y}) {\mathop {=}\limits ^{\vartriangle }}\mathbf {e}^{-1}(\mathrm {ik}, \mathrm {y})$. Here, $\mathbf {e}^{-1}(\mathrm {ik}, \cdot )$ is the inverse function of $\mathbf {e}(\mathrm {ik}, \cdot )$—i.e., $\mathbf {e}^{-1}(\mathrm {ik}, \mathrm {y}) = \mathrm {x}$ if for some $\mathrm {x}$, $\mathbf {e}(\mathrm {ik}, \mathrm {x}) = \mathrm {y}$; otherwise, $\mathbf {e}^{-1}(\mathrm {ik}, \mathrm {y}) = \bot $. Note that by definition of $\varPsi $, the function $\mathbf {e}^{-1}(\mathrm {ik}, \cdot )$ is indeed well-defined.

It is straightforward to verify that the operation $\Diamond ^*$ preserves completeness.

Lemma 3

Let $\mathbf {O}$ and $\mathbf {g}'$ be as in Definition 4. Then, the composed oracle $\mathbf {g}' \Diamond ^* \mathbf {O}$ is TDP-valid.

Proof

The proof is straightforward and so is omitted. $\square $

Consider a random $\varPsi $-valid oracle $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v})$. Imagine an adversary that wants to come up with a pair $(\mathrm {ik}, \mathrm {y}) \in \{0,1\}^\mathrm {\kappa }\times \{0,1\}^{5 \mathrm {\kappa }}$ of an index-key/image such that $\mathrm {y}$ lies in the support of $\mathbf {s}(\mathrm {ik})$. The following lemma shows that the probability that an adversary can do this in non-trivial way is exponentially small.

Lemma 4

For any polynomial query oracle adversary $\mathcal {B}$ with access only to the oracles $(\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v})$ we have

$$\begin{aligned} \Pr \left[ (\mathrm {ik}, \mathrm {y}) \xleftarrow {\$}\mathcal {B}^{\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}(1^\mathrm {\kappa }) \text { s.t. } \left( ((\mathrm {ik}, *) \xrightarrow [\mathbf {s}]{} \mathrm {y}) \notin \mathsf {Que} \right) \wedge \left( \mathbf {v}(\mathrm {ik}, \mathrm {y}) = \top \right) \wedge \left( |\mathrm {ik}| = \mathrm {\kappa }\right) ) \right] \le \frac{1}{2^{3 \mathrm {\kappa }}}, \end{aligned}$$

(4)

where $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v}) \xleftarrow {\$}\varPsi $ and $\mathsf {Que}$ is the set of all query/response pairs that $\mathcal {B}^{\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}$ makes. We stress that $\mathcal {B}$ is not allowed to make $\mathbf {e}$ or $\mathbf {d}$ queries.^{Footnote 2}

Proof

The proof is based on a simple information-theoretic argument and so we sketch the main idea. Assume w.l.o.g. that $\mathcal {B}$ before returning its guess $(\mathrm {ik}, \mathrm {y})$, it calls the oracle $\mathbf {v}$ on $(\mathrm {ik}, \mathrm {y})$. This only increases the number of queries by one.

At any point of execution, say the next query of $\mathcal {B}$ is a hit if the next query is a $\mathbf {v}$ query, say $((\mathrm {ik}', \mathrm {y}' ) \xrightarrow [\mathbf {v}]{} \; ?)$, which is a valid forgery; namely, (a) $((\mathrm {ik}', *) \xrightarrow [\mathbf {s}]{} \mathrm {y}') \notin \mathsf {Que}$, (b) $|\mathrm {ik}'| = \mathrm {\kappa }$ and (c) $\mathbf {v}(\mathrm {ik}', \mathrm {y}') = \top $.

At any point, the probability that the next query is a hit given we had no hits before is at most $\displaystyle {\frac{2^\mathrm {\kappa }}{2^{5 \mathrm {\kappa }} - 2^\mathrm {\kappa }}}$. The proof now follows by a union bound. $\square $

4.3 Many-Query Case

Fix the candidate type-1 construction $(\mathsf {G}^\mathbf {g}, \mathsf {S}^\mathbf {s}, \mathsf {E}^\mathbf {e}, \mathsf {D}^\mathbf {d})$. We will build an adversary $\mathsf {Break}^{\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}$ which breaks the enhanced one-wayness of $(\mathsf {G}^{\mathbf {g}}, \mathsf {S}^{\mathbf {s}}, \mathsf {E}^{\mathbf {e}}, \mathsf {D}^{\mathbf {d}})$ by making a polynomial number of queries to its oracles. The attacker $\mathsf {Break}$ does not need to call the oracles $\mathbf {e}$ and $\mathbf {d}$ during its attack, so we did not put them as superscripts to $\mathsf {Break}$.

For simplicity we assume the following for all constructions $(\mathsf {G}, \mathsf {S}, \mathsf {E}, \mathsf {D})$ discussed in this paper. This assumption is made only for simplicity and all our results can be proved without it.

Assumption 2

Each of the algorithms $\mathsf {G}^{\mathbf {O}}$, $\mathsf {S}^{\mathbf {O}}$, $\mathsf {E}^{\mathbf {O}}$ and $\mathsf {D}^{\mathbf {O}}$ on a security parameter $1^\mathrm {\kappa }$ call their oracle $\mathbf {O}$ always on the same security parameter $1^\mathrm {\kappa }$.

We will now describe the attacker $\mathsf {Break}$. We will use notation and concepts from Definition 4.

Attacker $\mathsf {Break}^{\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}(\mathrm {IK}, \mathrm {R}, \mathrm {Y})$:

Oracles: $(\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v})$,where $ (\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v}) \xleftarrow {\$}\varPsi $. Set $\mathbf {O}:= (\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d})$.

Input: $(\mathrm {IK}, \mathrm {R}, \mathrm {Y})$, where $(\mathrm {IK}, *) \xleftarrow {\$}\mathsf {G}^{\mathbf {g}}(1^\mathrm {\kappa })$, $\mathrm {R}\xleftarrow {\$}\{0,1\}^\mathrm {\kappa }$ and $\mathrm {Y}:= \mathsf {S}^{\mathbf {s}}(\mathrm {IK}; \mathrm {R})$.

Operations:

1.
Sample (in an offline manner) a pair $(\mathbf {g}' , \mathrm {R}')$ uniformly at random, where $\mathbf {g}'$ is a partial $\varPsi $-valid oracle and $\mathrm {R}' \in \{0,1\}^\mathrm {\kappa }$, under the condition that $(\mathrm {IK}, \widetilde{\mathrm {TK}}) = \mathsf {G}^{\mathbf {g}'}(1^\mathrm {\kappa }; \mathrm {R}')$, for some $\widetilde{\mathrm {TK}}$. Let $\mathbf {g}' \Diamond ^* \mathbf {O}:= (\widetilde{\mathbf {g}} , \mathbf {s}, \mathbf {e}, \widetilde{\mathbf {d}} )$ be formed as in Definition 4.
2.
Let $\mathsf {L} := \emptyset $. Run $\mathsf {S}^{\mathbf {s}}( \mathrm {IK}; \mathrm {R})$ and for any query/response pair $((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {s}]{} \mathrm {y})$ made, add $((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {s}]{} \mathrm {y})$ to $\mathsf {L}$.
3.
Simulate the execution of $\mathsf {D}^{\widetilde{\mathbf {d}}}(\widetilde{\mathrm {TK}}, \mathrm {Y})$ using the oracles $\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}$ as follows. For any encountered query $\mathsf {qu}:= ((\mathrm {tk}, \mathrm {y}) \xrightarrow [\widetilde{\mathbf {d}}]{} \; ?)$, first compute $\widetilde{\mathbf {g}}(\mathrm {tk})$ to get $\mathrm {ik}$; this can be done by making at most one query to $\mathbf {g}$. Then,
1. (a)
  if $\mathbf {v}(\mathrm {ik}, \mathrm {y}) = \bot $, then reply to $\mathsf {qu}$ with $\bot $ and continue the execution;
2. (b)
  else if $((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {s}]{} \mathrm {y}) \in \mathsf {L}$ for some $\mathrm {r}$, then call $((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {u}]{} \; ?)$ to receive $\mathrm {r}_0$ and call $ ((\mathrm {ik},\mathrm {r}_0) \xrightarrow [\mathbf {s}]{} \; ?)$ to get $\mathrm {x}$. Return $\mathrm {x}$ as the response to the query $\mathsf {qu}$, add $((\mathrm {ik},\mathrm {r}_0) \xrightarrow [\mathbf {s}]{} \mathrm {x})$ to $\mathsf {L}$ and continue the execution.
3. (c)
  else (i.e., if $\mathbf {v}(\mathrm {ik}, \mathrm {y}) = \top $ and $((\mathrm {ik}, *) \xrightarrow [\mathbf {s}]{} \mathrm {y}) \notin \mathsf {L}$), then halt the execution and return $\mathsf {Fail}$.
4.
If the simulation has not halted yet, return $\widetilde{\mathrm {X}}$, the output of $\mathsf {D}^{\widetilde{\mathbf {d}}}(\widetilde{\mathrm {TK}}, \mathrm {Y})$.

Theorem 3

The attacker $\mathsf {Break}$ is successful with probability at least $1 - \textstyle {\frac{1}{2^{3\mathrm {\kappa }}}}$. Namely,

$$\begin{aligned} \Pr [\mathsf {Break}^{\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}(\mathrm {IK}, \mathrm {R}, \mathrm {Y}) = \mathrm {X}] \ge 1 - \frac{1}{2^{3\mathrm {\kappa }}}, \end{aligned}$$

where the probability is taken over $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v}) \leftarrow \varPsi $, $(\mathrm {IK}, \mathrm {TK}) \leftarrow \mathsf {G}^{\mathbf {g}}(1^\mathrm {\kappa }) $, $\mathrm {R}\leftarrow \{0,1\}^\mathrm {\kappa }$, $\mathrm {Y}:= \mathsf {S}^{\mathbf {s}}(\mathrm {IK}, \mathrm {R}) $ and $\mathrm {X}:= \mathsf {D}^{\mathbf {d}}(\mathrm {TK}, \mathrm {Y})$.

Proof Roadmap. We show that if the execution of $\mathsf {Break}$ never halts due to Line 3c, then the retrieved string $\widetilde{\mathrm {X}}$ is indeed the correct pre-image of $\mathrm {Y}$. We will then show that the probability that Line 3c is ever hit (which we call the event $\mathrm {Bad}$) is at most $\displaystyle {\frac{1}{2^{3 \mathrm {\kappa }}}}$, by “reducing” it to Lemma 4. These two will complete the proof.

Lemma 5

Let $\mathrm {Bad}$ be the event that line (3c) is hit during the execution of $\mathsf {Break}^{\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}(\mathrm {IK}, \mathrm {R}, \mathrm {Y})$. Then

$$\begin{aligned} \Pr [\mathrm {Bad}] \le \frac{1}{2^{3 \mathrm {\kappa }}}, \end{aligned}$$

where the probability is taken over $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v}) \leftarrow \varPsi $, $(\mathrm {IK}, *) \leftarrow \mathsf {G}^{\mathbf {g}}(1^\mathrm {\kappa }) $, $\mathrm {R}\leftarrow \{0,1\}^\mathrm {\kappa }$, $\mathrm {Y}:= \mathsf {S}^{\mathbf {s}}(\mathrm {IK}, R) $ and over $\mathsf {Break}$’s random coins.

We first show how to derive Theorem 3 from Lemma 5 and we will then prove Lemma 5.

Proof of Theorem 3. All probabilities that appear below are taken over the variables sampled in the theorem. We claim

$$\begin{aligned} \alpha {\mathop {=}\limits ^{\vartriangle }}\Pr [\mathsf {Break}^{ \mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}(\mathrm {IK}, \mathrm {R}, \mathrm {Y}) = X \mid \overline{\mathrm {Bad}}] = 1. \end{aligned}$$

Assuming the claim is true, we may combine it with Lemma 5 to get

$$\begin{aligned} \Pr [\mathsf {Break}^{ \mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}(\mathrm {IK}, \mathrm {R}, \mathrm {Y}) = X ] \ge (1-\frac{1}{2^{3 \mathrm {\kappa }}}) \alpha = 1 - \frac{1}{2^{3 \mathrm {\kappa }}}, \end{aligned}$$

as desired. To prove the above claim first note that by Lemma 3 we have $\mathbf {g}' \Diamond ^* \mathbf {O}:= (\widetilde{\mathbf {g}} , \mathbf {s}, \mathbf {e}, \widetilde{\mathbf {d}} )$ is a valid TDP-oracle, where $\mathbf {g}'$ is formed in Step 1 of $\mathsf {Break}$’s execution. Moreover, recall that $\mathrm {Y}= \mathsf {E}^{\mathbf {e}}(\mathrm {IK}, X)$ and that $(\mathrm {IK}, \widetilde{\mathrm {TK}}) \in \mathsf {G}^{\widetilde{\mathbf {g}}}(1^\mathrm {\kappa })$. Thus, by the correctness condition of the blackbox construction $(\mathsf {G}, \mathsf {S}, \mathsf {E}, \mathsf {D})$ (Definition 2) we have $X = \mathsf {D}^{\widetilde{\mathbf {d}}}(\widetilde{\mathrm {TK}}, \mathrm {Y})$. The claim now follows by noting that if the event $\mathrm {Bad}$ does not hold, then the simulated execution of $\mathsf {D}^{\widetilde{\mathbf {d}}}(\widetilde{\mathrm {TK}}, \mathrm {Y})$ performed by $\mathsf {Break}$ proceeds identically to the real decryption. The proof is now complete. $\square $

Proof of Lemma 5. Let $\beta := \Pr [\mathrm {Bad}]$. We show how to construct an adversary $\mathcal {B}^{\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}$ with oracle access to $(\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v})$ which makes a poly number of queries and with probability at least $\beta $ forges some $(\mathrm {ik}, \mathrm {y}) \in \{0,1\}^\mathrm {\kappa }\times \{0,1\}^{5\mathrm {\kappa }}$ in the sense of Lemma 4. Applying the lemma we will then obtain $\beta \le \textstyle {\frac{1}{2^{3 \mathrm {\kappa }}}}$, as desired.

The adversary $\mathcal {B}^{\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}(1^\mathrm {\kappa })$ first samples a random input $(\mathrm {IK}, \mathrm {R}, \mathrm {Y})$ for $\mathsf {Break}$: namely, $(\mathrm {IK}, \mathrm {TK}) \xleftarrow {\$}\mathsf {G}^\mathbf {g}(1^\mathrm {\kappa })$, $\mathrm {R}\xleftarrow {\$}\{0,1\}^*$ and $\mathrm {Y}:= \mathsf {S}^\mathbf {s}(\mathrm {IK}; \mathrm {R})$. Then, $\mathcal {B}^{\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}$ simulates the execution of $\mathsf {Break}^{\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}(\mathrm {IK}, \mathrm {R}, \mathrm {Y})$ with the only deviation that whenever $\mathsf {Break}$’s execution hits Line (3c) with the underlying strings $\mathrm {ik}$ and $\mathrm {y}$, then $\mathcal {B}$ halts and returns $(\mathrm {ik}, \mathrm {y})$. If $\mathsf {Break}$’s execution is successfully completed without ever hitting Line (3c), then $\mathcal {B}^{\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}$ gives up and returns $\bot $. Let $\mathsf {Que}$ be the set of all query/response pairs that $\mathsf {Break}^{\mathbf {g}, \mathbf {s}, \mathbf {u}, \mathbf {v}}$ makes to its oracles, and note $|\mathsf {Que}|$ is polynomial.

Validity of $\mathcal {B}$’s Forgery Output. As per Lemma 4, we need to show three things: that, (a) $((\mathrm {ik}, *) \xrightarrow [\mathbf {s}]{} \mathrm {y}) \notin \mathsf {Que}$, (b) $\mathbf {v}(\mathrm {ik}, \mathrm {y}) = \top $ and (c) $|\mathrm {ik}| = \mathrm {\kappa }$.

Condition (a) holds because for any $\mathbf {s}$ query $((\mathrm {ik}', \mathrm {r}') \xrightarrow [\mathbf {s}]{} \mathrm {y}') $ ever made by $\mathcal {B}$, this query/response is added to the set $\mathsf {L}$. By the underlying if-condition of Line (3c), we have $((\mathrm {ik}, *) \xrightarrow [\mathbf {s}]{} \mathrm {y}) \notin \mathsf {L}$ and hence $((\mathrm {ik}, *) \xrightarrow [\mathbf {s}]{} \mathrm {y}) \notin \mathsf {Que}$. Condition (b) also holds immediately by the underlying if-condition of Line (3c). Finally, by Assumption 2 $|\mathrm {ik}| = \mathrm {\kappa }$. To see this, recall from the description of $\mathsf {Break}$ that $\mathrm {ik}= \widetilde{\mathbf {g}}(\mathrm {tk})$ and that $|\mathrm {tk}| = \mathrm {\kappa }$. Thus, by definition of $\widetilde{\mathbf {g}}$ we have $|\mathrm {ik}| = \mathrm {\kappa }$, as desired. The proof is now complete. $\square $

5 Proof of Lemma 2: General Case

Sketch of the Attack. Let $(\mathrm {IK}, \mathrm {R}, \mathrm {Y})$ be the inputs to $\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}$, where $(\mathrm {IK}, \mathrm {TK}) \xleftarrow {\$}\mathsf {G}^\mathbf {O}(1^\mathrm {\kappa })$ and $\mathrm {Y}:= \mathsf {S}^{\mathbf {O}}(\mathrm {IK}; \mathrm {R}) $. Let $\mathsf {Q}$ be the set of all query/response pairs during $\mathsf {S}^{\mathbf {O}}(\mathrm {IK}; \mathrm {R}) = \mathrm {Y}$. Let $\mathrm {X}:= \mathsf {D}^\mathbf {O}(\mathrm {TK}, \mathrm {Y})$. Let us first try to proceed as before: sample $(\mathbf {O}', \widetilde{\mathrm {TK}})$ such that $(\mathrm {IK}, \widetilde{\mathrm {TK}}) \xleftarrow {\$}\mathsf {G}^{\mathbf {O}'}(1^\mathrm {\kappa })$ and attempt to perform $\mathsf {D}^{\mathbf {O}' \Diamond ^* \mathbf {O}}$. However, things are not as simple as before. Previously, we were able to show that for any meaningful query which asks for the value of $\mathbf {e}^{-1}(\mathrm {ik}, \mathrm {y})$, we must have $((\mathrm {ik}, *) \xrightarrow [\mathbf {s}]{} \mathrm {y})$, and so $\mathsf {Break}$ can simulate the answer using $\mathbf {u}$. However, this does not hold here, because $\mathrm {y}$ may be coming from the queries made by $\mathsf {G}^\mathbf {O}$, to which $\mathsf {Break}$ does not have access.

Our solution at a high level is as follows. We work with a partial oracle $\widetilde{\mathbf {O}}$ for which initially we have $(\mathrm {IK}, \widetilde{\mathrm {TK}}) \xleftarrow {\$}\mathsf {G}^{\widetilde{\mathbf {O}}}(1^\mathrm {\kappa })$. This oracle will then be used to invert $\mathrm {Y}$ (using $\widetilde{\mathrm {TK}}$) as the secret key, but since $\widetilde{\mathbf {O}}$ is not necessarily defined on all encountered queries (since it is a partial oracle) we need to “make up” answers as we go on in a consistent manner. Ideally, we would like to produce answers by directly resorting to $\mathbf {O}$, so to make the whole execution as close to the real execution as possible. However, this is not always possible, and so at times we need to fake some answers. Whenever, a new answer is generated (either by directly calling $\mathbf {O}$ or by faking it) we add the new query/answer pair to $\widetilde{\mathbf {O}}$ and will continue. Let us elaborate more.

Consider the execution of $\mathsf {D}^{\widetilde{\mathbf {O}}}(\widetilde{\mathrm {TK}}, \mathrm {Y})$: Suppose we encounter a query $\mathrm {qu}$ that is not defined in $\widetilde{\mathbf {O}}$ yet. We have two cases. If $\mathrm {qu}$ is of type $\mathbf {g}$, $\mathbf {s}$ or $\mathbf {e}$—namely, a query which does not require any “trapdoor” information to reply to—we will use the oracle $\mathbf {O}$ directly to answer to this query but with some case to make sure we do not introduce inconsistencies. (Remember that $\widetilde{\mathbf {O}}$ fakes some answers, so “blind” use of $\mathbf {O}$ may potentially creat inconsistencies.) If, however, $\mathrm {qu}$ is of $\mathbf {d}$-type, we will make use of our trapdoor-based accumulated knowledge of the oracle $\mathbf {O}$ along with the oracle $\mathbf {u}$ if we happened to have the required information. Let us give a more detailed explanation.

1.
Suppose $\mathrm {qu} := ((\mathrm {ik}', \mathrm {r}') \xrightarrow [\mathbf {s}]{} \; ?)$, but $\widetilde{\mathbf {O}}(\mathrm {qu})$ is not defined yet. Suppose $\mathrm {x}' = \mathbf {s}(\mathrm {ik}', \mathrm {r}')$. We may think we can simply reply to $\mathrm {qu}$ with $\mathrm {x}'$ and add the query/response pair $\mathrm {qua} := ((\mathrm {ik}', \mathrm {r}') \xrightarrow [\mathbf {s}]{} \mathrm {x}')$ to $\widetilde{\mathbf {O}}$. However, we may get the following problem: There may already be a (fake) query/response $\mathrm {qua}_1 := ((\mathrm {ik}', \mathrm {x}') \xrightarrow [\mathbf {e}]{} \bot ) \in \widetilde{\mathbf {O}}$, which would be inconsistent with $\mathrm {qua}$. Thus, $\widetilde{\mathbf {O}} \cup \{\mathrm {qua} \}$ will not be TDP-consistent, and so we cannot guarantee correct inversion w.r.t. this oracle. We handle this as follows: In case of such inconsistencies, we will reply to $\mathsf {qu}$ with a random answer (which is unlikely to create inconsistencies) and will add the result to $\widetilde{\mathbf {O}}$.

A same situation may hold for an $\mathbf {e}$ query and we will handle such inconsistencies in a similar manner. For $\mathbf {g}$ queries, however, we will preempt the possibility of inconsistencies by putting $\mathsf {Break}$ in “normal form”; see Assumption 5.
2.
Suppose $\mathrm {qu} := ((\mathrm {tk}', \mathrm {y}') \xrightarrow [\mathbf {d}]{} \; ?)$, and $\mathrm {qua} := (\mathrm {tk}' \xrightarrow [\mathbf {g}]{} \mathrm {ik}) \in \widetilde{\mathbf {O}}$. (We will force $\mathrm {qua}$ to already be in $\widetilde{\mathbf {O}}$ by putting $\mathsf {Break}$ in normal form.) We have two cases: (a) trapdoor-available: $\mathbf {g}(\mathrm {tk}') = \mathrm {ik}$ (i.e., $\mathrm {tk}'$ is the real trapdoor key); or (b) trapdoor-absent: $\mathbf {g}(\mathrm {tk}') \ne \mathrm {ik}$: That is, the trapdoor key $\mathrm {tk}'$ has been “faked” before.

If case (a) holds, we call the real oracle $\mathbf {O}$ on $\mathsf {qu}$ and will use the result as is if it leads to no inconsistencies—we, however, now have many more cases of inconsistencies, as compared to Part 1; if an inconsistency occurs, we will fake the answer.

For case (b) we need to resort to our side trapdoor-information about $\mathbf {O}$ (e.g., set $\mathsf {Q}$ above: the set of all query/response pairs during $\mathsf {S}^{\mathbf {O}}(\mathrm {IK}; \mathrm {R}) = \mathrm {Y}$). Also, to handle case (b), we will also need to collect all frequent trapdoor information that happen during random executions of $\mathsf {S}^\mathbf {O}$ and $\mathsf {E}^\mathbf {O}$. This collection of information is done in Step 1 of the algorithm $\mathsf {Break}$.

For our analysis, we will show w.h.p. the union of $\widetilde{\mathbf {O}}_{\mathrm {uni}} {\mathop {=}\limits ^{\vartriangle }}\widetilde{\mathbf {O}} \cup \mathsf {W}_1 \cup \mathsf {W}_2$ is TDP-valid, where $\mathsf {W}_1$ is the (hidden) set of all queries/responses made to sample the challenge pre-image $\mathrm {X}$ and $\mathsf {W}_2$ is the (hidden) set of all query/response pairs in $\mathsf {E}^\mathbf {O}(\mathrm {IK}, \mathrm {X})$. Note that $\mathsf {W}_1$ and $\mathsf {W}_2$ are not available to $\mathsf {Break}$ (which is the reason we called them hidden). Proving this will show that w.h.p. the decrypted result, $\widetilde{\mathrm {X}}$, by $\mathsf {Break}$ will be equal to $\mathrm {X}$. This is because relative to $\widetilde{\mathbf {O}}_{\mathrm {uni}}$, $(\mathrm {IK}, \widetilde{\mathrm {TK}})$ is valid, $\mathrm {X}$ is valid (i.e., outputted by $\mathsf {S}^{\widetilde{\mathbf {O}}_{\mathrm {uni}}}(\mathrm {IK})$), $\mathrm {Y}= \mathsf {E}^\mathbf {O}(\mathrm {IK}, \mathrm {X})$ and $\widetilde{\mathrm {X}} = \mathsf {D}^\mathbf {O}(\widetilde{\mathrm {TK}} , \mathrm {Y})$.

We now proceed to describe the attack formally. We start with the following assumption.

Assumption 4

We assume that $\mathsf {G}^{\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}}$ never calls the oracle $\mathbf {d}$. (It can predict the answer with high probability.) For notational convenience we keep $\mathbf {d}$ as a superscript to $\mathsf {G}$.

We first start by describing two procedures that will be used by $\mathsf {Break}$. The first procedure samples many executions of $\mathsf {S}$ and $\mathsf {E}$ in order to collect frequent trapdoors. The second procedure allows one to sample a fake secret key w.r.t. a priori information about the real oracle $\mathbf {O}$.

Definition 5

(Sampling frequent queries). We define a probabilistic oracle procedure $\mathsf {SFreq}^{\mathbf {O}}$:

Input: $(1^\mathrm {\kappa }, p, \mathrm {IK})$, where p is an integer.
Output: A set of query/response pairs $\mathsf {Freq} \leftarrow \mathsf {SFreq}^{\mathbf {O}}(1^\mathrm {\kappa }, p, \mathrm {IK})$ sampled as follows. Let $\mathsf {Freq} = \emptyset $. Do the following p times:
- Sample $\mathrm {X}\leftarrow \mathsf {S}^{\mathbf {O}}(\mathrm {IK})$ and execute $\mathsf {E}^{\mathbf {O}}(\mathrm {IK}, \mathrm {X})$ and record all query/response pairs to $\mathsf {Freq}$.

Definition 6

We define the procedure $\mathsf {SOrc}$.

Input: $(\mathsf {Freq} , \mathrm {IK})$: A set of query/answer pairs $\mathsf {Freq}$ and an index key $\mathrm {IK}$.
Output: $(\mathrm {TK}' , \mathsf {Q}_g, \mathsf {Q}_s, \mathsf {Q}_e)$, produced as follows. $\mathsf {Q_e}$ sampled as follows. Sample a $\varPsi $-generated $\mathbf {O}' = (\mathbf {g}', \mathbf {s}', \mathbf {e}', \mathbf {d}')$ and $\mathrm {TK}'$ uniformly at random subject to the conditions that (a) $\mathbf {O}'$ is consistent with $\mathsf {Freq}$ (i.e., $\mathbf {O}' \cup \mathsf {Freq}$ is a valid TDP) and (b) $\mathsf {G}^{\mathbf {O}'} = (\mathrm {IK}, \mathrm {TK}')$. Let $\mathsf {Q}_g$, $\mathsf {Q}_s$ and $\mathsf {Q}_e$ contain, respectively, the $\mathbf {g}$, $\mathbf {s}$ and $\mathbf {e}$ query/response pairs made during the execution of $\mathsf {G}^{\mathbf {O}'} $. (Recall that by Assumption 4 no $\mathbf {d}$ queries are made).

We need the following normal-form condition for our attack algorithm.

Assumption 5

We assume the following for any oracle algorithm $\mathsf {A}$ with oracle access to $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d})$: Any query $((\mathrm {tk}, \mathrm {y}) \xrightarrow [\mathbf {d}]{} \; ?)$ is preceded by a query $(\mathrm {tk} \xrightarrow [\mathbf {g}]{} \; ?)$. Moreover, if $\mathbf {d}(\mathrm {tk},\mathrm {y}) = \mathrm {x}\ne \bot $, then $\mathsf {A}$ will make the query $((\mathrm {ik}, \mathrm {x}) \xrightarrow [\mathbf {e}]{} \; ?)$ after making the query $((\mathrm {tk}, \mathrm {y}) \xrightarrow [\mathbf {d}]{} \; ?)$.

Partial Oracles. In the algorithm $\mathsf {Break}$ below we will work with partial oracles, defined only on a subset of their input queries. Specifically, for a partial oracle $\widetilde{\mathbf {O}}$ we define the following notation: We write $\widetilde{\mathbf {O}}(\mathrm {qu}) = \mathrm {null}$ to indicate $\widetilde{\mathbf {O}}$ is not defined on the query $\mathrm {qu}$. This should not be confused with $\widetilde{\mathbf {O}}(\mathrm {qu}) = \bot $ as we use $\widetilde{\mathbf {O}}(\mathrm {qu}) = \bot $ to indicate that the output of $\widetilde{\mathbf {O}}(\mathrm {qu})$ is a fixed invalid symbol. We say $\widetilde{\mathbf {O}}$ is TDP consistent, if there exists a full TDP oracle $\widetilde{\mathbf {O}}_{\mathrm {full}}$ such that $\widetilde{\mathbf {O}} \subseteq \widetilde{\mathbf {O}}_{\mathrm {full}}$.

Parameter $\gamma $. For any $\varPsi $-valid oracle $\mathbf {O}$ we assume that each of the algorithms $\mathsf {G}^{\mathbf {O}}$, $\mathsf {S}^{\mathbf {O}}$, $\mathsf {E}^{\mathbf {O}}$ and $\mathsf {D}^{\mathbf {O}}$ on inputs corresponding to the security parameter $1^\mathrm {\kappa }$ make exactly $\mathrm {\kappa }^{\gamma }$ oracle queries.

The Attack Algorithm $\mathsf {Break}^{\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v}}$: We describe all components of the attack algorithm.

Oracles. $(\mathbf {O}, \mathbf {u}, \mathbf {v})$. Parse $\mathbf {O}:= (\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d})$.

Input. $(1^\mathrm {\kappa }, \mathrm {IK}, \mathrm {R})$

Output. $(\widetilde{\mathrm {X}} , \mathsf {Freq}, \widetilde{\mathbf {O}})$.^{Footnote 3}

1.
Sample $\mathsf {Freq} \leftarrow \mathsf {SFreq}^{\mathbf {O}}(1^\mathrm {\kappa }, \mathrm {\kappa }^{2 \gamma +8}, \mathrm {IK})$. Let $\widetilde{\mathbf {O}}$ and $\mathsf {Real}$ be two partial oracles, both initially empty.
2.
Sample $(\widetilde{\mathrm {TK}} , \mathsf {Q_g}, \mathsf {Q_s}, \mathsf {Q_e}) \leftarrow \mathsf {SOrc}(\mathsf {Freq}, \mathrm {IK}) $. Add $ \mathsf {Q_g} \cup \mathsf {Q_s} \cup \mathsf {Q_e} \cup \mathsf {Freq}$ to $\widetilde{\mathbf {O}}$.
3.
Run $\mathsf {S}^{\mathbf {O}}(\mathrm {R})$—which gives us the challenge image $\mathrm {Y}$—and add all the underlying query/response pairs to $\mathsf {Real}$. Also, add all elements of $\mathsf {Freq}$ to $\mathsf {Real}$. From this point on, all the queries made to the real oracles $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v})$ will be recorded in $\mathsf {Real}$.
4.
Simulate the execution of $\mathsf {D}^{\cdot }(\widetilde{\mathrm {TK}} , \mathrm {Y})$ and answer an encountered query $\mathrm {qu}$ as follows:
1. 4.1
  Already answered in $\widetilde{\mathbf {O}}$: if for some $\mathrm {ans}$, $(\mathrm {qu} , \mathrm {ans}) \in \widetilde{\mathbf {O}}$, then reply to $\mathrm {qu}$ with $\mathrm {ans}$;
2. 4.2
  $\mathbf {g}$-type query: if $\mathrm {qu}$ is of $\mathbf {g}$-type, then reply to $\mathrm {qu}$ by calling the real oracle $\mathbf {g}$ and add the query/response pair to $\widetilde{\mathbf {O}}$;
3. 4.3
  $\mathbf {s}$-type query: if $\mathrm {qu} := ((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {s}]{} \; ?)$, then call $((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {s}]{} \mathrm {x})$. If $ ( (\mathrm {ik},\mathrm {x}) \xrightarrow [\mathbf {e}]{} \bot ) \notin \widetilde{\mathbf {O}}$, then reply to $\mathrm {qu}$ with $\mathrm {x}$ and add $((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {s}]{} \mathrm {x})$ to $\widetilde{\mathbf {O}}$. Otherwise, reply to $\mathrm {qu}$ with $\mathrm {x}' \leftarrow \{0,1\}^{5\mathrm {\kappa }}$ and add $((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {s}]{} \mathrm {x}')$ to $\widetilde{\mathbf {O}}$.
4. 4.4
  $\mathbf {e}$-type query: if $\mathrm {qu} := ((\mathrm {ik}, \mathrm {x}) \xrightarrow [\mathbf {e}]{} \; ?)$ for some $\mathrm {ik}$ and $\mathrm {x}$: Call the real oracle $((\mathrm {ik}, \mathrm {x}) \xrightarrow [\mathbf {e}]{} \; ?)$ to get $\mathrm {y}$;
  1. 4.4.1
    if $\mathrm {y}= \bot $ or $((*,*) \xrightarrow [\mathbf {e}]{} \mathrm {y}) \notin \widetilde{\mathbf {O}}$, then reply to $\mathrm {qu}$ with $\mathrm {y}$ add $((\mathrm {ik},\mathrm {x}) \xrightarrow [\mathbf {e}]{} \mathrm {y})$ to $\widetilde{\mathbf {O}}$;
  2. 4.4.2
    Otherwise, reply to $\mathrm {qu}$ with a random $\mathrm {y}' \leftarrow \{0,1\}^{5\mathrm {\kappa }}$ and add $((\mathrm {ik},\mathrm {x}) \xrightarrow [\mathbf {e}]{} \mathrm {y}')$ to $\widetilde{\mathbf {O}}$.
5. 4.5
  $\mathbf {d}$-type query: if $\mathrm {qu} := ((\mathrm {tk}, \mathrm {y}) \xrightarrow [\mathbf {d}]{} \; ?)$ for some $\mathrm {tk}$ and $\mathrm {y}$: letting $\mathrm {ik}$ be such that $(\mathrm {tk} \xrightarrow [\mathbf {g}]{} \mathrm {ik}) \in \widetilde{\mathbf {O}}$.
  1. 4.5.1
    if $((\mathrm {ik}, \mathrm {x}) \xrightarrow [\mathbf {e}]{} \mathrm {y}) \in \widetilde{\mathbf {O}}$, then reply to $\mathrm {qu}$ with x and add $((\mathrm {tk}, \mathrm {y}) \xrightarrow [\mathbf {d}]{} \mathrm {x})$ to $\widetilde{\mathbf {O}}$.
  2. 4.5.2
    else if $((\mathrm {ik}, \mathrm {y}) \xrightarrow [\mathbf {e}]{} \bot ) \in \widetilde{\mathbf {O}}$ then reply to $\mathrm {qu}$ with $\bot $ and add $((\mathrm {tk}, \mathrm {y}) \xrightarrow [\mathbf {d}]{} \bot )$ to $\widetilde{\mathbf {O}}$.
  3. 4.5.3
    otherwise,
    1. 4.5.3.1
      if for some $\mathrm {tk}'$: $(\mathrm {tk}' \xrightarrow [\mathbf {g}]{} \mathrm {ik}) \in \mathsf {Real}$ then call $((\mathrm {tk}',\mathrm {y}) \xrightarrow [\mathbf {d}]{} \; ?)$ to get x:
      
      (A) if $((\mathrm {ik},\mathrm {x}) \xrightarrow [\mathbf {e}]{} *) \notin \widetilde{\mathbf {O}}$, then reply to $\mathrm {qu}$ with x and add $( (\mathrm {ik},\mathrm {x}) \xrightarrow [\mathbf {e}]{} \mathrm {y})$ to $\widetilde{\mathbf {O}}$.
      
      (B) if $( (\mathrm {ik},\mathrm {x}) \xrightarrow [\mathbf {e}]{} *) \in \widetilde{\mathbf {O}}$ then reply to $\mathrm {qu}$ with a random $\mathrm {x}' \leftarrow \{0,1\}^{5\mathrm {\kappa }}$ and add $((\mathrm {ik},\mathrm {x}') \xrightarrow [\mathbf {e}]{} \mathrm {y})$ to $\widetilde{\mathbf {O}}$.
    2. 4.5.3.2
      else if $((\mathrm {ik}, \mathrm {x}) \xrightarrow [\mathbf {e}]{} \mathrm {y}) \in \mathsf {Real}$, then
      
      (A) if $( (\mathrm {ik},\mathrm {x}) \xrightarrow [\mathbf {e}]{} *) \notin \widetilde{\mathbf {O}}$ then reply to $\mathrm {qu}$ with x and add $( (\mathrm {ik},\mathrm {x}) \xrightarrow [\mathbf {e}]{} \mathrm {y})$ to $\widetilde{\mathbf {O}}$.
      
      (B) if $( (\mathrm {ik},\mathrm {x}) \xrightarrow [\mathbf {e}]{} *) \in \widetilde{\mathbf {O}}$ then reply to $\mathrm {qu}$ with a random $\mathrm {x}' \leftarrow \{0,1\}^{5\mathrm {\kappa }}$ and add $((\mathrm {ik},\mathrm {x}') \xrightarrow [\mathbf {e}]{} \mathrm {y})$ to $\widetilde{\mathbf {O}}$.
    3. 4.5.3.3
      else if for some r: $((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {s}]{} \mathrm {y}) \in \mathsf {Real}$, then call $((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {u}]{} \; ?) $ to get $\mathrm {r}_0$ and call $((\mathrm {ik}, \mathrm {r}_0) \xrightarrow [\mathbf {s}]{} \; ?)$ to get $\mathrm {x}_0$:
      
      (A) if $( (\mathrm {ik},\mathrm {x}_0) \xrightarrow [\mathbf {e}]{} *) \notin \widetilde{\mathbf {O}}$, then reply to $\mathrm {qu}$ with $\mathrm {x}_0$ and add $( (\mathrm {ik},\mathrm {x}_0) \xrightarrow [\mathbf {e}]{} \mathrm {y})$ to $\widetilde{\mathbf {O}}$.
      
      (B) if $((\mathrm {ik},\mathrm {x}_0) \xrightarrow [\mathbf {e}]{} *) \in \widetilde{\mathbf {O}}$, then reply to $\mathrm {qu}$ with a random $\mathrm {x}' \leftarrow \{0,1\}^{5\mathrm {\kappa }}$ and add $((\mathrm {ik},\mathrm {x}') \xrightarrow [\mathbf {e}]{} \mathrm {y})$ to $\widetilde{\mathbf {O}}$.
    4. 4.5.3.4
      else if $\mathbf {v}(\mathrm {ik}, \mathrm {y}) = \bot $ then reply to $\mathrm {qu}$ with $\bot $;
    5. 4.5.3.5
      otherwise, reply to $\mathrm {qu}$ with a random $\mathrm {x}' \leftarrow \{0,1\}^{5\mathrm {\kappa }}$ and add both of $((\mathrm {tk}, \mathrm {y}) \xrightarrow [\mathbf {d}]{} \mathrm {x}')$ and $((\mathrm {ik}, \mathrm {x}') \xrightarrow [\mathbf {e}]{} \mathrm {y})$ to $\widetilde{\mathbf {O}}$.
5.
Letting $\widetilde{\mathrm {X}}$ be the result of the simulated execution of $\mathsf {D}^{\cdot }(\widetilde{\mathrm {TK}} , Y)$, return $(\widetilde{\mathrm {X}} , \mathsf {Freq} , \widetilde{\mathbf {O}})$.

5.1 Proof of Attack Effectiveness

We now focus on proving Lemma 2. We first start with a simple information theoretic lemma, which generalizes Lemma 4 to the case in which the “forger” may call all the underlying oracles. For that lemma, we need the following definition.

Definition 7

Let $\mathsf {Q}$ be a set of query/response pairs obtained from oracles $(\mathbf {g},\mathbf {s},\mathbf {e},\mathbf {d},\mathbf {u},\mathbf {v})$. We say that $(\mathrm {ik},\mathrm {x})$ is embedded in $\mathsf {Q}$ if

$((\mathrm {ik}, *) \xrightarrow [\mathbf {s}]{} \mathrm {x}) \in \mathsf {Q}$, or
$((\mathrm {ik}, *) \xrightarrow [\mathbf {e}]{} \mathrm {x}) \in \mathsf {Q}$ or
for some $\mathrm {tk}$: $(\mathrm {tk} \xrightarrow [\mathbf {g}]{} \mathrm {ik}) \in \mathsf {Q}$ and $((\mathrm {tk}, *) \xrightarrow [\mathbf {d}]{} \mathrm {x}) \in \mathsf {Q}$.

The following lemma generalizes Lemma 4. The proof again follows using standard information-theoretic arguments and so is omitted.

Lemma 6

Let $\mathcal {B}$ be a a polynomial-query oracle adversary. We have

$$\begin{aligned}&\Pr _{(\mathbf {O}, \mathbf {u}, \mathbf {v}) \leftarrow \varPsi }[(\mathrm {ik}, \mathrm {y}) \xleftarrow {\$}\mathcal {B}^{\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v}}(1^\mathrm {\kappa }) \text { s.t. } |\mathrm {ik}| = \mathrm {\kappa }\nonumber \\&\quad \quad \quad \quad \,\,{ and \,\,}\,\, \mathbf {v}(\mathrm {ik}, \mathrm {y}) = \top \,\,{ and\,\, }\,\, (\mathrm {ik},\mathrm {y}) \,\,{ is\,\, not\,\, embedded\,\, in\,\, }\,\, \mathsf {Que} ] \le \frac{1}{2^{3 \mathrm {\kappa }}}, \end{aligned}$$

(5)

where $\mathsf {Que}$ is the set of all query/answer pairs of $\mathcal {B}$.

We define the following environment that specifies a random choice of the oracles $(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v})$ as well as random variables used to form a random input to an adversary against enhanced one-wayness of the construction.

Environment. The environment $\mathsf {Env}(\mathrm {\kappa })$ specifies the following random variables: $(\mathrm {IK}, \mathsf {Query} , \mathrm {R}_y, \mathrm {Y}, \mathrm {R}_x , \mathrm {X}, \mathbf {O})$:

$(\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d}, \mathbf {u}, \mathbf {v}) \leftarrow \varPsi $. Let $\mathbf {O}:= (\mathbf {g}, \mathbf {s}, \mathbf {e}, \mathbf {d})$;
$(\mathrm {IK}, \mathrm {TK}) \leftarrow \mathsf {G}^{\mathbf {O}}(1^\mathrm {\kappa })$ and let $\mathsf {Query}$ be the set of all query/response pairs asked during the execution;
$\mathrm {R}_y \leftarrow \{0,1\}^*$;
$\mathrm {Y}:= \mathsf {S}^{\mathbf {O}}(\mathrm {IK}, \mathrm {R}_y)$;
$\mathrm {X}:= \mathsf {D}^{\mathbf {O}}(\mathrm {TK}, \mathrm {Y})$
$\mathrm {R}_x \leftarrow \mathsf {S}$, where
$$\begin{aligned} \mathsf {S} := \{ \mathrm {R}\mid \mathsf {S}^{\mathbf {O}}(\mathrm {IK},\mathrm {R}) = \mathrm {X}\}. \end{aligned}$$

Notation $\mathsf {HitQ}$. For an oracle algorithm $\mathsf {A}^{\mathbf {O}}$ we let $\mathsf {HitQ}(\mathsf {A}^{\mathbf {O}}(\mathrm {X}))$ denote the set of all query response pairs made during the execution of $\mathsf {A}^\mathbf {O}(\mathrm {X})$. If $\mathsf {A}$ is a randomized algorithm, then $\mathsf {HitQ}(\mathsf {A}^{\mathbf {O}}(\mathrm {X}))$ will be a random variable.

Notation $\Diamond $. For a partial oracle $\widetilde{\mathbf {O}}$ and full oracle $\mathbf {O}$ we let $\widetilde{\mathbf {O}} \Diamond \mathbf {O}$ denote the oracle that responds to a query $\mathrm {qu}$ as follows: if $\widetilde{\mathbf {O}}(\mathrm {qu}) \ne \mathrm {null}$ then $\widetilde{\mathbf {O}} \Diamond \mathbf {O}(\mathrm {qu}) = \widetilde{\mathbf {O}}(\mathrm {qu})$; otherwise, $\widetilde{\mathbf {O}} \Diamond \mathbf {O}(\mathrm {qu}) = \mathbf {O}(\mathrm {qu})$. Note that even if both $\widetilde{\mathbf {O}}$ and $\mathbf {O}$ are TDP consistent, $\widetilde{\mathbf {O}} \Diamond \mathbf {O}$ is not necessarily so.

Lemma 7

Let $(\mathrm {IK}, \mathsf {Query} , \mathrm {R}_y, \mathrm {Y}, \mathrm {R}_x , \mathrm {X}, \mathbf {O}, \mathbf {u}, \mathbf {v}) \leftarrow \mathsf {Env}(\mathrm {\kappa })$ and $(\widetilde{\mathrm {X}} , \mathsf {Freq} , \widetilde{\mathbf {O}} ) \leftarrow \mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}(1^\mathrm {\kappa }, \mathrm {IK},\mathrm {R})$.

1.
$$\begin{aligned} \Pr [\mathrm {X}= \mathsf {S}^{\widetilde{\mathbf {O}} \Diamond \mathbf {O}}(\mathrm {IK}, \mathrm {R}_\mathrm {x}) \text { and } \mathsf {E}^{\widetilde{\mathbf {O}}\Diamond \mathbf {O}}(\mathrm {IK}, \mathrm {X}) = \mathrm {Y}] \ge 1- \frac{1}{4 \mathrm {\kappa }^2} \end{aligned}$$
(6)
2.
Letting
$$\begin{aligned} \mathsf {ALLQ} := \widetilde{\mathbf {O}} \cup \mathsf {HitQ}(\mathsf {S}^{\widetilde{\mathbf {O}} \Diamond \mathbf {O}}(\mathrm {IK}, \mathrm {R}_\mathrm {x})) \cup \mathsf {HitQ}(\mathsf {E}^{\widetilde{\mathbf {O}}\Diamond \mathbf {O}}(\mathrm {IK}, \mathrm {X}) ) \end{aligned}$$
we have $\Pr [\mathsf {ALLQ} \text { is TDP consistent }] \ge 1- \frac{1}{2 \mathrm {\kappa }^2}$.

Let us first show how to use Lemma 7 to prove Lemma 2. We will then prove Lemma 7.

Proof

(Proof of Lemma 2). Let all the variables be sampled as in Lemma 2. Let $\mathrm {R}_x \leftarrow \mathsf {S}$, where

$$\begin{aligned} \mathsf {S} := \{ \mathrm {R}\mid \mathsf {S}^{\mathbf {O}}(\mathrm {IK},\mathrm {R}) = \mathrm {X}\}. \end{aligned}$$

Let $\mathrm {Evnt}_1$ and $\mathrm {Evnt}_2$ denote the events of Parts 1 and 2 of Lemma 7. That is,

$\mathrm {Evnt}_1: \mathrm {X}= \mathsf {S}^{\widetilde{\mathbf {O}} \Diamond \mathbf {O}}(\mathrm {IK}, \mathrm {R}_\mathrm {x}) \text { and } \mathsf {E}^{\widetilde{\mathbf {O}}\Diamond \mathbf {O}}(\mathrm {IK}, \mathrm {X}) = \mathrm {Y}$
$\mathrm {Evnt}_2: \mathsf {ALLQ} \text { is TDP consistent }$.

We claim if $\mathrm {Evnt}_1 \wedge \mathrm {Evnt}_2$ holds, then $\widetilde{\mathrm {X}} = \mathrm {X}$. This implies our result since

$$\begin{aligned} \Pr [\widetilde{\mathrm {X}} = \mathrm {X}] \ge \Pr [\mathrm {Evnt}_1 \wedge \mathrm {Evnt}_2] \ge 1 - \Pr [\overline{\mathrm {Evnt}_1}] - \Pr [\overline{\mathrm {Evnt}_2}] \ge 1- \frac{1}{\mathrm {\kappa }^2}. \end{aligned}$$

It remains to prove the above claim. We show if $\mathrm {Evnt}_1 \wedge \mathrm {Evnt}_2$ then (I) $\mathsf {ALLQ}$ is TDP consistent, (II) $(\mathrm {IK}, \widetilde{\mathrm {TK}}) \in \mathsf {G}^{\mathsf {ALLQ}}(1^\mathrm {\kappa })$, (III) $\widetilde{\mathrm {X}} = \mathsf {D}^{\mathsf {ALLQ}}(\widetilde{\mathrm {TK}} , Y) $, (IV) $\mathrm {X}= \mathsf {S}^{\mathsf {ALLQ}}(\mathrm {IK}, \mathrm {R}_\mathrm {x}) $, (V) $ \mathsf {E}^{\mathsf {ALLQ}}(\mathrm {IK}, \mathrm {X}) = \mathrm {Y}$. Then, by the correctness of the construction $(\mathsf {G}, \mathsf {S}, \mathsf {E}, \mathsf {D})$ we obtain $\widetilde{\mathrm {X}} = \mathrm {X}$, and the proof will be complete.

First, note that (I) follows by definition of $\mathrm {Evnt}_2$.

To prove (II) and (III), first note that we have $ (\mathrm {IK}, \widetilde{\mathrm {TK}}) \in \mathsf {G}^{\widetilde{\mathbf {O}}}(1^\mathrm {\kappa })$ and $\widetilde{\mathrm {X}} = \mathsf {D}^{\widetilde{\mathbf {O}}}(\widetilde{\mathrm {TK}} , \mathrm {Y})$. Now since $\widetilde{\mathbf {O}} \subseteq \mathsf {AllQ}$ and since $\mathsf {ALLQ}$ is TDP consistent, we have $(\mathrm {IK}, \widetilde{\mathrm {TK}}) \in \mathsf {G}^{\mathsf {ALLQ}}$ and $\widetilde{\mathrm {X}} = \mathsf {D}^{\mathsf {ALLQ}}(\widetilde{\mathrm {TK}} , \mathrm {Y}) $. Note that the mere fact that $\widetilde{\mathbf {O}} \subseteq \mathsf {ALLQ}$ will not be sufficient to conclude these two last statements (II) and (III); the reason is that there may be collisions between $\widetilde{\mathbf {O}}$ and $\mathsf {ALLQ} \setminus \widetilde{\mathbf {O}}$ (e.g., a query $\mathrm {qu}$ may receive different responses from the two oracles), rendering the corresponding executions ambiguous.

Similarly, from the facts that $\mathsf {ALLQ}$ is TDP consistent and that $\mathrm {Evnt}_1$ holds, we conclude (IV) and (V). $\square $

We now show how to prove Lemma 7, starting with Part 1. We give the proof of Part 2 of the lemma in the full version. To this end, we define some variables and events to help us describe things more concisely.

Sub-oracles $\widetilde{\mathbf {O}_1}$, $\widetilde{\mathbf {O}_2}$, $\widetilde{\mathbf {O}_3}$, $\widetilde{\mathbf {O}_4}$ and set $\mathsf {Rand}$. We define four sub-oracles of $\widetilde{\mathbf {O}}$, which capture some of the query/response pairs that were added to $\widetilde{\mathbf {O}}$ as a result of faking answers for those queries that created conflict with the real oracle $\mathbf {O}$. Recall that for removing such conflicts, we sampled elements uniformly at random from $\{0,1\}^{5 \mathrm {\kappa }}$ and used those for faking answers. Informally, the set $\mathsf {Rand}$ contain those points sampled for these purposes. We now formally define these pieces of notation.

$\widetilde{\mathbf {O}_1}$: We let $\widetilde{\mathbf {O}_1}$ contain any query/response pair $( (\mathrm {ik},\mathrm {x}) \xrightarrow [\mathbf {e}]{} \mathrm {y}')$ added to $\widetilde{\mathbf {O}}$ as a result of Line 4.4.2..
$\widetilde{\mathbf {O}_2}$: We let $\widetilde{\mathbf {O}_2}$ contain any query/response pair added to $\widetilde{\mathbf {O}}$ as a result of Condition (B) of Line 4.5.3.1..
$\widetilde{\mathbf {O}_3}$: We let $\widetilde{\mathbf {O}_3}$ contain any query/response pair added to $\widetilde{\mathbf {O}}$ as a result of Condition (B) of Line 4.5.3.3..
$\widetilde{\mathbf {O}_4}$: We let $\widetilde{\mathbf {O}_4}$ contain any query/response pair $( (\mathrm {ik},\mathrm {x}) \xrightarrow [\mathbf {e}]{} \mathrm {y})$ added to $\widetilde{\mathbf {O}}$ as a result of Line 4.5.3.5..
$\mathsf {Rand}$: We let $\mathsf {Rand}$ contain all $\mathrm {x}$ such that $((*, \mathrm {x}) \xrightarrow [\mathbf {e}]{} *) \in \widetilde{\mathbf {O}_2} \cup \widetilde{\mathbf {O}_3}$ or $((*, *) \xrightarrow [\mathbf {e}]{} \mathrm {x}) \in \widetilde{\mathbf {O}_1}$. Intuitively, the set $\mathsf {Rand}$ contains all points that were sampled uniformly at random for making up fake answers.

Events $\mathrm {Surp}_1$, $\mathrm {Surp}_2$, $\mathrm {Surp}_3$, $\mathrm {Surp}_4$. We define some events which we will prove can only happen with negligible probability.

$\mathrm {Surp}_1$: the event that for some $((\mathrm {ik}, *) \xrightarrow [\mathbf {e}]{} \mathrm {y}') \in \widetilde{\mathbf {O}_1}$ we have $\mathbf {v}(\mathrm {ik},\mathrm {y}') = \top $ or for some $((\mathrm {ik}, \mathrm {x}') \xrightarrow [\mathbf {e}]{} *) \in \widetilde{\mathbf {O}_2} \cup \widetilde{\mathbf {O}_3} \cup \widetilde{\mathbf {O}_4}$ we have $\mathbf {v}(\mathrm {ik},\mathrm {x}') = \top $.
$\mathrm {Surp}_2$: the event that during the execution $\mathsf {S}^{\mathbf {O}}(\mathrm {IK}; \mathrm {R}_\mathrm {x})$ a query $\mathrm {qu} = ((\mathrm {ik}, \mathrm {x}) \xrightarrow [\mathbf {e}]{} \; ?)$ or a query $((*, \mathrm {x}) \xrightarrow [\mathbf {d}]{} \; ?)$ is made where $\mathrm {x}\in \mathsf {Rand}$;
$\mathrm {Surp}_3$: the event that there exists $((\mathrm {ik}, \mathrm {x}) \xrightarrow [\mathbf {e}]{} \mathrm {y}) \in \widetilde{\mathbf {O}_4}$ such that $(\mathrm {ik},\mathrm {y})$ is not embedded in $\mathsf {Query}$.
$\mathrm {Surp}_4$: For $\mathrm {x}\ne \mathrm {x}'$ and $\mathrm {y}\ne \bot $: $( (\mathrm {ik},\mathrm {x}) \xrightarrow [\mathbf {e}]{} \mathrm {y}) \in \widetilde{\mathbf {O}}$ and $((\mathrm {ik},\mathrm {x}') \xrightarrow [\mathbf {e}]{} \mathrm {y}) \in \widetilde{\mathbf {O}}$.

Let $\mathrm {Surp} = \mathrm {Surp}_1 \vee \mathrm {Surp}_2 \vee \mathrm {Surp}_3 \vee \mathrm {Surp}_4$.

Set $\mathsf {Dif}$. Let $\mathsf {Q} := \mathsf {Q_g} \cup \mathsf {Q_s} \cup \mathsf {Q_e}$, where recall that the sets $ \mathsf {Q_g}$, $ \mathsf {Q_s}$ and $ \mathsf {Q_e}$ are formed during Line 2 of the algorithm $\mathsf {Break}$. Let $\mathsf {Dif}$ be the set of queries formed as follows: For any query/response pair $(\mathrm {qu} \xrightarrow [*]{} *) \in \mathsf {Q}$, add the query $\mathrm {qu} $ to $\mathsf {Dif}$. Moreover, for any $(\mathrm {ik},\mathrm {x})$ that occurs in $\mathsf {Query} \cup \mathsf {Q}$:

(A)
if for some $\mathrm {r}$: $\mathbf {s}(\mathrm {ik},\mathrm {r}) = \mathrm {x}$ add $((\mathrm {ik}, \mathrm {r}) \xrightarrow [\mathbf {s}]{} \; ?)$ to $\mathsf {Dif}$;
(B)
add $((\mathrm {ik}, \mathrm {x}) \xrightarrow [\mathbf {e}]{} \; ?)$ to $\mathsf {Dif}$;
(C)
add $((\mathrm {tk}, \mathrm {x}) \xrightarrow [\mathbf {d}]{} \; ?)$ to $\mathsf {Dif}$, where $\mathrm {tk}= \mathbf {g}^{-1}(\mathrm {ik})$;
(D)
if for some $\mathrm {x}'$: $\mathbf {e}(\mathrm {ik}, \mathrm {x}') = \mathrm {x}$, add $((\mathrm {ik}, \mathrm {x}') \xrightarrow [\mathbf {e}]{} \; ?)$ to $\mathsf {Dif}$.^{Footnote 4}

Events $\mathrm {Match}$ and $\mathrm {MissQ}$. Equipped with the set $\mathsf {Dif}$ we now define the following two events.

$\mathrm {Match}$: $\widetilde{\mathbf {O}} \Diamond \mathbf {O}$ agrees with $ \mathsf {HitQ}(\mathsf {S}^{\mathbf {O}}(\mathrm {IK}; \mathrm {R}_\mathrm {x})) \cup \mathsf {HitQ}( \mathsf {E}^{\mathbf {O}}(\mathrm {IK}, \mathrm {X})) $.
$\mathrm {MissQ}$:
$$\begin{aligned} \exists \langle qu \rangle \in \mathsf {Dif} \text { s.t. } \langle qu \rangle \notin \mathsf {Freq} \text { and } \langle qu \rangle \in \mathsf {HitQ}(\mathsf {S}^{\mathbf {O}}(\mathrm {IK}; \mathrm {R}_\mathrm {x})) \cup \mathsf {HitQ}( \mathsf {E}^{\mathbf {O}}(\mathrm {IK}, \mathrm {X})). \end{aligned}$$

Lemma 8

If $\overline{\mathrm {Match}}$ holds, then $\mathrm {MissQ} \vee \mathrm {Surp}$ holds.

Lemma 9

We have $\Pr [\mathrm {MissQ}] \le \textstyle {\frac{1}{8\mathrm {\kappa }^2}}$.

Lemma 10

We have $\Pr [\mathrm {Surp}] \le \textstyle {\frac{1}{2^{\mathrm {\kappa }}}}$.

Proof (of Part 1 of Lemma 7)

Let $\alpha (n)$ denote the probability of this part of the lemma. We have $\alpha (n) \ge \Pr [\mathrm {Match}]$. From Lemmas 8, 9 and 10 $\Pr [\overline{\mathrm {Match}}] \le \textstyle {\frac{1}{4\mathrm {\kappa }^2}} $. The proof is complete. $\square $

We give the proof of Lemma 8 in the full version. We now prove Lemma 9, for which we will use the following standard lemma.

Lemma 11

Let $x_1, \dots , x_{t+1}$ be independent, Bernoulli random variables, where $\Pr [x_i = 1] = p $, for all $i \le t+1$. Then

$$\begin{aligned} \Pr [x_1 = 0 \wedge \cdots \wedge x_t = 0 \wedge x_{t+1} = 1] \le \frac{1}{t}. \end{aligned}$$

Proof (of Lemma 9)

Let $\mathsf {Exec}^{\mathbf {O}}(\mathrm {IK})$ be the following random execution: Sample $\mathrm {X}' \leftarrow \mathsf {S}^{\mathbf {O}}(\mathrm {IK})$ and run $\mathsf {E}^{\mathbf {O}}(\mathrm {IK},\mathrm {X}')$. Recall that $\mathsf {Freq}$ is formed by running $\mathsf {Exec}^{\mathbf {O}}(\mathrm {IK})$ independently $t := \mathrm {\kappa }^{2 \gamma +8}$ times. Also, note that $\mathrm {R}_x$ is a uniformly random string, and thus $(\mathsf {S}^{\mathbf {O}}(\mathrm {IK}; \mathrm {R}_\mathrm {x}); \mathsf {E}^{\mathbf {O}}(\mathrm {IK}, X) )$ corresponds to a random execution of $\mathsf {Exec}^{\mathbf {O}}(\mathrm {IK})$.

Using simple inspection, we may verify $|\mathsf {Dif}| \le 6 \mathrm {\kappa }^{\gamma } $. Now applying Lemma 11 for each element of $\mathsf {Dif}$ and taking a union bound, we will have $\Pr [\mathrm {MissQ}] \le 6 \mathrm {\kappa }^{\gamma }\textstyle {\frac{1}{\mathrm {\kappa }^{2 \gamma +8}}} \le \textstyle {\frac{1}{8\mathrm {\kappa }^2}}$, as desired. $\square $

Proof (of Lemma 10)

We can easily show that each of the events $\mathrm {Surp}_1$, $\mathrm {Surp}_2$ and $\mathrm {Surp}_4$ happens with probability at most $\textstyle {\frac{1}{2^{3n}}}$: Arguing about the probability of each of these events amounts to arguing that a randomly chosen element in $\{0,1\}^{5 \mathrm {\kappa }}$ happens to lie in a sparse subset of $\{0,1\}^{5 \mathrm {\kappa }}$. Thus, we omit the details for these parts.

We focus on bounding the probability of $\mathrm {Surp}_3$. Recall that

$\mathrm {Surp}_3$: a query $((\mathrm {tk}, \mathrm {y}) \xrightarrow [\mathbf {d}]{} \; ?)$ is made for which Line 4.5.3.5. is hit and for which $(\mathrm {ik},\mathrm {y})$ is not embedded in $\mathsf {Query}$, where $(\mathrm {ik},\mathrm {y})$ is defined as in Line 4.5.3.5.. Also, recall that the notion of embeddedness from Definition 7.

We will show that whenever the event $\mathrm {Surp}_3$ holds, we can forge a pair $(\mathrm {ik},\mathrm {y})$ in the sense of Lemma 4, obtaining $\Pr [\mathrm {Surp}_3] \le \textstyle {\frac{1}{2^{3n}}} $.

In order for Line 4.5.3.5.—during the simulated execution of $\mathsf {D}^{\cdot }(\widetilde{\mathrm {TK}} , \mathrm {Y})$—to be hit with the underlying values $(\mathrm {ik},\mathrm {y})$, all of the following must hold at that point:

(I)
$((\mathrm {ik}, *) \xrightarrow [\mathbf {e}]{} \mathrm {y}) \notin \mathsf {Real}$—this is because otherwise Line 4.5.3.2. would have been hit.
(II)
$((\mathrm {ik}, *) \xrightarrow [\mathbf {s}]{} \mathrm {y}) \notin \mathsf {Real}$—this is because otherwise Line 4.5.3.3. would have been hit.
(III)
$((\mathrm {tk}_{\mathrm {real}}, *) \xrightarrow [\mathbf {d}]{} *) \notin \mathsf {Real}$, where $\mathrm {tk}_{\mathrm {real}} = \mathbf {g}^{-1}(\mathrm {ik})$—this is because otherwise Line 4.5.3.1. would have been hit (by Assumption 5).
(IV)
$\mathbf {v}(\mathrm {ik},\mathrm {y}) = \top $—this is because otherwise Line 4.5.3.4. would have been hit.

We now show show how the above conditions enable us to forge in the sense of Lemma 4. In particular, the above conditions immediately imply that $(\mathrm {ik},\mathrm {y})$ is not embedded in $\mathsf {Real}$. Also, notice that the set $\mathsf {Real}$ contains all those query/response pairs made by $\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}(1^\mathrm {\kappa }, \mathrm {IK},\mathrm {R})$ (to its real oracles) up to the point the event $\mathrm {Surp}_3$ holds. Moreover, since $\mathrm {Surp}_3$ holds, then, by definition, the pair $(\mathrm {ik},\mathrm {y})$ is not embedded in $\mathsf {Query}$ either, which contains all the query/response pairs used to produce $\mathrm {IK}$. We may now design a forgery attack as follows. The forger $\mathcal {B}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}(1^\mathrm {\kappa })$ first samples $(\mathrm {IK}, *) \leftarrow \mathsf {G}^{\mathbf {O}}(1^\mathrm {\kappa }) $ and then simulates $\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}(1^\mathrm {\kappa }, \mathrm {IK},\mathrm {R})$ for $\mathrm {R}\leftarrow \{0,1\}^*$. Whenever the event $\mathrm {Surp}_3$ holds with the underlying pair $(\mathrm {ik},\mathrm {y})$, then $\mathcal {B}$ will halt and return $(\mathrm {ik},\mathrm {y})$. Note that $\mathsf {Break}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}(1^\mathrm {\kappa }, \mathrm {IK},\mathrm {R})$ can efficiently recognize the occurrence of the event $\mathrm {Surp}_3$. The success probability of $\mathcal {B}^{\mathbf {O}, \mathbf {u}, \mathbf {v}}(1^\mathrm {\kappa })$ is the probability that $\mathrm {Bad}$ holds. $\square $

Notes

1.
The TDP construction in [BPW16] does not satisfy doubly-enhanced one-wayness, but a relaxed version of it, which nevertheless suffices for their respective application.
2.
We may define and prove a version of this lemma which allows the adversary $\mathcal {B}$ to also make $\mathbf {e}$ and $\mathbf {d}$ queries. This current version however suffices for what we need for the simple separation we show in this section.
3.
$\widetilde{\mathrm {X}}$ is the final result of inversion. The other two outputs, namely $\mathsf {Freq}, \widetilde{\mathbf {O}}$, are partial oracles, which are included in the output so to help us later state our security statements easier.
4.
Note that we do not claim that $\mathsf {Dif}$ can be built efficiently. We merely introduce $\mathsf {Dif}$ to define a related event.

References

Asharov, G., Segev, G.: On constructing one-way permutations from indistinguishability obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 512–541. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49099-0_19
Chapter MATH Google Scholar
Baecher, P., Brzuska, C., Fischlin, M.: Notions of black-box reductions, revisited. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 296–315. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-42033-7_16
Chapter Google Scholar
Boneh, D., Papakonstantinou, P.A., Rackoff, C., Vahlis, Y., Waters, B.: On the impossibility of basing identity based encryption on trapdoor permutations. In: 49th FOCS, 25–28 October 2008, Philadelphia, PA, USA, pp. 283–292. IEEE Computer Society Press (2008)
Google Scholar
Bitansky, N., Paneth, O., Wichs, D.: Perfect structure on the edge of chaos. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 474–502. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_20
Chapter MATH Google Scholar
Bellare, M., Yung, M.: Certifying cryptographic tools: the case of trapdoor permutations. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 442–460. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_31
Chapter Google Scholar
Canetti, R., Lichtenberg, A.: Certifying trapdoor permutations, revisited. Cryptology ePrint Archive, Report 2017/631 (2017). http://eprint.iacr.org/2017/631
Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) CRYPTO 1982, Santa Barbara, CA, USA, pp. 205–210. Plenum Press, New York (1982)
Chapter Google Scholar
Fischlin, M.: On the impossibility of constructing non-interactive statistically-secret protocols from any trapdoor one-way function. In: Preneel, B. (ed.) CT-RSA 2002. LNCS, vol. 2271, pp. 79–95. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45760-7_7
Chapter Google Scholar
Feige, U., Lapidot, D., Shamir, A.: Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In: 31st FOCS, 22–24 October 1990, St. Louis, Missouri, pp. 308–317. IEEE Computer Society Press (1990)
Google Scholar
Fiore, D., Schröder, D.: Uniqueness is a different story: impossibility of verifiable random functions from trapdoor permutations. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 636–653. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28914-9_36
Chapter MATH Google Scholar
Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The relationship between public key encryption and oblivious transfer. In: 41st FOCS, 12–14 November 2000, Redondo Beach, CA, USA, pp. 325–335. IEEE Computer Society Press (2000)
Google Scholar
Gertner, Y., Malkin, T., Reingold, O.: On the impossibility of basing trapdoor functions on trapdoor predicates. In: 42nd FOCS, 14–17 October 2001, pp. 126–135, Las Vegas, NV, USA. IEEE Computer Society Press (2001)
Google Scholar
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Aho, A. (ed.) 19th ACM STOC, pp. 218–229, 25–27 May 1987, New York City, NY, USA. ACM Press, New York (1987)
Google Scholar
Goldreich, O.: Foundations of Cryptography: Basic Applications, vol. 2. Cambridge University Press, Cambridge (2004)
Book Google Scholar
Goldreich, O.: Basing non-interactive zero-knowledge on (enhanced) trapdoor permutations: the state of the art. In: Goldreich, O. (ed.) Studies in Complexity and Cryptography. Miscellanea on the Interplay between Randomness and Computation. LNCS, vol. 6650, pp. 406–421. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22670-0_28
Chapter Google Scholar
Goldreich, O., Rothblum, R.D.: Enhancements of trapdoor permutations. J. Cryptol. 26(3), 484–512 (2013)
Article MathSciNet Google Scholar
Haitner, I.: Implementing oblivious transfer using collection of dense trapdoor permutations. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 394–409. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_22
Chapter MATH Google Scholar
Haitner, I., Hoch, J.J., Reingold, O., Segev, G.: Finding collisions in interactive protocols - a tight lower bound on the round complexity of statistically-hiding commitments. In: 48th FOCS, pp. 669–679, 20–23 October 2007, Providence, RI, USA. IEEE Computer Society Press (2007)
Google Scholar
Hsiao, C.-Y., Reyzin, L.: Finding collisions on a public road, or do secure hash functions need secret coins? In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 92–105. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-28628-8_6
Chapter Google Scholar
Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: 21st ACM STOC, 15–17 May, Seattle, WA, USA, pp. 44–61. ACM Press (1989)
Google Scholar
Kakvi, S.A., Kiltz, E., May, A.: Certifying RSA. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 404–414. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_25
Chapter Google Scholar
Naor, M., Reingold, O.: Synthesizers and their application to the parallel construction of pseudo-random functions. J. Comput. Syst. Sci. 58(2), 336–375 (1999)
Article MathSciNet Google Scholar
Rabin, M.O.: Digital signatures and public key functions as intractable as factorization. Technical report MIT/LCS/TR-212, Massachusetts Institute of Technology, January 1979
Google Scholar
Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signature and public-key cryptosystems. Commun. Assoc. Comput. Mach. 21(2), 120–126 (1978)
MathSciNet MATH Google Scholar
Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_1
Chapter MATH Google Scholar
Simon, D.R.: Finding collisions on a one-way street: can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054137
Chapter Google Scholar
Vahlis, Y.: Two Is a crowd? a black-box separation of one-wayness and security under correlated inputs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 165–182. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_11
Chapter MATH Google Scholar
Yao, A.C.-C.: Theory and applications of trapdoor functions (extended abstract). In: 23rd FOCS, pp. 80–91, 3–5 November, Chicago, Illinois. IEEE Computer Society Press (1982)
Google Scholar

Download references

Acknowledgements

I am grateful to the anonymous reviewers for their useful comments, and especially to one reviewer for their very elaborate comments. I would also like to thank Bruce Kapron for commenting on an earlier draft of the paper.

Author information

Authors and Affiliations

University of California Berkeley, Berkeley, USA
Mohammad Hajiabadi
University of Virginia, Charlottesville, USA
Mohammad Hajiabadi

Authors

Mohammad Hajiabadi
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mohammad Hajiabadi .

Editor information

Editors and Affiliations

Ben Gurion University, Beer Sheva, Israel
Amos Beimel
University of Warsaw, Warsaw, Poland
Stefan Dziembowski

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Hajiabadi, M. (2018). Enhancements are Blackbox Non-trivial: Impossibility of Enhanced Trapdoor Permutations from Standard Trapdoor Permutations. In: Beimel, A., Dziembowski, S. (eds) Theory of Cryptography. TCC 2018. Lecture Notes in Computer Science(), vol 11239. Springer, Cham. https://doi.org/10.1007/978-3-030-03807-6_17

Download citation

DOI: https://doi.org/10.1007/978-3-030-03807-6_17
Published: 04 November 2018
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-03806-9
Online ISBN: 978-3-030-03807-6
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Enhancements are Blackbox Non-trivial: Impossibility of Enhanced Trapdoor Permutations from Standard Trapdoor Permutations

Abstract

Similar content being viewed by others

Oblivious Transfer from Trapdoor Permutations in Minimal Rounds

On the Impossibility of Basing Public-Coin One-Way Permutations on Trapdoor Permutations

Injective Trapdoor Functions via Derandomization: How Strong is Rudich’s Black-Box Barrier?

1 Introduction

1.1 Our Result and Discussion

1.2 Technical Overview

2 Preliminaries

Definition 1

Definition 2

3 Main Theorem and Proofs Roadmap

Theorem 1

Definition 3

Lemma 1

Lemma 2

Proof (of Theorem 1)

4 Proof of Lemma 2: Special Case \((\mathsf {G}^\mathbf {g}, \mathsf {S}^\mathbf {s}, \mathsf {E}^\mathbf {e}, \mathsf {D}^\mathbf {d})\)

4.1 General Overview: One Query Case

4.2 Definitions and Simple Lemmas

Definition 4

Lemma 3

Proof

Lemma 4

Proof

4.3 Many-Query Case

Assumption 2

Theorem 3

Lemma 5

5 Proof of Lemma 2: General Case

Assumption 4

Definition 5

Definition 6

Assumption 5

5.1 Proof of Attack Effectiveness

Definition 7

Lemma 6

Lemma 7

Proof

Lemma 8

Lemma 9

Lemma 10

Proof (of Part 1 of Lemma 7)

Lemma 11

Proof (of Lemma 9)

Proof (of Lemma 10)

Notes

References

Acknowledgements

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation