# Limits on the Provable Consequences of One-way Permutations

## Abstract

We present strong evidence that the implication, “if one-way permutations exist, then secure secret key agreement is possible”, is not provable by standard techniques. Since both sides of this implication are widely believed true in real life, to show that the implication is false requires a new model. We consider a world where all parties have access to a black box for a randomly selected permutation. Being totally random, this permutation will be strongly one-way in a provable, information-theoretic way. We show that, if *P* = *NP*, no protocol for secret key agreement is secure in such a setting. Thus, to prove that a secret key agreement protocol which uses a one-way permutation as a black box is secure is as hard as proving *P* ≠ *NP*. We also obtain, as a corollary, that there is an oracle relative to which the implication is false, i.e., there is a one-way permutation, yet secret exchange is impossible. Thus, no technique which relativizes can prove that secret exchange can be based on any one-way permutation. Our results present a general framework for proving statements of the form, “Cryptographic application *X* is not likely possible based solely on complexity assumption *Y*.”

## Keywords

- Random Oracle
- Satisfying Assignment
- Oblivious Transfer
- Uniform Generation
- Oracle Query