The Function-Inversion Problem: Barriers and Opportunities

  • Henry Corrigan-Gibbs
  • Dmitry Kogan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11891)


The task of function inversion is central to cryptanalysis: breaking block ciphers, forging signatures, and cracking password hashes are all special cases of the function-inversion problem. In 1980, Hellman showed that it is possible to invert a random function \(f{:}\,[N] \rightarrow [N]\) in time \(T = \widetilde{O}(N^{2/3})\) given only \(S = \widetilde{O}(N^{2/3})\) bits of precomputed advice about f. Hellman’s algorithm is the basis for the popular “Rainbow Tables” technique (Oechslin 2003), which achieves the same asymptotic cost and is widely used in practical cryptanalysis.

Is Hellman’s method the best possible algorithm for inverting functions with preprocessed advice? The best known lower bound, due to Yao (1990), shows that \(ST = \widetilde{\Omega }(N)\), which still admits the possibility of an \(S = T = \widetilde{O}(N^{1/2})\) attack. There remains a long-standing and vexing gap between Hellman’s \(N^{2/3}\) upper bound and Yao’s \(N^{1/2}\) lower bound. Understanding the feasibility of an \(S = T = N^{1/2}\) algorithm is cryptanalytically relevant since such an algorithm could perform a key-recovery attack on AES-128 in time \(2^{64}\) using a precomputed table of size \(2^{64}\).
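The time-memory trade-off described above is easiest to see in running code. The following Python example, added here and not part of the paper, builds Hellman tables for a small random function f: [N] → [N] with N = 4096 and then inverts images using only the stored endpoint/start pairs. The function f, the per-table reduction g_i(y) = y XOR i, the chain parameters and the sample queries are all constructed for this illustration; the names hellman_precompute, hellman_invert, advice_size and coverage are ours. With m = t = N^(1/3) chains per table and N^(1/3) tables, the advice S is at most N^(2/3) = 256 entries and the online phase makes at most N^(1/3) · N^(1/3) = 256 evaluations of f (plus a short chain walk for each candidate), which is the S = T = Õ(N^(2/3)) point of the trade-off.

```python
import random


def make_random_function(n, seed=1):
    """Constructed sample input: a random function f: [n] -> [n] stored as a lookup table."""
    rng = random.Random(seed)
    return [rng.randrange(n) for _ in range(n)]


def chain_step(f, table_index, x, n):
    """One step of the table-specific iterate f_i(x) = g_i(f(x)).

    g_i is a cheap bijection on [n]; here XOR with the table index (n is a power of two,
    so the result stays in range). Using a different g_i per table is what keeps the
    tables from all covering the same points."""
    return (f[x] ^ table_index) % n


def hellman_precompute(f, n, m, t, num_tables, seed=2):
    """Preprocessing phase: num_tables tables, each built from m chains of length t.

    Only (endpoint -> start) pairs are kept, so the advice has at most m * num_tables entries."""
    rng = random.Random(seed)
    tables = []
    for i in range(num_tables):
        table = {}
        for _ in range(m):
            start = rng.randrange(n)
            x = start
            for _ in range(t):
                x = chain_step(f, i, x, n)
            table[x] = start  # chains that merge share an endpoint; the last start wins
        tables.append(table)
    return tables


def hellman_invert(f, n, t, tables, y):
    """Online phase: return some x with f(x) == y using only the tables, or None.

    If y = f(x_j) for a chain point x_j, then g_i(y) = x_{j+1}; walking forward until an
    endpoint is hit after k steps means x_j sits t-1-k steps from the chain start."""
    for i, table in enumerate(tables):
        z = (y ^ i) % n  # g_i(y)
        for k in range(t):
            if z in table:
                x = table[z]  # candidate chain start
                for _ in range(t - 1 - k):
                    x = chain_step(f, i, x, n)
                if f[x] == y:  # verify: an endpoint hit can be a false alarm from a merged chain
                    return x
            z = chain_step(f, i, z, n)
    return None


def advice_size(tables):
    """Number of stored (endpoint, start) pairs, i.e. the advice size S in table entries."""
    return sum(len(tb) for tb in tables)


def coverage(f, n, t, tables, samples=500, seed=3):
    """Fraction of random images y = f(x) that the tables manage to invert."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        y = f[rng.randrange(n)]
        x = hellman_invert(f, n, t, tables, y)
        if x is not None and f[x] == y:
            hits += 1
    return hits / samples


N = 4096          # N = 2^12, so N^(1/3) = 16 and N^(2/3) = 256
CUBE_ROOT = 16
F = make_random_function(N)
TABLES = hellman_precompute(F, N, m=CUBE_ROOT, t=CUBE_ROOT, num_tables=CUBE_ROOT)

if __name__ == "__main__":
    print("advice entries S =", advice_size(TABLES), "(bound N^(2/3) = 256)")
    print("fraction of images inverted:", coverage(F, N, CUBE_ROOT, TABLES))
```

Two details matter in practice. First, only a constant fraction of the image is covered at these parameters, because chains collide and merge; that is why Hellman's analysis uses the matrix stopping rule mt² ≈ N and why Oechslin's rainbow tables change the reduction function per column instead of per table. Second, the online phase must keep scanning after a failed candidate (the `f[x] == y` check) rather than stop at the first endpoint hit, since merged chains produce false alarms.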

For the past 29 years, there has been no progress either in improving Hellman’s algorithm or in strengthening Yao’s lower bound. In this work, we connect function inversion to problems in other areas of theory to (1) explain why progress may be difficult and (2) explore possible ways forward.

Our results are as follows:
  • We show that any improvement on Yao’s lower bound on function-inversion algorithms will imply new lower bounds on depth-two circuits with arbitrary gates. Further, we show that proving strong lower bounds on non-adaptive function-inversion algorithms would imply breakthrough circuit lower bounds on linear-size log-depth circuits.

  • We take first steps towards the study of the injective function-inversion problem, which has manifold cryptographic applications. In particular, we show that improved algorithms for breaking PRGs with preprocessing would give improved algorithms for inverting injective functions with preprocessing.

  • Finally, we show that function inversion is closely related to well-studied problems in communication complexity and data structures. Through these connections we immediately obtain the best known algorithms for problems in these domains.



We would like to thank Dan Boneh for encouraging us to investigate whether Hellman’s method can be improved and for his continued advice as we undertook this project. Iftach Haitner gave us meaningful guidance on our research process early on and, along with Ronen Shaltiel, suggested many possible approaches towards proving new lower bounds. Joshua Brakensiek, Joshua Brody, Clément Canonne, Andrew Drucker, Michael Kim, Peter Bro Miltersen, Ilya Mironov, Omer Reingold, Avishay Tal, Li-Yang Tan, and David Wu made a number of suggestions that improved the presentation of our results. Finally, we would like to thank the anonymous TCC reviewers for their many constructive comments. This work was supported by CISPA, DARPA, NSF, ONR, and the Simons Foundation.


  1. Abusalah, H., Alwen, J., Cohen, B., Khilko, D., Pietrzak, K., Reyzin, L.: Beyond Hellman’s time-memory trade-offs with applications to proofs of space. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 357–379. Springer, Cham (2017).
  2. Alon, N., Goldreich, O., Håstad, J., Peralta, R.: Simple construction of almost k-wise independent random variables. Random Struct. Algorithms 3(3), 289–304 (1992).
  3. Babai, L., Hayes, T.P., Kimmel, P.G.: The cost of the missing bit: communication complexity with help. Combinatorica 21(4), 455–488 (2001).
  4. Barbay, J., He, M., Munro, J.I., Satti, S.R.: Succinct indexes for strings, binary relations and multilabeled trees. ACM Trans. Algorithms 7(4), 52:1–52:27 (2011).
  5. Barkan, E., Biham, E., Shamir, A.: Rigorous bounds on cryptanalytic time/memory tradeoffs. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 1–21. Springer, Heidelberg (2006).
  6. Beigel, R., Tarui, J.: On ACC. Comput. Complex. 4, 350–366 (1994).
  7. Biryukov, A., Shamir, A.: Cryptanalytic time/memory/data tradeoffs for stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 1–13. Springer, Heidelberg (2000).
  8. Biryukov, A., Shamir, A., Wagner, D.: Real time cryptanalysis of A5/1 on a PC. In: Goos, G., Hartmanis, J., van Leeuwen, J., Schneier, B. (eds.) FSE 2000. LNCS, vol. 1978, pp. 1–18. Springer, Heidelberg (2001).
  9. Boyle, E., Naor, M.: Is there an oblivious RAM lower bound? In: ITCS (2016).
  10. Brody, J.: The maximum communication complexity of multi-party pointer jumping. In: CCC (2009).
  11. Brody, J., Chakrabarti, A.: Sublinear communication protocols for multi-party pointer jumping and a related lower bound. In: STACS (2008).
  12. Brody, J., Dziembowski, S., Faust, S., Pietrzak, K.: Position-based cryptography and multiparty communication complexity. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 56–81. Springer, Cham (2017).
  13. Brody, J., Larsen, K.G.: Adapt or die: polynomial lower bounds for non-adaptive dynamic data structures. Theory Comput. 11(19), 471–489 (2015).
  14. Brody, J., Sanchez, M.: Dependent random graphs and multi-party pointer jumping. In: APPROX/RANDOM (2015).
  15. Chandra, A.K., Furst, M.L., Lipton, R.J.: Multi-party protocols. In: STOC (1983).
  16. Cherukhin, D.Y.: Lower bounds for the complexity of Boolean circuits of finite depth with arbitrary elements. Discret. Math. Appl. 23(4), 39–47 (2011).
  17. Clark, D.R., Munro, J.I.: Efficient suffix trees on secondary storage. In: SODA (1996).
  18. Coretti, S., Dodis, Y., Guo, S.: Non-uniform bounds in the random-permutation, ideal-cipher, and generic-group models. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 693–721. Springer, Cham (2018).
  19. Coretti, S., Dodis, Y., Guo, S., Steinberger, J.: Random oracles and non-uniformity. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 227–258. Springer, Cham (2018).
  20. Damm, C., Jukna, S., Sgall, J.: Some bounds on multiparty communication complexity of pointer jumping. Comput. Complex. 7(2), 109–127 (1998).
  21. De, A., Trevisan, L., Tulsiani, M.: Time space tradeoffs for attacks against one-way functions and PRGs. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 649–665. Springer, Heidelberg (2010).
  22. Demaine, E.D., López-Ortiz, A.: A linear lower bound on index size for text retrieval. J. Algorithms 48(1), 2–15 (2003).
  23. Dodis, Y., Guo, S., Katz, J.: Fixing cracks in the concrete: random oracles with auxiliary input, revisited. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 473–495. Springer, Cham (2017).
  24. Dodis, Y., Steinberger, J.: Message authentication codes from unpredictable block ciphers. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 267–285. Springer, Heidelberg (2009).
  25. Drucker, A.: Limitations of lower-bound methods for the wire complexity of Boolean operators. In: CCC (2012).
  26. Dvir, Z., Golovnev, A., Weinstein, O.: Static data structure lower bounds imply rigidity. In: STOC (2019).
  27. Fiat, A., Naor, M.: Rigorous time/space tradeoffs for inverting functions. In: STOC (1991).
  28. Fiat, A., Naor, M.: Rigorous time/space trade-offs for inverting functions. SIAM J. Comput. 29(3), 790–803 (1999).
  29. Gál, A., Miltersen, P.B.: The cell probe complexity of succinct data structures. In: ICALP (2003).
  30. Gál, A., Miltersen, P.B.: The cell probe complexity of succinct data structures. Theoret. Comput. Sci. 379(3), 405–417 (2007).
  31. Geary, R.F., Raman, R., Raman, V.: Succinct ordinal trees with level-ancestor queries. ACM Trans. Algorithms 2(4), 510–534 (2006).
  32. Gennaro, R., Gertner, Y., Katz, J., Trevisan, L.: Bounds on the efficiency of generic cryptographic constructions. SIAM J. Comput. 35(1), 217–246 (2005).
  33. Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: FOCS (2000).
  34. Goldreich, O.: Towards a theory of software protection and simulation by oblivious RAMs. In: STOC (1987).
  35. Goldreich, O.: Foundations of Cryptography, vol. 1. Cambridge University Press, New York (2006).
  36. Goldreich, O., Krawczyk, H., Luby, M.: On the existence of pseudorandom generators. SIAM J. Comput. 22(6), 1163–1175 (1993).
  37. Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: STOC (1989).
  38. Goldreich, O., Ostrovsky, R.: Software protection and simulation on oblivious RAMs. J. ACM 43(3), 431–473 (1996).
  39. Golovnev, A., Guo, S., Horel, T., Park, S., Vaikuntanathan, V.: 3SUM with preprocessing: algorithms, lower bounds and cryptographic applications. arXiv:1907.08355 [cs.DS] (2019).
  40. Golynski, A.: Stronger lower bounds for text searching and polynomial evaluation (2007).
  41. Golynski, A.: Cell probe lower bounds for succinct data structures. In: SODA (2009).
  42. Goyal, N., Saks, M.: A parallel search game. Random Struct. Algorithms 27(2), 227–234 (2005).
  43. Grossi, R., Orlandi, A., Raman, R.: Optimal trade-offs for succinct string indexes. In: ICALP (2010).
  44. Haitner, I., Mazor, N., Oshman, R., Reingold, O., Yehudayoff, A.: On the communication complexity of key-agreement protocols. In: ITCS (2019).
  45. He, M., Munro, J.I., Satti, S.R.: Succinct ordinal trees based on tree covering. ACM Trans. Algorithms 8(4), 42:1–42:32 (2012).
  46. Hellman, M.: A cryptanalytic time-memory trade-off. IEEE Trans. Inf. Theory 26(4), 401–406 (1980).
  47. Håstad, J., Goldmann, M.: On the power of small-depth threshold circuits. Comput. Complex. 1, 113–129 (1991).
  48. Impagliazzo, R.: Relativized separations of worst-case and average-case complexities for NP. In: CCC (2011).
  49. Jacobson, G.: Space-efficient static trees and graphs. In: FOCS (1989).
  50. Jukna, S.: Boolean Function Complexity. Algorithms and Combinatorics, vol. 27. Springer, Heidelberg (2012).
  51. Jukna, S., Schnitger, G.: Min-rank conjecture for log-depth circuits. J. Comput. Syst. Sci. 77(6), 1023–1038 (2011).
  52. Kopelowitz, T., Porat, E.: The strong 3SUM-INDEXING conjecture is false. arXiv:1907.11206 [cs.DS] (2019).
  53. Kushilevitz, E., Nisan, N.: Communication Complexity. Cambridge University Press, New York (1997).
  54. Larsen, K.G., Nielsen, J.B.: Yes, there is an oblivious RAM lower bound! In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 523–542. Springer, Cham (2018).
  55. Levin, L.A.: One-way functions and pseudorandom generators. Combinatorica 7(4), 357–363 (1987).
  56. Liang, H.: Optimal collapsing protocol for multiparty pointer jumping. Theory Comput. Syst. 54(1), 13–23 (2014).
  57. Miltersen, P.B.: On the cell probe complexity of polynomial evaluation. Theoret. Comput. Sci. 143(1), 167–174 (1995).
  58. Munro, J.I., Raman, R., Raman, V., Rao, S.S.: Succinct representations of permutations and functions. Theoret. Comput. Sci. 438, 74–88 (2012).
  59. Narayanan, A., Shmatikov, V.: Fast dictionary attacks on passwords using time-space tradeoff. In: CCS (2005).
  60. Nayebi, A., Aaronson, S., Belovs, A., Trevisan, L.: Quantum lower bound for inverting a permutation with advice. Quantum Inf. Comput. 15(11–12), 901–913 (2015).
  61. Oechslin, P.: Making a faster cryptanalytic time-memory trade-off. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 617–630. Springer, Heidelberg (2003).
  62. Ostrovsky, R.: Efficient computation on oblivious RAMs. In: STOC (1990).
  63. Pudlák, P., Rödl, V., Sgall, J.: Boolean circuits, tensor ranks, and communication complexity. SIAM J. Comput. 26(3), 605–633 (1997).
  64. Sadakane, K., Grossi, R.: Squeezing succinct data structures into entropy bounds. In: SODA (2006).
  65. Unruh, D.: Random oracles and auxiliary input. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 205–223. Springer, Heidelberg (2007).
  66. Valiant, L.G.: Graph-theoretic arguments in low-level complexity. In: Gruska, J. (ed.) MFCS 1977. LNCS, vol. 53, pp. 162–176. Springer, Heidelberg (1977).
  67. Valiant, L.G.: Why is Boolean complexity theory difficult. In: London Mathematical Society Lecture Note Series, vol. 169, pp. 84–94 (1992).
  68. Viola, E.: On the power of small-depth computation. Found. Trends Theoret. Comput. Sci. 5(1), 1–72 (2009).
  69. Viola, E.: Lower bounds for data structures with space close to maximum imply circuit lower bounds. Electronic Colloquium on Computational Complexity (ECCC), Report 2018/186 (2018).
  70. Viola, E., Wigderson, A.: One-way multiparty communication lower bound for pointer jumping with applications. Combinatorica 29(6), 719–743 (2009).
  71. Wee, H.: On obfuscating point functions. In: STOC (2005).
  72. Weiss, M., Wichs, D.: Is there an oblivious RAM lower bound for online reads? Cryptology ePrint Archive, Report 2018/619 (2018).
  73. Weiss, M., Wichs, D.: Is there an oblivious RAM lower bound for online reads? In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 603–635. Springer, Cham (2018).
  74. Yao, A.C.: Some complexity questions related to distributive computing (preliminary report). In: STOC (1979).
  75. Yao, A.C.: Should tables be sorted? J. ACM 28(3), 615–628 (1981).
  76. Yao, A.C.: Theory and applications of trapdoor functions. In: FOCS (1982).
  77. Yao, A.C.: Coherent functions and program checkers (extended abstract). In: STOC (1990).
  78. Yao, A.C.: On ACC and threshold circuits. In: FOCS (1990).

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. Stanford University, Stanford, USA
