
On Derandomizing Yao’s Weak-to-Strong OWF Construction

Part of the Lecture Notes in Computer Science book series (LNCS, volume 13043)


The celebrated result of Yao (Yao, FOCS’82) shows that concatenating \(n\cdot p(n)\) copies of a weak one-way function (OWF) f, which can be inverted with probability \(1-\tfrac{1}{p(n)}\), suffices to construct a strong OWF g, showing that weak and strong OWFs are black-box equivalent. This direct product theorem for hardness amplification of OWFs has been very influential. However, the construction of Yao is not security-preserving, i.e., the input to g needs to be much larger than the input to f. Understanding whether a larger input is inherent is a long-standing open question.

In this work, we explore necessary features of constructions which achieve short input length by proving the following: for any direct product construction of a strong OWF g from a weak OWF f, which can be inverted with probability \(1-\tfrac{1}{p(n)}\), the input size of g must grow as \(\varOmega (p(n))\). By direct product construction, we refer to any construction with the following structure: the construction g executes some arbitrary pre-processing function (independent of f) on its input, obtaining a vector \((y_1, \cdots , y_l)\), and outputs \(f(y_1), \cdots , f(y_l)\). Note that Yao’s construction is obtained by setting the pre-processing to be the identity. Our result generalizes to functions g with post-processing, as long as the post-processing function is not too lossy. Thus, in essence, any weak-to-strong OWF hardness amplification must either (1) be very far from security-preserving, (2) use adaptivity, or (3) must be very far from a direct-product structure (in the sense of having a very lossy post-processing of the outputs of f).

On a technical level, we use ideas from lower bounds for secret-sharing to prove the impossibility of derandomizing Yao in a black-box way. Our results are in line with Goldreich, Impagliazzo, Levin, Venkatesan, and Zuckerman (FOCS 1990) who derandomize Yao’s construction for regular weak OWFs by evaluating the OWF along a random walk on an expander graph—the construction is adaptive, since it alternates steps on the expander graph with evaluations of the weak OWF.
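The direct product structure described above, as an added toy example (not code from the paper): it builds g from a pre-processing function and measures a component-wise inverter against Yao's identity pre-processing and against a short-seed pre-processing. The 6-bit domain, the interval-shaped hard set, `pre_consecutive` and the inverter are assumptions chosen for illustration; this is not the paper's oracle construction or its proof.

```python
import hashlib
from fractions import Fraction
from itertools import product

N_BITS, P, L = 6, 4, 3        # toy sizes (assumed): 6-bit inputs, p(n) = 4, l = 3
N = 1 << N_BITS
HARD = range(N // P)          # constructed hard set: the 1/p fraction [0, N/p)

def f(x):
    """Toy weak OWF: identity on easy inputs, a hash tag on the hard ones."""
    if x in HARD:
        return N + hashlib.sha256(bytes([x])).digest()[0]
    return x

def invert_f(y):
    """Trivial inverter: succeeds exactly on images of easy inputs."""
    return y if y < N else None

def g(pre, seed):
    """Direct product construction: output f(y_1), ..., f(y_l) for pre(seed)."""
    return tuple(f(y) for y in pre(seed))

def pre_yao(seed):
    """Identity pre-processing: the seed already is (x_1, ..., x_l)."""
    return seed

def pre_consecutive(seed):
    """Short seed (one input of f): l consecutive points starting at seed."""
    return tuple((seed + i) % N for i in range(L))

def success(pre, seeds):
    """Exact fraction of seeds on which component-wise inversion of g works."""
    wins = total = 0
    for s in seeds:
        y = g(pre, s)
        guess = tuple(invert_f(v) for v in y)
        wins += None not in guess and tuple(f(x) for x in guess) == y
        total += 1
    return Fraction(wins, total)

def compare():
    return {
        "f alone": success(lambda s: (s,), range(N)),
        "yao": success(pre_yao, product(range(N), repeat=L)),
        "short seed": success(pre_consecutive, range(N)),
    }
```

On these toy parameters, `compare()` gives 3/4 for f alone, 27/64 for Yao's construction and 23/32 for the short-seed variant: the correlated inputs barely reduce this inverter's success, while the independent copies do so at the cost of a seed l times longer.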



  1. In a security-preserving construction, the input length of the strong OWF is linear in that of the weak OWF.


  1. Attrapadung, N., Matsuda, T., Nishimaki, R., Yamada, S., Yamakawa, T.: Constrained PRFs for \(\rm NC^1\) in traditional groups. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018, Part II. LNCS, vol. 10992, pp. 543–574. Springer, Heidelberg (2018)

  2. Babai, L., Fortnow, L., Lund, C.: Non-deterministic exponential time has two-prover interactive protocols. Comput. Complex. 1(1), 3–40 (1991)

  3. Babai, L., Fortnow, L., Nisan, N., Wigderson, A.: BPP has subexponential time simulations unless EXPTIME has publishable proofs. Comput. Complex. 3(4), 307–318 (1993)

  4. Baecher, P., Brzuska, C., Fischlin, M.: Notions of black-box reductions, revisited. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 296–315. Springer, Heidelberg (2013)

  5. Blundo, C., Santis, A.D., Vaccaro, U.: Randomness in distribution protocols. Inf. Comput. 131(2), 111–139 (1996)

  6. Canetti, R., Rivest, R., Sudan, M., Trevisan, L., Vadhan, S., Wee, H.: Amplifying collision resistance: a complexity-theoretic treatment. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 264–283. Springer, Heidelberg (2007)

  7. Döttling, N., Garg, S., Ishai, Y., Malavolta, G., Mour, T., Ostrovsky, R.: Trapdoor hash functions and their applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019, Part III. LNCS, vol. 11694, pp. 3–32. Springer, Cham (2019)

  8. Gennaro, R., Gertner, Y., Katz, J.: Lower bounds on the efficiency of encryption and digital signature schemes. In: 35th ACM STOC, pp. 417–425. ACM Press, June 2003

  9. Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: 41st FOCS, pp. 305–313. IEEE Computer Society Press, November 2000

  10. Goldreich, O., Impagliazzo, R., Levin, L.A., Venkatesan, R., Zuckerman, D.: Security preserving amplification of hardness. In: 31st FOCS, pp. 318–326. IEEE Computer Society Press, October 1990

  11. Goldreich, O., Nisan, N., Wigderson, A.: On Yao’s XOR lemma. Technical report TR95-050, Electronic Colloquium on Computational Complexity (1995)

  12. Goyal, V., O’Neill, A., Rao, V.: Correlated-input secure hash functions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 182–200. Springer, Heidelberg (2011)

  13. Haitner, I., Reingold, O., Vadhan, S.P.: Efficiency improvements in constructing pseudorandom generators from one-way functions. In: Schulman, L.J. (ed.) 42nd ACM STOC, pp. 437–446. ACM Press, June 2010

  14. Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)

  15. Healy, A., Vadhan, S.P., Viola, E.: Using nondeterminism to amplify hardness. In: Babai, L. (ed.) 36th ACM STOC, pp. 192–201. ACM Press, June 2004

  16. Hemenway, B., Lu, S., Ostrovsky, R.: Correlated product security from any one-way function. In: Fischlin, M., Buchmann, J., Manulis, M. (eds.) PKC 2012. LNCS, vol. 7293, pp. 558–575. Springer, Heidelberg (May 2012)

  17. Hsiao, C.-Y., Reyzin, L.: Finding collisions on a public road, or do secure hash functions need secret coins? In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 92–105. Springer, Heidelberg (2004)

  18. Impagliazzo, R.: Hard-core distributions for somewhat hard problems. In: 36th FOCS, pp. 538–545. IEEE Computer Society Press, October 1995

  19. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: 21st ACM STOC, pp. 44–61. ACM Press, May 1989

  20. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 8–26. Springer, New York (1990)

  21. Impagliazzo, R., Wigderson, A.: P = BPP if E requires exponential circuits: derandomizing the XOR lemma. In: 29th ACM STOC, pp. 220–229. ACM Press, May 1997

  22. Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003)

  23. Kim, J.H., Simon, D.R., Tetali, P.: Limits on the efficiency of one-way permutation-based hash functions. In: 40th FOCS, pp. 535–542. IEEE Computer Society Press, October 1999

  24. Lin, H., Trevisan, L., Wee, H.: On hardness amplification of one-way functions. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 34–49. Springer, Heidelberg (2005)

  25. Lipton, R.: New directions in testing. Distrib. Comput. Cryptogr. 2, 191–202 (1991)

  26. Lu, C.-J.: On the complexity of parallel hardness amplification for one-way functions. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 462–481. Springer, Heidelberg (2006)

  27. Lu, C.-J.: On the security loss in cryptographic reductions. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 72–87. Springer, Heidelberg (2009)

  28. Mahmoody, M., Mohammed, A., Nematihaji, S., Pass, R., Shelat, A.: A note on black-box separations for indistinguishability obfuscation. Cryptology ePrint Archive, Report 2016/316 (2016)

  29. Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004)

  30. Rosen, A., Segev, G.: Chosen-ciphertext security via correlated products. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 419–436. Springer, Heidelberg (2009)

  31. Shaltiel, R., Viola, E.: Hardness amplification proofs require majority. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 589–598. ACM Press, May 2008

  32. Simon, D.R.: Finding collisions on a one-way street: can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998)

  33. Sudan, M., Trevisan, L., Vadhan, S.: Pseudorandom generators without the XOR lemma. J. Comput. Syst. Sci. 62(2), 236–266 (2001)

  34. Trevisan, L.: List-decoding using the XOR lemma. In: 44th FOCS, pp. 126–135. IEEE Computer Society Press, October 2003

  35. Trevisan, L.: On uniform amplification of hardness in NP. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 31–38. ACM Press, May 2005

  36. Vadhan, S.P., Zheng, C.J.: Characterizing pseudoentropy and simplifying pseudorandom generator constructions. In: Karloff, H.J., Pitassi, T. (eds.) 44th ACM STOC, pp. 817–836. ACM Press, May 2012

  37. Viola, E.: The complexity of constructing pseudorandom generators from hard functions. Comput. Complex. 13(3–4), 147–188 (2005)

  38. Wee, H.: One-way permutations, interactive hashing and statistically hiding commitments. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 419–433. Springer, Heidelberg (2007)

  39. Wichs, D.: Barriers in cryptography with weak, correlated and leaky sources. In: Kleinberg, R.D. (ed.) ITCS 2013, pp. 111–126. ACM, January 2013

  40. Yao, A.C.C.: Theory and applications of trapdoor functions (extended abstract). In: 23rd FOCS, pp. 80–91. IEEE Computer Society Press, November 1982



We thank the anonymous reviewers for valuable comments. Parts of this work have been funded by the Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) - SFB 1119 - 236615297 and by the Academy of Finland.


Corresponding author

Correspondence to Chris Brzuska.


A Additional Lemmas and Proofs

Lemma 23 (Averaging Argument). Let \(A_n\) and \(B_n\) be probability distributions that depend on a natural number n (e.g., the uniform distribution over \(\{0,1\}^n\)). For convenience, we write \(A := A_n, B:= B_n\). Let \(E(\cdot ,\cdot )\) be any event.

If , where \(c>0\) constant, then there exist constants \( d,d' > 0\) s.t.

The proof is standard; we defer it to the full version.

Lemma 24 (Small Entropy w.h.p.). If then

where .

The proof is a direct application of the Markov bound; we defer it to the full version.

Lemma 25 (Predictable Inputs). If



Since \(4n< \mathbf {p}(m)\), we get that


Let \(S_{h,e}\subseteq \{0,1\}^m\) be defined as

where we define below. Using (19) and the definition of conditional Shannon entropy, we get that

where \(\log \) is the base-2 logarithm and

$$\begin{aligned} p_e(s') := \mathsf {pre}(s')_{\pi \left( \frac{l}{\mathbf {p}(m)}+1\right) },\dots ,\mathsf {pre}(s')_{\pi \left( l\right) } \end{aligned}$$


$$\begin{aligned} p_h(s'):=\mathsf {pre}(s')_{\pi \left( 1\right) },\dots ,\mathsf {pre}(s')_{\pi \left( \frac{l}{\mathbf {p}(m)}\right) }. \end{aligned}$$


which proves the statement.    \(\square \)

B Proof of Theorem 18 (\(\mathsf {F}\) is a weak OWF)

In order to prove Theorem 18, we need to show that \(\mathsf {F}\) is a weak OWF with inversion probability \(1-1/2\mathbf {c}\mathbf {p}(m)\) with all but small constant probability. Namely, we need to show that for all polynomials \(\mathbf {p}\), for all poly-query \(\mathcal {A}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}\), for all adversaries \(\mathcal {R}\) making polynomially many (in \(m\)) queries to the oracles \(\mathsf {F},\mathsf {PSPACE},\mathsf {INV},\mathcal {A}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}\),


where \(\mathsf {SuccInv}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}_{\mathcal {A},\mathcal {R}}\) is defined as


Fix \(\mathbf {p}\), \(\mathcal {R}\) and \(\mathcal {A}\). Since \(\mathcal {A}\) and \(\mathcal {R}\) both make polynomially many queries to the same oracles, \(\mathcal {R}\) can simply simulate \(\mathcal {A}\). Thus, w.l.o.g., we can assume that \(\mathcal {R}\) only makes queries to \(\mathsf {F}\), \(\mathsf {PSPACE}\) and \(\mathsf {INV}\). Additionally, we consider \(\mathcal {R}\) to be a computationally unbounded algorithm so that w.l.o.g., we can assume that it does not make queries to the \(\mathsf {PSPACE}\) oracle.

Let q be a polynomial such that adversary \(\mathcal {R}\) makes exactly \(q(m)\) queries to the oracle \(\mathsf {F}\) and an arbitrary number of queries to \(\mathsf {INV}\). Since we let the adversary \(\mathcal {R}\) make an arbitrary number of queries to \(\mathsf {INV}\), the adversary can be assumed to know \(\mathsf {EASY}_\mathsf {in}^m\) and \(\mathsf {EASY}_\mathsf {out}^m\) completely, as well as how \(\mathsf {F}\) maps \(\mathsf {EASY}_\mathsf {in}^m\) to \(\mathsf {EASY}_\mathsf {out}^m\). This only makes the adversary stronger. Importantly, using \(\mathsf {INV}\) does not give the adversary any information on \(\mathsf {F}\) on the hard values (only the fact that the values are hard).

Denote the preimages to \(\mathsf {F}\) queries by \(x_1,\dots ,x_{q(m)}\) and the adversary’s guess for the preimage of its input y by \(x_{q(m)+1}\).

Next, we apply an averaging argument. Consider the random variable

$$\begin{aligned} \mathsf {SuccInv}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}_{\mathcal {A},\mathcal {R}} \end{aligned}$$

which maps to the probability that

$$\begin{aligned} \mathcal {R}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV},\mathcal {A}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}} \end{aligned}$$

inverts \(\mathsf {F}\) over the randomness of \(\mathcal {R}\), \(\mathcal {A}\) and sampling x. Then, by the previous analysis, the expected value \(\mu \) of \(\mathsf {SuccInv}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}_{\mathcal {A},\mathcal {R}}\) is at most \(1-\epsilon \) for \(\epsilon :=\frac{1}{2\mathbf {p}(m)}\). Using Markov's inequality on \(1-\mathsf {SuccInv}^{\mathsf {F},\mathsf {PSPACE},\mathsf {INV}}_{\mathcal {A},\mathcal {R}}\), we obtain that

for any c.    \(\square \)


Copyright information

© 2021 International Association for Cryptologic Research


Cite this paper

Brzuska, C., Couteau, G., Karanko, P., Rohrbach, F. (2021). On Derandomizing Yao’s Weak-to-Strong OWF Construction. In: Nissim, K., Waters, B. (eds) Theory of Cryptography. TCC 2021. Lecture Notes in Computer Science, vol 13043. Springer, Cham.


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-90452-4

  • Online ISBN: 978-3-030-90453-1

  • eBook Packages: Computer Science, Computer Science (R0)