Structure vs. Hardness Through the Obfuscation Lens
Abstract
Much of modern cryptography, starting from public-key encryption and going beyond, is based on the hardness of structured (mostly algebraic) problems like factoring, discrete log or finding short lattice vectors. While structure is perhaps what enables advanced applications, it also puts the hardness of these problems in question. In particular, this structure often puts them in low complexity classes such as \({\textsf {NP}} \cap {\textsf {coNP}}\) or statistical zero-knowledge (SZK).
Is this structure really necessary? For some cryptographic primitives, such as one-way permutations and homomorphic encryption, we know that the answer is yes—they imply hard problems in \({\textsf {NP}} \cap {\textsf {coNP}}\) and \({\textsf {SZK}}\), respectively. In contrast, one-way functions do not imply such hard problems, at least not by fully black-box reductions. Yet, for many basic primitives such as public-key encryption, oblivious transfer, and functional encryption, we do not have any answer.
We show that the above primitives, and many others, do not imply hard problems in \({\textsf {NP}} \cap {\textsf {coNP}}\) or \({\textsf {SZK}}\) via fully black-box reductions. In fact, we first show that even the very powerful notion of Indistinguishability Obfuscation (IO) does not imply such hard problems, and then deduce the same for a large class of primitives that can be constructed from IO.
Keywords
Indistinguishability obfuscation, Statistical zero-knowledge, \({\textsf {NP}}\cap \mathsf {coNP}\), Structured hardness, Collision-resistant hashing
1 Introduction
The last four decades of research in cryptography have produced a host of fantastic objects, starting from one-way functions and permutations to public-key encryption [DH76, RSA78, GM82] and zero-knowledge proofs [GMR85] in the 1980s, all the way to fully homomorphic encryption [RAD78, Gen09, BV11] and indistinguishability obfuscation [BGI+01, GGH+13a] in the modern day.
Thus, a fundamental question in cryptography is: what type of structure is necessary for different primitives? Indeed, the answer to this question may be crucial to our understanding of the minimal assumptions required to construct these primitives. While there may be different ways of approaching this question, one main approach, which is also taken in this work, has been through the eyes of complexity theory. That is, we wish to understand which cryptographic primitives require hardness in low (and so-called structured) complexity classes such as \({\textsf {NP}} \cap {\textsf {coNP}}\), \({\textsf {TFNP}}\) (the class of total \({\textsf {NP}}\) search problems), or \({\textsf {SZK}}\) (the class of problems with statistical zero-knowledge proofs).[...] based on the currently well-studied schemes, structure is strongly associated with (and perhaps even implied by) public-key cryptography. This is troubling news, since it makes public-key crypto somewhat of an “endangered species” that could be wiped out by a surprising algorithmic advance. Therefore the question of whether structure is inherently necessary for public-key crypto is not only of mathematical interest but also of practical importance.
Aiming to answer this question, one line of research demonstrates that, for some cryptographic primitives, hardness in structured complexity classes is indeed necessary. The existence of one-way permutations (OWPs) requires a hard problem in \({\textsf {NP}} \cap {\textsf {coNP}}\) [Bra79]; the same holds for restricted cases of public-key encryption schemes satisfying specific structural properties (e.g. ciphertext certification) [Bra79, GG98]; homomorphic encryption schemes and non-interactive computational private information retrieval schemes imply hard problems in \({\textsf {SZK}}\) [BL13, LV16]; and indistinguishability obfuscation schemes imply a hard problem in \({\textsf {PPAD}}\subseteq {\textsf {TFNP}}\) (assuming \({\textsf {NP}}\not \subseteq \mathsf{ioBPP}\)) [BPR15].
Yet, for many primitives such hardness is not known to be inherent. While this is perhaps expected for OWFs, it is also the case for seemingly structured primitives such as collision-resistant hash functions, oblivious transfer, and general public-key encryption schemes. Do these primitives require hardness in structured complexity classes? Can we prove that they do or that they don’t?
Black-Box Separations. Formalizing this question in a meaningful way requires care. Indeed, it may be easy to formalize a statement of the form “the existence of crypto primitive \(\mathcal {P}\) implies hardness in a complexity class \(\mathcal {C}\)”: one just needs to show a reduction from breaking \(\mathcal {P}\) to solving problems in \(\mathcal {C}\). However, it is not clear how to prove statements of the form “the existence of crypto primitive \(\mathcal {P}\) does not imply hardness in a complexity class \(\mathcal {C}\)”. For example, it is commonly believed that \({\textsf {NP}} \cap {\textsf {coNP}}\) does contain hard problems. So in a trivial logical sense the existence of such problems is implied by any primitive \(\mathcal {P}\). Instead, we follow the methodology of black-box separations, whose study in cryptography was pioneered by Impagliazzo and Rudich [IR89]. Faced with a similar problem of how to show that a primitive \(\mathcal {P}\) (OWFs) cannot be used to construct another primitive \(\mathcal {P}'\) (public-key encryption), they prove this cannot be shown through black-box reductions—cryptography’s de facto technique for showing such implications.
A bit more elaborately, a fully black-box reduction [RTV04] of a primitive (or, in our case, a problem) \(\mathcal {P}'\) to a primitive \(\mathcal {P}\) consists of a black-box construction and a black-box security reduction. The construction of \(\mathcal {P}'\) from \(\mathcal {P}\) does not exploit the actual implementation of primitive \(\mathcal {P}\), but rather just its input-output interface. The security reduction can use any adversary that breaks (or, in our case, solves) \(\mathcal {P}'\) to break \(\mathcal {P}\), and is oblivious to the implementation of the adversary (as well as of that of \(\mathcal {P}\)).
Following [IR89], there has been a rich study of black-box separations in cryptography (see, e.g., [Rud91, Sim98, KST99, GKM+00, GT00, GMR01, BT03, RTV04, HR04, GGKT05, Pas06, GMM07, BM09, HH09, BKSY11, DLMM11, KSS11, GKLM12, DHT12, BBF13, Fis12, Pas13, BB15, HHRS15] and many others). Most of this study has been devoted to establishing separations between different cryptographic primitives. (In particular, the most relevant to us are the recent works of Asharov and Segev [AS15, AS16] that study black-box separations for indistinguishability obfuscation, which we elaborate on below.) Some of this study puts limitations on basing cryptographic primitives on NP-hardness [GG98, AGGM06, MX10, HMX10, BL13, BB15, LV16].
Going back to our main question of which primitives require structured hardness, we know the following.
As described above, OWPs imply a hard problem in \( {\textsf {NP}} \cap {\textsf {coNP}}\) [Bra79], homomorphic encryption and PIR imply hard problems in \( {\textsf {SZK}}\) [BL13, LV16] and IO (with OWFs) implies a hard problem in \( {\textsf {PPAD}}\) [BPR15] via black-box reductions.
On the flip side, we know that there are no black-box reductions from hard problems in \({\textsf {NP}} \cap {\textsf {coNP}}\) to OWFs [BI87, Rud88], and from hard-on-average problems in \({\textsf {SZK}}\) to OWPs (corollary from [Ost91, OV08, HHRS15]).
For more advanced primitives, most notably (general) public-key encryption, we do not have results in either direction. In fact, many existing constructions are based on problems in \({\textsf {NP}} \cap {\textsf {coNP}}\) or \({\textsf {SZK}}\). We are thus left with (quite basic) primitives in an unclear state; as far as we know, they may very well imply hard problems in structured complexity classes, even by black-box reductions.
1.1 Our Results
We revisit the relationship between two structured complexity classes, statistical zero-knowledge (\({\textsf {SZK}}\)) and \({\textsf {NP}} \cap {\textsf {coNP}}\), and cryptographic primitives. In broad strokes, we show that there are no fully black-box reductions of hard problems in these classes to any one of a variety of cryptographic primitives, including (general) public-key encryption, oblivious transfer, deniable encryption, and functional encryption. More generally, we separate \({\textsf {SZK}}\) and \({\textsf {NP}} \cap {\textsf {coNP}}\) from indistinguishability obfuscation (IO). Then, leveraging the fact that IO can be used to construct a wide variety of cryptographic primitives in a black-box way, we derive corresponding separations for these primitives.^{1} One complexity-theoretic corollary of this result is a separation of \({\textsf {SZK}}\) and \({\textsf {NP}} \cap {\textsf {coNP}}\) from the class \({\textsf {PPAD}}\) [MP91] that captures the complexity of computing Nash Equilibria.
On the positive side, we construct collision-resistant hash functions from a strong form of \({\textsf {SZK}}\)-hardness and IO. It was previously known [AS15] that IO by itself does not imply collision-resistant hashing in a black-box way; we show that it does if one adds \({\textsf {SZK}}\)-hardness as a “catalyst”.
We now go into more detail on each of the results.
Statistical Zero-Knowledge and Cryptography. The notion of statistical zero-knowledge proofs was introduced in the seminal work of Goldwasser et al. [GMR85]. The class of promise problems with statistical zero-knowledge proofs (SZK) can be characterized by several complete problems, such as statistical difference [SV03] and entropy difference [GV99]. \({\textsf {SZK}}\)-hardness is known to follow from various number-theoretic problems that are commonly used in cryptography, such as Discrete Logarithms [GK93], Quadratic Residuosity [GMR85], Lattice Problems [GG98, MV03] as well as problems like Graph Isomorphism [GMW91]. As mentioned, we also know that a handful of cryptographic primitives such as homomorphic encryption [BL13], private information retrieval [LV16] and re-randomizable encryption imply hardness in \({\textsf {SZK}}\). (On the other hand, \({\textsf {SZK}}\subseteq {\textsf {AM}}\cap {\textsf {coAM}}\) [For89, AH91], and thus, \({\textsf {SZK}}\) cannot contain \({\textsf {NP}}\)-hard problems, unless the polynomial hierarchy collapses [BHZ87].)
We ask more generally which cryptographic primitives can be shown to imply such hardness, with the intuition that such primitives are structured in a certain way. In particular, whereas one may not expect a seemingly unstructured object like OWFs to imply such hardness, what can we say for instance about OWPs, public-key encryption, or even IO (which has proven to be powerful enough to yield almost any known cryptographic goal)?
We prove that none of these primitives imply such hardness through black-box reductions.
Theorem 1.1
(Informal). There is no fully black-box reduction of any (even worst-case) hard problem in \({\mathsf {SZK}}\) to IO and OWPs.
Corollary 1.2
(from [SW14, Wat15], Informal). There is no such reduction to (general) public-key encryption, oblivious transfer, deniable encryption, functional encryption, or any other object that has a black-box reduction to IO and OWPs.
We would like to elaborate a bit more on what a black-box construction of a hard problem in \({\textsf {SZK}}\) means. We shall focus on the characterization of \({\textsf {SZK}}\) by the statistical difference promise problem [SV03]. In this problem, an instance is a pair of circuit samplers \(C_0,C_1:\left\{ 0,1\right\} ^n\rightarrow \left\{ 0,1\right\} ^m\) which induce distributions \(\varvec{C}_0 \) and \(\varvec{C}_1\), where the distribution \(\varvec{C}_b\) is obtained by evaluating the circuit \(C_b\) on a uniformly random input. The promise is that the statistical distance \(s=\mathsf {\Delta }(\varvec{C}_0,\varvec{C}_1)\) of the corresponding distributions is either large (say, \(s\ge 2/3\)) or small (say, \(s\le 1/3\)). The problem, named \(\mathbf {SD}^{1/3,2/3}\) (or just \(\mathbf {SD}\)), is to decide which is the case.
Let us look at a specific example of the construction of such a problem from re-randomizable encryption. In a (say, symmetric-key) re-randomizable encryption scheme, on top of the usual encryption and decryption algorithms \(({\textsf {Enc}},{\textsf {Dec}})\) there is a ciphertext re-randomization algorithm \({\textsf {ReRand}}\) that can statistically refresh ciphertexts. Namely, for any ciphertext \({\textsf {CT}}\) encrypting a bit b, \({\textsf {ReRand}}({\textsf {CT}})\) produces a ciphertext that is statistically close to a fresh encryption \({\textsf {Enc}}_{{\textsf {sk}}}(b)\). This immediately gives rise to a hard statistical difference problem [BL13]: given a pair of ciphertexts \(({\textsf {CT}}_0,{\textsf {CT}}_1)\), decide whether the corresponding re-randomized distributions given by the circuits \((C_0(\cdot ),C_1(\cdot )):=({\textsf {ReRand}}({\textsf {CT}}_0;\cdot ),{\textsf {ReRand}}({\textsf {CT}}_1;\cdot ))\) are statistically far or close. Indeed, this corresponds to whether they encrypt the same bit or not, which is hard to decide by the security of the encryption scheme.
A feature of this reduction of hard statistical difference instances to re-randomizable encryption is that, similarly to most reductions in cryptography, it is fully black-box [RTV04] in the sense that the circuits \(C_0,C_1\) only make black-box use of the encryption scheme’s algorithms, and can in fact be represented as oracle-aided circuits \((C_0^{{\textsf {ReRand}}(\cdot )},C_1^{{\textsf {ReRand}}(\cdot )})\). Furthermore, “hardness” can be shown by a black-box security proof that can use any decider for the problem in a black-box way to break the underlying encryption scheme. More generally, one can consider the statistical difference problem relative to different oracles implementing different cryptographic primitives and ask when hardness can be shown based on a black-box reduction. Theorem 1.1 rules out such reductions relative to IO and OWPs (and everything that follows from these in a fully black-box way). For more details, see Sect. 1.2 and the full version.
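As an added illustration of the statistical difference instance built from re-randomizable encryption above (example code, not from the paper), the following Python uses a toy Goldwasser-Micali-style scheme over a constructed modulus N = 77 with pseudo-square X = 6, forms the samplers C_b(·) := ReRand(CT_b; ·), and computes Δ(C_0, C_1) exactly by enumerating the randomness; the modulus, X and the 1/3, 2/3 thresholds of SD are the only assumptions.

```python
from collections import Counter
from fractions import Fraction
from math import gcd

# Constructed toy parameters (not from the paper): N = 7 * 11, and X = 6 is a
# pseudo-square, i.e. a non-residue modulo both primes with Jacobi symbol +1.
N = 77
X = 6

def units():
    """The multiplicative group Z_N^*; the randomness space of Enc and ReRand."""
    return [a for a in range(1, N) if gcd(a, N) == 1]

def enc(b, r):
    """Goldwasser-Micali-style Enc(b; r) = r^2 * X^b mod N for a bit b."""
    assert b in (0, 1) and gcd(r, N) == 1
    return (r * r * pow(X, b, N)) % N

def rerand(ct, s):
    """ReRand(CT; s) = CT * s^2 mod N: multiplies by a fresh square, no key needed."""
    return (ct * s * s) % N

def distribution(sampler):
    """Exact output distribution of a circuit sampler C(.) over uniform randomness,
    as a dict mapping each output to a Fraction (so there is no floating-point error)."""
    rs = units()
    counts = Counter(sampler(r) for r in rs)
    return {y: Fraction(c, len(rs)) for y, c in counts.items()}

def fresh_distribution(b):
    """Distribution of a fresh encryption Enc(b; r)."""
    return distribution(lambda r: enc(b, r))

def sampler_distribution(ct):
    """Distribution of the sampler C(.) := ReRand(CT; .) induced by one ciphertext."""
    return distribution(lambda s: rerand(ct, s))

def statistical_distance(p0, p1):
    """Delta(p0, p1) = (1/2) * sum_y |p0(y) - p1(y)|."""
    support = set(p0) | set(p1)
    return sum(abs(p0.get(y, 0) - p1.get(y, 0)) for y in support) / 2

def sd_instance(ct0, ct1):
    """Statistical distance s of the SD instance (ReRand(CT_0; .), ReRand(CT_1; .))."""
    return statistical_distance(sampler_distribution(ct0), sampler_distribution(ct1))

def decide_sd(ct0, ct1):
    """A decider for SD^{1/3,2/3}: 'far' if s >= 2/3, 'close' if s <= 1/3.
    For this scheme 'far' means exactly that the two ciphertexts encrypt different bits."""
    s = sd_instance(ct0, ct1)
    if s >= Fraction(2, 3):
        return "far"
    if s <= Fraction(1, 3):
        return "close"
    return "outside promise"   # cannot happen here: s is always 0 or 1

if __name__ == "__main__":
    ct0, ct0_again, ct1 = enc(0, 2), enc(0, 5), enc(1, 3)
    print(decide_sd(ct0, ct0_again), sd_instance(ct0, ct0_again))   # close 0
    print(decide_sd(ct0, ct1), sd_instance(ct0, ct1))               # far 1
```

Because ReRand multiplies by a uniformly random square, ReRand(CT; ·) is distributed exactly like a fresh encryption of the same bit, so the two samplers are either identical (s = 0) or have disjoint supports (s = 1).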
\({\textsf {NP}} \cap {\textsf {coNP}}\) and Cryptography. Hard (on average) problems in \({\textsf {NP}} \cap {\textsf {coNP}}\) are known to follow from several number-theoretic problems in cryptography, such as Discrete Log, Factoring and Lattice Problems [Has88, LLJS90, AR04]. As in the previous section for \({\textsf {SZK}}\), we are interested in understanding which cryptographic primitives would imply such hardness, again with the intuition that this implies structure. For instance, it is known [Bra79] that any OWP \(f:\left\{ 0,1\right\} ^n\rightarrow \left\{ 0,1\right\} ^n\) implies a hard problem in \({\textsf {NP}} \cap {\textsf {coNP}}\), e.g. given an index \(i \in [n]\) and an image f(x), find the i-th preimage bit \(x_i\). In contrast, Blum and Impagliazzo [BI87] and Rudich [Rud88] proved that seemingly unstructured objects like OWFs do not imply hardness in \({\textsf {NP}} \cap {\textsf {coNP}}\) by fully black-box reductions. In this context, a fully black-box reduction essentially means that the non-deterministic verifiers only make black-box use of the OWF (or OWP in the previous example) and the reduction establishing the hardness is also black-box (in both the decider and the OWF).^{2}
But what about more structured primitives such as public-key encryption, oblivious transfer, or even IO? We rule out fully black-box reductions from OWFs (or even injective OWFs) and IO to hard problems in \({\textsf {NP}} \cap {\textsf {coNP}}\). Hence, the same holds for the other primitives, which can be constructed from IO (with OWFs) in a fully black-box way.
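The [Bra79] construction above, made concrete in Python as an added example (not code from the paper): a constructed random permutation on 4-bit strings stands in for the OWP, so deciding is by brute force; V_1 and V_0 accept a witness w iff f(w) = y and w_i = 1 (resp. 0), so every instance (i, y) has a witness for exactly one side. A constructed many-to-one, non-surjective g is included to show that the same verifier pair stops defining a language in NP ∩ coNP once injectivity and surjectivity are lost.

```python
import random

# Constructed toy (not from the paper): f is a random permutation of 4-bit strings,
# standing in for the one-way permutation; brute force is affordable at this size.
N_BITS = 4
DOMAIN = range(2 ** N_BITS)
_rng = random.Random(1)        # fixed seed so the example is reproducible
PERM = list(DOMAIN)
_rng.shuffle(PERM)

def f(x):
    """The toy one-way permutation (a table lookup here)."""
    return PERM[x]

def bit(x, i):
    """The i-th bit of x."""
    return (x >> i) & 1

def verifier(g, i, y, w, b):
    """V_b^g(i, y; w): accept iff g(w) = y and w_i = b.
    It uses g only as a black box, as a fully black-box construction requires."""
    return g(w) == y and bit(w, i) == b

def has_witness(g, i, y, b):
    """Does some witness convince V_b that the i-th preimage bit of y equals b?"""
    return any(verifier(g, i, y, w, b) for w in DOMAIN)

def witnessed_claims(g):
    """For every instance (i, y), the number of claims b in {0, 1} that have a witness.
    Exactly 1 everywhere means (V_0, V_1) define a language in NP ∩ coNP relative
    to g: V_1 witnesses membership and V_0 witnesses non-membership."""
    return {(i, y): has_witness(g, i, y, 0) + has_witness(g, i, y, 1)
            for i in range(N_BITS) for y in DOMAIN}

def defines_np_cap_conp_language(g):
    return all(c == 1 for c in witnessed_claims(g).values())

def decide_brute_force(i, y):
    """The decision problem itself: is the i-th bit of f^{-1}(y) equal to 1?
    (Brute force here; for a real OWP this is exactly what should be hard.)"""
    return bit(PERM.index(y), i) == 1

def g_many_to_one(x):
    """Constructed non-injective, non-surjective function: each image in 0..7 has two
    preimages and 8..15 have none, so some instances have witnesses for both claims
    and others for neither; the verifier pair no longer defines a language."""
    return PERM[x] // 2
```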
Theorem 1.3
(Informal). There is no fully black-box reduction of any (even worst-case) hard problem in \({\mathsf {NP}} \cap {\mathsf {coNP}}\) to IO and OWFs.
Corollary 1.4
(from [SW14, Wat15], Informal). There is no such reduction to (general) public-key encryption, oblivious transfer, deniable encryption, functional encryption, or any other object that has a black-box reduction to IO and OWFs.
Our approach also gives a new (rather different) proof to the original separation between OWFs and \({\textsf {NP}} \cap {\textsf {coNP}}\) [BI87, Rud88]. For more details, see Sect. 1.2 and the full version.
We remark that unlike our result for \({\textsf {SZK}}\) (which ruled out hard promise problems), the above result only rules out hard languages in \({\textsf {NP}} \cap {\textsf {coNP}}\). Indeed, Even et al. [ESY84] demonstrated promise problems in \({\textsf {NP}} \cap {\textsf {coNP}}\) that are \({\textsf {NP}}\)-hard. Hence even the assumption \( {\textsf {P}}\ne {\textsf {NP}}\) (let alone OWFs) gives us hard promise problems in \( {\textsf {NP}} \cap {\textsf {coNP}}\). (See [Gol06] for further reading.)
Relation to the Work of Asharov and Segev. The flood of IO applications, starting from [GGH+13b, SW14], has led many to conjecture that IO may be “complete for cryptography” (assuming also OWFs, or just \({\textsf {NP}}\not \subseteq \mathsf{ioBPP}\) [KMN+14]). Nevertheless, some cryptographic goals could not be constructed based on IO.
Asharov and Segev [AS15, AS16] were the first to initiate a formal study to understand the limits of IO. Our separations for IO are based on their framework [AS15]. We aim to draw the complexity-theoretic boundaries of IO. Indeed, black-box separations from IO require some care, given that the typical use of IO makes non-black-box use of the circuits it obfuscates and thus of any associated cryptographic primitive such as OWFs. The Asharov-Segev framework considers obfuscators that take as input circuits with OWF (or OWP) gates. They observe that most known IO-based constructions fall into this category. Thus, a separation in this model allows deriving the corresponding separations between \({\textsf {SZK}}\) or \({\textsf {NP}} \cap {\textsf {coNP}}\) and a wide variety of cryptographic primitives. See Sect. 1.2 for more details.
In terms of results, they show that collision-resistant hashing and (domain invariant) OWPs do not have black-box reductions to IO (and OWFs). Our separation of IO and \({\textsf {NP}} \cap {\textsf {coNP}}\) is more general and implies their previous result for OWPs (and gives a rather different proof for this fact). Their result for collision-resistant hashing is not captured by our results (indeed collision-resistance is not known to imply hardness in either \({\textsf {SZK}}\) or \({\textsf {NP}} \cap {\textsf {coNP}}\)). We also stress that our separation of \({\textsf {SZK}}\) from IO and OWPs does not follow from their results; indeed, SZK-hardness is not known to imply collision-resistance.^{3}
Indistinguishability Obfuscation: Perspective. Since the breakthrough of [GGH+13b], the notion of IO has been extensively studied. While we already understand that IO has far-reaching implications, our understanding of how it can be constructed and under what assumptions is still at an early stage. Indeed, basing IO on solid foundations is one of cryptography’s greatest challenges today. In this context, we stress that the results presented in this work hold regardless of the state of existing candidates. In fact, even if it turned out that there is no secure realization of IO, the separation of \({\textsf {SZK}}\) and \({\textsf {NP}} \cap {\textsf {coNP}}\) from primitives such as public-key encryption, which follow from IO, still holds. The expressiveness of IO (established in [GGH+13b, SW14] and onwards) allows us to prove many separations in one shot. (Indeed, three years ago we would have probably addressed each primitive separately.)
As for the search for candidates itself, while at this point candidates are based on lattice-related problems that do break in SZK, our work suggests the theoretical possibility that IO candidates may not require such structure. A similar conclusion holds of course for the much more basic and long-studied question of public-key encryption. Almost all known public-key encryption candidates rely on very algebraic assumptions (that do break in \( {\textsf {SZK}}\) or \({\textsf {NP}} \cap {\textsf {coNP}}\)). Constructing public-key encryption from less structured assumptions remains a fascinating open question. While initial steps have been taken to diverge from such structure [Ale03, ABW10], there is still a long way to go.
On \({\textsf {TFNP}}\) vs. \({\textsf {NP}} \cap {\textsf {coNP}}\). One of the corollaries of our result is a separation between \({\textsf {SZK}}\) and \({\textsf {NP}} \cap {\textsf {coNP}}\) from the complexity class \({\textsf {PPAD}}\). \({\textsf {PPAD}}\), a subclass of total \({\textsf {NP}}\) search problems called \({\textsf {TFNP}}\) [MP91], was defined by Papadimitriou [Pap94] and has been shown to capture the complexity of computing Nash equilibria [DGP06, CDT09]. It was recently shown [BPR15] that IO and injective OWFs can be used (in a black-box way) to construct hard problems in \({\textsf {PPAD}}\). Put together with our separation, we get that there is no black-box construction of an \({\textsf {SZK}}\) (resp. \({\textsf {NP}} \cap {\textsf {coNP}}\)) hard problem from \({\textsf {PPAD}}\)-hardness.^{4}
Given that \({\textsf {TFNP}}\), which contains \({\textsf {PPAD}}\), is commonly thought of as a search version of \({\textsf {NP}} \cap {\textsf {coNP}}\), it is interesting to note that the result shows that hardness in \({\textsf {NP}} \cap {\textsf {coNP}}\) (of decisional problems) does not follow from hardness in \({\textsf {TFNP}}\) (that is, hardness of search problems) in a black-box way. Namely, there is no black-box “search-to-decision reduction” between these classes.
The Positive Result: Collision-Resistant Hashing from Strong \({\textsf {SZK}}\) Hardness. We end our paper with a positive result. While most of our focus has been on showing that hardness in \({\textsf {SZK}}\) and \({\textsf {NP}} \cap {\textsf {coNP}}\) does not follow from cryptography, here we ask the “inverse question”, namely whether certain cryptographic primitives can be built from other cryptographic primitives together with hardness in certain structured complexity classes. Little is known in this direction with the exception of the beautiful work of Ostrovsky [Ost91], which constructs a OWF from average-case \({\textsf {SZK}}\)-hardness, and the recent work of Applebaum and Raykov [AR16], who showed that average-case hardness in the subclass \(\mathsf {PRE}\subseteq \mathsf {SRE}\subseteq {\textsf {SZK}}\) of languages with a perfect randomized encoding gives us collision-resistant hashing.
We construct collision-resistant hashing from a strong form of \({\textsf {SZK}}\)-hardness and IO. It was previously known [AS15] that IO by itself does not imply collision-resistant hashing in a black-box way; we show that it does if one adds \({\textsf {SZK}}\)-hardness as a “catalyst”. Slightly more precisely, in the \({\textsf {SZK}}\)-complete problem \(\mathbf {SD}^{1/3,2/3}\) one is required to distinguish between distributions that are 1/3-close and ones that are 2/3-far. We show that IO together with average-case hardness of \(\mathbf {SD}^{0,1}\) (a stronger assumption) implies collision-resistant hashing.
Theorem 1.5
(Informal). Assuming average-case hardness of \(\mathbf {SD}^{0,1}\) and the existence of IO, there is a collision-resistant hashing scheme.
Organization. Due to the paucity of space, most of the proofs are deferred to the full version. We give an overview of the methodology and techniques used in the following Sect. 1.2. The black-box separation between \( {\textsf {SZK}}\) and IO (plus OWPs) is stated in Sect. 2. The separation between \( {\textsf {NP}} \cap {\textsf {coNP}}\) and IO (plus injective OWFs) is described in Sect. 3.
1.2 Overview of Techniques
We now give an overview of our approach and main ideas. We start by discussing how to capture fully black-box constructions in the context of indistinguishability obfuscation following [AS15]. We then recall the common methodology for ruling out black-box constructions [IR89, RTV04, BBF13], and explain the main ideas behind our impossibility results for \({\textsf {SZK}}\) and \({\textsf {NP}} \cap {\textsf {coNP}}\). In the last part of this section, we outline the construction of collision-resistant hashing from indistinguishability obfuscation and \({\textsf {SZK}}\)-hardness and the main ideas behind it.
Indistinguishability Obfuscation and Black-Box Constructions. Traditionally, when thinking about a black-box construction of one cryptographic primitive \(\mathcal {P}'\) (e.g., a pseudorandom generator) from a primitive \(\mathcal {P}\) (e.g., a one-way function), we mean that all algorithms in the construction of \(\mathcal {P}'\) invoke \(\mathcal {P}\) as a black box, oblivious of its actual implementation. This is hardly the case in constructions based on indistinguishability obfuscation, where circuits that explicitly invoke the primitive \(\mathcal {P}\) may be obfuscated.
Nonetheless, as observed by Asharov and Segev [AS15], in almost all existing constructions, the code implementing \(\mathcal {P}\) is used in a very restricted manner. Typically, obfuscated circuits can be implemented as oracle-aided circuits \(C^{\mathcal {P}}\) that are completely black-box in \(\mathcal {P}\), where \(\mathcal {P}\) is some low-level primitive, such as a one-way function. Indeed, in most cases the circuits obfuscated are symmetric-key primitives, such as puncturable pseudorandom functions [SW14], which can be constructed in a black-box way from one-way functions (in some constructions more structured low-level primitives may be used, like injective one-way functions, or one-way permutations). Furthermore, in these constructions, the obfuscator \(i\mathcal {O}\) itself is also treated as a black box.
Accordingly, almost all existing constructions based on indistinguishability obfuscation can be cast into a model in which indistinguishability obfuscation exists for oracle-aided circuits \(C^{\mathcal {P}}\), where \(\mathcal {P}\) is, say, a one-way function, and both \(\mathcal {P}\) and the obfuscator \(i\mathcal {O}\) can only be accessed as black boxes. On top of that, they can be proven secure in this model by a black-box reduction that makes black-box use of \((\mathcal {P}, i\mathcal {O})\) and any attacker against the constructed primitive \(\mathcal {P}'\). Such constructions, where both the construction itself and the reduction are black-box, are called fully black-box constructions [RTV04]. Following Asharov and Segev [AS15, AS16], we shall prove our results in this model, ruling out black-box constructions of hard problems in \({\textsf {SZK}}\) and \({\textsf {NP}} \cap {\textsf {coNP}}\) based on indistinguishability obfuscation for oracle-aided circuits. Further details follow.

relative to \(\varPsi \), there exists a construction \(C_{\mathcal {P}}^{\varPsi }\) realizing \(\mathcal {P}\) that is secure in the presence of \(\mathcal {A}\),

but any construction \(C_{\mathcal {P}'}^{\varPsi }\) realizing \(\mathcal {P}'\) can be broken in the presence of \(\mathcal {A}\).
Indeed, if such oracles \((\varPsi ,\mathcal {A})\) exist, then no efficient reduction will be able to use (as a black box) the attacker \(\mathcal {A}\) against \(\mathcal {P}'\) to break \(\mathcal {P}\) (as the construction of \(\mathcal {P}\) is secure in the presence of \(\mathcal {A}\)). In our case, we would like to apply this paradigm to rule out black-box constructions of hard instances in either \({\textsf {SZK}}\) or \({\textsf {NP}} \cap {\textsf {coNP}}\) from a low-level primitive (e.g. a one-way function) and indistinguishability obfuscation for oracle-aided circuits. We next outline the main ideas behind the construction and analysis of the oracles \((\varPsi ,\mathcal {A})\) in each of the two cases.
Ruling out Black-Box Constructions of Hard \({\textsf {SZK}}\) Problems. As explained in the previous section, we focus on the characterization of \({\textsf {SZK}}\) by its complete problem: the statistical difference problem \(\mathbf {SD}\) [SV03]. We demonstrate oracles \((\varPsi ,\mathcal {A})\) such that relative to \(\varPsi \) there exist constructions of one-way permutations (OWPs) and IO for circuits with OWP gates, and these constructions are secure in the presence of \(\mathcal {A}\). At the same time, \(\mathcal {A}\) will decide (in the worst case) \(\mathbf {SD}^{\varPsi }\). Since \(\mathbf {SD}\) is complete for \({\textsf {SZK}}\) in a relativizing manner, deciding \(\mathbf {SD}^\varPsi \) suffices to break \({\textsf {SZK}}^\varPsi \). That is, \(\mathcal {A}\) will decide all instances \((C_0^{\varPsi },C_1^{\varPsi })\) of circuit samplers that only use the IO and OWPs realized by \(\varPsi \) in a black-box manner. We next explain how each of the two is constructed.
1. \( f \) is a random permutation, realizing the one-way permutation primitive.
2. \(\mathcal {O}\) is a random injective function, realizing the obfuscation algorithm. It takes as input an oracle-aided circuit \(C^{(\cdot )}\) along with randomness r and outputs an obfuscation \({\widehat{C}} = \mathcal {O}(C,r)\).
3. The evaluation oracle (whose symbol is an image in the original) realizes evaluation of obfuscated circuits. On input \(({\widehat{C}},x)\), it inverts \(\mathcal {O}\) to find (C, r), and outputs \(C^ f (x)\). If \({\widehat{C}}\) is not in the image of \(\mathcal {O}\), it returns \(\bot \).
The above construction readily satisfies the syntactic (or “functionality”) requirements of one-way permutations and indistinguishability obfuscation. Furthermore, using standard techniques, it is not hard to show that relative to \(\varPsi \), the function \( f \) is one-way and \(\mathcal {O}\) satisfies the IO indistinguishability requirement. The challenge is now to come up with an oracle \(\mathcal {A}\) that, on one hand, will decide \(\mathbf {SD}^\varPsi \), but on the other, will not compromise the security of the latter primitives.
Recall that deciding \(\mathbf {SD}^{\varPsi }\) means that given two oracle-aided circuit samplers \((C_0,C_1)\) such that the statistical distance of the corresponding distributions \((\varvec{C}_0^{\varPsi },\varvec{C}_1^{\varPsi })\) is \(s=\mathsf {\Delta }(\varvec{C}_0^{\varPsi },\varvec{C}_1^{\varPsi })\in [0,\frac{1}{3}]\cup [\frac{2}{3},1]\), the oracle \(\mathcal {A}\) must decide in which of the two intervals s lies, whereas if the promise is not satisfied and \(s\in (\frac{1}{3},\frac{2}{3})\), there is no requirement whatsoever. With this in mind, a first naive attempt would be the following. \(\mathcal {A}\) will have unbounded access to \(\varPsi \); given a query \((C_0,C_1)\), it would compute \(s=\mathsf {\Delta }(\varvec{C}_0,\varvec{C}_1)\), and simply say whether \(s<\frac{1}{2}\) or \(s\ge \frac{1}{2}\). While such an oracle would definitely decide \(\mathbf {SD}^\varPsi \), it is not too hard to show that it is simply too powerful, and would not only break IO and OWPs, but would, in fact, allow solving any problem in \({\textsf {NP}}^\varPsi \) (or even in \({\mathsf {PP}}^{\varPsi }\)). Other naive attempts, such as refusing to answer outside the promise intervals, encounter a similar problem.
Intuitively, choosing the threshold t at random, for each query \((C_0,C_1)\), guarantees that with high probability t is “far” from the corresponding statistical distance \(s=\mathsf {\Delta }(C_0^{\varPsi },C_1^{\varPsi })\). Thus, changing the oracle \(\varPsi \) on, say, a single input x, such as the preimage of an OWP challenge \( f (x)\), should not significantly change s and will not affect the oracle’s answer; that is, unless the circuits query \(\varPsi \) on x with high probability to begin with. We give a reduction showing that we can always assume that \((C_0,C_1)\) are “smooth”, in the sense that they do not make any specific query to \(\varPsi \) with too high probability.
Following this intuition, we are able to show that through such local changes that go undetected by \(\mathsf {StaDif}^{\varPsi }\), we can move to an ideal world where inverting the OWP or breaking IO can be easily shown to be impossible. We refer the reader to the full version for further details.
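To make the smoothness argument concrete, here is an added example (written for this discussion; it is not code from the paper) that computes the statistical distance of two oracle-aided samplers relative to a small permutation oracle by enumerating all of their randomness, implements a random-threshold decider in the spirit of \(\mathsf {StaDif}\), and checks the bound behind the intuition above: a local change to the oracle (a transposition of two points) moves s by at most the probability that the samplers query the changed points. The 4-bit permutation table, the samplers c0, c1 (smooth) and d0, d1 (non-smooth), and the threshold range [1/3, 2/3] are constructed assumptions for illustration.

```python
import random
from fractions import Fraction

N_BITS = 4
DOMAIN = range(2 ** N_BITS)

# Constructed permutation on 4-bit strings, standing in for the random OWP oracle f in Psi.
PSI = [3, 6, 1, 12, 9, 14, 7, 0, 10, 5, 13, 2, 15, 8, 4, 11]


class Oracle:
    """Permutation table plus a log of the points queried, used to measure smoothness."""

    def __init__(self, table):
        self.table = table
        self.queried = set()

    def __call__(self, x):
        self.queried.add(x)
        return self.table[x]


def swapped(table, a, b):
    """Local change to Psi: transpose the outputs at a and b, so the oracle stays a permutation."""
    t = list(table)
    t[a], t[b] = t[b], t[a]
    return t


# A smooth pair (constructed): no single oracle point is queried with probability above 1/8.
def c0(r, psi):
    return psi(r) & 1                # parity of psi(r): uniform for every permutation


def c1(r, psi):
    return psi(r & 0b0111) & 1       # parity of psi at one of the eight low points


# A non-smooth pair (constructed): d1 queries point 0 on every run, so its output hinges on psi(0).
def d0(r, psi):
    return r & 1


def d1(r, psi):
    return r & 1 if psi(0) & 1 else 0


def analyse(sampler, table):
    """Enumerate all randomness r: exact output distribution and per-point query probabilities."""
    n = len(DOMAIN)
    outputs, hits = {}, {x: 0 for x in DOMAIN}
    for r in DOMAIN:
        psi = Oracle(table)
        y = sampler(r, psi)
        outputs[y] = outputs.get(y, 0) + 1
        for x in psi.queried:
            hits[x] += 1
    dist = {y: Fraction(c, n) for y, c in outputs.items()}
    qprob = {x: Fraction(c, n) for x, c in hits.items()}
    return dist, qprob


def statistical_distance(p, q):
    support = set(p) | set(q)
    return sum(abs(p.get(y, 0) - q.get(y, 0)) for y in support) / 2


def sd(s0, s1, table):
    """s = Delta(C0^Psi, C1^Psi) for the given oracle table."""
    return statistical_distance(analyse(s0, table)[0], analyse(s1, table)[0])


def stadif(s0, s1, table, seed):
    """Random-threshold decider: fresh t in [1/3, 2/3], answer 'far' iff s >= t."""
    t = Fraction(random.Random(seed).randint(333, 667), 1000)
    return ("far" if sd(s0, s1, table) >= t else "close"), t


def shift_bound(s0, s1, table, a, b):
    """Union bound on |s - s'| after swapping a and b: a run that touches neither point
    produces the same output, so each sampler's distribution moves by at most Pr[query a or b]."""
    _, q0 = analyse(s0, table)
    _, q1 = analyse(s1, table)
    return q0[a] + q0[b] + q1[a] + q1[b]


if __name__ == "__main__":
    for name, pair in (("smooth", (c0, c1)), ("non-smooth", (d0, d1))):
        before, after = sd(*pair, PSI), sd(*pair, swapped(PSI, 0, 8))
        print(name, "s =", before, "s' =", after, "bound =", shift_bound(*pair, PSI, 0, 8))
```

For the smooth pair the swap at points 0 and 8 moves s from 0 to 1/8, within the bound 1/4, and the threshold decider's answer is unchanged; for the non-smooth pair the same swap moves s from 0 to 1/2, which the bound (equal to 1, since d1 queries point 0 with probability 1) does nothing to exclude. This is exactly why the reduction first enforces smoothness.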
Ruling out Black-Box Constructions of Hard \({\textsf {NP}} \cap {\textsf {coNP}}\) Problems. As mentioned earlier, a fully black-box construction of hard problems in \({\textsf {NP}} \cap {\textsf {coNP}}\) is actually known assuming one-way permutations (OWPs), and cannot be ruled out as in the case of \({\textsf {SZK}}\). Instead, we rule out constructions from (non-surjective) injective one-way functions (IOWFs) and IO for circuits with IOWF gates. This generalizes several previous results by Blum and Impagliazzo [BI87] and Rudich [Rud88], showing that OWFs do not give hardness in \({\textsf {NP}} \cap {\textsf {coNP}}\), by Matsuda and Matsuura [MM11], showing that IOWFs do not give OWPs (which are a special case of hardness in \({\textsf {NP}} \cap {\textsf {coNP}}\)), and by Asharov and Segev [AS16], showing that OWFs and IO for circuits with OWF gates do not give OWPs. In fact, our approach yields a new (and rather different) proof for each one of these results.
We follow a similar methodology to the one we used for the case of \({\textsf {SZK}}\). That is, we would like to come up with oracles \((\varPsi ,\mathcal {A})\) such that \(\varPsi \) realizes IOWFs and IO for circuits with IOWF gates, which are both secure in the presence of \(\mathcal {A}\), whereas black-box constructions of problems in \({\textsf {NP}} \cap {\textsf {coNP}}\) from these primitives can be easily solved by \(\mathcal {A}\). By black-box constructions here we mean a pair of efficient oracle-aided non-deterministic verifiers \(V_0^{(\cdot )},V_1^{(\cdot )}\) that for every oracle \(\varPsi \) implementing IOWFs and IO, yield complementary languages \(\overline{L}^{\varPsi },L^{\varPsi }\) in \({\textsf {NP}} \cap {\textsf {coNP}}[\varPsi ]\).
The requirement that \(V_0,V_1\) give a language in \({\textsf {NP}} \cap {\textsf {coNP}}\) for every oracle implementing IOWFs and IO follows previous modeling [BI87],^{5} and aligns with how we usually think about correctness of black-box constructions of cryptographic primitives. For instance, the construction of public-key encryption from trapdoor permutations is promised to be correct for all oracles implementing the trapdoor permutation. Similarly, the construction of hard \({\textsf {NP}} \cap {\textsf {coNP}}\) languages from one-way permutations gives an \({\textsf {NP}} \cap {\textsf {coNP}}\) language for any oracle implementing a permutation.^{6}
We stress that a construction where correctness is only guaranteed for particular (even if natural) oracles may definitely exist. This is for example the case if we only consider implementations of IO similar to those presented above in the context of \({\textsf {SZK}}\). Indeed, in that construction the implementation of IO has an additional property: it allows identifying invalid obfuscations (the oracle that evaluates obfuscated circuits would simply return \(\bot \) on such obfuscations). This “verifiability” property coupled with the injectivity of obfuscators actually implies a hard problem in \({\textsf {NP}} \cap {\textsf {coNP}}\) in a black-box way.^{7} Our separation thus leverages the fact that IO need not necessarily be verifiable, and rules out constructions that are required to be correct for any implementation of IO, even a non-verifiable one.
Accordingly, the oracles \(\varPsi \) that we consider are a tweaked version of the oracles considered in the \({\textsf {SZK}}\) case. Now \({{f}}\) is a random injective function that is expanding, rather than a permutation, the oracle \({{\mathcal {O}}}\) is defined as before, and the oracle that evaluates obfuscated circuits is defined as before on valid obfuscations but is allowed to act arbitrarily on invalid obfuscations. As for \(\mathcal {A}\), this time it is trivially implemented by an oracle \(\mathsf {Decide}^\varPsi \) that, given input x, simply returns the unique bit b such that \(V_b(x)=1\), namely it just decides the corresponding language \(L^\varPsi \).
In the results mentioned above [Rud88, MM11, AS16], it is actually shown that any query to such an oracle can be completely simulated with a small number of queries to \(\varPsi \).^{8} We do not show such a simulation process. Instead, we take a different approach inspired by our proof for the \({\textsf {SZK}}\) setting described above. Roughly speaking, we show that, somewhat similarly to our statistical difference oracle \(\mathsf {StaDif}^{\varPsi }\), the oracle \(\mathsf {Decide}^{\varPsi }\) is also rather robust to random local changes. The main observation here is that for any fixed yes-instance \(x\in L^{\varPsi }\), tweaking \(\varPsi \) at a random input into a new oracle \(\varPsi '\), it is likely that x will still be a yes-instance in \(L^{\varPsi '}\), as long as \(\varPsi '\) is in our allowed family of oracles and \(L^{\varPsi '}\) is indeed in \({\textsf {NP}} \cap {\textsf {coNP}}[\varPsi ']\) (and the same is true for no-instances).
In slightly more detail, fixing a witness w such that \(V_1^{\varPsi }(x,w) = 1\), we can show that since \(V_1\) makes a small number of oracle calls, with high probability tweaking the oracle \(\varPsi \) at a random place will not affect these oracle calls and thus \(V_1^{\varPsi '}(x,w) = V_1^{\varPsi }(x,w)=1\). Then, assuming \(L^{\varPsi '}\) is guaranteed to be in \({\textsf {NP}} \cap {\textsf {coNP}}\), we can deduce that x must still be a yes-instance (other witnesses for this fact may be added or disappear, but this does not change the oracle’s answer). In the body, we argue that indeed \(L^{\varPsi '}\in {\textsf {NP}} \cap {\textsf {coNP}}[\varPsi ']\), where we strongly rely on the fact that arbitrary behavior of the oracle that evaluates obfuscated circuits is permitted on invalid obfuscations.
Once again, we show that through local changes that go undetected by \(\mathsf {Decide}^{\varPsi }\), we can move to an ideal world where inverting the IOWF or breaking IO can be easily shown to be impossible. We refer the reader to Sect. 3 for further details.
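The following added example (written for this page, not the paper's code) spells out the ingredients of the argument above on a toy scale, assuming a 4-bit function table: the classical construction of an \({\textsf {NP}} \cap {\textsf {coNP}}\) language from a permutation f (y is a yes-instance when the low bit of its preimage is 1, and the preimage serves as witness for either side), the structure check that every y has a witness for exactly one of \(V_0,V_1\), which holds for every permutation but fails for an expanding injective f (the reason the separation targets IOWFs rather than OWPs), a \(\mathsf {Decide}\)-style oracle, and the observation that an accepting run of \(V_1\) which queries q oracle points survives a random transposition of the oracle with probability at least \(1-2q/2^n\), after which y is still a yes-instance. The tables PERM and INJ are constructed.

```python
from fractions import Fraction
from itertools import combinations

N = 4                       # f takes N-bit inputs; PERM has 2^N outputs, INJ has 2^(N+1)
# Constructed permutation of {0..15} and constructed injective map {0..15} -> {0..31}.
PERM = [7, 2, 13, 0, 9, 4, 15, 6, 11, 12, 1, 14, 3, 8, 5, 10]
INJ = [17, 2, 29, 0, 9, 20, 15, 6, 11, 12, 31, 14, 3, 8, 5, 10]


# The classic OWP-based NP ∩ coNP language: y is in L^f iff f^{-1}(y) has low bit 1.
# V1 checks a yes-witness (a preimage with low bit 1), V0 a no-witness (low bit 0).
def V1(y, w, f):
    return f(w) == y and (w & 1) == 1


def V0(y, w, f):
    return f(w) == y and (w & 1) == 0


def lookup(table):
    """Plain oracle access to a function table."""
    return lambda x: table[x]


def has_witness(V, y, table):
    return any(V(y, w, lookup(table)) for w in range(len(table)))


def structure_holds(table, codomain_size):
    """Correctness requirement: relative to this oracle, every y has a witness for exactly one of V0, V1."""
    for y in range(codomain_size):
        if has_witness(V0, y, table) == has_witness(V1, y, table):
            return False        # no witness at all (y outside the image) or witnesses for both
    return True


def decide(y, table):
    """Decide^Psi: the unique bit b with a V_b witness, or None when the promise fails at y."""
    yes, no = has_witness(V1, y, table), has_witness(V0, y, table)
    if yes == no:
        return None
    return 1 if yes else 0


def tweak(table, a, b):
    """Local change to the oracle: swap the outputs at a and b (a permutation stays a permutation)."""
    t = list(table)
    t[a], t[b] = t[b], t[a]
    return t


def queried_points(V, y, w, table):
    """Which oracle points a run of V on (y, w) touches."""
    seen = set()

    def f(x):
        seen.add(x)
        return table[x]

    V(y, w, f)
    return seen


def survival_fraction(y, w, table):
    """Over all transpositions (a, b), the fraction under which V1 still accepts (y, w)."""
    pairs = list(combinations(range(len(table)), 2))
    ok = sum(1 for a, b in pairs if V1(y, w, lookup(tweak(table, a, b))))
    return Fraction(ok, len(pairs))


def survival_lower_bound(y, w, table):
    """A run touching q points survives every transposition that avoids them: at least 1 - 2q/2^N."""
    q = len(queried_points(V1, y, w, table))
    return 1 - Fraction(2 * q, len(table))


def membership_preserved(y, w, table):
    """Whenever the witness survives a tweak, y is still a yes-instance of the tweaked language."""
    for a, b in combinations(range(len(table)), 2):
        new = tweak(table, a, b)
        if V1(y, w, lookup(new)) and decide(y, new) != 1:
            return False
    return True


if __name__ == "__main__":
    print("permutation gives NP ∩ coNP structure:", structure_holds(PERM, 16))
    print("expanding injection gives NP ∩ coNP structure:", structure_holds(INJ, 32))
    print("witness survival for y=2, w=1:", survival_fraction(2, 1, PERM), ">=", survival_lower_bound(2, 1, PERM))
```

Because \(V_1\) here makes a single query (to w), the survival fraction is exactly \(1-2/16 = 7/8\) and meets the bound; for the injective table, inputs outside the image such as y = 1 have no witness on either side, which is precisely the correctness failure that a construction required to work for every oracle in the family cannot have.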
Implied Separations. As a result of the two separations discussed above, we can rule out black-box constructions of hard problems in \({\textsf {SZK}}\) or \({\textsf {NP}} \cap {\textsf {coNP}}\) from various cryptographic primitives or complexity classes. This essentially includes all primitives that have fully black-box constructions from OWPs (or IOWFs) and IO for circuits with OWP (or IOWF) gates. This includes public-key encryption, oblivious transfer, deniable encryption [SW14], functional encryption [Wat15], delegation [BGL+15, CHJV15, KLW15], hard (on-average) \({\textsf {PPAD}}\) instances [BPR15], and more.
We note that there are a few applications of IO that do not fall under this characterization. For instance, the construction of IO for Turing machines from IO-based succinct randomized encodings [BGL+15, CHJV15, KLW15] involves obfuscating a circuit that itself outputs (smaller) obfuscated circuits. To capture this, we would need to extend the above model to IO for circuits that can also make IO oracle calls (on smaller circuits). Another example is the construction of non-interactive witness indistinguishable proofs from IO [BP15]. There an obfuscated circuit may get as input another obfuscated circuit and would have to internally run it; furthermore, in this application, the code of the obfuscator is used in a (non-black-box) ZAP. Extending the above model to account for this type of IO application is an interesting question that we leave for future exploration.
The Positive Result: Collision-Resistance from IO and \({\textsf {SZK}}\) Hardness. We now describe the main ideas behind our construction of collision-resistant hash functions. The starting point for the construction is the work of Ishai et al. [IKO05] that shows how to construct collision-resistant hash functions from commitments that are additively homomorphic (for simplicity, say over \(\mathbb {F}_2\)). The idea is simple: we can hash \(\ell \) bits to m bits, where m is the size of a single bit commitment and \(\ell \) can be arbitrarily longer, as follows. The hash key is a commitment \(\gamma :=(\mathsf {com}(\beta _1),\dots ,\mathsf {com}(\beta _\ell ))\) to a random vector \(\beta \in \mathbb {F}_2^{\ell }\), and hashing \(x\in \mathbb {F}_2^\ell \) is done by homomorphically computing a commitment to the inner product \(\mathsf{CRH}_{\gamma }(x) = \mathsf {com}(\langle \beta ,x\rangle )\). Intuitively, the reason this works is that any collision in \(\mathsf{CRH}_{\gamma }\) reveals a vector that is orthogonal to \(\beta \) and thus leaks information about it, thereby violating the hiding of the commitment.
At a high level, we aim to mimic the above construction based on obfuscation. As a key for the collision-resistant hash we can obfuscate a program \(\varPi _{\beta }\) associated with a random vector \(\beta \) that given x outputs a commitment \(\mathsf {com}(\langle \beta ,x\rangle )\), where the commitment is derandomized using a PRF.^{9} The obfuscation \(i\mathcal {O}(\varPi _{\beta })\) can be thought of as the commitment to \(\beta \), and evaluating this program at x corresponds to homomorphic evaluation. Despite the clear intuition behind this construction, it is not clear how to prove its security based on IO. In fact, by the work of Asharov and Segev [AS15], it cannot be proven based on a black-box reduction as long as plain statistically-binding commitments are used, as these can be constructed from OWPs in a fully black-box manner, and [AS15] rule out black-box constructions of collision-resistant hashing from OWPs and IO for circuits with OWP gates.
We show, however, that relying on a relaxed notion of perfectly-hiding commitments, as well as subexponential hardness of IO and puncturable PRFs, the construction can be proven secure. The perfect hiding of the commitment is leveraged in a probabilistic IO argument [CLTV15] that involves a number of hybrids larger than the overall number of commitments. We then observe that these relaxed commitments follow from average-case hardness of the polar statistical difference problem \(\mathbf {SD}^{0,1}\).^{10}
2 One-Way Permutations, Indistinguishability Obfuscation, and Hardness in SZK
In this section, we ask which cryptographic primitives imply hardness in the class statistical zero-knowledge (SZK). Roughly speaking, we show that one-way permutations (OWPs) and indistinguishability obfuscation (IO), for circuits with OWP gates, do not give rise to a black-box construction of hard problems in \({\textsf {SZK}}\). This, in turn, implies that many cryptographic primitives (e.g., public-key encryption, functional encryption, and delegation), and hardness in certain low-level complexity classes (e.g. \({\textsf {PPAD}}\)), also do not yield black-box constructions of hard problems in \({\textsf {SZK}}\).
We first motivate and define a framework of \({\textsf {SZK}}\) relative to oracles, define fully black-box constructions of hard \({\textsf {SZK}}\) problems, and then move on to the actual separation.
2.1 SZK and Statistical Difference
The notion of statistical zero-knowledge proofs was introduced in the seminal work of Goldwasser et al. [GMR85]. The class of promise problems with statistical zero-knowledge proofs (SZK) can be characterized by several complete problems, such as statistical difference [SV03] and entropy difference [GV99] (see also [Vad99] and references within). We shall focus on the characterization of \({\textsf {SZK}}\) by the statistical difference problem. Here an instance is a pair of circuit samplers \(C_0,C_1:\left\{ 0,1\right\} ^n\rightarrow \left\{ 0,1\right\} ^m\) with the promise that the statistical distance \(s=\mathsf {\Delta }(\varvec{C}_0,\varvec{C}_1)\) of the corresponding distributions is either large (say, \(s\ge 2/3\)) or small (say, \(s\le 1/3\)). The problem is to decide which is the case.
Hard Statistical Difference Problems from Cryptography: Motivation. \({\textsf {SZK}}\) hardness, and in particular hard statistical difference problems, are known to follow from various number-theoretic and lattice problems that are commonly used in cryptography, such as Decision Diffie-Hellman, Quadratic Residuosity, and Learning with Errors. We ask more generally which cryptographic primitives can be shown to imply such hardness, with the intuition that such primitives are structured in a certain way. In particular, whereas one would not expect a completely unstructured object like one-way functions to imply such hardness, what can we say, for instance, about public-key encryption, or even indistinguishability obfuscation (which has proven to be structured enough to yield almost any known cryptographic goal)?
We prove that none of these primitives imply such hardness through the natural class of black-box constructions and security reductions. To understand what a black-box construction of a hard statistical difference problem means, let us look at a specific example of the construction of such a problem from re-randomizable encryption. In a (say, symmetric-key) re-randomizable encryption scheme, on top of the usual encryption and decryption algorithms \(({\textsf {Enc}},{\textsf {Dec}})\) there is a ciphertext re-randomization algorithm \({\textsf {ReRand}}\) that can statistically refresh ciphertexts. Namely, for any ciphertext \({\textsf {CT}}\) encrypting a bit b, \({\textsf {ReRand}}({\textsf {CT}})\) produces a ciphertext that is statistically close to a fresh encryption \({\textsf {Enc}}(b)\). Note that this immediately gives rise to a hard statistical difference problem: given a pair of ciphertexts \(({\textsf {CT}},{\textsf {CT}}')\), decide whether the corresponding re-randomized distributions given by the circuits \((C_0(\cdot ),C_1(\cdot )):=({\textsf {ReRand}}({\textsf {CT}};\cdot ),{\textsf {ReRand}}({\textsf {CT}}';\cdot ))\) are statistically far or close. Indeed, this corresponds to whether they encrypt the same bit or not, which is hard to decide by the security of the encryption scheme.
A feature of this construction of hard statistical difference instances is that, similarly to most constructions in cryptography, it is fully black-box [RTV04] in the sense that the circuits \(C_0,C_1\) only make black-box use of the encryption scheme’s algorithms, and can in fact be represented as oracle-aided circuits \((C_0^{{\textsf {ReRand}}(\cdot )},C_1^{{\textsf {ReRand}}(\cdot )})\). Furthermore, “hardness” can be shown by a black-box reduction that can use any decider for the problem in a black-box way to break the underlying encryption scheme. More generally, one can consider the statistical difference problem relative to different oracles implementing different cryptographic primitives and ask when hardness can be shown based on a black-box reduction. We will rule out such reductions relative to IO and OWPs (and everything that follows from these in a fully black-box way).
2.2 Fully Black-Box Constructions of Hard SD Problems from IO and OWPs
We start by defining the statistical difference problem relative to oracles. In the following definition, for an oracle-aided (sampler) circuit \(C^{(\cdot )}\) with n-bit input and an oracle \(\varPsi \), we denote by \(\varvec{C}^\varPsi \) the output distribution \(C^\varPsi (r)\) where \(r \leftarrow \left\{ 0,1\right\} ^n\). For two distributions \(\mathbf {X}\) and \(\mathbf {Y}\) we denote their statistical distance by \(\mathsf {\Delta }(\mathbf {X},\mathbf {Y})\).
Definition 2.1
We now formally define the class of constructions and reductions ruled out. That is, fully black-box constructions of hard statistical distance problems from OWPs and IO for OWP-aided circuits. The definition is similar in spirit to those in [AS15, AS16], adapted to our context of \({\textsf {SZK}}\)-hardness.
Definition 2.2
Black-box security proof: There exist functions \(q_\mathcal {R}(\cdot ), \varepsilon _\mathcal {R}(\cdot )\) such that the following holds. Let \({{f}}\) be any distribution on permutations and let \({{i\mathcal {O}}}\) be any distribution on functions such that \({\widehat{C}}^{{f}}\equiv C^{{f}}\) for any \(C^{(\cdot )}\) and r, where \({\widehat{C}}^{(\cdot )}\,:=\,{{i\mathcal {O}}}(C^{(\cdot )},r)\). Then for any probabilistic oracle-aided \(\mathcal {A}\) that decides \(\varPi \) in the worst case, namely, for all \(n\in \mathbb {N}\) the reduction breaks either \({{f}}\) or \({{i\mathcal {O}}}\), namely, for infinitely many \(n\in \mathbb {N}\) either or where in both \(\mathcal {R}\) makes at most \(q_\mathcal {R}(n)\) queries to any of its oracles \((\mathcal {A},{{f}},{{i\mathcal {O}}})\), and any query \((C_0^{(\cdot )},C_1^{(\cdot )})\) it makes to \(\mathcal {A}\) consists of circuits that also make at most \(q_\mathcal {R}(n)\) queries to their oracles \(({{f}},{{i\mathcal {O}}})\). The random variable \({\mathsf {Exp}}^{\mathsf {iO}}_{({{f}},{{i\mathcal {O}}}), {{i\mathcal {O}}}, \mathcal {C},\mathcal {R}^{\mathcal {A}}}(n)\) represents the reduction’s winning probability in the IO security game relative to \(({{f}},{{i\mathcal {O}}})\).

Correctness. Typically, we also require certain correctness from the black-box construction. For instance, in the next section, we shall require that the construction always satisfies the \({\textsf {NP}} \cap {\textsf {coNP}}\) structure. In the above definition, the construction is allowed to yield instances \((C_0^{{{f}},{{i\mathcal {O}}}},C_1^{{{f}},{{i\mathcal {O}}}})\) that do not satisfy the \({\textsf {SZK}}\) promise; namely \((C_0^{{{f}},{{i\mathcal {O}}}},C_1^{{{f}},{{i\mathcal {O}}}})\notin \mathbf {SD}_Y^{{{f}},{{i\mathcal {O}}}}\cup \mathbf {SD}_N^{{{f}},{{i\mathcal {O}}}}\). It is natural to think of more stringent definitions that require that the corresponding problem \(\varPi ^{{{f}},{{i\mathcal {O}}}}\) is non-trivial, in the sense that \(\varPi ^{{{f}},{{i\mathcal {O}}}}\,\cap \,\mathbf {SD}_Y^{{{f}},{{i\mathcal {O}}}}\,\ne \,\emptyset \) and \(\varPi ^{{{f}},{{i\mathcal {O}}}}\,\cap \,\mathbf {SD}_N^{{{f}},{{i\mathcal {O}}}}\,\ne \,\emptyset \) (which is the case for known constructions of SZK hardness from cryptographic primitives). Our impossibility is more general and would, in particular, rule out such definitions as well.

Worst-Case vs. Average-Case Hardness. In the above, we address worst-case hardness, in the sense that the reduction \(\mathcal {R}\) has to break the underlying primitives only given a decider \(\mathcal {A}\) that is always correct. One could further ask whether IO and OWPs even imply average-case hardness in \({\textsf {SZK}}\) (as do many of the algebraic hardness assumptions in cryptography). Ruling out worst-case hardness (as we will do shortly) in particular rules out such average-case hardness as well.

IO for Oracle-Aided Circuits. Following [AS15, AS16], we consider indistinguishability obfuscation for oracle-aided circuits \(C^{f}\) that can make calls to the one-way permutation oracle. This model captures constructions where IO is applied to circuits that use pseudorandom generators, puncturable pseudorandom functions, or injective one-way functions, as all of those have fully black-box constructions from one-way permutations (see further discussion in [AS15]). This includes almost all known constructions from IO, including public-key encryption, deniable encryption [SW14], functional encryption [Wat15], delegation [BGL+15, CHJV15, KLW15], and hard (on-average) \({\textsf {PPAD}}\) instances [BPR15]. Accordingly, separating \({\textsf {SZK}}\) from IO and OWPs in this model results in a similar separation between \({\textsf {SZK}}\) and any one of these primitives.
We note that there are a few applications, though, that do not fall under this model. The first is in applications where the obfuscated circuit might itself output (smaller) obfuscated circuits, for instance in the construction of IO for Turing machines from IO-based succinct randomized encodings [BGL+15, CHJV15, KLW15]. To capture such applications, one would have to extend the model to also account for circuits with IO gates (and not only OWP gates). A second example is the construction of non-interactive witness indistinguishable proofs from IO [BP15]. There an obfuscated circuit may get as input another obfuscated circuit and would have to internally run it; furthermore, in this application, the code of the obfuscator is used in a (non-black-box) ZAP. Extending our results (and those of [AS15, AS16]) to these models is an interesting question, left for future work.

Security Loss. In the above definition the functions \(q_\mathcal {R}\) and \(\varepsilon _\mathcal {R}\) capture the security loss of the reduction. Most commonly in cryptography, the query complexity is polynomial, \(q_\mathcal {R}(n)=n^{O(1)}\), and the probability of breaking the underlying primitive is inverse polynomial, \(\varepsilon _{\mathcal {R}}(n) = n^{-O(1)}\). Our lower bounds will in fact apply for exponential \(q_{\mathcal {R}},\varepsilon _{\mathcal {R}}^{-1}\). This allows capturing also constructions that rely on subexponentially secure primitives (e.g., [BGL+15, CHJV15, KLW15, BPR15, BPW16]).
Theorem 2.3
Any fully black-box construction of a statistical difference problem \(\varPi \) from OWPs and IO for circuits with OWP gates has an exponential security loss: \(\max (q_{\mathcal {R}}(n),\varepsilon _{\mathcal {R}}^{-1}(n)) \ge \varOmega (2^{n/12})\).
The proof of the theorem follows a common methodology (applied for instance in [HR04, HHRS15, AS15]). We exhibit two (distributions on) oracles \((\varPsi ,\mathsf {StaDif}^{\varPsi })\), where \(\varPsi \) realizes OWPs and IO for circuits with OWP gates, and \(\mathsf {StaDif}^{\varPsi }\) decides \(\mathbf {SD}^{\varPsi }\), the statistical difference problem relative to \(\varPsi \), in the worst case. Since \(\mathbf {SD}\) is complete for \({\textsf {SZK}}\) in a relativizing manner, solving \(\mathbf {SD}^\varPsi \) suffices to break \({\textsf {SZK}}^\varPsi \). We then show that the primitives realized by \(\varPsi \) are (exponentially) secure even in the presence of \(\mathsf {StaDif}^{\varPsi }\). Then viewing \(\mathsf {StaDif}\) as a worst-case decider \(\mathcal {A}\) (as per Definition 2.2) directly implies Theorem 2.3, ruling out fully black-box constructions with a subexponential security loss. We defer the oracle description and the proof to the full version.
3 One-Way Functions, Indistinguishability Obfuscation, and Hardness in \({\textsf {NP}} \cap {\textsf {coNP}}\)
In this section, we show that injective one-way functions (IOWFs) and indistinguishability obfuscation (IO), for circuits with IOWF gates, do not give rise to a black-box construction of hard problems in \({\textsf {NP}} \cap {\textsf {coNP}}\). This can be seen as a generalization of previous separations by Rudich [Rud88], showing that OWFs do not give hardness in \({\textsf {NP}} \cap {\textsf {coNP}}\), by Matsuda and Matsuura [MM11], showing that IOWFs do not give one-way permutations (which are a special case of hardness in \({\textsf {NP}} \cap {\textsf {coNP}}\)), and by Asharov and Segev [AS16], showing that OWFs and IO do not give one-way permutations. As in the previous section, the result implies that many cryptographic primitives, and hardness in \({\textsf {PPAD}}\), also do not yield black-box constructions of hard problems in \({\textsf {NP}} \cap {\textsf {coNP}}\).
We first define the framework of \({\textsf {NP}} \cap {\textsf {coNP}}\) relative to oracles, define fully black-box constructions of hard \({\textsf {NP}} \cap {\textsf {coNP}}\) problems, and then move on to the actual separation.
3.1 \({\textsf {NP}} \cap {\textsf {coNP}}\)
But what about more structured primitives such as public-key encryption, oblivious transfer, or even indistinguishability obfuscation? Indeed, IO (plus OWFs) has been shown to imply hardness in \({\textsf {PPAD}}\) and more generally in the class \({\textsf {TFNP}}\) of total search problems, which is often viewed as the search analog of \({\textsf {NP}} \cap {\textsf {coNP}}\) [MP91]. We will show, however, that fully black-box constructions do not give rise to a hard problem in \({\textsf {NP}} \cap {\textsf {coNP}}\) from OWFs (or even injective OWFs) and IO for circuits with OWF gates.
3.2 Fully Black-Box Constructions of Hardness in \({\textsf {NP}} \cap {\textsf {coNP}}\) from IO and IOWFs
We start by defining \({\textsf {NP}} \cap {\textsf {coNP}}\) relative to oracles [Rud88]. This, in particular, captures black-box constructions of such languages from cryptographic primitives, such as one-way functions in [Rud88] or indistinguishability obfuscation, which we will consider in this work.
Definition 3.1
We now formally define the class of constructions and reductions ruled out. That is, fully black-box constructions of hard problems in \({\textsf {NP}} \cap {\textsf {coNP}}\) from injective one-way functions (IOWFs) and IO for IOWF-aided circuits. The definition is similar in spirit to those in [AS15, AS16] and in Sect. 2, adapted to the context of \({\textsf {NP}} \cap {\textsf {coNP}}\) hardness.
Definition 3.2
1. Structure: Let \(\mathfrak {S}\) be the family of all oracles \(({{f}},{{i\mathcal {O}}})\) such that \({{f}}\) is injective and \({{i\mathcal {O}}}\) is a function such that \({\widehat{C}}^{{f}}\equiv C^{{f}}\) for any \(C^{(\cdot )}\in \mathcal {C}\), r, and \({\widehat{C}}^{(\cdot )}\,:=\,{{i\mathcal {O}}}(C,r)\). Then \((V_0,V_1)\) define a language \(L^{{{f}},{{i\mathcal {O}}}}\in {\mathsf {NP}}^{{{f}},{{i\mathcal {O}}}} \cap {\mathsf {coNP}}^{{{f}},{{i\mathcal {O}}}}\) relative to any oracle \(({{f}},{{i\mathcal {O}}}) \in \mathfrak {S}\) (as per Definition 3.1).
2. Black-box security proof: There exist functions \(q_\mathcal {R}(\cdot ), \varepsilon _\mathcal {R}(\cdot )\) such that the following holds. Let \(({{f}},{{i\mathcal {O}}})\) be any distribution supported on the family \(\mathfrak {S}\) defined above. Then for any probabilistic oracle-aided \(\mathcal {A}\) that decides \(L^{{{f}},{{i\mathcal {O}}}}\) in the worst case, namely, for all \(n\in \mathbb {N}\) the reduction breaks either \({{f}}\) or \({{i\mathcal {O}}}\), namely, for infinitely many \(n\in \mathbb {N}\) either or
$$\begin{aligned} \left| \Pr \left[ {\mathsf {Exp}}^{\mathsf {iO}}_{({{f}},{{i\mathcal {O}}}), {{i\mathcal {O}}}, \mathcal {C},\mathcal {R}^{\mathcal {A}}}(n) = 1\right] - \frac{1}{2}\right| \ge \varepsilon _\mathcal {R}(n), \end{aligned}$$
where in both \(\mathcal {R}\) makes at most \(q_\mathcal {R}(n)\) queries to any of its oracles \((\mathcal {A},{{f}},{{i\mathcal {O}}})\), and for any query x made to \(\mathcal {A}\), the non-deterministic verifiers \(V_0^{{{f}},{{i\mathcal {O}}}}(x),V_1^{{{f}},{{i\mathcal {O}}}}(x)\) make at most \(q_\mathcal {R}(n)\) queries to their oracles (for any non-deterministic choice of a witness w). The random variable \({\mathsf {Exp}}^{\mathsf {iO}}_{({{f}},{{i\mathcal {O}}}), {{i\mathcal {O}}}, \mathcal {C},\mathcal {R}^{\mathcal {A}}}(n)\) represents the reduction’s winning probability in the IO security game relative to \(({{f}},{{i\mathcal {O}}})\).
Remark about Correct Structure. We note that here we explicitly impose a correctness requirement, which we refer to as structure; namely, that the construction yields a language in \({\textsf {NP}} \cap {\textsf {coNP}}\) for any implementation of OWPs and IO. This is different from the setting of Definition 2.2, where we considered promise problems and allowed the construction not to satisfy the promise occasionally.
Concretely, we require that \(V_0,V_1\) give a language in \({\textsf {NP}} \cap {\textsf {coNP}}\) for every oracle implementing IOWFs and IO. This follows the modeling of [BI87],^{11} and aligns with how we usually think about correctness of black-box constructions of cryptographic primitives. For instance, the construction of public-key encryption from trapdoor permutations is promised to be correct for all oracles implementing the trapdoor permutation. Similarly, the construction of hard \({\textsf {NP}} \cap {\textsf {coNP}}\) languages from one-way permutations gives an \({\textsf {NP}} \cap {\textsf {coNP}}\) language for any oracle implementing a permutation.
We also note that, as in Definition 2.2, our definition addresses worst-case hardness, which makes our impossibility result stronger. See further discussion after Definition 2.2.
Ruling out Fully Black-Box Constructions: A Road Map. Our main result in this section is that fully black-box constructions of a hard \({\textsf {NP}} \cap {\textsf {coNP}}\) problem from IO and IOWFs do not exist. Furthermore, this holds even if the latter primitives are exponentially secure.
Theorem 3.3
The proof of the theorem follows a similar methodology to the proof of Theorem 2.3. We exhibit two (distributions on) oracles \((\varPsi ,\mathsf {Decide}^{\varPsi })\), where \(\varPsi \) realizes IOWFs and IO for circuits with IOWF gates, and \(\mathsf {Decide}^{\varPsi }\) decides \(L^{\varPsi } \in {\mathsf {NP}}^{\varPsi } \cap {\mathsf {coNP}}^{\varPsi }\) in the worst case. We then show that the primitives realized by \(\varPsi \) are (exponentially) secure even in the presence of \(\mathsf {Decide}^{\varPsi }\). Then viewing \(\mathsf {Decide}\) as a worst-case decider \(\mathcal {A}\) (as per Definition 3.2) directly implies Theorem 3.3, ruling out fully black-box constructions with a subexponential security loss.
We defer the formal treatment to the full version.
4 Collision-Resistance from IO and SZK-Hardness
Asharov and Segev [AS15] showed that collision-resistant hashing cannot be constructed from (even subexponentially hard) indistinguishability obfuscation (IO) and one-way permutations (OWPs) relying on common IO techniques. Slightly more accurately, they rule out fully black-box constructions where (as in previous sections) IO is defined with respect to circuits with OWP oracle gates. In this section, we show that, assuming IO and a strong form of \({\textsf {SZK}}\)-hardness, there is indeed a construction of collision-resistant hashing (CRH).
The High-Level Idea Behind the Construction. The starting point for our construction is the work of Ishai et al. [IKO05] that shows how to construct collision-resistant hash functions from commitments that are additively homomorphic (for simplicity, say over \(\mathbb {F}_2\)). The idea is simple: we can hash \(\ell \) bits to m bits, where m is the size of a single bit commitment and \(\ell \) can be arbitrarily longer, as follows. The hash key is a commitment \(\gamma :=(\mathsf {com}(\beta _1),\dots ,\mathsf {com}(\beta _\ell ))\) to a random vector \(\beta \in \mathbb {F}_2^{\ell }\), and hashing \(x\in \mathbb {F}_2^\ell \) is done by homomorphically computing a commitment to the inner product \(\mathsf{CRH}_{\gamma }(x) = \mathsf {com}(\langle \beta ,x\rangle )\).
This idea can, in fact, be abstracted to work with any commitment scheme wherein a commitment \(\mathsf {com}(\beta )\) to a random key \(\beta \) of a 2-universal hash allows one to homomorphically compute a commitment \(\mathsf {com}(\mathsf{2UH}_{\beta }(x))\) to the hash at any point x, so that the resulting commitment is compact in the sense that it depends only on the size of \(\mathsf{2UH}_{\beta }(x)\) and not on the size of x. Intuitively, the reason this works is that any collision in \(\mathsf{CRH}_{\gamma }\) implies a collision in the underlying 2-universal hash \(\mathsf{2UH}_{\beta }\), which leaks information about the hash key \(\beta \) (concretely, any fixed \(x,x'\) form a collision in a random hash function with small probability), thereby violating the hiding of the commitment.
At a high level, we aim to mimic the above construction based on obfuscation. As a key for the collision-resistant hash we can obfuscate a program \(\varPi _{\beta }\) associated with a secret hash key \(\beta \) that given x outputs a commitment \(\mathsf {com}(\mathsf{2UH}_{\beta }(x))\), where the commitment is derandomized using a PRF. The obfuscation \(i\mathcal {O}(\varPi _{\beta })\) can be thought of as the commitment to \(\beta \), and evaluating this program at x corresponds to homomorphic evaluation. Despite the clear intuition behind this construction, it is not clear how to prove its security based on IO. In fact, by [AS15], it cannot be proven based on a black-box reduction as long as plain statistically-binding commitments are used, as these can be constructed from OWPs in a fully black-box manner.
We show, however, that relying on a relaxed notion of perfectlyhiding commitments, as well as subexponential hardness of IO and puncturable PRFs, the construction can be proven secure. The perfect hiding of the commitment is leveraged in a probabilistic IO argument [CLTV15] that involves a number of hybrids larger than the overall number of commitments. We then observe that these relaxed commitments follow from appropriate averagecase hardness of \({\textsf {SZK}}\).^{12}
Footnotes
1. More accurately, these primitives follow from IO and one-way functions (OWFs), and accordingly our separation addresses IO and OWFs in conjunction. The concept of a black-box reduction from IO and OWFs requires clarification and discussion. Here we follow the framework of Asharov and Segev [AS15]; we elaborate below.
2. Roughly speaking, [BI87] rule out perfectly correct constructions, where the \({\textsf {NP}} \cap {\textsf {coNP}}\) structure is guaranteed for any implementation of the OWF oracle. In [Rud88], this is generalized also to almost perfectly correct constructions that only work for an overwhelming fraction of OWF oracles. We also rule out constructions that are perfectly correct.
3. We note that previous work [Ost91, OV08] does imply that constant-round statistically-hiding commitments have a black-box reduction to any hard-on-average \({\textsf {SZK}}\) problem. However, [AS15] do not rule these out (but only collision-resistant hashing). We also note that in any case, our result also rules out constructions of worst-case hard \({\textsf {SZK}}\) problems (rather than average-case hard problems).
4.
5. Rudich [Rud88] also considered a slight relaxation of constructions that are correct for an overwhelming fraction of oracles rather than all.
6. We note that this issue does not come up for black-box constructions of \({\textsf {SZK}}\) promise problems, because the construction is allowed to yield instances that do not obey the promise; there, correctness is always guaranteed, and the only question is whether the instances that do satisfy the promise are hard to decide.
7. E.g., the language of all valid obfuscations and indices i such that the ith bit of the obfuscated circuit is 1.
8. More accurately, this is the case for Rudich's result for \({\textsf {NP}} \cap {\textsf {coNP}}\), whereas for the other results that rule out constructions of one-way permutations, one can simulate an analog of \(\mathsf {Decide}\) that inverts the permutation.
9. In the body, we describe a slightly more abstract construction where the inner product is replaced by an arbitrary 2-universal hash function.
10. Similar \({\textsf {SZK}}\)-hardness is known to imply statistically-hiding commitments against malicious receivers, but with a larger (constant) number of rounds [OV08].
11. Rudich [Rud88] also considered a slight relaxation of constructions that are correct for an overwhelming fraction of oracles rather than all.
12. Similar \({\textsf {SZK}}\)-hardness is known to imply statistically-hiding commitments against malicious receivers, but with a larger (constant) number of rounds [OV08].
Acknowledgements
We thank Gil Segev, Iftach Haitner and Mohammad Mahmoody for elaborately answering our questions regarding existing separation results in cryptography. We also thank the anonymous reviewers for their valuable comments.
References
[ABW10] Applebaum, B., Barak, B., Wigderson, A.: Public-key cryptography from different assumptions. In: Proceedings of the 42nd ACM Symposium on Theory of Computing, STOC 2010, Cambridge, Massachusetts, USA, 5–8 June 2010, pp. 171–180 (2010)
[AGGM06] Akavia, A., Goldreich, O., Goldwasser, S., Moshkovitz, D.: On basing one-way functions on NP-hardness. In: Kleinberg [Kle06], pp. 701–710 (2006)
[AH91] Aiello, W., Hastad, J.: Statistical zero-knowledge languages can be recognized in two rounds. J. Comput. Syst. Sci. 42(3), 327–345 (1991)
[Ale03] Alekhnovich, M.: More on average case vs approximation complexity. In: 44th Symposium on Foundations of Computer Science (FOCS 2003), Cambridge, MA, USA, 11–14 October 2003, Proceedings [DBL03], pp. 298–307 (2003)
[AR04] Aharonov, D., Regev, O.: Lattice problems in NP ∩ coNP. In: 45th Symposium on Foundations of Computer Science (FOCS 2004), Rome, Italy, 17–19 October 2004, Proceedings, pp. 362–371. IEEE Computer Society (2004)
[AR16] Applebaum, B., Raykov, P.: From private simultaneous messages to zero-information Arthur-Merlin protocols and back. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 65–82. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49099-0_3
[AS15] Asharov, G., Segev, G.: Limits on the power of indistinguishability obfuscation and functional encryption. In: Symposium on the Foundations of Computer Science (2015)
[AS16] Asharov, G., Segev, G.: On constructing one-way permutations from indistinguishability obfuscation. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9563, pp. 512–541. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49099-0_19
[Bar13] Barak, B.: Structure vs. combinatorics in computational complexity (2013). http://windowsontheory.org/2013/10/07/structurevscombinatoricsincomputationalcomplexity/
[BB15] Bogdanov, A., Brzuska, C.: On basing size-verifiable one-way functions on NP-hardness. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 1–6. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46494-6_1
[BBF13] Baecher, P., Brzuska, C., Fischlin, M.: Notions of black-box reductions, revisited. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 296–315. Springer, Heidelberg (2013). doi:10.1007/978-3-642-42033-7_16
[BGI+01] Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_1
[BGL+15] Bitansky, N., Garg, S., Lin, H., Pass, R., Telang, S.: Succinct randomized encodings and their applications. In: Symposium on Theory of Computing, STOC 2015 (2015)
[BHZ87] Boppana, R.B., Hastad, J., Zachos, S.: Does co-NP have short interactive proofs? Inf. Process. Lett. 25(2), 127–132 (1987)
[BI87] Blum, M., Impagliazzo, R.: Generic oracles and oracle classes. In: Proceedings of the 28th Annual Symposium on Foundations of Computer Science, SFCS 1987, pp. 118–126. IEEE Computer Society, Washington (1987)
[BKSY11] Brakerski, Z., Katz, J., Segev, G., Yerukhimovich, A.: Limits on the power of zero-knowledge proofs in cryptographic constructions. In: Ishai [Ish11], pp. 559–578 (2011)
[BL13] Bogdanov, A., Lee, C.H.: Limits of provable security for homomorphic encryption. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 111–128. Springer, Heidelberg (2013). doi:10.1007/978-3-642-40041-4_7
[BM09] Barak, B., Mahmoody-Ghidary, M.: Merkle puzzles are optimal—an O(n^2)-query attack on any key exchange from a random oracle. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 374–390. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03356-8_22
[BP15] Bitansky, N., Paneth, O.: ZAPs and non-interactive witness indistinguishability from indistinguishability obfuscation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 401–427. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46497-7_16
[BPR15] Bitansky, N., Paneth, O., Rosen, A.: On the cryptographic hardness of finding a Nash equilibrium. In: Guruswami, V. (ed.) IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS 2015, Berkeley, CA, USA, 17–20 October 2015, pp. 1480–1498. IEEE Computer Society (2015)
[BPW16] Bitansky, N., Paneth, O., Wichs, D.: Perfect structure on the edge of chaos. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 474–502. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49096-9_20
[Bra79] Brassard, G.: Relativized cryptography. In: 20th Annual Symposium on Foundations of Computer Science, San Juan, Puerto Rico, 29–31 October 1979, pp. 383–391. IEEE Computer Society (1979)
[BT03] Bogdanov, A., Trevisan, L.: On worst-case to average-case reductions for NP problems. In: 44th Symposium on Foundations of Computer Science (FOCS 2003), Cambridge, MA, USA, 11–14 October 2003, Proceedings [DBL03], pp. 308–317 (2003)
[BV11] Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. In: Ostrovsky, R. (ed.) FOCS, pp. 97–106. IEEE (2011). (Invited to SIAM Journal on Computing)
[CDT09] Chen, X., Deng, X., Teng, S.H.: Settling the complexity of computing two-player Nash equilibria. J. ACM 56(3), 14 (2009)
[CHJV15] Canetti, R., Holmgren, J., Jain, A., Vaikuntanathan, V.: Succinct garbling and indistinguishability obfuscation for RAM programs. In: Proceedings of the 47th Annual ACM Symposium on Theory of Computing, STOC 2015, Portland, OR, USA, 14–17 June 2015, pp. 429–437 (2015)
[CLTV15] Canetti, R., Lin, H., Tessaro, S., Vaikuntanathan, V.: Obfuscation of probabilistic circuits and applications. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 468–497. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46497-7_19
[Cra12] Cramer, R. (ed.): Theory of Cryptography: 9th Theory of Cryptography Conference, TCC 2012, Taormina, Sicily, Italy, 19–21 March 2012, Proceedings. LNCS, vol. 7194. Springer, Heidelberg (2012)
[DBL00] Proceedings of the 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, Redondo Beach, California, USA, 12–14 November 2000. IEEE Computer Society (2000)
[DBL03] Proceedings of the 44th Symposium on Foundations of Computer Science (FOCS 2003), Cambridge, MA, USA, 11–14 October 2003. IEEE Computer Society (2003)
[DGP06] Daskalakis, C., Goldberg, P.W., Papadimitriou, C.H.: The complexity of computing a Nash equilibrium. In: Kleinberg [Kle06], pp. 71–78 (2006)
[DH76] Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
[DHT12] Dodis, Y., Haitner, I., Tentes, A.: On the instantiability of hash-and-sign RSA signatures. In: Cramer [Cra12], pp. 112–132 (2012)
[DLMM11] Dachman-Soled, D., Lindell, Y., Mahmoody, M., Malkin, T.: On the black-box complexity of optimally-fair coin tossing. In: Ishai [Ish11], pp. 450–467 (2011)
[ESY84] Even, S., Selman, A.L., Yacobi, Y.: The complexity of promise problems with applications to public-key cryptography. Inf. Control 61(2), 159–173 (1984)
[Fis12] Fischlin, M.: Black-box reductions and separations in cryptography. In: Mitrokotsa, A., Vaudenay, S. (eds.) AFRICACRYPT 2012. LNCS, vol. 7374, pp. 413–422. Springer, Heidelberg (2012). doi:10.1007/978-3-642-31410-0_26
[For89] Fortnow, L.J.: Complexity-theoretic aspects of interactive proof systems. Ph.D. thesis, Massachusetts Institute of Technology (1989)
[Gen09] Gentry, C.: Fully homomorphic encryption using ideal lattices. In: STOC, pp. 169–178 (2009)
[GG98] Goldreich, O., Goldwasser, S.: On the possibility of basing cryptography on the assumption that \(P \ne NP\). IACR Cryptology ePrint Archive, 1998:5 (1998)
[GGH+13a] Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, Berkeley, CA, USA, 26–29 October 2013, pp. 40–49. IEEE Computer Society (2013)
[GGH+13b] Garg, S., Gentry, C., Halevi, S., Sahai, A., Raykova, M., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS (2013)
[GGKT05] Gennaro, R., Gertner, Y., Katz, J., Trevisan, L.: Bounds on the efficiency of generic cryptographic constructions. SIAM J. Comput. 35(1), 217–246 (2005)
[GK93] Goldreich, O., Kushilevitz, E.: A perfect zero-knowledge proof system for a problem equivalent to the discrete logarithm. J. Cryptol. 6(2), 97–116 (1993)
[GKLM12] Goyal, V., Kumar, V., Lokam, S.V., Mahmoody, M.: On black-box reductions between predicate encryption schemes. In: Cramer [Cra12], pp. 440–457 (2012)
[GKM+00] Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The relationship between public key encryption and oblivious transfer. In: 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, Redondo Beach, California, USA, 12–14 November 2000 [DBL00], pp. 325–335 (2000)
[GM82] Goldwasser, S., Micali, S.: Probabilistic encryption and how to play mental poker keeping secret all partial information. In: Lewis, H.R., Simons, B.B., Burkhard, W.A., Landweber, L.H. (eds.) Proceedings of the 14th Annual ACM Symposium on Theory of Computing, San Francisco, California, USA, 5–7 May 1982, pp. 365–377. ACM (1982)
[GMM07] Gertner, Y., Malkin, T., Myers, S.: Towards a separation of semantic and CCA security for public key encryption. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 434–455. Springer, Heidelberg (2007). doi:10.1007/978-3-540-70936-7_24
[GMR85] Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems (extended abstract). In: Sedgewick, R. (ed.) Proceedings of the 17th Annual ACM Symposium on Theory of Computing, Providence, Rhode Island, USA, 6–8 May 1985, pp. 291–304. ACM (1985)
[GMR01] Gertner, Y., Malkin, T., Reingold, O.: On the impossibility of basing trapdoor functions on trapdoor predicates. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, Las Vegas, Nevada, USA, 14–17 October 2001, pp. 126–135. IEEE Computer Society (2001)
[GMW91] Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity for all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)
[Gol06] Goldreich, O.: On promise problems: a survey. In: Goldreich, O., Rosenberg, A.L., Selman, A.L. (eds.) Theoretical Computer Science. LNCS, vol. 3895, pp. 254–290. Springer, Heidelberg (2006). doi:10.1007/11685654_12
[GT00] Gennaro, R., Trevisan, L.: Lower bounds on the efficiency of generic cryptographic constructions. In: 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, Redondo Beach, California, USA, 12–14 November 2000 [DBL00], pp. 305–313 (2000)
[GV99] Goldreich, O., Vadhan, S.P.: Comparing entropies in statistical zero knowledge with applications to the structure of SZK. In: Proceedings of the 14th Annual IEEE Conference on Computational Complexity, Atlanta, Georgia, USA, 4–6 May 1999, p. 54 (1999)
[Has88] Hastad, J.: Dual vectors and lower bounds for the nearest lattice point problem. Combinatorica 8(1), 75–81 (1988)
[HH09] Haitner, I., Holenstein, T.: On the (im)possibility of key dependent encryption. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 202–219. Springer, Heidelberg (2009). doi:10.1007/978-3-642-00457-5_13
[HHRS15] Haitner, I., Hoch, J.J., Reingold, O., Segev, G.: Finding collisions in interactive protocols—tight lower bounds on the round and communication complexities of statistically hiding commitments. SIAM J. Comput. 44(1), 193–242 (2015)
[HMX10] Haitner, I., Mahmoody, M., Xiao, D.: A new sampling protocol and applications to basing cryptographic primitives on the hardness of NP. In: 2010 IEEE 25th Annual Conference on Computational Complexity (CCC), pp. 76–87. IEEE (2010)
[HR04] Hsiao, C.Y., Reyzin, L.: Finding collisions on a public road, or do secure hash functions need secret coins? In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 92–105. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28628-8_6
[IKO05] Ishai, Y., Kushilevitz, E., Ostrovsky, R.: Sufficient conditions for collision-resistant hashing. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 445–456. Springer, Heidelberg (2005). doi:10.1007/978-3-540-30576-7_24
[IR89] Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, pp. 44–61. ACM (1989)
[Ish11] Ishai, Y. (ed.): Theory of Cryptography: 8th Theory of Cryptography Conference, TCC 2011, Providence, RI, USA, 28–30 March 2011, Proceedings. LNCS, vol. 6597. Springer, Heidelberg (2011)
[Kle06] Kleinberg, J.M. (ed.): Proceedings of the 38th Annual ACM Symposium on Theory of Computing, Seattle, WA, USA, 21–23 May 2006. ACM (2006)
[KLW15] Koppula, V., Lewko, A.B., Waters, B.: Indistinguishability obfuscation for Turing machines with unbounded memory. In: Proceedings of the 47th Annual ACM Symposium on Theory of Computing, STOC 2015, Portland, OR, USA, 14–17 June 2015, pp. 419–428 (2015)
[KMN+14] Komargodski, I., Moran, T., Naor, M., Pass, R., Rosen, A., Yogev, E.: One-way functions and (im)perfect obfuscation. In: 55th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2014, Philadelphia, PA, USA, 18–21 October 2014, pp. 374–383. IEEE Computer Society (2014)
[KSS11] Kahn, J., Saks, M.E., Smyth, C.D.: The dual BKR inequality and Rudich's conjecture. Comb. Probab. Comput. 20(2), 257–266 (2011)
[KST99] Kim, J.H., Simon, D.R., Tetali, P.: Limits on the efficiency of one-way permutation-based hash functions. In: 40th Annual Symposium on Foundations of Computer Science, FOCS 1999, New York, NY, USA, 17–18 October 1999, pp. 535–542. IEEE Computer Society (1999)
[LLJS90] Lagarias, J.C., Lenstra Jr., H.W., Schnorr, C.P.: Korkin-Zolotarev bases and successive minima of a lattice and its reciprocal lattice. Combinatorica 10(4), 333–348 (1990)
[LV16] Liu, T., Vaikuntanathan, V.: On basing private information retrieval on NP-hardness. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 372–386. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49096-9_16
[MM11] Matsuda, T., Matsuura, K.: On black-box separations among injective one-way functions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 597–614. Springer, Heidelberg (2011). doi:10.1007/978-3-642-19571-6_36
[MP91] Megiddo, N., Papadimitriou, C.H.: On total functions, existence theorems and computational complexity. Theor. Comput. Sci. 81(2), 317–324 (1991)
[MV03] Micciancio, D., Vadhan, S.P.: Statistical zero-knowledge proofs with efficient provers: lattice problems and more. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 282–298. Springer, Heidelberg (2003). doi:10.1007/978-3-540-45146-4_17
[MX10] Mahmoody, M., Xiao, D.: On the power of randomized reductions and the checkability of SAT. In: 2010 IEEE 25th Annual Conference on Computational Complexity (CCC), pp. 64–75. IEEE (2010)
[Ost91] Ostrovsky, R.: One-way functions, hard on average problems, and statistical zero-knowledge proofs. In: Proceedings of the 6th Annual Structure in Complexity Theory Conference, pp. 133–138. IEEE (1991)
[OV08] Ong, S.J., Vadhan, S.: An equivalence between zero knowledge and commitments. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 482–500. Springer, Heidelberg (2008). doi:10.1007/978-3-540-78524-8_27
[Pap94] Papadimitriou, C.H.: On the complexity of the parity argument and other inefficient proofs of existence. J. Comput. Syst. Sci. 48(3), 498–532 (1994)
[Pas06] Pass, R.: Parallel repetition of zero-knowledge proofs and the possibility of basing cryptography on NP-hardness. In: 21st Annual IEEE Conference on Computational Complexity (CCC 2006), Prague, Czech Republic, 16–20 July 2006, pp. 96–110. IEEE Computer Society (2006)
[Pas13] Pass, R.: Unprovable security of perfect NIZK and non-interactive non-malleable commitments. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 334–354. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36594-2_19
[RAD78] Rivest, R., Adleman, L., Dertouzos, M.: On data banks and privacy homomorphisms. In: Foundations of Secure Computation, pp. 169–177. Academic Press (1978)
[RSA78] Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
[RSS16] Rosen, A., Segev, G., Shahaf, I.: Can PPAD hardness be based on standard cryptographic assumptions? In: Electronic Colloquium on Computational Complexity (ECCC), vol. 23, p. 59 (2016)
[RTV04] Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24638-1_1
[Rud88] Rudich, S.: Limits on the provable consequences of one-way functions. Ph.D. thesis, University of California, Berkeley (1988)
[Rud91] Rudich, S.: The use of interaction in public cryptosystems. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 242–251. Springer, Heidelberg (1992). doi:10.1007/3-540-46766-1_19
[Sim98] Simon, D.R.: Finding collisions on a one-way street: can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998). doi:10.1007/BFb0054137
[SV03] Sahai, A., Vadhan, S.: A complete problem for statistical zero knowledge. J. ACM 50(2), 196–249 (2003)
[SW14] Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Shmoys, D.B. (ed.) Symposium on Theory of Computing, STOC 2014, New York, NY, USA, 31 May–3 June 2014, pp. 475–484. ACM (2014)
[Vad99] Vadhan, S.P.: A study of statistical zero-knowledge proofs. Ph.D. thesis, Massachusetts Institute of Technology (1999)
[Wat15] Waters, B.: A punctured programming approach to adaptively secure functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 678–697. Springer, Heidelberg (2015). doi:10.1007/978-3-662-48000-7_33