Lossy Functions Do Not Amplify Well
If $f$ is injective then so is $C^f$.
If $f$ has image size of at most $2^{n-\ell}$, then $C^f$ has image size at most $2^{m-L}$.
The question is whether such $C^*$ exists for $L/m \gg \ell/n$. This problem arises naturally in the context of cryptographic “lossy functions,” where the relative lossiness is the key parameter.
We show that for every circuit $C^*$ that makes at most $t$ queries to $f$, the relative lossiness of $C^f$ is at most $L/m \le \ell/n + O(\log t)/n$. In particular, no black-box method making a polynomial $t = \mathrm{poly}(n)$ number of queries can amplify relative lossiness by more than an $O(\log n)/n$ additive term. We show that this is tight by giving a simple construction (cascading with some randomization) that achieves such amplification.
Keywords: Image Size, Random Oracle, Oblivious Transfer, Collision Problem, Oracle Query
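The following is an added illustration, not code or a construction taken from the paper: it brute-forces image sizes for a toy cascade so the $\ell/n + O(\log t)/n$ behaviour can be observed on small parameters. The cascade form $C_k(x) = f(\pi_k(C_{k-1}(x)))$ with fresh public random permutations $\pi_k$ is an assumed reading of "cascading with some randomization", and the functions, names and parameters ($n = 12$, $\ell = 2$, $m = n$) are constructed for the example.

```python
import math
import random

def lossy_function(n, ell, rng):
    """Table of a 2^ell-to-1 map on n-bit strings: image size is exactly 2^(n-ell)."""
    labels = rng.sample(range(1 << n), 1 << (n - ell))
    return [labels[x >> ell] for x in range(1 << n)]

def injective_function(n, rng):
    """Table of a random permutation of the n-bit strings."""
    table = list(range(1 << n))
    rng.shuffle(table)
    return table

def cascade_image_sizes(f, n, t, seed=0):
    """Image sizes of C_k(x) = f(pi_k(C_{k-1}(x))), k = 1..t, with C_0(x) = x.

    Each pi_k is a fresh public random permutation (the assumed "randomization");
    evaluating C_k on one input costs k oracle queries to f.
    """
    rng = random.Random(seed)
    image, sizes = set(range(1 << n)), []
    for _ in range(t):
        pi = injective_function(n, rng)
        image = {f[pi[y]] for y in image}
        sizes.append(len(image))
    return sizes

def lossiness_gain(sizes, t):
    """L - ell in bits for the t-query cascade (here m = n, so L/m = ell/n + gain/n)."""
    return math.log2(sizes[0] / sizes[t - 1])

if __name__ == "__main__":
    n, ell = 12, 2  # constructed toy parameters
    rng = random.Random(1)
    sizes = cascade_image_sizes(lossy_function(n, ell, rng), n, 64)
    for t in (1, 2, 4, 8, 16, 32, 64):
        print(f"t={t:2d}  |image|={sizes[t-1]:4d}  gain={lossiness_gain(sizes, t):.2f} bits"
              f"  log2(t)={math.log2(t):.0f}")
    inj = cascade_image_sizes(injective_function(n, rng), n, 8)
    print("injective f keeps full image:", all(s == 1 << n for s in inj))
```

In this toy the gain in lossiness grows roughly like $\log_2 t$ bits while an injective $f$ keeps the full image, which is the shape of the additive $O(\log t)/n$ term in the bound.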