(Almost) Optimal Constructions of UOWHFs from 1-to-1, Regular One-Way Functions and Beyond
Abstract
We revisit the problem of black-box constructions of universal one-way hash functions (UOWHFs) from several typical classes of one-way functions (OWFs), and give respective constructions that either improve or generalize the best previously known.

For any 1-to-1 one-way function, we give an optimal construction of UOWHFs with key and output length \(\varTheta (n)\) by making a single call to the underlying OWF. This improves the constructions of Naor and Yung (STOC 1989) and De Santis and Yung (Eurocrypt 1990) that need key length \(O(n\cdot \omega (\log {n}))\).

For any known-(almost-)regular one-way function with known hardness, we give an optimal construction of UOWHFs with key and output length \(\varTheta (n)\) and a single call to the one-way function.

For any known-(almost-)regular one-way function, we give a construction of UOWHFs with key and output length \(O(n{\cdot }\omega (1))\) by making \(\omega (1)\) non-adaptive calls to the one-way function. This improves the construction of Barhum and Maurer (Latincrypt 2012) that requires key and output length \(O(n{\cdot }\omega (\log {n}))\) and \(\omega (\log {n})\) calls.

For any weakly-regular one-way function introduced by Yu et al. at TCC 2015 (i.e., the set of inputs with maximal number of siblings is of an \(n^{-c}\)-fraction for some constant c), we give a construction of UOWHFs with key length \(O(n{\cdot }{\log }n)\) and output length \(\varTheta (n)\). This generalizes the construction of Ames et al. (Asiacrypt 2012) which requires an unknown-regular one-way function (i.e., \(c=0\)).
Along the way, we use several techniques that might be of independent interest. We show that almost 1-to-1 (except for a negligible fraction) one-way functions and known-(almost-)regular one-way functions are equivalent in the known-hardness (or non-uniform) setting, by giving an optimal construction of the former from the latter. In addition, we show how to transform any one-way function that is far from regular (but only weakly regular on a noticeable fraction of domain) into an almost-regular one-way function.
Keywords
Universal One-way Hash Functions (UOWHFs), Output Length, Noticeable Fraction, Negligible Fraction, Leftover Hash Lemma
1 Introduction
Informally, a family of compressing hash functions, denoted by \(\mathcal {G}\), is called universal one-way if, given a random function \(g\in \mathcal {G}\) and a random (or equivalently, any pre-fixed) input x, it is infeasible for any efficient algorithm to find any \(x'\ne {x}\) satisfying \(g(x)=g(x')\). The seminal result that one-way functions (OWFs) imply universal one-way hash functions (UOWHFs) [17] constitutes one of the central pieces of modern cryptography. Applications of UOWHFs include basing digital signatures [9] on minimal assumptions (one-way functions), the Cramer-Shoup encryption scheme [4], statistically hiding commitment schemes [12, 13], etc.
UOWHFs from any OWFs. The principal possibility result that UOWHFs can be based on any OWF was established by Rompel [17] (with some corrections given in [15, 18]). However, Rompel’s construction was quite complicated and extremely impractical. In particular, for any one-way function on n-bit inputs it requires key length \(\tilde{O}(n^{12})\) and output length \(\tilde{O}(n^{8})\). Haitner et al. [11] improved the construction via the notion of inaccessible entropy [13], and reduced key and output length to \(\tilde{O}(n^{7})\). Therefore, even the best known generic UOWHF constructions (based on arbitrary OWFs) are mainly of theoretical interest and are too inefficient to be of any practical use.
A summary of existing constructions [1, 3, 16, 19] and our work, where KROWF and UROWF are the shorthands for known-regular and unknown-regular one-way functions respectively, \(\varepsilon \)-hard KROWF additionally assumes that the hardness parameter \(\varepsilon \) of KROWF is known, and \(n^{-c}\)-WUROWF is the shorthand for weakly unknown-regular one-way functions (see Footnote 7 and formally Definition 9).
|  | Assumption | Output Length | Key Length | # of Calls | Type of Call |
|---|---|---|---|---|---|
| [16] | OWP | \(\varTheta (n)\) | \(\varTheta (n)\) | 1 | non-adaptive |
|  | 1-to-1 OWF | \(\varTheta (n)\) | \(O(\omega (\log {n}){\cdot }n)\) | 1 | non-adaptive |
| [19] | KROWF | \(O(\omega (\log ^2{n})\cdot {n})\) | \(O(\omega (\log ^2{n})\cdot {n})\) | \(O(\omega (\log {n}))\) | adaptive |
| [3] | KROWF | \(O(\omega (\log {n})\cdot {n})\) | \(O(\omega (\log {n})\cdot {n})\) | \(O(\omega (\log {n}))\) | non-adaptive |
| [1] | UROWF | \(\varTheta (n)\) | \(O(\log {n}\cdot {n})\) | \(\tilde{O}(n)\) | adaptive |
| ours | 1-to-1 OWF | \(\varTheta (n)\) | \(\varTheta (n)\) | 1 | non-adaptive |
| ours | \(\varepsilon \)-hard KROWF | \(\varTheta (n)\) | \(\varTheta (n)\) | 1 | non-adaptive |
| ours | KROWF | \(O(\omega (1)\cdot {n})\) | \(O(\omega (1)\cdot {n})\) | \(O(\omega (1))\) | non-adaptive |
| ours | \(n^{-c}\)-WUROWF | \(\varTheta (n)\) | \(O(\log {n}\cdot {n})\) | \(\tilde{O}(n^{2c+1})\) | adaptive |
Summary of our constructions. In this paper, we give the following constructions from the respective aforementioned one-way functions. The first two constructions enjoy optimal parameters simultaneously and they are (almost) security-preserving^{3}, the third achieves parameters that are almost optimal up to an arbitrarily small super-constant factor \(\omega (1)\) (e.g., \(\log \log \log {n}\) or even less), and thus they all improve upon the respective known constructions. The fourth construction generalizes to beyond regular one-way functions (as introduced in [21]) with optimal output length \(\varTheta (n)\) and key length \(O(n\cdot \log {n})\).
1. For any 1-to-1 one-way function, we construct an optimal family of UOWHFs with key and output length \(\varTheta (n)\) and a single OWF call.
2. For any known-regular one-way function with known hardness, we give another optimal construction of UOWHFs with key and output length \(\varTheta (n)\) and a single call.
3. For any known-regular one-way function, we give a construction of UOWHFs with key and output length \(O(\omega (1){\cdot }n)\) and \(\omega (1)\) non-adaptive calls.
4. For any one-way function f that is weakly unknown-regular on a noticeable fraction (i.e., \(n^{-c}\) for constant c) of domain [21], we give a construction of UOWHFs with key length \(O(n{\cdot }{\log }n)\) and output length \(\varTheta (n)\).
On the efficiency, feasibility and limits. Constructions #1, #2 and #3 are practically relevant as most one-way function candidates turn out to be known-almost-regular or even 1-to-1. Goldreich, Levin and Nisan [8] showed how to base almost 1-to-1 (except for a negligible fraction) one-way functions on intractable problems such as RSA and DLP, and thus construction #1 makes it possible to build optimal UOWHFs from those problems. A byproduct of construction #2 is the equivalence of almost 1-to-1 one-way functions and known-(almost-)regular one-way functions in certain (known-hardness or non-uniform) settings, where we give an optimal construction of the former from the latter. Moreover, unknown-regular one-way functions further reduce the knowledge required about the underlying one-way functions, and the problem of basing cryptographic primitives (PRGs, UOWHFs, etc.) on weaker assumptions is of theoretical interest. It improves our understanding of the feasibility and limits of black-box reductions. In particular, Holenstein and Sinha [14] and Barhum and Holenstein [2] showed that \(\Omega (n/\log {n})\) black-box calls to an arbitrary (including unknown-regular) one-way function are necessary to construct PRGs and UOWHFs, and the lower bound is matched by explicit constructions of PRGs [10] and UOWHFs [1] respectively. The recent work of [21] carried this line of research even further by considering a more general class of one-way functions (which they call weakly unknown-regular one-way functions), namely, the underlying one-way function can have an arbitrary structure as long as the set of x with maximal number of siblings (i.e., x and \(x'\) are siblings of each other if \(f(x)=f(x')\)) is of noticeable fraction. The authors of [21] gave a construction of PRG with seed length \(O(n\cdot \log {n})\) from weakly unknown-regular OWFs. However, their analysis is quite ad hoc (see Remark 2), and doesn’t seem to generalize to UOWHFs.
As an intermediate step of construction #4, we prove that “iterating such a one-way function (weakly regular on only a noticeable fraction) polynomially many times yields a one-way function that is almost-regular on an overwhelming fraction” and thus unify the approach to the two dual objects (i.e., PRGs and UOWHFs).
The roadmap. We outline below the steps to build UOWHFs from the respective one-way function \(f: \{0, 1\}^{n} \rightarrow \{0, 1\}^{l} \) introduced above. We note that the following assumptions (about output length) can be made without loss of generality: \(l\in {O(n)}\) for 1-to-1 one-way functions and length-preservingness (i.e., \(l=n\)) for arbitrary one-way functions. More specifically, any 1-to-1 one-way function \(f: \{0, 1\}^{n} \rightarrow \{0, 1\}^{l} \) implies a one-way function \(f': \{0, 1\}^{n'\in \varTheta (n)} \rightarrow \{0, 1\}^{l'\in \varTheta (n)} \) that is 1-to-1 except for a negligible fraction. Any one-way function f with \(\alpha \le |f^{-1}(y)|\le \alpha {\cdot }\beta \) implies another length-preserving one-way function \(f': \{0, 1\}^{n'\in \varTheta (n)} \rightarrow \{0, 1\}^{n'} \) with \(\alpha '\le |f'^{-1}(y)|\le \alpha '{\cdot }\beta \) except for a negligible fraction, where the size of range \(\beta \) is preserved, and \(\alpha '\) is efficiently computable if \(\alpha \) is. We refer to [20] for a full proof.
Based on known-(almost-)regular OWFs. Next, we consider any known-(almost-)regular OWF f whose hardness parameter \(\varepsilon \) is unknown (i.e., \(\varepsilon \) is negligible but may not be efficiently computable). In this case, we run q independent copies of f, and we get a construction by making q non-adaptive calls with shrinkage \(q\log {n}\), key and output length \(O(q\cdot {n})\), where \(q\in \omega (1)\) can be any efficiently computable super-constant. The parallel repetition technique was also used in similar contexts (e.g., the construction of PRG from any known-regular OWF [22]). We refer to Theorem 4 for the detailed construction and proof.
Based on a more general class of OWFs. We show that iterating the class of one-way functions introduced in [21] sufficiently many times yields a one-way function \(f'\) that is almost-regular, and thus plugging this \(f'\) into the construction of Ames et al. [1] yields a construction of UOWHFs with output length \(\varTheta (n)\) and key length \(O(n\cdot \log {n})\).
2 Preliminaries
Definition 1
Definition 2
(pairwise independent hashing). A family of functions \(\mathcal {H}=\{h: \{0, 1\}^{l} \rightarrow \{0, 1\}^{t} \}\) is pairwise independent if for any distinct \(x_1,{x_2}\in \{0, 1\}^{l} \) and any \(v_1,v_2\in \{0, 1\}^{t} \) it holds that \(\Pr _{h\xleftarrow {\$}\mathcal {H}}[~h(x_1)=v_1~{\wedge }~h(x_2)=v_2~]=2^{-2t}\).
Definition 3
Definition 4
Definition 5
Definition 6
Definition 7
3 UOWHFs from 1-to-1 One-Way Functions
3.1 A Technical Lemma and Its Applications
We state below a folklore lemma about universal hashing which is symmetric to the leftover hash lemma.
Lemma 1
We also mention the fact that the input and output lengths of a 1-to-1 one-way function \(f: \{0, 1\}^{n} \rightarrow \{0, 1\}^{l(n)} \) can be assumed to be linearly related (i.e., \(l(n)={O(n)}\)). For almost-regular one-way functions, we can even assume that they are length-preserving (i.e., \(l(n)=n\)). We refer to [20] for the proof of Fact 1.
Fact 1
1. Any 1-to-1 (t,\(\varepsilon \))-one-way function \(f: \{0, 1\}^{n} \rightarrow \{0, 1\}^{l} \) implies a (\(t-n^{O(1)}\), \(\varepsilon +\mathsf {poly}(n)\cdot {2^{-\kappa }}\))-one-way function \(f': \{0, 1\}^{n'\in {\varTheta (n)}} \rightarrow \{0, 1\}^{(n'+\kappa )\in \varTheta (n)} \) which is 1-to-1 except on a \((\mathsf {poly}(n)\cdot {2^{-\kappa }})\)-fraction of inputs, i.e.,
$$\begin{aligned} \Pr _{x\xleftarrow {\$} \{0, 1\}^{n'} }[~\exists {{x'}}\in \{0, 1\}^{n'} :{x'}\ne {x}~\wedge ~f'(x)=f'({x'})~]~\le ~\mathsf {poly}(n)\cdot {2^{-\kappa }} \end{aligned}$$
2. Any \((2^{r_1},2^{r_2})\)-almost regular (t,\(\varepsilon \))-one-way function \(f: \{0, 1\}^{n} \rightarrow \{0, 1\}^{l} \) implies a length-preserving (\(t-n^{O(1)}\), \(\varepsilon +\mathsf {poly}(n)\cdot {2^{-(r_1+\kappa )}}\))-one-way function \(\bar{f}: \{0, 1\}^{n'\in {\varTheta (n)}} \rightarrow \{0, 1\}^{n'} \) which is \((2^{\kappa +r_1},2^{\kappa +r_2})\)-almost regular except on a \((\mathsf {poly}(n)\cdot {2^{-(r_1+\kappa )}})\)-fraction of inputs, i.e.,
$$\begin{aligned} \Pr _{x\xleftarrow {\$}{ \{0, 1\}^{n'} }}[~2^{\kappa +r_1}~\le ~|\bar{f}^{-1}(\bar{f}(x))|~\le ~{2^{\kappa +r_2}}~]~\ge ~1-\mathsf {poly}(n)\cdot {2^{-(r_1+\kappa )}}. \end{aligned}$$
Therefore, we will assume in the remainder of the paper that the underlying 1-to-1 one-way function has linear output length (i.e., \(l(n)=O(n)\)) and that the almost-regular and weakly unknown-regular one-way functions are length-preserving (i.e., \(l(n)=n\)).
3.2 UOWHFs from 1-to-1 OWFs
For a 1-to-1 OWF \(f: \{0, 1\}^{n} \rightarrow \{0, 1\}^{l} \), we define a cryptographic game between a challenger \(\mathsf{C}\) and an inverter \(\mathsf {Inv}\). That is, \(\mathsf{C}\) samples a random \(y^*\xleftarrow {\$} \{0, 1\}^{l} \) and sends it to \(\mathsf {Inv}\), and \(\mathsf {Inv}\) wins the game iff he comes up with any \(x'\) satisfying \(f(x')=y^*\). Note that even an unbounded \(\mathsf {Inv}\) wins this game with advantage no more than \(2^{-(l-n)}\) (which is the probability that \(y^*\in {f( \{0, 1\}^{n} )}\)), and Fact 2 states that the chance to win is even smaller for a computationally bounded \(\mathsf {Inv}\).
Fact 2
Proof
Remark 1
(on the proof sketch of Theorem 1). We use a trick to prove Theorem 1. We show that any \(\mathsf{A}\) that \(\varepsilon '\)-breaks the TCR of the constructed UOWHF implies an \(\mathsf {Inv}^{\mathsf{A}}\) (of almost the same efficiency as \(\mathsf{A}\)) that wins the above game (i.e., inverting f on a random \(y^*\in \{0, 1\}^{l} \)) with advantage roughly \(2^{n-l-s}\cdot \varepsilon '\). This may seem useless since \(l-n\) can be \(\Omega (n)\) or even \(\mathsf {poly}(n)\). However, by Fact 2 this term (i.e., \(2^{n-l-s}\cdot \varepsilon '\)) is actually upper bounded by \(2^{-(l-n)}\cdot \varepsilon \). The conclusion \(\varepsilon '{\le }2^s{\varepsilon }\) immediately follows by cancelling the factor \((l-n)\). In other words, the security bound does not depend on the number of bits truncated (i.e., \(l-n+s\)), but only on shrinkage s, and it is tight due to [5].
Theorem 1
Proof
Claim 1
(equivalent sampling). Let the values h, v, x, \(y^*\) be sampled as in Algorithm 1. Conditioned on the event \(y^*\ne {f(x)}\), it is equivalent to sample \((x,h,v)\xleftarrow {\$} \{0, 1\}^{n} \times \mathcal {H}\times \mathcal {V}\) uniformly and independently and then determine \(y^*:=f(x)-v\cdot {h^{-1}}\).
Proof of Claim 1. We know that (x, v) is uniformly sampled from \( \{0, 1\}^{n} \times \mathcal {V}\) by definition, and thus it suffices to show that “fix any (x, v), and conditioned on \(y^*\ne {f(x)}\) (i.e., \(Y^*\) is uniformly distributed over \( \{0, 1\}^{l} \setminus \{f(x)\}\)), it holds that h is uniform over \(\mathcal {H}\)”. This follows from the fact that \(v\ne \mathbf {0}\) (\(\mathcal {V}\) excludes \(\mathbf {0}\) by definition) and hence \(h=(f(x)-Y^*)^{-1}\cdot {v}\) is uniform over \( \{0, 1\}^{l} \setminus \{\mathbf {0}\}\), namely, \(h\xleftarrow {\$}\mathcal {H}\). Finally, for any given (x, h, v), one efficiently determines the value \(y^*=f(x)-v\cdot {h^{-1}}\) due to the arithmetic over the finite field. \(\square \)
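The algebra behind Claim 1 can be checked exhaustively on a toy field. The following Python sketch is an added example, not code from the paper; the field GF(2^8), the reduction polynomial, the truncation width and the concrete choice of \(\mathcal {V}\) (non-zero elements whose kept bits are all zero) are assumptions made for illustration.

```python
"""Toy check of Claim 1 (equivalent sampling) over GF(2^8).

Assumptions (not from the paper): l = 8, the AES reduction polynomial,
trunc() keeping the top n - s = 5 bits, and V taken to be the non-zero
field elements that truncate to zero.
"""

L_BITS = 8        # l: output length of the toy f (assumed)
KEEP = 5          # n - s: number of bits kept by trunc (assumed)
MODULUS = 0x11B   # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)


def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (carry-less, reduced mod MODULUS)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a <<= 1
        if a >> L_BITS:          # degree reached l: reduce
            a ^= MODULUS
        b >>= 1
    return result


def gf_inv(a: int) -> int:
    """Inverse of a non-zero element, computed as a^(2^l - 2)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^l)")
    result, base, exp = 1, a, (1 << L_BITS) - 2
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def trunc(y: int) -> int:
    """Keep the KEEP most significant bits of an l-bit value."""
    return y >> (L_BITS - KEEP)


# Assumed V: non-zero elements whose kept bits are all zero.
V = list(range(1, 1 << (L_BITS - KEEP)))


def h_from_challenge(fx: int, y_star: int, v: int) -> int:
    """h = (f(x) - y*)^{-1} * v. Subtraction is XOR in characteristic 2.
    Raises ZeroDivisionError on the excluded event y* = f(x)."""
    return gf_mul(gf_inv(fx ^ y_star), v)


def y_star_from_key(fx: int, h: int, v: int) -> int:
    """y* = f(x) - v * h^{-1}: the sampling order used in Claim 1."""
    return fx ^ gf_mul(v, gf_inv(h))


def check_equivalent_sampling(fx: int, v: int) -> bool:
    """For fixed (f(x), v), run over every y* != f(x) and confirm that
    (1) the two formulas invert each other,
    (2) y* collides with f(x) under trunc(h * .), and
    (3) y* -> h is a bijection onto the non-zero keys, so a uniform y*
        gives a uniform h."""
    seen = set()
    for y_star in range(1 << L_BITS):
        if y_star == fx:
            continue
        h = h_from_challenge(fx, y_star, v)
        if h == 0 or y_star_from_key(fx, h, v) != y_star:
            return False
        if trunc(gf_mul(h, fx)) != trunc(gf_mul(h, y_star)):
            return False
        seen.add(h)
    return seen == set(range(1, 1 << L_BITS))


if __name__ == "__main__":
    # Constructed sample values standing in for f(x).
    for fx in (0x00, 0x3C, 0xFF):
        print(hex(fx), all(check_equivalent_sampling(fx, v) for v in V))
```

Because \(h\cdot (f(x)-y^*)=v\) and v truncates to zero under the assumed \(\mathcal {V}\), every such \(y^*\) is a sibling of f(x) under \(\mathsf{trunc}\circ h\), which is what lets the inverter embed its challenge.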
4 UOWHFs from Known Regular OWFs
We proceed to the more general case that f is a known almost-regular function. Recall that by Fact 1 we can assume WLOG that the underlying almost-regular one-way function is length-preserving. We first show a construction where the hardness parameter \(\varepsilon \) is known, and then remove the dependency on \(\varepsilon \).
4.1 Compressing the Output Is Necessary but not Sufficient
We attempt to generalize the Naor-Yung approach for one-way permutations (and 1-to-1 one-way functions) to almost-regular one-way functions by compressing (using \(\mathsf{trunc}\circ {h}\)) the output \(Y=f(X)\) into \({{\mathbf {H}}_{\infty }}(Y)-s'\) bits for \(s'\in {O(\log \left( {1}/{\varepsilon }\right) )}\). However, this only gives a weak form of guarantee, as stated in Lemma 2 below, that given a random x it is infeasible for efficient algorithms to find any \(f(x')\ne {f(x)}\) such that \(\mathsf{trunc}({h}(f(x')))=\mathsf{trunc}({h}(f(x)))\). In other words, it does not rule out the possibility that one may easily find \(x'\ne {x}\) satisfying \(f(x')=f(x)\). Hence, compressing the output is only a useful intermediate step to obtain UOWHFs. Lemma 2 below further generalizes Theorem 1 to known-(almost-)regular functions, and its proof is similar to that of Theorem 1 (see [20]).
Lemma 2
4.2 Known (Almost-)Regular OWFs with Known Hardness
We first give an optimal construction assuming that the inversion probability upper bound \(\varepsilon \) is known. Note that in addition to hashing the output f(x) (as we did in Lemma 2), we also hash the input x to ensure that no distinct \(x'\) collides with x with respect to the resulting function.
Theorem 2
Proof
4.3 An Alternative Approach to Sect. 4.2
A neater (and perhaps more intuitive) approach is to construct an almost 1-to-1 one-way function \(f'\) (with input and output lengths \(\varTheta (n)\)) based on f (stated as Theorem 3) and then plug \(f'\) into Theorem 1 (using \(f'\) in place of f)^{7}. This statement is interesting in its own right as it implies that almost 1-to-1 one-way functions and known-(almost-)regular one-way functions (with known hardness) are equivalent. Taking a closer look at Theorem 3 we find that this almost 1-to-1 \(f'\) is also present (as an intermediate function) in construction \(\mathcal {G}_2\) of Theorem 2 (except with slightly different length parameters). Lemmas 3 and 4 state the almost injectiveness and one-wayness of \(f'\) respectively, for which we determine a judicious value for d (assuming knowledge about \(\varepsilon \)) in Theorem 3 to achieve injectiveness and one-wayness simultaneously.
Theorem 3
4.4 UOWHFs from any Known (Almost-)Regular OWFs
Removing the dependency on \(\varepsilon \). Unfortunately, Theorem 2 doesn’t immediately apply to an arbitrary regular function as in general we assume no knowledge about \(\varepsilon \) (other than that \(\varepsilon \) is negligible). To see the difficulty, check the proof of Theorem 2 where the security of the resulting UOWHF is bounded by the sum of two terms, i.e., \(2^{-(s'-s)} ~+~n^c{\cdot }2^{s'+1}\cdot \varepsilon \). Without knowing \(\varepsilon \), one may end up setting some super-polynomial \(2^{s'}\) (to make the first term negligible) which kills the second term \(n^c{\cdot }2^{s'+1}\cdot \varepsilon \). The same problems arise in similar situations (e.g., construction of PRGs from regular OWFs [22]). A remedy for this is parallel repetition: run \(q\in \omega (1)\) copies of f on \(\mathbf {x}=(x_1,\ldots ,x_q)\), apply hash-then-truncate (setting \(s'=2\log {n}\)) to every copy \(f(x_i)\), which shrinks the entropies by \(2q\log {n}\) bits and yields a bound \(O(\varepsilon {\cdot }n^{c+2})\). Next, apply a single hashing to \(\mathbf {x}\) that expands \(q{\cdot }\log {n}\) bits (to yield another negligible term \(n^{-q}\)). This gives a family of UOWHFs with shrinkage \(2q\log {n}-q\log {n}=q\log {n}\), and key and output length \(O(q\cdot {n})\) for any (efficiently computable) \(q\in \omega (1)\). The proof is similar in spirit to that of Theorem 2 (see [20]).
Definition 8
Theorem 4
5 Going Beyond Almost-Regular OWFs
Although (almost) optimal, our foregoing constructions need at least almost-regularity, i.e., the one-way function f satisfies \(\alpha \le |f^{-1}(f(x))|\le \alpha \cdot \beta \) for all (or at least an overwhelming portion of) x, where \(\alpha \) is efficiently computable and \(\beta =\mathsf {poly}(n)\) (or at most \(\beta =O(\log \left( {1}/{\varepsilon }\right) )\) for an (\(\varepsilon ^{-1}\),\(\varepsilon \))-hard f). Complementary to our work, Ames et al. [1] gave an elegant construction from unknown-(almost-)regular one-way functions, namely, without knowledge about \(\alpha \), for which they pay a cost of much increased number of one-way function calls (i.e., \(O(n/{\log }n)\)) and key length \(O(n\log {n})\). In this section, we further weaken the assumption so that f can have an arbitrary structure (i.e., \(\beta \) is not bounded) as long as the fraction of x’s with (nearly) maximal number of siblings is noticeable.
5.1 A More General Class of OWFs
The following class of one-way functions was introduced in [21] as a relaxation to unknown-(almost-)regular one-way functions.
Definition 9
5.2 UOWHFs from Beyond Almost-Regular OWFs
We state below the main results of this section, namely, the fourth construction which is based on weakly unknown-regular one-way functions (see Definition 9).
Theorem 5
Assume that f is a weakly unknown-regular one-way function on an \(n^{-c}\)-fraction of domain for constant c. Then, there exists an explicit construction of UOWHF family with output length \(\varTheta (n)\), key length \(O(n\cdot {\log }n)\) by making \(n^{2c+1}\cdot \omega (1)\) black-box calls to f.
The main idea is to transform any weakly unknown-regular one-way function f into a family of functions \(\mathcal {F}=\{f_u:u\in \{0, 1\}^{O(n\log {n})} \}\) such that \({\mathcal {F}}\) is almost regular and that it preserves the one-wayness of f. \(\mathcal {F}\) is constructed based on (the derandomized version of) the randomized iterate with a succinct description u. Finally, we sample a random \(f_u\xleftarrow {\$}\mathcal {F}\) and plug it into the construction by Ames et al. to get the UOWHFs as desired. We refer to [20] for more details about the explicit construction.
Definition 10
(the randomized iterate [7, 10]). Let \(n\in \mathbb {N}\), function \(f: \{0, 1\}^{n} \rightarrow \{0, 1\}^{n} \), and let \(\mathcal {H}\) be a family of pairwise-independent length-preserving hash functions over \( \{0, 1\}^{n} \). For \(k\in \mathbb {N}\), \(x_1\in \{0, 1\}^{n} \) and vector \(\mathbf {h}^{k}=(h_1,\ldots ,h_{k})\in \mathcal {H}^{k}\), recursively define the \(i^{th}\) randomized iterate by:
The randomized version refers to the case where \(x_1\xleftarrow {\$} \{0, 1\}^{n} \) and \(\mathbf {h}^{k}\xleftarrow {\$}\mathcal {H}^{k}\).
The derandomized version refers to the case where \(x_1\xleftarrow {\$} \{0, 1\}^{n} \), \(u\xleftarrow {\$} \{0, 1\}^{q\in {O}(n{\cdot }{\log }n)} \), \(\mathbf {h}^{k}:=BSG(u)\), where \(BSG: \{0, 1\}^{q} \rightarrow \{0, 1\}^{k\cdot {\log |\mathcal {H}|}} \) is a bounded-space generator that \(2^{-2n}\)-fools every \((2n+1,k,\log |\mathcal {H}|)\)-LBP (layered branching program), and \(\log |\mathcal {H}|\) is the description length of \(\mathcal {H}\) (e.g., 2n bits for concreteness).
Remark 2
(on what is proven in [21]). The authors of [21] introduced weakly unknown-regular one-way functions from which they constructed a pseudorandom generator with seed length \(O(n\cdot \log {n})\) based on the randomized iterate. They showed that “every \(k=n^{2c}\cdot {\log {n}}\cdot \omega (1)\) iterations are hard-to-invert”, i.e., for any j it is hard to predict \(x_j\) given \(y_{j+k}=f^{j+k}(x_1,BSG(u))\) and u. A PRG thus follows by outputting \(\log {n}\) hardcore bits for every k iterations. In this paper, we first adapt their findings to show that \(f_u(\cdot )=f^k(\cdot ,BSG(u))\) constitutes a family of one-way functions, i.e., given \(y_k=f_u(x_1)\) and u it is infeasible to find any \(x_1'\) such that \(y_k=f^k(x_1',BSG(u))\). This is stated as Lemma 6. However, the one-wayness of \(f_u\) is still insufficient to construct UOWHFs. We further show in Lemma 7 that a random \(f_u\xleftarrow {\$}\mathcal {F}\) is almost regular (in a slightly weaker sense than Definition 6 but already suffices for our needs).
Following [21], we define the following event and recall some inequalities.
Definition 11
Lemma 5
Lemma 6
Lemma 7
Proof
Fact 3
Proof
Any x satisfying \(0<|\bar{f}^{-1}(\bar{f}(x))|<t\) implies \(0<|f_1^{-1}(f_1(x))|<t\).
Given that \(\mathcal {F}\) is a family of unknown-(almost-)regular one-way functions with description length \(O(n\cdot \log {n})\), we just plug a random \(f_u\in \mathcal {F}\) into the construction of Ames et al. [1] to yield a family of UOWHFs with output length \(\varTheta (n)\) and key length \(O(n\cdot \log {n})\). We refer to a more complete version of this work [20], where we put together all the necessary technical details.
Footnotes
1. A straightforward calculation suggests that \(\mathcal {G}_{1\text{-}1}\) needs key length \(O(l{\cdot }(l-n))\), and we know (see Fact 1) that every 1-to-1 one-way function implies another one-way function \(f': \{0, 1\}^{n'\in \varTheta (n)} \rightarrow \{0, 1\}^{n'+\omega (\log {n})} \) that is 1-to-1 except on a negligible fraction of inputs, which implies that the key length of [16, 19] can be pushed to \(O(\omega (\log {n}){\cdot }n)\).
2. A function f is regular if every image has the same number (say \(\alpha \)) of preimages, and it is known (resp., unknown) regular if \(\alpha \) is efficiently computable (resp., inefficient to approximate). More generally (as introduced in [21]), f is weakly unknown-regular if the fraction of x’s with maximal \(|f^{-1}(f(x))|\) (which is not necessarily efficiently computable) is noticeable. We stress that here “weakly” is used to describe “regularity” (rather than “one-wayness” as in “weakly one-way functions”).
3. The security of the first UOWHF is essentially the same as the respective OWF, and the security of the second one is roughly a square root of its underlying OWF.
4. Given a 1-to-1 one-way function f, one might think of getting a PRG by hashing \(f(U_n)\) into \(n-s\) bits concatenated with \(s+1\) hardcore bits of f, where \(s\in \omega ({\log {n}})\) is the necessary entropy loss due to the leftover hash lemma. This is in general not possible without knowing the exact hardness of the underlying f. See more discussions and the relaxed solutions to this problem by Goldreich [6, Sect. 3.5.1.3].
5. More precisely, x is sampled at random and \(x'\) can be any distinct value (i.e., \(x'\ne {x}\)) efficiently computable from x and g.
6. In fact, \(\mathcal {H}\) constitutes a family of universal hash permutations. However, our proofs only use the concrete construction of \(\mathcal {H}\) and benefit from its algebraic property over finite fields, rather than assuming a universal \(\mathcal {H}\) plus a constructible property [13] (given any x and y there exists a PPT sampler to output \(h\xleftarrow {\$}\{h\in \mathcal {H}:h(x)=y\}\)).
7. Strictly speaking, we need to show that the construction works even if the underlying OWF is only 1-to-1 on an overwhelming fraction of inputs. The proof is given in [20].
8. In fact, our construction #4 only assumes a more relaxed condition than (1), i.e., \(\Pr [U_n\in \mathcal {X}_{\max -O(\log {n})}\cup \ldots \cup \mathcal {X}_{\max }]\ge {n^{-c}}\), so that unknown-almost-regular one-way functions become a special case for \(c=0\).
Notes
Acknowledgement
This research work was supported by the National Basic Research Program of China (Grant 2013CB338004). Yu Yu was supported by the National Natural Science Foundation of China Grant (Nos. 61472249, 61103221). Dawu Gu was supported by the National Natural Science Foundation of China Grant (Nos. 61472250, 61402286), the Doctoral Fund of Ministry of Education of China (No. 20120073110094) and the Innovation Program by Shanghai Municipal Science and Technology Commission (No. 14511100300). Xiangxue Li was supported by the National Natural Science Foundation of China (Nos. 61472472, 61272536) and Science and Technology Commission of Shanghai Municipality (Grant 13JC1403500). Jian Weng was supported by NSFC under Grant Nos. 61133014, 61472165 and 61272413, the Program for New Century Excellent Talents in University under Grant No. NCET120680, and the Research Fund for the Doctoral Program of Higher Education of China under Grant No. 20100073110060.
References
1. Ames, S., Gennaro, R., Venkitasubramaniam, M.: The generalized randomized iterate and its application to new efficient constructions of UOWHFs from regular one-way functions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 154–171. Springer, Heidelberg (2012)
2. Barhum, K., Holenstein, T.: A cookbook for black-box separations and a recipe for UOWHFs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 662–679. Springer, Heidelberg (2013)
3. Barhum, K., Maurer, U.: UOWHFs from OWFs: trading regularity for efficiency. In: Hevia, A., Neven, G. (eds.) LatinCrypt 2012. LNCS, vol. 7533, pp. 234–253. Springer, Heidelberg (2012)
4. Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003)
5. Gennaro, R., Gertner, Y., Katz, J., Trevisan, L.: Bounds on the efficiency of generic cryptographic constructions. SIAM J. Comput. 35(1), 217–246 (2005)
6. Goldreich, O.: Foundations of Cryptography: Basic Tools. Cambridge University Press, New York (2001)
7. Goldreich, O., Krawczyk, H., Luby, M.: On the existence of pseudorandom generators. SIAM J. Comput. 22(6), 1163–1175 (1993)
8. Goldreich, O., Levin, L.A., Nisan, N.: On constructing 1-1 one-way functions. In: Goldreich, O. (ed.) Studies in Complexity and Cryptography. LNCS, vol. 6650, pp. 13–25. Springer, Heidelberg (2011)
9. Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)
10. Haitner, I., Harnik, D., Reingold, O.: On the power of the randomized iterate. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 22–40. Springer, Heidelberg (2006)
11. Haitner, I., Holenstein, T., Reingold, O., Vadhan, S., Wee, H.: Universal one-way hash functions via inaccessible entropy. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 616–637. Springer, Heidelberg (2010)
12. Haitner, I., Nguyen, M.H., Ong, S.J., Reingold, O., Vadhan, S.P.: Statistically hiding commitments and statistical zero-knowledge arguments from any one-way function. SIAM J. Comput. 39(3), 1153–1218 (2009)
13. Haitner, I., Reingold, O., Vadhan, S.P., Wee, H.: Inaccessible entropy. In: Proceedings of the 41st ACM Symposium on the Theory of Computing. pp. 611–620 (2009)
14. Holenstein, T., Sinha, M.: Constructing a pseudorandom generator requires an almost linear number of calls. In: Proceedings of the 53rd IEEE Symposium on Foundation of Computer Science. pp. 698–707 (2012)
15. Katz, J., Koo, C.Y.: On constructing universal one-way hash functions from arbitrary one-way functions. IACR Cryptology ePrint Archive (2005). http://eprint.iacr.org/2005/328
16. Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Johnson, D.S. (ed.) Proceedings of the Twenty First Annual ACM Symposium on Theory of Computing, Seattle, Washington, pp. 33–43, 15–17 May 1989
17. Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Proceedings of the Twenty Second Annual ACM Symposium on Theory of Computing, Baltimore, Maryland, pp. 387–394, 14–16 May 1990
18. Rompel, J.: Techniques for computing with low-independence randomness. Ph.D. thesis, Massachusetts Institute of Technology (1990). http://dspace.mit.edu/handle/1721.1/7582
19. De Santis, A., Yung, M.: On the design of provably-secure cryptographic hash functions. In: Damgård, I.B. (ed.) EUROCRYPT 1990. LNCS, vol. 473, pp. 412–431. Springer, Heidelberg (1991)
20. Yu, Y., Gu, D., Li, X., Weng, J.: (Almost) Optimal Constructions of UOWHFs from 1-to-1, Regular One-way Functions and Beyond. Cryptology ePrint Archive, Report 2014/393 (2014). http://eprint.iacr.org/2014/393/
21. Yu, Y., Gu, D., Li, X., Weng, J.: The randomized iterate, revisited - almost linear seed length PRGs from a broader class of one-way functions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015, Part I. LNCS, vol. 9014, pp. 7–35. Springer, Heidelberg (2015)
22. Yu, Y., Li, X., Weng, J.: Pseudorandom generators from regular one-way functions: new constructions with improved parameters. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 261–279. Springer, Heidelberg (2013)