Towards Non-Black-Box Separations of Public Key Encryption and One Way Function

  • Dana Dachman-SoledEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9986)


Separating public key encryption from one way functions is one of the fundamental goals of complexity-based cryptography. Beginning with the seminal work of Impagliazzo and Rudich (STOC, 1989), a sequence of works have ruled out certain classes of reductions from public key encryption (PKE)—or even key agreement—to one way function. Unfortunately, known results—so called black-box separations—do not apply to settings where the construction and/or reduction are allowed to directly access the code, or circuit, of the one way function. In this work, we present a meaningful, non-black-box separation between public key encryption (PKE) and one way function.

Specifically, we introduce the notion of \(\mathsf {BBN}^-\) reductions (similar to the \(\mathsf {BBN}\)p reductions of Baecher et al. (ASIACRYPT, 2013)), in which the construction E accesses the underlying primitive in a black-box way, but wherein the universal reduction \({{\mathbb R}}\) receives the efficient code/circuit of the underlying primitive as input and is allowed oracle access to the adversary \(\mathsf {Adv}\). We additionally require that the functions describing the number of oracle queries made to \(\mathsf {Adv}\), and the success probability of \({{\mathbb R}}\) are independent of the run-time/circuit size of the underlying primitive. We prove that there is no non-adaptive, \(\mathsf {BBN}^-\) reduction from PKE to one way function, under the assumption that certain types of strong one way functions exist. Specifically, we assume that there exists a regular one way function f such that there is no Arthur-Merlin protocol proving that \(z \notin \mathsf {Range}(f)\), where soundness holds with high probability over “no instances,” \(y \sim f(U_n)\), and Arthur may receive polynomial-sized, non-uniform advice. This assumption is related to the average-case analogue of the widely believed assumption \(\mathsf {coNP}\not \subseteq \mathbf {NP}/{\mathrm{poly}}\).



We thank Tal Malkin for insightful discussions on the notion of \(\mathsf {BBN}^-\) reductions and the anonymous reviewers for TCC B-2016 for their many helpful comments.


  1. 1.
    Abe, M., Groth, J., Ohkubo, M.: Separating short structure-preserving signatures from non-interactive assumptions. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 628–646. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-25385-0_34 CrossRefGoogle Scholar
  2. 2.
    Akavia, A., Goldreich, O., Goldwasser, S., Moshkovitz, D.: On basing one-way functions on NP-hardness. In: Kleinberg, J.M. (ed.) 38th Annual ACM Symposium on Theory of Computing, pp. 701–710. ACM Press, May 2006Google Scholar
  3. 3.
    Baecher, P., Brzuska, C., Fischlin, M.: Notions of black-box reductions, revisited. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 296–315. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-42033-7_16 CrossRefGoogle Scholar
  4. 4.
    Barak, B.: How to go beyond the black-box simulation barrier. In: 42nd Annual Symposium on Foundations of Computer Science, pp. 106–115. IEEE Computer Society Press, October 2001Google Scholar
  5. 5.
    Barak, B., Mahmoody-Ghidary, M.: Merkle puzzles are optimal — an O(n 2)-query attack on any key exchange from a random Oracle. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 374–390. Springer, Heidelberg (2009). doi: 10.1007/978-3-642-03356-8_22 CrossRefGoogle Scholar
  6. 6.
    Bitansky, N., Dachman-Soled, D., Garg, S., Jain, A., Kalai, Y.T., López-Alt, A., Wichs, D.: Why “Fiat-Shamir for Proofs” lacks a proof. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 182–201. Springer, Heidelberg (2013). doi: 10.1007/978-3-642-36594-2_11 CrossRefGoogle Scholar
  7. 7.
    Bodlaender, H.L., Downey, R.G., Fellows, M.R., Hermelin, D.: On problems without polynomial kernels. J. Comput. Syst. Sci. 75(8), 423–434 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
  8. 8.
    Bogdanov, A., Trevisan, L.: On worst-case to average-case reductions for NP problems. In: 44th Annual Symposium on Foundations of Computer Science, pp. 308–317. IEEE Computer Society Press, October 2003Google Scholar
  9. 9.
    Brakerski, Z., Katz, J., Segev, G., Yerukhimovich, A.: Limits on the power of zero-knowledge proofs in cryptographic constructions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 559–578. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-19571-6_34 CrossRefGoogle Scholar
  10. 10.
    Coron, J.-S.: Optimal security proofs for PSS and other signature schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002). doi: 10.1007/3-540-46035-7_18 CrossRefGoogle Scholar
  11. 11.
    Drucker, A.: New limits to classical and quantum instance compression. In: 53rd Annual Symposium on Foundations of Computer Science, pp. 609–618. IEEE Computer Society Press, October 2012Google Scholar
  12. 12.
    Feigenbaum, J., Fortnow, L.: Random-self-reducibility of complete sets. SIAM J. Comput. 22(5), 994–1005 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
  13. 13.
    Fischlin, M., Schröder, D.: On the impossibility of three-move blind signature schemes. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 197–215. Springer, Heidelberg (2010). doi: 10.1007/978-3-642-13190-5_10 CrossRefGoogle Scholar
  14. 14.
    Fortnow, L., Santhanam, R.: Infeasibility of instance compression and succinct PCPs for NP. In: Ladner, R.E., Dwork, C. (eds.) 40th Annual ACM Symposium on Theory of Computing, pp. 133–142. ACM Press, May 2008Google Scholar
  15. 15.
    Fuchsbauer, G., Konstantinov, M., Pietrzak, K., Rao, V.: Adaptive security of constrained PRFs. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 82–101. Springer, Heidelberg (2014). doi: 10.1007/978-3-662-45608-8_5 Google Scholar
  16. 16.
    Garg, S., Bhaskar, R., Lokam, S.V.: Improved bounds on security reductions for discrete log based signatures. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 93–107. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-85174-5_6 CrossRefGoogle Scholar
  17. 17.
    Gentry, C., Wichs, C.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd Annual ACM Symposium on Theory of Computing, pp. 99–108. ACM Press, June 2011Google Scholar
  18. 18.
    Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The relationship between public key encryption and oblivious transfer. In: 41st Annual Symposium on Foundations of Computer Science, pp. 325–335. IEEE Computer Society Press, November 2000Google Scholar
  19. 19.
    Goldreich, O.: Foundations of Cryptography: Basic Tools, vol. 1. Cambridge University Press, Cambridge (2001)CrossRefzbMATHGoogle Scholar
  20. 20.
    Goldreich, O., Goldwasser, S., Micali, S.: On the cryptographic applications of random functions. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 276–288. Springer, Heidelberg (1985). doi: 10.1007/3-540-39568-7_22 CrossRefGoogle Scholar
  21. 21.
    Haitner, I., Harnik, D., Reingold, O.: On the power of the randomized iterate. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 22–40. Springer, Heidelberg (2006). doi: 10.1007/11818175_2 CrossRefGoogle Scholar
  22. 22.
    Haitner, I., Mahmoody, M., Xiao, D.: A new sampling protocol and applications to basing cryptographic primitives on the hardness of NP. In: Proceedings of the 25th Annual IEEE Conference on Computational Complexity, CCC 2010, 9–12 June 2010, Cambridge, Massachusetts, pp. 76–87 (2010)Google Scholar
  23. 23.
    Harnik, D., Naor, M.: On the compressibility of NP instances and cryptographic applications. In: 47th Annual Symposium on Foundations of Computer Science, pp. 719–728. IEEE Computer Society Press, October 2006Google Scholar
  24. 24.
    Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  25. 25.
    Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: 21st Annual ACM Symposium on Theory of Computing, pp. 44–61. ACM Press, May 1989Google Scholar
  26. 26.
    Lamport, L.: Constructing digital signatures from a one-way function. Technical report SRI-CSL-98, SRI International Computer Science Laboratory, October 1979Google Scholar
  27. 27.
    Paillier, P., Vergnaud, D.: Discrete-log-based signatures may not be equivalent to discrete log. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 1–20. Springer, Heidelberg (2005). doi: 10.1007/11593447_1 CrossRefGoogle Scholar
  28. 28.
    Pass, R.: Limits of provable security from standard assumptions. In: Fortnow, L., Vadhan, S.P. (eds.) 43rd Annual ACM Symposium on Theory of Computing, pp. 109–118. ACM Press, June 2011Google Scholar
  29. 29.
    Pass, R., Tseng, W.-L.D., Venkitasubramaniam, M.: Towards non-black-box lower bounds in cryptography. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 579–596. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-19571-6_35 CrossRefGoogle Scholar
  30. 30.
    Raz, R.: A parallel repetition theorem. SIAM J. Comput. 27(3), 763–803 (1998)MathSciNetCrossRefzbMATHGoogle Scholar
  31. 31.
    Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: 22nd Annual ACM Symposium on Theory of Computing, pp. 387–394. ACM Press, May 1990Google Scholar
  32. 32.
    Seurin, Y.: On the exact security of Schnorr-Type signatures in the random Oracle model. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 554–571. Springer, Heidelberg (2012). doi: 10.1007/978-3-642-29011-4_33 CrossRefGoogle Scholar
  33. 33.
    Shaltiel, R.: Derandomized parallel repetition theorems for free games. In: Proceedings of the 25th Annual IEEE Conference on Computational Complexity, CCC 2010, 9–12 June 2010, Cambridge, Massachusetts, pp. 28–37 (2010)Google Scholar
  34. 34.
    Simon, D.R.: Finding collisions on a one-way street: can secure hash functions be based on general assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 334–345. Springer, Heidelberg (1998). doi: 10.1007/BFb0054137 CrossRefGoogle Scholar
  35. 35.
    Sotakova, M.: Breaking one-round key-agreement protocols in the random Oracle model. Cryptology ePrint Archive, Report 2008/053 (2008).
  36. 36.
    Yap, C.-K.: Some consequences of non-uniform conditions on uniform classes. Theoret. Comput. Sci. 26, 287–300 (1983)MathSciNetCrossRefzbMATHGoogle Scholar
  37. 37.
    Yu, Y., Gu, D., Li, X., Weng, J.: The randomized iterate, revisited - almost linear seed length PRGs from a broader class of one-way functions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 7–35. Springer, Heidelberg (2015). doi: 10.1007/978-3-662-46494-6_2 Google Scholar

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.University of MarylandCollege ParkUSA

Personalised recommendations