1 Introduction

Over the last few decades the cryptography community has been successful in constructing a wide variety of cryptographic primitives based on the minimal assumption that one-way functions exist. For example, the existence of one-way functions has been shown equivalent to the existence of private-key encryption schemes [GGM84], pseudorandom functions and permutations [GGM86, LR88, NR99], message authentication codes [GGM86], pseudorandom generators [BM84, HIL+99], universal one-way hash functions and signature schemes [NY89, Rom90], commitment schemes [Nao91, HIL+99, HNO+09], and many other symmetric primitives (also known as “MiniCrypt” primitives [Imp95]).

Despite the great progress in basing symmetric cryptography on one-way functions, the existence of one-way functions is still not known to imply the existence of all symmetric cryptographic primitives. A prime example is that of injective one-way functions (and, in particular, one-way permutations), whose existence seems to require somewhat more structured assumptions (e.g., specific number-theoretic assumptions [GLN11]).Footnote 1 Moreover, the seminal work by Rudich [Rud88], within the framework of Impagliazzo and Rudich modeling black-box constructions [IR89, RTV04], provided substantial evidence that the existence of injective one-way functions may not be “naturally implied” by the existence of arbitrary one-way functions. Specifically, Rudich proved that one-way functions cannot be used in a black-box manner to construct injective one-way functions.Footnote 2

Black-box impossibility results are clearly inherently limited, and do not capture non-black-box techniques (e.g., [GMW86, Yao86, NY90, Bar01, AIK06, BP12, CPS16]). Thus, it may still be the case that one-way functions can be used in a non-black-box manner to construct injective one-way functions (and even one-way permutations). Given that Rudich’s black-box barrier is currently the main evidence for explaining our lack of success in constructing injective one-way functions based on seemingly weaker assumptions, this naturally raises the fundamental question of whether or not Rudich’s black-box barrier can be circumvented using non-black-box techniques.

Significant progress towards obtaining a better understanding of the above question was made in the work of Barak, Ong and Vadhan [BOV07]. Their work demonstrated that derandomization techniques can be fundamentally useful in cryptographic constructions by enabling to eliminate interaction from certain two-message cryptographic protocols. Relying on the existence of a hitting-set generator that fools co-non-deterministic algorithms,Footnote 3 they derandomized Naor’s statistically-binding commitment scheme [Nao91] for obtaining a non-interactive perfectly-binding commitment scheme (in addition, relying on the existence of a hitting-set generator that fools co-non-deterministic circuits, they derandomized Dwork and Naor’s ZAPs [DN07] for obtaining a non-interactive witness-indistinguishable proof system for \(\mathsf{NP}\)).

In particular, as observed by Barak, Ong and Vadhan, a non-interactive perfectly-binding commitment scheme naturally implies a somewhat weak form of an injective one-way function, to which they refer to as a “partially-injective” one-way function. Such a function f is a two-input function f(xy), which is injective with respect to its first input x but not necessarily with respect to its second input y (thus offers significantly weaker structural guarantees compared to an injective one-way function), and for which it is hard to recover x given f(xy) where both x and y are distributed uniformly. This shows that non-black-box techniques are useful for constructing a somewhat weak form of injective one-way functions, but the problem of whether or not such techniques can be useful for constructing (fully) injective one-way functions (and even trapdoor functions) based on seemingly weaker assumptions has been left completely open.

1.1 Our Contributions

We show that non-black-box techniques can be used to circumvent the basic approach underlying Rudich’s long-standing evidence for the difficulty of constructing injective one-way functions (and, in particular, injective trapdoor functions) based on seemingly weaker or unstructured assumptions. In addition, whereas separations between the black-box and non-black-box power of cryptographic constructions were known to exist for private-key primitives [MP12], our work provides in particular such a separation for public-key primitives.

Specifically, we present a cryptographic primitive \(\mathcal {P}\) and prove that it satisfies the following properties:

  • Rudich’s seminal impossibility result shows that \(\mathcal {P}\) cannot be used in a black-box manner to construct an injective one-way function.

  • \(\mathcal {P}\) can be used in a non-black-box manner to construct an injective one-way function assuming the existence of a hitting-set generator that fools deterministic circuits. The non-black-box aspect of our construction is quite modest, asking for an upper bound on the size of \(\mathcal {P}\)’s implementation.

  • Augmenting \(\mathcal {P}\) with a trapdoor algorithm enables a non-black-box construction of an injective trapdoor function (once again, assuming the existence of a hitting-set generator that fools deterministic circuits), while Rudich’s impossibility result still holds.

Generally speaking, a hitting-set generator that fools deterministic circuits is known to exist based on the worst-case assumption that \(\text{ E } = \text{ DTIME }(2^{O(n)})\) has a function of deterministic circuit complexity \(2^{\Omega (n)}\) (see Sect. 2.1 for more details). For our construction, however, it suffices to assume the existence of a hitting-set generator that fools a rather simple computation involving the primitive \(\mathcal {P}\) (two parallel invocations of \(\mathcal {P}\) followed by a comparison of their outputs). Thus, if a hitting-set generator that fools this specific computation is known to exist unconditionally then we do not need to rely on the above worst-case assumption.

Our application of derandomization techniques is inspired mainly by the work of Barak, Ong and Vadhan [BOV07], which on one hand relies on any one-way function, but on the other hand only results in a non-interactive perfectly-binding commitment scheme (offering a significantly weaker structural guarantee when compared to injective one-way functions), and does not seem to enable an extension to public-key primitives (see Sect. 1.3 for an in-depth discussion and comparison to previous applications of derandomization techniques in cryptography).

The Primitive \(\varvec{\mathcal {P}}\). Our primitive \(\mathcal {P}\) is a predicate \(\mathcal {P} : \{0,1\}^* \rightarrow \{0,1\}\) that satisfies two rather natural properties, and we refer to this primitive as a correlated-input balanced one-way predicate. We show that such a predicate \(\mathcal {P}\) can be constructed based on any injective one-way function without relying on any additional assumptions, and thus the existence of such a predicate is unconditionally essential for the existence of an injective one-way function. Therefore, under a standard worst-case hardness assumption, the existence of our primitive is equivalent to that of an injective one-way function, although it is strictly weaker when restricted to black-box constructions.

Moreover, we also show that \(\mathcal {P}\) can be constructed in a black-box manner from various known primitives that are secure against related-secret attacks (e.g., related-key pseudorandom functions and related-seed pseudorandom generators). Although these primitives seem rather unstructured, it turns out that we can rely on their strong security guarantees to achieve the relatively modest structural guarantee of \(\mathcal {P}\), and then apply derandomization techniques to obtain the more robust structure of injective one-way functions.

In addition to the primitive \(\mathcal {P}\), we also introduce a natural “public-key” variant of \(\mathcal {P}\) which is obtained by augmenting \(\mathcal {P}\) with a trapdoor algorithm. We show that this augmented primitive can be constructed based on any injective trapdoor function without relying on any additional assumptions, and thus the existence of this primitive is unconditionally essential for the existence of an injective trapdoor one-way function. Therefore, similarly to the above, under a standard worst-case hardness assumption, the existence of our augmented primitive is equivalent to that of an injective trapdoor function, although it is strictly weaker when restricted to black-box constructions.

Our Approach. The key observation underlying our approach is that Rudich’s black-box impossibility result applies not only to rule out black-box constructions of injective one-way functions from general one-way functions as the underlying primitive class, but in fact from a wide variety of “unstructured” primitive classes. As basic examples, these include one-way functions and “almost-injective” one-way functions,Footnote 4 and obviously do not include injective one-way functions. At a very high level, as we discuss in Sect. 1.2 in more detail, Rudich’s impossibility applies to any primitive class \(\mathfrak {S}\) satisfying the following condition: For any \(\mathcal {O}, \mathcal {O}' \in \mathfrak {S}\) and for any two disjoint sets of inputs X and \(X'\) of polynomial size, there exists an \(\mathcal {O}'' \in \mathfrak {S}\) that agrees with \(\mathcal {O}\) on the set X and agrees with \(\mathcal {O}'\) on the set \(X'\).

Equipped with this observation, a significant part of our effort in this work focuses on carefully identifying a primitive \(\mathcal {P}\) that on one hand is sufficiently unstructured in order to satisfy the above condition, whereas on the other hand it is sufficiently structured in order to yield an injective one-way function (via a non-black-box construction). As we pointed out, one-way functions and almost-injective one-way functions are examples for primitive classes that satisfy the above condition, but it is still a long-standing open problem to use them in order to construct an injective one-way function. Instead, we specifically tailor the properties of our primitive \(\mathcal {P}\) in order to simultaneously satisfy the above condition and yield an injective one-way function via derandomization techniques.

1.2 Overview of Our Approach

In this section we provide an overview of our main contributions. First, we describe our new notion of a correlated-input balanced one-way predicate, as well as our non-black-box construction of an injective one-way function. We emphasize that we view the introduction and the specific formalization of our new primitive as a central contribution given that: (1) it is sufficiently unstructured in order to satisfy the above-mentioned condition for Rudich’s impossibility result, (2) it is sufficiently structured in order to yield an injective one-way function, and (3) its existence is essential for the existence of an injective one-way function.

Then, we describe the application of Rudich’s impossibility proof to correlated-input balanced one-way predicates, and discuss the observation that Rudich’s impossibility result applies to a wide variety of primitives. In fact, we prove a stronger result, showing that there is no black-box construction of a partially-injective one-way function (as defined by Barak, Ong and Vadhan [BOV07]) from these primitives.

Correlated-Input Balanced One-Way Predicates. The new primitive at the heart of our approach is an efficiently-computable predicate \(\mathcal {P}: \{0,1\}^* \rightarrow \{0,1\}\) that can be viewed as a two-input predicate \(\mathcal {P}(x,r)\), where \(r \in \{0,1\}^{\ell (|x|)}\), which satisfies the following two natural requirements with respect to correlated inputs:

  • The first requirement is that the predicate \(\mathcal {P}\) has to be rather balanced in the sense that \(| \Pr [ \mathcal {P}(x,r) = \mathcal {P}(x',r)] - 1/2 |\) is bounded for every distinct \(x, x' \in \{0,1\}^n\), where the probability is taken over the choice of a uniform \(r \in \{0,1\}^{\ell (n)}\).

    This requirement (on its own) is easy to satisfy by making sure that \(\mathcal {P}\) is pair-wise independent over the choice of \(r \in \{0,1\}^{\ell (n)}\). For example, this requirement can be satisfied by defining \(\mathcal {P}(x,r) = \langle f(x) , r \rangle \), where f may be any injective function mapping n-bit inputs to \(\ell (n)\)-bit outputs.

  • The second requirement is that for adversarially-chosen values \(r_1, \ldots , r_T \in \{0,1\}^{\ell (n)}\), the function mapping x to the sequence of values \(\mathcal {P}(x,r_1), \ldots , \mathcal {P}(x, r_T)\) is a one-way function of x.

    This requirement (on its own) is easy to satisfy by making sure that \(\mathcal {P}\) first applies any given one-way function to its first input x, and only then involves its second input r in the computation. For example, this requirement can be satisfied by defining \(\mathcal {P}(x,r) = \langle f(x) , r \rangle \), where f may be any one-way function mapping n-bit inputs to \(\ell (n)\)-bit outputs (note that this predicate fails to satisfy the first requirement whenever f is not an injective function).

The following definition formalizes these two requirements:

Definition 1.1

Let \(\mathcal {P} : \{0,1\}^* \rightarrow \{0,1\}\) be an efficiently-computable predicate, and let \(\ell = \ell (n)\) and \(\delta = \delta (n)\) be functions of the security parameter \(n \in \mathbb {N}\). Then, \(\mathcal {P}\) is a correlated-input \((\ell , \delta )\)-balanced one-way predicate if it satisfies the following two requirements:

  • For any \(n \in \mathbb {N}\) and for any \(x,x' \in \{0,1\}^n\) such that \(x \ne x'\) it holds that

    $$\begin{aligned} \left| \mathop {\Pr }\limits _{r \leftarrow \{0,1\}^{\ell (n)}} \left[ \mathcal {P}(x, r) = \mathcal {P}(x', r) \right] - \frac{1}{2} \right| \le \delta (n) . \end{aligned}$$

  • For any probabilistic polynomial-time algorithm A there exists a negligible function \(\nu (\cdot )\) such that

    $$\begin{aligned} \Pr \left[ \mathsf {Invert}_{\mathcal {P},A}(n) = 1 \right] \le \nu (n) \end{aligned}$$

    for all sufficiently large \(n \in \mathbb {N}\), where the experiment \(\mathsf {Invert}_{\mathcal {P},A}(n)\) is defined as follows:

    1. 1.

      \(\left( \mathsf {state}, r_1, \ldots , r_{T} \right) \leftarrow A(1^n)\) for \(r_1, \ldots , r_T \in \{0,1\}^{\ell (n)}\), where \(T = T(n)\) may be any polynomial determined by A.

    2. 2.

      \(x' \leftarrow A \left( \mathsf {state}, \mathcal {P}\left( x, r_1 \right) ,\ldots , \mathcal {P}\left( x, r_T \right) \right) \) where \(x \leftarrow \{0,1\}^n\).

    3. 3.

      If \(x' = x\) then output 1, and otherwise output 0.

As demonstrated above, each of the two requirements on its own can be easily satisfied, but it seems significantly more difficult to simultaneously satisfy both requirements. However, putting together our examples for predicates that satisfy each requirement on its own, we observe that for any injective one-way function f mapping n-bit inputs to \(\ell (n)\)-bit outputs, it holds that \(\mathcal {P}(x,r) = \langle f(x) , r \rangle \) is a correlated-input \((\ell (n),\delta (n))\)-balanced one-way predicate, where \(\delta (n)=0\).Footnote 5 This shows that the existence of such a predicate is unconditionally essential for the existence of an injective one-way function.

In addition, in the full version of the paper [RS18] we show that the existence of a correlated-input balanced one-way predicate is also implied by that of various primitives that are secure against related-key attacks. These include, for example, related-key pseudorandom functions (e.g., [BK03, Luc04, BC10, LMR14, AW14]) and related-seed pseudorandom generators (e.g., [GL10]). Unlike injective one-way functions, these primitives seem rather unstructured, yet still suffice for constructing correlated-input balanced one-way predicates.

Our Injective One-Way Function. Given any correlated-input \((\ell ,1/4)\)-balanced one-way predicate \(\mathcal {P}\), we present a construction of an injective one-way function by relying on a hitting-set generator H that fools deterministic circuits whose size is roughly that of \(\mathcal {P}\)’s given implementation. Our construction applies to any function \(\ell = \ell (n)\) of the security parameter \(n \in \mathbb {N}\) (recall that \(\ell (n)\) denotes the length of \(\mathcal {P}\)’s second input r), as long as it is upper bounded by some polynomial (e.g., \(\ell (n) = \log ^2(n)\), \(\ell (n)=n^2\)). In what follows we first describe the construction assuming that \(\ell (n) = O(\log n)\), as this case already sheds initial light on some of the main ideas underlying the construction. In fact, assuming that \(\ell (n) = O(\log n)\) the construction is fully black box, and the hitting-set generator is not needed. Then, we show that the construction extends to any polynomial \(\ell (n)\) by relying on a hitting-set generator.

Let \(\mathcal {P}\) be a correlated-input \((\ell ,1/4)\)-balanced one-way predicate where \(\ell (n) = O(\log n)\), and denote by \(r_{n,1}, \ldots , r_{n,L(n)}\) all \(L(n) = 2^{\ell (n)}\) possible \(\ell (n)\)-bit strings for any \(n \in \mathbb {N}\) (note that \(L = L(n)\) is polynomial given that \(\ell (n) = O(\log n)\)). Then, we claim that the function

$$\begin{aligned} g(x) = \left( \mathcal {P}(x,r_{|x|,1}), \ldots , \mathcal {P}(x,r_{|x|,L(|x|)}) \right) \end{aligned}$$

is both injective and one way:

  • The injectivity of g follows from the fact that \(\mathcal {P}\) is balanced: For any distinct \(x,x' \in \{0,1\}^n\), as long as \(\Pr [ \mathcal {P}(x,r) = \mathcal {P}(x',r)] < 1\), where the probability is taken over the choice of a uniform \(r \in \{0,1\}^{\ell (n)}\), this means that there exists at least one value \(r \in \{0,1\}^{\ell (n)}\) for which \(\mathcal {P}(x,r) \ne \mathcal {P}(x',r)\), and therefore \(g(x) \ne g(x')\).

  • The one-wayness of g follows from the fact that \(\mathcal {P}\) is one-way for correlated inputs: For any sequence of values \(r_{1}, \ldots , r_{T}\) the function mapping x to the sequence of values \(\mathcal {P}(x,r_1), \ldots , \mathcal {P}(x, r_T)\) is a one-way function of x. This holds, in particular, for the sequence of values \(r_{n,1}, \ldots , r_{n,L(n)}\), and thus g is a one-way function.

Now suppose that \(\mathcal {P}\) is a correlated-input \((\ell ,1/4)\)-balanced one-way predicate where \(\ell (n)\) may be any polynomial. Here, we can no longer define g as above by enumerating over all possible \(\ell (n)\)-bit strings to be used as \(\mathcal {P}\)’s second input r. All we need, however, is to enumerate over a carefully-chosen set \(r_1, \ldots , r_T\) such that for any distinct \(x, x' \in \{0,1\}^n\) there exists a value \(r \in \{ r_1,\ldots r_T \}\) such that \(\mathcal {P}(x,r) \ne \mathcal {P}(x',r)\). This is exactly the type of guarantee that is provided by a hitting-set generator, and enables us to argue that the following function g is both injective and one way: On input \(x \in \{0,1\}^n\) our function \(g : \{0,1\}^* \rightarrow \{0,1\}^*\) first uses a hitting-set generator H that fools circuits whose size is roughly the size of \(\mathcal {P}\)’s implementation for obtaining a sequence of values \(r_1,\ldots , r_{T(n)} \in \{0,1\}^{\ell (n)}\), and then outputs the value

$$\begin{aligned} g(x) = \left( \mathcal {P}(x,r_1), \ldots , \mathcal {P}(x,r_{T(n)}) \right) . \end{aligned}$$

In Sect. 3 we prove that the injectivity of g follows from the fact that \(\mathcal {P}\) is balanced and H is a hitting-set generator, whereas the one-wayness of g follows from the fact that \(\mathcal {P}\) is one way for correlated inputs as above. Moreover, we show that by augmenting \(\mathcal {P}\) with a trapdoor argument, our construction generalizes to an injective trapdoor function. We refer the reader to Sect. 3 for the formal details.

Applying Rudich’s Impossibility to Correlated-Input Predicates. We now briefly overview Rudich’s approach while pointing out the adjustments required in order to apply it to correlated-input balanced one-way predicates. Let \(\mathcal {O} = \left\{ \mathcal {O}_n \right\} _{n \in \mathbb {N}}\) be an oracle, where each \(\mathcal {O}_n\) is uniformly chosen from some function family \(\mathfrak {S}_n\), and let C be an oracle-aided circuit guaranteeing that \(C^{\mathcal {O}}\) implements an injective function for any \(\mathcal {O} \in \left\{ \mathfrak {S}_n \right\} _{n \in \mathbb {N}}\). In the case of Rudich’s proof, \(\mathfrak {S}_n\) is the family of all functions mapping n bits to n bits, and hence \(\mathcal {O}\) is simply a random length-preserving function. In our case, \(\mathfrak {S}_n\) is the set of all \((\ell (n) = n, \delta (n) = 2^{-n/3})\)-balanced predicates; i.e., predicates taking inputs in \(\{0,1\}^n \times \{0,1\}^n\), such that for every distinct \(x,x' \in \{0,1\}^n\) it holds that \(\left| \Pr _{r \leftarrow \{0,1\}^n} \left[ \mathcal {O}_n(x, r) = \mathcal {O}_n(x', r) \right] - 1/2 \right| \le 2^{-n/3}\). We set \(\ell (n) = n\) for the sake of simplicity, but the proof holds for any super-logarithmic \(\ell \) with minor adjustments.

Rudich’s proof then considers an adversary that makes a polynomial number of queries to \(\mathcal {O}\) and always succeeds in inverting \(C^\mathcal {O}(x^*)\) for any input \(x^*\). On input \(y^*= C^\mathcal {O}(x^*)\), the adversary A proceeds in iterations, where in each iteration it arbitrarily picks a value x and a possible oracle \(\mathcal {O}'\) that is consistent with what it has learned so far on \(\mathcal {O}\), such that \(y^*= C^\mathcal {O'}(x)\). A then checks if \(C^{\mathcal {O}}(x) = y^*\) (if so \(x = x^*\)), and if not, queries \(\mathcal {O}\) with all queries in the execution of \(C^\mathcal {O'}(x)\) that were not already known. The main observation is that in each iteration, the adversary either learns a new query made in the evaluation of \(C^\mathcal {O}(x^*)\), or finds the correct pre-image \(x=x^*\) of \(y^*\). Hence, if C makes at most q oracle queries, then A is guaranteed to find \(x^*\) within \(q+1\) iterations.

In order to prove this main observation, suppose that in some iteration A does not learn a new query made in the evaluation of \(C^\mathcal {O}(x^*)\) nor does it hold that \(x = x^*\). This means that from A’s point of view, the oracles have so far been defined on disjoint sets of inputs. Now, the idea is that \(\mathcal {O}\) and \(\mathcal {O'}\) can be “glued” together to form a third oracle \(\mathcal {O}'' \in \mathfrak {S}\) such that \(C^\mathcal {O''}(x) = C^\mathcal {O''}(x^*) = y^*\), contradicting the injectivity guarantee of C. In the case of Rudich’s proof, this is straightforward: since \(\mathfrak {S}\) is the family of all length-preserving functions, \(\mathcal {O''}\) can simply be any oracle that is consistent with the answers of \(\mathcal {O}\) and \(\mathcal {O'}\) to the queries made during the evaluations of \(C^\mathcal {O}(x^*)\) and \(C^\mathcal {O'}(x)\), respectively, and can be arbitrarily defined everywhere else. In our case, we need to show that we can complete \(\mathcal {O''}\) to be balanced for every input length.

More generally, this shows that Rudich’s proof does not only apply to length-preserving functions or to correlated-input balanced predicates, but in fact to any function family \(\mathfrak {S}\) that is “sufficiently unstructured” in order to guarantee the following property: For any two functions \(\mathcal {O}, \mathcal {O}' \in \mathfrak {S}\) and for any two disjoint sets of “not too short” inputs X and \(X'\) of polynomial size, there exists a function \(\mathcal {O}'' \in \mathfrak {S}\) that agrees with \(\mathcal {O}\) on the set X and agrees with \(\mathcal {O}'\) on the set \(X'\). We have provided two examples for such families: All length-preserving functions (i.e., where \(\mathcal {O}\) a random oracle) and all balanced predicates. Of course, not all families exhibit this property as some primitives—and in particular injective one-way functions—do imply injective one-way functions in a black-box manner. For example, if we consider \(\mathfrak {S} = \{\mathfrak {S}_n\}_{n \in \mathbb {N}}\) where \(\mathfrak {S}_n\) is the set of all permutations on n-bit strings, then this is obviously not the case even for X and \(X'\) of size one. For any \(n \in \mathbb {N}\) and any distinct \(x, x' \in \{0,1\}^n\), if \(\mathcal {O}(x) = \mathcal {O'}(x')\), then no function \(\mathcal {O''} \in \mathfrak {S}\) can agree both with \(\mathcal {O}\) on input x and with \(\mathcal {O'}\) on input \(x'\), as this will contradict the injectivity of \(\mathcal {O''}\).

Two final remarks are in order. First, one still needs to show that our balanced predicate oracle is hard to invert for correlated inputs. Roughly speaking, this follows from the fact that a truly uniform predicate is correlated-input one way, and is also balanced with an overwhelming probability. Second, our proof readily extends to rule out black-box constructions of the seemingly weaker partially-injective one-way functions from our strengthened variant of \(\mathcal {P}\) that is augmented with a trapdoor algorithm. We refer the reader to Sect. 4 for the formal details.

1.3 Related Work

The Power of Black-Box vs. Non-black-Box Constructions. Our work shows a gap between the power of black-box constructions and the power of non-black-box constructions both in the private-key setting and in the public-key setting.

Such a gap in the private-key setting was previously identified by Mahmoody and Pass [MP12] who proved that one-way functions cannot be used in a black-box manner for constructing a non-interactive commitment scheme. Combining their negative result with the above-mentioned positive result of Barak et al. implies that, under a standard worst-case hardness assumption, the existence of a one-way function is equivalent to that of a non-interactive commitment scheme, although it is strictly weaker when restricted to black-box constructions.Footnote 6

Our work identifies such a gap in the public-key setting as well, by showing that augmenting our primitive \(\mathcal {P}\) with a trapdoor algorithm enables a non-black-box construction of a trapdoor function (while Rudich’s impossibility result still holds), whereas the construction of Barak et al. does not seem to enable an extension to the public-key setting. An additional such gap in the public-key setting was identified by Döttling and Garg [DG17] who presented a breakthrough construction of an identity-based encryption scheme based on the computational Diffie-Hellman assumption, circumventing the impossibility result of Papakonstantinou et al. [PRV12] in the generic-group model.

Derandomization in Cryptography. When compared to the work of Barak, Ong and Vadhan [BOV07] and other applications of derandomization in similar scenarios (e.g., [Lau83, Nao91, DN07, DNR04, BV17]), our work exhibits the following main differences.

  • The underlying cryptographic building block and the resulting primitive in our work are incomparable to those in their work: We rely on a seemingly stronger cryptographic building block (specifically, a correlated-input balanced one-way predicate in our work vs. a one-way function in their work), and obtain a seemingly stronger primitive (an injective one-way function in our work vs. a partially-injective one-way function in their work). A natural question that arises in this context is whether or not our two approaches can be combined and yield a non-black-box construction of an injective one-way function based on any one-way function.

  • We rely on the existence of a hitting-set generator that fools deterministic circuits, whereas Barak et al. rely on the seemingly incomparable assumption that there exists a hitting-set generator that fools co-non-deterministic algorithms. In turn, our transformation relies on the assumption that \(\text{ E } = \text{ DTIME }(2^{O(n)})\) has a function of deterministic circuit complexity \(2^{\Omega (n)}\), whereas Barak et al. rely on the assumption that \(\text{ E } = \text{ DTIME }(2^{O(n)})\) has a function that is not computable for infinitely many input lengths by a probabilistic non-deterministic algorithm that runs in sub-exponential time.

  • Following the work of Barak et al. derandomization using pseudorandom generators was also applied in the recent work of Bitansky and Vaikuntanathan [BV17] (both motivated by the classic applications of derandomization techniques in similar settings [Lau83, Nao91, DN07, DNR04]). The common theme underlying these applications is to derandomize an “almost perfectly correct” primitive into a “perfectly correct” one. This seems somewhat incomparable to our work, where our starting point is not an “almost perfectly correct” injective one-way function, but rather our new notion of a correlated-input balanced one-way predicate. Indeed, it would seem that using an “almost perfectly correct” injective one-way function as our starting point is not enough. Consider for example a collection of functions, where all of them are one way, and most of them are injective. A standard attempt to apply derandomization techniques to construct an injective one-way function from such a collection may naturally rely on the following idea: Given an input x, use a hitting-set generator to choose a small subset of the functions in the collection, evaluate all of these functions on the same input x, and concatenate their outputs. The properties of the hitting-set generator indeed guarantee that the resulting function is injective (since at least one of the functions chosen by the generator is injective), but unfortunately there is no guarantee that this function is actually one way. A similar problem will arise when trying to start with a single function that is almost injective in the sense that it has only a few collisions. Our new primitive \(\mathcal {P}\) is just strong enough to enable the construction of an injective one-way function by applying such techniques, yet still weak enough so that Rudich’s black-box separation directly applies to it.

Strengthening the Framework of Black-Box Constructions. In recent years there have been several approaches for extending the framework of black-box impossibility results to capture various non-black-box techniques. For example, Brakerski et al. [BKS+11] and Asharov and Segev [AS15] showed that various non-black-box constructions that are based on non-interactive zero-knowledge proofs and indistinguishability obfuscation [BGI+12, GGH+13], respectively, can in fact be modeled in a black-box manner. This enabled them to prove various limitations on the power of these two primitives even when used in a particular non-black-box manner. Subsequently, Garg et al. [GMM17] refined the framework of Asharov and Segev to also account for “self-calls” of some primitives that might receive circuits as input (e.g., indistinguishability obfuscation).

Baecher, Brzuska and Fischlin [BBF13] considered more fine-grained variants of black-box constructions. Among their definitions, they considered constructions where the correctness or security guarantees need hold only for the case when the underlying primitive or the adversary in the security reduction are assumed to be efficient. They also went a step further, to consider a more subtle definition in which the security reduction may depend on some parameters of the assumed adversary (such as running time, success probability, etc.), even though its access to the adversary may still be black box. These notions seem related to, but do not precisely capture our non-black-box construction of an injective one-way function, which makes use of knowledge of the implementation size of the underlying primitive (with a security proof that makes black-box use of the adversary).

Most relevant to our work is the work of Pass, Tseng and Venkitasubramaniam [PTV11] that rules out constructions of various cryptographic primitives (e.g., one-way permutations, collision-resistant hash functions, constant-round statistically-hiding commitments, and constant-round black-box zero-knowledge proofs for NP) based on one-way functions, where the implementation of the underlying one-way function can be used in an arbitrary manner both within the construction and within the security proof, but the adversary may only be used in a black-box manner within the proof of security.Footnote 7 Their results are based on average-case strengthenings of the traditional assumption that \(\mathsf{coNP}\) is not contained in \(\mathsf{AM}\). As Pass et al. pointed out, their approach does not seem to extend to ruling out constructions of injective one-way functions (as such functions may not be size-verifiable in general).

More recently, the work of Dachman-Soled [Dac16] strengthened the black-box barrier of constructing a public-key encryption scheme based on one-way functions [IR89] by relying on somewhat similar assumptions. Roughly speaking, her work considers non-adaptive constructions, where both the underlying one-way function and the adversary are used in a black-box manner by the construction and the security proof, respectively, but the security proof is allowed to rely on the implementation of the underlying one-way function in an arbitrary manner (this class of constructions seems orthogonal to our construction).

1.4 Open Problems

Circumventing Other Black-Box Barriers. A natural question that arises is whether we can rely on worst-case assumptions and similar techniques to those we use in order to circumvent other known and long-standing black-box impossibility results. In particular, can such techniques be useful in obtaining a key-agreement protocol from any one-way function or from slightly stronger yet symmetric-key primitives, or in constructing collision-resistant hash functions from any one-way function; circumventing the black-box separation results of Impagliazzo and Rudich [IR89] and of Simon [Sim98], respectively? Conversely, can one enhance the aforementioned impossibility results in a way that will provide evidence that such constructions are unlikely to exist? We refer the reader to Sect. 1.3 for a discussion on recent approaches to broaden the black-box separations framework.

Correlated-Input Balanced One-Way Predicates vs. One-Way Functions. Our new primitive \(\mathcal {P}\) seems to be somewhat stronger than “plain” one-way functions, yet at least from a structural point of view, the added requirement is fairly modest and it seems much weaker than the injectivity requirement of injective one-way functions. A central open question is then the following: Can one construct a correlated-input balanced one-way predicate from any one-way function, resulting – when combined with our result (and a worst-case complexity assumption) – in a construction of an injective one-way function from any one-way function? Alternatively, can it be shown that such a construction is impossible in a black-box manner, thus establishing that a black-box barrier between general one-way functions and their injective counterparts still exists?

Per the latter possibility, it seems that the structural properties of \(\mathcal {P}\) are weak enough, so that at least the techniques underlying Rudich’s approach cannot be applied to ruling out black-box constructions of \(\mathcal {P}\) from one-way functions. More broadly, any separation that aims to derive a contradiction to \(\mathcal {P}\)’s balance requirement (the first property in Definition 1.1) will have to fundamentally deviate from Rudich’s technique due to the following observation. Suppose C is a candidate implementation of an \((\ell , \delta )\)-balanced predicate with respect to some oracle \(\mathcal {O}\), and say we partially fix \(\mathcal {O}\) so that the output of \(C^{\mathcal {O}}\) is determined for a subset X of its possible inputs of length \(n+\ell (n)\). Even if X is of exponential size (in n), then \(C^{\mathcal {O}}\) might still be \((\ell , \delta )\)-balanced for a non-negligible \(\delta \), which is enough for our needs of constructing an injective one-way function.

Constructing Correlated-Input Balanced Trapdoor Predicates. In the current state of affairs, candidates for injective trapdoor functions are scarce. Most candidates rely on specific number-theoretic or lattice based assumptions, and general constructions from other cryptographic primitives either rely on very strong assumptions such as sub-exponential indistinguishability obfuscation [BPW16] or are proven in the random oracle model [BHS+98]. We thus view the construction of our trapdoor version of \(\mathcal {P}\) from new assumptions as a very interesting open problem, as this will imply new constructions for injective trapdoor functions. More specifically, can the trapdoor version of \(\mathcal {P}\) be obtained from public-key encryption (perhaps with additional symmetric primitives)? Can enhancing the latter’s security properties help in such a transformation (similarly to the symmetric case, in which we were able to trade strong security guarantees of related-key secure pseudorandom functions for the structural ones of \(\mathcal {P}\))?

Weakening the Derandomization-Related Assumption. Our construction of an injective one-way function is based on the existence of a hitting-set generator, which in turn is known to exist under the assumption of a non-uniform circuit lower bound (namely, that \(\text{ E } = \text{ DTIME }(2^{O(n)})\) has a function of deterministic circuit complexity \(2^{\Omega (n)}\)). Can this assumption be weakened? More specifically, can similar results be obtained using weaker types of hitting-set generators or pseudorandom generators, known to exist under seemingly weaker complexity assumptions? For example, can results of similar nature be based on the seemingly weaker assumption that \(\mathsf{P=BPP}\), which Goldreich [Gol11] showed to yield certain uniform versions of pseudorandom generators?

Implications to Extensions of Rudich’s Work. A variety of extensions have been developed to Rudich’s impossibility result, including for example [BKS+11, MM11, AS15, AS16, BDV17, RSS17]. Our result does not directly imply that all of these extensions may be circumvented as well, since they deal with primitives that seem either significantly stronger than injective one-way functions (e.g., public-key primitives [BKS+11, AS15] and specific forms of injective one-way functions [MM11, AS16]), or incomparable to injective one-way functions (e.g., bounded-TFNP instances [RSS17]), and are currently not known to be implied by our notion of a correlated-input balanced one-way predicate. An interesting problem that arises given these extensions is to extend our approach to such stronger or incomparable primitives.

1.5 Paper Organization

The remainder of this paper is organized as follows. In Sect. 2 we introduce our notation as well as the basic cryptographic primitives that we consider in this paper. In Sect. 3 we present our constructions of an injective one-way function and of an injective trapdoor function. Finally, in Sect. 4 we show that Rudich’s impossibility result applies not only to constructions based on one-way functions, but also to constructions based on correlated-input balanced one-way predicates (and even when augmented with a trapdoor algorithm).

2 Preliminaries

In this section we present the notation and basic definitions that are used in this work. For a distribution X we denote by \(x \leftarrow X\) the process of sampling a value x from the distribution X. Similarly, for a set \(\mathcal {X}\) we denote by \(x \leftarrow \mathcal {X}\) the process of sampling a value x from the uniform distribution over \(\mathcal {X}\). The statistical distance between two distributions X and Y over a finite domain \(\Omega \) is \(\mathsf{SD}(X, Y) = \frac{1}{2} \sum _{\omega \in \Omega } | {X(\omega )} - {Y(\omega )}|\). For an integer \(n \in \mathbb {N}\) we denote by [n] the set \(\{1,\ldots , n\}\). A function \(\nu : \mathbb {N} \rightarrow \mathbb {R}^+\) is negligible if for any polynomial \(p(\cdot )\) there exists an integer N such that for all \(n > N\) it holds that \(\nu (n) \le 1/p(n)\).

2.1 Hitting-Set Generators

We rely on the following standard notion of a hitting-set generator, as formalized by Goldreich et al. [GVW11], for the class of deterministic circuits (see also [Sip88, CG89, And94, ACR+97, LLS+97, ACR98, GVW11] and the references therein).

Definition 2.1

A deterministic polynomial-time algorithm H is a hitting-set generator that fools deterministic circuits if for every \(n, t \in \mathbb {N}\) the generator H on input \(\left( 1^n, 1^t\right) \) outputs a set \(\mathcal {S}\) such that the following hold:

  • \(\mathcal {S} \subseteq \{0,1\}^n\).

  • For every circuit \(C : \{0,1\}^n \rightarrow \{0,1\}\) of size at most t for which

    $$\begin{aligned} \mathop {\Pr }\limits _{x\leftarrow \left\{ 0,1\right\} ^n} \left[ C(x) = 1\right] \ge 1/4 , \end{aligned}$$

    there exists some \(x^*\in \mathcal {S}\) such that \(C(x^*) = 1\).

Any pseudorandom generator [NW94] that fools deterministic circuits and has a logarithmic seed length immediately gives rise to such a hitting-set generator (by having H enumerate over all possible seeds). This implies the following corollary on which we rely for our constructions in Sect. 3:

Corollary 2.2

([NW94, IW97]). If there exists a function \(f \in \text{ DTIME }(2^{O(n)})\) with deterministic circuit complexity \(2^{\Omega (n)}\), then there exists a hitting-set generator that fools deterministic circuits.

2.2 Injective and Partially-Injective One-Way Functions

In this paper we rely on the following standard notions of one-way functions and injective one-way functions (see, for example, [Gol01]), as well as on the notion of partially-injective one-way functions due to Barak, Ong and Vadhan [BOV07].

Definition 2.3

An efficiently-computable function \(f: \{0,1\}^*\rightarrow \{0,1\}^*\) is one way if for every probabilistic polynomial-time algorithm A there exists a negligible function \(\nu (\cdot )\) such that

$$\begin{aligned} \mathop {\Pr }\limits _{x \leftarrow \{0,1\}^n} \left[ A(1^n, f(x)) \in f^{-1}\left( f(x)\right) \right] \le \nu (n) \end{aligned}$$

for all sufficiently large \(n \in \mathbb {N}\).

An injective one-way function is a function that is both injective and one way. Barak, Ong, and Vadhan [BOV07] introduced the following notion of a partially-injective one-way function.

Definition 2.4

([BOV07]). Let \(m=m(n)\) be a function of the security parameter \(n \in \mathbb {N}\). An efficiently-computable function \(f: \{0,1\}^*\times \{0,1\}^*\rightarrow \{0,1\}^*\) is a partially-injective one-way function if it satisfies the following two requiremets:

  1. 1.

    For every \(n \in \mathbb {N}\), every \(x, x' \in \{0,1\}^n\) such that \(x \ne x'\), and every \(y, y' \in \{0,1\}^{m(n)}\), it holds that \(f(x,y) \ne f(x',y')\) (i.e., f is injective with respect to its first input).

  2. 2.

    For every probabilistic polynomial-time algorithm A there exits a negligible function \(\nu (\cdot )\) such that

    $$\begin{aligned} \mathop {\Pr }\limits _{(x, y) \leftarrow \{0,1\}^{n+m(n)} } \left[ A\left( f(x,y)\right) = x\right] \le \nu (n) \end{aligned}$$

    for all sufficiently large \(n\in \mathbb {N}\).

Note that a partially-injective one-way function with \(m(n)=0\) is in fact an injective one-way function, but for general m(n) this notion seems potentially weaker than that of an injective one-way function. Barak et al. observed that any perfectly-binding non-interactive commitment scheme yields a partially-injective one-way function. Since Barak et al. derandomized Naor’s commitment scheme [Nao91] into a perfectly-binding non-interactive one assuming the existence of a hitting-set generator that fools co-non-deterministic algorithms (recall Sect. 2.1), the following corollary follows.

Corollary 2.5

([BOV07]). Assuming the existence of a hitting-set generator that fools co-non-deterministic algorithms, then one-way functions imply partially-injective one-way functions.

2.3 Injective Trapdoor Functions

We also rely in this paper on the following standard notion of a collection of trapdoor functions (see, for example, [Gol01]).

Definition 2.6

Let \(m = m(n)\) be a function of the security parameter \(n \in \mathbb {N}\). A collection of trapdoor functions is a triplet of efficient algorithms \(\mathcal {F} = (G,F,F^{-1})\) satisfying the following requirements:

  1. 1.

    G is a probabilistic algorithm that on input \(1^n\), samples and outputs a public key \(pk \in \{0,1\}^n\) and a corresponding trapdoor \(td\in \{0,1\}^n\).Footnote 8

  2. 2.

    F is a deterministic algorithm that receives as input a public key \(pk \in \{0,1\}^n\) and an additional input value \(x \in \{0,1\}^n\) and outputs a value \(y \in \{0,1\}^{m(n)}\). We require that for every probabilistic polynomial-time algorithm A there exists a negligible function \(\nu \) such that

    $$\begin{aligned} \mathop {\Pr }\limits _{\begin{array}{c} (td, pk) \leftarrow G(1^n) \\ x \leftarrow \{0,1\}^n \end{array}} \left[ F(pk, A(1^n, pk, F(pk,x))) = F(pk, x) \right] \le \nu (n) \end{aligned}$$

    for all sufficiently large \(n\in \mathbb {N}\).

  3. 3.

    \(F^{-1}\) is a deterministic algorithm that on input (tdF(pkx)) has the following guarantee: For any \(n \in \mathbb {N}\), (tdpk) in the range of \(G(1^n)\) and \(x \in \{0,1\}^n\), it holds that \(F^{-1}(td, F(pk, x))\) outputs \(x' \in \{0,1\}^n\) such that \(F(pk, x') = F(pk, x)\).

We say that \(\mathcal {F}\) is a collection of injective trapdoor functions if for every \(n\in \mathbb {N}\) and any (tdpk) in the range of \(G(1^n)\) the function \(F(pk, \cdot )\) is injective.

3 Our Constructions

In this section we present our non-black-box constructions of an injective one-way function (see Sect. 3.1) and an injective trapdoor function (see Sect. 3.2).

3.1 An Injective One-Way Function

In this section we present our non-black-box construction of an injective one-way function from any correlated-input balanced one-way predicate and any hitting-set generator that fools deterministic circuits. More formally, our construction relies on the following two building blocks:

  • A correlated-input \((\ell ,1/4)\)-balanced one-way predicate \(\mathcal {P}\) (recall Definition 1.1), where \(\ell (n)\) may be upper bounded by any fixed polynomial (e.g., \(\ell (n) = \log ^2(n)\), \(\ell (n)=n^2\)). Let \(t = t{(n)}\) be an upper bound on the size of the circuit computing \(\mathcal {P}(x,r)\) for inputs \(x \in \{0,1\}^n\) (recall that \(r \in \{0,1\}^{\ell (n)}\)).

  • A hitting-set generator H that fools deterministic circuits. Denote by \(T = T(n)\) the size of the set \(\mathcal {S}\) that is produced by the generator H on input \((1^{\ell (n)}, 1^{2t(n) + c})\) for a constant c to be determined later. As discussed in Sect. 2.1, such a generator exists based on the worst-case assumption that \(\text{ E } = \text{ DTIME }(2^{O(n)})\) has a function with deterministic circuit complexity \(2^{\Omega (n)}\).

We note that the choice of the constant 1 / 4 that parameterizes both of our building blocks is rather arbitrary. More generally, the construction may rely on any \((\ell , \delta )\)-balanced predicate and on any \(\epsilon \)-hitting-set generator as long as \(\delta + \epsilon \ge 1/2\) (in Definition 2.1 we fixed \(\epsilon \) to be 1 / 4, but the definition readily extends to any \(\epsilon \in [0,1]\)).

The Construction. On input \(x \in \{0,1\}^n\) our function \(g : \{0,1\}^* \rightarrow \{0,1\}^*\) first computes

$$\begin{aligned} H \left( 1^{\ell (n)}, 1^{2t(n) + c} \right) = \left( r_1,\ldots , r_{T(n)}\right) \in \{0,1\}^{\ell (n) \times T(n)}, \end{aligned}$$

where \(c > 0\) is a fixed constant that we determine later on, and then outputs the value

$$\begin{aligned} g(x) = \left( \mathcal {P}(x,r_1), \ldots , \mathcal {P}(x,r_{T(n)}) \right) \in \{0,1\}^{T(n)}. \end{aligned}$$

The following theorem, which is proved in the full version of this work [RS18], states that g is an injective one-way function based on our assumptions on the underlying building blocks \(\mathcal {P}\) and H:

Theorem 3.1

Assuming that \(\mathcal {P}\) is a correlated-input \((\ell ,1/4)\)-balanced one-way predicate and that H is a hitting-set generator that fools deterministic circuits, the function g is an injective one-way function.

3.2 An Injective Trapdoor Function

We now turn to extend our approach to injective trapdoor functions. Loosely speaking, we augment our primitive \(\mathcal {P}\) with a trapdoor algorithm \(\mathcal {P}^{-1}\), and show that an extension of the construction presented in Sect. 3.1 yields an injective trapdoor function. Informally, knowledge of a trapdoor enables \(\mathcal {P}^{-1}\) to find an \(x\in \{0,1\}^n\) such that \(\mathcal {P}(x,r) = b\) for each pair \((r,b) \in \{0,1\}^{\ell (n)}\times \{0,1\}\) in a set S of such pairs that is given as input to the algorithm, with the proviso that S provides “sufficient information” about x. This last condition may be formalized as a boolean set function \(\phi : \left( \{0,1\}^{\ell } \right) ^*\rightarrow \{0,1\}\) with the interpretation that a set is mapped to 1 if and only if it is “sufficiently rich”. Informally, a reasonable choice of a function \(\phi \) should meet two criteria:

  1. 1.

    For every \(n\in \mathbb {N}\), it should be possible to efficiently come up with a set that satisfy \(\phi \). Otherwise, \(\mathcal {P}^{-1}\) seems of little use.

  2. 2.

    \(\phi \) should be monotone; i.e., if \(S \subseteq T\) and \(\phi (S)=1\), then \(\phi (T)=1\). Intuitively, if \(\phi (S)=1\) has the interpretation that S generates “enough information” on x, then surely this is also the case for T.

A natural choice for \(\phi \), which we will adopt in our definition below, is a function that checks whether or not the input set contains a basis for \(\mathbb {F}_2^{\ell (n)}\) (when each element \(r \in \{0,1\}^{\ell (n)}\) is viewed a vector in \(\mathbb {F}_2^{\ell (n)}\)); that is, \(\phi (S) = 1\) if and only if S contains a subset of \(\ell (n)\) linearly independent r’s. This choice, other than satisfying the aforementioned criteria, enables us to construct a correlated-input balanced trapdoor predicate (as will be defined shortly in Definition 3.2) from any injective trapdoor function, making our trapdoor predicate with respect to that choice of \(\phi \) essential for the existence of injective trapdoor functions.

It should be noted, however, that any choice of \(\phi \) that satisfies the above two criteria yields a predicate that can be used in a non-black-box manner to construct an injective trapdoor function via our transformation, yet (a strengthened version of) Rudich’s proof shows that this is not the case when restricting ourselves to black-box constructions. Indeed, in Sect. 4 we show that this augmented variant of \(\mathcal {P}\) cannot be used in a black-box manner to construct even a partially-injective one-way function.

The following definition naturally extends Definition 1.1 by considering a family of predicates equipped with a trapdoor algorithm, as discussed above:

Definition 3.2

Let \(\ell = \ell (n)\) and let \(\delta = \delta (n)\) be functions of the security parameter. A correlated-input \((\ell ,\delta )\)-balanced trapdoor predicate is a triplet \(\mathcal {T}= (G,P,P^{-1})\) of efficiently-computable algorithms such that:

  • The algorithm G on input \(1^n\) outputs a pair \((pk,td)\in \{0,1\}^*\).

  • For every \(n\in \mathbb {N}\) and for every \(pk \in \{0,1\}^*\) produced by \(G(1^n)\), the function \(P(pk, \cdot ,\cdot ) : \{0,1\}^n \times \{0,1\}^{\ell (n)} \rightarrow \{0,1\}\) is an \((\ell ,\delta )\)-balanced predicate. That is, for any \(x,x' \in \{0,1\}^n\) such that \(x \ne x'\) it holds that

    $$\begin{aligned} \left| \mathop {\Pr }\limits _{r \leftarrow \{0,1\}^{\ell (n)}} \left[ \mathcal {P}(pk, x, r) = \mathcal {P}(pk, x', r) \right] - \frac{1}{2} \right| \le \delta (n). \end{aligned}$$

  • For every \(n, T \in \mathbb {N}\), and for every (pktd) that is produced by \(G(1^n)\), the algorithm \(P^{-1}\) satisfies the following guarantee: On input td and \(\left\{ (r_i, b_i)\right\} _{i=1}^{T} \in \left( \{0,1\}^{\ell (n)} \times \{0,1\}\right) ^{T}\), if the set \(\{r_i\}_{i=1}^T\) contains a subset of \(\ell (n)\) linearly independent elements and there exists an \(x \in \{0,1\}^n\) such that \(P(pk, r_i) = b_i\) for every \(i \in [T]\), then \(P^{-1}\) outputs such an x. Otherwise, \(P^{-1}\) outputs \(\bot \).

  • For any probabilistic polynomial-time algorithm A there exists a negligible function \(\nu (\cdot )\) such that

    $$\begin{aligned} \Pr \left[ \mathsf {Invert}_{\mathcal {T},A}(n) = 1 \right] \le \nu (n) \end{aligned}$$

    for all sufficiently large \(n \in \mathbb {N}\), where the experiment \(\mathsf {Invert}_{\mathcal {T},A}(n)\) is defined as follows:

    1. 1.

      \(\left( \mathsf {state}, r_1, \ldots , r_{T} \right) \leftarrow A(1^n, pk)\) for \(r_1, \ldots , r_T \in \{0,1\}^{\ell (n)}\), where \(T = T(n)\) may be any polynomial determined by A and \((pk, td) \leftarrow G(1^n)\).

    2. 2.

      \(x' \leftarrow A \left( \mathsf {state}, P_{pk} \left( x, r_1 \right) ,\ldots , P_{pk} \left( x, r_T \right) \right) \) where \(x \leftarrow \{0,1\}^n\).

    3. 3.

      If \(x' = x\) then output 1, and otherwise output 0.

Observe that the existence of \(\mathcal {T}\) is indeed essential for the existence of an injective trapdoor function. Let \(\mathcal {F} = (G_F,F,F^{-1})\) be any collection of injective trapdoor functions, and consider the construction \(P_{pk}(x,r) = \langle F_{pk}(x),r \rangle \). This is essentially (a keyed version of) the same construction that we had in the symmetric case, and P is thus both balanced for every pk and correlated-input one way for the same reasons as before. As for the inversion algorithm \(P^{-1}\), note that given the construction P, every pair (rb) in the input to \(P^{-1}\) may be interpreted as a linear equation with \(\ell (n)\) variables over \(\mathbb {F}_2\): \(\langle F_{pk}(x), r\rangle = b\). Hence, when the input to \(P^{-1}\) contains \(\ell (n)\) linearly independent r’s (which is only then that it is required to return a pre-image x), it can uniquely recover \(z = F_{pk}(x)\) and invoke \(F_{td}^{-1}\left( z \right) \) to find x.

Similarly to Sect. 3.1, our construction of an injective trapdoor function is based a hitting-set-generator against deterministic circuits H, but we replace the correlated-product \((\ell ,1/4)\)-balanced one-way predicate \(\mathcal {P}\), with a correlated-product \((\ell ,1/4)\)-balanced trapdoor predicate \(\mathcal {T}= (G, P, P^{-1})\). As before, we let \(t = t(n)\) be an upper bound on the size of the circuit computing \(P_{pk}(x,r)\) for \(x \in \{0,1\}^n\) and let \(T= T(n)\) denote the size of \(\mathcal {S} = \{r_1,\ldots ,r_T\}\) - the output set of H on input \((1^{\ell (n)}, 1^{2t(n)+c})\).

The Construction. The construction extends that of an injective one-way function presented in Sect. 3.1. The main difference is that we need to make sure that the output of \(F_{pk}(x)\) encodes “enough information” on x so that we may use \(P^{-1}_{td}\) to implement the inversion algorithm \(F^{-1}_{td}\). To ensure that, when computing \(F_{pk}(x)\), we will also invoke \(P_{pk}\) on \((x,e_{1}),\ldots ,(x,e_{\ell (n)})\), where \(e_1,\ldots ,e_{\ell (n)}\) are the standard basis vectors, interpreted as binary strings of length \(\ell (n)\). The output of \(F_{pk}(x)\) will then consist of two parts: The first part \(P_{pk}(x, r_1),\ldots ,P_{pk}(x,r_T)\) ensures injectivity (as in Sect. 3.1), while the second part \(P_{pk}(x, e_1),\ldots ,P_{pk}(x, e_{\ell (n)})\) ensures efficient invertibility.

Concretely, given the aforementioned ingredients, we construct an injective trapdoor function \(\mathcal {F} = (G_F, F, F^{-1})\) as follows:

  • The algorithm \(G_F\) on input \(1^n\) invokes \(G(1^n)\), and outputs its output (pktd).

  • The algorithm F on input \((pk, x) \in \{0,1\}^n \times \{0,1\}^n\) computes \(H(1^{\ell (n)}, 1^{2t(n)+c}) = (r_1,\ldots ,r_T)\), and outputs

    $$\begin{aligned} F_{pk}(x) = \left( P_{pk}(x, r_1),\ldots P_{pk}(x,r_T),P_{pk}(x,e_1),\ldots ,P_{pk}(x,e_{\ell (n)}) \right) . \end{aligned}$$

  • The algorithm \(F^{-1}\) on input \((td, y) \in \{0,1\}^n \times \{0,1\}^{T+\ell (n)}\) computes \(H(1^{\ell (n)}, 1^{2t(n)+c}) = (r_1,\ldots ,r_T)\), and outputs

    $$\begin{aligned} F^{-1}_{td}(y) = P^{-1}_{td}\left( (r_1, y_1),\ldots , (r_T, y_{T}),(e_1,y_{T+1}),\ldots ,(e_{\ell (n)}, y_{T+\ell (n)}) \right) \end{aligned}$$

    where \(y_i\) denotes the ith bit of y for every \(i \in \{ 1, \ldots , T+\ell (n) \}\).

Theorem 3.3

Assuming that \(\mathcal {T}= (G, P, P^{-1})\) is a correlated-input \((\ell ,1/4)\)-balanced trapdoor predicate and that H is a hitting-set generator that fools deterministic circuits, the triplet \(\mathcal {F} = (G_F, F, F^{-1})\) is an injective trapdoor function.

The proof of Theorem 3.3 can be found in the full version [RS18].

4 Applying Rudich’s Impossibility to Correlated-Input Predicates

In this section we show that Rudich’s impossibility result [Rud88] can be applied to correlated-input balanced trapdoor predicates. That is, we show that there is no black-box construction of an injective one-way function from such a predicate. In fact, we prove a stronger result, showing that there is no black-box construction of a partially-injective one-way function (as defined by Barak, Ong and Vadhan [BOV07]) from such a predicate (recall Definition 2.4). Since any injective trapdoor function is also an injective (and a partially-injective) one-way function, it trivially follows that the former also cannot be constructed in a black-box manner from our predicate. We prove the following theorem:

Theorem 4.1

There is no black-box construction of a partially-injective one-way function based on a correlated-input \((\ell (n), \delta (n))\)-balanced trapdoor predicate, where \(\ell (n)=n\) and \(\delta (n) = 2^{-n/3}\).

We note that, as with Rudich’s original statement, the above theorem applies even to semi-black-box constructions (i.e., cases where the construction itself is black box, but adversaries may be used in a non-black-box manner within the proof of security – see [RTV04] for more details). In addition, we note that our choice of \(\ell (n) = n\) is done purely for simplicity, and our proof applies to any super-logarithmic \(\ell (n)\) (recall that a logarithmic \(\ell (n)\) does imply an injective one-way function in a black-box manner – see Sect. 1.2).

In what follows we first describe the oracle that enables us to prove our result (essentially replacing Rudich’s random function with a random predicate and complementing it with a trapdoor oracle). We describe and analyze (a slightly modified version of) Rudich’s attacker with respect to this oracle, showing that it can invert any partially-injective one-way function. Then, we show that this oracle is an exponentially-secure correlated-input balanced trapdoor predicate for poly-query adversaries. Theorem 4.1 then immediately follows (see, for example, [Rud88, IR89, RTV04]). Throughout our proof we rely on the following standard notion of a q-query algorithm:

Definition 4.2

Let A be an oracle-aided algorithm and let \(q = q(n)\) be a function of the security parameter \(n \in \mathbb {N}\). Then, A is a q-query algorithm if for any \(n \in \mathbb {N}\) it holds that A issues at most q(n) oracle queries when invoked on inputs of length n.

The Oracle. Our oracle is a triplet \(\mathcal {T}= (\mathcal {G}, \mathcal {P}, \mathcal {P}^{-1}) = \{(\mathcal {G}_n, \mathcal {P}_n, \mathcal {P}^{-1}_n)\}_{n \in \mathbb {N}}\) of three sub-routines. For every \(n \in \mathbb {N}\), the functions \(\mathcal {G}_n, \mathcal {P}_n\) and \(\mathcal {P}^{-1}_n\) are defined as follows:

  • The function \(\mathcal {G}_n: \{0,1\}^n \rightarrow \{0,1\}^{n}\) is a uniformly chosen function from \(\{0,1\}^n\) to \(\{0,1\}^{n}\). Looking ahead, \(\mathcal {G}_n\) will be used for mapping trapdoors to corresponding public keys.

  • For any \(pk \in \{0,1\}^{n}\) the function \(\mathcal {P}_n(pk, \cdot , \cdot ):\{0,1\}^{n} \times \{0,1\}^{n} \rightarrow \{0,1\}\) is a predicate sampled uniformly at random from all predicates of suitable input-length that are correlated-input \(\delta (n)\)-balanced, independently of \(\mathcal {P}_n(pk', \cdot , \cdot )\) for any \(pk' \ne pk\). That is, for any \(pk \in \{0,1\}^{n}\), the predicate \(\mathcal {P}_n(pk, \cdot , \cdot )\) is sampled uniformly subject to the condition that for any distinct \(x,x' \in \{0,1\}^n\) it holds that

    $$\begin{aligned} \left| \mathop {\Pr }\limits _{r \leftarrow \{0,1\}^n} \left[ \mathcal {P}_n(pk,x, r) = \mathcal {P}_n(pk,x', r) \right] - \frac{1}{2} \right| \le 2^{-n/3}. \end{aligned}$$

  • For any \(td \in \{0,1\}^{n}\), the function \(\mathcal {P}^{-1}(td, \cdot ): \left( \{0,1\}^{n} \times \{0,1\}\right) ^* \rightarrow \{0,1\}^n \cup \{\bot \}\) is defined as follows. For \(R = \left\{ (r_i, b_i)\right\} _i \in \left( \{0,1\}^{n} \times \{0,1\}\right) ^*\) define the set:

    $$\begin{aligned} X_{td, R} = \left\{ \ x\in \{0,1\}^n: \exists pk\in \{0,1\}^n \text { s.t. } \mathcal {G}(td)=pk \wedge \forall i, \mathcal {P}(pk, x, r_i) = b_i\right\} . \end{aligned}$$

    Then, for every \(R \in \left( \{0,1\}^{n} \times \{0,1\}\right) ^*\), if \(X_{td, R} \ne \emptyset \), \(\mathcal {P}_n^{-1}(td, R)\) returns a uniformly chosen element in the set. Otherwise, it returns \(\bot \).

We denote the set of all such oracles by \(\mathfrak {S}\).

4.1 Inverting Partially-Injective One-Way Functions

Suppose F is an s-size, q-query black-box implementation of a partially-injective one-way function from the oracle \(\mathcal {T}\) for some polynomially bounded \(s = s(n)\) and \(q = q(n)\). We assume without loss of generality that before each query of the form \((td, \{(r_i, b_i)\}_i)\) that F makes to \(\mathcal {P}^{-1}\), it also obtains \(pk = \mathcal {G}(td)\) via a single query to \(\mathcal {G}\), and after learning \(x = \mathcal {P}^{-1}(td, \{(r_i, b_i)\}_i)\) it also queries \(\mathcal {P}\) with \((pk,x,r_i)\) for each \(r_i\) (if \(x = \bot \), we forgo these queries to \(\mathcal {P}\)). Note that as F makes at most q(n) queries to \(\mathcal {P}^{-1}\) and each of which involves at most s(n) values of r, this adds at most \(q(n)\cdot \left( s(n)+1 \right) \) queries to the computation. For ease of notation we simply assume F makes the afore-described queries and continue to bound on the total number of queries made by F by q(n).

The following lemma shows that for every black-box implementation F of a partially-injective one-way function from the oracle \(\mathcal {T}\), there exists a poly-query adversary that on input \(F^\mathcal {T}(x,y)\) always finds x.

Lemma 4.3

Let \(q = q(n), s = s(n)\) and let F be an s-size, q-query algorithm such that for every \(\mathcal {T}\in \mathfrak {S}\) it holds that \(F^{\mathcal {T}}: \{0,1\}^* \rightarrow \{0,1\}^*\) is partially injective. Then, there exists an \(O(q^6 \cdot s^6)\)-query algorithm A such that

$$\begin{aligned} \mathop {\Pr }\limits _{(x, y) \leftarrow \{0,1\}^{n+m(n)} } \left[ A^\mathcal {T}\left( F^\mathcal {T}(x,y)\right) = x\right] = 1 \end{aligned}$$

for all sufficiently large \(n\in \mathbb {N}\).

Consider the following attacker A, that on input \(v^*\) finds \(x^*\) such that there exists some \(y^*\) for which \(F^\mathcal {T}(x^*, y^*) = v^*\):

  • Input: A string \(v^*\in \{0,1\}^*\), which is the output of \(F^\mathcal {T}\) on input \((x^*, y^*) \in \{0,1\}^{n + m(n)}\).

  • Initialize: A initializes a set \(Q(A) = \emptyset \), to hold all query/answer pairs to \(\mathcal {T}\) that A learns throughout the attack.

  • Learning: Let \(n' = 2\log \left( 2q(n) \cdot s(n)\right) \). A queries \(\mathcal {P}\) with all queries of length at most \(3n' = n' + n' + \ell (n')\), and updates Q(A) accordingly.

  • Iteration: A runs \(q(n) + 1\) iterations of the following three steps:

    1. 1.

      Simulation: A finds a possible execution of F that is consistent with Q(A) and \(v^*\). That is, A finds inputs xy, and an oracle \(\widehat{\mathcal {T}}=(\widehat{\mathcal {G}}, \widehat{\mathcal {P}}, \widehat{\mathcal {P}}^{-1}) \in \mathfrak {S}\) that is consistent with Q(A), such that \(F^{\widehat{\mathcal {T}}}(x,y) = v^*\).

    2. 2.

      Evaluation: A evaluates \(F^\mathcal {T}(x,y)\) (note that the evaluation is done with the true oracle \(\mathcal {T}\)). In case \(F^\mathcal {T}(x,y) = v^*\), A terminates and outputs x.

    3. 3.

      Update: A queries the true oracle \(\mathcal {T}\) with all queries made in the execution of \(F^{\widehat{\mathcal {T}}}(x,y)\) and are not in Q(A), and updates Q(A) accordingly. Additionally, for any query of the form \(u = (td, \{(r_i, b_i)\}_i)\) that A makes to (the true oracle) \(\mathcal {P}^{-1}\) in the update phase, it also queries \(\mathcal {P}\) with \((pk,x,r_i)\) for each \(r_i\), where x is the answer to u according to \(\widehat{\mathcal {P}}^{-1}\) (if \(x = \bot \), A forgoes these queries to \(\mathcal {P}\)), and pk is the public-key associated with td according to \(\widehat{\mathcal {G}}\); i.e., \(pk = \widehat{\mathcal {G}}(td)\).Footnote 9

The success and query efficiency of A follow immediately by the following claim, a proof for which is given in the full version [RS18].

Claim 4.4

In each iteration, at least one of the following events occur:

  1. 1.

    A queries \(\mathcal {T}\) with a query that is made by the execution of \(F^\mathcal {T}(x^*, y^*)\), but was not in Q(A) at the beginning of the iteration.

  2. 2.

    A finds \(x^*\) and some y for which \(F^\mathcal {T}(x^*,y) = v^*\), and terminates.

Proof of Lemma 4.3 from Claim 4.4. Since \(F^\mathcal {T}(x^*, y^*)\) makes at most q(n) queries to \(\mathcal {T}\), by Claim 4.4 and the pigeon-hole principle, there exists an iteration in which A finds \(x^*\) and terminates. Moreover, during the learning phase, A queries the oracle with \(O\left( q(n)^6 \cdot s(n)^6\right) \) queries, and in each iteration it queries the oracle with at most \(q(n)\cdot \left( s(n) + 2\right) \) new queries. Since there are at most \(q(n) + 1\) iterations, A is an \(O(q^6 \cdot s^6)\)-query algorithm. \(\square \)

4.2 \({\varvec{\mathcal {T}}}\) is One Way for Correlated Inputs

The proof that the oracle \(\mathcal {T}\) is one way for correlated inputs (according to Definition 3.2) consists of the following two steps. First, we show that a uniformly-chosen predicate (not necessarily balanced) is one way with an extremely high probability. Then, we show that the uniform distribution over predicates is statistically close to the uniform distribution over balanced predicates (for our choice of \(\ell (n)=n\) and \(\delta (n) = 2^{-n/3}\)).

In more detail, recall that the trapdoor and public key in the experiment \(\mathsf {Invert}_{\mathcal {T},A^\mathcal {T}}(n)\) are chosen as follows: First, the trapdoor td is chosen uniformly at random from the set \(\{0,1\}^n\) and then the public key is set to be \(pk = \mathcal {G}(td)\). Now, let \(R_{n}\) denote the uniform distribution over predicates mapping a triplet of strings of length n each, to an output bit (i.e., if \(\mathcal {P}_n\) is a predicate drawn from \(R_{n}\), then for every \(pk \in \{0,1\}^{n}\) and \(x,r \in \{0,1\}^n\) it holds that \(\mathcal {P}(pk,x,r)\) is a uniformly-chosen bit which is independent of the value of \(\mathcal {P}_n\) on all other inputs). The following lemma shows that when \(\mathcal {P}_n\) is sampled from \(R_{n}\), then any poly-query adversary inverts \(\mathcal {P}= \left\{ \mathcal {P}_{n'} \right\} _{n' \in \mathbb {N}}\) on inputs of length n (vis-à-vis Definition 3.2) with probability that is negligible in n, regardless of how \(\mathcal {P}_{-n}\) is chosen (where we use \(\mathcal {P}_{-n}\) to denote \(\mathcal {P}\setminus \left\{ \mathcal {P}_n \right\} \)).

Lemma 4.5

Let \(q = q(n)\) be a function of the security parameter \(n \in \mathbb {N}\). For any q-query algorithm A, any \(n\in \mathbb {N}\) and any fixing of \(\mathcal {P}_{-n}\), it holds that

$$\begin{aligned} \Pr \left[ \mathsf {Invert}_{\mathcal {T},A^\mathcal {T}}(n) = 1 \right] \le \frac{2q(n)}{2^n - q(n) } \end{aligned}$$

where \(\mathcal {P}_n \leftarrow R_{n}\).

The proof of Lemma 4.5 is provided in the full version [RS18].