Oracle Separation in the Non-uniform Model
Ahto Buldas1,2,3, , Sven Laur3 , and Margus Niitsoo1,3
2
1
Cybernetica, Akadeemia tee 21, 12618 Tallinn, Estonia
Tallinn University of Technology, Raja 15, 12618 Tallinn, Estonia
3
University of Tartu, Liivi 2, 50409 Tartu, Estonia
{Ahto.Buldas,Sven.Laur,Margus.Niitsoo}@ut.ee
Abstract. Oracle separation methods are used in cryptography to rule out blackbox reductions between cryptographic primitives. It is sufficient to find an oracle
relative to which the base primitive exists but there are no secure instances of
the constructed primitive. In practice, it is beyond our current reach to construct
a fixed oracle with such properties for most of the reductions because it is difficult to guarantee the existence of secure base primitives. For example, to show
that there exist no black-box reductions from collision-free functions to one-way
permutations we have to show that secure one-way permutations exist relative
to the oracle. However, no deterministic constructions for unconditionally secure
one-way permutations are known yet. To overcome this gap, randomized oracles are used to create random base primitives that are secure on average. After
that, a fixed oracle with the desired properties is extracted from the probability distribution by using non-constructive combinatorial arguments such as the
first Borel-Cantelli lemma. This oracle extraction argument only applies to uniform reductions because it uses the countability of the set of all uniform Turing
machines. In this work, we show how to adapt oracle separation results to the
non-uniform security model. We consider the known separation techniques that
are capable of ruling out the so-called fully black-box reductions and show that
they can be extended to the non-uniform model with only minor modifications.
As almost all separation results known to date fit into our separation framework,
we conclude that they imply non-existence of fully black-box reductions in the
non-uniform model. We also generalize our approach to a certain strong form of
semi-black-box reductions. However, it stays an open question whether it is possible to adapt our technique to the weaker notions of black-box reductions in the
non-uniform model.
1 Introduction
Complex cryptographic protocols are often built from simpler building blocks called
primitives. Usually, the security of such protocols is proved based solely on the security
guarantees of the original primitives independent of their actual implementation details.
Such constructions are called black-box reductions. To date, almost all security proofs
for efficient cryptographic constructions utilize black-box reductions.
This research was supported by the European Regional Development Fund through the Estonian Center of Excellence in Computer Science (EXCS), by Estonian SF grant no. 6944, and
by EU FP6-15964: “AEOLUS”.
J. Pieprzyk and F. Zhang (Eds.): ProvSec 2009, LNCS 5848, pp. 230–244, 2009.
c Springer-Verlag Berlin Heidelberg 2009
Oracle Separation in the Non-uniform Model
231
Although back-box reductions are extremely useful cryptographic tools, there exist
limits on where they can be applied. There are many known cases for which it is proved
that such a reduction cannot exist. This usually means that a very clever proof construction is necessary if the reduction can be achieved at all. As very few of these clever
constructions are known, the power and limits of black-box reductions are of a rather
special interest to many people working in the field.
The first separation result involving black-box reductions was given in 1989 by Impagliazzo and Rudich [5]. They showed that there are no such reductions from key
agreement protocols to one-way functions. Their seminal paper was followed by a long
line of similar types of results [3,4,8]. The approach was even generalized by Kim,
Simon and Tetali [6] to give bounds on reduction efficiency. Though all these results
leave open the existence of more specific security proofs they are still valuable hardness
indicators as they rule out the most obvious approaches.
Non-existence of black-box reductions is commonly shown by oracle separation
techniques. In complexity theory, oracle separation has been widely applied to prove
limits of the proving techniques capable of establishing set-theoretical inclusions between complexity classes. For example, with oracle separation one can easily show that
diagonal arguments are insufficient to solve the famous P vs NP question. This is
done by showing two oracles—one relative to which the conjecture holds and another
for which it does not. In cryptography, oracle separation is used to argue that it is impossible to securely implement a primitive or a protocol P given only black-box access
to a secure low-level primitive f as an instance of a class of primitives Q. This is done
by defining an oracle such that the primitive f remains secure even if the adversary can
access the oracle but any instance Pf of the protocol P being considered is insecure
relative to the oracle.
In classical separation results of complexity theory, oracles are defined as fixed functions that always behave the same way. In cryptographic separations, it is often hard
to explicitly define a fixed separation oracle. For example, if one wishes that one way
functions exist relative to the oracle, an explicit functional description of such function
should then be given (as a part of the oracle). This is however still unreachable for the
state of the art computer science—the existence of one way functions is conjectured but
not yet proved. So, in cryptographic separations we often assume that oracles are chosen randomly from certain probability distributions. We then prove that the separation
statements hold on average and then argue that there exists a particular choice of the
oracle for which the statements hold. For example, one-way functions indeed exist in
the random oracle model because random functions are one-way on average [5].
For modeling (simulating) a random oracle, it is often fruitful to assume that oracles
are stateful— their output on a given input depends not only on the random choices but
also on the previous queries made to the primitive. Such extensions can still be modeled
via deterministic functions by just giving them random coins and their state as an extra
input parameter. However, as the oracle separation results usually construct an oracle
that gives an idealized implementation of the primitive, it makes sense to allow this
oracle to also be either randomized or stateful. This is often modeled by constructing
a large family of suitable deterministic oracles and then analyzing what happens on
average if we pick one of them randomly. The same situation can also be formalized
232
A. Buldas, S. Laur, and M. Niitsoo
by having a large oracle that models the whole family and then giving it access to a
randomness source so it could internally fix which constituent oracle it would use. This
means that the reductions essentially use a randomized oracle.
It would then seem natural that the oracle separation results would also be stated with
respect to the random oracles. However, as the classical separation theorems are adopted
from the classical model, the authors still try to make their oracle choice deterministic.
Such an oracle extraction approach, though, has a big limitation—it usually requires
the use of Borel-Cantelli lemma which only works when there are only countably many
potential adversaries. In brief, non-existence of reductions can only be shown in the
uniform model via this approach, as the set of non-uniform Turing machines is not
countable.
In this paper, we show that in many cases the oracle extraction step is actually unnecessary and propose a new oracle separation approach that is also applicable for
non-uniform and precise reductions. For that, we show that there is a hierarchy of separation results depending on whether we treat cryptographic primitives as deterministic
functions or randomized algorithms. As the main result, we prove that a separation
result for randomized stateless primitives also implies the non-existence of black-box
reductions for deterministic primitives. This means that one can freely use randomized
oracle constructions to establish classical separation results. In particular, all classical
separations [5,8,4] that were proved in the uniform setting can be shown to hold in the
non-uniform and precise settings with just minor restrictions.
2 Preliminaries
By x ← D we mean that x is chosen randomly according to a distribution D. If A is a
probabilistic function or a Turing machine, then x ← A(y) means that x is chosen according to the output distribution of A on an input y. If D1 , . . . , Dm are distributions and
F (x1 , . . . , xm ) is a predicate, then Pr [x1 ← D1 , . . . , xm ← Dm : F (x1 , . . . , xm )]
denotes the probability that F (x1 , . . . , xm ) is true.
We use the Big Oh notation for describing asymptotic properties of functions. In
particular, f (k) = O(1) means that f is bounded and f (k) = k −ω(1) means that f (k)
decreases faster than any polynomial, i.e., f is negligible. A Turing machine M is polytime if it runs in time k O(1) , where k denotes the input size that is mostly referred to as
the security parameter.
By an oracle Turing machine we mean an incompletely specified Turing machine S
that comprises calls to oracles. The description can be completed by defining the oracle
∗
∗
as a function O : {0, 1} → {0, 1} . In this case, the machine is denoted by SO . The
function y ← O(x) does not have to be computable but has a conditional running time
t(x), which does not necessarily reflect the actual amount of computations needed to
produce y from x. The running time of SO comprises the conditional running time of
oracle calls—each call O(x) takes t(x) steps. We assume that all the oracles O are polyO(1)
time, that is t(x) = |x|
, where |x| denotes the bit-length of x. Note that though
the classical complexity-theoretic oracles only require a single step, this more general
notion is appropriate in cryptography where oracles often model abstract adversaries
with running time t. We say that S is a poly-time oracle machine if SO runs in polytime, whenever O is poly-time. By a non-uniform poly-time oracle machine we mean an
Oracle Separation in the Non-uniform Model
233
ordinary poly-time oracle machine S together with a family A = {ak }k∈N of (advice)
bit-strings ak with length k O(1) . For any oracle O and any input x, it is assumed that
SO (x) has access to the advice string a|x| . Usually, the advice strings are omitted for
simplicity, but their presence must always be assumed when S is non-uniform. One of
the most important facts about non-uniform poly-time Turing machines is that there
is an uncountable number of them, whereas there are only countably many ordinary
Turing machines.
3 Primitives
Complex cryptographic constructions can often be decomposed into a few fundamental building blocks that are called primitives. One is usually interested in proving the
security of constructions based solely on the properties of the underlying primitives.
Reingold et al. [7] give a formal definition by considering primitives as families of
functions of type f : {0, 1}∗ → {0, 1}∗ along with a matching between these functions
and Turing machines implementing them. Indeed, for many common primitives such as
one-way permutations or collision-resistant hash functions this formalization coincides
with our intuition—an instance of a primitive is indeed just one function.
In some more complicated cases that actually have more than one type of functionality, it may make more sense to define a primitive as a tuple of functions. However, we
can usually concatenate these functions into one single function—we just use the first
few input bits to tell the function which subfunction we want to use. This means that
we can still formalize the primitive as one single function, although it may be a little
counter-intuitive.
A primitive is usually defined in terms of functional requirements that the instances
of the primitive must satisfy before it makes sense to talk about their security. These
requirements, though, are just syntactic and have nothing to do with security. For example, every permutation is an instance of the one-way permutation primitive, however, it
does not have to be a secure instance.
However, in the context of cryptography we also need to talk about security. Reingold
et al. [7] define security in terms of a relation between primitives and Turing machines
possibly breaking them. That is, a given machine either breaks the given primitive or it
doesn’t. However, many common cryptographic primitives (such as one-way functions)
already have randomness in their security games and thus breakages actually occur with
certain probability. Hence, it makes sense to define the advantage as a function even for
deterministic primitives and Turing machines. The advantage is usually defined in terms
of the security parameter k which is usually tied to the actual input (or output) lengths
used in the function1. All this leads to the following general definition.
Definition 1 (Deterministic primitive). A deterministic primitive P is a set of functions of type f : {0, 1}∗ → {0, 1}∗. Primitives have an advantage function A DVP
k (·, ·),
which given as input the security parameter k ∈ N, an instance f of P, and an oraO
cle Turing machine AO (an adversary) returns a real number A DVP
k (f, A ) ∈ [0, 1]
1
By definition, the functions are required to work for all input lengths. This could be relaxed by
defining some restrictions in the functional requirements part.
234
A. Buldas, S. Laur, and M. Niitsoo
(the advantage of AO ). The function A DVP
k (f, ·) is extended to probabilistic Turing machines by taking the average over their randomness strings, assuming that each fixed
randomness string gives a deterministic poly-time Turing machine for which A DV P () is
O
−ω(1)
.
already defined. We say that AO breaks an instance f of P if A DV P
k (f, A ) = k
O
If for a fixed oracle O no probabilistic poly-time oracle Turing machine A breaks f
then f is said to be secure relative to O.
We emphasize that our definition says nothing about the efficiency of f . The function
may even be non-computable, as long as the advantage that can be gained by any adversary is negligible. Of course, in practice one needs an instantiation of a primitive that is
both efficient and secure. Commonly, it is required that we can compute the function f
with a (uniform) poly-time Turing machine for f to be called efficient.
This definition of a deterministic primitive can naturally be extended to the randomized case in the following way.
Definition 2 (Randomized primitive). Let P be a deterministic primitive. Then the
corresponding randomized primitive Pr is the set
Pr = {f : R × {0, 1}∗ → {0, 1}∗|∀r ∈ R : f (r, ·) ∈ P}
r
r
and A DV P
A DV P
k (f, ·) = E
k (f (r, ·), ·) , where R is a randomness space.
r∈R
In order to define stateful primitives, we must extend the advantage function A DV ()
consistently to state machines. As it is technically cumbersome and yields no additional
insight, we leave it to Appendix A. It is also straightforward to define randomized stateful primitives by combining the two modifications made to the deterministic case. Since
neither of the extensions actually forces us to introduce extra parameters (we can always
take S = {∅} and R = ∅), it is clear that these four classes form a hierarchy in terms
of set inclusions.
4 Reductions
Reductions capture the relations between different security notions. A primitive P can
be reduced to a primitive Q if there exists a construction that given a secure instance of
the primitive Q yields a secure instance of P. Most common cryptographic reductions
are black-box reductions, where an instance f of a primitive Q is treated as an atomic
object in the construction and in the security proof. Despite of the ubiquity, the exact
definition of black-box reductions is somewhat vague in the cryptographic literature.
Impagliazzo and Rudich [5] were the first to informally define the notion of black-box
reductions. A more formal definition was later given by Gertner et al. [3]. In this work,
we consider four sub-notions of black-box reductions.
The first step towards classification of black-box reductions was made by Reingold,
Trevisan and Vadhan [7]. They showed a complex hierarchy of 7 types of different reductions. Our classification is based on their work but leaves out some of the more
general reductions and introduces one that actually arises quite often in practice. Also,
Oracle Separation in the Non-uniform Model
235
we assume that the reduction construction is deterministic whereas the original hierarchy uses probabilistic Turing machines everywhere. This is necessary for reductions
between deterministic primitives as the reduction cannot be allowed any randomization
in that case. If we consider randomized primitives, P can usually be made deterministic
even when it is randomized in essence— the key idea is to use the oracle as a source of
randomness. This approach was already used by Impagliazzo and Rudich [5] in the first
paper about oracle separations in cryptology.
In the first three definitions, the construction of a derived primitive is independent
of the actual implementation of P, whereas the construction itself may depend on the
implementation in the last definition. The reduction in question is uniform if all oracle
machines in the corresponding definition are uniform, otherwise the reduction is nonuniform. We assume that the construction P is always deterministic but the adversaries
are allowed to be randomized.
f
Definition 3. A fully black-box reduction P =⇒ Q is determined by two poly-time oracle machines P and S, satisfying the following two conditions:
(C) If f implements Q then Pf implements P.
(S) For every instance f ∈ Q, if A breaks Pf (as P) then SA,f breaks f (as Q).
In brief, we must to provide a universal oracle algorithm S that can handle all successful adversaries to establish a fully black-box reduction. So-called semi-black-box
reductions weaken this restriction by allowing for some specialization in the security
proofs. The degree to which the specialization can go is different for different authors.
We give two possible definitions, one just slightly stronger than the other.
ss
Definition 4. Strong semi-black-box reduction P =⇒ Q is determined by a poly-time
oracle machine P, satisfying the following two conditions:
(C) If f correctly implements Q then Pf correctly implements P.
(S) For all poly-time oracle machines A there exists a poly-time oracle machine B such
that for every instance f ∈ Q if Af breaks Pf then Bf breaks f .
ws
Definition 5. Weak semi-black-box reduction P =⇒ Q is determined by a poly-time oracle machine P, satisfying the following two conditions:2
(C) If f correctly implements Q then Pf correctly implements P.
(S) For every instance f ∈ Q and a poly-time oracle machine A, there exists a polytime oracle machine B such that if Af breaks Pf then Bf breaks f .
The difference between the two reduction types is very subtle. In the strong case, the
construction of B may non-constructively depend on A and P but it has to be universal
for all f ∈ Q. In the weak case, such a universal B might not exist—the construction of
B may depend on f as well as on A and P. This subtle difference is however extremely
important, as it seems to create a theoretical boundary for at least one general separation
method we show later.
In both semi-black-box reductions P must be universal for all valid instances f ∈ Q
and as such, specific properties of an instance f cannot be used in the construction.
2
This was the reduction given by Reingold et al. [7] as the semi-black-box reduction.
236
A. Buldas, S. Laur, and M. Niitsoo
Variable semi-black-box reductions3 weaken even this restriction so that the constructions of both P and B may depend on the instance f . However, such constructions must
exist for all instances of Q regardless of the actual efficiency of f . If we restrict f in
the following definition to efficiently implementable instances of Q, then we get the
definition of white-box reductions, which is the most general type of reductions.
v
Definition 6. We say that there is a variable semi-black-box reduction P =⇒ Q iff for
any correct implementation f of Q:
(C) there exists a poly-time oracle machine Pf that correctly implements P;
(S) for every instance f ∈ Q and for any poly-time oracle machine A, there exists a
poly-time oracle machine B such that if Af breaks Pf , then Bf breaks f .
These reduction types form a linear hierarchy with fully black-box reductions being
the strongest and white-box reductions being the weakest. Existence of a reduction of
one type also trivially implies the existence of reductions of all weaker types. This
is important as it means that non-existence of a weaker reduction also implies nonexistence of all stronger reductions.
We note that the preceding reduction types are all well-defined for all four primitive
types. Moreover, it is worth noting that the definitions of randomized and stateful primitives are constructed in such a way that once the corresponding deterministic primitive
is fixed and the advantage function for it given, we obtain consistent security definitions
for all types of primitives and thus also the definitions for all types of reductions. Note
that a primitive as an instance of more complex primitive (e.g. deterministic primitive
as a randomized primitive) has exactly the same advantage as in the base case.
Since both randomized and stateful constructions also contain all the deterministic
primitives and the advantages stay the same when switching contexts, it is easy to show
that if no reduction is possible between deterministic primitives then also none can exist
for randomized or stateful cases—a reduction in one of these cases would have to hold
for the deterministic cases as well as they are a subset of both extensions. Analogously if
no reduction between two randomized or two stateful primitives can exist then clearly
no reduction can exist between randomized stateful primitives as any one for them
would imply the existence of one for both sub-classes (Fig. 1).
5 Classical Oracle Separations
Non-existence of black-box reductions does not rule out the existence of generic whitew
box reductions P =⇒ Q. However, the corresponding security proofs must utilize additional properties that cannot be deduced from an abstract description of the primitive.
Hence, non-existence of black-box reductions is a hardness indicator showing that it
is probably not possible to construct a primitive Q form a primitive P without using
additional assumptions about the structure of a primitive P.
The first such non-existence result in cryptography was proved by Impagliazzo and
Rudich [5]. They built an oracle relative to which key agreement does not exist but
one-way permutations do, thus showing the impossibility of black-box reductions of
3
They were called ∀∃-semi-black-box by Reingold et al.
Oracle Separation in the Non-uniform Model
237
key agreement to one-way permutations. There are many other such results known in
cryptography [8,4,3]. Many of these separation results actually proved non-existence of
variable semi-black-box reductions.
To establish non-existence of black-box reductions, one usually constructs an oracle
Of that securely implements the functionality of Q but contradicts the existence of the
desired reduction. To prove this, more than one type of functionality if often required
from the oracle. The functions can still be merged into a single oracle Of and we use the
shorthand Of = (f, g) do emphasize that this has been done. Now, simple negations of
the definitions of black-box reductions give the sufficient conditions for oracle separations. We give two theorems that are used the most often—the weakest and (practically)
the strongest.
Weak Separation (Hsiao-Reyzin [4]). Let Of = (f, g) be an oracle such that f securely
implements a primitive Q. Now if for every poly-time oracle machine P that implements
P when given oracle access to an implementation of Q, there is a poly-time oracle
machine Af,g that breaks Pf as an instance of P, then there are no fully black-box
f
reductions P =⇒ Q.
Strong Separation (Reingold et al. [7]). Let Of = (f ) be an oracle such that f securely implements a primitive Q. Now if for every poly-time oracle machine Pf that
implements P there is a poly-time oracle machine Af that breaks Pf as an instance of
v
P, then there exist no variable semi-black-box reductions P =⇒ Q.
For the weak separation, we can actually supply some extra functionality g along with
the f that can be used by S to help break Pf but to which P construction has no access.
This extra functionality is usually formalized as a separate oracle, but may actually be
thought of as a part of the primitive that is not covered by any functional or security
constraints and may thus be completely useless. As P has to be a general construction
that works for all possible f , it gains nothing by using that part of the primitive and
we may just as easily assume it doesn’t use it. However, the adversary construction
might try to use it, and as we are interested in helping the adversary along, we provide
information useful to him through that part. Since P has no access to it we do not have
to analyze how g might help us in constructing a secure instance of P. This is actually
the main difference between the two separation results.
For the strong separation result, we can still give this extra functionality g in theory.
However, it must be embedded into the calls of f , that is, there must exist a poly-time
oracle machine Wf that implements g. As Reingold et al. [7] demonstrate, this can usually be done and is not really a strong limiting factor. However, the extra functionality g
could possibly be used to increase the security of P and whether this extra help can still
be bounded is what usually determines whether a variable semi-black-box reduction
can be ruled out or not.
The same reduction theorems hold equally well for all the four primitive classes.
As an oracle is used in the place of the original primitive, this also means that using a deterministic oracle rules out the reduction in the deterministic case and using a
randomized oracle rules it out for the randomized case. The corresponding hierarchy
of non-existence results is depicted in Figure 1. Note that non-existence of black-box
reductions for deterministic primitives naturally implies the non-existence of such a
238
A. Buldas, S. Laur, and M. Niitsoo
Randomized
stateful
primitives
Randomized
primitives
T1
–T
3
Stateful
primitives
Deterministic
primitives
.A
p
Ap
Fig. 1. Hierarchy of primitive types with respect to non-existence of reductions
reduction for all other primitive types and thus deterministic oracle constructions provide the strongest negative results. This is probably the reason why all the preceding
work in this field has concentrated on finding a fixed deterministic oracle for the separation theorems. However, in the following we prove that non-existence results for
deterministic and randomized primitives are actually equivalent in many cases and thus
oracle separations using randomized oracles (or a family of oracles) are often just as
powerful as the ones that fix one deterministic oracle.
6 Oracle Extraction Techniques
In practice it is generally difficult to construct deterministic separation oracles. Hence,
most separation results are based on randomized instances Of , which are later converted
to deterministic instances by a clever choice of random coins. In this section, we show
the limitation of such an oracle extraction methodology. Recall that for a randomized
primitive f the advantage is always defined as an average over the randomness space
R. Now, given a randomized oracle construction Of that refutes the existence of some
type of black-box reduction, we need to fix the coins r so that the resulting oracle
∗
O∗f would still provide a secure instance f ∗ ∈ Q but on the construction Pf would
be rendered insecure. This is always possible for fully black-box and semi-black-box
reductions provided that we consider uniform adversaries. The corresponding proof
uses the countability of uniform algorithms and the fundamental Borel-Cantelli lemma
from probability theory.
Lemma 1 (Borel,Cantelli). Let E1 , E2 , E3 , E4 , . . . be a countably infinite sequence of
events.
Let E∞ denote the event that infinitely many of these events take place. If
n Pr [En ] < ∞ then Pr [E∞ ] = 0.
Theorem 1. If we consider security against uniform adversaries, the existence of fully
black-box and (both) semi-black-box reductions for randomized primitives implies the
corresponding existence results for deterministic primitives and vice versa.
Proof. For brevity, we prove the statement of the theorem only for weak semi-blackws
box reductions P =⇒ Q, since the analysis of the other cases is analogous. The simple
Oracle Separation in the Non-uniform Model
239
ws
negation of the definition of P =⇒ Q gives us that either we cannot construct P from Q
at all, or there exists a secure primitive f such that some poly-time adversary A breaks
Pf . The non-constructibility for randomized primitives trivially implies the existence
of deterministic implementations f (r, ·) that cannot be converted to P.
Hence, we have to analyze only the case when f is secure but A can break Pf . This
means that for a subsequence (kn ) ⊂ N the corresponding advantage is A DVP
kn (f, A) ≥
knα . For clarity, assume that each security parameter k, the primitive f uses a different
randomness space Rk . Then for each kn , we can consider a restricted set of random
coins
P
f
f (r,·)
(P
,
A)
≤
2
·
A
DV
(P
,
A)
.
R◦kn = r ∈ Rkn : A DVP
kn
kn
Let Of be a modified primitive that uses the original randomness space Rk for instances
k∈
/ {kn } and corresponding randomness space R◦kn otherwise. Then
A DVQ
kn (Of , B) ≤
A DVQ
2 · A DVQ
nn (f, B)
kn (f, B)
,
≤
◦
knα
Pr r ← Rkn : r ∈ Rkn
◦
α
as A DVQ
nk (·) is a non-negative function and Pr r ← Rkn : r ∈ Rkn ≥ kn /2 . Thus,
the modified primitive Of is still secure as an instance of the primitive Q.
Next, we will fix the randomness r ∈ R◦1 × R◦2 × · · · =: R∗ so that the resulting
deterministic primitive Orf (·) = Of (r, ·) remains secure. For that, it is sufficient to show
that there exist r ∈ R∗ and a constant k0 such that A DVk (Orf , B) ≤ k 2 · A DV k (Of , B)
r
2
for all k > k0 . Let Ek denote the event that A DV Q
k (Of , B) > k · A DV k (Of , B). Then
Q
the event E∞ means that we cannot find k0 such that A DVk (Orf , B) ≤ k 2 ·A DVk (Of , B)
for k > k0 . From the Markov inequality it then follows that
k
1
Q
r
2
Pr [Ek ] =
Pr r ← R∗ : A DV Q
(O
,
B)
>
k
·A
DV
(O
,
B)
≤
<∞ .
f
k
k
f
k2
k
k
Consequently, Lemma 1 implies Pr [E∞ ] = 0. In other words, for each oracle machine
B the set of bad coins RB := {r ∈ R : E∞ holds} has measure zero. As there are only
countably many uniform machines B, the set of all bad coins ∪B RB also has measure
zero. Hence, the set R0 = R\(∪B RB ) is non-empty and thus there exists Orf such
that for every uniform poly-time oracle machine B and for sufficiently large k we have
A DVk (Orf , B) ≤ k 2 · A DV k (Of , B) = k −ω(1) . On the other hand, for any r ∈ R∗ the
r
construction POf is still insecure against A due to the amplification step and we thus
have a contradiction for deterministic primitives.
Note that the proof does not generalize to variable semi-black-box reductions, since
then P is allowed to depend on f and in general it is impossible to find a non-empty
subspace Rnk (where the adversary is guaranteed to be roughly as successful as on average) for all possible constructions P and thus the amplification step can fail. On the other
hand, the oracle extraction step is always applicable. Consequently, we can still use
Or
f , A) =
randomized oracle constructions Of as long as we can guarantee that A DV P
k (P
k −ω(1) for every r ∈ R.
240
A. Buldas, S. Laur, and M. Niitsoo
Non-equivalence in the Non-uniform Security Model. Note that the proof of Theorem 1 holds only if the set of potential adversaries is countable. In the non-uniform
model this no longer holds. As it turns out, there are cases where separation on average
holds in the non-uniform model but it will vanish just as the oracle becomes fixed. As
an illustrative example, consider a “password” protected self-defeating implementation
of a primitive. In principle we are able to define an auxiliary function breakf for almost
any useful primitive Q relative to which f is totally insecure. Moreover, we may add the
functionality breakf to the primitive so that it is protected with “passwords”. Namely,
let Of = (f, g) be a randomized oracle for which f is a secure instance of Q. For g
k
part, we use the randomness to generate an advice string ak ← {0, 1} and then define
g(ak , x) = breakf (x) and g(y, x) = 0 for every y = ak . Then on average f remains
secure, since the probability of correctly guessing the ak is negligible. On the other
hand, if we fix random coins ak , then the non-uniform adversary A with advice ak can
trivially break f .
7 Oracle Separation for Poly-preserving Reductions
One more crucial obstacle for generalizing the separation results to non-uniform reductions is the guarantee condition of the reduction. In the definitions of the reductions
the guarantee condition is too weak—much weaker than what is usually expected when
constructing practical reductions. We will now strengthen the definitions which allows
us to prove the equivalence of non-existence results in the non-uniform model.
Definition 7 (Poly-preserving reductions). We say that a reduction P =⇒ Q is polypreserving if the corresponding mapping A → B in the security guarantee (S) decreases
the advantage by at most a polynomial amount, i.e., there exists c ≥ 1 (the same for all
f and A) such that
c
P
f
.
A DV Q
k (f, B) ≥ A DV k (P , A)
The definition is not too restrictive—for most common reductions, the coefficient c is
between 1 and 2. In fact, the authors are not aware of any reductions that are not polypreserving. Moreover, one is usually concerned with the tightness of the reduction and
thus tries to minimize c. Actually, we do not have to use the power function (·)c —any
convex-cup function that leaves negligible functions negligible will do.
Theorem 2. For poly-preserving reductions, the existence of fully black-box or strong
semi-black-box reductions for randomized primitives implies the corresponding existence results for deterministic primitives and vice versa.
Proof. Obviously any reduction for randomized primitives must also work for the deterministic primitives. Hence, we must consider only the opposite implication. We do
the proof for strong semi-black-box reductions, as the proof for the fully black-box case
is analogous. Assume that there exists a reduction from P to Q for deterministic primitives. Then this reduction can be generalized to randomized primitives. Obviously, Pf
is still a correct implementation of P as Pf (r,·) ∈ P for each r ∈ R. For each adversary
Oracle Separation in the Non-uniform Model
241
A, we can still use the adversary B offered by the deterministic reduction. However,
since the primitive is randomized, we have to re-estimate the advantage
c Q
P
f
r
A
A
A DV Q
(f,
B)
=
E
DV
(f
(r,
·),
B)
≥
E
DV
(P
(r,
·),
A)
k
k
k
r∈Rf
r∈Rf
c c
Pr
f
f
≥
E A DVP
(P
(r,
·),
A)
=
A
DV
(P
,
A)
,
k
k
r∈Rf
where the first inequality follows form the deterministic security guarantee and the second follows from Jensen inequality. The claim follows, as reductions for deterministic
and randomized primitives exist simultaneously.
Sadly, this proof method already fails for weak semi-black-box reductions as it is essential that B is the same for all f (r, ·) and this is not guaranteed by any of the weaker
reductions. However, it still allows us to generalize many of the known non-existence
results to the non-uniform setting.
We note that this approach cannot directly be generalized to stateful oracle constructions. There exists an explicit counterexample (see appendix A), where separation
for stateful primitives does not imply a separation for deterministic functions. At first
glance, the stateful case seems harder to analyze, but it would be interesting to know if
anything at all similar could be shown for it.
Inherently Random Primitives. There are some primitives that are inherently random,
like encryption, message authentication and key exchange. We can still view them as
deterministic constructions f (r, x) by treating randomness r ∈ R◦ as an auxiliary argument. However, the corresponding security game that defines the advantage A DV P (·)
must then initialize this randomness within the game. Again, the advantage is first defined for the game with fixed r and then generalized as an average over the distribution
R◦ . As a result, the construction of any algorithm A is independent of the fixed r ∈ R◦
in the particular case. For such primitives, there is no difference whether we consider
randomized or deterministic primitives as we can pack the extra randomness into R◦ .
In that case, the corresponding randomized primitive can be viewed as a deterministic
one where the randomness required is given to it within the security game. If the game
has many different calls to the primitive, we have to make sure that randomness is used
only in the parts where it is actually supplied. However, if we account for that, we again
have an equivalence result.
Theorem 3. For inherently random primitives, the existence of any type of reductions
for randomized primitives implies the corresponding existence results for deterministic
primitives and vice versa provided that the use of randomness is consistent with the
security game.
8 Practical Separations
As a direct corollary of theorems 1 and 2 we get:
242
A. Buldas, S. Laur, and M. Niitsoo
Theorem 4. If for every deterministic poly-time oracle machine P and every probabilistic poly-time oracle-machine A there is a distribution R of oracle pairs Of = (f, g)
such that for infinitely many k
(1) f implements Q, for all Of ∈ R;
(2) if Pf ∈ P for all Of ∈ R then EOf ←R A DVk (g, Pf ) = k −ω(1) .
(3) EOf ←R A DV k (Ag,f , f ) = k −ω(1) ;
then there exist no uniform fully-black-box reductions and no (potentially non-uniform)
poly-preserving reductions of P to Q. Furthermore, if g can be embedded into f (so that
Of = (f ) and g can be efficiently computed from f and the algorithm for doing so does
not depend on Of or A), then there are no strong semi-black-box reductions between
them, neither uniform nor non-uniform poly-preserving.
Proof. Just note that the conditions together imply the non-existence of a reduction
(either fully black-box or strongly semi-black-box) from Pr to Qr . Then theorems 1 and
2 imply that such reductions also cannot exist in the deterministic case, that is from P
to Q. As the deterministic case is the strongest, this also rules out the reductions in the
other classes.
These results allow us to generalize many known non-existence results into the nonuniform model. The generalization itself is usually rather straightforward, as the proofs
generally study the average case behavior sufficiently before extracting the oracle.
9 Generalizing the Known Constructions
The non-existence theorems in cryptology can roughly be divided into three different
categories.
Classical. These are the classical non-existence results such as the one given by Impagliazzo and Rudich [5] and the one by Gertner et al. [3]. Reductions are made just
by constructing one oracle or oracle family and then showing that in the relativized
world that it creates, Q exists but P does not. As the concept of the reduction is simple and generally only rules out fully black-box reductions, they can nearly trivially be
generalized to the non-uniform model.
Specific. These are the results starting with the work of Simon [8] and continued by
Hsiao and Reyzin [4] and Reingold et al. [7]. They noticed that stronger results can be
obtained by using more involved reduction techniques like embedding or using different
oracles for the construction and the adversary. In these cases the generalization may not
be as trivial as it was for the first type, but it can still usually be done. However, as our theorems are limited to strong semi-black-box reductions, we cannot prove anything below
that bar in the non-uniform model except in the cases that are inherently randomized.
Efficiency Bounds. These are the results [1,2] starting with Kim, Simon and Tetali [6]
that do not rule out reductions but rather say something about their efficiency. They
Oracle Separation in the Non-uniform Model
243
usually still fit within the model first proposed by Impagliazzo and Rudich, but focus
more on exact bounds on security and runtime. As our theorems work in the asymptotic
model, the results would also first need to be translated into this framework before the
theorems could be applied. However, the authors of this paper see no inherent reasons
why this could not be done.
In most cases, some modifications need to be made before our theorems can be applied.
First of all, not all the results listed above use Borel-Cantelli lemma or even oracles
explicitly. If this is the case, they are usually implicitly somewhere in the proofs. For
instance, Kim et al. [6] get a contradiction by showing that a construction for a one-way
function exists that uses no oracles, unless their claim holds. This proof can be made
unconditional by adding a PSPACE oracle to get a world where P = NP and the
existence of a one-way function would actually be a contradiction [5].
Also, the oracle constructions are usually made in such a way that the oracle does
not implement the primitive Q directly but rather a secure instance can be implemented
efficiently with its help. This is usually done to simplify the proof that no secure P can
be constructed with these oracles. However, if this is the case, no secure instance of
P could be obtained from the resulting instance of Q either. Therefore, we can always
assume that the oracle implements the primitive functionality directly, with the other
functions either being embedded or used as a separate oracle g.
10 Conclusions
We showed that oracle separation can be used in the non-uniform model with minor
restrictions that should hold for almost all practical separations anyway. Still, it seems
that with our proof techniques we cannot go below strong semi-black-box reductions
in the non-uniform model. This boundary occurs in a curious place—in between two
semi-black-box reductions, which have not even been clearly differentiated in previous
works. To overcome this barrier is an open problem.
To mention some implications of our work, it follows from [8] that there exist no
(non-uniform) strong semi-black-box reductions from collision-free functions to oneway permutations and from [5,7] that there are no strong semi-black-box reductions
from key agreement to one-way permutations.
It would be interesting to know if something similar (to our results) can be proven
for stateful constructions. The initial results in this direction are not quite promising but
there may still be some clever transformations that might work.
References
1. Gennaro, R., Gertner, Y., Katz, J.: Lower bounds on the efficiency of encryption and digital
signature schemes. In: Proceedings of the thirty-fifth annual ACM symposium on Theory of
computing, pp. 417–425 (2003)
2. Gennaro, R., Gertner, Y., Katz, J., Trevisan, L.: Bounds on the efficiency of generic cryptographic constructions. SIAM journal on Computing 35, 217–246 (2006)
3. Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The relationship between
public key encryption and oblivious transfer. In: 41st Annual Symposium on Foundations of
Computer Science, Redondo Beach, California, November 2000, pp. 325–335 (2000)
244
A. Buldas, S. Laur, and M. Niitsoo
4. Hsiao, C.Y., Reyzin, L.: Finding Collisions on a Public Road, or Do Secure Hash Functions
Need Secret Coins? In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 92–105.
Springer, Heidelberg (2004)
5. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations.
In: Proc. of the Twenty First Annual ACM Symp. on Theory of Comp., pp. 44–61 (1989)
6. Kim, J.H., Simon, D.R., Tetali, P.: Limits on the efficiency of one-way permutation-based hash
functions. In: Proc. of the 40th Annual Symposium on Foundations of Computer Science,
pp. 535–542 (1999)
7. Reingold, O., Trevisan, L., Vadhan, S.: Notions of reducibility between cryptographic primitives. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 1–20. Springer, Heidelberg (2004)
8. Simon, D.: Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based
on General Assumptions? In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403,
pp. 334–345. Springer, Heidelberg (1998)
A Stateful Primitives
A stateful function f : S × {0, 1}∗ → S × {0, 1}∗ where S is the state space and
f (s, x) = (t, y) is accessed as a function fˆs : {0, 1}∗ → {0, 1}∗ where fˆs (x) = y.
Then s and t are the state of the function before and after that access, respectively. We
assume, that in the beginning the state is the empty string and after each call the state
is altered to whatever the stateful function says in the output. As a next step, we must
generalize the advantage function A DV P (·) consistently for stateful instances f ∈ P.
Usually, this step is trivial, as the security game that defines the advantage can also
handle stateful primitives. Otherwise, we have to extend A DV P (·) so that for all stateful
functions f so that for all stateless functions it coincides with the definition for deterministic functions. Secondly, we must generalize the notion of functional requirements.
For that, we need a concept of trace trx (f ), which is just a deterministic function g that
behaves identically on calls x = (x1 , . . . , xk ).
Definition 8 (Stateful primitive). Let P be a deterministic primitive. Then the corresponding stateful primitive Ps is the set Ps = {f : S × {0, 1}∗ → S × {0, 1}∗|∀x ∈
s
{0, 1}∗∗ : trx (f ) ∈ P}. The advantage A DVP
k (f, A) is defined analogously to the
deterministic primitives.
Non-Equivalence Results for Stateful Primitives. It is straightforward to see that
non-existence of a certain black-box reduction does not imply the corresponding nonexistence result for deterministic primitives. As an example, recall that collision resistance implies one-wayness for compressing functions. The latter is not true for the
stateful primitives, since we can define the following oracle Of . Let g be the corresponding extra functionality that is embedded into f . Then the oracle answers only two calls
of g. As the first query, the adversary A can send the construction of P to Of . Since it is
finite it can be encoded as an argument of g. As a second call the adversary A can query
(POf )−1 (x). The oracle replies only if no queries to f are made. Now for obvious reasons no Pf can possibly be a secure one-way function if the adversary is allowed access
to g, yet f still remains collision resistant. Note that embedding g into f is trivial as we
can use two fixed input values x0 and x1 to transfer information to Of .