Limits on the Efficiency of One-Way Permutation-Based Hash Functions

Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF) can be constructed based on a one-way permutation. This construction can be iterated to build a UOWHF which compresses by εn bits, at the cost of εn invocations of the one-way permutation. We show that this construction is not far from optimal, in the following sense: there exists an oracle relative to which there exists a oneway permutation with inversion probability 2 (for any p(n) ∈ ω(log n)), but any construction of an εn-bit-compressing UOWHF requires Ω( √ n/p(n)) invocations of the one-way permutation, on average. (For example, there exists in this relativized world a one-way permutation with inversion probability n, but no UOWHF that invokes it fewer than Ω( √ n/ log n) times.) Thus any proof that a more efficient UOWHF can be derived from a one-way permutation is necessarily non-relativizing; in particular, no provable construction of a more efficient UOWHF can exist based solely on a “black box” one-way permutation. This result can be viewed as a partial justification for the practice of building efficient UOWHFs from stronger primitives (such as collision-intractable hash functions), rather than from weaker primitives such as one-way permutations.