Limits on the E ciency of One-Way Permutation-Based Hash Functions

Naor and Yung show that a one-bit-compressing universal one-way hash function (UOWHF) can be constructed based on a one-way permutation. This construction can be iterated to build a UOWHF which compresses by "n bits, at the cost of "n invocations of the one-way permutation. We show that this construction is not far from optimal, in the following sense: there exists an oracle relative to which there exists a one-way permutation with inversion probability 2 ?p(n) (for any p(n) 2 !(log n)), but any construction of an n-bit-compressing UOWHF requires (p n=p(n)) invocations of the one-way 1 permutation, on average. (For example, there exists in this relativized world a one-way permutation with inversion probability n ?!(1) , but no UOWHF that invokes it fewer than (p n= log n) times.) Thus any proof that a more eecient UOWHF can be derived from a one-way permutation is necessarily non-relativizing; in particular, no provable construction of a more eecient UOWHF can exist based solely on a \black box" one-way permutation. This result can be viewed as a partial justiication for the practice of building eecient UOWHFs from stronger primitives (such as collision-intractable hash functions), rather than from weaker primitives such as one-way permutations.