We present a cryptographic primitive \({\mathcal {P}}\) satisfying the following properties:

• Rudich’s seminal impossibility result (PhD thesis ’88) shows that \({\mathcal {P}}\) cannot be used in a black-box manner to construct an injective one-way function.

• \({\mathcal {P}}\) can be used in a non-black-box manner to construct an injective one-way function assuming the existence of a hitting-set generator that fools deterministic circuits (such a generator is known to exist based on the worst-case assumption that \(\text{ E } = \text{ DTIME }(2^{O(n)})\) has a function of deterministic circuit complexity \(2^{\Omega (n)}\)). The non-black box aspect of our construction only requires a bound on the size of \({\mathcal {P}}\)’s implementation.

• Augmenting \({\mathcal {P}}\) with a trapdoor algorithm enables a non-black-box construction of an injective trapdoor function (once again, assuming the existence of a hitting-set generator that fools deterministic circuits), while Rudich’s impossibility result still holds.

The primitive \({\mathcal {P}}\) and its augmented variant can be constructed based on any injective one-way function and on any injective trapdoor function, respectively, and they are thus unconditionally essential for the existence of such functions. Moreover, \({\mathcal {P}}\) can also be constructed based on various known primitives that are secure against related-key attacks (e.g., pseudorandom functions), thus enabling to base the strong structural guarantees of injective one-way functions on the strong security guarantees of such primitives. Our application of derandomization techniques is inspired mainly by the work of Barak, Ong and Vadhan (CRYPTO ’03), which on one hand relies on any one-way function, but on the other hand only results in a non-interactive perfectly binding commitment scheme (offering significantly weaker structural guarantees compared to injective one-way functions) and does not seem to enable an extension to public-key primitives. The key observation underlying our approach is that Rudich’s impossibility result applies not only to one-way functions as the underlying primitive, but in fact to a variety of “unstructured” primitives. We put forward a condition for identifying such primitives, and then subtly tailor the properties of our primitives such that they are both sufficiently unstructured in order to satisfy this condition, and sufficiently structured in order to yield injective one-way and trapdoor functions. This circumvents the basic approach underlying Rudich’s long-standing evidence for the difficulty of constructing injective one-way functions (and, in particular, injective trapdoor functions) based on seemingly weaker or unstructured assumptions.

我们提出了一个密码原语\({\mathcal {P}}\)满足以下属性：

• Rudich 开创性的不可能结果（博士论文 '88）表明\({\mathcal {P}}\)不能以黑盒方式使用来构造单向单射函数。

• \({\mathcal {P}}\)可以以非黑盒方式使用来构造单向单向函数，假设存在一个欺骗确定性电路的命中集生成器（这种生成器已知存在基于最坏情况假设\(\text{ E } = \text{ DTIME }(2^{O(n)})\)具有确定性电路复杂度的函数\(2^{\Omega (n )}\) )。我们构造的非黑盒方面只需要\({\mathcal {P}}\)实现的大小的界限。

• 使用陷门算法增强\({\mathcal {P}}\)可以实现单射陷门函数的非黑盒构造（再次假设存在一个可以愚弄确定性电路的命中集生成器），而 Rudich 的不可能的结果仍然成立。

原语\({\mathcal {P}}\)及其增强变体可以分别基于任何单射单向函数和任何单射陷门函数构建，因此它们对于此类函数的存在是无条件的。此外，\({\mathcal {P}}\)也可以基于对相关密钥攻击安全的各种已知原语（例如，伪随机函数）来构造，从而能够将单向函数的强结构保证建立在此类原语的强安全保证上。我们对去随机化技术的应用主要受到 Barak、Ong 和 Vadhan (CRYPTO '03) 工作的启发，他们一方面依赖于任何单向函数，但另一方面只会导致非交互式完美绑定承诺方案（与内射单向函数相比，提供明显更弱的结构保证）并且似乎无法扩展公钥原语。我们的方法背后的关键观察是 Rudich 的不可能结果不仅适用于作为底层原语的单向函数，但实际上是各种“非结构化”原语。我们提出了识别这些基元的条件，然后巧妙地调整我们的基元的属性，使它们既足够非结构化以满足这一条件，又足够结构化以产生单向单向和陷门函数。这绕过了 Rudich 长期证据的基本方法，即基于看似较弱或非结构化的假设构建单向单向函数（尤其是单向单向函数）的困难性。并且足够结构化以产生单向和陷门函数。这绕过了 Rudich 长期证据的基本方法，即基于看似较弱或非结构化的假设构建单向单向函数（尤其是单向单向函数）的困难。并且足够结构化以产生单向和陷门函数。这绕过了 Rudich 长期证据的基本方法，即基于看似较弱或非结构化的假设构建单向单向函数（尤其是单向单向函数）的困难性。