##
**Limits on the provable consequences of one-way permutations.**
*(English)*
Zbl 0718.68042

Advances in cryptology - Crypto ’88, Proc. Conf., Santa Barbara, CA/USA 1988, Lect. Notes Comput. Sci. 403, 8-26 (1990).

Summary: We present strong evidence that the implication, “if one-way permutations exist, then secure secret key agreement is possible”, is not provable by standard techniques. Since both sides of this implication are widely believed true in real life, to show that the implication is false requires a new model.

We consider a world where all parties have access to a black box for a randomly selected permutation. Being totally random, this permutation will be strongly one-way in a provable, information-theoretic way. We show that, if \(\text{P}=\text{NP}\), no protocol for secret key agreement is secure in such a setting. Thus, to prove that a secret key agreement protocol which uses a one-way permutation as a black box is secure is as hard as proving \(\text{P}\neq \text{NP}\).

We also obtain, as a corollary, that there is an oracle relative to which the implication is false, i.e., there is a one-way permutation, yet secret-exchange is impossible. Thus, no technique which relativizes can prove that secret exchange can be based on any one-way permutation. Our results present a general framework for proving statements of the form, “Cryptographic application X is not likely possible based solely on complexity assumption Y.”

[For the entire collection see Zbl 0709.00023.]

We consider a world where all parties have access to a black box for a randomly selected permutation. Being totally random, this permutation will be strongly one-way in a provable, information-theoretic way. We show that, if \(\text{P}=\text{NP}\), no protocol for secret key agreement is secure in such a setting. Thus, to prove that a secret key agreement protocol which uses a one-way permutation as a black box is secure is as hard as proving \(\text{P}\neq \text{NP}\).

We also obtain, as a corollary, that there is an oracle relative to which the implication is false, i.e., there is a one-way permutation, yet secret-exchange is impossible. Thus, no technique which relativizes can prove that secret exchange can be based on any one-way permutation. Our results present a general framework for proving statements of the form, “Cryptographic application X is not likely possible based solely on complexity assumption Y.”

[For the entire collection see Zbl 0709.00023.]

### MSC:

68Q25 | Analysis of algorithms and problem complexity |

68P25 | Data encryption (aspects in computer science) |

94A60 | Cryptography |