Limits on the efficiency of one-way permutation-based hash functions

Naor and Yung (1989) show that a one-bit-compressing universal one-way hash function (UOWHF) can be constructed based on a one-way permutation. This construction can be iterated to build a UOWHF which compresses by /spl epsiv/n bits, at the cost of /spl epsiv/n invocations of the one-way permutation. The show that this construction is not far from optimal, in the following sense, there exists an oracle relative to which there exists a one-way permutation with inversion probability 2/sup -p(n)/ (for any p(n)/spl isin//spl omega/(log n)), but any construction of an /spl epsiv/n-bit-compressing UOWHF. Requires /spl Omega/(/spl radic/n/p(n)) invocations of the one-way permutation, on average. (For example, there exists in this relativized world a one-way permutation with inversion probability n/sup -/spl omega/(1)/, but no UOWHF that involves it fewer than /spl Omega/(/spl radic/n/log n) times.) Thus any proof that a more efficient UOWHF can be derived from a one-way permutation is necessarily non-relativizing; in particular, no provable construction of a more efficient UOWHF can exist based solely on a "black box" one-way permutation. This result can be viewed as a partial justification for the practice of building efficient UOWHFs from stronger primitives (such as collision intractable hash functions), rather than from weaker primitives such as one-way permutations.