Limits on the efficiency of one-way permutation-based hash functions

Naor and Yung (1989) show that a one-bit-compressing universal one-way hash function (UOWHF) can be constructed based on a one-way permutation. This construction can be iterated to build a UOWHF which compresses by εn bits, at the cost of εn invocations of the one-way permutation. The show that this construction is not far from optimal, in the following sense, there exists an oracle relative to which there exists a one-way permutation with inversion probability 2 ^-p(n) (for any p(n)∈ω(log n)), but any construction of an εn-bit-compressing UOWHF. Requires Ω(√n/p(n)) invocations of the one-way permutation, on average. (For example, there exists in this relativized world a one-way permutation with inversion probability n^-ω(1), but no UOWHF that involves it fewer than Ω(√n/log n) times.) Thus any proof that a more efficient UOWHF can be derived from a one-way permutation is necessarily non-relativizing; in particular, no provable construction of a more efficient UOWHF can exist based solely on a “black box” one-way permutation. This result can be viewed as a partial justification for the practice of building efficient UOWHFs from stronger primitives (such as collision intractable hash functions), rather than from weaker primitives such as one-way permutations