Inaccessible Entropy II: IE Functions and Universal One-Way Hashing

This paper uses a variant of the notion of \emph{inaccessible entropy} (Haitner, Reingold, Vadhan and Wee, STOC 2009) to give an alternative construction and proof for the fundamental result, first proved by Rompel (STOC 1990), that \emph{Universal One-Way Hash Functions (UOWHFs)} can be based on any one-way function. We observe that a small tweak of any one-way function $f$ is already a weak form of a UOWHF: consider the function $F(x,i)$ that returns the $i$-bit-long prefix of $f(x)$. If $F$ were a UOWHF then, given a random $x$ and $i$, it would be hard to come up with $x'\neq x$ such that $F(x,i)=F(x',i)$. While this may not be the case, we show (rather easily) that it is hard to sample $x'$ with almost full entropy among all the possible such values of $x'$. The rest of our construction simply amplifies and exploits this basic property. Combined with other recent work, the construction of three fundamental cryptographic primitives (Pseudorandom Generators, Statistically Hiding Commitments and UOWHFs) out of one-way functions is now to a large extent unified. In particular, all three constructions rely on and manipulate computational notions of entropy in similar ways. Pseudorandom Generators rely on the well-established notion of pseudoentropy, whereas Statistically Hiding Commitments and UOWHFs rely on the newer notion of inaccessible entropy.


Introduction
Unlike the more common notions of computational entropy, e.g., pseudoentropy [15], which are only useful as a lower bound on the "computational entropy" of a distribution, accessible entropy is an upper bound on computational entropy. In particular, it measures the entropy (Shannon, or other types) of the distribution computed by a resource-bounded machine. The inaccessible entropy of the distribution is the gap between its (real) entropy and its accessible entropy. Inaccessible entropy was introduced by Haitner, Reingold, Vadhan, and Wee [10] as a means to give a simpler construction and proof of statistically hiding commitment from one-way functions (reproving the result of [9]), and to construct constant-round statistically hiding commitment from constant-round zero-knowledge proofs for NP. In this article we introduce a simpler variant of their notion to give an alternative construction and proof for the fundamental result, first proved by Rompel [26], that Universal One-Way Hash Functions (UOWHFs) can be based on one-way functions. In an additional result, we reprove the seminal result of Impagliazzo and Levin [18]: average-case hardness with respect to an arbitrary (though polynomially samplable) distribution implies average-case hardness with respect to the uniform distribution. The latter is proved using techniques similar to the ones we use to construct UOWHFs from one-way functions, where the source of this similarity is the use of a similar notion of inaccessible entropy. This draws an interesting connection between two seemingly separate lines of research: average-case complexity and universal one-way hash functions.
We start by discussing our construction of universal one-way hash functions, where the result about average-case complexity is described in Section 1.3. Universal one-way hash functions (UOWHFs), as introduced by Naor and Yung [23], are a weaker form of collision-resistant hash functions; a function family F is collision resistant if given a randomly chosen function f ∈ F, it is infeasible to find any pair of distinct inputs x, x ′ such that f (x) = f (x ′ ). UOWHFs only require target collision resistance, where the adversary must specify one of the inputs x before seeing the description of the function f . We give a formal definition.
Target Collision Resistance: the probability that a ppt (probabilistic polynomial-time) adversary A succeeds in the following game is negligible in k:

1. Let (x, state) R← A(1^k).

2. Let z R← {0,1}^k, and let F_z be the corresponding function in the family.

3. Let x' R← A(state, z).

4. A succeeds if x ≠ x' and F_z(x) = F_z(x'). 1

It turns out that this weaker security property suffices for many applications. The most immediate application given in [23] is secure fingerprinting, whereby the pair (f, f(x)) can be taken as a compact "fingerprint" of a large file x, such that it is infeasible for an adversary, seeing the fingerprint, to change the file x to x' without being detected. More dramatically, [23] also showed that UOWHFs can be used to construct secure digital signature schemes, whereas all previous constructions (with proofs of security in the standard model) were based on trapdoor functions (as might have been expected to be necessary due to the public-key nature of signature schemes). More recently, UOWHFs have been used in the Cramer-Shoup encryption scheme [8] and in the construction, from one-way functions, of statistically hiding commitment schemes [9,10].
Naor and Yung [23] gave a simple and elegant construction of UOWHFs from any one-way permutation. [28] generalized the construction of [23] to get UOWHFs from regular one-way functions. Rompel [26] gave a more involved construction to prove that UOWHFs can be constructed from an arbitrary one-way function, thereby resolving the complexity of UOWHFs (as one-way functions are the minimal complexity assumption for complexity-based cryptography, and are easily implied by UOWHFs); this remains the state of the art for arbitrary one-way functions. 2 While complications may be expected for constructions from arbitrary one-way functions (due to their lack of structure), Rompel's analysis also feels quite ad hoc. In contrast, the construction of pseudorandom generators from one-way functions in [15], while also somewhat complex, involves natural abstractions (e.g., pseudoentropy) that allow for modularity and a measure of what is being achieved at each stage of the construction.
In this paper, we give simpler constructions of UOWHFs from one-way functions, based on (a variant of) the recently introduced notion of inaccessible entropy of Haitner et al. [10]. In addition, one of our constructions achieves slightly better efficiency and security than Rompel's original construction.

Inaccessible entropy
For describing our construction, it will be cleaner to work with a variant of UOWHFs where there is a single shrinking function F : {0,1}^n → {0,1}^m (for each setting of the security parameter k) such that it is infeasible to find collisions with random inputs. So in our model an adversary A is given a uniformly random x R← {0,1}^n, outputs an x' such that F(x') = F(x), and succeeds 3 if x' ≠ x. Note that we can assume without loss of generality that x' = A(x) is always a preimage of F(x) (A has the option of returning x itself in case it does not find a different preimage); we refer to an algorithm A with this property as an F-collision finder.
Our construction is based on an information-theoretic view of UOWHFs. The fact that F is shrinking implies that there are many preimages x' of F(x) available to A. Indeed, if we consider

1 The R← notation is explained in Section 2.1. Namely, on security parameter 1^k, algorithm A first samples an element x in the function family input domain. Then, given (the description of) a function F_z uniformly drawn from the family, algorithm A has to find a collision with x: an element x' ≠ x that F_z maps to the same output value. To avoid discussing stateful algorithms, we do not allow A to keep a "state" between the game stages. Rather, we enable it to transfer information between the stages using the auxiliary string state.
2 More details of [26]'s proof are worked out, with some corrections, in [27,20]. 3 It is easy to convert any such function F into a standard UOWHF family by defining Fz(x) = F(z + x).
an (inefficient) adversary A(x) that outputs a uniformly random preimage x' R← F^{-1}(F(x)), and let X be a random variable uniformly distributed on {0,1}^n, then

H(A(X) | X) = H(X | F(X)),

where H(· | ·) denotes conditional Shannon entropy. (See Section 2 for more definitional details.) We refer to the quantity H(X | F(X)) as the real entropy of F^{-1}.
On the other hand, target collision resistance means that effectively only one of the preimages is accessible to A. That is, for every probabilistic polynomial-time F-collision finder A, we have Pr[A(X) ≠ X] = neg(n), which is equivalent to requiring that

H(A(X) | X) = neg(n)

for all probabilistic polynomial-time F-collision finders A. (If A can find a collision X' ≠ X with non-negligible probability, then it can achieve non-negligible conditional entropy by returning X' with probability 1/2 and returning X with probability 1/2.) We refer to the maximum of H(A(X) | X) over all efficient F-collision finders as the accessible entropy of F^{-1}. We emphasize that accessible entropy refers to an upper bound on a form of computational entropy, in contrast to the Håstad et al. [15] notion of pseudoentropy.
Thus, a natural weakening of the UOWHF property is to simply require a noticeable gap between the real and accessible entropies of F^{-1}. That is, for every probabilistic polynomial-time F-collision finder A, we have

H(A(X) | X) < H(X | F(X)) − ∆

for some noticeable ∆, which we refer to as the inaccessible entropy of F^{-1}.

Our UOWHF constructions
Our constructions of UOWHFs have two parts. First, we show how to obtain a function with noticeable inaccessible entropy from any one-way function. Second, we show how to build a UOWHF from any function with inaccessible entropy.
OWFs =⇒ inaccessible entropy. Given a one-way function f : {0, 1} n → {0, 1} m , we show that a random truncation of f has inaccessible entropy. Specifically, we define F(x, i) to be the first i bits of f (x).
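To make the objects concrete, the following toy sketch (with illustrative names and parameters throughout) implements F(x, i), a brute-force stand-in for a collision finder that samples uniformly among colliding inputs, and the bit-by-bit inverter that the analysis below builds from such a finder. The toy f is of course not one-way, which is irrelevant to the mechanics being illustrated.

```python
import random

random.seed(7)  # deterministic demo

n = 6  # toy input length; illustrative only

def f(x):
    """A toy function standing in for the one-way function."""
    return format((x * x + 3 * x + 1) % 2 ** n, '06b')

def F(x, i):
    """F(x, i) = the i-bit prefix of f(x)."""
    return f(x)[:i]

def A_ideal(x, i):
    """Brute-force stand-in for the hypothesized collision finder: a uniform
    sample from S(x, i) = {x' : f(x') and f(x) agree on the first i bits}."""
    return random.choice([x2 for x2 in range(2 ** n) if F(x2, i) == F(x, i)])

def Inv(y, tries=2000):
    """The inverter from the analysis: rebuild a preimage of y bit by bit,
    resampling from the collision finder until the next bit also agrees."""
    x = random.randrange(2 ** n)  # x_0: arbitrary starting point
    for i in range(1, n + 1):
        for _ in range(tries):
            cand = A_ideal(x, i - 1)  # agrees with y on the first i-1 bits
            if f(cand)[:i] == y[:i]:
                x = cand
                break
        else:
            return None  # corresponds to a negligible-probability failure
    return x

x_star = random.randrange(2 ** n)
x_found = Inv(f(x_star))
```

With the ideal (unbounded) finder the inverter succeeds with overwhelming probability; the point of the reduction is that an efficient finder with almost-maximal entropy would do just as well.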
To see that this works, suppose for contradiction that F does not have noticeable inaccessible entropy. That is, we have an efficient adversary A that on input (x, i) can sample from the set S(x, i) = {x' : f(x')_{1..i} = f(x)_{1..i}} with almost-maximal entropy, which is equivalent to sampling according to a distribution that is statistically close to the uniform distribution on S(x, i). We can now use A to construct an inverter Inv for f that works as follows on input y: choose x_0 R← {0,1}^n, and then for i = 1, . . . , n generate a random x_i R← A(x_{i−1}, i − 1) subject to the constraint that f(x_i)_{1..i} = y_{1..i}. The latter step is feasible, since we are guaranteed that f(x_i)_{1..i−1} = y_{1..i−1} by the fact that A is an F-collision finder, and the expected number of trials needed to get agreement with y_i is at most roughly 2 (since y_i ∈ {0,1}, and f(x_i) is distributed statistically close to y). It is not difficult to show that when run on a random output Y of f, Inv produces an almost-uniform preimage of Y. This contradicts the one-wayness of f. Indeed, we only need f to be a distributional one-way function [19], whereby it is infeasible to generate almost-uniform preimages under f.

Inaccessible entropy =⇒ UOWHFs. Once we have a non-negligible amount of inaccessible entropy, we can construct a UOWHF via a series of standard transformations.
1. Repetition: By evaluating F on many inputs, we can increase the amount of inaccessible entropy from 1/poly(n) to poly(n). Specifically, we take F^t(x_1, . . . , x_t) = (F(x_1), . . . , F(x_t)) for t = poly(n). This transformation also has the useful effect of converting the real entropy of F^{-1} to real min-entropy: with very high probability over x R← ({0,1}^n)^t, the value F^t(x) has a large number of preimages.
2. Hashing Inputs: By hashing the input to F (namely taking F ′ (x, g) = (F(x), g(x)) for a universal hash function g), we can reduce both the real (min-)entropy and the accessible entropy so that (F ′ ) −1 still has a significant amount of real entropy, but has (weak) target collision resistance (on random inputs).
3. Hashing Outputs: By hashing the output to F (namely taking F ′ (x, g) = g(F(x))), we can reduce the output length of F to obtain a shrinking function that still has (weak) target collision resistance.
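The three transformations can be sketched as simple combinators; the functions below are illustrative placeholders (in the actual construction, g and h are drawn from universal hash families and become part of the function's key, and the parameters are set according to the entropy estimates):

```python
def repeat(F, t):
    """Step 1 (repetition): F^t(x_1,...,x_t) = (F(x_1),...,F(x_t)); multiplies
    the entropy gap by t and turns real Shannon entropy into min-entropy."""
    def Ft(xs):
        assert len(xs) == t
        return tuple(F(x) for x in xs)
    return Ft

def hash_inputs(F, g):
    """Step 2 (hashing inputs): F'(x) = (F(x), g(x)) for a universal hash
    function g; trims accessible entropy while leaving real entropy."""
    return lambda x: (F(x), g(x))

def hash_outputs(F, h):
    """Step 3 (hashing outputs): F'(x) = h(F(x)); shrinks the output."""
    return lambda x: h(F(x))

# Toy wiring of the three steps with placeholder functions:
F0 = lambda x: x % 8
Ft = repeat(F0, 3)
F1 = hash_inputs(F0, lambda x: x % 3)
F2 = hash_outputs(F0, lambda y: y % 2)
```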
There are two technicalities that occur in the above steps. First, hashing the inputs only yields weak target collision resistance; this is due to the fact that accessible Shannon entropy is an average-case measure and thus allows for the possibility that the adversary can achieve high accessible entropy most of the time. Fortunately, this weak form of target collision resistance can be amplified to full target collision resistance using another application of repetition and hashing (similar to [6]).
Second, the hashing steps require having a fairly accurate estimate of the real entropy. This can be handled similarly to [15,26], by trying all (polynomially many) possibilities and concatenating the resulting UOWHFs, at least one of which will be target collision resistant.
A more efficient construction. We obtain a more efficient construction of UOWHFs by hashing the output of the one-way function f before truncating. That is, we define F(x, g, i) = (g, g(f(x))_{1..i}). This function is in the spirit of the function that Rompel [26] uses as a first step, but our function uses a three-wise independent hash function instead of an n-wise independent one, and enjoys a simpler structure. 4 Our analysis of this function is simpler than Rompel's and can be viewed as providing a clean abstraction of what it achieves (namely, inaccessible entropy) that makes the subsequent transformation to a UOWHF easier.
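As a sketch of this function's shape (not of its analysis), one can instantiate the three-wise independent family with random quadratic polynomials over a prime field; the family, the prime, and the toy f below are illustrative choices, not ones mandated by the construction:

```python
import random

random.seed(0)
P = (1 << 61) - 1  # a Mersenne prime; arithmetic is over the field Z_P

def sample_g():
    """One illustrative 3-wise independent family over Z_P: random quadratic
    polynomials g_{a,b,c}(z) = a*z^2 + b*z + c mod P."""
    return tuple(random.randrange(P) for _ in range(3))

def g_prefix(g, z, i):
    """The first i bits of g(z), writing g(z) as a 61-bit string."""
    a, b, c = g
    return format((a * z * z + b * z + c) % P, '061b')[:i]

def F(f, x, g, i):
    """F(x, g, i) = (g, g(f(x))_{1..i}): hash f's output, then truncate."""
    return (g, g_prefix(g, f(x), i))

f_toy = lambda x: (x * x + 1) % 1000  # illustrative stand-in for a OWF
g = sample_g()
_, out5 = F(f_toy, 42, g, 5)
_, out20 = F(f_toy, 42, g, 20)
```

Note that varying i only changes how much of the same hashed output is kept, so the outputs for different i are prefixes of one another.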
We obtain improved UOWHF parameters over our first construction for two reasons. First, we obtain a larger amount of inaccessible entropy: (log n)/n bits instead of roughly 1/n^4 bits. Second, we obtain a bound on a stronger form of accessible entropy, which enables us to get full target collision resistance when we hash the inputs, avoiding the second amplification step.
The resulting overall construction yields better parameters than Rompel's original construction. A one-way function of input length n yields a UOWHF with output length O(n^7), slightly improving Rompel's bound of O(n^8). Additionally, we are able to reduce the key length needed: Rompel's original construction uses a key of length O(n^12), whereas our construction only needs a key of length O(n^7). If we allow the construction to utilize some nonuniform information (namely an estimate of the real entropy of F^{-1}), then we obtain output length O(n^5), improving Rompel's bound of O(n^6). For the key length, the improvement in this case is from O(n^7) to O(n^5). Of course, these bounds are still far from practical, but they illustrate the utility of inaccessible entropy in reasoning about UOWHFs, which may prove useful in future constructions (whether based on one-way functions or other building blocks).

Connection to average-case complexity
We use the notion of inaccessible entropy to reprove the following theorem of Impagliazzo and Levin [18], given in the realm of average-case complexity.

Theorem 1.2 (Impagliazzo and Levin [18], informal). Assume there exists an NP language that is hard on some (efficiently) samplable distribution for heuristics: every efficient algorithm fails to decide the language correctly on a noticeable part of the distribution. Then there exists a language in NP that is hard against heuristics on the uniform distribution.
Our proof follows to a large extent the footsteps of [18], where the main novelty is formulating the proof in the language of inaccessible entropy, and rephrasing it to make it resemble our proof of UOWHFs from one-way functions. This draws an interesting connection between two seemingly separate lines of research: average-case complexity and universal one-way hash functions.
As in [18], we prove Theorem 1.2 by proving its search variant: hardness of finding a witness on a samplable distribution implies hardness of finding a witness on the uniform distribution. Let (R, D) be an NP-search problem (i.e., R is an NP relation and D is a samplable distribution) that is hard to solve heuristically, and let D be the algorithm sampling instances according to D. For a family of pairwise independent hash functions G, consider the NP relation R' whose instances are pairs (g, i) with g ∈ G and i an index. Namely, a witness for an instance of R'_L (i.e., the language of R') consists of a random string x for D such that D(x) is in R_L and x is mapped to 0^i by the first i bits of g. While R'_L might not be hard on the uniform distribution (interpreted as the uniform distribution over pairs (g, i)), it is not hard to prove that the distribution is "somewhat hard". In particular, it happens noticeably often that i is the "right one for (R, D)"; meaning that for a fixed element y which might be in the language, exactly one x with D(x) = y satisfies g(x)_{1..i} = 0^i. Conditioned on this event, letting A(·)_x be the x part of the witness output by A, it is not hard to show that H(A(G, I)_x) is noticeably smaller than its information-theoretic maximum: for any efficient algorithm A that (assuming for simplicity) never fails to provide a correct witness,

H(A(G, I)_x) < H(X) − 1/poly(n),

where (G, I) is the parsing of a random string into a pair (g ∈ G, i) and X is a uniformly random input to D. Namely, the (accessible) entropy of A is smaller than the (real) entropy of D. Using means similar to those used to amplify the initial UOWHF constructions described in Section 1.2, the above gap can be amplified to induce hardness over the uniform distribution.

Perspective
The idea of inaccessible entropy was introduced in [10] for the purpose of constructing statistically hiding commitment schemes from one-way functions and from zero-knowledge proofs. There, the nature of statistically hiding commitments necessitated more involved notions of inaccessible entropy than we present here: inaccessible entropy was defined in [10] for interactive protocols, where one considers adversaries that try to generate next-messages or next-blocks of high entropy. (See [14] for a simpler notion of inaccessible entropy that suffices for the commitment-from-one-way-functions part.) Here, we are able to work with a much simpler form of inaccessible entropy (significantly simpler than the notion considered in [14] as well). The simplicity comes from the non-interactive nature of UOWHFs (and of solving NP problems), so we only need to measure the entropy of a single string output by the adversary. Thus, the definitions here can serve as a gentler introduction to the concept of inaccessible entropy.
On the other hand, the many-round notions from [10,14] allow for a useful "entropy equalization" transformation that avoids the need to try all possible guesses for the entropy. We do not know an analogous transformation for constructing UOWHFs. We also note that our simple construction of a function with inaccessible entropy by randomly truncating a one-way function (and its analysis) is inspired by the construction of an "inaccessible entropy generator" from a one-way function in [10].
Finally, with our constructions, the proof that one-way functions imply UOWHFs now parallels those of pseudorandom generators [15,12] and statistically hiding commitments [9,10], with UOWHFs and statistically hiding commitments using dual notions of entropy (high real entropy, low accessible entropy) to pseudorandom generators (low real entropy, high pseudoentropy).

Related work
UOWHFs. Katz and Koo [20] gave a complete write-up of Rompel's construction [26,27], with some corrections. Prior to our paper, Rompel's result represented the state of the art for UOWHFs from arbitrary one-way functions. Since the initial publication of this work in 2010 [11], there have been several improvements in the setting of regular one-way functions. Ames et al. [1] presented a more efficient construction of UOWHFs from (unknown) regular one-way functions. Barhum and Maurer [2] gave an even more efficient construction assuming the regularity of the one-way function is known, and Yu et al. [31] improved the result of [2], presenting an almost optimal construction (with respect to the known black-box impossibility results) of UOWHFs from known-regular one-way functions.
Average-case complexity. The notion of average-case complexity was first introduced by Levin [21]. We focus on the result of Impagliazzo and Levin [18], who show that if it is possible to use a polynomial-time sampler to pick average-case problems that are hard, then there is a different problem that is hard on average for the uniform distribution. We give a different perspective on that proof, and in particular highlight the connections to inaccessible entropy. A good overview of average-case complexity was given by Bogdanov and Trevisan [5].
Recently, Hubácek et al. [17] made a different, and very elegant, connection between constructing UOWHFs from OWFs and average-case hardness on the uniform distribution, showing that a solution to the first challenge implies a solution to the second one. Their approach is surprisingly simple: if OWFs exist, then UOWHFs also exist, which can be seen as a problem that is hard on the uniform distribution (given a UOWHF key and an input, find a colliding input). On the other hand, assuming OWFs do not exist, the sampler of a hard-on-the-average problem can without loss of generality be assumed to output its random coins (indeed, its coins can be sampled from its original output under the assumption that OWFs do not exist). So in both cases, a hard-on-the-average problem implies a hard-on-the-average problem with respect to the uniform distribution.

Organization of the paper
Formal definitions are given in Section 2, and the notion of inaccessible entropy used throughout the paper is defined in Section 3. In Section 4 we show how to use any one-way function to get a function with inaccessible entropy, and in Section 5 we use any function with inaccessible entropy to construct a UOWHF. Finally, our result for average-case complexity is described in Section 6.

Preliminaries
Most of the material in this section is taken almost verbatim from [10], and missing proofs can be found in that paper.

Notation
All logarithms considered here are in base two. For t ∈ N, we let [t] := {1, . . . , t}. We let poly denote the set of all polynomials, and let ppt stand for probabilistic polynomial time. Given a distribution D, we write d R← D to indicate that d is selected according to D. Similarly, given a finite set S, we write s R← S to indicate that s is selected according to the uniform distribution on S.

Random variables
Let X and Y be random variables taking values in a discrete universe U . We adopt the convention that when the same random variable appears multiple times in an expression, all occurrences refer to the same instantiation. For example, Pr[X = X] is 1. For an event E, we write X| E to denote the random variable X conditioned on E. The support of a random variable X is Supp(X) := {x : Pr[X = x] > 0}. X is flat if it is uniform on its support. For an event E, we write I(E) for the corresponding indicator random variable, i.e., I(E) is 1 when E occurs and is 0 otherwise.
We write SD(X, Y) to denote the statistical difference (also known as variation distance) between X and Y, i.e.,

SD(X, Y) := max_{T⊆U} |Pr[X ∈ T] − Pr[Y ∈ T]| = (1/2) · Σ_{u∈U} |Pr[X = u] − Pr[Y = u]|.

We say that X and Y are ε-close if SD(X, Y) ≤ ε and ε-far otherwise.
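As a quick sanity check, the statistical difference of small, explicitly given distributions can be computed directly (a minimal sketch; the dict representation is just for illustration):

```python
def statistical_difference(p, q):
    """SD(X, Y) = (1/2) * sum_u |Pr[X = u] - Pr[Y = u]|, for distributions
    given as dicts mapping outcomes to probabilities."""
    support = set(p) | set(q)
    return 0.5 * sum(abs(p.get(u, 0.0) - q.get(u, 0.0)) for u in support)
```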

Entropy measures
In this article we shall refer to several measures of entropy. The relation and motivation of these measures is best understood by considering a notion that we will refer to as the sample-entropy: for a random variable X and x ∈ Supp(X), we define the sample-entropy of x with respect to X to be the quantity

H_X(x) := log(1/Pr[X = x]).

The sample-entropy measures the amount of "randomness" or "surprise" in the specific sample x, assuming that x has been generated according to X. Using this notion, we can define the Shannon entropy H(X) and min-entropy H_∞(X) as follows:

H(X) := E_{x R← X}[H_X(x)]    and    H_∞(X) := min_{x∈Supp(X)} H_X(x).

We will also discuss the max-entropy H_0(X) := log(|Supp(X)|). The term "max-entropy" and its relation to the sample-entropy will be made apparent below. It can be shown that H_∞(X) ≤ H(X) ≤ H_0(X), with equality if and only if X is flat. Thus, saying H_∞(X) ≥ k is a strong way of saying that X has "high entropy", and H_0(X) ≤ k a strong way of saying that X has "low entropy".
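These measures are easy to compute exactly for small distributions; the following sketch (illustrative representation: a dict from outcomes to probabilities) also exhibits the chain H_∞(X) ≤ H(X) ≤ H_0(X), with equality on a flat distribution:

```python
from math import log2

def sample_entropy(p, x):
    """H_X(x) = log(1 / Pr[X = x])."""
    return log2(1.0 / p[x])

def shannon_entropy(p):
    """H(X) = E_{x <- X}[H_X(x)]."""
    return sum(px * sample_entropy(p, x) for x, px in p.items() if px > 0)

def min_entropy(p):
    """H_inf(X) = min over the support of H_X(x)."""
    return min(sample_entropy(p, x) for x, px in p.items() if px > 0)

def max_entropy(p):
    """H_0(X) = log |Supp(X)|."""
    return log2(sum(1 for px in p.values() if px > 0))

flat = {i: 0.25 for i in range(4)}          # flat: all three coincide
skewed = {0: 0.5, 1: 0.25, 2: 0.25}         # non-flat: strict inequalities
```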
Smoothed entropies. Shannon entropy is robust in that it is insensitive to small statistical differences. Specifically, if X and Y are ε-close then |H(X) − H(Y)| ≤ ε · log|U|. For example, if U = {0,1}^n and ε = ε(n) is a negligible function of n (i.e., ε = n^{−ω(1)}), then the difference in Shannon entropies is vanishingly small (indeed, negligible). In contrast, min-entropy and max-entropy are brittle and can change dramatically with a small statistical difference. Thus, it is common to work with "smoothed" versions of these measures, whereby we consider a random variable X to have high entropy if X is ε-close to some X' with H_∞(X') ≥ k, and to have low entropy if X is ε-close to some X' with H_0(X') ≤ k, for some parameter k and a negligible ε. 6 These smoothed versions of min-entropy and max-entropy can be captured quite closely (and more concretely) by requiring that the sample-entropy be large or small, resp., with high probability:

1. Suppose that with probability at least 1 − ε over x R← X, we have H_X(x) ≥ k. Then X is ε-close to a random variable X' such that H_∞(X') ≥ k.

2. Suppose that X is ε-close to a random variable X' such that H_∞(X') ≥ k. Then with probability at least 1 − 2ε over x R← X, we have H_X(x) ≥ k − log(1/ε).

(Analogous statements relate an upper bound on the sample-entropy to the smoothed max-entropy.) Think of ε as inverse polynomial or a slightly negligible function in n = log(|U|). The above statements show that, up to negligible statistical difference and a slightly super-logarithmic number of entropy bits, the min-entropy and the max-entropy are captured by a lower and an upper bound on sample-entropy, respectively.
Conditional entropies. We will also be interested in conditional versions of entropy. For jointly distributed random variables (X, Y) and (x, y) ∈ Supp(X, Y), we define the conditional sample-entropy to be H_{X|Y}(x | y) = log(1/Pr[X = x | Y = y]). Then the standard conditional Shannon entropy can be written as

H(X | Y) = E_{(x,y) R← (X,Y)}[H_{X|Y}(x | y)].

There is no standard definition of conditional min-entropy and max-entropy, or even of their smoothed versions. For us, it will be most convenient to generalize the sample-entropy characterizations of smoothed min-entropy and max-entropy given above. Specifically, we will think of X as having "high min-entropy" (resp., "low max-entropy") given Y if with probability at least 1 − ε over (x, y) R← (X, Y), we have H_{X|Y}(x | y) ≥ k (resp., H_{X|Y}(x | y) ≤ k).

Flattening Shannon entropy. The asymptotic equipartition property in information theory states that for a random variable X^t = (X_1, . . . , X_t), whose marginals X_i are independent, with high probability the sample-entropy H_{X^t}(X_1, . . . , X_t) is close to its expectation. In [15] a quantitative bound on this was shown by reducing it to the Hoeffding bound. (One cannot directly apply the Hoeffding bound, because H_X(X) does not have an upper bound, but one can define a related random variable that does.) We use a different bound here, which was proven in [16]. The bound has the advantage that it is somewhat easier to state, even though the proof is longer. We remark that the bound from [15] would be sufficient for our purposes.

1. Let X be a random variable taking values in a universe U, let t ∈ N, and let ε > 2^{−t}. Then with probability at least 1 − ε over x R← X^t,

|H_{X^t}(x) − t · H(X)| ≤ O(√(t · log(1/ε)) · log|U|).

2. Let X, Y be jointly distributed random variables where X takes values in a universe U, let t ∈ N, and let ε > 2^{−t}. Then with probability at least 1 − ε over (x, y) R← (X^t, Y^t),

|H_{X^t|Y^t}(x | y) − t · H(X | Y)| ≤ O(√(t · log(1/ε)) · log|U|).

The statements follow directly from [16, Thm 2].
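The flattening phenomenon is easy to observe empirically: for independent coordinates the sample-entropy of a tuple is the sum of per-coordinate sample-entropies, and its typical deviation from t · H(X) grows like √t rather than t. The following sketch (illustrative distribution and parameters) measures that deviation:

```python
import random
from math import log2

def flattening_deviation(p, t, trials, seed=0):
    """Average |H_{X^t}(x) - t*H(X)| over random tuples x <- X^t, for a
    distribution p given as a dict from outcomes to probabilities."""
    rng = random.Random(seed)
    outcomes = list(p)
    weights = [p[x] for x in outcomes]
    h = sum(w * log2(1.0 / w) for w in weights)  # H(X)
    devs = []
    for _ in range(trials):
        xs = rng.choices(outcomes, weights=weights, k=t)
        sample_h = sum(log2(1.0 / p[x]) for x in xs)  # H_{X^t}(x)
        devs.append(abs(sample_h - t * h))
    return sum(devs) / trials

dist = {0: 0.5, 1: 0.25, 2: 0.25}
avg_dev = flattening_deviation(dist, t=400, trials=200)
```

Here t · H(X) = 600 bits, while the typical deviation is on the order of √t ≈ 20 bits or less.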

Hashing
For n, m, t ∈ N, a family of functions F = {f : {0,1}^n → {0,1}^m} is t-wise independent if for every t distinct inputs x_1, . . . , x_t ∈ {0,1}^n, the random variables f(x_1), . . . , f(x_t) are independent and uniformly distributed over {0,1}^m when f is drawn uniformly from F. F is explicit if given the description of a function f ∈ F and x ∈ {0,1}^n, the value f(x) can be computed in time poly(n, m). F is constructible if it is explicit and there is a probabilistic polynomial-time algorithm that, given x ∈ {0,1}^n and y ∈ {0,1}^m, outputs a uniformly random f R← F conditioned on f(x) = y. It is well known that there are constructible families of t-wise independent functions in which choosing a function f R← F uses only t · max{n, m} random bits.
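For illustration, here is one standard constructible pairwise independent family, h(x) = Mx + b over GF(2), together with an empirical check of pairwise independence. This particular family uses (n + 1) · m random bits rather than the bit-optimal amount, and all parameters below are toy choices:

```python
import random

def sample_affine_hash(n, m, rng):
    """Pairwise independent family {0,1}^n -> {0,1}^m: h(x) = Mx + b over
    GF(2), with a uniformly random m-by-n matrix M and vector b."""
    rows = [rng.getrandbits(n) for _ in range(m)]
    b = rng.getrandbits(m)
    def h(x):
        y = 0
        for i, row in enumerate(rows):
            y |= (bin(row & x).count('1') & 1) << i  # parity of <row, x>
        return y ^ b
    return h

def empirical_pair_counts(n, m, x1, x2, samples, seed=0):
    """Frequency of each pair (h(x1), h(x2)) over freshly sampled h; pairwise
    independence says all 2^(2m) pairs should be (roughly) equally likely."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(samples):
        h = sample_affine_hash(n, m, rng)
        key = (h(x1), h(x2))
        counts[key] = counts.get(key, 0) + 1
    return counts

counts = empirical_pair_counts(n=3, m=2, x1=0b001, x2=0b110, samples=4000)
```

With 4000 samples, each of the 16 pairs should appear close to 250 times.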

Inaccessible entropy for inversion problems
In this section we define, following the informal description given in the introduction, the real and accessible entropy of the inverse of a function. The inaccessible entropy of the inverse is defined as the gap between the two.

Real entropy
For a function F, we define the real entropy of F^{-1} to be the amount of entropy left in the input after revealing the output. We measure this entropy using Shannon entropy (the average case), min-entropy, and max-entropy.

Definition 3.1 (real entropy). Let n be a security parameter, and F : {0,1}^n → {0,1}^m a function. We say that F^{-1} has real Shannon entropy k if

H(X | F(X)) = k,

where X is uniformly distributed on {0,1}^n. We say that F^{-1} has real min-entropy at least k if there is a negligible function ε = ε(n) such that

Pr_{x R← X}[H_{X|F(X)}(x | F(x)) ≥ k] ≥ 1 − ε(n).

We say that F^{-1} has real max-entropy at most k if there is a negligible function ε = ε(n) such that

Pr_{x R← X}[H_{X|F(X)}(x | F(x)) ≤ k] ≥ 1 − ε(n).

It is easy to verify that, ignoring negligible terms, the min-entropy of F^{-1} is at most its Shannon entropy, which in turn is at most its max-entropy, with equality only if F is regular. We also note a more concrete formula for the sample-entropies above:

H_{X|F(X)}(x | F(x)) = log|F^{-1}(F(x))|.

As our goal is to construct UOWHFs that are shrinking, achieving high real entropy is a natural intermediate step. Indeed, the amount by which F shrinks is a lower bound on the real entropy of F^{-1}: if F : {0,1}^n → {0,1}^m, then the real Shannon entropy of F^{-1} is at least n − m, and the real min-entropy of F^{-1} is at least n − m − s for any s = ω(log n).
Proof. For Shannon entropy, we have

H(X | F(X)) = H(X) − H(F(X)) ≥ n − m,

using the chain rule and the facts that F(X) is determined by X and that H(F(X)) ≤ m. For min-entropy, note that there are at most 2^m outputs, so at most 2^m · 2^{n−m−s} = 2^{n−s} inputs x satisfy |F^{-1}(F(x))| < 2^{n−m−s}. Hence, with probability at least 1 − 2^{−s} over x R← X, we have H_{X|F(X)}(x | F(x)) ≥ n − m − s, and 2^{−s} is negligible for s = ω(log n).
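The concrete formula H_{X|F(X)}(x | F(x)) = log|F^{-1}(F(x))| makes the real entropies of F^{-1} directly computable for toy functions by enumerating preimage sizes; the two example functions below are illustrative:

```python
from math import log2
from collections import Counter

def real_entropies(F, n):
    """(min, Shannon, max) real entropy of F^{-1} on {0,1}^n, computed from
    the sample-entropies log |F^{-1}(F(x))|."""
    sizes = Counter(F(x) for x in range(2 ** n))
    per_x = [log2(sizes[F(x)]) for x in range(2 ** n)]
    return min(per_x), sum(per_x) / 2 ** n, max(per_x)

# A regular example: every output of (x mod 4) on 4-bit inputs has exactly
# 4 preimages, so all three entropies coincide at n - m = 4 - 2 bits.
regular = real_entropies(lambda x: x % 4, 4)

# An irregular example: one heavy output and a few singleton outputs.
irregular = real_entropies(lambda x: 0 if x < 12 else x, 4)
```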

Accessible entropy
We define the accessible entropy of F^{-1} using the notion of a "collision-finding" algorithm, an algorithm that aims to find a second preimage of F(X) with "maximal entropy". The accessible entropy of F^{-1} will be defined via the entropy of the best efficient collision-finding algorithm.

Definition 3.3 (collision finding algorithm).
For a function F : {0,1}^n → {0,1}^m, an F-collision-finder is a randomized algorithm A such that for every x ∈ {0,1}^n and coin tosses r for A, we have

F(A(x; r)) = F(x).

Note that A is required to always produce an input x' ∈ {0,1}^n such that F(x) = F(x'). This is a reasonable constraint because A has the option of outputting x' = x if it does not find a true collision. We consider A's goal to be maximizing the entropy of its output x' = A(x), given a random input x.
It is easy to see that the accessible entropy of F^{-1} is never larger than its real entropy. If we let A be computationally unbounded, then the optimum turns out to equal exactly the real entropy:

Lemma 3.4. Let F : {0,1}^n → {0,1}^m be a function. Then the real Shannon entropy of F^{-1} equals the maximum of H(A(X; R) | X) over all (computationally unbounded) F-collision finders A, where the random variable X is uniformly distributed in {0,1}^n and R is uniformly random coin tosses for A. That is,

H(X | F(X)) = max_A H(A(X; R) | X),

where the maximum is taken over all F-collision finders A.
Proof. The "optimal" F-collision finder A that maximizes H(A(X) | X) is the algorithm that, on input x, outputs a uniformly random element of F^{-1}(F(x)). Then

H(A(X) | X) = E_{x R← X}[log|F^{-1}(F(x))|] = H(X | F(X)).

The notion of accessible entropy simply restricts the above to ppt algorithms. We consider both Shannon- and max-entropy variants (since we aim to upper bound the accessible entropy, we do not need the min-entropy variant).
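The proof's optimal finder can be checked numerically on toy functions: describing a finder by its output distribution per input, the uniform-preimage finder attains H(A(X) | X) equal to the real Shannon entropy, while the trivial finder that always answers x attains 0. (All functions below are illustrative.)

```python
from math import log2

def conditional_entropy(A_dist, n):
    """H(A(X) | X) = E_x[H(A(x))], for a finder described by A_dist(x), a
    dict mapping outputs to probabilities."""
    total = 0.0
    for x in range(2 ** n):
        total += sum(q * log2(1.0 / q) for q in A_dist(x).values() if q > 0)
    return total / 2 ** n

def uniform_preimage_finder(F, n):
    """The optimal (unbounded) F-collision finder from the proof: output a
    uniformly random element of F^{-1}(F(x))."""
    pre = {}
    for x in range(2 ** n):
        pre.setdefault(F(x), []).append(x)
    return lambda x: {x2: 1.0 / len(pre[F(x)]) for x2 in pre[F(x)]}

F0 = lambda x: x % 4  # toy regular function on 4-bit inputs
best = conditional_entropy(uniform_preimage_finder(F0, 4), 4)
trivial = conditional_entropy(lambda x: {x: 1.0}, 4)  # always answers x
```

For this regular F0, the real Shannon entropy of F0^{-1} is 4 − 2 = 2 bits, and the uniform-preimage finder attains exactly that.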
Definition 3.5 (accessible entropy). Let n be a security parameter and F : {0,1}^n → {0,1}^m a function. We say that F^{-1} has accessible Shannon entropy at most k if for every ppt F-collision-finder A, we have

H(A(X; R) | X) ≤ k

for all sufficiently large n, where the random variable X is uniformly distributed on {0,1}^n and R is uniformly random coin tosses for A.
We say that F^{-1} has p-accessible max-entropy at most k if for every ppt F-collision-finder A, there exists a family of sets {L(x) ⊆ {0,1}^n}_{x∈{0,1}^n}, each of size at most 2^k, such that

Pr[A(X; R) ∈ L(X)] ≥ 1 − p

for all sufficiently large n, where the random variable X is uniformly distributed on {0,1}^n and R is uniformly random coin tosses for A. In addition, if p = ε(n) for some negligible function ε(·), then we simply say that F^{-1} has accessible max-entropy at most k.
It is easy to verify that, ignoring negligible terms, the accessible Shannon entropy of F −1 is at most its accessible max-entropy; i.e., if the accessible max-entropy of F −1 is at most k, then so is its accessible Shannon entropy. (We will later, in Section 3.2.1, introduce an in-between variant of accessible entropy, larger than the Shannon variant but smaller than the max variant.) The reason that an upper bound on accessible entropy is useful as an intermediate step towards constructing UOWHFs is that accessible max-entropy 0 is equivalent to target collision resistance (on random inputs): We say that F is q-collision-resistant on random inputs if for every ppt F-collision-finder A, Pr[A(X; R) = X] ≥ q for all sufficiently large n, where the random variable X is uniformly distributed on {0, 1} n and R is uniformly random coin tosses for A. In addition, if q = 1 − ε(n) for some negligible function ε(·), we say that F is collision-resistant on random inputs. Lemma 3.7. Let n be a security parameter and F : {0, 1} n → {0, 1} m be a function. Then, for any p = p(n) ∈ (0, 1), the following statements are equivalent: (1) F −1 has p-accessible max-entropy 0; (2) F is (1 − p)-collision-resistant on random inputs.
In particular, F −1 has accessible max-entropy 0 iff F is collision-resistant on random inputs.
While bounding p-accessible max-entropy with negligible p is our ultimate goal, one of our constructions will work by first giving a bound on accessible Shannon entropy, and then deducing a bound on p-accessible max-entropy for a value of p < 1 using the following lemma: Lemma 3.8. Let n be a security parameter and F : {0, 1} n → {0, 1} m be a function. If F −1 has accessible Shannon entropy at most k, then F −1 has p-accessible max-entropy at most k/p+O(2 −k/p ) for any p = p(n) ∈ (0, 1).
Proof. Fix any ppt F-collision-finder A. From the bound on accessible Shannon entropy, we have E[H A(X;R)|X (A(X; R) | X)] ≤ k. Take L(x) to be the set {x} ∪ {x ′ : H A(X;R)|X (x ′ | x) ≤ k/p}; by Markov's inequality, Pr[A(X; R) ∉ L(X)] ≤ p. It is easy to see that |L(x)| ≤ 2 k/p + 1, and thus F −1 has p-accessible max-entropy at most k/p + O(2 −k/p ).
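The size bound on L(x) yields the stated max-entropy bound via the following short calculation (a sketch we spell out for completeness, using log(1 + z) ≤ z/ln 2):

```latex
\log |L(x)| \;\le\; \log\!\bigl(2^{k/p} + 1\bigr)
  \;=\; \frac{k}{p} + \log\!\bigl(1 + 2^{-k/p}\bigr)
  \;\le\; \frac{k}{p} + \frac{2^{-k/p}}{\ln 2}
  \;=\; \frac{k}{p} + O\bigl(2^{-k/p}\bigr).
```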
Once we have a bound on p-accessible max-entropy for some p < 1, we need to apply several transformations to obtain a function with a good bound on neg(n)-accessible max-entropy.

Accessible average max-entropy
Our second construction (which achieves better parameters) starts with a bound on a different, average-case form of accessible entropy, which is stronger than bounding the accessible Shannon entropy. The benefit of this notion is that it can be converted more efficiently to neg(n)-accessible max-entropy, simply by taking repetitions.
To motivate the definition, recall that a bound on accessible Shannon entropy means that the sample entropy H A(X;R)|X (x ′ | x) is small on average. This sample entropy may depend on both the input x and the x ′ output by the adversary (which in turn may depend on its coin tosses). A stronger requirement is to say that we have upper bounds k(x) on the sample entropy that depend only on x. The following definition captures this idea, thinking of k(x) = log|L(x)|. (We work with sets rather than sample entropy to avoid paying the log(1/ε) loss in Lemma 2.2.) Definition 3.9 (accessible average max-entropy). Let n be a security parameter and F : {0, 1} n → {0, 1} m a function. We say that F −1 has accessible average max-entropy at most k if for every ppt F-collision-finder A, there exists a family of sets {L(x)} x∈Supp(X) and a negligible function ε = ε(n) such that x ∈ L(x) for all x ∈ Supp(X), E[log|L(X)|] ≤ k and Pr[A(X; R) ∈ L(X)] ≥ 1 − ε(n) for all sufficiently large n, where the random variable X is uniformly distributed on {0, 1} n and R is uniformly random coin tosses for A.
It is easy to verify that, ignoring negligible terms, the accessible average max-entropy of F −1 is at least its accessible Shannon entropy and at most its accessible max-entropy.

Inaccessible entropy from one-way functions
We present two constructions of inaccessible entropy functions from one-way functions. The one in Section 4.1 is extremely simple, and merely trims the one-way function's output. The one in Section 4.2 is somewhat more complicated (in the spirit of the first step of Rompel [26], though still significantly simpler) and yields a more efficient overall construction.

A direct construction
The goal of this section is to prove the following theorem: We do not know whether the function F −1 has even less accessible Shannon entropy (say, with a gap of Ω(1/n)). However, it seems that a significantly stronger bound would require much more effort, and even improving the gap to Ω(1/n) does not seem to yield an overall construction that is as efficient as the one resulting from Section 4.2. We therefore aim to present a proof that is as simple as possible.
We begin with a high-level overview of our approach. Recall from Proposition 3.4 the "optimal" F-collision finder Ã that samples uniformly from F −1 (F(·)). The proof proceeds in three steps: 1. First, we show that it is easy to invert f using Ã (Lemma 4.2).
2. Next, we show that if an F-collision-finder A has high accessible Shannon entropy, then it must behave very similarly to Ã (Lemma 4.3).
3. Finally, we show that if A behaves very similarly to Ã, then it is also easy to invert f using A (Lemma 4.4).
We may then deduce that if f is one-way, any F-collision-finder A must have accessible Shannon entropy bounded away from H(Z | F(Z)).
Step 1. Suppose we have an optimal collision finder Ã(x, i; r) that outputs a uniformly random element of F −1 (F(x, i)). In order to invert an element y, we repeat the following process: start with an arbitrary element x (0) and use Ã to find an element x (1) such that f (x (1) ) has the same first bit as y. In the i'th step we find x (i) such that the first i bits of f (x (i) ) equal y 1,...,i (until i = n). This is done more formally in the following algorithm, stated for an arbitrary oracle CF, which we set to Ã in the first lemma we prove. The algorithm ExtendOne performs a single step. Besides the new element x ′ , which is what we are really after, ExtendOne also returns the number of calls it made to the oracle. This value is irrelevant to the overall algorithm, but we use it later in the analysis when we bound the number of oracle queries made by ExtendOne.

Algorithm ExtendOne
Oracle: An F-collision finder CF.
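To make the structure of Inv and ExtendOne concrete, here is a minimal executable sketch. The toy 3-bit permutation f and the brute-force "optimal" collision finder below are our own illustrative stand-ins (a real instantiation would use a one-way function and a ppt collision finder):

```python
import random

def make_inverter(f, n, cf):
    """Inverter Inv for f over n-bit strings, given oracle access to an
    F-collision finder cf for F(x, i) = f(x)[:i] (sketch)."""

    def extend_one(x, target_bit, i):
        # Call cf until the i-th bit of f(x') matches the target bit.
        # The call count is irrelevant to Inv itself; it only matters
        # in the query-complexity analysis.
        calls = 0
        while True:
            calls += 1
            x = cf(x, i - 1)              # preserves the (i-1)-bit prefix of f(x)
            if f(x)[i - 1] == target_bit:
                return x, calls

    def invert(y):
        x = '0' * n                       # arbitrary starting point x^(0)
        for i in range(1, n + 1):         # fix the bits of f(x) one at a time
            x, _ = extend_one(x, y[i - 1], i)
        return x

    return invert

# Toy instantiation (illustrative only): a 3-bit permutation f and the
# unbounded "optimal" collision finder sampling F^{-1}(F(x, i)) uniformly.
n = 3
domain = [format(v, '03b') for v in range(2 ** n)]

def f(x):
    return format((5 * int(x, 2) + 3) % 2 ** n, '03b')

def optimal_cf(x, i):
    return random.choice([x2 for x2 in domain if f(x2)[:i] == f(x)[:i]])
```

Since this toy f is a permutation, every prefix of every image is attainable, so each call to extend_one terminates after an expected 2 oracle calls, matching the 2n total of Lemma 4.2.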
We first show that with our optimal collision finder Ã, the inverter inverts with only 2n calls in expectation (even though it may in principle run forever). Towards proving that, we define p(b | y 1,...,i−1 ) as the probability that the i'th bit of f (x) equals b, conditioned on the event that the first i − 1 bits of f (x) equal y 1,...,i−1 . Lemma 4.2. On input y = f (x) for a uniformly random x ∈ {0, 1} n , the inverter Inv Ã makes 2n calls to Ã in expectation. Proof. Fix some string y 1,...,i−1 in the image of F. We want to study the expected number of calls ExtendOne makes in the i'th step. If we knew y i , then this expected number of calls would be 1/p(y i | y 1,...,i−1 ). Since y i = 0 with probability p(0 | y 1,...,i−1 ), the expected number of calls is 1 if either of the probabilities is 0, and p(0 | y 1,...,i−1 ) · 1/p(0 | y 1,...,i−1 ) + p(1 | y 1,...,i−1 ) · 1/p(1 | y 1,...,i−1 ) = 2 otherwise. Using linearity of expectation over the n steps we get the result.
Step 2. Given an F-collision finder A, we define ε(x, i) to be the statistical distance between the output distribution of A(x, i; r) and that of Ã(x, i; r) (which equals the uniform distribution over F −1 (F(x, i))).
We want to show that if A has high accessible Shannon entropy, then A behaves very similarly to Ã. The next lemma formalizes this by stating that ε(x, i) is small on average (over the uniformly random choice of x ∈ {0, 1} n and i ∈ [n]). The lemma follows by applying Jensen's inequality to the well-known relationship between entropy gap and statistical distance. Proof.
The first inequality uses the fact that if W is a random variable whose support is contained in a set S and U is the uniform distribution on S, then H(W) ≤ log|S| − (2/ ln 2) · SD(W, U) 2 . Step 3. We have now seen that Inv Ã inverts f with 2n calls in expectation and that A behaves similarly to Ã. We now want to show that Inv A also inverts f efficiently. The main technical difficulty is that even though Inv Ã makes 2n calls to Ã in expectation, and A and Ã are close in statistical distance, we cannot immediately deduce an upper bound on the number of calls Inv A makes to A. Indeed, our analysis below exploits the fact that Inv and ExtendOne have a fairly specific structure. We will assume without loss of generality that Pr r [A(x, i; r) ≠ Ã(x, i; r)] = ε(x, i), where Ã is an optimal collision finder as above. This is possible by a standard coupling argument, since we do not require Ã to be polynomial time, and since we can extend the number of random bits Ã uses (we assume it simply ignores unused ones). To achieve this coupling, Ã first computes the statistics of A on input (x, i), as well as the result of A(x, i; r). It checks whether A(x, i; r) is one of the elements that occur too often, and if so outputs a different, carefully chosen element with appropriate probability. We now show that in most executions of ExtendOne it does not matter whether we use A or Ã (that is, ExtendOne makes the same number of oracle queries to A and Ã, and outputs the same value).
Note that the oracle algorithm ExtendOne is deterministic; in the above expressions, R refers to the coin tosses used by the oracles that ExtendOne queries, namely A and Ã. We stress that the lemma says that both the value x ′ and the counter j returned are equal with high probability.
Proof. Let J = J(R) be the second coordinate of the output of ExtendOne A (x, y i , i; R) (i.e., the counter), and let J̃ = J̃(R) be the analogous output of ExtendOne Ã (x, y i , i; R). We write the probability that the two executions differ as a sum over the round j in which they first differ, where P J is some distribution over the integers which, as it turns out, we do not need to know. Now let R ′ be the randomness used by A or Ã in round j. Then, because each iteration of ExtendOne uses fresh independent randomness. Let P be the distribution over {0, 1} n produced by A(x, i; R ′ ), and let P * be the (uniform) distribution produced by Ã(x, i; R ′ ). For p = p(y i | y 1,...,i−1 ) and ε = ε(x, i), it holds that For the penultimate equality, note that Hence, And similarly, Σ x ′ ∈F −1 (y 1,...,i ) max(P (x ′ ), P * (x ′ )) = p + ε.
Collecting the equations and inserting into (2) proves the lemma.
Putting everything together. We can now finish the proof of Theorem 4.1. Consider the following random variables: let X be uniformly drawn from {0, 1} n and let Y = f (X). Run Inv A (Y ) and Inv Ã (Y ) in parallel, using the same randomness in both executions. Let X (0) , . . . , X (n) be the random variables holding the values assigned to x (0) , . . . , x (n) in the run of Inv Ã . Finally, let the indicator variable Q i be 1 iff the i'th call to ExtendOne in the above parallel run is the first call in which the two executions differ (in the value or the counter returned). We proceed to obtain an upper bound on Pr[Q i = 1]. Observe that for all x ∈ {0, 1} n : where the inequality above follows by Lemma 4.4. Averaging over x, we have that for all i = 1, . . . , n: Here, we use the fact that, by induction on i, the random variable X (i) , for i ∈ {0, . . . , n}, is uniformly distributed in {0, 1} n (it is a uniform preimage of a uniformly chosen output). Using Equation (3), we have where the last inequality follows from Lemma 4.3. Hence, with probability 1/2, a run of Inv A and Inv Ã produces the same output and uses the same number of queries to its oracle. Moreover, the probability that Inv Ã uses more than 8n oracle queries is at most 1/4 (by applying Markov's inequality to Lemma 4.2). Hence, with probability 1/4, Inv A inverts f using 8n oracle queries in total, which contradicts the one-wayness of f . In order to make sure that Inv A runs in polynomial time, we simply halt it after 8n calls.

A more efficient construction
The following theorem shows that a simplified variant of the first step of [26] (which is also the first step of [20]) yields inaccessible entropy with much stronger guarantees than those obtained in Section 4.1. The function we construct is F(x, g, i) = (g(f (x)) 1,...,i , g), where g : {0, 1} n → {0, 1} n is selected from a family of three-wise independent hash functions. Since the composition of g and f is still a one-way function, Theorem 4.1 already implies that F −1 has inaccessible entropy. The benefits of the additional hashing step are that 1. we get more inaccessible entropy (Θ(1/n) bits rather than Θ(1/n 2 ) bits), and 2. we get a bound on accessible average max-entropy rather than accessible Shannon entropy.
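A sketch of this construction in code may help. The degree-2 polynomial over a prime field is a standard three-wise independent family; the specific prime and the truncation to n bits are illustrative assumptions of ours, not part of the paper:

```python
import random

P = 1_000_003  # prime modulus; degree-2 polynomials over Z_P form a 3-wise independent family

def sample_g():
    """Sample g(y) = a*y^2 + b*y + c mod P."""
    return tuple(random.randrange(P) for _ in range(3))

def apply_g(g, y, n):
    """Evaluate g and truncate to an n-bit string (approximate sketch: the
    final reduction mod 2^n slightly perturbs exact 3-wise independence)."""
    a, b, c = g
    return format((a * y * y + b * y + c) % P % (2 ** n), '0{}b'.format(n))

def F(f, n, x, g, i):
    """F(x, g, i) = (first i bits of g(f(x)), g), for a candidate one-way
    function f supplied by the caller."""
    return (apply_g(g, int(f(x), 2), n)[:i], g)
```

Note that the hash description g is part of the output, exactly as in the construction, so a collision must reuse the same (g, i).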
These allow for a more efficient and simpler transformation of F into a UOWHF. Proof. Let c be a sufficiently large constant (whose value is to be determined later as a function of the constant d in the theorem statement). The sets {L(x, g, i)} x∈{0,1} n ,g∈G,i∈[n] realizing the inaccessible entropy of F −1 are defined by where for y ∈ {0, 1} n and i ∈ [n], we let Namely, L(y, i) consists, in addition to y itself, of "i-light" images with respect to f . 7 As a warm-up, it is helpful to write down L(y, i) and L(x, g, i) for the case where f is a one-way permutation. 8 The theorem immediately follows from the following two claims. 7 Recall that the sample entropy is defined as H f (X) (y) = log(1/ Pr[f (X) = y]) = n − log|f −1 (y)|, so the "heavy" images, where |f −1 (y)| is large, have low sample entropy. 8 If f is a permutation, then L(y, i) is given by: Claim 4.6. For every ppt F-collision-finder A and every constant c > 0, it holds that where Z is uniformly distributed over D(F) and R is uniformly distributed over the random coins of A.
Claim 4.7. For any constant c it holds that where Z is uniformly distributed in D(F).

Accessible inputs of F -Proving Claim 4.6
Proof of Claim 4.6. Recall that Z = (X, G, I) is uniformly distributed over D(F ), and that R is uniformly distributed over the random coins of A. Let A 1 denote the first component of A's output. It suffices to show that since the other two output components of A are required to equal (G, I), due to the fact that F(X, G, I) determines (G, I).
We construct an inverter Inv such that for all F-collision-finders A and for c as in Equation (5) we have where Y = f (X), and the proof of Claim 4.6 follows readily from the one-wayness of f .

Inverter Inv A
Oracle: An F-collision finder A.
Observe that Inv can be implemented efficiently by sampling g ′ as follows: first pick z, z * ∈ {0, 1} n such that z 1...i = z * 1...i , and then use the constructibility of G to pick g ′ with g ′ (f (x)) = z and g ′ (y) = z * .
Then, for all x ∈ {0, 1} n , we have E[|L(x, G, i)|] = 2 n−i for all i ≤ n − c log n, and |L(x, g, i)| = 1 for all g ∈ G and all i > n − c log n. This means that the entropy gap between F −1 (F(Z)) and L(X, G, I) is roughly (1/n) · Σ i>n−c log n (n − i) = Ω(c 2 log 2 n/n).
We analyze the success probability of Inv A . Using the shorthand notation Pr g ′ [· · · ] for the probability over the choice of g ′ made by Inv, we have where the inequality holds since Pr[f (X) = y] ≥ 2 −i /n c for any y ∉ L(f (x), i). Next, observe that for any tuple (y, x, i) such that y ≠ f (x), it holds that (where we distinguish Pr g ′ [· · · ] as above from Pr g [· · · ], the probability over a uniformly random g ∈ G) The second equality follows by Bayes' rule, and the third uses the fact that A is an F-collision finder. The last equality follows since G is two-wise independent (recall that we assumed G is three-wise independent) and f (x) ≠ y.
Combining the two preceding observations, and the fact that f (x) ∈ L(f (x), i), we have that and the proof of the claim follows.

Upper bounding the size of L -Proving Claim 4.7
Recall that Z = (X, G, I) is uniformly distributed over D(F). In the following we relate the size of L(Z) to that of F −1 (F(Z)). We make use of the following property of three-wise independent hash functions. Note that in the above experiment it is always the case that (g ′ , i ′ ) = (g, i), where z ′ = (x ′ , g ′ , i ′ ).
Proof. Note that with probability 2 −i over g R ← G, it holds that g(f (x * )) 1···i = g(f (x)) 1···i . Henceforth, we condition on this event, which we denote by E, and let w = g(f (x * )) 1···i = g(f (x)) 1···i . Observe that for a fixed g satisfying E, it holds that In order to obtain a lower bound on |F −1 (F(x, g, i))|, we first consider x ′ such that f (x ′ ) ∉ {f (x), f (x * )}. By the three-wise independence of G, This implies that the expected number of x ′ such that g(f (x ′ )) = w and f (x ′ ) ∉ {f (x), f (x * )} is at most 2 n−i . By Markov's inequality, we have that with probability at least 1/2 over g R ← G (conditioned on E), where the second inequality uses the fact that Putting everything together, the probability that we obtain x * is at least 2 −i · 1/2 · (4 · 2 n−i ) −1 = 2 −n /8.
We now use Claim 4.8 for proving Claim 4.7.
Proof of Claim 4.7. Let Z ′ = (X ′ , G, I) R ← F −1 (F(Z = (X, G, I))) (note that the second and third coordinates of Z and Z ′ are indeed guaranteed to match). We claim that for proving Claim 4.7 it suffices to show Equation (13). Indeed, let L̄(z) := F −1 (F(z)) \ L(z), and compute ∈ Ω(c log(n)/n).
We prove Equation (13) in two steps. First, observe that for all x: It follows that The last inequality holds since the one-wayness of f implies that Pr x,x * [f (x) = f (x * )] is negligible (otherwise inverting f would be trivial). This concludes the proof of Equation (13), and hence of the claim.

UOWHFs from inaccessible entropy
In this section we show how to construct a UOWHF from any efficiently computable function with a noticeable gap between real Shannon entropy and either accessible average max-entropy or accessible Shannon entropy. Recall that the more efficient construction from Section 4.2 satisfies the former, and the more direct construction from Section 4.1 satisfies the latter. Combined with these constructions, we obtain two new constructions of UOWHFs from any one-way function.
In both cases, we first transform the entropy gap into a noticeable gap between real Shannon entropy and accessible max-entropy. We begin with the construction that starts from a gap between real Shannon entropy and accessible average max-entropy, because the transformation involves fewer steps (and is also more efficient); the resulting function has key length O(n 4 s/∆ 3 · log n) for any s = ω(log n), where n is the security parameter. 9 We first show how to combine this with Theorem 4.5 to obtain a universal one-way hash function. Overview. The construction proceeds via a series of transformations, as outlined in Section 1.2: gap amplification (via repetition), entropy reduction (by hashing inputs), and reducing the output length (by hashing outputs). In each of these transformations, we use n 0 to denote the input length of the function F we start with, and n to denote the security parameter.

Gap amplification
Here, we show that a direct product construction increases the gap between real entropy and accessible entropy. Another useful effect of direct product (for certain settings of parameters) is turning real Shannon entropy into real min-entropy, and turning accessible average max-entropy into accessible max-entropy. i. If F −1 has real Shannon entropy at least k, then (F t ) −1 has real min-entropy at least t·k− n· √ st for any s = ω(log n) and t > s.
ii. If F −1 has accessible average max-entropy at most k, then (F t ) −1 has accessible max-entropy at most t · k + n · √ st for any s = ω(log n).
By the bound on the accessible average max-entropy of F −1 , we know that there exists a family of sets {L(x)} such that E log|L(X)| ≤ k, x ∈ L(x), and Pr[A(X) / ∈ L(X)] ≤ neg(n).
Consider the family of sets L ′ (x (t) ) : x (t) ∈ ({0, 1} n ) t given by: By linearity of expectation, we have E log|L ′ (X 1 , . . . , X t )| ≤ t · k. Moreover, by the Chernoff-Hoeffding bound, and using the fact that log|L(X)| takes values in [0, n], we have We claim that this implies that A ′ has accessible max-entropy at most t · k + n √ st. Suppose otherwise; then there exists a non-negligible function ε such that which contradicts our assumption on A.
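The repetition step itself is straightforward; a minimal sketch (choosing the parameters t > s = ω(log n) from the lemma is left to the caller):

```python
def direct_product(F, t):
    """t-fold direct product F^t(x_1, ..., x_t) = (F(x_1), ..., F(x_t)).
    Real and accessible entropies scale by t, and Chernoff-Hoeffding
    concentration turns Shannon entropy into min/max-entropy
    (up to additive n*sqrt(st) terms, per the lemma)."""
    def Ft(xs):
        assert len(xs) == t          # expects exactly t independent inputs
        return tuple(F(x) for x in xs)
    return Ft
```

For example, `direct_product(F, 3)` evaluates F independently on each of three inputs and returns the tuple of results.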

Entropy reduction
Next we describe a construction that, given F and any parameter ℓ, reduces the accessible max-entropy of F −1 by roughly ℓ bits, while approximately preserving the gap between real min-entropy and accessible max-entropy. i. Assuming F −1 has real min-entropy at least k, then (F ′ ) −1 has real min-entropy at least k − ℓ − s for any s = ω(log n).
Proof. In the following X and G are uniformly distributed over {0, 1} n and G, respectively.
(a) Pr[g(X) ∈ S g ] ≤ 2 −s (by a union bound over z ∈ S g ); (b) Fix any z / ∈ S g and any x ∈ {0, 1} n such that H X|F (X) (x | F (x)) ≥ k. Then, where the second inequality follows from our assumptions on z and x.
Combining the above two observations and the bound on the real min-entropy of F , it follows that for all g ∈ G, with probability 1 − 2 −s − neg(n) over x R ← X, we have The bound on the real min-entropy of F ′ follows readily.
ii. Given a ppt F ′ -collision-finder A ′ , we construct a ppt F-collision-finder A as follows: On input x, pick a pair (g, r) uniformly at random and output A ′ (x, g; r).
By the bound on the accessible max-entropy of F −1 , we know that there exists a family of where R is uniformly distributed over the random coins of A.
We next bound the size of the set L ′ (x, g). Fix any x ∈ {0, 1} n . For any x ′ = x, pairwise independence of G tells us that Pr[G(x ′ ) = G(x)] = 2 −ℓ . It follows from linearity of expectation that Then, by Markov's inequality, we have Combining the last two inequalities, we obtain The above yields an upper bound of max{k − ℓ + s, 0} on the accessible max-entropy of (F ′ ) −1 .
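In code, the entropy-reduction step looks as follows (a sketch; the affine-mod-P family stands in for any constructible pairwise independent family, and the final reduction mod 2^ℓ is our simplification):

```python
import random

P = 1_000_003  # prime modulus; x -> a*x + b mod P is a pairwise independent family

def sample_pairwise(ell):
    """Sample a hash g: Z -> {0, ..., 2^ell - 1} (illustrative family)."""
    return (random.randrange(1, P), random.randrange(P), ell)

def apply_pairwise(g, x):
    a, b, ell = g
    return ((a * x + b) % P) % (2 ** ell)

def entropy_reduce(F, ell):
    """F'(x, g) = (F(x), g, g(x)): publishing ell extra hash bits of x cuts
    both the real min-entropy and the accessible max-entropy of the preimage
    set by roughly ell, approximately preserving their gap."""
    def Fp(x, g):
        return (F(x), g, apply_pairwise(g, x))
    return Fp
```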

Reducing output length
The next transformation gives us a way to derive a function that is both length-decreasing and collision-resistant on random inputs, by hashing the output: F ′ (x, g) = (g(F(x)), g). The following holds: if F −1 has real min-entropy at least ω(log n) and F is collision-resistant on random inputs, then F ′ is collision-resistant on random inputs.
Proof. The bound on the real min-entropy implies that there exists a subset S ⊆ {0, 1} n of density at most neg(n) such that |F −1 (F(x))| = n ω(1) for all x ∉ S. Hence, By the two-wise independence of G, Namely, g(F(x)) uniquely determines F(x) with high probability. In particular, a collision for g ◦ F is also a collision for F. Given any ppt F ′ -collision-finder A ′ , we construct a ppt F-collision-finder A as follows: On input x, pick g and r at random and compute A ′ (x, g; r). Equation (22) implies that Pr[A ′ (X, G; R) ≠ (A(X; G, R), G)] ≤ neg(n). Since F is collision-resistant on random inputs, Pr[A(X; G, R) = X] ≥ 1 − neg(n), and therefore Pr[A ′ (X, G; R) = (X, G)] ≥ 1 − neg(n). Namely, F ′ is also collision-resistant on random inputs.
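The output-hashing step admits an equally short sketch (hash_out is an assumed pairwise independent hash over F's output domain, supplied by the caller):

```python
def reduce_output(F, hash_out):
    """F'(x, g) = (g(F(x)), g). Once F^{-1} has super-logarithmic real
    min-entropy, g(F(x)) determines F(x) with high probability, so F'
    stays collision-resistant on random inputs while becoming
    length-decreasing for a suitably short hash output length."""
    def Fp(x, g):
        return (hash_out(g, F(x)), g)
    return Fp
```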

Additional transformations
We present two more standard transformations that are needed to complete the construction. Proof. Given a ppt adversary A ′ that breaks the target collision resistance of F ′ y , we construct a ppt adversary A that breaks F as follows: On input x, run A ′ (1 n ) to compute (x 0 , state), and then run A ′ (state, x ⊕ x 0 ) to compute x 1 ; if A ′ succeeds, then (x, x ⊕ x 0 ⊕ x 1 ) is a collision for F. It then follows quite readily that A breaks F with the same probability that A ′ breaks F ′ y .
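The keyed-shift transformation above can be sketched as follows (byte strings stand in for {0, 1} n ; the names are ours):

```python
import secrets

def shift_family(F, nbytes):
    """F'_y(x) = F(y XOR x). A target collision for F'_y at an adversarially
    chosen point x0 is a collision for F at the uniformly random point
    y XOR x0, so collision resistance on random inputs upgrades to target
    collision resistance (sketch)."""
    def keygen():
        return secrets.token_bytes(nbytes)        # the public key y
    def F_y(y, x):
        return F(bytes(a ^ b for a, b in zip(y, x)))
    return keygen, F_y
```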
The following result of [29] (improving on [23, 3]) shows that we can construct target collision-resistant hash functions for arbitrarily long inputs starting from one for a fixed input length. Lemma 5.7 (Increasing the input length [29]). Let n be a security parameter, t = poly(n) a parameter, and let F y : {0, 1} n+log n → {0, 1} n be a family of target collision-resistant hash functions.

Putting everything together
Using these transformations, we can now prove Theorem 5.1.
step 1 (gap amplification): For a parameter t, we define F 1 as the t-fold direct product of F. Lemma 5.3 yields that this repetition increases both the real and accessible entropies of F 1 by a factor of t (compared to F). In addition, this repetition converts real Shannon entropy to real min-entropy and accessible average max-entropy to accessible max-entropy (up to additive terms that are sublinear in t). More precisely, we have the following properties: • F −1 1 has accessible max-entropy at most t · (k real − ∆) + n 0 · √ st.
In steps 2 to 4, the construction uses non-uniform advice k, which corresponds to an approximation to k real . In step 5, we will remove this non-uniform advice via "exhaustive search". Concretely, for steps 2 to 4, we are given k satisfying This means that • F −1 1 has real min-entropy at least t · (k − ∆) + n 0 · √ st + 3s.
This yields a gap of 3s between real min-entropy and accessible max-entropy.
step 2 (entropy reduction): We next apply entropy reduction to F 1 to obtain F 2 (x, g) = (F 1 (x), g, g(x)), where g : {0, 1} n 1 → {0, 1} ℓ is selected from a family of pairwise independent hash functions with ℓ = t · (k − ∆) + n 0 · √ st + s = O(tn 0 ). Lemma 5.4 yields that this additional hashing reduces the real min-entropy and accessible max-entropy by ℓ (up to an additive term of s). More exactly, we have the following properties: • F y uses a key y of length n 3 (n, k).
step 5 (removing non-uniformity): To remove the non-uniform advice k, we "try all possibilities" from 0 to n 0 in steps of size ∆/2, similar to the approach used in [26] (see also [20, Section 3.6]). i. First, we construct κ = n 0 · 2/∆ families of functions G (k) y , for all k ∈ {∆/2, 2 · ∆/2, 3 · ∆/2, . . . , n 0 }. These κ families of functions satisfy the following properties: G (k) y is length-decreasing; in particular, G (k) y has input length n 3 (n, k) and output length n 3 (n, k) − log n. Note that G (n 0 ) y has the longest input length, i.e., n 3 (n, i∆/2) ≤ n 3 (n, n 0 ) for all i, because ℓ(n, k) increases as a function of k. We may then assume that all κ functions G 1 y , . . . , G κ y have the same input length n 3 (n, n 0 ) and the same output length n 3 (n, n 0 ) − log n, by padding the "extra part" of the input to the output.
• At least one of the G (k) y is target collision-resistant; this is because k real ∈ [0, n 0 ], and so (23) holds for some k which we picked.
ii. Next, for each k, we construct a family of functions G (k) y from G (k) y with input length κ · n 3 (n, n 0 ), key length O(n 3 (n, n 0 ) · log n) and output length n 3 (n, n 0 ) − log n, by following the construction given by Lemma 5.7. Again, at least one of the G (k) y for k as above is target collision-resistant.
• Moreover, since at least one of the G (k) y is target collision-resistant, {G̃ ỹ 1 ,...,ỹ κ } must also be target collision-resistant. This is because a collision for G̃ ỹ 1 ,...,ỹ κ is a collision for each of the G (k) ỹ . The family {G̃ ỹ 1 ,...,ỹ κ } is the universal one-way hash function we wanted to construct, and so this finishes the proof of Theorem 5.1. (The analogous construction of Section 5.3, starting from a bound on accessible Shannon entropy, has key length O(n 8 s 2 /∆ 7 · log n) for any s = ω(log n).)

UOWHF via a direct construction
As before, we can use Theorem 5.8 together with results from the previous sections to get a universal one-way hash function. In order to prove Theorem 5.8, we show how to transform a noticeable gap between real Shannon entropy and accessible Shannon entropy to one between real Shannon entropy and accessible max-entropy, and then follow the construction from the previous section. This step is fairly involved as we are unable to show that parallel repetition directly transforms an upper bound on accessible Shannon entropy into one for accessible max-entropy. We proceed by first establishing some additional properties achieved by gap amplification and entropy reduction.
Lemma 5.10 (Gap amplification, continued). Let n be a security parameter and F : {0, 1} n → {0, 1} m be a function. For t ∈ poly(n), let F t be the t-fold direct product of F. Then, the following holds: i. If F −1 has real Shannon entropy at most k, then (F t ) −1 has real max-entropy at most t · k + n · √ st for any s = ω(log n) and t > s.
ii. If F −1 has real min-entropy at least k, then (F t ) −1 has real min-entropy at least t · k.
iii. If F −1 has real max-entropy at most k, then (F t ) −1 has real max-entropy at most t · k.
iv. If F −1 has accessible Shannon entropy at most k, then (F t ) −1 has accessible Shannon entropy at most t · k.
v. If F −1 has accessible max-entropy at most k, then (F t ) −1 has accessible max-entropy at most t · k.
i. Follows readily from Lemma 2.3.
ii. This follows from a union bound and the fact that for all x 1 , . . . , x t : iii. Same as the previous part.
iv. Given any ppt F t -collision-finder A ′ , we construct the following ppt F-collision-finder A: On input x, pick a random i in [t] along with random x 1 , . . . , x i−1 , x i+1 , . . . , x t , and output the i'th component of A ′ (x 1 , . . . , x i−1 , x, x i+1 , . . . , x t ). Define the random variables (X ′ 1 , . . . , X ′ t ) = A ′ (X 1 , . . . , X t ). Then, by the bound on the accessible Shannon entropy of F −1 v. Analogous to Lemma 5.3 part ii, but simpler, since we do not need the Chernoff-Hoeffding bound.
vi. Suppose, on the contrary, that there exists a ppt F t -collision-finder A ′ that violates the guarantee on accessible max-entropy. By a union bound over the coordinates, Pr[|F −1 (F(X i ))| > 2 k for some i] ≤ t · neg(n) = neg(n). Hence, Since A ′ achieves accessible max-entropy greater than (1 − q/8)tk + t, there must exist a non-negligible function ε such that Pr where R ′ is uniformly distributed over the random coins of A ′ . Namely, A ′ finds collisions on at least a 1 − q/8 fraction of the coordinates with non-negligible probability.
To analyze the success probability of A ′ , fix any subset S of {0, 1} n of density q/2. If t = ω(log n/q), then a Chernoff bound yields that

This means that
We may then deduce (following the same calculations as in [6, Prop 2]) that where R is uniformly distributed over the random coins of A. By repeating A a sufficient number of times, we may find collisions on random inputs of F with probability 1 − q, contradicting our assumption that F is q-collision-resistant on random inputs. The entropy-reduction transformation F ′ (x, g) = (F(x), g, g(x)) additionally satisfies the following properties: i. If F −1 has real max-entropy at most k, then (F ′ ) −1 has real max-entropy at most max{k − ℓ + s, 0} for any s = ω(log n).
Proof. In the following X and G are uniformly distributed over {0, 1} n and G, respectively.
i. Fix an x such that |F −1 (F(x))| ≤ 2 k . By two-universal hashing, The bound on the real max-entropy of F −1 and Markov's inequality yield that The bound on the real max-entropy of (F ′ ) −1 follows.
ii. Readily follows from the proof of Lemma 5.4 part ii.

Putting everything together
Proof of Theorem 5.8. Recall that we start out with a function F : {0, 1} n 0 → {0, 1} m 0 with a gap ∆ between real Shannon entropy and accessible Shannon entropy. Let k real denote the real Shannon entropy of F −1 .
step 1 (gap amplification): Let F 1 be the t-fold direct product of F for a sufficiently large t to be determined later. That is, F 1 (x 1 , . . . , x t ) = (F(x 1 ), . . . , F(x t )).
Lemma 5.3 yields that this repetition increases both the real and accessible entropies of F 1 by a factor of t. In addition, the repetition converts real Shannon entropy to real min-entropy and real max-entropy (up to an additive o(t) term). More precisely: where n 1 (n) = t · n and m 1 (n) = t · m.
• F −1 1 has real min-entropy at least t · k real − n 0 √ st and real max-entropy at most t · k real + n 0 √ st.
• F −1 1 has accessible Shannon entropy at most t · k real − t∆. From the next step on, the construction again uses an additional parameter k. We will be especially interested in the case In case this holds, • F −1 1 has accessible Shannon entropy at most tk − t∆. Lemma 3.8 yields that F −1 1 has (1 − ∆/4k)-accessible max-entropy at most tk − t∆/2. • (F (k) 2 ) −1 has real min-entropy at least t · (k real − k + ∆/2) − n 0 √ st − 2s, which is at least and real max-entropy at most t · (k real − k + ∆/2) + n 0 √ st ≤ t · ∆/2 + n 0 √ st.
step 3 (gap amplification, again): Let F (k) 3 be the t ′ -fold direct product of F (k) 2 , i.e., F (k) 3 (x 1 , . . . , x t ′ ) = (F (k) 2 (x 1 ), . . . , F (k) 2 (x t ′ )). By Lemma 5.10, this allows us to amplify the weak collision-resistance property of F (k) 2 to obtain a gap between real min-entropy and accessible max-entropy in F (k) 3 , again assuming Equation (25).
• To remove the non-uniform advice k, we "try all possibilities" from 0 to n 0 in steps of size ∆ 2 /128n 0 .
This finishes the proof of Theorem 5.8.

Connection to average-case complexity
In this section we use the notion of inaccessible entropy to reprove a result by Impagliazzo and Levin [18] in the realm of average-case complexity. Our proof follows to a large extent the footsteps of [18]; the main novelty is formulating the proof in the language of inaccessible entropy, and rephrasing it so that it resembles our proof of UOWHFs from one-way functions. Section 6.1 introduces the basic notions and definitions used throughout the section, and in particular what "success on the average" means. It also formally states the result of Impagliazzo and Levin [18], which we reprove in Section 6.2.

Preliminaries and the Impagliazzo and Levin result
We start by introducing some basic notions from average-case complexity.

Algorithms that err
Let L be some language, and suppose A(y; r) is a randomized algorithm with input y ∈ {0, 1}*, randomness r, and output domain {0, 1, ⊥}. It is useful to think of A(y, ·) as trying to decide L, where 0 and 1 are guesses for whether y ∈ L, and ⊥ signals that A refuses to guess. Recall that when defining a worst-case complexity class (e.g., BPP), one requires Pr[A(y; R) = L(y)] ≥ 2/3 for every y ∈ {0, 1}* (the choice of the constant 2/3 is somewhat arbitrary). In other words, we require that the algorithm is 2/3-correct on every input. In contrast, in average-case complexity an algorithm is allowed to be wrong on some inputs. Specifically, the success probability of a decider A is measured not with respect to a single input, but with respect to a distribution over the elements of {0, 1}*.
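The three-valued decider interface above can be sketched as follows. The toy language (even parity) and the error behaviour are illustrative assumptions only; None plays the role of ⊥.

```python
# Sketch of the decider interface: A(y; r) outputs 1, 0, or BOT = None
# (playing the role of ⊥, "refuse to guess"). The toy language and the
# refusal pattern are hypothetical, chosen only to illustrate 2/3-correctness.
BOT = None

def L(y: str) -> int:
    return int(y.count("1") % 2 == 0)  # toy language: even number of 1s

def A(y: str, r: int):
    """Answer correctly unless the coin r falls on 0 mod 4, then refuse."""
    if r % 4 == 0:
        return BOT
    return L(y)

def success_prob(y, coins=range(100)):
    """Pr[A(y; R) = L(y)] over the given coins: here 3/4 >= 2/3."""
    return sum(A(y, r) == L(y) for r in coins) / len(coins)
```

This decider is 3/4-correct on every input, so it meets the worst-case requirement; an average-case decider would instead only need high success probability over a distribution on inputs.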
To make this formal, we first define a problem as a pair of a language and a distribution family. The problem class HeurBPP (see, e.g., [5, Definition 15]) contains those problems for which there exists an efficient algorithm that is correct on all but a "small" fraction of the inputs. Definition 6.3 (HeurBPP). A problem (L, D) is in HeurBPP if there exists a four-input algorithm A such that the following holds for every (n, δ) ∈ N × (0, 1]: A(·, 1^n, δ; ·) runs in time p(n, 1/δ) for some p ∈ poly, and Pr_{y←D_n, r}[A(y, 1^n, δ; r) ≠ L(y)] ≤ δ. In a moment we will restrict ourselves to the case that the sampler runs in polynomial time. Then, the above means that A is allowed to run in time polynomial in the "sampling complexity" of the instance, and inverse polynomial in the probability with which it is allowed to err.

Samplable distributions
We next discuss which families of distributions D to consider. While it is most natural to focus on efficiently samplable distributions, the definition of HeurBPP poses no such limits on the distributions considered; a pair (L, D) can be decided efficiently on average even if sampling the distribution D is a computationally hard problem. For the reduction, however, we restrict ourselves to polynomial-time samplable distributions. This limitation is crucial, since there exist (not efficiently samplable) distributions D with the property that (L, D) ∈ HeurBPP if and only if L ∈ BPP (see [22] or [5, Section 2.5]). Definition 6.4 (Polynomial-time samplable distributions, (NP, PSamp)). A distribution family D = {D_n}_{n∈N} is polynomial-time samplable, denoted D ∈ PSamp, if there exist a polynomial-time computable function D and a polynomial p(n) such that D(1^n, U_{p(n)}) is distributed according to D_n for every n ∈ N, where U_m denotes the uniform distribution over m-bit strings.
The product set (NP, PSamp) denotes the set of all pairs (L, D) with L ∈ NP and D ∈ PSamp.
Note that the input U_{p(n)} to D above is the only source of randomness used to sample the elements of D_n. In the following we make use of the distribution family U = {U_n}_{n∈N} (clearly, U ∈ PSamp).
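A minimal sketch of the sampler interface in Definition 6.4. The randomness length p(n) = 2n and the particular map D below are hypothetical choices; only the interface D(1^n, U_{p(n)}) matters.

```python
import random

# Toy polynomial-time sampler in the sense of Definition 6.4. Both p and
# the map D are illustrative assumptions, not taken from the paper.
def p(n: int) -> int:
    return 2 * n  # randomness length; any fixed polynomial works

def D(n: int, r: str) -> str:
    """Deterministic polynomial-time map from p(n) random bits to an n-bit sample."""
    assert len(r) == p(n)
    a, b = r[:n], r[n:]  # e.g., XOR the two halves of the randomness
    return "".join(str(int(u) ^ int(v)) for u, v in zip(a, b))

def sample(n: int) -> str:
    """Draw from D_n by feeding D uniform randomness U_p(n)."""
    r = "".join(random.choice("01") for _ in range(p(n)))
    return D(n, r)
```

Note that, as in the text, the input randomness r is the sampler's only source of randomness; this is what makes "preimages of a sample" a meaningful notion later on.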

Impagliazzo and Levin result
In the above terminology, the result of Impagliazzo and Levin [18] can be stated as follows (cf. [5, Thm. 29]). Theorem 6.5 ([18]). If there exists (L, D) ∈ (NP, PSamp) \ HeurBPP, then there exists L′ ∈ NP such that (L′, U) ∉ HeurBPP. In other words, if there exists an average-case hard problem whose distribution is polynomial-time samplable, then there exists an average-case hard problem whose distribution is uniform.

Search problems
The proof of Theorem 6.5 uses the notion of "NP-search problems": for a relation R, let R_L be the corresponding language, i.e., R_L = {y : ∃w : (y, w) ∈ R}. The notion of heuristics naturally generalizes to NP-search problems; the only change is that in case the algorithm claims y ∈ R_L, it additionally has to provide a witness proving that. A search algorithm A always outputs a pair in {0, 1} × {0, 1}*, and we let A_1 be the first component of this pair and A_2 the second, such that the following holds: (1) A_1 is a heuristic for (R_L, D), and (2) A_1(y, 1^n, δ; r) = 1 ⟹ (y, A_2(y, 1^n, δ; r)) ∈ R.
Algorithm A is called a (randomized) heuristic search algorithm for (R, D).

Search problems vs. decision problems
Suppose (L, D) ∈ (NP, PSamp) is a "difficult decision problem". Then any NP-relation associated with L gives a "difficult NP-search problem", because finding a witness also solves the decision problem.
The converse direction is less obvious (recall that even in worst-case complexity, one invokes self-reducibility). Nevertheless, [4] prove the following (see also [5, Thm. 4.5]). Theorem 6.8 ([4]). If every NP-search problem (V, U) is in SearchHeurBPP, then (NP, U) ⊆ HeurBPP. Using Theorem 6.8, the proof of Theorem 6.5 proceeds as follows (see Figure 1): suppose there is a pair (L, D) ∈ (NP, PSamp) \ HeurBPP, and let R be an NP-relation for L. Then (R, D) ∉ SearchHeurBPP (if (R, D) had a search heuristic algorithm, then the first component of this algorithm, i.e., its decision output, would place (L, D) in HeurBPP). The following lemma states that in this case there is a pair (V, U) ∉ SearchHeurBPP, and therefore Theorem 6.8 yields the conclusion. Lemma 6.9 (Impagliazzo and Levin [18] main lemma, reproved here). Assume there exists an NP-search problem (R, D) with D ∈ PSamp such that (R, D) ∉ SearchHeurBPP. Then there is an NP-relation V such that (V, U) ∉ SearchHeurBPP.
Intuitively, Lemma 6.9 states the following: if some sampling algorithm D(1^n, ·) generates hard search problems, then there exists an NP-search problem that is hard over the uniform distribution.
Consider the following application of Lemma 6.9: suppose that one-way functions exist, and let f : {0, 1}^n → {0, 1}^n be a length-preserving one-way function. Let D(1^n, r) be the algorithm that applies f to the input randomness x = r and outputs f(x), and set D = {D_n}_{n∈N} to be the corresponding distribution family. Furthermore, consider the NP-search problem given by the relation R = {(y, x) : f(x) = y}. It is easy to verify that the NP-search problem (R, D) is not in SearchHeurBPP. Lemma 6.9 thus implies that hard problems over the uniform distribution exist, under the assumption that one-way functions exist. However, we knew this before: if one-way functions exist, then UOWHFs also exist. Let F_k be such a family as in Definition 1.1, and consider the relation V = {((z, x), x′) : x′ ≠ x ∧ F_z(x′) = F_z(x)}, which asks us to find a non-trivial collision in F_z with a given x. By the security property of UOWHFs, if we pick (z, x) uniformly at random then this is a hard problem, and it is possible to show that (V, U) ∉ SearchHeurBPP. Thus, Rompel's result already gives the conclusion of Lemma 6.9 under the stronger assumption that one-way functions exist.
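The sampler/relation pair of this application can be sketched as follows. Truncated SHA-256 stands in for the one-way function f; this is a placeholder assumption for illustration, not a proven one-way function.

```python
import hashlib

# Toy instance of the pair (R, D) discussed above: D(1^n, r) applies a
# candidate one-way function f to x = r, and R = {(y, x) : f(x) = y}.
# SHA-256 truncated to the input length stands in for f (an assumption).
def f(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()[:len(x)]  # length-preserving on short inputs

def D(n: int, r: bytes) -> bytes:
    """The sampler D(1^n, r): output f(r)."""
    assert len(r) == n
    return f(r)

def R(y: bytes, x: bytes) -> bool:
    """Witness check for R = {(y, x) : f(x) = y}."""
    return f(x) == y

x = b"secret18"    # the sampler's randomness
y = D(len(x), x)   # solving the search problem on y means inverting f
```

Solving (R, D) on a random sample y amounts to inverting f on f(x) for a random x, which is exactly what one-wayness rules out for efficient algorithms.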
Given the above, it seems natural to ask whether the strategy used for constructing UOWHFs from one-way functions can be used to prove the general case stated in Lemma 6.9. In the following section we answer this question in the affirmative. Specifically, we present an alternative proof of Lemma 6.9 that follows an approach similar to the one taken in the first part of this paper for constructing UOWHFs from one-way functions.

The Valiant-Vazirani lemma
We make use of the Valiant-Vazirani lemma, which originated in [30]: let G be a family of pairwise independent hash functions from {0, 1}^n to {0, 1}^{k+2}, and let S ⊆ {0, 1}^n be a set with 2^k ≤ |S| ≤ 2^{k+1}. Then, with probability at least 1/8 over the choice of g ← G, there is exactly one element x ∈ S with g(x) = 0^{k+2}.
Proof. The probability that g(x) = 0^{k+2} for a fixed x ∈ S is 2^{−(k+2)}. Conditioned on this event, due to the pairwise independence of G, the probability that any other element of S is mapped to 0^{k+2} is at most |S| · 2^{−(k+2)} ≤ 1/2. Hence, each x ∈ S is the unique element mapped to 0^{k+2} with probability at least 2^{−(k+3)}, and summing over the (disjoint) events for the different x ∈ S yields probability at least |S| · 2^{−(k+3)} ≥ 1/8.
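The isolation probability can be checked empirically with a standard pairwise independent family, the affine maps g(x) = Ax + b over GF(2). The set S and all parameters below are toy assumptions for the experiment.

```python
import random

def rand_affine(n, m):
    """Sample g(x) = Ax + b over GF(2): a pairwise independent n-bit to m-bit map."""
    A = [[random.getrandbits(1) for _ in range(n)] for _ in range(m)]
    b = [random.getrandbits(1) for _ in range(m)]
    def g(x):  # x is a tuple of n bits
        return tuple((sum(A[i][j] & x[j] for j in range(n)) + b[i]) % 2
                     for i in range(m))
    return g

def isolation_rate(S, n, k, trials=2000):
    """Empirical Pr over g that exactly one x in S has g(x) = 0^(k+2)."""
    zero = (0,) * (k + 2)
    hits = 0
    for _ in range(trials):
        g = rand_affine(n, k + 2)
        if sum(1 for x in S if g(x) == zero) == 1:
            hits += 1
    return hits / trials

random.seed(0)
n, k = 10, 3
# a toy set S with 2^k <= |S| <= 2^(k+1)
S = {tuple(random.getrandbits(1) for _ in range(n)) for _ in range(12)}
rate = isolation_rate(S, n, k)
```

With |S| around 12 and output length k + 2 = 5, the observed isolation rate comfortably exceeds the 1/8 bound of the lemma.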

Proving Lemma 6.9 via inaccessible entropy
Recall the basic idea underlying the two constructions of UOWHFs from one-way functions presented in the first part of this paper. In a first step, we use the one-way function f to construct a function F that induces a gap between its real and accessible entropy (i.e., F has "inaccessible entropy"). Roughly, the distribution induced by the output of any efficient "collision-finder" algorithm, getting a random x and returning a random x′ ∈ F^{−1}(F(x)), has smaller entropy than that induced by a random preimage of F(x). Afterwards, we use F to build the UOWHF. We want to redo this first step in the current setting. Now, however, it is no longer important to talk about collisions. Thus, we can instead define F such that F^{−1}(y) has some inaccessible entropy for a uniformly random y. This is in fact compatible with the construction given in Section 4.2: it is possible to show that the image of F is close to uniform in case i ≈ H_{f(X)}(f(x)) (recall that i is the number of bits hashed out from f(x) in the definition of F).
Let now (R, D) be an NP-search problem with D ∈ PSamp which is not in SearchHeurBPP. We would like to use a similar approach to define a relation with limited accessible max-entropy. One might suggest that the following search problem has inaccessible entropy: given a four-tuple (n, i, g, z), where g is a pairwise independent hash function and z has i bits, find an input x such that g(D(1^n, x))_{1,...,i} = z. However, it turns out that one does not in fact need the randomness inherent in the choice of z (note that a typical pairwise independent hash function XORs its output with a random string anyhow). Instead, it makes no difference to fix z = 0^i, and we adopt this choice to simplify the notation. The suggested search problem thus becomes: find x with g(D(1^n, x))_{1,...,i} = 0^i for a given triple (n, i, g).
Problems with the above intuition, and postprocessing the witness. A moment of thought reveals that there can be cases where this suggested search problem is easy, for example if the sampler D(1^n, x) simply outputs y = x itself (which is consistent with hardness of (R, D), as finding w with (y, w) ∈ R can still be difficult for a uniformly random y). The solution is easy: ask the solving algorithm to also output a matching witness w with (D(1^n, x), w) ∈ R (ignoring invalid outputs).
Thus, the suggested search problem becomes: "given (n, i, g), find (x, w) such that g(D(1^n, x))_{1...i} = 0^i and (D(1^n, x), w) ∈ R". The hope is then that this search problem has limited accessible entropy in the coordinate corresponding to x (we do not want to talk about the entropy in w, because it arises from the number of witnesses that R admits, and at this point we have no control over this number).
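The bare search problem (without the witness requirement) can be sketched with a brute-force solver. Both the sampler D (here the identity) and the "hash" (XOR with a fixed mask) are toy stand-ins; the identity sampler makes the problem easy, which is exactly the issue the witness requirement above is meant to fix.

```python
import random

# Brute-force sketch of "given (n, i, g), find x with g(D(1^n, x))_{1..i} = 0^i".
def D(n, x):
    return x  # identity sampler: the easy case discussed in the text

def make_g(n, seed):
    """Toy 'hash': XOR with a fixed random mask (an illustrative assumption)."""
    rnd = random.Random(seed)
    mask = [rnd.getrandbits(1) for _ in range(n)]
    return lambda y: [u ^ v for u, v in zip(y, mask)]

def solve(n, i, g):
    """Exhaustively search all 2^n inputs x for one hashing to 0^i."""
    for v in range(2 ** n):
        x = [(v >> j) & 1 for j in range(n)]
        if g(D(n, x))[:i] == [0] * i:
            return x
    return None

n, i = 8, 3
g = make_g(n, seed=1)
x = solve(n, i, g)
```

Such an x is easy to find here; requiring the solver to additionally produce w with (D(1^n, x), w) ∈ R is what reconnects the problem to the hardness of (R, D).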
There is one last small problem to take care of: it is not obvious how to encode n into the search problem, as (n, i, g) does not look like a uniform bitstring of a certain length, even if i and g look random. However, it is possible to ensure that the length of (i, g) uniquely defines n, and we assume that this is done in such a way that n can be easily computed from the length of (i, g).

A Relation with bounded accessible average max-entropy
Using the above discussion, we now finally have enough intuition to define the relation Q. For D ∈ PSamp, we let Canon(D) be an arbitrary polynomial-time sampler for D. Note that the elements of G_m in Construction 6.11 have domain ∪_{i=0}^{m} {0, 1}^i. This somewhat unusual requirement is needed since the sampler might output strings of arbitrary lengths (up to n^d).
From now on, we only consider the case where we have some fixed sampler D in mind. In this case, whenever n is given, we assume that (i, g) are elements satisfying the conditions in Construction 6.11. Furthermore, we assume without loss of generality that (the encoding of) a uniformly random bitstring of the right length induces the uniform distribution on G_{n^d} × [n^d].

Accessible average max-entropy
We next define what it means for an NP-search problem to have limited accessible max-entropy with respect to a part of its witness. This notion is modeled by introducing a function f that outputs the "interesting part" of the witness. For a relation Q and instance y, let S_{Q,f}(y) := {f(w) : (y, w) ∈ Q}. The real average max-entropy of (Q, D) with respect to f is the function H^{Real}_{Q,D,f}(m) := E_{y←D_m}[log |S_{Q,f}(y)|], letting log(0) := −1. In case the relation Q and f are clear from the context, we sometimes write S(y) instead of S_{Q,f}(y).
We next define a useful notion of limited accessible max-entropy in this setting. Here, one should think of algorithm A as an algorithm which, on input y, produces a witness w with (y, w) ∈ Q; it furthermore "aims" to produce witnesses w for which f(w) has as much entropy as possible. The definition bounds this entropy via a family of sets, where Γ = Γ_{Q,f}(y, w) equals f(w) in case (y, w) ∈ Q and equals ⊥ otherwise. The following lemma, proven in Section 6.2.3, states that the relation Q defined in Construction 6.11 has limited accessible max-entropy with respect to the function (x, w) → x. Lemma 6.14 is proven below, and in Section 6.2.4 we use Lemma 6.14 to prove Lemma 6.9. The latter is done by additionally fixing the value of h(x)_{1...j}, where h is an additional random hash function and j is a random integer (in a certain range). The rationale is that an algorithm producing (x, w) with h(x)_{1...j} = 0^j can be used to access max-entropy roughly 2^j.

Proving Lemma 6.14
The proof of Lemma 6.14 follows similar lines to the proof of Theorem 4.5.
Proof (of Lemma 6.14). Let A be an algorithm that "aims to produce max-entropy for Q". Without loss of generality, we assume that A either outputs a valid witness (x, w) for a given input (i, g), or ⊥. We show how to find infinitely many m ∈ N, ε = ε(m) ∈ (0, 1], and an ensemble of set families {L_m = {L_m(i, g)}_{(i,g)∈Q_L}}_{m∈N} with the properties required in the lemma (we write L_m(i, g) instead of L_m(y) because the elements of Q_L are pairs (i, g)). Towards achieving the above, consider the following candidate algorithm B for a search heuristic for (R, D). Let β ∈ N be a constant to be determined by the analysis, let d ∈ N be such that n^d is an upper bound on the runtime of the sampler D (recall that we have fixed D above) on input (1^n, ·), and let ℓ = ℓ(m, ε) be an upper bound on the running time of A on parameters m and ε. Let m(n) be the description length of a pair in [n^d] × G_{n^d}, and let ε(n, δ) = (δ(n)/n^β)^β.
The following discussion is with respect to any fixed pair (n, δ = δ(n)) from the above infinite set.
We present a family of sets {L_m(i, g)}_{(i,g)∈[n^d]×G_{n^d}} for which Equations (26) and (27) hold with respect to algorithm A and f, for the parameters m = m(n), ε = ε(n, δ) = ε(m), and ρ and k as stated in the lemma. Since this holds for any such pair (n, δ), and since m(n) ∈ Ω(n) (and thus there are infinitely many different m's), the lemma follows.
Consider the following set Y, letting D^{−1}(1^n, y) := {x ∈ {0, 1}^{n^d} : D(1^n, x) = y}, and let ℓ = ℓ(m). Note that Y contains all the y's in L for which B_1 is not 2/3-correct, and the above discussion implies an upper bound on the probability mass of Y. Towards defining the sets {L_m(i, g)}, we partition the preimages of the elements in Y into buckets: for i ∈ {0, . . . , n^d − 1}, let L(i) := {x ∈ {0, 1}^{n^d} : D(1^n, x) ∈ Y ∩ {y : H_{D_n}(y) ∈ [i, i + 1)}}, where H_{D_n}(y) = log(1/D_n(y)) is the sample entropy of y with respect to the distribution D_n. In words: L(i) contains those x for which y = D(1^n, x) ∈ Y is an element for which B(y) is unlikely to produce a witness, and for which y has roughly 2^{n^d − i} preimages. For (i, g) ∈ [n^d] × G_{n^d}, the set L_m(i, g) is defined as L_m(i, g) := S(i, g) \ L(i), where S(i, g) is taken from Definition 6.12. In the remainder of the proof we show that, for the right choice of β, Equations (26) and (27) hold; collecting the equations then yields the claim.
For the proof of Claim 6.16, we first need a pairwise-independence analogue of Claim 4.8. The proof is exactly the same, except a bit simpler, as we fix the output w instead of fixing another preimage. We provide it for completeness. Claim 6.17. Let i ∈ [n^d], w ∈ {0, 1}^i and x* ∈ {0, 1}^{n^d} be such that H_{f(X)}(f(x*)) ≥ i. Then, letting (g ∘ f)^{−1}(w) equal the set {x : g(f(x))_{1...i} = w} in case this set is not empty, and {⊥} otherwise.

A difficult problem for the uniform distribution
In this section we show how to transform a uniform search problem with a gap between its real and accessible entropy into a uniform search problem for which no heuristic search algorithm exists (i.e., the problem is not in SearchHeurBPP). Combining this transformation with Lemma 6.14 concludes the proof of Lemma 6.9.
The transformation is achieved by adding an additional restriction on the witness of the given search problem: specifically, requiring its "hash value", with respect to a randomly chosen pairwise independent hash function, to be the all-zero string.
As in Construction 6.18, we assume that the tuples (y, j, g) above can be encoded such that a uniformly random string of the right length decodes to a uniformly random tuple in {0, 1}^n × [n^d + 2] × G_{n^d+2}. Proof. We assume towards a contradiction that (V, U) ∈ SearchHeurBPP, and show that (Q, U) has too high accessible average max-entropy.
Let A be a randomized search heuristic for (V, U). The following algorithm B contradicts the assumption that (Q, U) has i.o. (ε^2/50m^d)-accessible average max-entropy at most H^{Real}_{Q,U,f}(m) − 5εm^d with respect to f. Let ℓ = ℓ(n, δ) be an upper bound on the running time of A on parameters n and δ. Let n(m) be the description length of a triplet in {0, 1}^m × [m^d + 2] × G_{m^d+2}, and let δ(m, ε) = ε^2/100m^d.