Abstract. We establish a framework for bounding the efficiency of cryptographic reductions in terms of their security transfer. While efficiency bounds for the reductions have been studied for about ten years, the main focus has been the efficiency of the construction mostly measured by the number of calls to the basic primitive by the constructed primitive. Our work focuses on the efficiency of the wrapper construction that builds an adversary for the basic primitive and has black-box access to an adversary for the constructed primitive. We present and prove a general upper bound theorem for the efficiency of black-box reductions. We also provide an example about upper bound for reductions between two security notions of cryptographic hash functions, which gives a negative answer to the open question about the existence of linear-preserving reductions from the so-called hash-then-publish time-stamping schemes to the collision resistance of the underlying hash function.