We initiate a complexity-theoretic study of interactive computational puzzles: 2-player interactive games between a polynomial-time public-coin challenger and an attacker satisfying the following two properties:
- Computational Soundness:
There does not exist a probabilistic polynomial-time (PPT) attacker and polynomial such that succeeds in making output 1 with probability for all sufficiently large .
- Completeness:
There exists a negligible function and an inefficient attacker that on input succeeds in making output 1 with probability for all .
In other words, (a) no polynomial-time attacker, , can make output 1 with inverse polynomial probability, yet (b) there exists a computationally unbounded attacker that makes output 1 with overwhelming probability. We refer to as a -round computational puzzle (or simply a -round puzzle) if satisfies the above completeness and computational soundness conditions, while restricting to communicate with in rounds.
As an example of a 2-round puzzle, let be a one-way permutation and consider a game where samples a random and requires the adversary to output a preimage such that . Since is a permutation, this puzzle has “perfect” completeness: an unbounded attacker can always find a pre-image . By the one-wayness of (and the permutation property of , which is what makes the challenger public-coin, since a uniformly random image is distributed exactly like the challenger's coins), we also have that no adversary can find such an (with inverse polynomial probability), and thus soundness holds.
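The 2-round puzzle just described, as an added toy example that is not part of the paper: the permutation is the constructed map x ↦ g^x mod p on {1, …, p−1} with the small, hypothetical parameters p = 101 and g = 2, so the discrete logarithm is not actually hard here. What the code shows is the shape of the game (the public-coin challenger publishes a uniformly random y, which is distributed exactly like f of a random x because f is a permutation, and then only checks the verdict) and the completeness/soundness gap between an exhaustive attacker and an efficient attacker that merely guesses.

```python
# Added example (not from the paper): the 2-round one-way-permutation puzzle,
# instantiated with a constructed toy permutation x -> g^x mod p on {1, ..., p-1}.
import random

P = 101  # prime (constructed toy parameter; far too small for real hardness)
G = 2    # primitive root mod 101, so f is a permutation of {1, ..., 100}


def f(x):
    """The toy 'one-way permutation' f(x) = g^x mod p."""
    return pow(G, x, P)


def is_permutation():
    """Sanity check that f is a bijection on the domain; perfect completeness and
    the public-coin property of the challenger both rely on this."""
    return len({f(x) for x in range(1, P)}) == P - 1


def challenger_message(rng):
    """Round 1 (public coin): the challenger samples a uniformly random y and
    publishes it.  Since f is a permutation, this is the same distribution as
    f(x) for uniform x, so the challenger needs no hidden state at all."""
    return rng.randrange(1, P)


def challenger_verdict(y, x_prime):
    """Round 2 verdict: output 1 iff the attacker's x' is a preimage of y."""
    return isinstance(x_prime, int) and 1 <= x_prime < P and f(x_prime) == y


def unbounded_attacker(y, rng):
    """Exhaustive search over the domain: always wins, so completeness is perfect."""
    for x in range(1, P):
        if f(x) == y:
            return x
    raise ValueError("y not in the range of f")  # impossible for a permutation


def guessing_attacker(y, rng):
    """An efficient attacker that ignores y and guesses; it wins with
    probability exactly 1/(p-1), i.e. negligibly in the instance size."""
    return rng.randrange(1, P)


def play(attacker, trials, seed=0):
    """Run the 2-round game `trials` times and return the attacker's success rate."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        y = challenger_message(rng)
        wins += challenger_verdict(y, attacker(y, rng))
    return wins / trials


if __name__ == "__main__":
    print("f is a permutation:", is_permutation())
    print("unbounded attacker:", play(unbounded_attacker, 50))
    print("guessing attacker :", play(guessing_attacker, 400))
```

Replacing the permutation by a merely one-way function would break the public-coin property: the challenger would then have to sample x privately and send f(x), and a random y would no longer be guaranteed to have a preimage, so completeness would also degrade.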
In fact, the existence of 2-round puzzles is “essentially” equivalent to the existence of an average-case hard problem in : any 2-round puzzle trivially implies a hard-on-average search problem (w.r.t. the uniform distribution) in and thus by [IL90] also a hard-on-average decision problem in . Furthermore, “almost-everywhere” hard-on-average languages in (Footnote 1: That is, a language in such that for every , no PPT attacker can decide random instances with probability greater than for infinitely many (as opposed to all) . Such an “almost-everywhere” notion is more commonly used in the cryptographic literature.) also imply the existence of a 2-round puzzle (by simply sampling many random instances and asking the attacker to provide a witness for at least, say, of the instances). (Footnote 2: The reason we need the language to be almost-everywhere hard-on-average is to guarantee that YES instances exist for every sufficiently large input length, or else completeness would not hold.)
Proposition 1.1 (informally stated).
The existence of an (almost-everywhere) hard-on-average language in implies the existence of a 2-round puzzle. Furthermore, the existence of a 2-round puzzle implies the existence of a hard-on-average language in .
Thus, 2-round puzzles are “morally” (up to the infinitely-often/almost-everywhere issue) equivalent to the existence of a hard-on-average language in . As such, -round puzzles are a natural way to generalize average-case hardness in .
While the game-based modeling in the notion of a puzzle is common in the cryptographic literature (most notably, it is commonly used to model cryptographic assumptions [Nao03, Pas11, GW11]), the complexity-theoretic consequences and properties of puzzles have remained largely unexplored. In this work, we initiate such a treatment. Furthermore, we show that such an interactive treatment of average-case complexity leads to a new tool set also for answering “classic” questions regarding average-case hardness in . Most notably, relying on this interactive treatment of puzzles, we demonstrate the following result:
If is (almost-everywhere) hard-on-average, then either (1) one-way functions exist, or (2) (i.e., the class of total search problems) is hard-on-average.
1.1 The Round-Complexity of Puzzles
Perhaps the most basic question regarding the existence of interactive puzzles is whether the existence of a -round puzzle is actually a weaker assumption than the existence of a round puzzle. In particular, do interactive puzzles actually generalize beyond just average-case hardness in :
Does the existence of a -round puzzle imply the existence of -round puzzle?
At first sight, one would hope the classic “round-reduction” theorem due to Babai-Moran (BM) [BM88] can be applied to collapse any -round puzzle into a 2-round puzzle (i.e., a hard-on-average problem). Unfortunately, while BM’s round reduction technique indeed works for all information-theoretically sound protocols, Wee [Wee06] demonstrated that BM’s round reduction fails for computationally sound protocols. In particular, Wee shows that black-box proofs of security cannot be used to prove that BM’s transformation preserves soundness even when applied to just 3-round protocols, and demonstrates (under computational assumptions) a concrete 4-round protocol for which BM’s round-reduction results in an unsound protocol.
As BM’s round reduction is the only known round-reduction technique (which does not rely on any assumptions), it was generally conjectured that the existence of a -round puzzle is a strictly stronger assumption than the existence of a -round puzzle; in particular, this would imply the existence of infinitely many worlds between Impagliazzo’s Pessiland and Heuristica [Imp95] (i.e., infinitely many worlds where yet average-case hardness does not exist). Further evidence in this direction comes from a work by Gertner et al. [GKM00], which shows a black-box separation between -round puzzles and -round puzzles for a particular cryptographic task (namely that of a key-agreement scheme). (Footnote 3: The example from [GKM00] isn’t quite captured by our notion of a computational puzzle as their challenger is not public coin.)
In contrast to the above negative results, our main technical result provides an affirmative answer to the above question: we demonstrate a round-reduction theorem for puzzles.
Theorem 1.1 (informally stated).
For every constant , the existence of a -round puzzle is equivalent to the existence of a -round puzzle.
In particular, as a corollary of this result, we get that the assumption that a -round puzzle exists is not weaker than the assumption that average-case hardness in exists:
Corollary 1.2 (informally stated).
The existence of an -round puzzle implies the existence of a hard-on-average problem in .
Perhaps paradoxically, we strongly rely on BM’s round reduction technique, yet we rely on a non-black-box security analysis. Our main technical lemma shows that if infinitely-often one-way functions do not exist (i.e., if we can invert any function for all sufficiently large input lengths), then BM’s round reduction actually works. (Footnote 4: Recall that a one-way function is a function that is efficiently computable, yet there does not exist a PPT attacker and polynomial such that inverts with probability for infinitely many input lengths . A function is infinitely-often one-way if the same conditions hold except that we only require that no PPT attacker succeeds in inverting with probability for all sufficiently large ; i.e., it is hard to invert “infinitely often”.)
Lemma 1.2 (informally stated).
Either infinitely-often one-way functions exist, or BM’s round-reduction transformation turns a -round puzzle into a -round puzzle.
Case 2: (Infinitely-often) one-way functions do not exist. In such a world, by Lemma 1.2, BM’s round reduction preserves soundness of the underlying protocol, and thus we obtain a puzzle with one round less. We can next iterate BM’s round reduction any constant number of times.
A natural question is whether we can collapse more than a constant number of rounds. Our next result—which characterizes the existence of -round puzzles—shows that this is unlikely.
Theorem 1.3 (informally stated).
For every , there exists an -round puzzle if and only if .
In particular, if -round puzzles imply -round puzzles, then by combining Theorem 1.1 and Theorem 1.3, we have that implies the existence of a hard-on-average problem in , which seems unlikely. Theorem 1.3 also shows that the notion of an interactive puzzle (with a super constant-number of rounds) indeed is a non-trivial generalization of average-case hardness in .
Theorem 1.3 follows using standard techniques: Any puzzle can be broken using a oracle (as the optimal strategy can be found using a oracle), so if , it can also be broken by a probabilistic polynomial-time algorithm. For the other direction, recall that worst-case to average-case reductions are known for [FF93, BFNW93]. In other words, there exists a language that is hard-on-average assuming . Additionally, recall that is closed under complement. We then construct a puzzle where first samples a hard instance for and then asks to determine whether and next provide an interactive proof, using [Sha92, LFKN92] (which is public-coin), for containment or non-containment in . This puzzle clearly satisfies the completeness condition. Computational soundness, on the other hand, follows directly from the hard-on-average property of (and the unconditional soundness of the interactive proof of [Sha92]).
We next present some complexity-theoretic consequences of our treatment of interactive computational puzzles.
1.2 Perfect Completeness and Hardness
We consider two fundamental open problems in complexity theory:
Does the existence of a hard-on-average language in imply the existence of one-way function?
Does the existence of a hard-on-average language in imply the existence of a hard problem in (i.e., the class of total search problems)?
Roughly speaking, our main corollary demonstrates that one of the above open problems has a positive answer. Let us elaborate.
One-way functions from Average-case Hardness
Perhaps the most important open problem in the foundations of cryptography is whether the existence of a hard-on-average problem in implies the existence of one-way functions. One-way functions are both necessary [IL89] and sufficient for many of the central cryptographic tasks (e.g., pseudorandom generators [HILL99], pseudorandom functions [GGM84], private-key encryption [GM84, BM88]). In more complexity-theoretic terms, one-way functions are equivalent to the existence of an efficient method for sampling hard instances in together with their witnesses. (Footnote 5: To see why the existence of such a sampling method implies the existence of one-way functions, consider the function which takes the random coins used by the sampling method and outputs the instance generated by it.) Impagliazzo refers to a world where hard-on-average problems in exist, but one-way functions do not, as Pessiland [Imp95].
As far as we know, there are only two approaches towards demonstrating the existence of one-way functions from average-case hardness: (1) Ostrovsky and Wigderson [OW93a] demonstrate such an implication assuming that has zero-knowledge proofs [GMW91]; (2) Komargodski et al. [KMN14] demonstrate the implication (in fact, an even stronger implication, showing that worst-case hardness of implies one-way functions) assuming the existence of indistinguishability obfuscators [BGI01]. Neither of these additional assumptions is known to imply one-way functions on its own (in fact, both unconditionally exist if ).
Another central problem in complexity theory concerns the hardness of total search problems [MP91]: the class (total function ) is the search analog of with the additional guarantee that every instance has a solution. In other words, is the class of search problems in (i.e., ). In recent years, has attracted extensive attention due to its natural syntactic subclasses that capture the computational complexity of important search problems from algorithmic game theory, combinatorial optimization and computational topology; perhaps most notable among those are the classes [Pap94, GP16], which characterizes the hardness of computing Nash equilibria [DGP09, CDT09, DP11], and [JPY85], which characterizes the hardness of local search. A central open problem is whether (average-case) hardness implies (average-case) hardness. A recent elegant result by Hubacek, Naor, and Yogev [HNY17] shows that under “derandomization” assumptions [NW94, IW97, MV05, BOV07] (the existence of certain Nisan-Wigderson (NW) [NW94] type pseudorandom generators that fool non-deterministic bounded-size circuits), (almost-everywhere) average-case hardness of implies average-case hardness of . (Footnote 6: Such pseudorandom generators are known to exist based on the assumption that has a function of nondeterministic circuit complexity [MV05].) As a consequence, they showed that in Pessiland, is average-case hard under NW-type derandomization assumptions.
But it remains open whether just average-case hardness of suffices. (Footnote 7: They also show that average-case hardness of implies an average-case hard problem in (i.e., with a non-uniform verifier). In essence, this follows since non-uniformity enables unconditional derandomization.) Hubacek et al. also present another condition under which is average-case hard: assuming the existence of one-way functions and non-interactive witness-indistinguishable proofs (NIWI) [FS90, DN00, BOV07] for .
Hardness in Pessiland
By using our interactive average-case hardness treatment, we are able to unconditionally show that in Pessiland (where is hard-on-average but one-way functions do not exist), is hard (on average).
More precisely, we show that one of the above open problems must have a positive resolution: The existence of an (almost-everywhere) hard-on-average problem in unconditionally implies either (1) one-way functions, or (2) average-case hardness of .
Theorem 1.4 (informally stated).
If contains an (almost-everywhere) hard-on-average problem, then either (1) one-way functions exist, or (2) is hard-on-average.
By combining Theorem 1.4 with the result of [HNY17] (that NIWI for and one-way functions imply hardness of ), we get that it suffices to assume NIWI for and an (almost-everywhere) hard-on-average problem in to conclude hardness of . As far as we know, this constitutes the first result where witness indistinguishability [FS90] can be non-trivially used without assuming the existence of one-way functions.
Theorem 1.4 is proven in the following steps: (1) As mentioned above, an (almost-everywhere) hard-on-average problem in yields a 2-round puzzle; (2) We can next use a standard technique from the literature on interactive proofs (namely the result of [FGM89]) to turn this puzzle into a 3-round puzzle with perfect completeness. (3) We next observe that the BM transformation preserves perfect completeness of the protocol. Thus, by Lemma 1.2, either infinitely-often one-way functions exist, or we can get a 2-round puzzle with perfect completeness. (4) We finally observe that the existence of a 2-round puzzle with perfect completeness is (syntactically) equivalent to the existence of a hard-on-average problem in (with respect to the uniform distribution on instances).
The above proof approach actually only concludes a slightly weaker form of Theorem 1.4: we only show that either is hard or infinitely-often one-way functions exist. But we can also get the proof of the stronger conclusion (i.e., conclude the existence of standard, “almost-everywhere”, one-way functions) by noting that an almost-everywhere hard-on-average language in actually implies a 2-round puzzle satisfying an “almost-everywhere” notion of soundness, and for such “almost-everywhere puzzles”, Lemma 1.2 can be strengthened to show that either one-way functions exist, or BM’s round-reduction works. (Footnote 8: More precisely, the variant of Lemma 1.2 says that either one-way functions exist, or the existence of a -round almost-everywhere puzzle yields the existence of a -round puzzle (with the standard, infinitely-often, notion of soundness).)
1.3 The Complexity of Non-trivial Public-coin Arguments
Soon after the introduction of interactive proofs by Goldwasser, Micali and Rackoff [GMR89] and Babai and Moran [BM88], Brassard, Chaum and Crepeau [BCC88] introduced the notion of an interactive argument. Interactive arguments are defined identically to interactive proofs, but the soundness condition is relaxed to only hold with respect to non-uniform algorithms (i.e., no non-uniform algorithm can produce proofs of false statements, except with negligible probability).
Interactive arguments have proven extremely useful in the cryptographic literature, most notably due to the feasibility (assuming the existence of collision-resistant hash functions) of succinct public-coin argument systems for , namely argument systems with sublinear, or even polylogarithmic, communication complexity [Kil92, Mic00]. Under widely believed complexity assumptions (i.e., not being solvable in subexponential time), interactive proofs cannot be succinct [GH98].
A fundamental problem regarding interactive arguments involves characterizing the complexity of non-trivial argument systems, namely interactive arguments that are not interactive proofs (in other words, the soundness condition is inherently computational). While we do not have an explicit reference for the discussion of non-trivial arguments (Footnote 9: Wee [Wee05] considers a notion of a non-trivial argument, but his notion refers to what today is called a succinct argument.), this notion and the problem of understanding whether the existence of non-trivial arguments implies some notion of one-wayness or average-case hardness in has been discussed in the community for at least fifteen years.
We focus our attention on public-coin arguments (similar to our treatment of puzzles). Using our interactive-average-case hardness treatment, we are able to establish an “almost-tight” characterization of constant-round public-coin non-trivial arguments.
Theorem 1.5 (informally stated).
The existence of a -round public-coin non-trivial argument for any language implies a hard-on-average language in . Conversely, the existence of a hard-on-average language in implies an (efficient-prover) 2-round public-coin non-trivial argument for .
The first part of the theorem is shown by observing that any public-coin non-trivial argument can be turned into a non-uniform puzzle (where the challenger is a non-uniform algorithm), and next observing that our round-collapse theorem also applies to non-uniform puzzles. The second part follows from the observation that we can take any proof for some language and extend it into a 2-round argument where the verifier samples a random statement from a hard-on-average language and next requires the prover to provide a witness that either or . Completeness follows trivially, and computational soundness follows directly if is sufficiently hard-on-average (in the sense that it is hard to find witnesses to true statements with inverse polynomial probability). This argument system is not a proof, though, since by the hard-on-average property of , there must exist infinitely many input lengths for which random instances are contained in with inverse polynomial probability.
We finally observe that the existence of -round non-trivial public-coin arguments is equivalent to .
Theorem 1.6 (informally stated).
For every , there exists an (efficient-prover) -round non-trivial public-coin argument (for ) if and only if .
The “only-if” direction follows just as the only-if direction of Theorem 1.3. The “if” direction follows by combining a standard proof with the puzzle from Theorem 1.3 (which becomes sound w.r.t. non-uniform attackers assuming ), and requiring the prover to either provide the witness, or to provide a solution to the puzzle.
Our results reveal that an interactive notion of average-case hardness (i.e., interactive computational puzzles) is intriguing not only in its own right, but also leads to insights into classic questions in complexity theory and cryptography; most notably, we are able to unconditionally establish that is (average-case) hard in Pessiland.
Theorem 1.3 demonstrates that there may exist a natural hierarchy of average-case hard problems between and , characterized by the round complexity of the puzzles. By Theorem 1.1, gaps in the hierarchy need to come from super-constant increases in the number of rounds. We leave open the intriguing question of characterizing the complexity of -round puzzles for ; most notably, the question of understanding the complexity-theoretic implications of -round puzzles is open.
1.5 Proof Overview for Lemma 1.2
We here provide a proof overview of our main technical lemma. As mentioned, we shall show that if one-way functions do not exist, then Babai-Moran’s round reduction method actually works. Towards this we will rely on two tools:
Pre-image sampling. By the result of Impagliazzo and Levin [IL90], the existence of so-called “distributional one-way functions” (functions for which it is hard to sample a uniform pre-image) implies the existence of one-way functions. So if one-way functions do not exist, we have that for every efficient function , given a sample for a random input , we can efficiently sample a (close to random) pre-image .
Raz’s lemma. -bit random variables conditioned on some event that happens with sufficiently large probability , then the conditional distribution of a randomly selected index will be close to uniform. More precisely, the statistical distance will be , so even if is tiny, as long as we have sufficiently many repetitions , the distance will be small. (Footnote 10: Earlier works [HPWP10, CP15] always used Raz’s lemma when was non-negligible. In contrast, we will here use it also when is actually negligible.)
To see how we will use these tools, let us first recall the BM transformation (and its proof for the case of information-theoretically sound protocols). To simplify our discussion, we here focus on showing how to collapse a 3-round public-coin protocol between a prover and a public-coin verifier into a 2-round protocol. We denote a transcript of the 3-round protocol where and are the prover messages and is the randomness of the verifier. Let be the length of the prover message. The BM transformation collapses this protocol into a 2-round protocol in the following two steps:
- Step 1: Reducing soundness error:
First, use a form of parallel repetition to make the soundness error (i.e., extremely small). More precisely, consider a 3-round protocol where first still sends just , next the verifier picks random strings , and finally needs to provide accepting answers to all of the queries (so that for every , is an accepting transcript).
- Step 2: Swap order of messages:
Once the soundness error is small, yet the length of the first message is short, we can simply allow the prover to pick its first message after having seen . In other words, we now have a 2-round protocol where first picks , then the prover responds by sending . This swapping preserves soundness by a simple union bound: since (by soundness) for every string , the probability over that there exists some accepting response is , it follows that with probability at most over , there exists some that has an accepting (as the number of possible first messages is ). Thus soundness still holds (with a degradation) if we allow to choose after seeing .
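The two BM steps, carried out on a constructed toy 3-round public-coin protocol as an added example (not code from the paper). The protocol is information-theoretically sound, so the union-bound argument above applies exactly; the verifier predicate, the parameters ELL and N, and the helper names are all our own choices. The prover commits to a one-bit first message a, the verifier sends a random N-bit r, and the verifier accepts only if the prover echoes r and a equals the parity of r, so a prover that does not yet know r can only guess the parity (soundness error 1/2). The collapsed protocol lets the prover choose a after seeing all k challenges; the code enumerates every challenge vector and computes the optimal cheating prover's exact success probability, which can be compared against the bound 2^ell · eps^k.

```python
# Added example (not from the paper): the Babai-Moran round reduction applied to
# a constructed toy 3-round public-coin protocol, with the exact soundness error
# of the collapsed 2-round protocol compared against the union bound 2^ell * eps^k.
from itertools import product

ELL = 1  # bit-length of the prover's first message a (constructed parameter)
N = 3    # bit-length of the verifier's public-coin challenge r (constructed parameter)
BITS = (0, 1)


def parity(bits):
    return sum(bits) % 2


def accept(a, r, b):
    """Verifier predicate V(a, r, b) of the toy protocol (the 'statement' being
    proved is false by construction): accept iff b == r and parity(r) == a[0].
    The prover fixes a before seeing r, so in the 3-round protocol it can only
    guess the parity of r; the best cheating prover wins with probability 1/2."""
    return b == r and parity(r) == a[0]


def best_response(a, r):
    """Unbounded prover's best second message for (a, r), or None if no b is accepting."""
    for b in product(BITS, repeat=N):
        if accept(a, r, b):
            return b
    return None


def soundness_3round():
    """eps = max over a of Pr_r[some accepting b exists] in the original protocol."""
    best = 0.0
    for a in product(BITS, repeat=ELL):
        good = sum(1 for r in product(BITS, repeat=N) if best_response(a, r) is not None)
        best = max(best, good / 2 ** N)
    return best


def collapsed_accept(a, rs, bs):
    """Step 1 (k-fold parallel repetition) + Step 2 (swap of message order):
    the verifier sends r_1..r_k first; the prover then answers with a single
    first message a and responses b_1..b_k, and every (a, r_i, b_i) must accept."""
    return all(accept(a, r, b) for r, b in zip(rs, bs))


def collapsed_cheat(rs):
    """Optimal cheating prover for the collapsed protocol: it sees every r_i
    before choosing a, so it simply tries all 2^ell first messages."""
    for a in product(BITS, repeat=ELL):
        bs = [best_response(a, r) for r in rs]
        if all(b is not None for b in bs):
            assert collapsed_accept(a, rs, bs)
            return a, bs
    return None


def soundness_collapsed(k):
    """Exact success probability of collapsed_cheat over all k-tuples of challenges."""
    total = wins = 0
    for rs in product(product(BITS, repeat=N), repeat=k):
        total += 1
        if collapsed_cheat(rs) is not None:
            wins += 1
    return wins / total


def union_bound(k):
    """BM's bound for the collapsed protocol: 2^ell * eps^k."""
    return 2 ** ELL * soundness_3round() ** k


if __name__ == "__main__":
    for k in (1, 3, 5):
        print(f"k={k}: exact={soundness_collapsed(k):.4f}  bound={union_bound(k):.4f}")
```

With k = 1 the swap alone is useless (the prover wins with probability 1, matching the bound 2 · 1/2), which is why Step 1 has to drive eps^k below 2^-ell before Step 2 is applied. For this toy the bound is tight, because for each challenge vector exactly one value of a is consistent with all parities. The paper's point is that this whole analysis is about transcripts that do not exist; for a computationally sound protocol the accepting responses exist but are hard to find, and the union bound says nothing.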
For the case of computationally sound protocols, the “logic” behind both steps fails: (1) it is not known how to use parallel repetition to reduce soundness error beyond being negligible; (2) the union bound cannot be applied since, for computationally sound protocols, it is not the case that accepting responses do not exist, rather, they are just hard to find. Yet, as we shall see, using the above tools, we present a different proof strategy. More precisely, to capture computational hardness, we show a reduction from any polynomial-time attacker that breaks soundness of the collapsed protocol with some inverse polynomial probability , to a polynomial-time attacker that breaks soundness of the original 3-round protocol.
starts by sampling a random string and computes ’s response given this challenge . If the response is not an accepting transcript, simply abort; otherwise, take and forward externally as ’s first message. (Since is successful in breaking soundness, we have that won’t abort with probability .) Next, gets a verifier challenge from the external verifier and needs to figure out how to provide an answer to it. If is lucky and is one of the challenges in , then could provide the appropriate message, but this unfortunately will only happen with negligible probability. Rather, will try to get to produce another accepting transcript that (1) still contains as the prover’s first message (i.e., ), and (2) contains in some coordinate of . To do this, will consider the function —which runs (i.e., has its randomness fixed to ) and outputs if is accepting and otherwise—and runs the pre-image sampler for this function on to recover some new verifier challenge, randomness, index tuple which leads to produce a transcript of the desired form, and can subsequently forward externally the ’th coordinate of as its response and convince the external verifier.
So, as long as the pre-image sampler indeed succeeds with high enough probability, we have managed to break soundness of the original 3-round protocol. The problem is that the pre-image sampler is only required to work given outputs that are correctly distributed over the range of the function , and the input that we now feed it may not be so: for instance, perhaps chooses the string as a function of . So, whereas the marginal distributions of both and are correct, the joint distribution is not. In particular, the distribution of conditioned on may be off. We, however, show how to use Raz’s lemma to argue that if the number of repetitions is sufficiently bigger than the length of , the conditional distribution of cannot be too far off from being uniform (and thus the pre-image sampler will work). On a high level, we proceed as follows:
Note that in the one-way function experiment, we can think of the output distribution of on a random input, as having been produced by first sampling and next, if , sampling conditioned on the event that generates a successful transcript with first-round prover message , and finally sampling a random index and outputting and (and otherwise output ).
Note that by an averaging argument, we have that with probability at least over the choice of , (otherwise, the probability that succeeds would need to be smaller than , which is a contradiction).
Thus, whenever we pick such a “good” (i.e., a such that ), by Raz’s lemma the distribution of for a random can be made close to uniform for any polynomial by choosing to be sufficiently large (yet polynomial). Note that even though the lower bound on is negligible, the key point is that it is independent of , and as such we can still rely on Raz’s lemma by choosing a sufficiently large . (As we pointed out above, this usage of Raz’s lemma even on very “rare” events, with negligible probability mass, is different from how it was previously applied to argue soundness for computationally sound protocols [HPWP10, CP15].)
It follows that conditioned on picking such a “good” , the pre-image sampler will also successfully generate correctly distributed preimages if we feed it where is randomly sampled. But this is exactly the distribution that feeds to the pre-image sampler, so we conclude that with probability over the choice of , will manage to convince the outside verifier with probability close to 1.
This concludes the proof overview for 3-round protocols. When the protocol has more than 3 rounds, we can apply a similar method to collapse the last rounds of the protocol. The analysis now needs to be appropriately modified to condition also on the prefix of the partial execution up until the last rounds.
We assume familiarity with basic concepts such as Turing machines, interactive Turing machines, polynomial-time algorithms, probabilistic polynomial-time algorithms (), non-uniform polynomial-time and non-uniform algorithms. A function is said to be negligible if for every polynomial there exists some such that for all , . For any two random variables and , we let denote the statistical distance between and .
Basic Complexity Classes
Recall that is the class of languages decidable in polynomial time (i.e., there exists a polynomial-time algorithm such that for every , ), is the class of languages decidable in non-uniform polynomial time, and is the class of languages decidable in probabilistic polynomial time with probability (i.e., there exists a such that for every , where we abuse notation and define if and otherwise).
We refer to a relation over pairs as being polynomially bounded if there exists a polynomial such that for every , . We denote by the language characterized by the “witness relation” —i.e., iff there exists some such that . We say that a relation is polynomial-time (resp. non-uniform polynomial-time) if is polynomially-bounded and the languages consisting of pairs is in (resp. ). (resp ) is the class of languages for which there exists a polynomial-time (resp. non-uniform polynomial-time) relation such that iff there exists some such that .
A search problem is simply a polynomially-bounded relation. We say that the search problem is solvable in polynomial-time (resp. non-uniform polynomial time) if there exists a polynomial-time (resp. non-uniform polynomial-time) algorithm that for every outputs a “witness” such that . Analogously, is solvable in if there exists some that for every outputs a “witness” such that with probability .
An search problem is total if for every there exists some such that (i.e., every instance has a witness). We refer to (function NP) as the class of search problems and (total-function ) as the class of total search problems.
2.1 One-way functions
We recall the definition of one-way functions (see e.g., [Gol01]). Roughly speaking, a function is one-way if it is polynomial-time computable, but hard to invert for attackers. The standard (cryptographic) definition of a one-way function requires every attacker to fail (with high probability) on all sufficiently large input lengths. We will also consider a weaker notion of an infinitely-often one-way function [OW93a] which only requires the attacker to fail for infinitely many input lengths (in other words, there is no attacker that succeeds on all sufficiently large input lengths, analogously to complexity-theoretic notions of hardness).
Let be a polynomial-time computable function. is said to be a one-way function (OWF) if for every algorithm , there exists a negligible function such that for all ,
is said to be an infinitely-often one-way function (ioOWF) if the above condition holds for infinitely many (as opposed to all).
We may also consider a notion of a non-uniform (a.k.a. “auxiliary-input”) one-way function, which is identically defined except that (a) we allow to be computable by a non-uniform , and (b) the attacker is also allowed to be a non-uniform .
2.2 Interactive Proofs and Arguments
We recall basic definitions of interactive proofs [GMR89, BM88] and arguments [BCC88]. An interactive protocol is a pair of interactive Turing machines; we denote by the output of in an interaction between and on common input .
An interactive protocol is an interactive proof system for a language , if is and the following conditions hold:
- Completeness:
There exists a negligible function such that for every ,
- Soundness:
For every Turing machine , there exists a negligible function such that for every ,
If the soundness condition is relaxed to only hold for all non-uniform , we refer to as an interactive argument for . We refer to as a public-coin proof/argument system if simply sends the outcomes of its coin tosses to the prover (and only performs computation to determine its final verdict).
Whenever , we say that has an efficient prover if there exists some witness relation that characterizes (i.e., ) and a PPT such that satisfies the completeness condition for every .
2.3 Average-Case Complexity
We recall some basic notions from average-case complexity. A distributional problem is a pair where and is a ; we say that is an (resp. ) distributional problem if (resp. ). Roughly speaking, a distributional problem is hard-on-average if there does not exist some algorithm that can decide instances drawn from with probability significantly better than .
Definition 2.3 (-hard-on-the-average).
We say that a distributional problem is -hard-on-the-average (-HOA) if there does not exist some such that for every sufficiently large ,
We say that a distributional problem is simply hard-on-the-average (HOA) if it is -HOA for some .
We also define a notion of HOA w.r.t. non-uniform algorithms (nuHOA) in exactly the same way, but where we allow to be a non-uniform (as opposed to just a ).
The above notion of average-case hardness (traditionally used in the complexity-theory literature) is defined analogously to the notion of an infinitely-often one-way function: we simply require every “decider” to fail for infinitely many . For our purposes, we will also rely on an “almost-everywhere” notion of average-case hardness (similar to standard definitions in cryptography, and analogous to the definition of a one-way function), where we require that every decider fails on all (sufficiently large) input lengths.
Definition 2.4 (almost-everywhere hard-on-the-average (aeHOA)).
We say that a distributional problem is almost-everywhere hard-on-the-average (-aeHOA) if there does not exist some such that for infinitely many ,
We say is almost-everywhere hard-on-the-average (aeHOA) if is -aeHOA for some .
We move on to defining hard-on-the-average search problems. A distributional search problem is a pair where is a search problem and is a . If is an search problem (resp. search problem), we refer to as an distributional (resp. ) search problem.
Definition 2.5 (hard-on-the-average search (SearchHOA)).
We say that a distributional search problem is -hard-on-the-average (-SearchHOA) if there does not exist some such that for every sufficiently large ,
is simply SearchHOA if there exists such that is -SearchHOA.
We can analogously define an almost-everywhere notion, aeSearchHOA, of SearchHOA (by replacing “for every sufficiently large ” with “for infinitely many ”), as well as a non-uniform notion, nuSearchHOA (by replacing with non-uniform ).
The following lemmas, which essentially follow directly from the results of [IL90, BCGL92, Tre05], will be useful to us. (These results were originally only stated for the standard notion of HOA, whereas we will require them also for the almost-everywhere notion; as we explain in more detail in Appendix A, these results however directly apply also for the almost-everywhere notion of HOA.) The first result, from [IL90] (combined with [Tre05]), shows that without loss of generality we can restrict our attention to the uniform distribution over statements ; we denote by a such that simply samples a random string in .
Lemma 2.1 (Private to public distributions).
Suppose there exists a distributional problem that is HOA (resp., aeHOA or nuHOA). Then, there exists a polynomial and an -language such that is HOA (resp. aeHOA or nuHOA).
The next result, from [Tre05], shows that when the distribution over instances is uniform, we can amplify the hardness.
Lemma 2.2 (Hardness amplification).
Let be a polynomial and suppose there exists a distributional -problem that is HOA (resp., aeHOA or nuHOA). Then, for every , there exists some polynomial and language such that is -HOA (resp., -aeHOA or -nuHOA).
Lemma 2.3 (Search to decision).
Suppose there exists a distributional (resp. ) search problem that is SearchHOA (resp., nuSearchHOA). Then, there exists a polynomial and an (resp. ) language such that is HOA (resp., nuHOA).
3 Interactive Computational Puzzles
Roughly speaking, an interactive computational puzzle is described by an interactive polynomial-time public-coin challenger having the property that (a) there exists an inefficient that succeeds in convincing with probability negligibly close to 1, yet (b) no attacker can make output 1 with inverse polynomial probability for sufficiently large .
Definition 3.1 (interactive puzzle).
An interactive algorithm is referred to as a -round (computational) puzzle if the following conditions hold:
- -round public-coin:
is an (interactive) that on input (a) only communicates in communication rounds, (b) simply sends the outcomes of its coin tosses in each communication round, and (c) only performs some deterministic computation to determine its final verdict (after having received the message in round ).
There exists a (possibly unbounded) Turing machine and a negligible function such that for all ,
- Computational Soundness:
There does not exist a machine and polynomial such that for all sufficiently large ,
In other words, a -round puzzle, , gives rise to an -round public-coin interactive proof (where ) for the “trivial” language with the property that there does not exist a prover that succeeds in convincing the verifier with inverse polynomial probability for all sufficiently large .
We may also define an almost-everywhere notion of a puzzle by replacing “for all sufficiently large ” in the soundness condition with “for infinitely many ”, and a non-uniform notion of a puzzle which allows both and to be non-uniform (as opposed to just ).
A puzzle is said to have perfect completeness if the “completeness error”, , is 0—in other words, the completeness condition holds with probability 1.
One can consider a more relaxed notion of a -puzzle for , where the completeness condition is required to hold with probability for every sufficiently large , and the soundness condition holds with probability for every sufficiently large . But, by “Chernoff-type” parallel-repetition theorems for computationally-sound public-coin protocols [PV12, HPWP10, CL10, CP15], the existence of such a -round -puzzle implies the existence of a -round puzzle. The same holds for almost-everywhere (resp. non-uniform) puzzles.
3.1 Characterizing 2-round Puzzles
In this section we make some basic observations regarding 2-round puzzles; these results mostly follow from standard results in the literature. We begin by observing that the existence of ioOWFs implies the existence of 2-round puzzles.
Assume the existence of ioOWFs (resp. non-uniform ioOWFs). Then, there exists a -round puzzle (resp. non-uniform puzzle).
Proof: By the result of Rompel [Rom90] (see also [KK05, HHR10]), we have that ioOWFs imply the existence of infinitely-often “second-preimage” resistant hash-function families that compress bits to bits. [Footnote 11: Roughly speaking, a family of public-coin hash functions having the property that for a random and random input , it is hard for any to find a different of the same length that collides with under (that is, , yet ).] Rompel’s theorem was only stated for standard OWFs (as opposed to ioOWFs), but the construction and proof directly work for the infinitely-often variant as well. This, in turn, directly yields a simple 2-round puzzle where the challenger uniformly samples a hash function and input and sends to the adversary; accepts a response if , and . Since the hash function is compressing, there exists a negligible function such that with probability a random will have a “collision” , and thus an unbounded can easily find a collision; completeness follows. Computational soundness, on the other hand, follows directly from the (infinitely-often) second-preimage resistance property. The same result holds also if we start with non-uniform ioOWFs, except that we now get a non-uniform puzzle.
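To make the 2-round puzzle of this proof concrete, the following toy model is an added example (not code from the paper): the challenger samples a hash key and a uniformly random input, and the attacker must return a different input that collides with it. The "unbounded" attacker is modelled by brute force over a tiny domain, so the completeness claim (a random input almost always has a collision partner when the hash compresses) can be measured directly. The keyed, truncated SHA-256 family and the small parameters are assumptions of this illustration, standing in for the abstract second-preimage resistant family.

```python
"""Toy model of the 2-round puzzle built from a compressing hash family
(added example; the keyed, truncated SHA-256 and the tiny parameters are
assumptions of this toy, not the paper's construction)."""
import hashlib
import random


def h(key: bytes, x: int, n_bits: int, m_bits: int) -> int:
    """Keyed hash from n_bits-bit inputs to m_bits-bit outputs (compressing when m < n)."""
    data = key + x.to_bytes((n_bits + 7) // 8, "big")
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return digest & ((1 << m_bits) - 1)


def challenge(rng: random.Random, n_bits: int):
    """Round 1: C sends its coin tosses, i.e. a hash key and a uniformly random input x."""
    key = rng.getrandbits(128).to_bytes(16, "big")
    x = rng.getrandbits(n_bits)
    return key, x


def verify(key: bytes, x: int, response, n_bits: int, m_bits: int) -> bool:
    """Round 2 verdict: accept iff the response is a *different* n-bit input
    that collides with x under the keyed hash (a second preimage)."""
    if response is None or response == x:
        return False
    if not 0 <= response < (1 << n_bits):
        return False
    return h(key, response, n_bits, m_bits) == h(key, x, n_bits, m_bits)


def unbounded_attacker(key: bytes, x: int, n_bits: int, m_bits: int):
    """Stands in for the inefficient prover: enumerate the whole input domain."""
    target = h(key, x, n_bits, m_bits)
    for cand in range(1 << n_bits):
        if cand != x and h(key, cand, n_bits, m_bits) == target:
            return cand
    return None  # x has no collision partner: this is the completeness-error event


def run_puzzle(seed: int, n_bits: int, m_bits: int) -> bool:
    """One full interaction between C and the brute-force attacker; returns C's verdict."""
    rng = random.Random(seed)
    key, x = challenge(rng, n_bits)
    return verify(key, x, unbounded_attacker(key, x, n_bits, m_bits), n_bits, m_bits)


def completeness_estimate(n_bits: int, m_bits: int, trials: int, seed: int) -> float:
    """Fraction of random challenges that the brute-force attacker solves."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        key, x = challenge(rng, n_bits)
        wins += verify(key, x, unbounded_attacker(key, x, n_bits, m_bits), n_bits, m_bits)
    return wins / trials


if __name__ == "__main__":
    # 12-bit inputs compressed to 8 bits: essentially every x has a partner.
    print("compressing  :", completeness_estimate(12, 8, 40, 1))
    # 12-bit inputs to 12 bits: no compression, so roughly a 1/e fraction of
    # inputs have no partner and completeness fails noticeably.
    print("length-preserving:", completeness_estimate(12, 12, 100, 1))
```

The length-preserving run is included only to show why the proof needs a compressing family: without compression a constant fraction of random challenges has no second preimage at all, so even an unbounded attacker cannot win them. Soundness is not exercised by this toy, since a 12-bit domain is trivially searchable; it is only the structure of the game and its completeness argument that the code illustrates.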
We turn to showing that any aeHOA distributional problem implies a 2-round puzzle. (In fact, it even implies an almost-everywhere puzzle.)
Suppose there exists a distributional problem that is aeHOA. Then there exist an (almost-everywhere) -round puzzle.
Proof: Assume there exists a distributional problem such that and is aeHOA. From Lemma 2.2 and Lemma 2.1, we can conclude that there exists a polynomial and a distributional problem that is -aeHOA for . Let be some relation corresponding to . Consider a puzzle where samples a random and accepts a response if . We will show that is a -puzzle, which by Remark 3.1 implies the existence of a 2-round almost-everywhere puzzle. To show completeness, consider an inefficient algorithm that on input tries to find a witness (using brute force) such that and, if it is successful, sends it to (and otherwise simply aborts). Observe that for all sufficiently large , for a random we have that ; otherwise, can be decided with probability for infinitely many , contradicting its -aeHOA property. [Footnote 12: Note that this is where we are crucially relying on the almost-everywhere hardness of the distributional problem.] It follows that for all sufficiently large , convinces with probability , and thus completeness of follows.
To prove soundness, assume for contradiction that there exists a algorithm such that for infinitely many . Consider the machine that runs and outputs 1 if outputs a valid witness for , and otherwise outputs a random bit. By definition, solves the distributional problem with probability for infinitely many , which contradicts the -aeHOA property of .
We now turn to showing that 2-round puzzles imply a HOA distributional problem. It will be useful for the sequel to note that the same result also holds in the non-uniform setting.
Suppose there exists a -round puzzle (resp. a non-uniform puzzle). Then, there exists a distributional problem (resp. distributional problem) that is HOA (resp. nuHOA).
Proof: Let be a 2-round puzzle (resp. 2-round non-uniform puzzle). Let be an upper bound on the amount of randomness used by . Consider the -relation (resp. -relation) that includes all tuples such that, given randomness , accepts upon receiving , and the sampler that picks a random and outputs . We argue next that is -SearchHOA (resp. -nuSearchHOA), which concludes the proof by applying Lemma 2.3. Assume for contradiction that there exists a (resp. non-uniform ) machine that solves with probability for all . By the completeness of , there exists some such that for every , . This implies that for all , for at most an fraction of -bit strings , . In particular, for every , for a random , must output a valid witness for with probability , and can thus be used to break the soundness of the puzzle with probability for all sufficiently large , which is a contradiction.
If the 2-round puzzle has perfect completeness, essentially the same proof gives a SearchHOA problem in as the relation constructed in the proof of Lemma 3.4 is total if the puzzle has perfect completeness.
Suppose there exists a -round puzzle (resp. almost-everywhere puzzle) with perfect completeness. Then, there exists some search problem and some such that the distributional search problem is SearchHOA (resp. aeSearchHOA).
4 The Round-Collapse Theorem
In this section, we prove our main technical lemma—a round-collapse theorem for -round puzzles.
4.1 An Efficient Babai-Moran Theorem
Our main lemma shows that if ioOWFs do not exist, the Babai-Moran transformation preserves computational soundness.
Assume there exists a -round puzzle such that . Then, either there exists an ioOWF, or there exists a -round puzzle. Moreover, if the -round puzzle has perfect completeness, then either there exists an ioOWF, or a -round puzzle with perfect-completeness.
Proof: Consider some -round puzzle and assume for contradiction that ioOWFs do not exist. We will show that Babai-Moran’s (BM) [BM88] round reduction works in this setting, and thus we can obtain a -round puzzle.
Note that if ioOWFs do not exist, every polynomial-time computable function is “invertible” with inverse polynomial probability for all sufficiently long input lengths . In fact, since by [IL90] the existence of distributional one-way functions implies the existence of one-way functions (and this result also works in the infinitely-often setting), we can conclude that if ioOWFs do not exist, then for any polynomial and any polynomial-time computable function , there exists a algorithm such that, for sufficiently large , the following distributions are -statistically close.
In this case, we will say that inverts with -statistical closeness. We now proceed to show how to use such an inverter to prove that BM’s round-collapse transformation works on . To simplify notation, we will make the following assumptions that are without loss of generality:
has at least 4 communication rounds and sends the first message; we can always add an initial dummy message to achieve this, while only increasing the number of rounds by 1. We will then construct a new puzzle that has rounds (which concludes the theorem). Since, in any puzzle, sends the final message, this implies we can assume is even. To make our notation easier to read, we show how to reduce a -round protocol to rounds.
There exist polynomials such that all messages from are of (the same) length and all the messages from need to be of length (or else rejects). Furthermore, and are polynomial-time computable and strictly increasing.
We denote by the -message (i.e., the message to be sent in round ) from , where is ’s randomness and are bit strings (representing the messages received from in the first rounds). Let be rounded upwards to the next power of two. [Footnote 13: We round to the next power of 2 to make it easy to sample a random number in ; this is just to simplify the presentation and analysis.] We will show that the BM transformation works (if ioOWFs do not exist) when using repetitions. More precisely, consider the following -round puzzle challenger that on input proceeds as follows:
If , output (i.e., proceed just like before round );
If , output (i.e., in round , send the original challenge for round as well as a “-wise parallel-repetition” challenge for the original round );
If (i.e., after receiving the message in the last round), output 1 if and only if
for every (i.e., all the parallel instances are accepting),
where is interpreted as
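The collapsed challenger described above, instantiated on a toy 4-round public-coin puzzle, as an added example that is not code from the paper. The original puzzle has the shape C sends c1, A sends a1, C sends c2, A sends a2, and C applies a deterministic verdict to the transcript; the collapsed 2-round challenger sends c1 together with k independent copies of the round-3 challenge, receives a1 together with k round-4 answers, and accepts iff every parallel instance (c1, a1, c2_j, a2_j) is accepting. The hash-based verdict, the message lengths, and the fact that k is passed as a free parameter (rather than derived from the puzzle's message lengths as in the proof) are assumptions of this illustration.

```python
"""Babai-Moran style round collapse of a 4-round public-coin puzzle into a
2-round one (added example; the toy hash-based verdict and the parameters
are assumptions of this illustration, not the paper's construction)."""
import hashlib
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class FourRoundPuzzle:
    c_bits: int                                    # length of each challenger message (its coin tosses)
    a_bits: int                                    # length of each attacker message
    accept: Callable[[int, int, int, int], bool]   # C's deterministic final verdict on (c1, a1, c2, a2)


def toy_accept(c1: int, a1: int, c2: int, a2: int, difficulty: int = 8) -> bool:
    """Toy verdict (assumption): the transcript hash must end in `difficulty` zero bits.
    An unbounded prover can always satisfy it by searching over a2, so completeness holds."""
    data = b"".join(v.to_bytes(4, "big") for v in (c1, a1, c2, a2))
    d = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return d & ((1 << difficulty) - 1) == 0


TOY = FourRoundPuzzle(c_bits=32, a_bits=16, accept=toy_accept)


def brute_force_a2(p: FourRoundPuzzle, c1: int, a1: int, c2: int) -> Optional[int]:
    """Models the inefficient prover for the last message: exhaustive search over a2."""
    for a2 in range(1 << p.a_bits):
        if p.accept(c1, a1, c2, a2):
            return a2
    return None


def collapsed_challenge(p: FourRoundPuzzle, k: int, rng: random.Random) -> Tuple[int, List[int]]:
    """Round 1 of the collapsed puzzle: the original round-1 challenge plus k
    independent copies of the original round-3 challenge, sent at once."""
    c1 = rng.getrandbits(p.c_bits)
    c2s = [rng.getrandbits(p.c_bits) for _ in range(k)]
    return c1, c2s


def collapsed_verify(p: FourRoundPuzzle, c1: int, c2s: List[int],
                     a1: Optional[int], a2s: List[Optional[int]]) -> bool:
    """Verdict of the collapsed puzzle: every parallel instance must be accepting."""
    if a1 is None or len(a2s) != len(c2s) or any(a is None for a in a2s):
        return False
    return all(p.accept(c1, a1, c2, a2) for c2, a2 in zip(c2s, a2s))


def unbounded_responder(p: FourRoundPuzzle, c1: int, c2s: List[int],
                        rng: random.Random) -> Tuple[int, List[Optional[int]]]:
    """Round 2 of the collapsed puzzle: a1 is chosen *after* seeing all c2_j (this is
    exactly what the collapse gives a prover), then each copy is solved by brute force."""
    a1 = rng.getrandbits(p.a_bits)
    a2s = [brute_force_a2(p, c1, a1, c2) for c2 in c2s]
    return a1, a2s


def run_original(seed: int) -> bool:
    """The original 4-round interaction with the brute-force prover; returns C's verdict."""
    rng = random.Random(seed)
    c1 = rng.getrandbits(TOY.c_bits)
    a1 = rng.getrandbits(TOY.a_bits)      # prover commits to a1 before seeing c2
    c2 = rng.getrandbits(TOY.c_bits)
    a2 = brute_force_a2(TOY, c1, a1, c2)
    return a2 is not None and TOY.accept(c1, a1, c2, a2)


def run_collapsed(seed: int, k: int) -> bool:
    """The collapsed 2-round interaction with k parallel copies; returns C's verdict."""
    rng = random.Random(seed)
    c1, c2s = collapsed_challenge(TOY, k, rng)
    a1, a2s = unbounded_responder(TOY, c1, c2s, rng)
    return collapsed_verify(TOY, c1, c2s, a1, a2s)


if __name__ == "__main__":
    print("original 4-round puzzle accepted:", run_original(1))
    print("collapsed 2-round puzzle (k=8) accepted:", run_collapsed(1, 8))
```

The only difference between the two games, visible in `unbounded_responder` versus `run_original`, is that the collapsed prover picks a1 with all k round-3 challenges already in hand. That extra freedom is what makes computational soundness of the collapsed puzzle non-obvious, and it is precisely what the proof in this section handles (via the inverter that exists when ioOWFs do not). Completeness, by contrast, transfers directly: an unbounded prover solves each copy independently, as the brute-force search does here.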
We will show that is a -puzzle, and thus by Remark 3.1 this implies a puzzle with the same number of rounds.
We first define some notation:
Given a transcript of an interaction between and an adversary, we let denote the transcript up to and including the round where (in the emulation done by ) sends it ’st message.
We say that is accepting if
(i.e., if is accepting in the transcript).
Completeness (in fact with all but negligible probability) follows directly from the original proof by Babai-Moran [BM88].
Assume for contradiction that there exists a algorithm that convinces on common input with probability such that for all sufficiently large . Let be a polynomial such that runs in time at most when its first input is . We assume without loss of generality that only sends a real last message if will accept it (note that since is public coin, can verify this, so it is without loss of generality), and otherwise sends as its last message.
At a high level, using and the fact that polynomial-time computable functions are “invertible”, we will construct a such that for sufficiently large , which contradicts the soundness of the original -round puzzle . Towards constructing , we first define a polynomial-time algorithm on which we will apply the inverter . As described in the introduction, we will consider an algorithm that operates on inputs of the form , where is an index of one of the parallel sessions and contains the randomness of and . To correctly parse such inputs, let and note that by our assumption on and , this is a strictly increasing and polynomial-time computable function. In the rest of the proof, whenever the security parameter is clear from context, we omit it and let and . Now, consider the machine that on input internally incorporates the code of and proceeds as follows:
finds an such that (simply by enumerating different from 1 up to ). If no such exists, then outputs and halts. Otherwise, interprets as such that , , , , and all the strings are in .
It internally emulates an execution between and on common input and respectively using randomness and