1 Introduction
We initiate a complexity-theoretic study of interactive computational puzzles: 2-player interactive games between a polynomial-time public-coin challenger and an attacker satisfying the following two properties:
Computational Soundness:
There does not exist a probabilistic polynomial-time (PPT) attacker and polynomial such that succeeds in making output 1 with probability for all sufficiently large .

Completeness/Nontriviality:
There exists a negligible function and an inefficient attacker that on input succeeds in making output 1 with probability for all .
In other words, (a) no polynomial-time attacker, , can make output 1 with inverse polynomial probability, yet (b) there exists a computationally unbounded attacker that makes output 1 with overwhelming probability. We refer to as a round computational puzzle (or simply a round puzzle) if satisfies the above completeness and computational soundness conditions, while restricting to communicate with in rounds.
As an example of a 2-round puzzle, let be a one-way permutation and consider a game where samples a random and requires the adversary to output a preimage such that . Since is a permutation, this puzzle has “perfect” completeness—an unbounded attacker can always find a preimage . By the one-wayness of (and the permutation property of ), we also have that no adversary can find such an (with inverse polynomial probability), and thus soundness holds.
In fact, the existence of 2-round puzzles is “essentially” equivalent to the existence of an average-case hard problem in : any 2-round puzzle trivially implies a hard-on-average search problem (w.r.t. the uniform distribution) in and thus by [IL90] also a hard-on-average decision problem in . Furthermore, “almost-everywhere” hard-on-average languages in [Footnote 1: That is, a language in such that for every , no PPT attacker can decide random instances with probability greater than for infinitely many (as opposed to all) . Such an “almost-everywhere” notion is more commonly used in the cryptographic literature.] also imply the existence of a 2-round puzzle (by simply sampling many random instances and asking the attacker to provide a witness for at least, say, of the instances). [Footnote 2: The reason we need the language to be almost-everywhere hard-on-average is to guarantee that YES instances exists for every sufficiently large input length, or else completeness would not hold.]
Proposition 1.1 (informally stated).
The existence of an (almost-everywhere) hard-on-average language in implies the existence of a 2-round puzzle. Furthermore, the existence of a 2-round puzzle implies the existence of a hard-on-average language in .
Thus, 2-round puzzles are “morally” (up to the infinitely-often/almost-everywhere issue) equivalent to the existence of a hard-on-average language in . As such, round puzzles are a natural way to generalize average-case hardness in .
While the game-based modeling in the notion of a puzzle is common in the cryptographic literature—most notably, it is commonly used to model cryptographic assumptions [Nao03, Pas11, GW11], complexity-theoretic consequences or properties of puzzles have remained largely unexplored. In this work, we initiate such a treatment. Furthermore, we show that such an interactive treatment of average-case complexity leads to a new tool set also for answering “classic” questions regarding average-case hardness in . Most notably, relying on this interactive treatment of puzzles, we demonstrate the following result:
If is (almost everywhere) hard-on-average, then either (1) one-way functions exist, or (2) (i.e., the class of total search problems) is hard-on-average.
1.1 The Round-Complexity of Puzzles
Perhaps the most basic question regarding the existence of interactive puzzles is whether the existence of a round puzzle is actually a weaker assumption than the existence of a round puzzle. In particular, do interactive puzzles actually generalize beyond just average-case hardness in :
Does the existence of a round puzzle imply the existence of round puzzle?
At first sight, one would hope the classic “round-reduction” theorem due to Babai-Moran (BM) [BM88] can be applied to collapse any round puzzle into a 2-round puzzle (i.e., a hard-on-average problem). Unfortunately, while BM’s round reduction technique indeed works for all information-theoretically sound protocols, Wee [Wee06] demonstrated that BM’s round reduction fails for computationally sound protocols. In particular, Wee shows that black-box proofs of security cannot be used to prove that BM’s transformation preserves soundness even when applied to just 3-round protocols, and demonstrates (under computational assumptions) a concrete 4-round protocol for which BM’s round-reduction results in an unsound protocol.
As BM’s round reduction is the only known round-reduction technique (which does not rely on any assumptions), it was generally conjectured that the existence of a round puzzle is a strictly stronger assumption than the existence of a round puzzle—in particular, this would imply the existence of infinitely many worlds between Impagliazzo’s Pessiland and Heuristica [Imp95] (i.e., infinitely many worlds where yet average-case hardness does not exist). Further evidence in this direction comes from a work by Gertner et al. [GKM00] which shows a black-box separation between round puzzles and round puzzles for a particular cryptographic task (namely that of a key-agreement scheme). [Footnote 3: The example from [GKM00] isn’t quite captured by our notion of a computational puzzle as their challenger is not public coin.]
In contrast to the above negative results, our main technical result provides an affirmative answer to the above question—we demonstrate a round-reduction theorem for puzzles.
Theorem 1.1 (informally stated).
For every constant , the existence of a round puzzle is equivalent to the existence of a round puzzle.
In particular, as a corollary of this result, we get that the assumption that a round puzzle exists is not weaker than the assumption that average-case hardness in exists:
Corollary 1.2 (informally stated).
The existence of an round puzzle implies the existence of a hard-on-average problem in .
Perhaps paradoxically, we strongly rely on BM’s round reduction technique, yet we rely on a non-black-box security analysis. Our main technical lemma shows that if infinitely-often one-way functions [Footnote 4: Recall that a one-way function is a function that is efficiently computable, yet there does not exist a PPT attacker and polynomial such that inverts with probability for infinitely many input lengths . A function is infinitely often one-way if the same conditions hold except that we only require that no PPT attacker succeeds in inverting with probability for all sufficiently large —i.e., it is hard to invert “infinitely often”.] do not exist (i.e., if we can invert any function for all sufficiently large input lengths), then BM’s round reduction actually works:
Lemma 1.2 (informally stated).
Either infinitely-often one-way functions exist, or BM’s round-reduction transformation turns a round puzzle into a round puzzle.
We provide a proof outline of Lemma 1.2 in Section 1.5. The proof of Theorem 1.1 now easily follows by considering two cases:

Case 2: (Infinitely-often) one-way functions do not exist. In such a world, by Lemma 1.2, BM’s round reduction preserves soundness of the underlying protocol and thus we have gotten a puzzle with one round less. We can next iterate BM’s round reduction any constant number of times.
A natural question is whether we can collapse more than a constant number of rounds. Our next result—which characterizes the existence of round puzzles—shows that this is unlikely.
Theorem 1.3 (informally stated).
For every , there exists an round puzzle if and only if .
In particular, if round puzzles imply round puzzles, then by combining Theorem 1.1 and Theorem 1.3, we have that implies the existence of a hard-on-average problem in , which seems unlikely. Theorem 1.3 also shows that the notion of an interactive puzzle (with a super-constant number of rounds) indeed is a nontrivial generalization of average-case hardness in .
Theorem 1.3 follows using standard techniques: Any puzzle can be broken using a oracle (as the optimal strategy can be found using a oracle), so if , it can also be broken by a probabilistic polynomial-time algorithm. For the other direction, recall that worst-case to average-case reductions are known for [FF93, BFNW93]. In other words, there exists a language that is hard-on-average assuming . Additionally, recall that is closed under complement. We then construct a puzzle where first samples a hard instance for and then asks to determine whether and next provide an interactive proof—using [Sha92, LFKN92] which is public-coin—for containment or non-containment in . This puzzle clearly satisfies the completeness condition. Computational soundness, on the other hand, follows directly from the hard-on-average property of (and the unconditional soundness of the interactive proof of [Sha92]).
We next present some complexity-theoretic consequences of our treatment of interactive computational puzzles.
1.2 Perfect Completeness and Hardness
We consider two fundamental open problems in complexity theory:

Does the existence of a hard-on-average language in imply the existence of one-way functions?

Does the existence of a hard-on-average language in imply the existence of a hard problem in (i.e., the class of total search problems)?
Roughly speaking, our main corollary demonstrates that one of the above open problems has a positive answer. Let us elaborate.
One-way functions from Average-case Hardness
Perhaps the most important open problem in the foundation of Cryptography is whether the existence of a hard-on-average problem in implies the existence of one-way functions. One-way functions are both necessary [IL89] and sufficient for many of the central cryptographic tasks (e.g., pseudorandom generators [HILL99], pseudorandom functions [GGM84], private-key encryption [GM84, BM88]). In more complexity-theoretic terms, one-way functions are equivalent to the existence of an efficient method for sampling hard instances in together with their witnesses. [Footnote 5: To see why the existence of such a sampling method implies the existence of one-way functions, consider the function which takes the random coins used by the sampling method and outputs the instance generated by it.] Impagliazzo refers to a world where hard-on-average problems in exist, but one-way functions do not, as Pessiland [Imp95].
As far as we know, there are only two approaches towards demonstrating the existence of one-way functions from average-case hardness: (1) Ostrovsky and Wigderson [OW93a] demonstrate such an implication assuming that has zero-knowledge proofs [GMW91], (2) Komargodski et al. [KMN14] demonstrate the implication (in fact, an even stronger implication, showing worst-case hardness of implies one-way functions) assuming the existence of indistinguishability obfuscators [BGI01]. Both of these additional assumptions are not known to imply one-way functions on their own (in fact, they unconditionally exist if ).
Hardness
Another central problem in complexity theory concerns the hardness of total search problems [MP91]: the class (total function ) is the search analog of with the additional guarantee that any instance has a solution. In other words, is the class of search problems in (i.e., ). In recent years, has attracted extensive attention due to its natural syntactic subclasses that capture the computational complexity of important search problems from algorithmic game theory, combinatorial optimization and computational topology—perhaps most notable among those are the classes [Pap94, GP16], which characterizes the hardness of computing Nash equilibrium [DGP09, CDT09, DP11], and [JPY85], which characterizes the hardness of local search. A central open problem is whether (average-case) hardness implies (average-case) hardness. A recent elegant result by Hubacek, Naor, and Yogev [HNY17] shows that under “derandomization” assumptions [NW94, IW97, MV05, BOV07]—the existence of certain Nisan-Wigderson (NW) [NW94] type pseudorandom generators that fool nondeterministic bounded size circuits—(almost everywhere) average-case hardness of implies average-case hardness of . [Footnote 6: Such pseudorandom generators are known to exist based on the assumption that has a function of nondeterministic circuit complexity [MV05]. As a consequence, they showed that in Pessiland, is average-case hard under NW-type derandomization assumptions.] But it remains open whether just average-case hardness of suffices. [Footnote 7: They also show that average-case hardness of implies an average-case hard problem in (i.e., with a nonuniform verifier). In essence, this follows since nonuniformity enables unconditional derandomization.] Hubacek et al. also present another condition under which is average-case hard: assuming the existence of one-way functions and noninteractive witness indistinguishable proofs (NIWI) [FS90, DN00, BOV07] for .
Hardness in Pessiland
By using our interactive average-case hardness treatment, we are able to unconditionally show that in Pessiland (where is hard-on-average but one-way functions do not exist), is hard (on average).
More precisely, we show that one of the above open problems must have a positive resolution: The existence of an (almost everywhere) hard-on-average problem in unconditionally implies either (1) one-way functions, or (2) average-case hardness of .
Theorem 1.4.
If contains an (almost-everywhere) hard-on-average problem, then either (1) one-way functions exist, or (2) is hard-on-average.
By combining Theorem 1.4 with the result of [HNY17] (that NIWI for and one-way functions imply hardness of ), we get that it suffices to assume NIWI for and an (almost-everywhere) hard-on-average problem in to conclude hardness of . As far as we know, this constitutes the first result where witness indistinguishability [FS90] can be nontrivially used without assuming the existence of one-way functions.
Theorem 1.4 is proven in the following steps: (1) As mentioned above, an (almost-everywhere) hard-on-average problem in yields a 2-round puzzle; (2) We can next use a standard technique from the literature on interactive proofs (namely the result of [FGM89]) to turn this puzzle into a 3-round puzzle with perfect completeness. (3) We next observe that the BM transformation preserves perfect completeness of the protocol. Thus, by Lemma 1.2, either infinitely-often one-way functions exist, or we can get a 2-round puzzle with perfect completeness. (4) We finally observe that the existence of a 2-round puzzle with perfect completeness is (syntactically) equivalent to the existence of a hard-on-average problem in (with respect to the uniform distribution on instances).
The above proof approach actually only concludes a slightly weaker form of Theorem 1.4—we only show that either is hard or infinitely-often one-way functions exist. But we can get the proof also of the stronger conclusion (i.e., conclude the existence of standard (i.e., “almost-everywhere”) one-way functions), by noting that an almost-everywhere hard-on-average language in actually implies a 2-round puzzle satisfying an “almost-everywhere” notion of soundness, and for such “almost-everywhere puzzles”, Lemma 1.2 can be strengthened to show that either one-way functions exist, or BM’s round-reduction works. [Footnote 8: More precisely, the variant of Lemma 1.2 says that either one-way functions exist, or the existence of a round almost-everywhere puzzle yields the existence of a round puzzle (with the standard, infinitely-often, notion of soundness).]
1.3 The Complexity of Nontrivial Public-coin Arguments
Soon after the introduction of interactive proof by Goldwasser, Micali and Rackoff [GMR89] and Babai and Moran [BM88], Brassard, Chaum and Crepeau [BCC88] introduced the notion of an interactive argument. Interactive arguments are defined identically to interactive proofs, but we relax the soundness condition to only hold with respect to nonuniform algorithms (i.e., no nonuniform algorithm can produce proofs of false statements, except with negligible probability).
Interactive arguments have proven extremely useful in the cryptographic literature, most notably due to the feasibility (assuming the existence of collision-resistant hash-functions) of succinct public-coin argument systems for —namely, argument systems with sublinear, or even polylogarithmic communication complexity [Kil92, Mic00]. Under widely believed complexity assumptions (i.e., not being solvable in subexponential time), interactive proofs cannot be succinct [GH98].
A fundamental problem regarding interactive arguments involves characterizing the complexity of nontrivial argument systems—namely interactive arguments that are not interactive proofs (in other words, the soundness condition is inherently computational). While we do not have an explicit reference for the discussion of nontrivial arguments, [Footnote 9: Wee [Wee05] considers a notion of a nontrivial argument, but his notion refers to what today is called a succinct argument.] this notion and the problem of understanding whether the existence of nontrivial arguments implies some notion of one-wayness or average-case hardness in has been discussed in the community for at least fifteen years.
We focus our attention on public-coin arguments (similar to our treatment of puzzles). Using our interactive-average-case hardness treatment, we are able to establish an “almost-tight” characterization of constant-round public-coin nontrivial arguments.
Theorem 1.5 (informally stated).
The existence of a round public-coin nontrivial argument for any language implies a hard-on-average language in . Conversely, the existence of a hard-on-average language in implies an (efficient-prover) 2-round public-coin nontrivial argument for .
The first part of the theorem is shown by observing that any public-coin nontrivial argument can be turned into a nonuniform puzzle (where the challenger is a nonuniform algorithm), and next observing that our round-collapse theorem also applies to nonuniform puzzles. The second part follows from the observation that we can take any proof for some language and extend it into a 2-round argument where the verifier samples a random statement from a hard-on-average language and next requires the prover to provide a witness that either or . Completeness follows trivially, and computational soundness follows directly if is sufficiently hard-on-average (in the sense that it is hard to find witnesses to true statements with inverse polynomial probability). This argument system is not a proof, though, since by the hard-on-average property of , there must exist infinitely many input lengths for which random instances are contained in with inverse polynomial probability.
We finally observe that the existence of round nontrivial public-coin arguments is equivalent to .
Theorem 1.6 (informally stated).
For every , there exists an (efficient-prover) round nontrivial public-coin argument (for ) if and only if .
The “only-if” direction follows just as the only-if direction of Theorem 1.3. The “if” direction follows by combining a standard proof with the puzzle from Theorem 1.3 (which becomes sound w.r.t. nu attacker assuming ), and requiring the prover to either provide the witness, or to provide a solution to the puzzle.
1.4 Perspective
Our results reveal that an interactive notion of average-case hardness (i.e., interactive computational puzzles) is intriguing not only in its own right, but also leads to insights into classic questions in complexity theory and cryptography; most notably, we are able to unconditionally establish that is (average-case) hard in Pessiland.
Theorem 1.3 demonstrates that there may exist a natural hierarchy of average-case hard problems between and , characterized by the round complexity of the puzzles. By Theorem 1.1, gaps in the hierarchy need to come from super-constant increases in the number of rounds. We leave open the intriguing question of characterizing the complexity of round puzzles for ; most notably, the question of understanding the complexity-theoretic implications of round puzzles is open.
1.5 Proof Overview for Lemma 1.2
We here provide a proof overview of our main technical lemma. As mentioned, we shall show that if one-way functions do not exist, then Babai-Moran’s round reduction method actually works. Towards this we will rely on two tools:

Preimage sampling. By the result of Impagliazzo and Levin [IL90], the existence of so-called “distributional one-way functions” (functions for which it is hard to sample a uniform preimage) implies the existence of one-way functions. So if one-way functions do not exist, we have that for every efficient function , given a sample for a random input , we can efficiently sample a (close to random) preimage .

Raz’s sampling lemma (from the literature on parallel repetition for 2-prover games and interactive arguments [Raz98, HPWP10, CP15]). This lemma states that if we sample uniform bit random variables conditioned on some event that happens with sufficiently large probability , then the conditional distribution of a randomly selected index will be close to uniform. More precisely, the statistical distance will be , so even if is tiny, as long as we have sufficiently many repetitions , the distance will be small. [Footnote 10: Earlier works [HPWP10, CP15] always used Raz’ lemma when was non-negligible. In contrast, we will here use it also when is actually negligible.]
To see how we will use these tools, let us first recall the BM transformation (and its proof for the case of information-theoretically sound protocols). To simplify our discussion, we here focus on showing how to collapse a 3-round public-coin protocol between a prover and a public-coin verifier into a 2-round protocol. We denote a transcript of the 3-round protocol where and are the prover messages and is the randomness of the verifier. Let be the length of the prover message. The BM transformation collapses this protocol into a 2-round protocol in the following two steps:
 Step 1: Reducing soundness error:

First, use a form of parallel repetition to make the soundness error (i.e., extremely small). More precisely, consider a 3-round protocol where first still send just , next the verifier picks random strings , and finally needs to provide accepting answers to all of the queries (so that for every , is an accepting transcript).
 Step 2: Swap order of messages:

Once the soundness error is small, yet the length of the first message is short, we can simply allow the prover to pick its first message after having . In other words, we now have a 2-round protocol where first picks , then the prover responds by sending . This swapping preserves soundness by a simple union bound: since (by soundness) for every string , the probability over that there exists some accepting response is , it follows that with probability at most over , there exists some that has an accepting (as the number of possible first messages is ). Thus soundness still holds (with a degradation) if we allow to choose after seeing .
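The accounting behind Steps 1 and 2 can be checked exactly on a small instance. The following Python example is added here and is not from the paper: the toy verifier table, the names ELL and k, and all function names are constructed for illustration. It covers only the information-theoretic case, where cheating responses either exist or do not.

```python
# Added illustration: exact soundness accounting for the Babai-Moran (BM)
# collapse on a constructed toy 3-round public-coin protocol.
from fractions import Fraction
from itertools import product

ELL = 2                      # assumed length of the first prover message, in bits
FIRST_MSGS = range(2 ** ELL)
CHALLENGES = range(8)        # verifier coins (constructed: 3-bit challenges)
RESPONSES = range(4)         # second prover message (constructed)

# Constructed toy verifier for a FALSE statement: for first message a, only the
# challenges in ANSWERABLE[a] admit any accepting response.
ANSWERABLE = {0: {0, 1, 2, 3}, 1: {2, 3, 4, 5}, 2: {4, 5, 6, 7}, 3: {0, 7}}


def accepts(a, r, b):
    """Verifier's final verdict on the transcript (a, r, b)."""
    return r in ANSWERABLE[a] and b == (a + r) % 4


def good_challenges(a):
    """Challenges for which SOME accepting response exists (unbounded prover)."""
    return {r for r in CHALLENGES if any(accepts(a, r, b) for b in RESPONSES)}


def error_three_round(k=1):
    """Best cheating probability when a is sent BEFORE the k challenges."""
    n = len(CHALLENGES)
    return max(Fraction(len(good_challenges(a)), n) ** k for a in FIRST_MSGS)


def error_collapsed(k):
    """Best cheating probability when a is chosen AFTER seeing all k challenges."""
    good = {a: good_challenges(a) for a in FIRST_MSGS}
    wins = sum(
        any(all(r in good[a] for r in rs) for a in FIRST_MSGS)
        for rs in product(CHALLENGES, repeat=k)
    )
    return Fraction(wins, len(CHALLENGES) ** k)


def union_bound(k):
    """Number of possible first messages times the k-fold repeated error."""
    return 2 ** ELL * error_three_round(k)


def min_repetitions(target):
    """Smallest k for which the union bound certifies error <= target."""
    k = 1
    while union_bound(k) > target:
        k += 1
    return k


if __name__ == "__main__":
    for k in (1, 3, 6):
        print(k, error_three_round(k), error_collapsed(k), union_bound(k))
    print("repetitions for error <= 1/100:", min_repetitions(Fraction(1, 100)))
```

On this table, swapping the message order without repetition gives the cheating prover success probability 1, while three repetitions bring the collapsed protocol's error to 91/256, below the union bound of 1/2.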
For the case of computationally sound protocols, the “logic” behind both steps fails: (1) it is not known how to use parallel repetition to reduce soundness error beyond being negligible, (2) the union bound cannot be applied since, for computationally sound protocols, it is not the case that responses do not exist, rather, they are just hard to find. Yet, as we shall see, using the above tools, we present a different proof strategy. More precisely, to capture computational hardness, we show a reduction from any polynomial-time attacker that breaks soundness of the collapsed protocol with some inverse polynomial probability , to a polynomial-time attacker that breaks soundness of the original 3-round protocol.
starts by sampling a random string and computes ’s response given this challenge . If the response is not an accepting transcript, simply abort; otherwise, take and forward externally as ’s first message. (Since is successful in breaking soundness, we have that won’t abort with probability .) Next, gets a verifier challenge from the external verifier and needs to figure out how to provide an answer to it. If is lucky and is one of the challenges in , then could provide the appropriate message, but this unfortunately will only happen with negligible probability. Rather, will try to get to produce another accepting transcript that (1) still contains as the prover’s first message (i.e., ), and (2) contains in some coordinate of . To do this, will consider the function —which runs (i.e., has its randomness fixed to ) and outputs if is accepting and otherwise—and runs the preimage sampler for this function on to recover some new verifier challenge, randomness, index tuple which leads to produce a transcript of the desired form, and can subsequently forward externally the ’th coordinate of as its response and convince the external verifier.
So, as long as the preimage sampler indeed succeeds with high enough probability, we have managed to break soundness of the original 3-round protocol. The problem is that the preimage sampler is only required to work given outputs that are correctly distributed over the range of the function , and the input that we now feed it may not be so—for instance, perhaps chooses the string as a function of . So, whereas the marginal distribution of both and are correct, the joint distribution is not. In particular, the distribution of conditioned on may be off. We, however, show how to use Raz’s lemma to argue that if the number of repetitions is sufficiently bigger than the length of , the conditional distribution of cannot be too far off from being uniform (and thus the preimage sampler will work). On a high-level, we proceed as follows:

Note that in the one-way function experiment, we can think of the output distribution of on a random input, as having been produced by first sampling and next, if , sampling conditioned on the event that generates a successful transcript with first-round prover message , and finally sampling a random index and outputting and (and otherwise output ).

Note that by an averaging argument, we have that with probability at least over the choice of , (otherwise, the probability that succeeds would need to be smaller than , which is a contradiction).

Thus, whenever we pick such a “good” (i.e., a such that ), by Raz’ lemma the distribution of for a random can be made close to uniform for any polynomial by choosing to be sufficiently large (yet polynomial). Note that even though the lower bound on is negligible, the key point is that it is independent of and as such we can still rely on Raz’ lemma by choosing a sufficiently large . (As we pointed out above, this usage of Raz’ lemma even on very “rare” events—with negligible probability mass—is different from how it was previously applied to argue soundness for computationally sound protocols [HPWP10, CP15].)

It follows that conditioned on picking such a “good” , the preimage sampler will also successfully generate correctly distributed preimages if we feed him where is randomly sampled. But this is exactly the distribution that feeds to the preimage sampler, so we conclude that with probability over the choice of , will manage to convince the outside verifier with probability close to 1.
This concludes the proof overview for 3-round protocols. When the protocol has more than 3 rounds, we can apply a similar method to collapse the last rounds of the protocol. The analysis now needs to be appropriately modified to condition also on the prefix of the partial execution up until the last rounds.
2 Preliminaries
We assume familiarity with basic concepts such as Turing machines, interactive Turing machines, polynomial-time algorithms, probabilistic polynomial-time algorithms ( ), nonuniform polynomial-time and nonuniform algorithms. A function is said to be negligible if for every polynomial there exists some such that for all , . For any two random variables and , we let denote the statistical distance between and .
Basic Complexity Classes
Recall that is the class of languages decidable in polynomial time (i.e., there exists a polynomial-time algorithm such that for every , ), is the class of languages decidable in nonuniform polynomial time, and is the class of languages decidable in probabilistic polynomial time with probability (i.e., there exists a such that for every , where we abuse notation and define if and otherwise.)
We refer to a relation over pairs as being polynomially bounded if there exists a polynomial such that for every , . We denote by the language characterized by the “witness relation” —i.e., iff there exists some such that . We say that a relation is polynomial-time (resp. nonuniform polynomial-time) if is polynomially-bounded and the languages consisting of pairs is in (resp. ). (resp ) is the class of languages for which there exists a polynomial-time (resp. nonuniform polynomial-time) relation such that iff there exists some such that .
Search Problems
A search problem is simply a polynomially-bounded relation. We say that the search problem is solvable in polynomial-time (resp. nonuniform polynomial time) if there exists a polynomial-time (resp. nonuniform polynomial-time) algorithm that for every outputs a “witness” such that . Analogously, is solvable in if there exists some that for every outputs a “witness” such that with probability .
An search problem is total if for every there exists some such that (i.e., every instance has a witness). We refer to (function NP) as the class of search problems and (total-function ) as the class of total search problems.
2.1 One-way functions
We recall the definition of one-way functions (see e.g., [Gol01]). Roughly speaking, a function is one-way if it is polynomial-time computable, but hard to invert for attackers. The standard (cryptographic) definition of a one-way function requires every attacker to fail (with high probability) on all sufficiently large input lengths. We will also consider a weaker notion of an infinitely-often one-way function [OW93a] which only requires the attacker to fail for infinitely many input lengths (in other words, there is no attacker that succeeds on all sufficiently large input lengths, analogously to complexity-theoretic notions of hardness).
Definition 2.1.
Let be a polynomial-time computable function. is said to be a one-way function (OWF) if for every algorithm , there exists a negligible function such that for all ,
is said to be an infinitely-often one-way function (ioOWF) if the above condition holds for infinitely many (as opposed to all).
We may also consider a notion of a nonuniform (a.k.a. “auxiliary-input”) one-way function, which is identically defined except that (a) we allow to be computable by a nonuniform , and (b) the attacker is also allowed to be a nonuniform .
2.2 Interactive Proofs and Arguments
We recall basic definitions of interactive proofs [GMR89, BM88] and arguments [BCC88]. An interactive protocol is a pair of interactive Turing machines; we denote by the output of in an interaction between and on common input .
Definition 2.2.
An interactive protocol is an interactive proof system for a language , if is and the following conditions hold:
 Completeness:

There exists a negligible function such that for every ,
 Soundness:

For every Turing machine , there exists a negligible function such that for every ,
If the soundness condition is relaxed to only hold for all nonuniform , we refer to as an interactive argument for . We refer to as a public-coin proof/argument system if simply sends the outcomes of its coin tosses to the prover (and only performs computation to determine its final verdict).
Whenever , we say that has an efficient prover if there exists some witness relation that characterizes (i.e., ) and a PPT such that satisfies the completeness condition for every .
2.3 Average-Case Complexity
We recall some basic notions from average-case complexity. A distributional problem is a pair where and is a ; we say that is an (resp. ) distributional problem if (resp. . Roughly speaking, a distributional problem is hard-on-average if there does not exist some algorithm that can decide instances drawn from with probability significantly better than .
Definition 2.3 (hard-on-the-average).
We say that a distributional problem is hard-on-the-average (HOA) if there does not exist some such that for every sufficiently large ,
We say that a distributional problem is simply hard-on-the-average (HOA) if it is HOA for some .
We also define a notion of HOA w.r.t. nonuniform algorithm (nuHAO) in exactly the same way but where we allow to be a nonuniform (as opposed to just a .
The above notion of average-case hardness (traditionally used in the complexity-theory literature) is defined analogously to the notion of an infinitely-often one-way function: we simply require every “decider” to fail for infinitely many . For our purposes, we will also rely on an “almost-everywhere” notion of average-case hardness (similar to standard definitions in cryptography, and analogously to the definition of a one-way function), where we require that every decider fails on all (sufficiently large) input lengths.
Definition 2.4 (almost-everywhere hard-on-the-average (aeHOA)).
We say that a distributional problem is almost-everywhere hard-on-the-average (aeHOA) if there does not exist some such that for infinitely many ,
We say is almost-everywhere hard-on-the-average (aeHOA) if is aeHOA for some .
We move on to defining hard-on-the-average search problems. A distributional search problem is a pair where is a search problem and is a . If is an search problem (resp. search problem), we refer to as an distributional (resp. ) search problem.
Definition 2.5 (hard-on-the-average search (SearchHOA)).
We say that a distributional search problem is hard-on-the-average (SearchHOA) if there does not exist some such that for every sufficiently large ,
is simply SearchHOA if there exists such that is SearchHOA.
We can analogously define an almost-everywhere notion, aeSearchHOA, of SearchHOA (by replacing “for every sufficiently large ” with “for infinitely many ”) as well as a nonuniform notion, nuSearchHOA, (by replacing with nonuniform ).
The following lemmas, which essentially follow directly from the results of [IL90, BCGL92, Tre05], will be useful to us. (These results were originally only stated for the standard notion of HOA, whereas we will require them also for the almost-everywhere notion; as we explain in more detail in Appendix A, these results however directly apply also for the almost-everywhere notion of HOA.) The first result, from [IL90] (combined with [Tre05]), shows that without loss of generality, we can restrict our attention to the uniform distribution over statements ; we denote by a such that simply samples a random string in .
Lemma 2.1 (Private to public distributions).
Suppose there exists a distributional problem that is HOA (resp., aeHOA or nuHOA). Then, there exists a polynomial and an language such that is HOA (resp. aeHOA or nuHOA).
The next result, from [Tre05], shows that when the distribution over instances is uniform, we can amplify the hardness.
Lemma 2.2 (Hardness amplification).
Let be a polynomial and suppose there exists a distributional problem that is HOA (resp., aeHOA or nuHOA). Then, for every , there exists some polynomial and language such that is HOA (resp., aeHOA or nuHOA).
Lemma 2.3 (Search to decision).
Suppose there exists a distributional (resp. ) search problem that is SearchHOA (resp., nuSearchHOA). Then, there exists a polynomial and an (resp. ) language such that is HOA (resp., nuHOA).
3 Interactive Computational Puzzles
Roughly speaking, an interactive computational puzzle is described by an interactive polynomial-time public-coin challenger having the property that (a) there exists an inefficient that succeeds in convincing with probability negligibly close to 1, yet (b) no attacker can make output 1 with inverse polynomial probability for sufficiently large .
Definition 3.1 (interactive puzzle).
An interactive algorithm is referred to as a round (computational) puzzle if the following conditions hold:
 round public-coin:

is an (interactive) that on input (a) only communicates in communication rounds, (b) simply sends the outcomes of its coin tosses in each communication round, and (c) only performs some deterministic computation to determine its final verdict (after having received the message in round ).
 Completeness/Nontriviality:

There exists a (possibly unbounded) Turing machine and a negligible function such that for all ,
 Computational Soundness:

There does not exist a machine and polynomial such that for all sufficiently large ,
In other words, a round puzzle, , gives rise to an round public-coin interactive proof (where ) for the “trivial” language with the property that there does not exist a prover that succeeds in convincing the verifier with inverse polynomial probability for all sufficiently large .
We may also define an almost-everywhere notion of a puzzle by replacing “for all sufficiently large ” in the soundness condition with “for infinitely many ”, and a nonuniform notion of a puzzle which allows both and to be nonuniform (as opposed to just ).
A puzzle is said to have perfect completeness if the “completeness error”, , is 0—in other words, the completeness condition holds with probability 1.
Remark 3.1.
One can consider a more relaxed notion of a puzzle for , where the completeness condition is required to hold with probability for every sufficiently large , and the soundness condition holds with probability for every sufficiently large . But, by “Chernoff-type” parallel-repetition theorems for computationally-sound public-coin protocols [PV12, HPWP10, CL10, CP15], the existence of such a round puzzle implies the existence of a round puzzle. The same holds for almost-everywhere (resp. nonuniform) puzzles.
3.1 Characterizing 2-round Puzzles
In this section we make some basic observations regarding 2-round puzzles; these results mostly follow using standard results in the literature. We begin by observing that the existence of ioOWFs implies the existence of 2-round puzzles.
Proposition 3.2.
Assume the existence of ioOWFs (resp. nonuniform ioOWF). Then, there exists a round puzzle (resp. nonuniform puzzle).
Proof: By the result of Rompel [Rom90] (see also [KK05, HHR10]), we have that ioOWFs imply the existence of infinitely-often “second-preimage” resistant hash-function families that compress bits to bits. (Footnote 11: Roughly speaking, a family of public coin hash functions having the property that for a random and random input , it is hard for any to find a different of the same length that collides with under (that is, , yet ). Rompel’s theorem was only stated for standard OWFs (as opposed to ioOWFs), but the construction and proof also work directly for the infinitely-often variant.) This, in turn, directly yields a simple 2-round puzzle where the challenger uniformly samples a hash function and input and sends to the adversary; accepts a response if , and . Since the hash function is compressing, we have that there exists a negligible function such that with probability , a random will have a “collision” and thus an unbounded can easily find a collision and thus completeness follows. Computational soundness, on the other hand, follows directly from the (infinitely-often) second-preimage resistance property. The same result holds also if we start with nonuniform ioOWFs, except that we now get a nonuniform puzzle.
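The puzzle from the proof of Proposition 3.2, as an added toy example that is not from the paper: the challenger's only message is its coins (a hash key and an input), and its verdict accepts a different input of the same length with the same hash value. The SHA-256-based family, the 16-to-8-bit compression and all function names are assumptions chosen so that the unbounded attacker's exhaustive search finishes instantly; at these sizes the toy illustrates completeness only, since soundness rests on second-preimage resistance at real parameters.

```python
import hashlib
import random

IN_BITS = 16   # toy input length (assumed; chosen so exhaustive search is instant)
OUT_BITS = 8   # toy output length (assumed compression of 16 bits to 8 bits)

def h(key: bytes, x: int) -> int:
    """Assumed stand-in hash family: SHA-256 keyed by `key`, truncated to OUT_BITS."""
    digest = hashlib.sha256(key + x.to_bytes(IN_BITS // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - OUT_BITS)

def challenge(rng):
    """Public-coin first round: the message is exactly the challenger's coins."""
    key = rng.getrandbits(128).to_bytes(16, "big")
    x = rng.getrandbits(IN_BITS)
    return key, x

def verdict(key: bytes, x: int, response) -> int:
    """Deterministic final verdict: 1 iff response is a second preimage of x."""
    if not isinstance(response, int) or not 0 <= response < (1 << IN_BITS):
        return 0  # malformed or wrong-length responses are rejected
    return int(response != x and h(key, response) == h(key, x))

def unbounded_attacker(key: bytes, x: int):
    """Completeness: exhaustive search over the whole domain for a collision."""
    target = h(key, x)
    for cand in range(1 << IN_BITS):
        if cand != x and h(key, cand) == target:
            return cand
    return None  # x has no collision (vanishingly rare with this compression)

def one_guess_attacker(key: bytes, x: int, rng):
    """A bounded strategy for contrast: one random guess, no search."""
    return rng.getrandbits(IN_BITS)

def win_rate(attacker, trials: int, rng) -> float:
    """Fraction of independent puzzle instances on which the challenger outputs 1."""
    wins = 0
    for _ in range(trials):
        key, x = challenge(rng)
        wins += verdict(key, x, attacker(key, x))
    return wins / trials

if __name__ == "__main__":
    rng = random.SystemRandom()
    print("unbounded:", win_rate(unbounded_attacker, 50, rng))
    print("one guess:", win_rate(lambda k, x: one_guess_attacker(k, x, rng), 2000, rng))
```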
We turn to showing that any aeHOA distributional problem implies a 2-round puzzle. (In fact, it even implies an almost-everywhere puzzle.)
Lemma 3.3.
Suppose there exists a distributional problem that is aeHOA. Then there exists an (almost-everywhere) round puzzle.
Proof: Assume there exists a distributional problem such that and is aeHOA. From Lemma 2.2 and Lemma 2.1, we can conclude that there exists a polynomial and a distributional problem that is aeHOA for . Let be some relation corresponding to . Consider a puzzle where samples a random and accepts a response if . We will show that is a puzzle which by Remark 3.1 implies the existence of a 2-round almost-everywhere puzzle. To show completeness, consider an inefficient algorithm that on input tries to find a witness (using brute force) such that and if it is successful sends it to (and otherwise simply aborts). Observe that for all sufficiently large , for a random we have that ; otherwise, can be decided with probability for infinitely many contradicting its aeHOA property. (Footnote 12: Note that this is where we are crucially relying on the almost-everywhere hardness of the distributional problem.) It follows that for all sufficiently large , convinces with probability and thus completeness of follows.
To prove soundness, assume for contradiction that there exists a algorithm such that for infinitely many . Consider the machine that runs and outputs 1 if outputs a valid witness for and otherwise outputs a random bit. By definition, solves the distributional problem with probability for infinitely many , which contradicts the aeHOA property of .
We now turn to showing that 2-round puzzles imply a HOA distributional problem. It will be useful for the sequel to note that the same result also holds in the nonuniform setting.
Lemma 3.4.
Suppose there exists a round puzzle (resp. a nonuniform puzzle). Then, there exists a distributional problem (resp. distributional problem) that is HOA (resp. nuHOA).
Proof: Let be a 2-round puzzle (resp. 2-round nonuniform puzzle). Let be an upper bound on the amount of randomness used by . Consider the relation (resp. relation) that includes all tuples such that given randomness accepts upon receiving , and the sampler that picks a random and outputs . We argue next that is SearchHOA (resp. nuSearchHOA), which concludes the proof by applying Lemma 2.3. Assume for contradiction that there exists a (resp. nonuniform ) machine that solves with probability for all . By the completeness of , there exists some such that for every , . This implies that for all , for at most an fraction of bit strings , ). In particular, for every , for a random , must output a valid witness for with probability , and can thus be used to break the soundness of the puzzle with probability for all sufficiently large which is a contradiction.
If the 2-round puzzle has perfect completeness, essentially the same proof gives a SearchHOA problem in as the relation constructed in the proof of Lemma 3.4 is total if the puzzle has perfect completeness.
Lemma 3.5.
Suppose there exists a round puzzle (resp. almost-everywhere puzzle) with perfect completeness. Then, there exists some search problem and some such that the distributional search problem is SearchHOA (resp. aeSearchHOA).
4 The Round-Collapse Theorem
In this section, we prove our main technical lemma—a round-collapse theorem for round puzzles.
4.1 An Efficient Babai-Moran Theorem
Our main lemma shows that if ioOWFs do not exist, then the Babai-Moran transformation preserves computational soundness.
Lemma 4.1.
Assume there exists a round puzzle such that . Then, either there exists an ioOWF, or there exists a round puzzle. Moreover, if the round puzzle has perfect completeness, then either there exists an ioOWF, or a round puzzle with perfect completeness.
Proof: Consider some round puzzle and assume for contradiction that ioOWFs do not exist. We will show that Babai-Moran’s (BM) [BM88] round reduction works in this setting and thus we can obtain a round puzzle.
Note that if ioOWFs do not exist, every polynomial-time computable function is “invertible” with inverse polynomial probability for all sufficiently long input lengths . In fact, since by [IL90], the existence of distributional one-way functions implies the existence of one-way functions (and this result also works in the infinitely-often setting), we can conclude that if ioOWFs do not exist, for any polynomial , and any polynomial-time computable function , there exists a algorithm such that, for sufficiently large , the following distributions are statistically close.
In this case, we will say that inverts with statistical closeness. We now proceed to show how to use such an inverter to prove that BM’s round-collapse transformation works on . To simplify notation, we will make the following assumptions that are without loss of generality:

has at least 4 communication rounds and sends the first message; we can always add an initial dummy message to achieve this, while only increasing the number of rounds by 1. We will then construct a new puzzle that has rounds (which concludes the theorem). Since, in any puzzle, sends the final message, this implies we can assume is even. To make our notations easier to read, we show how to reduce a round protocol to a rounds.

There exist polynomials such that all messages from are of (the same) length and all the messages from need to be of length (or else rejects). Furthermore, and are polynomial-time computable, and strictly increasing.
We denote by the message (i.e., the message to be sent in round ) from where is ’s randomness and are bit strings (representing the messages received from in the first rounds). Let be rounded upwards to the next power of two. (Footnote 13: We round to the next power of 2 to make it easy to sample a random number in ; this is just to simplify presentation/analysis.) We will show that the BM transformation works (if ioOWFs do not exist), when using repetitions. More precisely, consider the following round puzzle challenger that on input proceeds as follows:

If , output (i.e., proceed just like before round );

If , output (i.e., in round , send the original challenge for round as well as a “wise parallel-repetition” challenge for the original round );

If (i.e., after receiving the message in the last round), output 1 if and only if
for every (i.e., all the parallel instances are accepting),
where is interpreted as
We will show that is a puzzle, and thus by Remark 3.1 this implies a puzzle with the same number of rounds.
We first define some notation:

Given a transcript of an interaction between and an adversary, we let denote the transcript up to and including the round where (in the emulation done by ) sends its ’st message.

We say that is accepting if
(i.e., if is accepting in the transcript).
Completeness:
Completeness (in fact with all but negligible probability) follows directly from the original proof by Babai-Moran [BM88].
Soundness:
Assume for contradiction that there exists a algorithm that convinces on common input with probability such that for all sufficiently large . Let be a polynomial such that runs in time at most when its first input is . We assume without loss of generality that only sends a real last message if will be accepting it (note that since is public coin, can verify this, so it is without loss of generality), and otherwise sends as its last message.
On a high level, using and the fact that polynomial-time computable functions are “invertible”, we will construct a such that for sufficiently large , which contradicts the soundness of the original round puzzle . Towards constructing , we first define a polynomial-time algorithm on which we will apply the inverter . As described in the introduction, we will consider an algorithm that operates on inputs of the form where is an index of one of the parallel sessions and contains the randomness of and . To correctly parse such inputs, let and note that by our assumption on and , this is a strictly increasing and polynomial-time computable function. In the rest of the proof, whenever the security parameter is clear from context, we omit it and let and . Now, consider the machine that on input internally incorporates the code of and proceeds as follows:

finds an such that (simply by enumerating different from 1 up to ). If no such exists, then outputs and halts. Otherwise, interprets as such that , , , , and all the strings are in .

It internally emulates an execution between and on common input and respectively using randomness and