14 research outputs found

    PPAD-Hardness via Iterated Squaring Modulo a Composite

    We show that, relative to a random oracle, solving the END-OF-LINE problem (which is PPAD-complete) is no easier than computing the function $f(N,x,T) = x^{2^T} \bmod N$, where $N$ is an $n$-bit RSA modulus, $x \in \mathbb{Z}_N^*$ and $T \in \mathbb{N}$. It was conjectured by Rivest, Shamir and Wagner that, unless the factorization of $N$ is known, the fastest algorithm for computing $f$ consists of $\Omega(T)$ iterated squaring operations mod $N$. Under a milder assumption, namely that computing $f$ takes $n^{\omega(1)}$ time for some (possibly exponentially) large $T$, our construction of END-OF-LINE cannot be solved in $\text{poly}(n)$ time. We prove our result by reducing $f$ to (a variant of) the SINK-OF-VERIFIABLE-LINE problem, which is known to imply PPAD (and in fact CLS) hardness. The main building block of our reduction is a recently discovered interactive public-coin proof by Pietrzak for certifying $y = f(N,x,T)$, which can be made non-interactive using (an analogue of) the Fiat-Shamir heuristic. The value $y$ can be computed together with the proof in time $\text{poly}(n) \cdot T$, and the proof can be verified in time $\text{poly}(n) \cdot \log T$. The key technical challenge in our setting is to provide a means by which the solution $y$ together with a proof can be computed in small incremental steps, while the correctness of each intermediate state of this computation can still be verified in time $\text{poly}(n, \log T)$.

    IST Austria Thesis

    A search problem lies in the complexity class FNP if a solution to the given instance of the problem can be verified efficiently. The complexity class TFNP consists of all search problems in FNP that are total in the sense that a solution is guaranteed to exist. TFNP contains a host of interesting problems from fields such as algorithmic game theory, computational topology, number theory and combinatorics. Since TFNP is a semantic class, it is unlikely to have a complete problem. Instead, one studies its syntactic subclasses, which are defined based on the combinatorial principle used to argue totality. Of particular interest is the subclass PPAD, which contains important problems like computing a Nash equilibrium for bimatrix games and computational counterparts of several fixed-point theorems as complete problems. In the thesis, we undertake the study of average-case hardness of TFNP, and in particular of its subclass PPAD. Almost nothing was known about average-case hardness of PPAD before a series of recent results showed how to achieve it using a cryptographic primitive called program obfuscation. However, it is currently not known how to construct program obfuscation from standard cryptographic assumptions. Therefore, it is desirable to relax the assumption under which average-case hardness of PPAD can be shown. In the thesis we take a step in this direction. First, we show that assuming the (average-case) hardness of a number-theoretic problem related to factoring of integers, which we call Iterated-Squaring, PPAD is hard-on-average in the random-oracle model. Then we strengthen this result to show that the average-case hardness of PPAD reduces to the (adaptive) soundness of the Fiat-Shamir Transform, a well-known technique used to compile a public-coin interactive protocol into a non-interactive one. As a corollary, we obtain average-case hardness for PPAD in the random-oracle model assuming the worst-case hardness of #SAT.
    Moreover, the above results can all be strengthened to obtain average-case hardness for the class CLS ⊆ PPAD. Our main technical contribution is constructing incrementally-verifiable procedures for computing Iterated-Squaring and #SAT. By incrementally-verifiable, we mean that every intermediate state of the computation includes a proof of its correctness, and the proof can be updated and verified in polynomial time. Previous constructions of such procedures relied on strong, non-standard assumptions. Instead, we introduce a technique called recursive proof-merging to obtain the same from weaker assumptions.

    On the Cryptographic Hardness of Local Search

    We show new hardness results for the class of Polynomial Local Search problems (PLS):
    - Hardness of PLS based on a falsifiable assumption on bilinear groups introduced by Kalai, Paneth, and Yang (STOC 2019), and the Exponential Time Hypothesis for randomized algorithms. Previous standard-model constructions relied on non-falsifiable and non-standard assumptions.
    - Hardness of PLS relative to random oracles. The construction is essentially different from previous constructions, and in particular is unconditionally secure. The construction also demonstrates the hardness of parallelizing local search.
    The core observation behind the results is that the unique-proofs property of incrementally-verifiable computations previously used to demonstrate hardness in PLS can be traded for a simple incremental-completeness property.

    Downward Self-Reducibility in TFNP

    A problem is downward self-reducible if it can be solved efficiently given an oracle that returns solutions for strictly smaller instances. In the decisional landscape, downward self-reducibility is well studied, and it is known that all downward self-reducible problems are in PSPACE. In this paper, we initiate the study of downward self-reducible search problems which are guaranteed to have a solution, that is, the downward self-reducible problems in TFNP. We show that most natural PLS-complete problems are downward self-reducible and that any downward self-reducible problem in TFNP is contained in PLS. Furthermore, if the downward self-reducible problem is in TFUP (i.e. it has a unique solution), then it is actually contained in UEOPL, a subclass of CLS. This implies that if integer factoring is downward self-reducible then it is in fact in UEOPL, suggesting that no efficient factoring algorithm exists that uses the factorization of smaller numbers.

    SNARGs and PPAD Hardness from the Decisional Diffie-Hellman Assumption

    We construct succinct non-interactive arguments (SNARGs) for bounded-depth computations assuming that the decisional Diffie-Hellman (DDH) problem is sub-exponentially hard. This is the first construction of such SNARGs from a Diffie-Hellman assumption. Our SNARG is also unambiguous: for every (true) statement $x$, it is computationally hard to find any accepting proof for $x$ other than the proof produced by the prescribed prover strategy. We obtain our result by showing how to instantiate the Fiat-Shamir heuristic, under DDH, for a variant of the Goldwasser-Kalai-Rothblum (GKR) interactive proof system. Our new technical contributions are (1) giving a $TC^0$ circuit family for finding roots of cubic polynomials over a special family of characteristic $2$ fields (Healy-Viola, STACS '06) and (2) constructing a variant of the GKR protocol whose invocations of the sumcheck protocol (Lund-Fortnow-Karloff-Nisan, STOC '90) only involve degree $3$ polynomials over said fields. Along the way, since we can instantiate Fiat-Shamir for certain variants of the sumcheck protocol, we also show the existence of (sub-exponentially) computationally hard problems in the complexity class $\mathsf{PPAD}$, assuming the sub-exponential hardness of DDH. Previous $\mathsf{PPAD}$ hardness results all required either bilinear maps or the learning with errors assumption.

    On Search Complexity of Discrete Logarithm


    The Cost of Statistical Security in Proofs for Repeated Squaring


    Certifying Giant Nonprimes

    GIMPS and PrimeGrid are large-scale distributed projects dedicated to searching for giant prime numbers, usually of special forms like Mersenne and Proth. The numbers in the current search-space are millions of digits large, and the participating volunteers need to run resource-consuming primality tests. Once a candidate prime $N$ has been found, the only way for another party to independently verify the primality of $N$ used to be by repeating the expensive primality test. To avoid the need for a second computation of each primality test, these projects have recently adopted certifying mechanisms that enable efficient verification of performed tests. However, the mechanisms presently in place only detect benign errors, and there is no guarantee against adversarial behavior: a malicious volunteer can mislead the project into rejecting a giant prime as being non-prime. In this paper, we propose a practical, cryptographically-sound mechanism for certifying the non-primality of Proth numbers. That is, a volunteer can, in parallel to running the primality test for $N$, generate at little extra cost an efficiently verifiable proof certifying that $N$ is not prime. The interactive protocol has statistical soundness and can be made non-interactive using the Fiat-Shamir heuristic. Our approach is based on a cryptographic primitive called Proof of Exponentiation (PoE) which, for a group $\mathbb{G}$, certifies that a tuple $(x,y,T)\in\mathbb{G}^2\times\mathbb{N}$ satisfies $x^{2^T}=y$ (Pietrzak, ITCS 2019 and Wesolowski, J. Cryptol. 2020). In particular, we show how to adapt Pietrzak's PoE at a moderate additional cost to make it a cryptographically-sound certificate of non-primality.
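
    As an added worked example (not code from either the iterated-squaring paper above or the Proth-number paper, whose own adaptation differs), the following Python sketch implements Pietrzak's proof of exponentiation for $y = x^{2^T} \bmod N$ with the Fiat-Shamir heuristic: the halving protocol that lets a verifier check $T$ sequential squarings with about $\log T$ exponentiations. The modulus, base and hash-to-challenge encoding are constructed for illustration only; the group is represented as signed quadratic residues $QR_N^+$, as in Pietrzak's paper, and a real deployment needs a modulus of unknown factorization of ordinary RSA size.

```python
import hashlib

# Toy Blum modulus N = P*Q with P, Q = 3 mod 4 (constructed for this example; a real
# instance needs a ~2048-bit RSA modulus whose factorization nobody knows).
P, Q = 1000003, 1000039
N = P * Q
LAMBDA = 128  # bit length of the Fiat-Shamir challenges


def canon(v: int) -> int:
    """Canonical representative in QR_N^+ (signed quadratic residues): v and -v are the
    same element. Pietrzak's protocol is stated over this group because it has no element
    of order 2; over Z_N^* itself the false claim (x, N-y, T) with T odd would be accepted,
    since the odd-T padding step below squares y and erases the sign."""
    v %= N
    return min(v, N - v)


def iterated_square(x: int, T: int) -> int:
    """y = x^(2^T): T sequential squarings, the inherently sequential computation."""
    y = canon(x)
    for _ in range(T):
        y = canon(y * y)
    return y


def fs_challenge(x: int, y: int, T: int, mu: int) -> int:
    """Fiat-Shamir: the verifier's coins r <- [0, 2^LAMBDA) become a hash of the transcript."""
    data = f"{N}|{x}|{y}|{T}|{mu}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << LAMBDA)


def pad_odd(y: int, T: int):
    """Odd T: replace the claim (x, y, T) by the equivalent claim (x, y^2, T+1)."""
    if T % 2 == 1:
        return canon(y * y), T + 1
    return y, T


def halving_step(x: int, y: int, T: int, mu: int):
    """One round, shared by prover and verifier; precondition: T even.
    With x' = x^r * mu and y' = mu^r * y, if mu = x^(2^(T/2)) and y = x^(2^T)
    then x'^(2^(T/2)) = mu^r * x^(2^T) = y', so (x', y', T/2) is again a true claim."""
    r = fs_challenge(x, y, T, mu)
    return canon(pow(x, r, N) * mu), canon(pow(mu, r, N) * y), T // 2


def prove(x: int, T: int):
    """Prover: returns y = x^(2^T) and a proof of ceil(log2 T) midpoints.
    Cost poly(n)*T: the squaring chain plus about T more squarings over all rounds
    (Pietrzak's prover instead reuses the stored chain; the result is identical)."""
    x = canon(x)
    y = iterated_square(x, T)
    proof = []
    cx, cy, cT = x, y, T
    while cT > 1:
        cy, cT = pad_odd(cy, cT)
        mu = iterated_square(cx, cT // 2)  # midpoint x^(2^(T/2)) of the current claim
        proof.append(mu)
        cx, cy, cT = halving_step(cx, cy, cT, mu)
    return y, proof


def verify(x: int, y: int, T: int, proof) -> bool:
    """Verifier: poly(n)*log T work, two exponentiations per proof element."""
    if T < 1 or canon(x) == 0 or canon(y) == 0:
        return False
    cx, cy, cT = canon(x), canon(y), T
    for mu in proof:
        # Reject proofs that are too long or carry non-canonical / out-of-range elements.
        if cT <= 1 or not 1 <= mu < N or mu != canon(mu):
            return False
        cy, cT = pad_odd(cy, cT)
        cx, cy, cT = halving_step(cx, cy, cT, mu)
    # Base case: the proof must have reduced the claim to T = 1, i.e. y == x^2.
    return cT == 1 and cy == canon(cx * cx)
```

    The proof has exactly $\lceil \log_2 T \rceil$ group elements and the verifier never performs more than $2\lceil \log_2 T \rceil$ exponentiations with $\lambda$-bit exponents, which is the $\text{poly}(n)\cdot\log T$ verification cost quoted above; computing $y$ without the proof still takes $T$ sequential squarings.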

    SNARGs for Bounded Depth Computations from Sub-Exponential LWE

    We construct a succinct non-interactive publicly-verifiable delegation scheme for any log-space uniform circuit under the sub-exponential $\mathsf{LWE}$ assumption, a standard assumption that is believed to be post-quantum secure. For a circuit of size $S$ and depth $D$, the prover runs in time $\mathsf{poly}(S)$, and the verifier runs in time $(D + n) \cdot S^{o(1)}$, where $n$ is the input size. We obtain this result by slightly modifying the $\mathsf{GKR}$ protocol and proving that the Fiat-Shamir heuristic is sound when applied to this modified protocol. We build on the recent works of Canetti et al. (STOC 2019) and Peikert and Shiehian (Crypto 2020), which prove the soundness of the Fiat-Shamir heuristic when applied to a specific (non-succinct) zero-knowledge protocol. As a corollary, by the work of Choudhuri et al. (STOC 2019), this implies that the complexity class $\mathsf{PPAD}$ is hard (on average) under the sub-exponential $\mathsf{LWE}$ assumption, assuming that $\mathsf{\#SAT}$ with $o(\log n \cdot \log\log n)$ variables is hard (on average).

    SNARGs for Bounded Depth Computations and PPAD Hardness from Sub-Exponential LWE

    We construct a succinct non-interactive publicly-verifiable delegation scheme for any log-space uniform circuit under the sub-exponential Learning With Errors ($\mathsf{LWE}$) assumption. For a circuit $C:\{0,1\}^N\rightarrow\{0,1\}$ of size $S$ and depth $D$, the prover runs in time $\mathsf{poly}(S)$, the communication complexity is $D \cdot \mathsf{polylog}(S)$, and the verifier runs in time $(D+N) \cdot \mathsf{polylog}(S)$. To obtain this result, we introduce a new cryptographic primitive: lossy correlation-intractable hash functions. We use this primitive to soundly instantiate the Fiat-Shamir transform for a large class of interactive proofs, including the interactive sum-check protocol and the $\mathsf{GKR}$ protocol, assuming the sub-exponential hardness of $\mathsf{LWE}$. By relying on the result of Choudhuri et al. (STOC 2019), we also establish the sub-exponential average-case hardness of $\mathsf{PPAD}$, assuming the sub-exponential hardness of $\mathsf{LWE}$.
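
    As an added example (not the authors' code), here is a Fiat-Shamir-compiled sumcheck protocol for a 3-variate polynomial of individual degree 3, the kind of sumcheck invocation the GKR variants in the DDH and LWE results above are built around. It is written over the prime field $\mathbb{F}_p$ with $p = 2^{61}-1$ rather than the characteristic-2 fields of the DDH construction, and the polynomial, the field and the hash-to-field encoding are constructed for illustration. Note the provenance of the challenge: SHA-256 stands in for a correlation-intractable hash here, whereas the papers above are precisely about which hash families make this replacement provably sound.

```python
import hashlib
from typing import Callable, List, Sequence

PRIME = (1 << 61) - 1     # Mersenne prime; field F_p chosen for readable arithmetic
DEG = 3                   # degree bound per variable, as in the degree-3 GKR variant
POINTS = list(range(DEG + 1))  # a degree-<=3 univariate is fixed by its values at 0..3


def g_example(x: Sequence[int]) -> int:
    """Constructed 3-variate polynomial, individual degree <= 3: x0^3*x1 + x1*x2^2 + 3*x0 + 7."""
    x0, x1, x2 = x
    return (pow(x0, 3, PRIME) * x1 + x1 * x2 * x2 + 3 * x0 + 7) % PRIME


def boolean_sum(g: Callable[[Sequence[int]], int], prefix: List[int], n_free: int) -> int:
    """Sum of g(prefix, b) over all b in {0,1}^n_free (the prover's brute-force work)."""
    total = 0
    for mask in range(1 << n_free):
        b = [(mask >> k) & 1 for k in range(n_free)]
        total = (total + g(prefix + b)) % PRIME
    return total


def eval_lagrange(values: Sequence[int], r: int) -> int:
    """Evaluate at r the degree-<=3 polynomial with values[j] = s(j) for j = 0..3."""
    acc = 0
    for j, yj in enumerate(values):
        num, den = 1, 1
        for m in POINTS:
            if m != j:
                num = num * ((r - m) % PRIME) % PRIME
                den = den * ((j - m) % PRIME) % PRIME
        acc = (acc + yj * num % PRIME * pow(den, PRIME - 2, PRIME)) % PRIME
    return acc


def fs_challenge(transcript: bytes) -> int:
    """Fiat-Shamir: the verifier's random field element becomes a hash of the transcript."""
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % PRIME


def sumcheck_prove(g: Callable[[Sequence[int]], int], v: int):
    """Non-interactive prover: returns the claimed sum H and v round polynomials.
    Round i sends s_i(X) = sum_b g(r_1..r_{i-1}, X, b) as its values at 0..DEG; the
    challenge r_i is derived from everything sent so far instead of received."""
    H = boolean_sum(g, [], v)
    transcript = f"{v}|{H}".encode()
    rounds, prefix = [], []
    for i in range(v):
        s_i = [boolean_sum(g, prefix + [t], v - i - 1) for t in POINTS]
        rounds.append(s_i)
        transcript += f"|{s_i}".encode()
        prefix.append(fs_challenge(transcript))
    return H, rounds


def sumcheck_verify(g: Callable[[Sequence[int]], int], v: int, H: int, rounds) -> bool:
    """Verifier: recompute each challenge from the transcript, check the round identity
    s_i(0) + s_i(1) == s_{i-1}(r_{i-1}) (with s_0 := H), and finish with one evaluation of g."""
    if len(rounds) != v:
        return False
    transcript = f"{v}|{H}".encode()
    expected, rs = H % PRIME, []
    for s_i in rounds:
        if len(s_i) != DEG + 1 or any(not 0 <= c < PRIME for c in s_i):
            return False
        if (s_i[0] + s_i[1]) % PRIME != expected:
            return False
        transcript += f"|{s_i}".encode()
        r = fs_challenge(transcript)
        rs.append(r)
        expected = eval_lagrange(s_i, r)   # what the next round must sum to
    return g(rs) == expected
```

    The verifier touches $v(\mathsf{DEG}+1)$ field elements and evaluates $g$ once, while the prover does the exponential $2^v$ summation; in GKR the final evaluation of $g$ is itself reduced to claims about the next circuit layer rather than computed directly, which is why only the degree of each sumcheck round matters for the Fiat-Shamir instantiation.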