Is it Easier to Prove Theorems that are Guaranteed to be True?
Rafael Pass ∗ Cornell Tech [email protected]
Muthuramakrishnan Venkitasubramaniam † University of Rochester [email protected]
April 20, 2020
Abstract
Consider the following two fundamental open problems in complexity theory:

• Does a hard-on-average language in NP imply the existence of one-way functions?

• Does a hard-on-average language in NP imply a hard problem in TFNP (i.e., the class of total NP search problems)?

Our main result is that the answer to (at least) one of these questions is yes.

Both one-way functions and problems in TFNP can be interpreted as promise-true distributional NP search problems—namely, distributional search problems where the sampler only samples true statements. As a direct corollary of the above result, we thus get that the existence of a hard-on-average distributional NP search problem implies a hard-on-average promise-true distributional NP search problem. In other words:

It is no easier to find witnesses (a.k.a. proofs) for efficiently-sampled statements (theorems) that are guaranteed to be true.
This result follows from a more general study of interactive puzzles—a generalization of average-case hardness in NP—and in particular, a novel round-collapse theorem for computationally-sound protocols, analogous to Babai-Moran's celebrated round-collapse theorem for information-theoretically sound protocols. As another consequence of this treatment, we show that the existence of O(1)-round public-coin non-trivial arguments (i.e., argument systems that are not proofs) implies the existence of a hard-on-average problem in NP/poly.

∗ Cornell Tech. Supported in part by NSF Award SATC-1704788, NSF Award RI-1703846, and AFOSR Award FA9550-18-1-0267. This research is based upon work supported in part by the Office of the Director of National Intelligence (ODNI), Intelligence Advanced Research Projects Activity (IARPA), via 2019-19-020700006. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of ODNI, IARPA, or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright annotation therein.

† Supported by Google Faculty Research Grant, NSF Award CNS-1618884 and Intelligence Advanced Research Projects Activity (IARPA) via 2019-19-020700009. Work done partially at Cornell Tech sponsored by Cornell Tech and DIMACS Research Visit Program via DIMACS/Simons Collaboration in Cryptography.

1 Introduction
Even if NP ≠ P, it could be that in practice NP problems are easy, in the sense that the problems we encounter in "real life" come from some distribution that makes them easy to solve. The complexity-theoretic study of average-case hardness of NP problems addresses this issue [Lev86, Gur91, BCGL92, IL90]. A particularly appealing abstraction of an average-case analog of NP ≠ P was provided by Gurevich in his 1989 essay [Gur89] through his notion of a Challenger-Solver Game. Consider a probabilistic polynomial-time Challenger C who samples an instance x and provides it to the Solver S. The solver S is supposed to find a witness to x and is said to win if either (1) the statement x chosen by the challenger is false, or (2) S succeeds in finding a witness w for x. We refer to the Challenger-Solver game as being hard if no probabilistic polynomial-time (PPT) solver succeeds in winning the game with inverse polynomial probability. (In other words, such a game models a hard-on-average distributional search problem in NP.) The existence of a hard Challenger-Solver game means that there exists a way to efficiently sample mathematical statements x for which no computationally bounded mathematician can find proofs. (Impagliazzo [Imp95] considers a similar type of game between Professor Grauss and young Gauss, where Professor Grauss is trying to embarrass Gauss by picking mathematical problems that Gauss cannot solve.)

But an unappealing aspect of a Challenger-Solver game (which already goes back to the definition of distributional search problems [BCGL92]) is that checking whether the solver wins cannot necessarily be done efficiently, as it requires determining whether the sampled instance x is in the language. Does it make the problem easier if we restrict the challenger to always sample true statements x? In other words, "Is it easier to find proofs for efficiently-sampled mathematical statements that are guaranteed to be true?"
In complexity-theoretic terms:

Does the existence of a hard-on-average distributional search problem in NP imply the existence of a hard-on-average distributional search problem where the sampler only samples true statements?

We refer to distributional search problems where the sampler only samples true statements as promise-true distributional search problems. The above question, and the notion of a promise-true distributional search problem, actually predates the formal study of average-case complexity: It was noted already by Even, Selman and Yacobi [ESY84] in 1984 that for typical applications of (average-case) hardness for NP problems—in particular, for cryptographic applications—we need hardness for instances that are "promised" to be true. As they noted (following [EY80]), in the context of public-key encryption, security is only required for ciphertexts that are sampled as valid encryptions of some message. (This motivated [ESY84] to introduce the concept of a promise problem; see also [Gol06] for further discussion of this issue and the connection to average-case complexity.)

Intuitively, restricting to challengers that only sample true statements ought to make the job of the challenger a lot harder: it now needs to be sure that the sampled instance is true. There are two natural methods for the challenger to achieve this task:

(a) sampling the statement x together with a witness w (as this clearly enables the challenger to be sure that x is true); and,

(b) restricting attention to NP languages where every statement is true.

[Footnote: Gurevich actually outlines several classes of Challenger-Solver games; we here outline one particular instance of it, focusing on NP search problems.]

[Footnote: Or equivalently, to distributions where one can efficiently check when the sampler outputs a false instance.]

[Footnote: As remarked in [EY80], these types of "problems with a promise" can be traced back even further: they are closely related to what was referred to as a "birdy" problem in [Gin66] and a "partial algorithm problem" in [Ull67], in the study of context-free languages.]

As noted by Impagliazzo [Gur89, Imp95], the existence of a challenger-solver game satisfying restriction (a) is equivalent to the existence of one-way functions. But whether the existence of a hard-on-average language in NP implies the existence of one-way functions is arguably the most important open problem in the foundations of Cryptography: One-way functions are both necessary [IL89] and sufficient for many of the central cryptographic tasks (e.g., pseudorandom generators [HILL99], pseudorandom functions [GGM84], private-key encryption [GM84, BM88]). As far as we know, there are only two approaches towards demonstrating the existence of one-way functions from average-case NP hardness: (1) Ostrovsky and Wigderson [OW93a] demonstrate such an implication assuming that NP has zero-knowledge proofs [GMW91], (2) Komargodski et al. [KMN+…] demonstrate such an implication (… NP implies one-way functions) assuming the existence of indistinguishability obfuscators [BGI+…] (… NP ⊆ BPP).

A hard challenger-solver game satisfying restriction (b), on the other hand, is syntactically equivalent to a hard-on-average problem in the class
TFNP [MP91]: the class TFNP (total function NP) is the search analog of NP with the additional guarantee that every instance has a solution. In other words, TFNP is the class of search problems in NP ∩ coNP (i.e., F(NP ∩ coNP)). In recent years, TFNP has attracted extensive attention due to its natural syntactic subclasses that capture the computational complexity of important search problems from algorithmic game theory, combinatorial optimization and computational topology—perhaps most notable among those are the classes PPAD [Pap94, GP16], which characterizes the hardness of computing Nash equilibria [DGP09, CDT09, DP11], and PLS [JPY85], which characterizes the hardness of local search. A central open problem is whether (average-case) NP hardness implies (average-case) TFNP hardness. A recent elegant result by Hubacek, Naor, and Yogev [HNY17] shows that under certain strong "derandomization" assumptions [NW94, IW97, MV05, BOV07]—the existence of Nisan-Wigderson (NW) [NW94] type pseudorandom generators that fool circuits with oracle gates to languages in the second level of the polynomial hierarchy—(almost everywhere) average-case hardness of NP implies average-case hardness of TFNP. Hubacek et al. also present another condition under which TFNP is average-case hard: assuming the existence of one-way functions and non-interactive witness indistinguishable proofs (NIWI) [FS90, DN00, BOV07] for NP.

The above mentioned works thus give complexity-theoretic assumptions (e.g., the existence of zero-knowledge proofs for NP, or strong derandomization assumptions) under which the above problem has a positive resolution. But these assumptions are both complex and strong. Our main result provides a resolution to the above problem without any complexity-theoretic assumption:

Theorem 1.1 (Informally stated). The existence of an almost-everywhere hard-on-average language in NP implies the existence of a hard-on-average promise-true distributional search problem in NP.

[Footnote: That is, a function f that can be computed in polynomial time but cannot be efficiently inverted. Such a function f directly yields the desired sampling method: pick a random string r and let x = f(r) be the statement and r the witness. Conversely, to see why the existence of such a sampling method implies a one-way function, consider the function f that takes the random coins used by the sampling method and outputs the instance generated by it.]

[Footnote: Such PRGs are known under the assumption that E = DTIME[$2^{O(n)}$] has no $2^{\epsilon n}$-sized $\Pi_2$-circuits, for all ǫ > 0. A $\Pi_2$-circuit is a standard circuit that can additionally perform oracle queries to any language L ∈ $\Pi_2$ (i.e., any language in the second level of the polynomial hierarchy).]

[Footnote: [HNY17] also show that average-case hardness of NP implies an average-case hard problem in TFNP/poly (i.e., TFNP with a non-uniform verifier). In essence, this follows since non-uniformity enables unconditional derandomization.]

[Footnote: Pedantically, it is not a fully complete resolution, as we start with an almost-everywhere hard problem and only get an infinitely-often hard problem. But, except for this minor issue, it is a complete resolution. We also note that earlier results [OW93a, HNY17] also require starting off with an almost-everywhere hard-on-average language in NP.]

In fact, we demonstrate an even stronger statement. Perhaps surprisingly, we show that, without loss of generality, the sampler/challenger of the distributional search problem needs to satisfy one of the above two "natural" restrictions:
Theorem 1.2 (Informally stated). The existence of an almost-everywhere hard-on-average language in NP implies either (a) the existence of one-way functions, or (b) a hard-on-average TFNP problem.

In other words, in Impagliazzo's Pessiland [Imp95] (a world where NP is hard-on-average, but one-way functions do not exist), TFNP is unconditionally hard (on average).

Towards proving this result, we consider an alternative notion of a Challenger-Solver game, which we refer to as an Interactive Puzzle. Roughly speaking, there are 2 differences: (1) whether the solver wins should always be computationally feasible to determine, and (2) we allow for more than just 2 rounds of interaction. As we hope to convey, the study of interactive puzzles is intriguing in its own right and yields other applications.
We initiate a complexity-theoretic study of interactive puzzles: 2-player interactive games between a polynomial-time challenger C and a Solver/Attacker satisfying the following properties:

Computational Soundness: There does not exist a probabilistic polynomial-time (PPT) attacker $A^*$ and polynomial p such that $A^*(1^n)$ succeeds in making $C(1^n)$ output 1 with probability 1/p(n) for all sufficiently large n ∈ N.

Completeness/Non-triviality: There exists a negligible function µ and an inefficient attacker A that on input $1^n$ succeeds in making $C(1^n)$ output 1 with probability 1 − µ(n) for all n ∈ N.

Public Verifiability: Whether C accepts should just be a deterministic function of the transcript.

In other words, (a) no polynomial-time attacker $A^*$ can make C output 1 with inverse polynomial probability, yet (b) there exists a computationally unbounded attacker A that makes C output 1 with overwhelming probability. We refer to C as a k(·)-round computational puzzle (or simply a k(·)-round puzzle) if C satisfies the above completeness and computational soundness conditions, while restricting $C(1^n)$ to communicate with A in k(n) rounds. In this work, we mostly restrict our attention to public-coin puzzles, where the Challenger's messages are simply random strings.

As an example of a 2-round public-coin puzzle, let f be a one-way permutation and consider a game where $C(1^n)$ samples a random y ∈ $\{0,1\}^n$ and requires the adversary to output a preimage x such that f(x) = y. Since f is a permutation, this puzzle has "perfect" completeness: an unbounded attacker A can always find a pre-image x. By the one-wayness of f (and the permutation property of f), we also have that no PPT adversary $A^*$ can find such an x (with inverse polynomial probability), and thus soundness holds. If, however, f had only been a one-way function and not a permutation, then we can no longer sample a uniform y, but rather must have C first sample a random x and next output y = f(x). This 2-round puzzle does not satisfy the public-coin property, but it still has perfect completeness.

[Footnote: That is, a language in NP such that for every δ > 0, no PPT attacker A can decide random instances with probability greater than 1/2 + δ for infinitely many (as opposed to all) n ∈ N. Such an "almost-everywhere" notion is more commonly used in the cryptographic literature.]

[Footnote: Following the nomenclature in the cryptographic literature, we use the name Attacker instead of Solver.]

It is not hard to see that the existence of 2-round (public-coin) puzzles is "essentially" equivalent to the existence of an average-case hard problem in NP: any 2-round public-coin puzzle trivially implies a hard-on-average search problem (w.r.t. the uniform distribution) in NP and thus, by [IL90], also a hard-on-average decision problem in NP. Furthermore, "almost-everywhere" hard-on-average languages in NP also imply the existence of a 2-round puzzle (by simply sampling many random instances x and asking the attacker to provide a witness for at least, say, 1/… of them).

Proposition 1.1 (informally stated). The existence of an (almost-everywhere) hard-on-average language in NP implies the existence of a 2-round puzzle. Furthermore, the existence of a 2-round puzzle implies the existence of a hard-on-average language in NP.

Thus, 2-round puzzles are "morally" (up to the infinitely-often/almost-everywhere issue) equivalent to the existence of a hard-on-average language in NP. As such, k(·)-round puzzles are a natural way to generalize average-case hardness in NP. Additionally, natural restrictions of 2-round puzzles capture natural subclasses of distributional problems in NP:

• the existence of a hard-on-average problem in TFNP is syntactically equivalent to the existence of a 2-round public-coin puzzle with perfect completeness.
• the existence of a hard-on-average promise-true distributional search problem is syntactically equivalent to a 2-round (private-coin) puzzle with perfect completeness.

While the game-based modeling in the notion of a puzzle is common in the cryptographic literature—most notably, it is commonly used to model cryptographic assumptions [Nao03, Pas11, GW11]—complexity-theoretic consequences or properties of puzzles have remained largely unexplored.

Perhaps the most basic question regarding the existence of interactive puzzles is whether the existence of a k-round puzzle is actually a weaker assumption than the existence of a (k − 1)-round puzzle (and ultimately than average-case hardness in NP): Does the existence of a k-round puzzle imply the existence of a (k − 1)-round puzzle? We here focus our attention only on public-coin puzzles. At first sight, one would hope the classic "round-reduction" theorem due to Babai-Moran (BM) [BM88] can be applied to collapse any O(1)-round puzzle into a 2-round puzzle (i.e., a hard-on-average NP problem). Unfortunately, while BM's round reduction technique indeed works for all information-theoretically sound protocols, Wee [Wee06] demonstrated that BM's round reduction fails for computationally sound protocols. In particular, Wee shows that black-box proofs of security cannot be used to prove that BM's transformation preserves soundness even when applied to just 3-round protocols, and demonstrates (under computational assumptions) a concrete 4-round protocol for which BM's round-reduction results in an unsound protocol.

As BM's round reduction is the only known round-reduction technique (which does not rely on any assumptions), it was generally conjectured that the existence of a k-round puzzle is a strictly stronger assumption than the existence of a (k + 1)-round puzzle—in particular, this would imply the existence of infinitely many worlds between Impagliazzo's Pessiland and Heuristica [Imp95] (i.e., infinitely many worlds where NP ≠ P yet average-case NP hardness does not exist). Further evidence in this direction comes from a work by Gertner et al. [GKM+00] which shows a black-box separation between k-round puzzles and (k + 1)-round puzzles for a particular cryptographic task (namely that of a key-agreement scheme). In contrast to the above negative results, our main technical result provides an affirmative answer to the above question: we demonstrate a round-reduction theorem for puzzles.

[Footnote: The reason we need the language to be almost-everywhere hard-on-average is to guarantee that YES instances exist for every sufficiently large input length, or else completeness would not hold.]

Theorem 1.3 (informally stated). For every constant c, the existence of a k(·)-round public-coin puzzle is equivalent to the existence of a (k(·) − c)-round public-coin puzzle.

In particular, as a corollary of this result, we get that the assumption that an O(1)-round public-coin puzzle exists is not weaker than the assumption that average-case hardness in NP exists:

Corollary 1.4 (informally stated). The existence of an O(1)-round puzzle implies the existence of a hard-on-average problem in NP.

Perhaps paradoxically, we strongly rely on BM's round reduction technique, yet we rely on a non-black-box security analysis. Our main technical lemma shows that if infinitely-often one-way functions do not exist (i.e., if we can invert any function for all sufficiently large input lengths), then BM's round reduction actually works:

Lemma 1.2 (informally stated). Either infinitely-often one-way functions exist, or BM's round-reduction transformation turns a k(·)-round puzzle into a (k(·) − 1)-round puzzle.

We provide a proof outline of Lemma 1.2 in Section 1.5. The proof of Theorem 1.3 now easily follows by considering two cases:
Case 1: (Infinitely-often) one-way functions exist. In such a world, we can rely on Rompel's construction of a universal one-way hash function [NY89, Rom90] to get a 2-round puzzle.

Case 2: (Infinitely-often) one-way functions do not exist. In such a world, by Lemma 1.2, BM's round reduction preserves soundness of the underlying protocol and thus we obtain a puzzle with one round fewer. We can next iterate BM's round reduction any constant number of times.

A natural question is whether we can collapse more than a constant number of rounds. Our next result, which characterizes the existence of poly(n)-round puzzles, shows that this is unlikely.

Theorem 1.5 (informally stated). For every ǫ > 0, there exists an $n^{\epsilon}$-round (public-coin) puzzle if and only if PSPACE ⊈ BPP.

[Footnote: The example from [GKM+00] isn't quite captured by our notion of a computational puzzle as their challenger is not public coin.]

[Footnote: Recall that a one-way function f is a function that is efficiently computable, yet there does not exist a PPT attacker A and polynomial p(·) such that A inverts f with probability 1/p(n) for infinitely many input lengths n ∈ N. A function f is infinitely-often one-way if the same conditions hold except that we only require that no PPT attacker A succeeds in inverting f with probability 1/p(n) for all sufficiently large n ∈ N—i.e., it is hard to invert f "infinitely often".]

In particular, if $n^{\epsilon}$-round public-coin puzzles imply O(1)-round public-coin puzzles, then by combining Theorem 1.3 and Theorem 1.5, we have that PSPACE ⊈ BPP implies the existence of a hard-on-average problem in NP, which seems unlikely. Theorem 1.5 also shows that the notion of an interactive puzzle (with a super-constant number of rounds) is indeed a non-trivial generalization of average-case hardness in NP. Theorem 1.5 follows using mostly standard techniques. We next present some complexity-theoretic consequences of our treatment of interactive puzzles.
We outline how the round-reduction theorem can be used to prove Theorem 1.2 in the following steps:

• As mentioned above, an (almost-everywhere) hard-on-average problem in NP yields a 2-round puzzle;

• We can next use a standard technique from the literature on interactive proofs (namely the result of [FGM+…]) to obtain a puzzle with perfect completeness.

• We next observe that the BM transformation preserves perfect completeness of the protocol. Thus, by Lemma 1.2, either infinitely-often one-way functions exist, or we can get a 2-round puzzle with perfect completeness.

• Finally, as observed above, the existence of a 2-round puzzle with perfect completeness is syntactically equivalent to the existence of a hard-on-average problem in TFNP (with respect to the uniform distribution on instances).

The above proof approach actually only concludes a slightly weaker form of Theorem 1.2: we only show that either TFNP is hard or infinitely-often one-way functions exist. As infinitely-often one-way functions directly imply 2-round private-coin puzzles with perfect completeness, which (as observed above) are syntactically equivalent to hard-on-average promise-true distributional search problems, this however already suffices to prove Theorem 1.1.

We can also get the proof of the stronger conclusion of Theorem 1.2 (i.e., conclude the existence of standard, i.e., "almost-everywhere", one-way functions) by noting that an almost-everywhere hard-on-average language in NP actually implies a 2-round puzzle satisfying an "almost-everywhere" notion of soundness, and for such "almost-everywhere puzzles", Lemma 1.2 can be strengthened to show that either one-way functions exist, or BM's round-reduction works.

[Footnote: Any puzzle C can be broken using a PSPACE oracle (as the optimal strategy can be found using a PSPACE oracle), so if PSPACE ⊆ BPP, it can also be broken by a probabilistic polynomial-time algorithm. For the other direction, recall that worst-case to average-case reductions are known for PSPACE [FF93, BFNW93]. In other words, there exists a language L ∈ PSPACE that is hard-on-average assuming PSPACE ⊈ BPP. Additionally, recall that PSPACE is closed under complement. We then construct a public-coin puzzle where C first samples a hard instance x for L and then asks A to determine whether x ∈ L and next provide an interactive proof—using [Sha92, LFKN92], which is public-coin—for containment or non-containment in L. This puzzle clearly satisfies the completeness condition. Computational soundness, on the other hand, follows directly from the hard-on-average property of L (and the unconditional soundness of the interactive proof of [Sha92]).]

[Footnote: More precisely, the variant of Lemma 1.2 says that either one-way functions exist, or the existence of a k-round almost-everywhere puzzle yields the existence of a (k − 1)-round …]

1.4 The Complexity of Non-trivial Public-coin Arguments

Soon after the introduction of interactive proofs by Goldwasser, Micali and Rackoff [GMR89] and Babai and Moran [BM88], Brassard, Chaum and Crepeau [BCC88] introduced the notion of an interactive argument. Interactive arguments are defined identically to interactive proofs, but the soundness condition is relaxed to only hold with respect to non-uniform
PPT algorithms (i.e., no non-uniform PPT algorithm can produce proofs of false statements, except with negligible probability). Interactive arguments have proven extremely useful in the cryptographic literature, most notably due to the feasibility (assuming the existence of collision-resistant hash functions) of succinct public-coin argument systems for NP—namely, argument systems with sublinear, or even polylogarithmic, communication complexity [Kil92, Mic00]. Under widely believed complexity assumptions (i.e., NP not being solvable in subexponential time), interactive proofs cannot be succinct [GH98].

A fundamental problem regarding interactive arguments involves characterizing the complexity of non-trivial argument systems—namely, interactive arguments that are not interactive proofs (in other words, the soundness condition is inherently computational). As far as we know, the first explicit formalization of this question appears in a recent work by Goldreich [Gol18], but the notion of a non-trivial argument has been discussed in the community for at least 15 years. We focus our attention on public-coin arguments (similar to our treatment of puzzles). Using our interactive average-case hardness treatment, we are able to establish an "almost-tight" characterization of constant-round public-coin non-trivial arguments.

Theorem 1.6 (informally stated). The existence of an O(1)-round public-coin non-trivial argument for any language L implies a hard-on-average language in NP/poly. Conversely, the existence of a hard-on-average language in NP implies an (efficient-prover) 2-round public-coin non-trivial argument for NP.

The first part of the theorem is shown by observing that any public-coin non-trivial argument can be turned into a non-uniform public-coin puzzle (where the challenger is a non-uniform PPT algorithm), and next observing that our round-collapse theorem also applies to non-uniform puzzles. The second part follows from the observation that we can take any NP proof for some language L and extend it into a 2-round non-trivial argument for L where the verifier samples a random statement x′ from a hard-on-average language L′ and next requires the prover to provide a witness w that either x ∈ L or x′ ∈ L′. Completeness follows trivially (as we can always provide a normal NP witness proving that x ∈ L), and computational soundness follows directly if L′ is sufficiently hard-on-average (in the sense that it is hard to find witnesses to true statements with inverse polynomial probability). This argument system is not a proof, though, since by the hard-on-average property of L′, there must exist infinitely many input lengths for which random instances are contained in L′ with inverse polynomial probability.

We finally observe that the existence of $n^{\epsilon}$-round non-trivial public-coin arguments is equivalent to PSPACE ⊈ P/poly.

Theorem 1.7 (informally stated). For every ǫ > 0, there exists an (efficient-prover) $n^{\epsilon}$-round non-trivial public-coin argument (for NP) if and only if PSPACE ⊈ P/poly.

The "only-if" direction was already proven by Goldreich [Gol18] and follows just as the only-if direction of Theorem 1.5. The "if" direction follows by combining a standard NP proof with the puzzle from Theorem 1.5 (which becomes sound w.r.t. non-uniform PPT attackers assuming PSPACE ⊈ P/poly), and requiring the prover to either provide the NP witness, or to provide a solution to the puzzle.

[Footnote: Wee [Wee05] also considers a notion of a non-trivial argument, but his notion refers to what today is called a succinct argument.]

1.5 Proof Overview for Lemma 1.2

We here provide a proof overview of our main technical lemma. As mentioned, we shall show that if one-way functions do not exist, then Babai-Moran's round reduction method actually works. Towards this we will rely on two tools:

• Pre-image sampling. By the result of Impagliazzo and Levin [IL90], the existence of so-called "distributional one-way functions" (functions for which it is hard to sample a uniform pre-image) implies the existence of one-way functions. So if one-way functions do not exist, we have that for every efficient function f, given a sample f(x) for a random input x, we can efficiently sample a (close to random) pre-image x′.

• Raz's sampling lemma (from the literature on parallel repetition for 2-prover games and interactive arguments [Raz98, HPWP10, CP15]). This lemma states that if we sample ℓ uniform n-bit random variables $R_1, R_2, \ldots, R_\ell$ conditioned on some event W that happens with sufficiently large probability ǫ, then the conditional distribution of $R_i$ for a randomly selected index i will be close to uniform. More precisely, the statistical distance will be $\sqrt{\log(1/\epsilon)/\ell}$, so even if ǫ is tiny, as long as we have sufficiently many repetitions ℓ, the distance will be small.

To see how we will use these tools, let us first recall the BM transformation (and its proof for the case of information-theoretically sound protocols). To simplify our discussion, we here focus on showing how to collapse a 3-round public-coin protocol between a prover P and a public-coin verifier V into a 2-round protocol. We denote a transcript of the 3-round protocol $(p_1, r, p_2)$, where $p_1$ and $p_2$ are the prover messages and r is the randomness of the verifier.
Let n = $|p_1|$ be the length of the first prover message. The BM transformation collapses this protocol into a 2-round protocol in the following two steps:

Step 1: Reducing soundness error: First, use a form of parallel repetition to make the soundness error $2^{-2n}$ (i.e., extremely small). More precisely, consider a 3-round protocol where P first still sends just $p_1$, next the verifier picks ℓ = 2n random strings $\vec r = (r_1, \ldots, r_\ell)$, and finally P needs to provide accepting answers $\vec p = (p^1, \ldots, p^\ell)$ to all of the queries $\vec r$ (so that for every i ∈ [ℓ], $(p_1, r_i, p^i)$ is an accepting transcript).

Step 2: Swap order of messages: Once the soundness error is small, yet the length of the first message is short, we can simply allow the prover to pick its first message $p_1$ after having seen $\vec r$. In other words, we now have a 2-round protocol where V first picks $\vec r$, then the prover responds by sending $p_1, \vec p$. This swapping preserves soundness by a simple union bound: since (by soundness) for every string $p_1$, the probability over $\vec r$ that there exists some accepting response $\vec p$ is $2^{-2n}$, it follows that with probability at most $2^n \times 2^{-2n} = 2^{-n}$ over $\vec r$, there exists some $p_1$ that has an accepting $\vec p$ (as the number of possible first messages $p_1$ is $2^n$). Thus soundness still holds (with a $2^n$ degradation) if we allow P to choose $p_1$ after seeing $\vec r$.

For the case of computationally sound protocols, the "logic" behind both steps fails: (1) it is not known how to use parallel repetition to reduce soundness error beyond negligible, and (2) the union bound cannot be applied since, for computationally sound protocols, it is not the case that responses $\vec p$ do not exist; rather, they are just hard to find. Yet, as we shall see, using the above tools, we present a different proof strategy. More precisely, to capture computational hardness, we show a reduction from any polynomial-time attacker A that breaks soundness of the collapsed protocol with probability ǫ, to a polynomial-time attacker B that breaks soundness of the original 3-round protocol.

B starts by sampling a random string $\vec r'$ and computes A's response given this challenge: $(p_1', \vec p') \leftarrow A(\vec r')$. If the response is not an accepting transcript, simply abort; otherwise, take $p_1'$ and forward it externally as B's first message. (Since A is successful in breaking soundness, B won't abort with probability ǫ.) Next, B gets a verifier challenge r from the external verifier and needs to figure out how to provide an answer to it.

[Footnote: Earlier works [HPWP10, CP15] always used Raz's lemma when ǫ was non-negligible. In contrast, we will here use it also when ǫ is actually negligible.]
If B is lucky and r is one of the challenges r'_i in ~r', then B could provide the appropriate p message, but this unfortunately will only happen with negligible probability. Rather, B will try to get A to produce another accepting transcript (p'', ~r'', ~p'') that (1) still contains p' as the prover's first message (i.e., p'' = p'), and (2) contains r in some coordinate i of ~r''. To do this, B will consider the function f(~r, z, i), which runs (p, ~p) ← A(~r; z) (i.e., A has its randomness fixed to z) and outputs (p, r_i) if (p, ~r, ~p) is accepting and ⊥ otherwise, and runs the pre-image sampler for this function f on (p', r) to recover some new (verifier challenge, randomness, index) tuple (~r'', z, i) which leads A(~r''; z) to produce a transcript (p', ~r'', ~p'') of the desired form; B can subsequently forward externally the i'th coordinate of ~p'' as its response and convince the external verifier.

So, as long as the pre-image sampler indeed succeeds with high enough probability, we have managed to break soundness of the original 3-round protocol. The problem is that the pre-image sampler is only required to work given outputs that are correctly distributed over the range of the function f, and the input (p, r) that we now feed it may not be so; for instance, perhaps A(~r) chooses the string p as a function of ~r. So, whereas the marginal distributions of both p and r are correct, the joint distribution is not. In particular, the distribution of r conditioned on p may be off. We, however, show how to use Raz's lemma to argue that if the number of repetitions ℓ is sufficiently bigger than the length of p, the conditional distribution of r cannot be too far from uniform (and thus the pre-image sampler will work).
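The two information-theoretic steps above (parallel repetition, then swapping the message order and paying a 2^{|p|} union-bound factor) can be checked exhaustively on a toy protocol. The following is an added example, not code from the paper: the toy predicate accept(p, r, q), the parameters a, b, ℓ and all function names are constructed for illustration.

```python
import itertools
from fractions import Fraction

# Toy 3-round public-coin protocol, constructed for this example.  The prover
# commits to p in {0,1}^a, the verifier sends a challenge r in {0,1}^b, and the
# prover answers q in {0,1}^b.  The verifier accepts (p, r, q) iff the parity of
# p equals the first challenge bit.  q is irrelevant to acceptance, so the only
# thing that matters (as in the information-theoretic argument) is whether, for
# a committed p, *any* accepting answer exists.  The base soundness error is
# therefore exactly 1/2: half of all r admit an accepting answer.

def bitstrings(n):
    return list(itertools.product((0, 1), repeat=n))

def accept(p, r, q):
    return sum(p) % 2 == r[0]

def answerable(p, r, b):
    # Is there some q with (p, r, q) accepting?
    return any(accept(p, r, q) for q in bitstrings(b))

def answerable_all(p, rs, b):
    # Step 1, parallel repetition: does an accepting vector ~p = (q_1..q_l)
    # exist for the committed p and challenge vector ~r = rs?
    return all(answerable(p, r, b) for r in rs)

def soundness_committed(a, b, l):
    """Soundness error of the 3-round, l-fold repeated protocol: the best a
    cheating prover can do when p must be fixed BEFORE seeing ~r, i.e.
    max_p Pr_{~r}[exists accepting ~p]."""
    challenges = list(itertools.product(bitstrings(b), repeat=l))
    best = Fraction(0)
    for p in bitstrings(a):
        wins = sum(1 for rs in challenges if answerable_all(p, rs, b))
        best = max(best, Fraction(wins, len(challenges)))
    return best

def soundness_swapped(a, b, l):
    """Soundness error of the 2-round protocol after Step 2: the prover sees
    ~r first and then picks p, i.e. Pr_{~r}[exists p with accepting ~p]."""
    challenges = list(itertools.product(bitstrings(b), repeat=l))
    wins = sum(1 for rs in challenges
               if any(answerable_all(p, rs, b) for p in bitstrings(a)))
    return Fraction(wins, len(challenges))

def union_bound(a, committed_error):
    """The bound used in the text: at most 2^{|p|} first messages, each with
    probability at most committed_error of admitting an accepting ~p."""
    return Fraction(2 ** a) * committed_error

if __name__ == "__main__":
    a, b, l = 2, 2, 4
    e3 = soundness_committed(a, b, l)
    e2 = soundness_swapped(a, b, l)
    print(f"base error (l=1): {soundness_committed(a, b, 1)}")
    print(f"after {l}-fold repetition, p committed first: {e3}")
    print(f"after swapping (p chosen after ~r): {e2}")
    print(f"union bound 2^a * {e3} = {union_bound(a, e3)}")
```

With a = 2, b = 2, ℓ = 4 the committed-first error drops from 1/2 to 1/16, the swapped protocol's true error is 1/8, and the union bound 2^a · 1/16 = 1/4 is, as the text says, a valid (if loose) upper bound on it.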
On a high level, we proceed as follows:

• Note that in the one-way function experiment, we can think of the output distribution (p, r) of f on a random input as having been produced by first sampling p and next, if p ≠ ⊥, sampling ~r conditioned on the event W_p that A generates a successful transcript with first-round prover message p, and finally sampling a random index i and outputting p and r_i (and otherwise outputting ⊥).

• Note that by an averaging argument, we have that with probability at least ǫ over the choice of p, Pr[W_p] ≥ ǫ n +1 (otherwise, the probability that A succeeds would need to be smaller than ǫ + 2 n × ǫ n +1 = ǫ, which is a contradiction).

• Thus, whenever we pick such a "good" p (i.e., a p such that Pr[W_p] ≥ ǫ n +1), by Raz' lemma the distribution of r_i for a random i can be made 1/p(n)-close to uniform for any polynomial p by choosing ℓ to be sufficiently large (yet polynomial). Note that even though the lower bound on Pr[W_p] is negligible, the key point is that it is independent of ℓ, and as such we can still rely on Raz' lemma by choosing a sufficiently large ℓ. (As we pointed out above, this usage of Raz' lemma even on very "rare" events, with negligible probability mass, is different from how it was previously applied to argue soundness for computationally sound protocols [HPWP10, CP15].)

• It follows that conditioned on picking such a "good" p, the pre-image sampler will also successfully generate correctly distributed preimages if we feed it (p, r) where r is randomly sampled. But this is exactly the distribution that B feeds to the pre-image sampler, so we conclude that with probability ǫ over the choice of p, B will manage to convince the outside verifier with probability close to 1.

This concludes the proof overview for 3-round protocols. When the protocol has more than 3 rounds, we can apply a similar method to collapse the last rounds of the protocol.
The analysis now needs to be appropriately modified to condition also on the prefix of the partial execution up until the last rounds.

We assume familiarity with basic concepts such as Turing machines, interactive Turing machines, polynomial-time algorithms, probabilistic polynomial-time algorithms (PPT), non-uniform polynomial-time and non-uniform PPT algorithms. A function µ is said to be negligible if for every polynomial p(·) there exists some n_0 such that for all n > n_0, µ(n) ≤ 1/p(n). For any two random variables X and Y, we let SD(X, Y) = max_{T ⊆ U} |Pr[X ∈ T] − Pr[Y ∈ T]| denote the statistical distance between X and Y.

Basic Complexity Classes
Recall that P is the class of languages L decidable in polynomial time (i.e., there exists a polynomial-time algorithm M such that for every x ∈ {0,1}^*, M(x) = L(x)), P/poly is the class of languages decidable in non-uniform polynomial time, and BPP is the class of languages decidable in probabilistic polynomial time with probability 2/3 (i.e., there exists a PPT M such that for every x ∈ {0,1}^*, Pr[M(x) = L(x)] > 2/3). (Here L(x) = 1 if x ∈ L and L(x) = 0 otherwise.)

We refer to a relation R over pairs (x, y) as being polynomially bounded if there exists a polynomial p(·) such that for every (x, y) ∈ R, |y| ≤ p(|x|). We denote by L_R the language characterized by the "witness relation" R, i.e., x ∈ L_R iff there exists some y such that (x, y) ∈ R. We say that a relation R is polynomial-time (resp. non-uniform polynomial-time) if R is polynomially bounded and the language consisting of pairs (x, y) ∈ R is in P (resp. P/poly). NP (resp. NP/poly) is the class of languages L for which there exists a polynomial-time (resp. non-uniform polynomial-time) relation R such that x ∈ L iff there exists some y such that (x, y) ∈ R.

Search Problems
A search problem R is simply a polynomially-bounded relation; an NP search problem R is a polynomial-time relation. We say that the search problem is solvable in polynomial time (resp. non-uniform polynomial time) if there exists a polynomial-time (resp. non-uniform polynomial-time) algorithm M that for every x ∈ L_R outputs a "witness" y such that (x, y) ∈ R. Analogously, R is solvable in PPT if there exists some PPT M that for every x ∈ L_R outputs a "witness" y such that (x, y) ∈ R with probability 2/3. An NP search problem R is total if for every x ∈ {0,1}^* there exists some y such that (x, y) ∈ R (i.e., every instance has a witness). We refer to FNP (function NP) as the class of NP search problems and TFNP (total-function NP) as the class of total NP search problems.

We recall the definition of one-way functions (see e.g., [Gol01]). Roughly speaking, a function f is one-way if it is polynomial-time computable, but hard to invert for PPT attackers. The standard (cryptographic) definition of a one-way function requires every PPT attacker to fail (with high probability) on all sufficiently large input lengths. We will also consider a weaker notion of an infinitely-often one-way function [OW93a] which only requires the PPT attacker to fail for infinitely many input lengths (in other words, there is no PPT attacker that succeeds on all sufficiently large input lengths, analogously to complexity-theoretic notions of hardness).
Definition 2.1. Let f : {0,1}^* → {0,1}^* be a polynomial-time computable function. f is said to be a one-way function (OWF) if for every PPT algorithm A, there exists a negligible function µ such that for all n ∈ N,

Pr[x ← {0,1}^n; y = f(x) : A(1^n, y) ∈ f^{-1}(f(x))] ≤ µ(n).

f is said to be an infinitely-often one-way function (ioOWF) if the above condition holds for infinitely many n ∈ N (as opposed to all).

We may also consider a notion of a non-uniform (a.k.a. "auxiliary-input") one-way function, which is identically defined except that (a) we allow f to be computable by a non-uniform PPT, and (b) the attacker A is also allowed to be a non-uniform PPT.

We recall basic definitions of interactive proofs [GMR89, BM88] and arguments [BCC88]. An interactive protocol (P, V) is a pair of interactive Turing machines; we denote by ⟨P_1, P_2⟩(x) the output of P_2 in an interaction between P_1 and P_2 on common input x.

Definition 2.2.
An interactive protocol (P, V) is an interactive proof system for a language L ⊆ {0,1}^*, if V is PPT and the following conditions hold:

Completeness: There exists a negligible function µ(·) such that for every x ∈ L, Pr[⟨P, V⟩(x) = 1] ≥ 1 − µ(|x|).

Soundness: For every Turing machine P*, there exists a negligible function µ(·) such that for every x ∉ L, Pr[⟨P*, V⟩(x) = 1] ≤ µ(|x|).

If the soundness condition is relaxed to only hold for all non-uniform PPT P*, we refer to (P, V) as an interactive argument for L. We refer to (P, V) as a public-coin proof/argument system if V simply sends the outcomes of its coin tosses to the prover (and only performs computation to determine its final verdict). Whenever L ∈ NP, we say that (P, V) has an efficient prover if there exists some witness relation R that characterizes L (i.e., L_R = L) and a PPT P̃ such that P(x) = P̃(x, w) satisfies the completeness condition for every (x, w) ∈ R.

We recall some basic notions from average-case complexity. A distributional problem is a pair (L, D) where L ⊆ {0,1}^* and D is a PPT; we say that (L, D) is an NP (resp. NP/poly) distributional problem if L ∈ NP (resp. L ∈ NP/poly). Roughly speaking, a distributional problem (L, D) is hard-on-average if there does not exist some PPT algorithm that can decide instances drawn from D with probability significantly better than 1/2.

Definition 2.3 (δ-hard-on-the-average). We say that a distributional problem (L, D) is δ-hard-on-the-average (δ-HOA) if there does not exist some PPT A such that for every sufficiently large n ∈ N, Pr[x ← D(1^n) : A(1^n, x) = L(x)] > 1 − δ. We say that a distributional problem (L, D) is simply hard-on-the-average (HOA) if it is δ-HOA for some δ > 0. We also define a notion of HOA w.r.t. non-uniform PPT algorithms (nuHOA) in exactly the same way but where we allow A to be a non-uniform PPT (as opposed to just a PPT).

The above notion of average-case hardness (traditionally used in the complexity-theory literature) is defined analogously to the notion of an infinitely-often one-way function: we simply require every PPT "decider" to fail for infinitely many n ∈ N. For our purposes, we will also rely on an "almost-everywhere" notion of average-case hardness (similar to standard definitions in cryptography, and analogously to the definition of a one-way function), where we require that every decider fails on all (sufficiently large) input lengths.

Definition 2.4 (almost-everywhere hard-on-the-average (aeHOA)). We say that a distributional problem (L, D) is almost-everywhere δ-hard-on-the-average (δ-aeHOA) if there does not exist some PPT A such that for infinitely many n ∈ N, Pr[x ← D(1^n) : A(1^n, x) = L(x)] > 1 − δ. We say (L, D) is almost-everywhere hard-on-the-average (aeHOA) if (L, D) is δ-aeHOA for some δ > 0.

We move on to defining hard-on-the-average search problems. A distributional search problem is a pair (R, D) where R is a search problem and D is a PPT. If R is an NP search problem (resp. NP/poly search problem), we refer to (R, D) as a distributional NP (resp. NP/poly) search problem. Finally, we say that a distributional search problem (R, D) is promise-true if for every n and every x in the support of D(1^n), it holds that x ∈ L_R. (That is, D only samples true instances.)

Definition 2.5 (hard-on-the-average search (SearchHOA)). We say that a distributional search problem (R, D) is δ-hard-on-the-average (δ-SearchHOA) if there does not exist some PPT A such that for every sufficiently large n ∈ N, Pr[x ← D(1^n); (w, x) ← A(1^n, x) : ((L_R(x) = 1) ⇒ (x, w) ∈ R)] > 1 − δ. (R, D) is simply SearchHOA if there exists δ > 0 such that (R, D) is δ-SearchHOA. We can analogously define an almost-everywhere notion, aeSearchHOA, of SearchHOA (by replacing "for every sufficiently large n ∈ N" with "for infinitely many n ∈ N") as well as a non-uniform notion, nuSearchHOA (by replacing PPT with non-uniform PPT).

The following lemmas, which essentially directly follow from the results of [IL90, BCGL92, Tre05], will be useful to us. (These results were originally only stated for the standard notion of HOA, whereas we will require them also for the almost-everywhere notion; as we explain in more detail in Appendix A, these results however directly apply also for the almost-everywhere notion of HOA.) The first result, from [IL90] (combined with [Tre05]), shows that without loss of generality we can restrict our attention to the uniform distribution over statements x; we denote by U_p a PPT such that U_p(1^n) simply samples a random string in {0,1}^{p(n)}.

Lemma 2.1 (Private to public distributions). Suppose there exists a distributional NP problem (L, D) that is HOA (resp., aeHOA or nuHOA). Then, there exists a polynomial p and an NP-language L' such that (L', U_p) is HOA (resp. aeHOA or nuHOA).

The next result, from [Tre05], shows that when the distribution over instances is uniform, we can amplify the hardness.
Lemma 2.2 (Hardness amplification). Let p be a polynomial and suppose there exists a distributional NP-problem (L, U_p) that is HOA (resp., aeHOA or nuHOA). Then, for every δ < , there exists some polynomial p' and NP language L' such that (L', U_{p'}) is δ-HOA (resp., δ-aeHOA or δ-nuHOA).

Finally, by [BCGL92] (combined with [Tre05], [IL90]) we have a decision-to-search reduction.
Lemma 2.3 (Search to decision). Suppose there exists a distributional NP (resp. NP/poly) search problem (R, D) that is SearchHOA (resp., nuSearchHOA). Then, there exists a polynomial p and an NP (resp. NP/poly) language L' such that (L', U_p) is HOA (resp., nuHOA).

Roughly speaking, an interactive puzzle is described by an interactive polynomial-time challenger C having the property that (a) there exists an inefficient A that succeeds in convincing C(1^n) with probability negligibly close to 1, yet (b) no PPT attacker A* can make C(1^n) output 1 with inverse polynomial probability for sufficiently large n.

Definition 3.1 (interactive puzzle). An interactive algorithm C is referred to as a k(·)-round puzzle if the following conditions hold:

k(·)-round, public verifiability: C is an (interactive) PPT that on input n (a) only communicates in k(n) communication rounds, and (b) only performs some deterministic computation as a function of the transcript to determine its final verdict.

Completeness/Non-triviality:
There exists a (possibly unbounded) Turing machine A and a negligible function µ_C(·) such that for all n ∈ N, Pr[⟨A, C⟩(1^n) = 1] ≥ 1 − µ_C(n).

Computational Soundness: There does not exist a PPT machine A* and polynomial p(·) such that for all sufficiently large n ∈ N, Pr[⟨A*, C⟩(1^n) = 1] ≥ 1/p(n).

In other words, a k(·)-round puzzle C gives rise to a k(·)-round interactive proof (P, V) (where P = A, V = C) for the "trivial" language L = {0,1}^* with the property that there does not exist a PPT prover that succeeds in convincing the verifier with inverse polynomial probability for all sufficiently large n.

We will consider several restricted, or alternative, types of puzzle:

• We refer to the puzzle C as being public-coin if C simply sends the outcomes of its coin tosses in each communication round.

• We may also define an almost-everywhere notion of a puzzle by replacing "for all sufficiently large n ∈ N" in the soundness condition with "for infinitely many n ∈ N", and a non-uniform notion of a puzzle C which allows both C and A* to be non-uniform PPT (as opposed to just PPT).

• Finally, a puzzle C is said to have perfect completeness if the "completeness error", µ_C(n), is 0; in other words, the completeness condition holds with probability 1.

Remark 3.1.
One can consider a more relaxed notion of a (c(·), s(·))-puzzle for c(n) > s(n) + 1/poly(n), where the completeness condition is required to hold with probability c(·) for every sufficiently large n ∈ N, and the soundness condition holds with probability s(·) for every sufficiently large n ∈ N. But, by "Chernoff-type" parallel-repetition theorems for computationally-sound protocols [PV12, Hai09, HPWP10, C L10, CP15], the existence of such a k(·)-round (c(·), s(·))-puzzle implies the existence of a k(·)-round puzzle. The same holds for almost-everywhere (resp. non-uniform) puzzles.

In this section we make some basic observations regarding 2-round public-coin puzzles; these results mostly follow using standard results in the literature. We begin by observing that the existence of ioOWFs implies the existence of 2-round public-coin puzzles.
Proposition 3.2.
Assume the existence of ioOWFs (resp. non-uniform ioOWFs). Then, there exists a 2-round public-coin puzzle (resp. non-uniform puzzle). Proof:
By the result of Rompel [Rom90] (see also [KK05, HHR + n bits to n/ This, in turn, directly yields a simple 2-round puzzle where the challenger C(1^n) uniformly samples a hash function h and input x ∈ {0,1}^n and sends (h, x) to the adversary; C accepts a response x' if |x'| = n, x' ≠ x and h(x') = h(x). Since the hash function is compressing, we have that there exists a negligible function µ such that with probability 1 − µ(n), a random x ∈ {0,1}^n will have a "collision" x', and thus an unbounded A can easily find a collision and completeness follows. Computational soundness, on the other hand, follows directly from the (infinitely-often) second-preimage resistance property. The same result holds also if we start with non-uniform ioOWFs, except that we now get a non-uniform puzzle.

We turn to showing that any aeHOA distributional NP problem implies a 2-round puzzle. (In fact, it even implies an almost-everywhere puzzle.)

Lemma 3.3.
Suppose there exists a distributional NP problem (L, D) that is aeHOA. Then there exists an (almost-everywhere) 2-round public-coin puzzle. Proof:
Assume there exists a distributional problem (L, D) such that L ∈ NP and (L, D) is aeHOA. From Lemma 2.2 and Lemma 2.1, we can conclude that there exists a polynomial p and a distributional NP problem (L', U_p) that is δ-aeHOA for δ = . Let R' be some NP relation corresponding to L'. Consider a puzzle C where C(1^n) samples a random x ∈ {0,1}^{p(n)} and accepts response y if (x, y) ∈ R'. We will show that C is a ( , )-puzzle, which by Remark 3.1 implies the existence of a 2-round almost-everywhere puzzle. To show completeness, consider an inefficient algorithm A that on input (1^n, x) tries to find a witness y (using brute force) such that (x, y) ∈ R' and if it is successful sends it to C (and otherwise simply aborts). Observe that for all sufficiently large n ∈ N, for a random x ← {0,1}^{p(n)} we have that Pr[x ∈ L'] > ; otherwise, (L', U_p) can be decided with probability 1 − for infinitely many n ∈ N, contradicting its -aeHOA property. It follows that for all sufficiently large n ∈ N, A convinces C with probability and thus completeness of C follows.

To prove soundness, assume for contradiction that there exists a PPT algorithm A* such that Pr[⟨A*, C⟩(1^n) = 1] > for infinitely many n. Consider the machine M(x) that runs A*(1^{|x|}, x) and outputs 1 if A* outputs a valid witness for x and otherwise outputs a random bit. By definition, M solves the distributional problem (L', U_p) with probability > + ( − ) = = 1 − for infinitely many n, which contradicts the -aeHOA property of (L', U_p).

Footnotes to the proof of Proposition 3.2: Roughly speaking, a family of public-coin hash functions H having the property that for a random h ∈ H and random input x, it is hard for any PPT to find a different x' of the same length that collides with x under h (that is, h(x) = h(x'), |x| = |x'|, yet x ≠ x'). Rompel's theorem was only stated for standard OWFs (as opposed to ioOWFs), but the construction and proof directly also work for the infinitely-often variant as well.

We now turn to showing that 2-round puzzles imply a HOA distributional NP problem. It will be useful for the sequel to note that the same result also holds in the non-uniform setting.

Lemma 3.4.
Suppose there exists a 2-round public-coin puzzle (resp. a non-uniform puzzle). Then, there exists a distributional NP problem (resp. distributional NP/poly problem) that is HOA (resp. nuHOA). Proof:
Let C be a 2-round public-coin puzzle (resp. 2-round non-uniform puzzle). Let ℓ(·) be an upper bound on the amount of randomness used by C. Consider the NP-relation (resp. NP/poly-relation) R that includes all tuples ((pad, x), y) such that C(1^{|pad|}) given randomness x ∈ {0,1}^{ℓ(|pad|)} accepts upon receiving y, and the sampler D(1^n) that picks a random x ∈ {0,1}^{ℓ(n)} and outputs (1^n, x). We argue next that (R, D) is -SearchHOA (resp. -nuSearchHOA), which concludes the proof by applying Lemma 2.3. Assume for contradiction that there exists a PPT (resp. non-uniform PPT) machine M that solves (R, D) with probability > − = for all n > n_0. By the completeness of C, there exists some A, n_1 such that for every n > n_1, Pr[⟨A, C⟩(1^n) = 1] > . This implies that for all n > n_1, for at most an fraction of ℓ(n)-bit strings x, (1^n, x) ∉ L_R. In particular, for every n > max(n_0, n_1), for a random x ∈ {0,1}^{ℓ(n)}, M(1^n, x) must output a valid witness y for x with probability > − > , and can thus be used to break the soundness of the puzzle with probability > for all sufficiently large n, which is a contradiction.

If the 2-round puzzle has perfect completeness, essentially the same proof gives a SearchHOA problem in TFNP, as the relation R constructed in the proof of Lemma 3.4 is total if the puzzle has perfect completeness.

Lemma 3.5.
Suppose there exists a 2-round public-coin puzzle (resp. almost-everywhere puzzle) with perfect completeness. Then, there exists some search problem R ∈ TFNP and some PPT D such that the distributional search problem (R, D) is SearchHOA (resp. aeSearchHOA).

In this section, we prove our main technical lemma: a round-collapse theorem for O(1)-round puzzles. Note that this is where we are crucially relying on the almost-everywhere hardness of the distributional problem.

4.1 An Efficient Babai-Moran Theorem

Our main lemma shows that if ioOWFs do not exist, the Babai-Moran transformation preserves computational soundness.
Lemma 4.1.
Assume there exists a k(·)-round public-coin puzzle such that k(n) ≥ . Then, either there exists an ioOWF, or there exists a (k(·) − )-round public-coin puzzle. Moreover, if the k(·)-round puzzle has perfect completeness, then either there exists an ioOWF, or a (k(·) − )-round public-coin puzzle with perfect completeness. Proof:
Consider some k(·)-round public-coin puzzle C and assume for contradiction that ioOWFs do not exist. We will show that Babai-Moran's (BM) [BM88] round reduction works in this setting and thus we can obtain a ( k ( · ) − n . In fact, since by [IL90] the existence of distributional one-way functions implies the existence of one-way functions (and this result also works in the infinitely-often setting), we can conclude that if ioOWFs do not exist, for any polynomial p(·) and any polynomial-time computable function f, there exists a PPT algorithm Inv such that, for sufficiently large n, the following distributions are 1/p(n)-statistically close:

• {x ← {0,1}^n : (x, f(x))}

• {x ← {0,1}^n; y = f(x) : (Inv(y), y)}

In this case, we will say that Inv inverts f with 1/p(n)-statistical closeness. We now proceed to show how to use such an inverter to prove that BM's round-collapse transformation works on C. To simplify notation, we will make the following assumptions that are without loss of generality:

• C has at least 4 communication rounds and C sends the first message; we can always add an initial dummy message to achieve this, while only increasing the number of rounds by 1. We will then construct a new puzzle that has k ( · ) − A sends the final message, this implies we can assume k(·) is even. To make our notation easier to read, we show how to reduce a 2k(·)-round protocol to a 2 k ( · ) −

• There exist polynomials ℓ_c, ℓ_a such that all messages from C(1^n) are of (the same) length ℓ_c(n) and all the messages from A(1^n) need to be of length ℓ_a(n) (or else C rejects). Furthermore, ℓ_a(·) and ℓ_c(·) are polynomial-time computable and strictly increasing.

We denote by C(1^n, p_1, p_2, ..., p_i; r_C) the (i+1)st message (i.e., the message to be sent in round 2i+1) from C, where r_C is C's randomness and p_1, p_2, ..., p_i are bit strings (representing the messages received from A in the first 2i rounds). Let m(n) be (ℓ_a(n) + 4)(log(n)) rounded upwards to the next power of two. (We round to the next power of 2 to make it easy to sample a random number in [m(n)]; this is just to simplify presentation/analysis.) We will show that the BM transformation works (if ioOWFs do not exist) when using m(·) repetitions. More precisely, consider the following (2 k ( · ) − C̃ that on input (1^n, p_1, ..., p_i; r_C̃) proceeds as follows:

1. If i < k(n) − 2, output r_{i+1} (i.e., proceed just like C before round 2k(n) − 3).

2. If i = k(n) − 2, output (r_{k(n)−1}, r^1_{k(n)}, ..., r^{m(n)}_{k(n)}) (i.e., in round 2k(n) − 3, send the original challenge for round 2k(n) − 3 and the "m(n)-wise parallel-repetition" challenge for the original round 2k(n) − 1).

3. If i = k(n) − 1, output 1 iff C(1^n, p_1, p_2, ..., p_{k(n)−1}, p^i_{k(n)}; r_1, r_2, ..., r_{k(n)−1}, r^i_{k(n)}) = 1 for every i ∈ [m(n)] (i.e., all the parallel instances are accepting), where r_C̃ is interpreted as (r_1, r_2, ..., r_{k(n)−1}, r^1_{k(n)}, ..., r^{m(n)}_{k(n)}).

We will show that C̃ is a (99 / , / -puzzle. We use the following notation:

• Given a transcript T = (r_1, p_1, ..., p_{k(n)−2}, r_{k(n)−1}, r^1_{k(n)}, ..., r^{m(n)}_{k(n)}, p_{k(n)−1}, p^1_{k(n)}, ..., p^{m(n)}_{k(n)}) of an interaction between C̃ and an adversary, we let T_{≤k−1} = (r_1, p_1, ..., p_{k(n)−2}, r_{k(n)−1}) denote the transcript up to and including the round where C (in the emulation done by C̃) sends its (k(n) − 1)st message.

• We say that T is accepting if C̃(p_1, ..., p_{k(n)−1}, p^1_{k(n)}, ..., p^{m(n)}_{k(n)}; r_1, ..., r_{k(n)−1}, r^1_{k(n)}, ..., r^{m(n)}_{k(n)}) = 1 (i.e., if C̃ is accepting in the transcript).

Completeness:
Completeness (in fact with all but negligible probability) follows directly from the original proof by Babai-Moran [BM88].
Soundness:
Assume for contradiction that there exists a PPT algorithm A* that convinces C̃ on common input 1^n with probability ǫ(n) such that ǫ(n) > for all sufficiently large n. Let h(·) be a polynomial such that A* runs in time at most h(n) when its first input is 1^n. We assume without loss of generality that A* only sends a real last message if C̃ will be accepting it (note that since C̃ is public-coin, A* can verify this, so it is without loss of generality), and otherwise sends ⊥ as its last message.

On a high level, using A* and the fact that polynomial-time computable functions are "invertible", we will construct a PPT B such that Pr[⟨B, C⟩(1^n) = 1] ≥ for sufficiently large n, which contradicts the soundness of the original 2k(n)-round puzzle C. Towards constructing B, we first define a polynomial-time algorithm M on which we will apply the inverter Inv. As described in the introduction, we will consider an algorithm M that operates on inputs of the form (1^n, i, r_M) where i is an index of one of the m(n) parallel sessions and r_M contains the randomness of A and C̃. To correctly parse such inputs, let ℓ_M(n) = n + log(m(n)) + h(n) + ℓ_c(n) · (k(n) − m(n)) and note that by our assumption on ℓ_c(n) and ℓ_a(n), this is a strictly increasing and polynomial-time computable function. In the rest of the proof, whenever the security parameter n is clear from context, we omit it and let k = k(n), ℓ_c = ℓ_c(n), ℓ_a = ℓ_a(n), ǫ = ǫ(n), m = m(n) and h = h(n).

Now, consider the machine M that on input u internally incorporates the code of A* and proceeds as follows:

1. M finds an n such that ℓ_M(n) = |u| (simply by enumerating different n from 1 up to |u|). If no such n exists, then M outputs ⊥ and halts. Otherwise, M interprets u as (pad, i, r_M) such that |pad| = n, |i| = log(m(n)), r_M = (z, r_1, r_2, ..., r_{k−1}, r^1_k, ..., r^m_k), z ∈ {0,1}^h, and all the strings r_1, r_2, ..., r_{k−1}, r^1_k, ..., r^m_k are in {0,1}^{ℓ_c}.

2. It internally emulates an execution between A* and C̃ on common input 1^n and respectively using randomness z and (r_1, r_2, ..., r_{k−1}, r^1_k, ..., r^m_k). Let T = (r_1, p_1, ..., p_{k−2}, r_{k−1}, r^1_k, ..., r^m_k, p_{k−1}, p^1_k, ..., p^m_k) denote the transcript of the interaction.

3. If T is accepting, then M outputs (1^{|pad|}, T_{≤k−1}, p_{k−1}, r^i_k), and otherwise ⊥.

Let Inv be an inverter for M with n statistical closeness for all sufficiently large n; such an inverter exists due to our assumption on the non-existence of ioOWFs.

We are now ready to describe our adversary B for the 2k-round puzzle. B on input (1^n, r_1, r_2, ..., r_i; r_B) proceeds as follows:

1. B interprets r_B as (z, pad, s^1_k, ..., s^m_k) such that z ∈ {0,1}^h, pad ∈ {0,1}^n and all the strings s^1_k, ..., s^m_k are in {0,1}^{ℓ_c}.

2. If i < k − 1, B outputs p_i = A*(1^n, r_1, r_2, ..., r_i; z) (i.e., B proceeds just as A* in the first 2k − 4 rounds).

3. If i = k − 1 (i.e., in round 2k − 2), B lets (p_{k−1}, p^1_k, ..., p^m_k) = A*(1^n, r_1, r_2, ..., r_{k−1}, s^1_k, ..., s^m_k; z) and outputs p_{k−1}.

4. If i = k (i.e., in round 2k), then:

• B lets T = (r_1, p_1, ..., p_{k−2}, r_{k−1}, s^1_k, ..., s^m_k, p_{k−1}, p^1_k, ..., p^m_k), and lets y = (pad, T_{≤k−1}, p_{k−1}, r_k) if T is accepting and y = ⊥ otherwise.

• B lets u ← Inv(y) and interprets u as (pad, j, r_M) where |pad| = n, |j| = log(m), and r_M = (z', t_1, t_2, ..., t_{k−1}, t^1_k, ..., t^m_k), such that z' ∈ {0,1}^h and t_1, t_2, ..., t_{k−1}, t^1_k, ..., t^m_k are in {0,1}^{ℓ_c}.

• B next lets (q_{k−1}, q^1_k, ..., q^m_k) = A*(1^n, r_1, r_2, ..., r_{k−1}, t^1_k, ..., t^m_k; z') and outputs q^j_k.

We now proceed to analyze the success probability of B against C. In particular, we shall show that for all sufficiently large n, Pr[⟨B, C⟩(1^n) = 1] > , which will conclude the proof of Lemma 4.1.
We denote by View_{A*}(⟨A*, C̃⟩(1^n)) the random variable that represents the view of the adversary A* in an interaction with C̃ on common input 1^n; for convenience, we describe this view v = (z, T) by A*'s random coin tosses z, as well as the transcript T of the interaction between A* and C̃. (This is a bit redundant, as the messages sent by A* can of course be recomputed given just the randomness of A* and the messages from C̃, but it will simplify notation.)

Towards analyzing B, we consider a sequence of hybrid experiments Expt , Expt , Expt , Expt ; formally, an experiment defines a probability space and a probability density function over it. All experiments will be defined over the same probability space so we can consider the same random variables over all of them. To simplify notation, we abuse notation and let Expt_i(n) also denote a random variable describing the output of the experiment Expt_i(n).

Expt (n) will simply consider an execution between B^{Inv} and C on common input 1^n and will output 1 if C is accepting and 0 otherwise; see Figure 1 for a formalization. To simplify the transition
to later experiments, we formalize Expt (n) as first sampling a full transcript T of an execution between A* and C̃, keeping only the prefix T_{≤k−1} (this gives exactly the same distribution as an interaction between B and C up to round 2 k − r (just as C would in round 2 k − B does. (We additionally sample a random index i ∈ [m] which is not used in the current experiment, but will be useful in later experiments.) We thus directly have:

Claim 1. Pr[⟨B, C⟩(1^n) = 1] = Pr[Expt (n) = 1].

We now slowly transform the experiment into one that becomes easy to analyze. See Figure 1 for a formal description of the experiments.

1. We first define a "good" event G = W ∩ G', where W is the event that the originally sampled transcript is accepting and G' is the event that the "prefix" (T_{≤k−1}, p_{k−1}) is "good" in a well-defined sense (roughly speaking, that continuations conditioned on T_{≤k−1} are successful with high probability, and that in such successful continuations p_{k−1} is used with not "too low" probability). Expt next proceeds just like Expt except that we additionally fail if the event G does not happen. We thus have that the probability of Expt (n) outputting 1 is at least as high as the probability of Expt (n) outputting 1.

Claim 2.
Pr[ Expt ( n ) = 1] ≥ Pr[ Expt ( n ) = 1].

Additionally, as we shall show (using an averaging argument), the event G happens with non-negligible probability, not just in Expt but also in all the other experiments Expt j for j ∈ { , , } (as Step 1 of the experiment remains unchanged in all of them).

Claim 3. For j ∈ { , , }, Pr[ G ] ≥ ǫ , where the probability is over the randomness in experiment Expt j ( n ).

2. We next transition to an experiment Expt where, instead of choosing the message r k at random (as it was in Expt ), we select it as the message in the i'th repetition of C̃'s k− message in T, where i is a randomly sampled index i ∈ [ m ]. The reason for defining this experiment is that, in it, we are applying the one-way function inverter on the “right” distribution (just as in the definition of M). The central claim to show is that this change does not change the success probability by too much. As discussed in the introduction, we shall prove it using Raz's sampling lemma.

Claim 4. Pr[ Expt ( n ) = 1] ≥ Pr[ Expt ( n ) = 1] − n ) .
3. Finally, we transition to an experiment Expt where we employ a perfect inverter PInv, which always samples uniform preimages to M, instead of the (imperfect) inverter Inv. It directly follows from the fact that Inv is an inverter with statistical closeness n and that the inverter is applied to an element that is sampled as a uniform image of M (note that we here rely on the fact that y = ⊥ when T is not accepting) that the statistical distance between Expt ( n ) and Expt ( n ) is bounded by n for sufficiently large n. In particular:

Claim 5. For all sufficiently large n, Pr[ Expt ( n ) = 1] ≥ Pr[ Expt ( n ) = 1] − n .

Experiment Expt ( n ).
1. Sample ( z, T ) ← View A∗(⟨A∗, C̃⟩(1 n )); pad ← { , } n ; i ← [ m ]; r ← { , } ℓ c . Interpret T as ( r , p , . . . , p k− , r k− , s k , . . . , s mk , p k− , p k , . . . , p mk ).
2. Let r k = r and let y = ( pad, T ≤k− , p k− , r k ) if T is accepting and y = ⊥ otherwise.
3. Let u ← Inv( y ); interpret u as ( pad, j, r M ) where |pad| = n, |j| = log( m ), and r M = ( z′ , t , t , . . . , t k− , t k , . . . , t mk ) just as B does, and let ( q k− , q k , . . . , q mk ) = A∗(1 n , r , r , . . . , r k− , t k , . . . , t mk ; z′ ).
4. Output 1 iff T′ = ( T ≤k− , p k− , r k , q jk ) is accepting, and 0 otherwise.

Experiment Expt ( n ).
1. Sample ( z, T ) ← View A∗(⟨A∗, C̃⟩(1 n )); pad ← { , } n ; i ← [ m ]; r ← { , } ℓ c . Interpret T as ( r , p , . . . , p k− , r k− , s k , . . . , s mk , p k− , p k , . . . , p mk ).
2. Let r k = r and let y = ( pad, T ≤k− , p k− , r k ) if T is accepting and y = ⊥ otherwise.
3. Let u ← Inv( y ); interpret u as ( pad, j, r M ) where |pad| = n, |j| = log( m ), and r M = ( z′ , t , t , . . . , t k− , t k , . . . , t mk ) just as B does, and let ( q k− , q k , . . . , q mk ) = A∗(1 n , r , r , . . . , r k− , t k , . . . , t mk ; z′ ).
4. Output 1 iff T′ = ( T ≤k− , p k− , r k , q jk ) is accepting and G holds, and 0 otherwise.

Distribution Expt ( n ).
1. Sample ( z, T ) ← View A∗(⟨A∗, C̃⟩(1 n )); pad ← { , } n ; i ← [ m ]; r ← { , } ℓ c . Interpret T as ( r , p , . . . , p k− , r k− , s k , . . . , s mk , p k− , p k , . . . , p mk ).
2. Let r k = s ik and let y = ( pad, T ≤k− , p k− , r k ) if T is accepting and y = ⊥ otherwise.
3. Let u ← Inv( y ); interpret u as ( pad, j, r M ) where |pad| = n, |j| = log( m ), and r M = ( z′ , t , t , . . . , t k− , t k , . . . , t mk ) just as B does, and let ( q k− , q k , . . . , q mk ) = A∗(1 n , r , r , . . . , r k− , t k , . . . , t mk ; z′ ).
4. Output 1 iff T′ = ( T ≤k− , p k− , r k , q jk ) is accepting and G holds, and 0 otherwise.

Distribution Expt ( n ).
1. Sample ( z, T ) ← View A∗(⟨A∗, C̃⟩(1 n )); pad ← { , } n ; i ← [ m ]; r ← { , } ℓ c . Interpret T as ( r , p , . . . , p k− , r k− , s k , . . . , s mk , p k− , p k , . . . , p mk ).
2. Let r k = s ik and let y = ( pad, T ≤k− , p k− , r k ) if T is accepting and y = ⊥ otherwise.
3. Let u ← PInv( y ); interpret u as ( pad, j, r M ) where |pad| = n, |j| = log( m ), and r M = ( z′ , t , t , . . . , t k− , t k , . . . , t mk ) just as B does, and let ( q k− , q k , . . . , q mk ) = A∗(1 n , r , r , . . . , r k− , t k , . . . , t mk ; z′ ).
4. Output 1 iff T′ = ( T ≤k− , p k− , r k , q jk ) is accepting and G holds, and 0 otherwise.

Figure 1: Description of intermediate experiments.

4. We finally note that in
Expt , there are only two reasons the experiment can output 0: (1) the originally sampled transcript T is not accepting (i.e., the event W does not hold); if it is accepting, the perfect inverter will make sure that T′ is also accepting; or (2) the event G does not hold. Additionally note that, since G is defined as W ∩ G′, whenever G holds, W holds as well and thus the experiment must output 1. Thus, by Claim 3, we have:

Claim 6. Pr[ Expt ( n ) = 1] ≥ ǫ .

5. By combining Claims 1, 2, 4, 6, we have that for all sufficiently large n,
Pr[⟨B, C⟩(1 n ) = 1] = Pr[ Expt ( n ) = 1] ≥ Pr[ Expt ( n ) = 1] ≥ Pr[ Expt ( n ) = 1] − n ) ≥ Pr[ Expt ( n ) = 1] − n ) ≥ ǫ − n ) >

What remains is defining G = W ∩ G′ and proving Claim 3 and Claim 5.

G and the Proof of Claim 3

We begin by defining some random variables over the probability space over which
Expt is defined. Note that the probability space is the same for Expt , Expt , Expt , and as such random variables and events over Expt are also defined over all the other experiments. We use boldface to denote random variables describing the outcome of variables in the experiments; for instance, we let T denote a random variable describing the value of T as sampled in the experiments.

Let W denote the event that T is accepting (i.e., the transcript sampled in Step 1 is accepting) and let Θ be the set of partial transcripts θ such that
Pr[ W | T ≤(k−) = θ ] ≥ ǫ ,
where the probability is over Expt ( n ). That is, Θ is the set of “good” partial transcripts conditioned on which A∗ has a reasonable probability of succeeding. Note that by a standard averaging argument, such transcripts occur often:
Pr[ T ≤(k−) ∈ Θ ] ≥ ǫ . (1)
Now, consider the event W p that W holds and p k− = p; let P( θ ) be the set of messages p ∈ { , } ℓ a for which
Pr[ W p | T ≤(k−) = θ ] ≥ ǫ ℓ a +2 .
In other words, P( θ ) is the set of “good” (adversary) messages p such that, conditioned on the partial transcript θ, the probability that A∗ succeeds while using p as its k− message is at least ǫ ℓ a +2 . As we shall now show using another (standard) averaging argument, for every θ ∈ Θ we have
Pr[ p k− ∈ P( θ ) | T ≤(k−) = θ ] ≥ ǫ . (2)
Suppose for contradiction that for some θ ∈ Θ, Equation 2 does not hold. Then, we have
Pr[ W | T ≤(k−) = θ ]
= Σ p ∈ { , } ℓa Pr[ W p | T ≤(k−) = θ ]
= Σ p ∈ P( θ ) Pr[ W p | T ≤(k−) = θ ] + Σ p ∈ { , } ℓa − P( θ ) Pr[ W p | T ≤(k−) = θ ]
≤ Pr[ p k− ∈ P( θ ) | T ≤(k−) = θ ] + Σ p ∈ { , } ℓa − P( θ ) Pr[ W p | T ≤(k−) = θ ]
< ǫ + Σ p ∈ { , } ℓa − P( θ ) Pr[ W p | T ≤(k−) = θ ]
≤ ǫ + Σ p ∈ { , } ℓa − P( θ ) ǫ ℓ a +2
≤ ǫ + ℓ a · ǫ ℓ a +2 = ǫ ,
which contradicts θ ∈ Θ.

Next, define G′ to be the event that T ≤(k−) ∈ Θ and p k− ∈ P( T ≤(k−) ), and define G as holding when W and G′ both hold (i.e., the originally sampled transcript is accepting and G′ holds). Note that G′ in fact implies that W holds (since p k− ∈ P( T ≤(k−) ) implies that p k− ≠ ⊥, which by our assumption on A∗ means that T must be accepting), thus in fact G′ = G. By combining Equations 1 and 2, we have:
Pr[ G ] = Pr[ G′ ] = Pr[ T ≤(k−) ∈ Θ ∧ p k− ∈ P( T ≤(k−) ) ] = Pr[ T ≤(k−) ∈ Θ ] × Pr[ p k− ∈ P( T ≤(k−) ) | T ≤(k−) ∈ Θ ] ≥ ǫ × ǫ = ǫ ,
where the probability is over Expt ( n ). Finally, note that since Step 1 (whose outcome determines whether G happens) remains unchanged in all the experiments, we can conclude that Pr[ G ] ≥ ǫ where the probability is taken over Expt j ( n ) for every j ∈ { , , }, which concludes the proof of Claim 3.

Proof of Claim 4

Recall that we need to show that Pr[
Expt ( n ) = 1] ≥ Pr[ Expt ( n ) = 1] − n ) . Observe that the only difference between experiments Expt and Expt is that in Expt we set r k = r and in Expt we set r k = s ik . Furthermore, both experiments sample (( z, T ), pad, i, r ) from the same distributions and output 0 whenever G does not hold (which is a function only of T). It follows that the statistical distance between Expt ( n ) and Expt ( n ) is bounded by the statistical distance of Expt ( n ) and Expt ( n ) conditioned on the event G. Note that we can rephrase the event G as
G = ⋃ θ ∈ Θ, p ∈ P( θ ) W p ∩ ( T ≤k− = θ ).
Below, we shall show that for every θ ∈ Θ, p ∈ P( θ ), the statistical distance between { Expt ( n ) | T ≤k− = θ, W p } and { Expt ( n ) | T ≤k− = θ, W p } is bounded by n ), which concludes the proof of Claim 4.

Consider some θ ∈ Θ, p ∈ P( θ ) and consider the experiments { Expt ( n ) | T ≤k− = θ, W p } and { Expt ( n ) | T ≤k− = θ, W p }. Note that both experiments proceed exactly the same after r k is defined in Step 2, so we can ignore everything that happens after this. Additionally, note that the only variables that are relevant after this point are pad, T ≤k− , p k− , i and r. Note that pad and i are both independent of the events T ≤k− = θ, W p and thus are still independently and uniformly sampled in both experiments. T ≤k− and p k− , on the other hand, are fixed (constant) conditioned on T ≤k− = θ, W p . Thus, to bound the statistical distance between { Expt ( n ) | T ≤k− = θ, W p } and { Expt ( n ) | T ≤k− = θ, W p }, it suffices to bound the statistical distance between r k in { Expt ( n ) | T ≤k− = θ, W p } and r k in { Expt ( n ) | T ≤k− = θ, W p }. In other words, we need to upper bound
∆ = SD( r , s ik | W p ) = SD( s ik , s ik | W p ) ≤ Σ j ∈ [ m ] (1/m) · SD( s jk , s jk | W p )
over { Expt ( n ) | T ≤k− = θ }, since for each j, s jk is sampled uniformly at random, independent of T ≤k− (and independent of s j′k for j′ ≠ j). Towards bounding this quantity, we will rely on Raz's sampling lemma.

Lemma 4.2 ([Raz98]). Let X , . . . , X m be independent random variables on a finite domain U. Let E be an event over X⃗ = ( X , . . . , X m ). Then,
$$\frac{1}{m}\sum_{i=1}^{m} \mathrm{SD}\bigl(X_i,\ X_i \mid E\bigr) \;\le\; \sqrt{\frac{1}{m}\cdot \log\frac{1}{\Pr[E]}}\,.$$

By applying Raz's lemma, we directly get that
$$\Delta \;\le\; \sqrt{\frac{1}{m}\cdot \log\frac{1}{\Pr[W_p]}}\,,$$
where the probability is over { Expt ( n ) | T ≤k− = θ }. Since by our assumption p ∈ P( θ ), the probability of W p conditioned on T ≤k− = θ is at least ǫ ℓa +2 , thus
$$\Delta \;\le\; \sqrt{\frac{1}{m}\cdot\bigl(\ell_a + 2 - \log(\epsilon)\bigr)} \;\le\; n)\,,$$
since ǫ > and m = ( ℓ a + 4)(log( n )) > ( ℓ a + 2 − log( ǫ ))(log( n )) .

Variations

Using essentially the same proofs, we can directly get the following variations of Lemma 4.1. The first variant simply states that the same result holds for almost-everywhere puzzles.
Lemma 4.3 (Almost-everywhere variant 1). Assume there exists a k(·)-round almost-everywhere public-coin puzzle such that k ( n ) ≥ . Then, either there exists an ioOWF, or there exists a ( k(·) − )-round almost-everywhere public-coin puzzle. Moreover, if the k(·)-round puzzle has perfect completeness, then either there exists an ioOWF, or a ( k(·) − )-round almost-everywhere public-coin puzzle with perfect completeness.

If A∗ succeeds on all sufficiently large input lengths, then it suffices for Inv to work on infinitely many input lengths to conclude that B Inv works on infinitely many input lengths (thus violating almost-everywhere security of the original puzzle).
Lemma 4.4 (Almost-everywhere variant 2). Assume there exists a k(·)-round almost-everywhere public-coin puzzle such that k ( n ) ≥ . Then, either there exists a OWF, or there exists a ( k(·) − )-round public-coin puzzle. Moreover, if the k(·)-round puzzle has perfect completeness, then either there exists a OWF, or a ( k(·) − )-round public-coin puzzle with perfect completeness.

We additionally consider a variant for non-uniform puzzles. As the challenger now may be a non-uniform PPT, the function M that we are required to invert is also a non-uniform PPT, and thus we can only conclude the existence of non-uniform OWFs.

Lemma 4.5 (Non-uniform variant). Assume there exists a k(·)-round non-uniform public-coin puzzle such that k ( n ) ≥ . Then, either there exists a non-uniform ioOWF, or there exists a ( k(·) − )-round non-uniform public-coin puzzle.

Characterizing O(1)-Round Public-coin Puzzles

We next apply our round-collapse theorem (and its variants) to get a characterization of O(1)-round puzzles. This characterization applies to both standard puzzles and non-uniform puzzles.

Corollary 4.1. Assume the existence of a O(1)-round (resp. a O(1)-round non-uniform) public-coin puzzle. Then there exists a 2-round public-coin puzzle (resp. 2-round non-uniform public-coin puzzle) and thus a distributional NP problem (resp. distributional NP/poly problem) that is HOA (resp. nuHOA).

Proof: If (non-uniform) ioOWFs exist, then by applying Proposition 3.2 we have that 2-round (non-uniform) public-coin puzzles exist. If (non-uniform) ioOWFs do not exist, we can apply Lemma 4.1 (Lemma 4.5) iteratively to collapse any constant-round protocol to a 2-round protocol. (Note that we can only apply Lemma 4.1 a constant number of times, as the communication complexity of the resulting protocol grows polynomially with each application.) Thus in either case, we conclude that the existence of a O(1)-round (non-uniform) public-coin puzzle implies a 2-round (non-uniform) public-coin puzzle. The corollary is concluded by applying Lemma 3.4.

We remark that the reason we cannot get an (unconditional) characterization of almost-everywhere puzzles is that ioOWFs are not known to imply 2-round almost-everywhere puzzles.

We observe that the existence of a poly-round public-coin puzzle is equivalent to the statement that
PSPACE ⊄ BPP. A consequence of this result (combined with Lemma 3.4) is that any round-collapse theorem that (unconditionally) can transform a polynomial-round puzzle into a O(1)-round puzzle must show the existence of a HOA distributional NP problem based on the assumption that PSPACE ⊄ BPP (which would be highly unexpected). (The transformation still preserves perfect completeness, but this will not be of relevance for us.)

Theorem 5.1. For every ǫ > , there exists an n ǫ -round public-coin puzzle (resp. a non-uniform puzzle) if and only if PSPACE ⊄ BPP (resp. PSPACE ⊄ P/poly).

Proof: For the “only-if” direction, note that using the same proof as (the easy direction) in IP = PSPACE [Sha92, LFKN92], we can use a PSPACE oracle to implement the optimal adversary strategy in every puzzle and thus (due to the completeness condition of the puzzle) break the soundness of every puzzle using a PSPACE oracle. So, if PSPACE ⊆ BPP, soundness of every puzzle can be broken in PPT and thus puzzles cannot exist. (We remark that a very similar statement, in the language of non-trivial interactive arguments, was already observed by Goldreich [Gol18]; see Section 7 for more details.)

For the “if” direction, recall that by the classic result of [BFNW93] (see also [TV07]), if PSPACE ⊄ BPP, then there is a PSPACE language L′, a constant c ∈ N, and a polynomial p(·) such that ( L′, U p ) is n c -HOA. We will now use this HOA language L′ together with the fact that by [Sha92, LFKN92] all of PSPACE has a public-coin interactive proof (and the fact that PSPACE is closed under complement) to get a puzzle. The puzzle challenger C(1 n ) simply samples a random statement x ∈ { , } p(n) and sends it to the adversary. The adversary next announces a bit b (determining whether x ∈ L′ or not); next, if b = 1, C runs the IP verifier for x ∈ L′, and if b = 0 it instead runs the IP verifier for x ∉ L′. Due to [Sha92, LFKN92], we may assume without loss of generality that the IP has completeness 1 and soundness error 2 −n . As we shall now argue, C is a (1, − n c )-puzzle, which by Remark 3.1 implies a puzzle. Completeness follows directly from the completeness of the IP. For soundness, consider a PPT machine A∗ that convinces C with probability better than 1 − n c . We construct a machine B that breaks the n c -HOA property of L′. B(1 n , x) simply emulates an interaction between C(1 n ) and A∗ while fixing C's first message to x, and accepts x if C is accepting, and rejects otherwise. Since B is feeding A∗ messages according to the same distribution as in the real execution (with C), we have that A∗ convinces C in the emulation by B with probability at least 1 − n c . By the soundness of the IP, we have that except with probability 2 −n , whenever the proof is accepting, the bit b must correctly decide x. We conclude (by a union bound) that B correctly decides x with probability 1 − n c − −n > − n c for all sufficiently large n ∈ N. The non-uniform version of the theorem follows using exactly the same proof.

We show that any 2-round public-coin puzzle can be transformed into a 3-round public-coin puzzle with perfect completeness; next, we shall use this result together with our round-reduction theorem to conclude our main result.
Furer et al. [FGM+89] showed how to transform any 2-round public-coin proof system into a 3-round public-coin proof system with perfect completeness. We will rely on the same protocol transformation to transform any 2-round puzzle into a 3-round puzzle with perfect completeness. The perfect completeness condition will follow directly from their proof; we simply must argue that the transformation also preserves computational soundness (as they only showed that it preserves information-theoretic soundness).

Theorem 6.1. Suppose there exists a 2-round public-coin puzzle. Then there exists a 3-round public-coin puzzle with perfect completeness.

Proof: Let C be a 2-round public-coin puzzle. Let ℓ c , ℓ a be polynomials such that the message from C(1 n ) is of length ℓ c ( n ) and the message from A(1 n ) is of length ℓ a ( n ); we assume without loss of generality that ℓ c ( n ) > 2. When the security parameter n is clear from the context we will omit it and let ℓ c ( n ) = ℓ c and ℓ a ( n ) = ℓ a .

We now apply the Furer et al. [FGM+89] transformation to this puzzle to create a 3-round puzzle C̃. The puzzle proceeds by first having the adversary send ℓ c “pads” z , . . . , z ℓ c ∈ { , } ℓ c to C̃; C̃ next sends back a random message r C̃ ∈ { , } ℓ c , and the adversary is next supposed to find a response ( i, p ) such that ( r ⊕ z i , p ) is a valid transcript for the original puzzle (i.e., the adversary needs to win in one of the parallel “padded” instances of the original puzzle). More formally, C̃(1 n , ( z , . . . , z ℓ c ), ( i, p ); r C̃ ) = 1 if and only if C(1 n , p; r C̃ ⊕ z i ) outputs 1.

Perfect completeness of C̃ follows directly from the original proof by [FGM+89]. Recall that, by the completeness of C, there exists some adversary A such that Pr[⟨A, C⟩(1 n ) = 1] ≥ − n for all sufficiently large n; without loss of generality, A is deterministic. Fix some sufficiently large n and let S ⊆ { , } ℓ c be the set of challenges for which A provides an accepting response; the probability that a random challenge z ∈ { , } ℓ c is inside S is thus at least 1 − n. We will show that there exist “pads” z , . . . , z ℓ c such that for every r ∈ { , } ℓ c there exists some i such that r ⊕ z i ∈ S, which implies that an unbounded attacker Ã can succeed with probability 1 (by selecting those pads and next providing an accepting response). Note that for every fixed r, for a randomly chosen pad z i , the probability that r ⊕ z i ∉ S is at most n; thus the probability over randomly chosen pads z , . . . , z ℓ c that r ⊕ z i ∉ S for all i is at most n ℓc . We conclude, by a union bound, that the probability over randomly chosen pads z , . . . , z ℓ c that there exists some r ∈ { , } ℓ c such that r ⊕ z i ∉ S for all i is at most ℓc n ℓc < 1. Thus, there exist pads z , . . . , z ℓ c such that for every r ∈ { , } ℓ c there exists some i such that r ⊕ z i ∈ S, which concludes perfect completeness.

We now turn to proving computational soundness. Consider some adversary Ã∗ that succeeds in convincing C̃ with probability ǫ( n ) for all n ∈ N. We construct an adversary A∗ that convinces C with probability ǫ( n ) ℓ c , which is a contradiction. A∗(1 n ) picks a random tape r Ã∗ for Ã∗, lets ( z , . . . , z ℓ c ) = Ã∗(1 n ; r Ã∗ ), picks a random index i ∈ [ ℓ c ] and outputs z i . Upon receiving a “challenge” r, it lets ( j, p ) = Ã∗(1 n , r ⊕ z i ; r Ã∗ ) and outputs p if i = j and ⊥ otherwise. First, note that in the emulation by A∗, A∗ feeds Ã∗ the same distribution of messages as Ã∗ would see in a “real” interaction with C̃; thus, we have that ( j, p ) is an accepting message (w.r.t. the challenge r ⊕ z i ) with probability ǫ. Additionally, since r ⊕ z i information-theoretically hides i (as r is completely random), the probability that i = j is ℓ c , and furthermore the event that this happens is independent of whether the message ( j, p ) is accepting. We conclude that A∗ convinces C with probability ǫ( n ) ℓ c , which concludes the soundness proof.

We now conclude our main theorem that a hard-on-average language in NP implies a hard-on-average promise-true distributional search problem. We first show that 2-round public-coin puzzles imply 2-round (private-coin) puzzles with perfect completeness:

Theorem 6.2.
Suppose there exists a 2-round public-coin puzzle. Then there exists a 2-round private-coin puzzle with perfect completeness.

Proof: The theorem follows directly by applying our earlier proved results:
• By Theorem 6.1 (perfect completeness through adding a round), a 2-round public-coin puzzle implies a 3-round public-coin puzzle with perfect completeness.
• By Lemma 4.4 (round-collapse lemma), we conclude that either ioOWFs exist, or there exists a 2-round public-coin puzzle with perfect completeness.
• As ioOWFs trivially imply a 2-round (private-coin) puzzle, the theorem follows.

By observing that 2-round private-coin puzzles with perfect completeness are syntactically equivalent to a hard-on-average promise-true distributional search problem, and recalling that by Lemma 3.3 an aeHOA distributional NP problem implies a 2-round puzzle, we directly get the following corollary:

Corollary 6.3. Suppose there exists a distributional NP problem ( L, D ) that is aeHOA. Then, there exists a hard-on-average promise-true distributional NP search problem. In other words, “it isn't easier to prove efficiently-sampled statements that are guaranteed to be true”.
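The two calculations in the proof of Theorem 6.1 above (existence of good pads, and the soundness loss of the padded puzzle), carried through with a general density parameter for the set S of good challenges. This is an added worked derivation, not text from the paper; its assumptions are that the pads are chosen uniformly and independently and that the fraction δ of bad challenges satisfies δ < 1/2.

Let $S \subseteq \{0,1\}^{\ell_c}$ be the set of challenges on which the deterministic adversary $A$ answers acceptably, with $|S| \ge (1-\delta)\,2^{\ell_c}$ for some $0 < \delta < 1/2$ (assumption). The pads $z_1,\dots,z_{\ell_c}$ are drawn uniformly and independently from $\{0,1\}^{\ell_c}$.

Existence of pads. For any fixed $r$, the string $r \oplus z_i$ is uniform, so
$$\Pr_{z_i}\bigl[\,r \oplus z_i \notin S\,\bigr] \;=\; 1 - \frac{|S|}{2^{\ell_c}} \;\le\; \delta .$$
By independence of the pads,
$$\Pr_{z_1,\dots,z_{\ell_c}}\bigl[\,\forall i:\ r \oplus z_i \notin S\,\bigr] \;\le\; \delta^{\ell_c},$$
and a union bound over the $2^{\ell_c}$ choices of $r$ gives
$$\Pr_{z_1,\dots,z_{\ell_c}}\bigl[\,\exists r\ \forall i:\ r \oplus z_i \notin S\,\bigr] \;\le\; 2^{\ell_c}\,\delta^{\ell_c} \;=\; (2\delta)^{\ell_c} \;<\; 1 .$$
Hence some fixed choice of pads satisfies $\forall r\ \exists i:\ r \oplus z_i \in S$, and an unbounded $\tilde A$ that sends exactly these pads and answers $\tilde C$'s message $r$ with $(i, A(r \oplus z_i))$ wins with probability $1$.

Soundness loss. $A^*$ receives $C$'s challenge $r$, draws $i \in [\ell_c]$ uniformly, and hands $\tilde A^*$ the $\tilde C$-message $r' = r \oplus z_i$. By the acceptance rule of $\tilde C$, the answer $(j,p)$ is accepting for $\tilde C$ iff $C$ accepts $p$ on challenge $r' \oplus z_j$; for $j = i$ this challenge is $r' \oplus z_i = r$, so $p$ is accepting for $C$. Let $\mathrm{Acc}$ be the event that $(j,p)$ is accepting for $\tilde C$. Since $r$ is uniform, $r'$ is uniform whatever $i$ is, so the view of $\tilde A^*$ (and hence the pair $(j, \mathrm{Acc})$) is independent of $i$, and $\Pr[\mathrm{Acc}] = \epsilon$ as in a real interaction. Therefore
$$\Pr\bigl[\mathrm{Acc} \wedge i = j\bigr] \;=\; \sum_{j'} \Pr\bigl[\mathrm{Acc} \wedge j = j'\bigr]\cdot \Pr[i = j'] \;=\; \frac{1}{\ell_c}\,\Pr[\mathrm{Acc}] \;=\; \frac{\epsilon}{\ell_c},$$
which is exactly the probability that $A^*$ convinces $C$.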
TFNP is Hard in Pessiland
We next use the same approach to conclude that a hard-on-average language in NP implies either (1) the existence of one-way functions, or (2) the existence of a hard-on-average problem in TFNP.

Theorem 6.4. Suppose there exists a distributional NP problem ( L, D ) that is aeHOA. Then, either of the following holds:
• There exists a OWF;
• There exists some R ∈ TFNP and some PPT D such that ( R, D ) is SearchHOA.

Proof: Again, the theorem follows by simply applying our earlier proved results:
• From Lemma 3.3, we have that an aeHOA distributional NP problem implies a 2-round almost-everywhere puzzle.
• By Theorem 6.1 (perfect completeness through adding a round), this implies a 3-round almost-everywhere puzzle with perfect completeness.
• Applying Lemma 4.4 (round-collapse, variant 2), we conclude that either one-way functions exist, or there exists a 2-round public-coin puzzle with perfect completeness.
• Finally, by applying Lemma 3.5, a 2-round public-coin puzzle with perfect completeness implies the existence of some R ∈ TFNP and some PPT D such that ( R, D ) is SearchHOA.

By replacing the use of Lemma 4.4 with Lemma 4.3 (round-collapse, variant 1), we instead get the following variant.

Theorem 6.5. Suppose there exists a distributional NP problem ( L, D ) that is aeHOA. Then, either of the following holds:
• There exists an ioOWF;
• There exists some R ∈ TFNP and some PPT D such that ( R, D ) is aeSearchHOA.

Characterizing Non-trivial Public-coin Arguments
We finally apply our round-collapse theorem to argument systems.

Non-trivial arguments. We first define the notion of a non-trivial argument. Whereas such a notion of a non-trivial argument has been discussed in the community for at least 15 years, as far as we know the first explicit formalization in the literature appears in a recent work by Goldreich [Gol18]. We simply say that an argument system is non-trivial if it is not a proof system, i.e., the computational aspect of the soundness condition is “real”.

Definition 7.1 (non-trivial arguments). An argument system ( P, V ) for a language L is called non-trivial if ( P, V ) is not an interactive proof system for L.

We focus our attention on public-coin arguments. We show that the existence of any O(1)-round public-coin non-trivial argument implies the existence of a distributional NP/poly problem that is nuHOA.

Theorem 7.2. Assume there exists a O(1)-round public-coin non-trivial argument for some language L. Then, there exists a distributional NP/poly problem that is nuHOA.

Proof:
Consider some k-round non-trivial public-coin argument system ( P, V ). We show that this implies the existence of a k-round non-uniform puzzle. The theorem next follows by applying Corollary 4.1.

Since ( P, V ) is not a proof system, there must exist some polynomial p(·), an unbounded prover B, and sequences I = { n , n , . . . } and { x n i } i ∈ N such that for all i ∈ N, | x n i | = n i , x n i ∉ L, yet B convinces V on common input x n i with probability p( n i ). Now consider the k-round non-uniform puzzle C that for each n receives (1, x n ) as non-uniform advice if n ∈ I and otherwise (0, ⊥). Given non-uniform advice ( b, x ), C(1 n ) simply accepts if b = 0 and otherwise runs the verifier V( x n ). We shall argue that C is a ( p( n ), p( n ) ) puzzle, which by Remark 3.1 implies a puzzle. Completeness follows directly from the existence of B (when b = 0, we have completeness 1 and otherwise we have completeness p( n ) by construction). To show soundness, notice that any non-uniform PPT adversary A∗ that breaks soundness of the puzzle with probability p( n ) for all sufficiently large n must in particular break it for infinitely many n ∈ I, and as such breaks the soundness of ( P, V ) for infinitely many x ∈ { , } ∗ − L with probability p(| x |), which contradicts the soundness of ( P, V ).

We next remark that the implication is almost tight. The existence of a nuHOA problem in NP (as opposed to NP/poly) implies a 2-round non-trivial public-coin argument for NP.

Lemma 7.1.
Suppose there exists a distributional NP problem ( L′, D ) that is nuHOA. Then, for every language L ∈ NP, there exists a non-trivial 2-round public-coin argument for L with an efficient prover.

Proof: We first observe that by the same proof as for Lemma 3.3, a nuHOA NP problem implies a 2-round puzzle satisfying a “weak” completeness property, where completeness only holds for infinitely many n ∈ N, but where soundness holds also against non-uniform PPT algorithms. (Recall that in the proof of Lemma 3.3, we only relied on the almost-everywhere HOA property of the NP problem to ensure that completeness held for all sufficiently large input lengths.) We next simply combine this “weakly-complete” puzzle with a standard NP proof for L to get a non-trivial 2-round argument for L. More precisely, the verifier V( x ) samples the first message of the puzzle and sends it to the prover; next, the verifier accepts the prover's response if it is either a witness for x ∈ L (for some witness relation for L), or if the response is a valid response to the puzzle. The honest prover P simply sends a valid witness for x. Completeness of ( P, V ) trivially holds. Soundness holds due to the soundness of the puzzle (w.r.t. nuPPT). By the weak completeness property of the puzzle, we additionally have that ( P, V ) is not an interactive proof (since there are infinitely many input lengths on which an unbounded prover can find a puzzle solution and thus break soundness).

We finally observe that the existence of n ǫ -round non-trivial public-coin arguments is equivalent to PSPACE ⊄ P/poly. We remark that one direction (that non-trivial arguments imply PSPACE ⊄ P/poly) was already previously proven by Goldreich [Gol18].

Theorem 7.3 (informally stated). For every ǫ > , there exists an (efficient-prover) n ǫ -round non-trivial public-coin argument (for NP) if and only if PSPACE ⊄ P/poly.

Proof: The “only-if” direction (which was already proven by Goldreich [Gol18]) follows just as the only-if direction of Theorem 5.1. The “if” direction follows by combining a standard NP proof with the puzzle from Theorem 5.1 and requiring the prover to either provide the NP witness, or to provide a solution to the puzzle.

Round Collapse for Succinct Arguments
We proceed to remark that the proof of our round-collapse theorem also has consequences for succinct [Kil92] and universal [Mic00, BG02] argument systems.

Theorem 7.4. Assume there exists a k-round public-coin (efficient-prover) argument system for L with communication complexity ℓ(·), where k is a constant. Then, either non-uniform ioOWFs exist, or there exists a 2-round public-coin (efficient-prover) argument for L with communication complexity O( ℓ( n ) polylog( n ) ) k( n )− .

Proof: We apply the BM round-collapse transformation to the k-round argument system k − times, each using log n repetitions (where n is the length of the statement to be proven). Completeness (also w.r.t. efficient provers) follows directly from the classic proof of the BM round collapse [BM88]. To show soundness, as before, we consider a single application of the round-collapse transformation. Consider an adversary that breaks the soundness of the ( k − )-round argument with probability ǫ( n ) for infinitely many { x n } n ; by [PV12, HPWP10] such an adversary can be turned into an adversary that breaks the soundness of a single one of the log n repetitions of the protocol obtained after the BM transformation with probability ǫ′( n ) > for infinitely many { x n } n . If non-uniform ioOWFs do not exist, then we can rely on the same construction as in the proof of Lemma 4.1 to construct an adversary B∗ that breaks the k-round argument system for the same statements { x n } n with probability , which contradicts the soundness of the k-round argument.

Note that each step of the round-collapse transformation has a multiplicative overhead of O( ℓ a ( n ) polylog( n ) ), where ℓ a ( n ) bounds the length of the prover messages. Therefore, iterating the round-collapse transformation i times will result in a multiplicative overhead of O(( ℓ( n ) polylog( n ) ) i ). Theorem 7.4 thus shows that the existence of a O(1)-round succinct (i.e., with sublinear or polylogarithmic communication complexity) public-coin argument system can either be collapsed into a 2-round public-coin succinct argument for the same language (while preserving communication complexity up to polylogarithmic factors, as well as prover efficiency), or non-uniform ioOWFs exist.

It is worthwhile to also note that if the underlying O(1)-round protocol satisfies some notion of resettable [CGGM00] privacy for the prover (e.g., resettable witness indistinguishability (WI) or witness hiding (WH) [CGGM00, FS90]), then so will the resulting 2-round protocol. (The reason we do not consider resettable zero-knowledge is that due to [OW93b] even just plain zero-knowledge protocols for non-trivial languages imply the existence of a non-uniform ioOWF; thus for resettable zero-knowledge, the result would hold vacuously assuming NP ⊄ BPP. However, it is not known whether (resettable) WI or WH arguments for non-trivial languages imply non-uniform ioOWFs.)
Acknowledgments

We are grateful to Johan Håstad and Salil Vadhan for discussions about non-trivial arguments back in 2005. We are also very grateful to Eylon Yogev for helpful discussions.
References

[BCC88] Gilles Brassard, David Chaum, and Claude Crépeau. Minimum disclosure proofs of knowledge. J. Comput. Syst. Sci., 37(2):156–189, 1988.
[BCGL92] Shai Ben-David, Benny Chor, Oded Goldreich, and Michael Luby. On the theory of average case complexity. J. Comput. Syst. Sci., 44(2):193–219, 1992.
[BFNW93] László Babai, Lance Fortnow, Noam Nisan, and Avi Wigderson. BPP has subexponential time simulations unless EXPTIME has publishable proofs. Computational Complexity, 3:307–318, 1993.
[BG02] Boaz Barak and Oded Goldreich. Universal arguments and their applications. In IEEE Conference on Computational Complexity, pages 194–203, 2002.
[BGI+01] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, Amit Sahai, Salil P. Vadhan, and Ke Yang. On the (im)possibility of obfuscating programs. In Advances in Cryptology - CRYPTO 2001, 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings, pages 1–18, 2001.
[BM88] László Babai and Shlomo Moran. Arthur-Merlin games: A randomized proof system, and a hierarchy of complexity classes. J. Comput. Syst. Sci., 36(2):254–276, 1988.
[BOV07] Boaz Barak, Shien Jin Ong, and Salil P. Vadhan. Derandomization in cryptography. SIAM J. Comput., 37(2):380–400, 2007.
[CDT09] Xi Chen, Xiaotie Deng, and Shang-Hua Teng. Settling the complexity of computing two-player Nash equilibria. J. ACM, 56(3):14:1–14:57, 2009.
[CGGM00] Ran Canetti, Oded Goldreich, Shafi Goldwasser, and Silvio Micali. Resettable zero-knowledge (extended abstract). In STOC '00, pages 235–244, 2000.
[CL10] Kai-Min Chung and Feng-Hao Liu. Parallel repetition theorems for interactive arguments. In Theory of Cryptography, 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9-11, 2010, Proceedings, pages 19–36, 2010.
[CP15] Kai-Min Chung and Rafael Pass. Tight parallel repetition theorems for public-coin arguments using KL-divergence. In Theory of Cryptography - 12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 23-25, 2015, Proceedings, Part II, pages 229–246, 2015.
[DGP09] Constantinos Daskalakis, Paul W. Goldberg, and Christos H. Papadimitriou. The complexity of computing a Nash equilibrium. Commun. ACM, 52(2):89–97, 2009.
[DN00] Cynthia Dwork and Moni Naor. Zaps and their applications. In , pages 283–293, 2000.
[DP11] Constantinos Daskalakis and Christos H. Papadimitriou. Continuous local search. In Proceedings of the Twenty-Second Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2011, San Francisco, California, USA, January 23-25, 2011, pages 790–804, 2011.
[ESY84] Shimon Even, Alan L. Selman, and Yacov Yacobi. The complexity of promise problems with applications to public-key cryptography. Information and Control, 61(2):159–173, 1984.
[EY80] Shimon Even and Yacov Yacobi. Cryptocomplexity and NP-completeness. In Automata, Languages and Programming, 7th Colloquium, Noordweijkerhout, The Netherlands, July 14-18, 1980, Proceedings, pages 195–207, 1980.
[FF93] Joan Feigenbaum and Lance Fortnow. Random-self-reducibility of complete sets. SIAM Journal on Computing, 22(5):994–1005, 1993.
[FGM+89] Martin Fürer, Oded Goldreich, Yishay Mansour, Michael Sipser, and Stathis Zachos. On completeness and soundness in interactive proof systems. Advances in Computing Research, 5:429–442, 1989.
[FS90] Uriel Feige and Adi Shamir. Witness indistinguishable and witness hiding protocols. In STOC '90, pages 416–426, 1990.
[GGM84] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. On the cryptographic applications of random functions. In CRYPTO, pages 276–288, 1984.
[GH98] Oded Goldreich and Johan Håstad. On the complexity of interactive proofs with bounded communication. Inf. Process. Lett., 67(4):205–214, 1998.
[Gin66] Seymour Ginsburg. The Mathematical Theory of Context-Free Languages. McGraw-Hill, Inc., USA, 1966.
[GKM+00] Yael Gertner, Sampath Kannan, Tal Malkin, Omer Reingold, and Mahesh Viswanathan. The relationship between public key encryption and oblivious transfer. In , pages 325–335, 2000.
[GM84] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, 1984.
[GMR89] Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1):186–208, 1989.
[GMW91] Oded Goldreich, Silvio Micali, and Avi Wigderson. Proofs that yield nothing but their validity for all languages in NP have zero-knowledge proof systems. J. ACM, 38(3):691–729, 1991.
[Gol01] Oded Goldreich. Foundations of Cryptography — Basic Tools. Cambridge University Press, 2001.
[Gol06] Oded Goldreich. On promise problems: A survey. In Theoretical Computer Science, Essays in Memory of Shimon Even, pages 254–290, 2006.
[Gol18] Oded Goldreich. On doubly-efficient interactive proof systems. Foundations and Trends in Theoretical Computer Science, 13(3):158–246, 2018.
[GP16] Paul W. Goldberg and Christos H. Papadimitriou. Towards a unified complexity theory of total functions. Unpublished manuscript, 2016.
[Gur89] Yuri Gurevich. The challenger-solver game: variations on the theme of P=NP. In Logic in Computer Science Column, The Bulletin of EATCS, 1989.
[Gur91] Yuri Gurevich. Average case completeness. J. Comput. Syst. Sci., 42(3):346–398, 1991.
[GW11] Craig Gentry and Daniel Wichs. Separating succinct non-interactive arguments from all falsifiable assumptions. In Proceedings of the 43rd ACM Symposium on Theory of Computing, STOC 2011, San Jose, CA, USA, 6-8 June 2011, pages 99–108, 2011.
[Hai09] Iftach Haitner. A parallel repetition theorem for any interactive argument. Electronic Colloquium on Computational Complexity (ECCC), 16:27, 2009.
[HHR+10] Iftach Haitner, Thomas Holenstein, Omer Reingold, Salil P. Vadhan, and Hoeteck Wee. Universal one-way hash functions via inaccessible entropy. In EUROCRYPT, pages 616–637, 2010.
[HILL99] Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseudorandom generator from any one-way function. SIAM J. Comput., 28(4):1364–1396, 1999.
[HNY17] Pavel Hubáček, Moni Naor, and Eylon Yogev. The journey from NP to TFNP hardness. In , pages 60:1–60:21, 2017.
[HPWP10] Johan Håstad, Rafael Pass, Douglas Wikström, and Krzysztof Pietrzak. An efficient parallel repetition theorem. In Theory of Cryptography, 7th Theory of Cryptography Conference, TCC 2010, Zurich, Switzerland, February 9-11, 2010, Proceedings, pages 1–18, 2010.
[IL89] Russell Impagliazzo and Michael Luby. One-way functions are essential for complexity based cryptography (extended abstract). In , pages 230–235, 1989.
[IL90] Russell Impagliazzo and Leonid A. Levin. No better ways to generate hard NP instances than picking uniformly at random. In , pages 812–821, 1990.
[Imp95] Russell Impagliazzo. A personal view of average-case complexity. In Structure in Complexity Theory '95, pages 134–147, 1995.
[IW97] Russell Impagliazzo and Avi Wigderson. P = BPP if E requires exponential circuits: Derandomizing the XOR lemma. In STOC '97, pages 220–229, 1997.
[JPY85] David S. Johnson, Christos H. Papadimitriou, and Mihalis Yannakakis. How easy is local search? (extended abstract). In , pages 39–42, 1985.
[Kil92] Joe Kilian. A note on efficient zero-knowledge proofs and arguments (extended abstract). In Proceedings of the 24th Annual ACM Symposium on Theory of Computing, May 4-6, 1992, Victoria, British Columbia, Canada, pages 723–732, 1992.
[KK05] Jonathan Katz and Chiu-Yuen Koo. On constructing universal one-way hash functions from arbitrary one-way functions. Cryptology ePrint Archive, Report 2005/328, 2005.
[KMN+14] Ilan Komargodski, Tal Moran, Moni Naor, Rafael Pass, Alon Rosen, and Eylon Yogev. One-way functions and (im)perfect obfuscation. IACR Cryptology ePrint Archive, 2014:347, 2014.
[Lev86] Leonid A. Levin. Average case complete problems. SIAM J. Comput., 15(1):285–286, 1986.
[LFKN92] Carsten Lund, Lance Fortnow, Howard J. Karloff, and Noam Nisan. Algebraic methods for interactive proof systems. J. ACM, 39(4):859–868, 1992.
[Mic00] Silvio Micali. Computationally sound proofs. SIAM J. Comput., 30(4):1253–1298, 2000.
[MP91] Nimrod Megiddo and Christos H. Papadimitriou. On total functions, existence theorems and computational complexity. Theor. Comput. Sci., 81(2):317–324, 1991.
[MV05] Peter Bro Miltersen and N. V. Vinodchandran. Derandomizing Arthur-Merlin games using hitting sets. Computational Complexity, 14(3):256–279, 2005.
[Nao03] Moni Naor. On cryptographic assumptions and challenges. In Advances in Cryptology - CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17-21, 2003, Proceedings, pages 96–109, 2003.
[NW94] Noam Nisan and Avi Wigderson. Hardness vs randomness. J. Comput. Syst. Sci., 49(2):149–167, 1994.
[NY89] Moni Naor and Moti Yung. Universal one-way hash functions and their cryptographic applications. In STOC '89, pages 33–43, 1989.
[OW93a] Rafail Ostrovsky and Avi Wigderson. One-way functions are essential for non-trivial zero-knowledge. In ISTCS, pages 3–17, 1993.
[OW93b] Rafail Ostrovsky and Avi Wigderson. One-way functions are essential for non-trivial zero-knowledge. In Theory and Computing Systems, 1993, pages 3–17, 1993.
[Pap94] Christos H. Papadimitriou. On the complexity of the parity argument and other inefficient proofs of existence. J. Comput. Syst. Sci., 48(3):498–532, 1994.
[Pas11] Rafael Pass. Limits of provable security from standard assumptions. In Proceedings of the 43rd ACM Symposium on Theory of Computing, STOC 2011, San Jose, CA, USA, 6-8 June 2011, pages 109–118, 2011.
[PV12] Rafael Pass and Muthuramakrishnan Venkitasubramaniam. A parallel repetition theorem for constant-round Arthur-Merlin proofs. TOCT, 4(4):10:1–10:22, 2012.
[Raz98] Ran Raz. A parallel repetition theorem. SIAM Journal on Computing, 27(3):763–803, 1998.
[Rom90] John Rompel. One-way functions are necessary and sufficient for secure signatures. In STOC, pages 387–394, 1990.
[Sha92] Adi Shamir. IP = PSPACE. J. ACM, 39(4):869–877, 1992.
[Tre05] Luca Trevisan. On uniform amplification of hardness in NP. In Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 22-24, 2005, pages 31–38, 2005.
[TV07] Luca Trevisan and Salil P. Vadhan. Pseudorandomness and average-case complexity via uniform reductions. Computational Complexity, 16(4):331–364, 2007.
[Ull67] Joseph S. Ullian. Partial algorithm problems for context free languages. Information and Control, 11(1/2):80–101, 1967.
[Wee05] Hoeteck Wee. On round-efficient argument systems. In Automata, Languages and Programming, 32nd International Colloquium, ICALP 2005, Lisbon, Portugal, July 11-15, 2005, Proceedings, pages 140–152, 2005.
[Wee06] Hoeteck Wee. Finding pessiland. In Theory of Cryptography, Third Theory of Cryptography Conference, TCC 2006, New York, NY, USA, March 4-7, 2006, Proceedings, pages 429–442, 2006.
A Some Theorems from Average-Case Complexity
In this section, we provide formal justifications for Lemmas 2.1, 2.2 and 2.3. We first recall some previous results on average-case complexity relevant to our work.

Theorem A.1 ([Tre05]). Suppose that there exists an NP language L and polynomials ℓ(·) and p(·) such that (L, U_ℓ) is p(n)-HOA (resp., p(n)-aeHOA and p(n)-nuHOA). Then there exists an NP language L′ and a polynomial ℓ′(·) such that (L′, U_ℓ′) is ( − n)^α-HOA (resp., ( − n)^α-aeHOA and ( − n)^α-nuHOA). The value α > 0 is an absolute constant.

Theorem A.2 ([IL90]). Suppose there exists a distributional NP search problem (R, D) that is p(n)-SearchHOA (resp., p(n)-aeSearchHOA and p(n)-nuSearchHOA) for some polynomial p(·). Then there exists a search problem R′ and polynomials ℓ(·) and q(·) such that (R′, U_ℓ) is q(n)-SearchHOA (resp., q(n)-aeSearchHOA and q(n)-nuSearchHOA).

Theorem A.3 ([BCGL92]). Suppose that there exists a distributional NP search problem (R, U_ℓ) that is p(n)-SearchHOA (resp., p(n)-aeSearchHOA and p(n)-nuSearchHOA) for some polynomials p(·) and ℓ(·). Then there is an NP language L′ and polynomials ℓ′(·) and q(·) such that (L′, U_ℓ′) is q(n)-HOA (resp., q(n)-aeHOA and q(n)-nuHOA). If we start with a distributional NP/poly search problem (R, U_ℓ) that is p(n)-nuSearchHOA, then we obtain L′ ∈ NP/poly such that (L′, U_ℓ′) is q(n)-nuHOA.

in that solving instances of size ℓ(n) in the target language helps solving instances of size n in the source language. We will require this stronger property for the reductions to hold in the case of almost-everywhere hardness.

Proof of Lemma 2.2. This follows immediately from Theorem A.1.

Proof of Lemma 2.3. Suppose there exists a distributional NP search problem (R, D) that is SearchHOA (resp., aeSearchHOA and nuSearchHOA). By Theorem A.2, there exists a search problem R′ and polynomials ℓ(·), q(·) such that (R′, U_ℓ) is q(n)-SearchHOA (resp., aeSearchHOA and nuSearchHOA). Next, by Theorem A.3, there is an NP language L′ and polynomials ℓ′(·) and q′(·) such that (L′, U_ℓ′) is q′(n)-HOA (resp., aeHOA and nuHOA), which combined with Theorem A.1 yields an NP language L″ and a polynomial ℓ″ such that (L″, U_ℓ″) is ( − n)^α-HOA (resp., aeHOA and nuHOA). This implies that (L″, U_ℓ″) is HOA (resp., aeHOA and nuHOA).

Proof of Lemma 2.1. Suppose (L, D) is a distributional NP problem that is HOA (resp., a distributional NP/poly problem that is nuHOA); then (R, D) is SearchHOA (resp., nuSearchHOA), where R is the witness relation corresponding to L. By Lemma 2.3, we can obtain an NP (resp., NP/poly) language L′ and a polynomial ℓ′ such that (L′, U_ℓ′) is HOA (resp., nuHOA).

A length-regular function f : {0,1}* → {0,1}* satisfies the properties that (1) |x| = |y| ⇔ |f(x)| = |f(y)| and (2) |x| < |y| ⇔ |f(x)| < |f(y)| for any two strings x, y. We require the "length-regular" property for Turing (Cook) reductions where solving an instance x of the target language requires querying the oracle only on instances of size ℓ(|x|) of the source language, where ℓ is a non-decreasing function.