
Can PPAD Hardness be Based on Standard Cryptographic Assumptions?

Journal of Cryptology

Abstract

We consider the question of whether PPAD hardness can be based on standard cryptographic assumptions, such as the existence of one-way functions or public-key encryption. This question is particularly well-motivated in light of new devastating attacks on obfuscation candidates and their underlying building blocks, which are currently the only known source for PPAD hardness. Central in the study of obfuscation-based PPAD hardness is the sink-of-verifiable-line (SVL) problem, an intermediate step in constructing instances of the PPAD-complete problem source-or-sink. Within the framework of black-box reductions, we prove the following results: (i) average-case PPAD hardness (and even SVL hardness) does not imply any form of cryptographic hardness (not even one-way functions). Moreover, even when assuming the existence of one-way functions, average-case PPAD hardness (and, again, even SVL hardness) does not imply any public-key primitive. Thus, strong cryptographic assumptions (such as obfuscation-related ones) are not essential for average-case PPAD hardness. (ii) Average-case SVL hardness cannot be based either on standard cryptographic assumptions or on average-case PPAD hardness. In particular, average-case SVL hardness is not essential for average-case PPAD hardness. (iii) Any attempt for basing the average-case hardness of the PPAD-complete problem source-or-sink on standard cryptographic assumptions must result in instances with a nearly exponential number of solutions. This stands in striking contrast to the obfuscation-based approach, which results in instances having a unique solution. Taken together, our results imply that it may still be possible to base PPAD hardness on standard cryptographic assumptions, but any such black-box attempt must significantly deviate from the obfuscation-based approach: It cannot go through the SVL problem, and it must result in source-or-sink instances with a nearly exponential number of solutions.


Notes

  1. The name end-of-line is more commonly used in the literature; however, source-or-sink is more accurately descriptive [4].

  2. Recall that although indistinguishability obfuscation does not unconditionally imply the existence of one-way functions [7], it does imply public-key cryptography when assuming the existence of one-way functions [36].

  3. Unless, of course, one allows for artificial manipulations of the instances to generate multiple (strongly related) solutions.

  4. Recall that any hard-on-average distribution of SVL instances can be used in a black-box manner to construct a hard-on-average distribution of instances of a PPAD-complete problem [1, 9]. Thus, our result implies (in particular) that average-case PPAD hardness does not imply one-way functions in a black-box manner.

  5. Formally speaking, as the SVL instance we consider oracle-aided circuits that simply call \({\mathcal {O}}_\mathsf{SVL}\) on their input and output the result.

  6. Recall that constructions in the opposite direction do exist: Any hard-on-average distribution of SVL instances can be used in a black-box manner to construct a hard-on-average distribution of instances of a PPAD-complete problem [1, 9].

  7. Since Q is always consistent with f, and since C is a k-bounded TFNP instance, then in each iteration it holds that \(k_f \le k_g \le k\).

  8. For an explanation regarding the guessing mechanism we refer the reader to the beginning of this section.

  9. To couple two probability distributions means to define a joint distribution whose marginals are exactly those two distributions.

  10. In fact, it is enough to require that each party issues at most q queries.

References

  1. T. Abbot, D. Kane, P. Valiant, On algorithms for Nash equilibria. Unpublished manuscript. http://web.mit.edu/tabbott/Public/final.pdf (2004)

  2. G. Asharov, G. Segev, Limits on the power of indistinguishability obfuscation and functional encryption, in Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science, pp. 191–209 (2015)

  3. G. Asharov, G. Segev, On constructing one-way permutations from indistinguishability obfuscation, in Proceedings of the 13th Theory of Cryptography Conference, pp. 512–541 (2016)

  4. P. Beame, S.A. Cook, J. Edmonds, R. Impagliazzo, T. Pitassi, The relative complexity of NP search problems, in Proceedings of the 27th Annual ACM Symposium on Theory of Computing, pp. 303–314 (1995)

  5. Z. Brakerski, C. Gentry, S. Halevi, T. Lepoint, A. Sahai, M. Tibouchi, Cryptanalysis of the quadratic zero-testing of GGH. Cryptology ePrint Archive, Report 2015/845 (2015)

  6. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs, in Advances in Cryptology—CRYPTO’01, pp. 1–18 (2001)

  7. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)

  8. B. Barak, M. Mahmoody-Ghidary, Merkle puzzles are optimal—an O(n\({}^{2}\))-query attack on any key exchange from a random oracle, in Advances in Cryptology—CRYPTO’09, pp. 374–390 (2009)

  9. N. Bitansky, O. Paneth, A. Rosen, On the cryptographic hardness of finding a Nash equilibrium, in Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science, pp. 1480–1498 (2015)

  10. N. Bitansky, O. Paneth, D. Wichs, Perfect structure on the edge of chaos—trapdoor permutations from indistinguishability obfuscation, in Proceedings of the 13th Theory of Cryptography Conference, pp. 474–502 (2016)

  11. X. Chen, X. Deng, S. Teng, Settling the complexity of computing two-player Nash equilibria. J. ACM 56(3) (2009)

  12. J.H. Cheon, P.-A. Fouque, C. Lee, B. Minaud, H. Ryu, Cryptanalysis of the new CLT multilinear map over the integers. Cryptology ePrint Archive, Report 2016/135 (2016)

  13. J. Coron, C. Gentry, S. Halevi, T. Lepoint, H.K. Maji, E. Miles, M. Raykova, A. Sahai, M. Tibouchi, Zeroizing without low-level zeroes: new MMAP attacks and their limitations, in Advances in Cryptology—CRYPTO’15, pp. 247–266 (2015)

  14. J.H. Cheon, K. Han, C. Lee, H. Ryu, D. Stehlé, Cryptanalysis of the multilinear map over the integers, in Advances in Cryptology—EUROCRYPT’15, pp. 3–12 (2015)

  15. S.A. Cook, R. Impagliazzo, T. Yamakami, A tight relationship between generic oracles and type-2 complexity theory. Inf. Comput. 137(2), 159–170 (1997)

  16. J.H. Cheon, J. Jeong, C. Lee, An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without an encoding of zero. Cryptology ePrint Archive, Report 2016/139 (2016)

  17. J.H. Cheon, C. Lee, H. Ryu, Cryptanalysis of the new CLT multilinear maps. Cryptology ePrint Archive, Report 2015/934 (2015)

  18. C. Daskalakis, P.W. Goldberg, C.H. Papadimitriou, The complexity of computing a Nash equilibrium. SIAM J. Comput. 39(1), 195–259 (2009)

  19. S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits, in Proceedings of the 54th Annual IEEE Symposium on Foundations of Computer Science, pp. 40–49 (2013)

  20. O. Goldreich, On security preserving reductions—revised terminology. Cryptology ePrint Archive, Report 2000/001 (2000)

  21. O. Goldreich, Foundations of Cryptography—Volume 1: Basic Techniques (Cambridge University Press, 2001)

  22. S. Garg, O. Pandey, A. Srinivasan, Revisiting the cryptographic hardness of finding a Nash equilibrium, in Advances in Cryptology–CRYPTO’16, pp. 579–604 (2016)

  23. I. Haitner, J.J. Hoch, O. Reingold, G. Segev, Finding collisions in interactive protocols—tight lower bounds on the round and communication complexities of statistically hiding commitments. SIAM J. Comput. 44(1), 193–242 (2015)

  24. Y. Hu, H. Jia, Cryptanalysis of GGH map. Cryptology ePrint Archive, Report 2015/301 (2015)

  25. P. Hubácek, M. Naor, E. Yogev, The journey from NP to TFNP hardness, in Proceedings of the 8th Innovations in Theoretical Computer Science Conference (2017)

  26. M.D. Hirsch, C.H. Papadimitriou, S.A. Vavasis, Exponential lower bounds for finding Brouwer fix points. J. Complex. 5(4), 379–416 (1989)

  27. R. Impagliazzo, S. Rudich, Limits on the provable consequences of one-way permutations, in Proceedings of the 21st Annual ACM Symposium on Theory of Computing, pp. 44–61 (1989)

  28. M. Luby, Pseudorandomness and Cryptographic Applications (Princeton University Press, 1996)

  29. B. Minaud, P.-A. Fouque, Cryptanalysis of the new multilinear map over the integers. Cryptology ePrint Archive, Report 2015/941 (2015)

  30. E. Miles, A. Sahai, M. Zhandry, Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13. Cryptology ePrint Archive, Report 2016/147 (2016)

  31. C.H. Papadimitriou, On the complexity of the parity argument and other inefficient proofs of existence. J. Comput. Syst. Sci. 48(3), 498–532 (1994)

  32. O. Reingold, L. Trevisan, S.P. Vadhan, Notions of reducibility between cryptographic primitives, in Proceedings of the 1st Theory of Cryptography Conference, pp. 1–20 (2004)

  33. S. Rudich, Limits on the Provable Consequences of One-Way Functions. PhD thesis (EECS Department, University of California, Berkeley, 1988)

  34. D.R. Simon, Finding collisions on a one-way street: can secure hash functions be based on general assumptions? in Advances in Cryptology—EUROCRYPT’98, pp. 334–345 (1998)

  35. R. Savani, B. von Stengel, Exponentially many steps for finding a Nash equilibrium in a bimatrix game, in Proceedings of the 45th Annual IEEE Symposium on Foundations of Computer Science, pp. 258–267 (2004)

  36. A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in Proceedings of the 46th Annual ACM Symposium on Theory of Computing, pp. 475–484 (2014)


Acknowledgements

We thank Nir Bitansky, Tim Roughgarden, Omer Paneth, and the anonymous reviewers for their insightful comments and suggestions.

Author information

Corresponding author

Correspondence to Ido Shahaf.

Additional information

Communicated by Manoj Prabhakaran.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Alon Rosen: Supported by ISF Grant No. 1399/17 and via Project PROMETHEUS (Grant No. 780701). Gil Segev: Supported by the European Union’s 7th Framework Program (FP7) via a Marie Curie Career Integration Grant (Grant No. 618094), by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253), by the Israel Science Foundation (Grant No. 483/13), by the Israeli Centers of Research Excellence (I-CORE) Program (Center No. 4/11), by the US-Israel Binational Science Foundation (Grant No. 2014632), and by a Google Faculty Research Award. Ido Shahaf: Supported by the Clore Israel Foundation via the Clore Scholars Programme.

A Average-Case SVL Hardness and OWFs Do Not Imply Key Agreement


Based on the techniques developed in Sect. 3, we show that average-case SVL hardness is useless for constructing a key-agreement protocol in a black-box manner, even when assuming the existence of one-way functions. Specifically, we show that in any black-box construction of a key-agreement protocol based on a one-way function and a hard-on-average distribution of SVL instances, we can eliminate the protocol’s need for using the SVL instances. This leads to a black-box construction of a key-agreement protocol based on a one-way function, which we can then rule out by invoking the classic result of Impagliazzo and Rudich [27] and its refinement by Barak and Mahmoody-Ghidary [8].

In this section, we model a one-way function as a sequence \(f = \{ f_n \}_{n \in {\mathbb {N}}}\), where for every \(n \in {\mathbb {N}}\) it holds that \(f_n : \{0,1\}^n \rightarrow \{0,1\}^n\). The following definition tailors the standard notion of a fully black-box construction to the specific primitives under consideration.

Definition A.1

A fully black-box construction of a bit-agreement protocol with correctness \(\rho = \rho (n)\) from a one-way function and a hard-on-average distribution of SVL instances consists of a pair of oracle-aided polynomial-time algorithms \((\mathcal {A},\mathcal {B})\), an oracle-aided algorithm M that runs in time \(T_M(\cdot )\), and functions \(\epsilon _{M,1}(\cdot )\) and \(\epsilon _{M,2}(\cdot )\), such that the following conditions hold:

  • Correctness: For any function \(f = \{f_n\}_{n \in {\mathbb {N}}}\), for any valid SVL instance \({\mathcal {O}}_\mathsf{SVL}\), and for any \(n \in {\mathbb {N}}\) it holds that

    $$\begin{aligned}&\Pr _{r_{\mathcal {A}}, r_{\mathcal {B}}} \left[ \mathsf{k}_{\mathcal {A}} = \mathsf{k}_{\mathcal {B}} \left| (\mathsf{k}_{\mathcal {A}}, \mathsf{k}_{\mathcal {B}}, \mathsf{Trans}) \leftarrow \langle \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {A}}), \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {B}}) \rangle \right. \right] \\&\quad \ge \frac{1}{2} + \rho (n) . \end{aligned}$$
  • Black-box proof of security: For any function \(f = \{f_n\}_{n \in {\mathbb {N}}}\), for any valid SVL instance \({\mathcal {O}}_\mathsf{SVL}= \{(\mathsf{Gen}_n, \mathsf{S}_n, \mathsf{V}_n, L(n))\}_{n \in {\mathbb {N}}}\), for any oracle-aided algorithm E that runs in time \(T_E(\cdot )\), and for any function \(\epsilon _E(\cdot )\), if

    $$\begin{aligned} \left| \Pr \left[ \mathsf {Exp}^\mathsf{KA}_{\left( \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}, \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}} \right) , E^{f,{\mathcal {O}}_\mathsf{SVL}}}(n) = 1 \right] - \frac{1}{2} \right| \ge \epsilon _E(n) \end{aligned}$$

    for infinitely many values of \(n \in {\mathbb {N}}\) (recall Definition 2.8 for the description of the experiment \(\mathsf {Exp}^\mathsf{KA}_{\left( \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}, \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}} \right) , E^{f,{\mathcal {O}}_\mathsf{SVL}}}\)), then either

    $$\begin{aligned} \Pr \left[ M^{E,f,{\mathcal {O}}_\mathsf{SVL}}\left( f_n(x) \right) \in f^{-1}_n \left( f_n(x)\right) \right] \ge \epsilon _{M,1}\left( T_E(n) / \epsilon _E(n)\right) \cdot \epsilon _{M,2}(n) \end{aligned}$$

    for infinitely many values of \(n \in {\mathbb {N}}\), where the probability is taken over the choice of \(x \leftarrow \{0,1\}^n\) and over the internal randomness of M, or

    $$\begin{aligned}&\Pr \left[ M^{E,f,{\mathcal {O}}_\mathsf{SVL}}\left( 1^n, \sigma \right) \text{ solves } \left( \mathsf{S}_n(\sigma ,\cdot ), \mathsf{V}_n(\sigma ,\cdot ), L(n) \right) \right] \\&\quad \ge \epsilon _{M,1}\left( T_E(n) / \epsilon _E(n)\right) \cdot \epsilon _{M,2}(n) \end{aligned}$$

    for infinitely many values of \(n \in {\mathbb {N}}\), where the probability is taken over the choice of \(\sigma \leftarrow \mathsf{Gen}_n()\) and over the internal randomness of M.

As in Definition 3.1, we split the security loss in the above definition to an adversary-dependent security loss and an adversary-independent security loss, as this allows us to capture constructions where one of these losses is super-polynomial whereas the other is polynomial. Equipped with the above definition we prove the following theorem:

Theorem A.2

Let \((\mathcal {A},\mathcal {B},M,T_M,\epsilon _{M,1}, \epsilon _{M,2})\) be a fully black-box construction of a bit-agreement protocol with correctness \(\rho (n) = 1/\mathsf{poly}(n)\), for some (arbitrary) polynomial \(\mathsf{poly}(n)\), from a one-way function and a hard-on-average SVL instance. Then, at least one of the following properties holds:

  1. \(T_M(n)\ge 2^{\zeta n}\) for some constant \(\zeta > 0\) (i.e., the reduction runs in exponential time).

  2. \(\epsilon _{M,1}(n^c) \cdot \epsilon _{M,2}(n) \le 2^{- n/10}\) for some constant \(c > 1\) (i.e., the security loss is exponential).

As with Theorem 3.2, Theorem A.2 rules out (in particular) standard “polynomial-time polynomial-loss” reductions. More generally, the theorem implies that if the running time \(T_M(\cdot )\) of the reduction is sub-exponential and the adversary-dependent security loss \(\epsilon _{M,1}(\cdot )\) is polynomial (as expected), then the adversary-independent security loss \(\epsilon _{M,2}(\cdot )\) must be exponential (thus even ruling out constructions based on one-way functions and SVL instances with sub-exponential hardness).

A.1 Proof Overview

In what follows, we first describe the oracles, denoted f and \({\mathcal {O}}_\mathsf{SVL}\), on which we rely for proving Theorem A.2, and show that they indeed implement a one-way function and a hard-on-average distribution of SVL instances, respectively. Then, we show that any bit-agreement protocol that uses the oracles f and \({\mathcal {O}}_\mathsf{SVL}\) can be attacked. For the remainder of this section we remind the reader that a q-query algorithm is an oracle-aided algorithm A such that for any oracle \({\mathcal {O}}\) and input \(x \in \{0,1\}^*\), the computation \(A^{{\mathcal {O}}}(x)\) consists of at most q(|x|) oracle calls to \({\mathcal {O}}\).

The oracles \({\varvec{f}}\) and \(\varvec{{\mathcal {O}}_\mathsf{SVL}}\). The oracle f is a sequence \(\{ f_n \}_{n \in {\mathbb {N}}}\) where for every \(n \in {\mathbb {N}}\) the function \(f_n : \{0,1\}^n \rightarrow \{0,1\}^n\) is sampled uniformly from the set of all functions mapping n-bit inputs to n-bit outputs. The oracle \({\mathcal {O}}_\mathsf{SVL}\), sampled independently of f, is as defined in Sect. 3.1. That is, it is a valid SVL instance \(\{ \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \}_{n \in {\mathbb {N}}}\) that is sampled via the following process for every \(n \in {\mathbb {N}}\):

  • Let \(L(n) = 2^{n/2}\), \(x_0 = 0^n\), and uniformly sample distinct elements \(x_1, \ldots , x_{L(n)} \leftarrow \{0,1\}^n {\setminus } \{ 0^n \}\).

  • The successor function \(\mathsf{S}_n : \{0,1\}^n \rightarrow \{0,1\}^n\) is defined as

    $$\begin{aligned} \mathsf{S}_n(x) = \left\{ \begin{array}{cl} x_{i+1} &{} \text{ if } x=x_i \text{ for } \text{ some } i \in \{0, \ldots , L(n) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. . \end{aligned}$$
  • The verification function \(\mathsf{V}_n : \{0,1\}^n \times [2^n] \rightarrow \{0,1\}\) is defined in a manner that is consistent with \(\mathsf{S}_n\) (i.e., \(\mathsf{V}_n\) is defined such that the instance is valid).

The oracles f and \({\mathcal {O}}_\mathsf{SVL}\) are sampled independently, and therefore we immediately obtain the following two corollaries from Claims 3.3 and 5.3 (Corollary A.3 states that f is indeed hard to invert relative to f and \({\mathcal {O}}_\mathsf{SVL}\), and Corollary A.4 states that \({\mathcal {O}}_\mathsf{SVL}\) is indeed a hard-on-average SVL instance relative to f and \({\mathcal {O}}_\mathsf{SVL}\)):

Corollary A.3

For any fixing of the oracle \({\mathcal {O}}_\mathsf{SVL}\), and for any q(n)-query algorithm M, it holds that

$$\begin{aligned} \Pr \left[ M^{f,{\mathcal {O}}_\mathsf{SVL}}\left( f_n(x) \right) \in f^{-1}_n \left( f_n(x)\right) \right] \le \frac{2(q(n)+1)}{2^n - q(n)} \end{aligned}$$

for all sufficiently large \(n \in {\mathbb {N}}\), where the probability is taken over the choice of \(x \leftarrow \{0,1\}^n\), and over the choice of the oracle \(f = \{ f_n \}_{n \in {\mathbb {N}}}\) as described above.

Corollary A.4

For any fixing of the oracle f, and for any q(n)-query algorithm M, where \(q(n)\le L(n)-1\), it holds that

$$\begin{aligned} \Pr \left[ M^{f, {\mathcal {O}}_\mathsf{SVL}}\left( 1^n\right) \text{ solves } \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \right] \le \frac{(q(n)+1) \cdot L(n)}{2^n - q(n) - 1} \end{aligned}$$

for all sufficiently large \(n \in {\mathbb {N}}\), where the probability is taken over the choice of the oracle \({\mathcal {O}}_\mathsf{SVL}= \{ \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \}_{n \in {\mathbb {N}}}\) as described above.

Attacking bit-agreement protocols relative to \({\varvec{f}}\) and \(\varvec{{\mathcal {O}}_\mathsf{SVL}}\). We show that for any oracle-aided bit-agreement protocol \((\mathcal {A},\mathcal {B})\) with correctness \(\rho (n) = 1/\mathsf{poly}(n)\), in which the parties issue at most q(n) oracle queries, and for any \(\delta = \delta (n) > 0\), there exists an attacker that issues roughly \(q^2/\delta ^2\) oracle queries, whose output agrees with Alice’s output with probability \(1/2 + \rho (n)-\delta (n)\). We prove the following claim:

Claim A.5

Let \((\mathcal {A},\mathcal {B})\) be an oracle-aided bit-agreement protocol, in which the parties issue at most \(q = q(n)\) oracle queries, where the input for each query is of length at most q(n) bits, and assume that

$$\begin{aligned}&\Pr _{\genfrac{}{}{0.0pt}{}{f, {\mathcal {O}}_\mathsf{SVL}}{r_{\mathcal {A}}, r_{\mathcal {B}}}} \left[ \mathsf{k}_{\mathcal {A}} = \mathsf{k}_{\mathcal {B}} \left| (\mathsf{k}_{\mathcal {A}}, \mathsf{k}_{\mathcal {B}}, \mathsf{Trans}) \leftarrow \langle \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {A}}), \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {B}}) \rangle \right. \right] \\&\quad \ge \frac{1}{2} + \rho (n) \end{aligned}$$

for all sufficiently large \(n \in {\mathbb {N}}\) and for some function \(\rho (n) > 0\). Then, for any \(\delta = \delta (n) > 0\), there exists an \(\widetilde{O}(q^2/\delta ^2)\)-query algorithm E, such that

$$\begin{aligned} \left| \Pr \left[ \mathsf {Exp}^\mathsf{KA}_{\left( \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}, \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}} \right) , E^{f,{\mathcal {O}}_\mathsf{SVL}}}(n) = 1 \right] - \frac{1}{2} \right| \ge \rho (n)-\delta (n) \end{aligned}$$

for all sufficiently large \(n \in {\mathbb {N}}\), where the probability is taken over the choice of the oracles f and \({\mathcal {O}}_\mathsf{SVL}\), and over the internal randomness of \(\mathcal {A}\) and \(\mathcal {B}\). Moreover, the algorithm E can be implemented in time polynomial in n, q(n) and \(1/\delta (n)\) given access to a \(\mathsf{PSPACE}\)-complete oracle.

The proof of the claim, which is provided below, is based on adapting the approach underlying our proof of Claim 3.4 to the setting of key-agreement protocols, and then invoking the classic result of Impagliazzo and Rudich [27] and its refinement by Barak and Mahmoody-Ghidary [8]. Specifically, as discussed in Sect. 1.3, during an execution \((\mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}, \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}})\) of a given bit-agreement protocol, with an overwhelming probability over the choice of the oracle \({\mathcal {O}}_\mathsf{SVL}\), the parties \(\mathcal {A}\) and \(\mathcal {B}\) should not query \({\mathcal {O}}_\mathsf{SVL}\) with any elements on the line \(0^n \rightarrow x_1 \rightarrow \cdots \rightarrow x_{L(n)}\) except for the first q elements \(x_0, x_1, \ldots , x_{q-1}\). This gives rise to a bit-agreement protocol \(({\widetilde{\mathcal {A}}}^f, {\widetilde{\mathcal {B}}}^f)\) that does not require access to the oracle \({\mathcal {O}}_\mathsf{SVL}\): First, \({\widetilde{A}}\) samples a sequence \(x_1, \ldots , x_q\) of q values, and sends these values to \({\widetilde{B}}\). Then, \({\widetilde{\mathcal {A}}}\) and \({\widetilde{\mathcal {B}}}\) run the protocol \((\mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}},\mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}})\) by using the values \(x_1, \ldots , x_q\) instead of accessing \({\mathcal {O}}_\mathsf{SVL}\). At this point, we have a bit-agreement protocol where the parties have access only to a random function f, and thus, we can apply the attacks of Impagliazzo and Rudich [27] and Barak and Mahmoody-Ghidary [8], which we can translate back to attacks on the underlying protocol. The proof of Theorem A.2 then follows from Corollaries A.3 and A.4 and Claim A.5 in a manner identical to the proof of Theorem 3.2 (see Sect. 3.4).

A.2 Attacking Key-Agreement Protocols Relative to \({\varvec{f}}\) and \(\varvec{{\mathcal {O}}_\mathsf{SVL}}\)

In this section, we prove Claim A.5. We start by defining an event capturing the above intuition of “hitting” elements on the line sampled for \({\mathcal {O}}_\mathsf{SVL}\), similarly to the event defined in Sect. 3.

The event \(\varvec{\mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{M, n}}\). Let the oracles f and \({\mathcal {O}}_\mathsf{SVL}= \{ \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \}_{n \in {\mathbb {N}}}\) be distributed as described in Section A.1. Let M be a q-query algorithm. We fix some \(n \in {\mathbb {N}}\), and consider only the queries made to \(\mathsf{S}_n\) and \(\mathsf{V}_n\). We denote by \(\alpha _i\) the random variable corresponding to M’s ith oracle query if this is an \(\mathsf{S}_n\)-query, and denote by \((\alpha _i, k_i)\) the random variable corresponding to M’s ith oracle query if this is a \(\mathsf{V}_n\)-query. Let \(x_0,\dots ,x_{L(n)}\) be the line sampled for \(\left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \). As in Sect. 3, we denote by \(\mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{M, n}\) the event in which there exist indices j and \(i\in [L(n)]\) for which \(\alpha _j=x_i\) but \(x_{i-1}\notin \{\alpha _1,\dots ,\alpha _{j-1}\}\). That is, this is the event in which M queries \(({\mathcal {O}}_\mathsf{SVL})_n\) with some \(x_i\) before querying it on \(x_{i-1}\). In particular, note that if the event \(\mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{M, n}\) does not occur, then M does not query \(({\mathcal {O}}_\mathsf{SVL})_n\) with \(x_i\) for \(i\in \{q,\dots ,L(n)\}\). Since the oracle \({\mathcal {O}}_\mathsf{SVL}\) is sampled independently of the oracle f, we deduce the following corollary from Claim 3.5:

Corollary A.6

For any fixing of the oracle f, for any q-query algorithm M, and for any \(n \in {\mathbb {N}}\), it holds that

$$\begin{aligned} \Pr \left[ \mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{M, n} \right] \le \frac{q\cdot L(n)}{2^n-q} \end{aligned}$$

where the probability is taken over the choice of the oracle \({\mathcal {O}}_\mathsf{SVL}= \{ \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \}_{n \in {\mathbb {N}}}\). Moreover, q can be a bound on the number of calls to \(\mathsf{S}_n\) and \(\mathsf{V}_n\).

Removing the oracle \(\varvec{{\mathcal {O}}_\mathsf{SVL}}\). Let \((\mathcal {A},\mathcal {B})\) be an oracle-aided bit-agreement protocol as in Claim A.5. For a loss parameter \(\epsilon =\epsilon (n)>0\), we define an oracle-aided bit-agreement protocol \(({\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}})\) that on input security parameter \(1^n\), and with oracle access to f only, works as follows. First, \({\widetilde{\mathcal {A}}}\) performs the following initialization routine:

  1. Set \(a(n)=2\log (q(n)^2/\epsilon (n)+1)\).

  2. For \(1\le i \le a(n)\):

    (a) Set \(x^i_{0}=0^i\).

    (b) Uniformly sample distinct elements \(x^i_1, \ldots , x^i_{L(i)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i \}\).

    (c) Send the elements \(x^i_1, \ldots , x^i_{L(i)}\) to \({\widetilde{\mathcal {B}}}\).

    (d) Define the successor function \(\widetilde{\mathsf{S}}_i : \{0,1\}^i \rightarrow \{0,1\}^i\) as

      $$\begin{aligned} \widetilde{\mathsf{S}}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , L(i) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. , \end{aligned}$$

      and define the verification function \(\widetilde{\mathsf{V}}_i : \{0,1\}^i \times [2^i] \rightarrow \{0,1\}\) in a manner that is consistent with \(\widetilde{\mathsf{S}}_i\).

  3. For \(a(n)< i\le q(n)\):

    (a) Set \(x^i_{0}=0^i\).

    (b) Uniformly sample distinct elements \(x^i_1, \ldots , x^i_{q(n)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i \}\).

    (c) Send the elements \(x^i_1, \ldots , x^i_{q(n)}\) to \({\widetilde{\mathcal {B}}}\).

    (d) Define the successor function \(\widetilde{\mathsf{S}}_i : \{0,1\}^i \rightarrow \{0,1\}^i\) as

      $$\begin{aligned} \widetilde{\mathsf{S}}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , q(n) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. , \end{aligned}$$

      and define the verification function \(\widetilde{\mathsf{V}}_i : \{0,1\}^i \times [2^i] \rightarrow \{0,1\}\) in a manner that is consistent with \(\widetilde{\mathsf{S}}_i\).

Next, \({\widetilde{\mathcal {A}}}\) and \({\widetilde{\mathcal {B}}}\) emulate the protocol \(\langle \mathcal {A}(1^n),\mathcal {B}(1^n)\rangle \) with respect to the oracle f and the “fake” oracle \(\widetilde{{\mathcal {O}}_\mathsf{SVL}}=\{(\widetilde{\mathsf{S}}_i,\widetilde{\mathsf{V}}_i,L(i))\}_{i=1}^{q(n)}\), and output the outputs of \(\mathcal {A}\) and \(\mathcal {B}\), respectively. We name this phase the emulation phase. Note that by our assumption, \(\mathcal {A}\) and \(\mathcal {B}\) do not query \((\widetilde{{\mathcal {O}}_\mathsf{SVL}})_i\) for \(i> q(n)\), so it is okay to leave it undefined. After emulating the protocol, \({\widetilde{\mathcal {A}}}\) and \({\widetilde{\mathcal {B}}}\) output what \(\mathcal {A}\) and \(\mathcal {B}\) output respectively. Note that in the protocol \(({\widetilde{\mathcal {A}}},{\widetilde{B}})\), the parties issue at most q(n) queries. Also, note that in the initialization phase, \({\widetilde{\mathcal {A}}}\) draws \(\sum _{i=1}^{\lfloor a(n)\rfloor }L(i)+q(n)\cdot (q(n)-\lfloor a(n)\rfloor )\) samples, and it holds that

$$\begin{aligned} \sum _{i=1}^{\lfloor a(n)\rfloor }L(i)+q(n)\cdot (q(n)-\lfloor a(n)\rfloor )\le a(n)\cdot 2^{a(n)/2}+q(n)^2 = \widetilde{O}(q(n)^2/\epsilon (n)) \end{aligned}$$

Coupling the protocols. Consider the executions \((\mathsf{k}_{\mathcal {A}}, \mathsf{k}_{\mathcal {B}}, \mathsf{Trans}) \leftarrow \langle \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {A}}), \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {B}}) \rangle \) and \((\mathsf{k}_{{\widetilde{\mathcal {A}}}}, \mathsf{k}_{{\widetilde{\mathcal {B}}}}, {\widetilde{\mathsf{Trans}}}) \leftarrow \langle {\widetilde{\mathcal {A}}}^{f}(1^n; r_{{\widetilde{\mathcal {A}}}}), {\widetilde{\mathcal {B}}}^{f}(1^n; r_{{\widetilde{\mathcal {B}}}}) \rangle \), where f and \({\mathcal {O}}_\mathsf{SVL}\) are sampled as described above. We couple these executions in the following way (see Note 9):

  • We sample and use the same oracle f for both executions.

  • The randomness of \({\widetilde{\mathcal {A}}}\) can be split into two parts \(r_{{\widetilde{\mathcal {A}}}}=(r_{{\widetilde{\mathcal {A}}},1},r_{{\widetilde{\mathcal {A}}},2})\), where \(r_{{\widetilde{\mathcal {A}}},1}\) is the randomness used in the initialization phase, and \(r_{{\widetilde{\mathcal {A}}},2}\) is the randomness used in the emulation phase.

  • We couple the randomness of the emulation phase with the randomness of the actual execution of \((\mathcal {A},\mathcal {B})\) by \(r_{{\widetilde{\mathcal {A}}},2}=r_{\mathcal {A}}\) and \(r_{{\widetilde{\mathcal {B}}}}=r_{\mathcal {B}}\).

  • We couple the oracle \({\mathcal {O}}_\mathsf{SVL}\) with \(r_{{\widetilde{\mathcal {A}}},1}\) (hence with \(\widetilde{{\mathcal {O}}_\mathsf{SVL}}\)) as follows:

    • For \(1\le i \le a(n)\), recall that \({\widetilde{\mathcal {A}}}\) uniformly samples distinct elements \(x^i_1, \ldots , x^i_{L(i)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i \}\), and that \(x^i_0=0^i\). So we set

      $$\begin{aligned} \mathsf{S}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , L(i) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. , \end{aligned}$$

      and set \(\mathsf{V}_i\) in a manner consistent with \(\mathsf{S}_i\). As a result, \(({\mathcal {O}}_\mathsf{SVL})_i=(\widetilde{{\mathcal {O}}_\mathsf{SVL}})_i\).

    • For \(a(n)<i\le q(n)\), recall that \({\widetilde{\mathcal {A}}}\) uniformly samples distinct elements \(x^i_1, \ldots , x^i_{q(n)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i \}\), and that \(x^i_0=0^i\). So we uniformly sample distinct elements \(x^i_{q(n)+1}, \ldots , x^i_{L(i)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i, x^i_1, \dots , x^i_{q(n)} \}\), set

      $$\begin{aligned} \mathsf{S}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , L(i) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. , \end{aligned}$$

      and set \(\mathsf{V}_i\) in a manner consistent with \(\mathsf{S}_i\). As a result, the line of \((\widetilde{{\mathcal {O}}_\mathsf{SVL}})_i\) is a prefix of the line of \(({\mathcal {O}}_\mathsf{SVL})_i\).

    • For \(i>q(n)\), \(({\mathcal {O}}_\mathsf{SVL})_i\) is sampled without any coupling.

We split the transcript of the execution of \(({\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}})\) into two parts \({\widetilde{\mathsf{Trans}}}=({\widetilde{\mathsf{Trans}}}_1,{\widetilde{\mathsf{Trans}}}_2)\), where \({\widetilde{\mathsf{Trans}}}_1\) is the transcript of the initialization phase, and \({\widetilde{\mathsf{Trans}}}_2\) is the transcript of the emulation phase. Denote by \(\mathsf {Same}=\mathsf {Same}_{(\mathcal {A},\mathcal {B}),n}\) the event in which \((\mathsf{k}_{\mathcal {A}},\mathsf{k}_{\mathcal {B}},\mathsf{Trans})=(\mathsf{k}_{{\widetilde{\mathcal {A}}}},\mathsf{k}_{{\widetilde{\mathcal {B}}}},{\widetilde{\mathsf{Trans}}}_2)\) holds. We now estimate \(\Pr [\mathsf {Same}]\). If for every \(a(n)\le i\le q(n)\), \(\mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{\langle \mathcal {A}(1^n), \mathcal {B}(1^n) \rangle , i}\) does not occur, then the emulation phase and the actual execution of \((\mathcal {A},\mathcal {B})\) behave the same, so \(\mathsf {Same}\) occurs. Hence,

$$\begin{aligned} \Pr \left[ \lnot \mathsf {Same}\right]\le & {} \sum _{i=a(n)}^{q(n)}\Pr _{\mathcal {A},\mathcal {B},f,{\mathcal {O}}_\mathsf{SVL}}\left[ \mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{\langle \mathcal {A}(1^n), \mathcal {B}(1^n) \rangle , i}\right] \\\le & {} \sum _{i=a(n)}^{q(n)}\frac{q(n)\cdot L(i)}{2^i-q(n)} \\\le & {} \sum _{i=a(n)}^{q(n)}\frac{q(n)}{2^{i/2}-1} \\\le & {} \frac{q(n)^2}{2^{a(n)/2}-1}\\= & {} \epsilon (n) . \end{aligned}$$

In particular, it holds that

$$\begin{aligned} \Pr [\mathsf{k}_{{\widetilde{\mathcal {A}}}} = \mathsf{k}_{{\widetilde{\mathcal {B}}}}] \ge \Pr [\mathsf{k}_{\mathcal {A}} = \mathsf{k}_{\mathcal {B}}] - \Pr [\lnot \mathsf {Same}] \ge \frac{1}{2}+\rho (n)-\epsilon (n) \end{aligned}$$

The adversary E. For defining the adversary E for attacking the protocol \((\mathcal {A},\mathcal {B})\), we make use of the aforementioned result of Barak and Mahmoody-Ghidary.

Theorem A.7 ([8, 27])

Let \(({\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}})\) be an oracle-aided bit-agreement protocol, in which the parties issue at most \(q=q(n)\) oracle queries (Footnote 10). Suppose that

$$\begin{aligned} \Pr _{f,{\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}}}[\mathsf{k}_{{\widetilde{\mathcal {A}}}} = \mathsf{k}_{{\widetilde{\mathcal {B}}}}] \ge \frac{1}{2}+\rho (n) \end{aligned}$$

where the oracle f is sampled as above, and \((\mathsf{k}_{{\widetilde{\mathcal {A}}}}, \mathsf{k}_{{\widetilde{\mathcal {B}}}}, {\widetilde{\mathsf{Trans}}}) \leftarrow \langle {\widetilde{\mathcal {A}}}^{f}(1^n), {\widetilde{\mathcal {B}}}^{f}(1^n) \rangle \). Let \(0<\delta (n)<\frac{1}{2}+\rho (n)\). Then, there exists a \((16q/\delta )^2\)-query adversary \({\widetilde{E}}\) such that

$$\begin{aligned} \Pr _{f,{\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}}}[\mathsf{k}_{{\widetilde{\mathcal {A}}}} = {\widetilde{E}}^f({\widetilde{\mathsf{Trans}}})] \ge \frac{1}{2}+\rho - \delta \end{aligned}$$

Moreover, the algorithm \({\widetilde{E}}\) can be implemented in time polynomial in n, q and \(1/\delta \) given access to a \(\mathsf{PSPACE}\)-complete oracle.

Now, let \({\widetilde{E}}\) be the adversary from Theorem A.7 applied to our constructed protocol \(({\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}})\), with loss of \(\delta (n)=\epsilon (n)\). We define an adversary E to the protocol \((\mathcal {A},\mathcal {B})\), that on input \(\mathsf{Trans}\), and with oracle access to f and \({\mathcal {O}}_\mathsf{SVL}=\{(\mathsf{S}_n,\mathsf{V}_n, L(n))\}_{n\in {\mathbb {N}}}\), works as follows:

  1. Set \(a(n)=2\log (q(n)^2/\epsilon (n)+1)\).

  2. Initialize an empty transcript \({\widehat{\mathsf{Trans}}}\).

  3. For \(1\le i \le a(n)\):

    (a) Set \(x^i_{0}=0^i\).

    (b) For \(j=1,\dots ,L(i)\): Set \(x^i_{j}=\mathsf{S}_i(x^i_{j-1})\).

    (c) Append \(x^i_1,\dots ,x^i_{L(i)}\) to the transcript \({\widehat{\mathsf{Trans}}}\) as if they were sent from Alice to Bob.

    (d) Define the successor function \({\widehat{\mathsf{S}}}_i : \{0,1\}^i \rightarrow \{0,1\}^i\) as

      $$\begin{aligned} {\widehat{\mathsf{S}}}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , L(i) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. . \end{aligned}$$

    (e) Define the verification function \({\widehat{\mathsf{V}}}_i : \{0,1\}^i \times [2^i] \rightarrow \{0,1\}\) in a manner that is consistent with \({\widehat{\mathsf{S}}}_i\).

  4. For \(a(n)< i\le q(n)\):

    (a) Set \(x^i_{0}=0^i\).

    (b) For \(j=1,\dots ,q(n)\): Set \(x^i_{j}=\mathsf{S}_i(x^i_{j-1})\).

    (c) Append \(x^i_1,\dots ,x^i_{q(n)}\) to the transcript \({\widehat{\mathsf{Trans}}}\) as if they were sent from Alice to Bob.

    (d) Define the successor function \({\widehat{\mathsf{S}}}_i : \{0,1\}^i \rightarrow \{0,1\}^i\) as

      $$\begin{aligned} {\widehat{\mathsf{S}}}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , q(n) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. . \end{aligned}$$

    (e) Define the verification function \({\widehat{\mathsf{V}}}_i : \{0,1\}^i \times [2^i] \rightarrow \{0,1\}\) in a manner that is consistent with \({\widehat{\mathsf{S}}}_i\).

  5. Run \(\mathsf{k}_E\leftarrow {\widetilde{E}}^f(({\widehat{\mathsf{Trans}}},\mathsf{Trans}))\) and output \(\mathsf{k}_E\).

Note that due to our coupling, the definition of \(x^i_j\) in the algorithm is consistent with the above definition of \(x^i_j\) as elements that \({\widetilde{\mathcal {A}}}\) samples. Also, by our coupling of \({\mathcal {O}}_\mathsf{SVL}\) and \(r_{{\widetilde{\mathcal {A}}},1}\), it holds that \({\widetilde{\mathsf{Trans}}}_1={\widehat{\mathsf{Trans}}}\). Furthermore, if the event \(\mathsf {Same}\) occurs then it holds that \({\widetilde{\mathsf{Trans}}}_2=\mathsf{Trans}\). Therefore, in that case the execution of \(\mathsf{k}_E\leftarrow {\widetilde{E}}^f(({\widehat{\mathsf{Trans}}},\mathsf{Trans}))\) is the same as \(\mathsf{k}_{{\widetilde{E}}}\leftarrow {\widetilde{E}}^f(({\widetilde{\mathsf{Trans}}}_1,{\widetilde{\mathsf{Trans}}}_2))\), and we have

$$\begin{aligned} \Pr [\mathsf{k}_{E}\ne \mathsf{k}_{\mathcal {A}}]\le \Pr [\mathsf{k}_{{\widetilde{E}}}\ne \mathsf{k}_{{\widetilde{\mathcal {A}}}}]+\Pr [\lnot \mathsf {Same}]\le \left( \frac{1}{2}-\rho (n)+\epsilon (n) \right) +\epsilon (n) , \end{aligned}$$

so it holds that \(\Pr [\mathsf{k}_{E}=\mathsf{k}_{\mathcal {A}}]\ge \frac{1}{2}+\rho (n)-2\cdot \epsilon (n)\), and we choose \(\epsilon (n)=\delta (n)/2\), where \(\delta (n)\) is the desired loss from Claim A.5. The number of oracle queries that E performs is at most

$$\begin{aligned} \widetilde{O}(q(n)^2/\delta (n))+(32q(n)/\delta (n))^2\le \widetilde{O}(q(n)^2/\delta (n)^2) . \end{aligned}$$

Moreover, given oracle access to a \(\mathsf{PSPACE}\)-complete oracle, the algorithm E can be implemented to run in time polynomial in n, q and \(1/\delta \). This easily follows from Theorem A.7 and settles the proof of Claim A.5.
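The following Python sketch is an added illustration, not part of the paper. It carries out steps 1, 3 and 4 of E on one constructed toy level and checks the two facts the coupling relies on: walking \(L(i)\) steps rebuilds \(\mathsf{S}_i\) exactly, while walking \(q(n)\) steps yields a prefix whose successor differs from \(\mathsf{S}_i\) only on \(x^i_{q(n)},\dots ,x^i_{L(i)-1}\). Assumptions: i-bit strings are encoded as integers, the line length is passed in as a plain parameter, the verification functions are omitted, and all function names are hypothetical.

```python
import math
import random

def a_param(q, eps):
    """Step 1 of E: a(n) = 2*log2(q^2/eps + 1), i.e. q^2/(2^(a/2) - 1) = eps."""
    return 2 * math.log2(q * q / eps + 1)

def not_same_bound(q, a):
    """Third line of the Pr[not Same] chain: sum of q/(2^(i/2) - 1) over a <= i <= q."""
    return sum(q / (2 ** (i / 2) - 1) for i in range(math.ceil(a), q + 1))

def sample_line(i, length, rng):
    """x_0 = 0^i followed by `length` distinct uniform elements of {0,1}^i minus 0^i.
    i-bit strings are encoded as integers, so 0^i is 0."""
    return [0] + rng.sample(range(1, 2 ** i), length)

def successor(line):
    """S(x) = x_{j+1} if x = x_j for some j in {0..len(line)-2}, and x otherwise."""
    nxt = {line[j]: line[j + 1] for j in range(len(line) - 1)}
    return lambda x: nxt.get(x, x)

def fake_level(S_i, i, L_i, q, a):
    """Steps 3 and 4 of E for one level i <= q: walk the real line from 0^i
    (L(i) steps if i <= a, q steps otherwise) and rebuild a successor from it."""
    steps = L_i if i <= a else q
    xs = [0]
    for _ in range(steps):
        xs.append(S_i(xs[-1]))        # x_j = S_i(x_{j-1})
    return xs, successor(xs)          # xs[1:] is what gets appended to Trans-hat

def disagreements(i, S_i, S_hat_i):
    """All points of {0,1}^i on which the real and rebuilt successors differ."""
    return {x for x in range(2 ** i) if S_i(x) != S_hat_i(x)}

def demo(seed=1, i=8, L_i=16, q=5):
    """Constructed toy level: a 16-step line in {0,1}^8, query budget q = 5."""
    rng = random.Random(seed)
    line = sample_line(i, L_i, rng)
    S_i = successor(line)
    _, full = fake_level(S_i, i, L_i, q, a=i)         # treated as i <= a(n)
    xs, prefix = fake_level(S_i, i, L_i, q, a=i - 1)  # treated as a(n) < i
    return line, xs, disagreements(i, S_i, full), disagreements(i, S_i, prefix)
```

An execution that never queries one of the 11 disagreement points of the prefix case sees identical successor answers from the real and rebuilt oracles on this level.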


Rosen, A., Segev, G. & Shahaf, I. Can PPAD Hardness be Based on Standard Cryptographic Assumptions?. J Cryptol 34, 8 (2021). https://doi.org/10.1007/s00145-020-09369-6
