Skip to main content

Advertisement

Log in

Can PPAD Hardness be Based on Standard Cryptographic Assumptions?

  • Published:
Journal of Cryptology Aims and scope Submit manuscript

Abstract

We consider the question of whether PPAD hardness can be based on standard cryptographic assumptions, such as the existence of one-way functions or public-key encryption. This question is particularly well-motivated in light of new devastating attacks on obfuscation candidates and their underlying building blocks, which are currently the only known source for PPAD hardness. Central in the study of obfuscation-based PPAD hardness is the sink-of-verifiable-line (SVL) problem, an intermediate step in constructing instances of the PPAD-complete problem source-or-sink. Within the framework of black-box reductions, we prove the following results: (i) average-case PPAD hardness (and even SVL hardness) does not imply any form of cryptographic hardness (not even one-way functions). Moreover, even when assuming the existence of one-way functions, average-case PPAD hardness (and, again, even SVL hardness) does not imply any public-key primitive. Thus, strong cryptographic assumptions (such as obfuscation-related ones) are not essential for average-case PPAD hardness. (ii) Average-case SVL hardness cannot be based either on standard cryptographic assumptions or on average-case PPAD hardness. In particular, average-case SVL hardness is not essential for average-case PPAD hardness. (iii) Any attempt for basing the average-case hardness of the PPAD-complete problem source-or-sink on standard cryptographic assumptions must result in instances with a nearly exponential number of solutions. This stands in striking contrast to the obfuscation-based approach, which results in instances having a unique solution. Taken together, our results imply that it may still be possible to base PPAD hardness on standard cryptographic assumptions, but any such black-box attempt must significantly deviate from the obfuscation-based approach: It cannot go through the SVL problem, and it must result in source-or-sink instances with a nearly exponential number of solutions.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Fig. 1

Similar content being viewed by others

Notes

  1. The name end-of-line is more commonly used in the literature; however, source-or-sink is more accurately descriptive [4].

  2. Recall that although indistinguishability obfuscation does not unconditionally imply the existence of one-way functions [7], it does imply public-key cryptography when assuming the existence of one-way functions [36].

  3. Unless, of course, one allows for artificial manipulations of the instances to generate multiple (strongly related) solutions.

  4. Recall that any hard-on-average distribution of SVL instances can be used in a black-box manner to construct a hard-on-average distribution of instances of a PPAD-complete problem [1, 9]. Thus, our result implies (in particular) that average-case PPAD hardness does not imply one-way functions in a black-box manner.

  5. Formally speaking, as the SVL instance we consider oracle-aided circuits that simply call \({\mathcal {O}}_\mathsf{SVL}\) on their input and output the result.

  6. Recall that constructions in the opposite direction do exist: Any hard-on-average distribution of SVL instances can be used in a black-box manner to construct a hard-on-average distribution of instances of a PPAD-complete problem [1, 9].

  7. Since Q is always consistent with f, and since C is a k-bounded TFNP instance, then in each iteration it holds that \(k_f \le k_g \le k\).

  8. For an explanation regarding the guessing mechanism we refer the reader to the beginning of this section.

  9. To couple two probability distributions means to define a joint distribution whose marginals are exactly those two distributions.

  10. In fact, it is enough to require that each party issues at most q queries.

References

  1. T. Abbot, D. Kane, P. Valiant, On algorithms for Nash equilibria. Unpublished manuscript. http://web.mit.edu/tabbott/Public/final.pdf (2004)

  2. G. Asharov, G. Segev, Limits on the power of indistinguishability obfuscation and functional encryption, in Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science, pp. 191–209 (2015)

  3. G. Asharov, G. Segev, On constructing one-way permutations from indistinguishability obfuscation, in Proceedings of the 13th Theory of Cryptography Conference, pp. 512–541 (2016)

  4. P. Beame, S.A. Cook, J. Edmonds, R. Impagliazzo, T. Pitassi, The relative complexity of NP search problems, in Proceedings of the 27th Annual ACM Symposium on Theory of Computing, pp. 303–314 (1995)

  5. Z. Brakerski, C. Gentry, S. Halevi, T. Lepoint, A. Sahai, M. Tibouchi, Cryptanalysis of the quadratic zero-testing of GGH. Cryptology ePrint Archive, Report 2015/845 (2015)

  6. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs, in Advances in Cryptology—CRYPTO’01, pp. 1–18 (2001)

  7. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)

  8. B. Barak, M. Mahmoody-Ghidary, Merkle puzzles are optimal—an O(n\({}^{2}\))-query attack on any key exchange from a random oracle, in Advances in Cryptology—CRYPTO’09, pp. 374–390 (2009)

  9. N. Bitansky, O. Paneth, A. Rosen, On the cryptographic hardness of finding a Nash equilibrium, in Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science, pp. 1480–1498 (2015)

  10. N. Bitansky, O. Paneth, D. Wichs, Perfect structure on the edge of chaos—trapdoor permutations from indistinguishability obfuscation, in Proceedings of the 13th Theory of Cryptography Conference, pp. 474–502 (2016)

  11. X. Chen, X. Deng, S. Teng, Settling the complexity of computing two-player Nash equilibria. J. ACM 56(3) (2009)

  12. J.H. Cheon, P.-A. Fouque, C. Lee, B. Minaud, H. Ryu, Cryptanalysis of the new CLT multilinear map over the integers. Cryptology ePrint Archive, Report 2016/135 (2016)

  13. J. Coron, C. Gentry, S. Halevi, T. Lepoint, H.K. Maji, E. Miles, M. Raykova, A. Sahai, M. Tibouchi, Zeroizing without low-level zeroes: new MMAP attacks and their limitations, in Advances in Cryptology—CRYPTO’15, pp. 247–266 (2015)

  14. J.H. Cheon, K. Han, C. Lee, H. Ryu, D. Stehlé, Cryptanalysis of the multilinear map over the integers, in Advances in Cryptology—EUROCRYPT’15, pp. 3–12 (2015)

  15. S.A. Cook, R. Impagliazzo, T. Yamakami, A tight relationship between generic oracles and type-2 complexity theory. Inf. Comput. 137(2), 159–170 (1997)

  16. J.H. Cheon, J. Jeong, C. Lee, An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without an encoding of zero. Cryptology ePrint Archive, Report 2016/139 (2016)

  17. J.H. Cheon, C. Lee, H. Ryu, Cryptanalysis of the new CLT multilinear maps. Cryptology ePrint Archive, Report 2015/934 (2015)

  18. C. Daskalakis, P.W. Goldberg, C.H. Papadimitriou, The complexity of computing a Nash equilibrium. SIAM J. Comput. 39(1), 195–259 (2009)

  19. S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits, in Proceedings of the 54th Annual IEEE Symposium on Foundations of Computer Science, pp. 40–49 (2013)

  20. O. Goldreich, On security preserving reductions—revised terminology. Cryptology ePrint Archive, Report 2000/001 (2000)

  21. O. Goldreich, Foundations of Cryptography—Volume 1: Basic Techniques (Cambridge University Press, 2001)

  22. S. Garg, O. Pandey, A. Srinivasan, Revisiting the cryptographic hardness of finding a Nash equilibrium, in Advances in Cryptology–CRYPTO’16, pp. 579–604 (2016)

  23. I. Haitner, J.J. Hoch, O. Reingold, G. Segev, Finding collisions in interactive protocols—tight lower bounds on the round and communication complexities of statistically hiding commitments. SIAM J. Comput. 44(1), 193–242 (2015)

  24. Y. Hu, H. Jia, Cryptanalysis of GGH map. Cryptology ePrint Archive, Report 2015/301 (2015)

  25. P. Hubácek, M. Naor, E. Yogev, The journey from NP to TFNP hardness, in Proceedings of the 8th Innovations in Theoretical Computer Science Conference (2017)

  26. M.D. Hirsch, C.H. Papadimitriou, S.A. Vavasis, Exponential lower bounds for finding brouwer fix points. J. Complex. 5(4), 379–416 (1989)

  27. R. Impagliazzo, S. Rudich, Limits on the provable consequences of one-way permutations, in Proceedings of the 21st Annual ACM Symposium on Theory of Computing, pp. 44–61 (1989)

  28. M. Luby, Pseudorandomness and Cryptographic Applications (Princeton University Press, 1996)

  29. B. Minaud, P.-A. Fouque, Cryptanalysis of the new multilinear map over the integers. Cryptology ePrint Archive, Report 2015/941 (2015)

  30. E. Miles, A. Sahai, M. Zhandry, Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13. Cryptology ePrint Archive, Report 2016/147 (2016)

  31. C.H. Papadimitriou, On the complexity of the parity argument and other inefficient proofs of existence. J. Comput. Syst. Sci. 48(3), 498–532 (1994)

  32. O. Reingold, L. Trevisan, S.P. Vadhan, Notions of reducibility between cryptographic primitives, in Proceedings of the 1st Theory of Cryptography Conference, pp. 1–20 (2004)

  33. S. Rudich, Limits on the Provable Consequences of One-Way Functions. PhD thesis (EECS Department, University of California, Berkeley, 1988)

  34. D.R. Simon, Finding collisions on a one-way street: can secure hash functions be based on general assumptions? in Advances in Cryptology—EUROCRYPT’98, pp. 334–345 (1998)

  35. R. Savani, B. von Stengel, Exponentially many steps for finding a Nash equilibrium in a bimatrix game, in Proceedings of the 45th Annual IEEE Symposium on Foundations of Computer Science, pp. 258–267 (2004)

  36. A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in Proceedings of the 46th Annual ACM Symposium on Theory of Computing, pp. 475–484 (2014)

Download references

Acknowledgements

We thank Nir Bitansky, Tim Roughgarden, Omer Paneth, and the anonymous reviewers for their insightful comments and suggestions.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Ido Shahaf.

Additional information

Communicated by Manoj Prabhakaran.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Alon Rosen: Supported by ISF Grant No. 1399/17 and via Project PROMETHEUS (Grant No. 780701). Gil Segev: Supported by the European Union’s 7th Framework Program (FP7) via a Marie Curie Career Integration Grant (Grant No. 618094), by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253), by the Israel Science Foundation (Grant No. 483/13), by the Israeli Centers of Research Excellence (I-CORE) Program (Center No. 4/11), by the US-Israel Binational Science Foundation (Grant No. 2014632), and by a Google Faculty Research Award. Ido Shahaf: Supported by the Clore Israel Foundation via the Clore Scholars Programme.

A Average-Case SVL Hardness and OWFs Do Not Imply Key Agreement

A Average-Case SVL Hardness and OWFs Do Not Imply Key Agreement

Based on the techniques developed in Sect. 3, we show that average-case SVL hardness is useless for constructing a key-agreement protocol in a black-box manner, even when assuming the existence of one-way functions. Specifically, we show that in any black-box construction of a key-agreement protocol based on a one-way function and a hard-on-average distribution of SVL instances, we can eliminate the protocol’s need for using the SVL instances. This leads to a black-box construction of key-agreement protocol based on a one-way function, which we can then rule out by invoking the classic result of Impagliazzo and Rudich [27] and its refinement by Barak and Mahmoody-Ghidary [8].

In this section, we model a one-way function as a sequence \(f = \{ f_n \}_{n \in {\mathbb {N}}}\), where for every \(n \in {\mathbb {N}}\) it holds that \(f_n : \{0,1\}^n \rightarrow \{0,1\}^n\). The following definition tailors the standard notion of a fully black-box construction to the specific primitives under consideration.

Definition A.1

A fully black-box construction of a bit-agreement protocol with correctness \(\rho = \rho (n)\) from a one-way function and a hard-on-average distribution of SVL instances consists of a pair of oracle-aided polynomial-time algorithm \((\mathcal {A},\mathcal {B})\), an oracle-aided algorithm M that runs in time \(T_M(\cdot )\), and functions \(\epsilon _{M,1}(\cdot )\) and \(\epsilon _{M,2}(\cdot )\), such that the following conditions hold:

  • Correctness: For any function \(f = \{f_n\}_{n \in {\mathbb {N}}}\), for any valid SVL instance \({\mathcal {O}}_\mathsf{SVL}\), and for any \(n \in {\mathbb {N}}\) it holds that

    $$\begin{aligned}&\Pr _{r_{\mathcal {A}}, r_{\mathcal {B}}} \left[ \mathsf{k}_{\mathcal {A}} = \mathsf{k}_{\mathcal {B}} \left| (\mathsf{k}_{\mathcal {A}}, \mathsf{k}_{\mathcal {B}}, \mathsf{Trans}) \leftarrow \langle \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {A}}), \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {B}}) \rangle \right. \right] \\&\quad \ge \frac{1}{2} + \rho (n) . \end{aligned}$$
  • Black-box proof of security: For any function \(f = \{f_n\}_{n \in {\mathbb {N}}}\), for any valid SVL instance \({\mathcal {O}}_\mathsf{SVL}= \{(\mathsf{Gen}_n, \mathsf{S}_n, \mathsf{V}_n, L(n))\}_{n \in {\mathbb {N}}}\), for any oracle-aided algorithm E that runs in time \(T_E(\cdot )\), and for any function \(\epsilon _E(\cdot )\), if

    $$\begin{aligned} \left| \Pr \left[ \mathsf {Exp}^\mathsf{KA}_{\left( \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}, \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}} \right) , E^{f,{\mathcal {O}}_\mathsf{SVL}}}(n) = 1 \right] - \frac{1}{2} \right| \ge \epsilon _E(n) \end{aligned}$$

    for infinitely many values of \(n \in {\mathbb {N}}\) (recall Definition 2.8 for the description of the experiment \(\mathsf {Exp}^\mathsf{KA}_{\left( \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}, \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}} \right) , E^{f,{\mathcal {O}}_\mathsf{SVL}}}\)), then either

    $$\begin{aligned} \Pr \left[ M^{E,f,{\mathcal {O}}_\mathsf{SVL}}\left( f_n(x) \right) \in f^{-1}_n \left( f_n(x)\right) \right] \ge \epsilon _{M,1}\left( T_E(n) / \epsilon _E(n)\right) \cdot \epsilon _{M,2}(n) \end{aligned}$$

    for infinitely many values of \(n \in {\mathbb {N}}\), where the probability is taken over the choice of \(x \leftarrow \{0,1\}^n\) and over the internal randomness of M, or

    $$\begin{aligned}&\Pr \left[ M^{E,f,{\mathcal {O}}_\mathsf{SVL}}\left( 1^n, \sigma \right) \text{ solves } \left( \mathsf{S}_n(\sigma ,\cdot ), \mathsf{V}_n(\sigma ,\cdot ), L(n) \right) \right] \\&\quad \ge \epsilon _{M,1}\left( T_E(n) / \epsilon _E(n)\right) \cdot \epsilon _{M,2}(n) \end{aligned}$$

    for infinitely many values of \(n \in {\mathbb {N}}\), where the probability is taken over the choice of \(\sigma \leftarrow \mathsf{Gen}_n()\) and over the internal randomness of M.

As in Definition 3.1, we split the security loss in the above definition to an adversary-dependent security loss and an adversary-independent security loss, as this allows us to capture constructions where one of these losses is super-polynomial whereas the other is polynomial. Equipped with the above definition we prove the following theorem:

Theorem A.2

Let \((\mathcal {A},\mathcal {B},M,T_M,\epsilon _{M,1}, \epsilon _{M,2})\) be a fully black-box construction of a bit-agreement protocol with correctness \(\rho (n) = 1/\mathsf{poly}(n)\), for some (arbitrary) polynomial \(\mathsf{poly}(n)\), from a one-way function and a hard-on-average SVL instance. Then, at least one of the following properties holds:

  1. 1.

    \(T_M(n)\ge 2^{\zeta n}\) for some constant \(\zeta > 0\) (i.e., the reduction runs in exponential time).

  2. 2.

    \(\epsilon _{M,1}(n^c) \cdot \epsilon _{M,2}(n) \le 2^{- n/10}\) for some constant \(c > 1\) (i.e., the security loss is exponential).

As with Theorem 3.2, also here Theorem A.2 rules out (in particular) standard “polynomial-time polynomial-loss” reductions. More generally, the theorem implies that if the running time \(T_M(\cdot )\) of the reduction is sub-exponential and the adversary-dependent security loss \(\epsilon _{M,1}(\cdot )\) is polynomial (as expected), then the adversary-independent security loss \(\epsilon _{M,2}(\cdot )\) must be exponential (thus even ruling out constructions based on one-way function and SVL instances with sub-exponential hardness).

1.1 A.1 Proof Overview

In what follows, we first describe the oracles, denoted f and \({\mathcal {O}}_\mathsf{SVL}\), on which we rely for proving Theorem A.2, and show that they indeed implement a one-way function and a hard-on-average distribution of SVL instances, respectively. Then, we show that any bit-agreement protocol that uses the oracles f and \({\mathcal {O}}_\mathsf{SVL}\) can be attacked. For the remainder of this section we remind the reader that a q-query algorithm is an oracle-aided algorithm A such that for any oracle \({\mathcal {O}}\) and input \(x \in \{0,1\}^*\), the computation \(A^{{\mathcal {O}}}(x)\) consists of at most q(|x|) oracle calls to \({\mathcal {O}}\).

The oracles \({\varvec{f}}\) and \(\varvec{{\mathcal {O}}_\mathsf{SVL}}\). The oracle f is a sequence \(\{ f_n \}_{n \in {\mathbb {N}}}\) where for every \(n \in {\mathbb {N}}\) the function \(f_n : \{0,1\}^n \rightarrow \{0,1\}^n\) is sampled uniformly from the set of all functions mapping n-bit inputs to n-bit outputs. The oracle \({\mathcal {O}}_\mathsf{SVL}\), sampled independently of f, is as defined in Sect. 3.1. That is, it is a valid SVL instance \(\{ \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \}_{n \in {\mathbb {N}}}\) that is sampled via the following process for every \(n \in {\mathbb {N}}\):

  • Let \(L(n) = 2^{n/2}\), \(x_0 = 0^n\), and uniformly sample distinct elements \(x_1, \ldots , x_{L(n)} \leftarrow \{0,1\}^n {\setminus } \{ 0^n \}\).

  • The successor function \(\mathsf{S}_n : \{0,1\}^n \rightarrow \{0,1\}^n\) is defined as

    $$\begin{aligned} \mathsf{S}_n(x) = \left\{ \begin{array}{cl} x_{i+1} &{} \text{ if } x=x_i \text{ for } \text{ some } i \in \{0, \ldots , L(n) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. . \end{aligned}$$
  • The verification function \(\mathsf{V}_n : \{0,1\}^n \times [2^n] \rightarrow \{0,1\}\) is defined in a manner that is consistent with \(\mathsf{S}_n\) (i.e., \(\mathsf{V}_n\) is defined such that the instance is valid).

The oracles f and \({\mathcal {O}}_\mathsf{SVL}\) are sampled independently, and therefore, we immediately obtain the following two corollaries from Claims 3.3 and 5.3 (the first corollary states that f is indeed hard to invert relative to f and \({\mathcal {O}}_\mathsf{SVL}\), and the second corollary A.4 states that \({\mathcal {O}}_\mathsf{SVL}\) is indeed a hard-on-average SVL instance relative to f and \({\mathcal {O}}_\mathsf{SVL}\)):

Corollary A.3

For any fixing of the oracle \({\mathcal {O}}_\mathsf{SVL}\), and for any q(n)-query algorithm M, it holds that

$$\begin{aligned} \Pr \left[ M^{f,{\mathcal {O}}_\mathsf{SVL}}\left( f_n(x) \right) \in f^{-1}_n \left( f_n(x)\right) \right] \le \frac{2(q(n)+1)}{2^n - q(n)} \end{aligned}$$

for all sufficiently large \(n \in {\mathbb {N}}\), where the probability is taken over the choice of \(x \leftarrow \{0,1\}^n\), and over the choice of the oracle \(f = \{ f_n \}_{n \in {\mathbb {N}}}\) as described above.

Corollary A.4

For any fixing of the oracle f, and for any q(n)-query algorithm M, where \(q(n)\le L(n)-1\), it holds that

$$\begin{aligned} \Pr \left[ M^{f, {\mathcal {O}}_\mathsf{SVL}}\left( 1^n\right) \text{ solves } \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \right] \le \frac{(q(n)+1) \cdot L(n)}{2^n - q(n) - 1} \end{aligned}$$

for all sufficiently large \(n \in {\mathbb {N}}\), where the probability is taken over the choice of the oracle \({\mathcal {O}}_\mathsf{SVL}= \{ \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \}_{n \in {\mathbb {N}}}\) as described above.

Attacking bit-agreement protocols relative to \({\varvec{f}}\) and \(\varvec{{\mathcal {O}}_\mathsf{SVL}}\). We show that for any oracle-aided bit-agreement protocol \((\mathcal {A},\mathcal {B})\) with correctness \(\rho (n) = 1/\mathsf{poly}(n)\), in which the parties issue at most q(n) oracle queries, and for any \(\delta = \delta (n) > 0\), there exists an attacker that issues roughly \(q^2/\delta ^2\) oracle queries, whose output agrees with Alice’s output with probability \(1/2 + \rho (n)-\delta (n)\). We prove the following claim:

Claim A.5

Let \((\mathcal {A},\mathcal {B})\) be an oracle-aided bit-agreement protocol, in which the parties issue at most \(q = q(n)\) oracle queries, where the input for each query is of length at most q(n) bits, and assume that

$$\begin{aligned}&\Pr _{\genfrac{}{}{0.0pt}{}{f, {\mathcal {O}}_\mathsf{SVL}}{r_{\mathcal {A}}, r_{\mathcal {B}}}} \left[ \mathsf{k}_{\mathcal {A}} = \mathsf{k}_{\mathcal {B}} \left| (\mathsf{k}_{\mathcal {A}}, \mathsf{k}_{\mathcal {B}}, \mathsf{Trans}) \leftarrow \langle \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {A}}), \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {B}}) \rangle \right. \right] \\&\quad \ge \frac{1}{2} + \rho (n) \end{aligned}$$

for all sufficiently large \(n \in {\mathbb {N}}\) and for some function \(\rho (n) > 0\). Then, for any \(\delta = \delta (n) > 0\), there exists an \(\widetilde{O}(q^2/\delta ^2)\)-query algorithm E, such that

$$\begin{aligned} \left| \Pr \left[ \mathsf {Exp}^\mathsf{KA}_{\left( \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}, \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}} \right) , E^{f,{\mathcal {O}}_\mathsf{SVL}}}(n) = 1 \right] - \frac{1}{2} \right| \ge \rho (n)-\delta (n) \end{aligned}$$

for all sufficiently large \(n \in {\mathbb {N}}\), where the probability is taken over the choice of the oracles f and \({\mathcal {O}}_\mathsf{SVL}\), and over the internal randomness of \(\mathcal {A}\) and \(\mathcal {B}\). Moreover, the algorithm E can be implemented in time polynomial in n, q(n) and \(1/\delta (n)\) given access to a \(\mathsf{PSPACE}\)-complete oracle.

The proof of the claim, which is provided below, is based on adapting the approach underlying our proof of Claim 3.4 to the setting of key-agreement protocols, and then invoking the classic result of Impagliazzo and Rudich [27] and its refinement by Barak and Mahmoody-Ghidary [8]. Specifically, as discussed in Sect. 1.3, during an execution \((\mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}, \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}})\) of a given bit-agreement protocol, with an overwhelming probability over the choice of the oracle \({\mathcal {O}}_\mathsf{SVL}\), the parties \(\mathcal {A}\) and \(\mathcal {B}\) should not query \({\mathcal {O}}_\mathsf{SVL}\) with any elements on the line \(0^n \rightarrow x_1 \rightarrow \cdots \rightarrow x_{L(n)}\) except for the first q elements \(x_0, x_1, \ldots , x_{q-1}\). This gives rise to a bit-agreement protocol \(({\widetilde{\mathcal {A}}}^f, {\widetilde{\mathcal {B}}}^f)\) that does not require access to the oracle \({\mathcal {O}}_\mathsf{SVL}\): First, \({\widetilde{A}}\) samples a sequence \(x_1, \ldots , x_q\) of q values, and sends these values to \({\widetilde{B}}\). Then, \({\widetilde{\mathcal {A}}}\) and \({\widetilde{\mathcal {B}}}\) run the protocol \((\mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}},\mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}})\) by using the values \(x_1, \ldots , x_q\) instead of accessing \({\mathcal {O}}_\mathsf{SVL}\). At this point, we have a bit-agreement protocol where the parties have access only to a random function f, and thus, we can apply the attacks of Impagliazzo and Rudich [27] and Barak and Mahmoody-Ghidary [8], which we can translate back to attacks on the underlying protocol. The proof of Theorem A.2 then follows from Corollaries A.3 and A.4 and Claim A.5 in a manner identical to the proof of Theorem 3.2 (see Sect. 3.4).

1.2 A.2 Attacking Key-Agreement Protocols Relative to \({\varvec{f}}\) and \(\varvec{{\mathcal {O}}_\mathsf{SVL}}\)

In this section, we prove Claim A.5. We start by defining an event capturing the above intuition of “hitting” elements on the line sampled for \({\mathcal {O}}_\mathsf{SVL}\), similarly to event defined in Sect. 3.

The event \(\varvec{\mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{M, n}}\). Let the oracles f and \({\mathcal {O}}_\mathsf{SVL}= \{ \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \}_{n \in {\mathbb {N}}}\) be distributed as described in Section A.1. Let M be a q-query algorithm. We fix some \(n \in {\mathbb {N}}\), and consider only the queries made to \(\mathsf{S}_n\) and \(\mathsf{V}_n\). We denote by \(\alpha _i\) the random variable corresponding to M’s ith oracle query if this is an \(\mathsf{S}_n\)-query, and denote by \((\alpha _i, k_i)\) the random variable corresponding to M’s ith oracle query if this is a \(\mathsf{V}_n\)-query. Let \(x_0,\dots ,x_{L(n)}\) be the line sampled for \(\left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \). As in Sect. 3, we denote by \(\mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{M, n}\) the event in which there exist indices j and \(i\in [L(n)]\) for which \(\alpha _j=x_i\) but \(x_{i-1}\notin \{\alpha _1,\dots ,\alpha _{j-1}\}\). That is, this is the event in which M queries \(({\mathcal {O}}_\mathsf{SVL})_n\) with some \(x_i\) before querying it on \(x_{i-1}\). In particular, note that if the event \(\mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{M, n}\) does not occur, then M does not query \(({\mathcal {O}}_\mathsf{SVL})_n\) with \(x_i\) for \(i\in \{q,\dots ,L(n)\}\). Since the oracle \({\mathcal {O}}_\mathsf{SVL}\) is sampled independently of the oracle f, we deduce the following corollary from Claim 3.5:

Corollary A.6

For any fixing of the oracle f, for any q-query algorithm M, and for any \(n \in {\mathbb {N}}\), it holds that

$$\begin{aligned} \Pr \left[ \mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{M, n} \right] \le \frac{q\cdot L(n)}{2^n-q} \end{aligned}$$

where the probability is taken over the choice of the oracle \({\mathcal {O}}_\mathsf{SVL}= \{ \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \}_{n \in {\mathbb {N}}}\). Moreover, q can be a bound on the number of calls to \(\mathsf{S}_n\) and \(\mathsf{V}_n\).

Removing the oracle \(\varvec{{\mathcal {O}}_\mathsf{SVL}}\). Let \((\mathcal {A},\mathcal {B})\) be an oracle-aided bit-agreement protocol as in Claim A.5. For a loss parameter \(\epsilon =\epsilon (n)>0\), we define an oracle-aided bit-agreement protocol \(({\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}})\) that on input security parameter \(1^n\), and with oracle access to f only, works as follows. First, \({\widetilde{\mathcal {A}}}\) performs the following initialization routine:

  1. 1.

    Set \(a(n)=2\log (q(n)^2/\epsilon (n)+1)\).

  2. 2.

    For \(1\le i \le a(n)\):

    1. (a)

      Set \(x^i_{0}=0^i\).

    2. (b)

      Uniformly sample distinct elements \(x^i_1, \ldots , x^i_{L(i)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i \}\).

    3. (c)

      Send the elements \(x^i_1, \ldots , x^i_{L(i)}\) to \({\widetilde{\mathcal {B}}}\).

    4. (d)

      Define the successor function \(\widetilde{\mathsf{S}}_i : \{0,1\}^i \rightarrow \{0,1\}^i\) as

      $$\begin{aligned} \widetilde{\mathsf{S}}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , L(i) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. , \end{aligned}$$

      and define the verification function \(\widetilde{\mathsf{V}}_i : \{0,1\}^i \times [2^i] \rightarrow \{0,1\}\) in a manner that is consistent with \(\widetilde{\mathsf{S}}_i\).

  3. 3.

    For \(a(n)< i\le q(n)\):

    1. (a)

      Set \(x^i_{0}=0^i\).

    2. (b)

      Uniformly sample distinct elements \(x^i_1, \ldots , x^i_{q(n)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i \}\).

    3. (c)

      Send the elements \(x^i_1, \ldots , x^i_{q(n)}\) to \({\widetilde{\mathcal {B}}}\).

    4. (d)

      Define the successor function \(\widetilde{\mathsf{S}}_i : \{0,1\}^i \rightarrow \{0,1\}^i\) as

      $$\begin{aligned} \widetilde{\mathsf{S}}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , q(n) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. , \end{aligned}$$

      and define the verification function \(\widetilde{\mathsf{V}}_i : \{0,1\}^i \times [2^i] \rightarrow \{0,1\}\) in a manner that is consistent with \(\widetilde{\mathsf{S}}_i\).

Next, \({\widetilde{\mathcal {A}}}\) and \({\widetilde{\mathcal {B}}}\) emulate the protocol \(\langle \mathcal {A}(1^n),\mathcal {B}(1^n)\rangle \) with respect to the oracle f and the “fake” oracle \(\widetilde{{\mathcal {O}}_\mathsf{SVL}}=\{(\widetilde{\mathsf{S}}_i,\widetilde{\mathsf{V}}_i,L(i))\}_{i=1}^{q(n)}\), and output the outputs of \(\mathcal {A}\) and \(\mathcal {B}\), respectively. We name this phase the emulation phase. Note that by our assumption, \(\mathcal {A}\) and \(\mathcal {B}\) do not query \((\widetilde{{\mathcal {O}}_\mathsf{SVL}})_i\) for \(i> q(n)\), so it is okay to leave it undefined. After emulating the protocol, \({\widetilde{\mathcal {A}}}\) and \({\widetilde{\mathcal {B}}}\) output what \(\mathcal {A}\) and \(\mathcal {B}\) output respectively. Note that in the protocol \(({\widetilde{\mathcal {A}}},{\widetilde{B}})\), the parties issue at most q(n) queries. Also, note that in the initialization phase, \({\widetilde{\mathcal {A}}}\) draws \(\sum _{i=1}^{\lfloor a(n)\rfloor }L(i)+q(n)\cdot (q(n)-\lfloor a(n)\rfloor )\) samples, and it holds that

$$\begin{aligned} \sum _{i=1}^{\lfloor a(n)\rfloor }L(i)+q(n)\cdot (q(n)-\lfloor a(n)\rfloor )\le a(n)\cdot 2^{a(n)/2}+q(n)^2 = \widetilde{O}(q(n)^2/\epsilon (n)) \end{aligned}$$

Coupling the protocols. Consider the executions \((\mathsf{k}_{\mathcal {A}}, \mathsf{k}_{\mathcal {B}}, \mathsf{Trans}) \leftarrow \langle \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {A}}), \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {B}}) \rangle \) and \((\mathsf{k}_{{\widetilde{\mathcal {A}}}}, \mathsf{k}_{{\widetilde{\mathcal {B}}}}, {\widetilde{\mathsf{Trans}}}) \leftarrow \langle {\widetilde{\mathcal {A}}}^{f}(1^n; r_{{\widetilde{\mathcal {A}}}}), {\widetilde{\mathcal {B}}}^{f}(1^n; r_{{\widetilde{\mathcal {B}}}}) \rangle \), where f and \({\mathcal {O}}_\mathsf{SVL}\) are sampled as described above. We couple these executions in the following way:Footnote 9

  • We sample and use the same oracle f for both executions.

  • The randomness of \({\widetilde{A}}\) can be split into two part \(r_{{\widetilde{\mathcal {A}}}}=(r_{{\widetilde{\mathcal {A}}},1},r_{{\widetilde{\mathcal {A}}},2})\), where \(r_{{\widetilde{\mathcal {A}}},1}\) is the randomness used in the initialization phase, and \(r_{{\widetilde{\mathcal {A}}},2}\) is the randomness used in the emulation phase.

  • We couple the randomness of the emulation phase with the randomness of the actual execution of \((\mathcal {A},\mathcal {B})\) by \(r_{{\widetilde{\mathcal {A}}},2}=r_{\mathcal {A}}\) and \(r_{{\widetilde{\mathcal {B}}}}=r_{\mathcal {B}}\).

  • We couple the oracle \({\mathcal {O}}_\mathsf{SVL}\) with \(r_{{\widetilde{\mathcal {A}}},1}\) (hence with \(\widetilde{{\mathcal {O}}_\mathsf{SVL}}\)) as follows:

  • For \(1\le i \le a(n)\), we remind that \({\widetilde{\mathcal {A}}}\) uniformly samples distinct elements \(x^i_1, \ldots , x^i_{L(i)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i \}\), and that \(x^i_0=0^i\). So we set

    $$\begin{aligned} \mathsf{S}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , L(i) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. , \end{aligned}$$

    and set \(\mathsf{V}_i\) in a manner consistent with \(\mathsf{S}_i\). As a result \(({\mathcal {O}}_\mathsf{SVL})_i=(\widetilde{{\mathcal {O}}_\mathsf{SVL}})_i\).

  • For \(a(n)<i\le q(n)\), we remind that \({\widetilde{\mathcal {A}}}\) uniformly samples distinct elements \(x^i_1, \ldots , x^i_{q(n)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i \}\), and that \(x^i_0=0^i\). So we uniformly sample distinct elements \(x^i_{q(n)+1}, \ldots , x^i_{L(i)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i, x^i_1, \dots , x^i_{q(n)} \}\), set

    $$\begin{aligned} \mathsf{S}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , L(i) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. , \end{aligned}$$

    and set \(\mathsf{V}_i\) in a manner consistent with \(\mathsf{S}_i\). As a result, the line of \((\widetilde{{\mathcal {O}}_\mathsf{SVL}})_i\) is a prefix of the line of \(({\mathcal {O}}_\mathsf{SVL})_i\).

  • For \(i>q(n)\), \(({\mathcal {O}}_\mathsf{SVL})_i\) is sampled without any coupling.

We split the transcript of the execution of \(({\widetilde{A}},{\widetilde{B}})\) into two parts \({\widetilde{\mathsf{Trans}}}=({\widetilde{\mathsf{Trans}}}_1,{\widetilde{\mathsf{Trans}}}_2)\) where \({\widetilde{\mathsf{Trans}}}_1\) is the transcript of the initialization phase, and \({\widetilde{\mathsf{Trans}}}_2\) is the transcript of the emulation phase. Denote by \(\mathsf {Same}=\mathsf {Same}_{(\mathcal {A},\mathcal {B}),n}\) the event in which \((k_{\mathcal {A}},k_{\mathcal {B}},\mathsf{Trans})=(k_{{\widetilde{A}}},k_{{\widetilde{B}}},{\widetilde{\mathsf{Trans}}}_2)\) holds. We now estimate \(\Pr [\mathsf {Same}]\). If for every \(a(n)\le i\le q(n)\), \(\mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{\langle \mathcal {A}(1^n), \mathcal {B}(1^n) \rangle , i}\) does no occur, then the emulation phase and the actual execution of \((\mathcal {A},\mathcal {B})\) behave the same, so \(\mathsf {Same}\) occurs. Hence,

$$\begin{aligned} \Pr \left[ \lnot \mathsf {Same}\right]\le & {} \sum _{i=a(n)}^{q(n)}\Pr _{\mathcal {A},\mathcal {B},f,{\mathcal {O}}_\mathsf{SVL}}\left[ \mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{\langle \mathcal {A}(1^n), \mathcal {B}(1^n) \rangle , i}\right] \\\le & {} \sum _{i=a(n)}^{q(n)}\frac{q(n)\cdot L(i)}{2^i-q(n)} \\\le & {} \sum _{i=a(n)}^{q(n)}\frac{q(n)}{2^{i/2}-1} \\\le & {} \frac{q(n)^2}{2^{a(n)/2}-1}\\= & {} \epsilon (n) . \end{aligned}$$

In particular, it holds that

$$\begin{aligned} \Pr [\mathsf{k}_{{\widetilde{\mathcal {A}}}} = \mathsf{k}_{{\widetilde{\mathcal {B}}}}] \ge \Pr [\mathsf{k}_{\mathcal {A}} = \mathsf{k}_{\mathcal {B}}] - \Pr [\lnot \mathsf {Same}] \ge \frac{1}{2}+\rho (n)-\epsilon (n) \end{aligned}$$

The adversary E. For defining the adversary E for attacking the protocol \((\mathcal {A},\mathcal {B})\), we make use of the aforementioned result of Barak and Mahmoody-Ghidary.

Theorem A.7

[8, 27] Let \(({\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}})\) be an oracle-aided bit-agreement protocol, in which the parties issue at most \(q=q(n)\) oracle queries.Footnote 10 Suppose that

$$\begin{aligned} \Pr _{f,{\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}}}[\mathsf{k}_{{\widetilde{\mathcal {A}}}} = \mathsf{k}_{{\widetilde{\mathcal {B}}}}] \ge \frac{1}{2}+\rho (n) \end{aligned}$$

where the oracle f is sampled as above, and \((\mathsf{k}_{{\widetilde{\mathcal {A}}}}, \mathsf{k}_{{\widetilde{\mathcal {B}}}}, {\widetilde{\mathsf{Trans}}}) \leftarrow \langle {\widetilde{\mathcal {A}}}^{f}(1^n), {\widetilde{\mathcal {B}}}^{f}(1^n) \rangle \). Let \(0<\delta (n)<\frac{1}{2}+\rho (n)\). Then, there exists a \((16q/\delta )^2\)-query adversary \({\widetilde{E}}\) such that

$$\begin{aligned} \Pr _{f,{\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}}}[\mathsf{k}_{{\widetilde{\mathcal {A}}}} = {\widetilde{E}}^f({\widetilde{\mathsf{Trans}}})] \ge \frac{1}{2}+\rho - \delta \end{aligned}$$

Moreover, the algorithm \({\widetilde{E}}\) can be implemented in time polynomial in n, q and \(1/\delta \) given access to a \(\mathsf{PSPACE}\)-complete oracle.

Now, let \({\widetilde{E}}\) be the adversary from Theorem A.7 applied to our constructed protocol \(({\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}})\), with loss of \(\delta (n)=\epsilon (n)\). We define an adversary E to the protocol \((\mathcal {A},\mathcal {B})\), that on input \(\mathsf{Trans}\), and with oracle access to f and \({\mathcal {O}}_\mathsf{SVL}=\{(\mathsf{S}_n,\mathsf{V}_n, L(n))\}_{n\in {\mathbb {N}}}\), works as follows:

  1. 1.

    Set \(a(n)=2\log (q(n)^2/\epsilon (n)+1)\).

  2. 2.

    Initialize an empty transcript \({\widehat{\mathsf{Trans}}}\).

  3. 3.

    For \(1\le i \le a(n)\):

    1. (a)

      Set \(x^i_{0}=0^i\).

    2. (b)

      For \(j=1,\dots ,L(i)\): Set \(x^i_{j}=\mathsf{S}_i(x^i_{j-1})\).

    3. (c)

      Append \(x^i_1,\dots ,x^i_{L(i)}\) to the transcript \({\widehat{\mathsf{Trans}}}\) as they were send from Alice to Bob.

    4. (d)

      Define the successor function \({\widehat{\mathsf{S}}}_i : \{0,1\}^i \rightarrow \{0,1\}^i\) as

      $$\begin{aligned} {\widehat{\mathsf{S}}}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , L(i) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. . \end{aligned}$$
    5. (e)

      Define the verification function \({\widehat{\mathsf{V}}}_i : \{0,1\}^i \times [2^i] \rightarrow \{0,1\}\) in a manner that is consistent with \({\widehat{\mathsf{S}}}_i\).

  4. 4.

    For \(a(n)< i\le q(n)\):

    1. (a)

      Set \(x^i_{0}=0^i\).

    2. (b)

      For \(j=1,\dots ,q(n)\): Set \(x^i_{j}=\mathsf{S}_i(x^i_{j-1})\).

    3. (c)

      Append \(x^i_1,\dots ,x^i_{q(n)}\) to the transcript \({\widehat{\mathsf{Trans}}}\) as they were send from Alice to Bob.

    4. (d)

      Define the successor function \({\widehat{\mathsf{S}}}_i : \{0,1\}^i \rightarrow \{0,1\}^i\) as

      $$\begin{aligned} {\widehat{\mathsf{S}}}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , q(n) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. . \end{aligned}$$
    5. (e)

      Define the verification function \({\widehat{\mathsf{V}}}_i : \{0,1\}^i \times [2^i] \rightarrow \{0,1\}\) in a manner that is consistent with \({\widehat{\mathsf{S}}}_i\).

  5. 5.

    Run \(\mathsf{k}_E\leftarrow {\widetilde{E}}^f(({\widehat{\mathsf{Trans}}},\mathsf{Trans}))\) and output \(\mathsf{k}_E\).

Note that due to our coupling, the definition of \(x^i_j\) in the algorithm is consistent with the above definition of \(x^i_j\) as elements that \({\widetilde{\mathcal {A}}}\) samples. Also, by our coupling of \({\mathcal {O}}_\mathsf{SVL}\) and \(r_{{\widetilde{A}},1}\), it holds that \({\widetilde{\mathsf{Trans}}}_1={\widehat{\mathsf{Trans}}}\). Furthermore, if the event \(\mathsf {Same}\) occurs then it holds that \({\widetilde{\mathsf{Trans}}}_2=\mathsf{Trans}\). Therefore, in that case the execution of \(\mathsf{k}_E\leftarrow {\widetilde{E}}^f(({\widehat{\mathsf{Trans}}},\mathsf{Trans}))\) is the same as \(\mathsf{k}_{{\widetilde{E}}}\leftarrow {\widetilde{E}}^f(({\widetilde{\mathsf{Trans}}}_1,{\widetilde{\mathsf{Trans}}}_2))\), and we have

$$\begin{aligned} \Pr [\mathsf{k}_{E}\ne \mathsf{k}_{\mathcal {A}}]\le \Pr [\mathsf{k}_{{\widetilde{E}}}\ne \mathsf{k}_{{\widetilde{\mathcal {A}}}}]+\Pr [\lnot \mathsf {Same}]\le \left( \frac{1}{2}-\rho (n)+\epsilon (n) \right) +\epsilon (n) , \end{aligned}$$

So it holds that \(\Pr [\mathsf{k}_{E}=\mathsf{k}_{\mathcal {A}}]\ge \frac{1}{2}+\rho (n)-2\cdot \epsilon (n)\), and we choose \(\epsilon (n)=\delta (n)/2\) where \(\delta (n)\) is the desired loss from Claim A.5. The number of oracle queries that E performs is at most

$$\begin{aligned} \widetilde{O}(q(n)^2/\delta (n))+(32q(n)/\delta (n))^2\le \widetilde{O}(q(n)^2/\delta (n)^2) . \end{aligned}$$

Moreover, given oracle access a \(\mathsf{PSPACE}\)-complete oracle, the algorithm E can be implemented to run in time polynomial in n, q and \(1/\delta \). This easily follows from Theorem A.7 and settles the proof of Claim A.5.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Rosen, A., Segev, G. & Shahaf, I. Can PPAD Hardness be Based on Standard Cryptographic Assumptions?. J Cryptol 34, 8 (2021). https://doi.org/10.1007/s00145-020-09369-6

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1007/s00145-020-09369-6

Keywords

Navigation