Abstract
We consider the question of whether PPAD hardness can be based on standard cryptographic assumptions, such as the existence of one-way functions or public-key encryption. This question is particularly well-motivated in light of new devastating attacks on obfuscation candidates and their underlying building blocks, which are currently the only known source for PPAD hardness. Central in the study of obfuscation-based PPAD hardness is the sink-of-verifiable-line (SVL) problem, an intermediate step in constructing instances of the PPAD-complete problem source-or-sink. Within the framework of black-box reductions, we prove the following results: (i) average-case PPAD hardness (and even SVL hardness) does not imply any form of cryptographic hardness (not even one-way functions). Moreover, even when assuming the existence of one-way functions, average-case PPAD hardness (and, again, even SVL hardness) does not imply any public-key primitive. Thus, strong cryptographic assumptions (such as obfuscation-related ones) are not essential for average-case PPAD hardness. (ii) Average-case SVL hardness cannot be based either on standard cryptographic assumptions or on average-case PPAD hardness. In particular, average-case SVL hardness is not essential for average-case PPAD hardness. (iii) Any attempt for basing the average-case hardness of the PPAD-complete problem source-or-sink on standard cryptographic assumptions must result in instances with a nearly exponential number of solutions. This stands in striking contrast to the obfuscation-based approach, which results in instances having a unique solution. Taken together, our results imply that it may still be possible to base PPAD hardness on standard cryptographic assumptions, but any such black-box attempt must significantly deviate from the obfuscation-based approach: It cannot go through the SVL problem, and it must result in source-or-sink instances with a nearly exponential number of solutions.
Notes
The name end-of-line is more commonly used in the literature; however, source-or-sink is more accurately descriptive [4].
Unless, of course, one allows for artificial manipulations of the instances to generate multiple (strongly related) solutions.
Recall that any hard-on-average distribution of SVL instances can be used in a black-box manner to construct a hard-on-average distribution of instances of a PPAD-complete problem [1, 9]. Thus, our result implies (in particular) that average-case PPAD hardness does not imply one-way functions in a black-box manner.
Formally speaking, as the SVL instance we consider oracle-aided circuits that simply call \({\mathcal {O}}_\mathsf{SVL}\) on their input and output the result.
Since Q is always consistent with f, and since C is a k-bounded TFNP instance, in each iteration it holds that \(k_f \le k_g \le k\).
For an explanation regarding the guessing mechanism we refer the reader to the beginning of this section.
To couple two probability distributions means to define a joint distribution whose marginals are exactly those two distributions.
In fact, it is enough to require that each party issues at most q queries.
References
T. Abbot, D. Kane, P. Valiant, On algorithms for Nash equilibria. Unpublished manuscript. http://web.mit.edu/tabbott/Public/final.pdf (2004)
G. Asharov, G. Segev, Limits on the power of indistinguishability obfuscation and functional encryption, in Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science, pp. 191–209 (2015)
G. Asharov, G. Segev, On constructing one-way permutations from indistinguishability obfuscation, in Proceedings of the 13th Theory of Cryptography Conference, pp. 512–541 (2016)
P. Beame, S.A. Cook, J. Edmonds, R. Impagliazzo, T. Pitassi, The relative complexity of NP search problems, in Proceedings of the 27th Annual ACM Symposium on Theory of Computing, pp. 303–314 (1995)
Z. Brakerski, C. Gentry, S. Halevi, T. Lepoint, A. Sahai, M. Tibouchi, Cryptanalysis of the quadratic zero-testing of GGH. Cryptology ePrint Archive, Report 2015/845 (2015)
B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs, in Advances in Cryptology—CRYPTO’01, pp. 1–18 (2001)
B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012)
B. Barak, M. Mahmoody-Ghidary, Merkle puzzles are optimal—an \(O(n^2)\)-query attack on any key exchange from a random oracle, in Advances in Cryptology—CRYPTO’09, pp. 374–390 (2009)
N. Bitansky, O. Paneth, A. Rosen, On the cryptographic hardness of finding a Nash equilibrium, in Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science, pp. 1480–1498 (2015)
N. Bitansky, O. Paneth, D. Wichs, Perfect structure on the edge of chaos—trapdoor permutations from indistinguishability obfuscation, in Proceedings of the 13th Theory of Cryptography Conference, pp. 474–502 (2016)
X. Chen, X. Deng, S. Teng, Settling the complexity of computing two-player Nash equilibria. J. ACM 56(3) (2009)
J.H. Cheon, P.-A. Fouque, C. Lee, B. Minaud, H. Ryu, Cryptanalysis of the new CLT multilinear map over the integers. Cryptology ePrint Archive, Report 2016/135 (2016)
J. Coron, C. Gentry, S. Halevi, T. Lepoint, H.K. Maji, E. Miles, M. Raykova, A. Sahai, M. Tibouchi, Zeroizing without low-level zeroes: new MMAP attacks and their limitations, in Advances in Cryptology—CRYPTO’15, pp. 247–266 (2015)
J.H. Cheon, K. Han, C. Lee, H. Ryu, D. Stehlé, Cryptanalysis of the multilinear map over the integers, in Advances in Cryptology—EUROCRYPT’15, pp. 3–12 (2015)
S.A. Cook, R. Impagliazzo, T. Yamakami, A tight relationship between generic oracles and type-2 complexity theory. Inf. Comput. 137(2), 159–170 (1997)
J.H. Cheon, J. Jeong, C. Lee, An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without an encoding of zero. Cryptology ePrint Archive, Report 2016/139 (2016)
J.H. Cheon, C. Lee, H. Ryu, Cryptanalysis of the new CLT multilinear maps. Cryptology ePrint Archive, Report 2015/934 (2015)
C. Daskalakis, P.W. Goldberg, C.H. Papadimitriou, The complexity of computing a Nash equilibrium. SIAM J. Comput. 39(1), 195–259 (2009)
S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits, in Proceedings of the 54th Annual IEEE Symposium on Foundations of Computer Science, pp. 40–49 (2013)
O. Goldreich, On security preserving reductions—revised terminology. Cryptology ePrint Archive, Report 2000/001 (2000)
O. Goldreich, Foundations of Cryptography—Volume 1: Basic Techniques (Cambridge University Press, 2001)
S. Garg, O. Pandey, A. Srinivasan, Revisiting the cryptographic hardness of finding a Nash equilibrium, in Advances in Cryptology–CRYPTO’16, pp. 579–604 (2016)
I. Haitner, J.J. Hoch, O. Reingold, G. Segev, Finding collisions in interactive protocols—tight lower bounds on the round and communication complexities of statistically hiding commitments. SIAM J. Comput. 44(1), 193–242 (2015)
Y. Hu, H. Jia, Cryptanalysis of GGH map. Cryptology ePrint Archive, Report 2015/301 (2015)
P. Hubácek, M. Naor, E. Yogev, The journey from NP to TFNP hardness, in Proceedings of the 8th Innovations in Theoretical Computer Science Conference (2017)
M.D. Hirsch, C.H. Papadimitriou, S.A. Vavasis, Exponential lower bounds for finding Brouwer fix points. J. Complex. 5(4), 379–416 (1989)
R. Impagliazzo, S. Rudich, Limits on the provable consequences of one-way permutations, in Proceedings of the 21st Annual ACM Symposium on Theory of Computing, pp. 44–61 (1989)
M. Luby, Pseudorandomness and Cryptographic Applications (Princeton University Press, 1996)
B. Minaud, P.-A. Fouque, Cryptanalysis of the new multilinear map over the integers. Cryptology ePrint Archive, Report 2015/941 (2015)
E. Miles, A. Sahai, M. Zhandry, Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13. Cryptology ePrint Archive, Report 2016/147 (2016)
C.H. Papadimitriou, On the complexity of the parity argument and other inefficient proofs of existence. J. Comput. Syst. Sci. 48(3), 498–532 (1994)
O. Reingold, L. Trevisan, S.P. Vadhan, Notions of reducibility between cryptographic primitives, in Proceedings of the 1st Theory of Cryptography Conference, pp. 1–20 (2004)
S. Rudich, Limits on the Provable Consequences of One-Way Functions. PhD thesis (EECS Department, University of California, Berkeley, 1988)
D.R. Simon, Finding collisions on a one-way street: can secure hash functions be based on general assumptions? in Advances in Cryptology—EUROCRYPT’98, pp. 334–345 (1998)
R. Savani, B. von Stengel, Exponentially many steps for finding a Nash equilibrium in a bimatrix game, in Proceedings of the 45th Annual IEEE Symposium on Foundations of Computer Science, pp. 258–267 (2004)
A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in Proceedings of the 46th Annual ACM Symposium on Theory of Computing, pp. 475–484 (2014)
Acknowledgements
We thank Nir Bitansky, Tim Roughgarden, Omer Paneth, and the anonymous reviewers for their insightful comments and suggestions.
Additional information
Communicated by Manoj Prabhakaran.
Alon Rosen: Supported by ISF Grant No. 1399/17 and via Project PROMETHEUS (Grant No. 780701). Gil Segev: Supported by the European Union’s 7th Framework Program (FP7) via a Marie Curie Career Integration Grant (Grant No. 618094), by the European Union’s Horizon 2020 Framework Program (H2020) via an ERC Grant (Grant No. 714253), by the Israel Science Foundation (Grant No. 483/13), by the Israeli Centers of Research Excellence (I-CORE) Program (Center No. 4/11), by the US-Israel Binational Science Foundation (Grant No. 2014632), and by a Google Faculty Research Award. Ido Shahaf: Supported by the Clore Israel Foundation via the Clore Scholars Programme.
A Average-Case SVL Hardness and OWFs Do Not Imply Key Agreement
Based on the techniques developed in Sect. 3, we show that average-case SVL hardness is useless for constructing a key-agreement protocol in a black-box manner, even when assuming the existence of one-way functions. Specifically, we show that in any black-box construction of a key-agreement protocol based on a one-way function and a hard-on-average distribution of SVL instances, we can eliminate the protocol’s need for using the SVL instances. This leads to a black-box construction of a key-agreement protocol based on a one-way function alone, which we can then rule out by invoking the classic result of Impagliazzo and Rudich [27] and its refinement by Barak and Mahmoody-Ghidary [8].
In this section, we model a one-way function as a sequence \(f = \{ f_n \}_{n \in {\mathbb {N}}}\), where for every \(n \in {\mathbb {N}}\) it holds that \(f_n : \{0,1\}^n \rightarrow \{0,1\}^n\). The following definition tailors the standard notion of a fully black-box construction to the specific primitives under consideration.
Definition A.1
A fully black-box construction of a bit-agreement protocol with correctness \(\rho = \rho (n)\) from a one-way function and a hard-on-average distribution of SVL instances consists of a pair of oracle-aided polynomial-time algorithms \((\mathcal {A},\mathcal {B})\), an oracle-aided algorithm M that runs in time \(T_M(\cdot )\), and functions \(\epsilon _{M,1}(\cdot )\) and \(\epsilon _{M,2}(\cdot )\), such that the following conditions hold:

Correctness: For any function \(f = \{f_n\}_{n \in {\mathbb {N}}}\), for any valid SVL instance \({\mathcal {O}}_\mathsf{SVL}\), and for any \(n \in {\mathbb {N}}\) it holds that
$$\begin{aligned}&\Pr _{r_{\mathcal {A}}, r_{\mathcal {B}}} \left[ \mathsf{k}_{\mathcal {A}} = \mathsf{k}_{\mathcal {B}} \,\left|\, (\mathsf{k}_{\mathcal {A}}, \mathsf{k}_{\mathcal {B}}, \mathsf{Trans}) \leftarrow \langle \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {A}}), \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {B}}) \rangle \right. \right] \\&\quad \ge \frac{1}{2} + \rho (n) . \end{aligned}$$
Black-box proof of security: For any function \(f = \{f_n\}_{n \in {\mathbb {N}}}\), for any valid SVL instance \({\mathcal {O}}_\mathsf{SVL}= \{(\mathsf{Gen}_n, \mathsf{S}_n, \mathsf{V}_n, L(n))\}_{n \in {\mathbb {N}}}\), for any oracle-aided algorithm E that runs in time \(T_E(\cdot )\), and for any function \(\epsilon _E(\cdot )\), if
$$\begin{aligned} \left| \Pr \left[ \mathsf {Exp}^\mathsf{KA}_{\left( \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}, \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}} \right) , E^{f,{\mathcal {O}}_\mathsf{SVL}}}(n) = 1 \right] - \frac{1}{2} \right| \ge \epsilon _E(n) \end{aligned}$$for infinitely many values of \(n \in {\mathbb {N}}\) (recall Definition 2.8 for the description of the experiment \(\mathsf {Exp}^\mathsf{KA}_{\left( \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}, \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}} \right) , E^{f,{\mathcal {O}}_\mathsf{SVL}}}\)), then either
$$\begin{aligned} \Pr \left[ M^{E,f,{\mathcal {O}}_\mathsf{SVL}}\left( f_n(x) \right) \in f^{-1}_n \left( f_n(x)\right) \right] \ge \epsilon _{M,1}\left( T_E(n) / \epsilon _E(n)\right) \cdot \epsilon _{M,2}(n) \end{aligned}$$for infinitely many values of \(n \in {\mathbb {N}}\), where the probability is taken over the choice of \(x \leftarrow \{0,1\}^n\) and over the internal randomness of M, or
$$\begin{aligned}&\Pr \left[ M^{E,f,{\mathcal {O}}_\mathsf{SVL}}\left( 1^n, \sigma \right) \text{ solves } \left( \mathsf{S}_n(\sigma ,\cdot ), \mathsf{V}_n(\sigma ,\cdot ), L(n) \right) \right] \\&\quad \ge \epsilon _{M,1}\left( T_E(n) / \epsilon _E(n)\right) \cdot \epsilon _{M,2}(n) \end{aligned}$$for infinitely many values of \(n \in {\mathbb {N}}\), where the probability is taken over the choice of \(\sigma \leftarrow \mathsf{Gen}_n()\) and over the internal randomness of M.
As in Definition 3.1, we split the security loss in the above definition into an adversary-dependent security loss and an adversary-independent security loss, as this allows us to capture constructions where one of these losses is super-polynomial whereas the other is polynomial. Equipped with the above definition, we prove the following theorem:
Theorem A.2
Let \((\mathcal {A},\mathcal {B},M,T_M,\epsilon _{M,1}, \epsilon _{M,2})\) be a fully black-box construction of a bit-agreement protocol with correctness \(\rho (n) = 1/\mathsf{poly}(n)\), for some (arbitrary) polynomial \(\mathsf{poly}(n)\), from a one-way function and a hard-on-average SVL instance. Then, at least one of the following properties holds:

1.
\(T_M(n)\ge 2^{\zeta n}\) for some constant \(\zeta > 0\) (i.e., the reduction runs in exponential time).

2.
\(\epsilon _{M,1}(n^c) \cdot \epsilon _{M,2}(n) \le 2^{-n/10}\) for some constant \(c > 1\) (i.e., the security loss is exponential).
As with Theorem 3.2, Theorem A.2 rules out (in particular) standard “polynomial-time polynomial-loss” reductions. More generally, the theorem implies that if the running time \(T_M(\cdot )\) of the reduction is sub-exponential and the adversary-dependent security loss \(\epsilon _{M,1}(\cdot )\) is polynomial (as expected), then the adversary-independent security loss \(\epsilon _{M,2}(\cdot )\) must be exponential (thus even ruling out constructions based on one-way functions and SVL instances with sub-exponential hardness).
A.1 Proof Overview
In what follows, we first describe the oracles, denoted f and \({\mathcal {O}}_\mathsf{SVL}\), on which we rely for proving Theorem A.2, and show that they indeed implement a one-way function and a hard-on-average distribution of SVL instances, respectively. Then, we show that any bit-agreement protocol that uses the oracles f and \({\mathcal {O}}_\mathsf{SVL}\) can be attacked. For the remainder of this section we remind the reader that a q-query algorithm is an oracle-aided algorithm A such that for any oracle \({\mathcal {O}}\) and input \(x \in \{0,1\}^*\), the computation \(A^{{\mathcal {O}}}(x)\) consists of at most \(q(|x|)\) oracle calls to \({\mathcal {O}}\).
The oracles \({\varvec{f}}\) and \(\varvec{{\mathcal {O}}_\mathsf{SVL}}\). The oracle f is a sequence \(\{ f_n \}_{n \in {\mathbb {N}}}\) where for every \(n \in {\mathbb {N}}\) the function \(f_n : \{0,1\}^n \rightarrow \{0,1\}^n\) is sampled uniformly from the set of all functions mapping n-bit inputs to n-bit outputs. The oracle \({\mathcal {O}}_\mathsf{SVL}\), sampled independently of f, is as defined in Sect. 3.1. That is, it is a valid SVL instance \(\{ \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \}_{n \in {\mathbb {N}}}\) that is sampled via the following process for every \(n \in {\mathbb {N}}\):

Let \(L(n) = 2^{n/2}\), \(x_0 = 0^n\), and uniformly sample distinct elements \(x_1, \ldots , x_{L(n)} \leftarrow \{0,1\}^n {\setminus } \{ 0^n \}\).

The successor function \(\mathsf{S}_n : \{0,1\}^n \rightarrow \{0,1\}^n\) is defined as
$$\begin{aligned} \mathsf{S}_n(x) = \left\{ \begin{array}{cl} x_{i+1} &{} \text{ if } x=x_i \text{ for } \text{ some } i \in \{0, \ldots , L(n) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. . \end{aligned}$$
The verification function \(\mathsf{V}_n : \{0,1\}^n \times [2^n] \rightarrow \{0,1\}\) is defined in a manner that is consistent with \(\mathsf{S}_n\) (i.e., \(\mathsf{V}_n\) is defined such that the instance is valid).
The oracles f and \({\mathcal {O}}_\mathsf{SVL}\) are sampled independently, and therefore we immediately obtain the following two corollaries from Claims 3.3 and 5.3 (Corollary A.3 states that f is indeed hard to invert relative to f and \({\mathcal {O}}_\mathsf{SVL}\), and Corollary A.4 states that \({\mathcal {O}}_\mathsf{SVL}\) is indeed a hard-on-average SVL instance relative to f and \({\mathcal {O}}_\mathsf{SVL}\)):
Corollary A.3
For any fixing of the oracle \({\mathcal {O}}_\mathsf{SVL}\), and for any q(n)-query algorithm M, it holds that
for all sufficiently large \(n \in {\mathbb {N}}\), where the probability is taken over the choice of \(x \leftarrow \{0,1\}^n\), and over the choice of the oracle \(f = \{ f_n \}_{n \in {\mathbb {N}}}\) as described above.
Corollary A.4
For any fixing of the oracle f, and for any q(n)-query algorithm M, where \(q(n)\le L(n)-1\), it holds that
for all sufficiently large \(n \in {\mathbb {N}}\), where the probability is taken over the choice of the oracle \({\mathcal {O}}_\mathsf{SVL}= \{ \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \}_{n \in {\mathbb {N}}}\) as described above.
Attacking bit-agreement protocols relative to \({\varvec{f}}\) and \(\varvec{{\mathcal {O}}_\mathsf{SVL}}\). We show that for any oracle-aided bit-agreement protocol \((\mathcal {A},\mathcal {B})\) with correctness \(\rho (n) = 1/\mathsf{poly}(n)\), in which the parties issue at most q(n) oracle queries, and for any \(\delta = \delta (n) > 0\), there exists an attacker that issues roughly \(q^2/\delta ^2\) oracle queries, whose output agrees with Alice’s output with probability \(1/2 + \rho (n) - \delta (n)\). We prove the following claim:
Claim A.5
Let \((\mathcal {A},\mathcal {B})\) be an oracle-aided bit-agreement protocol, in which the parties issue at most \(q = q(n)\) oracle queries, where the input for each query is of length at most q(n) bits, and assume that
for all sufficiently large \(n \in {\mathbb {N}}\) and for some function \(\rho (n) > 0\). Then, for any \(\delta = \delta (n) > 0\), there exists an \(\widetilde{O}(q^2/\delta ^2)\)query algorithm E, such that
for all sufficiently large \(n \in {\mathbb {N}}\), where the probability is taken over the choice of the oracles f and \({\mathcal {O}}_\mathsf{SVL}\), and over the internal randomness of \(\mathcal {A}\) and \(\mathcal {B}\). Moreover, the algorithm E can be implemented in time polynomial in n, q(n) and \(1/\delta (n)\) given access to a \(\mathsf{PSPACE}\)-complete oracle.
The proof of the claim, which is provided below, is based on adapting the approach underlying our proof of Claim 3.4 to the setting of key-agreement protocols, and then invoking the classic result of Impagliazzo and Rudich [27] and its refinement by Barak and Mahmoody-Ghidary [8]. Specifically, as discussed in Sect. 1.3, during an execution \((\mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}, \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}})\) of a given bit-agreement protocol, with an overwhelming probability over the choice of the oracle \({\mathcal {O}}_\mathsf{SVL}\), the parties \(\mathcal {A}\) and \(\mathcal {B}\) do not query \({\mathcal {O}}_\mathsf{SVL}\) with any elements on the line \(0^n \rightarrow x_1 \rightarrow \cdots \rightarrow x_{L(n)}\) except for the first q elements \(x_0, x_1, \ldots , x_{q-1}\). This gives rise to a bit-agreement protocol \(({\widetilde{\mathcal {A}}}^f, {\widetilde{\mathcal {B}}}^f)\) that does not require access to the oracle \({\mathcal {O}}_\mathsf{SVL}\): First, \({\widetilde{\mathcal {A}}}\) samples a sequence \(x_1, \ldots , x_q\) of q values, and sends these values to \({\widetilde{\mathcal {B}}}\). Then, \({\widetilde{\mathcal {A}}}\) and \({\widetilde{\mathcal {B}}}\) run the protocol \((\mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}},\mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}})\) by using the values \(x_1, \ldots , x_q\) instead of accessing \({\mathcal {O}}_\mathsf{SVL}\). At this point, we have a bit-agreement protocol where the parties have access only to a random function f, and thus we can apply the attacks of Impagliazzo and Rudich [27] and Barak and Mahmoody-Ghidary [8], which we can translate back to attacks on the underlying protocol. The proof of Theorem A.2 then follows from Corollaries A.3 and A.4 and Claim A.5 in a manner identical to the proof of Theorem 3.2 (see Sect. 3.4).
A.2 Attacking Key-Agreement Protocols Relative to \({\varvec{f}}\) and \(\varvec{{\mathcal {O}}_\mathsf{SVL}}\)
In this section, we prove Claim A.5. We start by defining an event that captures the above intuition of “hitting” elements on the line sampled for \({\mathcal {O}}_\mathsf{SVL}\), similarly to the event defined in Sect. 3.
The event \(\varvec{\mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{M, n}}\). Let the oracles f and \({\mathcal {O}}_\mathsf{SVL}= \{ \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \}_{n \in {\mathbb {N}}}\) be distributed as described in Sect. A.1. Let M be a q-query algorithm. We fix some \(n \in {\mathbb {N}}\), and consider only the queries made to \(\mathsf{S}_n\) and \(\mathsf{V}_n\). We denote by \(\alpha _i\) the random variable corresponding to M’s i-th oracle query if this is an \(\mathsf{S}_n\)-query, and denote by \((\alpha _i, k_i)\) the random variable corresponding to M’s i-th oracle query if this is a \(\mathsf{V}_n\)-query. Let \(x_0,\dots ,x_{L(n)}\) be the line sampled for \(\left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \). As in Sect. 3, we denote by \(\mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{M, n}\) the event in which there exist indices j and \(i\in [L(n)]\) for which \(\alpha _j=x_i\) but \(x_{i-1}\notin \{\alpha _1,\dots ,\alpha _{j-1}\}\). That is, this is the event in which M queries \(({\mathcal {O}}_\mathsf{SVL})_n\) with some \(x_i\) before querying it on \(x_{i-1}\). In particular, note that if the event \(\mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{M, n}\) does not occur, then M does not query \(({\mathcal {O}}_\mathsf{SVL})_n\) with \(x_i\) for \(i\in \{q,\dots ,L(n)\}\). Since the oracle \({\mathcal {O}}_\mathsf{SVL}\) is sampled independently of the oracle f, we deduce the following corollary from Claim 3.5:
Corollary A.6
For any fixing of the oracle f, for any q-query algorithm M, and for any \(n \in {\mathbb {N}}\), it holds that
where the probability is taken over the choice of the oracle \({\mathcal {O}}_\mathsf{SVL}= \{ \left( \mathsf{S}_n, \mathsf{V}_n, L(n) \right) \}_{n \in {\mathbb {N}}}\). Moreover, it suffices for q to bound only the number of calls to \(\mathsf{S}_n\) and \(\mathsf{V}_n\) (rather than the total number of oracle calls).
Removing the oracle \(\varvec{{\mathcal {O}}_\mathsf{SVL}}\). Let \((\mathcal {A},\mathcal {B})\) be an oracle-aided bit-agreement protocol as in Claim A.5. For a loss parameter \(\epsilon =\epsilon (n)>0\), we define an oracle-aided bit-agreement protocol \(({\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}})\) that on input the security parameter \(1^n\), and with oracle access to f only, works as follows. First, \({\widetilde{\mathcal {A}}}\) performs the following initialization routine:

1.
Set \(a(n)=2\log (q(n)^2/\epsilon (n)+1)\).

2.
For \(1\le i \le a(n)\):

(a)
Set \(x^i_{0}=0^i\).

(b)
Uniformly sample distinct elements \(x^i_1, \ldots , x^i_{L(i)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i \}\).

(c)
Send the elements \(x^i_1, \ldots , x^i_{L(i)}\) to \({\widetilde{\mathcal {B}}}\).

(d)
Define the successor function \(\widetilde{\mathsf{S}}_i : \{0,1\}^i \rightarrow \{0,1\}^i\) as
$$\begin{aligned} \widetilde{\mathsf{S}}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , L(i) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. , \end{aligned}$$and define the verification function \(\widetilde{\mathsf{V}}_i : \{0,1\}^i \times [2^i] \rightarrow \{0,1\}\) in a manner that is consistent with \(\widetilde{\mathsf{S}}_i\).


3.
For \(a(n)< i\le q(n)\):

(a)
Set \(x^i_{0}=0^i\).

(b)
Uniformly sample distinct elements \(x^i_1, \ldots , x^i_{q(n)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i \}\).

(c)
Send the elements \(x^i_1, \ldots , x^i_{q(n)}\) to \({\widetilde{\mathcal {B}}}\).

(d)
Define the successor function \(\widetilde{\mathsf{S}}_i : \{0,1\}^i \rightarrow \{0,1\}^i\) as
$$\begin{aligned} \widetilde{\mathsf{S}}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , q(n) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. , \end{aligned}$$and define the verification function \(\widetilde{\mathsf{V}}_i : \{0,1\}^i \times [2^i] \rightarrow \{0,1\}\) in a manner that is consistent with \(\widetilde{\mathsf{S}}_i\).

Next, \({\widetilde{\mathcal {A}}}\) and \({\widetilde{\mathcal {B}}}\) emulate the protocol \(\langle \mathcal {A}(1^n),\mathcal {B}(1^n)\rangle \) with respect to the oracle f and the “fake” oracle \(\widetilde{{\mathcal {O}}_\mathsf{SVL}}=\{(\widetilde{\mathsf{S}}_i,\widetilde{\mathsf{V}}_i,L(i))\}_{i=1}^{q(n)}\), and output what \(\mathcal {A}\) and \(\mathcal {B}\) output, respectively. We name this phase the emulation phase. Note that by our assumption on the query lengths, \(\mathcal {A}\) and \(\mathcal {B}\) never query \((\widetilde{{\mathcal {O}}_\mathsf{SVL}})_i\) for \(i> q(n)\), so it is fine to leave it undefined. Note also that in the protocol \(({\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}})\) the parties issue at most q(n) oracle queries (all of them to f, the only oracle available), and that in the initialization phase \({\widetilde{\mathcal {A}}}\) draws \(\sum _{i=1}^{\lfloor a(n)\rfloor }L(i)+q(n)\cdot (q(n)-\lfloor a(n)\rfloor )\) samples, and it holds that
Coupling the protocols. Consider the executions \((\mathsf{k}_{\mathcal {A}}, \mathsf{k}_{\mathcal {B}}, \mathsf{Trans}) \leftarrow \langle \mathcal {A}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {A}}), \mathcal {B}^{f,{\mathcal {O}}_\mathsf{SVL}}(1^n; r_{\mathcal {B}}) \rangle \) and \((\mathsf{k}_{{\widetilde{\mathcal {A}}}}, \mathsf{k}_{{\widetilde{\mathcal {B}}}}, {\widetilde{\mathsf{Trans}}}) \leftarrow \langle {\widetilde{\mathcal {A}}}^{f}(1^n; r_{{\widetilde{\mathcal {A}}}}), {\widetilde{\mathcal {B}}}^{f}(1^n; r_{{\widetilde{\mathcal {B}}}}) \rangle \), where f and \({\mathcal {O}}_\mathsf{SVL}\) are sampled as described above. We couple these executions in the following way (see footnote 9):

We sample and use the same oracle f for both executions.

The randomness of \({\widetilde{\mathcal {A}}}\) can be split into two parts \(r_{{\widetilde{\mathcal {A}}}}=(r_{{\widetilde{\mathcal {A}}},1},r_{{\widetilde{\mathcal {A}}},2})\), where \(r_{{\widetilde{\mathcal {A}}},1}\) is the randomness used in the initialization phase, and \(r_{{\widetilde{\mathcal {A}}},2}\) is the randomness used in the emulation phase.

We couple the randomness of the emulation phase with the randomness of the actual execution of \((\mathcal {A},\mathcal {B})\) by \(r_{{\widetilde{\mathcal {A}}},2}=r_{\mathcal {A}}\) and \(r_{{\widetilde{\mathcal {B}}}}=r_{\mathcal {B}}\).

We couple the oracle \({\mathcal {O}}_\mathsf{SVL}\) with \(r_{{\widetilde{\mathcal {A}}},1}\) (hence with \(\widetilde{{\mathcal {O}}_\mathsf{SVL}}\)) as follows:

For \(1\le i \le a(n)\), we remind that \({\widetilde{\mathcal {A}}}\) uniformly samples distinct elements \(x^i_1, \ldots , x^i_{L(i)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i \}\), and that \(x^i_0=0^i\). So we set
$$\begin{aligned} \mathsf{S}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , L(i) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. , \end{aligned}$$and set \(\mathsf{V}_i\) in a manner consistent with \(\mathsf{S}_i\). As a result \(({\mathcal {O}}_\mathsf{SVL})_i=(\widetilde{{\mathcal {O}}_\mathsf{SVL}})_i\).

For \(a(n)<i\le q(n)\), we remind that \({\widetilde{\mathcal {A}}}\) uniformly samples distinct elements \(x^i_1, \ldots , x^i_{q(n)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i \}\), and that \(x^i_0=0^i\). So we uniformly sample distinct elements \(x^i_{q(n)+1}, \ldots , x^i_{L(i)} \leftarrow \{0,1\}^i {\setminus } \{ 0^i, x^i_1, \dots , x^i_{q(n)} \}\), set
$$\begin{aligned} \mathsf{S}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , L(i) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. , \end{aligned}$$and set \(\mathsf{V}_i\) in a manner consistent with \(\mathsf{S}_i\). As a result, the line of \((\widetilde{{\mathcal {O}}_\mathsf{SVL}})_i\) is a prefix of the line of \(({\mathcal {O}}_\mathsf{SVL})_i\).

For \(i>q(n)\), \(({\mathcal {O}}_\mathsf{SVL})_i\) is sampled without any coupling.
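The oracle \({\mathcal {O}}_\mathsf{SVL}\) of Sect. A.1, the event \(\mathsf{HIT}\) behind Corollary A.6, and the prefix coupling just described, as one added Python simulation (this is not code from the paper). Assumptions made here for concreteness: elements of \(\{0,1\}^n\) are represented as integers, the line length L is passed as an explicit argument instead of being fixed to \(2^{n/2}\), the line is sampled by rejection, \(\mathsf{V}(x,i)=1\) iff \(x = \mathsf{S}^i(0^n)\) is our concrete reading of “consistent with S”, and the parameters in the two demo functions are small constructed values.

```python
import random
from typing import Dict, List, Optional, Tuple

# Added simulation of the oracle O_SVL, the event HIT and the prefix coupling; not
# the paper's code. Elements of {0,1}^n are ints in [0, 2^n) with 0^n = 0, and
# random.Random is used only for reproducibility (nothing here is cryptographic).

def sample_line(n: int, length: int, rng: Optional[random.Random] = None,
                prefix: Optional[List[int]] = None) -> List[int]:
    """x_0 = 0^n followed by `length` distinct uniform elements of {0,1}^n \\ {0^n}.
    With `prefix` = [x_0, ..., x_m], sample conditioned on that prefix: this is the
    coupling for a(n) < i <= q(n), where the real line extends the fake one."""
    assert length < (1 << n)
    rng = rng or random.Random()
    line = list(prefix) if prefix else [0]
    used = set(line)
    while len(line) < length + 1:  # rejection sampling, cheap while L << 2^n
        x = rng.randrange(1, 1 << n)
        if x not in used:
            used.add(x)
            line.append(x)
    return line

class SVLOracle:
    """Valid SVL instance (S, V, L) from the line x_0 -> ... -> x_L: S follows the
    line and fixes all other points; V(x, i) = 1 iff x = S^i(0^n), our reading of
    "consistent with S" (the page leaves V implicit); S^i(0^n) = x_L for i >= L."""

    def __init__(self, line: List[int]) -> None:
        self.line, self.L = line, len(line) - 1
        self._succ: Dict[int, int] = {line[j]: line[j + 1] for j in range(self.L)}
        self.pos: Dict[int, int] = {x: j for j, x in enumerate(line)}

    def S(self, x: int) -> int:
        return self._succ.get(x, x)

    def V(self, x: int, i: int) -> int:
        return int(i >= 1 and x == self.line[min(i, self.L)])

class HitTracker:
    """Wraps an oracle and flags HIT: some query alpha_j = x_i (i >= 1) is issued
    before x_{i-1} appeared among alpha_1, ..., alpha_{j-1} (S- and V-queries)."""

    def __init__(self, oracle: SVLOracle) -> None:
        self.o, self.queried, self.hit = oracle, set(), False

    def _record(self, x: int) -> None:
        i = self.o.pos.get(x)
        if i is not None and i >= 1 and self.o.line[i - 1] not in self.queried:
            self.hit = True
        self.queried.add(x)

    def S(self, x: int) -> int:
        self._record(x)
        return self.o.S(x)

    def V(self, x: int, i: int) -> int:
        self._record(x)
        return self.o.V(x, i)

def walk_line(oracle, q: int) -> List[int]:
    """q-query strategy that follows the line from 0^n (it never triggers HIT)."""
    x, answers = 0, []
    for _ in range(q):
        x = oracle.S(x)
        answers.append(x)
    return answers

def coupled_oracles(n: int, q: int, L: int, rng: random.Random) -> Tuple[SVLOracle, SVLOracle]:
    """The fake oracle A~ samples (a q-element line it sends to B~) and the real
    O_SVL coupled to it: the same prefix extended to length L."""
    prefix = sample_line(n, q, rng)
    return SVLOracle(prefix), SVLOracle(sample_line(n, L, rng, prefix=prefix))

def emulation_is_faithful(n: int = 16, q: int = 8, L: int = 256, seed: int = 1):
    """For a line-walking q-query party: (same answers under fake and real oracle,
    HIT occurred against the real oracle, the two oracles disagree at x_q)."""
    fake, real = coupled_oracles(n, q, L, random.Random(seed))
    tf, tr = HitTracker(fake), HitTracker(real)
    same = walk_line(tf, q) == walk_line(tr, q)
    x_q = real.line[q]
    return same, tr.hit, fake.S(x_q) != real.S(x_q)

def empirical_hit_probability(n: int = 12, q: int = 8, L: int = 64,
                              trials: int = 2000, seed: int = 1) -> float:
    """Fraction of runs in which q uniformly random S-queries trigger HIT; this is
    roughly q * L / 2^n, the shape of bound that Corollary A.6 gives."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        tracker = HitTracker(SVLOracle(sample_line(n, L, rng)))
        for _ in range(q):
            tracker.S(rng.randrange(1 << n))
        hits += tracker.hit
    return hits / trials
```

`emulation_is_faithful()` returns `(True, False, True)`: a party that only follows the line from \(0^n\) sees identical answers under the fake prefix oracle and the coupled real oracle, never triggers \(\mathsf{HIT}\), and the two oracles first disagree at \(x_q\), which is exactly the element where \({\widetilde{\mathcal {A}}}\)’s prefix stops (the fake successor function fixes it, the real one continues to \(x_{q+1}\)). `empirical_hit_probability()` shows the other side of the argument: blind guessing reaches the line only with probability about \(qL/2^n\), which is why the emulation phase and the real execution agree except with that small probability.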
We split the transcript of the execution of \(({\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}})\) into two parts \({\widetilde{\mathsf{Trans}}}=({\widetilde{\mathsf{Trans}}}_1,{\widetilde{\mathsf{Trans}}}_2)\), where \({\widetilde{\mathsf{Trans}}}_1\) is the transcript of the initialization phase and \({\widetilde{\mathsf{Trans}}}_2\) is the transcript of the emulation phase. Denote by \(\mathsf {Same}=\mathsf {Same}_{(\mathcal {A},\mathcal {B}),n}\) the event in which \((\mathsf{k}_{\mathcal {A}},\mathsf{k}_{\mathcal {B}},\mathsf{Trans})=(\mathsf{k}_{{\widetilde{\mathcal {A}}}},\mathsf{k}_{{\widetilde{\mathcal {B}}}},{\widetilde{\mathsf{Trans}}}_2)\) holds. We now estimate \(\Pr [\mathsf {Same}]\). If for every \(a(n)\le i\le q(n)\) the event \(\mathsf{HIT}^{f,{\mathcal {O}}_\mathsf{SVL}}_{\langle \mathcal {A}(1^n), \mathcal {B}(1^n) \rangle , i}\) does not occur, then the emulation phase and the actual execution of \((\mathcal {A},\mathcal {B})\) behave identically, so \(\mathsf {Same}\) occurs. Hence,
In particular, it holds that
The adversary E. To define the adversary E attacking the protocol \((\mathcal {A},\mathcal {B})\), we make use of the aforementioned result of Barak and Mahmoody-Ghidary.
Theorem A.7
[8, 27] Let \(({\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}})\) be an oracle-aided bit-agreement protocol, in which the parties issue at most \(q=q(n)\) oracle queries (see footnote 10). Suppose that
where the oracle f is sampled as above, and \((\mathsf{k}_{{\widetilde{\mathcal {A}}}}, \mathsf{k}_{{\widetilde{\mathcal {B}}}}, {\widetilde{\mathsf{Trans}}}) \leftarrow \langle {\widetilde{\mathcal {A}}}^{f}(1^n), {\widetilde{\mathcal {B}}}^{f}(1^n) \rangle \). Let \(0<\delta (n)<\frac{1}{2}+\rho (n)\). Then, there exists a \((16q/\delta )^2\)query adversary \({\widetilde{E}}\) such that
Moreover, the algorithm \({\widetilde{E}}\) can be implemented in time polynomial in n, q and \(1/\delta \) given access to a \(\mathsf{PSPACE}\)complete oracle.
Now, let \({\widetilde{E}}\) be the adversary from Theorem A.7 applied to our constructed protocol \(({\widetilde{\mathcal {A}}},{\widetilde{\mathcal {B}}})\), with loss of \(\delta (n)=\epsilon (n)\). We define an adversary E to the protocol \((\mathcal {A},\mathcal {B})\), that on input \(\mathsf{Trans}\), and with oracle access to f and \({\mathcal {O}}_\mathsf{SVL}=\{(\mathsf{S}_n,\mathsf{V}_n, L(n))\}_{n\in {\mathbb {N}}}\), works as follows:

1.
Set \(a(n)=2\log (q(n)^2/\epsilon (n)+1)\).

2.
Initialize an empty transcript \({\widehat{\mathsf{Trans}}}\).

3.
For \(1\le i \le a(n)\):

(a)
Set \(x^i_{0}=0^i\).

(b)
For \(j=1,\dots ,L(i)\): Set \(x^i_{j}=\mathsf{S}_i(x^i_{j-1})\).

(c)
Append \(x^i_1,\dots ,x^i_{L(i)}\) to the transcript \({\widehat{\mathsf{Trans}}}\) as if they were sent from Alice to Bob.

(d)
Define the successor function \({\widehat{\mathsf{S}}}_i : \{0,1\}^i \rightarrow \{0,1\}^i\) as
$$\begin{aligned} {\widehat{\mathsf{S}}}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , L(i) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. . \end{aligned}$$ 
(e)
Define the verification function \({\widehat{\mathsf{V}}}_i : \{0,1\}^i \times [2^i] \rightarrow \{0,1\}\) in a manner that is consistent with \({\widehat{\mathsf{S}}}_i\).

4.
For \(a(n)< i\le q(n)\):

(a)
Set \(x^i_{0}=0^i\).

(b)
For \(j=1,\dots ,q(n)\): Set \(x^i_{j}=\mathsf{S}_i(x^i_{j-1})\).

(c)
Append \(x^i_1,\dots ,x^i_{q(n)}\) to the transcript \({\widehat{\mathsf{Trans}}}\) as if they were sent from Alice to Bob.

(d)
Define the successor function \({\widehat{\mathsf{S}}}_i : \{0,1\}^i \rightarrow \{0,1\}^i\) as
$$\begin{aligned} {\widehat{\mathsf{S}}}_i(x) = \left\{ \begin{array}{cl} x^i_{j+1} &{} \text{ if } x=x^i_j \text{ for } \text{ some } j \in \{0, \ldots , q(n) - 1\} \\ x &{} \text{ otherwise } \\ \end{array} \right. . \end{aligned}$$ 
(e)
Define the verification function \({\widehat{\mathsf{V}}}_i : \{0,1\}^i \times [2^i] \rightarrow \{0,1\}\) in a manner that is consistent with \({\widehat{\mathsf{S}}}_i\).

5.
Run \(\mathsf{k}_E\leftarrow {\widetilde{E}}^f(({\widehat{\mathsf{Trans}}},\mathsf{Trans}))\) and output \(\mathsf{k}_E\).
Note that due to our coupling, the definition of \(x^i_j\) in the algorithm is consistent with the above definition of \(x^i_j\) as elements that \({\widetilde{\mathcal {A}}}\) samples. Also, by our coupling of \({\mathcal {O}}_\mathsf{SVL}\) and \(r_{{\widetilde{A}},1}\), it holds that \({\widetilde{\mathsf{Trans}}}_1={\widehat{\mathsf{Trans}}}\). Furthermore, if the event \(\mathsf {Same}\) occurs then it holds that \({\widetilde{\mathsf{Trans}}}_2=\mathsf{Trans}\). Therefore, in that case the execution of \(\mathsf{k}_E\leftarrow {\widetilde{E}}^f(({\widehat{\mathsf{Trans}}},\mathsf{Trans}))\) is the same as \(\mathsf{k}_{{\widetilde{E}}}\leftarrow {\widetilde{E}}^f(({\widetilde{\mathsf{Trans}}}_1,{\widetilde{\mathsf{Trans}}}_2))\), and we have
So it holds that \(\Pr [\mathsf{k}_{E}=\mathsf{k}_{\mathcal {A}}]\ge \frac{1}{2}+\rho (n) - 2\cdot \epsilon (n)\), and we choose \(\epsilon (n)=\delta (n)/2\), where \(\delta (n)\) is the desired loss from Claim A.5. The number of oracle queries that E performs is at most
Moreover, given access to a \(\mathsf{PSPACE}\)-complete oracle, the algorithm E can be implemented to run in time polynomial in n, q and \(1/\delta \). This follows easily from Theorem A.7 and settles the proof of Claim A.5.
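The instance-building steps 3 and 4 of the adversary E, worked through in code as an added example that is not part of the paper: it walks the line of a successor function from \(0^i\), builds the coupled instance \(({\widehat{\mathsf{S}}}_i,{\widehat{\mathsf{V}}}_i)\) from the visited prefix, and checks the prefix property stated after the definition of \(\mathsf{S}_i\). The paper only says that the verifier is "consistent with" the successor; the example assumes the usual reading that \(\mathsf{V}(x,j)\) accepts exactly when \(x=x_j\). It also represents i-bit strings as integers and replaces the randomly sampled oracle \(({\mathcal {O}}_\mathsf{SVL})_i\) by a hash-derived line, both of which are choices made here for the sake of an offline run.

```python
"""Added worked example (not from the paper): the coupled SVL instance built by
the adversary E in steps 3-4, and the prefix property the proof relies on.

Assumptions made here (the paper only says V is "consistent with" S):
  * i-bit strings are Python ints in [0, 2^i); the int 0 stands for 0^i.
  * V(x, j) accepts exactly when x is the j-th element x_j of the line
    x_0 = 0^i, x_j = S(x_{j-1}); a solution is any x with V(x, L) = 1.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

Successor = Callable[[int], int]
Verifier = Callable[[int, int], bool]


def instance_from_line(line: List[int]) -> Tuple[Successor, Verifier]:
    """(S, V) for an explicit line x_0, ..., x_m, following the case split in the
    paper's S_i: S maps x_j to x_{j+1} and fixes every other string; V(x, j)
    accepts iff x == x_j. Because `line` is a genuine walk, V stays consistent
    with S even when the walk stalls on a fixed point (x_{j+1} == x_j)."""
    nxt: Dict[int, int] = {}
    for j in range(len(line) - 1):
        nxt.setdefault(line[j], line[j + 1])  # first visit decides the successor

    def S(x: int) -> int:
        return nxt.get(x, x)

    def V(x: int, j: int) -> bool:
        return 0 <= j < len(line) and line[j] == x

    return S, V


def constructed_svl_oracle(i: int, length: int, seed: bytes) -> Tuple[Successor, Verifier, int]:
    """Constructed stand-in for one oracle (O_SVL)_i = (S_i, V_i, L(i)): a line of
    `length` + 1 distinct i-bit strings starting at 0^i, derived from `seed` so
    that the example runs offline and deterministically (not a random oracle)."""
    if length >= 2 ** i:
        raise ValueError("a line of distinct i-bit strings has at most 2^i elements")
    line, seen, ctr = [0], {0}, 0
    while len(line) <= length:
        h = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        x = int.from_bytes(h, "big") % (2 ** i)
        ctr += 1
        if x not in seen:  # keep the line cycle-free
            seen.add(x)
            line.append(x)
    S, V = instance_from_line(line)
    return S, V, length


def walk_line(S: Successor, i: int, steps: int) -> List[int]:
    """Steps 3(a)-(b) / 4(a)-(b): start at x_0 = 0^i and apply S `steps` times,
    returning [x_0, ..., x_steps]. Costs exactly `steps` successor queries."""
    line = [0]
    for _ in range(steps):
        nxt = S(line[-1])
        assert 0 <= nxt < 2 ** i, "successor must return an i-bit string"
        line.append(nxt)
    return line


def coupled_instance(S: Successor, i: int, steps: int) -> Tuple[Successor, Verifier, List[int]]:
    """Steps 3(c)-(e) / 4(c)-(e): the instance (S_hat_i, V_hat_i) that E derives
    from `steps` queries, plus the strings x_1..x_steps it appends to Trans_hat.
    `steps` is L(i) for i <= a(n) and q(n) for a(n) < i <= q(n)."""
    line = walk_line(S, i, steps)
    S_hat, V_hat = instance_from_line(line)
    return S_hat, V_hat, line[1:]


def is_prefix_of_line(S_hat: Successor, S: Successor, i: int, steps: int) -> bool:
    """The property stated right after S_i is defined: the line of the coupled
    instance is a prefix of the line of the real instance."""
    return walk_line(S_hat, i, steps) == walk_line(S, i, steps)


if __name__ == "__main__":
    i, L, q = 8, 20, 12
    S, V, _ = constructed_svl_oracle(i, L, b"constructed example seed")
    S_full, V_full, trans_full = coupled_instance(S, i, L)     # case i <= a(n)
    S_trunc, V_trunc, trans_trunc = coupled_instance(S, i, q)  # case a(n) < i
    print("full walk reaches the real solution:", V(trans_full[-1], L))
    print("truncated walk ends on a fixed point of S_hat:",
          S_trunc(trans_trunc[-1]) == trans_trunc[-1])
    print("... while the real line continues:", S(trans_trunc[-1]) != trans_trunc[-1])
```

The two cases in the demo mirror the two loops of E: when the whole line of length \(L(i)\) is walked, the coupled instance and the real one share their solution; when only \(q(n)\) steps are taken, the coupled successor turns the last visited string into a fixed point although the real line continues, which is exactly why the coupled line is only a prefix and why the proof needs the event \(\mathsf{HIT}\) not to occur for the emulation to match the real execution.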
Rosen, A., Segev, G. & Shahaf, I. Can PPAD Hardness be Based on Standard Cryptographic Assumptions? J Cryptol 34, 8 (2021). https://doi.org/10.1007/s00145-020-09369-6