Permuted Puzzles and Cryptographic Hardness

  • Elette Boyle
  • Justin Holmgren
  • Mor Weiss
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11892)


A permuted puzzle problem is defined by a pair of distributions \(\mathcal{D}_0,\mathcal{D}_1\) over \(\varSigma ^n\). The problem is to distinguish samples from \(\mathcal{D}_0,\mathcal{D}_1\), where the symbols of each sample are permuted by a single secret permutation \(\pi \) of [n].

The conjectured hardness of specific instances of permuted puzzle problems was recently used to obtain the first candidate constructions of Doubly Efficient Private Information Retrieval (DE-PIR) (Boyle et al. & Canetti et al., TCC’17). Roughly, in these works the distributions \(\mathcal{D}_0,\mathcal{D}_1\) over \({\mathbb F}^n\) are evaluations of either a moderately low-degree polynomial or a random function. This new conjecture seems to be quite powerful, and is the foundation for the first DE-PIR candidates, almost two decades after the question was first posed by Beimel et al. (CRYPTO’00). However, while permuted puzzles are a natural and general class of problems, their hardness is still poorly understood.
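The following Python script is an added illustration of the definition above and of the DE-PIR-style instance just described; it is not code from the paper. It builds a toy permuted puzzle in which D_0 is the evaluation vector of a random degree-3 polynomial over F_101 at the points 0..15, D_1 is a uniformly random vector, and every sample, from either distribution, is scrambled by one fixed secret permutation π of [n] chosen once. The field size, length, degree bound and the forward-difference distinguisher are constructed choices for this example. It shows that a simple degree test separates the raw distributions perfectly, yet has essentially no advantage once the same secret π is applied to every sample; recovering the structure hidden by π is exactly what the conjecture says is hard for moderately low degree.

```python
import random

# Toy parameters (constructed for this example, not taken from the paper)
P = 101  # prime field F_101
N = 16   # number of symbols per sample, n
D = 3    # degree bound defining D_0 ("moderately low-degree" polynomials)


def sample_d0(rng):
    """D_0: evaluations of a random polynomial of degree <= D at x = 0..N-1 over F_P."""
    coeffs = [rng.randrange(P) for _ in range(D + 1)]
    return [sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P for x in range(N)]


def sample_d1(rng):
    """D_1: evaluations of a random function, i.e. a uniformly random vector in F_P^N."""
    return [rng.randrange(P) for _ in range(N)]


def random_permutation(rng):
    """The single secret permutation pi of [N]: chosen once, reused for every sample."""
    pi = list(range(N))
    rng.shuffle(pi)
    return pi


def permute(sample, pi):
    """Apply pi to the symbol positions: output position i holds input symbol pi[i]."""
    return [sample[pi[i]] for i in range(N)]


def degree_test(sample):
    """Easy distinguisher for the *unpermuted* problem.

    For a polynomial of degree <= D evaluated at consecutive points, the (D+1)-th
    forward difference vanishes identically; for a random vector it almost never
    does.  Returns True when the sample looks like it came from D_0.
    """
    diffs = list(sample)
    for _ in range(D + 1):
        diffs = [(b - a) % P for a, b in zip(diffs, diffs[1:])]
    return all(v == 0 for v in diffs)


def advantage(permuted, trials=200, seed=0):
    """Estimate |Pr[test=True | D_0] - Pr[test=True | D_1]| for degree_test.

    permuted=False: the test sees raw samples (identity permutation).
    permuted=True : every sample, from either distribution, is scrambled by the
                    same secret pi, as in the permuted puzzle definition.
    """
    rng = random.Random(seed)
    pi = random_permutation(rng) if permuted else list(range(N))
    hits0 = sum(degree_test(permute(sample_d0(rng), pi)) for _ in range(trials))
    hits1 = sum(degree_test(permute(sample_d1(rng), pi)) for _ in range(trials))
    return abs(hits0 - hits1) / trials


if __name__ == "__main__":
    print("advantage without permutation:", advantage(permuted=False))
    print("advantage with one secret permutation:", advantage(permuted=True))
```

The first number comes out as 1.0 and the second as (essentially) 0: the finite-difference test relies on the evaluation points being in their natural order, and a single unknown π destroys that order for every sample at once. Note that the script only shows that this particular easy distinguisher breaks; the paper's point is that, for the polynomial instance, no efficient distinguisher is known, and that hardness remains a conjecture.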

We initiate a formal investigation of the cryptographic hardness of permuted puzzle problems. Our contributions lie in three main directions:

  • Rigorous formalization. We formalize a notion of permuted puzzle distinguishing problems, extending and generalizing the proposed permuted puzzle framework of Boyle et al. (TCC’17).

  • Identifying hard permuted puzzles. We identify natural examples in which a one-time permutation provably creates cryptographic hardness, based on “standard” assumptions. In these examples, the original distributions \(\mathcal{D}_0,\mathcal{D}_1\) are easily distinguishable, but the permuted puzzle distinguishing problem is computationally hard. We provide such constructions in the random oracle model, and in the plain model under the Decisional Diffie-Hellman (DDH) assumption. We additionally observe that the Learning Parity with Noise (LPN) assumption itself can be cast as a permuted puzzle.

  • Partial lower bound for the DE-PIR problem. We make progress towards better understanding the permuted puzzles underlying the DE-PIR constructions, by showing that a toy version of the problem, introduced by Boyle et al. (TCC’17), withstands a rich class of attacks, namely those that distinguish solely via statistical queries.



We thank Yuval Ishai for many useful discussions. We thank Fermi Ma for helpful discussions, in particular for pointing out that the blueprint of the DDH-based permuted puzzle extends also to the LPN setting, for simplifying one step of the proof of Proposition 3, and for allowing us to include these observations in the current work. We thank the anonymous TCC reviewers for helpful comments.


  1. [Ajt96]
    Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, 22–24 May 1996, pp. 99–108 (1996)
  2. [Ale03]
    Alekhnovich, M.: More on average case vs approximation complexity. In: Proceedings of the 44th Symposium on Foundations of Computer Science (FOCS 2003), Cambridge, MA, USA, 11–14 October 2003, pp. 298–307 (2003)
  3. [BCC+17]
    Bitansky, N., et al.: The hunting of the SNARK. J. Cryptol. 30(4), 989–1066 (2017)
  4. [BFKL93]
    Blum, A., Furst, M., Kearns, M., Lipton, R.J.: Cryptographic primitives based on hard learning problems. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 278–291. Springer, Heidelberg (1994)
  5. [BGI+01]
    Barak, B., et al.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001)
  6. [BHHO08]
    Boneh, D., Halevi, S., Hamburg, M., Ostrovsky, R.: Circular-secure encryption from decision Diffie-Hellman. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 108–125. Springer, Heidelberg (2008)
  7. [BIM00]
    Beimel, A., Ishai, Y., Malkin, T.: Reducing the servers computation in private information retrieval: PIR with preprocessing. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 55–73. Springer, Heidelberg (2000)
  8. [BIPW17]
    Boyle, E., Ishai, Y., Pass, R., Wootters, M.: Can we access a database both locally and privately? In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 662–693. Springer, Cham (2017)
  9. [BKW00]
    Blum, A., Kalai, A., Wasserman, H.: Noise-tolerant learning, the parity problem, and the statistical query model. In: Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing, Portland, OR, USA, 21–23 May 2000, pp. 435–440 (2000)
  10. [BPR15]
    Bitansky, N., Paneth, O., Rosen, A.: On the cryptographic hardness of finding a Nash equilibrium. In: IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS 2015, Berkeley, CA, USA, 17–20 October 2015, pp. 1480–1498 (2015)
  11. [BV11]
    Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE. ECCC 18(109) (2011)
  12. [CCH+19]
    Canetti, R., et al.: Fiat-Shamir: from practice to theory. In: STOC (2019)
  13. [CCRR18]
    Canetti, R., Chen, Y., Reyzin, L., Rothblum, R.D.: Fiat-Shamir and correlation intractability from strong KDM-secure encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part I. LNCS, vol. 10820, pp. 91–122. Springer, Cham (2018)
  14. [CGKS95]
    Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. In: 36th Annual Symposium on Foundations of Computer Science, Milwaukee, Wisconsin, USA, 23–25 October 1995, pp. 41–50 (1995)
  15. [CHK+19]
    Choudhuri, A.R., Hubáček, P., Kamath, C., Pietrzak, K., Rosen, A., Rothblum, G.N.: Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. IACR Cryptology ePrint Archive 2019/158 (2019)
  16. [CHR17]
    Canetti, R., Holmgren, J., Richelson, S.: Towards doubly efficient private information retrieval. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 694–726. Springer, Cham (2017)
  17. [DH76]
    Diffie, W., Hellman, M.E.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)
  18. [FKM+18]
    Faugère, J.-C., Koussa, E., Macario-Rat, G., Patarin, J., Perret, L.: PKP-based signature scheme. IACR Cryptology ePrint Archive 2018/714 (2018)
  19. [Gen09]
    Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of STOC 2009, pp. 169–178. ACM (2009)
  20. [GGH+13]
    Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, Berkeley, CA, USA, 26–29 October 2013, pp. 40–49 (2013)
  21. [GJ02]
    Garey, M.R., Johnson, D.S.: Computers and Intractability, vol. 29. W. H. Freeman, New York (2002)
  22. [GK16]
    Goldwasser, S., Tauman Kalai, Y.: Cryptographic assumptions: a position paper. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 505–522. Springer, Heidelberg (2016)
  23. [GKL88]
    Goldreich, O., Krawczyk, H., Luby, M.: On the existence of pseudorandom generators (extended abstract). In: 29th Annual Symposium on Foundations of Computer Science, White Plains, New York, USA, 24–26 October 1988, pp. 12–24 (1988)
  24. [GW11]
    Gentry, C., Wichs, D.: Separating succinct non-interactive arguments from all falsifiable assumptions. In: STOC, pp. 99–108. ACM (2011)
  25. [HL18]
    Holmgren, J., Lombardi, A.: Cryptographic hashing from strong one-way functions (or: one-way product functions and their applications). In: 2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS), pp. 850–858. IEEE (2018)
  26. [HY17]
    Hubáček, P., Yogev, E.: Hardness of continuous local search: query complexity and cryptographic lower bounds. In: Proceedings of the Twenty-Eighth Annual ACM-SIAM Symposium on Discrete Algorithms, SODA 2017, Barcelona, Spain, 16–19 January 2017, pp. 1352–1371 (2017)
  27. [KMP19]
    Koussa, E., Macario-Rat, G., Patarin, J.: On the complexity of the permuted kernel problem. IACR Cryptology ePrint Archive 2019/412 (2019)
  28. [KO97]
    Kushilevitz, E., Ostrovsky, R.: Replication is not needed: single database, computationally-private information retrieval. In: 38th Annual Symposium on Foundations of Computer Science, FOCS 1997, Miami Beach, Florida, USA, 19–22 October 1997, pp. 364–373 (1997)
  29. [KRR17]
    Kalai, Y.T., Rothblum, G.N., Rothblum, R.D.: From obfuscation to the security of Fiat-Shamir for proofs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 224–251. Springer, Cham (2017)
  30. [LP12]
    Lampe, R., Patarin, J.: Analysis of some natural variants of the PKP algorithm. In: SECRYPT 2012, Proceedings of the International Conference on Security and Cryptography (part of ICETE, the International Joint Conference on e-Business and Telecommunications), Rome, Italy, 24–27 July 2012, pp. 209–214 (2012)
  31. [Mul54]
    Muller, D.E.: Application of Boolean algebra to switching circuit design and to error detection. Trans. I.R.E. Prof. Group Electron. Comput. 3(3), 6–12 (1954)
  32. [Nao03]
    Naor, M.: On cryptographic assumptions and challenges. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 96–109. Springer, Heidelberg (2003)
  33. [PS19]
    Peikert, C., Shiehian, S.: Noninteractive zero knowledge for NP from (plain) learning with errors. IACR Cryptology ePrint Archive 2019/158 (2019)
  34. [Rab79]
    Rabin, M.O.: Digitalized signatures and public-key functions as intractable as factorization. Technical report, MIT Laboratory for Computer Science (1979)
  35. [RAD78]
    Rivest, R.L., Adleman, L., Dertouzos, M.L.: On data banks and privacy homomorphisms. In: Foundations of Secure Computation. Academia Press (1978)
  36. [Ree54]
    Reed, I.S.: A class of multiple-error-correcting codes and the decoding scheme. Trans. IRE Prof. Group Inf. Theory (TIT) 4, 38–49 (1954)
  37. [Reg05]
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, 22–24 May 2005, pp. 84–93 (2005)
  38. [RSA78]
    Rivest, R.L., Shamir, A., Adleman, L.M.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
  39. [Sha89]
    Shamir, A.: An efficient identification scheme based on permuted kernels (extended abstract). In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 606–609. Springer, New York (1990)

Copyright information

© International Association for Cryptologic Research 2019

Authors and Affiliations

  1. Department of Computer Science, IDC Herzliya, Herzliya, Israel
  2. Department of Computer Science, Princeton University, Princeton, USA
