New hardness results for total search problems and non-interactive lattice-based protocols

by Aikaterini Sotiraki

Diploma, National Technical University of Athens (2013)
S.M., Massachusetts Institute of Technology (2016)

Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY, September 2020

© Massachusetts Institute of Technology 2020. All rights reserved.

Author: Department of Electrical Engineering and Computer Science, August 13, 2020

Certified by: Vinod Vaikuntanathan, Associate Professor of Electrical Engineering and Computer Science, Thesis Supervisor

Accepted by: Leslie A. Kolodziejski, Professor of Electrical Engineering and Computer Science, Chair, Department Committee on Graduate Students

by Aikaterini Sotiraki

Submitted to the Department of Electrical Engineering and Computer Science on August 13, 2020, in partial fulfillment of the requirements for the degree of Doctor of Philosophy

Abstract

We investigate new hardness results for total search problems, namely search problems that always have a solution, and non-interactive lattice protocols.

1. A question of particular importance, raised together with the definition of the class of total search problems, is to identify complete problems that do not explicitly have a Turing machine or a circuit as a part of their input. We provide natural complete problems for various TFNP subclasses. We first consider the classes PPP and PWPP, where our complete problems are inspired by lattice theory and lead towards answering important questions in cryptography. Additionally, we identify complete problems for classes that generalize the class PPA, called PPAq. In this case, our results have connections to number theory, and in particular to the Chevalley-Warning theorem.

2. The Learning With Errors (LWE) problem, introduced by Regev, has had a profound impact on cryptography. We consider non-interactive protocols that are secure under the LWE assumption, such as non-interactive zero-knowledge and non-interactive key-exchange. We show new strategies and new barriers towards constructing such protocols.

Thesis Supervisor: Vinod Vaikuntanathan Title: Associate Professor of Electrical Engineering and Computer Science

Acknowledgments

I have been extremely fortunate to spend the last few years at MIT. I am particularly grateful to my advisor Vinod Vaikuntanathan. His enthusiasm for research and his unlimited knowledge have provided me with motivation to continue even in the hardest moments of my PhD. Even short meetings with Vinod were enough to give me new ideas and directions when I most needed them.

A decisive point during my PhD was definitely my internship at IDC, Herzliya with Alon Rosen. This experience gave me the opportunity to interact with amazing people and find new collaborators. I hope that this summer laid the foundations for many more collaborations yet to come. Another important point of my PhD was my internship at Microsoft Research, where I was fortunate to work on applied cryptography. I am still amazed that in these three months I was able to learn so many new things unrelated to my previous research and contribute to projects. I am certain that this would have been impossible without the help of the group at Microsoft Research, and especially my mentor Esha Ghosh.

I would like to thank all of my collaborators: Manolis, Giorgos, Ron, Adam, Esha, Hao, Pritish, Siyao, Alon, Aris, Alexandros, and Mika. It is beyond any doubt that this thesis would not exist without them. I really enjoyed meeting and learning from each one of them and I hope that I will have the opportunity to continue in the future.

The theory group at MIT is a unique place, where I was very fortunate to develop academically, but also to meet new friends. I would like to thank all of the students and faculty of the group for providing such a warm and welcoming environment. I am not going to attempt to mention the other students by name for fear of forgetting someone. But I am very grateful to each one of them for all the discussions, the retreats, the theory teas etc. that we spent together. Especially, I want to thank Ron Rivest and Yael Kalai for serving on my committee. Ron was also my Master's thesis supervisor and I am grateful to him for introducing me to research. Yael was always a person that I could ask for advice and it is amazing how much I have learned from Yael even without directly working with her. I want to also thank for giving me the opportunity to be a TA for her class and for providing me with guidance throughout the years. I want to thank the wonderful administrative assistants of the theory group, Debbie, Joanne and Rebecca.

My life at MIT was enjoyable thanks to my many friends. I really hope that even after MIT these friendships will last. I want to especially thank Mădălina, Artemisa, Chara and Lydia P, Chistos, Vasso and Dafne, Christina and Konstantinos, Giorgos and Will, Ilias, Konstantina, Maryam, Lydia Z and Marinos, Sophie, and most of all my partner Manolis for all the great moments that we had. From having daily tea breaks to sharing important life moments, my memories of MIT are always tied to them.

Finally, I cannot thank enough my parents and my extended family for all the love and support that they offer every single day. It is without doubt that the most challenging part of my PhD was being away from them.

Contents

1 Introduction 15
1.1 Total Search Problems 16
1.2 Non-interactive lattice-based protocols 20
1.3 Notation 25

2 Total Search Problems 29
2.1 Complete problems 30
2.2 TFNP and Cryptography 32
2.3 Reductions 33
2.4 Set Description Using Circuits 34

3 Lattices 37
3.1 Computational Lattice Problems 39
3.2 Cryptographic assumptions 41

4 Pigeonhole Principle Arguments 45
4.1 Overview of the Results 46
4.2 BLICHFELDT is PPP-complete 52
4.3 cSIS is PPP-complete 57
4.4 Towards universal collision-resistant hashing 69
4.5 Natural Complete problem for PMPP 75
4.6 Lattice problems in PPP and PWPP 77

5 Modulo q Arguments 81
5.1 Overview 82
5.2 The class PPAq 92
5.3 Characterization via Primes 95
5.4 A Natural Complete Problem 99
5.5 Complete Problems via Small Depth Arithmetic Circuits 120
5.6 Applications of Chevalley-Warning 122
5.7 Structural Properties of PPAq 125

6 Non-interactive zero-knowledge 131
6.1 Overview 131
6.2 Basic Definitions 138
6.3 From POCS to NIZKs 141
6.4 Instantiating with LWE 153

7 Non-interactive key-exchange 167
7.1 Overview 170
7.2 Basic Definitions 173
7.3 (Information Theoretic) Impossibility of Amplification with Multiple Samples 174
7.4 (Computational) Impossibility of Noise-Ignorant Key Reconciliation Functions 181
7.5 Connections to other cryptographic primitives 187

8 Summary and Open Problems 193

A Missing proofs of Chapter 4 197
A.1 Proof of Claim 4.3.4 197

B Missing proofs of Chapter 5 199
B.1 Reductions Between Complete Problems 199
B.2 Completeness of Succinct Bipartite 204
B.3 Equivalence with PMODp 206
B.4 Proof of Theorem 5.5.1 207

C Missing proofs of Chapter 7 213
C.1 A self-contained proof of Theorem 7.3.1 213

List of Figures

2-1 The landscape of TFNP subclasses 30

4-1 Problems in PPP 52
4-2 A simple example of the construction of Lemma 4.3.3 68

5-1 The PPAq subclasses of TFNP 91

5-2 Total search problems related to PPAq 95

5-3 Illustration of the proof of PPA_{p^k} ⊆ PPA_p 97

5-4 Illustration of the proof of PPAD ⊆ PPAq 126
5-5 Illustration of the proof of Theorem 5.7.3 130

7-1 LWE-based key-exchange through reconciliation 168

List of Tables

4.1 Value and auxiliary variables of graph 풢(i) 62
4.2 Equations of non-input nodes 62
4.3 Illustration of the matrix G(i) 64
4.4 Illustration of the matrix A 66

A.1 Values of specific expressions (mod 4) 197

Chapter 1

Introduction

The main task of Cryptography is to allow computation and communication in adversarial settings. Most cryptographic applications are impossible in the information-theoretic setting as formalized by Shannon [156], and hence require computational assumptions. Traditional cryptographic assumptions include the hardness of factoring and of finding discrete logarithms. More recently, starting with the breakthrough works of Ajtai [4] and Regev [142], new assumptions based on the hardness of computational lattice problems have been introduced. These problems have various features that traditional assumptions lack. One such characteristic is the nonexistence of known efficient quantum attacks against these assumptions. Another unique feature is that their average-case hardness is based on the worst-case hardness of lattice problems. Even though lattice-based assumptions enjoy these unique features and have been instrumental in the construction of many advanced cryptographic primitives, we still have limited evidence for their hardness, as with any other cryptographic assumption.

The contribution of this thesis related to lattice-based assumptions is two-fold. On the one hand, we increase the understanding of the hardness of lattice-based assumptions through their connection with complexity theory, and in particular the complexity of total search problems. On the other hand, we investigate what types of protocols can be constructed based on these assumptions. In particular, we are interested in non-interactive protocols that have been known from traditional assumptions, such as factoring. All the work in this thesis is based on prior publications [158, 91, 146, 96].

1.1 Total Search Problems

The fundamental task of Computational Complexity theory is to classify computational problems according to their inherent computational difficulty. This leads to the definition of various complexity classes, such as NP, which contains the decision problems with efficiently verifiable proofs of the “yes” instances. The search analog of the class NP, called FNP, contains the search problems whose decision version is in NP. Similarly, the class FP is the search analog of P. The seminal works of [106, 134] consider search problems in FNP that are total, i.e. their decision version is always affirmative and thus a solution must always exist. Even though the class FNP seems inadequate to capture the intrinsic complexity of total problems, as was first shown in [106], there is evidence for the hardness of total search problems, e.g. in [97]. Hence, Megiddo and Papadimitriou [122] defined the class TFNP, which contains the total search problems of FNP, and Papadimitriou [134] proposed the following classification rule for problems in TFNP:

Total search problems should be classified in terms of the profound mathematical principles that are invoked to establish their totality.

Following the above principle, Johnson, Papadimitriou and Yannakakis [106] defined the class PLS. A few years later, Papadimitriou [134] defined the complexity classes PPA, PPAD, PPADS and PPP. Recently, the classes CLS and PWPP were defined in [54] and [104], respectively.

Finding complete problems for the above classes enhances our understanding of the underlying mathematical principles. Additionally, completeness results reveal equivalences between total search problems that seem impossible to discover without invoking the definition of these classes. A question of particular importance, raised together with the definition of the TFNP subclasses in [106, 134], is to identify complete problems that do not explicitly have a Turing machine or a circuit as a part of their input. Following the terminology of many TFNP papers, including [94, 70, 71], such problems are called natural problems. Natural complete problems are known for PLS [152] and PPAD [54]. Recently, Filos and Goldberg [70, 71] identified natural complete problems for the class PPA. Finally, the theory of total search problems has found connections beyond its original scope to areas like communication complexity and circuit lower bounds [90] and the Sum-of-Squares hierarchy [112].

Our Contribution

We provide natural complete problems for various TFNP subclasses. We first consider the classes PPP and PWPP, where our complete problems are inspired by lattice theory and lead towards answering important questions in cryptography. Additionally, we identify complete problems for classes that generalize the class PPA, called PPAq. In this case, our results have connections to number theory, and in particular to the Chevalley-Warning theorem.

Our main result related to the class PPP is that the cSIS problem, a constrained version of the Short Integer Solution (SIS) problem, is PPP-complete [158]. We also identify a version of cSIS, denoted weak-cSIS, that is PWPP-complete. These are the first natural complete problems for the classes PPP and PWPP. Additionally, we show that the computational problem BLICHFELDT, associated with Blichfeldt’s theorem, is PPP-complete. Blichfeldt’s theorem is a generalization of the famous Minkowski’s theorem. Even though BLICHFELDT is not natural, since it requires a circuit as part of its input, establishing its complexity has consequences for the complexity of other lattice problems. We now summarize the applications of our main result to cryptography and lattice theory.

Universal Collision-Resistant Hash Function. The class PPP has intrinsic connections to cryptography, as was first pointed out by Papadimitriou [134]. This connection was further investigated through the definition of PWPP by Jeřábek [104]. Building on this inherent connection of PWPP with the cryptographic primitive of collision-resistant hash functions, we construct a natural hash function family ℋcSIS with the following properties:

- Worst-Case Universality. No efficient algorithm can find a collision in every function of the family ℋcSIS, unless worst-case collision-resistant hash functions do not exist. Moreover, if an (average-case hard) collision-resistant hash function family exists, then there exists an efficiently sampleable distribution 풟 over ℋcSIS such that (풟, ℋcSIS) is an (average-case hard) collision-resistant hash function family.
- Average-Case Hardness. No efficient algorithm can find a collision in a function chosen uniformly at random from ℋcSIS, unless we can efficiently find short lattice vectors in any (worst-case) lattice.

Worst-case universality is reminiscent of the notion of worst-case one-way functions from the assumption that P ≠ NP [155]. The worst-case one-way function is defined via a Turing machine, as opposed to our hash function family ℋcSIS, which is natural and hence does not involve any circuit or Turing machine in its definition. Levin [116] initiated the idea of universal constructions of cryptographic primitives and constructed the first universal one-way function. Since then, many works have constructed other universal primitives [115, 113]. In fact, the same ideas allow us to construct universal collision-resistant hash function families. However, this hash function invokes an explicit description of a Turing machine in its input, and hence it fails to be natural. In contrast, our candidate construction is natural, simple, and of practical interest.

Extension to multi-collision hash functions. The classes k-PMPP, which were recently introduced by [111], capture the principle of finding multi-collisions in a very compressing function. These classes are related to the cryptographic primitive of multi-collision hash functions, which has been a useful cryptographic tool [111, 26, 110, 23]. We define an extension of the cSIS problem, called k-cSIS, and we show that this problem is complete for the class k-PMPP. Our completeness result suggests the first candidate natural universal multi-collision hash function family.

Complexity of Lattice Problems in PPP. The use of lattice problems for cryptography started with the breakthrough work of Ajtai [4] and has been a prolific area of research since then. This wide use of search (approximation) lattice problems motivates the study of their complexity. In fact, Aharonov and Regev showed that the lattice problems that serve as the foundation for numerous cryptographic constructions in the past two decades belong to NP ∩ coNP [2]. We expand this research front by showing that numerous approximation lattice problems are reducible to BLICHFELDT and cSIS, and hence they belong to subclasses of TFNP. This follows by combining results and techniques from lattice theory with our complexity results for BLICHFELDT and cSIS. These results create a new path towards a better understanding of the complexity of lattice problems.

In terms of the PPAq classes, we provide a systematic study of these complexity classes and we provide the first natural complete problems when q is a prime [91]. Our complete problems are explicit versions of the Chevalley-Warning theorem. Following the terminology in [21], by explicit we mean that the system of polynomials, which is the input of the computational problems we define, is given as a sum of monic monomials. As a consequence of the PPAq-completeness of our natural problem for q prime, we show that restricting the input circuits in the definition of PPAq to just constant depth arithmetic formulas does not change the power of the class.

We also illustrate the importance of the complexity classes PPAq by showing that many important search problems, whose computational complexity is not well-understood, belong to PPAq. We complement the study of PPAq with connections to other important and well-studied classes, like PPAD. Below we give a more precise overview of these applications.

Structural properties of PPAq. We characterize the class PPAq for general q in terms of the classes PPAp for prime p. Additionally, we sketch how existing results already paint a near-complete picture of the power of PPAq relative to other TFNP subclasses (via inclusions and oracle separations). We also show that PPAq is closed under Turing reductions.

Connection to lattice problems. We show a connection between PPAq and the Short Integer Solution (SIS) problem from the theory of lattices. This connection implies that SIS with constant modulus q belongs to PPAq ∩ PPP, but also provides a polynomial time algorithm for solving SIS when the modulus q is constant and has only 2 and 3 as prime factors.

1.2 Non-interactive lattice-based protocols

The learning with errors (LWE) problem, introduced by Regev [142], has had a profound impact on cryptography. The goal in LWE is to find a solution to a set of noisy linear equations modulo a large integer q, where the noise is typically drawn from a discrete Gaussian distribution. The assumption that LWE cannot be broken in polynomial time can be based on the worst-case hardness of lattice problems [142, 135] and has drawn immense interest in recent years. Immediately following its introduction, LWE was shown to imply the existence of many important cryptographic primitives such as public-key encryption [142], circular secure encryption [11], oblivious transfer [139], chosen ciphertext security [140, 135], etc. Even more remarkably, in recent years LWE has been used to achieve schemes and protocols above and beyond what was previously known from other assumptions. Notable examples include fully homomorphic encryption [36], predicate encryption and certain types of functional encryption (see, e.g., [1, 87, 92]), and even obfuscation of certain expressive classes of computations [164, 93]. Despite this amazing list of applications, there are still unexplored directions related to LWE-based constructions. We consider questions related to the primitives of non-interactive key-exchange (NIKE) and general purpose Non-Interactive Zero-Knowledge (NIZK) proof systems for NP.

A NIZK proof system for a language L ∈ NP, as introduced by Blum et al. [30], is a protocol between a probabilistic polynomial-time prover P and verifier V in the Common Random String (CRS) model. The prover, given an instance x ∈ L, a witness w, and the random string r, produces a proof string π which it sends to the verifier. Based only on x, the random string r and the proof π, the verifier can decide whether x ∈ L. Furthermore, the protocol is zero-knowledge: the proof π reveals nothing to the verifier beyond the fact that x ∈ L. Non-interactive zero-knowledge proof systems have been used extensively in cryptography, with applications ranging from chosen ciphertext security and non-malleability [130, 60, 150], multi-party computation with a small number of rounds (see, e.g., [128]) and low-round witness-indistinguishability [61] to various types of signatures (e.g. [19, 22]) and beyond.

A NIKE is a protocol between two probabilistic polynomial-time parties P1 and P2. The parties share some public parameters and simultaneously exchange a single message. Then, based on the exchanged messages and the public parameters, they agree on a common secret key. Furthermore, no adversary that observes the interaction can gain any information about this key. The paradigmatic example of a NIKE scheme is the Diffie-Hellman protocol [57], which lies at the foundation of public-key cryptography. Non-interactive key exchange has applications in practice, but is also a useful primitive in theoretical results (e.g. [59], [34]). Additionally, NIKE is black-box separated from one-way functions [103].

Both primitives can be instantiated from a variety of cryptographic assumptions. General purpose NIZK proof systems (i.e., NIZK proof systems for all of NP) are known based on number theoretic assumptions (e.g., the hardness of factoring integers [68] or the decisional linear assumption or symmetric external Diffie-Hellman assumption over bilinear groups [95]) or from indistinguishability obfuscation [151, 27]. Even though the canonical NIKE protocol is based on the Diffie-Hellman assumption [57], there are various security notions for NIKE that are instantiated from different assumptions (e.g., the twin Diffie-Hellman assumption [44], the hardness of factoring in the Random Oracle Model, the hardness of a variant of the Diffie-Hellman problem [73] or indistinguishability obfuscation [32]). We remark that these assumptions can be broken by a quantum computer [157] or are not yet well understood. Very recently, Peikert and Shiehian [137] (building on [42]) constructed general purpose statistical NIZK arguments in the common random string model and general purpose NIZK proofs in the common reference string model under LWE. While the question of constructing NIZKs from LWE is by now mostly resolved, one important variant (to which our techniques may be applicable) remains open: constructing NIZK proofs in the common random string model (i.e., with an unstructured CRS).

Our Contribution

Our main result for a non-interactive zero-knowledge proof system is a completeness theorem reducing the question of constructing a NIZK proof system for all of NP from LWE to that of constructing a NIZK proof system for one particular computational problem [146]. Specifically, we consider a decisional variant of the bounded distance decoding (BDD) problem. In the BDD problem, the input is a lattice basis and a target vector which is very close to the lattice. The problem is to find the nearby lattice point. This is very similar to the closest vector problem CVP, except that here the vector is guaranteed to be within the λ_1 radius of the lattice, where λ_1 denotes the length of the shortest non-zero lattice vector (more specifically, the problem is parameterized by α ≥ 1 and the guarantee is that the point is at distance λ_1/α from the lattice). BDD can also be viewed as a worst-case variant of LWE and is known to be (up to polynomial factors) equivalent to the shortest-vector problem (more precisely, GapSVP) [120]. We consider a decisional variant of BDD, which we denote by dBDD. The dBDD_{α,γ} problem is a promise problem, parameterized by α ≥ 1 and γ ≥ 1, where the input is a basis B of a lattice ℒ and a point t. The goal is to distinguish pairs (ℒ, t) such that the point t has distance at most λ_1(ℒ)/α from the lattice ℒ from tuples in which t has distance at least γ · λ_1(ℒ)/α from ℒ.

Our main result states that, assuming that LWE holds and that dBDD_{α,γ} has a NIZK proof system (where α and γ depend on the LWE parameters), every language in NP has a NIZK proof system. Since dBDD is a special case of the well-studied GapCVP problem, a NIZK for GapCVP would likewise suffice for obtaining NIZKs for all of NP based on LWE.

Relation to [138]. The theorem above (almost) confirms a conjecture of Peikert and Vaikuntanathan [138]. More specifically, [138] conjectured that a NIZK proof system for a specific computational problem related to lattices would imply a NIZK proof system for every NP language. The problem that Peikert and Vaikuntanathan consider is GapSVP, whereas the problem that we consider is the closely related dBDD problem. While BDD is known to be no harder than GapSVP [120] (and the same can be shown for dBDD), these results are shown by Cook reductions and so a NIZK for one problem does not necessarily yield a NIZK for the other. In particular, we do not know how to extend our main theorem to hold with respect to GapSVP.

Subsequent works. Subsequent to our work, Canetti et al. [42] constructed general purpose NIZK arguments in the common random string model and general purpose NIZK proofs in the common reference string model under the LWE assumption with an additional circular security assumption (similar to the one used in fully-homomorphic encryption schemes). Later, Peikert and Shiehian [137] removed the extra circular security assumption. Both of these papers construct NIZK arguments in the common random string model and NIZK proofs in the common reference string model. One question that remains open, and to which our techniques might be applicable, is constructing NIZK proofs in the common random string model (i.e., with an unstructured CRS).

Regarding non-interactive key-exchange, we explore the possibility of attaining (ring) LWE-based protocols with modulus polynomial in the security parameter [96]. We focus on the setting where the two parties only send one or a few (ring) LWE samples to each other. The main motivation for studying this setting is that it is perhaps the simplest setting which captures natural non-interactive variants of current LWE-based interactive key exchange protocols. Therefore, impossibility results give a theoretical justification for the interactive structure of current protocols. In this setting, NIKE is simply characterized by two efficiently computable key reconciliation functions, such that

- their outputs agree with overwhelming probability in the security parameter, and
- their outputs are pseudorandom, even when conditioned on the transcript of the protocol.

We show impossibility results for various natural choices of reconciliation functions, as summarized below.

Impossibility of agreement amplification by repetition. In many existing LWE-based key exchange protocols [58, 136], the first round is sufficient for approximate key agreement. Namely, after a single round the two parties share a common value with some probability. Then, the protocols use interaction to achieve agreement with overwhelming probability in the security parameter, as required for key agreement. A natural idea for amplifying the agreement probability is to run in parallel multiple copies of the first round of the existing protocols and combine them in order to amplify the agreement probability. We show that for any number of parallel repetitions, any reconciliation functions and any non-trivial LWE noise distribution, the parties disagree with noticeable probability in the LWE modulus. This implies that such reconciliation functions cannot exist. In fact, this impossibility is information theoretic and holds even for computationally inefficient reconciliation functions. Our results naturally extend to the case of ring LWE (RLWE).

Impossibility of noise-ignorant reconciliation functions. We show that the reconciliation functions have to depend on the LWE noises of each party respectively. This impossibility excludes more general reconciliation functions than in the previous case. However, in contrast to the previous result, which holds unconditionally, this result assumes the hardness of the LWE problem. Our theorem extends to the case of RLWE and to the case where the parties exchange up to a polynomial number of LWE samples.

The above two results rule out the most natural choices of key reconciliation functions, unconditionally or under the LWE assumption. However, we show that the existence of efficient reconciliation functions which depend on all of their inputs cannot be ruled out (at least as long as the existence of iO is a possibility). In particular, we show that there exists an instantiation of the NIKE protocol that is based on indistinguishability obfuscation (iO) and puncturable PRFs [32] in our framework.

1.3 Notation

We use the following notation throughout this thesis.

General Notation. We use [m] to denote the set {1, ..., m}. Let N = {0, 1, 2, ...} and Z_+ = {1, 2, 3, ...}. We use small bold letters x to refer to vectors and capital bold letters A to refer to matrices. For a matrix A, we denote by a_i^T its i-th row and by a_{i,j} its (i, j)-th element. Let I_n denote the n-dimensional identity matrix. We denote with E_{i,j} the matrix that has all zeros except that e_{i,j} = 1. A function negl(k) is negligible if negl(k) < 1/k^c for any constant c > 0 and sufficiently large k. All logarithms log(·) are in base 2. We denote by x‖y the concatenation of vectors or matrices. For example, if x ∈ Z^n and y ∈ Z, then x‖y is a vector in Z^{n+1}. Similarly, if X ∈ Z^{n×m} and y ∈ Z^n, then X‖y is a matrix in Z^{n×(m+1)}.

Probability distributions. For a distribution µ, we use x ← µ to denote that x is sampled from the distribution µ, and for a set S we use x ← S to denote that x is sampled uniformly at random from the set S. We use X ≈_c Y, X ≈_s Y and X ≡ Y to denote that the distributions X and Y are computationally indistinguishable, statistically close and identically distributed, respectively (where in the case of computational indistinguishability we actually refer to ensembles of distributions parameterized by a security parameter).

Vector Norms. We define the ℓ_p-norm of x to be ‖x‖_p = (∑_i |x_i|^p)^{1/p} and the ℓ_∞-norm of x to be ‖x‖_∞ = max_i |x_i|. For simplicity, we use ‖·‖ for the ℓ_2-norm instead of ‖·‖_2. It is well known that ‖x‖_p ≤ n^{1/p − 1/q} ‖x‖_q for p ≤ q and ‖x‖_p ≤ ‖x‖_q for p > q.

Ring Zq. We identify Z_q with {−⌊q/2⌋, ..., ⌈q/2⌉ − 1}. For x ∈ Z_q, we denote by |x| the value in [0, ⌊q/2⌋] such that |x| = x if x < q/2 and |x| = q − x otherwise. Namely, |x| is the distance of x from 0 in Z_q. Similarly, for x ∈ Z_q^n we denote by ‖x‖ the ℓ_2-norm of x, namely ‖x‖ = √(∑ |x_i|^2), where |·| is as defined above. Finally, we denote by ⌊·⌉_q : Z_q → {0, 1} the function:

⌊x⌉_q = 0 if x ∈ [−⌊q/4⌋, ⌈q/4⌉], and ⌊x⌉_q = 1 otherwise.
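The rounding function ⌊·⌉_q just defined is what turns the approximate shared value of the one-round LWE key exchange discussed in Section 1.2 (Figure 7-1) into a key bit, and the disagreement that the amplification impossibility result refers to is already visible in a simulation. The following Python is an added example, not code from the thesis; the protocol shape (one LWE sample per party over a shared matrix A) and the parameters n = 8, q = 257 with uniform noise in [−2, 2] are assumptions chosen for illustration.

```python
import random

# Added example (not from the thesis): the Z_q conventions of this section and
# the rounding function ⌊·⌉_q, used to simulate the one-round LWE key exchange
# of Figure 7-1. The parameters used below are illustrative assumptions.


def centered(x, q):
    """Representative of x in Z_q identified with {-floor(q/2), ..., ceil(q/2) - 1}."""
    x %= q
    return x - q if x >= (q + 1) // 2 else x


def dist0(x, q):
    """|x|: the distance of x from 0 in Z_q (x if x < q/2, and q - x otherwise)."""
    x %= q
    return x if x < q / 2 else q - x


def round_q(x, q):
    """⌊x⌉_q = 0 if x ∈ [-floor(q/4), ceil(q/4)], and 1 otherwise."""
    c = centered(x, q)
    return 0 if -(q // 4) <= c <= -(-q // 4) else 1


def key_exchange(n, q, bound, rng):
    """One round of the LWE-based exchange over a shared uniform matrix A.

    Alice sends pA = A*sA + eA, Bob sends pB = A^T*sB + eB (mod q), and each
    rounds the inner product of the received message with its own secret.
    Both values equal sB^T A sA plus a different small cross term, so they
    agree unless the value lands near a rounding boundary.
    Returns (keyA, keyB, vA, vB, gap) with gap = vA - vB over the integers.
    """
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]
    sA, eA, sB, eB = ([rng.randint(-bound, bound) for _ in range(n)] for _ in range(4))
    pA = [(sum(A[i][j] * sA[j] for j in range(n)) + eA[i]) % q for i in range(n)]
    pB = [(sum(A[j][i] * sB[j] for j in range(n)) + eB[i]) % q for i in range(n)]
    vA = sum(pB[i] * sA[i] for i in range(n)) % q  # = sB^T A sA + <eB, sA>
    vB = sum(pA[i] * sB[i] for i in range(n)) % q  # = sB^T A sA + <eA, sB>
    gap = sum(eB[i] * sA[i] - eA[i] * sB[i] for i in range(n))
    return round_q(vA, q), round_q(vB, q), vA, vB, gap


def gap_is_consistent(n, q, bound, seed=1):
    """Check that vA - vB is exactly the noise cross term <eB,sA> - <eA,sB> (mod q)."""
    _, _, vA, vB, gap = key_exchange(n, q, bound, random.Random(seed))
    return (vA - vB - gap) % q == 0


def disagreement_rate(n, q, bound, trials, seed=0):
    """Fraction of runs in which the two rounded keys differ."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        kA, kB, _, _, _ = key_exchange(n, q, bound, rng)
        if kA != kB:
            bad += 1
    return bad / trials


if __name__ == "__main__":
    # With noise of magnitude 2 and n = 8 the cross term is comparable to the
    # width of the boundary region, so a noticeable fraction of runs disagree.
    print("disagreement rate:", disagreement_rate(8, 257, 2, 2000))
```

The disagreement rate does not vanish as trials are added: it is a property of the noise relative to the modulus, which is why the thesis's reconciliation functions must reduce it by other means than repetition.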

Binary Strings. We use bold and underlined small letters to refer to binary strings. Binary strings x ∈ {0, 1}^k of length k can also be viewed as vectors in Z^k. Every binary string x ∈ {0, 1}^k is mapped to a non-negative integer number through the nonlinear map bc : {0, 1}^* → Z_+ called bit composition, where bc(x) = ∑_{i=0}^{k−1} x_i · 2^i. It is trivial to see that actually bc is a bijective mapping, and hence we can define the inverse mapping bd : Z_+ → {0, 1}^* called bit decomposition, which is also easy to compute for any given number m ∈ Z_+. We extend the bit decomposition function bd to integer vectors, where bd(x) is the concatenation of the bit decompositions of the coordinates of the vector x. We also extend bd to integer matrices, where bd(A) is the concatenation of the bit decompositions of the entries of A. In this case, the bit composition function bc is no longer well-defined, because the output is either a number or a vector. For simplicity, we still use the notation bc and we clarify in each case whether the output is a number or a vector of numbers. When bd is applied to a set {m_1, ..., m_k}, the output is the set with the bit decomposition of each element, {bd(m_1), ..., bd(m_k)}.

Boolean Circuits. A boolean circuit $\mathcal{C}$ with $n$ inputs and 1 output is represented as a labeled directed acyclic graph with in-degree at most 2, exactly $n$ source nodes and exactly 1 sink node. Each source node is an input of $\mathcal{C}$ and the sink node is the output of $\mathcal{C}$. Each input node of $\mathcal{C}$ is labeled with a number in $[n]$ denoting the ordering of the input variables. Each node with in-degree 1 is labeled with one of the 2 boolean functions of 1 variable, $\{\mathrm{id}, \neg\}$. Each node with in-degree 2 is labeled with one of the 16 boolean functions of two variables, but for our purposes we use only the following five: nand, nor, xor, and, or, with corresponding symbols $\{\bar{\wedge}, \bar{\vee}, \oplus, \wedge, \vee\}$. Every boolean circuit defines a boolean function on $n$ variables, $\mathcal{C} : \{0, 1\}^n \to \{0, 1\}$. Let $\underline{x}$ be a binary string of length $n$, i.e. $\underline{x} \in \{0, 1\}^n$. The value $\mathcal{C}(\underline{x})$ of the circuit on input $\underline{x}$ is computed by evaluating the nodes of $\mathcal{C}$ one by one in a topological ordering of $\mathcal{C}$, starting from the input nodes; $\mathcal{C}(\underline{x})$ is then the value of the output node. The size $|\mathcal{C}|$ of $\mathcal{C}$ is the number of nodes in the graph of $\mathcal{C}$. Namely, in contrast to the usual notation, we use $|\mathcal{C}|$ to denote the sum of the number of inputs and the number of gates of $\mathcal{C}$.

Circuits. More generally, a circuit $\mathcal{C}$ with $n$ inputs and $m$ outputs is an ordered tuple of $m$ boolean circuits $\mathcal{C} = (\mathcal{C}_1, \dots, \mathcal{C}_m)$ and defines a function $\mathcal{C} : \{0, 1\}^n \to \{0, 1\}^m$, where $\mathcal{C}(\underline{x}) = (\mathcal{C}_1(\underline{x}), \dots, \mathcal{C}_m(\underline{x}))$. The size $|\mathcal{C}|$ of $\mathcal{C}$ is equal to $\sum_{i=1}^m |\mathcal{C}_i|$. Any polynomial-time procedure implies an equivalent circuit of polynomial size, since $\mathrm{P} \subseteq \mathrm{P/poly}$ (see [12]), where P/poly is the class of polynomial-sized circuits.

Chapter 2

Total Search Problems

The complexity of total search problems has drawn attention from the theoretical computer science community over the past decades. The class TFNP was defined by Megiddo and Papadimitriou [122] to be the class of all search problems whose decision is always affirmative. Papadimitriou [134] later defined numerous TFNP subclasses. We start with a high-level description of the most well-studied total complexity classes.

PLS. The class of problems whose totality is established using a potential function argument. Every finite directed acyclic graph has a sink.

PPA. The class of problems whose totality is proved through a parity argument. Any finite graph has an even number of odd-degree nodes.

PPAD. The class of problems whose totality is proved through a directed parity argument. All directed graphs of degree two or less have an even number of degree one nodes.

PPP. The class of problems whose totality is proved through a pigeonhole principle argument. Any map from a set S to itself either is onto or has a collision.

Using the same spirit two more classes were defined after [134], in [54] and [104].

[Figure 2-1 (diagram): the landscape of TFNP subclasses, with TFNP at the top; PPP, PPA and PLS below it; PWPP and PPADS below those; then PPAD and CLS, and FP at the bottom.]

Figure 2-1: The landscape of TFNP subclasses. A solid arrow $M_1 \to M_2$ denotes that $M_1 \subseteq M_2$, and a dashed arrow $M_1 \dashrightarrow M_2$ denotes an oracle separation relative to some oracle $\mathcal{O}$, $M_1^{\mathcal{O}} \not\subseteq M_2^{\mathcal{O}}$.

CLS. The class of problems whose totality is established using both a potential function argument and a parity argument.

PWPP. The class of problems whose totality is proved through a weak pigeonhole principle. Any map from a set S to a strict subset of S has a collision.

Oracle separations between all these classes are known [16], with the only exception of whether PLS is contained in PPP or PPADS (see Figure 2-1), although there has been progress in this direction [37].

2.1 Complete problems

Complete problems for TFNP subclasses provide a better understanding of the classes and give a complete picture of the computational complexity of the corresponding search problems. Especially in the case of natural problems, completeness results have been an essential middle step for proving the completeness of other search problems. The importance of finding natural complete problems can be compared to the significance of Sat for NP-completeness. Recently, a syntactic analog PTFNP of the semantic class TFNP was defined [81]. Goldberg and Papadimitriou [81] also identified a complete problem for this class and showed that all known TFNP subclasses belong to PTFNP.

PLS-completeness. The class PLS represents the complexity of local optimization problems. Important problems that are PLS-complete are the Local Max-Cut Problem [152], the Local Travelling Salesman Problem [133], and the problem of finding a Pure Nash Equilibrium [66]. Recently, important results for the smoothed complexity of the Local Max-Cut problem have appeared [65, 10, 48].

PPAD-completeness. Arguably, the most celebrated application of total search problems is the characterization of the complexity of finding a Nash equilibrium in terms of PPAD-completeness [53, 46]. This problem lies at the core of game theory and economics. The proof that Nash Equilibrium is PPAD-complete initiated a long line of research in the intersection of computer science and game theory and revealed connections between the two scientific communities that were unknown before (e.g. [62, 45, 161, 109, 47, 148, 149, 49, 153, 64]).

PPA-completeness. PPA-complete problems usually arise as the undirected generalizations of their PPAD-complete analogs. For example, Papadimitriou [134] showed that Sperner's Lemma in a 3-D cube is PPAD-complete, and later Grigni [94] showed that Sperner's Lemma in a 3-manifold consisting of the product of a Möbius strip and a line segment is PPA-complete. Since the Möbius strip is non-orientable, this is indeed a non-directed version of Sperner's Lemma. This approach leads to numerous other PPA-complete problems, all involving some circuit as part of their input [3, 56, 21]. Recently, Filos-Ratsikas and Goldberg [70, 71] identified natural PPA-complete problems, without a circuit as part of the input. This illustrates an interesting relation between PPA and the complexity of social choice theory problems.

CLS-completeness. The CLS class, defined in [54], captures the complexity of problems such as P-matrix LCP, computing KKT-points, and finding Nash equilibria in congestion and network coordination games. Recently, Daskalakis et al. [55] and Fearnley et al. [67] showed that the problem of finding a fixed point whose existence invokes Banach's Fixed Point Theorem is CLS-complete.

2.2 TFNP and Cryptography

There is an abundance of applications of total search problems in other scientific areas, such as Economics, Optimization and Social Choice. Some of these connections are apparent through natural complete problems, as is the case for the PPAD-completeness of NashEquilibrium [53] and the PPA-completeness of the ConsensusHalving, NecklaceSplitting and HamSandwich problems [70, 71]. The connection of TFNP with the area of Cryptography first appeared in [134], where Papadimitriou proved that if PPP = FP, then one-way permutations cannot exist. Buresh [38] showed that a special case of integer factorization belongs in PPA ∩ PPP. Later, Jerábek [104] generalized this result by proving that the general problem of factoring integers is in PPA ∩ PPP under randomized reductions. Recently, cryptographic assumptions were used to prove the average-case hardness of PPAD and CLS. All these works show the average-case hardness of the SinkOfVerifiableLine problem, which belongs in CLS [102], under varying cryptographic assumptions. Initially, the PPAD and CLS hardness was based on the assumption of indistinguishability obfuscation (iO) [28, 75]. Later works are based on more standard cryptographic assumptions and use the Fiat-Shamir heuristic [51, 52, 63, 166]. These works are implemented either in the Random Oracle Model (ROM) or, in certain cases, in the standard model using strong lattice-based assumptions [117]. Bitanski and Gerichter [25] diverge from the hardness results for CLS and show average-case hardness for PLS in the standard model based on a falsifiable assumption on bilinear groups and the Exponential Time Hypothesis for randomized algorithms. Rosen et al. [145] showed that average-case PPAD hardness does not imply one-way functions under black-box reductions. On the contrary, any hard-on-average problem in NP implies the average-case hardness of TFNP [101]. Finally, Komargodski et al. [111] proved that the existence of multi-collision resistant hash functions is related to the total search problem RAMSEY, which is not known to belong to any TFNP subclass. Interestingly, they prove that a variation of RAMSEY called colorful-Ramsey (C-RAMSEY) is PWPP-hard. Although this is an important result, the problem C-RAMSEY still invokes a circuit in the input and is not known to be in PWPP.

Furthermore, total search problems are useful in understanding the complexity of problems in lattice theory. The computational analog of Minkowski's theorem (Minkowski), a central problem in lattice theory and lattice-based Cryptography, is in PPP [13] and it is conjectured to be PPP-complete. This conjecture is supported by the fact that Minkowski reduces to Equal-Sums, a problem conjectured to be PPP-complete [134]. Additionally, the problem Number-Balancing is equivalent to a polynomial approximation of Minkowski's theorem in the $\ell_2$ norm (via Cook reductions in both directions) [99].

2.3 Reductions

The formal definition of TFNP requires the definition of the class of search problems whose decision version is in NP, called FNP.

Search Problems. A search problem in FNP is defined by a relation $\mathcal{R}$ such that for input $x$ of size $n$ and $y$ of size $\mathrm{poly}(n)$, $\mathcal{R}(x, y)$ is computable in time polynomial in $n$. A solution to the search problem with input $x$ is a $y$ of size $\mathrm{poly}(n)$ such that $\mathcal{R}(x, y)$ holds. The class of total search problems contains all problems of FNP that have a solution for every input. A search problem is total if for every input $x$ of size $n$, there exists a $y$ of size $\mathrm{poly}(n)$ such that $\mathcal{R}(x, y)$ holds. The class of total search problems in FNP is called TFNP. Reductions between search problems are defined similarly to reductions between decision problems. In fact, we can define Karp and Cook reductions as follows.

Karp Reductions Between Search Problems. We say that a search problem $P_1$ is Karp (or many-one) reducible to a search problem $P_2$ if there exist polynomial-time (in the input size of $P_1$) computable functions $f$ and $g$ such that if $x$ is an input of $P_1$, then $f(x)$ is an input of $P_2$, and if $y$ is any solution of $P_2$ with input $f(x)$, then $g(x, f(x), y)$ is a solution of $P_1$.

Cook Reductions Between Search Problems. We say that a search problem $P_1$ is Cook-reducible to a search problem $P_2$ if there exists a polynomial-time (in the input size of $P_1$) oracle-aided Turing machine $\mathcal{T}$ such that if $x$ is an input of $P_1$, $\mathcal{T}$ computes a solution of $P_1$ whenever all oracle calls provide solutions of $P_2$. The set of all search problems that are Cook-reducible to a problem $Q$ is denoted by $\mathrm{FP}^{Q}$.

2.4 Set Description Using Circuits

Let S ⊆ Nn and let bd(S) ⊆ {0, 1}k, where bd computes the bit decomposition of each element in S. There is an inherent connection between TFNP reductions and the succinct representation of subsets S using circuits. We define three such representations, the characteristic function, the value function, and the index function.

Characteristic Function. A characteristic function of a set $S$ is a function that takes value 1 if the element belongs to $S$ and 0 otherwise. Formally, a circuit $\mathbf{1}_S$ with $k$ binary inputs and one output is a characteristic function of $S$ if $\mathbf{1}_S(\mathrm{bd}(x)) = 1$ if and only if $x \in S$.

Value Function. A value function of a set $S$ maps each number in $[|S|]$ to a distinct element of $S$. Formally, let $(s, \mathcal{V}_S)$ be a tuple where $\mathcal{V}_S$ is a circuit with $\lceil \log(s) \rceil$ binary inputs and $k$ outputs, and $s \in \mathbb{Z}_+$. Let $f_{(s, \mathcal{V}_S)} : [s] \to \{0, 1\}^k$ be the function such that $f_{(s, \mathcal{V}_S)}(t) = \mathcal{V}_S(\mathrm{bd}(t))$ for all $t$ with $t < s$. Then $(s, \mathcal{V}_S)$ is a value function representing $S$ if and only if $f_{(s, \mathcal{V}_S)}$ is a bijective map between $[s]$ and $\mathrm{bd}(S)$. The value $\mathcal{V}_S(\mathrm{bd}(t))$ can be arbitrary when $t \ge s$.

Index Function. The index function of a set $S$ is the inverse of the value function. Namely, it maps each element of $S$ to a distinct number in $[|S|]$. Formally, let $(s, \mathcal{I}_S)$ be a tuple where $\mathcal{I}_S$ is a circuit with $k$ binary inputs and $\lceil \log(s) \rceil$ outputs, and $s \in \mathbb{Z}_+$. Let $f_{(s, \mathcal{I}_S)} : S \to [s]$ be the function such that $f_{(s, \mathcal{I}_S)}(x) = \mathrm{bc}(\mathcal{I}_S(\mathrm{bd}(x)))$ for all $x \in S$. Then $(s, \mathcal{I}_S)$ is an index function of $S$ if and only if $f_{(s, \mathcal{I}_S)}$ is a bijective map between $S$ and $[s]$. The value $\mathcal{I}_S(\mathrm{bd}(x))$ can be arbitrary when $x \notin S$.

We remark that given a succinct representation of S, it is computationally expensive to compute |S|, thus we provide it explicitly using the value s. Even though the input and the output of each circuit are binary vectors, we often abuse notation and denote them as elements in N or Nn. For instance, even though formally the input and output of 풱S are in bd([s]) and bd(S) respectively, we occasionally use 풱S(t) to denote a vector in S.

We illustrate the above definitions of succinct set representations in the simple case of the set $([0, L_1] \times \cdots \times [0, L_n]) \cap \mathbb{Z}^n$. Although this is an elementary example, it is a useful ingredient for our reductions.

Lemma 2.4.1. Let $L_1, \dots, L_n > 0$ and $S = ([0, L_1] \times \cdots \times [0, L_n]) \cap \mathbb{Z}^n$. There exist:

1. a characteristic function $\mathbf{1}_S$ of $S$, where $|\mathbf{1}_S| = O(n \max_i \mathrm{polylog}(L_i))$,
2. a value function $(\mathcal{V}_S, s)$ of $S$, where $|\mathcal{V}_S| = O(n^2 \max_i \mathrm{polylog}(L_i))$, and
3. an index function $(\mathcal{I}_S, s)$ of $S$, where $|\mathcal{I}_S| = O(n^2 \max_i \mathrm{polylog}(L_i))$.

Proof. Let $\ell_1 = \lfloor L_1 \rfloor + 1, \dots, \ell_n = \lfloor L_n \rfloor + 1$.

1. Given the bit decomposition of a vector $x \in \mathbb{N}^n$, we can easily test if $x$ belongs to $S$ by checking whether $x_i \le L_i$ for all $i$. Such a comparison needs $O(\log L_i)$ boolean gates, and hence the size of $\mathbf{1}_S$ is $O(n \max_i \mathrm{polylog}(L_i))$.

2. Let $t$ be the input to our value function; then we set $\mathcal{V}_S(t)$ to be the $t$-th vector in the lexicographical ordering of $\mathrm{bd}(S)$. We compute this vector $x \in \mathbb{N}^n$ iteratively. We first compute $x_1$. For any $m \in \mathbb{Z}_+$, the number of vectors in $S$ with $x_1 = m$ is equal to $\prod_{i=2}^n \ell_i$, and hence the number of vectors with $x_1 \le m$ is equal to $(m + 1) \cdot \prod_{i=2}^n \ell_i$. Therefore, $x_1 = \left\lfloor (t - 1) / \prod_{i=2}^n \ell_i \right\rfloor$. We repeat the same procedure for the other coordinates. For instance, we compute $x_2$ as the first coordinate of the $\left(t - \left(\prod_{i=2}^n \ell_i\right) \cdot \left\lfloor t / \prod_{i=2}^n \ell_i \right\rfloor\right)$-th vector in the set $S' = ([0, L_2] \times \cdots \times [0, L_n]) \cap \mathbb{Z}^{n-1}$. This iterative procedure requires a circuit of size $O(n^2 \max_i \mathrm{polylog}(L_i))$.

3. Let $x \in S$ be the input vector of our index function. We set $\mathcal{I}_S(x)$ to be the position of $x$ in the lexicographical ordering of $\mathrm{bd}(S)$. The number of vectors $y \in S$ with $y_1 < x_1$ is equal to $x_1 \cdot \prod_{i=2}^n \ell_i$. Therefore, using an iterative procedure similar to $\mathcal{V}_S$, we compute the lexicographical index with a circuit of size $O(n^2 \max_i \mathrm{polylog}(L_i))$.
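The three representations of Lemma 2.4.1 for the box set, as an added Python example (not code from the thesis). The box is described by the list L, the value function is the mixed-radix (lexicographic) decomposition of the proof written with 0-indexed positions t in {0, ..., s-1}, and the index function is its inverse. The bit composition bc and bit decomposition bd of the preliminaries are included so that the value function can also be evaluated on a bit-string input, as the circuit V_S would be; the per-coordinate bit width used there is the example's own choice.

```python
from itertools import product
from math import prod

# Bit composition / decomposition (least significant bit first).
def bc(bits):
    """bc(x) = sum_i x_i * 2^i."""
    return sum(b << i for i, b in enumerate(bits))

def bd(m, k):
    """Bit decomposition of a non-negative integer m into exactly k bits."""
    return tuple((m >> i) & 1 for i in range(k))

# The box S = ([0, L_1] x ... x [0, L_n]) ∩ Z^n.  As in the proof of Lemma 2.4.1,
# l_i = floor(L_i) + 1 is the number of admissible values {0, ..., floor(L_i)} of x_i.
def sizes(L):
    return [int(Li) + 1 for Li in L]

def characteristic(L, x):
    """1_S(x): 1 iff x is in S, decided by the coordinate-wise comparison x_i <= L_i."""
    return int(len(x) == len(L) and all(0 <= xi <= Li for xi, Li in zip(x, L)))

def value(L, t):
    """V_S(t): the t-th vector (0-indexed) of S in lexicographic order.
    Coordinate x_1 is t // prod(l_2..l_n), because exactly prod(l_2..l_n) vectors share each
    value of x_1; the remainder indexes the same problem on the last n-1 coordinates."""
    l = sizes(L)
    s = prod(l)
    if not 0 <= t < s:
        raise ValueError("V_S is only specified for t < s")   # arbitrary value otherwise
    x = []
    for i in range(len(l)):
        block = prod(l[i + 1:])   # vectors that agree with x on the first i coordinates
        x.append(t // block)
        t -= x[-1] * block
    return tuple(x)

def value_on_bits(L, bits):
    """The circuit view of V_S: input is bd(t), output is bd of each coordinate of V_S(t).
    The width k per coordinate (enough bits for floor(L_i)) is a choice made for this example."""
    k = max(int(Li).bit_length() for Li in L) or 1
    return tuple(b for xi in value(L, bc(bits)) for b in bd(xi, k))

def index(L, x):
    """I_S(x): the position of x in lexicographic order; x_1 * prod(l_2..l_n) vectors precede
    x because of their first coordinate alone, and so on for each further coordinate."""
    l = sizes(L)
    if not characteristic(L, x):
        raise ValueError("I_S is only specified on elements of S")
    return sum(xi * prod(l[i + 1:]) for i, xi in enumerate(x))

def check_bijection(L):
    """Brute-force check that value() enumerates S in lexicographic order and index() inverts it."""
    l = sizes(L)
    s = prod(l)
    pts = sorted(product(*[range(li) for li in l]))   # S enumerated in lexicographic order
    ok = all(value(L, t) == pts[t] and index(L, pts[t]) == t for t in range(s))
    return s, ok
```

The value-function loop touches each of the n coordinates once and does one division per coordinate on numbers of at most n·max_i log(L_i) bits, which is where the n^2·polylog size bound of the lemma comes from.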

Chapter 3

Lattices

Lattices have been extensively studied, especially in connection to number theory and group theory. Recently, a series of breakthrough works [4, 142, 77, 36] initiated a phenomenal change in Cryptography and set the foundations of lattice-based cryptography. Lattice-based assumptions are the only known building blocks for many advanced cryptographic primitives, such as fully-homomorphic encryption [77, 36]. Additionally, many lattice-based cryptographic constructions enjoy strong security based on worst-case lattice problems and are thought to withstand quantum attacks.

Lattice. An $n$-dimensional lattice $\mathcal{L}$ is an additive subgroup of $\mathbb{R}^n$. Every lattice is finitely generated as the set of all integer linear combinations of a set of linearly independent vectors $B$. We call this set a basis of the lattice and its cardinality the rank of the lattice. If the rank is equal to $n$, then $\mathcal{L}$ is a full-rank lattice. We denote by $\mathcal{L}(A)$ the lattice generated by a set of vectors $A$ (which might or might not be a basis) and by $B(A)$ a basis of the lattice $\mathcal{L}(A)$. For $t \in \mathbb{R}^n$, we define the distance of $t$ from the lattice $\mathcal{L}$ as $\mathrm{dist}(t, \mathcal{L}) = \min_{x \in \mathcal{L}} \|x - t\|$. Finally, let $V_0 = \{0\}$ and $V_i = \mathrm{span}(v_1, \dots, v_i)$ for $i \ge 1$; then the successive minima of a lattice are defined as follows:

$$\lambda_i(\mathcal{L}(B)) = \min_{x \in \mathcal{L} \setminus V_{i-1}} \|x\|, \quad \text{for } i = 1, \dots, n,$$

where $\|v_i\| = \lambda_i(\mathcal{L}(B))$. In particular, $\lambda_1(\mathcal{L})$ is the length of the shortest non-zero lattice vector, $\lambda_1(\mathcal{L}) = \min_{x \in \mathcal{L} \setminus \{0\}} \|x\|$.

Given a lattice, there exists an efficient procedure for finding a basis. Additionally, multiplying a basis with a unimodular matrix does not alter the lattice. These two easy facts are formalized in the following lemma, which we state without a proof.

Lemma 3.0.1. Let $A \in \mathbb{Z}^{m \times n}$ represent a set of $n$-dimensional vectors; then there is an efficient algorithm to compute $B(A)$. Namely, given a generating set of a lattice $\mathcal{L}$, we can efficiently compute a basis for $\mathcal{L}$. Let $B \in \mathbb{Z}^{n \times n}$ and let $U \in \mathbb{Z}^{n \times n}$ be a unimodular matrix, i.e. $\det(U) = \pm 1$; then $\mathcal{L}(B) = \mathcal{L}(BU)$.

We define some additional notions that are pivotal in lattice theory.

Fundamental Parallelepiped. The fundamental parallelepiped of $\mathcal{L}(B)$ is the set $\mathcal{P}(B) = \{\sum_{i=1}^n t_i b_i : 0 \le t_i < 1\}$. Given a full-rank lattice $\mathcal{L}(B)$, we define the operator $(\bmod\ \mathcal{P}(B))$ which on input $x \in \mathbb{R}^n$ outputs $y = B\left(B^{-1}x - \lfloor B^{-1}x \rfloor\right)$. We denote this operation by $y = x \pmod{\mathcal{P}(B)}$.

Determinant. The determinant of a lattice is the volume of the fundamental parallelepiped. Namely, $\det(\mathcal{L}(B)) = \sqrt{\det(B^T B)}$, and simply $\det(\mathcal{L}(B)) = |\det(B)|$ for full-rank lattices.

Lattice Cosets. The lattice coset for $c \in \mathbb{R}^n$ is $\mathcal{L} + c = \{x + c : x \in \mathcal{L}\}$. The set of integer cosets of $\mathcal{L}(B)$ is $\mathrm{Co}(\mathcal{L}(B)) = \{\mathcal{L}(B) + c \mid c \in \mathbb{Z}^n\}$.

Proposition 3.0.2 reveals a fundamental relation between $\mathcal{P}(\mathcal{L}(B))$, $\det(\mathcal{L}(B))$, and $\mathrm{Co}(\mathcal{L}(B))$.

Proposition 3.0.2. Let $B \in \mathbb{Z}^{n \times n}$ be a set of $n$-dimensional linearly independent vectors; then $\det(\mathcal{L}(B)) = |\mathrm{Co}(\mathcal{L}(B))| = |\mathcal{P}(\mathcal{L}(B)) \cap \mathbb{Z}^n|$.
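The reduction modulo a fundamental parallelepiped and the counting identity of Proposition 3.0.2, as an added Python example that is not part of the thesis. It works over exact rationals, takes the basis vectors as the columns of B, and verifies on a small full-rank integer basis (the example's own choice) that |det(B)| equals both the number of integer points in 풫(B) and the number of distinct integer cosets, i.e. the number of distinct values of c (mod 풫(B)) over integer c.

```python
from fractions import Fraction
from itertools import product
from math import floor

def solve(B, x):
    """Exact B^{-1} x by Gauss-Jordan elimination over Q (columns of B are the basis vectors)."""
    n = len(B)
    M = [[Fraction(B[i][j]) for j in range(n)] + [Fraction(x[i])] for i in range(n)]
    for c in range(n):
        p = next(r for r in range(c, n) if M[r][c] != 0)   # B is full-rank, so a pivot exists
        M[c], M[p] = M[p], M[c]
        M[c] = [v / M[c][c] for v in M[c]]
        for r in range(n):
            if r != c and M[r][c] != 0:
                f = M[r][c]
                M[r] = [a - f * b for a, b in zip(M[r], M[c])]
    return [M[i][n] for i in range(n)]

def determinant(B):
    """det(B) by Laplace expansion (fine for the small dimensions used here)."""
    n = len(B)
    if n == 1:
        return Fraction(B[0][0])
    return sum((-1) ** j * Fraction(B[0][j]) * determinant([row[:j] + row[j + 1:] for row in B[1:]])
               for j in range(n))

def mod_parallelepiped(B, x):
    """x (mod P(B)) = B (B^{-1} x - floor(B^{-1} x)); the result lies in P(B) and x - result is in L(B)."""
    t = solve(B, x)
    frac = [ti - floor(ti) for ti in t]                     # coefficients moved into [0, 1)
    n = len(B)
    return tuple(sum(Fraction(B[i][j]) * frac[j] for j in range(n)) for i in range(n))

def in_lattice(B, x):
    """x in L(B) iff all coordinates of B^{-1} x are integers."""
    return all(ti.denominator == 1 for ti in solve(B, x))

def integer_points_in_P(B, bound):
    """P(B) ∩ Z^n, found by scanning the box [-bound, bound]^n (bound must contain P(B))."""
    n = len(B)
    return [x for x in product(range(-bound, bound + 1), repeat=n)
            if all(0 <= ti < 1 for ti in solve(B, x))]

def count_integer_cosets(B, bound):
    """|Co(L(B))|: distinct residues c (mod P(B)) over integer c in the scanned box.
    Integer residues are exactly the integer points of P(B), so the box must contain P(B)."""
    residues = {mod_parallelepiped(B, c) for c in product(range(-bound, bound + 1), repeat=len(B))}
    return len(residues)

def proposition_3_0_2_holds(B, bound):
    d = abs(determinant(B))
    return d == len(integer_points_in_P(B, bound)) == count_integer_cosets(B, bound)

# Constructed example basis: columns b1 = (2, 0), b2 = (1, 3), so det = 6 and P(B) ⊂ [0, 3)^2.
B_EXAMPLE = [[2, 1], [0, 3]]
```

The reduction modulo 풫(B) is the map σ used in Chapter 4: two integer vectors with the same residue differ by a lattice vector, and a residue of zero means the vector itself is in the lattice.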

A special family of lattices with numerous applications in Cryptography is the family of q-ary lattices.

q-ary Lattice. A lattice $\mathcal{L}$ is called a $q$-ary lattice if $q\mathbb{Z}^n \subseteq \mathcal{L}$. Equivalently, $\mathcal{L}$ is $q$-ary if $x \in \mathcal{L}$ if and only if $(x \bmod q) \in \mathcal{L}$. We denote a $q$-ary lattice by $\Lambda_q$. More specifically, we define the following two types of $q$-ary lattices:

$$\Lambda_q(A) = \left\{ x \in \mathbb{Z}^n : \exists s \in \mathbb{Z}^m \text{ s.t. } x^T = s^T A \pmod q \right\}, \tag{3.0.1}$$

$$\Lambda_q^{\perp}(A) = \left\{ x \in \mathbb{Z}^n : A x = 0 \pmod q \right\}. \tag{3.0.2}$$

The two types of q-ary lattices are connected through the notion of duality.

Dual Lattice. Let ℒ(B) be a lattice, then the dual lattice of ℒ contains all vectors in span(B) that have integer inner product with ℒ. We denote the dual lattice with ℒ*. That is, ℒ* = {y ∈ span(B) : ∀x ∈ ℒ, ⟨y, x⟩ ∈ Z}.

The following lemma shows the connection between $\Lambda_q$ and $\Lambda_q^{\perp}$. For a simple proof, we refer to [9].

Lemma 3.0.3. Let $A \in \mathbb{Z}_q^{m \times n}$; then:

1. $\Lambda_q^{\perp}(A) = q \cdot \Lambda_q(A)^{*}$,
2. $\det\left(\Lambda_q^{\perp}(A)\right) \le q^n$,
3. there exists an efficient algorithm that on input $A$ computes $B \in \mathbb{Z}^{m \times n}$ such that $\Lambda_q^{\perp}(A) = \mathcal{L}(B)$.

3.1 Computational Lattice Problems

We recall some of the most well-studied lattice problems. We define these problems for full-rank lattices, but they are easily adapted to general lattices. Furthermore, we define the decisional Bounded Distance Decoding (dBDD) problem and present a reduction from dBDD to the GapSVP problem, showing that dBDD is (up to polynomial loss in the parameters) at most as hard as GapSVP.

The shortest vector problem (SVP). For a given parameter $\gamma \ge 1$, the search problem $\gamma$-SVP with input a basis $B \in \mathbb{Z}^{n \times n}$ outputs a lattice vector $v \in \mathcal{L}(B)$ such that $\|v\| \le \gamma \cdot \lambda_1(\mathcal{L}(B))$.

The short independent vectors problem (SIVP). For a given parameter $\gamma \ge 1$, the search problem $\gamma$-SIVP with input a basis $B \in \mathbb{Z}^{n \times n}$ outputs a set of $n$ linearly independent lattice vectors $v_1, \dots, v_n$ such that $\max_i \|v_i\| \le \gamma \cdot \lambda_n(\mathcal{L}(B))$.

The closest vector problem (CVP). For a given parameter γ ≥ 1, the search problem γ-CVP with input a basis B ∈ Zn×n and a target vector t ∈ Rn outputs a lattice vector v such that ‖v − t‖ ≤ γ · dist(v, ℒ(B)).

The GapSVP. For a given parameter $\gamma > 1$, the promise problem $\mathrm{GapSVP}_\gamma = (\mathrm{GapSVP}^{\mathrm{Yes}}, \mathrm{GapSVP}^{\mathrm{No}})$ with input a basis $B \in \mathbb{Z}^{n \times n}$ and a parameter $r > 0$ is defined as:

- $(B, r) \in \mathrm{GapSVP}^{\mathrm{Yes}}$ if $\lambda_1(\mathcal{L}(B)) < r$, and
- $(B, r) \in \mathrm{GapSVP}^{\mathrm{No}}$ if $\lambda_1(\mathcal{L}(B)) > \gamma r$.

The bounded distance decoding (BDD) problem. For a given parameter $\alpha \ge 1$, the promise search problem $\mathrm{BDD}_\alpha$ with input a basis $B \in \mathbb{Z}^{n \times n}$ and a target vector $t \in \mathbb{R}^n$ such that $\mathrm{dist}(\mathcal{L}(B), t) < \frac{\lambda_1(\mathcal{L}(B))}{\alpha}$ outputs a lattice vector $v \in \mathcal{L}(B)$ such that $\|t - v\| = \mathrm{dist}(\mathcal{L}(B), t)$.

The decisional version of BDD is a promise problem which checks whether a target vector is close, in terms of $\lambda_1$, to the lattice.

The decisional Bounded Distance Decoding (dBDD) Problem. For given parameters $\alpha \ge 1$ and $\gamma > 1$, the promise problem $\mathrm{dBDD}_{\alpha,\gamma} = (\mathrm{dBDD}^{\mathrm{Yes}}, \mathrm{dBDD}^{\mathrm{No}})$ with input a basis $B \in \mathbb{Z}^{n \times n}$ and a target vector $t \in \mathbb{R}^n$ is defined as:

- $(B, t) \in \mathrm{dBDD}^{\mathrm{Yes}}$ if $\mathrm{dist}(t, \mathcal{L}(B)) \le \frac{\lambda_1(\mathcal{L}(B))}{\alpha}$, and
- $(B, t) \in \mathrm{dBDD}^{\mathrm{No}}$ if $\mathrm{dist}(t, \mathcal{L}(B)) > \gamma \cdot \frac{\lambda_1(\mathcal{L}(B))}{\alpha}$.

Regarding the complexity of the dBDD problem, we show that it is at most as hard as the well-studied GapSVP.

Proposition 3.1.1. Let $\gamma > 1$ and $\alpha \ge 1$ be polynomially bounded; then the problem $\mathrm{dBDD}_{\alpha,\gamma}$ is Cook-reducible to $\mathrm{GapSVP}_{\min(\sqrt{\gamma},\, \alpha/2)}$.

Proof. Let $(B, t)$ be the input of $\mathrm{dBDD}_{\alpha,\gamma}$. Using binary search and a $\mathrm{GapSVP}_{\sqrt{\gamma}}$ oracle, we compute an $r$ such that $\frac{\lambda_1(\mathcal{L}(B))}{\sqrt{\gamma}} \le r \le \sqrt{\gamma} \cdot \lambda_1(\mathcal{L}(B))$. Additionally, $\mathrm{BDD}_\alpha$ is reducible to $\mathrm{GapSVP}_{\alpha/2}$ for polynomially bounded $\alpha$ [120]. Therefore, using the $\mathrm{GapSVP}_{\alpha/2}$ oracle we find an alleged $\mathrm{BDD}_\alpha$-solution $v$ for the instance $(B, t)$. If $v \in \mathcal{L}(B)$ and $\|t - v\| \le \sqrt{\gamma} \cdot \frac{r}{\alpha}$, we output 1. Else, we output 0.

Indeed, if $(B, t) \in \mathrm{dBDD}^{\mathrm{Yes}}_{\alpha,\gamma}$, there is a vector $v \in \mathcal{L}(B)$ such that $\|t - v\| \le \frac{\lambda_1(\mathcal{L}(B))}{\alpha}$, and using the reduction from $\mathrm{BDD}_\alpha$ to $\mathrm{GapSVP}_{\alpha/2}$ we find $v$. On the other hand, if $(B, t) \in \mathrm{dBDD}^{\mathrm{No}}_{\alpha,\gamma}$, then for every vector $v \in \mathcal{L}(B)$ it holds that $\|t - v\| > \gamma \cdot \frac{\lambda_1(\mathcal{L}(B))}{\alpha} \ge \sqrt{\gamma} \cdot \frac{r}{\alpha}$, so we always output 0.

3.2 Cryptographic assumptions

The first lattice-based cryptographic assumption introduced by Ajtai [4] is the Short Integer Solution (SIS) assumption.

The SIS assumption. The Short Integer Solution (SIS) assumption in the $\ell_2$ norm with parameters $n, m, q, B$, denoted by $\mathrm{SIS}_{n,m,q,B}$, states that given a matrix $A \leftarrow \mathbb{Z}_q^{n \times m}$ it is hard to find a vector $x \in \mathbb{Z}^m \setminus \{0\}$ such that $\|x\|_2 \le B$ and $Ax = 0 \pmod q$. When considering the $\ell_p$ norm instead of $\ell_2$, we use the notation $\mathrm{SIS}^{p}$. Specifically, for $\ell_\infty$ we write $\mathrm{SIS}^{\infty}$.

The Learning with Errors (LWE) assumption was introduced by Regev [142] and has emerged as a predominant cryptographic assumption.

The LWE assumption. The (Decisional) Learning With Errors (LWE) assumption with parameters $n, m, q, \mathcal{E}$, denoted by $\mathrm{LWE}_{n,m,q,\mathcal{E}}$, states that:

$$(A, b) \approx_c (A, r)$$

where $A \leftarrow \mathbb{Z}_q^{n \times m}$, $b^T = s^T A + e^T \pmod q$, $s \leftarrow \mathbb{Z}_q^n$, $e \leftarrow \mathcal{E}^m$ and $r \leftarrow \mathbb{Z}_q^m$. When $m = \mathrm{poly}(n, \log(q))$, we omit it and write $\mathrm{LWE}_{n,q,\mathcal{E}}$.

The distribution ℰ is a probability distribution over Z which typically outputs small numbers. Classic choices of ℰ are the uniform distribution over [−B, B] ∩ Z, which is called bounded uniform, and the (one-dimensional) discrete Gaussian. When the error distribution ℰ is the discrete Gaussian with standard deviation β, we denote the LWE problem with parameters n,m, and q by LWEn,m,q,β.
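The $\mathbb{Z}_q$ conventions of Chapter 1 (centered representatives, $|x|$, the rounding function $\lfloor \cdot \rceil_q$) together with an LWE sample with bounded-uniform error, as an added Python example that is not part of the thesis. Beyond the definitions, it shows what the rounding function is built for: with the correct secret the residual $b^T - s^T A$ is exactly the small error vector, and a bit placed at $\lfloor q/2 \rfloor$ on top of an LWE sample is recovered exactly by $\lfloor \cdot \rceil_q$ when $q$ is a multiple of 4 and the error bound satisfies $B < q/4$. The parameters, the payload encoding and the seed are the example's own choices.

```python
import random

def centered(x, q):
    """Representative of x in Z_q = {-floor(q/2), ..., ceil(q/2) - 1}."""
    x %= q
    return x - q if x >= (q + 1) // 2 else x

def absq(x, q):
    """|x| for x in Z_q: x if x < q/2 and q - x otherwise (distance of x from 0 in Z_q)."""
    x %= q
    return x if 2 * x < q else q - x

def round_q(x, q):
    """⌊x⌉_q: 0 if x lies in [-floor(q/4), ceil(q/4)] as an element of Z_q, 1 otherwise."""
    c = centered(x, q)
    return 0 if -(q // 4) <= c <= -(-q // 4) else 1

def lwe_sample(n, m, q, B, rng):
    """(A, b) with b^T = s^T A + e^T (mod q), s uniform in Z_q^n, e bounded-uniform in [-B, B]^m."""
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.randint(-B, B) for _ in range(m)]
    b = [(sum(s[i] * A[i][j] for i in range(n)) + e[j]) % q for j in range(m)]
    return A, b, s, e

def max_residual(A, b, s, q):
    """max_j |b_j - (s^T A)_j| in Z_q; equals max_j |e_j| for the true secret."""
    n, m = len(A), len(b)
    return max(absq(b[j] - sum(s[i] * A[i][j] for i in range(n)), q) for j in range(m))

def residual_matches_error(n, m, q, B, seed=7):
    """With the true secret the residual is the error, so its size is bounded by B."""
    A, b, s, e = lwe_sample(n, m, q, B, random.Random(seed))
    return max_residual(A, b, s, q) == max(abs(x) for x in e) <= B

def encode_bit(s, a, e, mu, q):
    """c = <s, a> + e + mu * floor(q/2) (mod q): the payload bit sits half a cycle away from 0."""
    return (sum(si * ai for si, ai in zip(s, a)) + e + mu * (q // 2)) % q

def decode_bit(s, a, c, q):
    """Strip <s, a> and round: the error alone rounds to 0, error + floor(q/2) rounds to 1."""
    return round_q(c - sum(si * ai for si, ai in zip(s, a)), q)

def roundtrip_ok(n, q, B, trials, seed=1):
    """Encode and decode both bit values on fresh samples; exact when 4 | q and B < q/4."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    for _ in range(trials):
        a = [rng.randrange(q) for _ in range(n)]
        e = rng.randint(-B, B)
        for mu in (0, 1):
            if decode_bit(s, a, encode_bit(s, a, e, mu, q), q) != mu:
                return False
    return True
```

The margin matters: with $q = 64$ the rounding interval is $[-16, 16]$, so an error of magnitude 16 added to $\lfloor q/2 \rfloor = 32$ lands back inside it and a bit 1 would decode as 0; keeping $B < q/4$ excludes that case.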

Discrete Gaussian. For $q \in \mathbb{N} \setminus \{0\}$ and parameter $\beta > 0$, the discrete Gaussian probability distribution $\mathcal{D}_\beta$ is simply the Gaussian distribution restricted to $\mathbb{Z}$:

$$\mathcal{D}_\beta(x) \propto \begin{cases} \exp\left(-\pi |x|^2 / (\beta q)^2\right) & \text{if } x \in \mathbb{Z} \\ 0 & \text{otherwise.} \end{cases}$$

An important and unique feature of lattice-based cryptographic assumptions is that their average-case hardness is based on the worst-case hardness of computational lattice problems. In particular, solving the SIS problem on average is at least as hard as solving n-SIVP [4, 126, 78, 125]. Also, we know both quantum and classical reductions to average-case LWE from lattice problems [142], including a classical reduction from worst-case O(n)-GapSVP [135, 35]. A useful and simple fact is that if we sample the secret vector $s$ from the noise distribution $\mathcal{E}$ instead of the uniform distribution, then the LWE assumption still holds. We call this assumption LWE with short secret and denote it by ss-LWE.

Lemma 3.2.1. There is a polynomial-time reduction from $\mathrm{ss\text{-}LWE}_{n,m,q,\mathcal{E}}$ to $\mathrm{LWE}_{n,m,q,\mathcal{E}}$ and a polynomial-time reduction from $\mathrm{LWE}_{n,m,q,\mathcal{E}}$ to $\mathrm{ss\text{-}LWE}_{n,m+n,q,\mathcal{E}}$.

Additionally, if $A \leftarrow \mathbb{Z}_q^{n \times m}$ with $m$ large enough, there is a unique secret vector $s$ such that $b^T \approx s^T A$. The proof of this fact follows from bounding the shortest vector in the lattice and observing that if $s_1, s_2$ are such that $s_1^T A \approx s_2^T A$, then $(s_1^T - s_2^T) A \approx 0$. The following lemma can be shown by a standard argument with a union bound over all nonzero vectors $s \in \mathbb{Z}_q^n$.

Lemma 3.2.2. Let $n, q \in \mathbb{N}$ and $m \ge 2n \log(q)$. Then

$$\Pr_{A \leftarrow \mathbb{Z}_q^{n \times m}}\left[\lambda_1(\Lambda_q(A)) \le q/4\right] \le q^{-n}.$$

In most practical applications, where efficiency is an important factor, a special case of LWE called ring LWE (RLWE) is used.

The ring LWE (RLWE) assumption. Let $q \ge 2$ be a power of 2, $R = \mathbb{Z}[x]/(x^k + 1)$ and $R_q := R/(qR)$ be the ring $R$ with coefficients reduced modulo $q$. The (Decisional) Ring Learning With Errors (RLWE) assumption with parameters $n, q, \mathcal{E}$, denoted by $\mathrm{RLWE}_{n,q,\mathcal{E}}$, states that:

$$(a_i, b_i)_{i \in [n]} \approx_c (a_i, r_i)_{i \in [n]}$$

where $s \leftarrow R_q$ and for each $i \in [n]$, $a_i \leftarrow R_q$, $b_i = s \cdot a_i + e_i \pmod{qR}$, $e_i \leftarrow \mathcal{E}$, and $r_i \leftarrow R_q$.

Chapter 4

Pigeonhole Principle Arguments

There are two TFNP subclasses that capture the complexity of arguments based on the pigeonhole principle. The class PPP was introduced together with various other TFNP subclasses in [134]. The class PWPP, which is a subclass of PPP, was defined in a subsequent work [104]. The classes PPP and PWPP consist of all search problems that are Karp-reducible to the computational problems PIGEONHOLE CIRCUIT and COLLISION respectively.

PIGEONHOLE CIRCUIT Problem.
Input: A circuit $\mathcal{C}$ with $n$ inputs and $n$ outputs.
Output: One of the following:
1. a binary vector $\underline{x}$ such that $\mathcal{C}(\underline{x}) = \underline{0}$, or
2. two binary vectors $\underline{x} \ne \underline{y}$ such that $\mathcal{C}(\underline{x}) = \mathcal{C}(\underline{y})$.

COLLISION Problem.
Input: A circuit $\mathcal{C}$ with $n$ inputs and $m$ outputs with $m < n$.
Output: Two binary vectors $\underline{x} \ne \underline{y}$ such that $\mathcal{C}(\underline{x}) = \mathcal{C}(\underline{y})$.

4.1 Overview of the Results

Our technically most challenging result is to identify the first natural complete problem for both classes PPP and PWPP, which we denote by cSIS and weak-cSIS respectively. Additionally, we show that another well-studied problem from lattice theory, called BLICHFELDT, is PPP-complete. Even though this problem is not natural, namely it contains a circuit as part of its input, finding its computational complexity leads to interesting corollaries in the intersection of TFNP and lattice theory. Even though in the overview we focus on the case of PPP-completeness, our techniques generalize to PWPP. Let $\mathcal{L} = \mathcal{L}(B) := B\mathbb{Z}^n$ be a lattice with basis $B$ and fundamental parallelepiped $\mathcal{P}(\mathcal{L}) := B[0, 1)^n$.

BLICHFELDT is PPP-complete. Blichfeldt's theorem states that if a set $S$ has volume larger than the volume of $\mathcal{P}(\mathcal{L})$, then it must contain two distinct vectors whose difference belongs to the lattice $\mathcal{L}$. Its computational analog, called BLICHFELDT, takes as input the basis $B$ and a set $S \subseteq \mathbb{Z}^n$ of cardinality greater than or equal to the volume of $\mathcal{P}(\mathcal{L})$ and outputs either a point in $S$ that belongs to $\mathcal{L}$, or two (different) points in $S$ such that their difference belongs to $\mathcal{L}$. A solution to this problem always exists, as we explain later. Finding a solution to BLICHFELDT becomes trivial if the input representation of $S$ has length proportional to its size, i.e. we iterate over all pairs of elements of $S$. Hence, the interesting regime of the problem is when $S$ is represented succinctly. For this reason, we assume that the set $S$ is given through a value function. Informally, a value function for a set $S$ is a small circuit that takes as input an index $i \in [|S|]$ and outputs $s_i \in S$. We refer to Section 2.4 for a formal definition of value functions and a simple example. We prove that BLICHFELDT captures the class PPP. The formal proof of the following theorem appears in Section 4.2.

Theorem 4.2.5. The BLICHFELDT problem is PPP-complete.

BLICHFELDT ∈ PPP. We define the map $\sigma : \mathbb{Z}^n \to \mathcal{P}(\mathcal{L}) \cap \mathbb{Z}^n$ that reduces any point in $\mathbb{Z}^n$ modulo the parallelepiped $\mathcal{P}(\mathcal{L})$, i.e. $\sigma(v) = v \pmod{\mathcal{P}(\mathcal{L})}$. To efficiently check if $v \in \mathcal{L}$, we simply check whether $\sigma(v) = 0$. Also, if $\sigma(x) = \sigma(y)$, then $x - y \in \mathcal{L}$. We show that $\mathrm{vol}(\mathcal{P}(\mathcal{L})) = |\mathcal{P}(\mathcal{L}) \cap \mathbb{Z}^n|$, and hence $|S| \ge |\mathcal{P}(\mathcal{L}) \cap \mathbb{Z}^n|$. It follows by a pigeonhole principle argument that among the elements $\sigma(v)$ where $v \in S$, there is either a collision, i.e. $x \ne y$ such that $\sigma(x) = \sigma(y)$, or an element equal to $0$, i.e. $x$ such that $\sigma(x) = 0$. Thus, a solution to BLICHFELDT always exists, and in fact BLICHFELDT ∈ PPP. It is left to show how to use these ideas to construct an input circuit $\mathcal{C}$ to PIGEONHOLE CIRCUIT. For the rest of this part, we assume that $|S| = |\mathcal{P}(\mathcal{L}) \cap \mathbb{Z}^n| = 2^n$. On input an index $i$, the circuit $\mathcal{C} : \{0, 1\}^n \to \{0, 1\}^n$ evaluates the value function of $S$ to obtain $s_i \in S$, and then computes $\sigma(s_i)$. Finally, $\mathcal{C}$ has to map $\sigma(s_i)$ to an element in $[|\mathcal{P}(\mathcal{L}) \cap \mathbb{Z}^n|]$. This last step is the most technically challenging part of the proof. Even though this seems surprising, we note that the naïve representation of $\sigma(s_i)$ might need more than $n$ bits. However, we need the output of $\mathcal{C}$ to be exactly $n$ bits in order to syntactically ensure that the pigeonhole principle applies. To implement the last step, we define an appropriate parallelepiped $D = [L_1] \times [L_2] \times \cdots \times [L_n]$, where the $L_i$'s are non-negative integers, and a bijection $\pi : \mathcal{P}(\mathcal{L}) \cap \mathbb{Z}^n \to D$. Because $D$ is a cartesian product, a natural efficient indexing procedure exists (see Lemma 2.4.1). Combining the bijection $\pi$ with the index function of $D$, we are able to map $\sigma(S)$ to $\{0, 1\}^n$. Thus, any $\underline{x}$ with $\mathcal{C}(\underline{x}) = \underline{0}$ corresponds to a vector $x \in S$ such that $\sigma(x) = 0$, and a collision $\mathcal{C}(\underline{x}) = \mathcal{C}(\underline{y})$ with $\underline{x} \ne \underline{y}$ corresponds to a collision $\sigma(x) = \sigma(y)$.

BLICHFELDT is PPP-hard. Let the circuit $\mathcal{C} : \{0, 1\}^n \to \{0, 1\}^n$ be an input to the problem PIGEONHOLE CIRCUIT. We construct an input to BLICHFELDT consisting of a set $S$ and a lattice $\mathcal{L}$. The set $S$ contains the elements $s_{\underline{x}} = \begin{pmatrix} \underline{x} \\ \mathcal{C}(\underline{x}) \end{pmatrix} \in \{0, 1\}^{2n}$ and is represented succinctly by the value function that maps $\underline{x}$ to $s_{\underline{x}}$. Notice that $|S| = 2^n$. The lattice $\mathcal{L}$ consists of all $v \in \mathbb{Z}^{2n}$ that satisfy the equation $[0_n \; I_n] \cdot v = 0 \pmod 2$. By Lemma 3.0.3, there exists an efficient procedure to obtain a basis of $\mathcal{L}$, and the volume of $\mathcal{P}(\mathcal{L})$ is at most $2^n$. Thus, the set $S$ and the lattice $\mathcal{L}$ form a valid input for BLICHFELDT. The output of BLICHFELDT is either an $s_{\underline{x}} = \begin{pmatrix} \underline{x} \\ \mathcal{C}(\underline{x}) \end{pmatrix} \in S \cap \mathcal{L}$, which (by construction of $\mathcal{L}$) implies $\mathcal{C}(\underline{x}) = \underline{0}$, or two different elements $s_{\underline{x}} = \begin{pmatrix} \underline{x} \\ \mathcal{C}(\underline{x}) \end{pmatrix}, s_{\underline{y}} = \begin{pmatrix} \underline{y} \\ \mathcal{C}(\underline{y}) \end{pmatrix} \in S$ with $s_{\underline{x}} - s_{\underline{y}} \in \mathcal{L}$, which implies (by construction of $\mathcal{L}$) $\mathcal{C}(\underline{x}) = \mathcal{C}(\underline{y})$ and $\underline{x} \ne \underline{y}$.
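The PPP-hardness direction above, as an added Python example (the example's own code, not the thesis's): a PIGEONHOLE CIRCUIT instance $\mathcal{C}$, given here as a Python function on bit tuples, is turned into the set $S = \{(x, \mathcal{C}(x))\}$ with its value function and the lattice $\mathcal{L} = \{v \in \mathbb{Z}^{2n} : [0_n\;I_n]\,v = 0 \pmod 2\}$. Since $\mathrm{diag}(1, \dots, 1, 2, \dots, 2)$ is a basis of that lattice, reduction modulo $\mathcal{P}(\mathcal{L})$ is just reduction of the last $n$ coordinates modulo 2, and the BLICHFELDT solver is the pigeonhole search of the membership direction: a table of $\sigma$-values that stops at a zero or a collision. The sample circuits are constructed for the example.

```python
def bd(m, k):
    """Bit decomposition of m into k bits, least significant first (the index -> input map)."""
    return tuple((m >> i) & 1 for i in range(k))

def pigeonhole_to_blichfeldt(C, n):
    """Build the BLICHFELDT instance (value function of S, |S|, sigma) from a circuit C on n bits.

    S = { s_x = (x, C(x)) : x in {0,1}^n }, given by the value function i -> s_{bd(i)}, so |S| = 2^n.
    L = { v in Z^{2n} : [0_n I_n] v = 0 (mod 2) } has basis diag(1,..,1,2,..,2), hence
    P(L) = [0,1)^n x [0,2)^n contains exactly 2^n integer points = vol(P(L)), and
    sigma(v) = v (mod P(L)) zeroes the first n coordinates and reduces the last n mod 2."""
    def value(i):
        x = bd(i, n)
        return x + tuple(C(x))
    def sigma(v):
        return (0,) * n + tuple(vi % 2 for vi in v[n:])
    return value, 2 ** n, sigma

def blichfeldt(value, size, sigma):
    """Pigeonhole search: return ('zero', v) with v in L, or ('pair', u, v) with u != v, u - v in L."""
    seen = {}
    for i in range(size):
        v = value(i)
        r = sigma(v)
        if not any(r):
            return ('zero', v)
        if r in seen:
            return ('pair', seen[r], v)
        seen[r] = v
    raise AssertionError("unreachable: |S| >= |P(L) ∩ Z^{2n}| forces a zero or a collision")

def solve_pigeonhole_circuit(C, n):
    """Map a BLICHFELDT solution back to a PIGEONHOLE CIRCUIT solution and verify it."""
    value, size, sigma = pigeonhole_to_blichfeldt(C, n)
    sol = blichfeldt(value, size, sigma)
    if sol[0] == 'zero':
        x = sol[1][:n]                   # s_x in L means C(x) = 0 (mod 2), i.e. C(x) = 0
        assert not any(C(x))
        return ('zero', x)
    x, y = sol[1][:n], sol[2][:n]        # s_x - s_y in L means C(x) = C(y); x != y as the indices differ
    assert x != y and C(x) == C(y)
    return ('collision', x, y)

# Constructed sample circuits on n = 3 bits.
def circuit_xor_mask(x):
    """Bijective circuit C(x) = x XOR 101: only the zero-type solution exists."""
    return tuple(xi ^ mi for xi, mi in zip(x, (1, 0, 1)))

def circuit_fix_first_bit(x):
    """C(x) = (1, x_2, x_3): never zero, so only collisions exist."""
    return (1,) + tuple(x[1:])
```

The search is exponential in n here because the circuit is opaque; the point of the reduction is only that any BLICHFELDT solution, however obtained, translates back to a PIGEONHOLE CIRCUIT solution in polynomial time.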

cSIS is PPP-complete. We identify the first natural PPP-complete problem. We call our complete problem the constrained Short Integer Solution (cSIS) problem, since it is a generalization of the well-known Short Integer Solution (SIS) problem. The input of cSIS consists of two matrices $A \in \mathbb{Z}_q^{n \times m}$, $G \in \mathbb{Z}_q^{d \times m}$ and a vector $b \in \mathbb{Z}_q^d$, for some integer $q \ge 2$ and $m \ge (n + d)\lceil \log(q) \rceil$. The matrix $G$ has the property that for every $b$ we can efficiently find an $x \in \{0, 1\}^m$ such that $Gx = b \pmod q$. We call matrices that satisfy this property binary invertible. The output of cSIS is either a vector $x \in \{0, 1\}^m$ such that $Ax = 0 \pmod q$ and $Gx = b \pmod q$, or two different vectors $x, y \in \{0, 1\}^m$ such that $A(x - y) = 0 \pmod q$ and $Gx = Gy = b \pmod q$. The formal proof of the following theorem appears in Section 4.3.

Theorem 4.3.8. The cSIS problem is PPP-complete.

cSIS ∈ PPP. Even though cSIS belongs to PPP when $G$ is any binary invertible matrix, for this exposition we assume that $q = 2^\ell$ and $G$ is the “gadget” matrix concatenated with a random matrix $V$, namely $G = [I_d \otimes \gamma^T \mid V]$ where $\gamma = [1, 2, \ldots, 2^{\ell-1}]^T$. The condition $m \ge (n + d)\ell$ guarantees that a solution to cSIS always exists.

Let $A \in \mathbb{Z}_q^{n \times m}$, $G \in \mathbb{Z}_q^{d \times m}$, and $b \in \mathbb{Z}_q^d$ be the input to cSIS. Let $r' \in \{0,1\}^{m - \ell d}$. Then, since the first $\ell \cdot d$ columns of $G$ correspond to the gadget matrix $[I_d \otimes \gamma^T]$, there is an efficient procedure that computes an $r \in \{0,1\}^{\ell d}$ such that $G \begin{bmatrix} r \\ r' \end{bmatrix} = b \pmod q$. Let $V$ denote the last $m - \ell d$ columns of $G$; then in order to find $r$ we compute $b - Vr'$ and set $r = \mathrm{bd}(b - Vr')$, namely $r$ is just the bit decomposition of $b - Vr'$. Hence, there are at least $2^{m - \ell d}$ binary solutions of the equation $Gx = b \pmod q$, each of them corresponding to a different $r' \in \{0,1\}^{m - \ell d}$. Also, the quantity $Ax \pmod q$ takes at most $q^n = 2^{\ell n}$ different values. Thus, since $m \ge (n + d)\ell$ implies $m - d\ell \ge n\ell$, the number of binary solutions of $Gx = b \pmod q$ is larger than or equal to the number of different values of $Ax \pmod q$. By a pigeonhole principle argument, it follows that there exists a solution to cSIS. Technical issues relating to the representation of circuits arise, but we overcome them using ideas similar to those used for the BLICHFELDT problem.

cSIS is PPP-hard. Let the circuit $\mathcal{C} : \{0,1\}^n \to \{0,1\}^n$ with $|\mathcal{C}| = d$ be an input to PIGEONHOLE CIRCUIT. Since the input of cSIS is a pair of matrices and a vector, we need to represent $\mathcal{C}$ in an algebraic way. In particular, we devise a way to encode the circuit in a binary invertible matrix $G$ and a vector $b$. We note that a NAND gate $x \bar{\wedge} y = z$ can be expressed as the linear modular equation $x + y + 2z - w = 2 \pmod 4$, where $x, y, z, w \in \{0,1\}$. Hence, in the reduction we let $q = 4$ and, by a careful construction, we encode each gate as a linear modular equation in a binary invertible matrix $G$. The matrix $G$ needs to have a column for each input of $\mathcal{C}$. For each gate of $\mathcal{C}$, we additionally require two new columns, corresponding to the output and auxiliary variables of the gate, i.e. $z$ and $w$ respectively, and a new row. In total, $G$ has $d$ rows and $n + 2d$ columns.

In order to construct the matrix $A$, we note that the output of cSIS is a binary vector such that $Ax = 0 \pmod 4$ or two binary vectors such that $Ax = Ay \pmod 4$, and PIGEONHOLE CIRCUIT asks for a binary vector such that $\mathcal{C}(\underline{x}) = \underline{0}$ or two binary vectors such that $\mathcal{C}(\underline{x}) = \mathcal{C}(\underline{y})$. Hence, a natural idea is to set $A = [0 \mid I_n]$, where the identity matrix corresponds to the columns representing the outputs of $\mathcal{C}$ in $G$ and the zero matrix to all other columns needed to encode the evaluation of $\mathcal{C}$ in $G$. Unfortunately, this matrix $A$ does not satisfy the condition $m \ge 2(n + d)$, since it has a row for each output of $\mathcal{C}$, i.e. $m = n$. This is an important technical issue, since so far our instance is not even total, namely we cannot guarantee that it has a solution. In order to overcome this technical issue, we add extra columns in $A$ of the form $2I_n$ that represent new “dummy” variables. The corresponding columns of $G$ are equal to $0$. Adding these new columns does not create any unwanted solutions, and hence a solution to cSIS with input $A$, $G$ and $b$ as above returns either a collision or a preimage of zero for the circuit $\mathcal{C}$.

Towards a Natural and Universal Collision-Resistant Hash Family. PWPP is a subclass of PPP in which a collision is guaranteed to exist. By slightly changing their parameters, we create variants of the BLICHFELDT and cSIS problems that are PWPP-complete. The PWPP-complete variant of cSIS, which we denote by weak-cSIS, gives a universal collision-resistant hash function family in a worst-case sense. Namely, if there is a function for which it is hard to find collisions, then our function family also includes a function for which it is hard to find collisions.

We highlight the differences between cSIS and weak-cSIS. For ease of exposition, let us assume that $q = 2^\ell$. The input to weak-cSIS is a matrix $A \in \mathbb{Z}_q^{n \times m}$ and a binary invertible matrix $G \in \mathbb{Z}_q^{d \times m}$. In contrast to cSIS, there is no vector $b$ in the input. Additionally, the relation between $n$, $m$, $d$ and $\ell$ is that $m$ has to be strictly greater than $\ell(n + d)$, namely $m > \ell(n + d)$. This change in the relation of the parameters might seem insignificant, but it is actually important, as it allows us to replace $b$ in cSIS with the zero vector. This transforms weak-cSIS into a pure lattice problem: on input matrices $A$ and $G$ with corresponding bases $B_A$ and $B_G$, where $G$ is binary invertible, find two vectors $x$ and $y$ such that $x, y \in \mathcal{L}(B_G)$ and $x - y \in \mathcal{L}(B_A)$. The resemblance of weak-cSIS to SIS and its completeness for PWPP lead us to the first candidate for a universal collision-resistant hash function family $\mathcal{H}_{\mathrm{cSIS}} = \{H_s : \{0,1\}^\kappa \to \{0,1\}^{\kappa'}\}$:

- The key $s$ is a pair of matrices $(A, G)$, where $G$ is binary invertible.
- Given a key $s = (A, G)$ and a binary vector $\underline{x} \in \{0,1\}^\kappa$, $H_s(\underline{x})$ is the binary decomposition of $Au \pmod q$, where $u = \begin{bmatrix} r \\ \underline{x} \end{bmatrix}$ is such that $Gu = 0 \pmod q$.

Natural Complete Problem for PMPP. The classes $k$-PMPP for any $k \in \mathbb{Z}^+$ are relaxations of PWPP. In particular, the underlying principle of $k$-PMPP is that if a circuit $\mathcal{C}$ has $n$ inputs and $n/2$ outputs, then there exists a $k$-tuple $\underline{x}_1, \ldots, \underline{x}_k$ such that $\mathcal{C}(\underline{x}_1) = \cdots = \mathcal{C}(\underline{x}_k)$. We define a relaxation of the cSIS problem, which we denote by $k$-cSIS, and show that this problem is complete for the class $k$-PMPP. Similarly to cSIS, the input of $k$-cSIS is a matrix $A$, a binary invertible matrix $G$ and a vector $b$. However, in this case we have two moduli $q_1$ and $q_2$ such that $A \in \mathbb{Z}_{q_1}^{n \times m}$, $G \in \mathbb{Z}_{q_2}^{d \times m}$ and $b \in \mathbb{Z}_{q_2}^d$, where $m \ge 2(\log q_1)\, n + (\log q_2)\, d$. The output of $k$-cSIS is $k$ distinct vectors $x_1, \ldots, x_k \in \{0,1\}^m$ such that $Ax_1 = \cdots = Ax_k \pmod{q_1}$ and $Gx_1 = \cdots = Gx_k = b \pmod{q_2}$. The completeness proof is similar to the PPP-completeness proof of cSIS.

Lattice Problems in PPP. We show that Minkowski, which is the computational analog of Minkowski’s theorem, is in PPP via a Karp-reduction to the BLICHFELDT problem. Even though there exists a proof of Minkowski’s theorem that uses Blichfeldt’s theorem, we cannot apply this inherently continuous technique to show the reduction between the corresponding computational problems, due to their discrete nature. To circumvent this issue, we use the tools for succinctly representing sets described above. Based on known reductions between lattice problems, we conclude that a variety of lattice (approximation) problems belong to PPP; the most important among them are $n$-SVP, $\tilde{O}(n)$-SIVP and $n^{2.5}$-CVP (see Figure 4-1). We note that a Karp-reduction showing that Minkowski ∈ PPP has also appeared in the concurrent and independent work of [13].

Roadmap. The rest of this chapter is devoted to the formal proofs of the above statements. The complete proof of the PPP-completeness of BLICHFELDT appears in Section 4.2. Then, we present our main theorem, the PPP-completeness of cSIS, in Section 4.3. In Section 4.4 we describe the PWPP-completeness of a weaker version of cSIS and its relation to natural universal collision-resistant hash function families. Finally, we include the reduction from Minkowski to BLICHFELDT and its implications for the computational complexity of lattice problems in Section 4.6.

Figure 4-1: Problems in PPP. Solid arrows denote a Karp-reduction, and dashed arrows denote a Cook-reduction. The dotted arrow between FACTORING and PWPP denotes that the reduction is randomized.

4.2 BLICHFELDT is PPP-complete

The concept of lattices was introduced by Hermann Minkowski in his influential book Geometrie der Zahlen [127], first published in 1896. In his book, Minkowski developed the theory of the geometry of numbers and resolved many difficult problems in number theory. His fundamental theorem, known as Minkowski’s Convex Body Theorem, was the main tool of these proofs. Despite the excitement created by Minkowski’s groundbreaking work, it was only after 15 years that a new principle in the geometry of numbers was discovered. The credit for this discovery is attributed to Hans Frederik Blichfeldt, who in 1914 published a paper [29] with his new theorem and important applications in number theory.¹ We characterize the computational complexity of Blichfeldt’s existence theorem. In Section 4.6, we discuss the applications of our completeness result.

Theorem 4.2.1 (Blichfeldt’s Theorem [29]). Let $B \in \mathbb{Z}^{n \times n}$ be a set of $n$-dimensional linearly independent vectors and $S \subseteq \mathbb{R}^n$ a measurable set. If $\mathrm{vol}(S) > \det(\mathcal{L}(B))$, then there exist $x, y \in S$ with $x \neq y$ and $x - y \in \mathcal{L}(B)$.

A proof of Theorem 4.2.1 can be found in Chapter 9 of [132]. We now define the computational discrete version of Blichfeldt’s theorem.

BLICHFELDT Problem.
Input: An $n$-dimensional basis $B \in \mathbb{Z}^{n \times n}$ and a set $S \subseteq \mathbb{Z}^n$ described by a value function $(s, \mathcal{V}_S)$.
Output: One of the following:
a. the vector $0$ if $s < \det(\mathcal{L}(B))$,
b. a number $z \in [s]$ such that $\mathcal{V}_S(z) \notin S$, or two numbers $z, w \in [s]$ such that $\mathcal{V}_S(z) = \mathcal{V}_S(w)$,
1. a vector $x$ such that $x \in S \cap \mathcal{L}$,
2. two vectors $x \neq y$ such that $x, y \in S$ and $x - y \in \mathcal{L}$.

The first two outputs are just syntactic checks of the totality of the instance. The first guarantees that s, i.e. the alleged size of S, is larger or equal to det(ℒ(B)), while the second ensures that (s, 풱S) is a valid value function, i.e. it encodes a bijection between [s] and S. If the tuple (s, 풱) encodes a set S that satisfies the condition s ≥ det(ℒ(B)), then “a.” and “b.” cannot be satisfied.

In the next lemma, we utilize the following matrix decomposition.

Smith Normal Form. A matrix $D \in \mathbb{Z}^{n \times n}$ is in Smith Normal Form (SNF) if it is diagonal and $d_{i+1,i+1}$ divides $d_{i,i}$ for $1 \le i < n$. Moreover, any non-singular matrix $A \in \mathbb{Z}^{n \times n}$ can be written as $A = UDV$, where $D \in \mathbb{Z}^{n \times n}$ is a unique matrix in SNF, and $U, V \in \mathbb{Z}^{n \times n}$ are unimodular matrices. Also, the matrices $U, D, V$ can be computed in time polynomial in $n$ [107].

¹ These introductory paragraphs were inspired by Chapter 9 of [132].

Lemma 4.2.2. BLICHFELDT is in PPP.

Proof. Let $B$ and $(s, \mathcal{V}_S)$ be the input of BLICHFELDT. Let $R = \mathcal{P}(B) \cap \mathbb{Z}^n$ be the set of all integer vectors in the fundamental parallelepiped $\mathcal{P}(B)$. Let $\mathcal{L} = \mathcal{L}(B)$, $\ell = \lceil \log(\det(\mathcal{L})) \rceil$ and $m = \lceil \log(s) \rceil$. We remark that $\ell = \lceil \log(|R|) \rceil$ (see Proposition 3.0.2) and $m$ is the number of binary inputs of $\mathcal{V}_S$. Our goal is to construct a circuit $\mathcal{C} : \{0,1\}^\ell \to \{0,1\}^\ell$ such that every solution of PIGEONHOLE CIRCUIT with input $\mathcal{C}$ gives a solution of BLICHFELDT for the original instance.

If $s < \det(\mathcal{L})$, then we output $0$ without invoking PIGEONHOLE CIRCUIT. For the rest of the proof, we focus on the case $s \ge \det(\mathcal{L})$, which implies $m \ge \ell$. We also assume without loss of generality that $s = \det(\mathcal{L})$. If $s > \det(\mathcal{L})$, then we use the set $S' = \{\mathcal{V}_S(\underline{x}) : \mathrm{bc}(\underline{x}) \in [\det(\mathcal{L})]\}$, namely $S'$ contains the first $\det(\mathcal{L})$ elements of $S$ according to $\mathcal{V}_S$. The value function of $S'$ is efficiently computed from the value function of $S$ as $(\det(\mathcal{L}), \mathcal{V}_{S'})$, where $\mathcal{V}_{S'} : \{0,1\}^\ell \to \mathrm{bd}(S')$ and for each $\underline{x} \in \{0,1\}^\ell$, $\mathcal{V}_{S'}(\underline{x}) = \mathcal{V}_S(\underline{0} \| \underline{x})$, where $\underline{0}$ is a padding of $m - \ell$ bits.

Intuitively, the circuit $\mathcal{C}$ maps any vector $x \in S$ to the integer coset of $x$ in $\mathrm{Co}(\mathcal{L})$. A useful observation is that if two vectors in $S$ belong to the same coset, then their difference belongs to $\mathcal{L}$. We use the set $R$ of integer vectors in $\mathcal{P}(B)$ as the set of representatives for $\mathrm{Co}(\mathcal{L})$. Finally, we need an index function of $R$, so that the output of $\mathcal{C}$ is in $\{0,1\}^\ell$. The main difficulty that we encounter in formalizing the above intuition hides in the construction of a polynomial-size circuit $\mathcal{I}_R$ for the index function of the set $R$.

Let us assume that $\det(\mathcal{L}) = 2^\ell$. We describe the necessary changes for the case $\det(\mathcal{L}) \neq 2^\ell$ at the end of the proof. Let $r = |R|$; we define the circuit $\mathcal{I}_R : \mathrm{bd}(R) \to \{0,1\}^\ell$ such that $\mathcal{I}_R$ is a bijection between $\mathrm{bd}(R)$ and $\mathrm{bd}([r])$. The circuit $\mathcal{I}_R$ first computes the Smith Normal Form of the basis $B = UDV$, which can be done by a circuit of size polynomial in $|\mathrm{bd}(B)|$ [107], and then uses the index function of the set $\mathcal{P}(D) \cap \mathbb{Z}^n$, as defined in Lemma 2.4.1, to map each element of $R$ to a number in $[r]$.

Claim 4.2.3. There exists a bijection $\pi$ between $R$ and $\mathcal{P}(D) \cap \mathbb{Z}^n$, which can be implemented by a polynomial-size circuit.

Proof of Claim 4.2.3. Let $B = UDV$ be in Smith Normal Form, with $U, V \in \mathbb{Z}^{n \times n}$ unimodular matrices and $D \in \mathbb{Z}^{n \times n}$ a diagonal matrix. Since $V$ is unimodular, by Lemma 3.0.1 $\mathcal{L}(DV) = \mathcal{L}(D)$. This implies that the function $\varphi(x) = x \pmod{\mathcal{P}(D)}$ is a bijection between $\mathcal{P}(DV) \cap \mathbb{Z}^n$ and $\mathcal{P}(D) \cap \mathbb{Z}^n$, with inverse map $\varphi^{-1}(y) = y \pmod{\mathcal{P}(DV)}$. By the unimodularity of $U$, the map $h(x) = U^{-1}x$ defines a bijection between $R = \mathcal{P}(UDV) \cap \mathbb{Z}^n$ and $\mathcal{P}(DV) \cap \mathbb{Z}^n$, with $h^{-1}(y) = Uy$. All functions $\varphi, \varphi^{-1}, h$ and $h^{-1}$ can be implemented by polynomial-size circuits. Hence, the function $\pi(x) = \varphi(h(x))$ is a bijection between $R = \mathcal{P}(B) \cap \mathbb{Z}^n$ and $\mathcal{P}(D) \cap \mathbb{Z}^n$ with inverse map $\pi^{-1}(y) = h^{-1}(\varphi^{-1}(y))$. We remark that because $\pi$ is a bijection, $|\mathcal{P}(B) \cap \mathbb{Z}^n| = |\mathcal{P}(D) \cap \mathbb{Z}^n| = \det(D)$, which proves Proposition 3.0.2.

Let $R_D = \mathcal{P}(D) \cap \mathbb{Z}^n = ([0, d_1] \times \cdots \times [0, d_n]) \cap \mathbb{Z}^n$, with $D = \mathrm{diag}(d_1, \ldots, d_n)$. We use Lemma 2.4.1 to construct an index function $\mathcal{I}_{R_D}$. Finally, the index function of $R$ is $\mathcal{I}_R(x) = \mathcal{I}_{R_D}(\pi(x))$.

Let $\sigma : \mathbb{Z}^n \to R$ be the function that computes the modulo $\mathcal{P}(B)$, i.e. $\sigma(x) = x \pmod{\mathcal{P}(B)}$. The circuit $\mathcal{C}$ takes as input a boolean vector $\underline{x} \in \{0,1\}^\ell$ and computes $\mathcal{I}_R(\sigma(\mathcal{V}_S(\underline{x})))$. Namely, the circuit $\mathcal{C}$ first computes the vector $x = \mathcal{V}_S(\underline{x})$, which belongs to $S$, then it computes a vector $c \in R$ such that $x \in c + \mathcal{L}$, maps it to a vector in $\mathcal{P}(D) \cap \mathbb{Z}^n$ and lastly maps this vector to a boolean vector using the index function of $R_D$. Since we assume $|R| = 2^\ell$, the circuit $\mathcal{C}$ has $\ell$ inputs and $\ell$ outputs. Hence, it is a valid input to PIGEONHOLE CIRCUIT. A solution to PIGEONHOLE CIRCUIT with input $\mathcal{C}$ gives a solution to the original BLICHFELDT instance. The output of PIGEONHOLE CIRCUIT is one of the following:

1. a boolean vector $\underline{x} \in \{0,1\}^\ell$ such that $\mathcal{C}(\underline{x}) = \underline{0}$.

If $\mathcal{V}_S(\underline{x}) \notin S$, then $\mathrm{bc}(\underline{x})$ satisfies “b.”, and hence is a solution to our initial BLICHFELDT instance. Otherwise, let $y = \sigma(\mathcal{V}_S(\underline{x}))$. Since $\mathcal{C} = \mathcal{I}_R \circ \sigma \circ \mathcal{V}_S$, we have that $\mathcal{I}_R(y) = \underline{0}$, which implies that $\mathcal{I}_{R_D}(\pi(y)) = \underline{0}$. From the definition of $\mathcal{I}_{R_D}$ and $\pi$ in Lemma 2.4.1 and Claim 4.2.3, it holds that $y = 0$. Finally, $y = 0$ implies $\mathcal{V}_S(\underline{x}) \in 0 + \mathcal{L}$. Hence, $x = \mathcal{V}_S(\underline{x}) \in \mathcal{L}$.

2. two boolean vectors $\underline{x}, \underline{y} \in \{0,1\}^\ell$ such that $\mathcal{C}(\underline{x}) = \mathcal{C}(\underline{y})$.

Using the same reasoning as in the previous case, we conclude that either $\mathrm{bc}(\underline{x}), \mathrm{bc}(\underline{y})$ are a solution to our initial BLICHFELDT instance through condition “b.”, or there exists a vector $c \in R$ such that $\mathcal{V}_S(\underline{x}), \mathcal{V}_S(\underline{y}) \in c + \mathcal{L}(B)$. In the latter case, if $x = \mathcal{V}_S(\underline{x})$ and $y = \mathcal{V}_S(\underline{y})$, then $x - y \in \mathcal{L}$.

It is left to handle the case where $\det(\mathcal{L}(B)) < 2^\ell$. In this case, we define $\mathcal{C}$ as

$$
\mathcal{C}(\underline{x}) = \begin{cases} \underline{x} & \text{if } \mathrm{bc}(\underline{x}) \ge \det(\mathcal{L}(B)) \\ \mathcal{I}_R(\sigma(\mathcal{V}_S(\underline{x}))) & \text{if } \mathrm{bc}(\underline{x}) < \det(\mathcal{L}(B)) \end{cases}.
$$

For this circuit $\mathcal{C}$, there are no solutions $\underline{x}$ and $\underline{y}$ of PIGEONHOLE CIRCUIT with $\mathrm{bc}(\underline{x}), \mathrm{bc}(\underline{y}) \ge \det(\mathcal{L}(B))$. Hence, all solutions of PIGEONHOLE CIRCUIT imply a solution to our initial BLICHFELDT instance as before.

To conclude that BLICHFELDT is PPP-complete, it is left to show that it is also PPP-hard.

Lemma 4.2.4. BLICHFELDT is PPP-hard.

Proof. Let $\mathcal{C} : \{0,1\}^n \to \{0,1\}^n$ be an instance of PIGEONHOLE CIRCUIT. We construct an instance of BLICHFELDT where the input lattice is $q$-ary. Fix $q = 2$ and let $A = [0\ I_n] \in \mathbb{Z}_2^{n \times 2n}$, where $I_n$ is the $n$-dimensional identity matrix. We compute a basis $B$ of the lattice $\mathcal{L}(B) = \Lambda_q^\perp(A)$ using Lemma 3.0.3. Also, it follows directly from Lemma 3.0.3 that $\det(\mathcal{L}(B)) \le 2^n$.

Let $S = \left\{ \begin{bmatrix} \underline{x} \\ \mathcal{C}(\underline{x}) \end{bmatrix} : \underline{x} \in \{0,1\}^n \right\} \subseteq \mathbb{Z}_2^{2n}$. For the value function $(s, \mathcal{V}_S)$ of $S$, we let $s = |S| = 2^n$ and $\mathcal{V}_S$ be the circuit that on input $\underline{x} \in \{0,1\}^n$ outputs $\mathcal{V}_S(\underline{x}) = \begin{bmatrix} \underline{x} \\ \mathcal{C}(\underline{x}) \end{bmatrix}$. The BLICHFELDT instance is defined by $B$ and $(s, \mathcal{V}_S)$.

Any solution of BLICHFELDT gives a solution to the original input $\mathcal{C}$ of PIGEONHOLE CIRCUIT. Since $s \ge \det(\mathcal{L}(B))$ and $(s, \mathcal{V}_S)$ is a valid value function of $S$, the conditions “a.” and “b.” are never satisfied and the output of BLICHFELDT is one of the following:

1. a single vector $y = \begin{bmatrix} \underline{x} \\ \mathcal{C}(\underline{x}) \end{bmatrix} \in S \cap \mathcal{L}(B)$. Let $y = \mathcal{V}_S(\underline{x})$; then $y \in S$ implies that $Ay = \mathcal{C}(\underline{x}) \pmod 2$, and $y \in \mathcal{L}$ implies that $Ay = 0 \pmod 2$. Hence, it holds that $\mathcal{C}(\underline{x}) = \underline{0}$.

2. two vectors $x, y \in S$ such that $x \neq y$ and $x - y \in \mathcal{L}(B)$. Let $x = \begin{bmatrix} \underline{x} \\ \mathcal{C}(\underline{x}) \end{bmatrix}$ and $y = \begin{bmatrix} \underline{y} \\ \mathcal{C}(\underline{y}) \end{bmatrix}$; then $x - y \in \mathcal{L}(B)$ implies that $A(x - y) = 0 \pmod 2$. Hence, $\underline{x} \neq \underline{y}$ and $\mathcal{C}(\underline{x}) = \mathcal{C}(\underline{y})$.

Combining Lemma 4.2.2 and Lemma 4.2.4, we prove the following theorem.

Theorem 4.2.5. BLICHFELDT is PPP-complete.

4.3 cSIS is PPP-complete

We define the first PPP-complete problem that is natural, i.e. one that does not explicitly invoke any circuit as part of its input. This is in contrast to the BLICHFELDT problem, which requires in its input a circuit that encodes the value function of a set. We call this problem the constrained Short Integer Solution (cSIS) problem, because it shares a similar structure with the well-known and well-studied Short Integer Solution problem introduced in the seminal work of Ajtai [4], and later studied in numerous works (e.g. [123, 126, 78, 124]). The SIS problem belongs to PPP, but it is unknown whether it is also PPP-hard. This poses the fascinating direction of characterizing the hardness of a concrete cryptographic assumption using a complexity class, and vice versa. We view the PPP-completeness of cSIS as a first step in this direction. Before stating the cSIS problem, we define binary invertible matrices. These are matrices with a special structure which have an important role in proving the PPP-completeness of cSIS. We also prove a key property of binary invertible matrices.

Binary Invertible Matrix. Let $\ell \in \mathbb{Z}^+$, $q \le 2^\ell$ and $d, k \in \mathbb{N}$, and let $\gamma_\ell = [1\ 2\ 4\ \ldots\ 2^{\ell-1}]^T \in \mathbb{Z}_q^\ell$ be the vector which we call the $\ell$-th gadget vector. A matrix $G = [(I_d \otimes \gamma_\ell^T + U) \mid V] \in \mathbb{Z}_q^{d \times (d \cdot \ell + k)}$ is a binary invertible matrix if $U \in \mathbb{Z}_q^{d \times (d \cdot \ell)}$ is such that $u_{i,j} = 0$ if $j \le \ell i$, i.e. $U$ has zero elements up to the $\ell$-th diagonal, and $V \in \mathbb{Z}_q^{d \times k}$ is an arbitrary matrix.

A special case of a binary invertible matrix is the gadget matrix $G = I_d \otimes \gamma_\ell^T \in \mathbb{Z}_q^{d \times (d \cdot \ell)}$ with $U = 0$ and $k = 0$, which was defined in [124] and used in many cryptographic constructions. The following example illustrates a binary invertible matrix with $\ell = 3$, i.e. in $\mathbb{Z}_8$, where the symbol $?$ represents any element in $\mathbb{Z}_8$. The matrix has $d$ rows; its first $d \cdot \ell$ columns hold the gadget part and the last $k$ columns hold $V$:

$$
G = \left[\begin{array}{ccccccccccccc|ccc}
1 & 2 & 4 & ? & ? & ? & ? & ? & ? & \cdots & ? & ? & ? & ? & \cdots & ? \\
0 & 0 & 0 & 1 & 2 & 4 & ? & ? & ? & \cdots & ? & ? & ? & ? & \cdots & ? \\
0 & 0 & 0 & 0 & 0 & 0 & 1 & 2 & 4 & \cdots & ? & ? & ? & ? & \cdots & ? \\
\vdots & & & & & & & & & \ddots & & & \vdots & \vdots & & \vdots \\
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & \cdots & 1 & 2 & 4 & ? & \cdots & ?
\end{array}\right]
$$

Next, we formalize the main property of binary invertible matrices, which also explains their name.

Proposition 4.3.1. Let $G = [(I_d \otimes \gamma_\ell^T + U) \mid V] \in \mathbb{Z}_q^{d \times (d \cdot \ell + k)}$ be a binary invertible matrix and $r'$ be an arbitrary vector in $\mathbb{Z}_q^k$. Then, for every $b \in \mathbb{Z}_q^d$, there exists a vector $r \in \{0,1\}^{d \cdot \ell}$ such that $G \begin{bmatrix} r \\ r' \end{bmatrix} = b \pmod q$. Additionally, the vector $r$ is computable by a polynomial-size circuit and it is unique when $q = 2^\ell$.

Proof. Let $U' = (u'_{i,j}) \in \mathbb{Z}_q^{d \times d}$ be such that $u'_{i,j} = 0$ for $j < i$, $u'_{i,j} = u_{i, i\ell + j}$ for $j > i$, and $u'_{i,i} = 1$. Namely, $U'$ is an upper triangular matrix that contains the elements above the $\ell$-diagonal of $U$ and has ones on the diagonal. Let $G' = [U' \mid V] \in \mathbb{Z}_q^{d \times (d + k)}$; then for every $b \in \mathbb{Z}_q^d$, we can efficiently compute a vector $x \in \mathbb{Z}_q^d$ such that $G' \begin{bmatrix} x \\ r' \end{bmatrix} = b \pmod q$ using backward substitution. Finally, we set $r = \mathrm{bd}(x)$. As a reminder, $\mathrm{bd}$ of a vector is the concatenation of the binary decompositions of each coordinate of the vector. The vector $r$ is a solution since $(I_d \otimes \gamma_\ell^T + U)\, r = U'x$. In fact, the vector $r$ is computable by a polynomial-size circuit, since backward substitution and bit decomposition are computable in polynomial time.

In the special case of $q = 2^\ell$, the function that maps $t \in \{0,1\}^\ell$ to $\gamma_\ell^T t \pmod q$ is a bijection from $\{0,1\}^\ell$ to $[q]$. In fact, this mapping corresponds to bit composition and its inverse to bit decomposition. Hence, in this case $r$ is unique.

With the definition of binary invertible matrices in hand, we can now define the cSIS problem.

cSIS Problem.
Input: A matrix $A \in \mathbb{Z}_q^{n \times m}$, a binary invertible matrix $G \in \mathbb{Z}_q^{d \times m}$ and a vector $b \in \mathbb{Z}_q^d$, where $\ell \in \mathbb{Z}^+$, $q \in \mathbb{Z}$ with $2 \le q \le 2^\ell$ and $m \ge (n + d) \cdot \ell$.
Output: One of the following:
1. a vector $x \in \{0,1\}^m$ such that $x \in \Lambda_q^\perp(A)$ and $Gx = b \pmod q$,
2. two vectors $x, y \in \{0,1\}^m$ such that $x \neq y$ with $x - y \in \Lambda_q^\perp(A)$ and $Gx = Gy = b \pmod q$.

Lemma 4.3.2. cSIS is in PPP.

Proof. We show a Karp reduction from cSIS to the PIGEONHOLE CIRCUIT problem. Let $A \in \mathbb{Z}_q^{n \times m}$, $G \in \mathbb{Z}_q^{d \times m}$, $b \in \mathbb{Z}_q^d$ be the inputs to the cSIS problem and define $k = m - d \cdot \ell$. From the definition of cSIS, we have that $k \ge n \cdot \ell$. We construct the circuit $\mathcal{C} : \{0,1\}^{n \cdot \ell} \to \{0,1\}^{n \cdot \ell}$ such that every solution to PIGEONHOLE CIRCUIT with input $\mathcal{C}$ gives a solution to the original instance of cSIS. For $\underline{x} \in \{0,1\}^{n \cdot \ell}$, we define the vector $r' = \begin{bmatrix} \underline{x} \\ 0^{k - n \cdot \ell} \end{bmatrix} \in \mathbb{Z}_q^k$. By Proposition 4.3.1, there exists a circuit $\mathcal{C}_1$ that on input $\underline{x}$ computes a vector $r \in \{0,1\}^{d \cdot \ell}$ such that $G \begin{bmatrix} r \\ r' \end{bmatrix} = b \pmod q$. The circuit $\mathcal{C}$ on input $\underline{x}$ first computes $r = \mathcal{C}_1(\underline{x})$, and outputs the binary decomposition of the vector $A \begin{bmatrix} r \\ r' \end{bmatrix} \pmod q$. The circuit $\mathcal{C}$ is of polynomial size. The output of PIGEONHOLE CIRCUIT with input $\mathcal{C}$ is one of the following:

1. a vector $\underline{x} \in \{0,1\}^{n \cdot \ell}$ such that $\mathcal{C}(\underline{x}) = \underline{0}$. Let $x = \begin{bmatrix} \mathcal{C}_1(\underline{x}) \\ \underline{x} \\ 0 \end{bmatrix}$; then $\mathcal{C}(\underline{x})$ is the binary decomposition of $Ax \pmod q$. Hence, $Ax = 0 \pmod q$. Also, from the definition of $\mathcal{C}_1$ it holds that $Gx = b \pmod q$. Hence, $x$ is a solution of cSIS with input $(A, G, b)$.

2. two vectors $\underline{x}, \underline{y} \in \{0,1\}^{n \cdot \ell}$ such that $\underline{x} \neq \underline{y}$ and $\mathcal{C}(\underline{x}) = \mathcal{C}(\underline{y})$. Let $x = \begin{bmatrix} \mathcal{C}_1(\underline{x}) \\ \underline{x} \\ 0 \end{bmatrix}$ and $y = \begin{bmatrix} \mathcal{C}_1(\underline{y}) \\ \underline{y} \\ 0 \end{bmatrix}$; then $\mathcal{C}(\underline{x})$ and $\mathcal{C}(\underline{y})$ are the binary decompositions of $Ax \pmod q$ and $Ay \pmod q$. This implies that $Ax = Ay \pmod q$, and hence $A(x - y) = 0 \pmod q$. Therefore, $x - y \in \Lambda_q^\perp(A)$. Finally, $x \neq y$, because $\underline{x} \neq \underline{y}$, and from the definition of $\mathcal{C}_1$, $Gx = Gy = b \pmod q$. Hence, $x, y$ form a valid solution for the cSIS problem with input $(A, G, b)$.
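The reduction of Lemma 4.3.2 (and the "cSIS ∈ PPP" overview above), as an added worked example that is not the thesis's own code: a solver for binary invertible matrices in the sense of Proposition 4.3.1, the circuit $\mathcal{C}$ built from it, and a brute-force search for the guaranteed PIGEONHOLE CIRCUIT solution on a constructed toy instance with $n = d = 1$, $\ell = 2$, $q = 4$, $m = 4$. The solver substitutes directly on the $\ell$-blocks of $G$ instead of going through the matrix $U'$ of the proof; the matrices and the brute-force search are constructed for illustration only.

```python
from itertools import product


def bit_decompose(value, ell):
    """bd(value): the ell bits of value in [0, 2^ell), least significant first,
    so that gamma_ell^T bd(value) = value for gamma_ell = [1, 2, 4, ..., 2^(ell-1)]."""
    return [(value >> i) & 1 for i in range(ell)]


def matvec_mod(M, v, q):
    """M v (mod q) for a matrix given as a list of rows."""
    return [sum(a * x for a, x in zip(row, v)) % q for row in M]


def solve_binary_invertible(G, b, r_prime, d, ell, q):
    """Proposition 4.3.1 for G = [(I_d (x) gamma_ell^T + U) | V] in Z_q^{d x (d*ell + k)}:
    return r in {0,1}^{d*ell} with G [r; r'] = b (mod q) for the given r' in Z_q^k.
    Row i is zero to the left of its own gadget block (columns i*ell .. i*ell+ell-1),
    so the blocks are fixed bottom-up (backward substitution on ell-blocks; this is a
    constructed variant of the proof, which works through the matrix U' instead)."""
    r = [0] * (d * ell)
    for i in range(d - 1, -1, -1):
        row = G[i]
        known = sum(row[c] * r[c] for c in range((i + 1) * ell, d * ell))  # blocks j > i
        known += sum(row[d * ell + c] * r_prime[c] for c in range(len(r_prime)))  # V r'
        target = (b[i] - known) % q  # the value gamma_ell^T r_i must take (mod q)
        # q <= 2^ell, so target < 2^ell has an ell-bit decomposition; for q = 2^ell
        # bit composition is a bijection and this r_i is the unique choice
        r[i * ell:(i + 1) * ell] = bit_decompose(target, ell)
    return r


def csis_to_pigeonhole(A, G, b, n, d, ell, q, m):
    """Lemma 4.3.2: the circuit C : {0,1}^{n*ell} -> {0,1}^{n*ell} with
    C(x) = bd(A [C1(x); x; 0] mod q), returned with the map x -> [C1(x); x; 0]."""
    k = m - d * ell
    assert k >= n * ell, "cSIS requires m >= (n + d) * ell"

    def lift(xbits):
        r_prime = list(xbits) + [0] * (k - n * ell)  # r' = [x; 0^{k - n*ell}]
        return solve_binary_invertible(G, b, r_prime, d, ell, q) + r_prime

    def C(xbits):
        out = []
        for v in matvec_mod(A, lift(xbits), q):
            out += bit_decompose(v, ell)
        return out

    return C, lift


def pigeonhole_solution(C, bits):
    """Brute-force PIGEONHOLE CIRCUIT on a toy circuit: a preimage of 0 or a collision.
    Only used here to exhibit the solution the pigeonhole principle guarantees."""
    seen = {}
    for xs in product((0, 1), repeat=bits):
        y = tuple(C(xs))
        if not any(y):
            return ("preimage", list(xs))
        if y in seen:
            return ("collision", seen[y], list(xs))
        seen[y] = list(xs)
    raise AssertionError("unreachable: a solution always exists")


def csis_solution(A, G, b, n, d, ell, q, m):
    """Map the PIGEONHOLE CIRCUIT solution back to a cSIS solution, as in the proof."""
    C, lift = csis_to_pigeonhole(A, G, b, n, d, ell, q, m)
    sol = pigeonhole_solution(C, n * ell)
    if sol[0] == "preimage":
        return ("preimage", lift(sol[1]))
    return ("collision", lift(sol[1]), lift(sol[2]))


def is_csis_solution(A, G, b, q, sol):
    """Check the two output conditions of the cSIS problem."""
    zero = [0] * len(A)
    if sol[0] == "preimage":
        x = sol[1]
        return matvec_mod(A, x, q) == zero and matvec_mod(G, x, q) == b
    x, y = sol[1], sol[2]
    diff = [u - v for u, v in zip(x, y)]
    return (x != y and matvec_mod(A, diff, q) == zero
            and matvec_mod(G, x, q) == b and matvec_mod(G, y, q) == b)


# Constructed toy instance: n = d = 1, ell = 2, q = 4, m = 4, so m >= (n + d) * ell.
# G = [gamma_2^T | V] with gamma_2 = [1, 2] and V = [3, 1]; A is an arbitrary row.
TOY = dict(A=[[1, 1, 2, 3]], G=[[1, 2, 3, 1]], b=[1], n=1, d=1, ell=2, q=4, m=4)

if __name__ == "__main__":
    found = csis_solution(**TOY)
    print(found, is_csis_solution(TOY["A"], TOY["G"], TOY["b"], TOY["q"], found))
```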

Lemma 4.3.3. cSIS is PPP-hard.

Proof. We show a Karp reduction from PIGEONHOLE CIRCUIT to the cSIS problem. Let $\mathcal{C} = (\mathcal{C}_1, \ldots, \mathcal{C}_n)$ be the input circuit to the PIGEONHOLE CIRCUIT problem, where for each $i$, $\mathcal{C}_i : \{0,1\}^n \to \{0,1\}$. Also, let $d = |\mathcal{C}|$ be the size of $\mathcal{C}$; in contrast to the usual notation, we define $|\mathcal{C}|$ to be the sum of the number of inputs and the number of gates. We refer to Section 1.3 for our formal definition of circuits. We may assume without loss of generality that $\mathcal{C}$ consists of gates in the set $\{\bar{\wedge}, \bar{\vee}, \oplus, \wedge, \vee\}$. In fact, the NAND ($\bar{\wedge}$) gate suffices, but we discuss the implementation of all five gates, because we use them in Section 4.4. The circuit $\mathcal{C}$ is represented as $n$ directed acyclic graphs.

We first describe how to implement the $i$-th circuit $\mathcal{C}_i$ as a part of a cSIS instance. Then, we get the final cSIS instance by combining these intermediate parts. Let $d_i = |\mathcal{C}_i|$ be the size of $\mathcal{C}_i$ and $\mathcal{G}^{(i)} = (V^{(i)}, E^{(i)})$ be its directed acyclic graph. Let $v^{(i)}_1, v^{(i)}_2, \ldots, v^{(i)}_{d_i}$ be a topological ordering of the nodes in the graph $\mathcal{G}^{(i)}$, where the first $n$ nodes are the source nodes of $\mathcal{G}^{(i)}$ and the last node is the unique sink of $\mathcal{G}^{(i)}$. The source nodes of $\mathcal{G}^{(i)}$ correspond to the inputs of $\mathcal{C}_i$ and the sink of $\mathcal{G}^{(i)}$ corresponds to the output of $\mathcal{C}_i$.

Let $\ell = 2$ and $q = 4$. At the end of the proof, we show how to generalize to any $\ell \in \mathbb{Z}^+$ and $q = 2^\ell$. We denote by $G^{(i)}$ and $b^{(i)}$ the part of the final cSIS instance that corresponds to circuit $\mathcal{C}_i$. We introduce two variables for each node of $\mathcal{G}^{(i)}$. The first variable in each pair represents the value of the corresponding node in the evaluation of $\mathcal{C}_i$, and we call it the value variable. The second variable in each pair is an auxiliary variable. In the topological ordering of $\mathcal{G}^{(i)}$, we start with the $n$ input nodes $v_1, \ldots, v_n$ and we let $x_1, \ldots, x_n$ be their corresponding value variables. The last node of the topological ordering is the output node, and since it is the $i$-th output of the circuit $\mathcal{C}$, we denote its value variable by $y_i$. We denote the value variables of the remaining nodes by $z^{(i)}_{n+1}, \ldots, z^{(i)}_{d_i - 1}$. Additionally, we denote by $w_1, \ldots, w_n$ the auxiliary variables that correspond to the input nodes, by $t_i$ the auxiliary variable of the output node and by $r^{(i)}_{n+1}, \ldots, r^{(i)}_{d_i - 1}$ the remaining auxiliary variables. We summarize the notation for the variables in Table 4.1. Occasionally, we use $z^{(i)}_j = x_j$ for $j \le n$ and $z^{(i)}_{d_i} = y_i$ for the input and output value variables, and $r^{(i)}_j = w_j$ for $j \le n$ and $r^{(i)}_{d_i} = t_i$ for the input and output auxiliary variables.

nodes                $v^{(i)}_1$ ... $v^{(i)}_n$   $v^{(i)}_{n+1}$ ... $v^{(i)}_{d_i - 1}$   $v^{(i)}_{d_i}$
value variables      $x_1$ ... $x_n$                $z^{(i)}_{n+1}$ ... $z^{(i)}_{d_i - 1}$   $y_i$
auxiliary variables  $w_1$ ... $w_n$                $r^{(i)}_{n+1}$ ... $r^{(i)}_{d_i - 1}$   $t_i$

Table 4.1: The value and auxiliary variables for every node of the graph $\mathcal{G}^{(i)}$.

label of $v_j$        equation of $v_j$                                              $b_j$
$\bar{\wedge}$ (NAND) $r_j + 2z_j - z_{p_1(j)} - z_{p_2(j)} = 2 \pmod 4$             2
$\bar{\vee}$ (NOR)    $r_j + 2z_j - z_{p_1(j)} - z_{p_2(j)} = 3 \pmod 4$             3
$\oplus$ (XOR)        $z_j + 2r_j - z_{p_1(j)} - z_{p_2(j)} = 0 \pmod 4$             0
$\wedge$ (AND)        $r_j + 2z_j - z_{p_1(j)} - z_{p_2(j)} = 0 \pmod 4$             0
$\vee$ (OR)           $r_j + 2z_j + z_{p_1(j)} + z_{p_2(j)} = 0 \pmod 4$             0

Table 4.2: Equations of a non-input node $v^{(i)}_j$ of the graph $\mathcal{G}^{(i)}$ depending on its label.

Each column of $G^{(i)}$ corresponds to one of these variables. Since we focus on a fixed graph $\mathcal{G}^{(i)}$, we occasionally drop the superscript $(i)$ for simplicity. We reintroduce the superscripts when we combine all matrices $G^{(i)}$ into a matrix $G$. Our goal is to define $G^{(i)}$ and $b^{(i)}$ such that every binary solution of $G^{(i)}s = b^{(i)} \pmod 4$ encodes a valid evaluation of the circuit $\mathcal{C}_i$. Without loss of generality, we assume that the in-degree of every non-input node is two (see Section 1.3). Let $p_1(j)$ be the index of the first, in the topological ordering, predecessor of the node $v_j$ and $p_2(j)$ be the index of the second. Since nodes are indexed in topological ordering, we have that $p_1(j) < p_2(j) < j$. Every row of $G^{(i)}$ corresponds to a node $v_j$ of $\mathcal{G}^{(i)}$ with $n < j \le d_i$, and contains the coefficients of the variables in a modular equation depending on the label of $v_j$. The modular equations for the different types of gates appear in Table 4.2. The label of node $v_{d_i - j}$ also defines the $j$-th element of $b^{(i)}$ according to Table 4.2. The correctness of these equations is shown in Claim 4.3.4. The proof of Claim 4.3.4 consists of a simple enumeration of the different values of the boolean variables and is deferred to Appendix A.1.

Claim 4.3.4. Let $x, y, z, w \in \{0,1\}$; then the following equivalences hold:
1. $w + 2z - x - y = 2 \pmod 4 \iff x \bar{\wedge} y = z$ and $w = x \oplus y$;
2. $w + 2z - x - y = 3 \pmod 4 \iff x \bar{\vee} y = z$ and $w = \neg(x \oplus y)$;
3. $z + 2w - x - y = 0 \pmod 4 \iff x \oplus y = z$ and $w = x \wedge y$;
4. $w + 2z - x - y = 0 \pmod 4 \iff x \wedge y = z$ and $w = x \oplus y$;
5. $w + 2z + x + y = 0 \pmod 4 \iff x \vee y = z$ and $w = x \oplus y$.

So, each column of $G^{(i)}$ corresponds to a variable, each row of $G^{(i)}$ corresponds to a modular equation, and $b^{(i)}$ is defined based on the label of each node of $\mathcal{G}^{(i)}$. The order of both the rows and the columns is specified by the topological sorting of $\mathcal{G}^{(i)}$. The rows correspond to the nodes in reverse topological order. Specifically, the first row of $G^{(i)}$ describes the equation corresponding to node $v^{(i)}_{d_i}$ (the output node of $\mathcal{G}^{(i)}$), and the second row of $G^{(i)}$ describes the equation corresponding to node $v^{(i)}_{d_i - 1}$. In general, the $k$-th row of $G^{(i)}$ describes the equation corresponding to node $v^{(i)}_{d_i - k}$. We emphasize that, since there are no equations for the input nodes of $\mathcal{G}^{(i)}$, we have $d_i - n$ equations in total, which is equal to the number of gates of $\mathcal{C}_i$. Similarly, the order of the columns corresponds to the reverse topological ordering of $\mathcal{G}^{(i)}$. The first two columns correspond to the variables $z_{d_i}, r_{d_i}$ of the output node $v_{d_i}$, followed by all pairs of columns corresponding to the variables of the non-input nodes of $\mathcal{G}^{(i)}$. Among the two columns of each node, the first corresponds to the auxiliary variable and the second to the value variable, unless the label of the node is “$\oplus$”. In the “$\oplus$” case, the first corresponds to the value variable and the second to the auxiliary variable. Finally, $G^{(i)}$ has $2n$ columns for the variables of the input nodes of $\mathcal{G}^{(i)}$. The first $n$ of these columns correspond to the value variables of the input nodes and the remaining columns correspond to the auxiliary variables. These rules completely define the matrix $G^{(i)}$ (see Table 4.3 for an illustration). Before defining the final matrix $G$, which combines all $G^{(i)}$, we state and prove some basic properties of $G^{(i)}$.

Claim 4.3.5. The matrix G(i) is binary invertible.

                        $r_{d_i}$  $z_{d_i}$  $r_{d_i-1}$  $z_{d_i-1}$  ...  $r_{n+1}$  $z_{n+1}$  $x_n$ ... $x_1$  $w_n$ ... $w_1$
eq. of $v_{d_i}$            1          2           ?            ?       ...      ?          ?        ?   ...   ?      0   ...   0
eq. of $v_{d_i-1}$          0          0           1            2       ...      ?          ?        ?   ...   ?      0   ...   0
...
eq. of $v_{n+1}$            0          0           0            0       ...      1          2        ?   ...   ?      0   ...   0

Table 4.3: Illustration of the matrix $G^{(i)}$ (assuming that $\mathcal{C}_i$ has no “$\oplus$” gates).

Proof of Claim 4.3.5. The dimension of $G^{(i)}$ is $(d_i - n) \times 2d_i$. From the order of rows and columns of $G^{(i)}$ and the equations of Table 4.2, the vector $\gamma_2^T = [1\ 2]$ appears on the diagonal of $G^{(i)}$. Namely, the elements of the diagonal of $G^{(i)}$ are equal to $1$ and the elements of the diagonal above it are equal to $2$. The only other non-zero elements in the $k$-th row of $G^{(i)}$, which corresponds to node $v^{(i)}_{d_i - k}$, appear in the columns corresponding to $v^{(i)}_{p_1(d_i - k)}$ and $v^{(i)}_{p_2(d_i - k)}$. We remind that $p_1(j)$ and $p_2(j)$ return the two input nodes of $v_j$ in topological order. But, by construction, $v^{(i)}_{p_1(d_i - k)}$ and $v^{(i)}_{p_2(d_i - k)}$ always precede $v^{(i)}_{d_i - k}$ in the topological ordering of $\mathcal{G}^{(i)}$. Therefore, their corresponding columns come after the columns of $v^{(i)}_{d_i - k}$. Hence, all other non-zero elements of $G^{(i)}$ lie above its 3rd diagonal. This implies that $G^{(i)}$ has the form $[(I_{d_i - n} \otimes \gamma_2^T + U^{(d_i - n) \times 2(d_i - n)}) \mid V^{(d_i - n) \times 2n}]$, where $U^{(d_i - n) \times 2(d_i - n)}$ has non-zero elements only above the 3rd diagonal. Hence, $G^{(i)}$ is binary invertible.

Claim 4.3.6. Let $s \in \{0,1\}^{2d_i}$ be a binary solution to the modular linear system $G^{(i)}s = b^{(i)} \pmod 4$. Let $\underline{x}$ be the binary string consisting of the value variables of the input nodes, i.e. $\underline{x} = (s_{2d_i - n}, s_{2d_i - n - 1}, \ldots, s_{2d_i - 2n + 1})$. Then, the second coordinate $s_2$ of $s$ is equal to $\mathcal{C}_i(\underline{x})$, i.e. $s_2 = \mathcal{C}_i(\underline{x})$.

Proof of Claim 4.3.6. We inductively prove that the value of the coordinate $s_{2d_i - 2j + 2}$ of $s$, which corresponds to the value variable of $v_j$, is equal to the value of the non-input node $v_j$ in $\mathcal{G}^{(i)}$ in the evaluation of $\mathcal{C}_i(\underline{x})$.

Induction Base. From the definition of $\underline{x}$, the coordinates $(s_{2d_i - 2n + 1}, \ldots, s_{2d_i - n})$ are equal to the input values.

Inductive Hypothesis. Assume that for any $k$ such that $n < k < j$ the value of the coordinate $s_{2d_i - 2k + 2}$ of $s$ is equal to the value of the non-input node $v_k$ in $\mathcal{G}^{(i)}$ in the evaluation of $\mathcal{C}_i(\underline{x})$.

Inductive Step. The vector $s$ has to satisfy the $(d_i - n - j + 1)$-th modular equation of the system $G^{(i)}s = b^{(i)} \pmod 4$. Without loss of generality, we assume that the label of $v_j$ is “$\bar{\wedge}$”. This equation then states that $s_{2d_i - 2j + 1} + 2s_{2d_i - 2j + 2} - s_{2d_i - 2p_1(j) + 2} - s_{2d_i - 2p_2(j) + 2} = 2 \pmod 4$, and by Claim 4.3.4 we get that

$$
s_{2d_i - 2j + 2} = s_{2d_i - 2p_1(j) + 2}\ \bar{\wedge}\ s_{2d_i - 2p_2(j) + 2}. \qquad (4.3.1)
$$

But, from the inductive hypothesis we know that $s_{2d_i - 2p_1(j) + 2}$ and $s_{2d_i - 2p_2(j) + 2}$ take the correct values of $v_{p_1(j)}$ and $v_{p_2(j)}$ in the evaluation of $\mathcal{C}_i(\underline{x})$. Hence, from Equation (4.3.1) we immediately get that $s_{2d_i - 2j + 2}$ takes the value of node $v_j$. Similarly, the inductive step holds for all other possible labels of $v_j$.

Finally, for $j = d_i$ we get that $s_2 = \mathcal{C}_i(\underline{x})$.
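The gate equations of Table 4.2 and Claim 4.3.4, and the encoding of a single circuit $\mathcal{C}_i$ into $G^{(i)}, b^{(i)}$ checked against Claim 4.3.6, as an added example that is not the thesis's own code: it verifies the five equivalences by enumeration, builds $G^{(i)}$ and $b^{(i)}$ with the row and column order of Table 4.3 (value column first for $\oplus$ gates), and confirms on every binary solution of $G^{(i)}s = b^{(i)} \pmod 4$ that the value coordinate of the output node equals $\mathcal{C}_i(\underline{x})$. The sample circuit and the brute-force enumeration of solutions are constructed for this illustration.

```python
from itertools import product

Q = 4  # ell = 2, q = 4, as in the proof of Lemma 4.3.3

# One entry per label, following Table 4.2 / Claim 4.3.4:
# (coef of aux w, coef of value z, coef of x, coef of y, right-hand side,
#  z = f(x, y), w = g(x, y)); negative coefficients are reduced mod 4 when placed in G.
GATES = {
    "NAND": (1, 2, -1, -1, 2, lambda x, y: 1 - (x & y), lambda x, y: x ^ y),
    "NOR":  (1, 2, -1, -1, 3, lambda x, y: 1 - (x | y), lambda x, y: 1 - (x ^ y)),
    "XOR":  (2, 1, -1, -1, 0, lambda x, y: x ^ y,       lambda x, y: x & y),
    "AND":  (1, 2, -1, -1, 0, lambda x, y: x & y,       lambda x, y: x ^ y),
    "OR":   (1, 2,  1,  1, 0, lambda x, y: x | y,       lambda x, y: x ^ y),
}


def verify_claim_434():
    """Claim 4.3.4 by enumeration: each equation holds iff z = f(x, y) and w = g(x, y)."""
    for cw, cz, cx, cy, rhs, f, g in GATES.values():
        for x, y, z, w in product((0, 1), repeat=4):
            holds = (cw * w + cz * z + cx * x + cy * y - rhs) % Q == 0
            if holds != (z == f(x, y) and w == g(x, y)):
                return False
    return True


def evaluate(n, gates, xbits):
    """C_i(x): nodes 1..n are the inputs; gates[j - n - 1] = (label, p1, p2) is node j
    for j = n+1, ..., d_i in topological order; the last node is the output."""
    val = {j + 1: xbits[j] for j in range(n)}
    for j, (label, p1, p2) in enumerate(gates, start=n + 1):
        val[j] = GATES[label][5](val[p1], val[p2])
    return val[n + len(gates)]


def value_col(n, gates, j):
    """0-indexed column of the value variable of node j (Table 4.3 order): pairs
    (r_j, z_j) for j = d_i, ..., n+1, value first only for XOR, then x_n..x_1, then w's."""
    di = n + len(gates)
    if j <= n:
        return 2 * (di - n) + (n - j)
    off = 2 * (di - j)
    return off if gates[j - n - 1][0] == "XOR" else off + 1


def aux_col(n, gates, j):
    """0-indexed column of the auxiliary variable of a non-input node j."""
    off = 2 * (n + len(gates) - j)
    return off + 1 if gates[j - n - 1][0] == "XOR" else off


def encode_circuit(n, gates):
    """G^(i) in Z_4^{(d_i - n) x 2 d_i} and b^(i); 0-indexed row k holds the equation of
    node v_{d_i - k}, so row 0 belongs to the output node."""
    di = n + len(gates)
    G = [[0] * (2 * di) for _ in range(di - n)]
    b = [0] * (di - n)
    for j, (label, p1, p2) in enumerate(gates, start=n + 1):
        cw, cz, cx, cy, rhs = GATES[label][:5]
        row = di - j
        G[row][aux_col(n, gates, j)] = cw
        G[row][value_col(n, gates, j)] = cz
        G[row][value_col(n, gates, p1)] = (G[row][value_col(n, gates, p1)] + cx) % Q
        G[row][value_col(n, gates, p2)] = (G[row][value_col(n, gates, p2)] + cy) % Q
        b[row] = rhs
    return G, b


def binary_solutions(G, b):
    """All s in {0,1}^cols with G s = b (mod 4); fine for the toy sizes used here."""
    return [s for s in product((0, 1), repeat=len(G[0]))
            if all(sum(g * v for g, v in zip(row, s)) % Q == rhs for row, rhs in zip(G, b))]


def check_claim_436(n, gates):
    """Claim 4.3.6 on every binary solution: the output node's value coordinate (s_2 when
    the output gate is not XOR) equals C_i(x) for x = (s_{2d_i-n}, ..., s_{2d_i-2n+1}).
    Returns (all consistent, number of solutions); the count is 4^n because r' = (x, w)
    is free and, by Proposition 4.3.1 with q = 2^ell, fixes the gate variables uniquely."""
    di = n + len(gates)
    G, b = encode_circuit(n, gates)
    sols = binary_solutions(G, b)
    out = value_col(n, gates, di)
    for s in sols:
        x = [s[2 * di - n - j] for j in range(1, n + 1)]  # x_j = s_{2d_i - n - j + 1}
        if s[out] != evaluate(n, gates, x):
            return False, len(sols)
    return True, len(sols)


# Constructed sample circuit (n = 2 inputs, d_i = 7) using all five gate types;
# its output is 1 exactly on input (x_1, x_2) = (1, 0).
SAMPLE = (2, [("AND", 1, 2), ("OR", 1, 2), ("XOR", 3, 4), ("NAND", 1, 5), ("NOR", 3, 6)])

if __name__ == "__main__":
    print(verify_claim_434(), check_claim_436(*SAMPLE))
```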

We now describe the matrix $G$ and the vector $b$. We remind that $d_i = |\mathcal{C}_i|$ and we let $d'_i = d_i - n$ be the number of gates of $\mathcal{C}_i$. Let $d = \sum_{i=1}^n d'_i$ be the number of gates of $\mathcal{C}$. From Claim 4.3.5, the $G^{(i)}$ are binary invertible matrices, and hence they have the following form:

$$
G^{(i)} = \left[\, I_{d'_i} \otimes \gamma_2^T + U^{(i)} \;\middle|\; V^{(i)} \,\right]. \qquad (4.3.2)
$$

The matrix $G$ is of dimension $d \times 2(d + n)$ and is equal to

$$
G = \left[\begin{array}{cccc|c}
I_{d'_1} \otimes \gamma_2^T + U^{(1)} & 0 & \cdots & 0 & V^{(1)} \\
0 & I_{d'_2} \otimes \gamma_2^T + U^{(2)} & \cdots & 0 & V^{(2)} \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & \cdots & I_{d'_n} \otimes \gamma_2^T + U^{(n)} & V^{(n)}
\end{array}\right] \qquad (4.3.3)
$$

The vector $b$ is

$$
b = \begin{bmatrix} b^{(1)} \\ b^{(2)} \\ \vdots \\ b^{(n)} \end{bmatrix}. \qquad (4.3.4)
$$

Table 4.4: Illustration of the matrix $A$ (assuming that $\mathcal{C}$ has no "$\oplus$" gates).

          r^(1)_{d_1}  z^(1)_{d_1}  ...  r^(2)_{d_2}  z^(2)_{d_2}  ...  r^(n)_{d_n}  z^(n)_{d_n}   x_n ... x_1   w_n ... w_1
    y_1        0            1        ...       0            0        ...       0            0         0 ... 0       2 ... 0
    y_2        0            0        ...       0            1        ...       0            0         0 ... 0       0 ... 0
    ...
    y_n        0            0        ...       0            0        ...       0            1         0 ... 0       0 ... 2

From Claim 4.3.5, G is binary invertible. Additionally, the following claim is a simple corollary of Equation (4.3.3) and Equation (4.3.4) and Claim 4.3.6.

Claim 4.3.7. Let $s \in \{0,1\}^{2(d+n)}$ be a binary solution to the modular linear system $Gs = b \pmod 4$. Let $\underline{x}$ be the binary string that contains the value variables of the input nodes, i.e. $\underline{x} = (s_{2d+n}, s_{2d+n-1}, \ldots, s_{2d+1})$, and let $\underline{z}$ be the binary string that contains the value variables of the output nodes, i.e. $\underline{z} = (s_{k_1}, s_{k_2}, \ldots, s_{k_n})$, where $k_i = 2 + \sum_{j<i} d'_j$. Then, $\underline{z} = \mathcal{C}(\underline{x})$.

To complete the description of the cSIS instance, we define the matrix $A$. The matrix $A$ is of dimension $n \times 2(d+n)$ and is the concatenation of three matrices $A_1 \in \mathbb{Z}_q^{n\times 2d}$, $A_2 \in \mathbb{Z}_q^{n\times n}$, $A_3 \in \mathbb{Z}_q^{n\times n}$, such that $A = [\,A_1 \; A_2 \; A_3\,]$. Each row of $A_1$ corresponds to an output of $\mathcal{C}$ and has a single 1 in the position $(i, k_i)$, where $k_i = 2 + \sum_{j<i} d'_j$

for each output of $\mathcal{C}$. The matrix $A$ has non-zero elements only in the columns corresponding to the $n$ outputs of $\mathcal{C}$. Hence, if the binary vector $x$ encodes a valid evaluation of $\mathcal{C}$ with input $\underline{x}$, then $Ax = \mathcal{C}(\underline{x})$. The output of cSIS on input $(A, G, b)$ is one of the following:

1. a vector $s \in \{0,1\}^{2(n+s)}$ such that $s \in \Lambda_4^\perp(A)$ and $Gs \equiv b \pmod 4$.

Let $\underline{x} \in \{0,1\}^n$ and $\underline{y} \in \{0,1\}^n$ be the $n$ input and $n$ output coordinates of $s$ respectively, i.e. $\underline{x} = (s_{2d+n}, \ldots, s_{2d+1})$ and $\underline{y} = (s_{k_1}, \ldots, s_{k_n})$, with $k_i = 2 + \sum_{j<i} d'_j$. Let $\underline{w} \in \{0,1\}^n$ be the $n$ last coordinates of $s$. Then, since each row of $A$ has exactly a single coordinate equal to 1, corresponding to a value in $\underline{y}$, and a single coordinate equal to 2, corresponding to a coordinate in $\underline{w}$, $As = 0 \pmod 4$ implies that $\underline{y} = 0$ and $\underline{w} = 0$. Finally, from Claim 4.3.7 $\mathcal{C}(\underline{x}) = \underline{y}$, which in turn implies that $\mathcal{C}(\underline{x}) = 0$. Hence, $\underline{x}$ is a valid solution to PIGEONHOLE CIRCUIT with input $\mathcal{C}$.

2. two vectors $s, t \in \{0,1\}^{2(n+s)}$, such that $s \neq t$, $s - t \in \Lambda_4^\perp(A)$ and $Gs \equiv b \pmod 4$, $Gt \equiv b \pmod 4$.

Let $\underline{x}_1, \underline{x}_2 \in \{0,1\}^n$ and $\underline{y}_1, \underline{y}_2 \in \{0,1\}^n$ be the $n$ input and $n$ output coordinates of $s$ and $t$ respectively, i.e. $\underline{x}_1 = (s_{2d+n}, \ldots, s_{2d+1})$, $\underline{y}_1 = (s_{k_1}, \ldots, s_{k_n})$ and $\underline{x}_2 = (t_{2d+n}, \ldots, t_{2d+1})$, $\underline{y}_2 = (t_{k_1}, \ldots, t_{k_n})$. Let also $\underline{w}_1 \in \{0,1\}^n$ and $\underline{w}_2 \in \{0,1\}^n$ be the $n$ last coordinates of $s$ and $t$ respectively. Then, $A(s - t) = 0 \pmod 4$ implies $\underline{y}_1 = \underline{y}_2$ and $\underline{w}_1 = \underline{w}_2$. From $\underline{w}_1 = \underline{w}_2$, $s \neq t$ and the uniqueness guaranteed by Proposition 4.3.1, we conclude that $\underline{x}_1 \neq \underline{x}_2$. Also, from Claim 4.3.7 $\mathcal{C}(\underline{x}_1) = \underline{y}_1$, $\mathcal{C}(\underline{x}_2) = \underline{y}_2$. Finally, since $\underline{y}_1 = \underline{y}_2$ we get that $\mathcal{C}(\underline{x}_1) = \mathcal{C}(\underline{x}_2)$ with $\underline{x}_1 \neq \underline{x}_2$. Therefore, the pair $\underline{x}_1, \underline{x}_2$ is a valid solution to PIGEONHOLE CIRCUIT with input $\mathcal{C}$.

We can extend the hardness proof for the case $q = 2^\ell$ by appropriately augmenting $A$ and $G$. We introduce $\ell$ variables for every node of $\mathcal{C}$. One of them is still the value variable and the rest $\ell - 1$ are auxiliary variables. We also concatenate a zero matrix of size $s \times (\ell-1)(n+s)$ on the right of $G$. For the matrix $A \in \mathbb{Z}^{n \times \ell(n+s)}$, we concatenate $\ell - 1$ matrices of the form $2^i I$ for $i \in \{2, 3, 4, \ldots, \ell\}$ on the right.

Figure 4-2: A simple example of the construction of Lemma 4.3.3.

The vector $b$ remains the same. The new tuple is still a valid input for cSIS, since the parameters are appropriately set and $G$ remains binary invertible. Since only zero entries on the right have been added to the matrix $G$, the matrix $G$ still describes the circuit $\mathcal{C}$ as in the case $q = 4$. Finally, let $x \in \{0,1\}^{\ell(n+s)}$ such that $Ax = 0 \pmod 4$; then the last $(\ell-1)n$ coordinates of $x$ must be 0. Hence, the hardness follows.

Combining Lemma 4.3.2 and Lemma 4.3.3, we prove our main theorem.

Theorem 4.3.8. The cSIS problem is PPP-complete.

We provide an example of our reduction for simple circuit 풞 in Figure 4-2.

4.4 Towards universal collision-resistant hashing

The similarities between the cSIS problem and SIS raise the question of whether cSIS has cryptographic applications. In this section, we propose a candidate family of collision-resistant hash (CRH) functions based on the average-case hardness of the cSIS problem, and also discuss its worst-case hardness. The computational problem weak-cSIS associated with our collision-resistant hash function family is a variant of cSIS. In this case, the modular constraints are homogeneous, i.e. $b = 0$, and the inequality constraints on the dimension of the matrices are strict. This change in the parameters might seem insignificant, but it is actually important since it transforms the problem into a purely lattice problem: On input matrices $A, G$ with corresponding bases $B_A$ and $B_G$, where $G$ is binary invertible, find two vectors $x$ and $y$ such that $x, y \in \mathcal{L}(B_G)$ and $x - y \in \mathcal{L}(B_A)$. Showing that the SIS problem is PWPP-complete would have impressive applications in cryptography. We overcome the first barrier towards this direction by showing that a lattice problem is PPP-complete.

Before defining weak-cSIS and our candidate CRH family, we formally define collision-resistant hash functions.

Collision-Resistant Hash Functions: Let $\kappa$ be the security parameter. A family of functions
$$\mathcal{H} = \left\{ H_{\underline{s}} : \{0,1\}^\kappa \to \{0,1\}^{p(\kappa)} \right\}_{\underline{s} \in \{0,1\}^{p'(\kappa)}}$$
where $p(\kappa)$ and $p'(\kappa)$ are polynomials, is collision-resistant if:

(Shrinking) The output of $H_{\underline{s}}$ is smaller than its input. Namely, $p(\kappa) < \kappa$.

(Efficient Sampling) There exists a probabilistic polynomial-time algorithm Gen that on input $1^\kappa$ samples a uniform key $\underline{s}$.

(Efficient Evaluation) There exists a deterministic polynomial-time algorithm that on input a key $\underline{s}$ and an $\underline{x} \in \{0,1\}^\kappa$ outputs $H_{\underline{s}}(\underline{x}) \in \{0,1\}^{p(\kappa)}$.

(Collision-Resistance) For any probabilistic polynomial-time adversary $\mathcal{A}$, there exists a negligible function $\nu(\kappa) = \mathrm{negl}(\kappa)$, such that for any $\kappa \in \mathbb{Z}^+$:
$$\Pr_{\underline{s} \leftarrow \mathrm{Gen}(1^\kappa)}\left[ (\underline{x}_1, \underline{x}_2) \leftarrow \mathcal{A}(1^\kappa, \underline{s}) \text{ s.t. } \underline{x}_1 \neq \underline{x}_2 \text{ and } H_{\underline{s}}(\underline{x}_1) = H_{\underline{s}}(\underline{x}_2) \right] \le \nu(\kappa).$$

Next, we define our new CRH function family with security parameter $\kappa$. Let $\ell \in \mathbb{Z}^+$, $q = 2^\ell$ and $d \in \mathbb{Z}^+$ be parameters, and let $r = \mathrm{poly}(\kappa)$ such that $r\ell < \kappa$. The family of hash functions,
$$\mathcal{H}_{\mathrm{cSIS}} = \left\{ H_{\underline{s}} : \{0,1\}^\kappa \to \{0,1\}^{r\ell} \right\}_{\underline{s} \in \{0,1\}^{p(\kappa)}}$$
is defined as follows.

- $\mathrm{Gen}_{\mathrm{cSIS}}(1^\kappa)$ samples a uniform $\underline{s} \in \{0,1\}^{p(\kappa)}$ and interprets it as a uniform matrix $A \in \mathbb{Z}_q^{r \times (\kappa + \ell d)}$ and a uniformly chosen binary invertible matrix $G \in \mathbb{Z}_q^{d \times (\kappa + \ell d)}$. This algorithm runs in polynomial time in $\kappa$.

- $H_{(A,G)}(\underline{x})$: On input $\underline{x} \in \{0,1\}^\kappa$, $H_{(A,G)}(\underline{x})$ computes the unique $\underline{u} \in \{0,1\}^{\ell d}$ such that $G \begin{bmatrix} \underline{u} \\ \underline{x} \end{bmatrix} = 0 \pmod q$ as in Proposition 4.3.1, and outputs the binary vector $\mathrm{bd}\!\left(A \begin{bmatrix} \underline{u} \\ \underline{x} \end{bmatrix} \pmod q\right)$.

Remark 4.4.1. We remark that if SIS is hard, then $\mathcal{H}_{\mathrm{cSIS}}$ is collision-resistant. In fact, a more general statement holds: if cSIS with $b = 0$ is hard on average, then $\mathcal{H}_{\mathrm{cSIS}}$ is collision-resistant. Finally, we assume that $\ell \ge 2$, since for $\ell = 1$ we can solve the modular linear system consisting of $A$ and $G$. When $\ell = 1$, this system has $r + d < \kappa + d$ equations and $\kappa + d$ variables. Hence, in this case finding collisions is trivial.

We define the problem weak-cSIS, which is of a similar nature to cSIS, in order to analyze the hardness of finding collisions in the $\mathcal{H}_{\mathrm{cSIS}}$ family. First, we consider its worst-case hardness and draw connections between the family $\mathcal{H}_{\mathrm{cSIS}}$, a restricted version of the cSIS problem, and the complexity class PWPP. Then, we move on to the average-case hardness of weak-cSIS and argue that it defines a candidate universal CRH function family.

weak-cSIS Problem.
Input: A key $\underline{s} = (A, G) \in \mathbb{Z}_q^{r \times (\ell d + \kappa)} \times \mathbb{Z}_q^{d \times (\ell d + \kappa)}$ that indexes $H_{\underline{s}} \in \mathcal{H}_{\mathrm{cSIS}}$.
Output: Two boolean vectors $\underline{x}_1 \neq \underline{x}_2$, such that $H_{\underline{s}}(\underline{x}_1) = H_{\underline{s}}(\underline{x}_2)$.

Even though the definition of SIS appears in Section 3.1, we repeat it using similar notation to weak-cSIS to allow for a better comparison.

$\mathrm{SIS}^p_{n,m,q,\beta}$ Problem.
Input: A uniformly random matrix $A \in \mathbb{Z}_q^{n \times m}$, where $m > 2n\log(q)$.
Output: A vector $r \in \mathbb{Z}_q^m$ such that $\|r\|_p \le \beta$ and $Ar = 0 \pmod q$.

For ease of notation, whenever the parameters are clear from the context, we ignore them.

Worst-case Hardness of $\mathcal{H}_{\mathrm{cSIS}}$. The Polynomial Weak Pigeon Principle (PWPP) class, which is a subclass of PPP, is particularly interesting for cryptography because it contains all collision-resistant hash functions. In this part, we show that weak-cSIS is complete for the class PWPP. The membership of weak-cSIS in PWPP is simple. Showing the PWPP-hardness of weak-cSIS is more challenging and requires some ideas similar to Lemma 4.3.3.

Lemma 4.4.2. weak-cSIS is in PWPP.

Proof. We show a Karp-reduction from weak-cSIS to COLLISION. Let $\underline{s}$ be an input to weak-cSIS and let $\mathcal{C}$ be the $\mathrm{poly}(|\underline{s}|)$-size circuit that on input $\underline{x}$ outputs $H_{\underline{s}}(\underline{x})$. Because $r\ell < \kappa$, the circuit $\mathcal{C}$ is a valid input to COLLISION. Let $\underline{x}_1, \underline{x}_2$ be the two boolean vectors that COLLISION outputs. Since $\mathcal{C}(\underline{x}_1) = \mathcal{C}(\underline{x}_2)$, the pair of vectors $(\underline{x}_1, \underline{x}_2)$ is a solution of weak-cSIS with input $\underline{s}$.

For the hardness proof, even though some of the proof techniques are reminiscent of the ones in Section 4.3, we require additional ideas due to the homogeneity of the constraints in weak-cSIS. We first define a special version of the COLLISION problem.

$\mathrm{COLLISION}_{p(\lambda)}$ Problem.
Input: A circuit $\mathcal{C}$ with $\lambda$ inputs and $p(\lambda) < \lambda$ outputs.
Output: Two boolean vectors $\underline{x}_1 \neq \underline{x}_2$, such that $\mathcal{C}(\underline{x}_1) = \mathcal{C}(\underline{x}_2)$.

The following lemma has appeared in various previous works (e.g. Lemma 2.2 in [104]), but it is useful for us to state and prove it using our notation. The lemma naturally generalizes to any polynomial shrinkage p(λ) of the input by repeating the same construction. For our purposes, shrinking the input by two bits is enough.

Lemma 4.4.3. The COLLISION problem is Karp-reducible to $\mathrm{COLLISION}_{\lambda-2}$.

Proof. It suffices to show that the $\mathrm{COLLISION}_{\lambda-1}$ problem is Karp-reducible to the $\mathrm{COLLISION}_{\lambda-2}$ problem, since every circuit $\mathcal{C} : \{0,1\}^n \to \{0,1\}^m$ with $m < n$ can be transformed into a circuit $\mathcal{C}' : \{0,1\}^n \to \{0,1\}^{n-1}$ by padding the output with zeros. We note that every collision of $\mathcal{C}'$ is a collision of $\mathcal{C}$. Let $\mathcal{C} : \{0,1\}^n \to \{0,1\}^{n-1}$; we create a new circuit $\mathcal{C}' : \{0,1\}^{n+1} \to \{0,1\}^n$ such that $\mathcal{C}'(\underline{x}, b) = \mathcal{C}(\mathcal{C}(\underline{x}), b)$, where $\underline{x} \in \{0,1\}^n$ and $b \in \{0,1\}$. Then, let $\underline{y}_1 = (\underline{x}_1, b_1)$ and $\underline{y}_2 = (\underline{x}_2, b_2)$ such that $\underline{y}_1 \neq \underline{y}_2$ and $\mathcal{C}'(\underline{y}_1) = \mathcal{C}'(\underline{y}_2)$ be the output of $\mathrm{COLLISION}_{\lambda-2}$ on input $\mathcal{C}'$. We consider the following possible cases:

- $b_1 \neq b_2$, then $\underline{y}_1$ and $\underline{y}_2$ form a collision for $\mathcal{C}$.
- $b_1 = b_2$, then $\underline{x}_1 \neq \underline{x}_2$ and one of the following holds: $\mathcal{C}(\underline{x}_1) \neq \mathcal{C}(\underline{x}_2)$ or $\mathcal{C}(\underline{x}_1) = \mathcal{C}(\underline{x}_2)$. In the first case, $\underline{y}_1$ and $\underline{y}_2$ form a collision for $\mathcal{C}$. Otherwise, $\underline{x}_1$ and $\underline{x}_2$ form a collision for $\mathcal{C}$.

Lemma 4.4.4. weak-cSIS is PWPP-hard.

Proof. It suffices to show a Karp-reduction from $\mathrm{COLLISION}_{\lambda-2}$ to weak-cSIS, as shown in Lemma 4.4.3. Let $\mathcal{C} : \{0,1\}^n \to \{0,1\}^r$ be an input of $\mathrm{COLLISION}_{\lambda-2}$ with $r = n - 2$ outputs and $d$ gates. Let $q = 4$. We can generalize to any $q = 2^\ell$ with $\ell > 1$ similarly to the proof of Lemma 4.3.3. If $H_{\underline{s}}$ on input $\underline{x}$ computed $\underline{u}$ to be the unique binary vector such that $G \begin{bmatrix} \underline{u} \\ \underline{x} \end{bmatrix} = 2 \pmod 4$, then the proof would follow exactly the same steps as in Lemma 4.3.3. However, we need to prove a stronger statement, where $\begin{bmatrix} \underline{u} \\ \underline{x} \end{bmatrix}$ belongs to the lattice $\Lambda^\perp(G)$. We need the following parts of Claim 4.3.4.

Claim 4.4.5. The following equivalences hold:

∙ $z + 2w - x - y = 0 \pmod 4 \;\Leftrightarrow\; x \oplus y = z,\ w = x \wedge y$,
∙ $w + 2z + x + y = 0 \pmod 4 \;\Leftrightarrow\; x \vee y = z,\ w = x \oplus y$.

If we could implement a circuit using only $\{\oplus, \vee\}$, then combining Claim 4.4.5 and the proof techniques of Lemma 4.3.3, the lemma would follow. Even though not every circuit can be written with only $\{\oplus, \vee\}$ gates, we construct a valid input $\underline{s} = (A, G)$ for weak-cSIS where $G$ encodes a circuit consisting of only XOR and OR gates and every solution gives a solution for $\mathrm{COLLISION}_{\lambda-2}$ with input $\mathcal{C}$. Without loss of generality, we assume that $\mathcal{C}$ consists of only $\{\vee, \oplus, 1\}$ gates, because $\bar\vee$ is a universal gate and $(x \vee y) \oplus 1 = x \,\bar\vee\, y$. We construct a circuit $\mathcal{C}'$ consisting of only $\{\oplus, \vee\}$ gates which satisfies a special condition between collisions of $\mathcal{C}'$ and collisions of $\mathcal{C}$. The circuit $\mathcal{C}'$ first computes the OR of all the inputs, $z = x_1 \vee x_2 \vee \cdots \vee x_n$. Then, in the circuit's graph we substitute the outgoing edges of nodes with label "1" with outgoing edges from the node $z$. Namely, we substitute the constant "1" with $z$. Hence, $\mathcal{C}'$ only contains $\{\vee, \oplus\}$ gates. The following claim shows the relation between $\mathcal{C}'$ and $\mathcal{C}$. In particular, it implies that every collision of $\mathcal{C}'$ with $\underline{x}_1 \neq \underline{0}$ and $\underline{x}_2 \neq \underline{0}$ is a collision of $\mathcal{C}$.

Claim 4.4.6. It holds that $\mathcal{C}'(\underline{0}) = \underline{0}$ and for every $\underline{x} \in \{0,1\}^n \setminus \{\underline{0}\}$, $\mathcal{C}'(\underline{x}) = \mathcal{C}(\underline{x})$.

Proof. Let $\underline{x} \in \{0,1\}^n \setminus \{\underline{0}\}$; then for this input the value of the node $z$ is 1. Since we replace all 1 gates with the output of $z$, the evaluation of the circuit remains the same. Also, any circuit with only $\{\vee, \oplus\}$ gates on input $\underline{0}$ always outputs $\underline{0}$. Hence, $\mathcal{C}'(\underline{0}) = \underline{0}$.

Let $A \in \mathbb{Z}_q^{r \times 2(n+r)}$ and $G \in \mathbb{Z}_q^{d \times 2(n+r)}$ be as in Lemma 4.3.3. In particular, $G$ is a binary invertible matrix that encodes $\mathcal{C}'$. Since $\mathcal{C}'$ contains only gates $\{\vee, \oplus\}$, the vector $b$ in the reduction of Lemma 4.3.3 is $0$. Thus, $(A, G)$ is a valid input for the problem weak-cSIS. Let $(\underline{x}_1, \underline{x}_2)$ be a solution of weak-cSIS with $\underline{x}_1 \neq \underline{0}$ and $\underline{x}_2 \neq \underline{0}$; then the pair $\underline{x}_1$ and $\underline{x}_2$ is a collision for $\mathcal{C}$. But, we cannot guarantee that the output of weak-cSIS on input $\mathcal{C}'$ satisfies $\underline{x}_1 \neq \underline{0}$ and $\underline{x}_2 \neq \underline{0}$. Thus, we need a modification of $\mathcal{C}'$ that guarantees that the vector $\underline{0}$ does not appear in any solution of weak-cSIS. To achieve this, we construct a new circuit $\mathcal{C}''$ that is exactly the same as $\mathcal{C}'$ with one more output variable set to be equal to $z = x_1 \vee x_2 \vee \ldots \vee x_n$. This last output of $\mathcal{C}''$ is equal to 1 if and only if $\underline{x} \neq \underline{0}$. The output of $\mathcal{C}''$ consists of $n - 1$ bits, and hence $\mathcal{C}''$ is still compressing. We remark that, since $r = n - 2$, the circuit $\mathcal{C}$ has at least $3 \cdot 2^n/4$ collision pairs and in particular there exists a collision pair such that $\underline{x}_1 \neq \underline{0}$ and $\underline{x}_2 \neq \underline{0}$.

Let $(A', G')$ be the matrices corresponding to $\mathcal{C}''$ according to the construction of the proof of Lemma 4.3.3; then $\underline{s}' = (A', G')$ is a valid input for weak-cSIS. In conclusion, let $\underline{x}$ and $\underline{y}$ be the output of weak-cSIS on input $\underline{s}'$. There is no collision of the form $\underline{0}$ and $\underline{x}$, since the last bit of $\mathcal{C}''(\underline{0})$ is 0, and for every $\underline{x} \in \{0,1\}^n \setminus \{\underline{0}\}$ the last bit of $\mathcal{C}''(\underline{x})$ is 1. Therefore, $\underline{x} \neq \underline{0}$ and $\underline{y} \neq \underline{0}$, and from Claim 4.4.6 and the construction of $\mathcal{C}''$ it holds that $\mathcal{C}(\underline{x}) = \mathcal{C}(\underline{y})$. Hence, the pair $\underline{x}, \underline{y}$ is a solution to our initial COLLISION instance.

By combining Lemma 4.4.2 and Lemma 4.4.4, we get the following theorem.

Theorem 4.4.7. The weak-cSIS problem is PWPP-complete.

Average-case Hardness of $\mathcal{H}_{\mathrm{cSIS}}$. The weak-cSIS problem defines a worst-case collision-resistant hash function, similarly to the result of [155] for one-way functions. However, the definition of collision-resistance in cryptography requires a stronger property. More specifically, it requires that it is hard to find a collision for a randomly chosen function in the family. We investigate the average-case hardness of $\mathcal{H}_{\mathrm{cSIS}}$ in the search of a candidate natural and universal collision-resistant hash function.

If SIS is hard on the average, then $\mathcal{H}_{\mathrm{cSIS}}$ is collision-resistant. Let $A \in \mathbb{Z}_q^{n \times m}$ be uniformly random and $\underline{x}_1$ and $\underline{x}_2$ be a collision of $H_{(A,0)}$. Then, $\underline{x}_1 - \underline{x}_2$ is a solution of SIS with input $A$. This remark, combined with the known reduction from $\tilde{O}(n)$-SIVP to $\mathrm{SIS}^2_{n,\,\Omega(n\,\mathrm{polylog}(n)),\,\tilde{O}(n),\,\sqrt{n}}$ [126], directly implies a reduction from $\tilde{O}(n)$-SIVP to weak-cSIS.

Corollary 4.4.8. $\tilde{O}(n)$-SIVP is reducible to weak-cSIS, and thus is contained in PWPP.

Finally, we note that, since weak-cSIS is PWPP-complete and PWPP contains all collision-resistant hash functions, the following statement is also true.

Corollary 4.4.9. If there exists a family of collision-resistant hash functions $\mathcal{H}$, then there exists a distribution over keys $\underline{s} \in \{0,1\}^{p(\kappa)}$ for $\mathcal{H}_{\mathrm{cSIS}}$, such that if Gen draws keys from this distribution, $\mathcal{H}_{\mathrm{cSIS}}$ is collision-resistant.

4.5 Natural Complete problem for PMPP

The notion of multi-collision resistance is a natural relaxation of collision resistance, where it is assumed to be hard to find many values that collide to the same output. Multi-collision resistant hashing has recently found many applications in cryptography [111, 26, 110, 23]. Komargodski et al. [110] also defined the TFNP subclass Multi Pigeonhole Principle with a parameter $k$ ($k$-PMPP), which reveals a connection with multi-collision resistant hash functions, similar to the connection between PWPP and collision-resistant hash functions. The class $k$-PMPP consists of all search problems that are Karp-reducible to the computational problem k-COLLISION.

k-COLLISION Problem.
Input: A circuit $\mathcal{C}$ with $n$ inputs and $\lfloor n/2 \rfloor$ outputs.
Output: $k$ distinct vectors $\underline{x}_1, \ldots, \underline{x}_k \in \{0,1\}^n$, such that $\mathcal{C}(\underline{x}_1) = \cdots = \mathcal{C}(\underline{x}_k)$.

We define the problem k-cSIS, which is a relaxation of cSIS, in order to analyze the hardness of finding multi-collisions. Similarly to the case of PWPP and collision- resistant hash, the k-PMPP completeness of k-cSIS defines a candidate universal multi-collision resistant hash function family.

k-cSIS Problem.
Input: A matrix $A \in \mathbb{Z}_{q_1}^{n \times m}$, a binary invertible matrix $G \in \mathbb{Z}_{q_2}^{d \times m}$ and a vector $b \in \mathbb{Z}_{q_2}^d$, where $\ell_1, \ell_2 \in \mathbb{Z}_+$, $q_1, q_2 \in \mathbb{Z}$ with $2 \le q_1 \le 2^{\ell_1}$, $2 \le q_2 \le 2^{\ell_2}$, and $m \ge 2n\ell_1 + d\ell_2$.
Output: Distinct vectors $x_1, \ldots, x_k \in \{0,1\}^m$ such that $Ax_1 = Ax_2 = \cdots = Ax_k \pmod{q_1}$ and $Gx_1 = \cdots = Gx_k = b \pmod{q_2}$.

Notice that in contrast to cSIS and weak-cSIS, the definition of k-cSIS requires two different moduli. This property is used in the proof of Lemma 4.5.2. The following lemmas show that k-cSIS is k-PMPP complete. The proofs are similar to the proofs of Theorem 4.3.8 and Theorem 4.4.7.

Lemma 4.5.1. k-cSIS is in k-PMPP.

Proof. We show a Karp-reduction from k-cSIS to k-COLLISION. Let $(A, G, b)$ be an input to k-cSIS and let $\mathcal{C}$ be the circuit that on input $x \in \{0,1\}^{m - d\ell_2}$ computes $r \in \{0,1\}^{d\ell_2}$ such that $G \begin{bmatrix} r \\ x \end{bmatrix} = b \pmod{q_2}$, as in Proposition 4.3.1, and outputs $A \begin{bmatrix} r \\ x \end{bmatrix} \pmod{q_1}$. Because $m \ge \ell_1 2n + \ell_2 d$, the circuit $\mathcal{C} : \{0,1\}^{m - d\ell_2} \to \{0,1\}^{n\ell_1}$ padded with $\lfloor (m - d\ell_2)/2 \rfloor - n\ell_1$ zeros in the output is a valid k-COLLISION instance. Let $\underline{x}_1, \ldots, \underline{x}_k$ be the $k$ distinct boolean vectors that k-COLLISION outputs. Since $\mathcal{C}(\underline{x}_1) = \cdots = \mathcal{C}(\underline{x}_k)$, these vectors are a solution of the k-cSIS instance.

For the hardness of k-cSIS, most of the proof follows the ideas of Theorem 4.3.8.

Lemma 4.5.2. k-cSIS is k-PMPP-hard.

Proof. It suffices to show a Karp-reduction from k-COLLISION to k-cSIS. Let $\mathcal{C} : \{0,1\}^n \to \{0,1\}^{\lfloor n/2 \rfloor}$ of size $|\mathcal{C}| = d$ be an input of k-COLLISION. Without loss of generality, we assume that $\mathcal{C}$ has only NAND gates. Similarly to Lemma 4.3.3, we compute a binary invertible matrix $G$, a matrix $A$ and a vector $b$ that correspond to the circuit $\mathcal{C}$. Let $m = 2d + n$ and notice that $G$ and $b$ encode the evaluation of the circuit, hence $G \in \mathbb{Z}_4^{d \times m}$ and $b = 2 \cdot \mathbf{1}$. In contrast to Lemma 4.3.3, we set $q_1 = 2$ and $A \in \mathbb{Z}_2^{\lfloor n/2 \rfloor \times m}$, where the $i$-th row contains a single 1 corresponding to the variable of the $i$-th output of $\mathcal{C}$. The columns of $A$ and $G$ correspond to the $n$ input variables of $\mathcal{C}$, the $d$ auxiliary and $d$ value variables, one for each gate. Thus, $(A, G, b)$ is a valid k-cSIS instance.

In conclusion, let x1,..., xk be a solution of the k-cSIS instance. Since Gx1 =

··· = Gxk = b, the vectors x1,..., xk encode valid evaluations of the circuit 풞.

Additionally, since Ax1 = ··· = Axk, it holds that 풞(x1) = ··· = 풞(xk). Hence, we have a solution to our initial k-COLLISION instance.

By combining Lemma 4.5.1 and Lemma 4.5.2, we get the following theorem.

Theorem 4.5.3. The k-cSIS problem is k-PMPP-complete.

4.6 Lattice problems in PPP and PWPP

Given the lattice nature of the cSIS problem, it is natural to investigate its connections with well-studied lattice problems. For a definition of important lattice notions and the statement of the computational lattice problems, we refer to Section 4.6. We show that well-studied (approximation) lattice problems are contained in PPP. First, we define the Minkowski problem and show a reduction to BLICHFELDT. Then, using known reductions, we conclude the membership of other lattice problems in PPP.

Minkowski$_p$ Problem.
Input: An $n$-dimensional basis $B \in \mathbb{Z}^{n \times n}$ for a lattice $\mathcal{L} = \mathcal{L}(B)$.
Output: A vector $x \in \mathcal{L}$ such that $\|x\|_p \le n^{1/p} \det(\mathcal{L})^{1/n}$.

Ban et al. [13] give a reduction from Minkowski to PIGEONHOLE CIRCUIT.

We follow a different approach by showing a reduction from Minkowski$_p$ to BLICHFELDT. We emphasize that, even though a proof of Minkowski's theorem uses Blichfeldt's theorem, our reduction differs from this proof technique. We restrict to subsets of integer points, and thus the inherently continuous techniques used in the original proof of Minkowski's theorem via Blichfeldt's theorem cannot be applied in our case.

Lemma 4.6.1. For $p \ge 1$ and $p = \infty$, Minkowski$_p$ is in PPP.

Proof. For any $p \ge 1$, it holds that $\|x\|_\infty \le n^{1/p}\|x\|_p$. This implies a Karp-reduction from Minkowski$_p$ to Minkowski$_\infty$. Hence, it suffices to show a Karp-reduction from Minkowski$_\infty$ to BLICHFELDT. Let $B \in \mathbb{Z}^{n \times n}$ be an input to Minkowski$_p$, i.e. a basis for $\mathcal{L} = \mathcal{L}(B)$. Let $\ell = \det(\mathcal{L})^{1/n}$, $S = ([0, \ell]^n \cap \mathbb{Z}^n) \setminus \{0\}$ and $s = |S| = (\ell + 1)^n - 1$. We define the value function of $S$ as $(s, \mathcal{V}_S(x)) = (s, \mathcal{V}_{[0,\ell]^n}(x + 1))$, where the circuit $\mathcal{V}_{[0,\ell]^n}$ is constructed as in Lemma 2.4.1. To show that $B$ and $S$ are a valid input for BLICHFELDT, we need to show $|S| \ge \det(\mathcal{L})$, i.e. $(\det(\mathcal{L})^{1/n} + 1)^n \ge \det(\mathcal{L}) + 1$. This follows from the next claim for $x = \det(\mathcal{L})$.

Claim 4.6.2. For any $x \in \mathbb{Z}$ and $n \ge 1$, $(x^{1/n} + 1)^n \ge x + 1$.

Proof. If $x = k^n$ for some $k \in \mathbb{Z}$, then $x^{1/n} = k$. Hence, $(k + 1)^n \ge k^n + 1 \Rightarrow (x^{1/n} + 1)^n \ge x + 1$. Otherwise, let $k \in \mathbb{Z}$ be the smallest integer such that $x < k^n$. Then, $x^{1/n} = k - 1$ and $x + 1 \le k^n$. Hence, $(x^{1/n} + 1)^n = k^n \ge x + 1$.

Finally, BLICHFELDT on input $B$ and $S$ outputs one of the following:

1. a vector $x$ such that $x \in S \cap \mathcal{L}$. Since $x \in S$, it holds that $\|x\|_\infty \le \det(\mathcal{L})^{1/n}$. Hence, $x$ is a solution to Minkowski$_\infty$.

2. two vectors $x \neq y$, such that $x, y \in S$ and $x - y \in \mathcal{L}$. Since $x, y \in S$, it holds that $x - y \in [-\ell, \ell]^n$. Hence, $\|x - y\|_\infty \le \det(\mathcal{L})^{1/n}$ and $x - y$ is a solution to Minkowski$_\infty$.

A direct corollary of the above lemma is that the most common version of the Minkowski problem, namely in the $\ell_2$-norm, is in PPP.

Corollary 4.6.3. Minkowski2 is in PPP.

Furthermore, Lemma 4.6.1 reveals the connection between lattice problems and the class PPP. Specifically, it is known that $n$-SVP is Cook-reducible to Minkowski$_\infty$ (see [147, Theorem 1.23]) and that there exists a reduction from $\gamma$-SVP to $\sqrt{n}\gamma^2$-CVP in [159].

Corollary 4.6.4. $n$-SVP and $n^{2.5}$-CVP are Cook-reducible to BLICHFELDT.

A special type of lattices, that have gained a lot of attention due to their efficiency in cryptographic applications, are ideal lattices. For definitions and cryptographic applications of ideal lattices, we refer to [121]. We include the following lemma, which needs only the basic fact that $\lambda_1(\mathcal{L}) = \lambda_2(\mathcal{L}) = \cdots = \lambda_n(\mathcal{L})$ in ideal lattices. The definition of $\lambda_i$ appears in Section 4.6. Let us denote by $\gamma$-iSVP the shortest vector problem on ideal lattices.

Lemma 4.6.5. $\sqrt{n}$-iSVP is in PPP.

Proof. For ideal lattices, it holds that $\lambda_1(\mathcal{L}) = \lambda_2(\mathcal{L}) = \cdots = \lambda_n(\mathcal{L})$. Minkowski's second theorem states that $\lambda_1 \cdot \lambda_2 \cdots \lambda_n \ge \det(\mathcal{L})$. Hence, on ideal lattices $\lambda_1 \ge \det(\mathcal{L})^{1/n}$. Additionally, Minkowski's first theorem states that $\lambda_1 \le \sqrt{n} \det(\mathcal{L})^{1/n}$. Hence, Minkowski$_2$ with input $\mathcal{L}$ solves $\sqrt{n}$-iSVP of $\mathcal{L}$.

Chapter 5

Modulo q Arguments

The class PPAq was defined, in passing, by Papadimitriou [134, p. 520]. It is a modulo-q analog of the well-studied polynomial parity argument class PPA (which corresponds to q = 2). The class embodies the following combinatorial principle:

If a bipartite graph has a node of degree not a multiple of q, then there is another such node.

In more detail, PPA$_q$ consists of all total NP search problems reducible[1] to the problem Bipartite$_q$ defined as follows. An instance of this problem is a balanced bipartite graph $G = (V \cup U, E)$, where $V \cup U = \{0,1\}^n$, together with a designated vertex $v^\star \in V \cup U$. The graph $G$ is implicitly given via a circuit $\mathcal{C}$ that computes the neighborhood of every node in $G$. Let $\deg(v)$ be the degree of the node $v$ in $G$. A valid solution is a node $v \in \{0,1\}^n$ such that, either

- [Trivial Solution] $v = v^\star$ satisfying $\deg(v) \equiv 0 \bmod q$; or
- $v \neq v^\star$ satisfying $\deg(v) \not\equiv 0 \bmod q$.

[1] Here, we consider a many-one reduction, which is a polynomial time algorithm with one oracle query to the said problem. In contrast, a Turing reduction allows polynomially many oracle queries. See Section 5.1 for a comparison.

5.1 Overview

The classes PPA$_q$ have connections to a variety of problems whose computational complexity is not well-understood. These problems span a wide range of scientific areas, from algebraic topology to cryptography. The study of PPA$_q$ is also motivated by its relation to other important and well-studied classes, like PPAD.

We provide a systematic study of the complexity classes PPA$_q$. Our main result is the identification of the first natural complete problem for PPA$_q$ together with some structural results. Below we give a more precise overview of our results. We note that a concurrent and independent work by Hollender [100] also establishes the structural properties of PPA$_q$ corresponding to Section 5.2 and Section 5.7. In a subsequent work [72], we provide the first topological characterization of the classes PPA$_p$ by showing that a simple generalization of Tucker's Lemma, as well as the computational version of the well-known BSS Theorem [41], are PPA$_p$-complete.

Characterization via Prime Modulus

We show that every class PPA$_q$ is built out of the classes PPA$_p$ for $p$ a prime. To formalize this result, we recall the operator '&' defined by Buss and Johnson [40, §6]. For any two syntactic complexity classes $M_0, M_1$ with complete problems $S_0, S_1$, the class $M_0 \,\&\, M_1$ is defined via its complete problem $S_0 \,\&\, S_1$ where, on input $(x, b) \in \{0,1\}^* \times \{0,1\}$, the goal is to find a solution for $x$ interpreted as an instance of problem $S_b$. Namely, if $b = 0$ then the output has to be a solution of $S_0$ with input $x$, and otherwise it has to be a solution of $S_1$ with input $x$. Intuitively speaking, $M_1 \,\&\, M_2$ combines the powers of both $M_1$ and $M_2$. Note that $M_1 \cup M_2 \subseteq M_1 \,\&\, M_2$. We can now formally express our characterization result (where $p|q$ is the set of primes $p$ dividing $q$).

Theorem 5.3.1. $\mathrm{PPA}_q = \&_{p|q}\, \mathrm{PPA}_p$.

A special case of Theorem 5.3.1 is that PPA$_{p^k}$ = PPA$_p$ for every prime power $p^k$. Showing the inclusion PPA$_{p^k} \subseteq$ PPA$_p$ is the crux of our proof. This part of the theorem can be viewed as a total search problem analog of the counting class result of Beigel and Gill [18] stating that $\mathrm{Mod}_{p^k}\mathrm{P} = \mathrm{Mod}_p\mathrm{P}$; "an unexpected result", they wrote at the time. Throughout this chapter, we use $q$ to denote any integer $\ge 2$ and $p$ to denote a prime integer.

A Natural Complete Problem via the Chevalley-Warning Theorem

There have been several works focusing on completeness results for the class PPA (i.e. PPA$_2$). Initial works showed the PPA-completeness of (non-natural) total search problems corresponding to topological fixed point theorems [94, 3, 56]. Closer to our result, Belovs et al. [21] showed the PPA-completeness of computational variants of Combinatorial Nullstellensatz and the Chevalley–Warning Theorem which explicitly involve a circuit as part of the input. More recently, breakthrough results showed PPA-completeness of problems without a circuit or a Turing Machine in the input, such as Consensus-Halving, Necklace-Splitting and Ham-Sandwich [70, 71], resolving an open problem since the definition of PPA in [134].

Our main contribution is to provide a natural complete problem for PPA$_p$, for every prime $p$; thereby also yielding a new complete problem for PPA. Our complete problem is an extension of the problem Chevalley$_p$, defined by Papadimitriou [134], which is a search problem associated to the celebrated Chevalley-Warning Theorem. We first present an abstract way to understand the proof of the Chevalley-Warning Theorem that motivates the definition of our natural complete problem for PPA$_p$.

Max-Degree Monic Monomials and Proof of Chevalley-Warning Theorem

In 1935, Claude Chevalley [50] resolved a hypothesis stated by Emil Artin, that all finite fields are quasi-algebraically closed. Later, Ewald Warning [163] proved a slight generalization of Chevalley's theorem. This generalized statement is usually referred to as the Chevalley-Warning Theorem (CWT, for short). Despite its initial algebraic motivation, CWT has found profound applications in combinatorics and number theory. We now explain the statement of the Chevalley-Warning Theorem, starting with some notation. For any field $\mathbb{F}$ and any polynomial $f$ in a polynomial ring $\mathbb{F}[x_1, \ldots, x_n]$ we use $\deg(f)$ to represent the degree of $f$. We use $x$ to succinctly denote the set of all variables $(x_1, \ldots, x_n)$ (the number of variables is always $n$) and $f$ to succinctly denote a system of polynomials $f = (f_1, \ldots, f_m) \in \mathbb{F}[x]^m$. We often abuse notation to use $x$ to also denote assignments over $\mathbb{F}_p^n$. For instance, let $\mathcal{V}_f := \{ x \in \mathbb{F}_p^n : f_i(x) = 0 \text{ for all } i \in [m] \}$ be the set of all common roots of $f$.

Chevalley-Warning Theorem ([50, 163]). For any prime[2] $p$ and polynomial system $f \in \mathbb{F}_p[x_1, \ldots, x_n]^m$ satisfying
$$\sum_{i=1}^m \deg(f_i) < n, \qquad \text{(CW Condition)}$$
it holds that $|\mathcal{V}_f| \equiv 0 \pmod p$.

Given a polynomial system $f \in \mathbb{F}_p[x]^m$, the key idea in the proof of the Chevalley-Warning Theorem is the polynomial
$$CW_f(x) := \prod_{i=1}^m \left(1 - f_i(x)^{p-1}\right) \bmod \left\{ x_j^p - x_j \right\}_{j \in [n]}.$$

Observe that $CW_f(x) = 1$ if $x \in \mathcal{V}_f$ and $CW_f(x) = 0$ otherwise. Thus, $|\mathcal{V}_f| \equiv \sum_{x \in \mathbb{F}_p^n} CW_f(x) \pmod p$. The following definition informally describes a special type of monomial of $CW_f$ that is of particular interest in the proof.

Definition (Max-Degree Monic Monomials (Informal)). Let $f \in \mathbb{F}_p[x]^m$. A monic monomial of $CW_f$ refers to a monic monomial obtained when symbolically expanding $CW_f$ as a sum of monic monomials. A monic monomial is said to be of max-degree if it is equal to $\prod_{j=1}^n x_j^{p-1}$.

In the above definition, it is important to consider the symbolic expansion of $CW_f$ and ignore any cancellation of coefficients that might occur. Observe that, although the expansion of $CW_f$ is exponentially large in the description size of $f$, each monic monomial of $CW_f$ can be succinctly described as a combination of monic monomials of the polynomials $f_1, \ldots, f_m$. Using the definition of max-degree monic monomials, we state the main technical lemma underlying the proof of CWT.

[2] While most of the results in this section generalize to prime powers, we only consider prime fields for simplicity.

Lemma (Chevalley–Warning Lemma). For any prime $p$ and $f \in \mathbb{F}_p[x_1, \ldots, x_n]^m$,
$$|\mathcal{V}_f| \equiv (-1)^n \cdot \left|\left\{\text{max-degree monic monomials of } CW_f\right\}\right| \pmod p \qquad \text{(CW Lemma)}$$

The Chevalley-Warning Theorem now follows by observing that if $\sum_{i=1}^m \deg(f_i) < n$, then the number of max-degree monic monomials of $CW_f$ is zero. Hence, we get that $|\mathcal{V}_f| \equiv 0 \pmod p$.
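A brute-force check of the proof idea above, as an added example that is not part of the thesis: it expands $CW_f$ in $\mathbb{F}_p[x]$ modulo $x_j^p - x_j$ for two constructed systems over $\mathbb{F}_3$, one satisfying the CW Condition and one violating it, and verifies that $|\mathcal{V}_f| \equiv \sum_x CW_f(x) \equiv (-1)^n \cdot c \pmod p$, where $c$ is the coefficient of $\prod_j x_j^{p-1}$ in the reduced $CW_f$, i.e. what remains of the max-degree monic monomials after the cancellation that the lemma's symbolic count ignores.

```python
import math
from itertools import product

# Polynomials over F_p are dicts {exponent tuple: coefficient}; all arithmetic
# is done in the quotient ring F_p[x_1..x_n] / (x_j^p - x_j), which is where
# CW_f lives in the definition above.

def reduce_exp(e, p):
    """Reduce one exponent modulo x^p = x: x^e -> x^(((e-1) mod (p-1)) + 1) for e >= p."""
    return e if e < p else ((e - 1) % (p - 1)) + 1

def poly_mul(f, g, p):
    """Product of f and g modulo p and modulo every x_j^p - x_j."""
    h = {}
    for ea, ca in f.items():
        for eb, cb in g.items():
            e = tuple(reduce_exp(a + b, p) for a, b in zip(ea, eb))
            h[e] = (h.get(e, 0) + ca * cb) % p
    return {e: c for e, c in h.items() if c}

def poly_pow(f, k, p, n):
    r = {(0,) * n: 1}
    for _ in range(k):
        r = poly_mul(r, f, p)
    return r

def cw_polynomial(system, p, n):
    """CW_f = prod_i (1 - f_i^(p-1)), reduced; coefficients are those after cancellation."""
    one = (0,) * n
    cw = {one: 1}
    for f in system:
        fac = {e: (-c) % p for e, c in poly_pow(f, p - 1, p, n).items()}
        fac[one] = (fac.get(one, 0) + 1) % p
        cw = poly_mul(cw, {e: c for e, c in fac.items() if c}, p)
    return cw

def evaluate(f, x, p):
    """Value of the polynomial f at the point x in F_p^n."""
    return sum(c * math.prod(pow(xi, ei, p) for xi, ei in zip(x, e))
               for e, c in f.items()) % p

def count_roots(system, p, n):
    """|V_f|: the number of common roots of the system over F_p^n."""
    return sum(all(evaluate(f, x, p) == 0 for f in system)
               for x in product(range(p), repeat=n))

def sum_cw_over_space(system, p, n):
    """sum_{x in F_p^n} CW_f(x) mod p, which the text shows equals |V_f| mod p."""
    cw = cw_polynomial(system, p, n)
    return sum(evaluate(cw, x, p) for x in product(range(p), repeat=n)) % p

def max_degree_coefficient(system, p, n):
    """Coefficient of prod_j x_j^(p-1) in the reduced CW_f (0 if everything cancelled)."""
    return cw_polynomial(system, p, n).get((p - 1,) * n, 0)

def cw_lemma_holds(system, p, n):
    """|V_f| == (-1)^n * [max-degree coefficient of CW_f]  (mod p).
    Summing a reduced monomial over F_p^n factors into sums of x^e over F_p,
    which is -1 for e = p-1 and 0 for every other exponent in [0, p-1], so
    only the max-degree monomial survives."""
    lhs = count_roots(system, p, n) % p
    rhs = ((-1) ** n * max_degree_coefficient(system, p, n)) % p
    return lhs == rhs

def cw_condition_holds(system, n):
    """The CW Condition: the total degrees of the f_i sum to less than n."""
    return sum(max(sum(e) for e in f) for f in system) < n

# Constructed systems over F_3 (not from the thesis).
P = 3
SYS_A = [{(1, 0, 0): 1, (0, 1, 1): 1}]        # f_1 = x1 + x2*x3,      n = 3
SYS_B = [{(2, 0): 1, (0, 2): 1, (0, 0): 1}]   # f_1 = x1^2 + x2^2 + 1, n = 2

if __name__ == "__main__":
    for name, sysm, n in (("A", SYS_A, 3), ("B", SYS_B, 2)):
        print(name, "CW condition:", cw_condition_holds(sysm, n),
              "|V_f| =", count_roots(sysm, P, n),
              "max-degree coeff:", max_degree_coefficient(sysm, P, n),
              "lemma ok:", cw_lemma_holds(sysm, P, n))
```

System A satisfies the CW Condition and has 9 common roots, so the max-degree coefficient is 0 and $|\mathcal{V}_f| \equiv 0$; system B violates it, has 4 roots, and its reduced $CW_f$ is exactly $x_1^2 x_2^2$, matching $4 \equiv (-1)^2 \cdot 1 \pmod 3$.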

Proofs of Cancellation

From the proof sketch of CWT in the previous section, a slight generalization of CWT follows. In particular, $|\mathcal{V}_f|\equiv 0\pmod p$ if and only if
$$\bigl|\{\text{max-degree monic monomials of } CW_f\}\bigr| \equiv 0 \pmod p. \qquad \text{(Extended CW Condition)}$$

Thus, any condition on $f$ that implies the (Extended CW Condition) can replace (CW Condition) in the Chevalley-Warning Theorem. We also remark that the (Extended CW Condition) is equivalent to all the max-degree monic monomials in $CW_f$ cancelling out. Thus, we call any such condition on $f$ that implies (Extended CW Condition) a "proof of cancellation" for the system $f$. We can now reinterpret the result of Belovs et al. [21] in this framework of "proof of cancellation" conditions. In particular, they define the problem PPA-Circuit-Chevalley and show that this problem is PPA_2-complete. The PPA-Circuit-Chevalley problem takes as input a set of special form circuits that describe the system $(f_1,\dots,f_m)$. The "proof of cancellation" is given via this special form of the input circuits.

Computational Problems Based on Chevalley-Warning Theorem

Every "proof of cancellation" that is syntactically refutable can be used to define a total search problem that lies in PPA_p. By syntactically refutable we mean that whenever the "proof of cancellation" is false, there exists a small witness that certifies so. In this section, we define three computational problems with their corresponding "proof of cancellation": (1) the Chevalley_p problem defined in [134], (2) the GeneralChevalley_p problem that is a generalization of Chevalley_p, and (3) the problem ChevalleyWithSymmetry_p that we show to be PPA_p-complete. All these problems are defined for every prime modulus $p$ and are natural in the sense that they do not explicitly involve a circuit or a Turing Machine in their input. In particular, the polynomial systems in the input are explicit in that they are given as a sum of monic monomials.

Chevalley. This is the direct computational analog of the Chevalley-Warning Theorem and was defined in [134] as the following total search problem:

Chevalley_p
Given an explicit polynomial system $f\in\mathbb{F}_p[x]^m$ and an $x^*\in\mathcal{V}_f$, output one of the following:

- [Refuting witness] (CW Condition) is not satisfied.

- $x\in\mathcal{V}_f\setminus\{x^*\}$.

Particularly, we consider a special case where all the $f_i$'s have zero constant term (zecote, for short). In this case, $x^*=0\in\mathcal{V}_f$, so there is no need to explicitly include $x^*$ in the input.

General Chevalley. As we have already mentioned, we can define a search problem corresponding to any syntactically refutable condition that implies the (Extended CW Condition). One such condition is to directly assert that
$$\{\text{max-degree monic monomials of } CW_f\} = \emptyset. \qquad \text{(General CW Condition)}$$

In particular, note that (CW Condition) implies this condition. Moreover, this condition is syntactically refutable by a max-degree monic monomial, which is efficiently representable as a combination of at most $m(p-1)$ monomials of the $f_i$'s. Thus, we can define the following total search problem generalizing Chevalley_p.

GeneralChevalley_p
Given an explicit polynomial system $f\in\mathbb{F}_p[x]^m$ and an $x^*\in\mathcal{V}_f$, output one of the following:

- [Refuting Witness] A max-degree monic monomial of $CW_f$.

- $x\in\mathcal{V}_f\setminus\{x^*\}$.

While GeneralChevalley_p generalizes Chevalley_p, it does not capture the full generality of (Extended CW Condition). However, (Extended CW Condition) is not syntactically refutable (in fact, it is $\mathrm{Mod}_p\mathrm{P}$-complete to decide if the final coefficient of the max-degree monomial is 0$^3$).

A natural question then is whether GeneralChevalley_p, or even Chevalley_p, could already be PPA_p-complete. We believe this to be unlikely because the (General CW Condition) seems to fail in capturing other simple conditions that are syntactically refutable and yet imply (Extended CW Condition). Namely, consider a permutation $\sigma\in S_n$ of the variables $x_1,\dots,x_n$ of order $p$ (i.e. $\sigma^p$ is the identity permutation). Suppose that for every $x\in\mathcal{V}_f$, it holds that $\sigma(x)\in\mathcal{V}_f\setminus\{x\}$; in other words $x,\sigma(x),\sigma^2(x),\dots,\sigma^{p-1}(x)$ are all distinct and in $\mathcal{V}_f$ (where $\sigma(x)$ denotes the assignment obtained by permuting the variables of the assignment $x$ according to $\sigma$); observe that this condition is syntactically refutable. This implies that the elements of $\mathcal{V}_f$ can be partitioned into groups of size $p$ (given by the orbits of the action of $\sigma$) and hence $|\mathcal{V}_f|\equiv 0\pmod p$. Thus, such a $\sigma$ provides a syntactically refutable proof that $|\mathcal{V}_f|\equiv 0\pmod p$, and hence that (Extended CW Condition) holds.

$^3$Circuit-SAT can be encoded as satisfiability of a polynomial system $f\in\mathbb{F}_p[x]^m$ by including a polynomial for each gate along with $x_i^2 - x_i = 0$ to ensure Booleanity. Thus, the number of satisfying assignments of the Circuit-SAT instance, which is equal to $|\mathcal{V}_f|$, is $0\pmod p$ if and only if the final coefficient of the max-degree monomial is 0.

We further generalize GeneralChevalley_p into a problem that incorporates this additional "proof of cancellation" in the form of a permutation $\sigma\in S_n$.

Chevalley with Symmetry. We consider a union of two polynomial systems $g\in\mathbb{F}_p[x]^{m_g}$ and $h\in\mathbb{F}_p[x]^{m_h}$. Even if both $g$ and $h$ satisfy (CW Condition), the combined system $f := (g_1,\dots,g_{m_g},h_1,\dots,h_{m_h})$ might not satisfy (CW Condition) and it might even be the case that $|\mathcal{V}_f|$ is not a multiple of $p$. Thus, we need to bring in some additional conditions.

We start by observing that since $|\mathcal{V}_f| + |\overline{\mathcal{V}}_f| = p^n$, it holds that $|\mathcal{V}_f|\equiv 0\pmod p$ if and only if $|\overline{\mathcal{V}}_f|\equiv 0\pmod p$. Also note that $|\overline{\mathcal{V}}_f| = |\overline{\mathcal{V}}_g| + |\mathcal{V}_g\cap\overline{\mathcal{V}}_h|$. If $g$ satisfies the (General CW Condition), then we have that $|\mathcal{V}_g|\equiv|\overline{\mathcal{V}}_g|\equiv 0\pmod p$. A simple way to enforce that $|\mathcal{V}_g\cap\overline{\mathcal{V}}_h|\equiv 0\pmod p$ is to enforce a "symmetry", namely that its elements can be grouped into groups of size $p$ each. We impose this grouping with a permutation $\sigma\in S_n$ of the variables $x_1,\dots,x_n$ of order $p$ such that for any $x\in\mathcal{V}_g\cap\overline{\mathcal{V}}_h$, it holds that $\sigma(x)\in(\mathcal{V}_g\cap\overline{\mathcal{V}}_h)\setminus\{x\}$; or in other words that $x,\sigma(x),\sigma^2(x),\dots,\sigma^{p-1}(x)$ are all distinct and contained in $\mathcal{V}_g\cap\overline{\mathcal{V}}_h$. We now define the following natural total search problem.

ChevalleyWithSymmetry_p
Given two explicit polynomial systems $g\in\mathbb{F}_p[x]^{m_g}$ and $h\in\mathbb{F}_p[x]^{m_h}$, an $x^*\in\mathcal{V}_f$ (where $f := (g,h)$) and a permutation $\sigma\in S_n$ of order $p$, output one of the following:

- [Refuting Witness 1] A max-degree monic monomial of $CW_g$.

- [Refuting Witness 2] $x\in\mathcal{V}_g\cap\overline{\mathcal{V}}_h$ such that $\sigma(x)\notin(\mathcal{V}_g\cap\overline{\mathcal{V}}_h)\setminus\{x\}$.

- $x\in\mathcal{V}_f\setminus\{x^*\}$.

The above problem is natural, because the input consists of a system of polynomials in an explicit form, i.e. as a sum of monic monomials, together with a permutation in $S_n$ given, say, in one-line notation. Also, observe that when $h$ is empty, the above problem coincides with GeneralChevalley_p (since $\overline{\mathcal{V}}_h=\emptyset$ when $h$ is empty). Our main result is the following.

Theorem 5.4.11. For any prime $p$, ChevalleyWithSymmetry_p is PPA_p-complete.

Complete Problems via Small Depth Arithmetic Formulas

While the ChevalleyWithSymmetry_p problem may seem somewhat contrived, the importance of its PPA_p-completeness is illustrated by our next result (proved in Section 5.5), showing that we can reformulate any of the proposed definitions of PPA_p by restricting the circuit in the input to be just a constant depth arithmetic formula with $\times \pmod p$ and $+ \pmod p$ gates (we call this class $\mathrm{AC}^0_{\mathbb{F}_p}$). This result is analogous to the NP-completeness of SAT, which basically shows that CircuitSAT remains NP-complete even if we restrict the input circuit to be a (CNF) formula of depth 2.

Theorem 5.5.1. The problems Lonely_p/Bipartite_p/Leaf_p with $\mathrm{AC}^0_{\mathbb{F}_p}$ input circuits are PPA_p-complete.

Such simplification results have been a key step in proving hardness results for other TFNP subclasses, e.g. in the PPAD-hardness proofs of approximate Nash (cf. [149]). In the case of PPA_p hardness, the simplification theorem states that it suffices to consider constant depth arithmetic formulas (and hence $\mathrm{NC}^1$ Boolean formulas) as opposed to unbounded depth circuits in the definition of PPA_p. Hence, we believe that Theorem 5.5.1 could have applications in finding other PPA_p-complete problems.

Applications of Chevalley-Warning

Apart from its initial algebraic motivation, the Chevalley-Warning theorem has been used to derive several non-trivial combinatorial results. Alon et al. [7] show that adding an extra edge to any 4-regular graph forces it to contain a 3-regular subgraph. More generally, they prove that certain types of "almost" regular graphs contain regular subgraphs. Another application of CWT is in proving zero-sum theorems similar to the Erdős-Ginzburg-Ziv Theorem. A famous such application is the proof of Kemnitz's conjecture by Reiher [143].

We define two computational problems that, as we show, are reducible to Chevalley_p and suffice for proving most of the combinatorial applications of the Chevalley-Warning Theorem mentioned above (for a certain range of parameters $n$ and $m$). Both involve finding solutions to a system of linear equations modulo $q$, given as $Ax\equiv 0\pmod q$ for $A\in\mathbb{Z}^{m\times n}$.

- BIS_q: Find $x\in\{0,1\}^n$ satisfying $x\neq 0$ and $Ax\equiv 0\pmod q$.

- SIS_q^∞: Find $x\in\{-1,0,1\}^n$ satisfying $x\neq 0$ and $Ax\equiv 0\pmod q$.

The second problem is a special case of the well-known short integer solution problem in $\ell_\infty$ norm. Note that, when $n > m\cdot\log_2 q$, the totality of SIS_q^∞ is guaranteed by the pigeonhole principle; that is, SIS_q^∞ is in PPP in this range of parameters. We are interested in identifying the range of parameters that places this problem in PPA_q. Since we consider only the SIS in $\ell_\infty$ norm, for the rest of the chapter we ignore the superscript ∞. In Theorem 5.6.3, we prove a formal version of the following:

Theorem (Informal). For a certain range of parameters $n, m$, it holds that

1. For all primes $p$: BIS_p and SIS_p are Karp-reducible to Chevalley_p, hence are in PPA_p.

2. For all $q$: BIS_q and SIS_q are Turing-reducible to any PPA_q-complete problem.

3. For all $k$: BIS_{2^k} is solvable in polynomial time.

4. For all $k$ and $\ell$: SIS_{2^k 3^\ell} is solvable in polynomial time.

Even though the SIS_q problem is well-studied in lattice theory, not many results are known in the regime where $q$ is a constant and the number of variables depends linearly on the number of equations. Part (1) of the above theorem establishes a reduction from SIS_p to Chevalley_p for prime $p$. Part (2) follows by a bootstrapping method that allows us to combine algorithms for SIS_{q_1} and SIS_{q_2} to give an algorithm for SIS_{q_1 q_2} (for a certain regime for parameters $n$ and $m$). Finally, Parts (3) and (4) follow by using this bootstrapping method along with the observation that Gaussian elimination provides valid solutions for BIS_2 (hence also SIS_2) and for SIS_3.

[Figure 5-1: diagram of the TFNP subclasses TFNP, PPP, PPA, PPA_p, PLS, PPADS, PPAD, CLS and FP; image not reproduced.]

Figure 5-1: The PPA_q subclasses of TFNP. A solid arrow $M_1\to M_2$ denotes $M_1\subseteq M_2$, and a dashed arrow $M_1\dashrightarrow M_2$ denotes an oracle separation: $M_1^{\mathcal{O}}\not\subseteq M_2^{\mathcal{O}}$ relative to some oracle $\mathcal{O}$. The relationships involving PPA_p are highlighted in yellow. See Section 5.7 for details.
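Parts (3) and (4) rest on the observation that Gaussian elimination solves BIS_2 and SIS_3; the following added example (illustration code, not the thesis's own) carries it out: it row-reduces $A$ over $\mathbb{F}_p$ to find a nonzero kernel vector, which for $p=2$ is already a $\{0,1\}$-solution and for $p=3$ lifts to a $\{-1,0,1\}$-solution. The matrices A2 and A3 are constructed for illustration.

```python
"""Added example: Gaussian elimination over F_p yields BIS_2 and SIS_3 solutions.

For p = 2 every kernel vector of A is a {0,1}-vector, and for p = 3 every kernel
vector lifts to {-1,0,1}^n.  The matrices below are constructed for illustration.
"""


def null_vector_mod_p(A, p):
    """Nonzero x in F_p^n with A x = 0 (mod p), or None if the kernel is trivial.

    Row-reduces A to reduced row echelon form over F_p (p prime) and sets the first
    free variable to 1.  A free variable exists whenever n > m.
    """
    m, n = len(A), len(A[0])
    M = [[a % p for a in row] for row in A]
    pivots = []                       # pivot column of row 0, 1, ...
    r = 0
    for c in range(n):
        piv = next((i for i in range(r, m) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)      # modular inverse (Python 3.8+)
        M[r] = [(v * inv) % p for v in M[r]]
        for i in range(m):
            if i != r and M[i][c]:
                factor = M[i][c]
                M[i] = [(vi - factor * vr) % p for vi, vr in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    free = [c for c in range(n) if c not in pivots]
    if not free:
        return None
    x = [0] * n
    x[free[0]] = 1
    for i, c in enumerate(pivots):    # row i reads x_c + M[i][free[0]] * x_free = 0
        x[c] = (-M[i][free[0]]) % p
    return x


def solve_bis2(A):
    """BIS_2: nonzero x in {0,1}^n with A x = 0 (mod 2); any F_2 kernel vector qualifies."""
    return null_vector_mod_p(A, 2)


def solve_sis3(A):
    """SIS_3 (l_inf norm): nonzero x in {-1,0,1}^n with A x = 0 (mod 3); the residues
    {0,1,2} of F_3 are lifted to the symmetric representatives {0,1,-1}."""
    x = null_vector_mod_p(A, 3)
    return None if x is None else [v if v < 2 else v - 3 for v in x]


def is_solution(A, x, q):
    """Check x != 0 and A x = 0 (mod q) over the integers."""
    return any(x) and all(sum(a * v for a, v in zip(row, x)) % q == 0 for row in A)


# Constructed instances with n = 4 > m = 2, where a solution is guaranteed.
A2 = [[1, 1, 0, 1],
      [0, 1, 1, 1]]
A3 = [[1, 1, 1, 0],
      [0, 1, 1, 1]]

if __name__ == "__main__":
    x2 = solve_bis2(A2)
    x3 = solve_sis3(A3)
    print(x2, is_solution(A2, x2, 2))   # [1, 1, 1, 0] True
    print(x3, is_solution(A3, x3, 3))   # [0, -1, 1, 0] True
```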

Structural properties

Relation to other classes. Buss and Johnson [40, 105] had defined a class PMOD_q which turns out to be slightly weaker than PPA_q. Despite this slight difference between the definitions of PPA_q and PMOD_q, we can still deduce statements about PPA_q from the work of [105]. In particular, it follows that PPAD ⊆ PPA_q.

More broadly, a near-complete picture of the power of PPA_q relative to other subclasses of TFNP is summarized in Figure 5-1. These relationships (inclusions and oracle separations) mostly follow from prior work in proof complexity [17, 39, 105, 90].

Closure under Turing reductions. Recall that TFNP subclasses are defined as the set of all total search problems that are Karp reducible to the corresponding complete problems. One can ask whether more power is gained by allowing Turing reductions, that is, polynomially many oracle queries to the corres­ponding complete problem. Buss and Johnson [40] showed that PLS, PPAD, PPADS, PPA are closed under Turing reductions (with a notable exception of PPP, which remains open). We show this for PPA_p when $p$ is a prime.

Theorem 5.1.1. $\mathrm{FP}^{\mathrm{PPA}_p} = \mathrm{PPA}_p$ for every prime $p$.

By contrast, it follows from [40, §6] that PPA_q is not closed under black-box Turing reductions for non-prime powers $q$.

5.2 The class PPA_q

We describe several total search problems (parameterized by $q$) that we show to be inter-reducible. PPA_q is then defined as the set of all search problems reducible to either one of the search problems defined below. Recall that Boolean circuits take inputs of the form $\{0,1\}^n$ and operate with $(\wedge,\vee,\neg)$ gates. In addition, we also consider circuits acting on inputs in $[q]^n$. We interpret the input to be of the form $(\{0,1\}^{\lceil\log q\rceil})^n$, where the circuit is evaluated only on inputs where each block of $\lceil\log q\rceil$ bits represents an element in $[q]$. In the case of prime $q$, we could also represent the circuit as $\mathcal{C}:\mathbb{F}_q^n\to\mathbb{F}_q^n$ with arbitrary gates of the form $g:\mathbb{F}_q^2\to\mathbb{F}_q$. We can simulate any such gate with $\mathrm{poly}(q)$ many $+$ and $\times$ operations (over $\mathbb{F}_q$) along with a constant ($1$) gate. Hence, in the case of prime $q$, we assume that such circuits are composed of only $(+,\times,1)$ gates.

Definition 5.2.1. (Bipartite_q)

Principle: A bipartite graph with a non-multiple-of-$q$ degree node has another such node.

Object: Bipartite graph $G=(V\cup U,E)$. Designated vertex $v^*\in V$.

Inputs:
- $\mathcal{C}:\{0,1\}^n\to(\{0,1\}^n)^k$, with $(\{0,1\}^n)^k$ interpreted as a $k$-subset of $\{0,1\}^n$
- $v^*\in\{0\}\times\{0,1\}^{n-1}$ (usually $0^n$)

Encoding: $V := \{0\}\times\{0,1\}^{n-1}$, $U := \{1\}\times\{0,1\}^{n-1}$, $E := \{(v,u) : v\in V\cap\mathcal{C}(u) \text{ and } u\in U\cap\mathcal{C}(v)\}$

Solutions: $v^*$ if $\deg(v^*)\equiv 0\pmod q$, and $v\neq v^*$ if $\deg(v)\not\equiv 0\pmod q$

Definition 5.2.2. (Lonely_q)

Principle: A $q$-dimensional matching on a non-multiple-of-$q$ many vertices has an isolated node.

Object: $q$-dimensional matching $G=(V,E)$. Designated vertices $V^*\subseteq V$ with $|V^*|\le q-1$.

Inputs:
- $\mathcal{C}:[q]^n\to[q]^n$
- $V^*\subseteq[q]^n$ with $|V^*|\not\equiv 0\pmod q$

Encoding: $V := [q]^n$. For distinct $v_1,\dots,v_q$, edge $e := \{v_1,\dots,v_q\}\in E$ if $\mathcal{C}(v_i)=v_{i+1}$ for $i<q$ and $\mathcal{C}(v_q)=v_1$

Solutions: $v\in V^*$ if $\deg(v)=1$, and $v\notin V^*$ if $\deg(v)=0$

Definition 5.2.3. (Leaf_q)

Principle: A $q$-uniform hypergraph with a non-multiple-of-$q$ degree node has another such node.

Object: $q$-uniform hypergraph $G=(V,E)$. Designated vertex $v^*\in V$.

Inputs:
- $\mathcal{C}:\{0,1\}^n\to(\{0,1\}^{nq})^q$, with $(\{0,1\}^{nq})^q$ interpreted as $q$ many $q$-subsets of $\{0,1\}^n$
- $v^*\in\{0,1\}^n$ (usually $0^n$)

Encoding: $V := \{0,1\}^n$. For distinct $v_1,\dots,v_q$, edge $e := \{v_1,\dots,v_q\}\in E$ if $e\in\mathcal{C}(v)$ for all $v\in e$

Solutions: $v^*$ if $\deg(v^*)\equiv 0\pmod q$, and $v\neq v^*$ if $\deg(v)\not\equiv 0\pmod q$

We remark that Lonely_q and Leaf_q are modulo-$q$ analogs of the PPA-complete problems Lonely and Leaf [134, 16]. We prove the following theorem in Appendix B.

Theorem 5.2.4. The problems Bipartite_q, Lonely_q and Leaf_q are inter-reducible.

Remark 5.2.5 (Simplifications in describing reductions). We use the following simple conventions repeatedly, in order to simplify the descriptions of reductions between different search problems.

1. We often use "algorithms" instead of "circuits" to encode our hypergraphs. It is standard to simulate polynomial-time algorithms by polynomial sized circuits.

2. While our definitions require vertex sets to be of a very special form, e.g. $\{0,1\}^n$ or $[q]^n$, it hugely simplifies the description of our reductions to let vertex sets be of arbitrary sizes. This is not a problem as long as the vertex set is efficiently indexable (see Section 2.4), that is, elements of $V$ must have a $\mathrm{poly}(n)$ length representation and we must have a poly-time computable bijective map $\mathcal{I}_V : V\to[|V|]$, whose inverse is also poly-time computable. We could then use $\mathcal{I}_V$ to interpret the first $|V|$ elements of $\{0,1\}^n$ (or $[q]^n$) as vertices in $V$.

Note that we need to ensure that no new solutions are introduced in this process. In the case of Bipartite_q or Leaf_q, we simply leave the additional vertices isolated and they do not contribute any new solutions. In the case of Lonely_q we need to additionally ensure that $|V|\equiv 0\pmod q$, so that we can easily partition the remaining vertices into $q$-uniform hyperedges, thereby not introducing any new solutions.

3. The above simplification gives us that all our problems have an instance-extension property (cf. [37]); this is helpful in proving Theorem 5.1.1.

4. To simplify our reductions even further, we often describe the edges/hyperedges directly instead of specifying how to compute the neighbors of a given vertex. This is only for simplicity and it is easy to see how to compute the neighbors of any vertex locally.

[Figure 5-2: diagram of reductions among Bipartite_p, SuccinctBipartite_p, ChevalleyWithSymmetry_p, GeneralChevalley_p, Leaf'_p, TwoMatchings_p, Chevalley_p, Leaf_p, Lonely_p and SIS_p; image not reproduced.]

Figure 5-2: Total search problems related to PPA_q. An arrow $A\to B$ denotes a reduction $A\preceq B$ that we establish. Problems in the blue region are non-natural problems, which are all complete for PPA_p. Problems in the green region are natural problems, of which the ChevalleyWithSymmetry_p problem is the one that we show to be PPA_p-complete. The problem in the orange region is a cryptographically relevant problem.

5.3 Characterization via Primes

We show that every class PPA_q is characterized through the classes PPA_p for $p$ prime. In particular, we prove the following theorem.

Theorem 5.3.1. $\mathrm{PPA}_q = \&_{p\mid q}\,\mathrm{PPA}_p$.

The theorem follows by combining the following two ingredients.

- PPA_{qr} = PPA_q & PPA_r for any coprime $q$ and $r$.

- PPA_{p^k} = PPA_p for any prime power $p^k$.

Coprime case

PPA_{qr} ⊇ PPA_q & PPA_r. We show that Lonely_q & Lonely_r reduces to Lonely_{qr}. Recall that an instance of Lonely_q & Lonely_r is a tuple $(\mathcal{C},V^*,b)$ where $(\mathcal{C},V^*)$ describes an instance of either Lonely_q or Lonely_r as chosen by $b\in\{0,1\}$. Suppose wlog that $b=0$, so the input encodes a $q$-dimensional matching $G=(V,E)$ over $V=[q]^n$ with designated vertices $V^*\subseteq V$, $|V^*|\not\equiv 0\pmod q$. We can construct a $qr$-dimensional matching $\tilde G=(\tilde V,\tilde E)$ on vertices $\tilde V := V\times[r]$ as follows: for every hyperedge $e := \{v_1,\dots,v_q\}\in E$, we include the hyperedge $e\times[r]$ in $\tilde E$. We let the designated vertices of $\tilde G$ be $\tilde V^* := V^*\times[r]$. Note that $|\tilde V^*|\not\equiv 0\pmod{qr}$. It is easy to see that a vertex $(v,i)$ is isolated in $\tilde G$ if and only if $v$ is isolated in $G$. This completes the reduction since $\tilde V$ is efficiently indexable, and the neighbors of any vertex in $\tilde V$ are locally computable using black-box access to $\mathcal{C}$.

PPA_{qr} ⊆ PPA_q & PPA_r. We show a reduction from an instance of Bipartite_{qr} to one of Bipartite_q & Bipartite_r. Our input instance of Bipartite_{qr} is a circuit $\mathcal{C}:\{0,1\}^n\to(\{0,1\}^n)^k$ that encodes a bipartite graph $G=(V\cup U,E)$ with a designated node $v^*\in V$. If $\deg(v^*)\equiv 0\pmod{qr}$, then we have already solved the problem and no further reduction is necessary. Otherwise, if $\deg(v^*)\not\equiv 0\pmod{qr}$, we have, by the coprimality of $q$ and $r$, that either $\deg(v^*)\not\equiv 0\pmod q$ or $\deg(v^*)\not\equiv 0\pmod r$. In the first case (the second case is analogous), we can simply view $(G,v^*)$ as an instance of Bipartite_q, since vertices with degree $\not\equiv 0\pmod q$ in $G$ are also solutions to Bipartite_{qr}.

Prime power case

PPA_{p^k} ⊇ PPA_p. It follows immediately from our proof of PPA_{qr} ⊇ PPA_q & PPA_r, which did not require that $q$ and $r$ be coprime.

PPA_{p^k} ⊆ PPA_p. We exploit the following easy fact.

[Figure 5-3: illustration of the reduction from Lonely_{p^k} to Lonely_p; image not reproduced.]

Figure 5-3: Illustration of the proof of PPA_{p^k} ⊆ PPA_p for $p=2$, $k=2$, $n=2$, $t=1$. In black, we indicate the 4-dimensional matching $G$. In color, we highlight some of the vertices of $\tilde G$ and the edges between them. The vertices of $\tilde G$ in red, blue and green are paired up and hence are non-solutions; whereas the vertex in yellow is isolated and not in $\tilde V^*$ and hence a solution.

Fact. For all primes $p$, it holds that
$$\text{for integers } t,c>0:\quad \binom{c\cdot p^t}{p^t}\equiv 0\pmod p \text{ if and only if } c\equiv 0\pmod p, \qquad (5.3.1)$$
$$\text{for integer } k>0:\quad \binom{p^k}{i}\equiv 0\pmod p \text{ for all } 0<i<p^k. \qquad (5.3.2)$$

We reduce Lonely_{p^k} to Lonely_p. Our instance of Lonely_{p^k} is $(\mathcal{C},V^*)$ where $\mathcal{C}$ implicitly encodes a $p^k$-dimensional matching $G=(V=[p^k]^n,E)$ and a designated vertex set $V^*\subseteq V$ such that $|V^*|\not\equiv 0\pmod{p^k}$. Let $p^t$, $0\le t<k$, be the largest power of $p$ that divides $|V^*|$. Through local operations we construct a $p$-dimensional matching hypergraph $\tilde G=(\tilde V,\tilde E)$ over vertices $\tilde V := \binom{V}{p^t}$ (the set of all size-$p^t$ subsets of $V$) with designated vertices $\tilde V^* := \binom{V^*}{p^t}$. From Eq. 5.3.1, we get that $|\tilde V|\equiv 0\pmod p$ and $|\tilde V^*|\not\equiv 0\pmod p$.

We describe an algorithm that on input a vertex $\tilde v\in\tilde V$ outputs a hyperedge of $p$ vertices that contains $\tilde v$ (if any). The vertex $\tilde v$ corresponds to a size-$p^t$ subset of $V$, namely $\tilde v=\{v_1,\dots,v_{p^t}\}\subseteq V$. If at least one of the vertices $v_1,\dots,v_{p^t}$ has degree 1 in the Lonely_{p^k} instance, then $\tilde v$ should also have degree 1 in the Lonely_p instance. To this end, we devise a canonical way to group $\tilde v$ with $p-1$ vertices of $\tilde V$ depending on how many of the $v_1,\dots,v_{p^t}$ belong to the same hyperedge in the graph $G$. We first provide some examples:

- If all $v_1,\dots,v_{p^t}$ belong to the same hyperedge $e\in E$, then $\tilde v$ is grouped in a canonical way (e.g. lexicographically) with $p-1$ size-$p^t$ subsets of $e$, which are also vertices in $\tilde V$.

- If $v_1,\dots,v_{p^t-1}\in e_1$ with $e_1\in E$ and $\deg(v_{p^t})=0$, then we group the set $\{v_1,\dots,v_{p^t-1}\}$ with $p-1$ size-$(p^t-1)$ subsets $u_1,\dots,u_{p-1}$ of $e_1$ in a canonical way (e.g. lexicographically). Finally, the hyperedge of $\tilde G$ containing $\tilde v$ also contains the size-$p^t$ subsets of the form $u_i\cup\{v_{p^t}\}$ for $i\in\{1,\dots,p-1\}$, which are vertices of $\tilde V$.

- If $v_1,\dots,v_{p^t-1}\in e_1$ and $v_{p^t}\in e_2$ with $e_1,e_2\in E$, then we group the set $\{v_1,\dots,v_{p^t-1}\}$ with $p-1$ size-$(p^t-1)$ subsets $u_1,\dots,u_{p-1}$ of $e_1$, and $v_{p^t}$ with $p-1$ size-1 subsets $w_1,\dots,w_{p-1}$ of $e_2$. These aforementioned groupings are done in a canonical way (e.g. lexicographically). Finally, the hyperedge of $\tilde G$ containing $\tilde v$ also contains the size-$p^t$ subsets of the form $u_i\cup w_i$ for $i\in\{1,\dots,p-1\}$, which are vertices of $\tilde V$.

In general, fix an algorithm that for any set $e := \{u_1,\dots,u_{p^k}\}\subseteq V$ and for any $1\le i\le p^t$ computes some "canonical" partition of the set $\binom{e}{i}$ (the set of all size-$i$ subsets of $e$) into subsets of size $p$, and moreover assigns a canonical cyclic order within each such subset. This is indeed possible because of Eq. 5.3.2, since $t<k$.

Given a vertex $\tilde v := \{v_1,\dots,v_{p^t}\}\in\tilde V$:

- Compute all edges $e_1,\dots,e_\ell\in E$ that include some $v\in\tilde v$.

- For edge $e_j$, define $S_j := e_j\cap\tilde v$ and let $S_j^1,\dots,S_j^{p-1}$ be the remaining subsets of $e_j$ in the same part as $S_j$ in the canonical partition of $\binom{e_j}{|S_j|}$, listed in the canonical cyclic order starting at $S_j$. Also, let $S_0 = \tilde v\setminus\bigcup_{j=1}^{\ell}S_j$, and observe that $\tilde v = S_0\cup S_1\cup\dots\cup S_\ell$.

- Output the neighbors of $\tilde v$ as the vertices $\tilde v^1,\dots,\tilde v^{p-1}$ where $\tilde v^i := S_0\cup S_1^i\cup\dots\cup S_\ell^i$.

It is easy to see that $\tilde v$ is isolated in $\tilde G$ if and only if all $v\in\tilde v$ are isolated in $G$. Moreover, any isolated vertex in $\tilde V\setminus\tilde V^*$ contains at least one isolated vertex in $V\setminus V^*$; and a non-isolated vertex in $\tilde V^*$ contains at least one non-isolated vertex in $V^*$ (in fact $p^t$ many).

The edges of $\tilde G$ can indeed be computed efficiently with just black-box access to $\mathcal{C}$. In order to complete the reduction, we only need that $\tilde V$ is efficiently indexable. This is indeed standard; see [114, §2.3] for a reference. See Figure 5-3 for an illustration of the proof.

5.4 A Natural Complete Problem

We start with some notation that is useful for the presentation of our results.

Notations. For any polynomial $g\in\mathbb{F}_p[x]$, we define $\deg(g)$ to be the degree of $g$. We define the expansion to monic monomials of $g$ as $\sum_{\ell=1}^{L}t_\ell(x)$, where $t_\ell(x)$ is a monic monomial in $\mathbb{F}_p[x]$, i.e. a monomial with coefficient 1. For example, the expansion of the polynomial $g(x_1,x_2) = x_1\cdot(2x_1+3x_2)$ is given by $x_1^2 + x_1^2 + x_1x_2 + x_1x_2 + x_1x_2$. For a polynomial system $f := (f_1,\dots,f_m)\in\mathbb{F}_p[x]^m$, its affine variety $\mathcal{V}_f\subseteq\mathbb{F}_p^n$ is defined as $\mathcal{V}_f := \{x\in\mathbb{F}_p^n \mid f(x)=0\}$. Let $\overline{\mathcal{V}}_f := \mathbb{F}_p^n\setminus\mathcal{V}_f$. If the constant term of each $f_i$ is 0, we say that $f$ is zecote, standing for "Zero Constant Term" (owing to lack of known terminology and creativity on our part).

The Chevalley-Warning Theorem

We repeat the formal statement of the Chevalley-Warning Theorem together with its proof. We use $x$ to succinctly denote the set of all variables $(x_1,\dots,x_n)$ (the number of variables is always $n$) and $f$ to succinctly denote a system of polynomials $f=(f_1,\dots,f_m)\in\mathbb{F}[x]^m$.

Chevalley-Warning Theorem ([50, 163]). For any prime $p$ and a polynomial system $f\in\mathbb{F}_p[x_1,\dots,x_n]^m$ satisfying $\sum_{i=1}^{m}\deg(f_i) < n$ (CW Condition), $|\mathcal{V}_f|\equiv 0\pmod p$.

The proof of CWT follows from Lemma 5.4.2. Even though there are direct proofs, the following presentation helps motivate our generalizations. Given a polynomial system $f\in\mathbb{F}_p[x]^m$, a key idea in the proof is to define the polynomial $CW_f(x) := \prod_{i=1}^{m}CW_{f_i}(x)$, where each $CW_{f_i}(x) := 1 - f_i(x)^{p-1}$. Observe that $CW_f(x)=1$ if $x\in\mathcal{V}_f$, and is 0 otherwise. The following definition describes the notion of a max-degree monomial of $CW_f$, which is an important notion in the proof.

Definition 5.4.1 (Max-Degree Monic Monomials). For any prime $p$, let $f\in\mathbb{F}_p[x]^m$ and let the expansion into monic monomials of $CW_{f_i}(x)$ be $\sum_{\ell=1}^{r_i}t_{i,\ell}(x)$. Let also $U_i = \{(i,\ell)\mid\ell\in[r_i]\}$ and $U = \times_{i=1}^{m}U_i$; we define the following quantities.

1. A monic monomial of $CW_f$ is a product $t_S(x) = \prod_{i=1}^{m}t_{s_i}(x)$ for some $S=(s_1,\dots,s_m)\in U$.

2. A max-degree monic monomial of $CW_f$ is any monic monomial $t_S(x)$ such that $t_S(x)\equiv\prod_{j=1}^{n}x_j^{p-1} \pmod{(x_i^p - x_i)_{i\in[n]}}$.

3. We define $\mathcal{M}_f$ to be the set of max-degree monic monomials of $CW_f$, i.e. $\mathcal{M}_f := \{S\in U\mid t_S \text{ is a max-degree monic monomial of } CW_f\}$.

In words, the monomials $t_S$ for $S\in U$ are precisely the ones that arise when symbolically expanding $CW_f(x)$. We illustrate this with an example: Let $p=3$, $f_1(x_1,x_2) = x_1+x_2$ and $f_2(x_1,x_2) = x_1^2$. Then, modulo $(x_1^3 - x_1,\ x_2^3 - x_2)$, we have
$$\begin{aligned}
CW_{(f_1,f_2)}(x_1,x_2) &= \bigl(1-(x_1+x_2)^2\bigr)\bigl(1-(x_1^2)^2\bigr) \\
&= (1 - x_1^2 - 2x_1x_2 - x_2^2)\cdot(1 - x_1^2) \\
&= (1 + x_1^2 + x_1^2 + x_1x_2 + x_2^2 + x_2^2)\cdot(1 + x_1^2 + x_1^2).
\end{aligned}$$

Thus, there are 18 ($= 6\times 3$) monic monomials in the system $(f_1,f_2)$. The monomial corresponding to $S=((1,5),(2,2))$ is a max-degree monomial, since the 5-th term in $CW_{f_1}$ is $x_2^2$ and the 2-nd term in $CW_{f_2}$ is $x_1^2$. Using the above definitions, we now state the main technical lemma of the proof of CWT.

Lemma 5.4.2 (Main Lemma in the proof of CWT). For any prime $p$ and any system of polynomials $f\in\mathbb{F}_p[x_1,\dots,x_n]^m$, it holds that $|\mathcal{V}_f|\equiv(-1)^n|\mathcal{M}_f|\pmod p$.

Proof. Note that $CW_f(x)=1$ if $x\in\mathcal{V}_f$, and $CW_f(x)=0$ otherwise. Thus, it follows that $|\mathcal{V}_f|\equiv\sum_{x\in\mathbb{F}_p^n}CW_f(x)\pmod p$. For any monic monomial $m(x)=\prod_{j=1}^{n}x_j^{d_j}$, it holds that $\sum_{x\in\mathbb{F}_p^n}m(x)=0$ if $d_j<p-1$ for some $x_j$. On the other hand, for the max-degree monomial $m(x)=\prod_{j=1}^{n}x_j^{p-1}$, it holds that $\sum_{x\in\mathbb{F}_p^n}m(x)=(p-1)^n$. Thus, we get that
$$|\mathcal{V}_f| \equiv \sum_{x\in\mathbb{F}_p^n}CW_f(x) \equiv \sum_{S\in U}\ \sum_{x\in\mathbb{F}_p^n}t_S(x) \equiv (-1)^n|\mathcal{M}_f| \pmod p.$$

Proof of Chevalley-Warning Theorem. Due to the definition of $CW_f$, it holds that $\deg(CW_f)\le(p-1)\sum_{i=1}^{m}\deg(f_i)$. Thus, if the system $f$ satisfies (CW Condition), then $\deg(CW_f)<(p-1)n$, and hence $\mathcal{M}_f=\emptyset$. Finally, CWT directly follows from Lemma 5.4.2.
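The symbolic expansion of $CW_f$, the index set $U$ and the CW Lemma, worked through on the page's own instance ($p=3$, $f_1=x_1+x_2$, $f_2=x_1^2$) as an added example; this is illustration code, not the thesis's own, and the dict-of-exponent-tuples representation of polynomials is an assumption of the example.

```python
"""Added example: symbolic expansion of CW_f and a brute-force check of the CW Lemma.

Representation (an assumption of this example): a polynomial over F_p in n
variables is a dict mapping an exponent tuple to a coefficient in {0, ..., p-1};
the constant 1 is {(0,)*n: 1}.  All arithmetic is done modulo (x_j^p - x_j).
"""
from itertools import product


def reduce_exp(e, p):
    """Reduce one exponent modulo x^p - x: x^0 stays, otherwise x^e = x^((e-1) mod (p-1) + 1)."""
    return 0 if e == 0 else (e - 1) % (p - 1) + 1


def poly_mul(a, b, p, n):
    """Product of two polynomials over F_p, reduced modulo (x_j^p - x_j) for all j."""
    out = {}
    for ea, ca in a.items():
        for eb, cb in b.items():
            e = tuple(reduce_exp(ea[j] + eb[j], p) for j in range(n))
            out[e] = (out.get(e, 0) + ca * cb) % p
    return {e: c for e, c in out.items() if c}


def cw_factor(f, p, n):
    """CW_{f_i}(x) = 1 - f_i(x)^(p-1), with coefficients in {0, ..., p-1}."""
    one = {(0,) * n: 1}
    power = one
    for _ in range(p - 1):
        power = poly_mul(power, f, p, n)
    out = dict(one)
    for e, c in power.items():
        out[e] = (out.get(e, 0) - c) % p
    return {e: c for e, c in out.items() if c}


def monic_expansion(poly):
    """Symbolic expansion t_1 + ... + t_r: a coefficient c in F_p yields c copies of the
    monic monomial.  Terms are listed by increasing total degree and, within a degree,
    x_1-heavy monomials first, which reproduces the ordering used on the page."""
    terms = []
    for e in sorted(poly, key=lambda e: (sum(e), tuple(-d for d in e))):
        terms.extend([e] * poly[e])
    return terms


def max_degree_monic_monomials(system, p, n):
    """The set M_f of Definition 5.4.1 as a list of index tuples S = ((1, s_1), ..., (m, s_m)),
    1-based, such that t_S equals prod_j x_j^(p-1) modulo (x_j^p - x_j)."""
    expansions = [monic_expansion(cw_factor(f, p, n)) for f in system]
    target = (p - 1,) * n
    found = []
    for choice in product(*[range(len(t)) for t in expansions]):
        total = [0] * n
        for i, k in enumerate(choice):
            for j in range(n):
                total[j] += expansions[i][k][j]
        if tuple(reduce_exp(d, p) for d in total) == target:
            found.append(tuple((i + 1, k + 1) for i, k in enumerate(choice)))
    return found


def evaluate(poly, x, p):
    """Value of a polynomial at a point x in F_p^n."""
    total = 0
    for e, c in poly.items():
        term = c
        for xj, ej in zip(x, e):
            term = term * pow(xj, ej, p) % p
        total += term
    return total % p


def common_roots(system, p, n):
    """Brute-force the variety V_f = {x in F_p^n : f_i(x) = 0 for all i}."""
    return [x for x in product(range(p), repeat=n)
            if all(evaluate(f, x, p) == 0 for f in system)]


def cw_lemma_holds(system, p, n):
    """Check Lemma 5.4.2: |V_f| == (-1)^n * |M_f| (mod p)."""
    lhs = len(common_roots(system, p, n)) % p
    rhs = ((-1) ** n * len(max_degree_monic_monomials(system, p, n))) % p
    return lhs == rhs


# The page's instance: p = 3, n = 2, f_1 = x_1 + x_2, f_2 = x_1^2.
P, N = 3, 2
F1 = {(1, 0): 1, (0, 1): 1}
F2 = {(2, 0): 1}

if __name__ == "__main__":
    sizes = [len(monic_expansion(cw_factor(f, P, N))) for f in (F1, F2)]
    print(sizes)                                        # [6, 3]: 18 monic monomials of CW_f
    print(max_degree_monic_monomials((F1, F2), P, N))   # four S, among them ((1, 5), (2, 2))
    print(len(common_roots((F1, F2), P, N)))            # 1: only x = (0, 0)
    print(cw_lemma_holds((F1, F2), P, N))               # True: 1 == (-1)^2 * 4 (mod 3)
```

The same functions verify the theorem's own case: for $p=3$, $n=3$ and the single polynomial $x_1+x_2+x_3$ (which satisfies (CW Condition)) the list of max-degree monomials is empty and $|\mathcal{V}_f| = 9 \equiv 0$.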

The Chevalley-Warning Theorem with Symmetry

We now state and prove more general statements that lead to the same conclusion as the Chevalley-Warning Theorem, namely that $|\mathcal{V}_f|\equiv 0\pmod p$. First, we prove a theorem about the cardinality of $\mathcal{V}_f$ directly using some symmetry of the system of polynomials $f$. Then, a generalization of the Chevalley-Warning Theorem follows by combining this symmetry-based argument with the (General CW Condition). Our natural PPA_p-complete problem is based on this generalization. The theorem statements are simplified using the definition of free action of a group. For a permutation over $n$ elements $\sigma\in S_n$, we define $\langle\sigma\rangle$ to be the subgroup generated by $\sigma$ and $|\sigma|$ to be the order of $\langle\sigma\rangle$. For $x\in\mathbb{F}_p^n$, $\sigma(x)$ denotes the assignment obtained by permuting the variables of the assignment $x$ according to $\sigma$.

Definition 5.4.3 (Free Group Action). Let $\sigma\in S_n$ and $\mathcal{V}\subseteq\mathbb{F}_p^n$; then we say that $\langle\sigma\rangle$ acts freely on $\mathcal{V}$ if, for every $x\in\mathcal{V}$, it holds that $\sigma(x)\in\mathcal{V}$ and $x\neq\sigma(x)$.

The following theorem highlights the use of symmetry in arguing about the size of $\mathcal{V}_f$.

Theorem 5.4.4. Let $f\in\mathbb{F}_p[x]^m$ be a system of polynomials. If there exists a permutation $\sigma\in S_n$ with $|\sigma|=p$ such that $\langle\sigma\rangle$ acts freely on $\mathcal{V}_f$, then $|\mathcal{V}_f|\equiv 0\pmod p$.

Proof. Since $\sigma$ acts freely on $\mathcal{V}_f$, we can partition $\mathcal{V}_f$ into the orbits of its elements under the action of $\langle\sigma\rangle$, namely sets of the type $\{\sigma^i(x)\}_{i\in[p]}$ for $x\in\mathcal{V}_f$. Since $\langle\sigma\rangle$ acts freely on $\mathcal{V}_f$, each such orbit has size $p$. Thus, we conclude that $|\mathcal{V}_f|\equiv 0\pmod p$.

Remark. For any polynomial system $f$ and any permutation $\sigma$, we can check in linear time if $|\sigma|=p$, and we can syntactically refute that $\langle\sigma\rangle$ acts freely on $\mathcal{V}_f$ with an $x\in\mathcal{V}_f$ such that $f(\sigma(x))=0$ or $\sigma(x)=x$.

We now state and prove an extension of CWT that captures both the argument from Lemma 5.4.2 and the symmetry argument from Theorem 5.4.4.

Theorem 5.4.5 (Chevalley-Warning with Symmetry Theorem). Let $g\in\mathbb{F}_p[x]^{m_g}$ and $h\in\mathbb{F}_p[x]^{m_h}$ be two systems of polynomials, and $f := (g,h)$. If there exists a permutation $\sigma\in S_n$ with $|\sigma|=p$ such that (1) $\mathcal{M}_g=\emptyset$ and (2) $\langle\sigma\rangle$ acts freely on $\mathcal{V}_g\cap\overline{\mathcal{V}}_h$, then $|\mathcal{V}_f|\equiv 0\pmod p$.

Remark 5.4.6. We point to the special form of Condition 2. By definition, $\mathcal{V}_f=\mathcal{V}_g\cap\mathcal{V}_h$, hence if $\langle\sigma\rangle$ were to act freely on $\overline{\mathcal{V}}_g\cup\overline{\mathcal{V}}_h$ (or even on $\mathcal{V}_g\cap\mathcal{V}_h$), then we could just use Theorem 5.4.4 to get that $|\mathcal{V}_f|\equiv 0\pmod p$. In the above theorem, we only require that $\langle\sigma\rangle$ acts freely on $\mathcal{V}_g\cap\overline{\mathcal{V}}_h$. Observe that Theorem 5.4.4 follows as a special case of CWT with Symmetry by setting $m_g=0$. Additionally, by setting $m_h=0$ we get the generalization of CWT corresponding to the (General CW Condition) as presented in Section 5.1.

Proof of Theorem 5.4.5. If $CW_g$ does not have any max-degree monic monomials, we have $|\mathcal{V}_g|\equiv 0\pmod p$ (similar to the proof of CWT) and, since $\overline{\mathcal{V}}_g=\mathbb{F}_p^n\setminus\mathcal{V}_g$, we have $|\overline{\mathcal{V}}_g|\equiv 0\pmod p$. Also, since $\langle\sigma\rangle$ acts freely on $\mathcal{V}_g\cap\overline{\mathcal{V}}_h$, we have $|\mathcal{V}_g\cap\overline{\mathcal{V}}_h|\equiv 0\pmod p$ (similar to the proof of Theorem 5.4.4). Hence,
$$|\overline{\mathcal{V}}_f| = |\overline{\mathcal{V}_g\cap\mathcal{V}_h}| = |\overline{\mathcal{V}}_g\cup\overline{\mathcal{V}}_h| = |\overline{\mathcal{V}}_g| + |\mathcal{V}_g\cap\overline{\mathcal{V}}_h| \equiv 0 \pmod p.$$
Thus, $|\mathcal{V}_f|\equiv 0\pmod p$.
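Theorem 5.4.5 on a small constructed instance, as an added example that is not code from the thesis: $g=(x_1+x_2+x_3)$ and $h=((x_1-x_2)(x_2-x_3)(x_3-x_1))$ over $\mathbb{F}_3$ with $\sigma$ the cyclic shift of the variables, plus a second, constructed $h$ for which Condition 2 fails and the refuting witness of output 0(b) of Definition 5.4.9 is returned. Representing polynomials as Python callables and brute-forcing the varieties are assumptions of this example.

```python
"""Added example: Theorem 5.4.5 on a constructed instance with p = 3, n = 3.

Polynomials are given as Python callables on F_p^n (an assumption of this
example), so varieties are brute-forced; that is fine for p = 3 and n = 3.
"""
from itertools import product

P, N = 3, 3

# g = (x1 + x2 + x3): sum of degrees 1 < n = 3, so (CW Condition) holds and M_g is empty.
G = [lambda x: (x[0] + x[1] + x[2]) % P]
# h = (x1 - x2)(x2 - x3)(x3 - x1): vanishes exactly when two coordinates agree and is
# invariant under the cyclic shift below.  deg(g) + deg(h) = 4 >= n, so f = (g, h)
# does NOT satisfy (CW Condition); only the symmetry argument applies.
H = [lambda x: ((x[0] - x[1]) * (x[1] - x[2]) * (x[2] - x[0])) % P]
# A second h (constructed) for which Condition 2 of Theorem 5.4.5 fails.
H_BAD = [lambda x: (x[0] * x[1]) % P]
# sigma = cyclic shift of the variables, one-line notation: variable j moves to position sigma[j].
SIGMA = (1, 2, 0)


def apply_perm(sigma, x):
    """sigma(x): the assignment obtained by permuting the variables of x according to sigma."""
    y = [0] * len(x)
    for j, xj in enumerate(x):
        y[sigma[j]] = xj
    return tuple(y)


def perm_order(sigma):
    """|sigma|, the order of the cyclic group <sigma>."""
    identity = tuple(range(len(sigma)))
    cur, k = tuple(sigma), 1
    while cur != identity:
        cur = tuple(sigma[c] for c in cur)  # compose with sigma once more
        k += 1
    return k


def variety(system, p, n):
    """V_f = {x in F_p^n : f_i(x) = 0 for all i}, brute-forced."""
    return {x for x in product(range(p), repeat=n) if all(f(x) == 0 for f in system)}


def free_action_witness(sigma, s):
    """None if <sigma> acts freely on s (Definition 5.4.3); otherwise the lexicographically
    first x in s with sigma(x) not in s or sigma(x) == x, i.e. a syntactic refutation."""
    for x in sorted(s):
        y = apply_perm(sigma, x)
        if y not in s or y == x:
            return x
    return None


def chevalley_with_symmetry(g, h, sigma, p, n):
    """Solve a ChevalleyWithSymmetry_p instance by brute force.

    Returns ('refute', x) with a witness for output 0(b) of Definition 5.4.9, or
    ('solution', x) with a nonzero common root of f = (g, h).  Assumes M_g is empty
    (output 0(a) is not searched for), which holds for the g above.
    """
    assert perm_order(sigma) == p, "Condition |sigma| = p of Definition 5.4.9"
    vg, vh = variety(g, p, n), variety(h, p, n)
    s = vg - vh                       # V_g intersected with the complement of V_h
    witness = free_action_witness(sigma, s)
    if witness is not None:
        return ("refute", witness)
    vf = vg & vh                      # V_f = V_g intersected with V_h
    # Theorem 5.4.5: |V_f| is a multiple of p, and 0 is in V_f since g, h are zecote,
    # so a nonzero common root must exist.
    assert len(vf) % p == 0
    return ("solution", min(x for x in vf if any(x)))


if __name__ == "__main__":
    print(len(variety(G, P, N)), len(variety(G + H, P, N)))   # 9 3
    print(chevalley_with_symmetry(G, H, SIGMA, P, N))          # ('solution', (1, 1, 1))
    print(chevalley_with_symmetry(G, H_BAD, SIGMA, P, N))      # ('refute', (1, 1, 1))
```

For H_BAD the witness $(1,1,1)$ is a fixed point of $\sigma$ lying in $\mathcal{V}_g\cap\overline{\mathcal{V}}_h$, and indeed $|\mathcal{V}_g\cap\mathcal{V}_h| = 5$ is not a multiple of 3 there.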

Problems Related to Chevalley-Warning Theorem

We formally define the computational analogs of the Chevalley-Warning theorem and its generalizations.

Definition 5.4.7. (Chevalley_p)

Principle: Chevalley-Warning Theorem.

Input: $f\in\mathbb{F}_p[x]^m$, an explicit zecote polynomial system.

Condition: $\sum_{i=1}^{m}\deg(f_i) < n$.

Output: $x\in\mathbb{F}_p^n$ such that $x\neq 0$ and $f(x)=0$.

Definition 5.4.8. (GeneralChevalley_p)

Principle: General Chevalley-Warning Theorem via (General CW Condition).

Input: $f\in\mathbb{F}_p[x]^m$, an explicit zecote polynomial system.

Output:
0. A max-degree monic monomial $t_S(x)$ of $CW_f$, or
1. $x\in\mathbb{F}_p^n$ such that $x\neq 0$ and $f(x)=0$.

Definition 5.4.9. (ChevalleyWithSymmetry_p)

Principle: Chevalley-Warning Theorem with Symmetry (Theorem 5.4.5).

Input:
- $g\in\mathbb{F}_p[x]^{m_g}$ and $h\in\mathbb{F}_p[x]^{m_h}$, explicit zecote polynomial systems
- $\sigma\in S_n$, a permutation over $[n]$.

Condition: $|\sigma|=p$.

Output:
0. (a) A max-degree monic monomial $t_S(x)$ of $CW_g$, or
   (b) $x\in\mathcal{V}_g\cap\overline{\mathcal{V}}_h$ such that $\sigma(x)\notin(\mathcal{V}_g\cap\overline{\mathcal{V}}_h)\setminus\{x\}$, or
1. $x\in\mathbb{F}_p^n$ such that $x\neq 0$ and $f(x)=0$.

Remark 5.4.10. Some observations about the above computational problems follow:

1. In the problems GeneralChevalley_p and ChevalleyWithSymmetry_p, we assume that if the output is a max-degree monic monomial, this is given via the multiset of indices $S$ that describes the monomial as formalized in Definition 5.4.1.

2. Since Chevalley_p ⪯ GeneralChevalley_p ⪯ ChevalleyWithSymmetry_p, the inclusion of ChevalleyWithSymmetry_p in PPA_p implies that the problems Chevalley_p and GeneralChevalley_p are in PPA_p. Also, in Section 5.6 we prove that SIS_p ⪯ Chevalley_p, where SIS_p is a cryptographically relevant problem (see Section 3.1). This shows that the GeneralChevalley_p problem and the ChevalleyWithSymmetry_p problem are at least as hard as SIS_p.

Our main result is to capture the complexity class PPA_p via the computational problem ChevalleyWithSymmetry_p.

Theorem 5.4.11. For any prime $p$, ChevalleyWithSymmetry_p is PPA_p-complete.

ChevalleyWithSymmetry$_p$ is PPA$_p$-complete

We first prove that ChevalleyWithSymmetry$_p$ is in PPA$_p$ and then prove its PPA$_p$-hardness.

ChevalleyWithSymmetry$_p$ is in PPA$_p$

Even though Papadimitriou [134] provided a rough proof sketch of Chevalley$_p$ $\in$ PPA$_p$, a formal proof was not given. We show that ChevalleyWithSymmetry$_p$ is in PPA$_p$ (and so are GeneralChevalley$_p$ and Chevalley$_p$). In order to do so we extend the definition of Bipartite$_q$ to instances where the vertices might have exponential degree and edges appear with multiplicity. The key here is to define a Bipartite$_q$ instance with unbounded (even exponential) degree, but with additional information that allows us to verify solutions efficiently.

Definition 5.4.12. (SuccinctBipartite$_q$)

Principle: Similar to Bipartite$_q$, but degrees are allowed to be exponentially large, and edges are allowed with multiplicities at most $q - 1$.

Object: Bipartite graph $G = (V \cup U, E)$ s.t. $E \subseteq V \times U \times \mathbb{Z}_q$. Designated edge $e^* \in E$.

Inputs: Let $V := \{0\} \times \{0,1\}^{n-1}$ and $U := \{1\} \times \{0,1\}^{n-1}$:
- $\mathcal{C} : V \times U \to [q]$, edge counting circuit
- $\varphi_V : V \times U \times [q] \to (U \times [q])^q$, grouping pivoted at $V$
- $\varphi_U : V \times U \times [q] \to (V \times [q])^q$, grouping pivoted at $U$
- $e^* = (v^*, u^*, k^*)$, designated edge

Encoding: $V := \{0\} \times \{0,1\}^{n-1}$, $U := \{1\} \times \{0,1\}^{n-1}$, $E := \{(v, u, k) : 1 \le k \le \mathcal{C}(v, u),\ (v, u) \in V \times U\}$ (here $k$ distinguishes multiplicities). Edge $(v, u, k)$ is grouped with $\{(v, u', k') : (u', k') \in \varphi_V(v, u, k)\}$ (pivoting at $v$), provided that $|\varphi_V(v, u, k)| = q$, all $(v, u', k') \in E$ and $\varphi_V(v, u', k') = \varphi_V(v, u, k)$. Edge $(v, u, k)$ is grouped with $\{(v', u, k') : (v', k') \in \varphi_U(v, u, k)\}$ (pivoting at $u$), provided that $|\varphi_U(v, u, k)| = q$, all $(v', u, k') \in E$ and $\varphi_U(v', u, k') = \varphi_U(v, u, k)$.

Solutions: the edge $e^*$, if $e^*$ is grouped pivoting at $v^*$, or if $e^*$ is not grouped pivoting at $u^*$, OR an edge $e \neq e^*$ if $e$ is not grouped pivoting at one of its ends.

In words, SuccinctBipartite$_p$ encodes a bipartite graph with arbitrary degree. Instead of listing the neighbors of a vertex using a circuit, we have a circuit that outputs the multiplicity of edges between any two given vertices. We are therefore unable to efficiently count the number of edges incident on any vertex. The grouping function $\varphi_V$ aims to group edges incident on any vertex $v \in V$ into groups of size $q$. Similarly, $\varphi_U$ aims to group edges incident on any vertex $u \in U$.

The underlying principle is that if we have an edge $e^*$ that is not grouped pivoting at $v^*$ (one of its endpoints), then either $e^*$ is not grouped pivoting at $u^*$ (its other endpoint) or there exists another edge that is also not grouped pivoting at one of its ends. Note that in contrast to the problems previously defined, $v^*$ might still be an endpoint of a valid solution.

Lemma 5.4.13. For all primes $p$, ChevalleyWithSymmetry$_p$ $\in$ PPA$_p$.

Proof. We provide a reduction from the ChevalleyWithSymmetry$_p$ problem to the SuccinctBipartite$_p$ problem, which we show to be PPA$_p$-complete in Appendix B.2. Given an instance of ChevalleyWithSymmetry$_p$, namely a zecote polynomial system $f = (g, h)$ and a permutation $\sigma$, we construct a bipartite graph $G = (U \cup V, E)$ encoded as an instance of SuccinctBipartite$_p$ as follows.

Description of vertices. $U = \mathbb{F}_p^n$, namely all possible assignments of $x$. The vertices of $V$ are divided into two parts $V_1 \cup V_2$. The part $V_1$ contains one vertex for each monomial in the expansion of $CW_g = \prod_{i=1}^{m_g} (1 - g_i^{p-1})$. Since $p$ is constant, we can efficiently list out the monomials of each $CW_{g_i} := 1 - g_i^{p-1}$. We represent each monomial of $CW_g$ similarly to Definition 5.4.1. In particular, let $r_i$ be the number of monic monomials of $CW_{g_i}$. Then, for a fixed ordering (e.g. lexicographic) of the monomials of each $CW_{g_i}$, a monomial of $CW_g$ is represented by a tuple $(a_1, a_2, \ldots, a_{m_g})$, where $0 < a_i \le r_i$ represents the index of a monic monomial of $CW_{g_i}$ and $a_i = 0$ corresponds to the constant $1$. The part $V_2 := \binom{\mathbb{F}_p^n}{p}$, i.e. it contains a vertex for each subset of $p$ distinct elements in $\mathbb{F}_p^n$.

Description of edges. We include an edge between an assignment $x$ and a monomial $t$ with multiplicity $t(x)$. These edges are between $U$ and $V_1$. With these edges in place, the degrees of vertices are as follows:

- $x = 0$ has a single edge corresponding to the constant monomial $1$, since $f$ is zecote. We let this be the designated edge $e^*$ in the final SuccinctBipartite$_p$ instance.

- $x \notin \mathcal{V}_g$ has $0 \pmod p$ edges (counting multiplicities). Since $CW_g(x) = 0$, the sum over all monomials of $t(x)$ must be $0 \pmod p$.

- $x \in \mathcal{V}_g$ has $1 \pmod p$ edges (counting multiplicities), since the sum over all monomials of $t(x)$ gives $CW_g(x) \equiv 1 \pmod p$.

- $t \in V_1$ that is not a max-degree monomial has $0 \pmod p$ edges (counting multiplicities). The monomial $t \bmod (x_i^p - x_i)_{i \in [n]}$ contains a variable with degree less than $p - 1$, and hence $\sum_{x \in \mathbb{F}_p^n} t(x) \equiv 0 \pmod p$.

With the edges so far the vertices with degree $\not\equiv 0 \pmod p$, excluding $0$, are precisely the max-degree monomials $t \in V_1$ and $x \in \mathcal{V}_g \setminus \{0\}$. However, there is no guarantee that a vertex $x$ with degree $1 \pmod p$ is in $\mathcal{V}_h$ as well. To argue about $h$, we add edges between $U$ and $V_2$ that exclude solutions $x \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$ on which $\sigma$ acts freely (that is, $\sigma(x) \neq x$).

Specifically, for $x \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$, if $\sigma(x) \neq x$, we add an edge with multiplicity $p - 1$ between $x$ and $\Sigma_x \in V_2$ where $\Sigma_x := \{\sigma^i(x)\}_{i \in [p]}$. Note that in this case $|\Sigma_x| = p$, since $\sigma(x) \neq x$ and $|\sigma| = p$ is prime. Observe that if a vertex in $V_2$ corresponds to a $\Sigma_x \subseteq \mathcal{V}_g \cap \overline{\mathcal{V}}_h$, it has $p$ edges each with multiplicity $p - 1$, one for each $x' \in \Sigma_x$. All vertices in $V_2$ that correspond to subsets of $\mathbb{F}_p^n \setminus (\mathcal{V}_g \cap \overline{\mathcal{V}}_h)$ have no edges. Thus, a vertex in $V_2$ has degree $\not\equiv 0 \pmod p$ if and only if it contains an $x \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$ such that $\sigma(x) \notin \mathcal{V}_g \cap \overline{\mathcal{V}}_h$. Finally, vertices with degree $\not\equiv 0 \pmod p$ correspond to one of the following.

- $x \in \mathcal{V}_g \cap \mathcal{V}_h$ such that $x \neq 0$, or

- $t \in V_1$ such that $t(x)$ is a max-degree monomial, or

- $x \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$ such that $\sigma(x) = x$, or

- $v \in V_2$ such that $\exists\, x \in v$ satisfying $x \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$ and $\sigma(x) \notin \mathcal{V}_g \cap \overline{\mathcal{V}}_h$.

These correspond precisely to the solutions of ChevalleyWithSymmetry$_p$. To summarize, the edge counting circuit $\mathcal{C}$ on input $(x, t) \in U \times V_1$ outputs $t(x)$, and on input $(x, v) \in U \times V_2$ outputs $p - 1$ if $x \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$, $\sigma(x) \neq x$ and $v = \Sigma_x$, and $0$ otherwise.

Grouping Functions. The grouping functions $\varphi_U$ and $\varphi_V$ are defined as follows (analogous to the so-called "chessplayer algorithm" in [134]):

- Grouping $\varphi_U$ (corresponding to endpoint in $U$):

  – For $x \in \overline{\mathcal{V}}_g$: there exists some $i$ such that $CW_{g_i}(x) = 0$. Consider an edge $(t = (a_1, a_2, \ldots, a_{m_g}), x, k)$. We can explicitly list out the multiset containing the monomials $t_j = (a_1, a_2, \ldots, a_i \leftarrow j, \ldots, a_{m_g})$ with multiplicity $t_j(x)$, for each $1 \le j \le r_i$. Since $CW_{g_i}(x) = 0$, this multiset has size a multiple of $p$. Hence, we can canonically divide its elements into groups of size $p$, counting multiplicities, and $\varphi_U$ returns the group containing $(t, k)$.

  – For $x \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$ such that $\sigma(x) \neq x$: Note that $g_i^{p-1}(x) = 0$ for all $i \in [m_g]$. Let $v_1 \in V_1$ be the vertex corresponding to the constant monomial $1$. The function $\varphi_U$ groups the edge $(v_1, x, 1)$ (of multiplicity $1$) with the $p - 1$ edges $(\Sigma_x, x, k)$ for $k \in [p - 1]$. For any other $t \in V_1 \setminus \{v_1\}$ with an edge $(t = (a_1, \ldots, a_{m_g}), x, k)$, there exists an $i \in [m_g]$ such that $a_i \neq 0$. We can explicitly list out the multiset containing the monomials $t_j = (a_1, a_2, \ldots, a_i \leftarrow j, \ldots, a_{m_g})$ with multiplicity $t_j(x)$, for each $1 \le j \le r_i$. Since $g_i^{p-1}(x) = 0$, this multiset has size a multiple of $p$. Hence, we can canonically partition it into groups of size $p$, and $\varphi_U$ on input $(t, x, k)$ returns the group containing $(t, k)$.

- Grouping $\varphi_V$ (corresponding to endpoint in $V$):

  – For $t \in V_1$, where $t$ is not a max-degree monomial: there exists a variable $x_i$ with degree less than $p - 1$. For $x^{(j)} = (x_1, \ldots, x_{i-1}, x_i \leftarrow j, \ldots, x_n)$ with $j \in \mathbb{F}_p$ we define the multiset $\{(x^{(j)}, t(x^{(j)}))\}_{j \in \mathbb{F}_p}$. Since $\sum_{j=0}^{p-1} t(x^{(j)}) = 0$, this multiset has size a multiple of $p$. Hence, we can canonically partition it into groups of size $p$, and $\varphi_V(t, x, k)$ returns the group containing $(x, k)$.

  – For $v \in V_2$: if $\deg(v) = 0$, then there is no grouping to be done. Else if $\deg(v) \equiv 0 \pmod p$, we define the multiset $\{(x, p - 1)\}_{x \in v}$, which has size a multiple of $p$. Hence, we can canonically partition it into groups of size $p$, and $\varphi_V$ on input $(v, x, k)$ returns the group containing $(x, k)$.

Thus, for any vertex with degree $\equiv 0 \pmod p$, we have provided a grouping function for all of its edges. If an edge is not grouped by the grouping functions at one of its endpoints, then this endpoint has degree $\not\equiv 0 \pmod p$ and points to a valid solution of the ChevalleyWithSymmetry$_p$ instance.

ChevalleyWithSymmetry$_p$ is PPA$_p$-hard

We show that Lonely$_p$ reduces to ChevalleyWithSymmetry$_p$. In the instance of ChevalleyWithSymmetry$_p$ that we create, we ensure that there are no solutions of type 0 (as in Definition 5.4.9), and thus the only valid solutions are of type 1. In order to do so, we introduce the notions of labeling and proper labeling and prove a variant of CWT that we call Labeled CWT (Theorem 5.4.18). The Labeled CWT is just a re-formulation of the original CWT rather than a generalization. To motivate the Labeled CWT, we provide some examples that do not seem to satisfy the Chevalley-Warning condition, but where a solution exists.

Example 1. Consider the case where $p = 3$ and $f(x_1, x_2) = x_2 - x_1^2$. In this case the Chevalley-Warning condition is not met, since we have 2 variables and the total degree is also 2. But, let us consider a slightly different polynomial where we replace the variable $x_2$ with the product of two variables $x_{21}, x_{22}$. Then, we get the polynomial $g(x_1, x_{21}, x_{22}) = x_{21} \cdot x_{22} - x_1^2$. Now, $g$ satisfies (CW Condition) and hence we conclude that the number of roots of $g$ is a multiple of 3. Interestingly, from this fact we can argue that there exists a non-trivial solution for $f(x) = 0$. In particular, the assignment $x_1 = 0, x_2 = 0$ corresponds to five assignments of the variables $x_1, x_{21}, x_{22}$. Hence, since $|\mathcal{V}_g| \equiv 0 \pmod 3$, $g$ has another root, which corresponds to a non-trivial root of $f$. In this example, we applied the CWT on a polynomial slightly different from $f$ in order to argue the existence of non-trivial solutions of $f$, even though $f$ did not satisfy (CW Condition).

Ignore Some Terms. The Labeled CWT formalizes the phenomenon observed in Example 1 and shows that under certain conditions we can ignore some terms when defining the degree of a polynomial. For instance, in Example 1, we can ignore the term $x_1^2$ when computing the degree of $f$ and treat $f$ as a degree 1 polynomial of 2 variables, in which case the condition of CWT is satisfied. We describe which terms can be ignored by defining a labeling of the terms of each polynomial in the system. The labels take values in $\{-1, 0, +1\}$ and our final goal is to ignore the terms with label $+1$. Of course, it should not be possible to define any labeling that we want; for example, we cannot ignore all the terms of a polynomial. Next, we describe the rules of a proper labeling that allows us to prove the Labeled CWT. We start with a definition of a labeling.

Definition 5.4.14 (Monomial Labeling). Let $f \in \mathbb{F}[x]^m$ and let $t_{ij}$ be the $j$-th monomial of the polynomial $f_i \in \mathbb{F}[x]$ (written in some canonical sorted order). Let $\mathcal{T}$ be the set of all pairs $(i, j)$ such that $t_{ij}$ is a monomial in $f$. A labeling of $f$ is a function $\lambda : \mathcal{T} \to \{-1, 0, +1\}$ and we say that $\lambda(i, j)$ is the label of $t_{ij}$ according to $\lambda$.

Definition 5.4.15 (Labeled Degree). For $f \in \mathbb{F}[x]^m$ with a labeling $\lambda$, we define the labeled degree of $f_i$ as $\deg^\lambda(f_i) := \max_{j : \lambda(i,j) \neq +1} \deg(t_{ij})$, namely the maximum degree among monomials of $f_i$ labeled either $0$ or $-1$.

Example 1 (continued). According to the lexicographic ordering for the polynomial $f(x_1, x_2) = -x_1^2 + x_2$, we have the monomials $t_{11} = -x_1^2$ and $t_{12} = x_2$. Hence, one possible labeling, which corresponds to the vanilla Chevalley-Warning Theorem, is $\lambda(1, 1) = \lambda(1, 2) = 0$. According to this labeling, $\deg^\lambda(f) = 2$. Another possible labeling, that allows us to apply the Labeled CWT, is $\lambda(1, 1) = +1$ and $\lambda(1, 2) = -1$. In this case, the labeled degree is $\deg^\lambda(f) = 1$.

Our goal is to prove the Chevalley-Warning Theorem, but with the weaker condition which states that $\sum_{i=1}^m \deg^\lambda(f_i) < n$, instead of the original condition $\sum_{i=1}^m \deg(f_i) < n$. We prove this variant of the Chevalley-Warning theorem when the labeling is proper. In order to better explain the conditions of a proper labeling, we define the notion of labeling graph.

Definition 5.4.16 (Labeling Graph). For $f \in \mathbb{F}[x]^m$ with a labeling $\lambda$, we define the labeling graph $G_\lambda = (U \cup V, E)$ as a directed bipartite graph on vertices $U = \{x_1, \ldots, x_n\}$ and $V = \{f_1, \ldots, f_m\}$. The edge $(x_j \to f_i)$ belongs to $E$ if $x_j$ appears in a monomial $t_{ir}$ in $f_i$ with label $+1$, i.e. $\lambda(i, r) = +1$. Symmetrically, the edge $(f_i \to x_j)$ belongs to $E$ if $x_j$ appears in a monomial $t_{ir}$ in $f_i$ with label $-1$, i.e. $\lambda(i, r) = -1$.

Example 2. Let $p = 2$ and $f_1(x_1, x_2, x_3, x_4) = x_1 x_2 - x_3$, $f_2(x_1, x_2, x_3, x_4) = x_1 x_3 - x_4$. In this system, if we use the lexicographic monomial ordering we have the monomials $t_{11} = x_1 x_2$, $t_{12} = -x_3$, $t_{21} = x_1 x_3$, $t_{22} = -x_4$. The following figure shows the graph $G_\lambda$ for the labeling $\lambda(1, 1) = +1$, $\lambda(1, 2) = -1$, $\lambda(2, 1) = +1$ and $\lambda(2, 2) = -1$.

[Figure: the labeling graph $G_\lambda$ of Example 2, with the polynomial vertices $f_1, f_2$ in the top row and the variable vertices $x_1, x_2, x_3, x_4$ in the bottom row.]

Definition 5.4.17 (Proper Labeling). Let $f \in \mathbb{F}[x]^m$ with a labeling $\lambda$. We say that the labeling $\lambda$ is proper if the following conditions hold.

(1) For all $i$, either $\lambda(i, j) \in \{-1, 1\}$ for all $j$, or $\lambda(i, j) = 0$ for all $j$.

(2) If two monomials $t_{ij}, t_{ij'}$ contain the same variable $x_k$, then $\lambda(i, j) = \lambda(i, j')$.

(3) If $\lambda(i, j) = -1$, then $t_{ij}$ is multilinear.

(4) If $x_k$ is a variable in the monomials $t_{ij}, t_{i'j'}$, with $i \neq i'$ and $\lambda(i, j) = -1$, then $\lambda(i', j') = +1$.

(5) If $\lambda(i, j) \neq 0$, then there exists a $j'$ such that $\lambda(i, j') = -1$.

(6) The labeling graph $G_\lambda$ contains no directed cycles.

We give an equivalent way to understand the definition of a proper labeling.

- Condition (1): there is a partition of the polynomial system $f$ into polynomial systems $g$ and $h$ such that all monomials in $g$ are labeled in $\{+1, -1\}$ and all monomials in $h$ are labeled $0$.

- Condition (2): each polynomial $g_i$ in $g$ can be written as $g_i = g_i^+ + g_i^-$, such that $g_i^+$ and $g_i^-$ are polynomials on a disjoint set of variables.

- Condition (3): Each $g_i^-$ is multilinear.

- Condition (4): Any variable $x_k$ can appear in at most one of the $g_i^-$. Moreover, if an $x_k$ appears in some $g_i^-$, it does not appear in any $h_j$ in $h$.

- Condition (5): Every $g_i^-$ involves at least one variable.

- Condition (6): The graph $G_\lambda$ is essentially between polynomials in $g$ and the variables that appear in them, with an edge $(g_i \to x_k)$ if $x_k$ appears in $g_i^-$ or an edge $(x_k \to g_i)$ if $x_k$ appears in $g_i^+$.

- Note that $\deg^\lambda(g_i) = \deg(g_i^-)$, whereas $\deg^\lambda(h_j) = \deg(h_j)$.

It is easy to see that the trivial labeling $\lambda(i, j) = 0$ is always proper. This special case of the Labeled CWT corresponds to the original CWT. Note that in this case the labeling graph $G_\lambda$ is an empty graph. Also, given a system of polynomials $f$ and a labeling $\lambda$, it is possible to check in polynomial time whether the labeling $\lambda$ is proper or not.

Example 2 (continued). The specified labeling $\lambda$ is indeed a proper labeling of $f$.
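The polynomial-time properness check mentioned above, as an added example that is not part of the thesis: it encodes the six conditions of Definition 5.4.17 and the labeled degree of Definition 5.4.15 over a polynomial system given as explicit monomials, builds the labeling graph of Definition 5.4.16, and runs the check on Example 2 and on a constructed labeling that is not proper. The dict encoding, zero-based indices and the `IMPROPER` labeling are this example's own choices.

```python
# Added example (not the thesis's code): checker for Definition 5.4.17 on the
# system of Example 2.  A polynomial system is a list of polynomials, each a
# list of monomials in a fixed order; a monomial is a dict {variable: exponent}
# (coefficients play no role in the conditions).  A labeling is a dict
# {(i, j): label} with zero-based polynomial index i and monomial index j.
from collections import defaultdict


def labeling_graph(system, labeling):
    """Adjacency sets of G_lambda (Definition 5.4.16): x_k -> f_i for a +1
    monomial containing x_k, f_i -> x_k for a -1 monomial containing x_k."""
    adj = defaultdict(set)
    for i, poly in enumerate(system):
        for j, mono in enumerate(poly):
            for k in mono:
                if labeling[(i, j)] == +1:
                    adj[("x", k)].add(("f", i))
                elif labeling[(i, j)] == -1:
                    adj[("f", i)].add(("x", k))
    return adj


def has_directed_cycle(adj):
    """Three-colour DFS; True iff some back edge (hence a cycle) exists."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = defaultdict(int)

    def visit(u):
        colour[u] = GREY
        for v in adj.get(u, ()):
            if colour[v] == GREY or (colour[v] == WHITE and visit(v)):
                return True
        colour[u] = BLACK
        return False

    return any(colour[u] == WHITE and visit(u) for u in list(adj))


def violated_conditions(system, labeling):
    """Numbers of the conditions (1)-(6) that the labeling breaks; the
    labeling is proper iff the returned list is empty."""
    bad = set()
    occurrences = defaultdict(list)          # variable -> [(i, j), ...]
    for i, poly in enumerate(system):
        labels = [labeling[(i, j)] for j in range(len(poly))]
        if not (all(lab in (-1, 1) for lab in labels) or all(lab == 0 for lab in labels)):
            bad.add(1)                        # (1) all in {-1,+1} or all 0
        if any(lab != 0 for lab in labels) and -1 not in labels:
            bad.add(5)                        # (5) some -1 monomial must exist
        for j, mono in enumerate(poly):
            if labels[j] == -1 and any(e > 1 for e in mono.values()):
                bad.add(3)                    # (3) -1 monomials are multilinear
            for k in mono:
                occurrences[k].append((i, j))
    for occ in occurrences.values():
        for (i, j) in occ:
            for (i2, j2) in occ:
                if i == i2 and labeling[(i, j)] != labeling[(i2, j2)]:
                    bad.add(2)                # (2) same variable in f_i, same label
                if i != i2 and labeling[(i, j)] == -1 and labeling[(i2, j2)] != +1:
                    bad.add(4)                # (4) a -1 variable is +1 elsewhere
    if has_directed_cycle(labeling_graph(system, labeling)):
        bad.add(6)                            # (6) G_lambda is acyclic
    return sorted(bad)


def labeled_degree_sum(system, labeling):
    """sum_i deg^lambda(f_i): per polynomial, max degree over monomials not +1."""
    total = 0
    for i, poly in enumerate(system):
        degs = [sum(m.values()) for j, m in enumerate(poly) if labeling[(i, j)] != +1]
        total += max(degs, default=0)
    return total


# Example 2 of the text: f1 = x1*x2 - x3 and f2 = x1*x3 - x4 over F_2, n = 4.
EXAMPLE_2 = [
    [{1: 1, 2: 1}, {3: 1}],                   # t11 = x1 x2,  t12 = -x3
    [{1: 1, 3: 1}, {4: 1}],                   # t21 = x1 x3,  t22 = -x4
]
PROPER = {(0, 0): +1, (0, 1): -1, (1, 0): +1, (1, 1): -1}
TRIVIAL = {key: 0 for key in PROPER}          # all-zero labeling (plain CWT)
# Constructed counter-example: swapping the labels of f2 puts x3 in a -1
# monomial of both f1 and f2, which breaks condition (4).
IMPROPER = {(0, 0): +1, (0, 1): -1, (1, 0): -1, (1, 1): +1}

if __name__ == "__main__":
    for name, lab in (("proper", PROPER), ("trivial", TRIVIAL), ("improper", IMPROPER)):
        print(name, "violates", violated_conditions(EXAMPLE_2, lab),
              "labeled degree sum", labeled_degree_sum(EXAMPLE_2, lab))
```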

Theorem 5.4.18 (Labeled Chevalley-Warning Theorem). Let $f \in \mathbb{F}_p[x]^m$. If $\lambda$ is a proper labeling of $f$ with $\sum_{i=1}^m \deg^\lambda(f_i) < n$, then $|\mathcal{M}_f| = 0$. In particular, $|\mathcal{V}_f| \equiv 0 \pmod p$.

Proof. We can re-write $CW_f = \prod_{i=1}^m \left(1 - f_i^{p-1}\right)$ as $\sum_{S \subseteq [m]} (-1)^{|S|} \prod_{i \in S} f_i^{p-1}$. We show that every monomial appearing in the expansion of $\prod_{i \in S} f_i^{p-1}$ has at least one variable with degree less than $p - 1$. For simplicity, we focus on the case $S = [m]$; the other cases follow similarly.

Let $r_i$ be the number of monomials in the explicit representation of $f_i$. We represent a monomial of the polynomial $\prod_{i \in [m]} f_i^{p-1}$ with a tuple of the form

$$\big((j_{11}, j_{12}, \ldots, j_{1(p-1)}), \ldots, (j_{m1}, \ldots, j_{m(p-1)})\big) \quad \text{with } 1 \le j_{i\ell} \le r_i.$$

The coordinates $(j_{i1}, \ldots, j_{i(p-1)})$ represent the indices of the monomials chosen from each of the $p - 1$ copies of $f_i$. More succinctly, we have $t = \prod_{i=1}^m \prod_{\ell=1}^{p-1} t_{i, j_{i\ell}}$.

Case 1. $\lambda(i, j_{i\ell}) \in \{0, -1\}$ for all $(i, \ell)$: In this case, $\deg(t) \le (p - 1) \sum_{i=1}^m \deg^\lambda(f_i)$, which is strictly less than $(p - 1) n$ from the assumption that $\sum_{i=1}^m \deg^\lambda(f_i) < n$. Hence, there is a variable with degree less than $p - 1$.

Case 2 (warm-up for case 3). There is a unique $i^*$ with $\lambda(i^*, j_{i^* \ell^*}) = +1$ for some $\ell^*$: That is, for all $i \neq i^*$ and all $\ell$, $\lambda(i, j_{i\ell}) \in \{0, -1\}$. By condition (5) of proper labeling there exists a $j \neq j_{i^* \ell^*}$ such that $\lambda(i^*, j) = -1$. Let $x_k$ be a variable in the monomial $t_{i^* j}$. By condition (2), $x_k$ appears in $f_{i^*}$ only in monomials with label equal to $-1$, so $x_k$ is not present in the monomial $t_{i^*, j_{i^* \ell^*}}$. Also, by condition (3) $x_k$ has degree at most $1$ in each monomial of $f_{i^*}$. Hence, its degree in $\prod_{\ell=1}^{p-1} t_{i^*, j_{i^* \ell}}$ is at most $p - 2$. Finally, by condition (4) any monomial of $f_i$ for $i \neq i^*$ containing $x_k$ must have label $+1$, but by assumption $\lambda(i, j_{i\ell}) \in \{0, -1\}$. Thus, the degree of $x_k$ in $t$ is equal to its degree in $t_{i^*, j_{i^*,1}} \cdots t_{i^*, j_{i^*,p-1}}$, which is strictly less than $p - 1$.

Case 3. There are many $i^*$ with $\lambda(i^*, j_{i^* \ell^*}) = +1$ for some $\ell^*$: Let $I = \{i : \lambda(i, j_{i\ell}) = +1 \text{ for some } \ell\}$. In the labeling graph $G_\lambda$, let $i^* \in I$ be such that there is no path from $f_{i^*}$ to any other $f_i$ for $i \in I$. Such an $i^*$ exists due to the acyclicity of $G_\lambda$, i.e. condition (6). Let $\ell^*$ be such that $\lambda(i^*, j_{i^* \ell^*}) = +1$. Again, by condition (5) of proper labeling there exists a $j \neq j_{i^* \ell^*}$ such that $\lambda(i^*, j) = -1$. Let $x_k$ be a variable in the monomial $t_{i^* j}$. By conditions (2) and (3), the degree of $x_k$ in $t_{i^*, j_{i^*,1}} \cdots t_{i^*, j_{i^*,p-1}}$ is at most $p - 2$. Additionally, by condition (4) any monomial of $f_i$ for $i \neq i^*$ containing $x_k$ must have label $+1$. For $i \notin I$, $\lambda(i, j_{i\ell}) \in \{0, -1\}$, and for $i \in I$, the variable $x_k$ cannot appear with label $+1$ in $f_i$ by our choice of $f_{i^*}$. Hence, the degree of $x_k$ in $t$ is equal to its degree in $t_{i^*, j_{i^*,1}} \cdots t_{i^*, j_{i^*,p-1}}$, which is strictly less than $p - 1$.

We are now ready to prove the PPA$_p$-hardness of ChevalleyWithSymmetry$_p$.

Lemma 5.4.19. For all primes $p$, ChevalleyWithSymmetry$_p$ is PPA$_p$-hard.

Proof. We prove that Lonely$_p$ $\preceq$ ChevalleyWithSymmetry$_p$. Let us assume (without loss of generality from Lemma 5.7.1) that the Lonely$_p$ instance has a single distinguished vertex represented by $0$. We assume that $0$ is isolated, since otherwise no further reduction is necessary.

Pre-processing. We slightly modify the given circuit $\mathcal{C}$ by defining $\mathcal{C}' : \mathbb{F}_p^n \to \mathbb{F}_p^n$ as follows:

$$\mathcal{C}'(v) = \begin{cases} v, & \text{if } \mathcal{C}^p(v) \neq v \\ \mathcal{C}(v), & \text{otherwise} \end{cases}$$

Since $p$ is a prime, a vertex $v \in \mathbb{F}_p^n$ has $\deg(v) = 1$ if and only if $\mathcal{C}^p(v) = v$ and $\mathcal{C}(v) \neq v$. By modifying the circuit, we changed this condition to just $\mathcal{C}'(v) \neq v$, which facilitates our reduction. Circuit $\mathcal{C}'$ is composed of $\mathbb{F}_p$-addition ($+$), $\mathbb{F}_p$-multiplication ($\times$) and constant ($1$) gates. However, since the input of ChevalleyWithSymmetry$_p$ is a zecote polynomial system, we need to further modify the circuit $\mathcal{C}'$ in order to eliminate all constant ($1$) gates, without changing its behavior; this is possible by the assumption $\mathcal{C}'(0) = 0$.

Claim 5.4.20. Given a circuit $\mathcal{C}'$ with $(+, \times, 1)$ gates, there exists a circuit $\tilde{\mathcal{C}}$ with $(+, \times)$ gates such that

$$\tilde{\mathcal{C}}(v) = \begin{cases} 0, & \text{if } v = 0 \\ \mathcal{C}'(v), & \text{otherwise} \end{cases}$$

Proof of Claim 5.4.20. We replace all instances of the constant ($1$) gate with the function $\mathbb{1}_{\{v \neq 0\}}$, which we can compute using only $(+, \times)$ gates as follows: For any $x, y \in \mathbb{F}_p$, observe that $\mathbb{1}_{\{x \neq 0\}} \vee \mathbb{1}_{\{y \neq 0\}} = x^{p-1} + y^{p-1} - x^{p-1} y^{p-1}$. We can thus recursively compute $\bigvee_{i=1}^n \mathbb{1}_{\{v_i \neq 0\}}$ using only $(+, \times)$ gates. Hence, $\tilde{\mathcal{C}}(v) = \mathcal{C}'(v)$ for all $v \neq 0$, and $\tilde{\mathcal{C}}(0) = 0$, since $\tilde{\mathcal{C}}$ is computed with only $(+, \times)$ gates.

Thus, we can transform our original circuit $\mathcal{C}$ into a circuit $\tilde{\mathcal{C}}$ with just $(+, \times)$ gates. For simplicity, we write $\tilde{\mathcal{C}}$ as simply $\mathcal{C}$ for the rest of the proof.

As an intermediate step in the reduction we describe a system of polynomials $f_{\mathcal{C}}$ over $2n + s$ variables $(x_1, \ldots, x_n, y_1, \ldots, y_n, z_1, \ldots, z_s)$, where $s$ is the size of the circuit $\mathcal{C}$. The variables $x = (x_1, \ldots, x_n)$ correspond to the input of $\mathcal{C}$, the variables $y = (y_1, \ldots, y_n)$ correspond to the output and the variables $z = (z_1, \ldots, z_s)$ correspond to the evaluations of the gates of $\mathcal{C}$. For an addition gate ($+$) we include a polynomial of the form

$$f(a_1, a_2, a_3) = a_2 + a_3 - a_1,$$

where $a_1$ is the variable corresponding to the output of the ($+$) gate and $a_2, a_3$ are the variables corresponding to its two inputs. Similarly, for a multiplication ($\times$) gate, we include a polynomial of the form

$$f(a_1, a_2, a_3) = a_2 \cdot a_3 - a_1.$$

Finally, for the output of the circuit, we include the polynomial

$$f(a, y_i) = a - y_i,$$

where $a$ is the variable corresponding to the $i$-th output gate of $\mathcal{C}$. It holds that

$$\mathcal{C}(x) = y \iff f_{\mathcal{C}}(x, y, z) = 0.$$
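The two steps just described, as an added example that is not the thesis's own code: the constant-gate elimination of Claim 5.4.20 via the $x^{p-1} + y^{p-1} - x^{p-1}y^{p-1}$ gadget, and the polynomial system $f_{\mathcal{C}}$ with one polynomial per gate and per output, both verified by brute force on a constructed two-input circuit. The gate-tuple encoding, the variable names and the circuit `GATES` are assumptions of the example.

```python
# Added example, not the thesis's code: (i) the constant-gate elimination of
# Claim 5.4.20 and (ii) the polynomial system f_C encoding C(x) = y, both
# checked by brute force.  A circuit over F_p is a list of gates in topological
# order: ('in', i) reads input x_i, ('one',) is the constant 1, and
# ('add', a, b) / ('mul', a, b) refer to earlier gate indices.
from itertools import product
from math import prod

OPS = {"add": lambda a, b: a + b, "mul": lambda a, b: a * b}


def evaluate(gates, outputs, x, p):
    """Return (output vector, value of every gate) on input x in F_p^n."""
    val = []
    for kind, *ins in gates:
        if kind == "in":
            val.append(x[ins[0]] % p)
        else:
            val.append(1 if kind == "one" else OPS[kind](val[ins[0]], val[ins[1]]) % p)
    return [val[o] for o in outputs], val


def eliminate_constants(gates, n, p):
    """Claim 5.4.20: rebuild the circuit from (+, x) gates only, replacing the
    constant 1 by the indicator 1_{v != 0}, folded from the gadget
    1_{x!=0} OR 1_{y!=0} = x^(p-1) + y^(p-1) - x^(p-1) y^(p-1).
    Returns the new gate list and a map from old to new gate indices."""
    new = [("in", i) for i in range(n)]

    def emit(gate):
        new.append(gate)
        return len(new) - 1

    def power_pm1(idx):               # idx^(p-1) via p-2 multiplications
        cur = idx
        for _ in range(p - 2):
            cur = emit(("mul", cur, idx))
        return cur

    def negate(idx):                  # -a = (p-1)*a via p-2 additions
        cur = idx
        for _ in range(p - 2):
            cur = emit(("add", cur, idx))
        return cur

    acc = power_pm1(0)                # 1_{x_0 != 0}
    for i in range(1, n):             # OR in the remaining inputs
        u = power_pm1(i)
        neg = negate(emit(("mul", acc, u)))
        acc = emit(("add", emit(("add", acc, u)), neg))
    remap = {}
    for old, (kind, *ins) in enumerate(gates):
        if kind == "in":
            remap[old] = ins[0]
        elif kind == "one":
            remap[old] = acc          # the indicator replaces every 1-gate
        else:
            remap[old] = emit((kind, remap[ins[0]], remap[ins[1]]))
    return new, remap


def claim_holds(gates, outputs, n, p):
    """C~(0) = 0 and C~(v) = C'(v) for v != 0, checked on all of F_p^n."""
    new, remap = eliminate_constants(gates, n, p)
    new_outputs = [remap[o] for o in outputs]
    for v in product(range(p), repeat=n):
        want = evaluate(gates, outputs, v, p)[0] if any(v) else [0] * len(outputs)
        if evaluate(new, new_outputs, v, p)[0] != want:
            return False
    return True


def polynomial_system(gates, outputs):
    """f_C for a (+, x)-only circuit: one polynomial per gate and one per
    output, each a dict {monomial (tuple of variable names): coefficient}."""
    def var(g):
        return "x%d" % gates[g][1] if gates[g][0] == "in" else "z%d" % g

    polys = []
    for g, (kind, *ins) in enumerate(gates):
        if kind == "add":             # a2 + a3 - a1
            mons = [(var(ins[0]),), (var(ins[1]),)]
        elif kind == "mul":           # a2 * a3 - a1
            mons = [(var(ins[0]), var(ins[1]))]
        else:
            continue
        poly = {(var(g),): -1}
        for m in mons:                # merge a2 == a3 into one coefficient
            poly[m] = poly.get(m, 0) + 1
        polys.append(poly)
    for i, o in enumerate(outputs):   # a - y_i
        polys.append({(var(o),): 1, ("y%d" % i,): -1})
    return polys


def eval_poly(poly, assign, p):
    return sum(c * prod(assign[v] for v in mono) for mono, c in poly.items()) % p


def encodes_circuit(gates, outputs, n, p):
    """Brute-force check of  C(x) = y  <=>  exists z with f_C(x, y, z) = 0."""
    polys = polynomial_system(gates, outputs)
    zs = sorted({v for q in polys for m in q for v in m if v[0] == "z"})
    for x in product(range(p), repeat=n):
        cx = evaluate(gates, outputs, x, p)[0]
        for y in product(range(p), repeat=len(outputs)):
            base = {"x%d" % i: x[i] for i in range(n)}
            base.update({"y%d" % i: y[i] for i in range(len(outputs))})
            solvable = any(all(eval_poly(q, {**base, **dict(zip(zs, zv))}, p) == 0
                               for q in polys)
                           for zv in product(range(p), repeat=len(zs)))
            if solvable != (list(y) == cx):
                return False
    return True


# Constructed circuit C'(x0, x1) = (x0*x1 + 1, x1); gate 2 is the constant 1.
GATES = [("in", 0), ("in", 1), ("one",), ("mul", 0, 1), ("add", 3, 2)]
OUTPUTS = [4, 1]
```

The exhaustive check over $z$ in `encodes_circuit` grows as $p^{s}$, so it is only meant for circuits of a handful of gates.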

For the reduction from Lonely$_p$ to ChevalleyWithSymmetry$_p$, we specify a system of polynomials $(g, h)$ and a permutation $\sigma$ such that $|\sigma| = p$. In addition, we provide a proper labeling $\lambda$ for $g$ satisfying the condition of Theorem 5.4.18. We also ensure that $\langle\sigma\rangle$ acts freely on $\mathcal{V}_g \cap \overline{\mathcal{V}}_h$. Hence, the only valid solutions for the resulting ChevalleyWithSymmetry$_p$ instance are in $\mathcal{V}_g \cap \mathcal{V}_h$.

Definition of $g$. The polynomial system $g$ contains the following polynomials.

$$f_{\mathcal{C}}(x_1, x_2, z_{1,2})$$
$$x_2 - x_3$$
$$f_{\mathcal{C}}(x_3, x_4, z_{3,4})$$
$$x_4 - x_5$$
$$\vdots$$
$$f_{\mathcal{C}}(x_{2p-1}, x_{2p}, z_{2p-1,2p})$$

Note that there are $N = (2n + s)p$ variables in total.

Labeling $\lambda$ of $g$. For the polynomials belonging to a system of the form $f_{\mathcal{C}}$, the monomials corresponding to the output of each gate have label $-1$ and the rest of the monomials have label $+1$. For instance, let $a_2 + a_3 - a_1$ be the $i$-th polynomial of $g$ corresponding to a ($+$) gate and let $a_1 \prec a_2 \prec a_3$; then $\lambda(i, 1) = -1$ and $\lambda(i, 2) = \lambda(i, 3) = +1$.

For the polynomials belonging to a system of the form $x_i - x_{i+1}$, the monomials with variables in $x_{i+1}$ have label $-1$ and the monomials with variables in $x_i$ have label $+1$.

Claim 5.4.21. The labeling $\lambda$ for $g$ is proper.

Proof of Claim 5.4.21. The labeling $\lambda$ is proper since the following conditions of Definition 5.4.17 hold.

Condition 1. For all $i$, either $\lambda(i, j) \in \{-1, 1\}$ for all $j$, or $\lambda(i, j) = 0$ for all $j$. In the labeling $\lambda$, there are no labels equal to $0$, so this condition holds trivially.

Condition 2. If two monomials $t_{ij}, t_{ij'}$ contain the same variable $x_k$, then $\lambda(i, j) = \lambda(i, j')$. By construction of $g$, no variable appears in the same polynomial with a different labeling. For polynomials of $f_{\mathcal{C}}$, this holds because the output variable of a gate cannot be an input variable of the same gate and all input variables have the same labeling. For polynomials in a system of the form $x_i - x_{i+1}$, each polynomial contains two different variables.

Condition 3. If $\lambda(i, j) = -1$, then $t_{ij}$ is multilinear. For polynomials of $f_{\mathcal{C}}$, only the output variable of a gate has label $-1$ and by definition this monomial is linear. For polynomials in a system of the form $x_i - x_{i+1}$, all monomials are linear, so the condition holds trivially.

Condition 4. If $x_k$ is a variable in the monomials $t_{ij}, t_{i'j'}$, with $i \neq i'$ and $\lambda(i, j) = -1$, then $\lambda(i', j') = +1$. Observe that all monomials with label $-1$ contain only a single variable, so we refer to a monomial $x_k$ with label $-1$. For a polynomial in $f_{\mathcal{C}}$, a monomial $x_k$ with label $-1$ corresponds to the output of a gate. Hence, if $x_k$ appears in other monomials of $f_{\mathcal{C}}$, these monomials correspond to inputs and have label $+1$. Moreover, if $x_k$ is an output variable of $f_{\mathcal{C}}$, it might appear in a polynomial of the form $a_1 - a_2$. However, by construction the monomials of $x_i - x_{i+1}$ that correspond to output variables of $f_{\mathcal{C}}$ have label $+1$.

Condition 5. If $\lambda(i, j) \neq 0$, then there exists a $j'$ such that $\lambda(i, j') = -1$. By the definition of $\lambda$, all polynomials of $g$ have a monomial with label $-1$. These are the monomials that correspond to the outputs of a gate for the systems of the form $f_{\mathcal{C}}$ and the monomials that correspond to $x_{i+1}$ for the systems of the form $x_i - x_{i+1}$.

Condition 6. The labeling graph $G_\lambda$ contains no cycles. Each system of the form $x_i - x_{i+1}$ has incoming edges with variables appearing only in the $i$-th copy of $f_{\mathcal{C}}$ and outgoing edges with variables appearing only in the $(i + 1)$-th copy of $f_{\mathcal{C}}$. Also, the variables appearing in the $i$-th copy of $f_{\mathcal{C}}$ might appear only in the systems $x_{i-1} - x_i$ and $x_i - x_{i+1}$. Hence, $G_\lambda$ has no cycle that contains vertices of two different copies of $f_{\mathcal{C}}$ or of a copy of $f_{\mathcal{C}}$ and a system of the form $x_{i-1} - x_i$.

It is left to argue that the labeling graph restricted to a copy of $f_{\mathcal{C}}$ does not have any cycles. Let the vertices of $f_{\mathcal{C}}$ be ordered according to the topological ordering of $\mathcal{C}$. This restricted part of $G_\lambda$ corresponds exactly to the graph of $\mathcal{C}$, which by definition is a DAG. Hence, $G_\lambda$ contains no cycles.

Finally, we show that this labeling of $g$ satisfies the condition of Theorem 5.4.18.

Claim 5.4.22. The labeled Chevalley condition $\sum_{i=1}^{m_g} \deg^\lambda(g_i) < N$ holds for $g$ with labeling $\lambda$.

Proof. Each polynomial of $g$ has a unique monomial with $\lambda(i, j) = -1$ and this monomial has degree $1$. Thus, $\sum_{i=1}^{m_g} \deg^\lambda(g_i) = m_g$. On the other hand, the $i$-th polynomial of $g$ has exactly one variable that has not appeared in any of the previous polynomials. More specifically, the number of variables is equal to $m_g + n$, where $n$ is the size of the input of $\mathcal{C}$. Hence, the labeled Chevalley condition holds for $g$.

Definition of $h$. The system of polynomials $g$ allows us to compute the $p$ vertices given by $\mathcal{C}^i(x)$ for $i \in \{1, \ldots, p\}$. From the definition of Lonely$_p$ and our pre-processing on $\mathcal{C}$, this group of $p$ vertices is a hyperedge if and only if $\mathcal{C}(x) \neq x$. Since solutions of Lonely$_p$ are lonely vertices, we define $h$ to exclude $x$ such that $\mathcal{C}(x) \neq x$. Namely, we set $h$ to be the system of polynomials

$$x_1 - x_2.$$

Definition of permutation $\sigma$. In the description of $f = (g, h)$, we have used the following vector of variables:

$$x = (x_1, x_2, \ldots, x_{2p}, z_{1,2}, z_{3,4}, \ldots, z_{2p-1,2p}).$$

We define the permutation $\sigma$ such that

$$\sigma(x) = (x_3, x_4, \ldots, x_{2p}, x_1, x_2, z_{3,4}, z_{5,6}, \ldots, z_{2p-1,2p}, z_{1,2}),$$

as illustrated in the following figure. The blue arrows indicate the polynomials $g$ and the green arrows indicate the permutation $\sigma$ in the case of $p = 3$.

[Figure: for $p = 3$, the three blocks $(z_{1,2}, x_1, x_2)$, $(z_{3,4}, x_3, x_4)$ and $(z_{5,6}, x_5, x_6)$, with the equalities $x_2 = x_3$ and $x_4 = x_5$ imposed by $g$ between consecutive blocks.]

Claim 5.4.23. The group $\langle\sigma\rangle$ has order $p$ and acts freely on $\mathcal{V}_g \cap \overline{\mathcal{V}}_h$.

Proof. In order to see that $|\sigma| = p$, note that the input of $\sigma$ consists of $3p$ blocks of variables. The permutation $\sigma$ performs a rotation of the first $2p$ blocks by two positions and of the last $p$ blocks by one position.

All that remains is to show that $\langle\sigma\rangle$ acts freely on $\mathcal{V}_g \cap \overline{\mathcal{V}}_h$. First, we show that $\langle\sigma\rangle$ defines a group action on $\mathcal{V}_g \cap \overline{\mathcal{V}}_h$, that is, for all $x \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$ it holds that $\sigma(x) \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$. Let $x = (x_1, x_2, \ldots, x_{2p-1}, x_{2p}, z_{1,2}, z_{3,4}, \ldots, z_{2p-1,2p}) \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$; then

- $x \in \mathcal{V}_g$ implies that $f_{\mathcal{C}}(x_{2i-1}, x_{2i}, z_{2i-1,2i}) = 0$ for $1 \le i \le p$ and $x_{2i} = x_{2i+1}$ for $1 \le i \le p - 1$,

- $x \in \overline{\mathcal{V}}_h$ implies that $x_1 \neq x_2$. Namely, $\mathcal{C}(x_1) \neq x_1$, since $f_{\mathcal{C}}(x_1, x_2, z_{1,2}) = 0 \Leftrightarrow x_2 = \mathcal{C}(x_1)$.

Thus, $\sigma(x) = (x_3, x_4, \ldots, x_1, x_2, z_{3,4}, z_{5,6}, \ldots, z_{1,2}) \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$ holds because

- $f_{\mathcal{C}}(x_{2i-1}, x_{2i}, z_{2i-1,2i}) = 0$ for $1 \le i \le p$ and $x_{2i} = x_{2i+1}$ for $1 \le i \le p - 1$, since $x \in \mathcal{V}_g$. Additionally, $x_1 = x_{2p}$ holds because from the pre-processing $\mathcal{C}^p(x_1) = x_1$,

- $x_3 \neq x_4$, since $x_4 = \mathcal{C}(x_3)$ and from the definition of $\mathcal{C}$, $\mathcal{C}(x_1) \neq x_1$ implies that $x_{2i} \neq x_{2i-1}$ for all $1 \le i \le p$.

Finally, we need to show that $\sigma(x) \neq x$ for $x \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$, which directly follows by construction of $\mathcal{C}$, since $x_{2k} \neq x_{2j}$ for $k \neq j$. This concludes the proof that $\langle\sigma\rangle$ acts freely on $\mathcal{V}_g \cap \overline{\mathcal{V}}_h$.

Putting it all together. The solution of the ChevalleyWithSymmetry$_p$ instance cannot be a vector $x \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$ with $\sigma(x) \notin \mathcal{V}_g \cap \overline{\mathcal{V}}_h$ or $\sigma(x) = x$, since from Claim 5.4.23 $\langle\sigma\rangle$ acts freely on $\mathcal{V}_g \cap \overline{\mathcal{V}}_h$. Also, from Theorem 5.4.18 the solution cannot be a max-degree monomial in the expansion of $CW_g(x) = \prod (1 - g_i^{p-1})$. Thus, the solution must be an $x \neq 0$ such that $f(x) = 0$. Let $x_1$ denote the first $n$ coordinates of $x$; then $f(x) = 0$ implies that $x_1 = \mathcal{C}(x_1)$ and $x \neq 0$ implies that $x_1 \neq 0$. Hence, $x_1$ corresponds to a lonely vertex of the Lonely$_p$ instance.

5.5 Complete Problems via Small Depth Arithmetic Circuits

Using the ChevalleyWithSymmetry$_p$ problem, we can reformulate any of the proposed definitions of PPA$_p$ by restricting the circuit in the input to be just constant depth arithmetic formulas with gates $\times \bmod p$ and $+ \bmod p$ (we call this class $\mathrm{AC}^0_{\mathbb{F}_p}$).[4] This result is analogous to the NP-completeness of SAT which basically shows that CircuitSAT remains NP-complete even if we restrict the input circuit to be a (CNF) formula of depth 2.

[4] Note that $\mathrm{AC}^0_{\mathbb{F}_p}$ is strictly more powerful than $\mathrm{AC}^0$, since the Boolean operations $\{\wedge, \vee, \neg\}$ can be implemented in $\mathrm{AC}^0_{\mathbb{F}_p}$, but $+ \bmod p$ cannot be implemented in $\mathrm{AC}^0$.

We define SuccinctBipartite$_p[\mathrm{AC}^0_{\mathbb{F}_p}]$ to be the same as SuccinctBipartite$_p$, but with the input circuit being a formula in $\mathrm{AC}^0_{\mathbb{F}_p}$. Similarly, we define the problems Lonely$_p[\mathrm{AC}^0_{\mathbb{F}_p}]$, Leaf$_p[\mathrm{AC}^0_{\mathbb{F}_p}]$, etc.

Theorem 5.5.1. For all primes $p$, SuccinctBipartite$_p[\mathrm{AC}^0_{\mathbb{F}_p}]$ is PPA$_p$-complete.

Remark 5.5.2. In [149], a similar simplification theorem was shown for PPAD. In fact, this simplification involves only the End-of-Line problem and does not go through a natural complete problem for PPAD (see Theorem 1.5 in [149]). A similar result can be shown for other TFNP subclasses, including PPA. However, it is unclear if these techniques also apply to PPA$_p$ classes.

Theorem 5.5.1 follows directly from the proof of Lemma 5.4.13 by observing that the reduction can be performed by an $\mathrm{AC}^0_{\mathbb{F}_p}$ circuit. For completeness, we include this proof in Appendix B.4.

Since the reductions between SuccinctBipartite$_p$ and other problems studied in this work (see Section 5.2) can also be implemented as $\mathrm{AC}^0_{\mathbb{F}_p}$ circuits, we get the following corollary.

Corollary 5.5.3. For all primes $p$, Lonely$_p[\mathrm{AC}^0_{\mathbb{F}_p}]$, Leaf$_p[\mathrm{AC}^0_{\mathbb{F}_p}]$ and Bipartite$_p[\mathrm{AC}^0_{\mathbb{F}_p}]$ are all PPA$_p$-complete.

Since $+ \bmod p$ and $\times \bmod p$ can be simulated in $\mathrm{NC}^1$, we also get the following corollary.

Corollary 5.5.4. For all primes $p$, Lonely$_p[\mathrm{NC}^1]$, Leaf$_p[\mathrm{NC}^1]$ and Bipartite$_p[\mathrm{NC}^1]$ are all PPA$_p$-complete.

Thus, Theorem 5.5.1 allows us to consider reductions from these PPA$_p$-complete problems with instances encoded by a shallow formula rather than an arbitrary circuit. We believe this could be a useful starting point for finding other PPA$_p$-complete problems.

121 5.6 Applications of Chevalley-Warning

For most of the combinatorial applications mentioned in Section 5.1, the proofs utilize restricted versions of the Chevalley-Warning Theorem that are related to finding binary or short solutions in a system of modular equations. We define two computational problems to capture these restricted cases. The first problem is about finding binary non-trivial solutions in a modular linear system of equa-

tions, which we call BISq. The second is a special case of the well-known short

integer solution problem in `∞ norm, which we denote for simplicity by SISq. The computational problems are defined below, where N(q) denotes the sum of the exponents in the canonical prime factorization of q, e.g. N(4) = N(6) = 2. In

particular, N(p) = 1 for prime p and N(q1q2) = N(q1) + N(q2) for all q1, q2.

Definition 5.6.1. ($\mathrm{BIS}_q$)

Input: a matrix $A \in \mathbb{Z}_q^{m \times n}$

Condition: $n > m^{N(q)}(q - 1)$

Output: $x \in \{0, 1\}^n$ such that $x \neq 0$ and $Ax \equiv 0 \pmod q$

Definition 5.6.2. ($\mathrm{SIS}_q$)

Input: a matrix $A \in \mathbb{Z}_q^{m \times n}$

Condition: $n > (m/2)^{N(q)}(q - 1)$

Output: $x \in \{-1, 0, 1\}^n$ such that $x \neq 0$ and $Ax \equiv 0 \pmod q$

$\mathrm{SIS}_q$ is a special case of the well-known short integer solution problem in $\ell_\infty$ norm from the theory of lattices. The totality of this problem is guaranteed even when $n > m \log_2 q$ by the pigeonhole principle; thus, $\mathrm{SIS}_q$ also belongs to PPP (for this regime of parameters). However, for the parameters considered in the above definitions, the existence of a solution in $\mathrm{BIS}_q$ and $\mathrm{SIS}_q$ is guaranteed through modulo-$q$ arguments, which we formally show in the following theorem.

Theorem 5.6.3. For the regime of parameters $n, m$ of Definitions 5.6.1 and 5.6.2, the following statements hold.

1. For all primes $p$: $\mathrm{BIS}_p, \mathrm{SIS}_p \preceq \mathrm{Chevalley}_p$.

2. For all $q$: $\mathrm{BIS}_q, \mathrm{SIS}_q \in \mathrm{FP}^{\mathrm{PPA}_q}$.

3. For all $k$: $\mathrm{BIS}_{2^k} \in \mathrm{FP}$.

4. For all $k, \ell$: $\mathrm{SIS}_{2^k 3^\ell} \in \mathrm{FP}$.

Proof. Part 1. For all primes $p$, $\mathrm{BIS}_p, \mathrm{SIS}_p \preceq \mathrm{Chevalley}_p$.

Given a $\mathrm{BIS}_p$ instance $A = (a_{ij})$, let

$$ f := \Big\{\, f_i(x) = \sum_{j=1}^{n} a_{ij} x_j^{p-1} \;:\; i \in [m] \,\Big\}. $$

Clearly, it holds that $\deg(f_i) = p - 1$, so $\sum_{i=1}^{m} \deg(f_i) = m(p - 1)$. Since $n > m(p - 1)$, the (CW Condition) is satisfied. Hence, the output of $\mathrm{Chevalley}_p$ is a solution $x \neq 0$ such that $f(x) = 0$. Finally, observe that $x^{p-1} := (x_1^{p-1}, \ldots, x_n^{p-1})$ is binary and satisfies $A x^{p-1} \equiv 0 \pmod p$.

The reduction $\mathrm{SIS}_p \preceq \mathrm{Chevalley}_p$ follows similarly by defining $f_i(x) := \sum_{j=1}^{n} a_{ij} x_j^{(p-1)/2}$. This satisfies the (CW Condition) because $\sum_i \deg(f_i) = m(p - 1)/2 < n$. This ensures that any $x \in \mathcal{V}_f$ satisfies $x^{(p-1)/2} \in \{-1, 0, 1\}^n$ and $A x^{(p-1)/2} \equiv 0 \pmod p$.

Part 2. For all $q$: $\mathrm{BIS}_q, \mathrm{SIS}_q \in \mathrm{FP}^{\mathrm{PPA}_q}$.

We show that $\mathrm{BIS}_{q_1 q_2} \preceq \mathrm{BIS}_{q_1} \,\&\, \mathrm{BIS}_{q_2}$. Hence, if $\mathrm{BIS}_{q_1} \in \mathrm{FP}^{\mathrm{PPA}_{q_1}}$ and $\mathrm{BIS}_{q_2} \in \mathrm{FP}^{\mathrm{PPA}_{q_2}}$, then $\mathrm{BIS}_{q_1 q_2} \in \mathrm{FP}^{\mathrm{PPA}_{q_1 q_2}}$. The proof of Part 2 now follows by induction.

Given a $\mathrm{BIS}_{q_1 q_2}$ instance $A \in \mathbb{Z}_{q_1 q_2}^{m \times n}$, we divide $A$ along the columns into $n_1 = m^{N(q_1)}(q_1 - 1)$ submatrices denoted by $A_1, \ldots, A_{n_1}$, each of size at least $m \times n_2$, with $n_2 = \lfloor n/n_1 \rfloor$ (if $n/n_1$ is not an integer, then we let $A_{n_1}$ have more than $n_2$ columns). Each $A_i$ is an instance of $\mathrm{BIS}_{q_2}$, since

$$ n_2 = \lfloor n/n_1 \rfloor \;\geq\; m^{N(q_2)} \left\lfloor \frac{q_1 q_2 - 1}{q_1 - 1} \right\rfloor \;\geq\; m^{N(q_2)} (q_2 - 1). $$

Let $y_i \in \{0, 1\}^{n_2}$ be any solution to $A_i y_i \equiv 0 \pmod{q_2}$. We define the matrix $B \in \mathbb{Z}^{m \times n_1}$ whose $i$-th column is equal to $A_i y_i / q_2$; this has integer entries since $A_i y_i \equiv 0 \pmod{q_2}$. Now, by our choice of $n_1$, we have that $B$ is an instance of $\mathrm{BIS}_{q_1}$. Let $z = (z_1, \ldots, z_{n_1}) \in \{0, 1\}^{n_1}$ be any solution to $Bz \equiv 0 \pmod{q_1}$. Finally, we define $x := (z_1 y_1, \ldots, z_{n_1} y_{n_1}) \in \{0, 1\}^n$. Observe that since the $y_i$ and $z$ are binary, $x$ is also binary. Additionally,

$$ Ax = \sum_{i=1}^{n_1} (A_i y_i)\, z_i = q_2 \sum_{i=1}^{n_1} \frac{A_i y_i}{q_2}\, z_i = q_2 B z \equiv 0 \pmod{q_1 q_2}. $$

Hence, $x$ is a solution of the original $\mathrm{BIS}_{q_1 q_2}$ instance. The proof of $\mathrm{SIS}_q \in \mathrm{FP}^{\mathrm{PPA}_q}$ follows similarly by observing that if the $y_i$ and $z$ have entries in $\{-1, 0, 1\}$, then so does $x$.

Parts 3, 4. For all $k, \ell$: $\mathrm{BIS}_{2^k} \in \mathrm{FP}$ and $\mathrm{SIS}_{2^k 3^\ell} \in \mathrm{FP}$.

Observe that $\mathrm{BIS}_2$ is solvable in polynomial time via Gaussian elimination. Combining this with the reduction $\mathrm{BIS}_{q_1 q_2} \preceq \mathrm{BIS}_{q_1} \,\&\, \mathrm{BIS}_{q_2}$ completes the proof. The proof for SIS is similar, since $\mathrm{SIS}_2$ and $\mathrm{SIS}_3$ are also solvable in polynomial time via Gaussian elimination.
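As an added illustration of Parts 2 and 3 (not code from the thesis), the following Python solves $\mathrm{BIS}_{2^k}$: Gaussian elimination over GF(2) for $k = 1$, and for $k > 1$ the column-splitting reduction $\mathrm{BIS}_{q_1 q_2} \preceq \mathrm{BIS}_{q_1} \,\&\, \mathrm{BIS}_{q_2}$ with $q_1 = 2$, $q_2 = 2^{k-1}$. It assumes one block more than the proof's count $n_1 = m$, so that the lifted instance $B$ has strictly more columns than rows, and the instances are constructed from a seeded generator.

```python
# Added example (not from the thesis): BIS_{2^k} in polynomial time, following
# the proof of Theorem 5.6.3. Instances below are constructed from a fixed seed.
import random


def gf2_kernel_vector(A, n):
    """Non-zero x in {0,1}^n with A x = 0 (mod 2). Requires n > number of rows."""
    rows = [[a % 2 for a in row] for row in A]
    m = len(rows)
    pivots = []                      # (row, column) of each pivot in reduced row echelon form
    r = 0
    for c in range(n):
        if r == m:
            break
        piv = next((i for i in range(r, m) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(m):           # clear column c everywhere except the pivot row
            if i != r and rows[i][c]:
                rows[i] = [x ^ y for x, y in zip(rows[i], rows[r])]
        pivots.append((r, c))
        r += 1
    pivot_cols = {c for _, c in pivots}
    free = next(c for c in range(n) if c not in pivot_cols)   # exists since rank <= m < n
    x = [0] * n
    x[free] = 1                      # set one free variable; the other free ones stay 0
    for i, c in pivots:              # row i reads x[c] + rows[i][free] * x[free] = 0 (mod 2)
        x[c] = rows[i][free]
    return x


def solve_bis_pow2(A, k):
    """BIS_{2^k}: non-zero x in {0,1}^n with A x = 0 (mod 2^k), given n > m^k (2^k - 1)."""
    q = 2 ** k
    m, n = len(A), len(A[0])
    if n <= m ** k * (q - 1):
        raise ValueError("BIS condition n > m^N(q) (q - 1) violated")
    if k == 1:
        return gf2_kernel_vector(A, n)
    q2 = 2 ** (k - 1)                # q = q1 * q2 with q1 = 2
    # Split the columns into n1 blocks. The proof uses n1 = m^N(q1) (q1 - 1) = m;
    # we take one more block so that B (m x n1, solved mod q1 = 2) has n1 > m.
    n1 = m + 1
    n2 = n // n1
    blocks = [(i * n2, (i + 1) * n2 if i < n1 - 1 else n) for i in range(n1)]
    ys, cols = [], []
    for lo, hi in blocks:
        Ai = [row[lo:hi] for row in A]
        yi = solve_bis_pow2([[a % q2 for a in row] for row in Ai], k - 1)  # BIS_{q2} instance
        v = [sum(a * y for a, y in zip(row, yi)) for row in Ai]          # A_i y_i over Z
        assert all(t % q2 == 0 for t in v)
        ys.append(yi)
        cols.append([t // q2 for t in v])                               # i-th column of B
    B = [[cols[i][r] for i in range(n1)] for r in range(m)]
    z = gf2_kernel_vector(B, n1)                                        # BIS_{q1} instance
    x = []
    for zi, yi in zip(z, ys):        # x = (z_1 y_1, ..., z_{n1} y_{n1}); A x = q2 B z = 0 mod q
        x.extend(zi * y for y in yi)
    return x


def is_bis_solution(A, x, q):
    """Check the BIS_q output condition: x non-zero, binary, and A x = 0 (mod q)."""
    return any(x) and all(v in (0, 1) for v in x) and all(
        sum(a * v for a, v in zip(row, x)) % q == 0 for row in A)


def example_matrix(m, n, q, seed=1):
    """Constructed instance with entries in Z_q."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(n)] for _ in range(m)]


if __name__ == "__main__":
    A = example_matrix(2, 13, 4)     # BIS_4 with m = 2 needs n > m^2 * 3 = 12
    print(solve_bis_pow2(A, 2))
```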

Note that for a prime $p$ and any $k$, we have from Theorem 5.3.1 that $\mathrm{PPA}_{p^k} = \mathrm{PPA}_p$. Additionally, Theorem 5.1.1 shows that $\mathrm{PPA}_p$ is closed under Turing reductions, so we have the following corollary.

Corollary 5.6.4. For all primes $p$ and all $k$: $\mathrm{BIS}_{p^k}, \mathrm{SIS}_{p^k} \in \mathrm{PPA}_p$.

Even though the $\mathrm{SIS}_q$ problem is well-studied in lattice theory, not many results are known in the regime we consider, where $q$ is a constant. For a prime $p$, our results show that solving $\mathrm{Chevalley}_p$ is at least as hard as finding short integer solutions in $p$-ary lattices for a specific range of parameters. On the other hand, we show that there are $q$-ary lattices for which finding short integer solutions is easy.

5.7 Structural Properties of $\mathrm{PPA}_q$

In this section, we prove the structural properties of $\mathrm{PPA}_q$ outlined in Section 5.1.

Relation to $\mathrm{PMOD}_q$. Buss and Johnson [40, 105] defined the $\mathrm{Mod}_q$ problem, which is almost identical to the $\mathrm{Lonely}_q$ problem, with the only difference being that the $q$-dimensional matching is over power-of-2 many vertices encoded by $\mathcal{C} : \{0, 1\}^n \to \{0, 1\}^n$, with no designated vertices, except when $q$ is a power of 2, in which case we have one designated vertex. The class $\mathrm{PMOD}_q$ is then defined as the class of total search problems reducible to $\mathrm{Mod}_q$. The restriction of the number of vertices to a power of 2, which arises as an artifact of the binary encoding of circuit inputs, makes the class $\mathrm{PMOD}_q$ slightly weaker than $\mathrm{PPA}_q$.

To compare $\mathrm{PPA}_q$ and $\mathrm{PMOD}_q$, we define a restricted version of $\mathrm{Lonely}_q$, where the number of designated vertices is exactly $k$; we call this problem $\mathrm{Lonely}_q^k$. Clearly, $\mathrm{Lonely}_q^k$ reduces to $\mathrm{Lonely}_q$. We show that a converse holds, but only for prime $p$; see Appendix B.3 for the proof.

Lemma 5.7.1. For all primes $p$ and $k \in \{1, \ldots, p - 1\}$, $\mathrm{Lonely}_p$ reduces to $\mathrm{Lonely}_p^k$.

Corollary 5.7.2. For all primes $p$, $\mathrm{PPA}_p = \mathrm{PMOD}_p$.

For composite $q$, however, the two classes are conceivably different. In contrast to Theorem 5.3.1, it is shown in [105] that $\mathrm{PMOD}_q = \&_{p \mid q}\, \mathrm{PMOD}_p$. For any two search problem classes $M_0, M_1$ with complete problems $S_0, S_1$, the class $M_0 \,\&\, M_1$ is defined via the following complete problem $S_0 \,\&\, S_1$: given $(x_0, x_1) \in \Sigma^* \times \Sigma^*$, find a solution to either $x_0$ interpreted as an instance of $S_0$ or to $x_1$ interpreted as an instance of $S_1$. In other words, $M_1 \,\&\, M_2$ is no more powerful than either $M_1$ or $M_2$. In particular, it holds that $M_1 \,\&\, M_2 \subseteq M_1 \cup M_2$, whereas the class combination used in Theorem 5.3.1 contains $M_1 \cup M_2$. Because of this distinction, unlike Theorem 5.3.1, the proof of $\mathrm{PMOD}_{p^k} = \mathrm{PMOD}_p$ in [105] follows much more easily. For any odd prime $p$, it holds that $2^n \not\equiv 0 \pmod p$, and hence a $\mathrm{Lonely}_{p^k}$ instance readily reduces to a $\mathrm{Lonely}_p$ instance.

Figure 5-4: Illustration of the proof of $\mathrm{PPAD} \subseteq \mathrm{PPA}_q$ for $q = 3$ (figure omitted; the panels show $G = (V, E)$ with $v^*$ and the matching $\bar{G} = (\bar{V}, \bar{E})$ with $(v^*, 1), (v^*, 2)$). We denote the designated, non-isolated, and isolated vertices with blue, yellow, and green respectively.

$\mathrm{PPAD} \subseteq \mathrm{PPA}_q$

Johnson [105] already showed that $\mathrm{PPAD} \subseteq \mathrm{PMOD}_q$, which implies that $\mathrm{PPAD} \subseteq \mathrm{PPA}_q$. We present a simplified version of that proof.

We reduce the PPAD-complete problem End-of-Line to $\mathrm{Lonely}_q$. An instance of End-of-Line is a circuit $\mathcal{C}$ that implicitly encodes a directed graph $G = (V, E)$ with in-degree and out-degree at most 1, and a designated vertex $v^*$ with in-degree 0 and out-degree 1. We construct a $q$-dimensional matching $\bar{G} = (\bar{V}, \bar{E})$ on vertices $\bar{V} = V \times [q]$. For every edge $(u \to v) \in E$, we include the hyperedge $\{(u, q), (v, 1), \ldots, (v, q - 1)\}$ in $\bar{E}$. The designated vertices are $\bar{V}^* = \{(v^*, 1), \ldots, (v^*, q - 1)\}$. Note that $|\bar{V}| \equiv 0 \pmod q$ and $|\bar{V}^*| = q - 1 \not\equiv 0 \pmod q$. It is easy to see that a vertex $(v, i)$ is isolated in $\bar{G}$ if and only if $v$ is a source or a sink in $G$. This completes the reduction, since $\bar{V}$ is efficiently representable and indexable and the neighbors of any vertex in $\bar{V}$ are locally computable using black-box access to $\mathcal{C}$ (see Remark 5.2.5).

Oracle separations

Here we explain how $\mathrm{PPA}_q$ can be separated from other TFNP classes relative to oracles, as summarized in Figure 5-1. That is, for distinct primes $p, p'$, there exist oracles $O_1, \ldots, O_5$ such that

(1) $\mathrm{PLS}^{O_1} \not\subseteq \mathrm{PPA}_p^{O_1}$, (2) $\mathrm{PPA}_p^{O_2} \not\subseteq \mathrm{PPP}^{O_2}$, (3) $\mathrm{PPA}_{p'}^{O_3} \not\subseteq \mathrm{PPA}_p^{O_3}$, (4) $\mathrm{PPADS}^{O_4} \not\subseteq \mathrm{PPA}_p^{O_4}$, (5) $\bigcap_p \mathrm{PPA}_p^{O_5} \not\subseteq \mathrm{PPAD}^{O_5}$.

The usual technique for proving such oracle separations is propositional proof complexity (together with standard diagonalization arguments) [16, 37, 40]. The main insight is that if a problem $S_1$ reduces to another problem $S_2$ in a black-box manner, then there are "efficient proofs" of the totality of $S_1$ starting from the totality of $S_2$. The discussion below assumes some familiarity with these techniques.

$\mathrm{PLS}^{O_1} \not\subseteq \mathrm{PPA}_p^{O_1}$, $\mathrm{PPA}_p^{O_2} \not\subseteq \mathrm{PPP}^{O_2}$, $\mathrm{PPA}_{p'}^{O_3} \not\subseteq \mathrm{PPA}_p^{O_3}$. Johnson [105] showed all the above separations with respect to $\mathrm{PMOD}_p$. Since we showed $\mathrm{PPA}_p = \mathrm{PMOD}_p$ (Corollary 5.7.2), the same oracle separations hold for $\mathrm{PPA}_p$.

$\mathrm{PPADS}^{O_4} \not\subseteq \mathrm{PPA}_p^{O_4}$. Göös et al. [90, §4.3], building on [17], showed that the contradiction underlying the PPADS-complete search problem Sink-of-Line requires $\mathbb{F}_p$-Nullstellensatz refutations of high degree. This yields the oracle separation.

$\bigcap_p \mathrm{PPA}_p^{O_5} \not\subseteq \mathrm{PPAD}^{O_5}$. For any fixed $k \geq 1$, let $S_k := \&_{i \in [k]}\, \mathrm{Lonely}_{p_i}$, where $p_i$ is the $i$-th prime. Buss et al. [39] showed that the principle underlying $S_k$ is incomparable with the principle underlying $\mathrm{Lonely}_{p_{k+1}}$. This translates into a relativized separation $\bigcap_{i \in [k]} \mathrm{PPA}_{p_i} \not\subseteq \mathrm{PPA}_{p_{k+1}}$, which in particular implies $\bigcap_{i \in [k]} \mathrm{PPA}_{p_i} \not\subseteq \mathrm{PPAD}$. Finally, one can consider the problem $S := S_{k(n)}$, where $k(n)$ is a slowly growing function of the input size $n$. This problem is in $\bigcap_p \mathrm{PPA}_p$ since, for each fixed $p$ and for large enough input size, $S$ reduces to the $\mathrm{PPA}_p$-complete problem. On the other hand, the result of Buss et al. [39] is robust enough to handle a slowly growing $k(n)$; we omit the details.

Closure under Turing reductions

Theorem 5.1.1 says that for any prime $p$, the class $\mathrm{PPA}_p$ is closed under Turing reductions. In contrast, Buss and Johnson showed that $\mathrm{PPA}_{p_1} \,\&\, \mathrm{PPA}_{p_2}$, for distinct primes $p_1$ and $p_2$, is not closed under black-box Turing reductions [40, 105]. In particular, they define the '$\otimes$' operator. For two total search problems $S_0$ and $S_1$, the problem $S_0 \otimes S_1$ is defined as: given $(x_0, x_1) \in \Sigma^* \times \Sigma^*$, find a solution to both $x_0$ (instance of $S_0$) and $x_1$ (instance of $S_1$). Clearly, the problem $\mathrm{Lonely}_{p_1} \otimes \mathrm{Lonely}_{p_2}$ can be solved with two queries to the oracle $\mathrm{PPA}_{p_1} \,\&\, \mathrm{PPA}_{p_2}$. However, Buss and Johnson [40, 105] show that $\mathrm{Lonely}_{p_1} \otimes \mathrm{Lonely}_{p_2}$ cannot be solved with one oracle query to $\mathrm{PPA}_{p_1} \,\&\, \mathrm{PPA}_{p_2}$ under black-box reductions. In particular, this implies that $\mathrm{PPA}_q$ is not closed under black-box Turing reductions when $q$ is not a prime power. We now prove Theorem 5.1.1, which is equivalent to the following.

Theorem 5.7.3. For any prime $p$ and total search problem $S$, if $S$ is Turing-reducible to $\mathrm{Lonely}_p$, then $S$ is Karp-reducible to $\mathrm{Lonely}_p$.

Proof. The key reason why this theorem holds for prime $p$ is Lemma 5.7.1: in a $\mathrm{Lonely}_p$ instance, we can assume w.l.o.g. that there are exactly $p - 1$ distinguished vertices. On instance $x$ of the problem $S$, suppose the oracle algorithm sequentially makes at most $t = \mathrm{poly}(|x|)$ queries to the $\mathrm{Lonely}_p$ oracle. The $i$-th query consists of a tuple $(\mathcal{C}_i, V_i^*)$, where $\mathcal{C}_i$ encodes a $p$-dimensional matching graph $G_i = (V_i, E_i)$ and $V_i^* \subseteq V_i$ is the set of designated vertices, and let $y_i \in V_i$ be the solution returned by the $\mathrm{Lonely}_p$ oracle. The query $(\mathcal{C}_i, V_i^*)$ is computable in polynomial time, given $x$ and valid solutions to all previous queries. Finally, after receiving all answers the algorithm returns $L(x, y_1, \ldots, y_t)$, which is a valid solution for $x$ in $S$.

We make the following simplifying assumptions.

- Each hypergraph $G_i$ is on $p^n$ vertices, where $n = \mathrm{poly}(|x|)$ (thanks to the instance extension property; see Remark 5.2.5).

- For any query, the vertices $V_i^*$ are always isolated in $G_i$ (if some vertex in $V_i^*$ were not isolated, the algorithm could be modified to simply not make the query).

- Exactly $t$ queries are made irrespective of the oracle answers.

We reduce $x$ to a single instance of $\mathrm{Lonely}_p$ as follows.

Vertices. The vertices of the $\mathrm{Lonely}_p$ instance are $V = [p]^n \cup [p]^{2n} \cup \cdots \cup [p]^{tn}$, which we interpret as $V = V_1 \cup (V_1 \times V_2) \cup (V_1 \times V_2 \times V_3) \cup \cdots \cup (V_1 \times \cdots \times V_t)$. The designated vertices are $V^* := V_1^*$. Note that $|V^*| = |V_1^*| \not\equiv 0 \pmod p$.

Edges. We define the hyperedge for vertex $v = (v_1, \ldots, v_k)$ for any $k \leq t$. Let $j \leq k$ be the last coordinate such that for all $i < j$, the vertex $v_i$ is a valid solution for the $\mathrm{Lonely}_p$ instance $(\mathcal{C}_i, V_i^*)$, which the algorithm creates on receiving $v_1, \ldots, v_{i-1}$ as answers to previous queries.

Case $j < k$: Let $u_1, \ldots, u_{p-1}$ be the neighbors of $v_k$ in a canonical trivial matching over $[p]^n$; e.g. $\{[p] \times w : w \in [p]^{n-1}\}$. The neighbors of $v$ are $\{(v_1, \ldots, v_{k-1}, u_i)\}_i$.

Case $j = k$: We consider three cases depending on whether $v_k$ is non-isolated, isolated, or designated in the $\mathrm{Lonely}_p$ instance $(\mathcal{C}_k, V_k^*)$.

Non-isolated $v_k$: For $u_1, \ldots, u_{p-1}$ being the neighbors of $v_k$ in $G_k$, the neighbors of $v$ are $\{(v_1, \ldots, v_{k-1}, u_i)\}_i$.

Isolated $v_k$: Such a $v_k$ is a valid solution for $(\mathcal{C}_k, V_k^*)$. If $k < t$: the algorithm has a next oracle query $(\mathcal{C}_{k+1}, V_{k+1}^*)$. In this case, for $u_1, \ldots, u_{p-1}$ being the designated vertices in $V_{k+1}^*$, the neighbors of $v$ are $\{(v_1, \ldots, v_{k-1}, v_k, u_i)\}_i$. If $k = t$: there are no more queries, and we leave $v$ isolated.

Designated $v_k$: Let $u_1, \ldots, u_{p-2}$ be the other designated vertices in $V_k^*$. The neighbors of $v$ are $\{(v_1, \ldots, v_{k-1}, u_i)\}_i \cup \{(v_1, \ldots, v_{k-1})\}$.

Figure 5-5: Illustration of the proof of Theorem 5.7.3 for $p = 3$ (figure omitted; it shows the levels $V_1$ and $V_1 \times V_2$). We denote the non-isolated, isolated and designated vertices of the $G_i$'s with yellow, green and blue respectively. Each rectangle on the second level corresponds to a vertex of $V_1$. The rectangles on the second level that correspond to isolated vertices of $V_1$ contain a copy of $V_2$. All rectangles on the second level that correspond to non-isolated or designated vertices of $V_1$ have trivial matchings.

It is easy to see that our definition of edges is consistent and the only vertices which are isolated (apart from those in $V^*$) are of the type $(y_1, \ldots, y_t)$, where each $y_i$ is a valid solution for the $\mathrm{Lonely}_p$ instance $(\mathcal{C}_i, V_i^*)$. Thus, given an isolated vertex $y$, we can immediately infer a solution for $x$ as $L(x, y_1, \ldots, y_t)$. This completes the reduction, since $V$ is efficiently representable and indexable (see Remark 5.2.5).

Chapter 6

Non-interactive zero-knowledge

A zero knowledge proof system [89] is a protocol between a prover and a verifier, in which the prover convinces the verifier about the validity of a statement, but reveals nothing more beyond this fact. If the protocol consists of a single message sent by the prover, then the protocol is called non-interactive zero knowledge [30]. We investigate the question of constructing a NIZK proof system for all of NP from the LWE assumption in the hidden-bits model, a framework introduced by Feige et al. [68]. We reduce the problem to that of constructing a NIZK proof system for a lattice problem, called the bounded distance decoding (BDD) problem. To construct our NIZK proof system, we introduce a new notion that we call prover-assisted oblivious ciphertext sampling (POCS). This notion extends the idea of oblivious ciphertext sampling, which allows one to sample ciphertexts without knowing the underlying plaintext.

6.1 Overview

Let $L \in \mathrm{NP}$ be an arbitrary NP language. Our goal is to construct a NIZK proof system for $L$. The starting point for our construction is an (unconditional) NIZK proof system for $L$ in the hidden-bits model, a framework introduced by Feige et al. [68] and made explicit by Goldreich [82]. In the hidden-bits model, the prover $P$ has access to a string of uniformly random bits $r \in \{0, 1\}^N$. Given the input $x$ and a witness $w$, the prover can decide to reveal some subset $I \subseteq [N]$ of the bits to the verifier, and in addition sends a proof-string $\pi$. The verifier, given only the input $x$, the revealed bits $r_I$, and the proof $\pi$, decides whether $x \in L$. Note that the unrevealed bits remain entirely hidden from the verifier. A hidden-bits proof is zero-knowledge if there exists a simulator $S$ that generates a view that is indistinguishable from that of the verifier (including in particular the revealed bits $r_I$). Feige et al. [68] show that every NP language has a NIZK proof system in the hidden-bits model. Furthermore, they show how to implement the hidden-bits model, in a computational sense, using (doubly enhanced) trapdoor permutations,¹ thereby obtaining a NIZK proof system for NP under the same assumption. Following Goldreich's presentation, we shall also aim to enforce the hidden-bits model using cryptography. In contrast to [68, 82], however, rather than using trapdoor permutations, we shall use an encryption scheme that satisfies some strong yet natural properties. The main technical challenge is in proving that an LWE-based encryption scheme satisfies these properties. We begin by describing the two most intuitive properties that we would like from our public-key encryption scheme $(G, E, D)$.

1. Oblivious Sampling of Ciphertexts: We require the ability to sample ciphertexts while remaining entirely oblivious to the underlying messages. More precisely, we assume that there exists an algorithm $\mathrm{Sample}$ that, given a public key $pk$, samples a random ciphertext $c \leftarrow \mathrm{Sample}(pk)$ such that the plaintext value $\sigma = D_{sk}(c)$ is hidden, even given the random coins used to sample $c$. In particular, the naive algorithm that chooses at random $b \in \{0, 1\}$ and outputs $E_{pk}(b)$ is not oblivious, since its random coins fully reveal $b$. Encryption schemes that have oblivious ciphertext sampling or OCS procedures are known in the literature (see, e.g., [79, 86]).

2. NIZK proof for Plaintext Value: We require a NIZK proof for a specific task, namely proving that a given ciphertext $c = E_{pk}(\sigma)$ is an encryption of the bit $\sigma$ (with respect to the public key $pk$). Note that this is indeed an NP task, since the secret key $sk$ is a witness to the fact that $c$ is an encryption of $\sigma$. In particular, we require that the honest prover strategy can be implemented efficiently given access to this witness (i.e., the secret key $sk$).

¹ Doubly enhanced trapdoor permutations were actually introduced in [84] (with the motivation of implementing the hidden-bits model). See further discussion in [86, 43].

With these two ingredients in hand we can describe the high-level strategy for implementing the hidden-bits model. The idea is that the common random string contains $N$ sequences $\rho_1, \ldots, \rho_N$ of random coins for the OCS procedure. Our NIZK prover chooses a public-key/secret-key pair $(pk, sk)$ and generates the ciphertexts $c_1, \ldots, c_N$, where $c_i = \mathrm{Sample}(pk; \rho_i)$ (i.e., an obliviously sampled ciphertext with respect to the public key $pk$ and randomness $\rho_i$). The prover further computes the corresponding plaintext bits $\sigma_1, \ldots, \sigma_N$, where $\sigma_i = \mathrm{Dec}_{sk}(c_i)$ (which it can compute efficiently, since it knows the secret key $sk$). The prover now runs the hidden-bits prover with respect to the random bit sequence $(\sigma_1, \ldots, \sigma_N)$ and obtains in return a subset $I \subseteq [N]$ of coordinates and a proof-string $\pi$. To reveal the coordinates $(\sigma_i)_{i \in I}$, we use the second ingredient: our NIZK proof for proving the plaintext value of the ciphertexts $(c_i)_{i \in I}$. Intuitively, the OCS guarantee allows the other bits $(\sigma_i)_{i \notin I}$ to remain hidden.

Certifying Public Keys. An issue that we run into when trying to implement the blueprint above is that a cheating prover may choose to specify a public key $pk$ that is not honestly generated. Given such a key, it is not clear a priori that the prover cannot control the distribution of the hidden bits, or even equivocate by being able to claim that a single ciphertext $c_i$ is both an encryption of the bit 0 and an encryption of the bit 1. This leads to actual attacks that entirely break the soundness of the NIZK proof system. A closely related issue actually affects the Feige et al. [68] NIZK construction (based on doubly enhanced trapdoor permutations) and was pointed out by Bellare and Yung [20].² More specifically, in the Feige et al. [68] protocol the prover needs to specify the index of a permutation (which is analogous to the public key in our setting). However, Bellare and Yung [20] observed that if the prover specifies a function that is not a permutation, then it can violate soundness. They resolved this issue by constructing a NIZK proof system for proving that the index indeed specifies a permutation.³ We follow the Bellare and Yung [20] approach by requiring conditions (1) and (2) above, as well as a NIZK proof for certifying public keys. Thus, our NIZK prover also supplies a NIZK proof that the public key is valid.

² Further related issues were recently uncovered by Canetti and Lichtenberg [43].

Instantiating our Approach with LWE. So far the approach outlined is basically the Feige et al. [68] implementation of the hidden-bits model (where we replace the trapdoor permutations with a suitable encryption scheme). However, when trying to instantiate it using LWE, we encounter significant technical challenges. For our encryption scheme, we use Regev's [142] scheme. The public key in this scheme consists of (1) a matrix $A \leftarrow \mathbb{Z}_q^{n \times m}$, where $m = \Theta(n \cdot \log(q))$, and (2) a vector $b^T = s^T \cdot A + e^T$, where $s \leftarrow \mathbb{Z}_q^n$ is the secret key, and $e$ is drawn from an $m$-dimensional discrete Gaussian. To instantiate the approach outlined above we require three procedures: (1) an oblivious ciphertext sampler (OCS), (2) a NIZK proof system for plaintext values, and (3) a NIZK proof system for certifying public keys. We discuss these three requirements in increasing order of complexity.

NIZK proof for Validating Public Keys. Recall that a public key in this encryption scheme is of the form $(A, b) \in \mathbb{Z}_q^{n \times m} \times \mathbb{Z}_q^m$, where $b^T = s^T \cdot A + e^T$ for an error vector $e \in \mathbb{Z}_q^m$ drawn from a discrete Gaussian, and in particular having bounded entries (with all but negligible probability). To validate the public key we shall construct a NIZK proof system that proves that for the input public key $(A, b)$, there exists a vector $s \in \mathbb{Z}_q^n$ such that $s^T \cdot A$ is very close to $b^T$. We additionally require that the secret vector $s$ is unique. To enforce this uniqueness, we let the matrix $A$ be specified as part of the CRS (rather than by the prover). Indeed, a lattice spanned by a random matrix $A$ does not have short vectors, and therefore $b$ cannot be close to two different lattice points. Producing such a NIZK proof system is where we need (for the first time) our additional assumption that dBDD has a NIZK proof system. Indeed, proving that there exists $s \in \mathbb{Z}_q^n$ such that $s^T \cdot A$ is very close to $b^T$ is a dBDD instance: we must show that the distance of the vector $b$ from the lattice spanned by the rows of $A$ is a lot smaller than the length of the shortest non-zero vector of this lattice. We note that since the matrix $A$ is random, (with very high probability) the length of the shortest non-zero vector is large.

³ Actually, the Bellare and Yung [20] protocol only certifies that the index specifies a function that is close to a permutation (i.e., they provide a non-interactive zero-knowledge proof of proximity, a notion recently formalized by Berman et al. [24]), which suffices in this context.

NIZK proof for Plaintext Value. The second procedure that we need is a NIZK proof system that certifies that a given ciphertext encrypts a bit $\sigma$. To see how we obtain this, we first need to recall the encryption procedure in Regev's [142] scheme. To encrypt a bit $\sigma \in \{0, 1\}$, one selects at random $r \leftarrow \{0, 1\}^m$ and outputs the ciphertext $(c, \omega)$, where $c = A \cdot r$ and $\omega = b^T \cdot r + \sigma \cdot \lfloor q/2 \rfloor$. Thus, given an alleged public key $(A, b) \in \mathbb{Z}_q^{n \times m} \times \mathbb{Z}_q^m$ and ciphertext $(c, \omega) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$, we basically want to ensure that there exists a vector $s \in \mathbb{Z}_q^n$ such that $b^T \approx s^T \cdot A$ and $\omega + \sigma \cdot \lfloor q/2 \rfloor \approx s^T \cdot c$, where $\sigma \in \{0, 1\}$ is the alleged plaintext value. Put differently, we want to ensure that the vector $\big(b, \omega + \sigma \cdot \lfloor q/2 \rfloor\big)$ is close to the lattice spanned by the rows of $[A, c]$. Thus, this problem can also be reduced to an instance of dBDD.

Oblivious Sampling of Ciphertexts. The last ingredient that we need is a procedure for obliviously sampling ciphertexts in Regev's encryption scheme. This is the main technical challenge in our construction. A first idea for such an OCS procedure is simply to generate a random pair $(c, \omega)$, where $c \leftarrow \mathbb{Z}_q^n$ and $\omega \leftarrow \mathbb{Z}_q$. Intuitively, this pair corresponds to a high-noise encryption of a random bit. The problem, though, is precisely the fact that $(c, \omega)$ is a high-noise ciphertext. That is, $s^T \cdot c - \omega$ might be close to neither 0 nor $\lfloor q/2 \rfloor$. In particular, the above NIZK proof for certifying plaintext values only works for low-noise ciphertexts.

This issue turns out to be a key one, which we do not know how to handle directly. Instead, we shall bypass it by introducing and considering a generalization of OCS in which the (untrusted) prover is allowed to assist the verifier in performing the sampling. We refer to this procedure (or rather protocol) as a prover-assisted oblivious ciphertext sampler (POCS). Thus, a POCS is a protocol between a sampler $S$, which is given the secret key (and is run by the prover in our NIZK proof), and a checker $C$, which is given the public key (and is run by the verifier). The common input to the protocol is a random string $\rho$. The sampler basically generates a sampled ciphertext $c$ and sends it to the checker, who runs some consistency checks. If the sampler behaves honestly and $\rho$ is sampled randomly, then the sampled ciphertext $c$ should correspond to an encryption of a random bit $\sigma$ and the checker's validation process should pass. Furthermore, the protocol should satisfy the following (loosely stated) requirements:

∙ (Computational) Hiding: The value $\sigma = \mathrm{Dec}_{sk}(c)$ is computationally hidden from the checker. That is, it is computationally infeasible to predict the value of $\sigma$ from $c$ and $pk$, even given the random coins $\rho$.

∙ (Statistical) Binding: For any value of $\rho$ there exists a unique value $\sigma$ such that for every (possibly cheating) sampler strategy $S^*$, with high probability either the checker rejects or the generated ciphertext $c$ corresponds to an encryption of $\sigma$.

With some care, such a POCS procedure can replace the OCS procedure (which did not use a prover) in our original outline. The key step therefore is constructing a POCS procedure for Regev’s encryption scheme, which we describe next.

A POCS Procedure for Regev's Encryption Scheme. Fix a public key $(A, b)$ and let $s$ be the corresponding secret key. The random input string for our POCS procedure consists of a vector $\rho \in \mathbb{Z}_q^n$ and a value $\tau \in \mathbb{Z}_q$. The pair $(\rho, \tau)$ should be thought of as a (high-noise) Regev encryption. Denote by $e = \tau - s^T \cdot \rho$ the noise in this ciphertext.

As discussed above, since $(\rho, \tau)$ corresponds to a high-noise ciphertext, we cannot have the sampler just output it as is. Rather, we have the sampler output a value $\tau' = s^T \cdot \rho + e' + \sigma' \cdot \lfloor q/2 \rfloor$, where $e'$ is drawn from the same noise distribution as fresh encryptions (i.e., low noise), and the value of the encrypted bit $\sigma'$ is specified next. Observe that $(\rho, \tau')$ corresponds to a fresh encryption of $\sigma'$, and so we need to make sure that $\sigma'$ is random and that the hiding and binding properties hold. To do so, we define $\sigma'$ as follows: if $|e' - e| \leq q/4$, then set $\sigma' = 0$, and otherwise set $\sigma' = 1$. Observe that in either case it must be that

$$ \left| e' + \sigma' \cdot \lfloor q/2 \rfloor - e \right| \leq q/4 . \tag{6.1.1} $$

We would like our checker to enforce that Equation (6.1.1) holds. Initially, this seems problematic, since our checker has access to none of $e$, $e'$, and $\sigma'$. However, the checker does have access to $\tau$ and $\tau'$, and it holds that

$$ \tau' - \tau = s^T \cdot \rho + e' + \sigma' \cdot \lfloor q/2 \rfloor - s^T \cdot \rho - e = e' + \sigma' \cdot \lfloor q/2 \rfloor - e, $$

and so we simply have our checker verify that $|\tau' - \tau| \leq q/4$. It is not too hard to see that an adversary can bias $\sigma'$ only with small probability over the randomness of $(\rho, \tau)$. Moreover, $\sigma'$ is unbiased even conditioned on $\rho$ (since its value is entirely undetermined until $\tau$ is chosen). Thus, the checker only sees a fresh encryption of a random bit $\sigma'$ which, by the hardness of LWE, hides the value of $\sigma'$. To see that the scheme is binding, observe that for most choices of $\rho$ and $\tau$ the (cheating) sampler cannot equivocate to two values $\tau'$ and $\tau''$ which correspond to different plaintext bits, as long as both have small noise. Hence, the sampler cannot equivocate to two different valid ciphertexts. This concludes the overview of our construction.
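The POCS exchange just described, as an added example that is not part of the thesis: a toy Regev scheme with constructed parameters ($q = 3329$, $n = 16$, $m = 64$, bounded uniform noise standing in for the discrete Gaussian), the sampler's rule for $\sigma'$ and $\tau'$, the checker's test $|\tau' - \tau| \leq q/4$, and a count of how often a low-noise ciphertext of the other bit would also pass the check, which is what the binding property bounds.

```python
# Added example (not from the thesis): a toy Regev scheme and the POCS sampler /
# checker of Section 6.1. Parameters are constructed and far too small for security.
import random

Q = 3329      # modulus (odd prime), constructed for the example
N = 16        # secret dimension
M = 64        # number of LWE samples in the public key
B = 8         # noise bound; stands in for the discrete Gaussian of the real scheme


def center(x):
    """Representative of x mod Q in [-(Q-1)/2, (Q-1)/2]."""
    return (x + Q // 2) % Q - Q // 2


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q


def keygen(rng):
    """Public key (A, b) with b = s^T A + e^T, secret key s."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    e = [rng.randint(-B, B) for _ in range(M)]
    b = [(sum(s[i] * A[i][j] for i in range(N)) + e[j]) % Q for j in range(M)]
    return (A, b), s


def encrypt(pk, sigma, rng):
    """Regev encryption: c = A r, w = b^T r + sigma * floor(q/2) for r in {0,1}^M."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    c = [sum(A[i][j] * r[j] for j in range(M)) % Q for i in range(N)]
    return c, (dot(b, r) + sigma * (Q // 2)) % Q


def decrypt(s, ct):
    c, w = ct
    return 0 if 4 * abs(center(w - dot(s, c))) <= Q else 1


def pocs_sample(s, rho, tau, rng):
    """Sampler (prover side): turn the high-noise pair (rho, tau) into a fresh
    low-noise encryption (rho, tau') of a bit sigma' that (rho, tau) fixes."""
    e = center(tau - dot(s, rho))            # noise hidden in the common input
    e2 = rng.randint(-B, B)                  # fresh low noise e'
    sigma = 0 if 4 * abs(center(e2 - e)) <= Q else 1
    tau2 = (dot(s, rho) + e2 + sigma * (Q // 2)) % Q
    return tau2, sigma


def pocs_check(tau, tau2):
    """Checker (verifier side): only tau and tau' are needed, by Eq. (6.1.1)."""
    return 4 * abs(center(tau2 - tau)) <= Q


def honest_run(seed):
    """(checker accepts?, decrypt(rho, tau') == sigma'?) for one honest execution."""
    rng = random.Random(seed)
    _, s = keygen(rng)
    rho = [rng.randrange(Q) for _ in range(N)]
    tau = rng.randrange(Q)
    tau2, sigma = pocs_sample(s, rho, tau, rng)
    return pocs_check(tau, tau2), decrypt(s, (rho, tau2)) == sigma


def roundtrip(seed):
    """Decryptions of fresh encryptions of 0 and 1; expected [0, 1]."""
    rng = random.Random(seed)
    pk, s = keygen(rng)
    return [decrypt(s, encrypt(pk, bit, rng)) for bit in (0, 1)]


def equivocation_rate(trials, seed=0):
    """Fraction of common inputs (rho, tau) for which a low-noise ciphertext of
    the *other* bit 1 - sigma' would also pass the check. Binding says this is
    small: it needs |e' - e| to land within the noise bound of the q/4 threshold."""
    rng = random.Random(seed)
    _, s = keygen(rng)
    passed = 0
    for _ in range(trials):
        rho = [rng.randrange(Q) for _ in range(N)]
        tau = rng.randrange(Q)
        tau2, sigma = pocs_sample(s, rho, tau, rng)
        assert pocs_check(tau, tau2)         # the honest sampler always passes
        tau3 = (dot(s, rho) + rng.randint(-B, B) + (1 - sigma) * (Q // 2)) % Q
        passed += pocs_check(tau, tau3)
    return passed / trials
```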

6.2 Basic Definitions

We provide the formal definitions of non-interactive zero-knowledge and of the hidden-bits model. Additionally, we define a variant of public-key encryption in which all algorithms, including the adversary, have access to some public randomness. We generally follow the notation and definitions of [82].

For simplicity we restrict our attention to bit-encryption schemes (where messages consist of single bits). We emphasize that in our variant of public-key encryption the public randomness is an additional input to the key generation algorithm and is also revealed to the adversary. In addition to the public randomness, the key generation algorithm is allowed to toss additional private random coins that are not revealed. Note that, clearly, any public-key encryption scheme is also a public-key scheme with public randomness, where $\rho_{pk}$ is null. Nevertheless, this notion is useful in our constructions. To avoid cluttering notation, we assume that the public key includes the public randomness.

Public-key Encryption with Public Randomness. A public-key encryption scheme with public randomness is a triple of PPT algorithms $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ such that:

1. The key-generation algorithm $\mathrm{Gen}(1^\kappa, \rho_{pk})$, on input public randomness $\rho_{pk}$ (and while tossing additional private random coins), outputs a pair of keys $(pk, sk)$, where $pk$ includes $\rho_{pk}$.

2. The encryption algorithm $\mathrm{Enc}(pk, \sigma)$, where $\sigma \in \{0, 1\}$, outputs a ciphertext $c$. We denote this output by $c = \mathrm{Enc}_{pk}(\sigma)$.

3. The deterministic decryption algorithm $\mathrm{Dec}(sk, c)$ outputs a message $\sigma'$. We denote this output by $\sigma' = \mathrm{Dec}_{sk}(c)$.

We require that for every $\sigma \in \{0, 1\}$, except with negligible probability over the public randomness $\rho_{pk}$, the keys $(pk, sk) \leftarrow \mathrm{Gen}(1^\kappa, \rho_{pk})$ and the randomness of the encryption scheme, we have that $\mathrm{Dec}_{sk}(\mathrm{Enc}_{pk}(\sigma)) = \sigma$.

Semantic security [88] is defined as follows:

Semantic Security with Public Randomness. The public-key encryption scheme $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ with public randomness is semantically secure if the distributions $(pk, E_{pk}(0))$ and $(pk, E_{pk}(1))$ are computationally indistinguishable, where $\rho_{pk} \leftarrow \{0, 1\}^{\mathrm{poly}(\kappa)}$ and $(pk, sk) \leftarrow \mathrm{Gen}(1^\kappa, \rho_{pk})$.

Non-Interactive Zero-Knowledge Proofs. We define a non-interactive (computational) zero-knowledge proof system (NIZK) for a language $L$ to be a pair of probabilistic polynomial-time algorithms $(P, V)$ such that:

- Completeness: For every $x \in L$ and witness $w$ for $x$, we have

$$ \Pr_{R}\big[V(x, R, P(x, R, w)) = 1\big] > 1 - \mathrm{negl}(|x|), $$

where $R \leftarrow \{0, 1\}^{\mathrm{poly}(|x|)}$. If the foregoing condition holds with probability 1, then we say that the NIZK has perfect completeness.

- Soundness: For every $x \notin L$ and every (possibly inefficient) cheating prover $P^*$, we have

$$ \Pr_{R}\big[V(x, R, P^*(x, R)) = 1\big] < \mathrm{negl}(|x|), $$

where $R \leftarrow \{0, 1\}^{\mathrm{poly}(|x|)}$.

- Zero-Knowledge: There exists a probabilistic polynomial-time simulator $S$ such that the ensembles $\{(x, R, P(x, R, w))\}_{x \in L}$ and $\{S(x)\}_{x \in L}$ are computationally indistinguishable, where $R \leftarrow \{0, 1\}^{\mathrm{poly}(|x|)}$.

The random input $R$ received by both $P$ and $V$ is referred to as the common random string or CRS.

We extend the definition of NIZK to promise problems in the natural way. We can further define a NIZK proof system with adaptive soundness by allowing the cheating prover to specify the input $x$ as well as the purported witness $w$.

Adaptive Soundness for NIZK. A NIZK proof system $(P, V)$ is adaptively sound if it satisfies the following property. For any $\kappa \in \mathbb{N}$ and any (possibly inefficient) cheating prover $P^*$ producing output $(x, w) \in \{0, 1\}^\kappa$, we have

$$ \Pr_{R,\; (x, w) \leftarrow P^*(1^\kappa, R)}\big[V(x, R, w) = 1 \text{ and } x \notin L\big] < \mathrm{negl}(\kappa). $$

Remark 6.2.1 (Achieving Adaptive Soundness). By standard amplification techniques, any ordinary NIZK proof may be transformed into one which is adaptively sound (see, e.g., [82, Chapter 4]).

The Hidden Bits Model. A hidden-bits proof system for a language $L$ is a pair of PPT algorithms $(P, V)$ such that the following conditions hold:

- (Completeness) For all $x \in L$ and witnesses $w$ for $x$,

$$ \Pr[V(x, R_I, I, \pi) = 1] > 1 - \mathrm{negl}(|x|), $$

where $R$ is a uniformly random string of bits (of length $\mathrm{poly}(|x|)$), $(I, \pi) \leftarrow P(x, R, w)$ for $I$ a subset of the indices of $R$, and $R_I$ is the substring of $R$ corresponding to the indices in $I$.

- (Soundness) For all $x \notin L$ and any computationally unbounded cheating prover $P^*$, we have

$$ \Pr[V(x, R_I, I, \pi) = 1] < \mathrm{negl}(|x|), $$

where $R$ again is a uniformly random string of bits and $(I, \pi) \leftarrow P^*(x, R)$.

- (Zero-knowledge) There exists a probabilistic polynomial-time simulator $S$ such that the ensembles $\{(x, R_I, I, \pi)\}_{x \in L}$ and $\{S(x)\}_{x \in L}$ are computationally indistinguishable, where $R$ is a uniformly random string of bits and $(I, \pi) \leftarrow P(x, R)$.

The hidden-bits model was introduced by Goldreich [82, Section 4.10.2] as an appealing abstraction of the NIZK proof system of Feige, Lapidot and Shamir [68]. Feige et al. [68] and Goldreich [82] showed that every NP language has a hidden-bits proof system unconditionally (where the hidden-bits string is of polynomial length and the prover strategy is implemented efficiently given the NP witness).

Lemma 6.2.2 (See [82, Section 4.10.2]). For any language L ∈ NP, there exists a zero-knowledge hidden-bits proof system for L. Moreover, the proof-system has perfect completeness.

6.3 From POCS to NIZKs

In this section we introduce the abstraction of a prover-assisted procedure for oblivious ciphertext sampling (POCS) for a public-key encryption scheme, and show how to combine this notion with NIZK proofs of the validity of public keys and plaintext values to obtain NIZK proofs for any NP language.

Definitions: Valid Public Keys, Ciphertexts and POCS

The first definition we consider is the notion of a valid set 풱풫풦 of public keys. Intuitively, we would like this set to correspond precisely to public keys in the support of the key-generation algorithm. However, due to specifics of our instantiation with LWE, we need to be more lenient and allow public keys that are not quite in the support of the key-generation algorithm but are nevertheless sufficiently well-formed (e.g., keys with a higher noise level).

Loosely speaking, a valid public key pk is associated with two sets C_pk^{(0)} and C_pk^{(1)}, which correspond to "valid" ciphertexts with respect to that key of messages 0 and 1, respectively. We first require that honestly sampled public keys be valid. We further require that with high probability over the choice of the public randomness, for every valid public key (i.e., even those not in the support of the key generation algorithm), the associated sets C_pk^{(0)} and C_pk^{(1)} are disjoint (i.e., no ciphertext is a valid encryption both of 0 and of 1).

Definition 6.3.1 (Valid Public Keys). Let (Gen, Enc, Dec) be a public-key encryption scheme with public randomness. For a given security parameter κ, let 풱풫풦 = (풱풫풦_κ)_{κ∈N} be an ensemble of sets, where for each κ ∈ N, each pk ∈ 풱풫풦_κ is associated with a pair of sets (C_pk^{(0)}, C_pk^{(1)}) and public randomness ρ_pk. We say that 풱풫풦 is valid if it satisfies the following properties.

1. For all (pk, sk) ∈ Gen(1^κ, ·), we have pk ∈ 풱풫풦_κ.

2. For every b ∈ {0, 1} we have that c_b ∈ C_pk^{(b)} with all but negligible probability over the choice of public randomness ρ_pk, keys (pk, sk) ← Gen(1^κ, ρ_pk), and ciphertext c_b ← Enc_pk(b).

3. With all but negligible probability over the public randomness ρ_pk, for all pk ∈ 풱풫풦_κ with public randomness ρ_pk, it holds that C_pk^{(0)} ∩ C_pk^{(1)} = ∅.

We next formalize the notion of a prover-assisted oblivious ciphertext sampler (POCS). This is an extension of oblivious ciphertext samplers (OCS), which (to the best of our knowledge) were introduced by Gertner et al. [79]. An OCS procedure allows one to sample a ciphertext so that the underlying plaintext remains hidden. We introduce a relaxation of this notion in which the sampling is assisted by an untrusted prover. More specifically, a POCS protocol consists of two procedures, a sampler and a checker, which both have access to a shared random string ρ. The sampler also receives as input the secret key of the scheme and generates a ciphertext c. The checker receives c, as well as the random string ρ and the public key (but not the secret key) and performs a test to ensure that c encodes an unbiased bit depending on the randomness ρ. Jumping ahead, we remark that the role of the sampler is played by the prover in our NIZK, whereas the role of the checker is played by the verifier. We require that the POCS procedure satisfy the following loosely stated properties:

1. For honestly sampled ciphertexts c, the checker should accept with overwhelming probability.

2. Given pk, ρ and an honestly sampled ciphertext c, the corresponding plaintext bit Dec_sk(c) is computationally hidden.

3. For a given random string ρ, except with a small probability there should not exist both an encryption c_0 of 0 and an encryption c_1 of 1 that pass the checker's test. Thus, for any given ciphertext (even a maliciously generated one) that passes the test, the corresponding plaintext bit is almost always fully determined.

4. The sampled plaintext bit should be (close to) unbiased. The latter should hold even with respect to a malicious sampler. In our actual instantiation of POCS (via LWE, see Section 6.4), the plaintext bit has a small but noticeable (i.e., inverse polynomial) bias. Thus, our definition of POCS leaves the bias as a parameter, which we denote by ε.

5. The procedure satisfies a "zero-knowledge like" simulation property: given only the public key pk and plaintext bit σ, it should be possible to generate the distribution (ρ, c) of the sampling procedure, conditioned on Dec_sk(c) = σ. This property is captured by the EncryptAndExplain procedure below. In our actual formalization we only require that this property holds in a computational sense (i.e., the simulated distribution should only be computationally indistinguishable from the actual sampling procedure). While a statistical requirement may seem like a more natural choice here, we use a computational notion due to a technical consideration in the LWE instantiation. See Section 6.4 for details.

We proceed to the formal definition of a POCS encryption scheme.

Definition 6.3.2 (Prover-assisted Oblivious Ciphertext Sampler (POCS)). For a parameter ε = ε(κ) ∈ [0, 1], a (1 − ε(κ))-binding prover-assisted oblivious ciphertext sampler (POCS), with respect to a valid set of public keys 풱풫풦 = {풱풫풦_κ}_{κ∈N} for an encryption scheme (Gen, Enc, Dec) with public randomness, is a triple of PPT algorithms Sample, Check, and EncryptAndExplain satisfying the following properties:

∙ Complete:

\[ \Pr_{\substack{\rho_{pk},\, \rho \leftarrow \{0,1\}^{poly(\kappa)} \\ (pk, sk) \leftarrow Gen(1^\kappa, \rho_{pk})}} \Big[ Check\big(pk, \rho, Sample(sk, \rho)\big) = 1 \Big] > 1 - \mathrm{negl}(\kappa). \]

∙ Unbiased: For any κ ∈ N, pk ∈ 풱풫풦_κ and any b ∈ {0, 1}, we have that:

\[ \Pr_{\rho \leftarrow \{0,1\}^{poly(\kappa)}} \Big[ \exists c \in C_{pk}^{(b)} \text{ such that } Check(pk, \rho, c) = 1 \Big] \ge 1/2 - \mathrm{negl}(\kappa). \]

∙ Statistically binding: With probability 1 − negl(κ) over the public randomness ρ_pk, we have for all pk ∈ 풱풫풦_κ with public randomness ρ_pk that

\[ \Pr_{\rho \leftarrow \{0,1\}^{poly(\kappa)}} \Big[ \exists c_0 \in C_{pk}^{(0)},\ c_1 \in C_{pk}^{(1)} \text{ s.t. } Check(pk, \rho, c_0) = 1 \text{ and } Check(pk, \rho, c_1) = 1 \Big] < \varepsilon(\kappa). \]

We emphasize that ε(κ) is a parameter and is not necessarily negligible.

∙ Simulatable: For every N = poly(κ) it holds that:

\[ \Big( pk,\ (\rho_i)_{i=1}^{N},\ (c_i)_{i=1}^{N},\ (\sigma_i)_{i=1}^{N} \Big) \approx_c \Big( pk,\ (\rho'_i)_{i=1}^{N},\ (c'_i)_{i=1}^{N},\ (\sigma'_i)_{i=1}^{N} \Big), \]

where ρ_pk ← {0, 1}^{poly(κ)}, (pk, sk) ← Gen(1^κ, ρ_pk), and for every i ∈ [N], it holds that ρ_i ← {0, 1}^{poly(κ)}, c_i ← Sample(sk, ρ_i), and σ_i = Dec_sk(c_i), σ'_i ← {0, 1} and (ρ'_i, c'_i) ← EncryptAndExplain(pk, σ'_i).

∙ Computationally hiding: Let ρ_pk, ρ ← {0, 1}^{poly(κ)}, (pk, sk) ← Gen(1^κ, ρ_pk), and c ← Sample(sk, ρ). Then, for all PPT adversaries 풜,

\[ \Pr\big[ \mathcal{A}(pk, \rho, c) = Dec_{sk}(c) \big] \le \frac{1}{2} + \mathrm{negl}(\kappa). \]

Remark 6.3.3 (Relaxing the Hiding Property). We remark that for our construction of NIZK a weaker hiding property suffices, in which the adversary is only given the random string ρ (but not the ciphertext c). Although this definition is strictly weaker, we find it less natural and choose to define the hiding property as specified above.

We next prove two useful propositions showing that the computational hiding property of the POCS implies a hiding property resembling semantic security for the EncryptAndExplain sampling algorithm. Specifically, we show that the encrypted bit remains hidden given both the ciphertext and the explaining randomness produced by the EncryptAndExplain algorithm. The intuition is analogous to the usage of the double enhancement property of trapdoor permutations in the construction of NIZKs (see, e.g., [86]).

Proposition 6.3.4. Suppose (Gen, Enc, Dec) has a (1 − ε)-binding POCS with respect to an ensemble of valid public keys 풱풫풦. Then, for all probabilistic polynomial-time adversaries 풜,

\[ \Pr\big[ \mathcal{A}(pk, \rho, c) = \sigma \big] \le \frac{1}{2} + \mathrm{negl}(\kappa), \]

where ρ_pk ← {0, 1}^{poly(κ)}, ρ ← {0, 1}^{poly(κ)}, (pk, sk) ← Gen(1^κ, ρ_pk), σ ∈ {0, 1}, and (ρ, c) ← EncryptAndExplain(pk, σ).

Proof. This follows immediately from the simulatable and computationally hiding properties of the POCS.

Proposition 6.3.5. Suppose (Gen, Enc, Dec) has a (1 − ε)-binding POCS with respect to an ensemble of public keys 풱풫풦. It holds that

\[ (pk, \rho_0, c_0) \approx_c (pk, \rho_1, c_1), \]

where the public randomness ρ_pk ← {0, 1}^{poly(κ)}, the keys (pk, sk) ← Gen(1^κ, ρ_pk), (ρ_0, c_0) ← EncryptAndExplain(pk, 0) and (ρ_1, c_1) ← EncryptAndExplain(pk, 1).

Proof. This follows from Proposition 6.3.4 by a standard argument, similar to the equivalence of semantic security and indistinguishability of encryptions (see, e.g. [83]).

We now define two promise problems for which we later assume the existence of suitable NIZKs. The first problem that we consider is that of distinguishing public keys which are in the support of the key-generation algorithm (i.e., were honestly generated) from ones which are invalid (i.e., not in the set of valid public keys). Let (Gen, Enc, Dec) be a public-key encryption scheme and let us denote by 풱풫풦 an ensemble of valid public keys; we define the promise problem GoodPK = (GoodPK_Yes, GoodPK_No) where:

\[ \mathrm{GoodPK}_{\mathrm{Yes}} = \Big\{ pk : pk \in \bigcup_{\kappa} Gen(1^\kappa) \Big\}, \qquad \mathrm{GoodPK}_{\mathrm{No}} = \Big\{ pk : pk \notin \bigcup_{\kappa} \mathcal{VPK}_\kappa \Big\}. \]

We also define a related promise problem GoodCT, which corresponds to triplets containing a public key, a ciphertext and a single-bit message. Formally, the problem is defined as GoodCT = (GoodCT_Yes, GoodCT_No), where:

\[ \mathrm{GoodCT}_{\mathrm{Yes}} = \Big\{ (pk, c, b) : pk \in \bigcup_{\kappa} Gen(1^\kappa) \text{ and } c \in Enc_{pk}(b) \Big\}, \qquad \mathrm{GoodCT}_{\mathrm{No}} = \Big\{ (pk, c, b) : pk \in \bigcup_{\kappa} \mathcal{VPK}_\kappa \text{ and } c \notin C_{pk}^{(b)} \Big\}. \]

From POCS to NIZK

We state and prove our transformation of encryption schemes that support POCS, and suitable NIZKs for GoodPK and GoodCT, to general purpose NIZKs for NP. This is captured by the following lemma:

Lemma 6.3.6. Let (Gen, Enc, Dec) be a public-key encryption scheme with public randomness, and 풱풫풦 be a valid set of public keys (as in Definition 6.3.1). Suppose the following conditions hold.

- (Gen, Enc, Dec) has a (1 − ε)-binding POCS with respect to 풱풫풦, for some sufficiently small ε = 1/poly(κ).

- There is a NIZK for GoodPK.

- There is a NIZK for GoodCT.

Then, there exists a NIZK for every language L ∈ NP.

Proof. Let L ∈ NP. By Lemma 6.2.2, there exists a hidden-bits zero knowledge proof system (P_hb, V_hb) for L (with perfect completeness). We shall use this proof system to construct a NIZK for L, using the assumptions in the lemma's statement. We first give a proof system satisfying a weak notion of soundness. Specifically, we weaken soundness by assuming that the cheating prover is constrained to choose a public key pk before reading the CRS. To be more precise, since the public randomness of the pk comes from the CRS, the prover must choose the public key pk before reading any other part of the CRS. Also, the verifier is only required to reject inputs x ∉ L with inverse polynomial probability (rather than with all but negligible probability). Using standard amplification techniques, we subsequently transform this into a full-fledged NIZK (achieving the standard notion of soundness). We assume without loss of generality that the NIZK proof systems that we have for GoodPK and GoodCT have adaptive soundness (see Remark 6.2.1). Our base NIZK protocol, achieving only the aforementioned weak soundness notion, is given in Protocol 1.

Protocol 1. Let L ∈ NP. Let (P_pk, V_pk) and (P_ct, V_ct) be adaptively sound NIZK proof systems for the promise problems GoodPK and GoodCT, respectively, and let (P_hb, V_hb) be a hidden-bits proof system for L that uses N = N(n) hidden bits for inputs of length n ∈ N. Consider the following non-interactive proof system.

- Input x ∈ {0, 1}^n.

- Common random string ρ = (ρ_pk, r_pk, ρ_1, ..., ρ_N, r_1, ..., r_N).

- Prover's witness w ∈ {0, 1}^{poly(n)}.

- Prover P, given x, w and ρ, performs the following:

  1. Let (pk, sk) ← Gen(1^n, ρ_pk).

  2. Let π_pk ← P_pk(pk, r_pk, sk).

  3. For i ∈ [N], let c_i ← Sample(sk, ρ_i) and let b_i = Dec_sk(c_i). (See footnote 4.)

  4. Let (I, π_hb) ← P_hb(x, (b_1, ..., b_N), w).

  5. For i ∈ I, let π_i ← P_ct((pk, c_i, b_i), r_i, sk).

  6. Let c_I = (c_i)_{i∈I}, b_I = (b_i)_{i∈I}, π_I = (π_i)_{i∈I}.

  7. Output π = (pk, I, π_pk, π_hb, c_I, b_I, π_I).

- Verifier V performs the following:

  1. Verify the NIZK proofs by running V_pk(pk, r_pk, π_pk) and V_ct((pk, c_i, b_i), r_i, π_i) for every i ∈ I. Reject if any of these tests rejects.

  2. Check that Check(pk, ρ_i, c_i) = 1 for every i ∈ I. Reject if any of these checks fails.

  3. Invoke V_hb(x, b_I, I, π_hb), and accept if and only if it accepts.

Observe that both the verifier and prover are PPT algorithms. Thus, to show that Protocol 1 is a (weak) NIZK, we need to establish completeness, (weak) soundness and zero-knowledge.

Completeness. From the completeness of the NIZKs (Ppk, Vpk) and (Pct, Vct), we have that the verifiers Vpk and Vct (for each i ∈ [N]) accept with all but negligible probability. By the completeness property of the POCS, we have that with all but negligible probability, the verifier’s invocation of Check outputs 1 for each i ∈ I.

By the perfect completeness of the hidden-bits proof system, the verifier V_hb accepts for x ∈ L (see footnote 5). Consequently, with probability 1 − negl(n), all of the verifier's tests pass for x ∈ L and a proof produced by the honest prover.

Footnote 4: Jumping ahead, we note that for our final NIZK protocol, achieving standard soundness, we need to repeat steps 3–6 ℓ = poly(n) times for the same pk to amplify soundness.

Footnote 5: Here we are utilizing the fact that the hidden-bits proof system has perfect completeness to save us the effort of arguing that the hidden bits are indeed (sufficiently) unbiased.

Zero-Knowledge. We first define the simulator S. Let S_hb be the simulator for the hidden bits proof system (P_hb, V_hb), let S_pk be the simulator for the NIZK (P_pk, V_pk), and let S_ct be the simulator for the NIZK (P_ct, V_ct). On input x ∈ {0, 1}^n, simulator S performs the following.

1. Sample public randomness ρ_pk, and let (pk, sk) ← Gen(1^n, ρ_pk).

2. Sample (π_pk, r_pk) ← S_pk(pk) (recall that π_pk is the simulated proof string and r_pk is the simulated CRS).

3. Sample (I, π_hb, b_I) ← S_hb(x), where b_I = (b_i)_{i∈I}. Set b_i = 0 for every i ∈ [N] ∖ I.

4. For i ∈ [N], sample (ρ_i, c_i) ← EncryptAndExplain(pk, b_i).

5. For i ∈ I, sample (π_i, r_i) ← S_ct(pk, c_i, b_i).

6. For i ∈ [N] ∖ I, let r_i ← {0, 1}^{poly(n)}.

7. Let c_I = (c_i)_{i∈I}, π_I = (π_i)_{i∈I}.

8. Output the simulated proof π = (pk, I, π_pk, π_hb, c_I, b_I, π_I) and the simulated common random string ρ = (ρ_pk, r_pk, ρ_1, ..., ρ_N, r_1, ..., r_N).

Let x ∈ L and fix a witness w, and we show that the simulated proof and CRS are computationally indistinguishable from those in a real interaction with the honest prover. We do so via a sequence of hybrids:

Hybrid 1. Sample the CRS ρ at random and the proof π = (pk, I, π_pk, π_hb, c_I, b_I, π_I) ← P(x, w; ρ) using the honest prover. Note that this corresponds to the real protocol.

Hybrid 2. As in Hybrid 1, but sample (π_pk, r_pk) ← S_pk(pk).

Hybrid 3-(j) (for j ∈ {0, ..., N}). As in Hybrid 2, but for each i ∈ I with i ≤ j sample (π_i, r_i) ← S_ct(pk, c_i, b_i).

Hybrid 4. As in Hybrid 3-(N), but for each i ∈ [N], sample b_i ← {0, 1} and sample (ρ_i, c_i) ← EncryptAndExplain(pk, b_i).

Hybrid 5. As in Hybrid 4, but resample (ρ_i, c_i) ← EncryptAndExplain(pk, 0) after running P for each i ∈ [N] ∖ I.

Hybrid 6. As in Hybrid 5, but sample (I, π_hb, b_I = (b_i)_{i∈I}) ← S_hb(x). This is exactly the behavior of the simulator S.

Claim 6.3.7. Hybrids 1 and 2 are computationally indistinguishable.

Proof. Follows directly from the zero knowledge of (P_pk, V_pk).

Note that Hybrid 2 is identical to Hybrid 3-(0).

Claim 6.3.8. For j ∈ [N], Hybrids 3-(j − 1) and 3-(j) are computationally indistinguishable.

Proof. This follows from the zero knowledge of the NIZK (P_ct, V_ct). If j ∈ I, the distributions of the two hybrids are indistinguishable by the zero knowledge of (P_ct, V_ct). If j ∉ I, the two distributions are identical.

Claim 6.3.9. Hybrids 3-(N) and 4 are computationally indistinguishable.

Proof. This follows from the simulatable property of the POCS.

Claim 6.3.10. Hybrids 4 and 5 are computationally indistinguishable.

Proof. This follows from Proposition 6.3.5 and a straightforward hybrid argument.

Claim 6.3.11. Hybrids 5 and 6 are computationally indistinguishable.

Proof. This follows from the zero knowledge of the hidden bits proof system (P_hb, V_hb).

Consequently, it follows that the real and simulated worlds are computationally indistinguishable, so the protocol is zero knowledge.

Weak soundness. We first prove a weak notion of soundness with respect to provers that are constrained to choose the public key pk before reading the CRS, other than the public randomness for generating the public key. Subsequently, we apply an amplification argument to achieve full soundness.

Fix an x ∉ L and a cheating prover P*, and sample a CRS ρ as follows: ρ = (ρ_pk, r_pk, ρ_1, ..., ρ_N, r_1, ..., r_N). Let π = (pk, I, π_pk, π_hb, c_I, b_I, π_I) be the proof produced by P* on input ρ, where P* is first given only ρ_pk and produces pk, and subsequently is given the full CRS ρ and produces the rest of the proof π. By the adaptive soundness of the NIZKs (P_pk, V_pk) and (P_ct, V_ct), unless pk ∈ 풱풫풦 and c_i ∈ C_pk^{(b_i)} for each i ∈ I, the verifier V rejects with all-but-negligible probability. Additionally, with all-but-negligible probability, the public randomness ρ_pk in the CRS is such that the statistical binding property of the POCS holds. In the sequel, we condition on these events occurring.

For a given valid public key pk ∈ 풱풫풦 and σ ∈ {0, 1}, define U_pk^{(σ)} to be the set of randomnesses ρ (for the POCS procedure) that correspond to a ciphertext c ∈ C_pk^{(σ)} but to no ciphertext in C_pk^{(1−σ)}. That is,

\[ U_{pk}^{(\sigma)} = \Big\{ \rho \in \{0,1\}^{poly(\kappa)} : \exists c \in C_{pk}^{(\sigma)} \text{ s.t. } Check(pk, \rho, c) = 1 \text{ and } \forall c' \in C_{pk}^{(1-\sigma)},\ Check(pk, \rho, c') = 0 \Big\}. \]

The set U_pk^{(σ)} consists of randomness that can be uniquely interpreted as an encryption of σ and not of 1 − σ. Consequently, we have that U_pk^{(0)} ∩ U_pk^{(1)} = ∅. By the unbiased and statistically binding properties of the POCS, we have that

\[ \Pr_{\rho}\Big[ \rho \in U_{pk}^{(\sigma)} \Big] \ge 1/2 - \varepsilon - \mathrm{negl}(n), \]

where ε = ε(n) is the binding parameter of the POCS. Arbitrarily fix a set U_pk such that half of its elements belong to U_pk^{(0)} and the other half belong to U_pk^{(1)}, and additionally

\[ \Pr_{\rho}\Big[ \rho \in U_{pk} \Big] \ge 1 - 2\varepsilon - \mathrm{negl}(n). \]

Recall that we first constrain the prover to choosing pk before reading any part of the CRS other than the public randomness ρ_pk. Let U_pk be the set defined above. Then, with probability at least 1 − 2εN − negl(n) the strings ρ_1, ..., ρ_N are all in U_pk. Conditioning on this event, we have that the sequence b_1, ..., b_N is unbiased and uniquely determined by ρ_1, ..., ρ_N. Consequently, by the soundness of the hidden bits proof system (P_hb, V_hb) we have that with all but negligible probability, in this event V_hb rejects since x ∉ L. Therefore, it follows that the verifier V rejects with probability at least 1 − 2εN − negl(n), which is at least 1/3 − negl(n) for ε = 1/N^2.

Amplification. We now transform Protocol 1 into a protocol with full soundness. We modify Protocol 1 as follows. After choosing the public key pk, the prover runs steps 3–6 of Protocol 1 ℓ = poly(n) times on different portions of the CRS, generating ℓ independently sampled (I, π_hb, c_I, b_I, π_I). The verifier checks each of these separately, rejecting if any test fails. Completeness and zero-knowledge of the new protocol follow immediately from the same argument as before.

It remains to prove (full-fledged) soundness. As before, we have that the verifier rejects with probability 1 − negl(n) unless pk ∈ 풱풫풦 and the public randomness ρ_pk in the CRS satisfies the statistical binding property of the POCS, so we can condition on these events. For a fixed pk, we have from the soundness of Protocol 1 that on a single iteration of steps 3–6, the verifier rejects with probability at least 1/3 − negl(n) on x ∉ L. Since the public key pk has polynomial size, applying a union bound over public keys, we can take ℓ = poly(n) sufficiently large that with probability 1 − negl(n), the verifier rejects for every public key (see footnote 6). Consequently soundness holds in the amplified protocol.

Footnote 6: The argument here resembles the standard argument for obtaining adaptively sound NIZKs from NIZKs that only have non-adaptive soundness.

6.4 Instantiating with LWE

We show that, assuming the hardness of LWE and the existence of a NIZK proof system for dBDD, Regev's [142] LWE-based encryption scheme satisfies the conditions of Lemma 6.3.6, and therefore yields NIZK proof systems for all of NP:

Theorem 6.4.1. Let κ be the security parameter. Let n = n(κ) ∈ N, q = q(κ) ∈ N, β = β(κ), α = α(κ) ≥ 1 and γ = γ(κ) > 1, such that n = poly(κ) and

\[ \beta = o\!\left( \frac{1}{\log(\kappa) \cdot \max(\alpha, \gamma) \cdot \sqrt{n \log(q)}} \right). \]

Assume that the following conditions hold:

- the LWE_{n,q,β} assumption holds; and

- there exists a NIZK proof system for dBDD_{α,γ}.

Then, there exists a NIZK proof system for every language L ∈ NP.

Regev’s Encryption Scheme

A public-key encryption scheme based on the LWE assumption was introduced in [142]. We present the scheme of [142], phrased as an encryption scheme with public randomness as defined in Section 6.2.

Construction 6.4.2. Let κ be the security parameter. Let n = n(κ) ∈ N, q = q(κ) ∈ N, m = 2n log(q), β = β(κ) ∈ [0, 1] such that n = poly(κ) and β = o(1/√m). We define the encryption scheme (Gen, Enc, Dec) with public randomness as follows:

- Public Randomness: The public randomness is a matrix A ← Z_q^{n×m}. We assume without loss of generality that λ_1(A) > q/4 (see footnote 7).

- Key Generation Gen(1^κ, A): Sample s ← Z_q^n ∖ {0}, and e ← 풟_β^m, where 풟_β is the discrete Gaussian with parameter β (see Section 3.2). Let b^T = s^T · A + e^T. We assume without loss of generality that ‖s^T · A − b^T‖ = ‖e^T‖ ≤ ℓ√m βq, where ℓ = ω(log(κ)) (see footnote 8). Set the public key to be (A, b) and the secret key to be s.

- Encryption Enc_{(A,b)}(σ): On input a message σ ∈ {0, 1}, sample r ← {0, 1}^m and output (c, ω), where c = A · r and ω = b^T · r + σ · ⌊q/2⌋. We assume without loss of generality (see footnote 9) that

\[ \Big\| s^T \cdot [A, c] - \big[ b,\ \omega - \sigma \cdot \lfloor q/2 \rfloor \big]^T \Big\| \le 2\ell\sqrt{m}\,\beta q, \]

where ℓ = ω(log(κ)).

- Decryption Dec_s((c, ω)): Output σ = ⌊s^T · c − ω⌉_q.

Footnote 7: From Lemma 3.2.2, this happens with overwhelming probability.

Regev [142] proved that the above scheme is semantically secure (under the LWE assumption).

Proposition 6.4.3 (cf. [142]). Let n = n(κ) ∈ N, q = q(κ) ∈ N and β = β(κ) ∈ [0, 1] such that β = o(1/√m) and n = poly(κ). If the LWE_{n,q,β} assumption holds, then Construction 6.4.2 is semantically secure.

As a first step, we define a valid set of public keys. Later, we shall show NIZK proofs for the related promise problems GoodPK and GoodCT as well as a POCS procedure for Construction 6.4.2.

Fix a security parameter κ. Let n = poly(κ), q = q(κ), and β = β(κ) be parameters and set m = 2n log(q). In the sequel, we omit κ from the notation to avoid cluttering. In addition, we set ℓ = ω(log(κ)), e_max = ℓ√m βq, 1 ≤ α < q/(8 e_max) and γ > 1. We assume that the following hold:

- β < 1/(16 ℓ γ √m);

- the LWE_{n,q,β} assumption holds; and

- there exists a NIZK proof system for dBDD_{α,γ/4}.

Footnote 8: Since the complementary event happens with negligible probability in κ, in case it does happen we choose the public keys to have zero noise.

Footnote 9: Again, the complementary event happens with negligible probability, in which case we can output a ciphertext with zero noise.

Now, we define a set (of alleged public keys) 풱풫풦 for (Gen, Enc, Dec). Later we argue that it is in fact a valid set of public keys as per Definition 6.3.1. Let

\[ \mathcal{VPK} = \Big\{ (A, b) \in \mathbb{Z}_q^{n \times m} \times \mathbb{Z}_q^{m} : \exists\, s \in \mathbb{Z}_q^{n} \text{ s.t. } \big\| s^T \cdot A - b^T \big\| \le \gamma e_{\max} \Big\}. \tag{6.4.1} \]

Note that the noise level allowed in Equation (6.4.1) is larger by a multiplicative γ factor than the noise level that exists in honestly generated public keys. For each pk = (A, b) ∈ 풱풫풦 and σ ∈ {0, 1}, define C_pk^{(σ)} ⊆ Z_q^n × Z_q as:

\[ C_{pk}^{(\sigma)} = \Big\{ (c, \omega) : \exists\, s' \in \mathbb{Z}_q^{n} \text{ s.t. } \Big\| s'^T \cdot [A, c] - \big[ b,\ \omega - \sigma \cdot \lfloor q/2 \rfloor \big]^T \Big\| \le 2\gamma e_{\max} \Big\}. \tag{6.4.2} \]

The noise level allowed in Equation (6.4.2) is also larger by a multiplicative γ factor than the noise level that exists in honestly generated ciphertexts.

Remark 6.4.4. As noted in the introduction, we would like for 풱풫풦 to contain only the honestly generated public keys and C_pk^{(σ)} to contain only the honestly generated encryptions of σ with respect to pk. However, introducing a gap in the definitions allows us to rely on NIZKs for suitable approximation problems.

Finally, we show that 풱풫풦 is indeed a valid set of public keys.

Proposition 6.4.5. The set 풱풫풦 is a valid set of public keys.

Proof. We show that the set 풱풫풦 satisfies the three properties of Definition 6.3.1.

1. Honestly generated keys are in 풱풫풦: From Construction 6.4.2, let A ← Z_q^{n×m} and ((A, b), s) ← Gen(1^κ, A), with ‖s^T · A − b^T‖ ≤ e_max. Hence, (A, b) ∈ 풱풫풦.

2. Honestly generated ciphertexts are in C_pk^{(σ)}: Let A ← Z_q^{n×m}, ((A, b), s) ← Gen(1^κ, A) and (c, ω) ← Enc_{(A,b)}(σ). Then, from Construction 6.4.2, we have

\[ \Big\| s^T \cdot [A, c] - \big[ b,\ \omega - \sigma \cdot \lfloor q/2 \rfloor \big]^T \Big\| \le 2 e_{\max}. \]

3. Ciphertext sets do not intersect for valid keys: Let A ← Z_q^{n×m} and b be such that (A, b) ∈ 풱풫풦. By our assumption on A, it holds that λ_1(A) > q/4 and so, for all v ∈ Z_q^n ∖ {0} it holds that

\[ \big\| v^T A \big\| > \frac{q}{4} > 4\gamma\ell\sqrt{m}\,\beta q = 4\gamma e_{\max}. \tag{6.4.3} \]

Assume that there exists (c, ω) ∈ C_pk^{(0)} ∩ C_pk^{(1)}. Then, there exist s_1, s_2 ∈ Z_q^n such that

\[ \Big\| s_1^T \cdot [A, c] - [b, \omega]^T \Big\| \le 2\gamma e_{\max} \quad \text{and} \quad \Big\| s_2^T \cdot [A, c] - \big[ b,\ \omega - \lfloor q/2 \rfloor \big]^T \Big\| \le 2\gamma e_{\max}. \]

First, assume that s_1 ≠ s_2. Then

\[ \begin{aligned}
\big\| (s_1 - s_2)^T A \big\| &\le \Big\| (s_1 - s_2)^T [A, c] - \big[ 0,\ \lfloor q/2 \rfloor \big]^T \Big\| \\
&\le \Big\| s_1^T \cdot [A, c] - [b, \omega]^T \Big\| + \Big\| s_2^T \cdot [A, c] - \big[ b,\ \omega - \lfloor q/2 \rfloor \big]^T \Big\| \\
&\le 4\gamma e_{\max},
\end{aligned} \]

which contradicts Equation (6.4.3). If s_1 = s_2, then

\[ \Big\lfloor \frac{q}{2} \Big\rfloor = \Big\| \Big( s_2^T \cdot [A, c] - \big[ b,\ \omega - \lfloor q/2 \rfloor \big]^T \Big) - \Big( s_1^T \cdot [A, c] - [b, \omega]^T \Big) \Big\| \le 4\gamma e_{\max} = 4\gamma\ell\sqrt{m}\,\beta q. \]

But, by assumption β < 1/(16 ℓ γ √m), so this is again a contradiction. Hence, for (A, b) ∈ 풱풫풦 it holds that C_pk^{(0)} and C_pk^{(1)} are disjoint.

NIZKs for Validating Keys and Ciphertexts

Assuming the existence of a NIZK proof system for dBDD, we obtain NIZK proof systems for the promise problems GoodPK and GoodCT (with respect to 풱풫풦). In this section, we denote by B(A) the basis of the lattice generated by the rows of A (see Chapter 3).

Lemma 6.4.6. Assume there exists a NIZK proof system for dBDD_{α,γ/4}. Then, there exists a NIZK proof system for the promise problem GoodPK (with respect to 풱풫풦).

Proof. We show a Karp reduction from GoodPK to dBDD_{α,γ/4}. The reduction maps the input (A, b) for GoodPK to the input (B(A), b) for dBDD_{α,γ/4}. Indeed, if ((A, b), s) ∈ Gen(1^κ, A), then

\[ \big\| s^T A - b^T \big\| \le e_{\max} \le \frac{q}{4\alpha} \le \frac{\lambda_1}{\alpha}, \]

since α < q/(8 e_max), and so (B(A), b) ∈ dBDD^{Yes}_{α,γ/4}. On the other hand, if (A, b) ∉ 풱풫풦, then for every vector s

\[ \big\| s^T A - b^T \big\| > \gamma e_{\max} = \gamma \frac{q}{4\alpha} \ge \gamma \frac{\lambda_1}{4\alpha}, \]

and so (B(A), b) ∈ dBDD^{No}_{α,γ/4}. Therefore, a NIZK proof system for dBDD_{α,γ/4} gives us a NIZK proof system for GoodPK.

Lemma 6.4.7. Assume there exists a NIZK proof system for dBDD_{α,γ/4}. Then, there exists a NIZK proof system for the promise problem GoodCT (with respect to 풱풫풦).

Proof. Similarly to the previous proof, we show a Karp reduction from GoodCT to dBDD_{α,γ/4}. The reduction maps the input ((A, b), (c, ω), σ) for GoodCT to the input (B([A, c]), (b, ω − σ · ⌊q/2⌋)) for dBDD_{α,γ/4}. We show that

- if ((A, b), (c, ω), σ) ∈ GoodCT_Yes, then (B([A, c]), (b, ω − σ · ⌊q/2⌋)) is a Yes instance of dBDD_{α,γ/4},

- if ((A, b), (c, ω), σ) ∈ GoodCT_No, then (B([A, c]), (b, ω − σ · ⌊q/2⌋)) is a No instance of dBDD_{α,γ/4}.

If ((A, b), s) ← Gen(1^κ, A) and (c, ω) ∈ Enc_{(A,b)}(σ), then

\[ \Big\| s^T \cdot [A, c] - \big[ b,\ \omega - \sigma \cdot \lfloor q/2 \rfloor \big]^T \Big\| \le 2 e_{\max} = \frac{q}{4\alpha} \le \frac{\lambda_1}{\alpha}, \]

since α = q/(8 e_max), and so (B([A, c]), (b, ω − σ · ⌊q/2⌋)) ∈ dBDD^{Yes}_{α,γ/4}. Similarly, if (A, b) ∈ 풱풫풦 but (c, ω) ∉ C_pk^{(σ)}, then for every vector s

\[ \Big\| s^T \cdot [A, c] - \big[ b,\ \omega - \sigma \cdot \lfloor q/2 \rfloor \big]^T \Big\| > 2\gamma e_{\max} = \gamma \frac{q}{4\alpha} \ge \gamma \frac{\lambda_1}{4\alpha}, \]

and so (B([A, c]), (b, ω − σ · ⌊q/2⌋)) ∈ dBDD^{No}_{α,γ/4}.

A POCS Procedure for Regev’s Scheme

The last and most challenging condition that we prove is that Construction 6.4.2 has a POCS procedure.

Lemma 6.4.8. Construction 6.4.2 has a (1 − 4γℓ√m β)-binding POCS procedure with respect to 풱풫풦.

The rest of Section 6.4 is devoted to the proof of Lemma 6.4.8.

Proof of Lemma 6.4.8. For technical convenience and simplicity, we assume for now that q ≡ 2 (mod 4). The case that q ≢ 2 (mod 4) adds some mild complications in order to avoid introducing a small but noticeable bias (i.e., roughly 1/q) in the obliviously sampled bits. We describe how to extend our approach to general q at the end of the section (see footnote 10).

Footnote 10: Alternatively, we could reduce the bias to be negligible using Von Neumann's trick [162] for transforming a biased source to an almost unbiased source.

Let us first describe the algorithms Sample and Check. The Sample algorithm takes as input a secret key sk = s and randomness (ρ, τ) ∈ Z_q^n × Z_q, and outputs a ciphertext. The algorithm Sample transforms a high-noise ciphertext (ρ, τ) into a valid Regev ciphertext under the secret key s.

Sample_s((ρ, τ)):

1. Sample e ← 풟_{√m β}. Let ω_0 = s^T · ρ + e and ω_1 = ω_0 + ⌊q/2⌋.

2. If |τ − ω_0| < |τ − ω_1|, set σ = 0. Otherwise, set σ = 1.

3. Output (ρ, ω_σ), which is a valid ciphertext for the message σ.

The Check algorithm takes as input a public key pk = (A, b), randomness (ρ, τ) ∈ Z_q^n × Z_q, and an alleged ciphertext (ρ', ω') ∈ Z_q^n × Z_q, and outputs a single bit denoting acceptance or rejection.

Check_pk((ρ, τ), (ρ', ω')):

If ρ' = ρ and |ω' − τ| ≤ q/4, accept. Otherwise, reject.

Finally, we describe the EncryptAndExplain algorithm, which takes as input a public key pk = (A, b) and a message σ ∈ {0, 1} and produces randomness and a ciphertext that are close to the distribution induced by Sample.

EncryptAndExplain((A, b), σ):

1. Sample r ← {0, 1}^m. Compute ρ' = A · r and ω' = b^T · r + σ · ⌊q/2⌋. Note that (ρ', ω') is a fresh encryption of σ.

2. Sample τ' ← Z_q subject to |τ' − ω'| < q/4.

3. Output ((ρ', τ'), (ρ', ω')).
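To make the three algorithms concrete, here is an added toy Python instantiation (not the thesis's own code) of Construction 6.4.2 together with Sample, Check and EncryptAndExplain for a q ≡ 2 (mod 4). Bounded uniform noise stands in for the discrete Gaussian, all parameters are constructed toy values with no security, and binding_failure_fraction enumerates τ ∈ Z_q to exhibit the 4γe_max/q binding loss of Lemma 6.4.8 exactly.

```python
"""Toy instantiation of Construction 6.4.2 and its POCS (Sample, Check,
EncryptAndExplain), q = 2 (mod 4). Added example, not the thesis's code.
Toy parameters, NOT secure; bounded uniform noise stands in for the
discrete Gaussian, so the noise bounds below play the role of e_max."""
import random

Q = 1018          # modulus, q = 2 (mod 4) (constructed toy value)
N_DIM = 4         # secret dimension n (toy)
M_DIM = 80        # m ~ 2 n log q
KEY_NOISE = 1     # |e_j| <= KEY_NOISE in Gen (stand-in for D_beta)
SAMPLE_NOISE = 8  # |e| <= SAMPLE_NOISE in Sample (stand-in for D_{sqrt(m) beta})

def centered(x):
    """Representative of x mod q in (-q/2, q/2]; |centered(x)| is the distance to 0."""
    x %= Q
    return x - Q if x > Q // 2 else x

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q

def public_randomness(rng):
    """Public randomness A <- Z_q^{n x m}."""
    return [[rng.randrange(Q) for _ in range(M_DIM)] for _ in range(N_DIM)]

def gen(A, rng):
    """Gen(1^kappa, A): b^T = s^T A + e^T; pk = (A, b), sk = s."""
    s = [rng.randrange(Q) for _ in range(N_DIM)]
    while not any(s):
        s = [rng.randrange(Q) for _ in range(N_DIM)]
    e = [rng.randint(-KEY_NOISE, KEY_NOISE) for _ in range(M_DIM)]
    b = [(sum(s[i] * A[i][j] for i in range(N_DIM)) + e[j]) % Q for j in range(M_DIM)]
    return (A, b), s

def enc(pk, sigma, rng):
    """Enc_(A,b)(sigma): c = A r, omega = b^T r + sigma * floor(q/2), r <- {0,1}^m."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M_DIM)]
    c = [dot(A[i], r) for i in range(N_DIM)]
    return c, (dot(b, r) + sigma * (Q // 2)) % Q

def dec(s, ct):
    """Dec_s((c, omega)) = round_q(s^T c - omega): 0 if closer to 0 than to q/2."""
    c, omega = ct
    return 0 if abs(centered(dot(s, c) - omega)) < Q / 4 else 1

def sample(s, rho_tau, rng):
    """Sample_s((rho, tau)). Returns the ciphertext (rho, omega_sigma) and, for
    checking only, the bit sigma it encodes (the thesis outputs the ciphertext alone)."""
    rho, tau = rho_tau
    e = rng.randint(-SAMPLE_NOISE, SAMPLE_NOISE)
    omega0 = (dot(s, rho) + e) % Q
    omega1 = (omega0 + Q // 2) % Q
    sigma = 0 if abs(centered(tau - omega0)) < abs(centered(tau - omega1)) else 1
    return (rho, (omega0, omega1)[sigma]), sigma

def check(pk, rho_tau, ct):
    """Check_pk((rho, tau), (rho', omega')): accept iff rho' = rho and |omega' - tau| <= q/4."""
    rho, tau = rho_tau
    rho_p, omega_p = ct
    return rho_p == rho and abs(centered(omega_p - tau)) <= Q / 4

def encrypt_and_explain(pk, sigma, rng):
    """Fresh encryption of sigma plus explaining tau' with |tau' - omega'| < q/4."""
    rho_p, omega_p = enc(pk, sigma, rng)
    tau_p = (omega_p + rng.randint(-(Q // 4), Q // 4)) % Q  # Q//4 = 254 < q/4 = 254.5
    return (rho_p, tau_p), (rho_p, omega_p)

def binding_failure_fraction(noise_bound):
    """Fraction of tau in Z_q for which an encryption of 0 AND one of 1 (last coordinate
    within noise_bound of s^T rho, shifted to 0) both pass Check: exactly 4*noise_bound/q,
    the 4 gamma e_max / q loss in the proof of Lemma 6.4.8."""
    errs = range(-noise_bound, noise_bound + 1)
    bad = 0
    for tau in range(Q):
        d = centered(tau)
        ok0 = any(abs(centered(d - e)) <= Q / 4 for e in errs)
        ok1 = any(abs(centered(d - e - Q // 2)) <= Q / 4 for e in errs)
        bad += ok0 and ok1
    return bad / Q

def run_demo(trials=2000, seed=1):
    """Completeness, validity of sampled ciphertexts, EncryptAndExplain and the bias."""
    rng = random.Random(seed)
    pk, s = gen(public_randomness(rng), rng)
    complete = valid = eae_ok = True
    ones = 0
    for _ in range(trials):
        rho_tau = ([rng.randrange(Q) for _ in range(N_DIM)], rng.randrange(Q))
        ct, sigma = sample(s, rho_tau, rng)
        complete &= check(pk, rho_tau, ct)   # Complete: honest samples always pass Check
        valid &= dec(s, ct) == sigma          # (rho, omega_sigma) decrypts to sigma
        ones += sigma
        bit = rng.randrange(2)
        rt, ct2 = encrypt_and_explain(pk, bit, rng)
        eae_ok &= check(pk, rt, ct2) and dec(s, ct2) == bit  # explained pair passes Check
    return {"complete": complete, "valid": valid, "eae_ok": eae_ok, "bias": ones / trials}
```

With q ≡ 2 (mod 4) the sampled bit is exactly unbiased (509 of the 1018 values of τ give σ = 0), and binding_failure_fraction(8) returns 32/1018, i.e. 4 · 8/q.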

We now show that these algorithms satisfy each of the conditions of Defini- tion 6.3.2.

Complete. Let (ρ, τ) ← Z_q^n × Z_q and (ρ', ω') ← Sample(s, (ρ, τ)). By construction ρ' = ρ and |τ − ω'| ≤ q/4, and so Check always accepts.

Unbiased. Let pk = (A, b) ∈ 풱풫풦; there exists an s such that ‖s^T · A − b^T‖ ≤ γ e_max. Let σ ∈ {0, 1}; then we have

\[ \begin{aligned}
&\Pr_{\rho,\tau}\Big[ \exists (c, \omega) \in C_{pk}^{(\sigma)} \text{ s.t. } Check(pk, (\rho, \tau), (c, \omega)) = 1 \Big] \\
&= \Pr_{\rho,\tau}\Big[ \exists (c, \omega) \in C_{pk}^{(\sigma)} \text{ s.t. } c = \rho \text{ and } |\omega - \tau| \le \tfrac{q}{4} \Big] \\
&= \Pr_{\rho,\tau}\Big[ \exists s' \in \mathbb{Z}_q^{n},\ \exists \omega \in \mathbb{Z}_q \text{ s.t. } \big\| s'^T \cdot [A, \rho] - [b,\ \omega - \sigma \cdot \lfloor q/2 \rfloor]^T \big\| \le 2\gamma e_{\max} \text{ and } |\omega - \tau| \le \tfrac{q}{4} \Big] \\
&\ge \Pr_{\rho,\tau}\Big[ \exists \omega \in \mathbb{Z}_q \text{ s.t. } \big\| s^T \cdot [A, \rho] - [b,\ \omega - \sigma \cdot \lfloor q/2 \rfloor]^T \big\| \le 2\gamma e_{\max} \text{ and } |\omega - \tau| \le \tfrac{q}{4} \Big] \\
&\ge \Pr_{\rho,\tau}\Big[ \exists \omega \in \mathbb{Z}_q \text{ s.t. } \big| s^T \cdot \rho - \big( \omega - \sigma \cdot \lfloor q/2 \rfloor \big) \big| \le \gamma e_{\max} \text{ and } |\omega - \tau| \le \tfrac{q}{4} \Big] \\
&\ge \Pr_{\rho,\tau}\Big[ \big| s^T \cdot \rho + \sigma \cdot \lfloor q/2 \rfloor - \tau \big| \le \tfrac{q}{4} \Big] \\
&\ge \Pr_{\tau}\Big[ |\tau| \le \tfrac{q}{4} \Big] \\
&\ge 1/2.
\end{aligned} \]

The first equality follows from the description of Check and the second from the definition of C_pk^{(σ)}. The next inequality follows by setting s' = s. Then, we use the fact that ‖s^T · A − b^T‖ ≤ γ e_max. Finally, we conclude the proof by setting ω = s^T · ρ + σ · ⌊q/2⌋ (see footnote 11).

Statistically Binding. Let pk = (A, b) ∈ 풱풫풦 with public randomness $A \leftarrow \mathbb{Z}_q^{n \times m}$. By construction, it holds that $\lambda_1(A) > q/4$, and hence there exists a unique s such that $\|s^T \cdot A - b^T\| \le \gamma e_{\max}$. We assume that the above holds for A. Therefore, it holds that:

$$C^{(\sigma)}_{pk} = \Big\{ (c, \omega) \in \mathbb{Z}_q^n \times \mathbb{Z}_q : \big\| s^T \cdot [A, c] - [b^T, \omega - \sigma \cdot \lfloor \tfrac{q}{2} \rfloor] \big\| \le 2\gamma e_{\max} \Big\}.$$

11 Observe that the foregoing proof shows that Construction 6.4.2 actually is perfectly unbiased (i.e., does not have even negligible bias as allowed in Definition 6.3.2).

We remark that in this case, $(c, \omega) \in C^{(0)}_{pk}$ if and only if $(c, \omega + \lfloor q/2 \rfloor) \in C^{(1)}_{pk}$. Furthermore,

  (0) (1) Check(pk, (ρ, τ), (c0, ω0)) = 1, Pr ∃ (c0, ω0) ∈ C , ∃ (c1, ω1) ∈ C s.t.  ρ,τ pk pk Check(pk, (ρ, τ), (c1, ω1)) = 1   T s · ρ − ω0 ≤ γemax,    T  q    s · ρ − ω1 − 2 ≤ γemax,  = Pr ∃ ω0, ∃ ω1 ∈ Zq s.t.  ρ,τ    |ω0 − τ| ≤ q/4,    |ω1 − τ| ≤ q/4

h T q   T  j q k q i ≤ Pr s · ρ − τ ≤ γemax + and s · ρ − τ + ≤ γemax + ρ,τ 4 2 4 h q   j q k q i ≤ Pr |r| ≤ γemax + and r + ≤ γemax + r 4 2 4 h h q q i h q q ii ≤ Pr r ∈ − γemax, + γemax ∪ − − γemax, − + γemax r 4 4 4 4 √ ≤ 4γ` mβ.

The first equality follows from the definition of $C^{(0)}_{pk}$ and $C^{(1)}_{pk}$, and the description of Check. Specifically, $|s^T \cdot \rho - \omega_0| \le \gamma e_{\max}$ and $|s^T \cdot \rho - \omega_1 - \lfloor q/2 \rfloor| \le \gamma e_{\max}$ follow from the fact that $(c_0, \omega_0) \in C^{(0)}_{pk}$ and $(c_1, \omega_1) \in C^{(1)}_{pk}$, respectively. The conditions $|\omega_0 - \tau| \le q/4$ and $|\omega_1 - \tau| \le q/4$ follow from $\mathrm{Check}(pk, (\rho, \tau), (c_0, \omega_0)) = 1$ and $\mathrm{Check}(pk, (\rho, \tau), (c_1, \omega_1)) = 1$, respectively. The next inequality follows from the triangle inequality. Next, we replace $s^T \cdot \rho - \tau$ by a uniformly random element r of $\mathbb{Z}_q$. Then, we note that r has to belong to a set of size at most $4\gamma e_{\max} \le 4\gamma \ell \sqrt{m} \beta q$, which happens with probability at most $4\gamma \ell \sqrt{m} \beta$. The last inequality then follows.

Simulatable. Let N = poly(κ), sample $A \leftarrow \mathbb{Z}_q^{n \times m}$ and $(pk, sk) = ((A, b), s) \leftarrow \mathrm{Gen}(1^\kappa, A)$, and consider the following two experiments:

- For i ∈ [N], let $(\rho_i, \tau_i) \leftarrow \mathbb{Z}_q^n \times \mathbb{Z}_q$, $(\rho_i, \omega_i) \leftarrow \mathrm{Sample}(s, (\rho_i, \tau_i))$, $\sigma_i = \mathrm{Dec}_s((\rho_i, \omega_i))$. Finally, output the tuple $(pk, (\rho_i, \tau_i, \omega_i, \sigma_i)_{i \in [N]})$.

- For i ∈ [N], let $\sigma'_i \leftarrow \{0, 1\}$, $((\rho'_i, \tau'_i), (\rho'_i, \omega'_i)) \leftarrow \mathrm{EncryptAndExplain}(pk, \sigma'_i)$. Finally, output the tuple $(pk, (\rho'_i, \tau'_i, \omega'_i, \sigma'_i)_{i \in [N]})$.

We now show that the two experiments are computationally indistinguishable. All outputs $(\rho_i, \omega_i)$ and $(\rho'_i, \omega'_i)$ of Sample and EncryptAndExplain, respectively, are ciphertexts of Regev’s encryption scheme and are therefore indistinguishable from each other.¹² However, the main challenge that we need to deal with is that we need to show that these distributions are indistinguishable even given the random strings that “explain them” (i.e., $(\rho_i, \tau_i)_{i \in [N]}$ and $(\rho'_i, \tau'_i)_{i \in [N]}$, respectively). Toward proving the simulatability property, it is useful to consider an intermediate distribution sampled similarly to the second distribution, except that instead of producing the ciphertext according to Regev’s public-key encryption scheme as in EncryptAndExplain, we instead produce the ciphertext according to the secret-key variant of the scheme. Consider an experiment in which $(\rho''_i, \tau''_i, \omega''_i, \sigma''_i)_{i \in [N]}$ are sampled as follows for each i ∈ [N]:

1. Let $\sigma''_i \leftarrow \{0, 1\}$.

2. Sample $e''_i \leftarrow \mathcal{D}_{\sqrt{m}\beta}$, $\rho''_i \leftarrow \mathbb{Z}_q^n$, and let $\omega''_i = s^T \cdot \rho''_i + e''_i + \sigma''_i \cdot \lfloor q/2 \rfloor$.

3. Finally, sample $\tau''_i \leftarrow \mathbb{Z}_q$ subject to $|\tau''_i - \omega''_i| < q/4$.

We now show that this experiment is identically distributed to the output of the first experiment defined above.

Claim 6.4.9. Let $(pk, (\rho_i, \tau_i, \omega_i, \sigma_i)_{i \in [N]})$ and $(\rho''_i, \tau''_i, \omega''_i, \sigma''_i)_{i \in [N]}$ be sampled as described above. Then we have that

$$\big(pk, (\rho_i, \tau_i, \omega_i, \sigma_i)_{i \in [N]}\big) \equiv \big(pk, (\rho''_i, \tau''_i, \omega''_i, \sigma''_i)_{i \in [N]}\big).$$

12 More precisely, the output of Sample is a ciphertext of the secret-key variant of Regev’s encryption scheme, whereas the output of EncryptAndExplain is a ciphertext of the public-key version. Still, under the (decisional) LWE assumption, these ciphertexts are both indistinguishable from random and therefore also from each other.

Proof. Let $\delta_i = \omega_i - \sigma_i \cdot \lfloor q/2 \rfloor$ be the intermediate value computed by Sample, and let $\delta''_i = s^T \cdot \rho''_i + e''_i = \omega''_i - \sigma''_i \cdot \lfloor q/2 \rfloor$. Note that $(pk, \rho_i, \delta_i)$ and $(pk, \rho''_i, \delta''_i)$ are sampled from exactly the same distribution. Also, $\omega_i$ and $\omega''_i$ are deterministically computed from $(\delta_i, \sigma_i)$ and $(\delta''_i, \sigma''_i)$, respectively, using the same process. Therefore, it suffices to show that the distribution of $(\tau_i, \sigma_i)$ conditioned on $(pk, \rho_i, \delta_i)$ is identical to the distribution of $(\tau''_i, \sigma''_i)$ conditioned on $(pk, \rho''_i, \delta''_i)$. These distributions correspond to the experiments:

1. Given $(pk, \rho_i, \delta_i)$, sample $\tau_i \leftarrow \mathbb{Z}_q$. If $|\tau_i - \delta_i| < q/4$, set $\sigma_i = 0$. Else, set $\sigma_i = 1$.

2. Given $(pk, \rho''_i, \delta''_i)$, sample $\sigma''_i \in_R \{0, 1\}$. If $\sigma''_i = 0$, sample $\tau''_i \leftarrow \mathbb{Z}_q$ subject to $|\tau''_i - \delta''_i| < q/4$. If $\sigma''_i = 1$, sample $\tau''_i \leftarrow \mathbb{Z}_q$ subject to $|\tau''_i - \omega''_i| < q/4$ (which is equivalent to $|\tau''_i - \delta''_i| > q/4$).

In the first case, we have that the distribution on $(\tau_i, \sigma_i)$ conditioned on $(pk, \rho_i, \delta_i)$ is given by the following equation. For every $\hat\tau \in \mathbb{Z}_q$ and $\hat\sigma \in \{0, 1\}$:

$$\Pr_{\tau_i, \sigma_i}\Big[\tau_i = \hat\tau,\ \sigma_i = \hat\sigma \,\Big|\, (pk, \rho_i, \delta_i)\Big] = \begin{cases} 1/q & \text{if } |\hat\tau - \delta_i| < q/4 \text{ and } \hat\sigma = 0 \\ 1/q & \text{if } |\hat\tau - \delta_i| > q/4 \text{ and } \hat\sigma = 1 \\ 0 & \text{otherwise} \end{cases}$$

In the second case we have exactly the same distribution on $(\tau''_i, \sigma''_i)$ conditioned on $(pk, \rho''_i, \delta''_i)$. The claim follows.

It remains to argue that the distribution $(\rho''_i, \tau''_i, \omega''_i, \sigma''_i)_{i \in [N]}$ is computationally indistinguishable from the second distribution $(\rho'_i, \tau'_i, \omega'_i, \sigma'_i)_{i \in [N]}$. The only difference between these two distributions is whether the ciphertexts are sampled according to Regev’s public-key scheme or its secret-key variant. It is here that we invoke the LWE assumption.

Claim 6.4.10. Let $(\rho''_i, \tau''_i, \omega''_i, \sigma''_i)_{i \in [N]}$ and $(\rho'_i, \tau'_i, \omega'_i, \sigma'_i)_{i \in [N]}$ be sampled as described above. Then assuming the hardness of LWE, we have that

$$\big(pk, (\rho''_i, \tau''_i, \omega''_i, \sigma''_i)_{i \in [N]}\big) \overset{c}{\approx} \big(pk, (\rho'_i, \tau'_i, \omega'_i, \sigma'_i)_{i \in [N]}\big).$$

Proof. The only difference between the two experiments is that $(\rho''_i, \omega''_i)$ is sampled as a ciphertext in the secret-key variant of Regev’s encryption scheme, while $(\rho'_i, \omega'_i)$ is sampled as a ciphertext of the public-key scheme. The LWE assumption implies that ciphertexts in Regev’s secret-key scheme are computationally indistinguishable from random elements of $\mathbb{Z}_q^{n+1}$. It is a standard fact that the LWE assumption together with the Leftover Hash Lemma imply the same about ciphertexts in Regev’s public key scheme (see [142]). Consequently the two distributions are computationally indistinguishable.

Computationally Hiding. Given public key pk = (A, b) and randomness (ρ, τ), the procedure Sample simply computes a fresh encryption (ρ, ω) using the secret-key variant of Regev’s scheme. Let $\sigma = \mathrm{Dec}_s((\rho, \omega))$. Then similarly to the above proof

$$(pk, \rho, \tau, \omega, \sigma) \equiv (pk, \rho, \tau', \omega', \sigma)$$

where $\omega' = s^T \cdot \rho + \sigma \cdot \lfloor q/2 \rfloor + e$, with $e \leftarrow \mathcal{D}_{\sqrt{m}\beta}$, and τ′ is sampled uniformly such that $|\tau' - \omega'| < q/4$. Then, since τ′ is a randomized function of ω′, the computational hiding property of the POCS follows immediately from the semantic security of Regev’s encryption scheme.

This concludes the proof of Lemma 6.4.8 for q ≡ 2 (mod 4). The main difficulty in extending the proof to general q is to sample the boundary points with the correct probability. We first modify the algorithms Sample, Check and EncryptAndExplain to correctly handle the boundary. Recall that Sample transforms a high noise ciphertext (ρ, τ) into a valid Regev ciphertext under secret key s. The Sample algorithm described in the previous section has a small bias of O(1/q) when q is odd or a multiple of four. We now modify the algorithm slightly to remove this bias (observe that when q ≡ 2 (mod 4) these algorithms coincide with those described in Section 6.4).

Sample′(s, (ρ, τ)):

1. Sample $e \leftarrow \mathcal{D}_{\sqrt{m}\beta}$. Let $\omega_0 = s^T \cdot \rho + e$ and $\omega_1 = \omega_0 + \lfloor q/2 \rfloor$.

2. If $|\tau - \omega_0| < |\tau - \omega_1|$, set σ = 0.

3. If $|\tau - \omega_0| > |\tau - \omega_1|$, set σ = 1.

4. If $|\tau - \omega_0| = |\tau - \omega_1|$, sample σ ← {0, 1}.

5. Output $(\rho, \omega_\sigma)$, which is a valid ciphertext for the message σ.

For odd q, the last component of ciphertexts sampled by Sample′ may now be slightly more than q/4 away from the last component of the corresponding randomness. We now modify the Check algorithm to tolerate this small discrepancy. Recall that Check takes as input a public key pk = (A, b), randomness $(\rho, \tau) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$, and an alleged ciphertext $(\rho', \omega') \in \mathbb{Z}_q^n \times \mathbb{Z}_q$, and outputs a single bit denoting acceptance or rejection.

Check′(pk, (ρ, τ), (ρ′, ω′)):

If $\rho' = \rho$ and $|\omega' - \tau| \le \frac{q+1}{4}$, accept. Otherwise, reject.

Finally, we modify the EncryptAndExplain algorithm to produce the correct distribution over randomness for general q. Recall that EncryptAndExplain takes as input a public key pk = (A, b) and a message σ ∈ {0, 1} and produces randomness and a ciphertext that are close to the distribution induced by Sample.

EncryptAndExplain′((A, b), σ):

1. Sample $r \leftarrow \{0, 1\}^m$. Compute $\rho' = A \cdot r$, and let $\omega'_0 = b^T \cdot r$ and $\omega'_1 = b^T \cdot r + \lfloor q/2 \rfloor$. Note that $(\rho', \omega'_\sigma)$ is a fresh encryption of σ.

2. Let ℓ ← {0, 1}.

3. If ℓ = 0, sample $\tau' \leftarrow \mathbb{Z}_q$ subject to $|\tau' - \omega'_\sigma| < |\tau' - \omega'_{1-\sigma}|$.

4. If ℓ = 1, sample $\tau' \leftarrow \mathbb{Z}_q$ subject to $|\tau' - \omega'_\sigma| \le |\tau' - \omega'_{1-\sigma}|$.

5. Output $((\rho', \tau'), (\rho', \omega'_\sigma))$.

Using the slightly more complicated Sample′, Check′, and EncryptAndExplain′ algorithms, the analysis of Section 6.4 goes through essentially unchanged, providing a proof of Lemma 6.4.8 for general q.
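As an added illustration of the three modified algorithms above (example code written for this page, not the thesis's own implementation), the following Python sketch instantiates Sample′, Check′ and EncryptAndExplain′ over a toy Regev instance with an odd modulus, so that the tie-breaking step of Sample′ and the relaxed (q+1)/4 threshold of Check′ are actually exercised. The parameters Q, N, M, BETA, the rounded-Gaussian stand-in for $\mathcal{D}_{\sqrt{m}\beta}$ and the exhaustive conditional sampling of τ′ are all constructed for the example. run_checks counts, over seeded random runs, how often Check′ accepts the output of Sample′ (completeness), how often that output decrypts to the σ that Sample′ chose, and how often the output of EncryptAndExplain′ both passes Check′ and decrypts correctly.

```python
import math
import random

# Constructed toy parameters (not the thesis's): an odd modulus, so that the
# boundary handling of Sample', Check' and EncryptAndExplain' matters.
Q = 257      # modulus q
N = 8        # LWE dimension n
M = 32       # number of public-key samples m
BETA = 1.0   # width of the (rounded) Gaussian noise

def centered(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def dist(a, b):
    """|a - b| in Z_Q, i.e. the distance on the cycle of length Q."""
    return abs(centered(a - b))

def gauss(sigma, rng):
    """Rounded continuous Gaussian, standing in for the discrete Gaussian D_sigma."""
    return int(round(rng.gauss(0.0, sigma)))

def keygen(rng):
    """Regev public key (A, b) with b^T = s^T A + e^T, and secret s."""
    s = [rng.randrange(Q) for _ in range(N)]
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    b = [(sum(s[i] * A[i][j] for i in range(N)) + gauss(BETA, rng)) % Q for j in range(M)]
    return (A, b), s

def decrypt(s, rho, omega):
    """Secret-key Regev decryption: 0 if omega - s^T rho is within q/4 of 0, else 1."""
    return 0 if dist(omega, sum(si * ri for si, ri in zip(s, rho))) < Q / 4 else 1

def sample_prime(s, rho, tau, rng):
    """Sample'(s, (rho, tau)): take the nearer of omega_0, omega_1 to tau; break ties by a coin."""
    omega0 = (sum(si * ri for si, ri in zip(s, rho)) + gauss(math.sqrt(M) * BETA, rng)) % Q
    omega1 = (omega0 + Q // 2) % Q
    d0, d1 = dist(tau, omega0), dist(tau, omega1)
    sigma = 0 if d0 < d1 else 1 if d0 > d1 else rng.randrange(2)
    return sigma, (rho, omega0 if sigma == 0 else omega1)

def check_prime(pk, rho, tau, rho_p, omega_p):
    """Check'(pk, (rho, tau), (rho', omega')): accept iff rho' = rho and |omega' - tau| <= (q+1)/4."""
    return rho_p == rho and 4 * dist(omega_p, tau) <= Q + 1

def encrypt_and_explain_prime(pk, sigma, rng):
    """EncryptAndExplain'((A, b), sigma): fresh public-key encryption plus explaining randomness."""
    A, b = pk
    r = [rng.randrange(2) for _ in range(M)]
    rho_p = [sum(A[i][j] * r[j] for j in range(M)) % Q for i in range(N)]
    omegas = [sum(bj * rj for bj, rj in zip(b, r)) % Q]
    omegas.append((omegas[0] + Q // 2) % Q)
    ell = rng.randrange(2)
    # tau' is uniform over the points nearer (ell = 0: strictly; ell = 1: weakly) to
    # omega'_sigma than to omega'_{1-sigma}; enumerating Z_Q makes the conditioning exact.
    if ell == 0:
        cands = [t for t in range(Q) if dist(t, omegas[sigma]) < dist(t, omegas[1 - sigma])]
    else:
        cands = [t for t in range(Q) if dist(t, omegas[sigma]) <= dist(t, omegas[1 - sigma])]
    return (rho_p, rng.choice(cands)), (rho_p, omegas[sigma])

def run_checks(seed=0, trials=100):
    """Count how often completeness, correct decryption of Sample' output, and
    Check'-acceptance plus correct decryption of EncryptAndExplain' output hold."""
    rng = random.Random(seed)
    pk, s = keygen(rng)
    complete = decrypts = explains = 0
    for _ in range(trials):
        rho = [rng.randrange(Q) for _ in range(N)]
        tau = rng.randrange(Q)
        sigma, (rho_p, omega_p) = sample_prime(s, rho, tau, rng)
        complete += check_prime(pk, rho, tau, rho_p, omega_p)
        decrypts += decrypt(s, rho_p, omega_p) == sigma
        msg = rng.randrange(2)
        (rho2, tau2), (rho3, omega3) = encrypt_and_explain_prime(pk, msg, rng)
        explains += check_prime(pk, rho2, tau2, rho3, omega3) and decrypt(s, rho3, omega3) == msg
    return complete, decrypts, explains

if __name__ == "__main__":
    print(run_checks())
```

With Q = 257 the nearer of ω₀ and ω₁ is at most 64 away from τ, and (q+1)/4 = 64.5, so Check′ accepts every Sample′ output; the τ′ chosen by EncryptAndExplain′ satisfies the same bound, which is exactly the discrepancy the relaxed threshold was introduced to tolerate.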

Putting it All Together (Proof of Theorem 6.4.1)

We now complete the proof of Theorem 6.4.1. We have shown that all of the conditions of Lemma 6.3.6 hold, as follows.

1. By Proposition 6.4.5, Construction 6.4.2 has a valid set of public keys 풱풫풦.

2. By Lemma 6.4.8, Construction 6.4.2 has a POCS with respect to 풱풫풦.

3. By Lemma 6.4.6, there is a NIZK for GoodPK.

4. By Lemma 6.4.7, there is a NIZK for GoodCT.

Finally, Theorem 6.4.1 follows immediately by Lemma 6.3.6.

Chapter 7

Non-interactive key-exchange

In 1976, Diffie and Hellman [57] proposed an extremely elegant key-exchange protocol, in which two parties, Alice and Bob, exchange respective group elements $g^a, g^b$ simultaneously, where g is a generator of a publicly chosen group 풢 and a, b ∈ [|풢|] are uniformly chosen secret elements. Alice and Bob then locally perform a single group exponentiation in order to derive the shared key, $g^{ab}$. This simple idea lies at the foundation of public key cryptography, and has been widely used in practice throughout the years. Two decades later, Shor [157] showed that efficient quantum algorithms could, in principle, break the Diffie-Hellman key-exchange protocol, as well as other widely used assumptions (e.g. Factoring). Thus, with the development of quantum computers on the horizon, the importance of designing post-quantum secure key-exchange protocols, that can replace current standards, has been recognized. As part of this effort, the National Institute of Standards and Technology (NIST) decided to look into post-quantum cryptography standardization and is hosting a post-quantum cryptography call for proposals [131]. One of the major primitives that they seek is a key-encapsulation mechanism. A significant portion of the algorithms qualified to the second round of the NIST call for proposals [154], [129], [119], [141], [74] is based on the (ring) learning with errors (LWE) assumption [142, 121]. A remarkable feature of this assumption (and consequently of the proposals) is that its average-case hardness is based on

[Figure 7-1: Alice holds $x_1, e_1 \leftarrow \mathcal{X}^n$, Bob holds $x_2, e_2 \leftarrow \mathcal{X}^n$, and both use the public matrix $A \leftarrow \mathcal{U}(\mathbb{Z}_q^{n \times n})$. Alice sends $b_1 = x_1^T A + e_1^T$; Bob sends $b_2 = A x_2 + e_2$ and, after receiving $b_1$, additionally sends $\lfloor x_2^T b_1 \cdot 4/q \rfloor \pmod 2$. Alice outputs $\mathrm{Rec}_1(A, x_1, e_1, b_2)$ and Bob outputs $\mathrm{Rec}_2(A, x_2, e_2, b_1)$.]

Figure 7-1: LWE-based key-exchange through reconciliation. Alice and Bob simultaneously exchange LWE samples using the same public matrix A. After receiving $b_2$, Bob sends the second most significant bit of $x_2^T b_1$ to Alice. Both players then apply their respective key reconciliation functions on the variables they have to produce a shared key.

the worst-case hardness of lattice problems, which themselves are conjectured to be secure against efficient quantum algorithms. These proposals suggest two routes for achieving key-exchange, one is through public-key encryption and the other is through reconciliation. However, all of them lack the non-interactive nature of the key-exchange protocol of Diffie-Hellman, as explained below.

Key-exchange through public-key encryption. In the first case, Alice samples a secret & public-key pair and sends her public-key to Bob. Then, Bob picks a desired shared key and sends it to Alice, encrypted under her public-key. Finally, Alice decrypts Bob’s message to recover the shared key. While conceptually simple, this approach lacks some of the advantages of the Diffie-Hellman protocol. First, Bob has complete control over the shared key. Second, the protocol is inherently interactive – the parties need at least two rounds of interaction.

Key-exchange through reconciliation. The reconciliation approach was introduced by Ding et al. [58] and Peikert [136] and was implemented and improved in later works [5, 33]. The most basic version of such reconciliation-based protocols has a simple description¹ (see Figure 7-1): Let A be a random public n × n matrix over $\mathbb{Z}_q$ where q is polynomial in n and let 풳 be a noise distribution; then the parties act as follows: Alice randomly picks $x_1, e_1$ from $\mathcal{X}^n$ and sends $b_1 = x_1^T A + e_1^T$ to Bob, while Bob simultaneously picks random $x_2, e_2$ from $\mathcal{X}^n$ and sends $b_2 = A x_2 + e_2$ to Alice. After receiving $b_1$, Bob sends to Alice the second most significant bit of $x_2^T b_1$, i.e., $\lfloor 4/q \cdot x_2^T b_1 \rfloor \pmod 2$. To agree on a common key, Alice and Bob first compute the inner product of their secret and incoming message and obtain $x_1^T A x_2 + x_1^T e_2$ and $x_1^T A x_2 + e_1^T x_2$ respectively. The small magnitude of Alice and Bob’s secret and noise already allows them to achieve approximate agreement: the most significant bit of $x_1^T A x_2 + x_1^T e_2$ and $x_1^T A x_2 + e_1^T x_2$ is often the same. To achieve exact agreement, they run a simple key reconciliation procedure, where Bob sends the second most significant bit as an additional hint. As discussed above, Diffie-Hellman key exchange allows parties to send their messages simultaneously or communicate in a non-interactive way (e.g. by publishing them on Alice’s and Bob’s public websites). In contrast, current proposed LWE-based key exchange protocols require additional interactions. Even though the additional interaction is only a single bit (as is the case in Figure 7-1), one extra round of a practical key exchange protocol may result in significant delays when used at a large scale (such as that of the internet). This motivates the main question that we study in this paper:

Can we have practical (ring) LWE-based non-interactive key exchange protocols? Or are such protocols inherently interactive?

A remark on LWE and LWE-modulus. In this chapter, we use LWE to denote the LWE assumption with short secret (ss-LWE). As shown in Lemma 3.2.1, the two assumptions are almost equivalent. We focus on the case of polynomial LWE-modulus. We observe that if superpolynomial LWE-modulus is to be considered, the LWE-based key exchange in Figure 7-1 can be made non-interactive. That is because the most significant bits of $x_1^T b_2$ and $x_2^T b_1$ agree with probability $1 - \Theta(nB^2/q)$, for a noise distribution 풳 whose support is included in [−B, B]. If the modulus to noise rate is large (i.e. superpolynomial in the security parameter), then the probability of disagreement of their most significant bits is negligible, and hence the above non-interactive protocol is sufficient. However, in the case of a polynomially bounded q, the disagreement probability is non-negligible. Given the extremely demanding efficiency constraints on practical implementations², it would be highly desirable to have variants of such LWE-based key-exchange protocol in which the disagreement probability is negligible even in the case that q is as small as a polynomial in the security parameter. Additionally, requiring a large modulus to noise rate affects the hardness of the corresponding LWE assumption, since the worst-to-average case reductions translate this rate to the gap in the promise lattice problems [135]. Namely, LWE with large modulus-to-noise ratio is a stronger assumption (i.e. more susceptible to polynomial-time attacks) than LWE with a smaller modulus-to-noise ratio.

1 For simplicity, we only describe the LWE-based variant; the ring version is obtained by replacing $A, x_1, x_2, e_1, e_2$ with ring elements from some chosen polynomial ring and using the corresponding polynomial multiplication.
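The following Python experiment, added here as an illustration and not taken from the thesis or from any of the cited proposals, runs the Figure 7-1 protocol with toy parameters (Q, N and a B-bounded uniform noise distribution, all constructed for the example) and measures the two quantities discussed above: how often the most significant bits of $x_1^T b_2$ and $x_2^T b_1$ already agree on their own, and how often they agree once Bob's second-most-significant-bit hint is used. The Alice-side rule rec1_with_hint (snap to the nearest point of $\mathbb{Z}_q$ whose second MSB matches the hint, then take its MSB) is an assumed reconciliation rule chosen for this example; the text specifies only the hint Bob sends, not Rec₁ itself.

```python
import random

# Constructed toy parameters (not from the thesis): B-bounded uniform noise on [-B, B].
Q, N, B = 1031, 16, 2

def sample_chi(rng, n):
    """n i.i.d. draws from the B-bounded noise distribution X."""
    return [rng.randint(-B, B) for _ in range(n)]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q

def msb(v):
    """Most significant bit of v in [0, q): floor(2v/q)."""
    return (2 * v) // Q

def second_msb(v):
    """Second most significant bit of v: floor(4v/q) mod 2, the one-bit hint Bob sends."""
    return ((4 * v) // Q) % 2

def protocol_run(rng):
    """One run of the Figure 7-1 exchange; returns (Alice's x1^T b2, Bob's x2^T b1)."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    x1, e1 = sample_chi(rng, N), sample_chi(rng, N)
    x2, e2 = sample_chi(rng, N), sample_chi(rng, N)
    b1 = [(sum(x1[i] * A[i][j] for i in range(N)) + e1[j]) % Q for j in range(N)]  # x1^T A + e1^T
    b2 = [(dot(A[i], x2) + e2[i]) % Q for i in range(N)]                             # A x2 + e2
    return dot(x1, b2), dot(x2, b1)

def rec1_with_hint(w, hint):
    """Assumed reconciliation rule for Alice: move w to the nearest point on the Z_q cycle
    whose second MSB equals Bob's hint, then output the MSB of that point.  Since
    |x1^T e2 - e1^T x2| <= 2*N*B^2 = 128 < q/8 here, that point lies in Bob's quarter."""
    for d in range(Q):
        for t in ((w + d) % Q, (w - d) % Q):
            if second_msb(t) == hint:
                return msb(t)

def run_experiment(seed=0, trials=2000):
    """Returns (MSB agreements without the hint, agreements with the hint, trials)."""
    rng = random.Random(seed)
    plain = hinted = 0
    for _ in range(trials):
        w, v = protocol_run(rng)
        key_bob = msb(v)
        plain += (msb(w) == key_bob)
        hinted += (rec1_with_hint(w, second_msb(v)) == key_bob)
    return plain, hinted, trials

if __name__ == "__main__":
    print(run_experiment())
```

Without the hint the MSBs disagree on a non-negligible fraction of runs, of the order Θ(nB²/q) discussed above; with the single-bit hint, and the noise bound 2NB² < q/8 that these parameters satisfy, the reconciled keys agree on every run.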

7.1 Overview

We explore the possibility of attaining (ring) LWE-based non-interactive key exchange (NIKE) (with modulus polynomial in the security parameter). We focus on the setting where Alice and Bob only send one or a few (ring) LWE samples to each other; similarly to the protocol in Figure 7-1, but without the last message sent from Bob to Alice. The main motivation for studying this setting is that perhaps it is the simplest setting which captures natural non-interactive variants of current LWE based key exchange protocols. Therefore, impossibility results will give a theoretical justification for current LWE based key exchange protocols. On the other hand, possibility results will yield Diffie-Hellman like non-interactive protocols.

Moreover, NIKE in this setting is simply characterized by two efficiently computable key reconciliation functions $\mathrm{Rec}_1, \mathrm{Rec}_2$, such that

- the outputs of Alice and Bob agree with each other with overwhelming probability, that is, $\mathrm{Rec}_1(A, x_1, e_1, b_2) = \mathrm{Rec}_2(A, x_2, e_2, b_1)$ holds with overwhelming probability (recall that $b_1 := A^T x_1 + e_1$ and $b_2 := A x_2 + e_2$),

- the output of the protocol is pseudo-random even when conditioned on the transcript, that is, it is hard to predict $\mathrm{Rec}_1(A, x_1, e_1, b_2)$ given $A, b_1, b_2$.

2 A typical size of q is $\approx 2^{13}$ and there are proposals that even use q = 257 [119].

Natural choices of reconciliation functions. In the protocol of Figure 7-1, Alice and Bob achieve approximate agreement by computing $x_1^T b_2$ and $x_2^T b_1$, respectively. These values are noisy versions of $x_1^T A x_2$ and their most significant bit agrees with probability $1 - \Theta(nB^2/q)$ when the support of 풳 is in [−B, B]. Based on this observation, one may consider the following three families of reconciliation functions (in increasing order of generality).

1. Rec1 and Rec2 are arbitrary efficient functions (not necessarily the most significant bit) on $x_1^T b_2$ and $x_2^T b_1$ respectively.

2. Rec1 and Rec2 are arbitrary efficient functions on A, x1, b2 and A, x2, b1 respectively.

3. Rec1 and Rec2 are arbitrary efficient functions on A, x1, e1, b2 and A, x2, e2, b1 respectively.

Note that the third family captures all possible reconciliation functions. Our results rule out the first and second families of reconciliation functions even when multiple LWE samples are exchanged, and point out central efficiency barriers for the third family.

First result (Section 7.3). One natural idea to remove the interaction would be to somehow “amplify” the agreement probability by sending more LWE samples and generating more independent samples from the joint distribution (X, Y) where $X := x_1^T b_2$ and $Y := x_2^T b_1$. Then, Rec1 and Rec2 apply on independent samples from X and Y respectively.

In Theorem 7.3.1, we show that for any m, balanced Rec1, Rec2 (see Definition 7.2.1) and non-trivial noise distribution, $\mathrm{Rec}_1(X^m) = \mathrm{Rec}_2(Y^m)$ holds with probability at most $1 - \Omega(1/q^2)$. This implies that such reconciliation functions cannot exist (this impossibility is information theoretic and holds even for computationally inefficient reconciliation functions). Our results naturally extend to the case of ring LWE.

Second result (Section 7.4). Even though the above result captures known constructions, it does not rule out a slightly more general case where the reconciliation functions depend on A. Indeed, given X′ := (A, X) and Y′ := (A, Y), Alice and Bob can agree on an insecure random bit with probability 1 by evaluating a balanced function of A (while ignoring X and Y). Of course, such protocols are not suitable for key agreement, since the common random bit is not pseudo-random conditioned on A.

In Theorem 7.4.1, we show that the reconciliation functions Rec1 and Rec2 have to depend on the LWE noises e1 and e2 respectively. For instance, the above theorem excludes a more general case than family 2 where the reconciliation functions are of the form $\mathrm{Rec}_1(A, x_1, e_1, b_2) = h_1(A, x_1, b_2)$ and $\mathrm{Rec}_2(A, x_2, e_2, b_1) = h_2(A, x_2, e_2, b_1)$. In particular, it rules out the case where the joint distribution is (X′, Y′). However, in contrast to Theorem 7.3.1 which holds unconditionally, Theorem 7.4.1 assumes the hardness of the LWE problem. Our results extend to the case of ring LWE and to a polynomial number of samples.

Third result (Section 7.5). The above two results rule out the most natural choices of key reconciliation functions based on variants of inner product, unconditionally or under the LWE assumption. In Section 7.5, we show that the existence of efficient Rec1 and Rec2, which depend on all of their inputs, cannot be ruled out (at least as long as the existence of iO is a possibility). In particular, in Theorem 7.5.1, we show that there exists an instantiation of the NIKE protocol in our framework that is based on indistinguishability obfuscation (iO) and puncturable PRFs [32]. However, we identify a crucial restriction on the complexity of reconciliation functions. In Theorem 7.5.3, we show that the reconciliation functions themselves actually have to contain cryptographic hardness, in the sense that they directly yield weak pseudorandom functions. Therefore, the reconciliation functions have to be at least as complex as weak pseudorandom functions, and hence suffer from the complexity limitations and attacks on weak pseudorandom functions. Moreover, this connection shows that any NIKE protocol based on the hardness of LWE with polynomial modulus, gives rise to new constructions of weak pseudorandom functions based on the hardness of LWE with polynomial modulus.

7.2 Basic Definitions

We now provide some useful notation and definitions.

Definition 7.2.1. A function f : S → {0, 1} is called balanced with respect to distribution 풟 if $\mathbb{E}_{x \leftarrow \mathcal{D}}[f(x)] = 1/2$.

Definition 7.2.2. A distribution 풳 over any group G (e.g. G = $\mathbb{Z}_q$) is symmetric if $\Pr_{X \leftarrow \mathcal{X}}[X = z] = \Pr_{X \leftarrow \mathcal{X}}[X = -z]$ for any z ∈ G.

Definition 7.2.3. A distribution 풳 over Zq is B-bounded if its support is included in [−B, B].

We formally define the class of all non-interactive key exchange protocols that could exist.

Definition 7.2.4. For a security parameter κ > 0, a non-interactive key-exchange protocol consists of two poly(κ)-time algorithms $b_1$ and $b_2$ and two poly(κ)-time computable boolean functions $\mathrm{Rec}_1$ and $\mathrm{Rec}_2$ that satisfy the conditions below (where $(r, r_1, r_2)$ is a random source with r a source of shared randomness and $r_1, r_2$ private sources of randomness of the two parties)

1. $\Pr_{r, r_1, r_2}\big[\mathrm{Rec}_1(r, r_1, b_2(r, r_2)) = \mathrm{Rec}_2(r, r_2, b_1(r, r_1))\big] \ge 1 - \mathrm{negl}(\kappa)$,

2. For any probabilistic poly(κ)-time algorithm 풜,

$$\Pr_{r, r_1, r_2}\big[\mathcal{A}(r, b_1(r, r_1), b_2(r, r_2)) = \mathrm{Rec}_1(r, r_1, b_2(r, r_2))\big] \le \frac{1}{2} + \mathrm{negl}(\kappa).$$

Distribution $(\mathcal{X}^n)^*$. Given a distribution 풳 over $\mathbb{Z}_q$, let $(\mathcal{X}^n)^*$ be the distribution where the vector $w = (w^{(1)}, w^{(2)}, \ldots, w^{(n)})$ is drawn from $\mathcal{X}^n$ conditioned on the event that w is not a zero-divisor, that is $\gcd(w^{(1)}, w^{(2)}, \ldots, w^{(n)}, q) = 1$.

7.3 (Information Theoretic) Impossibility of Amplification with Multiple Samples

We present our first impossibility result, which states that the reconciliation functions cannot be the inner product of the received LWE sample with the private LWE secret. This impossibility is information theoretic.

Theorem 7.3.1. Let n, q ≥ 1 be integers and 풳 be a symmetric distribution over $\mathbb{Z}_q$ such that for any $a \in \mathbb{Z}_q \setminus \{0\}$, it holds that $\Pr_{X \leftarrow \mathcal{X}}[aX = 0] \le 9/10$ and $\Pr_{X \leftarrow \mathcal{X}}[aX = q/2] \le 9/10$. Let $\mu_{\mathcal{X}}(X, Y)$ be the joint distribution of

$$X = x_1^T A x_2 + x_1^T e_2 \quad\text{and}\quad Y = x_1^T A x_2 + e_1^T x_2,$$

where $A \leftarrow \mathbb{Z}_q^{n \times n}$, $e_1, e_2 \leftarrow \mathcal{X}^n$ and $x_1, x_2 \leftarrow (\mathcal{X}^n)^*$, where $(\mathcal{X}^n)^*$ is as defined in Section 7.2. Then, for any m ≥ 1, and any balanced functions $\mathrm{Rec}_1, \mathrm{Rec}_2 : \mathbb{Z}_q^m \to \{0, 1\}$ with respect to the marginal distributions of $\mu_{\mathcal{X}}^{\otimes m}$, it holds that

$$\Pr_{(X, Y) \leftarrow \mu_{\mathcal{X}}^{\otimes m}}\big[\mathrm{Rec}_1(X) = \mathrm{Rec}_2(Y)\big] \le 1 - \Omega(1/q^2).$$

Our theorem also holds for the ring case with the same parameters (see Theorem C.1.1 in Appendix C.1). This theorem shows that no matter how many independent samples are drawn and no matter what procedures are applied on those samples, Alice and Bob can agree with each other on a random bit with probability at most $1 - \Omega(1/q^2)$. Note that Alice and Bob have to marginally produce a uniform bit as captured in the condition that Rec1 and Rec2 are balanced. Our theorem applies to the most commonly used noise distributions. For instance, the discrete Gaussian distribution $\mathcal{D}_\beta$ with standard deviation β > 10 satisfies the conditions of Theorem 7.3.1. First, the discrete Gaussian is a symmetric distribution. Second, if $x \leftarrow \mathcal{D}_\beta$, then from monotonicity of $\mathcal{D}_\beta$, for any $a \in \mathbb{Z}_q \setminus \{0\}$, $\Pr[ax = q/2] \le \Pr[ax = 0]$. Therefore, it is enough to show that for any $a \in \mathbb{Z}_q \setminus \{0\}$, $\Pr[ax = 0] \le 9/10$, which is straightforward to verify.³

Additionally, the condition of Theorem 7.3.1 that for any a ∈ Zq ∖ {0}, Pr[aX = 0] ≤ 9/10 and Pr[aX = q/2] ≤ 9/10 is quite mild. For instance, if q > 2 is prime, then this condition simplifies to the assumption that the support of 풳 is not equal to {0}. Also, for general q if the support of 풳 is 1/10-far from a proper subgroup or a coset of a proper subgroup of Zq, then this assumption is satisfied.

Notice that $\mu_{\mathcal{X}}(X, Y)$ as defined in Theorem 7.3.1 does not correspond to the joint distribution described in the introduction, since $x_1, x_2$ are sampled from $(\mathcal{X}^n)^*$. This is without loss of generality because if $w \leftarrow \mathcal{X}^n$, then the probability that $\gcd(w^{(1)}, w^{(2)}, \ldots, w^{(n)}, q) \neq 1$ is smaller than the probability that $w^{(1)}, w^{(2)}, \ldots, w^{(n)}$ all belong to a proper subgroup of $\mathbb{Z}_q$, which is less than $(9/10)^n$. So, the distribution of (X, Y) is at most $O(m/(9/10)^n)$ far from the distribution of m samples drawn as described in the introduction. Even though this is a very small change in the protocol, it will simplify our proof a lot, since in this case the value $x_1^T A x_2$ is a uniform element in $\mathbb{Z}_q$.⁴ Our Theorem 7.3.1 shows that in this regime, it is information theoretically impossible to agree on a common bit with probability $1 - o(1/q^2)$. In fact, the problem of generating common randomness by observing independent samples from two correlated distributions (or a joint distribution) is known as “Non-interactive Agreement Distillation” in the area of information theory and the notion of maximal correlation exactly captures this problem (up to a polynomial factor in the error). Even though we could prove our theorem in a self-contained manner, we feel this connection provides more insight. Therefore, in the next section we present some basic facts about maximal correlation and then present a proof through this notion. In Appendix C.1, we also present a self-contained proof of Theorem 7.3.1 using Fourier analysis and extend this to the ring LWE case (Theorem C.1.1).

3 Note that by symmetry and monotonicity of $\mathcal{D}_\beta$, $\Pr[ax = 0] \le \Pr[a(|x| - 1) = 0] + \Pr[x = 0]$. Combining with the fact that $\Pr[ax = 0] + \Pr[a(|x| - 1) = 0] \le 1$ for $a \neq 0$, and $\Pr[x = 0] \le 1/(1 + 2e^{-1/\beta^2})$, we conclude that $\Pr[ax = 0] \le (1 + \Pr[x = 0])/2 \le 9/10$ for β > 10.

4 If $w = (w^{(1)}, w^{(2)}, \ldots, w^{(n)})$ such that $\gcd(w^{(1)}, w^{(2)}, \ldots, w^{(n)}, q) = 1$ and u is uniform in $\mathbb{Z}_q^n$, then $w^T u$ is also uniform in $\mathbb{Z}_q$.

The Non-interactive Agreement Distillation problem, parameterized by a joint distribution µ(x, y) is defined as follows: Two players, Alice and Bob, observe sequences $(X_1, \ldots, X_m)$ and $(Y_1, \ldots, Y_m)$ respectively where $\{(X_i, Y_i)\}_{i=1}^m$ are drawn i.i.d. from µ(x, y). Both players look at their share of randomness, apply a function and output a bit. Their goal is to maximize the probability that their output bits agree, while ensuring that they are marginally uniform. Hirschfeld [98] and Gebelein [76] introduced the notion of maximal correlation, which was later studied by Rényi [144]. It turns out that maximal correlation (almost tightly) captures the maximum agreement probability that the players can get.

Definition 7.3.2 (Maximal Correlation). For a joint distribution µ over $G_A \times G_B$, its maximal correlation ρ(µ) is defined as follows,

$$\rho(\mu) = \sup_{f, g}\ \mathbb{E}_{(x, y) \leftarrow \mu}[f(x) \cdot g(y)], \quad \text{over } f : G_A \to \mathbb{R},\ g : G_B \to \mathbb{R} \text{ with } \mathbb{E}_{\mu_A}[f] = \mathbb{E}_{\mu_B}[g] = 0,\ \mathrm{Var}_{\mu_A}[f] = \mathrm{Var}_{\mu_B}[g] = 1,$$

where $\mu_A$ and $\mu_B$ are the marginal distributions of µ.

In order to analytically capture maximal correlation, let us define, for any joint distribution µ over $G_A \times G_B$, the $|G_A| \times |G_B|$ matrix $M_\mu$ given by

$$M_\mu(x, y) = \frac{\mu(x, y)}{\sqrt{\mu_A(x)\mu_B(y)}},$$

where $\mu_A$ and $\mu_B$ are the marginal distributions of µ.

Fact 7.3.3. The maximal correlation ρ(µ) is equal to the second largest singular value of $M_\mu$,⁵ denoted as $\sigma_2(M_\mu)$.

In the seminal work of [165], it was shown that maximal correlation actually captures (up to a square root factor), the best agreement probability that the players can get even with an infinite number of samples!

Lemma 7.3.4. Let µ be a joint distribution over $G_A \times G_B$ with marginal distributions $\mu_A$ and $\mu_B$, and suppose that $\rho(\mu) = 1 - \varepsilon$. Then for any m ≥ 1, $f : G_A^m \to \{0, 1\}$ and $g : G_B^m \to \{0, 1\}$ with $\mathbb{E}_{\mu_A^{\otimes m}}[f] = \mathbb{E}_{\mu_B^{\otimes m}}[g] = 1/2$, it holds that

$$\Pr_{(X, Y) \leftarrow \mu^{\otimes m}}[f(X) = g(Y)] \le 1 - \varepsilon/2. \qquad (7.3.1)$$

Moreover, there exist m, f, g such that $\mathbb{E}_{\mu_A^{\otimes m}}[f] = \mathbb{E}_{\mu_B^{\otimes m}}[g] = 1/2$ and

$$\Pr_{(X, Y) \leftarrow \mu^{\otimes m}}[f(X) = g(Y)] \ge 1 - \frac{\arccos(\rho(\mu))}{\pi} \ge 1 - \sqrt{2\varepsilon}. \qquad (7.3.2)$$

Because of Lemma 7.3.4, it suffices to upper bound the maximal correlation of $\mu_{\mathcal{X}}(X, Y)$ in order to prove Theorem 7.3.1. We exploit the special form of our distribution, namely that X is distributed uniformly in $\mathbb{Z}_q$ and X − Y is distributed as some “noise distribution” ξ. For such distributions, the maximal correlation is much easier to analyze. We prove the following lemma.

Lemma 7.3.5. Let n, q ≥ 1 be integers. For a distribution 풳 over $\mathbb{Z}_q$ and the joint distribution $\mu_{\mathcal{X}}$ that satisfies the conditions of Theorem 7.3.1, it holds that

$$\rho(\mu_{\mathcal{X}}) \le 1 - \Omega(1/q^2).$$

To prove Lemma 7.3.5, we consider a more general class of joint distributions called Cayley Distributions and characterize their maximal correlation.

5 The top singular value being 1.

Definition 7.3.6 (Cayley Distributions). A joint distribution µ over $\mathbb{Z}_q^k \times \mathbb{Z}_q^k$ is said to be a Cayley distribution if there exists a “noise distribution” $\xi : \mathbb{Z}_q^k \to \mathbb{R}_{\ge 0}$, such that, (i) $\xi(z) = \xi(-z)$ for all $z \in \mathbb{Z}_q^k$, and (ii) $\mu(x, y) = \xi(x - y)/q^k$ for all $x, y \in \mathbb{Z}_q^k$.⁶

A Cayley distribution can be viewed as sampling x uniformly at random in $\mathbb{Z}_q^k$, sampling z ← ξ and setting y = x + z. Note that a Cayley distribution µ is symmetric and has uniform marginals on $\mathbb{Z}_q^k$, so its maximal correlation is given by the second largest eigenvalue of $M_\mu$ (by Fact 7.3.3 and the fact that for symmetric matrices, singular values are the same as eigenvalues). Interestingly, the eigenvectors of $M_\mu$ can be completely characterized in a way that does not depend on the noise distribution ξ. This makes it easy to get a handle on the eigenvalues, which leads to the following lemma.

Lemma 7.3.7 (Maximal Correlation of Cayley Distributions [118]). For $a \in \mathbb{Z}_q^k$, define the character $\chi_a : \mathbb{Z}_q^k \to \mathbb{C}$ as $\chi_a(x) = e^{-2\pi i \cdot \langle a, x \rangle / q}$. Let µ be any Cayley distribution over $\mathbb{Z}_q^k \times \mathbb{Z}_q^k$, with associated noise function ξ. Then,

$$\rho(\mu) = \max_{a \in \mathbb{Z}_q^k \setminus \{0^k\}} \mathbb{E}_{e \leftarrow \xi}[\chi_a(e)].$$

Theorem 7.3.1 follows immediately by combining Lemma 7.3.4 and Lemma 7.3.5. Note that Theorem 7.3.1 generalizes to the case where the same uniformly chosen matrix A is used for all m samples in X and Y. We point out that Definition 7.3.6 and Lemma 7.3.7 generalize to all finite abelian groups G. However for concreteness, we only focus on our special case of $G = \mathbb{Z}_q^k$. While this lemma is standard, we include a proof for completeness.

Proof. We interpret $\chi_a$ as a vector in $\mathbb{C}^{q^k}$ indexed by elements in $\mathbb{Z}_q^k$. It is straightforward to verify that $\chi_a \in \mathbb{C}^{q^k}$ is an eigenvector of $M_\mu$ with corresponding eigenvalue $\mathbb{E}_{e \leftarrow \xi}[\chi_a(e)]$. Note that since $\mu$ is a Cayley distribution, $M_\mu(x, y) = q^k \cdot \mu(x, y)$. Fix any $a \in \mathbb{Z}_q^k$. For any $x \in \mathbb{Z}_q^k$, it holds that

$$\begin{aligned}
(M_\mu \chi_a)(x) &= \sum_{y \in \mathbb{Z}_q^k} M_\mu(x, y) \cdot \chi_a(y) = \sum_{y \in \mathbb{Z}_q^k} \big(q^k \cdot \mu(x, y)\big) \cdot \chi_a(y) \\
&= \sum_{y \in \mathbb{Z}_q^k} \xi(y - x) \cdot \chi_a(y) = \sum_{e \in \mathbb{Z}_q^k} \xi(e) \cdot \chi_a(x + e) \\
&= \Big( \sum_{e \in \mathbb{Z}_q^k} \xi(e) \cdot \chi_a(e) \Big) \cdot \chi_a(x) \\
&= \mathbb{E}_{e \leftarrow \xi}[\chi_a(e)] \cdot \chi_a(x).
\end{aligned}$$

The largest eigenvalue is $\mathbb{E}_{e \leftarrow \xi}[\chi_a(e)] = 1$, given by $a = 0^k$, because for any $e \in \mathbb{Z}_q^k$, $\chi_{0^k}(e) = 1$ and $|\chi_a(e)| \le 1$ if $a \ne 0^k$. Hence, $\rho(\mu)$, which is the second largest eigenvalue of $M_\mu$, is $\max_{a \in \mathbb{Z}_q^k \setminus \{0^k\}} \mathbb{E}_{e \leftarrow \xi}[\chi_a(e)]$.

⁶ Observe that since $\xi$ is a probability distribution over $\mathbb{Z}_q^k$, it follows that $\mu$ is also a probability distribution.

Proof of Lemma 7.3.5. Note that $\mu_{\mathcal{X}}$ is a Cayley distribution over $\mathbb{Z}_q \times \mathbb{Z}_q$ with associated noise distribution $\xi(z) = \Pr[x_1^T e_2 - e_1^T x_2 = z]$, where $e_1, e_2$ are drawn from $\mathcal{X}^n$ and $x_1, x_2$ are drawn from $(\mathcal{X}^n)^*$. First, $\xi(z) = \xi(-z)$ for any $z \in \mathbb{Z}_q$, since $x_1^T e_2$ and $e_1^T x_2$ are drawn from the same distribution, and so $x_1^T e_2 - e_1^T x_2$ is distributed identically to $e_1^T x_2 - x_1^T e_2$. Second, because $x_1^T A x_2 + x_1^T e_2$ is distributed uniformly over $\mathbb{Z}_q$ and is independent from $x_1^T e_2 - e_1^T x_2$, we have that

$$\mu_{\mathcal{X}}(X, Y) = \Pr[x_1^T A x_2 + x_1^T e_2 = X \text{ and } x_1^T e_2 - e_1^T x_2 = X - Y] = \frac{\xi(X - Y)}{q}.$$

By Lemma 7.3.7, $\rho(\mu_{\mathcal{X}}) = \max_{a \in \mathbb{Z}_q \setminus \{0\}} \mathbb{E}_{e \leftarrow \xi}[\chi_a(e)]$. Fix an arbitrary $a \in \mathbb{Z}_q \setminus \{0\}$; we need to show that $|\mathbb{E}_{e \leftarrow \xi}[\chi_a(e)]| \le 1 - \Omega(1/q^2)$. This is implied by Claim 1 and Claim 2 below.

Claim 1. $|\mathbb{E}_{e \leftarrow \xi}[\chi_a(e)]| \le \max_{c \in \mathbb{Z}_q^n \setminus \{0^n\}} |\mathbb{E}_{e \leftarrow \mathcal{X}^n}[\chi_c(e)]|$.

Proof. Note that

$$\begin{aligned}
|\mathbb{E}_{e \leftarrow \xi}[\chi_a(e)]| &= \Big| \mathbb{E}_{x_1, x_2 \leftarrow (\mathcal{X}^n)^*} \mathbb{E}_{e_1, e_2 \leftarrow \mathcal{X}^n}\big[\chi_a(x_1^T e_2 - e_1^T x_2)\big] \Big| \\
&\le \mathbb{E}_{x_1, x_2 \leftarrow (\mathcal{X}^n)^*} \Big| \mathbb{E}_{e_2 \leftarrow \mathcal{X}^n}[\chi_{a x_1}(e_2)] \Big| \cdot \Big| \mathbb{E}_{e_1 \leftarrow \mathcal{X}^n}[\chi_{a x_2}(-e_1)] \Big| \\
&\le \mathbb{E}_{x_1 \leftarrow (\mathcal{X}^n)^*} \Big| \mathbb{E}_{e_2 \leftarrow \mathcal{X}^n}[\chi_{a x_1}(e_2)] \Big|
\end{aligned}$$

where the second line follows from the triangle inequality and the independence of $e_1$ and $e_2$, and the third line follows because $\mathbb{E}_{e_2 \leftarrow \mathcal{X}^n}[\chi_{a x_1}(e_2)]$ and $\mathbb{E}_{e_1 \leftarrow \mathcal{X}^n}[\chi_{a x_2}(-e_1)]$ are eigenvalues of the symmetric matrix $M_\mu$, and hence they are reals of absolute value at most 1. Observe that for any fixed $x_1$ from $(\mathcal{X}^n)^*$, $a x_1 \ne 0^n$, since $a \in \mathbb{Z}_q \setminus \{0\}$. So, $\mathbb{E}_{e_2 \leftarrow \mathcal{X}^n}[\chi_{a x_1}(e_2)]$ is at most $\max_{c \in \mathbb{Z}_q^n \setminus \{0^n\}} |\mathbb{E}_{e \leftarrow \mathcal{X}^n}[\chi_c(e)]|$ and the desired conclusion follows.

Claim 2. For any $c \in \mathbb{Z}_q^n \setminus \{0^n\}$, $|\mathbb{E}_{e \leftarrow \mathcal{X}^n}[\chi_c(e)]| \le 1 - \Omega(1/q^2)$.

Proof. Because each coordinate of $e$ is drawn independently from $\mathcal{X}$,

$$\mathbb{E}_{e \leftarrow \mathcal{X}^n}[\chi_c(e)] = \prod_{i=1}^{n} \mathbb{E}_{z \leftarrow \mathcal{X}}[\chi_{c_i}(z)].$$

Since $\mathcal{X}$ is symmetric, for any $i \in [n]$, $\mathbb{E}_{z \leftarrow \mathcal{X}}[\chi_{c_i}(z)]$ is real with absolute value at most 1. Therefore, it suffices to show that $|\mathbb{E}_{z \leftarrow \mathcal{X}}[\chi_{c_i}(z)]| \le 1 - \Omega(1/q^2)$ for an arbitrary $i \in [n]$. Fix an $i \in [n]$ such that $c_i \ne 0$ and observe that

$$\mathbb{E}_{z \leftarrow \mathcal{X}}[\chi_{c_i}(z)] \le 1 - \Pr_{z \leftarrow \mathcal{X}}[c_i z \ne 0] \cdot \Omega\Big(\frac{1}{q^2}\Big),$$

because if $c_i z \ne 0$, then the real part of $\chi_{c_i}(z)$ is at most $\cos(2\pi/q) \le 1 - 1/q^2$.⁷ Similarly,

$$\mathbb{E}_{z \leftarrow \mathcal{X}}[\chi_{c_i}(z)] \ge -1 + \Pr_{z \leftarrow \mathcal{X}}[c_i z \ne q/2] \cdot \Omega\Big(\frac{1}{q^2}\Big)$$

holds because if $c_i z \ne q/2$, then the real part of $\chi_{c_i}(z)$ is at least $\cos(\pi + 2\pi/q) \ge -1 + 1/q^2$.⁸ By our assumption on $\mathcal{X}$, we have that $\Pr_{z \leftarrow \mathcal{X}}[c_i z \ne q/2] \ge 0.1$ and $\Pr_{z \leftarrow \mathcal{X}}[c_i z \ne 0] \ge 0.1$. Hence, $|\mathbb{E}_{z \leftarrow \mathcal{X}}[\chi_{c_i}(z)]| \le 1 - \Omega(1/q^2)$, which concludes the proof.

⁷ Because for $x \in [-\pi/2, \pi/2]$, $\cos(x) \le 1 - x^2/(4\pi^2)$.

For the interested reader, we provide a more self-contained proof in Appendix C.1 which is equivalent to an unrolling of the above proof, but is much more succinct because we do not use the more general statement of Lemma 7.3.4 about maximal correlation. In Appendix C.1, we also give an extension of the proof to the case of Ring-LWE.
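As an added numerical illustration of Lemma 7.3.7 and of Claim 2 (written for this page, not part of the thesis), the following Python block takes the case $k = 1$: it builds the matrix $M_\mu(x, y) = \xi(y - x)$ of a Cayley distribution over $\mathbb{Z}_q$ for a constructed symmetric noise distribution, checks that every character $\chi_a$ is an eigenvector of $M_\mu$ with eigenvalue $\mathbb{E}_{e \leftarrow \xi}[\chi_a(e)]$, and compares $\rho(\mu) = \max_{a \ne 0} |\mathbb{E}[\chi_a(e)]|$ with the explicit form $1 - \min(\Pr[z \ne 0], \Pr[z \ne q/2])/q^2$ of the bound that the proof of Claim 2 yields for $q \ge 4$. The noise distribution (uniform on a small symmetric interval) is a constructed choice, not one used in the thesis.

```python
import cmath
import math


def character(a, x, q):
    """The character chi_a(x) = exp(-2*pi*i*a*x/q) of Z_q (the k = 1 case of Lemma 7.3.7)."""
    return cmath.exp(-2j * math.pi * a * x / q)


def symmetric_noise(q, width):
    """Constructed noise distribution xi over Z_q: uniform on {-width, ..., width}.
    It satisfies xi(z) = xi(-z), so it defines a Cayley distribution (Definition 7.3.6)."""
    assert 0 <= width < q / 2
    xi = [0.0] * q
    for z in range(-width, width + 1):
        xi[z % q] += 1.0 / (2 * width + 1)
    return xi


def cayley_matrix(xi):
    """M_mu(x, y) = q * mu(x, y) = xi(y - x): the matrix whose second largest
    eigenvalue is the maximal correlation rho(mu)."""
    q = len(xi)
    return [[xi[(y - x) % q] for y in range(q)] for x in range(q)]


def character_eigenvalue(xi, a):
    """lambda_a = E_{e <- xi}[chi_a(e)], the eigenvalue attached to chi_a."""
    q = len(xi)
    return sum(xi[e] * character(a, e, q) for e in range(q))


def is_eigenvector(xi, a, tol=1e-9):
    """Check (M_mu chi_a)(x) == lambda_a * chi_a(x) for every x, the computation
    carried out in the proof of Lemma 7.3.7."""
    q = len(xi)
    m = cayley_matrix(xi)
    chi = [character(a, x, q) for x in range(q)]
    lam = character_eigenvalue(xi, a)
    for x in range(q):
        image = sum(m[x][y] * chi[y] for y in range(q))
        if abs(image - lam * chi[x]) > tol:
            return False
    return True


def maximal_correlation(xi):
    """rho(mu) = max over a != 0 of |E_{e <- xi}[chi_a(e)]| (Lemma 7.3.7 with k = 1).
    Because xi is symmetric every lambda_a is real, so the absolute value only
    folds the negative eigenvalues in."""
    q = len(xi)
    return max(abs(character_eigenvalue(xi, a)) for a in range(1, q))


def claim2_bound(xi):
    """Explicit form of the 1 - Omega(1/q^2) bound from the proof of Claim 2 (q >= 4):
    lambda_a <= 1 - Pr[z != 0]/q^2 and lambda_a >= -1 + Pr[z != q/2]/q^2,
    using cos(2*pi/q) <= 1 - 1/q^2 for the constant."""
    q = len(xi)
    assert q >= 4
    p_nonzero = 1.0 - xi[0]
    p_not_half = 1.0 - xi[q // 2] if q % 2 == 0 else 1.0  # q/2 is not in Z_q for odd q
    return 1.0 - min(p_nonzero, p_not_half) / q ** 2


if __name__ == "__main__":
    for q in (7, 8, 16):
        xi = symmetric_noise(q, width=1)
        assert all(is_eigenvector(xi, a) for a in range(q))
        print(f"q={q}: rho(mu)={maximal_correlation(xi):.4f}  Claim 2 bound={claim2_bound(xi):.4f}")
```

The uniform distribution on all of $\mathbb{Z}_q$ gives $\rho(\mu) = 0$, the extreme case of the lemma, while narrow noise gives a correlation close to, but by Claim 2 bounded away from, 1.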

7.4 (Computational) Impossibility of Noise-Ignorant Key Reconciliation Functions

Let us set up some basic notation. For distributions 풳 , 풴 over G, we denote the Rényi divergence [160] of power 2 by

$$RD_2(\mathcal{X} \,\|\, \mathcal{Y}) = \mathbb{E}_{a \leftarrow \mathcal{X}}\Big[ \Pr_{x \leftarrow \mathcal{X}}[x = a] \big/ \Pr_{y \leftarrow \mathcal{Y}}[y = a] \Big].$$

We use 1 + 풳 to denote the distribution which samples x from 풳 , then outputs 1 + x, and 풳 + 풳 ′ the distribution obtained as x + x′ for x ← 풳 and x′ ← 풳 ′.

Theorem 7.4.1. Let $n \ge 1$, $q = \mathrm{poly}(n)$, $m = \mathrm{poly}(n)$ be integers and $\mathcal{X}$ be a noise distribution over $\mathbb{Z}_q$ such that $RD_2(1 + \mathcal{X} \,\|\, \mathcal{X}) = 1 + \gamma$. Let $\mu_{\mathcal{X}}(X, Y)$ be the joint distribution of

$$X = (A, x_1, e_1, b_2) \quad \text{and} \quad Y = (A, x_2, b_1),$$

where $A \leftarrow \mathbb{Z}_q^{n \times n}$, $e_1, e_2 \leftarrow \mathcal{X}^n$ and $x_1, x_2 \leftarrow \mathcal{X}^n$, $b_1 = x_1^T A + e_1^T$ and $b_2 = A x_2 + e_2$.

Suppose that $\mathrm{Rec}_1$ and $\mathrm{Rec}_2$ are efficiently computable boolean functions that reach key agreement with error at most $\varepsilon = \mathrm{negl}(n)$. The domains of $\mathrm{Rec}_1$ and $\mathrm{Rec}_2$ are the support of the marginal distributions $\mu_X^{\otimes m}$ and $\mu_Y^{\otimes m}$ respectively. Then, $m$ independent samples of $(A, b_2)$ can be efficiently distinguished from $m$ independent samples $(A, u)$ where $u \leftarrow \mathbb{Z}_q^n$ with advantage at least

$$\Omega\Big( \frac{1}{q^2} \cdot \frac{1}{\sqrt{mn\gamma}} \Big) - O(\sqrt{\varepsilon}).$$

⁸ Because for $x \in [-\pi/2, \pi/2]$, $\cos(\pi + x) \ge -1 + x^2/(4\pi^2)$.

Our theorem also holds for the ring case. This theorem implies that as long as $RD_2(1 + \mathcal{X} \,\|\, \mathcal{X})$ is greater than 1 and one party's reconciliation function does not depend on its noise, then (ring) LWE samples (associated with error distribution $\mathcal{X}$) are not pseudorandom. The condition on $RD_2(1 + \mathcal{X} \,\|\, \mathcal{X})$ captures a large class of noise distributions including the discrete Gaussian distribution.⁹ Theorem 7.4.1 generalizes to the case where the same uniformly chosen matrix $A$ is used for all $m$ samples from $\mu_X$ and $\mu_Y$.

Let $\mathcal{Z} = \mathcal{U}(\mathbb{Z}_q^{n \times n}) \times \mathcal{X}^n \times \mathcal{X}^n$ and let $\mathcal{X}'$ over $\mathbb{Z}_q$ be the distribution that outputs 1 with probability $\alpha = \sqrt{1/(nm\gamma)}$ and outputs 0 otherwise; then Theorem 7.4.1 follows from the next two lemmas.

Lemma 7.4.2. Suppose that $f$ is a boolean function with domain the support of $\mu_X^{\otimes m}$. Let $\{U_i\}_{i=1}^m \leftarrow \mathcal{Z}^{\otimes m}$, $\{u_i\}_{i=1}^m \leftarrow (\mathbb{Z}_q^n)^{\otimes m}$, $\{u_i'\}_{i=1}^m \leftarrow (\mathbb{Z}_q^n)^{\otimes m}$, and $\{w_i\}_{i=1}^m \leftarrow (\mathcal{X}'^n)^{\otimes m}$. Then,

$$\Pr\big[f(\{U_i, u_i\}_{i=1}^m) \ne f(\{U_i, u_i'\}_{i=1}^m)\big] \le \Pr\big[f(\{U_i, u_i\}_{i=1}^m) \ne f(\{U_i, u_i + w_i\}_{i=1}^m)\big] \cdot O\big(q^2 \sqrt{nm\gamma}\big).$$

Lemma 7.4.3. Suppose that $f = \mathrm{Rec}_1$ and $g = \mathrm{Rec}_2$ are key reconciliation functions satisfying the conditions of Theorem 7.4.1. Let $\{X_i\}_{i=1}^m = (A_i, x_i, e_i, b_i)_{i \in [m]} \leftarrow \mu_X^{\otimes m}$ and $\{X_i'\}_{i=1}^m = (A_i, x_i, e_i, b_i')_{i \in [m]}$, where $b_i' = A_i x_i' + e_i'$ with $\{x_i'\}_{i=1}^m \leftarrow (\mathcal{X}^n)^{\otimes m}$ and $\{e_i'\}_{i=1}^m \leftarrow (\mathcal{X}^n)^{\otimes m}$. It holds that

$$\Pr\big[f(\{X_i\}_{i=1}^m) \ne f(\{X_i'\}_{i=1}^m)\big] \ge 1/3, \tag{7.4.1}$$

and if $\{w_i\}_{i=1}^m \leftarrow (\mathcal{X}'^n)^{\otimes m}$,

$$\Pr\big[f(\{A_i, x_i, e_i, b_i + w_i\}_{i=1}^m) \ne f(\{X_i\}_{i=1}^m)\big] \le O(\sqrt{\varepsilon}). \tag{7.4.2}$$

⁹ In particular, Bogdanov et al. [31] showed that $RD_2(1 + \mathcal{D}_\sigma \,\|\, \mathcal{D}_\sigma) = \exp(2\pi(1/\sigma)^2)$, which is bounded away from 1 for any discrete Gaussian distribution $\mathcal{D}_\sigma$ with standard deviation $\sigma \ge 1$.

We first prove Theorem 7.4.1 using Lemmas 7.4.2 and 7.4.3. Lemma 7.4.2 is based on Fourier analysis and works for any boolean function $f$. Lemma 7.4.3 relies on the assumption that the key reconciliation functions are efficient and $\mathrm{Rec}_2$ does not depend on its noise.

Proof of Theorem 7.4.1. Let $f = \mathrm{Rec}_1$ and $g = \mathrm{Rec}_2$ be key reconciliation functions satisfying the conditions of Theorem 7.4.1. We wish to distinguish between $m$ i.i.d. samples $\{(A_i, b_i)\}_{i=1}^m$ and $m$ i.i.d. samples $\{(A_i, u_i)\}_{i=1}^m$. First, note that if

$$\Big| \Pr\big[f(\{A_i, x_i, e_i, u_i\}_{i=1}^m) = 0\big] - \Pr\big[f(\{A_i, x_i, e_i, b_i\}_{i=1}^m) = 0\big] \Big| \ge \alpha/q^2,$$

where $\{x_i\}_{i=1}^m, \{e_i\}_{i=1}^m \leftarrow (\mathcal{X}^n)^{\otimes m}$, there exists a polynomial time distinguisher, since $x_i$ and $e_i$ are efficiently sampleable. Hence, it suffices to construct a polynomial time distinguisher when

$$\Big| \Pr\big[f(\{A_i, x_i, e_i, u_i\}_{i=1}^m) = 0\big] - \Pr\big[f(\{A_i, x_i, e_i, b_i\}_{i=1}^m) = 0\big] \Big| < \alpha/q^2. \tag{7.4.3}$$

Let $P_{\mathcal{X}} = \Pr[f(\{A_i, x_i, e_i, b_i\}_{i=1}^m) = 0]$ and $P_{\mathcal{U}} = \Pr[f(\{A_i, x_i, e_i, u_i\}_{i=1}^m) = 0]$; then

$$\Pr\big[f(\{A_i, x_i, e_i, u_i\}_{i=1}^m) = f(\{A_i, x_i, e_i, u_i'\}_{i=1}^m)\big] = 2P_{\mathcal{U}}^2 - 2P_{\mathcal{U}} + 1,$$

where $u_i' \leftarrow \mathbb{Z}_q^n$, and

$$\Pr\big[f(\{A_i, x_i, e_i, b_i\}_{i=1}^m) = f(\{A_i, x_i, e_i, b_i'\}_{i=1}^m)\big] = 2P_{\mathcal{X}}^2 - 2P_{\mathcal{X}} + 1,$$

where $b_i'$ are fresh LWE samples. From the above equations and Lemmas 7.4.2 and 7.4.3, we have that

$$\begin{aligned}
\Pr\big[f(\{A_i, x_i, e_i, u_i\}_{i=1}^m) = f(\{A_i, x_i, e_i, u_i'\}_{i=1}^m)\big] &\le \frac{2}{3} + 2(P_{\mathcal{U}} - P_{\mathcal{X}})(P_{\mathcal{U}} + P_{\mathcal{X}} - 1) \\
&\le \frac{2}{3} + 2\,|P_{\mathcal{U}} - P_{\mathcal{X}}|\,|P_{\mathcal{U}} + P_{\mathcal{X}} - 1| \\
&\le \frac{2}{3} + 2\alpha/q^2.
\end{aligned}$$

The first inequality follows from Equation (7.4.1) of Lemma 7.4.3. Then, we use Equation (7.4.3) and the fact that $P_{\mathcal{U}}$ and $P_{\mathcal{X}}$ are probabilities, and hence $|P_{\mathcal{U}} + P_{\mathcal{X}} - 1| \le 1$. Combining this with Lemma 7.4.2, we get that

$$\Pr\big[f(\{A_i, x_i, e_i, u_i\}_{i=1}^m) \ne f(\{A_i, x_i, e_i, u_i + w_i\}_{i=1}^m)\big] \ge \Omega\Big( \frac{\alpha}{q^2} - \frac{\alpha^2}{q^4} \Big),$$

where $w_i \leftarrow \mathcal{X}'^n$. But, from Equation (7.4.2) of Lemma 7.4.3, we have that

$$\Pr\big[f(\{A_i, x_i, e_i, b_i\}_{i=1}^m) \ne f(\{A_i, x_i, e_i, b_i + w_i\}_{i=1}^m)\big] \le O(\sqrt{\varepsilon}).$$

Thus, we distinguish between $m$ i.i.d. samples $\{(A_i, u_i)\}_{i=1}^m$ and $\{(A_i, b_i)\}_{i=1}^m$ by computing $\Pr[f(\{A_i, x_i, e_i, y_i\}_{i=1}^m) \ne f(\{A_i, x_i, e_i, y_i + w_i\}_{i=1}^m)]$, where $\{y_i\}_{i=1}^m$ are the challenge samples. This gives us an advantage of $\Omega(\alpha/q^2) - O(\sqrt{\varepsilon})$.

Proof of Lemma 7.4.2. Let $\mathrm{Re}(z)$ denote the real part of any $z \in \mathbb{C}$. We define the function $F(u) = (-1)^{f(\{(U_i, u_i)\}_{i=1}^m)}$, where $u = \{u_i\}_{i=1}^m$. We fix $\{U_i\}_{i=1}^m$; then

$$\Pr\big[f(\{(U_i, u_i + w_i)\}_{i=1}^m) \ne f(\{(U_i, u_i)\}_{i=1}^m)\big] = \frac{1 - \mathbb{E}[F(u)F(u + w)]}{2},$$

where $u = \{u_i\}_{i=1}^m \leftarrow (\mathbb{Z}_q^n)^{\otimes m}$ and $w = \{w_i\}_{i=1}^m \leftarrow (\mathcal{X}'^n)^{\otimes m}$. For any $c \in (\mathbb{Z}_q^n)^m$, let $\hat{F}(c) = \mathbb{E}_{u \leftarrow (\mathbb{Z}_q^n)^{\otimes m}}[F(u)\chi_c(-u)]$. Note that for any $u \in (\mathbb{Z}_q^n)^m$, $F(u) = \sum_{c \in (\mathbb{Z}_q^n)^m} \hat{F}(c)\chi_c(u)$. Finally, because $F$ is real, so is $\mathbb{E}[F(u)F(u + w)]$.

$$\begin{aligned}
\mathbb{E}[F(u)F(u + w)] &= |\hat{F}(0^{nm})|^2 + \sum_{c \in (\mathbb{Z}_q^n)^m \setminus \{0^{nm}\}} |\hat{F}(c)|^2\, \mathbb{E}[\chi_c(w)] \\
&= |\hat{F}(0^{nm})|^2 + \sum_{c \in (\mathbb{Z}_q^n)^m \setminus \{0^{nm}\}} |\hat{F}(c)|^2\, \mathbb{E}[\mathrm{Re}(\chi_c(w))] \\
&\le |\hat{F}(0^{nm})|^2 + \Big( \max_{c \in (\mathbb{Z}_q^n)^m \setminus \{0^{nm}\}} \mathbb{E}[\mathrm{Re}(\chi_c(w))] \Big) \Big( \sum_{c \in (\mathbb{Z}_q^n)^m \setminus \{0^{nm}\}} |\hat{F}(c)|^2 \Big) \\
&= |\hat{F}(0^{nm})|^2 + \Big( \max_{c \in (\mathbb{Z}_q^n)^m \setminus \{0^{nm}\}} \mathbb{E}[\mathrm{Re}(\chi_c(w))] \Big) \big( 1 - |\hat{F}(0^{nm})|^2 \big)
\end{aligned}$$

where the first equality follows by expanding $F$ using its Fourier representation and linearity of expectation, the second equality holds because $\mathbb{E}[F(u)F(u + w)]$ is real, and the last equality uses Parseval's identity, which states that $\sum_c |\hat{F}(c)|^2 = \mathbb{E}\big[|F(u)|^2\big] = 1$. For any $c \ne 0^{nm}$, it holds that $\Pr[c^T w \ne 0] \ge \alpha$ and $\mathrm{Re}(\chi_c(w)) \le 1 - \Omega(1/q^2)$ whenever $c^T w \ne 0$. Hence, similarly to the analysis of Claim 2, we have that $\max_{c \in (\mathbb{Z}_q^n)^{\otimes m} \setminus \{0^{nm}\}} \mathbb{E}[\mathrm{Re}(\chi_c(w))] \le 1 - \Omega(\alpha/q^2)$. Therefore,

$$\Pr\big[f(\{(U_i, u_i + w_i)\}_{i=1}^m) \ne f(\{(U_i, u_i)\}_{i=1}^m)\big] \ge \Omega(\alpha/q^2) \cdot \frac{1 - |\hat{F}(0^{nm})|^2}{2}.$$

Since $\Pr_{u, u' \leftarrow (\mathbb{Z}_q^n)^{\otimes m}}\big[f(\{(U_i, u_i)\}_{i=1}^m) \ne f(\{(U_i, u_i')\}_{i=1}^m)\big] = \frac{1 - |\hat{F}(0^{nm})|^2}{2}$, the conclusion follows by averaging over $\{U_i\}_{i=1}^m$.

Proof of Lemma 7.4.3. Suppose Equation (7.4.1) is not true; then together with the correctness condition, it holds that

$$\Pr\big[g(\{(A_i, x_i', b_i'')\}_{i=1}^m) = f(\{(A_i, x_i'', e_i'', b_i)\}_{i=1}^m)\big] > 2/3 - \mathrm{poly}(\varepsilon),$$

where the inputs of $g$ and $f$ are sampled as in Theorem 7.4.1. Then, an adversary that samples fresh $\{x_i'\}_{i=1}^m \leftarrow (\mathcal{X}^n)^{\otimes m}$ and computes $g(\{(A_i, x_i', b_i'')\}_{i=1}^m)$ predicts the output of $f(\{(A_i, x_i'', e_i'', b_i)\}_{i=1}^m)$ with probability at least $2/3 - \mathrm{poly}(\varepsilon)$. Hence, it breaks the soundness condition of NIKE. To prove Equation (7.4.2), we first show the following two claims.

Claim 7.4.4. It holds that

$$\Pr\big[f(\{(A_i, x_i'', e_i'', b_i + w_i)\}_{i=1}^m) \ne g(\{(A_i, x_i', b_i'')\}_{i=1}^m)\big] \le \sqrt{\varepsilon \cdot RD_2(\mathcal{X} + \mathcal{X}' \,\|\, \mathcal{X})^{nm}}.$$

Proof. We rely on two elementary properties of Rényi divergence:

1. For any two distributions $X$ and $Y$ and any event $E$, $(\Pr[X \in E])^2 \le \Pr[Y \in E] \cdot RD_2(X \,\|\, Y)$.
2. For any $k$, $RD_2(X^k \,\|\, Y^k) = (RD_2(X \,\|\, Y))^k$.

For any fixed choice of $\{(A_i, x_i'', e_i'', x_i)\}_{i=1}^m$, let $E$ be the event that $f$ disagrees with $g$. Then, by the properties of Rényi divergence,

$$\begin{aligned}
&\Pr\big[f(\{(A_i, x_i'', e_i'', b_i + w_i)\}_{i=1}^m) \ne g(\{(A_i, x_i', b_i'')\}_{i=1}^m)\big]^2 \\
&\le \Pr\big[f(\{(A_i, x_i'', e_i'', b_i)\}_{i=1}^m) \ne g(\{(A_i, x_i', b_i'')\}_{i=1}^m)\big] \cdot RD_2\big((\mathcal{X}^n + \mathcal{X}'^n)^{\otimes m} \,\|\, (\mathcal{X}^n)^{\otimes m}\big) \\
&= \Pr\big[f(\{(A_i, x_i'', e_i'', b_i)\}_{i=1}^m) \ne g(\{(A_i, x_i', b_i'')\}_{i=1}^m)\big] \cdot RD_2(\mathcal{X} + \mathcal{X}' \,\|\, \mathcal{X})^{nm}.
\end{aligned}$$

The desired conclusion follows by averaging over $\{(A_i, x_i'', e_i'', x_i)\}_{i=1}^m$ and the fact that for any random variable $z$, $(\mathbb{E}[z])^2 \le \mathbb{E}[z^2]$.

Claim 7.4.5. $RD_2(\mathcal{X} + \mathcal{X}' \,\|\, \mathcal{X}) = 1 + \alpha^2\gamma$.

Proof. From the definition of $RD_2$ and $\mathcal{X}'$,

$$\begin{aligned}
RD_2(\mathcal{X} + \mathcal{X}' \,\|\, \mathcal{X}) &= \sum_{x \in \mathbb{Z}_q} \frac{\big((1 - \alpha)\Pr_{X \leftarrow \mathcal{X}}[X = x] + \alpha \Pr_{X \leftarrow \mathcal{X}}[X + 1 = x]\big)^2}{\Pr_{X \leftarrow \mathcal{X}}[X = x]} \\
&= (1 - \alpha)^2 + 2(1 - \alpha)\alpha + \alpha^2 RD_2(\mathcal{X} + 1 \,\|\, \mathcal{X}) \\
&= 1 + \alpha^2\big(RD_2(\mathcal{X} + 1 \,\|\, \mathcal{X}) - 1\big).
\end{aligned}$$

Finally, Equation (7.4.2) follows from the correctness condition,

$$\Pr\big[f(\{(A_i, x_i'', e_i'', b_i)\}_{i=1}^m) \ne g(\{(A_i, x_i', b_i'')\}_{i=1}^m)\big] \le \varepsilon,$$

and the above two claims:

$$\begin{aligned}
&\Pr\big[f(\{(A_i, x_i'', e_i'', b_i + w_i)\}_{i=1}^m) \ne f(\{(A_i, x_i'', e_i'', b_i)\}_{i=1}^m)\big] \\
&\le \Pr\big[f(\{(A_i, x_i'', e_i'', b_i + w_i)\}_{i=1}^m) \ne g(\{(A_i, x_i', b_i'')\}_{i=1}^m)\big] + \Pr\big[f(\{(A_i, x_i'', e_i'', b_i)\}_{i=1}^m) \ne g(\{(A_i, x_i', b_i'')\}_{i=1}^m)\big] \\
&\le \sqrt{\varepsilon(1 + \alpha^2\gamma)^{nm}} + \varepsilon.
\end{aligned}$$

Equation (7.4.2) follows from our choice of $\alpha = \sqrt{1/(nm\gamma)}$.
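The Rényi-divergence bookkeeping behind Theorem 7.4.1 and Claim 7.4.5, as an added numerical check written for this page (not part of the thesis): the block computes $RD_2(1 + \mathcal{X} \,\|\, \mathcal{X}) = 1 + \gamma$ for a constructed discrete Gaussian over $\mathbb{Z}_q$, verifies the identity $RD_2(\mathcal{X} + \mathcal{X}' \,\|\, \mathcal{X}) = 1 + \alpha^2\gamma$ directly against the definition of $RD_2$, and evaluates the final bound $\sqrt{\varepsilon(1 + \alpha^2\gamma)^{nm}} + \varepsilon$ with $\alpha = \sqrt{1/(nm\gamma)}$. The parameters $\sigma$, $q$, $n$, $m$ and $\varepsilon$ are constructed for illustration only.

```python
import math


def discrete_gaussian_mod_q(sigma, q):
    """Constructed noise distribution over Z_q (q even): mass at z proportional to
    exp(-pi*z^2/sigma^2), with z read as the centred representative in [-q/2, q/2).
    It has full support, which RD2 needs (the denominator must never vanish)."""
    weights = []
    for z in range(q):
        rep = z - q if z >= q // 2 else z
        weights.append(math.exp(-math.pi * rep * rep / (sigma * sigma)))
    total = sum(weights)
    return [w / total for w in weights]


def rd2(p, r):
    """Renyi divergence of power 2 as defined in Section 7.4:
    RD2(P||R) = E_{a<-P}[P(a)/R(a)] = sum_a P(a)^2 / R(a)."""
    return sum(pa * pa / ra for pa, ra in zip(p, r) if pa > 0.0)


def shift(p, s=1):
    """Distribution of s + X for X <- p over Z_q (the '1 + X' notation of Section 7.4)."""
    q = len(p)
    return [p[(x - s) % q] for x in range(q)]


def add_bernoulli(p, alpha):
    """Distribution of X + X', where X' is 1 with probability alpha and 0 otherwise."""
    q = len(p)
    p1 = shift(p, 1)
    return [(1.0 - alpha) * p[x] + alpha * p1[x] for x in range(q)]


def gamma_of(p):
    """gamma such that RD2(1 + X || X) = 1 + gamma."""
    return rd2(shift(p, 1), p) - 1.0


def choose_alpha(n, m, gamma):
    """alpha = sqrt(1/(n*m*gamma)), the choice made just before Lemma 7.4.2."""
    return math.sqrt(1.0 / (n * m * gamma))


def claim_7_4_5_sides(p, alpha):
    """Left side RD2(X + X' || X) computed from the definition, right side 1 + alpha^2 * gamma."""
    lhs = rd2(add_bernoulli(p, alpha), p)
    rhs = 1.0 + alpha * alpha * gamma_of(p)
    return lhs, rhs


def error_bound_7_4_2(eps, n, m, gamma):
    """sqrt(eps * (1 + alpha^2 gamma)^{nm}) + eps, the last line of the proof of
    Lemma 7.4.3; with alpha = sqrt(1/(nm gamma)) the power is (1 + 1/(nm))^{nm} <= e,
    so the whole bound is O(sqrt(eps))."""
    alpha = choose_alpha(n, m, gamma)
    power = (1.0 + alpha * alpha * gamma) ** (n * m)
    return math.sqrt(eps * power) + eps


if __name__ == "__main__":
    p = discrete_gaussian_mod_q(sigma=3.0, q=64)
    g = gamma_of(p)
    print(f"RD2(1+X||X) = {1 + g:.6f}  (exp(2*pi/sigma^2) = {math.exp(2 * math.pi / 9):.6f})")
    lhs, rhs = claim_7_4_5_sides(p, 0.1)
    print(f"Claim 7.4.5: {lhs:.12f} vs {rhs:.12f}")
    print(f"bound (7.4.2) for eps=1e-6, n=8, m=4: {error_bound_7_4_2(1e-6, 8, 4, g):.3e}")
```

For the discrete Gaussian the computed $1 + \gamma$ matches the closed form $\exp(2\pi/\sigma^2)$ quoted in footnote 9 up to the negligible mass wrapped around $\pm q/2$.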

7.5 Connections to other cryptographic primitives

Thus far, our results focused on specific classes of reconciliation functions, showing that they are not powerful enough to give NIKE in our framework. Extending our previous results in either the positive or the negative direction hits barriers. The negative direction, which is to prove a completely general impossibility result, is ruled out if iO exists. The positive direction, which is to propose a NIKE protocol that avoids our impossibility results, implies new cryptographic constructions from polynomial modulus LWE. In particular, a positive result would imply direct constructions of special structured weak pseudorandom functions from polynomial modulus LWE.

From iO To NIKE

Even though our results show that there are many limitations in building practical NIKE from polynomial modulus LWE, assuming indistinguishability obfuscation (iO) constructing NIKE is, at least theoretically, possible. Therefore, unless there are breakthrough advancements that rule out the possibility of iO constructions, showing a general impossibility of NIKE is out of range. In this section, we sketch the iO-based NIKE scheme of Boneh and Zhandry [32] and explain why it can be implemented in our framework.

Theorem 7.5.1 ([32]). Assuming a secure pseudorandom generator, a secure punctured pseudorandom function family and a secure indistinguishability obfuscator, there exists a secure NIKE.

In addition to the matrix $A$, in this protocol the parties share the following obfuscated program:

Input: $b_1, b_2, s_1, s_2$
Constants: a pseudorandom function $\mathrm{PRF}$
Output: If $b_1 = \mathrm{PRG}(s_1)$, output $\mathrm{PRF}(b_1, b_2)$. If $b_2 = \mathrm{PRG}(s_2)$, output $\mathrm{PRF}(b_1, b_2)$. Otherwise, output $\bot$.

During the protocol, the parties exchange LWE samples $b_1, b_2$, evaluate the obfuscated program with $s_1 = (x_1, e_1)$ and $s_2 = (x_2, e_2)$, and set as their shared key the output of the obfuscated program. The LWE samples are computed from a function of the form $G_A(x, e) = Ax + e$, where $A \in \mathbb{Z}_q^{n \times n}$ and $x, e$ are sampled from a noise distribution. Directly using the LWE assumption, which states that the output of $G$ is indistinguishable from uniform, and the fact that $G$ is expanding, we conclude that $G$ is a PRG. Combining this observation with the known constructions of punctured PRFs from any one-way function, we conclude that there exists a NIKE protocol assuming iO and polynomial modulus LWE.

From NIKE To weak-PRFs

In a NIKE protocol, the reconciliation functions are hard to predict even given the transcript of the protocol. This special property of reconciliation functions is also useful for other cryptographic primitives. In particular, we show that reconciliation functions have to be weak-pseudorandom functions. Hence, a NIKE protocol would result in a new direct construction of weak pseudorandom functions from polynomial modulus LWE. A weak-pseudorandom function (weak-PRF) is an efficient function family that is indistinguishable from a random function when we have access only to random evaluations of the function. We focus on the case of boolean weak-pseudorandom functions. Formally:

Definition 7.5.2. Let $\kappa > 0$ be a security parameter. An efficient function family ensemble $\mathcal{F} = \{\mathcal{F}_\kappa : \{0, 1\}^\kappa \to \{0, 1\}\}$ is called a weak-pseudorandom function family if for every probabilistic polynomial-time algorithm $\mathcal{A}$:

$$\Pr_{f, x}\big[\mathcal{A}^{\mathcal{O}_f}(x) = f(x)\big] \le 1/2 + \mathrm{negl}(\kappa),$$

where $f$ is sampled uniformly at random from $\mathcal{F}_\kappa$ and $x \leftarrow \{0, 1\}^\kappa$. Every query to the oracle $\mathcal{O}_f$ is answered with a tuple of the form $(u, f(u))$, where $u \leftarrow \{0, 1\}^\kappa$.

We call $\Pr_{f, x}[\mathcal{A}^{\mathcal{O}_f}(x) = f(x)] - 1/2$ the success probability of $\mathcal{A}$.

We show that reconciliation functions have to be sampled from a weak-PRF family.

Theorem 7.5.3. Let $\kappa > 0$ be a security parameter and suppose that $\mathrm{Rec}_1$ and $\mathrm{Rec}_2$ are the reconciliation functions of a NIKE protocol in our model. Namely, $\mathrm{Rec}_1$ and $\mathrm{Rec}_2$ are efficiently computable boolean functions that reach key agreement with error at most $\varepsilon = \mathrm{negl}(\kappa)$ and for every $\mathrm{poly}(\kappa)$-time algorithm $\mathcal{A}$,

$$\Pr\big[\mathcal{A}(A, b_1, b_2) = \mathrm{Rec}_1(A, x_1, e_1, b_2)\big] \le \frac{1}{2} + \mathrm{negl}(\kappa),$$

where $A \leftarrow \mathbb{Z}_q^{n \times n}$, $e_1, e_2 \leftarrow \mathcal{X}^n$ and $x_1, x_2 \leftarrow \mathcal{X}^n$, $b_1 = x_1^T A + e_1^T$ and $b_2 = A x_2 + e_2$. Then, if the LWE assumption holds, the function families $\mathcal{F} = \{F_{A, x_1, e_1} : \mathbb{Z}_q^n \to \{0, 1\}\}$, where $F_{A, x_1, e_1}(\cdot) = \mathrm{Rec}_1(A, x_1, e_1, \cdot)$, and $\mathcal{G} = \{G_{A, x_2, e_2} : \mathbb{Z}_q^n \to \{0, 1\}\}$, where $G_{A, x_2, e_2}(\cdot) = \mathrm{Rec}_2(A, x_2, e_2, \cdot)$, are weak-PRF families.

Even though we formally prove that the reconciliation functions should be pseudorandom with access to random evaluations of the functions, they have to satisfy a stronger pseudorandomness property: they should remain pseudorandom even with access to evaluations of adversarially chosen LWE samples. Also, our result holds for multiple LWE samples. The above theorem readily generalizes to show the weak pseudorandomness of reconciliation functions in any NIKE protocol where the exchanged messages are indistinguishable from uniform. Although (weak-)PRFs are equivalent to one-way functions [85], the known generic constructions are highly inefficient and unstructured. Direct constructions of (weak-)PRFs from LWE are known for superpolynomial modulus [15, 14] and very recently new constructions based on polynomial LWE modulus were introduced [108]. We emphasize that even though pseudorandomness is a necessary condition for a reconciliation function, it is definitely not sufficient. Reconciliation functions are very structured, as the computation of the common key should be allowed in at least two ways, one for Alice and one for Bob.

Proof. We show that $\mathcal{F}$ is a weak-PRF family; the same analysis holds for $\mathcal{G}$. Assume that there exists a distinguisher $\mathcal{D}$ for $\mathcal{F}$ with success probability $\alpha$; we use $\mathcal{D}$ to break the soundness of the NIKE protocol. From the correctness condition of NIKE,

$$\Pr\big[F_{A, x_1, e_1}(b_2) = g(A, x_2, e_2, b_1)\big] \ge 1 - \mathrm{negl}(\kappa).$$

Hence, with high probability we compute evaluations of $F_{A, x_1, e_1}$ by sampling LWE secret and noise $x_2, e_2$, and computing $g(A, x_2, e_2, b_1)$. Additionally, the LWE assumption implies that these evaluations of $F$ are computationally indistinguishable from uniform evaluations, as required by the definition of weak-PRFs.

We construct an adversary $\mathcal{A}$ that breaks either the LWE assumption or the soundness condition of NIKE. The adversary $\mathcal{A}$ on input $(A, b_1^*, b_2^*)$ runs as follows:

- Run the distinguisher $\mathcal{D}$, where we answer the oracle queries using LWE samples and $g$ as above, instead of uniform evaluations.
- Return the output of $\mathcal{D}$ with challenge query $b_2^*$.

Let us denote by $E$ the event that $F_{A, x_1, e_1}(b_2) = g(A, x_2, e_2, b_1)$ for all oracle calls of $F_{A, x_1, e_1}$ needed by $\mathcal{D}$; then

$$\begin{aligned}
\Pr\big[\mathcal{A}(A, b_1^*, b_2^*) = F_{A, x_1, e_1}(b_2^*)\big] &\ge \Pr\big[\mathcal{A}(A, b_1^*, b_2^*) = F_{A, x_1, e_1}(b_2^*) \,\big|\, E\big] \Pr[E] \\
&= \Pr\big[\mathcal{D}^{\mathcal{O}_f^*}(b_2^*) = F_{A, x_1, e_1}(b_2^*)\big] \Pr[E],
\end{aligned}$$

where $\mathcal{O}_f^*$ is the oracle that provides evaluations of $f = F_{A, x_1, e_1}$ on LWE samples instead of uniform. If $\big|\Pr[\mathcal{D}^{\mathcal{O}_f^*}(b_2^*) = F_{A, x_1, e_1}(b_2^*)] - \Pr[\mathcal{D}^{\mathcal{O}_f}(u) = F_{A, x_1, e_1}(u)]\big| > \mathrm{negl}(\kappa)$, where $u$ is sampled uniformly in $\mathbb{Z}_q^n$, then $\mathcal{D}$ is a distinguisher between LWE and uniform samples. Otherwise,

$$\Pr\big[\mathcal{A}(A, b_1^*, b_2^*) = F_{A, x_1, e_1}(b_2^*)\big] \ge \Pr\big[\mathcal{D}^{\mathcal{O}_f}(u) = F_{A, x_1, e_1}(u)\big] \Pr[E] - \mathrm{negl}(\kappa) \ge \alpha - \mathrm{negl}(\kappa).$$

Hence, if $\mathcal{D}$ breaks $\mathcal{F}$, then either the LWE assumption or the soundness condition of NIKE is violated.

Chapter 8

Summary and Open Problems

We summarize our contributions and highlight the most interesting open problems that arise from this thesis.

The PPP class. Problems whose totality is based on a pigeonhole principle argument belong to the class PPP. This class and its subclass PWPP have interesting connections with Cryptography. We provide the first natural complete problems for these classes. Our complete problems are generalizations of the well-known SIS problem. A fascinating open question is whether there exists a worst-to-average case reduction for our PWPP-complete problem. This result would imply the first natural, in the sense that it does not invoke explicitly a Turing machine in the input, and universal collision resistant hash function family. Another very interesting direction is showing that SIS is PPP-complete, since this implies a unique characterization of a concrete cryptographic assumption using a complexity class and vice versa.

The PPA_q class. We study the search problem class PPA_q defined as a modulo $q$ analog of the well-known polynomial parity argument class PPA. We show that this class can be characterized in terms of PPA_p for prime $p$. Our main result is to establish that an explicit version of a search problem associated to the Chevalley–Warning theorem is complete for PPA_p for prime $p$. This problem is natural in that it does not explicitly involve circuits as part of the input. It is the first such complete problem for PPA_p when $p \ge 3$. Finally, we discuss connections between the Chevalley–Warning theorem and the well-studied short integer solution problem and survey the structural properties of PPA_q.

In a subsequent work [72], we show that the problem $p$-Necklace-Splitting belongs to PPA_p for prime $p$. The $q$-Necklace-Splitting problem is defined as follows:¹ There is an open necklace with $q \cdot a_i$ beads of color $i$, for $i \in [n]$. The goal is to cut the necklace in $(q - 1) \cdot n$ places and partition the resulting substrings into $k$ collections, each containing precisely $a_i$ beads of color $i$ for each $i \in [n]$. The fact that such a partition exists was first shown in the case of $q = 2$ by Goldberg and West [80] and by Alon and West [8]. Later, Alon [6] proved it for all $q \ge 2$. Recently, Filos-Ratsikas and Goldberg [71] showed that the 2-Necklace-Splitting problem is PPA-complete. Hence, an important open question is whether $p$-Necklace-Splitting is PPA_p-complete.

Building NIZK proofs from LWE. We show a reduction from constructing NIZK proof systems for all of NP based on LWE, to constructing a NIZK proof system for a particular computational problem on lattices, namely a decisional variant of the Bounded Distance Decoding (BDD) problem. That is, we show that assuming LWE, every language $L \in$ NP has a NIZK proof system if (and only if) the decisional BDD problem has a NIZK proof system. To construct our NIZK proof system, we introduce a new notion that we call prover-assisted oblivious ciphertext sampling (POCS), which allows one to sample ciphertexts with the help of an (untrusted) prover without knowing the underlying plaintext.

Recently, Peikert and Shiehian [137] (building on [42]) constructed general purpose statistical NIZK arguments in the common random string model and general purpose NIZK proofs in the common reference string model under LWE. Unlike our work, which is based on the hidden bits approach of [68], these new constructions are based on an instantiation of the Fiat–Shamir paradigm [69]. While the question of constructing NIZKs from LWE is by now mostly resolved, one important variant (to which our techniques may be applicable) remains open: constructing NIZK proofs in the common random string model (i.e., with an unstructured CRS) based on LWE.

¹ An "open necklace" means that the beads form a string, not a cycle.

Barriers for NIKE from polynomial modulus LWE. In protocols where the parties exchange only LWE samples, we rule out the most natural choices of key reconciliation functions. Additionally, we point out that non-interactive key reconciliation functions, unlike interactive ones, have to be as complex as weak pseudorandom functions. Overall, our results show possibilities and challenges in designing simple (ring) LWE-based non-interactive key exchange protocols. An interesting open direction is to understand what happens when the messages contain extra information, apart from the LWE samples. To this end, one would have to come up with a natural and simple form of messages (based on LWE) and explore the possibility of basing non-interactive key exchange on it. For instance, a natural idea is to consider LWE samples together with some leakage about the secrets.

Appendix A

Missing proofs of Chapter 4

A.1 Proof of Claim 4.3.4

Proof of Claim 4.3.4. The proof of this claim follows readily from Appendix A.1.

 x  y  z  w  |  w+2z-x-y  |  z+2w-x-y  |  w+2z+x+y
 0  0  0  0  |      0     |      0     |      0
 0  0  0  1  |      1     |      2     |      1
 0  0  1  0  |      2     |      1     |      2
 0  0  1  1  |     -1     |     -1     |     -1
 0  1  0  0  |     -1     |     -1     |      1
 0  1  0  1  |      0     |      1     |      2
 0  1  1  0  |      1     |      0     |     -1
 0  1  1  1  |      2     |      2     |      0
 1  0  0  0  |     -1     |     -1     |      1
 1  0  0  1  |      0     |      1     |      2
 1  0  1  0  |      1     |      0     |     -1
 1  0  1  1  |      2     |      2     |      0
 1  1  0  0  |      2     |      2     |      2
 1  1  0  1  |     -1     |      0     |     -1
 1  1  1  0  |      0     |     -1     |      0
 1  1  1  1  |      1     |      1     |      1

Table A.1: The values of specific expressions (mod 4) for all different binary values of the variables.

Appendix B

Missing proofs of Chapter 5

B.1 Reductions Between Complete Problems

In order to prove Theorem 5.2.4, we introduce an additional problem that serves as an intermediate problem in our reductions.

Definition B.1.1 ($\mathrm{Leaf}'_q$).

Principle: Same as $\mathrm{Leaf}_q$, but degrees are allowed to be larger (polynomially bounded).

Object: $q$-uniform hypergraph $G = (V, E)$. Designated vertex $v^* \in V$.

Inputs:
- $C : \{0, 1\}^n \to (\{0, 1\}^{nq})^k$, with $(\{0, 1\}^{nq})^k$ interpreted as $k$ many $q$-subsets of $\{0, 1\}^n$.
- $v^* \in \{0, 1\}^n$ (usually $0^n$).

Encoding: $V := \{0, 1\}^n$. For distinct $v_1, \ldots, v_q$, $e := \{v_1, \ldots, v_q\} \in E$ if $e \in C(v)$ for all $v \in e$.

Solutions: $v^*$ if $\deg(v^*) \equiv 0 \pmod q$, and $v \ne v^*$ if $\deg(v) \not\equiv 0 \pmod q$.

Proof of Theorem 5.2.4. We show the following inter-reducibilities: (1) $\mathrm{Leaf}_q \asymp \mathrm{Leaf}'_q$, (2) $\mathrm{Leaf}'_q \asymp \mathrm{Bipartite}_q$ and (3) $\mathrm{Leaf}_q \asymp \mathrm{Lonely}_q$.

(1a) $\mathrm{Leaf}_q$ reduces to $\mathrm{Leaf}'_q$. Each instance of $\mathrm{Leaf}_q$ is trivially an instance of $\mathrm{Leaf}'_q$.

(1b) $\mathrm{Leaf}'_q$ reduces to $\mathrm{Leaf}_q$. We start with a $\mathrm{Leaf}'_q$ instance $(\mathcal{C}, v^*)$, where $\mathcal{C}$ encodes a $q$-uniform hypergraph $G = (V, E)$ with degree at most $k$. Let $t = \lceil k/q \rceil$. We construct a $\mathrm{Leaf}_q$ instance encoding a hypergraph $\bar{G} = (\bar{V}, \bar{E})$ on vertex set $\bar{V} := V \times [t]$, intuitively making $t$ copies of each vertex. In order to locally compute hyperedges, we first fix a canonical algorithm that for any vertex $v$ and any edge $e \in E$ incident on $v$, assigns a label $\ell_v(e) \in [t]$, with at most $q$ edges mapping to the same label; e.g. sort all edges incident on $v$ in lexicographic order and bucket them sequentially in at most $t$ groups of at most $q$ each. Note that we can ensure that for any vertex $v$ at most one label gets mapped to a non-zero, non-$q$ number of edges. Moreover, if $\deg(v) \equiv 0 \pmod q$, then exactly $q$ or $0$ edges are assigned to any label.

We assume that $\deg(v^*) \not\equiv 0 \pmod q$, as otherwise a reduction would not be necessary. We let $(v^*, \ell^*)$ be the designated vertex of the $\mathrm{Leaf}_q$ instance, where $\ell^*$ is the unique label that gets mapped to a non-zero, non-$q$ number of edges incident on $v^*$. We assign to every vertex $(v, i) \in \bar{V}$ at most $q$ edges as follows: For each edge $e = \{v_1, \ldots, v_q\}$ such that $\ell_v(e) = i$, the corresponding hyperedge of $(v, i)$ is $\{(v_1, \ell_{v_1}(e)), \ldots, (v_q, \ell_{v_q}(e))\}$. It is easy to see that the designated vertex $(v^*, \ell^*)$ indeed has non-zero, non-$q$ degree. Moreover, a vertex has $\deg(v, i) \notin \{0, q\}$ in $\bar{G}$ only if $v$ has a non-multiple-of-$q$ degree in $G$. Thus, solutions to the $\mathrm{Leaf}_q$ instance naturally map to solutions to the original $\mathrm{Leaf}'_q$ instance. By Remark 5.2.5, this completes the reduction since the edges are locally computable with black-box access to $\mathcal{C}$ and $\bar{V}$ is efficiently indexable.

(2a) $\mathrm{Leaf}'_q$ reduces to $\mathrm{Bipartite}_q$. We start with a $\mathrm{Leaf}'_q$ instance $(\mathcal{C}, v^*)$, where $\mathcal{C}$ encodes a $q$-uniform hypergraph $G = (V, E)$. We construct a $\mathrm{Bipartite}_q$ instance encoding a graph $\bar{G} = (\bar{V} \cup U, \bar{E})$ such that $\bar{V} = V$ and $U = \binom{V}{q}$, i.e. all $q$-size subsets of $V$. We include the edge $(v, e) \in \bar{E}$ if $e \in E$ is incident on $v$. The designated vertex for the $\mathrm{Bipartite}_q$ instance is $v^*$ in $\bar{V}$.

Clearly, all vertices $e \in U$ have degree either $q$ or $0$. For any $v \in V$, the degree of $v$ in $\bar{G}$ is the same as its degree in $G$. Thus, any solution to the $\mathrm{Bipartite}_q$ instance immediately gives a solution to the original $\mathrm{Leaf}'_q$ instance. By Remark 5.2.5, this completes the reduction since the edges are locally computable with black-box access to $\mathcal{C}$ and $\bar{V}$ and $U$ are efficiently indexable (cf. [114, §2.3] for efficiently indexing $U$).

(2b) $\mathrm{Bipartite}_q$ reduces to $\mathrm{Leaf}'_q$. We start with a $\mathrm{Bipartite}_q$ instance $(\mathcal{C}, v^*)$ encoding a bipartite graph $\mathcal{G} = (V \cup U, E)$ with maximum degree of any vertex being at most $k$. We construct a $\mathrm{Leaf}'_q$ instance encoding a hypergraph $\bar{G} = (\bar{V}, \bar{E})$ such that $\bar{V} = V$ with designated vertex $v^*$.

First, we fix a canonical algorithm that for any vertex $u \in U$ with $\deg_{\mathcal{G}}(u) \equiv 0 \pmod q$ produces a partition of its neighbors with $q$ vertices of $V$ in each part. Now, the set of $q$-uniform hyperedges in $\bar{E}$ incident on a vertex $v \in V$ is obtained as follows: for all neighbors $u$ of $v$ with $\deg_{\mathcal{G}}(u) \equiv 0 \pmod q$, we include a hyperedge consisting of all vertices in the same part as $v$ among the neighbors of $u$ (we ignore neighbors $u$ with $\deg(u) \not\equiv 0 \pmod q$).

Observe that $\deg_{\bar{G}}(v) \le \deg_{\mathcal{G}}(v)$ and equality holds if and only if all neighbors of $v$ in $\mathcal{G}$ have degree $\equiv 0 \pmod q$. Hence, for any $v \in V$, if $\deg_{\bar{G}}(v) \ne \deg_{\mathcal{G}}(v)$, then there exists a neighbor $u \in U$ of $v$ in $\mathcal{G}$ such that $\deg(u) \not\equiv 0 \pmod q$. Thus, if $v = v^*$ and $\deg_{\bar{G}}(v^*) \equiv 0 \pmod q$, then either $\deg_{\mathcal{G}}(v) \equiv 0 \pmod q$ or we can find a neighbor $u$ of $v$ in $\mathcal{G}$ with $\deg(u) \not\equiv 0 \pmod q$. Similarly, if for some $v \ne v^*$ we have $\deg_{\bar{G}}(v) \not\equiv 0 \pmod q$, then either $\deg_{\mathcal{G}}(v) \not\equiv 0 \pmod q$ or we can find a neighbor $u$ of $v$ in $\mathcal{G}$ with $\deg(u) \not\equiv 0 \pmod q$. Thus, any solution to the $\mathrm{Leaf}'_q$ instance gives us a solution to the original $\mathrm{Bipartite}_q$ instance. This completes the reduction since $\bar{V} = \{0, 1\}^n$ and the edges are locally computable with black-box access to $\mathcal{C}$.

(3a) $\mathrm{Leaf}_q$ reduces to $\mathrm{Lonely}_q$. We start with a $\mathrm{Leaf}_q$ instance $(\mathcal{C}, v^*)$, where $\mathcal{C}$ encodes a $q$-uniform hypergraph $G = (V, E)$ with degree at most $q$. If $\deg_G(v^*) = q$ or $0$, then we do not need any further reduction. Else, we construct a $\mathrm{Lonely}_q$ instance encoding a $q$-dimensional matching $\bar{G} = (\bar{V}, \bar{E})$ on vertex set $\bar{V} = V \times [q]$. The designated vertices are $V^* = \{(v^*, q - i) : 0 \le i \le q - \deg(v^*) - 1\}$. Note that $|V^*| = q - \deg_G(v^*)$, and hence $1 \le |V^*| \le q - 1$.

In order to locally compute hyperedges, we first fix a canonical algorithm that for any vertex $v$ and any edge $e \in E$ incident on $v$, assigns a unique label $\ell_v(e) \in [q]$; e.g. sort all edges incident on $v$ in lexicographic order and label them sequentially in $[q]$. In fact, we can ensure that an edge incident on $v$ gets labeled within $\{1, \ldots, \deg_G(v)\}$. We assign to a vertex $(v, i) \in \bar{V}$ at most one hyperedge as follows:

- If $\deg_G(v) = 0$, we include the hyperedge $\{(v, i) : i \in [q]\}$.
- Else if $\deg_G(v) \ge i$, for the edge $e = \{v_1, \ldots, v_q\}$ incident on $v$ such that $\ell_v(e) = i$, the corresponding hyperedge of $(v, i)$ is $\{(v_1, \ell_{v_1}(e)), \ldots, (v_q, \ell_{v_q}(e))\}$.
- Else if $0 < \deg_G(v) < i$, we leave it isolated.

It is easy to see that our definition of hyperedges is consistent and that the designated vertices $V^*$ are indeed isolated. Moreover, a vertex $(v, i)$ is isolated in $\bar{G}$ only if $1 \le \deg_G(v) \le q - 1$. Thus, solutions to the $\mathrm{Lonely}_q$ instance naturally map to solutions to the original $\mathrm{Leaf}_q$ instance. By Remark 5.2.5, this completes the reduction since the edges are locally computable with black-box access to $\mathcal{C}$ and $\bar{V}$ is efficiently indexable.

(3b) Lonely$_q$ $\preceq$ Leaf$_q$. We start with a Lonely$_q$ instance $(\mathcal{C}, V^*)$, where $\mathcal{C}$ encodes a $q$-dimensional matching $G = (V, E)$. We construct a Leaf$_q$ instance encoding a $q$-uniform hypergraph $\bar G = (\bar V, \bar E)$ on a vertex set $\bar V$ that is specified shortly. We describe the hyperedges in $\bar G$; it is then clear how to compute the hyperedges of any vertex locally with just black-box access to $\mathcal{C}$. We start with $\bar V = V$. Our goal is to transform all vertices of degree 1 to degree $q$, while ensuring that vertices of degree 0 are mapped to vertices whose degree is not a multiple of $q$. Towards this goal we let $\bar E$ be the set of edges in $E$ together with $q - 1$ canonical $q$-dimensional matchings over $V$. For example, for a vertex $v := (x_1, \dots, x_n) \in V = [q]^n$, the corresponding edges in $\bar E$ include an edge in $E$ (if any) and the edges $e_i = \{(x_1, \dots, x_{i-1}, j, x_{i+1}, \dots, x_n) : j \in [q]\}$ for $i \in [q - 1]$ (note that this requires us to assume $n \ge q - 1$). Adding the $q - 1$ matchings increases the degree of each vertex by $q - 1$. Therefore, vertices with initial degree 1 now have degree $q$ and vertices with initial degree 0 now have degree $q - 1$. However, a couple of issues remain in order to complete the reduction, which we handle next.

Multiplicities. An edge $e \in E$ might have been added twice, if it belonged to one of the canonical matchings. To avoid this issue altogether, instead of adding the edges of $E$ directly on $V$, we augment $\bar V$ to become $\bar V := V \cup \left(\binom{V}{q} \times [q - 1]\right)$, i.e. in addition to $V$, we have $q - 1$ vertices for every potential hyperedge of $G$. For any edge $e := \{v_1, \dots, v_q\} \in E$, instead of adding it directly to $\bar G$, we add the hyperedge $\{v, (e, 1), (e, 2), \dots, (e, q - 1)\}$ for each $v \in e$. Note that all vertices $(e, i) \in \binom{V}{q} \times [q - 1]$ have degree $q$ if $e \in E$ and degree 0 if $e \notin E$, so they are not solutions for the Leaf$_q$ instance. For vertices in $V$, it still holds that vertices with initial degree 1 now have degree $q$ and vertices with initial degree 0 now have degree $q - 1$.

Designated vertex. In a Leaf$_q$ instance, we need to specify a single designated vertex $v^* \in \bar V$. If the Lonely$_q$ instance had a single designated vertex, then we would be done. However, in general it is not possible to assume this (for non-prime $q$). Nevertheless, we provide a way to get around this. We augment $\bar V$ with $t = (q - 1)(q - k) + 1$ additional vertices to become $\bar V := V \cup \left(\binom{V}{q} \times [q - 1]\right) \cup \{w_{i,j} : i \in [q - k], j \in [q - 1]\} \cup \{v^*\}$, where $v^*$ is eventually the single designated vertex for the Leaf$_q$ instance. Let $V^* = \{u_1, \dots, u_k\} \subseteq V$ be the set of designated vertices in the Lonely$_q$ instance; we assume without loss of generality that $1 \le k < q$ and that the $u_i$ are isolated in $G$ (a non-isolated designated vertex is already a solution, so no reduction is needed in that case). So far, note that $\deg_{\bar G}(u_i) = q - 1$. The only new hyperedges we add are among the $u_i$'s, the $w_{i,j}$'s and $v^*$, in such a way that $\deg_{\bar G}(u_i)$ becomes $q$, the degree of all $w_{i,j}$'s is also $q$ and the degree of $v^*$ is $q - k$.

• For each $u \in V^*$, include $\{u, w_{1,1}, \dots, w_{1,q-1}\}$. So far, $\deg_{\bar G}(u) = q$ and $\deg_{\bar G}(w_{1,j}) = k$.
• For each $j \in [q - 1]$ and $i \in \{2, \dots, q - k\}$, include $\{w_{1,j}, w_{i,1}, \dots, w_{i,q-1}\}$. So far, $\deg_{\bar G}(w_{i,j}) = q - 1$ for all $(i, j) \in [q - k] \times [q - 1]$: each $w_{1,j}$ gained $q - k - 1$ hyperedges and each $w_{i,j}$ with $i \ge 2$ gained $q - 1$.
• Finally, for each $i \in [q - k]$, include $\{v^*, w_{i,1}, \dots, w_{i,q-1}\}$. Now, $\deg_{\bar G}(w_{i,j}) = q$ for all $(i, j) \in [q - k] \times [q - 1]$ and $\deg_{\bar G}(v^*) = q - k$, which is not a multiple of $q$ since $1 \le k < q$.

Thus, we have finally reduced to a Leaf$_q$ instance encoding the graph $\bar G = (\bar V, \bar E)$ with $\bar V := V \cup \left(\binom{V}{q} \times [q - 1]\right) \cup \{w_{i,j} : i \in [q - k], j \in [q - 1]\} \cup \{v^*\}$. By Remark 5.2.5, this completes the reduction, since $\bar V$ is efficiently indexable (again, see [114] for a reference on indexing $\binom{V}{q}$) and the edges are locally computable using black-box access to $\mathcal{C}$.
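The construction of (3b) can be checked on a small explicit instance. The following Python is an added example written for this page, not code from the thesis: it builds the Leaf$_q$ hypergraph $\bar G$ from a Lonely$_q$ instance given as an explicit list of matching edges (standing in for the circuit $\mathcal{C}$), using the canonical matchings, the $(e, i)$ gadget vertices and the $w_{i,j}$ / $v^*$ gadget above, and then verifies the degree claims. The instance ($q = 3$, $V = [3]^2$, two matching edges, two isolated designated vertices) is constructed for the example; gadget vertices $(e, i)$ with $e \notin E$ are omitted because they have degree 0 and can never be solutions, and the Leaf$_q$ solution condition is taken, as the proof uses it, to be a non-designated vertex whose degree is not a multiple of $q$.

```python
from collections import Counter
from itertools import product


def lonely_to_leaf(q, n, E, designated):
    """Reduction (3b): build the Leaf_q hypergraph from a Lonely_q instance.

    V = [q]^n with coordinates 0..q-1, E is a list of q-sets forming a
    q-dimensional matching on V, designated is the list V* of k isolated
    designated vertices with 1 <= k < q.  Returns (hyperedges, vstar).
    """
    k = len(designated)
    assert 1 <= k < q and n >= q - 1
    V = list(product(range(q), repeat=n))
    hyperedges = []

    # q-1 canonical q-dimensional matchings on V: the i-th one varies
    # coordinate i and fixes the rest (one hyperedge per class, picked at j = 0).
    for i in range(q - 1):
        for v in V:
            if v[i] == 0:
                hyperedges.append(frozenset(v[:i] + (j,) + v[i + 1:] for j in range(q)))

    # Edges of E are routed through gadget vertices (e,1),...,(e,q-1), so an edge
    # of E that coincides with a canonical matching edge is not added twice.
    # Gadgets for e not in E would have degree 0 and are left out.
    for e in E:
        e = frozenset(e)
        gadget = [("gadget", e, i) for i in range(1, q)]
        for v in e:
            hyperedges.append(frozenset([v] + gadget))

    # Designated-vertex gadget: w_{i,j} for i in [q-k], j in [q-1], plus the single v*.
    w = {(i, j): ("w", i, j) for i in range(1, q - k + 1) for j in range(1, q)}
    vstar = "vstar"
    for u in designated:                      # deg(u): q-1 -> q; deg(w_{1,j}) = k
        hyperedges.append(frozenset([tuple(u)] + [w[1, j] for j in range(1, q)]))
    for j in range(1, q):                     # brings every w_{i,j} to degree q-1
        for i in range(2, q - k + 1):
            hyperedges.append(frozenset([w[1, j]] + [w[i, jj] for jj in range(1, q)]))
    for i in range(1, q - k + 1):             # every w_{i,j} -> q; deg(v*) = q-k
        hyperedges.append(frozenset([vstar] + [w[i, j] for j in range(1, q)]))
    return hyperedges, vstar


def degrees(hyperedges):
    deg = Counter()
    for h in hyperedges:
        deg.update(h)
    return deg


def leaf_solutions(q, hyperedges, vstar):
    """Non-designated vertices whose degree is not a multiple of q."""
    return {v for v, d in degrees(hyperedges).items() if v != vstar and d % q != 0}


def lonely_solutions(q, n, E, designated):
    """Isolated, non-designated vertices of the original q-dimensional matching."""
    covered = {v for e in E for v in e}
    excluded = set(map(tuple, designated))
    return {v for v in product(range(q), repeat=n) if v not in covered and v not in excluded}


# Constructed instance: q = 3, V = [3]^2, two matching edges, k = 2 isolated
# designated vertices; (2, 1) is the only remaining isolated vertex.
Q, N = 3, 2
EDGES = [{(0, 0), (1, 1), (2, 2)}, {(0, 1), (1, 2), (2, 0)}]
DESIGNATED = [(0, 2), (1, 0)]

if __name__ == "__main__":
    H, vs = lonely_to_leaf(Q, N, EDGES, DESIGNATED)
    print("deg(v*) =", degrees(H)[vs])                      # q - k = 1
    print("Leaf_q solutions:", leaf_solutions(Q, H, vs))    # {(2, 1)}
    print("Lonely_q solutions:", lonely_solutions(Q, N, EDGES, DESIGNATED))
```

Running it with the $k = 1$ variant (a single designated vertex) exercises the second bullet, which is empty when $k = q - 1$: every $w_{i,j}$ still ends at degree $q$ and $v^*$ at degree $q - k$.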

B.2 Completeness of SuccinctBipartite

We introduce a new intermediate problem, called TwoMatchings, in order to show PPA$_p$-completeness of SuccinctBipartite$_p$.

Definition B.2.1 (TwoMatchings$_p$).

Principle: Two $p$-dimensional matchings over a common vertex set, with a vertex in exactly one of the matchings, have another such vertex.

Object: Two $p$-dimensional matchings $G_0 = (V, E_0)$, $G_1 = (V, E_1)$. Designated vertex $v^* \in V$.

Inputs: $\mathcal{C}_0 : \{0,1\}^n \to (\{0,1\}^n)^p$ and $\mathcal{C}_1 : \{0,1\}^n \to (\{0,1\}^n)^p$; $v^* \in \{0,1\}^n$.

Encoding: $V := \{0,1\}^n$. For $b \in \{0,1\}$, $E_b := \{e : \mathcal{C}_b(v) = e \text{ for all } v \in e\}$.

Solutions: $v^*$ if $\deg_{G_0}(v^*) \ne 1$ or $\deg_{G_1}(v^*) \ne 0$; and $v \ne v^*$ if $\deg_{G_0}(v) \ne \deg_{G_1}(v)$.

Observe that in the case of $p = 2$, TwoMatchings$_2$ is equivalent to Leaf$_2$.

Theorem B.2.2. For any prime $p$, SuccinctBipartite$_p$ and TwoMatchings$_p$ are PPA$_p$-complete.

Proof. We show that Bipartite$_p$ $\preceq$ SuccinctBipartite$_p$ $\preceq$ TwoMatchings$_p$ $\preceq$ Lonely$_p$.

Bipartite$_p$ $\preceq$ SuccinctBipartite$_p$. Since $p$ is a prime, we can assume that the designated vertex $v^*$ has degree $1 \pmod p$ (similarly to Lemma 5.7.1). Since the number of neighbors in a Bipartite$_p$ instance is polynomial, we can efficiently check if an edge exists and canonically group the edges of any vertex with degree a multiple of $p$. The designated edge $e^*$ is the unique ungrouped edge incident on $v^*$. Thus, edges which are valid solutions to SuccinctBipartite$_p$ must have at least one endpoint which is a solution to the original Bipartite$_p$ instance.

SuccinctBipartite$_p$ $\preceq$ TwoMatchings$_p$. We reduce to a TwoMatchings$_p$ instance encoding two $p$-dimensional matchings $G_0 = (\bar V, E_0)$ and $G_1 = (\bar V, E_1)$ over the vertex set $\bar V = V \times U \times [p - 1]$, that is, all possible edges producible in the SuccinctBipartite$_p$ instance. The designated vertex $\bar v^*$ is the designated edge $e^*$ of the SuccinctBipartite$_p$ instance.

For any edges $e_1, \dots, e_p$ which are grouped by $\varphi_V$ pivoted at some $v \in V$, we include the hyperedge $\{e_1, \dots, e_p\}$ in $E_0$. Similarly, for any edges $e_1, \dots, e_p$ which are grouped by $\varphi_U$ pivoted at some $u \in U$, we include the hyperedge $\{e_1, \dots, e_p\}$ in $E_1$. It is easy to see that points in exactly one of the two matchings $G_0$ or $G_1$ correspond to edges of the SuccinctBipartite$_p$ instance that are not grouped at exactly one end. Thus, we can derive a solution to SuccinctBipartite$_p$ from a solution to TwoMatchings$_p$. (Remark: while edges which are not grouped at either end are also solutions to SuccinctBipartite$_p$, they do not correspond to a solution in the TwoMatchings$_p$ instance.)

TwoMatchings$_p$ $\preceq$ Lonely$_p$. Given an instance of TwoMatchings$_p$ encoding two $p$-dimensional matchings $G_0 = (V, E_0)$ and $G_1 = (V, E_1)$, we reduce to an instance of Lonely$_p$ encoding a $p$-dimensional matching $\bar G = (\bar V, \bar E)$ such that $\bar V = V \times [p]$. The designated vertex for the Lonely$_p$ instance is $(v^*, p)$.

For any hyperedge $\{v_1, \dots, v_p\}$ in $E_0$ and for each $i \in \{1, \dots, p - 1\}$, we include the hyperedge $\{(v_1, i), (v_2, i), \dots, (v_p, i)\}$ in $\bar G$. Similarly, for any hyperedge $\{v_1, \dots, v_p\}$ in $E_1$, we include the hyperedge $\{(v_1, p), (v_2, p), \dots, (v_p, p)\}$ in $\bar G$. If $v \in V$ is isolated in both $G_0$ and $G_1$, then we include the hyperedge $\{v\} \times [p]$. Observe that $(v^*, p)$ is isolated by design (we may assume $\deg_{G_0}(v^*) = 1$ and $\deg_{G_1}(v^*) = 0$, since otherwise $v^*$ is already a solution). A vertex $(v, i)$, for $i < p$, is isolated only if $\deg_{G_0}(v) = 0$ and $\deg_{G_1}(v) = 1$. Similarly, the vertex $(v, p)$ is isolated only if $\deg_{G_0}(v) = 1$ and $\deg_{G_1}(v) = 0$. Thus, isolated vertices in the Lonely$_p$ instance correspond to solutions of the TwoMatchings$_p$ instance.
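The reduction just described, as an added Python example written for this page (not code from the thesis): the two matchings are given by constructed oracle tables $C_0$, $C_1$ standing in for the circuits $\mathcal{C}_0$, $\mathcal{C}_1$ of Definition B.2.1, the hyperedge of each $(v, i)$ is computed locally from black-box queries only, and the isolated vertices of the resulting Lonely$_p$ instance are compared against the TwoMatchings$_p$ solutions. The instance ($p = 3$, twelve vertices, one vertex whose $\mathcal{C}_1$ claim is not confirmed by the other members, three vertices isolated in both matchings) is constructed for the example.

```python
P = 3
V = range(12)

# Constructed oracles C_0, C_1 for a TwoMatchings_3 instance on V = {0,...,11}.
# C_b(v) is the p-tuple that v "claims" as its edge; by Definition B.2.1 a tuple e
# is an edge of E_b only if every vertex of e claims exactly e.  Tuples such as
# (4, 4, 4) model junk circuit outputs and never form an edge.
C0 = {v: (3 * (v // 3), 3 * (v // 3) + 1, 3 * (v // 3) + 2) if v < 9 else (v, v, v)
      for v in V}                                        # E_0 = {0,1,2},{3,4,5},{6,7,8}
C1 = {v: (0, 1, 2) if v < 3 else (v, v, v) for v in V}  # E_1 = {0,1,2}
C1[3] = (3, 4, 5)                                        # 3 claims {3,4,5}; 4 and 5 do not
VSTAR = 6                                                # deg_{G_0}(v*) = 1, deg_{G_1}(v*) = 0


def matching_edge(C, v):
    """Edge of the p-dimensional matching encoded by C that contains v, or None.
    Uses only p+1 black-box queries to C, so it is a local computation."""
    e = C[v]
    if len(set(e)) != P or v not in e:
        return None
    return frozenset(e) if all(C[u] == e for u in e) else None


def lonely_edge(v, i):
    """Hyperedge of (v, i) in the Lonely_p instance on V x [p], or None if isolated:
    copies 1..p-1 of v carry its E_0 edge, copy p carries its E_1 edge, and a vertex
    isolated in both matchings gets the hyperedge {v} x [p]."""
    e0, e1 = matching_edge(C0, v), matching_edge(C1, v)
    if i < P and e0 is not None:
        return frozenset((u, i) for u in e0)
    if i == P and e1 is not None:
        return frozenset((u, P) for u in e1)
    if e0 is None and e1 is None:
        return frozenset((v, j) for j in range(1, P + 1))
    return None


def is_consistent():
    """Every member of a produced hyperedge must produce that same hyperedge."""
    return all(lonely_edge(u, j) == h
               for v in V for i in range(1, P + 1)
               for h in [lonely_edge(v, i)] if h is not None
               for (u, j) in h)


def lonely_isolated():
    return {(v, i) for v in V for i in range(1, P + 1) if lonely_edge(v, i) is None}


def two_matchings_solutions():
    """v != v* with deg_{G_0}(v) != deg_{G_1}(v), as in Definition B.2.1."""
    return {v for v in V if v != VSTAR
            and (matching_edge(C0, v) is None) != (matching_edge(C1, v) is None)}


if __name__ == "__main__":
    iso = lonely_isolated()
    print("isolated in the Lonely_p instance:", sorted(iso))
    print("mapped back to V (minus v*):", sorted(v for v, i in iso if v != VSTAR))
    print("TwoMatchings_p solutions:", sorted(two_matchings_solutions()))
```

Note that the number of isolated vertices of the Lonely$_p$ instance is a multiple of $p$, as the totality of Lonely$_p$ demands, even though the vertex $3$ with an unconfirmed $\mathcal{C}_1$ claim contributes nothing to $E_1$.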

B.3 Equivalence with PMOD$_p$

Proof of Lemma 5.7.1. Let $p$ be a prime. We consider a Lonely$_p$ instance $(\mathcal{C}, V^*)$, where $\mathcal{C}$ encodes a $p$-dimensional matching $G = (V, E)$ and $|V^*| = \ell$. We wish to reduce to an instance of Lonely$_p^k$, where the number of designated vertices is exactly $k$. First, we assume that all vertices in $V^*$ are indeed isolated in $G$; otherwise, no reduction is necessary. The key reason why this lemma holds for primes (and not for composites) is that $\ell$ has a multiplicative inverse modulo $p$. In particular, let $t \in [p - 1]$ with $t \equiv \ell^{-1} k \pmod p$. We construct a Lonely$_p^k$ instance encoding the $p$-dimensional matching $\bar G = (\bar V, \bar E)$ over $\bar V = V \times [t]$. Let $\bar V^*$ be the lexicographically first $k$ vertices in $V^* \times [t]$. Note that $|V^* \times [t]| = t \cdot \ell \equiv k \pmod p$. Thus, we partition the remaining vertices of $V^* \times [t]$ into $p$-uniform hyperedges. For any vertex $v \in V \setminus V^*$ with neighbors $v_1, \dots, v_{p-1}$ in $G$, the neighbors of $(v, i)$ in $\bar G$ are $(v_1, i), \dots, (v_{p-1}, i)$ for any $i \in [t]$. Thus, a vertex $(v, i)$ is isolated only if it is in $\bar V^*$ or $v$ is isolated in $G$. This completes the reduction since $\bar V$ is efficiently indexable; see Remark 5.2.5.

Proof of Corollary 5.7.2. For $p = 2$, Mod$_2$ is the same as Lonely$_2$. So, assume that $p$ is a prime such that $p > 2$. It is easy to see that Mod$_p \preceq$ Lonely$_p$ with number of designated vertices $k \equiv -2^n \pmod p$, since $\{0,1\}^n$ is efficiently indexable (Remark 5.2.5). Conversely, using Lemma 5.7.1, we can reduce a Lonely$_p$ instance to a Mod$_p$ instance as follows. Let the Lonely$_p$ instance encode a $p$-dimensional matching over a vertex set $V$ whose size is a multiple of $p$, e.g. $V = [p]^n$. If any of the designated vertices is not isolated, no further reduction is necessary. Otherwise, choose $N$ with $2^N > p \cdot |V|$. Since $p$ is an odd prime, $2^N \not\equiv 0 \pmod p$, so by Lemma 5.7.1 we may first change the number of designated vertices to the $k \in [p - 1]$ with $k \equiv -2^N \pmod p$; this replaces $V$ by $\bar V = V \times [t]$ for some $t \in [p - 1]$, whose size is still a multiple of $p$ and is less than $2^N$. (The order matters: for a given $k$ one cannot in general find $N$ with $2^N \equiv -k \pmod p$, since $-k$ need not be a power of 2 modulo $p$, so it is the number of designated vertices that is adjusted to $N$.) We then embed the non-designated vertices of $\bar G$ into the first $|\bar V| - k$ vertices of $\{0,1\}^N$. Since $2^N - |\bar V| + k \equiv 0 \pmod p$, we can partition the remaining vertices into $p$-uniform hyperedges, and thus solutions to the Mod$_p$ instance readily map to solutions of the original Lonely$_p$ instance.

B.4 Proof of Theorem 5.5.1

Proof of Theorem 5.5.1. From Theorem 5.4.11, it suffices to show the reduction ChevalleyWithSymmetry$_p$ $\preceq$ SuccinctBipartite$_p[\mathrm{AC}^0_{\mathbb{F}_p}]$. Additionally, from the proof of Theorem 5.4.11 we can assume without loss of generality that the system of polynomials $f = (g, h)$ of the ChevalleyWithSymmetry$_p$ instance has the following properties.

a. Each polynomial $f_i$ has degree at most 2.

b. Each polynomial $f_i$ has at most 3 monomials.

c. Each polynomial $f_i$ has at most 3 variables.

Hence, we can compute each of the polynomials $g_i^{p-1}$ explicitly as a sum of monomials. The degree of each $g_i^{p-1}$ is $O(p)$ and the number of monomials is at most $3^p$. Observe that since $p$ is a constant, $3^p$ is also a constant. Now, we follow the proof of Lemma 5.4.13 that reduces an instance of the problem ChevalleyWithSymmetry$_p$ to an instance of SuccinctBipartite$_p$. Following this proof there are three circuits that we need to replace with formulas in $\mathrm{AC}^0_{\mathbb{F}_p}$ to reduce to SuccinctBipartite$_p[\mathrm{AC}^0_{\mathbb{F}_p}]$. The first circuit is the edge counting circuit $\mathcal{C}$ and the other two are the grouping functions $\varphi_V$ and $\varphi_U$. We remind that the bipartite graph $G = (U \cup V, E)$ of the SuccinctBipartite$_p$ instance has two parts $U$, $V$, where $U$ is the set of all possible assignments, i.e. $\mathbb{F}_p^n$, and $V = V_1 \cup V_2$, where $V_1$ is the set of all monomials of the polynomial $\mathrm{CW}_g = \prod_{i=1}^{m_g} (1 - g_i^{p-1})$ and $V_2$ is the set of all $p$-tuples of assignments, i.e. $(\mathbb{F}_p^n)^p$.

From Edge Counting Circuit To Edge Counting Formula. As described in the proof of Lemma 5.4.13 the edge counting circuit takes as input a vertex $u \in U$ and a vertex $v \in V$ and outputs the multiplicity of the edge $\{u, v\}$ in $G$. Hence, the edge counting formula $\mathcal{C}$ takes as input a tuple $(x, s, a, y)$. The vector $x$ corresponds to the assignment in $U$. The vector $a$ corresponds to the description of a monomial of $\mathrm{CW}_g$. In particular, $a$ represents the monomial $\prod_{i=1}^{m_g} t_{i,a_i}$, where $t_{i,a_i}$ is the $a_i$-th monomial of the polynomial $1 - g_i^{p-1}$. The vector $y = (y_1, y_2, \dots, y_p)$ corresponds to a $p$-tuple in $V_2$. Finally, $s$ is a selector to distinguish between $v \in V_1$ and $v \in V_2$, namely if $s = 1$ we have $v \in V_1$ and if $s = 0$ we have $v \in V_2$. So, the edge counting formula can be written as follows:
$$\mathcal{C}(x, s, a, y) = \Big(\prod_{i \in \mathbb{F}_p,\, i \ne 1} (s - i)\Big)\, \mathcal{C}_1(x, a, y) + \Big(\prod_{i \in \mathbb{F}_p,\, i \ne 0} (s - i)\Big)\, \mathcal{C}_2(x, a, y). \tag{B.4.1}$$
Each product vanishes unless $s$ equals the omitted value, so the first term is active only when $s = 1$ and the second only when $s = 0$. Thus, we can define the edge counting formula $\mathcal{C}_1$ for when $v \in V_1$ and the edge counting formula $\mathcal{C}_2$ for when $v \in V_2$ separately and combine them using at most two additional layers in the arithmetic formula. Now, $\mathcal{C}_1(x, a, y) = \mathbb{1}(y = 0) \cdot \prod_{i=1}^{m_g} \mathcal{Q}_i(x, a_i)$, where $\mathcal{Q}_i(x, a_i)$ is the formula that computes the value $t_{i,a_i}(x)$. Observe that the factor $\mathbb{1}(y = 0)$ can be easily computed and is necessary since $\mathcal{C}_1$ should consider only neighbors between $x$ and monomials in $V_1$. Hence, if $y$ is not equal to 0, $\mathcal{C}_1$ should return 0. The number of monomials of $1 - g_i^{p-1}$ is constant, and hence the formula $\mathcal{Q}_i(x, a_i)$ can be easily implemented in constant depth using a selector between all different monomials similarly to Equation (B.4.1). Hence, $\mathcal{C}_1$ is implemented in constant depth.

The formula $\mathcal{C}_2$ has a factor $\mathbb{1}(a = 0)$ to ensure only neighbors in $V_2$ have non-zero outputs. The main challenge in the description of $\mathcal{C}_2$ is that every distinct $p$-tuple $y$ has $p!$ equivalent representations, but the modulo $p$ argument of Lemma 5.4.13 applies only when edges appear on precisely one of the equivalent copies of the $p$-tuple. Thus, we let $\mathcal{C}_2$ add edges only to the lexicographically ordered version of $y$. It is a simple exercise to see that sorting $p$ numbers, when $p$ is constant, is possible in constant depth. We leave this folklore observation as an exercise to the reader. Once we make sure that $y$ is lexicographically sorted, we compute a sorted representation of the set $\Sigma_x = \{x, \sigma(x), \dots, \sigma^{p-1}(x)\}$, where $\sigma$ is the permutation in the input of the ChevalleyWithSymmetry$_p$ problem. Then, we can easily check whether the $p$-tuple represented by $y$ is the same as the sorted $p$-tuple $\Sigma_x$. Finally, we observe that edges between $x$ and $\Sigma_x$ are only used when $x \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$, which again can be checked with constant depth formulas. If these checks pass, then $\mathcal{C}_2$ outputs $p - 1$, otherwise it outputs 0.

From Grouping Circuits to Grouping Formulas. For this step, we use selectors similarly to Equation (B.4.1) and sorting as in the description of $\mathcal{C}_2$.

Grouping formula $\varphi_U$. We describe the edge grouping formula $\varphi_U$ with input $(s, a, y, x, k)$, where $s$ is a selector to distinguish between $v \in V_1$ and $v \in V_2$ as in the edge counting formula, $a \in V_1$, $y \in V_2$, $x \in U$, and $k \in [p]$. We consider two cases depending on whether $v \in V_1$ (i.e. $s = 1$) or $v \in V_2$ (i.e. $s = 0$). Let $\psi_1$ be the formula for the first case and $\psi_2$ be the formula for the second case. For the case $s = 1$, we consider two sub-cases: (i) $x \in \overline{\mathcal{V}}_g$ and (ii) $x \in \mathcal{V}_g$. For case (i) we define the formula $\psi_1^1$ and for case (ii) we define the formula $\psi_2^1$. Computing $\mathbb{1}(x \in \mathcal{V}_g)$ can be done using a depth 3 formula, since $g$ is given in an explicit form. Finally, we can combine $\psi_1^1$ and $\psi_2^1$ using a selector.

Case $s = 1$, $x \in \overline{\mathcal{V}}_g$. The formula $\psi_1^1$ first computes $i^* = \min\{i \in [m_g] : 1 - g_i^{p-1}(x) = 0\}$; such an $i$ exists because $x \notin \mathcal{V}_g$ means that $g_i(x) \ne 0$ for some $i$, and then $g_i^{p-1}(x) = 1$. This is doable in constant depth, since we can compute in parallel the value $\mathbb{1}(1 - g_i^{p-1}(x) = 0)$ for all $i \in [m_g]$, and then compute for every $i$ whether $1 - g_i^{p-1}(x) = 0$ and $1 - g_j^{p-1}(x) \ne 0$ for all $j < i$, which requires just one multiplication gate per $i$.

Because of the properties of the input system of polynomials $f$, each polynomial $g_i$ depends only on three variables. Hence, the monomials of $1 - g_i^{p-1}$ can be explicitly represented as numbers in $[r_i]$ with $r_i = 3^{p-1} + 1$. Next, we explicitly list out the multiset containing the monomials $t_j = (a_1, a_2, \dots, a_{i^*} \leftarrow j, \dots, a_{m_g})$ with multiplicity $t_j(x)$ for each $j \in [r_{i^*}]$. Finally, $\psi_1^1$ groups the multiset into sets of size $p$ and outputs the set containing $(a, k)$. The size of the multiset depends only on $p$, which is constant, and hence the grouping can be done in constant depth.

Case $s = 1$, $x \in \mathcal{V}_g$. We remind that $a = 0$ corresponds to the constant monomial 1 of the polynomial $\mathrm{CW}_g$. If $a \ne 0$, this case is similar to the previous one, except that we use the polynomials $g_i^{p-1}$ instead of $1 - g_i^{p-1}$; see also the proof of Lemma 5.4.13. If $a = 0$, $\psi_2^1$ outputs $(a, 1)$ and the $p - 1$ tuples $(y, t)$, $t \in [p - 1]$, where $y$ is the lexicographically ordered set $\Sigma_x$.

Case $s = 0$. In this case, the formula $\psi_2$ checks whether $a = 0$ and the vector $y$ is equal to the sorted $p$-tuple representing $\Sigma_x$, as described in the edge counting formula $\mathcal{C}$. It also checks if $x \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$. If any of these checks fails, the output is 0. Otherwise, we output $(y, t)$, $t \in [p - 1]$, which describe the edges connecting $x$ with $\Sigma_x$, and $(0, 1)$, which describes the edge connecting $x$ with the constant term of $\mathrm{CW}_g$.

Grouping formula $\varphi_V$. We describe the edge grouping formula $\varphi_V$ with input $(s, a, y, x, k)$, where $s$ is a selector to distinguish between $v \in V_1$ and $v \in V_2$ as in the edge counting formula, $a \in V_1$, $y \in V_2$, $x \in U$, and $k \in [p]$. We consider two cases depending on whether $v \in V_1$ (i.e. $s = 1$) or $v \in V_2$ (i.e. $s = 0$). Let $\chi^1$ be the formula for the first case and $\chi^2$ be the formula for the second case. In each case, we check that $a$ or $y$ is equal to 0, which is done similarly to the previous formulas.

Case $s = 1$. In this case, we have to find a variable that appears with degree less than $p - 1$ in the monomial $t_a = \prod_{i=1}^{m_g} t_{i,a_i}$. We first compute for each $j \in [n]$ the degree $d_j$ of the variable $x_j$ in $t_a$. This can be done with a constant size formula that, for any $j \in [n]$, sums the exponents of $x_j$ over the monomials $t_{i,a_i}$ appearing in $t_a$. Now, in order to find any $d_j \ne p - 1$, we compute for each $j \in [n]$ the values $1^{d_j}, 2^{d_j}, \dots, (p - 1)^{d_j}$ and check in parallel if at least one of them is different from 1. Hence, we have computed the set $\{j : \text{degree of } x_j \text{ in } t_a \ne p - 1\}$. We can find the smallest index $j^* = \min\{j \in [n] : \text{degree of } x_j \text{ in } t_a \ne p - 1\}$ using the same construction as in $\psi_1$.

Finally, for $x^{(j)} = (x_1, \dots, x_{j^*-1}, x_{j^*} \leftarrow j, \dots, x_n)$ with $j \in \mathbb{F}_p$ we define the multiset $\{(x^{(j)}, t_a(x^{(j)}))\}_{j \in \mathbb{F}_p}$. The formula $\chi^1$ divides this multiset into groups of $p$ elements and outputs the group containing $(x, k)$. Observe that the size of the multiset is only a function of $p$, and hence constant. Therefore, we can explicitly construct a constant depth formula to capture this grouping.

Case $s = 0$. For constructing the formula $\chi^2$, we first check whether $x \in \mathcal{V}_g \cap \overline{\mathcal{V}}_h$ and whether $y$ is the lexicographically sorted version of $\Sigma_x$. If all checks pass, then we output the $p$ edges of the form $(x', k)$ for all $x' \in \Sigma_x$, which correspond to the $k$-th copy of the edge between $x'$ and $y$.

Hence, our theorem follows since the instance of ChevalleyWithSymmetry$_p$ from the reduction of Lemma 5.4.19 reduces to SuccinctBipartite$_p[\mathrm{AC}^0_{\mathbb{F}_p}]$. $\square$

Appendix C

Missing proofs of Chapter 7

C.1 A self-contained proof of Theorem 7.3.1

In Section 7.3, we use two lemmas (Lemmas 7.3.4 and 7.3.7) in order to bound the key agreement probability by $\max_{c \in \mathbb{Z}_q \setminus \{0\}} |\mathbb{E}_{e \leftarrow \xi}[\chi_c(e)]|$. In this section, we give a self-contained proof of Lemma 7.3.5 without explicitly using the notion of maximal correlation. However, this proof is essentially an unrolling of the proof using maximal correlation.

Claim 3. For any $m \ge 1$, balanced $f, g : \mathbb{Z}_q^m \to \{0, 1\}$, and $\mu_{\mathcal{X}}$ as in Theorem 7.3.1, it holds that
$$\Pr_{(X, Y) \leftarrow \mu_{\mathcal{X}}^{\otimes m}}[f(X) = g(Y)] \le \frac{1 + \max_{c \in \mathbb{Z}_q \setminus \{0\}} |\mathbb{E}_{e \leftarrow \xi}[\chi_c(e)]|}{2},$$
where for any $z \in \mathbb{Z}_q$, $\xi(z) = \Pr[x_1^T e_2 - e_1^T x_2 = z]$.

Combining the above claim with the fact that $\max_{c \in \mathbb{Z}_q \setminus \{0\}} |\mathbb{E}_{e \leftarrow \xi}[\chi_c(e)]| \le 1 - \Omega(1/q^2)$ (see Claims 1 and 2), Theorem 7.3.1 follows.

Proof. Let $F(x) = (-1)^{f(x)}$ and $G(x) = (-1)^{g(x)}$. Then, for any $c \in \mathbb{Z}_q^m$, let
$$\hat F(c) = \mathbb{E}_{x \leftarrow \mathcal{U}(\mathbb{Z}_q^m)}[F(x)\chi_c(-x)] \quad\text{and}\quad \hat G(c) = \mathbb{E}_{x \leftarrow \mathcal{U}(\mathbb{Z}_q^m)}[G(x)\chi_c(-x)].$$
Note that for any $x \in \mathbb{Z}_q^m$, $F(x) = \sum_{c \in \mathbb{Z}_q^m} \hat F(c)\chi_c(x)$ and $G(x) = \sum_{c \in \mathbb{Z}_q^m} \hat G(c)\chi_c(x)$. Observe that $X$ is distributed uniformly and $Y = X + e$, where $e \leftarrow \xi^{\otimes m}$. Then
$$\begin{aligned}
|\mathbb{E}_{X, e}[F(X)G(X + e)]|
&= \Big|\sum_{c' \in \mathbb{Z}_q^m \setminus \{0^m\}} \overline{\hat F(c')}\,\hat G(c')\,\mathbb{E}_e[\chi_{c'}(e)]\Big| \\
&\le \sqrt{\sum_{c' \in \mathbb{Z}_q^m \setminus \{0^m\}} |\hat F(c')|^2 \cdot \sum_{c' \in \mathbb{Z}_q^m \setminus \{0^m\}} |\hat G(c')|^2}\; \max_{c \in \mathbb{Z}_q^m \setminus \{0^m\}} |\mathbb{E}_e[\chi_c(e)]| \\
&\le \max_{c \in \mathbb{Z}_q^m \setminus \{0^m\}} |\mathbb{E}_e[\chi_c(e)]| \\
&\le \max_{c \in \mathbb{Z}_q \setminus \{0\}} |\mathbb{E}_{e \leftarrow \xi}[\chi_c(e)]|.
\end{aligned}$$
The first equality follows by linearity of expectation and the fact that $X$ is uniform over $\mathbb{Z}_q^m$: the orthogonality of the characters leaves only the diagonal terms, and the $c' = 0^m$ term vanishes because $f$ and $g$ are balanced, so $\hat F(0^m) = \hat G(0^m) = 0$. For the next inequality, we use the triangle inequality and Cauchy–Schwarz, noting that $\mathbb{E}[\chi_c(e)]$ is real, since $\xi$ is symmetric. The next inequality follows by Parseval's identity, which states that $\sum_c |\hat F(c)|^2 = \mathbb{E}[|F(X)|^2] = 1$. The last inequality holds because $\xi^{\otimes m}$ is a product distribution, so $\mathbb{E}_e[\chi_c(e)] = \prod_{i=1}^m \mathbb{E}_{e_i \leftarrow \xi}[\chi_{c_i}(e_i)]$, where every factor has modulus at most 1 and at least one coordinate $c_i$ is non-zero. The desired conclusion follows from the fact that $\Pr[f(X) = g(Y)] = \frac{1 + \mathbb{E}[F(X)G(Y)]}{2}$.
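As an added numerical illustration written for this page (not part of the thesis), the following Python evaluates the quantities in Claim 3 on a toy instance: $q = 4$, a constructed symmetric distribution $\mathcal{X}$ on $\mathbb{Z}_4$, the scalar ($n = 1$) version of $\xi(z) = \Pr[x_1 e_2 - e_1 x_2 = z]$, and $m = 1$, where the balanced $f, g$ can be enumerated exhaustively. It computes $\max_{c \ne 0} |\mathbb{E}_{e \leftarrow \xi}[\chi_c(e)]|$, checks the Fourier identity behind the first equality and Parseval, and compares the worst-case agreement probability over all balanced pairs with the bound of the claim.

```python
import cmath
import math
from collections import Counter
from itertools import combinations, product

Q = 4
# Constructed symmetric "secret/error" distribution X over Z_4: Pr[0] = 1/2, Pr[+-1] = 1/4.
CHI = {0: 0.5, 1: 0.25, 3: 0.25}


def chi(q, c, e):
    """Additive character chi_c(e) = exp(-2 pi i c e / q) of Z_q."""
    return cmath.exp(-2j * math.pi * c * e / q)


def xi_distribution(q, dist):
    """Law of x1*e2 - e1*x2 mod q with x1, x2, e1, e2 i.i.d. from dist (scalar n = 1 case)."""
    xi = Counter()
    for (x1, p1), (x2, p2), (e1, p3), (e2, p4) in product(dist.items(), repeat=4):
        xi[(x1 * e2 - e1 * x2) % q] += p1 * p2 * p3 * p4
    return dict(xi)


def char_bias(q, xi):
    """max_{c != 0} |E_{e <- xi}[chi_c(e)]|, the quantity that appears in Claim 3."""
    return max(abs(sum(p * chi(q, c, e) for e, p in xi.items())) for c in range(1, q))


def agreement_bound(q, xi):
    """Right-hand side of Claim 3."""
    return (1 + char_bias(q, xi)) / 2


def agreement_prob(q, xi, f, g):
    """Pr[f(X) = g(X + e)] for X uniform on Z_q and e <- xi (m = 1); f, g are 0/1 tuples."""
    return sum(p / q for x in range(q) for e, p in xi.items() if f[x] == g[(x + e) % q])


def balanced_functions(q):
    """All balanced f : Z_q -> {0,1} (q must be even), as 0/1 tuples indexed by x."""
    for ones in combinations(range(q), q // 2):
        yield tuple(1 if x in ones else 0 for x in range(q))


def worst_case_agreement(q, xi):
    return max(agreement_prob(q, xi, f, g)
               for f in balanced_functions(q) for g in balanced_functions(q))


def fourier_coeffs(q, f):
    """F-hat(c) = E_x[F(x) chi_c(-x)] for F = (-1)^f and c in Z_q."""
    F = [(-1) ** fx for fx in f]
    return [sum(F[x] * chi(q, c, -x) for x in range(q)) / q for c in range(q)]


def fourier_side(q, xi, f, g):
    """sum_{c != 0} conj(F-hat(c)) G-hat(c) E_e[chi_c(e)], the Fourier form of E[F(X)G(Y)]."""
    Fh, Gh = fourier_coeffs(q, f), fourier_coeffs(q, g)
    return sum(Fh[c].conjugate() * Gh[c] * sum(p * chi(q, c, e) for e, p in xi.items())
               for c in range(1, q))


if __name__ == "__main__":
    xi = xi_distribution(Q, CHI)
    f = g = (1, 1, 0, 0)            # indicator of {0, 1}; its Fourier mass sits on c = 1, 3
    print("xi      =", xi)
    print("bound   =", agreement_bound(Q, xi))
    print("worst   =", worst_case_agreement(Q, xi))
    print("2Pr - 1 =", 2 * agreement_prob(Q, xi, f, g) - 1)
    print("fourier =", fourier_side(Q, xi, f, g))
```

For this instance the bound is attained: the pair $f = g = \mathbb{1}_{\{0,1\}}$ has all of its Fourier mass on the characters $c = \pm 1$, which are exactly the ones maximising $|\mathbb{E}_{e \leftarrow \xi}[\chi_c(e)]|$, so the Cauchy–Schwarz step is tight.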

Ring-LWE case. We get a similar result for the Ring-LWE case. Let $R_q$ be the ring $\mathbb{Z}_q[x]/g(x)$, where $g$ is a polynomial of degree $n$ over $\mathbb{Z}_q$. We identify an element of $R_q$ with its coefficient vector in $\mathbb{Z}_q^n$. We say that $w$ is drawn from $(\mathcal{X}^n)^*$ if its coefficients are drawn from $\mathcal{X}^n$ conditioned on $w$ being a unit of $R_q$.

Theorem C.1.1. Let $n, q \ge 1$ be integers and $R_q$ be as above. Assume that the distribution $\mathcal{X}$ over $\mathbb{Z}_q$ is symmetric and that for any $a \in \mathbb{Z}_q \setminus \{0\}$, $\Pr_{z \leftarrow \mathcal{X}}[az = 0] \le 9/10$ and $\Pr_{z \leftarrow \mathcal{X}}[az = q/2] \le 9/10$, and let $(\mathcal{X}^n)^*$ be as above. Let $\mu_{\mathrm{RLWE}, \mathcal{X}}(X, Y)$ be the joint distribution of
$$X = x_1 \cdot a \cdot x_2 + x_1 \cdot e_2 \quad\text{and}\quad Y = x_2 \cdot a \cdot x_1 + x_2 \cdot e_1,$$
where $\cdot$ is polynomial multiplication, $a \leftarrow \mathcal{U}(R_q)$, $e_1, e_2 \leftarrow \mathcal{X}^n$ and $x_1, x_2 \leftarrow (\mathcal{X}^n)^*$ (so that $X - Y = x_1 \cdot e_2 - e_1 \cdot x_2$, the ring analogue of the LWE case). Then for any $m \ge 1$, and any balanced functions $\mathrm{Rec}_1, \mathrm{Rec}_2 : R_q^m \to \{0, 1\}$ with respect to the marginal distributions of $\mu_{\mathrm{RLWE}, \mathcal{X}}^{\otimes m}$, it holds that
$$\Pr_{(X^m, Y^m) \leftarrow \mu_{\mathrm{RLWE}, \mathcal{X}}^{\otimes m}}[\mathrm{Rec}_1(X^m) = \mathrm{Rec}_2(Y^m)] \le 1 - \Omega(1/q^2).$$

Proof. We proceed as in the LWE case by proving claims similar to Claims 1, 2 and 3. For $c \in R_q$, we define $\chi_c : R_q \to \mathbb{C}$ as $\chi_c(x) = e^{-2\pi i \langle c, x \rangle / q}$, where $\langle c, x \rangle$ is the inner product of the coefficient vectors of $c, x$ over $\mathbb{Z}_q$. Then, the following claims hold.

Claim 4. For any $m \ge 1$ and balanced $f, g : R_q^m \to \{0, 1\}$, it holds that
$$\Pr[f(X^m) = g(Y^m)] \le \frac{1 + \max_{c \in R_q \setminus \{0^n\}} |\mathbb{E}_{e \leftarrow \xi}[\chi_c(e)]|}{2},$$
where for any $z \in R_q$, $\xi(z) = \Pr[x_1 \cdot e_2 - e_1 \cdot x_2 = z]$.

Claim 5. For any $a \in R_q \setminus \{0^n\}$, $|\mathbb{E}_{e \leftarrow \xi}[\chi_a(e)]| \le \max_{c \in R_q \setminus \{0^n\}} |\mathbb{E}_{e \leftarrow \mathcal{X}^n}[\chi_c(e)]|$.

Claim 6. For any $c \in R_q \setminus \{0^n\}$, $|\mathbb{E}_{e \leftarrow \mathcal{X}^n}[\chi_c(e)]| \le 1 - \Omega(1/q^2)$.

The proofs are almost identical to the corresponding proofs of Claims 3, 2 and 1, and so we omit them.

Bibliography

[1] Shweta Agrawal, David Mandell Freeman, and Vinod Vaikuntanathan. Functional encryption for inner product predicates from learning with errors. In ASIACRYPT, 2011.

[2] Dorit Aharonov and Oded Regev. Lattice problems in NP ∩ coNP. In FOCS, 2004.

[3] James Aisenberg, Maria Luisa Bonet, and Sam Buss. 2-D Tucker is PPA complete. Electronic Colloquium on Computational Complexity (ECCC), 22:163, 2015.

[4] Miklós Ajtai. Generating hard instances of lattice problems. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, pages 99–108. ACM, 1996.

[5] Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe. Post-quantum key exchange - A new hope. In 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016, 2016.

[6] Noga Alon. Splitting necklaces. Advances in Mathematics, 63(3):247–253, 1987.

[7] Noga Alon, Shmuel Friedland, and Gil Kalai. Regular subgraphs of almost regular graphs. Journal of Combinatorial Theory, Series B, 37(1):79–91, 1984.

[8] Noga Alon and Douglas B. West. The Borsuk-Ulam theorem and bisection of necklaces. Proceedings of the American Mathematical Society, 98(4):623–628, 1986.

[9] Joël Alwen and Chris Peikert. Generating shorter bases for hard random lattices. Theory of Computing Systems, 48(3):535–553, 2011.

[10] Omer Angel, Sébastien Bubeck, Yuval Peres, and Fan Wei. Local max-cut in smoothed polynomial time. In Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, pages 429–437. ACM, 2017.

[11] Benny Applebaum, David Cash, Chris Peikert, and Amit Sahai. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In CRYPTO, 2009.

[12] Sanjeev Arora and Boaz Barak. Computational Complexity: A Modern Approach. Cambridge University Press, 2009.

[13] Frank Ban, Kamal Jain, Christos H. Papadimitriou, Christos Alexandros Psomas, and Aviad Rubinstein. Reductions in PPP. Unpublished manuscript, 2015.

[14] Abhishek Banerjee and Chris Peikert. New and improved key-homomorphic pseudorandom functions. In Advances in Cryptology - CRYPTO 2014 - 34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2014, Proceedings, Part I, 2014.

[15] Abhishek Banerjee, Chris Peikert, and Alon Rosen. Pseudorandom functions and lattices. In Advances in Cryptology - EUROCRYPT 2012, 2012.

[16] Paul Beame, Stephen Cook, Jeff Edmonds, Russell Impagliazzo, and Toniann Pitassi. The relative complexity of NP search problems. Journal of Computer and System Sciences, 57(1):3–19, 1998.

[17] Paul Beame and Søren Riis. More on the relative strength of counting principles. In Proceedings of the DIMACS Workshop on Proof Complexity and Feasible Arithmetics, volume 39, pages 13–35, 1998.

[18] Richard Beigel and John Gill. Counting classes: Thresholds, parity, mods, and fewness. Theor. Comput. Sci., 103(1):3–23, 1992.

[19] Mihir Bellare, Daniele Micciancio, and Bogdan Warinschi. Foundations of group signatures: Formal definitions, simplified requirements, and a construction based on general assumptions. In EUROCRYPT, 2003.

[20] Mihir Bellare and Moti Yung. Certifying permutations: Noninteractive zero-knowledge based on any trapdoor permutation. J. Cryptology, 9(3):149–166, 1996.

[21] Aleksandrs Belovs, Gábor Ivanyos, Youming Qiao, Miklos Santha, and Siyi Yang. On the polynomial parity argument complexity of the combinatorial Nullstellensatz. In Proceedings of the 32nd Computational Complexity Conference, page 30. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, 2017.

[22] Adam Bender, Jonathan Katz, and Ruggero Morselli. Ring signatures: Stronger definitions, and constructions without random oracles. In TCC. Springer, 2006.

[23] Itay Berman, Akshay Degwekar, Ron D. Rothblum, and Prashant Nalini Vasudevan. Multi-collision resistant hash functions and their applications. In Advances in Cryptology – EUROCRYPT 2018, pages 133–161, 2018.

[24] Itay Berman, Ron D. Rothblum, and Vinod Vaikuntanathan. Zero-knowledge proofs of proximity. In 9th Innovations in Theoretical Computer Science Conference, ITCS 2018, January 11-14, 2018, Cambridge, MA, USA, 2017.

[25] Nir Bitansky and Idan Gerichter. On the cryptographic hardness of local search. In 11th Innovations in Theoretical Computer Science Conference (ITCS 2020), 2020.

[26] Nir Bitansky, Yael Tauman Kalai, and Omer Paneth. Multi-collision resistance: a paradigm for keyless hash functions. In Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2018, pages 671–684, 2018.

[27] Nir Bitansky and Omer Paneth. ZAPs and non-interactive witness indistinguishability from indistinguishability obfuscation. In TCC, 2015.

[28] Nir Bitansky, Omer Paneth, and Alon Rosen. On the cryptographic hardness of finding a Nash equilibrium. In Foundations of Computer Science (FOCS), 2015 IEEE 56th Annual Symposium on, pages 1480–1498. IEEE, 2015.

[29] Hans Frederik Blichfeldt. A new principle in the geometry of numbers, with some applications. Transactions of the American Mathematical Society, 15(3):227–235, 1914.

[30] Manuel Blum, Paul Feldman, and Silvio Micali. Non-interactive zero-knowledge and its applications (extended abstract). In STOC, 1988.

[31] Andrej Bogdanov, Siyao Guo, Daniel Masny, Silas Richelson, and Alon Rosen. On the hardness of learning with rounding over small modulus. In Theory of Cryptography - 13th International Conference, TCC 2016-A, Tel Aviv, Israel, January 10-13, 2016, Proceedings, Part I, 2016.

[32] Dan Boneh and Mark Zhandry. Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. Algorithmica, 2017.

[33] J. W. Bos, C. Costello, M. Naehrig, and D. Stebila. Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In 2015 IEEE Symposium on Security and Privacy, 2015.

[34] Elette Boyle, Niv Gilboa, Yuval Ishai, Huijia Lin, and Stefano Tessaro. Foundations of homomorphic secret sharing. In 9th Innovations in Theoretical Computer Science Conference, ITCS 2018, January 11-14, 2018, Cambridge, MA, USA, 2018.

[35] Zvika Brakerski, Adeline Langlois, Chris Peikert, Oded Regev, and Damien Stehlé. Classical hardness of learning with errors. In STOC ’13, pages 575–584, 2013.

[36] Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. SIAM Journal on Computing, 43(2):831–871, 2014.

[37] Josh Buresh-Oppenheim and Tsuyoshi Morioka. Relativized NP search problems and propositional proof systems. In 19th Annual IEEE Conference on Computational Complexity (CCC 2004), 21-24 June 2004, Amherst, MA, USA, pages 54–67, 2004.

[38] Joshua Buresh-Oppenheim. On the TFNP complexity of factoring. Unpublished manuscript, 2006. http://www.cs.toronto.edu/~bureshop/factor.pdf.

[39] Samuel R. Buss, Dima Grigoriev, Russell Impagliazzo, and Toniann Pitassi. Linear gaps between degrees for the polynomial calculus modulo distinct primes. J. Comput. Syst. Sci., 62(2):267–289, 2001.

[40] Samuel R. Buss and Alan S. Johnson. Propositional proofs and reductions between NP search problems. Ann. Pure Appl. Logic, 163(9):1163–1182, 2012.

[41] I. Bárány, S. B. Shlosman, and A. Szücs. On a topological generalization of a theorem of Tverberg. Journal of the London Mathematical Society, s2-23(1):158–164, 1981.

[42] Ran Canetti, Yilei Chen, Justin Holmgren, Alex Lombardi, Guy N. Rothblum, Ron D. Rothblum, and Daniel Wichs. Fiat-Shamir: from practice to theory. In STOC, 2019.

[43] Ran Canetti and Amit Lichtenberg. Certifying trapdoor permutations, revisited. In Theory of Cryptography - 16th International Conference, TCC 2018, Panaji, India, November 11-14, 2018, Proceedings, Part I, 2018.

[44] David Cash, Eike Kiltz, and Victor Shoup. The twin Diffie-Hellman problem and applications. In Advances in Cryptology – EUROCRYPT 2008, 2008.

[45] Xi Chen, Decheng Dai, Ye Du, and Shang-Hua Teng. Settling the complexity of Arrow-Debreu equilibria in markets with additively separable utilities. In Foundations of Computer Science, 2009. FOCS’09. 50th Annual IEEE Symposium on, pages 273–282. IEEE, 2009.

[46] Xi Chen, Xiaotie Deng, and Shang-Hua Teng. Settling the complexity of computing two-player Nash equilibria. Journal of the ACM (JACM), 56(3):14, 2009.

[47] Xi Chen, David Durfee, and Anthi Orfanou. On the complexity of Nash equilibria in anonymous games. In Proceedings of the Forty-Seventh Annual ACM Symposium on Theory of Computing, pages 381–390. ACM, 2015.

[48] Xi Chen, Chenghao Guo, Emmanouil-Vasileios Vlatakis-Gkaragkounis, Mihalis Yannakakis, and Xinzhi Zhang. Smoothed complexity of local max-cut and binary max-CSP. In Proceedings of the 52nd Annual ACM SIGACT Symposium on Theory of Computing, STOC 2020, Chicago, IL, USA, June 22-26, 2020, 2020.

[49] Xi Chen, Dimitris Paparas, and Mihalis Yannakakis. The complexity of non-monotone markets. Journal of the ACM (JACM), 64(3):20, 2017.

[50] Claude Chevalley. Démonstration d’une hypothèse de M. Artin. Abhandlungen aus dem Mathematischen Seminar der Universität Hamburg, 11(1):73–75, Dec 1935.

[51] Arka Rai Choudhuri, Pavel Hubáček, Chethan Kamath, Krzysztof Pietrzak, Alon Rosen, and Guy N. Rothblum. Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. In Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing, 2019.

[52] Arka Rai Choudhuri, Pavel Hubáček, Chethan Kamath, Krzysztof Pietrzak, Alon Rosen, and Guy N. Rothblum. PPAD-hardness via iterated squaring modulo a composite. Cryptology ePrint Archive, Report 2019/667, 2019. https://eprint.iacr.org/2019/667.

[53] Constantinos Daskalakis, Paul W. Goldberg, and Christos H. Papadimitriou. The complexity of computing a Nash equilibrium. SIAM Journal on Computing, 39(1):195–259, 2009.

[54] Constantinos Daskalakis and Christos Papadimitriou. Continuous local search. In Proceedings of the Twenty-Second Annual ACM-SIAM Symposium on Discrete Algorithms, pages 790–804. Society for Industrial and Applied Mathematics, 2011.

[55] Constantinos Daskalakis, Christos Tzamos, and Manolis Zampetakis. A converse to Banach’s fixed point theorem and its CLS completeness. Proceedings of the 50th Annual ACM Symposium on Theory of Computing (STOC), 2018.

[56] Xiaotie Deng, Jack R. Edmonds, Zhe Feng, Zhengyang Liu, Qi Qi, and Zeying Xu. Understanding PPA-completeness. In 31st Conference on Computational Complexity (CCC 2016), volume 50 of Leibniz International Proceedings in Informatics (LIPIcs), pages 23:1–23:25, 2016.

[57] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Trans. Information Theory, 22(6), 1976.

[58] Jintai Ding, Xiang Xie, and Xiaodong Lin. A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688, 2012. http://eprint.iacr.org/2012/688.

[59] Yevgeniy Dodis, Jonathan Katz, Adam Smith, and Shabsi Walfish. Composability and on-line deniability of authentication. In Proceedings of the 6th Theory of Cryptography Conference, TCC 2009, San Francisco, CA, USA, March 15-17, 2009, 2009.

[60] Danny Dolev, Cynthia Dwork, and Moni Naor. Nonmalleable cryptography. SIAM Review, 45(4):727–784, 2003.

[61] Cynthia Dwork and Moni Naor. Zaps and their applications. SIAM J. Comput., 36(6), 2007.

[62] Edith Elkind, Leslie Ann Goldberg, and Paul Goldberg. Nash equilibria in graphical games on trees revisited. In Proceedings of the 7th ACM Conference on Electronic Commerce, pages 100–109. ACM, 2006.

[63] Naomi Ephraim, Cody Freitag, Ilan Komargodski, and Rafael Pass. Continuous verifiable delay functions. In Advances in Cryptology – EUROCRYPT 2020, 2020.

[64] Kousha Etessami, Christos Papadimitriou, Aviad Rubinstein, and Mihalis Yannakakis. Tarski’s theorem, supermodular games, and the complexity of equilibria. In 11th Innovations in Theoretical Computer Science Conference (ITCS 2020), 2020.

[65] Michael Etscheid and Heiko Röglin. Smoothed analysis of local search for the maximum-cut problem. ACM Transactions on Algorithms (TALG), 13(2):25, 2017.

[66] Alex Fabrikant, Christos Papadimitriou, and Kunal Talwar. The complexity of pure Nash equilibria. In Proceedings of the Thirty-Sixth Annual ACM Symposium on Theory of Computing, pages 604–612. ACM, 2004.

[67] John Fearnley, Spencer Gordon, Ruta Mehta, and Rahul Savani. CLS: New problems and completeness. arXiv preprint arXiv:1702.06017, 2017.

[68] Uriel Feige, Dror Lapidot, and Adi Shamir. Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput., 29(1):1–28, 1999.

[69] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In CRYPTO, 1986.

[70] Aris Filos-Ratsikas and Paul W. Goldberg. Consensus halving is PPA-complete. Proceedings of the 50th Annual ACM Symposium on Theory of Computing (STOC), 2018.

[71] Aris Filos-Ratsikas and Paul W. Goldberg. The complexity of splitting necklaces and bisecting ham sandwiches. Proceedings of the 51st Annual ACM SIGACT Symposium on Theory of Computing (STOC), 2019.

[72] Aris Filos-Ratsikas, Alexandros Hollender, Katerina Sotiraki, and Manolis Zampetakis. A topological characterization of modulo-p arguments and implications for necklace splitting. CoRR, abs/2003.11974, 2020.

[73] Eduarda S. V. Freire, Dennis Hofheinz, Eike Kiltz, and Kenneth G. Pater- son. Non-interactive key exchange. In Public-Key Cryptography – PKC 2013. Springer Berlin Heidelberg, 2013.

[74] Oscar Garcia-Morchon, Zhenfei Zhang, Sauvik Bhattacharya, Ronald Riet- man, Ludo Tolhuizen, Jose-Luis Torre-Arce, Hayo Baan, Markku-Juhani O. Saarinen, Scott Fluhrer, Thijs Laarhoven, and Rachel Player. Round5. Technical report, National Institute of Standards and Technology, 2017. available at https://csrc.nist.gov/projects/post-quantum-cryptogra phy/round-2-submissions.

[75] Sanjam Garg, Omkant Pandey, and Akshayaram Srinivasan. Revisiting the cryptographic hardness of finding a Nash equilibrium. In Annual Cryptology Conference, pages 579–604. Springer, 2016.

[76] Hans Gebelein. Das statistische problem der korrelation als variations- und eigenwertproblem und sein zusammenhang mit der ausgleichsrech- nung. ZAMM-Journal of Applied Mathematics and Mechanics/Zeitschrift für Angewandte Mathematik und Mechanik, 21(6):364–379, 1941.

[77] Craig Gentry. Fully homomorphic encryption using ideal lattices. In Pro- ceedings of the 41st Annual ACM Symposium on Theory of Computing, STOC 2009, Bethesda, MD, USA, May 31 - June 2, 2009, 2009.

[78] Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, 2008.

[79] Yael Gertner, Sampath Kannan, Tal Malkin, , and Mahesh Viswanathan. The relationship between public key encryption and oblivious transfer. In 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, 12-14 November 2000, Redondo Beach, California, USA, pages 325–335, 2000.

[80] C. Goldberg and D. West. Bisection of circle colorings. SIAM Journal on Algebraic Discrete Methods, 6(1):93–106, 1985.

[81] Paul W Goldberg and Christos H Papadimitriou. Towards a unified com- plexity theory of total functions. Journal of Computer and System Sciences, 2017.

[82] . The Foundations of Cryptography - Volume 1, Basic Techniques. Cambridge University Press, 2001.

223 [83] Oded Goldreich. The Foundations of Cryptography - Volume 2, Basic Applica- tions. Cambridge University Press, 2004.

[84] Oded Goldreich. Basing non-interactive zero-knowledge on (enhanced) trapdoor permutations: The state of the art. In Studies in Complexity and Cryptography. Springer, 2011.

[85] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random functions. J. ACM, 33(4):792–807, 1986.

[86] Oded Goldreich and Ron D. Rothblum. Enhancements of trapdoor permu- tations. J. Cryptology, 26(3), 2013.

[87] Shafi Goldwasser, Yael Kalai, Raluca Ada Popa, Vinod Vaikuntanathan, and Nickolai Zeldovich. Reusable garbled circuits and succinct functional en- cryption. In STOC, 2013.

[88] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, 1984.

[89] Shafi Goldwasser, Silvio Micali, and . The knowledge com- plexity of interactive proof systems. SIAM J. Comput., 18(1):186–208, 1989.

[90] Mika Göös, Pritish Kamath, Robert Robere, and Dmitry Sokolov. Adven- tures in monotone complexity and TFNP. In 10th Innovations in Theoretical Computer Science Conference, ITCS 2019, January 10-12, 2019, San Diego, Cali- fornia, USA, pages 38:1–38:19, 2019.

[91] Mika Göös, Pritish Kamath, Katerina Sotiraki, and Manolis Zampetakis. On the complexity of modulo-q arguments and the chevalley - warning theorem. In 35th Computational Complexity Conference, CCC 2020, July 28-31, 2020, Saarbrücken, Germany (Virtual Conference), pages 19:1–19:42, 2020.

[92] Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee. Predicate en- cryption for circuits from lwe. In CRYPTO. Springer, 2015.

[93] Rishab Goyal, Venkata Koppula, and Brent Waters. Lockable obfuscation. In 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2017, Berkeley, CA, USA, October 15-17, 2017. IEEE Computer Society, 2017.

[94] Michelangelo Grigni. A Sperner lemma complete for PPA. Information Pro- cessing Letters, 77(5-6):255–259, 2001.

[95] Jens Groth, , and Amit Sahai. New techniques for nonin- teractive zero-knowledge. J. ACM, 59(3):11:1–11:35, 2012.

[96] Siyao Guo, Pritish Kamath, Alon Rosen, and Katerina Sotiraki. Limits on the efficiency of (ring) LWE based non-interactive key exchange. In Public- Key Cryptography - PKC 2020, pages 374–395, 2020.

224 [97] Michael D Hirsch, Christos H Papadimitriou, and Stephen A Vavasis. Expo- nential lower bounds for finding Brouwer fix points. Journal of Complexity, 5(4):379–416, 1989.

[98] Hermann O Hirschfeld. A connection between correlation and contingency. Mathematical Proceedings of the Cambridge Philosophical Society, 31(4), 1935.

[99] Rebecca Hoberg, Harishchandra Ramadas, Thomas Rothvoss, and Xin Yang. Number balancing is as hard as Minkowski’s theorem and shortest vector. In IPCO, volume 10328 of Lecture Notes in Computer Science, pages 254–266. Springer, 2017.

[100] Alexandros Hollender. The classes PPA-k: Existence from arguments mod- ulo k. In Ioannis Caragiannis, Vahab Mirrokni, and Evdokia Nikolova, edi- tors, Web and Internet Economics, pages 214–227, Cham, 2019. Springer Inter- national Publishing.

[101] Pavel Hubáˇcek,Moni Naor, and Eylon Yogev. The journey from NP to TFNP hardness. In 8th Innovations in Theoretical Computer Science Conference, ITCS 2017, January 9-11, 2017, Berkeley, CA, USA, 2017.

[102] Pavel Hubáˇcek and Eylon Yogev. Hardness of continuous local search: Query complexity and cryptographic lower bounds. In Proceedings of the Twenty-Eighth Annual ACM-SIAM Symposium on Discrete Algorithms, pages 1352–1371. Society for Industrial and Applied Mathematics, 2017.

[103] R. Impagliazzo and S. Rudich. Limits on the provable consequences of one- way permutations. In Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, 1989.

[104] Emil Jerábek. Integer factoring and modular square roots. J. Comput. Syst. Sci., 82(2):380–394, 2016.

[105] Alan S. Johnson. Reductions and propositional proofs for total NP search problems. UC San Diego Electronic Theses and Dissertations, 2011.

[106] David S Johnson, Christos H Papadimitriou, and Mihalis Yannakakis. How easy is local search? Journal of computer and system sciences, 37(1):79–100, 1988.

[107] Erich Kaltofen and Gilles Villard. On the complexity of computing deter- minants. computational complexity, 13(3-4):91–130, 2005.

[108] Sam Kim. Key-homomorphic pseudorandom functions from LWE with small modulus. In Advances in Cryptology – EUROCRYPT 2020, 2020.

[109] Shiva Kintali, Laura J Poplawski, Rajmohan Rajaraman, Ravi Sundaram, and Shang-Hua Teng. Reducibility among fractional stability problems. SIAM Journal on Computing, 42(6):2063–2113, 2013.

225 [110] Ilan Komargodski, Moni Naor, and Eylon Yogev. Collision resistant hashing for paranoids: Dealing with multiple collisions. In Advances in Cryptology - EUROCRYPT 2018, pages 162–194, 2018.

[111] Ilan Komargodski, Moni Naor, and Eylon Yogev. White-box vs. black-box complexity of search problems: Ramsey and graph property testing. Journal of the ACM (JACM), 66(5):34, 2019.

[112] Pravesh K Kothari and Ruta Mehta. Sum-of-squares meets Nash: lower bounds for finding any equilibrium. In Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing, pages 1241–1248. ACM, 2018.

[113] A. A. Kozhevnikov and S. I. Nikolenko. On complete one-way functions. Problems of Information Transmission, 45(2):168–183, Jun 2009.

[114] Donald L. Kreher and Douglas R. Stinson. Combinatorial Algorithms: Gen- eration, Enumeration, and Search, volume 7 of Discrete Mathematics and Its Applications. CRC Press, 1998.

[115] L. A. Levin. The tale of one-way functions. Problems of Information Transmis- sion, 39(1):92–103, Jan 2003.

[116] Leonid A. Levin. One-way functions and pseudorandom generators. Com- binatorica, 7(4):357–363, 1987.

[117] Alex Lombardi and Vinod Vaikuntanathan. Fiat-shamir for repeated squar- ing with applications to PPAD-hardness and VDFs. In Advances in Cryptol- ogy - CRYPTO 2020, 2020.

[118] László Lovász. Spectra of graphs with transitive groups. Periodica Math. Hung., 6:191–195, 1975.

[119] Xianhui Lu, Yamin Liu, Dingding Jia, Haiyang Xue, Jingnan He, Zhenfei Zhang, Zhe Liu, Hao Yang, Bao Li, and Kunpeng Wang. Lac. Techni- cal report, National Institute of Standards and Technology, 2017. avail- able at https://csrc.nist.gov/projects/post-quantum-cryptography/ round-2-submissions.

[120] Vadim Lyubashevsky and Daniele Micciancio. On bounded distance de- coding, unique shortest vectors, and the minimum distance problem. In CRYPTO, 2009.

[121] Vadim Lyubashevsky, Chris Peikert, and Oded Regev. On ideal lattices and learning with errors over rings. J. ACM, 60(6):43:1–43:35, 2013.

[122] N Meggido and CH Papadimitriou. A note on total functions, existence theorems, and computational complexity. Technical report, Tech. report, IBM, 1989.

226 [123] Daniele Micciancio. Almost perfect lattices, the covering radius problem, and applications to ajtai’s connection factor. SIAM J. Comput., 34(1):118– 169, 2004. [124] Daniele Micciancio and Chris Peikert. Trapdoors for lattices: Simpler, tighter, faster, smaller. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 700–718. Springer, 2012. [125] Daniele Micciancio and Chris Peikert. Hardness of SIS and LWE with small parameters. In Advances in Cryptology – CRYPTO 2013, pages 21–39, 2013. [126] Daniele Micciancio and Oded Regev. Worst-case to average-case reductions based on gaussian measures. SIAM J. Comput., 37(1):267–302, 2007. [127] Hermann Minkowski. Geometrie der zahlen, volume 40. B.G. Teubner, 1910. [128] Pratyay Mukherjee and Daniel Wichs. Two round multiparty computation via multi-key FHE. In EUROCRYPT, 2016. [129] Michael Naehrig, Erdem Alkim, Joppe Bos, Leo Ducas, Karen East- erbrook, Brian LaMacchia, Patrick Longa, Ilya Mironov, Valeria Niko- laenko, Christopher Peikert, Ananth Raghunathan, and Douglas Stebila. Frodokem. Technical report, National Institute of Standards and Technol- ogy, 2017. available at https://csrc.nist.gov/projects/post-quantum-c ryptography/round-2-submissions. [130] Moni Naor and Moti Yung. Public-key cryptosystems provably secure against chosen ciphertext attacks. In STOC, 1990. [131] NIST. https://csrc.nist.gov/CSRC/media/Projects/Post-Quantum-Cryp tography/documents/call-for-proposals-final-dec-2016.pdf. [132] Carl Douglas Olds, Anneli Lax, and Giuliana Davidoff. The geometry of numbers, volume 41. Cambridge University Press, 2001. [133] Christos H Papadimitriou. The complexity of the Lin–Kernighan heuristic for the traveling salesman problem. SIAM Journal on Computing, 21(3):450– 465, 1992. [134] Christos H Papadimitriou. On the complexity of the parity argument and other inefficient proofs of existence. Journal of Computer and system Sciences, 48(3):498–532, 1994. 
[135] Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem: extended abstract. In Proceedings of the 41st Annual ACM Sympo- sium on Theory of Computing, STOC 2009, 2009. [136] Chris Peikert. Lattice cryptography for the internet. In Post-Quantum Cryp- tography - 6th International Workshop, PQCrypto 2014, Waterloo, ON, Canada, October 1-3, 2014. Proceedings, 2014.

227 [137] Chris Peikert and Sina Shiehian. Noninteractive zero knowledge for NP from (plain) Learning with Errors. In Advances in Cryptology – CRYPTO 2019, 2019.

[138] Chris Peikert and Vinod Vaikuntanathan. Noninteractive statistical zero- knowledge proofs for lattice problems. In CRYPTO, 2008.

[139] Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and composable oblivious transfer. In CRYPTO, 2008.

[140] Chris Peikert and Brent Waters. Lossy trapdoor functions and their appli- cations. In STOC, 2008.

[141] Thomas Poppelmann, Erdem Alkim, Roberto Avanzi, Joppe Bos, Leo Ducas, Antonio de la Piedra, Peter Schwabe, Douglas Stebila, Martin R. Albrecht, Emmanuela Orsini, Valery Osheter, Kenneth G. Paterson, Guy Peer, and Nigel P. Smart. Newhope. Technical report, National Institute of Standards and Technology, 2017. available at https://csrc.nist.gov/projects/pos t-quantum-cryptography/round-2-submissions.

[142] Oded Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM (JACM), 56(6):34, 2009.

[143] Christian Reiher. On kemnitz’conjecture concerning lattice-points in the plane. The Ramanujan Journal, 13(1-3):333–337, 2007.

[144] Alfréd Rényi. On measures of dependence. Acta mathematica hungarica, 10(3-4):441–451, 1959.

[145] Alon Rosen, Gil Segev, and Ido Shahaf. Can PPAD hardness be based on standard cryptographic assumptions? In Theory of Cryptography Conference, pages 747–776. Springer, 2017.

[146] Ron D. Rothblum, Adam Sealfon, and Katerina Sotiraki. Towards non- interactive zero-knowledge for NP from LWE. In Public-Key Cryptography - PKC 2019, pages 472–503, 2019.

[147] Thomas Rothvoss. Integer optimization and lattices. Lecture Notes, 2016. https://sites.math.washington.edu/~rothvoss/lecturenotes.html.

[148] Aviad Rubinstein. Inapproximability of Nash equilibrium. In Proceedings of the forty-seventh annual ACM symposium on Theory of computing, pages 409– 418. ACM, 2015.

[149] Aviad Rubinstein. Settling the complexity of computing approximate two- player Nash equilibria. In Foundations of Computer Science (FOCS), 2016 IEEE 57th Annual Symposium on, pages 258–265. IEEE, 2016.

228 [150] Amit Sahai. Non-malleable non-interactive zero knowledge and adaptive chosen-ciphertext security. In FOCS, 1999.

[151] Amit Sahai and Brent Waters. How to use indistinguishability obfuscation: deniable encryption, and more. In STOC, 2014.

[152] Alejandro A Schäffer and Mihalis Yannakakis. Simple local search problems that are hard to solve. SIAM journal on Computing, 20(1):56–87, 1991.

[153] Steffen Schuldenzucker, Sven Seuken, and Stefano Battiston. Finding clear- ing payments in financial networks with credit default swaps is PPAD- complete. In 8th Innovations in Theoretical Computer Science Conference, ITCS 2017, January 9-11, 2017, Berkeley, CA, USA, 2017.

[154] Peter Schwabe, Roberto Avanzi, Joppe Bos, Leo Ducas, Eike Kiltz, Tancrede Lepoint, Vadim Lyubashevsky, John M. Schanck, Gregor Seiler, and Damien Stehle. Crystals-kyber. Technical report, National Institute of Standards and Technology, 2017. available at https://csrc.nist.gov/projects/post-qua ntum-cryptography/round-2-submissions.

[155] Alan L. Selman. A survey of one-way functions in complexity theory. Math- ematical systems theory, 25(3):203–221, Sep 1992.

[156] Claude E Shannon. A mathematical theory of communication. The Bell system technical journal, 27(3):379–423, 1948.

[157] Peter W. Shor. Polynomial-time algorithms for prime factorization and dis- crete logarithms on a quantum computer. SIAM Review, 41(2):303–332, 1999.

[158] Katerina Sotiraki, Manolis Zampetakis, and Giorgos Zirdelis. Ppp- completeness with connections to cryptography. In 59th IEEE Annual Sym- posium on Foundations of Computer Science, FOCS 2018, Paris, France, October 7-9, 2018, pages 148–158, 2018.

[159] Noah Stephens-Davidowitz. Dimension-preserving reductions between lat- tice problems. http://www.noahsd.com/latticeproblems.pdf.

[160] Tim van Erven and Peter Harremoës. Rényi divergence and kullback-leibler divergence. IEEE Trans. Information Theory, 2014.

[161] Vijay V Vazirani and Mihalis Yannakakis. Market equilibrium under separa- ble, piecewise-linear, concave utilities. Journal of the ACM (JACM), 58(3):10, 2011.

[162] J Von Neumann. Various techniques used in connection with random digits, paper no. 13 in “Monte Carlo method”. NBS Applied Mathematics Series, 1961.

229 [163] Ewald Warning. Bemerkung zur vorstehenden arbeit von herrn chevalley. Abh. Math. Sem. Univ. Hamburg, 11:76–83, 1936.

[164] Daniel Wichs and Giorgos Zirdelis. Obfuscating compute-and-compare pro- grams under LWE. In 58th IEEE Annual Symposium on Foundations of Com- puter Science, FOCS 2017, Berkeley, CA, USA, October 15-17, 2017. IEEE Com- puter Society, 2017.

[165] Hans S Witsenhausen. On sequences of pairs of dependent random vari- ables. SIAM Journal on Applied Mathematics, 28(1):100–113, 1975.

[166] Lisa Yang, Yael Kalai, and Omer Paneth. PPAD-hardness and delegation with unambiguous proofs. In Advances in Cryptology - CRYPTO 2020, 2020.

230