On the Average-Case Hardness of Total Search Problems by Chethan Kamath January, 2020 A thesis presented to the Graduate School of the Institute of Science and Technology Austria, Klosterneuburg, Austria in partial fulfillment of the requirements for the degree of Doctor of Philosophy The thesis of Chethan Kamath, titled On the Average-Case Hardness of Total Search Problems, is approved by: Supervisor: Krzysztof Pietrzak, IST Austria, Klosterneuburg, Austria Signature: Committee Member: Vladimir Kolmogorov, IST Austria, Klosterneuburg, Austria Signature: Committee Member: Alon Rosen, IDC Herzliya, Israel Signature: Defense Chair: Calin G˘uet,IST Austria, Klosterneuburg, Austria Signature: c by Chethan Kamath, January, 2020 All Rights Reserved The copyright of this thesis rests with the author. Unless otherwise indicated, its contents are licensed under a Creative Commons Attribution 4.0 International License. Under this license, you may copy and redistribute the material in any medium or format. You may also create and distribute modified versions of the work. This is on the condition that: you credit the author and do not use it, or any derivative works, for a commercial purpose. IST Austria Thesis, ISSN: 2663-337X I hereby declare that this thesis is my own work and that it does not contain other people's work without this being so stated; this thesis does not contain my previous work without this being stated, and the bibliography contains all the literature that I used in writing the dissertation. I declare that this is a true copy of my thesis, including any final revisions, as approved by my thesis committee, and that this thesis has not been submitted for a higher degree to any other university or institution. I certify that any republication of materials presented in this thesis has been approved by the relevant publishers and co-authors. Signature: Chethan Kamath January, 2020 v Abstract A search problem lies in the complexity class FNP if a solution to the given instance of the problem can be verified efficiently. The complexity class TFNP consists of all search problems in FNP that are total in the sense that a solution is guaranteed to exist. TFNP contains a host of interesting problems from fields such as algorithmic game theory, computational topology, number theory and combinatorics. Since TFNP is a semantic class, it is unlikely to have a complete problem. Instead, one studies its syntactic subclasses which are defined based on the combinatorial principle used to argue totality. Of particular interest is the subclass PPAD, which contains important problems like computing Nash equilibrium for bimatrix games and computational counterparts of several fixed-point theorems as complete. In the thesis, we undertake the study of average- case hardness of TFNP, and in particular its subclass PPAD. Almost nothing was known about average-case hardness of PPAD before a series of recent results showed how to achieve it using a cryptographic primitive called program ob- fuscation. However, it is currently not known how to construct program obfuscation from standard cryptographic assumptions. Therefore, it is desirable to relax the assumption under which average-case hardness of PPAD can be shown. In the thesis we take a step in this direction. First, we show that assuming the (average-case) hardness of a number theoretic problem related to factoring of integers, which we call Iterated-Squaring, PPAD is hard-on-average in the random-oracle model. Then we strengthen this result to show that the average-case hardness of PPAD reduces to the (adaptive) soundness of the Fiat-Shamir Transform, a well-known technique used to compile a public-coin interactive protocol into a non-interactive one. As a corollary, we obtain average-case hardness for PPAD in the random-oracle model assuming the worst-case hardness of #SAT. More- over, the above results can all be strengthened to obtain average-case hardness for the class CLS ⊆ PPAD. Our main technical contribution is constructing incrementally-verifiable procedures for computing Iterated-Squaring and #SAT. By incrementally-verifiable, we mean that every intermediate state of the computation includes a proof of its correctness, and the proof can be updated and verified in polynomial time. Previous constructions of such procedures relied on strong, non-standard assumptions. Instead, we introduce a technique called recursive proof-merging to obtain the same from weaker assumptions. vi Acknowledgments First and foremost, I would like to express my deepest gratitude to my adviser, Krzysztof, for handing me an opportunity to pursue a PhD. Krzysztof is a unending source of inter- esting problems and more often than not to their solutions. I really appreciate his calm, patient approach to guidance, which allowed me develop not only as a researcher but also as a person during my PhD. Secondly I would like to profusely thank Alon and Pavel: Alon for having given me the chance to visit IDC Herzliya, and Pavel for his tutelage during my time there. The discussions with Alon and Pavel were enlightening, and enabled me to appreciate both the intuitive and meticulous nature of research. The inception of this thesis can be back traced to the research conducted during this visit. I would also like to give special thanks to Georg for having co-supervised me during the early phase of the PhD, Vladimir for being part of my committee, and Calin for agreeing to chair my defense. I am grateful to the co-authors of all the papers that I was involved during my PhD. In particular, I would like to thank the co-authors of the two papers that constitute the bulk of this thesis: they were closely involved not only in developing most of the ideas therein, but also in writing most of its content. (They say that a thesis doesn't write itself, but in my case it mostly did.) For the six memorable years I am thankful to my colleagues and friends at IST Austria, particularly to the members of our group over the years (Benedikt, Guille, Hamza, Jo¨el, Karen, Maciej, Michal, Michael, Michelle, Peter and the numerous interns), with whom I had great discussions and even more fun. I also thank Stephan and Simon for their warm friendship and constant company which helped me plough through the PhD. Finally I would like to thank my family for their unwavering support. I gratefully acknowledge the financial support from the IST Austria Excellence Schol- arship during my first year and European Research Council starting grant (259668-PSPC) and consolidator grant (682815-TOCNeT) during the rest of the PhD, which allowed me to focus on research without any monetary bothers. vii About the Author Chethan Kamath obtained his B.Tech degree in Computer Science from University of Kerala (at TKM College of Engineering) in 2009. In 2010 he joined Indian Institute of Science, Bangalore for an M.Sc in Computer Science with focus on cryptography. After its completion, he joined Institute of Science and Technology Austria in 2014 for his Ph.D studies in the group of Krzysztof Pietrzak. His research interests include foundations of cryptography, computational complexity theory, and theoretical computer science in general. viii List of Publications 1. Choudhuri, A. R., Hub´aˇcek,P., Kamath, C., Pietrzak, K., Rosen, A., and Rothblum, G. N. Finding a Nash equilibrium is no easier than breaking Fiat-Shamir. 51st Annual ACM SIGACT Symposium on Theory of Computing { STOC 2019:1103{ 1114. 2. Choudhuri, A. R., Hub´aˇcek,P., Kamath, C., Pietrzak, K., Rosen, A., and Rothblum, G. N. PPAD-hardness via iterated squaring modulo a composite. Cryptology ePrint Archive, Report 2019/667, 2019. ix Table of Contents Abstract v Acknowledgments vi About the Author vii List of Publications viii List of Figures x List of Abbreviations xi 1 Introduction xii 1.1 Total Search Problems . .1 1.2 Cryptography and Total Search Problems . 11 1.3 Overview of the Thesis . 15 2 Background 26 2.1 Definitions . 27 2.2 Hardness in PPAD ............................... 29 2.3 Hardness in CLS ................................ 33 2.4 Relaxing the SVL Problem . 34 3 PPAD-Hardness from Iterated-Squaring 37 3.1 Hardness Assumption . 37 3.2 Pietrzak's Proof System . 41 3.3 The Reduction . 48 4 PPAD-Hardness and the Fiat-Shamir Methodology 60 4.1 Overview . 61 4.2 The Sumcheck Protocol . 70 4.3 The Reduction . 79 4.4 Instantiating Fiat-Shamir . 90 5 Conclusions and Future Directions 99 Bibliography 103 A Missing Proofs 113 A.1 Proof of Lemma 5 . 113 x List of Figures 1.1 Sperner's Lemma . .2 1.2 The TFNP landscape . .5 1.3 Sample Lonely instance . .6 1.4 Problems in TFNP ...............................8 1.5 Sample End-of-Line instance . 10 1.6 Sperner is Karp-reducible to End-of-Line ................. 11 1.7 The Fiat-Shamir Transform . 17 1.8 Sample Sink-of-Verifiable-Line instance . 19 1.9 The halving sub-protocol . 21 2.1 Simulating S and P using reversible pebbling. 32 2.2 Sample Relaxed-Sink-of-Verifiable-Line instance . 34 3.1 Recursive structure of the RSVL instance. 53 3.2 Labels of RSVL instance. 54 4.1 The Sumcheck Protocol . 72 4.2 Sumcheck Protocol with prefixes. 73 4.3 Non-interactive Sumcheck Protocol with prefixes. 77 5.1 Factoring and its related assumptions. 101 xi List of Abbreviations Complexity classes: NP Non-deterministic Polynomial-time FNP Functional Non-deterministic Polynomial-time TFNP Total Functional Non-deterministic Polynomial-time PTFNP Provable Total Functional Non-deterministic Polynomial-time PPP Polynomial Pigeonhole Principle PWPP Polynomial Weak Pigeonhole Principle PPA