New Hardness Results for Total Search Problems and Non-Interactive Lattice-Based Protocols Aikaterini Sotiraki

by Aikaterini Sotiraki

Diploma, National Technical University of Athens (2013)
S.M., Massachusetts Institute of Technology (2016)

Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy at the Massachusetts Institute of Technology, September 2020.

© Massachusetts Institute of Technology 2020. All rights reserved.

Author: Department of Electrical Engineering and Computer Science, August 13, 2020
Certified by: Vinod Vaikuntanathan, Associate Professor of Electrical Engineering and Computer Science, Thesis Supervisor
Accepted by: Leslie A. Kolodziejski, Professor of Electrical Engineering and Computer Science, Chair, Department Committee on Graduate Students

Abstract

Submitted to the Department of Electrical Engineering and Computer Science on August 13, 2020, in partial fulfillment of the requirements for the degree of Doctor of Philosophy.

We investigate new hardness results for total search problems, namely search problems that always have a solution, and non-interactive lattice protocols.

1. A question of particular importance, raised together with the definition of the class of total search problems, is to identify complete problems that do not explicitly have a Turing machine or a circuit as part of their input. We provide natural complete problems for various TFNP subclasses. We first consider the classes PPP and PWPP, where our complete problems are inspired by lattice theory and lead towards answering important questions in cryptography. Additionally, we identify complete problems for classes that generalize the class PPA, called PPAq. In this case, our results have connections to number theory, and in particular to the Chevalley-Warning theorem.

2. The Learning With Errors (LWE) problem, introduced by Regev, has had a profound impact on cryptography. We consider non-interactive protocols that are secure under the LWE assumption, such as non-interactive zero-knowledge and non-interactive key exchange. We show new strategies and new barriers towards constructing such protocols.

Thesis Supervisor: Vinod Vaikuntanathan
Title: Associate Professor of Electrical Engineering and Computer Science

Acknowledgments

I have been extremely fortunate to spend the last few years at MIT. I am particularly grateful to my advisor Vinod Vaikuntanathan. His enthusiasm for research and his unlimited knowledge have provided me with motivation to continue even in the hardest moments of my PhD. Even short meetings with Vinod were enough to give me new ideas and directions when I most needed them.

A decisive point during my PhD was definitely my internship at IDC, Herzliya with Alon Rosen. This experience gave me the opportunity to interact with amazing people and find new collaborators. I hope that this summer laid the foundations for many more collaborations yet to come.

Another important point of my PhD was my internship at Microsoft Research, where I was fortunate to work on applied cryptography. I am still amazed that in these three months I was able to learn so many new things unrelated to my previous research and contribute to projects. I am certain that this would have been impossible without the help of the group at Microsoft Research, and especially my mentor Esha Ghosh.

I would like to thank all of my collaborators: Manolis, Giorgos, Ron, Adam, Esha, Hao, Pritish, Siyao, Alon, Aris, Alexandros, and Mika. It is beyond any doubt that this thesis would not exist without them. I really enjoyed meeting and learning from each one of them and I hope that I will have the opportunity to continue in the future.

The theory group at MIT is a unique place, where I was very fortunate to develop academically, but also to meet new friends. I would like to thank all of the students and faculty of the group for providing such a warm and welcoming environment. I am not going to attempt to mention the other students by name for fear of forgetting someone. But I am very grateful to each one of them for all the discussions, the retreats, the theory teas etc. that we spent together.

Especially, I want to thank Ron Rivest and Yael Kalai for serving on my committee. Ron was also my Master's thesis supervisor and I am grateful to him for introducing me to research. Yael was always a person that I could ask for advice and it is amazing how much I have learned from Yael even without directly working with her. I want to also thank Nancy Lynch for giving me the opportunity to be a TA for her class and for providing me with guidance throughout the years. I want to thank the wonderful administrative assistants of the theory group, Debbie, Joanne and Rebecca.

My life at MIT was enjoyable thanks to my many friends. I really hope that even after MIT these friendships will last. I want to especially thank Mădălina, Artemisa, Chara and Lydia P, Christos, Vasso and Dafne, Christina and Konstantinos, Giorgos and Will, Ilias, Konstantina, Maryam, Lydia Z and Marinos, Sophie, and most of all my partner Manolis for all the great moments that we had. From having daily tea breaks to sharing important life moments, my memories of MIT are always tied to them.

Finally, I cannot thank enough my parents and my extended family for all the love and support that they offer every single day. It is without doubt that the most challenging part of my PhD was being away from them.

Contents

1 Introduction 15
1.1 Total Search Problems 16
1.2 Non-interactive lattice-based protocols 20
1.3 Notation 25
2 Total Search Problems 29
2.1 Complete problems 30
2.2 TFNP and Cryptography 32
2.3 Reductions 33
2.4 Set Description Using Circuits 34
3 Lattices 37
3.1 Computational Lattice Problems 39
3.2 Cryptographic assumptions 41
4 Pigeonhole Principle Arguments 45
4.1 Overview of the Results 46
4.2 BLICHFELDT is PPP-complete 52
4.3 cSIS is PPP-complete 57
4.4 Towards universal collision-resistant hashing 69
4.5 Natural Complete problem for PMPP 75
4.6 Lattice problems in PPP and PWPP 77
5 Modulo q Arguments 81
5.1 Overview 82
5.2 The class PPAq 92
5.3 Characterization via Primes 95
5.4 A Natural Complete Problem 99
5.5 Complete Problems via Small Depth Arithmetic Circuits 120
5.6 Applications of Chevalley-Warning 122
5.7 Structural Properties of PPAq 125
6 Non-interactive zero-knowledge 131
6.1 Overview 131
6.2 Basic Definitions 138
6.3 From POCS to NIZKs 141
6.4 Instantiating with LWE 153
7 Non-interactive key-exchange 167
7.1 Overview 170
7.2 Basic Definitions 173
7.3 (Information Theoretic) Impossibility of Amplification with Multiple Samples 174
7.4 (Computational) Impossibility of Noise-Ignorant Key Reconciliation Functions 181
7.5 Connections to other cryptographic primitives 187
8 Summary and Open Problems 193
A Missing proofs of Chapter 4 197
A.1 Proof of Claim 4.3.4 197
B Missing proofs of Chapter 5 199
B.1 Reductions Between Complete Problems 199
B.2 Completeness of Succinct Bipartite 204
B.3 Equivalence with PMODp 206
B.4 Proof of Theorem 5.5.1 207
C Missing proofs of Chapter 7 213
C.1 A self-contained proof of Theorem 7.3.1 213

List of Figures

2-1 The landscape of TFNP subclasses 30
4-1 Problems in PPP 52
4-2 A simple example of the construction of Lemma 4.3.3 68
5-1 The PPAq subclasses of TFNP 91
5-2 Total search problems related to PPAq 95
5-3 Illustration of the proof of PPA_{p^k} ⊆ PPA_p 97
5-4 Illustration of the proof of PPAD ⊆ PPAq 126
5-5 Illustration of the proof of Theorem 5.7.3 130
7-1 LWE-based key-exchange through reconciliation 168

List of Tables

4.1 Value and auxiliary variables of graph G(i) 62
4.2 Equations of non-input nodes 62
4.3 Illustration of the matrix G(i) 64
4.4 Illustration of the matrix A 66
A.1 Values of specific expressions (mod 4) 197

Chapter 1 Introduction

The main task of cryptography is to allow computation and communication in adversarial settings. Most cryptographic applications are impossible in the information-theoretic setting as formalized by Shannon [156], and hence require computational assumptions. Traditional cryptographic assumptions include the hardness of factoring and of finding discrete
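The abstract states that the PPP- and PWPP-complete problems of Chapter 4 are inspired by lattice theory and connect to collision-resistant hashing (Sections 4.3, 4.4 and 4.6). The following is an added illustration of that connection, not code from the thesis: Ajtai's SIS hash h_A(x) = A x mod q on binary inputs is a total search problem for collisions once the domain is larger than the range (2^m > q^n, the pigeonhole principle), and every collision is a short nonzero vector in the q-ary lattice Λ_q^⊥(A), i.e. a solution to SIS. The toy parameters (n = 2, m = 8, q = 5), the random seed and the function names are assumptions of this example so that the exhaustive search finishes instantly; at cryptographic sizes the same search is infeasible, which is exactly the hardness the thesis studies.

```python
import itertools
import random


def sis_hash(A, x, q):
    """Ajtai's SIS hash: h_A(x) = A x (mod q), A in Z_q^{n x m}, x in {0,1}^m."""
    n, m = len(A), len(A[0])
    assert len(x) == m
    return tuple(sum(A[i][j] * x[j] for j in range(m)) % q for i in range(n))


def find_collision(A, q):
    """Exhaustive pigeonhole search over all 2^m binary inputs.

    Totality: when 2^m > q^n there are more inputs than digests, so some
    digest repeats and the search must return x1 != x2 with
    h_A(x1) == h_A(x2). This is the weak-pigeonhole (PWPP) flavour the
    abstract refers to; for large n, m, q no efficient algorithm is known.
    """
    n, m = len(A), len(A[0])
    if 2 ** m <= q ** n:
        raise ValueError("need 2^m > q^n for the pigeonhole guarantee")
    seen = {}
    for x in itertools.product((0, 1), repeat=m):
        h = sis_hash(A, x, q)
        if h in seen:
            return seen[h], x
        seen[h] = x
    raise AssertionError("unreachable: the pigeonhole principle forces a collision")


def collision_to_short_vector(x1, x2):
    """A collision yields z = x1 - x2 in {-1,0,1}^m, nonzero, with A z = 0 (mod q)."""
    return tuple(a - b for a, b in zip(x1, x2))


def is_short_kernel_vector(A, z, q, bound=1):
    """True iff z is nonzero, has entries in [-bound, bound] and A z = 0 (mod q),
    i.e. z is a short vector of the q-ary lattice Lambda_q^perp(A) (a SIS solution)."""
    n, m = len(A), len(A[0])
    if len(z) != m or not any(z):
        return False
    if any(abs(c) > bound for c in z):
        return False
    return all(sum(A[i][j] * z[j] for j in range(m)) % q == 0 for i in range(n))


def demo(seed=0, n=2, m=8, q=5):
    """Toy parameters assumed for this example: 2^8 = 256 inputs, 5^2 = 25 digests."""
    rng = random.Random(seed)  # constructed sample matrix, not a real key
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]
    x1, x2 = find_collision(A, q)
    z = collision_to_short_vector(x1, x2)
    return A, x1, x2, z


if __name__ == "__main__":
    A, x1, x2, z = demo()
    print("A =", A)
    print("collision:", x1, x2, "->", sis_hash(A, x1, 5))
    print("SIS solution z =", z, "valid:", is_short_kernel_vector(A, z, 5))
```

The two checks in the block are the two directions practitioners rely on: `find_collision` can only fail to return when the pigeonhole condition is violated (the `ValueError`), and `is_short_kernel_vector` verifies that the found collision really is a short lattice vector, so a collision-finder for the hash is an SIS solver and vice versa.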

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 230
