PPP-Completeness with Connections to Cryptography

Katerina Sotiraki, Manolis Zampetakis, Giorgos Zirdelis

Introduction

The fundamental task of Computational Complexity theory is to classify computational problems according to their inherent computational difficulty. This led to the definition of complexity classes such as NP\mathsf{NP} which contains the decision problems with efficiently verifiable proofs in the “yes” instances. The search analog of the class NP\mathsf{NP}, called FNP\mathsf{FNP}, is defined as the class of search problems whose decision version is in NP\mathsf{NP}. The same definition extends to the class FP\mathsf{FP}, as the search analog of P\mathsf{P}. The seminal works of [JPY88, Pap94] considered search problems in FNP\mathsf{FNP} that are total, i.e. their decision version is always affirmative and thus a solution must always exist. This totality property makes the definition of FNP\mathsf{FNP} inadequate to capture the intrinsic complexity of total problems in the appropriate way as it was first shown in [JPY88]. Moreover, there were evidences for the hardness of total search problems e.g. in [HPV89]. Megiddo and Papadimitriou [MP89] defined the class TFNP\boldsymbol{\mathsf{TFNP}} that contains the total search problems of FNP\mathsf{FNP}, and Papadimitriou [Pap94] proposed the following classification rule of problems in TFNP\mathsf{TFNP}:

Total search problems should be classified in terms of the profound mathematical principles that are invoked to establish their totality.

Along these lines, many subclasses for TFNP\mathsf{TFNP} have been defined. Johnson, Papadimitriou and Yannakakis [JPY88] defined the class PLS\boldsymbol{\mathsf{PLS}}. A few years later, Papadimitriou [Pap94] defined the complexity classes PPA\boldsymbol{\mathsf{PPA}}, PPAD\boldsymbol{\mathsf{PPAD}}, PPADS\boldsymbol{\mathsf{PPADS}} and PPP\boldsymbol{\mathsf{PPP}}, each one associated with a profound mathematical principle in accordance with the above classification rule. More recently, the classes CLS\boldsymbol{\mathsf{CLS}} and PWPP\boldsymbol{\mathsf{PWPP}} were defined in [DP11] and [Jer16], respectively. In Section 1.1 we give a high-level description of all these classes.

Finding complete problems for the above classes is important as it enhances our understanding of the underlying mathematical principles. In turn, such completeness results reveal equivalences between total search problems, that seemed impossible to discover without invoking the definition of these classes. Since the definition of these classes in [JPY88, Pap94] it was clear that the completeness results about problems that don’t have explicitly a Turing machine or a circuit as a part of their input are of particular importance. For this reason it has been established to call such problems natural in the context of the complexity of total search problems (see [FRG18]).

Many natural complete problems are known for PLS\mathsf{PLS} and PPAD\mathsf{PPAD}, and recently natural complete problems for PPA\mathsf{PPA} were identified too (see Section 1.1). However, no natural complete problems are known for the classes PPP\mathsf{PPP}, PWPP\mathsf{PWPP} that have profound connections with the hardness of important cryptographic primitives, as we explain later in detail.

Our Contributions. Our main contribution is to provide the first natural complete problems for PPP\mathsf{PPP} and PWPP\mathsf{PWPP}, and thus solve a longstanding open problem from [Pap94]. Beyond that, our PPP\mathsf{PPP} completeness results lead the way towards answering important questions in cryptography and lattice theory as we highlight below.

Universal Collision-Resistant Hash Function. Building on the inherent connection of PWPP\mathsf{PWPP} with collision-resistant hash functions, we construct a natural hash function family HcSIS\mathcal{H}_{\mathsf{cSIS}} with the following properties:

Worst-Case Universality. No efficient algorithm can find a collision in every function of the family HcSIS\mathcal{H}_{\mathsf{cSIS}}, unless worst-case collision-resistant hash functions do not exist.

Moreover, if an (average-case hard) collision-resistant hash function family exists, then there exists an efficiently samplable distribution D\mathcal{D} over HcSIS\mathcal{H}_{\mathsf{cSIS}}, such that (D,HcSIS)(\mathcal{D},\mathcal{H}_{\mathsf{cSIS}}) is an (average-case hard) collision-resistant hash function family.

Average-Case Hardness. No efficient algorithm can find a collision in a function chosen uniformly at random from HcSIS\mathcal{H}_{\mathsf{cSIS}}, unless we can efficiently find short lattice vectors in any (worst-case) lattice.

The first property of HcSIS\mathcal{H}_{\mathsf{cSIS}} is reminiscent of the existence of worst-case one-way functions from the assumption that PNP\mathsf{P}\neq\mathsf{NP} [Sel92]. The corresponding assumption for the existence of worst-case collision-resistance hash functions is assuming FPPWPP\mathsf{FP}\neq\mathsf{PWPP}, but our hash function family HcSIS\mathcal{H}_{\mathsf{cSIS}} is the first natural definition that does not involve circuits, and admits this strong completeness guarantee in the worst-case.

The construction and properties of HcSIS\mathcal{H}_{\mathsf{cSIS}} lead us to the first candidate of a natural and universal collision-resistant hash function family. The idea of universal constructions of cryptographic primitives was initiated by Levin in [Lev87], who constructed the first universal one-way function and followed up by [Lev03, KN09]. Using the same ideas we can also construct collision a universal collision-resistant hash function family as we describe in Appendix C. The constructed hash function though invokes in the input an explicit description of a Turing machine and hence it fails to be natural, with the definition of naturality that we described before. In contrast, our candidate construction is natural, simple, and could have practical applications.

Complexity of Lattice Problems in PPP\mathsf{PPP}. The hardness of lattice problems in NPcoNP\mathsf{NP}\cap\mathsf{coNP} [AR04] has served as the foundation for numerous cryptographic constructions in the past two decades. This line of work was initiated by the breakthrough work of Ajtai [Ajt96], and later developed in a long series of works (e.g. [AD97, MR07, Reg09, GPV08, Pei09, GVW13, BLP+13, BV14, GSW13, GVW15b, GKW17, WZ17, PRSD17]). This wide use of search (approximation) lattice problems further motivates their study.

We make progress in understanding this important research front by showing that:

the computational problem BLICHFELDT\mathsf{BLICHFELDT} associated with Blichfeldt’s theorem, which can be viewed as a generalization of Minkowski’s theorem, is PPP\mathsf{PPP}-complete,

the cSIS\mathsf{cSIS} problem, a constrained version of the Short Integer Solution (SIS\mathsf{SIS}), is PPP\mathsf{PPP}-complete,

we combine known results and techniques from lattice theory to show that most approximation lattice problems are reducible to BLICHFELDT\mathsf{BLICHFELDT} and cSIS\mathsf{cSIS}.

These results create a new path towards a better understanding of lattice problems in terms of complexity classes.

Complexity of Other Cryptographic Assumptions. Besides lattice problems, we discuss the relationship of other well-studied cryptographic assumptions and PPP\mathsf{PPP}. Additionally, we formulate a white-box variation of the generic group model for the discrete logarithm problem [Sho97]; we observe that this problem is in PPP\mathsf{PPP} and is another natural candidate for being PPP\mathsf{PPP}-complete.

In this section we discuss the previous work on the complexity of total search problems, that has drawn attention from the theoretical computer science community over the past decades. We start with a high-level description of the total complexity classes and then discuss the known results for each one of them.

The class of problems whose totality is established using a potential function argument. Every finite directed acyclic graph has a sink.

The class of problems whose totality is proved through a parity argument. Any finite graph has an even number of odd-degree nodes.

The class of problems whose totality is proved through a directed parity argument. All directed graphs of degree two or less have an even number of degree one nodes.

The class of problems whose totality is proved through a pigeonhole principle argument. Any map from a set SS to itself either is onto or has a collision.

Using the same spirit two more classes were defined after [Pap94], in [DP11] and [Jer16].

The class of problems whose totality is established using both a potential function argument and a parity argument.

The class of problems whose totality is proved through a weak pigeonhole principle. Any map from a set SS to a strict subset of SS has a collision.

Recently, a syntactic analog PTFNP\mathsf{PTFNP} of the semantic class TFNP\mathsf{TFNP} has been defined in [GP17], and a complete problem for this class has been identified. It has also been shown that all the classes we described above are subsets of PTFNP\mathsf{PTFNP}. Oracle separations between all these classes are known [BCE+98], with the only exception of whether PLS\mathsf{PLS} is contained in PPAD\mathsf{PPAD}.

PLS\boldsymbol{\mathsf{PLS}}-completeness. The class PLS\mathsf{PLS} represents the complexity of local optimization problems. Some important problems that have been shown to be PLS\mathsf{PLS}-complete are: Local Max-Cut [SY91], Local Travelling Salesman Problem [Pap92], and Finding a Pure Nash Equilibrium [FPT04]. Recently, important results for the smoothed complexity of the Local Max-Cut problem were shown in [ER17, ABPW17].

PPAD\boldsymbol{\mathsf{PPAD}}-completeness. Arguably, the most celebrated application of the complexity of total search problems is the characterization of the computational complexity of finding a Nash equilibrium in terms of PPAD\mathsf{PPAD}-completeness [DGP09, CDT09]. This problem lies in the heart of game theory and economics. The proof that Nash Equilibrium is PPAD\mathsf{PPAD}-complete initiated a long line of research in the intersection of computer science and game theory and revealed connections between the two scientific communities that were unknown before (e.g. [EGG06, CDDT09, VY11, KPR+13, CDO15, Rub15, Rub16, CPY17, SSB17]).

PPA\boldsymbol{\mathsf{PPA}}-completeness. PPA\mathsf{PPA}-complete problems usually arise as the undirected generalizations of their PPAD\mathsf{PPAD}-complete analogs. For example, Papadimitriou [Pap94] showed that Sperner’s Lemma in a 3-D cube is PPAD\mathsf{PPAD}-complete and later Grigni [Gri01] showed that Sperner’s Lemma in a 3-manifold consisting of the product of a Möbius strip and a line segment is PPA\mathsf{PPA}-complete. Since Möbius strip is non-orientable, this indeed is a non-directed version of the Sperner’s Lemma. Similarly, other problems have been showed to be PPA\mathsf{PPA}-complete, all involving some circuit as an input in their definition [ABB15, DEF+16, BIQ+17]. Recently, the first natural PPA\mathsf{PPA}-complete problem, without a circuit as part of the input, has been identified in [FRG18]. This illustrates an interesting relation between PPA\mathsf{PPA} and complexity of social choice theory problems.

CLS\boldsymbol{\mathsf{CLS}}-completeness. The CLS\mathsf{CLS} class was defined in [DP11] to capture the complexity of problems such as P-matrix LCP, computing KKT-points, and finding Nash equilibria in congestion and network coordination games. Recently, it has been proved that the problem of finding a fixed point whose existence invokes Banach’s Fixed Point Theorem, is CLS\mathsf{CLS}-complete [DTZ18, FGMS17].

TFNP\boldsymbol{\mathsf{TFNP}} and cryptography. The connection of TFNP\mathsf{TFNP} and cryptography was illustrated by Papadimitriou in [Pap94], where he proved that if PPP=FP\mathsf{PPP}=\mathsf{FP} then one-way permutations cannot exist. In [BO06], a special case of integer factorization was shown to be in PPAPPP\mathsf{PPA}\cap\mathsf{PPP}. This was generalized in [Jer16] by proving that the problem of factoring integers is in PPAPPP\mathsf{PPA}\cap\mathsf{PPP} under randomized reductions. Recently, strong cryptographic assumptions were used to prove the average-case hardness of PPAD\mathsf{PPAD} and CLS\mathsf{CLS} [BPR15, GPS16, HY17]. In [RSS17] it was shown that average-case PPAD\mathsf{PPAD} hardness does not imply one-way function under black-box reductions, whereas in [HNY17] it was shown that any hard on average problem in NP\mathsf{NP} implies the average case hardness of TFNP\mathsf{TFNP}. Finally, in [KNY17] it is proved that the existence of multi-collision resistant hash functions is equivalent with a variation of the total search problem RAMSEY\mathsf{RAMSEY}, which is not known to belong to any of the above complexity classes. Interestingly, they prove that a variation of RAMSEY\mathsf{RAMSEY} called colorful-Ramsey (C\mathchar45RAMSEY\mathsf{C\mathchar 45\relax RAMSEY}) is PWPP\mathsf{PWPP}-hard. Although this an important result, the problem C\mathchar45RAMSEY\mathsf{C\mathchar 45\relax RAMSEY} still invokes a circuit in the input and in not known to be in PWPP\mathsf{PWPP}, hence does not resolve the problem of identifying a natural complete problem for PWPP\mathsf{PWPP}.

2 Roadmap of the paper

We start our exposition with a brief description of the results contained in this paper. First we briefly describe the PPP\mathsf{PPP}-completeness of BLICHFELDT\mathsf{BLICHFELDT} that illustrates some of the basic ideas behind our main result that cSIS\mathsf{cSIS} is PPP\mathsf{PPP}-complete. The complete proof of the PPP\mathsf{PPP}-completeness of BLICHFELDT\mathsf{BLICHFELDT} can be found in Section 3. We suggest to readers that have experience with the fundamental concepts of the theory of lattices to skip the details Section 3.

Then, we present a brief description of our main theorem and its proof. The complete proof of the PPP\mathsf{PPP}-completeness of cSIS\mathsf{cSIS} can be found in Section 4.

In Section 5 we describe the PPP\mathsf{PPP}-completeness of a weaker version of cSIS\mathsf{cSIS} and its relation with the definition of the first natural universal collision resistant hash function family in the worst-case sense. This proof also provides the first candidate for a collision resistant hash function family that is both natural and universal in the average-case sense.

Finally in Section 6 we present, for completeness of our exposition, other lattice problems that are already known to belong to PPP\mathsf{PPP} and PWPP\mathsf{PWPP} and in Section 7 we present more general other cryptographic assumptions that belong to PPP\mathsf{PPP} and PWPP\mathsf{PWPP}.

3 Overview of the Results

We give a proof overview of our first main theorem, and highlight the obstacles that arise, along with our solutions.

The BLICHFELDT\mathsf{BLICHFELDT} problem is PPP\mathsf{PPP}-complete.

The output of BLICHFELDT\mathsf{BLICHFELDT} is either an \mathbf{s}_{\boldsymbol{\underaccent{\bar}{x}}}=\begin{bmatrix}\boldsymbol{\underaccent{\bar}{x}}\\ \mathcal{C}(\boldsymbol{\underaccent{\bar}{x}})\end{bmatrix}\in S\cap\mathcal{L} that (by construction of L\mathcal{L}) implies \mathcal{C}(\boldsymbol{\underaccent{\bar}{x}})=\mathbf{0}, or two different elements of SS, \mathbf{s}_{\boldsymbol{\underaccent{\bar}{x}}}=\begin{bmatrix}\boldsymbol{\underaccent{\bar}{x}}\\ \mathcal{C}(\boldsymbol{\underaccent{\bar}{x}})\end{bmatrix}, \mathbf{s}_{\boldsymbol{\underaccent{\bar}{y}}}=\begin{bmatrix}\boldsymbol{\underaccent{\bar}{y}}\\ \mathcal{C}(\boldsymbol{\underaccent{\bar}{y}})\end{bmatrix} with \mathbf{s}_{\boldsymbol{\underaccent{\bar}{x}}}-\mathbf{s}_{\boldsymbol{\underaccent{\bar}{y}}}\in\mathcal{L} that implies \boldsymbol{\underaccent{\bar}{x}}\neq\boldsymbol{\underaccent{\bar}{y}} and (by construction of L\mathcal{L}) \mathcal{C}(\boldsymbol{\underaccent{\bar}{x}})=\mathcal{C}(\boldsymbol{\underaccent{\bar}{y}}).

3.2 𝗰𝗦𝗜𝗦𝗰𝗦𝗜𝗦\boldsymbol{\mathsf{cSIS}} is 𝗣𝗣𝗣𝗣𝗣𝗣\boldsymbol{\mathsf{PPP}}-complete.

Part of the input to BLICHFELDT\mathsf{BLICHFELDT} is represented with a value function which requires a small circuit. As we explained before this makes BLICHFELDT\mathsf{BLICHFELDT} a non-natural problem with the respect to the definition of naturality in the context of the complexity of total search problems. We now introduce a natural problem that we call constrained Short Integer Solution (cSIS\mathsf{cSIS}), and show that it is PPP\mathsf{PPP}-complete. The cSIS\mathsf{cSIS} problem is a generalization of the well-known Short Integer Solution (SIS\mathsf{SIS}) problem, and discuss their connection in Section 5.2.

The cSIS\mathsf{cSIS} problem is PPP\mathsf{PPP}-complete.

It can be argued that this reduction shares common ideas with the reduction of 3\mathchar45SAT3\mathchar 45\relax\mathsf{SAT} to SUBSET\mathchar45SUM\mathsf{SUBSET\mathchar 45\relax SUM}; this shows the importance of the input conditions for cSIS\mathsf{cSIS} and hints to the numerous complications that arise in the proof. Without these conditions, we could end up with a trivial reduction to an NP\mathsf{NP}-hard problem! Fortunately, we are able to show that our construction satisfies the input conditions of cSIS\mathsf{cSIS}.

3.3 Towards a Natural and Universal Collision-Resistant Rash Family.

PWPP\mathsf{PWPP} is a subclass of PPP\mathsf{PPP} in which a collision always exists; it is not hard to show that variations of both BLICHFELDT\mathsf{BLICHFELDT} and cSIS\mathsf{cSIS} are PWPP\mathsf{PWPP}-complete. We tweak the parameters of valid inputs in order to guarantee that a collision always exists. The PWPP\mathsf{PWPP}-complete variation of cSIS\mathsf{cSIS}, which we denote by weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS}, gives a function family which is a universal collision-resistant hash function family in a worst-case sense: if there is a function family that contains at least one function for which it is hard to find collisions, then our function family also includes a function for which it is hard to find collisions.

The great resemblance of weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} with SIS\mathsf{SIS} and its completeness for PWPP\mathsf{PWPP} lead us to the first candidate for a universal collision-resistant hash function \mathcal{H}_{\mathsf{cSIS}}=\{h_{\boldsymbol{\underaccent{\bar}{s}}}:\{0,1\}^{k}\rightarrow\{0,1\}^{k^{\prime}}\}:

The key \boldsymbol{\underaccent{\bar}{s}} is a pair of matrices (A,G)(\mathbf{A},\mathbf{G}), where G\mathbf{G} is binary invertible.

Because lattice problems have worst-to-average case reductions and our hash family is based on a lattice problem, this gives hope for showing that our construction is universal in the average-case sense.

3.4 Other Lattice Problems Known to be in 𝗣𝗣𝗣𝗣𝗣𝗣\boldsymbol{\mathsf{PPP}}.

3.5 Other Cryptographic Assumptions in 𝗣𝗣𝗣𝗣𝗣𝗣\boldsymbol{\mathsf{PPP}}.

4 Open questions.

Numerous new questions arise from our work and the connections we draw between PPP\mathsf{PPP}, cryptography and lattices. We summarize here some of them.

Is there a worst-to-average case reduction from weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} to itself? This result will provide the first natural, in the sense that does not invoke explicitly a Turing machine in the input, and universal collision resistant hash function family.

Is SIS\mathsf{SIS} or MINKOWSKI\mathsf{MINKOWSKI} PPP\mathsf{PPP}-hard?

Is γ\gamma-SVP\mathsf{SVP} in PPP\mathsf{PPP} for γ=o(n)\gamma=o(n)?

Is γ\gamma-CVP\mathsf{CVP} PPP\mathsf{PPP}-hard for γ=Ω(n)\gamma=\Omega(\sqrt{n})?

Is the discrete logarithm problem in PPP\mathsf{PPP} for general elliptic curves?

Preliminaries

The bit decomposition function bd\mathsf{bd} is extended to integer vectors and the result is the concatenation of the bit decomposition of each coordinate of the vector. Similarly, this is also extended to integer matrices. Then of course the bit composition function bc\mathsf{bc} is no longer well defined because its output can be either a number or a vector of numbers, but for simplicity we still use the notation bc\mathsf{bc} and it will be made clear from the context whether the output is a number or a vector of numbers. When bd\mathsf{bd} is applied to a set {m1,,mk}\{m_{1},\dots,m_{k}\} the output is still a set with the bit decomposition of each element {bd(m1),,bd(mk)}\{\mathsf{bd}(m_{1}),\dots,\mathsf{bd}(m_{k})\}.

Circuits. We can now define a circuit C\mathcal{C} with nn inputs and mm outputs as an ordered tuple of mm boolean circuits C=(C1,,Cm)\mathcal{C}=(\mathcal{C}_{1},\dots,\mathcal{C}_{m}) which defines a function C:{0,1}n{0,1}m\mathcal{C}:\{0,1\}^{n}\to\{0,1\}^{m}, where \mathcal{C}(\boldsymbol{\underaccent{\bar}{x}})=(\mathcal{C}_{1}(\boldsymbol{\underaccent{\bar}{x}}),\dots,\mathcal{C}_{m}(\boldsymbol{\underaccent{\bar}{x}})). The size C\lvert\mathcal{C}\rvert of C\mathcal{C} is equal to C1++C2\lvert\mathcal{C}_{1}\rvert+\cdots+\lvert\mathcal{C}_{2}\rvert. It is known that PP/poly\mathsf{P}\subseteq\mathsf{P/poly} (see [AB09]), where P/poly\mathsf{P/poly} is the class of polynomial-sized circuits. Thus, any polynomial time procedure we describe, implies an equivalent circuit of polynomial size.

Search Problems. A search problem in FNP\mathsf{FNP} is defined by a relation R\mathcal{R} that on input xx of size nn and for every yy of size poly(n)\operatorname{poly}(n), R(x,y)\mathcal{R}(x,y) is polynomial-time computable on nn. A solution to the search problem with input xx is a yy of size poly(n)\operatorname{poly}(n) such that R(x,y)\mathcal{R}(x,y) holds.

A search problem is total if for every input xx of size nn, there exists a yy of size poly(n)\operatorname{poly}(n) such that R(x,y)\mathcal{R}(x,y) holds. The class of total search problems in FNP\mathsf{FNP} is called TFNP\mathsf{TFNP}.

Karp Reductions Between Search Problems. A search problem P1\mathcal{P}_{1} is Karp-reducible to a search problem P2\mathcal{P}_{2} if there exist polynomial-time (in the input size of P1\mathcal{P}_{1}) computable functions ff and gg such that if xx is an input of P1\mathcal{P}_{1}, then f(x)f(x) is an input of P2\mathcal{P}_{2} and if yy is any solution of P2\mathcal{P}_{2} with input f(x)f(x) then g(x,f(x),y)g(x,f(x),y) is a solution of P1\mathcal{P}_{1}.

Cook Reductions Between Search Problems. A search problem P1\mathcal{P}_{1} is Cook-reducible to a search problem P2\mathcal{P}_{2} if there exists a polynomial-time (in the input size of P1\mathcal{P}_{1}) oracle Turing machine T\mathcal{T} such that if xx is an input of P1\mathcal{P}_{1}, T\mathcal{T} computes a yy such that yy is a solution of P1\mathcal{P}_{1} whenever all the oracle answers are solutions of P2\mathcal{P}_{2}. The set of all search problems that are Cook-reducible to problem P\mathcal{P} is denoted by FPP\mathsf{FP}^{\mathcal{P}}.

The weak PPP\mathsf{PPP} Complexity Class. The class PWPP\mathsf{PWPP} is the set of all search problems Karp-reducible to the following problem called COLLISION\mathsf{COLLISION}.

2 Set Description Using Circuits

Characteristic Function. We say that a circuit CHS\mathcal{CH}_{S} with kk binary inputs and one output is a characteristic function representation of SS if \mathcal{CH}_{S}(\boldsymbol{\underaccent{\bar}{x}})=1 if and only if \boldsymbol{\underaccent{\bar}{x}}\in\mathsf{bd}(S).

a characteristic function representation CHS\mathcal{CH}_{S} of SS, where CHS=O(nmaxilogLi)\lvert\mathcal{CH}_{S}\rvert=O(n\max_{i}\log L_{i}),

a value function representation (VS,s)(\mathcal{V}_{S},s) of SS, where VS=O(n2maxilogLi)\lvert\mathcal{V}_{S}\rvert=O(n^{2}\max_{i}\log L_{i}) and

an index function representation (IS,s)(\mathcal{I}_{S},s) of SS, where IS=O(n2maxilogLi)\lvert\mathcal{I}_{S}\rvert=O(n^{2}\max_{i}\log L_{i}).

In the next sections, the constructions of value and index functions for sets lie at the heart of our proofs for showing membership in PPP\mathsf{PPP}, and we make frequent use of the above Lemma 2.1. Specifically, in Section 3, we see that the set of integer cosets of a lattice admits an index function that can be implemented with a polynomial sized circuit, and in Section 7 we see that any cyclic group admits a value function that can be implemented with a polynomial-size circuit. In the latter case, we demonstrate that an efficient implementation of an index function of a group shows that the Discrete Logarithm problem for this group belongs to the class PPP\mathsf{PPP}.

3 Lattice Basics

The following lemma for qq-ary lattices is useful in our proofs. For a simple proof of this Lemma 2.3 we refer to Sections 2.3 and 2.4 of [AP11].

Λq(A)=qΛq(A)\Lambda^{\perp}_{q}(\mathbf{A})=q\Lambda_{q}^{*}(\mathbf{A}) and det(Λq(A))qn\det\left(\Lambda^{\perp}_{q}(\mathbf{A})\right)\leq q^{n},

Determinant. The determinant of a lattice is the volume of the fundamental parallelepiped, det(L)=det(BTB)\det(\mathcal{L})=\sqrt{\det(\mathbf{B}^{T}\mathbf{B})} or simply det(B)|\det(\mathbf{B})| for full-rank lattices.

We now state a fundamental relation between \textscCo(L(B))\textsc{Co}(\mathcal{L}(\mathbf{B})), det(L(B))\det(\mathcal{L}(\mathbf{B})) and P(L(B))\mathcal{P}(\mathcal{L}(\mathbf{B})).

For a proof of Proposition 2.4 see the proof of Lemma 3.2.

The concept of lattices was introduced by Hermann Minkowski in his influential book Geometrie der Zahlen [Min10], first published at 1896. In his book, Minkowski developed the theory of the geometry of numbers and resolved many difficult problems in number theory. His fundamental theorem, known as Minkowski’s Convex Body Theorem, was the main tool of these proofs.

Despite the excitement created by Minkowski’s groundbreaking work, it was only after 15 years that a new principle in geometry of numbers was discovered. The credit for this discovery goes to Hans Frederik Blichfeldt, who in 1914 published a paper [Bli14] with his new theorem and some very important applications in number theory These introductory paragraphs were inspired from Chapter 9 of [OLD01]..

In this section, we characterize the computational complexity of Blichfeldt’s existence theorem and in later sections we discuss its applications (see Section 6). We recall the statement of Blichfeldt’s theorem below, introduce its computational search version, and prove that it is PPP\mathsf{PPP}-complete.

A proof of Theorem 3.1 can be found in Chapter 9 of [OLD01]. We now define the computational discrete version of Blichfeldt’s theorem.

BLICHFELDT\mathsf{BLICHFELDT} is in PPP\mathsf{PPP}.

Before defining C\mathcal{C}, we note that numbers that satisfy case “0.” in the output of BLICHFELDT\mathsf{BLICHFELDT} exist if and only if (s,VS)(s,\mathcal{V}_{S}) is not a valid value function of SS. Therefore, an output of case “0.” certifies that the input of BLICHFELDT\mathsf{BLICHFELDT} is not a valid input.

Now we are ready to describe IR\mathcal{I}_{R}. Let D=diag(d1,,dn)\mathbf{D}=\text{diag}(d_{1},\dots,d_{n}), observe that

We use Lemma 2.1 to construct an index function IRD\mathcal{I}_{R_{\mathbf{D}}}. Finally, we define the index function of RR as IR(x)=IRD(π(x)))\mathcal{I}_{R}(\mathbf{x})=\mathcal{I}_{R_{\mathbf{D}}}\left(\boldsymbol{\pi}(\mathbf{x}))\right).

If \mathcal{V}_{S}(\mathsf{bc}(\boldsymbol{\underaccent{\bar}{x}}))\not\in S, then \mathsf{bc}(\boldsymbol{\underaccent{\bar}{x}}) is a solution to our initial BLICHFELDT\mathsf{BLICHFELDT} instance. Otherwise, let \boldsymbol{y}=\boldsymbol{\sigma}\left(\mathcal{V}_{S}(\boldsymbol{\underaccent{\bar}{x}})\right) and \boldsymbol{\underaccent{\bar}{y}}=\mathsf{bd}(\boldsymbol{y}). In this case, we have that \mathcal{I}_{R}(\boldsymbol{\underaccent{\bar}{y}})=\boldsymbol{\underaccent{\bar}{0}}, which implies that \mathcal{I}_{R_{\mathbf{D}}}\left(\boldsymbol{\pi}(\boldsymbol{y})\right)=\boldsymbol{\underaccent{\bar}{0}}. From the definition of IRD\mathcal{I}_{R_{\mathbf{D}}} in Lemma 2.1, we get that π(y)=0\boldsymbol{\pi}(\mathbf{y})=\boldsymbol{0} and hence y=0\mathbf{y}=\boldsymbol{0}. Finally, \boldsymbol{\sigma}\left(\mathcal{V}_{S}(\boldsymbol{\underaccent{\bar}{x}})\right)=\boldsymbol{0} implies \mathcal{V}_{S}(\boldsymbol{\underaccent{\bar}{x}})\in\boldsymbol{0}+\mathcal{L} and so \mathbf{x}=\mathcal{V}_{S}(\boldsymbol{\underaccent{\bar}{x}}) is a solution to our initial BLICHFELDT\mathsf{BLICHFELDT} instance.

Using the same reasoning as in the previous case we conclude that either \mathsf{bc}(\boldsymbol{\underaccent{\bar}{x}}),\mathsf{bc}(\boldsymbol{\underaccent{\bar}{y}}) is a solution to our initial BLICHFELDT\mathsf{BLICHFELDT} instance or there exists a cR\mathbf{c}\in R such that \mathcal{V}_{S}(\boldsymbol{\underaccent{\bar}{x}}),\mathcal{V}_{S}(\boldsymbol{\underaccent{\bar}{y}})\in\mathbf{c}+\mathcal{L}(\mathbf{B}) and hence if \mathbf{x}=\mathcal{V}_{S}(\boldsymbol{\underaccent{\bar}{x}}), \mathbf{y}=\mathcal{V}_{S}(\boldsymbol{\underaccent{\bar}{y}}) then we have that xyL\mathbf{x}-\mathbf{y}\in\mathcal{L} and so x,y\mathbf{x},\mathbf{y} is a solution to our initial BLICHFELDT\mathsf{BLICHFELDT} instance.

We now proceed to show the PPP\mathsf{PPP}-hardness of BLICHFELDT\mathsf{BLICHFELDT}.

BLICHFELDT\mathsf{BLICHFELDT} is PPP\mathsf{PPP}-hard.

a single vector \mathbf{y}=\begin{bmatrix}\boldsymbol{\underaccent{\bar}{x}}\\ \mathcal{C}(\boldsymbol{\underaccent{\bar}{x}})\end{bmatrix}\in S\cap\mathcal{L}(\mathbf{B}).

two vectors x,yS\mathbf{x},\mathbf{y}\in S, such that xy\mathbf{x}\neq\mathbf{y} and xyL(B)\mathbf{x}-\mathbf{y}\in\mathcal{L}(\mathbf{B}).

Finally, we argue that 2ndet(L(B))2^{n}\geq\det(\mathcal{L}(\mathbf{B})) so that the BLICHFELDT\mathsf{BLICHFELDT} problem does not output 0\boldsymbol{0} trivially. This follows directly from Lemma 2.3 since q=2q=2. ∎

Combining Lemma 3.2 and Lemma 3.4, we prove the following theorem.

BLICHFELDT\mathsf{BLICHFELDT} is PPP\mathsf{PPP}-complete.

Constrained Short Integer Solution is 𝗣𝗣𝗣𝗣𝗣𝗣\boldsymbol{\mathsf{PPP}}-Complete

In this section we define the first PPP\mathsf{PPP}-complete problem that is natural, i.e. does not explicitly invoke any circuit as part of its input in contrast to the BLICHFELDT\mathsf{BLICHFELDT} problem. We call this problem the constrained Short Integer Solution (cSIS\mathsf{cSIS}) problem because it shares a similar structure with the well-known and well-studied Short Integer Solution problem that was defined in the seminal work of Ajtai [Ajt96], and later studied in [Mic04, MR07, GPV08, MP12].

To expand on the complexity theoretic importance and potential of cSIS\mathsf{cSIS}, we note the SIS\mathsf{SIS} problem is contained in PPP\mathsf{PPP} by its collision-resistance nature but it is unknown if it is also PPP\mathsf{PPP}-hard. This poses a fascinating open question, since it implies a unique characterization of a concrete cryptographic assumption using a complexity class and vice versa. We view our result in this section (as well as in the next section) as a first step towards this direction, by showing that cSIS\mathsf{cSIS} is PPP\mathsf{PPP}-complete.

Similar to the presentation of the previous section; we first define cSIS\mathsf{cSIS}, then prove its PPP\mathsf{PPP} membership and finally show its PPP\mathsf{PPP}-hardness. In all these steps, a matrix with a special structure, that we call binary invertible plays an important role, and thus we define it below and prove a key property that we use.

Next, we formalize the main property of binary invertible matrices that is in the core of our proof for the inclusion of cSIS\mathsf{cSIS} in PPP\mathsf{PPP}, and also explains the name “binary invertible”.

where b=[b1b2bd]T\mathbf{b}=\begin{bmatrix}b_{1}&b_{2}&\dots&b_{d}\end{bmatrix}^{T}. The fact that r\mathbf{r} can be computed by a polynomial sized circuit, follows easily from (4.1).

The property of Proposition 4.2 is the only property of binary invertible matrices that we need for our proofs. We could potentially define binary invertible matrices in a more general way. For example, a binary invertible matrix could be a permutation of the columns of a matrix of Definition 4.1. Our results follow immediately for the more general class of matrices that satisfy the properties of Proposition 4.2. Let us denote by S\mathcal{S} this set of matrices. We focus on the more restrictive case of Definition 4.1, not only for ease of the exposition, but also because given a matrix A\mathbf{A} there is no known efficient procedure to check whether AS\mathbf{A}\in\mathcal{S}. In fact, this problem is NP\mathsf{NP}-complete, since we can encode a SUBSET\mathchar45SUM\mathsf{SUBSET\mathchar 45\relax SUM} instance in A\mathbf{A} and reduce SUBSET\mathchar45SUM\mathsf{SUBSET\mathchar 45\relax SUM} to checking whether AS\mathbf{A}\in\mathcal{S}. Alternatively, we could define a promise version of cSIS\mathsf{cSIS} where G\mathbf{G}, is promised to be in S\mathcal{S}. However, this would deprive us from a syntactic definition of cSIS\mathsf{cSIS}.

In this case, we define the vectors \mathbf{x}=\begin{bmatrix}\mathcal{C}_{1}(\boldsymbol{\underaccent{\bar}{x}})\\ \boldsymbol{\underaccent{\bar}{x}}\\ \boldsymbol{0}\end{bmatrix} and \mathbf{y}=\begin{bmatrix}\mathcal{C}_{1}(\boldsymbol{\underaccent{\bar}{y}})\\ \boldsymbol{\underaccent{\bar}{y}}\\ \boldsymbol{0}\end{bmatrix} such that

As explained in Section 2.1, it suffices to assume that the in-degree of every non-input node is two. Let p1(j)p_{1}(j) be the index of the first, in the topological ordering, predecessor of the node vjv_{j} and p2(j)p_{2}(j) be the index of the second. Since nodes are indexed in topological ordering we have that p1(j)<p2(j)<jp_{1}(j)<p_{2}(j)<j. Every row of G(i)\mathbf{G}^{(i)} corresponds to a node vjv_{j}, with j>nj>n, of G(i)\mathcal{G}^{(i)}, and contains the coefficients of the variables in the modular equation of a form that appears in Table 2, depending on the label of vjv_{j}. We prove the correctness of these equations later in the text but it becomes also clear from the following Claim 4.6. The proof of Claim 4.6 goes through a simple enumeration of the different values for the boolean variables and can be found in Appendix A.1. The equation of node vdijv_{d_{i}-j} defines also the jj-th element of b(i)\mathbf{b}^{(i)} according to Table 2.

Let x,y,z,w{0,1}x,y,z,w\in\{0,1\}, then the following equivalences holds

So as we said, each column of G(i)\mathbf{G}^{(i)} corresponds to a variable, each row of G(i)\mathbf{G}^{(i)} corresponds to an equation as described above and b(i)\mathbf{b}^{(i)} is defined based on the label of each node of G(i)\mathcal{G}^{(i)} according to Table 2. The order of both the rows and the columns is specified by the topological sorting of G(i)\mathcal{G}^{(i)}. Specifically, the first row of G(i)\mathbf{G}^{(i)} describes the equation corresponding to node vdi(i)v^{(i)}_{d_{i}} (the output node of G(i)\mathcal{G}^{(i)}), the second row of G(i)\mathbf{G}^{(i)} describes the equation corresponding to node vdi1(i)v^{(i)}_{d_{i}-1}. In general, the kk-th row of G(i)\mathbf{G}^{(i)} describes the equation corresponding to node vdik(i)v^{(i)}_{d_{i}-k}. We emphasize that, since there are no equations for the input nodes of G(i)\mathcal{G}^{(i)}, we have dind_{i}-n equations in total. The order of columns follows a similar rule, i.e. it corresponds to the reverse order of the topological ordering of G(i)\mathcal{G}^{(i)}. The first two columns correspond to variables zdiz_{d_{i}}, rdir_{d_{i}} of node vdiv_{d_{i}} followed by pairs of rows corresponding to the variables of all non-input nodes of G(i)\mathcal{G}^{(i)}. Among the two columns of each node, the first corresponds to the auxiliary variable and the second to the value variable, unless the label of the node is "``\oplus". In the ``\oplus^{\prime\prime} case, the first corresponds to the value variable and the second to the auxiliary variable. Finally, G(i)\mathbf{G}^{(i)} has nn columns at the end for the variables that correspond to the input nodes of G(i)\mathcal{G}^{(i)}. For the last 2n2n columns, all the columns of the value variables precede the columns of the auxiliary variables. These rules completely define matrix G(i)\mathbf{G}^{(i)} (see Table 3 for an illustration).

Before defining the final matrix G\mathbf{G}, we state and prove some basic properties of G(i)\mathbf{G}^{(i)}.

The matrix G(i)\mathbf{G}^{(i)} is binary invertible.

Proof of Claim 4.7. We remind that the dimensions of G(i)\mathbf{G}^{(i)} are (din)×(2di)(d_{i}-n)\times(2d_{i}). Because of the order of rows and columns of G(i)\mathbf{G}^{(i)}, and by the form of the equations of Table 2, we have that the 1×21\times 2 vectors that appear in the diagonal of G(i)\mathbf{G}^{(i)} are equal to γ2T=[12]\boldsymbol{\gamma}_{2}^{T}=\begin{bmatrix}1&2\end{bmatrix}. The only other non-zero elements of the kk-th row of G(i)\mathbf{G}^{(i)} appear in the columns corresponding to vp1(dik)(i)v^{(i)}_{p_{1}(d_{i}-k)} and vp2(dik)(i)v^{(i)}_{p_{2}(d_{i}-k)}. But, by construction vp1(dik)(i)v^{(i)}_{p_{1}(d_{i}-k)} and vp2(dik)(i)v^{(i)}_{p_{2}(d_{i}-k)} are always before vdik(i)v^{(i)}_{d_{i}-k} in the topological ordering of G(i)\mathcal{G}^{(i)}. Therefore, their corresponding columns are after the columns of vdik(i)v^{(i)}_{d_{i}-k}. Hence, the only non-zero elements of G(i)\mathbf{G}^{(i)} are above its 3rd diagonal. This implies that G(i)\mathbf{G}^{(i)} has the form [(Idinγ2T+U(din)×(2(din)))Vn×(2n)]\begin{bmatrix}\left(\mathbf{I}_{d_{i}-n}\otimes\boldsymbol{\gamma}_{2}^{T}+\mathbf{U}^{(d_{i}-n)\times(2(d_{i}-n))}\right)&\mathbf{V}^{n\times(2n)}\end{bmatrix} and as shown U(din)×(2(din))\mathbf{U}^{(d_{i}-n)\times(2(d_{i}-n))} has non-zero elements only above the 3rd diagonal. This concludes the claim that G(i)\mathbf{G}^{(i)} is binary invertible.

Proof of Claim 4.8. We inductively prove that the value of the coordinate s2di2j+2s_{2d_{i}-2j+2} of s\mathbf{s} is equal to the value of the non-input node vjv_{j} in G(i)\mathcal{G}^{(i)} in the evaluation of \mathcal{C}_{i}(\boldsymbol{\underaccent{\bar}{x}}).

Induction Base. By the definition of \boldsymbol{\underaccent{\bar}{x}} we have that the coordinates (s2di2n+1,,s2din+1)(s_{2d_{i}-2n+1},\dots,s_{2d_{i}-n+1}) are equal to the input values.

Inductive Hypothesis. Assume that for any kk such that n<k<jn<k<j the value of the coordinate s2di2k+2s_{2d_{i}-2k+2} of s\mathbf{s} is equal to the value of the non-input node vkv_{k} in G(i)\mathcal{G}^{(i)} in the evaluation of \mathcal{C}_{k}(\boldsymbol{\underaccent{\bar}{x}}).

But, from inductive hypothesis we know that s2di2p1(j)+2s_{2d_{i}-2p_{1}(j)+2} and s2di2p2(j)+2s_{2d_{i}-2p_{2}(j)+2} take the correct values of vp1(j)v_{p_{1}(j)} and vp2(j)v_{p_{2}(j)} in the evaluation of \mathcal{C}_{i}(\boldsymbol{\underaccent{\bar}{x}}). Hence, from Equation (4.2) we immediately get that s2di2j+2s_{2d_{i}-2j+2} takes the value of node vjv_{j}. Similarly, we can show the inductive step for all other possible labels of vjv_{j}.

For j=dij=d_{i} the statement that we just proved through Induction implies that s_{2}=\mathcal{C}_{i}(\boldsymbol{\underaccent{\bar}{x}}).

We are finally ready to describe our matrix G\mathbf{G} and vector b\mathbf{b}. We remind that di=Cid_{i}=\lvert\mathcal{C}_{i}\rvert and we define di=dind^{\prime}_{i}=d_{i}-n. Let d=i=1ndid=\sum_{i=1}^{n}d^{\prime}_{i}. The matrix G\mathbf{G} is of dimension d×2(d+n)d\times 2(d+n). We remind that from Claim 4.7 matrices G(i)\mathbf{G}^{(i)} are binary invertible and hence let U(i)\mathbf{U}^{(i)} and V(i)\mathbf{V}^{(i)} the matrices that satisfy the equation

From the definition of G\mathbf{G} and Claim 4.7 it is immediate that G\mathbf{G} is binary invertible.

The matrix G\mathbf{G} defined in Equation (4.4) is binary invertible.

Additionally, let ki=2+j=1i1djk_{i}=2+\sum_{j=1}^{i-1}d^{\prime}_{j}, then the following claim is a simple corollary of Equations (4.4) and (4.5) and Claim 4.8.

The output of cSIS\mathsf{cSIS} on input (A(\mathbf{A}, G,b)\mathbf{G},\boldsymbol{b}) is one of the following:

This completes the hardness proof for q=4q=4.

Combining Lemma 4.4 and Lemma 4.5, we prove the main theorem of this section.

The cSIS\mathsf{cSIS} problem is PPP\mathsf{PPP}-complete.

We provide an example of our reduction for very simple circuit C\mathcal{C} in Figure 3.

Complete Collision Resistant Hash Function

The similarities between the cSIS\mathsf{cSIS} problem and SIS\mathsf{SIS} raise the question of whether cSIS\mathsf{cSIS} has cryptographic applications. In this section, we propose a candidate family of collision-resistant hash (CRH) functions based on the average-case hardness of the cSIS\mathsf{cSIS} problem, and also discuss its worst-case hardness. The computational problem weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} associated with our collision resistant hash function family is a variant of cSIS\mathsf{cSIS} presented in Section 4. In this case, the modular constraint are homogeneous, i.e. b=0\mathbf{b}=\mathbf{0}, and the inequality constraints on the dimension of the matrices are strict. This change in the relation of the parameters might seem insignificant, but it is actually very important since it transforms or problem into a purely lattice problem: On input matrices A,G\mathbf{A},\mathbf{G} with corresponding bases BA\mathbf{B}_{\mathbf{A}} and BG\mathbf{B}_{\mathbf{G}}, where G\mathbf{G} is binary invertible, find two vectors x\mathbf{x} and y\mathbf{y} such that x,yL(BG)\mathbf{x},\mathbf{y}\in\mathcal{L}(\mathbf{B}_{\mathbf{G}}) and xyL(BA)\mathbf{x}-\mathbf{y}\in\mathcal{L}(\mathbf{B}_{\mathbf{A}}). Our proof that weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} is PWPP\mathsf{PWPP}-complete, increases our hope that SIS\mathsf{SIS} is PWPP\mathsf{PWPP}-complete too, since it overcomes one important difficulty towards reducing weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} to SIS\mathsf{SIS}. We start with a formal definition of collision-resistant hash function.

Collision-Resistant Hash Functions: Let kk be the security parameter. A family of functions

where p(k)p(k) and p(k)p^{\prime}(k) are polynomials, is collision-resistant if:

(Shrinking) The output of \text{H}_{\boldsymbol{\underaccent{\bar}{s}}} is smaller than its input. Namely, p(k)<kp(k)<k.

(Efficient Sampling) There exists a probabilistic polynomial-time algorithm Gen\mathsf{Gen} that on input 1k1^{k} samples a uniform key \boldsymbol{\underaccent{\bar}{s}}.

(Efficient Evaluation) There exists a deterministic polynomial-time algorithm that on input a key \boldsymbol{\underaccent{\bar}{s}} and an \boldsymbol{\underaccent{\bar}{x}}\in\{0,1\}^{k} outputs \text{H}_{\boldsymbol{\underaccent{\bar}{s}}}(\boldsymbol{\underaccent{\bar}{x}})\in\{0,1\}^{p(k)}.

In the rest of this section, we analyze the hardness of finding collision in the HcSIS\mathcal{H}_{\mathsf{cSIS}} family. We call this problem weak-cSIS\mathsf{cSIS} (weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS}) because of its similar nature to cSIS\mathsf{cSIS}. First, we consider its worst-case hardness and draw connections between the family HcSIS\mathcal{H}_{\mathsf{cSIS}}, a restricted version of the cSIS\mathsf{cSIS} problem, and the complexity class PWPP\mathsf{PWPP}. Then, we move on to the average-case hardness of weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} and argue that it defines a canditate for a universal CRH function family.

The class Polynomial Weak Pigeon Principle PWPP\mathsf{PWPP} (a subclass of PPP\mathsf{PPP}) is particularly interesting for cryptography because it contains all collision-resistant hash functions. In this part, we show that a generalized version of the SIS\mathsf{SIS} problem we define below, namely weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS}, is complete for the class PWPP\mathsf{PWPP}.

weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} is in PWPP\mathsf{PWPP}.

Now, we move to the more challenging hardness proof. Even though some of the proof techniques are reminiscent of the ones in Section 4, we need new ideas, mainly because of the homogeneity of the constraints in weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS}. Before presenting the proof, we define a special version of COLLISION\mathsf{COLLISION} problem. Then, we state and prove an easy lemma. This lemma has appeared in various previous works (see Lemma 2.2 in [Jer16]), but it is useful for us to state and prove it using our notation.

Then, the following lemma is easy to check:

The COLLISION\mathsf{COLLISION} problem is Karp-reducible to COLLISIONκ2\mathsf{COLLISION}_{\kappa-2}.

First, we claim that it suffices to show that COLLISIONκ1\mathsf{COLLISION}_{\kappa-1} is Karp-reducible to COLLISIONκ2\mathsf{COLLISION}_{\kappa-2}. This is because every circuit C\mathcal{C} with κ\kappa inputs and mm outputs can be transformed into a circuit C\mathcal{C}^{\prime} with κ\kappa inputs and κ1\kappa-1 outputs by padding the output with zeros. We note that every collision of C\mathcal{C}^{\prime} is a collision of C\mathcal{C} .

Now, we show that COLLISIONκ1\mathsf{COLLISION}_{\kappa-1} is Karp-reducible to COLLISIONκ2\mathsf{COLLISION}_{\kappa-2}. Let C\mathcal{C} be a circuit with nn inputs and n1n-1 outputs, we create a new circuit C\mathcal{C}^{\prime} with n+1n+1 inputs and n1n-1 outputs such that \mathcal{C}^{\prime}(\boldsymbol{\underaccent{\bar}{x}},b)=\mathcal{C}(\mathcal{C}(\boldsymbol{\underaccent{\bar}{x}}),b), where \boldsymbol{\underaccent{\bar}{x}}\in\{0,1\}^{n} and b{0,1}b\in\{0,1\}. Then, COLLISIONκ2\mathsf{COLLISION}_{\kappa-2} with input C\mathcal{C}^{\prime} outputs \boldsymbol{\underaccent{\bar}{y}}_{1}=(\boldsymbol{\underaccent{\bar}{x}}_{1},b_{1}) and \boldsymbol{\underaccent{\bar}{y}}_{2}=(\boldsymbol{\underaccent{\bar}{x}}_{2},b_{2}) such that \boldsymbol{\underaccent{\bar}{y}}_{1}\neq\boldsymbol{\underaccent{\bar}{y}}_{2} and \mathcal{C}^{\prime}(\boldsymbol{\underaccent{\bar}{y}}_{1})=\mathcal{C}^{\prime}(\boldsymbol{\underaccent{\bar}{y}}_{2}). We consider the following possible cases:

b1b2b_{1}\neq b_{2}, then \boldsymbol{\underaccent{\bar}{y}}_{1} and \boldsymbol{\underaccent{\bar}{y}}_{2} form a collision for C\mathcal{C}.

b1=b2b_{1}=b_{2}, then \boldsymbol{\underaccent{\bar}{x}}_{1}\neq\boldsymbol{\underaccent{\bar}{x}}_{2} and one of the following holds: \mathcal{C}(\boldsymbol{\underaccent{\bar}{x}}_{1})\neq\mathcal{C}(\boldsymbol{\underaccent{\bar}{x}}_{2}) or \mathcal{C}(\boldsymbol{\underaccent{\bar}{x}}_{1})=\mathcal{C}(\boldsymbol{\underaccent{\bar}{x}}_{2}). In the first case, \boldsymbol{\underaccent{\bar}{y}}_{1} and \boldsymbol{\underaccent{\bar}{y}}_{2} form a collision for C\mathcal{C}. Otherwise, \boldsymbol{\underaccent{\bar}{x}}_{1} and \boldsymbol{\underaccent{\bar}{x}}_{2} form a collision for C\mathcal{C}.

The above lemma naturally generalizes to any polynomial shrinkage p(k)p(k) of the input by repeating the same construction. For our purposes shrinking the input by two bits is enough.

weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} is PWPP\mathsf{PWPP}-hard.

From Lemma 5.3, it suffices to show a Karp-reduction from COLLISIONκ2\mathsf{COLLISION}_{\kappa-2} to weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS}.

First, we observe that the fact that r=n2r=n-2 guarantees the existence of at least 6k/46\lfloor k/4\rfloor pairs of \boldsymbol{\underaccent{\bar}{x}}_{1} and \boldsymbol{\underaccent{\bar}{x}}_{2} such that \boldsymbol{\underaccent{\bar}{x}}_{1}\neq\boldsymbol{\underaccent{\bar}{x}}_{2} and \text{H}_{\boldsymbol{\underaccent{\bar}{s}}}(\boldsymbol{\underaccent{\bar}{x}}_{1})=\text{H}_{\boldsymbol{\underaccent{\bar}{s}}}(\boldsymbol{\underaccent{\bar}{x}}_{2}). In particular, there exist collision pairs such that \boldsymbol{\underaccent{\bar}{x}}_{1}\neq\boldsymbol{\underaccent{\bar}{0}} and \boldsymbol{\underaccent{\bar}{x}}_{2}\neq\boldsymbol{\underaccent{\bar}{0}}.

As we explained, without loss of generality, we assume that C\mathcal{C} consists of only {,,1}\{\vee,\oplus,1\} gates. Before starting with the reduction we change our circuit C\mathcal{C} to a circuit C\mathcal{C}^{\prime} such that any collision of C\mathcal{C}^{\prime} corresponds to a collision of C\mathcal{C}. We construct a circuit C\mathcal{C}^{\prime} such that it first computes the OR\mathsf{OR} of all the inputs, z=x1x2xnz=x_{1}\vee x_{2}\vee\cdots\vee x_{n}. Then, in the circuit’s graph we substitute the outgoing edges of nodes with label “11” with outgoing edges from the node zz, that we introduced. Hence, C\mathcal{C}’ only contains {,}\{\vee,\oplus\} gates. The next claim follows by construction of C\mathcal{C}^{\prime}.

For every \boldsymbol{\underaccent{\bar}{x}}\in\{0,1\}^{k}\setminus{\boldsymbol{\underaccent{\bar}{0}}}, it holds that \mathcal{C}^{\prime}(\boldsymbol{\underaccent{\bar}{x}})=\mathcal{C}(\boldsymbol{\underaccent{\bar}{x}}) and \mathcal{C}^{\prime}(\boldsymbol{\underaccent{\bar}{0}})=\boldsymbol{\underaccent{\bar}{0}}.

Let \boldsymbol{\underaccent{\bar}{x}}\in\{0,1\}^{k}\setminus{\boldsymbol{\underaccent{\bar}{0}}}, then for this input the value of the node zz that we introduced is certainly equal to 11. Since we replaced all the uses of the constant gate 11 with the output of zz and zz outputs one, the results of the circuit will be exactly the same. Also, it is easy to observe that any circuit with only {,}\{\vee,\oplus\} gates, on input \boldsymbol{\underaccent{\bar}{0}} outputs always \boldsymbol{\underaccent{\bar}{0}}, and hence \mathcal{C}^{\prime}(0)=\boldsymbol{\underaccent{\bar}{0}}. ∎

Let (\boldsymbol{\underaccent{\bar}{x}}_{1},\boldsymbol{\underaccent{\bar}{x}}_{2}) be a solution of weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} with \boldsymbol{\underaccent{\bar}{x}}_{1}\neq\boldsymbol{\underaccent{\bar}{0}} and \boldsymbol{\underaccent{\bar}{x}}_{2}\neq\boldsymbol{\underaccent{\bar}{0}}, then the pair \boldsymbol{\underaccent{\bar}{x}}_{1} and \boldsymbol{\underaccent{\bar}{x}}_{2} is a collision for C\mathcal{C}. But, we cannot guarantee that \boldsymbol{\underaccent{\bar}{x}}_{1}\neq\boldsymbol{\underaccent{\bar}{0}} and \boldsymbol{\underaccent{\bar}{x}}_{2}\neq\boldsymbol{\underaccent{\bar}{0}} when we use C\mathcal{C}^{\prime} as input for weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS}. Thus, we need a modification of C\mathcal{C}^{\prime} that guarantees that weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} will not return the \boldsymbol{\underaccent{\bar}{0}}-vector as part of a solution. To achieve this, we construct a new circuit C\mathcal{C}^{\prime\prime} that is exactly the same as C\mathcal{C}^{\prime} with one more output variable set to be equal to z=x1x2xnz=x_{1}\vee x_{2}\vee\dots\vee x_{n}. This last output of C\mathcal{C}^{\prime\prime} is equal to 11 if and only if \boldsymbol{\underaccent{\bar}{x}}\neq\boldsymbol{\underaccent{\bar}{0}}. Observe that the output of C\mathcal{C}^{\prime\prime} consists of n1n-1 bits, and hence C\mathcal{C}^{\prime\prime} still compresses its domain by one bit. Let (A,G)(\mathbf{A}^{\prime},\mathbf{G}^{\prime}) be the matrices corresponding to C\mathcal{C}^{\prime\prime} according to the construction of proof of Lemma 4.5, then \boldsymbol{\underaccent{\bar}{s}}^{\prime}=(\mathbf{A}^{\prime},\mathbf{G}^{\prime}) is a valid input for weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS}.

We conclude the proof by observing that every output of weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} with input \boldsymbol{\underaccent{\bar}{s}}^{\prime} gives a collision \mathcal{C}^{\prime\prime}(\boldsymbol{\underaccent{\bar}{x}})=\mathcal{C}^{\prime\prime}(\boldsymbol{\underaccent{\bar}{y}}), with \boldsymbol{\underaccent{\bar}{x}}\neq\boldsymbol{\underaccent{\bar}{y}}. If \boldsymbol{\underaccent{\bar}{x}}\neq\boldsymbol{\underaccent{\bar}{0}} and \boldsymbol{\underaccent{\bar}{y}}\neq\boldsymbol{\underaccent{\bar}{0}}, then it follows from Claim 5.6 and the construction of C\mathcal{C}^{\prime\prime} that \mathcal{C}(\boldsymbol{\underaccent{\bar}{x}})=\mathcal{C}(\boldsymbol{\underaccent{\bar}{y}}), and hence the pair \boldsymbol{\underaccent{\bar}{x}}, \boldsymbol{\underaccent{\bar}{y}} is a solution to our initial COLLISION\mathsf{COLLISION} instance. Additionally, there is no collision of the form \boldsymbol{\underaccent{\bar}{0}} and \boldsymbol{\underaccent{\bar}{x}}. Assume that there was, then since the last bit of \mathcal{C}^{\prime\prime}(\boldsymbol{\underaccent{\bar}{0}}) is , it must be that \mathcal{C}^{\prime\prime}(\boldsymbol{\underaccent{\bar}{x}}) is also . However, by construction of C\mathcal{C}^{\prime\prime}, \boldsymbol{\underaccent{\bar}{0}} is the unique binary vector for which the last bit of the output is , so it must be that \boldsymbol{\underaccent{\bar}{x}}=0 which is a contradiction. Therefore, \boldsymbol{\underaccent{\bar}{x}}\neq\boldsymbol{\underaccent{\bar}{0}} and \boldsymbol{\underaccent{\bar}{y}}\neq\boldsymbol{\underaccent{\bar}{0}}, and the lemma follows. ∎

By combining Lemma 5.2 and Lemma 5.4, we get the following theorem.

The weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} problem is PWPP\mathsf{PWPP}-complete.

In the previous section, we showed that weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} defines a worst-case collision resistant hash function, similar to the result of [Sel92] for one-way functions. However, the definition of collision-resistance in cryptography requires a stronger property. More specifically, it says that given a random chosen function in the family, it is hard to find a collision for this function. In this section, we investigate the average-case hardness of HcSIS\mathcal{H}_{\mathsf{cSIS}} in the search of a construction for a candidate of a both natural and universal collision-resistant hash function.

We have briefly mentioned the connection between HcSIS\mathcal{H}_{\mathsf{cSIS}} and SIS\mathsf{SIS}. Now, we describe it in more detail. We start by defining the SIS\mathsf{SIS} problem.

Finally we note that, since weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} is PWPP\mathsf{PWPP}-complete and PWPP\mathsf{PWPP} contains all collision-resistant hash functions, the following statement is also true.

If there exists a family of collision-resistant hash functions H\mathcal{H}, then there exists a distribution over keys \boldsymbol{\underaccent{\bar}{s}}\in\{0,1\}^{p(k)} for HcSIS\mathcal{H}_{\mathsf{cSIS}}, where Gen\mathsf{Gen} draws key from this distribution and HcSIS\mathcal{H}_{\mathsf{cSIS}} is collision-resistant.

Lattice Problems and 𝗣𝗣𝗣𝗣𝗣𝗣\boldsymbol{\mathsf{PPP}}

The lattice nature of the cSIS\mathsf{cSIS} problem raises also the next question:

What is the connection between the class PPP\mathsf{PPP} and lattices?

In this section we present the known result for the lattice problems that are contained in PPP\mathsf{PPP} and we also mention how some of these results are implied by the completeness results that we presented in the previous sections. We start with the formal definition of the lattice problems that we are interested in.

Lattice Problems. We recall some of the most important lattice problems: the Shortest Vector Problem (γ\mathchar45SVP\gamma\mathchar 45\relax\mathsf{SVP}), the Shortest Independent Vectors Problem (γ\mathchar45SIVP\gamma\mathchar 45\relax\mathsf{SIVP}) and the Closest Vector Problem (γ\mathchar45CVP\gamma\mathchar 45\relax\mathsf{CVP}). We start by defining some important lattice quantities. For a lattice L\mathcal{L},

where vi=λi(L(B))\lVert\mathbf{v}_{i}\rVert=\lambda_{i}(\mathcal{L}(\mathbf{B})).

Where γ(n)1\gamma(n)\geq 1 is a non-decreasing function in the lattice dimension nn. For γ=1\gamma=1 we get the exact version of the problem.

We now show that well-studied (approximation) lattice problems are contained in PPP\mathsf{PPP}. First, we define the MINKOWSKI\mathsf{MINKOWSKI} problem and show a reduction to BLICHFELDT\mathsf{BLICHFELDT}. Second, using known reductions, we conclude the membership of other lattice problems to PPP\mathsf{PPP}.

For p1p\geq 1 and p=p=\infty, MINKOWSKIp\mathsf{MINKOWSKI}_{p} is in PPP\mathsf{PPP}.

For any p1p\geq 1 it holds that xn1/pxp\lVert\mathbf{x}\rVert_{\infty}\leq n^{1/p}\lVert\mathbf{x}\rVert_{p}. This implies a Karp-reduction from MINKOWSKIp\mathsf{MINKOWSKI}_{p} to MINKOWSKI\mathsf{MINKOWSKI}_{\infty}. Hence, it suffices to show a Karp-reduction from MINKOWSKI\mathsf{MINKOWSKI}_{\infty} to BLICHFELDT\mathsf{BLICHFELDT}.

To show that B\mathbf{B} and SS are a valid input for BLICHFELDT\mathsf{BLICHFELDT}, we need to show Sdet(L)(det(L)1/n+1)ndet(L)1/n+1\lvert S\rvert\geq\det(\mathcal{L})\Rightarrow(\lfloor\det(\mathcal{L})^{1/n}\rfloor+1)^{n}\geq\det(\mathcal{L})^{1/n}+1. This follows from the next claim for x=det(L)x=\det(\mathcal{L}).

Finally, BLICHFELDT\mathsf{BLICHFELDT} on input B\mathbf{B} and SS will output one of following:

a vector x\mathbf{x} such that xSL\mathbf{x}\in S\cap\mathcal{L}. Since xS\mathbf{x}\in S, we get xdet(L)1/n\lVert x\rVert_{\infty}\leq\det(\mathcal{L})^{1/n}. Hence, x\boldsymbol{x} is a solution to MINKOWSKI\mathsf{MINKOWSKI}_{\infty}.

MINKOWSKI2\mathsf{MINKOWSKI}_{2} is in PPP\mathsf{PPP}.

Furthermore, there are known connections between γ\mathchar45SVP\gamma\mathchar 45\relax\mathsf{SVP} with polynomial approximation factor and the class PPP\mathsf{PPP}. Specifically, it is known that n\mathchar45SVPn\mathchar 45\relax\mathsf{SVP} is Cook-reducible to MINKOWSKI\mathsf{MINKOWSKI}_{\infty} (see [Rot16, Theorem 1.23]).

This, along with the reduction from γ\mathchar45SVP\gamma\mathchar 45\relax\mathsf{SVP} to nγ2\mathchar45CVP\sqrt{n}\gamma^{2}\mathchar 45\relax\mathsf{CVP} in [SD15] (for γ=n\gamma=n) and Lemma 6.1, implies the following.

n\mathchar45SVPn\mathchar 45\relax\mathsf{SVP} and n2.5\mathchar45CVPn^{2.5}\mathchar 45\relax\mathsf{CVP} are Cook-reducible to BLICHFELDT\mathsf{BLICHFELDT}.

A special type of lattices, that have gained a lot of attention due to their efficiency in cryptographic applications, are ideal lattices. The definition and cryptographic applications of ideal lattices are outside the scope of this work and can be found in [LPR13]. But, we include the following lemma, which needs only the basic fact that λ1(L)=λ2(L)==λn(L)\lambda_{1}(\mathcal{L})=\lambda_{2}(\mathcal{L})=\dots=\lambda_{n}(\mathcal{L}) in ideal lattices, where λi\lambda_{i} is the length of the ii-th linearly independent vector. Let us denote by γ\mathchar45iSVP\gamma\mathchar 45\relax\mathsf{iSVP} the shortest vector problem on ideal lattices.

n\mathchar45iSVP\sqrt{n}\mathchar 45\relax\mathsf{iSVP} is in PPP\mathsf{PPP}.

For ideal lattices, it holds that λ1(L)=λ2(L)==λn(L)\lambda_{1}(\mathcal{L})=\lambda_{2}(\mathcal{L})=\dots=\lambda_{n}(\mathcal{L}). Minkowski’s second Theorem states that

Hence, on ideal lattices λ1det(L)1/n\lambda_{1}\geq\det(\mathcal{L})^{1/n}. Combining this with the first Minkowski’s theorem, that states that λ1ndet(L)1/n\lambda_{1}\leq\sqrt{n}\det(\mathcal{L})^{1/n}, we get that MINKOWSKI2\mathsf{MINKOWSKI}_{2} with input L\mathcal{L} solves n\mathchar45SVP\sqrt{n}\mathchar 45\relax\mathsf{SVP} of L\mathcal{L}. ∎

Cryptographic Assumptions in 𝗣𝗣𝗣𝗣𝗣𝗣\boldsymbol{\mathsf{PPP}}

Additionally, recently it was shown that integer factorization is in PPP\mathsf{PPP} [Jer16]. In fact, Jeřábek [Jer16] showed that integer factorization lies in PWPPPPA\mathsf{PWPP}\cap\mathsf{PPA}, which gives strong evidence that factoring is not PPP\mathsf{PPP}-complete.

We extend the connections between cryptographic assumptions and PPP\mathsf{PPP} by presenting a more general formulation of discrete logarithm and showing its membership to PPP\mathsf{PPP}. We call this formulation discrete logarithm over general groups.

the polynomial-size circuit for the group operation function ff.

a binary vector \boldsymbol{\underaccent{\bar}{x}} such that \mathcal{C}(\boldsymbol{\underaccent{\bar}{x}})=\boldsymbol{\underaccent{\bar}{0}}.

two binary vectors \boldsymbol{\underaccent{\bar}{x}}, \boldsymbol{\underaccent{\bar}{y}} such that \boldsymbol{\underaccent{\bar}{x}}\neq\boldsymbol{\underaccent{\bar}{y}} and \mathcal{C}(\boldsymbol{\underaccent{\bar}{x}})=\mathcal{C}(\boldsymbol{\underaccent{\bar}{y}}).

We note that it is not known if elliptic curves are general groups, and hence discrete logarithm over general elliptic curves is not known to belong in PPP\mathsf{PPP} (see Open Problem 1.5).

Acknowledgements

We thank the anonymous FOCS reviewers for their helpful comments. We thank an anonymous reviewer and Nico Döttling for bringing in our attention a universal CRH following Levin’s paradigm. We thank Vinod Vaikuntanathan, Daniel Wichs and Constantinos Daskalakis for helpful and enlightening discussions. We thank Christos-Alexandros Psomas and his coauthors for sharing their unpublished manuscript [BJP+15]. MZ also thanks Christos-Alexandros Psomas and Christos Papadimitriou for many fruitful discussions during his visit to Simons Institute at Berkeley at Fall 2015.

References

Appendix A Missing Proofs

We give a summary of the notation that we use for the parameters of cSIS\mathsf{cSIS} and weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} (or HcSIS\mathcal{H}_{\mathsf{cSIS}}).

Also, the known relations between these quantities for a valid cSIS\mathsf{cSIS} or weak\mathchar45cSIS\mathsf{weak\mathchar 45\relax cSIS} input are:

Appendix C Universal Collision Resistant Hash Function Family

We sketch the construction of a universal (average-case hard) hash function, following Levin’s paradigm [Lev87] for a universal one-way function. Let hh be a hash function family that takes two inputs a key kk and a vector x{0,1}nx\in\{0,1\}^{n}, and compresses the input xx by one bit, i.e. h(k,x){0,1}n1h(k,x)\in\{0,1\}^{n-1}. Let p()p(\cdot) be a polynomial that bounds the running time of h(k,)h(k,\cdot). First, using padding on the input we argue the existence of a hash function family hh^{\prime} that is defined as

such that xy=p(x)|x\circ y|=p(|x|). This implies that h(k,)h^{\prime}(k,\cdot) runs in quadratic time in xy|x\circ y| (see [Gol06, §2.4.1]). Second, using standard domain extension we argue the existence of a hash function family hh^{\prime\prime} that compresses the input for more than one bits, i.e. h:{0,1}n{0,1}n1h^{\prime\prime}:\{0,1\}^{n^{\prime}}\rightarrow\{0,1\}^{n-1} (we exclude the key kk from the description of the domain). Specifically, we require that the compressing ratio is enough so that the concatenation of mm copies of h(k,)h^{\prime\prime}(k,\cdot) is smaller than the input, meaning that n>m(p(n)1)n^{\prime}>m\cdot\left(p(n)-1\right). Let p()p^{\prime\prime}(\cdot) be a polynomial that bounds the running time of hh^{\prime\prime}. The hash function h(k,)h^{\prime}(k,\cdot) runs in time quadratic to its input, and using this fact, p()p^{\prime\prime}(\cdot) can be made explicit depending on the length of the extended domain that we require from hh^{\prime\prime}, once that length is explicitly specified. This is enough to get an upper bound for the running time of h(k,)h^{\prime\prime}(k,\cdot).

The universal hash function is described by a collection of 2m+12\cdot m+1 strings:

The numbers i1,,imi_{1},\ldots,i_{m} (represented as strings) are the indices to Turing Machines (assume a canonical ordering of TMs) that describe mm different hash function families hij:{0,1}n{0,1}n1h^{\prime\prime}_{i_{j}}:\{0,1\}^{n^{\prime}}\rightarrow\{0,1\}^{n-1}, j=1,,mj=1,\ldots,m. The keys kjk_{j} define the hash functions hij(kj,)h^{\prime\prime}_{i_{j}}(k_{j},\cdot). Finally, for j=1,,mj=1,\ldots,m, we run each hij(kj,x)h^{\prime\prime}_{i_{j}}(k_{j},x) for at most p(x)p^{\prime\prime}(|x|) steps and output:

If hij(kj,x)h^{\prime\prime}_{i_{j}}(k_{j},x) does not terminate after p(x)p^{\prime\prime}(|x|), we output \bot for that jj. We can see that if at least one hash function family hijh^{\prime\prime}_{i_{j}} is collision-resistant, then so is hunih_{\mathsf{uni}}. At a high level, if at least one hash function family hijh_{i_{j}} is collision-resistant then so is hijh^{\prime}_{i_{j}}, and moreover so is hijh^{\prime\prime}_{i_{j}} by the security of domain extension (e.g. Merkle–Damgård). Without loss of generality we assume that all families hijh^{\prime\prime}_{i_{j}} are defined on the same domain and range. Finally, the simple hash function combiner in which we concatenate the output of mm different hash functions hij(kj,)h^{\prime\prime}_{i_{j}}(k_{j},\cdot), is collision-resistant as long as at least one hash function family hijh^{\prime\prime}_{i_{j}} is collision-resistant.