Abstract
The Fiat-Shamir transform is a methodology for compiling a (public-coin) interactive proof system for a language L into a non-interactive argument system for L. Proving security of the Fiat-Shamir transform in the standard model, especially in the context of succinct arguments, is largely an unsolved problem. The work of Canetti et al. (STOC 2019) proved the security of the Fiat-Shamir transform applied to the Goldwasser-Kalai-Rothblum (STOC 2008) succinct interactive proof system under a very strong “optimal learning with errors” assumption. Achieving a similar result under standard assumptions remains an important open question.
In this work, we consider the problem of compiling a different succinct interactive proof system: Pietrzak’s proof system (ITCS 2019) for the iterated squaring problem. We construct a hash function family (with evaluation time roughly \(2^{\lambda ^{\epsilon }}\)) that guarantees the soundness of Fiat-Shamir for this protocol assuming the sub-exponential (\(2^{-n^{1-\epsilon }}\))-hardness of the n-dimensional learning with errors problem. (The latter follows from the worst-case \(2^{n^{1-\epsilon }}\) hardness of lattice problems.) More generally, we extend the “bad-challenge function” methodology of Canetti et al. for proving the soundness of Fiat-Shamir to a class of protocols whose bad-challenge functions are not efficiently computable.
As a corollary (following Choudhuri et al., ePrint 2019 and Ephraim et al., EUROCRYPT 2020), we construct hard-on-average problems in the complexity class \(\mathbf {CLS}\subset \mathbf {PPAD}\) under the \(2^{\lambda ^\epsilon }\)-hardness of the repeated squaring problem and the \(2^{-n^{1-\epsilon }}\)-hardness of the learning with errors problem. Under the additional assumption that the repeated squaring problem is “inherently sequential”, we also obtain a Verifiable Delay Function (Boneh et al., EUROCRYPT 2018) in the standard model. Finally, we give additional PPAD-hardness and VDF instantiations demonstrating a broader tradeoff between the strength of the repeated squaring assumption and the strength of the lattice assumption.
A. Lombardi—Research supported in part by an NDSEG fellowship and by the second author’s grants listed below.
V. Vaikuntanathan—Research was supported in part by NSF Grants CNS- 1350619 and CNS-1414119, an NSF-BSF grant CNS-1718161, the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226 and W911NF-15-C-0236, an IBM-MIT grant and a Microsoft Trustworthy and Robust AI grant.
1 Reference to Full Version
The full version of this paper [LV20] is freely available on the Cryptology ePrint Archive. We refer the reader to this version for a complete description of our results and proofs.
2 Introduction
The Fiat-Shamir transform [FS86] is a methodology for compiling a public-coin interactive proof (or argument) system for a language L into a non-interactive argument system for L. While originally developed in order to convert 3-message identification schemes into signature schemes, the methodology readily generalized [BR93] to apply to a broad, expressive class of interactive protocols, with applications including non-interactive zero knowledge for \(\mathbf {NP}\) [BR93], succinct non-interactive arguments for \(\mathbf {NP}\) [Mic00, BCS16], and widely used/practically efficient signature schemes [Sch89].
However, these constructions and results come with a big caveat: the security of the Fiat-Shamir transformation is typically heuristic. While the transformation has been proved secure (in high generality) in the random oracle model [BR93, PS96, Mic00, BCS16], it is known that some properties that hold in the random oracle model – including the soundness of Fiat-Shamir for certain contrived interactive arguments – cannot be instantiated at all in the standard model [CGH04, DNRS99, Bar01, GK03, BBH+19].
Given these negative results, security in the random oracle model is by no means the end of the story. Indeed, the question of whether Fiat-Shamir can be instantiated for any given interactive argument system (and under what computational assumptions this can be done) has been a major research direction over the last twenty years [DNRS99, Bar01, GK03, BLV06, CCR16, KRR17, CCRR18, HL18, CCH+19, PS19, BBH+19, BFJ+19, JJ19, LVW19]. After much recent work, some positive results are known, falling into three categories (in the decreasing order of strength of assumptions required):
-
1.
We can compile arbitrary (constant-round, public-coin) interactive proofs under extremely strong assumptions [KRR17, CCRR18] that are non-falsifiable in the sense of [Nao03].
-
2.
We can compile certain succinct interactive proofs [LFKN92, GKR08] – and variants of other interactive proofs not captured in item (3) below, such as [GMW91] – under extremely strong but falsifiable assumptions [CCH+19].
-
3.
We can compile variants of some classical 3-message zero knowledge proof systems [GMR85, Blu86, FLS99] under standard cryptographic assumptions [CCH+19, PS19].
Elaborating on item (2) above, what is currently known is that the sumcheck protocol [LFKN92] and the related Goldwasser-Kalai-Rothblum (GKR) [GKR08] interactive proof system can be compiled under an “optimal security assumption” related to (secret-key) Regev encryption. Roughly speaking, an optimal hardness assumption is the assumption that some search problem cannot be solved with probability significantly better than repeatedly guessing a solution at random. This is an extremely strong assumption that (in the context of Regev encryption) requires careful parameter settings to avoid being trivially false.
In this work, we focus on improving item (2); in particular, we ask:
Instead of considering the [LFKN92, GKR08] protocols, we work on compiling a protocol of Pietrzak [Pie18] for the “repeated-squaring language” [RSW96]. At a high level, Pietrzak constructs a “sumcheck-like” succinct interactive proof system for the computation \(f_{N, g}(T) = g^{2^T} \pmod N\) over an RSA modulus \(N = pq\). Compiling this protocol turns out to have applications related to verifiable delay functions (VDFs) [BBBF18] and hardness in the complexity class \(\mathbf {PPAD}\) [CHK+19a, CHK+19b, EFKP19], which we elaborate on below.
Applications. We consider two apparently different questions: the first is that of establishing the hardness of the complexity class \(\mathbf {PPAD}\) (“polynomial parity arguments on directed graphs”) [Pap94] that captures the hardness of finding Nash equilibria in bimatrix games [DGP09, CDT09]; the second is that of constructing verifiable delay functions (VDFs), a recently introduced cryptographic primitive [BBBF18] which gives us a way to introduce delays in decentralized applications such as blockchains.
The Hardness of \(\mathbf {PPAD}\). Establishing the hardness of \(\mathbf {PPAD}\) [Pap94], possibly under cryptographic assumptions, is a long-standing question in the foundations of cryptography and computational game theory. After two decades of little progress on the question, a recent sequence of works [BPR15, HY17, CHK+19a, CHK+19b, EFKP19] has managed to prove that there are problems in \(\mathbf {PPAD}\) (and indeed a smaller complexity class, \(\mathbf {CLS}\) [DP11]) that are hard (even on average) under strong cryptographic assumptions. The results so far fall roughly into two categories, depending on the techniques used.
-
1.
Program Obfuscation. Bitansky, Paneth and Rosen [BPR15], inspired by an approach outlined in [AKV04], showed that \(\mathbf {PPAD}\) is hard assuming the existence of subexponentially secure indistinguishability obfuscation (IO) [BGI+01, GGH+13] and one-way functions. This was later improved [GPS16, HY17] to rely on polynomially-secure functional encryption and to give hardness in \(\mathbf {CLS}\subset \mathbf {PPAD}\).
-
2.
Unambiguously Sound Incrementally Verifiable Computation. The recent beautiful work [CHK+19a] constructs a hard-on-average \(\mathbf {CLS}\) instance assuming the existence of a special kind of incrementally verifiable computation (IVC) [Val08]. Instantiating this approach, they show that \(\mathbf {CLS}\subset \mathbf {PPAD}\) is hard-on-average if there exists a hash function family that soundly instantiates the Fiat-Shamir heuristic [FS86] for the sumcheck interactive proof system for \(\mathsf {\#P}\) [LFKN92]. Two follow-up works [CHK+19b, EFKP19] show the same conclusion if Fiat-Shamir for Pietrzak’s interactive proof system [Pie18] can be soundly instantiated (and if the underlying “repeated squaring language” is hard).
Regarding the first approach [BPR15, GPS16, HY17], secure indistinguishability obfuscators have recently been constructed based on the veracity of a number of non-standard assumptions (see, e.g., [AJL+19, BDGM20]). Regarding the second approach [CHK+19a, CHK+19b, EFKP19], the hash function can be instantiated in the random oracle model, or under “optimal KDM-security” assumptions [CCRR18, CCH+19].
In summary, despite substantial effort, there are no known constructions of hard \(\mathbf {PPAD}\) instances from standard cryptographic assumptions (although see Section 2.3 for a recent independent work [KPY20] that shows such a result under a new assumption on bilinear groups).
Verifiable Delay Functions. A Verifiable Delay Function (VDF) [BBBF18] is a function f with the following properties:
-
f can be evaluated in some (moderately large) time T.
-
Computing f (on average) requires time close to T, even given a large amount of parallelism.
-
There is a time \(T + o(T)\) procedure that computes \(y=f(x)\) on an input x along with a proof \(\pi \) that \(y=f(x)\) is computed correctly. This proof (argument) system should be verifiable in time \(\ll T\) (ideally \(\mathrm {poly}(\lambda , \log T))\)) and satisfy standard (computational) soundness.
Since their introduction [BBBF18], there have been a few proposed candidate VDF constructions [BBBF18, Pie18, Wes19, dFMPS19, EFKP19]. There are currently no constructions based on standard cryptographic assumptions, but this is somewhat inherent to the primitive: a secure VDF implies the existence of a problem which can be solved in time T and also requires (sequential) time close to T. Nonetheless, one can askFootnote 1 whether VDFs can be constructed from “more standard-looking” assumptions, a question partially answered by [Pie18, Wes19]. In particular, each of their constructions relies on two assumptions:
-
(1)
The T-repeated squaring problem [RSW96] requires sequential time close to T.
-
(2)
The Fiat-Shamir heuristic for some specific public-coin interactive proof/argumentFootnote 2 can be soundly instantiated.
The techniques used in both the construction of hard \(\mathbf {PPAD}\) instances and the construction of VDFs are similar, and so are the underlying assumptions (this is due to the connection between \(\mathbf {PPAD}\) and incrementally verifiable computation [Val08, CHK+19a]). In particular, the works of [CHK+19b, EFKP19] construct hard \(\mathbf {PPAD}\) (and even \(\mathbf {CLS}\)) instances under two assumptions:
- (1\({}^\prime \)):
-
The T-repeated squaring problem [RSW96] requires super-polynomial (standard) time for some \(T = \lambda ^{\omega (1)}\).
- (2\({}^\prime \)):
-
The Fiat-Shamir heuristic for a variant of the [Pie18] interactive proof system can be soundly instantiated.
The assumption (1) (and its weakening, assumption \((1^\prime )\)) is the foundation of the Rivest-Shamir-Wagner time-lock puzzle [RSW96] and has been around for over 20 years. In particular, breaking the RSW assumption has received renewed cryptanalytic interest recently [Riv99, Fab19].
On the other hand, as previously discussed, the assumptions \((2, 2')\) are not well understood. Indeed, our main question about Fiat-Shamir for succinct arguments (if specialized to the [Pie18] protocol) is intimately related to the following question.
2.1 Our Results
We show how to instantiate the Fiat-Shamir heuristic for the [Pie18] protocol under a quantitatively strong (but relatively standard) variant of the Learning with Errors (\(\mathsf {LWE}\)) assumption [Reg09]. We give a family of constructions of hash functions that run in subexponential (or even quasi-polynomial or polynomial) time, and prove that they soundly instantiate Fiat-Shamir for this protocol under a sufficiently strong \(\mathsf {LWE}\) assumption.
More generally, we extend the “bad-challenge function” methodology of [CCH+19] for proving the soundness of Fiat-Shamir to a class of protocols whose bad-challenge functions are not efficiently computable. We elaborate on this below in the technical overview (Sect. 2.4).
As a consequence, we obtain \(\mathbf {CLS}\)-hardness and VDFs from a pair of quantitatively related assumptions on the [RSW96] repeated squaring problem and on the learning with errors (\(\mathsf {LWE}\)) problem [Reg09]; the latter can in turn be based on the worst-case hardness of the (approximate) shortest vector problem (GapSVP) on lattices. In particular, we can base the hardness of \(\mathbf {CLS}\subset \mathbf {PPAD}\), as well as the security of a VDF, on the hardness of two relatively well-studied problems.
Fiat-Shamir for Pietrzak’s Protocol. For our main result, we show that for any \(\epsilon > 0\), an \(\mathsf {LWE}\) assumption of quantitative strength \(2^{n^{1-\epsilon }}\) allows for a Fiat-Shamir instantiation with verification runtime \(2^{\tilde{O}(n^\epsilon )}\) on a repeated squaring instance with security parameter \(\lambda = O(n\log n)\). Such a result is meaningful as long as the verification runtime is smaller than the time it takes to solve the repeated squaring problem; the current best known algorithms for repeated squaring run in heuristic time \(2^{\tilde{O}(\lambda ^{ 1/3})} = 2^{\tilde{O}(n^{ 1/3})}\) [LLMP90].
Here and throughout the paper, we will use \((t, \delta )\)-hardness to denote that a cryptographic problem is hard for t-time algorithms to solve with \(\delta \) probability (or distinguishing advantage).
Theorem 2.1
Let \(\epsilon > 0\) be arbitrary. Assume that (decision) \(\mathsf {LWE}\) is \(\Big (2^{\tilde{O}(n^{1/2})}, 2^{-n^{1-\epsilon }}\Big )\)-hard (or alternatively, \(\left( 2^{\tilde{O}(n^{\epsilon })}, 2^{-n^{1-\epsilon }}\right) \)-hard for non-uniform algorithms). Then, there exists a hash family \(\mathcal {H}\) that soundly instantiates the Fiat-Shamir heuristic for Pietrzak’s interactive proof system [Pie18]. When the proof system is instantiated for repeated squaring over groups of size \(2^{O(\lambda )}\) with \(\lambda = O(n\log n)\), the hash function h from the family \(\mathcal {H}\) can be evaluated in time \(2^{\tilde{O}(\lambda ^\epsilon )}\).
Under the assumption that (decision) \(\mathsf {LWE}\) is \(\left( 2^{\tilde{O}(n^{1/2})}, 2^{-\frac{n}{\log ^c n}}\right) \)-hard for some constant \(c>0\) (or alternatively, \(\left( \mathsf {quasipoly}(n), 2^{-\frac{n}{\log ^c n}}\right) \)-hard for non-uniform algorithms), there exists such a hash family \(\mathcal {H}\) with quasi-polynomial evaluation time.
Moreover, the \(\mathsf {LWE}\) assumption that we make falls into the parameter regime where we know worst-case to average-case reductions [Reg09, BLP+13, PRS17], so we obtain the following corollary.
Corollary 2.1
The conclusions of Theorem 2.1 (with parameter \(\epsilon < \frac{1}{2}\)) follow from the assumption that the worst case problem \(\mathrm {poly}(n)\)-GapSVP for rank n lattices requires time \(2^{ \omega (n^{1-\epsilon })}\). Similarly, the protocol with quasi-polynomial verification time is sound under the assumption that \(\mathrm {poly}(n)\)-GapSVP requires time \(2^{\frac{n}{\log (n)^c}}\) for some \(c>0\).
The Shortest Vector Problem (SVP) on integer lattices is a well-studied problem (see discussion in [Pei16, ADRS15]); despite a substantial effort, all known \(\mathrm {poly}(n)\)-approximation algorithms for the problem have exponential run-time \(2^{\Omega (n)}\). As a result, our current understanding of the approximate-SVP landscape is consistent with the following conjecture.
Conjecture 2.1
(Exponential Time Hypothesis for GapSVP). For any fixed \(\gamma (n) = \mathrm {poly}(n)\), the \(\gamma (n)\)-GapSVP problem cannot be solved in time \(2^{o(n)}\).
Assuming Conjecture 2.1, the conclusion of Theorem 2.1 holds for every \(\epsilon > 0\); moreover, the variant of the Theorem 2.1 protocol with quasi-polynomial time evaluation is sound as well.
What about polynomial-time verification? Given a non-interactive protocol for repeated squaring with \(2^{\tilde{O}(\lambda ^\epsilon )}\) verification time (or quasi-polynomial evaluation time), one can always define a new security parameter \(\kappa = 2^{\tilde{O}(\lambda ^\epsilon )}\) (or \(\kappa = 2^{\log (\lambda )^c}\)) to obtain a protocol with polynomial-time verification. However, this makes use of complexity leveraging [CGGM00], so (i) this requires making the assumption that repeated squaring (on instances with security parameter \(\lambda \)) is hard for \(\mathrm {poly}(\kappa (\lambda ))\)-time adversaries, and (ii) the resulting protocol cannot have security subexponential in \(\kappa \).
If one does not wish to use complexity leveraging, we give an alternative construction that has (natively) polynomial-time verification, at the cost of a stronger LWE assumption.
Theorem 2.2
Let \(\delta > 0\) be arbitrary and \(q(n) = \mathrm {poly}(n)\) be a fixed (sufficiently large) polynomial in n. Assume that (decision) \(\mathsf {LWE}\) is \(\Big (\mathrm {poly}(n), q^{-\delta n}\Big )\)-hard for non-uniform distinguishers (or \(\Big (2^{\tilde{O}(n^{1/2})}, q^{-\delta n}\Big )\)-hard for uniform distinguishers). Then, there exists a hash family \(\mathcal {H}\) that soundly instantiates the Fiat-Shamir heuristic for Pietrzak’s interactive proof system [Pie18] with \(\mathrm {poly}(\lambda ) = \mathrm {poly}(n\log n)\)-time verification. More specifically, the verification time is \(\lambda ^{O(1/\delta )}\).
Moreover, this strong LWE assumption still falls into the parameter regime with a meaningful worst-case to average-case reduction:
Corollary 2.2
The conclusion of Theorem 2.2 follows from the assumption that worst-case \(\gamma (n)\)-GapSVP (for a fixed \(\gamma (n) = \mathrm {poly}(n)\)) cannot be solved in time \(n^{o(n)}\) with \(\mathrm {poly}(n)\) space and \(\mathrm {poly}(n)\) bits of nonuniform advice (independent of the lattice).
Polynomial-space algorithms for GapSVP have themselves been an object of study for over 25 years [Kan83, KF16, BLS16, ABF+20], but the current best (poly-space) algorithms for this problem run in time \(n^{\Omega (\epsilon n)}\) for approximation factor \(n^{1/\epsilon }\). Therefore, under a sufficiently strong (and plausible) worst-case assumption about GapSVP, we have a polynomial-time Fiat-Shamir compiler without complexity leveraging.
By combining Theorems 2.1 and 2.2 with the results of [CHK+19b, EFKP19], we obtain the following construction of hard-on-average \(\mathbf {CLS}\) instances.
Theorem 2.3
For a constant \(\epsilon > 0\), suppose that
-
n-dimensional \(\mathsf {LWE}\) (with polynomial modulus) is \( \left( 2^{\tilde{O}(n^{1/2})}, 2^{-n^{1-\epsilon }}\right) \)-hard, and
-
The repeated squaring problem on an instance of size \(2^\lambda \) requires \(2^{\lambda ^{\epsilon } \log (\lambda )^{\omega (1)}}\) time.
Then, there is a hard-on-average problem in \(\mathbf {CLS}\subset \mathbf {PPAD}\). The same conclusion holds if for some \(c>0\),
-
\(\mathsf {LWE}\) is \( \left( 2^{\tilde{O}(n^{1/2})}, 2^{-\frac{n}{\log (n)^c}}\right) \)-hard, and
-
The repeated squaring problem is hard for quasi-polynomial time algorithms.
The same conclusion also holds if for some \(\delta > 0\),
-
\(\mathsf {LWE}\) is \(\Big (\mathrm {poly}(n), q^{-\delta n}\Big )\)-hard for non-uniform distinguishers, and
-
The repeated squaring problem is hard for polynomial time algorithms.
We obtain Theorem 2.3 by plugging our standard model Fiat-Shamir instantiation into the complexity-theoretic reduction of [CHK+19b].Footnote 3 For use in this reduction, our non-interactive protocol must satisfy a stronger security notion called (adaptive) unambiguous soundness [RRR16, CHK+19a], which we show is indeed the case.
Note that the two hardness assumptions in the theorem statement are in opposition to each other. As \(\epsilon \) becomes smaller, the repeated squaring assumption becomes weaker, but the LWE assumption becomes stronger. In particular, we cannot set \(\epsilon \ge 1/3\) as there are known algorithms [LLMP90] solving repeated squaring in (heuristic) time \(2^{\widetilde{O}(\lambda ^{1/3})}\).
Additionally, as a direct consequence of Theorem 2.1, we obtain VDFs in the standard model as long as the underlying repeated squaring problem is sufficiently (sequentially) hard. Recall that the repeated squaring problem [RSW96] is the computation of the function \(f_{N,g}(T) = g^{2^T}\) (mod N), for the appropriate distribution on \(N = pq\) and g.
Theorem 2.4
For a constant \(\epsilon > 0\), suppose that
-
\(\mathsf {LWE}\) is \( \left( 2^{\tilde{O}(n^{1/2})}, 2^{-n^{1-\epsilon }}\right) \)-hard, and
-
The repeated squaring problem [RSW96] over groups of size \(2^{O(\lambda )}\) requires \(T(1-o(1))\) sequential time for \(T \gg 2^{\tilde{O}(\lambda ^{\epsilon })}\).
Then, the repeated squaring function \(f_{N, g}\) can be made into a VDF with verification time \(2^{\tilde{O}(\lambda ^\epsilon )}\) on groups of size \(2^{O(\lambda )}\) (with \(\lambda = O(n\log n)\)). Similarly, if for some \(c>0\),
-
\(\mathsf {LWE}\) is \( \left( 2^{\tilde{O}(n^{1/2})}, 2^{-\frac{n}{\log (n)^c}}\right) \)-hard, and
-
The repeated squaring problem requires \(T(1-o(1))\) sequential time for \(T \gg 2^{\tilde{O}(\log (\lambda )^{c+1})}\),
Then, \(f_{N, g}\) can be made into a VDF with verification time \(2^{\tilde{O}(\log (\lambda )^{c+1})}\). Finally, if for some \(\delta > 0\),
-
\(\mathsf {LWE}\) (with modulus q) is \(\Big (\mathrm {poly}(n), q^{-\delta n}\Big )\)-hard for non-uniform distinguishers, and
-
The repeated squaring problem requires \(T(1-o(1))\) sequential time for all \(T = \mathrm {poly}(\lambda )\).
Then, \(f_{N,g}\) can be made into a VDF with \(\lambda ^{O(1/\delta )}\)-time verification.
Theorem 2.4 follows immediately from Theorem 2.1 along with the construction of Pietrzak [Pie18]. While many of the VDFs in Theorem 2.4 have super-polynomial verification time (and therefore do not fit the standard definition), they can be converted into (standard) VDFs with polynomial verification time via complexity leveraging; however, the leveraged VDFs will only support quasi-polynomial (respectively, \(2^{2^{\mathrm {poly}\log \log \kappa }}\)) time computation (and soundness of the VDF will only hold against adversaries running in time quasi-polynomial in the new security parameter \(\kappa \)). Because of this, we consider the formulation in terms of super-polynomial time verification to be more informative.
2.2 Comparison with Prior Work
Cryptographic Hardness of \(\mathbf {PPAD}\). As described in the introduction, prior works on the cryptographic hardness of \(\mathbf {PPAD}\) fall into two categories – those based on obfuscation and ones based on incrementally verifiable computation (IVC). The obfuscation-based constructions all make cryptographic assumptions related to the existence of indistinguishability obfuscation or closely related primitives that we currently do not know how to instantiate based on well-studied assumptions. (For the latest in obfuscation technology, we refer the reader to [JLMS19, JLS19].) We therefore focus on comparing to the previous IVC-based constructions.
-
[CHK+19a] constructs hard problems in \(\mathbf {CLS}\) under the polynomial hardness of #\(\mathsf {SAT}\) with poly-logarithmically many variables along with the assumption that Fiat-Shamir can be soundly instantiated for the sumcheck protocol [LFKN92]. The latter follows either in the random oracle model or under the assumption that a \(\mathsf {LWE}\)-based fully homomorphic encryption scheme is “optimally circular-secure” [CCH+18, CCH+19] for quasi-polynomial time adversaries.
While the hardness of #\(\mathsf {SAT}\) (with this parameter regime) is a weaker assumption than the subexponential hardness of repeated squaring, the [CHK+19a] (standard model) result has the drawback of relying on an optimal hardness assumption. Roughly speaking, an optimal hardness assumption is the assumption that some search problem cannot be solved with probability significantly better than repeatedly guessing a solution at random. This is an extremely strong assumption that requires careful parameter settings to avoid being trivially false.
In contrast, our main \(\mathsf {LWE}\) assumption is subexponential (concerning distinguishing advantage \(2^{-n^{1-\epsilon }}\)) and follows from the worst-case hardness of \(\mathrm {poly}(n)\)-GapSVP for time \(2^{n^{1-\epsilon }}\) algorithms. Even our most optimistic LWE assumption (as in Theorem 2.2) follows from a form of worst-case hardness quantitatively far from the corresponding best known algorithms.
-
[CHK+19b, EFKP19] construct hard problems in \(\mathbf {CLS}\) assuming the polynomial hardness of repeated squaring along with a generic assumption that the Fiat-Shamir heuristic can be instantiated for round-by-round sound (see [CCH+18, CCH+19]) public-coin interactive proofs. The latter can be instantiated either in the random oracle model, or under the assumption that Regev encryption (or ElGamal encryption) is “optimally KDM-secure” for unbounded KDM functions [CCRR18].
The [CCRR18] assumption is (up to minor technical details) stronger than the optimal security assumption used in [CHK+19a] (because the security game additionally involves an unbounded function), so the [CHK+19b, EFKP19] are mostly framed in the random oracle model. In this work, we give a new Fiat-Shamir instantiation to plug into the [CHK+19b, EFKP19] framework.
VDFs. We compare our construction of VDFs to previous constructions [BBBF18, Pie18, Wes19, dFMPS19, EFKP19].
-
[BBBF18] and [dFMPS19] give constructions of VDFs from new cryptographic assumptions related to permutation polynomials and isogenies over supersingular elliptic curves, respectively. These assumptions are certainly incomparable to ours, but we rely on the hardness of older, more well-studied problems.
-
[Pie18, EFKP19] have the same basic VDF construction as ours; the main difference is that they use a random oracle to instantiate their hash function, while we use a hash function in the standard model and prove its security under a quantitatively strong variant of \(\mathsf {LWE}\).
-
[Wes19] also builds a VDF based on the hardness of repeated squaring, but by building a different interactive argument for computing the function and assuming that Fiat-Shamir can be instantiated for this argument. Again, this assumption holds in the random oracle model, but we know of no instantiation of this VDF in the standard model.
On the negative side, our main VDF (for the natural choice of security parameter) has verification time \(2^{\tilde{O}(\lambda ^\epsilon )}\); this can be thought of as polynomial-time via complexity leveraging, but this results in a VDF that is only quasi-polynomially secure. Alternatively, based on our optimistic LWE assumption, we only obtain a VDF with large polynomial (i.e. \(\lambda ^{1/\delta }\) for small \(\delta \)) verification time. As a result, we consider our VDF construction to be a proof-of-concept regarding whether VDFs can be built based on “more standard-looking assumptions”, in particular, without invoking the random oracle model.
2.3 Additional Related Work
[BG20] constructs hard instances in the complexity class \(\mathbf {PLS}\) – which contains \(\mathbf {CLS}\) and is incomparable to \(\mathbf {PPAD}\) – under a falsifiable assumption on bilinear maps introduced in [KPY19] (along with the randomized exponential time hypothesis (ETH)).
In recent independent work, [KPY20] constructs hard-on-average \(\mathbf {CLS}\) instances under the (quasi-polynomial) [KPY19] assumption. In fact, they give a protocol for unambiguous and incrementally verifiable computation for all languages decidable in space-bounded and slightly super-polynomial time.
2.4 Technical Overview
We now discuss the ideas behind our main result, Theorem 2.1, which is an instantiation of the Fiat-Shamir heuristic for the [Pie18] repeated squaring protocol. In obtaining this result, we also broaden the class of interactive proofs for which we have Fiat-Shamir instantiations under standard assumptions.
The main tool used by our construction is a hash function family \(\mathcal {H}\) that is correlation intractable [CGH04] for efficiently computable functions [CLW18, CCH+19]. Recall that a hash family \(\mathcal {H}\) is correlation intractable for t-time computable functions if for every function f computable time t, the following computational problem is hard: given a description of a hash function h, find an input x such that \(h(x) = f(x)\). We now know [PS19] that such hash families can be constructed under the \(\mathsf {LWE}\) assumption.
Correlation Intractability and Fiat-Shamir. In order to describe our result, we first sketch the [CCH+19] paradigm for using such a hash family \(\mathcal {H}\) to instantiate the Fiat-Shamir heuristic.
For simplicity, consider a three-message (public-coin) interactive proof system (\(\varSigma \)-protocol)
as well as its corresponding Fiat-Shamir round-reduced protocol \(\varPi _{\mathrm {FS}, \mathcal {H}}\) for a hash family \(\mathcal {H}\).
Moreover, suppose that this protocol \(\varPi \) satisfies the following soundness property (sometimes referred to as “special soundness”): for every \(x\not \in L\) and every prover message \(\alpha \), there exists at most one verifier message \(\beta ^*(x, \alpha )\) allowing the prover to cheat.Footnote 4
It then follows that if a hash family \(\mathcal {H}\) is correlation intractable for the function family \(f_x(\alpha ) = \beta ^*(x, \alpha )\), then \(\mathcal {H}\) instantiates the Fiat-Shamir heuristic for \(\varPi \).Footnote 5 This is because a cheating prover \(P^*_{\mathrm {FS}}\) breaking the soundness of \(\varPi _{\mathrm {FS}, \mathcal {H}}\) must find a first message \(\alpha \) such that its corresponding challenge \(h(x, \alpha )\) is equal to the bad challenge \(f_x(\alpha )\) (or else it has no hope of successfully cheating).
Therefore, using the hash family of [PS19], we can (under the \(\mathsf {LWE}\) assumption) do Fiat-Shamir for any protocol \(\varPi \) whose “bad-challenge function” \(f_x(\alpha )\) is computable in polynomial time; this has the important caveat that the complexity of computing the hash function h is at least the complexity of computing \(f_x(\alpha )\).
This paradigm seems to run into the following roadblock: intuitively, for protocols \(\varPi \) of interest, computing \(f_x(\alpha )\) appears to be hard rather than easy. For example,
-
1.
For a standard construction of zero-knowledge proofs for \(\mathbf {NP}\) such as [Blu86], computing \(f_x(\alpha )\) involves breaking a cryptographically secure commitment scheme.
-
2.
For (unconditional) statistical zero knowledge protocols such as the [GMR85] Quadratic Residuosity protocol, computing \(f_x(\alpha )\) involves deciding the underlying hard language L.
-
3.
For doubly efficient interactive proofs such as the [GKR08] interactive proof for logspace-uniform \(\mathsf {NC}\), computing \(f_x(\alpha )\) again involves deciding the underlying language L; in this case, L is in \(\mathsf {P}\), but this Fiat-Shamir compiler would result in a non-interactive argument whose verifier runs in time longer than it takes to decide L.
The work [CCH+19] resolves issues (1) and (2) in the following way: in both cases, we can arrange for \(f_x(\alpha )\) to be efficiently computable given an appropriate trapdoor: in the case of [Blu86], the commitment scheme can have a trapdoor allowing for efficient extraction, while in the case of [GMR85], \(f_x(\alpha )\) is efficient given an appropriate \(\mathbf {NP}\)-witness for the complement language \(\overline{L}\). However, we have no analogous resolution to (3), which is the setting of interest to us.Footnote 6
The bad-challenge function of the [Pie18] protocol. With this context in mind, we now consider the [Pie18] protocol.Footnote 7 This protocol (like the [GKR08] protocol and the related sumcheck protocol [LFKN92]) is not a constant-round protocol, but is instead composed of up to polynomially many “reduction steps” of the following form.
-
The prover, given (N, g, T), computes and sends \(u= g^{2^{T/2}}\), the (supposed) “halfway point” of the computation.
-
The message u indicates (to the verifier) two derivative claims: \(u = g^{2^{T/2}}\) and \(h = u^{2^{T/2}}\).
-
The verifier then challenges the prover to prove a random linear combination of the two statements: \(h\cdot u^r = (u\cdot g^r)^{2^{T/2}}\).
Soundness can then be analyzed in a “round-by-round” fashion [CCH+19]: if you start with a false statement (or if you start with a true statement but send an incorrect value \(\tilde{u}\ne u\)), there is at most oneFootnote 8 bad challenge \(r^*\) resulting in a recursive call on a true statement.
To invoke the [CCH+19] paradigm, we ask: how efficiently can we compute the function \(f(N, T, g, h, u) = r^*\)? To answer this question, let \(\tilde{g}\) denote a fixed group element of order \(\phi (N)/2\) such that \(g, h, u\in \langle \tilde{g} \rangle \). Letting \(\gamma , \eta , \omega \) denote the discrete logs of g, h, and u in base \(\tilde{g}\), we see that (for corresponding challenge r) the statement \((N, T/2, g', h')\) is true if and only if
As a result, we see that r can be efficiently computed from the following information:
-
The discrete logarithms \(\eta , \omega , \gamma \), and
-
The factorization of N.
While the factorization of N can be known a priori in the security reduction (similar to prior work), the discrete logarithms depend on the prover message u and (adaptively chosen) statement (g, h). We conclude that the “bottleneck” for computing f is the problem computing a constant number of discrete logarithms in \(\mathbb {Z}_p^\times \).
Since computing discrete logarithms over \(\mathbb {Z}_p^\times \) is believed to be hard, and is not known to have a trapdoor, it appears unlikely that this approach would allow us to rely on the polynomial hardness of the [PS19] hash family. However, it is plausible that we could use a variant of the [PS19] hash family supporting super-polynomial time computation (proven secure under a super-polynomial variant of \(\mathsf {LWE}\)) to capture the complexity of computing discrete logarithms.
Unfortunately, the naive version of this approach fails: the best known runtime boundsFootnote 9 for computing discrete logarithms over \(\mathbb {Z}_p^\times \) for \(p = 2^{O(\lambda )}\) are of the form \(2^{\tilde{O}(\lambda ^{1/2})}\) [Adl79, Pom87], and the best known heuristic algorithms (plausibly) run in time \(2^{\tilde{O}(\lambda ^{1/3})}\) [LLMP90]. If we were to instantiate the [PS19] hash family to support functions of this complexity, we could prove the soundness of Fiat-Shamir for the [Pie18] protocol, but the resulting non-interactive protocol would run in time \(2^{\tilde{O}(\lambda ^{1/2})}\) (or in time \(2^{\tilde{O}(\lambda ^{1/3})}\) with a heuristic security proof); these are the same runtime bounds for the best known algorithms for solving the repeated squaring problem [Dix81, Pom87, LLMP90] (via factoring the modulus N). In other words, the verifier would run in enough time to be able to solve the repeated squaring problem itself. This is a very similar problem to issue (3) regarding the [LFKN92, GKR08] protocols, so we appear to be stuck.
Computing bad-challenge functions with low probability. We overcome the above problem with the following idea:
In other words, we consider a new variant of the [CCH+19] framework for instantiating Fiat-Shamir in the standard model, where:
-
An interactive protocol \(\varPi \) is characterized by some bad-challenge function f,
-
f can be computed by a time t algorithm (or size s circuit) with some small but non-trivial probability \(\delta \).
-
The hash function \(\mathcal {H}\) is assumed to be correlation intractable – with sufficiently strong quantitative security – against adversaries running in time t (or with size s).
Then, it turns out that the resulting non-interactive protocol is sound! Informally, this is because if f is “approximated” by a time t-computable randomized function \(g_r\) (in the sense that \(g_r(x)\) and f(x) agree with probability \(\delta \) on a worst-case input), then an adversary breaking the protocol \(\varPi _{\mathrm {FS}, \mathcal {H}}\) will break the correlation intractability of \(\mathcal {H}\) with respect to g (rather than f) with probability \(\delta \). More formally, a cheating prover \(P^*_{\mathrm {FS}}\) yields an algorithm that breaks the correlation intractability of \(\mathcal {H}\) with respect to f, which in turn breaks the correlation intractability of \(\mathcal {H}\) with respect to \(g_r\) (for hard-coded randomness r) with probability \(\delta \cdot \frac{1}{\mathrm {poly}(\lambda )}\) (since \(g_r\) and f agree on an arbitrary input with probability at least \(\delta \)). Therefore, if \(\mathcal {H}\) is \((t, \delta \cdot \lambda ^{-\omega (1)})\)-secure, we conclude that \(\varPi _{\mathrm {FS}, \mathcal {H}}\) is sound.
This modification allows us to instantiate Fiat-Shamir for the [Pie18] protocol. In particular, we make use of folkloreFootnote 10 [CCRR18] preprocessing algorithms for the discrete logarithm problem over \(\mathbb {Z}_p^\times \) that run in time \(2^{\lambda ^\epsilon }\) and have success probability \(2^{-\lambda ^{1-\epsilon }}\). More specifically, we consider a computation of the bad challenge function f(N, T, g, h, u) in the following model:
-
Hard-code (1) the factorization \(N=pq\), (2) an appropriately chosen group element \(\tilde{g}\) of high order, and (3) \(2^{\tilde{O}(\lambda ^{\epsilon })}\) discrete logarithms (of fixed numbers modulo p and modulo q, respectively) in base \(\tilde{g}\).
-
Compute a (constant-size) collection of worst-case discrete logarithms by the standard index calculus algorithm [Adl79] in time \(2^{\tilde{O}(\lambda ^{\epsilon })}\) with success probability \(2^{-\lambda ^{1-\epsilon }}\).
This can be thought of as either a non-uniform \(2^{\tilde{O}(\lambda ^\epsilon )}\)-time algorithm, or a \(2^{\tilde{O}(\lambda ^\epsilon )}\)-time algorithm with \(2^{\tilde{O}(\lambda ^{1/2})}\)-time preprocessing.Footnote 11 By using this algorithm for the computation of the bad-challenge function f(N, T, g, h, u), we obtain a Fiat-Shamir instantiation with verification time \(2^{\tilde{O}(\lambda ^\epsilon )}\) – a meaningful result as long as this runtime does not allow for solving the repeated squaring problem. Finally, the required assumption is that the [PS19] hash function is correlation intractable for adversaries that succeed with probability \(2^{-\lambda ^{1-\epsilon }}\), which holds under the claimed \(\mathsf {LWE}\) assumption with parameters (n, q) for \(\lambda = n\log q\).
Generalizations. In this overview, we focused specifically on the [Pie18] protocol, but our techniques give general blueprints for obtaining Fiat-Shamir instantiations. We believe these blueprints may be useful in future work, so we state them (as “meta-theorems”) explicitly here:
-
Fiat-Shamir for protocols with low success probability bad-challenge functions. Our approach shows that if an interactive protocol \(\varPi \) is governed by a bad-challenge function f that is computable by an efficient randomized algorithm that is only correct with (potentially very) low probability, it is still possible to instantiate Fiat-Shamir for \(\varPi \) under a sufficiently strong LWE assumption.
-
Fiat-Shamir for discrete-log based bad-challenge functions. Our approach also shows that if a protocol \(\varPi \) is governed by a bad-challenge function f that is efficiently computable given oracle accessFootnote 12 to a discrete log solver (over \(\mathbb {Z}_p^\times \) for \(p\le 2^{O(\lambda )}\)), then it is possible to instantiate Fiat-Shamir for \(\varPi \) under a sufficiently strong LWE assumption.
We formalize both of these “meta-theorems” in the language of correlation intractability (rather than Fiat-Shamir) in the full version of this paper.
Notes
- 1.
[BBBF18] explicitly suggested this.
- 2.
The two works [Pie18, Wes19] consider qualitatively different interactive argument systems. In this work, we focus on the [Pie18] protocol since (1) it has unconditional soundness and therefore is more conducive to provable Fiat-Shamir compilation, and (2) it is more closely related to \(\mathbf {PPAD}\)-hardness.
- 3.
Our protocol differs very slightly from the formulation in [CHK+19b], but the difference is irrelevant to the reduction.
- 4.
The prover can cheat on a pair \((\alpha , \beta )\) if and only if there exists a third message \(\gamma \) such that \((x, \alpha , \beta , \gamma )\) is accepted by the verifier.
- 5.
To obtain adaptive soundness, we modify the protocol to set \(\beta = h(x, \alpha )\) and instead consider the function \(f(x, \alpha ) = \beta ^*(x, \alpha )\).
- 6.
The only current known Fiat-Shamir instantiation for the [GKR08] protocol utilizes a compact correlation intractable hash family (in the sense that the hash evaluation time is independent of the time to compute the correlation function/relation) which we only know how to build from an optimal security assumption [CCH+19].
- 7.
For this overview, we ignore the details of working over the group \(\mathbb {QR}_N\subset \mathbb {Z}_N^\times \) and the corresponding technical challenges.
- 8.
To guarantee this property, r is selected from a range smaller than either of the prime factors of N.
- 9.
See [JOP14] for a detailed discussion of the state-of-the-art on discrete logarithm algorithms.
- 10.
We are not aware of prior work considering this particular time-probability trade-off, but the necessary smooth number bounds appear in [CEP83, Gra08]. Quite curiously, [CCRR18] considers the \(\mathrm {poly}(\lambda )\)-time variant of this algorithm to give evidence against the optimal hardness of computing discrete logarithms over \(\mathbb {Z}_p^\times \). That was bad for them, but for us, the non-optimal hardness is a feature!.
- 11.
This second variant allows for an invocation of correlation intractability against uniform adversaries in the security proof.
- 12.
Crucially, we must also bound the number of calls that can be made to the oracle to be at most \(\mathrm {poly}\log (\lambda )\) to get a meaningful result.
References
Albrecht, M., Bai, S., Fouque, P.-A., Kirchner, P., Stehlé, D., Wen, W.: Faster enumeration-based lattice reduction: root Hermite factor \(k^{1/(2k)}\) in time \(k^{k/8+o(k)}\). In: CRYPTO (2020)
Adleman, L.: A subexponential algorithm for the discrete logarithm problem with applications to cryptography. In: 20th Annual Symposium on Foundations of Computer Science (SFCS 1979), pp. 55–60. IEEE (1979)
Aggarwal, D., Dadush, D., Regev, O., Stephens-Davidowitz, N.: Solving the shortest vector problem in 2n time using discrete gaussian sampling. In: STOC 2015, pp. 733–742 (2015)
Ananth, P., Jain, A., Lin, H., Matt, C., Sahai, A.: Indistinguishability obfuscation without multilinear maps: new paradigms via low degree weak pseudorandomness and security amplification. In: CRYPTO (2019)
Abbot, T., Kane, D., Valiant, P.: On algorithms for nash equilibria. Unpublished Manuscript 1 (2004). http://web.mit.edu/tabbott/Public/final.pdf
Barak, B.: How to go beyond the black-box simulation barrier. In: Proceedings 42nd IEEE Symposium on Foundations of Computer Science, pp. 106–115. IEEE (2001)
Boneh, D., Bonneau, J., Bünz, B., Fisch, B.: Verifiable delay functions. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10991, pp. 757–788. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-96884-1_25. (EUROCRYPT 2018)
Bartusek, J., Bronfman, L., Holmgren, J., Ma, F., Rothblum, R.D.: On the (in)security of Kilian-based SNARGs. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11892, pp. 522–551. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-36033-7_20
Ben-Sasson, E., Chiesa, A., Spooner, N.: Interactive oracle proofs. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 31–60. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_2
Brakerski, Z., Döttling, N., Garg, S., Malavolta, G.: Candidate iO from homomorphic encryption schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12105, pp. 79–109. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_4
Badrinarayanan, S., Fernando, R., Jain, A., Khurana, D., Sahai, A.: Statistical ZAP arguments. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020. LNCS, vol. 12107, pp. 642–667. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45727-3_22
Bitansky, N., Gerichter, I.: On the cryptographic hardness of local search. In: 11th Innovations in Theoretical Computer Science Conference (ITCS 2020). Schloss Dagstuhl-Leibniz-Zentrum für Informatik (2020)
Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1. Journal version appears in JACM 2012
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: STOC 2013, pp. 575–584. ACM (2013)
Bai, S., Laarhoven, T., Stehlé, D.: Tuple lattice sieving. LMS J. Comput. Math. 19(A), 146–162 (2016)
Blum, M.: How to prove a theorem so no one else can claim it. In: Proceedings of the International Congress of Mathematicians, vol. 1, pp. 2. Citeseer (1986)
Barak, B., Lindell, Y., Vadhan, S.: Lower bounds for non-black-box zero knowledge. J. Comput. Syst. Sci. 72(2), 321–391 (2006)
Bitansky, N., Paneth, O., Rosen, A.: On the cryptographic hardness of finding a nash equilibrium. In: FOCS 2015. IEEE (2015)
Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and communications security, pp. 62–73. ACM (1993)
Canetti, R., Chen, Y., Holmgren, J., Lombardi, A., Rothblum, G.N., Rothblum, R.D.: Fiat-Shamir from simpler assumptions. IACR Cryptol. ePrint Arch. 2018, 1004 (2018)
Canetti, R., et al.: Fiat-Shamir: from practice to theory. In: STOC 2019. ACM (2019). Merge of [CCH\(^+\)18] and [CLW18]
Canetti, R., Chen, Y., Reyzin, L.: On the correlation intractability of obfuscated pseudorandom functions. In: Kushilevitz, E., Malkin, T. (eds.) TCC 2016. LNCS, vol. 9562, pp. 389–415. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49096-9_17
Canetti, R., Chen, Y., Reyzin, L., Rothblum, R.D.: Fiat-Shamir and correlation intractability from strong KDM-secure encryption. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 91–122. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_4
Chen, X., Deng, X., Teng, S.-H.: Settling the complexity of computing two-player nash equilibria. J. ACM (JACM) 56(3), 1–57 (2009)
Canfield, E.R., Erdös, P., Pomerance, C.: On a problem of oppenheim concerning “factorisatio numerorum”. J. Number Theory 17(1), 1–28 (1983)
Canetti, R., Goldreich, O., Goldwasser, S., Micali, S.: Resettable zero-knowledge. In: STOC 2000, pp. 235–244 (2000)
Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. J. ACM (JACM) 51(4), 557–594 (2004)
Choudhuri, A.R., Hubáček, P., Kamath, C., Pietrzak, K., Rosen, A., Rothblum, G.N.: Finding a nash equilibrium is no easier than breaking Fiat-Shamir. In: STOC 2019 (2019)
Choudhuri, A.R., Hubácek, P., Kamath, C., Pietrzak, K., Rosen, A., Rothblum, G.N.: PPAD-hardness via iterated squaring modulo a composite. Cryptology ePrint Archive, Report 2019/667, 2019 (2019)
Canetti, R., Lombardi, A., Wichs, D.: Fiat-shamir: from practice to theory, part II (non-interactive zero knowledge and correlation intractability from circular-secure FHE). IACR Cryptol. ePrint Arch. 2018, 1248 (2018)
De Feo, L., Masson, S., Petit, C., Sanso, A.: Verifiable delay functions from supersingular isogenies and pairings. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11921, pp. 248–277. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34578-5_10
Daskalakis, C., Goldberg, P.W., Papadimitriou, C.H.: The complexity of computing a nash equilibrium. SIAM J. Comput. 39(1), 195–259 (2009)
Dixon, J.D.: Asymptotically fast factorization of integers. Math. Comput. 36(153), 255–260 (1981)
Dwork, C., Naor, M., Reingold, O., Stockmeyer, L.: Magic functions. In: FOCS (1999)
Daskalakis, C., Papadimitriou, C.: Continuous local search. In: SODA 2011, pp. 790–804. SIAM (2011)
Ephraim, N., Freitag, C., Komargodski, I., Pass, R.: Continuous verifiable delay functions. In: EUROCRYPT 2020 (2019)
After 20 years, someone finally solved this MIT puzzle (2019)
Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM J. Comput. 29(1), 1–28 (1999)
Fiat, A., Shamir, A.: How to prove yourself: practical solutions to identification and signature problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987). https://doi.org/10.1007/3-540-47721-7_12
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: FOCS 2013 (2013)
Goldwasser, S., Kalai, Y.T.: On the (in)security of the Fiat-Shamir paradigm. In: FOCS 2003, pp. 102–113. IEEE (2003)
Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: Delegating computation: interactive proofs for muggles. In: STOC 2008, pp. 113–122. ACM (2008)
Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof-systems. In: STOC 1985, pp. 291–304. ACM (1985)
Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems. J. ACM (JACM) 38(3), 690–728 (1991)
Garg, S., Pandey, O., Srinivasan, A.: Revisiting the cryptographic hardness of finding a nash equilibrium. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 579–604. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53008-5_20
Granville, A.: Smooth numbers: computational number theory and beyond. Algorithm. Number Theory Lattices Number Fields Curves Cryptograph. 44, 267–323 (2008)
Holmgren, J., Lombardi, A.: Cryptographic hashing from strong one-way functions. In: FOCS 2018 (2018)
Hubáček , P., Yogev, E.: Hardness of continuous local search: query complexity and cryptographic lower bounds. In: SODA 2017, pp. 1352–1371. SIAM (2017)
Jain, A., Jin, Z.: Statistical zap arguments from quasi-polynomial LWE. In: EUROCRYPT 2020 (2019)
Jain, A., Lin, H., Matt, C., Sahai, A.: How to leverage hardness of constant-degree expanding polynomials over \(\mathbb{R}\) to build \(i\cal{O}\). In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 251–281. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_9
Jain, A., Lin, H., Sahai, A.: Simplifying constructions and assumptions for \(i\cal{O}\). Cryptology ePrint Archive, Report 2019/1252 (2019)
Joux, A., Odlyzko, A., Pierrot, C.: The past, evolving present, and future of the discrete logarithm. In: Koç, Ç.K. (ed.) Open Problems in Mathematics and Computational Science, pp. 5–36. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10683-0_2
Kannan, R.: Improved algorithms for integer programming and related lattice problems. In: STOC 1983, pp. 193–206 (1983)
Kirchner, P., Fouque, P.-A.: Time-memory trade-off for lattice enumeration in a ball. IACR Cryptol. ePrint Arch. 2016, 222 (2016)
Kalai, Y.T., Paneth, O., Yang, L.: How to delegate computations publicly. In: STOC 2019, pp. 1115–1124 (2019)
Kalai, Y., Paneth, O., Yang, L.: PPAD-hardness and delegation with unambiguous and updatable proofs. In: CRYPTO 2020 (2020)
Kalai, Y.T., Rothblum, G.N., Rothblum, R.D.: From obfuscation to the security of Fiat-Shamir for proofs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 224–251. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_8
Lund, C., Fortnow, L., Karloff, H.J., Nisan, N.: Algebraic methods for interactive proof systems. J. ACM 39(4), 859–868 (1992)
Lenstra, A.K., Lenstra Jr., H.W., Manasse, M.S., Pollard, J.M.: The number field sieve. In: STOC 1990, pp. 564–572 (1990)
Lombardi, A., Vaikuntanathan, V.: Fiat-Shamir for repeated squaring with applications to PPAD-hardness and VDFs. IACR Cryptology ePrint Archive, Report 2020/772 (2020). https://eprint.iacr.org/2020/772
Lombardi, A., Vaikuntanathan, V., Wichs, D.: 2-message publicly verifiable WI from (subexponential) LWE. Cryptology ePrint Archive, Report 2019/808 (2019)
Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)
Naor, M.: On cryptographic assumptions and challenges. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 96–109. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_6
Papadimitriou, C.H.: On the complexity of the parity argument and other inefficient proofs of existence. J. Comput. Syst. Sci. 48(3), 498–532 (1994)
Peikert, C.: A decade of lattice cryptography. Found. Trends Theor. Comput. Sci. 10(4), 283–424 (2016)
Pietrzak, K.: Simple verifiable delay functions. In: ITCS 2019 (2018)
Pomerance, C.: Fast, rigorous factorization and discrete logarithm algorithms. In: Discrete Algorithms and Complexity, pp. 119–143. Elsevier (1987)
Peikert, C., Regev, O., Stephens-Davidowitz, N.: Pseudorandomness of ring-LWE for any ring and modulus. In: STOC 2017, pp. 461–473. ACM (2017)
Pointcheval, D., Stern, J.: Security proofs for signature schemes. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 387–398. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_33
Peikert, C., Shiehian, S.: Noninteractive zero knowledge for NP from (Plain) learning with errors. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 89–114. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_4
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM (JACM) 56(6), 34 (2009)
Description of the LCS35 time capsule crypto-puzzle (1999)
Reingold, O., Rothblum, G.N., Rothblum, R.D.: Constant-round interactive proofs for delegating computation. SIAM J. Comput. STOC16-255 (2016)
Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto (1996)
Schnorr, C.P.: Efficient identification and signatures for smart cards. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 239–252. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_22
Valiant, P.: Incrementally verifiable computation or proofs of knowledge imply time/space efficiency. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 1–18. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78524-8_1
Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 International Association for Cryptologic Research
About this paper
Cite this paper
Lombardi, A., Vaikuntanathan, V. (2020). Fiat-Shamir for Repeated Squaring with Applications to PPAD-Hardness and VDFs. In: Micciancio, D., Ristenpart, T. (eds) Advances in Cryptology – CRYPTO 2020. CRYPTO 2020. Lecture Notes in Computer Science(), vol 12172. Springer, Cham. https://doi.org/10.1007/978-3-030-56877-1_22
Download citation
DOI: https://doi.org/10.1007/978-3-030-56877-1_22
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-56876-4
Online ISBN: 978-3-030-56877-1
eBook Packages: Computer ScienceComputer Science (R0)