# PPP-Completeness with Connections to Cryptography

@article{Sotiraki2018PPPCompletenessWC, title={PPP-Completeness with Connections to Cryptography}, author={Katerina Sotiraki and Manolis Zampetakis and Giorgos Zirdelis}, journal={2018 IEEE 59th Annual Symposium on Foundations of Computer Science (FOCS)}, year={2018}, pages={148-158} }

Polynomial Pigeonhole Principle (PPP) is an important subclass of TFNP with profound connections to the complexity of the fundamental cryptographic primitives: collision-resistant hash functions and one-way permutations. In contrast to most of the other subclasses of TFNP, no complete problem is known for PPP. Our work identifies the first PPP-complete problem without any circuit or Turing Machine given explicitly in the input, and thus we answer a longstanding open question fromβ¦Β

## 20 Citations

PPAD-Hardness via Iterated Squaring Modulo a Composite

- Computer ScienceIACR Cryptol. ePrint Arch.
- 2019

We show that, relative to a random oracle, solving the End-of-Line problem (which is PPAD-complete) is no easier than computing the function f(N, x, T ) = x T mod N, where N is an n-bit RSA modulus,β¦

Finding a Nash equilibrium is no easier than breaking Fiat-Shamir

- Mathematics, Computer ScienceIACR Cryptol. ePrint Arch.
- 2019

It is shown that solving the ENDβOFβMETEREDβLINE problem is no easier than breaking the soundness of the Fiat-Shamir transformation when applied to the sumcheck protocol, and opens up the possibility of sampling moderately-sized games for which it is hard to find a Nash equilibrium.

Total Functions in the Polynomial Hierarchy

- MathematicsElectron. Colloquium Comput. Complex.
- 2020

Higher in the hierarchy, the constructive version of the Sauer-Shelah lemma and the appropriate generalization of PPP that contains it are identified, as well as the problem of finding a king in a tournament.

On the Cryptographic Hardness of Local Search

- Mathematics, Computer ScienceITCS
- 2020

The core observation behind the results is that the unique proofs property of incrementally-verifiable computations previously used to demonstrate hardness in PLS can be traded with a simple incremental completeness property.

The classes PPA-k: Existence from arguments modulo k

- Computer ScienceTheor. Comput. Sci.
- 2021

Classical and quantum dynamic programming for Subset-Sum and variants

- Mathematics, Computer ScienceArXiv
- 2021

A novel dynamic programming data structure is introduced with applications to Subset-Sum and a number of variants, including Equal-Sums, where one seeks two disjoint subsets with the same sum, and an O(2) quantum algorithm for Shifted-Sum, an improvement on the best known O( 2) classical running time.

The Classes PPA-k: Existence from Arguments Modulo k

- Computer ScienceWINE
- 2019

The complexity classes PPA-$k$, $k \geq 2$, have recently emerged as the main candidates for capturing the complexity of important problems in fair division, in particular Alon's Necklace-Splittingβ¦

Equal-subset-sum faster than the meet-in-the-middle

- Computer Science, Mathematics
- 2019

This paper improves upon the state-of-the-art Equal-Subset-Sum algorithm and gives Oβ(1.7088n) worst case Monte Carlo algorithm, which answers a question suggested by Woeginger in his inspirational survey.

Separations in Proof Complexity and TFNP

- Computer ScienceArXiv
- 2022

It is shown that PPADS, PPAD, SOPL, and Reversible Resolution are captured by unary-SA, unARY-NS, and reversible Resolution, respectively, relative to an oracle.

## References

SHOWING 1-10 OF 88 REFERENCES

The Journey from NP to TFNP Hardness

- Computer Science, MathematicsITCS
- 2016

This work shows that hard-on-average TFNP problems can be based on the weak assumption that there exists a hard- on-average language in NP, in particular, this includes the assumption of the existence of one-way functions.

On the Polynomial Parity Argument Complexity of the Combinatorial Nullstellensatz

- Mathematics, Computer ScienceComputational Complexity Conference
- 2017

This work proves the PPA-completeness of two problems of radically different style, related respectively to the Combinatorial Nullstellensatz and the Chevalley-Warning Theorem over the two elements field GF(2), and shows that the maximal parse subcircuits of a P PA-circuit can be paired in polynomial time.

Almost Perfect Lattices, the Covering Radius Problem, and Applications to Ajtai's Connection Factor

- Computer Science, MathematicsSIAM J. Comput.
- 2003

A rigorous self-contained proof of results along the lines of Ajtai's seminal work is presented, and it is shown how this reduction implies the existence of collision resistant cryptographic hash functions based on the worst-case inapproximability of the shortest vector problem within the same factors.

Revisiting the Cryptographic Hardness of Finding a Nash Equilibrium

- Computer Science, MathematicsCRYPTO
- 2016

The hardness of PPAD assuming the existence of quasi-polynomially hard indistinguishability obfuscation and sub-exponentially hard one- way functions is proved and hardness can be based on polynomially hard compact public key functional encryption and one-way permutations.

Reducibility among Fractional Stability Problems

- Computer Science2009 50th Annual IEEE Symposium on Foundations of Computer Science
- 2009

A series of reductions that build in nontrivial ways on the framework established in previous work to expand the universe of known PPAD-complete problems and resolve the computational complexity of a number of outstanding open problems with practical applications.

Public-key cryptosystems from the worst-case shortest vector problem: extended abstract

- Computer Science, MathematicsSTOC '09
- 2009

The main technical innovation is a reduction from variants of the shortest vector problem to corresponding versions of the "learning with errors" (LWE) problem; previously, only a quantum reduction of this kind was known.

Trapdoors for hard lattices and new cryptographic constructions

- Computer Science, MathematicsIACR Cryptol. ePrint Arch.
- 2007

A new notion of trapdoor function with preimage sampling, simple and efficient "hash-and-sign" digital signature schemes, and identity-based encryption are included.

On Ideal Lattices and Learning with Errors over Rings

- Computer Science, MathematicsJACM
- 2013

The βlearning with errorsβ (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones, by introducing an algebraic variant of LWE called ring-LWE, and proving that it too enjoys very strong hardness guarantees.

On lattices, learning with errors, random linear codes, and cryptography

- Computer ScienceSTOC '05
- 2005

A public-key cryptosystem whose hardness is based on the worst-case quantum hardness of SVP and SIVP, and an efficient solution to the learning problem implies a <i>quantum</i>, which can be made classical.

On the Cryptographic Hardness of Finding a Nash Equilibrium

- Mathematics, Computer ScienceFOCS
- 2014

We prove that finding a Nash equilibrium of a game is hard, assuming the existence of indistinguishability obfuscation and one-way functions with sub-exponential hardness. We do so by showing howβ¦