Finding a Nash equilibrium is no easier than breaking Fiat-Shamir

The Fiat-Shamir heuristic transforms a public-coin interactive proof into a non-interactive argument, by replacing the verifier with a cryptographic hash function that is applied to the protocol’s transcript. Constructing hash functions for which this transformation is sound is a central and long-standing open question in cryptography. We show that solving the END-OF-METERED-LINE problem is no easier than breaking the soundness of the Fiat-Shamir transformation when applied to the sumcheck protocol. In particular, if the transformed protocol is sound, then any hard problem in #P gives rise to a hard distribution in the class CLS, which is contained in PPAD. Our result opens up the possibility of sampling moderately-sized games for which it is hard to find a Nash equilibrium, by reducing the inversion of appropriately chosen one-way functions to #SAT. Our main technical contribution is a stateful incrementally verifiable procedure that, given a SAT instance over n variables, counts the number of satisfying assignments. This is accomplished via an exponential sequence of small steps, each computable in time poly(n). Incremental verifiability means that each intermediate state includes a sumcheck-based proof of its correctness, and the proof can be updated and verified in time poly(n).
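The object whose soundness the result above takes as its hypothesis is the sumcheck protocol, run on the arithmetization of a CNF formula so that the sum it certifies is the number of satisfying assignments, with the verifier's random challenges replaced by a hash of the transcript. The following is an added example written for this page, not the paper's construction (it does not implement the incrementally verifiable counter, only the Fiat-Shamir-transformed sumcheck it builds on). It assumes the field F_p for the Mersenne prime p = 2^61 - 1, SHA-256 as the Fiat-Shamir hash, the standard clause arithmetization OR(l_1..l_k) = 1 - prod(1 - l_i), and a small constructed 3-variable CNF instance; none of these choices come from the paper.

```python
# Added example (not from the paper): sumcheck for #SAT, made non-interactive
# with the Fiat-Shamir transform. The honest prover runs in time 2^n; the
# verifier does O(n * d) field operations plus one evaluation of g.
import hashlib
from itertools import product

P = 2**61 - 1  # assumption: any prime much larger than n * d gives negligible soundness error

def clause_poly(clause, x):
    """Arithmetize one clause at a point x in F_p^n: literal v -> x[v-1],
    -v -> 1 - x[v-1], and OR(l_1..l_k) -> 1 - prod(1 - l_i), which agrees
    with the clause on {0,1} inputs."""
    prod = 1
    for lit in clause:
        val = x[abs(lit) - 1] if lit > 0 else (1 - x[abs(lit) - 1]) % P
        prod = prod * (1 - val) % P
    return (1 - prod) % P

def formula_poly(cnf, x):
    """Product of clause polynomials: 1 on satisfying Boolean assignments, 0 otherwise.
    Its degree in each variable is at most len(cnf) (assumes a variable occurs
    at most once per clause)."""
    out = 1
    for clause in cnf:
        out = out * clause_poly(clause, x) % P
    return out

def brute_force_count(cnf, n):
    """#SAT by enumeration; this is the sum the sumcheck protocol certifies."""
    return sum(formula_poly(cnf, bits) for bits in product((0, 1), repeat=n))

def partial_sum(cnf, n, prefix):
    """sum over all Boolean suffixes of g(prefix, suffix): the honest prover's
    round message, computed here in time 2^(n - len(prefix))."""
    return sum(formula_poly(cnf, list(prefix) + list(s))
               for s in product((0, 1), repeat=n - len(prefix))) % P

def lagrange_eval(evals, r):
    """Evaluate at r the unique polynomial of degree < len(evals) through (j, evals[j])."""
    total, d = 0, len(evals) - 1
    for j, yj in enumerate(evals):
        num = den = 1
        for m in range(d + 1):
            if m != j:
                num = num * (r - m) % P
                den = den * (j - m) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total

def fs_challenge(transcript):
    """Fiat-Shamir: the round challenge is a hash of everything sent so far."""
    digest = hashlib.sha256(transcript.encode()).digest()
    return int.from_bytes(digest, "big") % P

def prove(cnf, n, claim, cheat=False):
    """Non-interactive sumcheck proof that sum_{x in {0,1}^n} g(x) == claim.
    Round i sends g_i evaluated at 0..d. With cheat=True the prover patches
    g_i(0) every round so the verifier's consistency check passes; the final
    evaluation of g at the hashed challenge point still catches it."""
    d = len(cnf)
    transcript = f"{cnf}|{n}|{claim}"
    r, rounds, current = [], [], claim % P
    for _ in range(n):
        evals = [partial_sum(cnf, n, r + [t]) for t in range(d + 1)]
        if cheat:
            evals[0] = (current - evals[1]) % P
        rounds.append(evals)
        transcript += f"|{evals}"
        r.append(fs_challenge(transcript))
        current = lagrange_eval(evals, r[-1])
    return rounds

def verify(cnf, n, claim, rounds):
    """Recompute the same challenges from the transcript and check each round
    against the previous claim; finish by evaluating g(r_1..r_n) directly."""
    d = len(cnf)
    transcript = f"{cnf}|{n}|{claim}"
    r, current = [], claim % P
    if len(rounds) != n:
        return False
    for evals in rounds:
        if len(evals) != d + 1 or (evals[0] + evals[1]) % P != current:
            return False
        transcript += f"|{evals}"
        r.append(fs_challenge(transcript))
        current = lagrange_eval(evals, r[-1])
    return current == formula_poly(cnf, r)

# Constructed instance: (x1 v -x2) ^ (x2 v x3) ^ (-x1 v x3); 3 variables, 3 models.
CNF = [[1, -2], [2, 3], [-1, 3]]
N = 3

if __name__ == "__main__":
    h = brute_force_count(CNF, N)
    print("count:", h, "honest proof accepted:", verify(CNF, N, h, prove(CNF, N, h)))
    print("wrong count, patched proof accepted:",
          verify(CNF, N, h + 1, prove(CNF, N, h + 1, cheat=True)))
```

The cheating branch is the point of the exercise: a prover who fixes up each round polynomial can satisfy every consistency check, and is only caught because the last challenge point is something it could not control. Breaking the transformed protocol means finding transcripts for which the hash-derived challenges happen to land where the patched polynomials and the true one agree; the paper's result is that, for this particular protocol and sum, doing so is at least as hard as solving END-OF-METERED-LINE.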
