Can PPAD Hardness be Based on Standard Cryptographic Assumptions?

Transcription

1 Can PPAD Hardness be Based on Standard Cryptographc Assumptons? Alon Rosen Gl Segev Ido Shahaf Abstract We consder the queston of whether PPAD hardness can be based on standard cryptographc assumptons, such as the exstence of one-way functons or publc-key encrypton. Ths queston s partcularly well-motvated n lght of new devastatng attacks on obfuscaton canddates and ther underlyng buldng blocks, whch are currently the only known source for PPAD hardness. Central n the study of obfuscaton-based PPAD hardness s the snk-of-verfable-lne (SVL) problem, an ntermedate step n constructng nstances of the PPAD-complete problem source-or-snk. Wthn the framework of black-box reductons we prove the followng results: Average-case PPAD hardness (and even SVL hardness) does not mply any form of cryptographc hardness (not even one-way functons). Moreover, even when assumng the exstence of one-way functons, average-case PPAD hardness (and, agan, even SVL hardness) does not mply any publc-key prmtve. Thus, strong cryptographc assumptons (such as obfuscaton-related ones) are not essental for average-case PPAD hardness. Average-case SVL hardness cannot be based ether on standard cryptographc assumptons or on average-case PPAD hardness. In partcular, average-case SVL hardness s not essental for average-case PPAD hardness. Any attempt for basng the average-case hardness of the PPAD-complete problem sourceor-snk on standard cryptographc assumptons must result n nstances wth a nearlyexponental number of solutons. Ths stands n strkng contrast to the obfuscaton-based approach, whch results n nstances havng a unque soluton. Taken together, our results mply that t may stll be possble to base average-case PPAD hardness on standard cryptographc assumptons, but any black-box attempt must sgnfcantly devate from the obfuscaton-based approach: It cannot go through the SVL problem, and t must result n source-or-snk nstances wth a nearly-exponental number of solutons. Ef Araz School of Computer Scence, IDC Herzlya, Israel. Emal: alon.rosen@dc.ac.l. Supported by ISF grant no. 1255/12, NSF-BSF Cyber Securty and Prvacy grant no. 2014/632, and by the ERC under the EU s Seventh Framework Programme (FP/ ) ERC Grant Agreement n School of Computer Scence and Engneerng, Hebrew Unversty of Jerusalem, Jerusalem 91904, Israel. Emal: {segev,do shahaf}@cs.huj.ac.l. Supported by the European Unon s 7th Framework Program (FP7) va a Mare Cure Career Integraton Grant and va an ERC Grant (No ), by the Israel Scence Foundaton (Grant No. 483/13), by the Israel Centers of Research Excellence (I-CORE) Program (Center No. 4/11), by the US-Israel Bnatonal Scence Foundaton (Grant No ), and by a Google Faculty Research Award.

2 Contents 1 Introducton Our Contrbutons Open Problems Overvew of Our Approach Paper Organzaton Prelmnares Complexty Classes and Total Search Problems One-Way Functons and Injectve Trapdoor Functons Key-Agreement Protocols Average-Case SVL Hardness Does Not Imply One-Way Functons Proof Overvew O SVL s a Hard-on-Average SVL Instance Invertng Oracle-Aded Functons Relatve to O SVL Proof of Theorem Average-Case PPAD Hardness Does Not Imply Unque-TFNP Hardness Proof Overvew O PPAD s a Hard-on-Average Source-or-Snk Instance Solvng Oracle-Aded Unque-TFNP Instances Relatve to O PPAD Proof of Theorem One-Way Functons Do Not Imply Bounded-TFNP Hardness Proof Overvew f s a One-Way Functon Solvng Oracle-Aded Bounded-TFNP Instances Relatve to f Proof of Theorem Publc-Key Cryptography Does Not Imply Bounded-TFNP Hardness Proof Overvew O TDF s a Collecton of Injectve Trapdoor Functons Solvng Oracle-Aded Bounded-TFNP Instances Relatve to O TDF Proofs of Clams References 43 A Average-Case SVL Hardness and OWFs Do Not Imply Key Agreement 46 A.1 Proof Overvew A.2 Attackng Key-Agreement Protocols Relatve to f and O SVL

3 1 Introducton In recent years there has been ncreased nterest n the computatonal complexty of fndng a Nash equlbrum. Towards ths end, Papadmtrou defned the complexty class PPAD, whch conssts of all search problems that are polynomal-tme reducble to the source-or-snk problem Pap94. 1 Papadmtrou showed that the problem of fndng a Nash equlbrum s reducble to source-orsnk, and thus belongs to PPAD. He also conjectured that there exsts a reducton n the opposte drecton, and ths was proved by Daskalaks, Goldberg and Papadmtrou DGP09, and by Chen, Deng and Teng CDT09. Thus, to support the belef that fndng a Nash equlbrum may ndeed be computatonally hard, t became suffcent to place a conjectured computatonally-hard problem wthn the class PPAD. Currently, no PPAD-complete problem s known to admt a sub-exponental-tme algorthm. At the same tme, however, we do not know how to generate nstances that defeat known heurstcs for these problems (see HPV89 for explct worst-case hard nstances of computng Brouwer fxed ponts and SvS04 for fndng a Nash equlbrum). Ths leaves us n an ntrgung state of affars, n whch we know of no effcent algorthms wth provable worst-case guarantees, but we are yet to systematcally rule out the possblty that known heurstc algorthms perform well on the average. Post-obfuscaton PPAD hardness. A natural approach for argung hardness on the average would be to reduce from problems that orgnate from cryptography. Workng n the realm of cryptography has at least two advantages. Frst of all, t enables us to rely on well-studed problems that are wdely conjectured to be average-case hard. Secondly, and no less mportantly, cryptography supples us wth frameworks for reasonng about average-case hardness. On the postve drecton, such frameworks are hghly suted for desgnng and analyzng reductons between average-case problems. On the negatve drecton, n some cases t s possble to argue that such natural reductons do not exst Rud88, IR89. Up untl recently not much progress has been made n relatng between cryptography and PPAD hardness. Ths has changed as a result of developments n the study of obfuscaton BGI + 01, GGH + 13, a strong cryptographc noton wth connectons to the hardness of source-or-snk. As shown by Btansky, Paneth and Rosen BPR15 the task of breakng sub-exponentally secure ndstngushablty obfuscaton can be reduced to solvng source-or-snk. Beyond gvng the frst extrnsc evdence of PPAD hardness, the result of Btansky et al. also provded the frst method to sample potentally hard-on-average source-or-snk nstances. Ther result was subsequently strengthened by Garg, Pandey and Srnvasan, who based t on ndstngushablty obfuscaton wth standard (.e., polynomal) hardness GPS16. Pre-obfuscaton PPAD hardness? Indstngushablty obfuscaton has revealed to be an exceptonally powerful prmtve, wth numerous far reachng applcatons. However, ts exstence s far from beng a well-establshed cryptographc assumpton, certanly not nearly as well-establshed as the exstence of one-way functons or publc-key encrypton. Recently, our confdence n exstng ndstngushablty obfuscaton canddates has somewhat been shaken, followng a sequence of devastatng attacks on both canddate obfuscators and on ther underlyng buldng blocks (see, for example, BGH + 15, CGH + 15, CHL + 15, CLR15, HJ15, MF15, CFL + 16, CJL16, MSZ16). It thus became natural to ask: Can average-case PPAD hardness be based on standard cryptographc assumptons? 1 The name end-of-lne s more commonly used n the lterature, however source-or-snk s more accurately descrptve BCE

4 By standard cryptographc assumptons we are n general referrng to pre-obfuscaton type of prmtves, such as the exstence of one-way functons or publc-key cryptography. As mentoned above, such assumptons are currently by far more well-establshed than ndstngushablty obfuscaton, and basng average-case PPAD hardness on them would make a much stronger case. For all we know PPAD hardness may be based on the exstence of one-way functons. However, f t turned out that average-case PPAD hardness mples publc-key encrypton, then ths would ndcate that basng average-case PPAD hardness on one-way functons may be extremely challengng snce we currently do not know how to base publc-key encrypton on one-way functons (and n fact cannot do so usng black-box technques IR89). Smlarly, f t turned out that average-case PPAD hardness mples ndstngushablty obfuscaton, ths ths would ndcate that basng average-case PPAD average on any standard cryptographc assumpton would requre developng radcally new technques. More generally, the stronger the mplcaton of PPAD hardness s, the more dffcult t may be to base PPAD hardness on standard assumptons. Ths leads us to the followng second queston: Does average-case PPAD hardness mply any form of cryptographc hardness? As dscussed above, a negatve answer to the above queston would actually be an encouragng sgn. It would suggest, n partcular, that program obfuscaton s not essental for PPAD hardness, and that there may be hope to base PPAD hardness on standard cryptographc assumptons. 1.1 Our Contrbutons Motvated by the above questons, we nvestgate the nterplay between average-case PPAD hardness and standard cryptographc assumptons. We consder ths nterplay from the perspectve of blackbox reductons, the fundamental approach for capturng natural relatons both among cryptographc prmtves (e.g., Rud88, IR89, Lub96) and among complexty classes (e.g., BCE + 95, CIY97). Average-case PPAD hardness does not mply cryptographc hardness. Our frst result shows that average-case PPAD hardness does not mply any form of cryptographc hardness n a black-box manner (not even a one-way functon). In addton, our second result shows that, even when assumng the exstence of one-way functons, average-case PPAD hardness does not mply any publc-key prmtve (not even key agreement). 2 In fact, we prove the followng more general theorems by consderng the snk-of-verfable-lne (SVL) problem, ntroduced by Abbot et al. AKV04 and further studed by Btansky et al. BPR15 and Garg et al. GPS16: Theorem 1.1. There s no black-box constructon of a one-way functon from a hard-on-average dstrbuton of SVL nstances. Theorem 1.2. There s no black-box constructon of a key-agreement protocol from a one-way functon and a hard-on-average dstrbuton of SVL nstances. Abbot et al. AKV04 and Btansky et al. BPR15 showed that any hard-on-average dstrbuton of SVL nstances can be used n a black-box manner for constructng a hard-on-average dstrbuton of nstances to a PPAD-complete problem (specfcally, nstances of the source-or-snk problem). Thus, Theorem 1.1 mples, n partcular, that there s no black-box constructon of a one-way functon from a hard-on-average dstrbuton of nstances to a PPAD-complete problem. Smlarly, 2 Recall that although ndstngushablty obfuscaton does not uncondtonally mply the exstence of one-way functons BGI + 12, t does mply publc-key cryptography when assumng the exstence of one-way functons SW14. 2

5 Theorem 1.2 mples, n partcular, that there s no black-box constructon of a key-agreement protocol from a one-way functon and a hard-on-average dstrbuton of nstances to a PPAD-complete problem. As dscussed n the prevous secton, the fact that average-case PPAD hardness does not naturally mply any form of cryptographc hardness s an encouragng sgn n the pursut of basng average-case PPAD hardness on standard cryptographc assumptons. For example, f average-case PPAD hardness would have mpled program obfuscaton, ths would have ndcated that extremely strong cryptographc assumptons are lkely to be essental for average-case PPAD hardness. Smlarly, f average-case PPAD hardness would have mpled publc-key cryptography, ths would have ndcated that well-structured cryptographc assumptons are essental for average-case PPAD hardness. The fact that average-case PPAD hardness does not naturally mply any form of cryptographc hardness hnts that t may be possble to base average-case PPAD hardness even on the mnmal (and unstructured) assumpton that one-way functons exst. PPAD hardness vs. SVL hardness. The SVL problem played a central role n the recent breakthrough of Btansky et al. BPR15 and Garg et al. GPS16 n constructng a hard-on-average dstrbuton of nstances to a PPAD-complete problem based on ndstngushablty obfuscaton. Specfcally, they constructed a hard-on-average dstrbuton of SVL nstances, and then reduced t to a hard-on-average dstrbuton of source-or-snk nstances AKV04, BPR15. We show, however, that the SVL problem s n fact far from representng PPAD hardness: Whereas Abbot et al. AKV04 and Btansky et al. BPR15 showed that the SVL problem can be effcently reduced to the source-or-snk problem (even n the worst case), we show that there s no such reducton n the opposte drecton (not even an average-case one). We prove the followng theorem: Theorem 1.3. There s no black-box constructon of a hard-on-average dstrbuton of SVL nstances from a hard-on-average dstrbuton of source-or-snk nstances. Moreover, ths holds even f the underlyng source-or-snk nstances always have a unque soluton. On basng average-case PPAD hardness on standard assumptons. Theorem 1.1 encouragngly shows that t may stll be possble to base average-case PPAD hardness on standard cryptographc assumptons, but Theorem 1.3 shows that the obfuscaton-based approach (whch goes through the SVL problem) may not be the most effectve one. Now, we show that n fact any attempt for basng average-case PPAD hardness on standard cryptographc assumptons (e.g., on one-way functons, publc-key encrypton, and even on njectve trapdoor functons) n a black-box manner must sgnfcantly devate from the obfuscaton-based approach. Specfcally, the source-or-snk nstances resultng from that approach have exactly one soluton 3, and we show that when relyng on njectve trapdoor functons n a black-box manner t s essental to have a nearly-exponental number of solutons. We prove the followng theorem: Theorem 1.4. There s no black-box constructon of a hard-on-average dstrbuton of source-orsnk nstances over {0, 1} n wth 2 no(1) solutons from njectve trapdoor functons. In partcular, snce Abbot et al. AKV04 and Btansky et al. BPR15 showed that hard-onaverage SVL nstances lead to hard-on-average source-or-snk nstances havng a unque soluton, Theorem 1.4 mples the followng corollary whch, when combned wth Theorem 1.1, shows that average-case SVL hardness s essentally ncomparable to standard cryptographc assumptons. 3 Unless, of course, one allows for artfcal manpulatons of the nstances to generate multple (strongly related) solutons. 3

6 Corollary 1.5. There s no black-box constructon of hard-on-average dstrbuton of SVL nstances from njectve trapdoor functons. More generally, although Theorem 1.4 and Corollary 1.5 focus on njectve trapdoor functons, our mpossblty result holds for a rcher and larger class of buldng blocks. Specfcally, t holds for any prmtve that exsts relatve to a random njectve trapdoor functon oracle. Thus, Theorem 1.4 and Corollary 1.5 hold, for example, also for collson-resstant hash functons (whch are not mpled by one-way functons or njectve trapdoor functons n a black-box manner Sm98, HHR + 15). Taken together, our results mply that t may be possble to base average-case PPAD hardness on standard cryptographc assumptons, but any black-box attempt must sgnfcantly devate from the obfuscaton-based approach: It cannot go through the SVL problem, and t must result n sourceor-snk nstances wth a nearly-exponental number of solutons. See Fgure 1 for an llustraton of our results. A wder perspectve: From Rudch s mpossblty to structured buldng blocks and bounded-tfnp hardness. Our results apply to a wde class of search problems, and not only to the specfc source-or-snk and SVL problems. We consder the noton of TFNP nstances wth a guaranteed (non-trval) upper bound on ther number of exstng solutons, to whch we refer as bounded-tfnp nstances. Ths captures, n partcular, source-or-snk nstances and (vald) SVL nstances, and provdes a more general and useful perspectve for studyng cryptographc lmtatons n constructng hard nstances of search problems. Equpped wth such a wde perspectve, our approach and proof technques buld upon, and sgnfcantly extend, Rudch s classc proof for rulng out black-box constructons of one-way permutatons based on one-way functons Rud88. We extend Rudch s approach from ts somewhat restrcted context of one-way functons (as buldng blocks) and one-way permutatons (as target objects) to provde a rcher framework that consders: (1) sgnfcantly more structured buldng blocks, and (2) sgnfcantly less restrcted target objects. Specfcally, we bound the lmtatons of hard-onaverage source-or-snk and SVL nstances as buldng blocks (nstead of one-way functons), and we rule out bounded-tfnp nstances as target objects (nstead of one-way permutatons). One-Way Functons Thm. 1.2 Key Agreement Injectve Trapdoor Functons Thm. 1.1 Hard-on-Average Snk-of-Verfable-Lne Instances AKV04,BPR15 Thm. 1.3 Hard-on-Average Source-or-Snk Instances wth 2 no(1) Solutons Hard-on-Average Source-or-Snk Instances Fgure 1: An llustraton of our results. Dashed arrows correspond to known mplcatons, and sold arrows correspond to our separatons. 4

7 1.2 Open Problems Several nterestng open problems arse drectly from our results, and here we pont out some of them. The strong structural barrer put forward n Theorem 1.4 stands n stark contrast to the approach of Btansky et al. BPR15 and Garg et al. GPS16. Thus, an ntrgung open problem s ether to extend our mpossblty result to rule out constructons wth any number of solutons, or to crcumvent our mpossblty result by desgnng nstances wth an nearlyexponental number of solutons based on standard cryptographc assumptons. More generally, the queston of crcumventng black-box mpossblty results by utlzng nonblack-box technques s always fascnatng. In our specfc context, already the obfuscatonbased constructons of Btansky et al. BPR15 and Garg et al. GPS16 nvolve non-black-box technques (e.g., they apply an ndstngushablty obfuscator to a crcut that uses a pseudorandom functon). However, as recently shown by Asharov and Segev AS15, AS16, as long as the ndstngushablty obfuscator tself s used n a black-box manner, such technques can n fact be captured by refnng the exstng frameworks for black-box separatons (specfcally, the framework of Asharov and Segev captures the obfuscaton-based constructons of Btansky et al. BPR15 and Garg et al. GPS16). Thus, an exctng open problem s to crcumvent our results by utlzng non-black-box technques whle relyng on standard cryptographc assumptons. Our mpossblty results n Theorem 1.4 and Corollary 1.5 apply to any buldng block that exsts relatve to a random njectve trapdoor functon oracle (e.g., a collson-resstent hash functon). It s not clear, however, whether smlar mpossblty results may apply to one-way permutatons. Thus, an ntrgung open problem s ether to extend our mpossblty results to rule out constructons based on one-way permutatons, or to crcumvent our mpossblty results by desgnng hard-on-average nstances based on one-way permutatons. We note that by relyng on one-way permutatons t s rather trval to construct some arbtrary hard-onaverage TFNP dstrbuton (even one wth unque solutons), but t s not known how to construct less arbtrary forms of hardness, such as average-case PPAD or SVL hardness. The recent work of Hubácek, Naor, and Yogev HNY16 proposes two elegant approaches for constructng hard-on-average TFNP nstances. Ther frst approach s based on any hard-onaverage NP relaton (the exstence of whch s mpled, for example, by any one-way functon) n a black-box manner, and results n TFNP nstances wth a possbly exponental number of solutons. Ther second approach s based on any njectve one-way functon and a nonnteractve wtness-ndstngushable proof system for NP (whch can be constructed based on trapdoor permutatons), and results n TFNP nstances havng at most two solutons. An nterestng queston s whether ther approaches mply not only average-case TFNP hardness for the partcular problems defned by ther underlyng one-way functon and proof system, but also more specfc forms of TFNP hardness, such as average-case PPAD or SVL hardness. 1.3 Overvew of Our Approach In ths secton we provde a hgh-level overvew of the man deas underlyng our results. Each of our results s of the form the exstence of P does not mply the exstence of Q n a black-box manner, where each of P and Q s ether a cryptographc prmtve (e.g., a one-way functon) or a hard-onaverage search problem (e.g., the source-or-snk problem). Intutvely, such a statement s proved by constructng a dstrbuton over oracles relatve to whch there exsts an mplementaton of P, 5

8 but any mplementaton of Q can be effcently broken. Our formal proofs properly formalze ths ntuton va the standard framework of black-box reductons (e.g., IR89, Lub96, Gol00, RTV04). Average-case SVL hardness does not mply OWFs. Theorem 1.1 s proved by presentng a dstrbuton of oracles relatve to whch there exsts a hard-on-average dstrbuton of SVL nstances, but there are no one-way functons. An SVL nstance s of the form {(S n, V n, L(n))} n N, where for every n N t holds that S n : {0, 1} n {0, 1} n, V n : {0, 1} n 2 n {0, 1}, and L(n) 2 n. Such an nstance s vald f for every n N, x {0, 1} n, and 2 n, t holds that V n (x, ) = 1 f and only f x = S n(0 n ). Intutvely, the crcut S n can be vewed as mplementng the successor functon of a drected graph over {0, 1} n that conssts of a sngle lne startng at 0 n, and the crcut V n enables to effcently test whether a gven node x s of dstance from 0 n on the lne. The goal s to fnd the node of dstance L(n) from 0 n (see Secton 2.1 for the formal defnton of the SVL problem). We consder an oracle that s a vald SVL nstance O SVL correspondng to a graph wth a sngle lne 0 n x 1 x L(n) of length L(n) = 2 n/2. The lne s chosen unformly among all lnes n {0, 1} n of length L(n) startng at 0 n (and all nodes outsde the lne have self loops and are essentally rrelevant). Frst, we show that the oracle O SVL s ndeed a hard-on-average SVL nstance. Ths s based on the followng, rather ntutve, observaton: Snce the lne 0 n x 1 x L(n) s sparse and unformly sampled, then any algorthm performng q = q(n) oracle queres should not be able to query O SVL wth any element on the lne beyond the frst q elements 0 n, x 1,..., x q 1. In partcular, for our choce of parameters, any algorthm performng at most, say, 2 n/4 queres, has only an exponentally-small probablty of reachng x L(n) (where the probablty s taken over the choce of the oracle O SVL ). Then, we show that any oracle-aded functon F O SVL( ) can be nverted (wth hgh probablty over the choce of the oracle O SVL ) by an algorthm whose query complexty s polynomally-related to that of the functon F O SVL( ). The proof s based on the followng approach. Consder a value y = F O SVL(x) that we would lke to nvert. If F performs at most q = q(n) oracle queres, the above-mentoned observaton mples that the computaton F O SVL(x) should not query O SVL wth any elements on the lne 0 n x 1 x L(n) except for the frst q elements x 0, x 1,..., x q 1. Ths observaton gves rse to the followng nverter A: Frst perform q queres to O SVL for dscoverng x 1,..., x q, and then nvert y = F O SVL(x) relatve to the oracle Õ SVL defned va the followng successor functon S: { x+1 f α = x S(α) = for some {0,..., q 1} α otherwse The formal proof s n fact more subtle, and requres a sgnfcant amount of cauton when nvertng y = F O SVL(x) relatve to the oracle Õ SVL. Specfcally, the nverter A should fnd an nput x such that the computatons F ÕSVL( x) and F O SVL( x) do not query the oracles Õ SVL and O SVL, respectvely, wth any of x q,..., x L(n). In ths case, we show that ndeed F O SVL( x) = y and the nverter s successful. We refer the reader to Secton 3 for more detals and for the formal proof. Average-case SVL hardness and OWFs do not mply key agreement. Theorem 1.2 s proved by showng that n any black-box constructon of a key-agreement protocol based on a oneway functon and a hard-on-average dstrbuton of SVL nstances, we can elmnate the protocol s need for usng the SVL nstances. Ths leads to a black-box constructon of key-agreement protocol based on a one-way functon, whch we can then rule out by nvokng the classc result of Impaglazzo and Rudch IR89 and ts refnement by Barak and Mahmoody-Ghdary BM09. Specfcally, consder a key-agreement protocol (A f,o SVL, B f,o SVL) n whch the partes have oracle access to a random functon f and to the oracle O SVL used for provng Theorem 1.1. Then, f A and B perform at most q = q(n) oracle queres, the observaton underlyng the proof of Theorem 1.1 mples 6.

9 that, durng an executon (A f,o SVL, B f,o SVL) of the protocol, the partes should not query O SVL wth any elements on the lne 0 n x 1 x L(n) except for the frst q elements x 0, x 1,..., x q 1. Ths observaton gves rse to a key-agreement protocol (Ãf, B f ) that does not requre access to the oracle O SVL : Frst, Ã samples a sequence x 1,..., x q of q values, and sends these values to B. Then, Ã and B run the protocol (A f,o SVL, B f,o SVL) by usng the values x 1,..., x q nstead of accessng O SVL. That s, Ã and B run the underlyng protocol relatve to the gven oracle f and to the oracle Õ SVL defned va the followng successor functon S (whch each party can compute on ts own): { x+1 f α = x S(α) = for some {0,..., q 1} α otherwse. The formal proof s aganst rather subtle, and we refer the reader to Appendx A for more detals and for the formal proof. Average-case PPAD hardness does not mply unque-tfnp hardness. Theorem 1.3 s proved by presentng a dstrbuton of oracles relatve to whch there exsts a hard-on-average dstrbuton of nstances of a PPAD-complete problem (specfcally, we consder the source-or-snk problem), but there are no hard TFNP nstances havng unque solutons. A TFNP nstance wth a unque soluton, denoted a unque-tfnp nstance, s of the form {C n } n N, where for every n N t holds that C n : {0, 1} n {0, 1} and there s a unque x {0, 1} n such that C(x) = 1. Note that any vald SVL nstance yelds a TFNP nstance that has a unque soluton. Therefore, relatve to our dstrbuton over oracles any vald SVL nstance can be effcently solved. A source-or-snk nstance s of the form {(S n, P n )} n N, where for every n N t holds that S n : {0, 1} n {0, 1} n and P n : {0, 1} n {0, 1} n. Intutvely, the crcuts S n and P n can be vewed as mplementng the successor and predecessor functons of a drected graph over {0, 1} n, where the n-degree and out-degree of every node s at most one, and the n-degree of 0 n s 0 (.e., t s a source). The goal s to fnd any node, other than 0 n, wth ether no ncomng edge and no outgong edge. We agan refer the reader to Secton 2.1 for the formal defntons. We consder an oracle that s a source-or-snk nstance O PPAD whch s based on the same sparse structure used to defne the oracle O SVL : It corresponds to a graph wth a sngle lne 0 n x 1 x L(n) of length L(n) = 2 n/2. The lne s chosen unformly among all lnes n {0, 1} n of length L(n) startng at 0 n (and all nodes outsde the lne have self loops). The fact that the oracle O PPAD s a hard-on-average source-or-snk nstance follows qute easly from the above-mentoned observaton on ts sparse and unform structure: Any algorthm performng q = q(n) oracle queres should not be able to query O PPAD wth any element on the lne beyond the frst q elements x 0, x 1,..., x q 1. In partcular, for our choce of parameters, any such algorthm should have only an exponentally-small probablty of reachng x L(n). Solvng any oracle-aded unque-tfnp nstance relatve to O PPAD, however, turns out to be a completely dfferent challenge. One mght be tempted to follow a same approach based on the oracle s sparse and unform structure. Specfcally, let C n be a unque-tfnp nstance, and consder the unque value x {0, 1} n for whch C O PPAD n (x ) = 1. Then, f C n ssues at most q = q(n) oracle queres, the computaton C O PPAD n (x ) should essentally not be able to query O PPAD wth any elements on the lne 0 n x 1 x L(n) except for the frst q elements 0 n, x 1,..., x q 1. Therefore, one can defne a fake oracle Õ PPAD whose successor and predecessor functons agree wth O PPAD on 0 n, x 1,..., x q (and are defned as the dentty functons for all other nputs), and then fnd the unque x such that CÕPPAD n ( x) = 1. Ths approach, however, completely fals snce the soluton x tself may depend on O PPAD n an arbtrary manner, provdng the computaton 7

10 C O PPAD n (x ) wth suffcent nformaton for queryng O PPAD wth an nput x that s located further along the lne (.e., q L(n)). As dscussed n Secton 1.1, our proof s obtaned by sgnfcantly extendng Rudch s classc proof for rulng out black-box constructons of one-way permutatons based on one-way functons Rud88. In fact, Rudch s proof already generalzes, perhaps somewhat mplctly, from from rulng out constructons of one-way permutatons to rulng out constructons of any hard-on-average dstrbuton of unque-tfnp nstances. Here, we show, that hs approach provdes a rch framework that allows to bound not only the lmtatons of one-way functons as a buldng block, but even the lmtatons of sgnfcantly more structured prmtves as buldng blocks. Specfcally, our proof of Theorem 1.3 extends Rudch s technque for boundng the lmtatons of hard-on-average source-or-snk nstances. We refer the reader to Secton 4 for more detals and for the formal proof. Injectve trapdoor functons do not mply bounded-tfnp hardness. Theorem 1.4 and Corollary 1.5 are proved by presentng a dstrbuton of oracles relatve to whch there exsts a collecton of njectve trapdoor functons, but there are no hard TFNP nstances havng a bounded number of solutons (specfcally, our result wll apply to a sub-exponental number of solutons). A TFNP nstance wth bounded number k( ) of solutons, denoted a k-bounded TFNP nstance, s of the form {C n } n N, where for every n N t holds that C : {0, 1} n {0, 1}, and there s at least one and at most k(n) dstnct nputs x {0, 1} n such that C(x) = 1 (any one of these x s s a soluton). In partcular, as dscussed above, any vald SVL nstance yelds a 1-bounded TFNP nstance (.e., a unque-tfnp nstance), and therefore our result rules out black-box constructons of a hard-on-average dstrbuton of SVL nstances from njectve trapdoor functons. Smlarly, any source-or-snk nstance whch conssts of at most (k + 1)/2 dsjont lnes yelds a k-bounded TFNP nstance, and therefore our result rules out black-box constructons of a hard-on-average dstrbuton of source-or-snk nstances wth a bounded number of dsjont lnes from njectve trapdoor functons. For emphaszng the man deas underlyng our proof, n Secton 5 we frst prove our result for constructons that are based on one-way functons, and then n Secton 6 we generalze the proof to constructons that are based on njectve trapdoor functons. Each of these two parts requres ntroducng new deas and technques, and such a level of modularty s useful n pontng them out. When consderng constructons that are based on one-way functons, our proof s obtaned va an addtonal generalzaton of Rudch s proof technque Rud88. As dscussed above, Rudch s approach already generalzes, perhaps somewhat mplctly, from rulng out constructons of oneway permutatons based on one-way functons to rulng out constructons of any hard-on-average dstrbuton of unque-tfnp nstances based on one-way functons. We show, by extendng and refnng Rudch s proof technque once agan, that we can rule out not only constructons of unque- TFNP nstances, but even constructons of bounded-tfnp nstances. Ths requre a substantal generalzaton of Rudch s attacker, and we refer reader to Secton 5 for more detals and for the formal proof. Then, when consderng constructons that are based on njectve trapdoor functons, we show that our proof from Secton 5 can be generalzed from constructons of bounded-tfnp nstances based on one-way functons to constructons of bounded-tfnp nstances based on njectve trapdoor functons. Combned wth our the proof of Theorem 1.3, ths extends Rudch s approach from ts somewhat restrcted context of one-way functons (as buldng blocks) and one-way permutatons (as target objects) to provde a rcher framework that consders: (1) sgnfcantly more structured buldng blocks, and (2) sgnfcantly less restrcted target objects. We refer reader to Secton 6 for more detals and for the formal proof. 8

11 1.4 Paper Organzaton The remander of ths paper s organzed as follows. In Secton 2 we ntroduce our notaton as well as the search problems and the cryptographc prmtves that we consder n ths paper. In Secton 3 we show that average-case SVL hardness does not mply one-way functons n a black-box manner (provng Theorem 1.1). In Secton 4 we show that average-case PPAD hardness does not mply unque-tfnp hardness n a black-box manner (provng Theorem 1.3). In Secton 5 we show that one-way functons do not mply bounded-tfnp hardness n a black-box manner, and n Secton 6 we generalze ths result, showng that even njectve trapdoor functons do not mply bounded-tfnp hardness n a black-box manner (provng Theorem 1.4 and Corollary 1.5). Fnally, n Appendx A we extend our approach from Secton 3 and show that average-case SVL hardness does not mply key agreement even when assumng the exstence of one-way functons. 2 Prelmnares In ths secton we present the notaton and basc defntons that are used n ths work. For a dstrbuton X we denote by x X the process of samplng a value x from the dstrbuton X. Smlarly, for a set X we denote by x X the process of samplng a value x from the unform dstrbuton over X. For an nteger n N we denote by n the set {1,..., n}. A q-query algorthm s an oracle-aded algorthm A such that for any oracle O and nput x {0, 1}, the computaton A O (x) conssts of at most q( x ) oracle calls to O. 2.1 Complexty Classes and Total Search Problems An effcently-verfable search problem s descrbed va a par (I, R), where I {0, 1} s an effcently-recognzable set of nstances, and R s an effcently-computable bnary relaton. Such a search problem s total f for every nstance z I there exsts a wtness w of length polynomal n the length z such that R(z, w) = 1. The class TFNP conssts of all effcently-verfable search problem that are total, and ts subclass PPAD conssts of all such problems that are polynomal-tme reducble to the source-or-snk problem Pap94, defned as follows. Defnton 2.1 (The source-or-snk problem). A source-or-snk nstance conssts of a par of crcuts S, P : {0, 1} n {0, 1} n such that P(0 n ) = 0 n S(0 n ). The goal s to fnd an element w {0, 1} n such that P(S(w)) w or S(P(w)) w 0 n. Intutvely, the crcuts S and P can be vewed as mplementng the successor and predecessor functons of a drected graph over {0, 1} n, where for each par of nodes x and y there exsts an edge from x to y f and only f S(x) = y and P(y) = x (note that the n-degree and out-degree of every node n ths graph s at most one, and the n-degree of 0 n s 0). The goal s to fnd any node, other than 0 n, wth ether no ncomng edge or no outgong edge. Such a node must always exst by a party argument. The snk-of-verfable-lne (SVL) problem s a search problem ntroduced by Abbot et al. AKV04 and further studed by Btansky et al. BPR15 and Garg et al. GPS16. It s defned as follows: Defnton 2.2 (The snk-of-verfable-lne (SVL) problem). An SVL nstance conssts of a trplet (S, V, T ), where T 2 n, and S : {0, 1} n {0, 1} n and V : {0, 1} n 2 n {0, 1} are two crcuts wth the guarantee that for every x {0, 1} n and 2 n t holds that V(x, ) = 1 f and only f x = S (0 n ). The goal s to fnd an element w {0, 1} n such that V(w, T ) = 1. 9

12 Intutvely, the crcut S can be vewed as mplementng the successor functon of a drected graph over {0, 1} n that conssts of a sngle lne startng at 0 n. The crcut V enables to effcently test whether a gven node x s of dstance from 0 n on the lne, and the goal s to fnd the node of dstance T from 0 n. Note that not any trplet (S, V, T ) s a vald SVL nstance (moreover, there may not be an effcent algorthm for verfyng whether a trplet (S, V, T ) s a vald nstance). Oracle-aded nstances wth prvate randomness. When consderng source-or-snk and SVL nstances that are descrbed by oracle-aded crcuts, we would lke to allow these crcuts to share an oracle-dependent state that may be generated va prvate randomness (ths clearly strengthen the class of problems that we consder, and n partcular, capture those constructed by BPR15, GPS16 usng ndstngushablty obfuscaton). For ths purpose, we equp the nstances wth an oracle-aded randomzed ndex-generaton algorthm, denoted Gen, that produces a publc ndex σ whch s then provded to all crcuts of the nstance (and to any algorthm that attempts to solve the nstance). Specfcally, we consder source-or-snk nstances of the form {(Gen n, S n, P n )} n N, where for every n N and for every ndex σ produced by Gen n t holds that S n (σ, ) : {0, 1} n {0, 1} n and P n (σ, ) : {0, 1} n {0, 1} n. Smlarly, we consder SVL nstances of the form {(Gen n, S n, V n, T (n))} n N, where for every n N and for every ndex σ produced by Gen n t holds that S n (σ, ) : {0, 1} n {0, 1} n, V n (σ,, ) : {0, 1} n 2 n {0, 1}, and T (n) 2 n. We say that an SVL nstance s vald f for every n N, σ produced by Gen n, x {0, 1} n, and 2 n, t holds that V n (σ, x, ) = 1 f and only f x = S n(σ, 0 n ). Bounded TFNP nstances. As dscussed n Secton 1.1, we prove our results usng the noton of bounded-tfnp nstances, naturally generalzng source-or-snk nstances (and vald SVL nstances) by consderng TFNP nstances wth a guaranteed upper bound on the number of solutons. Defnton 2.3. A k-bounded TFNP nstance s of the form {Gen n, C n } n N, where for every n N and for every ndex σ produced by Gen n t holds that C n (σ, ) : {0, 1} n {0, 1}, and there s at least one and at most k(n) dstnct nputs x {0, 1} n such that C n (σ, x) = 1 (any one of these x s s a soluton). Note that any vald SVL nstance yelds a 1-bounded TFNP nstance (to whch we refer as a unque-tfnp nstance), and any source-or-snk nstance whch conssts of at most (k + 1)/2 dsjont lnes yelds a k-bounded TFNP nstance. The followng defnton formalzes the standard noton of average-case hardness n the specfc context of k-bounded TFNP nstances. Ths noton then serves as the bass of our defntons of black-box constructons. Defnton 2.4. Let k = k(n), t = t(n) and ɛ = ɛ(n) be functons of the securty parameter n N. A k-bounded TFNP nstance {Gen n, C n } n N s (t, ɛ)-hard f for any algorthm A that runs n tme t(n) t holds that Pr A (1 n, σ) = x s.t. C n (σ, x) = 1 ɛ(n) for nfntely many values of n N, where the probablty s taken over the choce of σ Gen n () and over the nternal randomness of A, 2.2 One-Way Functons and Injectve Trapdoor Functons We rely on the standard (parameterzed) notons of a one-way functon and njectve trapdoor functons Gol01. Defnton 2.5. An effcently-computable functon f : {0, 1} {0, 1} s (t( ), ɛ( ))-one-way f for any probablstc algorthm A that runs n tme t(n) t holds that Pr A (f(x)) f 1 (f(x)) ɛ(n) 10

13 for all suffcently large n N, where the probablty s taken over the choce of x {0, 1} n and over the nternal randomness of A. A collecton of njectve trapdoor functons s a trplet (KG, F, F 1 ) of polynomal-tme algorthms. The key-generaton algorthm KG s a probablstc algorthm that on nput the securty parameter 1 n outputs a par (pk, td), where pk s a publc key and td s a correspondng trapdoor. For any n N and for any par (pk, td) that s produced by KG(1 n ), the evaluaton algorthm F computes an njectve functon F(pk, ) : {0, 1} n {0, 1} l(n), and the nverson algorthm F 1 (td, ) : {0, 1} l(n) {0, 1} n { } computes ts nverse whenever an nverse exsts (.e., t outputs on all values y that are not n the mage of the functon F(pk, )). The securty requrement of njectve trapdoor functons s formalzed as follows: Defnton 2.6. A collecton of njectve trapdoor functons (KG, F, F 1 ) s (t( ), ɛ( ))-secure f for any probablstc algorthm A that runs n tme t(n) t holds that Pr A (pk, F(pk, x)) = x ɛ(n) for all suffcently large n N, where the probablty s taken over the choce of (pk, td) KG(1 n ), x {0, 1} n, and over the nternal randomness of A. 2.3 Key-Agreement Protocols We rely on the standard (parameterzed) noton of a key-agreement protocol. For our purposes n ths paper t suffces to consder key-agreement protocols n whch the partes agree on a sngle bt, and we refer to such protocols as bt-agreement protocols. A bt-agreement protocol conssts of a par (A, B) of probablstc polynomal-tme algorthms. We denote by (k A, k B, Trans) A(1 n ; r A ), B(1 n ; r B ) the random process of executng the protocol, where r A and r B are the random tapes of A and B, respectvely, k A and k B are the output bts of A and B, respectvely, and Trans s the transcrpt of the protocol (.e., the messages exchanged by the partes). Defnton 2.7. A par Π = (A, B) of probablstc polynomal-tme algorthms s a (t( ), ɛ( ))-secure bt-agreement protocol wth correctness ρ( ) f the followng two condtons hold: Correctness. For any n N t holds that Pr r A,r B k A = k B (k A, k B, Trans) A(1 n ; r A ), B(1 n ; r B ) ρ(n). Securty. For any probablstc algorthm E that runs n tme t(n) t holds that Adv KA Π,E(n) def = Pr Exp KA Π,E(n) = ɛ(n) for all suffcently large n N, where the random varable Exp KA Π,E (n) s defned va the followng experment: 1. (k A, k B, Trans) A(1 n ), B(1 n ). 2. k E(1 n, Trans). 3. If k = k A then output 1, and otherwse output 0. 11

14 3 Average-Case SVL Hardness Does Not Imply One-Way Functons In ths secton we prove that there s no fully black-box constructon of a one-way functon from a hard-on-average dstrbuton of SVL nstances 4 (provng Theorem 1.1). Our result s obtaned by presentng a dstrbuton of oracles relatve to whch the followng two propertes hold: 1. There exsts a hard-on-average dstrbuton of SVL nstances. 2. There are no one-way functons. Recall that an SVL nstance s of the form {(Gen n, S n, V n, L(n))} n N, where for every n N and for every ndex σ produced by Gen n t holds that S n (σ, ) : {0, 1} n {0, 1} n, V n (σ,, ) : {0, 1} n 2 n {0, 1}, and L(n) 2 n. We say that an SVL nstance s vald f for every n N, σ produced by Gen n, x {0, 1} n, and 2 n, t holds that V n (σ, x, ) = 1 f and only f x = S n(σ, 0 n ). The followng defnton talors the standard noton of a fully black-box constructon (based, for example, on Lub96, Gol00, RTV04) to the specfc prmtves under consderaton. Defnton 3.1. A fully black-box constructon of a one-way functon from a hard-on-average dstrbuton of SVL nstances conssts of an oracle-aded polynomal-tme algorthm F, an oracle-aded algorthm M that runs n tme T M ( ), and functons ɛ M,1 ( ) and ɛ M,2 ( ), such that the followng condtons hold: Correctness: There exsts a polynomal l( ) such that for any vald SVL nstance O SVL and for any x {0, 1} t holds that F O SVL(x) {0, 1} l( x ). Black-box proof of securty: For any vald SVL nstance O SVL = {(Gen n, S n, V n, L(n))} n N, for any oracle-aded algorthm A that runs n tme T A = T A (n), and for any functon ɛ A ( ), f Pr A O ( SVL F O SVL (x) ) ( F O ) 1 ( SVL F O SVL (x) ) ɛ A (n) for nfntely many values of n N, where the probablty s taken over the choce of x {0, 1} n and over the nternal randomness of A, then Pr M A,O SVL (1 n, σ) solves (S n (σ, ), V n (σ, ), L(n)) ɛ M,1 (T A (n)/ɛ A (n)) ɛ M,2 (n) for nfntely many values of n N, where the probablty s taken over the choce of σ Gen n () and over the nternal randomness of M. Followng Asharov and Segev AS15, AS16, we splt the securty loss n the above defnton to an adversary-dependent securty loss and an adversary-ndependent securty loss, as ths allows us to capture constructons where one of these losses s super-polynomal whereas the other s polynomal (e.g., BPR15, BPW16). In addton, we note that the correctness requrement n the above defnton may seem somewhat trval snce the fact that the output length of F O SVL( ) s polynomal follows drectly from the requrement that F runs n polynomal tme. However, for avodng rather trval techncal complcatons n the proofs of ths secton, for smplcty (and wthout loss of generalty) we nevertheless ask explctly that the output length s some fxed polynomal l(n) for any nput length n (clearly, l(n) may depend on the runnng tme of F, and shorter outputs can always be padded). Equpped wth the above defnton we prove the followng theorem: 4 Recall that any hard-on-average dstrbuton of SVL nstances can be used n a black-box manner to construct a hard-on-average dstrbuton of nstances of a PPAD-complete problem AKV04, BPR15. Thus, our result mples (n partcular) that average-case PPAD hardness does not mply one-way functons n a black-box manner. 12

15 Theorem 3.2. Let (F, M, T M, ɛ M,1, ɛ M,2 ) be a fully black-box constructon of a one-way functon from a hard-on-average SVL nstance. Then, at least one of the followng propertes holds: 1. T M (n) 2 ζn for some constant ζ > 0 (.e., the reducton runs n exponental tme). 2. ɛ M,1 (n c ) ɛ M,2 (n) 2 n/10 for some constant c > 1 (.e., the securty loss s exponental). In partcular, Theorem 3.2 rules out standard polynomal-tme polynomal-loss reductons. More generally, the theorem mples that f the runnng tme T M ( ) of the reducton s sub-exponental and the adversary-dependent securty loss ɛ M,1 ( ) s polynomal (as expected), then the adversaryndependent securty loss ɛ M,2 ( ) must be exponental (thus even rulng out constructons based on SVL nstances wth sub-exponental average-case hardness). 3.1 Proof Overvew In what follows we frst descrbe the oracle, denoted O SVL, on whch we rely for provng Theorem 3.2. Then, we descrbe the structure of the proof, showng that relatve to the oracle O SVL there exsts a hard-on-average dstrbuton of SVL nstances, but there are no one-way functons. For the remander of ths secton we remnd the reader that a q-query algorthm s an oracle-aded algorthm A such that for any oracle O and nput x {0, 1}, the computaton A O (x) conssts of at most q( x ) oracle calls to O. The oracle O SVL. The oracle O SVL s a vald SVL nstance {(S n, V n, L(n))} n N that s sampled va the followng process for every n N: Let L(n) = 2 n/2, x 0 = 0 n, and unformly sample dstnct elements x 1,..., x L(n) {0, 1} n \ {0 n }. The successor functon S n : {0, 1} n {0, 1} n s defned as { x+1 f x = x S n (x) = for some {0,..., L(n) 1} x otherwse. The verfcaton functon V n : {0, 1} n 2 n {0, 1} s defned n a manner that s consstent wth S n (.e., V n s defned such that the nstance s vald). Part I: O SVL s a hard-on-average SVL nstance. We show that the oracle O SVL tself s a hardon-average SVL nstance, whch mples n partcular that relatve to the oracle O SVL there exsts a hard-on-average dstrbuton of SVL nstances. We prove the followng clam statng that, n fact, the oracle O SVL s an exponentally hard-on-average SVL nstance (even wthout an ndex-generaton algorthm): Clam 3.3. For every q(n)-query algorthm M, where q(n) L(n) 1, t holds that Pr M O SVL (1 n ) solves (S n, V n, L(n)) (q(n) + 1) L(n) 2 n q(n) 1 for all suffcently large n N, where the probablty s taken over the choce of the oracle O SVL = {(S n, V n, L(n))} n N as descrbed above. The proof of the clam, whch s provded n Secton 3.2, s based on the followng, rather ntutve, observaton: Snce the lne 0 n x 1 x L(n) s sparse and unformly sampled, then any algorthm performng q = q(n) oracle queres should not be able to query O SVL wth any element 13

16 on the lne beyond the frst q elements 0 n, x 1,..., x q 1. In partcular, for our choce of parameters, any such algorthm should have only an exponentally-small probablty of reachng x L(n). Part II: Invertng oracle-aded functons relatve to O SVL. We show that any oracle-aded functon F O SVL( ) computable n tme t(n) can be nverted wth hgh probablty by an nverter that ssues roughly t(n) 4 oracle queres. We prove the followng clam: Clam 3.4. For every determnstc oracle-aded functon F that s computable n tme t(n) there exsts a q(n)-query algorthm A, where q(n) = O(t(n) 4 ), such that Pr A O ( SVL F O SVL (x) ) ( F O ) 1 ( SVL F O SVL (x) ) 1 2 for all suffcently large n N and for every x {0, 1} n, where the probablty s taken over the choce of the oracle O SVL = {(S n, V n, L(n))} n N as descrbed above. Moreover, the algorthm A can be mplemented n tme polynomal n q(n) gven access to a PSPACE-complete oracle. The proof of the clam, whch s provded n Secton 3.3, s based on the followng approach. Consder the value y = F O SVL(x) that s gven as nput to the nverter A. Snce F s computable n tme t = t(n), t can ssue at most t oracle queres and therefore the observaton used for provng Clam 3.3 mples that the computaton F O SVL(x) should not query O SVL wth any elements on the lne 0 n x 1 x L(n) except for the frst t elements x 0, x 1,..., x t 1. In ths case, any S n -query α n the computaton F O SVL(x) can be answered as follows: If α = x for some {0,..., t 1} then the answer s x +1, and otherwse the answer s α. Smlarly, any V n -query (α, j) n the computaton F O SVL(x) can be answered as follows: If (α, j) = (x, ) for some {0,..., t 1} then the answer s 1, and otherwse the answer s 0. Ths observaton gves rse to the followng nverter A: Frst perform t queres to S n for dscoverng x 1,..., x t, and then nvert y = F O SVL(x) relatve to the oracle Õ SVL defned va the followng successor functon S n : { x+1 f α = x S n (α) = for some {0,..., t 1} α otherwse The formal proof s n fact more subtle, and requres a sgnfcant amount of cauton when nvertng y = F O SVL(x) relatve to the oracle Õ SVL. Specfcally, the nverter A should fnd an nput x such that the computatons F ÕSVL( x) and F O SVL( x) do not query the oracles Õ SVL and O SVL, respectvely, wth any of x t,..., x L(n). In ths case, we show that ndeed F O SVL( x) = y and the nverter s successful. 3.2 O SVL s a Hard-on-Average SVL Instance The proof of Clam 3.3 reles on the fact that the lne 0 n x 1 x L(n) s sparse and unformly sampled. Ths ntutvely mples that any algorthm performng q oracle queres should not be able to query O SVL wth any element on the lne beyond the frst q elements 0 n, x 1,..., x q 1, except wth an exponentally-small probablty. Gven an oracle O SVL = {(S n, V n, L(n))} n N, sampled as descrbed n Secton 3.1, and gven a q- query algorthm M, for every n N and q we denote by α the random varable correspondng to M s th oracle query f ths s an S n -query, and we denote by (α, k ) the random varable correspondng to M s th oracle query f ths s a V n -query. We denote by HIT O SVL the event n whch there exst ndces j q and L(n) for whch α j = x but x 1 / {α 1,..., α j 1 }. That. s, ths s the event n whch M queres O SVL wth one of the x s before queryng on x 1. In partcular, note that f the event HIT O SVL does not occur, then M does not query O SVL wth x for {q,..., L(n)}. The followng clam bounds the probablty of event HIT O SVL. 14