PPP (complexity)

In computational complexity theory, the complexity class PPP (polynomial pigeonhole principle) is a subclass of TFNP. It is the class of search problems that can be shown to be total by an application of the pigeonhole principle. Christos Papadimitriou introduced it in the same paper that introduced PPAD and PPA.^[1] PPP contains both PPAD and PWPP (polynomial weak pigeonhole principle) as subclasses. These complexity classes are of particular interest in cryptography because they are strongly related to cryptographic primitives such as one-way permutations and collision-resistant hash functions.

Definition

PPP is the set of all function computation problems that admit a polynomial-time reduction to the PIGEON problem, defined as follows:

Given a Boolean circuit ${\displaystyle C}$  having the same number ${\displaystyle n}$  of input bits as output bits, find either an input ${\displaystyle x}$  that is mapped to the output ${\displaystyle C(x)=0^{n}}$ , or two distinct inputs ${\displaystyle x\neq y}$  that are mapped to the same output ${\displaystyle C(x)=C(y)}$ .

A problem is PPP-complete if PIGEON is also polynomial-time reducible to it. Note that the pigeonhole principle guarantees that PIGEON is total. We can also define WEAK-PIGEON, for which the weak pigeonhole principle guarantees totality. PWPP is the corresponding class of problems that are polynomial-time reducible to it.^[2] WEAK-PIGEON is the following problem:

Given a Boolean circuit ${\displaystyle C}$  having ${\displaystyle n}$  input bits and ${\displaystyle n-1}$  output bits, find ${\displaystyle x\neq y}$  such that ${\displaystyle C(x)=C(y)}$ .

Here, the range of the circuit is strictly smaller than its domain, so the circuit is guaranteed to be non-injective. WEAK-PIGEON reduces to PIGEON by appending a single 1 bit to the circuit's output, so PWPP ${\displaystyle \subseteq }$  PPP.

Connection to cryptography

We can view the circuit in PIGEON as a polynomial-time computable hash function. Hence, PPP is the complexity class which captures the hardness of either inverting or finding a collision in hash functions. More generally, the relationship of subclasses of FNP to polynomial-time complexity classes can be used to determine the existence of certain cryptographic primitives, and vice versa.

For example, it is known that if FNP = FP, then one-way functions do not exist. Similarly, if PPP = FP, then one-way permutations do not exist.^[3] Hence, PPP (which is a subclass of FNP) more closely captures the question of the existence of one-way permutations. We can prove this by reducing the problem of inverting a permutation ${\displaystyle \pi }$  on an output ${\displaystyle y}$  to PIGEON. Construct a circuit ${\displaystyle C}$  that computes ${\displaystyle C(x)=\pi (x)\oplus y}$ . Since ${\displaystyle \pi }$  is a permutation, a solution to PIGEON must output ${\displaystyle x}$  such that ${\displaystyle C(x)=0=\pi (x)\oplus y}$ , which implies ${\displaystyle \pi (x)=y}$ .

Relationship to PPAD

PPP contains PPAD as a subclass (strict containment is an open problem). This is because End-of-the-Line, which defines PPAD, admits a straightforward polynomial-time reduction to PIGEON. In End-of-the-Line, the input is a start vertex ${\displaystyle s}$  in a directed graph ${\displaystyle G}$  where each vertex has at most one successor and at most one predecessor, represented by a polynomial-time computable successor function ${\displaystyle f}$ . Define a circuit ${\displaystyle C}$  whose input is a vertex ${\displaystyle x}$  and whose output is its successor if there is one, or ${\displaystyle x}$  if it does not. If we represent the source vertex ${\displaystyle s}$  as the bitstring ${\displaystyle 0^{n}}$ , this circuit is a direct reduction of End-of-the-Line to Pigeon, since any collision in ${\displaystyle C}$  provides a sink in ${\displaystyle G}$ .

Notable problems

Equal sums problem

The equal sums problem is the following problem. Given ${\displaystyle n}$  positive integers that sum to less than ${\displaystyle 2^{n}-1}$ , find two distinct subsets of the integers that have the same total. This problem is contained in PPP, but it is not known if it is PPP-complete.

Constrained-SIS problem

The constrained-SIS (short integer solution) problem, which is a generalization of the SIS problem from lattice-based cryptography, has been shown to be complete for PPP.^[4] Prior to that work, the only problems known to be complete for PPP were variants of PIGEON.

Integer factorization

There exist polynomial-time randomized reductions from the integer factorization problem to WEAK-PIGEON.^[5] Additionally, under the generalized Riemann hypothesis, there also exist deterministic polynomial reductions. However, it is still an open problem to unconditionally show that integer factorization is in PPP.

References

1. Christos Papadimitriou (1994). "On the complexity of the parity argument and other inefficient proofs of existence" (PDF). Journal of Computer and System Sciences. 48 (3): 498–532. doi:10.1016/S0022-0000(05)80063-7. Archived from the original (PDF) on 2016-03-04. Retrieved 2009-12-11.
2. Emil Jeřábek (2016). "Integer factoring and modular square roots". Journal of Computer and System Sciences. 82 (2): 380–394. arXiv:1207.5220. doi:10.1016/j.jcss.2015.08.001.
3. Christos Papadimitriou (1994). "On the complexity of the parity argument and other inefficient proofs of existence" (PDF). Journal of Computer and System Sciences. 48 (3): 498–532. doi:10.1016/S0022-0000(05)80063-7. Archived from the original (PDF) on 2016-03-04. Retrieved 2009-12-11.
4. K. Sotiraki, M. Zampitakis, and G. Zirdelis (2018). "PPP-Completeness with Connections to Cryptography". Proc. of 59th Symposium on Foundations of Computer Science. pp. 148–158. arXiv:1808.06407. doi:10.1109/FOCS.2018.00023.
5. Emil Jeřábek (2016). "Integer factoring and modular square roots". Journal of Computer and System Sciences. 82 (2): 380–394. arXiv:1207.5220. doi:10.1016/j.jcss.2015.08.001.