## Abstract

A permuted puzzle problem is defined by a pair of distributions D_{0},D_{1} over (formula presented). The problem is to distinguish samples from D_{0},D_{1}, where the symbols of each sample are permuted by a single secret permutation p of [n]. The conjectured hardness of specific instances of permuted puzzle problems was recently used to obtain the first candidate constructions of Doubly Efficient Private Information Retrieval (DE-PIR) (Boyle et al. & Canetti et al., TCC’17). Roughly, in these works the distributions D_{0},D_{1} over (formula presented) are evaluations of either a moderately low-degree polynomial or a random function. This new conjecture seems to be quite powerful, and is the foundation for the first DE-PIR candidates, almost two decades after the question was first posed by Beimel et al. (CRYPTO’00). However, while permuted puzzles are a natural and general class of problems, their hardness is still poorly understood.

We initiate a formal investigation of the cryptographic hardness of permuted puzzle problems. Our contributions lie in three main directions:

- Rigorous formalization. We formalize a notion of permuted puzzle distinguishing problems, extending and generalizing the proposed permuted puzzle framework of Boyle et al. (TCC’17).
- Identifying hard permuted puzzles. We identify natural examples in which a one-time permutation provably creates cryptographic hardness, based on “standard” assumptions. In these examples, the original distributions (formula presented) are easily distinguishable, but the permuted puzzle distinguishing problem is computationally hard. We provide such constructions in the random oracle model, and in the plain model under the Decisional Diffie-Hellman (DDH) assumption. We additionally observe that the Learning Parity with Noise (LPN) assumption itself can be cast as a permuted puzzle.
- Partial lower bound for the DE-PIR problem. We make progress towards better understanding the permuted puzzles underlying the DE-PIR constructions, by showing that a toy version of the problem, introduced by Boyle et al. (TCC’17), withstands a rich class of attacks, namely those that distinguish solely via statistical queries.

Original language | English |
---|---|
Title of host publication | Theory of Cryptography - 17th International Conference, TCC 2019, Proceedings |
Editors | Dennis Hofheinz, Alon Rosen |
Publisher | Springer |
Pages | 465-493 |
Number of pages | 29 |
ISBN (Print) | 9783030360320 |
DOIs | |
State | Published - 2019 |
Externally published | Yes |
Event | 17th International Conference on Theory of Cryptography, TCC 2019 - Nuremberg, Germany. Duration: 1 Dec 2019 → 5 Dec 2019 |

### Publication series

Name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
---|---|
Volume | 11892 LNCS |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |

### Conference

Conference | 17th International Conference on Theory of Cryptography, TCC 2019 |
---|---|
Country/Territory | Germany |
City | Nuremberg |
Period | 1/12/19 → 5/12/19 |

### Bibliographical note

Publisher Copyright: © 2019, International Association for Cryptologic Research.