Hardness of Range Avoidance and Remote Point for Restricted Circuits via Cryptography

A recent line of research has introduced a systematic approach to exploring the complexity of explicit construction problems through the use of meta-problems, namely, the range avoidance problem (abbrev. Avoid) and the remote point problem (abbrev. ). The upper and lower bounds for these meta-problems provide a unified perspective on the complexity of specific explicit construction problems that were previously studied independently. An interesting question largely unaddressed by previous works is whether we can show hardness of Avoid and RPP for simple circuits, such as low-depth circuits. In this paper, we demonstrate, under plausible cryptographic assumptions, that both the range avoidance problem and the remote point problem cannot be efficiently solved by nondeterministic search algorithms, even when the input circuits are as simple as constant-depth circuits. This extends a hardness result established by Ilango, Li, and Williams (STOC'23) against deterministic algorithms, which employs witness encryption for NP and where the inputs to Avoid are general Boolean circuits. Our primary technical contribution is a novel construction of witness encryption, inspired by public-key encryption, for a certain promise language in NP that is unlikely to be NP-complete. We introduce a generic approach to transform a public-key encryption scheme with particular properties into a witness encryption scheme for a promise language related to the initial public-key encryption scheme. Based on this translation and variants of standard lattice-based or coding-based PKE schemes, we obtain, under plausible assumptions, a provably secure witness encryption scheme for some promise language in NP \ coNP/poly.
Additionally, we show that our constructions of witness encryption are plausibly secure against nondeterministic adversaries under a generalized notion of security in the spirit of Rudich’s super-bits (RANDOM’97), which is crucial for demonstrating the hardness of Avoid and RPP against nondeterministic algorithms.


INTRODUCTION
Proving explicit lower bounds against concrete computation models is a central problem in complexity theory. While exponential lower bounds have been shown for weak models such as AC 0 circuits [2,19,27,58] or AC 0 [ ] circuits for prime [43,50], it remains open to construct an explicit function, say in NP, that requires general circuits of size 10 [18, 41], or to construct a function in NEXP that cannot be computed by polynomial-size general circuits. This stands in sharp contrast to the fact that a random Boolean function requires 2 0.1 size to compute with high probability [49].
The study of circuit lower bounds is not the only example where a random object enjoys certain properties with high probability, yet the explicit construction of such objects is unknown. For instance, it is not clear how to construct Ramsey graphs (i.e. graphs with neither large cliques nor large independent sets, see [17]) or rigid matrices (i.e. matrices far in Hamming distance from every low-rank matrix, see [54]) in deterministic polynomial time. This motivates a systematic investigation of the computational complexity of explicit construction problems.

Background: Range Avoidance and Remote Point Problem
A recent line of works [15,20,26,30,35,37,38,47] established a promising paradigm towards understanding the complexity of explicit construction problems via meta-problems, such as the range avoidance problem.
The range avoidance problem is a typical explicit construction problem in the sense that a random string is a correct answer with probability 1 − 2 − ≥ 1/2, whereas there is no obvious deterministic polynomial-time algorithm that solves it. Moreover, Korten [37] presented simple reductions from many explicit construction problems, including circuit lower bounds, Ramsey graphs, and rigid matrices, to the range avoidance problem. This established the central position of the range avoidance problem in the study of explicit construction problems.
• On the algorithmic side, a deterministic algorithm (e.g. an FP or FP NP algorithm) for the range avoidance problem implies deterministic solutions to a large number of concrete explicit construction problems. For instance, Korten [37] proved that Avoid ∈ FP NP if and only if E NP requires Boolean circuits of size 2 Ω ( ) , which (assuming circuit lower bounds) provides a systematic approach to solving explicit construction problems with an NP oracle.
• On the hardness side, the intractability of Avoid can be interpreted as a barrier to achieving unconditional solutions to concrete explicit construction problems. For instance, Ilango, Li, and Williams [30] proved that Avoid ∉ FP assuming plausible cryptographic assumptions, which suggests that one cannot hope to design a polynomial-time explicit construction algorithm using techniques that are general enough to solve the range avoidance problem.
Range avoidance for restricted circuits. Following the paradigm in circuit lower bounds, it is natural to consider a variant of the range avoidance problem where each output bit of the circuit is in a restricted circuit class . This problem, denoted by -Avoid, was formally introduced by Ren, Santhanam, and Wang [47], who proved that NC 1 -Avoid can be reduced to NC 0 -Avoid using randomized encoding [6]. Based on this result, subsequent papers [20,26] proved that several natural explicit construction problems, such as finding rigid matrices and near-optimal binary linear codes, can be reduced to NC 0 -Avoid. This shows that the range avoidance problem can already be very useful for weak circuit classes such as NC 0 .
Another reason to study range avoidance for restricted circuits is that we can obtain unconditional upper bounds using the techniques for proving unconditional circuit lower bounds. Ren, Santhanam, and Wang [47] proposed an approach to solve -Avoid in FP NP by generalizing Williams' algorithmic approach in circuit lower bounds (see, e.g., [55,57]). A subsequent work [15] improved the framework and proved that ACC 0 -Avoid with quasi-polynomial stretch can be solved in FP NP , which yields the best known almost-everywhere lower bound against ACC 0 [13] as an easy corollary.
Example 1.2. Upper bounds for Avoid can be considered as a natural generalization of circuit lower bounds. By a folklore view of circuit lower bounds, an almost-everywhere lower bound for E NP against circuits is equivalent to an FP NP algorithm for the problem -Hard: Given 1 , generate any string of length that is not the truth-table of any small -circuit. For a good circuit class , an FP NP algorithm for -Avoid implies an FP NP algorithm for -Hard by fixing the input circuit of -Avoid to be the truth-table generator for circuits, which takes a -circuit as its input and outputs its truth-table (see, e.g., [15,37,47]).
Remote point problem. An important variant of the range avoidance problem is the remote point problem, formally defined as follows.
By the Chernoff bound, we know that when ≤ 1/2 − / for some constant , most of the strings ∈ {0, 1} are correct answers. Similar to Avoid, we can define -RPP as the special case where the input circuit is a circuit. Moreover, by fixing the input circuit to be the truth-table generator in Example 1.2, we can show that a deterministic algorithm for -RPP implies an almost-everywhere average-case circuit lower bound against circuits (also see [15]).
The special case XOR-Remote (i.e. the circuit is a GF(2)-linear function) has been studied by Alon, Panigrahy, and Yekhanin [5] as an intermediate step towards the construction of rigid matrices. They designed a non-trivial algorithm for very weak parameters. Arvind and Srinivasan [7] proved that XOR-Remote ∈ FP implies "help function lower bounds", a generalization of circuit lower bounds. The result of [15] on Avoid also generalizes to Remote. In particular, they proved that ACC 0 -Remote with quasi-polynomial stretch and = 1/2 − 1/quasi-poly( ) can be solved in FP NP , which implies the best known almost-everywhere average-case ACC 0 lower bound.
An intriguing aspect of the problem is that there is no clear intuition on what the ground truth should be [30,47]. On the one hand, for some specific explicit construction problems such as rigid matrices [11] and ACC 0 circuit lower bounds [14,56,57], we have unconditional nondeterministic search algorithms. On the other hand, however, existing algorithmic results for range avoidance [15,37,38,47] in FP NP rely crucially on adaptive access to the NP oracle.
To go a step further, we may also consider the complexity of -Avoid and -RPP for restricted circuit classes .
Problem 1.5. Prove complexity upper bounds and lower bounds of -Avoid or -RPP for restricted circuit classes (e.g., = depth-2 ACC 0 ) with respect to FP and SearchNP under plausible assumptions.
Proof complexity generators.The hardness of range avoidance against nondeterministic algorithms is closely related to the concept of proof complexity generators (see [39,40] and the references therein) in proof complexity, as observed in [47].
Let be a propositional proof system. A proof complexity generator is a family of functions = { : {0, 1} → {0, 1} } ∈N computable by polynomial-sized circuits, where > , such that the statement ∉ Range( ), when encoded as a Boolean formula with variables, has no poly( )-sized proof in , for any fixed ∈ {0, 1} . Proof complexity generators provide a systematic approach to attacking strong proof complexity lower bounds as well as NP ≠ coNP.
Strong proof complexity generators are known to exist unconditionally against weak proof systems such as AC 0 -Frege [34]. For strong proof systems such as Frege or Extended Frege, Razborov [44] and Krajíček [40] proposed several candidate proof complexity generators; indeed, Krajíček [39] further conjectured that there is a proof complexity generator that fools every proof system. The construction of proof complexity generators from standard complexity-theoretic assumptions remains an important open problem (see the discussion in [39]).
Theorem 1.6 ([47]). Avoid ∉ i.o.SearchNP if and only if for every propositional proof system, there is a propositional proof complexity generator fooling it.
This reduces the task of constructing strong proof complexity generators to the hardness of Avoid.Moreover, the lower bound for -Avoid in Problem 1.5 will imply a proof complexity generator computable by circuits.

Our Results
The main focus of the paper is to extend our understanding of Problems 1.4 and 1.5. We show the hardness of these problems against deterministic algorithms for restricted circuit classes under variants of standard cryptographic assumptions. Moreover, by strengthening the assumptions, we prove that the problems above cannot be solved efficiently even by nondeterministic algorithms.
Hardness for range avoidance. Our first result is that the range avoidance problem is hard even for very simple circuits under variants of standard lattice assumptions, learning with errors (LWE) and inhomogeneous short integer solution (ISIS), formally stated as follows.
The first bullet states the LWE assumption against an adaptive adversary, in the sense that after revealing the query matrix ( | ), the adversary can choose a non-uniform circuit to attack LWE given the outcome ( + , ⟨ , ⟩) of the query. This assumption is stronger than standard LWE as the choosing phase can be computationally unbounded; nevertheless, the security is still plausible as far as we know. The second bullet states that ISIS is hard on average to approximate against nondeterministic adversaries, which is closely related to the notion of demi-bits [48,52] and natural proofs [45]. Also, note that the function Ext in the second bullet can be any standard approach to encode sparse vectors; specifically, we will choose a simple encoding that can be implemented in a single layer of AND gates. We also verify that both assumptions are secure under known attacks (see the full version of the paper).
The circuit class we will consider is a depth-3 class called DOR • EMAJ • Ext, where:
• DOR stands for a disjoint OR gate, that is, an unbounded fan-in Boolean OR gate with a semantic guarantee that at most one of its input wires is 1.
• EMAJ stands for an exact majority gate, which outputs 1 if and only if exactly one half of its input wires are 1.
• Ext stands for the function Ext in the second bullet of the assumption, which could be a layer of AND gates.
Formally, a (single-output) DOR • EMAJ • Ext circuit has a DOR gate on top of several EMAJ gates, whose input wires connect to the output of the function Ext.The size of the circuit is measured by the number of wires inside of it.
In particular, if Ext is implemented by a layer of AND gates, the theorem implies that the range avoidance problem is hard even for depth-3 TC 0 circuits.
The benefit of using the coding-based conjecture is to reduce the circuit complexity in the hardness result. We will consider the remote point problem for XOR • Ext circuits, which consist of an XOR gate on top, whose input wires come from the output of Ext.
In particular, we can implement Ext by AND gates of (log ) fan-in, so that each output bit is simply a degree-(log ) polynomial over GF(2).
Theorem 1.10. Under Assumption 1.9, (XOR • Ext)-RPP Ω (1) cannot be solved by polynomial-size circuits on any sufficiently large input length.
Note that if the decoder of an asymptotically good error-correcting code can be implemented in circuit class , then -RPP Ω (1) can be reduced to ( • )-Avoid (see, e.g., [15]). However, since we do not have a super-efficient decoder, it is unknown whether the conclusion of Theorem 1.8 implies that of Theorem 1.10.
Hardness against nondeterministic algorithms. An appealing feature of Theorems 1.8 and 1.10 is that they can be strengthened to show the hardness of range avoidance and remote point against nondeterministic algorithms.
A nondeterministic search algorithm, or SearchNP algorithm, is a nondeterministic Turing machine that outputs a string on each of its accepting states. It is said to solve a total search problem if, for every input , there is an accepting computation path for ( ), and every accepting computation path for ( ) outputs a correct answer to the search problem on input . A non-uniform SearchNP algorithm is a SearchNP algorithm together with non-uniform advice of length poly( ) on each input length .
Theorem 1.11. (DOR • EMAJ • Ext)-Avoid cannot be solved by any polynomial-time non-uniform SearchNP algorithm on any sufficiently large input length, under Assumption 1.7 with the first bullet replaced by the following stronger assumption:
• (LWE against adaptive nondeterministic adversary). For at least a 2/3 fraction of matrices ∈ Z × , there exists • vectors ∈ Z such that for every polynomial-size nondeterministic circuit , where ← U (Z ), ∈ Z is uniformly random over strings satisfying ∥ ∥ ∞ = .
The assumption states that LWE is secure against an adaptive adversary even if it can choose a nondeterministic circuit, in the sense that it cannot accept uniformly random inputs sufficiently more often than LWE samples. This is equivalent to saying that the LWE function , ( , ) := ( + , ⟨ , ⟩) is a super-bits generator as defined by Rudich [48]. Note that the absence of the absolute value over the subtraction in Equation (1), which occurs in the standard definition of indistinguishability, is necessary, as the following simple nondeterministic algorithm accepts LWE samples much more often than the uniform distribution:
• Given the input ( , ) ∈ Z × Z , it guesses ∈ Z and ∈ Z , and accepts if = + , = ⟨ , ⟩, and ∥ ∥ ∞ = .
Although these assumptions could be much stronger than the first bullets of Assumptions 1.7 and 1.9, the parameter regime that we are considering is still plausible as far as we can see. In particular, we show that there is a large gap between the parameter regime we need and the one that can be broken using seed-guessing, linear-algebraic attacks, and geometric attacks (i.e. the nondeterministic algorithm for GapCVP [1,23]).
Witness encryption for problems in NP \ coNP. The hardness results for Avoid of Ilango, Li, and Williams [30] are based on NP ≠ coNP and witness encryption for NP. Although witness encryption is considered to be a plausible cryptographic primitive, all known candidates [9,10,16,21,32,33,51,53] are too complicated for us to generalize the results in [30] to restricted circuit classes and hardness against nondeterminism.
One of our main technical tools is a new construction of witness encryption for a promise problem in NP that is plausibly not in coNP /poly , which admits all properties required for the hardness result in [30]. An appealing feature of our construction is its simplicity: we define a promise language in NP based on variants of existing public-key encryption schemes [3,4,46] 1 , and the encryption and decryption algorithms are simply those of the public-key encryption scheme.
Theorem 1.13. Under Assumption 1.7 or Assumption 1.9, there is a promise language = ( YES , NO ) in NP /poly \ coNP /poly that admits a sub-exponentially secure witness encryption satisfying the following properties.
• (Succinct proofs). Let be the input length, = ( ) be the proof length, and = ( ) = 2 − Ω (1) be the maximum advantage that polynomial-size adversaries can obtain in breaking the witness encryption. Then = (ln( −1 )). Namely, the proof length is succinct compared to the security level of the witness encryption.
• (Efficient decryption). The decryption circuit Dec(ct, , •), which decrypts a hardwired ciphertext ct given the proof for a hardwired input ∈ YES , can be implemented in weak circuit classes (i.e. DOR • EMAJ • Ext under Assumption 1.7 and XOR • Ext under Assumption 1.9).
• (Security against nondeterminism). If, in addition, the first bullet of Assumption 1.7 or 1.9 satisfies the stronger notion of "adaptive security against nondeterministic adversary" (see Theorems 1.11 and 1.12), then the witness encryption is secure against nondeterministic adversaries in the following sense:
– There is a polynomial-time randomized algorithm (called a simulator) such that for every ∈ NO , every message ∈ {0, 1}, and every -size nondeterministic adversary Adv, where = ( ) = poly( ) and = ( ) = 2 − Ω (1) .
• (Decryption error). The decryption of the witness encryption scheme is perfectly correct under Assumption 1.7, and −Ω (1) under Assumption 1.9.
1 It might be confusing why we can obtain hard languages plausibly not in coNP from these encryption schemes, as the hard problems underlying [3,46] are known to be in NP ∩ coNP [1,23]. Intuitively, we avoid this attack and plausibly avoid all similar attacks by introducing an additional assumption (i.e. GapISIS, see Assumption 1.7) so that we can set the parameters beyond the capacity of the leftover hash lemma [31]. More details can be found in Section 1.5.
Our construction is completely different from existing ones such as GGH encoding [16,53], affine determinant programs [10], the generic group model [9], and indistinguishability obfuscation (see, e.g., [32,33]), and is surprisingly simple. Intuitively, our construction relies on the observation that a public-key encryption scheme, whose hardness relies on a hard problem called its PKE problem, can be viewed as the witness encryption of its PKE problem (see Section 1.5 for more details). As a drawback, we can only construct witness encryption for a special hard language instead of all languages in NP.

Related Works
Hardness of range avoidance. Our results are based on the general connection between witness encryption and the hardness of range avoidance developed by Ilango, Li, and Williams [30]. They proved that, assuming sub-exponentially secure witness encryption for NP with perfect correctness and NP ≠ coNP, range avoidance is hard against polynomial-time deterministic algorithms. We strengthen their results in several dimensions: we establish a connection between the remote point problem and witness encryption with imperfect correctness, generalize their results to hardness against SearchNP, and provide concrete witness encryption constructions that imply the hardness of range avoidance and remote point problems for restricted circuits.
Cryptography against nondeterminism. Rudich [48] introduced the notions of demi-bits and super-bits generators as generalizations of pseudorandom generators against nondeterministic adversaries, with the application of ruling out NP /poly natural proofs for circuit lower bounds. Demi-bits generators are weaker than super-bits, with the drawback of losing some properties of PRGs such as stretching from → + 1 bit generators to → 2 bit generators (see [52] for a detailed discussion). Our definitions for PKE and WE against nondeterminism are inspired by Rudich's definition and the standard simulation paradigm in cryptography. Our assumptions can be interpreted as new candidates for demi-bits and super-bits generators based on lattice and coding problems.
Concrete cryptographic candidates and complexity theory. Our hardness proofs for Avoid and RPP utilize specific PKE constructions from lattice [3,46] and coding problems [4]. Indeed, there are several other examples of concrete cryptographic constructions having applications at the frontier of complexity theory: Hirahara's proof of the NP-hardness of PartialMCSP [28] utilized secret-sharing schemes and private-key encryption; Huang, Ilango, and Ren [29] proved the NP-hardness of meta-complexity problems unconditionally based on a construction of witness encryption in the generic group model; the proof of Chen et al. [12] for pseudodeterministic constructions of primes relies on the Goldreich-Levin construction of PRGs from OWPs [24]. These results emphasize that cryptographic constructions can be used in complexity theory not only as assumptions in a black-box fashion but also as a tool to connect different notions of hardness.

Technical Overview
Now we briefly explain the proofs of our results and highlight the main technical challenges.
A generalization of [30]. Our results build on the hardness result for the range avoidance problem by Ilango, Li, and Williams [30]. They proved that Avoid ∉ FP assuming NP ≠ coNP and the existence of a sub-exponentially secure, perfectly correct witness encryption for SAT. Intuitively, their proof follows the intuition that a deterministic algorithm for Avoid can not only search for a solution (i.e., a string outside of the range of the input circuit) but also certify the correctness of the solution, which leads to an efficient proof system for UNSAT and therefore NP = coNP. Now we explain their technique more formally. Let (Enc, Dec) be a witness encryption scheme for SAT. The proof system for UNSAT works as follows. For a formula over variables, the proof system accepts if and only if there is a string ∈ {0, 1} and a random tape ∈ {0, 1} poly( ) for the witness encryption scheme such that Avoid(Dec(Enc( , ; ), •)) = .
In other words, the proof system accepts if there is a message and a random tape such that:
• Let ct be the encryption of on the statement ∈ SAT using the randomness .
• Let Dec(ct, , •) be the circuit that takes a witness of ∈ SAT (i.e. a satisfying assignment ∈ {0, 1} ) as input and decrypts the hard-wired ciphertext ct.
• The proof system accepts the proof ( , ) if and only if the range avoidance algorithm says that is outside of the range of the circuit Dec(ct, , •).
It is easy to see that the correctness of the decryption algorithm ensures that if is satisfiable, then the proof system will always reject; that is, the proof system is sound. Indeed, the completeness can also be proved using the security property of the witness encryption scheme.
With a closer inspection of their proof, it is easy to verify that if the decryption algorithm of the witness encryption scheme can be implemented in a restricted circuit class, say ACC 0 , then the hardness result works for ACC 0 -Avoid. Also, it is not necessary to have witness encryption schemes for all NP languages; instead, it suffices to have any particular language ∈ NP /poly \ coNP /poly with a secure witness encryption scheme. Moreover, we generalize their results in two dimensions.
• We prove that if, instead of the range avoidance problem, we have an algorithm for the remote point problem, we can design a similar proof system for UNSAT even if the decryption algorithm Dec has a small decryption error. This allows us to obtain the hardness of the remote point problem (or -RPP) from a witness encryption scheme with imperfect correctness.
• We define the security of witness encryption against nondeterministic adversaries (see Theorem 1.13), and prove that assuming such strong security of the witness encryption, we obtain the stronger consequence that the range avoidance problem or remote point problem is not in SearchNP.
Lemma 1.14. The range avoidance problem cannot be solved in deterministic polynomial time if there is a promise language ∈ NP /poly \ coNP /poly that admits a subexponentially secure and perfectly correct witness encryption scheme. Moreover:
• If the decryption algorithm has a constant decryption error instead of being perfectly correct, then the hardness result still holds for the remote point problem.
• If the decryption algorithm of the witness encryption scheme can be implemented by circuits, for any typical circuit class , then the hardness result holds for -Avoid (or -RPP if the decryption algorithm is not perfectly correct).
• If the witness encryption scheme is secure against nondeterministic adversaries, then the range avoidance problem (or the remote point problem, -Avoid, -RPP as discussed above) cannot be solved by SearchNP algorithms.
Witness encryption inspired by PKE. With Lemma 1.14, we can reduce the hardness of the range avoidance or remote point problems to the construction of witness encryption schemes, preferably with low decryption complexity and security against nondeterminism. However, there is no known candidate witness encryption whose decryption can be implemented in bounded-depth circuits, say AC 0 [2], and it is not clear whether existing candidates [9,10,16,32,33,53] are secure against nondeterministic adversaries. Indeed, proposing a simple candidate witness encryption for NP is a long-standing open problem, and it is probably hard to solve, as many advanced cryptographic primitives including identity-based encryption (IBE) and attribute-based encryption (ABE) can be derived from witness encryption [21].
Our result relies on the observation that many public-key encryption schemes can be translated into witness encryption schemes for some hard problems that are probably not NP-complete. This is sufficient for our purpose, as Lemma 1.14 works with the witness encryption of any promise language in NP /poly \ coNP /poly , and it does not necessarily imply witness encryption schemes for all NP languages.
The translation works with a class of public-key encryption schemes called PKEs with pseudorandom public keys ( PKE for short). Let ℓ be the length of the public keys. A PKE scheme (Enc, Dec, Gen) is said to be a PKE if there is a distribution D supported over {0, 1} ℓ , called the "ideal distribution" for the public key, such that the following properties hold.
The PKE problem of the scheme is the task of distinguishing between the "ideal world", i.e. ← D, and the "real world", i.e. the actual public key pk. This property states that these two distributions (i.e. the ideal world and the real world) are computationally indistinguishable.
• (Security in Ideal World). This property states that the encryption scheme is secure when the public key is drawn from the ideal distribution D. That is, Enc(D, 0) and Enc(D, 1) are computationally indistinguishable.

• (Verifiable Public Key). There is an NP proof system that verifies the public key with the secret key, i.e., it accepts pk if and only if the witness is a possible secret key for pk.
The notion of PKE is a generalization of a model known as meaningful/meaningless encryption [36] or dual-mode cryptosystem [42], in which the encryption is statistically secure in the ideal world. Indeed, it is easy to verify that many standard public-key encryption schemes (such as Regev's lattice-based PKE [46] and the Goldwasser-Micali cryptosystem from the hardness of quadratic residuosity [25]) are PKEs.
The intuition behind the translation is that, if we are given a PKE scheme (Enc, Dec, Gen), then the PKE problem yields a hard problem that admits a witness encryption scheme. Ideally, we want to define the following promise problem = (Π YES ℓ , Π NO ℓ ) where
• Π YES ℓ consists of all valid public keys of length ℓ;
• Π NO ℓ consists of all strings such that Enc( , 0) and Enc( , 1), the distributions of ciphertexts over the internal randomness of Enc( , •), are computationally indistinguishable.
This language is clearly in NP according to the verifiability of the public keys. Moreover, the encryption and decryption of the PKE scheme form a correct and secure witness encryption for , where the security condition is encoded in the definition of Π NO ℓ . The only problem is that the hardness of , say ∉ P /poly , does not follow from the standard hardness of the PKE problem.
To address this issue, we introduce the following stronger notion of hardness for the PKE problem, called adaptive hardness.
• (Adaptive Hardness of PKE Problem). Let (pk, sk) ← Gen be the keys. The PKE problem is said to be hard against adaptive adversaries if, when we sample ← D, then with high probability Enc( , 0) and Enc( , 1) are computationally indistinguishable against any non-uniform adversary. In other words, Enc(D, 0) and Enc(D, 1) are indistinguishable even if the adversary can choose the attacking algorithm after it observes the ideal public key ← D, and the choosing phase can be computationally unbounded.
Therefore we can conclude the following.
Theorem 1.15. Assume that there is a PKE scheme with adaptive hardness of its PKE problem. Then there is a language ∈ NP \ P /poly that admits a secure witness encryption scheme. Moreover, the decryption algorithm of the witness encryption scheme is exactly the decryption algorithm of the original PKE.
Indeed, we can also strengthen the hardness of the PKE problem and the security of the PKE to the nondeterministic adversary model to obtain a language in NP \ coNP /poly that admits a witness encryption secure against nondeterministic adversaries.
Instantiation. To prove the hardness of the range avoidance and remote point problems from plausible cryptographic assumptions, it remains to design a PKE scheme and compile it into a witness encryption by Theorem 1.15 that satisfies the requirements of Lemma 1.14. Since Lemma 1.14 requires security against nondeterministic adversaries, the PKE candidates based on trapdoor one-way permutations or the hardness of discrete logarithm (e.g., RSA and ElGamal) do not work, as they are inherently in NP ∩ coNP.
The starting point of our instantiation is the standard lattice-based PKE scheme known as dual Regev, introduced by Gentry, Peikert, and Vaikuntanathan [22], which is a variant of Regev's public-key encryption from LWE [46]. Let be the security parameter, = poly( ), = ( log ), and Ψ and be error distributions supported over Z (e.g., Gaussian over Z or uniformly random 0-1 vectors). The PKE scheme is as follows.
• (Key generation). Let ← Z × be a random matrix, and = mod ∈ Z for ← Ψ. The public key is ( , ) ∈ Z × × Z , and the secret key is .
In standard settings (see, e.g., [42]), one can choose Ψ and to be Gaussian distributions with certain parameters so that the distribution of the public key ( , = ) is statistically close to the uniform distribution, and therefore the security follows from the hardness of LWE.To achieve this, the entropy of the distribution Ψ should be su ciently high so that the leftover hash lemma can be applied.We can then interpret this scheme as a PKE scheme as follows.
• (Ideal Distribution). Let the ideal distribution D be the uniform distribution over Z × × Z .
• (Hardness of PKE Problem). The PKE problem is to distinguish the ideal public key distribution D and the real public key distribution ( , = ) ∈ Z × × Z , where ← Ψ. In standard settings, these two distributions are statistically close.
• (Security in Ideal World). This property means that Enc(D, 0) is indistinguishable from Enc(D, 1). By unwinding the construction, we can see that this is exactly the LWE assumption.
• (Verifiable Public Key). This is obvious: given the secret key , it is easy to verify that ( , ) is a corresponding public key by checking = mod .
We cannot put this scheme into Lemma 1.14 directly to obtain a hard language that admits a witness encryption scheme, for several technical reasons. Firstly, the scheme is not adaptively secure: for most of the ideal public keys ( , ) ← D, there is some over the typical set of the error distribution Ψ such that = mod , i.e., most ideal public keys are real public keys! This is inevitable, as otherwise the ideal and real public key distributions cannot be statistically close. Therefore, an adaptive adversary can compute the secret key after observing the ideal public key in the unbounded choosing phase and use it to break the scheme easily. Moreover, the encryption scheme is not secure against nondeterministic adversaries, as LWE in the standard parameter setting is known to be in NP ∩ coNP/poly (see [1,23]). Furthermore, there is a subtle issue that the security in the ideal world, which corresponds to the security of the witness encryption scheme, is not strong enough with respect to the length of the secret key to obtain non-trivial hardness results for the range avoidance or remote point problem.
Fortunately, we can resolve all three technical problems with a simple trick. We reduce the entropy of the distribution Ψ for the public key generation to the extent that the real public key distribution ( , = ) for ← Ψ is statistically far from uniformly random. Therefore, the ideal public keys are no longer real public keys, which allows us to plausibly conjecture security against adaptive adversaries. Correspondingly, we increase the entropy of the noise distribution for LWE so that it is plausibly not in NP ∩ coNP/poly. These adjustments maintain the correctness of the decryption algorithm as long as E[⟨ , ⟩] ≪ /2 for ← Ψ and ← . For security, we need the two hardness assumptions listed below rather than one, as the hardness of the PKE problem no longer follows from the leftover hash lemma.
• To show that the encryption is secure in the ideal world, we need to assume that the LWE distribution ( + , ⟨ , ⟩) ∈ Z ×Z for ← Z and ← and the uniform distribution are indistinguishable against (nondeterministic) adaptive adversaries. That is, for ← Z × , ← Ψ, and = , with high probability there is no non-uniform (nondeterministic) algorithm that accepts the uniform distribution sufficiently more often than the LWE distribution. (Hardness against nondeterministic algorithms is needed to obtain witness encryption secure against nondeterminism.) This is exactly the first bullet of Assumption 1.7 and is a variant of the standard LWE assumption.
• To show that the PKE problem is hard, we need to assume that ( , = ) ∈ Z × × Z for ← Ψ and the uniform distribution are indistinguishable against nondeterministic algorithms, in the sense that there is no efficient nondeterministic algorithm that accepts the uniform distribution with decent probability and rejects ( , = ) with probability 1. This corresponds to the second bullet of Assumption and is a variant of the standard Short Integer Solution assumption.
Moreover, since the security in the ideal world is parameterized by the entropy of Ψ, which can be much larger than the length of the secret key, this trick also solves the third technical issue. This leads to the witness encryption construction in Theorem 1.13 from Assumption 1.7. Similarly, we can apply the same trick to Alekhnovich's PKE scheme [4], which is essentially a binary analog of Regev's PKE scheme [46], to obtain the witness encryption in Theorem 1.13 from Assumption 1.9.
Note that although we state our results in terms of LWE with the ℓ∞-norm (see Theorem 1.13 and Assumption 1.7), the same construction still works and is still plausibly secure for other natural norms, say ℓ1 or ℓ2. We choose ℓ∞ because it reduces the circuit complexity of the decryption circuits and achieves perfect correctness for decryption, which leads to stronger hardness results for the range avoidance problem.
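To make the dual Regev scheme and the two properties used above (verifiable public keys and perfect correctness under an ℓ∞ noise bound) concrete, here is a toy instantiation. This is an added example, not code from the paper or from [22]; the symbol names A, e, u, s, x, x' and b are our own choice, since the paper's notation did not survive extraction, and the parameters are tiny, chosen only so that decryption is always correct, not for security.

```python
import random

# Toy dual Regev PKE (assumed notation: public key (A, u) with u = A·e mod q,
# secret key e ∈ {0,1}^m, ciphertext (A^T s + x, <u, s> + x' + b·floor(q/2))).
Q = 2 ** 16   # modulus q
N = 8         # LWE dimension n (secret s lives in Z_q^n)
M = 64        # number of columns m (secret key e is an m-bit 0-1 vector)
BETA = 100    # ℓ∞ bound on every coordinate of the encryption noise x, x'


def max_decryption_noise():
    """Worst-case |x' - <e, x>| for binary e and ℓ∞-bounded noise."""
    return (M + 1) * BETA


# Perfect correctness: the decryption noise must stay strictly below q/4,
# so the two messages b·floor(q/2) + noise never overlap.
assert max_decryption_noise() < Q // 4


def keygen(rng):
    """Public key (A, u) with u = A·e mod q; secret key e ← Ψ (uniform 0-1 vector)."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    e = [rng.randrange(2) for _ in range(M)]
    u = [sum(A[i][j] * e[j] for j in range(M)) % Q for i in range(N)]
    return (A, u), e


def verify_public_key(pk, sk):
    """The 'verifiable public key' property: check u == A·e mod q given e."""
    A, u = pk
    return all(sum(A[i][j] * sk[j] for j in range(M)) % Q == u[i] for i in range(N))


def encrypt(pk, bit, rng):
    """Encrypt one bit: c1 = A^T s + x, c2 = <u, s> + x' + bit·floor(q/2) (mod q)."""
    A, u = pk
    s = [rng.randrange(Q) for _ in range(N)]
    x = [rng.randint(-BETA, BETA) for _ in range(M)]   # ℓ∞-bounded noise
    x_prime = rng.randint(-BETA, BETA)
    c1 = [(sum(A[i][j] * s[i] for i in range(N)) + x[j]) % Q for j in range(M)]
    c2 = (sum(u[i] * s[i] for i in range(N)) + x_prime + bit * (Q // 2)) % Q
    return c1, c2


def decrypt(sk, ct):
    """c2 - <e, c1> = bit·floor(q/2) + x' - <e, x>; decode by distance from 0."""
    c1, c2 = ct
    v = (c2 - sum(sk[j] * c1[j] for j in range(M))) % Q
    if v > Q // 2:          # move to the centered representative in (-q/2, q/2]
        v -= Q
    return 1 if abs(v) > Q // 4 else 0


def roundtrip_ok(trials, seed=0):
    """Encrypt/decrypt random bits under a fresh key; True iff every trial decrypts correctly."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    if not verify_public_key(pk, sk):
        return False
    for _ in range(trials):
        b = rng.randrange(2)
        if decrypt(sk, encrypt(pk, b, rng)) != b:
            return False
    return True


def ideal_key_verifies(seed=0):
    """Sample an 'ideal' public key (A, u) with u uniform instead of A·e, and check
    whether the secret key of a real key pair for the same A verifies it."""
    rng = random.Random(seed)
    (A, _), sk = keygen(rng)
    u_ideal = [rng.randrange(Q) for _ in range(N)]   # constructed: uniform, not A·e
    return verify_public_key((A, u_ideal), sk)


if __name__ == "__main__":
    print("all trials decrypt correctly:", roundtrip_ok(200))
    print("ideal key accepted by real secret key:", ideal_key_verifies())
```

The noise bound is what the ℓ∞ choice buys: since e is binary, |⟨e, x⟩| ≤ m·β, so requiring (m + 1)·β < q/4 gives correctness for every key and every ciphertext rather than with high probability. The `ideal_key_verifies` helper illustrates the low-entropy-Ψ regime discussed above: here a uniform u ∈ Z_q^n almost never equals A·e for the given e, so the ideal key is not a real key for that secret.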

Open Problems
Hardness of remote point for XOR circuits. We have shown in Theorem 1.10 that the remote point problem for XOR • AND circuits is hard against nondeterministic algorithms from plausible cryptographic assumptions. However, it is unclear how to strengthen our technique to show the hardness of XOR-RPP when the circuit is as simple as an XOR gate, or equivalently, a linear function over GF(2), which is the original model studied in [5] as an intermediate task towards the construction of rigid matrices. Similarly, it is interesting to explore the hardness of range avoidance for restricted arithmetic circuits, say linear functions over finite fields or low-degree polynomials.
Assumptions independent of concrete structures. In this paper, we show the hardness of the range avoidance and remote point problems against nondeterministic algorithms from lattice-based assumptions and coding-based assumptions, respectively. These assumptions heavily rely on specific algebraic structures such as or GF(2). This seems necessary for hardness against extremely weak circuit models like XOR • AND. However, if we only want to show the hardness of the range avoidance problem for general Boolean circuits against nondeterministic algorithms, it is more desirable to have assumptions that are independent of concrete structures, such as the existence of "mainstream" cryptographic primitives or separations of complexity classes. Note that it might be hard to obtain such hardness results without any cryptographic assumption by improving our current techniques, as it is already a longstanding open problem to have a candidate public-key encryption scheme whose security is independent of concrete structures (see, e.g., [8]).
Cryptographic applications of our results. In this paper we provide two simple candidates of witness encryption for certain promise problems that are not likely to be NP-complete. An important future direction is to further investigate the security of our candidate witness encryption schemes. Another interesting question is: if our witness encryption schemes are secure, would they lead to new cryptographic constructions? Recall from [21] that witness encryption for all NP languages implies public-key encryption, identity-based encryption, attribute-based encryption, and more advanced cryptographic primitives. Although those implications do not necessarily need the full power of NP, they certainly need sufficiently complicated languages, which we do not know how to reduce to the promise problems that our witness encryption schemes can handle. So an interesting direction is finding applications of our witness encryption in designing advanced cryptographic functionalities.

Table 1: Summary of previous and our results for Avoid and RPP. Capability of -Avoid refers to the consequences of there being a deterministic algorithm for -Avoid. Note that our hardness results hold even for Avoid of depth-3 circuits and RPP of depth-2 circuits (see Theorems 1.11 and 1.12 for formal statements).