ronen shaltielsergei artemenko university of haifa
TRANSCRIPT
![Page 1: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/1.jpg)
Lower Bounds on the Query Complexity of Non-Uniform and Adaptive Reductions Showing
Hardness Amplification
Ronen Shaltiel Sergei Artemenko
University of Haifa University of Haifa
![Page 2: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/2.jpg)
Functions That Are Hard on Average
Function g:{0,1}n→{0,1} is p-hard for a family of circuits if for every circuit in this family Prx← Un
[C(x)=g(x)]<p.
Boole
an
Circu
it
g
![Page 3: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/3.jpg)
Circuits fail to compute some inputs
Circuits fail to compute noticeable fraction of inputs
Almost random guessing
Hard on worst case Mildly average-case hardStrongly average-case hard
Hardness Variations
p=1 p=1- δ p= ½ + ε
For simplicity assume δ=¹⁄₁₀
![Page 4: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/4.jpg)
Derandomization, Pseudorandomness [Yao82, BM84, NW94,…]
Cryptographic primitives [Yao82, BM84,…]
Applications of Functions That Are Hard on Average
These applications require functions that are very hard on average p=½+negligible
![Page 5: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/5.jpg)
Hardness Amplification
strongly average-case hard g=Amp(f)
worst case hard for
mildly average-case hard f
Example: Yao’s XOR lemma (δ=¹⁄₁₀)If function f (x) is (1-¹⁄₁₀)-hard for circuits of size at most s, then function g(x1,…,xk)=f(x1)⊕⋯⊕f(xk) is (½+ε)-hard for circuits of size at most s'=s·poly(ε)<s for large enough k, e.g. k=poly(log(¹⁄ε ) ) .
Assumption: f is worst case/mildly average-case hard for circuits of size at most s.Conclusion: g=Amp(f) is strongly average-case hard for circuits of size at most s'.
![Page 6: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/6.jpg)
Hardness Amplification
strongly average-case hard g=Amp(f)
worst case hard for
mildly average-case hard f
Assumption: f is worst case/mildly average-case hard for circuits of size at most s.
Example: Direct product/concatenation lemma (δ=¹⁄₁₀)If a function f (x) is (1-¹⁄₁₀)-hard for circuits of size at most s, then function g(x1,…,xk)=f(x1)∘⋯∘f(xk) is ε-hard for circuits of size at most s'=s·poly(ε)<s for large enough k.
Conclusion: g=Amp(f) is strongly average-case hard for circuits of size at most s'.
![Page 7: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/7.jpg)
Hardness Amplification
In all hardness amplification results in literature target function g=Amp(f) is hard for circuits of size s'<s
(actually, s'≤ε·s). Implies that ε≥¹⁄s .
Problematic in some applications
worst case hard for
mildly average-case hard f
Assumption: f is worst case/mildly average-case hard for circuits of size at most s.Conclusion: g=Amp(f) is strongly average-case hard for circuits of size at most s'.
strongly average-case hard g=Amp(f)
![Page 8: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/8.jpg)
Size Loss
Circuits of size at most s
Circuits of size at most s'
Natural question:Is this size loss necessary?
We will show that size loss is necessary for certain proof techniques.
![Page 9: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/9.jpg)
Proof by Reduction
f is (1-δ)–hard for size s
g is (½+ε)-hard for size s'
∃D of size s' such that Pr[D(y)=g(y)] ≥ ½+ε
∃C of size s such that Pr[C(x)=f(x)] ≥ 1-δ
Proof by reduction: Existence of circuit C is shown by providing a reduction R (an oracle procedure) s.t. C=RD.
iff
![Page 10: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/10.jpg)
“Uniform”: R(·) is an “efficient” oracle TM.
Various Notions of Reductions
Known: These types of reductions cannot prove most hardness amplification results in literature [STV99].
“Non-uniform”: R(·) is a “small” oracle circuit that is also allowed to receive a “short advice string” α as a function of f and more importantly of the oracle D supplied to R.
“Semi-uniform”: R(·) is a “small” oracle circuit.
More precisely: A non-uniform reduction R(·) satisfies:∀D s.t. Pr[D(y)=g(y)]≥½+ε∃α=α(f,D) s.t. Pr[RD(x,α)=f(x)]≥1-δ
Essentially all known hardness amplification results are proven using such reductions
![Page 11: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/11.jpg)
Number of Queries Size Loss
In this work we show that every reduction must make q=Ω (¹⁄ε ) queries.
s'≤ε·s
size loss!
If reduction R makes ≤ q queries to oracle D, then circuit C can be constructed by replacing every oracle gate with circuit D.
s=size(C)≈q·size(D)+size(R)≥q·size(D)=q·s'
![Page 12: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/12.jpg)
Theorem*: Every reduction R(·) must make q=Ω (¹⁄ε ) queries to oracle even if R(·) is non-uniform and adaptive (i.e.,
it makes adaptive queries).*For standard parameters of hardness amplification.
Comparison to [SV10]: [SV10] only handle non-uniform non-adaptive reductions. Our results apply to a more general class of hardness
amplification tasks (non-Boolean g, errorless amplification, “function-specific amplification”).
[SV10] gives a better bound of q=Ω(log(¹⁄δ ) ⁄ε2) for Boolean case. (Our results apply to a more general setup in which there are upper bounds of q=Ω(log(¹⁄δ ) ⁄ε).
Our Results (Informally)
![Page 13: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/13.jpg)
Given functions f,g consider (distribution over) oracles D: With probability 2ε, D(y)=g(y). With probability 1-2ε, D(y) answers a fresh random bit. ⇒ Pr[D(y)=g(y)]≥½+ε (so that RD has to approx. compute f).
Folklore e.g. [R]: A reduction R(·) that makes o(¹⁄ε ) queries is unlikely to get any meaningful information.
Þ RD cannot compute f (even approximately).Þ Contradiction (meaning that # of queries = Ω(¹⁄ε ) ).
Difficulties for general reductions: Non-uniform reductions can use advice string to locate queries y
on which D answers correctly. Furthermore, adaptability may allow a non-uniform reduction to
find “interesting” queries y (based on the adaptive strategy of whether or not previous queries answer).
Something About the Proof
![Page 14: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/14.jpg)
Difficulties for general reductions: Non-uniform reductions can use advice string to locate
queries y on which D answers correctly. Furthermore, adaptability may allow a non-uniform reduction
to find “interesting” queries y (based whether or not previous queries answer).
Our approach: Following [SV10] we show that advice string does not help a
non-adaptive reduction to find queries that answer (except for few queries which we can handle).
For adaptive reductions, consider “hybrid executions” of RD:◦ First t queries are not answered.◦ Remaining q-t queries are answered according to oracle distribution.
Hybrid executions are in some sense non-adaptive (the t+1’st query is known in advance).
We first bound the information that R gets on g in hybrid executions.
Then we show that with high probability real and hybrid executions coincide.
Something About the Proof
![Page 15: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/15.jpg)
Size loss is inherent in reductions showing hardness amplification even in the most general case (non-uniform and adaptive reductions).
Not an impossibility result for hardness amplification: only rules out certain proof techniques.
Limitations apply to essentially all proof techniques in literature. See discussion in paper.
Our lower bounds on # of queries match upper bounds in some (but not all) settings:◦ Direct product lemma with constant δ [KS03].◦ Errorless amplification with constant δ [BS07,W11].
Open: Improve lower bounds to match upper bounds:
◦ For non-constant δ.◦ For Boolean target function.
Can we develop other proof techniques for hardness amplification? (See e.g., [GST05,A06,GT07]).
Conclusion and Open Problems
![Page 16: Ronen ShaltielSergei Artemenko University of Haifa](https://reader038.vdocuments.us/reader038/viewer/2022110116/551b14ff550346f70d8b60fb/html5/thumbnails/16.jpg)
Thank You…