
Published by Adonis Craley. Modified over 2 years ago.

1
Ronen Shaltiel, Sergei Artemenko
University of Haifa

2
Function $g:\{0,1\}^n \to \{0,1\}$ is $p$-hard for a family of circuits if for every circuit $C$ in this family $\Pr_{x \leftarrow U_n}[C(x)=g(x)]$

3
◦ Hard on worst case ($p=1$): circuits fail to compute some inputs.
◦ Mildly average-case hard ($p=1-\delta$): circuits fail to compute a noticeable fraction of inputs.
◦ Strongly average-case hard ($p=\frac12+\varepsilon$): almost random guessing.
For simplicity assume $\delta=\frac{1}{10}$.

4
◦ Derandomization, pseudorandomness [Yao82, BM84, NW94,…]
◦ Cryptographic primitives [Yao82, BM84,…]
These applications require functions that are very hard on average: $p=\frac12+\text{negligible}$

5
$f$: worst-case hard or mildly average-case hard.
$g=\mathrm{Amp}(f)$: strongly average-case hard.
Example: Yao’s XOR lemma ($\delta=\frac{1}{10}$). If function $f(x)$ is $(1-\frac{1}{10})$-hard for circuits of size at most $s$, then function $g(x_1,\dots,x_k)=f(x_1)\oplus\cdots\oplus f(x_k)$ is $(\frac12+\varepsilon)$-hard for circuits of size at most $s'=s\cdot\mathrm{poly}(\varepsilon)$

6
$f$: worst-case hard or mildly average-case hard.
$g=\mathrm{Amp}(f)$: strongly average-case hard.
Assumption: $f$ is worst-case/mildly average-case hard for circuits of size at most $s$.
Example: Direct product/concatenation lemma ($\delta=\frac{1}{10}$). If a function $f(x)$ is $(1-\frac{1}{10})$-hard for circuits of size at most $s$, then function $g(x_1,\dots,x_k)=f(x_1)\circ\cdots\circ f(x_k)$ is $\varepsilon$-hard for circuits of size at most $s'=s\cdot\mathrm{poly}(\varepsilon)$

7
In all hardness amplification results in the literature, the target function $g=\mathrm{Amp}(f)$ is hard for circuits of size $s'$

8
[Figure labels: circuits of size at most $s$; circuits of size at most $s'$]
Natural question: Is this size loss necessary?
We will show that size loss is necessary for certain proof techniques.

9
If $f$ is $(1-\delta)$-hard for size $s$, then $g$ is $(\frac12+\varepsilon)$-hard for size $s'$
iff
if $\exists D$ of size $s'$ such that $\Pr[D(y)=g(y)] \ge \frac12+\varepsilon$, then $\exists C$ of size $s$ such that $\Pr[C(x)=f(x)] \ge 1-\delta$.
Proof by reduction: Existence of circuit $C$ is shown by providing a reduction $R$ (an oracle procedure) s.t. $C=R^D$.

10
“Uniform”: $R^{(\cdot)}$ is an “efficient” oracle TM.
Known: These types of reductions cannot prove most hardness amplification results in the literature [STV99].
“Non-uniform”: $R^{(\cdot)}$ is a “small” oracle circuit that is also allowed to receive a “short advice string” $\alpha$ as a function of $f$ and, more importantly, of the oracle $D$ supplied to $R$.
“Semi-uniform”: $R^{(\cdot)}$ is a “small” oracle circuit.
More precisely: A non-uniform reduction $R^{(\cdot)}$ satisfies: $\forall D$ s.t. $\Pr[D(y)=g(y)] \ge \frac12+\varepsilon$, $\exists \alpha=\alpha(f,D)$ s.t. $\Pr[R^D(x,\alpha)=f(x)] \ge 1-\delta$.
Essentially all known hardness amplification results are proven using such reductions.

11
In this work we show that every reduction must make $q=\Omega(\frac{1}{\varepsilon})$ queries.
$s' \le \varepsilon\cdot s$: size loss!
If reduction $R$ makes $\le q$ queries to oracle $D$, then circuit $C$ can be constructed by replacing every oracle gate with circuit $D$.
$s=\mathrm{size}(C)\approx q\cdot\mathrm{size}(D)+\mathrm{size}(R)\ge q\cdot\mathrm{size}(D)=q\cdot s'$

12
Theorem*: Every reduction $R^{(\cdot)}$ must make $q=\Omega(\frac{1}{\varepsilon})$ queries to the oracle even if $R^{(\cdot)}$ is non-uniform and adaptive (i.e., it makes adaptive queries).
*For standard parameters of hardness amplification.
Comparison to [SV10]:
◦ [SV10] only handle non-uniform non-adaptive reductions.
◦ Our results apply to a more general class of hardness amplification tasks (non-Boolean $g$, errorless amplification, “function-specific amplification”).
◦ [SV10] gives a better bound of $q=\Omega(\frac{\log(1/\delta)}{\varepsilon^2})$ for the Boolean case. (Our results apply to a more general setup in which there are upper bounds of $q=\Omega(\frac{\log(1/\delta)}{\varepsilon})$.)

13
Given functions $f,g$ consider (distribution over) oracles $D$:
◦ With probability $2\varepsilon$, $D(y)=g(y)$.
◦ With probability $1-2\varepsilon$, $D(y)$ answers a fresh random bit.
$\Rightarrow \Pr[D(y)=g(y)] \ge \frac12+\varepsilon$ (so that $R^D$ has to approx. compute $f$).
Folklore, e.g. [R]: A reduction $R^{(\cdot)}$ that makes $o(\frac{1}{\varepsilon})$ queries is unlikely to get any meaningful information.
$R^D$ cannot compute $f$ (even approximately).
Contradiction (meaning that # of queries $=\Omega(\frac{1}{\varepsilon})$).
Difficulties for general reductions:
◦ Non-uniform reductions can use the advice string to locate queries $y$ on which $D$ answers correctly.
◦ Furthermore, adaptivity may allow a non-uniform reduction to find “interesting” queries $y$ (based on the adaptive strategy of whether or not previous queries answer).
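The folklore argument on this slide can be checked numerically. The Python simulation below is an added example, not part of the original slides; it covers only the advice-free case with queries fixed in advance, and the parity function standing in for g, the 64-bit query domain and all function names are assumptions.

```python
import random

def g(y):
    # Constructed stand-in for the target function g: parity of the bits of y.
    return bin(y).count("1") & 1

def sample_oracle(eps, rng):
    """Lazily sample one oracle D from the slide's distribution.

    For each y independently: with probability 2*eps, D(y) = g(y); otherwise
    D(y) is a fresh random bit. Answers are cached so D is a fixed function.
    D returns (bit, informative); the flag exists only for measurement.
    """
    table = {}
    def D(y):
        if y not in table:
            if rng.random() < 2 * eps:
                table[y] = (g(y), True)
            else:
                table[y] = (rng.getrandbits(1), False)
        return table[y]
    return D

def agreement(eps, trials, seed=1):
    """Empirical Pr_y[D(y) = g(y)]; the slide states this is >= 1/2 + eps."""
    rng = random.Random(seed)
    D = sample_oracle(eps, rng)
    ys = [rng.getrandbits(64) for _ in range(trials)]
    return sum(D(y)[0] == g(y) for y in ys) / trials

def informed_fraction(eps, q, runs, seed=2):
    """Fraction of runs in which any of q fixed-in-advance queries got g(y)."""
    rng = random.Random(seed)
    informed = 0
    for _ in range(runs):
        D = sample_oracle(eps, rng)           # fresh oracle per run
        queries = [rng.getrandbits(64) for _ in range(q)]
        informed += any(D(y)[1] for y in queries)
    return informed / runs

def exact_informed(eps, q):
    """1 - (1 - 2*eps)^q, which the union bound caps at 2*eps*q."""
    return 1 - (1 - 2 * eps) ** q

if __name__ == "__main__":
    eps = 0.05                                 # 1/eps = 20
    print("agreement:", agreement(eps, 200_000))
    for q in (1, 2, 20, 200):
        print(q, informed_fraction(eps, q, 2_000), exact_informed(eps, q))
```

With q far below 1/ε most runs see only random bits, while q well above 1/ε almost always hits an informative answer.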

14
Difficulties for general reductions:
◦ Non-uniform reductions can use the advice string to locate queries $y$ on which $D$ answers correctly.
◦ Furthermore, adaptivity may allow a non-uniform reduction to find “interesting” queries $y$ (based on whether or not previous queries answer).
Our approach:
Following [SV10] we show that the advice string does not help a non-adaptive reduction to find queries that answer (except for a few queries which we can handle).
For adaptive reductions, consider “hybrid executions” of $R^D$:
◦ First $t$ queries are not answered.
◦ Remaining $q-t$ queries are answered according to the oracle distribution.
Hybrid executions are in some sense non-adaptive (the $(t+1)$-st query is known in advance).
We first bound the information that $R$ gets on $g$ in hybrid executions.
Then we show that with high probability real and hybrid executions coincide.

15
Size loss is inherent in reductions showing hardness amplification even in the most general case (non-uniform and adaptive reductions).
Not an impossibility result for hardness amplification: only rules out certain proof techniques.
Limitations apply to essentially all proof techniques in the literature. See discussion in paper.
Our lower bounds on # of queries match upper bounds in some (but not all) settings:
◦ Direct product lemma with constant $\delta$ [KS03].
◦ Errorless amplification with constant $\delta$ [BS07, W11].
Open: Improve lower bounds to match upper bounds:
◦ For non-constant $\delta$.
◦ For Boolean target function.
Can we develop other proof techniques for hardness amplification? (See e.g. [GST05, A06, GT07].)
