Lower Bounds on the Query Complexity of Non-Uniform and Adaptive Reductions Showing

Hardness Amplification

Ronen Shaltiel Sergei Artemenko

University of Haifa University of Haifa

Functions That Are Hard on Average

Function g:{0,1}n→{0,1} is p-hard for a family of circuits if for every circuit in this family Prx← Un

[C(x)=g(x)]<p.

Boole

an

Circu

it

g

Circuits fail to compute some inputs

Circuits fail to compute noticeable fraction of inputs

Almost random guessing

Hard on worst case Mildly average-case hardStrongly average-case hard

Hardness Variations

p=1 p=1- δ p= ½ + ε

For simplicity assume δ=¹⁄₁₀

Derandomization, Pseudorandomness [Yao82, BM84, NW94,…]

Cryptographic primitives [Yao82, BM84,…]

Applications of Functions That Are Hard on Average

These applications require functions that are very hard on average p=½+negligible

Hardness Amplification

strongly average-case hard g=Amp(f)

worst case hard for

mildly average-case hard f

Example: Yao’s XOR lemma (δ=¹⁄₁₀)If function f (x) is (1-¹⁄₁₀)-hard for circuits of size at most s, then function g(x1,…,xk)=f(x1)⊕⋯⊕f(xk) is (½+ε)-hard for circuits of size at most s'=s·poly(ε)<s for large enough k, e.g. k=poly(log(¹⁄ε ) ) .

Assumption: f is worst case/mildly average-case hard for circuits of size at most s.Conclusion: g=Amp(f) is strongly average-case hard for circuits of size at most s'.

Hardness Amplification

strongly average-case hard g=Amp(f)

worst case hard for

mildly average-case hard f

Assumption: f is worst case/mildly average-case hard for circuits of size at most s.

Example: Direct product/concatenation lemma (δ=¹⁄₁₀)If a function f (x) is (1-¹⁄₁₀)-hard for circuits of size at most s, then function g(x1,…,xk)=f(x1)∘⋯∘f(xk) is ε-hard for circuits of size at most s'=s·poly(ε)<s for large enough k.

Conclusion: g=Amp(f) is strongly average-case hard for circuits of size at most s'.

Hardness Amplification

In all hardness amplification results in literature target function g=Amp(f) is hard for circuits of size s'<s

(actually, s'≤ε·s). Implies that ε≥¹⁄s .

Problematic in some applications

worst case hard for

mildly average-case hard f

Assumption: f is worst case/mildly average-case hard for circuits of size at most s.Conclusion: g=Amp(f) is strongly average-case hard for circuits of size at most s'.

strongly average-case hard g=Amp(f)

Size Loss

Circuits of size at most s

Circuits of size at most s'

Natural question:Is this size loss necessary?

We will show that size loss is necessary for certain proof techniques.

Proof by Reduction

f is (1-δ)–hard for size s

g is (½+ε)-hard for size s'

∃D of size s' such that Pr[D(y)=g(y)] ≥ ½+ε

∃C of size s such that Pr[C(x)=f(x)] ≥ 1-δ

Proof by reduction: Existence of circuit C is shown by providing a reduction R (an oracle procedure) s.t. C=RD.

iff

“Uniform”: R(·) is an “efficient” oracle TM.

Various Notions of Reductions

Known: These types of reductions cannot prove most hardness amplification results in literature [STV99].

“Non-uniform”: R(·) is a “small” oracle circuit that is also allowed to receive a “short advice string” α as a function of f and more importantly of the oracle D supplied to R.

“Semi-uniform”: R(·) is a “small” oracle circuit.

More precisely: A non-uniform reduction R(·) satisfies:∀D s.t. Pr[D(y)=g(y)]≥½+ε∃α=α(f,D) s.t. Pr[RD(x,α)=f(x)]≥1-δ

Essentially all known hardness amplification results are proven using such reductions

Number of Queries Size Loss

In this work we show that every reduction must make q=Ω (¹⁄ε ) queries.

s'≤ε·s

size loss!

If reduction R makes ≤ q queries to oracle D, then circuit C can be constructed by replacing every oracle gate with circuit D.

s=size(C)≈q·size(D)+size(R)≥q·size(D)=q·s'

Theorem*: Every reduction R(·) must make q=Ω (¹⁄ε ) queries to oracle even if R(·) is non-uniform and adaptive (i.e.,

it makes adaptive queries).*For standard parameters of hardness amplification.

Comparison to [SV10]: [SV10] only handle non-uniform non-adaptive reductions. Our results apply to a more general class of hardness

amplification tasks (non-Boolean g, errorless amplification, “function-specific amplification”).

[SV10] gives a better bound of q=Ω(log(¹⁄δ ) ⁄ε2) for Boolean case. (Our results apply to a more general setup in which there are upper bounds of q=Ω(log(¹⁄δ ) ⁄ε).

Our Results (Informally)

Given functions f,g consider (distribution over) oracles D: With probability 2ε, D(y)=g(y). With probability 1-2ε, D(y) answers a fresh random bit. ⇒ Pr[D(y)=g(y)]≥½+ε (so that RD has to approx. compute f).

Folklore e.g. [R]: A reduction R(·) that makes o(¹⁄ε ) queries is unlikely to get any meaningful information.

Þ RD cannot compute f (even approximately).Þ Contradiction (meaning that # of queries = Ω(¹⁄ε ) ).

Difficulties for general reductions: Non-uniform reductions can use advice string to locate queries y

on which D answers correctly. Furthermore, adaptability may allow a non-uniform reduction to

find “interesting” queries y (based on the adaptive strategy of whether or not previous queries answer).

Something About the Proof

Difficulties for general reductions: Non-uniform reductions can use advice string to locate

queries y on which D answers correctly. Furthermore, adaptability may allow a non-uniform reduction

to find “interesting” queries y (based whether or not previous queries answer).

Our approach: Following [SV10] we show that advice string does not help a

non-adaptive reduction to find queries that answer (except for few queries which we can handle).

For adaptive reductions, consider “hybrid executions” of RD:◦ First t queries are not answered.◦ Remaining q-t queries are answered according to oracle distribution.

Hybrid executions are in some sense non-adaptive (the t+1’st query is known in advance).

We first bound the information that R gets on g in hybrid executions.

Then we show that with high probability real and hybrid executions coincide.

Something About the Proof

Size loss is inherent in reductions showing hardness amplification even in the most general case (non-uniform and adaptive reductions).

Not an impossibility result for hardness amplification: only rules out certain proof techniques.

Limitations apply to essentially all proof techniques in literature. See discussion in paper.

Our lower bounds on # of queries match upper bounds in some (but not all) settings:◦ Direct product lemma with constant δ [KS03].◦ Errorless amplification with constant δ [BS07,W11].

Open: Improve lower bounds to match upper bounds:

◦ For non-constant δ.◦ For Boolean target function.

Can we develop other proof techniques for hardness amplification? (See e.g., [GST05,A06,GT07]).

Conclusion and Open Problems

Thank You…