Ronen ShaltielSergei Artemenko University of Haifa

g g Function g:{0,1} n →{0,1} is p-hard for a family of circuits if for every circuit in this family Pr x←U n [C(x)=g(x)]<p. Boolean Circuit g

Circuits fail to compute some inputs Circuits fail to compute noticeable fraction of inputs Almost random guessing Hard on worst caseMildly average-case hardStrongly average-case hard p=1 p=1-δp= ½+ε For simplicity assume δ=¹⁄₁₀

 Derandomization, Pseudorandomness [Yao82, BM84, NW94,…]  Cryptographic primitives [Yao82, BM84,…] These applications require functions that are very hard on average p=½+negligible

gf strongly average-case hard g=Amp(f) f worst case hard f or f mildly average-case hard f Example: Yao’s XOR lemma (δ=¹⁄₁₀) f gff If function f(x) is (1-¹⁄₁₀)-hard for circuits of size at most s, then function g(x 1,…,x k )=f(x 1 )⊕⋯⊕f(x k ) is (½+ε)-hard for circuits of size at most s'=s·poly(ε)<s for large enough k, e.g. k=poly(log(¹⁄ ε )). f Assumption: f is worst case/mildly average-case hard for circuits of size at most s. gf) Conclusion: g=Amp(f) is strongly average-case hard for circuits of size at most s'.

gf strongly average-case hard g=Amp(f) f worst case hard f or f mildly average-case hard f f Assumption: f is worst case/mildly average-case hard for circuits of size at most s. Example: Direct product/concatenation lemma (δ=¹⁄₁₀) f gff If a function f(x) is (1-¹⁄₁₀)-hard for circuits of size at most s, then function g(x 1,…,x k )=f(x 1 )∘⋯∘f(x k ) is ε-hard for circuits of size at most s'=s·poly(ε)<s for large enough k. gf) Conclusion: g=Amp(f) is strongly average-case hard for circuits of size at most s'.

gf In all hardness amplification results in literature target function g=Amp(f) is hard for circuits of size s'<s (actually, s'≤ε·s). Implies that ε≥ ¹ ⁄ s. Problematic in some applications f worst case hard f or f mildly average-case hard f f Assumption: f is worst case/mildly average-case hard for circuits of size at most s. gf) Conclusion: g=Amp(f) is strongly average-case hard for circuits of size at most s'. gf strongly average-case hard g=Amp(f)

Circuits of size at most s Circuits of size at most s' Natural question: Is this size loss necessary? We will show that size loss is necessary for certain proof techniques.

f f is (1-δ)–hard for size s g g is (½+ε)-hard for size s' g ∃D of size s' such that Pr[D(y)=g(y)] ≥ ½+ε f ∃C of size s such that Pr[C(x)=f(x)]≥1-δ Proof by reduction: Existence of circuit C is shown by providing a reduction R (an oracle procedure) s.t. C=R D. iff

 “Uniform”: R (·) is an “efficient” oracle TM. Known: These types of reductions cannot prove most hardness amplification results in literature [STV99]. f  “Non-uniform”: R (·) is a “small” oracle circuit that is also allowed to receive a “short advice string” α as a function of f and more importantly of the oracle D supplied to R.  “Semi-uniform”: R (·) is a “small” oracle circuit. More precisely: A non-uniform reduction R (·) satisfies: ∀D s.t. Pr[D(y)=g(y)]≥½+ε ff ∃α=α(f,D) s.t. Pr[R D (x,α)=f(x)]≥1-δ Essentially all known hardness amplification results are proven using such reductions

In this work we show that every reduction must make q=Ω (¹⁄ ε ) queries. s'≤ε·s size loss! If reduction R makes ≤ q queries to oracle D, then circuit C can be constructed by replacing every oracle gate with circuit D. s=size(C)≈q·size(D)+size(R)≥q·size(D)=q·s'

Theorem*: Every reduction R (·) must make q=Ω (¹⁄ ε ) queries to oracle even if R (·) is non-uniform and adaptive (i.e., it makes adaptive queries). *For standard parameters of hardness amplification. Comparison to [SV10]:  [SV10] only handle non-uniform non-adaptive reductions. g  Our results apply to a more general class of hardness amplification tasks (non-Boolean g, errorless amplification, “function-specific amplification”).  [SV10] gives a better bound of q=Ω ( log(¹⁄ δ ) ⁄ ε 2 ) for Boolean case. (Our results apply to a more general setup in which there are upper bounds of q=Ω ( log(¹⁄ δ ) ⁄ ε ).

fg Given functions f,g consider (distribution over) oracles D :  With probability 2ε, D(y)=g(y).  With probability 1-2ε, D(y) answers a fresh random bit. ⇒ Pr[D(y)=g(y)]≥½+ε (so that R D has to approx. compute f). Folklore e.g. [R]: A reduction R (·) that makes o(¹⁄ ε ) queries is unlikely to get any meaningful information. f  R D cannot compute f (even approximately).  Contradiction (meaning that # of queries = Ω(¹⁄ ε ) ). Difficulties for general reductions:  Non-uniform reductions can use advice string to locate queries y on which D answers correctly.  Furthermore, adaptability may allow a non-uniform reduction to find “interesting” queries y (based on the adaptive strategy of whether or not previous queries answer).

Difficulties for general reductions:  Non-uniform reductions can use advice string to locate queries y on which D answers correctly.  Furthermore, adaptability may allow a non-uniform reduction to find “interesting” queries y (based whether or not previous queries answer). Our approach:  Following [SV10] we show that advice string does not help a non-adaptive reduction to find queries that answer (except for few queries which we can handle).  For adaptive reductions, consider “hybrid executions” of R D : ◦ First t queries are not answered. ◦ Remaining q-t queries are answered according to oracle distribution.  Hybrid executions are in some sense non-adaptive (the t+1’st query is known in advance).  We first bound the information that R gets on g in hybrid executions.  Then we show that with high probability real and hybrid executions coincide.

 Size loss is inherent in reductions showing hardness amplification even in the most general case (non-uniform and adaptive reductions).  Not an impossibility result for hardness amplification: only rules out certain proof techniques.  Limitations apply to essentially all proof techniques in literature. See discussion in paper.  Our lower bounds on # of queries match upper bounds in some (but not all) settings: ◦ Direct product lemma with constant δ [KS03]. ◦ Errorless amplification with constant δ [BS07,W11]. Open:  Improve lower bounds to match upper bounds: ◦ For non-constant δ. ◦ For Boolean target function.  Can we develop other proof techniques for hardness amplification? (See e.g., [GST05,A06,GT07]).