Indistinguishability by adaptive procedures with advice, and lower bounds on hardness amplification proofs Aryeh Grinberg, U. Haifa Ronen.

Presentation transcript:

Indistinguishability by adaptive procedures with advice, and lower bounds on hardness amplification proofs
Aryeh Grinberg, U. Haifa; Ronen Shaltiel, U. Haifa; Emanuele Viola, Northeastern
$f: \{0,1\}^n \to \{0,1\}$, $\forall C$ in circuit class C: $\Pr_X[C(X) = f(X)] < 1-\delta$.
$f': \{0,1\}^{n'} \to \{0,1\}$, $\forall C'$ in circuit class C’: $\Pr_X[C'(X) = f'(X)] < \frac{1}{2}+\epsilon$.

Hardness amplification theorems: mildly hard functions ⇒ very hard functions
$f: \{0,1\}^n \to \{0,1\}$, $\forall C$ in circuit class C: $\Pr_X[C(X) = f(X)] < 1-\delta$. “$(1-\delta)$-hard function”.
$f': \{0,1\}^{n'} \to \{0,1\}$, $\forall C'$ in circuit class C’: $\Pr_X[C'(X) = f'(X)] < \frac{1}{2}+\epsilon$. “$(\frac{1}{2}+\epsilon)$-hard function”.
Used all over in Crypto, Derandomization…

Example: Yao’s XOR-Lemma [Yao82,Lev87,Imp95,GNW95,KS03]
Construction map: $f \Rightarrow f' = Con(f)$, with $f'(x_1,\dots,x_t) = f(x_1) \oplus \dots \oplus f(x_t)$.
Thm: for $t = O(\log n)$, $\forall f$: $f$ is $(1-\frac{1}{10})$-hard for P/poly ⇒ $f'$ is $(\frac{1}{2}+\frac{1}{n})$-hard for P/poly.
What about lower circuit classes?
Lose-lose principle: You can only amplify the hardness you don’t have.
Most frustrating for $AC^0[\oplus]$: have mildly hard functions (majority) [Raz87], but not very hard ones.
[Figure: circuit classes ordered by “Power of C”: $AC^0$, $AC^0[\oplus]$, $TC^0 = AC^0[maj]$, $NC$, $P/poly$, with “Majority” marked. Labels: “Have lower bounds! No amplification” and “Can do hardness amplification! Cannot prove lower bounds [RR,NR]”.]

Our results: Limitations on “powerful” black-box techniques for hardness amplification
Lose-lose principle: You can only amplify the hardness you don’t have.
Most frustrating for $AC^0[\oplus]$: have mildly hard functions (majority) [Raz87], but not very hard ones. Can’t afford hybrid argument and get PRGs w/large stretch.
Previous work [SV08,GR09]: Barrier cannot be bypassed by certain black-box techniques.
This work: Barrier cannot be bypassed by general black-box techniques.
[Figure: the diagram of circuit classes ordered by “Power of C” ($AC^0$, $AC^0[\oplus]$, $TC^0 = AC^0[maj]$, $NC$, $P/poly$), as on the previous slide.]

Example: Yao’s XOR-Lemma [Yao82,Lev87,Imp95,GNW95,KS03]
Construction map: $f \Rightarrow f' = Con(f)$, with $f'(x_1,\dots,x_t) = f(x_1) \oplus \dots \oplus f(x_t)$.
Thm: for $t = O(\log(1/\epsilon)/\delta)$, $\forall f$: $f$ is $(1-\delta)$-hard for size $s$ circuits ⇒ $f'$ is $(\frac{1}{2}+\epsilon)$-hard for size $s' = \frac{s}{q}$ circuits, $q = O\!\left(\frac{\log(1/\delta)}{\epsilon^2}\right)$.
Circuit for $f'$ is $q$ times smaller?! ⇒ $\epsilon \ge \frac{1}{s}$, disappointing!
This work: a loss of $q = O\!\left(\frac{\log(1/\delta)}{\epsilon^2}\right)$ is necessary for general black-box techniques for hardness amplification. Improves upon [SV08,AS11].
The case $\delta = 2^{-n}$ captures worst-case hardness. Closely related to locally-decodable list-decodable codes [STV99].

Reductions proving hardness amplification: nonuniform advice and adaptivity
(Black-box) hardness amplification theorems consist of:
Construction map: $f \Rightarrow f' = Con(f)$.
Proof: reduction $Red^{(\cdot)}(x)$ showing that: $C'$ breaks $f'$ ⇒ $C(x) = Red^{C'}(x)$ breaks $f$.
nonuniform : uniform ≡ list decoding : unique decoding.
Our results: lower bounds on circuit depth and # of queries for general reductions $Red^{(\cdot)}$ that take advice and are adaptive.
General reductions: Can be adaptive. Receive poly-size “nonuniform” advice string.
“advice”: $\alpha = \alpha(C')$ of short length. $\alpha$ is an arbitrary function of $C'$.
[Figure: $Red^{(\cdot)}(x)$ sends a query to the black box $C'_1, C'_2, \dots, C'_N$ and receives an answer.]

Black-box hardness amplification: A pair of construction/reduction
Dfn: A (non-uniform) b.b. hardness amplification is $(Con, Red)$ s.t.
Construction map (encoding map) maps $f \Rightarrow f' = Con(f)$.
$Red^{(\cdot)}(x)$ (list-decoding map) is an oracle circuit s.t. $\forall f, C'$ s.t. $C'$ $(\frac{1}{2}+\epsilon)$-agrees with $f' = Con(f)$, $C(x) = Red^{C'}(x)$ is a function that $(1-\delta)$-agrees with $f$.
Non-uniform case: $\exists \alpha$ “non-uniform advice string” s.t. $C(x) = Red^{C'}(x,\alpha)$, where $\alpha = \alpha(f, C')$: $Red$ gets non b.b. access to $C'$.
Uniform vs. Non-uniform reductions:
For $\delta = 0$, b.b. hardness amp. ≡ uniquely decodable codes. Plotkin bound: no b.b. hardness amp. for $\epsilon < \frac{1}{4}$.
Non-uniform b.b. hardness amp. ≡ list-decodable codes.

Black-box hardness amplification: A pair of construction/reduction
Dfn: A (non-uniform) b.b. hardness amplification is $(Con, Red)$ s.t.
Construction map (encoding map) maps $f \Rightarrow f' = Con(f)$.
$Red^{(\cdot)}(x)$ (list-decoding map) is an oracle circuit s.t. $\forall f, C'$ s.t. $C'$ $(\frac{1}{2}+\epsilon)$-agrees with $f' = Con(f)$, $C(x) = Red^{C'}(x)$ is a function that $(1-\delta)$-agrees with $f$.
Non-uniform case: $\exists \alpha$ “non-uniform advice string” s.t. $C(x) = Red^{C'}(x,\alpha)$, where $\alpha = \alpha(f, C')$: $Red$ gets non b.b. access to $C'$.
Complexity of $Red$ governs the complexity diff. between $C, D$:
Circuit size of $Red$ and length of $\alpha$ (governs size difference).
# of queries that $Red^{(\cdot)}$ makes (governs size difference). (Queries can be adaptive/non-adaptive.)
Circuit depth of $Red$ (governs depth difference).

Our results on non-uniform b.b. hardness amplification
Thm: Let $(Con, Red)$ be a non-uniform b.b. hard. amp. s.t. $size(Red)$, # of queries, $\frac{1}{\epsilon}$, $|\alpha| = 2^{o(k)}$, and $2^{-2k} \le \delta \le \frac{1}{3}$:
$Red$ can be used to compute majority on length $\ell = \Omega(\frac{1}{\epsilon})$ ⇒ $Red$ requires size $\exp(\ell^{\Omega(1/d)})$ for depth $d$ circuits (even with parity gates). [SV08] only handled non-adaptive reductions. [GR09] only handled logarithmic nonuniformity.
$Red$ makes at least $q = \Omega\!\left(\frac{\log(1/\delta)}{\epsilon^2}\right)$ queries. [AS11] only achieved $q = \Omega(\frac{1}{\epsilon})$.

Proof strategy following [Vio06,SV08,GR09]
Let $N_p$ denote an oracle where each entry is an i.i.d. bit which is one with probability $p$.
Fix $f$ to be very hard for circuits of size $2^{o(k)}$ (such $f$ exist). Consider two oracle distributions:
$C'_{1/2-\epsilon} = Con(f) \oplus N_{1/2-\epsilon}$. $C'_{1/2-\epsilon}$ $(\frac{1}{2}+\epsilon)$-agrees w/ $Con(f)$ ⇒ $Red^{C'_{1/2-\epsilon}}$ must $(1-\delta)$-agree with $f$.
$C'_{1/2} = Con(f) \oplus N_{1/2} = N_{1/2}$. $C'_{1/2}$ gives no info on $f$ ⇒ $Red^{C'_{1/2}}$ can’t $(1-\delta)$-agree with $f$.
$Red$ can be used to distinguish $N_{1/2}$ from $N_{1/2-\epsilon}$ w/ adv. $1-\delta$.
⇒ $Red$ can be used to compute maj on length $\ell = \Omega(\frac{1}{\epsilon})$ [SV08].
⇒ $Red$ must make at least $q = \Omega\!\left(\frac{\log(1/\delta)}{\epsilon^2}\right)$ queries [SV08].
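The query bound in the last step can be checked numerically in the advice-free case. The following is an added example, not taken from the slides: it assumes no advice, so any q-query procedure sees q fresh i.i.d. bits and its best advantage is the total variation distance between the two count distributions; the names `best_advantage`, `min_queries` and `normalized` are introduced here.

```python
from math import exp, lgamma, log

def binom_pmf(q, k, p):
    """Pr[Bin(q, p) = k], computed in log space to avoid overflow."""
    log_c = lgamma(q + 1) - lgamma(k + 1) - lgamma(q - k + 1)
    return exp(log_c + k * log(p) + (q - k) * log(1 - p))

def best_advantage(q, eps):
    """Total variation distance between q bits of N_{1/2} and of N_{1/2-eps}.

    For i.i.d. bits the number of ones is a sufficient statistic, so this is
    the largest advantage any q-query test can reach without advice.
    """
    return 0.5 * sum(abs(binom_pmf(q, k, 0.5) - binom_pmf(q, k, 0.5 - eps))
                     for k in range(q + 1))

def min_queries(eps, delta):
    """Smallest q whose best advantage reaches 1 - delta."""
    q = 1
    while best_advantage(q, eps) < 1 - delta:
        q += 1
    return q

def normalized(eps, delta):
    """min_queries divided by log(1/delta)/eps^2, the shape of the slide's bound."""
    return min_queries(eps, delta) * eps ** 2 / log(1 / delta)

if __name__ == "__main__":
    # Constructed parameter choices; the ratio stays within a constant factor.
    for eps, delta in [(0.2, 0.1), (0.1, 0.1), (0.2, 0.01)]:
        print(eps, delta, min_queries(eps, delta), round(normalized(eps, delta), 2))
```

Halving $\epsilon$ roughly quadruples the number of queries needed, and shrinking $\delta$ raises it further, matching the $\log(1/\delta)/\epsilon^2$ form.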

Proof strategy following [Vio06,SV08,GR09]
Problem: a non-uniform $Red$ gets advice $\alpha = \alpha(C') = \alpha(N)$.
Solution: Argue that $Red$ can’t distinguish $N_p$ from $(N_p \mid A)$ for a “large” event $A$.
Intuition: for most fixings $\alpha'$, $A = \{\alpha(N_p) = \alpha'\}$ is “large”.
$C'_{1/2-\epsilon} = Con(f) \oplus N_{1/2-\epsilon}$. $C'_{1/2-\epsilon}$ $(\frac{1}{2}+\epsilon)$-agrees w/ $Con(f)$ ⇒ $Red^{C'_{1/2-\epsilon}}$ must $(1-\delta)$-agree with $f$.
$C'_{1/2} = Con(f) \oplus N_{1/2} = N_{1/2}$. $C'_{1/2}$ gives no info on $f$ ⇒ $Red^{C'_{1/2}}$ can’t $(1-\delta)$-agree with $f$.
$Red$ can be used to distinguish $N_{1/2}$ from $N_{1/2-\epsilon}$ w/ adv. $1-\delta$.
⇒ $Red$ can be used to compute maj on length $\ell = \Omega(\frac{1}{\epsilon})$ [SV08].
⇒ $Red$ must make at least $q = \Omega\!\left(\frac{\log(1/\delta)}{\epsilon^2}\right)$ queries [SV08].

Indistinguishability by adaptive procedures that take advice (A component in the proof) Unrelated to black-box issues! Potentially useful in other settings?

Indistinguishability by adaptive procedures with advice
Setup: Let $R = (R_1,\dots,R_N)$ be uniform i.i.d. bits. Let $A$ be an event s.t. $\Pr[R \in A] \ge 2^{-a}$. Let $X = (R \mid A)$, so that $H(X) \ge N - a$. Say $q, a = polylog(N)$.
Can depth $q$ decision trees distinguish $R$ from $X$?
Advice is helpful!
Bad bits: $A = \{R_1 = 1\}$. Nonadaptive tree distinguishes by querying $R_1$.
Pointer: $N = \ell + 2^{\ell}$ ($\ell \approx \log N$), $R = (R^P, R^D)$, $A = \{R^D_{R^P} = 1\}$. Adaptive tree distinguishes by querying $R^P_1,\dots,R^P_\ell$, and then $R^D_{R^P}$.
Forbidden set lemma: $\exists B \subseteq [N]$, small, s.t. depth $q$ trees that don’t query in $B$ cannot distinguish $R$ from $X$.
Fixed set lemma: $\exists B \subseteq [N]$, small, $\exists$ value $v$ for $X_B$, s.t. depth $q$ trees cannot distinguish $(R \mid R_B = v)$ from $(X \mid X_B = v)$.
[Figure: the bits $R_1, R_2, \dots, R_N$ for the bad-bits example, and $R^P$ followed by $R^D_1, R^D_2, \dots, R^D_{R^P}, \dots, R^D_{2^\ell}$ for the pointer example, with bits labelled “fixed”.]

Indistinguishability by adaptive procedures with advice
Setup: Let $R = (R_1,\dots,R_N)$ be uniform i.i.d. bits. Let $A$ be an event s.t. $\Pr[R \in A] \ge 2^{-a}$. Let $X = (R \mid A)$, so that $H(X) \ge N - a$. Say $q, a = polylog(N)$.
Can depth $q$ decision trees distinguish $R$ from $X$?
Forbidden set lemma: $\exists B \subseteq [N]$, small, s.t. depth $q$ trees that don’t query in $B$ cannot distinguish $R$ from $X$.
Fixed set lemma: $\exists B \subseteq [N]$, small, $\exists$ value $v$ for $X_B$, s.t. depth $q$ trees cannot distinguish $(R \mid R_B = v)$ from $(X \mid X_B = v)$.
small = $poly(q, a, 1/\eta)$ where $\eta$ is distinguishing advantage.
Forbidden set lemma is a generalization of folklore lemma that has $q = 1$, and [SV08] where trees are nonadaptive.
Related variants of fixed set lemma in [Unr07,DGK17,CDGS18].
Our proofs on reductions end up using the fixed set lemma.

Proof of fixed set lemma
Setup: Let $R = (R_1,\dots,R_N)$ be uniform i.i.d. bits. Let $A$ be an event s.t. $\Pr[R \in A] \ge 2^{-a}$. Let $X = (R \mid A)$. Can depth $q$ decision trees distinguish $R$ from $X$?
Fixed set lemma: $\exists B \subseteq [N]$, small, $\exists$ value $v$ for $X_B$, s.t. depth $q$ trees cannot distinguish $(R \mid R_B = v)$ from $(X \mid X_B = v)$.
Let $HD(X) = |X| - H(X) \ge 0$ be the “entropy deficiency” of $X$.
Claim: If depth $q$ tree $\eta$-distinguishes $X$ from $R$, then $\exists Q \subseteq [N]$ of size $q$, $\exists v \in \{0,1\}^q$, s.t. $HD(X \mid X_Q = v) \le HD(X) - \eta^2$.
Fixed set lemma follows as initially $HD(X) \le a$, and so after at most $a/\eta^2$ steps, no tree can distinguish. We fix at most $qa/\eta^2$ bits.

Proof of fixed set lemma: Proof of claim
Let $HD(X) = |X| - H(X) \ge 0$ be the “entropy deficiency” of $X$.
Claim: If depth $q$ tree $\eta$-distinguishes $X$ from $R$, then $\exists Q \subseteq [N]$ of size $q$, $\exists v \in \{0,1\}^q$, s.t. $HD(X \mid X_Q = v) \le HD(X) - \eta^2$.
Proof: Assume that a depth $q$ tree $T$ $\eta$-distinguishes. Let $I = (I_1,\dots,I_q)$ be the queries asked on $X$ (RVs).
$(X_{I_1},\dots,X_{I_q})$ is $\eta$-far from uniform ⇒ $H(X_{I_1},\dots,X_{I_q}) \le q - \eta^2$ (Pinsker’s lemma).
$H(X) = H(X, X_{I_1},\dots,X_{I_q})$ ($I$ is a function of $X$) $= H(X_{I_1},\dots,X_{I_q}) + H(X \mid X_{I_1},\dots,X_{I_q})$ (entropy chain rule).
⇒ $H(X \mid X_{I_1},\dots,X_{I_q}) \ge H(X) - q + \eta^2$.
⇒ $\exists v$: $H(X \mid X_I = v) \ge H(X) - q + \eta^2$, $I$ fixed to $Q$.
⇒ $HD(X \mid X_Q = v) \le HD(X) - \eta^2$.
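The pointer example and the fixed set lemma can be checked by exhaustive enumeration on a tiny instance. This is an added example, not part of the original slides: it assumes $\ell = 2$ (so $N = 6$), and all function names are introduced here for illustration.

```python
from itertools import product
from math import log2

ELL = 2              # pointer length; chosen small (assumption) so we can enumerate
N = ELL + 2 ** ELL   # N = l + 2^l: pointer part R^P followed by data part R^D

def pointer(x):
    """Integer encoded by the pointer bits R^P (first ELL positions, MSB first)."""
    return int("".join(map(str, x[:ELL])), 2)

def in_A(x):
    """Event A of the pointer example: the data bit selected by R^P equals 1."""
    return x[ELL + pointer(x)] == 1

R = list(product((0, 1), repeat=N))   # support of the uniform string R
X = [x for x in R if in_A(x)]         # support of X = (R | A), uniform on A

def deficiency(support, free_bits):
    """HD = (number of unfixed bits) - H, for a uniform distribution on support."""
    return free_bits - log2(len(support))

def accept_prob(support, tree):
    """Probability that tree outputs 1 on a uniform sample from support."""
    return sum(tree(x) for x in support) / len(support)

def advantage(tree):
    """Distinguishing advantage of tree between X and R."""
    return abs(accept_prob(X, tree) - accept_prob(R, tree))

def adaptive_tree(x):
    """Depth ELL+1: query the pointer bits, then the data bit they select."""
    return x[ELL + pointer(x)]

def best_single_query():
    """Largest advantage of a depth-1 tree that outputs one queried bit."""
    return max(advantage(lambda x, i=i: x[i]) for i in range(N))

def condition(support, positions, values):
    """Keep the strings whose bits at positions equal values."""
    return [x for x in support
            if all(x[i] == v for i, v in zip(positions, values))]

def fixed_set_demo(p=1):
    """Fix B = pointer bits plus the selected data bit to v = (p, 1)."""
    B = list(range(ELL)) + [ELL + p]
    v = [int(b) for b in format(p, f"0{ELL}b")] + [1]
    r_v, x_v = condition(R, B, v), condition(X, B, v)
    # After fixing, the two conditional distributions coincide.
    return r_v == x_v, deficiency(x_v, N - len(B))
```

Here $\Pr[A] = \frac{1}{2}$, so $HD(X) = 1$; the adaptive tree has advantage $\eta = \frac{1}{2}$, and fixing the three bits it queries drops the deficiency to 0, consistent with the claim's bound $HD(X) - \eta^2$.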

Conclusion and Open problems
We show that the XOR lemma for constant depth circuits cannot be proven by general black-box techniques.
Does the XOR lemma hold for constant depth circuits?
Question: is it true that for $t = O(\log n)$ (or even $t = poly(n)$), $\forall f$: $f$ is $(1-\frac{1}{10})$-hard for $AC^0[\oplus]$ ⇒ $f'(x_1,\dots,x_t) = f(x_1) \oplus \dots \oplus f(x_t)$ is $(\frac{1}{2}+\frac{1}{n})$-hard for $AC^0[\oplus]$?
What about non-black-box techniques?
In [GST05,Ats06,GT07], a “weak variant of amplification” that provably beats black-box lower bounds of [FF98,BT03]. This proof technique isn’t ruled out by our result.

More conclusions and open problems
In the paper we consider hardness amplification that corresponds to “non-Boolean codes” and “decoding from erasures”.
Example, direct product: Construction map: $f \Rightarrow f' = Con(f)$, with $f'(x_1,\dots,x_t) = (f(x_1),\dots,f(x_t))$. Holds for $AC^0$! Some reductions don’t use majority [IJKW].
We prove: tight lower bound on queries: $q = \Omega\!\left(\frac{\log(1/\delta)}{\epsilon}\right)$.
We show limitations on converting $f$ that is $(1-\delta)$-hard for $AC^0[\oplus]$ into a $\frac{1}{n}$-PRG for $AC^0[\oplus]$. (Same as main result.)
Is it possible to get a $\frac{1}{10}$-PRG? [FSUV12] beats hybrid argument.
Limitations on specific black-box constructions [Vio18].

That’s it…

Old Slides

Hardness amplification theorems: hard functions ⇒ harder functions
Dfn: For $f, C: \{0,1\}^k \to \{0,1\}$, $C$ $p$-agrees with $f$ if $\Pr_{X \leftarrow U_k}[C(X) = f(X)] \ge p$. ($f$ is $p$-hard for $C$ otherwise.)
Very hard functions: explicit $f$ is $(\frac{1}{2}+\epsilon)$-hard for all poly-size circuits (or other circuit classes). Required for crypto, derandomization, etc…
Hardness amplification: Map $f \Rightarrow f' = Con(f)$ s.t. $\forall f$: $f$ mildly hard ($p = 1-\delta$) ⇒ $f' = Con(f)$ very hard.
$\delta = 0$ (or $\delta = 2^{-2k}$) captures worst-case hardness.
Hardness amplification is a conditional result.

Hardness amplification theorems: mildly hard functions ⇒ very hard functions
$f: \{0,1\}^k \to \{0,1\}$, $\forall C$ in circuit class C: $\Pr_X[C(X) = f(X)] < 1-\delta$. “$(1-\delta)$-hard function”.
$f': \{0,1\}^{k'} \to \{0,1\}$, $\forall C'$ in circuit class C’: $\Pr_X[C'(X) = f'(X)] < \frac{1}{2}+\epsilon$. “$(\frac{1}{2}+\epsilon)$-hard function”.
(Black-box) hardness amplification theorems consist of:
Construction map: $f \Rightarrow f' = Con(f)$.
Proof: reduction $Red^{(\cdot)}(x)$ showing that: $C'$ breaks $f'$ ⇒ $C(x) = Red^{C'}(x)$ breaks $f$.
Used all over in Crypto, Derandomization…
Special case: $\delta = 0 \approx 2^{-k}$ captures worst case hardness.

Black-box hardness amplification: A pair of construction/reduction
Dfn: A (non-uniform) b.b. hardness amplification is $(Con, Red)$ s.t.
Construction map maps $f \Rightarrow f' = Con(f)$.
$Red^{(\cdot)}(x)$ is an oracle circuit s.t. $\forall f, D$ s.t. $D$ $(\frac{1}{2}+\epsilon)$-agrees with $f' = Con(f)$, $\exists \alpha$ “non-uniform advice string” s.t. $C(x) = Red^{D}(x,\alpha)$ is a function that $(1-\delta)$-agrees with $f$.
$\alpha = \alpha(f, D)$: $Red$ gets non b.b. access to $D$.
Complexity of $Red$ governs the complexity diff. between $C, D$:
Circuit size of $Red$ and length of $\alpha$ (governs size difference).
# of queries that $Red^{(\cdot)}$ makes (governs size difference). (Queries can be adaptive/non-adaptive.)
Circuit depth of $Red$ (governs depth difference).

Proof strategy following [Vio06,SV08,GR09]
Problem: a non-uniform $Red$ gets advice $\alpha = \alpha(D) = \alpha(N)$.
Solution: Argue that $Red$ can’t distinguish $N_p$ from $(N_p \mid A)$ for a “large” event $A$.
Intuition: for most fixings $\alpha'$, $A = \{\alpha(N_p) = \alpha'\}$ is “large”.
$D_{1/2-\epsilon} = Con(f) \oplus N_{1/2-\epsilon}$. $D_{1/2-\epsilon}$ $(\frac{1}{2}+\epsilon)$-agrees w/ $Con(f)$ ⇒ $Red^{D_{1/2-\epsilon}}$ must $(1-\delta)$-agree with $f$.
$D_{1/2} = Con(f) \oplus N_{1/2} = N_{1/2}$. $D_{1/2}$ gives no info on $f$ ⇒ $Red^{D_{1/2}}$ can’t $(1-\delta)$-agree with $f$.
$Red$ can be used to distinguish $N_{1/2}$ from $N_{1/2-\epsilon}$ w/ adv. $1-\delta$.
⇒ $Red$ can be used to compute maj on length $\ell = \Omega(\frac{1}{\epsilon})$ [SV08].
⇒ $Red$ must make at least $q = \Omega\!\left(\frac{\log(1/\delta)}{\epsilon^2}\right)$ queries [SV08].