Threshold Direct Product Theorems: a survey. Ragesh Jaiswal, Indian Institute of Technology Delhi.

Direct Product Theorems
• If a problem is hard to solve on the average, then solving k instances of the problem becomes exponentially harder.
• If a cryptographic protocol is hard to break by an adversary with bounded computational power, then breaking the direct product version of the protocol is even more difficult.

Threshold Direct Product Theorem
• If a problem is hard to solve on the average, then solving more than some threshold fraction of instances from a collection of independently chosen problem instances is exponentially hard.
• If there is a gap in the ability of an honest party and an adversary in solving a problem, then this gap can be amplified by asking the user to solve multiple problem instances and accepting if the user solves more than a threshold number of problem instances.
• Example: CAPTCHA

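The gap amplification described on this slide can be made concrete with a short calculation. The following is an added example, not part of the original slides: it assumes each party solves instances independently, with constructed success probabilities 0.9 (honest) and 0.6 (adversary) and an acceptance threshold of 0.75, and compares the adversary's exact acceptance probability with the Chernoff-Hoeffding bound that the later slides use as the benchmark.

```python
import math

def binom_tail(k, p, m):
    """Exact Pr[Bin(k, p) >= m]."""
    return sum(math.comb(k, j) * p**j * (1 - p)**(k - j) for j in range(m, k + 1))

def kl(a, b):
    """Binary relative entropy D(a || b) in nats, for 0 < b < 1."""
    def term(x, y):
        return 0.0 if x == 0 else x * math.log(x / y)
    return term(a, b) + term(1 - a, 1 - b)

def accept_prob(k, p, theta):
    """Pr[solver passes]: at least ceil(theta * k) of k instances solved,
    assuming independent per-instance success probability p (an assumption)."""
    return binom_tail(k, p, math.ceil(theta * k))

def chernoff_bound(k, p, theta):
    """Chernoff-Hoeffding bound exp(-k * D(theta || p)) on accept_prob, for theta >= p."""
    return math.exp(-k * kl(theta, p))

def min_instances(p_honest, p_adv, theta, err):
    """Smallest k with honest rejection <= err and adversary acceptance <= err."""
    k = 1
    while not (1 - accept_prob(k, p_honest, theta) <= err
               and accept_prob(k, p_adv, theta) <= err):
        k += 1
    return k

# Constructed sample parameters (not from the slides).
P_HONEST, P_ADV, THETA = 0.9, 0.6, 0.75

if __name__ == "__main__":
    # Columns: k, honest rejection, adversary acceptance, Chernoff-Hoeffding bound.
    for k in (4, 20, 40, 80):
        print(k, 1 - accept_prob(k, P_HONEST, THETA),
              accept_prob(k, P_ADV, THETA), chernoff_bound(k, P_ADV, THETA))
    print("k for error 1e-3:", min_instances(P_HONEST, P_ADV, THETA, 1e-3))
```
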
Direct Product Theorems
• If a function f: {0,1}^n → {0,1}^m is (1- )-hard to compute by bounded size circuits, then the function f^k(x1, …, xk) = f(x1) | f(x2) | … | f(xk) is (1 - )-hard to compute by bounded size circuits.
• Let X1, …, Xk be independent boolean random variables such that , then .
• Xi = 1 if C’(x1,…,xk)_i = f(xi) and 0 otherwise.

Direct Product Theorems
• There is a circuit C’ which computes f^k with success probability . Construct a circuit C (using C’) that computes f with success probability at least .
• There are tight DP theorems for a number of different contexts.
• Circuits computing boolean functions.
• Weakly Verifiable Puzzles.

Threshold Direct Product Theorems
• For any circuit C define:
• If a function f: {0,1}^n → {0,1}^m is (1- )-hard to compute by bounded size circuits, then for any and any bounded size circuit C,
• Let and let X1, …, Xk be independent boolean random variables such that , then
• Xi = 1 if C’(x1,…,xk)_i = f(xi) and 0 otherwise.

Impagliazzo, J., & Kabanets (2008)
• Main Theorem: If there is a puzzle system for which the probability of failure is , then the probability of failing on less than out of k puzzles, is at most

Impagliazzo, J., & Kabanets (2008)
• Trust Reducing Strategy (Trust Halving Strategy [BIN97, IW97])
• Main Idea:
• Define a tuple x = (x1,…,xk) to be good if
• Suppose there is an oracle that tells whether a given input tuple (x1,…,xk) is good.
• Plant the given puzzle into a puzzle tuple at a random position i.
• Check if the puzzle tuple is a good input tuple. If so, output C’(x1,…,xk)_i.
• The above circuit does well on an input distribution that can be shown to be statistically close to the uniform distribution.

Impagliazzo, J., & Kabanets (2008)
• Trust Reducing Strategy: (Trust Halving Strategy [BIN97, IW97])
• Main Idea:
• Removing the oracle.
• Smoothing: Count the number of incorrectly solved puzzles (say t) at positions other than i, and output an answer only with probability (for some < 1).

Jutla (2009)
• Main Theorem: If there is a puzzle system for which the probability of failure is , then the probability of failing on less than out of k puzzles, is at most
• This is very close to the Chernoff-Hoeffding bound when is close to 0.
• Idea:
• Plant the given input puzzle into a puzzle tuple at a randomly chosen position i.
• Count the number of incorrectly solved puzzles (say t) other than the planted puzzle.
• If then output the i-th puzzle answer

Jutla (2009)
• Idea:
• For any fixed the conditional probability of producing the correct answer might be very bad since the solver might be making precisely mistakes on most of the puzzle tuples.
• The paper argues that there exists an such that this conditional probability of producing an incorrect answer is small and this can be found by sampling.

Paradigm Shift
We already have tight results for DP theorems. Why not try to use them to obtain threshold DP theorems?

Chung & Liu (2009)
• Idea:
• S: solver for the threshold puzzle.
• S’: choose a random subset , simulate S and return the answer of S corresponding to positions in T.
• S’ is a DP solver.
• Use the tight DP theorem reductions to get a solver for the puzzle system.
• Main Theorem: If there is a puzzle system for which the probability of failure is at least , then the probability of failing on less than out of k puzzles is at most for some constant c.

Unger (2010)
• Main Theorem: Let X1,…,Xk be boolean r.v. such that for some such that for all Let be a number such that . Then

Unger (2010)
• We may use tight XOR lemmas to obtain tight threshold DP theorems.
• Main Issue:
• XOR lemmas make sense for boolean functions. We cannot use the result for more complicated scenarios like puzzle systems.
• The result is non-constructive.

Impagliazzo & Kabanets (2010)
• Generalized Chernoff bounds [PS97]: Let X1,…,Xk be boolean random variables such that for some , we have that, for every subset . Then for any .
• Proof (which can be easily generalized to obtain a constructive version):
• For some value of (q to be determined later), consider the subset S ∼ Binomial(q, k).
• Consider the quantity:
• We will compute the above quantity in two different ways and compare.

Impagliazzo & Kabanets (2010)
• Proof:
• We have: P =
• Define E to be the event that
• Then,
• This implies that

Impagliazzo & Kabanets (2010)
• Constructive Theorem: There is a randomized algorithm A such that the following holds. Let X1,…,Xk be boolean r.v. Let such that , for some Then, on input n, , the algorithm A, using oracle access to the distribution X1,…,Xk runs in time and outputs a subset S such that with high probability,

Impagliazzo & Kabanets (2010)
• Constructive Proof:
• For any subset S, let
• Proof sketch:
• Pick a q such that the following holds:
• Algorithm:
• Sample S from the binomial distribution Binomial(q, n).
• Estimate a(S) by sampling (since we can sample X1,…,Xk).
• Output S if , else repeat for O(1/ ) steps.

Impagliazzo & Kabanets (2010)
• Issue with this approach:
• The running time of producing the subset S is proportional to
• This is fine if and are constants.
• What if the gap between and is small (say 1/poly(n))?
• Is the result tight?
• Yes: There are boolean r.v. X1,…,Xk and parameters 0 < < < 1 such that , but, for every subset S

Impagliazzo & Kabanets (2010)
• Stronger sampling conditions help to reduce the running time, but then the success probabilities are not tight.

Open Questions
• Obtaining a tight threshold DP theorem wrt the success probabilities and the running time.