Threshold Direct Product Theorems: a survey

Ragesh JaiswalIndian Institute of Technology DelhiThreshold Direct Product Theorems: a surveyDirect Product TheoremsIf a problem is hard to solve on the average, then solving k instances of the problem becomes exponentially harder.

If a cryptographic protocol is hard to break by an adversary with bounded computational power, then breaking the direct product version of the protocol is even more difficult.Threshold Direct Product TheoremIf a problem is hard to solve on the average, then solving more than some threshold fraction of instances from a collection of independently chosen problem instances is exponentially hard.

If there is a gap in the ability of a honest party and an adversary in solving a problem, then this gap can be amplified by asking the user to solve multiple problem instances and accepting if the user solves more than a threshold number of problem instances.Example: CAPTCHADirect Product TheoremsIf a function f:{0,1}n {0,1}m is (1- )-hard to compute by bounded size circuits, then the functionfk(x1, , xk) = f(x1) | f(x2) | | f(xk) is (1 - )-hard to compute by bounded size circuits.

Let X1, , Xk be independent boolean random variables such that , then .Xi = 1 if C(x1,,xk)i = f(xi) and 0 otherwise.

Direct Product TheoremsThere is a circuit C which computes fk with success probability . Construct a circuit C (using C) that computes f with success probability at least .There are tight DP theorems for a number of different contexts.Circuits computing boolean functions.Weakly Verifiable Puzzles.

Threshold Direct Product TheoremsFor any circuit C define: If a function f:{0,1}n {0,1}m is (1- )-hard to compute by bounded size circuits, then for any and any bounded size circuit C,

Let and let X1, , Xk be independent boolean random variables such that , then

Xi = 1 if C(x1,,xk)i = f(xi) and 0 otherwise.

Impagliazzo, J., & Kabanets (2008)Main Theorem: If there is a puzzle system for which the probability of failure is , then the probability of failing on less than out of k puzzles, is at most

Impagliazzo, J., & Kabanets (2008)Trust Reducing Strategy (Trust Halving Strategy [BIN97, IW97])Main Idea:Define a tuple x=(x1,,xk) to be good if Suppose there is an oracle that tells whether a given input tuple (x1,,xk) is good.Plant the given puzzle into a puzzle tuple at a random position i.Check if the puzzle tuple is a good input tuple. If so, output C(x1,,xk)i. The above circuit does well on an input distribution that can be shown to be statistically close to the uniform distribution.

Impagliazzo, J., & Kabanets (2008)Trust Reducing Strategy:(Trust Halving Strategy [BIN97, IW97])Main Idea:Removing the oracle. Smoothing: Count the number of incorrectly solved puzzles (say t) at positions other than i, and output an answer only with probability (for some < 1).

Jutla (2009)Main Theorem: If there is a puzzle system for which the probability of failure is , then the probability of failing on less than out of k puzzles, is at most This is very close to the chernoff-hoeffding bound when is close to 0.Idea:Plant the given input puzzle into a puzzle tuple at a randomly chosen position i.Count the number of incorrectly solved puzzles (say t) other than the planted puzzle.If then output the ith puzzle answer

Jutla (2009)Idea:For any fixed the conditional probability of producing the correct answer might be very bad since the solver might be making precisely mistakes on most of the puzzle tuples. The paper argues that there exists an such that this conditional probability of producing an incorrect answer is small and this can be found by sampling.

Paradigm ShiftWe already have tight results for DP theorems. Why not try to use them to obtain threshold DP theorems.Chung & Liu (2009)Idea:S: solver for the threshold puzzle.S: choose a random subset , simulate S and return the answer of S corresponding to positions in T.S is a DP solver.Use the tight DP theorem reductions to get a solver for the puzzle system.Main Theorem: If there is a puzzle system for which the probability of failure is at least , then the probability of failing on less than out of k puzzles is at most for some constant c.

Unger (2010)Main Theorem: Let X1,,Xk be boolean r.v. such that for some such that for all Let be a number such that . Then

Unger (2010)We may use tight XOR lemmas to obtain tight threshold DP theorems.Main Issue:XOR lemmas makes sense for boolean functions. We cannot use the result for more complicated scenarios like puzzle systems.The result is non-constructive.Impagliazzo & Kabanets (2010)Generalized Chernoff bounds [PS97]: Let X1,,Xk be boolean random variables such that for some , we have that, for every subset . Then for any .

Proof (which can be easily generalized to obtain a constructive version):For some value of (q to be determined later),consider the subset S Binomial(q, k).Consider the quantity: We will compute the above quantity in two different ways and compare.

Impagliazzo & Kabanets (2010)Proof:We have: P =

Define E to be the event that Then,

This implies that

Impagliazzo & Kabanets (2010)Constructive Theorem: There is a randomized algorithm A such that the following holds. Let X1,,Xk be boolean r.v. Let such that , for some

Then, on input n, , the algorithm A, using oracle access to the distribution X1,,Xk runs in time and outputs a subset S such that with high probability,

Impagliazzo & Kabanets (2010)Constructive Proof:For any subset S, letProof sketch: Pick a q such that the following holds:

Algorithm: Sample S from the binomial distribution Binomial(q, n).Estimate a(S) by sampling (since we can sample X1,,Xk).Output S if , else repeat for O(1/ ) steps.

Impagliazzo & Kabanets (2010)Issue with this approach:The running time of producing the subset S is proportional to

This is fine if and are constants.What if the gap between and is small (say 1/poly(n))?Is the result tight?Yes: There are boolean r.v. X1,,Xk and parameters 0 < < < 1 such that , but, for every subset S

Impagliazzo & Kabanets (2010)Stronger sampling conditions help to reduce the running time, but then the success probabilities are not tight.

Open QuestionsObtaining a tight threshold DP theorem wrt the success probabilities and the running time.Thank You