Counterexamples to hardness amplification beyond negligible

Yevgeniy Dodis, Abhishek Jain, Tal Moran, Daniel Wichs

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

If we have a problem that is mildly hard, can we create a problem that is significantly harder? A natural approach to hardness amplification is the "direct product"; instead of asking an attacker to solve a single instance of a problem, we ask the attacker to solve several independently generated ones. Interestingly, proving that the direct product amplifies hardness is often highly non-trivial, and in some cases may be false. For example, it is known that the direct product (i.e. "parallel repetition") of general interactive games may not amplify hardness at all. On the other hand, positive results show that the direct product does amplify hardness for many basic primitives such as one-way functions, weakly-verifiable puzzles, and signatures. Even when positive direct product theorems are shown to hold for some primitive, the parameters are surprisingly weaker than what we may have expected. For example, if we start with a weak one-way function that no poly-time attacker can break with probability >1/2, then the direct product provably amplifies hardness to some negligible probability. Naturally, we would expect that we can amplify hardness exponentially, all the way to $2^{-n}$ probability, or at least to some fixed/known negligible such as $n^{-\log n}$ in the security parameter $n$, just by taking sufficiently many instances of the weak primitive. Although it is known that such parameters cannot be proven via black-box reductions, they may seem like reasonable conjectures, and, to the best of our knowledge, are widely believed to hold. In fact, a conjecture along these lines was introduced in a survey of Goldreich, Nisan and Wigderson (ECCC '95). In this work, we show that such conjectures are false by providing simple but surprising counterexamples. In particular, we construct weakly secure signatures and one-way functions, for which standard hardness amplification results are known to hold, but for which hardness does not amplify beyond just negligible. That is, for any negligible function , we instantiate these primitives so that the direct product can always be broken with probability , no matter how many copies we take.

Original language: English (US)
Title of host publication: Theory of Cryptography - 9th Theory of Cryptography Conference, TCC 2012, Proceedings
Pages: 476-493
Number of pages: 18
Volume: 7194 LNCS
State: Published - 2012
Event: 9th Theory of Cryptography Conference, TCC 2012 - Taormina, Sicily, Italy
Duration: Mar 19 2012 → Mar 21 2012

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 7194 LNCS
ISSN (Print): 03029743
ISSN (Electronic): 16113349

Other

Other: 9th Theory of Cryptography Conference, TCC 2012
Country: Italy
City: Taormina, Sicily
Period: 3/19/12 → 3/21/12

Fingerprint

Amplification
Hardness
Direct Product
Counterexample
One-way Function
Signature
Black Box
Game
Line
Theorem

ASJC Scopus subject areas

  • Computer Science(all)
  • Theoretical Computer Science

Cite this

Dodis, Y., Jain, A., Moran, T., & Wichs, D. (2012). Counterexamples to hardness amplification beyond negligible. In Theory of Cryptography - 9th Theory of Cryptography Conference, TCC 2012, Proceedings (Vol. 7194 LNCS, pp. 476-493). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7194 LNCS). https://doi.org/10.1007/978-3-642-28914-9_27

@inproceedings{50ec65c0df8b4405928813d1417b704d,
title = "Counterexamples to hardness amplification beyond negligible",
author = "Yevgeniy Dodis and Abhishek Jain and Tal Moran and Daniel Wichs",
year = "2012",
doi = "10.1007/978-3-642-28914-9_27",
language = "English (US)",
isbn = "9783642289132",
volume = "7194 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "476--493",
booktitle = "Theory of Cryptography - 9th Theory of Cryptography Conference, TCC 2012, Proceedings",

}
