We prove that any algorithm for learning parities requires either a memory ofquadratic size or an exponential number of samples. This proves a recentconjecture of Steinhardt, Valiant and Wager and shows that for some learningproblems a large storage space is crucial. More formally, in the problem of parity learning, an unknown string $x \in\{0,1\}^n$ was chosen uniformly at random. A learner tries to learn $x$ from astream of samples $(a_1, b_1), (a_2, b_2) \ldots$, where each~$a_t$ isuniformly distributed over $\{0,1\}^n$ and $b_t$ is the inner product of $a_t$and $x$, modulo~2. We show that any algorithm for parity learning, that usesless than $\frac{n^2}{25}$ bits of memory, requires an exponential number ofsamples. Previously, there was no non-trivial lower bound on the number of samplesneeded, for any learning problem, even if the allowed memory size is $O(n)$(where $n$ is the space needed to store one sample). We also give an application of our result in the field of bounded-storagecryptography. We show an encryption scheme that requires a private key oflength $n$, as well as time complexity of $n$ per encryption/decription of eachbit, and is provenly and unconditionally secure as long as the attacker usesless than $\frac{n^2}{25}$ memory bits and the scheme is used at most anexponential number of times. Previous works on bounded-storage cryptographyassumed that the memory size used by the attacker is at most linear in the timeneeded for encryption/decription.
展开▼
机译:我们证明,用于学习奇偶校验的任何算法都需要具有二次大小的存储或样本数量的指数。这证明了Steinhardt,Valiant和Wager的最新猜想,并表明对于某些学习问题,大的存储空间至关重要。更正式地讲,在奇偶学习的问题中,随机地统一选择未知字符串$ x \ in \ {0,1 \} ^ n $。学习者尝试从样本$(a_1,b_1),(a_2,b_2)\ ldots $的流中学习$ x $,其中每个〜$ a_t $均匀分布在$ \ {0,1 \} ^ n $和$ b_t $是$ a_t $和$ x $的内积,取模2。我们证明,用于奇偶学习的任何算法,只要使用少于$ \ frac {n ^ 2} {25} $位的内存,就需要指数级的样本。以前,对于任何学习问题,即使允许的内存大小为$ O(n)$(其中$ n $是存储一个样本所需的空间),对于任何学习问题,样本数量也没有不小的下限。我们还将结果应用于有界存储密码学领域。我们展示了一种加密方案,该方案需要长度为$ n $的私钥,以及每个位的每次加密/解密的时间复杂度为$ n $,并且只要攻击者的使用少于$ \ frac {n ^,就证明是无条件的安全性。 2} {25} $个存储位,该方案最多使用指数次。以前关于有界存储密码学的工作假定攻击者使用的存储器大小在加密/解密所需的时间中最多是线性的。
展开▼