The power of adaptivity in algorithms has been intensively studied in diverse areas of theoretical computer science. In this paper, we obtain a number of sharp lower bound results which show that adaptivity provides significant extra power in cryptanalytic time-space tradeoffs with (possibly unlimited) preprocessing time. Most notably, we consider the discrete logarithm (DLOG) problem in a generic group of $N$ elements. The classical `baby-step giant-step' algorithm for the problem has time complexity $T=O(\sqrt{N})$, uses $O(\sqrt{N})$ bits of space (up to logarithmic factors in $N$) and achieves constant success probability. We examine a generalized setting where an algorithm obtains an advice string of $S$ bits and is allowed to make $T$ arbitrary non-adaptive queries that depend on the advice string (but not on the challenge group element). We show that in this setting, the $T=O(\sqrt{N})$ online time complexity of the baby-step giant-step algorithm cannot be improved, unless the advice string is more than $\Omega(\sqrt{N})$ bits long. This lies in stark contrast with the classical adaptive Pollard's rho algorithm for DLOG, which can exploit preprocessing to obtain the tradeoff curve $ST^2=O(N)$. We obtain similar sharp lower bounds for several other cryptanalytic problems. To obtain our results, we present a new model that allows analyzing non-adaptive preprocessing algorithms for a wide array of search and decision problems in a unified way. Since previous proof techniques inherently cannot distinguish between adaptive and non-adaptive algorithms for the problems in our model, they cannot be used to obtain our results. Instead, our proof uses a variant of Shearer's lemma for this setting, due to Barthe, Cordero-Erausquin, Ledoux, and Maurey (2011). This seems to be the first time a variant of Shearer's lemma for permutations is used in an algorithmic context.
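To make the parameters $N$, $S$ and $T$ in the abstract concrete, the following added example (not code from the paper) implements the classical baby-step giant-step algorithm and a tabulated variant in which the giant-step table is computed offline as an advice string of $S$ group elements, leaving an online phase of $T = \lceil N/S \rceil$ queries. The group is a constructed toy instance, $\mathbb{Z}_{101}^*$ with generator $2$ and order $N = 100$, chosen so the whole tradeoff curve can be checked by brute force; the function names are ours. The code only shows the trivial $ST = N$ table tradeoff for contrast with the $ST^2 = O(N)$ curve of Pollard's rho with preprocessing quoted above; whether a given algorithm counts as non-adaptive is determined by the paper's model, not by this code.

```python
"""Baby-step giant-step (BSGS) and a tabulated advice-string variant in Z_p^*.

Added illustration of the S/T parameters discussed in the abstract; it is not the
paper's own code. The group below is a constructed toy instance.
"""
from math import isqrt

# Constructed toy group: Z_p^* for p = 101, generator g = 2 (a primitive root
# mod 101, so it generates all N = p - 1 = 100 elements).
P = 101
G = 2
N = P - 1


def bsgs(g, h, n, p=P):
    """Classical BSGS: return x with g^x = h (mod p), or None.

    Both the table (space) and the number of group operations (time) are
    O(sqrt(n)); the giant steps depend on the challenge h.
    """
    m = isqrt(n) + 1                 # m*m > n, so i < m below covers every exponent
    baby = {}                        # g^j -> j for 0 <= j < m  (O(sqrt n) entries)
    cur = 1
    for j in range(m):
        baby.setdefault(cur, j)
        cur = cur * g % p
    g_inv_m = pow(g, -m, p)          # g^{-m}; negative exponents need Python >= 3.8
    gamma = h                        # gamma = h * g^{-i*m}; a hit means x = i*m + j
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = gamma * g_inv_m % p
    return None


def preprocess_advice(g, n, s, p=P):
    """Offline phase: advice = table of S giant steps g^{i*m}, 0 <= i < S,
    with stride m = ceil(n / S). The challenge h is unknown at this point,
    so the table depends only on the group and on S."""
    m = -(-n // s)                   # ceil(n / s)
    gm = pow(g, m, p)
    advice = {}
    cur = 1
    for i in range(s):
        advice.setdefault(cur, i)
        cur = cur * gm % p
    return advice, m


def online_dlog(g, h, n, advice, m, p=P):
    """Online phase: at most m = ceil(n / S) queries h * g^{-j}, j = 0..m-1,
    each looked up in the advice table. Returns (x, queries_used).

    Online time T = m = N/S, so this table method sits on the curve S*T = N,
    which is weaker than the S*T^2 = O(N) curve of Pollard's rho with
    preprocessing cited in the abstract.
    """
    g_inv = pow(g, -1, p)
    gamma = h                        # gamma = h * g^{-j}; a hit g^{i*m} gives x = i*m + j
    for j in range(m):
        if gamma in advice:
            return (advice[gamma] * m + j) % n, j + 1
        gamma = gamma * g_inv % p
    return None, m


def tradeoff_table(g, n, sizes, p=P):
    """For each advice size S, return (S, T) where T is the worst-case number of
    online queries over every challenge h = g^x, x in [0, n). Lets a reader see
    S*T = n directly on the toy group."""
    rows = []
    for s in sizes:
        advice, m = preprocess_advice(g, n, s, p)
        worst = 0
        for x in range(n):
            got, used = online_dlog(g, pow(g, x, p), n, advice, m, p)
            assert got == x, "table lookup must recover every exponent"
            worst = max(worst, used)
        rows.append((s, worst))
    return rows


if __name__ == "__main__":
    x = 73
    h = pow(G, x, P)
    print("bsgs:", bsgs(G, h, N))
    for s, t in tradeoff_table(G, N, [1, 4, 10, 25, 100]):
        print(f"S={s:3d} advice elements -> worst-case online T={t:3d}, S*T={s * t}")
```

Running the script prints the recovered exponent and one row per advice size; with $N = 100$ the product $S \cdot T$ stays at $100$ on every row, which is the $ST = N$ curve the lead-in refers to. The abstract's point is that, with non-adaptive queries, no choice of $S \le O(\sqrt{N})$ lets the online phase beat $T = O(\sqrt{N})$, whereas the adaptive rho algorithm does.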