why-negligible-funcs

Sat Apr 04 2026

Repetition Amplifies Polynomial Success Rates

Say an attacker breaks a scheme with probability ϵ\epsilon in a single attempt, where ϵ\epsilon is some non-negligible function of the security parameter nn (for example, ϵ=1/n2\epsilon = 1/n^2).

If the attacker repeats the experiment qq times independently, the probability of failing every single time is:

(1ϵ)q(1 - \epsilon)^q

Since (1ϵ)(1 - \epsilon) is strictly less than 1, multiplying it by itself qq times makes it continuously decrease. So the success probability 1(1ϵ)q1 - (1 - \epsilon)^q keeps growing toward 1.

With a polynomial base success rate, this actually works. If ϵ=1/n2\epsilon = 1/n^2 and the attacker runs q=n2q = n^2 experiments, the total success probability is roughly n21/n2=1n^2 \cdot 1/n^2 = 1. That's a guaranteed break.

Where This Gets Confusing

So what about making ϵ\epsilon really small? If the attacker has a 0.0001%0.0001\% chance of success, the same logic still applies. Repeating the experiment enough times drives the failure probability toward zero. The math doesn't care how small ϵ\epsilon is, only that (1ϵ)<1(1 - \epsilon) < 1.

I couldn't see why defining a special class of "negligible" functions would change anything. Multiplying a number less than 1 by itself always decreases it. What makes negligible different?

The Asymptotic Race

The answer isn't that the failure probability stops decreasing. It does decrease. The point is that the attacker is computationally bounded and can only run polynomially many experiments.

Modern cryptography limits the base success probability to a negligible function negl(n)\text{negl}(n), defined as a function that shrinks faster than the inverse of any positive polynomial. For any polynomial p(n)p(n), there exists NN such that for all n>Nn > N:

negl(n)<1p(n)\text{negl}(n) < \frac{1}{p(n)}

In practice, negligible functions shrink exponentially (like 2n2^{-n}). A polynomial-time attacker is limited to q(n)q(n) repetitions where q(n)q(n) is some polynomial. Their total success probability is bounded by:

q(n)negl(n)q(n) \cdot \text{negl}(n)

For example, n102nn^{10} \cdot 2^{-n}. As nn grows, 2n2^{-n} crushes n10n^{10}. The product goes to zero no matter how large the polynomial exponent is.

This is why the definition works: a polynomial ϵ\epsilon (like 1/n21/n^2) can be amplified to near-certainty with polynomially many tries. A negligible ϵ\epsilon cannot. Polynomial repetitions can't outpace exponential shrinkage.

asymptotic-race

Why Cryptographers Prove Bounds, Not Exact Probabilities

Security proofs don't compute the exact success probability of an attacker. They prove that a worst-case ceiling is negligible, and that's enough.

The Union Bound. If an attacker has qq tries, each with success probability negl(n)\text{negl}(n), the probability of succeeding at least once is bounded by:

P(at least one success)qnegl(n)P(\text{at least one success}) \le q \cdot \text{negl}(n)

Since polynomial ×\times negligible is still negligible, the ceiling stays negligible. That's the whole argument.

Why the bound is tight (the binomial approximation). The exact probability of at least one success in qq independent tries is 1(1ϵ)q1 - (1 - \epsilon)^q where ϵ=negl(n)\epsilon = \text{negl}(n). Expanding (1ϵ)q(1 - \epsilon)^q via the binomial theorem:

1qϵ+q(q1)2ϵ2q(q1)(q2)6ϵ3+1 - q\epsilon + \frac{q(q-1)}{2}\epsilon^2 - \frac{q(q-1)(q-2)}{6}\epsilon^3 + \cdots

Substituting back into 1(1ϵ)q1 - (1 - \epsilon)^q:

qϵq(q1)2ϵ2+q\epsilon - \frac{q(q-1)}{2}\epsilon^2 + \cdots

Because ϵ\epsilon is astronomically small (say 22562^{-256}), higher-order terms like ϵ2\epsilon^2 and ϵ3\epsilon^3 vanish. The dominant surviving term is qϵq\epsilon. So the Union Bound qnegl(n)q \cdot \text{negl}(n) isn't just a valid ceiling, it's a very tight approximation of the exact value.

Why we still prefer the bound over the exact formula. The binomial formula 1(1ϵ)q1 - (1 - \epsilon)^q assumes every attempt is perfectly independent. Real attackers use adaptive strategies: if the first query fails, they analyze that failure to craft a better second query. When trials are dependent, the binomial math breaks down entirely. The Union Bound holds even for dependent events. No matter how the attacker correlates their queries or learns from past failures, the total success probability is trapped below qnegl(n)q \cdot \text{negl}(n).