Improved hardness amplification in NP

www.elsevier.com/locate/tcs

Note

Improved hardness amplification in NP

Chi-Jen Lu

, Shi-Chun Tsai

, Hsin-Lung Wu

a_{Institute of Information Science, Academia Sinica, Taipei, Taiwan}

b_{Department of Computer Science, National Chiao Tung University, Hsinchu 30050, Taiwan}

Received 17 March 2005; received in revised form 26 September 2006; accepted 9 October 2006 Communicated by A. Razborov

Abstract

We study the problem of hardness amplification in NP. We prove that if there is a balanced function in NP such that any circuit of size s(n) = 2Ω(n)_{fails to compute it on a 1/poly(n) fraction of inputs, then there is a function in NP such that any circuit of}

size s0(n) fails to compute it on a 1/2 − 1/s0(n) fraction of inputs, with s0(n) = 2Ω(n2/3). This improves the result of Healy et al. (STOC’04), which only achieves s0(n) = 2Ω(n1/2)for the case with s(n) = 2Ω(n).

c

2006 Elsevier B.V. All rights reserved.

Keywords:Computational complexity; Hardness amplification; Pseudorandom generator; NP

1. Introduction

We study the problem of transforming a hard function into a harder function. We say that a Boolean function f is ε-hard for circuits of size s if any such circuit fails to compute f on at least an ε fraction of the input. A function on nbits is called average-case hard, mildly hard, and worst-case hard, respectively, whenε is 1/2 − 2−Ω(n), 1/poly(n), and 1/2n. A central question in complexity theory is to understand the relationship among such hardness conditions in complexity classes, which has played an important part in the research on derandomization. Given a complexity class, can we transform any function in it which is worst-case hard into one in it which is average-case hard? After a long series of work, this has been shown to be possible for high complexity classes, such as DTIME(2O(n)) [6,11]. However, it remains open for lower complexity classes. In fact, there are results showing that the same techniques used for high complexity classes can not be used for the class NP to obtain average-case hardness when starting from worst-case hardness [1,12,13] or even starting slightly below mild hardness [12,8,13].1

In this paper, we focus on the task of transforming mild hardness to average-case hardness for the complexity class NP. One attempt is to use Yao’s XOR lemma [14,3], which transforms a given function f : {0, 1}n → {0, 1} into a function f0 : ({0, 1}n)k → {0, 1} defined by f0(x1, . . . , xk) = f (x1) ⊕ · · · ⊕ f (xk). However, we do not know if

∗_{Corresponding author.}

E-mail addresses:[email protected](C.-J. Lu),[email protected](S.-C. Tsai),[email protected](H.-L. Wu).

1 Although [12,13] only addressed explicitly the case of starting from worst-case hardness, it seems that the techniques used there can be extended to case of starting below mild hardness.

0304-3975/$ - see front matter c 2006 Elsevier B.V. All rights reserved.

this works here, since we do not know if NP is closed under the XOR operation. O’Donnell [10] gave the first result along this line, showing how to convert any balanced function f ∈ NP which is mildly hard for polynomial-size circuits into another f0 ∈ NP which is(1/2 − 1/n1/2−α_{)-hard for polynomial-size circuits, for any constant α > 0.}

He considered transformations of the form: f0(x1, . . . , xk) = C( f (x1), . . . , f (xk)), where C is a polynomial-time

computable monotone function. Then he used the “tribes” function and the “recursive majority” function, and took their composition as the function C. Recently, Healy et al. [4] were able to amplify hardness beyond 1/2 − 1/poly(n), showing how to convert any balanced function in NP which is mildly hard for circuits of size s(n) into one in NP which is(1/2 − 1/s0(n))-hard for circuits of size s0(n), with s0(n) = s(n1/2)Ω(1). In particular, s0(n) = nω(1)when s(n) = nω(1), s0(n) = 2nΩ(1) when s(n) = 2nΩ(1), and s0(n) = 2Ω(n1/2)when s(n) = 2Ω(n). A key source of their improvement came from derandomizing O’Donnell’s proof (the other source being the use of nondeterminism in computing the new function). They observed that the function C used by O’Donnell can be computed by a small-size read-once branching program and thus can be fooled by the pseudorandom generator of Nisan [9]. Unfortunately, this generator becomes the bottleneck of their approach when s(n) = 2Ω(n), which prevents them from achieving the goal of having s0_{(n) = 2}Ω(n)_.

In this note, we make a further progress towards this goal, at the high end of the spectrum:

Theorem 1. Suppose there is a balanced function inNP which is mildly hard for circuits of size s(n) = 2Ω(n). Then there is a function inNP which is(1/2 − 1/s0_{(n))-hard for circuits of size s}0_{(n), with s}0_{(n) = 2}Ω(n2/3₎

.

Our improvement comes from a closer look into the structure of the function C used by Healy et al., which enables us to construct a better pseudorandom generator to fool C. More precisely, we observe that the function C, which is the composition of the tribes function (a DNF) with the recursive majority function, can be seen as some kind of combinatorial rectangle, though the range in each dimension is large. This suggests that we fool each dimension by a separate copy of Nisan’s generator and provide their seeds using the output of Lu’s pseudorandom generator for rectangles [7]. Our generator then is the composition of these two generators.

2. Preliminaries

We will basically follow the notations and definitions of [4]. For n ∈ N, let [n] denote the set {1, . . . , n}, and let Un

denote the uniform distribution over {0, 1}n_{. For q ∈ N, we identify the set {0, 1}}q_{with [2}q_{]. For a set R, we also use}

Rto denote its membership function. We say that a function G : {0, 1}` → {0, 1}m _{is explicitly computable if given}

x ∈ {0, 1}`and i ∈ [m], the i th bit of G(x) can be computed in time poly(`, log m). A function f : {0, 1}n→ {0, 1} is called balanced if Pr [ f(Un) = 1] = 1/2. For a function f : {0, 1}n→ {0, 1}, let f⊗k : {0, 1}kn → {0, 1}kbe the

function defined by f⊗k(x1, . . . , xk) = ( f (x1), . . . , f (xk)), for x1, . . . , xk∈ {0, 1}n.

Next, we define what we mean by a hard function.

Definition 1. For 0 ≤δ ≤ 1/2 and s(n) ≤ 2O(n), we say that a function f : {0, 1}n → {0, 1} is δ-hard for size s(n) if every circuit of size s(n) fails to compute f on at least a δ fraction of inputs.

As shown by Impagliazzo [5], one can basically see aδ-hard function as a δ-random function defined below, as they cannot be distinguished by circuits of size slightly smaller than s(n).

Definition 2. A probabilistic function g : {0, 1}n _{→ {0, 1} is called δ-random if it is balanced and there is a subset}

H ⊂ {0, 1}n with |H | = 2δ2nsuch that g(x) is an independent random bit for x ∈ H and g(x) is deterministic for x /∈ H.

Note that any probabilistic function g can also be seen as a deterministic function with respect to a random string y, and we will use gyto denote this deterministic function.

2.1. Hardness amplification

Given a hard function f , one would like to transform it into a harder function f0_{. One typical way is to apply a}

function C : {0, 1}k _{→ {0, 1} to the function f}⊗k _{to get the function f}0_{=C ◦ f}⊗k _{: {0, 1}}nk _{→ {0, 1}, defined as}

(C ◦ f⊗k_)(x

whenever f ∈ NP, O’Donnell [10] chose C to be a polynomial-time computable monotone function. In particular, he considered the functions TRIBESand RMAJ, defined as follows.

Definition 3. Define the function TRIBESt : {0, 1}t → {0, 1} as

TRIBESt(x1, . . . , xt) = (x1∧ · · · ∧xb) ∨ (xb+1∧ · · · ∧x2b) ∨ · · · ∨ (xdt/beb−b+1∧ · · · ∧xt),

where b is the largest integer such that(1 − 2−b)t/b≥1/2. Note that this makes b = O(log t). Also, let MAJbe the majority function, and define the function RMAJr : {0, 1}3r → {0, 1} recursively as:

RMAJ1(x1, x2, x3) = MAJ(x1, x2, x3),

RMAJr(x1, . . . , x3r) = R_MAJr−1(MAJ(x1, x2, x3), . . . , MAJ(x3r₋₂, x₃r₋₁, x₃r)).

Given anyδ ≥ 1/poly(n), to amplify from a δ-hard function f : {0, 1}n→ {0, 1}, O’Donnell used the composition A_MPδk =TRIBESt◦RMAJ_r⊗t

as the function for C, with k = t 3r, t ∈ N, and r = O(log(1/δ)). He showed that the resulting function f0 =C ◦ f⊗k : {0, 1}n0 → {0, 1} has hardness 1/2 − 1/kcfor some constant c. Note that the new function f0now has an input length n0=kn, so its hardness when expressed in terms of the input length n0is only 1/2 − 1/poly(n0). That is, even if a super-polynomial k is used, the resulting hardness does not go beyond 1/2 − 1/poly(n0).

To overcome this bottleneck, Healy et al. [4] showed that one can take a super-polynomial k while keeping the input size of f0small (polynomial in n) if the k inputs to f⊗kare generated in some pseudorandom way, in the following sense.2To simplify our presentation, we state things in a slightly different way from [4].

Definition 4 ([4]). For a probabilistic function h : {0, 1}n → {0, 1}, define its expected collision probability as EXPCP [h] = Ex[2 · Pry,y0[h_y(x) = h_y0(x)] − 1].

Definition 5. We say that a generator G : {0, 1}`_{→({0, 1}}n₎k_{ε-fools the δ-EXPCP of a function C : {0, 1}}k _{→ {0, 1}}

if for anyδ-random function g : {0, 1}n→ {0, 1},   EXPCPh(C ◦ g ⊗k₎i_−E XPCPh(C ◦ g⊗k) ◦ Gi ≤ε.

Given such a generator G for C = A_MPδk, the amplified function f0is defined as f0 =C ◦ f⊗k ◦G. The seed length of the generator G now becomes the input length of the new function f0_{. The following lemma states that the}

task of hardness amplification can be reduced to that of constructing such a generator.

Lemma 1 ([4]). Suppose for any δ ≥ 1/poly(n) and any k = t3r ≤ 2O(n), with t ∈ N and r = O(log(1/δ)), there exists an explicitly computable generator G : {0, 1}`(n) → ({0, 1}n)k which2−Ω(n)-fools theδ-EXPCP of the functionA<sub>MPδk</sub>. Then for anyδ ≥ 1/poly(n) and any s(n) ≥ 2Ω(n), if there exists a balanced function inNP which isδ-hard for size s(n), one can convert it into a function in NP which is (1/2 − 1/s0(n))-hard for size s0(n), for some s0(n) ≥ 2Ω(`−1(n)).

Remark 1. Lemma 1does not appear explicitly in [4] but can be derived from arguments therein. In fact, Healy et al. [4] used two kinds of generators: one for preserving indistinguishability and one for fooling theδ-EXPCP of the function A_MPδk. In the case with s(n) ≥ 2Ω(n), the bottleneck lies in that for A_MPδk. They observed that the function A_MPδk can be computed by a read-once branching program of small size, and they showed that a pseudorandom generator fooling such branching programs (seeDefinitions 6and7) can fool theδ-EXPCP of the function A_MPδk. Therefore, they reduced the task of hardness amplification to that of finding a pseudorandom generator to fool such branching programs. (See for example Theorem 6.2 in the journal version of [4].) However, using currently available generators for branching programs, they were only able to obtain a generator of seed length Ω(n2) for fooling the δ-EXPCP of A_MPδk. Instead of fooling branching programs, we will show that it suffices to fool a simpler class of tests: combinatorial rectangles, for which a better generator can indeed be found.

2 Another issue when using a super-polynomial k is that the function AMPδ_kis no longer computable in time poly(n). As shown in [4], this can be handled using non-determinism.

2.2. PRGs for branching programs and rectangles

Our generator will be based on pseudorandom generators that fool read-once branching programs and combinatorial rectangles, respectively.

Definition 6. A function G : {0, 1}`→ {0, 1}tis called anε-PRG for a class of functions from {0, 1}tto {0, 1} if for any T in this class, |Pr [T(Ut)] − Pr [T (G(U`))]| ≤ ε.

Definition 7. A read-once branching program of size s with block-length n is a finite state machine of s states, with each edge labelled by a subset of {0, 1}n. The computation proceeds as follows. The input is read sequentially in one pass, one block of n bits at a time. When the machine reads a blockβ ∈ {0, 1}n, it goes from the current state to the state reached by the edge labelled withβ. Let BP(s, n) denote the class of functions computed by such read-once branching programs.

Definition 8. For m, d ∈ N, let R(m, d) denote the collection of rectangles R = R1×· · ·×Rd ⊆ [m]d, with Ri ⊆ [m]

for all i ∈ [d].

To fool these two classes of functions, we will use the PRGs of Nisan [9] and Lu [7], respectively.

Lemma 2 ([9]). For any n ∈ N and any s ≤ 2n, there exists an explicitly computable2−Ω(n)-PRG GN : {0, 1}` →

{0, 1}snforBP(s, n) with ` = O(n log s).

Lemma 3 ([7]). For any m, d ∈ N and any ε ∈ (0, 1), there exists an explicitly computable ε-PRG GL : {0, 1}`→

[m]dforR(m, d) with ` = O(log m + log d + log3/2(1/ε)). 3. Proof ofTheorem 1

Consider anyδ ≥ 1/poly(n) and any k = t3r ≤2O(n), with t ∈ N and r = O(log(1/δ)). GivenLemma 1, our task is to construct a generator with a short seed which fools theδ-EXPCP of the function A_MPδk. Let ORd denote the OR function on d bits and let ANDbdenote the AND function on b bits. Consider an arbitraryδ-random function g : {0, 1}n→ {0, 1}, and let A : {0, 1}kn → {0, 1} be the function

A =A_MPδk◦g⊗k =ORd◦ANDb◦RMAJ⊗b_r ◦g⊗b3r

⊗d

,

where k = db3r =2O(n), b = poly(n), d = 2O(n), and r = O(log(1/δ)) = O(log n). Note that A is a probabilistic function (because of g), and let Aydenote the function A taking the random string y. Observe that each A−1y (0) can

be seen as a rectangle in R(2b3rn, d). As we will see, to fool the δ-EXPCP of A_MPδk, it suffices to have a good PRG for rectangles in R(2b3rn, d). However, the range in each dimension of such rectangles is too large for us to apply

Lemma 3effectively. To resolve this, we use d copies of Nisan’s PRGs to fool the d functions in the d dimensions

respectively, with the d seeds coming from the output of Lu’s PRG. Formally, we use the following two generators, withε = 2−Ω(n):

• Let GN : {0, 1}q → {0, 1}b3

r_n

be Nisan’s (ε/d)-PRG for BP(nc_{, n), for some large enough constant c. From}

Lemma 2, one can have q = O(n log n).

• Let GL : {0, 1}` → {0, 1}dq be Lu’s ε-PRG for R(2q, d). From Lemma 3, one can have` = O(n log n) +

O(n3/2) = O(n3/2).

Then define our generator G : {0, 1}`→ {0, 1}db3rnas G(u) =G⊗d_N ◦GL (u) = G⊗d_N (GL(u)).

It is easy to see that G is explicitly computable since both GN and GL are. To show that G is a good generator,

Ay(x) = Ay0(x) and C_y,y0(x) = 0 otherwise. Then |EXPCP [ A] − EXPCP [ A ◦ G] | = 2    Ex  Pr y,y0Cy,y 0(x) = 1  − E u  Pr y,y0Cy,y 0(G(u)) = 1     ≤ _{2 E} y,y0 h 

Pr_x Cy,y0(x) = 1 − Pr_u Cy,y0(G(u)) = 1   i .

It remains to show that for any y and y0, G fools the function Cy,y0. However, neither C−1

y,y0(0) nor C_y,y−10(1) appears to be a rectangle, so some twist is needed.

In fact, C−1_y,y0(0) is the symmetric difference of the two rectangles Ry=A−1_y (0) and Ry 0

=A−1_y0 (0) in R(2b3 r_n

, d), denoted as Ry Ry0. That is,

C−1_y,y0(0) = Ry Ry 0 =(Ry\Ry0) ∪ (Ry0\Ry). Then Prx[x ∈ Ry Ry 0 ] = Prx[x ∈ Ry] + Prx[x ∈ Ry 0 ] − 2 Prx[x ∈ Ry ∩ Ry 0

] and similarly for Pru[G(u) ∈ Ry Ry 0 ]. Thus   Pr_x Cy,y0(x) = 1 − Pr_u Cy,y0(G(u)) = 1    =   Pr_x Cy,y0(x) = 0 − Pr_u Cy,y0(G(u)) = 0    =   Pr_x h x ∈ Ry Ry0i−Pr u h G(u) ∈ Ry Ry0i  ≤   Pr_x x ∈ R y_{ − Pr} u G(u) ∈ R y +   Pr_x h x ∈ Ry0i−Pr u h G(u) ∈ Ry0i  +2   Pr_x h x ∈ Ry∩Ry0i−Pr u h G(u) ∈ Ry∩Ry0i  .

Note that Ry, Ry0, and Ry∩Ry0 are all rectangles in R(2b3rn, d). Furthermore, they all satisfy the property that the membership function of the set in each dimension can be computed in BP(nc, n) for some constant c, according to [4].3Therefore, it remains to show the following.

Lemma 4. For any R = R1× · · · ×Rd ∈ R(2b3

r_n

, d) such that Ri ∈ BP(nc, n) for any i ∈ [d], | Prx[x ∈ R] −

Pru[G(u) ∈ R] | ≤ 2ε.

Proof. Observe that | Prx[x ∈ R] − Pru[G(u) ∈ R] | is at most

  Pr_x [x ∈ R] − Pr_v h G⊗d_N (v) ∈ R i  +   Pr_v h G⊗d_N (v) ∈ R i −Pr u h G⊗d_N (GL(u)) ∈ R i   , (1)

wherev is sampled from Udq with dq = O(d · n log n). It remains to bound the two terms above.

First, note that GN is an(ε/d)-PRG for BP(nc, n) and can fool each Ri. Using a standard hybrid argument (see

e.g. [2]), one can show that G⊗d_N is an(d · ε/d)-PRG for such a rectangle R. Thus, the first term in (1) above is at mostε.

3 Recall that A = AMPδ_k◦g⊗k=ORd◦(ANDb◦RMAJ⊗br ◦g⊗b3

r

)⊗d_{. From [4], the function AND}

b◦RMAJ⊗br is in BP(poly(n), 1), and

the probabilistic function ANDb◦RMAJr⊗b◦g⊗b3

r

can be computed by a probabilistic BP(poly(n), n). Thus by fixing the random string of Ato any string y, the set Ry = A−1y (0) seen as a rectangle in R(2b3

r_n

, d) has the property that each of its d dimensions has its membership function in BP(poly(n), n). Next, we argue that for any y and y0, each dimension of the rectangle Ry∩Ry0also has its membership function in BP(poly(n), n). To see this, first observe that the ith dimension of Ry∩Ry0is exactly R_iy∩Ry

0

i , where R y i and R

y0

i are the i th dimension of Ry

and Ry0, respectively. Suppose R_iyand Ry

0

i are recognized by read-once branching programs B and B

0_{with state spaces S and S}0_{, respectively.}

Then the set R_iy∩Ry

0

i is recognized by the read-once branching program B

00_{with state space S × S}0_{, which goes from state(s, s}0_{) to state (t, t}0₎

when reading an input block x if and only if B goes from s to t and B0goes from s0to t0, respectively, when reading x. The initial state of B00is the state(s0, s00) where s0and s00are the initial states of B and B

0_{, respectively, while the accepting states of B}00_{are exactly those states(t, t}0_{) where t}

To bound the second term, consider the rectangle R0 = {v : G⊗d

N (v) ∈ R} ∈ R(2q, d) with q = O(n log n). That

is, R0 _{= R}0 1× · · · ×R 0 d, with R 0 i = G −1

N (Ri) ⊆ {0, 1}q for i ∈ [d]. Since GL is anε-PRG for R(2q, d), we have

|Pr_v_{v ∈ R}0_{ − Pr}

uGL(u) ∈ R0 | ≤ε. Thus, the second term in (1) above is also at mostε. Therefore we have the

lemma. _

Combining the lemma and the discussion above, we have

|EXPCP [ A] − EXPCP [ A ◦ G] | ≤ 2(2ε + 2ε + 4ε) = 16ε = 2−Ω(n).

That is, our generator G, which uses a seed of length`(n) = O(n3/2), is able to 2−Ω(n)-fool theδ-EXPCP of the function A_MPδk. Then byLemma 1, we have our main theorem.

Discussion

Our generator uses a seed of length O(n3/2), and as a result, we can only amplify hardness to 1/2 − 1/s0(n) against size s0(n) with s0(n) = 2Ω(n2/3). The main bottleneck is the generator for rectangles. However, to achieve the goal of having s0(n) = 2Ω(n) using our approach, we need to improve both the generator for branching programs and the generator for rectangles. Without improving Nisan’s PRG, even if we could have an optimal ε-PRG for R(m, d), with seed length Θ(log m + log d + log(1/ε)), the resulting generator would still need a seed of length Θ(n log n) + O(n) = Ω(n log n) (see the definition of the generator G and the calculation of its seed length on the previous page), and we would only be able to achieve s0(n) = 2Ω(n/ log n).

References

[1] Andrej Bogdanov, Luca Trevisan, On worst-case to average-case reductions for NP problems, in: Proceedings of the 44th Annual Symposium on Foundations of Computer Science, 2003, pp. 11–14.

[2] Oded Goldreich, Foundations of Cryptography, Basic Tools, volume 1, Cambridge University Press, Cambridge, 2001.

[3] Oded Goldreich, Noam Nisan, Avi Wigderson, On Yao’s XOR lemma, Technical Report TR95–050, Electronic Colloquium on Computational Complexity, 1995.

[4] Alexander Healy, Salil P. Vadhan, Emanuele Viola, Using nondeterminism to amplify hardness, in: Proceedings of the 36th ACM Symposium on Theory of Computing, 2004, pp. 192–201, SIAM Journal on Computing 35 (4) (2006) 903–931 (in press) (Final version).

[5] Russel Impagliazzo, Hard-core distributions for somewhat hard problems, in: Proceedings of the 36th Annual IEEE Symposium on Foundations of Computer Science, 1995, pp. 538–545.

[6] Russel Impagliazzo, Avi Wigderson, P = BPP if E requires exponential circuits: Derandomizing the XOR lemma, in: Proceedings of the 29th ACM Symposium on Theory of Computing, 1997, pp. 220–229.

[7] Chi-Jen Lu, Improved pseudorandom generators for combinatorial rectangles, Combinatorica 22 (3) (2002) 417–434.

[8] Chi-Jen Lu, Shi-Chun Tsai, Hsin-Lung Wu, On the complexity of hardness amplification, in: Proceedings of the 20th Annual IEEE Conference on Computational Complexity, 2005, pp. 170–182.

[9] Noam Nisan, Pseudorandom generators for space-bounded computation, Combinatorica 12 (4) (1992) 449–461. [10] Ryan O’Donnell, Hardness amplification within NP, Journal of Computer and System Sciences 69 (1) (2004) 68–94.

[11] Madhu Sudan, Luca Trevisan, Salil Vadhan, Pseudorandom generators without the XOR lemma, Journal of Computer and System Sciences 62 (2) (2001) 236–266.

[12] Emanuele Viola, The complexity of constructing pseudorandom generators from hard functions, Computational Complexity 13 (3–4) (2004) 147–188.

[13] Emanuele Viola, On constructing parallel pseudorandom generators from one-way functions, in: Proceedings of the 20th Annual IEEE Conference on Computational Complexity, 2005, pp. 183–197.

[14] Andrew Chi-Chih Yao, Theory and applications of trapdoor functions, in: Proceedings of the 23rd Annual IEEE Symposium on Foundations of Computer Science, 1982, pp. 80–91.