Using Nondeterminism to Amplify Hardness

Emanuele Viola

Joint work with: Alex Healy and Salil Vadhan

Harvard University

Average-Case Hardness of NP

• Study hardness of NP on random instances– Natural question, essential for cryptography

• One Goal: relate worst-case & avg-case hardness– Done for #P, PSPACE, EXP... [L89, BF90, BFL91, ...]– New techniques needed for NP [FF91, BT03, V03, V04]

• This Talk: hardness amplification– Relate mild avg-case & strong avg-case hardness

Hardness Amplification

• Def: f : {0,1}n ! {0,1} is -hard for size s if

8 circuit C of size s Prx[C(x) f(x)] ¸

HardnessAmplification

e.g., -hardfor size s

e.g., -hard

for size ¼ s

where = (n´)

f f 0

Standard Hardness Amplification

• Yao’s XOR Lemma:

f : {0,1}n ! {0,1} -hard for size s = s(n)

) f 0(x1, . . ., xk) = f(x1) © . . . © f(xk)

• k = n ) n´ = n2 and f 0 : {0,1}n' ! {0,1}

• ¼ Optimal, but cannot use in NP:

f 2 NP ; f 0 2 NP

O’Donnell’s Amplification in NP

• Idea: f´(x1, . . ., xk) = C(f(x1), . . ., f(xk)), C monotone

• e.g. f(x1) Æ ( f(x2) Ç f(x3) ). Then f´ 2 NP if f 2 NP

• Theorem [O’Donnell `02]: 9 balanced f 2 NP (1/poly(n))-hard for size n(1)

) 9 f´ 2 NP -hard for size (n´)(1)

• Barrier: No such construction can amplify above

Thm: 9 balanced f 2 NP (1/poly(n))-hard for size s(n)

) 9 f´ 2 NP ¼ -hard for size ¼

Examples:

– s(n) = n(1) ) hardness

– s(n) = 2n(1) ) hardness

– s(n) = 2(n) ) hardness

Our Main Result

Approach• Obs: Hardness of f´(x1, . . ., xk) = C(f(x1), . . ., f(xk))

limited by

• Idea 1: Derandomization [I95, IW97]

for “pseudorandom” generator G, so

• E.g. if then hope f´ -hard

• Q: Why does this still amplify hardness? – We exhibit unconditional G s.t. this works

f´() = C(f(x1), . . ., f(xk)) , where (x1,...,xk) = G()

Approach (cont.)

• Q: How to compute f´2 NP when k = (n´)(1)?

• Idea 2: Nondeterminism

– Use C s.t. C(f(x1), . . ., f(xk)) can be computed

nondeterministically looking at only log(k) f(xi )’s.

– So f´2 NP even when k = 2n’

f´() = C(f(x1), . . ., f(xk)) , where (x1,...,xk) = G()

Outline

• Trevisan’s (2003) proof of O’Donnell’s theorem

• Identify properties of G that suffice & find such G

• Describe C ensuring f´ 2 NP

• Negative results:

balanced f and nondeterminism necessary

f´()=C(f(x1), . . ., f(xk)) , where (x1,...,xk)=G()

Notation

• f : {0,1}n ! {0,1} -hard for size s (e.g. =.01, s = 2(n))

• f´(x1, . . ., xk) := C(f(x1), . . ., f(xk)) for appropriate monotone C

• Aim: Show f´ has hardness ¼ 1/2 - 1/k for size s´ = k = s(1)

Step 1: Hardcore Lemma [Imp95]

• f -hard ) indistinguishable from F w/ coin-flip on 2 frac. of inputs

0 1coin-flip

2 frac.

0 1 ¼f F

• Formally: no circuit of size s´ can distinguish (x,f(x)) from (x,F(x)) for random x w/ advantage > 1/s´

Step 2: Info-theoretic hardness

0 1coin-flip

2 frac.

0 1 ¼f F

(x,f(x)) ´ (x,F(x))

) (x1,....,xk,f(x1),...,f(xk)) ´ (x1,...,xk,F(x1),...,F(xk))

) Hardness of C(f(x1),...,f(xk)) for size s´ ¼ hardness of C(F(x1),...,F(xk)) for size s´ ¸ hardness of C(F(x1),...,F(xk)) for size 1

uses independence

Step 3: Noise Sensitivity

0 1coin-flip

2 frac.

0 1 ¼f F

• Info-theoretic hardness of C(F(x1),...,F(xk)) depends only on C and !

• Hardness ¼ NoiseSens[C]

where i = 1 independently with probability

uses independence

Step 4: Choosing C

• There is monotone C : {0,1}k ! {0,1}

) C(f(x1), . . ., f(xk)) has hardness ¼ 1/2 - 1/k

• The barrier [KKL88]: 8 monotone C : {0, 1}k ! {0, 1},

Outline

• Trevisan’s (2003) proof of O’Donnell’s theorem

• Identify properties of G that suffice & find such G

• Describe C ensuring f´ 2 NP

• Negative results:

balanced f and nondeterminism necessary

f´()=C(f(x1), . . ., f(xk)) , where (x1,...,xk)=G()

Step 2: Info-theoretic hardness

0 1coin-flip

2 frac.

0 1 ¼f F

(x,f(x)) ´ (x,F(x))

) (x1,....,xk,f(x1),...,f(xk)) ´ (x1,...,xk,F(x1),...,F(xk))

) Hardness of C(f(x1),...,f(xk)) for size s´ ¼ hardness of C(F(x1),...,F(xk)) for size s´ ¸ hardness of C(F(x1),...,F(xk)) for size 1

uses independence

Preserving Indistinguishability

(x,f(x)) ´ (x,F(x)) ) (x1,....,xk,f(x1),...,f(xk)) ´ (x1,...,xk,F(x1),...,F(xk))

• Want: G to be indistinguishability-preserving:

(x,f(x)) ´ (x,F(x)) ) (,f(x1),...,f(xk)) ´ (,F(x1),...,F(xk)) where (x1,...,xk)=G()

• Achieved via combinatorial designs [Nis91,NW94].

Step 3: Noise Sensitivity

0 1coin-flip

2 frac.

0 1 ¼f F

• Info-theoretic hardness of C(F(x1),...,F(xk)) depends only on C and !

• Hardness ¼ NoiseSens[C]

where i = 1 independently with probability

uses independence

0 1coin-flip r

2 frac.

0 1 ¼f F

Fooling Noise Sensitivity

• Want:

• Show 9 randomized constant-depth circuit s.t. 8 x1,...,xk

• Use existence of unconditional G against constant-depth circuits [Nis90]

Fooling Noise Sensitivity

¼

C

x1 x2 . . . . xk

F ...

C

F F F ...F F

A has constant depth and size(A) = poly(2n,k) (using C constant depth and size(C) = poly(k))

A

Want:

Nisan’s Pseudorandom Generator

• Want Pr[A(x1, . . ., xk) = 1] ¼ Pr[A(G()) = 1]

• Theorem [Nis91]: There is G : {0,1}logO(1) N ! {0,1}N such that above holds for every A of size N and constant depth

• Recall size(A) = poly(2n,k) ) Input length of Nisan’s generator is poly(n), even for k = 2n

Completing Derandomization• Let G(1,2) = Gind-pres(1) © Gconst-depth(2)

• f´()=C(f(x1), . . ., f(xk)) , where (x1,...,xk)=G()

• Thm: f´ has hardness ¼ 1/2 - 1/k for size s´ = k = s(1)

• n´ = O(n2) (w/PRG vs space [Nis91]) ) hardness

Outline

• Trevisan’s (2003) proof of O’Donnell’s theorem

• Identify properties of G that suffice & find such G

• Describe C ensuring f´ 2 NP

• Negative results:

balanced f and nondeterminism necessary

f´()=C(f(x1), . . ., f(xk)) , where (x1,...,xk)=G()

The Structure of C

C = TRIBES MONOTONE DNF [BL90]

Claim: If f 2 NP then f´ 2 NP even for k = 2n´

Proof: To compute f´():– Guess a clause, say (f(xi+1) Æ . . . Æ f(xi+b))

– Check if clause is true

Thm: 9 balanced f 2 NP (1/poly(n))-hard for size s(n)

) 9 f´ 2 NP ¼ -hard for size ¼

Examples:

– s(n) = n(1) ) hardness

– s(n) = 2n(1) ) hardness

– s(n) = 2(n) ) hardness

Our Main Result

Balanced Functions• Both our results and O’Donnell’s

need balanced f 2 NP. That is:

• Theorem: Any monotone “black-box” hardness amplification cannot amplify beyond

• Proof Idea:– “Black-box” hardness amplification ) error correcting code

[I02,TV02,V03,T03]

– Good monotone codes only exist for balanced messages[Kruskal-Katona]

Nondeterminism is Necessary

• Use of nondeterminism is likely to be necessary

• Theorem: There is no deterministic, monotone “black-box” hardness amplification that amplifies beyond

• Our amplification is nondeterministic, monotone, black-box, and amplifies up to

Conclusion• O’Donnell’s hardness amplification in NP:

– Amplifies up to– No construction of same form does better

• Our result: amplify up to

• Two new techniques:1. Derandomization G fools noise sensitivity

2. Nondeterminism k = n(1)

• Only obstacle to hardness is PRG with

logarithmic seed length for space or const-depth