Using Nondeterminism to Amplify Hardness Emanuele Viola Joint work with: Alex Healy and Salil Vadhan Harvard University

Average-Case Hardness of NP Study hardness of NP on random instances –Natural question, essential for cryptography One Goal: relate worst-case & avg-case hardness –Done for #P, PSPACE, EXP... [L89, BF90, BFL91,...] –New techniques needed for NP [FF91, BT03, V03, V04] This Talk: hardness amplification –Relate mild avg-case & strong avg-case hardness

Hardness Amplification Def: f : {0,1} n ! {0,1} is  -hard for size s if 8 circuit C of size s Pr x [C(x)  f(x)] ¸  Hardness Amplification e.g., -hard for size s e.g., -hard for size ¼ s where  =  (n´) ff 0f 0

Standard Hardness Amplification Yao’s XOR Lemma: f : {0,1} n ! {0,1}  -hard for size s = s(n) ) f 0 (x 1,..., x k ) = f(x 1 ) ©... © f(x k ) k = n ) n´ = n 2 and f 0 : {0,1} n' ! {0,1} ¼ Optimal, but cannot use in NP: f 2 NP ; f 0 2 NP

O’Donnell’s Amplification in NP Idea: f´(x 1,..., x k ) = C(f(x 1 ),..., f(x k )), C monotone e.g. f(x 1 ) Æ ( f(x 2 ) Ç f(x 3 ) ). Then f´ 2 NP if f 2 NP Theorem [O’Donnell `02]: 9 balanced f 2 NP (1/poly(n))-hard for size n  (1) ) 9 f´ 2 NP -hard for size (n´)  (1) Barrier: No such construction can amplify above

Thm: 9 balanced f 2 NP (1/poly(n))-hard for size s(n) ) 9 f´ 2 NP ¼ -hard for size ¼ Examples: –s(n) = n  (1) ) hardness –s(n) = 2 n  (1) ) hardness –s(n) = 2  (n) ) hardness Our Main Result

Approach Obs: Hardness of f´(x 1,..., x k ) = C(f(x 1 ),..., f(x k )) limited by Idea 1: Derandomization [I95, IW97] for “pseudorandom” generator G, so E.g. if then hope f´ -hard Q: Why does this still amplify hardness? –We exhibit unconditional G s.t. this works f´(  ) = C(f(x 1 ),..., f(x k )), where (x 1,...,x k ) = G(  )

Approach (cont.) Q: How to compute f´ 2 NP when k = (n´)  (1) ? Idea 2: Nondeterminism –Use C s.t. C(f(x 1 ),..., f(x k )) can be computed nondeterministically looking at only log(k) f(x i )’s. –So f´ 2 NP even when k = 2 n’ f´(  ) = C(f(x 1 ),..., f(x k )), where (x 1,...,x k ) = G(  )

Derandomizing Yao’s XOR Lemma f  -hard ¼ f 0 (x 1,..., x k ) = f(x 1 ) ©... © f(x k ) is coin-flip (i.e. hard) if some x i is a coin-flip happens w.h.p. over (x 1,...,x k ) Derandomize [IW97]: Let (x 1,..., x k ) = ExpanderWalk(  ) w.h.p. over , some x i is a coin-flip 0 1 coin-flip f [ I95 ]

Derandomizing O’Donnell’s proof f  -hard ¼ f 0 (x 1,..., x k ) = C(f(x 1 ),..., f(x k )) coin-flip w.h.p. –Proof relies on noise sensitivity of C Derandomize: –If G fools C(f( ¢ ),..., f( ¢ )), then f 0 (  ) = C(f(x 1 ),..., f(x k )) is coin-flip w.h.p. over  –C(f( ¢ ),..., f( ¢ )) computable in small space (n + log k) –Use Nisan (‘92) PRG for small space algorithms 0 1 coin-flip f [ I95 ]

The structure of C C = TRIBES MONOTONE DNF [BL90] Claim: If f 2 NP then f´ 2 NP even for k = 2 n´ Proof: To compute f´(  ): –Guess a clause, say (f(x i+1 ) Æ... Æ f(x i+b )) –Check if clause is true

Conclusion O’Donnell’s hardness amplification in NP: –Amplifies up to –No construction of same form does better Our result: amplify up to Two new techniques: 1.Derandomization G fools C(f( ¢ ),..., f( ¢ )) 2.Nondeterminism k = n  (1) Only obstacle to hardness is PRG with logarithmic seed length for space or const-depth