Back to Boolean Circuits
Back to notes

Natural Proof

60%

Overview

One of the major goal in theoretical CS is to separate complexity classes while one of the most exciting approach is trough circuit lower bound. As long as one can prove $\NP\notin\Ppoly$, then we get $\P\neq\NP$. However, life is not so easy, after decades of trials, people still cannot prove something much more weaker such as $\NEXP\notin\Ppoly$! To the best of our knowledge, the state-of-the-art unconditinoal circuit lower bound is by Williams in 2010 showing that $\NEXP\notin\ACC{0}$.

History

In 1980s. there were several exciting progress in proving circuit lower bound.

• In 1984, Furst, Saxes, and Sipser showed that Parity is not in $\AC{0}$.
• In 1987, Razborov showed that $MOD_p$ is not in $\AC{0}[q]$ for distinct primes $p$ and $q$.
• In 1987, Andreev showed a nearly quadratic lower bound for general formula.

However, the techniques used in these results cannot be extended to larger circuit complexity classes.

Interpretation

• If we have a natural proof against circuit class $\mathcal{C}$, then $\mathcal{C}$ cannot contain very strong families of pseudorandom functions.
• Natural proof against $\mathcal{C}$ implies exists efficient algorithm $A$ that given random boolean function $f$, $A$ can certify $f\notin\mathcal{C}$ with non-negligible probability.
• Efficient algorithm can never certify $f\notin\mathcal{C}$ if $f$ is a pseudorandom function and computable in $\mathcal{C}$.
• If we use natural proof to show something is harder and harder, then we would simultaneously show that those problems to be easier and easier.
• Any natural proof showing that these problems took at least $t(n)$ time, would also show that they took at most roughly $2^{t^{-1}(n)}$ time.
• Thus, no natural proof can show lower bound more than half-exponential.

Natural proof barrier

Some definitions

Let’s start with the definition of natural proof. In the following, we assume some background in basic circuit complexity classes. We say $\mathcal{C}$ is a typical circuit family class if $\mathcal{C}\in{\AC{0},\ACC{0},\TC{0},\NC{1},\Ppoly}$. Let $\mathcal{F}_n:={f:{0,1}^n\rightarrow{0,1}}$ to be the set of all boolean function of input length $n$. A property $P_n$ is a subset of $\mathcal{F}_n$. Intuitively, $P_n$ contains the functions that satisfy the property.

A naive paradigm for proving certain function $f\in\mathcal{F}_n$ does not lie in a typical circuit class $\mathcal{C}$ is to show that $f\notin P_n$ while for any $g\in \mathcal{C}\cap\mathcal{F}_n$, $g\in P_n$.

The natural proof barrier shows that when $P_n$ satisfy several conditions, then $P_n$ cannot prove such circuit lower bound under reasonable cryptographic assumption.

Let $\Gamma$ and $C$ be two complexity classes and $\delta(n)$ be some function in $n$, we call a property $P_n\subseteq\mathcal{F}_n$ is $\Gamma$-natural against $\mathcal{C}$ with density $\delta(n)$ if the following conditions hold.

• constructive if there exists a test $T\in\Gamma$ such that fot any $f\in\mathcal{F}_n$, $T(f)=1$ iff $f\in P_n$. Note that the parameter used in $\Gamma$ is the size of the truth table of $f$, i.e., $2^n$.
• largeness if $\mathbb{P}_{f\leftarrow\mathcal{F}_n}[f\in P_n]\geq1/poly(n)$. Equivalently, $\card{P_n}\geq\delta(n)\cdot\card{\mathcal{F}_n}$.
• usefulness for a circuit class $\mathcal{C}$ if for any $f\in \mathcal{C}\cap\mathcal{F}_n$, $f\notin P_n$.

As a result, we define the natural proof as follows.

We say $P_n$ is a $\Gamma$-natural proof for $f\notin P_n$ for some function $f\in\mathcal{F}_n$ if $f\notin P_n$ and $P_n$ is a $\Gamma$-natural against $C$ with density $1/poly(n)$.

Since presenting the main theorem by Razborov and Rudich requires some background in $pseudorandom generator$, here we first informally state the theorem as follows.

Let $C/s(n)$ be a circuit complexity class. If there exists a $C/poly(n)$-natural proof against $C/s(n)$, then there’s no pseudorandom generator in $C$ with hardness $2^{s^{-1}(n)}$.

Why largeness?

Let’s consider a toy example for proving circuit lower bound. The idea is based on the formal complexity measure.

Let $\mu:({0,1}^{*}\rightarrow{0,1})\rightarrow\mathbb{R}^{\geq0}$ .

Why constructive?

In, Williams showed two theorems indicating the difficulty of proving $\NEXP\notin\Ppoly$.

For all typical $\mathcal{C}$, $\NEXP\notin\mathcal{C}$ iff there exists a polynomial time computable property of Boolean function that is useful against $\mathcal{C}$ with $O(\log n)$ bits advice.

<div class=”theorem” title=”[Wil16]”: Theorem 1.2”> For all typical $\mathcal{C}$, $\NEXP\notin\mathcal{C}$ iff there exists a polynomial time algorithm that is useful against $\mathcal{C}$. </div>

The above two theorems say that any $\NEXP$ lower bound should satisfy two of the three properties of Natural Proof (constructivity and usefulness).

However, note that this doesn’t mean that every proof for $\NEXP$ lower bound should satisfy the two conditions since the theorems only say there exists such efficiently computable property. For instance, the $ACC{0}$ lower bound for $\NEXP$ in bypassed these theorems by designing a slightly faster $\ACC{0}$ satisfiability algorithm.

Pseudorandom generator (PRG) and pseudorandom function (PRF)

Pseudorandom generator is one of the most important object in the study of pseudorandomness. Intuitively, a PRG extends the length of uniform random bit string in a way that small circuit cannot distinguish the output with pure randomness. Formally, we have the following definition.

A function $G_k:\{0,1\}^k\rightarrow\{0,1\}^{2k}$ is a PRG against circuit complexity class $C/s(n)$ if $G$ is computable in polynomial time and for any $C\in C/s(n)\cap\mathcal{F}_{2k}$, $$\card{\mathbb{P}[C(G_k(U_k))=1] - \mathbb{P}[C(U_{2k})=1]}\geq1/s(n),$$ where $U_k$ is the uniform distribution on $\{0,1\}^k$.

Hastad, Impagliazzo, Levin, and Luby showed that if one way function exists (OWF), then PRG exists. Previous work constructed a PRG in $\TC{0}$ based on the DDH assumption.

Razborov-Rudich theorem

Here, we present the original theorem and proof in the paper of Razborov and Rudich.

Suppose there exists a $\Ppoly$-natural proof against $\Ppoly$, then there’s no PRG against circuit of size $2^{n^{\epsilon}}$ for any $\epsilon>0$.

Let’s first think about the high-level strategy of the proof. As we want to condition on the existence of PRG/OWF, by the method of contradiction, it suffices to show the existence of a distinguisher for the PRG when there exists a natural proof.

To do so, let’s see what we have right now. With the help of a natural proof against $\Ppoly$, we can efficiently distinguish a function in $\Ppoly$ from a random function. As a result, it’s natural to have the following strategy:

1. Turn a PRG, which is conjectured to lie in $\Ppoly$, into a PRF family ${f_s}_{s\in{0,1}^m}$ in $\Ppoly$.
2. By the property of natural proof, one can efficiently distinguish ${f_s}_{s\in{0,1}^m}$ from a random function.

When carefully picking the parameters, one can efficiently break the original PRG/OWF assumption.

Let’s prove the theorem by the three steps mentioned above.

1. From PRG to PRF (pseudorandom function)

Here, we use the well-known HILL (Hastad, Impagliazzo, Levin, and Luby) and GGM (Goldreich, Goldwasser, and Micali) construction to construct PRF from OWF. Concretely, assume we have OWF with hardness $2^{n^{\epsilon}}$ for some $\epsilon>0$. Then we have a PRF family with seed length $m$ that has hardness $2^{m^{\epsilon’}}$ for some constant $\epsilon’$ related to only $\epsilon$.

1. Use natural property to efficiently distinguish PRF

Suppose we have a PRF family of seed length $m$ and hardness $2^{m^{\epsilon}}$. Take $n=m^{\epsilon/2}$. Now, given an input function $h$, which might be a random function or a function from the PRF family, we have oracle access to $h$ in the following.

First, pad $h$ into a function $g$ with $n$ input bits and construct the truth table of $g$ in $2^{O(n)}$ time. Next, use the constructivity of the natural proof to distinguish $h$ in $poly(2^{O(n)})=2^{O(n)}$ time.

• When $h$ is a random function, then by the largeness condition, with probability at least $1/poly(n)$ the algorithm will correctly identify $h$ as random function.
• When $h$ is from the PRF family, then by the usefulness condition, the algorithm will always correctly identify $h$ as in the PRF family. Namely, the above simple algorithm has inverse polynomial advantage on distinguishing PRF from random function in time $2^{O(n)}=O(2^{m^{\epsilon/2}})$

Observe that $2^{m^{\epsilon/2}}=o(2^{m^{\epsilon}})$, which is a contradiction to the hardness of PRF.