On worst-case to average-case reductions for NP problems
44th Annual IEEE Symposium on Foundations of Computer Science, 2003. Proceedings.
We show that if an NP-complete problem has a non-adaptive self-corrector with respect to a samplable distribution then coNP is contained in NP/poly and the polynomial hierarchy collapses to the third level. Feigenbaum and Fortnow (SICOMP 22:994-1005, 1993) show the same conclusion under the stronger assumption that an NP-complete problem has a non-adaptive random self-reduction. Our result shows that the average-case hardness of a problem in NP or the security of a one-way function cannot be based (using non-adaptive reductions) on the worst-case complexity of an NP-complete problem (unless the polynomial hierarchy collapses).

Research supported by a Sloan Research Fellowship and an Okawa Foundation Grant.

average-case hard ones. The question of whether there are cryptosystems that are NP-hard to break, that is, whose security can be based on the assumption that NP ⊄ BPP, is as old as modern cryptography itself, and it was asked in [DH76, Section 6]. As we review below, there is contrasting evidence about what the answer to this question is.

Lattice Problems

Ajtai [Ajt96] shows that an algorithm that solves well on average the shortest vector problem (an NP problem) under a certain samplable distribution of instances implies an algorithm that solves, in the worst case, an approximate version of the shortest vector problem. The latter can be seen as an NP promise problem. If the latter problem were NP-complete, then we would have a reduction relating the average-case hardness of an NP distributional problem to the worst-case hardness of an NP-complete problem. Unfortunately, the latter problem is known to be in NP ∩ coNP, and therefore it is unlikely to be NP-hard. However, it is conceivable that improved versions of Ajtai's argument could show the equivalence between the average-case complexity of a distributional NP problem and the worst-case complexity of an NP problem. Micciancio [Mic04] and Micciancio and Regev [MR04] improve Ajtai's reduction by showing that a good on average algorithm for the shortest vector problem implies better worst-case approximation algorithms. Such approximations, however, still correspond to a promise problem known to be in NP ∩ coNP.
Ajtai's approach has been extended by Ajtai and Dwork [AD97] and Regev [Reg03], who present public-key cryptosystems whose security (which is a stronger condition than the existence of intractable problems in distributional NP) is equivalent to the worst-case complexity of certain NP promise problems.

Previous Work on Worst-case versus Average-case Complexity in NP

As discussed in [Imp95], we know oracles relative to which NP ⊄ P/poly but there is no intractable problem in distributional NP, and, consequently, one-way functions do not exist. Therefore, any proof that "NP ⊄ BPP implies the existence of an intractable problem in distributional NP" must use a non-relativizing argument. This, however, does not say much about the potential of Ajtai's techniques. Ajtai's argument, as well as later generalizations, exploits properties of specific problems, and it does not relativize.

Feigenbaum and Fortnow [FF93] consider the notion of a locally random reduction, which is a natural, and possibly non-relativizing, way to prove that the average-case complexity of a given problem relates to the worst-case complexity of another one. A locally random reduction from a language L to a distributional problem (L′, D) is a polynomial-time oracle procedure R such that R^{L′} solves L and, furthermore, each oracle query of R^{L′}(x) is distributed according to D.

Clearly, If |C ∩ B_i^*| ≤ 6αl, then