Succinct Hitting Sets and Barriers to Proving Lower Bounds for Algebraic Circuits

Michael A. Forbes, Amir Shpilka, Ben Lee Volk

2018
*Theory of Computing*

We formalize a framework of algebraically natural lower bounds for algebraic circuits. Just as with the natural proofs notion of Razborov and Rudich (1997) for Boolean circuit lower bounds, our notion of algebraically natural lower bounds captures nearly all lower bound techniques known. However, unlike in the Boolean setting, there has been no concrete evidence demonstrating that this is a barrier to obtaining super-polynomial lower bounds for general algebraic circuits, as there is little

... rstanding whether algebraic circuits are expressive enough to support "cryptography" secure against algebraic circuits. Following a similar result of Williams (2016) in the Boolean setting, we show that the existence of an algebraic natural proofs barrier is equivalent to the existence of succinct derandomization of the polynomial identity testing problem, that is, to the existence of a hitting set for the class of poly(N)-degree poly(N)-size circuits which consists of coefficient vectors of polynomials of polylog(N) degree with polylog(N)-size circuits. Further, we give

3. Constructivity: Given a truth-table of a function $f : \{0,1\}^n \to \{0,1\}$, of size $N = 2^n$, deciding whether $f$ has the property $P$ can be checked in $\mathrm{poly}(N) = 2^{O(n)}$ time.

To obtain a circuit lower bound, a priori one only needs to obtain a (non-trivial) property $P$ that is useful in the above sense. However, Razborov and Rudich [86] showed that (possibly after a small modification) most circuit lower bounds (such as those for constant-depth circuits ([9, 41, 106, 53, 85, 98])) yield large and constructive properties, and called such lower bounds natural proofs. Further, Razborov and Rudich [86] argued that standard cryptographic assumptions imply that natural proofs cannot yield super-polynomial lower bounds against any restricted class of circuits that is sufficiently rich to implement cryptography. That is, a pseudorandom function is an efficiently computable function $f : \{0,1\}^n \times \{0,1\}^\lambda \to \{0,1\}$ such that when sampling the key $k \in \{0,1\}^\lambda$ at random, the resulting distribution of functions $f(\cdot, k)$ is computationally indistinguishable from a truly random function $f : \{0,1\}^n \to \{0,1\}$. The existence of pseudorandom functions follows from the existence of one-way functions ([54, 43]) which is essentially the weakest interesting cryptographic assumption.
There are even candidate constructions of pseudorandom functions computable by polynomial-size constant-depth threshold circuits ($\mathrm{TC}^0$) as given by Naor and Reingold [73], whose security rests on the intractability of discrete-log and factoring-type assumptions (see also Krause and Lucks [65]). It is therefore widely believed that there are pseudorandom functions, even ones computationally indistinguishable from random except to adversaries running in $\exp(\lambda^{\Omega(1)})$-time. In contrast, Razborov and Rudich [86] showed that a natural proof useful against poly(n)-size circuits can distinguish a pseudorandom function from a truly random function in $\mathrm{poly}(2^n)$-time, which would contradict the believed $\exp(\lambda^{\Omega(1)})$-indistinguishability when taking $\lambda$ to be a large enough polynomial in $n$. Indeed, suppose $P$ is a natural property. Then for a pseudorandom function $f(\cdot, \cdot)$ and each value $k \in \{0,1\}^\lambda$ of the key, the resulting function $f(\cdot, k) : \{0,1\}^n \to \{0,1\}$ has a poly(n)-size circuit, and has property $P$ (by usefulness). In contrast, random functions will not have property $P$ with noticeable probability (by largeness). As the property is constructive, this gives a $\mathrm{poly}(2^n)$-time algorithm distinguishing $f(\cdot, k)$ from a random function, as desired.

¹ The Razborov and Rudich [86] definition of a natural property actually applies to the complement of the property $P$ we use here. In particular, our use of the term "largeness" refers to the fact that the complement of $P$ is a large set. This is a trivial difference for Boolean complexity, but is important for algebraic complexity as there natural properties are one-sided, see Section 1.2.

doi:10.4086/toc.2018.v014a018
dblp:journals/toc/ForbesSV18
fatcat:xca443ndhzfxfjnclcmx6y57py