Randomness vs. Time: De-randomization under a uniform assumption Russell Impagliazzo∗ Avi Wigdersony Department of Computer Science Institute of Computer Science University of California Hebrew University San Diego, CA 91097-0114 Jerusalem, Israel 91904 [email protected] [email protected] Abstract 1 Introduction, History, and Intuition We prove that if BPP = EXP, then every prob- lem in BPP can be solved6 deterministically in 1.1 Motivation subexponential time on almost every input ( The introduction of randomization into efficient on every samplable ensemble for infinitely many computation has been one of the most fertile and input sizes). This is the first derandomiza- useful ideas in computer science. In cryptogra- tion result for BP P based on uniform, non- phy and asynchronous computing, randomization cryptographic hardness assumptions. It implies makes possible tasks that are impossible to per- the following gap in the average-instance com- form deterministically. Even for function com- plexities of problems in BP P : either these com- putation, many examples are known in which plexities are always sub-exponential or they con- randomization allows considerable savings in re- tain arbitrarily large exponential functions. sources like space and time over deterministic al- We use a construction of a small \pseudo- gorithms, or even \only" simplifies them. random" set of strings from a \hard function" But to what extent is this seeming power of in EXP which is identical to that used in the randomness over determinism real? The most analogous non-uniform results of [21, 3]. How- famous concrete version of this question regards ever, previous proofs of correctness assume the the power of BP P , the class of problems solv- \hard function" is not in P=poly. They give a able by probabilistic polynomial time algorithms non-constructive argument that a circuit distin- making small constant error. What is the rela- guishing the pseudo-random strings from truly tive power of such algorithms compared to de- random strings implies that a similarly-sized cir- terministic ones? This is largely open. On the cuit exists computing the \hard function". Our one hand, it is possible that P = BP P , i.e., ran- main technical contribution is to show that, if the domness is useless for solving new problems in \hard function" has certain properties, then this polynomial time. On the other, we might have argument can be made constructive. We then BP P = EXP , which would say that random- show that, assuming EXP P=poly, there are ness would be a nearly omnipotent tool for al- EXP -complete functions with⊆ these properties. gorithm design. A priori, neither extreme seems likely: there are some problems where random- ness seems exponentially helpful, but many hard problems are not susceptible to randomized solu- ∗Research supported by NSF Award CCR-92-570979, Sloan Research Fellowship BR-3311, grant #93025 of the tions. joint US-Czechoslovak Science and Technology Program, In this paper, we show that the intuition that and USA-Israel BSF Grant 92-00043 randomness is a resource basically incomparable yThis research was supported by grant number 69/96 of the Israel Science Foundation, founded by the Israel to time is wrong. Either there is a non-trivial de- Academy for Sciences and Humanities terministic simulation of BP P , or BP P = EXP ! Either time can non-trivially substitute for ran- \cryptographically secure" (BMY-type) pseudo- domness, or randomness can non-trivially substi- random generator based on one-way functions tute for time. In other words, either universal [6, 24, 16, 7, 8, 11]; the NW-generator based on de-randomization is possible, or randomization a Boolean function with no circuit that approxi- is a panacea for intractability. (There are some mates it [21, 3]; and the hitting set method [1, 2]. technical provisos: the deterministic simulation To state our results, we will need some notation only works for infinitely many input lengths, and for complexity classes. Let Size(T (n)) be the may fail on a negligible fraction of inputs even class of functions computable by circuit families of these lengths.) We consider the former much where the number of gates in the circuit with more plausible than the latter. n inputs is at most T (n). For C a complexity class and t(n) a function, let C=t(n) be the class 1.2 History: Hardness vs. Ran- of functions computable in C with t(n) bits of \advice" depending only on the input size, i.e., domness f C=t(n) g C and a function h : Z 2 () 9 2 ! While counter to most people's first intuition, Z with h(n) t(n) and f(x) = g(x; h( x )). A j j ≤ j j c our result should be less surprising to those who result of [15] shows that P=poly = c 1Size(n ). [ ≥ are aware of the literature on de-randomization. For C a complexity class, let i:o: C be the class − The fundamental paradigm in de-randomization of functions that agree with a function in C for is to trade \hardness" for \randomness". This all inputs of length n for infinitely many n. was first elucidated in the remarkable sequence of The first set of papers construct a pseudo- papers [22, 6, 24]. Roughly speaking, \computa- random generator from a one-way function. tionally hard" functions can be used to construct The pseudo-random generator quickly converts “efficient pseudo-random generators". These in a small random string to a polynomially larger turn lower the randomness requirements of any string that seems random in the following sense: efficient probabilistic algorithm, allowing for a Any adversary that can distinguish an output of \nontrivial" deterministic simulation. this generator from a truly random string of the In many such results, there is a quantitative same length can be used to invert the function. trade-off between the hardness assumption and A BP P algorithm that had a markedly different the time to perform the deterministic simula- behaviour on a pseudo-random input than a ran- tion. The stronger the assumption, the faster dom one would be such an adversary. So if no the simulation. Here, we are concentrating on such invertor exists, the deterministic algorithm the \low end" of the curve in this trade-off: what that enumerates the multi-set of outputs of the is the weakest assumption one can make and still generator and simulates the BPP algorithm on have some version of universal derandomization? each, taking the majority answer, would always Our results also have some implications for the be correct. Informally, this is stated as: \higher end" of the curve, but these are much less clean, and we will not fully describe them in Theorem A 1 [6, 24, 8, 7, 11] this abstract. If there are one-way functions that cannot be in- verted with a non-negligible probability in P=poly, We will thus compare our results mainly to the then BP P SUBEXP \low end" version of the known results. In partic- ⊂ ular, we will use as our standard for \nontrivial" The NW-generator [20, 21, 3] considerably nδ the class SUBEXP = δ>0DT IME(2 ). The weakened the hardness assumption needed in the statement BP P SUBEXP\ (read \random- ⊂ nonuniform setting. It achieves the same deter- ness is weak"), while falling short of P = BP P , ministic simulation of BP P , from any function would be a great result to prove uncondition- in EXP P=poly. ally, and it certainly implies BP P = EXP . − 6 There have been a sequence of papers getting Theorem A 2 [20, 21, 3] weaker and weaker hardness assumptions suffi- If EXP P=poly, then BP P i:o: SUBEXP cient to prove such a result. These papers use 6⊂ ⊂ − one of three basic methods for converting hard This was the best result known at the \low functions into pseudo-random sequences: the end" of the hardness vs. randomness curve. 2 There has also been a sequence of papers [21, then M(n; R) is distributed according to µn. As 1, 2, 14] at the \high end" of the curve, where usual, we can extend this notion to allow M ac- the desired goal is to obtain P = BP P under cess to an oracle, in which case we say µ is poly- the weakest possible assumption. The strongest nomially sampleable given the oracle. result in this sequence is stated below: Let T and be functions of n. HeurT IME (T (n)) is the class of pairs (f; µ) Theorem A 3 [14] (n) of functions f : 0; 1 ∗ 0; 1 and probability If EXP i:o: SIZE(2o(n)), then BP P = P . f g ! f g 6⊂ − ensembles µ so that there is an algorithm A(x) running in deterministic time T ( x ) so that n, n j j 8 1.3 Average-Case Derandomiza- for x µ 0; 1 , P rob[A(x) = f(x)] < (n). 2 n f g 6 tion Under Uniform Assump- AvgT IME(n)(T (n)) is the class of pairs (f; µ) tions of functions f : 0; 1 ∗ 0; 1 and probabil- ity ensembles µ fso thatg ! there f isg an algorithm Both the high-end and low-end results above A(x) running in deterministic time T ( x ) so that require non-uniform hardness assumptions, i.e., j j n A(x) f(x); ? and for all n, for x µn 0; 1 , that the hard problems in question are hard for P rob[2A( fx) = f(gx)] < (n). 2 f g circuits. The reason for this, intuitively, is that If membership6 in one of the above classes holds if a function is hard uniformly but easy non- for f together with any polynomially sampleable uniformly, there is some advice, or trap-door, ensemble, then we omit mention of the ensem- that makes computing the function easy.