Pseudorandomness when the odds are against you Sergei Artemenko, U. Haifa Russell Impagliazzo, UCSD Valentine Kabanets, SFU Ronen Shaltiel, U. Haifa

Hardness versus randomness [BM,Yao,NW,BFNW,IW,KvM,MV,SU] Under Plausible hardness assumptions Hardness Assumption: b>0 and L∈E=DTIME(2O(n)) s.t. for every large enough n, size 2bn circuits fail to solve L on inputs of length n. [IW] Randomized algorithms can be efficiently derandomized. Conclusion: BPP=P, every randomized algorithm that: Runs in time T(n) Has constant success probability (can be two sided) Can be simulated in time poly(T(n)). Polynomial slowdown is sometimes a deal breaker!

Randomized exponential time algorithms for k-SAT k-SAT solvers in literature run in time 𝑇 𝑘 𝑛 = 2 𝛼 𝑘 ⋅𝑛 for constant (0< 𝛼 𝑘 <1) s.t. lim 𝑘→∞ 𝛼 𝑘 =1 For k>3, best known algorithms are randomized [PPSZ]. Can we derandomize by hardness vs. randomness? Naïve approach ⇒ trivial time: poly 𝑇 𝑘 𝑛 = 2 𝑂 𝛼 𝑘 ⋅𝑛 > 2 𝑛 Goal: negligible slowdown: 𝑇 𝑘 𝑛 ⋅ 2 𝑜 𝑛 = 2 (𝛼 𝑘 +𝑜(1))⋅𝑛 We show: PPSZ can be efficiently derandomized with negligible slowdown under plausible assumptions. First use of hardness vs. randomness for NP-problems.

OPaP-algorithms: Paturi-Pudlak Dfn: A randomized algorithm A(x,y) is 𝜖-OPaP for L if it runs in time 𝑡 𝑛 = 2 𝑜 𝑛 , and for every x: 𝑥∈𝐿⇒ Pr 𝑦 𝐴 𝑥,𝑦 =1 ≥ϵ 𝑥∉𝐿⇒ Pr 𝑦 𝐴 𝑥,𝑦 =1 =0 Paturi-Pudlak: Many k-SAT solvers (e.g. PPSZ) are based on OPaP algorithms with 𝜖 𝑘 𝑛 = 2 − 𝛼 𝑘 ⋅𝑛 . Constant error randomized algorithms obtained by running A, 1 𝜖 𝑘 𝑛 = 2 𝛼 𝑘 ⋅𝑛 times, yielding final running time: 𝑇 𝑘 𝑛 = 𝑡 𝑘 𝑛 ⋅ 2 𝛼 𝑘 ⋅𝑛 = 2 (𝛼 𝑘 +𝑜(1))⋅𝑛 . This work: Derandomize OPaP algorithms.

Result: Hardness versus randomness for OPaP algorithms Standard assumption: Scaled, nonuniform EXP ≠ NP Implies AM=NP [MV,SU] Result: Hardness versus randomness for OPaP algorithms Under Plausible hardness assumptions Hardness Assumption: b>0 and L∈E=DTIME(2O(n)) s.t. for every large enough n, size 2bn circuits fail to solve L on inputs of length n. Best possible, in the sense that even the weaker goal of obtaining a randomized constant error alg takes the same time. nondeterministic circuits [IW] Our results Randomized algorithms can be efficiently derandomized. Conclusion: every randomized algorithm that: Runs in time T(n) Has constant success probability (can be two sided) Can be simulated in time poly(T(n)). one-sided error, success prob ≥𝜖(𝑛) 𝑝𝑜𝑙𝑦 𝑇 𝑛 𝜖 𝑛 𝑝𝑜𝑙𝑦( 𝑇 𝑛 𝜖 𝑛 ) For OPAP (e.g. PPSZ): time 2 𝑜 𝑛 /𝜖 𝑛 = 2 (𝛼 𝑘 +𝑜(1))⋅𝑛

Derandomization 101 Let 𝐶: 0,1 𝑛 → 0,1 be a circuit. 𝐺: 0,1 𝑟 → 0,1 n is 𝜖-PRG for C if | Pr 𝐶 𝐺 𝑈 𝑟 =1 − Pr 𝐶 𝑈 𝑛 =1 | ≤𝜖 𝜖-HSG for C if Pr 𝐶 𝑈 𝑛 =1 >𝜖⇒∃𝑠:𝐶 𝐺 𝑠 =1. PRGs/HSGs for linear circuits ⇒ deterministic simulation of rand algs. Deterministic time = 2 𝑟 ⋅𝑇𝑖𝑚𝑒 𝐺 ⋅𝑇𝑖𝑚𝑒(𝐴𝑙𝑔). To handle algs with small success prob/large error: Short seed, preferably 𝑟≈ log 1 /𝜖 so that 2 𝑟 =1/𝜖. Efficient generators, 𝑇𝑖𝑚𝑒 𝐺 = poly(n) = 𝑜 1 𝜖 . Can we construct such PRGs/HSGs? Under what assumptions?

Nondeterministic circuits Deterministic circuits Hardness for PH-circuits Nondeterministic circuits Deterministic circuits Hardness for seed: O(log n) [IW97] 𝐵𝑃𝑇𝐼𝑀 𝐸 1/4 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸(𝑝𝑜𝑙𝑦(𝑇)) ¼-PRG time poly(n) This work. seed: 𝑂( log 𝑛)+1⋅log 1 𝜖 𝑅𝑇𝐼𝑀 𝐸 𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 ) Impossible* [SV08,AS11] 𝜖-HSG Impossible* [AASY15] 𝜖-PRG ½ vs ½+𝜖 PRG 𝐵𝑃𝑇𝐼𝑀 𝐸 𝜖,2𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 2 ) 𝜖 vs 2𝜖 derandomization Hardness vs. Σ 3 -circuits. seed: 𝑂 log 𝑛+ log 1 𝜖 2 𝜖 vs 2𝜖 Hardness vs. Σ 6 -circuits. seed: ℓ+𝑂 log 𝑛+ log 1 𝜖 2 PRG for circuits that output ℓ bits *Impossible for black box reductions. Thm: 𝜖-HSG ⇔ ¼-HSG for nondeterministic circuits that use log 1 𝜖 nondeterministic bits. Corrolary: 𝜖-HSG ⇒ hardness for nondeterministic circuits that use few nondeterministic bits.

Nondeterministic circuits Deterministic circuits Hardness for PH-circuits Nondeterministic circuits Deterministic circuits Hardness for seed: O(log n) [IW97] 𝐵𝑃𝑇𝐼𝑀 𝐸 1/4 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸(𝑝𝑜𝑙𝑦(𝑇)) ¼-PRG time poly(n) This work. seed: 𝑂( log 𝑛)+1⋅log 1 𝜖 𝑅𝑇𝐼𝑀 𝐸 𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 ) Impossible* [SV08,AS11] 𝜖-HSG Impossible* [AASY15] 𝜖-PRG ½ vs ½+𝜖 PRG 𝐵𝑃𝑇𝐼𝑀 𝐸 𝜖,2𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 2 ) 𝜖 vs 2𝜖 derandomization Hardness vs. Σ 3 -circuits. seed: 𝑂 log 𝑛+ log 1 𝜖 2 𝜖 vs 2𝜖 Hardness vs. Σ 6 -circuits. seed: ℓ+𝑂 log 𝑛+ log 1 𝜖 2 PRG for circuits that output ℓ bits *Impossible for black box reductions.

A 𝛼 1 vs 𝛼 2 PRG is a 𝐺: 0,1 𝑟 → 0,1 n s.t. for every small circuit C: PH-circuits Nondeterministic circuits Deterministic circuits Hardness for seed: O(log n) [IW97] 𝐵𝑃𝑇𝐼𝑀 𝐸 1/4 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸(𝑝𝑜𝑙𝑦(𝑇)) ¼-PRG time poly(n) This work. seed: 𝑂( log 𝑛)+1⋅log 1 𝜖 𝑅𝑇𝐼𝑀 𝐸 𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 ) Impossible* [SV08,AS11] 𝜖-HSG Impossible* [AASY15] 𝜖-PRG ½ vs ½+𝜖 PRG 𝐵𝑃𝑇𝐼𝑀 𝐸 𝜖,2𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 2 ) 𝜖 vs 2𝜖 derandomization Hardness vs. Σ 3 -circuits. seed: 𝑂 log 𝑛+ log 1 𝜖 2 𝜖 vs 2𝜖 Hardness vs. Σ 6 -circuits. seed: ℓ+𝑂 log 𝑛+ log 1 𝜖 2 PRG for circuits that output ℓ bits *Impossible for black box reductions. A 𝛼 1 vs 𝛼 2 PRG is a 𝐺: 0,1 𝑟 → 0,1 n s.t. for every small circuit C: Pr 𝐶 𝑈 𝑛 =1 ≤ 𝛼 1 ⇒ Pr 𝐶 𝐺 𝑈 𝑟 =1 ≤ 𝛼 2 . 𝜖-PRG is 𝛼 vs 𝛼+𝜖 PRG for every 𝛼. Can we get PRGs/Derandomization for small 𝛼,𝜖?

A 𝛼 1 vs 𝛼 2 PRG is a 𝐺: 0,1 𝑟 → 0,1 n s.t. for every small circuit C: PH-circuits Nondeterministic circuits Deterministic circuits Hardness for seed: O(log n) [IW97] 𝐵𝑃𝑇𝐼𝑀 𝐸 1/4 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸(𝑝𝑜𝑙𝑦(𝑇)) ¼-PRG time poly(n) This work. seed: 𝑂( log 𝑛)+1⋅log 1 𝜖 𝑅𝑇𝐼𝑀 𝐸 𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 ) Impossible* [SV08,AS11] 𝜖-HSG Impossible* [AASY15] 𝜖-PRG ½ vs ½+𝜖 PRG 𝐵𝑃𝑇𝐼𝑀 𝐸 𝜖,2𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 2 ) 𝜖 vs 2𝜖 derandomization Hardness vs. Σ 3 -circuits. seed: 𝑂 log 𝑛+ log 1 𝜖 2 𝜖 vs 2𝜖 Hardness vs. Σ 6 -circuits. seed: ℓ+𝑂 log 𝑛+ log 1 𝜖 2 PRG for circuits that output ℓ bits A 𝛼 1 vs 𝛼 2 PRG is a 𝐺: 0,1 𝑟 → 0,1 n s.t. for every small circuit C: Pr 𝐶 𝑈 𝑛 =1 ≤ 𝛼 1 ⇒ Pr 𝐶 𝐺 𝑈 𝑟 =1 ≤ 𝛼 2 . 𝜖-PRG is 𝛼 vs 𝛼+𝜖 PRG for every 𝛼. Can we get PRGs/Derandomization for small 𝛼,𝜖?

A 𝛼 1 vs 𝛼 2 PRG is a 𝐺: 0,1 𝑟 → 0,1 n s.t. for every small circuit C: PH-circuits Nondeterministic circuits Deterministic circuits Hardness for seed: O(log n) [IW97] 𝐵𝑃𝑇𝐼𝑀 𝐸 1/4 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸(𝑝𝑜𝑙𝑦(𝑇)) ¼-PRG time poly(n) This work. seed: 𝑂( log 𝑛)+1⋅log 1 𝜖 𝑅𝑇𝐼𝑀 𝐸 𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 ) Impossible* [SV08,AS11] 𝜖-HSG Impossible* [AASY15] 𝜖-PRG ½ vs ½+𝜖 PRG 𝐵𝑃𝑇𝐼𝑀 𝐸 𝜖,2𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 2 ) 𝜖 vs 2𝜖 derandomization Hardness vs. Σ 3 -circuits. seed: 𝑂 log 𝑛+ log 1 𝜖 2 𝜖 vs 2𝜖 Hardness vs. Σ 6 -circuits. seed: ℓ+𝑂 log 𝑛+ log 1 𝜖 2 PRG for circuits that output ℓ bits A 𝛼 1 vs 𝛼 2 PRG is a 𝐺: 0,1 𝑟 → 0,1 n s.t. for every small circuit C: Pr 𝐶 𝑈 𝑛 =1 ≤ 𝛼 1 ⇒ Pr 𝐶 𝐺 𝑈 𝑟 =1 ≤ 𝛼 2 . 𝜖-PRG is 𝛼 vs 𝛼+𝜖 PRG for every 𝛼.

Nondeterministic circuits Deterministic circuits Hardness for PH-circuits Nondeterministic circuits Deterministic circuits Hardness for seed: O(log n) [IW97] 𝐵𝑃𝑇𝐼𝑀 𝐸 1/4 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸(𝑝𝑜𝑙𝑦(𝑇)) ¼-PRG time poly(n) This work. seed: 𝑂( log 𝑛)+1⋅log 1 𝜖 𝑅𝑇𝐼𝑀 𝐸 𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 ) Impossible* [SV08,AS11] 𝜖-HSG Impossible* [AASY15] 𝜖-PRG ½ vs ½+𝜖 PRG 𝐵𝑃𝑇𝐼𝑀 𝐸 𝜖,2𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 2 ) 𝜖 vs 2𝜖 derandomization Hardness vs. Σ 3 -circuits. seed: 𝑂 log 𝑛+ log 1 𝜖 2 𝜖 vs 2𝜖 Hardness vs. Σ 6 -circuits. seed: ℓ+𝑂 log 𝑛+ log 1 𝜖 2 nb-PRG for circuits that output ℓ bits

A 𝛼 1 vs 𝛼 2 nb-PRG [DI06,AS14,AASY15] is a 𝐺: 0,1 𝑟 → 0,1 n s.t. for every small circuit 𝐶: 0,1 𝑛 → 0,1 ℓ , and any function 𝐷: 0,1 ℓ →{0,1} Pr 𝐷(𝐶 𝑈 𝑛 )=1 ≤ 𝛼 1 ⇒ Pr 𝐷(𝐶 𝐺 𝑈 𝑟 )=1 ≤ 𝛼 2 . PH-circuits Nondeterministic circuits Deterministic circuits Hardness for seed: O(log n) [IW97] 𝐵𝑃𝑇𝐼𝑀 𝐸 1/4 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸(𝑝𝑜𝑙𝑦(𝑇)) ¼-PRG time poly(n) This work. seed: 𝑂( log 𝑛)+1⋅log 1 𝜖 𝑅𝑇𝐼𝑀 𝐸 𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 ) Impossible* [SV08,AS11] 𝜖-HSG Impossible* [AASY15] 𝜖-PRG ½ vs ½+𝜖 PRG 𝐵𝑃𝑇𝐼𝑀 𝐸 𝜖,2𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 2 ) 𝜖 vs 2𝜖 derandomization Hardness vs. Σ 3 -circuits. seed: 𝑂 log 𝑛+ log 1 𝜖 2 𝜖 vs 2𝜖 Hardness vs. Σ 6 -circuits. seed: ℓ+𝑂 log 𝑛+ log 1 𝜖 2 nb-PRG for circuits that output ℓ bits PH-circuits Nondeterministic circuits Deterministic circuits Hardness for seed: O(log n) [IW97] 𝐵𝑃𝑇𝐼𝑀 𝐸 1/4 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸(𝑝𝑜𝑙𝑦(𝑇)) ¼-PRG time poly(n) This work. seed: 𝑂( log 𝑛)+1⋅log 1 𝜖 𝑅𝑇𝐼𝑀 𝐸 𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 ) Impossible* [SV08,AS11] 𝜖-HSG Impossible* [AASY15] 𝜖-PRG ½ vs ½+𝜖 PRG 𝐵𝑃𝑇𝐼𝑀 𝐸 𝜖,2𝜖 𝑇 ⊆𝐷𝑇𝐼𝑀𝐸( 𝑝𝑜𝑙𝑦 𝑇 𝜖 2 ) 𝜖 vs 2𝜖 derandomization Hardness vs. Σ 3 -circuits. seed: 𝑂 log 𝑛+ log 1 𝜖 2 𝜖 vs 2𝜖 Hardness vs. Σ 6 -circuits. seed: ℓ+𝑂 log 𝑛+ log 1 𝜖 2 PRG for circuits that output ℓ bits

A construction of 𝜖-HSGs with seed r=𝑂( log 𝑛)+ log (1 /𝜖) Proof: Nondet. Reduction: Hardness Assumption for nondeterministic circuits G’ is not an 𝜖-HSG ∃small circuit 𝐶: 0,1 𝑛 →{0,1} Pr 𝐶 𝑈 𝑛 =1 ≥𝜖, yet: ∀ 𝑠 1 , 𝑠 2 :C G ′ s 1 , s 2 =0. Let 𝐷 𝑧 ≔∃ 𝑠 2 : 𝐶(ℎ 𝑧 ( 𝑠 2 ))=1. Small nondeterministic circuit. ∀ 𝑠 1 :𝐷 𝐺 𝑠 1 =0. 2-wise ⇒ Pr 𝐷 𝑈 2𝑛 =1 ≥ 1 2 ⇒ D ¼-distinguishes G. ∎ [IW97,KvM99,MV99,SU01] ¼-HSG 𝐺: 0,1 𝑂( log 𝑛) → 0,1 2𝑛 for nondeterministic circuits computable in time poly(n) 𝐺 ′ ( 𝑠 1 , 𝑠 2 )= ℎ 𝐺 𝑠 1 𝑠 2 where: ℎ: 0,1 log⁡(1/𝜖) → 0,1 𝑛 is from 2-wise independent family

A construction of 𝜖 vs 2𝜖 PRG High level idea: Follow NW Construction: Encode truth table of f to get truth table of g. Reduction: sublinear time local list decoding algorithm Hardness assumption Hardness Amplification 𝑓→𝑔 𝑓 worst case hard ⇒𝑔 average-case hard G(x)=(x,g(x)) PRG with one bit stretch Nisan-Wigderson Generator Need to tailor details To our setup PRG with large stretch Impossible for black box PH reductions [AASY15]. Following [FL96,TV00,AASY15] we use: approximate counting and uniform sampling of NP witnesses [St83,JVV86,BGP00] to give a PH reduction with time 𝑝𝑜𝑙𝑦 𝑛 =𝑜( 1 𝜖 ) ⇒ 𝜖 vs 2𝜖 PRG.

Hardness Assumption for PH-circuits A construction of 𝜖 vs 2𝜖 PRG with one bit stretch (inspired by [TV00,AASY15]) Construction: Proof by PH-Reduction: Given x: sampling w ∈ 𝑅 𝑧: 𝑇 𝑥 𝑧 =1 can be done by PH-circuits [JVV,BGP]. Uniform sampling of NP witnesses. 𝑇 𝑥 is a PH-circuit by [S,JVV]: approximate counting in PH. This is where we use 𝜖 vs 2𝜖 rather than ½ vs ½+𝜖. G is not an 𝜖 vs 2𝜖 PRG ∃small circuit 𝐶 Pr 𝐶 𝑋,𝑌, 𝑈 =1 ≤𝜖, yet Pr⁡[𝐶 𝑋,𝑌,𝐸 𝑓(𝑋),𝑌 =1 ≥2𝜖 Let 𝑇 𝑥 𝑧 ≔1 iff Pr 𝐶 𝑥,𝑌, 𝑈 =1 Pr 𝐶 𝑥,𝑌, 𝑈 =1 ≤𝜖, and Pr⁡[𝐶 𝑥,𝑌, 𝐸(𝑧,𝑌)=1 ≥2𝜖 For good x: 𝑇 𝑥 𝑓 𝑥 =1. Ext ⇒ 𝑇 𝑥 accepts very few z’s. Given x: w ∈ 𝑅 𝑧: 𝑇 𝑥 𝑧 =1 is with noticeable prob. f(x). Hardness Assumption for PH-circuits s.t. for noticable fraction of x’s x [TV00] x x 𝑓: 0,1 𝑛 → 0,1 𝑛 ′ :=Ω(𝑛) that is extremely hard on average circuits succeed w.p ≤ 2 − 𝑛 ′ /3 “Goldereich-Levin” “Code concatenation” 𝑔 𝑥,𝑦 =𝐸 𝑓 𝑥 ,𝑦 , where: E is a strong seeded extractor that outputs one bit. 𝐺 𝑥,𝑦 = 𝑥,𝑦,𝑔 𝑥,𝑦

Conclusion and Open problems Conditional Derandomization/HSGs/PRGs for low-error regime. Power and limitations of PH-reductions. Open problems: Derandomization of general SAT-solvers. More applications of 𝜖 vs 2𝜖 PRGs/nb-PRGs. Minimal assumptions for 𝜖 vs 2𝜖 PRGs/nb-PRGs. That’s it…

That’s it…

Goal: Reduce randomness complexity of sampling procedures [DI06]. Given: poly-size circuit C:{0,1}n ! {0,1}𝑙 s.t. C(Un) is “desired dist.” P on {0,1}𝑙. (think: n=𝑙e for some e>1). Design C’:{0,1}r ! {0,1}𝑙 r << n. C’(Ur) statistically-close to P=C(Un). Goal r ≈ 𝑙, (best possible). Small statistical error 𝜖. C’ is of poly-size. 𝑙 P C Un n 𝑙 ≈P C’ Ur r

non-boolean PRGs nb-PRGs [DI06] nb-PRG: G:{0,1}r ! {0,1}n, ²–fools C:{0,1}n ! {0,1}𝑙 if C(G(Ur)) ²–close to C(Un) in stat. dist. In boolean case (𝑙=1):  |Pr[C(G(Ur))=1) – Pr[C(Un)=1]| ≤ ² nb-PRGs generalize (standard) PRGs. C’(Ur)=C(G(Ur)) is ²–close to P=C(Un). Indeed r<<n. Application dictates: for C of size nc, to get efficient C’: ⇒ Can allow G time nb for b>c. (NW-setting). ≈P C C’ pseudorandom G Ur

Previous work and our results on nb-PRGs A 𝛼 1 vs 𝛼 2 nb-PRG is a 𝐺: 0,1 𝑟 → 0,1 n s.t. for every small circuit 𝐶: 0,1 𝑛 → 0,1 ℓ , and any function 𝐷: 0,1 ℓ →{0,1} Pr 𝐷(𝐶 𝑈 𝑛 )=1 ≤ 𝛼 1 ⇒ Pr 𝐷(𝐶 𝐺 𝑈 𝑟 )=1 ≤ 𝛼 2 . PH-circuits Nondeterministic circuits Deterministic circuits Hardness for [AS14] Hardness vs. Σ 2 -circuits. seed: 𝑂 ℓ+ log 𝑛 [AASY15] 1 𝑛 𝑐 − nb-PRG Impossible* [AASY15] 𝜖-nb-PRG This work. Hardness vs. Σ 6 -circuits. seed: ℓ+𝑂 log 𝑛+ log 1 𝜖 2 Impossible* [SV08,AS11] 𝜖 vs 2𝜖 nb-PRG for circuits that output ℓ bits There are also constructions based on incompressibility assumptions [DI06].

𝜖 vs 2𝜖 nb-PRGs (following [AASY15]) A random 𝑡= 𝑛 𝑂(𝑐) −wise independent function ℎ 𝑠 : 0,1 𝑟 → 0,1 𝑛 :s← 0,1 𝑛 𝑂 𝑐 is w.h.p. an 𝜖 vs 2𝜖 nb-PRG, for 𝑟=ℓ+𝑂(log 𝑛 𝜖 ). Checking whether a given function ℎ 𝑠 is such a PRG is in Σ 3 𝑃 . (This is where 𝜖 vs 2𝜖 comes up). Let 𝐺: 0,1 𝑟′ → 0,1 𝑡= 𝑛 𝑂(𝑐) be an 𝜖 vs 2𝜖 PRG for Σ 3 -circuits. For a random seed 𝑠∈ 0,1 𝑟′ , 𝐺′ ⋅ = ℎ 𝐺(𝑠) (⋅) is with prob 1−𝜖, a 𝜖 vs 2𝜖 PRG. Let 𝐺′: 0,1 𝑟+𝑟′ → 0,1 𝑚 be 𝐺′ 𝑥,𝑠 = ℎ 𝐺(𝑠) (𝑥) then f is a 𝜖 vs 3𝜖 PRG.