We prove that if NP ⊈ BPP, i.e., if SAT is worst-case hard, then for every probabilistic polynomial-time algorithm trying to decide SAT, there exists some polynomially samplable distribution that is hard for it. That is, the algorithm often errs on inputs from this distribution. This is the first worst-case to average-case reduction for NP of any kind. We stress however, that this does not mean that there exists one fixed samplable distribution that is hard for all probabilistic polynomial-time algorithms, which is a pre-requisite assumption needed for one-way functions and cryptography (even if not a sufficient assumption). Nevertheless, we do show that there is a fixed distribution on instances of NP-complete languages, that is samplable in quasi-polynomial time and is hard for all probabilistic polynomial-time algorithms (unless NP is easy in the worst case). Our results are based on the following lemma that may be of independent interest: Given the description of an efficient (probabilistic) algorithm that fails to solve SAT in the worst case, we can efficiently generate at most three Boolean formulae (of increasing lengths) such that the algorithm errs on at least one of them.
Bibliographical noteFunding Information:
Dan Gutfreund was supported in part by ONR grant N00014-04-1-0478. Most of this research was done while he was at the Hebrew University. Ro-nen Shaltiel did part of this research while staying at the Weizmann Institute and supported by the Koshland scholarship,and was also supported by Grant No. 2004329 from the United States-Israel Binational Science Foundation(BSF),Jerusalem,Israel. AmnonTa-shmawassupportedbytheIsrael Science Foundationgrant no. 217/0.
- Average-case complexity
- Foundations of cryptography
- Pseudo classes
- Worst-case to average-case reductions
ASJC Scopus subject areas
- Theoretical Computer Science
- Mathematics (all)
- Computational Theory and Mathematics
- Computational Mathematics