One-Tape Turing Machine and Branching Program Lower Bounds For MCSP

Electronic Colloquium on Computational Complexity, Revision 1 of Report No.
103 (2020)
One-Tape Turing Machine and Branching

Program Lower Bounds for MCSP
Mahdi Cheraghchi
Department of EECS, University of Michigan, Ann Arbor, MI, USA
http://mahdi.cheraghchi.info/
mahdich@umich.edu
Shuichi Hirahara
National Institute of Informatics, Tokyo, Japan
https://researchmap.jp/shuichi.hirahara/
s_hirahara@nii.ac.jp
Dimitrios Myrisiotis
Department of Computing, Imperial College London, London, UK
https://sites.google.com/site/dimitriosimyrisiotis/
d.myrisiotis17@imperial.ac.uk
Yuichi Yoshida
National Institute of Informatics, Tokyo, Japan
http://research.nii.ac.jp/~yyoshida/
yyoshida@nii.ac.jp
Abstract
For a size parameter s : N → N, the Minimum Circuit Size Problem (denoted by MCSP[s(n)]) is
the problem of deciding whether the minimum circuit size of a given function f : {0, 1}n → {0, 1}
(represented by a string of length N := 2n ) is at most a threshold s(n). A recent line of work
exhibited “hardness magnification” phenomena for MCSP: A very weak lower bound for MCSP
implies a breakthrough result in complexity theory. For example, McKay, Murray, and Williams
(STOC 2019) implicitly showed that, for some constant µ1 > 0, if MCSP[2µ1 ·n ] cannot be computed
by a one-tape Turing machine (with an additional one-way read-only input tape) running in time
N 1.01 , then P 6= NP.
In this paper, we present the following new lower bounds against one-tape Turing machines and
branching programs:
1. A randomized two-sided error one-tape Turing machine (with an additional one-way read-only
input tape) cannot compute MCSP[2µ2 ·n ] in time N 1.99 , for some constant µ2 > µ1 .
2. A non-deterministic (or parity) branching program of size o(N 1.5 / log N ) cannot compute MKTP,
which is a time-bounded Kolmogorov complexity analogue of MCSP. This is shown by directly
applying the Nechiporuk method to MKTP, which previously appeared to be difficult.
These results are the first non-trivial lower bounds for MCSP and MKTP against one-tape Turing
machines and non-deterministic branching programs, and essentially match the best-known lower
bounds for any explicit functions against these computational models.
The first result is based on recent constructions of pseudorandom generators for read-once
oblivious branching programs (ROBPs) and combinatorial rectangles (Forbes and Kelley, FOCS
2018; Viola 2019). En route, we obtain several related results:
√
1. There exists a (local) hitting set generator with seed length O(e N ) secure against read-once
polynomial-size non-deterministic branching programs on N -bit inputs.
2. Any read-once co-non-deterministic branching program computing MCSP must have size at least
Ω(N )
2e .
2012 ACM Subject Classification Theory of computation → Circuit complexity; Theory of compu-
tation → Pseudorandomness and derandomization
Keywords and phrases Minimum Circuit Size Problem, One-Tape Turing Machines, Branching
Programs, Lower Bounds, Pseudorandom Generators, Hitting Set Generators
ISSN 1433-8092
2 One-tape Turing machine and branching program lower bounds for MCSP
Acknowledgements We would like to express our gratitude to Emanuele Viola and Osamu Watanabe
for bringing to our attention the works by Kalyanasundaram and Schnitger [28] and Watanabe [43],
respectively, and for helpful discussions. In particular, we thank Emanuele Viola for explaining to
us his works [17, 42]. We thank Rahul Santhanam for pointing out that Nečiporuk’s method can
be applied to not only MKtP but also MKTP. We thank Chin Ho Lee for answering our questions
regarding his work [29]. We thank Paul Beame for bringing his work [7] to our attention. We thank
Valentine Kabanets, Zhenjian Lu, Igor C. Oliveira, and Ninad Rajgopal for illuminating discussions.
Finally, we would like to thank the anonymous reviewers for their constructive feedback.
1 Introduction
The Minimum Circuit Size Problem (MCSP) asks whether a given Boolean function
f : {0, 1}n → {0, 1} can be computed by some Boolean circuit of size at most a given
threshold s. Here the function f is represented by the truth table of f , i.e., the string of
length N := 2n that is obtained by concatenating all the outputs of f . For a size parameter
s : N → N, its parameterized version is denoted by MCSP[s]: That is, MCSP[s] asks if the
minimum circuit size of a function f : {0, 1}n → {0, 1} is at most s(n).
MCSP is one of the most fundamental problems in complexity theory, because of its
connection to various research areas, such as circuit complexity [38, 27, 24, 33, 23, 2], learning
theory [9], and cryptography [38, 18, 20]. It is easy to see that MCSP ∈ NP because, given a
circuit C of size s as an NP certificate, one can check whether C computes the given function
f in time N O(1) . On the other hand, its NP-completeness is a long-standing open question,
which dates back to the introduction of the theory of NP-completeness (cf. [4]), and it has
an application to the equivalence between the worst-case and average-case complexity of NP
(cf. [20]).
Recently, a line of work exhibited surprising connections between very weak lower
bounds of MCSP and important open questions of complexity theory, informally termed as
“hardness magnification” phenomena. Oliveira and Santhanam [37] (later with Pich [36])
showed that, if an approximation version of MCSP cannot be computed by a circuit of
size N 1.01 , then NP 6⊆ P/poly (in particular, P 6= NP follows). Similarly, McKay, Murray,
and Williams [32] showed that, if MCSP[s(n)] cannot be computed by a 1-pass streaming
algorithm of poly (s(n)) space and poly (s(n)) update time, then P 6= NP. Therefore, in order
to obtain a breakthrough result, it is sufficient to obtain a very weak lower bound for MCSP.
Are hardness magnification phenomena plausible approaches for resolving the P versus
NP question? We do not know the answer yet. However, it should be noted that, as argued
in [3, 37], hardness magnification phenomena appear to bypass the natural proof barrier
of Razborov and Rudich [38], which is one of the major barriers of complexity theory for
resolving the P versus NP question. Most of lower bound proof techniques of complexity
theory are “natural” in the following sense: Given a lower bound proof for a circuit class
C, one can interpret it as an efficient average-case algorithm for solving C-MCSP (i.e., one
can efficiently decide whether a given Boolean function f can be computed by a small
C-circuit when the input f is chosen uniformly at random; cf. Hirahara and Santhanam [22]).
Razborov and Rudich [38] showed that such a “natural proof” technique is unlikely to
resolve NP 6⊆ P/poly; thus we need to develop fundamentally new proof techniques. There
seems to be no simple argument that naturalizes proof techniques of hardness magnification
phenomena; hence, investigating hardness magnification phenomena could lead us to a new
non-natural proof technique.
M. Cheraghchi, S. Hirahara, D. Myrisiotis, and Y. Yoshida 3
1.1 Our results

1.1.1 Lower bounds against one-tape Turing machines
Motivated by hardness magnification phenomena, we study the time required to compute
MCSP by using a one-tape Turing machine. We first observe that the hardness magnification
phenomena of [32] imply that a barely superlinear time lower bound for a one-tape Turing
machine is sufficient for resolving the P versus NP question.
I Theorem 1 (A corollary of McKay, Murray, and Williams [32]; seeAppendix A). There exists
1.01
µ·n
a small constant µ > 0 such that if MCSP[2 ] 6∈ DTIME1 N , then P 6= NP.
Here, we denote by DTIME1 [t(N )] the class of languages that can be computed by a
Turing machine equipped with a one-way read-only input tape and a two-way read/write
work tape running in time O(t(N )) on inputs of length N . We note that it is rather counter-
intuitive that there is a universal constant µ > 0; it is instructive
to state Theorem 1 in the
following logically equivalent way: If MCSP[2µ·n ] 6∈ DTIME1 N 1.01 for all constants µ > 0,
then P 6= NP.1
One of our main results is a nearly quadratic lower bound on the time complexity of a
randomized one-tape Turing machine (with one additional read-only one-way input tape)
computing MCSP.

I Theorem 2. There exists some constant 0 < µ < 1 such that MCSP[2µ·n ] 6∈ BPTIME1 N 1.99 .
Here, BPTIME1 [t(N )] denotes the class of languages that can be computed by a two-
sided-error randomized Turing machine equipped with a one-way read-only input tape and
a two-way read/write work tape running in time t(N ) on inputs of length N ; we say that
a two-sided-error randomized algorithm computes a problem if it outputs a correct answer
with high probability (say, with probability at least 2/3) over the internal randomness of the
algorithm.
Previously, no non-trivial lower bound on the time complexity required for computing
MCSP by a Turing machine was known. Moreover, Theorem 2 essentially matches the
best-known lower bound for this computational model; namely, the lower bound due to
Kalyanasundaram
andSchnitger [28], who showed that Element Distinctness is not in
BPTIME1 o N 2 / log N .
Our lower bound against BPTIME1 N 1.99 is much stronger than the required lower
bound (i.e, DTIME1 N 1.01 ) of the hardness magnification phenomenon of Theorem 1.
However, Theorem 2 falls short of the hypothesis of the hardness magnification phenomenon
of Theorem 1 because of the choice of the size parameter. In the hardness magnification
phenomenon, we need to choose the size parameter to be 2µ·n for some small constant µ > 0,
whereas, in our lower bound, we will choose µ to be some constant close to 1. That is, what
is missing for proving P 6= NP is to decrease the size parameter from 2(1−o(1))·n to 2o(n) in
Theorem 2, or to increase the size parameter from 2o(n) to 2(1−o(1))·n in Theorem 1.
Next, we investigate the question of whether hardness magnification phenomena on
MCSP[s(n)] such as Theorem 1 can be proved when the size parameter s(n) is large, as
posed by Chen, Jin, and Williams [11]. As observed in [10], most existing proof techniques
on hardness magnification phenomena are shown by constructing an oracle algorithm which
makes short queries to some oracle. For example, behind the hardness magnification
1
Observe that ∃µ, (P (µ) ⇒ Q) is logically equivalent to ∃µ, (¬P (µ) ∨ Q), which is equivalent to
¬(∀µ, P (µ)) ∨ Q.
phenomena of Theorem 1 is a nearly-linear-time oracle algorithm that solves MCSP[2o(n) ] by

making queries of length 2o(n) to some PH oracle (see Corollary 17 for a formal statement).
Chen, Hirahara, Oliveira, Pich, Rajgopal, and Santhanam [10] showed that most lower bound
proof techniques can be generalized to such an oracle algorithm, thereby explaining the
difficulty of combining hardness magnification phenomena with lower bound proof techniques.
Following [10], we observe that our lower bound (Theorem 3) can be generalized to a lower
bound against an oracle algorithm which makes short queries.
∗
I Theorem 3. Let O ⊆ {0, 1} be any oracle. Then, for everyh constant
i 1/2 < µ < 1,
µ·n n O 1+µ0
MCSP[2 ] on truth tables of size N := 2 is not in BPTIME1 N for some constant
µ0 > 0, where all of the strings queried to O are of length N o(1) .
Theorem 3 can be seen as a partial answer to the question posed by [11]: It is impossible
to extend the hardness magnification phenomena of Theorem 1 to MCSP[2µn ] for µ > 1/2
by using similar techniques used in [32]. Recall that the proof techniques behind [32] are
to construct a nearly-linear-time oracle algorithm that solves MCSP[2µn ] by making short
queries to some oracle; the existence of such an oracle algorithm is ruled out by Theorem 3
when µ > 1/2. Therefore, in order to obtain a hardness magnification phenomenon for
MCSP[20.51n ], one needs to develop a completely different proof technique that does not rely
on constructing an oracle algorithm that makes short queries.
1.1.2 Lower bounds against branching programs

Another main result of this work is a lower bound against non-deterministic branching
programs. We make use of Nečiporuk’s method, which is a standard proof technique for
proving a lower bound against branching programs. However, it appeared previously that
Nečiporuk’s method is not directly applicable to the problems such as MCSP [22]. In this
paper, we develop a new proof technique for applying Nečiporuk’s method to a variant of
MCSP, called MKTP. MKTP is the problem of deciding whether KT(x) ≤ s given (x, s) as
input. Here KT(x) is defined as the minimum, over all programs M and integers t, of |M | + t
such that, for every i, M outputs the ith bit of x in time t given an index i as input [1]. We
prove lower bounds against general branching programs and non-deterministic branching
programs by using Nečiporuk’s method.
I Theorem 4. The size of a branching program computing MKTP is at least Ω(N 2 / log2 N ).
The size of a non-deterministic branching program or a parity branching program computing
MKTP is at least Ω(N 1.5 / log N ).
We mention that the same lower bound can be obtained for MKtP, which is an exponential-
time analogue of MKTP.
Theorem 4 gives the first non-trivial lower bounds against non-deterministic and parity
branching programs for MKTP and MKtP and, in addition, these are the best lower
bounds which can be obtained by using Nečiporuk’s method (cf. [7]). Previously, by using
a pseudorandom generator for branching programs constructed by [25], it was shown in
[36, 12] that (deterministic) branching programs requires N 2−o(1) size to compute MCSP,
MKTP and MKtP.2 However, it is not known whether there is a pseudorandom generator
2
It is worthy of note that Theorem 4 mildly improves the lower bounds of [36, 12] to Ω(N 2 / log2 N ) by
directly applying Nečiporuk’s method, which matches the state-of-the-art lower bound for any explicit
function up to a constant factor.
for non-deterministic or parity branching programs. As a consequence, no non-trivial lower

bound for MKTP (nor its exponential-time version MKtP) against these models was known
before. Surprisingly, Theorem 4 is proved without using a pseudorandom generator nor
a weaker object called a hitting set generator. We emphasize that it is surprising that
a lower bound for MKtP can be obtained without using a hitting set generator; indeed,
the complexity of MKtP is closely related to a hitting set generator, and in many settings
(especially when the computational model is capable of computing XOR), a lower bound for
MKtP and the existence of a hitting set generator are equivalent [20, 21].
A hitting set generator (HSG) H : {0, 1}λ(N ) → {0, 1}N for a circuit class C is a function
such that, for any circuit C from C that accepts at least (1/2) · 2N strings of length N , there
exists some seed z ∈ {0, 1}λ(N ) such that C accepts H(z). A hitting set generator enables us
to derandomize one-sided-error randomized algorithms by trying all 2λ(N ) seeds.
Along the way, we obtain several new results regarding a lower bound for MCSP and
a hitting set generator. We present a hitting set generator secure against read-once non-
deterministic branching programs, based on a pseudorandom generator constructed by Forbes
and Kelley [14].
I Theorem√5. There exists an explicit construction of a (local) hitting set generator

Oe N ·log s N
H : {0, 1} → {0, 1} for read-once non-deterministic branching programs of
size s.
Previously, Andreev, Baskakov, Clementi, and Rolim [6] constructed a hitting set generator
with non-trivial seed length for read-k-times non-deterministic branching programs, but their
seed length is as large as N − o(N ). Theorem 5 improves the seed length to O( e √N · log s).
As an immediate corollary, we obtain a lower bound for MCSP against read-once non-
deterministic branching programs.
I Corollary 6. Any read-once co-non-deterministic branching program that computes MCSP

must have size at least 2Ω
e(N ) .
1.2 Our techniques

1.2.1 Local HSGs for MCSP lower bounds
For a circuit class C, a general approach for obtaining a C-lower bound for MCSP is by
constructing a “local” hitting set generator (or a pseudorandom generator (PRG), which is a
stronger notion) secure against C. Here, we say that a function G : {0, 1}s → {0, 1}N is local
if, for every z, the ith bit of G(z) is “easy to compute” from the index i; more precisely, for
every seed z, there exists some circuit C of size at most s such that C outputs the ith bit of
G(z) on input i ∈ [N ]. Note here that G(z) is a YES instance of MCSP[s], whereas a string w
chosen uniformly at random is a NO instance of MCSP[s] with high probability. This means
that any C-algorithm that computes MCSP[s] distinguishes the pseudorandom distribution
G(z) from the uniform distribution w, and hence the existence of C-algorithm for MCSP[s]
implies that there exists no local hitting set generator secure against C. This approach has
been used in several previous works, e.g., [38, 1, 22, 12]. In fact, it is worthy of note that, in
some sense, this is the only approach — at least for a general polynomial-size circuit class
C = P/poly, because Hirahara [20] showed that a lower bound for an approximation version
of MCSP is equivalent to the existence of a local HSG.
At the core of our results is the recent breakthrough result of Forbes and Kelley [14],
who constructed the first pseudorandom generator with polylog(n) seed length that fools
unknown-order read-once oblivious branching programs. Viola [42] used their construction to
obtain a pseudorandom generator that fools deterministic Turing machines (DTMs). Herein,
we generalize his result to the case of randomized Turing machine (RTMs), and the case of
two-sided-error randomized Turing machine (BPTIME1 [t(N )]).3 At a high level, our crucial
idea is that Viola’s proof does not exploit the uniformity of Turing machines, and hence a
good coin flip sequence of a randomized oracle algorithm and all of its [small enough] oracle
queries and corresponding answers can be fixed as non-uniformity (Lemma 21). In addition,
by a careful examination of the Forbes-Kelley PRG, we show that their PRG is local; this
gives rise to a local PRG that fools BPTIME1 [t(N )], which will complete a proof of our main
result (Theorem 3).
We note that the proof above implicitly shows an exponential-size lower bound for MCSP
against read-once oblivious branching programs, which was previously not known. Corollary 6
generalizes this lower bound to the case of co-non-deterministic read-once (not necessarily
oblivious) branching program. In order to prove this, we make use of PRGs that fool
combinatorial rectangles (e.g., [14, 29]). We present a general transformation from a PRG
for combinatorial rectangles into a HSG for non-deterministic read-once branching program,
by using the proof technique of Borodin, Razborov, and Smolensky [8]; see Theorem 5.
1.2.2 Nečiporuk’s method for MKTP lower bounds

In order to apply Nečiporuk’s method to MKTP, we need to give a lower bound on the
number of distinct subfunctions that can be obtained by fixing all but O(log n) bits.
The idea of counting distinct subfunctions of MKTP is to show that a random restriction
which leaves O(log n) variables free induces different subfunctions with high probability.
Specifically, partition the input variables [n] into m := n/O(log n) blocks, pick m − 1
strings ρ := ρ2 · · · ρm ∈ ({0, 1}O(log n) )m−1 randomly, and consider the restricted function
f ρ (ρ1 ) := MKTP(ρ1 ρ2 · · · ρm , θ) for some appropriate threshold function θ. Then, the
string ρi ρ2 · · · ρm is compressible when i ∈ {2, · · · , m} whereas the string ρ1 ρ2 · · · ρm is not
compressible when ρ1 is chosen randomly. This holds as, in the former case, there exists a
2 ≤ k ≤ m such that ρi = ρk and this yields a description for the string ρi ρ2 · · · ρm that is
shorter than most of its descriptions in the latter case. Let now θ be the KT complexity of
ρi ρ2 · · · ρm in the case where i ∈ {2, · · · , m}. Therefore, f ρ (ρi ) = 1 for any i ∈ {2, · · · , m}
and f ρ (ρ1 ) = 0 with high probability over a random ρ1 . This implies that, with high
probability over the random restrictions ρ and ρ0 , it is the case that f ρ 6≡ f ρ0 . This is so
as, for every i ∈ {2, . . . , m}, the probability over the random restrictions ρ and ρ0 that the
string ρi is such that f ρ0 (ρi ) = f ρ (ρi ) is small, by the fact that f ρ (ρi ) = 1 and the fact
that f ρ0 (ρi ) = 0 with high probability over a random ρi [and therefore with high probability
over a random ρ as well].
Unfortunately, the probability that f ρ ≡ f ρ0 holds may not be exponentially small. As
a consequence, a lower bound on the number of distinct subfunctions that can be directly
obtained from this fact may not be exponential. In contrast, we need to prove an exponential
lower bound on the number of distinct subfunctions in order to obtain the state-of-the-art
lower bound via Nečiporuk’s method.
In order to make the argument work, we exploit symmetry of information for (resource-
unbounded) Kolmogorov complexity and Kolmogorov-randomness. Instead of picking ρ and
3
We emphasize that the notion of PRGs secure against these three computational models is different.
See Definition 10, Definition 12, and Lemma 14.
ρ0 randomly, we keep a set P which contains restrictions ρ that induce distinct subfunctions.
Starting from P := ∅, we add one Kolmogorov-random restriction ρ to P so that the property
of P is preserved. By using symmetry of information for Kolmogorov complexity, we can
argue that one can add a restriction to P until P becomes as large as 2Ω(n) , which proves
that the number of distinct subfunctions of MKTP is exponentially large. Details can be
found in Section 6.
1.3 Related work

Chen, Jin, and Williams [11] generalized hardness magnification phenomena to arbitrary
sparse languages in NP. Note that MCSP[2µn ] is a sparse language in the sense that the
number of YES instances of MCSP[2µn ] is at most 2O(2 e µn ) , which is much smaller than the
n
number 22 of all the instances of length 2n . Hirahara [21] proved that a super-linear-size
lower bound on co-non-deterministic branching programs for computing an approximation
and space-bounded variant of MKtP implies the existence of a hitting set generator secure
against read-once branching programs (and, in particular, RL = L).
Regarding unconditional lower bounds for MCSP, Razborov and Rudich [38] showed that
there exists no AC0 -natural property useful against AC0 [⊕], which in particular implies that
MCSP 6∈ AC0 ; otherwise, the complement of MCSP would yield an AC0 -natural property
useful against P/poly ⊇ AC0 [⊕]. Hirahara and Santhanam [22] proved that MCSP essentially
requires quadratic-size de Morgan formulas. Cheraghchi, Kabanets, Lu, and Myrisiotis [12]
proved that MCSP essentially requires cubic-size de Morgan formulas as well as quadratic-size
(general, unconstrained) branching programs. Golovnev, Ilango, Impagliazzo, Kabanets,
Kolokolova, and Tal [16] proved that, for any prime p, MCSP requires constant-depth circuits,
that are augmented with MODp gates, of weakly-exponential size.

The state-of-the-art time lower bound against DTMs on inputs of size n is Ω n2 , proved
by Maass [30], for the Polydromes function (which is a generalization of Palindromes).
Regarding the case when the considered DTMs have a two-way read-only input tape, Maass
and Schorr [31] proved that there is some problem in Σ2 TIME[n] that requires Ω n3/2 / log6 n
time to compute on such machines. As mentioned earlier, in Section 1.1, the state-of-the-art
time lower bound against RTMs is due to Kalyanasundaram
and Schnitger [28], who showed
2
that Element Distinctness is not in BPTIME1 o N / log N .
Viola [42] gave a PRG that fools RTMs that run in time n1+Ω(1) ; this also yields a n1+Ω(1)
time lower bound against such machines. To do this, Viola extended prior work [31, 41] on
simulating any RTM by a sum of ROBPs [see Lemma 19] and then employed the PRG by
Haramaty, Lee, and Viola [17] that fools ROBPs;4 it is a straightforward observation [42],
then, that the Forbes-Kelley PRG [14] [which appeared afterwards and was inspired by the
PRG by Haramaty, Lee, and Viola] yields a PRG of nearly quadratic stretch that fools RTMs
and, therefore, a nearly quadratic lower bound against the same model as well. Moreover,
Viola [42] showed that there exists some problem in Σ3 TIME[n] that requires n1+Ω(1) time
to compute on any RTM that has the extra feature of a two-way read-only input tape; one
of the ingredients of this result, is again the PRG by Haramaty, Lee, and Viola [17].
For the case of one-tape TMs with no extra tapes, Hennie [19] proved in 1965 that
the Palindromes function requires Ω n2 time to compute. Van Melkebeek and Raz [41]
observed fixed-polynomial time lower bounds for SAT against non-deterministic TMs with
4
It should be noted that before Haramaty, Lee, and Viola [17] and Viola [42], the problem of designing
PRGs of polynomial stretch that fool RTMs was wide open despite intense research efforts.
a d-dimensional read/write two-way work tape and a random access read-only input tape;
these lower bounds depend on d.
1.4 Organization
In Section 2, we give the necessary background. The main ideas of Theorem 3 and Theorem 5
are described in Section 3 and Section 4, respectively. In Section 5, we show that the
pseudorandom generators we make use of are local, which will complete the proofs of
Theorem 3 and Theorem 5. We prove Theorem 1 in Appendix A.
2 Preliminaries
2.1 Circuit complexity
n
Let f : {0, 1} → {0, 1}. We define the circuit complexity of f , denoted by CC(f ), to be
equal to the size (i.e., the number of gates) of the smallest bounded fan-in unbounded fan-out
Boolean circuit, over the {AND, OR, NOT} = {∧, ∨, ¬} basis, that, on input x, outputs
2n
f (x). For a string y ∈ {0, 1} , we denote by CC(y) the circuit complexity of the function
n n
fy : {0, 1} → {0, 1} encoded by y; i.e., fy (x) = yx , for any x ∈ {0, 1} .
A standard counting argument shows that a random function attains nearly maximum
circuit complexity with high probability.
I Proposition 7 ([39]). For any function s : N → N with s(n) = o(2n /n), it holds that
Pr n
[CC(x) ≤ s(n)] = o(1),
x∼{0,1}2
for all large n ∈ N.
I Definition 8 (Minimum Circuit Size Problem [27]). We define MCSP as

2n
n o
n
MCSP := (x, θ) ∈ {0, 1} × {0, 1} | CC(x) ≤ θ ,
n∈N
and its parameterized version as

2n
n o
MCSP[s(n)] := x ∈ {0, 1} | CC(x) ≤ s(n) ,
n∈N
for a size parameter s : N → N.
2.2 Turing machines

Throughout this paper, we consider a Turing machine that has one work tape and a one-way
input tape. In this context, “one-way” means that the tape-head may move only from left to
right.
A deterministic Turing machine (DTM) is a Turing machine with two tapes: A two-way
∗
read/write work tape and a one-way read-only input tape. Let x ∈ {0, 1} and M be a DTM;
we write M (x) to denote the output of M when its input tape is initialized with x and its
∗
work tape is empty. Let t : N → N be time-constructible. The class of languages L ⊆ {0, 1}
decided by some O(1)-state time-t DTM is denoted by DTIME1 [t].
We also consider a randomized variant of DTMs. A randomized Turing machine (RTM)
is a Turing machine with three tapes: A two-way read/write work tape, a one-way read-only
∗
input tape, and a one-way read-only random tape. Let x, r ∈ {0, 1} and M be a RTM;
we write M (x, r) to denote the output of M when its input tape contains x, its work tape
is empty, and its random tape contains r. Let t : N → N be time-constructible. For a
∗
language L ⊆ {0, 1} and a RTM M , we say that M decides L with two-sided error if
Prr [M (x, r) = 1] ≥ 3 for every input x ∈ L and Prr [M (x, r) = 0] ≥ 32 for every input x 6∈ L.
2
∗
The class of languages L ⊆ {0, 1} decided by some O(1)-state time-t RTM with two-sided
error is denoted by BPTIME1 [t].
A randomized oracle Turing machine (oracle RTM) is a Turing machine with four tapes:
A two-way read/write work tape, a one-way read-only input tape, a one-way read-only
random tape, and an oracle tape. This model is identical to the randomized Turing machine
model apart from the oracle tape, which is a standard oracle tape. The class of languages
∗
L ⊆ {0, 1} decided by some O(1)-state time-t oracle RTM, with access to some oracle
∗
O ⊆ {0, 1} , with two-sided error is denoted by BPTIMEO 1 [t].
2.3 Streaming algorithms

n
A space-s(n) streaming algorithm with update time u(n) on an input x ∈ {0, 1} has a
working storage of s(n) bits. At any point the algorithm can either choose to perform one
operation on O(1) bits in storage or it can choose to read the next bit from the input. The
total time between two next-bit reads is at most u(n) and the final outcome is reported in
O(u(n)) time.
I Lemma 9. Any one-pass streaming algorithm with t(N ) update time, on inputs of length
N , can be simulated by a one-tape Turing machine with a one-way read-only input tape
running in time O(N · poly(t(N ))).
Proof. Recall that a streaming algorithm reads one bit of its input from left to right, and
each consecutive read operation occurs within t(N ) time steps. Thus, it takes N · poly(t(N ))
time-steps in total to finish the computation on inputs of length N in the standard multi-tape
Turing machine model, as the size of the input is N and poly(t(N )) time-steps suffice for
some multi-tape Turing machine to perform an update [13]. For any time constructible
function T : N → N, a one-tape Turing machine can simulate a T (n)-time multi-tape Turing
2
machine within O(T (n) ) steps. Thus, a streaming algorithm can be simulated in time
2
N · (poly(t(N ))) = N · poly(t(N )) by a one-tape Turing machine. J
2.4 Branching programs

A branching program (BP) is a layered acyclic directed graph with three special vertices:
a start vertex s (the source) and two finish vertices, namely an accepting vertex h1 and a
rejecting vertex h0 (the sinks). Each layer has at most w vertices (w here stands for width);
s is the sole vertex of the first layer and h1 and h0 are the only vertices of the last layer.
n
On input x ∈ {0, 1} , the computation starts at s and follows a directed path from s to
some hb , with b ∈ {0, 1}. On this occasion, the output of the computation is b. In each step,
the computation queries some input xi associated with layer i, for i ∈ [n], and then visits
the next layer, depending on the value of the variable just queried, namely 0 or 1, through
an edge with label “xi = 0” or “xi = 1,” respectively.
∗
A branching program P decides a language L ⊆ {0, 1} in the natural way, i.e., x ∈ L if
and only if, on input x, the computation path that P follows starts at s and finishes at h1 .
If the variable queried within each layer is the same, then the branching program is called
oblivious. If the branching program queries each variable at most once, then the branching
program is called a read-once branching program (ROBP). If the branching program is
oblivious and always queries the variables in some known order, where it is known beforehand
which variable xi is queried at layer i, along any s-h0 or any s-h1 path (these are called
source-to-sink paths), then the branching program is called known-order, else it is called
unknown-order.
If there are multiple edges emanating from some vertex, and these edges have the
same label, then the branching program is called non-deterministic. Non-deterministic
branching programs may also have free (i.e., unlabelled) edges, as well. A non-deterministic
n n
branching program computes a function f : {0, 1} → {0, 1} if, for every x ∈ {0, 1} such
n
that f (x) = 1, there is some s-h1 path and for every x ∈ {0, 1} such that f (x) = 0, all
source-to-sink paths are s-h0 paths. A co-non-deterministic branching program computes a
n n
function f : {0, 1} → {0, 1} if, for every x ∈ {0, 1} such that f (x) = 1, all source-to-sink
n
paths are s-h1 paths and for every x ∈ {0, 1} such that f (x) = 0, there exists some s-h0
path. The size of a branching program is the number of its labelled edges.
2.5 Pseudorandom generators and hitting set generators

We recall the standard notions of pseudorandom generators and hitting set generators.
I Definition 10. Let s : N → N be a function, C be a circuit class, and 0 < ε < 1. A

s(n) n
pseudorandom generator (PRG) that ε-fools C is a function G : {0, 1} → {0, 1} such
that

Exp [f (x)] − Exp [f (G(y))] ≤ ε,

x∼{0,1}n y∼{0,1} s(n)
for any circuit C ∈ C. The value s(n) is referred to as the seed length of G.
I Definition 11. Let s : N → N be a function, C be a circuit class, and 0 < ε < 1. A hitting
s(n) n
set generator (HSG) ε-secure against C is a function G : {0, 1} → {0, 1} such that
s(n)
Pr [C(x) = 1] ≥ ε =⇒ C(H(y)) = 1 for some y ∈ {0, 1} ,
x∼{0,1}n
for any circuit C ∈ C. By default, we choose ε := 1/2.
For our purpose, it is useful to extend the notion of PRG to a pseudorandom generator
that fools randomized algorithms.
I Definition 12. For a function s : N → N and a parameter 0 < ε < 1, a function

s(n) n
G : {0, 1} → {0, 1} is said to be a pseudorandom generator that ε-fools q-state time-t
RTMs if

Exp [M (x, r)] − Exp [M (G(y) , r)] ≤ ε,
x∼{0,1}n ,

y∼{0,1}s(n) ,
r∼{0,1}t r∼{0,1} t
for any q-state time-t RTM M .
2.6 MCSP lower bounds from local HSGs

For a function G : {0, 1}s → {0, 1}n , we say that G is local [12] if CC(G(z)) ≤ s for every
string z ∈ {0, 1}s . We make use of the following standard fact.
I Lemma 13. Let s : N → N be a function such that s(n) = o(2n /n), and N := 2n . Suppose
s(n) N
that there exists a local hitting set generator H : {0, 1} → {0, 1} for a circuit class C.
Then, MCSP[s(n)] 6∈ coC.
Proof. We prove the contrapositive. Let C ∈ coC be a circuit that computes MCSP[s(n)].
Since CC(H(z)) ≤ s(n), we have H(z) ∈ MCSP[s(n)]; thus C(H(z)) = 1, for every z ∈
{0, 1}s(n) . For a random w ∼ {0, 1}N , it follows from Proposition 7 that w 6∈ MCSP[s(n)]
with probability 1 − o(1); hence C(w) = 0 for most w. Therefore, ¬C ∈ C accepts at least a
half of {0, 1}N but rejects every string in the range of H, which contradicts the security of
the hitting set generator H. J
We observe that a local pseudorandom generator for time-t RTMs also “fools”
BPTIME1 [t(N )] in the following sense.
I Lemma 14. Let s, t : N → N be functions, such that s(n) = o(2n /n), and N := 2n . Suppose
that there exists a family of local pseudorandom generators G = {Gn : {0, 1}s(n) → {0, 1}N }n∈N
such that, for every n ∈ N, Gn (1/6)-fools time-t(N ) RTMs. Then, MCSP[s(n)] is not in
BPTIME1 [t(N )].
Proof. We prove the contrapositive. Let M be a time-t RTM that decides MCSP[s(n)]. Fix
any n ∈ N. For any seed z ∈ {0, 1}s(n) , we have Gn (z) ∈ MCSP[s(n)] since Gn is local. Thus,
Prr [M (Gn (z), r) = 1] ≥ 2/3. On the other hand, pick a string w ∈ {0, 1}N chosen uniformly
at random. By the counting argument of Proposition 7, we get Prw [w 6∈ MCSP[s(n)]] ≥
1 − o(1). Thus, we have Prw,r [M (w, r) = 1] ≤ o(1) + 1/3 < 1/2. Therefore,
2 1 1
Pr[M (Gn (z), r) = 1] − Pr [M (w, r) = 1] > − = ,
z,r w,r 3 2 6
which means that Gn does not fool RTMs. J
3 MCSP lower bounds against one-tape oracle RTMs

In this section, we present a proof of our main result.
∗
I Theorem 15 (Theorem 3, restated). Let O ⊆ {0, 1} be any language. Then, for
every constant
h 1/2 < iµ < 1, MCSP[2µ·n ] on truth tables of size N := 2n is not in
0
BPTIMEO N 2·(µ −o(1)) , for all 1/2 < µ0 < µ, where all of the strings queried to O are of
1
o(1)
length N .
3.1 Connections to hardness magnification

As discussed in Section 1.1.1, Theorem 15 implies that establishing hardness magnification
phenomena for MCSP, when the circuit size threshold parameter is 20.51n , would require
the development of new techniques; see Remark 18. To explain why this is true, we shall
first require the following result by McKay, Murray, and Williams [32] that gives an oracle
streaming algorithm for MCSP.
I Lemma 16 ([32, Theorem 1.2]). Let s : N → N be a size function, with s(n) ≥ n for all
n, and N := 2n . Then, there is a one-pass streaming
algorithm for MCSP[s(n)] on N -bit
2
inputs running in N · O(s(n))
e time with O
e s(n) update time and O(s(n))
e space, using an
oracle for Σ3 SAT with queries of length O(s(n)).
e
A corollary of Lemma 16 and Lemma 9 is the following.
I Corollary 17 (Consequences of hardness magnification from currently known techniques).

Let s : N → N be a size function. Then, MCSP[s(n)] on truth tables of length N := 2n is
in DTIMEO P
1 [N · poly(s(n))], for some O ∈ Σ3 , where all of the strings queried to O are of
length at most poly(s(n)).
The following remark summarizes the main idea of this subsection.

I Remark 18. By Corollary 17, we see that if s(n) = 2µ·n , for µ = o(1), then MCSP[s(n)] is
O

in DTIME1 N 1+o(1)
, where all of the strings queried to O are of length N o(1) . In
light of
O 1+o(1)
this observation, Theorem h 15 is important
i for the following reason. As DTIME 1 N
0
is a subset of BPTIMEO N 2·(µ −o(1)) for all 1/2 < µ0 < 1 and all languages O ⊆ {0, 1} ,
∗
1
Theorem 15 shows that establishing hardness magnification phenomena for MCSP[s(n)] like
that of Theorem 1, when s(n) = 2µ·n for any constant 1/2 < µ < 1, would require the
development of techniques that do not rely on designing oracle algorithms that make short
oracle queries.
3.1.1 Comparison with the locality barrier

Chen, Hirahara, Oliveira, Pich, Rajgopal, and Santhanam [10] introduced the “locality barrier”
to explain why it will be difficult to acquire a major complexity breakthrough through the
lens of hardness magnification. Their reasoning goes as follows:
Existing magnification theorems unconditionally show that problems, against which

some circuit lower bound implies a complexity-theoretic breakthrough, admit highly
efficient small fan-in oracle circuits, while lower bound techniques against weak circuit
models quite often easily extend to circuits containing such oracles.
Our Remark 18, therefore, is close in spirit to the results of Chen et al. [10]: We make use
of a lower bound (Theorem 15) to motivate the development of new techniques for proving
hardness magnification phenomena while Chen et al. make use of hardness magnification
phenomena to motivate the development of new techniques for acquiring lower bounds; a
notable difference is that we consider one-tape Turing machines while they consider Boolean
circuits.
3.2 Proof of Theorem 15

In order to prove Theorem 15, our goal is to construct a local pseudorandom generator
that fools oracle RTMs and then apply Lemma 14. Viola [42] constructed a pseudorandom
generator that fools the one-tape Turing machine model (DTM).5 We will show that, in fact,
the same construction fools oracle RTMs as well. In order to do so, we recall the idea of
Viola [42]. The idea is that, in order to fool DTMs, it is sufficient to use a PRG that ε-fools
ROBPs for an exponentially small ε. This is because time-t DTMs can be written as the
sum of an exponential number of ROBPs.
5
We note that our definition of PRG is different from that of [42] in that a random tape is not regarded
as an input tape.
I Lemma 19 (Viola [42]). Let n ∈ N and M be√a q-state time-t DTM. Then, there is a family
n
{Pα }α∈A of n-input ROBPs of width exp O t · log(tq) such that, for any x ∈ {0, 1} ,
X
M (x) = Pα (x),
α∈A
√
where |A| ≤ (tq) ( ) .
O t
By a simple calculation (cf. Section 5), any pseudorandom generator that ε/|A|-fools
ROBPs also ε-fools DTMs. Viola [42] then used the pseudorandom generator of Forbes and
Kelley [14] that fools ROBPs. By a careful examination, we will show that the Forbes-Kelley
pseudorandom generator is local; see Corollary 39 in Section 5.
I Theorem 20 (Forbes-Kelley
√ PRG is local).
There exists a local pseudorandom generator
e ( t + log(1/ε)) · log q that ε-fools q-state time-t n-input DTMs for any
with seed length O
t ≥ n.
Our main idea for obtaining an oracle randomized Turing machine lower bound is that
Viola’s reduction can be applied to non-uniform computational models, i.e., q-state Turing
machines where q can become large as the input length becomes large. More specifically, it
is possible to incorporate all possible oracle queries [along with their answers] and any good
coin flip sequence r into the internal states of DTMs.
I Lemma 21. For an input length n ∈ N, for any q-state time-t oracle RTM M , that only
at most ` to its oracle
queries strings of length O, and a coin flip sequence r ∈ {0, 1}t , there
exists some q · 2 · t -state time-t DTM M such that M 0 (x) = M O (x, r) for every input
` 0
x ∈ {0, 1}n .
Proof. Let QM denote the set of the states of M . We define the set of the states of M 0 as
n o
`
QM 0 := (q, s, b, i) ∈ QM × {0, 1} × {0, 1} × [t] | O(s) = b .
The transition from the state (q, s, b, i) ∈ QM 0 can be defined in a natural way, by using the
i-th bit of r, namely ri , the state q, and the fact that O(s) = b. J
I Corollary
√ 22. There exists a local pseudorandom generator with seed length σ(t, q, ε) =
Oe ( t + log(1/ε)) · log(q · 2` · t) that ε-fools q-state time-t n-input oracle RTMs that may
only query strings of length at most ` to their oracle, for any t ≥ n.
Proof. We hard-code the oracle queries and their answers in the internal states and, moreover,
we use an averaging argument to fix one good coin flip sequence r. Let M be any q-state
time-t oracle RTM that may query to its oracle O strings of length at most `. Let G be a
PRG from Theorem 20. We have that
" # " #
O O
Exp Exp M (x, r) − Exp Exp M (G(y), r)

r∼{0,1}t x∼{0,1}n r∼{0,1}t y∼{0,1}σ(t,q,ε)

= Exp Exp M O (x, r) − Exp M O (G(y), r)

r x y

O O
≤ Exp Exp M (x, r) − Exp M (G(y), r)

r x y

≤ Exp M (x, r∗ ) − Exp M O (G(y), r∗ ) ,
O
x y
t
for some r∗ ∈ {0, 1} , by an averaging
argument. By applying Lemma 21, for M O , O, and
∗ ` 0
r , we obtain an equivalent q · 2 · t -state time-t DTM M . The result now follows from
Theorem 20. Specifically,

Exp M O (x, r∗ ) − Exp M O (G(y), r∗ ) = Exp[M 0 (x)] − Exp[M 0 (G(y))] ≤ ε.

J
x y x y

Proof of Theorem 15. Take the local pseudorandom generator G of Corollary 22 with
parameter ε := 1/6. Let 1/2 < µ0 < µ < 1 be arbitrary constants. Let t, s, ` : N → N be
0
functions such that t(N ) = N 2·(µ −o(1)) , s(n) = 2µ·n , and `(n) = 2o(n) . Then, the seed
length of G is at most
p
Oe e µ0 −o(1)+o(1) ) ≤ s(n),
t(N ) · (log q + `(n)) ≤ O(N
where N = 2n . Since s(n) = o(2n /n), by Lemma 14, we obtain that MCSP[s(n)] 6∈
BPTIMEO1 [t(N )], where all of the strings queried to O are of length N
o(1)
. J
4 HSGs against non-deterministic ROBPs

In this section, we present a construction of hitting set generator secure against non-
deterministic ROBPs.
I Theorem√ 23 (Theorem
5, restated). There exists a local hitting set generator
O
e n·log s n
H : {0, 1} → {0, 1} for n-input size-s read-once non-deterministic branching
programs.
As a corollary, we obtain an exponential-size lower bound for co-non-deterministic read-

once branching programs that compute MCSP.
I Corollary 24 (Corollary 6, restated). Any read-once co-non-deterministic branching program

that computes MCSP must have size at least 2Ω e(N ) .
Proof. Immediate from Lemma 13 and Theorem 23. J
Herein, we present a general connection from a pseudorandom generator for combinatorial

n
rectangles to a hitting set generator for non-deterministic ROBPs. Below, for x ∈ {0, 1}
and S ⊆ [n], we denote by x|S the |S|-bit string obtained by concatenating xi for each i ∈ S.
I Definition 25 (Combinatorial rectangles). Let n ∈ N. A combinatorial rectangle of k

n
products and width m is a function π : {0, 1} → {0, 1} of the form
k
^
π(x) = fj x|Sj ,
j=1
n m
for every x ∈ {0, 1} , where k ∈ N, fj : {0, 1} → {0, 1} and |Sj | ≤ m, for all 1 ≤ j ≤ k,
k
and the sets {Sj }j=1 are disjoint subsets of [n].
I Theorem 26 (Local PRG for combinatorial rectangles). There exists a local pseudorandom
generator G : {0, 1}r → {0, 1}n that ε-fools the class of combinatorial rectangles of k products
and width m, where the seed length r is O(me + log(k/ε)) · polylog(n).
We defer the proof of Theorem 26 to Section 5 (cf. Theorem 40). For the proof of The-
orem 23, we shall invoke the following lemma first, by Borodin, Razborov, and Smolensky [8].
I Lemma 27(Borodin, Razborov, and Smolensky [8]). Let n, k, s ∈ N, m := n/k ≥ 1, and

t := O (2s)2k . Let f : {0, 1}n → {0, 1} be a function that can be computed by a read-once
non-deterministic branching program of size s. Then, there exist combinatorial rectangles
n
π1 , . . . , πt of k products and width m such that, for all x ∈ {0, 1} ,
t
_
f (x) = πi (x) .
i=1
Proof of Theorem 23. Let G : {0, 1}r → {0, 1}n be the local PRG of Theorem 26 that fools
k-product combinatorial rectangles of width m. We prove that G is a hitting set generator
secure against read-once non-deterministic branching programs of size s. To this end, let f
be any read-once non-deterministic branching programs of size s such that f (G(z)) = 0 for
every seed z ∈ {0, 1}r . We claim that Prw [f (w) = 1] < 12 . By Lemma 27, f can be written
as an OR of t combinatorial rectangles π1 , . . . , πt . By the assumption, for every seed z, we
W
have i πi (G(z)) = f (G(z)) = 0, and thus πi (G(z)) = 0. By the fact that the pseudorandom
generator G ε-fools combinatorial rectangles, it holds that, for all 1 ≤ i ≤ t,

Pr [πi (x) = 1] − Pr [πi (G(z)) = 1] ≤ ε
n r
x∼{0,1} z∼{0,1}
or
Pr [πi (x) = 1] ≤ ε.
x∼{0,1}n
Hence,
" t
# t
_ X
Pr n
[f (x) = 1] = Pr πi (x) = 1 ≤ Pr [πi (x) = 1] ≤ t · ε.
x∼{0,1} x∼{0,1}n x∼{0,1}n
i=1 i=1
Choosing ε := 1/(4t), this probability is bounded by 1/4. It remains to choose the parameter
k so that the seed length r is minimized. We have
p
r = polylog(n) · O(m
e + log(k/ε)) = O(n/k
e + k · log s) = O
e n · log s ,
p
by setting k := n/ log s. J
5 The Forbes-Kelley PRG is local

In this section, we show that the Forbes-Kelley PRG is local (up to some overhead in the
seed length), which will complete the proofs of Section 3 and Section 4.
In the following proofs, for each pseudorandom generator G : {0, 1}s → {0, 1}n with seed
length s, we will show that CC(G(z)) ≤ O(s) e · polylog(n) for every seed z ∈ {0, 1}s . This
naturally gives rise to a local pseudorandom generator of seed length O(s)e · polylog(n), by
simply ignoring a part of the seed.
We first recapitulate biased and almost k-wise independent distributions; these are
primitives used in Forbes-Kelley PRG.
5.1 Biased and almost k-wise independent distributions

I Definition 28. Let n ∈ N and 0 < δ < 1. A random variable X = (x1 , . . . , xn ) over
n
{0, 1} is said to be δ-biased with respect to the distribution D if, for any S ⊆ [n], it is the
case that
" # " #
Y Y
xi xi
Pr (−1) = 1 − Pr n (−1) = −1 ≤ δ.

X∼D X∼{0,1}
i∈S i∈S
n
On this occasion, we also say that D is a δ-biased distribution over {0, 1} .
Below, we define almost k-wise independent distributions.
I Definition 29. Let n ∈ N, 0 < γ < 1, and k > 0. A random variable X = (x1 , . . . , xn )
n
over {0, 1} is said to be γ-almost k-wise independent with respect to the distribution D if,
for any k indices 1 ≤ i1 < i2 < · · · < ik ≤ n, it is the case that
X

Pr [xi1 · · · xi = α] − Pr [xi1 · · · xi = α] ≤ γ.
k n k
X∼D X∼{0,1}
α∈{0,1}k
On this occasion, we also say that D is a γ-almost k-wise independent distribution over
n
{0, 1} .
n
I Definition 30. Let n, k ∈ N, with k ≤ n. A random variable X = (x1 , . . . , xn ) over {0, 1}
is said to be k-wise independent with respect to the distribution D if X is 0-almost k-wise
independent with respect to the distribution D. On this occasion, we also say that D is a
k-wise independent distribution.
n
It is known that a k-wise independent distribution over {0, 1} may be sampled by using
O(k log n) random bits [40]. The following lemma upper-bounds the circuit complexity of
some k-wise independent distribution.
I Theorem 31 ([12, 15, 40]). There exists a local k-wise independent generator G : {0, 1}s →
{0, 1}n with seed length s = k · O(log
e n).
We next show that there exists a local ε-biased generator.
I Lemma 32 (The complexity of multiplication; cf. [15]). For an integer m > 0, let the
elements in F2m be represented by m-bit strings. Then, there exists a circuit of size O(m)
e
that, on input x, y ∈ F2m , outputs the m-bit representation of the product x · y.
I Theorem 33. There exists a local ε-biased generator G : {0, 1}s → {0, 1}n with seed length
s = O(log(n/ε))
e · log n.
Proof. We use the standard construction of an ε-biased generator G0 of [5]. Let m :=

m
log(n/ε), and take a field 2 . For random seeds a, b ∈ F2 of length 2m, the ith

iof size bit
m
i
of G0 (a, b) is defined as a , b , i.e., the inner product of the binary representations of a and
b. It was shown in [5] that, for a, b chosen uniformly at random from F2m , the distribution
of G0 (a, b) is ε-biased.
We claim that, for every a, b ∈ F2m , there exists a
circuit
of size O(log(n/ε) · log2jn) that
i
takes i ∈ [n] as an input of length log n and computes a , b . Indeed, we hardwire a for all
j
j ≤ log n into a circuit; given an input i ∈ [n], one can compute ai by multiplying a2 for all
j such that the j-th bit of the binary representation of i is 1. This can be done with a circuit
of size O(m)
e · log n by using Lemma 32. It remains to compute the inner product of ai and b,
which can be done with a linear-size circuit. Overall, we obtain a circuit of size O(m)
e · log n.
The local ε-biased generator G is defined as a version of G0 such that a part c of the seed
is ignored: i.e., G(a, b, c) := G0 (a, b), where a, b ∈ F2m and |c| = O(m)
e · log n. J
Finally, we present a local δ-almost k-wise independent generator.

I Lemma 34 ([34]). Let 0 < δ < 1 and D be an δ-biased distribution over n-bit strings.
Then, for any k ∈ N, D is a 2k/2 · δ -almost k-wise independent distribution over n-bit
strings.
I Theorem 35. There exists a local δ-almost k-wise independent generator G : {0, 1}s →
{0, 1}n with seed length s = O(k
e + log(n/δ)) · log n.
Proof. By setting ε := 2−k/2 · δ, the local ε-biased pseudorandom generator of Theorem 33

is a local δ-almost k-wise independent generator by using Lemma 34. J
5.2 The Forbes-Kelley PRG

I Definition 36 (Forbes-Kelley PRG [14]). Let n, δ, γ, r, k be some parameters chosen later.
Let D1 , . . . , Dr be r independent δ-biased distributions and let T1 , . . . , Tr be r independent
γ-almost k-wise independent distributions over {0, 1}n . We define GFK r inductively as follows.
Let GFK
1 be some 320k-wise independent distribution and let
GFK FK
i+1 := Di + Ti ∧ Gi ,
for all 1 ≤ i ≤ r − 1, where ∧ denotes bitwise AND and + denotes bitwise XOR.
I Theorem 37 (Correctness of Forbes-Kelley PRG [14]). For parameters n, w ∈ N and
1/2 r := dlg ne,
ε > 0, choose the parameters as follows: k := d3 lg(nw/ε)e, γ := (nw/ε)−9 ,
−3 n
and δ := (nwL/ε) , where L := k w . Then, Gr : {0, 1}s → {0, 1}n is a pseudoran-
FK
dom generator that ε-fools unknown-order ROBPs of width w, where the seed length s is
O log(nw/ε) · log2 n .

I Theorem 38. There exists a local pseudorandom generator of seed length

e log(nw/ε) · log3 n that ε-fools unknown-order n-input ROBPs of width w.
O
Proof. We instantiate the Forbes-Kelley pseudorandom generator GFK r by using the paramet-
ers of Theorem 37 and using the construction of local generators of Theorem 33, Theorem 35,
and Theorem 31 for Di , Ti , and GFK 1 , respectively.
For a distribution D, we denote by CC(D) the maximum of CC(D) over all strings D in
3

the range of D. We claim that CC GFK r is at most O
e log(nw/ε) · log n . By Theorem 33
and Theorem 35, we have CC(Di ) ≤ O(log(n/δ)) · log n and CC(Ti ) ≤ O(k + log(n/γ)) · log n.
e e
Therefore, since GFK FK
i+1 = Di + Ti ∧ Gi , we obtain
CC GFK FK

i+1 ≤ CC(Di ) + CC(Ti ) + CC Gi + O(1)

for any i ∈ [r − 1]. We also have CC GFK 1 ≤ k · O(log
e n) from Theorem 31. Therefore,
CC GFK log3 (n)).

r ≤ r · O(k
e + log(n/γδ)) · log n + k · O(log
e n) = O(log(nw/ε)
e J
I Corollary 39 (A restatement
√ of Theorem 20). There exists a local pseudorandom generator
e ( t + log(1/ε)) · log q that ε-fools q-state time-t n-input DTMs, for any
with seed length O
t ≥ n.
Proof. By Lemma 19, any q-state time-t DTM M can be√written as the sum of ROBPs
{Pα }α∈A so that M (x) = α∈A Pα (x), where |A| ≤ (tq)O( t) . We set ε0 := ε/|A| and use
P
the local pseudorandom

√
generator GFK
r of Theorem 38 that ε0 -fools ROBPs of width w,
O( t) FK
where w = (tq) . Then, Gr is a PRG that ε-fools DTMs because

X
Exp M (GFK FK

z,w r (z)) − M (w)
≤ Exp P
z,w α r(G (z)) − P α (w) ≤ ε.
J
α∈A
5.3 Local PRG for combinatorial rectangles

I Theorem 40 (Local PRG for combinatorial rectangles). There exists a local pseudorandom
generator G : {0, 1}s → {0, 1}n that ε-fools the class of combinatorial
rectangles of k products
and width m, where the seed length s is O e (m + log(k/ε)) · log3 n .
We mention that Lee [29] showed that in the case of product tests (which contain
combinatorial rectangles as a special case), the analysis of the Forbes-Kelley PRG can be
improved, and obtained a PRG with nearly optimal seed length. This optimization would
improve our results at most a polylog(n) factor; for the sake of simplicity, we make use of
the Forbes-Kelley PRG.
Proof of Theorem 40. Suppose that a function f is computed by a combinatorial rectangle

of k products and width m. Namely, there exist some functions fi and disjoint subsets
V
S1 , · · · , Sk ⊆ [n], where |Si | ≤ m, such that f (x) = i∈[k] fi ( x|Si ), for every x. Since any
function fi on m inputs can be written as a width-2m ROBP, one can observe that f can
be computed by a ROBP of width 2m + 1. Using the local PRG of Theorem 38 for width
w := 2m + 1, we obtain a local PRG for combinatorial rectangles. J
6 MKTP lower bounds against branching programs

In this section, we develop a proof technique for applying Nečiporuk’s method to MKTP
and prove Theorem 4. The KT-complexity is formally defined as follows.
I Definition 41. Let U be an efficient universal Turing machine. For a string x ∈ {0, 1}∗ ,
the KT-complexity of x is defined as follows.
KT(x) := min{|d| + t | U d (i) outputs xi in time t for every i ∈ [|x| + 1]}.
Here we define xi as the ith bit of x if i ≤ |x| and ⊥ otherwise.
For a threshold θ : N → N, we denote by MKTP[θ] the problem of deciding whether

KT(x) ≤ θ(|x|) given a string x ∈ {0, 1}∗ as input.
For a function f : {0, 1}n → {0, 1}, we partition the input variables [n] into disjoint blocks
V1 , · · · , Vm , where |Vi | = v for each i ∈ [m] and n = vm. (v = O(log n) will be chosen later.)
The idea of the Nečiporuk’s method is to lower-bound the number of subfunctions. For each
i ∈ [m], we define ci (f ) to be the number of distinct functions f ρ such that ρ : [n] → {0, 1, ∗}
n
is a restriction with ρ−1 (∗) = Vi . [Recall that, for any x ∈ {0, 1} , f ρ (x) := f (y) where
n
y ∈ {0, 1} and, for all 1 ≤ i ≤ n, yi := ρ(i) if ρ(i) ∈ {0, 1}, else yi := xi .]
The Nečiporuk method can be then summarized as follows.
I Theorem 42 (Nečiporuk [35]; cf. [26, Theorem 15.1]). The size of a branching program com-
Pm
puting f is at least Ω ( i=1 log ci (f )/ log log ci (f )). The size of a non-deterministic
P branching

m
p
program or a parity branching program computing f is at least Ω i=1 log ci (f ) .
Our main technical result of this section is the following.
I Theorem 43. Let f : {0, 1}n → {0, 1} be MKTP[θ] on n-bit inputs for θ := n − 3c log n − 4,
where c > 0 is a universal constant. Then, for every i ∈ [m], it holds that ci (f ) = 2Ω(n) .
The lower bounds for branching programs (Theorem 4) immediately follow from The-
orem 43 and Theorem 42.
In our proof of Theorem 43, we only need the following two properties of KT-complexity.
1. The resource-unbounded Kolmogorov complexity6 provides a lower bound on the KT-

complexity. That is, K(x) ≤ KT(x) for any x ∈ {0, 1}∗ .
2. For any strings ρ1 , · · · , ρm ∈ {0, 1}v such that there exist distinct indices i 6= j ∈ [m]
such that ρi = ρj , we have KT(ρ1 · · · ρm ) ≤ (m − 1) · v + O(log n). This is because each
bit of the string ρ1 · · · ρm can be described by the strings {ρ1 , · · · , ρm } \ {ρj } and the
index j ∈ [m] in time O(log n).7
For simplicity, we focus on the case when i = 1; the other case can be proved similarly.
The idea of the proof is the following. Imagine that we pick ρ ∈ {∗}V1 × {0, 1}V2 ∪···∪Vm
uniformly at random. (Here we identify a restriction with a string in {0, 1, ∗}[n] .) We denote
by ρ2 ∈ {0, 1}V2 , · · · , ρm ∈ {0, 1}Vm the random bits such that ρ = ∗V1 ρ2 · · · ρm . We will
sometimes identify ρ2 · · · ρm with ρ.
Consider the function f ρ : {0, 1}V1 → {0, 1} obtained by restricting f by ρ. Then, we
expect that f ρ (ρi ) = 1 for any i ∈ {2, · · · , m} since KT(ρi ρ2 · · · ρm ) is small, whereas
f ρ (U ) = 0 for a random U ∼ {0, 1}V1 with high probability. Thus, the function f ρ is likely
to be distinct for a randomly chosen ρ.
In order to make the argument formal, we proceed as follows. Pick ρ randomly. Then we
add it to a set P while keeping the promise that the map ρ ∈ P 7→ f ρ is injective. We will
show that one can keep adding ρ until the size of P becomes exponentially large.
We will make use of symmetry of information of (resource-unbounded) Kolmogorov
complexity.
I Lemma 44. There exists a constant c > 0 such that, for any strings x, y ∈ {0, 1}∗ ,
K(xy) ≥ K(x) + K(y | x) − c log K(xy) .
We focus on restrictions ρ such that ρ is Kolmogorov-random. To this end, define
R := {ρ ∈ {0, 1}V2 ∪···∪Vm | K(ρ) ≥ |ρ| − 1}
as the set of Kolmogorov-random restrictions ρ. By the standard counting argument, we

have
|ρ|−2
X 1
Pr[ρ 6∈ R] ≤ 2i /2|ρ| ≤ .
ρ
i=1
2
The following lemma is the key for counting the number of distinct subfunctions.
I Lemma 45. Let ρ0 ∈ R be an arbitrary restriction and define θ := n − v + c log n. If
f ρ ≡ f ρ0 , then K(ρi | ρ0 ) ≤ 2c log n + 1 for any i ∈ {2, · · · , m}.
Proof. For each i ∈ [m] \ {1},
KT(ρi ρ2 · · · ρm ) ≤ |ρ2 | + · · · + |ρm | + O(log n) ≤ (m − 1) · v + c log n ≤ θ.
This means that ρi ρ2 · · · ρm is a YES instance of MKTP[θ]. Therefore, we have 1 = f ρ (ρi ) =

f ρ0 (ρi ), which implies that KT(ρi ρ02 · · · ρ0m ) ≤ θ. By the symmetry of information,
θ ≥ KT(ρi ρ02 · · · ρ0m ) ≥ K(ρi ρ02 · · · ρ0m ) ≥ K(ρ02 · · · ρ0m ) + K(ρi | ρ02 · · · ρ0m ) − c log n.
6
Let U be an efficient universal Turing machine. For a string x ∈ {0, 1}∗ , the resource-unbounded
Kolmogorov complexity of x is defined as K(x) := min{|d| | U d (i) outputs xi for every i ∈ [|x| + 1]}.
7
Here we assume that the universal Turing machine is efficient. If the universal Turing machine is slower
and the time is polylog(n), we obtain a branching program size lower bound of n2 /polylog(n).
Since ρ0 ∈ R, we have K(ρ02 · · · ρ0m ) ≥ v(m − 1) − 1 = n − v − 1. Therefore,
K(ρi | ρ02 · · · ρ0m ) ≤ θ + c log n − (n − v − 1) = 2c log n + 1. J
Now we set v := 4c log n + 4. Then, for any ρ0 ∈ R,
Pr[f ρ ≡ f ρ0 ] ≤ Pr[∀i ∈ [m] \ {1}, K(ρi | ρ0 ) ≤ v/2 − 1]

ρ
≤ (2v/2 /2v )m−1

= 2−n/2+v/2
≤ 2−n/3 .
In particular, for any P ⊆ R, by the union bound, we obtain
Pr[∃ρ0 ∈ P, f ρ ≡ f ρ0 ] ≤ |P | · 2−n/3 .

ρ
Therefore,
Pr[ρ 6∈ R or ∃ρ0 ∈ P, f ρ ≡ f ρ0 ] ≤ 1/2 + |P | · 2−n/3 ,

ρ
which is strictly less than 1 if |P | < 2n/3−1 . To summarize, we established the following
property.
I Corollary 46. For any P ⊆ R such that |P | < 2n/3−1 , there exists a restriction ρ such
that ρ ∈ R and f ρ 6≡ f ρ0 for any ρ0 ∈ P .
In light of this, we can construct a large set P such that the map ρ ∈ P 7→ f ρ is injective
as follows: Starting from P := ∅, add a restriction ρ ∈ R such that f ρ 6≡ f ρ0 for any ρ0 ∈ P ,
whose existence is guaranteed by Corollary 46 if |P | < 2n/3−1 . In this way, we obtain a
set P such that |P | ≥ 2n/3−1 and each f ρ is distinct for any ρ ∈ P . We conclude that
c1 (f ) ≥ |P | ≥ 2n/3−1 . This completes the proof of Theorem 43.
References
1 Eric Allender, Harry Buhrman, Michal Koucký, Dieter van Melkebeek, and Detlef Ronneburger.
Power from random strings. SIAM J. Comput., 35(6):1467–1493, 2006.
2 Eric Allender and Shuichi Hirahara. New insights on the (non-)hardness of circuit minimization
and related problems. In Proceedings of the 42nd International Symposium on Mathematical
Foundations of Computer Science (MFCS), pages 54:1–54:14, 2017.
3 Eric Allender and Michal Koucký. Amplifying lower bounds by means of self-reducibility. J.
ACM, 57(3):14:1–14:36, 2010.
4 Eric Allender, Michal Koucký, Detlef Ronneburger, and Sambuddha Roy. The pervasive reach
of resource-bounded Kolmogorov complexity in computational complexity theory. J. Comput.
Syst. Sci., 77(1):14–40, 2011.
5 Noga Alon, Oded Goldreich, Johan Håstad, and René Peralta. Simple constructions of almost
k-wise independent random variables. In Proceedings of the 31st Annual Symposium on
Foundations of Computer Science (FOCS), pages 544–553, 1990.
6 Alexander E. Andreev, Juri L. Baskakov, Andrea E. F. Clementi, and José D. P. Rolim.
Small pseudo-random sets yield hard functions: New tight explicit lower bounds for branching
programs. In Proceedings of the 26th International Colloquium on Automata, Languages and
Programming (ICALP), pages 179–189, 1999.
7 Paul Beame, Nathan Grosshans, Pierre McKenzie, and Luc Segoufin. Nondeterminism and
an abstract formulation of Nečiporuk’s lower bound method. ACM Trans. Comput. Theory,
9(1):5:1–5:34, 2016.
8 Allan Borodin, Alexander A. Razborov, and Roman Smolensky. On lower bounds for read-k-
times branching programs. Computational Complexity, 3:1–18, 1993.
9 Marco L. Carmosino, Russell Impagliazzo, Valentine Kabanets, and Antonina Kolokolova.
Learning algorithms from natural proofs. In Proceedings of the 31st Conference on Computa-
tional Complexity (CCC), pages 10:1–10:24, 2016.
10 Lijie Chen, Shuichi Hirahara, Igor Carboni Oliveira, Ján Pich, Ninad Rajgopal, and Rahul
Santhanam. Beyond natural proofs: Hardness magnification and locality. In 11th Innovations
in Theoretical Computer Science Conference, ITCS 2020, January 12-14, 2020, Seattle,
Washington, USA, pages 70:1–70:48, 2020.
11 Lijie Chen, Ce Jin, and R. Ryan Williams. Hardness magnification for all sparse NP languages.
In 60th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2019, Baltimore,
Maryland, USA, November 9-12, 2019, pages 1240–1255, 2019.
12 Mahdi Cheraghchi, Valentine Kabanets, Zhenjian Lu, and Dimitrios Myrisiotis. Circuit
lower bounds for MCSP from local pseudorandom generators. In Christel Baier, Ioannis
Chatzigiannakis, Paola Flocchini, and Stefano Leonardi, editors, 46th International Colloquium
on Automata, Languages, and Programming, ICALP 2019, July 9-12, 2019, Patras, Greece,
volume 132 of LIPIcs, pages 39:1–39:14. Schloss Dagstuhl - Leibniz-Zentrum für Informatik,
2019.
13 Stephen A. Cook and Robert A. Reckhow. Time-bounded random access machines. In
Patrick C. Fischer, H. Paul Zeiger, Jeffrey D. Ullman, and Arnold L. Rosenberg, editors,
Proceedings of the 4th Annual ACM Symposium on Theory of Computing, May 1-3, 1972,
Denver, Colorado, USA, pages 73–80. ACM, 1972.
14 Michael A. Forbes and Zander Kelley. Pseudorandom generators for read-once branching
programs, in any order. In Proceedings of the 59th IEEE Annual Symposium on Foundations
of Computer Science (FOCS), pages 946–955, 2018.
15 Sergey B. Gashkov and Igor S. Sergeev. Complexity of computation in finite fields. Journal of
Mathematical Sciences, 191(5):661–685, 2013.
16 Alexander Golovnev, Rahul Ilango, Russell Impagliazzo, Valentine Kabanets, Antonina Koloko-
lova, and Avishay Tal. AC0 [p] lower bounds against MCSP via the coin problem. In Christel
Baier, Ioannis Chatzigiannakis, Paola Flocchini, and Stefano Leonardi, editors, 46th Interna-
tional Colloquium on Automata, Languages, and Programming, ICALP 2019, July 9-12, 2019,
Patras, Greece, volume 132 of LIPIcs, pages 66:1–66:15. Schloss Dagstuhl - Leibniz-Zentrum
für Informatik, 2019.
17 Elad Haramaty, Chin Ho Lee, and Emanuele Viola. Bounded independence plus noise fools
products. SIAM J. Comput., 47(2):493–523, 2018.
18 Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseudorandom
generator from any one-way function. SIAM J. Comput., 28(4):1364–1396, 1999.
19 F. C. Hennie. One-tape, off-line turing machine computations. Inf. Control., 8(6):553–578,
1965.
20 Shuichi Hirahara. Non-black-box worst-case to average-case reductions within NP. In Pro-
ceedings of the Symposium on Foundations of Computer Science (FOCS), pages 247–258,
2018.
21 Shuichi Hirahara. Non-Disjoint Promise Problems from Meta-Computational View of Pseu-
dorandom Generator Constructions, 2020. Manuscript.
22 Shuichi Hirahara and Rahul Santhanam. On the average-case complexity of MCSP and its
variants. In Proceedings of the 32nd Computational Complexity Conference (CCC), pages
7:1–7:20, 2017.
23 Shuichi Hirahara and Osamu Watanabe. Limits of minimum circuit size problem as oracle. In
Proceedings of the 31st Conference on Computational Complexity (CCC), pages 18:1–18:20,
2016.
24 John M. Hitchcock and Aduri Pavan. On the NP-completeness of the minimum circuit size
problem. In Proceedings of the 35th IARCS Annual Conference on Foundation of Software
Technology and Theoretical Computer Science (FSTTCS), pages 236–245, 2015.
25 Russell Impagliazzo, Raghu Meka, and David Zuckerman. Pseudorandomness from Shrinkage.
J. ACM, 66(2):11:1–11:16, 2019.
26 Stasys Jukna. Boolean Function Complexity - Advances and Frontiers, volume 27 of Algorithms
and combinatorics. Springer, 2012.
27 Valentine Kabanets and Jin-yi Cai. Circuit minimization problem. In Proceedings of the 32nd
Annual ACM Symposium on Theory of Computing (STOC), pages 73–79, 2000.
28 Bala Kalyanasundaram and Georg Schnitger. Communication complexity and lower bounds
for sequential computation. In Informatik, Festschrift zum 60. Geburtstag von Günter Hotz,
pages 253–268. Teubner / Springer, 1992.
29 Chin Ho Lee. Fourier bounds and pseudorandom generators for product tests. In Proceedings
of the 34th Computational Complexity Conference (CCC), pages 7:1–7:25, 2019.
30 Wolfgang Maass. Quadratic lower bounds for deterministic and nondeterministic one-tape
Turing machines (extended abstract). In Proceedings of the 16th Annual ACM Symposium on
Theory of Computing (STOC), pages 401–408, 1984.
31 Wolfgang Maass and Amir Schorr. Speed-up of Turing machines with one work tape and a
two-way input tape. SIAM J. Comput., 16(1):195–202, 1987.
32 Dylan M. McKay, Cody D. Murray, and R. Ryan Williams. Weak lower bounds on resource-
bounded compression imply strong separations of complexity classes. In Proceedings of the
Symposium on Theory of Computing (STOC), pages 1215–1225, 2019.
33 Cody D. Murray and Richard Ryan Williams. On the (non) NP-hardness of computing circuit
complexity. In Proceedings of the 30th Conference on Computational Complexity (CCC), pages
365–380, 2015.
34 Joseph Naor and Moni Naor. Small-bias probability spaces: Efficient constructions and
applications. In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing
(STOC), pages 213–223, 1990.
35 E.I. Nečiporuk. On a Boolean function. Doklady Akademii Nauk SSSR, 169(4):765–766, 1966.
English translation in Soviet Mathematics Doklady.
36 Igor Carboni Oliveira, Ján Pich, and Rahul Santhanam. Hardness magnification near state-
of-the-art lower bounds. In Proceedings of the 34th Computational Complexity Conference
(CCC), pages 27:1–27:29, 2019.
37 Igor Carboni Oliveira and Rahul Santhanam. Hardness magnification for natural problems.
In Proceedings of the Symposium on Foundations of Computer Science (FOCS), pages 65–76,
2018.
38 Alexander A. Razborov and Steven Rudich. Natural proofs. In Proceedings of the 26th Annual
ACM Symposium on Theory of Computing (STOC), pages 204–213, 1994.
39 Claude E. Shannon. The synthesis of two-terminal switching circuits. Bell Systems Technical
Journal, 28:59–98, 1949.
40 Salil P. Vadhan. Pseudorandomness. Foundations and Trends in Theoretical Computer Science,
7(1-3):1–336, 2012.
41 Dieter van Melkebeek and Ran Raz. A time lower bound for satisfiability. In Josep Díaz,
Juhani Karhumäki, Arto Lepistö, and Donald Sannella, editors, Automata, Languages and
Programming: 31st International Colloquium, ICALP 2004, Turku, Finland, July 12-16, 2004.
Proceedings, volume 3142 of Lecture Notes in Computer Science, pages 971–982. Springer,
2004.
42 Emanuele Viola. Pseudorandom bits and lower bounds for randomized Turing machines.
Electronic Colloquium on Computational Complexity (ECCC), 26:51, 2019.
43 Osamu Watanabe. The time-precision tradeoff problem on on-line probabilistic Turing

machines. Theor. Comput. Sci., 24:105–117, 1983.
A Hardness magnification for one-tape Turing machines

In this section, we obtain the following hardness magnification result for one-tape Turing
machines.
I Theorem 47 (A corollary of McKay, Murray, and Williams [32]; Theorem

1, restated). There
exists a constant µ > 0 such that, if MCSP[2µn ] is not in DTIME1 N 1.01 , then P 6= NP.
Proof. McKay, Murray, and Williams [32, Theorem 1.3] showed that if P = NP, then there
exists a polynomial p such that, for any time-constructible function s(n), there exists a
one-pass streaming algorithm with update time p(s(n)) that computes MCSP[s(n)]. By
Lemma 9, we obtain MCSP[s(n)] ∈ DTIME1 [N · p(s(n))], where N = 2n . Depending on p, we
choose a small constant µ > 0 and set s(n) := 2µn so that N · p(s(n)) = N 1+O(µ) ≤ N 1.01 .
To summarize, we have proved that if P = NP, then for some constant µ > 0, MCSP[2µn ] ∈
DTIME1 [N 1.01 ]. This statement is logically equivalent to the following: There exists a constant
µ > 0 such that P = NP implies that MCSP[2µn ] 6∈ DTIME1 [N 1.01 ] (because the statement
that P = NP is independent of µ). Taking its contrapositive, we obtain the desired result. J
ECCC ISSN 1433-8092
https://eccc.weizmann.ac.il

One-Tape Turing Machine and Branching Program Lower Bounds For MCSP

Uploaded by

Copyright:

Available Formats

One-Tape Turing Machine and Branching Program Lower Bounds For MCSP

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

One-Tape Turing Machine and Branching Program Lower Bounds For MCSP

Uploaded by

Copyright:

Available Formats

Electronic Colloquium on Computational Complexity, Revision 1 of Report No.

One-Tape Turing Machine and Branching

1.1 Our results

phenomena of Theorem 1 is a nearly-linear-time oracle algorithm that solves MCSP[2o(n) ] by

1.1.2 Lower bounds against branching programs

for non-deterministic or parity branching programs. As a consequence, no non-trivial lower

I Theorem√5. There exists an explicit construction of a (local) hitting set generator

I Corollary 6. Any read-once co-non-deterministic branching program that computes MCSP

1.2 Our techniques

1.2.2 Nečiporuk’s method for MKTP lower bounds

1.3 Related work

for all large n ∈ N.

I Definition 8 (Minimum Circuit Size Problem [27]). We define MCSP as

and its parameterized version as

for a size parameter s : N → N.

2.2 Turing machines

2.3 Streaming algorithms

2.4 Branching programs

2.5 Pseudorandom generators and hitting set generators

I Definition 10. Let s : N → N be a function, C be a circuit class, and 0 < ε < 1. A

for any circuit C ∈ C. By default, we choose ε := 1/2.

I Definition 12. For a function s : N → N and a parameter 0 < ε < 1, a function

for any q-state time-t RTM M .

2.6 MCSP lower bounds from local HSGs

3 MCSP lower bounds against one-tape oracle RTMs

3.1 Connections to hardness magnification

A corollary of Lemma 16 and Lemma 9 is the following.

I Corollary 17 (Consequences of hardness magnification from currently known techniques).

The following remark summarizes the main idea of this subsection.

3.1.1 Comparison with the locality barrier

Existing magnification theorems unconditionally show that problems, against which

3.2 Proof of Theorem 15

4 HSGs against non-deterministic ROBPs

As a corollary, we obtain an exponential-size lower bound for co-non-deterministic read-

I Corollary 24 (Corollary 6, restated). Any read-once co-non-deterministic branching program

Proof. Immediate from Lemma 13 and Theorem 23. J

Herein, we present a general connection from a pseudorandom generator for combinatorial

I Definition 25 (Combinatorial rectangles). Let n ∈ N. A combinatorial rectangle of k

I Lemma 27(Borodin, Razborov, and Smolensky [8]). Let n, k, s ∈ N, m := n/k ≥ 1, and

5 The Forbes-Kelley PRG is local

5.1 Biased and almost k-wise independent distributions

Below, we define almost k-wise independent distributions.

We next show that there exists a local ε-biased generator.

Proof. We use the standard construction of an ε-biased generator G0 of [5]. Let m :=

Finally, we present a local δ-almost k-wise independent generator.

Proof. By setting ε := 2−k/2 · δ, the local ε-biased pseudorandom generator of Theorem 33

5.2 The Forbes-Kelley PRG

I Theorem 38. There exists a local pseudorandom generator of seed length

CC GFK log3 (n)).

the local pseudorandom

5.3 Local PRG for combinatorial rectangles

Proof of Theorem 40. Suppose that a function f is computed by a combinatorial rectangle

6 MKTP lower bounds against branching programs

KT(x) := min{|d| + t | U d (i) outputs xi in time t for every i ∈ [|x| + 1]}.

Here we define xi as the ith bit of x if i ≤ |x| and ⊥ otherwise.

For a threshold θ : N → N, we denote by MKTP[θ] the problem of deciding whether

Our main technical result of this section is the following.

1. The resource-unbounded Kolmogorov complexity6 provides a lower bound on the KT-

K(xy) ≥ K(x) + K(y | x) − c log K(xy) .

This means that ρi ρ2 · · · ρm is a YES instance of MKTP[θ]. Therefore, we have 1 = f ρ (ρi ) =

Pr[f ρ ≡ f ρ0 ] ≤ Pr[∀i ∈ [m] \ {1}, K(ρi | ρ0 ) ≤ v/2 − 1]

Pr[∃ρ0 ∈ P, f ρ ≡ f ρ0 ] ≤ |P | · 2−n/3 .

Pr[ρ 6∈ R or ∃ρ0 ∈ P, f ρ ≡ f ρ0 ] ≤ 1/2 + |P | · 2−n/3 ,