Expander-Based Cryptography Meets Natural Proofs

We introduce new forms of attack on expander-based cryptography, and in particular on Goldreich’s pseudorandom generator and one-way function. Our attacks exploit low circuit complexity of the underlying expander’s neighbor function and/or of the local predicate. Our two key conceptual contributions are: We put forward the possibility that the choice of expander matters in expander-based cryptography. In particular, using expanders whose neighbor function has low circuit complexity might compromise the security of Goldreich’s PRG and OWF in certain settings. We show that the security of Goldreich’s PRG and OWF over arbitrary expanders is closely related to two other long-standing problems: The existence of unbalanced lossless expanders with low-complexity neighbor function, and limitations on circuit lower bounds (i.e., natural proofs). In particular, our results further motivate the investigation of affine/local unbalanced lossless expanders and of average-case lower bounds against DNF-XOR circuits. We prove two types of technical results. First, in the regime of quasipolynomial stretch (in which the output length of the PRG and the running time of the distinguisher are quasipolynomial in the seed length) we unconditionally break Goldreich’s PRG, when instantiated with a specific expander whose existence we prove, and for a class of predicates that match the parameters of the currently-best “hard” candidates. Secondly, conditioned on the existence of expanders whose neighbor functions have extremely low circuit complexity, we present attacks on Goldreich’s PRG in the regime of polynomial stretch. As one corollary, conditioned on the existence of the foregoing expanders, we show that either the parameters of natural properties for several constant-depth circuit classes cannot be improved, even mildly; or Goldreich’s PRG is insecure in the regime of a large polynomial stretch for some expander graphs, regardless of the predicate used. We put forward the possibility that the choice of expander matters in expander-based cryptography. In particular, using expanders whose neighbor function has low circuit complexity might compromise the security of Goldreich’s PRG and OWF in certain settings. We show that the security of Goldreich’s PRG and OWF over arbitrary expanders is closely related to two other long-standing problems: The existence of unbalanced lossless expanders with low-complexity neighbor function, and limitations on circuit lower bounds (i.e., natural proofs). In particular, our results further motivate the investigation of affine/local unbalanced lossless expanders and of average-case lower bounds against DNF-XOR circuits.


Introduction
Theoretical results provide strong evidence that if secure cryptography is possible, then many fundamental primitives such as one-way functions (OWF) and pseudorandom generators (PRG) can be implemented with a dramatic level of efficiency and parallelism. Specifically, security against efficient adversaries can be achieved by functions where each output bit only depends on a constant number of input bits (see, e.g., Applebaum et al. (2006), and also Applebaum (2014) for a survey of recent results).
A concrete type of such construction is a conjectured form of OWF that is based on any expander graph and on a local predicate. Specifically, about two decades ago, Goldreich (2000Goldreich ( , 2011 suggested the following candidate owf : {0, 1} n → {0, 1} n . Fix any bipartite graph [n] × [n] of right-degree ≤ O(log(n)) in which every set S ⊆ [n] of size up to k on the right-hand side has at least (say) 1.01 · |S| neighbors, and also fix a predicate P : {0, 1} → {0, 1}. Then, given input x ∈ {0, 1} n , each output bit owf(x) i is computed by applying P to the bits of x at the neighbors of i ∈ [n]. The expected running-time of a naive algorithm for inverting owf is at least exp(k) (see, e.g., (Goldreich 2011, Sec. 3.2) and (Applebaum 2014, Sec. 3.1)), and Goldreich conjectured that for an appropriate predicate P , no algorithm can perform significantly better.
The question of whether Goldreich's constructions are secure is a long-standing open problem. Much research has focused on necessary requirements from the predicate and from the parameters in order for the construction to be secure. Let us, for simplicity of presentation, focus on the PRG. In this case, the locality cannot be too small: If we want a PRG with super-linear stretch, then we must use ≥ 5 Mossel et al. (2006); 1 and if we want stretch m = n k , then must be at least (roughly) 3k (see (O'Donnell & Witmer 2014, Theorem II.11)). Also, as shown in Applebaum & Lovett (2018), the predicate must have high resilience (i.e., all of the predicate's Fourier coefficients corresponding to sets of size at most Ω( ) are zero; see Definition 4.8) and high rational degree (this is a generalization of the requirement that the degree of the predicate as a polynomial F 2 → F 2 is Ω( ); see Definition 4.9).
The foregoing properties capture most existing attacks in the PRG setting. Indeed, as mentioned above, all these attacks exploit vulnerabilities of the predicate and of the parameters, but not of the underlying expander. In fact, prior to our work, the PRG was conjectured to be secure for any underlying expander with sufficiently good expansion properties. For reference, let us state such a strong form of conjectured security of the OWF, from the recent work Applebaum & Raykov (2016).
Definition 1.1 (bipartite expander graphs). A bipartite graph G is an (n, m, )-graph if it has n vertices on the left, m vertices on the right, and right-degree . An (n, m, )-graph is a (k, 1 − )-expander if for every set S ⊆ [m] on the right-hand side of size at most k, the 1.1. A high-level digest of our contributions. Our main contribution is a new form of attack on Goldreich's pseudorandom generator, which exploits computational complexity properties (and, in particular, circuit complexity properties) of the expander and/or of the predicate on which the generator is based. In particular, our distinguishers are algorithms associated with natural properties, in the sense of Razborov & Rudich (1997). (Recall that a natural property against a circuit class C is an efficient algorithm that distinguishes a random string, interpreted as a truth table, from truth tables of C-circuits.) 3 1. The conjecture that the PRG and OWF are secure with any expander, given an appropriate predicate, might be too naive.
In particular, the security of the constructions might crucially hinge on a choice of expander whose neighbor function has sufficiently high circuit complexity. Alternatively, if the latter is not true (i.e., if the PRG and OWF can be secure given any expander), then the predicate must have sufficiently high circuit complexity for the constructions to be secure in some settings (i.e., when the stretch is quasipolynomial).
Note that a random graph will (with high probability) not only be an expander, but also have a neighbor function with high circuit complexity. Therefore, our results do not put into question the security of the PRG and OWF when instantiated with a random graph.
2. There are significant interdependencies between the security of Goldreich's PRG and OWF, the existence of unbalanced lossless expanders with low-complexity neighbor function, and limitations on circuit lower bounds (i.e., natural proofs). Moreover (as further explained below), the questions motivated by our results are closely related both to existing results and to long-standing open problems in each area.
Results for quasipolynomial stretch. In the setting of quasipolynomial stretch, the output length m of the PRG is quasipolynomial in the seed length n (i.e., m = 2 poly log(n) ) and the running time of the distinguisher is polynomial in the output length (i.e., running time poly(m) = 2 poly log(n) ). This is not the standard setting for cryptographic application, yet it is a natural and appealing setting to consider.
In this setting, we unconditionally break Goldreich's PRG when it is instantiated with predicates with high resilience and rational degree, but with an expander whose neighbor function can be computed by AC 0 [⊕] circuits of (small) subexponential size. In fact, our predicates are variations on the specific XOR-MAJ predicate mentioned above. Using a known reduction of PRGs to OWFs (by Applebaum & Raykov (2016)), it follows that Assumption 1.2 does not hold for some predicates with high resilience and rational degree. To prove this result, we actually prove the existence of expanders with neighbor function as above; the latter proof, which uses certain unconditional PRGs that can be computed in a strongly explicit fashion, might be of independent interest. (See Section 1.2.) Results for polynomial stretch. In the regime of polynomial stretch (i.e., m = poly(n)), we put forward two assumptions about plausible extensions of known expander constructions in which the neighbor functions have even lower circuit complexity (compared to the expander mentioned above). Conditioned on any of the two assumptions, we show that exactly one of two options holds: Either the parameters of natural properties for certain restricted constant-depth circuit classes cannot be improved, even mildly; or Goldreich's PRG is insecure for some expanders in the regime of a large polynomial stretch, regardless of the predicate used. (See Section 1.3.) Some important cryptographic applications crucially rely on the security of expander-based PRGs with polynomial, or even linear, stretch (see, e.g., (Applebaum 2016, Section 4, "The Stretch") and the references therein). We stress that our results for the setting of polynomial stretch are conditional on the existence of suitable expanders and only break the PRG and OWF (when instantiated with these expanders) if there are natural properties for constantdepth circuit classes beyond what is currently known. Thus, further investigation is needed to determine whether our results have implications on the security of the aforementioned applications.
cc Expander-Based Crypto. Meets Natural Proofs Page 7 of 60 4

Unconditional results for quasipolynomial stretch.
Our main result for the setting of quasipolynomial stretch is an attack that unconditionally breaks Goldreich's PRG when it is instantiated with a specific expander that has optimal expansion properties, and with a class of predicates that have both high resilience and high rational degree. In the following statement, Goldreich's PRG stretches n bits to m = n log(n) k bits, and the distinguisher is a uniform algorithm that gets an m-bit string, runs in time poly(m) = n O(log(n) k ) , and distinguishes the output of the PRG from uniform (see Definitions 3.2 and 3.3). In more detail: Theorem 1.3. (an unconditional attack on Goldreich's PRG with quasipolynomial stretch; informal) For every d ∈ N, sufficiently large k, c ∈ N, and sufficiently small > 0, there exists a deterministic polynomial-time algorithm A that satisfies the following. Let n ∈ N be sufficiently large, let m = n log k (n) , and let = c · log k (n). Then, there exists an (n, m, )-expander such that for any predicate P : {0, 1} → {0, 1} that can be computed by an AC 0 [⊕] circuit of depth d and size at most 2 , when Goldreich's PRG is instantiated with the expander G and the predicate P , the algorithm A distinguishes the m-bit output of the PRG from a uniform m-bit string (with gap > 1/2).
In fact, we actually prove a more general theorem, which exhibits a trade-off between the locality and the size of the AC 0 [⊕] circuit for the predicate P (for a precise statement see Theorem 4.7). That is, we are able to break the generator with a specific expander even with much larger locality (e.g., = n .01 ), at the expense of using a more restricted predicate family, namely that of AC 0 [⊕] circuits of smaller size (e.g., polynomial size). We stress that even the latter predicate family is rich enough to contain predicates that have both high resilience and high rational degree (see below).
Recall that the property of the expander [n] × [m] that we exploit in our attack is that its neighbor functions (i.e., the functions Γ i : [m] → [n] for i ∈ [ ]) have low circuit complexity. The expander in Theorem 1.3 in particular has neighbor functions that can be computed by AC 0 [⊕] circuits of small sub-exponential size.
We prove the existence of lossless expanders with such neighbor functions in Section 4.1, in a result that might be of independent interest (see Section 2.2 for details). We comment that our construction is non-uniform (i.e., we do not obtain a uniform algorithm that constructs the graph).
Breaking Goldreich's OWF. Combining Theorem 1.3 with Applebaum and Raykov's reduction of expander-based PRGs to expander-based OWFs (Applebaum & Raykov 2016, Theorem 3.1) (i.e., they prove that if an arbitrary instance of Goldreich's OWF is secure, then a closely related instance of Goldreich's PRG is also secure), our attack also breaks Goldreich's OWF when instantiated with a specific expander and with a rich predicate family. Specifically, we say that a predicate P : {0, 1} → {0, 1} is sensitive if it is "fully sensitive" to one of its coordinates (i.e., if for all x ∈ {0, 1} it holds that P (x) = x i ⊕ P (x), for some i ∈ [ ] and P that does not depend on x i ). Then: Corollary 1.4. (an unconditional attack on Goldreich's OWF with quasipolynomial stretch; informal) There exists a probabilistic polynomial-time algorithm A that satisfies the following. Let n ∈ N be sufficiently large, let m = n k =poly log(n) , and let = O(k ). Then, there exists an (n, m , )-expander such that for any sensitive predicate P : {0, 1} → {0, 1} that can be computed by an AC 0 [⊕] circuit of sufficiently small sub-exponential size, when Goldreich's one-way function is instantiated with the expander G and the predicate P , the algorithm A inverts the function with success probability Ω(1/m n).
As immediate corollaries of Theorem 1.3 and of Corollary 1.4, we deduce that Assumption 1.2 does not hold for any sensitive predicate family that can be computed by AC 0 [⊕] circuits of sufficiently small sub-exponential size; and similarly, that the "PRG analogue" of Assumption 1.2, denoted EP RG(P) in Applebaum & Raykov (2016), does not hold for any predicate family that can be computed by AC 0 [⊕] circuits of sufficiently small sub-exponential size.
cc Expander-Based Crypto. Meets Natural Proofs Page 9 of 60 4 The predicate family and the expander's locality. Recall that Applebaum and Raykov suggested the candidate predicate XOR-MAJ; we prove that when replacing majority by approximate majority (see Definition 4.10), the resulting predicate XOR-APPROX-MAJ still has both high resilience and high rational degree and can also be computed by a polynomial-sized AC 0 [⊕] circuit (see Section 4.3). Thus, the predicate families in Theorem 1.3 and Corollary 1.4 contain predicates with high resilience and high rational degree, and even predicates that are variations on the "hard" candidate XOR-MAJ. 4 Moreover, the predicate XOR-APPROX-MAJ does not even use the "full power" of the predicate family for which Theorem 1.3 allows us to break Goldreich's PRG (with specific expanders) -the predicate XOR-APPROX-MAJ is computable by a circuit of polynomial size, whereas we can break the generator when the predicate can be computed by a circuit of sub-exponential size. We use this to our advantage by relying on the more general version of Theorem 1.3 (i.e., Theorem 4.7), which exhibits a trade-off between locality and the predicate class. Specifically, we obtain the following theorem, which breaks the generator even when the locality is large (e.g., = n Ω(1) ) and the predicate has high resilience and rational degree: Theorem 1.5. (breaking Goldreich's PRG with the predicate XOR-APPROX-MAJ and high locality] There exists s > 1 and c ∈ N such that for k(n) = log(n) s and m(n) = n k(n) and every timecomputable (n) ∈ [c · k(n), n 1/c ] there exists a polynomial-time algorithm A satisfying the following. For any sufficiently large n ∈ N, there exists an (n, m(n), (n))-expander and a predicate P : {0, 1} (n) → {0, 1} with resilience Ω( (n)) and rational degree Ω( (n)) (i.e., the predicate XOR-APPROX-MAJ) such that when Goldreich's PRG is instantiated with the expander G and the predicate P , the algorithm A distinguishes the m-bit output of the PRG from a uniform m-bit string (with gap > 1/2). We stress again that in Theorem 1.5, as in Theorem 1.3, the PRG stretches n bits to m = n log(n) s bits, and the distinguisher is a uniform algorithm that gets as input an m-bit string and runs in time poly(m) = n O(log(n) s ) .
A comment about the setting of quasipolynomial stretch. As pointed out by a reviewer, in cryptographic applications the quasipolynomial setting can be thought of as trying to attack a PRG with quasipolynomial stretch in time that is quasipolynomial in the seed length. An alternative perspective, which we elaborate on in Section 2, is to think of Goldreich's PRG {0, 1} n → {0, 1} m as a pseudorandom function (PRF) with seed length n and domain log(m) = poly log(n) (i.e., the PRF maps seed x ∈ {0, 1} n to a function g x : {0, 1} log(m) → {0, 1}), in which case the attack is quasipolynomial in the seed length and polynomial in the size m of the truth-table of the PRF.

Conditional results for large polynomial stretch.
Recall that the conjectured "hardness" of Goldreich's PRG (i.e., Assumption 1.2) refers both to the regime of polynomial stretch and to the regime of quasipolynomial stretch (as long as the locality is sufficiently large to support the corresponding stretch). Could it be that complexity-based attacks separate these two parameter regimes? That is, could the reason that our attacks from Section 1.2 work be that the stretch of the generator is superpolynomial?
As mentioned in Section 1.1 (and will be explained in Section 2), the underlying technical components in our complexity-based attacks are unbalanced lossless expanders [n] × [m] whose neighbor functions have low circuit complexity, and natural properties against weak circuit classes. Our main results for the polynomialstretch regime are of the following form: If lossless expanders [n]×[n O(1) ] with constant degree and (specific) "very simple" neighbor functions exist, then exactly one of two cases holds: 1. Either the parameters of natural properties for certain wellstudied weak circuit classes cannot be improved, even mildly; or 2. For a sufficiently large polynomial stretch, Goldreich's PRG is insecure when instantiated with a specific expander, regardless of the predicate used.
We now present two plausible assumptions on existence of suitable expanders, which are essentially improvements or extensions of existing explicit constructions. Conditioned on each assumption, we will contrast the security of Goldreich's PRG with the possibility of extending natural proofs for some well-studied circuit class.

Affine expanders and DNF-XOR circuits.
As motivation for our first assumption, let us recall two well-known explicit constructions of unbalanced lossless expanders, which were given by Ta-Shma et al. (2007), and later on by Guruswami et al. (2009). We note that these two constructions are inherently different (the relevant construction from Ta , and yet in both constructions the neighbor function of the expander can be computed by single layer of parity gates (see Section 5.1 for further details); we will call expanders with such a neighbor function affine expanders.
In the two foregoing affine expanders, the right-degree is polylogarithmic, and it is an open problem to improve the degree to be constant, which matches the degree of a random construction. However, a random construction is not necessarily affine. Our first assumption is that there indeed exists an affine expander with constant degree: Assumption 1.6. (expanders with an affine neighbor function; informal, see Assumption 5.3) There exists β > 3 such that for every constant k ∈ N and sufficiently large n ∈ N, there exists an (n, m, )-expander, where m = n k and = β · k, whose neighbor function Γ G : [m] → ([n]) can be computed by a single layer of parity gates.
An unconditional proof of Assumption 1.6 will contrast the security of Goldreich's PRG with the possibility of extending the known natural properties for DNF-XOR circuits of exponential size. 5 Specifically, known lower bounds for DNF-XOR circuits yield natural properties useful against such circuits of size up to 2 (1−o(1))·n (see Section 5.1.2). 6 Can these natural properties be extended to functions that are approximated, in the average-case sense, by DNF-XOR circuits of size 2 ·n , for some > 0? This is the natural property that we contrast with the security of Goldreich's PRG: Theorem 1.7. (is Goldreich's PRG always insecure with certain expanders, or are natural properties for DNF-XOR circuits "nonextendable"?; informal statement) Suppose that Assumption 1.6 holds. Then, exactly one of the following two options holds: We stress that for any value of β > 3 such that Assumption 1.6 holds, Theorem 1.7 follows with that value of β. Also note that Cohen & Shinkar (2016) specifically conjectured that strong average-case lower bounds for DNF-XOR circuits of size 2 Ω(n) hold and proved a similar statement for the related-yet-weaker model of parity decision trees. (Their proof for parity decision trees indeed yields a natural property; see Proposition 5.12.) 1.3.2. N C 0 expanders and weak AC 0 4 circuits. To motivate our next assumption, recall the recent explicit construction of lossless expanders by Viola & Wigderson (2017) (which builds on the well-known construction of Capalbo et al. (2002)). In this construction, the neighbor function can be computed by an N C 0 circuit, but this construction is only for balanced expanders, rather than unbalanced ones (see Theorem 5.19). The following assumption is that such a construction is possible also for unbalanced expanders: Specifically, relying on Håstad's switching lemma (Håstad 1987), for any c = O(1) and β ≥ 1 there exists a natural property against depth-four circuits with top fan-in c, bottom fan-in log(c)/β, and size 2 ·(n/ log(c)) , for a tiny universal = (c, β) > 0 (see Proposition 5.22). Now, suppose that Assumption 1.8 holds for some β > 3, and for simplicity assume that the locality of the N C 0 circuits is precisely k. Then, the following theorem contrasts the security of Goldreich's PRG with the possibility of extending this natural property to work against such circuits of size 2 β·(n/ log(c)) instead of 2 ·(n/ log(c)) . Theorem 1.9. (is Goldreich's PRG always insecure with certain expanders, or are natural properties for very restricted AC 0 circuits "non-extendable"?; informal statement) Suppose that Assumption 1.8 holds and that for any k ∈ N, the locality of the N C 0 circuit is k. Then, exactly one of the following two options holds:  Recall that Assumption 1.8 is parametrized by β and by the locality of the N C 0 circuit; we stress that for any values of β and t such that Assumption 1.8 holds, we get a corresponding "win-win" theorem such as Theorem 1.9 (for further details see Section 5.2). We also stress that both the natural properties that we can unconditionally prove and the natural properties referred to in Theorem 1.9 are for circuits of exponential size 2 Θ(n/ log(c)) , and the difference is in the universal constant hidden in the Θ-notation.

An important comment about the assumptions in this section.
As mentioned in Section 1.1, the explicit construction of highly unbalanced lossless expanders is a long-standing open problem, regardless of the circuit complexity of their neighbor function (see, e.g., Capalbo et al. (2002), (Vadhan 2012, Problems 5.36 & 6.35), and (Wigderson 2018, Chapter 8.7)). Assumptions 1.6 and 1.8, however, do not concern explicit constructions of expanders, but only assume their existence; in particular, the circuit family for the neighbor function of the graph may be nonuniform. (This is indeed the case for our construction of expanders in the quasipolynomial stretch regime.)

Organization.
In Section 2, we describe our proof approach, in high-level, and give overviews of some of the proofs. Section 3 contains preliminary definitions. In Section 4, we prove our results for the regime of quasipolynomial stretch, and in Section 5, we prove our results for the regime of polynomial stretch.

Overviews of the proofs
2.1. The general form of attack. A natural property for a class F of functions is a deterministic polynomial-time algorithm that rejects all truth-tables of functions from F, but accepts the truthtables of almost all functions. 7 Indeed, a natural property for F exists only if almost all functions are not in F. We will show how to use natural properties to break Goldreich's pseudorandom generator when instantiated with a suitable expander.
The key step in our proofs is to show, for every fixed x ∈ {0, 1} n , that prg(x) is the truth-table of a function from some class F of "simple" functions (e.g., prg(x) is the truth-table of a small constant-depth circuit). When we are able to show this, it follows that a natural property for F can distinguish the outputs of the PRG from uniformly chosen random strings: This is because the natural property rejects any string in the output-set of the PRG (which is the truth-table of a function in F), but accepts a random string, with high probability. (The general idea of using natural properties to break PRGs in this manner goes back to the original work of Razborov & Rudich (1997).) Recall that Goldreich's PRG (i.e., the function prg) is always a very "simple" function, since each output bit depends on a few (i.e., n) input bits. However, in order for our idea to work, we need that a different function (i.e., not the function prg) will be simple: Specifically, for every fixed input x, we want that the function g x : {0, 1} log(m) → {0, 1} such that g x (i) = prg(x) i will be "simple". That is, for a fixed "seed" x for the PRG, the function g x gets as input an index i of an output bit and computes the i th output bit of prg(x) as a function of i. Intuitively, given i ∈ [m], the function g x needs to compute three different objects, successively: • The projections of the (fixed) string x on locations Γ G (i).
• The output of the predicate P on x Γ G (i) .
The proofs of our main theorems consist of showing instantiations of Goldreich's PRG (i.e., choices for an expander and a predicate) such that g x is a function from a class against which we can construct natural properties. Observe that the two crucial components that determine the complexity of g x are the complexity Footnote 7 continued relaxes the requirement from rejecting "almost all" functions to rejecting "most" functions). of the neighbor function Γ G , and the complexity of the predicate P .
The connection to expander-based pseudorandom functions. An alternative perspective of the construction of g x above is as giving rise to a collection of pseudorandom functions (PRFs) 1} n that are based on (an instantiation of) Goldreich's PRG. Indeed, the crucial point is that the transformation above of Goldreich's PRG to a PRF is extremely simple and incurs very little complexity overhead (on top of the complexities of Γ G and of P ).
As pointed out by a reviewer, from this perspective one can view our construction as following an approach first introduced by Applebaum & Raykov (2016). They showed how to construct relatively simple PRFs (or, alternatively, very simple weak PRFs) based on Goldreich's PRG, where a crucial point in deducing the simplicity of the PRFs was that the expander's neighbor function is local. Similarly to their work, we also transform Goldreich's PRG to a "candidate PRF," but since we assume additional structure on the former (i.e., we assume that Γ G and/or P are computationally simple), we can deduce that the latter is significantly simpler than in their work.
The crucial conceptual difference between our work and Applebaum & Raykov (2016) is that they assumed that Goldreich's PRG is secure when instantiated with a random expander, and deduced that relatively simple PRFs exist. In contrast, in this work we break the "candidate PRFs" that our transformation yields (or rely on hypotheses that it can be broken), and we thus deduce that the specific corresponding instantiations of Goldreich's PRG are insecure. Indeed, this crucially uses the fact that our "candidate PRFs" are considerably simpler than in Applebaum & Raykov (2016). For further discussion, see Section 2.4.

The setting of quasipolynomial stretch.
The proof of Theorem 1.3 consists of showing that for a suitable expander G, and for any predicate P computable by an AC 0 [⊕] circuit of sufficiently small sub-exponential size, the function g x can be computed cc Expander-Based Crypto. Meets Natural Proofs Page 17 of 60 4 by an AC 0 [⊕] circuit of sufficiently small sub-exponential size. Natural properties for such circuits, based on the lower bounds by Razborov and Smolensky (Razborov 1987;Smolensky 1987), are well-known (see, e.g., Carmosino et al. (2016); Razborov & Rudich (1997)).
To describe the instantiations and the construction of an AC 0 [⊕] circuit for g x , let n ∈ N, and let m = 2 (log(n)) k , for a sufficiently large k. The first technical component that we need is an expander graph G such that the function i → Γ G (i) can be computed by a sub-exponential sized AC 0 [⊕] circuit. We show that there exists such a graph, with essentially optimal parameters: Theorem 2.1. (strongly explicit lossless expander in AC 0 [p]; see Theorem 4.6) There exists a universal constant d G ∈ N such that the following holds. For any k ∈ N and sufficiently large n, there exists an (n, m, )-expander, where m = 2 (log(n)) k and = O(log(m) / log(n)), and an AC 0 We stress that the depth d G of the circuit in Theorem 2.1 does not depend on the relation between m and n, which is what will allow us to have a natural property for the circuit C G . Specifically, recall that we have natural properties against AC 0 [⊕] circuits of depth d G over m = log(m) input bits of sub-exponential size 2 Ω( 1/2d G m ) . The size of C G is poly(n), and thus, if we take m = 2 (log(n)) k , for a sufficiently large k, then the size of C G is a sufficiently small sub-exponent in its input length log(m).
In high-level, our construction of the expander in Theorem 2.1 is as follows. Our starting point is the well-known fact that a random graph is, with high probability, a good lossless bipartite expander (see Theorem 3.4). The first step is to construct an efficient test that gets as input a string G ∈ {0, 1} m , where m = m· ·log(n), considers G as the incidence-list of a graph, and decides whether or not G is an (n .99 , .99)-expander. We show that such a test can be implemented by a CNF of size 2 n (see Claim 4.2). Hence, a pseudorandom generator for CNFs of size 2 n outputs, with high probability, a good expander. Specifically, we will use the pseudorandom generator of Nisan (1991), which has seed length poly(n). Thus, for some fixed "good" seed s, the output NW (s) ∈ {0, 1} m of the generator on s is an (n .99 , .99)-expander.
Our next step is to show that the expander represented by NW (s) has neighbor functions that can be computed by an AC 0 [⊕] circuit. In fact, we will show that there exists a circuit that gets as input the index i ∈ {0, 1} log(m ) of a bit in NW (s) and outputs NW (s) i . To do so, we can rely, for instance, on the recent work of Carmosino et al. (2016) , who showed that Nisan's generator can be made "strongly explicit": That is, there exists an AC 0 [⊕] circuit of polynomial size that gets as input a seed z and an index i of an output bit and computes the i th output bit of the generator on seed z. 8 By "hard-wiring" a "good" seed s into the latter circuit, we obtain an AC 0 [⊕] circuit of size poly(n) that computes the output bits of the expander NW (s). Indeed, a crucial point is that we did not algorithmically look for a good seed s, but rather non-uniformly fixed a "good" seed and "hard-wired" it into the circuit.
Given this expander construction, g x can compute i → Γ G (i) in sub-exponential size, and we now need g x to compute the projections of x on locations Γ G (i). To do so, we simply "hard-wire" the entire string x into g x . Specifically, after computing the function i → Γ G (i), the circuit now has the · log(n) bits of Γ G (i); it then uses depth-two formulas, each over log(n) bits and of size n, to compute the mapping Γ G (i) → x Γ G (i) by brute-force. This increases the size of the circuit for g x by · n < n 2 gates, which is minor compared to the size poly(n) of C G from Theorem 2.1.
Finally, the circuit g x has now computed the bits corresponding to x Γ G (i) and needs to compute the predicate P : {0, 1} → {0, 1} on these bits. To get the circuit to be of sufficiently small sub-exponential size, we require that the predicate can be computed by a sufficiently small sub-exponential sized AC 0 [⊕] circuit. Specifically, we want that for some d P , the predicate P can be computed by an AC 0 [⊕] circuit of depth d P and size 2 , for a sufficiently small < 1/2(d G + d P + 2). We thus obtain a circuit for g x of depth d = d G + d P + 2 and of size O 2 < 2 log(m) 1/2d , 9 which is sufficiently small such that we have natural properties against it (see Theorem 3.6).
2.3. The setting of large polynomial stretch. Why are the results in Section 2.2 applicable only to the setting of quasipolynomial stretch? The main bottleneck is the expander construction in Theorem 2.1, which is an AC 0 [⊕] circuit. Specifically, since we only know of natural properties against AC 0 [⊕] circuits of at most sub-exponential size, and since the circuit that we obtain is of size at least n (because we hard-wire x ∈ {0, 1} n to the circuit), we were forced to take m = n poly log(n) such that n will be a small sub-exponential function of log(m).
In this section, we circumvent this obstacle by using the hypothesized existence of expanders whose neighbor functions have "extremely simple" circuits. For simplicity, in the current highlevel overview we present the attacks that are based on the existence of an expander as in Assumption 1.6; that is, a lossless expander G = ([n], [m = n k ], E) of right-degree = O(k) whose neighbor function is an affine function (i.e., each output bit is a parity of input bits). The ideas that underlie the attacks that are based on expanders whose neighbor function is an N C 0 circuit (as in Assumption 1.8) are similar, yet require a slightly more subtle parametrization (see Section 5.2).
Consider an instantiation of Goldreich's predicate with an expander G as above and with a predicate P : {0, 1} → {0, 1} that can be computed by a CNF of size 2 δ· , where δ can be an arbitrarily large constant compared to k (or even δ = 1, which allows for any predicate). In this case, for any x ∈ {0, 1} n , the output prg(x) of the generator on x is a truth-table of a function g x over an input i ∈ {0, 1} log(m) that can be computed as follows. One layer of parity gates maps i ∈ [m] to Γ G (i) ∈ {0, 1} ·log(n) (this uses our assumption about the expander). Then, copies of a DNF over log(n) bits and of size n map the names of the vertices to x Γ G (i) ∈ {0, 1} , i.e., we project the bits of x that feed the predicate P (this DNF is essentially a "hard-wiring" of x into g x ). Finally, the CNF that computes P of size 2 δ· maps x Γ G (i) to the value P (x Γ G (i) ). After collapsing a layer that connects the top CNF and the DNFs, we obtain an AND-OR-AND-XOR circuit g When δ > 0 is sufficiently small, we are able to unconditionally construct a natural property against circuits as above. However, the main point (i.e., Theorem 1.7) comes when considering the case δ = 1; that is, any predicate P : {0, 1} → {0, 1}. In this case, we first use the discriminator lemma of Hajnal et al. (1993) to deduce that g x can be (1/2+1/2 O(k) )-approximated by a DNF-XOR circuit of size O 2 m/k . Now (still under Assumption 1.6), exactly one of two options holds. The first option is that there exists a natural property for functions on m input bits that can be (1/2 + o(1))approximated by DNF-XOR circuits of size 2 Ω( m) ; in this case, by taking k sufficiently large so that 2 m/k is sufficiently small, the natural property breaks the generator. The other option is that no such natural property exists, despite the fact that natural properties exist both for functions computed (in the worst-case) by DNF-XOR circuits of size 2 (1−o(1))· m , and for functions approximated (even weakly) by parity decision trees of such size. This completes the sketch of the proof of Theorem 1.7.

The connection to expander-based pseudorandom functions.
As mentioned in Section 2.1, our construction of the func- can be viewed as a construction of a collection of pseudorandom functions (PRFs) g x : {0, 1} log(m) → {0, 1} x∈{0,1} n based on (an instantiation of) Goldreich's PRG. Indeed, crucially, we show (or assume) that g x is not pseudorandom, and thus deduce that the corresponding instantiation of Goldreich's PRG is insecure.
The crucial point in our transformation of Goldreich's PRG to a PRF is that the resulting PRF can have very low circuit complexity, depending essentially only on the complexity of the expander's neighbor function and of the predicate. In contrast, previously cc Expander-Based Crypto. Meets Natural Proofs Page 21 of 60 4 known transformations of Goldreich's PRG to a PRF incur a significant overhead. Specifically, the transformation of Goldreich et al. (1986) yields a circuit with super-constant depth; whereas the constructions of Applebaum & Raykov (2016) either yield only a weak PRF (which is not broken by natural properties, in general) or require complicated computations, which they implement using majority gates (i.e., the resulting function is in the class T C 0 , for which natural properties are neither known nor conjectured to exist). The reason that we are able to obtain "candidate PRFs" that are so simple is that we rely on specific expanders with neighbor functions whose (non-uniform) complexity is small.
As pointed out by a reviewer, our techniques can also be viewed as extending the proof approach of another result from Applebaum & Raykov (2016), in which an algorithm for learning AC 0 circuits from examples was used to break a weak PRF computable by AC 0 circuits. (Indeed, in Applebaum & Raykov (2016) the weak PRF was conjectured to be secure, and thus, they concluded that no such learning algorithm exists.) Our attacks on the simple "candidate PRFs" that we construct use natural properties for the corresponding circuit classes, and natural properties are generalizations of learning algorithms (i.e., an algorithm for learning from examples is in particular a natural property).
As pointed out by Applebaum, 10 a transformation of Goldreich's PRG to a weak PRF from Applebaum & Raykov (2016) can be used to break the PRG when it is instantiated with a random graph and with a predicate with sufficiently low circuit complexity; this attack uses an algorithm for learning from random examples. Specifically, assume that Goldreich's PRG is secure when instantiated with a random graph [n] × [m] of right-degree and a predicate P : {0, 1} → {0, 1}. Using the argument that appears in (Applebaum & Raykov 2016, Sec. 1.2.1), it follows that the function g x : {0, 1} ·log(n) → {0, 1} that considers its input as a set S of vertices in [n], and outputs g x (S) = P (x S ), is a weak PRF against adversaries that make m (uniformly chosen) queries. The complexity of g x is essentially determined by the complexity of the 10 Personal communication. predicate P . 11 Thus, if the latter is sufficiently small such that there exists an algorithm for learning g x from m − 1 random examples, then g x cannot be a weak PRF for adversaries that make m queries (since such an adversary can use the learning algorithm to predict the m th evaluation of the function at a random point, using the first m − 1 evaluations at random points). This contradicts the hypothesis that Goldreich's PRG is secure when instantiated with P and a random graph Loosely speaking, the argument above implies that Goldreich's PRG is not secure when the stretch is quasipolynomial (and the locality is polylogarithmic and sufficiently large), the graph is random, and the predicate is computable by an AC 0 circuit of sufficiently small sub-exponential size; this relies on the learning algorithm of Linial et al. (1993). 12 However, the latter class of predicates is much weaker than the class of predicates to which our main unconditional result applies (i.e., than the class of AC 0 [⊕] circuits of sufficiently small sub-exponential size, from Theorem 1.3). For example, such predicates have "low" resilience o( ), because the Fourier weight of depth-d AC 0 circuits over bits of size 2 is .01concentrated on sets of size at most O( ·(d−1) ) = o( ) (see Linial et al. (1993); Tal (2017)); therefore, such predicates do not withstand the attacks from Applebaum & Lovett (2018). Finally, recall that it is currently an open problem to understand the learnability of AC 0 [⊕] circuits from random examples. 11 More specifically, the circuit g x can be implemented by 2 · depth-two formulas of size O(n) to compute the mapping S → x S , and then, a circuit for P to compute P (x S ).
12 Specifically, let n ∈ N, and let = log k (n) for some k ∈ N. Assume that the predicate P : {0, 1} → {0, 1} is computable by an AC 0 circuit of depth d ∈ N and size s = 2 , where ≤ 1/(d + 1). Then, g x can be implemented by a circuit of size s = O( · n + s) and depth d + 1. The algorithm of Linial et al. (1993) learns g x with error 1/s from m = n O(log(s )) d = o(n ) random examples in time poly(m), where the last bound on m is since ≤ 1/(d + 1). Therefore, Goldreich's PRG is not secure when the locality is = log k (n), the stretch is m = o(n ), and the -bit predicate is an AC 0 circuit of depth d and size 2 .
cc Expander-Based Crypto. Meets Natural Proofs Page 23 of 60 4

Expander graphs and Goldreich's PRG.
Throughout the paper, when we refer to expander graphs, we will mean highly unbalanced bipartite lossless expanders, as formally defined in Definition 1.1. In our constructions, we assume an ordering of the neighbors of each right-vertex of the graph and allow parallel edges among vertices. We can thus define the notion of a neighbor function of a graph: We can now formally define Goldreich's pseudorandom generator. The definition refers to an arbitrary (n, m, )-graph, but the construction is intended to be instantiated over an (n, m, )expander (e.g., as in Assumption 1.2). Our notion of attack on the PRG is the standard one in which the distinguisher gets as input an m-bit string, which may either be an uniform output of the PRG or a uniform string, and runs in time proportional to m (ideally, polynomial in m).
We consider the running time of A as a function of its input length m.
Lastly, we will use the well-known fact that a random graph is, with high probability, an expander; indeed, this fact holds also for the definition of expansion that we use. In more detail: The proof of Theorem 3.4 is a straightforward probabilistic argument, and in fact a more general theorem has been proved in (Applebaum & Raykov 2016, Lemma 2.5). For completeness, we include a proof of Theorem 3.4 in Appendix A.

Circuit classes and natural properties.
Our circuit model throughout the paper is that of Boolean circuits over the De Morgan basis (i.e., with AND, OR, and NOT gates), and when explicitly stated we also allow for ⊕ gates. We will frequently refer to the classes AC 0 and AC 0 [⊕] of circuit families of constant depth with gates of unbounded fan-in (for the standard definitions see, e.g., (Jukna 2012, Sections 12.3 and 12.5, respectively)). When we refer to N C 0 , we refer to Boolean function with multiple output bits where each output bit depends on a constant number of input bits.
Let us recall the definition of natural properties by Razborov & Rudich (1997). In the definition below, the class F can be thought 13 The polynomial power in the success probability depends on c and can be made arbitrarily large. (ii) The algorithm accepts more than half of the strings in {0, 1} 2 n .
We will sometimes slightly abuse Definition 3.5 by referring to natural properties that run in super-polynomial time (e.g., in quasipolynomial time), or that accept less than half of the strings in 2 n (say, a constant fraction of the strings). We will clearly indicate the deviation from Definition 3.5 when we do so.
It is well-known that, relying on the results of Razborov (1987) and Smolensky (1987), there exist natural properties for AC 0 [⊕] of subexponential size (see, e.g., Carmosino et al. (2016); Razborov & Rudich (1997)). Since we will crucially use these natural properties in Section 4, let us formally state the parameters of the natural properties:

Unconditional results in the setting of quasipolynomial stretch
Our goal in this section is to prove Theorem 1.3, which shows that Goldreich's PRG can be broken in the regime of quasipolynomial stretch with a specific expander for a large class of predicates. As a first step, in Section 4.1 we will prove Theorem 2.1, which asserts the existence of an expander whose "neighbor functions" can be computed by relatively small AC 0 [⊕] circuits. In Section 4.2, we prove Theorem 1.3. And finally, in Section 4.3 we prove that the class of predicates for which we break the generator is quite rich, and in particular contains predicates with high rational degree and high resilience.

Expanders with AC 0 [⊕] neighbor functions.
In this section, we construct a (non-explicit) bipartite lossless expander whose "neighbor function" can be computed by a sub-exponential sized AC 0 [⊕] circuit. Throughout the section, we represent expanders using the incidence-list representation; that is Definition 4.1 (incidence-list representation). For n, m, ∈ N such that ≤ n, let m = m · · log(n) . We identify any string and i ∈ [ ], the j th neighbor of v is encoded by the bits in G (v−1)· · log(n) +1 , ..., G v· · log(n) .
Let us start the proof by showing that for many natural settings of the parameters (e.g., m ≤ 2 n o(1) and ≤ n o(1) ) we can test whether a string G ∈ {0, 1} m is an (n .99 , .99)-expander using a CNF of size at most 2 n : Claim 4.2 (testing whether a graph is an expander). Let n, m, ∈ N such that m ≥ n and log(m) + 2 · log(n) ≤ n .01 , and let m = m · · log(n) . Then, there exists a CNF of size at most 2 n that gets as input a string G ∈ {0, 1} m and accepts if and only if G is an incidence-list representation of an (n, m, )-expander.
Proof. The CNF is a conjunction of the following set of tests: For a fixed S ⊆ [m] of size k ≤ n 0.99 , the decision of whether or not |Γ(S)| ≥ 0.99 · · |S| is a function of k · · log(n) bits and can therefore be implemented by a CNF of size 2 k· · log(n) . There are at most k · m k sets to consider, and therefore, the final CNF is of size at most k · m k · 2 k· · log(n) < 2 log(k)+k·log(m)+k· · log(n) ≤ 2 n .
Our next step is to use the construction of Carmosino et al. (2016) to show that Nisan's generator can be made "strongly explicit": Proof. Our generator NW : {0, 1} t → {0, 1} m will be the Nisan-Wigderson generator. Specifically, for a sufficiently large k ≥ 6 and r = n k , let f : {0, 1} r → {0, 1} be the parity function such that f is ( /m )-average-case hard for circuits of depth five and of size 2 O(n) . 14 We will use a combinatorial design S 1 , ..., S m ⊆ [t] with parameters as in the following lemma, which is due to Carmosino et al. (2016).  By a standard argument following Nisan & Wigderson (1994), the generator G instantiated with the function f and the design in Lemma 4.5 is -pseudorandom for CNFs of size 2 O(n) . The circuit E : {0, 1} t × {0, 1} log(m ) → {0, 1} acts as follows. Given inputs (s, i), the circuit E first feeds (s, i) to the circuit from Lemma 4.5 to compute s S i and then computes the parity of s S i (using a single parity gate). The depth of E is d = d MX + 1, and its size is poly(t, log(m )) = poly(n).
Finally, we prove Theorem 2.1 by combining Claim 4.2 and Proposition 4.3, and "hard-wiring" a good seed s into the circuit E from Proposition 4.3. That is: Theorem 4.6 (strongly explicit lossless expander in AC 0 [p]). There exist constants d G , c ∈ N such that the following holds. Let n ≤ m ∈ N such that m ≤ 2 n o(1) , and let ∈ N such that c · log(m) log(n) ≤ ≤ n 1/c . Then, there exists an (n, m, )-expander G and an AC 0

depth d G and size poly(n), such that for every i ∈ [m] it holds that C G (i) outputs the list of neighbors of i in G.
Proof. Let m = m · · log(n) . By Theorem 3.4, a random string in {0, 1} m is an (n 0.99 , 0.99)-expander, with high probability. By Claim 4.2, such expanders can be recognized by CNFs of size 2 n . Thus, considering the pseudorandom generator NW from Proposition 4.3 for such CNFs, with high probability over choice of seed s ∈ {0, 1} poly(n) for NW it holds that NW (s) is an (n 0.99 , 0.99)-expander.
Let us now fix such a good seed s ∈ {0, 1} poly(n) , and a corresponding expander G = NW (s). When we "hard-wire" the seed s into the circuit E from Proposition 4.3, we obtain a circuit E s : {0, 1} log(m ) → {0, 1} that on input j ∈ [m ] outputs the j th bit in the representation of G as a bit-string. Thus, our final circuit C G gets as input i ∈ {0, 1} log(m) and uses · log(n) copies of E s to output the · log(n) bits in the representation of G that correspond to the neighbors of i ∈ [m] (i.e., C G (i) = E s ((i − 1) · log(n) ), ..., E s (i · · log(n) − 1)). The size of C G is · log(n) times the size of E s and is thus upper-bounded by poly(n); the depth d G of C G is just the depth of E s , which is the universal constant d from Proposition 4.3.

Proof of Theorem 1.3.
Relying on Theorem 4.6, we now prove Theorem 1.3. As explained in Section 2.2, the main step is to show that, when Goldreich's PRG is instantiated with the expander from Theorem 4.6 and with any predicate that can be computed by an AC 0 [⊕] circuit of sufficiently small sub-exponential size, the output of the generator (on any seed) is the truth-table of an AC 0 [⊕] circuit of small sub-exponential size.
Theorem 4.7 (Theorem 1.3, restated). For any d P ∈ N and sufficiently small = (d P ) > 0 and sufficiently large k = k(d P ) > 1, there exists a deterministic polynomial-time algorithm A that satisfies the following. For any sufficiently large n ∈ N, let m = 2 (log(n)) k , and let c · (log(n) k−1 ) ≤ ≤ n 1/c , where c is a sufficiently large constant. Then, there exists an (n, m, )-expander such that the following holds: For any predicate P : {0, 1} → {0, 1} that can be computed by an AC 0 [⊕] circuit of depth d P and size at most 2 (log(m)) , when Goldreich's PRG is instantiated with the expander G and the predicate P , the algorithm A distinguishes (with high probability) between a uniform string and the output of the generator.
Proof. Let G = ([n], [m], E) be the expander graph from Theorem 4.6, with right-degree . Let prg : {0, 1} n → {0, 1} m be Goldreich's PRG, instantiated with the graph G and with the predicate P . For any fixed x ∈ {0, 1} n , we show that prg(x) is the truth- ) . Assuming such a circuit indeed exists for any fixed x, the natural property algorithm from Theorem 3.6 rejects all m-bit strings in the image of prg, but accepts a random m-bit string with probability at least 1/2.
Thus, let us fix x and construct a circuit g x : {0, 1} log(m) → {0, 1} whose truth-table is prg(x). Given input i ∈ [m], the circuit g x : • Finally, the circuit maps x Γ G (i) ∈ {0, 1} to an output bit P (x Γ G (i) ), using the AC 0 [⊕] circuit of depth d P for P .
The total depth of the circuit for g x is d = d G + d P + 2, and its size is at most poly(n) + · n + 2 (log(m)) = 2 o((log(m)) 1/2d ) , where we relied on the hypothesis that k is sufficiently large (to deduce that n O(1) = 2 o(log(n) k/2d ) ) and on the hypothesis that is sufficiently small.

Hard predicates and the class of subexponential sized AC 0 [⊕] circuits.
Recall that the known attacks on Goldreich's PRG relied either on low resilience or on low rational degree of the predicate (we will define these notions in a moment; see Applebaum & Lovett (2018) for further details). Our goal in this section is to prove that the class of AC 0 [⊕] circuits of small sub-exponential size (and even of polynomial size) contains predicates with high rational degree and high resilience. Thus, the predicates that we present avoid known attacks but are still susceptible to our attacks. Definition 4.8 (resilience). We say that P has resilience k if P (γ) = 0 for every γ ∈ {0, 1} of Hamming weight at most k. In other words, P is uncorrelated with parities of size at most k.
A candidate predicate that avoids the previously known attacks, suggested in Applebaum & Lovett (2018), is the predicate XOR-MAJ a,b (z 1 , ..., z a+b ) = (z 1 ⊕ . . . ⊕ z a ) ⊕ MAJ(z a+1 , . . . , z a+b ), for suitable choices of a and b. We consider the modification XOR-APPROX-MAJ in which the majority function is replaced by an approximate majority. Towards defining the predicate, let us first recall the standard definition of an approximate majority predicate, and the fact that there exist AC 0 circuits computing this predicate. For a string x ∈ {0, 1} * , let |x| 1 denote its Hamming weight. Then: Definition 4.10 (approximate majority). We say that a function h : Theorem 4.11. (approximate majority in AC 0 (Ajtai (1990); Viola (2009))) For every ε > 0, there exists a uniform family {D b } b≥1 of polynomial size depth-3 circuits that compute an εapproximate majority over b input bits.
The result presented next asserts that the XOR-APPROX-MAJ predicate behaves similarly to XOR-MAJ with respect to resilience and rational degree. (In particular, it also avoids the attacks on Goldreich's PRG from Applebaum & Lovett (2018).) where we have used the fact that γ i = 0 to decompose the expectation into a product of expectations. Turning to the rational degree lower bound, first we argue the claim for the ε-approximate majority function h : {0, 1} b → {0, 1}. Let d = (1/2 − ε)b , and suppose that rdeg F 2 (h) ≤ d. We will rely on the following lemma: Lemma 4.14 (see, e.g., Applebaum & Lovett 2018;Carlet 2010 Assume that Case (a) from Lemma 4.14 holds (the proof of the other case is very similar), and leth be the nonzero predicate from the lemma. Let B(0 b , d)  Finally, note that this rational degree lower bound also holds for the predicate P , since it is easy to see using Lemma 4.14 that the rational degree of a function cannot increase by taking a restriction.

Conditional results in the setting of polynomial stretch
In Section 5.1, we present our results that are conditioned on the existence of expanders with a neighbor function that can be computed by a layer of parity gates, and in Section 5.2 we present our results that are conditioned on the existence of expanders with a neighbor function that can be computed in N C 0 .

Expanders with affine neighbor functions.
In this section, we present results that are conditioned on the existence of expanders in which the neighbor functions are affine functions (i.e., can be computed by a layer of parity gates). In Section 5.1.1, we formally present the assumption that suitable expanders exist. In Section 5.1.2, we prove the existence of natural properties that are useful against DNF-XOR circuits and related functions. In Section 5.1.3, we show that if the aforementioned expanders exist, then an improvement in the parameters of the foregoing natural properties would allow to break the generator with these expanders and any predicate, for the setting of a large polynomial stretch.

The affine expander assumption.
Towards presenting the assumption regarding the existence of expanders with affine neighbor functions, let us first formally define affine functions: Definition 5.1 (multi-output affine functions). We say that a function f : To motivate our assumption, let us recall known explicit constructions of unbalanced lossless expanders in which the neighbor function is affine. The first construction is that of Guruswami et al. (2009). When their construction is instantiated over a field of characteristic two, with a specific a choice of parameters, it yields an expander that is affine (see, e.g., (Cheraghchi 2005, Corollary 2.23)). In particular, it yields an affine expander with the following parameters: A different construction of an expander with affine neighbor functions arises from the work of Ta-Shma, Umans, and Zuckerman (Ta-Shma et al. 2007, Theorem 1.7). Instantiating their construction with Trevisan's extractor (Trevisan 2001), it yields an (n, m, )-graph for an arbitrarily large polynomial m = poly(n) and again with = poly log(n), that is a (n 1/(log n) .01 , 0.99)-expander (rather than an (n 0.99 , 0.99)-expander). Interestingly, the two constructions are of very different nature (i.e., the construction from Ta to improve the degree in these constructions to match the one of a random construction. The following assumption asserts that expanders as above exist, but with small right-degree = O(k): Assumption 5.3 (affine expander assumption). There exists a constant β > 3 such that for every constant k ∈ N and sufficiently large n ∈ N there exists an (n, m, )-expander, where m = n k and = β · k, that satisfies the following: The function Γ G :

gets as input i ∈ [m] and outputs the neighbors of i in G is affine.
Under Assumption 5.3, there exists an expander G such that when Goldreich's PRG is instantiated with G and with any predicate P , the output of the generator on any seed is the truth-table of a depth-four circuit with constant top fan-in and a bottom layer of parity gates. In the following claim, we consider the complexity of the -bit predicate P as a CNF of size 2 δ· , where δ ∈ (0, 1] may be small but may also equal 1 (in which case there is no restriction on the complexity P ).
Claim 5.4. Suppose that Assumption 5.3 holds. Then, for every k ∈ N and sufficiently large n ∈ N there exists an (n, m, )expander G, where m = n k and = β·k, that satisfies the following. For every δ ∈ (0, 1] and every predicate P : {0, 1} → {0, 1} that can be computed by a CNF of size 2 δ· , when Goldreich's PRG is instantiated with G and P , the output of the generator on any fixed x ∈ {0, 1} n is the truth-table of a function g x : {0, 1} log(m) → {0, 1} such that: (i) The function g x can be computed by an AND-DNF-XOR circuit of top fan-in 2 δ·β·k and size at most O 2 (1/k)·log(m) containing at most 2 · β · log m parity gates.
1} be a DNF of size at most n such that for any i ∈ [n] it holds that Φ x (i) is the i th bit of x; we view this DNF as a De Morgan formula over input literals z 1 , . . . , z log(n) , ¬z 1 , . . . , ¬z log(n) . The circuit g x uses copies , 1} , and similarly uses copies of a DNF of size at most n for ¬Φ x to compute the negations of x Γ G (i) ∈ {0, 1} .
• Finally, the circuit g x computes the value of the predicate P on the input string x Γ G (i) by using a CNF of size 2 δ· for P over the corresponding = β · k input variables.
The DNF-XOR circuit that (1/2 + 1/2 O(k) )-approximates g x follows from the Discriminator Lemma of Hajnal et al. (1993) using the fact that the top gate of g x computes a symmetric gate over at most 2 = 2 β·k input wires.

Natural properties against DNF-XOR circuits.
Our goal in this section is to show natural properties that are useful against DNF-XOR circuits of exponential size, against conjunctions of a constant number of DNF-XOR circuits of exponential size, and against functions that can be approximated by exponential-sized parity decision trees (which are related to DNF-XOR circuits, but weaker).
cc Expander-Based Crypto. Meets Natural Proofs Page 37 of 60 4 DNF-XOR circuits of exponential size. The first natural property that we show is useful against DNF-XOR circuits over m bits of exponential size 2 (1/2−o(1))· m : Proposition 5.5. (natural property against exponential size DNF-XOR circuits) There exists a natural property against the class of functions f : {0, 1} m → {0, 1} that can be computed by DNF-XOR circuits of size 2 (1/2−o(1))· m .
Proof. We rely on the following result from Akavia et al. (2014), which shows that a DNF-XOR circuit of bounded size has a Fourier coefficient of relatively large magnitude.
The natural property claimed in the statement of the lemma can therefore be defined as follows: Given the truth table of a Boolean function f , exactly compute each Fourier coefficient of f , and accept the input function if and only if every coefficient has magnitude bounded by O( √ m · 2 − m/2 ). This computation can be done in time 2 O( m) , which is polynomial in the size of the truth table.
Extending Proposition 5.5, we can get a property that is useful against larger circuits of size 2 (1−o(1))· m , at the cost of having a slightly super-polynomial running time. This natural property is based on a result of Cohen & Shinkar (2016): Proof. An affine disperser for dimension k is a function h : {0, 1} m → {0, 1} with the following property: For every affine subspace U ⊆ {0, 1} m of dimension k, the restriction of h to U is non-constant. A standard argument shows that a random function is, with probability more than 1/2, an affine disperser for dimension k = log( m ) + log log( m ) + C, where C is a large enough constant.
On the other hand, Cohen & Shinkar (2016) established the following result. For a function g, let DNF-XOR(g) be the number of gates in the smallest DNF-XOR circuit for g. Then, if g is an affine disperser for dimension k, max(DNF-XOR(g), DNF-XOR(1 − g)) = Ω(2 m−k ). An immediate consequence is that for k = log( m ) + log log( m ) + C, by checking if an input truth-table or its negation is a k affine disperser, it is possible to distinguish a random function from a function of DNF-XOR circuit complexity at most 2 m /( m ) 2 .
Conjunctions of DNF-XOR circuits of exponential size. We now turn to show a natural property that is useful against conjunctions of c = O(1) DNF-XOR circuits over m input bits of size 2 ( /2)· m , for any < 1/c. Specifically: Proof. We prove Proposition 5.9 using Proposition 5.5. To do so, note that any conjunction of c DNF-XOR circuits of size s can be computed by a single DNF-XOR circuit of size s c (using the distributivity of the top AND gate with the OR gates below it). In particular, if s = 2 ( /2)· m , where < 1/c, then the conjunction can by computed by a single DNF-XOR circuit of size s c = 2 ( ·c/2)· m . Since ·c/2 < 1/2, the natural property from Proposition 5.5 works against such a function.
The natural property from Proposition 5.9 can be extended to work against conjunctions of c DNF-XOR circuits of size 2 · m (rather than 2 ( /2)· m ), for any < 1/c, at the cost of a slightly super-polynomial running time. Specifically: (ii) The acceptance probability of g x is at most 2 m·( −1/c)+k .
Proof. Let g x (z) = ∧ i∈ [c] h i (z), where each h i is a DNF-XOR circuit of size at most s( m ). For each i ∈ [c], we view h i as the union of at most s( m ) affine subspaces and denote by dim(h i ) the maximal dimension of an affine subspace in j∈[s(n)] dim(H j ). We consider two separate cases: In this case, it holds that g x is constant on a subspace of dimension c · k. Specifically, for each i ∈ [c] let H (i) be an affine subspace in h i such that dim(H (i) ) > m − m /c + k, and let H = i∈ [c] H (i) . Then, the co-dimension of H is less than c · ( m /c − k) = m − c · k, and for every z ∈ H it holds that g x (z) = 1.
In this case, it holds that g x has acceptance probability at most. To see this, let i ∈ [c] be such that dim(h i ) ≤ m − m /c+k, and note that the acceptance probability of g x is upper-bounded by the acceptance probability of h i . However, since h i is the union of at most s( m ) subspaces of dimension m − m /c + k, the number of inputs accepted by h i is at most s( m ) · 2 m− m/c+k = 2 m·(1−1/c+ )+k . Now, let k = log( m ). When given the truth-table of a function f : {0, 1} n → {0, 1}, the algorithm iterates over all affine subspaces in {0, 1} m of dimension c · k, and rejects if f is the constant one function on any such subspace. Also, the algorithm rejects if the acceptance probability of f is less than 1/3.
To see that the algorithm rejects any conjunction of c DNF-XOR circuits of size at most 2 · m , note that by Lemma 5.11, any such function is either constant on a subspace of dimension c · k, or has acceptance probability at most 2 m·( −1/c)+k = 2 −Ω( m) ; in both cases, the algorithm rejects. To see that the algorithm accepts a random function, note a random function is very likely (with probability 1 − exp(− m )) to have acceptance probability more cc Expander-Based Crypto. Meets Natural Proofs Page 41 of 60 4 than 1/3. Also, for any fixed subspace of dimension c · k, the probability that a random function is the constant one function on the subspace is 2 −2 c·k ≤ 2 − 2 m . Since there are at most 2 (k+1)· m = 2 O( m·log( m)) affine subspaces of dimension k, by a union-bound, with probability more than 1/2, a random function is not constant on any subspace of such dimension k.
Finally, the algorithm is deterministic, and its runtime is polynomial in the number of affine subspaces of dimension k = log( m ) and is thus at most 2 O( m·log( m)) .

Functions that are approximated by parity decision trees
Finally, consider natural properties that are useful against functions that can be approximated, in the average-case sense, by simple functions such as DNF-XOR circuits. Specifically, we consider approximation by parity decision trees (PDTs), a model that is known to be related to but strictly weaker than DNF-XOR circuits. Recall that a parity decision tree is simply a decision tree where the nodes can query the value of any parity function of the input variables. We measure the size of such a decision tree by its num- A standard argument shows that a random function is a (k, )-affine extractor with probability at least 1/2, where k = log( m / 2 ) + log log( m / 2 ) + C, and C is a large enough constant.
Let γ( m ) = ( m ) −1/4 , and let A m be the class of m -bit Boolean functions that compute a (k, γ)-affine extractor, where k = 2 · log( m ). First, A m is a dense property for every large enough proof of Proposition 5.8, A m can be decided in time 2 O( m·log( m)) . Finally, we claim that A m does not accept functions that can be approximated by PDTs. We use the following result from Cohen & Shinkar (2016). It follows from Theorem 5.13 and from our choice of the parameters k and γ that any Boolean function that can be (1/2 + γ( m )approximated by a parity decision tree g of size ≤ 2 m / 10 m cannot be in A m . This completes the proof.

Natural properties that would allow to break the generator with any predicate, under Assumption 5.3.
In this section, we consider two "mild strengthenings" of natural properties that were presented in Section 5.1.2. We then show that if Assumption 5.3 holds and any of the two "mildly stronger" natural properties exist, then Goldreich's PRG is insecure for the setting of large polynomial stretch with any predicate P .
First setting: Worst-case natural property. Recall that in Proposition 5.10 we showed an almost-natural property against conjunctions of c = O(1) DNF-XOR circuits, each of which is of size at most 2 · m , where < 1/c. We first consider the setting in which there exists a natural property against conjunctions of c = O(1) DNF-XOR circuits, each of which is of size at most 2 · m , where > Ω(1/ log(c))). (Indeed, in the foregoing sentence as well as in the following statements we denote the number of inputs to the circuit by m , where the notation alludes to the fact that we will use these circuits to compute the function over m = log(m) bits whose m-bit truth table is the output of Goldreich's PRG.) Assumption 5.14. (mildly strengthening the natural property in Proposition 5.9) The stronger natural property for AND-DNF-XOR assumption with parameter β > 3 is the following: For some k ∈ N, there exists a natural property against the class of Boolean func-cc Expander-Based Crypto. Meets Natural Proofs Page 43 of 60 4 tions over m input bits that are computed by AND-DNF-XOR circuits of top fan-in 2 β·k and size at most O 2 (1/k)· m containing at most 2 · β · m parity gates.
Theorem 5.15. (breaking Goldreich's PRG with certain expanders for any predicate, under affine expanders and a stronger natural property for AND-DNF-XOR) Suppose that Assumption 5.3 holds with some β > 3, and that Assumption 5.14 holds for the same parameter β. Then, there exists a polynomial-time algorithm A that satisfies the following: For every n ∈ N, there exists an (n, m, )-expander G, where m = n k and = β · k, such that for every predicate P : {0, 1} → {0, 1}, the algorithm A distinguishes the outputs of Goldreich's PRG instantiated with G and P from random strings (with constant gap Ω(1)).
Proof. Let k be as in the hypothesis, let n be sufficiently large, let G be the expander from Assumption 5.3 with right-degree = β · k, and let P : {0, 1} → {0, 1} be an arbitrary predicate.
We instantiate Goldreich's PRG with the expander G and predicate P . By Claim 5.4, instantiated with the parameter value δ = 1 (since P can be trivially computed by a CNF of size 2 ), every output string g x of the generator can be computed by an AND-DNF-XOR circuit of top fan-in 2 β·k and size at most O 2 (1/k)·log(m) containing at most 2 · β · log m parity gates. Thus, the natural property from our hypothesis distinguishes the output of the generator from a random string with probability at least 1/2. Second setting: Average-case natural property. Recall that in Proposition 5.12 we showed a natural property (based on Cohen & Shinkar (2016)) that is useful against functions that can be approximated by parity decision trees. We now consider the existence of natural properties with similar parameters, but that are useful against the class of functions approximated by DNF-XOR circuits, rather than by PDTs. 17 Assumption 5.16. (another strengthening of the natural property in Proposition 5.9) The average-case natural property for DNF-XOR assumption with parameter β > 3 is the following: For some function γ( m ) → 0 and a fixed > 0, there exists a natural property computable in quasipolynomial time against the class of Boolean functions on m input bits that can be (1/2 + γ( m ))approximated by DNF-XOR circuits of size 2 · m containing at most 2 · β · m parity gates at the bottom layer.
Theorem 5.17. (breaking Goldreich's PRG for any predicate, under affine expanders and an average-case natural property for DNF-XOR) Suppose that Assumption 5.3 holds with some β > 3, and that Assumption 5.16 holds for the same parameter β. Then, for every k > 1/ there exists a quasipolynomial-time algorithm A that satisfies the following. For a sufficiently large n ∈ N, there exists an (n, m, )-expander G, where m = n k and = β · k, such that for every predicate P : {0, 1} → {0, 1}, the algorithm A distinguishes the outputs of Goldreich's PRG instantiated with G and P from random strings (with constant gap Ω(1)).
We instantiate Goldreich's PRG with the expander G and predicate P . By Claim 5.4, every output string g x of the generator can be (1/2 + Ω k (1))-approximated by a DNF-XOR circuit over m = log(m) input variables and of size O(2 (1/k)· m ) ≤ 2 · m . In addition, the number of parity gates in g x is at most 2 · β · m , and we can assume that γ( m ) is sufficiently small (since n is sufficiently large). Thus, the natural property from our hypothesis distinguishes the output of the generator from a random string with probability at least 1/2.

Expanders with local neighbor functions.
In this section, we present results that are conditioned on the existence of expanders whose the neighbor functions are computable in N C 0 . In Section 5.2.1, we formally present the assumption that such ex-cc Expander-Based Crypto. Meets Natural Proofs Page 45 of 60 4 panders exist, and in Section 5.2.2, we show that, conditioned on this assumption, a mild improvement in the parameters of known natural properties allows to break the generator with these expanders and any predicate for the setting of a large polynomial stretch.

The local expander assumption.
To motivate our assumption, we recall the recent construction of expanders with local neighbor functions, by Viola & Wigderson (2017) (building on the work of Capalbo et al. (2002), which used the Zig-Zag product). The construction in Theorem 5.19 works for balanced expanders (i.e., expanders over [n] × [n]), whereas we are interested in unbalanced expanders with m = poly(n) vertices on the right side. The following assumption asserts that there exists a construction of unbalanced expanders with local neighbor functions as in Theorem 5.19: Assumption 5.20 (local expander assumption). There is a function t : N → N and a constant β > 3 such that for every k ∈ N the following holds. For every n ∈ N, there exists an (n, m, )expander, where m = n k and = β · k, such that the function Γ G : {0, 1} log(m) → {0, 1} ·log(n) that gets as input i ∈ [m] and outputs the neighbors of i in G is t(k)-local.
Note that the locality t(k) in Assumption 5.20 is constant, depending only on the polynomial power k ∈ N. As pointed out by an anonymous reviewer, such expanders can be constructed only when t is at least linear in k (i.e., t = Ω(k)). 18 However, the assumption yields interesting consequences also for larger functions t(k); specifically, the improvement to known natural properties that we need in order to break Goldreich's PRG will depend on t (see Theorem 5.24).

Natural properties that would suffice to break the generator with any predicate, under Assumption 5.20.
Under Assumption 5.20, for any k ∈ N there exists an expander G over [n]×[n k ] such that when Goldreich's PRG is instantiated with G and with any predicate P , the output of the generator on any seed is the truth-table of a depth-four circuit with constant top fanin 2 Θ(k) and constant bottom fan-in t(k). As in Claim 5.4, in the following claim we consider the complexity of P : {0, 1} → {0, 1} as a CNF of size 2 δ· , where δ ∈ (0, 1] (and δ = 1 represents the case of an arbitrary predicate).
Claim 5.21. Supposed that Assumption 5.20 holds with parameters t : N → N and β > 3. Then, for every k ∈ N, and every n ∈ N there exists an (n, m, )-expander, where m = n k and = β · k, that satisfies the following: For every δ ∈ (0, 1] and every predicate P : {0, 1} → {0, 1} that can be computed by a depth-two circuit of size 2 δ· the following holds, when Goldreich's PRG is instantiated with expander G and predicate P , the output of the generator on any fixed x is the truth-table of an AC 0 circuit g x : {0, 1} log(m) → {0, 1} of depth four, with top fan-in 2 δ· = 2 β·δ·k , bottom fan-in t = t(k), and size O 2 (1/k)·log(m) .
Proof. For k ∈ N and n ∈ N, let G be the (n, m, )-expander from Assumption 5.20, let P : {0, 1} → {0, 1} be any predicate that can be computed by a DNF of size 2 δ· , and let prg : {0, 1} n → {0, 1} m be Goldreich's PRG, instantiated with the graph G and 18 To see this, consider the bipartite graph [log(m)] × [ · log(n)] underlying the local mapping Γ G . The average degree of left vertices in this graph is Δ = t· ·log(n) k·log(n) = t · β, and hence, there exists a left vertex i ∈ [log(m)] of degree at most Δ. Take an input x ∈ {0, 1} log(m) and let x be the input obtained by flipping the i th bit in x. Then, the strings Γ G (x) and Γ G (x ) disagree on at most Δ locations, which means that the set {x, x } expands in G to at most cc Expander-Based Crypto. Meets Natural Proofs Page 47 of 60 4 with the predicate P . (We assumed that P can be computed by a DNF of size 2 δ· only for simplicity; the proof of the case where P can be computed by a CNF of such size is very similar.) For any fixed x ∈ {0, 1} n , we construct a corresponding circuit g x : {0, 1} log(m) → {0, 1} whose truth-table is prg(x). Given input i ∈ [m], the circuit g x : • Uses ·log(n) DNFs over t bits (each of size ≤ 2 t ) to compute Γ G (i) ∈ {0, 1} ·log(n) . Additionally, g x uses the same number of DNFs to compute the negation of each output bit.
1} be a CNF of size at most n such that for any i ∈ [n] it holds that Φ x (i) is the i th bit of x; we view this CNF as a De Morgan formula over input literals z 1 , . . . , z log(n) , ¬z 1 , . . . , ¬z log(n) . The circuit g x uses copies and similarly uses copies of a CNF of size at most n for ¬Φ x to compute the negations of x Γ G (i) ∈ {0, 1} .
The total depth of the circuit for g x is four (after collapsing two layers), its bottom fan-in is t, and its top fan-in (which is the size of the DNF that computes P ) is c ≤ 2 δ· = 2 δ·β·k . Finally, the size of the circuit for g x is less than 2 · · log(n) · 2 t + 2 · · n + 2 = O(2 (1/k)·log(m) ), for a constant k and as a function of n.
Claim 5.21 implies that to break Goldreich's PRG (with the expander given by Assumption 5.20 and with an -bit predicate computable by a depth-two circuit of size 2 δ· ) it suffices to have a natural property against depth-four circuits over m input bits whose top fan-in is c = 2 β·δ·k , bottom fan-in is t(log(c)/β) and size is O 2 (β/ log(c))· m .
Known results yield a natural property for depth four circuits over m bits with constant top fan-in c and constant bottom fan-in t whose size is at most 2 · m , where = (c, t) ≈ 1/t log(c) (rather than β log(c) ). Specifically: The proof of Proposition 5.22 relies on Håstad's switching lemma (Håstad 1987) as well as on the sensitivity bound of Amano (2011); we defer the details to Appendix B.
The implication of the foregoing discussion is that a natural property that is mildly stronger than the known one in Proposition 5.22 would break Goldreich's PRG with the expander from Assumption 5.20 and any possible predicate. That is: Assumption 5.23. (mildly strengthening the natural property in Proposition 5.22) The stronger natural property for depth-four circuits assumption with parameters t : N → N and β > 3 is the following: For a sufficiently large constant c > 2 β , there exists a natural property against the class of Boolean functions on m input bits that are computed by depth four circuits of top fan-in c, bottom fan-in t(log(c)/β), and size O 2 (β/ log(c))· m , where the O-notation hides an arbitrarily large constant.
Theorem 5.24. (breaking Goldreich's PRG for any predicate, under local expanders and a stronger natural property for depthfour circuits) Suppose that Assumption 5.20 holds with parameters t : N → N and β > 3, and that Assumption 5.23 holds for the same t and β. Then, for a sufficiently large constant k ∈ N, there exists a polynomial-time algorithm A that satisfies the following. For every n ∈ N, there exists an (n, m, )-expander G, where m = n k cc Expander-Based Crypto. Meets Natural Proofs Page 49 of 60 4 and = β · k, such that for every predicate P : {0, 1} → {0, 1}, the algorithm A distinguishes the outputs of Goldreich's PRG instantiated with G and P from random strings (with constant gap Ω(1)).
Proof. Let k ∈ N be sufficiently large such that c = 2 β·k is sufficiently large to satisfy the hypothesis regarding the natural property, let n ∈ N be sufficiently large, let G be the expander from Assumption 5.20 with right-degree = β · k, and let P : {0, 1} → {0, 1} be an arbitrary predicate.
We instantiate Goldreich's PRG with the expander G and predicate P . By Claim 5.21, every output string g x of the generator can be computed by a depth four circuit over m = log(m) input variables with top fan-in c = 2 β·k , bottom fan-in t(k) = t(log(c)/β), and size O 2 (1/k)· m) = O 2 (β/ log(c))· m . Thus, the natural property from our hypothesis distinguishes the output of the generator from a random string with probability at least 1/2.
We remind the reader that the parameter t(·) in Assumption 5.3 and in Theorem 5.17 quantifies the locality of the N C 0 circuits in the local expander. (As explained after Assumption 5.3, an interesting small value to consider is t(k) = Θ(k).)

A. Proof of Theorem 3.4: Unbalanced Expanders
Let us recall the statement of Theorem 3.4 and detail the proof. For any fixed k ≤ n 0.99 , we show that with probability 1−1/poly(n) it holds that all sets of size k expand (and the theorem follows by union-bounding over all values of k).
To do so, fix k ≤ n 0.99 , and fix a set S ⊆ [m] of size |S| = k. For any fixed set T ⊆ [n] of size less than 0.99 · · k, the probability that Γ(S) ⊆ T is |T | where the last inequality relied on the fact that m < n /c (since ≥ c·(log(m)/ log(n))). The expression in Eq. (A.1) is exponential in O(k · ) · log( ) + (1/c − 0.01) · log(n) + 0.01 · log(k) ≤ O(k · ) · 2/c − 10 −4 · log(n) , where the last inequality relied on the fact that k ≤ n .99 and on the fact that c ≤ ≤ n 1/c . Assuming that c is sufficiently large such that 2/c − 0.01 2 < −10 −5 , the probability that there exists a set of size k that does not expand is at most n −10 −5 ·c . As mentioned above, the theorem follows by union-bounding over k = 1, ..., n 0.99 . cc Expander-Based Crypto. Meets Natural Proofs Page 51 of 60 4 We note that the right-degree bound provided by Theorem A.1 does not contradict the impossibility results discussed for instance in Guruswami et al. (2009). This is because the expanding sets in Theorem A.1 are of size at most n 1−Ω(1) instead of Ω(n).

B. A natural property for depth-four circuits
Our goal in this appendix is to construct the following natural property: In high-level, to prove Proposition B.1 we first show that any depth-four circuit as in the first item simplifies to a depth-two circuit of small width (say, width 10) under a random restriction that keeps significantly more variables alive in expectation (say, 1000); the proof of this result is a standard application of Håstad's switching lemma. Consequently, using the bound of Amano (2011), we deduce that under a random restriction such a circuit has average sensitivity that is much smaller than the expected average sensitivity of a random function. Our natural property simply enumerates over all restrictions and computes the average sensitivity of the restricted function.
Let us now formally prove the result. For the first part, recall Håstad's switching lemma. For p ∈ [0, 1] and m ∈ N, we denote by R p the distribution over restrictions in {0, 1, } m that is obtained by independently setting each coordinate to with probability p, and to a uniformly chosen bit otherwise. Recall that for a function f : {0, 1} m → {0, 1} and a restriction ρ ∈ {0, 1, } m we define f ρ our work to expander-based cryptography. Finally, the authors thank anonymous conference reviewers for useful comments that improved the presentation of the paper, and anonymous journal reviewers who pointed out a limitation in an initial version of Assumption 5.20, further explained the relation between the current work and Applebaum & Raykov (2016) and had numerous useful suggestions and improvements for the presentation of the paper.
The first and second authors received support from the second author's ERC-CoG grant no. 615075. The third author was supported by Irit Dinur's ERC-CoG grant no. 772839 and by the European Research Council (ERC) under the European Union's Horizon 2020 research and innovation programme (grant agreement No. 819702). Part of this work was conducted, while the third author was at DIMACS and partially supported by the National Science Foundation under grant number CCF-1445755.
An extended abstract of this paper has appeared as Oliveira et al. (2018).

Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.