We exhibit an explicitly computable 'pseudorandom' generator stretching l bits into m(l) = l Ω ( 
Introduction
A pseudorandom generator $G : \{0,1\}^l \to \{0,1\}^m$ is an efficient procedure that stretches $l$ input bits into $m \gg l$ output bits such that the output distribution of the generator fools small circuits. That is, for every circuit C of size m we have
Pseudorandom generators have found a striking variety of applications in Complexity Theory, most notably to derandomize probabilistic algorithms.
Starting with the seminal work of Nisan and Wigderson [20] , a series of results (e.g. [3, 26, 24, 27] ) show how to construct pseudorandom generators starting from an explicit function that requires circuits of superpolynomial size. However, no such function is known to exist.
On the other hand, pseudorandom generators that fool restricted kinds of circuits, such as constant-depth circuits with unbounded fan-in, are already very interesting. They also have a large variety of applications (e.g. [20, 15]) and are central to understanding the power of randomness in restricted classes of algorithms. While there has been exciting progress in constructing explicit functions that require superpolynomial size constant-depth circuits with certain kinds of gates (e.g. [13, 22, 25, 14, 21, 12]), no explicit function is known to require superpolynomial size constant-depth circuits with MAJORITY gates (cf. [23]). This is an obstacle to constructing pseudorandom generators, as most constructions need such a function. This need is due to the fact that the reductions in the proofs of correctness of these constructions use (a polynomial number of) MAJORITY gates (cf. [1, 28]).
But when starting from an average-case hard function, the reduction in the proof of correctness of the Nisan-Wigderson construction [20] does not require MAJORITY gates (where a function $f : \{0,1\}^n \to \{0,1\}$ is average-case hard if polynomial-size circuits fail to compute f with probability at least $1/2 - 1/n^{\omega(1)}$ over random input). Thus, one can plug average-case lower bounds into the Nisan-Wigderson construction to get a generator that fools small constant-depth circuits. This approach is used in a celebrated work by Nisan [19] (that actually predates the more general construction in [20]) where he exhibits a generator
that fools small AC$^0$ circuits (i.e. constant-depth circuits with AND and OR gates). This generator is based on the fact that PARITY is very average-case hard for small AC$^0$ circuits [13]. Subsequently, Luby, Velickovic and Wigderson (Theorem 2 in [18]) build a generator $G : \{0,1\}^l \to \{0,1\}^{l^{\Omega(\log l)}}$ that fools small SYM • AND circuits, i.e. depth 2 circuits with one arbitrary symmetric gate at the top and AND gates at the bottom. By arbitrary symmetric gate we mean a gate that computes an arbitrary function whose value depends only on the number of input bits being 1, important examples being PARITY and MAJORITY. This generator is based on the fact that the 'generalized inner product' function is average-case hard for small SYM • AND circuits with small bottom fan-in [4, 14]. The above two generators ([19] and Theorem 2 in [18]) fool two incomparable classes of circuits (i.e. small AC$^0$ circuits and small SYM • AND circuits). In this work we exhibit a generator that fools a class of circuits strictly richer than both of them, namely small constant-depth circuits with few arbitrary symmetric gates.
Our Results
In this paper we exhibit the following generator. 
and given x ∈ {0, 1} l , i ≤ m, we can compute the i-th output bit of G(x) in time poly(l).
The generator in Theorem 1 improves on the generator by Luby, Velickovic and Wigderson (Theorem 2 in [18] ) that achieves the same stretch (up to a different constant ) but only fools circuits of depth 2 (as opposed to any constant depth) with one symmetric gate at the top. (We elaborate more on the difference between the two generators in Section 6.) The generator in Theorem 1 also fools a strictly richer class of circuits than Nisan's generator that fools constant depth circuits [19] ) bits.) As a standard consequence of Theorem 1 we obtain the following subexponential derandomization of probabilistic constant depth circuits with a constant number of arbitrary symmetric gates. This seems to be the richest probabilistic circuit class known to admit a subexponential derandomization. (See, e.g., [20] 
.
Techniques
The generator in Theorem 1 is obtained by plugging into the Nisan-Wigderson pseudorandom generator construction [20] a function that is very hard on average for 'small' constant-depth circuits with 'few' arbitrary symmetric gates (cf. Theorem 3 below). Here a simple and crucial observation is that the reduction in the proof of correctness of the Nisan-Wigderson generator (essentially) does not increase the number of arbitrary symmetric gates.
Given our average-case hardness result (Theorem 3), the construction of our generator is simpler than the construction of the (weaker) generator by Luby, Velickovic and Wigderson (Theorem 2 in [18]) that uses more involved combinatorial arguments than those in [20]. These more involved combinatorial arguments were probably used because the generator in [18] builds on a function that is hard on average for circuits of depth 2 (as opposed to any constant depth), and thus one cannot use directly the Nisan-Wigderson construction [20] since the reduction in its proof of correctness increases the depth by 1.
We now state our average-case hardness result.
Theorem 3. There is a function $f : \{0,1\}^* \to \{0,1\}$ computable in polynomial time such that for every constant d there is a constant > 0 such that for every n and every circuit C of size n ·log n , depth d and with $\log^2 n$ arbitrary symmetric gates, the following holds:
We now explain the techniques involved in proving Theorem 3. To simplify the discussion we first focus on how to prove an average-case hardness result for 'small' constant-depth circuits with one arbitrary symmetric gate at the top, i.e. 'small' SYM • AC$^0$ circuits (Theorem 4). The extension to circuits with more arbitrary symmetric gates is deferred to the paragraph "Circuits with more Arbitrary Symmetric Gates" below. We obtain our average-case hardness result for 'small' SYM • AC$^0$ circuits through a modification of previous lower bounds. We now discuss these previous lower bounds, then we discuss why they are not sufficient for our purposes, and then we sketch the proof of our average-case hardness result for 'small' SYM • AC$^0$ circuits.
Previous Lower Bounds:
Babai, Nisan and Szegedy [4] prove that the "generalized inner product" function (i.e., $GIP_{n,s}(x) := \bigoplus_{i \le n} \bigwedge_{j \le s} x_{i,j}$) is very hard on average for multiparty communication complexity protocols among 'few' parties that communicate 'little'.
Håstad and Goldmann [14] notice that any function computed by a 'small' depth 2 circuit with an arbitrary symmetric gate of unbounded fan-in at the top and (arbitrary) gates of 'small' fan-in at the bottom can be computed by a multiparty communication complexity protocol among 'few' parties communicating 'little'. Thus, by the above result [4], they obtain that GIP is average-case hard for that kind of circuits. Now, by the so-called " -discriminator lemma" of Hajnal et al. [11] they conclude that GIP cannot be computed, in the worst-case, by 'small' depth 3 circuits with one majority gate of unbounded fan-in at the top, arbitrary symmetric gates of unbounded fan-in in the middle, and (arbitrary) gates of 'small' fan-in at the bottom.
Razborov and Wigderson [21] eliminate the constraint on the bottom fan-in: they exhibit a new function RW that cannot be computed, in the worst-case, by 'small' depth 3 circuits with one majority gate at the top, symmetric gates in the middle, and AND gates at the bottom, where all the gates have unbounded fan-in (MAJ • SYM • AND circuits). Their function RW is obtained from GIP by replacing each input variable with a parity function, i.e. $RW(x) := \bigoplus_{i \le n} \bigwedge_{j \le \log n} \bigoplus_{k \le n} x_{i,j,k}$.
To explain their argument we introduce restrictions [10]. A restriction on m variables $x_1, x_2, \ldots, x_m$ is a map $\rho : \{x_1, x_2, \ldots, x_m\} \to \{0, 1, *\}$. For a circuit C we denote by $C|_\rho$ the circuit we get by doing the substitutions prescribed by ρ, followed by all obvious cancellations made possible by applying ρ. The input variables of $C|_\rho$ are the variables which were given the value * by ρ.
The argument in [21] goes as follows: suppose that RW is computable by a 'small' MAJ • SYM • AND circuit C. Then there is a restriction ρ that accomplishes simultaneously two things: (1) $C|_\rho$ has 'small' bottom fan-in and (2) $C|_\rho$ is still computing GIP as a subfunction. Note that, by definition of RW and by the nature of parity, (2) happens whenever for every i, j there is k such that $\rho(x_{i,j,k}) = *$. But (1) and (2) contradict the above result by Håstad and Goldmann.
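Condition (2) can be checked mechanically on small instances. The following is an added example, not code from the paper; it goes slightly beyond the text by taking general parameters n, s and parity fan-in t (hypothetical names), and it assumes the standard definition of GIP as the parity of n ANDs of s bits each.

```python
import random
from itertools import product

STAR = "*"

def rw_like(x, n, s, t):
    """XOR over i<n of AND over j<s of XOR over k<t of x[i, j, k]."""
    out = 0
    for i in range(n):
        term = 1
        for j in range(s):
            term &= sum(x[i, j, k] for k in range(t)) % 2
        out ^= term
    return out

def gip(y, n, s):
    """Generalized inner product: XOR over i<n of AND over j<s of y[i, j]."""
    out = 0
    for i in range(n):
        out ^= int(all(y[i, j] for j in range(s)))
    return out

def random_restriction(n, s, t, stars, rng):
    """Leave exactly `stars` variables free (*), fix the others to random bits."""
    variables = list(product(range(n), range(s), range(t)))
    free = set(rng.sample(variables, stars))
    return {v: STAR if v in free else rng.randrange(2) for v in variables}

def keeps_gip(rho, n, s, t):
    """Condition (2): every bottom parity (i, j) still has a free variable."""
    return all(any(rho[i, j, k] == STAR for k in range(t))
               for i, j in product(range(n), range(s)))

def isolate_one_star(rho, n, s, t, rng):
    """Extend rho so each parity keeps exactly one free variable.

    Returns (extended restriction, flip) where flip[i, j] is the parity of
    the fixed bits of block (i, j), i.e. whether that GIP input is negated.
    """
    if not keeps_gip(rho, n, s, t):
        raise ValueError("some parity is fully fixed; GIP is not a subfunction")
    ext, flip = dict(rho), {}
    for i, j in product(range(n), range(s)):
        live = [k for k in range(t) if rho[i, j, k] == STAR]
        for k in live[1:]:
            ext[i, j, k] = rng.randrange(2)
        flip[i, j] = sum(ext[i, j, k] for k in range(t) if k != live[0]) % 2
    return ext, flip

def restricted_equals_gip(ext, flip, n, s, t):
    """Exhaustively check that the restricted function is GIP on negated inputs."""
    cells = list(product(range(n), range(s)))
    for bits in product((0, 1), repeat=len(cells)):
        y = dict(zip(cells, bits))
        x = {v: (y[v[0], v[1]] if b == STAR else b) for v, b in ext.items()}
        negated = {c: y[c] ^ flip[c] for c in cells}
        if rw_like(x, n, s, t) != gip(negated, n, s):
            return False
    return True

def demo(seed=1, n=2, s=2, t=3, stars=8):
    """Sample restrictions until condition (2) holds, then verify the reduction."""
    rng = random.Random(seed)
    rho = random_restriction(n, s, t, stars, rng)
    while not keeps_gip(rho, n, s, t):
        rho = random_restriction(n, s, t, stars, rng)
    ext, flip = isolate_one_star(rho, n, s, t, rng)
    return restricted_equals_gip(ext, flip, n, s, t)
```
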
Finally, Hansen and Miltersen [12] observed that RW actually cannot be computed by 'small' circuits of any constant depth with one majority gate at the top, and one layer of arbitrary symmetric gates immediately below it, where all the gates have unbounded fan-in (MAJ • SYM • AC$^0$ circuits). The argument in [12] goes as follows: suppose that RW is computable by a 'small' MAJ • SYM • AC$^0$ circuit C. Then there is a restriction ρ that accomplishes simultaneously two things: (1') $C|_\rho$ is equivalent to a 'small' MAJ • SYM • AND circuit and (2') $C|_\rho$ is still computing RW on an input of polynomially related size. (1') is obtained through Håstad's switching lemma [13], and for (2') they show that for every i, j there are 'many' k's such that $\rho(x_{i,j,k}) = *$. But (1') and (2') contradict the above result by Razborov and Wigderson.
Why Previous Lower Bounds Are Not Sufficient To Our Purposes:
The main problem with these previous lower bounds is that they only give a function that is worst-case hard for SYM • AC$^0$ circuits, while as explained before we need a function that is average-case hard. In fact, the choice of parameters in the definition of RW implies that $\Pr_x[RW(x) = 0] = 1/2 + \Omega(1)$, and thus RW cannot be average-case hard (since the constant size circuit that always outputs '0' computes the function fairly well on average). Moreover the choice of parameters for the restrictions in [21] does not guarantee that the reduction holds with high probability, which is needed to establish average-case hardness.
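The bias of RW can be made explicit. The following derivation is added here and is not part of the original text; it assumes base-2 logarithms and uses only the definition of RW given above. The bottom parities read disjoint variables, so they are independent uniform bits, and an AND of $s$ of them equals 1 with probability $p = 2^{-s}$. For the XOR of $n$ independent bits that are each 1 with probability $p$,

$$\Pr[\text{XOR} = 0] = \frac{1}{2} + \frac{(1-2p)^n}{2}.$$

For RW the AND fan-in is $s = \log n$, so $p = 1/n$ and $(1 - 2/n)^n \to e^{-2}$, giving $\Pr_x[RW(x) = 0] \to 1/2 + e^{-2}/2 \approx 0.57$. With AND fan-in $s = .3 \log n$ (the choice made for $f_n$ later in the paper) one gets $p = n^{-.3}$ and, once $2n^{-.3} \le 1$, $(1 - 2n^{-.3})^n \le e^{-2n^{.7}}$, so the constant circuit '0' has only a negligible advantage.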
Proof Sketch of our Average-Case Hardness Result for SYM • AC$^0$ Circuits: We define a function f (similar to RW, but with a different choice of parameters), and we show that f is average-case hard for SYM • AC$^0$ circuits. Our argument simplifies the previous ones and goes as follows: Suppose that C is a small SYM • AC$^0$ circuit computing f. We argue that, with high probability $1 - n^{-\Omega(\log n)}$ over the choice of a random restriction ρ, both the following two events happen:
• Event $E_1$ := the function computed by $C|_\rho$ is computable by a multiparty communication complexity protocol among 'few' parties communicating 'little'.
• Event $E_2$ := $C|_\rho$ is computing GIP as a subfunction.
To show $E_1$ we use Håstad's switching lemma to argue that with high probability over ρ, $C|_\rho$ is equivalent to a 'small' depth-2 circuit with a symmetric gate at the top (of unbounded fan-in) and AND gates of 'small' fan-in at the bottom, and then use Håstad and Goldmann's connection [14] between these circuits and multiparty communication complexity protocols (cf. paragraph "Previous Lower Bounds"). Now, when ρ satisfies both $E_1$ and $E_2$ we have
by the multiparty communication complexity lower bound by Babai, Nisan and Szegedy [4]. Since we can think of a random input x as being generated by first choosing a random restriction ρ and then a random input y for the *'s of ρ (so that $C(x) = C|_\rho(y)$), we have that
We show that the above argument goes through for SYM • AC$^0$ circuits C of size $n^{\Omega(\log n)}$ and this proves our average-case hardness result for SYM • AC$^0$ circuits.
Circuits with more Arbitrary Symmetric Gates: Before discussing how to extend our techniques to get an average-case hardness result for 'small' constant-depth circuits with $\log^2 n$ arbitrary symmetric gates, we would like to mention two other approaches that give weaker bounds. Beigel (Theorem 5.1 in [6]) shows that for every circuit of size S and depth d with σ arbitrary symmetric gates there is another circuit of size $S^{2^\sigma+1}$ and depth d + 1 with one arbitrary symmetric gate at the top computing the same function. Combining this with our average-case hardness result for SYM • AC$^0$ circuits one obtains an average-case hardness result for constant-depth circuits of size n ·log n with a constant number of arbitrary symmetric gates. But this approach gives weaker bounds (than $n^{\Omega(\log n)}$) if the circuits have σ = ω(1) arbitrary symmetric gates; and it gives nothing at all if the circuits have σ = log log n arbitrary symmetric gates.
Chattopadhyay and Hansen [9] prove a worst-case hardness result for constant-depth circuits of size n ·log n with $\log^2 n$ arbitrary symmetric gates. They obtain this result independently from ours. Subsequently to our results for SYM • AC$^0$ circuits, they also prove an average-case hardness result for constant-depth circuits of size n ·log n with fewer arbitrary symmetric gates, namely log n.
Inspired by the work of Chattopadhyay and Hansen, we prove an average-case hardness result for constant-depth circuits of size n ·log n with $\log^2 n$ arbitrary symmetric gates (Theorem 3). The proof of our result has the same structure as that of our result for SYM • AC$^0$ circuits discussed in the previous paragraph. The only difference is proving that, if C is a 'small' constant-depth circuit with $\log^2 n$ arbitrary symmetric gates, then with high probability over a random restriction ρ the function computed by $C|_\rho$ is computable by a multiparty communication complexity protocol P among 'few' parties communicating 'little' (cf. event $E_1$ in the previous paragraph). The idea is to let the protocol P compute the outputs of each arbitrary symmetric gate in order. Specifically, first fix a topological order of the arbitrary symmetric gates (the simple order induced by reading the gates level by level from the inputs to the output node will do). Now consider the SYM • AC$^0$ subcircuit $C_1$ whose root is the first arbitrary symmetric gate in this order. We know that with high probability over the restriction ρ, the function computed by $C_1|_\rho$ is computable by a multiparty communication complexity protocol $P_1$ exchanging 'few' bits (cf. event $E_1$ in the previous paragraph). Our protocol P first simulates $P_1$ to determine the output $b_1$ of $C_1|_\rho$. Then it considers the SYM • AC$^0$ circuit $C_2$ whose root is the second arbitrary symmetric gate, and where the first arbitrary symmetric gate is replaced with the constant $b_1$. Again, we argue that the function computed by $C_2|_\rho$ is computable by a multiparty communication complexity protocol $P_2$ exchanging 'few' bits. Our protocol P now simulates $P_2$ to determine the output $b_2$ of $C_2|_\rho$. We continue in this way until all the arbitrary symmetric gates are computed. Assuming w.l.o.g. that the output gate of the circuit is included in the arbitrary symmetric gates, the protocol P computes $C|_\rho$.
Organization
This paper is organized as follows. In Section 2 we fix some notation. In Section 3 we show how our average-case hardness result (Theorem 3) implies our generator (Theorem 1). In Section 4 we prove our average-case hardness result for SYM • AC$^0$ circuits. In Section 5 we extend this to our average-case hardness result for constant-depth circuits with few arbitrary symmetric gates, thus proving Theorem 3. In Section 6 we elaborate on why our generator improves on the generator by Luby, Velickovic and Wigderson (Theorem 2 in [18]). The proof of a result in this last section is given in Appendix A. In Section 7 we discuss some open problems.
Preliminaries
An arbitrary symmetric gate is a gate that computes an arbitrary symmetric function, i.e. a function whose value depends only on the number of input bits being 1 (e.g. PARITY, MAJORITY). We use standard definitions of constant depth circuits, which we now briefly recall. Constant depth circuits consist of AND, OR and possibly other gates (e.g. one arbitrary symmetric gate). It is intended that all gates whose type is not specified are either AND or OR, and that AND and OR gates are not counted towards arbitrary symmetric gates. All circuit gates, unless specified otherwise, have unbounded fan-in. Circuits take both input variables and their negations as input. Bottom gates are the ones adjacent to the input bits. The top gate is the output gate. Levels are numbered from the bottom. So the input bits are at level 0, the bottom gates at level 1 and so on. Gates at level i are connected to gates at levels i−1 and i+1 only. The depth of a circuit is the longest path from any input to the output. The size of a circuit is the number of gates in it. Multiple edges between pairs of nodes in the circuit are not allowed (otherwise an arbitrary symmetric gate can compute any function; this convention is standard in the literature, e.g. [14]).
From Average-Case Hardness to Pseudorandomness
In this section we show how our average-case hardness result (Theorem 3) implies our generator (Theorem 1). We restate the theorems for the reader's convenience. 
Theorem (1, restated
Theorem (3, restated). There is a function f : {0, 1}
Proof of Theorem 1, assuming Theorem 3. The generator is obtained by plugging the function from Theorem 3 into Nisan-Wigderson's pseudorandom generator construction [20] . Specifically, they show how given a function f :
m such that every circuit C for which
can be transformed into another circuit C of size |C| + poly(m) that computes the function f correctly with probability (over random input) greater than 1/2 + 1/m 2 = 1/2 + 1/l 2 log l .
As observed in [19, 20] √ l/2 → {0, 1} with probability greater than 1/2 + 1/l 2 log l . This contradicts Theorem 3 for sufficiently small .
The complexity of the generator follows from the arguments in [19, 20] and the fact that f is computable in time poly(l).
Average-Case Hardness for SYM • AC$^0$ circuits
In this section we prove our average-case hardness result for 'small' constant-depth circuits with one arbitrary symmetric gate at the top. 
In the rest of this section we prove Theorem 4. In the proof we use two results which we describe in the following two subsections. The first is a version of Håstad's switching lemma [13] due to Beame [5] , and the second is the multiparty communication complexity lower bound for GIP by Babai, Nisan and Szegedy [4] .
Switching Lemma
We now describe the switching lemma we use in the proof of Theorem 4. As in [12], the crucial property that we need is that the DNF obtained after applying the restriction is such that all the terms are mutually contradictory, i.e. no input satisfies more than one term. This allows us to merge the top OR gate of the DNF in the symmetric gate at the top (cf. Fact 6). The fact that this property holds for Håstad's switching lemma was already noted by Boppana and Håstad in [13] (inside the proof of Lemma 8.3). However, there does not seem to be a full proof of this fact in the literature. For this reason we use a slightly different version of Håstad's switching lemma, due to Beame [5].
A restriction on m variables $x_1, x_2, \ldots, x_m$ is a map $\rho : \{x_1, x_2, \ldots, x_m\} \to \{0, 1, *\}$. For a function $f : \{0,1\}^m \to \{0,1\}$ we denote by $f|_\rho$ the function we get by doing the substitutions prescribed by ρ. $f|_\rho$ will be a function of the variables that were given the value * by ρ. Similar conventions hold for circuits. If ρ and ρ′ are restrictions, and ρ′ is defined on the variables mapped to * by ρ we write ρρ′ for the restriction obtained by combining ρ and ρ′, so that $f|_{\rho\rho'} = (f|_\rho)|_{\rho'}$. Let $R_m^{\delta \cdot m}$ denote the uniform distribution on restrictions on m variables assigning exactly δm variables to *, and assigning random values to the others.
A decision tree on m variables is a labelled binary tree where edges and leaves are labelled with 0 or 1, and internal nodes with variables. A decision tree computes a function in the intuitive way, starting at the root and following the path according to the values of the input variables, and outputting the value at the reached leaf.
Lemma 5 ([5]). Let ϕ be a DNF or a CNF formula in m variables with bottom fan-in at most r. For every s ≥ 0, p < 1/7, the probability over $\rho \in R_m^{p \cdot m}$ that the function computed by $\phi|_\rho$ is not computable by a decision tree of height strictly less than s is less than $(7pr)^s$.
We will use Lemma 5 in combination with the following fact.
Fact 6. Let f be a symmetric function of S decision trees of height h. Then f is computable by a depth 2 circuit of size $S \cdot 2^h + 1$ with a symmetric gate of unbounded fan-in at the top and AND gates of fan-in h at the bottom.
Proof. Write each decision tree as a DNF with bottom fan-in h, where each term corresponds to a path leading to 1. The number of terms in each DNF is at most $2^h$, i.e. at most the number of paths in a decision tree of height h. Because every input to a decision tree follows a unique path, each DNF we construct has the property that every input satisfies at most one term. Thus we can merge the top OR gate of all these DNFs with the top symmetric gate of the circuit. Specifically, if the original symmetric gate was $\psi(x_1, x_2, \ldots, x_S) = g(\sum_{i \le S} x_i)$ for some arbitrary function $g : [S] \to \{0, 1\}$, the new symmetric gate is simply
Multiparty Communication Complexity
In this section we describe some results on communication complexity that will be used in the proof of our main results. The model of interest is the multiparty communication complexity model. In this model there are s parties, each having unlimited computational power, who wish to collaboratively compute a certain function. The input bits to the function are partitioned in s blocks, and the i-th party knows all the input bits except those corresponding to the i-th block in the partition. The communication between the parties is by "writing on a blackboard" (broadcast): any bit sent by any party is seen by all the others. The parties exchange messages according to a fixed protocol. The measure of interest is the number of bits exchanged by the parties. We refer the reader to the book by Kushilevitz and Nisan [16] for background on this model. Babai, Nisan and Szegedy [4] prove a multiparty communication complexity lower bound for the generalized inner product function $GIP_{n,s} : \{0,1\}^{n \cdot s} \to \{0,1\}$, which is defined as follows:
Lemma 7 ([4]). There is a partition of the inputs to GIP
Håstad and Goldmann [14] show that the function computed by a 'small' SYM • AND circuit with 'small' bottom fan-in can be computed by a multiparty communication complexity protocol among 'few' parties exchanging 'few' bits.
Lemma 8 ([14]). Let C be a depth-2 circuit of size S with an arbitrary symmetric gate (of unbounded fan-in) at the top, and AND gates of fan-in strictly less than s at the bottom. Then the function computed by C can be computed (under any partition of the input) by an s-party communication complexity protocol exchanging $1 + s \log S$ bits.
The idea in Lemma 8 is that since each bottom AND gate has fan-in strictly less than s then, for any partition of the input in s blocks, the input bits to each AND can lie in at most s − 1 distinct blocks. Therefore we can assign each AND gate to some party that knows all the input bits necessary to compute it. Now each party broadcasts the number of AND gates assigned to him that evaluate to 1, which takes at most log S bits. Since the top gate is symmetric this information is sufficient to compute the output of the circuit.
Our next lemma combines the above observation by Håstad and Goldmann with the "switching lemma" results from the previous section to argue the following: for every small SYM • AC$^0$ circuit, w.h.p. over a suitable restriction ρ, the function computed by $C|_\rho$ can be computed by a multiparty communication complexity protocol among 'few' parties exchanging 'few' bits.
Lemma 9. For every constant d there is a constant > 0 such that the following holds. Let $C : \{0,1\}^n \to \{0,1\}$ be a circuit of size n ·log n , depth
The lemma follows by the above claim using Lemma 8, which implies that the function computed by a depth-2 circuit of size $S = |C| \cdot 2^{.3 \log n} \le n^{\log n}$ with a symmetric gate (of unbounded fan-in) at the top and AND gates of fan-in strictly less than .3 log n at the bottom is computable by a .3 log n-party communication complexity protocol exchanging $1 + (.3 \log n) \log S \le \log^3 n$ bits.
We now prove Claim 10. Similar calculations have already been done elsewhere (e.g., Lemma 2 in [17]). However, we have not found the exact claim we need in the literature.
restrictions $\rho_1, \rho_2, \ldots, \rho_i$, the function computed by every gate at level i is computable by a decision tree of height strictly less than .3 log n. We now bound
We now bound each term. 
be computed by decision trees of height (strictly) less than .3 log n. Write each such function as a DNF with terms of size at most .3 log n (where each term corresponds to a path in the decision tree leading to '1'). Merging the top OR gates of all these DNFs with ϕ we see that, given $DT_{i-1}$, the function computed by ϕ is a DNF with terms of size at most r = .3 log n. By Lemma 5 the probability over the choice of the i-th restriction $\rho_i$ that the function computed by $\phi|_{\rho_1\rho_2\cdots\rho_i}$ cannot be computed by a decision tree of depth strictly less than s = .3 log n is at most
Thus by a union bound we have that
is at most $n^{-\Omega(\log n)}$ times the number of gates at level i. Therefore, if the circuit C has size n log n for sufficiently small we have
We have shown that with probability $1 - n^{-\Omega(\log n)}$ (over ρ) the function computed by $C|_\rho$ is computable by a symmetric function of |C| decision trees of height strictly less than .3 log n. By Fact 6 we can write each decision tree as a DNF and merge the top OR gates of these DNFs into the top symmetric gate of C, thus proving the claim.
Proof of Theorem 4
We now prove Theorem 4. We restate the theorem for the reader's convenience.
Theorem (4, restated). There is a function $f : \{0,1\}^* \to \{0,1\}$ computable in polynomial time such that for every constant d there is a constant > 0 such that for every n and every circuit C of size n ·log n , depth d, with 1 arbitrary symmetric gate at the top, the following holds:
Proof of Theorem 4. Similarly to [21], we consider the function obtained by attaching PARITY gates on n bits at the bottom of $GIP_{n,.3 \log n}$. That is, let $f_n : \{0,1\}^{n^2(.3 \log n)} \to \{0,1\}$ be defined as
We will prove Theorem 3 with $f_n$ as hard function. While $f_n$ is a function on $m = m(n) := n^2(.3 \log n)$ bits, it will be convenient to parameterize it by n. Since we will prove $n^{\Omega(\log n)}$ lower bounds for $f_n$ and the input length of $f_n$ is m = poly(n), we also obtain $m^{\Omega(\log m)}$ lower bounds for $f_n$ (for a different hidden constant in the Ω(·)).
It is easy to see that $f_n$ is computable in polynomial time.
• Event $E_1$ := the function computed by $C|_\rho$ is computable (under any partition of the input) by a .3 log n-party communication complexity protocol exchanging $n^{.2}$ bits.
• Event
(In other words, for each of the n · (.3 log n) bottom parity functions of $f_n$, ρ maps some of its input variables to *.)
Before 
This holds by Lemma 7. Specifically, fix any restriction ρ′ taken on the variables mapped to * by ρ, such that for every i ∈ [n], j ∈ [.3 log n] there is exactly one k ∈ [n] such that $\rho\rho'(x_{i,j,k}) = *$. We then have that $f_n|_{\rho\rho'}$ equals $GIP_{n,.3 \log n}$ (up to possibly negating some input variables). If the function computed by $C|_\rho$ is computable by an s-party communication complexity protocol exchanging $n^{.2}$ bits then clearly the same holds for the function computed by $C|_{\rho\rho'}$. Therefore by the multiparty communication complexity lower bound for GIP (Lemma 7) we obtain (noticing that for s = .3 log n, γ = 2
Equation 1 follows noticing that we can think of a random y as choosing first a random ρ′ as above and then a random $z \in \{0,1\}^{n(.3 \log n)}$ for the *'s of ρ′ (so that $C|_\rho(y) = C|_{\rho\rho'}(z)$).
independent random elements uniformly distributed in [m] all fall outside B (to see this, think of choosing the random subset A one element at a time, and note that when an element falls outside B it is more likely for the next element to fall inside B). This latter probability is
Thus we have:
where we used that $m = n^2 \cdot (.3 \log n)$. By a union bound we have
We point out that Theorem 4 is tight for the particular choice of $f_n(x) = \bigoplus_{i=1}^{n} \bigwedge_{j=1}^{.3 \log n} \bigoplus_{k=1}^{n} x_{i,j,k}$. Namely, $f_n$ is computable by PARITY • AND circuits of size $n^{O(\log n)}$. This can be seen by writing the function computed by each AND as a PARITY of $n^{O(\log n)}$ AND's (cf. [21]).
Fooling Circuits with more Arbitrary Symmetric Gates
In this section we prove our average-case hardness result for constant-depth circuits of size n log n with $\log^2 n$ arbitrary symmetric gates (Theorem 3). The proof has the same structure as the proof of our average-case hardness result for circuits with one arbitrary symmetric gate (Theorem 4). The only difference is that now we want to argue that event $E_1$ happens with high probability even for circuits with $\log^2 n$ arbitrary symmetric gates, i.e. we want to show that with high probability over the restriction ρ, the function computed by $C|_\rho$ is computable by a multiparty communication complexity protocol among 'few' parties exchanging 'few' bits. Thus the proof of Theorem 3 follows from the next lemma.
Proof. Assume without loss of generality that the output gate of the circuit C is included in the arbitrary symmetric gates. Fix a topological order of the arbitrary symmetric gates (the simple order induced by reading the gates level by level from the inputs to the output node will do). For every $i \in \{1, \ldots, \log^2 n\}$, $z \in \{0,1\}^{i-1}$, define $C_{i,z}$ as the subcircuit of C whose output gate is the i-th arbitrary symmetric gate but where the previous arbitrary symmetric gates are replaced with z (i.e., the j-th gate is replaced with the j-th bit in z). Note $C_{i,z}$ is a SYM • AC$^0$ circuit.
Claim 13.
For a sufficiently small constant > 0, with Proof. The claim follows by noting that the number of
and then using a union bound and Lemma 9, which states that for each fixed circuit $C_{i,z}$, with probability $1 - n^{-\Omega(\log n)}$ over ρ, the function computed by $C_{i,z}|_\rho$ is computable by a .3 log n-party communication complexity protocol exchanging $\log^3 n$ bits.
The lemma follows by noting that whenever ρ satisfies the conclusion of the above claim we have (under any partition of the input bits) the following .3 log n-party communication complexity protocol P for $C|_\rho$: On input x compute $C|_\rho(x)$ as follows. Simulate $P_1$ to compute
Continue in this way until $C_{\log^2 n, z}(x) = C|_\rho(x)$ (this last equality is easy to verify).
Since each protocol $P_{i,z}$ exchanges at most $\log^3 n$ bits of communication, and we simulate $\log^2 n$ of these protocols, the total number of bits exchanged by the protocol P is at most $\log^5 n$.
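The counting idea behind Lemma 8 and the sequential protocol P built from it can be simulated directly. This is an added example, not code from the paper: the circuit, the wire names (x0..x5, g0..g2) and the function names are constructed for illustration, each symmetric gate is assumed to be already in SYM • AND form with every AND touching fewer than s input blocks, and each party's count is sent in a plain fixed-width encoding rather than with the lemma's exact accounting.

```python
import math
from itertools import product

def lemma8_round(ands, sym, block_of, s, x, public):
    """One run of the counting protocol for a single SYM-of-AND gate.

    ands:     AND gates, each a list of literals (wire, negated).
    block_of: input variable -> block index; party p sees every block but p.
    public:   outputs of earlier symmetric gates, already on the blackboard.
    Returns (output bit, number of bits written on the blackboard).
    """
    width = max(1, math.ceil(math.log2(len(ands) + 1)))
    counts = [0] * s
    for gate in ands:
        touched = {block_of[w] for w, _ in gate if w not in public}
        owners = [p for p in range(s) if p not in touched]
        if not owners:
            raise ValueError("AND gate touches all s blocks; no party sees it")
        p = owners[0]
        # Party p's view: every input outside its own block, plus the blackboard.
        view = {w: b for w, b in x.items() if block_of[w] != p}
        view.update(public)
        counts[p] += all(view[w] ^ neg for w, neg in gate)
    # Each party broadcasts its count; the top gate only needs the total.
    return sym(sum(counts)), s * width

def sequential_protocol(circuit, block_of, s, x):
    """Evaluate the symmetric gates in topological order, one round per gate."""
    public, total_bits, out = {}, 0, None
    for idx, (sym, ands) in enumerate(circuit):
        out, cost = lemma8_round(ands, sym, block_of, s, x, public)
        public[f"g{idx}"] = out      # b_i becomes a constant for later gates
        total_bits += cost
    return out, total_bits

def direct_eval(circuit, x):
    """Reference evaluation with full knowledge of the input."""
    wires = dict(x)
    for idx, (sym, ands) in enumerate(circuit):
        ones = sum(all(wires[w] ^ neg for w, neg in gate) for gate in ands)
        wires[f"g{idx}"] = sym(ones)
    return wires[f"g{len(circuit) - 1}"]

# Constructed sample: 3 parties, 6 inputs in 3 blocks, 3 symmetric gates.
BLOCK_OF = {"x0": 0, "x1": 0, "x2": 1, "x3": 1, "x4": 2, "x5": 2}
PARITY = lambda c: c % 2
MAJ3 = lambda c: int(c >= 2)
EXACTLY_ONE = lambda c: int(c == 1)
CIRCUIT = [
    (PARITY, [[("x0", 0), ("x2", 0)], [("x1", 1), ("x4", 0)],
              [("x3", 0), ("x5", 0)]]),
    (MAJ3, [[("g0", 0), ("x0", 0), ("x3", 0)], [("g0", 1), ("x5", 0)],
            [("x2", 0), ("x4", 1)]]),
    (EXACTLY_ONE, [[("g0", 0), ("g1", 1)], [("g1", 0), ("x1", 0), ("x4", 0)],
                   [("x3", 1), ("x5", 1)]]),
]

def check_all_inputs():
    """Compare protocol and direct evaluation on all 64 inputs."""
    names, worst = sorted(BLOCK_OF), 0
    for values in product((0, 1), repeat=len(names)):
        x = dict(zip(names, values))
        out, bits = sequential_protocol(CIRCUIT, BLOCK_OF, 3, x)
        if out != direct_eval(CIRCUIT, x):
            return False, bits
        worst = max(worst, bits)
    return True, worst
```

The total cost is the per-gate cost times the number of symmetric gates, which is the same multiplication that gives the $\log^5 n$ bound above.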
It is perhaps interesting to note that, unlike the corresponding protocol in the proof of Theorem 4, the protocol in the above lemma is not simultaneous, i.e. the bits sent by a party in general depend on the bits previously sent by other parties (cf. [16] for background on simultaneous protocols). Thus in our proof we are taking advantage of the fact that the lower bound for GIP (Lemma 7) holds even for non-simultaneous protocols. We do not know how to prove the same result starting from a multiparty communication complexity lower bound for simultaneous protocols.
Our Generator vs. Luby, Velickovic and Wigderson's
In this section we elaborate on why our generator (Theorem 1) improves on the generator by Luby, Velickovic and Wigderson (Theorem 2 in [18] ). Recall that the generator in [18] fools 'small' depth 2 circuits with one arbitrary symmetric gate at the top (SYM • AND circuits). On the other hand our generator fools 'small' circuits of any constant depth with 'few' arbitrary symmetric gates.
We note that there are several results (e.g. [22, 25, 2, 29, 7, 8]) showing that 'small' circuits in certain 'rich' constant-depth circuit classes can be converted into 'not-too-big' SYM • AND circuits. Thus one may wonder whether we can use these results to deduce that the generator in [18] is already powerful enough to give our main result (Theorem 1), i.e. whether it can fool 'small' constant-depth circuits with 'few' arbitrary symmetric gates.
The problem with this idea is that in all these conversion results the blow-up in the circuit size is bigger than the saving of the generator. More specifically, these conversion results show how to convert, say, an AC$^0$ circuit of size S into a SYM • AND circuit of size quasi-polynomial, i.e. S
It seems natural to ask whether the known conversion results are the best possible, i.e. if the quasi-polynomial blow-up is inherent in the conversion. There are works (e.g. [7, 21]) suggesting that this is indeed the case. We give another result of this flavor.
Specifically, we show how to modify the lower bound in Theorem 4 to get a function computable by polynomial size PARITY • AC$^0$ circuits that is average-case hard for superpolynomial size SYM • AND circuits. The idea is to change the fan-in of the bottom parities of f so that they are computable by polynomial size AC$^0$ circuits (specifically we change their fan-in from n to $\log^3 n$). While our lower bound is only 'slightly' superpolynomial (i.e. $n^{\Omega(\log \log n)}$), it shows that the parameters of our generator (Theorem 1) cannot be obtained combining a conversion result with Theorem 2 in [18], even if we only want to fool PARITY • AC$^0$ circuits.
Theorem 14.
There is a function $f : \{0,1\}^* \to \{0,1\}$ computable by uniform polynomial size PARITY • AC$^0$ circuits and a constant > 0 such that for every n and every SYM • AND circuit C of size n ·log log n , the following holds:
The proof of Theorem 14 is given in Appendix A.
Open Problems
Can the techniques in this paper be used to prove (average-case) hardness results for constant-depth circuits with $\omega(\log^2 n)$ arbitrary symmetric gates? Such a hardness result would follow from a positive answer to the following open question: Let C be a constant-depth circuit of size n log n with $\omega(\log^2 n)$ arbitrary symmetric gates, and let ρ be a restriction as in the statement of Lemma 9. Is it true that with high probability over ρ the function computed by $C|_\rho$ is computable by a .9 log n-party communication complexity protocol exchanging $n^{.9}$ bits?
