
Demi-Bits Generators in Cryptography

Updated 25 November 2025
  • Demi-Bits Generators are cryptographic pseudorandom generators that expand n-bit inputs to longer outputs while resisting nondeterministic NP/poly distinguishers via a zero-acceptance criterion on range outputs.
  • They employ a stretching theorem that enables sublinear output expansion, preserving exponential hardness against nondeterministic adversaries through hybrid arguments and randomness extractors.
  • Their applications span average-case complexity, proof complexity, and bounded arithmetic, underpinning hardness for range avoidance and the separation of arithmetic theories.

A demi-bits generator is a variant of a cryptographic pseudorandom generator (PRG) designed to withstand attacks by nondeterministic statistical tests, as opposed to merely deterministic or probabilistic ones. Originating in the context of Natural Proofs barriers, demi-bits generators have become fundamental objects in the study of cryptography, average-case complexity, and proof complexity. Their security requirement is tailored to adversaries equipped with nondeterministic computation, and their existence is connected to major open questions about circuit lower bounds and the limitations of propositional proof systems.

1. Formal Definitions and Security Criteria

A demi-bits generator is a function $G:\{0,1\}^n\to\{0,1\}^m$ with $m>n$, efficiently computable (typically in $\P/\poly$), that "fools" all efficient nondeterministic (or $\mathsf{AM}$) distinguishers. The central definitions are as follows:

  • Demi-bits generator (secure against nondeterministic adversaries): $G$ is an $(s,\varepsilon)$-secure demi-bits generator if no size-$s$ $\NP/\poly$ circuit $D$ satisfies

$$\Pr_{y\gets U_m}[D(y)=1] \geq \varepsilon \quad\text{and}\quad \Pr_{x\gets U_n}[D(G(x))=1]=0.$$

Equivalently, for all size-$s$ nondeterministic tests $D$,

$$\Pr_{x\gets U_n}[D(G(x))=1] \geq \Pr_{y\gets U_m}[D(y)=1] - \varepsilon.$$

This captures the absence of any certificate-producing guesser capable of efficiently proving that a random $y\notin \mathrm{Range}(G)$.

  • Demi-bit (hardness amplification):

A demi-bit is a generator $g_n:\{0,1\}^n\to\{0,1\}^{n+1}$ in $\P/\poly$ with "demi-hardness" at least $2^{n^\varepsilon}$ for some absolute $\varepsilon>0$. The precise definition involves the maximal acceptance-probability gap achievable by a nondeterministic circuit, requiring exponential circuit size for any non-negligible advantage.

A super-bit is stronger, requiring hardness against general nondeterministic distinguishers (without the zero-acceptance property on range points). Every super-bit is a demi-bit, but not vice versa.

2. Stretching Theorems and Explicit Construction

A central question since their introduction has been whether demi-bits admit nontrivial stretch. This was resolved in (Tzameret et al., 2023): any demi-bit $b_n:\{0,1\}^n\to\{0,1\}^{n+1}$ can be "stretched" to produce sublinearly many demi-bits $g_N:\{0,1\}^N\to\{0,1\}^{N+N^c}$ for any constant $0

The core construction is a direct product:

  • Split the input $x$ of $N$ bits into $m=\lceil N^c\rceil$ blocks of size $n$.
  • For each block $x_i$, compute $b_n(x_i)$, producing $m$ blocks of $n+1$ bits each.
  • Concatenate all outputs (plus any slack bits), yielding output length $N+N^c$.

The resulting function preserves demi-hardness: any size-$s$ nondeterministic distinguisher for $g_N$ yields, via a hybrid argument and amplification, a distinguisher for $b_n$ of comparable complexity. The security loss is polynomial in $N$; specifically, if $b_n$ has demi-hardness $2^{n^\varepsilon}$, then $g_N$ achieves demi-hardness at least $2^{\Omega(N^{\varepsilon(1-c)})}$. The construction runs in time $\tilde O(N)$, with circuit size $O(N^c|b_n|)$, ensuring subexponential hardness survives the stretching.
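The direct-product stretch described above, driven by a toy Goldreich-style base generator of the kind listed in Section 5, as an added illustration (this is not code from the page or from Tzameret et al.; `goldreich_base`, `stretch` and `range_size` are names chosen here, the predicate and hypergraph are constructed from a fixed seed, and no hardness is claimed at these sizes):

```python
import math
import random
from typing import Callable, List, Tuple

Bits = List[int]
Gen = Callable[[Bits], Bits]


def goldreich_base(n: int, seed: int = 0) -> Gen:
    """Toy Goldreich-style candidate b_n: {0,1}^n -> {0,1}^(n+1).
    Output bit j applies the fixed predicate v0 + v1*v2 (mod 2), a
    constant-degree GF(2) polynomial, to the 3 input bits of edge j of a
    3-uniform hypergraph built from a fixed seed (constructed, toy only)."""
    assert n >= 3
    rng = random.Random(seed)
    hypergraph = [rng.sample(range(n), 3) for _ in range(n + 1)]

    def b(x: Bits) -> Bits:
        assert len(x) == n
        return [(x[e[0]] + x[e[1]] * x[e[2]]) % 2 for e in hypergraph]
    return b


def stretch(base: Callable[[int], Gen], N: int, c: float) -> Tuple[Gen, int, int, int]:
    """Direct-product stretch g_N: {0,1}^N -> {0,1}^(N + ceil(N^c)).
    Returns (g_N, m, n, slack): m = ceil(N^c) blocks of n = N // m bits;
    the N - m*n leftover input bits are the slack bits, copied through."""
    m = math.ceil(N ** c)
    n = N // m
    slack = N - m * n
    b = base(n)

    def g(x: Bits) -> Bits:
        assert len(x) == N
        out: Bits = []
        for i in range(m):                       # b_n(x_i) for each block
            out.extend(b(x[i * n:(i + 1) * n]))
        out.extend(x[m * n:])                    # slack bits unchanged
        return out
    return g, m, n, slack


def range_size(N: int, c: float) -> Tuple[int, int]:
    """Brute-force |Range(g_N)| and 2^(N + m) for tiny N. The gap is
    what a test with zero acceptance on Range(g_N) must certify."""
    g, m, n, slack = stretch(goldreich_base, N, c)
    seen = set()
    for s in range(2 ** N):
        seen.add(tuple(g([(s >> i) & 1 for i in range(N)])))
    return len(seen), 2 ** (N + m)
```

The output length is $N + \lceil N^c\rceil$ whether or not $m$ divides $N$, because the slack bits are passed through rather than dropped.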

It remains open whether demi-bits can be stretched to polynomial length, as is standard for classical hard bits and PRG theory.

3. Hardness of Range Avoidance and Connections to Proof Complexity

A striking application of demi-bits generators is to the range-avoidance problem ($\text{Avoid}$): given a surjective circuit $C:\{0,1\}^n\to\{0,1\}^m$, output $y\notin\mathrm{Range}(C)$. While trivial for randomized computation, demi-bits generators imply that $\text{Avoid}$ is computationally hard for nondeterministic algorithms.

Formally, if there exists a demi-bits generator $G:\{0,1\}^n\to\{0,1\}^{10n}$ secure against $\NP/\poly$, then $\text{Avoid}\notin\SearchNP$; no nondeterministic polynomial-time algorithm can solve the problem for all circuits $C$ of this form (Ren et al., 18 Nov 2025).

This result is robust under composition with strong seeded extractors and applies even to circuits where every output bit is a constant-degree $\GF(2)$ polynomial, assuming suitable LPN-style or Goldreich PRG-based demi-bits generators. The implications extend to average-case complexity and the study of total search problems beyond deterministic and probabilistic settings.

4. Applications to Bounded Arithmetic and Propositional Proof Systems

The existence of demi-bits generators of super-polynomial hardness against $\AM$ has foundational consequences in bounded arithmetic and proof complexity. Specifically, it is shown that:

  • Under the existence of such generators with sufficiently large stretch, the dual weak pigeonhole principle ($\mathrm{dwPHP}$) is unprovable in Cook's theory $\mathsf{PV}_1$, leading to $\mathsf{APC}_1 > \mathsf{PV}_1$. This separates these two theories through explicit cryptographic hardness, rather than abstract incompleteness arguments.

Additionally, demi-bits enable the construction of proof complexity generators that are "pseudo-surjective" with nearly optimal parameters. For any proof system $P$ closed under parity reductions, a demi-bits generator $G$ can be composed with a suitable extractor to produce a generator $C$ such that no $k$-round Student–Teacher queries (even with non-uniform advice) yield short $P$-proofs for any output point $y$. This bridges pseudorandomness in cryptography with intractability results in propositional proofs.

5. Explicit Candidates: Constant-Degree Constructions

Candidate constructions for demi-bits generators include:

  • LPN-style constructions, where $g:\{0,1\}^{n'}\to\{0,1\}^m$ computes output bits as degree-$d$ polynomials over $\GF(2)$. The conjectured hardness of the Learning Parity with Noise (LPN) problem translates to the demi-hardness of such $g$.
  • Goldreich's PRG, where each output bit is determined by a fixed predicate on a constant-sized tuple of input bits, corresponding to a $d$-uniform hypergraph.

Assuming the demi-hardness of these candidates, $\text{Avoid}$ is hard even for circuits realized by $\mathrm{XOR}\circ\mathrm{AND}_d$ forms, with stretch $n\mapsto n^{1+\delta/2}$. This extends hardness-of-range-avoidance results previously established only for more complex circuit classes and under stronger assumptions.

6. Central Combinatorial and Cryptographic Methods

The analysis and reductions involving demi-bits generators utilize several key technical tools:

  • Randomness extractors: Pairwise-independent hash functions (leveraging the Leftover Hash Lemma) are crucial for composing demi-bits with extractors, isolating a seed where nondeterministic adversaries cannot succeed.
  • Hybrid argumentation: Used to translate security loss in stretching constructions, enabling tight lower bounds on adversarial bias.
  • Goldwasser–Sipser set-size lower bound protocol: Applied in proofs connecting the separation of bounded arithmetic theories to demi-bits hardness.
  • Combinatorial coverage lemmas: Applied to probabilistic covering arguments in hardness proofs for range avoidance and propositional proof statements.

These techniques demonstrate that cryptographic hardness against nondeterminism can be a clean, minimal foundation for consequences in proof complexity and circuit lower bounds, often bypassing the need for obfuscation or public-key primitives.


Table: Comparison Between Generators

| Generator Type | Security Against | Stretch Achievable |
| --- | --- | --- |
| Classical PRG | Deterministic, Prob. | Polynomial |
| Super-bit | Nondeterministic | Open (≥ 1) |
| Demi-bit | Nondeterministic (zero acceptance on range) | Sublinear ($N \mapsto N+N^c$) (Tzameret et al., 2023) |

Editor's term: "Stretchable demi-bits" refers to the generator families constructed in (Tzameret et al., 2023) achieving sublinear output expansion.

7. Open Problems and Research Directions

Several major open problems persist:

  • Whether demi-bits generators can be stretched polynomially, i.e., whether there exist constructions mapping $n$ bits to $n^{1+\delta}$ bits with strong demi-hardness for any constant $\delta>0$.
  • Whether the mere existence of demi-bits (with or without stretch) suffices to rule out $\NP/\poly$-natural proofs effective against $\P/\poly$.
  • Determining the minimal "nondeterministic unpredictability" assumptions needed for demi-hardness, and their equivalence to next-bit unpredictability for $\NP/\poly$ or $\coNP/\poly$ predictors.
  • Classification and explicit construction of concrete, efficient, and secure demi-bits generators, particularly those realized by constant-degree polynomials or restricted circuit classes.

These questions are deeply connected to the landscape of complexity lower bounds, derandomization, and foundational cryptographic assumptions (Tzameret et al., 2023, Ren et al., 18 Nov 2025).
