What do we know about the asymptotic proportion of "easy" instances of NP-complete problems

Question

In practice, it seems that many NP-hard problems "usually" lead to easy instances, in the sense that a commercial solver can handle them reasonably. A few past questions on this topic (see here and here) have been answered by saying they are not well-posed

Here's a shot at a asking a question which might have a non-trivial answer:

Suppose $P \neq NP$ (or assume something stronger like ETH). For each $n$, let $S_n$ be a set of 3SAT instances of size $n$. Additionally, suppose the the number of positive instances and negative instances in $S_n$ is equal. What is the maximum growth rate $|S_n|$ can have while the language $\bigcup_n S_n$ is still polynomial time decidable.

Is this version of the question also trivial? If not, what work has been done on it?

Another question: What other ways of formalizing easy/hard instances are available, and what progress has been made on analyzing them?

Answer 1

Unfortunately, I don't think this way of formalizing the problem is going to lead to much insight.

The practical experience you are referring to has to be a consequence of something about the distribution of instances seen in practice: that "not-too-hard" instances are common in practice, in the settings where commercial solvers often work. I don't know how to formalize that, as it seems dependent in non-trivial ways on those particular application settings.

For your specific problem, under reasonable assumptions, the maximum growth rate is basically polynomial. If $|S_n|$ grows polynomially quickly, then the promise problem can be solved in polynomial time, in non-uniform models of complexity (e.g., P/poly).

Conversely, we can generate sets $|S_n|$ that grow a bit faster than polynomial, and where heuristically we do not expect any way to solve it in polynomial time. Consider the problem of breaking cryptography, and specifically, recovering the key to a block cipher given a few random known-plaintext pairs. Concretely, each positive instance is obtained by randomly picking a key $k$ and random values $x_1,\dots,x_m$, letting $y_i=E_k(x_i)$, and then creating a 3SAT formula $\varphi(t)$ that evaluates to true if $E_t(x_i)=y_i$ for all $i$, i.e., if $t$ is a key that encrypts each $x_i$ to $y_i$. (This can be done by applying the Tseitin transform to the boolean circuit that tests if $t$ is the desired key.) Each negative instance is obtained by picking random values $x_1,\dots,x_m,y_1,\dots,y_m$, and creating a 3SAT formula $\varphi(t)$ that evaluates to true if $E_t(x_i)=y_i$ for all $i$. We know that all the positive instances are satisfiable. Heuristically, the negative instances are all unsatisfiable. Moreover, under standard cryptographic assumptions (that the block cipher $E$ is secure), no polynomial-time algorithm can distinguish between positive vs negative instances with non-negligible advantage. (Roughly speaking, no polynomial-time algorithm can do better than random guessing.) Therefore, if you define $S_n$ by sampling some super-polynomial number of positive instances and some super-polynomial number of negative instances, no polynomial-time algorithm will decide this promise problem with good probability (any such algorithm could be turned into an attack on the block cipher that is faster than exhaustive keysearch).

In other words, $|S_n|$ only needs to grow slightly faster than polynomial, and the problem can already be hard.

This argument relies on the assumption that we have blockciphers where there is no attack faster than exhaustive keysearch. That is not proven; it is a conjecture. But based on our experience with cryptography so far, it seems like a pretty plausible guess. In any case, it means that for a solver to do well on all problem subclasses where $|S_n|$ grows even slightly faster than superpolynomial, would represent a major advance in attacking block ciphers. So we shouldn't reasonably expect existing solvers to achieve such a level of performance.