Oded Goldreich – Defining Moments Omer Reingold, Stanford, on OdedFest 2017

This Talk’s Concept Focus on Oded’s concepts How does he do it? And what awesome concepts they are! Conceptual contributions include everything: the notions, the definitions, the notations … Even if it doesn’t start with Oded, it often ends with him How does he do it? Writing, writing and then some more writing (papers, surveys, books) His famous personal touch (more, I guess, in the evening sessions)

Clarifications and Warnings Chosen definitions not meant to be representative or Oded’s best (but I love them all) Bias towards those that have impacted my own research These are all joint works; There were other papers before them and papers that followed Celebrating a community But don’t expect credits (talk to me when its your fest) Papers contain more than I discuss And to Oded: This is your research and your fest But its my talk! Just saying …

1st Notion: Pseudorandom Functions Goldreich, Goldwasser and Micali, how to construct random functions, FOCS 84 and JACM 86 The title – such commitment to the computational lens. I have set up on a Manchester computer a small programme using only 1000 units of storage, whereby the machine supplied with one sixteen figure number replies with another within two seconds. I would defy anyone to learn from these replies sufficient about the programme to be able to predict any replies to untried values. A. TURING

Poly-Random Collections

Indistinguishability g is uniform or in F ? x1 g(x1) g … xt g(xt)

The Uphill Battle Kolmogorov Complexity: non- constructive and not applicable Comparison with One-Way functions Comparison with CSB (cryptographically strong pseudorandom bit generators) PRFs vs. simulating random oracle In particular, allows for sharing a function (distributed)

My Connection Learned the definition from Oded’s notes Editor of two of the journal versions Some fond memories there 33 years to PRFs + GGM construction and countless papers – no more explanations needed

2nd Notion: Block Sources Chor and Goldreich, Unbiased Bits from Sources of Weak Randomness and Probabilistic Communication Complexity, FOCS 85, SICOMP 88

It Contains Everything Min entropy as THE measure of randomness in a weak random source – X has min-entropy  k if x, Pr[X=x]<2-k Flat distributions (uniform on 2k elements) Inner product (Hadamard code) is a two-source extractor for high entropies Randomized communication complexity, slightly dependent sources, …

Block Source

My Connection Constructions of randomness extractors heavily relied on block sources First extract blocks then extract from the block-source Zig-zag product analysis measure the entropy in a pair (v,a) of (vertex,edge label), as a block source.

3rd Notion: Property Testing Goldreich, Goldwasser and Ron, Property Testing and Its Connection to Learning and Approximation, FOCS 96, JACM 98

So What’s New? Combinatorial properties General Distributions, a la PAC learning (Valinat)

Since Then Flourishing and mathematically deep field – the power of a conceptually strong work (and many more that followed) My connection – PCP composition through a stronger notion, inspired by property testing that we (Dinur and I) called “assignment testers” PCP proofs allow one to prove that a SAT formula  is satisfiable. An assignment tester allows proving that an assignment  is close to a satisfying assignment of . Oded et al rejected the gesture and in an independent work called these objects PCPPs Which stands for “Peace Corps Partnership Program” and “PCPartPicker” and “C99 preprocessor written in pure Python” but also for Probabilistically Checable Proofs of Proximity If you can’t beat them join them …

4th Notion: Auxiliary-Input ZK Goldreich and Oren, Definitions and Properties of Zero- Knowledge Proof Systems. J. Cryptology 1994 Title screams “conceptual” Zero-Knowledge due to Goldwasser, Micali and Rackoff is a jewel in Cryptography’s crown. Much of the way we think of ZK was shaped by Oded’s writings - black-box ZK, auxiliary-input ZK, uniform ZK

What the Verifier Knows? I’m convinced x x … ZK: the verifier doesn’t learn anything (beyond validity) Auxiliary-input ZK: the verifier doesn’t learn anything new Vital for composition (either parallel or sequential)

Formally … Both the verifier V* and the simulator MV* have access to the auxiliary-information y

My Connection This year’s Gödel Prize winner – Differential Privacy Definition of privacy in data analysis What do you learn about a particular row in a database from Differentially-Private analysis? The definition puts auxiliary-input front and center – even if you know all other rows of the database, you do not learn much about this special row (can’t achieve ZK). Here too – composition is key We recently use resilience of DP to composition for better adaptive data analysis

Concluding Remarks Discussed: PRFs, Block Sources, Property Testing, Auxiliary- Input ZK Wow! Conceptual contributions are long lasting What’s next?

Happy Birthday