1 Slides by Iddo Tzameret and Gil Shklarski. Adapted from Oded Goldreich’s course lecture notes by Erez Waisbard and Gera Weiss.


2 PRG - Stronger Notion
Def: A deterministic polynomial-time algorithm $G$ is called a non-uniformly strong pseudorandom generator if there exists a stretching function $l: \mathbb{N} \to \mathbb{N}$ (with $l(k) > k$) such that for every family $\{C_k\}$ of polynomial-size circuits, every polynomial $p$, and all sufficiently large $k$:
$|\Pr[C_k(G(U_k)) = 1] - \Pr[C_k(U_{l(k)}) = 1]| < 1/p(k)$
Here $U_n$ denotes the uniform distribution over $\{0,1\}^n$ and $C_k$ reads $l(k)$ input bits. This definition uses polynomial-size circuits as distinguishers instead of probabilistic polynomial-time Turing machines, so it is at least as strong as the uniform notion. Recall that $\mathrm{BPP} \subseteq \mathrm{P/poly}$: a circuit family can simulate any BPP machine, which is why circuit distinguishers are the right notion for derandomizing BPP.

3 Implications of such PRG
Theorem: If a non-uniformly strong pseudorandom generator exists, then $\mathrm{BPP} \subseteq \bigcap_{\varepsilon > 0} \mathrm{DTIME}(2^{n^{\varepsilon}})$.
Proof: Suppose $L \in \mathrm{BPP}$ and fix $\varepsilon > 0$. Let $A(x,r)$ be the probabilistic polynomial-time machine that decides $L$, where $x$ is the input and $r$ is the sequence of coin tosses. Set $k := |x|^{\varepsilon}$. We may assume $A$ uses exactly $l(|x|^{\varepsilon})$ coin tosses: the stretch of a pseudorandom generator can be increased to any polynomial, so $l(k)$ can be taken to dominate the number of coins $A$ needs, and surplus coins are simply ignored.
Define a new algorithm $A'$ as follows:
$A'(x,r) := A(x, G(r))$, where $r \in \{0,1\}^k$ is a seed of length $k = |x|^{\varepsilon}$.

4 Proof Continued (1)
Claim: For all but finitely many $x$'s,
$|\Pr[A(x, U_{l(k)}) = 1] - \Pr[A'(x, U_k) = 1]| < 1/6$, where $k = |x|^{\varepsilon}$.
Proof: Assume, by way of contradiction, that for infinitely many $x$'s
$|\Pr[A(x, U_{l(k)}) = 1] - \Pr[A'(x, U_k) = 1]| \ge 1/6$.
For each such $x$ define the circuit $C^{(x)}(\mathrm{input}) := A(x, \mathrm{input})$: it reads $l(k)$ input bits and has polynomial size, since $x$ is hard-wired into the standard circuit simulation of the polynomial-time machine $A$. Build the family $\{C_k\}$ by setting $C_k := C^{(x)}$ for one such $x$ with $|x|^{\varepsilon} = k$ (and an arbitrary circuit for the remaining $k$'s). Because there are only finitely many $x$'s of each length, infinitely many bad $x$'s yield infinitely many lengths, and hence infinitely many $k$'s for which $C_k$ is a bad circuit.

5 Proof Continued (2)
For each such $C_k$:
$C_k(G(U_k)) \equiv A'(x, U_k)$ and $C_k(U_{l(k)}) \equiv A(x, U_{l(k)})$.
Hence we have a polynomial-size family of circuits such that, for infinitely many $k$'s,
$|\Pr[C_k(G(U_k)) = 1] - \Pr[C_k(U_{l(k)}) = 1]| \ge 1/6$,
contradicting the definition of a non-uniformly strong pseudorandom generator (take $p(k) := 6$). This proves the claim.

6 Proof Continued (3)
Back to the theorem. $A$ is a BPP machine, so for every $x$:
$x \in L \Rightarrow \Pr[A(x, U_{l(k)}) = 1] \ge 2/3$
$x \notin L \Rightarrow \Pr[A(x, U_{l(k)}) = 1] \le 1/3$
Combining this with the claim, for all but finitely many $x$'s:
$x \in L \Rightarrow \Pr[A'(x, U_k) = 1] > \Pr[A(x, U_{l(k)}) = 1] - 1/6 \ge 1/2$
$x \notin L \Rightarrow \Pr[A'(x, U_k) = 1] < \Pr[A(x, U_{l(k)}) = 1] + 1/6 \le 1/2$
So on every non-exceptional input, a strict majority of the $2^k$ seeds makes $A'$ answer correctly.

7 Proof Continued (4)
Now define a deterministic algorithm $A''$ for deciding $L$:
  if $x$ is one of the finitely many exceptional inputs, return its hard-wired precomputed answer;
  else, for every $r \in \{0,1\}^k$ run $A'(x, r)$, and return the majority of the answers.
$A''$ decides $L$ correctly: on the exceptional inputs by the table, and on every other input because the majority of the $2^k$ seeds leads $A'$ to the right answer. Its running time is $2^k \cdot (\mathrm{time}(G) + \mathrm{time}(A)) = 2^{|x|^{\varepsilon}} \cdot \mathrm{poly}(|x|) = 2^{O(|x|^{\varepsilon})}$. Since $\varepsilon > 0$ was arbitrary, $L \in \bigcap_{\varepsilon > 0} \mathrm{DTIME}(2^{n^{\varepsilon}})$. This proves the theorem.
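The enumerate-all-seeds derandomization of slides 3 to 7, as an added example that is not part of the original slides. The BPP-style algorithm $A$ is the Miller-Rabin primality test, modified to read its witnesses from the coin string $r$; the generator $G$ is a SHA-256 counter-mode expansion that merely stands in for a non-uniformly strong PRG (an assumption, nothing here proves it pseudorandom); $A''$ runs $A'(x, r) = A(x, G(r))$ for all $2^k$ seeds and takes the majority. The inputs 97, 561, 7919 and 8051 are constructed test values.

```python
import hashlib
from itertools import product


def expand(seed_bits, out_len):
    """Stand-in for the generator G: stretch a k-bit seed to out_len bits.
    ASSUMPTION: SHA-256 in counter mode is only a placeholder; nothing here
    proves it is a non-uniformly strong PRG in the sense of slide 2."""
    seed = bytes(seed_bits)            # one byte per seed bit; distinct per seed
    out, ctr = [], 0
    while len(out) < out_len:
        digest = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        out.extend((byte >> j) & 1 for byte in digest for j in range(8))
        ctr += 1
    return out[:out_len]


def miller_rabin(n, coins):
    """A(x, r): Miller-Rabin with every witness read from the coin string.
    Primes are always accepted; a composite is accepted with probability at
    most 1/4 per witness, so the error is one-sided and well inside BPP."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:                  # n - 1 = 2^s * d with d odd
        d //= 2
        s += 1
    width = n.bit_length()
    for w in range(len(coins) // width):
        chunk = coins[w * width:(w + 1) * width]
        a = 2 + int("".join(map(str, chunk)), 2) % (n - 3)   # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False               # a is a witness that n is composite
    return True


def coins_needed(n, witnesses):
    """l(k): number of coin bits A consumes on input n (fixed by n, not by k)."""
    return witnesses * n.bit_length()


def acceptance_fraction(n, k=10, witnesses=3):
    """Fraction of the 2^k seeds on which A'(n, r) = A(n, G(r)) accepts."""
    need = coins_needed(n, witnesses)
    accepts = sum(miller_rabin(n, expand(seed, need))
                  for seed in product((0, 1), repeat=k))
    return accepts / 2 ** k


def is_prime_derandomized(n, k=10, witnesses=3):
    """A''(x): deterministic majority over all seeds r in {0,1}^k.
    Cost is 2^k runs of A, which is 2^{n^eps} in the proof when k = n^eps."""
    return acceptance_fraction(n, k, witnesses) > 0.5


if __name__ == "__main__":
    for n in (97, 561, 7919, 8051):
        print(n, is_prime_derandomized(n), acceptance_fraction(n))
```

For the primes the acceptance fraction is exactly 1 (Miller-Rabin has one-sided error), and for the composites it is far below 1/2, so the majority is correct on every seed set; a real derandomization would need $G$ to be pseudorandom against the circuit that hard-wires $n$ into Miller-Rabin, which is exactly the role of the circuit family $C^{(x)}$ on slide 4.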

8 New notion of PRG
Goal: design a new PRG construction to be used for derandomization.
New method: generate the output bits in parallel, instead of sequentially (compare with the "Pseudo Random Generators" lecture, where each output bit depends on the state produced by the previous step).
Different assumption: weaker than before, because the new PRG is allowed to run in time exponential in its seed length. We assume an unpredictable Boolean function.
New construct: a design, a collection of nearly disjoint subsets of the seed positions.

9 The new requirements for the PRG:
- Indistinguishable from uniform by polynomial-size circuits.
- May run in exponential time ($2^{O(k)}$ on a $k$-bit seed). For $k = O(\log |x|)$ this is still polynomial in $|x|$, which is all the derandomization needs: enumerating the $2^k = \mathrm{poly}(|x|)$ seeds then costs polynomial time.
Such a PRG can be constructed under a seemingly weaker assumption than the one used in the "Pseudo Random Generators" lecture: the existence of an unpredictable Boolean function, instead of the existence of a one-way permutation.

10 Unpredictable Boolean function
Def (Unpredictable Boolean function): An $\exp(l)$-computable Boolean function $b: \{0,1\}^l \to \{0,1\}$ (computable in time $2^{O(l)}$) is unpredictable by small circuits if for every polynomial $p(\cdot)$, for all sufficiently large $l$, and for every circuit $C$ of size $p(l)$:
$\Pr[C(U_l) = b(U_l)] < 1/2 + 1/p(l)$
Formally $b$ is a family $\{b_l\}_{l \in \mathbb{N}}$, one function per input length. We assume such Boolean functions exist.

11 Unpredictable Boolean function
How strong is that assumption? We show it is not stronger than assuming the existence of a one-way permutation:
Claim: if $f_0$ is a one-way permutation and $b_0$ is a hard-core predicate of $f_0$, then $b(x) := b_0(f_0^{-1}(x))$ is an unpredictable Boolean function.
one-way permutation $\Rightarrow$ unpredictable Boolean function

12 One-way permutation $\Rightarrow$ unpredictable Boolean function
Proof: Let $f_0$ be a one-way permutation and $b_0$ a hard-core predicate of $f_0$. We show that the function $b(x) := b_0(f_0^{-1}(x))$ is an unpredictable Boolean function.
Computability: $f_0$ can be inverted in exponential time by trying all $2^l$ preimages, and $b_0$ can be computed in polynomial time, so $b$ is computable in time $2^{O(l)}$.
Unpredictability: Assume, by way of contradiction, that $b$ is predictable. We show that $b_0$ is then not a hard-core predicate of $f_0$.

13 Proof continued
If $b$ is predictable, there are a polynomial $p$ and a family of circuits $\{C_l\}$ of size $p(l)$ such that for infinitely many $l$'s
$\Pr[C_l(U_l) = b(U_l)] \ge 1/2 + 1/p(l)$.
Write $x = f_0(y)$, i.e. $y := f_0^{-1}(x)$; then $b(f_0(y)) = b_0(y)$. Since $f_0$ is a permutation, $f_0(U_l)$ is distributed exactly as $U_l$, so
$\Pr[C_l(f_0(U_l)) = b(f_0(U_l))] \ge 1/2 + 1/p(l)$, i.e.
$\Pr[C_l(f_0(U_l)) = b_0(U_l)] \ge 1/2 + 1/p(l)$.
The circuit $C_l \circ f_0$ (still polynomial size, because $f_0$ is polynomial-time computable) thus guesses the hard-core bit $b_0(y)$ from $f_0(y)$ with non-negligible advantage, contradicting $b_0$ being hard-core.
Caveat: in the lecture that introduced them, hard-core predicates and one-way permutations were defined against probabilistic polynomial-time machines, not against $\mathrm{P/poly}$, while the predictor here is a circuit family, so the contradiction is not immediate. The argument goes through once both notions are taken in their non-uniform versions: if $f_0$ is one-way against polynomial-size circuits, then the Goldreich-Levin hard-core bit is also hard-core against polynomial-size circuits.

14 The Design
Generating a single pseudorandom bit from a seed is easy given an unpredictable Boolean function: output $b(\text{seed})$. But how can we generate more than one bit? We do it by utilizing a collection of nearly disjoint subsets of the seed positions and applying $b$ to each projection of the seed. The resulting bits are "almost" mutually independent, where almost means: indistinguishable from independent uniform bits by polynomial-size circuits.

15 The Design
Def: A collection of $m$ subsets $\{I_1, I_2, \ldots, I_m\}$ of $\{1, \ldots, k\}$ is a $(k,m,l)$-design if the following hold:
- For every $i \in \{1, \ldots, m\}$: $|I_i| = l$.
- For every $i \ne j \in \{1, \ldots, m\}$: $|I_i \cap I_j| = O(\log k)$.
- The collection is constructible in $\exp(k)$ time.
Notation: For $S = s_1 s_2 \cdots s_k \in \{0,1\}^k$ and $I = \{i_1 < i_2 < \cdots < i_l\} \subseteq \{1, \ldots, k\}$, write $S[I] := s_{i_1} s_{i_2} \cdots s_{i_l}$ for the projection of $S$ onto the positions in $I$.

16 The Design - Visualization
[Figure: a $k$-bit seed $S$, the index sets $I_1, \ldots, I_m$ (each of size $l$), and the projections $S[I_1], \ldots, S[I_m]$. In the example shown, $k = 10$ and $l = 3$: $I_1 = \{1,4,7\}$ gives $S[I_1] = 100$, $I_2 = \{2,5,8\}$ gives $S[I_2] = 001$, $I_3 = \{3,9,10\}$ gives $S[I_3] = 110$, ..., $I_m = \{1,8,9\}$ gives $S[I_m] = 111$.]

17 Constructing the PRG
Prop: Let $b: \{0,1\}^{\sqrt{k}} \to \{0,1\}$ be an unpredictable Boolean function and let $\{I_1, \ldots, I_m\}$ be a $(k, m, \sqrt{k})$-design with $m = l(k)$ polynomial in $k$. Then the following function is a non-uniformly strong PRG (computable in time $\exp(k)$):
$G(S) := b(S[I_1])\, b(S[I_2]) \cdots b(S[I_m])$ for $S \in \{0,1\}^k$.

18 Constructing the PRG: Visualization
[Figure: the seed $S \in \{0,1\}^k$ is projected onto $S[I_1], \ldots, S[I_m]$ as on slide 16, $b$ is applied to each projection, and the $m$ resulting bits $b(S[I_1]) \cdots b(S[I_m])$ form the pseudorandom string.]

19 Proof (1)
Running time: computing $G(S)$ takes time exponential in $k$, since there are $m = l(k)$ computations of $b(S[I_i])$, and each takes $\exp(|S[I_i]|) = \exp(\sqrt{k}) = O(\exp(k))$ time. Constructing the design itself is allowed $\exp(k)$ time by definition, so the whole generator runs in $2^{O(k)}$ time as required on slide 9.

20 Proof (2)
Pseudorandomness: we show that no small circuit can distinguish the output of $G$ from a uniformly random string. Assume, by way of contradiction, that there exist a family of polynomial-size circuits $\{C_k\}_{k \in \mathbb{N}}$ and a polynomial $p(\cdot)$ such that for infinitely many $k$'s
$|\Pr[C_k(G(U_k)) = 1] - \Pr[C_k(U_{l(k)}) = 1]| > 1/p(k)$.
Without loss of generality we can drop the absolute value: among these infinitely many $k$'s, infinitely many have the same sign of the difference, and if that sign is negative we replace $C_k$ by the circuit that outputs $1 - C_k$, which flips the sign and is still polynomial size. So we may assume that for infinitely many $k$'s
$\Pr[C_k(G(U_k)) = 1] - \Pr[C_k(U_{l(k)}) = 1] > 1/p(k)$.

21 Using a Hybrid Distribution - proof (3)
For every $0 \le i \le m$ (with $m = l(k)$) define the hybrid distribution $H^i_k$ whose first $i$ bits are the first $i$ bits of $G(U_k)$ and whose remaining $m - i$ bits are uniform and independent:
$H^i_k := G(U_k)_{[1, \ldots, i]} \circ U_{m-i}$
and let $f_k(i) := \Pr[C_k(H^i_k) = 1]$.
Note that $H^m_k = G(U_k)$ and $H^0_k = U_m$, so the assumption reads $f_k(m) - f_k(0) > 1/p(k)$. Writing this difference as the telescoping sum $\sum_{i=0}^{m-1} (f_k(i+1) - f_k(i))$, at least one of the $m$ terms exceeds the average, so there is some $0 \le i_k < m$ with
$f_k(i_k + 1) - f_k(i_k) > \frac{1}{m} \cdot \frac{1}{p(k)}$.

22 Approximating the Next Bit from the Previous Bits
Define $p'(k) := m \cdot p(k)$ and $i := i_k$, so that
$\Pr[C_k(H^{i+1}_k) = 1] - \Pr[C_k(H^i_k) = 1] > 1/p'(k)$.
From $C_k$ we construct a circuit $C'_k$ that predicts the $(i+1)$-st output bit of $G$ from the first $i$ bits with noticeable advantage. On input $y_1 \cdots y_i$, $C'_k$ picks independent uniformly distributed bits $R_{i+1}, \ldots, R_m$ and outputs
$C'_k(y_1 \cdots y_i) := R_{i+1}$ if $C_k(y_1 \cdots y_i R_{i+1} \cdots R_m) = 1$, and $1 - R_{i+1}$ otherwise.
A direct calculation (the guess is right when $C_k$ accepts a string whose $(i+1)$-st bit is the true one, or rejects a string whose $(i+1)$-st bit is the wrong one) gives
$\Pr[C'_k(G(U_k)_{[1, \ldots, i]}) = G(U_k)_{i+1}] = 1/2 + (f_k(i+1) - f_k(i)) > 1/2 + 1/p'(k)$,
the probability being over the seed $U_k$ and the random bits $R_{i+1}, \ldots, R_m$. The random bits can later be hard-wired to the values that work best, making $C'_k$ a deterministic circuit of polynomial size.

23 Approximating the Next Bit from the Previous Bits
[Figure: the circuit $C'_k$ takes $b(S[I_1]), \ldots, b(S[I_{i_k}])$ as input and outputs a guess for the next bit $b(S[I_{i_k + 1}])$, correct with probability $1/2 + \epsilon$ and wrong with probability $1/2 - \epsilon$, where $\epsilon := 1/p'(k)$.]
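The hybrid argument of slides 20 to 23 carried out exactly on a toy generator, as an added example that is not part of the original slides. The generator, the distinguisher and the parameters $k = 4$, $m = 6$ are constructed for the example; the generator is deliberately insecure so that a distinguisher $C$ exists. Every probability is computed by exhaustive enumeration rather than sampling, so the identity $\Pr[C' \text{ correct}] = 1/2 + (f(i+1) - f(i))$ from slide 22 can be checked exactly, at every position $i$ and not only at the best one.

```python
from fractions import Fraction
from itertools import product

K, M = 4, 6   # seed length k and output length m of the toy generator below


def toy_generator(seed):
    """G(s) = s1 s2 s3 s4 (s1 xor s2) (s3 xor s4): stretches 4 bits to 6.
    CONSTRUCTED toy, deliberately insecure so that a distinguisher exists."""
    s1, s2, s3, s4 = seed
    return (s1, s2, s3, s4, s1 ^ s2, s3 ^ s4)


def distinguisher(y):
    """C(y) = 1 iff y5 = y1 xor y2: accepts G(U_4) always, U_6 with probability 1/2."""
    return 1 if y[4] == y[0] ^ y[1] else 0


def hybrid_acceptance(i):
    """f(i) = Pr[C(H^i) = 1] for the hybrid H^i = G(U_k)[1..i] o U_{m-i},
    computed exactly by enumerating every seed and every uniform tail."""
    hits, count = 0, 0
    for seed in product((0, 1), repeat=K):
        prefix = toy_generator(seed)[:i]
        for tail in product((0, 1), repeat=M - i):
            hits += distinguisher(prefix + tail)
            count += 1
    return Fraction(hits, count)


def next_bit_predictor(prefix, r):
    """C'(y1..yi): append the random bits r = (R_{i+1}, ..., R_m); output
    R_{i+1} if C accepts the completed string, else its complement (slide 22)."""
    return r[0] if distinguisher(prefix + r) else 1 - r[0]


def predictor_success(i):
    """Pr[C'(G(U_k)[1..i]) = G(U_k)_{i+1}] over the seed and the random bits r."""
    hits, count = 0, 0
    for seed in product((0, 1), repeat=K):
        y = toy_generator(seed)
        for r in product((0, 1), repeat=M - i):
            hits += next_bit_predictor(y[:i], r) == y[i]
            count += 1
    return Fraction(hits, count)


def best_position():
    """The i with the largest hybrid gap f(i+1) - f(i); by averaging, some i
    has a gap of at least (f(m) - f(0)) / m, which is what slide 21 uses."""
    f = [hybrid_acceptance(i) for i in range(M + 1)]
    i = max(range(M), key=lambda j: f[j + 1] - f[j])
    return i, f[i + 1] - f[i]


if __name__ == "__main__":
    i, gap = best_position()
    print("largest hybrid gap", gap, "at position", i)
    print("predictor success", predictor_success(i), "= 1/2 +", gap)
```

Here $f(0) = \cdots = f(4) = 1/2$ and $f(5) = f(6) = 1$, so the only non-zero gap is at $i = 4$ and the predictor for the fifth bit is correct with probability $1/2 + 1/2 = 1$: it has learned that $G$'s fifth bit is the XOR of the first two. At every other position the gap is $0$ and the predictor is no better than a coin, exactly as the identity predicts.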

24 Approximating $b(S[I_{i+1}])$ from $S$ and the $b(S[I_j])$'s
Recall that $G(S)_j = b(S[I_j])$. We can build a circuit $C''_k$ that receives the seed $S$ in addition to $b(S[I_1]), \ldots, b(S[I_i])$ and approximates $b(S[I_{i+1}])$, simply by ignoring the new input $S$ and running $C'_k$ on $b(S[I_1]), \ldots, b(S[I_i])$. Formally:
$C''_k(S \circ G(S)_{[1..i]}) := C'_k(G(S)_{[1..i]})$.
We get
$\Pr_S[C''_k(S \circ G(S)_{[1..i]}) = G(S)_{i+1}] > 1/2 + 1/p'(k)$, i.e.
$\Pr_S[C''_k(S \circ G(S)_{[1..i]}) = b(S[I_{i+1}])] > 1/2 + 1/p'(k)$,
the probabilities being over a uniform seed $S$ and the random bits $R_j$ used by $C'_k$.

25 Approximating $b(S[I_{i+1}])$ from $S[I_{i+1}]$ and the $b(S[I_j])$'s
Let $\bar I_{i+1} := \{1, \ldots, k\} \setminus I_{i+1}$ denote the seed positions outside $I_{i+1}$. By an averaging argument there exists $\alpha \in \{0,1\}^{k - |I_{i+1}|} = \{0,1\}^{k-l}$ such that
$\Pr_S[C''_k(S \circ G(S)_{[1..i]}) = b(S[I_{i+1}]) \mid S[\bar I_{i+1}] = \alpha] > 1/2 + 1/p'(k)$.
The averaging argument (law of total probability):
$\Pr[C''_k(S \circ G(S)_{[1..i]}) = b(S[I_{i+1}])] = \sum_{\alpha} \Pr[C''_k(S \circ G(S)_{[1..i]}) = b(S[I_{i+1}]) \mid S[\bar I_{i+1}] = \alpha] \cdot \Pr[S[\bar I_{i+1}] = \alpha]$.
If for every $\alpha$ the conditional probability were $\le 1/2 + 1/p'(k)$, this weighted average would also be $\le 1/2 + 1/p'(k)$, contradicting the previous slide; so some $\alpha$ does better.
We hard-code this $\alpha$ into the circuit. The whole seed is now determined by $S[I_{i+1}]$ alone, so we obtain a circuit that takes $b(S[I_1]), \ldots, b(S[I_i])$ and $S[I_{i+1}]$ as inputs and approximates $b(S[I_{i+1}])$ with the same bias, the probability now being over a uniform $S[I_{i+1}] \in \{0,1\}^l$.

26 Visualization of $C''_k$
[Figure: $C''_k$ receives the seed $S$, split into $S[I_{i+1}]$ and the hard-coded part $S[\bar I_{i+1}] = \alpha$, together with $b(S[I_1]), \ldots, b(S[I_i])$; internally it runs $C'_k$ on the $b$-values and outputs its guess for the next bit $b(S[I_{i+1}])$, correct with probability $1/2 + \epsilon$ and wrong with probability $1/2 - \epsilon$.]

27 Approximating $b(S[I_{i+1}])$ from $S[I_{i+1}]$
We know how to approximate $b(S[I_{i+1}])$ from $S[I_{i+1}]$ together with $b(S[I_1]), \ldots, b(S[I_i])$. Can we approximate it using only $S[I_{i+1}]$? If so, we have a small circuit that predicts $b$ on a uniformly random $l$-bit input, which is exactly what the unpredictability of $b$ forbids.

28 Computing the $S[I_j]$'s from $S[I_{i+1}]$
[Figure: the seed $S$ with $S[\bar I_{i+1}] = \alpha$ hard-coded; for each $j \le i$, the positions of $S[I_j]$ that are still unknown are the $O(\log k)$ positions in $I_j \cap I_{i+1}$.]
After hard-coding $\alpha$, only a small number of bits in $S[I_1], \ldots, S[I_i]$ remain free: the bits of $S[I_j]$ at positions outside $I_{i+1}$ are fixed by $\alpha$, and the free bits are exactly those at positions in $I_j \cap I_{i+1}$, which the design bounds by $O(\log k)$ per set. Altogether at most $i \cdot O(\log k)$ bits of $S[I_1], \ldots, S[I_i]$ depend on $S[I_{i+1}]$.

29 Computing the $S[I_j]$'s from $S[I_{i+1}]$: Example
[Figure: for one $j$, the $l$ bits of $S[I_j]$ are shown with the $O(\log k)$ positions shared with $I_{i+1}$ marked "?" and the remaining positions filled in from $\alpha$; a table precomputed for every assignment to the "?" bits returns $b(S[I_j])$.]

30 Computing the $b(S[I_j])$'s from $S[I_{i+1}]$
For each $j \le i$, $b(S[I_j])$ is a function of only the $|I_j \cap I_{i+1}| = O(\log k)$ bits of $S[I_{i+1}]$ at the shared positions. A lookup table listing $b(S[I_j])$ for each of the $2^{O(\log k)} = \mathrm{poly}(k)$ possible values of those bits is therefore a $\mathrm{poly}(k)$-size circuit: the table entries are computed once, in $\exp(l)$ time, when the circuit is built, and the circuit itself only performs the lookup. Given $S[\bar I_{i+1}] = \alpha$, there are only $\mathrm{poly}(k)$ possible values of each $S[I_j]$, and the $i \le m$ tables together still have size $\mathrm{poly}(k)$.

31 Final Circuit: Approximating $b(S[I_{i+1}])$ from $S[I_{i+1}]$
[Figure: $S[I_{i+1}]$ feeds the $\mathrm{poly}(k)$-size lookup tables, which output $b(S[I_1]), \ldots, b(S[I_i])$; these feed $C'_k$, whose output is the guess for $b(S[I_{i+1}])$, correct with probability $1/2 + \epsilon$ and wrong with probability $1/2 - \epsilon$.]
The combined circuit has size $\mathrm{poly}(k) = \mathrm{poly}(l)$ (as $k = l^2$), takes only $S[I_{i+1}] \in \{0,1\}^l$ as input, and satisfies $\Pr[\text{circuit}(U_l) = b(U_l)] > 1/2 + 1/p'(k)$ with $p'(k)$ polynomial in $l$, for infinitely many $l$. This contradicts the unpredictability of $b$, so no such distinguisher family $\{C_k\}$ exists and $G$ is a non-uniformly strong PRG.

32 Design construction: greedy algorithm
Parameters: $k = l^2$ and $m = \mathrm{poly}(k)$. We want $|I_i| = l$ for all $i$ and $|I_i \cap I_j| = O(\log k)$ for $i \ne j$. The algorithm below enforces the threshold $|I_i \cap I_j| \le 2 + \log m$, which is $O(\log k)$ because $m$ is polynomial in $k$ (the proof on the next slides works with this threshold).
The algorithm:
  for i = 1 to m:
      for every I ⊆ [k] with |I| = l, in a fixed order:
          ok := TRUE
          for j = 1 to i-1:
              if |I ∩ I_j| > 2 + log m then ok := FALSE
          if ok = TRUE then I_i := I and move on to i+1
Enumerating all $\binom{k}{l}$ candidate sets takes $2^{O(k)}$ time, within the $\exp(k)$ allowed for constructing a design. The next slides show that an admissible $I_i$ always exists, so the inner search never fails.

33 Greedy algorithm: proof
Assume that for some $i \le m$ we already have $I_1, I_2, \ldots, I_{i-1}$ such that
- for every $j < i$: $|I_j| = l$,
- for every $j_1 \ne j_2 < i$: $|I_{j_1} \cap I_{j_2}| \le 2 + \log m$.
We show that there exists another set $I_i$ with $|I_i| = l$ such that for every $j < i$: $|I_j \cap I_i| \le 2 + \log m$.
Proof by the probabilistic method: let $R \subseteq [k]$ be a random set that contains each element $i \in [k]$ independently with probability $\Pr[i \in R] = 2/l$, so $|R| \sim \mathrm{Binomial}(k, 2/l)$ with expectation $2k/l = 2l$. Fix any set $I$ of size $l$ (one of the $I_j$'s).

34 Proof continued (1)
Let $s_1, \ldots, s_l$ be the elements of $I$ in some fixed order, and define the random variables $X_i := 1$ if $s_i \in R$ and $X_i := 0$ otherwise, for $i = 1, \ldots, l$. The $X_i$ are independent Bernoulli variables with $\Pr[X_i = 1] = 2/l$, so $|I \cap R| = \sum_{i=1}^{l} X_i$ has expectation $2$. Using Chernoff's bound, the probability that this sum exceeds $2 + \log m$ (more than $\log m$ above its mean) is at most $1/(2m)$ for all sufficiently large $m$.

35 Proof continued (2)
By a union bound over the $i - 1 \le m$ previously chosen sets, the probability that there exists a $j < i$ with $|I_j \cap R| > 2 + \log m$ is bounded above by $(i-1)/(2m) < 1/2$.
$R$ is not necessarily of size $l$. But $|R| \sim \mathrm{Binomial}(k, 2/l)$ has expectation $2l$, and Chernoff's bound gives $\Pr[|R| < l] \le e^{-l/4}$, which is below $1/2$ for $l \ge 3$. Whenever $|R| \ge l$, any $l$-element subset of $R$ intersects each $I_j$ in at most $|I_j \cap R|$ elements, so it can be chosen as $I_i$.
Hence the probability that $R$ has too many collisions or is too small is strictly smaller than one, and a suitable $I_i$ exists. This proves the claim.
Note: The algorithm itself is deterministic. Randomness is used only as a tool to show that the exhaustive search always finds what it is looking for.

36 Second Design Construction: using $\mathrm{GF}(l)$ arithmetic
Parameters: $k = l^2$ and $m = \mathrm{poly}(k)$, with $l$ a prime power so that the field $F := \mathrm{GF}(l)$ exists. Then $|F \times F| = l^2 = k$, so there is a 1-1 correspondence between $\{1, \ldots, k\}$ and $F \times F$.
For every polynomial $p(\cdot)$ of degree at most $d$ over $F$, let $I_p$ be the graph of $p(\cdot)$ over $F$:
$I_p := \{ (e, p(e)) \mid e \in F \}$, so $|I_p| = |F| = l$.

37 Second Design Construction: using $\mathrm{GF}(l)$ arithmetic
Two distinct polynomials $p(\cdot) \ne q(\cdot)$ of degree at most $d$ agree on at most $d$ points, because $p - q$ is a nonzero polynomial of degree at most $d$ and a nonzero polynomial over a field has at most as many roots as its degree. Hence $|I_p \cap I_q| \le d$, and choosing $d = O(\log k)$ meets the design requirement.
For every polynomial $m(k)$ we can construct $m(k) = m(l^2)$ such sets, since there are $|F|^{d+1} = l^{d+1}$ polynomials of degree at most $d$ over $\mathrm{GF}(l)$, so an appropriate $d$ makes the number of sets at least $m(l^2)$. In fact a constant $d$ already suffices: if $m(k) = k^c = l^{2c}$, then $d = 2c$ gives enough polynomials, with pairwise intersections bounded by the constant $2c$.
The sets are constructible in time polynomial in $k$ (enumerate the $l^{d+1} = \mathrm{poly}(k)$ polynomials and evaluate each at the $l$ field elements using simple $\mathrm{GF}(l)$ arithmetic), well within the $\exp(k)$ allowed by the definition of a design.
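Both design constructions (the greedy search of slides 32 to 35 and the $\mathrm{GF}(l)$ polynomial design of slides 36 and 37) together with the generator $G(S) = b(S[I_1]) \cdots b(S[I_m])$ of slide 17, as an added example that is not part of the original slides. Assumptions: $l$ is taken to be a prime, so that $\mathrm{GF}(l)$ is plain arithmetic modulo $l$ rather than a general prime-power field; $b$ is the parity function, a stand-in that is trivially predictable; and the greedy search uses an explicit intersection threshold $t$ in place of $2 + \log m$. The point is to check the design parameters and the shape of the construction, not to produce pseudorandom bits.

```python
from itertools import combinations, product


def pairwise_ok(sets, t):
    """Design check: every pair of distinct sets intersects in at most t elements."""
    return all(len(a & b) <= t for a, b in combinations(sets, 2))


def greedy_design(k, l, t, m):
    """Greedy construction (slide 32): scan the l-subsets of [k] in a fixed order
    and keep a set only if it meets every previously kept set in <= t elements.
    Returns fewer than m sets only if the whole search space is exhausted."""
    chosen = []
    for cand in combinations(range(k), l):
        cand = frozenset(cand)
        if all(len(cand & prev) <= t for prev in chosen):
            chosen.append(cand)
            if len(chosen) == m:
                break
    return chosen


def polynomial_design(l, d):
    """GF(l) design (slides 36-37) for prime l: k = l^2 and I_p = {(e, p(e))}
    for every polynomial p of degree <= d. The point (e, v) is encoded as the
    index e*l + v in [k]. Distinct p, q agree on <= d points, so |I_p ∩ I_q| <= d."""
    assert l >= 2 and all(l % q for q in range(2, l)), "l must be prime (assumption)"
    sets = []
    for coeffs in product(range(l), repeat=d + 1):       # l^(d+1) polynomials
        graph = set()
        for e in range(l):
            v = 0
            for c in coeffs:                              # Horner evaluation mod l
                v = (v * e + c) % l
            graph.add(e * l + v)
        sets.append(frozenset(graph))
    return sets


def project(seed, index_set):
    """S[I]: the seed bits at the positions in I, in increasing position order."""
    return tuple(seed[i] for i in sorted(index_set))


def toy_b(bits):
    """Stand-in for the unpredictable function b (ASSUMED; parity is trivially
    predictable, it only fixes the shape of the construction)."""
    return sum(bits) % 2


def nw_generator(seed, design, b=toy_b):
    """G(S) = b(S[I_1]) b(S[I_2]) ... b(S[I_m]) for a k-bit seed S (slide 17)."""
    return tuple(b(project(seed, I)) for I in design)


if __name__ == "__main__":
    l, d = 5, 2                                 # k = 25, 125 sets, intersections <= 2
    design = polynomial_design(l, d)
    seed = tuple((3 * i + 1) % 2 for i in range(l * l))   # constructed 25-bit seed
    print(len(design), "sets of size", l, "pairwise <=", d, pairwise_ok(design, d))
    print("G(S) =", "".join(map(str, nw_generator(seed, design))))
    print("greedy:", [sorted(I) for I in greedy_design(9, 3, 1, 6)])
```

With $l = 5$ and $d = 2$ the polynomial design stretches a 25-bit seed to 125 output bits, and `pairwise_ok(design, 1)` is `False` because two quadratics can agree on two points, so the bound $d$ is tight. The greedy search on $k = 9$, $l = 3$, $t = 1$ returns the first six triples it finds in lexicographic order; it is the exhaustive $\binom{k}{l}$ scan that makes the greedy construction cost $2^{O(k)}$ time, while the polynomial construction touches only $l^{d+1}$ polynomials.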