CS151 Complexity Theory Lecture 8 April 22, 2015

2 Blum-Micali-Yao PRG Initial goal: for all 1 > δ > 0, we will build a family of PRGs {G m } with: output length m fooling size s = m seed length t = m δ running time m c error ε < 1/6 implies: BPP   δ>0 TIME(2 n δ ) ( EXP Why? simulation runs in time O(m+m c )(2 m δ ) = O(2 m 2δ ) = O(2 n 2kδ )

April 22, First attempt attempt at PRG from OWP f: –t = m δ –y 0  {0,1} t –y i = f t (y i-1 ) –G(y 0 ) = y k-1 y k-2 y k-3 …y 0 –k = m/t computable in time at most kt c < mt c-1 = m c

April 22, First attempt output is “unpredictable”: –no poly-size circuit C can output y i-1 given y k-1 y k-2 y k-3 …y i with non-negl. success prob. –if C could, then given y i can compute y k-1, y k-2, …, y i+2, y i+1 and feed to C –result is poly-size circuit to compute y i-1 = f t -1 (y i ) from y i –note: we’re using that f t is 1-1

April 22, First attempt attempt: y 0  {0,1} t y i = f t (y i-1 ) G(y 0 ) = y k-1 y k-2 y k-3 …y 0 y0y0 y1y1 y2y2 y3y3 y4y4 y5y5 ftft ftft ftft ftft ftft G(y 0 ): y0y0 y1y1 y2y2 y3y3 y4y4 y5y5 f t -1 ftft ftft G’(y 3 ): f t -1 same distribution!

April 22, First attempt one problem: –hard to compute y i-1 from y i –but might be easy to compute single bit (or several bits) of y i-1 from y i –could use to build small circuit C that distinguishes G’s output from uniform distribution on {0,1} m

April 22, First attempt second problem –we don’t know if “unpredictability” given a prefix is sufficient to meet fooling requirement: |Pr y [C(y) = 1] – Pr z [C(G(z)) = 1]| ≤ ε

April 22, Hard bits If {f n } is one-way permutation we know: –no poly-size circuit can compute f n -1 (y) from y with non-negligible success probability Pr y [C n (y) = f n -1 (y)] ≤ ε’(n) We want to identify a single bit position j for which: –no poly-size circuit can compute (f n -1 (x)) j from x with non-negligible advantage over a coin flip Pr y [C n (y) = (f n -1 (y)) j ] ≤ ½ + ε(n)

April 22, Hard bits For some specific functions f we know of such a bit position j More general: function h n :{0,1} n  {0,1} rather than just a bit position j.

April 22, Hard bits Definition: hard bit for g = {g n } is family h = {h n }, h n :{0,1} n  {0,1} such that if circuit family {C n } of size s(n) achieves: Pr x [C n (x) = h n (g n (x))] ≥ ½ + ε(n) then there is a circuit family {C’ n } of size s’(n) that achieves: Pr x [C’ n (x) = g n (x)] ≥ ε’(n) with: –ε’(n) = (ε(n)/n) O(1) –s’(n) = (s(n)n/ε(n)) O(1)

April 22, Goldreich-Levin To get a generic hard bit, first need to modify our one-way permutation Define f’ n :{0,1} n x {0,1} n  {0,1} 2n as: f’ n (x,y) = (f n (x), y)

April 22, Goldreich-Levin Two observations: –f’ is a permutation if f is –if circuit C n achieves Pr x,y [C n (x,y) = f’ n -1 (x,y)] ≥ ε(n) then for some y * Pr x [C n (x,y * )=f’ n -1 (x,y * )=(f n -1 (x), y * )] ≥ ε(n) and so f’ is a one-way permutation if f is. f’ n (x,y) = (f n (x), y)

April 22, Goldreich-Levin The Goldreich-Levin function: GL 2n : {0,1} n x {0,1} n  {0,1} is defined by: GL 2n (x,y) =  i:y i = 1 x i –parity of subset of bits of x selected by 1’s of y –inner-product of n-vectors x and y in GF(2) Theorem (G-L): for every function f, GL is a hard bit for f’. (proof: problem set)

April 22, Distinguishers and predictors Distribution D on {0,1} n D ε -passes statistical tests of size s if for all circuits of size s: |Pr y  U n [C(y) = 1] – Pr y  D [C(y) = 1]| ≤ ε –circuit violating this is sometimes called an efficient “distinguisher”

April 22, Distinguishers and predictors D ε -passes prediction tests of size s if for all circuits of size s: Pr y  D [C(y 1,2,…,i-1 ) = y i ] ≤ ½ + ε –circuit violating this is sometimes called an efficient “predictor” predictor seems stronger Yao showed essentially the same! –important result and proof (“hybrid argument”)

April 22, Distinguishers and predictors Theorem (Yao): if a distribution D on {0,1} n (ε/n)-passes all prediction tests of size s, then it ε-passes all statistical tests of size s’ = s – O(n).

April 22, Distinguishers and predictors Proof: –idea: proof by contradiction –given a size s’ distinguisher C: |Pr y  U n [C(y) = 1] – Pr y  D [C(y) = 1]| > ε –produce size s predictor P: Pr y  D [P(y 1,2,…,i-1 ) = y i ] > ½ + ε/n –work with distributions that are “hybrids” of the uniform distribution U n and D

April 22, Distinguishers and predictors –given a size s’ distinguisher C: |Pr y  U n [C(y) = 1] – Pr y  D [C(y) = 1]| > ε –define n+1 hybrid distributions –hybrid distribution D i : sample b = b 1 b 2 …b n from D sample r = r 1 r 2 …r n from U n output: b 1 b 2 …b i r i+1 r i+2 …r n

April 22, Distinguishers and predictors Hybrid distributions: D 0 = U n : D n = D: D i-1 : Di:Di:

April 22, Distinguishers and predictors –Define: p i = Pr y  D i [C(y) = 1] –Note: p 0 =Pr y  U n [C(y)=1]; p n =Pr y  D [C(y)=1] –by assumption:ε < |p n – p 0 | –triangle inequality: |p n – p 0 | ≤ Σ 1 ≤ i ≤ n |p i – p i-1 | –there must be some i for which |p i – p i-1 | > ε/n –WLOG assume p i – p i-1 > ε/n can invert output of C if necessary

April 22, Distinguishers and predictors –define distribution D i ’ to be D i with i-th bit flipped –p i ’ = Pr y  D i ’ [C(y) = 1] –notice: D i-1 = (D i + D i ’ )/2 p i-1 = (p i + p i ’ )/2 D i-1 : Di:Di: D i ’:

April 22, Distinguishers and predictors randomized predictor P’ for i th bit: –input: u = y 1 y 2 …y i-1 (which comes from D) –flip a coin: d  {0,1} –w = w i+1 w i+2 …w n  U n-i –evaluate C(udw) –if 1, output d; if 0, output  d Claim: Pr y  D,d,w  U n-i [P’(y 1 … i-1 ) = y i ] > ½ + ε/n.

April 22, Distinguishers and predictors P’ is randomized procedure there must be some fixing of its random bits d, w that preserves the success prob. final predictor P has d * and w * hardwired: C may need to add  gate d*d* w*w* circuit for P: Size is s’ + O(n) = s as promised

April 22, Distinguishers and predictors Proof of claim: Pr y  D,d,w  U n-i [P’(y 1 … i-1 ) = y i ] = Pr[y i = d | C(u,d,w) = 1]Pr[C(u,d,w) = 1] + Pr[y i =  d | C(u,d,w) = 0]Pr[C(u,d,w) = 0] = Pr[y i = d | C(u,d,w) = 1](p i-1 ) + Pr[y i =  d | C(u,d,w) = 0](1 - p i-1 ) u = y 1 y 2 …y i-1

April 22, Distinguishers and predictors –Observe: Pr[y i = d | C(u,d,w) = 1] = Pr[C(u,d,w) = 1 | y i = d]Pr[y i =d] / Pr[C(u,d,w) = 1] = p i /(2p i-1 ) Pr[y i =  d | C(u,d,w) = 0] = Pr[C(u,d,w) = 0 | y i =  d]Pr[y i =  d] / Pr[C(u,d,w) = 0] = (1 – p i ’) / 2(1 - p i-1 ) D i-1 DiDi Di’Di’ u = y 1 y 2 …y i-1

April 22, Distinguishers and predictors Success probability: Pr[y i =d|C(u,d,w)=1](p i-1 ) + Pr[y i =  d|C(u,d,w)=0](1-p i-1 ) We know: –Pr[y i = d | C(u,d,w) = 1] = p i /(2p i-1 ) –Pr[y i =  d | C(u,d,w) = 0] = (1 - p i ’)/2(1 - p i-1 ) –p i-1 = (p i + p i ’)/2 –p i – p i-1 > ε/n Conclude: Pr[P’(y 1 … i-1 ) = y i ] = ½ + (p i - p i ’)/2 = ½ + p i /2 – (p i-1 – p i /2) = ½ + p i – p i-1 > ½ + ε/n. p i ’/2 = p i-1 – p i /2

April 22, The BMY Generator Recall goal: for all 1 > δ > 0, family of PRGs {G m } with output length m fooling size s = m seed length t = m δ running time m c error ε < 1/6 If one way permutations exist then WLOG there is OWP f = {f n } with hard bit h = {h n }

April 22, The BMY Generator Generator G δ = { G δ m }: –t = m δ –y 0  {0,1} t –y i = f t (y i-1 ) –b i = h t (y i ) –G δ (y 0 ) = b m-1 b m-2 b m-3 …b 0

April 22, The BMY Generator Theorem (BMY): for every δ > 0, there is a constant c s.t. for all d, e, G δ is a PRG with error ε < 1/m d fooling size s = m e running time m c Note: stronger than we needed –sufficient to have ε < 1/6; s = m

April 22, The BMY Generator Proof: –computable in time at most mt c < m c+1 –assume G δ does not (1/m d )-pass statistical test C = {C m } of size m e : |Pr y  U m [C(y) = 1] – Pr z  D [C(z) = 1]| >1/m d Generator G δ = { G δ m }: –t = m δ ; y 0  {0,1} t ; y i = f t (y i-1 ); b i = h t (y i ) –G δ m (y 0 ) = b m-1 b m-2 b m-3 …b 0

April 22, The BMY Generator –transform this distinguisher into a predictor P of size m e + O(m): Pr y [P(b m-1 …b m-i ) = b m-i-1 ] > ½ + 1/m d+1 Generator G δ = { G δ m }: –t = m δ ; y 0  {0,1} t ; y i = f t (y i-1 ); b i = h t (y i ) –G δ m (y 0 ) = b m-1 b m-2 b m-3 …b 0

April 22, The BMY Generator –a procedure to compute h t (f t -1 (y)) set y m-i = y; b m-i = h t (y m-i ) compute y j, b j for j = m-i+1, m-i+2…, m-1 as above evaluate P(b m-1 b m-2 …b m-i ) f a permutation implies b m-1 b m-2 …b m-i distributed as (prefix of) output of generator: Pr y [P(b m-1 b m-2 …b m-i ) = b m-i-1 ] > ½ + 1/m d+1 Generator G δ = { G δ m }: –t = m δ ; y 0  {0,1} t ; y i = f t (y i-1 ); b i = h t (y i ) –G δ m (y 0 ) = b m-1 b m-2 b m-3 …b 0

April 22, The BMY Generator Pr y [P(b m-1 b m-2 …b m-i ) = b m-i-1 ] > ½ + 1/m d+1 –What is b m-i-1 ? b m-i-1 = h t (y m-i-1 ) = h t (f t -1 (y m-i )) = h t (f t -1 (y)) –We have described a family of polynomial-size circuits that computes h t (f t -1 (y)) from y with success greater than ½ + 1/poly(m) –Contradiction. Generator G δ = { G δ m }: –t = m δ ; y 0  {0,1} t ; y i = f t (y i-1 ); b i = h t (y i ) –G δ m (y 0 ) = b m-1 b m-2 b m-3 …b 0

April 22, The BMY Generator y0y0 y1y1 y2y2 y3y3 y4y4 y5y5 ftft ftft ftft ftft ftft G(y 0 ): y0y0 y1y1 y2y2 y3y3 y4y4 y5y5 f t -1 ftft ftft G’(y 3 ): f t -1 b0b0 b1b1 b2b2 b3b3 b4b4 b5b5 b0b0 b1b1 b2b2 b3b3 b4b4 b5b5 same distribution

April 22, Hardness vs. randomness We have shown: If one-way permutations exist then BPP   δ>0 TIME(2 n δ ) ( EXP simulation is better than brute force, but just barely stronger assumptions on difficulty of inverting OWF lead to better simulations…

April 22, Hardness vs. randomness We will show: If E requires exponential size circuits then BPP = P by building a different generator from different assumptions. E =  k DTIME(2 kn )

April 22, Hardness vs. randomness BMY: for every δ > 0, G δ is a PRG with seed length t = m δ output length m error ε < 1/m d (all d) fooling size s = m e (all e) running time m c running time of simulation dominated by 2 t

April 22, Hardness vs. randomness To get BPP = P, would need t = O(log m) BMY building block is one-way- permutation: f:{0,1} t → {0,1} t required to fool circuits of size m e (all e) with these settings a circuit has time to invert f by brute force! can’t get BPP = P with this type of PRG

April 22, Hardness vs. randomness BMY pseudo-random generator: –one generator fooling all poly-size bounds –one-way-permutation is hard function –implies hard function in NP  coNP New idea (Nisan-Wigderson): –for each poly-size bound, one generator –hard function allowed to be in E =  k DTIME(2 kn )

April 22, Comparison BMY: 8 δ > 0 PRG G δ NW: PRG G seed length t = m δ t = O(log m) running time t c mm c output length mm error ε < 1/m d (all d) ε < 1/m fooling size s = m e (all e) s = m << >

April 22, NW PRG NW: for fixed constant δ, G = {G n } with seed length t = O(log n) t = O(log m) running time n c m c output length m = n δ m error ε < 1/m fooling size s = m Using this PRG we obtain BPP = P –to fool size n k use G n k/δ –running time O(n k + n ck/δ )2 t = poly(n)

April 22, NW PRG First attempt: build PRG assuming E contains unapproximable functions Definition: The function family f = {f n }, f n :{0,1} n  {0,1} is s(n)-unapproximable if for every family of size s(n) circuits {C n }: Pr x [C n (x) = f n (x)] ≤ ½ + 1/s(n).

April 22, One bit Suppose f = {f n } is s(n)-unapproximable, for s(n) = 2 Ω(n), and in E a “1-bit” generator family G = {G n }: G n (y) = y◦f log n (y) Idea: if not a PRG then exists a predictor that computes f log n with better than ½ + 1/s(log n) agreement; contradiction.

April 22, One bit Suppose f = {f n } is s(n)-unapproximable, for s(n) = 2 δn, and in E a “1-bit” generator family G = {G n }: G n (y) = y◦f log n (y) –seed length t = log n –output length m = log n + 1 (want n δ ) –fooling size s  s(log n) = n δ –running time n c –error ε  1/ s(log n) = 1/ n δ

April 22, Many bits Try outputting many evaluations of f: G(y) = f(b 1 (y))◦f(b 2 (y))◦…◦f(b m (y)) Seems that a predictor must evaluate f(b i (y)) to predict i-th bit Does this work?

April 22, Many bits Try outputting many evaluations of f: G(y) = f(b 1 (y))◦f(b 2 (y))◦…◦f(b m (y)) predictor might notice correlations without having to compute f but, more subtle argument works for a specific choice of b 1 …b m

April 22, Nearly-Disjoint Subsets Definition: S 1,S 2,…,S m  {1…t} is an (h, a) design if –for all i, |S i | = h –for all i ≠ j, |S i  S j | ≤ a {1..t} S1S1 S2S2 S3S3

April 22, Nearly-Disjoint Subsets Lemma: for every ε > 0 and m < n can in poly(n) time construct an (h = log n, a = εlog n) design S 1,S 2,…,S m  {1…t} with t = O(log n).

April 22, Nearly-Disjoint Subsets Proof sketch: –pick random (log n)-subset of {1…t} –set t = O(log n) so that expected overlap with a fixed S i is εlog n/2 –probability overlap with S i is > εlog n is at most 1/n –union bound: some subset has required small overlap with all S i picked so far… –find it by exhaustive search; repeat n times.

April 22, The NW generator f  E s(n)-unapproximable, for s(n) = 2 δn S 1,…,S m  {1…t} (log n, a = δlog n/3) design with t = O(log n) G n (y)=f log n (y |S 1 )◦f log n (y |S 2 )◦…◦f log n (y |S m ) f log n : seed y

April 22, The NW generator Theorem (Nisan-Wigderson): G={G n } is a pseudo-random generator with: –seed length t = O(log n) –output length m = n δ/3 –running time n c –fooling size s = m –error ε = 1/m