Pseudorandom Generators and Typically-Correct Derandomization Jeff Kinne, Dieter van Melkebeek University of Wisconsin-Madison Ronen Shaltiel University of Haifa

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM Overview New approach based on PRGs simpler proofs, new results Difficulty of typically-correct derand? Small # errors: implies circuit lower bounds Large # errors: cannot be with relativizing techniques or arithmetization Typically-Correct Derandomization Allowed to make small # of errors

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM The Power of Randomness? Is randomness more powerful for … Time-Bounded Algs? Interactive Proofs? Space-Bounded Algs? BPL L AM NP BPP P PRIMES Circuit Testing Graph Non-Iso Undirected STCON Does BPP = P?

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM Does BPP = P? B(x) = Maj ρ (A(x, G(ρ)) decides L if G is PRG secure against circuits A(x, ∙) [NW, IW, STV, SU, …] E ⊈ SIZE(2 εn ) ⇒ PRG G with ℓ = O(log n), computable in time 2 O(ℓ) ⇒ BPP=P Randomized Machine A(x, r) reject accept G({0,1} ℓ ) reject accept x∈Lx∉L BPP lang L

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM Difficulty of Proving BPP=P Can we prove BPP=P without circuit lower bounds? No: [KI] BPP ⊆ NSUBEXP ⇒ NEXP ⊈ P/poly or PERM ⊈ Arith-P/poly Further: cannot prove BPP ⊆ NSUBEXP with relativizing techniques or arithmetization What if we relax the goal? [IW, …] “heuristic” derand if BPP≠ EXP [GW, …] typically-correct derandomization

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM Typically-Correct Derandomization More efficient derandomizations? Weaker (or no) hardness assumptions? How to leverage ability to make errors? Extractors [GW] Seedless Extractors [Sha] PRGs – this work Randomized Algorithm A(x, r) computing lang L  B typically-correct for L: makes at most δ·2 n errors

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM Extract Randomness from Input [GW] If (1) most r good for all x and (2) |r| < |x| B(x) = A(x, x) makes few errors Make error very small: B(x) = Maj y (A(x, E(x,y))) BPP: if P hard-on-average for SIZE SAT (n d ) use PRG to Randomized Algorithm A(x, r) computing lang L Deterministic simulation B(x) = A(x, E(x)) “good” r x Set of all r ≈ set of all x Subsequent work: [vMS], [Zim], [Sha]

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM Extract Randomness from Input [Sha] B(x) = A(x, E(x)), assume |r| ≤ |x| If E seedless 2 -Ω(|r|) -extractor for distributions then B typically-correct Use PRG to get |r| ≤ |x| BPP: if P very hard-on-average for SIZE(n d ) Randomized Algorithm A(x, r) computing lang L “good” r A(x,r)=L(x) Set of all r Set of all x, fixed good r Unconditional results for AC 0, streaming algs, …

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM Pseudorandom Generator Approach B(x) = A(x, E(x)) G(x) = (x, E(x)) is ε-PRG for T ⇒ |Pr x,r [A(x,r)≠L(x)] – Pr x [A(G(x))≠L(x)]| ≤ ε ⇒ Pr x [A(x,E(x))≠L(x)] ≤ ρ+ε Randomized Algorithm A(x, r) computing lang L A(x,r)=L(x) Fixed x A(x,r)=L(x) All (x, r) pairs Pr r [A(x,r)≠L(x)] ≤ ρ ≤ 1/3Pr x,r [A(x,r)≠L(x)] ≤ ρ test T(x, r) G ε-PRG for test T r’ (x,r): A(x,r)≠A(x,r’) ⇒ Pr x [A(x,E(x))≠L(x)] ≤ 3ρ+ε

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM Pseudorandom Generator Approach Can PRG’s be seed-extending? Cryptographic – No! Derandomization – Yes! [NW, STV, SU, …] Compare to traditional use of PRG B only runs G once – very efficient if G is Compare to [GW], [Sha] PRG is already enough! Randomized Algorithm A(x, r) computing lang L B(x) = A(G(x)), G is seed-extending PRG

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM New Typically-Correct Derand Results BPP: P 1/n c -hard for SIZE(n d ) ⇒ B in P and within 1/n c of L Similar conditional results for AM, BPL, … Randomized Algorithm A(x, r) computing lang L B(x) = A(x, NW H (x)) NW H based on hardness of H Weaker than [GW], [Sha]

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM New Typically-Correct Derand Results AC 0 with few symmetric gates: A uses o(log 2 n) symm gates, error ρ ≤ 1/3 ⇒ B in AC 0 [sym] and within ρ+n -Ω(log n) of L Other settings: multi-party comm, … Randomized Algorithm A(x, r) computing lang L B(x) = A(x, NW H (x)) NW H based on hardness of H

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM Comparison with [Sha] All results of [Sha] by PRG approach (x, E(x)) is a 2 -Ω(|r|) -PRG for tests T(x,r): A(x,r) ≠ A(x,r’) E is a seedless 2 -Ω(|r|) -extractor for distributions ≈ {x | A(x, r) = A(x,r’)} A(x, E(x)) typically-correct for L [Sha]

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM Difficulty of Proving Typ-Cor Derand Typically-correct derandomization without circuit lower bounds? No for small error: If NTIME(2 n ε ) computes circuit-testing with ≤ 2 n ε errors, then NEXP ⊈ P/poly, or Permanent ⊈ Arithmetic-P/poly Large error: no for relativizing techniques or arithmetization [AW] oracle A, low-deg ext à of A s.t. BPTIME A (O(n)) is (1/2-2 -Ω(n) )-hard for NTIME à (2 n ) Simpler proof for everywhere-correct setting

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM Recap New seed-extending PRG approach Unconditional results in some settings! But, for BPP: unconditional results difficult Typically-Correct Derandomization Allowed to make small # of errors

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel RANDOM Thanks! * Full paper and slides available from my website