1
On Constructing Parallel Pseudorandom Generators from One-Way Functions
Emanuele Viola, Harvard University, June 2005
2
Pseudorandom Generator (PRG) [BM,Y]
Poly(n)-time computable
Stretch s(n) ≥ 1 (e.g., s(n) = 1, s(n) = n)
Fools efficient adversaries: ∀ PPT A, Pr_{X, |X| = n+s(n)}[A(X) = 1] ≈ Pr_{s, |s| = n}[A(PRG(s)) = 1]
[Figure: PRG mapping an n-bit seed s to n+s(n) output bits]
3
Background on PRG
PRG ⇔ One-Way Functions (OWF) [BM,Y,GL,…,HILL]
(f OWF if easy to compute but hard to invert, i.e. ∀ PPT M, almost never M(f(X)) ∈ f^{-1}(f(X)))
Applications of PRG: cryptography, derandomization; need stretch s(n) = poly(n)
Stretch s(n) only makes sense relative to n. E.g. G : {0,1}^n → {0,1}^{n+s(n)} ⇒ G : {0,1}^{n²} → {0,1}^{n² + n·s(n)}
Two main cases: s(n) = 1, or s(n) = n
4
PRG Constructions
We study complexity of constructing PRG with big stretch from OWF f
Def.: black-box PRG constructions G^f: for every (comput.-unbounded) function f and adversary A, A breaks G^f ⇒ ∃ PPT M : M^{f,A} inverts f
Most constructions are black-box [BM,Y,…,HILL]
Many negat. results for black-box model [IR,…,GT,RTV]
Cannot make sense of negat. result in non-black-box model
5
Standard Constructions w/ big stretch
STEP 1: OWF f ⇒ G^f : {0,1}^n → {0,1}^{n+1}. Think e.g. f : {0,1}^n → {0,1}^n
STEP 2: G^f ⇒ PRG with stretch s(n) = poly(n) [GM]
Stretch s ⇒ s adaptive queries to f ⇒ circuit depth ≥ s
Question [this work]: stretch s vs. adaptivity & depth? E.g., can have s = n, circuit depth O(log n)?
[Figure: Input → G^f → G^f → … → G^f → Output, the copies of G^f applied one after another]
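The sequential stretching of STEP 2 and the adaptivity it costs, as an added example that is not code from the slides: a stretch-1 generator G^f(x, r) = (f(x), r, ⟨x, r⟩) built from a Goldreich-Levin hard-core bit is iterated s times, feeding the first 2n output bits back as the next seed. A tracing wrapper around f records that each query is exactly the previous answer, so the s queries form an adaptive chain and the circuit depth grows with s. The function `toy_f` is a constructed placeholder permutation (trivially invertible, not one-way) standing in for the oracle; all names here are this example's own.

```python
"""Sequential stretching of a stretch-1 generator (STEP 2 above) and the
adaptivity it costs. Added example, not code from the slides. `toy_f` is a
constructed placeholder permutation of {0,1}^n (trivially invertible, NOT
one-way); it only stands in for the oracle f so the query pattern is visible."""
from typing import Callable, List, Tuple

Bits = Tuple[int, ...]


def toy_f(x: Bits) -> Bits:
    """Placeholder for the one-way function: rotate left by one, XOR a fixed mask."""
    n = len(x)
    return tuple(x[(i + 1) % n] ^ (i % 2) for i in range(n))


def inner_product(x: Bits, r: Bits) -> int:
    """Goldreich-Levin hard-core bit <x, r> over GF(2)."""
    return sum(a & b for a, b in zip(x, r)) % 2


class TracingOracle:
    """Wraps f and records every (query, answer) pair in the order made."""

    def __init__(self, f: Callable[[Bits], Bits]) -> None:
        self.f = f
        self.trace: List[Tuple[Bits, Bits]] = []

    def __call__(self, x: Bits) -> Bits:
        y = self.f(x)
        self.trace.append((x, y))
        return y

    def adaptive_depth(self) -> int:
        """Length of the longest chain of queries in which each query equals the
        previous answer, i.e. could only be issued after that answer arrived."""
        best = run = 0
        for idx, (q, _) in enumerate(self.trace):
            run = run + 1 if idx > 0 and q == self.trace[idx - 1][1] else 1
            best = max(best, run)
        return best


def stretch_one(f: Callable[[Bits], Bits], seed: Bits) -> Bits:
    """STEP 1 shape: G^f : {0,1}^{2n} -> {0,1}^{2n+1}, seed = (x, r),
    output = (f(x), r, <x, r>). One query to f."""
    n = len(seed) // 2
    x, r = seed[:n], seed[n:]
    return f(x) + r + (inner_product(x, r),)


def stretch_s(f: Callable[[Bits], Bits], seed: Bits, s: int) -> Bits:
    """STEP 2 [GM]-style iteration: feed the first 2n output bits back as the next
    seed and keep the extra bit of each round; s rounds give stretch s."""
    n2 = len(seed)
    state, extra = seed, []
    for _ in range(s):
        out = stretch_one(f, state)
        state, extra = out[:n2], extra + [out[n2]]
    return state + tuple(extra)


def run_sequential(seed: Bits, s: int) -> Tuple[int, int]:
    """Return (stretch achieved, adaptive query depth) for s rounds."""
    oracle = TracingOracle(toy_f)
    out = stretch_s(oracle, seed, s)
    return len(out) - len(seed), oracle.adaptive_depth()


if __name__ == "__main__":
    # constructed 8-bit seed (x, r) with n = 4
    print(run_sequential((1, 0, 1, 1, 0, 1, 1, 0), 5))  # (5, 5): stretch 5 costs depth 5
```

The `adaptive_depth` count is what the parallel model of slide 8 forbids: there every query to f must be computable from the seed alone, so a chain like this one cannot be built and the stretch has to come from the AC0 combining circuit instead.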
6
Previous Results
[AIK] Log-depth OWF/PRG ⇒ O(1)-depth PRG (!!!). However, any stretch ⇒ stretch s = 1
[GT] s vs. number q of queries to OWF (Thm: q ≥ s); [This work] s vs. adaptivity & circuit depth
[…,IN,NR] O(1)-depth PRG from specific assumptions; [This work] general assumptions
Context: [V] studies complexity of NW-type PRG
7
Outline
Our model
Our results
Proof sketch of main negative result
Other: new negative result on worst-case vs. average-case connections in NP, PH
8
Our Model of PRG construction
Parallel PRG G^f : {0,1}^n → {0,1}^{n+s(n)} from OWF f
[Figure: input s (|s| = n) → nonadaptive queries q_1, …, q_4 to f → constant-depth circuit (AC0) of AND/OR gates → output, n+s(n) bits]
9
Our Results on PRG Constructions
Parallel construction G^f : {0,1}^n → {0,1}^{n+s(n)} from one-way function f (e.g. f : {0,1}^n → {0,1}^{n^b})
f arbitrary:   Neg. s(n) ≤ o(n)
f one-to-one:  ?
f permutation: Pos. s(n) ≥ 1
10
Proof Sketch of Negative Result
Thm[this work]: Parallel black-box PRG constructions G^f : {0,1}^n → {0,1}^{n+s(n)} satisfy s(n) ≤ o(n)
Proof: Exhibit comput.-unbounded f, A such that: (1) A breaks G^f when s(n) = Ω(n); (2) f one-way, i.e. hard to invert.
We show distribution on f s.t. (1) & (2) hold w.h.p.
11
Def. of f and (1) break G^f
Restriction ρ [FSS,H,…] maps bits to {0,1,*}
Def. distribution on f: apply ρ to truth-table of f; ρ known to adversary A; replace * with random bits
(1) A breaks G^f: ∀ seed s, G^f(s) is AC0 function of truth-table of f ⇒ ρ makes G^f(s) biased ⇒ A breaks G^f(s). If s(n) = Ω(n) can union bound over all seeds.
[Figure: truth table f(0), f(1), …, f(111) restricted to 01**, 1*0*, …, **0]
12
(2) f one-way
Problem: f not one-way: ρ leaks info about x. E.g. first bit f(x) = 0 ⇒ x
Solution: Force many x's to share same restriction: compose f with hash function
Many preimages ⇒ f one-way. Low collision prob. ⇒ A still breaks G^f. Q.E.D.
[Figure: f = hash composed with the restricted truth table f(0), f(1), f(10), …, f(111) (01**, 1*0*, 1***, 1**0)]
13
Our Result on Average Case Complexity
Question: given f ∈ NP worst-case hard (f ∉ P/poly), can build f' ∈ NP average-case hard? I.e. ∀ small circuit A : Pr_x[A(x) ≠ f'(x)] ≥ 1/3
Thm[V]: no black-box construction of f' using both function f and adversary A as black-box
Thm[BT]: no construction using A as black-box; also uses A "non-adaptively"
Thm[this work]: no construction using f as black-box. Proof uses pseudorandom restrictions
14
Conclusion
Thm[this work]: Parallel black-box constructions G^f : {0,1}^n → {0,1}^{n+s(n)} satisfy:
f arbitrary: Neg. s(n) ≤ o(n); f one-to-one: ?; f permutation: Pos. s(n) ≥ 1
Average-case complexity. Thm[this work]: given f ∈ NP worst-case hard, no construction of average-case hard f' ∈ NP using f as black-box
16
Pseudorandom Bits for Constant-Depth Circuits with Few Arbitrary Symmetric Gates
Emanuele Viola, Harvard University, April 2005
17
Pseudorandom Generator (PRG) [BM,Y,NW]
Efficiently computable
Big stretch s(n) ≫ n (e.g. s(n) = n^{ω(1)})
Fools small circuits: ∀ small C, Pr_{X, |X| = s(n)}[C(X) = 1] ≈ Pr_{s, |s| = n}[C(PRG(s)) = 1]
[Figure: PRG mapping an n-bit seed to s(n) output bits]
18
Do PRG Exist?
PRG ⇒ derandomization: BP·P ⊊ EXP [Y,NW,…]
PRG ⇔ circuit lower bounds: EXP ⊄ P/poly [NW,BFNW,STV,SU,…]
Open Problem: PRG exist?
This Work: study restricted PRG. Only fool constant-depth circuits. We know lower bounds for constant-depth circuits
19
PRG that fools constant-depth circuits
As before, but only fools small constant-depth circuit C: Pr_{X, |X| = s(n)}[C(X) = 1] ≈ Pr_{s, |s| = n}[C(PRG(s)) = 1]
[Figure: constant-depth circuit C over the literals x_1, ¬x_1, …, x_s, ¬x_s, fed by the PRG output]
20
Previous Results
[N'91] PRG : {0,1}^n → {0,1}^{s(n)}, s(n) = 2^{n^{Ω(1)}}, fools AC0 = [Figure: constant-depth AND/OR circuit over the literals x_1, ¬x_1, …, x_s, ¬x_s]. Applications: BP·AC0 ⊊ EXP, more in [NW,HVV,V]
[LVW'93] PRG : {0,1}^n → {0,1}^{s(n)}, s(n) = n^{log n}, fools SYM ○ AND = [Figure: one SYM gate over AND gates over the literals]. SYM = arbitrary symmetric gate, e.g. SYM = PARITY, MAJORITY
21
Our Results
Theorem[This Work]: PRG : {0,1}^n → {0,1}^{s(n)} with s(n) = n^{log n} fools AC0 with log² n SYM = [Figure: constant-depth circuit with several SYM gates among its AND/OR gates, over the literals x_1, ¬x_1, x_2, …, ¬x_s]
Improves on [LVW93]
Fools richer class than [N91] but worse stretch
BP·(AC0 with few SYM) ⊊ EXP. Currently richest BP· class one can derandomize
22
The Pseudorandom Generator
[NW] style
[Figure: Nisan-Wigderson style generator with input and output blocks; each output bit is the hard function f = ⊕ (PARITY) of AND gates over x_1 … x_n [RW]]
23
Outline
Why previous results/techniques do not suffice
For PRG need new average-case lower bound for AC0 with few SYM
Proof sketch of average-case lower bound
24
Known Lower Bounds
Recall AC0 with log² n SYM = [Figure: constant-depth circuit with several SYM gates among its AND/OR gates, over the literals x_1, ¬x_1, x_2, …, ¬x_s]
[H,BNS,HG,RW,HM,CH]: f ∈ P that requires AC0 circuits with log² n SYM of size n^{log n}
Often, lower bound ⇒ PRG. But NOT this time!
25
Standard Approach
To construct PRG that fools C (e.g. AC0 with few SYM): h hard for C ⇒ [BFNW,STV,SU,…] f hard on average for C ⇒ [NW] PRG that fools C
Def. f : {0,1}^n → {0,1} average-case hard for the class C if ∀ small circuit C in the class, Pr_x[C(x) ≠ f(x)] ≥ ½ - n^{-ω(1)}
26
Standard Approach Fails
To construct PRG that fools C (e.g. AC0 with few SYM): h hard for C ⇒ f hard on average for C ⇒ PRG that fools C
Proving correctness: ∃ circuit in C equal to h ⇐ ∃ circuit in C computing f on average ⇐ ∃ circuit in C that breaks PRG
Problem: requires C ⊇ TC0. Is TC0 ⊇ NEXP? [RR]
Conjecture [V]: Black-box construction ⇒ C ⊇ TC0
27
Our vs. Previous Lower Bounds
C = AC0 with few SYM: h hard for C ⇒ f hard on average for C ⇒ PRG that fools C
[H,BNS,HG,RW,HM,CH]: not average-case hard
Theorem[This Work]: There is f ∈ P s.t. ∀ AC0 circuit C of size n^{log n} with log² n SYM, Pr_x[C(x) ≠ f(x)] ≥ ½ - n^{-log n}
28
Tools
Random restrictions [FSS,H,…]: ρ : {x_1, x_2, …, x_s} → {0,1,*}; C|ρ = subcircuit on the *'s
Multiparty communication complexity [CFL]
Thm[BNS]: Generalized Inner Product (GIP) = [Figure: ⊕ of AND gates over x_1 … x_n] has high communication complexity
29
Proof Sketch
Thm[This Work]: f = GIP ○ PARITY = [Figure: ⊕ of AND gates of PARITY gates over x_1 … x_n] is average-case hard for small AC0 circuits with few SYM
Proof sketch: C small AC0 circuit with few SYM. W.h.p. over random restriction ρ:
E1: GIP ○ PARITY|ρ ≈ GIP ⇒ high comm. complexity. E1 ⇐ each bottom PARITY has *
E2: C|ρ computable with low comm. complexity
E1 and E2 ⇒ C|ρ(x) ≠ GIP(x). Q.E.D.
30
Conclusion
Theorem[This Work]: PRG : {0,1}^n → {0,1}^{s(n)} with s(n) = n^{log n} fools AC0 with log² n SYM
Improves [LVW93], fools richer class than [N91]
Currently richest BP· class one can derandomize
Obtained from average-case hardness result
Conj.: PRG from worst-case hardness ⇒ C ⊇ TC0
Open problems: ω(log² n) SYM? EXP average-case hard for GF(2) poly of deg. log n?
31
C|ρ low communication complexity
Lemma[this work]: C small AC0 circuit w/ log² n SYM. W.h.p. over ρ ∈ R_p, C|ρ has low comm. complexity
Lemma[HG+HM]: Above holds for 1 SYM
32-39
More SYM gates
Lemma: C small AC0 circuit with log² n SYM. W.h.p. over ρ ∈ R_p, C|ρ has low comm. complexity
Proof: Consider the following protocol (animation over a circuit with SYM1, SYM2, SYM3 stacked above OR/AND gates over the literals x_1, ¬x_1, …, x_s, ¬x_s):
Previous lemma ⇒ low communication complexity for the bottom SYM gate (SYM1)
Parties compute value of the SYM gate; in the figure it is replaced by the constant 1
Previous lemma ⇒ low communication complexity for the next SYM gate (SYM2); parties compute its value
Repeat for SYM3
Total communication = communication for 1 SYM × number of SYM. Q.E.D.
Union bound over 2^{#SYM} circuits limits # SYM. Open Problem: Better analysis?
41
Multiparty Communication Complexity
"Number on the forehead" model [CFL]: k parties want to compute f(x); x partitioned in k blocks; i-th party knows all of x but x_i; communication = broadcast
Generalized Inner Product: GIP(x) = [Figure: ⊕ over the n columns of the AND across the k blocks x_1 … x_k, n bits each]
Lemma[BNS]: Low communication complexity protocol P ⇒ Pr_x[P(x) ≠ GIP(x)] ≥ ½ - n^{-log n}. Discrepancy, [CT,R]
42
C|ρ low communication complexity
Restriction ρ [FSS,…]: map variables to {0,1,*}. R_p = uniform distribution with Pr[ρ(x_i) = *] = p. C|ρ = subcircuit; new input bits = the *'s
Lemma: C small AC0 circuit with log² n SYM. W.h.p. over ρ ∈ R_p, C|ρ has low comm. complexity
First prove 1 SYM, then log² n SYM
43
1 SYM gate
Lemma: C small AC0 circuit with 1 SYM. W.h.p. over ρ ∈ R_p, C|ρ has low comm. complexity
Proof: [H] the restricted circuit collapses to SYM ○ AND_{k-1} = [Figure: one SYM gate over AND gates of fan-in k-1 over the blocks x_1 … x_k]
[HG] SYM ○ AND_{k-1} has low comm. complexity: ∀ AND ∃ party that can compute it (fan-in < k = # blocks); parties broadcast # AND = 1; Communication = k · log(size of circuit). Q.E.D.
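The [HG] protocol for SYM ○ AND_{k-1} in the number-on-the-forehead model of slide 41, extended bottom-up to several SYM gates as on slides 32-39, as an added example that is not code from the slides. Party i sees every block of x except block i; an AND reading fewer than k blocks misses some block, so the party missing that block evaluates it from what it sees, each party broadcasts how many of its ANDs are 1, and everyone applies the symmetric gate to the sum, costing k · ⌈log₂(#AND + 1)⌉ bits per SYM gate. Each party's view hides its own block, so the simulation fails loudly if any party would need a bit it cannot see. The circuit, the input and all names are constructed for this example.

```python
"""Number-on-the-forehead simulation of the SYM o AND_{k-1} protocol [HG] and its
bottom-up extension to several SYM gates. Added example, not code from the
slides; the circuit, the input and all names are constructed for illustration.
Party i sees every block of x except block i [CFL]. An AND reading fewer than k
blocks misses some block, so the party who cannot see that block evaluates it;
each party broadcasts how many of its ANDs are 1, everyone sums and applies the
symmetric gate. A SYM gate's broadcast value is common knowledge and may feed
later AND gates."""
import math
from typing import Callable, List, Optional, Tuple

# Literal: ("x", var_index, negated) or ("g", gate_index) for an earlier SYM gate's value.
Literal = Tuple
AndGate = List[Literal]
SymFn = Callable[[int, int], int]          # (number of ANDs equal to 1, number of ANDs) -> bit
SymGate = Tuple[SymFn, List[AndGate]]

PARITY: SymFn = lambda ones, total: ones % 2
MAJORITY: SymFn = lambda ones, total: int(2 * ones > total)


def eval_literal(lit: Literal, view: List[Optional[int]], gate_values: List[int]) -> int:
    """Evaluate one literal from a party's view; None marks a hidden input bit."""
    if lit[0] == "g":
        return gate_values[lit[1]]
    _, idx, neg = lit
    if view[idx] is None:
        raise RuntimeError("a party tried to read its own (hidden) block")
    return view[idx] ^ neg


def eval_circuit(circuit: List[SymGate], x: List[int]) -> int:
    """Centralized evaluation, the ground truth for the protocol."""
    gate_values: List[int] = []
    for sym, ands in circuit:
        ones = sum(all(eval_literal(l, x, gate_values) for l in g) for g in ands)
        gate_values.append(sym(ones, len(ands)))
    return gate_values[-1]


def owner(gate: AndGate, k: int, block_size: int) -> int:
    """A party whose block the AND does not read, hence who can evaluate it."""
    read = {lit[1] // block_size for lit in gate if lit[0] == "x"}
    missing = [i for i in range(k) if i not in read]
    if not missing:
        raise ValueError("AND reads all k blocks: fan-in must be < k")
    return missing[0]


def nof_protocol(circuit: List[SymGate], x: List[int], k: int) -> Tuple[int, int]:
    """Run the broadcast protocol; return (output bit, bits communicated)."""
    block_size = len(x) // k
    views = [[None if t // block_size == i else x[t] for t in range(len(x))] for i in range(k)]
    gate_values: List[int] = []   # common knowledge after each SYM gate
    bits = 0
    for sym, ands in circuit:
        counts = [0] * k
        for g in ands:
            i = owner(g, k, block_size)
            counts[i] += int(all(eval_literal(l, views[i], gate_values) for l in g))
        bits += k * math.ceil(math.log2(len(ands) + 1))   # each party broadcasts its count
        gate_values.append(sym(sum(counts), len(ands)))
    return gate_values[-1], bits


def communication_bound(circuit: List[SymGate], k: int) -> int:
    """k * log(size) per SYM gate, summed over the SYM gates (slides 32-39)."""
    return sum(k * math.ceil(math.log2(len(ands) + 1)) for _, ands in circuit)


def agrees_everywhere(circuit: List[SymGate], k: int, num_vars: int) -> bool:
    """Protocol output == circuit output on all 2^num_vars inputs."""
    for v in range(2 ** num_vars):
        x = [(v >> t) & 1 for t in range(num_vars)]
        if nof_protocol(circuit, x, k)[0] != eval_circuit(circuit, x):
            return False
    return True


# Constructed circuit: k = 3 parties, blocks {x0,x1}, {x2,x3}, {x4,x5}; every AND reads < 3 blocks.
SAMPLE_CIRCUIT: List[SymGate] = [
    (PARITY, [[("x", 0, 0), ("x", 2, 0)], [("x", 1, 0), ("x", 3, 1)],
              [("x", 4, 0), ("x", 5, 0)], [("x", 0, 1), ("x", 5, 0)]]),
    (MAJORITY, [[("g", 0), ("x", 1, 0)], [("x", 2, 0), ("x", 4, 0)], [("x", 3, 0)]]),
]

if __name__ == "__main__":
    print(nof_protocol(SAMPLE_CIRCUIT, [1, 1, 1, 0, 1, 1], 3))  # (1, 15)
```

The bit count is the slides' k · log(size) per SYM gate times the number of SYM gates; the union bound on slide 39 over the 2^{#SYM} possible value patterns of the SYM gates is what turns this per-circuit protocol into a bound on the class.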
44
Summary of Lemmas
Lemma[BNS]: Low communication complexity protocol P ⇒ Pr_x[P(x) ≠ GIP(x)] ≥ ½ - n^{-log n}
Lemma: C small AC0 circuit with log² n SYM. W.h.p. over ρ ∈ R_p, C|ρ has low comm. complexity
Want Theorem: There is f ∈ P s.t. ∀ AC0 circuit C of size n^{log n} with log² n SYM gates, Pr_x[C(x) ≠ f(x)] ≥ ½ - n^{-log n}
45
Proof: f = GIP ○ PARITY = [Figure: ⊕ of AND gates of PARITY gates over x_1 … x_n]. C small AC0 circuit with log² n SYM
Random input x = random ρ + random y for the *'s
E1: f|ρ ≈ GIP ⇒ high comm. complexity. E1 ⇐ each bottom PARITY has *
E2: C|ρ has low comm. complexity
Pr_x[C(x) ≠ f(x)] ≥ Pr_{ρ,y}[C|ρ(y) ≠ f|ρ(y) | E1, E2] · Pr[E1, E2] = Pr_y[P(y) ≠ GIP(y)] · (1 - n^{-log n}) ≥ (½ - n^{-log n}) · (1 - n^{-log n}). Q.E.D.
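Event E1 of slides 29 and 45 made concrete, as an added example that is not code from the slides: restrictions ρ ∈ R_p as defined on slide 42 are sampled, E1 (every bottom PARITY keeps a *) is checked together with the union bound Pr[¬E1] ≤ kn(1-p)^m that dictates how many bits m each PARITY must read, and for a restriction with exactly one * per PARITY the restricted function is verified to equal GIP with some inputs negated, f|ρ(y) = GIP(y ⊕ c), which is why it inherits GIP's communication hardness. GIP is taken in its standard form, the XOR over n columns of the AND across k rows; the instance sizes, the hand-made restriction and all names are constructed for this example.

```python
"""Random restrictions rho in R_p and event E1 for f = GIP o PARITY. Added
example, not code from the slides; instance sizes, names and the hand-made
restriction are constructed for illustration. Bottom PARITY gate (i, j) reads m
fresh input bits; GIP is taken over the k x n matrix of those gates."""
import itertools
import random
from typing import List, Optional

STAR = None  # the '*' of a restriction: variable left free


def gip(y: List[List[int]]) -> int:
    """Generalized Inner Product on a k x n matrix: XOR over columns of the AND of each column."""
    k, n = len(y), len(y[0])
    return sum(all(y[i][j] for i in range(k)) for j in range(n)) % 2


def block(i: int, j: int, n: int, m: int) -> range:
    """Indices of the m input bits read by bottom PARITY gate (i, j)."""
    start = (i * n + j) * m
    return range(start, start + m)


def gip_parity(x: List[int], k: int, n: int, m: int) -> int:
    """f = GIP o PARITY on k*n*m input bits."""
    y = [[sum(x[t] for t in block(i, j, n, m)) % 2 for j in range(n)] for i in range(k)]
    return gip(y)


def sample_restriction(num_vars: int, p: float, rng: Optional[random.Random] = None) -> List[Optional[int]]:
    """rho in R_p: each variable is * with probability p, otherwise a uniform 0/1."""
    rng = rng or random.Random(0)   # fixed seed so runs are reproducible
    return [STAR if rng.random() < p else rng.randrange(2) for _ in range(num_vars)]


def e1_holds(rho: List[Optional[int]], k: int, n: int, m: int) -> bool:
    """E1: every bottom PARITY gate keeps at least one free (*) input."""
    return all(any(rho[t] is STAR for t in block(i, j, n, m)) for i in range(k) for j in range(n))


def e1_failure_bound(k: int, n: int, p: float, m: int) -> float:
    """Union bound: Pr[not E1] <= k*n*(1-p)^m, so m must grow with log(k*n)."""
    return k * n * (1 - p) ** m


def fill(rho: List[Optional[int]], free_values) -> List[int]:
    """Plug values for the free variables (in index order) into the * positions."""
    it = iter(free_values)
    return [next(it) if v is STAR else v for v in rho]


def shift_constants(rho, k, n, m) -> Optional[List[List[int]]]:
    """If every gate has exactly one *, return c with c[i][j] = parity of the fixed
    bits of gate (i, j); then f|rho(y) = GIP(y XOR c). Otherwise return None."""
    c = []
    for i in range(k):
        row = []
        for j in range(n):
            vals = [rho[t] for t in block(i, j, n, m)]
            if vals.count(STAR) != 1:
                return None
            row.append(sum(v for v in vals if v is not STAR) % 2)
        c.append(row)
    return c


def restricted_is_shifted_gip(rho, k, n, m) -> bool:
    """Check f|rho(y) == GIP(y XOR c) on every assignment y to the k*n free variables."""
    c = shift_constants(rho, k, n, m)
    if c is None:
        return False
    for y in itertools.product((0, 1), repeat=k * n):
        ymat = [[y[i * n + j] ^ c[i][j] for j in range(n)] for i in range(k)]
        if gip_parity(fill(rho, y), k, n, m) != gip(ymat):
            return False
    return True


# Constructed restriction: k=2, n=2, m=3 (12 variables), exactly one * per PARITY gate.
RHO_ONE_STAR: List[Optional[int]] = [STAR, 1, 0, 1, STAR, 1, 0, 0, STAR, STAR, 1, 1]

if __name__ == "__main__":
    print(e1_holds(RHO_ONE_STAR, 2, 2, 3), restricted_is_shifted_gip(RHO_ONE_STAR, 2, 2, 3))
```

When a PARITY gate keeps several *'s the restricted gate is a parity of those free bits rather than a single literal, which is still at least as hard as GIP for the protocol; when it keeps none it collapses to a constant, and a constant 0 in any row wipes out that column's AND, so E1 is exactly the event in which the GIP structure survives the restriction.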