Presentation is loading. Please wait.

Presentation is loading. Please wait.

Pseudorandomness: New Results and Applications

Published byYenny Kurniawan Modified over 5 years ago

Similar presentations

Presentation on theme: "Pseudorandomness: New Results and Applications"— Presentation transcript:

1 Pseudorandomness: New Results and Applications
Emanuele Viola IAS May 2007

2 Randomness in Computation
Useful throughout Computer Science Algorithms Cryptography Complexity Theory Question: Is “true” randomness necessary? Input Output (error probability 1%)

3 Pseudorandomness Goal: low-entropy distributions that ``look random’’
Why study pseudorandomness? Basis for most cryptography [S 49] Algorithmic breakthroughs: Connectivity in logarithmic space [R 04] Primality in polynomial time [AKS 02]

4 Pseudorandom Generator (PRG) [BM,Y]
Poly(n)-time Computable Stretch s(n) ¸ 1 (e.g., s(n) = 1, s(n) = n2) Output ``looks random’’ PRG

5 Outline Overview of pseudorandomness
Cryptographic pseudorandom generators Complexity vs. stretch Specialized pseudorandom generators Constant-depth, with application to NP Polynomials

6 Cryptographic PRG “Looks random”: 8 efficient adversary A : {0,1}n+s(n) ! {0,1} PrU[A(U) = 1] ¼ PrX [A(PRG(X)) = 1] Cryptography: sym. encryption(m) := m © G(X) [S49] need big stretch s >> n PRG , One-Way Functions (OWF) [BM,Y,GL,…,HILL] OWF: easy to compute but hard to invert PRG

7 Standard Constructions w/ big stretch
STEP 1: OWF f ) Gf : {0,1}n ! {0,1}n+1 Think e.g. f : {0,1}na ! {0,1}nb STEP 2: Gf ) PRG with stretch s(n) = poly(n) [GM] Stretch s ) s adaptive queries to f ) circuit depth ¸ s Question [this work]: stretch s vs. adaptivity & depth? E.g., can have s = n, circuit depth O(log n)? Gf Input X Gf Gf Gf Gf Gf Output

8 Previous Results [AIK] Log-depth OWF/PRG ) O(1)-depth PRG (!!!)
However, any stretch ) stretch s = 1 [GT] s vs. number q of queries to OWF (Thm: q ¸ s) [This work] s vs. adaptivity & circuit depth […,IN,NR] O(1)-depth PRG from specific assumptions [We ask] general assumptions

9 Our Model of PRG construction
Parallel PRG Gf : {0,1}n ! {0,1}n+s(n) from OWF f Input X, |X| = n Nonadaptive Queries to f q q q q4 f f f f Constant Depth Circuit Æ Æ Æ Æ Æ Æ Æ Æ Ç Ç Ç Ç Ç Ç Æ Æ Æ Æ Æ Æ Æ Æ Output, n+s(n) bits

10 Our Results on PRG Constructions
Theorem [V] Parallel Gf : {0,1}n ! {0,1}n+s(n) from OWF ( e.g. f : {0,1}na ! {0,1}nb ) must have: f arbitrary f one-to-one f permutation Neg. s(n) · o(n) ? Pos. s(n) ¸ 1

11 Proof of positive result
Setting: f = permutation p, want stretch s = 1 [GL] Gf(x,r) := p(x),r,<x,r> (<x,r> := åi xi ri ) Problem: can’t compute <x,r> in constant-depth [GNR] Solution: don’t have to! Gf(x,r) := p(x),r’,<x,r’> Easier: generate random (r’,Parity(r’) := åi ri ) : r1 r2 r3 … rn r’1 r’2 r’3 … r’n Parity(r’) Technique gives <x,r’>, extractors, etc Q.E.D. + + +

12 Outline Overview of pseudorandomness
Cryptographic pseudorandom generators Complexity vs. stretch Specialized pseudorandom generators Constant-depth, with application to NP Polynomials

13 Specialized PRG PrU[A(U) = 1] ¼ PrX[A(PRG(X)) = 1] PRG
“looks random”: 8 restricted A : {0,1}n+s(n)!{0,1} PrU[A(U) = 1] ¼ PrX[A(PRG(X)) = 1] Sometimes known unconditionally! PRG

14 PRG for Constant-Depth Circuits
Theorem [N ‘91]: PRG with stretch s(n) = 2nW(1) output looks random to constant-depth circuits V Æ Æ Æ Æ Æ Æ Depth V V V V V V V V Input

15 Application: Avg-Case Hardness of NP
Study hardness of NP on random instances Natural question, essential for cryptography Currently cannot relate to P  NP [FF,BT,V] Hardness amplification Definition: f : {0,1}n ! {0,1} is e-hard if 8 efficient algorithm M : Prx[M(x)  f(x)] ¸ 1/2 - e Hardness Amplification f ’ -hard f 0.1-hard

16 Previous Results Yao’s XOR Lemma: f 0(x1,…, xn) := f(x1) ©  © f(xn) f 0 ¼ 2-n -hard, almost optimal Cannot use XOR in NP: f 2 NP ; f 0 2 NP Idea: f´(x1,…, xn) = C( f(x1),…, f(xn) ), C monotone e.g. f(x1) Æ ( f(x2) Ç f(x3) ). f 2 NP ) f 0 2 NP Theorem [O’D]: There is C s.t. f 0 ¼ (1/n)-hard Barrier: No monotone C can do better!

17 Our Result on Hardness Amplification
Theorem [HVV]: Amplification in NP up to ¼ 2-n Matches the XOR Lemma Technique: Pseudorandomness! Intuitively, f´ := C( f(x1),…, f(xn), … … f(x2n) ) f´ (1/2n )-hard by previous result Problem: Input length = 2n Note C is constant-depth Use PRG: input length ! n, keep hardness f ’ C f(x1),…, f(xn), … … f(x2n)

18 Previous Results Recall Theorem [N]:
PRG with stretch s(n) = 2nW(1) But constant-depth circuits are weak: Cannot compute Majority(x1,…,xn) := i xi > n/2 ? Theorem [LVW]: PRG with stretch s(n) = nlog n PRG’s for incomparable classes V Æ Maj Æ

19 Our New PRG Maj Constant-depth circuits with few Majority gates
Theorem [V] : PRG with s(n) = nlog n Improves on [LVW]; worse stretch than [N] Richest class for which PRG is known Techniques: Communication complexity + switching lemma [BNS,HG,H,HM,CH] Maj Ç Ç Ç Ç Maj Æ Æ Æ Æ Æ Æ Input

20 Outline Overview of pseudorandomness
Cryptographic pseudorandom generators Complexity vs. stretch Specialized pseudorandom generators Constant-depth, with application to NP Polynomials

21 F2 polynomials Field F2 = GF(2) = {0,1}
F2-polynomial p : F2n!F2 of degree d E.g., p = x1 + x5 + x7 d = 1 p = x1¢x2 + x3 d = 2 Theorem[NN90]: PRG for d=1 with stretch s(n)=2W(n) Applications to algorithm design, PCP’s,…

22 Hardness for F2 polynomials
Want: explicit f : {0,1}n!{0,1} e-hard for degree d: 8 p of degree d : Pr[f(x)  p(x)] ¸ ½ - e e = e(n,d) small Implies PRG with s=1. G(X) := X f(X) Interesting beyond PRG Coding theory d = log n, e = 1/n10 ) complexity breakthrough

23 Previous Results Want: explicit f : {0,1}n!{0,1} e-hard for degree d:
8 p of degree d : Pr[f(x)  p(x)] ¸ ½ - e e = e(n,d) small [Razborov 1987] Majority: (1/n)-hard (d · polylog(n) ) [Babai et al. 1992] Explicit f: exp(-n/d¢2d)-hard [Bourgain 2005] Mod 3: exp(-n/8d)-hard Mod 3 (x1,…,xn) := 1 iff 3 | åi xi

24 Our Results New approach based on ``Gowers uniformity’’
Theorem [V,VW] : Explicit f: exp(-n/2d)-hard ([BNS] exp(-n/d¢2d) ) Mod 3: exp(-n/4d)-hard ([Bou] exp(-n/8d)) Also arguably simpler proof Theorem [BV, unpublished] : PRG with stretch s(n) = 2W(n) for d = 2,3 For any d under “Gowers inverse conjecture” Even for d=2, previous best was s(n) = nlog n [LVW ‘93]

25 Gowers uniformity Idea: Measure closeness to degree-d polynomials by checking if d-th derivative vanishes [G98] combinat., [A+,J+,…] testing Derivative Dy p(x) := p(x+y) + p(x) E.g. Dy (x1x2 + x3) = (y1+x1)(y2+x2)+(x3+y3)+x1x2+x3 = y1x2 + x1y2 + y1y2 + y3 p degree d ) Dy p(x) degree d-1 Iterate: Dy,y’ p(x) := Dy( Dy’ p(x)) d-th Gowers uniformity of f: Ud(f) := Ex,y1,…,yd[e(Dy1,…,yd f(x))] (e(X):=(-1)X ) Ud(p) = 1 if p degree d

26 Main lemma Lemma [Gow,GT]:
Hardness of f for degree-d polynomials · Ud(f)1/2d Property of f only! Proof sketch: Let p have degree d. Hardness of f for p = | Pr[f(x) = p(x)] -Pr[f(x)  p(x)] | = EX[e(f(x)+p(x))] = U0(f+p) · U1(f+p)1/2 · … · Ud(f+p)1/2d (Cauchy-Schwartz) = Ud(f)1/2d (d-th derivative of p = 1) Q.E.D.

27 Establishing hardness
Consider f := x1Lxd+1 + xd+2Lx2d+2 + L not best parameters, but best to illustrate Theorem [V] f is exp(-n/cd)-hard for degree d Proof: Hardness of f · Ud(f)1/2d (by lemma) = Ud(x1Lxd+1 + xd+2Lx2d+2 + L) 1/2d = Ud(x1Lxd+1) n/(d+1)2d (by property of U) = exp(-n/cd) (by calculation) Q.E.D.

28 Conclusion Pseudorandom generators (PRG’s): powerful tool
Cryptographic PRG’s Tradeoff between stretch and parallel complexity [V] Specialized PRG’s Application: Hardness Amplification in NP [HVV] PRG for const.-depth circuits with few Maj gates [V] PRG for low-degree polynomials over F2 using Gowers uniformity [V, VW,BV]

29 Thank you!

Download ppt "Pseudorandomness: New Results and Applications"

Similar presentations

Parikshit Gopalan Georgia Institute of Technology Atlanta, Georgia, USA.

Parikshit Gopalan Georgia Institute of Technology Atlanta, Georgia, USA.
Hardness of Reconstructing Multivariate Polynomials. Parikshit Gopalan U. Washington Parikshit Gopalan U. Washington Subhash Khot NYU/Gatech Rishi Saket.

Hardness of Reconstructing Multivariate Polynomials. Parikshit Gopalan U. Washington Parikshit Gopalan U. Washington Subhash Khot NYU/Gatech Rishi Saket.
On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.
Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.

Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.

Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.
CS151 Complexity Theory Lecture 8 April 22, 2004.

CS151 Complexity Theory Lecture 8 April 22, 2004.
Simple Affine Extractors using Dimension Expansion. Matt DeVos and Ariel Gabizon.

Simple Affine Extractors using Dimension Expansion. Matt DeVos and Ariel Gabizon.
Better Pseudorandom Generators from Milder Pseudorandom Restrictions Raghu Meka (IAS) Parikshit Gopalan, Omer Reingold (MSR-SVC) Luca Trevian (Stanford),

Better Pseudorandom Generators from Milder Pseudorandom Restrictions Raghu Meka (IAS) Parikshit Gopalan, Omer Reingold (MSR-SVC) Luca Trevian (Stanford),
Derandomized parallel repetition theorems for free games Ronen Shaltiel, University of Haifa.

Derandomized parallel repetition theorems for free games Ronen Shaltiel, University of Haifa.
Using Nondeterminism to Amplify Hardness Emanuele Viola Joint work with: Alex Healy and Salil Vadhan Harvard University.

Using Nondeterminism to Amplify Hardness Emanuele Viola Joint work with: Alex Healy and Salil Vadhan Harvard University.
Time vs Randomness a GITCS presentation February 13, 2012.

Time vs Randomness a GITCS presentation February 13, 2012.
Derandomization: New Results and Applications Emanuele Viola Harvard University March 2006.

Derandomization: New Results and Applications Emanuele Viola Harvard University March 2006.
ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis,

ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis,
On Uniform Amplification of Hardness in NP Luca Trevisan STOC 05 Paper Review Present by Hai Xu.

On Uniform Amplification of Hardness in NP Luca Trevisan STOC 05 Paper Review Present by Hai Xu.
Arithmetic Hardness vs. Randomness Valentine Kabanets SFU.

Arithmetic Hardness vs. Randomness Valentine Kabanets SFU.
CS151 Complexity Theory Lecture 8 April 22, 2015.

CS151 Complexity Theory Lecture 8 April 22, 2015.
1 Streaming Computation of Combinatorial Objects Ziv Bar-Yossef U.C. Berkeley Omer Reingold AT&T Labs – Research Ronen.

1 Streaming Computation of Combinatorial Objects Ziv Bar-Yossef U.C. Berkeley Omer Reingold AT&T Labs – Research Ronen.
GOING DOWN HILL: MORE EFFICIENT PSEUDORANDOM GENERATORS FROM ANY ONE-WAY FUNCTION Joint with Iftach Haitner and Salil Vadhan Omer Reingold&

GOING DOWN HILL: MORE EFFICIENT PSEUDORANDOM GENERATORS FROM ANY ONE-WAY FUNCTION Joint with Iftach Haitner and Salil Vadhan Omer Reingold&

Similar presentations

Ads by Google