Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Slides by Iddo Tzameret and Gil Shklarski. Adapted from Oded Goldreich’s course lecture notes by Erez Waisbard and Gera Weiss.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Slides by Iddo Tzameret and Gil Shklarski. Adapted from Oded Goldreich’s course lecture notes by Erez Waisbard and Gera Weiss."— Presentation transcript:

1

2 1 Slides by Iddo Tzameret and Gil Shklarski. Adapted from Oded Goldreich’s course lecture notes by Erez Waisbard and Gera Weiss.

3 2 PRG - Stronger Notion Def: A deterministic polynomial-time algorithm G is called a non-uniformly strong pseudorandom generator if there exists a stretching function l: N  N, so that for any family {C k } of polynomial-size circuits, for any polynomial p, and for all sufficiently large k’s |Pr[C k (G(U k ))=1]-Pr[C k (U l(k) )=1]| < 1/p(k) This definition involves polynomial size circuits as distinguishers instead of probabilistic polynomial time TM. Recall that BPP  P/poly

4 3 Implications of such PRG Theorem: If such non-uniformly strong pseudorandom generator exists then Proof: Suppose L  BPP. Let A(x,r) be the machine that decides L: x is the input and r is the sequence of coin tosses of the machine. r is of size l(|x|  ). Define a new algorithm A’ as follows: A’(x,r) := A(x,G(r)) Where We can construct such A that uses exactly l(|x|  ) coin tosses

5 4 Proof Continued (1) Claim: For all but finitely many x’s |Pr[A(x,U l(k) )=1] - Pr[A’(x, U k )=1]| < 1/6 where k=|x| . Proof: Assume, by way of contradiction, that, for infinitely many x’s |Pr[A(x,U l(k) )=1] - Pr[A’(x, U k )=1]|  1/6 and construct a family of poly-size circuits x  C (x) (input) := A(x,input) then construct the family {C k } as follows: C k  {C (x) | A(x) uses l(k) coin tosses} Infinitely many x’s on which A and A’ differ imply infinitely many sizes of x’s on which they differ, and infinite number of such C k s.

6 5 Proof Continued (2) For each such C k : C k (G(U k ))  A’(x,U k ) and C k (U l(k) )  A(x,U l(k) ) Hence we have a family of circuits s.t. |Pr[C k (G(U k ))=1]-Pr[C k (U l(k) )=1]|  1/6 In contradiction to the definition of our pseudorandom generator.  claim

7 6 Proof Continued (3) Going back to proving the theorem: A is our BPP machine so for every x: x  L  Pr[A(x,U l(k) ) = 1]  2/3 x  L  Pr[A(x,U l(k) ) = 1] < 1/3 In particular, using the claim we get for all but finitely many x’s: x  L  Pr[A’(x,U k ) = 1] > Pr[A(x,U l(k) ) = 1]-1/6  1/2 x  L  Pr[A’(x,U k ) = 1] < Pr[A(x,U l(k) ) = 1]+1/6 < 1/2

8 7 Proof Continued (4) Now, define a deterministic algorithm A’’ for deciding L: if x is one of those finitely x’s return a known pre-computed answer else { for all Run A’(x,r) return the majority of A’ answers. } A’’ deterministically decides L and run in time as required.  Theorem

9 8 Goal: to design a new PRG construction, which would be used for derandomization New Method: generate random bits in parallel, instead of sequentially (compare with the “Pseudo Random Generators” lecture) Different Assumptions: weaker then before, since the new PRG can run in time exponential in its input size: Assume an unpredictable Boolean function. New Construct: called Design; consisting of nearly disjoint subsets of the random seed. New notion of PRG

10 9 The new requirements for PRG: Indistinguishable by polynomial-size circuit. Can run in exponential time (2 O(k) on k-bit seed). One can construct such PRG under seemingly weaker assumption (than for the construction shown in the “Pseudo Random Generators” lecture): The existence of unpredictable Boolean function. For k=O(log(|x|)) it runs in polynomial-time. Instead of assuming the existence of one-way permutation.

11 10 Unpredictable Boolean function Def (Unpredictable Boolean function): An exp(l)-computable Boolean function b:{0,1} l  {0,1} is unpredictable by small circuits if for every polynomial p(.), for all sufficiently large l’s and for every circuits C of size p(l): Pr[C(U l )=b(U l )] < ½+1/p(l) Assume such Boolean functions exist

12 11 Unpredictable Boolean function How strong is that assumption? We prove that it is not stronger than assuming the existence of a one-way permutation: Claim: if f 0 is a one-way permutation and b 0 is a hard-core of f 0, then b(x):=b 0 (f 0 -1 (x)) is an unpredictable Boolean function. ? one-way permutation unpredictable Boolean function

13 12 One way permutation  unpredictable Boolean function Proof: Let f 0 be a one-way permutation and b 0 a hard-core of f 0. We’ll show the function b(x):=b 0 (f -1 0 (x)) is an unpredictable Boolean function. f 0 can be inverted in exponential time and b 0 can be computed in polynomial time so b is computable in exponential time. Unpredictability: Assume, by way of contradiction, that b is predictable. We’ll show the b 0 is not hard-core bit of f 0.

14 13 Proof continued Assuming b is predictable we have a family of circuits {C k } of size p(k) s.t. for infinite number of k’s Pr[C k (U k )=b(U k )]  1/2 + 1/p(l). For y:=f 0 -1 (x) we get b(f 0 (y))=b 0 (y). f is a permutation so we get Pr[C k (f 0 (U k ))=b(f 0 (U k ))]  1/2 + 1/p(l) Pr[C k (f 0 (U k ))=b 0 (U k )]  1/2 + 1/p(l). Which is a contradiction to b 0 being a hard core. We defined hard-core bit with BPP machines and not P/poly so there is a problem here !

15 14 The Design Generating a single random bit from a seed is easy assuming you have an unpredictable Boolean function. But how can we generate more than one bit? We will manage that, utlizing a collection of nearly disjoined subsets of the seed to get random bits that are almost mutually independent Almost means: indistinguishable by polynomial sized circuits

16 15 The Design Def: A collection of m subsets {I 1,I 2,…,I m } of {1…k} is a (k,m,l)-design if the following hold: For every i  {1,…,m}:|I i | = l For every i  j  {1,…,m}: |I i  I j | = O(log k) The collection is constructible in exp(k)-time. Notation: For S= and I={i 1, …, i l }  {1,..,k}

17 16 S (seed): The Design - Visualization INDEX I 1, I 2, …, I m : {1,4,7} {2,5,8} {3,9,10}...{1,8,9} {1,0,0} {0,0,1} {1,1,0}... {1,1,1} k l S[I 1 ], …, S[I m ]:

18 17 Prop: let b: {0,1}  k  {0,1} be an unpredictable Boolean function, and {I 1,…,I m } be a (k,m,  k)-design then the following function is a strong non-uniform PRG: G(S)  Constructing the PRG 15.3

19 18 Constructing the PRG: Visualization m 0 1 1 …………… 0 Pseudo random string l S (seed): INDEX I 1, I 2, …, I m : {1,4,7} {2,5,8} {3,9,10}...{1,8,9} {1,0,0} {0,0,1} {1,1,0}... {1,1,1} k S[I 1 ], …, S[I m ]: b( ) ………

20 19 Proof (1) Proof: Computing G(s) takes time exponential in k, since: we have m=l(k) computations of b(S[I i ]); Computing each b(S[I i ]) takes exp( |S[I i ]| ) = O(exp(k)).

21 20 Proof (2) we will show that no small circuit can distinguish the output of G from a random sequence. Assume by way of contradiction that there exists a family of poly-size circuits {C k } k  N and a polynomial p(.) such that for infinitely many k’s | Pr[C k (G(U k )) = 1] - Pr[C k (U l(k) )=1] | > 1/p(k) Without loss of generality we can remove the absolute sign. There are infinitely many k’s s.t. Pr[C k (G(U k )) = 1] - Pr[C k (U l(k) )=1] has the same sign for all k, however, we can fix the sign arbitrarily since we can take a sequence of circuits with reverse signs.

22 21 Using a Hybrid Distribution - proof (3) For any 0  i  m we define a “hybrid” distribution as follows: the first i bits are chosen to be the first i bits of G(U k ) and the other m-i bits are chosen uniformly at random. H i k  G(U k ) [1,…,i]  U m-i also f k (i)  Pr[C k (H k i )=1] Using these definitions we can write: f k (m) - f k (0) > 1/p(k) there must be some 0  i k  m s.t: f k (i k +1) - f k (i k ) > 1/m * 1/p(k)

23 22 Approximating the Next bit from the previous bits Defining p’(k):=m  p(k) and i:=i k we get: Pr[C k (H k i+1 )=1]- Pr[C k (H k i )=1] > 1/p’(k) Now, we can construct from C k a circuit C’ k which can approximate the next bit with large enough probability: When R i are independent uniformly distributed bits. It can be shown that Pr[C’ k (G(U k ) [1,…i] ) = G(U k ) i+1 ] > 1/2 + 1/p’(k) Probability over random bits R i and U k

24 23 Approximating the Next bit from the previous bits ½-  ½+  b(S[I 1 ]) …… b(S[I ik ]) Circuit C‘ k Next bit b(S[I ik+1 ])  :=1/p’(k)

25 24 Approximating b(S[I i+1 ]) from S and b(S[I i ])’s We can construct a circuit C’’ which inputs S in addition to b(S[I 1 ]),…, b(S[I i ]) and can approximate the unpredictable boolean function b(S[I i+1 ]). This can be done by ‘ignoring’ those new inputs and using b(S[I 1 ]),…, b(S[I i ]) and C’. The formal definition is: C’’ k (S°G(S) [1..i] ) := C’ k (G(S) [1..i] ) We get: Pr s [C’’ k (S°G(S) [1..i] ) = G(S) i+1 ] > 1/2 + 1/p’(k) Pr s [C’’ k (S°G(S) [1..i] ) = b(S[I i+1 ])] > 1/2 + 1/p’(k) Probabilities over random bits R i and S

26 25 Approximating b(S[I i+1 ]) from S[I i+1 ] and b(S[I j ])’s There exist   {0,1} k-|Ii| s.t. Pr s [C’’ k (S°G(S) [1..i] ) = b(S[I i+1 ]) | S[I i+1 ]=  ] > 1/2 + 1/p’(k) We’ll hard-code this  into our circuit and get a circuit that takes b(S[I 1 ]),…, b(S[I i ]) and S[I i+1 ] as inputs and approximate b(S[I i+1 ]) with some bias. Applying the Law of Averages: Pr[C’’k(S°G(S)[1..i] ) = b(S[Ii+1])] =  Pr [C’’k(S°G(S)[1..i] ) = b(S[Ii+1]) | S[Ii+1]=  ]Pr[S[Ii+1]=  ] If for all  : Pr [C’’k(S°G(S)[1..i] ) = b(S[Ii+1]) | S[Ii+1]=  ]  1/2+1/p’(k) We’d get Pr[C’’k(S°G(S)[1..i] ) = b(S[Ii+1])]  1/2+1/p’(k).

27 26 Visualization of C’’ b(S[I 1 ])… …… b(S[I i ]) ½-  ½+  Circuit C‘ k Next bit b(S[I i+1 ])  S[I i+1 ]) S: Circuit C‘’ k S[I i+1 ])

28 27 Approximating b(S[I i+1 ]) from S[I i+1 ] We know how to approximate b(S[I i+1 ]) from its input S[I i+1 ] and from b(S[I 1 ]),…, b(S[I i ]). Can we approximate it using only S[I i+1 ] ?

29 28 Computing S[I j ]’s from S[I i+1 ] S: S[I i+1 ]  = S[I i+1 ]) S[I 1 ] ? S[I 2 ] ? O(log(k)) ……… S[I i ] ? ? After hard-coding , there is only a small number of free bits in S[I 1 ]…S[I i ]. The design gives us iO(log(k)) as a bound.

30 29 Computing S[I j ]’s from S[I i+1 ] Example S: S[I i+1 ]  = S[I i+1 ]) S[I 1 ] ? S[I 2 ] ? ……… S[I i ] ? ? S: S[I 1 ]S[I 2 ] … S[I i ] O(log(k)) 0 0 1 ……… 0 1 ???? 0 1 1 precomputed b( ) 1 S[I i+1 ] 1 b( )

31 30 Computing b(S[I i+1 ])’s from S[I i+1 ] S: S[I 1 ] S[I 2 ] … S[I i ]  1  2  3 ………  j ????  j+1 …  k-l S[I i+1 ] Exp(log(k))= poly(k) circuit S[I 1 ]………S[I i ] b(S[I 1 ])……… Lookup table: for every possible S[I i ] return precomputed value of b(S[I i ]) b(S[I i ]) There are only poly(k) possible such S[I i ]’s, given S[I i+1 ]= .

32 31 ½-  Circuit C‘ Next bit b(S[I i+1 ]) Final Circuit: Approximating b(S[I i+1 ]) from S[I i+1 ] S[I i+1 ] poly(k) circuit S[I 1 ]………S[I i ] Lookup table b(S[I 1 ]) … b(S[I i ]) ½+ 

33 32 Design construction: greedy algorithm For the following parameters: k = l 2 m = poly(k) We want that for all i to have |I i |=l and for i  j, |I i  I j |=O(log k). For i = 1 to m For all I  [k], |I|=l do flag := FALSE for j = 1 to i-1 if |I i  I j | > log k then flag:=TRUE if flag = TRUE then I i = I The algorithm:

34 33 Greedy algorithm: proof Assuming that for i  m we have I 1, I 2,…, I i-1 such that –for every j<i: |I j | = l –for every j 1,j 2 < i: |I j1  I j2 | < 2+log m We’ll show that there exists another set |I i |=l s.t. for every j < i: |I j  I i | < 2+log m Proof by the probabilistic method: Let S be a fixed set of size l. Let R be a set which is selected at random so that for every i  [k]: Pr[i  R] = 2/l. R length ~ binomial(k,2/l).

35 34 Proof continued (1) Let S i be the i’th element in S sorted in some order. We’ll define the sequence {X i } i=1..l of random variables: X i are independent Bernoulli variables with Pr[X i =1]= 2/l for each i. Using Chernoff’s bound :

36 35 Proof continued (2) For R selected as above the probability that there exists I j s.t. |I j  R| > 2+log m us bounded above by (i-1)/2m < 1/2. R is not necessarily of size l. We can show that with high probability |R|  l so it contains a subset of size l that we can choose as our I i. Considering the sequence {X i } i=1..l : Using Chernoff’s bound: For R selected as above the probability of too many collisions or being too small is strictly smaller than one. Therefore, there exists such R to be selected as I i.  Note: The algorithm itself is deterministic. We use the randomness as a tool in showing the algorithm will always find what it is looking for.

37 36 Second Design Construction: using GF(l) arithmetic For the following parameters: k = l 2 m = poly(k) Let F:=GF(l) then |F  F| = k There is a 1-1 correspondence between {1,…,k} and F  F For every polynomial p(.) of degree d over F, I p is the graph of p(.) over F: I p := { | e  F } |I p | = |F| = l

38 37 Second Design Construction: using GF(l) arithmetic For every two polynomials p(.)  q(.) of degree d intersects in at most d points, hence: |I p  I q |  d by the Fundamental Theorem of Algebra, hence we can choose d=O(log(k)). Note that for every polynomial m(k) we can construct m(k)= m(l 2 ) such sets, since there are |F| d+1 = l d+1 polynomials over GF(l), so by choosing an appropriate d the number of sets is greater then m(l 2 ). The sets are constructible in exponential in k, since we use simple arithmetic over GF(l).

Download ppt "1 Slides by Iddo Tzameret and Gil Shklarski. Adapted from Oded Goldreich’s course lecture notes by Erez Waisbard and Gera Weiss."

Similar presentations

Sublinear Algorithms 1 3 2 … Lecture 23: April 20.

Sublinear Algorithms … Lecture 23: April 20.
Complexity Theory Lecture 6

Complexity Theory Lecture 6
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Theory of Computing Lecture 3 MAS 714 Hartmut Klauck.

Theory of Computing Lecture 3 MAS 714 Hartmut Klauck.
CS151 Complexity Theory Lecture 8 April 22, 2004.

CS151 Complexity Theory Lecture 8 April 22, 2004.
A survey on derandomizing BPP and AM Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

A survey on derandomizing BPP and AM Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
1 The Monte Carlo method. 2 (0,0) (1,1) (-1,-1) (-1,1) (1,-1) 1 Z= 1 If  X 2 +Y 2  1 0 o/w (X,Y) is a point chosen uniformly at random in a 2  2 square.

1 The Monte Carlo method. 2 (0,0) (1,1) (-1,-1) (-1,1) (1,-1) 1 Z= 1 If  X 2 +Y 2  1 0 o/w (X,Y) is a point chosen uniformly at random in a 2  2 square.
Randomized Algorithms Kyomin Jung KAIST Applied Algorithm Lab Jan 12, WSAC 2010 1.

Randomized Algorithms Kyomin Jung KAIST Applied Algorithm Lab Jan 12, WSAC
1 Algorithms for Large Data Sets Ziv Bar-Yossef Lecture 13 June 25, 2006

1 Algorithms for Large Data Sets Ziv Bar-Yossef Lecture 13 June 25, 2006
CS151 Complexity Theory Lecture 7 April 20, 2004.

CS151 Complexity Theory Lecture 7 April 20, 2004.
Perfect and Statistical Secrecy, probabilistic algorithms, Definitions of Easy and Hard, 1-Way FN -- formal definition.

Perfect and Statistical Secrecy, probabilistic algorithms, Definitions of Easy and Hard, 1-Way FN -- formal definition.
Simple Extractors for All Min-Entropies and a New Pseudo-Random Generator Ronen Shaltiel (Hebrew U) & Chris Umans (MSR) 2001.

Simple Extractors for All Min-Entropies and a New Pseudo-Random Generator Ronen Shaltiel (Hebrew U) & Chris Umans (MSR) 2001.
Randomized Computation Roni Parshani 025529199 Orly Margalit037616638 Eran Mantzur 028015329 Avi Mintz017629262.

Randomized Computation Roni Parshani Orly Margalit Eran Mantzur Avi Mintz

Similar presentations

Ads by Google