Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS151 Complexity Theory Lecture 8 April 22, 2015.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CS151 Complexity Theory Lecture 8 April 22, 2015."— Presentation transcript:

1 CS151 Complexity Theory Lecture 8 April 22, 2015

2 2 Blum-Micali-Yao PRG Initial goal: for all 1 > δ > 0, we will build a family of PRGs {G m } with: output length m fooling size s = m seed length t = m δ running time m c error ε < 1/6 implies: BPP   δ>0 TIME(2 n δ ) ( EXP Why? simulation runs in time O(m+m c )(2 m δ ) = O(2 m 2δ ) = O(2 n 2kδ )

3 April 22, 20153 First attempt attempt at PRG from OWP f: –t = m δ –y 0  {0,1} t –y i = f t (y i-1 ) –G(y 0 ) = y k-1 y k-2 y k-3 …y 0 –k = m/t computable in time at most kt c < mt c-1 = m c

4 April 22, 20154 First attempt output is “unpredictable”: –no poly-size circuit C can output y i-1 given y k-1 y k-2 y k-3 …y i with non-negl. success prob. –if C could, then given y i can compute y k-1, y k-2, …, y i+2, y i+1 and feed to C –result is poly-size circuit to compute y i-1 = f t -1 (y i ) from y i –note: we’re using that f t is 1-1

5 April 22, 20155 First attempt attempt: y 0  {0,1} t y i = f t (y i-1 ) G(y 0 ) = y k-1 y k-2 y k-3 …y 0 y0y0 y1y1 y2y2 y3y3 y4y4 y5y5 ftft ftft ftft ftft ftft G(y 0 ): y0y0 y1y1 y2y2 y3y3 y4y4 y5y5 f t -1 ftft ftft G’(y 3 ): f t -1 same distribution!

6 April 22, 20156 First attempt one problem: –hard to compute y i-1 from y i –but might be easy to compute single bit (or several bits) of y i-1 from y i –could use to build small circuit C that distinguishes G’s output from uniform distribution on {0,1} m

7 April 22, 20157 First attempt second problem –we don’t know if “unpredictability” given a prefix is sufficient to meet fooling requirement: |Pr y [C(y) = 1] – Pr z [C(G(z)) = 1]| ≤ ε

8 April 22, 20158 Hard bits If {f n } is one-way permutation we know: –no poly-size circuit can compute f n -1 (y) from y with non-negligible success probability Pr y [C n (y) = f n -1 (y)] ≤ ε’(n) We want to identify a single bit position j for which: –no poly-size circuit can compute (f n -1 (x)) j from x with non-negligible advantage over a coin flip Pr y [C n (y) = (f n -1 (y)) j ] ≤ ½ + ε(n)

9 April 22, 20159 Hard bits For some specific functions f we know of such a bit position j More general: function h n :{0,1} n  {0,1} rather than just a bit position j.

10 April 22, 201510 Hard bits Definition: hard bit for g = {g n } is family h = {h n }, h n :{0,1} n  {0,1} such that if circuit family {C n } of size s(n) achieves: Pr x [C n (x) = h n (g n (x))] ≥ ½ + ε(n) then there is a circuit family {C’ n } of size s’(n) that achieves: Pr x [C’ n (x) = g n (x)] ≥ ε’(n) with: –ε’(n) = (ε(n)/n) O(1) –s’(n) = (s(n)n/ε(n)) O(1)

11 April 22, 201511 Goldreich-Levin To get a generic hard bit, first need to modify our one-way permutation Define f’ n :{0,1} n x {0,1} n  {0,1} 2n as: f’ n (x,y) = (f n (x), y)

12 April 22, 201512 Goldreich-Levin Two observations: –f’ is a permutation if f is –if circuit C n achieves Pr x,y [C n (x,y) = f’ n -1 (x,y)] ≥ ε(n) then for some y * Pr x [C n (x,y * )=f’ n -1 (x,y * )=(f n -1 (x), y * )] ≥ ε(n) and so f’ is a one-way permutation if f is. f’ n (x,y) = (f n (x), y)

13 April 22, 201513 Goldreich-Levin The Goldreich-Levin function: GL 2n : {0,1} n x {0,1} n  {0,1} is defined by: GL 2n (x,y) =  i:y i = 1 x i –parity of subset of bits of x selected by 1’s of y –inner-product of n-vectors x and y in GF(2) Theorem (G-L): for every function f, GL is a hard bit for f’. (proof: problem set)

14 April 22, 201514 Distinguishers and predictors Distribution D on {0,1} n D ε -passes statistical tests of size s if for all circuits of size s: |Pr y  U n [C(y) = 1] – Pr y  D [C(y) = 1]| ≤ ε –circuit violating this is sometimes called an efficient “distinguisher”

15 April 22, 201515 Distinguishers and predictors D ε -passes prediction tests of size s if for all circuits of size s: Pr y  D [C(y 1,2,…,i-1 ) = y i ] ≤ ½ + ε –circuit violating this is sometimes called an efficient “predictor” predictor seems stronger Yao showed essentially the same! –important result and proof (“hybrid argument”)

16 April 22, 201516 Distinguishers and predictors Theorem (Yao): if a distribution D on {0,1} n (ε/n)-passes all prediction tests of size s, then it ε-passes all statistical tests of size s’ = s – O(n).

17 April 22, 201517 Distinguishers and predictors Proof: –idea: proof by contradiction –given a size s’ distinguisher C: |Pr y  U n [C(y) = 1] – Pr y  D [C(y) = 1]| > ε –produce size s predictor P: Pr y  D [P(y 1,2,…,i-1 ) = y i ] > ½ + ε/n –work with distributions that are “hybrids” of the uniform distribution U n and D

18 April 22, 201518 Distinguishers and predictors –given a size s’ distinguisher C: |Pr y  U n [C(y) = 1] – Pr y  D [C(y) = 1]| > ε –define n+1 hybrid distributions –hybrid distribution D i : sample b = b 1 b 2 …b n from D sample r = r 1 r 2 …r n from U n output: b 1 b 2 …b i r i+1 r i+2 …r n

19 April 22, 201519 Distinguishers and predictors Hybrid distributions: D 0 = U n : D n = D: D i-1 : Di:Di:........................

20 April 22, 201520 Distinguishers and predictors –Define: p i = Pr y  D i [C(y) = 1] –Note: p 0 =Pr y  U n [C(y)=1]; p n =Pr y  D [C(y)=1] –by assumption:ε < |p n – p 0 | –triangle inequality: |p n – p 0 | ≤ Σ 1 ≤ i ≤ n |p i – p i-1 | –there must be some i for which |p i – p i-1 | > ε/n –WLOG assume p i – p i-1 > ε/n can invert output of C if necessary

21 April 22, 201521 Distinguishers and predictors –define distribution D i ’ to be D i with i-th bit flipped –p i ’ = Pr y  D i ’ [C(y) = 1] –notice: D i-1 = (D i + D i ’ )/2 p i-1 = (p i + p i ’ )/2 D i-1 : Di:Di: D i ’:

22 April 22, 201522 Distinguishers and predictors randomized predictor P’ for i th bit: –input: u = y 1 y 2 …y i-1 (which comes from D) –flip a coin: d  {0,1} –w = w i+1 w i+2 …w n  U n-i –evaluate C(udw) –if 1, output d; if 0, output  d Claim: Pr y  D,d,w  U n-i [P’(y 1 … i-1 ) = y i ] > ½ + ε/n.

23 April 22, 201523 Distinguishers and predictors P’ is randomized procedure there must be some fixing of its random bits d, w that preserves the success prob. final predictor P has d * and w * hardwired: C may need to add  gate d*d* w*w* circuit for P: Size is s’ + O(n) = s as promised

24 April 22, 201524 Distinguishers and predictors Proof of claim: Pr y  D,d,w  U n-i [P’(y 1 … i-1 ) = y i ] = Pr[y i = d | C(u,d,w) = 1]Pr[C(u,d,w) = 1] + Pr[y i =  d | C(u,d,w) = 0]Pr[C(u,d,w) = 0] = Pr[y i = d | C(u,d,w) = 1](p i-1 ) + Pr[y i =  d | C(u,d,w) = 0](1 - p i-1 ) u = y 1 y 2 …y i-1

25 April 22, 201525 Distinguishers and predictors –Observe: Pr[y i = d | C(u,d,w) = 1] = Pr[C(u,d,w) = 1 | y i = d]Pr[y i =d] / Pr[C(u,d,w) = 1] = p i /(2p i-1 ) Pr[y i =  d | C(u,d,w) = 0] = Pr[C(u,d,w) = 0 | y i =  d]Pr[y i =  d] / Pr[C(u,d,w) = 0] = (1 – p i ’) / 2(1 - p i-1 ) D i-1 DiDi Di’Di’ u = y 1 y 2 …y i-1

26 April 22, 201526 Distinguishers and predictors Success probability: Pr[y i =d|C(u,d,w)=1](p i-1 ) + Pr[y i =  d|C(u,d,w)=0](1-p i-1 ) We know: –Pr[y i = d | C(u,d,w) = 1] = p i /(2p i-1 ) –Pr[y i =  d | C(u,d,w) = 0] = (1 - p i ’)/2(1 - p i-1 ) –p i-1 = (p i + p i ’)/2 –p i – p i-1 > ε/n Conclude: Pr[P’(y 1 … i-1 ) = y i ] = ½ + (p i - p i ’)/2 = ½ + p i /2 – (p i-1 – p i /2) = ½ + p i – p i-1 > ½ + ε/n. p i ’/2 = p i-1 – p i /2

27 April 22, 201527 The BMY Generator Recall goal: for all 1 > δ > 0, family of PRGs {G m } with output length m fooling size s = m seed length t = m δ running time m c error ε < 1/6 If one way permutations exist then WLOG there is OWP f = {f n } with hard bit h = {h n }

28 April 22, 201528 The BMY Generator Generator G δ = { G δ m }: –t = m δ –y 0  {0,1} t –y i = f t (y i-1 ) –b i = h t (y i ) –G δ (y 0 ) = b m-1 b m-2 b m-3 …b 0

29 April 22, 201529 The BMY Generator Theorem (BMY): for every δ > 0, there is a constant c s.t. for all d, e, G δ is a PRG with error ε < 1/m d fooling size s = m e running time m c Note: stronger than we needed –sufficient to have ε < 1/6; s = m

30 April 22, 201530 The BMY Generator Proof: –computable in time at most mt c < m c+1 –assume G δ does not (1/m d )-pass statistical test C = {C m } of size m e : |Pr y  U m [C(y) = 1] – Pr z  D [C(z) = 1]| >1/m d Generator G δ = { G δ m }: –t = m δ ; y 0  {0,1} t ; y i = f t (y i-1 ); b i = h t (y i ) –G δ m (y 0 ) = b m-1 b m-2 b m-3 …b 0

31 April 22, 201531 The BMY Generator –transform this distinguisher into a predictor P of size m e + O(m): Pr y [P(b m-1 …b m-i ) = b m-i-1 ] > ½ + 1/m d+1 Generator G δ = { G δ m }: –t = m δ ; y 0  {0,1} t ; y i = f t (y i-1 ); b i = h t (y i ) –G δ m (y 0 ) = b m-1 b m-2 b m-3 …b 0

32 April 22, 201532 The BMY Generator –a procedure to compute h t (f t -1 (y)) set y m-i = y; b m-i = h t (y m-i ) compute y j, b j for j = m-i+1, m-i+2…, m-1 as above evaluate P(b m-1 b m-2 …b m-i ) f a permutation implies b m-1 b m-2 …b m-i distributed as (prefix of) output of generator: Pr y [P(b m-1 b m-2 …b m-i ) = b m-i-1 ] > ½ + 1/m d+1 Generator G δ = { G δ m }: –t = m δ ; y 0  {0,1} t ; y i = f t (y i-1 ); b i = h t (y i ) –G δ m (y 0 ) = b m-1 b m-2 b m-3 …b 0

33 April 22, 201533 The BMY Generator Pr y [P(b m-1 b m-2 …b m-i ) = b m-i-1 ] > ½ + 1/m d+1 –What is b m-i-1 ? b m-i-1 = h t (y m-i-1 ) = h t (f t -1 (y m-i )) = h t (f t -1 (y)) –We have described a family of polynomial-size circuits that computes h t (f t -1 (y)) from y with success greater than ½ + 1/poly(m) –Contradiction. Generator G δ = { G δ m }: –t = m δ ; y 0  {0,1} t ; y i = f t (y i-1 ); b i = h t (y i ) –G δ m (y 0 ) = b m-1 b m-2 b m-3 …b 0

34 April 22, 201534 The BMY Generator y0y0 y1y1 y2y2 y3y3 y4y4 y5y5 ftft ftft ftft ftft ftft G(y 0 ): y0y0 y1y1 y2y2 y3y3 y4y4 y5y5 f t -1 ftft ftft G’(y 3 ): f t -1 b0b0 b1b1 b2b2 b3b3 b4b4 b5b5 b0b0 b1b1 b2b2 b3b3 b4b4 b5b5 same distribution

35 April 22, 201535 Hardness vs. randomness We have shown: If one-way permutations exist then BPP   δ>0 TIME(2 n δ ) ( EXP simulation is better than brute force, but just barely stronger assumptions on difficulty of inverting OWF lead to better simulations…

36 April 22, 201536 Hardness vs. randomness We will show: If E requires exponential size circuits then BPP = P by building a different generator from different assumptions. E =  k DTIME(2 kn )

37 April 22, 201537 Hardness vs. randomness BMY: for every δ > 0, G δ is a PRG with seed length t = m δ output length m error ε < 1/m d (all d) fooling size s = m e (all e) running time m c running time of simulation dominated by 2 t

38 April 22, 201538 Hardness vs. randomness To get BPP = P, would need t = O(log m) BMY building block is one-way- permutation: f:{0,1} t → {0,1} t required to fool circuits of size m e (all e) with these settings a circuit has time to invert f by brute force! can’t get BPP = P with this type of PRG

39 April 22, 201539 Hardness vs. randomness BMY pseudo-random generator: –one generator fooling all poly-size bounds –one-way-permutation is hard function –implies hard function in NP  coNP New idea (Nisan-Wigderson): –for each poly-size bound, one generator –hard function allowed to be in E =  k DTIME(2 kn )

40 April 22, 201540 Comparison BMY: 8 δ > 0 PRG G δ NW: PRG G seed length t = m δ t = O(log m) running time t c mm c output length mm error ε < 1/m d (all d) ε < 1/m fooling size s = m e (all e) s = m << >

41 April 22, 201541 NW PRG NW: for fixed constant δ, G = {G n } with seed length t = O(log n) t = O(log m) running time n c m c output length m = n δ m error ε < 1/m fooling size s = m Using this PRG we obtain BPP = P –to fool size n k use G n k/δ –running time O(n k + n ck/δ )2 t = poly(n)

42 April 22, 201542 NW PRG First attempt: build PRG assuming E contains unapproximable functions Definition: The function family f = {f n }, f n :{0,1} n  {0,1} is s(n)-unapproximable if for every family of size s(n) circuits {C n }: Pr x [C n (x) = f n (x)] ≤ ½ + 1/s(n).

43 April 22, 201543 One bit Suppose f = {f n } is s(n)-unapproximable, for s(n) = 2 Ω(n), and in E a “1-bit” generator family G = {G n }: G n (y) = y◦f log n (y) Idea: if not a PRG then exists a predictor that computes f log n with better than ½ + 1/s(log n) agreement; contradiction.

44 April 22, 201544 One bit Suppose f = {f n } is s(n)-unapproximable, for s(n) = 2 δn, and in E a “1-bit” generator family G = {G n }: G n (y) = y◦f log n (y) –seed length t = log n –output length m = log n + 1 (want n δ ) –fooling size s  s(log n) = n δ –running time n c –error ε  1/ s(log n) = 1/ n δ

45 April 22, 201545 Many bits Try outputting many evaluations of f: G(y) = f(b 1 (y))◦f(b 2 (y))◦…◦f(b m (y)) Seems that a predictor must evaluate f(b i (y)) to predict i-th bit Does this work?

46 April 22, 201546 Many bits Try outputting many evaluations of f: G(y) = f(b 1 (y))◦f(b 2 (y))◦…◦f(b m (y)) predictor might notice correlations without having to compute f but, more subtle argument works for a specific choice of b 1 …b m

47 April 22, 201547 Nearly-Disjoint Subsets Definition: S 1,S 2,…,S m  {1…t} is an (h, a) design if –for all i, |S i | = h –for all i ≠ j, |S i  S j | ≤ a {1..t} S1S1 S2S2 S3S3

48 April 22, 201548 Nearly-Disjoint Subsets Lemma: for every ε > 0 and m < n can in poly(n) time construct an (h = log n, a = εlog n) design S 1,S 2,…,S m  {1…t} with t = O(log n).

49 April 22, 201549 Nearly-Disjoint Subsets Proof sketch: –pick random (log n)-subset of {1…t} –set t = O(log n) so that expected overlap with a fixed S i is εlog n/2 –probability overlap with S i is > εlog n is at most 1/n –union bound: some subset has required small overlap with all S i picked so far… –find it by exhaustive search; repeat n times.

50 April 22, 201550 The NW generator f  E s(n)-unapproximable, for s(n) = 2 δn S 1,…,S m  {1…t} (log n, a = δlog n/3) design with t = O(log n) G n (y)=f log n (y |S 1 )◦f log n (y |S 2 )◦…◦f log n (y |S m ) 010100101111101010111001010 f log n : seed y

51 April 22, 201551 The NW generator Theorem (Nisan-Wigderson): G={G n } is a pseudo-random generator with: –seed length t = O(log n) –output length m = n δ/3 –running time n c –fooling size s = m –error ε = 1/m

Download ppt "CS151 Complexity Theory Lecture 8 April 22, 2015."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
The Equivalence of Sampling and Searching Scott Aaronson MIT.

The Equivalence of Sampling and Searching Scott Aaronson MIT.
Unconditional Weak derandomization of weak algorithms Explicit versions of Yao s lemma Ronen Shaltiel, University of Haifa :

Unconditional Weak derandomization of weak algorithms Explicit versions of Yao s lemma Ronen Shaltiel, University of Haifa :
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.
Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.

Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
CS151 Complexity Theory Lecture 8 April 22, 2004.

CS151 Complexity Theory Lecture 8 April 22, 2004.
Circuit Complexity and Derandomization Tokyo Institute of Technology Akinori Kawachi.

Circuit Complexity and Derandomization Tokyo Institute of Technology Akinori Kawachi.
A survey on derandomizing BPP and AM Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

A survey on derandomizing BPP and AM Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Complexity Theory Lecture 11 Lecturer: Moni Naor.

Complexity Theory Lecture 11 Lecturer: Moni Naor.
Time vs Randomness a GITCS presentation February 13, 2012.

Time vs Randomness a GITCS presentation February 13, 2012.
Foundations of Cryptography Lecture 8: Application of GL, Next-bit unpredictability, Pseudo-Random Functions. Lecturer: Moni Naor Announce home )deadline.

Foundations of Cryptography Lecture 8: Application of GL, Next-bit unpredictability, Pseudo-Random Functions. Lecturer: Moni Naor Announce home )deadline.
Complexity 18-1 Complexity Andrei Bulatov Probabilistic Algorithms.

Complexity 18-1 Complexity Andrei Bulatov Probabilistic Algorithms.
CS151 Complexity Theory Lecture 5 April 13, 2015.

CS151 Complexity Theory Lecture 5 April 13, 2015.
CS151 Complexity Theory Lecture 7 April 20, 2004.

CS151 Complexity Theory Lecture 7 April 20, 2004.
CS151 Complexity Theory Lecture 5 April 13, 2004.

CS151 Complexity Theory Lecture 5 April 13, 2004.
Simple Extractors for All Min-Entropies and a New Pseudo-Random Generator Ronen Shaltiel (Hebrew U) & Chris Umans (MSR) 2001.

Simple Extractors for All Min-Entropies and a New Pseudo-Random Generator Ronen Shaltiel (Hebrew U) & Chris Umans (MSR) 2001.

Similar presentations

Ads by Google