Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Constructing Parallel Pseudorandom Generators from One-Way Functions Emanuele Viola Harvard University June 2005.

Published byCaroline Palmer Modified over 9 years ago

Similar presentations

Presentation on theme: "On Constructing Parallel Pseudorandom Generators from One-Way Functions Emanuele Viola Harvard University June 2005."— Presentation transcript:

1 On Constructing Parallel Pseudorandom Generators from One-Way Functions Emanuele Viola Harvard University June 2005

2 Poly(n)-time Computable Stretch s(n) ¸ 1 (e.g., s(n) = 1, s(n) = n) Fools efficient adversaries: 8 PPT A Pr X, |X| = n+s(n) [A(X) = 1] ¼ Pr , |  | = n [A(PRG(  )) = 1] Pseudorandom Generator (PRG) [BM,Y] PRG

3 PRG, One-Way Functions (OWF) [BM,Y,GL,…,HILL] (f OWF if easy to compute but hard to invert, i.e. 8 PPT M, almost never M(f(X)) 2 f(X) -1 ) Applications of PRG: cryptography, derandomization need stretch s(n) = poly(n) Stretch s(n) only makes sense relative to n –E.g. G : {0,1} n ! {0,1} n+s(n) ) G : {0,1} n 2 ! {0,1} n 2 + n ¢ s(n) –Two main cases s(n) = 1, or s(n) = n Background on PRG

4 PRG Constructions We study complexity of constructing PRG with big stretch from OWF f Def.: black-box PRG constructions G f : for every (comput.-unbounded) function f, adversary A A breaks G f ) 9 PPT M : M f,A inverts f Most constructions are black-box [BM,Y,…,HILL] Many negat. results for black-box model [IR,…,GT,RTV] –Cannot make sense of negat. result in non-black-box model

5 STEP 1: OWF f ) G f : {0,1} n ! {0,1} n+1 –Think e.g. f : {0,1} n  ! {0,1} n  STEP 2: G f ) PRG with stretch s(n) = poly(n) [GM] Stretch s ) s adaptive queries to f ) circuit depth ¸ s Question [this work]: stretch s vs. adaptivity & depth? E.g., can have s = n, circuit depth O(log n)? Standard Constructions w/ big stretch GfGf Input  GfGf GfGf GfGf GfGf GfGf........ Output......... …

6 Previous Results [AIK] Log-depth OWF/PRG ) O(1)-depth PRG (!!!) However, any stretch ) stretch s = 1 [GT] s vs. number q of queries to OWF (Thm: q ¸ s) [This work] s vs. adaptivity & circuit depth [ …,IN,NR] O(1)-depth PRG from specific assumptions [This work] general assumptions Context: [V] studies complexity of NW-type PRG

7 Outline Our model Our results Proof sketch of main negative result Other: new negative result on worst-case vs. average-case connections in NP, PH

8 Parallel PRG G f : {0,1} n ! {0,1} n+s(n) from OWF f Our Model of PRG construction Input , |  | = n f ÆÆÆÆÆÆÆÆ Ç ÇÇÇÇÇ ÆÆÆÆÆÆÆÆ ff Constant Depth Circuit (AC 0 ) Output, n+s(n) bits f q 1 q 2 q 3 q 4 Nonadaptive Queries to f

9 Our Results on PRG Constructions Parallel construction G f : {0,1} n ! {0,1} n+s(n) From one-way function f ( e.g. f : {0,1} n  ! {0,1} n   f arbitraryf one-to-onef permutation Neg.s(n) · o(n) ? Pos.?s(n) ¸ 1

10 Thm[this work]: Parallel black-box PRG constructions G f : {0,1} n ! {0,1} n+s(n) satisfy s(n) · o(n) Proof: Exhibit comput.-unbounded f, A such that: (1) A breaks G f when s(n) =  (n) (2) f one-way, i.e. hard to invert. We show distribution on f s. t. (1) & (2) hold w.h.p. Proof Sketch of Negative Result

11 Def. of f and (1) break G f Restriction [FSS,H,…]  maps bits to {0,1,*} Def. distribution on f apply  to truth-table of f –  known to adversary A replace * with random bits (1) A breaks G f : 8 , G f (  ) is  AC  function of truth-table of f )  makes G f (  ) biased ) A breaks G f (  ). –If s(n) =  (n) can union bound over all . 01** 1*0*  1**0 f(0) f(1)  f(111) 0101 1100  1110

12 (2) f one-way Problem: f not one-way :  leaks info about x E.g. First bit f(x) = 0 ) x Solution: Force many x’s to share same restriction Compose f with hash function Many preimages ) f one-way Low collision prob. ) A still breaks G f Q.E.D. f(0) f(1) f(10)  f(111) 01** 1*0* 1***  1**0 hash 01** 1*0* 1***  1**0 f =

13 Question: given f 2 NP worst-case hard (f 2 P/poly), can build f 0 2 NP average-case hard? I.e. 8 small circuit A : Pr x [A(x)  f 0 (x)] ¸ 1/3 Thm[V]: no black-box construction of f 0 using both function f and adversary A as black-box Thm[BT]: no construction using A as black-box –Also uses A ``non-adaptively’’ Thm[this work]: no construction using f as black-box –Proof uses pseudorandom restrictions Our Result on Average Case Complexity

14 Conclusion Thm[this work]: Parallel black-box construction G f : {0,1} n ! {0,1} n+s(n) satisfy Average-case complexity Thm[this work]: given f 2 NP worst-case hard no construction of average-case hard f 0 2 NP using f as black-box f arbitraryf one-to-onef permutation Neg.s(n) · o(n) ? Pos.?s(n) ¸ 1

15

16 Pseudorandom Bits for Constant-Depth Circuits with Few Arbitrary Symmetric Gates Emanuele Viola Harvard University April 2005

17 Efficiently Computable Big Stretch s(n) À n ( e.g. s(n) = n  (1) ) Fools small circuits: 8 small C Pr X, |X| = s(n) [ C(X) = 1 ] ¼ Pr , |  | = n [ C(PRG(  )) = 1 ] Pseudorandom Generator (PRG) [BM,Y,NW] PRG

18 PRG ) derandomization: BP ¢ P ( EXP [Y,NW,…] PRG, circuit lower bounds: EXP  P/poly [NW,BFNW,STV,SU,…] Open Problem: PRG exist? This Work: study restricted PRG Only fool constant-depth circuits We know lower bounds for constant-depth circuits Do PRG Exist?

19 Constant-depth circuit = PRG that fools constant-depth circuit As before, but only fools small constant-depth circuit C Pr X, |X| = s(n) [ C(X) = 1 ] ¼ Pr , |  | = n [ C(PRG(  )) = 1 ] PRG that fools constant-depth circuits x 1 : x 1 x 2.... : x s Depth PRG

20 Previous Results [N’91] PRG : {0,1} n ! {0,1} s(n) s(n) = 2 n , fools AC 0 = Applications: BP ¢ AC  ( EXP, more in [NW,HVV,V] [LVW’93] PRG : {0,1} n ! {0,1} s(n) s(n) = n  log n, fools SYM ○ AND = SYM = arbitrary symmetric gate E.g., SYM = PARITY, MAJORITY x 1 : x 1 x 2..... : x s ÆÆÆÆÆÆÆÆ Ç ÇÇÇÇÇ Æ SYM ÆÆÆÆÆÆ x 1 : x 1 x 2.... : x s

21 Theorem[This Work]: PRG : {0,1} n ! {0,1} s(n) with s(n) = n  log n fools AC 0 with  log 2 n SYM = Improves on [LVW93] Fools richer class than [N91] but worse stretch BP ¢ (AC 0 with few SYM) ( EXP Currently richest BP ¢ class one can derandomize Our Results ÆÆÆÆÆÆ ÇÇÇÇ SYM x 1 : x 1 x 2.... : x s

22 [NW] style Input = 1101010101110110101110 Output = 101010 …........1 ……….....1010100 f = © = PARITY [RW] The Pseudorandom Generator f x 1............. x n Æ © Æ  ©©  ©© 

23 Outline Why previous results/techniques do not suffice For PRG need new average-case lower bound for AC 0 with few SYM Proof sketch of average-case lower bound

24 Known Lower Bounds Recall AC 0 with  log 2 n SYM = [H,BNS,HG,RW,HM,CH]: f 2 P that requires AC 0 circuits with  log 2 n SYM of size n  log n Often, lower bound ) PRG. But NOT this time! ÆÆÆÆÆÆ ÇÇÇÇ SYM x 1 : x 1 x 2.... : x s

25 Standard Approach [BFNW,STV,SU,…] [NW] Def. f : {0,1} n ! {0,1} average-case hard for C if 8 small C 2 C Pr x [C(x)  f(x)] ¸ ½ - n -  (1) To construct PRG that fools C (e.g. AC 0 with few SYM) h hard for C f hard on average for C PRG that fools C

26 Standard Approach Fails h hard for C f hard on average for C PRG that fools C Proving correctness 9 C 2 C C = h 9 C 2 C comp. f on average 9 C 2 C breaks PRG Problem: requires C ¶ TC 0. Is TC 0 ¶ NEXP? [RR] Conjecture [V]: Black-box construction ) C ¶ TC 0 To construct PRG that fools C (e.g. AC 0 with few SYM)

27 C = AC 0 with few SYM Our vs. Previous Lower Bounds [H,BNS,HG,RW,HM,CH] not average-case hard Theorem[This Work]: There is f 2 P s.t. 8 AC 0 circuit C of size n  log n with  log 2 n SYM Pr x [C(x)  f(x)] ¸ ½ - n  log n h hard for C f hard on average for C PRG that fools C

28 Random restrictions  [FSS,H,…]  : {x 1, x 2,…, x s } ! {0,1,*} C|  subcircuit on *’s Multiparty communication complexity [CFL] Thm[BNS]: Gen. Inner Product (GIP) = has high communication complexity Tools Æ © Æ  x 1....... x n

29 Thm[This Work]: f = GIP ○ PARITY = is average-case hard for small AC 0 circuits with few SYM Proof sketch: C small AC 0 circuit with few SYM. W.h.p. over random restriction  E 1 : GIP ○ PARITY|  ¼ GIP ) high comm. complexity E 1 ( each bottom PARITY has * E 2 : C|  computable with low comm. complexity E 1 and E 2 ) C|  (x)  GIP(x) Q.E.D. Proof Sketch x 1................ x n Æ © Æ  ©©  ©© 

30 Theorem[This Work]: PRG : {0,1} n ! {0,1} s(n) with s(n) = n  log n fools AC 0 with  log 2 n SYM Improves [LVW93], fools richer class than [N91] Currently richest BP ¢ class one can derandomize Obtained from average-case hardness result Conj.: PRG from worst-case hardness ) C ¶ TC 0 Open problems:  (log 2 n) SYM? EXP average-case hard for GF(2) poly of deg. log n ? Conclusion

31 C|  low communication complexity Lemma[this work]: C small AC 0 circuit w/  log 2 n SYM W.h.p. over  2 R p, C|  low comm. complexity Lemma[HG+HM]: Above holds for 1 SYM

32 More SYM gates Lemma: C small AC 0 circuit with  log 2 n SYM W.h.p. over  2 R p, C|  low comm. complexity Proof: Consider following protocol ÆÆÆÆÆÆ ÇÇÇÇ SYM 3 SYM 2 SYM 1 x 1 : x 1 x 2...... : x s

33 Lemma: C small AC 0 circuit with  log 2 n SYM W.h.p. over  2 R p, C|  low comm. complexity Proof: Previous lemma ) low communication complexity More SYM gates ÆÆÆÆÆÆ ÇÇÇÇ SYM 2 SYM 1 SYM 3  x 1 : x 1 x 2...... : x s

34 Lemma: C small AC 0 circuit with  log 2 n SYM W.h.p. over  2 R p, C|  low comm. complexity Proof: Parties compute value of SYM gate More SYM gates ÆÆÆÆÆÆ ÇÇÇÇ SYM 2 1 SYM 3  x 1 : x 1 x 2...... : x s

35 More SYM gates Lemma: C small AC 0 circuit with  log 2 n SYM W.h.p. over  2 R p, C|  low comm. complexity Proof: Previous lemma ) low communication complexity ÆÆÆÆÆÆ SYM 2 1 ÇÇÇÇ SYM 3  x 1 : x 1 x 2...... : x s

36 Lemma: C small AC 0 circuit with  log 2 n SYM W.h.p. over  2 R p, C|  low comm. complexity Proof: Parties compute value of SYM gate More SYM gates ÆÆÆÆÆÆ 0 1 ÇÇÇÇ SYM 3  x 1 : x 1 x 2...... : x s

37 More SYM gates Lemma: C small AC 0 circuit with  log 2 n SYM W.h.p. over  2 R p, C|  low comm. complexity Proof: Previous lemma ) low communication complexity ÆÆÆÆÆÆ ÇÇÇÇ SYM 3 0 1  x 1 : x 1 x 2...... : x s

38 More SYM gates Lemma: C small AC 0 circuit with  log 2 n SYM W.h.p. over  2 R p, C|  low comm. complexity Proof: Parties compute value of SYM gate ÆÆÆÆÆÆ ÇÇÇÇ 1 0 1 Æ  x 1 : x 1 x 2...... : x s

39 More SYM gates Lemma: C small AC 0 circuit with  log 2 n SYM W.h.p. over  2 R p, C|  low comm. complexity Proof: Total communication = communication for 1 SYM X number of SYM Q.E.D. Union bound over 2 #SYM circuitslimits # SYM. Open Problem: Better analysis?

40 Theorem[This Work]: PRG : {0,1} n ! {0,1} s(n) with s(n) = n  log n fools AC 0 with  log 2 n SYM Improves [LVW93], fools richer class than [N91] Currently richest BP ¢ class one can derandomize Obtained from average-case hardness result Conj.: PRG from worst-case hardness ) C ¶ TC 0 Open problems:  (log 2 n) SYM? EXP average-case hard for GF(2) poly of deg. log n ? Conclusion

41 ``Number on the forehead’’ model [CFL] –k-parties want to compute f(x) –x partitioned in k blocks ! –i-th party knows all x but x i –Communication = broadcast Generalized Inner Product. GIP(x) = Lemma[BNS]: Low communication complexity protocol P ) Pr x [P(x)  GIP(x)] ¸ ½ - n  log n –Discrepancy, [CT,R] Multiparty Communication Complexity Æ © n k x 1.......... x nk Æ k x 1 x 2  x k

42 C|  low communication complexity Restriction [FSS,…]  map variables to {0,1,*} –R p = uniform distribution, Pr[  (x i ) = *] = p –C|  subcircuit. New input bits = * Lemma: C small AC 0 circuit with  log 2 n SYM W.h.p. over  2 R p, C|  low comm. complexity First prove 1 SYM, then  log 2 n SYM

43 1 SYM gate Lemma: C small AC 0 circuit with 1 SYM W.h.p. over  2 R p, C|  low comm. complexity Proof: [H] [HG] SYM ○ AND k-1 low comm. complexity – 8 AND 9 party that can compute it (fan-in < k = # blocks) –Parties broadcast # AND = 1 –Communication = k ¢ log(size of circuit) Q.E.D. ÆÆÆÆÆÆÆÆ Ç ÇÇÇÇ SYM  = ÆÆÆÆÆÆ k-1 Ç x 1 x 2  x k

44 Lemma[BNS]: Low communication complexity protocol P ) Pr x [P(x)  GIP(x)] ¸ ½ - n  log n Lemma: C small AC 0 circuit with  log 2 n SYM W.h.p. over  2 R p, C|  low comm. complexity Want Theorem: There is f 2 P s.t. 8 AC 0 circuit C of size n  log n with  log 2 n SYM gates Pr x [C(x)  f(x)] ¸ ½ - n  log n Summary of Lemmas

45 Proof: f = GIP ○ PARITY = C small AC 0 circuit with  log 2 n SYM Random Input x = random  + random y for the * E 1 : f |  ¼ GIP ) high comm. complexity –E 1 ( each bottom PARITY has * E 2 : C|  low comm. complexity Pr x [C(x)  f  (x)] ¸ Pr , y [ C|  (y)  f|  (y) | E 1, E 2 ] Pr [ E 1, E 2 ] = Pr y [ P(y)  GIP(y) ] ( 1 - n  log n ) ¸ ( ½ - n  log n ) Q.E.D. x 1................ x n Æ © Æ  ©©  ©© 

46 Theorem[This Work]: PRG : {0,1} n ! {0,1} s(n) with s(n) = n  log n fools AC 0 with  log 2 n SYM Improves [LVW93], fools richer class than [N91] Currently richest BP ¢ class one can derandomize Obtained from average-case hard function Conj.: PRG from worst-case hardness ) EXP  TC 0 Open problems:  (log 2 n) SYM? EXP average-case hard for GF(2) poly of deg. log n ? Conclusion

47 Tools: Random restrictions  [FSS,H,…] –  : {x 1, x 2,…, x s } ! {0,1,*}, C|  subcircuit on *’s Communication complexity bound for GIP [BNS] Theorem[This Work]: GIP ○ PARITY is average-case hard for small AC 0 circuits with few SYM Proof sketch: C small AC 0 circuit with few SYM. W.h.p. over random restriction  E 1 : GIP ○ PARITY|  ¼ GIP ) high comm. complexity E 2 : C|  computable with low comm. complexity E 1 and E 2 ) C|  (x)  GIP(x) Q.E.D. Proof Sketch

Download ppt "On Constructing Parallel Pseudorandom Generators from One-Way Functions Emanuele Viola Harvard University June 2005."

Similar presentations

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.
Boolean Circuits of Depth-Three and Arithmetic Circuits with General Gates Oded Goldreich Weizmann Institute of Science Based on Joint work with Avi Wigderson.

Boolean Circuits of Depth-Three and Arithmetic Circuits with General Gates Oded Goldreich Weizmann Institute of Science Based on Joint work with Avi Wigderson.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.

Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
Massive Online Teaching to Bounded Learners Brendan Juba (Harvard) Ryan Williams (Stanford)

Massive Online Teaching to Bounded Learners Brendan Juba (Harvard) Ryan Williams (Stanford)
Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.

Gillat Kol joint work with Ran Raz Competing Provers Protocols for Circuit Evaluation.
CS151 Complexity Theory Lecture 8 April 22, 2004.

CS151 Complexity Theory Lecture 8 April 22, 2004.
Circuit Complexity and Derandomization Tokyo Institute of Technology Akinori Kawachi.

Circuit Complexity and Derandomization Tokyo Institute of Technology Akinori Kawachi.
A survey on derandomizing BPP and AM Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

A survey on derandomizing BPP and AM Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Hardness amplification proofs require majority Ronen Shaltiel University of Haifa Joint work with Emanuele Viola Columbia University June 2008.

Hardness amplification proofs require majority Ronen Shaltiel University of Haifa Joint work with Emanuele Viola Columbia University June 2008.
Better Pseudorandom Generators from Milder Pseudorandom Restrictions Raghu Meka (IAS) Parikshit Gopalan, Omer Reingold (MSR-SVC) Luca Trevian (Stanford),

Better Pseudorandom Generators from Milder Pseudorandom Restrictions Raghu Meka (IAS) Parikshit Gopalan, Omer Reingold (MSR-SVC) Luca Trevian (Stanford),
Using Nondeterminism to Amplify Hardness Emanuele Viola Joint work with: Alex Healy and Salil Vadhan Harvard University.

Using Nondeterminism to Amplify Hardness Emanuele Viola Joint work with: Alex Healy and Salil Vadhan Harvard University.
Time vs Randomness a GITCS presentation February 13, 2012.

Time vs Randomness a GITCS presentation February 13, 2012.
Non-Uniform ACC Circuit Lower Bounds Ryan Williams IBM Almaden TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AA A A.

Non-Uniform ACC Circuit Lower Bounds Ryan Williams IBM Almaden TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AA A A.
CS151 Complexity Theory Lecture 5 April 13, 2004.

CS151 Complexity Theory Lecture 5 April 13, 2004.
Derandomization: New Results and Applications Emanuele Viola Harvard University March 2006.

Derandomization: New Results and Applications Emanuele Viola Harvard University March 2006.
Arithmetic Hardness vs. Randomness Valentine Kabanets SFU.

Arithmetic Hardness vs. Randomness Valentine Kabanets SFU.
CS151 Complexity Theory Lecture 7 April 20, 2015.

CS151 Complexity Theory Lecture 7 April 20, 2015.
Derandomizing LOGSPACE Based on a paper by Russell Impagliazo, Noam Nissan and Avi Wigderson Presented by Amir Rosenfeld.

Derandomizing LOGSPACE Based on a paper by Russell Impagliazo, Noam Nissan and Avi Wigderson Presented by Amir Rosenfeld.

Similar presentations

Ads by Google