Embed Size (px)
DESCRIPTION
Derandomizing BPP. Slides by Iddo Tzameret and Gil Shklarski. Adapted from Oded Goldreich’s course lecture notes by Erez Waisbard and Gera Weiss. PRG - Stronger Notion. Def : - PowerPoint PPT Presentation
Citation preview
1
Slides by Iddo Tzameret and Gil Shklarski.Slides by Iddo Tzameret and Gil Shklarski.
Adapted from Oded Goldreich’s course lecture notes Adapted from Oded Goldreich’s course lecture notes by Erez Waisbard and Gera Weiss.by Erez Waisbard and Gera Weiss.
2
PRG - Stronger NotionPRG - Stronger Notion
Def: A deterministic polynomial-time algorithm G is
called a non-uniformly strong pseudorandom generator if there exists a stretching function l: N N, so that for any family {Ck} of polynomial-size circuits, for any polynomial p, and for all sufficiently large k’s
|Pr[Ck(G(Uk))=1]-Pr[Ck(Ul(k))=1]| < 1/p(k)This definition involves polynomial size
circuits as distinguishers instead of probabilistic polynomial time TM. Recall
that BPP P/poly
3
Implications of such PRGImplications of such PRG
Theorem: If such non-uniformly strong pseudorandom generator exists then
))(2(0 npolynDtimeBPP ε
ε
εnr 1,0
Proof: Suppose LBPP. Let A(x,r) be the machine that decides L: x is the input and r is the sequence of coin tosses of the machine. r is of size l(|x|).Define a new algorithm A’ as follows:
A’(x,r) := A(x,G(r))
WhereWe can construct such A thatuses exactly l(|x|) coin tosses
4
Proof Continued (1)Proof Continued (1)
Claim: For all but finitely many x’s|Pr[A(x,Ul(k))=1] - Pr[A’(x, Uk)=1]| < 1/6
where k=|x|.Proof: Assume, by way of contradiction, that, for
infinitely many x’s|Pr[A(x,Ul(k))=1] - Pr[A’(x, Uk)=1]| 1/6
and construct a family of poly-size circuitsxC(x)(input) := A(x,input)
then construct the family {Ck} as follows:
Ck {C(x)| A(x) uses l(k) coin tosses}
Infinitely many x’s on which A and A’ differ imply infinitely manysizes of x’s on which they differ, and infinite number of such Cks.
5
Proof Continued (2)Proof Continued (2)
For each such Ck:
Ck(G(Uk)) A’(x,Uk) and Ck(Ul(k)) A(x,Ul(k))
Hence we have a family of circuits s.t.|Pr[Ck(G(Uk))=1]-Pr[Ck(Ul(k))=1]| 1/6
In contradiction to the definition of our pseudorandom generator. claim
6
Proof Continued (3)Proof Continued (3)
Going back to proving the theorem:A is our BPP machine so for every x:
x L Pr[A(x,Ul(k)) = 1] 2/3
x L Pr[A(x,Ul(k)) = 1] < 1/3
In particular, using the claim we get for all but finitely many x’s: x L Pr[A’(x,Uk) = 1] > Pr[A(x,Ul(k)) = 1]-1/6 1/2
x L Pr[A’(x,Uk) = 1] < Pr[A(x,Ul(k)) = 1]+1/6 < 1/2
7
Proof Continued (4)Proof Continued (4)
Now, define a deterministic algorithm A’’ for deciding L:
if x is one of those finitely x’s
return a known pre-computed answer
else {
for all
Run A’(x,r)
return the majority of A’ answers.
}
A’’ deterministically decides L and run in time as required. Theorem
εnr 1,0
)(2 npolyn ε
8
Goal: to design a new PRG construction, which would be used for derandomization
New Method: generate random bits in parallel, instead of sequentially (compare with the “Pseudo Random Generators” lecture)
Different Assumptions: weaker then before, since the new PRG can run in time exponential in its input size: Assume an unpredictable Boolean
function.New Construct: called Design; consisting of
nearly disjoint subsets of the random seed.
New notion of PRGNew notion of PRG
9
New notion of PRGNew notion of PRG
The new requirements for PRG:Indistinguishable by polynomial-size circuit.Can run in exponential time (2O(k) on k-bit seed).
One can construct such PRG under seemingly weaker assumption (than for the construction shown in the “Pseudo Random Generators” lecture):
The existence of unpredictable Boolean function.
For k=O(log(|x|)) it runsin polynomial-time.
Instead of assuming the existence of one-way permutation.
10
Unpredictable Boolean functionUnpredictable Boolean function
Def (Unpredictable Boolean function): An exp(l)-computable Boolean function b:
{0,1}l{0,1}is unpredictable by small circuits if for every polynomial p(.), for all sufficiently large l’s and for every circuits C of size p(l):
Pr[C(Ul)=b(Ul)] < ½+1/p(l)
Assume such Boolean functions exist
11
Unpredictable Boolean functionUnpredictable Boolean function
How strong is that assumption?We prove that it is not stronger than assuming the
existence of a one-way permutation:
Claim: if f0 is a one-way permutation and b0 is a hard-core of f0, then b(x):=b0(f0
-1(x)) is an unpredictable Boolean function.
?one-way permutation unpredictable Boolean
function
12
One way permutation One way permutation unpredictable unpredictable Boolean functionBoolean function
Proof:Let f0 be a one-way permutation and b0 a hard-core of f0.
We’ll show the function b(x):=b0(f-10(x)) is an
unpredictable Boolean function.
f0 can be inverted in exponential time and b0 can be computed in polynomial time so b is computable in exponential time.
Unpredictability: Assume, by way of contradiction, that b is predictable.We’ll show the b0 is not hard-core bit of f0.
13
Proof continuedProof continued
Assuming b is predictable we have a family of circuits {Ck} of size p(k) s.t. for infinite number of k’s
Pr[Ck(Uk)=b(Uk)] 1/2 + 1/p(l).
For y:=f0-1
(x) we get b(f0(y))=b0(y).
f is a permutation so we get Pr[Ck(f0(Uk))=b(f0(Uk))] 1/2 + 1/p(l)
Pr[Ck(f0(Uk))=b0(Uk)] 1/2 + 1/p(l).
Which is a contradiction to b0 being a hard core.We defined hard-core bit with BPP machines andnot P/poly so there is a problem here !
14
The DesignThe Design
Generating a single random bit from a seed is easy assuming you have an unpredictable Boolean function.
But how can we generate more than one bit?We will manage that, utlizing a collection of nearly
disjoined subsets of the seed to get random bits that are almost mutually independent
Almost means: indistinguishable by polynomial
sized circuits
15
The DesignThe Design
Def:A collection of m subsets {I1,I2,…,Im} of {1…k} is a (k,m,l)-design if the following hold:
For every i {1,…,m}: |Ii| = l
For every ij {1,…,m}: |Ii Ij| = O(log k) The collection is constructible in exp(k)-time.
Notation: For S=<x1,x2, …, xk> and I={i1, …, il} {1,..,k}
k21 iii
defx ... xxS[I]
16
S (seed): <1 0 1 0 0 1 0 1 1 0>
The Design - VisualizationThe Design - Visualization
INDEX <1 2 3 4 5 6 7 8 9 10>
I1, I2, …, Im: {1,4,7} {2,5,8} {3,9,10}...{1,8,9}{1,0,0} {0,0,1} {1,1,0} ... {1,1,1}
k
l
S[I1], …, S[Im]:
17
Prop: let b: {0,1}k {0,1} be an unpredictable Boolean function, and {I1,…,Im} be a (k,m,k)-design then the following function is a strong non-uniform PRG:
G(S) < b(S[I1]) b(S[I2]) . . . b(S[Im]) >
Constructing the PRGConstructing the PRG 15.3
18
Constructing the PRG: Constructing the PRG: VisualizationVisualization
m
0 1 1 …………… 0
Pseudo randomstring
l
S (seed): <1 0 1 0 0 1 0 1 1 0>INDEX <1 2 3 4 5 6 7 8 9 10>
I1, I2, …, Im: {1,4,7} {2,5,8} {3,9,10}...{1,8,9}{1,0,0} {0,0,1} {1,1,0} ... {1,1,1}
k
S[I1], …, S[Im]:
b(<1,0,0>) b(<1,1,1>)………
19
Proof Proof (1)(1)
Proof:
Computing G(s) takes time exponential in k, since:
we have m=l(k) computations of b(S[Ii]);
Computing each b(S[Ii]) takes exp( |S[Ii]| ) = O(exp(k)).
20
Proof Proof (2)(2)
we will show that no small circuit can distinguish the output of G from a random sequence.
Assume by way of contradiction that there exists a family of poly-size circuits {Ck}kN and a polynomial p(.) such that for infinitely many k’s
| Pr[Ck(G(Uk)) = 1] - Pr[Ck(Ul(k))=1] | > 1/p(k)
Without loss of generality we can remove the absolute sign.
There are infinitely many k’s s.t. Pr[Ck(G(Uk)) = 1] - Pr[Ck(Ul(k))=1]has the same sign for all k, however, we can fix the sign arbitrarilysince we can take a sequence of circuits with reverse signs.
21
Using a Hybrid Distribution - proof Using a Hybrid Distribution - proof (3)(3)
For any 0 i m we define a “hybrid” distribution as follows: the first i bits are chosen to be the first i bits of G(Uk) and the other m-i bits are chosen uniformly at random.
Hik G(Uk)[1,…,i]
Um-i
also
fk(i) Pr[Ck(Hki)=1]
Using these definitions we can write:
fk(m) - fk(0) > 1/p(k)
there must be some 0 ik m s.t:
fk(ik+1) - fk(ik) > 1/m * 1/p(k)
22
ApproximatingApproximating the Next bit from the Next bit from the previous bitsthe previous bits
Defining p’(k):=mp(k) and i:=ik we get:
Pr[Ck(Hki+1)=1]- Pr[Ck(Hk
i)=1] > 1/p’(k)
Now, we can construct from Ck a circuit C’k which can approximate the next bit with large enough probability:
When Ri are independent uniformly distributed bits.
It can be shown that
Pr[C’k(G(Uk)[1,…i] ) = G(Uk)i+1] > 1/2 + 1/p’(k)
:)R,...,R,)(G(UC' m1ii][1,...,kk
1im1ii][1,...,kk R)R,...,R)G(U(C1
Probability over random bits Ri and Uk
23
Approximating the Next bit from Approximating the Next bit from the previous bitsthe previous bits
½- ½+
b(S[I1]) …… b(S[Iik])
Circuit C‘k
Next bit b(S[Iik+1]):=1/p’(k)
24
Approximating Approximating b(S[Ib(S[Ii+1i+1])]) from S and from S and b(S[Ib(S[Iii])])’s ’s We can construct a circuit C’’ which inputs S in addition to b(S[I1]),…, b(S[Ii]) and can approximate the unpredictable boolean function b(S[Ii+1]).
This can be done by ‘ignoring’ those new inputs and using b(S[I1]),…, b(S[Ii]) and C’. The formal definition is:
C’’k(S°G(S)[1..i]) := C’k(G(S)[1..i])
We get:
Prs[C’’k(S°G(S)[1..i] ) = G(S)i+1] > 1/2 + 1/p’(k)
Prs[C’’k(S°G(S)[1..i] ) = b(S[Ii+1])] > 1/2 + 1/p’(k) Probabilities over random bits Ri and S
25
Approximating Approximating b(S[Ib(S[Ii+1i+1])]) from from S[IS[Ii+1i+1]] and and b(S[Ib(S[Ijj])])’s ’s
There exist {0,1}k-|Ii| s.t.
Prs[C’’k(S°G(S)[1..i] ) = b(S[Ii+1]) | S[Ii+1]= ] > 1/2 + 1/p’(k)
We’ll hard-code this into our circuit and get a circuit that takes b(S[I1]),…, b(S[Ii]) and S[Ii+1] as inputs and approximate b(S[Ii+1]) with some bias.
Applying the Law of Averages:Pr[C’’k(S°G(S)[1..i] ) = b(S[Ii+1])] =
Pr [C’’k(S°G(S)[1..i] ) = b(S[Ii+1]) | S[Ii+1]= ]•Pr[S[Ii+1]= ] If for all : Pr [C’’k(S°G(S)[1..i] ) = b(S[Ii+1]) | S[Ii+1]= ] 1/2+1/p’(k)We’d get Pr[C’’k(S°G(S)[1..i] ) = b(S[Ii+1])] 1/2+1/p’(k).
26
Visualization of C’’Visualization of C’’
b(S[I1])…
……
b(S[Ii])
½- ½+
Circuit C‘k
Next bit b(S[Ii+1])
S[Ii+1])
S:Circuit
C‘’k
S[Ii+1])
27
Approximating Approximating b(S[Ib(S[Ii+1i+1])]) from from S[IS[Ii+1i+1]]
We know how to approximate b(S[Ii+1]) from its input S[Ii+1] and from b(S[I1]),…, b(S[Ii]).
Can we approximate it using only S[Ii+1] ?
28
Computing S[IComputing S[Ijj]’s from S[I]’s from S[Ii+1i+1]]
S: S[Ii+1]=S[Ii+1])
S[I1]
?
S[I2]
?
O(log(k))
……… S[Ii]
?
?After hard-coding , there is only a small number of free bits in S[I1]…S[Ii].
The design gives us i•O(log(k)) as a bound.
29
Computing Computing S[IS[Ijj]]’s from ’s from S[IS[Ii+1i+1]] ExampleExample
S: S[Ii+1]=S[Ii+1])
S[I1]
?
S[I2]
? ……… S[Ii]
?
?S:
S[I1] S[I2]
…S[Ii]
O(log(k))
< 0 0 1 ?>
0 0 1 ……… 0 1 ???? 0 1 1
<1 0 1 ?> <0 1 1 ?>
precomputed
b(<0010>) b(<0011>)
1
S[Ii+1]
1
b(<0011>)
b(<0011>)
30
Computing Computing b(S[Ib(S[Ii+1i+1])])’s from ’s from S[IS[Ii+1i+1]]
S:
S[I1]< 123 ?
> S[I2]
…S[Ii]
123 ……… j ???? j+1…k-l
< 3j-1j ?>
<?j+1j+2 k-l
>
S[Ii+1]
Exp(log(k))=
poly(k) circuit
S[I1] ………S[Ii]
b(S[I1])………
Lookup table: for every
possible S[Ii] return
precomputed value of b(S[Ii])
b(S[Ii])
There are only poly(k) possible such S[Ii]’s,
given S[Ii+1]= .
31
½-
Circuit C‘
Next bitb(S[Ii+1])
Final Circuit: Final Circuit: Approximating Approximating b(S[Ib(S[Ii+1i+1])]) from from S[IS[Ii+1i+1]]
S[Ii+1]
poly(k) circuit
S[I1] ………S[Ii]
Lookup table
b(S[I1]) … b(S[Ii])
½+
32
Design construction: greedy Design construction: greedy algorithmalgorithm
For the following parameters:
k = l2
m = poly(k)
We want that for all i to have |Ii|=l and for ij, |IiIj|=O(log k).
For i = 1 to mFor all I [k], |I|=l do
flag := FALSEfor j = 1 to i-1
if |IiIj| > log k then flag:=TRUEif flag = TRUE then Ii = I
The algorithm:
33
Greedy algorithm: proofGreedy algorithm: proof
Assuming that for i m we have I1, I2,…, Ii-1 such that– for every j<i: |Ij| = l
– for every j1,j2 < i: |Ij1Ij2| < 2+log m
We’ll show that there exists another set |Ii|=l s.t. for every j < i: |IjIi| < 2+log m
Proof by the probabilistic method:Let S be a fixed set of size l. Let R be a set which is selected at random so that for every i[k]:
Pr[iR] = 2/l.R length ~ binomial(k,2/l).
34
Proof continued (1)Proof continued (1)
Let Si be the i’th element in S sorted in some order.
We’ll define the sequence {Xi}i=1..l of random variables:
Xi are independent Bernoulli variables with Pr[Xi=1]= 2/l for each i.
otherwise
RsifX i
i 0
1
me
lm
l
X
lm
ll
XmRS
m
l
ii
l
ii
21
2log
Pr
log2Prlog2Pr
2log1
1
Using Chernoff’s
bound:
35
Proof continued (2)Proof continued (2)For R selected as above the probability that there exists Ij
s.t. |IjR| > 2+log m us bounded above by
(i-1)/2m < 1/2.R is not necessarily of size l. We can show that with high
probability |R|l so it contains a subset of size l that we can choose as our Ii.
Considering the sequence {Xi}i=1..l :
Using Chernoff’s bound:
For R selected as above the probability of too many collisions or being too small is strictly smaller than one.
Therefore, there exists such R to be selected as Ii.
otherwise
RiifYi 0
1
21
221
PrPr 2
1
e
lY
klR
k
ii
Note: The algorithm itself is deterministic. We use
the randomness as a tool in showing the algorithm will
always find what it is looking for.
36
Second Design Construction: using Second Design Construction: using GF(l) arithmeticGF(l) arithmetic
For the following parameters:
k = l2
m = poly(k) Let F:=GF(l) then |FF| = k There is a 1-1 correspondence between {1,…,k}
and FF For every polynomial p(.) of degree d over F, Ip is
the graph of p(.) over F:Ip := {<e,p(e)> | e F }
|Ip| = |F| = l
37
Second Design Construction: using Second Design Construction: using GF(l) arithmeticGF(l) arithmetic
For every two polynomials p(.)q(.) of degree d intersects in at most d points, hence:
|Ip Iq| d
by the Fundamental Theorem of Algebra, hence we can choose d=O(log(k)).
Note that for every polynomial m(k) we can construct m(k)= m(l2) such sets, since there are |F|d+1 = ld+1 polynomials over GF(l), so by choosing an appropriate d the number of sets is greater then m(l2).
The sets are constructible in exponential in k, since we use simple arithmetic over GF(l).
