1 / 37

Slides by Iddo Tzameret and Gil Shklarski.

Derandomizing BPP. Slides by Iddo Tzameret and Gil Shklarski. Adapted from Oded Goldreich’s course lecture notes by Erez Waisbard and Gera Weiss. PRG - Stronger Notion. Def :

blake-jennings
Download Presentation

Slides by Iddo Tzameret and Gil Shklarski.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Derandomizing BPP Slides by Iddo Tzameret and Gil Shklarski. Adapted from Oded Goldreich’s course lecture notes by Erez Waisbard and Gera Weiss.

  2. PRG - Stronger Notion Def: A deterministic polynomial-time algorithm G is called a non-uniformly strong pseudorandom generator if there exists a stretching function l: N  N, so that for any family {Ck} of polynomial-size circuits, for any polynomial p, and for all sufficiently large k’s |Pr[Ck(G(Uk))=1]-Pr[Ck(Ul(k))=1]| < 1/p(k) This definition involves polynomial size circuits as distinguishers instead of probabilistic polynomial time TM. Recall that BPP  P/poly

  3. Theorem: If such non-uniformly strong pseudorandom generator exists then Proof: Suppose LBPP. Let A(x,r) be the machine that decides L: x is the input and r is the sequence of coin tosses of the machine. r is of size l(|x|). Define a new algorithm A’ as follows: A’(x,r) := A(x,G(r)) Where Implications of such PRG We can construct such A that uses exactly l(|x|) coin tosses

  4. Proof Continued (1) Claim: For all but finitely many x’s |Pr[A(x,Ul(k))=1] - Pr[A’(x, Uk)=1]| < 1/6 where k=|x|. Proof: Assume, by way of contradiction, that, for infinitely many x’s |Pr[A(x,Ul(k))=1] - Pr[A’(x, Uk)=1]|  1/6 and construct a family of poly-size circuitsxC(x)(input) := A(x,input) then construct the family {Ck} as follows: Ck {C(x)| A(x) uses l(k) coin tosses} Infinitely many x’s on which A and A’ differ imply infinitely manysizes of x’s on which they differ, and infinite number of such Cks.

  5. Proof Continued (2) For each such Ck: Ck(G(Uk))  A’(x,Uk) and Ck(Ul(k))  A(x,Ul(k)) Hence we have a family of circuits s.t. |Pr[Ck(G(Uk))=1]-Pr[Ck(Ul(k))=1]|  1/6 In contradiction to the definition of our pseudorandom generator. claim

  6. Proof Continued (3) Going back to proving the theorem: A is our BPP machine so for every x: x  L  Pr[A(x,Ul(k)) = 1]  2/3 x  L  Pr[A(x,Ul(k)) = 1] < 1/3 In particular, using the claim we get for all but finitely many x’s: x  L  Pr[A’(x,Uk) = 1] > Pr[A(x,Ul(k)) = 1]-1/6  1/2 x  L  Pr[A’(x,Uk) = 1] < Pr[A(x,Ul(k)) = 1]+1/6 < 1/2

  7. Now, define a deterministic algorithm A’’ for deciding L: if x is one of those finitely x’s return a known pre-computed answer else { for all Run A’(x,r) return the majority of A’ answers. } A’’ deterministically decides L and run in time as required. Theorem Proof Continued (4)

  8. New notion of PRG Goal: to design a new PRG construction, which would be used for derandomization New Method: generate random bits in parallel, instead of sequentially (compare with the “Pseudo Random Generators” lecture) Different Assumptions: weaker then before, since the new PRG can run in time exponential in its input size: Assume anunpredictable Boolean function. New Construct: called Design; consisting of nearly disjoint subsets of the random seed.

  9. For k=O(log(|x|)) it runs in polynomial-time. New notion of PRG • The new requirements for PRG: Indistinguishable by polynomial-size circuit. Can run in exponential time (2O(k) on k-bit seed). • One can construct such PRG under seemingly weaker assumption (than for the construction shown in the “Pseudo Random Generators” lecture): The existence of unpredictable Boolean function. Instead of assuming the existence of one-way permutation.

  10. Unpredictable Boolean function Def (Unpredictable Boolean function): An exp(l)-computable Boolean function b:{0,1}l{0,1}is unpredictable by small circuitsif for every polynomial p(.), for all sufficiently large l’s and for every circuits C of size p(l): Pr[C(Ul)=b(Ul)] < ½+1/p(l) Assume such Boolean functions exist

  11. ? Unpredictable Boolean function How strong is that assumption? We prove that it is not stronger than assuming the existence of a one-way permutation: one-way permutation unpredictable Boolean function Claim: if f0 is a one-way permutation and b0 is a hard-core of f0, then b(x):=b0(f0-1(x)) is an unpredictable Boolean function.

  12. One way permutation  unpredictable Boolean function Proof: Let f0 be a one-way permutation and b0 a hard-core of f0. We’ll show the function b(x):=b0(f-10(x)) is an unpredictable Boolean function. • f0can be inverted in exponential time and b0 can be computed in polynomial time so b is computable in exponential time. • Unpredictability: Assume, by way of contradiction, that b is predictable. We’ll show the b0 is not hard-core bit of f0.

  13. Proof continued Assuming b is predictable we have a family of circuits {Ck} of size p(k) s.t. for infinite number of k’s Pr[Ck(Uk)=b(Uk)]  1/2 + 1/p(l). For y:=f0-1(x) we get b(f0(y))=b0(y). f is a permutation so we get Pr[Ck(f0(Uk))=b(f0(Uk))]  1/2 + 1/p(l) Pr[Ck(f0(Uk))=b0(Uk)]  1/2 + 1/p(l). Which is a contradiction to b0 being a hard core. We defined hard-core bit with BPP machines andnot P/poly so there is a problem here !

  14. The Design • Generating a single random bit from a seed is easy assuming you have an unpredictable Boolean function. • But how can we generate more than one bit? We will manage that, utlizing a collection of nearly disjoined subsets of the seed to get random bits that are almost mutually independent Almost means: indistinguishable by polynomial sized circuits

  15. The Design Def: A collection of m subsets {I1,I2,…,Im} of {1…k} is a (k,m,l)-design if the following hold: • For every i  {1,…,m}: |Ii| = l • For every ij  {1,…,m}: |IiIj| = O(log k) • The collection is constructible in exp(k)-time. Notation: For S=<x1,x2, …, xk> and I={i1, …, il}  {1,..,k}

  16. The Design - Visualization k INDEX <1 2 3 4 5 6 7 8 9 10> S (seed): <1 0 1 0 0 1 0 1 1 0> l I1, I2, …, Im: {1,4,7} {2,5,8} {3,9,10}...{1,8,9} S[I1], …, S[Im]: {1,0,0} {0,0,1} {1,1,0} ... {1,1,1}

  17. Constructing the PRG 15.3 Prop: let b: {0,1}k  {0,1} be an unpredictable Boolean function, and {I1,…,Im} be a (k,m,k)-design then the following function is a strong non-uniform PRG: G(S)  <b(S[I1]) b(S[I2]) . . . b(S[Im]) >

  18. k INDEX <1 2 3 4 5 6 7 8 9 10> S (seed): <1 0 1 0 0 1 0 1 1 0> I1, I2, …, Im: {1,4,7} {2,5,8} {3,9,10}...{1,8,9} S[I1], …, S[Im]: {1,0,0} {0,0,1} {1,1,0} ... {1,1,1} Generator 0 1 1 …………… 0 Pseudo random string m Constructing the PRG: Visualization l b(<1,0,0>) ……… b(<1,1,1>)

  19. Proof (1) Proof: Computing G(s) takes time exponential in k, since: • we have m=l(k) computations of b(S[Ii]); • Computing each b(S[Ii]) takes exp( |S[Ii]| ) = O(exp(k)).

  20. Proof (2) we will show that no small circuit can distinguish the output of G from a random sequence. • Assume by way of contradiction that there exists a family of poly-size circuits {Ck}kN and a polynomial p(.) such that for infinitely many k’s | Pr[Ck(G(Uk)) = 1] - Pr[Ck(Ul(k))=1] | > 1/p(k) • Without loss of generality we can remove the absolute sign. There are infinitely many k’s s.t. Pr[Ck(G(Uk)) = 1] - Pr[Ck(Ul(k))=1]has the same sign for all k, however, we can fix the sign arbitrarilysince we can take a sequence of circuits with reverse signs.

  21. Using a Hybrid Distribution - proof (3) For any 0  i  m we define a “hybrid” distribution as follows: the first i bits are chosen to be the first i bits of G(Uk) and the other m-i bits are chosen uniformly at random. Hik G(Uk)[1,…,i]Um-i also fk(i) Pr[Ck(Hki)=1] Using these definitions we can write: fk(m) - fk(0) > 1/p(k) there must be some 0  ik  m s.t: fk(ik+1) - fk(ik) > 1/m * 1/p(k)

  22. Approximatingthe Next bit from the previous bits Defining p’(k):=mp(k) and i:=ikwe get: Pr[Ck(Hki+1)=1]- Pr[Ck(Hki)=1] > 1/p’(k) Now, we can construct from Ck a circuit C’k which can approximate the next bit with large enough probability: When Ri are independent uniformly distributed bits. It can be shown that Pr[C’k(G(Uk)[1,…i] ) = G(Uk)i+1] > 1/2 + 1/p’(k) Probability over random bits Ri and Uk

  23. Approximating the Next bit from the previous bits b(S[I1]) …… b(S[Iik]) ½- Next bit ½+ b(S[Iik+1]) :=1/p’(k) Circuit C‘k

  24. Approximating b(S[Ii+1]) from S and b(S[Ii])’s We can construct a circuit C’’ which inputs S in addition to b(S[I1]),…, b(S[Ii]) and can approximate the unpredictable boolean function b(S[Ii+1]). This can be done by ‘ignoring’ those new inputs and using b(S[I1]),…, b(S[Ii]) and C’. The formal definition is: C’’k(S°G(S)[1..i]) := C’k(G(S)[1..i]) We get: Prs[C’’k(S°G(S)[1..i] ) = G(S)i+1] > 1/2 + 1/p’(k) Prs[C’’k(S°G(S)[1..i] ) = b(S[Ii+1])] > 1/2 + 1/p’(k) Probabilities over random bits Ri and S

  25. Approximating b(S[Ii+1]) from S[Ii+1] and b(S[Ij])’s There exist  {0,1}k-|Ii|s.t. Prs[C’’k(S°G(S)[1..i] ) = b(S[Ii+1]) | S[Ii+1]= ] > 1/2 + 1/p’(k) We’ll hard-code this  into our circuit and get a circuit that takes b(S[I1]),…, b(S[Ii]) and S[Ii+1] as inputs and approximate b(S[Ii+1]) with some bias. Applying the Law of Averages: Pr[C’’k(S°G(S)[1..i] ) = b(S[Ii+1])] = Pr [C’’k(S°G(S)[1..i] ) = b(S[Ii+1]) | S[Ii+1]= ]•Pr[S[Ii+1]= ] If for all : Pr [C’’k(S°G(S)[1..i] ) = b(S[Ii+1]) | S[Ii+1]= ]  1/2+1/p’(k) We’d get Pr[C’’k(S°G(S)[1..i] ) = b(S[Ii+1])]  1/2+1/p’(k).

  26. ½- Next bit ½+ b(S[Ii+1]) Circuit C‘k Visualization of C’’ S[Ii+1]) Circuit C‘’k S[Ii+1]) S: b(S[I1])… b(S[Ii]) ……

  27. Approximating b(S[Ii+1]) from S[Ii+1] We know how to approximate b(S[Ii+1])from its input S[Ii+1]and fromb(S[I1]),…, b(S[Ii]). Can we approximate it using only S[Ii+1] ?

  28. Computing S[Ij]’s from S[Ii+1] After hard-coding , there is only a small number of free bits in S[I1]…S[Ii]. The design gives us i•O(log(k)) as a bound. =S[Ii+1]) S: S[Ii+1] ? ……… ? ? ? S[I1] S[I2] S[Ii] O(log(k))

  29. S[Ii+1] precomputed b(<0010>) b(<0011>) 1 0 0 1……… 0 1???? 0 1 1 < 0 0 1?> <1 0 1?> <0 1 1?> Computing S[Ij]’s from S[Ii+1] Example =S[Ii+1]) S: S: S[Ii+1] ? b(<0011>) b(<0011>) ……… … ? ? 1 ? S[I1] S[I1] S[I2] S[I2] S[Ii] S[Ii] O(log(k))

  30. There are only poly(k) possible such S[Ii]’s, given S[Ii+1]= . Computing b(S[Ii+1])’s from S[Ii+1] S[Ii+1] S: 123 ……… j ???? j+1…k-l Exp(log(k))= poly(k) circuit S[I1] ………S[Ii] Lookup table: for every possible S[Ii] return precomputed value of b(S[Ii]) … < 123 ?> < 3j-1j ?> <?j+1j+2 k-l > S[I1] S[I2] S[Ii] b(S[I1])……… b(S[Ii])

  31. b(S[I1]) … b(S[Ii]) Final Circuit: Approximating b(S[Ii+1]) from S[Ii+1] S[Ii+1] poly(k) circuit S[I1] ………S[Ii] Lookup table Next bit ½- ½+ b(S[Ii+1]) Circuit C‘

  32. Design construction: greedy algorithm For the following parameters: k = l2 m = poly(k) We want that for all i to have |Ii|=l and for ij, |IiIj|=O(log k). The algorithm: For i = 1 to m For all I  [k], |I|=l do flag := FALSE for j = 1 to i-1 if |IiIj| > log k then flag:=TRUE if flag = TRUE then Ii = I

  33. Greedy algorithm: proof Assuming that for i  mwe have I1, I2,…, Ii-1 such that • for every j<i: |Ij| = l • for every j1,j2 < i: |Ij1Ij2| < 2+log m We’ll show that there exists another set |Ii|=l s.t. for every j < i: |IjIi| < 2+log m Proof by the probabilistic method: Let S be a fixed set of size l. Let R be a set which is selected at random so that for every i[k]: Pr[iR] = 2/l. R length ~ binomial(k,2/l).

  34. Using Chernoff’s bound: Proof continued (1) Let Si be the i’th element in S sorted in some order. We’ll define the sequence {Xi}i=1..l of random variables: Xi are independent Bernoulli variables with Pr[Xi=1]= 2/l for each i.

  35. Proof continued (2) For R selected as above the probability that there exists Ij s.t. |IjR| > 2+log m us bounded above by (i-1)/2m < 1/2. R is not necessarily of size l. We can show that with high probability |R|l so it contains a subset of size l that we can choose as our Ii. Considering the sequence {Xi}i=1..l : Using Chernoff’s bound: For R selected as above the probability of too many collisions or being too small is strictly smaller than one. Therefore, there exists such R to be selected as Ii.  Note: The algorithm itself is deterministic. We use the randomness as a tool in showing the algorithm will always find what it is looking for.

  36. Second Design Construction: using GF(l) arithmetic For the following parameters: k = l2 m = poly(k) • Let F:=GF(l) then|FF| = k • There is a 1-1 correspondence between {1,…,k} and FF • For every polynomial p(.) of degree d over F, Ipis the graph of p(.) over F: Ip := {<e,p(e)> | e  F } • |Ip| = |F| = l

  37. Second Design Construction: using GF(l) arithmetic • For every two polynomials p(.)q(.) of degree d intersects in at most d points, hence: |Ip Iq|  d by the Fundamental Theorem of Algebra, hence we can choose d=O(log(k)). • Note that for every polynomial m(k) we can construct m(k)= m(l2) such sets, since there are |F|d+1 = ld+1 polynomials over GF(l), so by choosing an appropriate d the number of sets is greater then m(l2). • The sets are constructible in exponential in k, since we use simple arithmetic over GF(l). FIN

More Related