## The Unified Theory of Pseudorandomness — Salil Vadhan, Harvard University (presentation transcript; see also the monograph-in-progress *Pseudorandomness*)

Pseudorandomness: the theory of efficiently generating objects that "look random" despite being constructed with little or no randomness.

Motivation
- Computer science: derandomization (converting randomized algorithms into deterministic algorithms); cryptography (generating many unpredictable bits, e.g. for encryption, from a short key); useful "pseudorandom objects" (e.g. error-correcting codes).
- Mathematics: explicit constructions matching the probabilistic method (e.g. Ramsey graphs); analyzing mathematical structures, e.g. the primes are dense in a "pseudorandom" set of integers [Green-Tao04].

"Pseudorandom Objects"
- Error-correcting codes: make data resilient to corruption.
- Expander graphs: highly connected but sparse graphs.
- Samplers: estimate an average with few samples and few random bits.
- Randomness extractors: convert biased and correlated bits into almost-uniform random bits.
- Hardness amplifiers: convert worst-case hard functions into average-case hard ones.
- Pseudorandom generators: stretch a short seed into many bits that "look random" to efficient algorithms.

For each of these, a randomly chosen object achieves very good parameters; the goal is explicit constructions, i.e. ones that are efficient and deterministic.


A Unified Theory. Through the work of many researchers over two decades: all of these objects are essentially the same when viewed appropriately, and much progress has come from exploiting these connections to translate constructions and ideas from one object to another. This talk: a single "list-decoding" framework that captures all of the objects and highlights their similarities and differences.

An Incomplete List of References
- D. Zuckerman, "Randomness-Optimal Oblivious Sampling", 1996.
- L. Trevisan, "Extractors and Pseudorandom Generators", 1999.
- M. Sudan, L. Trevisan, S. Vadhan, "Pseudorandom Generators without the XOR Lemma", 1999.
- A. Ta-Shma, D. Zuckerman, "Extractor Codes", 2001.
- V. Guruswami, C. Umans, S. Vadhan, "Unbalanced Expanders and Randomness Extractors from Parvaresh-Vardy Codes", 2007.

See the proceedings and monograph for more.

The Framework. Syntactic form of object: Γ : [N]×[D] → [M]. For T ⊆ [M], let LIST_Γ(T, ε) = {x ∈ [N] : Pr_y[Γ(x, y) ∈ T] > ε}. Semantic property: for all T ∈ C, |LIST_Γ(T, ε)| ≤ K. Notes/conventions: sometimes we also require "constructing" LIST_Γ(T, ε) to be "efficient"; LIST_Γ(T, 1) = {x ∈ [N] : Pr_y[Γ(x, y) ∈ T] = 1}; we write N = 2^n, D = 2^d, ..., so that Γ : {0,1}^n × {0,1}^d → {0,1}^m.
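The definition of LIST_Γ(T, ε) is small enough to check by brute force. Below is a sketch, assuming a toy Γ chosen purely for illustration (not any object from the talk), that computes the list directly from the definition:

```python
from fractions import Fraction

def list_set(gamma, N, D, T, eps):
    """LIST_Gamma(T, eps) = {x in [N] : Pr_y[Gamma(x, y) in T] > eps}, by brute force."""
    return {x for x in range(N)
            if Fraction(sum(gamma(x, y) in T for y in range(D)), D) > eps}

# Toy Gamma(x, y) = (x + y) mod 4 with N = D = M = 4: every x lands in
# T = {0, 1} for exactly 2 of the 4 seeds y, i.e. with probability 1/2.
gamma = lambda x, y: (x + y) % 4
print(list_set(gamma, 4, 4, {0, 1}, Fraction(1, 2)))  # strict ">" excludes every x
print(list_set(gamma, 4, 4, {0, 1}, Fraction(1, 4)))  # now every x qualifies
```

Enumeration like this is only feasible for tiny N and D; the point of the framework is that the real objects certify |LIST| ≤ K without any enumeration.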

LIST-DECODABLE CODES

Error-Correcting Codes. Goal: encode data so that it can be recovered after errors. [Diagram: a message m of n bits is encoded into a codeword Enc(m) of D q-ary symbols; a δ fraction of symbols are corrupted, yielding a received word r, which is decoded back to m.] Example: the Reed-Solomon code, Enc(f) = (f(1), ..., f(D)) for a polynomial f ∈ F_q[x].
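The Reed-Solomon example can be made concrete. A minimal sketch over a small prime field (p = 7 is a hypothetical toy choice; real codes use much larger fields), treating the message as the coefficients of f ∈ F_p[x] and evaluating at 1, ..., D as on the slide:

```python
P = 7  # toy prime field F_p

def rs_encode(message, D=P):
    """Reed-Solomon: message = coefficients of f in F_p[x]; codeword = (f(1), ..., f(D))."""
    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(message)) % P
    return [f(x) for x in range(1, D + 1)]

print(rs_encode([3, 1]))  # f(x) = 3 + x evaluated at 1..7 -> [4, 5, 6, 0, 1, 2, 3]
```

Two distinct polynomials of degree less than n agree in fewer than n evaluation points, which is what puts distinct codewords at large Hamming distance from one another.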

List-Decodable Codes. Q: What if the corruption rate δ = 1 − 1/q − ε is too high for unique decoding? [Diagram: as before, but the received word r may now be close to several codewords Enc(m_1), ..., Enc(m_K).] Def: Enc : [N] → [q]^D is (K, ε) list-decodable if for every r ∈ [q]^D, there are at most K messages m such that Enc(m) agrees with r in more than a 1/q + ε fraction of positions.

List-Decodable Codes. Def (repeated): Enc : [N] → [q]^D is (K, ε) list-decodable if for every r ∈ [q]^D, there are at most K messages m such that Enc(m) agrees with r in more than a 1/q + ε fraction of positions. Goals: minimize D (e.g. D·log q = O(n)); minimize ε (e.g. a small constant independent of n); minimize q (e.g. q = O(1) or q = poly(n)); minimize K (e.g. K = poly(n)).

List-Decodable Codes in the Framework. Given Enc : [N] → [q]^D, define Γ : [N]×[D] → [D]×[q] via Γ(x, y) = (y, Enc(x)_y). Proposition: Enc is (K, ε) list-decodable iff for every r ∈ [q]^D, |LIST_Γ(T_r, 1/q + ε)| ≤ K, where T_r = {(y, r_y) : y ∈ [D]}. Proof: x ∈ LIST_Γ(T_r, 1/q + ε) ⟺ Pr_y[Γ(x, y) ∈ T_r] > 1/q + ε ⟺ Pr_y[Enc(x)_y = r_y] > 1/q + ε.
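The proposition can be checked exhaustively for a tiny code. The sketch below, assuming a hypothetical 3-fold binary repetition code (not from the talk), builds Γ(x, y) = (y, Enc(x)_y) and confirms that every received word yields a list of size at most 1 at agreement threshold 1/q + ε = 1/2 + 1/6:

```python
from fractions import Fraction
from itertools import product

q, D = 2, 3
enc = {0: (0, 0, 0), 1: (1, 1, 1)}  # toy repetition code: N = 2 messages

def gamma(x, y):
    return (y, enc[x][y])           # Gamma(x, y) = (y, Enc(x)_y)

def list_size(r, eps):
    """|LIST_Gamma(T_r, 1/q + eps)| for T_r = {(y, r_y) : y in [D]}."""
    T = {(y, r[y]) for y in range(D)}
    return sum(Fraction(sum(gamma(x, y) in T for y in range(D)), D) > Fraction(1, q) + eps
               for x in enc)

# Maximum list size over all received words r in [q]^D:
worst = max(list_size(r, Fraction(1, 6)) for r in product(range(q), repeat=D))
print(worst)  # 1, i.e. the toy code is (1, 1/6) list-decodable
```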

Comparison

| Object | Interpretation | Decoding problem | Std. parameters |
| --- | --- | --- | --- |
| list-decodable codes | Γ(x, y) = (y, Enc(x)_y) | T = {(y, r_y)} ⇒ \|LIST(T, 1/q+ε)\| ≤ K | q, ε constant; M, D = O(n); K = n^O(1) |

Here Γ : [N]×[D] → [M]; N = 2^n, D = 2^d, ...; T ⊆ [M]; and LIST_Γ(T, ε) = {x ∈ [N] : Pr_y[Γ(x, y) ∈ T] > ε}.

AVERAGING SAMPLERS

Sampling. Goal: given "oracle access" to a function f : [M] → {0,1}, estimate μ(f) := E_z[f(z)] while making few queries to f. Natural approach: choose random points z_1, ..., z_D ∈ [M] and output (1/D)·Σ_i f(z_i); for D = O((1/ε²)·log(1/δ)), the estimate is correct to within ±ε with probability ≥ 1 − δ. Full independence is not needed; "pseudorandom" samples suffice, such as pairwise independence (e.g. z_i = a·i + b for random a, b ∈ F_M) or random walks on expander graphs.
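The pairwise-independent approach can be sketched as follows (p = 101 and the threshold function f are hypothetical choices for illustration). Only two field elements a, b of randomness are used, yet any two sample points are independent, so Chebyshev's inequality still controls the estimate:

```python
import random

P = 101  # identify [M] with the field F_p, p prime (toy choice)

def pairwise_samples(D):
    """z_i = a*i + b mod p: each z_i is uniform, and any pair (z_i, z_j) is
    independent, using 2 random field elements instead of D."""
    a, b = random.randrange(P), random.randrange(P)
    return [(a * i + b) % P for i in range(D)]

f = lambda z: 1 if z < 50 else 0   # mu(f) = 50/101, about 0.495
random.seed(0)                     # fixed seed for reproducibility
estimates = [sum(map(f, pairwise_samples(60))) / 60 for _ in range(200)]
avg = sum(estimates) / len(estimates)
print(round(avg, 3))               # concentrates near mu(f)
```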

Averaging Samplers. Def: Samp : [N] → [M]^D is a (δ, ε) averaging sampler if for every f : [M] → {0,1}, we have Pr_{(z_1, ..., z_D) ← Samp(U_[N])}[(1/D)·Σ_i f(z_i) > μ(f) + ε] ≤ δ. Goals: minimize D (ideally D = O((1/ε²)·log(1/δ))); maximize m = log M; minimize n = log N (ideally n = m + log(1/δ)); minimize ε, δ (often ε is constant, but δ = o(1)).

Samplers in the Framework. Recall: Samp : [N] → [M]^D is a (δ, ε) averaging sampler if for every f : [M] → {0,1}, Pr_{(z_1, ..., z_D) ← Samp(U_[N])}[(1/D)·Σ_i f(z_i) > μ(f) + ε] ≤ δ. Given Samp, define Γ : [N]×[D] → [M] via Γ(x, y) = Samp(x)_y. Proposition: Samp is a (δ, ε) averaging sampler iff for every T ⊆ [M], |LIST_Γ(T, μ(T) + ε)| ≤ δN.

Comparison

| Object | Interpretation | Decoding problem | Std. parameters |
| --- | --- | --- | --- |
| list-decodable codes | Γ(x, y) = (y, Enc(x)_y) | T = {(y, r_y)} ⇒ \|LIST(T, 1/q+ε)\| ≤ K | q, ε constant; M, D = O(n); K = n^O(1) |
| samplers | Γ(x, y) = Samp(x)_y | \|LIST(T, μ(T)+ε)\| ≤ δN | n = O(m + log(1/δ)); K = δN; D = O((1/ε²)·log(1/δ)) |

Here Γ : [N]×[D] → [M]; N = 2^n, D = 2^d, ...; T ⊆ [M]; and LIST_Γ(T, ε) = {x ∈ [N] : Pr_y[Γ(x, y) ∈ T] > ε}.

EXPANDER GRAPHS

(Bipartite) Expander Graphs. [Diagram: a bipartite graph with N left vertices, each of degree D, and M right vertices; every left set S with |S| ≤ K has |Nbrs(S)| ≥ A·|S|: a "(K, A) expander".] Goals: minimize D; maximize A; maximize K; [minimize M]. Classic parameters: M = N; D = O(1) and A > 1 constants; K = Ω(N). Example: [N] = [M] = F_p, Nbrs(x) = {x+1, x−1, x^(−1)}.

List-Decoding View of Expanders. Given G, let Γ(x, y) = the y-th neighbor of x. Prop: G is a (K, A) expander iff for every T ⊆ [M] of size less than AK, we have |LIST_Γ(T, 1)| < |T|/A. [Diagram: as on the previous slide, every left set S with |S| ≤ K satisfies |Γ(S)| ≥ A·|S|: a "(K, A) expander".]
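The Prop can be verified by brute force on the example [N] = [M] = F_p from the previous slide, taking p = 5 and the convention 0^(−1) = 0 (both purely illustrative). The check below uses ≤ rather than the slide's strict inequality, since strictness is sensitive to whether the expansion bound is attained exactly, as it is in this toy graph:

```python
from itertools import combinations

P = 5  # toy field F_5

def nbrs(x):
    """Nbrs(x) = {x+1, x-1, x^{-1}}, with the convention 0^{-1} = 0."""
    inv = pow(x, P - 2, P) if x else 0
    return {(x + 1) % P, (x - 1) % P, inv}

def list1(T):
    """LIST_Gamma(T, 1): vertices all of whose neighbors land in T."""
    return {x for x in range(P) if nbrs(x) <= T}

# Exact vertex expansion A over all left sets S with |S| <= K:
K = 2
A = min(len(set().union(*(nbrs(x) for x in S))) / len(S)
        for k in range(1, K + 1) for S in combinations(range(P), k))

# List-decoding view: every nonempty T with |T| < A*K has |LIST(T, 1)| <= |T| / A.
ok = all(len(list1(set(T))) <= len(T) / A
         for k in range(1, P + 1) for T in combinations(range(P), k) if k < A * K)
print(A, ok)
```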

Comparison

| Object | Interpretation | Decoding problem | Std. parameters |
| --- | --- | --- | --- |
| list-decodable codes | Γ(x, y) = (y, Enc(x)_y) | T = {(y, r_y)} ⇒ \|LIST(T, 1/q+ε)\| ≤ K | q, ε constant; M, D = O(n); K = n^O(1) |
| samplers | Γ(x, y) = Samp(x)_y | \|LIST(T, μ(T)+ε)\| ≤ δN | n = O(m + log(1/δ)); K = δN; D = O((1/ε²)·log(1/δ)) |
| expanders | Γ(x, y) = y-th neighbor of x | \|T\| < AK ⇒ \|LIST(T, 1)\| < \|T\|/A | M = N; D = O(1); A > 1; K = Ω(N) |

Here Γ : [N]×[D] → [M]; N = 2^n, D = 2^d, ...; T ⊆ [M]; and LIST_Γ(T, ε) = {x ∈ [N] : Pr_y[Γ(x, y) ∈ T] > ε}.

PSEUDORANDOM GENERATORS

Pseudorandom Generators. [Diagram: G maps a d-bit seed to m bits that "look random".] "Looks random" means: for every "computationally feasible" test T : {0,1}^m → {0,1}, |Pr_y[T(G(y)) = 1] − Pr_z[T(z) = 1]| ≤ ε. "Computationally feasible" means: computable by a circuit of size t or, equivalently, by a time-t algorithm with t bits of advice. PRGs are useful for cryptography and for derandomizing probabilistic algorithms.
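A toy illustration of the test definition (the "generator" below is hypothetical and deliberately bad: it stretches the seed by one parity bit). The test that checks the parity relation distinguishes its output from uniform with advantage 1/2, so this G fails the definition for any ε < 1/2:

```python
from itertools import product

d, m = 3, 4

def G(y):
    """Toy 'generator': append the parity of the seed. NOT pseudorandom."""
    return y + (sum(y) % 2,)

def T(z):
    """Test: is the last bit the parity of the rest?"""
    return 1 if z[-1] == sum(z[:-1]) % 2 else 0

p_G = sum(T(G(y)) for y in product((0, 1), repeat=d)) / 2**d  # outputs always pass: 1.0
p_U = sum(T(z) for z in product((0, 1), repeat=m)) / 2**m     # half of uniform strings pass: 0.5
print(abs(p_G - p_U))  # advantage 1/2
```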

PRG Constructions. Q: Do efficiently computable PRGs exist? Open! This would require proving NP ≠ P, or at least EXP ≠ BPP. Instead we show: if sufficiently hard functions exist (say, in EXP), then efficient PRGs exist.

Black-box PRG Constructions. Def: G is a (t, k, ε) black-box PRG construction if there is a reduction R such that for every f and every test T with Pr_y[T(G^f(y)) = 1] > Pr_z[T(z) = 1] + ε, there exists advice w ∈ {0,1}^k such that R_w^T computes f everywhere; R is computable in time t with oracle access to T. [Diagram: a function f : {0,1}^ℓ → {0,1} feeds the construction G^f : {0,1}^d → {0,1}^m; a distinguishing test T : {0,1}^m → {0,1} feeds the reduction, which with k-bit advice w gives R_w^T : {0,1}^ℓ → {0,1}.] Prop: if f cannot be computed by circuits of size s, then G^f is ε-pseudorandom against circuits of size ≈ s/t.

Black-box PRG Constructions. (Definition and diagram as on the previous slide.) Common parameters: t = k = m = 1/ε ∈ [ℓ^c, 2^(ℓ/c)] for an arbitrarily large constant c, and d = O(ℓ).

PRGs in the Framework. Take n = 2^ℓ (identifying a function f : {0,1}^ℓ → {0,1} with its truth table) and define Γ(f, y) = G^f(y). Proposition: G is a (t, k, ε) PRG construction iff for every T ⊆ [M], |LIST_Γ(T, μ(T) + ε)| ≤ K = 2^k. Proof: f ∈ LIST_Γ(T, μ(T) + ε) ⟺ Pr_y[T(G^f(y)) = 1] > Pr_z[T(z) = 1] + ε, and there are at most K such f's exactly when each can be named with k bits of advice.

PRGs in the Framework. Q: What about efficient reductions? A: They are analogous to efficient "local list decoding": compute each bit of the "message" f using few queries to the "received word" T.

Comparison

| Object | Interpretation | Decoding problem | Std. parameters |
| --- | --- | --- | --- |
| list-decodable codes | Γ(x, y) = (y, Enc(x)_y) | T = {(y, r_y)} ⇒ \|LIST(T, 1/q+ε)\| ≤ K | q, ε constant; M, D = O(n); K = n^O(1) |
| samplers | Γ(x, y) = Samp(x)_y | \|LIST(T, μ(T)+ε)\| ≤ δN | n = O(m + log(1/δ)); K = δN; D = O((1/ε²)·log(1/δ)) |
| expanders | Γ(x, y) = y-th neighbor of x | \|T\| < AK ⇒ \|LIST(T, 1)\| < \|T\|/A | M = N; D = O(1); A > 1; K = Ω(N) |
| pseudorandom generators | Γ(f, y) = G^f(y) | \|LIST(T, μ(T)+ε)\| ≤ K, plus "local list-decoding" | m = 1/ε ∈ [n^c, N^(1/c)]; D = poly(n); k = poly(m) |

Here Γ : [N]×[D] → [M]; N = 2^n, D = 2^d, ...; T ⊆ [M]; and LIST_Γ(T, ε) = {x ∈ [N] : Pr_y[Γ(x, y) ∈ T] > ε}.

Comparison

| Object | Interpretation | Decoding problem | Std. parameters |
| --- | --- | --- | --- |
| list-decodable codes | Γ(x, y) = (y, Enc(x)_y) | T = {(y, r_y)} ⇒ \|LIST(T, 1/q+ε)\| ≤ K | q, ε constant; M, D = O(n); K = n^O(1) |
| samplers | Γ(x, y) = Samp(x)_y | \|LIST(T, μ(T)+ε)\| ≤ δN | n = O(m + log(1/δ)); K = δN; D = O((1/ε²)·log(1/δ)) |
| expanders | Γ(x, y) = y-th neighbor of x | \|T\| < AK ⇒ \|LIST(T, 1)\| < \|T\|/A | M = N; D = O(1); A > 1; K = Ω(N) |
| pseudorandom generators | Γ(f, y) = G^f(y) | \|LIST(T, μ(T)+ε)\| ≤ K, plus "local list-decoding" | m = 1/ε ∈ [n^c, N^(1/c)]; D = poly(n); k = poly(m) |
| randomness extractors | Γ(x, y) = Ext(x, y) | \|LIST(T, μ(T)+ε)\| ≤ K | D = poly(n/ε); k = O(m) |
| hardness amplifiers | Γ(f, y) = (y, Amp^f(y)) | T = {(y, r_y)} ⇒ \|LIST(T, 1/q+ε)\| ≤ K, plus "local list-decoding" | q constant; M, D = O(n); k = poly(n/ε) |

Here Γ : [N]×[D] → [M]; N = 2^n, D = 2^d, ...; T ⊆ [M]; and LIST_Γ(T, ε) = {x ∈ [N] : Pr_y[Γ(x, y) ∈ T] > ε}.

Conclusions
- Many pseudorandom objects are almost equivalent; each brings different intuition, techniques, and parameters.
- Open: is there a single construction Γ : [N]×[D] → [M] that is optimal for all of them?
  - For every T ⊆ [M] and ε ∈ [0,1], |LIST(T, ε)| ≤ f(|T|, ε) for f as small as possible.
  - Γ of the form Γ(x, y) = (y, ·).
  - Γ computable in polynomial time.
  - Efficient local list-decoding.
- For more information, see the proceedings and http://seas.harvard.edu/~salil/pseudorandomness