Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS151 Complexity Theory Lecture 8 April 22, 2004.

Published byBen Sadler Modified over 9 years ago

Similar presentations

Presentation on theme: "CS151 Complexity Theory Lecture 8 April 22, 2004."— Presentation transcript:

1 CS151 Complexity Theory Lecture 8 April 22, 2004

2 CS151 Lecture 82 Derandomization Goal: try to simulate BPP is subexponential time (or better) use Pseudo-Random Generator (PRG): often: PRG “good” if it passes (ad-hoc) statistical tests seedoutput string G t bitsm bits

3 April 22, 2004CS151 Lecture 83 Derandomization ad-hoc tests not good enough to prove BPP has non-trivial simulations Our requirements: –G is efficiently computable –“stretches” t bits into m bits –“fools” small circuits: for all circuits C of size at most s : |Pr y [C(y) = 1] – Pr z [C(G(z)) = 1]| ≤ ε

4 April 22, 2004CS151 Lecture 84 Simulating BPP using PRGs Recall: L  BPP implies exists p.p.t.TM M x  L  Pr y [M(x,y) accepts] ≥ 2/3 x  L  Pr y [M(x,y) rejects] ≥ 2/3 given an input x: –convert M into circuit C(x, y) –simplification: pad y so that |C| = |y| = m hardwire input x to get circuit C x Pr y [C x (y) = 1] ≥ 2/3 (“yes”) Pr y [C x (y) = 1] ≤ 1/3 (“no”)

5 April 22, 2004CS151 Lecture 85 Simulating BPP using PRGs Use a PRG G with –output length m –seed length t « m –error ε < 1/6 –fooling size s = m Compute Pr z [C x (G(z)) = 1] exactly –evaluate C x (G(z)) on every seed z  {0,1} t running time (O(m)+(time for G)) 2 t

6 April 22, 2004CS151 Lecture 86 Simulating BPP using PRGs knowing Pr z [C x (G(z)) = 1], can distinguish between two cases: 01/31/22/31 “yes”: ε 01/31/22/31 “no”: ε

7 April 22, 2004CS151 Lecture 87 Blum-Micali-Yao PRG Initial goal: for all 1 > δ > 0, we will build a family of PRGs {G m } with: output length m fooling size s = m seed length t = m δ running time m c error ε < 1/6 implies: BPP   δ>0 TIME(2 n δ )  EXP Why? simulation runs in time O(m+m c )(2 m δ ) = O(2 m 2δ ) = O(2 n 2kδ )

8 April 22, 2004CS151 Lecture 88 Blum-Micali-Yao PRG PRGs of this type imply existence of one-way- functions –we’ll use widely believed cryptographic assumptions Definition: One Way Function (OWF): function family f = {f n }, f n :{0,1} n  {0,1} n –f n computable in poly(n) time –for every family of poly-size circuits {C n } Pr x [C n (f n (x))  f n -1 (f n (x))] ≤ ε(n) –ε(n) = o(n c ) for all c

9 April 22, 2004CS151 Lecture 89 Blum-Micali-Yao PRG believe one-way functions exist –e.g. integer multiplication, discrete log, RSA (w/ minor modifications) Definition: One Way Permutation: OWF in which f n is 1-1 –can simplify “Pr x [C n (f n (x))  f n -1 (f n (x))] ≤ ε(n)” to Pr y [C n (y) = f n -1 (y)] ≤ ε(n)

10 April 22, 2004CS151 Lecture 810 First attempt attempt at PRG from OWF f: –t = m δ –Y 0  {0,1} t –y i = f t (y i-1 ) –G(y 0 ) = y k-1 y k-2 y k-3 …y 0 –k = m/t computable in time at most kt c < m c = m c

11 April 22, 2004CS151 Lecture 811 First attempt output is “unpredictable”: –no poly-size circuit C can output y i-1 given y k-1 y k-2 y k-3 …y i with non-negl. success prob. –if C could, then given y i can compute y k-1, y k-2, …, y i+2, y i+1 and feed to C –result is poly-size circuit to compute y i-1 = f t -1 (y i ) from y i –note: we’re using that f t is 1-1

12 April 22, 2004CS151 Lecture 812 First attempt attempt: Y 0  {0,1} t y i = f t (y i-1 ) G(y 0 ) = y k-1 y k-2 y k-3 …y 0 y0y0 y1y1 y2y2 y3y3 y4y4 y5y5 ftft ftft ftft ftft ftft G(y 0 ): y0y0 y1y1 y2y2 y3y3 y4y4 y5y5 f t -1 ftft ftft G’(y 3 ): f t -1 same distribution!

13 April 22, 2004CS151 Lecture 813 First attempt one problem: –hard to compute y i-1 from y i –but might be easy to compute single bit (or several bits) of y i-1 from y i –could use to build small circuit C that distinguishes G’s output from uniform distribution on {0,1} m

14 April 22, 2004CS151 Lecture 814 First attempt second problem –we don’t know if “unpredictability” given a prefix is sufficient to meet fooling requirement: |Pr y [C(y) = 1] – Pr z [C(G(z)) = 1]| ≤ ε

15 April 22, 2004CS151 Lecture 815 Hard bits If {f n } is one-way permutation we know: –no poly-size circuit can compute f n -1 (y) from y with non-negligible success probability Pr y [C n (y) = f n -1 (y)] ≤ ε’(n) We want to identify a single bit position j for which: –no poly-size circuit can compute (f n -1 (x)) j from x with non-negligible advantage over a coin flip Pr y [C n (y) = (f n -1 (y)) j ] ≤ ½ + ε(n)

16 April 22, 2004CS151 Lecture 816 Hard bits For some specific functions f we know of such a bit position j More general: function h n :{0,1} n  {0,1} rather than just a bit position j.

17 April 22, 2004CS151 Lecture 817 Hard bits Definition: hard bit for g = {g n } is family h = {h n }, h n :{0,1} n  {0,1} such that if circuit family {C n } of size s(n) achieves: Pr x [C n (x) = h n (g n (x))] ≥ ½ + ε(n) then there is a circuit family {C’ n } of size s’(n) that achieves: Pr x [C’ n (x) = g n (x)] ≥ ε’(n) with: –ε’(n) = (ε(n)/n) O(1) –s’(n) = (s(n)n/ε(n)) O(1)

18 April 22, 2004CS151 Lecture 818 Goldreich-Levin To get a generic hard bit, first need to modify our one-way permutation Define f’ n :{0,1} n x {0,1} n  {0,1} 2n as: f’ n (x,y) = (f n (x), y)

19 April 22, 2004CS151 Lecture 819 Goldreich-Levin Two observations: –f’ is a permutation if f is –if circuit C n achieves Pr x,y [C n (x,y) = f’ n -1 (x,y)] ≥ ε(n) then for some y * Pr x [C n (x,y * )=f’ n -1 (x,y * )=(f n -1 (x), y * )] ≥ ε(n) and so f’ is a one-way permutation if f is. f’ n (x,y) = (f n (x), y)

20 April 22, 2004CS151 Lecture 820 Goldreich-Levin The Goldreich-Levin function: GL 2n : {0,1} n x {0,1} n  {0,1} is defined by: GL 2n (x,y) =  i:y i = 1 x i –parity of subset of bits of x selected by 1’s of y –inner-product of n-vectors x and y in GF(2) Theorem (G-L): for every function f, GL is a hard bit for f’. (proof: problem set)

21 April 22, 2004CS151 Lecture 821 Distinguishers and predictors Distribution D on {0,1} n D ε -passes statistical tests of size s if for all circuits of size s: |Pr y  U n [C(y) = 1] – Pr y  D [C(y) = 1]| ≤ ε –circuit violating this is sometimes called an efficient “distinguisher”

22 April 22, 2004CS151 Lecture 822 Distinguishers and predictors D ε -passes prediction tests of size s if for all circuits of size s: Pr y  D [C(y 1,2,…,i-1 ) = y i ] ≤ ½ + ε –circuit violating this is sometimes called an efficient “predictor” predictor seems stronger Yao showed essentially the same! –important result and proof (“hybrid argument”)

23 April 22, 2004CS151 Lecture 823 Distinguishers and predictors Theorem (Yao): if a distribution D on {0,1} n (ε/n)-passes all prediction tests of size s, then it ε-passes all statistical tests of size s’ = s – O(n).

24 April 22, 2004CS151 Lecture 824 Distinguishers and predictors Proof: –idea: proof by contradiction –given a size s’ distinguisher C: |Pr y  U n [C(y) = 1] – Pr y  D [C(y) = 1]| > ε –produce size s predictor P: Pr y  D [P(y 1,2,…,i-1 ) = y i ] > ½ + ε/n –work with distributions that are “hybrids” of the uniform distribution U n and D

25 April 22, 2004CS151 Lecture 825 Distinguishers and predictors –given a size s’ distinguisher C: |Pr y  U n [C(y) = 1] – Pr y  D [C(y) = 1]| > ε –define n+1 hybrid distributions –hybrid distribution D i : sample b = b 1 b 2 …b n from D sample r = r 1 r 2 …r n from U n output: b 1 b 2 …b i r i+1 r i+2 …r n

26 April 22, 2004CS151 Lecture 826 Distinguishers and predictors Hybrid distributions: D 0 = U n : D n = D: D i-1 : Di:Di:........................

27 April 22, 2004CS151 Lecture 827 Distinguishers and predictors –Define: p i = Pr y  D i [C(y) = 1] –Note: p 0 =Pr y  U n [C(y)=1]; p n =Pr y  D [C(y)=1] –by assumption:ε < |p n – p 0 | –triangle inequality: |p n – p 0 | ≤ Σ 1 ≤ i ≤ n |p i – p i-1 | –there must be some i for which |p i – p i-1 | > ε/n –WLOG assume p i – p i-1 > ε/n can invert output of C if necessary

28 April 22, 2004CS151 Lecture 828 Distinguishers and predictors –define distribution D i ’ to be D i with i-th bit flipped –p i ’ = Pr y  D i ’ [C(y) = 1] –notice: D i-1 = (D i + D i ’ )/2 p i-1 = (p i + p i ’ )/2 D i-1 : Di:Di: D i ’:

29 April 22, 2004CS151 Lecture 829 Distinguishers and predictors randomized predictor P’ for i th bit: –input: u = y 1 y 2 …y i-1 –flip a coin: d  {0, 1} –w = w i+1 w i+2 …w n  U n-i –evaluate C(udw) –if 1, output d; if 0, output  d Claim: Pr y  D,d,w  U n-i [P’(y 1 … i-1 ) = y i ] > ½ + ε/n.

30 April 22, 2004CS151 Lecture 830 Distinguishers and predictors P’ is randomized procedure there must be some fixing of its random bits d, w that preserves the success prob. final predictor P has d * and w * hardwired: C may need to add  gate d*d* w*w* circuit for P: Size is s’ + O(n) = s as promised

31 April 22, 2004CS151 Lecture 831 Distinguishers and predictors Proof of claim: Pr y  D,d,w  U n-i [P’(y 1 … i-1 ) = y i ] = Pr[y i = d | C(u,d,w) = 1]Pr[C(u,d,w) = 1] + Pr[y i =  d | C(u,d,w) = 0]Pr[C(u,d,w) = 0] = Pr[y i = d | C(u,d,w) = 1](p i-1 ) + Pr[y i =  d | C(u,d,w) = 0](1 - p i-1 )

32 April 22, 2004CS151 Lecture 832 Distinguishers and predictors –Observe: Pr[y i = d | C(u,d,w) = 1] = Pr[C(u,d,w) = 1 | y i = d]Pr[y i =d] / Pr[C(u,d,w) = 1] = p i /(2p i-1 ) Pr[y i =  d | C(u,d,w) = 0] = Pr[C(u,d,w) = 0 | y i =  d]Pr[y i =  d] / Pr[C(u,d,w) = 0] = (1 – p i ’) / 2(1 - p i-1 )

33 April 22, 2004CS151 Lecture 833 Distinguishers and predictors Success probability: Pr[y i =d|C(u,d,w)=1](p i-1 ) + Pr[y i =  d|C(u,d,w)=0](1-p i-1 ) We know: –Pr[y i = d | C(u,d,w) = 1] = p i /(2p i-1 ) –Pr[y i =  d | C(u,d,w) = 0] = (1 - p i ’)/2(1 - p i-1 ) –p i-1 = (p i + p i ’)/2 –p i – p i-1 > ε/n Conclude: Pr[P’(y 1 … i-1 ) = y i ] = ½ + (p i - p i ’)/2 = ½ + p i – p i-1 > ½ + ε/n.

34 April 22, 2004CS151 Lecture 834 The BMY Generator Recall goal: for all 1 > δ > 0, family of PRGs {G m } with output length m fooling size s = m seed length t = m δ running time m c error ε < 1/6 If one way permutations exist then WLOG there is an f = {f n } with a hard bit h = {h n }

35 April 22, 2004CS151 Lecture 835 The BMY Generator Generator G δ = { G δ m }: –t = m δ –Y 0  {0,1} t –y i = f t (y i-1 ) –b i = h t (y i ) –G δ (y 0 ) = b m-1 b m-2 b m-3 …b 0

36 April 22, 2004CS151 Lecture 836 The BMY Generator Theorem (BMY): for every δ > 0, and all d, e, G δ is a PRG with error ε < 1/m d fooling size s = m e running time m c Note: stronger than we needed –sufficient to have ε < 1/6; s = m

37 April 22, 2004CS151 Lecture 837 The BMY Generator Proof: –computable in time at most mt c < m c+1 –assume G δ does not (1/m d )-pass statistical test C = {C m } of size m e : |Pr y  U [C(y) = 1] – Pr z  D [C(z) = 1]| >1/m d Generator G δ = { G δ m }: –t = m δ ; Y 0  {0,1} t ; y i = f t (y i-1 ); b i = h t (y i ) –G δ m (y 0 ) = b m-1 b m-2 b m-3 …b 0

38 April 22, 2004CS151 Lecture 838 The BMY Generator –can transform this distinguisher into a predictor P of size m e + O(m): Pr y [P(b m-1 …b m-i ) = b m-i-1 ] > ½ + 1/m d-1 Generator G δ = { G δ m }: –t = m δ ; Y 0  {0,1} t ; y i = f t (y i-1 ); b i = h t (y i ) –G δ m (y 0 ) = b m-1 b m-2 b m-3 …b 0

39 April 22, 2004CS151 Lecture 839 The BMY Generator –a procedure to compute h t (f t -1 (y)) set y m-i = y; b m-i = h t (y m-i ) compute y j, b j for j = m-i+1, m-i+2…, m-1 as above evaluate P(b m-1 b m-2 …b m-i ) f a permutation implies b m-1 b m-2 …b m-i distributed as (prefix of) output of generator: Pr y [P(b m-1 b m-2 …b m-i ) = b m-i-1 ] > ½ + 1/m d-1 Generator G δ = { G δ m }: –t = m δ ; Y 0  {0,1} t ; y i = f t (y i-1 ); b i = h t (y i ) –G δ m (y 0 ) = b m-1 b m-2 b m-3 …b 0

40 April 22, 2004CS151 Lecture 840 The BMY Generator Pr y [P(b m-1 b m-2 …b m-i ) = b m-i-1 ] > ½ + 1/m d-1 –What is b m-i-1 ? b m-i-1 = h t (y m-i-1 ) = h t (f t -1 (y m-i )) = h t (f t -1 (y)) –We have described a family of polynomial-size circuits that computes h t (f t -1 (y)) from y with success greater than ½ + 1/poly(m) –Contradiction. Generator G δ = { G δ m }: –t = m δ ; Y 0  {0,1} t ; y i = f t (y i-1 ); b i = h t (y i ) –G δ m (y 0 ) = b m-1 b m-2 b m-3 …b 0

41 April 22, 2004CS151 Lecture 841 The BMY Generator y0y0 y1y1 y2y2 y3y3 y4y4 y5y5 ftft ftft ftft ftft ftft G(y 0 ): y0y0 y1y1 y2y2 y3y3 y4y4 y5y5 f t -1 ftft ftft G’(y 3 ): f t -1 b0b0 b1b1 b2b2 b3b3 b4b4 b5b5 b0b0 b1b1 b2b2 b3b3 b4b4 b5b5 same distribution

Download ppt "CS151 Complexity Theory Lecture 8 April 22, 2004."

Similar presentations

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.
Unconditional Weak derandomization of weak algorithms Explicit versions of Yao s lemma Ronen Shaltiel, University of Haifa :

Unconditional Weak derandomization of weak algorithms Explicit versions of Yao s lemma Ronen Shaltiel, University of Haifa :
Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.

Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.

Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Circuit Complexity and Derandomization Tokyo Institute of Technology Akinori Kawachi.

Circuit Complexity and Derandomization Tokyo Institute of Technology Akinori Kawachi.
A survey on derandomizing BPP and AM Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

A survey on derandomizing BPP and AM Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Complexity Theory Lecture 11 Lecturer: Moni Naor.

Complexity Theory Lecture 11 Lecturer: Moni Naor.
Randomized Algorithms Kyomin Jung KAIST Applied Algorithm Lab Jan 12, WSAC 2010 1.

Randomized Algorithms Kyomin Jung KAIST Applied Algorithm Lab Jan 12, WSAC
Time vs Randomness a GITCS presentation February 13, 2012.

Time vs Randomness a GITCS presentation February 13, 2012.
Foundations of Cryptography Lecture 8: Application of GL, Next-bit unpredictability, Pseudo-Random Functions. Lecturer: Moni Naor Announce home )deadline.

Foundations of Cryptography Lecture 8: Application of GL, Next-bit unpredictability, Pseudo-Random Functions. Lecturer: Moni Naor Announce home )deadline.
CS151 Complexity Theory Lecture 5 April 13, 2015.

CS151 Complexity Theory Lecture 5 April 13, 2015.
CS151 Complexity Theory Lecture 7 April 20, 2004.

CS151 Complexity Theory Lecture 7 April 20, 2004.
Some Thoughts regarding Unconditional Derandomization Oded Goldreich Weizmann Institute of Science RANDOM 2010.

Some Thoughts regarding Unconditional Derandomization Oded Goldreich Weizmann Institute of Science RANDOM 2010.
CS151 Complexity Theory Lecture 5 April 13, 2004.

CS151 Complexity Theory Lecture 5 April 13, 2004.
Foundations of Cryptography Lecture 5: Signatures and pseudo-random generators Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5: Signatures and pseudo-random generators Lecturer: Moni Naor.
1 Slides by Iddo Tzameret and Gil Shklarski. Adapted from Oded Goldreich’s course lecture notes by Erez Waisbard and Gera Weiss.

1 Slides by Iddo Tzameret and Gil Shklarski. Adapted from Oded Goldreich’s course lecture notes by Erez Waisbard and Gera Weiss.

Similar presentations

Ads by Google