Time vs Randomness a GITCS presentation February 13, 2012

Complexity theory is like chemistry.

How powerful is time + randomization?

Some problems in BPP… Primality testing Polynomial identity testing Taking square roots modulo a prime Finding a generator of Z p * Constructing expander graphs

Some problems in BPP… Primality testing Polynomial identity testing Taking square roots modulo a prime Finding a generator of Z p * Constructing expander graphs These are all in P

Some problems in BPP… Primality testing Polynomial identity testing Taking square roots modulo a prime Finding a generator of Z p * Constructing expander graphs These are all in P (probably)

Randomness is unimportant. …as far as algorithms are concerned. Derandomization: Randomized algorithms can be replaced with an equivalent deterministic one. Polynomial Time + Randomization = Polynomial Time.

How to derandomize stuff. A x r Yes/No

How to derandomize stuff. B A x All r Yes/NoMAJORITY

How to derandomize stuff. G short random seed Long pseudorandom sequence

How to derandomize stuff. A better way: use a pseudorandom generator. Time: O(2 d ) calls to A If d = O(log n), then C runs in poly time! C A xYes/NoMAJORITY G All short seeds

To build a PRG from scratch, you must first invent a hard function…

The existence of a hard function is equivalent to Efficient pseudorandomness The Great Idea

Roadmap 1.Cryptographic origins 2.Towards derandomizing BPP 3.P=BPP from worst-case hardness 4.How to prove it 5.Recent developments and open questions 6.The Nisan-Wigderson generator

Cryptographic beginnings Randomness is (provably) necessary in cryptography. Independent, unbiased random bits are hard to get. Cryptographers started looking for ways to generate pseudorandomness. Traditional notions of pseudorandom sequences do not suffice!

Pseudorandom generator

Cryptographic PRGs A cryptographic PRG is a PRG G that fools all polytime algorithms and has polynomial stretch.

Cryptographic PRGs Shamir, Blum, Micali, Yao were the first to create cryptographic PRGs, but not unconditionally! These PRGs require the existence of one way functions (OWFs). – Stronger than P ≠ NP! [HILL99] proved cryptographic PRGs are equivalent to one way functions.

Roadmap 1.Cryptographic origins 2.Towards derandomizing BPP 3.P=BPP from worst case hardness 4.How to prove it 5.Recent developments and open questions 6.The Nisan-Wigderson generator

Towards P=BPP

Weaker assumptions, better results? Ideal situation: P ≠ EXP implies the existence of PRGs with O(log n) seed length (i.e. P = BPP)

Weaker assumptions, better results? Ideal situation: P ≠ EXP implies the existence of PRGs with O(log n) seed length (i.e. P = BPP) – This is unlikely 

The First Breakthrough 1994: The Nisan-Wigderson Pseudorandom Generator

Nisan-Wigderson PRG

An assumption about a larger class than NP, and so is weaker! The class of algorithms consists of circuits.

Nisan-Wigderson PRG

Even weaker assumptions? The assumption on EXP is quite strong. – This is an average-case hardness assumption. What’s the weakest possible assumption?

Even weaker assumptions?

Roadmap 1.Cryptographic origins 2.Towards derandomizing BPP 3.P=BPP from worst case hardness 4.How to prove it 5.Recent developments and open questions 6.The Nisan-Wigderson generator

The Second Breakthrough 1997: The Impagliazzo-Wigderson Pseudorandom Generator

Impagliazzo-Wigderson PRG

worst case hardaverage case hard NW94 PRG

Roadmap 1.Cryptographic origins 2.Towards derandomizing BPP 3.P=BPP from worst case hardness 4.How to prove it 5.Recent developments and open questions 6.The Nisan-Wigderson generator

Proving pseudorandomness

Proving hardness amplification worst-case hardness mild avg-case hardness constant avg-case hardness xTreme avg-case hardness small circuits fail on at least 1 input small circuits fail on 1/poly fraction of input small circuits fail on constant fraction of input small circuits fail on ½ - ε fraction of input

Proving hardness amplification

Roadmap 1.Cryptographic origins 2.Towards derandomizing BPP 3.P=BPP from worst case hardness 4.How to prove it 5.Recent developments and open questions 6.The Nisan-Wigderson generator

Can we derandomize BPP without proving circuit lower bounds? Rephrased: can we show P=BPP without creating pseudorandom generators? One might hope that there’s a shortcut!

Can we derandomize BPP without proving circuit lower bounds? In 2002 Kabanets and Impagliazzo showed that P = BPP implies either: – NEXP is not contained in P/poly OR – The Permanent is not in AlgP/poly Either way, showing P=BPP would mean you’ve done something doubly amazing!

Can we derandomize BPP without proving circuit lower bounds? Open question: does P=BPP imply exponential- size lower bounds on EXP? worst-case hardness of EXP PRGs P = BPP ?

The Pseudorandom Connection There’s a zoo of pseudorandom objects: – PRGs – Expander graphs – Randomness extractors – List decodable codes – Randomness samplers – and more! There is an almost-equivalence between these disparate objects.

The Pseudorandom Connection Open questions: Explain this unification. What are the optimal conversions between different objects? Is there a “most fundamental” pseudorandom object?

Break

Roadmap 1.Cryptographic origins 2.Towards derandomizing BPP 3.P=BPP from worst case hardness 4.How to prove it 5.Recent developments and open questions 6.The Nisan-Wigderson generator