Error-Correcting Codes and Pseudorandom Projections Luca Trevisan U.C. Berkeley.


About this talk
Take the input, encode it with an error-correcting code, and restrict the codeword to a (pseudo)randomly chosen subset of the bits
This approach works to construct hash functions, randomness extractors, pseudorandom generators, and more
A few different applications of the approach exist, with very different analyses
If the moral of [Vadhan, 2001] is right, all the constructed objects are the same, and it is not surprising that the same approach works for all of them. Then why the differences in analysis?

Disclaimers
This talk will
–be technically imprecise
–lack proper credits and “historic” perspective
–have an open finale rather than a happy ending

Cast of Characters
Hash Functions map an input to a “random” output
Randomness Extractors map a “weakly random” input to a random output
Pseudorandom Generators map a short random input to a long pseudorandom output
Error-correcting codes

Hash Functions
[Diagram: input x and seed s enter H, which outputs H_s(x)]
For x ≠ y, and for random s, H_s(x) is very likely to be different from H_s(y).

Error-correcting Codes
[Diagram: input x enters C, which outputs C(x)]
Injective map of n bits into N bits (typically, N = O(n))
If x ≠ y, then C(x) and C(y) differ in several places (typically, they differ in Ω(N) positions)

Hash Functions from Error-Correcting Codes
Used several times: ISW00, MV99, M98, ..., GW94, ...
[Diagram: x and y are encoded as C(x) and C(y); the same seed s selects the bits that form H_s(x) and H_s(y)]

Analysis
Say that C() maps n bits into N bits, and if x ≠ y then C(x) and C(y) differ in N/3 places.
s describes a subset of N/3 of size m
H_s(x) is C(x) “projected” to the bits of s
If x ≠ y, then Pr_s[H_s(x) = H_s(y)] < (2/3)^m
s can be specified using m log n random bits
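A worked instance of this analysis, added here as an example and not taken from the talk: the Hadamard code (distance exactly N/2, which satisfies the N/3 requirement) stands in for C, and the collision probability of the projected hash is computed exactly by enumerating every seed. The function names, the toy parameters n = 4, m = 3, and the choice to draw the m positions with replacement are assumptions of the example.

```python
# Added example: the Hadamard code is an assumed stand-in for C.
import itertools
from fractions import Fraction

def hadamard_encode(x, n):
    """C(x): the bit <x, a> mod 2 for every a in {0,1}^n, so N = 2^n."""
    return [bin(x & a).count("1") & 1 for a in range(1 << n)]

def project_hash(codeword, seed):
    """H_s(x): the codeword restricted to the positions listed in seed s."""
    return tuple(codeword[i] for i in seed)

def min_distance(n):
    """Smallest number of positions in which two distinct codewords differ."""
    code = [hadamard_encode(x, n) for x in range(1 << n)]
    return min(sum(a != b for a, b in zip(cx, cy))
               for cx, cy in itertools.combinations(code, 2))

def collision_probability(x, y, n, m):
    """Exact Pr_s[H_s(x) = H_s(y)], enumerating all N^m seeds.
    Assumption: the m positions are drawn independently, with replacement."""
    cx, cy = hadamard_encode(x, n), hadamard_encode(y, n)
    size = 1 << n
    hits = sum(project_hash(cx, s) == project_hash(cy, s)
               for s in itertools.product(range(size), repeat=m))
    return Fraction(hits, size ** m)

def worst_case_collision(n, m):
    """Largest collision probability over all pairs x != y."""
    return max(collision_probability(x, y, n, m)
               for x, y in itertools.combinations(range(1 << n), 2))

if __name__ == "__main__":
    n, m = 4, 3                      # constructed toy parameters
    N = 1 << n
    print("N =", N, "min distance =", min_distance(n))
    print("worst collision prob:", worst_case_collision(n, m))
    print("bound (2/3)^m:", Fraction(2, 3) ** m)
    print("seed length in bits:", m * n)   # m * log2(N)
```

Because the Hadamard code has N = 2^n, it only illustrates the collision bound; the seed-length claim on the slide relies on a code with N = O(n).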

Other Observations
Projection points can be chosen along a random walk on an expander
–Collision prob. 2^{-k} achievable with log n + O(k) random bits
Used in one of the hash functions of [Goldreich-Wigderson, 1994].
In a RAM with division and multiplication, the error-correcting code and projection (and so the hash function) are computable in O(1) time [Miltersen, 1998]

Extractors
[Diagram: E takes x (n bits, entropy k) and s (d bits, uniform) and outputs E(s,x) (m bits, uniform)]
If x is sampled from a distribution with min-entropy k, and s is uniform, then E(s,x) is almost uniform
Similar to hash functions, but want d = O(log n)

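Pseudorandom Projections
[Diagram: inside E, x is encoded as C(x); the seed s drives a projection (Proj) of C(x), and the projected bits are the output E(s,x)]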

The Nisan-Wigderson projection generator
[Diagram: the seed s generates the projection points a_1, a_2, a_3, a_4]


Notions of almost-independence
Standard notion of “almost” independence for random vars A_1,…,A_m implies:
–there are conditional distributions where A_1,…,A_{m-1} are fixed, yet A_m has still high entropy
In NW, A_m is determined once A_1,…,A_{m-1}
However, in NW, there are conditional distributions where A_m is completely random, yet each of A_1,…,A_{m-1} has very low entropy

Properties
Let NW(s,x) be x projected to the coordinates generated from s using the NW generator.
Suppose that D is a procedure that, for a random s, distinguishes NW(s,x) from uniform
Then there is a string x’ “close” to x such that:
–x’ has a small description given D
–x’ is “efficiently computable” given D and some small amount of additional information

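Extractor Based on NW
[Diagram: inside E, x is encoded as C(x); the seed s drives the NW projection of C(x), and the projected bits are the output E(s,x)]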

Analysis
If it were not a good extractor, there would be a distribution X of high min-entropy and a function D, such that, for a random s, D distinguishes NW(C(X),s) from uniform
For most (fixed) x taken from X, D would distinguish NW(C(x),s) from uniform
For each such x, there is x’ close to C(x) with small description
If X has high min-entropy, with high probability C(X) is not close to a string of small description complexity.
Contradiction: it is a good extractor

B.B. Pseudorandom Generators
[Diagram: G takes f (description of a function of high circuit complexity) and s (d bits, uniform) and outputs G_f(s) (m bits, pseudorandom)]
If f has high circuit complexity, and s is uniform, then G_f(s) is indistinguishable from uniform
Similar to extractors, but with computational requirements

A Construction
Encode the truth-table of function f using an error-correcting code based on multivariate polynomials
Project the encoded truth-table to a subset of entries chosen using seed s and the NW projection generator
Essentially the same as the extractor seen before
Analysis:
–Need the error-correcting code to have a “sub-linear time list-decoding” procedure [STV99]
–Need the computational version of the analysis of the NW projection generator

Notes
Things were discovered in reverse order (pseudorandom generator first, extractor later)
In the original proof [Impagliazzo-Wigderson, 1997], the encoding of f is not presented as a good error-correcting code (and the analysis does not use list-decoding)

Fully Algebraic Construction?
In the NW-based extractor, and in a possible implementation of the NW-based pseudorandom generator:
–Input x (resp., function f) is encoded as a multivariate polynomial p
–Seed s is used to generate points a_1,…,a_m
–Output is p(a_1),…,p(a_m) [up to minor cheating]
No algebraic meaning to a_1,…,a_m
How about letting a_1,…,a_m be on a random line?

Miltersen-Vinodchandra
Encode function f as a multivariate polynomial p
Use seed s to pick an axis-parallel line
Output the values of p restricted to the line
Does not give an extractor or pseudorandom generator, but (with some more machinery) gives a good hitting set generator
Analysis uses the observation about a random projection of a code being a good hash function

Ta-Shma-Zuckerman-Safra
Encode input x as a multivariate polynomial p
Use seed s to select an axis-parallel line and a starting point on the line
Output the values of p on a few consecutive points on the line, beginning with the starting point
Gives a good extractor
Analysis has a high-level structure similar to the analysis of the NW-based extractor: a distinguisher implies a short description for x
Note: the short description is not computationally efficient; the construction does not imply a p.r.g.

Shaltiel-Umans
Encode input x as a multivariate polynomial p in F^d
Use seed s to pick a generator g of F^d
Evaluate p on g, g^2, ...
A distinguisher implies that x has a (computationally efficient) short description
Gives extractors and p.r.g.; performance as good as that of the best optimized previous constructions

Conclusions?
What choices of pseudorandom projections are good to turn error-correcting codes into extractors / pseudorandom generators, and why?
Do good extractors / p.r.g. follow from encoding with multivariate polynomials and projecting on parts of a random (non-axis-parallel) line?
The NW projections give extractors using any error-correcting codes. Alternative methods with the same generality?