Presentation is loading. Please wait.

Presentation is loading. Please wait.

Error-Correcting Codes and Pseudorandom Projections Luca Trevisan U.C. Berkeley.

Published byTamsyn Lawson Modified over 8 years ago

Similar presentations

Presentation on theme: "Error-Correcting Codes and Pseudorandom Projections Luca Trevisan U.C. Berkeley."— Presentation transcript:

1

2 Error-Correcting Codes and Pseudorandom Projections Luca Trevisan U.C. Berkeley

3 About this talk Take the input, encode with an error-correcting code, and restrict the codeword to a (pseudo)randomly chosen subset of the bits The above approach works to construct hash functions, randomness extractors, pseudorandom generators, and more A few different applications of the approach exist, with very different analyses If the moral of [Vadhan, 2001] is right, all constructed objects are the same, and that same approach works for all is not surprising. Then why differences in analysis?

4 Disclaims This talk will –be technically imprecise –lack proper credits and “historic” perspective –have an open finale rather than a happy ending

5 Cast of Characters Hash Functions map an input to a “random” output Randomness Extractors map a “weakly random” input to a random output Pseudorandom Generators map a short random input to a long pseudorandom output Error-correcting codes

6 Hash Functions H x s H s (x) For x=/=y, and for random s, H s (x) very likely to be different from H s (y).

7 Error-correcting Codes C x C(x) Injective map of n bits in N bits (typically, N=O(n)) If x=/=y, then C(x) and C(y) differ in several places (typically, differ in  (N) positions)

8 Hash Functions from Error Correcting-Codes Used several times: ISW00, MV99, M98,..., GW94,... C C y C(x) C(y) s s H s (x) H s (y) x

9 Analysis Say that C() maps n bits into N bits, and if x=/=y then C(x) and C(y) differ in N/3 places. s describes a subset of N/3 of size m H s (x) is C(x) “projected” to the bits of s If x=/=y, then, Pr s [H s (x) = H s (y)] < (2/3) m s can be specified using mlog n random bits

10 Other Observations Projection points can be chosen along random walk on expander –Collision prob. 2 -k achievable with log n + O(k) random bits Used in one of the hash functions of [Goldreich-Wigderson, 1994]. In a RAM with division and multiplication, error correcting code and projection (and so, hash function) is computable in O(1) time [Miltersen, 1998]

11 Extractors E x s E(s,x) If x sampled from distribution with min-entropy k, and s uniform, then E(s,x) almost uniform Similar to hash functions, but want d=O(log n) n bits, entropy k m bits, uniform d bits, uniform

12 Pseudorandom Projections C C(x) s x Proj E E(s,x)

13 The Nisan-Wigderson projection generator... s a1a1 a2a2 a3a3 a4a4

14 The Nisan-Wigderson projection generator 0 1 1 0 1 0 1 1 0... 0 1 1 0 1 1 0 1 0 1 0 0 0 1 s a1a1 a2a2 a3a3 a4a4

15 Notions of almost-independence Standard notion of “almost” independence for random vars A 1,…,A m implies: – there are conditional distributions where A 1,…,A m-1 are fixed, yet A m has still high entropy In NW, A m is determined once A 1,…,A m-1 However, in NW, there are conditional distributions where A m is completely random, yet each of A 1,…,A m-1 has very low entropy

16 Properties Let NW(s,x) be x projected to the coordinates generated from s using the NW generator. Suppose that D is a procedure that, for a random s, distinguishes NW(s,x) from uniform Then there is a string x’ “close” to x such that: –x’ has a small description given D –x’ is “efficiently computable” given D and some small amount of additional information

17 Extractor Based on NW C C(x) s x NW E E(s,x)

18 Analysis If it were not a good extractor, there would be a distribution X of high min-entropy and a function D, such that, for a random s, D distinguishes NW(C(X),s) from uniform For most (fixed) x taken from X, D would distinguish NW(C(x),s) from uniform For each such x, there is x’ close to C(x) with small description If X has high min-entropy, with high probability C(X) is not close to a string of small description complexity. Contradiction: it is a good extractor

19 B.B. Pseudorandom Generators G f s G f (s) If f has high circuit complexity, and s uniform, then G f (s) indistinguishable from uniform Similar to extractors, but with computational requirements description of function of high circuit complexity m bits, pseudorandom d bits, uniform

20 A Construction Encoding truth-table of function f using error- correcting code based on multivariate polynomials Project encoded truth-table to a subset of entries chosen using seed s and NW projection generator Essentially same as extractor seen before Analysis: –Need the error-correcting code to have a “sub- linear time list-decoding” procedure [STV99] –Need the computational version of the analysis of the NW projection generator

21 Notes Things were discovered in reverse order (pseudorandom generator first, extractor later) In original proof [Impagliazzo-Wigderson, 1997], encoding of f not presented as a good error-correcting code (and analysis does not use list-decoding)

22 Fully Algebraic Construction? In NW-based extractor, and in possible implementation of NW-based pseudorandom generator: –Input x (resp., function f) is encoded as a multivariate polynomial p –Seed s is used to generate points a 1,…,a m –Output is p(a 1 ),…,p(a m ) [up to minor cheating] No algebraic meaning to a 1,…,a m How about a 1,…,a m be on a random line?

23 Miltersen-Vinodchandra Encode function f as multivariate polynomial p Use seed s to pick an axis parallel line Output values of p restricted to the line Does not give extractor or pseudorandom generator, but (with some more machinery) gives a good hitting set generator Analysis uses the observation about random projection of a code being good hash function

24 Ta-Shma-Zuckerman-Safra Encode input x as a multivariate polynomial p Use seed s to select an axis-parallel line and a starting point on the line Output values of p on a few consecutive points on the line, beginning with the starting point Gives a good extractor Analysis has similar high-level structure of analysis of NW-based extractor: a distinguisher implies a short description for x Note: short description not computationally efficient; construction does not imply p.r.g.

25 Shaltiel-Umans Encode input x as multivariate polynomial p in F d Use seed s to pick generator g of F d Evaluate p on g, g 2,... Distinguisher implies that x has (computationally efficient) short description Gives extractors and p.r.g.; performances as good as of best optimized previous constructions

26 Conclusions? What choices of pseudorandom projections are good to turn error-correcting codes into extractors / pseudorandom generators, and why? Do good extractors / prg follow from encoding with multivar polynomials and projecting on parts of a random (non-axis parallel) line? The NW projections give extractors using any error-correcting codes. Alternative methods with same generality?

Download ppt "Error-Correcting Codes and Pseudorandom Projections Luca Trevisan U.C. Berkeley."

Similar presentations

Estimating Distinct Elements, Optimally

Estimating Distinct Elements, Optimally
Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.

Quantum t-designs: t-wise independence in the quantum world Andris Ambainis, Joseph Emerson IQC, University of Waterloo.
PRG for Low Degree Polynomials from AG-Codes Gil Cohen Joint work with Amnon Ta-Shma.

PRG for Low Degree Polynomials from AG-Codes Gil Cohen Joint work with Amnon Ta-Shma.
Invertible Zero-Error Dispersers and Defective Memory with Stuck-At Errors Ariel Gabizon Ronen Shaltiel.

Invertible Zero-Error Dispersers and Defective Memory with Stuck-At Errors Ariel Gabizon Ronen Shaltiel.
Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.

Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.
Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.

Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.
Randomness Extractors: Motivation, Applications and Constructions Ronen Shaltiel University of Haifa.

Randomness Extractors: Motivation, Applications and Constructions Ronen Shaltiel University of Haifa.
Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.

Short seed extractors against quantum storage Amnon Ta-Shma Tel-Aviv University 1.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Simple extractors for all min- entropies and a new pseudo- random generator Ronen Shaltiel Chris Umans.

Simple extractors for all min- entropies and a new pseudo- random generator Ronen Shaltiel Chris Umans.
Noise, Information Theory, and Entropy (cont.) CS414 – Spring 2007 By Karrie Karahalios, Roger Cheng, Brian Bailey.

Noise, Information Theory, and Entropy (cont.) CS414 – Spring 2007 By Karrie Karahalios, Roger Cheng, Brian Bailey.
Combinational Circuits

Combinational Circuits
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
List decoding Reed-Muller codes up to minimal distance: Structure and pseudo- randomness in coding theory Abhishek Bhowmick (UT Austin) Shachar Lovett.

List decoding Reed-Muller codes up to minimal distance: Structure and pseudo- randomness in coding theory Abhishek Bhowmick (UT Austin) Shachar Lovett.
Extractors: applications and constructions Avi Wigderson IAS, Princeton Randomness.

Extractors: applications and constructions Avi Wigderson IAS, Princeton Randomness.
CS151 Complexity Theory Lecture 8 April 22, 2004.

CS151 Complexity Theory Lecture 8 April 22, 2004.
Complexity Theory Lecture 11 Lecturer: Moni Naor.

Complexity Theory Lecture 11 Lecturer: Moni Naor.
1 Introduction to Quantum Information Processing QIC 710 / CS 667 / PH 767 / CO 681 / AM 871 Richard Cleve DC 2117 / RAC 2211 Lecture.

1 Introduction to Quantum Information Processing QIC 710 / CS 667 / PH 767 / CO 681 / AM 871 Richard Cleve DC 2117 / RAC 2211 Lecture.

Similar presentations

Ads by Google