Time vs Randomness a GITCS presentation February 13, 2012

Time vs Randomness

a GITCS presentation February 13, 2012

Complexity theory is like chemistry.

How powerful is time + randomization?

Some problems in BPP…

• Primality testing
• Polynomial identity testing
• Taking square roots modulo a prime
• Finding a generator of Zp*
• Constructing expander graphs

Some problems in BPP…

• Primality testing
• Polynomial identity testing
• Taking square roots modulo a prime
• Finding a generator of Zp*
• Constructing expander graphs

These are all in P

Some problems in BPP…

• Primality testing
• Polynomial identity testing
• Taking square roots modulo a prime
• Finding a generator of Zp*
• Constructing expander graphs

These are all in P (probably)

Randomness is unimportant.

• …as far as algorithms are concerned.
• Derandomization: Randomized algorithms can be replaced with equivalent deterministic ones.

• Polynomial Time + Randomization = Polynomial Time.

How to derandomize stuff.

• The trivial way: brute force simulation.
• x ∈ {0,1}^n, r ∈ {0,1}^m
• A solves L ∈ BPP:

[Diagram: A takes input x and random string r and outputs Yes/No]

How to derandomize stuff.

• The trivial way: brute force simulation.
• Simulate A on all 2^m possible random strings.
• Exponential time simulation: O(2^m) calls to A
• BPP ⊆ EXP

[Diagram: B runs A on x with all r and takes the MAJORITY of the Yes/No answers]

How to derandomize stuff.

• A better way: use a pseudorandom generator.
• Stretches d uniformly random bits to m pseudorandom bits, d m.
• Pseudorandomness: Efficient algorithms can’t tell the difference!

[Diagram: G maps a short random seed to a long pseudorandom sequence]

How to derandomize stuff.

• A better way: use a pseudorandom generator.
• Time: O(2^d) calls to A
• If d = O(log n), then C runs in poly time!

[Diagram: C feeds all short seeds through G, runs A on x with each output, and takes the MAJORITY of the Yes/No answers]
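The two simulations from the "How to derandomize stuff" slides, as an added example that is not part of the presentation. It assumes a Freivalds-style matrix-product check as the randomized algorithm A, and `G_pad` is a hypothetical, deliberately non-pseudorandom generator, showing that seed enumeration is only correct when G fools A.

```python
from itertools import product

def A(x, r):
    """Freivalds-style test "is M1*M2 == M3?" using m = 2n random bits r."""
    M1, M2, M3 = x
    n = len(M3)
    def mul(M, v):
        return [sum(M[i][j] * v[j] for j in range(n)) for i in range(n)]
    # Two independent trials, Yes only if both pass: wrong with prob <= 1/4.
    return all(mul(M1, mul(M2, v)) == mul(M3, v) for v in (r[:n], r[n:]))

def vote(x, strings):
    """Run A on x with every given random string; return (yes_count, total)."""
    answers = [A(x, r) for r in strings]
    return sum(answers), len(answers)

def B(x, m):
    """Brute force: MAJORITY of A over all 2^m random strings."""
    yes, total = vote(x, product((0, 1), repeat=m))
    return 2 * yes > total

def C(x, G, d):
    """Seed enumeration: MAJORITY of A over G(seed) for all 2^d seeds."""
    yes, total = vote(x, (G(s) for s in product((0, 1), repeat=d)))
    return 2 * yes > total

def G_pad(seed, m=6):
    """Toy generator, deliberately NOT pseudorandom: seed padded with zeros."""
    return tuple(seed) + (0,) * (m - len(seed))

# Constructed inputs (n = 3, m = 6). X_BAD differs from I*I in one entry.
I3 = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
X_GOOD = (I3, I3, I3)
X_BAD = (I3, I3, [[1, 0, 0], [0, 1, 0], [0, 0, 2]])

if __name__ == "__main__":
    print("B good:", B(X_GOOD, 6))          # product is correct
    print("B bad: ", B(X_BAD, 6))           # brute force catches the error
    print("C bad with G_pad:", C(X_BAD, G_pad, 2))  # A distinguishes G_pad
```

On `X_BAD` the only wrong entry sits in a coordinate that `G_pad` always sets to zero, so A can tell its outputs from uniform bits and C accepts a wrong product that B rejects.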

To build a PRG from scratch, you must first invent a hard function…

The Great Idea

The existence of a hard function is equivalent to efficient pseudorandomness.

Roadmap

1. Cryptographic origins
2. Towards derandomizing BPP
3. P=BPP from worst-case hardness
4. How to prove it
5. Recent developments and open questions
6. The Nisan-Wigderson generator

Cryptographic beginnings

• Randomness is (provably) necessary in cryptography.

• Independent, unbiased random bits are hard to get.

• Cryptographers started looking for ways to generate pseudorandomness.

• Traditional notions of pseudorandom sequences do not suffice!

Pseudorandom generator

• A PRG that fools a class of algorithms C with ε-biased pseudorandomness is:
  – G: {0,1}* → {0,1}*, poly time computable (in output)
  – For all algorithms A ∈ C:

• m(d) is called the stretch of G

Cryptographic PRGs

A cryptographic PRG is a PRG G that fools all polytime algorithms and has polynomial stretch.

Cryptographic PRGs

• Shamir, Blum, Micali, Yao were the first to create cryptographic PRGs, but not unconditionally!

• These PRGs require the existence of one way functions (OWFs).
  – Stronger than P ≠ NP!

• [HILL99] proved cryptographic PRGs are equivalent to one way functions.

Roadmap

1. Cryptographic origins
2. Towards derandomizing BPP
3. P=BPP from worst case hardness
4. How to prove it
5. Recent developments and open questions
6. The Nisan-Wigderson generator

Towards P=BPP

• Cryptographic PRGs aren’t enough to show P=BPP.

• We still get a nontrivial derandomization:

• Still uses a very strong assumption about OWFs.

Weaker assumptions, better results?

Ideal situation: P ≠ EXP implies the existence of PRGs with O(log n) seed length (i.e. P = BPP)

Weaker assumptions, better results?

Ideal situation: P ≠ EXP implies the existence of PRGs with O(log n) seed length (i.e. P = BPP)
– This is unlikely

The First Breakthrough

1994: The Nisan-Wigderson Pseudorandom Generator

Nisan-Wigderson PRG

Theorem [NW94]:
• Hypothesis: function and an s such that f cannot be (1/2 – 1/s)-approximated by circuits of size , for all input lengths .
• Conclusion: PRG G, s.t. m fools all size m circuits, using seed length and producing m bits of (1/m)-biased pseudorandomness.

Nisan-Wigderson PRG

Theorem [NW94]:
• Hypothesis: function and an s such that f cannot be (1/2 – 1/s)-approximated by circuits of size , for all input lengths .

An assumption about a larger class than NP, and so is weaker!

The class of algorithms consists of circuits.

Nisan-Wigderson PRG

Theorem [NW94]:
• Hypothesis: function and an s such that f cannot be (1/2 – 1/s)-approximated by circuits of size , for all input lengths .

f is -inapproximable by circuits of size s iff:
For all circuits C of size s,

when = (1/2 – 1/s),

Nisan-Wigderson PRG

Theorem [NW94]:
• Conclusion: PRG G, s.t. m fools all size m circuits, using seed length and producing m bits of (1/m)-biased pseudorandomness.
• Application: Suppose . Then d = O(log m) – suffices for P = BPP.

Even weaker assumptions?

• The assumption on EXP is quite strong.
  – This is an average-case hardness assumption.

• What’s the weakest possible assumption?

Even weaker assumptions?

• The assumption on EXP is quite strong.
• What’s the weakest possible assumption?
• The existence of PRGs with O(log n) seed length implies lower bounds on EXP!

Implies function and an s such that f cannot be computed by circuits of size s.

Let’s use this as our assumption!

Roadmap

1. Cryptographic origins
2. Towards derandomizing BPP
3. P=BPP from worst case hardness
4. How to prove it
5. Recent developments and open questions
6. The Nisan-Wigderson generator

The Second Breakthrough

1997: The Impagliazzo-Wigderson Pseudorandom Generator

Impagliazzo-Wigderson PRG

• Showed that P = BPP follows from a worst-case hardness assumption on EXP:

Theorem [IW97]:
• Hypothesis: function such that f cannot be computed by circuits of size , for all input lengths .

• Conclusion: P = BPP.

Impagliazzo-Wigderson PRG

Key idea: perform hardness amplification on f (worst case hardness to average case hardness)

Gave a reduction that showed if you could solve on average, then you can solve exactly.

[Diagram: f (worst case hard) → f~ (average case hard) → NW94 PRG]

Roadmap

1. Cryptographic origins
2. Towards derandomizing BPP
3. P=BPP from worst case hardness
4. How to prove it
5. Recent developments and open questions
6. The Nisan-Wigderson generator

Proving pseudorandomness

• Given a candidate PRG G, how do we show it produces pseudorandomness?

• Construct a reduction:
  – Suppose G did not produce pseudorandomness;
  – Then ∃ an efficient distinguishing algorithm A.
  – Use A to solve, or approximate, a hard problem that’s embedded in G. Contradiction.
  – [Yao] Distinguishability implies predictability.

Proving hardness amplification

• Given that is worst-case hard, produce that is average-case hard.

• Most of the work between [NW94] and [IW97] focused on hardness amplification.

[Diagram: hardness amplification chain]
worst-case hardness (small circuits fail on at least 1 input)
→ mild avg-case hardness (small circuits fail on 1/poly fraction of input)
→ constant avg-case hardness (small circuits fail on constant fraction of input)
→ xTreme avg-case hardness (small circuits fail on ½ - ε fraction of input)

Proving hardness amplification

• Given that is worst-case hard, produce that is average-case hard.

• Modern method: using error correcting codes.
• Encode into a codeword .
• Any algorithm A that approximates is a corrupted codeword.
• Using decoder, can correct A’s errors and decode efficiently.
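The error-correcting-code view of hardness amplification, as an added example that is not part of the presentation. It assumes the message is the truth table of f, picks the Hadamard code for brevity (the slides do not name a code), and models the approximating algorithm A as a codeword with fewer than a quarter of its positions flipped.

```python
from itertools import product

def hadamard_encode(f_table):
    """Codeword position a holds <f_table, a> mod 2, for every a in {0,1}^k."""
    k = len(f_table)
    return {a: sum(x * y for x, y in zip(f_table, a)) % 2
            for a in product((0, 1), repeat=k)}

def corrupt(codeword, positions):
    """Model an approximating algorithm A: the codeword with some bits flipped."""
    A = dict(codeword)
    for a in positions:
        A[a] ^= 1
    return A

def agreement(A, codeword):
    """Number of positions where A answers the same as the true codeword."""
    return sum(A[a] == codeword[a] for a in codeword)

def decode_bit(A, i, k):
    """Recover message bit i: MAJORITY over all a of A(a) xor A(a xor e_i)."""
    votes = 0
    for a in product((0, 1), repeat=k):
        b = a[:i] + (a[i] ^ 1,) + a[i + 1:]   # a with coordinate i flipped
        votes += A[a] ^ A[b]                  # equals bit i if both are correct
    return int(2 * votes > 2 ** k)

def decode(A, k):
    """Recover the whole truth table from the corrupted codeword A."""
    return [decode_bit(A, i, k) for i in range(k)]

# Constructed sample: a 4-entry truth table and an A that is wrong on 3 of 16.
F_TABLE = [1, 0, 1, 1]
CODE = hadamard_encode(F_TABLE)
A_APPROX = corrupt(CODE, [(0, 0, 0, 1), (1, 0, 1, 0), (1, 1, 1, 1)])

if __name__ == "__main__":
    print("agreement:", agreement(A_APPROX, CODE), "of", len(CODE))
    print("decoded:  ", decode(A_APPROX, 4))
```

Each flipped position spoils at most two of the 16 votes for a bit, so three flips leave the majority intact and the exact truth table is recovered from an algorithm that was only approximately right.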

Roadmap

1. Cryptographic origins
2. Towards derandomizing BPP
3. P=BPP from worst case hardness
4. How to prove it
5. Recent developments and open questions
6. The Nisan-Wigderson generator

Can we derandomize BPP without proving circuit lower bounds?

• Rephrased: can we show P=BPP without creating pseudorandom generators?

• One might hope that there’s a shortcut!

Can we derandomize BPP without proving circuit lower bounds?

• In 2002 Kabanets and Impagliazzo showed that P = BPP implies either:
  – NEXP is not contained in P/poly
  OR
  – The Permanent is not in AlgP/poly

• Either way, showing P=BPP would mean you’ve done something doubly amazing!

Can we derandomize BPP without proving circuit lower bounds?

Open question: does P=BPP imply exponential-size lower bounds on EXP?

[Diagram: worst-case hardness of EXP, PRGs, P = BPP, with the open direction marked "?"]

The Pseudorandom Connection

• There’s a zoo of pseudorandom objects:
  – PRGs
  – Expander graphs
  – Randomness extractors
  – List decodable codes
  – Randomness samplers
  – and more!

• There is an almost-equivalence between these disparate objects.

The Pseudorandom Connection

Open questions: Explain this unification. What are the optimal conversions between different objects? Is there a “most fundamental” pseudorandom object?

Break

Roadmap

1. Cryptographic origins
2. Towards derandomizing BPP
3. P=BPP from worst case hardness
4. How to prove it
5. Recent developments and open questions
6. The Nisan-Wigderson generator