Time vs Randomness
a GITCS presentation
February 13, 2012
Complexity theory is like chemistry.
How powerful is time + randomization?
Some problems in BPP…
• Primality testing
• Polynomial identity testing
• Taking square roots modulo a prime
• Finding a generator of Z_p*
• Constructing expander graphs
These are all in P
These are all in P (probably)
Randomness is unimportant.
• …as far as algorithms are concerned.
• Derandomization: Randomized algorithms can be replaced with equivalent deterministic ones.
• Polynomial Time + Randomization = Polynomial Time.
How to derandomize stuff.
• The trivial way: brute force simulation.
• x ∈ {0,1}^n, r ∈ {0,1}^m
• A solves L ∈ BPP:
[Diagram: A takes input x and random string r and outputs Yes/No]
• Simulate A on all 2^m possible random strings.
• Exponential time simulation: O(2^m) calls to A
• BPP ⊆ EXP
[Diagram: B runs A on x with all r and outputs the MAJORITY of the Yes/No answers]
• A better way: use a pseudorandom generator.
• Stretches d uniformly random bits to m pseudorandom bits, d < m.
• Pseudorandomness: Efficient algorithms can’t tell the difference!
[Diagram: short random seed → G → long pseudorandom sequence]
• Time: O(2^d) calls to A
• If d = O(log n), then C runs in poly time!
[Diagram: C feeds all short seeds through G, runs A on x with each output, and outputs the MAJORITY of the Yes/No answers]
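The two simulations on these slides, B (all 2^m random strings) and C (all 2^d seeds through G), as an added Python example that is not part of the original presentation. The algorithm A (Freivalds' matrix-product check), the generators toy_G and zero_G and the matrices are constructed for illustration; toy_G is not a proven PRG, and C is only correct when G fools A, which zero_G shows by giving the wrong answer.

```python
from itertools import product

def matvec(M, v):
    return [sum(a * b for a, b in zip(row, v)) for row in M]

def A(x, r):
    """Randomized check of X*Y == Z (Freivalds). r holds two 0/1 test
    vectors, so a wrong Z is accepted with probability <= 1/4."""
    X, Y, Z = x
    n = len(Z)
    return all(matvec(X, matvec(Y, v)) == matvec(Z, v)
               for v in (r[:n], r[n:2 * n]))

def majority(votes):
    return 2 * sum(votes) > len(votes), len(votes)  # (answer, calls to A)

def B(x, m):
    """Trivial way: run A on all 2^m random strings."""
    return majority([A(x, r) for r in product((0, 1), repeat=m)])

def C(x, G, d):
    """Better way: run A on G(seed) for all 2^d short seeds."""
    return majority([A(x, G(s)) for s in product((0, 1), repeat=d)])

def toy_G(seed, m=6):
    """Constructed stand-in, NOT a proven PRG: output bit k is the parity
    of the seed bits selected by the binary digits of k (k = 1..m)."""
    return tuple(sum(b for i, b in enumerate(seed) if k >> i & 1) % 2
                 for k in range(1, m + 1))

def zero_G(seed, m=6):
    """A generator that fools nothing: always outputs zeros."""
    return (0,) * m

# Constructed sample input: Z_GOOD equals X*Y, Z_BAD differs in one entry.
X = [[1, 2, 0], [0, 1, 3], [4, 0, 1]]
Y = [[2, 0, 1], [1, 1, 0], [0, 5, 2]]
Z_GOOD = [[4, 2, 1], [1, 16, 6], [8, 5, 6]]
Z_BAD = [[4, 2, 1], [1, 17, 6], [8, 5, 6]]

if __name__ == "__main__":
    for name, Z in (("good", Z_GOOD), ("bad", Z_BAD)):
        x = (X, Y, Z)
        print(name, B(x, 6), C(x, toy_G, 3), C(x, zero_G, 3))
```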
To build a PRG from scratch, you must first invent a hard function…
The existence of a hard function is equivalent to efficient pseudorandomness
The Great Idea
Roadmap
1. Cryptographic origins
2. Towards derandomizing BPP
3. P=BPP from worst-case hardness
4. How to prove it
5. Recent developments and open questions
6. The Nisan-Wigderson generator
Cryptographic beginnings
• Randomness is (provably) necessary in cryptography.
• Independent, unbiased random bits are hard to get.
• Cryptographers started looking for ways to generate pseudorandomness.
• Traditional notions of pseudorandom sequences do not suffice!
Pseudorandom generator
• A PRG that fools a class of algorithms C with ε-biased pseudorandomness is:
– G: {0,1}* → {0,1}*, poly time computable (in output)
– For all algorithms A ∈ C:
• m(d) is called the stretch of G
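An added example, not from the presentation: the exact distinguishing advantage |Pr[A(G(U_d)) = 1] − Pr[A(U_m) = 1]| (the standard definition) of two tests against a 4-bit LFSR, a "traditional" pseudorandom sequence. The LFSR, both tests and all names are constructed for illustration; the point is that a sequence can look balanced to a frequency test yet be separated from uniform almost perfectly by a test built from its own recurrence.

```python
from fractions import Fraction
from itertools import product

def lfsr_G(seed, m=8):
    """Constructed example of a 'traditional' generator: a 4-bit LFSR
    stretching d = 4 seed bits to m bits via b[i] = b[i-4] xor b[i-3]."""
    bits = list(seed)
    while len(bits) < m:
        bits.append(bits[-4] ^ bits[-3])
    return tuple(bits)

def frequency_test(r):
    """Statistical-style test: accept if at least half the bits are 1."""
    return 2 * sum(r) >= len(r)

def predictor_test(r):
    """Accept if every bit after the first four obeys the LFSR recurrence,
    i.e. a next-bit predictor would have guessed each of them correctly."""
    return all(r[i] == r[i - 4] ^ r[i - 3] for i in range(4, len(r)))

def advantage(A, G, d, m):
    """Exact |Pr[A(G(U_d)) = 1] - Pr[A(U_m) = 1]| by full enumeration."""
    p_gen = Fraction(sum(A(G(s, m)) for s in product((0, 1), repeat=d)), 2 ** d)
    p_uni = Fraction(sum(A(r) for r in product((0, 1), repeat=m)), 2 ** m)
    return abs(p_gen - p_uni)

if __name__ == "__main__":
    for test in (frequency_test, predictor_test):
        print(test.__name__, advantage(test, lfsr_G, d=4, m=8))
```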
Cryptographic PRGs
A cryptographic PRG is a PRG G that fools all polytime algorithms and has polynomial stretch.
• Shamir, Blum, Micali, Yao were the first to create cryptographic PRGs, but not unconditionally!
• These PRGs require the existence of one way functions (OWFs).
– Stronger than P ≠ NP!
• [HILL99] proved cryptographic PRGs are equivalent to one way functions.
Towards P=BPP
• Cryptographic PRGs aren’t enough to show P=BPP.
• We still get a nontrivial derandomization:
• Still uses a very strong assumption about OWFs.
Weaker assumptions, better results?
Ideal situation: P ≠ EXP implies the existence of PRGs with O(log n) seed length (i.e. P = BPP)
– This is unlikely
The First Breakthrough
1994: The Nisan-Wigderson Pseudorandom Generator
Nisan-Wigderson PRG
Theorem [NW94]:
• Hypothesis: function and an s such that f cannot be (1/2 – 1/s)-approximated by circuits of size , for all input lengths .
• Conclusion: PRG G, s.t. m fools all size m circuits, using seed length and producing m bits of (1/m)-biased pseudorandomness.
• An assumption about a larger class than NP, and so is weaker!
• The class of algorithms consists of circuits.
f is -inapproximable by circuits of size s iff: for all circuits C of size s,
when = (1/2 – 1/s),
• Application: Suppose . Then d = O(log m) – suffices for P = BPP.
Even weaker assumptions?
• The assumption on EXP is quite strong.
– This is an average-case hardness assumption.
• What’s the weakest possible assumption?
• The existence of PRGs with O(log n) seed length implies lower bounds on EXP!
Implies function and an s such that f cannot be computed by circuits of size s.
Let’s use this as our assumption!
The Second Breakthrough
1997: The Impagliazzo-Wigderson Pseudorandom Generator
Impagliazzo-Wigderson PRG
• Showed that P = BPP follows from a worst-case hardness assumption on EXP:
Theorem [IW97]:
• Hypothesis: function such that f cannot be computed by circuits of size , for all input lengths .
• Conclusion: P = BPP.
Impagliazzo-Wigderson PRG
Key idea: perform hardness amplification on f (worst case hardness to average case hardness)
Gave a reduction that showed if you could solve on average, then you can solve exactly.
[Diagram: f (worst case hard) → f̃ (average case hard) → NW94 PRG]
Proving pseudorandomness
• Given a candidate PRG G, how do we show it produces pseudorandomness?
• Construct a reduction:
– Suppose G did not produce pseudorandomness;
– Then ∃ an efficient distinguishing algorithm A.
– Use A to solve, or approximate a hard problem that’s embedded in G. Contradiction.
– [Yao] Distinguishability implies predictability.
Proving hardness amplification
• Given that is worst-case hard, produce that is average-case hard.
• Most of the work between [NW94] and [IW97] focused on hardness amplification.
• worst-case hardness: small circuits fail on at least 1 input
• mild avg-case hardness: small circuits fail on 1/poly fraction of input
• constant avg-case hardness: small circuits fail on constant fraction of input
• xTreme avg-case hardness: small circuits fail on ½ - ε fraction of input
• Modern method: using error correcting codes.
• Encode into a codeword .
• Any algorithm A that approximates is a corrupted codeword.
• Using decoder, can correct A’s errors and decode efficiently.
Can we derandomize BPP without proving circuit lower bounds?
• Rephrased: can we show P=BPP without creating pseudorandom generators?
• One might hope that there’s a shortcut!
• In 2002 Kabanets and Impagliazzo showed that P = BPP implies either:
– NEXP is not contained in P/poly
OR
– The Permanent is not in AlgP/poly
• Either way, showing P=BPP would mean you’ve done something doubly amazing!
Open question: does P=BPP imply exponential-size lower bounds on EXP?
[Diagram: worst-case hardness of EXP, PRGs, P = BPP, with the open implication marked “?”]
The Pseudorandom Connection
• There’s a zoo of pseudorandom objects:
– PRGs
– Expander graphs
– Randomness extractors
– List decodable codes
– Randomness samplers
– and more!
• There is an almost-equivalence between these disparate objects.
Open questions: Explain this unification. What are the optimal conversions between different objects? Is there a “most fundamental” pseudorandom object?
Break