Derandomization of BPP - PowerPoint PPT Presentation

Slide 1: Derandomizing BPP

Slides by Iddo Tzameret and Gil Shklarski. Adapted from Oded Goldreich's course lecture notes by Erez Waisbard and Gera Weiss.
Slide 2: PRG - Stronger Notion

Def: A deterministic polynomial-time algorithm G is called a non-uniformly strong pseudorandom generator if there exists a stretching function l: N → N such that for any family {C_k} of polynomial-size circuits, for any polynomial p, and for all sufficiently large k's:
  |Pr[C_k(G(U_k)) = 1] - Pr[C_k(U_{l(k)}) = 1]| < 1/p(k)
This definition uses polynomial-size circuits as distinguishers instead of probabilistic polynomial-time TMs. Recall that BPP ⊆ P/poly.
Slide 3: Implications of such PRG

We can construct such A that uses exactly l(|x|) coin tosses.
Slide 4: Proof Continued (1)

Claim: For all but finitely many x's,
  |Pr[A(x,U_{l(k)}) = 1] - Pr[A'(x,U_k) = 1]| < 1/6, where k = |x|.
Proof: Assume, by way of contradiction, that for infinitely many x's
  |Pr[A(x,U_{l(k)}) = 1] - Pr[A'(x,U_k) = 1]| ≥ 1/6,
and construct a family of poly-size circuits: for each x, C(x)(input) = A(x,input). Then construct the family {C_k} as follows: C_k ≡ C(x), where A(x) uses l(k) coin tosses. Infinitely many x's on which A and A' differ imply infinitely many sizes of x's on which they differ, and hence an infinite number of such C_k's.
Slide 5: Proof Continued (2)

For each such C_k: C_k(G(U_k)) ≡ A'(x,U_k) and C_k(U_{l(k)}) ≡ A(x,U_{l(k)}). Hence we have a family of circuits s.t.
  |Pr[C_k(G(U_k)) = 1] - Pr[C_k(U_{l(k)}) = 1]| ≥ 1/6,
in contradiction to the definition of our pseudorandom generator. ∎ (claim)
Slide 6: Proof Continued (3)

Going back to proving the theorem: A is our BPP machine, so for every x:
  x ∈ L ⇒ Pr[A(x,U_{l(k)}) = 1] ≥ 2/3
  x ∉ L ⇒ Pr[A(x,U_{l(k)}) = 1] < 1/3
In particular, using the claim we get, for all but finitely many x's:
  x ∈ L ⇒ Pr[A'(x,U_k) = 1] > Pr[A(x,U_{l(k)}) = 1] - 1/6 ≥ 1/2
  x ∉ L ⇒ Pr[A'(x,U_k) = 1] < Pr[A(x,U_{l(k)}) = 1] + 1/6 < 1/2
Slide 7: Proof Continued (4)
Slide 8: New notion of PRG

Goal: to design a new PRG construction, which will be used for derandomization.
New Method: generate the random bits in parallel instead of sequentially (compare with the Pseudo Random Generators lecture).
Different Assumptions: weaker than before, since the new PRG may run in time exponential in its input size. Assume an unpredictable Boolean function.
New Construct: called a Design, consisting of nearly disjoint subsets of the random seed.
Slide 9: New notion of PRG

For k = O(log|x|) it runs in polynomial time.
  • The new requirements for the PRG:
  • Indistinguishable by polynomial-size circuits.
  • Can run in exponential time (2^{O(k)} on a k-bit seed).
  • One can construct such a PRG under a seemingly weaker assumption (than for the construction shown in the Pseudo Random Generators lecture):
  • The existence of an unpredictable Boolean function, instead of assuming the existence of a one-way permutation.
Slide 10: Unpredictable Boolean function
  • Def (Unpredictable Boolean function)
  • An exp(l)-computable Boolean function b: {0,1}^l → {0,1} is unpredictable by small circuits if for every polynomial p(·), for all sufficiently large l's and for every circuit C of size p(l):
  • Pr[C(U_l) = b(U_l)] < ½ + 1/p(l)
  • Assume such Boolean functions exist.
Slide 11: Unpredictable Boolean function

How strong is that assumption? We prove that it is not stronger than assuming the existence of a one-way permutation:
  one-way permutation ⇒ unpredictable Boolean function
Claim: if f0 is a one-way permutation and b0 is a hard-core of f0, then b(x) = b0(f0^{-1}(x)) is an unpredictable Boolean function.
Slide 12: One-way permutation ⇒ unpredictable Boolean function
  • Proof
  • Let f0 be a one-way permutation and b0 a hard-core of f0.
  • We'll show that the function b(x) = b0(f0^{-1}(x)) is an unpredictable Boolean function.
  • f0 can be inverted in exponential time and b0 can be computed in polynomial time, so b is computable in exponential time.
  • Unpredictability:
  • Assume, by way of contradiction, that b is predictable.
  • We'll show that b0 is not a hard-core bit of f0.
Slide 13: Proof continued
  • Assuming b is predictable, we have a family of circuits C_k of size p(k) s.t. for an infinite number of k's
  • Pr[C_k(U_k) = b(U_k)] ≥ 1/2 + 1/p(k).
  • For y = f0^{-1}(x) we get b(f0(y)) = b0(y).
  • f0 is a permutation, so we get
  • Pr[C_k(f0(U_k)) = b(f0(U_k))] ≥ 1/2 + 1/p(k), i.e.
  • Pr[C_k(f0(U_k)) = b0(U_k)] ≥ 1/2 + 1/p(k),
  • which is a contradiction to b0 being a hard-core.

We defined the hard-core bit with BPP machines and not with P/poly, so there is a problem here!
Slide 14: The Design
  • Generating a single random bit from a seed is easy, assuming you have an unpredictable Boolean function.
  • But how can we generate more than one bit?
  • We will manage that by utilizing a collection of nearly disjoint subsets of the seed to get random bits that are almost mutually independent.

"Almost" means indistinguishable by polynomial-sized circuits.
Slide 15: The Design
  • Def
  • A collection of m subsets I_1, I_2, …, I_m of {1,…,k} is a (k,m,l)-design if the following hold:
  • For every i ∈ {1,…,m}: |I_i| = l
  • For every i ≠ j ∈ {1,…,m}: |I_i ∩ I_j| = O(log k)
  • The collection is constructible in exp(k)-time.
  • Notation: For S = <x_1, x_2, …, x_k> and I = {i_1, …, i_l} ⊆ {1,…,k}
Slide 16: The Design - Visualization

  k = 10, l = 3
  INDEX:                <1 2 3 4 5 6 7 8 9 10>
  S (seed):             <1 0 1 0 0 1 0 1 1 0>
  I_1, I_2, …, I_m:     {1,4,7} {2,5,8} {3,9,10} ... {1,8,9}
  S_{I_1}, …, S_{I_m}:  <1,0,0> <0,0,1> <1,1,0> ... <1,1,1>
Slide 17: Constructing the PRG

Prop 15.3: let b: {0,1}^{√k} → {0,1} be an unpredictable Boolean function, and let I_1, …, I_m be a (k,m,√k)-design; then the following function is a strong non-uniform PRG:
  G(S) ≝ <b(S_{I_1}) b(S_{I_2}) … b(S_{I_m})>
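As an added illustration that is not part of the original deck, here is the construction of the two preceding slides in Python: the seed and the four design subsets are the constructed values from the visualization slide, `project` computes S_I, `is_design` checks the (k,m,l)-design conditions, and `nisan_wigderson_generator` forms G(S) by applying b to every block in parallel. The unpredictable function b is replaced by parity, an assumption made only so the wiring can be executed; parity is trivially predictable, so the resulting generator is not pseudorandom, it only shows how the design feeds b.

```python
from itertools import combinations

# Constructed example taken from the visualization slide: k = 10, l = 3,
# the seed S, and four of the design subsets I_1..I_m (1-indexed positions).
K = 10
SEED = [1, 0, 1, 0, 0, 1, 0, 1, 1, 0]
DESIGN = [{1, 4, 7}, {2, 5, 8}, {3, 9, 10}, {1, 8, 9}]


def project(seed, subset):
    """S_I: the seed bits at the positions in I, in increasing index order."""
    return tuple(seed[p - 1] for p in sorted(subset))


def max_overlap(design):
    """Largest |I_i ∩ I_j| over distinct pairs; a design needs this to be O(log k)."""
    return max(len(a & b) for a, b in combinations(design, 2))


def is_design(design, k, l, max_intersection):
    """(k,m,l)-design check: every subset lies in {1..k}, has size l,
    and no two subsets share more than max_intersection positions."""
    universe = set(range(1, k + 1))
    sizes_ok = all(len(s) == l and s <= universe for s in design)
    return sizes_ok and max_overlap(design) <= max_intersection


def toy_b(bits):
    """Stand-in for the unpredictable Boolean function b (assumption: parity).
    Parity is predictable by a tiny circuit; it only lets the wiring run."""
    return sum(bits) % 2


def nisan_wigderson_generator(seed, design, b=toy_b):
    """G(S) = <b(S_I1), ..., b(S_Im)>: one output bit per design subset.
    Each bit depends only on its own block, so all m evaluations are independent work."""
    return tuple(b(project(seed, subset)) for subset in design)


if __name__ == "__main__":
    print([project(SEED, I) for I in DESIGN])            # the blocks S_{I_i} fed to b
    print(is_design(DESIGN, K, 3, 1), max_overlap(DESIGN))
    print(nisan_wigderson_generator(SEED, DESIGN))
```

With the slide's values the four blocks are <1,0,0>, <0,0,1>, <1,1,0>, <1,1,1>, every pair of subsets overlaps in at most one position, and adding a fifth subset such as {1,4,8} (overlap 2 with {1,4,7}) makes `is_design` fail for the bound 1.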
Slide 18: Constructing the PRG Visualization

(Figure: each length-l block S_{I_i} of the seed above is fed to b; the outputs shown run from b(<1,0,0>) to b(<1,1,1>).)
Slide 19: Proof (1)
  • Proof
  • Computing G(s) takes time exponential in k, since
  • we have m = l(k) computations of b(S_{I_i}), and
  • computing each b(S_{I_i}) takes exp(|S_{I_i}|) = O(exp(k)).
Slide 20: Proof (2)
  • We will show that no small circuit can distinguish the output of G from a random sequence.
  • Assume, by way of contradiction, that there exists a family of poly-size circuits {C_k}_{k∈N} and a polynomial p(·) such that for infinitely many k's
  • |Pr[C_k(G(U_k)) = 1] - Pr[C_k(U_{l(k)}) = 1]| > 1/p(k)
  • Without loss of generality we can remove the absolute value sign.

Among these infinitely many k's, the difference Pr[C_k(G(U_k)) = 1] - Pr[C_k(U_{l(k)}) = 1] has the same sign for infinitely many k; moreover, we can fix the sign arbitrarily, since we can take a sequence of circuits with reversed signs.
Slide 21: Using a Hybrid Distribution - proof (3)

For any 0 ≤ i ≤ m we define a hybrid distribution as follows: the first i bits are chosen to be the first i bits of G(U_k) and the other m-i bits are chosen uniformly at random:
  H^i_k ≝ G(U_k)_{1,…,i} · U_{m-i}   (concatenation)
and also
  f_k(i) ≝ Pr[C_k(H^i_k) = 1].
Using these definitions we can write f_k(m) - f_k(0) > 1/p(k), so there must be some 0 ≤ i_k < m s.t.
  f_k(i_k+1) - f_k(i_k) > (1/m) · (1/p(k)).
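The step from the total gap to a single adjacent pair of hybrids, written out as an added derivation in the slide's own symbols (not part of the original deck): the gap telescopes over the m adjacent hybrid pairs, and averaging forces at least one pair to carry a 1/m share of it.

```latex
\begin{aligned}
f_k(m) - f_k(0)
  &= \sum_{i=0}^{m-1} \bigl( f_k(i+1) - f_k(i) \bigr) > \frac{1}{p(k)}
  \qquad (H^m_k = G(U_k),\; H^0_k = U_m = U_{l(k)}) \\[4pt]
\text{if } \forall i:\; f_k(i+1) - f_k(i) \le \tfrac{1}{m\,p(k)}
  &\;\Longrightarrow\; f_k(m) - f_k(0) \le m \cdot \tfrac{1}{m\,p(k)} = \tfrac{1}{p(k)},
  \text{ a contradiction;} \\[4pt]
\text{hence } \exists\, 0 \le i_k < m:\quad
  f_k(i_k+1) - f_k(i_k) &> \frac{1}{m}\cdot\frac{1}{p(k)}.
\end{aligned}
```

Only the existence of such an i_k is used afterwards; the proof never needs to know which index it is, which is why the next-bit predictor may be non-uniform.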
Slide 22: Approximating the Next bit from the previous bits

Defining p'(k) = m · p(k) and i = i_k we get
  Pr[C_k(H^{i+1}_k) = 1] - Pr[C_k(H^i_k) = 1] > 1/p'(k).
Now we can construct from C_k a circuit C'_k which approximates the next bit with large enough probability, where the R_i are independent uniformly distributed bits. It can be shown that
  Pr[C'_k(G(U_k)_{1..i}) = G(U_k)_{i+1}] > 1/2 + 1/p'(k)
(probability over the random bits R_i and U_k).
Slide 23: Approximating the Next bit from the previous bits

(Figure: circuit C'_k takes b(S_{I_1}), …, b(S_{I_{i_k}}) as inputs and outputs a guess for the next bit b(S_{I_{i_k+1}}); the guess is correct with probability ½+ε and wrong with probability ½-ε, where ε > 1/p'(k).)
Slide 24: Approximating b(S_{I_{i+1}}) from S and the b(S_{I_i})'s

We can construct a circuit C'' which takes S as input, in addition to b(S_{I_1}), …, b(S_{I_i}), and approximates the unpredictable Boolean function b(S_{I_{i+1}}). This can be done by ignoring the new inputs and using b(S_{I_1}), …, b(S_{I_i}) and C'. The formal definition is
  C''_k(S, G(S)_{1..i}) = C'_k(G(S)_{1..i}).
We get
  Pr_S[C''_k(S, G(S)_{1..i}) = G(S)_{i+1}] > 1/2 + 1/p'(k), i.e.
  Pr_S[C''_k(S, G(S)_{1..i}) = b(S_{I_{i+1}})] > 1/2 + 1/p'(k)
(probabilities over the random bits R_i and S).
Slide 25: Approximating b(S_{I_{i+1}}) from S_{I_{i+1}} and the b(S_{I_j})'s

Write Ī_{i+1} = {1,…,k} ∖ I_{i+1} for the seed positions outside I_{i+1}.
  • There exists α ∈ {0,1}^{k-|I_{i+1}|} s.t.
  • Pr_S[C''_k(S, G(S)_{1..i}) = b(S_{I_{i+1}}) | S_{Ī_{i+1}} = α] > 1/2 + 1/p'(k)
  • We'll hard-code this α into our circuit and get a circuit that takes b(S_{I_1}), …, b(S_{I_i}) and S_{I_{i+1}} as inputs and approximates b(S_{I_{i+1}}) with some bias.

Applying the law of averages:
  Pr[C''_k(S, G(S)_{1..i}) = b(S_{I_{i+1}})] = Σ_α Pr[C''_k(S, G(S)_{1..i}) = b(S_{I_{i+1}}) | S_{Ī_{i+1}} = α] · Pr[S_{Ī_{i+1}} = α].
If for all α
  Pr[C''_k(S, G(S)_{1..i}) = b(S_{I_{i+1}}) | S_{Ī_{i+1}} = α] ≤ 1/2 + 1/p'(k),
we'd get
  Pr[C''_k(S, G(S)_{1..i}) = b(S_{I_{i+1}})] ≤ 1/2 + 1/p'(k),
contradicting the bound above.
Slide 26: Visualization of C''

(Figure: circuit C''_k takes the seed S, split into S_{I_{i+1}} and the remaining positions S_{Ī_{i+1}}, together with b(S_{I_1}), …, b(S_{I_i}).)
Slide 27: Approximating b(S_{I_{i+1}}) from S_{I_{i+1}}

We know how to approximate b(S_{I_{i+1}}) from its input S_{I_{i+1}} and from b(S_{I_1}), …, b(S_{I_i}). Can we approximate it using only S_{I_{i+1}}?
Slide 28: Computing the S_{I_j}'s from S_{I_{i+1}}
  • After hard-coding α, there is only a small number of free bits in S_{I_1}, …, S_{I_i}.
  • The design gives us i · O(log(k)) as a bound.

(Figure: S is split into S_{I_{i+1}} and the hard-coded α; each of S_{I_1}, S_{I_2}, …, S_{I_i} overlaps S_{I_{i+1}} in only O(log(k)) positions, and all its other bits are fixed by α.)
Slide 29: Computing the S_{I_j}'s from S_{I_{i+1}}: Example

(Figure: the split of S into S_{I_{i+1}} and α worked on a concrete seed; the example evaluates a block as b(<0011>) and shows the O(log(k)) free positions that S_{I_1}, S_{I_2}, …, S_{I_i} share with S_{I_{i+1}}.)
Slide 30: Computing the b(S_{I_j})'s from S_{I_{i+1}}

(Figure: S = <α_1 α_2 α_3 … α_j ???? α_{j+1} … α_{k-l}>, where the ???? positions are S_{I_{i+1}} and the α's are hard-coded. For each S_{I_j} an exp(log(k)) = poly(k) circuit reconstructs the block and returns b(S_{I_j}) by lookup table: for every possible value of S_{I_j}, return the precomputed value of b(S_{I_j}). Together these produce b(S_{I_1}), …, b(S_{I_i}) from S_{I_{i+1}} alone.)
Slide 31: Final Circuit: Approximating b(S_{I_{i+1}}) from S_{I_{i+1}}

(Figure: S_{I_{i+1}} feeds a poly(k) circuit of lookup tables that outputs b(S_{I_1}), …, b(S_{I_i}); these feed circuit C', whose next-bit guess equals b(S_{I_{i+1}}) with probability ½+ε and fails with probability ½-ε.)
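The lookup-table step of the last four slides, as an added example that is not part of the original deck. It reuses the constructed design and seed from the visualization slide with I_{i+1} = {1,8,9} (so i = 3), and b again stands in as parity (an assumption; the table construction does not depend on which b is used). It hard-codes α as the seed bits outside I_{i+1}, builds for each j ≤ i a table indexed by the |I_j ∩ I_{i+1}| free bits of S_{I_j}, reads those bits out of S_{I_{i+1}} alone to recover b(S_{I_j}), and checks exhaustively that the tables agree with b computed from the whole seed for every seed consistent with α.

```python
from itertools import product

# Constructed example: the (10, m, 3)-design of the visualization slide (1-indexed positions)
# and its seed. DESIGN[i] plays the role of I_{i+1}; here i = 3, so I_{i+1} = {1, 8, 9}.
K = 10
SEED = [1, 0, 1, 0, 0, 1, 0, 1, 1, 0]
DESIGN = [{1, 4, 7}, {2, 5, 8}, {3, 9, 10}, {1, 8, 9}]


def toy_b(bits):
    """Stand-in for the unpredictable Boolean function b (assumption: parity).
    Any b works here; parity just keeps the check easy to follow."""
    return sum(bits) % 2


def alpha_outside(seed, target):
    """The hard-coded alpha: the seed bits at every position outside I_{i+1}."""
    return {p: seed[p - 1] for p in range(1, len(seed) + 1) if p not in target}


def build_lookup_tables(design, i, alpha, b=toy_b):
    """For each j < i, S_{I_j} is fixed by alpha except on I_j ∩ I_{i+1}.
    Tabulate b(S_{I_j}) for every assignment of those free bits: 2^|I_j ∩ I_{i+1}|
    entries, which is poly(k) when the design keeps the overlap at O(log k)."""
    target = design[i]
    tables = []
    for subset in design[:i]:
        free = sorted(subset & target)             # positions of S_{I_j} inside S_{I_{i+1}}
        table = {}
        for bits in product((0, 1), repeat=len(free)):
            seed = dict(alpha)                     # the fixed part of the seed ...
            seed.update(zip(free, bits))           # ... plus one choice of the free bits
            table[bits] = b(tuple(seed[p] for p in sorted(subset)))
        tables.append((free, table))
    return tables


def predict_from_target_block(tables, seed):
    """The poly(k) sub-circuit of the final construction: it reads only positions of
    S_{I_{i+1}} (the free-bit lists) and looks up b(S_{I_1}), ..., b(S_{I_i})."""
    return tuple(table[tuple(seed[p - 1] for p in free)] for free, table in tables)


def check_all_seeds(design, i, alpha, k, b=toy_b):
    """Exhaustively confirm that for every seed consistent with alpha the tables
    reproduce the true b(S_{I_j}) values computed from the whole seed."""
    target = sorted(design[i])
    tables = build_lookup_tables(design, i, alpha, b)
    for bits in product((0, 1), repeat=len(target)):
        seed = [None] * k
        for p, v in alpha.items():
            seed[p - 1] = v
        for p, v in zip(target, bits):
            seed[p - 1] = v
        truth = tuple(b(tuple(seed[p - 1] for p in sorted(s))) for s in design[:i])
        if predict_from_target_block(tables, seed) != truth:
            return False
    return True


if __name__ == "__main__":
    alpha = alpha_outside(SEED, DESIGN[3])
    tables = build_lookup_tables(DESIGN, 3, alpha)
    print([len(t) for _, t in tables])             # 2 entries per table, not 2^l = 8
    print(predict_from_target_block(tables, SEED)) # b(S_I1), b(S_I2), b(S_I3) from S_{I_4} only
    print(check_all_seeds(DESIGN, 3, alpha, K))
```

In this toy design every overlap is a single position, so each table has two entries and the whole sub-circuit is three two-entry tables; with a (k,m,l)-design whose overlaps are O(log k), the same construction stays at i · 2^{O(log k)} = poly(k) entries even though each block S_{I_j} has l = √k bits.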
Slide 32: Design construction: greedy algorithm
  • For the following parameters:
  • k = l^2
  • m = poly(k)
  • We want, for all i, |I_i| = l and, for i ≠ j, |I_i ∩ I_j| = O(log k).

The algorithm:
  For i = 1 to m:
    For all I ⊆ [k] with |I| = l do:
      flag = FALSE
      for j = 1 to i-1:
        if |I ∩ I_j| > log k then flag = TRUE
      if flag = FALSE then I_i = I
Slide 33: Greedy algorithm proof
  • Assume that for i ≤ m we have I_1, I_2, …, I_{i-1} such that
  • for every j < i: |I_j| = l
  • for every j1, j2 < i: |I_{j1} ∩ I_{j2}| < 2 log m
  • We'll show that there exists another set I_i with |I_i| = l s.t. for every j < i: |I_j ∩ I_i| < 2 log m.

Proof by the probabilistic method: Let S be a fixed set of size l. Let R be a set selected at random so that for every i ∈ [k], Pr[i ∈ R] = 2/l. Then |R| ~ Binomial(k, 2/l).
Slide 34: Proof continued (1)
  • Let S_i be the i-th element of S, sorted in some order.
  • We'll define the sequence {X_i}_{i=1..l} of random variables.
  • The X_i are independent Bernoulli variables with Pr[X_i = 1] = 2/l for each i.
Slide 35: Proof continued (2)
  • For R selected as above, the probability that there exists I_j s.t. |I_j ∩ R| > 2 log m is bounded above by
  • (i-1)/2m < 1/2.
  • R is not necessarily of size l. We can show that with high probability |R| ≥ l, so it contains a subset of size l that we can choose as our I_i.
  • Considering the sequence {X_i}_{i=1..l}
  • Using Chernoff's bound
  • For R selected as above, the probability of too many collisions or of being too small is strictly smaller than one.
  • Therefore, there exists such an R to be selected as I_i. ∎

Note: The algorithm itself is deterministic. We use the randomness only as a tool in showing that the algorithm will always find what it is looking for.
Slide 36: Second Design Construction using GF(l) arithmetic
  • For the following parameters:
  • k = l^2
  • m = poly(k)
  • Let F = GF(l); then |F × F| = k.
  • There is a 1-1 correspondence between {1,…,k} and F × F.
  • For every polynomial p(·) of degree d over F, I_p is the graph of p(·) over F:
  • I_p = {<e, p(e)> : e ∈ F}
  • |I_p| = |F| = l
Slide 37: Second Design Construction using GF(l) arithmetic
  • Every two polynomials p(·) ≠ q(·) of degree d intersect in at most d points, hence
  • |I_p ∩ I_q| ≤ d
  • by the Fundamental Theorem of Algebra; hence we can choose d = O(log(k)).
  • Note that for every polynomial m(k) we can construct m(k) = m(l^2) such sets, since there are |F|^{d+1} = l^{d+1} polynomials over GF(l), so by choosing an appropriate d the number of sets is greater than m(l^2).
  • The sets are constructible in time exponential in k, since we use simple arithmetic over GF(l).
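Both design constructions, the greedy scan of slide 32 and the GF(l) polynomial graphs of the last two slides, as added example code that is not from the deck. The greedy version takes the overlap threshold t as a parameter: the slides use log k, but for toy sizes that bound is vacuous (an l-subset cannot overlap another in more than l = √k positions), so the demonstration runs with k = 9, l = 3, t = 1. The polynomial version assumes l is prime so that GF(l) is arithmetic modulo l, numbers the point (e, y) of F × F as 1 + e·l + y, and enumerates all l^{d+1} polynomials of degree at most d; `is_design` verifies the (k,m,l) conditions on both outputs.

```python
from itertools import combinations, product


def max_overlap(design):
    """Largest |I_i ∩ I_j| over distinct pairs; the design property asks for O(log k)."""
    return max((len(a & b) for a, b in combinations(design, 2)), default=0)


def is_design(design, k, l, t):
    """Every subset lies in {1..k}, has size l, and pairwise overlaps are at most t."""
    universe = set(range(1, k + 1))
    return all(len(s) == l and s <= universe for s in design) and max_overlap(design) <= t


def greedy_design(k, l, t):
    """The slides' greedy algorithm: scan every l-subset of {1..k} in lexicographic order
    (exponential in k, as the slides allow) and keep a candidate iff it meets each subset
    already chosen in at most t points. t stands in for the log k threshold of the slides."""
    chosen = []
    for cand in combinations(range(1, k + 1), l):
        cand = set(cand)
        if all(len(cand & prev) <= t for prev in chosen):
            chosen.append(cand)
    return chosen


def polynomial_design(l, d):
    """The GF(l) construction (assumption: l is prime, so GF(l) is the integers mod l).
    I_p is the graph {(e, p(e)) : e in F} of p, with (e, y) numbered 1 + e*l + y in {1..l^2}.
    Two distinct polynomials of degree <= d agree on at most d points, so |I_p ∩ I_q| <= d,
    and there are l^(d+1) such polynomials, i.e. m = l^(d+1) subsets of size l."""
    field = range(l)
    design = []
    for coeffs in product(field, repeat=d + 1):        # coeffs[j] is the coefficient of e^j
        graph = set()
        for e in field:
            value = 0
            for c in reversed(coeffs):                 # Horner evaluation of p(e) mod l
                value = (value * e + c) % l
            graph.add(1 + e * l + value)
        design.append(graph)
    return design


if __name__ == "__main__":
    g = greedy_design(9, 3, 1)
    print(len(g), max_overlap(g), is_design(g, 9, 3, 1))
    lines = polynomial_design(5, 1)                    # k = 25: the 25 lines of the affine plane
    print(len(lines), max_overlap(lines), is_design(lines, 25, 5, 1))
```

With l = 5 and d = 1 the polynomial construction yields 25 subsets of size 5 with pairwise overlap at most 1 (a (25,25,5)-design); raising d to 2 with l = 7 gives 343 subsets of size 7 with overlap at most 2, showing how the number of output bits m grows as l^{d+1} while the overlap bound grows only linearly in d, which is the trade-off the slide exploits when it picks d = O(log k) to reach m = poly(k).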

FIN