Codes and Pseudorandomness: A Survey
DESCRIPTION
Codes and Pseudorandomness: A Survey. David Zuckerman, University of Texas at Austin. Transcript of a PowerPoint presentation.
Codes and Pseudorandomness: A Survey
David Zuckerman
University of Texas at Austin
Randomness and Computing
• Randomness extremely useful in computing.
– Randomized algorithms
– Monte Carlo simulations
– Cryptography
– Distributed computing
• Problem: high-quality randomness expensive.
What is minimal randomness requirement?
• Can we eliminate randomness completely?
• If not:
– Can we minimize quantity of randomness?
– Can we minimize quality of randomness?
• What does this mean?
What is minimal randomness requirement?
• Can we eliminate randomness completely?
• If not:
– Can we minimize quantity of randomness? ⇒ Pseudorandom generator
– Can we minimize quality of randomness? ⇒ Randomness extractor
Outline
• PRGs and Codes
– Intro to PRGs.
– Various connections.
• Extractors and Codes
– Intro to Extractors.
– Connections with list decoding.
– Non-Malleable Codes and Extractors.
• Conclusions
Pseudorandom Numbers
• Computers rely on pseudorandom generators:
[Figure: a PRG maps a short random string (e.g. 71294) to a long “random-enough” string (e.g. 141592653589793238).]
What does “random enough” mean?
Modern Approach to PRGs [Blum-Micali 1982, Yao 1982]
[Figure: the same algorithm Alg is run once on a truly random input and once on a pseudorandom input; the two runs must have ≈ the same behavior.]
Require PRG to “fool” all efficient algorithms.
Which efficient algorithms?
• Poly-time PRG fooling all polynomial-time circuits implies NP≠P.
• So either:
– Make unproven assumption.
– Try to fool interesting subclasses of algorithms.
Existence vs. Explicit Construction
• Most functions are excellent PRGs.
– Challenge: find explicit one.
• Most codes have excellent properties.
– Known: good explicit codes.
• Can codes give good PRGs?
Idea 1: PRG = Random Codeword
• Choose a random codeword in [n,k] code.
– n random variables, |sample space| = 2^k.
• But: linear code can’t fool all linear tests.
• t-wise independence:
– Dual distance > t ⇒ any t coordinates independent as rv’s, since any t columns of G are linearly independent.
– t=2: Hadamard code, |Ω| = n+1 [Lancaster 1965]
– t odd: Dual BCH code, |Ω| = 2(n+1)^{(t−1)/2} [ABI ‘86]
Idea 2: PRG=Random Column of G
• k random variables, |sample space| = n.
• If dual distance > 4, then Ω is a Sidon set:
– All pairwise sums distinct.
• Dual BCH code: |Ω| = 2^{(k−1)/2}.
– Don’t need row of 1’s; Ω = {(x, x^3) | x ∈ F_{2^{k/2}}}.
[Figure: generator matrix G with k rows; the sample space Ω is the set of its n columns.]
PRG=Random Column of G
• Say all codewords ≠ 0 have relative wt ½ ± ε.
• Each nonempty S ⊆ [k] corresponds to a codeword, namely ⊕_{i∈S} X_i.
• ½−ε ≤ Pr[⊕_{i∈S} X_i = 1] ≤ ½+ε: ε-biased space [NN ‘90]
• RS concat Hadamard: |Ω| = O(k^2/ε^2) [AGHP ‘90]
• AG concat Hadamard: |Ω| = O(k/ε^3)
– Degree < genus: |Ω| = O((k/ε^2)^{5/4}) [BT 2009]
• Optimal, non-explicit: O(k/ε^2). Ignored logs.
[Figure: generator matrix G with rows X_1, …, X_k; the sample space Ω is the set of its columns.]
PRGs from Hard Functions [NW ‘88]
• PRGs ⇒ lower bounds.
• Nisan-Wigderson: lower bounds ⇒ PRGs.
• Suppose f is hard on average.
[Figure: each output bit is f applied to the seed restricted to a set S_i (another to S_j), where the S_i form a design (a weight-w code): |S_i| = w.]
Worst ⇒ Average Case Hardness [L, BF]
• Given: worst-case hard f: {0,1}^w → {0,1}.
• Encode f using RM code as g: F_q^w → F_q.
– g = unique multilinear function s.t. g = f on {0,1}^w.
• g is avg-case hard.
– Efficiently compute g on 1−1/(4m) fraction ⇒ efficiently compute g everywhere whp.
– Pick random line L with L(0) = x.
– Degree(g(L(·))) ≤ w.
– Interpolate g(L(0)) from g(L(1)), …, g(L(w+1)).
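The random-line self-correction above, written out as an added example (not code from the slides or from [L, BF]). It assumes a prime field F_Q with Q = 101, w = 4, a constructed truth table for f, and a constructed oracle that computes g wrongly on about 1/20 of the inputs.

```python
import itertools
import random
Q = 101   # prime, so F_Q is arithmetic mod Q (constructed choice)
W = 4     # f : {0,1}^W -> {0,1}

# Constructed "worst-case hard" f, stored as a truth table over {0,1}^W.
F_TABLE = {b: b[0] ^ b[1] ^ (b[2] & b[3]) for b in itertools.product((0, 1), repeat=W)}

def g(x):
    """Multilinear extension of f over F_Q (the RM encoding on the slide):
    g(x) = sum_b f(b) * prod_i (x_i if b_i == 1 else 1 - x_i); g = f on {0,1}^W."""
    total = 0
    for b, fb in F_TABLE.items():
        term = fb
        for xi, bi in zip(x, b):
            term = term * (xi if bi else 1 - xi) % Q
        total = (total + term) % Q
    return total

def corrupted_g(x):
    """Constructed average-case oracle: correct on all but about 1/20 of F_Q^W."""
    if sum(x) % 20 == 0:
        return (g(x) + 1 + (37 * x[0] + x[1]) % (Q - 1)) % Q   # a wrong answer
    return g(x)

def interpolate_at_zero(points):
    """Lagrange interpolation over F_Q: value at t = 0 of the degree <= len-1 polynomial through (t, y) pairs."""
    result = 0
    for j, (tj, yj) in enumerate(points):
        num = den = 1
        for i, (ti, _) in enumerate(points):
            if i != j:
                num = num * (-ti) % Q
                den = den * (tj - ti) % Q
        result = (result + yj * num * pow(den, Q - 2, Q)) % Q
    return result

def correct(x, oracle, rng=None, trials=11):
    """Recover g(x) whp from an oracle that is right on most inputs: pick a random
    line L(t) = x + t*a (so L(0) = x), query L(1), ..., L(W+1) (g on a line has
    degree <= W), interpolate t = 0, and take the majority over independent lines."""
    rng = rng or random.Random(2024)
    votes = []
    for _ in range(trials):
        a = [rng.randrange(Q) for _ in range(W)]
        pts = [(t, oracle([(xi + t * ai) % Q for xi, ai in zip(x, a)]))
               for t in range(1, W + 2)]
        votes.append(interpolate_at_zero(pts))
    return max(set(votes), key=votes.count)
```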
Local Decodability
• Compute any bit of message whp by querying at most r bits of encoding.
– RM codes.
– New family: Matching Vector Codes [Yekhanin, Efremenko, …]. Beats RM codes.
• Stronger notion: Local correctability.
– Can compute any bit of encoding.
– RM codes.
List Decoding [Elias 1957]
• Output list of all close codewords.
• Can sometimes decode beyond distance/2.
• Efficient algorithms for:
– Hadamard [Goldreich-Levin]
– Reed-Solomon [Sudan, Guruswami-Sudan]
– AG codes [Shokrollahi-Wasserman, GS]
– Reed-Muller [large q: STV, q=2: GKZ]
– Certain concatenated codes [GS, STV, GI, BM]
– PV codes [Parvaresh-Vardy]
– Folded RS [Guruswami-Rudra]
– Multiplicity codes [Kopparty, Guruswami-Wang]
PRGs and Hardcore Bits [Goldreich-Levin 1989, Impagliazzo 1997]
• Given one-way function f:
– Easy to compute, hard to invert.
– E.g., f(x) = g^x mod p (g generator, p prime).
• Goal: computing bit b(x) hard given f(x).
• Thm: Suppose C is (locally) list decodable. Then b(x,i) = C(x)_i hard given f(x), i.
• Pf idea: Suppose easy. List decode few candidates for x. Check if f(candidate) = f(x).
PRG from Hardcore Bits
• Given one-way permutation f, hardcore b.
• PRG(x,i) = b(x,i), b(f(x),i), b(f^2(x),i), …
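The two slides above (Hadamard hardcore bit, list-decoding proof idea, and the PRG built from a one-way permutation) as one added example; it is not code from the slides or the cited papers. It assumes a constructed toy one-way permutation f(x) = G^x mod P with the small safe prime P = 2027, and a brute-force list decoder, which is adequate only because x is 11 bits long here.

```python
import random

# Constructed toy parameters: a safe prime P and a generator G of Z_P^*,
# so f(x) = G^x mod P permutes {1, ..., P-1}.
P = 2027                    # P - 1 = 2 * 1013, both prime
G = 2
N = (P - 1).bit_length()    # x is an N-bit string (N = 11)

def is_generator(g):
    """g generates Z_P^* iff g^((P-1)/q) != 1 for every prime q dividing P-1."""
    return all(pow(g, (P - 1) // q, P) != 1 for q in (2, 1013))

def owp(x):
    """One-way permutation f(x) = G^x mod P (inverting it is discrete log)."""
    return pow(G, x, P)

def hardcore_bit(x, r):
    """b(x, r) = <x, r> mod 2, i.e. C(x)_r for the Hadamard code C."""
    return bin(x & r).count("1") & 1

def prg(x, r, m):
    """PRG(x, r) = b(x, r), b(f(x), r), b(f^2(x), r), ...  (m output bits)."""
    out = []
    for _ in range(m):
        out.append(hardcore_bit(x, r))
        x = owp(x)
    return out

def invert_with_predictor(y, predictor, eps, samples=200, rng=None):
    """The proof idea: a predictor that guesses b(x, r) from (f(x), r) with
    advantage eps yields a corrupted Hadamard codeword of x.  List-decode it
    (brute force over all N-bit x, fine for this toy N) and keep the candidate
    with f(candidate) = y."""
    rng = rng or random.Random(5)
    seen = [(r, predictor(y, r)) for r in (rng.randrange(1 << N) for _ in range(samples))]
    threshold = (0.5 + eps) * samples
    candidates = [x for x in range(1, P)
                  if sum(hardcore_bit(x, r) == b for r, b in seen) >= threshold]
    return next((x for x in candidates if owp(x) == y), None)
```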
List Decoding Related to Randomness Extractors
General Weak Random Source [Z ‘90]
• Random variable X on {0,1}^n.
• General model: min-entropy H∞(X) ≥ k, i.e. Pr[X = x] ≤ 2^{−k} for all x.
• Flat source:
– Uniform on A ⊆ {0,1}^n, |A| ≥ 2^k.
General Weak Random Source [Z ‘90]
• Can arise in different ways:
– Physical source of randomness.
– Cryptography: condition on adversary’s information, e.g. bounded storage model.
– Pseudorandom generators (for space s machines): condition on TM configuration.
Goal: Extract Randomness
[Figure: Ext maps an n-bit source X with min-entropy k to m bits, within statistical error ε of uniform.]
Problem: Impossible, even for k = n−1, m = 1, ε < 1/2.
Impossibility Proof
• Suppose f: {0,1}^n → {0,1} satisfies: ∀ sources X with H∞(X) ≥ n−1, f(X) ≈ U.
[Figure: {0,1}^n split into f^{−1}(0) and f^{−1}(1).]
• Take X uniform on f^{−1}(0) (wlog the larger half, so H∞(X) ≥ n−1). Then f(X) is constant, at distance ½ from U.
Randomness Extractor: short seed [Nisan-Z ‘93, …, Guruswami-Umans-Vadhan ‘07]
[Figure: Ext takes the n-bit source X (min-entropy k) and a d = O(log(n/ε))-bit uniformly random seed Y, and outputs m = .99k bits with statistical error ε.]
Strong extractor: (Ext(X,Y), Y) ≈ Uniform
Graph-Theoretic View: “Expansion”
[Figure: bipartite graph with N = 2^n left vertices x, each of degree D = 2^d, and M = 2^m right vertices; the edge labelled y leaves x for Ext(x,y). Every set of K = 2^k left vertices has at least (1−ε)M neighbors: the output is uniform.]
Alternate View
[Figure: for a set S of right vertices, BAD_S is the set of left vertices x whose D neighbors land in S with the wrong frequency; N = 2^n, D = 2^d, M = 2^m.]
Extractor Codes via Alt-View [Ta-Shma-Z 2001]
• List recovery generalizes list decoding.
• S = (S_1, …, S_D), agreement = |{i | x_i ∈ S_i}|.
• |{Codewords with agreement ≥ (μ(S) + ε)D}| ≤ |BAD_S|.
• Can construct extractor codes with efficient decoding.
• Give hardcore bits Ext(x,y) wrt 1-way (f(x), y).
Leftover Hash Lemma ⇒ Johnson Bound
• Johnson bound: An [n, k, (½−ε^2)n]-code has < L = 1/ε^2 codewords within distance ½−ε of received word r. Alt pf [TZ ‘01]:
• Let V = close codewords, D = distribution of (i, v_i), i uniform in [n], v uniform in V. |D−U| ≥ ε, by the test Pr[(i, v_i) = (i, r_i)].
• If |V| ≥ L:
– collision-pr(D) < (1/n)(1/|V| + 1 − d/n) = (1+4ε^2)/(2n)
• Implies |D−U| < ε. Contradiction.
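The collision-probability step of the alternative proof, carried through as an added derivation (not from the slides). It uses the slide's symbols, writes cp for collision probability, and relies on the standard fact that a distribution D on a set of size T satisfies |D − U| ≤ ½√(T·cp(D) − 1).

\[
\mathrm{cp}(D)=\Pr\bigl[(i,v_i)=(i',v'_{i'})\bigr]=\frac1n\Pr_{i,v,v'}[v_i=v'_i]
\le\frac1n\Bigl(\frac1{|V|}+\Bigl(1-\frac1{|V|}\Bigr)\Bigl(1-\frac dn\Bigr)\Bigr)
<\frac1n\Bigl(\frac1{|V|}+1-\frac dn\Bigr),
\]
since two distinct codewords agree on at most \(n-d\) coordinates. With \(|V|\ge L=1/\varepsilon^2\) and \(d=(\tfrac12-\varepsilon^2)n\):
\[
\mathrm{cp}(D)<\frac1n\Bigl(\varepsilon^2+\tfrac12+\varepsilon^2\Bigr)=\frac{1+4\varepsilon^2}{2n}.
\]
\(D\) is supported on \([n]\times\{0,1\}\), so \(T=2n\) and
\[
|D-U|\le\tfrac12\sqrt{2n\cdot\mathrm{cp}(D)-1}<\tfrac12\sqrt{(1+4\varepsilon^2)-1}=\varepsilon,
\]
while the test set \(\{(i,r_i)\}\) has probability at least \(\tfrac12+\varepsilon\) under \(D\) (every \(v\in V\) agrees with \(r\) on at least \((\tfrac12+\varepsilon)n\) coordinates) and exactly \(\tfrac12\) under \(U\), so \(|D-U|\ge\varepsilon\): contradiction.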
Codes ⇒ Extractors
• PRGs + Codes ⇒ Extractor [Trevisan 1999]
• RM Codes ⇒ Extractor [Ta-Shma, Z, Safra 2001; Shaltiel, Umans 2001]
• Parvaresh-Vardy Codes ⇒ Extractor [Guruswami, Umans, Vadhan 2007]
2-Stage Extractor
[Figure: Condense: source with min-entropy k, + O(log n) random bits ⇒ shorter source with entropy rate .9. Extract: + O(log n) random bits ⇒ uniform.]
Parvaresh-Vardy codes ⇒ Condenser [Guruswami-Umans-Vadhan 2007]
• F_q finite field
• parameter h ≤ q
• degree-n polynomial E(Y) irreducible over F_q
– source: degree n−1 univariate polynomial f
– define f_i(Y) = f^{h^i}(Y) mod E(Y)
C(f, y ∈ F_q) = (y, f_0(y), f_1(y), f_2(y), …, f_{m−1}(y))
Independent Sources
[Figure: two independent sources of n/2 bits each, both with min-entropy k, fed to Ext, which outputs m = Ω(k) bits with statistical error ε.]
Bounds for 2 Independent Sources
• Classical: H∞(X) > n/2.
– Lindsey Lemma: inner product.
• Bourgain: H∞(X) > .4999n.
• Existence: H∞(X) > 2 log n.
Privacy Amplification With Active Adversary
• Problem: Active adversary could change Y to Y’.
[Figure: one party picks the seed Y and sends it over the public channel; shared secret = Ext(X,Y).]
Active Adversary
• Can arbitrarily insert, delete, modify, and reorder messages.
• E.g., can run several rounds with one party before resuming execution with other party.
Non-Malleable Extractor [Dodis-Wichs 2009]
• Strong extractor: (Ext(X,Y), Y) ≈ (U, Y).
• nmExt is a non-malleable extractor if for arbitrary A: {0,1}^d → {0,1}^d with y’ = A(y) ≠ y:
(nmExt(X,Y), nmExt(X,Y’), Y) ≈ (U, nmExt(X,Y’), Y)
• nmExt can’t ignore a bit of the seed.
• Existence: k > log log n + c, d = log n + O(1), m = (k − log d)/2.01.
• Gives privacy amplification with active adversary in 2 rounds with optimal entropy loss.
Explicit Non-Malleable Extractor
• Even k = n−1, m = 1 nontrivial.
– E.g., Ext(x,y) = x·y. X = 0??…?, y’ = A(y) flips first bit, x·y’ = x·y.
• Dodis-Li-Wooley-Z 2011: H∞(X) > n/2.
• Cohen-Raz-Segev 2012: Seed length O(log n).
• Li 2012: H∞(X) > .499n.
– Connection with 2-source extractors.
A Simple 1-Bit Construction [Li]
• Sidon set: set S with all s+t, s,t ∈ S, s ≠ t, distinct.
• Thm [Li]: f(x,y) = x·y, y uniform from S, nonmalleable extractor for H∞(X) > n/2.
• Proof: H∞(Y) = n/2, so X·Y ≈ U (Lindsey’s lemma).
• Suffices to show X·Y + X·A(Y) ≈ U (XOR lemma).
• X·Y + X·A(Y) = X·(Y + A(Y)).
• H∞(Y + A(Y)) ≥ H∞(Y) − 1 = n/2 − 1, since S is Sidon: each value y + A(y) arises from at most the two seeds y and A(y).
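An added example (not code from the slides or from [Li]) covering both the dual-BCH Sidon set of “Idea 2” (Ω = {(x, x^3)}) and the seed step of Li’s proof above. It assumes the constructed field GF(2^5) with the irreducible polynomial x^5 + x^2 + 1, so seeds are 5 bits and y is a 10-bit string.

```python
import itertools

M = 5                 # seed x lives in GF(2^M); constructed choice (n = 2M = 10)
MODULUS = 0b100101    # x^5 + x^2 + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiply in GF(2^M): carry-less product reduced modulo MODULUS."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> M:
            a ^= MODULUS
    return r

def seed_to_y(x):
    """Dual-BCH column without the all-ones row: y = (x, x^3) as a 2M-bit
    string, so Omega = {(x, x^3) : x in GF(2^M)} and |Omega| = 2^M = 2^(n/2)."""
    return (x << M) | gf_mul(gf_mul(x, x), x)

def sidon_set():
    return [seed_to_y(x) for x in range(1 << M)]

def is_sidon(omega):
    """Sidon over GF(2)^n: all sums s + t (= s XOR t) of distinct pairs differ."""
    sums = {s ^ t for s, t in itertools.combinations(omega, 2)}
    return len(sums) == len(omega) * (len(omega) - 1) // 2

def inner_product(x, y):
    """x . y over GF(2): Li's 1-bit extractor f(x, y) = x . y."""
    return bin(x & y).count("1") & 1

def max_seed_collisions(adv):
    """Li's key step: with y = S(x) and y' = S(A(x)), A(x) != x, each value
    y + y' is shared by at most 2 seeds x when S is Sidon, which is why
    H(Y + A(Y)) >= H(Y) - 1.  Returns the largest number of seeds giving one value."""
    counts = {}
    for x in range(1 << M):
        x2 = adv(x)
        assert x2 != x, "adversary must change the seed"
        z = seed_to_y(x) ^ seed_to_y(x2)
        counts[z] = counts.get(z, 0) + 1
    return max(counts.values())
```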
Non-Malleable Codes [Dziembowski, Pietrzak, Wichs 2010]
• Adversary tampers with Enc(m) via f ∈ F.
– Ideally Dec(f(Enc(m))) = m or “error”.
– Impossible if f(x) = Enc(m’) allowed.
• Dec(f(Enc(m))) = m or is independent of m.
– Randomized encoding allowed.
• Prob method: exist if |F| < 2^{2^{αn}}, α < 1.
• Explicit?
• Codes for f(x_1, …, x_n) = f_1(x_1), …, f_n(x_n).
Split-State Tampering
• f(x,y) = g(x), h(y), |x| = |y| = n/2.
• 2-source ext for H(X) + H(Y) > 2n/3 ⇒ codes for 1-bit messages [Dz, Kazana, Obremski 2013]
• Poly rate: n = k^{7+o(1)} via additive combinatorics [Aggarwal, Dodis, Lovett 2013].
• Constant rate if can construct nonmalleable 2-source extractors for entropy rate .99 [Cheraghchi, Guruswami 2013].
Non-Malleable 2-Source Extractor [Cheraghchi, Guruswami 2013]
• X and Y independent weak sources.
• Think of H∞(X) = H∞(Y) = .99(n/2).
• For all A_1, A_2, x’ = A_1(x) ≠ x, y’ = A_2(y) ≠ y:
– (nmExt(X,Y), nmExt(X,Y’)) ≈ (U, nmExt(X,Y’))
– (nmExt(X,Y), nmExt(X’,Y)) ≈ (U, nmExt(X’,Y))
– (nmExt(X,Y), nmExt(X’,Y’)) ≈ (U, nmExt(X’,Y’))
• Open question: explicit construction.
Key Properties of Codes
• Dual distance ⇒ k-wise independence, Sidon sets.
• Relative distance ≈ ½ ⇒ small-bias spaces.
• Local decodability ⇒ Amplifying hardness of functions for PRGs, extractors.
• List decodability ⇒ Cryptographic PRGs, extractors.
• Non-malleability ⇐ Non-malleable 2-source extractors.
Open Questions
• Construct ε-biased spaces of size n = O(k/ε^2).
– [n = O(k/ε^2), k, (½−ε)n] codes.
• 2-source extractors for entropy rate α, any α > 0.
• Non-malleable extractors for H∞(X) = αn.
• Non-malleable codes of constant rate.
– Non-malleable 2-source extractors.
• Other Applications & Connections.
Thank you!