TRANSCRIPT
On Pseudorandom Generators with Linear Stretch in NC0
Benny Applebaum, Yuval Ishai, Eyal Kushilevitz
Technion
Foundations of secure multi-party computation and zero-knowledge and its applications
Pseudorandom Generator (PRG)
[Figure: a random source supplies the seed Uin to G; a poly-time machine receives either G(Uin) or a truly random Uout and must answer "Pseudorandom or Random?"; the stretch is the amount by which the output is longer than the input.]
PRG - Parallelism vs. Stretch
[Figure: a grid of complexity (poly-time, NC, log-space, NC1, AC0, NC0, NC0ℓ for locality ℓ) against stretch (sub-linear, linear, super-linear).]
Motivation
Parallel implementation of crypto tasks (e.g., Stream Cipher, Naor Commitment)
• Positive results
– Super-Linear PRG from any PRG [Goldreich Micali 84]
– Super-Linear PRG in NC1 from factoring [Naor Reingold Rosen 02, NR97]
– Sub-Linear PRG in AC0 from subset sum [Impagliazzo Naor 89]
– Heuristic Super-Linear PRG in NC05 [Mossel Shpilka Trevisan 03]
– Sub-Linear PRG in NC04 from any PRG in NC1 [AIK 04]
– Sub-Linear PRG in NC03 from decoding random linear code [AIK]
– Linear PRG in NC04 from Linear PRG in NC0 [AIK 04]
• Negative results
– No PRGs in NC02 [Goldreich 00, Cryan Miltersen 01]
– No Super-Linear PRG in NC03, NC04 [CM01, Mossel Shpilka Trevisan 03]
– Sub-Linear PRG does not yield Linear PRG (black-box) [Viola 05]
Previous Work
[Figure: previous work placed on the complexity (P, NC1, AC0, NC0, NC04, NC03, NC02) vs. stretch (sub-linear, linear, super-linear) grid: PRGs from factoring, from subset sum and from random linear codes; the impossible region; the black-box (BB) separation; and the cells still open.]
• Algebraic assumption of [Alekhnovich 03] implies LPRG in NC0
• LPRG in NC0 implies inapproximability of MAX 3SAT.
Main Results
Conclusion: Algebraic assumption of [Alekhnovich 03] implies inapproximability of MAX 3SAT. Already proven directly by [Alekhnovich 03].
[Figure: the complexity (P, NC1, AC0, NC0, NC04, NC03, NC02) vs. stretch (sub-linear, linear, super-linear) grid with the main results placed on it.]
Talk Outline
• LPRG in NC0 implies inapproximability of MAX 3SAT
• Construction of LPRG in NC0
- Take 1: Good stretch, bad locality
- Take 2: Bad stretch, good locality
- Regaining the stretch via ε-biased generators
- A uniform version of the construction
• Conclusions and open questions
Cryptography and Inapproximability
• Hardness of refuting random 3SAT gives new inapproximability results [Feige 02]
• Hardness of determining the number of satisfiable equations in a random linear system: Feige's assumption + new results [Alekhnovich 03]
• Approx algorithm for MAX 2LIN upper-bounds the stretch of PRG in NC04 [Mossel Shpilka Trevisan 03]
These do not rely on standard crypto primitives.
NC0 Crypto and Inapproximability
• k-Constraint Satisfaction Problem: a list of constraints over n variables x1,…,xn, each constraint involving k variables, e.g.
– X1 +X3 X5 =0
– X2 X3 X4 =1
...
- X2 +X3 + X4 =1
• Q. how many of the constraints can be satisfied together?
Current work: If there is a Lin-Stretch PRG in NC0, then one cannot distinguish a satisfiable 3-CSP from an unsatisfiable 3-CSP.
Corollary of PCP [ALMSS, AS 92]: If P≠NP, then one cannot distinguish a satisfiable 3-CSP from an unsatisfiable 3-CSP.
LPRG in NC0 InapproximabilityThm. If G:{0,1}n {0,1}s is a PRG in NC0
k and s-n=(n)
Then, s.t satisfiable k-CSP and -unsat k-CSP are indistinguishable
Proof: k-CSP distinguisher distinguisher for PRG
• If y R G(Un) y is satisfiable (since x s.t G(x)=y)
•If y R Us (w.h.p.) y is - unsat
B
y R Ayes
no
satisfiable
-unsatk-CSP
G(Un)
Us
G1(x) =y1
G2(x) =y2
.....
Gs(x) =ys
y
LPRG in NC0 implies Inapproximability
Claim: If y ←R Us then (w.h.p.) y is ε-unsat
Proof:
• Assume y is not ε-unsat; then there is x s.t. H(y,G(x)) < εs
• Hence, Pr[y is not ε-unsat] = Pr[H(y, Image(G)) < εs] ≤ |Image(G)|·Vol(s, εs) / 2^s ≤ 2^(n + H(ε)s − s) = neg(n)
[Figure: in {0,1}^s with s = n+Ω(n), the εs-spheres around the image points G(x) cover only a negligible fraction of the space; the k-CSP distinguisher B is the same as before.]
LPRG in NC0 implies Inapproximability
Q: So what?
A: It explains why it is hard to construct LPRGs in NC0. We have an excuse…
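To make the reduction concrete, here is an added example (not from the talk) that runs the argument on a constructed toy NC0 generator with n=8 and s=16: each output gate read against y_i is one 3-CSP constraint, and the script checks by brute force over all seeds that y=G(x) is satisfiable, while a uniform y lies close to the image only with the probability the union bound above predicts. The gate table and parameters are assumptions of the example.

```python
import itertools
from math import comb

# Constructed toy NC0_3 generator G: {0,1}^8 -> {0,1}^16 (s - n = n, linear stretch).
# Each output bit is a gate reading 3 seed bits, so "G_i(x) = y_i" is one 3-CSP
# constraint: the reduction of the theorem, at a size where all 2^8 seeds can be tried.
AND3 = lambda a, b, c: a & b & c
OR3 = lambda a, b, c: a | b | c
XOR3 = lambda a, b, c: a ^ b ^ c
MAJ3 = lambda a, b, c: int(a + b + c >= 2)
GATES = [
    ((0, 1, 2), AND3), ((0, 1, 2), OR3), ((1, 2, 3), XOR3), ((2, 3, 4), MAJ3),
    ((3, 4, 5), XOR3), ((4, 5, 6), AND3), ((5, 6, 7), MAJ3), ((6, 7, 0), XOR3),
    ((7, 0, 3), OR3), ((0, 2, 4), XOR3), ((1, 3, 5), MAJ3), ((2, 4, 6), XOR3),
    ((3, 5, 7), AND3), ((4, 6, 0), XOR3), ((5, 7, 1), OR3), ((6, 0, 2), MAJ3),
]
N, S = 8, len(GATES)
SEEDS = list(itertools.product((0, 1), repeat=N))

def evaluate(x):
    """G(x): output bit i is GATES[i] applied to the 3 seed bits it reads (NC0 locality)."""
    return tuple(f(*(x[j] for j in idx)) for idx, f in GATES)

def best_fraction(y):
    """Largest fraction of the constraints G_i(x) = y_i that a single seed x satisfies."""
    best = max(sum(g == b for g, b in zip(evaluate(x), y)) for x in SEEDS)
    return best / S

def image():  # Image(G) has at most 2^n of the 2^s strings: that is why random y is far from it
    return {evaluate(x) for x in SEEDS}

def near_image_fraction(r):
    """Exact Pr_y[H(y, Image(G)) <= r] for uniform y, i.e. Pr[y is not eps-unsat] with eps = (r+1)/s."""
    near = set()
    for y in image():
        for d in range(r + 1):
            for flips in itertools.combinations(range(S), d):
                near.add(tuple(b ^ (i in flips) for i, b in enumerate(y)))
    return len(near) / 2 ** S

def union_bound(r):
    """The proof's bound |Image(G)| * Vol(s, r) / 2^s on the same probability."""
    return len(image()) * sum(comb(S, d) for d in range(r + 1)) / 2 ** S

if __name__ == "__main__":
    print("y = G(x): best fraction", best_fraction(evaluate((1, 0, 1, 1, 0, 0, 1, 0))))
    y_bad = (1, 0) + (0,) * (S - 2)  # gate 0 (AND) = 1 forces gate 1 (OR) = 1: not in the image
    print("y outside image: best fraction", best_fraction(y_bad))
    print("Pr[uniform y within 1 of image] =", near_image_fraction(1), "<= bound", union_bound(1))
```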
LPRG Construction – Take 1
• Assumption 1 [Alekhnovich 03]: For any const. k, ℓ, 0< <1 and any family of (kn)×n ℓ-sparse matrices Mn, if Mn is expanding then C(Mn, ) ≈c C(Mn, +1/kn)
• Lemma [Alek 03]: Assumption 1 implies C(Mn, ) is pseudorandom
[Figure: distribution C(M, ) is Mx + e, where M is a fixed binary ℓ-sparse (kn)×n matrix (ℓ ones in each row of length n), x is a random n-bit vector and e is a random error vector whose weight is ·m, m=kn; C(M, +1/m) is the same with the weight raised by 1/m·m; the lemma says this is close to the uniform distribution U.]
• Pros: High (linear) stretch: input n+mH( ) bits, output m bits; Mx is samplable in NC0
• Con: How to sample the noise vector in NC0?
LPRG Construction – Take 2
• Assumption 2: For any const. k, ℓ, 0< <1 and any family Mn of (kn)×n ℓ-sparse matrices, if Mn is expanding then D(Mn, ) ≈c D(Mn, +1/kn)
• Assumption 1 Assumption 2
• Lemma: Assumption 2 implies D(Mn, ) is pseudorandom
[Figure: D(M, ) is Mx + e with M a fixed (kn)×n ℓ-sparse matrix, x a random n-bit vector and e an iid noise vector in which each bit is 1 w/prob. ; D(M, +1/m) raises that probability by 1/m, m=kn.]
Sampling D(M, ) in NC0
• For noise rate 1/2^t one can sample e in NC0t
• Problem: No expansion: mt+n inputs, m outputs
• Observation: y has large entropy even when e is given
• Sol: extract more random bits from y
• Need to extract
- almost all bits of y
- in NC0
- using less than m extra bits
• Sol: use an NC0 ε-biased generator
[Figure: the mt seed bits y are split into m blocks of t bits; each block yields one noise bit e_i, which is added to (Mx)_i to give D(M, ); every output bit reads ℓ bits of x and t bits of y.]
Regaining the stretch
• Let [y|e] be the distribution of y given e.
• Lem. 1 (High Entropy) Except w/prob exp(−Ω(m/2^t)), H([y|e]) ≥ mt(1 − 2^(−Ω(t)))
• Proof:
- e_i=1 iff the i-th block of y = 1^t
- e_i=0 iff the i-th block of y ←R {0,1}^t \ {1^t}
- e has k zeroes, so [y|e] is uniform over a set of size (2^t−1)^k
- By Chernoff: Pr[# 1's in e > 2m/2^t] < exp(−Ω(m/2^t))
- Hence, w/prob 1−exp(−Ω(m/2^t)), # 0's in e ≥ m(1−1/2^(t−1)) and [y|e] is uniform over a set of size (2^t−1)^(m(1−2^(−t+1)))
ε-biased generators
[Figure: the PRG picture again, but the distinguisher is a linear function: a random source supplies Uin to g, and the linear test must tell g(Uin) from Uout; stretch as before.]
ε-bias generator [Naor Naor 90]: for every linear distinguisher L, |Pr[L(g(Us))=1] − Pr[L(Us)=1]| ≤ ε
Extraction via ε-biased generators
• Lem 2. (Extraction) [Alon Roichman 94, Goldreich Wigderson 97]
- Let g:{0,1}^n → {0,1}^s be an ε-biased generator,
- Xs distributed over {0,1}^s with entropy deficiency s − H(Xs).
- Then: SD(g(Un) + Xs, Us) ≤ ε·2^((s − H(Xs) − 1)/2)
• Lem 3. (ε-biased in NC0) [Mossel Shpilka Trevisan 02]
For every const. c there is an ε-biased gen g:{0,1}^n → {0,1}^cn w/bias ε = 2^(−n/poly(c)) in NC05.
Wrapping Up
For proper consts t, c:
1. Pr_y[H([y|e]) ≥ mt(1−neg(t))] > 1−neg(m)
2. For every c we have g:{0,1}^(mt/c) → {0,1}^(mt) w/bias 2^(−mt/poly(c)) in NC05 [MST 03]
3. For r ←R U_(tm/c), (g(r)+[y|e]) is close to uniform up to neg(m) + 2^(−mt/poly(c)) + mt·neg(t) = neg(m) [Alon Roichman 94, Goldreich Wigderson 97]
[Figure: the mt seed bits y (m blocks of t) give e; y is masked with g(r), where r has mt/c bits, and the pair (g(r)+y, e) is close to (Uniform, e).]
Our Generator
[Figure: the D( ,M) part: x (n bits) and the noise seeds give Mx+e (m bits), which is close to uniform; the extractor part: g(r)+y (mt bits).]
Let m=kn
Input: n + tm + tm/c = n(1 + tk + tk/c)
Output: m + tm = n(k + tk)
For const. k and good consts. c, t we have linear stretch
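An added example (not the authors' code) that instantiates the Take 2 sampler with the NC0 noise trick above and carries out the Lemma 1 entropy count and the input/output accounting of this slide for constructed parameters n=16, k=4, ℓ=3, t=3; the extractor g itself is not implemented, only its seed length tm/c enters the stretch count.

```python
import random
from math import log2

# Constructed instance of the "Take 2" sampler D(M, 1/2^t) with NC0 noise, plus the
# entropy and stretch accounting from Lemma 1 and "Our Generator". Assumed toy
# parameters: n=16 seed bits, k=4 (m=kn=64 output bits), ELL=3 ones per row, t=3.
N, K, ELL, T = 16, 4, 3, 3
M_ROWS = K * N

def make_sparse_matrix(rng):
    """Fixed binary ELL-sparse (kn)x(n) matrix, stored as the ELL column indices of each row."""
    return [rng.sample(range(N), ELL) for _ in range(M_ROWS)]

def noise_bit(block):
    """e_i = AND of its t-bit seed block: Pr[e_i = 1] = 2^-t, computed with locality t (NC0_t)."""
    return int(all(block))

def sample_D(M, x, seed_blocks):
    """y = Mx + e over GF(2). Output bit i reads ELL bits of x and T seed bits: locality ELL + T."""
    return [(sum(x[j] for j in M[i]) % 2) ^ noise_bit(seed_blocks[i]) for i in range(M_ROWS)]

def entropy_given_e(e):
    """H([y|e]) exactly: a zero of e leaves its block uniform over 2^t - 1 values, a one fixes it to 1^t."""
    return e.count(0) * log2(2 ** T - 1)

def lemma1_floor():
    """Lower bound on H([y|e]) holding w.h.p.: at least m(1 - 1/2^(t-1)) zeroes in e."""
    return M_ROWS * (1 - 1 / 2 ** (T - 1)) * log2(2 ** T - 1)

def stretch(c):
    """(input, output, output - input) of the final generator: x, the tm seed bits and the
    extractor seed r of tm/c bits go in; Mx+e (m bits) and g(r)+y (tm bits) come out."""
    m = M_ROWS
    inputs = N + T * m + T * m // c
    outputs = m + T * m
    return inputs, outputs, outputs - inputs

if __name__ == "__main__":
    rng = random.Random(1)  # constructed sample run
    M = make_sparse_matrix(rng)
    x = [rng.randrange(2) for _ in range(N)]
    blocks = [[rng.randrange(2) for _ in range(T)] for _ in range(M_ROWS)]
    e = [noise_bit(b) for b in blocks]
    print("weight of e:", sum(e), "of", M_ROWS, "(expected m/2^t =", M_ROWS / 2 ** T, ")")
    print("H([y|e]) =", round(entropy_given_e(e), 1), "bits of mt =", M_ROWS * T,
          "; Lemma 1 floor", round(lemma1_floor(), 1))
    for c in (2, 4, 8):  # c must exceed tk/(k-1) = 4 before the stretch turns positive
        print("c =", c, "-> (input, output, stretch) =", stretch(c))
```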
LPRG in Uniform NC0
• Non-uniform advice:
1. Mn (family of unbalanced constant-degree bipartite expanders)
2. For every c, a generator g:{0,1}^n → {0,1}^cn w/bias ε = 2^(−n/poly(c)) in non-uniform NC05 [MST03]
• Uniform implementation:
1. Mn = explicit family of unbalanced constant-degree bipartite expanders [Capalbo Reingold Vadhan Wigderson 02]
2. Prove a uniform version of MST: for every c, a generator g:{0,1}^n → {0,1}^cn w/bias ε = 2^(−n/polylog(c)) in uniform NC0polylog(c). (The construction again uses [Capalbo Reingold Vadhan Wigderson 02].)
Open Questions
Q: Can we compile a high stretch PRG in a "relatively high" complexity class (e.g., NC1) into an LPRG in NC0?
A: Maybe, but the compiler must be "combinatorially interesting"
[Figure: a compiler box turning a PRG into an LPRG.]
The Necessity of Expansion
• Let G:{0,1}^n → {0,1}^s be an ε-strong PRG, i.e., for any eff. A, adv_A(G(Un),Us) < ε
• Claim: any set T of outputs of size k < log(1/ε) touches at least k inputs
• Proof: Otherwise, for some z in {0,1}^k, Pr[y_T = z] = 0 for y ← G(Un) but = 2^(−k) > ε for y ← Us
• Hence the graph is expanding.
• If G is not in NC0, the graph has non-const. degree: trivial!
• If G has small stretch: trivial!
• G in NC0 with linear stretch: non-trivial expansion
• By disperser LBs [Radhakrishnan, Ta-Shma]: if ε = 2^(−k) then locality ≥ Ω(log(s/k) / log(n/k))
• Corollary: No 2^(−Ω(n))-strong PRGs w/ super-linear stretch in NC0
[Figure: the bipartite graph with n inputs and s outputs, each output joined to the inputs it reads.]
Open Questions
• PRG w/ super-linear stretch in NC0 or even in AC0?
• LPRG in NC03?
• LPRG in NC0 under standard assumptions?
• Does a sub-linear PRG in NC give an LPRG?
- Easy: a linear PRG in NC1 gives a super-linear PRG
• More inapproximability from crypto
- Not hard to extend results to other primitives…
- Get inapproximability results which do not follow from PCP
- Use more standard assumptions
[Figure: the complexity (P, NC1, AC0, NC0, NC04, NC03, NC02) vs. stretch (sub-linear, linear, super-linear) grid with the open cells marked.]
Thank You !