the unified theory of pseudorandomness

The Unified Theory ofPseudorandomness

Salil VadhanHarvard University

See also monograph-in-progress Pseudorandomnesshttp://seas.harvard.edu/~salil/pseudorandomness

Pseudorandomness

Theory of efficiently generating

objects that “look random”

despite being constructed

with little or no randomness.

Motivation

Computer Science– Derandomization: converting randomized algorithms into

deterministic algorithms.– Cryptography: generating lots of unpredictable bits (e.g. for

encryption) from a short key – Useful “Pseudorandom Objects” (e.g. error-correcting codes).

Mathematics– Explicit Constructions matching Probabilistic Method

(e.g. Ramsey graphs)– Analyzing mathematical structures: e.g. the primes are dense in

a “pseudorandom” set of integers [Green-Tao04]

“Pseudorandom Objects”• Error-correcting codes: make data resilient to corruption• Expander graphs: highly connected but sparse graphs• Samplers: estimate avg with few samples & random bits• Randomness extractors: convert biased & correlated bits

to almost-uniform random bits.• Hardness amplifiers: convert worst-case hard functions

into average-case hard ones.• Pseudorandom generators: stretch short seed to many

bits that “look random” to efficient algorithms.

For each, randomly chosen object achieves very good parameters. Goal is explicit constructions – ones that are efficient & deterministic.

A Unified Theory

Through work of many researchers over 2 decades:• All of these objects are essentially the same when

viewed appropriately.• Much progress by exploiting connections to translate

constructions and ideas from one object to another.

This talk:• Single “list-decoding” framework that captures all the

objects.• Highlights similarities and differences.

An Incomplete List of References

• D. Zuckerman “Randomness-optimal oblivious sampling”, 1996.• L. Trevisan “Extractors and Pseudorandom Generators”, 1999.• M. Sudan, L. Trevisan, S. Vadhan “Pseudorandom Generators

without the XOR Lemma”, 1999.• A. Ta-Shma, D. Zuckerman “Extractor codes”, 2001.• V. Guruswami, C. Umans, S. Vadhan “Unbalanced Expanders and

Randomness Extractors from Parvaresh-Vardy Codes”, 2007.

• See proceedings & monograph for more.

The Framework

Syntactic form of object: : [N]x[D][M]

For T [M], let LIST(T,)={x[N] : Pry[(x,y)T] > }

Semantic property:

For all TC, |LIST (T,)| K

Notes/conventions:• Sometimes require “constructing” LIST(T,) to be “efficient”

• LIST(T,1)={x[N] : Pry[(x,y)T] = 1}

• A=2a, B=2b,..., : {0,1}n {0,1}d {0,1}m

LIST-DECODABLE CODES

Error-Correcting Codes

Goal: encode data s.t. can recover from errors.

message m codeword Enc(m)

received word r

encoding

corrupt< frac.

decoding

n bits D q-ary symbols

Example: Reed-Solomon code Enc(f)=(f(1),…,f(D)), fFq [x]

List-Decodable CodesQ: What if noise too high (=1-1/q-) for unique decoding?

message m codeword Enc(m)

received word r

encoding

corrupt < 1-1/q- frac.decoding

n bits D q-ary symbols

message m1

message m2

message mK Def: Enc : [N] [q]D is (K,) list-decodable if r [q]D, there are K messages m s.t. Enc(m) agrees with r in more than 1/q+ positions.

List-Decodable Codes

Def: Enc : [N] [q]D is (K,) list-decodable if r [q]D, there are K messages m s.t. Enc(m) agrees with r in more than 1/q+ positions.

Goals• Minimize D (e.g. Dlog q=O(n)).• Minimize (e.g. small constant independent of n).• Minimize q (e.g. q=O(1) or q=poly(n)).• Minimize K (e.g. K=poly(n)).

List-Decodable Codes in the Framework

Given Enc : [N] [q]D, define : [N] [D] [D][q]

via (x,y)=(y,Enc(x)y).

Proposition:

Enc (K,) list-decodable r [q]D |LIST(Tr,1/q+)| K,

where Tr = {(y,ry) : y [D]}

Proof:x LIST(Tr,1/q+) Pry[(x,y)Tr]>1/q+

Pry[Enc(x)y=ry]>1/q+.

ComparisonObject Interpretation Decoding Problem Std. Parameters

list-decodable codes

(x,y) = (y,Enc(x)y)

T = {(y,ry)}) |LIST(T,1/q+)| K

q, constant,M,D=O(n), K=nO(1)

• : [N][D] [M]

• N=2n,D=2d,…• T [M]• LIST(T,)={x[N] : Pry[(x,y)T] > }

AVERAGING SAMPLERS

Sampling

• Goal: given “oracle access” to a function f : [M] {0,1}, estimate (f) := Ez[f(z)] by making few queries to f.

• Natural approach: choose random points z1,…,zD[M], and output (1/D) if(zi).– For D=O((1/2)log(1/)), correct within with probability 1-.

• Don’t need full independence; “pseudorandom” samples suffice, such as:– pairwise independence (e.g. zi=ai+b, for a,bFM)

– random walks on expander graphs.

Averaging Samplers

Def: Samp : [N] [M]D is a (,) averaging sampler if for every f : [M] {0,1}, we have

Pr(z1,…,zD) Samp(U[N])[(1/D)if(zi) > (f)+]

Goals:• Minimize D (ideally D=O((1/2)log(1/)).• Maximize m=log M.• Minimize n=log N (ideally n=m+log(1/)). • Minimize , (often constant, but =o(1)).

Samplers in the Framework

Def: Samp : [N] [M]D is a (,) averaging sampler if for every f : [M] {0,1}, we have

Pr(z1,…,zD) Samp(U[N])[(1/D)if(zi) > (f)+]

Given Samp, define : [N][D] [M] via (x,y)=Samp(x)y.

Proposition:

Samp (,) averaging samplerT [M] |LIST(T,(T)+)|N



(x,y) = (y,Enc(x)y)

T = {(y,ry)}) |LIST(T,1/q+)| K


samplers (x,y) = Samp(x)y

|LIST(T,(T)+)| N n=O(m+log(1/)),K=N D=O((1/2)log(1/)).

• : [N][D] [M]


EXPANDER GRAPHS

(Bipartite) Expander Graphs

Goals:• Minimize D• Maximize A• Maximize K• [Minimize M]

|Nbrs(S)| A¢|S|D

NM

S, |S| K

Classic Params:• M=N • D, A > 1 constants.• K = N /2

“(K,A) expander”

Example:• [N]=[M]=Fp

• Nbrs(x)={x+1,x-1,x-1}

List-Decoding View of Expanders

• Given G, let (x,y) = y’th neighbor of x.

• Prop: G is a (K,A) expander iff Tµ [M] of size < AK, we have |LIST(T,1)| < |T|/A.

|(S)| A¢ KD

NM

“(K,A) expander”

S, |S| K



(x,y) = (y,Enc(x)y)

T = {(y,ry)}) |LIST(T,1/q+)| K




expanders (x,y) = y’th nbr of x

|T| < AK) |LIST(T,1)| < |T|/A

M=N, D=O(1), A>1 K=(N)

• : [N][D] [M]


PSEUDORANDOM GENERATORS

Pseudorandom Generators

• looks random: for every “computationally feasible” test T : {0,1}m{0,1}, |Pry[T(G(y))=1]-Prz[T(z)=1]| .

• computationally feasible: computable by a circuit of size t, or, equivalently, a time t algorithm with t bits of advice.

• useful for cryptography, derandomizing probabilistic algorithms

Gd-bit seed m bits that “look random”

PRG Constructions

• Q: Do efficiently computable PRGs exist? Open! Requires proving NP P, or at least EXPBPP.

• Instead show: if there are sufficiently hard functions (say in EXP), then efficient PRGs exist.

Black-box PRG Constructions

Def: G is a (t,k,) black-box PRG construction if R s.t.• f T s.t. Pry[T(Gf(y))=1] > Prz[T(z)=1] +

w {0,1}k s.t. RwT computes f everywhere.

• R is computable in time t with oracle access to T.

f : {0,1}l {0,1} Gf : {0,1}d {0,1}m

test T : {0,1}m {0,1}

construction

reduction

w/ k-bit advice wRw

T : {0,1}l {0,1}

Prop: if f can’t be computed by circuits of size s, then Gf is -pseudorandom vs. circuits of size s/t

Black-box PRG Constructions

Def: G is a (t,k,) black-box PRG construction if R s.t.• f T s.t. Pry[T(Gf(y))=1] > Prz[T(z)=1] +

w {0,1}k s.t. RwT computes f everywhere.

• R is computable in time t with oracle access to T.

f : {0,1}l {0,1} Gf : {0,1}d {0,1}m

test T : {0,1}m {0,1}

construction

reduction

w/ k-bit advice wRw

T : {0,1}l {0,1}

Common parameters: • t=k=m=1/[c, 2/c] for arbitrarily large constant c, d=O().

PRGs in the Framework

Take n=2l and define (f,y) = Gf(y)

Proposition: G an (,k,) PRG const. T [M] |LIST(T,(T)+)|K.

Proof: fLIST(T,(T)+) Pry[T(Gf(y))=1]>Prz[T(z)=1]+

K such f’s they can be named with k bits of advice

f : {0,1}l {0,1} Gf : {0,1}d {0,1}m

test T : {0,1}m {0,1}

construction

reduction

w/ k-bit advice wRw

T : {0,1}l {0,1}

PRGs in the Framework

Q: What about efficient reductions?

A: Analogous to efficient “local list decoding”: compute each bit of the “message” f using few queries to “received word” T.

f : {0,1}l {0,1} Gf : {0,1}d {0,1}m

test T : {0,1}m {0,1}

construction

reduction

w/ k-bit advice wRw

T : {0,1}l {0,1}



(x,y) = (y,Enc(x)y)

T = {(y,ry)}) |LIST(T,1/q+)| K





|T| < AK) |LIST(T,1)| < |T|/A

M=N, D=O(1), A>1 K=(N)

pseudorandom

generators

(f,y)=Gf(y) |LIST(T,(T)+)| K+ “local list-decoding”

m=1/[nc,N1/c],D=poly(n), k=poly(m)

• : [N][D] [M]




(x,y) = (y,Enc(x)y)

T = {(y,ry)}) |LIST(T,1/q+)| K





|T| < AK) |LIST(T,1)| < |T|/A

M=N, D=O(1), A>1 K=(N)

pseudorandom

generators

(f,y)=Gf(y) |LIST(T,(T)+)| K+ “local list-decoding”

m=1/[nc,N1/c],D=poly(n), k=poly(m)

randomness extractors

(x,y) = Ext(x,y)

|LIST(T,(T)+)| K D=poly(n/), k=O(m)

hardness amplifiers

(f,y)=(y,Ampf(y))

T = {(y,ry)}) |LIST(T,1/q+)| K+ “local list-decoding”

q constant, M,D=O(n).k=poly(n/)

Conclusions

• Many pseudorandom objects are almost equivalent.

• Each brings different intuition, techniques, parameters.

• Open: single construction : [N] [D] [M] optimal for all?– For every T [M], [0,1], |LIST(T,)| f(|T|,) for f as small as

possible.– (x,y) = (y,)– poly-time computable– Efficient local list-decoding

• For more information, see proceedings and http://seas.harvard.edu/~salil/pseudorandomness

the unified theory of pseudorandomness

Documents