the unified theory of pseudorandomness
DESCRIPTION
The Unified Theory of Pseudorandomness. Salil Vadhan Harvard University See also monograph-in-progress Pseudorandomness http://seas.harvard.edu/~salil/pseudorandomness. Pseudorandomness. Theory of efficiently generating objects that “look random” despite being constructed - PowerPoint PPT PresentationTRANSCRIPT
The Unified Theory ofPseudorandomness
Salil VadhanHarvard University
See also monograph-in-progress Pseudorandomnesshttp://seas.harvard.edu/~salil/pseudorandomness
Pseudorandomness
Theory of efficiently generating
objects that “look random”
despite being constructed
with little or no randomness.
Motivation
Computer Science– Derandomization: converting randomized algorithms into
deterministic algorithms.– Cryptography: generating lots of unpredictable bits (e.g. for
encryption) from a short key – Useful “Pseudorandom Objects” (e.g. error-correcting codes).
Mathematics– Explicit Constructions matching Probabilistic Method
(e.g. Ramsey graphs)– Analyzing mathematical structures: e.g. the primes are dense in
a “pseudorandom” set of integers [Green-Tao04]
“Pseudorandom Objects”• Error-correcting codes: make data resilient to corruption• Expander graphs: highly connected but sparse graphs• Samplers: estimate avg with few samples & random bits• Randomness extractors: convert biased & correlated bits
to almost-uniform random bits.• Hardness amplifiers: convert worst-case hard functions
into average-case hard ones.• Pseudorandom generators: stretch short seed to many
bits that “look random” to efficient algorithms.
For each, randomly chosen object achieves very good parameters. Goal is explicit constructions – ones that are efficient & deterministic.
“Pseudorandom Objects”• Error-correcting codes: make data resilient to corruption• Expander graphs: highly connected but sparse graphs• Samplers: estimate avg with few samples & random bits• Randomness extractors: convert biased & correlated bits
to almost-uniform random bits.• Hardness amplifiers: convert worst-case hard functions
into average-case hard ones.• Pseudorandom generators: stretch short seed to many
bits that “look random” to efficient algorithms.
For each, randomly chosen object achieves very good parameters. Goal is explicit constructions – ones that are efficient & deterministic.
A Unified Theory
Through work of many researchers over 2 decades:• All of these objects are essentially the same when
viewed appropriately.• Much progress by exploiting connections to translate
constructions and ideas from one object to another.
This talk:• Single “list-decoding” framework that captures all the
objects.• Highlights similarities and differences.
An Incomplete List of References
• D. Zuckerman “Randomness-optimal oblivious sampling”, 1996.• L. Trevisan “Extractors and Pseudorandom Generators”, 1999.• M. Sudan, L. Trevisan, S. Vadhan “Pseudorandom Generators
without the XOR Lemma”, 1999.• A. Ta-Shma, D. Zuckerman “Extractor codes”, 2001.• V. Guruswami, C. Umans, S. Vadhan “Unbalanced Expanders and
Randomness Extractors from Parvaresh-Vardy Codes”, 2007.
• See proceedings & monograph for more.
The Framework
Syntactic form of object: : [N]x[D][M]
For T [M], let LIST(T,)={x[N] : Pry[(x,y)T] > }
Semantic property:
For all TC, |LIST (T,)| K
Notes/conventions:• Sometimes require “constructing” LIST(T,) to be “efficient”
• LIST(T,1)={x[N] : Pry[(x,y)T] = 1}
• A=2a, B=2b,..., : {0,1}n {0,1}d {0,1}m
LIST-DECODABLE CODES
Error-Correcting Codes
Goal: encode data s.t. can recover from errors.
message m codeword Enc(m)
received word r
encoding
corrupt< frac.
decoding
n bits D q-ary symbols
Example: Reed-Solomon code Enc(f)=(f(1),…,f(D)), fFq [x]
List-Decodable CodesQ: What if noise too high (=1-1/q-) for unique decoding?
message m codeword Enc(m)
received word r
encoding
corrupt < 1-1/q- frac.decoding
n bits D q-ary symbols
message m1
message m2
message mK Def: Enc : [N] [q]D is (K,) list-decodable if r [q]D, there are K messages m s.t. Enc(m) agrees with r in more than 1/q+ positions.
List-Decodable Codes
Def: Enc : [N] [q]D is (K,) list-decodable if r [q]D, there are K messages m s.t. Enc(m) agrees with r in more than 1/q+ positions.
Goals• Minimize D (e.g. Dlog q=O(n)).• Minimize (e.g. small constant independent of n).• Minimize q (e.g. q=O(1) or q=poly(n)).• Minimize K (e.g. K=poly(n)).
List-Decodable Codes in the Framework
Given Enc : [N] [q]D, define : [N] [D] [D][q]
via (x,y)=(y,Enc(x)y).
Proposition:
Enc (K,) list-decodable r [q]D |LIST(Tr,1/q+)| K,
where Tr = {(y,ry) : y [D]}
Proof:x LIST(Tr,1/q+) Pry[(x,y)Tr]>1/q+
Pry[Enc(x)y=ry]>1/q+.
ComparisonObject Interpretation Decoding Problem Std. Parameters
list-decodable codes
(x,y) = (y,Enc(x)y)
T = {(y,ry)}) |LIST(T,1/q+)| K
q, constant,M,D=O(n), K=nO(1)
• : [N][D] [M]
• N=2n,D=2d,…• T [M]• LIST(T,)={x[N] : Pry[(x,y)T] > }
AVERAGING SAMPLERS
Sampling
• Goal: given “oracle access” to a function f : [M] {0,1}, estimate (f) := Ez[f(z)] by making few queries to f.
• Natural approach: choose random points z1,…,zD[M], and output (1/D) if(zi).– For D=O((1/2)log(1/)), correct within with probability 1-.
• Don’t need full independence; “pseudorandom” samples suffice, such as:– pairwise independence (e.g. zi=ai+b, for a,bFM)
– random walks on expander graphs.
Averaging Samplers
Def: Samp : [N] [M]D is a (,) averaging sampler if for every f : [M] {0,1}, we have
Pr(z1,…,zD) Samp(U[N])[(1/D)if(zi) > (f)+]
Goals:• Minimize D (ideally D=O((1/2)log(1/)).• Maximize m=log M.• Minimize n=log N (ideally n=m+log(1/)). • Minimize , (often constant, but =o(1)).
Samplers in the Framework
Def: Samp : [N] [M]D is a (,) averaging sampler if for every f : [M] {0,1}, we have
Pr(z1,…,zD) Samp(U[N])[(1/D)if(zi) > (f)+]
Given Samp, define : [N][D] [M] via (x,y)=Samp(x)y.
Proposition:
Samp (,) averaging samplerT [M] |LIST(T,(T)+)|N
ComparisonObject Interpretation Decoding Problem Std. Parameters
list-decodable codes
(x,y) = (y,Enc(x)y)
T = {(y,ry)}) |LIST(T,1/q+)| K
q, constant,M,D=O(n), K=nO(1)
samplers (x,y) = Samp(x)y
|LIST(T,(T)+)| N n=O(m+log(1/)),K=N D=O((1/2)log(1/)).
• : [N][D] [M]
• N=2n,D=2d,…• T [M]• LIST(T,)={x[N] : Pry[(x,y)T] > }
EXPANDER GRAPHS
(Bipartite) Expander Graphs
Goals:• Minimize D• Maximize A• Maximize K• [Minimize M]
|Nbrs(S)| A¢|S|D
NM
S, |S| K
Classic Params:• M=N • D, A > 1 constants.• K = N /2
“(K,A) expander”
Example:• [N]=[M]=Fp
• Nbrs(x)={x+1,x-1,x-1}
List-Decoding View of Expanders
• Given G, let (x,y) = y’th neighbor of x.
• Prop: G is a (K,A) expander iff Tµ [M] of size < AK, we have |LIST(T,1)| < |T|/A.
|(S)| A¢ KD
NM
“(K,A) expander”
S, |S| K
ComparisonObject Interpretation Decoding Problem Std. Parameters
list-decodable codes
(x,y) = (y,Enc(x)y)
T = {(y,ry)}) |LIST(T,1/q+)| K
q, constant,M,D=O(n), K=nO(1)
samplers (x,y) = Samp(x)y
|LIST(T,(T)+)| N n=O(m+log(1/)),K=N D=O((1/2)log(1/)).
expanders (x,y) = y’th nbr of x
|T| < AK) |LIST(T,1)| < |T|/A
M=N, D=O(1), A>1 K=(N)
• : [N][D] [M]
• N=2n,D=2d,…• T [M]• LIST(T,)={x[N] : Pry[(x,y)T] > }
PSEUDORANDOM GENERATORS
Pseudorandom Generators
• looks random: for every “computationally feasible” test T : {0,1}m{0,1}, |Pry[T(G(y))=1]-Prz[T(z)=1]| .
• computationally feasible: computable by a circuit of size t, or, equivalently, a time t algorithm with t bits of advice.
• useful for cryptography, derandomizing probabilistic algorithms
Gd-bit seed m bits that “look random”
PRG Constructions
• Q: Do efficiently computable PRGs exist? Open! Requires proving NP P, or at least EXPBPP.
• Instead show: if there are sufficiently hard functions (say in EXP), then efficient PRGs exist.
Black-box PRG Constructions
Def: G is a (t,k,) black-box PRG construction if R s.t.• f T s.t. Pry[T(Gf(y))=1] > Prz[T(z)=1] +
w {0,1}k s.t. RwT computes f everywhere.
• R is computable in time t with oracle access to T.
f : {0,1}l {0,1} Gf : {0,1}d {0,1}m
test T : {0,1}m {0,1}
construction
reduction
w/ k-bit advice wRw
T : {0,1}l {0,1}
Prop: if f can’t be computed by circuits of size s, then Gf is -pseudorandom vs. circuits of size s/t
Black-box PRG Constructions
Def: G is a (t,k,) black-box PRG construction if R s.t.• f T s.t. Pry[T(Gf(y))=1] > Prz[T(z)=1] +
w {0,1}k s.t. RwT computes f everywhere.
• R is computable in time t with oracle access to T.
f : {0,1}l {0,1} Gf : {0,1}d {0,1}m
test T : {0,1}m {0,1}
construction
reduction
w/ k-bit advice wRw
T : {0,1}l {0,1}
Common parameters: • t=k=m=1/[c, 2/c] for arbitrarily large constant c, d=O().
PRGs in the Framework
Take n=2l and define (f,y) = Gf(y)
Proposition: G an (,k,) PRG const. T [M] |LIST(T,(T)+)|K.
Proof: fLIST(T,(T)+) Pry[T(Gf(y))=1]>Prz[T(z)=1]+
K such f’s they can be named with k bits of advice
f : {0,1}l {0,1} Gf : {0,1}d {0,1}m
test T : {0,1}m {0,1}
construction
reduction
w/ k-bit advice wRw
T : {0,1}l {0,1}
PRGs in the Framework
Q: What about efficient reductions?
A: Analogous to efficient “local list decoding”: compute each bit of the “message” f using few queries to “received word” T.
f : {0,1}l {0,1} Gf : {0,1}d {0,1}m
test T : {0,1}m {0,1}
construction
reduction
w/ k-bit advice wRw
T : {0,1}l {0,1}
ComparisonObject Interpretation Decoding Problem Std. Parameters
list-decodable codes
(x,y) = (y,Enc(x)y)
T = {(y,ry)}) |LIST(T,1/q+)| K
q, constant,M,D=O(n), K=nO(1)
samplers (x,y) = Samp(x)y
|LIST(T,(T)+)| N n=O(m+log(1/)),K=N D=O((1/2)log(1/)).
expanders (x,y) = y’th nbr of x
|T| < AK) |LIST(T,1)| < |T|/A
M=N, D=O(1), A>1 K=(N)
pseudorandom
generators
(f,y)=Gf(y) |LIST(T,(T)+)| K+ “local list-decoding”
m=1/[nc,N1/c],D=poly(n), k=poly(m)
• : [N][D] [M]
• N=2n,D=2d,…• T [M]• LIST(T,)={x[N] : Pry[(x,y)T] > }
ComparisonObject Interpretation Decoding Problem Std. Parameters
list-decodable codes
(x,y) = (y,Enc(x)y)
T = {(y,ry)}) |LIST(T,1/q+)| K
q, constant,M,D=O(n), K=nO(1)
samplers (x,y) = Samp(x)y
|LIST(T,(T)+)| N n=O(m+log(1/)),K=N D=O((1/2)log(1/)).
expanders (x,y) = y’th nbr of x
|T| < AK) |LIST(T,1)| < |T|/A
M=N, D=O(1), A>1 K=(N)
pseudorandom
generators
(f,y)=Gf(y) |LIST(T,(T)+)| K+ “local list-decoding”
m=1/[nc,N1/c],D=poly(n), k=poly(m)
randomness extractors
(x,y) = Ext(x,y)
|LIST(T,(T)+)| K D=poly(n/), k=O(m)
hardness amplifiers
(f,y)=(y,Ampf(y))
T = {(y,ry)}) |LIST(T,1/q+)| K+ “local list-decoding”
q constant, M,D=O(n).k=poly(n/)
Conclusions
• Many pseudorandom objects are almost equivalent.
• Each brings different intuition, techniques, parameters.
• Open: single construction : [N] [D] [M] optimal for all?– For every T [M], [0,1], |LIST(T,)| f(|T|,) for f as small as
possible.– (x,y) = (y,)– poly-time computable– Efficient local list-decoding
• For more information, see proceedings and http://seas.harvard.edu/~salil/pseudorandomness