Pseudorandom Generators and Typically-Correct Derandomization

Jeff Kinne, Dieter van Melkebeek (University of Wisconsin-Madison); Ronen Shaltiel (University of Haifa)

Transcript of Pseudorandom Generators and Typically-Correct Derandomization

Page 1: Pseudorandom Generators and Typically-Correct Derandomization

Pseudorandom Generators and Typically-Correct Derandomization

Jeff Kinne, Dieter van Melkebeek
University of Wisconsin-Madison

Ronen Shaltiel
University of Haifa

Page 2: Pseudorandom Generators and Typically-Correct Derandomization

Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel

RANDOM 2009

Overview

• New approach based on PRGs
  • Simpler proofs, new results
• Difficulty of typically-correct derand?
  • Small # errors: implies circuit lower bounds
  • Large # errors: cannot be with relativizing techniques or arithmetization
• Typically-Correct Derandomization
  • Allowed to make small # of errors

Page 3: Pseudorandom Generators and Typically-Correct Derandomization

The Power of Randomness?

Is randomness more powerful for …
• Time-Bounded Algs? BPP P (PRIMES, Circuit Testing)
• Interactive Proofs? AM NP (Graph Non-Iso)
• Space-Bounded Algs? BPL L (Undirected STCON)

Does BPP = P?

Page 4: Pseudorandom Generators and Typically-Correct Derandomization

Does BPP = P?

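• $B(x) = \mathrm{Maj}_{\rho}\, A(x, G(\rho))$ decides L if G is PRG secure against circuits A(x, ∙)
• [NW, IW, STV, SU, …] $E \not\subseteq \mathrm{SIZE}(2^{\varepsilon n}) \Rightarrow$ PRG $G$ with $\ell = O(\log n)$, computable in time $2^{O(\ell)}$ $\Rightarrow$ BPP = P

[Figure: BPP lang L, randomized machine A(x, r); accept/reject regions for x∈L and x∉L, with $G(\{0,1\}^{\ell})$ marked]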

Page 5: Pseudorandom Generators and Typically-Correct Derandomization

Difficulty of Proving BPP=P

• Can we prove BPP=P without circuit lower bounds?
  • No: [KI] BPP ⊆ NSUBEXP ⇒ NEXP ⊈ P/poly or PERM ⊈ Arith-P/poly
  • Further: cannot prove BPP ⊆ NSUBEXP with relativizing techniques or arithmetization
• What if we relax the goal?
  • [IW, …] “heuristic” derand if BPP ≠ EXP
  • [GW, …] typically-correct derandomization

Page 6: Pseudorandom Generators and Typically-Correct Derandomization

Typically-Correct Derandomization

Randomized Algorithm A(x, r) computing lang L
B typically-correct for L: makes at most $\delta \cdot 2^{n}$ errors

• More efficient derandomizations?
• Weaker (or no) hardness assumptions?
• How to leverage ability to make errors?
  • Extractors [GW]
  • Seedless Extractors [Sha]
  • PRGs – this work

Page 7: Pseudorandom Generators and Typically-Correct Derandomization

Extract Randomness from Input [GW]

Randomized Algorithm A(x, r) computing lang L
Deterministic simulation B(x) = A(x, E(x))

• If (1) most r good for all x and (2) |r| < |x|
  • B(x) = A(x, x) makes few errors
• Make error very small: $B(x) = \mathrm{Maj}_{y}\, A(x, E(x,y))$
• BPP: if P hard-on-average for $\mathrm{SIZE}^{\mathrm{SAT}}(n^{d})$ use PRG to

[Figure: set of all r ≈ set of all x; “good” r; x]

Subsequent work: [vMS], [Zim], [Sha]

Page 8: Pseudorandom Generators and Typically-Correct Derandomization

Extract Randomness from Input [Sha]

Randomized Algorithm A(x, r) computing lang L

• B(x) = A(x, E(x)), assume |r| ≤ |x|
• If E seedless $2^{-\Omega(|r|)}$-extractor for distributions then B typically-correct
• Use PRG to get |r| ≤ |x|
  • BPP: if P very hard-on-average for $\mathrm{SIZE}(n^{d})$
• Unconditional results for $\mathrm{AC}^{0}$, streaming algs, …

[Figure: set of all r, with “good” r where A(x,r)=L(x); set of all x, fixed good r]

Page 9: Pseudorandom Generators and Typically-Correct Derandomization

Pseudorandom Generator Approach

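Randomized Algorithm A(x, r) computing lang L
B(x) = A(x, E(x))

• $\Pr_{r}[A(x,r) \ne L(x)] \le \rho \le 1/3$
• $\Pr_{x,r}[A(x,r) \ne L(x)] \le \rho$
• $G(x) = (x, E(x))$ is $\varepsilon$-PRG for $T$ $\Rightarrow$ $\left|\Pr_{x,r}[A(x,r) \ne L(x)] - \Pr_{x}[A(G(x)) \ne L(x)]\right| \le \varepsilon$ $\Rightarrow$ $\Pr_{x}[A(x,E(x)) \ne L(x)] \le \rho + \varepsilon$
• $G$ $\varepsilon$-PRG for test $T_{r'}(x,r)$: $A(x,r) \ne A(x,r')$ $\Rightarrow$ $\Pr_{x}[A(x,E(x)) \ne L(x)] \le 3\rho + \varepsilon$

[Figure: all (x, r) pairs; region A(x,r)=L(x), shown for fixed x; test T(x, r)]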
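
The $3\rho + \varepsilon$ bound on this slide, carried through step by step. This derivation is added here and is not taken from the slides; it assumes $x$, $r$ and $r'$ are uniform and independent, and reads the hypothesis as: for every fixed $r'$, $G(x) = (x, E(x))$ is an $\varepsilon$-PRG for the test $T_{r'}(x,r) = [A(x,r) \ne A(x,r')]$.

Step 1 (PRG condition, then average over $r'$):

$$\Pr_{x,r'}[A(x,E(x)) \ne A(x,r')] \;\le\; \Pr_{x,r,r'}[A(x,r) \ne A(x,r')] + \varepsilon$$

Step 2 (if two runs of $A$ disagree, at least one of them differs from $L(x)$; union bound with $\Pr_{x,r}[A(x,r) \ne L(x)] \le \rho$):

$$\Pr_{x,r,r'}[A(x,r) \ne A(x,r')] \;\le\; \Pr_{x,r}[A(x,r) \ne L(x)] + \Pr_{x,r'}[A(x,r') \ne L(x)] \;\le\; 2\rho$$

Step 3 (if $A(x,E(x)) \ne L(x)$ then, for any $r'$, either $A(x,E(x)) \ne A(x,r')$ or $A(x,r') \ne L(x)$):

$$\Pr_{x}[A(x,E(x)) \ne L(x)] \;\le\; \Pr_{x,r'}[A(x,E(x)) \ne A(x,r')] + \Pr_{x,r'}[A(x,r') \ne L(x)] \;\le\; (2\rho + \varepsilon) + \rho \;=\; 3\rho + \varepsilon$$

Unlike the test $A(x,r) \ne L(x)$, each $T_{r'}$ is evaluated by running $A$ twice and never refers to $L$.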

Page 10: Pseudorandom Generators and Typically-Correct Derandomization

Pseudorandom Generator Approach

Randomized Algorithm A(x, r) computing lang L
B(x) = A(G(x)), G is seed-extending PRG

• Can PRGs be seed-extending?
  • Cryptographic – No!
  • Derandomization – Yes! [NW, STV, SU, …]
• Compare to traditional use of PRG
  • B only runs G once – very efficient if G is
• Compare to [GW], [Sha]
  • PRG is already enough!

Page 11: Pseudorandom Generators and Typically-Correct Derandomization

New Typically-Correct Derand Results

Randomized Algorithm A(x, r) computing lang L
B(x) = A(x, NWH(x))
NWH based on hardness of H

• BPP: P $1/n^{c}$-hard for $\mathrm{SIZE}(n^{d})$ $\Rightarrow$ B in P and within $1/n^{c}$ of L
• Similar conditional results for AM, BPL, …

Weaker than [GW], [Sha]

Page 12: Pseudorandom Generators and Typically-Correct Derandomization

New Typically-Correct Derand Results

Randomized Algorithm A(x, r) computing lang L
B(x) = A(x, NWH(x))
NWH based on hardness of H

• $\mathrm{AC}^{0}$ with few symmetric gates: A uses $o(\log^{2} n)$ symm gates, error $\rho \le 1/3$ $\Rightarrow$ B in $\mathrm{AC}^{0}[\mathrm{sym}]$ and within $\rho + n^{-\Omega(\log n)}$ of L
• Other settings: multi-party comm, …

Page 13: Pseudorandom Generators and Typically-Correct Derandomization

Comparison with [Sha]

All results of [Sha] by PRG approach

(x, E(x)) is a $2^{-\Omega(|r|)}$-PRG for tests T(x,r): A(x,r) ≠ A(x,r’)

E is a seedless $2^{-\Omega(|r|)}$-extractor for distributions ≈ {x | A(x, r) = A(x,r’)}

A(x, E(x)) typically-correct for L

[Sha]

Page 14: Pseudorandom Generators and Typically-Correct Derandomization

Difficulty of Proving Typ-Cor Derand

• Typically-correct derandomization without circuit lower bounds?
  • No for small error: If $\mathrm{NTIME}(2^{n^{\varepsilon}})$ computes circuit-testing with $\le 2^{n^{\varepsilon}}$ errors, then NEXP ⊈ P/poly, or Permanent ⊈ Arithmetic-P/poly
  • Large error: no for relativizing techniques or arithmetization
    • [AW] oracle A, low-deg ext à of A s.t. $\mathrm{BPTIME}^{A}(O(n))$ is $(1/2 - 2^{-\Omega(n)})$-hard for $\mathrm{NTIME}^{\tilde{A}}(2^{n})$
• Simpler proof for everywhere-correct setting

Page 15: Pseudorandom Generators and Typically-Correct Derandomization

Recap

New seed-extending PRG approach

Unconditional results in some settings!

But, for BPP: unconditional results difficult

• Typically-Correct Derandomization
  • Allowed to make small # of errors

Page 16: Pseudorandom Generators and Typically-Correct Derandomization

Thanks!

* Full paper and slides available from my website