Pseudorandom Generators and Typically-Correct Derandomization
-
Upload
dale-higgins -
Category
Documents
-
view
20 -
download
0
description
Transcript of Pseudorandom Generators and Typically-Correct Derandomization
Pseudorandom Generators and
Typically-Correct Derandomization
Jeff Kinne, Dieter van MelkebeekUniversity of Wisconsin-Madison
Ronen ShaltielUniversity of Haifa
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
2
Overview
New approach based on PRGs simpler proofs, new results
Difficulty of typically-correct derand? Small # errors: implies circuit lower
bounds Large # errors: cannot be with relativizing
techniques or arithmetization
• Typically-Correct Derandomization• Allowed to make small # of errors
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
3
The Power of Randomness?
Is randomness more powerful for … Time-Bounded Algs?
Interactive Proofs?
Space-Bounded Algs? BPL L
AM NP
BPP PPRIMESCircuit Testing
Graph Non-Iso
UndirectedSTCON
Does BPP = P?
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
4
Does BPP = P?
B(x) = Majρ(A(x, G(ρ)) decides L if G is PRG secure against circuits A(x, ∙)
[NW, IW, STV, SU, …]E ⊈ SIZE(2εn) ⇒ PRG G with ℓ = O(log n), computable in time 2O(ℓ) ⇒ BPP=P
Randomized Machine A(x, r)
rejectaccept
G({0,1}ℓ)rejectaccept
x∈L x∉LBPP lang L
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
5
Difficulty of Proving BPP=P
Can we prove BPP=P without circuit lower bounds? No: [KI] BPP ⊆ NSUBEXP ⇒
NEXP ⊈ P/poly or PERM ⊈ Arith-P/poly
Further: cannot prove BPP ⊆ NSUBEXP with relativizing techniques or arithmetization
What if we relax the goal? [IW, …] “heuristic” derand if BPP≠ EXP [GW, …] typically-correct derandomization
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
6
Typically-Correct Derandomization
More efficient derandomizations? Weaker (or no) hardness assumptions? How to leverage ability to make errors?
Extractors [GW] Seedless Extractors [Sha] PRGs – this work
Randomized Algorithm A(x, r) computing lang L B typically-correct for L: makes at most δ·2n errors
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
7
Extract Randomness from Input [GW]
If (1) most r good for all x and (2) |r| < |x|
B(x) = A(x, x) makes few errors Make error very small: B(x) = Majy(A(x, E(x,y)))
BPP: if P hard-on-average for SIZESAT(nd) use PRG to
Randomized Algorithm A(x, r) computing lang LDeterministic simulation B(x) = A(x, E(x))
“good” r • xSet of all r ≈ set of all x
Subsequent work: [vMS], [Zim], [Sha]
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
8
Extract Randomness from Input [Sha]
B(x) = A(x, E(x)), assume |r| ≤ |x|
If E seedless 2-Ω(|r|)-extractor for distributions then B typically-correct
Use PRG to get |r| ≤ |x| BPP: if P very hard-on-average for SIZE(nd)
Randomized Algorithm A(x, r) computing lang L
“good” r A(x,r)=L(x)
Set of all r
Set of all x, fixed good r
Unconditional results for AC0, streaming algs, …
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
9
Pseudorandom Generator Approach
B(x) = A(x, E(x))
G(x) = (x, E(x)) is ε-PRG for T ⇒ |Prx,r[A(x,r)≠L(x)] – Prx[A(G(x))≠L(x)]| ≤ ε
⇒ Prx[A(x,E(x))≠L(x)] ≤ ρ+ε
Randomized Algorithm A(x, r) computing lang L
A(x,r)=L(x)
Fixed xA(x,r)=L(x)
All (x, r) pairs
Prr[A(x,r)≠L(x)] ≤ ρ ≤ 1/3 Prx,r[A(x,r)≠L(x)] ≤ ρ
test T(x, r)G ε-PRG for test Tr’(x,r): A(x,r)≠A(x,r’) ⇒ Prx[A(x,E(x))≠L(x)] ≤ 3ρ+ε
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
10
Pseudorandom Generator Approach
Can PRG’s be seed-extending? Cryptographic – No! Derandomization – Yes! [NW, STV, SU,
…] Compare to traditional use of PRG
B only runs G once – very efficient if G is Compare to [GW], [Sha]
PRG is already enough!
Randomized Algorithm A(x, r) computing lang LB(x) = A(G(x)), G is seed-extending PRG
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
11
New Typically-Correct Derand Results
BPP: P 1/nc-hard for SIZE(nd) ⇒ B in P and within 1/nc of L
Similar conditional results for AM, BPL, …
Randomized Algorithm A(x, r) computing lang LB(x) = A(x, NWH(x))
NWH based on hardness of HWeaker than [GW], [Sha]
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
12
New Typically-Correct Derand Results
AC0 with few symmetric gates:A uses o(log2n) symm gates, error ρ ≤ 1/3
⇒ B in AC0[sym] and within ρ+n-Ω(log n) of L
Other settings: multi-party comm, …
Randomized Algorithm A(x, r) computing lang LB(x) = A(x, NWH(x))
NWH based on hardness of H
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
13
Comparison with [Sha]
All results of [Sha] by PRG approach
(x, E(x)) is a 2-Ω(|r|)-PRG for tests T(x,r): A(x,r) ≠ A(x,r’)
E is a seedless 2-Ω(|r|)-extractor fordistributions ≈ {x | A(x, r) = A(x,r’)}
A(x, E(x)) typically-correct for L
[Sha]
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
14
Difficulty of Proving Typ-Cor Derand
Typically-correct derandomization without circuit lower bounds? No for small error: If NTIME(2nε
) computes circuit-testing with ≤ 2nε
errors, then NEXP ⊈ P/poly, or Permanent ⊈ Arithmetic-P/poly
Large error: no for relativizing techniques or arithmetization [AW] oracle A, low-deg ext à of A s.t. BPTIMEA(O(n)) is
(1/2-2-Ω(n))-hard for NTIMEÃ(2n)
Simpler proof for everywhere-correct setting
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
15
Recap
New seed-extending PRG approach
Unconditional results in some settings!
But, for BPP: unconditional results difficult
• Typically-Correct Derandomization• Allowed to make small # of errors
Pseudorandom Generators and Typically-Correct Derandomization Kinne, Van Melkebeek, Shaltiel
RANDOM 2009
16
Thanks!
* Full paper and slides available from my website