Transcript Document
The Unified Theory of
Pseudorandomness
Salil Vadhan
Harvard University
See also monograph-in-progress Pseudorandomness
http://seas.harvard.edu/~salil/pseudorandomness
Pseudorandomness
Theory of efficiently generating
objects that “look random”
despite being constructed
with little or no randomness.
Motivation
Computer Science
– Derandomization: converting randomized algorithms into
deterministic algorithms.
– Cryptography: generating lots of unpredictable bits (e.g. for
encryption) from a short key
– Useful “Pseudorandom Objects” (e.g. error-correcting codes).
Mathematics
– Explicit Constructions matching Probabilistic Method
(e.g. Ramsey graphs)
– Analyzing mathematical structures: e.g. the primes are dense in
a “pseudorandom” set of integers [Green-Tao04]
“Pseudorandom Objects”
•
•
•
•
Error-correcting codes: make data resilient to corruption
Expander graphs: highly connected but sparse graphs
Samplers: estimate avg with few samples & random bits
Randomness extractors: convert biased & correlated bits
to almost-uniform random bits.
• Hardness amplifiers: convert worst-case hard functions
into average-case hard ones.
• Pseudorandom generators: stretch short seed to many
bits that “look random” to efficient algorithms.
For each, randomly chosen object achieves very good
parameters. Goal is explicit constructions – ones that
are efficient & deterministic.
“Pseudorandom Objects”
•
•
•
•
Error-correcting codes: make data resilient to corruption
Expander graphs: highly connected but sparse graphs
Samplers: estimate avg with few samples & random bits
Randomness extractors: convert biased & correlated bits
to almost-uniform random bits.
• Hardness amplifiers: convert worst-case hard functions
into average-case hard ones.
• Pseudorandom generators: stretch short seed to many
bits that “look random” to efficient algorithms.
For each, randomly chosen object achieves very good
parameters. Goal is explicit constructions – ones that
are efficient & deterministic.
A Unified Theory
Through work of many researchers over 2 decades:
• All of these objects are essentially the same when
viewed appropriately.
• Much progress by exploiting connections to translate
constructions and ideas from one object to another.
This talk:
• Single “list-decoding” framework that captures all the
objects.
• Highlights similarities and differences.
An Incomplete List of References
• D. Zuckerman “Randomness-optimal oblivious sampling”, 1996.
• L. Trevisan “Extractors and Pseudorandom Generators”, 1999.
• M. Sudan, L. Trevisan, S. Vadhan “Pseudorandom Generators
without the XOR Lemma”, 1999.
• A. Ta-Shma, D. Zuckerman “Extractor codes”, 2001.
• V. Guruswami, C. Umans, S. Vadhan “Unbalanced Expanders and
Randomness Extractors from Parvaresh-Vardy Codes”, 2007.
• See proceedings & monograph for more.
The Framework
Syntactic form of object:
: [N]x[D][M]
For T [M], let LIST(T,)={x[N] : Pry[(x,y)T] > }
Semantic property:
For all TC, |LIST (T,)| K
Notes/conventions:
• Sometimes require “constructing” LIST(T,) to be “efficient”
• LIST(T,1)={x[N] : Pry[(x,y)T] = 1}
• A=2a, B=2b,..., : {0,1}n {0,1}d {0,1}m
LIST-DECODABLE CODES
Error-Correcting Codes
Goal: encode data s.t. can recover from errors.
D q-ary symbols
n bits
encoding
message m
codeword Enc(m)
corrupt
< frac.
decoding
received word r
Example: Reed-Solomon code Enc(f)=(f(1),…,f(D)), fFq [x]
List-Decodable Codes
Q: What if noise too high (=1-1/q-) for unique decoding?
D q-ary symbols
n bits
encoding
message m
codeword Enc(m)
message m1
message m2
decoding
corrupt
< 1-1/q- frac.
received word r
message
mK [q]D is (K,) list-decodable if
Def: Enc
: [N]
r [q]D, there are K messages m
s.t. Enc(m) agrees with r in more than 1/q+ positions.
List-Decodable Codes
Def: Enc : [N] [q]D is (K,) list-decodable if
r [q]D, there are K messages m
s.t. Enc(m) agrees with r in more than 1/q+ positions.
Goals
• Minimize D (e.g. Dlog q=O(n)).
• Minimize (e.g. small constant independent of n).
• Minimize q (e.g. q=O(1) or q=poly(n)).
• Minimize K (e.g. K=poly(n)).
List-Decodable Codes in the Framework
Given Enc : [N] [q]D, define : [N] [D] [D][q]
via (x,y)=(y,Enc(x)y).
Proposition:
Enc (K,) list-decodable r [q]D |LIST(Tr,1/q+)| K,
where Tr = {(y,ry) : y [D]}
Proof:
x LIST(Tr,1/q+) Pry[(x,y)Tr]>1/q+
Pry[Enc(x)y=ry]>1/q+.
Comparison
Object
Interpretation Decoding Problem
list-decodable
codes
(x,y) =
(y,Enc(x)y)
Std. Parameters
T = {(y,ry)}
q, constant,
) |LIST(T,1/q+)| K M,D=O(n), K=nO(1)
• T [M]
• LIST(T,)={x[N] : Pry[(x,y)T] > }
• : [N][D] [M]
• N=2n,D=2d,…
AVERAGING SAMPLERS
Sampling
• Goal: given “oracle access” to a function f : [M] {0,1},
estimate (f) := Ez[f(z)] by making few queries to f.
• Natural approach: choose random points z1,…,zD[M],
and output (1/D) if(zi).
– For D=O((1/2)log(1/)), correct within with probability 1-.
• Don’t need full independence; “pseudorandom” samples
suffice, such as:
– pairwise independence (e.g. zi=ai+b, for a,bFM)
– random walks on expander graphs.
Averaging Samplers
Def: Samp : [N] [M]D is a (,) averaging sampler if
for every f : [M] {0,1}, we have
Pr(z1,…,zD) Samp(U[N])[(1/D)if(zi) > (f)+]
Goals:
• Minimize D (ideally D=O((1/2)log(1/)).
• Maximize m=log M.
• Minimize n=log N (ideally n=m+log(1/)).
• Minimize , (often constant, but =o(1)).
Samplers in the Framework
Def: Samp : [N] [M]D is a (,) averaging sampler if
for every f : [M] {0,1}, we have
Pr(z1,…,zD) Samp(U[N])[(1/D)if(zi) > (f)+]
Given Samp, define : [N][D] [M] via (x,y)=Samp(x)y.
Proposition:
Samp (,) averaging samplerT [M] |LIST(T,(T)+)|N
Comparison
Object
Interpretation Decoding Problem
list-decodable
codes
(x,y) =
(y,Enc(x)y)
T = {(y,ry)}
q, constant,
) |LIST(T,1/q+)| K M,D=O(n), K=nO(1)
samplers
(x,y) =
Samp(x)y
|LIST(T,(T)+)| N
• T [M]
• LIST(T,)={x[N] : Pry[(x,y)T] > }
Std. Parameters
n=O(m+log(1/)),K=N
D=O((1/2)log(1/)).
• : [N][D] [M]
• N=2n,D=2d,…
EXPANDER GRAPHS
(Bipartite) Expander Graphs
N
M
“(K,A) expander”
S, |S| K
Goals:
• Minimize D
• Maximize A
• Maximize K
• [Minimize M]
D
Classic Params:
• M=N
• D, A > 1 constants.
• K = N /2
|Nbrs(S)| A¢|S|
Example:
• [N]=[M]=Fp
• Nbrs(x)=
{x+1,x-1,x-1}
List-Decoding View of Expanders
N
M
“(K,A) expander”
S, |S| K
D
|(S)| A¢ K
• Given G, let (x,y) = y’th neighbor of x.
• Prop: G is a (K,A) expander iff
Tµ [M] of size < AK, we have |LIST(T,1)| < |T|/A.
Comparison
Object
Interpretation Decoding Problem
list-decodable
codes
(x,y) =
(y,Enc(x)y)
T = {(y,ry)}
q, constant,
) |LIST(T,1/q+)| K M,D=O(n), K=nO(1)
samplers
(x,y) =
Samp(x)y
|LIST(T,(T)+)| N
n=O(m+log(1/)),K=N
expanders
(x,y) =
y’th nbr of x
|T| < AK
) |LIST(T,1)| < |T|/A
M=N, D=O(1), A>1
K=(N)
• T [M]
• LIST(T,)={x[N] : Pry[(x,y)T] > }
Std. Parameters
D=O((1/2)log(1/)).
• : [N][D] [M]
• N=2n,D=2d,…
PSEUDORANDOM
GENERATORS
Pseudorandom Generators
d-bit seed
G
m bits that “look random”
• looks random: for every “computationally feasible” test
T : {0,1}m{0,1}, |Pry[T(G(y))=1]-Prz[T(z)=1]| .
• computationally feasible: computable by a circuit of size t,
or, equivalently, a time t algorithm with t bits of advice.
• useful for cryptography, derandomizing probabilistic
algorithms
PRG Constructions
• Q: Do efficiently computable PRGs exist?
Open! Requires proving NP P, or at least EXPBPP.
• Instead show: if there are sufficiently hard functions (say
in EXP), then efficient PRGs exist.
Black-box PRG Constructions
f:
{0,1}l
RwT
:
{0,1}
{0,1}l
{0,1}
construction
reduction
Gf : {0,1}d {0,1}m
test T : {0,1}m {0,1}
w/ k-bit advice w
Def: G is a (t,k,) black-box PRG construction if R s.t.
• f T s.t. Pry[T(Gf(y))=1] > Prz[T(z)=1] +
w {0,1}k s.t. RwT computes f everywhere.
• R is computable in time t with oracle access to T.
Prop: if f can’t be computed by circuits of size s, then Gf is
-pseudorandom vs. circuits of size s/t
Black-box PRG Constructions
f:
{0,1}l
RwT
:
{0,1}
{0,1}l
{0,1}
construction
reduction
Gf : {0,1}d {0,1}m
test T : {0,1}m {0,1}
w/ k-bit advice w
Def: G is a (t,k,) black-box PRG construction if R s.t.
• f T s.t. Pry[T(Gf(y))=1] > Prz[T(z)=1] +
w {0,1}k s.t. RwT computes f everywhere.
• R is computable in time t with oracle access to T.
Common parameters:
• t=k=m=1/[lc, 2l/c] for arbitrarily large constant c, d=O(l).
PRGs in the Framework
f:
{0,1}l
RwT
:
{0,1}
{0,1}l
{0,1}
construction
reduction
Gf : {0,1}d {0,1}m
test T : {0,1}m {0,1}
w/ k-bit advice w
Take n=2l and define (f,y) = Gf(y)
Proposition:
G an (,k,) PRG const. T [M] |LIST(T,(T)+)|K.
Proof: fLIST(T,(T)+) Pry[T(Gf(y))=1]>Prz[T(z)=1]+
K such f’s they can be named with k bits of advice
PRGs in the Framework
f:
{0,1}l
RwT
:
{0,1}
{0,1}l
{0,1}
construction
reduction
Gf : {0,1}d {0,1}m
test T : {0,1}m {0,1}
w/ k-bit advice w
Q: What about efficient reductions?
A: Analogous to efficient “local list decoding”: compute each bit
of the “message” f using few queries to “received word” T.
Comparison
Object
Interpretation Decoding Problem
list-decodable
codes
(x,y) =
(y,Enc(x)y)
T = {(y,ry)}
q, constant,
) |LIST(T,1/q+)| K M,D=O(n), K=nO(1)
samplers
(x,y) =
Samp(x)y
|LIST(T,(T)+)| N
n=O(m+log(1/)),K=N
expanders
(x,y) =
y’th nbr of x
|T| < AK
) |LIST(T,1)| < |T|/A
M=N, D=O(1), A>1
K=(N)
pseudorandom (f,y)=Gf(y)
generators
Std. Parameters
D=O((1/2)log(1/)).
|LIST(T,(T)+)| K
m=1/[nc,N1/c],
+ “local list-decoding” D=poly(n), k=poly(m)
• T [M]
• LIST(T,)={x[N] : Pry[(x,y)T] > }
• : [N][D] [M]
• N=2n,D=2d,…
Comparison
Object
Interpretation Decoding Problem
list-decodable
codes
(x,y) =
(y,Enc(x)y)
T = {(y,ry)}
q, constant,
) |LIST(T,1/q+)| K M,D=O(n), K=nO(1)
samplers
(x,y) =
Samp(x)y
|LIST(T,(T)+)| N
n=O(m+log(1/)),K=N
expanders
(x,y) =
y’th nbr of x
|T| < AK
) |LIST(T,1)| < |T|/A
M=N, D=O(1), A>1
K=(N)
pseudorandom (f,y)=Gf(y)
generators
randomness
extractors
hardness
amplifiers
Std. Parameters
D=O((1/2)log(1/)).
|LIST(T,(T)+)| K
m=1/[nc,N1/c],
+ “local list-decoding” D=poly(n), k=poly(m)
(x,y) =
Ext(x,y)
|LIST(T,(T)+)| K
(f,y)=
(y,Ampf(y))
T = {(y,ry)}
q constant, M,D=O(n).
) |LIST(T,1/q+)| K k=poly(n/)
+ “local list-decoding”
D=poly(n/), k=O(m)
Conclusions
• Many pseudorandom objects are almost equivalent.
• Each brings different intuition, techniques, parameters.
• Open: single construction : [N] [D] [M] optimal for all?
– For every T [M], [0,1], |LIST(T,)| f(|T|,) for f as small as
possible.
– (x,y) = (y,)
– poly-time computable
– Efficient local list-decoding
• For more information, see proceedings and
http://seas.harvard.edu/~salil/pseudorandomness