CS151 Complexity Theory Lecture 8 April 22, 2015.

51
CS151 Complexity Theory Lecture 8 April 22, 2015
  • date post

    21-Dec-2015
  • Category

    Documents

  • view

    216
  • download

    0

Transcript of CS151 Complexity Theory Lecture 8 April 22, 2015.

Page 1: CS151 Complexity Theory Lecture 8 April 22, 2015.

CS151Complexity Theory

Lecture 8

April 22, 2015

Page 2: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 2

Blum-Micali-Yao PRG

• Initial goal: for all 1 > δ > 0, we will build a family of PRGs Gm with:output length m fooling size s = mseed length t = mδ running time mc

error ε < 1/6

• implies: BPP δ>0 TIME(2nδ ) ( EXP

• Why? simulation runs in time

O(m+mc)(2mδ)

= O(2m2δ

) = O(2n2kδ)

Page 3: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 3

First attempt

• attempt at PRG from OWP f:– t = mδ

– y0 0,1t

– yi = ft(yi-1)

– G(y0) = yk-1yk-2yk-3…y0

– k = m/t

• computable in time at most ktc < mtc-1 = mc

Page 4: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 4

First attempt

• output is “unpredictable”:– no poly-size circuit C can output yi-1 given

yk-1yk-2yk-3…yi with non-negl. success prob.

– if C could, then given yi can compute yk-1, yk-2, …, yi+2, yi+1 and feed to C

– result is poly-size circuit to compute

yi-1 = ft-1(yi) from yi

– note: we’re using that ft is 1-1

Page 5: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 5

First attempt

attempt:• y0 0,1t

• yi = ft(yi-1)

• G(y0) =

yk-1yk-2yk-3…y0

y0y1y2y3y4y5

ftftftftft

G(y0):

y0y1y2y3y4y5

ft-1ftft

G’(y3):

ft-1ft

-1

same distribution!

Page 6: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 6

First attempt

• one problem:– hard to compute yi-1 from yi

– but might be easy to compute single bit (or several bits) of yi-1 from yi

– could use to build small circuit C that distinguishes G’s output from uniform distribution on 0,1m

Page 7: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 7

First attempt

• second problem

– we don’t know if “unpredictability” given a prefix is sufficient to meet fooling requirement:

|Pry[C(y) = 1] – Prz[C(G(z)) = 1]| ≤ ε

Page 8: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 8

Hard bits

• If fn is one-way permutation we know:

– no poly-size circuit can compute fn-1(y) from y with

non-negligible success probability

Pry[Cn(y) = fn-1(y)] ≤ ε’(n)

• We want to identify a single bit position j for which:– no poly-size circuit can compute (fn

-1(x))j from x with non-negligible advantage over a coin flip

Pry[Cn(y) = (fn-1(y))j] ≤ ½ + ε(n)

Page 9: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 9

Hard bits

• For some specific functions f we know of such a bit position j

• More general:

function hn:0,1n 0,1

rather than just a bit position j.

Page 10: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 10

Hard bits

Definition: hard bit for g = gn is family h = hn, hn:0,1n 0,1 such that if circuit family Cn of size s(n) achieves:

Prx[Cn(x) = hn(gn(x))] ≥ ½ + ε(n)

then there is a circuit family C’n of size s’(n) that achieves:

Prx[C’n(x) = gn(x)] ≥ ε’(n)

with:– ε’(n) = (ε(n)/n)O(1)

– s’(n) = (s(n)n/ε(n))O(1)

Page 11: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 11

Goldreich-Levin

• To get a generic hard bit, first need to modify our one-way permutation

• Define f’n :0,1n x 0,1n 0,12n as:

f’n(x,y) = (fn(x), y)

Page 12: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 12

Goldreich-Levin

• Two observations:– f’ is a permutation if f is

– if circuit Cn achieves

Prx,y[Cn(x,y) = f’n-1(x,y)] ≥ ε(n)

then for some y*

Prx[Cn(x,y*)=f’n-1(x,y*)=(fn-1(x), y*)] ≥ ε(n)

and so f’ is a one-way permutation if f is.

f’n(x,y) = (fn(x), y)

Page 13: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 13

Goldreich-Levin

• The Goldreich-Levin function:

GL2n : 0,1n x 0,1n 0,1

is defined by:

GL2n (x,y) = i:yi = 1xi

– parity of subset of bits of x selected by 1’s of y– inner-product of n-vectors x and y in GF(2)

Theorem (G-L): for every function f, GL is a hard bit for f’. (proof: problem set)

Page 14: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 14

Distinguishers and predictors

• Distribution D on 0,1n

• D ε-passes statistical tests of size s if for all circuits of size s:

|PryUn[C(y) = 1] – Pry D[C(y) = 1]| ≤ ε

– circuit violating this is sometimes called an efficient “distinguisher”

Page 15: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 15

Distinguishers and predictors

• D ε-passes prediction tests of size s if for all circuits of size s:

PryD[C(y1,2,…,i-1) = yi] ≤ ½ + ε

– circuit violating this is sometimes called an efficient “predictor”

• predictor seems stronger

• Yao showed essentially the same!– important result and proof (“hybrid argument”)

Page 16: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 16

Distinguishers and predictors

Theorem (Yao): if a distribution D on 0,1n (ε/n)-passes all prediction tests of size s, then it ε-passes all statistical tests of size s’ = s – O(n).

Page 17: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 17

Distinguishers and predictors

• Proof:– idea: proof by contradiction– given a size s’ distinguisher C:

|PryUn[C(y) = 1] – Pry D[C(y) = 1]| > ε

– produce size s predictor P:

PryD[P(y1,2,…,i-1) = yi] > ½ + ε/n

– work with distributions that are “hybrids” of the uniform distribution Un and D

Page 18: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 18

Distinguishers and predictors

– given a size s’ distinguisher C:

|PryUn[C(y) = 1] – Pry D[C(y) = 1]| > ε

– define n+1 hybrid distributions

– hybrid distribution Di:

• sample b = b1b2…bn from D

• sample r = r1r2…rn from Un

• output:

b1b2…bi ri+1ri+2…rn

Page 19: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 19

Distinguishers and predictors

• Hybrid distributions:

D0 = Un:

Dn = D:

Di-1:

Di:

.

.

. ...

.

.

. ...

Page 20: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 20

Distinguishers and predictors

– Define: pi = PryDi[C(y) = 1]

– Note: p0=PryUn[C(y)=1]; pn=PryD[C(y)=1]

– by assumption: ε < |pn – p0|

– triangle inequality: |pn – p0| ≤ Σ1 ≤ i ≤ n|pi – pi-1|

– there must be some i for which

|pi – pi-1| > ε/n

– WLOG assume pi – pi-1 > ε/n

• can invert output of C if necessary

Page 21: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 21

Distinguishers and predictors

– define distribution Di’ to be Di with i-th bit flipped

– pi’ = PryDi’[C(y) = 1]

– notice:

Di-1 = (Di + Di’ )/2 pi-1 = (pi + pi’ )/2

Di-1:

Di:

Di’:

Page 22: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 22

Distinguishers and predictors

• randomized predictor P’ for ith bit:– input: u = y1y2…yi-1 (which comes from D)

– flip a coin: d 0,1

– w = wi+1wi+2…wn Un-i

– evaluate C(udw) – if 1, output d; if 0, output d

Claim:

Pry D,d,w Un-i[P’(y1…i-1) = yi] > ½ + ε/n.

Page 23: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 23

Distinguishers and predictors

• P’ is randomized procedure

• there must be some fixing of its random bits d, w that preserves the success prob.

• final predictor P has d* and w* hardwired:

C

may need to add gate

d*

w*

circuit for P:

Size is

s’ + O(n) = s

as promised

Page 24: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 24

Distinguishers and predictors

• Proof of claim:Pry D,d,w Un-i

[P’(y1…i-1) = yi] =

Pr[yi = d | C(u,d,w) = 1]Pr[C(u,d,w) = 1]

+ Pr[yi = d | C(u,d,w) = 0]Pr[C(u,d,w) = 0]

= Pr[yi = d | C(u,d,w) = 1](pi-1)

+ Pr[yi = d | C(u,d,w) = 0](1 - pi-1)

u = y1y2…yi-1

Page 25: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 25

Distinguishers and predictors

– Observe:Pr[yi = d | C(u,d,w) = 1]

= Pr[C(u,d,w) = 1 | yi = d]Pr[yi=d] / Pr[C(u,d,w) = 1]

= pi/(2pi-1)

Pr[yi = d | C(u,d,w) = 0]

= Pr[C(u,d,w) = 0 | yi= d]Pr[yi=d] / Pr[C(u,d,w) = 0]

= (1 – pi’) / 2(1 - pi-1)

Di-1

Di

Di’

u = y1y2…yi-1

Page 26: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 26

Distinguishers and predictors

• Success probability:Pr[yi=d|C(u,d,w)=1](pi-1) + Pr[yi=d|C(u,d,w)=0](1-pi-1)

• We know:– Pr[yi = d | C(u,d,w) = 1] = pi/(2pi-1)– Pr[yi = d | C(u,d,w) = 0] = (1 - pi’)/2(1 - pi-1)– pi-1 = (pi + pi’)/2– pi – pi-1 > ε/n

• Conclude:Pr[P’(y1…i-1) = yi] = ½ + (pi - pi’)/2

= ½ + pi/2 – (pi-1 – pi/2) = ½ + pi – pi-1 > ½ + ε/n.

pi’/2 = pi-1 – pi/2

Page 27: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 27

The BMY Generator

• Recall goal: for all 1 > δ > 0, family of PRGs Gm withoutput length m fooling size s = mseed length t = mδ running time mc

error ε < 1/6

• If one way permutations exist then WLOG there is OWP f = fn with hard bit h = hn

Page 28: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 28

The BMY Generator

• Generator Gδ = Gδm:

– t = mδ

– y0 0,1t

– yi = ft(yi-1)

– bi = ht(yi)

– Gδ(y0) = bm-1bm-2bm-3…b0

Page 29: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 29

The BMY Generator

Theorem (BMY): for every δ > 0, there is a constant c s.t. for all d, e, Gδ is a PRG with

error ε < 1/md

fooling size s = me

running time mc

• Note: stronger than we needed– sufficient to have ε < 1/6; s = m

Page 30: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 30

The BMY Generator

• Proof:– computable in time at most

mtc < mc+1

– assume Gδ does not (1/md)-pass statistical test C = Cm of size me:

|PryUm[C(y) = 1] – PrzD[C(z) = 1]| >1/md

Generator Gδ = Gδm:

–t = mδ; y0 0,1t; yi = ft(yi-1); bi = ht(yi)

–Gδm(y0) = bm-1bm-2bm-3…b0

Page 31: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 31

The BMY Generator

– transform this distinguisher into a predictor P of size me + O(m):

Pry[P(bm-1…bm-i) = bm-i-1] > ½ + 1/md+1

Generator Gδ = Gδm:

–t = mδ; y0 0,1t; yi = ft(yi-1); bi = ht(yi)

–Gδm(y0) = bm-1bm-2bm-3…b0

Page 32: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 32

The BMY Generator

– a procedure to compute ht(ft-1(y))

• set ym-i = y; bm-i = ht(ym-i)• compute yj, bj for j = m-i+1, m-i+2…, m-1 as above• evaluate P(bm-1bm-2…bm-i)• f a permutation implies bm-1bm-2…bm-i distributed as

(prefix of) output of generator:

Pry[P(bm-1bm-2…bm-i) = bm-i-1] > ½ + 1/md+1

Generator Gδ = Gδm:

–t = mδ; y0 0,1t; yi = ft(yi-1); bi = ht(yi)

–Gδm(y0) = bm-1bm-2bm-3…b0

Page 33: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 33

The BMY Generator

Pry[P(bm-1bm-2…bm-i) = bm-i-1] > ½ + 1/md+1

– What is bm-i-1?

bm-i-1 = ht(ym-i-1) = ht(ft-1(ym-i)) = ht(ft

-1(y))

– We have described a family of polynomial-size circuits that computes ht(ft

-1(y)) from y with success greater than ½ + 1/poly(m)

– Contradiction.

Generator Gδ = Gδm:

–t = mδ; y0 0,1t; yi = ft(yi-1); bi = ht(yi)

–Gδm(y0) = bm-1bm-2bm-3…b0

Page 34: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 34

The BMY Generator

y0y1y2y3y4y5

ftftftftft

G(y0):

y0y1y2y3y4y5

ft-1ftft

G’(y3):

ft-1ft

-1

b0b1b2b3b4b5

b0b1b2b3b4b5

same distribution

Page 35: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 35

Hardness vs. randomness

• We have shown:

If one-way permutations exist then

BPP δ>0 TIME(2nδ ) ( EXP

• simulation is better than brute force, but just barely

• stronger assumptions on difficulty of inverting OWF lead to better simulations…

Page 36: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 36

Hardness vs. randomness

• We will show:

If E requires exponential size circuits then BPP = P

by building a different generator from different assumptions.

E = kDTIME(2kn)

Page 37: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 37

Hardness vs. randomness

• BMY: for every δ > 0, Gδ is a PRG withseed length t = mδ

output length merror ε < 1/md (all d)

fooling size s = me (all e)running time mc

• running time of simulation dominated by 2t

Page 38: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 38

Hardness vs. randomness

• To get BPP = P, would need t = O(log m)

• BMY building block is one-way-permutation:

f:0,1t → 0,1t

• required to fool circuits of size me (all e)

• with these settings a circuit has time to invert f by brute force!

can’t get BPP = P with this type of PRG

Page 39: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 39

Hardness vs. randomness

• BMY pseudo-random generator:– one generator fooling all poly-size bounds– one-way-permutation is hard function– implies hard function in NP coNP

• New idea (Nisan-Wigderson): – for each poly-size bound, one generator– hard function allowed to be in

E = kDTIME(2kn)

Page 40: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 40

Comparison

BMY: 8 δ > 0 PRG Gδ NW: PRG G

seed length t = mδ t = O(log m)running time tcm mc

output length m m error ε < 1/md (all d) ε < 1/mfooling size s = me (all e) s = m

<< >

Page 41: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 41

NW PRG

• NW: for fixed constant δ, G = Gn withseed length t = O(log n) t = O(log m)running time nc mc

output length m = nδ merror ε < 1/mfooling size s = m

• Using this PRG we obtain BPP = P– to fool size nk use G

nk/δ

– running time O(nk + nck/δ)2t = poly(n)

Page 42: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 42

NW PRG• First attempt: build PRG assuming E

contains unapproximable functions

Definition: The function family

f = fn, fn:0,1n 0,1

is s(n)-unapproximable if for every family of size s(n) circuits Cn:

Prx[Cn(x) = fn(x)] ≤ ½ + 1/s(n).

Page 43: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 43

One bit

• Suppose f = fn is s(n)-unapproximable, for s(n) = 2Ω(n), and in E

• a “1-bit” generator family G = Gn:

Gn(y) = yflog n(y)

• Idea: if not a PRG then exists a predictor that computes flog n with better than ½ + 1/s(log n) agreement; contradiction.

Page 44: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 44

One bit

• Suppose f = fn is s(n)-unapproximable, for s(n) = 2δn, and in E

• a “1-bit” generator family G = Gn:

Gn(y) = yflog n(y)

– seed length t = log n– output length m = log n + 1 (want nδ )– fooling size s s(log n) = nδ – running time nc

– error ε 1/s(log n) = 1/nδ

Page 45: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 45

Many bits

• Try outputting many evaluations of f:G(y) = f(b1(y))f(b2(y))…f(bm(y))

• Seems that a predictor must evaluate f(bi(y)) to predict i-th bit

• Does this work?

Page 46: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 46

Many bits

• Try outputting many evaluations of f:G(y) = f(b1(y))f(b2(y))…f(bm(y))

• predictor might notice correlations without having to compute f

• but, more subtle argument works for a specific choice of b1…bm

Page 47: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 47

Nearly-Disjoint Subsets

Definition: S1,S2,…,Sm 1…t is an (h, a) design if– for all i, |Si| = h

– for all i ≠ j, |Si Sj| ≤ a

1..t

S1

S2

S3

Page 48: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 48

Nearly-Disjoint Subsets

Lemma: for every ε > 0 and m < n can in poly(n) time construct an

(h = log n, a = εlog n) design

S1,S2,…,Sm 1…t with t = O(log n).

Page 49: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 49

Nearly-Disjoint Subsets

• Proof sketch: – pick random (log n)-subset of 1…t– set t = O(log n) so that expected overlap with

a fixed Si is εlog n/2

– probability overlap with Si is > εlog n is at most 1/n

– union bound: some subset has required small overlap with all Si picked so far…

– find it by exhaustive search; repeat n times.

Page 50: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 50

The NW generator

• f E s(n)-unapproximable, for s(n) = 2δn

• S1,…,Sm 1…t (log n, a = δlog n/3) design with t = O(log n)

Gn(y)=flog n(y|S1)flog n(y|S2

)…flog n(y|Sm)

010100101111101010111001010

flog n:

seed y

Page 51: CS151 Complexity Theory Lecture 8 April 22, 2015.

April 22, 2015 51

The NW generator

Theorem (Nisan-Wigderson): G=Gn is a pseudo-random generator with:

– seed length t = O(log n)– output length m = nδ/3

– running time nc

– fooling size s = m– error ε = 1/m