
6. Pseudorandom Generator

8.1 Introduction

One of the biggest open questions in computer science is the derandomization of BPP algorithms, that is, does P = BPP? One way to resolve this question is the following two-step process: 1) First show that the number of random bits used by any BPP algorithm can be reduced from poly(n) to O(log n). 2) Then eliminate the randomness entirely by enumeration (trying all $2^{O(\log n)} = \mathrm{poly}(n)$ choices of the random bits). So our goal here is to find a function whose output looks random rather than being perfectly random.

8.2 Formal discussion

So we would like to have a function G that stretches a seed of d = O(log n) truly random bits into m = poly(n) bits that look random. Such a function is called a pseudorandom generator. The question is how we can formalize the requirement that the output should look random in such a way that (a) the output can be used in place of the truly random bits in any BPP algorithm, and (b) such a generator really exists. So let us analyse in detail what this really means.

8.2.1 What does look random mean?

There are three possible answers, from three different perspectives. Let us see them first.

1) Information-theoretic measures: entropy, statistical difference from the uniform distribution. These cannot help here, since a deterministic function does not increase the entropy from log n to n.

2) Kolmogorov complexity: A string x looks random if it is incompressible (cannot be generated by a Turing machine with a description of length less than |x|). This notion makes sense when we talk about a fixed string (rather than a distribution). Unfortunately, it is not suitable for our purposes. Specifically, if the function G is computable (which we certainly want) then all of its outputs have Kolmogorov complexity d = O(log n) (just hardwire the seed into the TM computing G), and hence are very compressible.

3) Computational indistinguishability: This is the measure we will use. Intuitively, we say that a random variable X looks random if no efficient algorithm can distinguish X from a truly uniform random variable. Another perspective comes from the definition of statistical difference, which we saw in Randomness Extractors.

8.2.2 Computational Indistinguishability

We shall start with nonuniform algorithms and ultimately talk about circuits. So first let us see what we mean by a nonuniform algorithm.

Definition (Nonuniform Complexity Class): Let $\mathcal{C}$ be a class of languages and $a : \mathbb{N} \to \mathbb{N}$ be a function. Then $\mathcal{C}/a$ is the class of languages defined as follows: $L \in \mathcal{C}/a$ if there exists $L' \in \mathcal{C}$ and $\alpha_1, \alpha_2, \ldots \in \{0,1\}^*$ with $|\alpha_n| \le a(n)$, such that $x \in L \iff (x, \alpha_{|x|}) \in L'$. These $\alpha$'s are called advice strings.

If an algorithm runs in time t we require that the advice string is of length at most t. Typically, to make sense of complexity measures like running time, it is necessary to use asymptotic notions, because a Turing machine can encode a huge lookup table for inputs of any bounded size in its transition function. However, for nonuniform algorithms we can avoid doing so by using Boolean circuits as our nonuniform model of computation. Every nonuniform Turing machine algorithm running in time t(n) can be simulated by a sequence of Boolean circuits $C_n$ of size O(t(n)), and conversely every sequence of Boolean circuits of size s(n) can be simulated by a nonuniform Turing machine running in time O(s(n)). Thus, to make our notation cleaner, from now on, by a nonuniform algorithm running in time t we mean a Boolean circuit of size t, where we measure the size by the number of AND and OR gates in the circuit.

Definition 1 (Computational Indistinguishability, nonuniform algorithm version): Random variables X and Y taking values in $\{0,1\}^m$ are $(t, \varepsilon)$-indistinguishable if for every nonuniform algorithm T running in time at most t we have
$$|\Pr[T(X) = 1] - \Pr[T(Y) = 1]| \le \varepsilon.$$

Equivalent circuit version of the above definition:

Definition 2 (Computational Indistinguishability, circuit version): Random variables X and Y taking values in $\{0,1\}^m$ are $(s, \varepsilon)$-indistinguishable if for every circuit T of size at most s we have
$$|\Pr[T(X) = 1] - \Pr[T(Y) = 1]| \le \varepsilon.$$

8.2.3 PRG Definition

Definition 1 (Blum-Micali version, Next Bit Prediction Test): Let $G : \{0,1\}^n \to \{0,1\}^{l(n)}$ with $l(n) \gg n$, that is, G takes a seed of length n and generates a string of length l(n). G is called an $(s, \varepsilon)$-Pseudorandom Generator for a circuit class $\mathcal{C}$ of size s if for each i and for all circuits $A \in \mathcal{C}$ the following holds:
$$\Big|\Pr[A(G(x)_{\{1,\ldots,i-1\}}) = G(x)_i] - \frac{1}{2}\Big| \le \varepsilon.$$

Definition 2 (Yao definition, Distinguisher Test): A function $G : \{0,1\}^n \to \{0,1\}^{l(n)}$ is an $(s, \varepsilon)$-PRG for a class of circuits $\mathcal{C}$ of size s if for all $A \in \mathcal{C}$ the following holds:
$$\Big|\Pr_{y \in \{0,1\}^n}[A(G(y)) = 1] - \Pr_{x \in \{0,1\}^{l(n)}}[A(x) = 1]\Big| \le \varepsilon.$$

8.2.4 Equivalence of Next Bit Predictor and Distinguisher Test

Before discussing anything else, let us see what happens if we sample two random variables multiple times and compare the indistinguishability of the resulting tuples.

Indistinguishability of multiple samples. Proposition: If random variables X and Y are $(t, \varepsilon)$-indistinguishable, then for every $k \in \mathbb{N}$, $X^k$ and $Y^k$ are $(t, k\varepsilon)$-indistinguishable (where $X^k$ denotes k independent copies of X).

Proof: We prove it by a contrapositive argument. If there is an efficient algorithm T distinguishing $X^k$ and $Y^k$ with advantage greater than $k\varepsilon$, then there is an efficient algorithm T' distinguishing X and Y with advantage greater than $\varepsilon$. Here we need to preserve efficiency when going from T to T'; the algorithm T' will naturally use T as a subroutine. Suppose that there exists a nonuniform time-t algorithm T such that
$$|\Pr[T(X^k) = 1] - \Pr[T(Y^k) = 1]| > k\varepsilon.$$
We can drop the absolute value in the above expression without loss of generality (otherwise we replace T with its negation; recall that negations are free in our measure of circuit size). Now we use a hybrid argument. Consider the hybrid distributions $H_i = X^{k-i} Y^i$ for $i = 0, \ldots, k$. Note that $H_0 = X^k$ and $H_k = Y^k$. Then
$$\sum_{i=1}^{k} \big(\Pr[T(H_{i-1}) = 1] - \Pr[T(H_i) = 1]\big) > k\varepsilon$$
since the sum telescopes. Thus there must exist some $i \in [k]$ such that $\Pr[T(H_{i-1}) = 1] - \Pr[T(H_i) = 1] > \varepsilon$, i.e.
$$\Pr[T(X^{k-i}\, X\, Y^{i-1}) = 1] - \Pr[T(X^{k-i}\, Y\, Y^{i-1}) = 1] > \varepsilon.$$
By averaging, there exist some $x_1, \ldots, x_{k-i}$ and $y_{k-i+2}, \ldots, y_k$ such that
$$\Pr[T(x_1, \ldots, x_{k-i}, X, y_{k-i+2}, \ldots, y_k) = 1] - \Pr[T(x_1, \ldots, x_{k-i}, Y, y_{k-i+2}, \ldots, y_k) = 1] > \varepsilon.$$

Then define $T'(z) = T(x_1, \ldots, x_{k-i}, z, y_{k-i+2}, \ldots, y_k)$. Note that T' is a nonuniform algorithm with the advice $i, x_1, \ldots, x_{k-i}, y_{k-i+2}, \ldots, y_k$ hardwired in. Hardwiring these inputs costs nothing in terms of circuit size. Thus T' is a nonuniform time-t algorithm such that $\Pr[T'(X) = 1] - \Pr[T'(Y) = 1] > \varepsilon$, contradicting the fact that X and Y are $(t, \varepsilon)$-indistinguishable.

Theorem (Yao): The above two definitions of PRG are equivalent: PRG $\iff$ Next Bit Unpredictability.

Proof: Clearly we need to show both directions. But before proving this, let us see what we mean by a Distinguisher (Pseudorandom Detector) and a Next Bit Predictor.

Definition (Distinguisher): If there exists a circuit $F \in \mathcal{C}$ of size s such that, for X uniform on $\{0,1\}^n$ and U uniform on $\{0,1\}^{l(n)}$,
$$|\Pr[F(G(X)) = 1] - \Pr[F(U) = 1]| \ge \varepsilon, \qquad \ldots(1)$$
then F is a Distinguisher (Pseudorandom Detector). That is, F can distinguish strings generated by a function of the form $G : \{0,1\}^n \to \{0,1\}^{l(n)}$ from perfectly random strings of length l(n) with high probability. Without loss of generality we can write equation (1) as
$$\Pr[F(G(X)) = 1] - \Pr[F(U) = 1] \ge \varepsilon. \qquad \ldots(2)$$
Now, since $\Pr[F(U) = 1] = \frac{1}{2}$, we can write equation (2) as
$$\Pr[F(G(X)) = 1] \ge \frac{1}{2} + \varepsilon. \qquad \ldots(3)$$

Definition (Next Bit Predictor): If there exists a circuit $B \in \mathcal{C}$ of size s and an $i \in \{1, \ldots, l(n)\}$ such that, writing $G(X) = Y_1 \ldots Y_{i-1} Y_i \ldots Y_{l(n)}$ (X uniformly distributed on $\{0,1\}^n$),
$$\Pr[B(Y_1 Y_2 \ldots Y_{i-1}, i) = Y_i] \ge \frac{1}{2} + \varepsilon, \qquad \ldots(4)$$
then B is a next bit predictor. That is, there exists an i such that B can predict the i-th bit of a string generated by G with high probability (provided it already knows the first (i−1) bits generated by G).

Part 1 (PRG $\Rightarrow$ Next Bit Unpredictable): Actually we will prove the contrapositive of the above implication, that is, Next Bit Predictor $\Rightarrow$ Distinguisher. So let us assume that there exists a Next Bit Predictor B. Our goal is to show that there exists an F satisfying equation (3). We do that by a reduction.

Algorithm (F):
(1) Take a string generated by G, say $Y_1 \ldots Y_{l(n)}$.
(2) Pick i uniformly at random from $1, \ldots, l(n)$.
(3) If $B(Y_1 \ldots Y_{i-1}, i) = Y_i$ output 1 (meaning "output of G"), else output 0.

So clearly from the algorithm $B(Y_1 \ldots Y_{i-1}, i) = Y_i \iff F(Y_1 \ldots Y_{l(n)}) = 1$, hence
$$\Pr[B(Y_1 \ldots Y_{i-1}, i) = Y_i] = \Pr[F(Y_1 \ldots Y_{l(n)}) = 1].$$
Now
$$\frac{1}{2} + \varepsilon \le \Pr[B(Y_1 \ldots Y_{i-1}, i) = Y_i] = \Pr[F(Y_1 \ldots Y_{l(n)}) = 1],$$
so $\Pr[F(G(X)) = 1] \ge \frac{1}{2} + \varepsilon$, which is equation (3). That shows PRG $\Rightarrow$ Next Bit Unpredictable.
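The two reductions of this proof (Part 1 above, which turns a next-bit predictor into a distinguisher, and Part 2 below, which turns a distinguisher into a predictor through the hybrids $H_i$), carried out on a constructed toy generator as an added example that is not part of the original notes. toy_prg, predictor and distinguisher are assumed illustrative objects: toy_prg is deliberately predictable (a 4-bit seed extended by a linear recurrence), not a real PRG, and exact enumeration over all seeds and paddings confirms the Part 2 bound with equality, Pr[B correct] = 1/2 + δ/l(n), where δ is the advantage of F.

```python
from fractions import Fraction
from itertools import product
N, L = 4, 8  # toy sizes: seed length n = 4, output length l(n) = 8

def toy_prg(seed):
    # Constructed toy G (deliberately predictable): the seed, then y_i = y_{i-3} XOR y_{i-4}.
    y = list(seed)
    while len(y) < L:
        y.append(y[-3] ^ y[-4])
    return tuple(y)

def predictor(prefix, i):
    # Next-bit predictor B for toy_prg: past the seed apply the rule, otherwise guess 0.
    return prefix[i - 4] ^ prefix[i - 5] if i > N else 0

def distinguisher_from_predictor(y, i):
    # Part 1 reduction: F outputs 1 iff B's guess for bit i agrees with y_i.
    return int(predictor(y[:i - 1], i) == y[i - 1])

def distinguisher(y):
    # Distinguisher F for toy_prg: 1 iff every bit past the seed obeys the rule.
    return int(all(y[j] == y[j - 3] ^ y[j - 4] for j in range(N, L)))

def predictor_from_distinguisher(prefix, i, u):
    # Part 2 reduction: pad y_1..y_{i-1} with random u_i..u_l; output u_i if F = 1, else 1 - u_i.
    return u[0] if distinguisher(tuple(prefix) + tuple(u)) else 1 - u[0]

def advantage(F):
    # Pr[F(G(X)) = 1] - Pr[F(U) = 1], exact by enumerating every seed and every l-bit string.
    p_prg = Fraction(sum(F(toy_prg(s)) for s in product((0, 1), repeat=N)), 2 ** N)
    p_uni = Fraction(sum(F(u) for u in product((0, 1), repeat=L)), 2 ** L)
    return p_prg - p_uni

def part1_advantage():
    # F picks i uniformly from 1..l, so average the fixed-i distinguishers over i.
    return sum(advantage(lambda y, i=i: distinguisher_from_predictor(y, i))
               for i in range(1, L + 1)) / L

def part2_success():
    # Pr[B correct] over a uniform seed, uniform i in 1..l and uniform padding u.
    total = Fraction(0)
    for seed in product((0, 1), repeat=N):
        y = toy_prg(seed)
        for i in range(1, L + 1):
            for u in product((0, 1), repeat=L - i + 1):
                if predictor_from_distinguisher(y[:i - 1], i, u) == y[i - 1]:
                    total += Fraction(1, 2 ** N * L * 2 ** (L - i + 1))
    return total
```

For this toy, F has advantage 15/16, the Part 1 distinguisher built from B has advantage 1/4 (B is right on all four recurrence bits and guesses on the seed bits), and the Part 2 predictor succeeds with probability exactly 1/2 + (15/16)/8 = 79/128.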

Part 2 (Next Bit Unpredictable $\Rightarrow$ PRG): As in the other direction we show it by a contrapositive argument, that is, Distinguisher $\Rightarrow$ Next Bit Predictor. Let us assume we have a distinguisher F as defined above, and we want to show that there exists a B satisfying (4). To prove this we use hybrid distributions, which are sequences of pseudorandom and random bits:
$$H_i = Y_1 \ldots Y_i\, U_{i+1} \ldots U_{l(n)}.$$
Then $H_0 = U_1 \ldots U_{l(n)}$ and $H_{l(n)} = Y_1 \ldots Y_{l(n)}$. Let $p_i = \Pr[F(H_i) = 1]$.

Now we see the algorithm which reduces F to B.

Algorithm (B):
(1) Take a string generated by G, say $Y_1 \ldots Y_{l(n)}$; B is given the prefix $Y_1 \ldots Y_{i-1}$.
(2) Pick i uniformly at random from $1, \ldots, l(n)$.
(3) Uniformly pick $U_i \ldots U_{l(n)} \in \{0,1\}^{l(n)-i+1}$.
(4) If $F(Y_1 \ldots Y_{i-1} U_i \ldots U_{l(n)}) = 1$ output $U_i$, else output $\overline{U_i}$.

So we want to determine the probability that B is correct. B can be correct in two cases, depending on whether $Y_i$ equals $U_i$ or its complement. Using $\Pr[a] = \Pr[a \mid b]\Pr[b] + \Pr[a \mid \bar b]\Pr[\bar b]$,
$$\Pr[B \text{ correct}] = \Pr[B(Y_1 \ldots Y_{i-1}, i) = Y_i] = \Pr[B(\cdot) = Y_i \mid U_i = Y_i]\Pr[U_i = Y_i] + \Pr[B(\cdot) = Y_i \mid U_i \ne Y_i]\Pr[U_i \ne Y_i].$$
Now we replace these probabilities by probabilities about F, because F is what we know about. Replacing $U_i$ by $Y_i$,
$$\Pr[B(\cdot) = Y_i \mid U_i = Y_i] = \Pr[F(Y_1 \ldots Y_i\, U_{i+1} \ldots U_{l(n)}) = 1] = p_i,$$
and, replacing $U_i$ by $\overline{Y_i}$ (as $U_i \ne Y_i$),
$$\Pr[B(\cdot) = Y_i \mid U_i \ne Y_i] = \Pr[F(Y_1 \ldots Y_{i-1}\overline{Y_i}\, U_{i+1} \ldots U_{l(n)}) = 0] = 1 - q_i, \quad \text{where } q_i = \Pr[F(Y_1 \ldots Y_{i-1}\overline{Y_i}\, U_{i+1} \ldots U_{l(n)}) = 1].$$
Now $p_{i-1} = \frac{1}{2}(p_i + q_i)$, since the bit $U_i$ of $H_{i-1}$ equals $Y_i$ or $\overline{Y_i}$ with probability $\frac{1}{2}$ each. So
$$\Pr[B \text{ correct}] = \Pr[U_i = Y_i]\, p_i + \Pr[U_i \ne Y_i]\,(1 - q_i) = \frac{1}{2} + \frac{1}{2}(p_i - q_i) = \frac{1}{2} + (p_i - p_{i-1}).$$
Now $p_{l(n)} - p_0 \ge \varepsilon$ by the distinguisher inequality, and the differences $p_i - p_{i-1}$ telescope, so there exists an i such that $p_i - p_{i-1} \ge \varepsilon/l(n)$; this i is hardwired into the circuit. Putting the values of $p_i$ and $p_{i-1}$ into the expression above we get
$$\Pr[B \text{ correct}] \ge \frac{1}{2} + \frac{\varepsilon}{l(n)}.$$
Hence proved: Next Bit Unpredictable $\Rightarrow$ PRG.

8.2.5 Existence Proof of P

8.3 Explicit Construction

8.3.1 Nisan Wigderson Generator

Goal: We have access to a seed of length l(n). We want to build a PRG $G = \{G_n \mid G_n : \{0,1\}^{l(n)} \to \{0,1\}^n\}$ such that for any circuit C of size n,
$$\Big|\Pr_{r \in_u \{0,1\}^n}[C(r) = 1] - \Pr_{x \in_u \{0,1\}^{l(n)}}[C(G(x)) = 1]\Big| \le \frac{1}{n}.$$

Assumption: We have a function $f : \{0,1\}^m \to \{0,1\}$ which is $(n^3, \frac{1}{n^3})$-hard.

Algorithm:

Step 1 (Subset Construction):

Goal (nearly disjoint sets):
1. Form $\{S_1, \ldots, S_n\}$ where $S_i \subseteq \{1, \ldots, l\}$ for all $i \in [1, n]$.
2. $|S_i| = m$.
3. $|S_i \cap S_j| \le \log n$ for $i \ne j$.

Construction of the nearly disjoint sets (greedy method): Let $l = C \log n$ and $m = c \log n$. Pick $S_{i+1} \in \binom{[l]}{m}$ such that $|S_{i+1} \cap S_j| \le \log n$ for $1 \le j \le i$. So we need to prove that we do not get stuck in the above greedy method.

Let us see the probability of getting stuck at any one of the first i steps, for a uniformly random $S \in \binom{[l]}{m}$:
$$\Pr_{S}\big[|S \cap S_1| > \log n \text{ or } \ldots \text{ or } |S \cap S_i| > \log n\big] \le i \cdot \Pr_{S}\big[|S \cap S_1| > \log n\big]$$
using the union bound (the terms are symmetric). Let $k = \log n + 1$; the bound only grows with i, and $i \le n$, so it suffices to bound
$$n \cdot \Pr_S[|S \cap S_1| \ge k] \le n \cdot \frac{\binom{m}{k}\binom{l-k}{m-k}}{\binom{l}{m}}
= n \binom{m}{k} \cdot \frac{(l-k)!}{(m-k)!\,(l-m)!} \cdot \frac{m!\,(l-m)!}{l!}
= n \binom{m}{k} \cdot \frac{m(m-1)\cdots(m-k+1)}{l(l-1)\cdots(l-k+1)}
\le n \binom{m}{k} \Big(\frac{m}{l}\Big)^k.$$
With $m = c \log n$ and $l = C \log n$ this is
$$n \binom{c \log n}{\log n} \Big(\frac{c \log n}{C \log n}\Big)^{\log n} = n \binom{c \log n}{\log n} \Big(\frac{c}{C}\Big)^{\log n} \le n \cdot 2^{H(1/c)\, c \log n} \Big(\frac{c}{C}\Big)^{\log n}$$
[using the binary entropy function: $\binom{n}{\alpha n} \le 2^{H(\alpha)\, n}$]. Now choose C so that it dominates the other constants, which means the probability of the bad event can be made small: we need $c/C < 1$, i.e. $c < C$.

Step 2 (PRG Construction): Let the seed be represented by X, so $X = X_1 \ldots X_l$ where $X_i \in \{0,1\}$. Write
$$S_1 = \{i_{11}, \ldots, i_{m1}\},\; S_2 = \{i_{12}, \ldots, i_{m2}\},\; \ldots,\; S_n = \{i_{1n}, \ldots, i_{mn}\},$$
$$X|_{S_1} = x_{i_{11}} \ldots x_{i_{m1}},\; X|_{S_2} = x_{i_{12}} \ldots x_{i_{m2}},\; \ldots$$
and define
$$G(x) = f(X|_{S_1}) \ldots f(X|_{S_n}),$$
i.e. $G(x) = Y_1 \ldots Y_n$ with $Y_i = f(X|_{S_i})$ for $1 \le i \le n$.

Claim: G is a PRG.

Proof: By contradiction. So let
$$\Big|\Pr_{r \in_u \{0,1\}^n}[C(r) = 1] - \Pr_{x \in_u \{0,1\}^{l(n)}}[C(G(x)) = 1]\Big| \ge \frac{1}{n}.$$
Clearly, from the equivalence proof of PRG and Next Bit Unpredictability, there exists a predictor F which can predict the i-th bit with probability
$$\Pr[F(Y_1 \ldots Y_{i-1}) = Y_i] \ge \frac{1}{2} + \frac{\varepsilon}{n} = \frac{1}{2} + \frac{1}{n^2} \quad (\text{here } \varepsilon = \tfrac{1}{n}).$$
We can write the above inequality as
$$\Pr[F(f(x|_{S_1}) \ldots f(x|_{S_{i-1}})) = f(x|_{S_i})] \ge \frac{1}{2} + \frac{1}{n^2}.$$

That means the predictor can compute $f(x|_{S_i})$ with probability $\frac{1}{2} + \frac{1}{n^2}$ if it is provided with the values $f(x|_{S_j})$ for $j < i$. To compute those values we can fix (by averaging) the bits of x outside $S_i$. Now here is the interesting thing: we do not even need to see all the bits of $x|_{S_j}$ to compute $f(x|_{S_j})$ for $j < i$. Our ultimate goal is to compute $f(x|_{S_i})$ from the other values, and by the definition of nearly disjoint sets $x|_{S_j}$ and $x|_{S_i}$ share at most $\log n$ bits for all $j < i$. So only these $\log n$ bits matter for computing $f(x|_{S_j})$, and the remaining $(m - \log n)$ bits are fixed. To compute a function of $\log n$ bits we need a circuit of size at most $n \log n$. The maximum value of i is n. So the total circuit size needed to compute $f(x|_{S_i})$ is at most $n \log n\,(n-1) + n = O(n^2) < O(n^3)$. That is a contradiction to our assumption that f is $(n^3, \frac{1}{n^3})$-hard.
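Steps 1 and 2 of the Nisan-Wigderson construction in code, as an added example that is not part of the original notes: greedy_design is the greedy method for the nearly disjoint family, is_nearly_disjoint checks goals 1 to 3, and nw_generator computes $G(x) = f(x|_{S_1}) \ldots f(x|_{S_n})$. The parameters in toy_instance and the stand-in function majority are assumptions for illustration; majority is not a hard function, it only shows how f is wired to the seed.

```python
from itertools import combinations

def greedy_design(n, l, m, overlap):
    # Step 1, greedy method: scan the m-subsets of {0..l-1} in order and keep a candidate
    # only if it meets every earlier set in at most `overlap` points.
    sets = []
    for cand in combinations(range(l), m):
        c = frozenset(cand)
        if all(len(c & s) <= overlap for s in sets):
            sets.append(c)
            if len(sets) == n:
                return sets
    return None  # the greedy method got stuck (the notes bound the probability of this)

def is_nearly_disjoint(sets, l, m, overlap):
    # Goals 1-3 of Step 1: S_i subset of [l], |S_i| = m, |S_i ∩ S_j| <= overlap for i != j.
    universe = frozenset(range(l))
    return (all(s <= universe and len(s) == m for s in sets)
            and all(len(a & b) <= overlap for a, b in combinations(sets, 2)))

def nw_generator(f, design, seed):
    # Step 2: G(x) = f(x|S_1) ... f(x|S_n), where x|S_i is the seed restricted to S_i.
    return tuple(f(tuple(seed[j] for j in sorted(s))) for s in design)

def majority(bits):
    # Stand-in for the assumed hard function f (majority is NOT (n^3, 1/n^3)-hard;
    # it only shows the wiring of the construction).
    return int(2 * sum(bits) > len(bits))

def toy_instance():
    # Constructed parameters: n = 8 output bits from an l = 16 bit seed with m = 4.
    # The notes allow overlap log n = 3, which is trivial at this size, so use 1.
    n, l, m, overlap = 8, 16, 4, 1
    design = greedy_design(n, l, m, overlap)
    seed = (1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1)  # constructed seed x
    return design, nw_generator(majority, design, seed)
```

With these parameters the greedy scan finds all 8 sets (every pair shares at most one seed position), and the constructed seed yields the output (1, 0, 1, 0, 1, 0, 0, 0).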

8.4 List Decoding Framework

Before giving the formal definition of black-box hardness amplification, let us formally define the following things.

$\mathcal{F} = \{f \mid f : [n] \to \{0,1\}\}$

$\mathcal{B} = \{T \mid T : [M] \to \{0,1\}\}$

G: an oracle algorithm computing a function in $\mathcal{B}$. The oracle is from $\mathcal{F}$. For oracle f, denote the function $G^f$.

Red: an oracle algorithm with advice, computing a function in $\mathcal{F}$. The oracle is from $\mathcal{B}$. For oracle r and advice z, denote the function $\mathrm{Red}^r(z)$.

$\varepsilon$-far: $T \in \mathcal{B}$ is $\varepsilon$-far from $G^f : [D] \to [M]$ if
$$\Pr[T(G^f(U_{[D]})) = 1] - \Pr[T(U_{[M]}) = 1] \ge \varepsilon.$$

8.4.1 Definition (Black Box PRG Construction):

Amp is a $(t, k, \varepsilon)$-black-box hardness amplifier if there exists a Red running in time t such that for every T in $\mathcal{B}$ and every f in $\mathcal{F}$, if T is $\varepsilon$-far from $\mathrm{Amp}^f$ then there is an advice string z of length at most k such that $\mathrm{Red}^T(z) = f$.

Thus if there exists a T in $\mathcal{B}$ for which $G^f(U_{[D]})$ and $U_{[M]}$ are easily distinguishable, then f is an easily computable function. Equivalently, for every f in $\mathcal{F}$, if f is hard to compute, then for every T in $\mathcal{B}$, $U_{[M]}$ and $G^f(U_{[D]})$ are hard to differentiate.

8.4.2 Proposition:

If Amp is a $(t, k, \varepsilon)$-black-box hardness amplifier and f is $(s, 0)$-hard, then $G^f$ is an $(s/O(t), \varepsilon)$-pseudorandom generator.

8.4.3 List Decoding Framework

Now let us put black-box hardness amplification in our common framework. Given $G^f : [D] \to [M]$ with oracle $f : [n] \to \{0,1\}$, we can define $\Gamma : [N] \times [D] \to [M]$ by
$$\Gamma(f, y) = (y, G^f(y)) \qquad \ldots(1)$$
where $N = 2^n$ and we view [N] as consisting of all boolean functions on [n]. Just as for list-decodable codes, the second input y is a prefix of the output.

8.5 Application of PRG

PRGs are one of the main tools of derandomization. Blum, Micali and Yao were the first to propose PRGs based on one-way functions. But this PRG completely depends on the existence of

