Notes for Lecture 14 v0.9

Similar documents
Notes for Lecture 15

Notes for Lecture 7. 1 Increasing the Stretch of Pseudorandom Generators

CS294: Pseudorandomness and Combinatorial Constructions September 13, Notes for Lecture 5

Stanford University CS254: Computational Complexity Handout 8 Luca Trevisan 4/21/2010

Notes for Lecture 2. Statement of the PCP Theorem and Constraint Satisfaction

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 1/29/2002. Notes for Lecture 3

Notes for Lecture 25

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Goldreich-Levin Hardcore Predicate. Lecture 28: List Decoding Hadamard Code and Goldreich-L

Lecture 24: Goldreich-Levin Hardcore Predicate. Goldreich-Levin Hardcore Predicate

Notes for Lecture 25

Lecture 5: Derandomization (Part II)

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Some notes on streaming algorithms continued

COS598D Lecture 3 Pseudorandom generators from one-way functions

1 Randomized Computation

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

Sublinear Algorithms Lecture 3

Notes for Lecture 14

1 Computational Problems

A list-decodable code with local encoding and decoding

Lecture 1: January 16

Notes for Lecture 18

Randomness and Computation March 13, Lecture 3

Complete Classification of Bilinear Hard-Core Functions

U.C. Berkeley CS294: Beyond Worst-Case Analysis Handout 3 Luca Trevisan August 31, 2017

Notes for Lecture 11

Lecture 8: Linearity and Assignment Testing

Lower Bounds for Testing Bipartiteness in Dense Graphs

Highly resilient correctors for polynomials

Lecture 4: Elementary Quantum Algorithms

Tolerant Versus Intolerant Testing for Boolean Properties

Lecture 23: Analysis of Boolean Functions

On Pseudorandomness w.r.t Deterministic Observers

1 Estimating Frequency Moments in Streams

Tolerant Versus Intolerant Testing for Boolean Properties

Lecture 9 - One Way Permutations

6.842 Randomness and Computation Lecture 5

Last time, we described a pseudorandom generator that stretched its truly random input by one. If f is ( 1 2

Pseudorandom Generators

Lecture 8 (Notes) 1. The book Computational Complexity: A Modern Approach by Sanjeev Arora and Boaz Barak;

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 9/6/2004. Notes for Lecture 3

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan August 30, Notes for Lecture 1

Lecture 5. 1 Review (Pairwise Independence and Derandomization)

How many rounds can Random Selection handle?

Introduction to Cryptography

Self-Testing Polynomial Functions Efficiently and over Rational Domains

Notes for Lecture 3... x 4

Notes on Zero Knowledge

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Notes for Lecture Notes 2

The Indistinguishability of the XOR of k permutations

Notes on Space-Bounded Complexity

Pseudorandom Generators

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

On Uniform Amplification of Hardness in NP

Where do pseudo-random generators come from?

Lecture 7: ɛ-biased and almost k-wise independent spaces

Notes on Space-Bounded Complexity

The Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions

Lecture 5: Two-point Sampling

CS 151 Complexity Theory Spring Solution Set 5

Lecture 3: Randomness in Computation

Separating Models of Learning from Correlated and Uncorrelated Data

Poly-logarithmic independence fools AC 0 circuits

A Self-Tester for Linear Functions over the Integers with an Elementary Proof of Correctness

Lecture Introduction. 2 Formal Definition. CS CTT Current Topics in Theoretical CS Oct 30, 2012

Pseudorandom Generators

Uniform Direct Product Theorems: Simplified, Optimized, and Derandomized

Homework 7 Solutions

CS369E: Communication Complexity (for Algorithm Designers) Lecture #8: Lower Bounds in Property Testing

Notes on Complexity Theory Last updated: December, Lecture 27

On Worst-Case to Average-Case Reductions for NP Problems

Testing Low-Degree Polynomials over GF (2)

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 4: Hashing and Streaming Algorithms

An Efficient Discrete Log Pseudo Random Generator

1 Cryptographic hash functions

: On the P vs. BPP problem. 30/12/2016 Lecture 12

CS Communication Complexity: Applications and New Directions

Extractors using hardness amplification

Very Sparse Random Projections

Notes for Lecture 17

CS 598CSC: Algorithms for Big Data Lecture date: Sept 11, 2014

CSE525: Randomized Algorithms and Probabilistic Analysis April 2, Lecture 1

Lecture 2: Program Obfuscation - II April 1, 2009

U.C. Berkeley CS294: Beyond Worst-Case Analysis Handout 2 Luca Trevisan August 29, 2017

Computer Science Dept.

DD2448 Foundations of Cryptography Lecture 3

Lecture 4: Two-point Sampling, Coupon Collector s problem

1 Cryptographic hash functions

Tutorial: Locally decodable codes. UT Austin

On the Power of the Randomized Iterate

Lecture 3 Sept. 4, 2014

On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited

Building Assignment Testers DRAFT

1 Nisan-Wigderson pseudorandom generator

1 Introduction The relation between randomized computations with one-sided error and randomized computations with two-sided error is one of the most i

Notes for Lecture 27

The security of all bits using list decoding

Transcription:

U.C. Berkeley CS27: Computational Complexity Handout N14 v0.9 Professor Luca Trevisan 10/25/2002 Notes for Lecture 14 v0.9 These notes are in a draft version. Please give me any comments you may have, because this will help me revise them. Today we will prove the Goldreich-Levin theorem: Theorem 1 If f : {0, 1} n {0, 1} n is a one-way permutation then B(x, r) = x r = i x ir i (mod 2) is a hardcore predicate for f (x, r) = f(x), r. In other words, given only f(x) and r it is hard to compute x r. The asymptotic version of the Theorem follows from the following finite version, that we state directly in the counterpositive direction. Theorem 2 Let f : {0, 1} n {0, 1} n be a bijection computable by a circuit of size t, and suppose that there is a circuit C of size S such that Pr x,r C(f(x), r) = x r] 1 2 + ɛ Then there is a circuit C of size O((S + t) poly(n, 1/ɛ)) such that Pr x C (f(x)) = x] ɛ 4 In turn, Theorem 2 follows from the existence of the following algorithm. Lemma 3 There is a probabilistic algorithm that, given a parameter ɛ and oracle access to a function g : {0, 1} n {0, 1}, runs in time O(n 2 ɛ 4 log n), makes O(nɛ 4 log n) oracle accesses, and outputs a list of O(1/ɛ 2 ) elements of {0, 1} n. If x is such that Pr r B(r) = x r] 1 2 + ɛ, then there is a probability at least 1/2 that x is in the output list. 1 Proof of Theorem 2 Using Lemma 3 From the assumption that Pr x,r C(f(x), r) = x r] 1 2 + ɛ it follows that Pr x Pr r C(f(x), r) = x r] 1 2 + ɛ ] ɛ 2 2 Let us call an x such that Pr r C(f(x), r) = x r] 1/2 + ɛ/2 a good x, and, for a given x, let us denote by B x the function defined as B x (r) = C(f(x), r). 1

For a good x, if we apply the algorithm of Lemma 3 to the function B x with parameter ɛ/2, we obtain a list that, with probability at least 1/2, contains x. Consider now the following algorithm: given a string y, define B(r) := C(y, r) and run the algorithm of Lemma 3 with function B() and parameter ɛ/2. Once the algorithm outputs a list x 1, x 2,..., x O(1/ɛ2), compute f(x i ) for each i, and output the x i such that f(x i ) = y, if any. If we pick x at random and give f(x) to the above algorithm, there is a probability at least ɛ/2 that x is good and, if so, there is a probability at least 1/2 that x is in the list. Therefore, there is a probability at least ɛ/4 that the algorithm inverts f(), where the probability is over the choices of x and over the internal randomness of the algorithm. In particular, there is a fixed choice of the internal randomness of the algorithm that results in inverting f() on an ɛ/4 fraction of the inputs. Finally, we convert the algorithm into a circuit, and the resulting circuit is C. 2 Proof of Lemma 3 2.1 A Special Case First We start by considering the simpler case in which we are given oracle access to a function B() such that Pr r B(r) = x r] 7/ and we want to find x. If we denote by e i the vector that has a 1 in the i-th coordinate and 0s in other coordinate, we see that x i = x e i. Furthermore, for every r, we have x i = x (r e i ) x r because of the linearity of the operator and of the fact that r r is the all zero vector. Consider now the process of picking a random r and computing B(r e i ) B(r). Except with probability at most 1/, B(r e i ) = x (r e i ) and, except with probability at most 1/, B(r) = x r. Therefore, with probability at least 3/4, This suggests the following algorithm: B(r e i ) B(r) = x (r e i ) x r = x i Algorithm A 7 : for i := 1 to n do pick k = O(log n) random elements r 1,..., r k {0, 1} n compute: B(r 1 e 1 ) B(r 1 ) B(r 2 e 2 ) B(r 2 ). B(r k e n ) g(r n ) assign to x i the value occurring in the majority of these computations return x To analyze the algorithm, note that, for a particular value of i, we expect to get the right value of x i in a fraction 3/4 of the k trials, and the algorithm derives the correct value of 2

x i provided that more than half of the k trials are correct. Then, by a Chernoff bound, the probability of estimating x i incorrectly is e Ω(k). We can then choose k = O(log n) and make sure that the error probability is at most, say, 1/100n, and hence we conclude that the output of the algorithm is correcgt with probability at least 99/100. We note that the running time of this program is O(n 2 k) = O(n 2 log n) and that it makes O(nk) = O(n log n) oracle accesses. 2.2 The General Case Consider now the general case. We are given an oracle B() such that B(r) = x r for an 1/2 + ɛ fraction of the r. Our goal will be to use B() to simulate an oracle that has agreement 7/ with x r, so that we can use the algorithm of the previous section to find x. We perform this reduction by guessing the value of x r at a few points. We first choose t random points r 1... r t {0, 1} n where t = O(1/ɛ 2 ). For the moment, let us suppose that we have magically obtained the values x r 1,..., x r k. Then define B (r) as the majority value of: x r j B(r r j ) j = 1, 2,..., t (1) For each j, the above expression equals x r with probability at least 1 2 + ɛ (over the choices of r j ) and by choosing t = O(1/ɛ 2 ) we can ensure that Pr r,r 1,...,r t B (r) = x r ] 31 32. (2) from which it follows that Pr r 1,...,r k Pr r B (r) = x r ] 7 ] Consider the following algorithm. Algorithm GL-First-Attempt: pick r 1,..., r t {0, 1} k where t = O(1/ɛ 2 ) for all b 1,..., b t {0, 1} define B b 1...b t (r) as majority of: b j B(r r j ) apply Algorithm A 7 to B b 1...b t add result to list 3 4. (3) The idea behind this program is that we do not in fact know the values x r j, but we can guess them by considering all choices for the bits b j. If B(r) agrees with x r for at least a 1/2 + ɛ fraction of the rs, then there is a probability at least 3/4 that in one of the iteration we invoke algorithm A 7 with a simulated oracle that has agreement 7/ with x r. Therefore, the final list contains x with probability at least 3/4 1/100 > 1/2. The obvious problem with this algorithm is that its running time is exponential in t = O(1/ɛ 2 ) and the resulting list may also be exponentially larger than the O(1/ɛ 2 ) bound promised by the Lemma. To overcome these problems, consider the following similar algorithm. 3

Algorithm GL: pick r 1,..., r l {0, 1} k where l = log O(1/ɛ 2 ) define r S := j S rj for each non-empty S {1,..., l} for all b 1,..., b l {0, 1} define b S := j S b j for each non-empty S {1,..., l} define B b 1...b l (r) as majority over non-empty S {1,..., l} of b S B(r r S ) run Algorithm A 7 with oracle B b 1...b l add result to list Let us now see why this algorithm works. First we define, for any nonempty S {1,..., l}, r S = j S rj. Then, since r 1,..., r l {0, 1} k are random, it follows that for any S T, r S and r T are independent and uniformly distributed. Now consider an x such that x r and B(r) agree on a 1 2 + ɛ fraction of the values of r. Then for the choice of {b j} where b j = x r j for all j, we have that b S = x r S for every non-empty S. In such a case, for every S and every r, there is a probability at least 1 2 + ɛ, over the choices of the rj that b S B(r r S ) = x r, and these events are pair-wise independent. Note the following simple lemma. Lemma 4 Let R 1,..., R t be a set of pairwise independent 0 1 random variables, each of which is 1 with probability at least 1 2 + ɛ. Then Pr i R i t/2] 1 1 4ɛ 2 t. Proof: Let R = R 1 + + R t. The variance of a 0/1 random variable is at most 1/4, and, because of pairwise independence, VarR] = VarR 1 +... + R t ] = i VarR i] t/4. We then have PrR t/2] Pr R ER] ɛt] VarR] ɛ 2 t 2 1 4ɛ 2 t Lemma 4 allows us to upper-bound the probability that the majority operation used to compute B gives the wrong answer. Combining this with our earlier observation that the {r S } are pairwise independent, we see that choosing l = 2 log 1/ɛ + O(1) suffices to ensure that B b 1...b l (r) and x r have agreement at least 7/ with probability at least 3/4. Thus we can use Algorithm A 7 to obtain x with high probability. Choosing l as above ensures that the list generated is of length at most 2 l = O(1/ɛ 2 ) and the running time is then O(ɛ 4 n 2 log n) with O(ɛ 4 n log n) oracle accesses, due to the O(1/ɛ 2 ) iterations of Algorithm A 7, that makes O(n log n) oracle accesses, and to the fact that one evaluation of B () requires O(1/ɛ 2 ) evaluations of B(). 4

3 References The results of this lecture are from GL9]. Goldreich and Levin initially presented a different proof. They credit the proof with pairwise independence to Rackoff. Algorithm is due to Blum, Luby and Rubinfeld BLR93]. The use of Algorithm GL-First-Attempt A 7 as a motivating example might be new to these notes. (Or, actually, to the Fall 2001 notes for this class.) References BLR93] M. Blum, M. Luby, and R. Rubinfeld. Self-testing/correcting with applications to numerical problems. Journal of Computer and System Sciences, 47(3):549 595, 1993. Preliminary version in Proc. of STOC 90. 5 GL9] O. Goldreich and L. Levin. A hard-core predicate for all one-way functions. In Proceedings of the 21st ACM Symposium on Theory of Computing, pages 25 32, 199. 5 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback