Derandomizing Approximation Algorithms for Hard Counting Problems

Michael Luby
International Computer Science Institute, Berkeley, CA
and University of California at Berkeley

TR-95-069
December 1995

Research supported in part by National Science Foundation operating grants CCR-9304722 and NCR-9416101, and United States-Israel Binational Science Foundation grant No. 92-00226.

1 Introduction

This paper is a (biased) survey of some work in derandomization of randomized algorithms.
Perhaps the most famous open problem in Computer Science is whether or not NP is equal to P, i.e., are efficient nondeterministic algorithms more powerful than efficient deterministic algorithms? An analogous question is whether or not RP is equal to P, i.e., are efficient randomized algorithms more powerful than efficient deterministic algorithms?

These two questions are formally quite similar, as the only difference between the definitions of NP and RP is that for an NP language L there is only required to be one witness for each x ∈ L, whereas for RP a constant fraction of strings are required to be witnesses. Nevertheless, it is my belief that NP is more powerful than P, and on the other hand that RP is equal to P. Paradoxically, there is some hope that an eventual proof that NP is not equal to P will be strong enough to also show that RP is equal to P.

Definition (function ensemble): Let f : {0,1}^t(n) → {0,1}^ℓ(n) denote a function ensemble, where t(n) and ℓ(n) are polynomial in n and where f, with respect to n, is a function mapping {0,1}^t(n) to {0,1}^ℓ(n). ♦

Definition (P-time function ensemble): Call f : {0,1}^t(n) × {0,1}^ℓ(n) → {0,1}^m(n) a T(n)-time function ensemble if f is a function ensemble and there is a Turing machine such that, for all x ∈ {0,1}^t(n) and all y ∈ {0,1}^ℓ(n), f(x,y) is computable in time T(n). Call f a P-time function ensemble if T(n) = n^O(1). ♦

Definition (language): Let L : {0,1}^n → {0,1} be a function ensemble. One can view L as a language, where, for all x ∈ {0,1}^n, x ∈ L if L(x) = 1 and x ∉ L if L(x) = 0. ♦

In the following, definitions of a variety of complexity classes are made with respect to a language L as just defined.

Definition (P): Say that L ∈ P if L is a P-time function ensemble. ♦

Definition (NP): Say that L ∈ NP if there is a P-time function ensemble f : {0,1}^n × {0,1}^ℓ(n) → {0,1} such that for all x ∈ {0,1}^n,
  x ∈ L implies Pr_{Y∈U{0,1}^ℓ(n)}[f(x,Y) = 1] > 0;
  x ∉ L implies Pr_{Y∈U{0,1}^ℓ(n)}[f(x,Y) = 1] = 0. ♦

Definition (RP): Say that L ∈ RP if there is a constant ε > 0 and a P-time function ensemble f : {0,1}^n × {0,1}^ℓ(n) → {0,1} such that for all x ∈ {0,1}^n,
  x ∈ L implies Pr_{Y∈U{0,1}^ℓ(n)}[f(x,Y) = 1] ≥ ε;
  x ∉ L implies Pr_{Y∈U{0,1}^ℓ(n)}[f(x,Y) = 1] = 0. ♦
There are a few philosophical reasons to want to show that RP = P, e.g., does randomization help in the general context of efficient computation? There are also some practical reasons: in practice, if one uses a Monte Carlo algorithm then there should be great concern about where the source of random bits comes from. What one typically does in practice is to take a very small number of random bits and stretch them into a large number of bits using a simple pseudorandom generator, e.g., a linear congruential generator, and then use these bits as the source of randomness for the Monte Carlo simulation. The problem is that there is no guarantee that these pseudorandom bits are random enough to make the Monte Carlo simulation behave as if they were truly random. Sometimes this turns out to be good enough in practice, sometimes it has turned out not to be good enough, and in many cases the answer is not known. One of the motivations behind the work on derandomization of randomized algorithms is to put this entire question on a much firmer scientific footing, i.e., to be able to say authoritatively which pseudorandom generators can be provably used for which Monte Carlo algorithms.

1.1 Randomness and Pseudorandomness

The notion of randomness tests for a string evolved over time: from set-theoretic tests to enumerable [24, Kolmogorov], recursive, and finally limited time tests. There were some preliminary works that helped motivate the concept of a pseudorandom generator, including
[38, Shamir].

[9, Blum and Micali] introduces the fundamental concept of a pseudorandom generator that is useful for cryptographic (and other) applications, and gave it the significance it has today by providing the first provable construction of a pseudorandom generator based on the conjectured difficulty of a well-known and well-studied computational problem, the discrete log problem. [41, Yao] introduces the now standard definition of a pseudorandom generator, and shows an equivalence between this definition and the next bit test introduced in [9, Blum and Micali]. The standard definition of a pseudorandom generator introduced by [41, Yao] is based on the fundamental concept of computational indistinguishability introduced previously in [18, Goldwasser and Micali]. [41, Yao] also shows how to construct a pseudorandom generator from any one-way permutation.

Another important observation of [41, Yao] is that a pseudorandom generator can be used to reduce the number of random bits needed by any probabilistic polynomial time algorithm, and this shows how to perform a deterministic simulation of any polynomial time probabilistic algorithm in subexponential time based on a pseudorandom generator. The results on deterministic simulation were subsequently generalized in [10, Boppana and Hirschfeld].

The robust notion of a pseudorandom generator, due to [9, Blum and Micali] and [41, Yao], should be contrasted with the classical methods of generating random looking bits as described in, e.g., [23, Knuth]. In studies of classical methods, the output of the generator is considered good if it passes a particular set of standard statistical tests. The linear congruential generator is an example of a classical method for generating random looking bits that passes a variety of standard statistical tests. However, [11, Boyar] and [25, Krawczyk] show that there is a polynomial time statistical test which the output from this generator
does not pass.

2 Circuits

A convenient way to view computation is via boolean circuits.

Definition (C_{ℓ(n)}^{d(n),s(n)}): For all n ∈ N, let C_{ℓ(n)}^{d(n),s(n)} be the set of all circuits with ℓ(n) boolean input variables x = (x_1, ..., x_{ℓ(n)}), of depth d(n), with a total of at most s(n) gates. A circuit C ∈ C_{ℓ(n)}^{d(n),s(n)} consists of "and"-gates and "or"-gates, where each gate is allowed unbounded fan-in. C consists of d(n) levels of gates, where all gates at a given level are of the same type. All the gates at level 1 have as inputs any mixture of variables and their negations. For all i ∈ {2, ..., d(n)}, all gates at level i receive their inputs from the gates at level i − 1. The set of gates at level d(n) are considered to be the output of C. ♦

For example, let f : {0,1}^n × {0,1}^ℓ(n) → {0,1} be the P-time function ensemble associated with an RP language L. One can think of f as a family of boolean circuits as follows. For each n, there are 2^n circuits in the family with ℓ(n)-bit inputs, one circuit for each of the 2^n possible values of x ∈ {0,1}^n. The circuit C_x associated with the input x computes the value of f(x,y) on input y ∈ {0,1}^ℓ(n). The circuit C_x can be derived from the description of f and from x. Since f is a P-time function ensemble, without loss of generality one can say that C_x consists of at most a polynomial number p(n) of alternating levels of "and" and "or" gates, with a single output gate at the bottom level. The property that C_x has is that if x ∈ L then Pr_Y[C_x(Y) = 1] ≥ 1/2 and if x ∉ L then Pr_Y[C_x(Y) = 1] = 0, where Y ∈_R {0,1}^ℓ(n). One can view this circuit family for L as a subfamily of C_{ℓ(n)}^{p(n),p(n)}.

In terms of circuits, the approach to derandomization explored in this survey is to
construct a pseudorandom generator g that can be used as the source of randomness for all C ∈ C. This approach was initiated by [9, Blum and Micali] and [41, Yao].

Definition (ε-pseudorandom generator for a circuit family C): Let g : {0,1}^r(n) → {0,1}^n be a P-time function ensemble, where r(n) < n. Let C be an infinite family of circuits, and let C ∈ C be a circuit with n inputs. The distinguishing probability of C for g is

  δ = |Pr[C(Y) = 1] − Pr[C(g(Z)) = 1]|,

where Y ∈_R {0,1}^n and Z ∈_R {0,1}^r(n), in which case g is said to ε-approximate C for any ε > δ. Say that g is an ε-pseudorandom generator for C if g ε-approximates C for all C ∈ C. Say that C has time-success ratio S(n) for g if the minimum over all circuits C ∈ C with n inputs of the ratio of the number of gates in C divided by the distinguishing probability of
C is at least S(n). ♦

Given g, the derandomization for the RP circuit family described above is straightforward: for any x ∈ {0,1}^n, one can approximate the fraction of the 2^ℓ(n) inputs on which C_x outputs 1 as follows. Let g : {0,1}^r(n) → {0,1}^ℓ(n) be a 1/2-pseudorandom generator for C_{ℓ(n)}^{p(n),p(n)}. For all z ∈ {0,1}^r(n), compute C_x(g(z)), and if any of the answers is 1 then conclude that x ∈ L, and otherwise conclude that x ∉ L. Note that by the properties of g this procedure is guaranteed to correctly classify x with respect to membership in L.
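To make the enumeration pattern of this procedure concrete, here is a minimal Python sketch. Everything in it is illustrative: the "circuit" C_x, the toy generator g, and all parameters are invented for the example, and g is certainly not a real pseudorandom generator (so, unlike a true 1/2-pseudorandom generator, it can miss witnesses).

```python
from itertools import product

ELL = 8   # witness length ell(n)
R = 4     # seed length r(n)

def C_x(x, y_bits):
    """Toy stand-in for the circuit C_x: accept iff the integer encoded by
    y_bits is a nontrivial divisor of x (a 'witness' that x is composite)."""
    y = int("".join(map(str, y_bits)), 2)
    return 1 if 2 <= y < x and x % y == 0 else 0

def g(z_bits):
    """Toy stand-in for the generator: stretch R seed bits to ELL output bits
    by appending the bitwise complement of the seed."""
    return list(z_bits) + [1 - b for b in z_bits]

def derandomized_decide(x):
    """Accept x iff C_x(g(z)) = 1 for some seed z: 2**R deterministic
    evaluations instead of sampling from all 2**ELL witness candidates."""
    return any(C_x(x, g(z)) == 1 for z in product([0, 1], repeat=R))

print(derandomized_decide(30))  # seed (0,0,0,0) yields 00001111 = 15, and 15 divides 30 -> True
```

With r(n) = O(log n) the loop over seeds has only polynomially many iterations, which is the point of the derandomization described above.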
The smaller r(n) is in relationship to n, the stronger the pseudorandom generator g. For example, if r(n) is O(log(n)) then the entire procedure runs in deterministic polynomial time, showing that RP = P.

One way to view the above approach is to find a small set S of ℓ(n)-bit strings such
that the average value of C_x(y) over y ∈ S is close to the average value of C_x(y) over all y ∈ {0,1}^ℓ(n). In the above, S can be viewed as the set {g(z) : z ∈ {0,1}^r(n)}. The other important ingredient in the derandomization is that the set S can be efficiently enumerated. This is true in the above approach because g is a P-time function ensemble, and thus S can be enumerated simply by sequencing through all z ∈ {0,1}^r(n) and computing g(z).

Suppose one is only interested in the property that S be small, and drops the (crucial)
requirement that S be easy to enumerate. Then it is not hard to see that there is such a small set S. To see this, suppose that one chooses randomly a set S of size n + 1. If x ∉ L then, independent of S, x is correctly classified. On the other hand, if x ∈ L, then x is incorrectly classified with probability at most 2^−(n+1). Since there are at most 2^n such x, the probability that there is an x ∈ {0,1}^n that is incorrectly classified is at most 1/2. Thus, there is a set S of size n + 1 that correctly classifies all x ∈ {0,1}^n with respect to membership in L. This is the approach that [1, Adleman] took to show that RP ⊆ P/poly, i.e., in a non-uniform sense randomization is no more powerful than deterministic computation. The problem with this approach is that there is no clue of how to efficiently generate the set S in deterministic polynomial time. Thus, the uniform version of the "RP = P?" question is far from resolved.

3 Derandomizing Particular Algorithms

In some applications, the goal is to completely derandomize the algorithm to produce a
deterministic solution. However, in other cases the basic goal is only to drastically reduce the number of random bits used by the randomized algorithm, e.g., reduce from O(n) bits to O(log(n)) bits. The philosophical and practical import of this is that it is hard in practice to produce high quality independent random bits at a high rate.

3.1 Pairwise Independence

One of the key ideas in derandomizing randomized algorithms is the observation that sometimes a randomized algorithm works just as well if there is not full independence between the random variables. One special but important case is when pairwise independence between the random variables suffices.

Consider a set of random variables indexed by a set U, i.e., {Z_i : i ∈ U}, where Z_i ∈ T.
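Before the formal definition below, the distinction between pairwise and full independence can be checked numerically. The following sketch (our illustration, not part of the original text) builds three {0,1}-valued random variables from two fair bits: the two bits themselves and their parity. Every pair of them is independent, yet the three together are not.

```python
from itertools import product

# Sample space: two fair bits (a, b); define Z1 = a, Z2 = b, Z3 = a XOR b.
space = [(a, b, a ^ b) for a, b in product([0, 1], repeat=2)]

def pr(event):
    """Probability of an event under the uniform distribution on the space."""
    return sum(1 for pt in space if event(pt)) / len(space)

# Pairwise independence: for every pair of variables and pair of values,
# the joint probability factors into the product of the marginals.
for i, j in [(0, 1), (0, 2), (1, 2)]:
    for a, b in product([0, 1], repeat=2):
        joint = pr(lambda pt: pt[i] == a and pt[j] == b)
        assert joint == pr(lambda pt: pt[i] == a) * pr(lambda pt: pt[j] == b)

# Not mutually independent: Z3 is determined by Z1 and Z2.
assert pr(lambda pt: pt == (1, 1, 1)) == 0.0   # would be 1/8 if independent
print("pairwise independent, but not mutually independent")
```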
For finite t = |T|, the uniform distribution assigns Pr[Z_x = α] = 1/t, for all x ∈ U, α ∈ T. If this distribution were furthermore pairwise independent, one would have: for all x ≠ y ∈ U, for all α, β ∈ T,

  Pr[Z_x = α, Z_y = β] = Pr[Z_x = α] · Pr[Z_y = β] = 1/t².

This is not the same as complete independence, as evidenced by the following set of three pairwise-independent variables (U = {1,2,3}, T = {0,1}, t = 2), where each of the four rows is equally likely:

   s    Z_1  Z_2  Z_3
  00     0    0    0
  01     0    1    1
  10     1    0    1
  11     1    1    0

Each row s can be thought of as a function h_s : U → T. Let S be the index set for these functions, where in this case S = {0,1}². For all x ≠ y ∈ U, for all α, β ∈ T,

  Pr_{s∈U S}[h_s(x) = α ∧ h_s(y) = β] = 1/4 = 1/t².

(Notice in particular that Pr_{s∈U S}[h_s(x) = h_s(y)] = 1/2 = 1/t.) Any set of functions satisfying this condition is a 2-universal family of hash functions.

Definitions and explicit constructions of 2-universal hash functions were first given by
[40, Carter and Wegman]. One simple way to construct a general family of hash functions mapping {0,1}^n → {0,1}^n is to let S = {0,1}^n × {0,1}^n, and then for all s = (a,b) ∈ S, for all x ∈ {0,1}^n define h_s(x) = ax + b, where the arithmetic operations are with respect to the finite field GF[2^n]. Thus, each h_s maps {0,1}^n → {0,1}^n and S is the index set of the hash functions. For each s = (a,b) ∈ S, one can write:

  ( h_s(x) )   ( x  1 ) ( a )
  ( h_s(y) ) = ( y  1 ) ( b )

When x ≠ y, the matrix is nonsingular, so that for any x, y ∈ {0,1}^n, the pair (h_s(x), h_s(y)) takes on all 2^{2n} possible values as s varies over all of S. Thus if s is chosen uniformly at random from S, then (h_s(x), h_s(y)) is also uniformly distributed.

One can view S as the set of points in a sample space on the set of random variables {Z_x :
x ∈ {0,1}^n}, where Z_x(s) = h_s(x) for all s ∈ S. With respect to the uniform distribution on S, these random variables are pairwise independent, i.e., for all x ≠ y ∈ {0,1}^n, for all α, β ∈ {0,1}^n,

  Pr_{s∈U S}[Z_x(s) = α ∧ Z_y(s) = β] = Pr_{s∈U S}[Z_x(s) = α] · Pr_{s∈U S}[Z_y(s) = β] = 1/2^{2n}.

To obtain a hash function that maps to k < n bits, one can still use S as the function index family: the value of the hash function indexed by s on input x is obtained by computing h_s(x) and using the first k bits. The important properties of these hash functions are:

• Pairwise independence.

• Succinctness: each function can be described as a 2n-bit string. Therefore, randomly picking a function index requires only 2n random bits.

• The function h_s(x) can easily be computed (in LOGSPACE, for instance) given the function index s and the input x.

In the sequel, unless otherwise specified, references to pairwise independent hash functions refer to this construction, and S denotes the set of indices for the hash family.

3.2 Applications to Particular Algorithms

The original applications described in [40, Carter and Wegman] were applications to hashing. Subsequently, 2-universal hashing has been applied in surprising ways to a rich variety of problems. For a survey of some of these applications, see [31, Luby and Wigderson].

Consider, for example, the MAXCUT problem: given a graph G = (V,E), find a two-coloring of the vertices χ : V → {0,1} so as to maximize c(χ) = |{(x,y) ∈ E : χ(x) ≠ χ(y)}|. The following is a description of a solution to this problem that is guaranteed to produce a cut where at least half the edges cross the cut.

If the vertices are colored randomly (0 or 1 with probability 1/2) by choosing χ uniformly
from the set of all possible 2^|V| colorings, then:

  E[c(χ)] = Σ_{(x,y)∈E} Pr[χ(x) ≠ χ(y)] = |E|/2.

Thus, there must always be a cut of size at least |E|/2. Let S be the index set for the hash family mapping V → {0,1}. Since the summation above only requires the coloring of vertices to be pairwise-independent, it follows that E[c(h_s)] = |E|/2 when s ∈_R S. Since |S| = |V|², one can deterministically try h_s for all s ∈ S in polynomial time (even in the parallel complexity class NC), and for at least one s ∈ S, h_s defines a partition of the nodes where at least |E|/2 edges cross the partition.

This derandomization approach was developed and discussed in general terms in the
series of papers [13, Chor and Goldreich], [27, Luby], [5, Alon, Babai and Itai]. There, the approach was applied to derandomize algorithms such as witness sampling, a fast parallel algorithm for finding a maximal independent set, and other graph algorithms. This work was extended to more efficient parallel approaches in [28, Luby], and generalized in [8, Berger and Rompel] and [32, Motwani, Naor and Naor] to apply to parallel solutions of other combinatorial problems.

Other examples include the use of five-wise independent random variables to choose the pivot elements for quicksort while still maintaining the O(n log(n)) running time [22, Karloff and Raghavan]. Extending the work of [22, Karloff and Raghavan], [33, Mulmuley] reanalyzes many classical computational geometry problems, including trapezoidal triangulations, convex hulls, Voronoi diagrams, and hidden surface removal. The new analysis shows that only limited independence between the random variables suffices for the randomized algorithm.

Other ideas that have been used to derandomize particular algorithms include using expander graphs, and combining expander graphs with pairwise independence techniques. An example of this approach is [21, Karger and Motwani].

4 Derandomizing Depth Two Circuits

In this section depth two unbounded fan-in boolean circuits are considered. The circuit
subfamily of C_n^{2,m+1} with a first layer of m = m(n) "and" gates all feeding into a single output "or" gate can be viewed as a formula F in disjunctive normal form (DNF) on n variables with m clauses. Let t be the maximum length of a clause in the formula, and let Pr[F] denote the probability that a random, independent and uniformly chosen truth assignment to the variables satisfies F. The problem of computing Pr[F] exactly is known to be #P-complete [39, Valiant]. On the other hand, for many applications a good estimate of Pr[F] is all that is needed.

[29, Luby and Velickovic] introduces several ideas which can be combined with known
results to obtain approximation algorithms for the DNF problem. The first idea is that of sunflower reduction, in a way similar to the way that [37, Razborov] uses it to prove exponential lower bounds on the size of the smallest monotone circuit for finding the biggest clique in a graph. Given a DNF formula F, one looks for a large collection of clauses which form a sunflower, i.e., the intersection of any two distinct clauses in this collection is the same. Then, all the clauses in this collection are replaced by their common pairwise intersection, thus obtaining another formula which has probability of being satisfied close to that of F. This procedure is repeated until no large sunflowers can be found, obtaining a new formula F′. A theorem of [14, Erdős and Rado] implies that at the end of this procedure there are not too many clauses in F′. Because F′ is so small, it turns out to be easier to approximate Pr[F′], and because of the properties of the reduction this approximation is also a good approximation of Pr[F]. This reduction can be combined with the algorithm from [36, Nisan and Wigderson] (using the improvement based on an observation from [30, Luby, Velickovic and Wigderson]) to produce a polynomial time ε-approximation for Pr[F] when t = O(log^{1.8}(nm)) and ε is not too small.

The second approach relies on special constructions of small probability distributions.
Given a distribution D, let Pr_D[F] denote the probability that F is satisfied by a truth assignment chosen according to D. The goal is to find a distribution D with a small sample space such that Pr_D[F] is close to Pr[F]. Then, Pr_D[F] can be calculated by exhaustive consideration of the points in the space. An easy counting argument shows that such a distribution exists. The results of [29] can be viewed as progress towards finding a polynomial time construction of such a distribution.

Recall that a probability distribution D on the truth assignments is k-wise independent if any variable is equally likely to be 0 or 1 independently of the values of any other k − 1 variables. [29, Luby and Velickovic] shows that if t is bounded by a constant and k = c·log(1/ε) for some constant c, then for any probability distribution D which is k-wise independent, Pr_D[F] is a good approximation of Pr[F]. The proof works even if D is only k-wise almost independent in a certain technical sense. This, combined with the results of [34, Naor and Naor] and [6, Alon, Goldreich, Hastad and Peralta], which produce such distributions with small sample spaces, yields a polynomial time approximation algorithm for Pr[F] if t is bounded by a constant, a result previously obtained by [3, Ajtai and Wigderson] by different means.

The main contribution of [29, Luby and Velickovic] consists of the coloring algorithm.
A proper k-coloring of F is a coloring of the variables of F using at most k colors such that no clause of F contains two variables of the same color. For all i ∈ {1, ..., k}, let D_i be a probability distribution on the variables in color class i such that there is ℓ-wise independence between the variables, and let D = ×_{i∈{1,...,k}} D_i be the product distribution defining a distribution on all variables of F. It is shown that |Pr_D[F] − Pr[F]| ≤ k/2^ℓ. This suggests the following approximation algorithm for Pr[F]. Given a proper coloring of F, for all i ∈ {1, ..., k}, explicitly construct a sample space S_i for distribution D_i, and let the sample space for D be S = ×_{i∈{1,...,k}} S_i. By exhaustive enumeration of S, compute Pr_D[F] exactly. This yields an algorithm with running time dominated by Π_{i∈{1,...,k}} |S_i| for approximating Pr[F]. The running time of the algorithm depends in an exponential way on the value of k. In general it may not be possible to find a proper k-coloring for F where k is small. Instead, the idea is to find a proper coloring for a subformula G of F such that Pr[G] is close to Pr[F]. This general approach is used to design a deterministic algorithm that on input F and ε produces an ε-relative approximation of Pr[F] in polynomial time for fixed ε and t = log^{1−o(1)}(nm). For fixed ε and unrestricted clause length, the algorithm produces an ε-approximation in time polynomial in nm and 2^{log^{1+o(1)}(nm)}. For a fixed ε this algorithm is faster than the algorithm in [36, Nisan and Wigderson], but, unlike [36, Nisan and Wigderson], the running time grows exponentially with 1/ε.

5 Derandomizing Constant Depth Circuits

In this section polynomial size boolean circuits of constant depth with unbounded fan-in are considered. This class of circuits is commonly referred to as AC0. This section
describes a pseudorandom generator for this class. The pseudorandom generator runs in time exponential in log^c(n), where the constant c depends on the depth bound of the circuit family. Note that this is much better than a straightforward exhaustive enumeration procedure, which would take time exponential in n. The pseudorandom generator is based on the difficulty of computing parity with a constant depth boolean circuit.

Definition (predicting the parity of its inputs): For x ∈ {0,1}^n, x⊕ = ⊕_{i∈{1,...,n}} x_i is the parity of the number of ones in x. For any circuit C ∈ C_n^d, let p_C be the prediction probability of C for the parity of its input, i.e.,

  p_C = |Pr_Z[C(Z) = Z⊕] − 1/2|,

where Z ∈_R {0,1}^n. Let T_C be the total number of gates in C. The time-success ratio of
C for predicting the parity of its inputs is S_C = T_C/p_C. ♦

The following beautiful lower bound theorem is a culmination of a number of papers, i.e., [15, Furst, Saxe and Sipser], [2, Ajtai], [42, Yao], [12, Cai], [20, Hastad].

Parity Theorem: There is a constant κ > 0 such that for any C ∈ C_n^d, the time-success ratio S_C of C satisfies S_C ≥ 2^{n^κ}.

Based on this lower bound, [35, Nisan] and [36, Nisan and Wigderson] describe the following simple but elegant generator g. Set r = log(n)^{c(d+1)}, where c > 0 is a fixed constant. Let t_1, ..., t_n ⊆ {1, ..., r} be sets that satisfy the following two properties:

(1) For all i ∈ {1, ..., n}, |t_i| = √r.

(2) For all i ≠ j ∈ {1, ..., n}, |t_i ∩ t_j| ≤ log(n).

It is an exercise to find an efficient construction of the sets t_1, ..., t_n with these two properties. For all s ∈ {0,1}^r, for each i ∈ {1, ..., n}, define the function b_i(s) = ⊕_{j∈t_i} s_j, i.e., b_i(s) is the parity of the number of ones in the bits of s indexed by t_i. Finally, let

  g(s) = (b_1(s), ..., b_n(s)).
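One standard way to meet the two properties, sketched below in Python, is to identify {1, ..., r} with F_q × F_q for a prime q and to take each set to be the graph of a low-degree polynomial over F_q: two distinct polynomials of degree at most k agree on at most k points, so the sets intersect in at most k places. The parameters here are toy choices for illustration, not the ones required by the theorem.

```python
def nw_design(n, q, k):
    """Return n subsets of the ground set F_q x F_q (so r = q*q), each of
    size q, any two of which intersect in at most k points.
    Requires n <= q**(k+1), the number of polynomials of degree <= k."""
    assert n <= q ** (k + 1)
    sets = []
    for idx in range(n):
        # Interpret idx in base q as the coefficient vector of a polynomial.
        coeffs = [(idx // q ** j) % q for j in range(k + 1)]
        graph = {(a, sum(c * a ** j for j, c in enumerate(coeffs)) % q)
                 for a in range(q)}
        sets.append(graph)
    return sets

def nw_generator(seed_bits, sets, q):
    """b_i(s) = parity of the seed bits indexed by t_i, as in g above."""
    bit = lambda a, b: seed_bits[a * q + b]
    return [sum(bit(a, b) for (a, b) in t) % 2 for t in sets]

n, q, k = 16, 5, 1          # toy sizes: 16 sets over a ground set of 25 points
sets = nw_design(n, q, k)
assert all(len(t) == q for t in sets)
assert all(len(s & t) <= k for s in sets for t in sets if s is not t)

seed = [1, 0] * 12 + [1]    # an arbitrary 25-bit seed
print(nw_generator(seed, sets, q))
```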
The following theorem is due to [35, Nisan], [36, Nisan and Wigderson].

Theorem: Let q(n) = 2^{log(n)^{c/2}}/n^3. For all C ∈ C_n^d, the time-success ratio S_C of C for distinguishing g satisfies S_C ≥ q(n).

This theorem shows how to derandomize any constant depth boolean circuit. Consider an alternate derandomization question where the circuit can be over any type of gates (i.e., not restricted to "and" and "or" gates). The techniques of [35, Nisan], [36, Nisan and Wigderson] do not apply to this problem even in the case when the depth is restricted to two, as one of the gates can be a "parity" gate, and the entire construction is based on lower bounds for boolean circuits computing parity.

[30, Luby, Velickovic and Wigderson] provide the first subexponential simulation for
circuits with parity gates. This paper shows how to ε-approximate the accepting probability of any GF[2] polynomial of size n in deterministic time double exponential in √(log(n/ε)).
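As a small illustration of the quantity being approximated (our example, not the algorithm of [30]): the accepting probability of a GF[2] polynomial, i.e. a XOR of AND-monomials, is the fraction of 0/1 assignments on which it evaluates to 1, and for few variables it can be computed exactly by brute force.

```python
from itertools import product

def accepting_probability(monomials, num_vars):
    """monomials: list of tuples of 0-based variable indices; the polynomial
    is the GF[2] sum (XOR) of the products (ANDs) of the listed variables."""
    accept = 0
    for assignment in product([0, 1], repeat=num_vars):
        value = 0
        for mon in monomials:
            value ^= int(all(assignment[i] for i in mon))  # AND, then XOR
        accept += value
    return accept / 2 ** num_vars

# p(x1, x2, x3) = x1*x2 XOR x3
print(accepting_probability([(0, 1), (2,)], 3))  # -> 0.5
```

The deterministic algorithms discussed here replace this exponential enumeration by evaluation over a much smaller, carefully constructed set of points.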
The technique is strongly based on the pseudorandom generator of [35, Nisan] used for AC0 circuits described previously. [30, Luby, Velickovic and Wigderson] are able to apply this idea, and use the lower bounds on multiparty communication complexity of [7, Babai, Nisan and Szegedy].

6 Derandomizing General Circuits

In this section pseudorandom generators for polynomial size boolean circuits of unrestricted
depth are considered. If, for each fixed polynomial k(n), there is an ε-pseudorandom generator g : {0,1}^r(n) → {0,1}^n for C_n^{k(n),k(n)}, then for any C ∈ C_n^{k(n),k(n)} one can ε-approximate the probability that C outputs 1 on a random input in deterministic time polynomial in n times 2^{r(n)}. Thus, if r(n) = O(log(n)) then this is polynomial time overall. There is no proof in sight of this result at this point in time, and in fact it is easy to see that such a result is impossible if NP = P. On the other hand, as described below, it turns out that there is a pseudorandom generator for this class if there are strong enough one-way functions. Intuitively, a one-way function is easy to compute but hard to invert on average.

Definition (one-way function): Let f : {0,1}^n → {0,1}^ℓ(n) be a P-time function
ensemble and let C be a circuit family. The success probability (inverting probability) of C ∈ C (with ℓ(n) input bits and n output bits) for f is

  δ = Pr_X[f(C(f(X))) = f(X)],

where X ∈_R {0,1}^n. Then f is an S(n)-secure one-way function for C if the time-success ratio of C is at least S(n). ♦

The definition of a one-way permutation is exactly the same as the definition of a one-way function, except that f : {0,1}^n → {0,1}^n as a function of x ∈ {0,1}^n is a permutation.

[9, Blum and Micali] introduces the concept of a pseudorandom generator that is useful for cryptographic (and other) applications, and gave it the significance it has today by providing the first provable construction of a pseudorandom generator based on the conjectured difficulty of a well-known and well-studied computational problem, the discrete log problem.

Discrete log problem: Let p ∈ {0,1}^n be a prime number and let g be a generator of
Z_p^*, i.e., for all y ∈ Z_p^*, there is a unique x ∈ Z_{p−1} such that g^x = y mod p. Given p, g and x ∈ Z_{p−1}, define f(p,g,x) = (p,g, g^x mod p). It is possible to compute g^x mod p given p, g and x in n^O(1) time. The discrete log function is a permutation as a function of x, i.e., the unique inverse of f(p,g,x) is (p,g,x). The values of p and g are not necessarily chosen randomly. The prime p is selected to have special properties which seem in practice to make the discrete log function hard to invert. An example of such a property is that p is selected so that p − 1 has some fairly large prime divisors. For a large class of primes p and generators g there is no known P-time function ensemble that on input p, g and g^x mod p can produce x on average for x ∈_R Z_{p−1}.

The original construction of a pseudorandom generator based on the discrete log problem
is quite complicated. The following elegant theorem, due to [17, Goldreich and Levin], substantially simplifies all previously known constructions of pseudorandom generators based on one-way functions. The simplest known proof of this theorem is due to C. Rackoff, R. Venkatesan and L. Levin, inspired by [4, Alexi, Chor, Goldreich and Schnorr].

Definition (inner product bit is hidden): Let f : {0,1}^n → {0,1}^ℓ(n) be a P-time function ensemble. Let x ∈ {0,1}^n and z ∈ {0,1}^n. Then the inner product bit of f(x) is x ⊙ z. The success probability (prediction probability) of circuit C ∈ C (with ℓ(n) + n input bits and one output bit) for the inner product bit of f is

  δ = Pr_{X,Z}[C(f(X),Z) = X ⊙ Z] − Pr_{X,Z}[C(f(X),Z) ≠ X ⊙ Z],

where X, Z ∈_R {0,1}^n. Then the inner product bit of f is S(n)-secure for C if the time-success ratio is at least S(n). ♦

Hidden Bit Theorem: If f is a one-way function then the inner product bit of f
is hidden. In particular, if there is a circuit family C with time-success ratio S(n) for predicting the inner product bit then there is a circuit family C′ with time-success ratio S(n)^c for inverting f, for some constant c > 0.

From the Hidden Bit Theorem, it is not hard to show that if f is a one-way permutation for C then g(x,z) = (f(x), z, x ⊙ z) is a pseudorandom generator for C that stretches by 1 bit. This simple construction of a pseudorandom generator was one of the motivating forces behind the work of [17, Goldreich and Levin].

One can construct a pseudorandom generator that stretches by an arbitrary polynomial amount based on any one-way permutation.

Theorem: Let f : {0,1}^n → {0,1}^n be a one-way permutation. Define the P-time function ensemble g : {0,1}^n × {0,1}^n → {0,1}^{ℓ(n)+n} as

  g(x,z) = (z, x ⊙ z, f(x) ⊙ z, f^{(2)}(x) ⊙ z, ..., f^{(ℓ(n)−1)}(x) ⊙ z),

where f^{(i)} is the function f composed with itself i times. Then g is a pseudorandom
generator.

Note that since the discrete log is a permutation as a function of x for a fixed value of p and g, the construction described in this theorem can be immediately applied to yield an extremely simple pseudorandom generator based on the discrete log. This theorem is a combination of a theorem due to [16, Goldreich, Goldwasser and Micali] and the Hidden Bit Theorem of [17, Goldreich and Levin].

There is a generalization of this work that shows a more complicated reduction from an arbitrary one-way function (e.g., a function that is far from being a permutation) to a pseudorandom generator, due to [19, Hastad, Impagliazzo, Levin and Luby]. For a more
complete history and description, see [26, Luby].

References

[1] L. Adleman, "Two Theorems on Random Polynomial Time", FOCS, 1978, pp. 75-83.

[2] M. Ajtai, "Σ¹₁-Formulae on Finite Structures", Annals of Pure and Applied Logic, Vol. 24, 1983, pp. 1-48.

[3] M. Ajtai and A. Wigderson, "Deterministic Simulation of Probabilistic Constant Depth Circuits", FOCS, 1985, pp. 11-19.

[4] W. Alexi, B. Chor, O. Goldreich, C. Schnorr, "RSA/Rabin Functions: Certain Parts are as Hard as the Whole", SIAM J. on Computing, Vol. 17, No. 2, April 1988, pp. 194-209.

[5] N. Alon, L. Babai, A. Itai, "A Fast and Simple Randomized Parallel Algorithm for the Maximal Independent Set Problem", Journal of Algorithms, Vol. 7, 1986, pp. 567-583.

[6] N. Alon, O. Goldreich, J. Hastad, R. Peralta, "Simple constructions of almost k-wise independent random variables", Random Structures and Algorithms, Vol. 3, No. 3, 1992, pp. 289-304. (See also the addendum in Random Structures and Algorithms, Vol. 4, No. 1, 1993, pp. 119-120.)

[7] L. Babai, N. Nisan, and M. Szegedy, "Multiparty protocols and logspace-hard pseudorandom sequences", preliminary version in STOC, 1989, pp. 1-11; journal version in JCSS, Vol. 45, No. 2, October 1992, pp. 204-232.

[8] B. Berger, J. Rompel, "Simulating (log^c n)-wise Independence in NC", Proceedings of FOCS, 1989, pp. 1-7.

[9] M. Blum and S. Micali, "How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits", SIAM J. on Computing, Vol. 13, 1984, pp. 850-864. A preliminary version appears in FOCS, 1982, pp. 112-117.

[10] R. Boppana and R. Hirschfeld, "Pseudorandom generators and complexity classes", Advances in Computer Research, Vol. 5, 1989, editor S. Micali, JAI Press, pp. 1-26.

[11] J. Boyar, "Inferring Sequences Produced by Pseudo-Random Number Generators", J. of the ACM, Vol. 36, No. 1, 1989, pp. 129-141.

[12] J. Cai, "With probability one, a random oracle separates PSPACE from the polynomial time hierarchy", J. of Computer and System Sci., Vol. 38, 1989, pp. 68-85. A preliminary version appears in STOC, 1986, pp. 21-29.

[13] B. Chor, O. Goldreich, "On the power of two-point sampling", Journal of Complexity, Vol. 5, 1989, pp. 96-106.

[14] P. Erdős and R. Rado, "Intersection theorems for systems of sets", Journal of the London Math. Society, Vol. 35, pp. 85-90.

[15] M. Furst, J. Saxe, M. Sipser, "Parity, Circuits and the Polynomial Time Hierarchy",
FOCS, 1981, pp. 260270. [16] O. Goldreich, S. Goldwasser, S. Micali, “How to Construct Random Functions", J.
of ACM, Vol. 33, No. 4, 1986, pp. 792—807. A preliminary version appears in FOCS,
1984. xiii [17] O. Goldreich, L. Levin, “A HardCore Predicate for any Oneway Function“, STOC,
1989, pp. 25—32. [18] S. Goldwasser and S. Micah, “Probabilistic Encryption”, J. of Computer and System
Sci, Vol. 28, 1984, pp. 270—299. A preliminary version appears in STOC, 1982, pp.
365—377. [19] R. Impagliazzo, L. Levin, J. Hastad, M. Luby, “A Pseudorandom generator from any
oneway function,” 20“ STOC, 1989, and submitted to SIAM J. on Computing. [20] J. Hestad, “Computational limitations for small depth circuits”, PhD. thesis, MIT
press, 1986. [21] D. Karger and R. Motwani, “Derandomization through Approximation: An N C Algo—
rithm for Minimum Cuts”, STOC, 1994, pp. 497506. :22] H. Karloﬁ, P. Raghavan, “Randomized Algorithms and Pseudorandom Numbers",
Journal of the ACM, 1993, Vol. 40, pp. 421—453. :23] D. Knuth, SemiNumerical Algorithm, The Art of Computer Programming,
AddisonWesley, Second Edition, Vol. 2, 1981. :24] A. N. Kolmogorov, “Three Approaches to the Concept of the Amount of Information“,
Probl. Inf. Tmnsm, Vol. 1, No. 1, 1955. [25] H. Krawczyk, “How to Predict Congruential Generators”, J. of Algorithms, Vol. 13,
1992. pp. 527545. [26] M. Luby, Pseudorandomness and Cryptographic Applications, Princeton Com
puter Science Notes, David R. Hanson and Robert E. Tarjan, Editors, Princeton Uni
versity Press, January 1996. [27] M. Luby, “A Simple Parallel Algorithm for the Maximal Independent Set Problem,”
SIAM J. on Computing, Vol. 15, No. 4, November 1986, pp. 1036*1053. [28] M. Luby, “Removing Randomness in Parallel Computation Without a Process0r
Penalty," J. of Computer and System Sciences, Vol. 47, No. 2, 1993, pp. 250286. [29] M. Luby, B. Velickovié, “On Deterministic Approximation of DNF”, to appear in a
special issue of Algorithmica devoted to randomized algorithms. [30] M. Luby, B. Velickovic, and A. Wigderson, “Deterministic Approximate Counting of
Depth2 Circuits”, appears in the Proceedings of the Second Israeli Symposium on
Theory of Computing and Systems, 1993. [31] M. Luby and A. Wigderson, “Pairwise Independence and Derandomization” , ICS'I Tech
Report No. Tit95035, July, 1995. [32] R. Motwani, J. Naor, M. Naor, “The Probabilistic Method Yields Parallel Deterministic
Algoritth”, J. of Computer and System Sciences, 1994, Vol. 49, pp. 478—516. [33] K. Mulrnuiey, “Pseudorandom Generators in Geometric Algorithms”, to appear in a
special issue of Aigorithmico devoted to randomized algorithms. [34] M. Naor and S. Naor, “Small Bias Probability Spaces: Efﬁcient Constructions and
Applications”, STOC, 1990, pp. 213223. [35] N. Nisan, “Pseudorandorn bits for constant depth circuits”, Combinatorico, Vol. 1,
1991, pp. 6340. [36] N. Nisan and A. Wigderson. “Hardness vs. Randomness”, JCSS, Vol. 49, No. 2, 1994,
pp. 149—167. [37] A. Razborov, “Lower bounds on the monotone complexity of some Boolean functions,"
Dokiudy Akodemii Nauic SSSR 281:4, 1985, pp. 798—801, (in Russian). English trans
lation in Soviet Mathematics Doiciody 31, 354—357. [38] A. Shamir, “On the generation of cryptographically strOng pseudorandorn Sequences”,
ACM Transactions on Computer Systems, Vol. 1, No. 1, 1983, pp. 38—44. A preliminary version appears in the 8th ICALP and appears in Lecture Notes on Computer
Science, 1981, Springer Verlag, pp. 544—550. [39] L. Valiant, “The complexity of computing the permanent“, Theoreticai Computer Sci
ence, 1979, No. 8, pp 189201. [40] M. Wegman, J. Carter. “New hash functions and their use in authentication and set
equality,” Journoi of Computer and System Sciences, Vol. 22, No. 3, 1981, pp. 265~279. [41] A. Yao, “Theory and Applications of Trapdoor Functions”, FOCS, 1982, pp. 80~91. [42] A. Yao, “Separating the PolynomialTime Hierarchy by Oracles”, F008, 1985, pp.
1—10. XV HP. '1.
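As a purely illustrative companion to the two generator constructions discussed above (the one-bit-stretch generator ⟨f(x), z, x ⊙ z⟩ and the iterated polynomial-stretch generator), here is a small Python sketch. It is not from the paper: the permutation f below is a toy stand-in (an affine map mod 2^N, which is a bijection but certainly not one-way), so the code only demonstrates how the constructions are wired together.

```python
# Toy sketch of the pseudorandom generator constructions built from a
# permutation f.  WARNING: this f is a placeholder and is NOT one-way;
# a real instantiation would use a candidate one-way permutation.

N = 16  # input length n, in bits (toy size)

def f(x: int) -> int:
    """Toy permutation on N-bit integers (odd multiplier => bijection mod 2^N)."""
    return (1234577 * x + 3) % (1 << N)

def inner_product_bit(x: int, z: int) -> int:
    """The hidden (Goldreich-Levin) bit: inner product of x and z mod 2."""
    return bin(x & z).count("1") % 2

def g_one_bit(x: int, z: int):
    """One-bit stretch: g(x, z) = <f(x), z, x . z>, i.e. 2n bits -> 2n+1 bits."""
    return (f(x), z, inner_product_bit(x, z))

def g_stretch(x: int, z: int, ell: int):
    """Polynomial stretch: <z, x.z, f(x).z, ..., f^{(ell-1)}(x).z>,
    i.e. 2n input bits -> n + ell output bits."""
    bits = []
    y = x
    for _ in range(ell):
        bits.append(inner_product_bit(y, z))
        y = f(y)  # iterate the permutation
    return (z, bits)

z_out, bits = g_stretch(x=0xBEEF, z=0x1234, ell=32)
print(z_out, bits)
```

Note the design of `g_stretch`: each iterate of f contributes a single inner product bit, exactly as in the theorem combining [16] and [17]; the security argument (not reproduced here) is that distinguishing these bits from random would yield a circuit inverting f.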
This note was uploaded on 10/23/2011 for the course CS 7520 taught by Professor Staff during the Spring '08 term at Georgia Tech.