Derandomizing Approximation Algorithms for Hard Counting Problems

Michael Luby
International Computer Science Institute, Berkeley, CA and University of California at Berkeley

TR-95-069
December 1995

Research supported in part by National Science Foundation operating grants CCR-9304722 and NCR-9416101, and United States-Israel Binational Science Foundation grant No. 92-00226.

1 Introduction

This paper is a (biased) survey of some work in derandomization of randomized algorithms. Perhaps the most famous open problem in Computer Science is whether or not NP is equal to P, i.e., are efficient non-deterministic algorithms more powerful than efficient deterministic algorithms. An analogous question is whether or not RP is equal to P, i.e., are efficient randomized algorithms more powerful than efficient deterministic algorithms. These two questions formally are quite similar, as the only difference between the definitions of NP and RP is that for an NP language $L$, there is only required to be one witness for each $x \in L$, whereas for RP a constant fraction of strings are required to be witnesses. Nevertheless, it is my belief that NP is more powerful than P, and on the other hand RP is equal to P. Paradoxically, there is some hope that an eventual proof that shows that NP is not equal to P will be strong enough to also show that RP is equal to P.

Definition (function ensemble): Let $f : \{0,1\}^{t(n)} \to \{0,1\}^{\ell(n)}$ denote a function ensemble, where $t(n)$ and $\ell(n)$ are polynomial in $n$ and where $f$ with respect to $n$ is a function mapping $\{0,1\}^{t(n)}$ to $\{0,1\}^{\ell(n)}$.

Definition (P-time function ensemble): Call $f : \{0,1\}^{t(n)} \times \{0,1\}^{\ell(n)} \to \{0,1\}^{m(n)}$ a $T(n)$-time function ensemble if $f$ is a function ensemble and there is a Turing machine such that, for all $x \in \{0,1\}^{t(n)}$, for all $y \in \{0,1\}^{\ell(n)}$, $f(x,y)$ is computable in time $T(n)$. Call $f$ a P-time function ensemble if $T(n) = n^{O(1)}$.

Definition (language): Let $L : \{0,1\}^n \to \{0,1\}$ be a function ensemble.
One can view $L$ as a language, where, for all $x \in \{0,1\}^n$, $x \in L$ if $L(x) = 1$ and $x \notin L$ if $L(x) = 0$. In the following, definitions of a variety of complexity classes with respect to a language $L$ as just defined are made.

Definition (P): Say that $L \in \mathrm{P}$ if $L$ is a P-time function ensemble.

Definition (NP): Say that $L \in \mathrm{NP}$ if there is a P-time function ensemble $f : \{0,1\}^n \times \{0,1\}^{\ell(n)} \to \{0,1\}$ such that for all $x \in \{0,1\}^n$,
$x \in L$ implies $\Pr_{Y \in_U \{0,1\}^{\ell(n)}}[f(x,Y) = 1] > 0$,
$x \notin L$ implies $\Pr_{Y \in_U \{0,1\}^{\ell(n)}}[f(x,Y) = 1] = 0$.

Definition (RP): Say that $L \in \mathrm{RP}$ if there is a constant $\epsilon > 0$ and a P-time function ensemble $f : \{0,1\}^n \times \{0,1\}^{\ell(n)} \to \{0,1\}$ such that for all $x \in \{0,1\}^n$,
$x \in L$ implies $\Pr_{Y \in_U \{0,1\}^{\ell(n)}}[f(x,Y) = 1] \ge \epsilon$,
$x \notin L$ implies $\Pr_{Y \in_U \{0,1\}^{\ell(n)}}[f(x,Y) = 1] = 0$.

There are a few philosophical reasons to want to show that RP = P, e.g., does randomization help in the general context of efficient computation? There are also some practical reasons, e.g., in practice if one uses a Monte Carlo algorithm then there should be great concern about where the source of random bits comes from. In practice, what one typically does is to take a very small number of random bits and stretch them into a large number using a simple pseudorandom generator, e.g., a linear congruential generator, and then use these bits as the source of randomness for the Monte Carlo simulation. The problem in practice is that there is no guarantee that these pseudorandom bits are random enough to make the Monte Carlo simulation behave as though they were truly random. In practice sometimes the answer turns out to be that this is good enough, sometimes it has turned out to be not good enough, and in many cases the answer is not known.
One of the motivations behind the work on derandomization of randomized algorithms is to put this entire question on a much firmer scientific footing, i.e., to be able to say authoritatively which pseudorandom generators can be provably used for which Monte Carlo algorithms.

1.1 Randomness and Pseudorandomness

The notion of randomness tests for a string evolved over time: from set-theoretic tests to enumerable [24, Kolmogorov], recursive and finally limited time tests. There were some preliminary works that helped motivate the concept of a pseudorandom generator including [38, Shamir]. [9, Blum and Micali] introduce the fundamental concept of a pseudorandom generator that is useful for cryptographic (and other) applications, and gave it the significance it has today by providing the first provable construction of a pseudorandom generator based on the conjectured difficulty of a well-known and well-studied computational problem, the discrete log problem. [41, Yao] introduces the now standard definition of a pseudorandom generator, and shows an equivalence between this definition and the next bit test introduced in [9, Blum and Micali]. The standard definition of a pseudorandom generator introduced by [41, Yao] is based on the fundamental concept of computational indistinguishability introduced previously in [18, Goldwasser and Micali]. [41, Yao] also shows how to construct a pseudorandom generator from any one-way permutation. Another important observation of [41, Yao] is that a pseudorandom generator can be used to reduce the number of random bits needed for any probabilistic polynomial time algorithm, and this shows how to perform a deterministic simulation of any polynomial time probabilistic algorithm in subexponential time based on a pseudorandom generator. The results on deterministic simulation were subsequently generalized in [10, Boppana and Hirschfeld].
The robust notion of a pseudorandom generator, due to [9, Blum and Micali], [41, Yao], should be contrasted with the classical methods of generating random looking bits as described in, e.g., [23, Knuth]. In studies of classical methods, the output of the generator is considered good if it passes a particular set of standard statistical tests. The linear congruential generator is an example of a classical method for generating random looking bits that pass a variety of standard statistical tests. However, [11, Boyar] and [25, Krawczyk] show that there is a polynomial time statistical test which the output from this generator does not pass.

2 Circuits

A convenient way to view computation is via boolean circuits.

Definition ($\mathcal{C}^{\ell(n),d(n),S(n)}$): For all $n \in \mathbb{N}$, let $\mathcal{C}^{\ell(n),d(n),S(n)}$ be the set of all circuits with $\ell(n)$ boolean input variables $x = (x_1, \ldots, x_{\ell(n)})$ of depth $d(n)$ with a total of at most $S(n)$ gates. A circuit $C \in \mathcal{C}^{\ell(n),d(n),S(n)}$ consists of "and"-gates and "or"-gates, where each gate is allowed unbounded fan-in. $C$ consists of $d(n)$ levels of gates, where all gates at a given level are the same type. All the gates at level 1 have as inputs any mixture of variables and their negations. For all $i \in \{2, \ldots, d(n)\}$, all gates at level $i$ receive their inputs from the gates at level $i - 1$. The set of gates at level $d(n)$ are considered to be the output of $C$.

For example, let $f : \{0,1\}^n \times \{0,1\}^{\ell(n)} \to \{0,1\}$ be the P-time function ensemble associated with an RP language $L$. One can think of $f$ as a family of boolean circuits as follows. For each $n$, there are $2^n$ circuits in the family with $\ell(n)$-bit inputs, one circuit for each of the $2^n$ possible values of $x \in \{0,1\}^n$. The circuit $C_x$ associated with the input $x$ computes the value of $f(x,y)$ on input $y \in \{0,1\}^{\ell(n)}$. The circuit $C_x$ can be derived from the description of $f$ and from $x$.
Since $f$ is a P-time function ensemble, without loss of generality one can say that $C_x$ consists of at most a polynomial number $p(n)$ of alternating levels of "and" and "or" gates, with a single output gate at the bottom level. The property that $C_x$ has is that if $x \in L$ then $\Pr_Y[C_x(Y) = 1] \ge 1/2$ and if $x \notin L$ then $\Pr_Y[C_x(Y) = 1] = 0$, where $Y \in_R \{0,1\}^{\ell(n)}$. One can view this circuit family for $L$ as a subfamily of $\mathcal{C}^{\ell(n),p(n),p(n)}$.

In terms of circuits, the approach to derandomization explored in this survey is to construct a pseudorandom generator $g$ that can be used as the source of randomness for all $C \in \mathcal{C}$. This approach was initiated by [9, Blum and Micali] and [41, Yao].

Definition ($\epsilon$-pseudorandom generator for a circuit family $\mathcal{C}$): Let $g : \{0,1\}^{r(n)} \to \{0,1\}^n$ be a P-time function ensemble, where $r(n) < n$. Let $\mathcal{C}$ be an infinite family of circuits, and let $C \in \mathcal{C}$ be a circuit with $n$ inputs. The distinguishing probability of $C$ for $g$ is $\delta = |\Pr[C(Y) = 1] - \Pr[C(g(Z)) = 1]|$, where $Y \in_R \{0,1\}^n$ and $Z \in_R \{0,1\}^{r(n)}$, in which case $g$ is said to $\epsilon$-approximate $C$ for any $\epsilon > \delta$. Say that $g$ is an $\epsilon$-pseudorandom generator for $\mathcal{C}$ if $g$ $\epsilon$-approximates $C$ for all $C \in \mathcal{C}$. Say that $\mathcal{C}$ has time-success ratio $S(n)$ for $g$ if the minimum over all circuits $C \in \mathcal{C}$ with $n$ inputs of the ratio of the number of gates in $C$ divided by the distinguishing probability of $C$ is at least $S(n)$.

Given $g$, the derandomization for the RP circuit family described above is straightforward: For any $x \in \{0,1\}^n$, one can approximate the fraction of the $2^{\ell(n)}$ inputs on which $C_x$ outputs 1 as follows. Let $g : \{0,1\}^{r(n)} \to \{0,1\}^{\ell(n)}$ be a $1/2$-pseudorandom generator for $\mathcal{C}^{\ell(n),p(n),p(n)}$. For all $z \in \{0,1\}^{r(n)}$, compute $C_x(g(z))$, and if any of the answers is 1 then conclude that $x \in L$, and otherwise conclude that $x \notin L$. Note that by the properties of $g$ this procedure is guaranteed to correctly classify $x$ with respect to membership in $L$. The smaller $r(n)$ is in relationship to $n$ the stronger the pseudorandom generator $g$.
For example, if $r(n)$ is $O(\log(n))$ then the entire procedure runs in deterministic polynomial time, showing that RP = P. One way to view the above approach is to find a small set $S$ of $\ell(n)$-bit strings such that the average value of $C_x(y)$ over $y \in S$ is close to the average value of $C_x(y)$ over all $y \in \{0,1\}^{\ell(n)}$. In the above, $S$ can be viewed as the set $\{g(z) : z \in \{0,1\}^{r(n)}\}$. The other important ingredient to the derandomization is that the set $S$ can be efficiently enumerated. This is true in the above approach because $g$ is a P-time function ensemble, and thus $S$ can be enumerated simply by sequencing through all $z \in \{0,1\}^{r(n)}$ and computing $g(z)$. Suppose one is only interested in the property that $S$ be small and drop the (crucial) requirement that $S$ is easy to enumerate. Then, it is not hard to see that there is such a small set $S$. To see this, suppose that one chooses randomly a set $S$ of size $n + 1$. If $x \notin L$ then, independent of $S$, $x$ is correctly classified. On the other hand, if $x \in L$, then $x$ is incorrectly classified with probability at most $2^{-(n+1)}$. Since there are at most $2^n$ such $x$, the probability that there is an $x \in \{0,1\}^n$ that is incorrectly classified is at most $1/2$. Thus, there is a set $S$ of size $n + 1$ that correctly classifies all $x \in \{0,1\}^n$ with respect to membership in $L$. This is the approach that [1, Adleman] took to show that RP ⊆ P/poly, i.e., in a non-uniform sense randomization is no more powerful than deterministic computation. The problem with this approach is that there is no clue of how to efficiently generate the set $S$ in deterministic polynomial time. Thus, the uniform version of the "RP = P?" question is far from resolved.

3 Derandomizing Particular Algorithms

In some applications, the goal is to completely derandomize the algorithm to produce a deterministic solution.
However, in other cases the basic goal is only to drastically reduce the number of random bits used by the randomized algorithms, e.g., reduce from $O(n)$ bits to $O(\log(n))$ bits. The philosophical and practical import of this is that it is hard in practice to produce high quality independent random bits at a high rate.

3.1 Pairwise Independence

One of the key ideas in derandomizing randomized algorithms is the observation that sometimes it is the case that the randomized algorithm works just as well if there is not full independence between the random variables. One special but important case is when pairwise independence between the random variables suffices. Consider a set of random variables indexed by a set $U$, i.e., $\{Z_x : x \in U\}$, where $Z_x \in T$. For finite $t = |T|$, a uniform distribution assigns $\Pr[Z_x = \alpha] = 1/t$, for all $x \in U$, $\alpha \in T$. If this distribution were furthermore pairwise independent, one would have: for all $x \ne y \in U$, for all $\alpha, \beta \in T$,
$\Pr[Z_x = \alpha, Z_y = \beta] = \Pr[Z_x = \alpha] \cdot \Pr[Z_y = \beta] = 1/t^2$.
This is not the same as complete independence, as evidenced by the following set of three pairwise-independent variables ($U = \{1,2,3\}$, $T = \{0,1\}$, $t = 2$), given as a table of rows indexed by $s$ (the table itself is not reproduced in the scanned text). Each row $s$ can be thought of as a function $h_s : U \to T$. Let $S$ be the index set for these functions, where in this case $S = \{0,1\}^2$. For all $x \ne y \in U$, for all $\alpha, \beta \in T$,
$\Pr_{s \in_R S}[h_s(x) = \alpha \wedge h_s(y) = \beta] = 1/4 = 1/t^2$.
(Notice in particular that $\Pr_{s \in_R S}[h_s(x) = h_s(y)] = 1/2 = 1/t$.) Any set of functions satisfying this condition is a 2-universal family of hash functions. Definitions and explicit constructions of 2-universal hash functions were first given by [40, Carter and Wegman]. One simple way to construct a general family of hash functions mapping $\{0,1\}^n \to \{0,1\}^n$ is to let $S = \{0,1\}^n \times \{0,1\}^n$, and then for all $s = (a,b) \in S$, for all $x \in \{0,1\}^n$ define $h_s(x) = ax + b$, where the arithmetic operations are with respect to the finite field $GF[2^n]$.
Thus, each $h_s$ maps $\{0,1\}^n \to \{0,1\}^n$ and $S$ is the index set of the hash functions. For each $s = (a,b) \in S$, one can write:
$$\begin{pmatrix} h_s(x) \\ h_s(y) \end{pmatrix} = \begin{pmatrix} x & 1 \\ y & 1 \end{pmatrix} \begin{pmatrix} a \\ b \end{pmatrix}$$
When $x \ne y$, the matrix is non-singular, so that for any $x, y \in \{0,1\}^n$, the pair $(h_s(x), h_s(y))$ takes on all $2^{2n}$ possible values (as $s$ varies over all $S$). Thus if $s$ is chosen uniformly at random from $S$, then $(h_s(x), h_s(y))$ is also uniformly distributed. One can view $S$ as the set of points in a sample space on the set of random variables $\{Z_x : x \in \{0,1\}^n\}$ where $Z_x(s) = h_s(x)$ for all $s \in S$. With respect to the uniform distribution on $S$, these random variables are pairwise independent, i.e., for all $x \ne y \in \{0,1\}^n$, for all $\alpha, \beta \in \{0,1\}^n$,
$\Pr_{s \in_R S}[Z_x(s) = \alpha \wedge Z_y(s) = \beta] = \Pr_{s \in_R S}[Z_x(s) = \alpha] \cdot \Pr_{s \in_R S}[Z_y(s) = \beta] = 1/2^{2n}$.
To obtain a hash function that maps to $k < n$ bits, we can still use $S$ as the function index family: The value of the hash function indexed by $s$ on input $x$ is obtained by computing $h_s(x)$ and using the first $k$ bits. The important properties of these hash functions are:

- Pairwise independence.
- Succinctness: each function can be described as a $2n$-bit string. Therefore, randomly picking a function index requires only $2n$ random bits.
- The function $h_s(x)$ can easily be computed (in LOGSPACE, for instance) given the function index $s$ and the input $x$.

In the sequel, unless otherwise specified, references to pairwise independent hash functions refer to this construction, and $S$ denotes the set of indices for the hash family.

3.2 Applications to Particular Algorithms

The original applications described in [40, Carter and Wegman] were applications to hashing. Subsequently 2-universal hashing has been applied in surprising ways to a rich variety of problems. For a survey of some of these applications, see [31, Luby and Wigderson].
Consider, for example, the MAXCUT problem: given a graph $G = (V,E)$, find a two-coloring of the vertices $\chi : V \to \{0,1\}$ so as to maximize $c(\chi) = |\{(x,y) \in E : \chi(x) \ne \chi(y)\}|$. The following is a description of a solution to this problem that is guaranteed to produce a cut where at least half the edges cross the cut. If the vertices are colored randomly (0 or 1 with probability $1/2$) by choosing $\chi$ uniformly from the set of all possible $2^{|V|}$ colorings, then:
$$E[c(\chi)] = \sum_{(x,y) \in E} \Pr[\chi(x) \ne \chi(y)] = \frac{|E|}{2}$$
Thus, there must always be a cut of size at least $|E|/2$. Let $S$ be the index set for the hash family mapping $V \to \{0,1\}$. Since the summation above only requires the coloring of vertices to be pairwise-independent, it follows that $E[c(h_s)] = |E|/2$ when $s \in_R S$. Since $|S| = |V|^2$, one can deterministically try $h_s$ for all $s \in S$ in polynomial time (even in the parallel complexity class NC), and for at least one $s \in S$, $h_s$ defines a partition of the nodes where at least $|E|/2$ edges cross the partition. This derandomization approach was developed and discussed in general terms in the series of papers [13, Chor and Goldreich], [27, Luby], [5, Alon, Babai and Itai]. There, the approach was applied to derandomize algorithms such as witness sampling, a fast parallel algorithm for finding a maximal independent set, and other graph algorithms. This work was extended to more efficient parallel approaches in [28, Luby], and generalized in [8, Berger and Rompel] and [32, Motwani, Naor and Naor] to apply to parallel solutions of other combinatorial problems. Other examples include the use of five-wise independent random variables to choose the pivot elements for quicksort while still maintaining the $O(n \log(n))$ running time [22, Karloff and Raghavan]. Extending the work of [22, Karloff and Raghavan], [33, Mulmuley] reanalyzes many classical computational geometry problems, including trapezoidal triangulations, convex hulls, Voronoi diagrams, and hidden surface removal.
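As an added worked example (not code from the paper), the following Python enumerates the index set $S$ of the $h_s(x) = ax + b$ family over $GF[2^3]$ from Section 3.1 to confirm pairwise independence, and then runs the derandomized MAXCUT procedure just described on a small constructed graph; the modulus $x^3 + x + 1$, the 3-bit vertex names and the graph are assumptions of the example.

```python
# Added example (not from the paper): the 2-universal family h_s(x) = a*x + b over
# GF[2^n] (Section 3.1), checked for pairwise independence by enumerating the index
# set S, and the derandomized MAXCUT procedure (Section 3.2) that tries h_s for
# every s in S. Parameters (n = 3, modulus x^3 + x + 1, the graph) are constructed.
from itertools import product

N_BITS = 3               # vertices are 3-bit names, so |V| <= 8 and |S| = 2^(2n) = 64
IRREDUCIBLE = 0b1011     # x^3 + x + 1, irreducible over GF(2); defines GF[2^3]


def gf_mul(a, b, n=N_BITS, mod=IRREDUCIBLE):
    """Multiply two elements of GF[2^n]: carry-less product reduced mod the polynomial."""
    r = 0
    for _ in range(n):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:     # degree reached n: subtract (xor) the modulus
            a ^= mod
    return r


def h(s, x, n=N_BITS):
    """h_s(x) = first (most significant) bit of a*x + b in GF[2^n], where s = (a, b)."""
    a, b = s
    return (gf_mul(a, x, n) ^ b) >> (n - 1)


def index_set(n=N_BITS):
    """S = {0,1}^n x {0,1}^n, the 2n-bit indices of the family."""
    return list(product(range(1 << n), repeat=2))


def joint_counts(x, y, n=N_BITS):
    """How many s in S give (h_s(x), h_s(y)) = (alpha, beta), for each (alpha, beta)."""
    counts = {(al, be): 0 for al in (0, 1) for be in (0, 1)}
    for s in index_set(n):
        counts[(h(s, x, n), h(s, y, n))] += 1
    return counts


def is_pairwise_independent(n=N_BITS):
    """Pr_s[h_s(x)=alpha and h_s(y)=beta] = 1/4 = 1/t^2 for every x != y:
    each of the four outcomes must occur exactly |S|/4 times."""
    quarter = (1 << (2 * n)) // 4
    return all(all(c == quarter for c in joint_counts(x, y, n).values())
               for x in range(1 << n) for y in range(1 << n) if x != y)


def cut_size(coloring, edges):
    """c(chi) = number of edges whose endpoints receive different colors."""
    return sum(1 for u, v in edges if coloring[u] != coloring[v])


def derandomized_maxcut(vertices, edges, n=N_BITS):
    """Try the coloring h_s for every s in S (|S| = |V|^2 when |V| = 2^n).
    Returns (best index, best cut size, average cut size over S). The average
    is exactly |E|/2 by pairwise independence, so the best cut has >= |E|/2 edges."""
    S = index_set(n)
    best_s, best, total = None, -1, 0
    for s in S:
        c = cut_size({v: h(s, v, n) for v in vertices}, edges)
        total += c
        if c > best:
            best_s, best = s, c
    return best_s, best, total / len(S)


# Constructed graph on 8 vertices containing odd cycles (so no cut takes every edge).
VERTICES = list(range(8))
EDGES = [(0, 1), (1, 2), (2, 0), (2, 3), (3, 4), (4, 5),
         (5, 3), (5, 6), (6, 7), (7, 0), (1, 4)]

if __name__ == "__main__":
    print("pairwise independent:", is_pairwise_independent())
    s, best, avg = derandomized_maxcut(VERTICES, EDGES)
    print(f"|E| = {len(EDGES)}, average cut over S = {avg}, best cut = {best} at s = {s}")
```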
The new analysis shows that only limited independence between the random variables suffices for the randomized algorithm. Other ideas that have been used to derandomize particular algorithms include using expander graphs, and combining expander graphs with pairwise independence techniques. An example of this approach is [21, Karger and Motwani].

4 Derandomizing Depth Two Circuits

In this section depth two unbounded fan-in boolean circuits are considered. The circuit subfamily of $\mathcal{C}^{n,2,m+1}$ with a first layer of $m = m(n)$ "and" gates all feeding into a single output "or" gate can be viewed as a formula $F$ in disjunctive normal form (DNF) on $n$ variables with $m$ clauses. Let $t$ be the maximum length of a clause in the formula, and let $\Pr[F]$ denote the probability that a random, independent and uniformly chosen truth assignment to the variables satisfies $F$. The problem of computing $\Pr[F]$ exactly is known to be #P-complete [39, Valiant]. On the other hand, for many applications a good estimate of $\Pr[F]$ is all that is needed. [29, Luby and Veličković] introduces several ideas which can be combined with known results to obtain approximation algorithms for the DNF problem. The first idea is that of sunflower reduction in a way similar to the way that [37, Razborov] uses it to prove exponential lower bounds for the size of the smallest monotone circuit for finding the biggest clique in a graph. Given a DNF formula $F$, one looks for a large collection of clauses which form a sunflower, i.e., the intersection of any two distinct clauses in this collection is the same. Then, all the clauses in this collection are replaced by their common pairwise intersection, thus obtaining another formula which has probability of being satisfied close to that of $F$. This procedure is repeated until no large sunflowers can be found, obtaining a new formula $F'$. A theorem of [14, Erdős and Rado] implies that at the end of this procedure there are not too many clauses in $F'$.
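As an added illustration (not the algorithm of [29] or code from the paper), this Python carries out the sunflower reduction just described on a small constructed DNF and computes $\Pr[F]$ and $\Pr[F']$ exactly by brute force, so the effect of replacing a sunflower by its core is visible; the formula, the sunflower size $p = 3$ and the clause encoding are assumptions of the example.

```python
# Added example (not from [29] or the paper): sunflower reduction on a small DNF,
# with Pr[F] computed exactly over all 2^n assignments. A clause is a frozenset of
# literals (var, value) meaning "variable var equals value"; F is the OR of clauses.
from itertools import combinations, product


def satisfies(assignment, clause):
    """A clause (a conjunction of literals) holds iff every literal agrees with the assignment."""
    return all(assignment[var] == val for var, val in clause)


def prob_satisfied(clauses, n):
    """Pr[F] over uniform truth assignments to n variables (exact brute force, 2^n work)."""
    hits = sum(1 for a in product((0, 1), repeat=n) if any(satisfies(a, c) for c in clauses))
    return hits / 2 ** n


def find_sunflower(clauses, p):
    """p clauses whose pairwise intersections are all the same set (the core), or None.
    Brute force over p-subsets, which is fine for the handful of clauses used here."""
    for petals in combinations(clauses, p):
        core = petals[0] & petals[1]
        if all((a & b) == core for a, b in combinations(petals, 2)):
            return core, petals
    return None


def sunflower_reduce(clauses, p):
    """Replace each p-sunflower by its common intersection until none is left.
    Every petal contains the core, so Pr[F'] >= Pr[F]; the increase equals
    Pr[core holds but no clause of F does], which shrinks as p grows."""
    clauses = list(clauses)
    while (found := find_sunflower(clauses, p)) is not None:
        core, petals = found
        clauses = [c for c in clauses if c not in petals] + [core]
    return clauses


def lit(var, val):
    return (var, val)


# Constructed formula on 6 variables: four clauses sharing the core {x0=1, x1=1}
# (a sunflower of size 4) plus one clause that overlaps only partially.
CORE = {lit(0, 1), lit(1, 1)}
F = [frozenset(CORE | {lit(2, 1)}), frozenset(CORE | {lit(3, 1)}),
     frozenset(CORE | {lit(4, 1)}), frozenset(CORE | {lit(5, 1)}),
     frozenset({lit(5, 1), lit(2, 0)})]

if __name__ == "__main__":
    reduced = sunflower_reduce(F, p=3)
    print("Pr[F]  =", prob_satisfied(F, 6))
    print("Pr[F'] =", prob_satisfied(reduced, 6), "with", len(reduced), "clauses")
```

For this formula the reduction raises the probability by exactly $1/64$ (from $27/64$ to $28/64$), the weight of the assignments that satisfy the core but none of the original clauses.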
Because $F'$ is so small, it turns out to be easier to approximate $\Pr[F']$, and because of the properties of the reduction this approximation is also a good approximation of $\Pr[F]$. This reduction can be combined with the algorithm from [36, Nisan and Wigderson] (using the improvement based on an observation from [30, Luby, Veličković and Wigderson]) to produce a polynomial time $\epsilon$-approximation for $\Pr[F]$ when $t = O(\log^{1/8}(nm))$ and $\epsilon$ is not too small.

The second approach relies on special constructions of small probability distributions. Given a distribution $\mathcal{D}$ let $\Pr_{\mathcal{D}}[F]$ denote the probability that $F$ is satisfied by a truth assignment chosen according to $\mathcal{D}$. The goal is to find a distribution $\mathcal{D}$ with a small sample space such that $\Pr_{\mathcal{D}}[F]$ is close to $\Pr[F]$. Then, $\Pr_{\mathcal{D}}[F]$ can be calculated by exhaustive consideration of the points in the space. An easy counting argument shows that such a distribution exists. The results of [29] can be viewed as progress towards finding a polynomial time construction of such a distribution.

Recall that a probability distribution $\mathcal{D}$ on the truth assignments is $k$-wise independent if any variable is equally likely to be 0 or 1 independently of the value of any other $k - 1$ variables. [29, Luby and Veličković] shows that if $t$ is bounded by a constant and $k = c \log(1/\epsilon)$ for some constant $c$ then for any probability distribution $\mathcal{D}$ which is $k$-wise independent $\Pr_{\mathcal{D}}[F]$ is a good approximation of $\Pr[F]$. The proof works if $\mathcal{D}$ is only $k$-wise almost independent in a certain technical sense. This combined with the results of [34, Naor and Naor] and [6, Alon, Goldreich, Håstad and Peralta], which produce such distributions with small sample spaces, yields a polynomial time approximation algorithm for $\Pr[F]$ if $t$ is bounded by a constant, a result previously obtained by [3, Ajtai and Wigderson] by different means. The main contribution of [29, Luby and Veličković] consists of the coloring algorithm.
A proper $k$-coloring of $F$ is a coloring of the variables of $F$ using at most $k$ colors such that no clause of $F$ contains two variables of the same color. For all $i \in \{1, \ldots, k\}$, let $\mathcal{D}_i$ be a probability distribution on the variables in color class $i$ such that there is $\ell$-wise independence between the variables, and let $\mathcal{D} = \times_{i \in \{1,\ldots,k\}} \mathcal{D}_i$ be the product distribution defining a distribution on all variables of $F$. It is shown that $|\Pr_{\mathcal{D}}[F] - \Pr[F]| \le tk/2^{\ell}$. This suggests the following approximation algorithm for $\Pr[F]$. Given a proper coloring of $F$, for all $i \in \{1, \ldots, k\}$, explicitly construct sample space $S_i$ for distribution $\mathcal{D}_i$ and let the sample space for $\mathcal{D}$ be $S = \times_{i \in \{1,\ldots,k\}} S_i$. By exhaustive enumeration of $S$, compute $\Pr_{\mathcal{D}}[F]$ exactly. This yields an algorithm with running time dominated by $\times_{i \in \{1,\ldots,k\}} |S_i|$ for approximating $\Pr[F]$. The running time of the algorithm depends in an exponential way on the value of $k$. In general it may not be possible to find a proper $k$-coloring for $F$ where $k$ is small. Instead, the idea is to find a proper coloring for a subformula $G$ of $F$ such that $\Pr[G]$ is close to $\Pr[F]$. This general approach is used to design a deterministic algorithm that on input $F$ and $\epsilon$ produces an $\epsilon$-relative approximation of $\Pr[F]$ in polynomial time for fixed $\epsilon$ and $t = \log^{1-o(1)}(nm)$. For fixed $\epsilon$ and unrestricted clause length the algorithm produces an $\epsilon$-approximation in time polynomial in $nm$ and $2^{\log^{1+o(1)}(nm)}$. For a fixed $\epsilon$ this algorithm is faster than the algorithm in [36, Nisan and Wigderson], but, unlike [36, Nisan and Wigderson], the running time grows exponentially with $1/\epsilon$.

5 Derandomizing Constant Depth Circuits

In this section polynomial size boolean circuits of constant depth with unbounded fan-in are considered. This class of circuits is commonly referred to as AC0. This section describes a pseudorandom generator for this class.
The pseudorandom generator runs in time exponential in $\log^c(n)$, where the constant $c$ depends on the depth bound on the circuit family. Note that this is much better than a straightforward exhaustive enumeration procedure, which would take time exponential in $n$. The pseudorandom generator is based on the difficulty of computing parity with a constant depth boolean circuit.

Definition (predicting the parity of its inputs): For $x \in \{0,1\}^n$, $x_\oplus = \oplus_{i \in \{1,\ldots,n\}} x_i$ is the parity of the number of ones in $x$. For any circuit $C \in \mathcal{C}^{n,d,S}$, let $p_C$ be the prediction probability of $C$ for the parity of its input, i.e., $p_C = |\Pr_Z[C(Z) = Z_\oplus] - 1/2|$, where $Z \in_R \{0,1\}^n$. Let $T_C$ be the total number of gates in $C$. The time-success ratio of $C$ for predicting the parity of its inputs is $S_C = T_C / p_C$.

The following beautiful lower bound theorem is a culmination of a number of papers, i.e., [15, Furst, Saxe and Sipser], [2, Ajtai], [42, Yao], [12, Cai], [20, Håstad].

Parity Theorem: There is a constant $\alpha > 0$ such that for any $C \in \mathcal{C}^{n,d,S}$, the time-success ratio $S_C$ of $C$ satisfies $S_C \ge 2^{n^{\alpha}}$.

Based on this lower bound, [35, Nisan], [36, Nisan and Wigderson] describe the following simple but elegant generator $g$. Set $r = \log(n)^{c(d+1)}$, where $c > 0$ is a fixed constant. Let $t_1, \ldots, t_n \subseteq \{1, \ldots, r\}$ be sets that satisfy the following two properties:
(1) For all $i \in \{1, \ldots, n\}$, $|t_i| =$ [value illegible in the scanned text].
(2) For all $i \ne j \in \{1, \ldots, n\}$, $|t_i \cap t_j| \le \log(n)$.
It is an exercise to find an efficient construction of the sets $t_1, \ldots, t_n$ with these two properties. For all $s \in \{0,1\}^r$, for each $i \in \{1, \ldots, n\}$, define function $b_i(s) = \oplus_{j \in t_i} s_j$, i.e., $b_i(s)$ is the parity of the number of ones in the bits of $s$ indexed by $t_i$. Finally, let $g(s) = (b_1(s), \ldots, b_n(s))$. The following theorem is due to [35, Nisan], [36, Nisan and Wigderson].

Theorem: Let $q(n) = 2^{\log(n)^{c/2}} / n^3$.
For all $C \in \mathcal{C}^{n,d,S}$, the time-success ratio $S_C$ of $C$ for distinguishing $g$ satisfies $S_C \ge q(n)$.

This theorem shows how to derandomize any constant depth boolean circuit. Consider an alternate derandomization question where the circuit can be over any type of gates (i.e., not restricted to "and" and "or" gates). The techniques of [35, Nisan], [36, Nisan and Wigderson] do not apply to this problem even in the case when the depth is restricted to two, as one of the gates can be a "parity" gate, and the entire construction is based on lower bounds of boolean circuits for computing parity. [30, Luby, Veličković and Wigderson] provide the first subexponential simulation for circuits with parity gates. This paper shows how to $\epsilon$-approximate the accepting probability of any $GF[2]$ polynomial of size $n$ in deterministic time double exponential in $\sqrt{\log(n/\epsilon)}$. The technique is strongly based on the pseudorandom generator of [35, Nisan] used for AC0 circuits described previously. [30, Luby, Veličković and Wigderson] are able to apply this idea, and use the lower bounds on multiparty communication complexity of [7, Babai, Nisan and Szegedy].

6 Derandomizing General Circuits

In this section pseudorandom generators for polynomial size boolean circuits of unrestricted depth are considered. If, for each fixed polynomial $n^c$, there is an $\epsilon$-pseudorandom generator $g : \{0,1\}^{r(n)} \to \{0,1\}^n$ for $\mathcal{C}^{n,n^c,n^c}$, then for any $C \in \mathcal{C}^{n,n^c,n^c}$ one can $\epsilon$-approximate the probability that $C$ outputs 1 on a random input in deterministic time polynomial in $n$ times $2^{r(n)}$. Thus, if $r(n) = O(\log(n))$ then this is polynomial time overall. There is no proof in sight of this result at this point in time, and in fact it is easy to see that such a result is impossible if NP = P. On the other hand, as described below, it turns out that there is a pseudorandom generator for this class if there are strong enough one-way functions. Intuitively, a one-way function is easy to compute but hard to invert on average.
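As an added example (not code from [35] or [36]), the following Python builds the generator $g(s) = (b_1(s), \ldots, b_n(s))$ of Section 5 from an explicit family of sets with small pairwise intersections, and then uses it exactly as in Section 2, averaging $C(g(s))$ over every seed $s$, to estimate a circuit's acceptance probability. The set system (graphs of low-degree polynomials over $GF(q)$), the parameters and the test circuits are assumptions of the example; with that design any two output bits are independent, so circuits reading two bits are estimated exactly.

```python
# Added example (not the paper's code): the Nisan-Wigderson style generator of
# Section 5 on an explicit set system. Universe {0, ..., q^2 - 1} = GF(q) x GF(q),
# so r = q^2 seed bits; for each polynomial p of degree < d over GF(q) (q prime)
# the set t_p = {a*q + p(a) : a in GF(q)} has |t_p| = q, and two distinct such
# polynomials agree on at most d-1 points, so |t_p ∩ t_p'| <= d-1. This yields
# n = q^d output bits, each the parity of the seed bits its set indexes.
from itertools import combinations, product


def poly_eval(coeffs, a, q):
    """Evaluate sum_i coeffs[i] * a^i in GF(q), q prime."""
    return sum(c * pow(a, i, q) for i, c in enumerate(coeffs)) % q


def nw_design(q, d):
    """The n = q^d sets t_1, ..., t_n described above, one per coefficient vector."""
    return [frozenset(a * q + poly_eval(coeffs, a, q) for a in range(q))
            for coeffs in product(range(q), repeat=d)]


def design_ok(sets, size, max_overlap):
    """Check property (1), |t_i| = size, and property (2), |t_i ∩ t_j| <= max_overlap."""
    return (all(len(t) == size for t in sets) and
            all(len(s & t) <= max_overlap for s, t in combinations(sets, 2)))


def nw_generator(seed_bits, sets):
    """g(s) = (b_1(s), ..., b_n(s)), b_i(s) = parity of the seed bits indexed by t_i."""
    return [sum(seed_bits[k] for k in t) % 2 for t in sets]


def estimate_accept_prob(circuit, q, d):
    """Derandomization as in Section 2: average C(g(s)) over all 2^r seeds.
    `circuit` is any predicate on the n = q^d output bits (stands in for C)."""
    sets = nw_design(q, d)
    r = q * q
    hits = 0
    for seed in range(1 << r):
        bits = [(seed >> k) & 1 for k in range(r)]
        hits += 1 if circuit(nw_generator(bits, sets)) else 0
    return hits / (1 << r)


if __name__ == "__main__":
    sets = nw_design(5, 3)          # n = 125 output bits from r = 25 seed bits
    print("design ok:", design_ok(sets, 5, 2), "n =", len(sets))
    # Small instance (r = 9, n = 27) where all 512 seeds can be enumerated.
    print("Pr[y0 and y13] estimated as", estimate_accept_prob(lambda y: y[0] and y[13], 3, 3))
```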
Definition (one-way function): Let $f : \{0,1\}^n \to \{0,1\}^{\ell(n)}$ be a P-time function ensemble and let $\mathcal{C}$ be a circuit family. The success probability (inverting probability) of $C \in \mathcal{C}$ (with $\ell(n)$ input bits and $n$ output bits) for $f$ is $\delta = \Pr_X[f(C(f(X))) = f(X)]$, where $X \in_R \{0,1\}^n$. Then, $f$ is an $S(n)$-secure one-way function for $\mathcal{C}$ if the time-success ratio of $\mathcal{C}$ is at least $S(n)$.

The definition of a one-way permutation is exactly the same as the definition of a one-way function, except that $f : \{0,1\}^n \to \{0,1\}^n$ as a function of $x \in \{0,1\}^n$ is a permutation. [9, Blum and Micali] introduce the concept of a pseudorandom generator that is useful for cryptographic (and other) applications, and gave it the significance it has today by providing the first provable construction of a pseudorandom generator based on the conjectured difficulty of a well-known and well-studied computational problem, the discrete log problem.

Discrete log problem: Let $p \in \{0,1\}^n$ be a prime number and let $g$ be a generator of $\mathbb{Z}_p^*$, i.e., for all $y \in \mathbb{Z}_p^*$, there is a unique $x \in \mathbb{Z}_{p-1}$ such that $g^x = y \bmod p$. Given $p$, $g$ and $x \in \mathbb{Z}_{p-1}$, define $f(p,g,x) = (p, g, g^x \bmod p)$. It is possible to compute $g^x \bmod p$ given $p$, $g$ and $x$ in $n^{O(1)}$ time. The discrete log function is a permutation as a function of $x$, i.e., the unique inverse of $f(p,g,x)$ is $(p,g,x)$. The values of $p$ and $g$ are not necessarily chosen randomly. The prime $p$ is selected to have special properties which seem in practice to make the discrete log function hard to invert. An example of such a property is that $p$ is selected so that $p - 1$ has some fairly large prime divisors. For a large class of primes $p$ and generators $g$ there is no known P-time function ensemble that on input $p$, $g$ and $g^x \bmod p$ can produce $x$ on average for $x \in_R \mathbb{Z}_{p-1}$. The original construction of a pseudorandom generator based on the discrete log problem is quite complicated.
The following elegant theorem, due to [17, Goldreich and Levin], substantially simplifies all previously known constructions of pseudorandom generators based on one-way functions. The simplest known proof of this theorem is due to C. Rackoff, R. Venkatesan and L. Levin, inspired by [4, Alexi, Chor, Goldreich and Schnorr].

Definition (inner product bit is hidden): Let $f : \{0,1\}^n \to \{0,1\}^{\ell(n)}$ be a P-time function ensemble. Let $x \in \{0,1\}^n$ and $z \in \{0,1\}^n$. Then, the inner product bit of $f(x)$ is $x \odot z$. The success probability (prediction probability) of circuit $C \in \mathcal{C}$ (with $\ell(n) + n$ input bits and one output bit) for the inner product bit of $f$ is
$\delta = \Pr[C(f(X), Z) = X \odot Z] - \Pr[C(f(X), Z) \ne X \odot Z]$,
where $X, Z \in_R \{0,1\}^n$. Then, the inner product bit of $f$ is $S(n)$-secure for $\mathcal{C}$ if the time-success ratio is at least $S(n)$.

Hidden Bit Theorem: If $f$ is a one-way function then the inner product bit of $f$ is hidden. In particular, if there is a circuit family $\mathcal{C}$ with time-success ratio $S(n)$ for predicting the inner product bit then there is a circuit family $\mathcal{C}'$ with time-success ratio $S(n)^c$ for inverting $f$ for some constant $c > 0$.

From the Hidden Bit Theorem, it is not hard to show that if $f(x)$ is a one-way permutation for $\mathcal{C}$ then $g(x,z) = (f(x), z, x \odot z)$ is a pseudorandom generator for $\mathcal{C}$ that stretches by 1 bit. This simple construction of a pseudorandom generator was one of the motivating forces behind the work of [17, Goldreich and Levin]. One can construct a pseudorandom generator that stretches by an arbitrary polynomial amount based on any one-way permutation.

Theorem: Let $f : \{0,1\}^n \to \{0,1\}^n$ be a one-way permutation. Define P-time function ensemble $g : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^{\ell(n)}$ as
$g(x,z) = (z,\ x \odot z,\ f(x) \odot z,\ f^{(2)}(x) \odot z,\ \ldots,\ f^{(\ell(n)-n-1)}(x) \odot z)$,
where $f^{(i)}$ is the function $f$ composed with itself $i$ times. Then $g$ is a pseudorandom generator.
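As an added example (not code from the paper), the following Python instantiates the theorem's generator with the discrete-log permutation of Section 6. Assumptions of the example: the toy prime $p = 23$ and sample seed; and, to iterate $f$, its output in $\mathbb{Z}_p^* = \{1, \ldots, p-1\}$ is identified with $\mathbb{Z}_{p-1}$ by reduction mod $p - 1$ (so $p-1 \mapsto 0$), which keeps $f$ a permutation of $\mathbb{Z}_{p-1}$. Such small parameters demonstrate only the construction, not its security.

```python
# Added example (not the paper's code): g(x, z) = (z, x.z, f(x).z, f^(2)(x).z, ...)
# with f the discrete-log permutation f(x) = g^x mod p, outputs identified with
# Z_{p-1} by reducing mod p-1 (an assumption made here so that f can be iterated).
# The prime p = 23 is a toy value chosen for the example.


def prime_factors(m):
    """Distinct prime factors of m by trial division (m is tiny here)."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out


def find_generator(p):
    """Smallest g generating Z_p^*: g^((p-1)/r) != 1 mod p for every prime r dividing p-1."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // r, p) != 1 for r in prime_factors(p - 1)):
            return g
    raise ValueError("no generator found")


def dlog_permutation(p, g):
    """f : Z_{p-1} -> Z_{p-1}, x -> (g^x mod p) mod (p-1). Inverting it is the discrete log."""
    return lambda x: pow(g, x, p) % (p - 1)


def inner_product_bit(x, z):
    """x . z = parity of the bitwise AND of the two n-bit strings (the hidden bit)."""
    return bin(x & z).count("1") % 2


def stretch(f, x, z, n, out_len):
    """g(x, z): the n bits of z followed by out_len - n hidden bits
    x.z, f(x).z, f^(2)(x).z, ..., f^(out_len-n-1)(x).z."""
    bits = [(z >> (n - 1 - i)) & 1 for i in range(n)]   # z, most significant bit first
    cur = x
    for _ in range(out_len - n):
        bits.append(inner_product_bit(cur, z))
        cur = f(cur)                                    # next iterate of the permutation
    return bits


def is_permutation(f, m):
    """Sanity check that f is a bijection on {0, ..., m-1}."""
    return sorted(f(x) for x in range(m)) == list(range(m))


if __name__ == "__main__":
    p = 23                       # toy prime; Z_{p-1} = Z_22 fits in n = 5 bits
    g = find_generator(p)
    f = dlog_permutation(p, g)
    print("generator", g, "| f is a permutation:", is_permutation(f, p - 1))
    print("g(3, 10101) with 3 hidden bits:", stretch(f, x=3, z=0b10101, n=5, out_len=8))
```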
Note that since the discrete log is a permutation as a function of $x$ for a fixed value of $p$ and $g$, the construction described in this theorem can be immediately applied to yield an extremely simple pseudorandom generator based on the discrete log. This theorem is a combination of a theorem due to [16, Goldreich, Goldwasser and Micali] and the Hidden Bit Theorem of [17, Goldreich, Levin]. There is a generalization of this work that shows a more complicated reduction from an arbitrary one-way function (e.g., a function that is far from being a permutation) to a pseudorandom generator, due to [19, Hastad, Impagliazzo, Levin and Luby]. For a more complete history and description, see [26, Luby].

References

[1] L. Adleman, "Two Theorems on Random Polynomial Time", FOCS, 1978, pp. 75-83.
[2] M. Ajtai, "$\Sigma^1_1$-formulae on Finite Structures", Annals of Pure and Applied Logic, Vol. 24, 1983, pp. 1-48.
[3] M. Ajtai and A. Wigderson, "Deterministic Simulation of Probabilistic Constant Depth Circuits", FOCS, 1985, pp. 11-19.
[4] W. Alexi, B. Chor, O. Goldreich, C. Schnorr, "RSA/Rabin Functions: Certain Parts are as Hard as the Whole", SIAM J. on Computing, Vol. 17, No. 2, April 1988, pp. 194-209.
[5] N. Alon, L. Babai, A. Itai, "A Fast and Simple Randomized Parallel Algorithm for the Maximal Independent Set Problem", Journal of Algorithms, Vol. 7, 1986, pp. 567-583.
[6] N. Alon, O. Goldreich, J. Hastad, R. Peralta, "Simple constructions of almost k-wise independent random variables", Random Structures and Algorithms, 1992, Vol. 3, No. 3, pp. 289-304. (See also addendum in Random Structures and Algorithms, 1993, Vol. 4, No. 1, pp. 119-120.)
[7] L. Babai, N. Nisan, and M. Szegedy, "Multiparty protocols and logspace-hard pseudorandom sequences", preliminary version in STOC, 1989, pp. 1-11, journal version in JCSS, Vol. 45, No. 2, October 1992, pp. 204-232.
[8] B. Berger, J. Rompel, "Simulating $(\log^c n)$-wise Independence in NC", Proceedings of FOCS, 1989, pp. 1-7.
[9] M. Blum and S. Micali, "How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits", SIAM J. on Computing, Vol. 13, 1984, pp. 850-864. A preliminary version appears in FOCS, 1982, pp. 112-117.
[10] R. Boppana and R. Hirschfeld, "Pseudo-random generators and complexity classes", Advances in Computer Research, Vol. 5, 1989, editor S. Micali, JAI Press, pp. 1-26.
[11] J. Boyar, "Inferring Sequences Produced by Pseudo-Random Number Generators", J. of the ACM, Vol. 36, No. 1, 1989, pp. 129-141.
[12] J. Cai, "With probability one, a random oracle separates PSPACE from the polynomial-time hierarchy", J. of Computer and System Sci., Vol. 38, 1989, pp. 68-85. A preliminary version appears in STOC, 1986, pp. 21-29.
[13] B. Chor, O. Goldreich, "On the power of two-point sampling", Journal of Complexity, Vol. 5, 1989, pp. 96-106.
[14] P. Erdős and R. Rado, "Intersection theorems for systems of sets", Journal of the London Math. Society, Vol. 35, pp. 85-90.
[15] M. Furst, J. Saxe, M. Sipser, "Parity, Circuits and the Polynomial Time Hierarchy", FOCS, 1981, pp. 260-270.
[16] O. Goldreich, S. Goldwasser, S. Micali, "How to Construct Random Functions", J. of ACM, Vol. 33, No. 4, 1986, pp. 792-807. A preliminary version appears in FOCS, 1984.
[17] O. Goldreich, L. Levin, "A Hard-Core Predicate for any One-way Function", STOC, 1989, pp. 25-32.
[18] S. Goldwasser and S. Micali, "Probabilistic Encryption", J. of Computer and System Sci., Vol. 28, 1984, pp. 270-299. A preliminary version appears in STOC, 1982, pp. 365-377.
[19] R. Impagliazzo, L. Levin, J. Hastad, M. Luby, "A Pseudorandom generator from any one-way function", 21st STOC, 1989, and submitted to SIAM J. on Computing.
[20] J. Hastad, "Computational limitations for small depth circuits", Ph.D. thesis, MIT Press, 1986.
[21] D. Karger and R. Motwani, "Derandomization through Approximation: An NC Algorithm for Minimum Cuts", STOC, 1994, pp. 497-506.
[22] H. Karloff, P. Raghavan, "Randomized Algorithms and Pseudorandom Numbers", Journal of the ACM, 1993, Vol. 40, pp. 421-453.
[23] D. Knuth, Semi-Numerical Algorithms, The Art of Computer Programming, Addison-Wesley, Second Edition, Vol. 2, 1981.
[24] A. N. Kolmogorov, "Three Approaches to the Concept of the Amount of Information", Probl. Inf. Transm., Vol. 1, No. 1, 1955.
[25] H. Krawczyk, "How to Predict Congruential Generators", J. of Algorithms, Vol. 13, 1992, pp. 527-545.
[26] M. Luby, Pseudorandomness and Cryptographic Applications, Princeton Computer Science Notes, David R. Hanson and Robert E. Tarjan, Editors, Princeton University Press, January 1996.
[27] M. Luby, "A Simple Parallel Algorithm for the Maximal Independent Set Problem", SIAM J. on Computing, Vol. 15, No. 4, November 1986, pp. 1036-1053.
[28] M. Luby, "Removing Randomness in Parallel Computation Without a Processor Penalty", J. of Computer and System Sciences, Vol. 47, No. 2, 1993, pp. 250-286.
[29] M. Luby, B. Veličković, "On Deterministic Approximation of DNF", to appear in a special issue of Algorithmica devoted to randomized algorithms.
[30] M. Luby, B. Veličković, and A. Wigderson, "Deterministic Approximate Counting of Depth-2 Circuits", appears in the Proceedings of the Second Israeli Symposium on Theory of Computing and Systems, 1993.
[31] M. Luby and A. Wigderson, "Pairwise Independence and Derandomization", ICSI Tech Report No. TR-95-035, July, 1995.
[32] R. Motwani, J. Naor, M. Naor, "The Probabilistic Method Yields Parallel Deterministic Algorithms", J. of Computer and System Sciences, 1994, Vol. 49, pp. 478-516.
[33] K. Mulmuley, "Pseudo-random Generators in Geometric Algorithms", to appear in a special issue of Algorithmica devoted to randomized algorithms.
[34] M. Naor and S. Naor, "Small Bias Probability Spaces: Efficient Constructions and Applications", STOC, 1990, pp. 213-223.
[35] N. Nisan, "Pseudorandom bits for constant depth circuits", Combinatorica, Vol. 1, 1991, pp. 63-70.
[36] N. Nisan and A. Wigderson, "Hardness vs. Randomness", JCSS, Vol. 49, No. 2, 1994, pp. 149-167.
[37] A. Razborov, "Lower bounds on the monotone complexity of some Boolean functions", Doklady Akademii Nauk SSSR 281:4, 1985, pp. 798-801 (in Russian). English translation in Soviet Mathematics Doklady 31, 354-357.
[38] A. Shamir, "On the generation of cryptographically strong pseudo-random sequences", ACM Transactions on Computer Systems, Vol. 1, No. 1, 1983, pp. 38-44. A preliminary version appears in the 8th ICALP and appears in Lecture Notes on Computer Science, 1981, Springer Verlag, pp. 544-550.
[39] L. Valiant, "The complexity of computing the permanent", Theoretical Computer Science, 1979, No. 8, pp. 189-201.
[40] M. Wegman, J. Carter, "New hash functions and their use in authentication and set equality", Journal of Computer and System Sciences, Vol. 22, No. 3, 1981, pp. 265-279.
[41] A. Yao, "Theory and Applications of Trapdoor Functions", FOCS, 1982, pp. 80-91.
[42] A. Yao, "Separating the Polynomial-Time Hierarchy by Oracles", FOCS, 1985, pp. 1-10.
This note was uploaded on 10/23/2011 for the course CS 7520 taught by Professor Staff during the Spring '08 term at Georgia Tech.