
Derandomization &
Cryptography
Boaz Barak, Weizmann
Shien Jin Ong, MIT
Salil Vadhan, Harvard
Question
Suppose the sequence 666 appears in the digits of π both in the 100th place and in the 1000000th place.
Suppose an archeologist finds a mathematical proof by Archimedes that 666 appears in π.
Is it possible to recover the place in π Archimedes knew about?
Our Results
Under reasonable assumptions we obtain:
Non-interactive witness-indistinguishable (WI) proof system for NP (in the plain model)
First non-interactive proof with secrecy property
Non-interactive Commitment Scheme
Under incomparable assumptions to [BM]
Our Assumptions
Assumption A: ∃ L s.t.
  L ∈ Dtime(2^{cn}) for some c
  L ∉ Ntime(2^{εn})/2^{εn} for some ε>0
(A natural strengthening of EXP ⊄ NP.)
Thm 1: Assumption A + TDP ⇒ non-interactive WI
Thm 2: Assumption A + OWF ⇒ non-interactive commit.
In paper: prove Thm 2 under weaker, uniform, assumption. (Uses [GST03])
Derandomization: a brief overview*
A paradigm that attempts to transform:
Probabilistic algorithms ⇒ deterministic algorithms. (P ⊆ BPP ⊆ EXP ⊆ NEXP).
Probabilistic protocols ⇒ deterministic protocols. (NP ⊆ AM ⊆ EXP ⊆ NEXP).
We don't know how to separate BPP and NEXP.
Can derandomize BPP and AM under natural complexity theoretic assumptions.
* Thanks to Ronen Shaltiel for these slides
Hardness versus Randomness
Initiated by [BM,Yao,Shamir].
Assumption: hard functions exist.
Conclusion: Derandomization.
A lot of works: [BM82,Y82,HILL,NW88,BFNW93,
I95,IW97,IW98,KvM99,STV99,ISW99,MV99,
ISW00,SU01,U02,TV02,GST03]
Hardness versus Randomness
Assumption: hard functions exist.
Exists pseudo-random generator
Conclusion: Derandomization.
Pseudo-random generators
A pseudo-random generator (PRG) is an algorithm that stretches a short string of truly random bits into a long string of pseudo-random bits.
[Figure: seed → PRG → pseudo-random bits]
Pseudo-random bits are indistinguishable from truly random bits for feasible algorithms.
Consider also generators with O(log n) length seed.
Pseudo-random generators with O(log n) length seed.
Polynomial-sized algorithm can identify pseudo-random strings as follows: Given a long string, enumerate all seeds and check that PRG(seed) = long string.
Can distinguish between random strings and pseudo-random strings.
Assuming distinguisher can enumerate all seeds.
The Nisan-Wigderson setup: distinguisher can not enumerate all seeds.
Example: Seed length = 5 log n and generator fools circuits of size n^3. PRG can also run in time n^5.
Sufficient for derandomization!!
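The two sides of seed enumeration, as an added worked example that is not part of these slides: a distinguisher that can afford 2^k generator evaluations recognises every output (and a nondeterministic circuit gets the same effect by guessing the seed), yet the same 2^k enumeration is precisely how a BPP algorithm is derandomized. The generator here is a SHA-256 stand-in with the right interface only (no proven Nisan-Wigderson hardness behind it), the matrices are constructed input, and the randomized algorithm being derandomized is Freivalds' product check, chosen because it consumes exactly M coins and has one-sided error; all of these are assumptions of the example.

```python
"""Enumerating O(log n) seeds: breaks the generator for anyone who can
afford 2**K evaluations, and is exactly what derandomization does."""
import hashlib

K = 6    # seed length: 2**K = 64 seeds, polynomial in the input size
M = 16   # output length = number of coins the randomized algorithm uses


def toy_prg(seed: int) -> int:
    # Stand-in generator (assumption: a SHA-256 prefix), NOT a proven
    # Nisan-Wigderson PRG; only the k -> M stretching interface matters.
    assert 0 <= seed < 1 << K
    h = hashlib.sha256(b"toy-prg" + bytes([seed])).digest()
    return int.from_bytes(h[:2], "big")   # M = 16 bits


def all_outputs() -> list:
    """The whole image of the generator: only 2**K strings out of 2**M."""
    return [toy_prg(s) for s in range(1 << K)]


def enumerating_distinguisher(x: int) -> bool:
    """Accept x iff PRG(seed) == x for some seed.  Costs 2**K evaluations;
    a nondeterministic circuit achieves the same by guessing the seed."""
    return any(toy_prg(s) == x for s in range(1 << K))


def distinguishing_advantage() -> float:
    """Pr[D accepts a PRG output] - Pr[D accepts a uniform M-bit string]."""
    return 1.0 - len(set(all_outputs())) / (1 << M)


# Randomized algorithm to derandomize: Freivalds' check of A*B == C over the
# integers with an M-dimensional 0/1 vector r.  A single run never rejects a
# correct product and catches a wrong one with probability >= 1/2.
def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) for row in A]


def freivalds(A, B, C, coins: int) -> bool:
    r = [(coins >> j) & 1 for j in range(M)]
    return matvec(A, matvec(B, r)) == matvec(C, r)


def derandomized_freivalds(A, B, C) -> bool:
    """Run the algorithm on every generator output instead of on random
    coins: time 2**K * (one run).  Accept iff every run accepts (the
    algorithm has perfect completeness, so one rejection is conclusive)."""
    return all(freivalds(A, B, C, coins) for coins in all_outputs())


def sample_instance():
    # Constructed input: 16x16 matrices; C_bad = A*B minus the all-ones
    # matrix, so (A*B - C_bad) r = (sum r) * (1,...,1) and every nonzero r
    # exposes the error.
    A = [[(i * j + 1) % 7 for j in range(M)] for i in range(M)]
    B = [[(i + 2 * j) % 5 for j in range(M)] for i in range(M)]
    C = [[sum(A[i][k] * B[k][j] for k in range(M)) for j in range(M)]
         for i in range(M)]
    C_bad = [[c - 1 for c in row] for row in C]
    return A, B, C, C_bad


if __name__ == "__main__":
    A, B, C, C_bad = sample_instance()
    print("advantage of the enumerating distinguisher:", distinguishing_advantage())
    print("derandomized check, correct product:", derandomized_freivalds(A, B, C))
    print("derandomized check, wrong product:  ", derandomized_freivalds(A, B, C_bad))
```

The numbers make the slide's point concrete: the distinguisher's advantage is at least 1 − 2^K/2^M because the image has at most 64 of 65536 strings, so a generator with logarithmic seed is useless against an adversary who can enumerate; but an algorithm whose running time is smaller than 2^K cannot enumerate, and a deterministic simulator that can is exactly what BPP = P needs.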
State of the art in this direction
Thm [NW88,…,IW97]: If ∃ L s.t.
  L ∈ Dtime(2^{cn}) for some c
  L ∉ Size(2^{εn}) for some ε>0
Then BPP = P.

Arthur-Merlin Games [BM]
Completeness: If the statement is true then Arthur accepts.
Soundness: If the statement is false then Pr[Arthur accepts] < ½.
[Figure: Merlin claims "x ∈ L"; Arthur tosses coins and sends a message; Merlin sends a message; Arthur: "I accept".]
The class AM: All languages L which
have an Arthur-Merlin protocol.
Contains many interesting problems not
known to be in NP. (e.g. graph nonisomorphism)
The big question:
Does AM=NP?
In other words: Can every Arthur-Merlin
protocol be replaced with one in which
Arthur is deterministic?
Note that such a protocol is an NP proof.
Pseudo-random generators for nondeterministic circuits
Nondeterministic algorithm can identify pseudo-random strings as follows: Given a long string, guess a short seed and check that PRG(seed) = long string.
Assuming the circuit can run the PRG!!
In NW setup circuit cannot run the PRG!!
For example: The PRG runs in time n^5 and fools (nondeterministic) circuits of size n^3.
State of the art in this direction
Thm [AK,MV,KvM,SU]: If ∃ L s.t.
  L ∈ Dtime(2^{cn}) for some c
  L ∉ Nsize(2^{εn}) for some ε>0
(i.e., if Assumption A holds)
Then AM = NP.
PRG's for nondeterministic circuits derandomize AM
We can model the AM protocol as a nondeterministic circuit which gets the random coins as input.
We can use pseudo-random bits instead of truly random bits.
[Figure: the claim "x ∈ L" and Arthur's input are hardwired into the circuit; Arthur's random input becomes the circuit's input and is then replaced by pseudo-random input; Merlin's messages become nondeterministic guesses; the circuit outputs "I accept".]
PRG's for nondeterministic circuits derandomize AM
We have AM protocol w/ deterministic (not probabilistic) Arthur:
He sends all pseudo-random strings and Merlin replies on each one.
Protocol is sound: otherwise we have a nondeterministic distinguisher.
[Figure: Merlin claims "x ∈ L"; Arthur sends all pseudo-random inputs; Merlin's replies are nondeterministic guesses; Arthur: "I accept".]
Our main observation: If original protocol was WI then new "protocol" is also WI!
Proof of Thm 1:
Thm [DN]: ∃ TDP ⇒ ∃ AM protocol that is WI for NP
Combining this w/ [SU] and observation we get Thm 1:
TDP + Assumption A ⇒ ∃ Non-interactive WI for NP
Proving Thm 2
Use same technique to derandomize
Naor’s commitment scheme (which is
also of “AM” type).
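Naor's commitment is the smallest "AM-type" protocol (the receiver plays Arthur and sends a random string r, the sender plays Merlin and replies), so it serves as an added worked example of both the derandomized-Arthur construction above and its use for Thm 2. This is example code written for this page, not the authors' construction or proof, and it uses toy parameters (n = 6-bit seeds, 3n = 18-bit strings) so that everything can be enumerated. Both generators, the sender's G and the stand-in for the Nisan-Wigderson-type generator nw whose outputs replace the receiver's message, are SHA-256 prefixes with no proven pseudorandomness; those stand-ins, the tag names and the "accept iff every component opens" rule are assumptions of the example.

```python
"""Derandomizing Naor's bit commitment by enumerating generator seeds."""
import hashlib
import secrets

N = 6                    # seed length n of the sender's generator G
OUT = 3 * N              # G stretches n bits to 3n bits
MASK = (1 << OUT) - 1


def _stretch(tag: bytes, seed: int) -> int:
    # Assumption: SHA-256 prefix as a stand-in for a real generator.
    digest = hashlib.sha256(tag + seed.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:3], "big") & MASK


def G(s: int) -> int:
    """Sender's generator G: {0,1}^n -> {0,1}^{3n} (Naor: any PRG)."""
    return _stretch(b"naor-prg", s)


def nw(seed: int) -> int:
    """Stand-in for the generator fooling nondeterministic circuits, whose
    outputs replace the receiver's random first message."""
    return _stretch(b"nw-generator", seed)


# --- Interactive Naor commitment: receiver sends r, sender answers ---------
def naor_commit(b: int, r: int, s: int) -> int:
    return G(s) ^ (r if b else 0)


def naor_verify(c: int, r: int, b: int, s: int) -> bool:
    return naor_commit(b, r, s) == c


# --- Derandomized version: "Arthur sends all pseudo-random strings" --------
R_LIST = [nw(seed) for seed in range(1 << N)]   # every first message at once


def commit(b: int, seeds=None):
    """Commit to bit b under every r_i ("Merlin replies on each one").
    Returns (commitment, opening); fresh seeds unless given explicitly."""
    if seeds is None:
        seeds = [secrets.randbelow(1 << N) for _ in R_LIST]
    c = [naor_commit(b, r, s) for r, s in zip(R_LIST, seeds)]
    return c, list(seeds)


def verify(c, b: int, seeds) -> bool:
    """Accept iff every component opens to the same bit b."""
    return len(c) == len(R_LIST) and all(
        naor_verify(ci, r, b, s) for ci, r, s in zip(c, R_LIST, seeds))


# --- Binding, and why its failure is a *nondeterministic* distinguisher ----
def equivocation_witnesses() -> dict:
    """Map each r on which one component can be opened both ways to a witness
    (s, s') with G(s) ^ G(s') == r.  At most 2**(2n) of the 2**(3n) strings
    have such a witness, and checking one is an NP computation."""
    img = {s: G(s) for s in range(1 << N)}
    return {img[s] ^ img[t]: (s, t) for s in img for t in img}


def binding_holds() -> bool:
    """A cheating sender must equivocate every component, i.e. every r_i
    must have a witness.  If a generator's outputs all landed in that NP
    set, guessing the witness would distinguish them from random strings."""
    bad = equivocation_witnesses()
    return not all(r in bad for r in R_LIST)


if __name__ == "__main__":
    c, opening = commit(1)
    print("opens to 1:", verify(c, 1, opening), " opens to 0:", verify(c, 0, opening))
    print("binding holds for this r-list:", binding_holds())
```

The structure is exactly the slide's: the interactive protocol is run once per pseudo-random first message, the verifier accepts only if all runs accept, hiding is inherited component by component from G, and binding fails only if every r_i lies in the NP set of equivocable strings, which a generator that fools nondeterministic circuits cannot allow.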
That’s it…