Lectures on 8 and 13 July 1998
April 26, 1998
Cherno Bound.
Let y 2 f0; 1gm. Pick m times independently with uniform probability,
xi 2 f0; 1g for i 2 f1 : : :mg.
(
yi
Dene the random variable zi = ,11 ifif xxi =
=
6
i yi
P
m
Let Zm be the random variable Zm = i=1 zi .
Pm z ) =
Z
is
a
sum
of
m
independent
random
variables,
then
E
(
Z
)
=
E
(
m
m
i=1 i
Pm E (z ) = Pm 0 = 0.
i=1
i
i=1
Theorem 1 Prob(j Zm j b)<
2
b2
e 2m
) for any b > 0. 2
Theorem 2 BPP NPNP
Proof.
We use NPNP = p2 and the following characterization of the Polynomial
Time Hierarchy by Alternating Turning Machines: pk = Apk (pk = Apk ).
The crux of the proof is an Ap2 algorithm which simulates a given
probabilistic polynomial time algorithm. The crux for the correctness of
the Ap2 algorithm is the existence of a k-pseudorandom generator g . And
the existence of a 2m -hard function (cf. homework) f (g is dened using
f ) is the crux for g being a k-pseudorandom generator. (i.e., if g is not a
k-pseudorandom generator f will not be 2m -hard)
Roughly speaking, picking up an element at random is choosing without
any help from the structure of the set of elements. And a hard function is
one \without structure", the best we can do, almost, is answer at random.
It is intuitive then to try to build a random sequence from a hard function.
Consider a behaviourist denition of structure and randomness if we are in
a resource bounded realm.
1
A pseudorandom generator is, intuitively, a way to expand a random
seed into a sequence \random enough" for a bounded time algorithm. To
our purpose, we do an ad hoc denition of a pseudorandom generator.
Denition 1 (r-Pseudorandom Generator) Let Dk be a probability distribution on k and let Rk the uniform probability distribution on k , i.e.,
Rk (x) = 2,k for all x 2 k .
Let G be a function G : f0; 1gc log n ! f0; 1gnk for any integer c; k; n 1.
Let DG the probability distribution on nk induced by G(x) when x is
chosen at random from Rc log n .
G is a r-pseudorandom generator i for any family of circuits fCng of
size bounded by n2r and any X 2 n ,
j ProbY (C (X; Y ) = 1) , ProbZ (C (X; G(Z )) = 1) j 1=2 , 1=nr
for all suciently large n. Y and Z are chosen from Rnk and Rc log n respectively. 2
Let A 2 BPP and let M be a probabilistic polynomial time algorithm
that decides A in BPP. Without loss of generality let nk be the running
time of M and 1=2n the error bound of M where n is the input size. Let M 0
be the \deterministic version" of M where the coin ips results are given as
a second input of length nk .
We give an Ap2 algorithm MAp2 for A:
input (x);
for some integer a > 0, integer b > a, real > 0;
comment: a will be xed at the end of the proof. b depends on a.
is such that there is a 2m -hard function.
dene constant n =j x j, m = a log n;
dene variable
f : f0; 1ga log n ! f0; 1g;
g : f0; 1gb log n ! f0; 1gnk ;
dene algorithm M 0 dened in the statement above;
begin
branch-9 and then guess(f );
branch-8 and then check that f is 2m-hard;
2
comment: Note that each branch will be associated with a possible circuit
and will compute that circuit for all values of length m to decide if
the circuit approximates the function.
comment: Note that from this point on the algorithm is in P .
Use f to build a k-pseudorandom generator g ;
Run M 0(x; g (y )) for all y 2 f0; 1gb log n ;
accept i at least half of the computations M 0(x; g(y)) accept.
comment: Note that the probability of M being right can dier from 1 by
no more than on exponentially small amount and a k-pseudorandom
generator varies this probability no more than 1=2 , 1=nk , thus, for
large enough n the rate of acceptance of M 0 can not go across 1/2.
i.e., if Prob(M accepts) is almost 1 (0) then Prob(M 0 accepts) will
be over (under) 1=2.
end.
Let C 0 be the circuit that simulate the Turing Machine M 0 . Remember
that DTIME(nk ) SIZE(n2k ).
Proof of correctness of the algorithm.
Since g is a k-pseudorandom generator, by denition, for all X 2 n the
following holds
j ProbY (C 0(X; Y ) = 1) , ProbZ (C 0(X; g(Z )) = 1) j 1=2 , 1=nk
for all suciently large n. Y and Z are chosen from Rnk and Rb log n respectively.
And since M decides A in BPP ,
X 2 A ) ProbY (C 0(X; Y ) = 1) 1 , 1=2n
X 62 A ) ProbY (C 0(X; Y ) = 1) 1=2n
Then, (assume that if X 2 A [X 62 A] then ProbY (C 0(X; Y ) = 1) >
ProbZ (C 0(X; g (Z )) = 1) [ProbY (C 0(X; Y ) = 1) < ProbZ (C 0(X; g (Z )]. Note
that is only necessary to prove this case)
X 2 A ) ProbZ (C 0(X; g(Z )) = 1) 1 , 1=2n , 1=2 + 1=nk = 1=2 , 1=2n + 1=nk
> 1=2 for suciently large n
X 62 A ) ProbZ (C 0(X; g (Z )) = 1) 1=2n + 1=2 , 1=nk = 1=2 + 1=2n , 1=nk
< 1=2 for suciently large n 2
3
Proof that g is a k-pseudorandom generator.
Fact 1 Let n; k; a and b denote the same values as in the algorithm MAp .
There exists a polynomial time algorithm with input 1n that outputs a
matrix N of nK rows and b log n columns. Furthermore, each row has a log n
1's and for any two rows i and j, if we let Ci = fcolumns with value 1 in row number ig,
then j Ci \ Cj j log n. 2
2
We will prove it in the next lecture.
Algorithm to compute g :
input (y);
dene n; k; a; b; matrix A dened in Fact 1;
fit holds: j y j= b log ng
dene set C1:::nk dened in Fact 1;
dene function f dened in algorithm MAp ;
2
begin
for i = 1 to nk ;
fgoal: compute the ith bit of g (y )g
end.
Get Ci;
Let projection(y; Ci) be the subsequence in y obtained picking
the bits of y corresponding to elements in Ci ;
fit holds: jprojection(y; Ci)j= a log ng
add to output f (projection(y; Ci));
We know that f is 2m -hard.
Claim 1 If f is 2m-hard then g is a k-pseudorandom generator.
Notice that m; k and g are the values dened in the algorithm MAp2 .
We prove it by contradiction. Suppose that g is not a k-pseudorandom
generator. Then it holds that exists a family of circuits fDn g, where SIZE(Dn )
n2k , and a X 2 n ,
j ProbY (D(X; Y ) = 1) , ProbZ (D(X; g(Z )) = 1) j > 1=2 , 1=nk (1)
for innitely many n. Y and Z are chosen from Rnk and Rb log n respectively.
4
We introduce some notation. If s is a string of length k, let si denote
the ith bit of s and let s[i:::j ] denote the bits from i through j of s, where
1 i j k.
Let pi denote ProbV;W (D(X; g (V )[1:::i] ; W ) = 1) where W and V are
chosen from Rnk ,i and Rb log n respectively.
Note that p0 = ProbY (D(X; Y ) = 1) and pnk = ProbZ (D(X; g (Z )) = 1).
We rewrite the equation (1) as j p0 , pnk j> 1=2 , 1=nk .
As we \go" from p0 to pnk in nk steps there exist one step i such that
j pi , pi+1 j> (1=2 , 1=nk )=nk > 1=nd
for some d0.
j pi , pi+1 j is the average over all possible choices of Z and Y . We
can x some election of any set of bits and then j pi , pi+1 j is the average
over all possible
ways of complete Z and Y . Therefore exists some string
Y 0 2 nk ,i,1 and some string Z 0 2 b log n,a log n such that j pi , pi+1 j>
1=2 , 1=nd where j pi , pi+1 j is the average over the probabilities obtained
by choosing at random the a log n bits, let's name that Z 00 , in Ci+1 (remind
that we dened Ci from the matrix A) that complete Z and one bit, Y 00, to
complete Y .
Let D0 be the circuit so that
D0(Z 00; Y 00) = D(X; g(Z )1; g(Z )2 : : :g (Z )i; Y 00; Y10 ; Y20 : : :Yn0k ,i,1 )
Note that Z is a mixture of Z 0 and Z 00 and Y the concatenation of Y 00 and
Y 0. Note also that X; Z 0 and Y 0 are xed.
Later we also x Y 00 but for now let it random.
So, rst our circuit has to compute the rst i components of g (Z ). It
means i circuits for the f function where the input size is at most log n
(remember that j Ci \ Cj j log n). Calculating its CNF entails a size
bounded by i2n log n. Then, we already have all the inputs available to
compute D0. We know that the size of D is bounded by n2k .
Therefore the circuit D0 has size bounded by i2n log n + n2k for inputs
of size a log n.
Take in account that we consider Y 00 taking values at random.
Let D00 the circuit which compute the following function:
( 00
0(Z 00 ; Y 00) = 1
00
00
00
D (Z ; Y ) = Ynot Y 00 ifif D
D0(Z 00 ; Y 00) = 0
0
0
5
D00 has size bounded by size(D0) + t, for some little constant t. That
equals i2n log n + n2k + t:
Let's see how well D00 computes f . Since Y 00 is chosen at random, it is
equally likely to be f (Z 00 ) as not to be. The probability that D00 computes
f is one-half the probability that a correct Y 00 is maintained plus one-half
the probability that a wrong Y 00 is changed.
Let
q = ProbZ ;Y (D(X; g(Z )1; g (Z )2 : : :g (Z )i; g (Z )i+1; Y10; Y20 : : :Yn0k ,i,1) = 1)
00
00
Notice that pi = (pi+1 + q )=2.
Let's say that D00 is correct for an input whenever D00 computes f for
that input. Then
Prob(D00 is correct) = 12 pi+1 + 12 (1 , q )
= 12 (pi+1 + (1 , (2pi , pi+1 ))
= 12 + pi+1 , pi
> 12 + n1d
0
Again for Y 00 xed we have a new probability and at least one of these
two probabilities has to be as high as the average. Therefore we x Y 00 to
this value.
Let D000 be the circuit D00 where the input Y 00 is xed to this value.
So far, under the assumption that g is not a pseudorandom generator
we have a circuit D000 with a log n inputs (we will x a later and n is one of
the innitely many n that make the equation (1) hold) such that
SIZE(D000) 2in log n + n2k + t
Prob(D000(x) = f (x)) > 21 + n1d
0
We show now that f is not 2m -hard to obtain the contradiction required.
We see that exists an input length, l, and a circuit T for that input length
such that
SIZE(T ) 2l
Prob(T (x) = f (x)) > 21 + 212l
6
We claim that l = a log n and T = D000 prove that f is not 2m -hard:
SIZE(D000) 2in log n + n2k + t
2m = 2a log n = na for all suciently large a
Prob(D000(x) = f (x)) > 12 + n1d
12 + 2 2a1 log n = 12 + 2n1a for all suciently large a
Fix then a as required and get the contradiction required. 2
0
7