\documentclass{article} \usepackage{amsmath,amssymb} \input{preamble.tex} \newcommand{\BPP}{{\bf BPP}} \renewcommand{\P}{{\bf P}} \newcommand{\NP}{{\bf NP}} \newcommand{\EXP}{{\bf EXP}} \begin{document} \lecture{15/16}{April 6/8 1999}{Daniel A. Spielman} {Matthias Ruhl and Rudi Seitz} \section*{Derandomizing BPP} In the previous lectures we saw how to derandomize randomized logspace computations. Here we want to do the same thing for the class \BPP. This time, we will need to base our result on some complexity theoretic assumptions instead of proving it from first principles. The first results on derandomizing \BPP\ relied on cryptographic assumptions, such as the hardness of RSA, which are usually stronger than $\P \neq \NP$. In this lecture we will present a result of Nisan and Wigderson, which uses a much weaker and more `reasonable' assumption. This result serves as the foundation for most of the subsequent work on derandomizing BPP. We begin by stating Nisan and Wigderson's main result: \begin{theorem}[Nisan, Wigderson] If there exists a function $f \in \EXP$ that cannot be approximated by polynomial size circuits, then $$ \BPP \subseteq \bigcap_{\varepsilon > 0} \text{TIME}(2^{n^\varepsilon}). \quad \square $$ \end{theorem} \noindent We used the following definition in stating the theorem: \begin{definition}[Non-approximability by circuits] We say a function $f$ {\em cannot be approximated by polynomial size circuits}, if for all polynomials $p(n)$, and all sequences of circuits $\{ C_n \}_{n=1}^\infty$ such that $|C_n| = p(n)$, the following holds: $$ \exists k >2 \ \text{s.t.}\ \forall\ \text{sufficiently large}\ n\ :\ \left| \Pr_{x \in \{ 0,1 \}^n}\left[C_n(x) = f(x)\right] - \frac{1}{2}\right| < n^{-k} \quad \square $$ \end{definition} \subsection*{ } In this lecture we will show a slightly weaker result than Nisan and Wigderson's main theorem. We will employ the following definition: \begin{definition}[Hardness] A function $f : \Sigma^* \to \{ 0,1 \}$ has hardness $h$ (where $h : \mathbb{N} \to \mathbb{N}$) if for all $n$, and for all circuits $C$ of size $h(n)$: $$ \left| \Pr_{x \in \{ 0,1 \}^n}\left[ C(x) = f(x) \right] - \frac{1}{2} \right| \leq \frac{1}{h(n)} \quad \square $$ \end{definition} \begin{theorem} If there exists a function $f \in \EXP$ with hardness $n^{\log n}$, then $$ \BPP \subseteq \bigcap_{\varepsilon > 0} \text{TIME}(2^{n^\varepsilon}). \quad \square $$ \end{theorem} \subsection*{Proof of Theorem} Let $f \in \EXP$ have hardness $n^{\log n}$. Fix $\varepsilon > 0$. We will show that $\BPP \in \text{TIME}(2^{O(n^{c\varepsilon})})$, where $2^{n^c}$ is the time complexity of $f$. To do this, we will construct a pseudorandom number generator $G$ that outputs some desired polynomial number of pseudorandom bits given only $n^\varepsilon$ truly random bits as input. To derandomize a \BPP algorithm we will simply run the algorithm on all possible outputs of the generator for seed length $n^\varepsilon$, and take the majority vote. So let $A$ be some fixed \BPP\ algorithm, which uses $p(n)$ random bits during its execution. To construct $G$, let the seed consist of the bits $x_1, \dots, x_\ell$, where $\ell = n^\varepsilon$. The generator will apply the function $f$ to several subsets $S_i$ of the bits in the seed. These subsets are chosen according to the following restrictions: $$ S_1, \dots, S_{p(n)} \subseteq \{ 1,2,\dots,\ell \}, \quad |S_i| = \sqrt{\ell}, \quad \forall i \neq j : |S_i \cap S_j| \leq \log p(n) $$ We claim without proof that it is possible (and in fact fairly easy) to construct such set systems, which are known as $(\sqrt{l},\log p(n))$-designs. Write $x_S$ as an abbreviation for the bit-string $(x_i)_{i \in S}$. The generator then is just: $$ G(x_1 \dots x_\ell) := f(x_{S_1}) \circ f(x_{S_2}) \circ \dots \circ f(x_{S_{p(n)}}) $$ First note that this generator can actually be computed in $\text{TIME}(2^{O(n^{c\varepsilon})})$: since $f$ has running time $2^{n^c}$, it follows that $G$ has running time $p(n)\cdot 2^{n^{c\varepsilon}}$. Again, derandomization can be accomplished by simply running $G$ on all possible inputs, and giving those inputs to $A$ as random strings (this takes total time $poly(n) \cdot 2^{n^{c\varepsilon}}$). The proof that $G$ is actually a pseudorandom generator proceeds by contradiction. Assume that there are inputs $w_i$ with $|w_i| = i$, such that for all sufficiently large $n$ we have $$ \left| \Pr_{r \in \{ 0,1 \}^{p(n)}} \left[ A(w_n,r)\ \text{accepts}\ \right] - \Pr_{x \in \{ 0,1 \}^{n^\varepsilon}} \left[ A(w_n,G(x))\ \text{accepts}\ \right] \right| \geq \frac{1}{p(n)} \quad (*) $$ We will now derive a contradiction to the assumption that $f$ has hardness $n^{\log n}$. By ``hard-wiring'' the inputs $w_n$ into $A$, we obtain the following statement equivalent to $(*)$: There exists a family $(A_n)_{n \in \mathbb{N}}$ of circuits of size $p(n)$, such that $$ \Pr_{r \in \{ 0,1 \}^{p(n)}} \left[ A_n(r) = 1 \right] - \Pr_{x \in \{ 0,1 \}^{n^\varepsilon}} \left[ A_n(G(x)) = 1 \right] \geq \frac{1}{p(n)} $$ (We omitted the absolute-value sign to simplify the presentation; it is easy to see that no generality is lost.) Let $(z^j)_{j=0}^{p(n)}$ be random variables defined as follows: $$ z^j_i := \begin{cases} G(x)_i, & \text{for}\ i \leq j \\ r_i, & \text{for}\ i > j \end{cases} $$ where $r$ is chosen uniformly from $\{ 0,1 \}^{p(n)}$ and $x$ is chosen uniformly from $\{ 0,1 \}^{n^\varepsilon})$. Then $z^0 = r$, and $z^{p(n)} = G(x)$. By a straightforward hybrid argument we can conclude that for every $n$ there is some fixed $j$, such that $$ \Pr \left[ A_n(z^j) = 1 \right] - \Pr \left[ A_n(z^{j-1}) = 1 \right] > \frac{1}{p(n)^2} \quad (**) $$ Now, if we look at the strings $z^{j-1}$ and $z^j$, we see that they differ at only one position: \begin{align*} z^{j-1} = & f(x_{S_1}) \circ \dots \circ f(x_{S_{j-1}}) \circ r_j \circ r_{j+1} \circ \dots r_{p(n)} \\ z^j = & f(x_{S_1}) \circ \dots \circ f(x_{S_{j-1}}) \circ f(x_{S_j}) \circ r_{j+1} \circ \dots r_{p(n)} \end{align*} We will define a circuit $D$ that takes as input $f(x_{S_1}), \ldots, f(x_{S_{j-1}})$ and attempts to compute $f(x_{S_j})$. The circuit $D$ flips $n-j+1$ random bits $r_j, \ldots, r_n$ and computes $A_n(f(x_{S_1}), \ldots, f(x_{S_{j-1}}), r_j, \ldots, r_n)$. If this evaluates to $1$, then $D$ outputs $r_j$, otherwise it outputs $1-r_j$. It is possible to show, using an argument due to Yao, that \[ Pr[ D(f(x_{S_1}), \ldots, f(x_{S_{j-1}})) = f(x_{S_j})] - 1/2 > 1/n^2. \] where the probability is taken over $x$ as well as $D's$ internal random bits $r_j, \ldots, r_n$. By linearity of expectation, there must be a way to fix the values of $r_{j}, \ldots, r_{p(n)}$ and $x_i$ for $i \not\in S_j$, such that this inequality still holds. From here on, assume these values have been so fixed. We will now construct a circit $C$ that attempts to compute $f(x_{S_j})$ given $x_{S_j}$ as input. Without loss of generality, assume that $S_j = \{1,\ldots m\}$. Notice that each value $f(S_k)$ where $k\neq j$ depends on at most $log\ p(n)$ of the bits in $x_{S_j}$. Therefore each of these values (considered as a function of $x_{S_j}$) can be computed by a circuit of size $p(n)$. Our circuit $C$ will simply take $x_{S_j}$ as input, compute $f(x_{S_1}), \ldots, f(x_{S_{j-1}})$, and output $D(f(x_{S_1}), \ldots, f(x_{S_{j-1}}))$. (Remember that D's internal random bits have been fixed.) It is easy to see that $C$ has polynomial size in $n$ and computes $f(x_{S_j})$ for the $\log p(n)$ bit-string $x_{S_j}$ with non-negligible advantage. Thus, $f$ is not $n^{\log n}$-hard. $\blacksquare$ \end{document}