Derandomization

In the early 1980’s, Yao demonstrated how one-way functions can be used to construct pseudorandom generators, which suffice for T n partial derandomization of BPP, i.e. BPP ⊆ >0 TIME(2 ).

1. A. Shamir. On the Generation of Cryptographically Strong Pseudorandom Sequences. ICALP, 1981.
2. M. Blum and S. Micali. How to Generate Cryptographically Strong Sequences of Pseudorandom Bits. SIAM J. Computing, 1984.
3. Q. Yao. Theory and Applications of Trapdoor Functions. FOCS, 1982.

Computational Complexity, by Fu Yuxi Derandomization 1 / 72

Since the late 1980’s, researchers have looked for non-cryptographic assumptions for derandomization.

- There is a hard function whose inverse is easy.
- There is a hard function in EXP or E.

Synopsis

1. Derandomization Using Pseudorandom Generator
2. Hardness-Randomness Tradeoff
3. Derandomization Implies Circuit Lower Bound
4. Randomness vs Time

Derandomization Using Pseudorandom Generator

The strings produced by a generator must look pseudorandom to a class of distinguishers. There are several issues.

1. Quality of generator
   - stretch function
   - distinguisher’s computing power
   - error bound (constant or reciprocal of polynomial)
2. Price of generator
   - seed length
   - running time

Pseudorandom generators used in cryptography are required to be P-time computable. In the present setting we drop this requirement since it is not necessary for the purpose of derandomization.

Pseudorandomness

A distribution $Y$ over $\{0,1\}^m$ is (S, )-pseudorandom, where S ∈ N and  > 0, if for every circuit C with |C| ≤ S it holds that

|Pr[C(Y ) = 1] − Pr[C(Um) = 1]| < .

We require that distinguishers are nonuniform.

Pseudorandom Generator

Suppose $\ell : \mathbb{N} \to \mathbb{N}$ is P-time computable and $S : \mathbb{N} \to \mathbb{N}$ is time constructible and nondecreasing. We call a function family

$$G = \left\{ G_n : \{0,1\}^{\ell(n)} \to \{0,1\}^{S(\ell(n))} \right\}_{n \in \mathbb{N}}$$

an $S(\ell)$-pseudorandom generator if the distribution $G_n(U_{\ell(n)})$ is $(S(\ell(n))^3, \frac{1}{10})$-pseudorandom for input size $n$.

- $\ell$ computes seed length from input size.
- $S$ is the stretch function.
- $S(\ell)$ is the computation bound, dominated by $2^{O(\ell)}$.
- $S(\ell)^3$ is the circuit size bound, dominated by $2^{O(\ell)}$.
- $G$ is supposed to be computable in $2^{O(\ell)}$ time.

Derandomization Using Pseudorandom Generator

Theorem. Suppose an $S(\ell)$-pseudorandom generator exists. Then

$$\mathrm{BPTIME}(S(\ell(n))) \subseteq \mathrm{TIME}(2^{O(\ell(n))}).$$

Let $L \in \mathrm{BPTIME}(S(\ell(n)))$ be accepted by PTM $A$. For each $n$,

$$\Pr_{r \in_R \{0,1\}^{S(\ell(n))}}[A(x, r) = L(x)] \ge 2/3.$$

$B(x)$ simulates $A(x)$ using pseudorandom strings in $G(\{0,1\}^{\ell(n)})$. Suppose $\Pr[A(x, G(r)) = L(x)] \le \frac{2}{3} - \frac{1}{10}$ for infinitely many $x$’s. Use the Cook-Levin reduction to construct a distinguisher circuit computing $r \mapsto A(x, r)$ with $x$ hard-wired. [nonuniformity here] The size of the circuit is bounded by $O(S(\ell(n))^2)$. Contradiction.

An algorithm is superpolynomial if it runs in $O(n^{\omega(1)})$ time. An algorithm is subpolynomial if it runs in $O(n^{o(1)})$ time.

- $\mathrm{QuasiP} = \mathrm{TIME}(2^{\mathrm{polylog}(n)})$.
- $\mathrm{SUBEXP} = \bigcap_{c>0} \mathrm{TIME}(2^{n^c})$.

Derandomization Using Pseudorandom Generator

Corollary.

1. If there is a $2^{c\ell}$-pseudorandom generator for some $c > 0$, then BPP = P.
2. If there is a $2^{\ell^c}$-pseudorandom generator for some $c > 0$, then BPP ⊆ QuasiP.
3. If for every $c > 1$ there is an $\ell^c$-pseudorandom generator, then BPP ⊆ SUBEXP.

Suppose the PTM we want to derandomize runs in $n^d$ time.

- $S(\ell) = 2^{c\ell}$ and $\ell(n) = \frac{d}{c} \log(n)$.
- $S(\ell) = 2^{\ell^c}$ and $\ell(n) = (d \log(n))^{1/c}$. [$c$ can be very close to 0]
- $S(\ell) = \ell^c$ and $\ell(n) = n^{d/c}$ for every $c > 1$.

Hardness-Randomness Tradeoff

Hardness-randomness tradeoffs, which show that computational hardness can be used as a source of computational randomness, are evidence that BPP can be derandomized.

1. N. Nisan and A. Wigderson. Hardness vs Randomness. FOCS 1988. JCSS 1994.
2. N. Nisan. Pseudorandom Bits for Constant Depth Circuits. Combinatorica, 1991.
3. L. Babai, L. Fortnow, N. Nisan and A. Wigderson. BPP has Subexponential Time Simulations Unless EXPTIME has Publishable Proofs. Complexity Theory, 1993.
4. R. Impagliazzo and A. Wigderson. BPP=P Unless E has Subexponential Circuits, Derandomizing the XOR Lemma. STOC 1997.

“Informally speaking, a pseudorandom generator is an easy to compute function which converts a few random bits to many pseudorandom bits that look random to any small circuit.”
Nisan and Wigderson, 1994

A pseudorandom generator $G : \{0,1\}^\ell \to \{0,1\}^{S(\ell)}$ produces an $S(\ell)$-bit string from an $\ell$-bit string such that no $S(\ell)$-size circuit $C$ can distinguish the distributions $G(U_\ell)$, $U_{S(\ell)}$ with probability $\frac{1}{S(\ell)}$.

- The function $G$ is computable in $2^{O(\ell)}$.
- We want $\ell$ to be as small as possible. Ideally $\ell = O(\log S)$.

We will derive a pseudorandom generator $G : \{0,1\}^\ell \to \{0,1\}^{S(\ell)}$ from a Boolean function $f$ whose average case hardness is $S(\ell)$.

Nisan-Wigderson Theorem

Theorem. If some $f \in \mathrm{E}$ exists such that $\forall n.\, H_{\mathrm{avg}}(f)(n) \ge S(n)$, then there is an $S'(\ell)$-pseudorandom generator, where $S'(\ell) = S(n)^{\delta}$ for some $\delta > 0$ and $n$ satisfies $n \ge \delta\sqrt{\ell \log S(n)}$.

N. Nisan and A. Wigderson. Hardness vs Randomness. FOCS 1988. JCSS 1994.

Yao’s Theorem. Let $Y$ be a distribution over $\{0,1\}^m$. Suppose S > 10n and  > 0 and the following holds: For every circuit C of size at most 2S and every i ∈ [m],

1  Pr[C(r1,..., ri−1) = ri ] − < . 2 m

Then Y is (S, )-pseudorandom.

- Theory and Applications of Trapdoor Functions. FOCS 1982.

Proof of Yao’s Theorem

Suppose Y is not (S, )-pseudorandom. Wlog, we may assume that there is a circuit C of size S such that

Pr[C(Y ) = 1] − Pr[C(Um) = 1] ≥ . (1)

For $i \in [m]$, the hybrid distribution $Y_i$ is defined in terms of $Y$ and $U_m$ in the standard way. Notice that $Y_0 = U_m$ and $Y_m = Y$.

- $p_i \stackrel{\mathrm{def}}{=} \Pr[C(Y_i) = 1]$. By (1), $\sum_{i=1}^{m} (p_i - p_{i-1}) = p_m - p_0$ ≥ .
- $p_i - p_{i-1}$ ≥ /m for some $i \in [m]$ by an averaging argument.

Now design a random circuit D as follows:

1. Input $y_1, \ldots, y_{i-1}$;
2. Generate independent $r_i, \ldots, r_m \in_R \{0,1\}$;
3. If $C(y_1, \ldots, y_{i-1}, r_i, \ldots, r_m) = 1$ then $r_i$ else $1 - r_i$.


The probability that $D(y_1, \ldots, y_{i-1}) = y_i$ is

$$\frac{1}{2} \cdot \Pr[C = 1 \mid y_i = r_i] + \frac{1}{2} \cdot \Pr[C = 0 \mid y_i = 1 - r_i],$$

where $C$ abbreviates $C(y_1, \ldots, y_{i-1}, r_i, \ldots, r_m)$.

$\Pr[C = 1 \mid y_i = r_i] = p_i$. On the other hand,

$$\begin{aligned} p_{i-1} &= \Pr[C = 1] \\ &= \Pr[C = 1 \mid y_i = r_i]/2 + \Pr[C = 1 \mid y_i = 1 - r_i]/2 \\ &= p_i/2 + (1 - \Pr[C = 0 \mid y_i = 1 - r_i])/2. \end{aligned}$$

Conclude that $\Pr[D(y_1, \ldots, y_{i-1}) = y_i]$ ≥ 1/2 + /m.

By an averaging argument, we get a deterministic circuit $D'$ by fixing some $r_i, \ldots, r_m$ while preserving the bias. Clearly $|D'| \le 2S$.
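The predictor construction of this proof, computed exactly on a constructed toy generator. This is an added example, not part of the original slides; `toy_generator`, `distinguisher` and the helper names are assumptions chosen for illustration. Every seed and every coin sequence is enumerated, so the hybrid probabilities $p_i$ and the predictor's success rate come out as exact fractions.

```python
from fractions import Fraction
from itertools import product

M = 4  # output length m of the toy generator


def toy_generator(z):
    """Constructed generator: 3-bit seed -> 4 bits, third bit is z1 AND z2."""
    z1, z2, z3 = z
    return (z1, z2, z1 & z2, z3)


def distinguisher(y):
    """Constructed circuit C: accept when the third bit equals the first."""
    return 1 if y[2] == y[0] else 0


def outputs(G, ell):
    """One output per seed; seeds are uniform, so this list is the distribution Y."""
    return [G(z) for z in product((0, 1), repeat=ell)]


def hybrid_accept(Y, C, i, m):
    """p_i = Pr[C(Y_i) = 1]: first i bits from Y, remaining m - i bits uniform."""
    total = Fraction(0)
    for y in Y:
        for tail in product((0, 1), repeat=m - i):
            total += C(y[:i] + tail)
    return total / (len(Y) * 2 ** (m - i))


def predictor_success(Y, C, i, m):
    """Pr[D(y_1..y_{i-1}) = y_i] for the randomized circuit D of the proof."""
    hits = 0
    for y in Y:
        for r in product((0, 1), repeat=m - i + 1):  # r_i, ..., r_m
            guess = r[0] if C(y[:i - 1] + r) == 1 else 1 - r[0]
            hits += int(guess == y[i - 1])
    return Fraction(hits, len(Y) * 2 ** (m - i + 1))


def derandomized_predictor(Y, C, i, m):
    """Averaging step: fix r_i..r_m to the best value, giving a deterministic D'."""
    best = None
    for r in product((0, 1), repeat=m - i + 1):
        hits = sum(
            int((r[0] if C(y[:i - 1] + r) == 1 else 1 - r[0]) == y[i - 1])
            for y in Y
        )
        rate = Fraction(hits, len(Y))
        if best is None or rate > best[1]:
            best = (r, rate)
    return best


def best_index(p):
    """The position i in [m] with the largest gap p_i - p_{i-1}."""
    return max(range(1, len(p)), key=lambda i: p[i] - p[i - 1])


if __name__ == "__main__":
    Y = outputs(toy_generator, 3)
    p = [hybrid_accept(Y, distinguisher, i, M) for i in range(M + 1)]
    i = best_index(p)
    print("hybrid acceptance probabilities:", p)
    print("predicted position:", i)
    print("randomized predictor success:", predictor_success(Y, distinguisher, i, M))
    print("fixed coins and success:", derandomized_predictor(Y, distinguisher, i, M))
```

For every position the computed success rate equals $1/2 + p_i - p_{i-1}$, which is the identity the derivation above rearranges.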

Nisan-Wigderson Construction: Extending One Bit

Lemma. Suppose that there exists $f \in \mathrm{E}$ with $H_{\mathrm{avg}}(f) \ge n^4$. Then there exists an $S(\ell)$-pseudorandom generator $G$ for $S(\ell) = \ell + 1$.

For $z \in \{0,1\}^\ell$ set the $(\ell + 1)$-generator $G$ by $G(z) = z \circ f(z)$. Clearly $S(|z|) = \ell + 1 = |G(z)|$. By Yao’s Theorem we only have to prove that there do not exist any circuit $C$ of size $\le 2(\ell + 1)^3 < \ell^4$ and any $i \in [\ell + 1]$ such that

$$\Pr_{r = G(U_\ell)}[C(r_1, \ldots, r_{i-1}) = r_i] > \frac{1}{2} + \frac{1}{\ell + 1} \cdot \frac{1}{10}. \tag{2}$$

The inequality (2) fails for $i \in [\ell]$. If $i = \ell + 1$, the inequality (2) contradicts the assumption $H_{\mathrm{avg}}(f) \ge n^4$ since $10(\ell + 1) < \ell^4$.

Nisan-Wigderson Construction: Extending Two Bits

Lemma. Suppose that there exists $f \in \mathrm{E}$ with $H_{\mathrm{avg}}(f) \ge n^4$. Then there exists an $S(\ell)$-pseudorandom generator $G$ for $S(\ell) = \ell + 2$.

$$G(z) = z_1 \cdots z_{\ell/2} \circ f(z_1, \ldots, z_{\ell/2}) \circ z_{\ell/2+1} \cdots z_\ell \circ f(z_{\ell/2+1}, \ldots, z_\ell).$$

1. The inequality (2) cannot hold for $i \in [\ell + 1]$.
2. In the case $i = \ell + 2$, the inequality (2) becomes

$$\Pr_{r, r' \in_R \{0,1\}^{\ell/2}}[C(r \circ f(r) \circ r') = f(r')] > \frac{1}{2} + \frac{1}{\ell + 2} \cdot \frac{1}{10}.$$

By the averaging principle, there is some $r$ such that the above inequality holds for probability over $r' \in_R \{0,1\}^{\ell/2}$. Now hardwire the bits $r \circ f(r)$ to $C$. We obtain a circuit of size $\le 2(\ell + 2)^3 < (\ell/2)^4$ that would lead to a contradiction.

Nisan-Wigderson Construction: NW Generator

Let $f : \{0,1\}^n \to \{0,1\}$.

Let $\mathcal{I} = \{I_1, \ldots, I_m\}$ be a family of subsets of $[\ell]$ with $\forall j.\, |I_j| = n$. Let $z_I$ denote the restriction of $z \in \{0,1\}^\ell$ to the coordinates in $I$.

The $(\mathcal{I}, f)$-NW generator $\mathrm{NW}^f_{\mathcal{I}} : \{0,1\}^\ell \to \{0,1\}^m$ is defined by

$$z \mapsto f(z_{I_1}) \circ f(z_{I_2}) \circ \cdots \circ f(z_{I_m}).$$

How do we generate $I_1, \ldots, I_m$ algorithmically?

Nisan-Wigderson Construction: Combinatorial Design

Suppose $\ell, n, d$ satisfy $\ell > n > d$.

A family $\mathcal{I} = \{I_1, \ldots, I_m\}$ of subsets of $[\ell]$ is an $(\ell, n, d)$-design if

- $|I_i| = n$ for all $i \in [m]$, and
- $|I_i \cap I_j| \le d$ whenever $i \ne j$.


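Lemma. There is a $2^{O(\ell)}$ time algorithm $A$ that on input $(\ell, n, d)$, where $n > d$ and $\ell > 10n^2/d$, outputs an $(\ell, n, d)$-design of $2^{d/10}$ elements.

Algorithm $A$ runs in $\mathrm{poly}(n) \cdot 2^{d/10} \cdot 2^{\ell} = 2^{O(\ell)}$ time:

1. $\mathcal{I} := \emptyset$.
2. If $|\mathcal{I}| < 2^{d/10}$, then find an $n$-size set $I \subseteq [\ell]$ such that

$$\forall I' \in \mathcal{I}.\ |I \cap I'| \le d. \tag{3}$$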

We need to show that the algorithm never gets stuck.


Suppose $\ell = 10n^2/d$ and $\mathcal{I} = \{I_1, \ldots, I_m\}$ where $m < 2^{d/10}$.

Pick $I \subseteq [\ell]$ randomly in the following manner:

- Choose every element of $[\ell]$ to be in $I$ with probability $2n/\ell$.

$E[|I|] = 2n$ and $E[|I \cap I_j|] = (2n/\ell)n < d/5$. By the Chernoff bound,

$$\Pr[|I| \ge n] \ge 0.9, \tag{4}$$

$$\Pr[|I \cap I_j| \ge d] \le 0.5 \cdot 2^{-d/10}. \tag{5}$$

It follows from $m < 2^{d/10}$, (5) and the union bound that (3) holds with probability $\ge 0.5$. Together with (4) we derive that $\mathcal{I} \cup \{I\}$ is an $(\ell, n, d)$-design with probability at least $0.5 + 0.9 - 1 = 0.4$.

Nisan-Wigderson Construction

Lemma. Suppose $f : \{0,1\}^n \to \{0,1\}$ and $\mathcal{I}$ is an $(\ell, n, d)$-design with $|\mathcal{I}| = 2^{d/10}$. If $H_{\mathrm{avg}}(f) > 2^{2d}$, then the distribution $\mathrm{NW}^f_{\mathcal{I}}(U_\ell)$ is $(H_{\mathrm{avg}}(f)/10, 1/10)$-pseudorandom.


Let $S = H_{\mathrm{avg}}(f)$. According to Yao’s Theorem we need to prove that the following holds for all $\frac{S}{5}$-size circuits $C$ and all $i \in [2^{d/10}]$.

$$\Pr_{R = \mathrm{NW}^f_{\mathcal{I}}(U_\ell)}[C(R_1, \ldots, R_{i-1}) = R_i] \le \frac{1}{2} + \frac{1}{2^{d/10}} \cdot \frac{1}{10}.$$

If not, then by the definition of $\mathrm{NW}^f_{\mathcal{I}}$, one has for some $C$, $i$,

$$\Pr_{Z \sim U_\ell}[C(f(Z_{I_1}), \ldots, f(Z_{I_{i-1}})) = f(Z_{I_i})] > \frac{1}{2} + \frac{1}{2^{d/10}} \cdot \frac{1}{10}, \tag{6}$$

where $Z_I$ denotes the restriction of $Z$ to the coordinates in $I$.

- Let $Z_1 = Z_{I_i}$ and $Z_2 = Z_{[\ell] \setminus I_i}$.
- Let $f_j(Z_1, Z_2) = f({Z_1}_{I_i \cap I_j}, {Z_2}_{I_j \setminus I_i})$.


Now (6) is the same as

$$\Pr_{Z_1 \sim U_n, Z_2 \sim U_{\ell - n}}[C(f_1(Z_1, Z_2), \ldots, f_{i-1}(Z_1, Z_2)) = f(Z_1)] > \frac{1}{2} + \frac{1}{2^{d/10}} \cdot \frac{1}{10}.$$

By the averaging principle, there exists some $z_2 \in \{0,1\}^{\ell - n}$ such that

$$\Pr_{Z_1 \sim U_n}[C(f_1(Z_1, z_2), \ldots, f_{i-1}(Z_1, z_2)) = f(Z_1)] > \frac{1}{2} + \frac{1}{2^{d/10}} \cdot \frac{1}{10}.$$

Since $|I_j \cap I_i| \le d$, some $d2^d$-size circuit can compute $f_j(\cdot, z_2)$. Clearly a circuit $B$ of size $2^{d/10} d 2^d + S/5 < S$ exists such that

$$\Pr_{Z_1 \sim U_n}[B(Z_1) = f(Z_1)] > \frac{1}{2} + \frac{1}{2^{d/10}} \cdot \frac{1}{10} > \frac{1}{2} + \frac{1}{S},$$

contradicting the assumption $S = H_{\mathrm{avg}}(f)$.
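An added example (not from the original slides) that runs the greedy design search, evaluates the NW generator, and checks the hardwiring step of the proof: once the bits outside $I_i$ are fixed, each earlier output bit is a lookup table over at most $d$ shared coordinates. The parameters $(\ell, n, d) = (12, 4, 1)$ are far below the lemma's bound $\ell > 10n^2/d$ and `toy_f` is an easy stand-in for the hard function $f$; both are assumptions made so the code runs instantly, and indices are 0-based.

```python
from itertools import combinations, product


def greedy_design(ell, n, d, m):
    """Scan n-subsets of [ell] in lexicographic order and keep each one that
    meets every set kept so far in at most d points, until m sets are found."""
    family = []
    for cand in combinations(range(ell), n):
        if all(len(set(cand) & set(kept)) <= d for kept in family):
            family.append(cand)
            if len(family) == m:
                return family
    raise ValueError("greedy scan found fewer than m sets")


def is_design(family, ell, n, d):
    """Check the two conditions of an (ell, n, d)-design."""
    sizes_ok = all(len(set(I)) == n and set(I) <= set(range(ell)) for I in family)
    pairs_ok = all(len(set(A) & set(B)) <= d for A, B in combinations(family, 2))
    return sizes_ok and pairs_ok


def restrict(z, I):
    """z_I: the bits of z at the coordinates in I."""
    return tuple(z[k] for k in I)


def toy_f(x):
    """Stand-in for f on n = 4 bits (assumption: not actually hard)."""
    return (x[0] & x[1]) ^ (x[2] & x[3])


def nw_generator(f, family, z):
    """z -> f(z_{I_1}) o f(z_{I_2}) o ... o f(z_{I_m})."""
    return tuple(f(restrict(z, I)) for I in family)


def lookup_table(f, family, i, j, z):
    """Truth table of f_j(., z_2): bits of z outside I_i are hardwired, so
    f(z_{I_j}) depends only on the coordinates shared by I_i and I_j."""
    shared = sorted(set(family[i]) & set(family[j]))
    table = {}
    for bits in product((0, 1), repeat=len(shared)):
        w = list(z)
        for pos, b in zip(shared, bits):
            w[pos] = b
        table[bits] = f(restrict(w, family[j]))
    return shared, table


def hardwiring_agrees(f, family, i, z):
    """For every setting of z_{I_i}, each earlier output bit must equal the
    value read from its small table."""
    tables = [lookup_table(f, family, i, j, z) for j in range(i)]
    for bits in product((0, 1), repeat=len(family[i])):
        w = list(z)
        for pos, b in zip(family[i], bits):
            w[pos] = b
        out = nw_generator(f, family, w)
        for j, (shared, table) in enumerate(tables):
            if table[tuple(w[p] for p in shared)] != out[j]:
                return False
    return True


FAMILY = greedy_design(12, 4, 1, 5)

if __name__ == "__main__":
    seed = (1, 1) + (0,) * 10
    print("design:", FAMILY)
    print("output:", nw_generator(toy_f, FAMILY, seed))
    print("tables reproduce earlier bits:", hardwiring_agrees(toy_f, FAMILY, 4, seed))
```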

Theorem. If some $f \in \mathrm{E}$ exists such that $\forall n.\, H_{\mathrm{avg}}(f)(n) \ge S(n)$, then there is an $S'(\ell)$-pseudorandom generator, where $S'(\ell) = S(n)^{\delta}$ for some $\delta > 0$ and $n$ satisfies $n \ge \delta\sqrt{\ell \log S(n)}$.

On input $z \in \{0,1\}^\ell$, the generator operates as follows:

1. Let $d = \log S(n)/4$. Let $n = \max\{n \mid \ell > 100n^2/\log S(n)\}$.
   - $\ell \le 100(n + 1)^2/\log S(n + 1) \le 200n^2/\log S(n)$
   - $n \ge (1/10\sqrt{2})\sqrt{\ell \log S(n)} = \delta\sqrt{\ell \log S(n)}$
2. Construct an $(\ell, n, d)$-design $\mathcal{I} = \{I_1, \ldots, I_{2^{d/10}}\}$.
3. Output the $S(n)^{1/40} = 2^{d/10}$ bits of $\mathrm{NW}^f_{\mathcal{I}}(z)$.

Lemma implies that $\mathrm{NW}^f_{\mathcal{I}}(U_\ell)$ is $(S(n)/10, 1/10)$-pseudorandom.

- $(S'(\ell))^3 = S(n)^{3\delta} = \left(S(n)^{1/10\sqrt{2}}\right)^3 < S(n)/10$.

Remark. (i) $n$ is a function of $\ell$; (ii) $\delta$ is a constant.

Extending Nisan-Wigderson Theorem

Theorem. If some $f \in \mathrm{E}$ exists such that $\forall n.\, H_{\mathrm{avg}}(f)(n) \ge S(n)$, then there is an $S(\delta\ell)^{\delta}$-pseudorandom generator for some $\delta > 0$.

C. Umans. Pseudo-Random Generators for All Hardnesses. JCSS, 2003.


Theorem. If some $f \in \mathrm{E}$ exists such that $\forall n.\, H_{\mathrm{wrs}}(f)(n) \ge S(n)$, then there is an $S(\delta\ell)^{\delta}$-pseudorandom generator for some $\delta > 0$.

Proof. This is a consequence of Theorem and Theorem.

Theorem. Let $f \in \mathrm{E}$ be such that $H_{\mathrm{wrs}}(f)(n) \ge S(n)$. There are some $g \in \mathrm{E}$ and $c > 0$ such that $H_{\mathrm{avg}}(g)(n) \ge S(n/c)^{\frac{1}{c}}$ for large $n$.

Proof. We have seen in the last chapter that Theorem was proved after a long sequence of works.

Corollary.

1. If there exists $f \in \mathrm{E}$ and $c > 0$ such that $H_{\mathrm{wrs}}(f)(n) \ge 2^{cn}$, then BPP = P.
2. If there exists $f \in \mathrm{E}$ and $c > 0$ such that $H_{\mathrm{wrs}}(f)(n) \ge 2^{n^c}$, then BPP ⊆ QuasiP.
3. If there exists $f \in \mathrm{E}$ such that $H_{\mathrm{wrs}}(f)(n) \ge n^{\omega(1)}$, then BPP ⊆ SUBEXP.

This is an immediate consequence of Corollary and Theorem.

- (1) is due to Impagliazzo and Wigderson (1997). The average case version of (1) is due to Nisan and Wigderson (1988).
- (2) and (3) can be strengthened by substituting EXP for E.

“In other words, randomness never speeds computation by more than a polynomial amount unless nonuniformity always helps computation more than polynomially (for infinitely many input sizes) for problems with exponential .”
Impagliazzo and Wigderson, 1997

Derandomization Implies Circuit Lower Bound

We have seen that a reasonable assumption on circuit lower bounds is sufficient to derandomize BPP. Can we prove BPP = P without such assumptions?

“We prove that derandomizing Polynomial Identity Testing is, essentially, equivalent to proving circuit lower bounds for NEXP.”
— Kabanets and Impagliazzo, 2003

Derandomization Implies Circuit Lower Bounds

Theorem (Kabanets and Impagliazzo, 2003).

If ZEROP ∈ P, then either NEXP ⊈ P/poly or perm ∉ AlgP/poly.

V. Kabanets and R. Impagliazzo. Derandomizing Polynomial Identity Tests Means Proving Circuit Lower Bounds. STOC 2003.

- A family of polynomials $\{p_n\}_{n \in \mathbb{N}}$, where $p_n$ is $n$-variate over the field $\mathbb{Z}$, has polynomially bounded degree if there is a constant $c$ such that the degree of $p_n$ is $\le n^c$ for every $n$.
- AlgP/poly contains all polynomially bounded degree families of polynomials computable by polynomial size algebraic circuits.

Lemma. If EXP ⊆ P/poly then EXP = MA.

Suppose EXP ⊆ P/poly. By Meyer’s Theorem, $\mathrm{EXP} = \Sigma_2^p$. Hence

$$\Sigma_2^p = \mathrm{PH} = \mathrm{PSPACE} = \mathrm{IP} = \mathrm{EXP} \subseteq \mathrm{P/poly}.$$

A language $L \in \mathrm{EXP}$ has an interactive proof, and the prover can be defined by a P-size circuit family $\{C_n\}_{n \in \mathbb{N}}$. The interactive protocol consists of Merlin sending a circuit and Arthur tossing coins and simulating interactions before making a judgement.

L. Babai, L. Fortnow, and L. Lund. Non-Deterministic Exponential Time Has Two Prover Interactive Protocols. FOCS, 1990.

Calculating Permanent by Identity Testing

Lemma. If ZEROP ∈ P and perm ∈ AlgP/poly, then $\mathrm{P}^{\mathrm{perm}} \subseteq \mathrm{NP}$.

Suppose ZEROP ∈ P and perm has an $n^c$-size algebraic circuit. Let $L$ be decided by an $n^d$-time TM $M$ using perm as an oracle. The NP machine $N$ for $L$ is defined as follows: Suppose $|x| = n$.

1. Guess $n^d$ algebraic circuits $C_1, \ldots, C_{n^d}$, where $|C_i| = i^c$.
2. Verify that $C_1, \ldots, C_{n^d}$ solve perm for $i \times i$-ary matrices.
   - $C_i(x_{11}, \ldots, x_{ii}) = x_{11} C_{i-1}(x_{22}, \ldots, x_{2i}, \ldots, x_{i2}, \ldots, x_{ii}) + \cdots$.
   - By the assumption, this can be done in P-time.
3. Simulate $M(x)$ using these algebraic circuits as oracles.
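Step 2 of the machine $N$ as an added example, not code from the original slides: the guessed circuits are modelled as Python callables over $\mathbb{Z}_P$, and the deterministic identity test that the lemma assumes (ZEROP ∈ P) is replaced here by evaluation at random points. `perm_circuit`, `det_circuit`, `minor` and `first_bad_size` are hypothetical names.

```python
import random
from itertools import permutations

P = (1 << 61) - 1  # prime modulus; all arithmetic is in Z_P


def perm_circuit(M):
    """Honest candidate: the permanent as a sum over all permutations."""
    total = 0
    for sigma in permutations(range(len(M))):
        term = 1
        for row, col in enumerate(sigma):
            term = term * M[row][col] % P
        total = (total + term) % P
    return total


def minor(M, j):
    """Delete row 0 and column j (the matrix fed to C_{i-1} in the expansion)."""
    return [row[:j] + row[j + 1:] for row in M[1:]]


def det_circuit(M):
    """Faulty candidate: the same expansion with alternating signs."""
    if len(M) == 1:
        return M[0][0] % P
    return sum((-1) ** j * M[0][j] * det_circuit(minor(M, j))
               for j in range(len(M))) % P


def first_bad_size(circuits, trials=8, seed=1):
    """circuits[i-1] claims to compute perm on i x i matrices.

    Checks C_1(x) = x and, for i > 1, the first-row expansion
    C_i(X) = sum_j x_{1j} * C_{i-1}(X with row 1 and column j removed)
    at random points. Returns the first size whose check fails, or None.
    By induction on i, passing every check means each C_i computes perm
    (up to the error of the random test)."""
    rng = random.Random(seed)
    for i, C in enumerate(circuits, start=1):
        for _ in range(trials):
            M = [[rng.randrange(P) for _ in range(i)] for _ in range(i)]
            if i == 1:
                expected = M[0][0]
            else:
                prev = circuits[i - 2]
                expected = sum(M[0][j] * prev(minor(M, j)) for j in range(i)) % P
            if C(M) % P != expected:
                return i
    return None


if __name__ == "__main__":
    print(first_bad_size([perm_circuit] * 5))                       # all sizes pass
    print(first_bad_size([perm_circuit, det_circuit, perm_circuit]))  # size 2 is rejected
```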

Lemma. If NEXP ⊆ P/poly, then NEXP = EXP.

R. Impagliazzo, V. Kabanets, and A. Wigderson. In Search of an Easy Witness: Exponential Time vs Probabilistic Polynomial Time. JCSS, 2002.

1. Suppose $L \in \mathrm{NEXP} \setminus \mathrm{EXP}$. Then some $c$ and $R$ exist such that

   $$x \in L \ \text{ iff } \ \exists y \in \{0,1\}^{2^{|x|^c}}.\, R(x, y).$$

   We may think of a certificate as a circuit that calculates a Boolean function of type $\{0,1\}^{|x|^c} \to \{0,1\}$.

2. For each constant $D$ define TM $M_D$ as follows:
   1. Input $x \in \{0,1\}^n$;
   2. Enumerate all $n^{100D}$-size circuits $C$ of type $\{0,1\}^{n^c} \to \{0,1\}$;
   3. If $\exists C.\, R(x, tt(C))$, then output 1; otherwise output 0.

   - $tt(C)$ is the truth table of the function calculated by $C$.

3. $M_D$ does not solve $L$ since it runs in $2^{\mathrm{poly}(n)}$ time.

4. For every $D$ there is an infinite sequence $X_D = \{x_i\}_{i \in \mathbb{N}}$ such that $M_D(x_i) = 0$ even though $x_i \in L$.
   - For each $x \in X_D$, every $y$ that renders $R(x, y)$ true cannot be computed by circuits of size $n^{100D}$, where $n = |x|$.
   - According to Theorem there is an $\ell^D$ pseudorandom generator constructed from such a $y$.

This is Kabanets’ easy witness method.

- Use brute force to search for objects with small descriptions, which we can afford. If it fails, there is an object that has passed the ‘hardness test’, which can be used for derandomization.

V. Kabanets. Easiness Assumptions and Hardness Tests: Trading Time for Zero Error. JCSS, 2001.

5. If NEXP ⊆ P/poly, then EXP ⊆ MA by Lemma.
   - Every problem in EXP has a proof system in which Arthur’s probabilistic verification takes $n^D$ steps for some constant $D$.
   - For every input $x'$ with $|x'| = n = |x|$ for some $x \in X_D$, Arthur’s verification can be done in $\mathrm{poly}(n^D)\,2^{n^{O(c)}}$ time by a nondeterministic TM using in $X_D$.
     1. Guess a string $y$ such that $R(x, y)$ holds;
     2. Use the pseudorandom generator that invokes $y$ to run the verification algorithm.

   This algorithm outputs the correct answer whenever the input length is the same as the length of some advice in $X_D$.

6. So some $c'$ exists such that all $L \in \mathrm{EXP}$ can be decided on infinitely many inputs by an NDTM in $2^{n^{c'}}$ time using $n$-bit advice.
   - Since NEXP ⊆ P/poly by assumption, the NDTM can be implemented by an $n^d$-size circuit family for some $d$.
   - However there is a language in EXP that cannot be computed by such a circuit on all but a finite number of inputs.
     - By Shannon Theorem, most $n$-variate Boolean functions cannot be computed by circuits of size $n^d$.
     - Using brute force and diagonalization we can define a Boolean function in EXP that differs from any function computable by the $n^d$-size circuit family when the inputs are long enough.


Theorem. NEXP ⊆ P/poly if and only if NEXP = MA.

By Lemma and Lemma, NEXP ⊆ P/poly implies NEXP = MA. The converse implication is proved by D. van Melkebeek. See the paper by Impagliazzo, Kabanets and Wigderson.

Proof of Kabanets-Impagliazzo Theorem

Suppose the following were all valid:

NEXP ⊆ P/poly, (7)

ZEROP ∈ P, (8)

perm ∈ AlgP/poly. (9)

Lemma, Lemma and (7) imply that

NEXP = EXP = MA. (10)

By (10), Toda Theorem and Valiant Theorem,

$$\mathrm{NEXP} = \mathrm{MA} \subseteq \mathrm{PH} \subseteq \mathrm{P}^{\#\mathrm{P}} = \mathrm{P}^{\mathrm{perm}}. \tag{11}$$

Lemma, (8), (9) and (11) imply NEXP ⊆ NP, contradicting the Time Hierarchy Theorem.

“This implies that proving that BPP = P is as hard as proving superpolynomial circuit lower bounds for NEXP!”
— Kabanets and Impagliazzo, 2003

Randomness vs Time

Trivially P ⊆ BPP ⊆ EXP.

1. “High-end”: Looking for assumptions to achieve P = BPP.
   - For example one may study the consequence of the assumption that BPP is superpolynomial.
2. “Low-end”: Looking for assumptions for BPP ⊊ EXP.
   - For example one may look for assumptions to derive that BPP is subexponential.

So far all general derandomization results are conditional.

We will look at a low-end result under a uniform assumption.

1. The results we have seen require a nonuniform hardness assumption (circuit hardness).
2. Impagliazzo and Wigderson showed that a constructive argument can be made if the hard function is downward self-reducible.

R. Impagliazzo, A. Wigderson. Randomness vs Time: Derandomization under a Uniform Assumption. JCSS, 2001.

Let C be a . We write io-C for the class of functions that agree with a function in C for all inputs of length n for infinitely many n.

Polynomially Sampleable Distribution

A probability ensemble $\mu = \{\mu_n \mid n \in \mathbb{Z}^+\}$ is a sequence of probability distributions, $\mu_n$ being a distribution on the set of strings of length $n$.

The probability ensemble $\mu$ is polynomially sampleable if there is a polynomial $p$ and a P-time computable $M$ such that $M(n, r)$ is distributed as $\mu_n$ if $r \in_U \{0,1\}^{p(n)}$.

Let T and  be functions on N. TIME(n)(T(n)) is the class of functions $f : \{0,1\}^* \to \{0,1\}$ that have an algorithm $A(x)$ running in time $T(|x|)$ such that for every polynomially sampleable probability ensemble $\mu$ and every $n$,

$\Pr_{x \in_{\mu_n} \{0,1\}^n}[A(x) \ne f(x)]$ < (n).

It is infeasible to find instances on which A errs.

The notation SUBEXP(n) is understood accordingly.

Impagliazzo-Wigderson Theorem I

Theorem (Impagliazzo and Wigderson, 2001).

Suppose BPP ≠ EXP. Then $\forall c > 0.\ \mathrm{BPP} \subseteq \text{io-}\mathrm{SUBEXP}_{1/n^c}$.

Theorem (Impagliazzo and Wigderson, 2001).

Either BPP = EXP, or $\mathrm{BPP} \subseteq \text{io-}\mathrm{TIME}_{1/n^c}(2^{n^\delta})$ for all $c, \delta > 0$.

Either randomization is a panacea, or a highly nontrivial derandomization is possible.

Impagliazzo-Wigderson Theorem II

Theorem (2001). $\mathrm{EXP} \cap \mathrm{P/poly} \nsubseteq \text{io-}\mathrm{TIME}_{1/3}(2^{o(n)})/o(n)$.

Corollary. If $\mathrm{BPP} \subseteq \text{io-}\mathrm{TIME}_{1/3}(2^{o(n)})/o(n)$, then BPP = EXP.

Proof. Immediate from Theorem II.

Corollary. If BPP = EXP ∩ P/poly, then BPP ≠ EXP.

Proof. Immediate from Theorem I and Theorem II.

Proof of Theorem II

Construct a language in $\mathrm{E} \cap \mathrm{P/poly} \setminus \text{io-}\mathrm{TIME}_{1/3}(2^{o(n)})/o(n)$.

1. Input $x$ of size $n$.
2. Simulate all TM’s of size $0.1n$ on all advices of size $0.1n$ in $2^n$ steps on all inputs of length $n$. Output 0 if a simulation does not halt. There are at most $2^{0.2n}$ output strings of length $2^n$.
3. Find a hash function $h_r$ in $\{h_r(y) = \langle y, r \rangle\}_{r \in \{0,1\}^n}$ that does not agree with any of the output strings in $\ge \frac{2}{3} \cdot 2^n$ positions.
4. Output $h_r(x)$.

- Step 2 and Step 3 only depend on the input size.
- The algorithm runs in $2^{O(n)}$ time.
- It is in P/poly because we can use $r$ as advice.
- The diagonalization says that it is $\notin \text{io-}\mathrm{TIME}_{1/3}(2^{o(n)})/o(n)$.

Proof of Theorem I, Overview

1. Assume BPP ≠ EXP.
2. Find an EXP- downward self-reducible $f$.
3. Construct a generator $G^d$ such that $G^d \le^p_T f_n$.
4. Use $G^d$ to simulate PTM in BPP.
5. If the simulation algorithm fails, then there is an efficient distinguisher using $f_n$ as oracle.
6. Remove the oracle $f_n$ by self-reduction.
7. Derive a contradiction by proving $f \in \mathrm{BPP}$.

Construction Problem

A construction problem $A = \{A_n\}_n$ is a family of nonempty subsets $A_n \subset \{0,1\}^*$. Think of $A_n$ as a set of circuits with $n$ inputs.

1. Circuits approximating $f$.
   - Let $f : \{0,1\}^* \to \{0,1\}^*$ and  : N → [0, 1]. C^{f, } is defined as follows: C^{f, }_n contains all circuits $C$ with $n$ inputs satisfying $\Pr_{x \in_U \{0,1\}^n}[C(x) = f(x)]$ ≥ (n).
2. Circuits computing $f$. $C^f = C^{f,1}$.
3. Distinguisher.
   - Let $m : \mathbb{N} \to \mathbb{N}$ and $G = \{G_n : \{0,1\}^{m(n)} \to \{0,1\}^n\}$. D^{G, } is defined as follows: D^{G, }_n contains all circuits $D$ with $n$ inputs such that $\Pr_{y \in_U \{0,1\}^{m(n)}}[D(G_n(y)) = 1] - \Pr_{x \in_U \{0,1\}^n}[D(x) = 1]$ ≥ (n).

Efficient Construction

Suppose A, B are construction problems.

- An efficient construction of $A$ is a PTM that, upon receiving $n, \alpha$, outputs in $\mathrm{poly}(n/\alpha)$ time a member $\in A_n$ with probability $\ge 1 - \alpha$.
- An efficient construction of $B$ from $A$, notation $A \to B$, is a P-time PTM that, upon receiving $n$, $\alpha > 0$, $a \in A_n$, outputs a member $\in B_n$ with probability $\ge 1 - \alpha$.

We will also use the notations $A \to^{O} B$, $A \to^{O_{m(n)}} B$.

Self-Reducibility

A function $f : \{0,1\}^* \to \{0,1\}^*$ is weakly random self-reducible if $C^{f, 1 - \frac{1}{n^c}} \to C^f$ for some $c > 0$.

Suppose $f, g : \{0,1\}^* \to \{0,1\}^*$ and $\ell : \mathbb{Z}^+ \to \mathbb{Z}^+$.

- $f_n \le^p_T g_{\ell(n)}$ if ∃ P-time OTM $M^g$ that, upon receiving $x$ with $|x| = n$, outputs $f(x)$ and queries $g$ on strings of size $\le \ell(x)$.
- $f$ is downwards self-reducible if $f_n \le^p_T f_{n-1}$.

We will also use the notations $A \to^{O} B$, $A \to^{O_{m(n)}} B$.

Lemma. Perm is both WRSR and DSR.

Generator Using Oracle Perm

Suppose $c$ and $f$ satisfy $C^{f, 1 - \frac{1}{n^c}} \to C^f$. Think of $f$ as Perm.

1. Direct product function. Let $n_1 = n^{c+2}$.
   - Define $g_{n_1} : \{0,1\}^{n_1} \to \{0,1\}^{n^{c+1}}$ by $g_{n_1}(x_1, \ldots, x_{n^{c+1}}) = f(x_1) \ldots f(x_{n^{c+1}})$.
2. Hard Core Bit. Let $n_2 = n_1 + n^{c+1}$.
   - Define $h_{n_2} : \{0,1\}^{n_2} \to \{0,1\}$ by $h_{n_2}(x, r) = \langle g(x), r \rangle$.
3. Almost disjoint sets generator. Let $m = (n_2)^2$ and $\ell = n^d$.
   - Let $z \in \{0,1\}^m$ and $S \subseteq [\ell]$ with $|S| = n_2$. The notation $z_S$ .
   - There is an explicit construction of $S_1, \ldots, S_\ell$ such that $|S_i \cap S_j| \le \log_n \ell = d$ whenever $i \ne j$.
   - Define $G^d_n : \{0,1\}^m \to \{0,1\}^\ell$ by $G^d_n(z) = h(z_{S_1}) \ldots h(z_{S_\ell})$.

Fact. $G^d_n \le^p_T h_{n_2} \le^p_T g_{n_1} \le^p_T f_n$.

Key Lemma about the Generator

Lemma. Suppose f is weakly random self-reducible. Then

$$D^{G^d, \frac{1}{5}} \to^{f_n} C^{h, \frac{1}{2} + O(\frac{1}{\ell})} \to C^{g, O(\frac{1}{\ell})} \to^{f_n} C^{f, 1 - \frac{1}{n^c}} \to C^f.$$

$D^{G^d, \frac{1}{5}} \to^{f_n} C^{h, \frac{1}{2} + O(\frac{1}{\ell})}$

The proof of Nisan-Wigderson Theorem consists of two steps.

1. Prove that the existence of a distinguisher for $\mathrm{NW}^f$ implies the existence of a predictor for $f$.
2. Show that the existence of a predictor for $f$ implies the existence of an easy algorithm for $f$.

We need to show that both steps are efficiently constructible.



Suppose $D$ is a distinguisher for $G^d$. The following probabilistic algorithm outputs Yao’s predictor $C$.

1. Choose $r_j \in_U \{0,1\}$ for $i \le j \le \ell$.
2. Construct $C(y_1, \ldots, y_{i-1})$ so that it computes “if $D(y_1, \ldots, y_{i-1}, r_i, \ldots, r_\ell) = 1$, output $r_i$, else output $1 - r_i$”.
3. Output $C$.

The success rate of the algorithm is $\frac{1}{\ell}$.

The efficient construction algorithm:

1. Choose $i \in_U [\ell]$.
2. For each $j \in [\ell] \setminus S_i$, set $z_j \in_U \{0,1\}$.
3. Let $z_{S_i}$ be the input variables of the output circuit.
4. For each $i' < i$, query $h$ at all strings in $\{0,1\}^{|S_{i'} \cap S_i|}$ to construct an $|S_{i'} \cap S_i|$-input circuit $C_{i'}$.
5. Apply Polynomial Identity Testing to check $C(C_1, \ldots, C_{i-1}) = h$ by querying $h$ at random points. Estimate the success rate. If it is $> \frac{1}{2} + 0.05 \cdot \frac{1}{\ell}$, output $C(C_1, \ldots, C_{i-1})$; otherwise goto 1.

Since $h_{n_2} \le^p_T f_n$, querying $h_{n_2}$ amounts to querying $f_n$.

The expected repetition is $O(n\ell)$.

$C^{h, \frac{1}{2} + O(\frac{1}{\ell})} \to C^{g, O(\frac{1}{\ell})}$

We have seen the construction in Goldreich-Levin’s proof.

O. Goldreich and L. Levin. A Hard-Core Predicate for All One-Way Functions. STOC’89.

$C^{g, O(\frac{1}{\ell})} \to^{f_n} C^{f, 1 - \frac{1}{n^c}}$

This is the uniform version of a direct product lemma.

L. Levin. One-Way Functions and Pseudorandom Generators. Combinatorica, 1987.

O. Goldreich, N. Nisan and A. Wigderson. On Yao’s XOR-Lemma, Electronic Colloquium on CC, 1995.

R. Impagliazzo and A. Wigderson. P=BPP Unless E has Subexponential Circuits: Derandomizing the XOR Lemma. STOC 1997.

The Derandomization

Using $f$ we have constructed $G^d_n$ that takes a seed of size $n^c$ for fixed $c$ to a string of size $n^d$ for an arbitrarily specified $d$.

- We use these generators to derandomize a BPP algorithm $B$ running in $k^{c_1}$ time.
- The simulation runs in $O(2^{k^\delta})$ time for any given $\delta > 0$.

Derandomization Algorithm. Input: a string of size $k$.

1. Set $d = \frac{2cc_1}{\delta}$ and $n = k^{\frac{\delta}{2c}}$.
2. Compute $G^d_n(\{0,1\}^{n^c})$, a set of strings of size $n^c = k^{\frac{\delta}{2}}$, in $2^{O(n^c)} = O(2^{k^\delta})$ time.
3. Simulate $B$ using $G^d_n(\{0,1\}^{n^c})$, and take the majority vote.

- $k$: the size of the input. $n^c$: the size of the seeds.

Lemma. If $\mathrm{BPP} \nsubseteq \text{io-}\mathrm{TIME}_{1/n^c}(2^{n^\delta})$ for some $c, \delta > 0$, then $D^{G^d, \frac{1}{5}}$ is efficiently constructible with oracle access to $f_n$.

Suppose the simulation is incorrect with probability $\frac{1}{k^d}$ with respect to some sampleable $\mu_k$ on $k$-bit strings for all but finitely many $k$.

- Given $n$, set $k = n^{\frac{2c}{\delta}}$.
- Sample instances $x_1, \ldots, x_r$ with $r = k^{O(1)}$ according to $\mu_k$. This is done in $\mathrm{poly}(k)$.
- With high probability the simulation fails for one of $x_1, \ldots, x_r$.

Let $D_i$ be the circuit that simulates $B(x_i)$ by regarding its input as a random string. This is produced in P-time.

- At least one $D_i$ distinguishes $G^d_n$ from truly random strings.
- Use the oracle $f_n$ to evaluate $G^d_n$, and find the distinguisher $D_i$.

Removing the Oracle

If the conclusion of Impagliazzo-Wigderson Theorem I fails, we obtain a P-time PTM that learns, for every $n$ and every WRSR $f$, a circuit for $f_n$ using an oracle for $f_n$.

- EXP ⊆ P/poly; consequently $\mathrm{P}^{\#\mathrm{P}} = \mathrm{EXP}$.
- So $f$ is EXP-complete, and $f \notin \mathrm{BPP}$ by the assumption.

By Lemma and the key lemma, $C^f$ is efficiently constructible.


Lemma. If $f$ is DSR and $C^f$ is efficiently constructible using oracle $f_n$, then $f \in \mathrm{BPP}$.

1. Compute $C_1 \in C^f_1, \ldots, C_n \in C^f_n$ recursively.
2. Run the P-time probabilistic OTM $M^{C_n}$ for $f_{n+1} \le^p_T f_n$ with error $\alpha = \frac{1}{n^2}$.

- The recursive algorithm runs in P-time.
- By the union bound, $\Pr[C \notin C^f_n] < n\alpha = \frac{1}{n}$.
