DOCSLIB.ORG

A Pseudorandom Generator Construction Based on Randomness Extractors and Combinatorial Designs

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Pseudorandom Generator Construction Based on Randomness Extractors and Combinatorial Designs A PSEUDORANDOM GENERATOR CONSTRUCTION BASED ON RANDOMNESS EXTRACTORS AND COMBINATORIAL DESIGNS Ladan A. Mahabadi B.Sc., University of British Columbia, Vancouver, Canada, 2003 A THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE in the School of Computing Science @ Ladan A. Mahabadi 2006 SIMON FRASER UNIVERSITY Spring 2006 All rights reserved. This work may not be reproduced in whole or in part, by photocopy or other means, without the pernlission of the author. APPROVAL Name: Ladan A. Mahabadi Degree: Master of' Science Title of thesis: A Pseudorandom Generator Construction based on Randomness Extractors and Combinatorial Designs Examining Committee: Dr. Arthur Kirkpatrick Chair Dr. Arvind Gupta, Supervisor, Professor of Conlputing Science Simon F'raser University Dr. Valentine Kabanets, Senior Supervisor, Professor of Computing Science Simon Fraser University Dr. GBbor Tardos, Examiner, Professor of Computing Science, Simon Fraser University Date Approved: hr-/3A% .. I1 SIMON FRASER !? &-J2 !? UNIVERSITYIibra ry DECLARATION OF PARTIAL COPYRIGHT LICENCE The author, whose copyright is declared on the title page of this work, has granted to Simon Fraser University the right to lend this thesis, project or extended essay to users of the Simon Fraser University Library, and to make partial or single copies only for such users or in response to a request from the library of any other university, or other educational institution, on its own behalf or for one of its users. The author has further granted permission to Simon Fraser University to keep or make a digital copy for use in its circulating collection, and, without changing the content, to translate the thesislproject or extended essays, if technically possible, to any medium or format for the purpose of preservation of the digital work. The author has further agreed that permission for multiple copying of this work for scholarly purposes may be granted by either the author or the Dean of Graduate Studies. It is understood that copying or publication of this work for financial gain shall not be allowed without the author's written permission. Permission for public performance, or limited permission for private scholarly use, of any multimedia materials forming part of this work, may have been granted by the author. This information may be found on the separately catalogued multimedia material and in the signed Partial Copyright License. The original Partial Copyright License attesting to these terms, and signed by this author, may be found in the original bound copy of this work, retained in the Simon Fraser University Archive. Simon Fraser University Library Burnaby, BC, Canada Abstract Nisan and Wigderson in their seminal work introduced a new (conditional) pseudorandom generator construction which since then has been extensively used in con~plexitytheory and has led to extensive further research. Impagliazzo and Wigderson (1997), and Sudan, Trevisan, and Vadhan (2001) have shown how this construction can be utilized to prove conditional derandomization results under weaker hardness assumptions. We study the construction of pseudorandom generators, and use an observation of Sudan et al. to re- cast the Impagliazzo-Wigderson construction in terms of weak sources of randomness; such a source is a distribution on binary strings that is "random" in the sense of having high "entropy". We will then use an efficient algorithm of Gabizon et al. to extract almost all of the randomness present, obtaining a pseudorandom generator that stretches O(n) bits to R(n2n) bits. Keywords: pseudorandom generator, derandomization, pseudorandomness, oblivious bit-fixing weak sources, extractors, preservation of indistinguishability To my parents, my sister, and mom Badri. "Only those who will risk going too far can possibly find out how far me can go." - T. S. Eliot Acknowledgments Guidance, support and assistance of numerous individuals have made this thesis possible, and there are many to whom I am forever grateful. Mainly, this thesis is based on joint work with my senior supervisor, Dr. Valentine Kabanets. Naturally, I 'd like to thank Dr. Kabanets and Dr. Arvind Gupta for introducing me to this field, and for their great input and guidance. I 'd like to extend my gratitude to Dr. GBbor Tardos for serving as my examiner on the examining committee. I owe special thanks to my friends Jano Manuch and Peter Zubcsek for their unconditional support and help throughout this thesis. I truly enjoyed my many research meetings with Jano, and am grateful for his patience and meticulous attention to mathematical details. My sincere thanks go to Antonina Kolokolova for her great and timely advice. Most importantly, I owe everything to my parents and sister. They have been with me through it all, and without their love, support and everlasting faith in me I would not have succeeded. Contents Approval Abstract iii Dedication Quotation Acknowledgments vi Contents vii List of Figures ix 1 Introduction 1.1 Blum-Micali-Yao's pseudorandom generator . 1.2 Nisan-Wigderson's Pseudorandom Generator . 1.3 Distinction between the NW and BMY PRGs . 1.4 Relationship between hardness and randomness . 1.4.1 Hardness implies Randomness . 1.4.2 Randomness implies Hardness . 1.5 Amplification of Hardness . 1.5.1 Yao's XOR Lemma . 1.5.2 Amplification from worst-case hardness to Mild hardness . 1.5.3 Impagliazzo-Wigderson's Randomness efficient hardness amplification 1.6 Brief introduction to extractors . 1.7 Sudan-Trevisan-Vadhan Pseudorandom Generator Construction . vii 1.8 Significance of our work .............................. 14 2 Preliminaries 18 2.1 Preliminary definitions ............................... 18 2.2 Hardness vs . Indistinguishability ......................... 20 2.3 Hardness vs . Randomness ............................. 20 2.3.1 Randomness implies hardness ....................... 20 2.3.2 Hardness implies randomness ....................... 22 2.4 Nisan-Wigderson Pseudorandom Generator Construction ........... 24 2.5 Main Definitions .................................. 25 2.5.1 Weak sources and extractors ....................... 25 2.5.2 Expanders .................................. 27 3 Our Construction 30 4 Preservation of Indistinguishability 34 4.1 Preservation of indistinguishability in the cryptography setting ........ 35 4.2 Preservation of indistinguishability in the derandomization setting .............................. 39 5 Correctness of our construction 46 6 Conclusion 53 A Auxiliary Proofs 5 5 A.l Hardness vs . Indistinguishabilit. ......................... 55 Bibliography 5 8 ... Vlll List of Figures Derandomization of a randomized algorithm using a pseudorandom generator G . (0' l)d + (0. l)T(n)............................... Overview of Nisan-Wigderson's pseudorandom generator [NW94] ....... Yao's amplification of hardness using the xor function [Yao82] ......... Overview of the Impagliazzo-Wigderson Construction[IW97] .......... Derandomization of a randomized algorithm using an extractor ........ Sudan-Trevisan-Vadhan's pseudorandom generator construction using an ex- tractor [STVOl] ................................... Existing hardness amplification techniques .................... Nisan-Wigderson's pseudorandom generator [NW94] .............. Impagliazzo-Wigderson 's generator used for derandomizing Yao's XOR lemma [IW97] ........................................ An overview of our PRG construction G : (0. l)O(n)+ (0. l)(1-o(1))6n2n... Pseudorandon1 Generator G(z): (0. l)O(n)+ (0. l)(1-o(1))6n2n........ Preservation of Indistinguishability in different computational settings .... Chapter 1 Introduction The problem of improving efficiency of algorithms through more econonlical use of resources such as time, space and randomness has fascinated computer scientists for decades. For in- stance, randomness appears to be vital for the efficiency of some algorithms (e.g., polynonlial identity testing) and in other cases can be reduced or eliminated (e.g., primality testing). However, there are applications such as cryptography or zero-knowledge proofs where ran- domness is inherently necessary. Indeed, one of the most fundamental questions in com- plexity theory is determining the necessity of randomness in efficient algorithms. Namely, is the aesthetic speed up produced by utilizing randomness in algorithm design just due to lack of efficient, advanced deterministic algorithms or does randomness really help? Resolving this fundamental question is intriguing both philosophically and theoretically. Philosophically, does adding information independent from the input help speed up some computations? Theoretically, elimination of randomness translates into efficient determin- istic simulation of randomized conlplexity classes such as BPP (2-sided probabilistic poly- nomial time algorithms). Deciphering the role of randomness requires elucidation of the relationship between conlplexity classes BPP, P (deterministic polynomial time) and EXP (deterministic exponential time). This relationship has been studied from different angles using tools such as pseudo-random generators (referred to as PRGs). A randomized algorithm R, besides its regular input string x, needs a secondary input r as the random choices used throughout its computation. Throughout its computation, if a random coin flip is needed, the random bit will be looked up from r and depending on this bit one of two actions takes place. In practice, access to truly random bits is very limited, and
Load more

Recommended publications
  • Lecture 8: Key Derivation, Protecting Passwords, Slow Hashes, Merkle Trees
    Lecture 8: Key derivation, protecting passwords, slow hashes, Merkle trees Boaz Barak Last lecture we saw the notion of cryptographic hash functions which are functions that behave like a random function, even in settings (unlike that of standard PRFs) where the adversary has access to the key that allows them to evaluate the hash function. Hash functions have found a variety of uses in cryptography, and in this lecture we survey some of their other applications. In some of these cases, we only need the relatively mild and well-defined property of collision resistance while in others we only know how to analyze security under the stronger (and not precisely well defined) random oracle heuristic. Keys from passwords We have seen great cryptographic tools, including PRFs, MACs, and CCA secure encryptions, that Alice and Bob can use when they share a cryptographic key of 128 bits or so. But unfortunately, many of the current users of cryptography are humans which, generally speaking, have extremely faulty memory capacity for storing large numbers. There are 628 ≈ 248 ways to select a password of 8 upper and lower case letters + numbers, but some letter/numbers combinations end up being chosen much more frequently than others. Due to several large scale hacks, very large databases of passwords have been made public, and one estimate is that the most frequent 10, 000 ≈ 214 passwords account for more than 90% of the passwords chosen. If we choose a password at random from some set D then the entropy of the password is simply log |D|. Estimating the entropy of real life passwords is rather difficult.
    [Show full text]
  • 1 Perfect Secrecy of the One-Time Pad
    1 Perfect secrecy of the one-time pad In this section, we make more a more precise analysis of the security of the one-time pad. First, we need to define conditional probability. Let’s consider an example. We know that if it rains Saturday, then there is a reasonable chance that it will rain on Sunday. To make this more precise, we want to compute the probability that it rains on Sunday, given that it rains on Saturday. So we restrict our attention to only those situations where it rains on Saturday and count how often this happens over several years. Then we count how often it rains on both Saturday and Sunday. The ratio gives an estimate of the desired probability. If we call A the event that it rains on Saturday and B the event that it rains on Sunday, then the intersection A ∩ B is when it rains on both days. The conditional probability of A given B is defined to be P (A ∩ B) P (B | A)= , P (A) where P (A) denotes the probability of the event A. This formula can be used to define the conditional probability of one event given another for any two events A and B that have probabilities (we implicitly assume throughout this discussion that any probability that occurs in a denominator has nonzero probability). Events A and B are independent if P (A ∩ B)= P (A) P (B). For example, if Alice flips a fair coin, let A be the event that the coin ends up Heads. If Bob rolls a fair six-sided die, let B be the event that he rolls a 3.
    [Show full text]
  • Pseudorandomness and Computational Difficulty
    PSEUDORANDOMNESS AND COMPUTATIONAL DIFFICULTY RESEARCH THESIS SUBMITTED IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF SCIENCE HUGO KRAWCZYK SUBMITTED TOTHE SENATEOFTHE TECHNION —ISRAEL INSTITUTE OF TECHNOLOGY SHVAT 5750 HAIFAFEBRUARY 1990 Amis padres, AurorayBernardo, aquienes debo mi camino. ALeonor,compan˜era inseparable. ALiat, dulzuraycontinuidad. This research was carried out in the Computer Science Department under the supervision of Pro- fessor Oded Goldreich. To Oded, my deep gratitude for being both teacher and friend. Forthe innumerable hoursofstimulating conversations. Forhis invaluable encouragement and support. Iamgrateful to all the people who have contributed to this research and given me their support and help throughout these years. Special thanks to Benny Chor,Shafi Goldwasser,Eyal Kushilevitz, Jacob Ukel- son and Avi Wigderson. ToMikeLuby thanks for his collaboration in the work presented in chapter 2. Ialso wish to thank the Wolf Foundation for their generous financial support. Finally,thanks to Leonor,without whom all this would not have been possible. Table of Contents Abstract ............................. 1 1. Introduction ........................... 3 1.1 Sufficient Conditions for the Existence of Pseudorandom Generators ........ 4 1.2 The Existence of Sparse Pseudorandom Distributions . ............ 5 1.3 The Predictability of Congruential Generators ............... 6 1.4 The Composition of Zero-Knowledge Interactive-Proofs . ........... 8 2. On the Existence of Pseudorandom Generators ............... 10 2.1. Introduction .......................... 10 2.2. The Construction of Pseudorandom Generators .............. 13 2.3. Applications: Pseudorandom Generators based on Particular Intractability Assump- tions . ............................ 22 3. Sparse Pseudorandom Distributions ................... 25 3.1. Introduction .......................... 25 3.2. Preliminaries ......................... 25 3.3. The Existence of Sparse Pseudorandom Ensembles ............. 27 3.4.
    [Show full text]
  • 6.045J Lecture 13: Pseudorandom Generators and One-Way Functions
    6.080/6.089 GITCS April 4th, 2008 Lecture 16 Lecturer: Scott Aaronson Scribe: Jason Furtado Private-Key Cryptography 1 Recap 1.1 Derandomization In the last six years, there have been some spectacular discoveries of deterministic algorithms, for problems for which the only similarly-efficient solutions that were known previously required randomness. The two most famous examples are • the Agrawal-Kayal-Saxena (AKS) algorithm for determining if a number is prime or composite in deterministic polynomial time, and • the algorithm of Reingold for getting out of a maze (that is, solving the undirected s-t con­ nectivity problem) in deterministic LOGSPACE. Beyond these specific examples, mounting evidence has convinced almost all theoretical com­ puter scientists of the following Conjecture: Every randomized algorithm can be simulated by a deterministic algorithm with at most polynomial slowdown. Formally, P = BP P . 1.2 Cryptographic Codes 1.2.1 Caesar Cipher In this method, a plaintext message is converted to a ciphertext by simply adding 3 to each letter, wrapping around to A after you reach Z. This method is breakable by hand. 1.2.2 One-Time Pad The “one-time pad” uses a random key that must be as long as the message we want to en­ crypt. The exclusive-or operation is performed on each bit of the message and key (Msg ⊕ Key = EncryptedMsg) to end up with an encrypted message. The encrypted message can be decrypted by performing the same operation on the encrypted message and the key to retrieve the message (EncryptedMsg⊕Key = Msg). An adversary that intercepts the encrypted message will be unable to decrypt it as long as the key is truly random.
    [Show full text]
  • A Mathematical Formulation of the Monte Carlo Method∗
    A Mathematical formulation of the Monte Carlo method∗ Hiroshi SUGITA Department of Mathematics, Graduate School of Science, Osaka University 1 Introduction Although admitting that the Monte Carlo method has been producing practical results in many fields, a number of researchers have the following serious suspicion about it. The Monte Carlo method needs random numbers. But since no computer program can generate them, we execute a Monte Carlo method using a pseu- dorandom number generated by a computer program. Of course, such an expedient can never have any mathematical justification. As a matter of fact, this suspicion is a misunderstanding caused by prejudice. In this article, we propose a proper mathematical formulation of the Monte Carlo method, which resolves this suspicion. The mathematical definitions of the notions of random number and pseudorandom number have been known for quite some time. Indeed, the notion of random number was defined in terms of computational complexity by Kolmogorov and others in 1960’s ([3, 4, 6]), while the notion of pseudorandom number was defined in the context of cryptography by Blum and others in 1980’s ([1, 2, 14]). But unfortunately, those definitions have been thought to be useless until now in understanding and executing the Monte Carlo method. It is not because their definitions are improper, but because our way of thinking about the Monte Carlo method has been improper. In this article, we propose a mathematical formulation of the Monte Carlo method which is based on and theoretically compatible with those definitions of random number and pseudorandom number. Under our formulation, as a result, we see the following.
    [Show full text]
  • Measures of Pseudorandomness
    Katalin Gyarmati Measures of Pseudorandomness Abstract: In the second half of the 1990s Christian Mauduit and András Sárközy [86] introduced a new quantitative theory of pseudorandomness of binary sequences. Since then numerous papers have been written on this subject and the original theory has been generalized in several directions. Here I give a survey of some of the most important results involving the new quantitative pseudorandom measures of finite bi- nary sequences. This area has strong connections to finite fields, in particular, some of the best known constructions are defined using characters of finite fields and their pseudorandom measures are estimated via character sums. Keywords: Pseudorandomness, Well Distribution, Correlation, Normality 2010 Mathematics Subject Classifications: 11K45 Katalin Gyarmati: Department of Algebra and Number Theory, Eötvös Loránd University, Budapest, Hungary, e-mail: [email protected] 1Introduction In the twentieth and twenty-first centuries various pseudorandom objects have been studied in cryptography and number theory since these objects are widely used in modern cryptography, in applications of the Monte Carlo method and in wireless communication (see [39]). Different approaches and definitions of pseudorandom- ness can be found in several papers and books. Menezes, Oorschot and Vanstone [95] have written an excellent monograph about these approaches. The most frequent- ly used interpretation of pseudorandomness is based on complexity theory; Gold- wasser [38] has written a survey paper about this approach. However, recently the complexity theory approach has been widely criticized. One problem is that in this approach usually infinite sequences are tested while in the applications only finite sequences are used. Another problem is that most results are based on certain un- proved hypotheses (such as the difficulty of factorization of integers).
    [Show full text]
  • Pseudorandomness
    ~ MathDefs ~ CS 127: Cryptography / Boaz Barak Pseudorandomness Reading: Katz-Lindell Section 3.3, Boneh-Shoup Chapter 3 The nature of randomness has troubled philosophers, scientists, statisticians and laypeople for many years.1 Over the years people have given different answers to the question of what does it mean for data to be random, and what is the nature of probability. The movements of the planets initially looked random and arbitrary, but then the early astronomers managed to find order and make some predictions on them. Similarly we have made great advances in predicting the weather, and probably will continue to do so in the future. So, while these days it seems as if the event of whether or not it will rain a week from today is random, we could imagine that in some future we will be able to perfectly predict it. Even the canonical notion of a random experiment- tossing a coin - turns out that it might not be as random as you’d think, with about a 51% chance that the second toss will have the same result as the first one. (Though see also this experiment.) It is conceivable that at some point someone would discover some function F that given the first 100 coin tosses by any given person can predict the value of the 101th.2 Note that in all these examples, the physics underlying the event, whether it’s the planets’ movement, the weather, or coin tosses, did not change but only our powers to predict them. So to a large extent, randomness is a function of the observer, or in other words If a quantity is hard to compute, it might as well be random.
    [Show full text]
  • 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008
    MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms. 6.080/6.089 GITCS April 4th, 2008 Lecture 16 Lecturer: Scott Aaronson Scribe: Jason Furtado Private-Key Cryptography 1 Recap 1.1 Derandomization In the last six years, there have been some spectacular discoveries of deterministic algorithms, for problems for which the only similarly-efficient solutions that were known previously required randomness. The two most famous examples are • the Agrawal-Kayal-Saxena (AKS) algorithm for determining if a number is prime or composite in deterministic polynomial time, and • the algorithm of Reingold for getting out of a maze (that is, solving the undirected s-t con­ nectivity problem) in deterministic LOGSPACE. Beyond these specific examples, mounting evidence has convinced almost all theoretical com­ puter scientists of the following Conjecture: Every randomized algorithm can be simulated by a deterministic algorithm with at most polynomial slowdown. Formally, P = BP P . 1.2 Cryptographic Codes 1.2.1 Caesar Cipher In this method, a plaintext message is converted to a ciphertext by simply adding 3 to each letter, wrapping around to A after you reach Z. This method is breakable by hand. 1.2.2 One-Time Pad The “one-time pad” uses a random key that must be as long as the message we want to en­ crypt. The exclusive-or operation is performed on each bit of the message and key (Msg ⊕ Key = EncryptedMsg) to end up with an encrypted message.
    [Show full text]
  • Lecture 3: Randomness in Computation
    Great Ideas in Theoretical Computer Science Summer 2013 Lecture 3: Randomness in Computation Lecturer: Kurt Mehlhorn & He Sun Randomness is one of basic resources and appears everywhere. In computer science, we study randomness due to the following reasons: 1. Randomness is essential for computers to simulate various physical, chemical and biological phenomenon that are typically random. 2. Randomness is necessary for Cryptography, and several algorithm design tech- niques, e.g. sampling and property testing. 3. Even though efficient deterministic algorithms are unknown for many problems, simple, elegant and fast randomized algorithms are known. We want to know if these randomized algorithms can be derandomized without losing the efficiency. We address these in this lecture, and answer the following questions: (1) What is randomness? (2) How can we generate randomness? (3) What is the relation between randomness and hardness and other disciplines of computer science and mathematics? 1 What is Randomness? What are random binary strings? One may simply answer that every 0/1-bit appears with the same probability (50%), and hence 00000000010000000001000010000 is not random as the number of 0s is much more than the number of 1s. How about this sequence? 00000000001111111111 The sequence above contains the same number of 0s and 1s. However most people think that it is not random, as the occurrences of 0s and 1s are in a very unbalanced way. So we roughly call a string S 2 f0; 1gn random if for every pattern x 2 f0; 1gk, the numbers of the occurrences of every x of the same length are almost the same.
    [Show full text]
  • The Intel Random Number Generator
    ® THE INTEL RANDOM NUMBER GENERATOR CRYPTOGRAPHY RESEARCH, INC. WHITE PAPER PREPARED FOR INTEL CORPORATION Benjamin Jun and Paul Kocher April 22, 1999 Information in this white paper is provided without guarantee or warranty of any kind. This review represents the opinions of Cryptography Research and may or may not reflect opinions of Intel Corporation. Characteristics of the Intel RNG may vary with design or process changes. © 1999 by Cryptography Research, Inc. and Intel Corporation. 1. Introduction n = − H K∑ pi log pi , Good cryptography requires good random i=1 numbers. This paper evaluates the hardware- where pi is the probability of state i out of n based Intel Random Number Generator (RNG) possible states and K is an optional constant to for use in cryptographic applications. 1 provide units (e.g., log(2) bit). In the case of a Almost all cryptographic protocols require random number generator that produces a k-bit the generation and use of secret values that must binary result, pi is the probability that an output be unknown to attackers. For example, random will equal i, where 0 ≤ i < 2k . Thus, for a number generators are required to generate -k perfect random number generator, pi = 2 and public/private keypairs for asymmetric (public the entropy of the output is equal to k bits. This key) algorithms including RSA, DSA, and means that all possible outcomes are equally Diffie-Hellman. Keys for symmetric and hybrid (un)likely, and on average the information cryptosystems are also generated randomly. present in the output cannot be represented in a RNGs are also used to create challenges, nonces sequence shorter than k bits.
    [Show full text]
  • Lecture 7: Pseudo Random Generators 1 Introduction 2
    Introduction to Cryptography 02/06/2018 Lecture 7: Pseudo Random Generators Instructor: Vipul Goyal Scribe: Eipe Koshy 1 Introduction Randomness is very important in modern computational systems. For example, randomness is needed for encrypting a session key in an SSL connection or for encrypting a hard drive. There are multiple challenges associated with generating randomness for modern systems: • True randomness is difficult to get • Large amounts of randomness are needed in practice Given these challenges, several different input sources are used for randomness on modern systems. For example, key strokes or mouse movements can be used as a source of randomness. However, these sources are limited in the amount of randomness they can generate. In addition, it is critical that the sources of randomness be truly random or close to being truly random. Several crypto-systems have been defeated1 because their randomness generators were broken (i.e. not truly random.) As a solution to both the challenges detailed above for generating randomness, an approach to build a kind of randomness generator that creates random strings of a desired length would be to first, start off with building a short random string (of length, say, n bits), and then, expand it to a longer random looking string k (of length, say, l(n) bits.) We can represent this "randomness" generator as f : f0; 1gn ! f0; 1gl(n) A key question is: Can we can really expand a short string with a few random bits into a longer string with many random bits? The answer lies in the definition of the term "random looking" that we we used in our definition above.
    [Show full text]
  • Pseudorandom Generators
    8 Pseudorandom Generators Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 Randomness is one of the fundamental computational resources and appears everywhere. In computer science, we study randomness due to the following reasons: First, computers are used to simulate various random processes in Physics, Chemistry and Biology. Second, ran- domness is widely used in Cryptography, and a few techniques of algorithm design (e.g. sampling, random walks) rely on randomness. Third, even though efficient deterministic al- gorithms are unknown for many problems, simple, elegant and fast randomized algorithms are known and easy to analyze. For many problems (e.g. primality testing), usually we have efficient randomized algorithms at first before we obtain deterministic polynomial-time algo- rithms eventually. This leads the question of derandomization, i.e., if we have a general way to derandomize randomized algorithms without significantly increasing their runtime. The answer to these questions have lead to the study of pseudorandomness. In today’s lecture, we will address the following three questions: (1) What is randomness? What are the possible ways to define randomness? (2) How do computer programs generate random numbers? Are these numbers truly random? (3) What the relationship between randomness and other disciplines of Computer Science and Mathematics? 8.1 What is Randomness? What are random binary strings? The best way to think about perfect randomness is as an arbitrary long sequence of binary strings, where every 0 or 1 appears equally, i.e. every 0/1- bit appears with the same probability (50%) in a random order. For instance, the string 00000000010000000001000010000 is not random as the number of 0s is much more than the number of 1s.
    [Show full text]