Pseudorandomness for Network Algorithms Russell Impagliazzo ∗ Noam Nisan y Avi Wigderson z Abstract This theory has developed in two (related) branches: conditional and unconditional results. In a condi- We define pseudorandom generators for Yao's two- tional result (of the above type), the quality of the party communication complexity model and exhibit generator is based on some complexity theoretic as- a simple construction, based on expanders, for it. We sumption, which is believed but is not known to hold. then use a recursive composition of such generators to Such results exist for very strong models, specifically obtain pseudorandom generators that fool distributed polynomial time computation, under various assump- network algorithms. While the construction and the tions [BM82, Yao82, GKL88, ILL89, Has90, NW88, proofs are simple, we demonstrate the generality of BFNW]. such generators by giving several applications. The unconditional results use no unproven assump- tion, and typically demonstrate that weaker compu- tational models can be fooled by pseudorandom gen- 1 Introduction erators. To this class of results belong the pseudo- The theory of pseudorandomness is aimed at under- random generators for various constant-depth circuits standing the minimum amount of randomness that a [AW85, Nis91, LVW93] and for space-bounded Turing probabilistic model of computation actually needs. A machines [BNS89, Nis92, NZ93]. Our paper adds a typical result shows that n truly random bits used by significant number of computational models for which the model can be replaced by n pseudorandom ones, such unconditional results can be proved. generated deterministically from m << n random We present a new construction of a pseudorandom bits, without significant difference in the behavior of generator which fools every computational model which the model. The deterministic function stretching the can be described as a network of probabilistic proces- m random bits into n pseudorandom ones is called sors. The quality of the generator (i.e. the number a pseudorandom generator, which is said to fool the of truly random bits m it needs to generate its pseu- given model. dorandom output) essentially depends on the com- munication bandwidth of the algorithm run by the ∗Dept. of Computer Science, UCSD. Supported by USA- network. This is determined by two essential factors: Israel BSF grant 92-00043. the size of separators in the network, and the number yInstitute of Computer Science, Hebrew University of Jerusalem, Israel. This work was supported by USA-Israel BSF of bits communicated by each processor. Note that grant 92-00043 and by a Wolfeson research award administered we care nothing for the computational power of the by the Israeli Academy of Sciences. processors, and care little about their number! zInstitute of Computer Science, Hebrew University of Jerusalem, Israel. This work was supported by USA-Israel BSF Our generator is constructed recursively, based on grant 92-00106 and by a Wolfeson research award administered a recursive balanced partitioning of the nodes in the by the Israeli Academy of Sciences. given networks by small separators. Thus the key graph-theoretic parameter is the tree-width of the net- work, which determines the largest cut encountered in such a process. The savings in random bits is sig- nificant (m = nc for some c < 1) for networks which can be embedded in small dimensional space (such as grids) and low genus topological spaces (such as planar and excluded minor families of graphs). The O(1) 0 savings are extremely significant (m = (log n) ) Page 1 for networks such as paths, cycles and trees. Physical systems and cellular automata As a \base-case" for the recursive construction of • Many models of statistical mechanics assume lo- the pseudo-random generator, serves a new pseudo- cal interactions (usually on a lattice structure) random generator for the two-party communication and random inputs at every site. Monte-Carlo complexity model of [Y79], which is interesting in its simulations of such systems (e.g. heat propa- own right. This generator is based on an expanding gation, spin-glass models, Maxwell's gas model, graph and its security relies on the on following simple ...) are performed in masses. Our results imply observation: The two parties will behave essentially that, provably, much less randomness is needed the same, whether they receive two independent ran- to perform them accurately than it may seem. dom vertices, or the two endpoints of a random edge (Of course, the physicists use even less random- of the expander. Moreover, if the parties use c com- ness via the simple generators supplied in ev- munication bits, it suffices that the expander have ery computer, and seem to be satisfied (usually) degree only exp(O(c)), regardless of the input length. with the outcome, despite its unproven quality.) Moreover, the difference in behavior (traffic on the The paper is organized as follows. In section 2 we communication channel) will be bounded by exp( c). describe the basic generator, which fools two-party As mentioned above, a large number of models− communication complexity. In section 3 we define can be viewed as algorithms performed by commu- distributed networks and protocols, and how to con- nication networks. For these we can apply our gen- struct the generator to fool them. Section 4 describes eral theorem and obtain specific generators. We list our applications. these applications below. We mention in passing that it is standard to derive from the generators explicit functions, for which complexity lower bounds (which 2 Two Parties depend on the quality of the generator) in the given model can be proved. Definition 1 A function g : 0; 1 m 0; 1 r 0; 1 r is is called a pseudorandomf generatorg ! f for com-g × Space-bounded computation Here the net- municationf g complexity c with parameter , if for every • work is a path on which the (random) input re- two-party protocol P of at most c bits of communica- sides, and communication is performed by the tion moving head. We obtain an O(log2 n) genera- tor for what we call bounded read-multiplicity P r[P (y1; y2) accepts] P r[P (g(x)) accepts] , Logspace machines. This includes as a spe- j − j ≤ cial case Nisan's pseudorandom generator for where y1 and y2 are chosen uniformly at random in 0; 1 r, and x is chosen uniformly in 0; 1 m. In Logspace machines [Nis92]. This also includes f g f g as a special case arbitrary two-way finite au- short we say that g is a c-generator if it is a pseu- tomata. dorandom generator for communication complexity c c with parameter 2− . Turing machines. We obtain a O~(pT ) gen- • erator for one-tape time(T ) Turing machines. It is clear that for m = 2r it is trivial to get a We also obtain a O~(pST ) generator for general c-generator for any c (the identity function), and it is also clear that m r + c is a lower bound on m. time(T )-space(S) bounded Turing machines. These ≥ results require a generalization of our basic gen- Our main result in this section is a construction which erator, aimed to handle average rather than worst uses a nearly optimal number of bits m = r + O(c). case bound on the communication complexity. The Generator: Fix an easily constructible regular Boolean circuits. Here the network is the cir- r • expander graph H = (V; E), with 2 vertices and cuit itself, and we obtain pseudorandom gen- degree D = 2d. The input to the generator g is a erators that fool planar circuits and read-once name of a (directed) edge in E, and the two outputs formulae. It also results in pseudorandom gen- 2 are the two vertices on the edge. Thus g accepts an erators for VLSI model in the AT measure. m = r + d bit string and produces two r bit strings. Parallel and distributed network algorithms. Theorem 1 g is a c-generator, for c = (d log λ)=2, • This obviously suits our model. The most stun- where λ is the second largest eigenvalue of H−. In par- ning savings we get are for simple architectures ticular, if H is Ramanujan [LPS86], g is a (d=4) generator. like trees and rings for which we can reduce the − randomness requirements to polylog. Nontriv- Proof: For every graph H = (V; E) of degree D and ial savings in randomness are also achieved for second largest eigenvalue λ, and for every S; T V grid architectures. we have the standard inequality (see e.g. [AC88])⊆ Page 2 3 General Distributed Protocols E(S; T ) S T λ j j j j j j j E − V V j ≤ D 3.1 The Communication Network j j j j j j In our context, the left-hand side is exactly the Our generators work against networks which have difference in probability that a pair of vertices (a; b) small separators, and which their subgraphs also do. belongs to the \rectangle" S T , where in the first Formally we need: expression it is chosen as the× endpoints of uniformly random directed edge from E, and in the second each Definition 3 Let H = (V; E) be a graph. A parti- vertex independently from V . tion tree T for H is a rooted binary tree with a one- Recall that a c-protocol P partitions the inputs to-one onto mapping of V to the leaves of T . A par- c into at most 2 rectangles, say Si Ti, and that the × tition tree T is called balanced if the depth of T is protocol accepts for rectangles i I. Thus by the O(log V ).