1. Joint with A. Ta-Shma & D. Zuckerman
2. Improved: R. Shaltiel and C. Umans
Slides: Adi Akavia
Extractors via Low-degree Polynomials

Definitions
Def: The min-entropy of a random variable X over {0, 1}^n is defined as:
$$H(X) = \min_{x \in \{0,1\}^n} \left(-\log_2 \Pr[X = x]\right)$$
Thus a random variable X has min-entropy at least k if Pr[X=x] ≤ 2^{-k} for all x. [Maximum possible min-entropy for such a R.V. is n]
Def (statistical distance): Two distributions on a domain D are ε-close if the probabilities they give to any A ⊆ D differ by at most ε (namely, half the norm-1 of the distance)

Definitions
Def: A (k, ε)-extractor is a function E: {0,1}^n × {0,1}^t → {0,1}^m s.t. for any R.V. X with min-entropy ≥ k, E(X,U_t) is ε-close to U_m (where U_m denotes the uniform distribution over {0,1}^m)
[Diagram: E takes a weak random source (n) and a seed (t) and outputs a random string (m).]

Parameters
The relevant parameters are:
min entropy of the weak random source – k. Relevant values log(n) ≤ k ≤ n (seed length is t ≥ log(n), hence no point in considering lower min entropy).
seed length t ≥ log(n)
Quality of the output: ε
Size of the output m=f(k). The optimum is m=k.

Extractors
[Diagram: E maps a high min-entropy distribution (space of size 2^n) and a uniform-distribution seed (space of size 2^t) to a close to uniform output (space of size 2^m).]

Next Bit Predictors
Claim: to prove E is an extractor, it suffices to prove that for all 0<i<m+1 and all predictors f: {0,1}^{i-1} → {0,1}:
$$\Pr\left[f\left(E(X,U_t)_{1\ldots i-1}\right) = E(X,U_t)_i\right] \le \frac{1}{2} + \frac{\varepsilon}{m}$$
Proof: Assume E is not an extractor; then there exists a distribution X s.t. E(X,U_t) is not ε-close to U_m, that is:
$$\exists A \subseteq \{0,1\}^m:\quad P = \Pr_{s\sim U_t,\,x\sim X}\left[E(x,s) \in A\right] - \Pr_{y\sim U_m}\left[y \in A\right] > \varepsilon$$

Proof
Now define the following hybrid distributions:
$$\begin{aligned}
H_0 &= U_m \\
H_1 &= E(X,U_t)_1 \circ U_{m-1} \\
&\;\;\vdots \\
H_{i-1} &= E(X,U_t)_{1..i-1} \circ U_{m-i+1} \\
H_i &= E(X,U_t)_{1..i} \circ U_{m-i} \\
&\;\;\vdots \\
H_m &= E(X,U_t)_{1..m}
\end{aligned}$$

Proof
Summing the probabilities for the event corresponding to the set A for all distributions yields:
$$\sum_{i=1}^{m}\left(\Pr_{x\sim H_i}[x \in A] - \Pr_{x\sim H_{i-1}}[x \in A]\right) = \Pr_{x\sim H_m}[x \in A] - \Pr_{x\sim H_0}[x \in A] = P > \varepsilon$$
And because |∑a_i| ≤ ∑|a_i| there exists an index 0<i<m+1 for which:
$$H_i(A) - H_{i-1}(A) = \Pr_{x\sim H_i}[x \in A] - \Pr_{x\sim H_{i-1}}[x \in A] > \frac{\varepsilon}{m}$$

The Predictor
We now define a function f: {0,1}^{i-1} → {0,1} that can predict the i'th bit with probability at least ½+ε/m ("a next bit predictor"):
The function f uniformly and independently draws the bits y_i,…,y_m and outputs:
$$f(x_1,\ldots,x_{i-1}) = \begin{cases} y_i & (x_1,\ldots,x_{i-1},y_i,\ldots,y_m) \in A \\ \overline{y_i} & \text{otherwise} \end{cases}$$
Note: the above definition is not constructive, as A is not known!

Proof
And f is indeed a next bit predictor:
$$\begin{aligned}
\Pr[f(x_1 \ldots x_{i-1}) = x_i]
&= \Pr[(x_1,\ldots,x_{i-1},y_i,\ldots,y_m) \in A \wedge y_i = x_i] + \Pr[(x_1,\ldots,x_{i-1},y_i,\ldots,y_m) \notin A \wedge y_i \ne x_i] \\
&= \Pr[(x_1,\ldots,x_i,y_{i+1},\ldots,y_m) \in A \wedge y_i = x_i] + \Pr[y_i \ne x_i] - \Pr[(x_1,\ldots,x_{i-1},y_i,\ldots,y_m) \in A \wedge y_i \ne x_i] \\
&= \tfrac{1}{2} H_i(A) + \tfrac{1}{2} - \left(H_{i-1}(A) - \tfrac{1}{2} H_i(A)\right) \\
&= \tfrac{1}{2} + H_i(A) - H_{i-1}(A) \\
&> \tfrac{1}{2} + \frac{\varepsilon}{m}
\end{aligned}$$
Q.E.D.
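The hybrid argument and the predictor f from the preceding slides, computed exactly on a small case. This is an added example, not part of the original slides: toy_E, FLAT_SOURCE and the helper names are hypothetical, and A is taken to be the set of outputs that are more likely under E(X,U_t) than under U_m.

```python
from fractions import Fraction
from itertools import product

def output_dist(E, source, t, m):
    """Exact distribution of E(X, U_t) as {m-bit tuple: probability}."""
    seeds = list(product((0, 1), repeat=t))
    dist = {z: Fraction(0) for z in product((0, 1), repeat=m)}
    for x, px in source.items():
        for s in seeds:
            dist[E(x, s)] += px / len(seeds)
    return dist

def hybrid_weight(dist, A, i, m):
    """H_i(A): the first i bits come from E(X, U_t), the last m-i are uniform."""
    total = Fraction(0)
    for z, pz in dist.items():
        for tail in product((0, 1), repeat=m - i):
            if z[:i] + tail in A:
                total += pz / 2 ** (m - i)
    return total

def predictor_success(dist, A, i, m):
    """Exact Pr[f(x_1..x_{i-1}) = x_i] for the predictor f built from A (i is 1-based)."""
    win = Fraction(0)
    for z, pz in dist.items():
        for y in product((0, 1), repeat=m - i + 1):      # the drawn bits y_i, ..., y_m
            guess = y[0] if z[:i - 1] + y in A else 1 - y[0]
            if guess == z[i - 1]:
                win += pz / 2 ** (m - i + 1)
    return win

def analyse(E, source, t, m):
    """Return (P, [H_0(A), ..., H_m(A)], best index i, success of f at that index)."""
    dist = output_dist(E, source, t, m)
    A = {z for z, p in dist.items() if p > Fraction(1, 2 ** m)}
    H = [hybrid_weight(dist, A, i, m) for i in range(m + 1)]
    best = max(range(1, m + 1), key=lambda i: H[i] - H[i - 1])
    return H[m] - H[0], H, best, predictor_success(dist, A, best, m)

# Constructed toy case (n=3, t=1, m=3): the third output bit is x_2 AND x_3,
# so it is biased and correlated with the second output bit.
def toy_E(x, s):
    return (x[0] ^ s[0], x[1], x[1] & x[2])

FLAT_SOURCE = {x: Fraction(1, 8) for x in product((0, 1), repeat=3)}

if __name__ == "__main__":
    P, H, best, win = analyse(toy_E, FLAT_SOURCE, t=1, m=3)
    print("P =", P, " hybrids:", H)
    print("best index i =", best, " predictor success =", win)
```

The whole gap P sits between the last two hybrids here, and the predictor's success at that index equals ½ + H_i(A) − H_{i−1}(A), as in the proof.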

Next-q-it List-Predictor
f is allowed to output a small list of l possible next elements

q-ary Extractor
Def: Let F be a field with q elements.
A (k, l) q-ary extractor is a function E: {0,1}^n × {0,1}^t → F^m s.t. for all R.V. X with min-entropy ≥ k and all 0<i<m and all list-predictors f: F^{i-1} → F^l:
$$\Pr\left[E(X,U_t)_i \in f\left(E(X,U_t)_{1\ldots i-1}\right)\right] \le \frac{1}{\sqrt{l}}$$

Generator
Def: Define the generator matrix for the vector space F^d as a matrix A_{d×d}, s.t. for any non-zero vector v ∈ F^d:
$$\{A^i v\}_i = F^d \setminus \{0\}$$
(that is, any vector 0≠v ∈ F^d multiplied by all powers of A generates the entire vector space F^d except for 0)
Lemma: Such a generator matrix exists and can be found in time q^{O(d)}.

Strings as Low-degree Polynomials
Let F be a field with q elements
Let F^d be a vector space over F
Let h be the smallest integer s.t.
For x ∈ {0,1}^n, let  denote the unique d-variate polynomial of total degree h-1 whose coefficients are specified by x.
h d nd logq
Note that for such a polynomial, the number of coefficients is exactly:
(“choosing where to put d-1 bars between h-1 balls”)
h d nd logq

The [SU] Extractor
The definition of the q-ary extractor: E: {0,1}^n × {0,1}^{d log q} → F^m
1 2 mE x,v v , A v , A v ,..., A v 1 2 mE x,v v , A v , A v ,..., A v
[Diagram: the seed, interpreted as a vector v ∈ F^d, and the points A^i v, …, A^m v reached from it by the generator matrix, each marked with the polynomial's value at that point.]
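A toy instance of the generator-matrix lemma and of this construction: a generator is found by a q^{O(d)} search over companion matrices, and the polynomial specified by x is evaluated along successive powers of A applied to the seed. This is an added example, not the authors' code. It assumes a prime q (arithmetic mod q), takes x directly as a list of coefficients in F, outputs the values at A^1 v, …, A^m v, and all function names are hypothetical.

```python
from itertools import product
from math import comb

def mat_vec(A, v, q):
    return tuple(sum(a * b for a, b in zip(row, v)) % q for row in A)

def companion(c, q):
    """Matrix of 'multiply by X' on F_q[X]/(X^d + c[d-1]X^(d-1) + ... + c[0])."""
    d = len(c)
    A = [[0] * d for _ in range(d)]
    for r in range(1, d):
        A[r][r - 1] = 1                  # X * X^(r-1) = X^r
    for r in range(d):
        A[r][d - 1] = -c[r] % q          # X * X^(d-1) = -(c[0] + ... + c[d-1]X^(d-1))
    return A

def orbit(A, v, q, limit):
    """A^1 v, A^2 v, ... stopping at the first return to v (or after `limit` steps)."""
    out, w = [], v
    for _ in range(limit):
        w = mat_vec(A, w, q)
        out.append(w)
        if w == v:
            break
    return out

def find_generator(q, d):
    """Try the q^d companion matrices; each check costs q^d - 1 steps: q^O(d) overall.
    If the orbit of (1,0,..,0) first returns after q^d - 1 steps, X generates the
    multiplicative group of the quotient field, so every non-zero v has a full orbit."""
    e1 = (1,) + (0,) * (d - 1)
    for c in product(range(q), repeat=d):
        A = companion(c, q)
        orb = orbit(A, e1, q, q ** d - 1)
        if len(orb) == q ** d - 1 and orb[-1] == e1:
            return A
    raise ValueError("no generator found (q must be prime in this sketch)")

def monomials(d, h):
    """Exponent vectors of total degree <= h-1, in a fixed order."""
    return [e for e in product(range(h), repeat=d) if sum(e) <= h - 1]

def evaluate(coeffs, point, q, h):
    d = len(point)
    if len(coeffs) != comb(h + d - 1, d):    # number of monomials of total degree <= h-1
        raise ValueError("wrong number of coefficients")
    total = 0
    for c, e in zip(coeffs, monomials(d, h)):
        term = c
        for p, k in zip(point, e):
            term = term * pow(p, k, q) % q
        total = (total + term) % q
    return total

def extract(coeffs, v, A, q, h, m):
    """Values of the polynomial at A^1 v, ..., A^m v (assumed output convention)."""
    out, w = [], v
    for _ in range(m):
        w = mat_vec(A, w, q)
        out.append(evaluate(coeffs, w, q, h))
    return out

Q, D, H = 5, 2, 3                     # constructed toy parameters
X_COEFFS = [1, 2, 3, 4, 0, 1]         # constructed sample of the source: 6 coefficients

if __name__ == "__main__":
    A = find_generator(Q, D)
    print("A =", A)
    print("E(x, v) =", extract(X_COEFFS, (1, 0), A, Q, H, 4))
```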

Main Theorem
Thm: For any n, q, d and h as previously defined, E is a (k, l) q-ary extractor if:
Alternatively, E is a (k, l) q-ary extractor if:
2 2 2
k mhdlogq log l
q h d l
2
2
k mhdlog q log l
q l hdlogq

What's Ahead
"counting argument" and how it works
The reconstruction paradigm
Basic example – lines in space
Proof of the main theorem

Extension Fields
A field F2 is called an extension of another field F if F is contained in F2 as a subfield.
Thm: For every power p^k (p prime, k>0) there is a unique (up to isomorphism) finite field containing p^k elements. These fields are denoted GF(p^k) and comprise all finite fields.
Def: A polynomial is called irreducible in GF(p) if it does not factor over GF(p)
Thm: Let f(x) be an irreducible polynomial of degree k over GF(p). The set of degree k-1 polynomials over Z_p, with addition coordinate-wise and multiplication modulo f(x), form the finite field GF(p^k)

Counting Argument
For Y ⊆ X, denote (Y) = Σ_{y∈Y} Pr[y] ("the weight of Y")
Assume a mapping R: {0,1}^a → {0,1}^n, s.t. Pr_{x~X}[∃z R(z)=x] ≥ ½
Then:
for X uniform over a subset of 2^n, |X| ≤ 2 |R(S)|
for an arbitrary distribution X, (X) ≤ 2 (R(S))
If X is of min-entropy k, then (R(S)) ≤ 2^a·2^{-k} = 2^{a-k} and therefore k ≤ a + 1 (1 = (X) ≤ 2 (R(S)) ≤ 2^{1+a-k})
[Diagram: R maps S, in the space of size 2^a, to R(S), in the space of size 2^n that contains X.]

"Reconstruction Proof Paradigm"
Proof sketch:
For a certain R.V. X with min-entropy k, assume by way of contradiction, a predictor f for the q-ary extractor.
For a<<k construct a function R: {0,1}^a → {0,1}^n -- the "reconstruction function" -- that uses f as an oracle and:
$$\Pr_{x\sim X}\left[\exists z.\ R^f(z) = x\right] \ge \frac{1}{2}$$
By the "counting argument", this implies X has min-entropy much smaller than k

Basic Example – Lines
Construction:
Let BC: F → {0,1}^s be a (inefficient) binary code
Given
x, a weak random source, interpreted as a polynomial : F^2 → F, and
s, a seed, interpreted as a random point (a,b), and an index j to a binary code.
Def: E(x,s) = BC( (a,b))_j, BC( (a,b+1))_j, ..., BC( (a,b+m))_j

Basic Example – Illustration of Construction
[Illustration: x, with s = ((a,b), 2). The points (a,b), (a,b+1), …, (a,b+m) are labelled with the (inefficient) binary code words 001 110 000 101 110, and E(x,s)=01001.]

Basic Example – Proof Sketch
Assume, by way of contradiction, there exists a predictor function f:
$$\Pr\left[E(X,U_t)_i \in f\left(E(X,U_t)_{1\ldots i-1}\right)\right] > l^{-1/2}$$
Next, show a reconstruction function R, s.t.
$$\Pr_{x\sim X}\left[\exists z.\ R^f(z) = x\right] \ge \frac{1}{2}$$
Conclude, a contradiction! (to the min-entropy assumption of X)

Basic Example – Reconstruction Function
Random line
List decoding by the predictor f
Resolve into one value on the line
Repeat using the new points, until all F^d is evaluated
h ~ n^{1/2}
j ~ lg n
m ~ desired entropy
"advice": "Few" red points: a=mjO(h)

Problems with the above Construction
Too many lines!
Takes too many bits to define a subspace

The Reconstruction Function (R)
Task: allow many strings x in the support of X to be reconstructed from very short advice strings.
Outlines:
Use f in a sequence of prediction steps to evaluate the polynomial on all points of F^d.
Interpolate to recover coefficients of the polynomial, which gives x
Next We Show: there exists a sequence of prediction steps that works for many x in the support of X and requires few advice strings

Curves
Let r=(d),
Pick random vectors and values
2r random points y_1,…,y_{2r} ∈ F^d, and
2r values t_1,…,t_{2r} ∈ F, and
Define degree 2r-1 polynomials p_1, p_2
p_1: F → F^d defined by p_1(t_i)=y_i, i=1,..,2r.
p_2: F → F^d defined by p_2(t_i)=Ay_i, i=1,..,r, and p_2(t_i)=y_i, i=r+1,..,2r.
Define vector sets P_1={p_1(z)}_{z∈F} and P_2={p_2(z)}_{z∈F}
∀i>0 define P_{2i+1}=AP_{2i-1} and P_{2i+2}=AP_{2i}
({P_i}, the sequence of prediction steps, are low-degree curves in F^d, chosen using the coin tosses of R)

Curves
[Figure: the values t_1, …, t_r, t_{r+1}, …, t_{2r} in F and the points y_1, …, y_{2r} in F^d, with the successive curves through A(y_j), A^2(y_j), A^3(y_j), …, A^{i*}(y_j); the points v, A^i v, A^m v are marked.]

Simple Observations
A is non-singular linear-transform, hence ∀i:
P_i is 2r-wise independent collection of points
P_i and P_{i+1} intersect at r random points
The polynomial restricted to P_i is a univariate polynomial of degree at most 2hr.
Given evaluation of the polynomial on Av, A^2 v, …, A^m v, we may use the predictor function f to predict its value at A^{m+1} v to within l values.
We need advice string: 2hr coefficients of the polynomial restricted to P_i, for i=1,…,m. (length: at most mhr log q ≤ a)

Using N.B.P.
[Figure: the curves through A(y_j), A^2(y_j), …, A^{i*}(y_j) over t_1, …, t_{2r}, with the points v, A^i v, A^m v marked.]
Cannot resolve into one value!

Using N.B.P.
[Figure: the same curves, extended to A^{i*+1}(y_1), …, A^{i*+1}(y_r).]
Can resolve into one value using the second curve!

Using N.B.P.
[Figure: the same curves, extended to A^{i*+1}(y_1), …, A^{i*+1}(y_r), with y_{r+1}, …, y_{2r} marked.]
Can resolve into one value using the second curve!

Open Problems
Is the [SU] extractor optimal? Just run it for longer sequences
Reconstruction technique requires interpolation from h (the degree) points, hence maximal entropy extracted is k/h
The seed --a point-- requires logarithmic number of bits

Main Lemma Proof Cont.
Claim: with probability at least 1-1/8q^d over the coin tosses of R:
Proof: We use the following tail bound:
Let t>4 be an even integer, and X_1,…,X_n be t-wise independent R.V. with values in [0,1]. Let X=ΣX_i, =E[X], and A>0. Then:
i
i* 1 1j
z P
1Pr j.f A z ,..., A z z
4 l
t / 22
2
t tPr X A 8
A

Main Lemma Proof Cont.
According to the next bit predictor, the probability for successful prediction is at least 1/2√l.
In the i'th iteration we make q predictions (as many points as there are on the curve).
Using the tail bounds provides the result.
Q.E.D (of the claim).
Main Lemma Proof (cont.): Therefore, w.h.p. there are at least q/4√l evaluation points of P_i that agree with the degree 2hr polynomial on the i'th curve (out of a total of at most lq).

Main Lemma Proof Cont.
A list decoding bound: given n distinct pairs (x_i,y_i) in field F and parameters k and d, with k>(2dn)^{1/2}, there are at most 2n/k degree d polynomials g such that g(x_i)=y_i for at least k pairs.
Furthermore, a list of all such polynomials can be computed in time poly(n,log|F|).
Using this bound and the previous claim, at most 8l^{3/2} degree 2rh polynomials agree on this number of points (q/4√l).

Lemma Proof Cont.
Now, P_i intersects P_{i-1} at r random positions, and we know the evaluation of the polynomial at the points in P_{i-1}
Two degree 2rh polynomials can agree on at most 2rh/q fraction of their points,
So the probability that an "incorrect" polynomial among our candidates agrees on all r random points is at most
$$\left(8 l^{3/2}\right)\left(\frac{2rh}{q}\right)^{r} < \frac{1}{8 q^{d}}$$

Main Lemma Proof Cont.
So, with probability at least 1 - 1/(8q^d) we learn points P_i successfully.
After 2q^d prediction steps, we have learned the polynomial on F^d\{0} (since A is a generator of F^d\{0})
by the union bound, the probability that every step of the reconstruction is successful is at least ½.
Q.E.D (main lemma)

Proof of Main Theorem Cont.
First, by averaging argument:
Therefore, there must be a fixing of the coins of R, such that:
llyxEyxEfj ijiyXx
2/12/1),()),((.PrPr *1*...1
lyxEyxEfj ijiyXx
/1]),()),((.[Pr *1*...1,
ll
xzRz f
Xx 4
1
2
1
2
1)(.Pr

Using N.B.P. – Take 2
[Figure: the same curves, extended to A^{i*+1}(y_1), …, A^{i*+1}(y_r).]
Use N.B.P over all points in F, so that we get enough "good evaluation"

Proof of Main Theorem Cont.
According to the counting argument, this implies that:
Recall that r=(d). A contradiction to the parameter choice:
Q.E.D (main theorem)!
)log2()4
log()4
log( qmhrOadvicek
)1
log()log(l
qmhdk

From q-ary extractors to (regular) extractors
The simple technique - using error correcting codes:
Lemma: Let F be a field with q elements. Let C: {0,1}^{k=log(q)} → {0,1}^n be a binary error correcting code with distance at least 0.5-O(^2). If
E: {0,1}^n × {0,1}^t → F^m is a (k,O()) q-ary extractor, then
E': {0,1}^n × {0,1}^{t+log(n)} → F^m defined by:
E'(x;(y,j)) = C(E(x;y)_1)_j ... C(E(x;y)_m)_j
is a (k, m) binary extractor.

From q-ary extractors to (regular) extractors
A more complex transformation from q-ary extractors to binary extractors achieves the following parameters:
Thm: Let F be a field with q<2^m elements. There is a polynomial time computable function:
*logq log m 1O(log ) (mlog )
mB: F {0,1} {0,1}
Such that for any (k,) q-ary extractor E, E'(x;(y,j))=B(E(x;y),j) is a (k, log*m) binary extractor.

From q-ary extractors to (regular) extractors
The last theorem allows using theorem 1 for = O(/log*m), and implies a (k,) extractor with seed length t=O(log n) and output length m=k/(log n)^{O(1)}

Extractor → PRG
Identify:
string x ∈ {0,1}^{log n} with the function x: {0,1}^{log n} → {0,1} by setting x(i)=x_i
Denote by S(x) the size of the smallest circuit computing function x
Def (PRG): an ε-PRG for size s is a function G: {0,1}^t → {0,1}^m with the following property: ∀ 1≤i≤m and all functions f: {0,1}^{i-1} → {0,1}^i with size s circuits,
Pr[f(G(U_t)_{1...i-1})=G(U_t)_i] ≤ ½ + ε/m
This implies: for all size s-O(1) circuits C
|Pr[C(G(U_t))=1] – Pr[C(U_m)=1]|

q-ary PRG
Def (q-ary PRG): Let F be the field with q elements. A -q-ary PRG for size s is a function G: {0,1}^t → F^m with the following property: ∀ 1≤i≤m and all functions f: F^{i-1} → F^{(^{-2})} with size s circuits,
Pr[∃j f(G(U_t)_{1...i-1})_j=G(U_t)_i] ≤
Fact: O()-q-ary PRG for size s can be transformed into (regular) m-PRG for size not much smaller than s

The Construction
Plan for building a PRG G_x: {0,1}^t → {0,1}^m:
use a hard function x: {0,1}^{log n} → {0,1}
let  be the low-degree extension of x
obtain l "candidate" PRGs, where l=d(log q / log m) as follows:
For 0≤j<l define G_x^{(j)}: {0,1}^{d log q} → F^m by
G_x^{(j)}(v) = (A^{1m^j} v) (A^{2m^j} v) ... (A^{Mm^j} v)
where A is a generator of F^d\{0}
Note: G_x^{(j)} corresponds to using our q-ary extractor construction with the "successor function" A^{m^j}
We show: x is hard ⇒ at least one G_x^{(j)} is a q-ary PRG

Getting into Details
Let F' be a subfield of F of size h
Lemma: there exist invertible d×d matrices A and A' with entries from F which satisfy:
∀v ∈ F^d s.t. v≠0, {A^i v}_i = F^d\{0}
∀v ∈ F'^d s.t. v≠0, {A'^i v}_i = F'^d\{0}
A' = A^p for p=(q^d-1)/(h^d-1)
A and A' can be found in time q^{O(d)}
think of F^d as both a vector space and the extension field of F
Note F'^d is a subset of F^d
perhaps we should just say: immediate from the correspondence between the cyclic group GF(q^d) and F^d\{0} ??? otherwise in details we may say:
Proof: There exists a natural correspondence between F^d and GF(q^d), and between F'^d and GF(h^d). GF(q^d) is cyclic of order q^d-1, i.e. there exists a generator g. g^p generates the unique subgroup of order h^d-1, the multiplicative group of GF(h^d). A and A' are the linear transforms corresponding to g and g^p respectively.

require h^d>n
Define  as follows: (A'^i 1)=x(i), where 1 is the all 1 vector (low degree extension).
Recall: For 0≤j<l define G_x^{(j)}: {0,1}^{d log q} → F^m by
G_x^{(j)}(v) = (A^{1m^j} v) (A^{2m^j} v) ... (A^{Mm^j} v)
Theorem (PRG main): for every n, d, and h satisfying h^d>n, at least one of G_x^{(j)} is an -q-ary PRG for size (^{-4} h d^2 log^2 q). Furthermore, all the G_x^{(j)}s are computable in time poly(q^d,n) with oracle access to x.
since h^d>n, there are enough "slots" to embed all x in a d dimensional cube of size h^d
and since A' generates F'^d\{0}, indeed x is embedded in a d dimensional cube of size h^d
Note h denotes the degree in individual variables, and the total degree is at most hd
The computation of the low-degree extension from x can be done in poly(n,q^d)=q^{O(d)} time

Extension Field
Def: if F is a subset of E, then we say that E is an extension field of F.
Lemma: let E be an extension field of F, f(x) be a polynomial over F (i.e. f(x) ∈ F[X]), c ∈ E, then f(x) → f(c) is a homomorphism of F[X] into E.

Construction of the Galois Field GF(q^d)
Thm: let p(x) be irreducible in F[X], then there exists E, an extension field of F, where there exists a root of p(x).
Proof Sketch: add (a new element) to F. is to be a root of p(x).
In F[] (polynomials with variable )

Example: F=reals, p(x)=x^2+1