
Theorem 3.15 (How to construct pseudorandom functions [175]): Let $G$ be a pseudorandom generator with stretching function $\ell(k) = 2k$, let $G_0(s)$ (resp., $G_1(s)$) denote the first (resp., last) $|s|$ bits in $G(s)$, and

$$G_{\sigma_{|s|}\cdots\sigma_2\sigma_1}(s) \stackrel{\mathrm{def}}{=} G_{\sigma_{|s|}}(\cdots G_{\sigma_2}(G_{\sigma_1}(s))\cdots)$$

Then, the function ensemble $\{f_s : \{0,1\}^{|s|} \mapsto \{0,1\}^{|s|}\}_{s \in \{0,1\}^*}$, where $f_s(x) \stackrel{\mathrm{def}}{=} G_x(s)$, is pseudorandom with length parameters $\ell_D(k) = \ell_R(k) = k$.

The above construction can be easily adapted to any (polynomially-bounded) length parameters $\ell_D, \ell_R : \mathbb{N} \mapsto \mathbb{N}$.

Proof Sketch: The proof uses the hybrid technique: The $i$th hybrid, $H^i_k$, is a function ensemble consisting of $2^{2^i \cdot k}$ functions $\{0,1\}^k \mapsto \{0,1\}^k$, each defined by $2^i$ random $k$-bit strings, denoted $\langle s_\alpha \rangle_{\alpha \in \{0,1\}^i}$. The value of such function at $x = \beta\alpha$, with $|\alpha| = i$, is $G_\beta(s_\alpha)$. The extreme hybrids correspond to our indistinguishability claim (i.e., $H^0_k \equiv f_{U_k}$ and $H^k_k \equiv F_k$), and neighboring hybrids correspond to our indistinguishability hypothesis (specifically, to the indistinguishability of $G(U_k)$ and $U_{2k}$ under multiple samples).
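An added example (not from the text) of the construction in Theorem 3.15 and of the hybrids $H^i_k$ used in its proof sketch, in Python. SHAKE-256 is used as a stand-in for the length-doubling generator $G$ (an assumption; any PRG with $\ell(k) = 2k$ fits), and lengths are measured in bytes, so $|s| = 8\cdot\mathrm{len}(s)$ bits.

```python
import hashlib
import os

# Added example (not from the text): the construction of Theorem 3.15 with the
# length-doubling generator G instantiated by SHAKE-256 (an assumption; it only
# stands in for a pseudorandom generator), plus the hybrids H^i of the proof sketch.
# Lengths are in bytes here, so |s| = 8 * len(s) bits.

def G(s: bytes) -> bytes:
    """Length-doubling generator: |G(s)| = 2|s|, i.e. stretching function ell(k) = 2k."""
    return hashlib.shake_256(s).digest(2 * len(s))

def G_sigma(sigma: int, s: bytes) -> bytes:
    """G_0(s) = first |s| bits of G(s); G_1(s) = last |s| bits of G(s)."""
    out = G(s)
    return out[:len(s)] if sigma == 0 else out[len(s):]

def f(s: bytes, x: str) -> bytes:
    """f_s(x) = G_x(s) = G_{sigma_n}( ... G_{sigma_2}(G_{sigma_1}(s)) ... ), n = |s|.

    x is written as in the theorem, x = sigma_n ... sigma_2 sigma_1, so the
    rightmost bit of x is the first one applied to s.
    """
    if len(x) != 8 * len(s) or set(x) - {"0", "1"}:
        raise ValueError("x must be a bit string of length |s|")
    y = s
    for bit in reversed(x):
        y = G_sigma(int(bit), y)
    return y

def random_hybrid_key(i: int, nbytes: int) -> dict:
    """Key of the i-th hybrid: 2^i independent random |s|-bit strings s_alpha,
    one per alpha in {0,1}^i (constructed here with os.urandom)."""
    return {("" if i == 0 else format(a, f"0{i}b")): os.urandom(nbytes)
            for a in range(2 ** i)}

def hybrid(table: dict, x: str) -> bytes:
    """H^i at x = beta alpha with |alpha| = i: output G_beta(s_alpha).
    i is the key length of the table; H^0 with table {"": s} is exactly f_s,
    and H^{|s|} returns the random string s_x, i.e. a random function."""
    i = len(next(iter(table)))
    beta, alpha = x[:len(x) - i], x[len(x) - i:]
    y = table[alpha]
    for bit in reversed(beta):
        y = G_sigma(int(bit), y)
    return y
```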

We mention that pseudorandom functions have been used to derive negative results in computational learning theory [355] and in complexity theory (cf., Natural Proofs [319]).

3.4 Derandomization of time-complexity classes

Recall the proof of Theorem 3.7: A pseudorandom generator was used to shrink the randomness complexity of a BPP-algorithm, and derandomization was achieved by scanning all possible seeds to the generator. A key observation of [288, 293] is that whenever a pseudorandom generator is used this way, there is no point in insisting that it runs in time polynomial in its seed length. Instead, it suffices to require that the generator runs in time exponential in its seed length (as we are incurring such a time factor anyhow due to the scanning of all possible seeds). Thus, the generator may have running-time greater than the distinguisher it is designed to fool. This observation has opened the door to a sequence of derandomization results [293, 27, 219, 224] culminating in the following theorem, where $\mathcal{E} \stackrel{\mathrm{def}}{=} \bigcup_c \mathrm{Dtime}(t_c)$ with $t_c(n) = 2^{cn}$.

Theorem 3.16 (Derandomization of BPP, revisited [224]): Suppose that there exists a language $L \in \mathcal{E}$ having almost-everywhere exponential circuit complexity (i.e., there exists a constant $b > 0$ such that, for all but finitely many $k$'s, any circuit $C_k$ which correctly decides $L$ on $\{0,1\}^k$ has size at least $2^{bk}$). Then, $\mathcal{BPP} = \mathcal{P}$.

Proof Sketch: Underlying the proof is a construction of a pseudorandom generator due to Nisan and Wigderson [288, 293]. This construction utilizes a predicate computable in exponential-time but unpredictable, even to within a particular exponential advantage, by any circuit family of a particular exponential size. (The crux of [224] is supplying such a predicate, given the hypothesis; their argument utilizes [288, 27, 183, 5, 219].) Given such a predicate the generator works by evaluating the predicate on exponentially-many subsequences of the bits of the seed so that the intersection of any two subsets is relatively small.⁸ Thus, for some constant $b > 0$ and all $k$'s, the generator stretches seeds of length $k$ into sequences of length $2^{bk}$ which (as loosely argued below) cannot be distinguished from truly random sequences by any circuit of size $2^{bk}$.⁹ The derandomization of $\mathcal{BPP}$ proceeds by setting the seed-length to be logarithmic in the input length, and utilizing the above generator.

The above generator fools circuits of the stated size, even when these circuits are presented with the seed as auxiliary input. (These circuits are smaller than the running time of the generator and so they cannot just evaluate the generator on the given seed.) The proof that the generator fools such circuits refers to the characterization of pseudorandom sequences as unpredictable ones. Thus, one proves that the next bit in the generator's output cannot be predicted given all previous bits (as well as the seed). Assuming that a small circuit can predict the next bit, we construct a circuit for predicting the hard predicate. The new circuit incorporates the best (for such prediction) augmentation of the input to the circuit into a seed for the generator (i.e., the bits not in the specific subset of the seed are fixed in the best way). The key observation is that all other bits in the output of the generator depend only on a small fraction of the input bits (i.e., recall the small intersection clause above), and so circuits for computing these other bits have relatively small size (and so can be incorporated in the new circuit). Using all these circuits, the new circuit forms the adequate input for the next-bit predicting circuit, and outputs whatever the latter circuit does.
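An added example (not from the text) of the mechanics of the Nisan-Wigderson-style generator sketched above, in Python: the subsets of seed positions with small pairwise intersections are found by an exhaustive greedy scan (exponential in the seed length, in line with footnote 8), and each output bit is the predicate evaluated on the seed restricted to one subset. The predicate used, parity, is an assumed placeholder that merely shows the mechanics; it is not a predicate that is hard for the circuits the theorem considers, and the tiny parameters are chosen only so the search finishes instantly.

```python
from itertools import combinations

# Added example (not from the text): mechanics of a Nisan-Wigderson-style generator.
# greedy_design finds subsets of seed positions with pairwise intersection <= a by
# scanning all C(k, l) candidates, which is exponential in the seed length k.
# The predicate (parity) is a placeholder assumption, not the hard predicate the
# theorem requires; it only shows how output bits are derived from the seed.

def greedy_design(k: int, l: int, a: int) -> list:
    """Scan all l-subsets of {0,...,k-1} in lexicographic order, keeping a subset
    when it meets every kept subset in at most a positions. The result is a design
    whose pairwise intersections are all of size at most a."""
    design = []
    for cand in combinations(range(k), l):
        cand = frozenset(cand)
        if all(len(cand & kept) <= a for kept in design):
            design.append(cand)
    return design

def max_intersection(design: list) -> int:
    """Largest pairwise intersection in the design (0 if fewer than two sets);
    a check that the 'small intersection' property actually holds."""
    return max((len(A & B) for A, B in combinations(design, 2)), default=0)

def parity(bits: list) -> int:
    """Placeholder predicate (assumption); trivially computable, so not hard."""
    return sum(bits) % 2

def nw_generate(seed: list, design: list, predicate=parity) -> list:
    """Output bit j = predicate(seed restricted to the j-th subset of the design).
    The seed has k bits; the output has one bit per subset, so the stretch is the
    design size, which for suitable parameters exceeds k."""
    return [predicate([seed[i] for i in sorted(S)]) for S in design]
```

With k = 4, l = 2 and a = 1 every pair of positions is admissible, so a 4-bit seed is stretched to 6 output bits, each depending on only 2 seed bits and any two sharing at most one.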

Derandomization of constant-depth circuits. The same underlying idea, yet with a different setting of parameters and using the parity function (which is hard for "small" constant-depth circuits [365, 210]), was used in the context of constant-depth circuits. The aim was to derandomize $\mathcal{RAC}^0$ (i.e., random $\mathcal{AC}^0$), or put in other words – given a constant-depth circuit to deterministically approximate (up-to an additive error) the fraction of inputs which evaluate to some output. The result obtained in [288] implies that, for any constant $d$, given a depth-$d$ circuit $C$, one can approximate the fraction of the number of inputs to $C$ which evaluate to 1 to within additive error 0.01

⁸ These subsets have size linear in the length of the seed, and intersect on a constant fraction of their respective size. Furthermore, they can be determined within exponential-time.

⁹ Thus, this generator is only "moderately more complex" than the distinguisher: Viewed in terms of its output, the generator works in time polynomial in the length of the output, whereas the output fools circuits of size which is a (smaller) polynomial in the length of the output.