admin: ps4 due now, ps5 out today

pseudorandom generators / cryptography

pseudorandom generators

we've seen: explicit constructions of pseudorandom objects
  [[k-wise independence, expanders, list-decodable codes, extractors]]
  => derandomize maxcut, USTCONN
  => randomness-optimal BPP error reduction
  => simulating BPP with weak random sources
  => P=BPP ?

idea: \poly(n) random bits -> O(\lg n) random bits -> 0 random bits
  \-> pseudorandom generator          \-> enumeration

measures of (pseudo)randomness
  k-wise independence: consider \vec{x}\to(x_1,\ldots,x_{n-1},x_1\oplus\cdots\oplus x_{n-1})
    this is (n-1)-wise independent but does not fool parity!
    [[hence this isn't enough even for simple classes of functions]]
  \Delta(X,U_m), H_\infty: f(U_{\lg m})\ne_\eps U_m for every f [[support of size m inside \bits^m]]
    \-> no *statistical* notion of randomness can work with a short seed; need a computational one

def: X,Y random variables over \bits^m are (t,\eps)-indistinguishable if for all f:\bits^m\to\bits computable by a size-t circuit [[recall circuits]]
    |\Pr[f(X)=1]-\Pr[f(Y)=1]|\le\eps
  [[for statistical distance we let t=\infty]]
  equivalently \Delta(f(X),f(Y))\le\eps [[this is the "correct" defn]]

def [[draw picture]]: G:\bits^{d(m)}\to\bits^m is a (t,\eps) pseudorandom generator (PRG) if G(U_{d(m)}) and U_m are (t,\eps)-indistinguishable

why circuits? some arguments will exploit non-uniformity, and in some settings it is required
  e.g. \exists r_0 with \Pr[f(x,r_0)=1]\ge\eps [[hence, we hardwire it]]

lem: an (m,1/8) PRG G:\bits^{d(m)}\to\bits^m computable in time t(m)
  => BPP\subseteq \bigcup_c \TIME(2^{d(m)}(n^{O(c)}+t(n^{O(c)}))) with m=n^c
pf: BPP algo A(x;r) runs in time n^c => |r|\le n^c
  A(x;r) is an n^{O(c)}-size circuit as a function of r
  => \Delta(A(x,R),A(x,G(U_{d(n^c)})))\le 1/8
  => majority vote of A(x,G(U_{d(n^c)})) over all seeds is correct
  \-> computed in the above time
rmk: needed non-uniformity: A(x;r) is a randomized algorithm, need to look at the function r\to A_x(r)=A(x;r)
  [[from one TM get many functions, x = non-uniform advice]]

convention: size(ckt) = #inputs(ckt) [[the only real bound we have on #inputs is the size of the ckt; this keeps one less parameter]]

defn: G:\bits^d\to\bits^m is strongly explicit if computable in time \poly(d,m)
  [[best one can hope for; compare to the neighbor map in an expander]]
  [[in expanders we had a weaker notion: compute the whole expander in time poly in the size of the expander]]
  G:\bits^d\to\bits^m is weakly explicit if computable in time \poly(2^d,m), where size(G)=2^d\cdot m
  [[suffices for derandomization, as we already incur the 2^d overhead]]

parameters:
  d=m             => BPP\subseteq \EXP = 2^{\poly}
  d=m^{\eps}      => BPP\subseteq \SUBEXP = \bigcap_\eps 2^{m^\eps}
  d=\poly(\log m) => BPP\subseteq \quasiP = 2^{\polylog}
  d=O(\lg m)      => BPP\subseteq P [[hence 2^d is okay here]]

prop: an (m,\eps) PRG G:\bits^d\to\bits^m exists [[size=#inputs]] with d=O(\lg m+\lg(1/\eps))
pf: probabilistic method. choose G:\bits^d\to\bits^m at random
  fix f, a size-m ckt; there are at most 2^{\poly(m)} such ckts
  \Pr_G\big[\,|\Pr[f(G(U_d))=1]-\mu(f)|>\eps\,\big]\le e^{-\eps^2 2^d/4} [[chernoff; \mu(f)=\Pr[f(U_m)=1]]]
  \Pr_G[\exists f,\ldots]\le 2^{\poly(m)}\,e^{-\eps^2 2^d/4} < 1 once d=O(\lg m+\lg(1/\eps))

Cor: BPP\subseteq \P/\poly
pf1: recall: amplify BPP error w/ independent repetitions, then choose a single random string as advice
pf2: advice = PRG; run the BPP algo on the PRG's outputs
rmk: these constructions are the *same*

Q. how to construct PRGs?

cryptography [[pseudorandomness started in crypto; the techniques are intertwined, "remember your roots"]]

private key encryption

one-time pad scheme: pre-shared key r\in\bits^m [[randomly chosen; where does the randomness come from?]]
  Alice has x\in\bits^m -> sends y = x\oplus r -> Bob recovers x = y\oplus r
  Eve sees y and asks x=?; but y is uniformly random [[for every x]]
rmk: perfect security
  r can only be used *once* [[hence the name "one-time pad"]]
  need to know the message length m *before* the conversation starts

doing better: idea: replace r with pseudorandomness
scheme: choose a pseudorandom function f:\bits^n\times\bits^d\to\bits^m [[won't define here, but "looks like a random function"]]
  pre-shared secret key s\in\bits^d [[chosen randomly]]
  i-th message x_i\in\bits^m: Alice sends y_i=x_i\oplus f(i,s), Bob recovers x_i=y_i\oplus f(i,s)
  Eve sees \{y_i\}, which should *look random*
rmk: computational security:
  Eve can run in m^c time for *any* c [[eg, Eve=NSA, but Alice=me, Bob=you]]
  Eve succeeds with probability \le 1/m^c for *all* c [[theoretical model of "small probability"]]
  single key, many messages

def: G_m:\bits^{d(m)}\to\bits^{m} is a cryptographic PRG if
  G_m is fully explicit [[computable in \poly(m) time]]
  G_m is an (m^c,1/m^c)-PRG for all constants c
rmk: derand PRG: the PRG can run in *more* time than the algo it fools
     crypto PRG: the PRG's runtime is fixed, the adversary can run in more time

Q. existence?
  prob-method: non-explicit crypto PRGs exist
  crypto PRG exists => P\ne NP
  P\ne NP =?> crypto PRG [[currently unknown; known that known techniques can't show this]]

def [[draw picture]]: f_n:\bits^n\to\bits^n is a one-way function (OWF) if
  f_n is computable in \poly(n) time
  f_n is hard to invert on average: for any c and large enough n, for any circuit A of size n^c,
    \Pr[A(f_n(U_n))\in f_n^{-1}(f_n(U_n))]\le 1/n^c
rmk: average-case assumption [[not saying we always fail, just that we most often fail]]
  f(p,q)=p\cdot q with p,q n/2-bit numbers is conjectured to be a OWF [[one-wayness based on hardness of integer factoring]]
  OWFs are required for *any* crypto; they suffice for "private-key crypto"; they likely don't suffice for "public-key" crypto

next time: cryptography, hybrid argument, avg-case hardness
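The (n-1)-wise independence counterexample from the start of the lecture, worked out by exhaustive enumeration. This is an added illustration, not part of the notes: it checks that every set of n-1 output coordinates of G(s)=(s_1,\ldots,s_{n-1},\oplus s) is exactly uniform (statistical distance 0), and that the parity test, a tiny circuit, nevertheless distinguishes G(U_{n-1}) from U_n with advantage 1/2. The helper names (xor_gen, max_marginal_distance, parity_advantage) are my own.

```python
from collections import Counter
from fractions import Fraction
from itertools import combinations, product


def xor_gen(seed):
    """The generator from the notes: the n-1 seed bits followed by their XOR."""
    return tuple(seed) + (sum(seed) % 2,)


def output_distribution(n):
    """Exact distribution of G(U_{n-1}) as counts over n-bit tuples (total mass 2^(n-1))."""
    dist = Counter()
    for seed in product((0, 1), repeat=n - 1):
        dist[xor_gen(seed)] += 1
    return dist


def statistical_distance(dist_a, total_a, dist_b, total_b):
    """Delta(X,Y) = 1/2 * sum_x |Pr[X=x] - Pr[Y=x]|, computed exactly with Fractions."""
    keys = set(dist_a) | set(dist_b)
    return sum(abs(Fraction(dist_a.get(k, 0), total_a) - Fraction(dist_b.get(k, 0), total_b))
               for k in keys) / 2


def max_marginal_distance(n, k):
    """Largest statistical distance between any k coordinates of G(U_{n-1}) and U_k.

    k-wise independence means exactly that this value is 0."""
    dist = output_distribution(n)
    total = 2 ** (n - 1)
    uniform_k = Counter({y: 1 for y in product((0, 1), repeat=k)})
    worst = Fraction(0)
    for coords in combinations(range(n), k):
        marginal = Counter()
        for y, count in dist.items():
            marginal[tuple(y[i] for i in coords)] += count
        worst = max(worst, statistical_distance(marginal, total, uniform_k, 2 ** k))
    return worst


def parity_advantage(n):
    """|Pr[parity(G(U_{n-1}))=1] - Pr[parity(U_n)=1]|.

    Every output of G has even parity, so the parity circuit distinguishes with advantage 1/2,
    even though no n-1 coordinates reveal anything."""
    dist = output_distribution(n)
    total = 2 ** (n - 1)
    p_gen = Fraction(sum(c for y, c in dist.items() if sum(y) % 2 == 1), total)
    return abs(p_gen - Fraction(1, 2))


if __name__ == "__main__":
    n = 5
    print("max distance of any 4 coordinates from U_4:", max_marginal_distance(n, 4))  # 0
    print("distance of the full output from U_5:", max_marginal_distance(n, 5))        # 1/2
    print("parity test advantage:", parity_advantage(n))                                # 1/2
```

The full-output distance of 1/2 is the "support of size 2^{n-1} inside \bits^n" remark in numbers: the statistical notion sees the gap immediately, which is exactly why the computational (t,\eps)-indistinguishability definition is needed for short seeds.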
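The lemma's simulation (run A(x;G(s)) for every seed s\in\bits^d, take the majority) made concrete. This is an added example, not from the notes: the BPP algorithm is Freivalds' check of whether AB=C using three 0/1 test vectors (error at most 1/8 when AB\ne C, matching the lemma's (m,1/8) parameter), and the generator toy_prg is an assumed stand-in that expands a seed with SHA-256 in counter mode, used only to show the enumeration mechanics; nothing here proves it fools circuits. The names derandomize, toy_prg and verify_product are my own.

```python
import hashlib
from itertools import product


def toy_prg(seed_bits, m):
    """Stand-in G:{0,1}^d -> {0,1}^m (assumption: SHA-256 in counter mode, for illustration only)."""
    seed = bytes(seed_bits)
    out = []
    ctr = 0
    while len(out) < m:
        h = hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        out.extend((byte >> i) & 1 for byte in h for i in range(8))
        ctr += 1
    return out[:m]


def matvec(M, v):
    """Integer matrix-vector product."""
    return [sum(a * b for a, b in zip(row, v)) for row in M]


def freivalds(A, B, C, r_bits, trials=3):
    """BPP algorithm A(x;r) for x=(A,B,C): accept iff A(B r_j) == C r_j for each of `trials`
    0/1 vectors r_j carved from r_bits. Always accepts when AB=C; when AB!=C each trial
    rejects with probability >= 1/2, so the error is at most 2^-trials."""
    n = len(A)
    for j in range(trials):
        r = r_bits[j * n:(j + 1) * n]
        if matvec(A, matvec(B, r)) != matvec(C, r):
            return False
    return True


def derandomize(algo, x, d, m, prg=toy_prg):
    """The lemma's deterministic simulation: 2^d runs of algo on pseudorandom strings, majority vote."""
    accepts = 0
    for s in product((0, 1), repeat=d):
        accepts += 1 if algo(*x, prg(s, m)) else 0
    return accepts > 2 ** (d - 1)


def verify_product(A, B, C, d=8):
    """Deterministic AB=C check: seed length d, randomness length m = 3n (three n-bit test vectors)."""
    n = len(A)
    return derandomize(freivalds, (A, B, C), d, 3 * n)


if __name__ == "__main__":
    A = [[1, 2], [3, 4]]
    B = [[0, 1], [1, 0]]
    C = [[2, 1], [4, 3]]          # = AB
    print(verify_product(A, B, C))                   # True
    print(verify_product(A, B, [[2, 1], [4, 4]]))    # False
```

The cost is exactly the lemma's 2^{d}\cdot(\text{time of }A+\text{time of }G): with d=8 that is 256 runs of Freivalds' test, and the whole point of the seed-length table in the notes is how small d can be made relative to m.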
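The two private-key schemes from the lecture side by side: the one-time pad, with its perfect-secrecy property and its reuse restriction, and the scheme y_i=x_i\oplus f(i,s) that replaces the pad by a pseudorandom function. This is an added example, not part of the notes; the function prf is an assumed stand-in for f(i,s) built from HMAC-SHA256 keyed by s (the notes deliberately do not define a PRF), and all keys and messages are constructed sample values.

```python
import hashlib
import hmac
from collections import Counter
from itertools import product


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(x, r):
    """One-time pad: y = x xor r, key as long as the message."""
    assert len(x) == len(r), "the pad must be as long as the message (m known in advance)"
    return xor_bytes(x, r)


otp_decrypt = otp_encrypt  # x = y xor r


def ciphertext_distribution(x_bits):
    """Perfect secrecy by enumeration: over all pads r in {0,1}^m the ciphertext y = x xor r
    hits every m-bit string exactly once, i.e. y is uniform regardless of x."""
    m = len(x_bits)
    counts = Counter()
    for r in product((0, 1), repeat=m):
        counts[tuple(a ^ b for a, b in zip(x_bits, r))] += 1
    return counts


def key_reuse_leak(x1, x2, r):
    """Why r is used once: two ciphertexts under the same pad satisfy y1 xor y2 = x1 xor x2,
    a relation between the plaintexts that does not depend on r at all."""
    return xor_bytes(otp_encrypt(x1, r), otp_encrypt(x2, r))


def prf(i, s, m):
    """Stand-in for f(i,s) in {0,1}^m (assumption: HMAC-SHA256 keyed by s, message index i,
    extended in counter mode and truncated to m bytes)."""
    out = b""
    ctr = 0
    while len(out) < m:
        out += hmac.new(s, i.to_bytes(8, "big") + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:m]


def stream_encrypt(i, x, s):
    """y_i = x_i xor f(i, s): one short secret s, many messages, message index i never repeated."""
    return xor_bytes(x, prf(i, s, len(x)))


def stream_decrypt(i, y, s):
    """x_i = y_i xor f(i, s)."""
    return xor_bytes(y, prf(i, s, len(y)))


if __name__ == "__main__":
    print(ciphertext_distribution((1, 0, 1)))                 # 8 ciphertexts, each once
    print(key_reuse_leak(b"ab", b"cd", b"\x00\x01"))          # b'\x02\x06' = b"ab" xor b"cd"
    s = b"constructed-secret-key"                             # constructed sample key
    y = stream_encrypt(1, b"hello bob", s)
    print(stream_decrypt(1, y, s))                            # b'hello bob'
```

Reusing an index i in the PRF scheme recreates the one-time-pad reuse situation exactly, since f(i,s) is then the same pad twice; the counter i is what makes "single key, many messages" work.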