today
	cryptography [[wrap up]]
	hybrid arguments
cryptography
	[[remind from last time]]
	[[draw picture of PRG]]
	def;
		G_m:\bits^{d(m)}\to\bits^m is a 
			derandomization PRG if
				d<m
				G_m computable in poly(2^d,m) time
				G_m(U_d) and U_m are (t,\eps) indistinguishable
					[[recall that we have non-uniform distinguishers, measured by circuits]]
			cryptographic PRG if
				d<m
				G_m computable in poly(m) time
				for all c, G_m(U_d) and U_m are (m^c,1/m^c) indistinguishable
			[[similar objects, different parameter emphasis]]
	[[PRG's started in crypto, helpful to understand]]
	def:
		f:\bits^n\to\bits^n is a one-way function if
			f is computable in poly(n) time
			f is hard to invert
				for any c, large enough n
				any ckt A size n^c
				Pr[A(f_n(U_n))\notin f_n^{-1}(f_n(U_n))]\le 1/n^c
		[[draw picture]]
	ex:
		integer multiplication
		scrambling an egg
	[[required for cryptography, suffice for crypyo]]
	thm: equiv:
		-OWF exist						
		-PRG G_m:\bits^{m-1}\to\bits^m exist			[[1=>2: deep result],[[2=>1: not hard]]
		-any \eps>0, PRG G_m:\bits^{m^\eps}\to\bits^m exist	[[2=>3: not hard]]
	cor: OWF => BPP\subseteq\SUBEXP
		2^{\Omega(n)}-secure OWF [[pretty strong assumption]]
			=> BPP\subseteq\quasiP [[best known]]
	goal: weakest assumption => P=BPP [[ideally get iff]]
	will show: L\in \EXP requires circuits size 2^{\Omega(n)}	=> explicit (m,\eps) PRG seed length O(\log m+\log 1/\eps) 	=> P=BPP
									<= 				
									\-> hw
	the plan:
		review crypto techniques [[foundation for later ideas]]
		average case hardness => derandomization
		local decoding
		worst case hardness => average case hardness [[via local decoding]]
hybrid arguments
	lem: X,Y random variables with \Delta(X,Y)\le \eps
		=> \Delta(X^k,Y^k)\le k\eps	[[statistical distance, claimed this before didn't prove]]
	[[want computational analogue]]
	prop: X,Y\in\bits^m (t,\eps) indistinguishable.
		=> X^k,Y^k are (t,k\eps) indistinguishable.	[[t=\infty recover statistical claim. but we need to make argument for above *constructive*]]
			\-> indep copies of X,Y
	pf.	
		prove contrapositive
		hybrid argument
		|Pr[f(XXX)=1]-Pr[f(YYY)=1]|> k*\eps
		=> wlog Pr[f(XXX)=1]-Pr[f(YYY)=1]> k*\eps
			otherwise consider \neg f
					    \-> work in model where negations are free	
		k=3
		hybrids
			H_0=XXX
			H_1=XXY
			H_2=XYY
			H_3=YYY
		Pr[f(XXX)=1]-Pr[f(YYY)=1]
			=H_0-H3
			=(H_0-H_1)+(H_1-H-2)+(H_2-H_3)
		=> exists i_0 with H_{i_0}-H_{i_0+1}>k*\eps/k=\eps
			say i_0=1
			Pr[f(XXY)=1]-\Pr[f(XYY)=1]>\eps
			=Pr_{X_1,X_2,Y_3}[f(X_1X_2Y_3)=1]-\Pr_{X_1,Y_2,Y_3}[f(X_1Y_2Y_3)=1]
		=>exist x_1,y_3 st Pr_{X_2}[f(x_1X_2y_3)=1]-\Pr_{Y_2}[f(x_1Y_2y_3)=1] >\eps
		define g(z)=f(x_1,z,y_3)
		=>Pr[g(X)=1]-\Pr[g(Y)]> \eps
	[[key point: 
		two random (large) variables distinguishable for unclear reasons
		create hybrids, the conceptual differences between each hybrid is small
		allows us to zoom in on a clear difference why the variables are distinguishable]]
	rmk:
		nonuniformity
			i_0		[[can replace with random i]]
			x_{<i_0}	[[can replace with randomness if X,Y sampleable]]
			y_{>i_0}
	lem: X\in\bits^n random variable
		X uniform iff any i, any function f_i:\bits^{i-1}\to\bits
			Pr[f_i(X_{<i})=X_i)=1/2
			[[unpredictable]]
	rmk:
		first condition is unordered, second condition is ordered
		can be helpful in proving uniformity
	Q. computational version?
		[[in general, crypto has many analogues of computational analogues of statistical facts]]
	def: X\in\bits^m is (t,\eps) next-bit unpredictable if for i\in[m], every f of size t
		Pr[f(X_1,\ldots,X_{i-1})=X_i]\le 1/2+\eps
	[[hence (\infty,0)-next bit unpredictable is uniform]]
	prop: X\in\bits^m is (t,\eps) pseudorandom => (t-O(1),\eps) next-bit unpredictable [[define pseudorandom]]
			(t-O(1),\eps m) pseudorandom <= (t,\eps) next bit unpredictable
	pf:
		\neg prg <= \neg unpred:
			given predictor f of size t
				\Pr[f(X_1,\ldots,X_{i-1})=X_i]>1/2+\eps
			define g(x_1,\ldots,x_m)=1 iff f(x_1,\ldots,x_{i-1})=x_i	[[computable in t+O(1) size]]
			Pr[g(X)=1]>1/2+\eps=Pr[g(U_m)]+\eps				[[get distinguisher
		\neg prg => \neg unpred:
			distinguisher f
				|\Pr[f(X)=1]-\Pr[f(U_m)=1]|> \eps
				=> wlog \Pr[f(X)=1]-\Pr[f(U_m)=1]>\eps [[take either f or \neg f, as \negations don't matter in our notion of circuit size]]
			hybrid argument [[note that we no longer have independent coordinates!]]
				H_0=X
				H_m=U_m
				H_i=(H_0)_{\le i} {H_m)_{>i}=X_{\le i} U_{m-i}
			\eps < \Pr[f(H_0)=1]-\Pr[f(H_m)=1]
				=\sum_{0\le i<m} \Pr[f(H_i)=1]-\Pr[f(H_{i+1})=1]
			=> by averaging, exists i_0
				\Pr[f(H_{i_0})=1]-\Pr[f(H_{i_0+1})=1]>\eps/m
				=\Pr[f(X_1\cdots X_{i_0-1} X_{i_0} U_{i_0+1}\cdots U_m)=1] - \Pr[f(X_1\cdots X_{i_0-1} U_{i_0} U_{i_0+1}\cdots U_m)=1] 
			=> by averaging exist u_j for j>i [[probability over X,U
				\Pr[f(X_1\cdots X_{i_0-1} X_{i_0} u_{i_0+1}\cdots u_m)=1] - \Pr[f(X_1\cdots X_{i_0-1} U_{i_0} u_{i_0+1}\cdots u_m)=1]>\eps/m
				=\Pr[g(X_{<i_0} X_{i_0})=1]-\Pr[g(X_{<i_0} U)=1]
			[[this feels like a predictor, now need to make it rigorous
				intuitively, if g=1 that means we should declare 'X']]
			the predictor
				sample U randomly
				g(X_{<i_0},U)=1	output U
					     =0	output \neg U
			runtime: t+O(1) [[can sharpen]]
			success prob:
				key step: U=1/2 * X_{i_0} + 1/2*(\neg X_{i_0})
				Pr[P(X_{<i_0})=X_i]
					=1/2* Pr[g(X_{<i_0},U)=1|U=X_{i_0}]+1/2 *Pr[g(X_{<i_0},U)=0|U=\neg X_{i_0}]
					=1/2 *(Pr[g(X_{<i_0},X_{i_0})=1]+(1-Pr[g(X_{<i_0},\neg X_{i_0})=1]))
					=1/2+1/2*(Pr[g(X_{<i_0},X_{i_0})=1]-Pr[g(X_{<i_0},\neg X_{i_0})=1])
				now use:
				\eps/m	<\Pr[g(X_{<i_0} X_{i_0})=1]-\Pr[g(X_{<i_0} U)=1]
					=\Pr[g(X_{<i_0} X_{i_0})=1]-(1/2*\Pr[g(X_{<i_0} X_{i_0})=1]+1/2*\Pr[g(X_{<i_0} \neg X_{i_0})=1])
					=1/2*(Pr[g(X_{<i_0},X_{i_0})=1]-Pr[g(X_{<i_0},\neg X_{i_0})=1])
				=> Pr[P(X_{<i_0})=X_i]>1/2+\eps/m
	rmk:
		did use non-uniformity here
		can replace with randomness [[uniform distribution is sampleable]]
	Q. when is x\mapsto x,f(x) pseudorandom?
		ie, when is x\mapsto x,f(x) next bit unpredictable
		ie, \Pr[g(x)=f(x)]=~1/2+\eps [[any efficient g]]
		[[this is average case hardness]]
next time
	average case hardness
	Nisan Wigderson generator