Yes, I'm Salil. I'm looking forward to meeting you all over the next couple of days. I just arrived this morning, so I don't have a good sense of the audience yet. I know a bit about what's been covered in the other lectures, but I haven't been here to hear your questions, so it's particularly important that you stop me if anything I say is confusing. There's a lot of flexibility in what we cover, and we don't have to rush through things, so let's have this be as interactive as possible. You've already been hearing a lot about this concept of HILL pseudoentropy, and I don't know if anyone told you what "HILL" is. HILL stands for Håstad, Impagliazzo, Levin, and Luby, who in 1989 proved one of the fundamental results in the foundations of cryptography, namely that you can construct a pseudorandom generator from any one-way function; that was the context in which they introduced the idea of pseudoentropy, as a tool in their proof. The plan for this lecture and the first lecture tomorrow is to see a pretty much complete proof of this result. It won't be exactly the original HILL proof; it will be a simpler and more streamlined proof that we know how to do now, but still relying very much on different notions of computational entropy, including some of the ones you've been seeing, and we'll also see some new ones. Then in the second lecture tomorrow, we'll see how to construct another kind of cryptographic primitive, statistically hiding commitment schemes, also from one-way functions. That proof will have a very similar structure but will use a different set of notions of computational entropy. So that's the idea.
So let's make sure we're all on the same page as far as notation and terminology. The HILL result, again: from any one-way function one can construct a pseudorandom generator. A one-way function here will always be length-preserving: it takes n-bit strings to n-bit strings, is defined for every input length n, and we'll treat n as our security parameter and keep it fixed in the analysis. The function should be easy to compute. We're going to work with the asymptotic formulation of security, where polynomial time is efficient and more than polynomial time is not. Everything I say can be made more concrete, and I think at least some of the previous lectures were working a little more in concrete security, but it will be cleaner, with fewer parameters to worry about, if we work in the asymptotic setting. So: the function should be computable in polynomial time, but hard to invert by algorithms that run in arbitrarily large polynomial time, which is equivalent to saying it has some security s(n) that grows faster than any polynomial in n, i.e. s(n) = n^{ω(1)}. We work with nonuniform complexity, so you can think of algorithms as Boolean circuits if you like, with the running time of the algorithm being the size of the circuit, the number of AND, OR, and NOT gates. The security condition says: for any algorithm A running in time s(n), the probability, when we pick a uniformly random input x and feed f(x) to A, that A finds a preimage of f(x), i.e. successfully inverts, is at most 1/s(n). So both the running time and the reciprocal of the inversion probability are superpolynomial in n.
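As a toy illustration of this security experiment (not from the lecture; `f` and `invert` are hypothetical stand-ins), the inversion probability can be estimated like this:

```python
import secrets

def inversion_advantage(f, invert, n, trials=200):
    """Estimate Pr[f(A(f(x))) = f(x)] over uniform n-bit x.

    For a one-way function, this should be at most 1/s(n) for every
    efficient adversary `invert`, where s(n) grows faster than any
    polynomial.  Here `f` maps n-bit ints to n-bit ints, and finding
    *any* preimage counts as a successful inversion.
    """
    wins = 0
    for _ in range(trials):
        x = secrets.randbits(n)
        y = f(x)
        if f(invert(y)) == y:  # any preimage counts
            wins += 1
    return wins / trials
```

For instance, the identity function is trivially invertible, so the estimated advantage is 1; a genuine one-way function should drive this toward 0 against every efficient inverter.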
Now, pseudorandom generators, similarly. The seed length will be d and the output length m, but we'll still use the one-way function's n as the security parameter, so d and m are both functions of n. We only need to worry about constructing a pseudorandom generator where m is larger than d; we don't care by how much, because there are general composition methods, which probably many of you have seen, showing that once you have a pseudorandom generator that stretches by even one bit, you can get one that stretches by as much as you like. Again, the generator should be computable in polynomial time in the security parameter, and its output distribution on a uniformly random seed should be computationally indistinguishable from the uniform distribution. The notation I'll often use for computational indistinguishability is an equivalence sign with a C; I saw in Krzysztof's notes on the board maybe a tilde, but this is the notation I'll use, so hopefully you can match them up. Computational indistinguishability is again against algorithms, i.e. circuits, of size superpolynomial in n: really, there is some superpolynomial function such that the probability that a test T accepts the output of the generator equals the probability that it accepts a sample from the uniform distribution, up to a plus or minus negligible term, one over superpolynomial in n. Any questions on notation and definitions? [Question about whether the parameters lose generality.] Right, so in one direction there is no loss of generality: if I put here, say, a constant for the inversion probability, then there are amplification results for one-way functions.
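The composition just mentioned, turning a one-bit stretch into arbitrary stretch, can be sketched as follows (a minimal sketch with hypothetical names; bit strings are represented as lists of 0/1):

```python
def stretch(prg_plus1, seed, out_len):
    """Iterate a PRG that stretches d bits to d+1 bits to obtain
    out_len output bits: each round, output the first bit of
    prg_plus1(state) and keep the remaining d bits as the next state.
    A hybrid argument shows the result is still pseudorandom.
    """
    state = list(seed)
    out = []
    while len(out) < out_len:
        y = prg_plus1(state)
        assert len(y) == len(state) + 1  # one-bit stretch
        out.append(y[0])
        state = y[1:]
    return out
```

A toy (of course not actually pseudorandom) one-bit-stretch function like `lambda s: [sum(s) % 2] + s` shows the mechanics: the state is threaded through while one bit per round is emitted.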
From any weak one-way function, where the inversion probability is, say, one half or any constant, I can construct one where the inversion probability vanishes faster than any polynomial. So in the asymptotic regime we may as well have these two parameters be the same. We'll see, I think, that if you ask for one-way functions where the inversion probability is much smaller than the reciprocal of the running time, that is a somewhat different, more powerful, beast, and we'll maybe get a taste of that, but this is the usual asymptotic formulation, and one can say similar things about pseudorandom generators. Good. So we're going to work our way to the proof in the same way things went historically. We'll start with one-way permutations, where f is a bijection. Even though that's a basic result that maybe many people have seen, we'll do it in slightly different language, using notions of computational entropy, which hopefully will be illuminating and help lead up to the other notions we'll need. Then we'll look at one-to-one one-way functions, which won't necessarily be length-preserving: an injective one-way function, but not necessarily a permutation, where the output length might be bigger than the input length. Then we'll look at regular one-way functions, which are not injective, but where every output has the same number of preimages. And finally we'll get to general one-way functions. In all of these cases, the structure of the proof will be the same. From the one-way function, we first try to get our hands on some kind of pseudoentropy that is larger than the actual entropy: we construct a random variable, maybe a conditional random variable, call it Z, whose distribution we can generate, and which in some computational sense has more entropy than the actual entropy of Z. Certainly that's something we need if we're going to achieve our goal: in a pseudorandom generator, the actual entropy of the output is at most the seed length d, but computationally, since the output is indistinguishable from uniform, it looks like it has entropy m, which is larger than d. So this seems like a good first step. Unfortunately, the kind of pseudoentropy we typically get initially won't be HILL pseudoentropy, the kind a pseudorandom generator has, but some other, weaker kind. So the next step will be some kind of manipulation to get HILL pseudoentropy larger than actual entropy, for some other, possibly new, random variable Z'. And then we'll do some kind of randomness extraction to get a pseudorandom generator. This will be our approach. So let's start with the first case and focus on one-way permutations. Here f is a bijection, and while in general for a one-way function the adversary succeeds if it finds any inverse, since f is a bijection there's only one, so the task of the adversary is to find that unique inverse. Just a check: how many people have seen one-way functions before? Okay, good, so I don't need to give examples and candidates and so on. Let's see now, for this case of one-way permutations, how we can do this first step of getting our hands on some kind of pseudoentropy. Let me rephrase what we're saying here; I want to maximize how much I have on the screen at once. Recall the definition of average min-entropy.
One equivalent formulation of the min-entropy of X given Y, which I think Leo gave, is the log of one over the maximum guessing probability, maximized over all adversary strategies: H_min(X|Y) = log(1 / max_A Pr[A(Y) = X]). So if we look at all possible ways, without any computational restriction, of trying to predict X from Y, and that probability is at most 2^{-k}, we say the min-entropy of X given Y is at least k. A very natural thing to do to get a computational analogue of entropy, which I guess hasn't been done in the lectures so far, is to restrict ourselves to efficient algorithms A in this formulation. This is called unpredictability entropy, or unpredictability pseudoentropy: a computational version of entropy. It's the same definition, but the max is taken over adversaries within whatever our security bound is, size n^{ω(1)}, some superpolynomial function. In other words, the unpredictability entropy of X given Y is at least k if and only if for every A of size n^{ω(1)}, Pr[A(Y) = X] ≤ 2^{-k}. I want you to think of it this way, in terms of the guessing probability: the unpredictability entropy is at least k if any efficient algorithm can guess X from Y with probability at most 1/2^k. Good, that's legible up there. Now we can see that the definition of a one-way function, when we restrict to a one-way permutation, or more generally an injective one-way function, is exactly saying that the unpredictability entropy of X given f(X) is superlogarithmic in n.
Just to be clear, that's ω(log n): when I take the log of something that is superpolynomial in n, I get something superlogarithmic. So directly from a one-way permutation we get that the unpredictability entropy of the input given the output is at least ω(log n). But note that the actual entropy of X given f(X), according to any measure you like, Shannon entropy or min-entropy, is zero, by the fact that the function is one-to-one. So we have a gap: the unpredictability entropy is large, but the actual entropy is zero. That's already our first step, a gap between unpredictability entropy, some kind of pseudoentropy, and the actual entropy. A natural idea for trying to get a pseudorandom generator is to apply a randomness extractor to extract this unpredictability entropy. So we take G(x, s) = (f(x), s, Ext(x, s)), where s is the seed of an extractor. We know what an extractor does: it takes something with high min-entropy and gives you something uniform. So you might hope that if you apply an extractor to something with high computational entropy, you get something pseudorandom out. If that were the case, we would actually be done: in the case of a one-way permutation, the output of the function on a uniform input is uniform; the extractor seed is uniform by definition, coming from the seed of the pseudorandom generator; and if the extractor gives us something indistinguishable from uniform out of x, conditioned on f(x) and the seed, we'd have something pseudorandom overall. And the output is longer than the input, since x has the same length as f(x), and the seed s also appears in the output.
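The construction on the board, G(x, s) = (f(x), s, Ext(x, s)), instantiated with the inner-product extractor, can be sketched as follows (a sketch; `f` is a stand-in permutation on bit lists, not an actual one-way function):

```python
def inner_product(x, s):
    """<x, s> mod 2 for equal-length bit lists."""
    return sum(a & b for a, b in zip(x, s)) % 2

def G(f, x, s):
    """Candidate PRG from a one-way permutation f: the seed is (x, s),
    2n bits in total, and the output is f(x) || s || <x, s>, which is
    2n+1 bits, so we stretch by exactly one bit.
    """
    return f(x) + s + [inner_product(x, s)]
```

The first 2n output bits are genuinely uniform when f is a permutation; the whole question, discussed next, is whether the last extracted bit looks random given the rest.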
Unfortunately, things are not quite so simple. The question is this: suppose that for some measure of pseudoentropy, pseudo-H(X|Y) ≥ k, where X is n bits long, and we have a (k, ε)-extractor Ext: {0,1}^n x {0,1}^d -> {0,1}^m with ε negligible. Can we then ensure that (Y, S, Ext(X, S)) is computationally indistinguishable from (Y, S, U_m), where S is a uniformly random seed for the extractor? I think what Leo showed you is that if the kind of pseudoentropy we have is HILL pseudoentropy, where X is computationally indistinguishable from some X' that has actual min-entropy at least k given Y, then the answer is yes. [Did relaxed HILL come up in any of the lectures?] In fact this even holds for what's called relaxed HILL pseudoentropy; recalling the definition, that means (X, Y) is computationally indistinguishable from some (X', Y') with the actual entropy of X' given Y' at least k. So if the pseudoentropy is relaxed HILL and the extractor is efficient, in our case computable in polynomial time since we're talking about poly-time security, then the answer is yes. But that's not the kind of pseudoentropy we have; we have just unpredictability entropy. And for unpredictability entropy, unfortunately, even with the extractor being poly-time, that's not enough to imply a positive answer. There's a simple counterexample, actually even for the setting we're looking at here, where Y = f(X) for a one-way permutation, or one-to-one one-way function, f. As we've seen, X has a significant amount of unpredictability entropy given Y. Now consider the following extractor: on input x and s, it first applies the one-way permutation f to x. It's trying to extract randomness from x, and the extractor property doesn't change if I apply a permutation to the source: if I feed in a source of min-entropy k, then f of that source also has min-entropy k, because f is one-to-one. Then it just applies some extractor to what it gets, for example the dot product mod 2, a universal hash function. So consider this extractor, Ext'(x, s) = <f(x), s>, and look at what happens: (Y, S, Ext'(X, S)) is (f(X), S, <f(X), S>). The output of the extractor is determined by the previous components Y and S, and in a very easy way: it certainly does not look like a random bit given f(x) and s, because given f(x) and s I can compute the last bit perfectly. So the message, the third item, is the way out: you can't use an arbitrary extractor, but there are extractors that do work. I don't know whether the specific example you suggested can itself be made to work, but if I just remove the f here, it does work: if I didn't first apply f to x, that particular extractor works. What I want to do is abstract what property of an extractor is enough to make an implication like this true, and then we can think about whether the idea you have in mind has that property. So really this is just meant as a counterexample to the statement that was true for HILL pseudoentropy, namely that you could use any polynomial-time extractor.
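The counterexample can be made concrete (a sketch; `rot` in the usage below is just a stand-in bijection, not one-way):

```python
def bad_ext(f, x, s):
    """Ext'(x, s) = <f(x), s> mod 2.  This is still a legitimate
    extractor, since the bijection f preserves min-entropy of the
    source, but it is useless for extracting pseudoentropy from x."""
    return sum(a & b for a, b in zip(f(x), s)) % 2

def cheat(fx, s):
    """A 'distinguisher' that sees only f(x) and s, exactly what the
    generator reveals, recomputes the extracted bit perfectly, so the
    last output bit looks nothing like random."""
    return sum(a & b for a, b in zip(fx, s)) % 2
```

Since `cheat(f(x), s)` always equals `bad_ext(f, x, s)`, the extracted bit has zero pseudoentropy given the other components, even though x itself is hard to predict.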
That's not enough; you need some additional property from the extractor. What we'll see, and let's move to the other boards for this, is that if the pseudoentropy is unpredictability entropy and the extractor is what's called a reconstructive extractor, then the answer is yes. And if we have time, we might also see why, if we hadn't applied f, we get this reconstructibility property. Questions? [What does "reconstructive" mean?] We're going to write the definition now. So again we have a function Ext that takes a source of n bits and a seed of d bits and gives you an m-bit output. We say that it is a (t, k, ε)-reconstructive extractor if the following holds; let me write the definition, it's going to be a bit long, but then we'll interpret it. There exists a time-t (or size-t) algorithm Dec, which we think of as a decoding or reconstruction algorithm, such that for every fixed source string x (fixed, not a random variable) and every statistical test T, the following implication holds. Remember, we're talking about strong extractors here, I don't know if that term was used: the extractor is supposed to produce something where the seed together with the output is jointly close to uniform, so a statistical test takes a potential seed and an output and tries to distinguish whether it's coming from the extractor or is uniform. Written as an implication: if T ε-distinguishes (S, Ext(x, S)) from (S, U_m), where S is a uniform seed, then with probability at least one half over the randomness R of the decoder, which is a randomized algorithm, there exists an advice string A of k bits such that Dec^T(A, R) = x. So what's going on here? It's saying that if I have a test that distinguishes the extractor's output from uniform on a fixed element x of the domain, then, informally, I can reconstruct the source string x with just k bits of advice. Since we allow the reconstruction to be randomized, we have to say something about its randomness; the choice of one half is somewhat arbitrary and not particularly important. There will be some advice string of k bits that allows me to reconstruct, and the decoding algorithm is allowed to make use of the test, but it's an efficient algorithm: it can only make queries to the test, using it as an oracle, querying it on some points, and somehow from that reconstruct the string x. Let's see intuitively why this is a strengthening of the definition of an extractor; we'll also see it when we formally prove how it works with unpredictability entropy. Normally, when we look at the definition of an extractor, the source X is not fixed; it comes from some source with high min-entropy, say a bit larger than k. If X has entropy a bit more than k, then intuitively it should not be possible to describe X using fewer than k bits of information; that seems in conflict with the fact that X has more than k bits of min-entropy in it.
And indeed, if you have this property, then it implies that Ext is also an extractor according to the usual definition, for a slightly higher value of k. In fact, many extractors in the literature, not all of them but many, are proven to be extractors implicitly via this kind of reconstruction argument: the proof shows that, given a test, you can describe the strings in the source on which it succeeds in distinguishing using a small number of bits of information, and often, though not always, the decoding is also computationally efficient in some way. So let's show the following lemma: if Ext is a (poly(n), k, ε)-reconstructive extractor and the unpredictability entropy of X given Y is at least k, then (Y, S, Ext(X, S)) is computationally indistinguishable from (Y, S, U_m), up to a negligible distinguishing advantage plus 2ε; so the extractor's ε comes into the indistinguishability, not just a negligible term. (Let me put a 2ε there; we'll see what happens in the proof.) Let's prove this. Suppose not: suppose we have a poly(n)-size test T that 2ε-distinguishes, i.e. Pr[T(Y, S, Ext(X, S)) = 1] − Pr[T(Y, S, U_m) = 1] > 2ε. Then with probability at least ε over the choice of the first component, which is the same in both distributions, we must have a distinguishing advantage of at least ε taken over the randomness of the other two components: otherwise, putting the two together, the overall advantage would be at most 2ε. (And I guess these should be strict inequalities, as in the usual definition.) Actually, let me do one more step here, apologies: I want to fix not just y but also the source string x, and by the same averaging argument T must distinguish for at least an ε fraction of the pairs (x, y); I want a fixed x so that I can apply the decoding property. So now T, with its first component fixed to y, is an ε-distinguisher between the output of the extractor on this fixed x and the uniform distribution, exactly as in the definition of the decoder. When this occurs, we know that with probability at least one half over R there exists an advice string A of length k such that Dec^{T(y,·,·)}(A, R) = x: for a fixed value of y, the decoding property says a k-bit advice string allows me to reconstruct x. Now let's think of X and Y as random again, and take the probability over everything: over (X, Y), over the randomness of the decoder, and with the advice guessed uniformly at random, so A is a uniformly random k-bit string. The probability that the decoder, given the oracle T(y,·,·) and random advice, outputs x is then at least: ε, for the event that we got a good pair (x, y) where T is still a distinguisher; times one half, for the decoder's randomness being good, so that some good advice string exists; times 2^{-k}, the chance of picking the right advice string uniformly at random. So we get ε/2^{k+1}. (This is the term I had forgotten about, so let me adjust accordingly.) But this is an efficient predictor: think of the whole thing as an algorithm applied to y. It runs in polynomial time, because the decoder and the test T both run in polynomial time, and it predicts X from Y with probability ε/2^{k+1}, which, for the right setting of parameters, contradicts the unpredictability entropy bound. A couple of remarks here; first, are there any questions on what we've said so far? [Question: doesn't this need to hold for all x and all tests?] You need the test to be good for this particular x; that's the point. Without the test, you aren't able to reconstruct x: you're using the fact that the test can tell the extractor output from uniform for this fixed x, and with that kind of partial information about x coming from the test, plus k more bits of advice, you can reconstruct x. I know this feels abstract; it's probably worth giving a concrete example of such a reconstructive extractor, but let me first make a couple of quick remarks. Probably in the presentations earlier in the week, and I know this is something Yevgeniy cares a lot about and probably emphasized, and maybe the others as well: people don't always like to pay this log(1/ε). The ε is your security, and you don't want to throw away log(1/ε) factors sloppily like this. It won't matter in the asymptotic regime, but it certainly matters concretely.
In many cases one can get rid of this log(1/ε) by doing a finer analysis that doesn't just fix one value of the advantage. Here we did something crude: we said that with probability ε you still have a distinguishing advantage of ε. But the only way this is tight is if, to get a total advantage of 2ε from only an ε fraction of the pairs (x, y), you have a high, constant, distinguishing advantage on that fraction; otherwise the two together only capture something like an ε² advantage. So one should do a more refined analysis of the tradeoff between these two parameters, working with an extractor where the amount of advice you need also changes with your distinguishing advantage. Many common extractors have that property, and then you can get rid of this log(1/ε). The other remark, which is something we will use, is that we can save something logarithmic in n; this is really related to the running time of your distinguishers, and it applies when success in predicting can be checked efficiently. In our case we're trying to predict x from f(x), and when I make a guess for x, I can actually check whether I've succeeded: I apply f and see whether I found a preimage. How this helps is that you don't need to make just one shot at predicting x. Instead of choosing all the bits of the advice uniformly at random, say I want to save a factor of two: for the first bit, instead of choosing it at random, I try both possibilities. In general, I can take any logarithmic, or slightly superlogarithmic, number of advice bits and try all their possibilities rather than choosing them at random, and that gives me an ω(log n)-bit savings: provided k is at least superlogarithmic in n, I can replace the 2^{k+1} here accordingly. I wanted to make that remark because we'll often be working in this kind of situation. [Question about the definition.] Let's see, what did I write in my definition? I can never keep track of what's supposed to be a strict inequality. Yes, I guess you would want that to be strict, you're right; let me define reconstructive extractor properly and make that strictly more than one half. Thanks. [Another question.] Okay, so this is similar to what we have over here. Sometimes you'll see a definition of one-way function which says that for every polynomial-time algorithm and every polynomial, the adversary fails to achieve inversion probability 1/n^c for sufficiently large n. That is actually equivalent to saying there is some function s(n), growing faster than any polynomial in n, such that circuits of size s(n) fail to invert with success probability better than 1/s(n). Technically, one annoyance that comes up there is that this function s(n) may not be easy to compute, but when you're using it in a reduction, and we're doing reductions against nonuniform algorithms, we don't have to worry about that. Exactly, yes, thanks. Any other questions?
So, what is an example of a reconstructive extractor? This is all very abstract, but it's something that probably many of you have seen: the Goldreich-Levin hardcore bit construction is a reconstructive extractor. This is a modern reinterpretation of the Goldreich-Levin theorem in the language of extractors and reconstructive extractors. The extractor takes an n-bit source string and an n-bit seed, both lowercase since these aren't random variables yet, and the dot product mod 2, Ext(x, s) = <x, s>, is a (poly(n, 1/ε), 2 log(1/ε) + O(1), ε)-reconstructive extractor, for every ε. Here we're extracting only one bit out, and you know that extractors require, even without the reconstruction property, an entropy loss of 2 log(1/ε); that's what this corresponds to: we need min-entropy at least 2 log(1/ε) plus a constant to get ε-close to uniform. Again, by the analysis we did there, there's an extra log(1/ε) if you try to go from this to an ordinary extractor, but for the reasons I was sketching, one can do the analysis more finely and get rid of it. And the time for reconstruction is polynomial in n, the length of the strings you're working with, and in 1/ε. So we can take ε to be an arbitrarily small polynomial and still have polynomial-time reconstruction, or a slightly negligible function, and get slightly superpolynomial reconstruction time. Maybe a question: how many people have seen the Goldreich-Levin hardcore bit and the proof of its correctness? About half, okay. So what I want to do is at least tell you the main steps of the argument; we may not go through all the details. Hopefully the people who've seen Goldreich-Levin can match what they know with this notion of reconstructive extractor, and the others will at least get a taste of how this reconstruction property can be proven for an extractor.
match what they know with this notion of reconstructable extractor, and the others will hopefully get at least a taste of how this reconstruction property can be proven for an extractor. All right, so there is some fixed x, which we don't know and which we're trying to reconstruct, and we have a test T. Suppose the test distinguishes (s, Ext(x, s)), the seed together with the output of the extractor, from (s, uniform) with advantage ε. Again, we only have oracle access to this test, but we're assuming we have such a test, and this is for a fixed little x; s is random, so the probability is over s. Now, being able to distinguish this bit from a random bit turns out to be equivalent to predicting it: we can use this test to construct a predictor P that predicts the bit with probability slightly more than a half. That is, using the test, I can predict the dot product of the unknown string x with a random string s with probability slightly more than a half. Intuitively, a perfectly random bit is something that you can guess with probability only one half, so it makes sense, and it's not hard to show, that being indistinguishable from a random bit is equivalent to not being predictable except with probability slightly more than a half. This is a version of the equivalence of pseudorandomness and next-bit unpredictability; have any of you seen that? All right. This P makes just one query to the test T. Let me just tell you what the randomness is going to be: the randomness of our decoder will be used to pick a random subspace V of the strings of length n. By subspace I mean the following: we're doing mod-2 arithmetic here, so we can think of bit strings of length n as
vectors of length n over the field of two elements. Then our x defines a linear function on s, and we have something that, given a random string s, predicts the value of this linear function x·s, all mod 2, with probability a little more than a half. So this is where linear algebra mod 2 implicitly comes in. We pick a random subspace V of dimension k = 2 log(1/ε) + O(1), and the advice is going to be the values x·w_1, ..., x·w_k for a basis w_1, ..., w_k of V. So my decoder picks a random subspace and hopes to get as advice how this linear function behaves on the subspace: the dot product of x, mod 2, with each vector in some basis of the subspace. That's enough to tell me the dot product of x with any vector in the subspace, by linearity: if I take x·w_1 + x·w_2, that gives me the dot product of x with w_1 ⊕ w_2, the bitwise XOR. I wish I had more space near here; maybe we can erase the definition of unpredictability entropy. All right, so what is our decoder going to do? Let me sketch a slightly weaker result: it works with what I said before, but it's easier if you give me a little more advice, namely the values on a slightly higher-dimensional subspace, though you actually only need the dimension I listed there. The decoder, which uses P rather than T since we already constructed the predictor from the test, does the following. For i going from 1 to n, it forms a guess g_i, which is the majority, over all vectors w in the subspace, of two bits XORed together; the first is the dot product of x and w.
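To make the decoder concrete, here is a minimal Python sketch under the assumptions above; the function names (`subspace_table`, `reconstruct`) and the representation of strings as bit-tuples are mine, not the lecture's. It shows how the advice bits on a basis extend by linearity to the whole subspace, and how each bit of x is guessed by majority vote, with the predictor P treated as an oracle:

```python
from itertools import product

def dot(u, v):
    """Dot product mod 2 of two bit-tuples."""
    return sum(a & b for a, b in zip(u, v)) % 2

def subspace_table(basis, advice):
    """Extend advice bits x.w_j, given for a basis of V, to {w: x.w} for every
    w in V, using only linearity (XOR of basis vectors <-> XOR of advice bits)."""
    n = len(basis[0])
    table = {}
    for coeffs in product([0, 1], repeat=len(basis)):
        w, b = tuple([0] * n), 0
        for c, wj, aj in zip(coeffs, basis, advice):
            if c:
                w = tuple(wi ^ wji for wi, wji in zip(w, wj))  # w = w XOR w_j
                b ^= aj                                        # x.w = x.w XOR x.w_j
        table[w] = b
    return table

def reconstruct(n, table, P):
    """Guess each bit x_i as the majority over w in V of (x.w) XOR P(w XOR e_i)."""
    guesses = []
    for i in range(n):
        votes = sum(xw ^ P(tuple(b ^ (j == i) for j, b in enumerate(w)))
                    for w, xw in table.items())
        guesses.append(1 if 2 * votes > len(table) else 0)
    return tuple(guesses)

# Sanity check with a perfect predictor for a secret x:
x = (1, 0, 1, 1)
basis = [(1, 0, 0, 1), (0, 1, 1, 0)]
table = subspace_table(basis, [dot(x, w) for w in basis])
assert reconstruct(4, table, lambda s: dot(x, s)) == x
```

The sanity check uses a perfect predictor; in the actual argument P is only correct with probability (1 + ε)/2 over a random seed, which is exactly where the majority vote and the pairwise independence of the subspace come in.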
That dot product we can get from our advice, because we know the dot products of x with a basis of the subspace, and hence, by linearity, with everything in the subspace. The second bit is P(w ⊕ e_i): I take w, flip the i-th bit, and feed that to the predictor. Notice that when w is random, the probability that P(w ⊕ e_i) equals the dot product of x and w ⊕ e_i is at least (1 + ε)/2, and when this occurs, by linearity that dot product is (x·w) ⊕ x_i, the dot product of x and w XORed with the i-th bit of x, because the dot product of x with e_i, the i-th standard basis vector (all zeros except a one in the i-th position), is exactly the i-th bit of x. So don't worry about following all the details; the point is that each item in this majority has a slightly better than half chance of giving us the i-th bit of x: if P succeeds in predicting on that value, which happens with probability (1 + ε)/2, we get the i-th bit of x out. And now we're taking a majority vote over the subspace, and the subspace has, say, n²/ε² pairwise independent elements; a subspace of this dimension, working mod 2, has a number of elements equal to 2 to the dimension, the choices for all the coefficients of the basis vectors. So you could hope that taking a majority vote over this many elements, when on each one you have a success probability a little more than a half, will give you the right answer, namely the i-th bit of x, with very high probability. And that
can be shown using Chebyshev's inequality. The elements of the subspace are not independent, but they are pairwise independent from each other, if you view it in the right way, and a concentration bound for pairwise independent random variables then tells you that, given the correct advice, g will equal x with high probability. So that's very sketchy, but what I wanted to convey is how one reasons about this reconstructable extraction property; this is one example. There's also an interpretation of this in terms of list decoding of error-correcting codes, but I won't spend time on that. Any questions? Yeah. Okay, so about the log(n/ε): that log n comes in because we need all n guesses to be correct; we're not just guessing one bit of x, we want to guess all the bits of x. The way to get rid of it, as I said, is to use the lower-dimensional subspace, and what that does is allow you to reconstruct x·s for any fixed point s with high constant probability, say 99 percent. So what this construction gives you in that case is the value of x·s for 99 percent of the choices of s, and from that you can do another round of this sort of majority voting to recover the individual bits of x with very high probability, without any more advice; you just have to do two levels of majority voting. In the original Goldreich-Levin paper they said: use some asymptotically good error-correcting code and reconstruct the bits of an encoding of x in that linear code. But you don't need constructions of codes; you can just reconstruct at random points in F_2^n, succeed at most points, and then do another round of majority decoding. Good. So this definition
of reconstructable extractor can be composed. For example, suppose I take not one dot product with x but, say, l of them, with independent seeds. One way of showing that this is an extractor is to say that this is a pairwise independent universal hash function of x and use the leftover hash lemma. But if you want the reconstructability property, you can show, using as a black box the fact that one dot product is a reconstructable extractor, that this is roughly an (l + 2 log(1/ε) + O(1), l·ε)-reconstructable extractor, something like that; sorry about the notation. So your error parameter blows up by a factor of l, and the amount of advice you need increases by l; the time for reconstruction doesn't actually need to blow up by l. The way you show this is by a hybrid argument: if I have a test T distinguishing this from uniform, then by a hybrid argument I can find one coordinate where it distinguishes that coordinate from a uniform bit, but I'll need the additional advice of the prefix, and that prefix is where the extra l bits of advice come from. Intuitively, it's showing that each bit is indistinguishable from uniform given the previous ones. Yes? The question is: this is a view of Goldreich-Levin, where the advice appears through something like two-point sampling; if you were using some other hardcore bit, for a specific one-way function, could you also structure the proof so that the hardcore bit has this kind of reconstructability property? That's a good question. There's a paper that did something along those lines, but I wouldn't be able to
reconstruct enough of it to tell you precisely what they did. I think it's by Akavia, Goldwasser, and Safra, and I believe they showed how to interpret the specific hardcore bits for specific number-theoretic one-way functions in the language of locally list-decodable error-correcting codes, which is essentially equivalent to this statement, but I don't want to introduce another concept. So this is really just a repackaging, in some sense, of Goldreich-Levin, if you put everything together, but the point is that one can abstract in general the property of an extractor that takes in unpredictability pseudoentropy and gives you pseudorandomness out. All right, so we aren't quite as far as I had hoped, but that's okay; we are more or less done with one-way permutations. If f is a one-way permutation, then this is a pseudorandom generator construction that many of you may have seen: take f(x), then a random string s, and then the dot product of x and s. We've just given a different language, not a more complicated one, for understanding the pseudorandomness of this construction: it's a pseudorandom generator because x has high unpredictability entropy given f(x). Maybe what we can finish with is what happens if we don't have a permutation but an injective one-way function. Then the one-wayness property is still equivalent to a statement about the unpredictability entropy of x given f(x), because the only preimage of f(x) is x itself, so to succeed in inverting you have to predict x from f(x). So again we can consider the generator that chooses x and s and outputs f(x) followed by s followed by the dot product of x and s, and this is computationally indistinguishable from f(x), s, and a random bit. (Can everyone see if I write down here? It's too blocked; I guess I will erase this.) So this generator has a seed length d, which is 2n, but the output has HILL pseudoentropy, not conditional HILL pseudoentropy but just plain HILL pseudoentropy, at least d + 1, because it's computationally indistinguishable from a distribution with one more bit of entropy. So it's not indistinguishable from uniform, but we do have the gap we were looking for, where the actual number of random bits we used to generate the output is smaller than its pseudoentropy. But there's a problem if we just try to use this construction directly. What we might want to do now is apply an extractor: we know that any efficient extractor, and now I don't need it to be reconstructable, will extract pseudorandom bits from HILL pseudoentropy. So the idea would be g'(z, r), where z is the pair (x, s): apply some polynomial-time extractor Ext' to g(z) with a fresh random seed r. That is, I pick a random seed for the original generator, evaluate that generator, and apply the extractor, and since the output has HILL pseudoentropy, I should be able to get something indistinguishable from uniform out. Do you want to see the problem? Entropy loss is the problem. Remember, when you do extraction you always lose entropy: certainly if you're looking for pseudorandomness, for something ε-close to uniform, your extractor is going to lose 2 log(1/ε) bits, and that kills the one-bit gap I have between seed length and pseudoentropy. Do we have any ideas? Repetition, good. So I will take several independent seeds for this generator.
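As an aside, the basic generator just described, f(x) followed by s followed by x·s, can be sketched in a few lines of Python; this is a shape-check only, with my own naming and a toy stand-in for f that is certainly not one-way:

```python
def inner(x, s):
    """Dot product mod 2 of two equal-length bit lists."""
    return sum(a & b for a, b in zip(x, s)) % 2

def g(x, s, f):
    """Candidate generator from an injective f: seed (x, s) of total length 2n,
    output f(x) || s || <x, s> of length 2n + 1. For injective one-way f the
    output is indistinguishable from (f(x), s, random bit), so it has HILL
    pseudoentropy at least 2n + 1, one bit more than the seed."""
    return list(f(x)) + list(s) + [inner(x, s)]

# Toy injective f: rotate the bits by one (NOT one-way, just for the shape).
rotate = lambda x: x[1:] + x[:1]
out = g([1, 0, 1, 1], [0, 1, 1, 0], rotate)
assert len(out) == 2 * 4 + 1
```

The point of the shape-check is just that the output is one bit longer than the seed, which is exactly the gap the extractor's entropy loss threatens to erase.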
I'll take t copies: t independent seeds, and concatenate all the outputs. Then I'll have a seed length of 2nt, and my HILL pseudoentropy will be t(d + 1) = t(2n + 1). Then if I choose t big enough, at least slightly super-logarithmic in n, I can afford to take ε negligible, and the amount that I extract, the output length, will still be larger than the seed length I invested. Yeah, I don't know if this came up in anything so far, but HILL pseudoentropy does have the nice property that if I have t independent copies of a random variable with a certain amount of HILL pseudoentropy, the pseudoentropy gets multiplied by t. That's because each copy is indistinguishable from some random variable of high min-entropy, so t independent copies are indistinguishable from t independent copies of that high-entropy random variable, and information-theoretic min-entropy does add up when you take independent copies. Now, this is not the most efficient way of dealing with this; a better thing to do is actually to use a reconstructable extractor, which gives you more bits out in one shot to compensate for the gap, rather than taking more copies. But this technique of taking more copies to increase the entropy gap is something that will be useful for us in the next lecture, as we proceed to handle general one-way functions. Questions? All right, I think that's all for today, and next time we will work our way toward the ideas in the construction for general one-way functions.
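The parameter bookkeeping in that repetition step can be checked mechanically (names are mine; this is just arithmetic, not part of the construction): seed length 2nt, pseudoentropy t(2n + 1), extractor loss 2 log(1/ε), so the net stretch is t - 2 log(1/ε), positive exactly when t exceeds 2 log(1/ε); since ε must be negligible, log(1/ε) is super-logarithmic, hence so must t be.

```python
def net_stretch(n, t, log_inv_eps):
    """Output length of the extracted t-fold generator minus its seed length.

    seed length: 2*n*t (t independent seeds for the basic generator)
    extractable bits: t*(2n + 1) pseudoentropy minus the 2*log(1/eps) loss
    """
    seed = 2 * n * t
    extractable = t * (2 * n + 1) - 2 * log_inv_eps
    return extractable - seed   # simplifies to t - 2*log_inv_eps

# With log(1/eps) = 60 (eps = 2^-60), t = 121 just clears the bar, t = 120 does not:
assert net_stretch(n=256, t=121, log_inv_eps=60) == 1
assert net_stretch(n=256, t=120, log_inv_eps=60) == 0
```

Note that the stretch is independent of n: each copy contributes exactly one bit of gap, which is why t must be large enough to pay for the extractor's entropy loss all by itself.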