User:Sadeq/Averaging lemma

The averaging argument is a standard argument which helps in proving theorems in complexity theory and cryptography. It usually allows us to convert probabilistic polynomial-time algorithms into non-uniform polynomial-size circuits.

Example

To simplify, let's first consider an example.

Example: If every person likes at least 1/3 of the books in a library, then, there exists a book, which at least 1/3 of people liked it.

Proof: Suppose there are ${\displaystyle N}$  people and B books. Each person likes at least ${\displaystyle B/3}$  of the books. Let people leave a mark on the book the like. Then, there will be at least ${\displaystyle M=(NB)/3}$  marks. The averaging argument claims that there exists a book with at least ${\displaystyle N/3}$  marks on it. Assume, to the contradiction, that no such book exists. Then, every book has less than ${\displaystyle N/3}$  marks. But, since there are ${\displaystyle N}$  books, the total number of marks will be less than ${\displaystyle (NB)/3}$ , contradicting the fact that there is at least ${\displaystyle M}$  marks. ${\displaystyle \scriptstyle \blacksquare }$ 

Formalized Definition of Averaging Argument

Consider two sets: X and Y, a proposition ${\displaystyle p\colon X\times Y\to {\mbox{TRUE/FALSE}}}$  , and a fraction ${\displaystyle f}$  (where ${\displaystyle 0\leq f\leq 1}$  ).

If for all ${\displaystyle x\in X}$  and at least a fraction ${\displaystyle f}$  of ${\displaystyle y\in Y}$  , the proposition ${\displaystyle p(x,y)}$  holds, then there exists a ${\displaystyle y\in Y}$  , for which there exists a fraction ${\displaystyle f}$  of ${\displaystyle x\in X}$  that the proposition ${\displaystyle p(x,y)}$  holds.

Another formal (and more complicated) definition is due to Barak^[1]:

Let ${\displaystyle f}$  be some function. The averaging argument is the following claim: if we have a circuit ${\displaystyle C}$  such that ${\displaystyle C(x,y)=f(x)}$  with probability at least ${\displaystyle \rho }$ , where ${\displaystyle x}$  is chosen at random and ${\displaystyle y}$  is chosen independently from some distribution ${\displaystyle Y}$  over ${\displaystyle \{0,1\}^{m}}$  (which might not even be efficiently sampleable) then there exists a single string ${\displaystyle y_{0}\in \{0,1\}^{m}}$  such that ${\displaystyle Pr_{x}[C(x,y_{0})=f(x)]\geq \rho }$ .

Indeed, for every ${\displaystyle y}$  define ${\displaystyle p_{y}}$  to be ${\displaystyle Pr_{x}[C(x,y)=f(x)]}$  then

${\displaystyle Pr_{x,y}[C(x,y)=f(x)]=E_{y}[p_{y}]}$ 

and then this reduces to the claim that for every random variable ${\displaystyle Z}$ , if ${\displaystyle E[Z]\geq \rho }$  then ${\displaystyle Pr[Z\geq \rho ]>0}$  (this holds since ${\displaystyle E[Z]}$  is the weighted average of ${\displaystyle Z}$  and clearly if the average of some values is at least ${\displaystyle \rho }$  then one of the values must be at least ${\displaystyle \rho }$ ).

Application

This argument has wide use in complexity theory (e.g. proving ${\displaystyle {\mathcal {BPP}}\subsetneq {\mathcal {P}}/poly}$ ) and cryptography (e.g. proving that indistinguishable encryption results in semantic security). A plethora of such applications can be found in Goldreich's books^[2][3][4].

References

1. Boaz Barak, "Note on the averaging and hybrid arguments and prediction vs. distinguishing.", COS522, Princeton University, March 2006.
2. Oded Goldreich, Foundations of Cryptography, Volume 1: Basic Tools, Cambridge University Press, 2001, ISBN 0-521-79172-3
3. Oded Goldreich, Foundations of Cryptography, Volume 2: Basic Applications, Cambridge University Press, 2004, ISBN 0-521-83084-2
4. Oded Goldreich, Computational Complexity: A Conceptual Perspective, Cambridge University Press, 2008, ISBN 0-521-88473-X

v t e Cryptography General History of cryptography Outline of cryptography Cryptographic protocol Authentication protocol Cryptographic primitive Cryptanalysis Cryptocurrency Cryptosystem Cryptographic nonce Cryptovirology Hash function Cryptographic hash function Key derivation function Digital signature Kleptography Key (cryptography) Key exchange Key generator Key schedule Key stretching Keygen Cryptojacking malware Ransomware Random number generation Cryptographically secure pseudorandom number generator (CSPRNG) Pseudorandom noise (PRN) Secure channel Insecure channel Subliminal channel Encryption Decryption End-to-end encryption Harvest now, decrypt later Information-theoretic security Plaintext Codetext Ciphertext Shared secret Trapdoor function Trusted timestamping Key-based routing Onion routing Garlic routing Kademlia Mix network Mathematics Cryptographic hash function Block cipher Stream cipher Symmetric-key algorithm Authenticated encryption Public-key cryptography Quantum key distribution Quantum cryptography Post-quantum cryptography Message authentication code Random numbers Steganography   Category

[[Category:Computational complexity theory]] [[Category:Circuit complexity| ]] [[Category:Probabilistic complexity theory| ]] [[Category:Cryptography]] [[Category:Theory of cryptography]]