
Simplifying Armoni’s PRG

Ben Chen, Department of Computer Science, Tel Aviv University, Israel
Amnon Ta-Shma, Department of Computer Science, Tel Aviv University, Israel
Abstract

We propose a simple variant of the INW pseudo-random generator, where blocks have varying lengths, and prove it gives the same parameters as the more complicated construction of Armoni’s 𝖯𝖱𝖦. This shows there is no need for the specialized 𝖯𝖱𝖦s of Nisan and Zuckerman and Armoni, and they can be obtained as simple variants of INW.

For the construction to work we need space-efficient extractors with tiny entropy loss. We use the extractors from [2] instead of [6] taking advantage of the very high min-entropy regime we work with. We remark that using these extractors has the additional benefit of making the dependence on the branching program alphabet Σ correct.

Keywords and phrases:
PRG, ROBP, read-once, random, pseudorandom, Armoni, derandomization
Category:
RANDOM
Funding:
Ben Chen: Israel Science Foundation (grant number 443/22).
Amnon Ta-Shma: Israel Science Foundation (grant number 443/22).
Copyright and License:
© Ben Chen and Amnon Ta-Shma; licensed under Creative Commons License CC-BY 4.0
2012 ACM Subject Classification:
Theory of computation → Pseudorandomness and derandomization
Editors:
Alina Ene and Eshan Chattopadhyay

1 Introduction

In this paper we revisit the problem of constructing pseudo-random generators (𝖯𝖱𝖦s) against bounded width read-once branching programs (𝖱𝖮𝖡𝖯s); for formal definitions of 𝖱𝖮𝖡𝖯s and 𝖯𝖱𝖦s see Definitions 1 and 2. Nisan [9] constructed a 𝖯𝖱𝖦 that ε-fools length-$t$, width-$w$ 𝖱𝖮𝖡𝖯s over Σ with seed length $\Theta(\log t\cdot\log\frac{wt|\Sigma|}{\varepsilon})$ using pair-wise independence. Impagliazzo, Nisan and Wigderson [7] gave a variant of the construction with a similar seed length, but using expanders, extractors or samplers instead of pair-wise independence. The INW 𝖯𝖱𝖦 has seed length $\log|\Sigma|+\Theta(\log t\cdot\log\frac{wt}{\varepsilon})$.

For the special case when the width $w$ of the 𝖱𝖮𝖡𝖯 is much larger than its length and the error, i.e., $t\le\log^c w$ and $\varepsilon\ge 2^{-\log^{0.9}w}$ for some constant $c$, Nisan and Zuckerman [10] constructed a different 𝖯𝖱𝖦 with an optimal seed length $\Theta(\log\frac{wt}{\varepsilon})$. Armoni [1] used the NZ construction recursively, and with a careful analysis obtained a 𝖯𝖱𝖦 with seed length $\Theta\!\left(\frac{\log t\cdot\log\frac{wt}{\varepsilon}}{\max\{\log\frac{\log w}{\log\frac{t}{\varepsilon}},\,1\}}\right)$ for constant-size Σ, where $t\le 2^{\log^{1-\epsilon}w}$ for some constant $\epsilon>0$.

In [8] Armoni’s 𝖯𝖱𝖦 is instantiated with a specific space-explicit extractor, removing the limitation on the parameters; the resulting seed length is $2\log|\Sigma|+\Theta\!\left(\frac{\log t\cdot\log\frac{wt}{\varepsilon}}{\max\{\log\frac{\log w}{\log\frac{t}{\varepsilon}},\,1\}}\right)$. Armoni’s 𝖯𝖱𝖦 with [8] bridges the gap between INW and NZ: it asymptotically matches INW when $t/\varepsilon$ is large, and it matches NZ when $t/\varepsilon$ is small compared to $w$.

In this paper we construct another 𝖯𝖱𝖦 that matches the parameters obtained by Armoni. The surprising thing about our construction is that it avoids the NZ 𝖯𝖱𝖦 altogether, as well as the recursion in Armoni; instead, it is a direct, simple variant of INW. Put differently, Armoni interpolates between two different 𝖯𝖱𝖦 constructions, the NZ 𝖯𝖱𝖦 and the INW 𝖯𝖱𝖦, and his construction is a recursive combination of both. Instead, we show that a simple variant of INW alone gives the same bounds in all parameter regimes.

To understand our new construction, we revisit the INW construction. The main building block behind INW is showing that one can recycle the randomness given to a 𝖯𝖱𝖦, where the recycling is done using an expander, or more generally, a sampler or an extractor. Specifically, instead of applying a 𝖯𝖱𝖦 twice with two independent seeds, one can apply it once (consuming $s$ random bits) and then use a short seed (of length $d\ll s$) to recycle the $s$ bits and obtain from them a new seed for the second application of the 𝖯𝖱𝖦. The constructions in [9, 7] preserve the same seed length for the two applications of the 𝖯𝖱𝖦 (we say, in short, that INW preserves the block length).

Nisan and Zuckerman observe that the seed needed for the extractor has length $d=O(\log\frac{t}{\varepsilon})$ while the string it acts upon has length $s=\Omega(\log w)$, and so when $t/\varepsilon\ll w$, instead of applying the extractor once, it is more beneficial to apply it $u=O\!\left(\frac{\log w}{\log t/\varepsilon}\right)$ times with independent seeds of length $d$. Armoni extends these ideas and implements them recursively.

In this paper we suggest an alternative to NZ and Armoni: instead of taking a large $u$ so that $u\cdot d=s$, we keep $u=1$ and carefully track our losses. Next, we explain this idea in detail.

Suppose we start with a seed $y$ of length $s$ and we want to create from it two seeds for two independent applications of the 𝖯𝖱𝖦. The way INW achieves this is by carving out $d$ bits from $y$ and reserving them for the extractor application. Specifically, say $y=y_{\mathrm{left}}\circ y_{\mathrm{right}}$ where $y_{\mathrm{right}}$ has length $d$. Then, in INW, the first 𝖯𝖱𝖦 is called with the seed $y_{\mathrm{left}}$, and the second 𝖯𝖱𝖦 is called with the seed $\mathrm{Ext}(y_{\mathrm{left}},y_{\mathrm{right}})$, where $\mathrm{Ext}$ is an extractor. Thus, the seed length for the first application is $s-d$, and the seed length for the second application is the extractor output length, which suffers the losses the extractor incurs. These include:

  • The amount of information the machine knows about $y_{\mathrm{left}}$ after seeing the output of the first 𝖯𝖱𝖦. This loss amounts to $\ell=O(\log\frac{tw}{\varepsilon})$.

  • The extractor entropy loss, which is $2\log\frac{1}{\varepsilon}$ in non-explicit constructions. For the time being let us assume we can achieve an $O(\ell)$ loss explicitly, and then this loss is comparable with the first loss.

Thus, the seed loss in the first 𝖯𝖱𝖦 application is $d=O(\log\frac{t}{\varepsilon})$, whereas the loss in the second 𝖯𝖱𝖦 application is larger, namely $O(\log\frac{tw}{\varepsilon})$. The two losses are quite different when $t/\varepsilon\ll w$.

We then do the obvious. We define a recursive construction where, starting with a seed of length $s$, we make two recursive calls, one with seed length $s-d$ and one with seed length $s-\ell$, where $d=O(\log\frac{t}{\varepsilon})$ and $\ell=O(\log\frac{wt}{\varepsilon})$. Doing the analysis, we find that we recover the bound $\log|\Sigma|+\Theta\!\left(\frac{\ell\cdot\log t}{\log(\frac{\ell}{d}+1)}\right)$ in a much simpler way.
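
To get a feel for how fast the number of output symbols grows under this recursion, here is a short Python sketch (ours, purely illustrative; the function name t_of_s and the parameter values are not from the paper). It evaluates the recursion $t(s)=t(s-d)+t(s-\ell)$, with one output symbol at the base case, in a setting where $d\ll\ell$.

```python
# Illustrative sketch (not from the paper): number of output symbols of the
# varying-block-length recursion, t(s) = t(s - d) + t(s - l), with one symbol
# output once the seed length drops below sigma + l.
from functools import lru_cache

def make_t(d, l, sigma):
    @lru_cache(maxsize=None)
    def t_of_s(s):
        if s < sigma + l:
            return 1                      # base case: a single output symbol
        return t_of_s(s - d) + t_of_s(s - l)
    return t_of_s

# d much smaller than l models the regime t/eps << w: left calls are cheap.
t_of_s = make_t(d=4, l=32, sigma=8)
for s in range(8, 8 + 10 * 32 + 1, 32):
    print(s, t_of_s(s))
```

The printout grows roughly like $(\ell/d+1)^{\Theta((s-\sigma)/\ell)}$, which is the behavior quantified in Lemma 7 below.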

To summarize, when $t/\varepsilon\ll w$, it is much better to employ the INW strategy with varying block lengths, and doing so gives the correct parameters in a straightforward way. However, NZ and later Armoni try to preserve the block length throughout different calls. This forces NZ to use several calls to the extractor, and later forces Armoni to use a specially crafted recursion (and a more careful analysis). What we show here is that all of that is unnecessary, and with varying block lengths the INW construction obtains the same parameters as NZ and Armoni.

For our construction to work, we require space-efficient extractors with small entropy loss. In general, there are non-explicit $(k,\epsilon)$ extractors $E:\{0,1\}^n\times\{0,1\}^d\to\{0,1\}^m$ with entropy loss $2\log\frac{1}{\varepsilon}+O(1)$, i.e., $m=k+d-2\log\frac{1}{\varepsilon}-O(1)$; notice that the entropy loss is independent of $k$. Kane et al. in [8] instantiated Armoni’s 𝖯𝖱𝖦 with the GUV extractor [6, Theorem 5.10], which has $\Omega(k)$ entropy loss, and they show it is space-efficient. However, an $\Omega(k)$ loss is too much for us.

In general, the best explicit extractors have $\Omega\!\left(\frac{k}{\mathrm{poly}(\log k)}\right)$ entropy loss [5, 11]. What saves us here is that we do not need general extractors but rather extractors working in the very high min-entropy regime, where $\Delta=n-k$ is small. In this regime one can split the source into a large block followed by a second, small block of length $O(\Delta)$, and then use a block-wise extractor. This was implemented in [2]. The resulting extractor is cited as Theorem 4; it has low entropy loss and is space-efficient.

Replacing the lossy extractor used in [8] with the small entropy-loss extractor of [2] has other benefits. It turns out this also reduces the additive dependence on $|\Sigma|$ from $2\log|\Sigma|$ to $\log|\Sigma|$. We summarize the parameters obtained by the previous constructions and by our construction in Table 1.

Table 1: 𝖯𝖱𝖦s for standard-order 𝖱𝖮𝖡𝖯s.
Seed Size | Reference | Remarks
$\Theta(\log t\cdot\log\frac{wt|\Sigma|}{\varepsilon})$ | [9] |
$\log|\Sigma|+\Theta(\log t\cdot\log\frac{wt}{\varepsilon})$ | [7] |
$\Theta(\log w)$ | [10] | When $\log w=(t/\varepsilon)^{\beta}$ for some $\beta>0$
$2\log|\Sigma|+\Theta\!\left(\frac{\log t\cdot\log\frac{wt}{\varepsilon}}{\max\{\log\frac{\log w}{\log\frac{t}{\varepsilon}},\,1\}}\right)$ | [1] | With the extractors of [8]
$\log|\Sigma|+\Theta\!\left(\frac{\log t\cdot\log\frac{wt}{\varepsilon}}{\max\{\log\frac{\log w}{\log\frac{t}{\varepsilon}},\,1\}}\right)$ | This paper | Also, [1] with the extractor of Theorem 4

We remark that while the improvement in the dependence on Σ may seem insignificant, it can help simplify certain constructions. A notable example is the recent work of Cheng and Wu [3], which employs an iterative process of alternating length-reduction and alphabet-reduction steps. Using our 𝖯𝖱𝖦 (with the extractor of [2]) in the length reduction, the alphabet reduction becomes unnecessary.

2 Preliminaries

$[k]$ denotes the set $\{1,\ldots,k\}$. For a $k\times k$ matrix $M$ and $i,j\in[k]$, $M[i,j]$ is the value of $M$ at the $i$'th row and $j$'th column. $\|M\|$ is the spectral norm of $M$. For every $f:[w]\to[w]$ there is a corresponding $w\times w$ boolean matrix $M_f$ such that $M_f[i,j]=1$ iff $f(j)=i$. We denote the set of such matrices by $\mathrm{SBM}_{w\times w}$ (stochastic, boolean matrices).

Definition 1 (𝖱𝖮𝖡𝖯).

Let Σ be an arbitrary set and $w,t\in\mathbb{N}$. $B$ is a width $w$, length $t$ read-once branching program (𝖱𝖮𝖡𝖯) on alphabet Σ if it is a sequence of $t$ functions $(B_1,B_2,\ldots,B_t)$, with $B_i:\Sigma\to\mathrm{SBM}_{w\times w}$. The evaluation of $B$ on input $\sigma_1,\ldots,\sigma_t\in\Sigma^t$ is the linear operator $B(\sigma_1,\ldots,\sigma_t)\stackrel{\mathrm{def}}{=}B_t(\sigma_t)\cdots B_1(\sigma_1)$. We also say $B$ is a $(w,t,\Sigma)$-𝖱𝖮𝖡𝖯.
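
As a concrete (and entirely illustrative) companion to Definition 1, the following Python sketch evaluates a small 𝖱𝖮𝖡𝖯 as a product of boolean stochastic matrices; the helper names step_matrix and evaluate_robp are ours.

```python
# Illustrative sketch of Definition 1 (names ours): an ROBP layer is a map
# from a symbol to a function [w] -> [w], represented by its matrix in SBM_{w x w}.
import numpy as np

def step_matrix(f, w):
    """M_f[i, j] = 1 iff f(j) = i."""
    M = np.zeros((w, w), dtype=int)
    for j in range(w):
        M[f(j), j] = 1
    return M

def evaluate_robp(layers, word, w):
    """Returns B_t(sigma_t) ... B_1(sigma_1), multiplied right to left as in Definition 1."""
    result = np.eye(w, dtype=int)
    for layer, sym in zip(layers, word):
        result = step_matrix(layer[sym], w) @ result
    return result

# Toy example: width 2 over alphabet {0, 1}; each layer XORs the state with the
# read symbol, so starting from state 0 the final state is the parity of the input.
xor_layer = {0: (lambda s: s), 1: (lambda s: 1 - s)}
B = [xor_layer, xor_layer, xor_layer]
print(evaluate_robp(B, [1, 0, 1], w=2) @ np.array([1, 0]))   # -> [1 0], i.e. state 0
```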

Definition 2 (PRG).

Let Σ be an arbitrary set and $s,t\in\mathbb{N}$. An $(s,t,\Sigma)$ pseudo-random generator is a function $\mathrm{PRG}:\{0,1\}^s\to\Sigma^t$. For $\epsilon>0$ we say $\mathrm{PRG}$ $\epsilon$-fools $(w,t,\Sigma)$-𝖱𝖮𝖡𝖯s if for every $(w,t,\Sigma)$-𝖱𝖮𝖡𝖯 $B$ we have:

$\left\|\mathop{\mathbf{E}}_{\sigma\sim\Sigma^t}B(\sigma)-\mathop{\mathbf{E}}_{x\sim\{0,1\}^s}B(\mathrm{PRG}(x))\right\|\ \le\ \epsilon.$
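
For very small parameters one can check the fooling condition of Definition 2 by brute force; the sketch below (ours, exponential time, for intuition only) does exactly that, with robp_eval and prg standing in for a concrete 𝖱𝖮𝖡𝖯 and 𝖯𝖱𝖦.

```python
# Brute-force check of the fooling condition (a sketch of ours, for tiny w, t, s).
# robp_eval maps a word in Sigma^t to the w x w matrix B(sigma_1, ..., sigma_t);
# prg maps an s-bit tuple to such a word.
import itertools
import numpy as np

def fooling_error(robp_eval, prg, s, t, alphabet):
    truth = np.mean([robp_eval(word) for word in itertools.product(alphabet, repeat=t)], axis=0)
    pseudo = np.mean([robp_eval(prg(x)) for x in itertools.product((0, 1), repeat=s)], axis=0)
    return np.linalg.norm(truth - pseudo, ord=2)   # spectral norm, as in the preliminaries

# Toy usage: a width-1 "ROBP" that ignores its input, and the identity map as a PRG.
print(fooling_error(lambda word: np.array([[1.0]]), lambda x: x, s=3, t=3, alphabet=(0, 1)))
```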

2.1 Extractors

$U_n$ denotes the uniform distribution on $n$ bits. The min-entropy of a random source $X$, denoted $H_\infty(X)$, is $H_\infty(X)\stackrel{\mathrm{def}}{=}\min_{\omega\in\mathrm{Supp}(X)}\log\frac{1}{\Pr_{x\sim X}(x=\omega)}$. The statistical distance between two random variables defined over a domain $\Omega$ is $\mathrm{SD}_\Omega(X,Y)\stackrel{\mathrm{def}}{=}\frac{1}{2}\sum_{\omega\in\Omega}\left|\Pr_{x\sim X}[x=\omega]-\Pr_{y\sim Y}[y=\omega]\right|$. The statistical distance can be equivalently defined as $\mathrm{SD}_\Omega(X,Y)\stackrel{\mathrm{def}}{=}\max_{f:\Omega\to\{0,1\}}\left|\mathop{\mathbf{E}}_{x\sim X}f(x)-\mathop{\mathbf{E}}_{y\sim Y}f(y)\right|$.
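
The two quantities just defined are easy to compute for explicitly given distributions; the tiny sketch below (ours) does so for distributions represented as dictionaries from outcomes to probabilities.

```python
# Sketch (ours) of min-entropy and statistical distance for explicit distributions.
import math

def min_entropy(dist):
    """H_infinity(X) = min over the support of log2(1 / Pr[X = omega])."""
    return min(math.log2(1.0 / p) for p in dist.values() if p > 0)

def statistical_distance(dist_x, dist_y):
    """SD(X, Y) = (1/2) * sum over Omega of |Pr[X = omega] - Pr[Y = omega]|."""
    support = set(dist_x) | set(dist_y)
    return 0.5 * sum(abs(dist_x.get(o, 0.0) - dist_y.get(o, 0.0)) for o in support)

# Example: a slightly biased bit versus a uniform bit.
X = {0: 0.6, 1: 0.4}
U = {0: 0.5, 1: 0.5}
print(min_entropy(X))              # log2(1/0.6), about 0.737
print(statistical_distance(X, U))  # 0.1
```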

Definition 3 (extractor).

Let $n,d,k,m\in\mathbb{N}$ and $\epsilon>0$. A function $\mathrm{Ext}:\{0,1\}^n\times\{0,1\}^d\to\{0,1\}^m$ is a $(k,\epsilon)$ extractor if for every random variable $X$ over $\{0,1\}^n$ with $H_\infty(X)\ge k$ it holds that

$\mathrm{SD}_{\{0,1\}^m}\left(\mathrm{Ext}(X,U_d),U_m\right)\ \le\ \epsilon.$
Theorem 4 ([2] High min-entropy extractor with a small entropy loss).

For $n>k$ and $\epsilon>0$, there is a family of extractors $E_{\mathrm{high}}:\{0,1\}^n\times\{0,1\}^d\to\{0,1\}^m$ that is a $(k,\epsilon)$ extractor with $d=O(\log(n-k)+\log\frac{1}{\epsilon})$ and entropy loss $n+d-m\le O(n-k+\log\frac{1}{\epsilon})$. Furthermore, $E_{\mathrm{high}}(x,y)$ can be computed in time $\mathrm{poly}(n\cdot\log\frac{1}{\epsilon})$ and space $O(n-k+\log n+\log\frac{1}{\epsilon})$ for all $x,y$.

Cohen et al. in [4] used a more careful space analysis to show a different space bound $O(\log m+\log m\cdot\log\frac{1}{\varepsilon})$. For our analysis the bound of Chattopadhyay and Liao [2] is sufficient.

3 The new PRG

As explained in the introduction, we apply the INW approach, each time replacing a seed with two different (shorter) seeds. Unlike INW, the two seeds have different lengths. Specifically, if we start with an initial seed of length $s$, then we can only pass $s-d$ bits to the first application of the 𝖯𝖱𝖦, because we need to keep $d$ independent bits for the recycling step. When we recycle the randomness, say with an extractor, and get a new seed for the second 𝖯𝖱𝖦, we can recover these $d$ bits but we have two new losses:

  • An entropy loss of order $O(\log\frac{1}{\varepsilon'})$, where $\varepsilon'$ is the extractor error, which we take to be $\Theta(\frac{\varepsilon}{t})$, where $\varepsilon$ is the final error and $t$ is the final number of blocks, and,

  • A $\log\frac{w}{\varepsilon'}$ loss, due to the information collected by the width $w$ branching program after seeing the output of the first 𝖯𝖱𝖦.

Thus, for the second application we lose $\ell=O(\log\frac{wt}{\varepsilon})$ bits. As $d=O(\log\frac{t}{\varepsilon})$, it is significantly smaller than $\ell$ when $w\gg\frac{t}{\varepsilon}$. To summarize, we replace a length-$s$ seed with two seeds, one of length $s-d$ and the other of length $s-\ell$, where $d=O(\log\frac{t}{\varepsilon})$ and $\ell=O(\log\frac{wt}{\varepsilon})$, and where the constants behind the big-O notation are essentially determined by the seed length and the entropy loss of the explicit extractor that we use (plus an additive $\log\frac{w}{\varepsilon'}$ added to $\ell$).
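
As a purely illustrative numeric example (ours, not from the paper) of the gap between the two losses: take $\varepsilon$ constant and $w=2^{\log^2 t}$. Then

$d=O\!\left(\log\tfrac{t}{\varepsilon}\right)=O(\log t),\qquad \ell=O\!\left(\log\tfrac{wt}{\varepsilon}\right)=O(\log w)=O(\log^2 t),$

so a left recursive call costs roughly a $1/\log t$ fraction of the seed bits that a right call costs; this imbalance is exactly what the varying-block-length tree exploits.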

Having the recycling building block, we use it recursively and define a sequence of 𝖯𝖱𝖦s. Applying this idea in a tree-like fashion, we get the following construction:

Construction 5 (INW with varying block lengths).

Given a set Σ of size $2^\sigma$, parameters $d,\ell$, and a family

$\{\mathrm{Ext}_s:\{0,1\}^{s-d}\times\{0,1\}^d\to\{0,1\}^{s-\ell}\}_{s}$

define a family $\{P_s:\{0,1\}^s\to\Sigma^{t(s)}\}_{s}$ of 𝖯𝖱𝖦s by

$P_s(x\circ y)=\begin{cases}P_{s-d}(x)\circ P_{s-\ell}(\mathrm{Ext}_s(x,y)) & \text{if }|x\circ y|\ge\sigma+\ell\\ \text{the first }\sigma\text{ bits of }x\circ y & \text{if }\sigma\le|x\circ y|<\sigma+\ell\end{cases}$

where $t(s)=1$ for $\sigma\le s<\sigma+\ell$ and $t(s)=t(s-d)+t(s-\ell)$ for $s\ge\sigma+\ell$ (in the first case $y$ consists of the last $d$ bits of the seed).
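
The recursion of Construction 5 is short enough to be written out directly. The following Python sketch (ours, not the paper's implementation) mirrors the two cases above; the placeholder toy_ext only fixes the input/output lengths of the family $\{\mathrm{Ext}_s\}$ and has none of the required extractor properties.

```python
# A minimal sketch of Construction 5 (ours).  Seeds are bit strings;
# ext(x, y, out_len) stands in for Ext_s with output length s - l.

def P(seed, sigma, d, l, ext):
    s = len(seed)
    if s < sigma + l:                       # base case of Construction 5
        return (seed[:sigma],)              # output one Sigma symbol (sigma bits)
    x, y = seed[:s - d], seed[s - d:]       # keep the last d bits for recycling
    left = P(x, sigma, d, l, ext)           # P_{s-d}(x)
    right = P(ext(x, y, s - l), sigma, d, l, ext)   # P_{s-l}(Ext_s(x, y))
    return left + right

def toy_ext(x, y, out_len):                 # placeholder only, NOT an extractor
    return (x + y)[:out_len]

out = P("0" * 30, sigma=4, d=2, l=8, ext=toy_ext)
print(len(out), out[:3])                    # number of output symbols and a few blocks
```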

Theorem 6.

Let $w,t\in\mathbb{N}$, $\varepsilon>0$, and let Σ be a set of size $2^\sigma$. There is a large enough constant $c$ s.t. setting $d=c\log\frac{t}{\varepsilon}$, $\ell=c\log\frac{wt}{\varepsilon}$, and assuming a family $\{\mathrm{Ext}_s:\{0,1\}^{s-d}\times\{0,1\}^d\to\{0,1\}^{s-\ell}\}_{s}$ of $(s-d-\log\frac{w}{\varepsilon'},\varepsilon')$ extractors, for $\varepsilon'=\frac{\varepsilon}{6t}$, we have that $\{P_s\}_{s}$ as in Construction 5 is an $(s,t,\Sigma)$-𝖯𝖱𝖦 $\varepsilon$-fooling $(w,t,\Sigma)$-𝖱𝖮𝖡𝖯s with $s=\sigma+\Theta\!\left(\frac{\log\frac{wt}{\varepsilon}\cdot\log t}{\log\left(2+\frac{\log w}{\log\frac{t}{\varepsilon}}\right)}\right)$.

We need to analyze the output length of the generator and to prove correctness. We start by analyzing the output length of $P_s$ as a function of the seed length $s$.

3.1 The seed length

Recall that $t(s)$ is the number of Σ symbols the 𝖯𝖱𝖦 $P_s$ outputs. Conversely, let us denote by $s(t)$ the seed length needed to output $t$ symbols, i.e., the minimal integer $s_t$ such that $t(s_t)\ge t$. Then,

Lemma 7 (seed size).

$s(t)=\sigma+\Theta\!\left(\frac{\ell\cdot\log t}{\log(\frac{\ell}{d}+1)}\right)$.

To gain intuition, think of the recursion in Construction 5 as a tree, where at the root we have our initial seed, and every non-leaf vertex with seed length $s\ge\sigma+\ell$ has two children: a left child with seed length $s-d$, and a right child with seed length $s-\ell$. The leaves are vertices with $\sigma\le s<\sigma+\ell$. A path in the tree is a sequence of left and right steps from the root to a leaf. Unlike the 𝖯𝖱𝖦s of [9, 7, 1], where all paths have the same length, in our construction different paths have different lengths.

Proof.

Without loss of generality assume $\ell$ is an integer multiple of $d$ and $s-\sigma$ is an integer multiple of $\ell$.

$t(s)=\sum_{\substack{k_L,k_R\ge 0\\ k_L d+k_R\ell+\sigma=s}}\binom{k_L+k_R}{k_R}$

where $k_L$ (resp. $k_R$) is the number of left (resp. right) steps in the path. While we need a lower bound on $t(s)$, we also derive a matching upper bound.

For the upper bound we notice that $k_L\le\frac{s-\sigma}{d}$ and $k_R\le\frac{s-\sigma}{\ell}$. As $\binom{a+b}{b}$ is monotone increasing in each of $a$ and $b$ when the other is fixed, we conclude that

$\binom{k_L+k_R}{k_R}\ \le\ \binom{\frac{s-\sigma}{d}+\frac{s-\sigma}{\ell}}{\frac{s-\sigma}{\ell}}$

Also notice that there are at most $\frac{s-\sigma}{\ell}$ legal assignments for $k_R$.

For the lower bound we notice that $k_L=\frac{s-\sigma}{2d}$ and $k_R=\frac{s-\sigma}{2\ell}$ is a legal assignment. Thus,

$\binom{\frac{s-\sigma}{2d}+\frac{s-\sigma}{2\ell}}{\frac{s-\sigma}{2\ell}}\ \le\ t(s)\ \le\ \frac{s-\sigma}{\ell}\binom{\frac{s-\sigma}{d}+\frac{s-\sigma}{\ell}}{\frac{s-\sigma}{\ell}}$

Using $\frac{s-\sigma}{\ell}\le\log t(s)$ and $\left(\frac{n}{k}\right)^k\le\binom{n}{k}\le\left(\frac{en}{k}\right)^k$, we get

$t(s)\ \ge\ \binom{\frac{s-\sigma}{2d}+\frac{s-\sigma}{2\ell}}{\frac{s-\sigma}{2\ell}}\ \ge\ \left(\frac{\ell}{d}+1\right)^{\frac{s-\sigma}{2\ell}}$
$t(s)\ \le\ \log t(s)\cdot\left(\frac{e\left(\frac{s-\sigma}{d}+\frac{s-\sigma}{\ell}\right)}{\frac{s-\sigma}{\ell}}\right)^{\frac{s-\sigma}{\ell}}=\log t(s)\cdot\left(\frac{e\ell}{d}+e\right)^{\frac{s-\sigma}{\ell}}$

Thus, for $s_{\mathrm{up}}=\sigma+\frac{2\ell\log t}{\log(\frac{\ell}{d}+1)}$ we have $t(s_{\mathrm{up}})\ge\left(\frac{\ell}{d}+1\right)^{\frac{s_{\mathrm{up}}-\sigma}{2\ell}}=t$ and therefore $s(t)\le s_{\mathrm{up}}$. Similarly, for $s_{\mathrm{low}}=\sigma+\frac{\ell\log(t/\log t)}{\log(\frac{e\ell}{d}+e)}$ we have $t(s_{\mathrm{low}})\le\log t(s_{\mathrm{low}})\cdot\left(\frac{e\ell}{d}+e\right)^{\frac{s_{\mathrm{low}}-\sigma}{\ell}}=\log t(s_{\mathrm{low}})\cdot\frac{t}{\log t}$ and therefore $s(t)\ge s_{\mathrm{low}}$. I.e.,

$\frac{\ell\log\frac{t}{\log t}}{\log(\frac{e\ell}{d}+e)}\ \le\ s(t)-\sigma\ \le\ \frac{2\ell\log t}{\log(\frac{\ell}{d}+1)}$

We conclude that

$s(t)=\sigma+\Theta\!\left(\frac{\ell\cdot\log t}{\log(\frac{\ell}{d}+1)}\right),$

proving Lemma 7.
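
As a small sanity check of the counting identity at the heart of this proof, the following sketch (ours; the parameter values are arbitrary but respect the divisibility assumptions made above) compares the recursive definition of $t(s)$ with the sum of binomial coefficients over pairs $(k_L,k_R)$.

```python
# Numeric check (ours) that t(s) = t(s - d) + t(s - l) matches
# the sum over {k_L, k_R >= 0 : k_L*d + k_R*l + sigma = s} of C(k_L + k_R, k_R),
# under the proof's assumption that l is a multiple of d and s - sigma a multiple of l.
from functools import lru_cache
from math import comb

d, l, sigma = 3, 12, 5

@lru_cache(maxsize=None)
def t_rec(s):
    return 1 if s < sigma + l else t_rec(s - d) + t_rec(s - l)

def t_formula(s):
    total = 0
    for k_r in range((s - sigma) // l + 1):
        rest = s - sigma - k_r * l
        if rest % d == 0:
            total += comb(rest // d + k_r, k_r)
    return total

for k in range(1, 8):
    s = sigma + k * l
    assert t_rec(s) == t_formula(s)
    print(s, t_rec(s))
```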

3.2 Correctness

Lemma 8 (Following [7]).

Suppose

  • $P_1$ is an $(s_1,t_1,\Sigma)$-𝖯𝖱𝖦 that $\epsilon_1$-fools $(w,t_1,\Sigma)$-𝖱𝖮𝖡𝖯s, and,

  • $P_2$ is an $(s_2,t_2,\Sigma)$-𝖯𝖱𝖦 that $\epsilon_2$-fools $(w,t_2,\Sigma)$-𝖱𝖮𝖡𝖯s,

for some $s_1,s_2,t_1,t_2,d\in\mathbb{N}$ and $\epsilon_1,\epsilon_2>0$. Further assume

  • $E:\{0,1\}^{s_1}\times\{0,1\}^d\to\{0,1\}^{s_2}$ is an $(s_1-\log\frac{w}{\varepsilon},\varepsilon)$ extractor.

Then $G:\{0,1\}^{s_1}\times\{0,1\}^d\to\Sigma^{t_1+t_2}$ defined by

$G(x,y)=P_1(x)\circ P_2(E(x,y))$

$(3\varepsilon+\epsilon_1+\epsilon_2)$-fools $(w,t_1+t_2,\Sigma)$-𝖱𝖮𝖡𝖯s.

The main difference between Lemma 8 and the corresponding lemma in [7] is that $P_1$ and $P_2$ take different input lengths. For completeness we give the proof:

Proof.

Let $B$ be a $(w,t=t_1+t_2,\Sigma)$-𝖱𝖮𝖡𝖯. The main claim is

Claim 9.

$\left\|\mathop{\mathbf{E}}_{x\sim U_{s_1},y\sim U_d}B(P_1(x)\circ P_2(E(x,y)))-\mathop{\mathbf{E}}_{x\sim U_{s_1},y\sim U_{s_2}}B(P_1(x)\circ P_2(y))\right\|\ \le\ 3\varepsilon.$

Proof.

Let $v$ be the state in layer $t_1$ of $B$ reached after taking a walk on $B$ according to $P_1(x)$. We split our expectation into two cases.

  • We reach a vertex $v$ that has at most $\frac{\varepsilon 2^{s_1}}{w}$ sources. Using the union bound over the states, we see that the probability over $x$ of this event is at most $\varepsilon$. This gives an error of at most $\varepsilon$.

  • We reach a vertex $v$ that has at least $\frac{\varepsilon 2^{s_1}}{w}$ sources. In this case, the min-entropy of $x$ conditioned on $v$ is at least $s_1-\log\frac{w}{\varepsilon}$. Since $E$ is an $(s_1-\log\frac{w}{\varepsilon},\varepsilon)$ extractor, from the adversary's point of view the distributions $E(x,U_d)$ and $U_{s_2}$ are $\varepsilon$-statistically close, and therefore this adds at most $2\varepsilon$ to the distance.

This proves Claim 9.

Thus,

$\left\|\mathop{\mathbf{E}}_{x,y}B(P_1(x)\circ P_2(E(x,y)))-\mathop{\mathbf{E}}_{\sigma\sim\Sigma^t}B(\sigma)\right\|$
$\le\left\|\mathop{\mathbf{E}}_{x,y}B(P_1(x)\circ P_2(E(x,y)))-\mathop{\mathbf{E}}_{x,y}B(P_1(x)\circ P_2(y))\right\|+$
$\left\|\mathop{\mathbf{E}}_{x,y}B(P_1(x)\circ P_2(y))-\mathop{\mathbf{E}}_{\sigma\sim\Sigma^{t_1},y}B(\sigma\circ P_2(y))\right\|+$
$\left\|\mathop{\mathbf{E}}_{\sigma\sim\Sigma^{t_1},y}B(\sigma\circ P_2(y))-\mathop{\mathbf{E}}_{\sigma\sim\Sigma^t}B(\sigma)\right\|$

The first expression is bounded by $3\varepsilon$ by Claim 9, the second by $\epsilon_1$ because $P_1$ fools $(w,t_1,\Sigma)$-𝖱𝖮𝖡𝖯s, and the third by $\epsilon_2$ because $P_2$ fools $(w,t_2,\Sigma)$-𝖱𝖮𝖡𝖯s, completing the proof of Lemma 8.

Once we know how the error accumulates in a single application we can deduce how it accumulates throughout the tree:

Lemma 10 (error accumulation).

$P_s$ $\varepsilon''$-fools $(w,t(s),\Sigma)$-𝖱𝖮𝖡𝖯s for $\varepsilon''=3(t(s)-1)\varepsilon'$.

Proof.

(of Lemma 10) By induction on $s$. For $s<\sigma+\ell$ the 𝖯𝖱𝖦 returns truly uniform bits. Let us prove the claim for $s\ge\sigma+\ell$. By Lemma 8, $\epsilon_s\le\epsilon_{s-d}+\epsilon_{s-\ell}+3\varepsilon'$. By induction, $\epsilon_s\le 3\varepsilon'(t(s-d)-1)+3\varepsilon'(t(s-\ell)-1)+3\varepsilon'=3\varepsilon'(t(s-d)+t(s-\ell)-1)$. The proof is complete using $t(s)=t(s-d)+t(s-\ell)$.

Lemma 7 together with Lemma 10 proves Theorem 6, because $\varepsilon''\le 3t(s)\varepsilon'\le 6t\varepsilon'=\varepsilon$ (note that $t(s)<2t$ by the minimality of $s$).

References

  • [1] Roy Armoni. On the derandomization of space-bounded computations. In International Workshop on Randomization and Approximation Techniques in Computer Science, pages 47–59. Springer, 1998. doi:10.1007/3-540-49543-6_5.
  • [2] Eshan Chattopadhyay and Jyun-Jie Liao. Optimal error pseudodistributions for read-once branching programs. arXiv preprint arXiv:2002.07208, 2020. arXiv:2002.07208.
  • [3] Kuan Cheng and Ruiyang Wu. Weighted pseudorandom generators for read-once branching programs via weighted pseudorandom reductions. arXiv preprint arXiv:2502.08272, 2025. doi:10.48550/arXiv.2502.08272.
  • [4] Gil Cohen, Dean Doron, Ori Sberlo, and Amnon Ta-Shma. Approximating iterated multiplication of stochastic matrices in small space. In Proceedings of the 55th Annual ACM Symposium on Theory of Computing, pages 35–45, 2023. doi:10.1145/3564246.3585181.
  • [5] Zeev Dvir, Swastik Kopparty, Shubhangi Saraf, and Madhu Sudan. Extensions to the method of multiplicities, with applications to Kakeya sets and mergers. SIAM Journal on Computing, 42(6):2305–2328, 2013. doi:10.1137/100783704.
  • [6] Venkatesan Guruswami, Christopher Umans, and Salil Vadhan. Unbalanced expanders and randomness extractors from Parvaresh–Vardy codes. Journal of the ACM (JACM), 56(4):1–34, 2009. doi:10.1145/1538902.1538904.
  • [7] Russell Impagliazzo, Noam Nisan, and Avi Wigderson. Pseudorandomness for network algorithms. In Proceedings of the twenty-sixth annual ACM symposium on Theory of computing, pages 356–364, 1994. doi:10.1145/195058.195190.
  • [8] Daniel M. Kane, Jelani Nelson, and David P. Woodruff. Revisiting norm estimation in data streams. arXiv preprint arXiv:0811.3648, 2008. arXiv:0811.3648.
  • [9] Noam Nisan. Pseudorandom generators for space-bounded computations. In Proceedings of the twenty-second annual ACM symposium on Theory of computing, pages 204–212, 1990. doi:10.1145/100216.100242.
  • [10] Noam Nisan and David Zuckerman. Randomness is linear in space. Journal of Computer and System Sciences, 52(1):43–52, 1996. doi:10.1006/JCSS.1996.0004.
  • [11] Amnon Ta-Shma and Christopher Umans. Better condensers and new extractors from Parvaresh–Vardy codes. In 2012 IEEE 27th Conference on Computational Complexity, pages 309–315. IEEE, 2012. doi:10.1109/CCC.2012.25.