ODED GOLDREICH – DEFINING MOMENTS
Omer Reingold, Stanford, on OdedFest 2017

This Talk’s Concept
- Focus on Oded’s concepts
  - And what awesome concepts they are!
  - Conceptual contributions include everything: the notions, the definitions, the notations …
  - Even if it doesn’t start with Oded, it often ends with him
- How does he do it?
  - Writing, writing and then some more writing (papers, surveys, books)
  - His famous personal touch (more, I guess, in the evening sessions)

Clarifications and Warnings
- Chosen definitions not meant to be representative or Oded’s best (but I love them all)
- These are all joint works; there were other papers before them and papers that followed
- Bias towards those that have impacted my own research
- Celebrating a community
- But don’t expect credits (talk to me when it’s your fest)
- Papers contain more than I discuss
- And to Oded:
- This is your research and your fest
- But it’s my talk! Just saying …

1st Notion: Pseudorandom Functions
Goldreich, Goldwasser and Micali, How to Construct Random Functions, FOCS 84 and JACM 86
- The title – such commitment to the computational lens.
“I have set up on a Manchester computer a small programme using only 1000 units of storage, whereby the machine supplied with one sixteen figure number replies with another within two seconds. I would defy anyone to learn from these replies sufficient about the programme to be able to predict any replies to untried values.”
A. TURING

Poly-Random Collections
Indistinguishability
- g is uniform or in F?
- [Figure: queries x_1, …, x_t to g, answered with g(x_1), …, g(x_t)]

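The query game on this slide, as an added Python example (not from the talk or from the GGM paper): a distinguisher with oracle access only decides whether g is uniform or in F. The three families, the key, the seed and the linearity test are constructed for illustration; the HMAC-based family is assumed, not proven, to be pseudorandom.

```python
import hashlib
import hmac
import random

def linear_family(key):
    """Weak candidate family F: g_k(x) = <k, x> mod 2 (one output bit)."""
    return lambda x: bin(key & x).count("1") & 1

def hmac_family(key):
    """Candidate family: lowest bit of HMAC-SHA256_k(x); PRF security is assumed."""
    def g(x):
        tag = hmac.new(key, x.to_bytes(8, "big"), hashlib.sha256).digest()
        return tag[-1] & 1
    return g

def uniform_function(seed):
    """A uniformly random function on 64-bit inputs, sampled lazily per query."""
    rng, table = random.Random(seed), {}
    def g(x):
        if x not in table:
            table[x] = rng.getrandbits(1)
        return table[x]
    return g

def linearity_distinguisher(g, t=32):
    """Sees only query/answer pairs. Outputs True ("g is in the linear family")
    iff g(a) ^ g(b) == g(a ^ b) holds on all t query triples."""
    for i in range(1, t + 1):
        a, b = i, i << 16            # a, b and a ^ b are distinct fresh points
        if g(a) ^ g(b) != g(a ^ b):
            return False
    return True

if __name__ == "__main__":
    # Constructed key and seed, for demonstration only.
    print("linear :", linearity_distinguisher(linear_family(0xDEADBEEF)))
    print("uniform:", linearity_distinguisher(uniform_function(2017)))
    print("hmac   :", linearity_distinguisher(hmac_family(b"constructed-demo-key")))
```

A uniform function survives all 32 checks with probability 2^-32, so the linear family is distinguished with advantage close to 1, while this particular test gains nothing against the HMAC-based family.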
The Uphill Battle
- Kolmogorov Complexity: non-constructive and not applicable
- Comparison with One-Way functions
- Comparison with CSB (cryptographically strong pseudorandom bit generators)
- PRFs vs. simulating random oracle
  - In particular, allows for sharing a function

My Connection
- Learned the definition from Oded’s notes
- Editor of two of the journal versions
  - Some fond memories there
- 33 years to PRFs + GGM construction and countless papers – no more explanations needed

2nd Notion: Block Sources
Chor and Goldreich, Unbiased Bits from Sources of Weak Randomness and Probabilistic Communication Complexity, FOCS 85, SICOMP 88

It Contains Everything
- Min entropy as THE measure of randomness in a weak random source – X has min-entropy k if ∀x, Pr[X=x] < 2^-k
- Flat distributions (uniform on 2^k elements)
- Inner product (Hadamard code) is a two-source extractor for high entropies
- Randomized communication complexity, slightly dependent sources, …

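An added worked example (not from the talk or the paper) of the notions on this slide: min-entropy, flat sources, and the inner product as a two-source extractor, with the bias computed exhaustively on constructed 8-bit sources. It assumes the usual convention that min-entropy is -log2 of the largest probability and the standard bound 2^((n - k1 - k2)/2) on the bias of the inner product of two independent n-bit sources, neither of which is spelled out on the slide.

```python
import math

def min_entropy(dist):
    """Min-entropy of {outcome: probability}: -log2 of the largest probability."""
    return -math.log2(max(dist.values()))

def flat(support):
    """Flat distribution: uniform on the given set of outcomes."""
    points = list(support)
    return {x: 1.0 / len(points) for x in points}

def inner_product(x, y):
    """Inner product mod 2 of two bit strings packed into integers."""
    return bin(x & y).count("1") & 1

def bias(dist_x, dist_y):
    """|Pr[<X,Y>=0] - Pr[<X,Y>=1]| for independent X ~ dist_x, Y ~ dist_y."""
    total = 0.0
    for x, px in dist_x.items():
        for y, py in dist_y.items():
            total += px * py * (1 - 2 * inner_product(x, y))
    return abs(total)

def bias_bound(n, k1, k2):
    """Standard bound for n-bit independent sources: 2^((n - k1 - k2) / 2)."""
    return 2.0 ** ((n - k1 - k2) / 2)

# Constructed 8-bit sample sources (not from the talk).
N = 8
SKEWED = {0: 0.5, 1: 0.25, 2: 0.25}   # one heavy outcome caps min-entropy at 1 bit
X_HIGH = flat(range(64))              # top 2 bits zero, k = 6
Y_HIGH = flat(range(0, 256, 4))       # low 2 bits zero, k = 6
X_LOW = flat(range(0, 256, 16))       # low 4 bits zero, k = 4
Y_LOW = flat(range(16))               # high 4 bits zero, k = 4

if __name__ == "__main__":
    print("H_min(SKEWED) =", min_entropy(SKEWED))
    for name, dx, dy in (("high", X_HIGH, Y_HIGH), ("low", X_LOW, Y_LOW)):
        k1, k2 = min_entropy(dx), min_entropy(dy)
        print(name, "k1+k2 =", k1 + k2, "bias =", bias(dx, dy),
              "bound =", bias_bound(N, k1, k2))
```

With k1 + k2 = 12 > n the output bit is within the 0.25 bound; with k1 + k2 = 8 = n the two sources sit in orthogonal subspaces and the output is constant, which is why the slide says "for high entropies".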
Block Source
My Connection
- Constructions of randomness extractors heavily relied on block sources
  - First extract blocks then extract from the block-source
- Zig-zag product analysis measures the entropy in a pair (v, a) of (vertex, edge label), as a block source.

3rd Notion: Property Testing
Goldreich, Goldwasser and Ron, Property Testing and Its Connection to Learning and Approximation, FOCS 96, JACM 98

So What’s New?
- Combinatorial properties
- General Distributions, a la PAC learning (Valiant)

Since Then
- Flourishing and mathematically deep field – the power of a conceptually strong work (and many more that followed)
- My connection – PCP composition through a stronger notion, inspired by property testing, that we (Dinur and I) called “assignment testers”
- PCP proofs allow one to prove that a SAT formula is satisfiable. An assignment tester allows proving that an assignment is close to a satisfying assignment of .
- Oded et al rejected the gesture and in an independent work called these objects PCPPs
  - Which stands for “Peace Corps Partnership Program” and “PCPartPicker” and “C99 preprocessor written in pure Python” but also for
  - Probabilistically Checkable Proofs of Proximity
- If you can’t beat them join them …

4th Notion: Auxiliary-Input ZK
Goldreich and Oren, Definitions and Properties of Zero-Knowledge Proof Systems, J. Cryptology 1994
- Title screams “conceptual”
- Zero-Knowledge due to Goldwasser, Micali and Rackoff is a jewel in Cryptography’s crown.
- Much of the way we think of ZK was shaped by Oded’s writings - black-box ZK, auxiliary-input ZK, uniform ZK

What the Verifier Knows?
[Figure labels: x, x, “I’m convinced …”]
- ZK: the verifier doesn’t learn anything (beyond validity)
- Auxiliary-input ZK: the verifier doesn’t learn anything new

Formally …
- Both the verifier V* and the simulator M_V* have access to the auxiliary-information y

My Connection
- This year’s Gödel Prize winner – Differential Privacy
- Definition of privacy in data analysis
- What do you learn about a particular row in a database from Differentially-Private analysis?
- The definition puts auxiliary-input front and center – even if you know all other rows of the database, you do not learn much about this special row (can’t achieve ZK).
- Here too – composition is key
- We recently used resilience of DP to composition for better adaptive data analysis

Concluding Remarks
- Discussed: PRFs, Block Sources, Property Testing, Auxiliary-Input ZK
- Wow!
- Conceptual contributions are long lasting
- What’s next?

Happy Birthday