sign in sign up
<<
Home , Oded Goldreich, Pseudorandomness

fea-goldreich.qxp 9/23/99 3:56 PM Page 1209

Pseudorandomness Oded Goldreich

his essay considers finite objects, en- associated with a unique distribution—the uni- coded by binary finite sequences called form one. In particular, by definition, one cannot strings. When we talk of distributions generate such perfect random strings from shorter we mean discrete probability distribu- random strings. tions having a finite support that is a set The second theory (cf. [11, 12]), due to ofT strings. Of special interest is the uniform dis- Solomonov, Kolmogorov, and Chaitin, is rooted in tribution, which for a length parameter n (explicit computability theory and specifically in the notion or implicit in the discussion), assigns each n-bit of a universal language (equivalently, universal string x ∈{0, 1}n equal probability (i.e., probabil- machine or computing device). It measures the ity 2n). We will colloquially speak of “perfectly ran- complexity of objects in terms of the shortest pro- dom strings”, meaning strings selected according gram (for a fixed universal machine) that generates to such a uniform distribution. the object.2 Like Shannon’s theory, Kolmogorov The second half of this century has witnessed complexity is quantitative, and perfect random the development of three theories of , objects appear as an extreme case. Interestingly, a notion that has been puzzling thinkers over the in this approach one may say that a single object, ages. The first theory (cf. [3]), initiated by Shannon, rather than a distribution over objects, is perfectly is rooted in probability theory and is focused on random. Still, Kolmogorov’s approach is inher- distributions that are not perfectly random. Shan- ently intractable (i.e., Kolmogorov complexity is non’s information theory characterizes perfect uncomputable), and, by definition, one cannot randomness as the extreme case in which the in- generate strings of high Kolmogorov complexity formation content is maximized (and there is no from short random strings. redundancy at all).1 Thus, perfect randomness is The third theory, initiated by Blum, Goldwasser, Micali, and Yao [8, 2, 13], is rooted in complexity Oded Goldreich is professor of computer science at the theory and is the focus of this essay. This ap- Weizmann Institute of Science, . His e-mail address proach is explicitly aimed at providing a theory of is [email protected]. perfect randomness that nevertheless allows for The author is grateful to Anthony Knapp and Susan the efficient generation of perfect random strings Landau for their many useful comments. from shorter random strings. The heart of this ap- 1 proach is the suggestion to view objects as equal In general, the amountP of information in a distribution if they cannot be told apart by any efficient D is defined as x D(x) log2 D(x). Thus, the uniform dis- tribution over strings of length n has information mea- sure n, and any other distribution over n-bit strings has 2For example, the string 1n has Kolmogorov complexity

lower information measure. Also, for any function O(1) + log2 n (by virtue of the program “print n ones”, f : {0, 1}n →{0, 1}m with n

NOVEMBER 1999 NOTICES OF THE AMS 1209 fea-goldreich.qxp 9/23/99 3:56 PM Page 1210

procedure. Consequently a distribution that can- take random steps, where, without loss of gener- not be efficiently distinguished from the uniform ality, a random step consists of selecting which of distribution will be considered as being random (or two predetermined steps to take next so that each rather “random for all practical purposes”, which possible step is taken with probability 1/2. These we call “pseudorandom”). Thus, randomness is choices are called the algorithm’s internal coin not an “inherent” property of objects (or distrib- tosses. utions) but rather is relative to an observer (and its computational abilities). To demonstrate this ap- The Definition of Pseudorandom proach, let us consider the following mental ex- Generators periment. Loosely speaking, a is an efficient program (or algorithm) that stretches short Alice and Bob play HEAD OR TAIL in one random strings into long pseudorandom sequences. of the following four ways. In all of We emphasize three fundamental aspects in the no- them Alice flips a coin high in the air, tion of a pseudorandom generator: and Bob is asked to guess its outcome 1. Efficiency. The generator has to be efficient. before the coin hits the floor. The al- As we associate efficient computations with ternative ways differ by the knowledge polynomial-time ones, we postulate that the Bob has before making his guess. In generator has to be implementable by a de- the first alternative, Bob has to an- terministic polynomial-time algorithm. nounce his guess before Alice flips the This algorithm takes as input a string, called coin. Clearly, in this case Bob wins with its seed. The seed captures a bounded amount probability 1/2. In the second alterna- of randomness used by a device that “gener- tive, Bob has to announce his guess ates pseudorandom sequences”. The formu- while the coin is spinning in the air. Al- lation views any such device as consisting of though the outcome is determined in a deterministic procedure applied to a ran- principle by the motion of the coin, Bob dom seed. does not have accurate information on 2. Stretching. The generator is required to stretch the motion and thus we believe that its input seed to a longer output sequence. also in this case Bob wins with proba- Specifically, it stretches n-bit long seeds into bility 1/2. The third alternative is `(n) -bit long outputs, where `(n) >n. The similar to the second, except that Bob function ` is called the stretching measure has at his disposal sophisticated equip- (or stretching function) of the generator. ment capable of providing accurate in- 3. Pseudorandomness. The generator’s output formation on the coin’s motion as well has to look random to any efficient observer. as on the environment affecting the That is, any efficient procedure should fail to outcome. However, Bob cannot process distinguish the output of a generator (on a this information in time to improve his random seed) from a truly random sequence guess. In the fourth alternative, Bob’s of the same length. The formulation of the recording equipment is directly con- last sentence refers to a general notion of com- nected to a powerful computer pro- putational indistinguishability that is the heart grammed to solve the motion equa- of the entire approach. tions and output a prediction. It is To demonstrate the above, consider the fol- conceivable that in such a case Bob can lowing suggestion for a pseudorandom generator. improve substantially his guess of the The seed consists of a pair of 32-bit integers, x and outcome of the coin. N, and the 100,000-bit output is obtained by re- We conclude that the randomness of an event is peatedly squaring the current x modulo N and relative to the information and computing re- emitting the least significant bit of each interme- 2 sources at our disposal. Thus, a natural concept diate result (i.e., let xi xi1 mod N , for 5 of pseudorandomness arises: a distribution is i =1,...,10 , and output b1,b2,...,b105 , where def pseudorandom if no efficient procedure can dis- x0 = x and bi is the least significant bit of xi). This tinguish it from the uniform distribution, where process may be generalized to seeds of length n efficient procedures are associated with (proba- (here we used n =64) and outputs of length `(n) bilistic) polynomial-time algorithms. (here l(n)=105). Such a process certainly satisfies An algorithm is called polynomial-time if there items (1) and (2) above, whereas the question exists a polynomial p so that for any possible whether item (3) holds is debatable (once a rigor- input x, the algorithm runs in time bounded by ous definition is provided). Anticipating some of p(|x|), where |x| denotes the length of the string the discussion below, we mention that, under the x. Thus, the running time of such an algorithm assumption that it is difficult to factor large inte- grows moderately as a function of the length of its gers, a slight variant of the above process is indeed input. A probabilistic algorithm is one that can a pseudorandom generator.

1210 NOTICES OF THE AMS VOLUME 46, NUMBER 10 fea-goldreich.qxp 9/23/99 3:56 PM Page 1211

Computational Indistinguishability random generator (as defined next): such distrib- Intuitively, two objects are called computationally utions are computationally indistinguishable from indistinguishable if no efficient procedure can tell uniform but are not statistically indistinguishable them apart. As usual in complexity theory, an el- from uniform. egant formulation requires asymptotic analysis Definition 2. (pseudorandom generators [2, 13]). (or rather a functional treatment of the running A deterministic polynomial-time algorithm G is time of algorithms in terms of the length of their called a pseudorandom generator if there exists a input).3 Thus, the objects in question are infinite stretching function, `:N → N, so that the following sequences of distributions, where each distribution two probability ensembles, denoted {G } ∈N and has a finite support. Such a sequence will be called n n {R } ∈N, are computationally indistinguishable: a distribution ensemble. Typically, we consider n n { } distribution ensembles of the form Dn n∈N, where 1. Distribution Gn is defined as the output of G for some function ` : N → N , the support of each on a uniformly selected seed in {0, 1}n. D is a subset of {0, 1}`(n). Furthermore, typically n 2. Distribution Rn is defined as the uniform dis- ` will be a positive polynomial. For such Dn , we tribution on {0, 1}`(n). denote by e D the process of selecting e ac- n That is, letting U denote the uniform distribution cording to distribution D . Consequently, for a m n over {0, 1}m , we require that for any probabilistic predicate P, we denote by Pr [P(e)] the proba- e Dn polynomial-time algorithm A, any positive polyno- bility that P(e) holds when e is distributed (or se- mial p, and all sufficiently large n lected) according to Dn . 1 Definition 1. (computational indistinguishability PrsU [A(G(s))=1] PrrU [A(r)=1] < . n `(n) p(n) [8, 13]). Two probability ensembles, {Xn}n∈N and {Yn}n∈N , are called computationally indistin- Thus, pseudorandom generators are efficient guishable if for any probabilistic polynomial-time (i.e., polynomial-time) deterministic programs that algorithm A, any positive polynomial p, and all expand short randomly selected seeds into longer sufficiently large n pseudorandom bit sequences, where the latter are 1 defined as computationally indistinguishable from PrxX [A(x)=1] PryY [A(y)=1] < . n n p(n) truly random sequences by efficient (i.e., polyno- mial-time) algorithms. It follows that any efficient The probability is taken over Xn (resp., Yn) as well maintains its performance as over the coin tosses of algorithm A. when its internal coin tosses are substituted by a A few comments are in order. First, we have al- sequence generated by a pseudorandom genera- lowed algorithm A, which is called a distinguisher, tor. That is, to be probabilistic. This makes the requirement Construction 3. (typical application of pseudo- only stronger, and seems essential to several im- random generators). Let A be a probabilistic poly- portant aspects of our approach. Second, we view nomial-time algorithm, and let (n) denote an events occurring with probability that is upper upper bound on its randomness complexity (i.e., bounded by the reciprocal of polynomials as neg- number of coins that A tosses on n-bit inputs). Let ligible. This is well coupled with our notion of A(x, r) denote the output of A on input x and coin efficiency (i.e., polynomial-time computations): an tossing sequence r ∈{0, 1}(|x|) . Let G be a pseudo- event that occurs with negligible probability (as a random generator with stretching function function of a parameter n) will also occur with `:N → N. Then AG is a randomized algorithm that negligible probability when the experiment is re- on input x proceeds as follows. It sets k = k(|x|) to peated for poly(n)-many times. Third, when al- be the smallest integer such that `(k) (|x|), uni- lowing A in the above definition to be an arbitrary formly selects s ∈{0, 1}k , and outputs A(x, r) , function (rather than a probabilistic polynomial- where r is the (|x|)-bit long prefix of G(s). time algorithm), one obtains a notion of statisti- cal indistinguishability. The latter is equivalent to It can be shown that it is infeasible to find long requiring thatP the variation distance between Xn x’s on which the input-output behavior of AG is no- | | and Yn (i.e., z Xn(z) Yn(z) ) is negligible (in n). ticeably different from the one of A, although AG We note that computational indistinguishabil- may use much fewer coin tosses than A. This is ity is a strictly more liberal notion than statistical formulated in the proposition below, where F rep- indistinguishability (cf. [13]). An important case is resents an algorithm trying to find x’s so that A(x) the one of distributions generated by a pseudo- and AG(x) are distinguishable (by an algorithm D). 3The asymptotic (or functional) treatment is not essential Proposition 4. Let A and G be as above. For any to this approach. One may develop the entire approach in terms of inputs of fixed lengths and an adequate no- algorithm D, let A,D(x) denote the discrepancy, as tion of complexity of algorithms. However, such an al- judged by D, in the behavior of A and AG on input ternative treatment is more cumbersome. x, i.e., A,D(x) is defined as

NOVEMBER 1999 NOTICES OF THE AMS 1211 fea-goldreich.qxp 9/23/99 3:56 PM Page 1212

is a pseudorandom generator with stretch func- PrrU(n) [D(x, A(x, r))=1] 0 tion ` . PrsUk(n) [D(x, AG(x, s))=1] , How to Construct Pseudorandom Generators where the probabilities are taken over the Um’s as well as over the coin tosses of D. Then for every pair The known constructions transform computational difficulty, in the form of one-way functions (defined of probabilistic polynomial-time algorithms F and below), into pseudorandomness generators. D, every positive polynomial p, and all sufficiently Loosely speaking, a polynomial-time computable long n " # function is called one-way if any efficient algo- rithm can invert it only with negligible success n 1 1 Pr A,D(F(1 )) > < , probability. For simplicity, we consider only length- p(n) p(n) preserving one-way functions. where the probability is taken over the coin tosses Definition 6. (one-way function). A one-way func- of F. tion, f, is a polynomial-time computable function such that for every probabilistic polynomial-time al- The proposition is proven by showing that a gorithm A0, every positive polynomial p(), and all triplet (A, F, D) violating the claim can be con- sufficiently large n verted into an algorithm D0 that distinguishes the h i output of G from the uniform distribution, in con- 0 1 1 PrxU A (f (x))∈f (f (x)) < , tradiction to the hypothesis. Analogous arguments n p(n) are applied whenever one wishes to prove that an n efficient randomized process (be it an algorithm where Un is the uniform distribution over {0, 1} . as above or a multiparty computation) preserves Popular candidates for one-way functions are its behavior when one replaces true randomness based on the conjectured intractability of integer by pseudorandomness as defined above. Thus, factorization, the discrete logarithm problem, and given pseudorandom generators with large stretch- decoding of random linear code. The infeasibility ing function, one can considerably reduce the ran- of inverting f yields a weak notion of unpre- th domness complexity in any efficient application. dictability: Let bi(x) denote the i bit of x. Then, for every probabilistic polynomial-time algorithm Amplifying the Stretch Function A (and sufficiently large n), it must be the case that Pseudorandom generators as defined above are re- Pri,x[A(i,f(x)) =6 bi(x)] > 1/2n , where the probabil- quired only to stretch their input a bit; for exam- ity is taken uniformly over i ∈{1,...,n} and ple, stretching n-bit long inputs to (n +1)-bit long x ∈{0, 1}n. A stronger (and in fact the strongest outputs will do. Clearly, generators with such mod- possible) notion of unpredictability is that of a erate stretch functions are of little use in practice. hard-core predicate. Loosely speaking, a polyno- In contrast, we want to have pseudorandom gen- mial-time computable predicate b is called a hard- erators with an arbitrarily long stretch function. By core of a function f if any efficient algorithm, given the efficiency requirement, the stretch function can f (x), can guess b(x) with probability of success be at most polynomial. It turns out that pseudo- that is only negligibly better than one half. random generators with the smallest possible Definition 7. (hard-core predicate [2]). A polyno- stretch function can be used to construct pseudo- mial-time computable predicate b : {0, 1} →{0, 1} random generators with any desirable polynomial is called a hard-core of a function f if for every prob- 0 stretch function. (Thus, when talking about the abilistic polynomial-time algorithm A , every posi- existence of pseudorandom generators, we may ig- tive polynomial p(), and all sufficiently large n nore the specific stretch function.) 0 1 1 PrxUn [A (f (x))=b(x)] < + . Theorem 5. [5, Sec. 3.3.2]. Let G be a pseudoran- 2 p(n) dom generator with stretch function `(n)=n +1, 0 0 Clearly, if b is a hard-core of a 1-1 polynomial- and let ` be any stretch function such that ` (n) time computable function f, then f must be one- is computable in poly (n)-time from n. Let G (x) de- 1 way.4 It turns out that any one-way function can | | note the x -bit long prefix of G(x), and let G2(x) de- be slightly modified so that it has a hard-core note the last bit of G(x) (i.e., G(x)=G1(x) G2(x)). predicate. Then 4Functions that are not 1-1 may have hard-core predicates 0 def G (s) = 12 `0(|s|) , of an information-theoretic nature, but these are of no use to us here. For example, functions of the form f (,x)=0f 0(x) where x0 = s,i = G2(xi1), and xi = G1(xi1), (for ∈{0, 1}) have an “information theoretic” hard-core 0 for i =1,...,` (|s|) predicate b(,x)=.

1212 NOTICES OF THE AMS VOLUME 46, NUMBER 10 fea-goldreich.qxp 9/23/99 3:56 PM Page 1213

Theorem 8. (a generic hard-core [7]). Let f be an we need the other, less obvious direction. One can arbitrary one-way function, and let g be defined by show that (next-bit) unpredictability implies in- def g(x, r) =(f (x),r), where |x|=|r|. Let b(x, r) denote distinguishability from the uniform ensemble. the inner-product mod 2 of the binary vectors x and Specifically, consider the “hybrid” distributions in r. Then the predicate b is a hard-core of the func- which the ith hybrid takes the first i bits from the tion g. ensemble in question and the rest from the A proof may be found in [5, Appen. C.2]. Finally, uniform one. Thus, distinguishing the extreme we get to the construction of pseudorandom gen- hybrids implies distinguishing some neighboring erators. hybrids, which in turn implies next-bit pre- dictability (of the ensemble in question). Proposition 9. (a simple construction of pseudo- A General Condition for the Existence of random generators). Let b be a hard-core predicate of a polynomial-time computable 1-1 function f. Pseudorandom Generators def Recall that given any one-way 1-1 function, we can Then, G(s) = f (s) b(s) (i.e., f (s) followed by b(s)) easily construct a pseudorandom generator. Ac- is a pseudorandom generator. tually, the 1-1 requirement may be dropped, but In a sense, the key point in the proof of the above the currently known construction—for the gen- proposition is showing that the (obvious by defi- eral case—is quite complex. Still, we do have nition) unpredictability of the output of G implies Theorem 10. (on the existence of pseudorandom its pseudorandomness. The fact that (next-bit) unpredictability and pseudorandomness are generators [9]). Pseudorandom generators exist if equivalent in general is proven explicitly in the and only if one-way functions exist. alternative presentation below. To show that the existence of pseudorandom An Alternative Presentation generators implies the existence of one-way func- Our presentation of the construction of pseudo- tions, consider a pseudorandom generator G random generators, via Theorem 5 and Proposition with stretch function `(n)=2n. For x, y ∈{0, 1}n, 9, is different but analogous to the original con- def define f (x, y) = G(x) so that f is polynomial- struction of pseudorandom generators suggested time computable (and length-preserving). It must by Blum and Micali [2]: Given an arbitrary stretch be that f is one-way, or else one can distinguish function `:N → N and a 1-1 one-way function f with a hard-core b, one defines G(Un) from U2n by trying to invert and checking the result: Inverting f on its range distribution def refers to the distribution G(Un), whereas the prob- G(s) = b(x0)b(x1) b(x`(|s|)1) , ability that U2n has inverse under f is negligible. where x0 = s and xi = f (xi1) for i = 1,...,`(|s|) 1 . A concrete instantiation, based We assume that it is infeasible to factor integers that are the on the assumption that it is difficult to factor large product of two large primes (each congruent to 3 mod 4). Under integers, is depicted in Figure 1. The pseudoran- this assumption, squaring modulo such integers is a one-way domness of G is established in two steps using the function. Furthermore, squaring modulo such N is 1-1 over the notion of (next-bit) unpredictability. An ensemble quadratic residues mod N, and the least significant bit of the {Zn}n∈N is called unpredictable if any probabilis- argument is a corresponding hard-core [1]. tic polynomial-time machine obtaining a prefix of The following pseudorandom generator uses a polynomial- Zn fails to predict the next bit of Zn with proba- time algorithm that when fed with 4m bits generates an m-bit bility nonnegligibly higher than 1/2. number so that when the input 4m bits are uniformly distrib- Step 1. One first proves that the ensemble uted, the output is essentially an m-bit random prime (congru- n ent to 3 mod 4). {G(Un)}n∈N , where Un is uniform over {0, 1} , is (next-bit) unpredictable (from right to left) [2]. Input: An n-bit seed s = abc, where |a| = |b| =4n/10. Loosely speaking, if one can predict b(xi) from Initialization Steps: b(xi+1) b(x`(|s|)1) , then one can predict b(xi) 1. Use a to produce an n/10-bit prime p 3 mod 4 . given f (xi) (namely, by computing xi+1,...,x`(|s|)1 2. Similarly, use b to produce q 3 mod 4. and so obtaining b(xi+1) b(x`(|s|)1) ). But this 3. Multiply p and q, obtaining N. contradicts the hard-core hypothesis. 2 4. Let x0 c mod N. Step 2. Next one uses Yao’s observation by Iterations: For i =0,...,`(n) 1 which an ensemble is pseudorandom if and only if 5. Let bi be the least significant bit of xi. 2 it is (next-bit) unpredictable (cf. [4, Sec. 3.3.4]). 6. Let xi+1 xi mod N. Clearly, if one can predict the next bit in an en- Output: b0,b1, .., b`(n)1 semble, then one can distinguish this ensemble from the uniform ensemble (which is unpredictable Figure 1. A pseudorandom generator based on the regardless of computing power). However, here intractability of factoring.

NOVEMBER 1999 NOTICES OF THE AMS 1213 fea-goldreich.qxp 9/23/99 3:56 PM Page 1214

n The interesting direction is the construction of at random among all the 22 Boolean functions. pseudorandom generators based on any one-way Contrast this with a distribution over 2n sequences, function. In general (when f may not be 1-1), the en- produced by a pseudorandom generator applied semble f (Un) may not be pseudorandom, and so to a random n-bit seed, that is computationally in- Construction 9 (i.e., G(s)=f (s)b(s), where b is a distinguishable from a sequence selected uniformly hard-core of f) cannot be used directly. Instead, among all the 2poly(n) -many sequences. Still, this construction is used together with a couple of pseudorandom functions can be constructed from other ideas (cf. [9]). Unfortunately, these ideas and any pseudorandom generator. more so the details of implementing them are far too complex to be described here. Indeed, an al- Theorem 12. (how to construct pseudorandom ternative construction of pseudorandom genera- functions [6]). Let G be a pseudorandom genera- tors based on any one-way function would be most tor with stretching function `(n)=2n . Let G0(s) | | appreciated. (resp., G1(s)) denote the first (resp., last) s bits in G(s), and let Pseudorandom Functions def G (s) = G (G (G (s)) ). Pseudorandom generators allow one to efficiently |s| 21 |s| 2 1 generate long pseudorandom sequences from short |s| Then the function ensemble {fs :{0, 1} → random seeds. Pseudorandom functions (defined | | def {0, 1} s } ∈{ }, where f (x) = G (s), is pseudo- below) are even more powerful: they allow efficient s 0,1 s x ` (n)=` (n)=n direct access to a huge pseudorandom sequence random with length parameters D R . (which is infeasible to scan bit by bit). In other The above construction can be easily adapted words, pseudorandom functions can replace truly to any (polynomially bounded) length parameters random functions in any efficient application (e.g., `D,`R :N → N. most notably in ). That is, pseudo- We mention that pseudorandom functions have random functions are indistinguishable from been used to derive negative results in computa- random functions by efficient machines that may tional learning theory and in complexity theory. obtain the function values at arguments of their choice. Such machines are called oracle machines; The Applicability of Pseudorandom and if M is such a machine and f is a function, then Generators Mf (x) denotes the computation of M on input x when M’s queries are answered by the function f. Randomness is playing an increasingly important role in computation: it is frequently used in the de- Definition 11. (pseudorandom functions [6]). A sign of sequential, parallel, and distributed algo- pseudorandom function (ensemble), with length pa- rithms and is of course central to cryptography. N → N rameters `D,`R : , is a collection of functions Whereas it is convenient to design such algorithms def | | | | making free use of randomness, it is also desirable { { }`D( s ) →{ }`R( s )} F = fs : 0, 1 0, 1 s∈{0,1} to minimize the use of randomness in real imple- mentations, since generating perfectly random satisfying bits via special hardware is quite expensive. Thus, • (efficient evaluation). There exists an efficient pseudorandom generators (as defined above) are (deterministic) algorithm that when given a a key ingredient in an “algorithmic tool-box”: they seed, s, and an `D(|s|)-bit argument, x, returns provide an automatic compiler of programs writ- the `R(|s|)-bit long value fs (x). ten with free use of randomness into programs that (Thus, the seed s is an “effective description” make an economical use of randomness. of the function fs.) Indeed, “pseudo-random number generators” • (pseudorandomness). For every probabilistic appeared with the first computers. However, typ- polynomial-time oracle machine M, every posi- ical implementations use generators that are not tive polynomial p, and all sufficiently large n pseudorandom according to the above definition. Instead, at best, these generators are shown to 1 f n n pass some ad hoc statistical test (cf. [10]). However, Prf Fn [M (1 )=1] Pr Rn [M (1 )=1] < , p(n) the fact that a “pseudo-random number generator” passes some statistical tests does not mean that where F denotes the distribution on f ∈ F ob- n s it will pass a new test and that it is good for a fu- tained by selecting s uniformly in {0, 1}n and ture (untested) application. Furthermore, the ap- R denotes the uniform distribution over all n proach of subjecting the generator to some ad hoc functions mapping {0, 1}`D(n) to {0, 1}`R(n). tests fails to provide general results of the type Suppose, for simplicity, that `D(n)=n and stated above (i.e., of the form “for all practical `R(n)=1. Then a function uniformly selected purposes using the output of the generator is as among 2n functions (of a pseudorandom ensemble) good as using truly unbiased coin tosses”). In con- presents an input-output behavior indistinguishable trast, the approach encompassed in Definition 2 in poly(n)-time from the one of a function selected aims at such generality and in fact is tailored to

1214 NOTICES OF THE AMS VOLUME 46, NUMBER 10 fea-goldreich.qxp 9/23/99 3:56 PM Page 1215

obtain it: the notion of computational indistin- random ones by infinitely powerful computers guishability, which underlines Definition 2, covers (not at our disposal!). Specifically, an exponential- all possible efficient applications, postulating that time machine can easily distinguish the output of for all of them pseudorandom sequences are as a pseudorandom generator from a uniformly good as truly random ones. selected string of the same length (e.g., just by try- Pseudorandom generators and functions are of ing all possible seeds). Thus, pseudorandomness key importance in cryptography. They are typi- is subjective, dependent on the abilities of the ob- cally used to establish private-key encryption and server. authentication schemes (cf. [5, Sec. 1.5.2 & 1.6.2]). Randomness and Computational Difficulty For example, suppose that two parties share a ran- Pseudorandomness and computational difficulty dom n-bit string, s, specifying a pseudorandom play dual roles: The definition of pseudorandom- function (as in Definition 11 with `D(n)= ness relies on the fact that putting computational `R(n)=n), and that s is unknown to the adversary. restrictions on the observer gives rise to distribu- Then these parties may send encrypted messages tions that are not uniform and still cannot be to one another by XORing the message with the distinguished from uniform. Furthermore, the value of fs at a random point. That is, to encrypt construction of pseudorandom generators relies n m ∈{0, 1} , the sender uniformly selects on conjectures regarding computational difficulty ∈{ }n r 0, 1 and sends (r,m fs (r)) to the receiver. (i.e., the existence of one-way functions), and this The security of this encryption scheme relies on is inevitable: given a pseudorandom generator, we the fact that for every computationally feasible ad- can construct one-way functions. Thus, nontrivial versary (not only to adversary strategies that were pseudorandomness and computational difficulty envisioned and tested) the values of the function can be converted back and forth. fs on such r’s look random. Generalization The Intellectual Contents of Pseudorandomness as surveyed above can be Pseudorandom Generators viewed as an important special case of a general We shortly discuss some intellectual aspects of paradigm. A generic formulation of pseudoran- pseudorandom generators as defined above. dom generators consists of specifying three fun- Behavioristic versus Ontological damental aspects—the stretching measure of the Our definition of pseudorandom generators is generators, the class of distinguishers that the based on the notion of computational indistin- generators are supposed to fool (i.e., the algo- guishability. The behavioristic nature of the latter rithms with respect to which the computational in- notion is best demonstrated by confronting it with distinguishability requirement should hold), and the the Kolmogorov-Chaitin approach to randomness. resources that the generators are allowed to use Loosely speaking, a string is Kolmogorov-random (i.e., their own computational complexity). In the if its length equals the length of the shortest pro- above presentation we focused on polynomial- gram producing it. This shortest program may be time generators (thus having polynomial stretch- considered the “true explanation” to the phe- ing measure) that fool any probabilistic polynomial- nomenon described by the string. A Kolmogorov- time observers. A variety of other cases are of random string is thus a string that does not have interest too, and we briefly discuss some of them. a substantially simpler (i.e., shorter) explanation For more details see [5]. than itself. Considering the simplest explanation Weaker Notions of Computational of a phenomenon may be viewed as an ontologi- Indistinguishability cal approach. In contrast, considering the effect of Whenever the aim is to replace random sequences phenomena (on an observer) as underlying the de- utilized by an algorithm with pseudorandom ones, finition of pseudorandomness is a behavioristic ap- one may try to capitalize on knowledge of the tar- proach. Furthermore, there exist probability dis- get algorithm. Above we have merely used the fact tributions that are not uniform (and are not even that the target algorithm runs in polynomial-time. statistically close to a uniform distribution) but nev- However, if we know for example, that the algo- ertheless are indistinguishable from a uniform rithm uses very little workspace, then we may be distribution by any efficient procedure. Thus, dis- able to do better. Similarly we may be able to do tributions that are ontologically very different are better if we know that the analysis of the algorithm considered equivalent by the behavioristic point of depends only on some specific properties of the view taken in the definitions above. random sequence it uses (e.g., pairwise indepen- A Relativistic View of Randomness dence of its elements). In general, weaker notions Pseudorandomness is defined above in terms of of computational indistinguishability such as fool- its observer. It is a distribution that cannot be told ing space-bounded algorithms, constant-depth apart from a uniform distribution by any efficient circuits, and even specific tests (e.g., testing pair- (i.e., polynomial-time) observer. However, pseudo- wise independence of the sequence) arise naturally. random sequences may be distinguished from Generators producing sequences that fool such

NOVEMBER 1999 NOTICES OF THE AMS 1215 fea-goldreich.qxp 9/23/99 3:56 PM Page 1216

tests are useful in a variety of applications; if the [6] O. GOLDREICH, S. GOLDWASSER, and S. MICALI, How to con- application utilizes randomness in a restricted struct random functions, J. ACM 33 (1986), 792–807. way, then feeding it with sequences of low ran- [7] O. GOLDREICH and L. A. LEVIN, Hard-core predicates for domness quality may do. Needless to say, the au- any one-way function, 21st ACM Symposium on the Theory of Computing, 1989, pp. 25–32. thor advocates a rigorous formulation of the char- [8] S. GOLDWASSER and S. MICALI, Probabilistic encryption, acteristics of such applications and rigorous J. Comput. System Sci. 28 (1984), 270–299. constructions of generators that fool the type of [9] J. HASTAD, R. IMPAGLIAZZO, L. A. LEVIN, and M. LUBY, A tests that emerge. pseudorandom generator from any one-way func- Alternative Notions of Generator Efficiency tion, SIAM J. Comput. 28 (1999), 1364–1396. The previous paragraph has focused on one aspect [10] D. E. KNUTH, Seminumerical Algorithms, The Art of Computer Programming, Vol. 2, Addison-Wesley, of the pseudorandomness question: the resources Reading, MA,1969; second edition, 1981. or type of the observer (or potential distinguisher). [11] L. A. LEVIN, Randomness conservation inequalities: Another important question is whether such Information and independence in mathematical the- pseudorandom sequences can be generated from ories, Inform. and Control 61 (1984), 15–37. much shorter ones and at what cost (or complex- [12] M. LI and P. VITANYI, An Introduction to Kolmogorov ity). Throughout this essay we have required the Complexity and Its Applications, Springer-Verlag, generation process to be at least as efficient as the New York, 1993. [13] A. C. YAO, Theory and application of trapdoor func- efficiency limitations of the distinguisher.5 This tions, 23rd IEEE Symposium on Foundations of Com- seems indeed “fair” and natural. Allowing the gen- puter Science, 1982, pp. 80–91. erator to be more complex (i.e., use more time or space resources) than the distinguisher seems un- fair but still yields interesting consequences in the context of trying to “de-randomize” random- ized complexity classes. For example, one may consider generators working in time exponential in the length of the seed. In some cases we lose nothing by using such a relaxation (i.e., allowing exponential-time generators). To see why, we con- sider a typical derandomization argument, pro- ceeding in two steps: First one replaces the true randomness of the algorithm by pseudorandom se- quences generated from much shorter seeds, and next one goes deterministically over all possible seeds and looks for the most frequent behavior of the modified algorithm. In such a case the deter- ministic complexity is anyhow exponential in the seed length. The benefit is that constructing exponential-time generators may be easier than constructing polynomial-time ones.

References [1] W. ALEXI, B. CHOR, O. GOLDREICH, and C. P. SCHNORR, RSA/Rabin functions: Certain parts are as hard as the whole, SIAM J. Comput. 17 (1988), 194–209. [2] M. BLUM and S. MICALI, How to generate crypto- graphically strong sequences of pseudo-random bits, SIAM J. Comput. 13 (1984), 850–864. [3] T. M. COVER and G. A. THOMAS, Elements of Informa- tion Theory, Wiley, New York, 1991. [4] O. GOLDREICH, Foundation of Cryptography—Frag- ments of a Book, February 1995, available from http://theory.lcs.mit.edu/~oded/frag.html. [5] ———, Modern Cryptography, Probabilistic Proofs and Pseudorandomness, Algorithms and Combinatorics, vol. 17, Springer-Verlag, New York, 1998.

5In fact, we have required the generator to be more effi- cient than the distinguisher: the former was required to be a fixed polynomial-time algorithm, whereas the latter was allowed to be any algorithm with polynomial running time.

1216 NOTICES OF THE AMS VOLUME 46, NUMBER 10