Texts in Computational Complexity

Pseudorandom Generators

Oded Goldreich

Department of Computer Science and Applied Mathematics

Weizmann Institute of Science Rehovot Israel

January

Indistinguishable things are identical

GW Leibniz

A fresh view at the question of randomness has b een taken in the theory of computing It has

b een p ostulated that a distribution is pseudorandom if it cannot b e told apart from the uniform

distribution by any ecient pro cedure The paradigm originally asso ciating ecient pro cedures

with p olynomialtime algorithms has b een applied also with resp ect to a variety of limited classes

of such distinguishing pro cedures

At the extreme this approach says that the question of whether the world is deterministic or

allows for some free choice which may b e viewed as sources of randomness is irrelevant What

matters is how the world looks to us and to various computationally bounded devices That is if

some phenumenon lo oks random then we may just treat it as if it were random Likewise if we

can generate sequences that cannot b e told apart from the uniform distribution by any ecient

pro cedure then we can use these sequences in any ecient randomized application instead of the

ideal random bits that are p ostulated in the design of this application

Summary A generic formulation of pseudorandom generators consists of sp ecifying

three fundamental asp ects the stretch measure of the generators the class of dis

tinguishers that the generators are supp osed to fo ol ie the algorithms with resp ect

to which the computational indistinguishability requirement should hold and the re

sources that the generators are allowed to use ie their own computational complexity

The archetypical case of pseudorandom generators refers to ecient generators that

fo ol any feasible pro cedure that is the p otential distinguisher is any probabilistic

p olynomialtime algorithm which may b e more complex than the generator itself which

in turn has timecomplexity b ounded by a xed p olynomial These generators are

called generalpurp ose b ecause their output can b e safely used in an ecient appli

cation Such generalpurp ose pseudorandom generators exist if and only if oneway

functions exist

This is the Principle of Identity of Indiscernibles Leibniz admits that counterexamples to this principle are

conceivable but will not o ccur in real life b ecause Go d is much to o b enevolent We thus b elieve that he would have

agreed to the theme of this text which asserts that indistinguishable things should be considered as identical

For purp oses of derandomization one may use pseudorandom generators that are some

what more complex than the p otential distinguisher which represents the algorithm to

b e derandomized Following this approach suitable pseudorandom generators which

can b e constructed assuming the existence of problems in E that have no subexp onential

size circuits yield a full derandomization of BPP ie BPP P

It is also b enecial to consider pseudorandom generators that fo ol spaceb ounded dis

tinguishers and generators that exhibit some limited random b ehavior eg outputting

a pairwise indep endent or a smallbias sequence

Contents

Introduction

The General Paradigm

GeneralPurp ose Pseudorandom Generators

The basic denition

The archetypical application

Computational Indistinguishability

Amplifying the stretch function

Constructions

Nonuniformly strong pseudorandom generators

Other variants and a conceptual discussion

Stronger notions

Conceptual Discussion

Derandomization of timecomplexity classes

Denition

Construction

Variants and a conceptual discussion

Space Pseudorandom Generators

Denitional issues

Two constructions

Overviews of the pro ofs of Theorems and

Derandomization of spacecomplexity classes

Sp ecial Purp ose Generators

PairwiseIndependence Generators

Constructions

Applications

SmallBias Generators

Constructions

Applications

Random Walks on Expanders

Notes

Exercises

Bibliography

Introduction

The second half of this century has witnessed the development of three theories of randomness a

notion which has b een puzzling thinkers for ages The rst theory cf initiated by Shan

non is ro oted in probability theory and is fo cused at distributions that are not p erfectly

random Shannons Information Theory characterizes p erfect randomness as the extreme case in

which the information contents is maximized ie there is no redundancy at all Thus p erfect

randomness is asso ciated with a unique distribution the uniform one In particular by denition

one cannot deterministically generate such p erfect random strings from shorter random seeds

The second theory cf due to Solomonov Kolmogorov and Chaitin

is ro oted in computability theory and sp ecically in the notion of a universal language equiv

universal machine or computing device It measures the complexity of ob jects in terms of the

shortest program for a xed universal machine that generates the ob ject Like Shannons theory

Kolmogorov Complexity is quantitative and p erfect random ob jects app ear as an extreme case

However in this approach one may say that a single ob ject rather than a distribution over ob

jects is p erfectly random Still Kolmogorovs approach is inherently intractable ie Kolmogorov

Complexity is uncomputable and by denition one cannot deterministically generate strings

of high Kolmogorov Complexity from short random seeds

The third theory is ro oted in complexity theory and is the fo cus of this text This approach is

explicitly aimed at providing a notion of randomness that nevertheless allows for an ecient and

deterministic generation of random strings from shorter random seeds The heart of this approach

is the suggestion to view ob jects as equal if they cannot b e told apart by any ecient pro cedure

Consequently a distribution that cannot b e eciently distinguished from the uniform distribution

will b e considered as b eing random or rather called pseudorandom Thus randomness is not

an inherent prop erty of ob jects or distributions but is rather relative to an observer and

its computational abilities To demonstrate this approach let us consider the following mental

exp eriment

Alice and Bob play head or tail in one of the following four ways In each of them

Alice ips an unbiased coin and Bob is asked to guess its outcome before the coin hits

the o or The alternative ways dier by the knowledge Bob has b efore making his guess

In the rst alternative Bob has to announce his guess b efore Alice ips the coin Clearly

in this case Bob wins with probability

In the second alternative Bob has to announce his guess while the coin is spinning in

the air Although the outcome is determined in principle by the motion of the coin

Bob do es not have accurate information on the motion and thus we b elieve that also in

this case Bob wins with probability

The third alternative is similar to the second except that Bob has at his disp osal

sophisticated equipment capable of providing accurate information on the coins motion

as well as on the environment eecting the outcome However Bob cannot pro cess this

information in time to improve his guess

In the fourth alternative Bobs recording equipment is directly connected to a powerful

computer programmed to solve the motion equations and output a prediction It is

conceivable that in such a case Bob can improve substantially his guess of the outcome

of the coin

We conclude that the randomness of an event is relative to the information and computing resources

at our disp osal Thus a natural concept of pseudorandomness arises a distribution is pseudo

random if no ecient pro cedure can distinguish it from the uniform distribution where ecient

pro cedures are asso ciated with probabilistic p olynomialtime algorithms This notion of pseudo

randomness is indeed the most fundamental one and much of this text is fo cused on it Weaker

notions of pseudorandomness arise as well they refer to indistinguishability by weaker pro cedures

such as spaceb ounded algorithms constantdepth circuits etc Stretching this approach even fur

ther one may consider algorithms that are designed on purp ose so not to distinguish even weaker

forms of pseudorandom sequences from random ones such algorithms arise naturally when trying

to convert some natural randomized algorithm into deterministic ones see Section

The foregoing discussion has fo cused at one asp ect of the pseudorandomness question the

resources or type of the observer or p otential distinguisher Another imp ortant asp ect is whether

such pseudorandom sequences can b e generated from much shorter ones and at what cost or

complexity A natural approach is that the generation pro cess has to b e at least as ecient

as the distinguisher equiv that the distinguisher is allowed at least as much resources as the

generator Coupled with the aforementioned strong notion of pseudorandomness this yields the

archetypical notion of pseudorandom generators these op erating in p olynomialtime and pro duc

ing sequences that are indistinguishable from uniform ones by any p olynomialtime observer Such

generalpurp ose pseudorandom generators allow to reduced the randomness complexity of any

ecient application and are thus of great relevance to randomized algorithms and cryptography

see Section

seed output sequence Gen ?

a truly random sequence

Figure Pseudorandom generators an illustration

We stress that there are imp ortant reasons for considering also an alternative that seems less

natural that is allowing the pseudorandom generator to use more resources eg time or space

than the observer it tries to fo ol This alternative is natural in the context of derandomization ie

converting randomized algorithms to deterministic ones where the crucial step is replacing the

random input of an algorithm by a pseudorandom input which in turn can b e generated based on

a much shorter random seed In particular when derandomizing a probabilistic p olynomialtime

algorithm the observer to b e fo oled by the genewrator is a xed algorithm In this case employing

a more complex generator merely means that the complexity of the derived deterministic algorithm

is dominated by the complexity of the generator rather than by the complexity of the original

randomized algorithm Needless to say allowing the generator to use more resources than the

observer it tries to fo ol makes the task of designing pseudorandom generators easier and enables

derandomization results that are not known when using generalpurp ose pseudorandom generators

The usefulness of this approach is demonstrated in Sections through

We note that the goal of all types of pseudorandom generators is to allow the generation

of suciently random sequences based on much shorter random seeds Thus pseudorandom

generators oer signicant saving in the randomness complexity of various applications This saving

is valuable b ecause many applications are severly limited in their ability to generate or obtain truly

random bits Furthermore typically generating truly random bits is signicantly more exp ensive

than standard computation steps Thus randomness is a computational resource that should b e

considered on top of time complexity analogously to the consideration of space complexity

Organization In Section we present the general paradigm underlying the various notions of

pseudorandom generators The archetypical case of generalpurp ose pseudorandom generators is

presented in Section We then turn to the alternative notions of pseudorandom generators Gen

erators that suce for the derandomization of complexity classes such as BPP are discussed in

Section Pseudorandom generators in the domain of spaceb ounded computations are discussed

in Section and sp ecialpurp ose generators are discussed in Section For an alternative presen

tation which fo cuses on generalpurp ose pseudorandom generators and provides more details on

it the reader is referred to Chap

Teaching note If you can aord teaching only one of the alternative notions of pseudo

random generators then we suggest teaching the notion of generalpurp ose pseudoran

dom generators presented in Section Our reasons b eing that this notion is relevant

to computer science at large and that the technical material is relatively simpler The

text is organized to facilitate this option

Prerequisites We assume a basic familiarity with elementary probability theory and randomized

algorithms In particular standard conventions regarding random variables will b e extensively used

The General Paradigm

Teaching note We advocate a unied view of various notions of pseudorandom gener

ators That is we view these notions as incarnations of a general abstract paradigm to

b e presented in this section A teacher that wishes to fo cus on one of the sp ecial cases

may still use this section as a general motivation towards the sp ecic denitions used

later

A generic formulation of pseudorandom generators consists of sp ecifying three fundamental as

p ects the stretch measure of the generators the class of distinguishers that the generators are

supp osed to fo ol ie the algorithms with resp ect to which the computational indistinguishability

requirement should hold and the resources that the generators are allowed to use ie their own

computational complexity

Stretch function A necessary requirement from any notion of a pseudorandom generator is

that it is a deterministic algorithm that stretches short strings called seeds into longer output

sequences Sp ecically it stretches k bit long seeds into k bit long outputs where k k The

function N N is called the stretch measure or stretch function In some settings the sp ecic

stretch measure is immaterial eg see Section

Computational Indistinguishability A necessary requirement from any notion of a pseudo

random generator is that it fo ols some nontrivial algorithms That is any algorithm taken from

some class of interest cannot distinguish the output pro duced by the generator when the generator

is fed with a uniformly chosen seed from a uniformly chosen sequence Typically we consider a

class D of distinguishers and a class F of threshold functions and require that the generator G

satises the following For any D D any f F and for all suciently large k s

j Pr D GU Pr D U j f k

k

k

n

where U denotes the uniform distribution over f g and the probability is taken over U resp

n

k

U as well as over the coin tosses of algorithm D in case it is probabilistic The reader may

k

think of such a distinguisher D as trying to tell whether the tested string is a random output

of the generator ie distributed as GU or is a truly random string ie distributed as U

k

k

The condition in Eq requires that D cannot make a meaningful decision that is ignoring a

negligible dierence represented by f k D s verdict is the same in b oth cases The archetypical

choice is that D is the set of all probabilistic p olynomialtime algorithms and F is the set of all

functions that are the recipro cal of some p ositive p olynomial

Complexity of Generation The archetypical choice is that the generator has to work in

p olynomialtime in length of its input the seed Other choices will b e discussed as well We

note that placing no computational requirements on the generator or alternatively putting very

mild requirements such as a doubleexp onential runningtime upp er b ound yields generators

that can fo ol any sub exp onentialsize circuit family see Exercise

Notational conventions We will consistently use k to denote the length of the seed of a pseu

dorandom generator and k to denote the length of the corresp onding output In some cases this

makes our presentation a little more cumbersome as a natural presentation may sp ecify some other

parameters and let the seedlength b e a function of these However our choice has the advantage

of fo cusing attention on the fundamental parameter of pseudorandom generation the length of

the random seed We note that whenever a pseudorandom generator is used to derandomize

an algorithm n will denote the length of the input to this algorithm and k will b e selected as a

function of n

Some instantiations of the general paradigm Two imp ortant instantiations of the notion

of pseudorandom generators relate to probabilistic p olynomialtime observers

Generalpurp ose pseudorandom generators corresp ond to the case that the generator itself

runs in p olynomial time and needs to withstand any probabilistic polynomialtime distin

guisher including distinguishers that run for more time than the generator Thus the same

generator may b e used safely in any ecient application

In contrast pseudorandom generators intended for derandomization may run more time than

the distinguisher which is viewed as a xed circuit having size that is upp erb ounded by a

xed p olynomial

The class of threshold functions F should b e viewed as determining the class of noticeable probabilities as a

function of k Thus we require certain functions ie the absolute dierence b etween the ab ove probabilities to

b e smaller than any noticeable function on al l but nitely many integers We call the former functions negligible

Note that a function may b e neither noticeable nor negligible eg it may b e smaller than any noticeable function

on innitely many values and yet larger than some noticeable function on innitely many other values

In addition the general paradigm may b e instantiated by fo cusing on the space complexity of the

p otential distinguishers and the generator rather than on their time complexity Furthermore

one may also consider distinguishers that merely reect probabilistic prop erties such as pairwise

indep endence smallbias and hitting frequency

GeneralPurp ose Pseudorandom Generators

Randomness is playing an increasingly imp ortant role in computation It is frequently used in the

design of sequential parallel and distributed algorithms and it is of course central to cryptography

Whereas it is convenient to design such algorithms making free use of randomness it is also desirable

to minimize the usage of randomness in real implementations Thus generalpurp ose pseudorandom

generators as dened next are a key ingredient in an algorithmic to olb ox they provide an

automatic compiler of programs written with free usage of randomness into programs that make

an economical use of randomness

The basic denition

Lo osely sp eaking generalpurp ose pseudorandom generators are ecient ie p olynomialtime

deterministic programs that expand short randomly selected seeds into longer pseudorandom bit

sequences where the latter are dened as computationally indistinguishable from truly random se

quences by any ecient ie p olynomialtime algorithm Thus the distinguisher is more complex

than the generator The generator is a xed algorithm working within some xed p olynomialtime

whereas a p otential distinguisher is any algorithm that runs in p olynomialtime Thus for example

the distinguisher may always run in time cubic in the runningtime of the generator Furthermore

to facilitate the development of this theory we allow the distinguisher to b e probabilistic whereas

the generator remains deterministic as ab ove We require that such distinguishers cannot tell the

output of the generator from a truly random string of similar length or rather that the dierence

that such distinguishers may detect or sense is negligible Here a negligible function is one that

vanishes faster than the recipro cal of any p ositive p olynomial

Denition generalpurp ose pseudorandom generator A deterministic polynomialtime algo

rithm G is called a pseudorandom generator if there exists a stretch function N N satisfying

k k for all k such that for any probabilistic polynomialtime algorithm D for any positive

polynomial p and for al l suciently large k s

j Pr D GU Pr D U j

k

k

pk

n

where U denotes the uniform distribution over f g and the probability is taken over U resp

n

k

U as wel l as over the internal coin tosses of D

k

Thus Denition is derived from the generic framework presented in Section by taking the

class of distinguishers to b e the set of all probabilistic p olynomialtime algorithms and taking the

class of noticeable threshold functions to b e the set of all functions that are the recipro cals of

some p ositive p olynomial The latter choice is naturally coupled with the asso ciation of ecient

Denition requires that the distinguishing gap of certain algorithms must b e smaller than the recipro cal of any

p ositive p olynomial for all but nitely many k s Such functions are called negligible see Footnote The notion

of negligible probability is robust in the sense that an event which o ccurs with negligible probability o ccurs with

negligible probability also when the exp eriment is rep eated a feasible ie p olynomial number of times

computation with p olynomialtime algorithms An event that o ccurs with noticeable probability

o ccurs almost always when the exp eriment is rep eated a feasible ie p olynomial number of

times

We note that Denition do es not make any requirement regarding the stretch function

N N except for the generic requirement that k k for all k Needless to say the larger

is the more useful is the pseudorandom generator In Section we show how to use any pseudo

random generator even one with minimal stretch k k in order to obtain a pseudorandom

generator of any desired p olynomial stretch function But b efore going so we rigorously discuss the

reduction in randomness oered by pseudorandom generators and the notion of computational

indistinguishability underlying Denition

The archetypical application

We note that pseudorandom number generators app eared with the rst computers However

typical implementations use generators that are not pseudorandom according to Denition In

stead at b est these generators are shown to pass some adho c statistical test cf We warn

that the fact that a pseudorandom number generator passes some statistical tests do es not

mean that it will pass a new test and that it will b e go o d for a future untested application

Furthermore the approach of sub jecting the generator to some adho c tests fails to provide general

results of the form for al l practical purp oses using the output of the generator is as go o d as using

truly unbiased coin tosses In contrast the approach encompassed in Denition aims at such

generality and in fact is tailored to obtain it The notion of computational indistinguishability

which underlines Denition covers all p ossible ecient applications guaranteeing that for all of

them pseudorandom sequences are as go o d as truly random ones Indeed any ecient randomized

algorithm maintains its p erformance when its internal coin tosses are substituted by a sequence

generated by a pseudorandom generator That is

Construction typical application of pseudorandom generators Let G be a pseudorandom

generator with stretch function N N Let A be a probabilistic algorithm and n denote a

p olynomial upper bound on its randomness complexity Denote by Ax r the output of A on

jxj

input x and coin tosses sequence r f g Consider the fol lowing randomized algorithm

denoted A

G

On input x set k k jxj to be the smal lest integer such that k jxj uniformly

k

select s f g and output Ax r where r is the jxjbit long prex of Gs

That is A x s Ax G s for jsj k jxj argmin fi jxjg where G s is the

G

i

jxjbit long prex of Gs

Thus using A instead of A the randomness complexity is reduced from to while as

G

we show next it is infeasible to nd inputs ie xs on which the noticeable behavior of A is

G

dierent from the one of A For example if k k then the randomness complexity is reduced

p

We stress that the pseudorandom generator G is universal that is it can b e applied from to

to reduce the randomness complexity of any probabilistic p olynomialtime algorithm A

Prop osition Let A and G be as in Construction and suppose that N N is Then

for every pair of probabilistic polynomialtime algorithms a nder F and a distinguisher D every

positive polynomial p and al l suciently long ns

X

n

Pr F x j x j

AD

pn

n

xfg

def

where x Pr D x Ax U Pr D x A x U and the probabilities

AD G

jxj k jxj

are taken over the U s as wel l as over the coin tosses of F and D

m

Algorithm F represents a p otential attempt to nd an input x on which the output of A is distin

G

guishable from the output of A This attempt may b e b enign as in the case that a user employs

algorithm A on inputs that are generated by some probabilistic p olynomialtime application

G

However the attempt may also b e adversarial as in the case that a user employs algorithm A on

G

inputs that are provided by a p otentially malicious party The p otential distinguisher denoted D

represents the p otential use of the output of algorithm A and captures the requirement that this

G

output b e as go o d as a corresp onding output pro duced by A Thus D is given x as well as the

def

corresp onding output pro duced either by A x Ax U or by Ax Ax U and it is

G

k n n

required that D cannot tell the dierence In the case that A is a probabilistic p olynomialtime

decision procedure this means that it is infeasible to nd an x on which A decides incorrectly ie

G

dierently than A In the case that A is a search procedure for some NPrelation it is infeasible

to nd an x on which A outputs a wrong solution For details see Exercise

G

Pro of The prop osition is proven by showing that any triplet A F D violating the claim can b e

converted into an algorithm D that distinguishes the output of G from the uniform distribution in

contradiction to the hypothesis The key observation is that x equals Pr D x Ax U

AD

n

Pr D x Ax G U where G s is the nbit long prex of Gs Details follow

k n

n

On input r taken from either U or GU algorithm D rst obtains x F where

k n k n

n

n can b e obtained easily from jr j b ecause is and n is computable via A Next D

obtains y Ax r where r is the jxjbit long prex of r Finally D outputs D x y Note

that D is implementable in probabilistic p olynomialtime and that

def

n

D U D X AX U where X F

n n n

n n

def

n

D G U D X AX G U where X F

n n n

k n k n

n

It follows that j Pr D U Pr D GU j equals E F which implies

AD

k n k n

n n

a weaker version of the prop osition referring to E F rather than to Ej F j

AD AD

n n

In order to prove that Ej F j rather than to E F is negligible we need to

AD AD

n

mo dify D a little We start by assuming towards the contradiction that Ej F j n

AD

for some nonnegligible function On input r taken from either U or GU the mo died

k n k n

n

algorithm D rst obtains x F as b efore Next using a sample of size p oly nn

def def

it approximates p x Pr D x Ax U and p x Pr D x Ax G U

U G

n k n

such that each probability is approximated to within a deviation of n with negligible error

probability say expn Note that so far the actions of D only dep end on the length of its

input r which determines n If these approximations indicate that p x p x equiv that

U G

then D outputs D x Ax r else it outputs D x Ax r where r is the jxjbit

AD

long prex of r and we assume without loss of generality that the output of D is in f g It follows

that

n n

Pr D U jF x Pr D G U jF x

n k n

n

expn jp x p xj

U G

where the n term is due to the maximal typical deviation ie n of our approximation

of p x p x and the expn term is due to the rare case that our approximation errs

U G

by more than n Thus Pr D U Pr D GU is lowerbounded by

k n k n

n

Ej F j n expn n and the prop osition follows

AD

Conclusion Analogous arguments are applied whenever one wishes to prove that an ecient

randomized pro cess b e it an algorithm as ab ove or a multiparty computation preserves its b e

havior when one replaces true randomness by pseudorandomness as dened ab ove Thus given a

pseudorandom generator with a large stretch function one can considerably reduce the randomness

complexity in any ecient application

Computational Indistinguishability

In this section we sp ellout and study the denition of computational indistinguishability that

underlies Denition The general denition of computational indistinguishability refers to arbi

trary probability ensembles where a probability ensemble is an innite sequence of random variables

fZ g such that each Z ranges over strings of length b ounded by a p olynomial in n We say

n n

nN

that fX g and fY g are computationally indistinguishable if for every feasible algorithm A

n n

nN nN

def

the dierence d n jPr AX Pr AY j is a negligible function in n That is

A n n

Denition computational indistinguishability We say that the probability ensembles fX g

n

nN

and fY g are computationally indistinguishable if for every probabilistic polynomialtime algo

n

nN

rithm D every positive polynomial p and al l suciently large n

jPr D X Pr D Y j

n n

pn

where the probabilities are taken over the relevant distribution ie either X or Y and over the

n n

internal coin tosses of algorithm D The lhs of Eq when viewed as a function of n is often

called the distinguishing gap of D where fX g and fY g is understood from the context

n n

nN nN

That is we can think of D as someb o dy who wishes to distinguish two distributions based on a

sample given to it and think of as D s verdict that the sample was drawn according to the rst

distribution Saying that the two distributions are computationally indistinguishable means that

if D is a feasible pro cedure then its verdict is not really meaningful b ecause the verdict is almost

as often when the input is drawn from the rst distribution as when the input is drawn from

the second distribution We comment that the absolute value in Eq can b e omitted without

aecting the denition see Exercise and we will often do so without warning

In Denition we required that the probability ensembles fGU g and fU g b e

k

k N k N

k

computationally indistinguishable Indeed an imp ortant sp ecial case of Denition is when one

ensemble is uniform and in such a case we call the other ensemble pseudorandom

Nontriviality of Computational Indistinguishability Clearly any two probability ensem

bles that are statistically close are computationally indistinguishable Needless to say this is a

trivial case of computational indistinguishability which is due to information theoretic reasons In

contrast as noted in Section there exist probability ensembles that are statistically far apart and

yet are computationally indistinguishable see Exercise However at least one of the probability

Two probability ensembles fX g and fY g are said to b e statistically close if for every p ositive p oly

n n

nN nN

P

nomial p and sucient large n the variation distance b etween X and Y ie jPr X z Pr Y z j is

n n n n

z

b ounded ab ove by pn

ensembles in Exercise is not p olynomialtime constructible One nontrivial case of computa

tional indistinguishability in which b oth ensembles are p olynomialtime constructible is provided

by the denition of pseudorandom generators see Exercise As we shall see in Theorem

the existence of oneway functions implies the existence of pseudorandom generators which in turn

implies the existence of polynomialtime constructible probability ensembles that are statistically

far apart and yet are computationally indistinguishable We mention that this sucient condition

is also necessary see Exercise

Indistinguishability by Multiple Samples

The denition of computational indistinguishability ie Denition refers to distinguishers that

obtain a single sample from one of the two probability ensembles ie fX g and fY g A

n n

nN nN

more general denition refers to distinguishers that obtain several indep endent samples from such

an ensemble

Denition indistinguishability by multiple samples Let s N N be polynomiallybounded

Two probability ensembles fX g and fY g are computationally indistinguishable by s

n n

nN nN

samples if for every probabilistic polynomialtime algorithm D every positive polynomial p and

al l suciently large ns

h i h i

sn sn

Pr D X X Pr D Y Y

n n n n

pn

sn sn

where X through X and Y through Y are independent random variables with each

n n n n

i i

X identical to X and each Y identical to Y

n n

n n

It turns out that in the most interesting cases computational indistinguishability by a single sample

implies computational indistinguishability by any p olynomial number of samples One such case

is the case of p olynomialtime constructible ensembles We say that the ensemble fZ g is

n

nN

n

p olynomialtime constructible if there exists a p olynomialtime algorithm S so that S and Z

n

are identically distributed

def def

Prop osition Suppose that X fX g and Y fY g are both polynomialtime con

n n

nN nN

structible and s be a polynomial Then X and Y are computationally indistinguishable by a single

sample if and only if they are computationally indistinguishable by s samples

Clearly for every p olynomial s computational indistinguishability by s samples implies compu

tational indistinguishability by a single sample We now prove that for eciently constructible

distributions indistinguishability by a single sample implies indistinguishability by multiple sam

ples The pro of provides a simple demonstration of a central pro of technique known as the hybrid

technique

Pro of Sketch To prove that a sequence of indep endently drawn samples of one distribution

is indistinguishable from a sequence of indep endently drawn samples from the other distribution

th

we consider hybrid sequences such that the i hybrid consists of i samples taken from the rst

distribution and the rest taken from the second distribution The homogeneous sequences which

we wish to prove to b e computational indistinguishable are the extreme hybrids ie the rst and

last hybrids considered ab ove The key observation is that distinguishing the extreme hybrids

For more details see Sec

towards the contradiction hypothesis means distinguishing neighboring hybrids which in turn

yields a pro cedure for distinguishing single samples of the two original distributions contradicting

the hypothesis that these two distributions are indistinguishable by a single sample Details follow

Supp ose that D distinguishes sn samples of one distribution from sn samples of the other

sn i i

th i i

Y Y X with a distinguishing gap of n Denoting the i hybrid by H ie H X

n n n n

n n

sn

with gap n Then D this means that D distinguishes the extreme hybrids ie H and H

n

n

th

distinguishes a random pair of neighboring hybrids ie D distinguishes the i hybrid from the

st

i hybrid for a randomly selected i with gap at least nsn The reason b eing that

h i

i i

Pr D H Pr D H E

ifsng

n n

sn

X

i i

Pr D H Pr D H

n n

sn

i

n

sn

Pr D H Pr D H

n n

sn sn

Using D we obtain a distinguisher D of single samples Given a single sample D selects i

f sn g at random generates i samples from the rst distribution and sn i samples

from the second distribution and invokes D with the snsamples sequence obtained when placing

the input sample in lo cation i Thus the construction of D relies on the hypothesis that b oth

proabbility ensembles are p olynomialtime constructible In analyzing D observe that when the

single sample ie the input to D is taken from the rst resp second distribution algorithm D

st th

invokes D on the i hybrid resp i hybrid Thus the distinguishing gap of D is captured

by Eq and the claim follows

The hybrid technique a digest The hybrid technique constitutes a sp ecial type of a re

ducibility argument in which the computational indistinguishability of complex ensembles is proven

using the computational indistinguishability of basic ensembles The actual reduction is in the other

direction eciently distinguishing the basic ensembles is reduced to eciently distinguishing the

complex ensembles and hybrid distributions are used in the reduction in an essential way The

following three prop erties of the construction of the hybrids play an imp ortant role in the argument

The extreme hybrids collide with the complex ensembles this prop erty is essential b ecause

what we want to prove ie the indistinguishability of the complex ensembles relates to the

complex ensembles

Neighboring hybrids are easily related to the basic ensembles this prop erty is essential b ecause

what we know ie the indistinguishability of the basic ensembles relates to the basic ensem

bles We need to b e able to translate our knowledge ie computational indistinguishability

of the basic ensembles to knowledge ie computational indistinguishability of any pair of

neighboring hybrids Typically it is required to eciently transform strings in the range of

a basic distribution into strings in the range of a hybrid so that the transformation maps

the rst basic distribution to one hybrid and the second basic distribution to the neighboring

hybrid In the pro of of Prop osition the hypothesis that b oth X and Y are p olynomialtime

constructible is instrumental for such an ecient transformation

The number of hybrids is smal l ie p olynomial this prop erty is essential in order to deduce

the computational indistinguishability of extreme hybrids from the computational indistin

guishability of each pair of neighboring hybrids Typically the provable distinguishability

gap is inversely prop ortional to the number of hybrids Indeed see Eq

We remark that in the course of an hybrid argument a distinguishing algorithm referring to the

complex ensembles is b eing analyzed and even invoked on arbitrary hybrids The reader may b e

annoyed of the fact that the algorithm was not designed to work on such hybrids but rather

only on the extreme hybrids However an algorithm is an algorithm once it exists we can invoke

it on inputs of our choice and analyze its p erformance on arbitrary input distributions

Amplifying the stretch function

Recall that the denition of pseudorandom generators ie Denition makes a minimal require

ment regarding their stretch that is it is only required that the length of the output of such

generators is longer than their input Needless to say we seek pseudorandom generators with a

signicant stretch It turns out see Construction that pseudorandom generators of any stretch

def

function and in particular of stretch k k are easily converted into pseudorandom gener

ators of any desired p olynomially b ounded stretch function On the other hand since pseu

dorandom generators are required in Denition to run in p olynomial time their stretch must

b e p olynomially b ounded Thus when talking ab out the existence of pseudorandom generators

as in Denition we may ignore the stretch function

Construction Let G be a pseudorandom generator with stretch function k k and

be any polynomially bounded stretch function that is polynomialtime computable Let

def

Gs

jsj

where x s and x G x for i jsj That is is the last bit of G x and

i i i i i

x is the jsjbit long prex of G x

i i

Needless to say G is p olynomialtime computable and has stretch

i Hk

x x x i G1 i+1 . . . G1 l

σ σ σ i i+1 l

σ σ σ σ σ

1. . . i-1 i i+1 . . . l

th

Figure Analysis of stretch amplication the i hybrid

Prop osition Let G and G be as in Construction Then G constitutes a pseudorandom gen

erator

Pro of Sketch The prop osition is proven using the hybrid technique presented and discussed in

i

Section Here for i k we consider the hybrid distributions H dened by

k

def

i

H U P U

k i

k

i

k

i k

are indep endent uniform distributions over f g and f g resp ectively where U and U

i

k

and P x denotes the j bit long prex of Gx See Figure The extreme hybrids ie H

j

k

k

and H corresp ond to GU and U whereas distinguishability of neighboring hybrids can b e

k

k

k

worked into distinguishability of G U and U Details follow

k k

i

i

with some gap k Denoting the rst Supp ose that algorithm D distinguishes H from H

k

k

jxj bits resp last bit of x by F x resp Lx we may write P s LG s P F G s

j j

and

i

H U P U

k i

k

i

k

P F G U U LG U

k i

i

k k

i

U P U H

k i

i

k k

P F U U LU

k i

i

k k

Then incorp orating the generation of U and the evaluation of P into the distinguisher

k i

i

U in con LU G U from F U LG U D we distinguish F G U

k k

k k k k

k

tradiction to the pseudorandomness of G Sp ecically on input x f g we uniformly select

i

r f g and output D r Lx P F x Thus the probability we output on input

k i

i

i

A nal detail refers to the G U resp U equals Pr D H resp Pr D H

k k

k

k

question which i to use As usual when the hybrid technique is used a random i in f k g

will do

Constructions

The constructions surveyed in this section transform computational diculty in the form of one

way functions into generators of pseudorandomness Recall that a polynomialtime computable

function is called oneway if any ecient algorithm can invert it only with negligible success proba

bility see for further discussion We will actually use hardcore predicates of such functions

and refer the reader to their treatment in Lo osely sp eaking a polynomialtime computable

predicate b is called a hardcore of a function f if any ecient algorithm given f x can guess

bx only with success probability that is negligible b etter than half Recall that for any oneway

function f the innerpro duct mo d of x and r is a hardcore of f x r f x r Finally we

get to the construction of pseudorandom generators

Prop osition A simple construction of pseudorandom generators Let b be a hardcore predicate

def

of a polynomialtime computable and lengthpreserving function f Then Gs f s bs is

a pseudorandom generator

Pro of Sketch The jsjbit long prex of Gs is uniformly distributed b ecause f is and

jsj

onto f g Hence the pro of b oils down to showing that distinguishing f sbs from f s

For more details see Sec

For more details see Sec

where is a random bit yields contradiction to the hypothesis that b is a hardcore of f ie that

bs is unpredictable from f s Intuitively such a distinguisher also distinguishes f sbs from

f s bs where but distinguishing f s bs from f s bs yields an algorithm for

predicting bs based on f s Details follow

We start with any p otential distinguisher D and let

def

k Pr D GU Pr D U

k k

We may assume without loss of generality that k is nonnegative for innitely many k s Using

bU GU f U bU and U f U Z where Z bU with probability and Z

k k k k k k k

otherwise we have

bU k Pr D f U bU Pr D f U

k k k k

Consider an algorithm A that on input y uniformly selects f g invokes D y and outputs

if D y and otherwise Then

Pr Af U bU Pr D f U bU

k k k k

Pr D f U bU

k k

Pr D f U bU

k k

bU Pr D f U

k k

which equals k The prop osition follows

Combining Prop osition and Construction we obtain the following corollary

Theorem A sucient condition for the exsitemce of pseudorandom generators If there exists

and lengthpreserving oneway function then for every polynomially bounded stretch function

there exists a pseudorandom generator of stretch

Digest The key p oint in the pro of of Prop osition is showing that the rather obvious unpre

dictability of the output of G implies its pseudorandomness The fact that next bit unpredictabil

ity and pseudorandomness are equivalent in general is proven explicitly in the alternative pro of

of Theorem provided next

An alternative presentation Let us take a closer lo ok at the pseudorandom generators ob

tained by combining Construction and Prop osition For a stretch function N N a

oneway function f with a hardcore b we obtain

def

Gs

jsj

i

where x s and x f x bx for i jsj Denoting by f x the value of f

i i i i

i i

iterated i times on x ie f x f f x and f x x we rewrite Eq as follows

def

jsj

Gs bs bf s bf s

The pseudorandomness of G is established in two steps using the notion of next bit unpredictabil

ity An ensemble fZ g is called unpredictable if any probabilistic p olynomialtime machine ob

k

k N

taining a random prex of Z fails to predict the next bit of Z with probability nonnegligibly

k k

higher than Sp ecically we need to establish the following two results

A general result asserting that an ensemble is pseudorandom if and only if it is unpre

dictable Recall that an ensemble is pseudorandom if it is computationally indistinguishable

from a uniform distribution over bit strings of adequate length

Clearly pseudorandomness implies p olynomialtime unpredictability but here we actually

need the other direction which is less obvious Still using a hybrid argument one can show

that nextbit unpredictability implies indistinguishability from the uniform ensemble For

details see Exercise

A sp ecic result asserting that the ensemble fGU g is unpredictable from right to left

k

k N

Equivalently G U is p olynomialtime unpredictable from left to right as usual where

n

jsj

G s bf s bf s bs is the reverse of Gs

n

Using the fact that f induces a p ermutation over f g observe that the j bit long

j

prex of G U is distributed identically to bf U bf U bU Thus an algorithm

k k k k

st

that predicts the j bit of G U based on the j bit long prex of G U yields an

n n

algorithm that guesses bU based on f U For details see Exercise

n n

Needless to say G is a pseudorandom generator if and only if G is a pseudorandom generator see

Exercise We mention that Eq is often referred to as the BlumMicali Construction

A general condition for the existence of pseudorandom generators Recall that given

any oneway lengthpreserving function we can easily construct a pseudorandom generator

Actually the and lengthpreserving requirement may b e dropp ed but the currently known

construction for the general case is quite complex

Theorem On the existence of pseudorandom generators Pseudorandom generators exist if

and only if oneway functions exist

To show that the existence of pseudorandom generators imply the existence of oneway functions

k

consider a pseudorandom generator G with stretch function k k For x y f g dene

def

Gx and so f is p olynomialtime computable and lengthpreserving It must b e that f x y

f is oneway or else one can distinguish GU from U by trying to invert and checking the result

k k

Inverting f on its range distribution refers to the distribution GU whereas the probability that

k

U has inverse under f is negligible

k

The interesting direction of the pro of of Theorem is the construction of pseudorandom

generators based on any oneway function In general when f may not b e the ensemble f U

k

may not b e pseudorandom and so Construction ie Gs f sbs where b is a hardcore of

f cannot b e used directly One idea underlying the construction is to hash f U to an almost

k

uniform string of length related to its entropy using Universal Hash Functions This is done after

guaranteeing that the logarithm of the probability mass of a value of f U is typically close to

k

For simplicity we dene unpredictability as referring to preces of a random length distributed uniformly in

f jZ j g

k

Given the p opularity of the term we deviate from our convention of not sp ecifying credits in the main text

Indeed this construction originates in

the entropy of f U But hashing f U down to length comparable to the entropy means

k k

shrinking the length of the output to say k k This foils the entire p oint of stretching the

k bit seed Thus a second idea underlying the construction is to comp ensate for the k k loss

by extracting these many bits from the seed U itself This is done by hashing U and the p oint

k k

is that the k k bit long hash value do es not make the inverting task any easier Implementing

these ideas turns out to b e more dicult than it seems and indeed an alternative construction

would b e most appreciated

Nonuniformly strong pseudorandom generators

Recall that we said that truly random sequences can b e replaced by pseudorandom ones without

aecting any ecient computation The sp ecic formulation of this assertion presented in Prop osi

tion refers to randomized algorithms that take a primary input and use a secondary random

input in their computation Prop osition asserts that it is infeasible to nd a primary input

for which the replacement of a truly random secondary input by a pseudorandom one aects the

nal output of the algorithm in a noticeable way This however do es not mean that such pri

mary inputs do not exist but rather that they are hard to nd Consequently Prop osition falls

short of yielding a worstcase derandomization of a complexity class such as BPP To obtain

such results we need a stronger notion of pseudorandom generators presented next Sp ecically

we need pseudorandom generators that can fo ol all p olynomialsize circuits and not merely all

probabilistic p olynomialtime algorithms

Denition strong pseudorandom generator fo oling circuits A deterministic polynomial

time algorithm G is called a nonuniformly strong pseudorandom generator if there exists a stretch

function N N such that for any family fC g of polynomialsize circuits for any positive

k

k N

polynomial p and for al l suciently large k s

j Pr C GU Pr C U j

k k k

k

pk

An alternative formulation is obtained by referring to p olynomialtime machines that take advice

Using such pseudorandom generators we can derandomize BPP

Theorem Derandomization of BPP If there exists nonuniformly strong pseudorandom gen

def

n

erators then BPP is contained in Dtime t where t n

Pro of Sketch Given any L BPP and any we let A denote the decision pro cedure for

L and G denote a nonuniformly strong pseudorandom generator stretching n bit long seeds into

p oly nlong sequences to b e used by A as secondary input when pro cessing a primary input of

Sp ecically given an arbitrary oneway function f one rst constructs f by taking a direct pro duct of

13

def

k

suciently many copies of f For example for x x f g we let f x x f x f x

23 23 23

k k k

Indeed Prop osition yields an averagecase derandomization of BPP In particular for every p olynomialtime

constructible ensemble fX g every L BPP and every there exists a randomized algorithm A of

n

nN

randomness complexity r n n such that the probability that A X LX is negligible A corresp onding

n n

deterministic expr time algorithm A can b e obtained as in the pro of of Theorem and again the probability

that A X LX is negligible where here the probability is taken only over the distribution of the primary input

n n

r

represented by X In contrast worstcase derandomization as captured by the assertion BPP Dtime

n

requires that the probability that A X LX is zero

n n

Needless to say strong pseudorandom generators in the sense of Denition satisfy the basic denition of a

pseudorandom generator ie Denition see Exercise

length n We thus obtain an algorithm A A as in Construction We note that A and A may

G

dier in their decision on at most nitely many inputs b ecause otherwise we can use these inputs

together with A to derive a nonuniform family of p olynomialsize circuits that distinguishes

GU and U contradicting the the hypothesis regarding G Sp ecically in terms of the

n

p oly n

pro of of Prop osition the nder F consists of a nonuniform family of p olynomialsize circuits

that print the problematic primary inputs that are hardwired in them and the corresp onding

distinguisher D is thus also nonuniform Incorp orating the nitely many bad inputs into A we

derive a probabilistic p olynomialtime algorithm that decides L while using randomness complexity

n

n

p ossible random choices ie seeds to G we obtain Finally emulating A on each of the

a deterministic algorithm A as required That is let A x r denote the output of algorithm A

n n

and Then A x invokes A x r on every r f g on input x when using coins r f g

rules by ma jority

We comment that stronger results regarding derandomization of BPP are presented in Section

On constructing nonuniformly strong pseudorandom generators Nonuniformly strong

pseudorandom generators as in Denition can b e constructed using any oneway function that

is hard to invert by any nonuniform family of p olynomialsize circuits rather than by probabilistic

p olynomialtime machines In fact the construction in this case is simpler than the one employed

in the uniform case ie the construction underlying the pro of of Theorem

Other variants and a conceptual discussion

We rst mention two stronger variants on the denition of pseudorandom generators and conclude

this section by highlighting various conceptual issues

Stronger notions

The following two notion represent strengthening of the standard denition of pseudorandom gen

erators as presented in Denition Nonuniform versions of these variants strengthening De

nition are also of interest

Fooling stronger distinguishers One strengthening of Denition amounts to explicitly quan

tifying the resources and success gaps of distinguishers We chose to b ound these quantities as

a function of the length of the seed ie k rather than as a function of the length of the string

p

def

k c

g and that is b eing examined ie k For a class of time b ounds T eg T ftk

cN

def

a class of noticeable functions eg F ff k tk t T g we say that a pseudorandom

generator G is T F strong if for any probabilistic algorithm D having runningtime b ounded by

a function in T applied to k for any function f in F and for all suciently large k s

j Pr D GU Pr D U j f k

k

k

An analogous strengthening may b e applied to the denition of oneway functions Doing so

reveals the weakness of the construction that underlies the pro of of Theorem It only implies

that for some will do for any T and F the existence of T F strong oneway

That is when examining a sequence of length k algorithm D makes at most tk steps where t T

def

functions implies the existence of T F strong pseudorandom generators where T ft k

def

tk p oly k t T g and F ff k p oly k f k f F g What we would like to have is

def def

an analogous result with T ft k tk p oly k t T g and F ff k p oly k f k

f F g

Pseudorandom Functions Pseudorandom generators allow to eciently generate long pseu

dorandom sequences from short random seeds Pseudorandom functions dened in are even

more p owerful They allow ecient direct access to a huge pseudorandom sequence which is not

even feasible to scan bitbybit Put in other words pseudorandom functions can replace truly

random functions in any ecient application eg most notably in cryptography We mention

that pseudorandom functions can b e constructed from any pseudorandom generator see and

found many applications in cryptography see Pseudorandom functions have b een used to

derive negative results in computational learning theory and in complexity theory cf Natural

Pro ofs

Conceptual Discussion

Who ever do es not value preo ccupation with thoughts can skip this chapter

Rob ert Musil The Man without Qualities Chap

We highlight several conceptual asp ects of the foregoing computational approach to randomness

Some of these asp ects are common to other instantiation of the general paradigm esp the one

presented in Section

Behavioristic versus Ontological The b ehavioristic nature of the computational approach

to randomness is b est demonstrated by confronting this approach with the KolmogorovChaitin

approach to randomness Lo osely sp eaking a string is Kolmogorovrandom if its length equals

the length of the shortest program pro ducing it This shortest program may b e considered the

true explanation to the phenomenon describ ed by the string A Kolmogorovrandom string is

thus a string that do es not have a substantially simpler ie shorter explanation than itself

Considering the simplest explanation of a phenomenon may b e viewed as an ontological approach

In contrast considering the eect of phenomena on certain ob jects as underlying the denition of

pseudorandomness is a b ehavioristic approach Furthermore there exist probability distributions

that are not uniform and are not even statistically close to a uniform distribution and nevertheless

are indistinguishable from a uniform distribution by any ecient metho d Thus distributions

that are ontologically very dierent are considered equivalent by the b ehavioristic p oint of view

taken in the denition of computational indistinguishability

A relativistic view of randomness We have dened pseudorandomness in terms of its ob

server Sp ecically we have considered the class of ecient ie p olynomialtime observers and

dened as pseudorandom ob jects that lo ok random to any observer in that class In subsequent

sections we shall consider restricted classes of such observers eg spaceb ounded p olynomialtime

observers and even very restricted observers that merely apply sp ecic tests such as linear tests or

hitting tests Each such class of observers gives rise to a dierent notion of pseudorandomness

Furthermore the general paradigm of pseudorandomness explicitly aims at distributions that are

not uniform and yet are considered as such from the p oint of view of certain observers Thus our

entire approach to pseudorandomness is relativistic and sub jective ie dep ending on the abilities

of the observer

Randomness and Computational Diculty Pseudorandomness and computational di

culty play dual roles The general paradigm of pseudorandomness relies on the fact that putting

computational restrictions on the observer gives rise to distributions that are not uniform and still

cannot b e distinguished from uniform Thus the pivot of the entire approach is the computational

diculty of distinguishing pseudorandom distributions from truly random ones Furthermore

many of the constructions of pseudorandom generators rely on either conjectures or facts regarding

computational diculty ie that certain computations that are hard for certain classes For

example oneway functions were used to construct generalpurp ose pseudorandom generators ie

those working in p olynomialtime and fo oling all p olynomialtime observers Analogously as we

shall see in Section the fact that parity function is hard for p olynomialsize constantdepth

circuits can b e used to generate highly nonuniform sequences that fo ol such circuits

Randomness and Predictability The connection b etween pseudorandomness and unpredictabil

ity by ecient pro cedures plays an imp ortant role in the analysis of several constructions cf

Sections and We wish to highlight the intuitive app eal of this connection

Derandomization of timecomplexity classes

Let us take a second lo ok at the pro of of Theorem A pseudorandom generator was used to shrink

the randomness complexity of a BPPalgorithm and derandomization was achieved by scanning all

p ossible seeds to the generator A key observation regarding this pro cess is that there is no p oint

in insisting that the pseudorandom generator runs in time p olynomial in its seed length Instead

it suces to require that the generator runs in time exp onential in its seed length b ecause we are

incurring such an overhead anyhow due to the scanning of all p ossible seeds Furthermore in this

context the runningtime of the generator may b e larger than the running time of the algorithm

which means that the generator need only fo ol distinguishers that take less steps than the generator

These considerations motivate the following denition

Denition

Recall that in order to derandomize a probabilistic p olynomialtime algorithm A we rst obtain

a functionally equivalent algorithm A as in Construction that has signicantly smaller ran

G

domness complexity Algorithm A has to maintain As inputoutput b ehavior on all but nitely

G

many inputs Thus the set of the relevant distinguishers considered in the pro of of Theorem

is the set of all p ossible circuits obtained from A by hardwiring each of the p ossible inputs Such

a circuit denoted C emulates the execution of algorithm A on input x when using the circuits

x

input as the algorithms internal coin tosses ie Ax r C r Furthermore the size of C

x x

is p olynomial in the runningtime of A on input x and the length of the input to C is linear in

x

the runningtime of A on input x For simplicity lets say that the size of C is quadratic in

x

the runningtime of A on input x Thus the pseudorandom generator in use ie G needs to fo ol

Indeed if algorithm A is represented as a Turing machine then C has size that is at most quadratic and in

x

fact even almostlinear in the runningtime of A on input x which in turn means that C has size that is at most

x

quadratic or almost linear in the length of its own input We note that most sources use the ctitious convention

by which the circuit size equals the length of its input which can b e justied by considering a suitably padded input

each of these p ossible circuits Recalling that we may allow the generator to run in exp onential

time in the length of its own input we arrive at the following denition

Denition pseudorandom generator for derandomizing BPtime Let N N be a

function A canonical derandomizer of stretch is a deterministic algorithm G of time complexity

k

upperbounded by p oly k such that for every circuit D of size k it holds that

k

j Pr D GU Pr D U j

k k k

k

The circuits D are p otential distinguishers which are given inputs of length k When seeking to

k

derandomize an algorithm A of timecomplexity t the aforementioned k bit long inputs represent

p ossible randominputs of A when invoked on a generic primary input of length n t k

n

That is letting D r Ax r for some choice of x f g where jr j tn k and

k

Eq implies that A x maintains the ma jority vote of Ax The straightforward deterministic

G

k k k

emulation of A takes time p oly k tn which is upp erb ounded by p oly k

G

tn

p oly tn The following prop osition is easy to establish

Prop osition If there exists a canonical derandomizer of stretch then for every timeconstructible

tn

t N N it holds that BPtimet DtimeT where T n p oly tn

Pro of Sketch Just follow the pro of of Theorem noting that the adequate value of k ie

i

k tn can b e determined easily eg by invoking G for i k using the fact that

k

N N is Note that the complexity of the deterministic pro cedure is dominated by the

tjxj

invocations of A x s Ax Gs where s f g and each of these invocations takes

G

k tn

time p oly k tn p oly tn

The goal In light of Prop osition we seek canonical derandomizers with stretch that is as

k

big as p ossible The stretch cannot b e sup erexp onential in fact k O b ecause a circuit

k k

of size O k may violate Eq see Exercise whereas for k it holds that

k k

O k k Thus our goal is to construct canonical derandomizer with stretch k

Such canonical derandomizers will allow for a full derandomization of BPP

k

Theorem If there exists a canonical derandomizer of stretch k for BPtime then

BPP P

tn

Pro of Using Prop osition we get BPtimet DtimeT where T n p oly

tn p oly tn

Reections We stress that a canonical derandomizer G was dened in a way that allows it to

have time complexity t that is larger than the size of the circuits that it fo ols ie t k k

G G

k k

is allowed Furthermore t k was also allowed Thus if indeed t k as is the

G G

k

case in Section then GU can be distinguished from U in time t k p oly t k

G G

k

k

greater than k by trying all p ossible seeds In contrast for a generalpurp ose pseudorandom

generator G as discussed in Section it holds that t k p oly k while for every polynomial p

G

it holds that GU is indistinguishable from U in time pt k

G

k

k

k k

Actually in Denition we allow the generator to run in time p oly k rather than p oly This is done

k

in order not to rule out trivially generators of sup erexp onential stretch ie k However see Exercise

the condition in Eq do es not allow for sup erexp onential stretch and so in retrosp ect the two formulations are

k k O k

equivalent b ecause p oly k p oly for k

Fixing a mo del of computation we denote by BPtimet the class of decision problems that are solvable by a

randomized algorithm of time complexity t that has twosided error

Construction

The fact that canonical derandomizers are allowed to b e more complex than the corresp onding

distinguisher makes some of the techniques of Section inapplicable in the current context On the

other hand the techniques developed b elow are inapplicable to Section Amazingly enough the

pseudorandomness or rather the nextbit unpredictability of the following generators hold even

when the observer is given the seed capitalizing on the fact that the observers timecomplexity

do es not allow running the generator

As in Section the construction surveyed b elow transforms computational diculty into

pseudorandomness except that here b oth computational diculty and pseudorandomness are of a

somewhat dierent form than in Section Sp ecically here we use Bo olean predicates that are

computable in exp onentialtime but are T inapproximated for some exp onential function T that

m

is for constants c and all but nitely many m the residual predicate f f g f g

cm m

is computable in time but for any circuit C of size it holds that Pr C U f U

m m

m

Needless to say c Recall that such predicates exist under the assumption that E

has almosteverywhere exp onential circuit complexity With these preliminaries we turn to the

construction of canonical derandomizers with exp onential stretch

m

Construction The NisanWigderson Construction Let f f g f g and S S

k

be a sequence of msubsets of f k g Then for s f g we let

def

Gs f s f s

S S

where s denotes the projection of s on the bit locations in S f jsjg that is for s

S

k

and S fi i g we have s

m S i i

m

Letting k vary and m N N b e functions of k we wish G to b e a canonical derandomizer and

k

k Obvious necessary conditions for this to happ en include the requirement that the

sets b e distinct and hence mk k consequently f must b e computable in exp onentialtime

k

Furthermore the sequence of sets S S must b e constructible in p oly time Intuitively it

k

is desirable to use a set system with small pairwise intersections b ecause this restricts the overlap

among the various inputs to which f is applied and a function f that is strongly inapproximable

ie T inapproximble for some exp onential function T Interestingly these conditions are essen

tially sucient

Theorem analysis of Construction Let be constants satisfying

k n

and m T N N satisfy k mk k and T n Suppose that the fol lowing

two conditions hold

There exists an exponentialtime computable function f f g f g that is T inapproximable

There exists an exponentialtime computable function S N N N such that jS k ij mk

for every k and i k and jS k i S k j j mk for every k and i j

Then using G as dened in Construction with S S k i yields a canonical derandomizer

i

with stretch

Given the p opularity of the term we deviate from our convention of not sp ecifying credits in the main text This

construction originates in

We say that f f g f g is S inapproximable if for every family of S size circuits fC g and all

n

nN

n

We say that f is T inapproximable if it is T T suciently large n it holds that Pr C U f U

n n

inapproximable

For any a function S as in Condition do es exist see Exercise with some mk k

k

and k Combining such S with the worstcase to averagecase reduction of and using

Theorem we obtain a canonical derandomizer with exp onential stretch based on the assumption

that E has almosteverywhere exp onential circuit complexity Combining this with Theorem

we get the rst item of the following theorem

Theorem Derandomization of BPP revisited

Suppose that there exists a set S E having almosteverywhere exponential circuit complexity

ie there exists a constant such that for all but nitely many ms any circuit that

m m

correctly decides S on f g has size at least Then BPP P

Suppose that for every polynomial p there exists a set S E having circuit complexity that is

def

almosteverywhere greater than p Then BPP is contained in Dtimet where t n

n

Part is proved in Exercise by using a generalization of Theorem which in turn is provided

in Exercise We note that Part of Theorem sup erseeds Theorem The two parts of

Theorem exhibit two extreme cases Part often referred to as the high end assumes an

extremely strong circuit lowerbound and yields full derandomization ie BPP P whereas

Part often referred to as the low end assumes an extremely weak circuit lowerbound and

yields weak but meaningfull derandomization Intermediate results relying on intermediate lower

b ound assumptions can b e obtained analogous to Exercise but tight tradeos are obtained

dierently cf

Pro of of Theorem Using the time complexity b ounds on f and S it follows that G can

b e computed in exp onential time Out fo cus is on showing that fGU g cannot b e distinguished

k

from fU g by circuits of size k that is that G satises Eq In fact we will prove that

k

this holds for G s s Gs that is G fo ols such circuits even if they are given the seed as

auxiliary input Indeed these circuits are smaller than the running time of G and so they cannot

just evaluate G on the given seed

We start with the intuition underlying the pro of As a warmup supp ose that the sets ie

S k is used in the construction are disjoint In such a case which is indeed imp ossible b ecuase

k k mk the pseudorandomness of GU would follow easily from the inapproximablity of

k

f b ecause in this case G consists of applying f to nonoverlaping parts of the seed see Exercise

In the actual construction b eing analyzed here the sets ie S k is are not disjoint but have

relatively small pairwise intersection which means that G applies f on parts of the seed that have

relatively small overlap Intuitively such small overlaps guarantee that the values of f on the

corresp onding inputs are computationally indep endent ie having the value of f at one input

do es not help to approximate the value of f at another input This intuition will b e backed by

showing that the former values can b e computed at a relatively small computational cost With

this intuition in mind we now turn to the actual pro of

The pro of that G fo ols circuits of size k utilizes the relation b etween pseudorandomness

and unpredictability Sp ecically as detailed in Exercise any circuit that distinguishes G U

k

from U with gap yields a nextbit predictor of similar size that succeeds in predicting the

k k

Sp ecically starting with a function having circuit complexity at least exp m we apply the worstcase to

m

averagecase reduction of obtaining a T inapproximble predicate for T m where the constant

dep ends on the constant Next we set and invoke Exercise which determines such that

k

k and mk k In fact and hence

where the k k k ok next bit with probability at least

k k

factor is introduced by the hybrid technique cf Eq Furthermore given the nonuniform

setting of the current pro of we may x a bit lo cation i for prediction rather than analyzing

the prediction at a random bit lo cation Indeed i k must hold b ecause the rst k bits of G U

k

are uniformly distributed In the rest of the pro of we transform such a predictor into a circuit that

approximates f b etter than allowed by the hypothesis regarding the inapproximability of f

st

Assuming that a small circuit C can predict the i bit of G U when given the previous

k

i bits we construct a small circuit C for approximating f U on input U The p oint is that

mk mk

st

the i bit of G s equals f s where j i k and so C approximates f s

S k j S k j

k

based on s f s f s where s f g is uniformly distributed This is the type of

S k S k j

thing that we are after except that the circuit we seek may only get s as input

S k j

The rst observation is that C maintains its advantage when we x the b est choice for the bits

of s that are not at bit lo cations S S k j ie the bits s That is by an averaging

j

k nS

j

argument it holds that

j s s g f s C s f s f s max fPr

k

S S S

k nS

sfg

j j

j

k mk

s fg

def

f s C s f s f s p Pr

k

S S S

sfg

j j

Hardwiring the xed string s into C and letting Recall that by the hypothesis p

k

x and s s we obtain a circuit C x denote the unique string s satisfying s

S

k nS

j

j

that satises

f x p Pr m C x f x f x

S S

xfg

j

The circuit C is almost what we seek The only problem is that C gets as input not only x but

also f x f x whereas we seek an appproximator of f x that only gets x

S S

j

dep end only on The key observation is that each of the missing values f x f x

S S

j

a relatively small number of the bits of x This fact is due to the hypothesis that jS S j mk

t j

def

for t j which means that x is an mk bit long string in which m jS S j bits

S t t j

t

are pro jected from x and the rest are pro jected from the xed string s Thus given x the value

m

e

t

f x that is by a circuit implementing can b e computed by a trivial circuit of size O

S

t

a lo okup table on m bits Using all these circuits together with C we will obtain the desired

t

approximator of f Details follow

We obtain the desired circuit C which dep ends on the index j and the string s that are xed as

m

in the foregoing analysis On input x f g the circuit computes the values f x f x

S S

j

invokes C on input x and these values and outputs the answer as a guess for f x That is

C x C x f x f x C x f x f x

S S S S

j j

where the second inequality is due By the foregoing analysis Pr C x f x p

x

T m

mk k k

to T mk k The size of C is upp erb ounded by k k

mk mk

e e

O O k T mk where the second inequality is due to T mk

mk k mk k

e

O and k Thus we derived a contradiction to the hypothesis that

f is T inapproximable

Variants and a conceptual discussion

The NisanWigderson Construction Construction is actually a general framework which can b e

instantiated in various ways We start this section by briey reviewing some of these instantiations

and end it with a conceptual discussion regarding derandomization

Derandomization of constantdepth circuits Using Construction with a dierent set

ting of parameters and the parity function in the role of the inapproximable predicate ie inap

proximable by small constantdepth circuits one can obtain pseudorandom generators that fo ol

small constantdepth circuits see The analysis of the mo died construction pro ceeds very

much like the pro of of Theorem One imp ortant observation is that incorp orating the straight

forward circuits that compute f x into the distinguishing circuit only increases its depth

S

i

by two levels The resulting pseudorandom generator which use a seed of p olylogarithmic length

O

equiv k expk can b e used for derandomizing RAC ie random AC analogously

to Theorem In other words we can deterministically approximate in quasip olynomialtime

and upto an additive error the fraction of inputs that satisfy a given constantdepth circuit

Sp ecically for any constant d given a depthd circuit C one can approximate the fraction of the

inputs that satisfy C ie cause C to evaluate to to within any additive constant error in time

expp oly log jC j where the p olynomial dep ends on d Providing a deterministic p olynomialtime

aproximation even in the case d ie CNFDNF formulae is an op en problem

Derandomization of probabilistic pro of systems A dierent and more surprising instan

tiation of Construction utilizes predicates that are hard for small circuits having oracle access

to NP The result is a pseudorandom generator robust against twomove publiccoin interactive

pro ofs which are as p owerful as constantround interactive pro ofs The key observation is that

the ab ove pro of provides a blackbox pro cedure for approximating the underlying predicate when

given oracle access to a distinguisher and this pro cedure in valid also in case the distinguisher

is a nondeterministic machine Thus under suitably strong and yet plausible assumptions

constantround interactive pro ofs collapse to NP We note that a stronger result which deviates

from the foregoing framework has b een subsequently obtained cf

An even more radical instantiation of Construction was used to obtain explicit constructions

of randomness extractors see In addition to the foregoing observation one also utilizes the

fact that the generator itself uses the predicate as a blackbox

A conceptual discussion regarding derandomization

Part of Theorem is often summarized by saying that under some reasonable assumptions

randomness is useless We b elieve that this interpretation is wrong even within the restricted

context of traditional complexity classes and is bluntly wrong if taken outside of the latter context

Let us elab orate

Taking a closer lo ok at the pro of of the underlying Theorem we note that a randomized

algorithm A of time complexity t is emulated by a deterministic algorithm A of time complexity

t p oly t Further noting that A A invokes A and the canonical derandomizer G for a

G

number of times that must exceed t we infer that t t must hold Thus derandomization via

Part of Theorem is not really for free

More imp ortantly we note that derandomization is not p ossible in various distributed settings

when b oth parties may protect their conicting interests by employing randomization Notable

We mention that in the sp ecial case of approximating the number of satisfying assignment of a DNF formula

relative error approximations can b e obtained by employing a deterministic reduction to the case of additive constant

error see Ap dx B Thus using a pseudorandom generator that fo ols DNF formulae we can deterministically

obtain a relative rather than additive error approximation to the number of satisfying assignment in a given DNF

formula

examples include most cryptographic primitives eg encryption as well as most types of proba

bilistic pro of systems eg PCP Additional settings where randomness makes a dierence either

b etween imp ossibility and p ossibility or b etween prohibited and aordable cost include distributed

computing see communication complexity see parallel architectures see sampling

and prop erty testing

Space Pseudorandom Generators

In the previous two sections we have considered generators the output of which is indistinguishable

by any ecient pro cedures The latter were mo deled by timeb ounded computations sp ecically

p olynomialtime computations A ner characterization of timeb ounded computations is obtained

by considering their spacecomplexity ie restricting the spacecomplexity of timeb ounded com

putations In contrast to the denitions of pseudorandom generators that were considered in

Sections and the existence of pseudorandom generators that fo ol spaceb ounded distinguishers

can b e established without relying on computational assumptions

Denitional issues

Unfortunately natural notions of spaceb ounded computations are quite subtle esp ecially when

nondeterminism or randomization are concerned Two ma jor issues are time bounds and access to

the random tape

Time b ound The question is whether or not one restricts the spaceb ounded machines to run

in timecomplexity that is at most exp onential in the spacecomplexity Recall that such

an upp erb ound follows automatically in the deterministic case and can b e assumed without

loss of generality in the nondeterministic case but not in the randomized case

Indeed we do p ostulate the aforementioned timeb ound

Access to the random tap e The question is whether whether the spaceb ounded machine has

oneway or twoway access to the randomness tap e Allowing twoway access means that

the randomness is recorded for free that is without b eing accounted for in the spaceb ound

Recall that oneway access to the randomness tap e corresp onds to the natural mo del of online

randomized machine which determines its moves based on its internal coin tosses

Again following most work in the area we consider oneway access

In accordance with the resulting denition of randomized spaceb ounded computation we consider

spaceb ounded distinguishers that have a oneway access to the input sequence that they examine

Since all known constructions remain valid also when these distinguishers are nonuniform and

since nonuniform distinguishers arise anyhow in derandomization we use this stronger notion

here

Alternatively one can ask whether these machines must always halt or only halt with probability approaching

It can b e shown that the only way to ensure absolute halting is to have timecomplexity that is at most exp onential

in the spacecomplexity

We note that the fact that we restrict our attention to oneway access is instrumental in obtaining space

robust generators without making intractability assumptions Analogous generators for twoway spaceb ounded

computations would imply hardness results of a breakthrough nature in the area

We note that these nonuniform spaceb ounded distinguishers corresp ond to branching programs of width that

is exp onential in the spaceb ound Furthermore these branching programs read their input in a xed predetermined

order which is determined by the designer of the generator

In the context of nonuniform algorithms that have oneway access to their input we may

assume without loss of generality that the runningtime of such algorithms equals the length of

their input denoted k Thus we dene a nonuniform machine of space s N N as a family

sk

fD g of directed layered graphs such that D has at most vertices at each layer and

k k

k N

lab eled directed edges from each layer to the next layer Each vertex has two p ossibly parallel

outgoing directed edges one lab eled and the other lab eled and there is a single vertex in the rst

layer of D The result of the computation of such a machine on an input of adequate length ie

k

length where D has layers is dened as the vertex in last layer reached when following

k

the sequence of edges that are lab elled by the corresp onding bits of the input That is on input

th

x x x for i we move from the vertex reached in the i layer by using the outgoing

st

edge lab elled x thus reaching a vertex in the i layer Using a xed partition of the vertices

i

of the last layer this denes a natural notion of decision by D that is we write D x if on

k k

input x machine D reached a vertex that b elongs to the rst part of the aforementioned partition

k

Denition Indistinguishability by spaceb ounded machines

For a nonuniform machine fD g and two probability ensembles fX g and fY g

k k k

k N k N k N

the function d N dened as

def

dk jPr D X Pr D Y j

k k k k

is called the distinguishabilitygap of fD g between the two ensembles

k

A probability ensemble fX g is called s pseudorandom if for any nonuniform s

k

k N

spacebounded machine the distinguishabilitygap of the machine between fX g and a

k

k N

uniform ensemble of length jX j is at most

k

A deterministic algorithm G of stretch function is called a s pseudorandom generator if

the ensemble fGU g is s pseudorandom

k

k N

Two constructions

In contrast to the case of pseudorandom generators that fo ol timeb ounded distinguishers pseu

dorandom generators that fo ol spaceb ounded distinguishers can b e established without relying on

any computational assumption The following two constructions exhibit two extreme cases of a

general tradeo b etween the length of the seed and the stretch function of the generator We

start with an attempt to maximize the stretch

Theorem exp onential stretch with quadratic length seed For every space constructible func

s k O sk

tion s N N there exists a s pseudorandom generator of stretch function k

Furthernore the generator works in space linear in the length of the seed and in time linear in the

stretch function

Note that the space b ound of the machine is stated in terms of a parameter k rather than in terms of the length

of its input In the sequel this parameter will b e set to the length of a seed to a pseudorandom generator We

warn that our presentation here is indeed nonstandard for this area To comp ensate for this we will also state the

consequences in the standard format

These two results have b een interpolated in There exists a parameterized family of space pseudorandom

generators that includes b oth results as extreme sp ecial cases

In other words we have a generator that takes a random seed of length k O t m and pro duce

t

sequences of length that lo ok random to any mspaceb ounded machine In particular using a

m

random seed of length k O m one can pro duce sequences of length that lo ok random to any

mspace b ounded machine Thus one may replace random sequences used by any spacebounded

computation by sequences that are eciently generated from random seeds of length quadratic in the

space bound The common instantiation is for logspace machines In x we apply Theorem

and its underlying ideas for the derandomization of space complexity classes such as BPL ie

the logspace analogue of BPP

We now turn to the case where one wishes to minimize the seed length We warn that The

orem only guarantees a sub exp onential distinguishing gap rather than the exp onential dis

tinguishing gap guaranteed in Theorem This warning is voiced b ecause failing to recall this

limitation has led to errors in the past

Theorem p olynomial stretch with linear length seed For any polynomial p and for sk

p

s

pseudorandom generator of stretch function p Furthermore the k O there exists a s

generator works in linearspace and polynomialtime b oth stated in terms of the length of the

seed

In other words we have a generator that takes a random seed of length k O m and pro duce

sequences of length p oly m that lo ok random to any mspaceb ounded machine Thus one may

convert any randomized computation utilizing polynomialtime and linearspace into a functional ly

equivalent randomized computation of similar time and space complexities that uses only a linear

number of coin tosses

Overviews of the pro ofs of Theorems and

In b oth cases we describ e the construction by starting with an adequate distinguisher and showing

how the input distribution it examines can b e mo died from the uniform one into a pseudorandom

one without the distinguisher noticing the dierence

Overview of the pro of of Theorem Theorem is proven by using the mixing prop erty

n

of pairwise indep endent hash functions A family of functions H which map f g to itself is

n

n

called mixing if for every pair of subsets A B f g for all but very few ie expn

fraction of the functions h H

n

jB j jAj

Pr U A hU B

n n

n n

where the approximation is up to an additive term of expn

def def

Given a sk space distinguisher D as in Denition we set n sk and k n

k

sk

and consider an auxiliary distinguisher D that is a directed layered graph with layers

k

sk

and vertices in each layer In D each vertex has directed edges going to each vertex of

k

n

the next layer and these edges are labeled with p ossibly empty subsets of f g such that these

n

subsets form a partition of f g The graph D simulates D in the obvious manner that is

k

k

the computation of D on an input of length k n is dened by breaking the input into

k

consecutive blo cks of length n and following the path of edges that are lab eled by the subsets

containing the corresp onding blo ck Now for each pair of neighboring vertices u and v in layers i

n

and i resp ectively consider the lab el L f g of the edge going from u to v Similarly

uv

A detailed pro of app ears in

of the edge from v to w By Eq for for a vertex w at layer i we consider the lab el L

v w

all but very few few of h H

n

Pr U L hU L Pr U L Pr U L

n uv n n uv n

v w v w

where very few and are as in Eq Thus replacing the coins in the second blo ck ie

used in transitions from layer i to layer i with the value of h applied to the outcomes of

the coins used in the rst blo ck ie in transitions from layer i to i approximately maintains

sk

the probability that D moves from u to w via v The same with few b eing times

k

larger here holds for every triple of vertices in any three layers as in the foregoing discussion

The p oint is that we can use the same h in all these approximations Thus at the cost of extra jhj

random bits we can reduce the number of true random coins used in transitions on D by a factor

k

In other words at the cost of extra of without signicantly aecting the nal decision of D

k

jhj random bits we can eectively contract the distinguisher to half its length That is xing a

sk

go o d h ie one that provides a go o d approximation to all relevant pairs of sets we can

replace the edge paths in D by edges in a new distinguisher D such that r is in the set that

k k

lab els the edge uw in D if and only if for some v the string r is in the lab el of the edge uv in

k

D and hr is in the lab el of the edge v w also in D

k k

Rep eating the pro cess for a logarithmic in D s length number of times we obtain a distin

k

guisher that only examines n bits at which p oint we stop In total we have used log k O sk

log k random hash functions which means that we can generate a sequence that fo ols the orig

inal D using a seed of length n log k log jH j see Exercise Using n sk and an

n

k

adequate family H yields the claimed seed length of O sk log k k

n

Overview of the pro of of Theorem Theorem is proven by using a suitable randomness

extractor as in which is indeed a much more p owerful to ol than hashing functions The basic

idea is that when D is at some distant layer say at layer t it typically knows little ab out

k

the random choices that led it there That is D has only sk bits of memory which leaves

k

out t sk bits of uncertainty or randomness regarding the previous moves Thus much

of the randomness that led D to its current state may b e reused or recycled To reuse

k

these bits we need to extract almost uniform distribution on strings of sucient length out of the

t

aforementioned distribution over f g that has entropy at least t sk Furthermore such an

extraction requires some yet relatively few truly random bits In particular using k log t

bits towards this end the extracted bits are expk away from uniform

One imp ortant p oint is how to use the foregoing argument rep eatedly Towards this end we

p

k

p

k where jr j break the k bit long seed into two parts denoted r f g and r r

i

k

and set n k Intuitively r will b e used for determining the rst n steps and it will b e reused

or recycled together with r for determining the steps i n through i n Lo oking at layer

i

i n we consider the information regarding r that is known to D at layer i n Typically the

k

conditional distribution of r given that we reached a sp ecic vertex at layer i n has minentropy

greater than t sk Using r as a seed of an extractor applied to r we can extract

i

k sk ok k n bits that are almostrandom with resp ect to D and use these

k

Note that very few means an expn fraction and that n sk and expsk

A detailed pro of app ears in

Actually a stronger technical condition needs and can b e imp osed on the latter distribution Sp ecically with

tsk

overwhlemingly high probability at layer t machine D is at a vertex that can b e reached in more than

k

dierent ways In this case the distribution representing a random walk that reaches this vertex has minentropy

greater than t sk The reader is referred to for denitions of minentropy and extractors

bits for determining the next n steps Hence using k random bits we are pro duce a sequence

p

k n k of length that fo ols machines of space b ound say sk k That is we

p

s

pseudorandom generator of stretch function k k obtained a s

To obtain an arbitrary p olynomial stretch rather than a sp ecic p olynomial stretch ie k

k we rep eatedly apply an adequate comp osition to b e outlined next Supp ose that G is a

s pseudorandom generator of stretch function that works in linear space and similarly for

G with resp ect to s and Then we consider the following construction of a generator G

k

On input s f g obtain G s and parse it into consecuetive blo cks each of length

m s k O denoted r r where t k m

t

Output the t mbit long sequence G r G r

t

Note that jGsj k mm which for s k k yields jGsj k k O k

We claim that G is a s pseudorandom generator for sk mins k s s k and

k k k s k The pro of uses a hybrid argument which fo cuses on the in

t

termediate distribution G U G U The key claim is that the intermediate distribution

m m

is s indistinguishable from GU and it is proven by converting a p otential distinguisher

k

t

into a distinguisher of U U and G U by invoking G on the corresp onding mbit long

m m

k

blo cks of the k bit long input For this reason it crucial that G can b e evaluate on mbit long

strings using space at most s k which is guaranteed by our setting of m s k O and the

hypothesis that G works in linear space

Derandomization of spacecomplexity classes

As a direct application of Theorem we obtain that BPL Dspacelog where BPL denotes

the logspace analogue of BPP Recall that NL Dspacelog but it is not known whether or

not BPL NL A stronger derandomization result can b e obtained by a ner analysis of the

pro of of Theorem

Theorem BPL SC where SC denotes the class of decision problems that can be solved by a

deterministic machine that runs in polynomialtime and polylogarithmicspace

Thus BPL RL is placed in a class not known to contain NL Another such result was sub

sequently obtained in Randomized logspace can b e simulated in deterministic space olog

sp ecically in space log We mention that the archetypical problem of RL has b een recently

proved to b e in L see

Overview of the pro of of Theorem Lo oking at the pro of of Theorem we note that

the question of whether or not a sp ecic hash function h H is go o d for a sp ecic D can b e

n

k

determined in space that is linear in n jhj and logarithmic in the size of D Indeed the time

k

complexity of this decision pro cedure is exp onential in its space complexity It follows that we can

nd a go o d h H for a given D within these complexities by scanning through all p ossible

n

k

h H Once a go o d h is found we can also construct the corresp onding graph D in which

n

k

p

k k k

Sp ecically using an extractor of the form Ext f g f g f g we map the seed

p p

r r r to the output sequence r Extr r Extr r

k k

Indeed the logspace analogue of RP denoted RL is contained in NL Dspacelog and thus the fact that

Theorem implies RL Dspacelog is of no interest

A detailed pro of app ears in

edges represent edge paths in D again within the same complexity Actually it will b e more

k

instructive to note that we can determine a step ie an edgetraversal in D by making two steps

k

edgetraversals in D

k

def

The key claim is that the entire pro cess of nding a sequence of t log k go o d hash

n

functions can b e p erformed in space t O n log jD j O n log jD j and time p oly jD j

k k k

that is the time complexity is subexp onential in the space complexity ie the time complexity is

signicantly smaller than than the generic b ound of expO n log jD j Starting with D

k

k

D Having hashing function h H which denes D D we nd a go o d for D

n

k k

k k

i

i

we nd a go o d hashing function found and stored h h H which determine D

n

k

i i

i

Indeed a key p oint is that by emulating pairs of edgetraversals on D h H for D

n

k k

i

but rather emulate an edgetraversal in D we do not construct the sequence of graphs D

k k

i

i i n

by making edgetraversals in D D using h h The edgetraversal move f g

k

k

i

i

translates to a sequence of moves starting at vertex v of D where starting at vertex v of D

k

k

the moves are determined by

i

h h h h h h h

See Figure Thus for n log jD j given D and a pair u v of source and sink in D

k k k

which reside in the rst and last layer resp ectively we can deterministically approximate the

probability that a random walk starting at u reaches v in O log jD j space and p oly jD jtime

k k

The approximation can b e made accurate up to a factor of p oly jD j We conclude the

k

pro of by recalling the connection b etween such an approximation and the derandomization of BPL

α

(3) 0 1 (possible) application of h

α α 0 1 (possible) application 1 1 (2) 0 0 of h α α α α 00 01 10 111 (possible) application 01 0 1 01 0 1 (1) of h α α α α α α α α

000 001 010 011 100 101 110 111

The output of the generator on seed consists of the concatanation of the

app earing in the leaves of the tree For every strings denoted

i i

ijxj

x f g it holds that and h In particular

x x x x

for i we have h which equals h h h

where

Figure Derandomization of BPL the generator for i

The computation of a logspace probabilistic machine M on input x can b e represented by a

directed layer graph G of size p oly jxj Sp ecically the probability that M accepts x equals

M x

the probability that a random walk starting at the single vertex of the rst layer of G reaches

M x

some vertex in the last layer that represents an accepting conguration Setting k log jxj

and n k the graph G coincides with the graph D referred to at the b eginning of the

M x

k

pro of of Theorem and D is obtained from D by an nlayer contraction see ibid Com

k

k

bining this with the foregoing analysis we conclude that the probability that M accepts x can b e

deterministically approximated in O log jxj space and p oly jxjtime The theorem follows

Sp ecial Purp ose Generators

In this section we consider even weaker types of pseudorandom generators pro ducing sequences that

can fo ol only very restricted types of distinguishers Still such generators have many applications

in complexity theory and in the design of algorithms These applications will only b e mentioned

briey

Our choice is to start with the simplest of these generators the pairwiseindep endent gener

ator and its generalization to twise indep endence for any t Such generators p erfectly fo ol

any distinguisher that only observe t lo cations in the output sequence This leads naturally to

almost pairwise or twise indep endence generators which also fo ol alb eit nonp erfectly such

distinguishers The latter generators are implied by a stronger class of generators which is of

indep endent interest the smallbias generators Smallbias generators fo ol any linear test ie any

distinguisher that merely considers the xor of some xed lo cations in the input sequence We

then turn to the Expander Random Walk Generator this generator pro duces a sequence of strings

that hit any dense subset of strings with probability that is close to the hitting probability of a

truly random sequence Related notions such as samplers disp ersers and extractors are treated

elsewhere eg see and resp ectively

Comment regarding our parameterization To maintain consistency with prior sections we

continue to present the generators in terms of the seed length denoted k Since this is not the

common presentation for most results presented in the sequel we provide in fo otnotes the common

presentation in which the seed length is determined as a function of other parameters

PairwiseIndependence Generators

Pairwise resp twise indep endence generators fo ol tests that insp ect only two resp t elements

in the output sequence of the generator Such loacl tests are indeed very restricted yet they arise

naturally in many settings For example such a test corresp onds to a probabilistic analysis of a

pro cedure that only relies on the pairwise indep endence of certain choices made by the pro cedure

We also mention that in some natural range of parameters pairwise indep endent sampling is as

go o d as sampling by totally indep endent sample p oints

A twise indep endence generator of blo cksize b N N and stretch function is an ecient

deterministic algorithm eg one that works in time p olynomial in the output length that expands

a k bit long random seed into a sequence of k bk strings each of length bk such that any

tbk

t blo cks are uniformly and indep endently distributed in f g In case t we call the

generator pairwise indep endent We note that this condition holds even if the insp ected t blo cks are

selected adaptively see Exercise

Constructions

bk bk

In the rst construction we refer to GF the nite eld of elements and asso ciate its

bk

elements with f g

Prop osition twise indep endence generator Let t be a xed integer and b N N such

bk

that bk k t k k bk t and k Let be distinct elements of

k

bk

this eld For s s s f g let

t

t t t

X X X

def

j j j

A

s s Gs s s s

j j t j

k

j j j

bk

where the arithmetic is that of GF Then G is a twise independence generator of blocksize

b and stretch

bk

That is given a seed that consists of t elements of GF the generator outputs a sequence of

k such elements To make the ab ove generator totally explicit we need an explicit representation

bk

of GF which requires an irreducible p olynomial of degree bk over GF For sp ecic values

def

e

of bk a go o d representation do es exist Sp ecically for d bk with e b eing an integer

d d

the p olynomial x x is irreducible over GF The pro of of Prop osition is left as an

exercise see Exercise

An alternative construction for the case of t is obtained by using random ane transfor

mations as p ossible seeds In fact b etter p erformance ie shorter seed length is obtained by

using ane transformations dened by Toeplitz matrices A Toeplitz matrix is a matrix with all

diagonals b eing homogeneous that is T t is a Toeplitz matrix if t t for all i j

ij ij ij

Note that a Toeplitz matrix is determined by its rst row and rst column ie the values of t s

j

and t s

i

m(k)

b(k) + =

Figure An ane transformation dened by a Toeplitz matrix

Prop osition Alternative pairwise indep endence generator see Figure Let b m

n

N N such that k k bk and mk dlog k e k bk Associate f g

b

The common parameterization of twise indep endence generator is as follows Given parameters b and

and a uniformly distributed seed of length t b one eciently and deterministically generates a random sequence of

strings each of length b that are twise indep endent

The common parameterization of this pairwise indep endence generator is as follows Given parameters b and

and a uniformly chosen seed of length b dlog e one eciently and deterministically generates a random

sequence of strings each of length b that are pairwise indep endent

with the ndimensional vector space over GF and let v v be distinct vectors in the mk

k

bk mk bk

dimensional vector space over GF For s f g and r f g let

def

Gs r T v r T v r T v r

s s s

k

where T is an bk bymk Toeplitz matrix specied by the string s Then G is a pairwise inde

s

pendence generator of blocksize b and stretch

That is given a seed that represents an ane transformation dened by an bk bymk Toeplitz

mk

matrix the generator outputs a sequence of k strings each of length bk Note that

mk k bk and that the stretching prop erty requires k k bk The pro of of

Prop osition is left as an exercise see Exercise

A stronger notion of ecient generator We note that the aforementioned constructions

satisfy a stronger notion of ecient generation which is useful in several applications Sp ecically

k

there exists a p olynomialtime algorithm that given a seed s f g and a blo ck lo cation

th th

i k in bianry outputs the i blo ck of the corresp onding output ie the i blo ck of

Gs

Applications

Pairwise indep endence generators do suce for a variety of applications cf In particu

lar we mention the application to sampling and the celebrated derandomization of the Maximal

Indep endent Set algorithm The latter uses the fact that the analysis of the target randomized

algorithm only relies on the hypothesis that some ob jects are selected in pairwise indep endent

manner Thus such weak generators do suce to fo ol distinguishers that are derived from some

natural and interesting algorithms

Referring to Eq we remark that for constant t the cost of derandomization ie

k

going over all p ossible seeds is exp onential in the blo cksize b ecause bk k which in

bk

turn also b ounds the number of blo cks b ecause k Note that if a larger number of

blo cks is needed we can articially increase the blo cklength in order to allow for it ie allow

bk

k expk t and in this case the cost of derandomization will b e p olynomial in

the number of blo cks Thus whenever the analysis of a randomized algorithm can be based on

a constant amount of independence b etween feasiblymany random choices each made inside

a feasible domain a feasible derandomization is possible On the other hand the relationship

k expk t is the b est p ossible that is one cannot pro duce from a seed of length k an

expk O long sequence of nonconstantly indep endent random bits In other words twise

indep endent generators of any blo cklength and stretch require a seed of length t log In

the next subsection we will see that meaningful approximations may b e obtained with much shorter

seeds

SmallBias Generators

Trying to go b eyond constantindependence in derandomizations while using seeds of length that

is logarithmic in the length of the pseudorandom sequence was the original motivation and remain

We stress that it is imp ortant to have the cost of derandomization b e p olynomial in the length of the pro duced

pseudorandom sequence b ecause the latter is typically p olynomiallyrelated to the length of the input to the algorithm

we wish to derandomize

an imp ortant application of the notion of smallbias generators Still smallbias generators are

interesting for their own sake and in particular they fo ol global tests that lo ok at the entire

output sequence and not merely at a xed number of p ositions in it as the limited indep endence

generators Sp ecically smallbias generators generate a sequence of bits that fo ols any linear test

ie a test that computes a xed linear combination of the bits

For N an bias generator with stretch function is an ecient deterministic algorithm

eg working in p oly k time that expands a k bit long random seed into a sequence of k

bits such that for any xed nonempty set S f k g the bias of the output sequence over

S is at most k The bias of a sequence of n p ossibly dep endent Bo olean random variables

f g over a set S f ng is dened as

n

jPr Pr j Pr

iS i iS i iS i

The factor of was introduced so to make these biases corresp ond to the Fourier co ecients of

n

the distribution viewed as a function from f g to the reals To see the corresp ondence replace

f g by fg and substitute xor by multiplication The bias with resp ect to set S is thus written

as

Y Y Y

E Pr Pr

i i i

iS iS iS

which is merely the absolute value of the Fourier co ecient corresp onding to S

Constructions

Ecient smallbias generators with exp onential stretch and exp onentially vanishing bias are know

Theorem smallbias generators For some universal constant c let N N and

N such that k k expk c Then there exists an bias generator with stretch

function operating in time polynomial in the length of its output

Three simple constructions of smallbias generators that satisfy Theorem are known see

One of these constructions is based on Linear Feedback Shift Registers Lo osely sp eaking the rst

half of the seed denoted f f f is interpreted as a nondegenerate feedback rule the

k

other half denoted s s s is interpreted as the start sequence and the output sequence

k

P

k

denoted r r r is obtained by setting r s for i k and r f r

i i i j

k ik j

j

for i k See Figure and Exercise

As in Section we note that the aforementioned constructions satisfy a stronger notion of

ecient generation which is useful in several applications Sp ecically there exists a p olynomial

th

time algorithm that given a seed and a bit lo cation i k in bianry outputs the i bit of the

corresp onding output

Here the common parameterization diers from ours merely in the p oint of view Rather than saying that the

functions and should satisfy k k expk c one says that given the desired parameters and the seed

length k is set to O log We also comment that using the constant in the Onotation is merely ie

k log whereas using k log log

P

def

k

k j

That is f and f z z f z is an irreducible p olynomial over GF

j

j r0 r1 ri-t-1 ri-t ri-t+1 ri-1 r i

f0 f1 f t-1

Σ

Figure The LFSR smallbias generator for t k

Applications

An archetypical application of smallbias generators is for generating random checks for fast string

equality The key obserevation is that checking whether or not x y is probabilistically reducible

to checking whether the inner pro duct mo dulo of x and r equals the inner pro duct mo dulo

of y and r where r is generated by a smallbias generator One advantage of this reduction is

that only few bits ie the seed of the generator and the result of the inner pro duct needs to b e

communicated b etween x and y see Exercise A related advantage ie low randomness

complexity underlies the application of smallbias generators in the construction of PCPs

Smallbias generators have b een used in a variety of areas eg inapproximation structural

complexity and applied cryptography see references in Sec In addition they seem an

imp ortant to ol in the design of various types of pseudorandom ob jects see next

Approximate indep endence generators As hinted at the b eginning of this section small

bias is related to approximate limited indep endence Actually even a restricted type of bias

in which only subsets of size tk are required to have bias upp erb ounded by implies that any

tk

tk bits in the said sequence are k close to U where here we refer to the variation

tk

distance ie Norm distance b etween the two distributions The maxnorm of the dierence

is b ounded by k Combining Theorem and the foregoing upp erb ound and relying on

the linearity of the construction in Prop osition we obtain generators with expk stretch that

are approximately tk indep endent for some nonconstant tk see Exercise Sp ecically for

k O

tk k O and k k O tk log k log log k equiv for k

k O

one may obtain generators with stretch function pro ducing bit sequences in which any

tk p ositions are at most k away from uniform in variation distance In the corresp onding

result for the maxnorm distance it suces to have k O log tk k log log k Thus

whenever the analysis of a randomized algorithm can b e based on a logarithmic amount of almost

indep endence b etween feasiblymany binary random choices a feasible derandomization is p ossible

by using an adequate generator of logarithmic seed length

Extensions to nonbinary choices were considered in various works see references in Sec

Some of these works also consider the related problem of constructing small discrepancy

We warn that unlike in the case of p erfect indep endence here we refer only to the distribution on xed bit

lo cations See Exercise for further discussion

Both b ounds are derived from the Norm b ound on the dierence vector ie the dierence b etween the two

probability vectors For details see Exercise

sets for geometric and combinatorial rectangles

tuniversal set generators Using the aforementioned upp erb ound on the maxnorm for

t

any bias generator yields a tuniversal set generator The latter generator outputs sequences

t

such that in every subsequence of length t all p ossible patterns o ccur ie each for at least one

p ossible seed Such generators have many applications

Random Walks on Expanders

In this section we review generators that pro duce a sequence of values by taking a random walk

on a large graph called an expander having small degree but go o d mixing prop erties Thus

b

pro ducing a sequence of length over values requires a random seed of length b log d

b

where d is the degree of the said graph of vertices This should b e compared against the

b

randomness needed for generating a sequence of indep endent samples from f g or taking a

b

random walk on a clique of size It will turn out that the pseudorandom sequence generated by

the said random walk on an expander behaves analogously to a truly random sequence with respect

b

to hitting any xed subset of f g Let us start by dening this prop erty or rather dene the

hitting problem

b

Denition the hitting problem A distribution on sequences over f g is hitting if

b b

for any target set T f g of cardinality at least with probability at least at least

one of the elements of a sequence drawn from this distribution hits T

b

Clearly a truly random sequence of length over f g is hitting for The

aforementioned expander random walk generator to b e describ ed next achieves similar b ehavior

Sp ecically for arbitrary small c which dep ends on the degree and the mixing prop erty of

the expander the generators output is hitting for c To describ e this

generator we need to discuss expanders

Expanders By expander graphs or expanders of degree d and eigenvalue b ound d we

actually mean an innite family of dregular graphs fG g S N such that G is a d

N N S N

regular graph over N vertices and the absolute value of all eigenvalues save the biggest one of the

adjacency matrix of G is upp erb ounded by We will refer to such a family as to a d expander

N

for S This technical denition is related to the aforementioned notion of mixing which refers

to the rate at which a random walk starting at a xed vertex reaches uniform distribution over the

graphs vertices

We are interested in explicit constructions of such graphs by which we mean that there exists a

p olynomialtime algorithm that on input N in binary a vertex v G and an index i f dg

N

th

returns the i neighbor of v We also require that the set S for which G s exist is suciently

N

tractable say that given any n N one may eciently nd an s S such that n s n

Several explicit constructions of expanders are known Below we rely on the fact that for every

there exist d and d such that there exists an explicit construction of a d expander

b

over f b N g The relevant to us fact ab out expanders is stated next

Theorem Expander Random Walk Theorem Let G V E be an expander graph of degree

def

d and eigenvalue bound Let W be a subset of V and jW jjV j and consider walks on G

This can b e obtained with d p oly In fact d O which is optimal can b e obtained to o alb eit with

graphs of sizes that are only approximately close to p owers of two

that start from a uniformly chosen vertex and take additional random steps where in each

such step one uniformly selects one out of the d edges incident at the current vertex and traverses

it Then the probability that such a random walk stays in W is at most

d

Thus a random walk on an expander is pseudorandom with resp ect to the hitting prop erty ie

when we consider hitting the set V n W that is a set of density is hit with probability

where d d A pro of of an upp er

b ound that is weaker than Eq is outlined in Exercise Using Theorem and an explicit

t t

expander we get

Prop osition The Expander Random Walk Generator

t t n

For every constant consider an explicit construction of expanders for f n

n n t t

N g where t N is a suciently latge constant For v f g and i f g

n

denote by v the vertex of the corresponding vertex graph that is reached from vertex v

i

th

when fol lowing its i edge

bk

For b N N such that k bk k t k bk and for v f g and

t

i i let

k

def

Gv i i v v v

k k

v where v

j j i

j

Then G has stretch k k bk and GU is hitting for any and

k

k

The stretch of G is optimized at bk k and k k t but optimizing the stretch is

not necessaily the goal in all applications Expander randomwalk generators have b een used in

a variety of areas eg PCP and inapproximability see Sec cryptography see

Sec and the design of various types of pseudorandom ob jects

Notes

Figure depicts some of the notions of pseudorandom generators discussed in this text We high

light a key distinction b etween the case of generalpurp ose pseudorandom generators treated in

Section and the other cases cf Sections and in the former case the distinguisher is more

complex than the generator whereas in the latter cases the generator is more complex than the dis

tinguisher Sp ecically in the generalpurp ose case the generator runs in some xed p olynomial

time and needs to withstand any probabilistic p olynomialtime distinguisher In fact some of the

pro ofs presented in Section utilize the fact that the distinguisher can invoke the generator on

seeds of its choice In contrast the NisanWigderson Generator analyzed in Theorem of Sec

tion runs more time than the distinguishers that it tries to foil and the pro of relies on this fact

in an essential manner Similarly the space complexity of the spaceresilient generators presented

in Section is higher than the spaceb ound on the distinguishers that they foil

The common parameterization starts with parameters b and Given a uniformly chosen seed of length b

O one can eciently and deterministically generate a random sequence of strings each of length b which

0

is hitting for any and

By the OW we denote the assumption that oneway functions exists By EvEC we denote the assumption that

the class E has almosteverywhere exp onential circuit complexity

distinguishers generators stretch comments

type resources resources ie k

genpurp ose pk time p oly p p oly k time p oly k Assumes OW

k O O k k O

derand BPP time time Assumes EvEC

k O sk

spaceb ounded sk space O k space runs in time

robustness k O space O k space p oly k p oly k k

k O t

twise indep en twise p oly k k time eg pairwise

k O

small bias bias p oly k k time k

expander hitting p oly k k time k bk

0

k O bk

rand walk hitting for f g with k k bk O

Figure Pseudorandom generators at a glance

The general paradigm of pseudorandom generators Our presentation which views vastly

dierent notions of pseudorandom generators as incarnations of a general paradigm has emerged

mostly in retrosp ect We note that while the historical technical development of the various

notions was mostly unrelated the case of generalpurp ose pseudorandom generators served as a

source of inspiration to most of the other cases In particular the concept of computational in

distinguishability the connection b etween hardness and pseudorandomness and the equivalence

b etween pseudorandomness and unpredictability app eared rst in the context of generalpurp ose

pseudorandom generators and inspired the development of generators for derandomization and

generators for space b ounded machines Indeed the development of the sp ecialpurp ose gener

ators see Section was unrelated to all of these

Generalpurp ose pseudorandom generators The concept of computational indistinguisha

bility which underlies the entire computational approach to randomness was suggested by Gold

wasser and Micali in the context of dening secure encryption schemes Indeed computational

indistinguishability plays a key role in cryptography see The general formulation of com

putational indistinguishability is due to Yao Yao also observed using the hybrid technique

of that dening pseudorandom generators as pro ducing sequences that are computationally

indistinguishable from the corresp onding uniform distribution is equivalent to dening such gener

ators as pro ducing unpredictable sequences The latter denition originates in the earlier work of

Blum and Micali

Blum and Micali pioneered the rigorous study of pseudorandom generators and in particular

their construction based on some simple intractability assumption in their case the intractability

of Discrete Logarithm problem over prime elds Their work also introduces basic paradigms that

were used in all subsequent improvements cf eg We refer to the trasformation of

computational diculty into pseudorandomness the use of hardcore predicates dened in

and the iteration paradigm cf Eq

Theorem by which pseudorandom generators exist if and only if oneway functions exist

is due to Hastad Impagliazzo Levin and Luby building up on the hardcore predicate of

Unfortunately the current pro of of Theorem is very complicated and unt for presentation

in a b o ok of the current nature Presenting a simpler and tighter cf x pro of is indeed an

imp ortant research pro ject

Derandomization of timecomplexity classes As observed by Yao a nonuniformly

strong notion of pseudorandom generators yields improved derandomization of timecomplexity

classes A key observation of Nisan is that whenever a pseudorandom generator is used this

way it suces to require that the generator runs in time exp onential in its seed length and so the

generator may have runningtime greater than the distinguisher representing the algorithm to b e

derandomized This observation underlines the construction of Nisan and Wigderson and

is the basis for further improvements culminating in Part of Theorem ie the socalled

high end derandomization of BPP is due to Impagliazzo and Wigderson whereas Part

the low end is from

The NisanWigderson Generator was subsequently used in several ways transcending its

original presentation We mention its application towards fo oling nondeterministic machines and

thus derandomizing constantround interactive pro of systems and to the construction of random

ness extractors

Space Pseudorandom Generators As stated in the rst pap er on the sub ject of spaceresilient

pseudorandom generators this research direction was inspired by the derandomization result

obtained via use of generalpurp ose pseudorandom generators The latter result necessarily de

p ends on intractability assumptions and so the ob jective was to nd classes of algorithms for

which derandomization is p ossible without relying on intractability assumptions This ob jective

was achieved b efore for the case of constantdepth circuits Fundamentally dierent constructions

of space pseudorandom generators were given in several works but are sup erseeded by the two

incomparable results mentioned in Section Theorem aka Nisans Generator and

Theorem aka the NisanZuckerman Generator These two results have b een interpo

lated in Theorem BPL SC was proved by Nisan

Sp ecial Purp ose Generators The various generators presented in Section were not inspired

by any of the other types of pseudorandom generator nor even by the generic notion of pseudo

randomness Pairwiseindependence generator were explicitly suggested in and are implicit

in The generalization to twise indep endence for t is due to Smallbias gener

ators were rst dened and constructed by Naor and Naor and three simple constructions

were subsequently given in The Expander Random Walk Generator was suggested by Ajtai

Komlos and Szemeredi who discovered that random walks on expander graphs provide a go o d

approximation to rep eated indep endent attempts for hitting any arbitrary xed subset of sucient

density within the vertex set The analysis of the hitting prop erty of such walks was subsequently

improved culminating in the b ound cited in Theorem which is taken from Cor

The foregoing historical notes do not mention several technical contributions that played an imp or

tant role in the development of the area For further details the reader is referred to Chap

In fact the current text is a revision of Chap providing more details for the main topics

and omitting Sec and

Exercises

Exercise Prove that placing no computational requirements on the generator yields genera

tors that can fo ol any family of sub exp onentialsize circuits That is prove that there exist func

tions G f g f g such that fGU g is strongly pseudorandom while jGsj jsj

k

k N

for every s f g Furthermore show that G can b e computed in doubleexp onential time

This pap er is more frequently cited for the Expander Random Walk technique which it has introduced

n

Guideline Use the Probabilistic Metho d cf First for any xed circuit C f g f g upp er

n n

b ound the probabity that for a random set S f g of size the absolute value of Pr C U

n

n

jfx S C x gjjS j is larger than Next using a union b ound prove the existence of a

n n n

set S f g of size such that no circuit of size can distinguish a uniformly distributed element

n

of S from a uniformly distributed element of f g where distinguishing means with a probability gap of

n

at least

Exercise Let A b e a probabilistic p olynomialtime algorithm solving the search asso ciated with

the NPrelation R and let A b e as in Construction Prove that it is infeasible to nd an x on

G

which A outputs a wrong solution that is assuming for simplicity that A has error probability

G

n n

prove that on input it is infeasible to nd an x f g L such that Pr x A x R

R G

def

where L fx y x y R g

R

Hint For x that violates the claim it holds that jPr x Ax R Pr x A x R j

G

Exercise Prove that omitting the absolute value in Eq keeps Denition intact

def

Hint consider D z D z

Exercise Show that the existence of pseudorandom generators implies the existence of p olynomial

time constructible probability ensembles that are statistically far apart and yet are computationally

indistinguishable

Hint lowerbound the statistical distance b etween GU and U where G is a pseudorandom generator with

k

k

stretch

Exercise Prove that the sucient condition in Exercise is in fact necessary Recall that

fX g and fY g are said to b e statistically far apart if for some p ositive p olynomial p and

n n

nN nN

all suciently large n the variation distance b etween X and Y is greater than pn Using

n n

the following three steps prove that the existence of polynomialtime constructible probability

ensembles that are statistically far apart and yet are computationally indistinguishable implies the

existence of pseudorandom generators

Show that without loss of generality we may assume that the variation distance b etween X

n

and Y is greater than expn

n

i i tn tn

s are s resp Y and where the X X Y X X Y Y Hint Consider

n n

n n n n n n

indep endent copies of X resp Y and tn O n pn

n n

Using fX g and fY g as in Step prove the existence of a false entropy generator

n n

nN nN

where a false entropy generator is a deterministic p olynomialtime algorithm G such that GU

k

has entropy ek but fGU g is computationally indistinguishable from a p olynomialtime

k

k N

constructible ensemble that has entropy greater than e

Hint Let S and S b e sampling algorithms such that X S U and Y S U Consider

n n

p olyn p olyn

the generator G r S r and the distribution Z that equals U X with probability and

n n

U Y otherwise Note that in GU U the rst bit is almost determined by the rest whereas in Z

n n

p olyn

the rst bit is statistically indep endent of the rest

p

k and using the Using a false entropy generator obtain one in which the excess entropy is

latter construct a pseudorandom generator

Hint Use the ideas presented at the end of Section ie the discussion of the interesting direction of the

pro of of Theorem

This exercise follows which in turn builds on

Exercise Prove that if fX g and fY g are computationally indistinguishable and A is

n n

nN nN

a probabilistic polynomialtime algorithm then fAX g and fAY g are computationally

n n

nN nN

indistinguishable

def

Hint If D distinguishes the latter ensembles then D such that D z D Az distinguishes the former

Exercise In continuation to Exercise show that the conclusion may not hold in case A is

not computationally b ounded That is show that there exists computationally indistinguishable

ensembles fX g and fY g and an exp onentialtime algorithm A such that fAX g

n n n

nN nN nN

and fAY g are not computationally indistinguishable

n

nN

Hint For any pair of ensembles fX g and fY g consider the Bo olean function f such that f z if and

n n

nN nN

only if Pr X z Pr Y z Show that jPr f X Pr f Y j equals the statistical dierence b etween

n n n n

X and Y Consider an adequate approximate implementation of f eg approximate Pr X z and Pr Y z

n n n n

jz j

up to and use Exercise

def

jsj

i

x denotes s where G Exercise For G and as in Construction consider Gs G

i

i

x x Prove that G is a pseu x G G x and G G iterated i times on x ie G

dorandom generator of stretch Reect on the advantages of Construction over the current

construction

i

th i i

Hint Use a hybrid argument with the i hybrid b eing G U Note that G U G G U

k i k i k i

i i

and G U G U and use Exercise

k i jG U j

1

(k )i1

Exercise pseudorandom versus unpredictability Prove that a probability ensemble fZ g

k

k N

is pseudorandom if and only if it is unpredictable For simplicity we say that fZ g is nextbit

k

k N

unpredictable if for every probabilistic p olynomialtime algorithm A it holds that Pr AF Z

i i

k

B Z is negligible where i f jZ j g is uniformly distributed and F z resp B z

i i i

k k

st

denotes the ibit prex resp i bit of z

Guideline Show that pseudorandomness implies p olynomialtime unpredictability that is p olynomial

time predictability violates pseudorandomness b ecause the uniform ensemble is unpredictable regardless

of computing p ower Use a hybrid argument to prove that unpredictability implies pseudorandomness

th

Sp ecically the i hybrid consists of the ibit long prex of Z followed by jZ j i uniformly distributed

k k

bits Thus distinguishing the extreme hybrids which corresp ond to Z and U implies distinguishing

k

jZ j

k

some neighboring hybrids which in turn implies nextbit predictability For the last step use an argument

as in the pro of of Prop osition

Exercise Prove that a probability ensemble is unpredictable from left to right if and only if

it is unpredictable from right to left or in any other canonical order

Hint use Exercise and note that an ensemble is pseudorandom if and only if its reverse is pseudorandom

Exercise Let f b e and length preserving and b b e a hardcore predicate of f For any

def

p olynomial prove that fG U g is unpredictable in the sense of Exercise where G s

k

jsj

bf s bf s bs

Guideline Supp ose towards the contradiction that for a uniformly distributed j f k g

st

given the j bit long prex of G U an algorithm A can predict the j bit of G U That is

k k

k k j k j

given bf s bf s algorithm A predicts bf s where s is uniformly distributed

k

in f g Consider an algorithm A that given y f x approximates bx by invoking A on input

j

bf y by where j is uniformly selected in f k g Analyze the success probability of A

n j

using the fact that f induces a p ermutation over f g and thus bf U bf U bU is distributed

k k k

k k j k j

identically to bf U bf U bf U

k k k

Exercise Prove that if G is a strong pseudorandom generator in the sense of Denition then

it a pseudorandom generator in the sense of Denition

Hint consider a sequence of internal coin tosses that maximizes the probability in Eq

k

Exercise Show that there exists a circuit of size O k that violates Eq provided

k k

Hint The circuit may incorp orate all values in the range of G and deciding by comparing its input to these values

Exercise constructing a set system for Theorem For every show a construc

k

tion of a set system S as in Condition of Theorem with mk k and k

mk

Guideline We assume without loss of generality that and set mk k and k

We construct the set system S S in iterations selecting S as the rst mk subset of k that has

i

k

suciently small intersections with each of the previous sets S S The existence of such a set S can

i i

b e proved using the Probabilistic Metho d cf Sp ecically for a xed mk subset S the probability

mk

that a random mk subset has intersection greater than mk with S is upp erb ounded by

b ecause the exp ected intersection size is mk Thus with p ositive probability a random mk subset

mk

has intersection at most mk with each of the previous i k subsets Note that we

k

k k k

construct S in time i mk k k and thus S is computable in time k k

i

mk

m

Exercise Supp ose that the sets S s in Construction are disjoint and that f f g

i

f g is T inapproximable Prove that for every circuit C of size T O it holds that jPr C GU

k

Pr C U j T

st

Guideline Prove the contrapositive using Exercise Note that the values of the i bit of GU is

k

statistically indep endent of the values of the rst i bits of GU and thus predicting it yields an approximator

k

for f Indeed such an approximator can b e obtained by xing the the rst i bits of GU via an averaging

k

argument

Exercise In continuation to Exercise show that if there exists a circuit of size s that

distinguishes Z from U with gap then there exists an i jZ j and a circuit of size s O

n n

st

that given an ibit long prex of Z guesses the i bit with success probability at least

n

th

Hint dening hybrids as in Exercise note that for some i the given circuit distinguishes the i hybrid from

st

the i hybrid with gap at least

m k

e

Exercise Theorem generalized Let m m T N N satisfy k O k

T mk Supp ose that the following two conditions hold

There exists an exp onentialtime computable function f f g f g that is T inapproximable

There exists an exp onentialtime computable function S N N N such that jS k ij mk

for every k and i k and jS k i S k j j m k for every k and i j

Prove that using G as dened in Construction with S S k i yields a canonical derandomizer

i

with stretch

Hint following the pro of of Theorem just note that the circuit constructed for approximating f U has size

mk

0

m k

e

k k O and success probability at least k

Applying the standard Cherno Bound yields an upp erb ound of exp mk which suces for k

2

mk

However using a Multiplicative Cherno Bound yields an upp erb ound of exp mk

Exercise Part of Theorem Prove that if for every p olynomial T there exists a T

def

n

inapproximable predicate in E then BPP Dtimet where t n

p

k and m k O log k Revisit Hint For any ptime algorithm apply Exercise using k pk mk

Exercise in order to obtain a set system as required in Exercise for these parameters and use an adequate

worstcase to averagecase reduction

Exercise Provide an explicit description of the generator outlined in the pro of of Theorem

n t t

Hint for r f g and h h H the generaor outputs a long sequence of nbit strings such that the

n

th j

i blo ck equals h r where h is a comp osition of some of the h s

Exercise adaptive twise indep endence tests Prove that the output of a twise indep en

dence generator is indistinguishable to any test than examines t of the blo cks even if the examined

th

blo cks are selected adaptively ie the lo cation of the i blo ck is determined based on the contents

of the previously insp ected blo cks

Guideline First show that without loss of generality it suces to consider deterministic adaptive tester

Next show that the probability that such a tester sees any xed sequence of t values at lo cations selected

tbk

adaptively in the generators output is where bk is the blo ck length

Exercise twise indep endence generator Prove that G as dened in Prop osition pro

bk

duces a twise indep endent sequence over GF

ie the Guideline For every t xed indices i i k consider the distribution of GU

t k i i

1 t

pro jection of GU on lo cations i i Show that for every sequence of t p ossible values v v

k t t

bk k

v v GF there exists a unique seed s f g such that Gs

t i i

1 t

Exercise pairwise indep endence generators As a warmup consider a construction anal

ogous to the one in Prop osition where the seed sp ecies an ane bk bymk transformation

bk mk bk

That is for s f g and r f g where k bk mk bk let

def

Gs r A v r A v r A v r

s s s

k

where A is an bk bymk matrix sp ecied by the string s Show that G as in Eq is a

s

pairwise indep endence generator of blo cksize b and stretch Next show that G as in Eq is

a pairwise indep endence generator of blo cksize b and stretch

Guideline The following description applies to b oth constructions First note that for every xed i k

th bk

the i element in the sequence GU is uniformly distributed in f g Actually show that for every

k

k bk bk

xed s f g it holds that Gs U is uniformly distributed in f g Next note that it

i

bk

th th

suces to show that for every j i conditioned on the value of the i element in GU the j element

k

bk

is uniformly distributed in f g The key technical detail is to show that for any nonzero vector

bk mk

v is uniformly distributed in f g This is easy in v resp T v f g it holds that A

U U

k b(k ) k b(k )

case of a random bk bymk matrix and can b e proven also for a random Toeplitz matrix

Exercise adaptive twise indep endence tests revisited In contrast to Exercise we

note that almost uniform distribution on any xed t bit lo cations do es not imply that an adaptive

test that insp ects t lo cations cannot detect nonuniformity ie a non random b ehavior of the

t

insp ected sequence Sp ecically present a distribution over bit long strings in which each

t

t xed bit p ositions are t close to uniform but some test that adaptively insp ects t

p ositions can distinguish this distribution from the uniform one with constant gap

t

Hint Mo dify the uniform distribution over t bit long strings such that the rst t lo cations indicate

a bit p osition among the rest that is set to zero

Exercise Supp ose that G is an bias generator with stretch Show that equality b etween the

k bit strings x and y can b e probabilistically checked by comparing the inner pro duct mo dulo

k

of x and Gs to the inner pro duct mo dulo of y and Gs where s f g is selected uniformly

k

Hint reduce the problem to the sp ecial case in which y

Exercise bias versus statistical dierence from uniform Let X b e a random variable

t

assuming values in f g Prove that if X has bias at most over any nonempty set then the

t t

statistical dierence b etween X and U is at most and that for every x f g it holds

t

t

that Pr X x

def

t

Guideline Consider the probability function p f g dened by px Pr X x and let

def

t

x px denote the deviation of p from the uniform probability function Viewing the set of real

t t

functions over f g as a dimensional vector space we consider two orthonormal bases for this space The

t

rst basis is of the Kroniker functions fk g such that k x if x and k x otherwise

fg

Q

def

x t

i

The second basis is of the normalize Fourier functions ff g dened by f x

S S

S t

iS

P

t t

px f xj which in where f Note that the bias of X over any S equals j

S

x

P P

t

xf xj xf xj Thus for every S including the empty set we have j turn equals j

S S

x x

t

which means that the representation of in the normalize Fourier basis is by co ecients that have

t

each an absolute value of at most Thus the Norm of this vector of co ecients is b ounded by

p

t t

and all claims follow by noting that they refer to norms of according to the Kroniker

basis In particular Norm is preserved under orthonormal bases the maxnorm is upp erb ounded by

p

t

Norm and Norm is upp erb ounded by times the value of the Norm

Exercise The LFSR smallbias generator following Using the following guidelines

and letting t k analyze the construction outlined following Theorem and depicted in

Figure

P

i i

t

j

Prove that r c s where c is the co ecient of z in the degree t p olynomial

i j

j j j

P

i

t

i i j

obtained by reducing z mo dulo the p olynomial f z ie z c z mo d f z

j j

P P

t t

t j i itj

Hint Recall that z f z mo d f z and thus z f z mo d f z Note the

j j

j j

P

t

corresp ondance to r f r

i j itj

j

For any nonempty S f k g evaluate the bias of the sequence r r over

k

t

S where f is a random irreducible p olynomial of degree t and s s s f g is

t

uniformly distributed Sp ecically

P

t

r has nonzero bias if and only a For a xed f and random s f g prove that

i

iS

P

i

z if f z divides

iS

P P P

t

i

r c s and use Item Hint Note that

i j

j

iS j iS

b Prove that the probability that a random irreducible p olynomial of degree t divides

P

i t

z is k

iS

Hint A p olynomial of degree n can b e divided by at most nd dierent irreducible p olynomials of

d

degree d On the other hand the number of irreducible p olynomials of degree d over GF is d

t

Conclude that for random f and s the sequence r r has bias O k

k

P P

f xf x k xk x for every and Verify that b oth bases are indeed orthogonal ie

S T

x x

P P

f x k x and for every S T and normal ie

S

x x

Note that an implementation of the LFSR generator requires a mapping of random k bit long

seeds to almost random irreducible p olynomials of degree k Such a mapping can b e constructed

in expk time which is p oly k if k expk A more ecient mapping that uses a

O k bit long seek is describ ed in Sec

Exercise limitations on smallbias generators Let G b e an bias generator with stretch

k k

and view G as a mapping from GF to GF As such each bit in the output of G can

b e viewed as a p olynomial in the k input variables each ranging in GF Prove that if k

P

k

d

and each of these p olynomials has degree at most d then k

i

i

Guideline First note that without loss of generality all p olynomials have a free term equal to zero Then

consider the vector space spanned by all dmonomials over k variables ie monomial having at most d

variables Since k the p olynomials representing the output bits of G must corresp ond to a sequence

of indep endent vectors in this space Derive the following corollaries

k

If k then k

If k and k k then G cannot b e a linear transformation

P

k

Note that Gs s bs where bs s s s mo d is an biased generator

i

k

k i

i

with k expk

Hint Focusing on bias over sets that include the last output bit prove that without loss of generality it suces to

analyze the bias of bU

k

Exercise a sanity check for pseudorandomness The following fact is suggested as a san

ity check for candidate pseudorandom generators with resp ect to spaceb ounded machines The

fact to b e proven as an exercise is that for every and s such that sk for every k if

G is s pseudorandom as p er Denition then G is an bias generator

Exercise approximate twise indep endent generators following Combining The

orem and relying on the linearity of the twise indep endent generator of Eq construct a

generator pro ducing bit long sequences in which any t p ositions are at most away from uniform

in variation distance while using a seed of length O t log log log For maxnorm a

seed of length O log t log log suces

Guideline First note that for any t and b the transformation of Eq can b e implemented by a xed

b It follows linear over GF transformation of a t bbit seed into an bit bit sequence where

that there exists a xed GFlinear transformation T of a random seed of length t b where b log

into a twise indep endent bit sequence of the length ie T U is twise indep endent over f g Thus

tb

every t rows of T are linearly indep endent The key observation is that when we replace the aforementioned

random seed by an biased sequence every i t p ositions in the output sequence have bias at most

b ecause they dene a nonzero linear test on the bits of the biased sequence Note that the length of

the new seed used to pro duce biased sequence of length t b is O log tb Applying Exercise we

t

conclude that any t p ositions are at most away from uniform in variation distance Recall that this

t

was obtained using a seed of length O log t log log and the claim follows by using

Exercise A version of the Expander Random Walk Theorem Using notations as in

Theorem prove that the probability that a random walk of length stays in W is at most

d In fact prove a more general claim that refers to the probability that a random

walk of length intersects W W W The claimed upp erb ound is

q

Y

p

d

i

i

def

where jW jjV j

i i

Guideline View the random walk as the evolution of a corresp onding probability vector under suitable

transformations The transformations corresp ond to taking a random step in the graph and to passing

through a sieve that keeps only the entries that corresp ond to the current set W The key observation is

i

that the rst trasformation shrinks the comp onent that is orthogonal to the uniform distribution which is

the rst eigenvalue of the adjacency matrix of the expander whereas the second trasformation shrinks the

comp onent that is in the direction of the uniform distribution Details follow

View the random walk as the evolution of a corresp onding probability vector under suitable transforma

tions Let A b e a matrix representing the random walk on G ie A is the adjacency matrix of G divided

def

denote the absolute value of the second largest eigenvalue of A ie d and by the degree d Let

note that u jV j jV j which represents the uniform distribution is the eigenvector of A that is

asso ciated with the largest eigenvalue which is Let P b e a matrix that has entries only on its diag

i

onal and furthermore entry j j is set to if and only if j W Then the probability that a random walk

i

def

of length intersects W W W is the sum of the entries of the vector v P A P AP AP u

p

jV j kv k where kz k and kz k denote the L We are interested in upp erb ounding kv k and use kv k

norm and L norm of z resp ectively eg kuk and kuk jV j The key observation is that

kz k which is proven by decomp osing z z z such for every z it holds that kP Az k

i i

that z is the pro jection of z on u the rst eigenvector of A and z is the comp onent orthogonal to

p

u Facts to b e used in the pro of of the forgoing observation include kP Az k kP z k kz k and

i i i

kz k ie P shrinks any uniform vector by eliminating of its elements whereas kP Az k kAz k

i i i

A shrinks the length of any eigenvector except u by a factor of at least

Exercise Using notations as in Theorem prove that the probability that a random walk

of length visits W more than times is smaller than d For example for

p

we get an upp erb ound of and d We comment that much b etter b ounds

can b e obtained cf

Hint Use a union b ound on all p ossible sequences of m visits and upp erb ound the probability of visiting W

in steps j j by applying Eq with W W if i fj j g and W V otherwise

m i m

References

M Ajtai J Komlos E Szemeredi Deterministic Simulation in LogSpace In th ACM

Symposium on the Theory of Computing pages

N Alon L Babai and A Itai A fast and Simple Randomized Algorithm for the Maximal

Indep endent Set Problem J of Algorithms Vol pages

Also use the triangle inequality for kP Az P Az k kP Az k kP Az k the CauchySchwartz inequality

i i i i

q

p p

p

for kz k kz k kz k kz k and kz k kz k kz z k kz k

i i

N Alon O Goldreich J Hastad R Peralta Simple Constructions of Almost k wise Inde

p endent Random Variables Journal of Random structures and Algorithms Vol No

pages

N Alon and JH Sp encer The Probabilistic Method John Wiley Sons Inc

R Armoni On the derandomization of spaceb ounded computations In the pro ceedings of

Random SpringerVerlag Lecture Notes in Computer Science Vol pages

H Attiya and J Welch Distributed Computing Fundamentals Simulations and Advanced

Topics McGrawHill

M Bellare O Goldreich and M Sudan Free Bits PCPs and NonApproximability Towards

Tight Results SIAM Journal on Computing Vol No pages Extended

abstract in th FOCS

M Blum and S Micali How to Generate Cryptographically Strong Sequences of Pseudo

Random Bits SIAM Journal on Computing Vol pages Preliminary

version in rd FOCS

L Carter and M Wegman Universal Hash Functions Journal of Computer and System

Science Vol pages

GJ Chaitin On the Length of Programs for Computing Finite Binary Sequences Journal

of the ACM Vol pages

B Chor and O Goldreich On the Power of TwoPoint Based Sampling Jour of Complexity

Vol pages Preliminary version dates

TM Cover and GA Thomas Elements of Information Theory John Wiley Sons Inc

NewYork

D Gillman A cherno b ound for random walks on expander graphs In th IEEE Symposium

on Foundations of Computer Science pages

O Goldreich A Note on Computational Indistinguishability Information Processing Letters

Vol pages May

O Goldreich Modern Cryptography Probabilistic Proofs and Pseudorandomness Algorithms

and Combinatorics series Vol Springer

O Goldreich Foundation of Cryptography Basic Tools Cambridge University Press

O Goldreich Foundation of Cryptography Basic Applications Cambridge University Press

O Goldreich S Goldwasser and S Micali How to Construct Random Functions Journal

of the ACM Vol No pages

O Goldreich and LA Levin Hardcore Predicates for any OneWay Function In st ACM

Symposium on the Theory of Computing pages

S Goldwasser and S Micali Probabilistic Encryption Journal of Computer and System

Science Vol No pages Preliminary version in th STOC

J Hastad R Impagliazzo LA Levin and M Luby A Pseudorandom Generator from any

Oneway Function SIAM Journal on Computing Volume Number pages

Preliminary versions by Impagliazzo et al in st STOC and Hastad in nd

STOC

R Impagliazzo and A Wigderson PBPP if E requires exp onential circuits Derandomizing

the XOR Lemma In th ACM Symposium on the Theory of Computing pages

N Kahale Eigenvalues and Expansion of Regular Graphs Journal of the ACM Vol

pages September

DE Knuth The Art of Computer Programming Vol Seminumerical Algorithms

AddisonWesley Publishing Company Inc rst edition and second edition

A Kolmogorov Three Approaches to the Concept of The Amount Of Information Probl of

Inform Transm Vol

E Kushilevitz and N Nisan Communication Complexity Cambridge University Press

FT Leighton Introduction to Parallel Algorithms and Architectures Arrays Trees Hyper

cubes Morgan Kaufmann Publishers San Mateo CA

LA Levin Randomness Conservation Inequalities Information and Indep endence in Math

ematical Theories Information and Control Vol pages

M Li and P Vitanyi An Introduction to Kolmogorov Complexity and its Applications

Springer Verlag August

M Luby and A Wigderson Pairwise Indep endence and Derandomization TR In

ternational Computer Science Institute ICSI Berkeley ISSN

PB Miltersen and NV Vino dchandran Derandomizing ArthurMerlin Games using Hitting

Sets Journal of Computational Complexity to app ear Preliminary version in th FOCS

J Naor and M Naor Smallbias Probability Spaces Ecient Constructions and Applica

tions SIAM Journal on Computing Vol pages

N Nisan Pseudorandom bits for constant depth circuits Combinatorica Vol pages

N Nisan Pseudorandom Generators for Space Bounded Computation Combinatorica

Vol pages

N Nisan RL SC Journal of Computational Complexity Vol pages

N Nisan and A Wigderson Hardness vs Randomness Journal of Computer and System

Science Vol No pages

N Nisan and D Zuckerman Randomness is Linear in Space Journal of Computer and

System Science Vol pages

AR Razb orov and S Rudich Natural Pro ofs Journal of Computer and System Science

Vol pages

O Reingold Undirected STConnectivity in LogSpace In th ACM Symposium on the

Theory of Computing pages

M Saks and S Zhou RSPACES DSPACES In th IEEE Symposium on Foun

dations of Computer Science pages

R Shaltiel Recent Developments in Explicit Constructions of Extractors Bul letin of the

EATCS pages

CE Shannon A mathematical theory of communication Bel l Sys Tech Jour Vol

pages

RJ Solomono A Formal Theory of Inductive Inference Information and Control Vol

pages

L Trevisan Constructions of NearOptimal Extractors Using PseudoRandom Generators

In st ACM Symposium on the Theory of Computing pages

C Umans Pseudorandom generators for all hardness Journal of Computer and System

Science Vol pages

LG Valiant A theory of the learnable CACM Vol pages

A Wigderson The amazing p ower of pairwise indep endence In th ACM Symposium on

the Theory of Computing pages

AC Yao Theory and Application of Trapdo or Functions In rd IEEE Symposium on

Foundations of Computer Science pages