Pseudorandom Generators Without the XOR Lemma£

Pseudorandom generators without the XOR Lemma£

[Extended Abstract]

Þ Ü

Madhu SudanÝ Luca Trevisan Salil Vadhan

Impagliazzo and Wigderson [IW97] have recently shown that if This paper continues the exploration of hardness versus random-

´µ

there exists a decision problem solvable in time and hav- ness trade-offs, that is, results showing that randomized algorithms

ª´ can be efﬁciently simulated deterministically if certain complexity-

È ing circuit complexity (for all but ﬁnitely many ) then theoretic assumptions are true. We present two new approaches BÈÈ . This result is a culmination of a series of works showing con-

nections between the existence of hard predicates and the existence to proving the recent result of Impagliazzo and Wigderson [IW97]

´µ

of good pseudorandom generators. that, if there is a decision problem computable in time and

ª´µ

The construction of Impagliazzo and Wigderson goes through having circuit complexity for all but ﬁnitely many , then

BÈÈ three phases of “hardness amplification” (a multivariate polyno- È . Impagliazzo and Wigderson prove their result by pre- mial encoding, a first derandomized XOR Lemma, and a second senting a “randomness-efficient amplification of hardness” based derandomized XOR Lemma) that are composed with the Nisan– on a derandomized version of Yao’s XOR Lemma. The hardness- Wigderson [NW94] generator. In this paper we present two dif- amplification procedure is then composed with the Nisan–Wigderson ferent approaches to proving the main result of Impagliazzo and (NW) generator [NW94] and this gives the result. The hardness Wigderson. In developing each approach, we introduce new tech- amplification goes through three steps: an encoding using multi- niques and prove new results that could be useful in future improve- variate polynomials (from [BFNW93]), a first derandomized XOR ments and/or applications of hardness-randomness trade-offs. Lemma (from [Imp95]) and a second derandomized XOR Lemma Our first result is that when (a modified version of) the Nisan- (which is the technical contribution of [IW97]). Wigderson generator construction is applied with a “mildly” hard In our first result, we show how to construct a “pseudoentropy predicate, the result is a generator that produces a distribution indis- generator” starting from a predicate with “mild” hardness. Roughly tinguishable from having large min-entropy. An extractor can then speaking, a pseudoentropy generator takes a short random seed be used to produce a distribution computationally indistinguishable as input and outputs a distribution that is indistinguishable from from uniform. This is the first construction of a pseudorandom gen- having high min-entropy. Combining our pseudoentropy generator erator that works with a mildly hard predicate without doing hard- with an extractor, we obtain a pseudorandom generator. Interest- ness amplification. ingly, our pseudoentropy generator is (a modification of) the NW We then show that in the Impagliazzo–Wigderson construction generator itself. Along the way we prove that, when built out of only the first hardness-amplification phase (encoding with multi- a mildly hard predicate, the NW generator outputs a distribution variate polynomial) is necessary, since it already gives the required that is indistinguishable from having high Shannon entropy, a result average-case hardness. We prove this result by (i) establishing a that has not been observed before. The notion of a pseudoentropy connection between the hardness-amplification problem and a list- generator, and the idea that a pseudoentropy generator can be con- decoding problem for error-correcting codes based on multivariate verted into a pseudorandom generator using an extractor, are due polynomials; and (ii) presenting a list-decoding algorithm that im- to H˚astad et al. [HILL98].½ Our construction is the first construc- proves and simplifies a previous one by Arora and Sudan [AS97]. tion of a pseudorandom generator that works using a mildly hard predicate and without hardness amplification. £ The full version of this paper appears as [STV98].

Ý We then revisit the hardness ampliﬁcation problem, as consid- Laboratory for Computer Science, 545 Technology Square, MIT, Cambridge, MA 02141. E-mail: [email protected]. ered in [BFNW93, Imp95, IW97], and we show that the ﬁrst step

Þ Department of Computer Science, Columbia University, 500W 120th St., New alone (encoding with multivariate polynomials) is sufﬁcient to am- York, NY 10027. Email: [email protected]. Work done at MIT. plify hardness to the desired level, so that the derandomized XOR Ü Laboratory for Computer Science, 545 Technology Square, MIT, Cam- Lemmas are not necessary in this context. Our proof is based on bridge, MA 02141. E-mail: [email protected]. URL: a list-decoding algorithm for multivariate polynomial codes and http://theory.lcs.mit.edu/˜salil. Supported by a DOD/NDSEG grad- uate fellowship and partially by DARPA grant DABT63-96-C-0018. exploits a connection between the list-decoding and the hardness- ampliﬁcation problems. The list-decoding algorithm described in this paper is quantitatively better than a previous one by Arora and Sudan [AS97], and has a simpler analysis.

½ To be accurate, the term extractor comes fron [NZ96] and postdates the paper of H˚astad et al. [HILL98].

The works of Blum and in increasingly sophisticated forms, in [Imp95, IW97]. Likewise, Micali [BM84] and Yao [Yao82] introduce the notion of a cryp- the NW generator and its original analysis have always been used tographically strong pseudorandom generator (csPRG) and show in conditional derandomization results since.4 Future progress in how to construct pseudorandom generators based on the existence the area will probably require a departure from this observance of

of one-way permutations. A csPRG is a polynomial-time algorithm the NW methodology, or at least a certain amount of revisitation of that on input a randomly selected string of length produces an its main parts.

output of length that is computationally indistinguishable from In this paper, we give two new ways to build pseudorandom

uniform by any adversary of size, where is an arbitrar- generators with seeds of logarithmic length. Both approaches by- ily small constant. Yao also observes that a given polynomial-time pass the need for the XOR Lemma, and instead use tools (such as

randomized algorithm can be simulated deterministically using a list decoding, extractors, and pseudoentropy generators) that did

csPRG in time ¡ by trying all the seeds and taking the not appear in the sequence of works from [NW94] to [IW97]. For majority answer. a diagram illustrating the steps leading up to the results of [IW97] In a seminal work, Nisan and Wigderson [NW94] explore the and how our techniques depart from that framework, see Figure 1. use of a weaker type of pseudorandom generator (PRG) in order to Both of our approaches are described in more detail below. derandomize randomized algorithm. They observe that, for the pur-

pose of derandomization, one can consider generators computable

in time (instead of ) where is the length of the Worst−case hard seed, since the derandomization process cycles through all the seeds, polynomial [BFNW93] and this induces an overhead factor anyway. They also observe encoding that one can restrict to generators that are good against adversaries whose running time is bounded by a fixed polynomial, instead of polynomial Mildly hard encoding Thm 10 XOR [Imp95] every polynomial. They then show how to construct a pseudo- + noisy Lemma random generator meeting this relaxed definition under weaker as- reconstruction (Thm 19) Constant hardness sumptions than those used to build cryptographically strong pseu- XOR Pseudoentropy Lemma [IW97] dorandom generators. Furthermore, they show that, under a suf- Generator ficiently strong assumption, one can build a PRG that uses seeds Extremely hard of logarithmic length (which would be impossible for a csPRG). [NW94] extractor

Such a generator can be used to simulate randomized algorithms (Lem 13)

BÈÈ in polynomial time, and its existence implies È . The con- Pseudorandom Generator dition under which Nisan and Wigderson prove the existence of a

PRG with seeds of logarithmic length is the existence of a decision

f g ! f g

problem (i.e., a predicate ) solvable in time

´µ

Figure 1: A comparison of our approach with previous ones. Dou-

such that for some positive constant no circuit of size

ble arrows indicate our results.

can solve the problem on more than a fraction of the inputs.¾ This is a very strong hardness requirement, and it is of

interest to obtain similar conclusions under weaker assumptions.

An example of a weaker assumption is the existence of a mildly Nisan and Wigderson show

hard predicate. We say that a predicate is mildly hard if for some that when their generator is constructed using a very hard-on-average

ﬁxed no circuit of size can decide the predicate on more predicate, then the output of the generator is indistinguishable from

than a fraction of the inputs. Nisan and Wigder- the uniform distribution. It is a natural question to ask what hap-

son prove that mild hardness sufﬁces to derive a pseudorandom pens if there are stronger or weaker conditions on the predicate. In

generator with seed of length, which in turn implies a this paper we consider the question of what happens if the predicate

quasi-polynomial deterministic simulation of BÈÈ. This result is is only mildly hard. Speciﬁcally we are interested in whether expo- proved by using Yao’s XOR Lemma [Yao82] (see, e.g., [GNW95] nential average-case hardness is really necessary for direct pseu-

for a proof) to convert a mildly hard predicate over inputs into dorandom generation. In this paper we ﬁrst show that, when a ¾

one which has input size and is hard to compute on a fraction mildly hard predicate is used in the NW generator, then there exists

ª´µ

a distribution having high Shannon entropy that is indistinguish-

of the inputs. A series of subsequent papers attacks the problem of obtaining stronger pseudorandom generators start- able from the output of the generator. Our main result is then that,

ing from weaker and weaker assumptions. Babai et al. [BFNW93] for a mildly hard predicate, a modiﬁed version of the NW gener-

µ ª´ ator has an output indistinguishable from a distribution with high show that a predicate of worst-case circuit complexity can be converted into a mildly hard one.¿ Impagliazzo [Imp95] proves a min-entropy. Such a generator is essentially a “pseudoentropy gen- derandomized XOR Lemma which implies that a mildly hard pred- erator” in the sense of H˚astad et al. [HILL98]. The intuition behind

icate can be converted into one that cannot be predicted on more our proof is that if a predicate is hard to compute on more than a

Æ fraction of the inputs then there should be some subset of the than some constant fraction of the inputs by circuits of size . Impagliazzo and Wigderson [IW97] prove that a predicate with the inputs of density Æ on which the predicate is very hard — this in- latter hardness condition can be transformed into one that meets the tuition is made precise by a result of Impagliazzo [Imp95]. Due to hardness requirement of [NW94]. The result of [IW97] relies on a the high hardness, the evaluation of the predicate in a random point different derandomized version of the XOR Lemma than [Imp95]. of this set will be indistinguishable from a random bit. The NW

Thus, the general structure of the original construction of Nisan and generator constructed with a predicate works by transforming an

Wigderson [NW94] has been preserved in most subsequent works, input seed into a sequence of points ½ from the domain

¡¡¡

progress being achieved by improving the single components. In of ; the output of the generator is then ½ . particular, the use of an XOR Lemma in [NW94] continues, albeit For a random seed, each of the points is uniformly distributed,

and so we expect to typically generate Æ points from the hard ¾

This has to be true for all but ﬁnitely many input lengths . set, so that the output of the generator looks like having Æ bits of ¿ In fact the result of [BFNW93] was somewhat weaker, but it is easily extendable to yield this result. 4 The techniques of Andreev et al. [ACR97] are a rare exception, but they yield weaker result than the ones of [IW97]. randomness, that is, it is indistinguishable from some other distri- that is Æ -close to is computed by one of these programs. Finding

bution having (Shannon) entropy Æ . The generation of the points a generalized reconstruction procedure of this form is a version of

¡¡¡ ½ can be modiﬁed so that the number of points landing in the “list decoding” problem for error-correcting codes (though we

the hard set is sharply concentrated around its expected value Æ . will not use the phrase “list decoding” in most of our exposition). The output of the modified generator is then indistinguishable from Such a generalized reconstruction procedure has been given for the having high min-entropy. When our generator is composed with a first time only very recently by Arora and Sudan [AS97]. The pro- sufficiently good extractor5 (such as the one in [Tre98]) then the re- cedure of Arora and Sudan has a complicated analysis that relies sult is a pseudorandom generator. This is the first construction of a on their difficult analysis of the low-degree test for the “highly pseudorandom generator based on mild average-case hardness that noisy” case. In this paper we present a reconstruction procedure does not rely on hardness amplification. It is also the first applica- that works for an even wider range of parameters and has a much tion of the notion of a pseudoentropy generator to the construction simpler proof. We also show that our reconstruction procedure is of PRG in the Nisan–Wigderson sense. strong enough to imply the hardness amplification result of [IW97] (but even the weaker procedure of Arora and Sudan [AS97] would Remark 1 While in this paper we analyze for the first time the have sufficed). It has been pointed out to us that the connection Nisan-Wigderson generator under a weaker assumption than the between (generalized) polynomial reconstruction and hardness am- one originally considered in [NW94], there has also been some plification has also been observed by Avi Wigderson [Wig98] and work exploring the effect of stronger assumptions on the predicate. S. Ravi Kumar and D. Sivakumar [KS98]. Impagliazzo and Wigderson [IW98] show that if the predicate has

certain additional properties (such as “downward self-reducibility”)

then one needs only a uniform hardness assumption on the pred-

icate (rather circuit-complexity assumption). Arvind and K¨obler

f g

We write for the uniform distribution on . The statistical

[AK97] and Klivans and van Melkebeek [KvM98] show that if the

difference between two random variables and on a universe

predicate is hard on average for nondeterministic circuits, then the

j ¾ ℄ ¾ ℄j

is deﬁned to be . output of the generator is indistinguishable from uniform for non- Our main objects of study are pseudorandom generators:

deterministic adversaries. Therefore it is possible to derandomize

AÅ

classes involving randomness and nondeterminism, such as .

f g ! f g Deﬁnition 2 A function is an pseudo-

Trevisan [Tre98] shows that if the predicate is chosen randomly

random generator if no circuit of size can distinguish from

from a distribution having certain properties, then the output is sta- with advantage greater than . That is, for every circuit of size tistically close to uniform. This yields the construction of extractors

that we use in our generator.

j ℄ ℄ j

Our We begin by recalling the Nisan–Wigderson construction of second result deals with the polynomial reconstruction problem pseudorandom generators. and its connection to ampliﬁcation of hardness. In the polyno-

mial reconstruction problem we want to design an efﬁcient ran-

domized algorithm that, given oracle access to a function that

has Æ -agreement an unknown low-degree polynomial , com- The combinatorial construction underlying the NW generator isa

¡ putes on every input with high probability over its internal collection of sets with small intersections, called a design. coin tosses. This problem has been studied for its applications

to program checking, average case hardness results for the perma-

¾ Æ Lemma 3 (design [NW94]) For every , there exists a a

nent, and random self-reducibility of complete problems in high

f g

family of sets ½ such that ·

complexity classes [BF90, Lip89, GLR 91, FF93, GS92, FL96, ¾

j j

1. , 2. For all , , and 3. For all

CPS99].

6 j \ j . Moreover, such a family can be found

The applicability of polynomial reconstruction to hardness ver-

deterministically in time sus randomness results was demonstrated by Babai et al. [BFNW93].

They show that the existence of a polynomial reconstruction proce-

For concreteness, one can think of for some small

dure implies that one can convert a worst-case hard predicate into

constant , so that . Given such one which is mildly average-case hard by encoding it as a poly- a family of sets, the NW generator takes a uniformly distributed

nomial. As in [NW94, Imp95, IW97] one can further amplify the

string of length and produces strings of length . That is, given

hardness using XOR Lemmas. It is intuitively clear that a stronger parameters and , we take the family of sets given by Lemma 3

reconstruction algorithm would imply a stronger hardness ampliﬁ-

f g ! f g cation result and it could be used in place of the XOR Lemma. Un- and deﬁne by

fortunately, some calculations show that a polynomial reconstruc-

¾ ½

tion algorithm would have to work with Æ in order to be a

viable surrogate of an XOR Lemma, but if we have access to a func-

where denotes the projection of onto the coordinates speci-

Æ ¡ Æ

tion with -agreement to some polynomial , where ,

ﬁed by .

¡ then is not uniquely determined and the polynomial recon- The key property of this generator used in [NW94, IW97] is

struction problem is ill-posed. On the other hand even for very

that the strings behave as if they are independent when they i

small values of Æ , there is only a small number of polynomials that

f g ! f g

are used as inputs to a hard function. Let be are Æ -close to any given function , and one can conceive a gener-

any predicate. Then the NW pseudorandom generator using is a

alized reconstruction procedure that having oracle access to out-

f g ! f g

puts a small number of efﬁcient programs so that every polynomial function - given by 5

An extractor is an efﬁcient algorithm that on input a distribution sampled from a

¡¡¡

½ ¾

distribution with high min-entropy has an output that is statistically close to uniform. -

We say that a function has agreement with a function if and are equal

½ on a fraction at least of their domain. where

7 ¼ ¾ ¾

Æ ¡

The main theorem of [NW94] is that if is taken to be a sufﬁ- entropy at least such that no circuit of size

ciently hard (on average) predicate, - is a good pseu- can distinguish the output of

f g ! f g

dorandom generator. - from with advantage greater

than .

f g ! f g

Theorem 4 ([NW94]) Suppose is a predi-

cate such that no circuit of size can compute correctly on

more than a fraction of the inputs. - is an

¾ Proof: Let be a -hardcore set for , as given by

pseudorandom generator. Theorem 5. We will show that the following distribution satisﬁes the requirements of the theorem.

The pseudorandom generators produced by this theorem can be

spectacular, as the seed length can be much

f g Choose uniformly from . Let

smaller than (even logarithmic in) the number of output bits if is

¾ ¾ f g

½ . If , select uniformly

sufﬁciently hard. The main drawback is that the hypothesis is also 8

¾ ¡¡¡

½ at random, and if let . Output . extremely strong (in that must be very hard on average), and

much work has been done to construct predicates that are strong Æ First, we argue that the entropy of is at least . Deﬁne

enough for Theorem 4 based on weaker assumptions [BFNW93,

½ to be the number of ’s that are in . Then for

Imp95, IW97, IW98]. In the next section, we analyze the quality

¾ f g j

of this generator when only a mildly hard predicate is used. any , the entropy of (i.e., conditioned on ) is

). By the deﬁnition of the Nisan-Wigderson generator,

each is (individually) uniformly distributed and therefore lands

in with probability . By linearity of expectations, the expecta-

Æ tion of (over uniformly selected ) is . Thus, since In this section, we show how to build a pseudorandom generator conditioning reduces entropy (cf., [CT91, Th. 2.6.5]),

out of a mildly hard predicate in a different (and arguably more

j ℄ direct) way than [IW97]. Speciﬁcally, we show how to directly

build a “pseudoentropy generator” from a mildly hard predicate and

℄ argue that applying an extractor to its output gives a pseudorandom

generator.

Now we show that and - are computationally

Intuitively, the reason the NW pseudorandom generator works is indistinguishable. Suppose that some circuit distinguishes the

output of - from with advantage greater than .

that whenever is a “hard instance” of , is indistinguish-

¾ ¾

¡ We will show that must be of size at least

able from a random bit. If is very hard as in the hypothesis of

Theorem 4, then almost all inputs are hard instances. Thus, with . By complementing if necessary, we have

high probability all the ’s will be hard instances and the limited

℄

dependence of the ’s guarantees that the ’s will look simul- -

taneously random.

Now suppose that is instead only mildly hard, in the sense

¾ f g ¾ f g

For and , deﬁne

that no small circuit can compute correctly on more than a

fraction of inputs, for some small but noticeable Æ . Intuitively,

this means that some Æ fraction of the inputs are extremely hard

otherwise. Æ

for . Thus, we’d expect that a fraction of the output bits of

- are indistinguishable from random, so that we should

Now consider “hybrids” of and - get some crude pseudorandomness out of the generator. In fact, this deﬁned as follows: intuition about hard instances can be made precise, using the fol-

lowing result of Impagliazzo [Imp95].

f g

Choose uniformly from and choose

f g

Theorem 5 (hardcore sets [Imp95]) Suppose no circuit of size uniformly from . For , let

¡¡¡ ¡¡¡

½ ·½

and . Output .

j j

f g ! f g Æ

can compute on more than a fraction

f g

of the inputs in . Then, for every , there exists an -

Thus, - , and . By the “hybrid

f g j j Æ ¡ hardcore set such that and no circuit of

argument” of [GM84] (cf. [Gol95, Sec. 3.2.3]), there is an such

¼ ¾ ¾

Æ size can compute correctly on more than a ¾ that

fraction of the inputs in .

℄ ℄

Using this theorem, we can prove something about the output

¾ ℄ Æ ¡ j

of - when a mildly hard predicate is used. Notice

¾ ℄ Æ j

that if is chosen uniformly at random, then each component i

f g

¾ ℄ Æ ¡ j

of the output of is uniformly distributed in .

Hence, the expected number of ’s that land in is . Thus, the

¾ ℄ Æ j

earlier intuition suggests that the output of - should

¾ ℄ Æ ¡ j

½ i

have Æ bits of pseudorandomness, and this is in fact true.

¾ ℄ Æ ¡ j

f g !

Theorem 6 Suppose no circuit of size can compute 7

Recall that the (Shannon) entropy of a distribution is

℄ ℄

g Æ f g

f .

on more than a fraction of the inputs in . Then, « 8

A similar “bit-ﬂipping” technique is used in [HILL98] to prove their construction

f g for every , there is a distribution on of (Shannon) of a false entropy generator.

½ ½

where the last equality is because and are identical con- obtain from a seed using the NW generator, we ob-

ditioned on . Expanding and using the fact that tain pairwise independent from a seed , and then use

¾ ¨ ¨

½ ½ ½

when , we have as the inputs to the predi-

i i

cate . As we will see in the next section, this gives a generator

¾ ℄ ¡¡¡ ¡¡¡ j

½ ½ ·½

i whose output is indistinguishable from some distribution with high

min-entropy, as desired.

¾ ℄ ¡¡¡ ¡¡¡ j

½ ½ ·½

Æ The following deﬁnition (following [HILL98]) formalizes the type

f g

where is chosen uniformly in and are selected of generator we obtain.

f g

uniformly in . Renaming as and using the standard trans-

f g ! f g

formation from distinguishers to predictors [Yao82] (cf. [Gol98, Deﬁnition 7 A generator is a pseu-

f g

Sec. 3.3.3]), we see that doentropy generator if there is a distribution on of min-

entropy such that no circuit of size can distinguish the output of

¾ ℄ ¡¡¡ ¡¡¡ ¨ j

½ ½ ·½

from with advantage greater than .

Remark 8 The above deﬁnition differs from that of [HILL98] in Æ

several ways. Most importantly, we require the output to be in-

distinguishable from having high min-entropy, whereas they only

Recall that (resp., ) is deﬁned to be (resp., ),

j j

require that it be indistinguishable from having high Shannon en-

where is the projection of onto the bits speciﬁed by . Us-

tropy. They later convert to the Shannon entropy to min-entropy by

·½

ing an averaging argument we can ﬁx , , and all the

taking many samples on independent seeds, but we cannot afford

bits of outside while preserving the advantage in predicting

the extra randomness needed to do this. Other differences are that

. Renaming as , we now observe that varies

i i

we ask for indistinguishability against circuits rather than uniform

uniformly over while for and for are now

j \ j adversaries, that we do not require that be computable in poly-

functions of that depend on only bits of .

So, we have nomial time, and that we do not explicitly ask that be larger than

(though the notion is uninteresting otherwise).

¡¡¡ ¡¡¡ ¨ ℄

½ ½ ·½

Recall that we need a way of generating many pairwise inde-

pendent strings from a short seed.

¾ Æ

Lemma 9 ([CG89] (see also [Gol97a])) For any and

Each can be computed by a circuit of size ,

f g ! f g

, there is a generator such that

since every function of bits can be computed by a circuit

for selected uniformly at random, the random variables ,

of that size. Incorporating these circuits and into , we obtain a

¼ ¾

, are pairwise independent. Moreover is com-

circuit of size such that

putable in time .

f g ! f g

Let be any predicate, let be any posi-

¼ tive integer, and let be the seed length of . Then our pseu-

Now, since is )-hardcore for as in Theorem 5,

·¿

¾ ¾ ¾ ¾ ¾

f g !

doentropy generator using is a function

Æ ¡ Æ ¡ ¡

must have size greater than ,

¾ ¾ ¾

f given by

and hence must have size greater than .

¨ ¨ ¡¡¡ ¨

½ ½ ¾ ¾

Thus, using a mildly hard predicate with the NW generator, we where

can obtain many bits of crude pseudorandomness. A natural next

½ ½ and step would be to try to “extract” this crude pseudorandomness and obtain an output that is indistinguishable from the uniform distri- The following theorem, whose proof can be found in the full bution. Unfortunately, one cannot hope to extract uniformly dis- version of the paper [STV98], conﬁrms that this construction does tributed bits from a distribution that just has high Shannon entropy. in fact yield a pseudoentropy generator.

Extraction is only possible from distributions that have high min-

entropy. Recall that a distribution on a ﬁnite set is said to have

f g !

Theorem 10 Suppose no circuit of size can compute

¾ ℄

min-entropy if for all , .

Æ f g g

The reason that we were only able to argue about Shannon en- f on more than a fraction of the inputs in . Then,

·¿

f g ! f g

Æ for any , is a tropy in Theorem 6 is that we could only say that ’s land in

on average. To obtain a result about min-entropy, we would need pseudoentropy generator, with

to guarantee that many ’s lie in with high probability. Clearly,

seed length

this would be the case if the ’s were generated pairwise indepen-

dently instead of via the NW generator. But we also need the spe- pseudoentropy

¾ 4 ¾

cial properties of the NW generator to make the current argument ¼

Æ ¡

about indistinguishability work. Following [IW97], we resolve this adversary size

Æ dilemma by taking the XOR of the two generators to obtain a new adversary’s advantage

generator with the randomness properties of each.9 That is, we

ÐÓg

[IW97] take the XOR of the NW generator with a generator coming from a ran- Moreover, is computable in time with dom walk on an expander. oracle calls to .

can be evaluated in time , so the resulting pseudorandom

BÈÈ generator is sufﬁciently strong to obtain È . The tool we will use to transform our pseudoentropy generator into

a pseudorandom generator is an extractor. Proof: By Theorem 10,

¾ ¾

f g ¢ f g ! f g

Deﬁnition 11 A function EXT is

f g

a -extractor if for every for every distribution on

of min-entropy , EXT has statistical difference at most

from . By Theorem 12,

We will make use of the following recent construction of ex-

½Æ

tractors:

Theorem 12 ([Tre98]) For every , , and such that ,

f g ¢ f g ! f g

there is a -extractor EXT

and EXT is computable in time ¾ .

such that

¾ By Lemma 13, no circuit of size can distinguish the output of

- from uniform wth advantage greater than

, where

f g ¢ f g ! f g

¾ 4 ¾ ½ ½¼

and EXT is computable in time ¼

Æ ¡

By choosing sufﬁciently small, will always be at least . The following lemma (proved in the full version of the paper [STV98]) conﬁrms the intuition that applying an extractor to a distribution that is computationally indistinguishable from a dis- Remark 15 As mentioned earlier, H˚astad et al. [HILL98] intro- tribution with high min-entropy should yield a distribution that is duced the notion of a pseudoentropy generator and showed that

indistinguishable from uniform. the crude pseudorandomness of such a generator can be extracted

to yield a pseudorandom generator. Their work is in the “crypto-

! f g f g

Lemma 13 Suppose is a ½ pseu- graphic” setting, in which the generators must be computable in

! f g f g ¢ f g

doentropy generator and EXT is a time polynomial in the seed length and hence one can only hope

¾ -extractor computable by circuits of size . Then for the output to be polynomially longer than the seed (rather than

¼ ¼

½ ¾

f g ! f g

deﬁned by EXT exponentially, as we obtain). Hence throughout their construction

¾ is a ½ pseudorandom generator. they can afford super-linear increases in seed length, whereas pre-

serving the seed length up to linear factors is crucial for obtaining

BÈÈ Summing up, we have the following theorem: pseudorandom generators good enough for È . For exam-

ple, they can afford to use randomness-inefﬁcient extractors such

Theorem 14 There is a universal constant such that the as 2-universal hash functions, whereas we require extractors which

f g ! f g

following holds. Let be any predicate such use only a logarithmic number of truly random bits, which have

½¼

that no circuit of size can compute correctly on more than a only been constructed recently [Zuc96, Tre98].

Æ Æ

fraction of the inputs, where and . Deﬁne

! f g Æ f g

Remark 16 The output of the pseudoentropy generator con-

and and let be

4 ¾

¾ structed in Theorem 10 is actually “nicer” than stated. Speciﬁcally,

Æ Æ ¡ Æ

the pseudoen-

¾ it is indistinguishable from a oblivious bit-ﬁxing source — that is,

f g ¢ f g !

tropy generator of Theorem 10 and let EXT

a distribution on strings of length in which bit positions

f g Æ Æ be the -extractor of Theorem 12. Let

are ﬁxed and the other bit positions vary uniformly and indepen-

½ ¾

f g ! f g - be deﬁned by dently. Such sources were the focus of the “bit extraction problem”

studied in [Vaz85, BBR85, CGH· 85, Fri92] and the term “obliv-

- E ious bit-ﬁxing source” was introduced in [CW89]. To see that the

output of is indistinguishable from an oblivious bit-ﬁxing

Then, - is a pseudorandom generator with source, simply observe that the distribution given in the proof

of Theorem 10 is such a source.½½ Extracting from oblivious bit-

output length

ﬁxing sources in which all but bits are ﬁxed is an easier task than

extracting from a general source of min-entropy , and already in

seed length ½ [CW89] there are (implicitly) extractors sufﬁcient for our purposes.

adversary size

adversary’s advantage

Recall the main theorem of Nisan and Wigderson (Theorem 4) that

´ ÐÓg µ

f g ! f g

Moreover, - can be evaluated in time with states that given a hard predicate , one can get

Æ oracle calls to . ½¼ Indeed, the term “extractor” was not even present at the time of [HILL98] and the

ﬁrst constructions of randomness-efﬁcient extractors used their Leftover Hash Lemma E

In particular, suppose is a predicate in such that no circuit as a starting point.

½½

of size can compute correctly on more than a Actually, is a convex combination of oblivious bit-ﬁxing sources. Distribution

fraction of the inputs. Then the output length is is said to be a convex combination of distributions ½ if there is a distri-

f g ¾ f g

¼ µ

ª´ bution on on such that can be realized by choosing

, the seed length is , no circuit of size

according to , taking a sample from i , and outputting . It is easy to see that any

ª´µ

can distinguish the output from uniform, and the generator extractor for oblivious bit-ﬁxing sources also works for convex combinations of them.

f g ! f g

a pseudorandom generator. The requirement of a hard predicate Then, for , - ¼ is an

in this theorem can be replaced with a requirement of a hard pseudorandom generator with

function (with many bits of output) using the hardcore predicate

construction of Goldreich and Levin [GL89] (see also [Gol97b]). output length

f g ! f g ¾

Given a function , the hardcore predicate for

f g ! f g seed length

is the function given by

adversary size

h i ¾ f g ¾ f g

for and

adversary’s advantage

h i ½

where denotes the mod-2 inner product of

´ ÐÓg µ

and (i.e., ).

=½

Moreover, - can be evaluated in time with

access to the entire truth table of .

Theorem 17 ([GL89]) There exists a constant s.t. the following

f g ! f g

holds. If is a function such that no circuit of

size can compute correctly on more than an fraction of the

f g ! f g

inputs, then is a predicate such that no First, a bit of terminology:

circuit of size can compute correctly on more

than a fraction of the inputs. Deﬁnition 21 A randomized procedure is said to compute a func-

! ¾ ℄ tion at a point if ,

Thus the two theorems above show that it sufﬁces to construct where the probability is taken over the internal coin tosses of .

¾ ℄

hard functions to obtain pseudorandom generators. The approach We say that has agreement with if computes on

of Impagliazzo and Wigderson is to start from a predicate that is an fraction of the inputs in . We say that computes if it has

hard in the worst case (i.e., no small circuit computes it correctly agreement 1 with .

on all inputs); then to use a low-degree extension of to obtain a polynomial function that is mildly hard on the average. They Now we prove Theorem 19 by providing a uniform solution to then apply two different XOR lemmas to obtain a functions that the following “multivariate reconstruction problem”.

grow harder; eventually obtaining as hard a function as required in

! ¾ Æ ¾ Ê

Theorem 17. We use an alternate approach for this sequence by Given: An oracle and parameters and .

showing directly that the function above is very hard; as hard as Goal: Reconstruct (an implicit representation for) every polyno-

required for the combination of Theorems 4 and 17. We start by mial that has -agreement with the function . Speciﬁcally, con-

specifying the properties of the low-degree extension; a proof of struct randomized oracle machines such that for every

! following standard lemma can be found in the full version of this polynomial of degree that has (relative) agreement

paper [STV98].

¾ ℄

with , there exists such that computes .

f g ! f g

Proposition 18 For every Æ , and predicate , We will be interested in the running time of the “reconstruction pro-

¾ Æ !

there exists , , a ﬁeld , and a polynomial

½ cedure”, i.e., the time taken to generate the machines ,

(the low-degree extension) of total degree satisfying the following

½ as well as the running times of the machines .

properties:

Theorem 22 There exists a constant such that the reconstruction

j j Æ j j Æ

1. , , and .

j j

j j problem above can be solved in time , with the

running time of each of the oracle machines listed in the output

2. If and ^ denote the worst-case computation times (or

j j j j

being , provided .

circuit sizes) for and respectively, then

Remark 23 1. This theorem is a strengthening of a theorem

due to [AS97]. In particular, the lower bound on here is

smaller than that of [AS97], who obtain an unspeciﬁed poly-

( is harder than but not too much harder, especially if

´µ

nomial in and . Furthermore, our proof is simpler and

j j has time complexity .) in particular does not require “low-degree testing.”

In the following section we prove the following theorem.

j j

2. The bound of is within a constant factor of the

bound for the univariate case. The constant above is not

! Theorem 19 There exists a constant s.t. if some function

optimized in this writeup. But our methods can push it down

computed by a circuit of size agrees with a degree polyno-

to any constant greater than . For the univariate case, this

! j j mial on fraction of the inputs, then

constant is . No inherent reason is known for the gap.

¡ j j

there exists a circuit of size that computes correctly everywhere. Observe that Theorem 19 follows immediately from Theorem 22. Putting together the above we get: We have formulated the multivariate reconstruction problem in such a way that an efﬁcient solution to it (as in Theorem 22) immediately

implies a hardness ampliﬁcation result. It should be clear that the

Theorem 20 There exists a universal constant such that the

connection actually applies to any error-correcting code for which

f g ! f g following holds: Let be a function that is not

there exist efﬁcient algorithms for encoding (as in Proposition 18)

computed by any circuit of size , where . Let

and “list-decoding” (that is, ﬁnding efﬁcient oracle machines for

be as guaranteed to exist by Proposition 18 for Æ . Let ¼

every codeword that agrees with a given oracle in sufﬁciently

j j f g ! f g

and be given by ^ many places). The “rate” of the code determines how the input

j j

(where is now viewed as a function from bits to bits). length of the function changes when we encode it (e.g. in Proposi-

j j tion 18, input length becomes and linear growth

j j

like this is needed to obtain the result of [IW97]). The amount of (Note that as long as , which is

agreement for which the list-decoding works determines how hard- true by hypothesis.) If is too large to do this, then set

on-average the encoded function is. The running time of the oracle and pick ½ distinct at random from and

f g

=½

machines produced in the reconstruction procedure determines the then invoking Theorem 26 on the set

circuit size for which the hardness ampliﬁcation works. with . Since there are at most polynomials

We now move on to the proof of Theorem 22. Fix an oracle with agreement at least with (by the “furthermore”

Þ ;Ü

! ! Æ

and a degree polynomial with agree- part of Theorem 26), the choice of guarantees that with

ment with . We observe that it sufﬁces to reconstruct a (random- high probability, all of these polynomials agree with

Þ ;Ü

ized) oracle machine such that has sufﬁciently high agree- on at least of the ’s. As the choice of also guaran-

ment with . This is due to the existence of “self-correctors” of tees that , Theorem 26 yields a list con-

polynomials [BF90, Lip89, GLR 91, GS92]. Speciﬁcally, we use taining all polynomials with agreement at least . Now, we the following theorem: wish to discard all polynomials with agreement less than — this can be accomplished by comparing each polynomial

Theorem 24 ([GLR· 91]) There exists a randomized oracle ma-

obtained with on a random sample of

Þ ;Ü

ÖÖ chine CÓ taking as parameters integers and and a ﬁeld

points from and discarding it if it has agreement smaller

such that on access to an randomized oracle with

than on this sample.

½5

CÓÖÖ

agreement with some degree polynomial , computes

½6

j j

in time provided . 2. The number of polynomials output in Step 1 above is at most (by the “furthermore” part of Theorem 26.)

As in the algorithms of [BF90, Lip89, GLR· 91], we use the

properties of “lines” in the -dimensional space , deﬁned be- To shed some light on the steps above: We expect that is

Þ ;Ü

low. one of the ’s returned in Step (1) above. In Step (2) we try to ﬁnd

out which to use by checking to see if there is a unique one which

Deﬁnition 25 The line through , denoted , is the

has (recall that ), and if so we use this

Þ ;Ü

def

j ¾ g

f polynomial to output . This intuition is Þ ;Ü

parametrized set of points .

made precise in the Section 5.2. We now ﬁnish the description of

Given a function , restricted to the line is the

j j !

the reconstruction procedure.

function given by .

Ü;Ý Ü;Ý

j Reconstruction algorithm.

Notice that if is a polynomial of total degree , then Ü;Ý

is a univariate polynomial of degree at most . Our strategy, to

– Repeat the following several times:

reconstruct the value of at a point , is to look at a random line

going through . On this line turns into a univariate polynomial. 1. Pick at random.

Furthermore, the random line through the randomly chosen point 2. Pick at random.

is a “pairwise independent” collection of points from . Thus

3. Find a list of univariate polynomials

and will have agreement close to on this line as well. Thus including all polynomials with agreement at least

½¾

the goal of ﬁnding “reduces” to the goal of reconstructing

with .

restricted to this line, i.e., a univariate reconstruction problem, a Þ ;Ý

4. For every polynomial , include the oracle ma-

problem that has been addressed in [ALRS92, Sud97, GS98]. In

Þ ;h ´¼µ

j ÖÖ

particular, we use the following theorem. chine CÓ in the output list.

Theorem 26 ([Sud97]) Given a sequence of distinct pairs

f g ¾

=½

, and integer parameters , a list of

jf ¾ f gj

½ all polynomials satisfying

Now we show that the reconstruction algorithm runs in time run in

j j gj

, can be reconstructed in time provided

j j

¾ time and outputs a list of oracles that includes

. Furthermore .

one for every polynomial that has agreement with . Theo-

We describe a family of reconstruction procedures, rem 22 follows immediately.

Ñ The claim about the running time is easily veriﬁed. To analyze

f g

¾ ¾ ½ , that will be used to construct the machines ,

the correctness, it sufﬁces to show that in any iteration of Steps 1–4

, . To gain some intuition into the procedure below, it may

in Reconstruction Algorithm, an oracle computing is part of the

´ µ be helpful to consider only the machines . The machines

output with, say, constant probability for any ﬁxed polynomial of

take as parameters a positive real number , integers and , and

degree that has agreement with . We show this in two parts.

a ﬁeld .

´ µ

First we argue that for most choices of , is an oracle that

Þ ;Ô´Þ µ

CÓÖÖ

: computes on of all inputs (and thus computes

everywhere). Then we show that for most pairs , there exists

1. (Explicitly) ﬁnd a list of distinct (univariate) polyno-

s.t. the polynomial reconstructed in Step 3 satisﬁes

mials such that this list includes all polyno-

mials that have agreement at least with and Þ ;Ü

does not include any polynomial with agreement less

Lemma 28 There exists a constant s.t. for every , , satisfy-

than .

j j

ing , it is the case that

¾ f g

2. If there exists a unique index such that

, then output , else output anything.

´ µ

Remark 27 1. Step 1 above can be computed in time polyno-

with probability at least over the random choice of ,

j j

mial in , and as follows: If is small enough,

½¾

then we let ½ be all the elements of and invoke This is done as in Remark 27, though here we do not care if the list contains extra

polynomials with low agreement.

f g

=½ Theorem 26 on the set with .

Proof: We ﬁrst argue that when both and are picked at random, Proof of Theorem 22: Fix any degree polynomial with

certain bad events are unlikely to happen. The next two claims agreement with . Combining Lemmas 28 and 31 we ﬁnd that with

describe these bad events and upper bound their probability. probability , one of the oracles output by the reconstruction

Þ ;Ô´Þ µ

CÓÖÖ

´ µ

algorithm is ; and is such that computes

j j

Claim 29 If , then

for at least fraction of ’s in ; and thus (by Theorem 24)

Þ ;Ô´Þ µ

ÖÖ

CÓ computes on every input.

j 6 9 ¾ ℄

s.t.

Þ ;Ü

Repeating the loop times ensures that every polyno-

mial with agreement with is included in the output with high

probability, using the well-known bound that there are only

Proof: For the polynomial not to be included in the output

Þ ;Ü such polynomials (cf., [GRS98, Theorem 17]).

list it has to be the case that and do not have agreement on

the line . But the line is a pairwise independent collection of

j points in . The quantity of interest then is the probability

that a random variable with expectation attains an average of at

j j

most on samples. Using Chebychev’s inequality, this prob-

4 4

We thank Oded Goldreich, Amnon Ta-Shma, and Avi Wigderson

ability may be bounded by ¾ .

j j

½6 for clarifying discussions and pointing us to some related work.

j j

Claim 30 If , then

[ACR97] Alexander Andreev, Andrea Clementi, and Jos´eRolim. Worst-

9 ¾ ℄ 6 j j

s.t. and

Þ ;Ü Þ ;Ü

j j case hardness sufﬁces for derandomization: a new method for hardness-randomness trade-offs. In Proceedings of ICALP’97,

pages 177–187. LNC 1256S, Springer-Verlag, 1997.

´ µ

Proof: For convenience in this argument, assume that

ﬁnds all polynomials of agreement at least with rather [AK97] V. Arvind and J. K¨obler. On resource-bounded measure and Þ ;Ü than just a subset, as that is clearly the worst case for the claim. pseudorandomness. In Proceedings of the 17th Conference

on Foundations of Software Technology and Theoretical Com-

½ Now, instead of picking and at random and then letting

puter Science, pages 235–249. LNCS 1346, Springer-Verlag,

j be all degree polynomials with agreement with , we

Þ ;Ü 1997.

¼ ¼

ﬁrst pick independently and uniformly at random from ; ¼

¼ [ALRS92] Sigal Ar, Richard J. Lipton, Ronitt Rubinfeld, and Madhu

and let ½ be all univariate degree polynomials with

Sudan. Reconstructing algebraic functions from mixed data.

½ ¾

agreement with ¼ . We now pick two distinct elements ;Ü

Þ In 33rd Annual Symposium on Foundations of Computer Sci-

¼ ¼ ¼ ¼

½ ¾

uniformly from and let and . Notice ence, pages 503–512, Pittsburgh, Pennsylvania, 24–27 Octo-

¼ ½ ¼

¾ ½ ¾ ¾

that we can express and ber 1992. IEEE.

¼ ¼

½ ¾

. Thus the lines and contain the same [AS97] Sanjeev Arora and Madhu Sudan. Improved low degree test- def

¼ ing and its applications. In Proceedings of the Twenty-Ninth

¾ ½ ¾

set of points and thus the polynomials

Annual ACM Symposium on Theory of Computing, pages 485–

j are exactly the set of polynomials with agreement with .

Þ ;Ü 495, El Paso, Texas, 4–6 May 1997.

j j 6

Thus the event “ and ” is equivalent to

Þ ;Ü Þ ;Ü ¼

¼ [BBR85] Charles H. Bennett, Gilles Brassard, and Jean-Marc Robert.

j j 6

½ ½ ½

¼ ¼ ¼

the event “ ¼ and ”, where is be-

;Þ Ü ;Þ

Ü How to reduce your enemy’s information (extended abstract).

ing chosen at random. This probability is at most for any ﬁxed

j j In Hugh C. Williams, editor, Advances in Cryptology—

¼ CRYPTO ’85, volume 218 of Lecture Notes in Computer Sci-

½ ½

and thus the probability that there exists a s.t ¼

Ü ;Þ

ence, pages 468–476. Springer-Verlag, 1986, 18–22 August

¡ j j

is at most . From and , the claim

j j 1985. follows. [BF90] Donald Beaver and Joan Feigenbaum. Hiding instances in multioracle queries. In 7th Annual Symposium on Theoretical

Discounting for the two possible bad events considered in Claims 29 Aspects of Computer Science, volume 415 of Lecture Notes in

and 30, we ﬁnd that with probability at least , there ex- Computer Science, pages 37–48, Rouen, France, 22–24 Febru-

¿¾

ary 1990. Springer.

´ µ

ists a polynomial returned in Step 1 of such that

j ; furthermore, this is the unique polynomial such that

Þ ;Ü [BFNW93] L´aszl´oBabai, Lance Fortnow, Noam Nisan, and Avi Wigder-

j j

. Thus the output is . Þ ;Ü

Þ ;Ü son. BPP has subexponential time simulations unless EX-

Thus with probability at least , we ﬁnd that for a random PTIME has publishable proofs. Computational Complexity,

3(4):307–318, 1993.

´ µ pair , computes . An application of Markov’s inequality now yields the desired result. [BM84] Manuel Blum and Silvio Micali. How to generate cryptographically strong sequences of pseudo-random bits. SIAM Journal

on Computing, 13(4):850–864, November 1984.

Lemma 31 With probability at least , one of the polynomials 64 [CG89] Benny Chor and Oded Goldreich. On the power of two-point

reconstructed in any one execution of Step 3 of Reconstruction based sampling. Journal of Complexity, 5(1):96–106, March

Algorithm is ; and thus one of the oracles created in Step 4

Þ ;Ý 1989.

Þ ;Ô´Þ µ

CÓÖÖ j j is , provided is large enough. [CGH· 85] Benny Chor, Oded Goldreich, Johan Hastad, Joel Friedman, Steven Rudich, and Roman Smolensky. The bit extraction

problem or t-resilient functions (preliminary version). In

Proof: As in Claim 29 we argue that and have at least 26th Annual Symposium on Foundations of Computer Science,

j agreement on the line and then is one of the polynomials

Þ ;Ý pages 396–407, Portland, Oregon, 21–23 October 1985. IEEE.

Þ ;a ÖÖ

output in this step. Thus one of the oracles created is CÓ for [CPS99] Jin-Yi Cai, A. Pavan, and D. Sivakumar. On the hardness of

. Þ ;Ý the permanent. In 16th International Symposium on Theoreti- cal Aspects of Computer Science, Lecture Notes in Computer

= BÈÈ E Science, Trier, Germany, March 4–6 1999. Springer-Verlag. To [IW97] Russell Impagliazzo and Avi Wigderson. È if appear. requires exponential circuits: Derandomizing the XOR lemma. [CT91] Thomas M. Cover and Joy A. Thomas. Elements of Informa- In Proceedings of the Twenty-Ninth Annual ACM Symposium tion Theory. Wiley Series in Telecommunications. John Wiley on Theory of Computing, pages 220–229, El Paso, Texas, 4–6 & Sons, Inc., 2nd edition, 1991. May 1997. [CW89] Aviad Cohen and Avi Wigderson. Dispersers, deterministic [IW98] Russell Impagliazzo and Avi Wigderson. Randomness vs. ampliﬁcation, and weak random sources (extended abstract). time: De-randomization under a uniform assumption. In 36th In 30th Annual Symposium on Foundations of Computer Sci- Annual Symposium on Foundations of Computer Science, Palo ence, pages 14–19, Research Triangle Park, North Carolina, 30 Alto, CA, November 8–11 1998. IEEE. October–1 November 1989. IEEE. [KS98] S. Ravi Kumar and D. Sivakumar. Personal communication, [FF93] Joan Feigenbaum and Lance Fortnow. Random-self- October 1998. reducibility of complete sets. SIAM Journal on Computing, [KvM98] Adam Klivans and Dieter van Melkebeek. Graph nonisomor- 22(5):994–1005, October 1993. phism has subexponential size proofs unless the polynomial- [FL96] Uriel Feige and Carsten Lund. On the hardness of computing time hierarchy collapses. Technical Report TR-98-12, Univer- the permanent of random matrices. Computational Complex- sity of Chicago, Department of Computer Science, December ity, 6(2):101–132, 1996. 1998. Extended abstract in these proceedings. [Fri92] Joel Friedman. On the bit extraction problem. In 33rd Annual [Lip89] Richard Lipton. New directions in testing. In Proceedings of Symposium on Foundations of Computer Science, pages 314– DIMACS Workshop on Distributed Computing and Cryptogra- 319, Pittsburgh, Pennsylvania, 24–27 October 1992. IEEE. phy, 1989. [GL89] Oded Goldreich and Leonid A. Levin. A hard-core predicate [NW94] Noam Nisan and Avi Wigderson. Hardness vs randomness. for all one-way functions. In Proceedings of the Twenty First Journal of Computer and System Sciences, 49(2):149–167, Oc- Annual ACM Symposium on Theory of Computing, pages 25– tober 1994. 32, Seattle, Washington, 15–17 May 1989. [NZ96] Noam Nisan and David Zuckerman. Randomness is linear in

[GLR· 91] Peter Gemmell, Richard Lipton, Ronitt Rubinfeld, Madhu Su- space. Journal of Computer and System Sciences, 52(1):43– dan, and Avi Wigderson. Self-testing/correcting for polyno- 52, February 1996. mials and for approximate functions. In Proceedings of the [STV98] Madhu Sudan, Luca Trevisan, and Salil Vadhan. Pseu- Twenty Third Annual ACM Symposium on Theory of Comput- dorandom generators without the XOR lemma. Technical ing, pages 32–42, New Orleans, Louisiana, 6–8 May 1991. Report TR98-074, Electronic Colloquium on Computational [GM84] Shafi Goldwasser and Silvio Micali. Probabilistic encryp- Complexity, December 1998. http://www.eccc.uni- tion. Journal of Computer and System Sciences, 28(2):270– trier.de/eccc. 299, April 1984. [Sud97] Madhu Sudan. Decoding of Reed Solomon codes beyond the [GNW95] Oded Goldreich, Noam Nisan, and Avi Wigderson. On Yao’s error-correction bound. Journal of Complexity, 13(1):180– XOR lemma. Technical Report TR95–050, Electronic Collo- 193, March 1997. quium on Computational Complexity, March 1995. http:// [Tre98] Luca Trevisan. Constructions of near-optimal extractors us- www.eccc.uni-trier.de/eccc. ing pseudo-random generators. Technical Report TR98-055, [Gol95] Oded Goldreich. Foundations of Cryptography (Fragments Electronic Colloquium on Computational Complexity, 1998. of a Book). Weizmann Institute of Science, 1995. Avail- Extended abstract in these proceedings. able, along with revised version 1/98, from http:// [Vaz85] Umesh V. Vazirani. Towards a strong communication com- www.wisdom.weizmann.ac.il/õded. plexity theory or generating quasi-random sequences from two [Gol97a] Oded Goldreich. A computational communicating slightly-random sources (extended abstract). perspective on sampling (survey). Available from http:// In Proceedings of the Seventeenth Annual ACM Symposium on www.wisdom.weizmann.ac.il/õded/, May 1997. Theory of Computing, pages 366–378, Providence, Rhode Is- land, 6–8 May 1985. [Gol97b] Oded Goldreich. Three XOR lemmas — an exposition. Avail- able from http://www.wisdom.weizmann.ac.il/ [Wig98] Avi Wigderson. Personal communication, October 1998. õded/, November 1997. [Yao82] Andrew C. Yao. Theory and applications of trapdoor functions [Gol98] Oded Goldreich. Modern Cryptography, Probabilistic Proofs (extended abstract). In 23rd Annual Symposium on Founda- and Pseudorandomness, June 1998. To be published by tions of Computer Science, pages 80–91, Chicago, Illinois, 3–5 Springer. November 1982. IEEE. [GRS98] Oded Goldreich, Ronitt Rubinfeld, and Madhu Sudan. Learn- [Zuc96] David Zuckerman. Simulating BPP using a general weak ing polynomials with queries — the highly noisy case. Tech- random source. Algorithmica, 16(4/5):367–391, Octo- nical Report TR98-060, Electronic Colloquium on Computa- ber/November 1996. tional Complexity, 1998. Preliminary version in FOCS ‘95. [GS92] Peter Gemmell and Madhu Sudan. Highly resilient correctors for polynomials. Information Processing Letters, 43(4):169– 174, 28 September 1992. [GS98] Venkatesan Guruswami and Madhu Sudan. Improved decoding of Reed-Solomon and algebraic-geometric codes. Techni- cal Report 98–043, Electronic Colloquium on Computational Complexity, 1998. Preliminary version in FOCS ‘98. [HILL98] J. H˚astad, R. Impagliazzo, L. Levin, and M. Luby. A pseudorandom generator from any one-way function. To appear in SIAM J. on Computing, 1998. [Imp95] Russell Impagliazzo. Hard-core distributions for somewhat hard problems. In 36th Annual Symposium on Foundations of Computer Science, pages 538–545, Milwaukee, Wisconsin, 23–25 October 1995. IEEE.