Pseudorandom generators without the XOR Lemma

[Extended Abstract]

z x

Madhu Sudany Luca Trevisan Salil Vadhan

Abstract Intro duction

Impagliazzo and Wigderson [IW97] have recently shown that if This paper continues the exploration of hardness versus random-

O n

there exists a decision problem solvable in time and hav- ness trade-offs, that is, results showing that randomized algorithms

n

can be efficiently simulated deterministically if certain complexity-

n P ing circuit complexity (for all but finitely many ) then theoretic assumptions are true. We present two new approaches BPP . This result is a culmination of a series of works showing con-

nections between the existence of hard predicates and the existence to proving the recent result of Impagliazzo and Wigderson [IW97]

O n

of good pseudorandom generators. that, if there is a decision problem computable in time and

n n

The construction of Impagliazzo and Wigderson goes through having circuit complexity for all but finitely many , then

BPP three phases of “hardness amplification” (a multivariate polyno- P . Impagliazzo and Wigderson prove their result by pre- mial encoding, a first derandomized XOR Lemma, and a second senting a “randomness-efficient amplification of hardness” based derandomized XOR Lemma) that are composed with the Nisan– on a derandomized version of Yao’s XOR Lemma. The hardness- Wigderson [NW94] generator. In this paper we present two dif- amplification procedure is then composed with the Nisan–Wigderson ferent approaches to proving the main result of Impagliazzo and (NW) generator [NW94] and this gives the result. The hardness Wigderson. In developing each approach, we introduce new tech- amplification goes through three steps: an encoding using multi- niques and prove new results that could be useful in future improve- variate polynomials (from [BFNW93]), a first derandomized XOR ments and/or applications of hardness-randomness trade-offs. Lemma (from [Imp95]) and a second derandomized XOR Lemma Our first result is that when (a modified version of) the Nisan- (which is the technical contribution of [IW97]). Wigderson generator construction is applied with a “mildly” hard In our first result, we show how to construct a “pseudoentropy predicate, the result is a generator that produces a distribution indis- generator” starting from a predicate with “mild” hardness. Roughly tinguishable from having large min-entropy. An extractor can then speaking, a pseudoentropy generator takes a short random seed be used to produce a distribution computationally indistinguishable as input and outputs a distribution that is indistinguishable from from uniform. This is the first construction of a pseudorandom gen- having high min-entropy. Combining our pseudoentropy generator erator that works with a mildly hard predicate without doing hard- with an extractor, we obtain a pseudorandom generator. Interest- ness amplification. ingly, our pseudoentropy generator is (a modification of) the NW We then show that in the Impagliazzo–Wigderson construction generator itself. Along the way we prove that, when built out of only the first hardness-amplification phase (encoding with multi- a mildly hard predicate, the NW generator outputs a distribution variate polynomial) is necessary, since it already gives the required that is indistinguishable from having high Shannon entropy, a result average-case hardness. We prove this result by (i) establishing a that has not been observed before. The notion of a pseudoentropy connection between the hardness-amplification problem and a list- generator, and the idea that a pseudoentropy generator can be con- decoding problem for error-correcting codes based on multivariate verted into a pseudorandom generator using an extractor, are due polynomials; and (ii) presenting a list-decoding algorithm that im- to H˚astad et al. [HILL98]. Our construction is the first construc- proves and simplifies a previous one by Arora and Sudan [AS97]. tion of a pseudorandom generator that works using a mildly hard predicate and without hardness amplification. The full version of this paper appears as [STV98].

y We then revisit the hardness amplification problem, as consid- Laboratory for Computer Science, 545 Technology Square, MIT, Cambridge, MA 02141. E-mail: [email protected]. ered in [BFNW93, Imp95, IW97], and we show that the first step

z Department of Computer Science, Columbia University, 500W 120th St., New alone (encoding with multivariate polynomials) is sufficient to am- York, NY 10027. Email: [email protected]. Work done at MIT. plify hardness to the desired level, so that the derandomized XOR x Laboratory for Computer Science, 545 Technology Square, MIT, Cam- Lemmas are not necessary in this context. Our proof is based on bridge, MA 02141. E-mail: [email protected]. URL: a list-decoding algorithm for multivariate polynomial codes and http://theory.lcs.mit.edu/˜salil. Supported by a DOD/NDSEG grad- uate fellowship and partially by DARPA grant DABT63-96-C-0018. exploits a connection between the list-decoding and the hardness- amplification problems. The list-decoding algorithm described in this paper is quantitatively better than a previous one by Arora and Sudan [AS97], and has a simpler analysis.

1 To be accurate, the term extractor comes fron [NZ96] and postdates the paper of H˚astad et al. [HILL98].

overview of previous results An The works of Blum and in increasingly sophisticated forms, in [Imp95, IW97]. Likewise, Micali [BM84] and Yao [Yao82] introduce the notion of a cryp- the NW generator and its original analysis have always been used tographically strong pseudorandom generator (csPRG) and show in conditional derandomization results since. Future progress in how to construct pseudorandom generators based on the existence the area will probably require a departure from this observance of

of one-way permutations. A csPRG is a polynomial-time algorithm the NW methodology, or at least a certain amount of revisitation of that on input a randomly selected string of length n produces an its main parts.

output of length n that is computationally indistinguishable from In this paper, we give two new ways to build pseudorandom

n uniform by any adversary of p oly size, where is an arbitrar- generators with seeds of logarithmic length. Both approaches by- ily small constant. Yao also observes that a given polynomial-time pass the need for the XOR Lemma, and instead use tools (such as

randomized algorithm can be simulated deterministically using a list decoding, extractors, and pseudoentropy generators) that did

n

p oly n csPRG in time by trying all the seeds and taking the not appear in the sequence of works from [NW94] to [IW97]. For majority answer. a diagram illustrating the steps leading up to the results of [IW97] In a seminal work, Nisan and Wigderson [NW94] explore the and how our techniques depart from that framework, see Figure 1. use of a weaker type of pseudorandom generator (PRG) in order to Both of our approaches are described in more detail below. derandomize randomized algorithm. They observe that, for the pur-

pose of derandomization, one can consider generators computable

t

p oly t t in time p oly (instead of ) where is the length of the Worst−case hard seed, since the derandomization process cycles through all the seeds, polynomial t [BFNW93] and this induces an overhead factor anyway. They also observe encoding that one can restrict to generators that are good against adversaries whose running time is bounded by a fixed polynomial, instead of polynomial Mildly hard encoding Thm 10 XOR [Imp95] every polynomial. They then show how to construct a pseudo- + noisy Lemma random generator meeting this relaxed definition under weaker as- reconstruction (Thm 19) Constant hardness sumptions than those used to build cryptographically strong pseu- XOR Pseudoentropy Lemma [IW97] dorandom generators. Furthermore, they show that, under a suf- Generator ficiently strong assumption, one can build a PRG that uses seeds Extremely hard of logarithmic length (which would be impossible for a csPRG). [NW94] extractor

Such a generator can be used to simulate randomized algorithms (Lem 13)

BPP in polynomial time, and its existence implies P . The con- Pseudorandom Generator dition under which Nisan and Wigderson prove the existence of a

PRG with seeds of logarithmic length is the existence of a decision

n

f g f g

problem (i.e., a predicate P ) solvable in time

n n

O Figure 1: A comparison of our approach with previous ones. Dou-

such that for some positive constant no circuit of size n

ble arrows indicate our results.

can solve the problem on more than a fraction of the inputs. This is a very strong hardness requirement, and it is of

interest to obtain similar conclusions under weaker assumptions.

Pseudo entropy Generator An example of a weaker assumption is the existence of a mildly A Nisan and Wigderson show

hard predicate. We say that a predicate is mildly hard if for some that when their generator is constructed using a very hard-on-average

n

fixed no circuit of size can decide the predicate on more predicate, then the output of the generator is indistinguishable from

p oly n than a fraction of the inputs. Nisan and Wigder- the uniform distribution. It is a natural question to ask what hap-

son prove that mild hardness suffices to derive a pseudorandom pens if there are stronger or weaker conditions on the predicate. In

log n generator with seed of O length, which in turn implies a this paper we consider the question of what happens if the predicate

quasi-polynomial deterministic simulation of BPP. This result is is only mildly hard. Specifically we are interested in whether expo- proved by using Yao’s XOR Lemma [Yao82] (see, e.g., [GNW95] nential average-case hardness is really necessary for direct pseu-

for a proof) to convert a mildly hard predicate over n inputs into dorandom generation. In this paper we first show that, when a

one which has input size n and is hard to compute on a fraction mildly hard predicate is used in the NW generator, then there exists

n

a distribution having high Shannon entropy that is indistinguish-

of the inputs. A series of subsequent papers attacks the problem of obtaining stronger pseudorandom generators start- able from the output of the generator. Our main result is then that,

ing from weaker and weaker assumptions. Babai et al. [BFNW93] for a mildly hard predicate, a modified version of the NW gener-

n ator has an output indistinguishable from a distribution with high show that a predicate of worst-case circuit complexity can be converted into a mildly hard one. Impagliazzo [Imp95] proves a min-entropy. Such a generator is essentially a “pseudoentropy gen- derandomized XOR Lemma which implies that a mildly hard pred- erator” in the sense of H˚astad et al. [HILL98]. The intuition behind

icate can be converted into one that cannot be predicted on more our proof is that if a predicate is hard to compute on more than a

n fraction of the inputs then there should be some subset of the than some constant fraction of the inputs by circuits of size . Impagliazzo and Wigderson [IW97] prove that a predicate with the inputs of density on which the predicate is very hard — this in- latter hardness condition can be transformed into one that meets the tuition is made precise by a result of Impagliazzo [Imp95]. Due to hardness requirement of [NW94]. The result of [IW97] relies on a the high hardness, the evaluation of the predicate in a random point different derandomized version of the XOR Lemma than [Imp95]. of this set will be indistinguishable from a random bit. The NW

Thus, the general structure of the original construction of Nisan and generator constructed with a predicate P works by transforming an

s x x m

Wigderson [NW94] has been preserved in most subsequent works, input seed into a sequence of points from the domain

P P x P x P x

m

progress being achieved by improving the single components. In of ; the output of the generator is then . x particular, the use of an XOR Lemma in [NW94] continues, albeit For a random seed, each of the points i is uniformly distributed,

and so we expect to typically generate m points from the hard

2 m This has to be true for all but finitely many input lengths n. set, so that the output of the generator looks like having bits of 3 In fact the result of [BFNW93] was somewhat weaker, but it is easily extendable to yield this result. 4 The techniques of Andreev et al. [ACR97] are a rare exception, but they yield weaker result than the ones of [IW97]. f randomness, that is, it is indistinguishable from some other distri- that is -close to is computed by one of these programs. Finding

bution having (Shannon) entropy m. The generation of the points a generalized reconstruction procedure of this form is a version of

x x m can be modified so that the number of points landing in the “list decoding” problem for error-correcting codes (though we

the hard set is sharply concentrated around its expected value m. will not use the phrase “list decoding” in most of our exposition). The output of the modified generator is then indistinguishable from Such a generalized reconstruction procedure has been given for the having high min-entropy. When our generator is composed with a first time only very recently by Arora and Sudan [AS97]. The pro- sufficiently good extractor (such as the one in [Tre98]) then the re- cedure of Arora and Sudan has a complicated analysis that relies sult is a pseudorandom generator. This is the first construction of a on their difficult analysis of the low-degree test for the “highly pseudorandom generator based on mild average-case hardness that noisy” case. In this paper we present a reconstruction procedure does not rely on hardness amplification. It is also the first applica- that works for an even wider range of parameters and has a much tion of the notion of a pseudoentropy generator to the construction simpler proof. We also show that our reconstruction procedure is of PRG in the Nisan–Wigderson sense. strong enough to imply the hardness amplification result of [IW97] (but even the weaker procedure of Arora and Sudan [AS97] would Remark 1 While in this paper we analyze for the first time the have sufficed). It has been pointed out to us that the connection Nisan-Wigderson generator under a weaker assumption than the between (generalized) polynomial reconstruction and hardness am- one originally considered in [NW94], there has also been some plification has also been observed by Avi Wigderson [Wig98] and work exploring the effect of stronger assumptions on the predicate. S. Ravi Kumar and D. Sivakumar [KS98]. Impagliazzo and Wigderson [IW98] show that if the predicate has

certain additional properties (such as “downward self-reducibility”) Preliminaries then one needs only a uniform hardness assumption on the pred-

icate (rather circuit-complexity assumption). Arvind and K¨obler n

U f g

We write n for the uniform distribution on . The statistical

[AK97] and Klivans and van Melkebeek [KvM98] show that if the

Y U difference between two random variables X and on a universe

predicate is hard on average for nondeterministic circuits, then the

max jPr X S Pr Y S j

U is defined to be S . output of the generator is indistinguishable from uniform for non- Our main objects of study are pseudorandom generators:

deterministic adversaries. Therefore it is possible to derandomize

AM n

classes involving randomness and nondeterminism, such as . d

f g f g s Definition 2 A function G is an pseudo-

Trevisan [Tre98] shows that if the predicate is chosen randomly

s G U

random generator if no circuit of size can distinguish from n

from a distribution having certain properties, then the output is sta- C with advantage greater than . That is, for every circuit of size tistically close to uniform. This yields the construction of extractors

s,

that we use in our generator.

jPr C U Pr C GU j

n

d

Connection with Polynomial Reconstruction The Our We begin by recalling the Nisan–Wigderson construction of second result deals with the polynomial reconstruction problem pseudorandom generators. and its connection to amplification of hardness. In the polyno-

mial reconstruction problem we want to design an efficient ran-

The NisanWigderson generator

domized algorithm that, given oracle access to a function f that

p

has -agreement an unknown low-degree polynomial , com- The combinatorial construction underlying the NW generator isa

putes p on every input with high probability over its internal collection of sets with small intersections, called a design. coin tosses. This problem has been studied for its applications

to program checking, average case hardness results for the perma-

N Lemma 3 (design [NW94]) For every m , there exists a a

nent, and random self-reducibility of complete problems in high

S S f dg m

family of sets such that

complexity classes [BF90, Lip89, GLR 91, FF93, GS92, FL96,

d O log m i jS j

1. , 2. For all , i , and 3. For all

CPS99].

i j jS S j log m j i . Moreover, such a family can be found

The applicability of polynomial reconstruction to hardness ver- d

m deterministically in time p oly sus randomness results was demonstrated by Babai et al. [BFNW93].

They show that the existence of a polynomial reconstruction proce-

For concreteness, one can think of m for some small

dure implies that one can convert a worst-case hard predicate into

d O O log m constant , so that . Given such one which is mildly average-case hard by encoding it as a poly- a family of sets, the NW generator takes a uniformly distributed

nomial. As in [NW94, Imp95, IW97] one can further amplify the

m string of length d and produces strings of length . That is, given

hardness using XOR Lemmas. It is intuitively clear that a stronger m parameters and , we take the family of sets given by Lemma 3

reconstruction algorithm would imply a stronger hardness amplifi-

d

m

NW f g f g cation result and it could be used in place of the XOR Lemma. Un- and define m by

fortunately, some calculations show that a polynomial reconstruc-

x x NW x x

S S S

m

m

2 1

o tion algorithm would have to work with in order to be a

viable surrogate of an XOR Lemma, but if we have access to a func-

x x

where S denotes the projection of onto the coordinates speci-

i

p

tion f with -agreement to some polynomial , where , S

fied by i .

then p is not uniquely determined and the polynomial recon- The key property of this generator used in [NW94, IW97] is

struction problem is ill-posed. On the other hand even for very x

that the strings S behave as if they are independent when they i

small values of , there is only a small number of polynomials that

f g f g

are used as inputs to a hard function. Let P be f are -close to any given function , and one can conceive a gener-

any predicate. Then the NW pseudorandom generator using P is a

alized reconstruction procedure that having oracle access to f out-

d m

P

NW PRG f g f g

puts a small number of efficient programs so that every polynomial function - m given by 5

An extractor is an efficient algorithm that on input a distribution sampled from a P

NW PRG x P x P x P x

m

- m

distribution with high min-entropy has an output that is statistically close to uniform.

6

g f g

We say that a function f has agreement with a function if and are equal

x x NW x

m where m on a fraction at least of their domain.

m s m

The main theorem of [NW94] is that if P is taken to be a suffi- entropy at least such that no circuit of size

P

NW PRG s O m log m

ciently hard (on average) predicate, - m is a good pseu- can distinguish the output of

d m

P

PRG f g f g D

dorandom generator. NW - m from with advantage greater

than .

f g f g

Theorem 4 ([NW94]) Suppose P is a predi- P

cate such that no circuit of size s can compute correctly on

NW PRG

m m P

more than a fraction of the inputs. - is an H

m Proof: Let be a -hardcore set for , as given by

s O m log m pseudorandom generator. Theorem 5. We will show that the following distribution satisfies the requirements of the theorem.

The pseudorandom generators produced by this theorem can be

d O log m

spectacular, as the seed length can be much d

D x f g Distribution Choose uniformly from . Let

smaller than (even logarithmic in) the number of output bits if P is

x x NW x x H b f g

m i i . If , select uniformly

sufficiently hard. The main drawback is that the hypothesis is also

x H b P x b b

i i m at random, and if i let . Output . extremely strong (in that P must be very hard on average), and

much work has been done to construct predicates that are strong m First, we argue that the entropy of D is at least . Define

enough for Theorem 4 based on weaker assumptions [BFNW93,

N x x x H

m i to be the number of ’s that are in . Then for

Imp95, IW97, IW98]. In the next section, we analyze the quality

d

x f g D j D x

of this generator when only a mildly hard predicate is used. any , the entropy of x (i.e., conditioned on ) is

NW x

N ). By the definition of the Nisan-Wigderson generator, x

each i is (individually) uniformly distributed and therefore lands

Pseudorandom generators via pseudo entropy

in H with probability . By linearity of expectations, the expecta-

NW x x m tion of N (over uniformly selected ) is . Thus, since In this section, we show how to build a pseudorandom generator conditioning reduces entropy (cf., [CT91, Th. 2.6.5]),

out of a mildly hard predicate in a different (and arguably more

D D j

direct) way than [IW97]. Specifically, we show how to directly

H E H x

build a “pseudoentropy generator” from a mildly hard predicate and x

N NW x argue that applying an extractor to its output gives a pseudorandom E

generator. x

m

P

Using a mildly hard predicate

D NW PRG Now we show that and - m are computationally

Intuitively, the reason the NW pseudorandom generator works is indistinguishable. Suppose that some circuit C distinguishes the

NW PRG D

output of - m from with advantage greater than .

x P P x i

that whenever i is a “hard instance” of , is indistinguish-

m s We will show that C must be of size at least

able from a random bit. If P is very hard as in the hypothesis of

O m log m

Theorem 4, then almost all inputs are hard instances. Thus, with . By complementing C if necessary, we have

h i x

high probability all the i ’s will be hard instances and the limited

P

Pr C NW PRG U Pr C D

d

m

P x x - i dependence of the i ’s guarantees that the ’s will look simul-

taneously random.

P

f g r f g

Now suppose that is instead only mildly hard, in the sense For x and , define

that no small circuit can compute correctly on more than a

r H

fraction of inputs, for some small but noticeable . Intuitively, if x

Qx r

x

this means that some fraction of the inputs are extremely hard P otherwise.

for P . Thus, we’d expect that a fraction of the output bits of

P

P

NW PRG

- m are indistinguishable from random, so that we should

U D D D NW PRG

m d

Now consider “hybrids” of and - m get some crude pseudorandomness out of the generator. In fact, this defined as follows: intuition about hard instances can be made precise, using the fol-

lowing result of Impagliazzo [Imp95]. d

Distribution D x f g

j Choose uniformly from and choose

r r f g j m p

m j uniformly from . For , let

Theorem 5 (hardcore sets [Imp95]) Suppose no circuit of size s

r q Qx p p q q P x

j j S i i m

S and . Output .

j j

f g f g

can compute P on more than a fraction

P

g

of the inputs in f . Then, for every , there exists an -

D NW PRG U D D

m

Thus, - d , and . By the “hybrid

H f g jH j

hardcore set such that and no circuit of argument” of [GM84] (cf. [Gol95, Sec. 3.2.3]), there is an i such

s P size s can compute correctly on more than a

that

fraction of the inputs in H .

m Pr C D Pr C D

i i

Using this theorem, we can prove something about the output

H Pr C D j x

i S

P

i

NW PRG P

of - m when a mildly hard predicate is used. Notice

H Pr C D j x

i S

i

x x

that if is chosen uniformly at random, then each component i

H Pr C D j x

i S

x NW x f g

i S

of the output of m is uniformly distributed in .

i

x H m

i

H Pr C D j x

Hence, the expected number of ’s that land in is . Thus, the

i S

i

P

NW PRG

earlier intuition suggests that the output of - m should

H Pr C D j x

i S i

have m bits of pseudorandomness, and this is in fact true.

H Pr C D j x

i S

i

s P f g

Theorem 6 Suppose no circuit of size can compute 7

D D

Recall that the (Shannon) entropy of a distribution is H

P

Pr D log Pr D

g f g

f .

on more than a fraction of the inputs in . Then, 8

m A similar “bit-flipping” technique is used in [HILL98] to prove their construction

D f g for every , there is a distribution on of (Shannon) of a false entropy generator.

D D x x x

i m

where the last equality is because i and are identical con- obtain from a seed using the NW generator, we ob-

H x q y y y

i m

ditioned on S . Expanding and using the fact that tain pairwise independent from a seed , and then use

i

r r Qx H x z x y z x y

i i S m m m

when S , we have as the inputs to the predi-

i i

cate P . As we will see in the next section, this gives a generator

H C p p r q q j x Pr

i i i m S

i whose output is indistinguishable from some distribution with high

r x

min-entropy, as desired.

Pr H C p p p q q j x

i i i m S

i

x r

A pseudo entropy generator

m The following definition (following [HILL98]) formalizes the type

d

x f g r r m

where is chosen uniformly in and i are selected of generator we obtain.

f g r b

uniformly in . Renaming i as and using the standard trans-

d m

f g f g k s

formation from distinguishers to predictors [Yao82] (cf. [Gol98, Definition 7 A generator G is a pseu-

m

f g

Sec. 3.3.3]), we see that doentropy generator if there is a distribution D on of min- s

entropy k such that no circuit of size can distinguish the output of

H C p p bq q b p j x Pr

i i m i S

i

G D r

xb from with advantage greater than .

Remark 8 The above definition differs from that of [HILL98] in m

several ways. Most importantly, we require the output to be in-

r p q P x Qx

j j S S

Recall that j (resp., ) is defined to be (resp., ), distinguishable from having high min-entropy, whereas they only

j j

x x S j

where S is the projection of onto the bits specified by . Us- require that it be indistinguishable from having high Shannon en-

j

r r b

m

ing an averaging argument we can fix i , , and all the tropy. They later convert to the Shannon entropy to min-entropy by

x S

bits of outside i while preserving the advantage in predicting taking many samples on independent seeds, but we cannot afford

p P x x z z

S S

i . Renaming as , we now observe that varies the extra randomness needed to do this. Other differences are that

i i

H p j i q j i j

uniformly over while j for and for are now we ask for indistinguishability against circuits rather than uniform

G

P z jS S j log m z

i j functions j of that depend on only bits of . adversaries, that we do not require that be computable in poly-

So, we have nomial time, and that we do not explicitly ask that k be larger than

d (though the notion is uninteresting otherwise).

Pr C P z P z bP z P z b P z

i i m

z Recall that we need a way of generating many pairwise inde-

pendent strings from a short seed.

m

N m

Lemma 9 ([CG89] (see also [Gol97a])) For any and

P O m log m

Each j can be computed by a circuit of size ,

m

PI f g f g

log m

since every function of bits can be computed by a circuit , there is a generator m such that

y PI y

b C

of that size. Incorporating these circuits and into , we obtain a for selected uniformly at random, the random variables m ,

PI y PI

C size C O m log m

m m

circuit of size such that , m are pairwise independent. Moreover is com-

m

putable in time p oly .

Pr C z P z

z

m

f g f g m

Let P be any predicate, let be any posi-

d NW

tive integer, and let be the seed length of m . Then our pseu-

m P C

Now, since H is )-hardcore for as in Theorem 5,

d

P

P PE f g

m s m s

must have size greater than , doentropy generator using is a function m

m

f g

m sO m log m

and hence C must have size greater than . given by

P

PE x y P x y P x y P x y

m m m

Thus, using a mildly hard predicate with the NW generator, we where

can obtain many bits of crude pseudorandomness. A natural next

x x NW x y y PI y

m m m step would be to try to “extract” this crude pseudorandomness and m and obtain an output that is indistinguishable from the uniform distri- bution. Unfortunately, one cannot hope to extract uniformly dis- The following theorem, whose proof can be found in the full tributed bits from a distribution that just has high Shannon entropy. version of the paper [STV98], confirms that this construction does

Extraction is only possible from distributions that have high min- in fact yield a pseudoentropy generator. S

entropy. Recall that a distribution D on a finite set is said to have

k

P f g

Theorem 10 Suppose no circuit of size s can compute

x D Pr X x

min-entropy k if for all , .

f g g

The reason that we were only able to argue about Shannon en- f on more than a fraction of the inputs in . Then,

d m

P

m x H

m PE k s f g f g

tropy in Theorem 6 is that we could only say that i ’s land in for any , m is a

on average. To obtain a result about min-entropy, we would need pseudoentropy generator, with

x H

to guarantee that many i ’s lie in with high probability. Clearly,

x

d O log m this would be the case if the i ’s were generated pairwise indepen- seed length

dently instead of via the NW generator. But we also need the spe-

k m pseudoentropy

cial properties of the NW generator to make the current argument

s m s O m log m

about indistinguishability work. Following [IW97], we resolve this adversary size

O m dilemma by taking the XOR of the two generators to obtain a new adversary’s advantage

generator with the randomness properties of each. That is, we

2

P log m

9

PE p oly m

[IW97] take the XOR of the NW generator with a generator coming from a ran- Moreover, m is computable in time with P dom walk on an expander. m oracle calls to .

Extracting the randomness p oly n

can be evaluated in time , so the resulting pseudorandom

BPP generator is sufficiently strong to obtain P . The tool we will use to transform our pseudoentropy generator into

a pseudorandom generator is an extractor. Proof: By Theorem 10,

m d m

f g f g f g

Definition 11 A function EXT is

m

d O O

k D f g

a -extractor if for every for every distribution on

log m log s

k D U

of min-entropy , EXT d has statistical difference at most U

from n . By Theorem 12,

We will make use of the following recent construction of ex-

m

log

m

tractors:

A

O log s O d O

log m log s

k k m

Theorem 12 ([Tre98]) For every m, , and such that ,

p

k m d

k f g f g f g

there is a -extractor EXT

t p oly m d p oly m

and EXT is computable in time .

such that s

By Lemma 13, no circuit of size can distinguish the output of

log m

PE PRG O m

O

d - from uniform wth advantage greater than

log k

n

O , where

p

m d k

f g f g f g

and EXT is computable in time

s m s O m log m t s p oly s

m d

p oly .

p

s s By choosing sufficiently small, will always be at least . The following lemma (proved in the full version of the pa- per [STV98]) confirms the intuition that applying an extractor to a distribution that is computationally indistinguishable from a dis- Remark 15 As mentioned earlier, H˚astad et al. [HILL98] intro- tribution with high min-entropy should yield a distribution that is duced the notion of a pseudoentropy generator and showed that indistinguishable from uniform. the crude pseudorandomness of such a generator can be extracted

to yield a pseudorandom generator. Their work is in the “crypto-

d m

1

G f g f g k s

Lemma 13 Suppose is a pseu- graphic” setting, in which the generators must be computable in

n m d

2

f g f g f g

doentropy generator and EXT is a time polynomial in the seed length and hence one can only hope

k t

-extractor computable by circuits of size . Then for the output to be polynomially longer than the seed (rather than

d d n

1 2

f g f g G u v Gu v

G defined by EXT exponentially, as we obtain). Hence throughout their construction

s t is a pseudorandom generator. they can afford super-linear increases in seed length, whereas pre-

serving the seed length up to linear factors is crucial for obtaining

BPP Summing up, we have the following theorem: pseudorandom generators good enough for P . For exam-

ple, they can afford to use randomness-inefficient extractors such

Theorem 14 There is a universal constant such that the as 2-universal hash functions, whereas we require extractors which

f g f g

following holds. Let P be any predicate such use only a logarithmic number of truly random bits, which have

P

that no circuit of size s can compute correctly on more than a only been constructed recently [Zuc96, Tre98].

s s

fraction of the inputs, where and . Define

P

m d

P

1 PE

Remark 16 The output of the pseudoentropy generator m con-

f g n s m n PE f g

and and let m be

structed in Theorem 10 is actually “nicer” than stated. Specifically,

m m s O m log m O m

the pseudoen- d

m it is indistinguishable from a oblivious bit-fixing source — that is,

2

f g f g

tropy generator of Theorem 10 and let EXT

m m k

n a distribution on strings of length in which bit positions

f g m m be the -extractor of Theorem 12. Let

are fixed and the other k bit positions vary uniformly and indepen-

d d n

P

1 2

PRG f g f g PE- be defined by dently. Such sources were the focus of the “bit extraction problem”

studied in [Vaz85, BBR85, CGH 85, Fri92] and the term “obliv-

P P

PE PRG u v PE u v

- EXT m ious bit-fixing source” was introduced in [CW89]. To see that the

P

PE

output of m is indistinguishable from an oblivious bit-fixing

P

PE PRG s Then, - is a pseudorandom generator with source, simply observe that the distribution D given in the proof

of Theorem 10 is such a source. Extracting from oblivious bit-

n s output length

fixing sources in which all but k bits are fixed is an easier task than

k

extracting from a general source of min-entropy , and already in

d d O

seed length [CW89] there are (implicitly) extractors sufficient for our purposes.

log s

p

s s

adversary size

Algebraic amplication of hardness

O n adversary’s advantage

Recall the main theorem of Nisan and Wigderson (Theorem 4) that

2

P O log s

PE PRG

f g f g

Moreover, - can be evaluated in time with states that given a hard predicate P , one can get

n P O oracle calls to . 10 Indeed, the term “extractor” was not even present at the time of [HILL98] and the

first constructions of randomness-efficient extractors used their Leftover Hash Lemma E

In particular, suppose P is a predicate in such that no circuit as a starting point.

11

P of size s can compute correctly on more than a

Actually, D is a convex combination of oblivious bit-fixing sources. Distribution

n p oly

X X X t

fraction of the inputs. Then the output length is is said to be a convex combination of distributions 1 if there is a distri-

f tg X i f tg

bution on I on such that can be realized by choosing

O O log n s

, the seed length is , no circuit of size

I x X x

according to , taking a sample from i , and outputting . It is easy to see that any

can distinguish the output from uniform, and the generator extractor for oblivious bit-fixing sources also works for convex combinations of them.

Q t n

n s NW PRG f g f g s

a pseudorandom generator. The requirement of a hard predicate Then, for , - is an

n

P in this theorem can be replaced with a requirement of a hard pseudorandom generator with

function (with many bits of output) using the hardcore predicate

n s

construction of Goldreich and Levin [GL89] (see also [Gol97b]). output length

k

f g f g

Given a function g , the hardcore predicate for

k

t O

GL f g f g g seed length

is the function g given by

log s

p

k

s s

adversary size

GL x r hg x r i x f g r f g

g for and

O n

adversary’s advantage

hu v i u u u

where denotes the mod-2 inner product of

P

2

P O log s

u v mo d v v v

i i

and (i.e., ).

i

PRG Moreover, PE- can be evaluated in time with

access to the entire truth table of P .

Theorem 17 ([GL89]) There exists a constant c s.t. the following

k

f g f g

holds. If g is a function such that no circuit of

The reconstruction procedure

g

size s can compute correctly on more than an fraction of the

k

GL f g f g

inputs, then g is a predicate such that no First, a bit of terminology:

c

s P s

circuit of size can compute correctly on more

k

than a fraction of the inputs. Definition 21 A randomized procedure A is said to compute a func-

X Y x X Pr Ax f x tion f at a point if ,

Thus the two theorems above show that it suffices to construct where the probability is taken over the internal coin tosses of A.

f A f

hard functions to obtain pseudorandom generators. The approach We say that A has agreement with if computes on

P

D A f of Impagliazzo and Wigderson is to start from a predicate that is an fraction of the inputs in . We say that computes if it has

hard in the worst case (i.e., no small circuit computes it correctly agreement 1 with f .

on all inputs); then to use a low-degree extension of P to obtain p a polynomial function that is mildly hard on the average. They Now we prove Theorem 19 by providing a uniform solution to then apply two different XOR lemmas to obtain a functions that the following “multivariate reconstruction problem”.

grow harder; eventually obtaining as hard a function as required in

m

F F d N R

Theorem 17. We use an alternate approach for this sequence by Given: An oracle f and parameters and . p

showing directly that the function above is very hard; as hard as Goal: Reconstruct (an implicit representation for) every polyno- f

required for the combination of Theorems 4 and 17. We start by mial that has -agreement with the function . Specifically, con-

M M

specifying the properties of the low-degree extension; a proof of struct randomized oracle machines k such that for every

m

F F d following standard lemma can be found in the full version of this polynomial p of degree that has (relative) agreement

paper [STV98]. f

f j k M p

with , there exists such that computes .

j

P f g f g

Proposition 18 For every , and predicate , We will be interested in the running time of the “reconstruction pro-

m

d N F p F F

there exists m, , a field , and a polynomial

M M cedure”, i.e., the time taken to generate the machines k ,

(the low-degree extension) of total degree d satisfying the following

M M as well as the running times of the machines k .

properties: c

d Theorem 22 There exists a constant such that the reconstruction

log jF j jF j p oly

1. m , , and .

jF j

md log jF j problem above can be solved in time p oly , with the

running time of each of the oracle machines listed in the output

p

T T

P p

2. If and denote the worst-case computation times (or

md log jF j c djF j

being p oly , provided .

p circuit sizes) for P and respectively, then

Remark 23 1. This theorem is a strengthening of a theorem

T T p oly T

P P

p

due to [AS97]. In particular, the lower bound on here is

smaller than that of [AS97], who obtain an unspecified poly-

p P P

( is harder than but not too much harder, especially if

d

O nomial in and . Furthermore, our proof is simpler and

jF j has time complexity .) in particular does not require “low-degree testing.”

In the following section we prove the following theorem. p

djF j

2. The bound of is within a constant factor of the m

bound for the univariate case. The constant c above is not

f F Theorem 19 There exists a constant c s.t. if some function

optimized in this writeup. But our methods can push it down

F d

computed by a circuit of size s agrees with a degree polyno-

p m

to any constant greater than . For the univariate case, this

p F F c djF j mial on fraction of the inputs, then

constant is . No inherent reason is known for the gap.

p oly md log jF j

there exists a circuit of size s that computes p correctly everywhere. Observe that Theorem 19 follows immediately from Theorem 22. Putting together the above we get: We have formulated the multivariate reconstruction problem in such a way that an efficient solution to it (as in Theorem 22) immediately

implies a hardness amplification result. It should be clear that the

Theorem 20 There exists a universal constant such that the

connection actually applies to any error-correcting code for which

f g f g following holds: Let P be a function that is not

there exist efficient algorithms for encoding (as in Proposition 18)

s m d F p

computed by any circuit of size s, where . Let

and “list-decoding” (that is, finding efficient oracle machines for

s

be as guaranteed to exist by Proposition 18 for . Let

every codeword that agrees with a given oracle f in sufficiently

log jF j Q f g Q GL f g p

and be given by many places). The “rate” of the code determines how the input

p log jF j

(where is now viewed as a function from bits to bits). length of the function changes when we encode it (e.g. in Proposi-

m log jF j tion 18, input length becomes and linear growth

p

p

dn djF j

like this is needed to obtain the result of [IW97]). The amount of (Note that k as long as , which is

n

agreement for which the list-decoding works determines how hard- true by hypothesis.) If F is too large to do this, then set

p oly d t t F n

on-average the encoded function is. The running time of the oracle and pick distinct at random from and

n

ft f l t g

i z x i

machines produced in the reconstruction procedure determines the then invoking Theorem 26 on the set i

n

circuit size for which the hardness amplification works. with k . Since there are at most polynomials

f j

We now move on to the proof of Theorem 22. Fix an oracle with agreement at least with l (by the “furthermore”

z x

m m

F F d p F F n

f and a degree polynomial with agree- part of Theorem 26), the choice of guarantees that with

f f j

ment with . We observe that it suffices to reconstruct a (random- high probability, all of these polynomials agree with l

z x

f

M M n t n

ized) oracle machine such that has sufficiently high agree- on at least of the i ’s. As the choice of also guaran-

p

p

n dn

ment with . This is due to the existence of “self-correctors” of tees that k , Theorem 26 yields a list con-

polynomials [BF90, Lip89, GLR 91, GS92]. Specifically, we use taining all polynomials with agreement at least . Now, we the following theorem: wish to discard all polynomials with agreement less than — this can be accomplished by comparing each polynomial

Theorem 24 ([GLR 91]) There exists a randomized oracle ma-

g f j p oly

obtained with l on a random sample of

z x

d m F chine Corr taking as parameters integers and and a field

points from F and discarding it if it has agreement smaller

m

F F

such that on access to an randomized oracle M with

than on this sample.

M

p Corr

agreement with some degree d polynomial , computes

p oly d m jF j d

p in time provided . 2. The number of polynomials output in Step 1 above is at most (by the “furthermore” part of Theorem 26.)

As in the algorithms of [BF90, Lip89, GLR 91], we use the

m

m F

pj

properties of “lines” in the -dimensional space , defined be- To shed some light on the steps above: We expect that l is

z x g

low. one of the i ’s returned in Step (1) above. In Step (2) we try to find g

out which i to use by checking to see if there is a unique one which

m

x y F l

xy

g a pj pz

Definition 25 The line through , denoted , is the i

has (recall that l ), and if so we use this

z x

def

px pj g i

polynomial to output l . This intuition is

z x fl t tx ty j t F g parametrized set of points xy .

m made precise in the Section 5.2. We now finish the description of

f F F f l

Given a function , restricted to the line xy is the

the reconstruction procedure.

f j f j F F t f l t

xy l

function l given by .

xy xy

f d f j t

Reconstruction algorithm.

Notice that if is a polynomial of total degree , then l xy

is a univariate polynomial of degree at most d. Our strategy, to

log

– Repeat the following O several times: x

reconstruct the value of p at a point , is to look at a random line

m

z F p

going through x. On this line turns into a univariate polynomial. 1. Pick at random.

m

F

Furthermore, the random line through the randomly chosen point 2. Pick y at random.

m F

x is a “pairwise independent” collection of points from . Thus

h h

3. Find a list of univariate polynomials l

f

p and will have agreement close to on this line as well. Thus including all polynomials with agreement at least

x p

the goal of finding p “reduces” to the goal of reconstructing

f j

with l .

restricted to this line, i.e., a univariate reconstruction problem, a z y h

4. For every polynomial j , include the oracle ma-

problem that has been addressed in [ALRS92, Sud97, GS98]. In M

z h (0) j

particular, we use the following theorem. chine Corr in the output list.

n

Analysis of the p olynomial reconstruction pro

Theorem 26 ([Sud97]) Given a sequence of distinct pairs

n

ft v g t v F d k

i i i i cedure

i , and integer parameters , a list of

g g jfi f ngjg t

j i all polynomials l satisfying

Now we show that the reconstruction algorithm runs in time run in

p oly n log jF j v gj k

i , can be reconstructed in time provided

md

p

p oly log jF j n

time and outputs a list of oracles that includes

dn l

k . Furthermore .

k

f one for every polynomial p that has agreement with . Theo- We describe a family of reconstruction procedures, rem 22 follows immediately.

The claim about the running time is easily verified. To analyze

m

fM g M

z F aF z a , that will be used to construct the machines ,

the correctness, it suffices to show that in any iteration of Steps 1–4

M

, k . To gain some intuition into the procedure below, it may

in Reconstruction Algorithm, an oracle computing p is part of the

M

z be helpful to consider only the machines z p . The machines

output with, say, constant probability for any fixed polynomial p of

d m

take as parameters a positive real number , integers and , and

f degree d that has agreement with . We show this in two parts.

a field F .

z M

z

First we argue that for most choices of , z p is an oracle that

M

z p(z )

p Corr

M x

z a : computes on of all inputs (and thus computes

z y p everywhere). Then we show that for most pairs , there exists

1. (Explicitly) find a list of distinct (univariate) polyno-

j h h j

s.t. the polynomial j reconstructed in Step 3 satisfies

g g

mials l such that this list includes all polyno-

z

p .

f j

mials that have agreement at least with l and

z x

d F

does not include any polynomial with agreement less Lemma 28 There exists a constant c s.t. for every , , satisfy-

p

than .

c djF j

ing , it is the case that

f l g

2. If there exists a unique index i such that

Pr M x px

g a g

i i

z

, then output , else output anything. z p

x m

Remark 27 1. Step 1 above can be computed in time polyno-

F

with probability at least over the random choice of z ,

log jF j d F

mial in , and as follows: If is small enough,

12

t t F n

then we let be all the elements of and invoke This is done as in Remark 27, though here we do not care if the list contains extra

n

ft f l t g k n

z x i

i polynomials with low agreement. Theorem 26 on the set i with .

z d p Proof: We first argue that when both x and are picked at random, Proof of Theorem 22: Fix any degree polynomial with

certain bad events are unlikely to happen. The next two claims agreement with f . Combining Lemmas 28 and 31 we find that with

describe these bad events and upper bound their probability. probability , one of the oracles output by the reconstruction

M

z p(z )

Corr z M px

p

z

algorithm is ; and is such that z p computes

m

jF j

Claim 29 If , then

x F

for at least fraction of ’s in ; and thus (by Theorem 24)

M

z p(z )

p

Corr computes on every input.

Pr g pj i l

i

s.t. l

z x

O log

xz Repeating the loop times ensures that every polyno-

f

mial p with agreement with is included in the output with high

probability, using the well-known bound that there are only O

pj

Proof: For the polynomial l not to be included in the output

z x such polynomials (cf., [GRS98, Theorem 17]).

f

list it has to be the case that p and do not have agreement on l

the line z x . But the line is a pairwise independent collection of

m

F j F

j points in . The quantity of interest then is the probability

that a random variable with expectation attains an average of at Acknowledgments

jF j

most on samples. Using Chebychev’s inequality, this prob-

We thank Oded Goldreich, Amnon Ta-Shma, and Avi Wigderson

ability may be bounded by 2 .

jF j

for clarifying discussions and pointing us to some related work.

p

djF j

Claim 30 If , then

References

l d [ACR97] Alexander Andreev, Andrea Clementi, and Jos´eRolim. Worst-

Pr j l g pj pj g

j j l

s.t. l and

z x z x

xz

F j j case hardness suffices for derandomization: a new method for hardness-randomness trade-offs. In Proceedings of ICALP’97,

pages 177–187. LNC 1256S, Springer-Verlag, 1997.

M

z

Proof: For convenience in this argument, assume that z p

f j

finds all polynomials of agreement at least with l rather [AK97] V. Arvind and J. K¨obler. On resource-bounded measure and z x than just a subset, as that is clearly the worst case for the claim. pseudorandomness. In Proceedings of the 17th Conference

on Foundations of Software Technology and Theoretical Com-

x z g g Now, instead of picking and at random and then letting l

puter Science, pages 235–249. LNCS 1346, Springer-Verlag,

d f j be all degree polynomials with agreement with l , we

z x 1997.

m

x F

first pick z independently and uniformly at random from ;

[ALRS92] Sigal Ar, Richard J. Lipton, Ronitt Rubinfeld, and Madhu

g g d

and let be all univariate degree polynomials with

l Sudan. Reconstructing algebraic functions from mixed data.

f j t t

l

agreement with . We now pick two distinct elements x

z In 33rd Annual Symposium on Foundations of Computer Sci-

t t F z l x l

x z x

uniformly from and let z and . Notice ence, pages 503–512, Pittsburgh, Pennsylvania, 24–27 Octo-

z l t t t x l t

z x

that we can express z x and ber 1992. IEEE.

l l t t

z x x

. Thus the lines and z contain the same [AS97] Sanjeev Arora and Madhu Sudan. Improved low degree test- def

ing and its applications. In Proceedings of the Twenty-Ninth

g t g t t t t

i

set of points and thus the polynomials i

Annual ACM Symposium on Theory of Computing, pages 485–

f j are exactly the set of polynomials with agreement with l .

z x 495, El Paso, Texas, 4–6 May 1997.

pj pj g g

j j l

Thus the event “ l and ” is equivalent to

z x z x

[BBR85] Charles H. Bennett, Gilles Brassard, and Jean-Marc Robert.

pj pj t g t g t

l l

j j

the event “ and ”, where is be-

z x z

x How to reduce your enemy’s information (extended abstract). d

ing chosen at random. This probability is at most for any fixed j

F j j In Hugh C. Williams, editor, Advances in Cryptology—

CRYPTO ’85, volume 218 of Lecture Notes in Computer Sci-

j pj t g t

l

j

and thus the probability that there exists a s.t

x z

p ence, pages 468–476. Springer-Verlag, 1986, 18–22 August

d

l djF j

is at most l . From and , the claim

F j j 1985. follows. [BF90] Donald Beaver and Joan Feigenbaum. Hiding instances in multioracle queries. In 7th Annual Symposium on Theoretical

Discounting for the two possible bad events considered in Claims 29 Aspects of Computer Science, volume 415 of Lecture Notes in

and 30, we find that with probability at least , there ex- Computer Science, pages 37–48, Rouen, France, 22–24 Febru-

g M g i

i ary 1990. Springer.

z

ists a polynomial returned in Step 1 of z p such that

pj g i l ; furthermore, this is the unique polynomial such that

z x [BFNW93] L´aszl´oBabai, Lance Fortnow, Noam Nisan, and Avi Wigder-

g pj px pj pz

i l

l . Thus the output is . z x

z x son. BPP has subexponential time simulations unless EX-

Thus with probability at least , we find that for a random PTIME has publishable proofs. Computational Complexity,

z x M px

3(4):307–318, 1993.

z pair , z p computes . An application of Markov’s inequality now yields the desired result. [BM84] Manuel Blum and Silvio Micali. How to generate cryptograph- ically strong sequences of pseudo-random bits. SIAM Journal

on Computing, 13(4):850–864, November 1984.

Lemma 31 With probability at least , one of the polynomials [CG89] Benny Chor and Oded Goldreich. On the power of two-point

reconstructed in any one execution of Step 3 of Reconstruction based sampling. Journal of Complexity, 5(1):96–106, March

pj

Algorithm is l ; and thus one of the oracles created in Step 4

z y 1989.

M

z p(z )

Corr jF j is , provided is large enough. [CGH 85] Benny Chor, Oded Goldreich, Johan Hastad, Joel Friedman, Steven Rudich, and Roman Smolensky. The bit extraction

problem or t-resilient functions (preliminary version). In

f

Proof: As in Claim 29 we argue that p and have at least 26th Annual Symposium on Foundations of Computer Science,

l pj z y agreement on the line and then l is one of the polynomials

z y pages 396–407, Portland, Oregon, 21–23 October 1985. IEEE.

M z a

output in this step. Thus one of the oracles created is Corr for [CPS99] Jin-Yi Cai, A. Pavan, and D. Sivakumar. On the hardness of

a pj pz

l . z y the permanent. In 16th International Symposium on Theoreti- cal Aspects of Computer Science, Lecture Notes in Computer

= BPP E Science, Trier, Germany, March 4–6 1999. Springer-Verlag. To [IW97] Russell Impagliazzo and Avi Wigderson. P if appear. requires exponential circuits: Derandomizing the XOR lemma. [CT91] Thomas M. Cover and Joy A. Thomas. Elements of Informa- In Proceedings of the Twenty-Ninth Annual ACM Symposium tion Theory. Wiley Series in Telecommunications. John Wiley on Theory of Computing, pages 220–229, El Paso, Texas, 4–6 & Sons, Inc., 2nd edition, 1991. May 1997. [CW89] Aviad Cohen and Avi Wigderson. Dispersers, deterministic [IW98] Russell Impagliazzo and Avi Wigderson. Randomness vs. amplification, and weak random sources (extended abstract). time: De-randomization under a uniform assumption. In 36th In 30th Annual Symposium on Foundations of Computer Sci- Annual Symposium on Foundations of Computer Science, Palo ence, pages 14–19, Research Triangle Park, North Carolina, 30 Alto, CA, November 8–11 1998. IEEE. October–1 November 1989. IEEE. [KS98] S. Ravi Kumar and D. Sivakumar. Personal communication, [FF93] Joan Feigenbaum and Lance Fortnow. Random-self- October 1998. reducibility of complete sets. SIAM Journal on Computing, [KvM98] Adam Klivans and Dieter van Melkebeek. Graph nonisomor- 22(5):994–1005, October 1993. phism has subexponential size proofs unless the polynomial- [FL96] Uriel Feige and Carsten Lund. On the hardness of computing time hierarchy collapses. Technical Report TR-98-12, Univer- the permanent of random matrices. Computational Complex- sity of Chicago, Department of Computer Science, December ity, 6(2):101–132, 1996. 1998. Extended abstract in these proceedings. [Fri92] Joel Friedman. On the bit extraction problem. In 33rd Annual [Lip89] Richard Lipton. New directions in testing. In Proceedings of Symposium on Foundations of Computer Science, pages 314– DIMACS Workshop on Distributed Computing and Cryptogra- 319, Pittsburgh, Pennsylvania, 24–27 October 1992. IEEE. phy, 1989. [GL89] Oded Goldreich and Leonid A. Levin. A hard-core predicate [NW94] Noam Nisan and Avi Wigderson. Hardness vs randomness. for all one-way functions. In Proceedings of the Twenty First Journal of Computer and System Sciences, 49(2):149–167, Oc- Annual ACM Symposium on Theory of Computing, pages 25– tober 1994. 32, Seattle, Washington, 15–17 May 1989. [NZ96] Noam Nisan and David Zuckerman. Randomness is linear in

[GLR 91] Peter Gemmell, Richard Lipton, Ronitt Rubinfeld, Madhu Su- space. Journal of Computer and System Sciences, 52(1):43– dan, and Avi Wigderson. Self-testing/correcting for polyno- 52, February 1996. mials and for approximate functions. In Proceedings of the [STV98] Madhu Sudan, Luca Trevisan, and Salil Vadhan. Pseudoran- Twenty Third Annual ACM Symposium on Theory of Comput- dom generators without the XOR lemma. Technical Report ing, pages 32–42, New Orleans, Louisiana, 6–8 May 1991. TR98-074, Electronic [GM84] Shafi Goldwasser and Silvio Micali. Probabilistic encryp- Colloquium on Computational Complexity, December 1998. tion. Journal of Computer and System Sciences, 28(2):270– http://www.eccc.uni-trier.de/eccc. 299, April 1984. [Sud97] Madhu Sudan. Decoding of Reed Solomon codes beyond the [GNW95] Oded Goldreich, Noam Nisan, and Avi Wigderson. On Yao’s error-correction bound. Journal of Complexity, 13(1):180– XOR lemma. Technical Report TR95–050, Electronic Collo- 193, March 1997. quium on Computational Complexity, March 1995. http:// [Tre98] Luca Trevisan. Constructions of near-optimal extractors us- www.eccc.uni-trier.de/eccc. ing pseudo-random generators. Technical Report TR98-055, [Gol95] Oded Goldreich. Foundations of Cryptography (Fragments Electronic Colloquium on Computational Complexity, 1998. of a Book). Weizmann Institute of Science, 1995. Avail- Extended abstract in these proceedings. able, along with revised version 1/98, from http:// [Vaz85] Umesh V. Vazirani. Towards a strong communication com- www.wisdom.weizmann.ac.il/˜oded. plexity theory or generating quasi-random sequences from two [Gol97a] Oded Goldreich. A computational communicating slightly-random sources (extended abstract). perspective on sampling (survey). Available from http:// In Proceedings of the Seventeenth Annual ACM Symposium on www.wisdom.weizmann.ac.il/˜oded/, May 1997. Theory of Computing, pages 366–378, Providence, Rhode Is- land, 6–8 May 1985. [Gol97b] Oded Goldreich. Three XOR lemmas — an exposition. Avail- able from http://www.wisdom.weizmann.ac.il/ [Wig98] Avi Wigderson. Personal communication, October 1998. ˜oded/, November 1997. [Yao82] Andrew C. Yao. Theory and applications of trapdoor functions [Gol98] Oded Goldreich. Modern Cryptography, Probabilistic Proofs (extended abstract). In 23rd Annual Symposium on Founda- and Pseudorandomness, June 1998. To be published by tions of Computer Science, pages 80–91, Chicago, Illinois, 3–5 Springer. November 1982. IEEE. [GRS98] Oded Goldreich, Ronitt Rubinfeld, and Madhu Sudan. Learn- [Zuc96] David Zuckerman. Simulating BPP using a general weak ing polynomials with queries — the highly noisy case. Tech- random source. Algorithmica, 16(4/5):367–391, Octo- nical Report TR98-060, Electronic Colloquium on Computa- ber/November 1996. tional Complexity, 1998. Preliminary version in FOCS ‘95. [GS92] Peter Gemmell and Madhu Sudan. Highly resilient correctors for polynomials. Information Processing Letters, 43(4):169– 174, 28 September 1992. [GS98] Venkatesan Guruswami and Madhu Sudan. Improved decod- ing of Reed-Solomon and algebraic-geometric codes. Techni- cal Report 98–043, Electronic Colloquium on Computational Complexity, 1998. Preliminary version in FOCS ‘98. [HILL98] J. H˚astad, R. Impagliazzo, L. Levin, and M. Luby. A pseu- dorandom generator from any one-way function. To appear in SIAM J. on Computing, 1998. [Imp95] Russell Impagliazzo. Hard-core distributions for somewhat hard problems. In 36th Annual Symposium on Foundations of Computer Science, pages 538–545, Milwaukee, Wisconsin, 23–25 October 1995. IEEE.