Pseudorandom generators without the XOR Lemma y z x Madhu Sudan Luca Trevisan Salil Vadhan June Abstract Impagliazzo and Wigderson IW have recently shown that if there exists a decision problem solvable O (n) (n) in time and having circuit complexity for all but nitely many n then P BPP This result is a culmination of a series of works showing connections b etween the existence of hard predicates and the existence of go o d pseudorandom generators The construction of Impagliazzo and Wigderson go es through three phases of hardness amplication a multivariate p olynomial enco ding a rst derandomized XOR Lemma and a second derandomized XOR Lemma that are comp osed with the NisanWigderson NW generator In this pap er we present two dierent approaches to proving the main result of Impagliazzo and Wigderson In developing each approach we introduce new techniques and prove new results that could b e useful in future improvements andor applications of hardnessrandomness tradeos Our rst result is that when a mo died version of the NisanWigderson generator construction is applied with a mildly hard predicate the result is a generator that pro duces a distribution indis tinguishable from having large minentropy An extractor can then b e used to pro duce a distribution computationally indistinguishable from uniform This is the rst construction of a pseudorandom gen erator that works with a mildly hard predicate without doing hardness amplication We then show that in the ImpagliazzoWigderson construction only the rst hardnessamplication phase enco ding with multivariate p olynomial is necessary since it already gives the required average case hardness We prove this result by i establishing a connection b etween the hardnessamplication problem and a listdeco ding problem for errorcorrecting co des and ii presenting a listdeco ding algo rithm for errorcorrecting co des based on multivariate p olynomials that improves and simplies a previous one by Arora and Sudan AS Keywords Pseudorandom generators extractors p olynomial reconstruction listdeco ding Preliminary versions and abstracts of this pap er app eared in ECCC STV STOC STVa and Complexity STVb y Lab oratory for Computer Science Technology Square MIT Cambridge MA Email madhutheorylcsmited u z Department of Computer Science Columbia University W th St New York NY Email lucacscolumbiaedu Work done at MIT x Lab oratory for Computer Science Technology Square MIT Cambridge MA Email saliltheorylcsmited u URL httptheorylcsmited u sali l Supp orted by a DODNDSEG graduate fellowship and partially by DARPA grant DABTC Introduction This pap er continues the exploration of hardness versus randomness tradeos that is results showing that randomized algorithms can b e eciently simulated deterministically if certain complexitytheoretic assumptions are true We present two new approaches to proving the recent result of Impagliazzo and O n Wigderson IW that if there is a decision problem computable in time and having circuit complexity n for all but nitely many n then P BPP Impagliazzo and Wigderson prove their result by presenting a randomnessecient amplication of hardness based on a derandomized version of Yaos XOR Lemma The hardnessamplication pro cedure is then comp osed with the NisanWigderson NW generator NW and this gives the result The hardness amplication go es through three steps an enco ding using multivariate p olynomials from BFNW a rst derandomized XOR Lemma from Imp and a second derandomized XOR Lemma which is the technical contribution of IW In our rst result we show how to construct a pseudo entropy generator starting from a predicate with mild hardness Roughly sp eaking a pseudoentropy generator takes a short random seed as input and outputs a distribution that is indistinguishable from having high minentropy Combining our pseudo entropy generator with an extractor we obtain a pseudorandom generator Interestingly our pseudo entropy generator is a mo dication of the NW generator itself Along the way we prove that when built out of a mildly hard predicate the NW generator outputs a distribution that is indistinguishable from having high Shannon entropy a result that has not b een observed b efore The notion of a pseudo entropy generator and the idea that a pseudo entropy generator can b e converted into a pseudorandom generator using an extractor are due to Hastad et al HILL Our construction is the rst construction of a pseudorandom generator that works using a mildly hard predicate and without hardness amplication We then revisit the hardness amplication problem as considered in BFNW Imp IW and we show that the rst step alone enco ding with multivariate p olynomials is sucient to amplify hardness to the desired level so that the derandomized XOR Lemmas are not necessary in this context Our pro of is based on a listdeco ding algorithm for multivariate p olynomial co des and exploits a connection b etween the listdeco ding and the hardnessamplication problems The listdeco ding algorithm describ ed in this pap er is quantitatively b etter than a previous one by Arora and Sudan AS and has a simpler analysis An overview of previous results The works of Blum and Micali BM and Yao Yao formalize the notion of a pseudorandom generator and show how to construct pseudorandom generators based on the existence of oneway p ermutations A pseudorandom generator meeting their denitions which we call a BMYtype PRG is a p olynomialtime algorithm that on input a randomly selected string of length n pro duces an output of length n that is computationally indistinguishable from uniform by any adver sary of p oly n size where is an arbitrarily small constant Pseudorandom generators of this form and pseudorandom functions GGM constructed from them have many applications b oth inside and outside cryptography see eg GGM Val RR One of the rst applications observed by Yao Yao is derandomization a given p olynomialtime randomized algorithm can b e simulated deterministically using n p oly n by trying all the seeds and taking the ma jority answer a BMYtype PRG in time In a seminal work Nisan and Wigderson NW explore the use of a weaker type of pseudorandom generator PRG in order to derandomize randomized algorithms They observe that for the purp ose of t derandomization one can consider generators computable in time p oly instead of p oly t where t is the length of the seed since the derandomization pro cess cycles through all the seeds and this induces an t overhead factor anyway They also observe that one can restrict to generators that are go o d against adversaries whose running time is b ounded by a xed p olynomial instead of every p olynomial They then show how to construct a pseudorandom generator meeting this relaxed denition under weaker assumptions than those used to build cryptographically strong pseudorandom generators Furthermore they show that under a suciently strong assumption one can build a PRG that uses seeds of logarithmic length which would b e imp ossible for a BMYtype PRG Such a generator can b e used to simulate randomized algorithms in p olynomial time and its existence implies P BPP The condition under which Nisan and Wigderson prove the existence of a PRG with seeds of logarithmic length is the existence of a decision problem ie a n O n predicate P f g f g solvable in time such that for some p ositive constant no circuit of size 1 To b e accurate the term extractor comes fron NZ and p ostdates the pap er of Hastad et al HILL n n can solve the problem on more than a fraction of the inputs This is a very strong hardness requirement and it is of interest to obtain similar conclusions under weaker assumptions An example of a weaker assumption is the existence of a mild ly hard predicate We say that a predicate n is mildly hard if for some xed no circuit of size can decide the predicate on more than a fraction p olyn of the inputs Nisan and Wigderson prove that mild hardness suces to derive a pseudorandom generator with seed of O log n length which in turn implies a quasip olynomial deterministic simulation of BPP This result is proved by using Yaos XOR Lemma Yao see eg GNW for a pro of to convert a mildly hard predicate over n inputs into one which has input size n and is hard to compute n on a fraction of the inputs A series of subsequent pap ers attacks the problem of obtaining stronger pseudorandom generators starting from weaker and weaker assumptions Babai et al BFNW n show that a predicate of worstcase circuit complexity can b e converted into a mildly hard one Impagliazzo Imp proves a derandomized XOR Lemma which implies that a mildly hard predicate can b e converted into one that cannot b e predicted on more than some constant fraction of the inputs by circuits of n size Impagliazzo and Wigderson IW prove that a predicate with the latter hardness condition can b e transformed into one that meets the hardness requirement of NW The result of IW relies on a dierent derandomized version of the XOR Lemma than Imp Thus the general structure of the original construction of Nisan and Wigderson NW has b een preserved in most subsequent works progress b eing achieved by improving the single comp onents In particular the use of an XOR Lemma in NW continues alb eit in increasingly sophisticated forms in Imp IW Likewise the NW generator and its original analysis have always b een used in conditional derandomization results since Future progress in the area will probably require a departure from this observance of the NW metho dology