Applied University Mathematics LECTURE Series Volume 55 A Primer on Pseudorandom Generators Oded Goldreich American Mathematical Society http://dx.doi.org/10.1090/ulect/055 A Primer on Pseudorandom Generators University LECTURE Series Volume 55 A Primer on Pseudorandom Generators Oded Goldreich M THE ATI A CA M L ΤΡΗΤΟΣ ΜΗ N ΕΙΣΙΤΩ S A O C C I I R E E T ΑΓΕΩΜΕ Y M A F O 8 U 88 NDED 1 American Mathematical Society Providence, Rhode Island EDITORIAL COMMITTEE Eric M. Friedlander (Chair) Benjamin Sudakov William P. Minicozzi II Tatiana Toro 2010 Mathematics Subject Classification. Primary 68-01, 68-02, 68Q01, 68R01; Secondary 68Q15, 68Q17, 68W20. For additional information and updates on this book, visit www.ams.org/bookpages/ulect-55 Library of Congress Cataloging-in-Publication Data Goldreich, Oded. A primer on pseudorandom generators / Oded Goldreich. p. cm. — (University lecture series ; v. 55) Includes bibliographical references and index. ISBN 978-0-8218-5192-0 (alk. paper) 1. Computational complexity. 2. Random number generators. 3. Computer science–Math- ematics. I. Title QA267.7.G654 2010 004.0151–dc22 2010018152 Copying and reprinting. Individual readers of this publication, and nonprofit libraries acting for them, are permitted to make fair use of the material, such as to copy a chapter for use in teaching or research. Permission is granted to quote brief passages from this publication in reviews, provided the customary acknowledgment of the source is given. Republication, systematic copying, or multiple reproduction of any material in this publication is permitted only under license from the American Mathematical Society. Requests for such permission should be addressed to the Acquisitions Department, American Mathematical Society, 201 Charles Street, Providence, Rhode Island 02904-2294 USA. Requests can also be made by e-mail to [email protected]. c 2010 by the American Mathematical Society. All rights reserved. The American Mathematical Society retains all rights except those granted to the United States Government. Printed in the United States of America. ∞ The paper used in this book is acid-free and falls within the guidelines established to ensure permanence and durability. Visit the AMS home page at http://www.ams.org/ 10987654321 151413121110 Contents Preface ix 1 Introduction 1 1.1TheThirdTheoryofRandomness.................... 2 1.2OrganizationofthePrimer........................ 4 1.3StandardConventions........................... 5 1.4TheGeneralParadigm........................... 6 1.4.1 Threefundamentalaspects.................... 6 1.4.2 Notationalconventions....................... 7 1.4.3 Some instantiations of the general paradigm . ... 8 Notes....................................... 8 Exercises ..................................... 9 2 General-Purpose Pseudorandom Generators 11 2.1TheBasicDefinition............................ 11 2.2TheArchetypicalApplication....................... 12 2.3 Computational Indistinguishability . ..... 15 2.3.1 Thegeneralformulation...................... 15 2.3.2 Relationtostatisticalcloseness................. 16 2.3.3 Indistinguishability by multiple samples . .... 16 2.4AmplifyingtheStretchFunction..................... 19 2.5Constructions................................ 21 2.5.1 Background:one-wayfunctions.................. 21 2.5.2 Asimpleconstruction....................... 23 2.5.3 Analternativepresentation.................... 23 2.5.4 Anecessaryandsufficientcondition............... 24 2.6 Non-uniformly Strong Pseudorandom Generators . ..... 25 2.7 Stronger (Uniform-Complexity) Notions . .... 27 2.7.1 Foolingstrongerdistinguishers.................. 27 2.7.2 Pseudorandomfunctions...................... 27 2.8ConceptualReflections........................... 29 Notes....................................... 30 Exercises..................................... 31 v vi CONTENTS 3 Derandomization of Time-Complexity Classes 35 3.1DefiningCanonicalDerandomizers.................... 35 3.2 Constructing Canonical Derandomizers . .... 37 3.2.1 The construction and its consequences . 38 3.2.2 Analyzingtheconstruction.................... 40 3.2.3 Construction 3.4 as a general framework . 41 3.3 Reflections Regarding Derandomization . 43 Notes....................................... 43 Exercises..................................... 44 4 Space-Bounded Distinguishers 47 4.1DefinitionalIssues............................. 47 4.2TwoConstructions............................. 50 4.2.1 Sketches of the proofs of Theorems 4.2 and 4.3 . 51 4.2.2 Derandomization of space-complexity classes . .... 54 Notes....................................... 56 Exercises..................................... 56 5 Special Purpose Generators 59 5.1PairwiseIndependenceGenerators................... 60 5.1.1 Constructions............................ 60 5.1.2 Atasteoftheapplications..................... 62 5.2Small-BiasGenerators........................... 63 5.2.1 Constructions............................ 64 5.2.2 Atasteoftheapplications..................... 65 5.2.3 Generalization........................... 66 5.3RandomWalksonExpanders....................... 66 5.3.1 Background: expanders and random walks on them . 67 5.3.2 Thegenerator............................ 68 Notes....................................... 69 Exercises..................................... 69 Concluding Remarks 77 Appendices 79 A Hashing Functions 79 A.1Definitions.................................. 79 A.2Constructions................................ 80 A.3TheLeftoverHashLemma......................... 81 B On Randomness Extractors 83 B.1Definitions.................................. 84 B.2Constructions................................ 85 CONTENTS vii C A Generic Hard-Core Predicate 89 D Using Randomness in Computation 93 D.1 A Simple Probabilistic Polynomial-Time Primality Test ........ 93 D.2TestingPolynomialIdentity........................ 95 D.3TheAccidentalTouristSeesItAll.................... 96 E Cryptographic Applications of Pseudorandom Functions 99 E.1SecretCommunication........................... 99 E.2AuthenticatedCommunication......................101 F Some Basic Complexity Classes 103 Bibliography 107 Index 113 Preface Indistinguishable things are identical.1 G.W. Leibniz (1646–1714) This primer to the theory of pseudorandomness presents a fresh look at the question of randomness, which arises from a complexity theoretic approach to randomness. The crux of this (complexity theoretic) approach is the postulate that a distribution is random (or rather pseudorandom) if it cannot be distinguished from the uniform distribution by any efficient procedure. Thus, (pseudo)randomness is not an inherent property of an object, but is rather subjective to the observer. At the extreme, this approach says that the question of whether the world is actually deterministic or allows for some free choice (which may be viewed as a source of randomness) is irrelevant. What matters is how the world looks to us and to various computationally bounded devices. That is, if some phenomenon looks random, then we may treat it as if it is random. Likewise, if we can generate sequences that cannot be distinguished from the uniform distribution by any efficient procedure, then we can use these sequences in any efficient randomized application instead of the ideal coin tosses that are postulated in the design of this application. The pivot of the foregoing approach is the notion of computational indistinguisha- bility, which refers to pairs of distributions that cannot be distinguished by efficient procedures. The most fundamental incarnation of this notion associates efficient pro- cedures with polynomial-time algorithms, but other incarnations that restrict atten- tion to different classes of distinguishing procedures also lead to important insights. Likewise, the effective generation of pseudorandom objects, which is of major con- cern, is actually a general paradigm with numerous useful incarnations (which differ in the computational complexity limitations imposed on the generation process). Following the foregoing principles, we briefly outline some of the key elements of the theory of pseudorandomness. Indeed, the key concept is that of a pseudo- random generator, which is an efficient deterministic procedure that stretches short random seeds into longer pseudorandom sequences. Thus, a generic formulation of pseudorandom generators consists of specifying three fundamental aspects – the stretch measure of the generators; the class of distinguishers that the generators are 1This is Leibniz’s Principle of Identity of Indiscernibles. Leibniz admits that counterexamples to this principle are conceivable but will not occur in real life because God is much too benevolent. We thus believe that he would have agreed to the theme of this text, which asserts that indistinguishable things should be considered as if they were identical. ix x PREFACE supposed to fool (i.e., the algorithms with respect to which the computational indis- tinguishability requirement should hold); and the resources that the generators are allowed to use (i.e., their own computational complexity). The archetypical case of pseudorandom generators refers to efficient generators that fool any feasible procedure; that is, the potential distinguisher is any proba- bilistic polynomial-time algorithm, which may be more complex than the generator itself (which, in turn, has time-complexity bounded by a fixed polynomial). These generators are called general-purpose, because their output can be safely used in any efficient application.