On randomized cryptographic primitives

On randomized cryptographic primitives Marius Zimand Department of Computer Science University of Rochester Rochester, NY 14627 e-mail: [email protected]

Abstract

The paper investigates the extent to which a public source of random bits can be used to obtain some basic cryptographic primitives: hard functions, pseudo-random generators and one-way functions. Strong randomized hard functions and one-way functions are exhibited. The existence of a randomized pseudo-random generators with analogous safety parameters remains open, but a weaker variant is presented. As a side eect, a very strong separation between sublinear time and AC 0 is obtained.

Keywords: one-way function, pseudo-random generator, hard function.

1 Introduction It is commonly accepted that random bits are a valuable computational resource. Unfortunately, random bits are hard and expensive to produce. Generating them by special-purpose devices such as Geiger counters or Zener diodes is slow and the outcomes must still be further processed (see [SV86] and [Blu84]). One solution to reduce the costs of getting good random bits is to share the random source. We can think of a scenario where there is a public server which provides random bits to anyone requesting them. It is conceivable that this is more practical than connecting a Geiger counter to your PC. However, in some cryptographic protocols one needs private random bits such that the adversary has no means to predict them (we assume here that there is just one such adversary; the generalization to a nite number of adversaries, which is the case in most protocols, is immediate). Is it possible to get such private bits out of a public source ? This is basically the question that is investigated in this paper. More speci cally, we investigate the existence of hard functions, pseudo-random generators, and one-way functions, given a public source of random bits. A hard function f for size (n) is a boolean function such that the probability that any adversary circuit of size (n) correctly computes f is very close to 1=2. Clearly f must spend more computational resources than the adversary as otherwise this one could simply simulate f . A pseudo-random generator is a function f that takes as input a small number of random bits (which in our context are private) and produces a larger number of bits that look random to the adversary. We show that, for all positive and , there exists a hard function, accessing a public source of random bits, which is computable in O(2(+)n ) time and is secure against adversaries that are circuits of size 2n . Thus, even though the adversary has less resources (as explained, this must be necessarily so) we allow him to be a nonuniform Supported in part by grant NSF-CCR-8957604, NSF-INT-9116781/JSPS-ENG-207 and NSF-CCR-9322513.

1

device. Moreover, the hard function can reuse one and the same sequence of public random bits many times against one adversary with very high probability of success (see the next section for the technical meaning of \secure" and \successful with high probability"). We also show that there exists a pseudo-random generator accessing a public source of random bits which runs in polynomial time, doubles the number of private bits and is secure against circuits of exponential size. In this case, we have not been able to prove the possibility of reusing the sequence of public random bits. We conjecture that there exists a pseudo-random generator with this stronger property. Our conjecture is based on the fact that in the classical context where no public source of random bits is considered, Hastad, Impagliazzo, Levin and Luby [HILL91] have established that the existence of pseudo-random generators is equivalent to the existence of one-way functions and we show that there exists one-way functions with access to a public source which can reuse the public random sequence. The concepts and the proofs in this work are inspired by probability one relativizations. The existence of hard functions, pseudo-random generators and one-way functions without the support of a random source is related to some open questions in computational complexity theory which are beyond reach given the \current state of the art." For example, the existence of one-way functions immediately implies P 6= NP (though the converse is open). However, we do know that PA 6= NPA for a random oracle A. This suggests that one could show the existence of randomized one-way functions and the other concepts without any complexity-theoretic assumption and this is basically what we do in this work. The results of this type are explicitly stated in Section 4. Thus our main results can be viewed as a direct outcome of the theory of random oracle relativization whose bene ts have been questioned by some researchers (see, for instance, the paper by Fortnow [For94] for an interesting account of this debate). Moreover, by employing basically the same counting strategy as the one used in the construction of the randomized hard function, we establish a strong separation from sub-linear time. Machines working in sub-linear time are de ned by allowing random access to the read-only input tape and yield quite respectable complexity classes. For example, Allender and Strauss [AS94] consider machines that work in O(log n) time in order to de ne a meaningful notion of measure inside P. More relevant to our result, Barrington, Immerman and Straubing [BIS90] argue convincingly that machines running in O(log n) time yield the proper, robust, notion of uniformity for polynomial-size, constant-depth circuits (i.e., AC0 circuits). The general idea is that the machine describing the AC0 circuit should have less power than the circuit itself as otherwise the circuits could potentially bene t from the computation of the machine that describes it. But how does DTIME [O(log n)] relate to AC0 ? After all, AC0 is a very weak class itself and it is known from the work of Ajtai [Ajt83] that the languages in AC0 are in a large proportion (of strings at each suciently large length n) constant on proper cylinders partitioning the domain (i.e., n ) and, thus, a machine could, in principle, approximate them without reading the whole input. However, we show that machines running in sub-linear time cannot approximate AC0. More exactly, for each 2 (0; 1), we exhibit a very simple predicate f that can be computed by linear-size depth-2 monotone circuits such that if M is a machine running in n time, then for all suciently large n, j Probx2n (f (x) = M (x)) ? 1=2 j n? (1) .

2 De nitions and Main Results The access to a public source of random bits is formalized by using functional oracles. That is the machine computing the hard function, the one-way function or the pseudo-random generator is an oracle machine and we stipulate that the oracle is a function R such that if x is on the query tape and the machine enters a query state, then R(x) is immediately provided on some specially 2

designated answer tape. This models both the situation when the request to the public-server is done on-line and the situation in which the random bits are transferred in a precomputation phase and stored, say, on the hard-disk. The function R consists in fact of a family of functions (Rn )n 2 N, where Rn : i(n) ! m(n) . We stipulate that the machine computing the cryptographic primitive asks on inputs of length n only queries of length i(n). The probabilistic space on inputs of length n is denoted by Rn and consists of the set of all functions Rn as above and the uniform distribution on this set (note that i(n) and m(n) are the same for all functions in Rn ). Such a function Rn can be encoded in 2i(n) m(n) bits, and if the oracle machine M works with Rn as its oracle on inputs of length n, we say that M uses 2i(n) m(n) public random bits. Intuitively, a hard function is a function that cannot be approximated by a circuit of reasonable large size on a fraction of the inputs that is signi cantly dierent than 1/2. Formally, a function f : n ! f0; 1g has hardness ((n); (n)) if for any circuit C of size (n), j Probx2n (C (x) = f (x)) ? 1=2 j (n): Hard functions were used in [NW94] and [Nis91] to produce pseudo-random generator secure against adversaries of various power. We de ne the notion of a randomized hard function by requiring that the above relation holds with high probability. De nition 2.1 Let ; ; : N ! R, M be an oracle machine, and fR be the function computed by the machine M with oracle R. The function computed by M is a randomized hard function that has hardness (; ) with probability if (a) fR is 0-1 valued for all R, and (b) for any family C = (Cn)n2N of oracle circuits of size (n) and for n 2 N suciently large, n R ProbR2Rn ( j j fx 2 : C2nn(x) = fR (x) j ? 21 j (n) ) (n): If (n) = 2? (n) , (n) = 1 ? 2? (n) and (n) = 2 (n) , then the randomized hard function is said to be strong. CnR denotes the fact that the oracle circuit Cn runs with function R as the function oracle (i.e., if the input bits at an oracle gate form the string x, then the string R(x) is produced as the output bits of the oracle gate). In the next theorem we present two randomized hard functions. The rst one achieves a double exponentially small error probability (i.e., (n) = 1 ? 2?2 (n) ) but requires a large gap between the computational power of the adversary, on one side, and the complexity of the machine computing the randomized hard function and the number of public random bits, on the other side. The second one has a much tighter gap and still has the error probability exponentially small. Theorem 2.2 There exist strong randomized hard functions. More precisely: (i) for all natural k > 1 and 2 (0; k ? 1), there is a randomized hard function which has hardness (2?n=3; 2(k?1?)n ) with probability 1 ? 2?42n=3 and is computable by an oracle machine running in O(2kn ) time and using 2(k+1)n kn public random bits, (ii) for all natural k > 0, 2 (0; k) and c > 1, there is a randomized hard function which has hardness (2? (n) ; 2(k?)n ) with probability 1 ? 2? (n) and is computable by an oracle machine running in O(2(k?=c)n) time and using O(n2(k?=c)n ) public random bits. The randomized hard functions in the above theorem satisfy the following Condition A for size ( k ? 2 1?)n , and respectively size 2(k?)n , which implies some good independence properties of the values ffR (x); x 2 n g.

Condition A for size (n): for any circuit C of size (n), for all suciently large n and all x 2 n, j ProbR2Rn (fR (x) = C R(x)) ? 1=2 j 2? (n) . 3

Proposition 2.3 Let fR be a strong randomized hard function having hardness (; ) with probability and satisfying Condition A for size (n). Let n = fx1; : : :; x2n g. There exists a constant c > 0 such that for all sets I f1; : : :; 2ng with jI j cn and for all combinations of bits b1 ; : : :; b2n , bi 2 f0; 1g, if C is an oracle circuit of size (n), then j Probx2n ;R2Rn (fR (x) = C R (x) j 8i 2 I (fR(xi) = bi)) ? 1=2 j 2? (n) . Thus, the knowledge of cn values of the function fR on the domain n , is not very helpful for the adversary to compute further values on the same domain. We pass next to the second cryptographic primitive. A pseudo-random generator is a function f that maps short strings to longer strings such that any adversary of some signi cant computational power cannot distinguish with a good bias between the uniform distribution on the set of long strings and the distribution induced by f when its input is uniform randomly selected in the set of short strings. Thus the function f takes as input short random strings and outputs long strings that look random to the adversary (for concreteness, we require that f doubles the length of its inputs). In the randomized version, the pseudo-random generator takes as input a short private random string and using a public source of random bits produces a long string which looks random to the adversary even though this one knows the public string that has been used. We have not been able to prove the existence of a randomized pseudo-random generator satisfying a relation similar to the one in De nition 2.1. Therefore, below is the de nition of a weaker version called average-randomized pseudo-random generator. De nition 2.4 Let ; ; : N ! R, M be an oracle machine, and fR be the function computed by the machine M with oracle R. The function computed by M is an average-randomized pseudorandom generator that has security (; ) if (a) M runs in polynomial time on all inputs and with all oracles, (b) fR produces outputs having length double than the corresponding input for all R, and (c) for any family C = (Cn)N 2N of oracle circuits of size less than (n) for all natural n, the following relation holds for n 2 N suciently large:

j Probx2n;R2R2n (C2Rn(fR(x)) = 1) ? Proby22n ;R2R2n (C2Rn(y) = 1) j (n)): If (n) = 2? (n) and (n) = 2 (n) , then the average-randomized pseudo-random generator function is said to be strong. CnR is as in De nition 2.1.

Theorem 2.5 There exist strong average-randomized pseudo-random generators. More precisely, there exists an average-randomized pseudo-random generator having security (2?0:49n; 2n=4).

There exist two general methods for building pseudo-random generators, one starting from a hard function and the other one starting from a one-way function. By using the method of Nisan and Wigderson [NW94] for building pseudo-random generators out of hard functions, it is possible to construct a stronger type of randomized pseudo-random generator g mapping n-bits long strings p ?2 ( n) of the public random bits, no oracle into 2n-bits long strings such that with probability 1 ? 2 p p circuit of size 2(1?) n , for any > 0, can distinguish with a bias larger than 2? ( n) between the distribution induced by g and the uniform distribution on p2n-bits long strings. Unfortunately, this randomized pseudo-random generator is computable in 24 n ) time. The construction uses the hard function in Theorem 2.2 (i) and follows closely the method in [NW94], so that we do not go into further details here. We only remark that the double exponentially small probability error for that hard function plays an essential role1 . Hastad, Impagliazzo, Levin and Luby [HILL91] 1 The basic

argument in the the construction in [NW94] is a reduction. It is shown that if a circuit C invalidates the safety of the pseudo-random generator, then one can build a circuit D that invalidates the safety of the hard

4

have indicated another method of constructing pseudo-random generators, this time starting from one-way functions. A one-way function f is a length-preserving function such that any adversary of some signi cant computational power, given f (x) cannot compute a value y such that f (y ) = f (x) with high probability on x. In the randomized version, f is computed by an oracle machine as above and the adversary is an oracle circuit which has access to the same oracle. De nition 2.6 Let ; ; : N ! R, M be an oracle machine, and fR be the function computed by the machine M with oracle R. The function computed by M is a randomized one-way function that has security (; ) with probability if (a) M runs in polynomial time on all inputs and with all oracles, (b) fR is length preserving for all R, and (c) for any family C = (Cn )N 2N of oracle circuits of size (n), and for n 2 N suciently large, ?1 n R ProbR2Rn ( jx 2 : Cn (fR2(xn)) 62 fR (fR(x))j (n) ) (n):

If (n) = 1 ? 2? (n) , (n) = 1 ? 2? (n) and (n) = 2 (n) , then the randomized one-way function is said to be strong. CnR is as in De nition 2.1 Theorem 2.7 There exist strong randomized one-way functions. More precisely, there exists a randomized one-way function that has security (1 ? 2?0:01n; 2n=4) with probability 1 ? 2?0:24n. (Rudich [Rud88] has a similar result to Theorem 2.7. The main dierence is that he counts as failures to invert also the strings in the codomain which do not have a preimage. This is a too liberal de nition because, for instance, it makes the function f (x) = 0jxj to be one-way.)

It does not seem to be possible to build from the one-way function in Theorem 2.7 a randomized pseudo-random generator which can reuse the same public random bits for dierent private seeds (in the spirit of De nition 2.1 and De nition 2.6) and one of the problems resides in the probability error being exponentially small and not double exponentially small. The notation is standard: is the set of nite binary strings and n is the set of binary strings of length n; if x 2 , then jxj is the length of string x; x(i : j ) denotes the substring of x composed by bits i to j ; if S is a set, then jS j is the cardinality of S ; and, nally, if y is a real number, then jy j is the modulus of y . All probabilities are with respect to the uniform distribution or with respect to the Lebesgue measure in the case of probabilities over sets of oracles.

3 Proofs of Main Results We start with three technical lemmas. The proofs are in the appendix. The rst one provides some helpful estimations based on Taylor expansions. Lemma 3.1 For all < 1 and n suciently large, the following inequalities hold: (a) (1 ? n1 )b(ln2)nc 12 ? n1 , (b) (1 ? n1 )b(ln2)nc?n1? 12 + n1 , (c) (1 ? n1 )n2 pe1 en : function. In our case we obtain a circuit DR for each public random string R. However from the double-exponentially smallness of the probability error, we can deduct that, for a large enough set R of public random strings, we obtain the same circuit (i.e. D = DR for all R 2 R) and the argument goes through.

5

The second lemma is a Chebyshev type inequality for 0-1 random variables which are almost pairwise independent and almost identically distributed. Lemma 3.2 Let X1; X2; : : :; Xk be Poisson random variables. Suppose that for some p 2 [0; 1], 2 [0; min(p; 1 ? p)] and M 2 f0; : : :; k ? 1g there exists the sets W1; : : :; Wk , Wi f1; : : :; i ? 1; i + 1; : : :; kg such that the following relations hold for all i 2 f1; : : :; kg and all b 2 f0; 1g: (i) Prob(Xi = 1) 2 (p ? ; p + ), (ii) Prob(Xi = 1jXj = b) 2 (p ? ; p + ) for all j 2 f1; : : :; kg ? Wi , (iii) j Wi j M . Let S = X1 + X2 + : : : + Xk . Then for all > 0, Prob(j Sk ? pj > ) < 12 ( Mk+1 + 9 ): The third lemma estimates the error of computing the probability of an event A conditioned by an event B if we omit the conditioning. Lemma 3.3 For any events A and B, j Prob(AjB) ? Prob(A) j Prob(B ). We proceed to prove the results stated in the previous section.

Proof of Theorem 2.2 : (i) The idea is to use the parity function so that the hard function

is equally in uenced by each bit of the public random string. Making this string longer than the query capabilities of the adversary, we guarantee that the adversary does not have a better strategy to compute the hard function than to basically guess the output. Here is the construction. Fix n 2 N. Rn consists of all functions R : (k+1)n ! kn and, thus, the number of random public bits is as claimed. For each x 2 n , let Block(x) = fy 2 (k+1)n j y is of the form y = xu; juj = kng. For a string z = z1 z2 : : :zt , zi 2 f0; 1g, we denote z = z1 + z2 + : : : + zt (mod 2). We now de ne the randomized hard function by

fR (x) =

X

y2Block(x)

R(y) (mod 2):

In other words, fR (x) is the parity of the string obtained by concatenating the strings R(y ) for all y 2 Block(x). Let C be an oracle circuit of size s(n) 2(k?1?)n . Let n = fx1; x2; : : :; x2n g. For i 2 f1; : : :; 2ng, we de ne the random variable Xi by:

8 >< 1 , if C R(xi) = fR(xi); Xi (R) = > : 0 , if C R(xi) 6= fR(xi)

For each i 2 f1; : : :; 2ng, Prob(Xi = 1) = 1=2, because during the computation of C R on input x at most 2(k?1?)n queries are made, and conditioned by a xed combination of answers to these queries (which x the value of C R (x) ), the probability that fR (x) = b, where b 2 f0; 1g is equal to 1/2 (since for at least 2kn ? 2(k?1?)n y 's in Block(x), R(y ) = 1, with conditioned probability 1/2). Also, for each i 2 f1; : : :; 2ng and each combination of bits b1; : : :; b2n ,

Prob(Xi = bi j X1 = b1 ^ : : : ^ Xi?1 = bi?1 ^ Xi+1 = bi+1 ^ : : : ^ X2n = b2n ) = 1=2; because during the computations of C R on inputs x1 ; x2; : : :; x2n at most 2n 2(k?1?)n = 2(k?)n queries are made and the same argument as above is valid. 6

Therefore, the variables X1; : : :; X2n are independent Bernoulli random variables with Prob(Xi = 1) = 1=2. Let S = X1 + X2 + : : : + X2n . By the Cherno bounds, for all positive , ProbR (j 2Sn ? 21 j > ) 2?422n : Taking = 2?n=3 , we obtain that with probability of R greater than 1 ? 2?42n=3 , it holds that

jProbx2n (C R(x) = fR(x)) ? 1=2j 2?n=3: (ii) To reduce the number of public random bits, we replace the total independence of the key random variables (which resulted from the disjointness of the sets Block(x); x 2 n ) with pairwise independence which will be obtained through the use of universal hash classes. Although the parity function can be used, we prefer another approach in anticipation of some applications in the next sections. Here is the construction. For readability, we take c = 4, but it is straightforward to adapt the proof for any c > 1. Fix n 2 N. Let = =3k and let q (n) = n ? b nc. Rn consists of all functions R : kq(n) ! 2kq(n) . Observe that the number of public random bits is O(n2(k?=3)n ). Let kq(n) = fy1 ; : : :; y2kq(n) g. For each i 2 f1; : : :; 2kq(n)g, we decompose R(yi ) into 2k q (n)-bits strings ai;1; bi;1; : : :; ai;k ; bi;k (i.e., R(y ) = ai;1 bi;1; : : :ai;k bi;k ) and de ne for each j 2 f1; : : :; kg the hash functions hi;j : n ! q(n) by hi;j (x) = ai;j x(1 : q (n)) + bi;j , where the arithmetic operations are over GF (2q(n)). It is well-known that this family of functions form an universal hash class [CW79]. Therefore, for any x 2 n and b 2 q(n) , Probai;j ;bi;j (hi;j (x) = b) = 2?q(n) and for any x1 ; x2 2 n ; b1; b2 2 q(n) with x1(1 : q (n)) 6= x2 (1 : q (n)), the events \hi;j (x1) = b1" and \hi;j (x2) = b2 " are pairwise independent when ai;j and bi;j are uniformly selected at random in q(n) . Next, let hi : n ! kq(n) be de ned by hi (x) = hi;1 (x) : : :hi;k (x) (i.e., we concatenate the q(n)-bit strings h1;i(x); : : :; hi;k (x)) and I = f1; : : :; b(ln 2) 2kq(n) cg . We now de ne the randomized hard function on inputs of length n by

8 >< 1 , if 9i 2 I with hi (x) = 0kq(n); fR(x) = > : 0 , otherwise:

The time needed to compute fR (x) is bounded by O(n log n log log n 2kq(n) ) since one can loop with i in I and at each iteration one has to do k computations of the form ax0 + b in GF (2q(n) ), each of them requiring O(n log n log log n) (see [AHU74]). The time needed to nd an irreducible polynomial of degree q (n) over GF (2), is O(q (n)5) = O(n5) (see [Sho88]), but this operation is done before the loop. Let C be an oracle circuit of size s(n) 2(k?)n . Let n = fx1 ; x2; : : :; x2n g. For i 2 f1; : : :; 2n g, we de ne the random variable Xi by:

8 >< 1 , if C R(xi) = fR(xi); Xi (R) = > : 0 , if C R(xi) 6= fR(xi) Our next goal is to show that for each pair i; j 2 f1; : : :; 2ng such that xi (1 : q (n)) 6= xj (1 : q (n)) and each b 2 f0; 1g, Prob(Xi = 1) and Prob(Xi = 1 j (Xj = b)) are both very close to 1=2 and,

thus, we can apply Lemma 3.2. We evaluate the latter probability (the computations for the rst one are similar and easier). 7

For a xed pair xi ; xj 2 n which are dierent in their rst q (n) bits, let Si;j = fR 2 Rn : there is no yl queried by C R on the inputs xi and xj such that hl (xi ) = 0kq(n) g. Observe that the probability of Si;j , the complementary of Si;j , is less than 2s(n)2?kq(n) 2?((2=3)n?1), because there are less than 2s(n) queries performed during the computations of C R on xi and xj and the probability that any one of these queries yl satis es hl (xi ) = 0kq(n) is 2?kq(n) . Thus Prob(Si;j ) 1 ? 2?((2=3)n?1). For xed b1; b2 2 f0; 1g, we estimate the probability that fR (xi ) = 0 conditioned by Si;j and by the events that Xj = b1 and C R (xi ) = b2 . The idea is that fR (xi ) = 0 is in uenced by the events Xj = b1 and C R(xi ) = b2 only through the queries yl made during the computations of C R on xi and xj . Since we are conditioning by Si;j , we know that for these queries hl (xi) 6= 0kq(n) . Thus the probability we are computing is equal to the probability conditioned by Si;j of the event A = \hl (xi ) 6= 0kq(n) for all l 2 I that were not queried during the computations of C R on inputs xi and xj ." Out of the b(ln 2) 2kq(n) c many l's in I , at most 2 s(n) strings yl can be queried during the computation of C R on xi and xj . Since we are conditioning by Si;j , which has a probability that is very close to 1, the in uence of conditioning is small. Consequently, the probability we are kq(n) ? kq ( n ) (ln2)2 computing is very close to (1 ? 2 ) 1=2. To proceed formally, we consider sets of strings Y = fyi1 ; : : :; yi2s(n) g kq(n) of cardinality 2s(n) (sometimes, Y will be identi ed with the set fi1; : : :; i2s(n)g) and for such a set we denote R(Y ) = R(yi1 ) : : :R(yi2s(n) ) and hY (x) = hi1 (x) : : :hi2s(n) (x) (i.e., the concatenation of the strings R(yi1 ) to R(yi2s(n) ) and, respectively, hi1 (x) to hi2s(n) (x) ). Observe that the values of the random variables (Xj = b1) and (C R (xi) = b2) are determined by hI (xj ) and by the values of R on the strings y that are queried during the computation of C R (xj ) and CR (xi), and that there are at most 2s(n) such queried strings. Let Z = f(Y; B1; B2 ) j jY j = 2s(n) ^ (R(Y ) = B1 ^ hI (xj ) = B2 ! (Xj = b1 ^ C R(xi) = b2))g and let query R(xi ) and query R(xj ) denote the set of strings queried by C R on xi and, respectively xj . Then

Prob(fR (xi) = 0 j (Xj = b1) ^ (C R (xi) = b2) ^ Si;j ) = = Prob(8l 2 I (hl (xi) 6= 0kq(n)) j (Xj = b1) ^ (C R(xi ) = b2) ^ Si;j ) = =

P

(Y;B1 ;B2 )2Z

Prob(8l 2 I (hl(xi) 6= 0kq(n) ) j (query R(xi) [ query R(xj ) Y ) ^

^ (R(Y ) = B1) ^ (hI (xj ) = B2) ^ Si;j ) Prob((queryR(xi) [ queryR(xj ) Y) ^ (R(Y ) = B1) ^ (hI (xj ) = B2) ^ ^ Si;j j (Xj = b1) ^ (C R(xi) = b2) ^ Si;j ): () For any xed (Y; B1; B2) 2 Z , we show that the corresponding term in the above sum is between the bounds (1=2 2?(=2)n) Prob((query R(xi) [ query R (xj ) Y ) ^ (R(Y ) = B1 ) ^ (hI (xj ) = B2) ^ Si;j j (Xj = b1) ^ (C R(xi) = b2) ^ Si;j ). This is clearly true if the above probability is 0.

8

Otherwise,

Prob(8l 2 I (hl(xi) 6= 0kq(n) ) j (query R(xi) [ query R(xj ) Y ) ^ (R(Y ) = B1 ) ^

^ (hI (xj ) = B2) ^ Si;j ) =

( because of the conditioning by Si;j )

= Prob(8l 2 I ? Y (hl (xi ) 6= 0kq(n) ) j (query R (xi) [ query R (xj ) Y ) ^ (R(Y ) = B1 ) ^

^ (hI (xj ) = B2) ^ Si;j ) =

( since R(Y ) and R(I ? Y ) are independent )

= Prob(8l 2 I ? Y (hl (xi ) 6= 0kq(n) ) j hI ?Y (xj ) = B2 (restricted to I ? Y ) ) = ( by the pairwise independence of the hash functions ) = Prob(8l 2 I ? Y (hl (xi ) 6= 0kq(n) )): Since jY j = 2s(n), the latter probability is equal to (1 ? 2kq1(n) )b(ln2) 2kq(n) c?2s(n) . Since s(n) 2(k?)n , by Lemma 3.1, the above value is included in the interval [1=2 ? 2?(=2)n; 1=2 + 2?(=2)n]. Thus, Prob(8l 2 I (hl (xi) 6= 0kq(n)) j (query R(xi ) [ query R(xj ) Y ) ^ (R(Y ) = B ) ^ Si;j ) belongs to [1=2 ? 2?(=2)n; 1=2 + 2?(=2)n] and thus our claim holds. Substituting this estimate in the sum (*), we obtain that Prob(fR (xi ) = 0 j (Xj = b1) ^ (C R(xi ) = b2) ^ Si;j ) is in the interval [1=2 ? 2?(=2)n; 1=2 + 2?(=2)n]. Therefore, for a xed b 2 f0; 1g,

Prob(Xi = 1 j (Xj = b) ^ Si;j ) = = Prob(fR(xi ) = 0 j (Xj = b) ^ Si;j ^ (C R(xi ) = 0)) Prob(C R(xi ) = 0 j (Xj = b) ^ Si;j )+ + Prob(fR (xi ) = 1 j (Xj = b) ^ Si;j ^ (C R(xi ) = 1)) Prob(C R(xi ) = 1 j (Xj = b) ^ Si;j ) 2

2 [1=2 ? 2?(=2)n; 1=2 + 2?(=2)n]: Similarly, for any i; j 2 I , Prob(Xi = 1 j Si;j ) 2 [1=2 ? 2?(=2)n; 1=2 + 2?(=2)n] and, using Lemma 3.3, we conclude that, for any i 2 I , Prob(Xi = 1) 2 [1=2 ? 2?(=3)n; 1=2+ 2?(=3)n] . Then Prob(Si;j j Xj = b) Prob(Si;j ) = Prob(Xj = b) 2?((2=3)n?1) = (1=2 ? 2?(=3)n ) 2?((2=3)n?3). By Lemma 3.3,

j Prob(Xi = 1 j Xj = b) ? Prob(Xi = 1 j (Xj = b) ^ Si;j ) j Prob(Si;j j Xj = b): So, Prob(Xi = 1 j Xj = b) 2 [1=2 ? 2?(=3)n; 1=2 + 2?(=3)n]. Let S = X1 + X2 + : : :+ X2n . Using Lemma 3.2 with Wi = fj 2 f1; : : :; i ? 1; i +1; : : :; 2n g j xj (1 : q(n)) = xi (1 : q(n)), i 2 f1; : : :; 2ng, we obtain, Prob(j 2Sn ? 21 j > ) < 12 ( 2q1(n) + 2(=93)n ):

It is clear that we can choose = 2? (n) such that for n suciently large, Prob(j 2Sn ? 12 j > ) < 2? (n) .

9

Proof of Proposition 2.3 Let d > 0 be a constant such that fR has hardness (2?dn; (n)) with probability 1 ? 2?dn and for all suciently large n and for all x 2 n , j ProbR2Rn (fR (x) = b) ? 1=2 j 2?dn+1 . We abbreviate 2?dn by (n) and take c to be a positive constant less than d. We focus on a suciently large n. Let I = fa1; : : :; ak g be an arbitrary subset of f1; : : :; 2ng with k cn. By induction on j , 0 j k, we show that if C is an oracle circuit of size (n) and b1; : : :; b2n are some arbitrary bits, then:

j Probx;R(fR(x) = C R(x) j (8i j ) (fR(xai ) = bi)) ? 1=2 j 2j+1(n);

(1)

and

ProbR(Sj+1) (1=2 ? (n))ji=1 (1=2 ? 2i+1 (n)); (2) where for each j 1, Sj = fR 2 Rn j (8i j )(fR(xai ) = bi)g and, by convention, the product ji=1 (1=2 ? 2i+1 (n)) is 1 for j = 0. Relation (1) clearly implies the conclusion we need. The relations are easily veri ed for j = 0. Consider now the induction step (j ? 1) ! j . For

the sake of contradiction, suppose

Probx;R(fR (x) = C R(x) j (8i j ) (fR (xai ) = bi)) > 1=2 + 2j+1 (n):

(3)

Let B = fR 2 Sj j Probx (fR(x) = C R (x)) 1=2 + (n)g and = ProbR (B j Sj ). Then, Probx;R(fR(x) = C R (x) j Sj ) (1? )+ (1=2+(n)): So, 1=2+2j+1 (n) < (1? )+ (1=2+(n)). It follows that j +1 (n) < 1 ? (21=2 ?? 1) (n) :

Consequently,

j +1 (n) ; ProbR(B j Sj ) > (21=2 ?? 1) (n)

where B is the complement of B , and, thus,

j +1 (n) Prob(S ): ProbR2Rn (Probx2n (fR (x) = C R(x)) > 1=2 + (n)) > (21=2 ?? 1) j (n)

Using the induction hypothesis, ?1 (1=2 ? 2i+1 (n)) = ProbR (Probx2n (fR (x) = C R (x)) > 1=2 + (n)) > (2j+1 ? 1)(n)ji=1 ?1 (1 ? 2i+2 (n)) (n)2?(j ?1) (2j +1 ? 1)(1 ? (n) j ?1 2i+2 ) (n): = (n)2?(j ?1) (2j +1 ? 1) ji=1 i=1

This contradicts the hardness of fR and, thus, relation (3) is false. By taking the \complementary" circuit of C , we deduce that Probx;R(fR (x) 6= C R (x) j Sj ) 1=2 + 2j +1 (n) and (1) is proved. For (2), we note (using the induction hypothesis and relation 1 for j and the circuit which outputs bj +1 on all inputs) that Prob(Sj +1) = Prob(fR (xj +1 ) = bj +1 j Sj )Prob(Sj ) ?1 (1=2 ? 2i+1 (n)) = (1=2 ? (n))j (1=2 ? 2i+1(n)). (1=2 ? 2j +1 (n))(1=2 ? (n))ji=1 i=1

Proof of Theorem 2.5: The pseudo-random generator simply outputs on input x of length n a sequence of 2n bits that are obtained directly from the random bits associated with x. More precisely, for each n 2 N we take Rn to be the set of functions R : n ! 2n and the averagerandomized pseudo-random generator to be the function fR (x) = R(x). Although this construction is very natural, it is not immediately clear that a circuit C , by aptly using the oracle R, cannot distinguish the random distribution on 2n from the distribution induced by the application of the 10

same R on the uniform distribution on n and a somewhat elaborate analysis is needed. First, a word of caution: the expression \C (u) queries R(x)" means that during the computation of the circuit C on input u, the oracle is asked to provide the value of the function R on input x. Let C = (Cn )n2N be family of circuits of size 2n=4. Since the circuit C2n (which from now on will be called more simply C ) can formulate at most 20:5n queries, for any xed y 2 2n ,

Probx2n ;R2Rn (C R(y) queries R(x)) 2?0:5n:

(4)

We can now evaluate the dierence between Probx2n ;R2Rn (C R(R(x)) = 1) and Proby22n ;R2Rn (C R(y) = 1).

Probx;R(C R (R(x)) = 1) = Py22n Probx;R (C R(y) = 1 and R(x) = y) =

P

= y22n (Probx;R(C R(y ) = 1 and R(x) = y j C R (y ) does not query R(x))

Probx;R(C R(y) does not query R(x)) +

:

+ Probx;R (C R(y ) = 1 and R(x) = y j C R(y ) queries R(x))

Probx;R(C R(y) queries R(x))): We bound from below and from above the right hand side (RHS) in the above equation. We take into account that, conditioned by the event \C R(y ) does not query R(x)," the events \C R(y ) = 1" and \R(x) = y " are independent. Also, the events \R(x) = y " and \C R(y ) queries R(x)" are independent and, consequently, Probx;R(R(x) = y j C R (y ) queries R(x)) = Probx;R(R(x) = y j C R(y) does not query R(x)) = Probx;R(R(x) = y) = 2?n . All the events above are considered with respect to x and R uniformly selected in n and respectively in Rn . Therefore,

RHS

(by omitting the second term)

Py22n Probx;R(C R(y) = 1 and R(x) = y j C R(y) does not query R(x)) (1 ? 2?0:5n) = (by independence)

P

= (1 ? 2?0:5n) y Probx;R(C R(y ) = 1 j C R (y ) does not query R(x))

Probx;R(R(x) = y j C R(y) does not query R(x)) (1 ? 2?0:5n) 2?2n P (Prob (C R(y) = 1) ? 2?0:5n) y

x;R

Proby;R(C R(y) = 1) ? 2?0:49n:

11

(using Lemma 3.3)

Also,

RHS

(by omitting the event C R (y ) = 1 in the second term)

Py2n (Probx;R(C R(y) = 1 and R(x) = y j C R(y) does not query R(x)) Probx;R(C R(y) does not query R(x))+ + Probx;R(R(x) = y j C R(y ) queries R(x))

Probx;R(C R(y) queries R(x)))

(by independence)

Py (Probx;R(C R(y) = 1 j C R(y) does not query R(x))

Probx;R(R(x) = y j C R(y) does not query R(x)) + 2?2n 2?0:5n) (using Lemma 3.3)

2?2n Py (Probx;R(C R(y) = 1) + 2?0:5n) + 2?0:5n Proby;R(C R(y) = 1) + 2?0:49n:

Proof of Theorem 2.7 : To keep the notation simple, we consider only inputs of even length. It is easy to adapt the proof for odd lengths. Fix n 2 N. We de ne the n-section of a randomized one-way function with the desired parameters. R2n consists of all functions R : 2n ! n . We

now de ne the randomized hard function by fR (y ) = R(y )y (1 : n) (i.e., the randomized one-way function simply outputs on input y the random bits associated to y followed by y (1 : n)). Clearly, since the values of the one-way function are random in their rst half, there is no other way to invert the function but to perform an exhaustive search through the entire domain. Here is the formal argument. It is convenient to introduce the function aR : 2n ! de ned by

8 > < 1 , if 9y 2 2n with fR(y) = x; aR(x) = > : 0 , otherwise: Suppose that B is an oracle circuit of size 2n=4 and suppose B R attempts to invert fR . Let C

be the following oracle circuit: C on input x computes y = B R (x) and if R(y ) = x(1 : n) and y(1 : n) = x(n + 1 : 2n), then it outputs 1, otherwise it outputs 0. Observe that if aR(x) = 1 and C R (x) = 0, then B R failed to compute an inverse of x. We show that with high probability there are many strings x 2 2n as above. The size of C is bounded by 2n=3. Since C R (x) = 1 only if C R on input x queries a string y such that R(y ) = x(1 : n), it follows that for a xed x 2 2n , Prob(C R(x) = 1) 2n=3 2?n . Let S (R) = jfx 2 2n : C R (x) = 1gj. By Markov inequality, for all > 0, Prob(S (R) > ) 1 E [S ] 1 2n=3 2n:

12

Take = 2(1+)n , where will be xed later. Thus, with probability 1 ? 2n=3 2?n , there are less than 2(1+)n strings x such that C R (x) = 1. We next estimate the number of strings x such that aR (x) = 1. Fix x 2 2n . Then, Prob(aR (x) = 0) = (1 ? 21n )22n pe 1 e2n ; where the last inequality follows from Lemma 3.1. Let S 0(R) = jfx : aR (x) = 0gj: Again, by Markov inequality, for all > 0, 2n Prob(S 0(R) > ) 1 E [S ] 1 p 2 :

e e2n

Take = 2(1+)n . It follows that with probability 1 ? 2p(1e?e2)nn , there are less than 2(1+)n strings x 2 2n such that aR (x) = 0. To conclude, if > 2=3, then with probability 1 ? 22n=n3 ? 2p(1e?e2)nn 1 ? 2?=2n , there are more than 22n ? 2 2(1+)n strings x such that aR (x) = 1 and C R(x) = 0: Thus, with probability 1 ? 2?=2n , the fraction of strings y such that B R fails to invert fR is 1 ? 2?(1?)n+1. Taking = 0:96, it follows that with probability 1 ? 2?0:24(2n), BR fails to invert fR on a fraction of inputs from 2n that is larger than 1 ? 2?0:01(2n).

4 Probability 1 Results Theorems 2.2, 2.7 can be used to obtain probability one relativized results. First we need to reformulate them in terms of random oracles. This can be done by encoding a family of functions R = (Rn)n2N (where each function Rn is an element of the probabilistic space underlying Definitions 2.1, 2.4 and 2.6) into a standard (i.e., a set) oracle. To be more precise, an oracle A is viewed as a boolean function de ned on . For x 2 n , it is convenient to call A(x) as bit x of A. If the functions Rn 2 Rn are of type Rn : i(n) ! m(n) then for each x 2 i(n) we encode Rn (x) in the bits x10; x102; : : :; x10m(n) of the oracle, i.e., for each n 2 N and x 2 i(n), A(x10)A(x102) : : :A(x10m(n)) = Rn(x). Thus an oracle A encodes unambiguously a collection of functions (Rn)n2N , where for all n, Rn : i(n) ! m(n) for some xed strictly increasing functions i and m mapping naturals to naturals. Let A be the set of all oracles (or, equivalently, the set of all in nite binary sequences) endowed with a probability distribution given by the Lebesgue measure. If P () is a property dependent on oracles A 2 A, we say that P holds relative to a random oracle, if ProbA2A (P (A) is true ) = 1. From Theorems 2.2 and 2.7, we easily obtain the following result. Theorem 4.1 Relative to a random oracle, there are strong one-way functions and strong hard functions. Proof : We consider the case of one-way functions (the other one is similar). Theorem 2.7 can be reformulated (by using the previously discussed encoding) in the following way: there exists a function fA depending on oracle A and which is polynomial-time computable relative to A such that if C = (Cn )n2N is a family of oracle circuits of size 2n=4 then for almost every natural n, ProbA2A (jProbx2n (CnA(x) = fA (x)) ? 1=2j 2?0:01n) < 2?0:24n : Then, by the Borel-Cantelli Lemma, the probability of A in A of the event \jProbx2n (CnA (x) = fA (x)) ? 1=2j 2?0:01n holds for in nitely many n" is 0. Consequently, with probability 1 of A 2 A, fA is a strong one-way function. 13

5 AC0 vs. Sub-Linear Time Machines that run in sub-linear time have as special features a random-access read-only input tape and a read-write address tape for storing pointers to the input tape. At each moment, the machine has access to the bit on the input tape denoted on the address tape. As this is very similar to our model of machines computing randomized cryptographic primitives, it is not surprising that the counting techniques developed in Section 3 are applicable in the investigation of sub-linear-time complexity classes. For example, using the parity construction from Theorem 2.2, the following hierarchy result is immediate: let h; k : N ! N be two functions with (i) h(n) < k(n) n, for all suciently large n, and (ii) k is fully time-constructible; there is a predicate f computable in k(n) time such that if M is a machine running in h(n) time, then, for all suciently large n, Probx2n (f (x) = M (x)) = 1=2. Perhaps more interesting is a similar relation that holds between DTIME [n] and AC0 , for all 2 [0; 1). Theorem 5.1 Let 2 (0; 1). There is a predicate f computable by a monotone linear-size depth2 circuit such that if M is a machine running in time n , then for all suciently large n, j Probx2n (f (x) = M (x)) ? 1=2 j n? (1). Proof : Fix some 2 (0; 1) and consider n 2 N such that blog ncbln 2 2blog ncc n. Each x 2 n is decomposed into bln 2 2blog nc c substrings x(1); : : :; x(bln 2 2blog nc c), each of length blog nc, and some remaining string which will be ignored in the sequel. We de ne the predicate f by f (x) = 1, if there is i 2 f1; : : :; bln 2 2blog nccg such that x(i) = 1blog nc , and 0, otherwise. It is easy to check that f can be computed by a circuit having the claimed parameters. Now we follow the strategy from Theorem 2.2(ii). Consider a machine M that runs in n steps on inputs of length n. Let S = fx 2 n j for each j 2 f1; : : :; ng, if the j -th bit of x is read by M on input x, then the substring x(i) that contains the j -th bit of x veri es x(i) 6= 1blog nc ). The probability in n of S , the complementary of S , is less than n? 2?blog nc n?(1?)=2 and, thus, Prob(S ) 1 ? n?(1?)=2. Next, as in Theorem 2.2(ii), for each b 2 f0; 1g, Prob(f (x) = 0 j M (x) = b ^ S ) 2 [(1 ? 2?blog nc )bln2 2blog nc c ; (1 ? 2?blog nc )bln2 2blog nc c?n ] 2 (1=2 ? n?(1?)=3 ; 1=2 + n?(1?)=3). Again as in Theorem 2.2(ii), we obtain that Prob(f (x) = M (x) j S ) 2 (1=2 ? n?(1?)=3; 1=2 + n?(1?)=3) and, using Lemma 3.3, the conclusion follows (with the constant (1 ? )=4 denoted as (1)). The above theorem should be compared with the following remarkable property of AC0 proved by Ajtai [Ajt83]. A cylinder in n is a set of the form Cw = fx 2 n j w is a pre x of xg, where w is a binary string of length n. The length of w is the dimension of the cylinder Cw . Let 2 (0; 1). then for any f 2 AC0 and n suciently large, there exists a partition Sof n into cylinders (Cw )w2I n ? n n of dimension n ? n and J I such that j fx 2 j f (x) = 1g w2J Cw j 2 , where denotes the symmetric dierence. Thus, f can be very well approximated by cylinders of dimension n ? n. On the other hand, by (the proof of) Theorem 5.1, cylinders of dimension n1? cannot approximate a monotone depth-2 AC 0 function with a bias that is larger than n? (1) .

References [AHU74] A. Aho, J. Hopcroft, and J. Ullman. The Design and Analysis of Computer Algorithms. Addison-Wesley, 1974. [Ajt83] M. Ajtai. 11 -formulae on nite structures. Ann. Pure and Applied Logic, 24:1{48, 1983. 14

[AS94] [BIS90] [Blu84] [CW79] [For94] [HILL91] [Nis91] [NW94] [Rud88] [Sho88] [SV86]

E. Allender and M. Strauss. Measure on small complexity classes, with applications for BPP. In Proceedings of the 34th IEEE Symposium on Foundations of Computer Science, pages 807{818, 1994. D. Barrington, N. Immerman, and H. Straubing. On uniformity within NC1 . Journal of Computer and System Sciences, 41:274{306, 1990. M. Blum. Independent unbiased coin ips from a correlated biased source: A nite state Markov chain. In Proceedings of the 25th IEEE Symposium on Foundations of Computer Science, pages 425{433, 1984. J. Carter and M. Wegman. Universal classes of hash functions. Journal of Computer and System Sciences, pages 143{154, 1979. L. Fortnow. The role of relativization in complexity theory. Bulletin of EATCS, 52:229{ 244, 1994. J. Hastad, R. Impagliazzo, L. Levin, and M. Luby. Construction of a pseudo-random generator from any one-way function. Technical Report 91-68, ICSI, Berkeley, 1991. N. Nisan. Pseudorandom bits for constant depth circuits. Combinatorica, 11(1):63{70, 1991. N. Nisan and A. Wigderson. Hardness vs. randomness. Journal of Computer and System Sciences, 49:149{167, 1994. S. Rudich. Limits on the Provable Consequences of One-way Functions. PhD thesis, University of California at Berkeley, November 1988. V. Shoup. New algorithms for nding irreducible polynomials over nite elds. In Proceedings of the 29th IEEE Symposium on Foundations of Computer Science, pages 283{290. IEEE Computer Society Press, 1988. M. Santha and U. Vazirani. Generating quasi-random sequences from semi-random sources. Journal of Computer and System Sciences, 33:75{87, 1986.

A Appendix

Proof of Lemma 3.1: (a) (1 ? n1 )b(ln2)nc (1 ? n1 )(ln2)n = exp((ln 2)n ln(1 ? n1 )) = = exp((ln 2)n (? n1 ? ( n12 ))) = exp(? ln 2) exp(? ( n1 )) = = 12 (1 ? ( n1 )) 21 ? n1 :

15

(b) (1 ? n1 )b(ln2)nc?n1? (1 ? n1 )(ln2)n?n1? ?1 = = exp(((ln 2)n ? n1? ? 1) ln(1 ? n1 )) = = exp(((ln 2)n ? n1? ? 1)(? n1 ? ( n12 ))) = = exp(? ln 2) exp(n? ) exp(n?1 ) exp(?(n?1 )) exp((n?(1+) )) exp((n?2 )) = = 21 (1 + n? + O(n?2 ))(1 + O(n?1 ))(1 ? (n?1 ))(1 + O(n?1 ))(1 + O(n?(1+) ))

12 + n1 : (c)

(1 ? n1 )n2 = exp(n2 ln(1 ? n1 )) = exp(n2 (? n1 ? 2n12 ? ( n13 )))

exp(?n) exp(? 12 ) = pe1 en :

Proof of Lemma 3.2: For each 0i 2 f1; : : :; kg let Yi = Xi ? p and let S 0 = Y1 + Y2 + : : : + Yk . Clearly, Prob(j Sk ? pj > ) = Prob(j Sk j > ). By the Chebyshev inequality, 0 X X Prob(j Sk j > ) k212 E [S 02] = k212 ( E [Yi2] + E [YiYj ]): i

i6=j

We estimate each term in the above sums. E [Yi2] = (1 ? p)2pi + p2 (1 ? pi) 1; where pi = Prob(Xi = 1). Similarly, if j 2 Wi , E [YiYj ] 1. If j 2 f1; : : :i ? 1; i + 1; : : :; kg ? Wi : E [YiYj ] = (1 ? p)2 Prob(Xi = 1jXj = 1) Prob(Xj = 1)+ +(?p)2 Prob(Xi = 0jXj = 0) Prob(Xj = 0)+ +(?p)(1 ? p) Prob(Xi = 1jXj = 0) Prob(Xj = 0)+ +(?p)(1 ? p) Prob(Xi = 0jXj = 1) Prob(Xj = 1)

(1 ? p)2(p + )2 + p2(1 ? p + )2? ?p(1 ? p)(p ? )(1 ? p ? ) ? p(1 ? p)(1 ? p ? )(p ? ) = = (1 + 4p + 4p2 ? 4p2 ? 4p ) 9: Thus,

0 Prob(j Sk j > ) k212 (k + kM + k(k ? 1 ? M )9) < 12 ( M k+ 1 + 9):

16

Proof of Lemma 3.3: Prob(A) = Prob(AjB)Prob(B) + Prob(AjB)Prob(B): So,

Prob(A) Prob(AjB)Prob(B) = Prob(AjB)(1 ? Prob(B)) Prob(AjB) ? Prob(B); and

Prob(A) Prob(AjB) + Prob(B):

17