In
theoretical computer science
Theoretical computer science (TCS) is a subset of general computer science and mathematics that focuses on mathematical aspects of computer science such as the theory of computation, lambda calculus, and type theory.
It is difficult to circumsc ...
and
cryptography
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
, a pseudorandom generator (PRG) for a class of
statistical test
A statistical hypothesis test is a method of statistical inference used to decide whether the data at hand sufficiently support a particular hypothesis.
Hypothesis testing allows us to make probabilistic statements about population parameters.
...
s is a
deterministic procedure that maps a
random seed
A random seed (or seed state, or just seed) is a number (or vector) used to initialize a pseudorandom number generator.
For a seed to be used in a pseudorandom number generator, it does not need to be random. Because of the nature of number gene ...
to a longer
pseudorandom string such that no statistical test in the class can distinguish between the output of the generator and the uniform distribution. The random seed itself is typically a short binary string drawn from the
uniform distribution.
Many different classes of statistical tests have been considered in the literature, among them the class of all Boolean circuits of a given size.
It is not known whether good pseudorandom generators for this class exist, but it is known that their existence is in a certain sense equivalent to (unproven) circuit lower bounds in
computational complexity theory
In theoretical computer science and mathematics, computational complexity theory focuses on classifying computational problems according to their resource usage, and relating these classes to each other. A computational problem is a task solved by ...
.
Hence the construction of pseudorandom generators for the class of Boolean circuits of a given size rests on currently unproven hardness assumptions.
Definition
Let
be a class of functions.
These functions are the ''statistical tests'' that the pseudorandom generator will try to fool, and they are usually
algorithms
In mathematics and computer science, an algorithm () is a finite sequence of rigorous instructions, typically used to solve a class of specific problems or to perform a computation. Algorithms are used as specifications for performing c ...
.
Sometimes the statistical tests are also called ''adversaries'' or ''distinguishers''. The notation in the codomain of the functions is the
Kleene star
In mathematical logic and computer science, the Kleene star (or Kleene operator or Kleene closure) is a unary operation, either on sets of strings or on sets of symbols or characters. In mathematics,
it is more commonly known as the free monoid c ...
.
A function
with
is a ''pseudorandom generator'' against
with ''bias''
if, for every
in
, the
statistical distance
In statistics, probability theory, and information theory, a statistical distance quantifies the distance between two statistical objects, which can be two random variables, or two probability distributions or samples, or the distance can be be ...
between the distributions
and
is at most
, where
is the
uniform distribution on
.
The quantity
is called the ''seed length'' and the quantity
is called the ''stretch'' of the pseudorandom generator.
A pseudorandom generator against a family of adversaries
with bias
is a family of pseudorandom generators
, where
is a pseudorandom generator against
with bias
and seed length
.
In most applications, the family
represents some
model of computation
In computer science, and more specifically in computability theory and computational complexity theory, a model of computation is a model which describes how an output of a mathematical function is computed given an input. A model describes how ...
or some set of
algorithm
In mathematics and computer science, an algorithm () is a finite sequence of rigorous instructions, typically used to solve a class of specific Computational problem, problems or to perform a computation. Algorithms are used as specificat ...
s, and one is interested in designing a pseudorandom generator with small seed length and bias, and such that the output of the generator can be computed by the same sort of algorithm.
In cryptography
In
cryptography
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
, the class
usually consists of all
circuits of size polynomial in the input and with a single bit output, and one is interested in designing pseudorandom generators that are computable by a
polynomial-time algorithm
In computer science, the time complexity is the computational complexity that describes the amount of computer time it takes to run an algorithm. Time complexity is commonly estimated by counting the number of elementary operations performed by t ...
and whose bias is negligible in the circuit size.
These pseudorandom generators are sometimes called cryptographically secure pseudorandom generators (CSPRGs).
It is not known if cryptographically secure pseudorandom generators exist.
Proving that they exist is difficult since their existence implies
P ≠ NP
The P versus NP problem is a major unsolved problem in theoretical computer science. In informal terms, it asks whether every problem whose solution can be quickly verified can also be quickly solved.
The informal term ''quickly'', used above ...
, which is widely believed but a famously open problem.
The existence of cryptographically secure pseudorandom generators is widely believed. This is because it has been proven that pseudorandom generators can be constructed from any
one-way function
In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, spe ...
which are believed to exist. Pseudorandom generators are necessary for many applications in
cryptography
Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...
.
The
pseudorandom generator theorem shows that cryptographically secure pseudorandom generators exist if and only if
one-way function
In computer science, a one-way function is a function that is easy to compute on every input, but hard to invert given the image of a random input. Here, "easy" and "hard" are to be understood in the sense of computational complexity theory, spe ...
s exist.
Uses
Pseudorandom generators have numerous applications in cryptography. For instance, pseudorandom generators provide an efficient analog of
one-time pads. It is well known that in order to encrypt a message ''m'' in a way that the cipher text provides no information on the plaintext, the key ''k'' used must be random over strings of length , m, . Perfectly secure encryption is very costly in terms of key length. Key length can be significantly reduced using a pseudorandom generator if perfect security is replaced by
semantic security In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext. Specifically, any probabilistic, polynomial-time algorithm (PPTA) that is given the ciph ...
. Common constructions of
stream cipher
stream cipher is a symmetric key cipher where plaintext digits are combined with a pseudorandom cipher digit stream (keystream). In a stream cipher, each plaintext digit is encrypted one at a time with the corresponding digit of the keystream ...
s are based on pseudorandom generators.
Pseudorandom generators may also be used to construct
symmetric key cryptosystems, where a large number of messages can be safely encrypted under the same key. Such a construction can be based on a
pseudorandom function family
In cryptography, a pseudorandom function family, abbreviated PRF, is a collection of efficiently-computable functions which emulate a random oracle in the following way: no efficient algorithm can distinguish (with significant advantage) between ...
, which generalizes the notion of a pseudorandom generator.
In the 1980s, simulations in physics began to use pseudorandom generators to produce sequences with billions of elements, and by the late 1980s, evidence had developed that a few common generators gave incorrect results in such cases as phase transition properties of the 3D
Ising model
The Ising model () (or Lenz-Ising model or Ising-Lenz model), named after the physicists Ernst Ising and Wilhelm Lenz, is a mathematical model of ferromagnetism in statistical mechanics. The model consists of discrete variables that represent ...
and shapes of diffusion-limited aggregates. Then in the 1990s, various idealizations of physics simulations—based on
random walk
In mathematics, a random walk is a random process that describes a path that consists of a succession of random steps on some mathematical space.
An elementary example of a random walk is the random walk on the integer number line \mathbb Z ...
s,
correlation function
A correlation function is a function that gives the statistical correlation between random variables, contingent on the spatial or temporal distance between those variables. If one considers the correlation function between random variables rep ...
s, localization of eigenstates, etc., were used as tests of pseudorandom generators.
Testing
NIST announced SP800-22
Randomness tests
A randomness test (or test for randomness), in data evaluation, is a test used to analyze the distribution of a set of data to see if it can be described as random (patternless). In stochastic modeling, as in some computer simulations, the hoped-f ...
to test whether a pseudorandom generator produces high quality random bits.
Yongge Wang Yongge Wang (born 1967) is a computer science professor at the University of North Carolina at Charlotte specialized in algorithmic complexity and cryptography. He is the inventor of IEEE P1363 cryptographic standards SRP5 and WANG-KE and has cont ...
showed that NIST testing is not enough to detect weak pseudorandom generators and developed statistical distance based testing technique LILtest.
For derandomization
A main application of pseudorandom generators lies in the derandomization of computation that relies on randomness, without corrupting the result of the computation.
Physical computers are deterministic machines, and obtaining true randomness can be a challenge.
Pseudorandom generators can be used to efficiently simulate randomized algorithms with using little or no randomness.
In such applications, the class
describes the randomized algorithm or class of randomized algorithms that one wants to simulate, and the goal is to design an "efficiently computable" pseudorandom generator against
whose seed length is as short as possible.
If a full derandomization is desired, a completely deterministic simulation proceeds by replacing the random input to the randomized algorithm with the pseudorandom string produced by the pseudorandom generator.
The simulation does this for all possible seeds and averages the output of the various runs of the randomized algorithm in a suitable way.
Constructions
For polynomial time
A fundamental question in computational complexity theory is whether all
polynomial time
In computer science, the time complexity is the computational complexity that describes the amount of computer time it takes to run an algorithm. Time complexity is commonly estimated by counting the number of elementary operations performed by ...
randomized algorithm
A randomized algorithm is an algorithm that employs a degree of randomness as part of its logic or procedure. The algorithm typically uses uniformly random bits as an auxiliary input to guide its behavior, in the hope of achieving good performan ...
s for
decision problems can be deterministically simulated in polynomial time. The existence of such a simulation would imply that BPP = P. To perform such a simulation, it is sufficient to construct pseudorandom generators against the family F of all circuits of size ''s''(''n'') whose inputs have length ''n'' and output a single bit, where ''s''(''n'') is an arbitrary polynomial, the seed length of the pseudorandom generator is O(log ''n'') and its bias is ⅓.
In 1991,
Noam Nisan
Noam Nisan ( he, נעם ניסן; born June 20, 1961) is an Israeli computer scientist, a professor of computer science at the Hebrew University of Jerusalem. He is known for his research in computational complexity theory and algorithmic game th ...
and
Avi Wigderson
Avi Wigderson ( he, אבי ויגדרזון; born 9 September 1956) is an Israeli mathematician and computer scientist. He is the Herbert H. Maass Professor in the school of mathematics at the Institute for Advanced Study in Princeton, New Jerse ...
provided a candidate pseudorandom generator with these properties. In 1997
Russell Impagliazzo and
Avi Wigderson
Avi Wigderson ( he, אבי ויגדרזון; born 9 September 1956) is an Israeli mathematician and computer scientist. He is the Herbert H. Maass Professor in the school of mathematics at the Institute for Advanced Study in Princeton, New Jerse ...
proved that the construction of Nisan and Wigderson is a pseudorandom generator assuming that there exists a
decision problem
In computability theory and computational complexity theory, a decision problem is a computational problem that can be posed as a yes–no question of the input values. An example of a decision problem is deciding by means of an algorithm whethe ...
that can be computed in time 2
O(''n'') on inputs of length ''n'' but requires
circuits of size 2
Ω(''n'').
For logarithmic space
While unproven assumption about circuit complexity are needed to prove that the Nisan–Wigderson generator works for time-bounded machines, it is natural to restrict the class of statistical tests further such that we need not rely on such unproven assumptions.
One class for which this has been done is the class of machines whose work space is bounded by
.
Using a repeated squaring trick known as
Savitch's theorem
In computational complexity theory, Savitch's theorem, proved by Walter Savitch in 1970, gives a relationship between deterministic and non-deterministic space complexity. It states that for any function f\in\Omega(\log(n)),
:\mathsf\left(f\lef ...
, it is easy to show that every probabilistic log-space computation can be simulated in space
.
Noam Nisan
Noam Nisan ( he, נעם ניסן; born June 20, 1961) is an Israeli computer scientist, a professor of computer science at the Hebrew University of Jerusalem. He is known for his research in computational complexity theory and algorithmic game th ...
(1992) showed that this derandomization can actually be achieved with a pseudorandom generator of seed length
that fools all
-space machines.
Nisan's generator has been used by Saks and Zhou (1999) to show that probabilistic log-space computation can be simulated deterministically in space
.
This result is still the best known derandomization result for general log-space machines in 2012.
For linear functions
When the statistical tests consist of all multivariate
linear function
In mathematics, the term linear function refers to two distinct but related notions:
* In calculus and related areas, a linear function is a function (mathematics), function whose graph of a function, graph is a straight line, that is, a polynomia ...
s over some
finite field
In mathematics, a finite field or Galois field (so-named in honor of Évariste Galois) is a field that contains a finite number of elements. As with any field, a finite field is a set on which the operations of multiplication, addition, subtr ...
, one speaks of
epsilon-biased generators.
The construction of achieves a seed length of
, which is optimal up to constant factors.
Pseudorandom generators for linear functions often serve as a building block for more complicated pseudorandom generators.
For polynomials
proves that taking the sum of
small-bias generators fools polynomials of degree
.
The seed length is
.
For constant-depth circuits
Constant depth circuits that produce a single output bit.
Limitations on probability
The pseudorandom generators used in cryptography and universal algorithmic derandomization have not been proven to exist, although their existence is widely believed. Proofs for their existence would imply proofs of lower bounds on the
circuit complexity
In theoretical computer science, circuit complexity is a branch of computational complexity theory in which Boolean functions are classified according to the size or depth of the Boolean circuits that compute them. A related notion is the circui ...
of certain explicit functions. Such circuit lower bounds cannot be proved in the framework of
natural proof
In computational complexity theory, a natural proof is a certain kind of proof establishing that one complexity class differs from another one. While these proofs are in some sense "natural", it can be shown (assuming a widely believed conjecture o ...
s assuming the existence of stronger variants of cryptographic pseudorandom generators.
References
* Sanjeev Arora and Boaz Barak
''Computational Complexity: A Modern Approach'' Cambridge University Press
Cambridge University Press is the university press of the University of Cambridge. Granted letters patent by Henry VIII of England, King Henry VIII in 1534, it is the oldest university press
A university press is an academic publishing hou ...
(2009), .
*
Oded Goldreich
Oded Goldreich ( he, עודד גולדרייך; b. 1957) is a professor of Computer Science at the Faculty of Mathematics and Computer Science of Weizmann Institute of Science, Israel. His research interests lie within the theory of computation ...
, ''Computational Complexity: A Conceptual Perspective'',
Cambridge University Press
Cambridge University Press is the university press of the University of Cambridge. Granted letters patent by Henry VIII of England, King Henry VIII in 1534, it is the oldest university press
A university press is an academic publishing hou ...
(2008), .
*
Oded Goldreich
Oded Goldreich ( he, עודד גולדרייך; b. 1957) is a professor of Computer Science at the Faculty of Mathematics and Computer Science of Weizmann Institute of Science, Israel. His research interests lie within the theory of computation ...
, ''Foundations of Cryptography: Basic Tools'',
Cambridge University Press
Cambridge University Press is the university press of the University of Cambridge. Granted letters patent by Henry VIII of England, King Henry VIII in 1534, it is the oldest university press
A university press is an academic publishing hou ...
(2001), .
*
*
* {{PlanetMath attribution, id=3460, title=Pseudorandom generator
Algorithmic information theory
Pseudorandomness
Cryptography