Leonid A. Levin

A Pseudorandom Generator from any One-way Function

Pseudorandom generators are fundamental to many theoretical and applied aspects of computing. We show how to construct a pseudorandom generator from any one-way function. Since it is easy to construct a one-way function from a pseudorandom generator, this result shows that there is a pseudorandom generator if and only if there is a one-way function.

A hard-core predicate for all one-way functions

A central tool in constructing pseudorandom generators, secure encryption functions, and in other areas are “hard-core” predicates <italic>b</italic> of functions (permutations) ƒ, discovered in [Blum Micali 82]. Such <italic>b</italic>(<italic>x</italic>) cannot be efficiently guessed (substantially better than 50-50) given only ƒ(<italic>x</italic>). Both <italic>b</italic>, ƒ are computable in polynomial time. [Yao 82] transforms any one-way function ƒ into a more complicated one, ƒ<supscrpt>*</supscrpt>, which has a hard-core predicate. The construction applies the original ƒ to many small pieces of the input to ƒ<supscrpt>*</supscrpt> just to get one “hard-core” bit. The security of this bit may be smaller than any constant positive power of the security of ƒ. In fact, for inputs (to ƒ<supscrpt>*</supscrpt>) of practical size, the pieces effected by ƒ are so small that ƒ can be inverted (and the “hard-core” bit computed) by exhaustive search. In this paper we show that every one-way function, padded to the form ƒ(<italic>p</italic>, <italic>x</italic>) = (<italic>p</italic>, <italic>g</italic>(<italic>x</italic>)), ‖‖<italic>p</italic>‖‖ = ‖<italic>x</italic>‖, has by itself a hard-core predicate of the same (within a polynomial) security. Namely, we prove a conjecture of [Levin 87, sec. 5.6.2] that the scalar product of Boolean vectors <italic>p</italic>, <italic>x</italic> is a hard-core of every one-way function ƒ(<italic>p</italic>, <italic>x</italic>) = (<italic>p</italic>, <italic>g</italic>(<italic>x</italic>)). The result extends to multiple (up to the logarithm of security) such bits and to any distribution on the <italic>x</italic>s for which ƒ is hard to invert.

Pseudo-random generation from one-way functions

We show that the existence of one-way functions is necessary and sufficient for the existence of pseudo-random generators in the following sense. Let ƒ be an easily computable function such that when <italic>x</italic> is chosen randomly: (1) from ƒ(<italic>x</italic>) it is hard to recover an <italic>x</italic><supscrpt>1</supscrpt> with ƒ(<italic>x</italic><supscrpt>1</supscrpt>) = ƒ(<italic>x</italic>) by a small circuit, or; (2) ƒ has small degeneracy and from ƒ(<italic>x</italic>) it is hard to recover <italic>x</italic> by a fast algorithm. From one-way functions of type (1) or (2) we show how to construct pseudo-random generators secure against small circuits or fast algorithms, respectively, and vice-versa. Previous results show how to construct pseudo-random generators from one-way functions that have special properties ([Blum, Micali 82], [Yao 82], [Levin 85], [Goldreich, Krawczyk, Luby 88]). We use the results of [Goldreich, Levin 89] in an essential way.

Checking computations in polylogarithmic time

Motivated by Manuel Blum’s concept of inst ante checking, we consider new, very fast and generic mechanisms of checking computations. Our results exploit recent advances in interactive proof protocols [LFKN], [Sh], and especially the MIP = NEXP protocol from [BFL]. WJe show that every nondeterministic computational task S(Z, y), defined as a polynomial time relation between the instance x, representing the input and output combined, and the witness y can be modified to a task S such that: (i) the same instances remain accepted; (ii) each instance/witness pair becomes checkable in poly!ogariihmic Monte Carlo time; and (iii) a witness satisfying S’ can be computed in polynomial time from a witness satisfying S. Here the instance and the description of S have to be provided in error-correcting code (since the checker will not notice slight changes). A modification of the MIP proof was required to achieve polynomial time in (iii); the earlier technique yields N“(*OglOg’1 time only. This result becomes significant if software and hardware reliability are regarded aa a considerable cost factor. The polylogarithmic checker is the only part of the system that needs to be trusted; it can be hard wired. (We use just one Checker for all problems!) The checker is tiny and so presumably can be optimized and checked off-line at a modest cost. In this setup, a single reliable PC can monitor the operation of a herd of supercomputers working with possibly extremely powerful but unreliable software and untested hardware. 1Research partially supported by NSF Grant CCR-871OO78. Email: laci@cs.uchicago. edu 2Rese~& partiay supported by NSF Grant CCR-SMXI

Average case complete problems

XEK5. E-mail: fortnow@cs.uc&cago. edu 3Supported by NSF grant CCR-SJC115276. E-mail: Lnd@cs.bu.edu 4111 cummington St., Boston MA 02215. 5E-mail: mario@cs.uchicago .edu ~1100 E 58th St, Chicago IL 60637. Permission to copy without fee all or part of this msterisl is granted provided that tie copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee snd/or specific permission. @ 1991 ACM 089791-397-31911000410021

Fair Computation of General Functions in Presence of Immoral Majority

1.50 Leonid A. Levin 3

One-way functions and pseudorandom generators

Many interesting combinatorial problems were found to be NP-complete. Since there is little hope to solve them fast in the worst case, researchers look for algorithms which are fast just “on average,” This matter is sensitive to the choice of a particular NP-complete problem and a probability distribution of its instances. Some of these tasks are easy and some not. But one needs a way to distinguish the “difficult on average” problems. Such negative results could not only save “positive” efforts but may also be used in areas (like cryptography) where hardness of some problems is a frequent assumption. It is shown in [1] that the Tiling problem with uniform distribution of instances has no polynominal “on average” algorithm, unless every NP-problem with every simple probability distribution has it.

Randomness conservation inequalities; information and independence in mathematical theories

This paper describes a method for n players, a majority of which may be faulty, to compute correctly, privately, and fairly any computable function f(x1,... ,xn) where xi, is the input of the i-th. player. The method uses as a building block an oblivious transfer primitive.Previous methods achieved these properties, only for boolean functions, which, in particular, precluded composition of such protocols.We also propose a simpler definition of security for multi-player protocols which still implies previous definitions of privacy and correctness.

One-way functions and Pseudorandom generators

One-way are those functions which are easy to compute, but hard to invert on a non-negligible fraction of instances. The existence of such functions with some additional assumptions was shown to be sufficient for generating perfect pseudorandom strings |Blum, Micali 82|, |Yao 82|, |Goldreich, Goldwasser, Micali 84|. Below, among a few other observations, a weaker assumption about one-way functions is suggested, which is not only sufficient, but also necessary for the existence of pseudorandom generators. The main theorem can be understood without reading the sections 3-6.

No better ways to generate hard NP instances than picking uniformly at random

The article further develops Kolmogorovs algorithmic complexity theory. The definition of randomness is modified to satisfy strong invariance properties (conservation inequalities). This allows definitions of concepts such as mutual information in individual infinite sequences. Applications to several areas, like probability theory, theory of algorithms, intuitionistic logic are considered. These theories are simplified substantially with the postulate that the objects they consider are independent of (have small mutual information with) any sequence specified by a mathematical property.