Russell Impagliazzo

A Pseudorandom Generator from any One-way Function

Pseudorandom generators are fundamental to many theoretical and applied aspects of computing. We show how to construct a pseudorandom generator from any one-way function. Since it is easy to construct a one-way function from a pseudorandom generator, this result shows that there is a pseudorandom generator if and only if there is a one-way function.

Which Problems Have Strongly Exponential Complexity

For several NP-complete problems, there have been a progression of better but still exponential algorithms. In this paper, we address the relative likelihood of sub-exponential algorithms for these problems. We introduce a generalized reduction that we call Sub-exponential Reduction Family (SERF) that preserves sub-exponential complexity. We show that Circuit-SAT is SERF-complete for all NP-search problems, and that for any fixed k?3, k-SAT, k-Colorability, k-Set Cover, Independent Set, Clique, and Vertex Cover, are SERF-complete for the class SNP of search problems expressible by second-order existential formulas whose first-order part is universal. In particular, sub-exponential complexity for any one of the above problems implies the same for all others.We also look at the issue of proving strongly exponential lower bounds for AC0, that is, bounds of the form 2?(n). This problem is even open for depth-3 circuits. In fact, such a bound for depth-3 circuits with even limited (at most n?) fan-in for bottom-level gates would imply a nonlinear size lower bound for logarithmic depth circuits. We show that with high probability even random degree 2 GF(2) polynomials require strongly exponential size for ?k3 circuits for k=o(loglogn). We thus exhibit a much smaller space of 2O(n2) functions such that almost every function in this class requires strongly exponential size ?k3 circuits. As a corollary, we derive a pseudorandom generator (requiring O(n2) bits of advice) that maps n bits into a larger number of bits so that computing parity on the range is hard for ?k3 circuits. Our main technical lemma is an algorithm that, for any fixed ?>0, represents an arbitrary k-CNF formula as a disjunction of 2?nk-CNF formulas that are sparse, that is, each disjunct has O(n) clauses.

Designated verifier proofs and their applications

For many proofs of knowledge it is important that only the verifier designated by the confirmer can obtain any conviction of the correctness of the proof. A good example of such a situation is for undeniable signatures, where the confirmer of a signature wants to make sure that only the intended verifier(s) in fact can be convinced about the validity or invalidity of the signature. Generally, authentication of messages and off-the-record messages are in conflict with each other. We show how, using designation of verifiers, these notions can be combined, allowing authenticated but private conversations to take place. Our solution guarantees that only the specified verifier can be convinced by t,he proof, even if he shares all his secret information with entities that want to get convinced. Our solution is based on trap-door conim.itments [4], allowing the designated verifier to open up commitments in any way he wants. We demonstrate how a trap-door commitment scheme can be uscd to construct designated verifier proofs, both interactive and non-interactive. We examplify the verifier designation method for the confirmation protocol for undeniable signatures.

Pseudo-random generation from one-way functions

We show that the existence of one-way functions is necessary and sufficient for the existence of pseudo-random generators in the following sense. Let ƒ be an easily computable function such that when <italic>x</italic> is chosen randomly: (1) from ƒ(<italic>x</italic>) it is hard to recover an <italic>x</italic><supscrpt>1</supscrpt> with ƒ(<italic>x</italic><supscrpt>1</supscrpt>) = ƒ(<italic>x</italic>) by a small circuit, or; (2) ƒ has small degeneracy and from ƒ(<italic>x</italic>) it is hard to recover <italic>x</italic> by a fast algorithm. From one-way functions of type (1) or (2) we show how to construct pseudo-random generators secure against small circuits or fast algorithms, respectively, and vice-versa. Previous results show how to construct pseudo-random generators from one-way functions that have special properties ([Blum, Micali 82], [Yao 82], [Levin 85], [Goldreich, Krawczyk, Luby 88]). We use the results of [Goldreich, Levin 89] in an essential way.

Limits on the provable consequences of one-way permutations

We present strong evidence that the implication, “if one-way permutations exist, then secure secret key agreement is possible”, is not provable by standard techniques. Since both sides of this implication are widely believed true in real life, to show that the implication is false requires a new model. We consider a world where all parties have access to a black box for a randomly selected permutation. Being totally random, this permutation will be strongly one-way in a provable, information-theoretic way. We show that, if P = N P, no protocol for secret key agreement is secure in such a setting. Thus, to prove that a secret key agreement protocol which uses a one-way permutation as a black box is secure is as hard as proving P ≠ N P. We also obtain, as a corollary, that there is an oracle relative to which the implication is false, i.e., there is a one-way permutation, yet secret-exchange is impossible. Thus, no technique which relativizes can prove that secret exchange can be based on any one-way permutation. Our results present a general framework for proving statements of the form, “Cryptographic application X is not likely possible based solely on complexity assumption Y.”

P = BPP if E requires exponential circuits: derandomizing the XOR lemma

Russell Impagliazzo* Avi Wigdersont Department of Computer Science Institute of Computer Science University of California Hebrew University San Diego, CA 91097-0114 Jerusalem, Israel russell@cs .ucsd. edu avi@cs .huj i. ac. il Yao showed that the XOR of independent random instances of a somewhat hard Boolean problem becomes almost completely unpredictable. In this paper we show that, in non-uniform settings, total independence is not necessary for this result to hold. We give a pseudo-random generator which produces n instances of a problem for which the analog of the XOR lemma holds. Combining this generator with the results of [25, 6] gives substantially improved results for hardness vs randomness tradeoffs. In particular, we show that if any problem in E = DTIAl E(2°t”j) has circuit complexity 2Q(”), then P = BPP. Our generator is a combination of two known ones the random walks on expander graphs of [1, 10, 19] and the nearly disjoint subsets generator of [23, 25]. The quality of the generator is proved via a new proof of the XOR lemma which may be useful for other direct product results. *Research supported by NSF YI Award CCR-92s70979, Sloan Research Fellowship BR-3311, grant #93025 of the joint US-Czechoslovak Science and Technology Program, and USA-Israel BSF Grant 92-00043 tWork pmtly done while visiting the Institute for Advanced Study, Princeton, N. J. 08540 and Princeton University. Research supported the Sloan Foundation, American-Israeli BSF grant 92-00106, and the Wolfson Research Awards, administered by the Israel Academy of Sciences.

On the Complexity of k-SAT

The k-SAT problem is to determine if a given k-CNF has a satisfying assignment. It is a celebrated open question as to whether it requires exponential time to solve k-SAT for k?3. Here exponential time means 2?n for some ?>0. In this paper, assuming that, for k?3, k-SAT requires exponential time complexity, we show that the complexity of k-SAT increases as k increases. More precisely, for k?3, define sk=inf{?:there exists 2?n algorithm for solving k-SAT}. Define ETH (Exponential-Time Hypothesis) for k-SAT as follows: for k?3, sk>0. In this paper, we show that sk is increasing infinitely often assuming ETH for k-SAT. Let s∞ be the limit of sk. We will in fact show that sk?(1?d/k)s∞ for some constant d>0. We prove this result by bringing together the ideas of critical clauses and the Sparsification Lemma to reduce the satisfiability of a k-CNF to the satisfiability of a disjunction of 2?nk?-CNFs in fewer variables for some k??k and arbitrarily small ?>0. We also show that such a disjunction can be computed in time 2?n for arbitrarily small ?>0.

How to recycle random bits

It is shown that modified versions of the linear congruential generator and the shift register generator are provably good for amplifying the correctness of a probabilistic algorithm. More precisely, if r random bits are needed for a BPP algorithm to be correct with probability at least 2/3, then O(r+k/sup 2/) bits are needed to improve this probability to 1-2/sup -k/. A different pseudorandom generator that is optimal, up to a constant factor, in this regard is also presented. It uses only O(r+k) bits to improve the probability to 1-2/sup -k/. This generator is based on random walks on expanders. The results do not depend on any unproven assumptions. It is shown that the modified versions of the shift register and linear congruential generators can be used to sample from distributions using, in the limit, the information-theoretic lower bound on random bits.<<ETX>>

Derandomizing polynomial identity tests means proving circuit lower bounds

Abstract.We show that derandomizing Polynomial Identity Testing is essentially equivalent to proving arithmetic circuit lower bounds for NEXP. More precisely, we prove that if one can test in polynomial time (or even nondeterministic subexponential time, infinitely often) whether a given arithmetic circuit over integers computes an identically zero polynomial, then either (i) % MathType!Translator!2!1!AMS LaTeX.tdl!TeX -- AMS-LaTeX! % MathType!MTEF!2!1!+- % feaafiart1ev1aqatCvAUfeBSjuyZL2yd9gzLbvyNv2CaerbuLwBLn % hiov2DGi1BTfMBaeXatLxBI9gBaerbd9wDYLwzYbItLDharqqtubsr % 4rNCHbGeaGqiVu0Je9sqqrpepC0xbbL8F4rqqrFfpeea0xe9Lq-Jc9 % vqaqpepm0xbba9pwe9Q8fs0-yqaqpepae9pg0FirpepeKkFr0xfr-x % fr-xb9adbaqaaeGaciGaaiaabeqaamaabaabaaGcbaGaaeOtaiaabw % eacaqGybGaaeiuaiabgsOillaabcfaruqtLrxyqXwDZj0BSrwldfgC % ZbacfaGaa83laiaabchacaqGVbGaaeiBaiaabMhacaqGGaGaae4Bai % aabkhaaaa!4992!