In theoretical computer science and cryptography, a pseudorandom generator (PRG) for a class of statistical tests is a deterministic procedure that maps a random seed to a longer pseudorandom string such that no statistical test in the class can distinguish between the output of the generator and the uniform distribution. The random seed itself is typically a short binary string drawn from the uniform distribution.
Many different classes of statistical tests have been considered in the literature, among them the class of all Boolean circuits of a given size.It is not known whether good pseudorandom generators for this class exist, but it is known that their existence is in a certain sense equivalent to (unproven) circuit lower bounds in computational complexity theory.Hence the construction of pseudorandom generators for the class of Boolean circuits of a given size rests on currently unproven hardness assumptions.
Let
lA=\{A:\{0,1\}n\to\{0,1\}*\}
A function
G:\{0,1\}\ell\to\{0,1\}n
\ell<n
lA
\varepsilon
A
lA
A(G(U\ell))
A(Un)
\varepsilon
Uk
\{0,1\}k
The quantity
\ell
n-\ell
A pseudorandom generator against a family of adversaries
(lAn)n\in\N
\varepsilon(n)
(Gn)n\in\N
Gn:\{0,1\}\ell(n)\to\{0,1\}n
lAn
\varepsilon(n)
\ell(n)
In most applications, the family
lA
See main article: Cryptographically secure pseudorandom number generator. In cryptography, the class
lA
It is not known if cryptographically secure pseudorandom generators exist.Proving that they exist is difficult since their existence implies P ≠ NP, which is widely believed but a famously open problem.The existence of cryptographically secure pseudorandom generators is widely believed. This is because it has been proven that pseudorandom generators can be constructed from any one-way function which are believed to exist.[2] [3] Pseudorandom generators are necessary for many applications in cryptography.
The pseudorandom generator theorem shows that cryptographically secure pseudorandom generators exist if and only if one-way functions exist.
Pseudorandom generators have numerous applications in cryptography. For instance, pseudorandom generators provide an efficient analog of one-time pads. It is well known that in order to encrypt a message m in a way that the cipher text provides no information on the plaintext, the key k used must be random over strings of length |m|. Perfectly secure encryption is very costly in terms of key length. Key length can be significantly reduced using a pseudorandom generator if perfect security is replaced by semantic security. Common constructions of stream ciphers are based on pseudorandom generators.
Pseudorandom generators may also be used to construct symmetric key cryptosystems, where a large number of messages can be safely encrypted under the same key. Such a construction can be based on a pseudorandom function family, which generalizes the notion of a pseudorandom generator.
In the 1980s, simulations in physics began to use pseudorandom generators to produce sequences with billions of elements, and by the late 1980s, evidence had developed that a few common generators gave incorrect results in such cases as phase transition properties of the 3D Ising model and shapes of diffusion-limited aggregates. Then in the 1990s, various idealizations of physics simulations—based on random walks, correlation functions, localization of eigenstates, etc., were used as tests of pseudorandom generators.[4]
NIST announced SP800-22 Randomness tests to test whether a pseudorandom generator produces high quality random bits. Yongge Wang showed that NIST testing is not enough to detect weak pseudorandom generators and developed statistical distance based testing technique LILtest.[5]
A main application of pseudorandom generators lies in the derandomization of computation that relies on randomness, without corrupting the result of the computation.Physical computers are deterministic machines, and obtaining true randomness can be a challenge.Pseudorandom generators can be used to efficiently simulate randomized algorithms with using little or no randomness.In such applications, the class
lA
lA
A fundamental question in computational complexity theory is whether all polynomial time randomized algorithms for decision problems can be deterministically simulated in polynomial time. The existence of such a simulation would imply that BPP = P. To perform such a simulation, it is sufficient to construct pseudorandom generators against the family F of all circuits of size s(n) whose inputs have length n and output a single bit, where s(n) is an arbitrary polynomial, the seed length of the pseudorandom generator is O(log n) and its bias is ⅓.
In 1991, Noam Nisan and Avi Wigderson provided a candidate pseudorandom generator with these properties. In 1997 Russell Impagliazzo and Avi Wigderson proved that the construction of Nisan and Wigderson is a pseudorandom generator assuming that there exists a decision problem that can be computed in time 2O(n) on inputs of length n but requires circuits of size 2Ω(n).
While unproven assumption about circuit complexity are needed to prove that the Nisan–Wigderson generator works for time-bounded machines, it is natural to restrict the class of statistical tests further such that we need not rely on such unproven assumptions.One class for which this has been done is the class of machines whose work space is bounded by
O(logn)
O(log2n)
O(log2n)
O(logn)
O(log1.5n)
O(log1.5n/\sqrt{loglogn})
See main article: small-bias sample space.
F
\ell=logn+O(log(\epsilon-1))
See main article: Pseudorandom generators for polynomials.
proves that taking the sum of
d
d
\ell=d ⋅ logn+O(2d ⋅ log(\epsilon-1))
Constant depth circuits that produce a single output bit.
The pseudorandom generators used in cryptography and universal algorithmic derandomization have not been proven to exist, although their existence is widely believed. Proofs for their existence would imply proofs of lower bounds on the circuit complexity of certain explicit functions. Such circuit lower bounds cannot be proved in the framework of natural proofs assuming the existence of stronger variants of cryptographic pseudorandom generators.[6]
. Introduction to modern cryptography. Lindell, Yehuda. 9781466570269. Second . Boca Raton. Jonathan Katz (computer scientist). 893721520. 2014-11-06.