Pseudorandom generators for low degree polynomials. Proceedings of the thirty-seventh annual ACM symposium on Theory of computing.
Cryptography with constant computational overhead. STOC '08 Proceedings of the fortieth annual ACM symposium on Theory of computing.
On Pseudorandom Generators with Linear Stretch in NC0. Computational Complexity.
On the Security of Goldreich's One-Way Function. APPROX '09 / RANDOM '09 Proceedings of the 12th International Workshop and 13th International Workshop on Approximation, Randomization, and Combinatorial Optimization. Algorithms and Techniques.
Cryptography with constant input locality. CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology.
Cryptography in constant parallel time.
On pseudorandom generators with linear stretch in NC0. APPROX'06/RANDOM'06 Proceedings of the 9th international conference on Approximation Algorithms for Combinatorial Optimization Problems, and 10th international conference on Randomization and Computation.
Scalable secure multiparty computation. CRYPTO'06 Proceedings of the 26th annual international conference on Advances in Cryptology.
Pseudorandom generators with long stretch and low locality from random local one-way functions. STOC '12 Proceedings of the forty-fourth annual ACM symposium on Theory of computing.
A dichotomy for local small-bias generators. TCC'12 Proceedings of the 9th international conference on Theory of Cryptography.
Cryan and Miltersen [7] recently considered the question of whether there can be a pseudorandom generator in NC0, that is, a pseudorandom generator that maps n-bit strings to m-bit strings such that every bit of the output depends on a constant number k of bits of the seed. They show that for k = 3, if m \geq 4n + 1, there is a distinguisher; in fact, they show that in this case it is possible to break the generator with a linear test, that is, there is a subset of bits of the output whose XOR has a noticeable bias. They leave the question open for k \geq 4. In fact, they ask whether every NC0 generator can be broken by a statistical test that simply XORs some bits of the input. Equivalently, is it the case that no NC0 generator can sample an \epsilon-biased space with negligible \epsilon? We give a generator for k = 5 that maps n bits into cn bits, so that every bit of the output depends on 5 bits of the seed, and the XOR of every subset of the bits of the output has bias 2^{-\Omega(n / c^4)}. For large values of k, we construct generators that map n bits to n^{\Omega(\sqrt{k})} bits and such that every XOR of outputs has bias 2^{-n^{1/(2\sqrt{k})}}. We also present a polynomial-time distinguisher for k = 4, m \geq 24n, having constant distinguishing probability. For large values of k we show that a linear distinguisher with a constant distinguishing probability exists once m \geq \Omega(2^k n^{\lceil k/2 \rceil}). Finally, we consider a variant of the problem where each of the output bits is a degree-k polynomial in the inputs. We show there exists a degree k = 2 pseudorandom generator for which the XOR of every subset of the outputs has bias 2^{-\Omega(n)} and which maps n bits to \Omega(n^2) bits.