Spectral Graph Theory and Applications WS 2011/2012

Lecture 10: Pseudorandom Generators

Lecturer: Thomas Sauerwald & He Sun

Motivated by the need of making nuclear weapon, Monte Carlo method is introduced by
Ulam in 1940s. Closely related is the notion of pseudorandom generators. In 1982, Blum and
Micali introduced the notion of a generator which procedures its output in polynomial time such
that its output passes a polynomial time test. In the same year, Yao gave another definition of
pseudorandom generators, and proved this definition is equal to Blum’s definition.
Loosely speaking, pseudorandom generators are defined as efficient deterministic algorithms
which stretch short random seeds into longer pseudorandom sequences. There are three funda-
mental aspects for pseudorandom generators.
• Efficiency: The generator must be efficient, which means that the pseudorandom genera-
tors must produce pseudorandom sequences within polynomial-time. In fact, pseudoran-
dom generators are one kind of deterministic polynomial-time algorithms.
• Stretching: The generator is required to stretch its input seed to a longer output sequence.
Specifically, the generator stretches an n-bit input into an `(n)-bit long output, where
`(n) > n. The function ` is called the stretching function of the generator.
• Pseudorandomness: The generator’s output has to look random to any efficient observer.
That is, any procedure should fail to distinguish the output of a generator (on a random
seed) from a truly random sequence of the same length in the polynomial time. For
instance, a procedure could count the number of 0’s and 1’s and any pseudorandom
generator need output almost the same number of 0’s and 1’s.
Definition 10.1 (Pseudorandom Generators). A deterministic polynomial-time algorithm G
is called a pseudorandom generator if there exists a stretching function ` : N 7→ N, such that
the following two probability ensembles, denoted {Gn }n∈N and {Un }n∈N , are computationally
indistinguishable.
1. Distribution Gn is defined as the output of G whose length is `(n) on a uniformly selected
seed in {0, 1}n .
2. Distribution Un is defined as the uniform distribution on {0, 1}`(n) , `(n) > n.
That is, letting Um denote the uniform distribution over {0, 1}m , we require that for any proba-
bilistic polynomial-time algorithm A, any positive polynomial p(·), and for all sufficiently large
n, it holds that

 1
Pr [A(G(Un )) = 1] − Pr A U`(n) = 1 < .
p(n)
From the above definition, we know that pseudorandomness is defined in terms of its ob-
server. It is a distribution which cannot be told apart from a uniform distribution by any
polynomial-time observer. However, pseudorandom sequences may be distinguished from truly
random ones by infinitely powerful observers or more powerful observers. For instance, the pseu-
dorandom sequence that cannot be distinguished from truly random ones by any polynomial-
time observer could be distinguished from truly random ones by an exponential-time machine.
So pseudorandomness is subjective to the abilities of the observer.

1
Lecture 10: Pseudorandom Generators 2

The Formulation of Pseudorandom Generators

The formulation of pseudorandom generators consists of three aspects: (1) The

stretching measure of the generators; (2) The class of distinguishers that the
generators are supposed to fool, i.e. the class of algorithms that are allowed to
distinguish the output of generators and the truly uniform distributions; (3)
The resources that generators are allowed to use.

Pseudorandom generators and computational difficulty are strongly related. To show the
computational difficulty, we introduce the notion of one-way functions.
One-way functions is the foundation of modern cryptography, and closely related to public-
key cryptosystem, pseudorandom generators, and digital signature. Intuitively, one-way func-
tions are the class of functions that are easy to compute and hard to invert. The formal definition
is as follows.
Definition 10.2 (One-way Functions). A function f : {0, 1}∗ → {0, 1}∗ is one-way if f satisfies
the following two conditions:
1. There exists a polynomial-time algorithm A to compute f , i.e. ∀x : A(x) = f (x).
2. For all probabilistic polynomial-time algorithms A0 , polynomials p(·) and sufficiently large
n, it holds that
1
Pr A0 (f (Un )) = f −1 ◦ f (Un ) <
 
.
p(n)
We call the algorithm that tries to invert a one-way function or tries to distinguish the
output of a pseudorandom generator from a truly random string an adversary.
In 1993, Håstad, Impagliazzo, Levin and Luby proved the following definitive theorem:
Starting with any one-way function, one can construct a pseudorandom generator.
Theorem 10.3. Pseudorandom generators exist if and only if one-way functions exist.
There are a few problems that seem to be one-way in practice and are conjectured to be
one-way. A typical example is the discrete logarithm function.
Problem 10.4 (The Discrete Logarithm Problem). Given a prime modulus p and a generator
g ∈ Z∗p , for y = g x mod p find the index x.
Before giving the constructions of PRGs, we show that it suffices to construct PRGs with
stretching function `(n) = n + 1.
Theorem 10.5 (amplification of stretch function). Suppose we have a pseudorandom generator
G with a stretch function n + 1, then for every polynomial `(n) > n there exists a pseudorandom
generator with stretch function `(n).
Now we turn to discuss pseudorandom generators for bounded computation.
Definition 10.6. Let M be a randomized TM that on input x requires `(|x|) random bits. The
family {gn }∞n=1 of functions (gn : {0, 1}
s(n) → {0, 1}`(n) ) is an ε−generator for M if for any

x ∈ {0, 1}∗ , it holds that



Pr [M (x, r) = 1] − Pr M x, g|x| (z) = 1 < ε.
r∈{0,1}`(|x|) z∈{0,1}s(|x|)

Instead of a family of functions, it is more convenient to view g, the ε−generator for M , as

a TM which on input a string of length s(n) outputs a string of length `(n). We call z the seed
of the PRG.
Lecture 10: Pseudorandom Generators 3

1 Randomized Logspace TM
There are two different definitions of randomized space bounded TMs based on the manner the
random bits are accessed:
• The TM obtains the random bits when they are required.
• The string of random bits is fed as an auxiliary off-line input (on a separate tape) in
addition to the regular input to the TM. In this case, the head accessing the random bits
on this tape can move back and forth on the tape.
Note that in the case of randomized time bounded computation it is regardless of which con-
vention we observe. For randomized space bounded computation, we consider only TMs of the
first kind or equivalently consider TMs of the second kind in which the head on the random
tape is restricted in the sense that it can only move right along the tape (i. e., the random tape
is one-way read-only tape). We also assume that all randomized space S TMs halt in time less
than 2S .

2 Nisan’s Generators
The main task of this lecture is to construct the following PRG.
2
Theorem 10.7. [INW94] There exists an n-space-bounded TM G : {0, 1}O(log m) → {0, 1}m
such that for all randomized S-space-bounded TM M , G is a 2−S -generator for M , where m = 2S
and n = O(log2 m).
Before discussing the space-bounded PRGs, let us look at the structure of computation
tableau of a randomized TM. For an S space-bounded TM M , the computation tableau of M
consists of at most 2S rows and each row corresponds to a configuration of M , as shown in
Figure 1.
By the definition of randomized TMs, each step of M ’s processing requires one random
bit and the number of random bits required for M is at most 2S . For simplicity we assume
that the running time of M is 2S . Consider the tableau divided into two halves with each half
requiring random strings r1 and r2 respectively each of length r = 2S /2. If r1 and r2 are chosen
independently, then by definition M can output the correct answer. However, we would like
to choose r1 and r2 in such a manner that their behavior is not significantly different from the
case when they are chosen independently.
Formally, we assume that A1 and A2 are the upper and lower halves respectively of the
computation tableau of M and, x1 and x2 are independently chosen random strings, see Figure 2.
Moreover, algorithms A1 and A2 are of the following form:
• Algorithm A1 takes an input x1 of length r and outputs a string b1 of length c.
• Algorithm A2 takes as input the output b1 of A1 and another string x2 of length r and
outputs a string b2 of length c.
What we are in search of is a generator that supplies strings x1 and x2 in a fashion better
than choosing them independently. For notational brevity, given a function g, we use g ` (z) and
g r (z) to express the left half and the right half of the string g(z), i. e., g(z) = g ` (z) ◦ g r (z) and
|g ` (z)| = |g r (z)|. See Figure 3.
Definition 10.8. A function g : {0, 1}t → {0, 1}r × {0, 1}r is defined to be an ε-generator for
communication c if for all functions A1 : {0, 1}r 7→ {0, 1}c and A2 : {0, 1}c × {0, 1}r 7→ {0, 1}c ,
we have that
h i
∀b ∈ {0, 1}c : Pr [A2 (A1 (x1 ), x2 ) = b] − Pr A2 (A1 (g ` (z)), g r (z)) = b < ε.
x1 ,x2 ∈{0,1}r z∈{0,1}t
 Before discussing the space-bounded PRGs, we study the structure of computation tableau
Lecture randomized
of a TM. ForGenerators
10: Pseudorandom a space S-bounded TM M , the computation tableau of M consists 4
of at most 2S rows and each row corresponds to a configuration of M , as shown in 1.

2S Random bits

Figure 1: The computation tableau of a space S-bounded TM

Figure 1: The computation tableau of a space S-bounded TM
By the definition of randomized TM, A1 each
←−−−−step
x1of M ’s processing requires one random
bit and the number of random bits required
 S
for M is at most 2 . For simplicity we assume
that M requires 2S random bits. Consider yb1 the tableau divided into two halves with each half

requiring random strings r1 and r2 respectively each of length r = 2S /2. If r1 and r2 are chosen
A2 ←−−−−TM
independently, then by definition the randomized x2can output the correct answer. However,

we would like to choose r1 and r2 in such a manner that their behavior is not significantly
y
different from the case when they are chosen independently.
To put things more formally, we haveb22 algorithms A1 and A2 such that

Figure 2: A , A with random inputs

1
We shall infact prove a more general result 1that2for all randomized space S TM M , G is a 1
2S
−generator for
M.

For simplicity, we call a 2−c -generator for communication c a c-generator.

Let us assume the following lemma holds and use expanders to prove this lemma in the end
of the lecture.

Lemma 10.9. There exists a constant k > 0 such that for all r, c, there exists a polynomial
time computable c-generator g of the form g : {0, 1}r+kc 7→ {0, 1}r × {0, 1}r .

Now we break the tableau into several components, called A1 , A2 , . . . , A2S , and let the output
of g be the random strings for every pair of consecutive components (A2i−1 and A2i ) such that
their behavior is not significantly different from using pure random bits, see Figure 4. Moreover,
we hope that every application of g causes error at most 1/22S . Because we invoke g at most
2S−1 times, so the total error is at most 2S−1 · 1/22S .
Notice that in the above framework there are 2S−1 components each of which requires R+kS
random bits. We use the same approach to reduce the number of random bits required by every
pair of components from R + kS each to R + 2kS total. We perform this operation recursively
till there is only one component left. See Figure 5.
Formally let gi : {0, 1}R+ikS → {0, 1}R+(i−1)kS × {0, 1}R+(i−1)kS be an S-generator for
Lecture 10: Pseudorandom Generators 5

A1 ←−−−− g ` (z)

yb1


A2 ←−−−− g r (z)


y
b2

Figure 3: A1 , A2 with inputs from generator

A1 R
g R + kS

A2 R

A3 R
g R + kS

A4 R

A2S −1 R
R + kS
g
A2S R

Figure 4: The first level of the recursive construction

i
i = 1, · · · , S. Define Gi : {0, 1}R+ikS → {0, 1}2 ·R inductively as follows:

z i=0
Gi (z) =
Gi−1 gi` (z) ◦ Gi−1 (gir (z)) i > 0

Lemma 10.10. The PRG GS runs in space O R + kS 2 .

Lemma 10.11. For all space S-bounded TM M , GS is a 2−S -generator for M .

Proof. Since each application of gi incurs an error of at most 1/22S , and there are 2S−1 + 2S−2 +
· · · + 2 + 1 = 2S − 1 applications of gi , it follows by the union bound that the error probability
is at most (2S − 1)/22S ≤ 1/2S .

3 Proof of Lemma 10.9

Lemma 10.12. Let G = (V, E) be a d-regular graph with spectral expansion λ. Then for any
subsets S, T ⊆ V we have
s
|E(S, T )| |S| |T | |S| |T |
− · ≤λ· · .
|E| |V | |V | |V | |V |

Proof. Apply the Expander Mixing Lemma on the double covering of G.

Now we prove Lemma 10.9.

Proof. Let G = (V, E) be a d = 26c -regular Ramanujan expander on |V | = 2r vertices. The

generator g : {0, 1}r+6c → {0, 1}r × {0, 1}r works as follows: On input z = (x, i) ∈ {0, 1}r ×
Lecture 10: Pseudorandom Generators 6

A1 R
g1
R + kS
A2 R
g2
A3 R R + kS
g1
A4 R
gS R + S2

R + kS
g2
A2S −1 R
R + kS
g1
A2S R

Figure 5: Recursive construction of GS

{0, 1}d , output g ` (z), g r (z) = (x, y) where y is the vertex reached by taking the i-th edge out

of x.
Let b be any output of the algorithms (A1 , A2 ). Fix b. For any b0 ∈ {0, 1}c , define

Sb0 = x ∈ {0, 1}r | A1 (x) = b0 ,



Tb0 = x ∈ {0, 1}r | A2 (b0 , x) = b .



Thus for truly random strings x1 and x2 , the probability that algorithms (A1 , A2 ) outputs b is
expressed by
X
Pr [A2 (A1 (x1 ), x2 ) = b] = Pr[x1 ∈ Sb0 ∧ x2 ∈ Tb0 ]
x1 ,x2
b0 ∈{0,1}c
X |Sb0 | |Tb0 |
= · .
|V | |V |
b0 ∈{0,1}c

On the other hand, when using the output of g to instead truly random bits, the probability
that (A1 , A2 ) outputs b becomes
h i X
Pr A2 (A1 (g ` (z)), g r (z)) = b = Pr [x ∈ Sb0 ∧ ith edge out of x leads to Tb0 ]
z∈{0,1}r+d x,i
b0 ∈{0,1}c
X e(Sb0 , Tb0 )
= .
|E|
b0 ∈{0,1}c

Therefore
h i
Pr [A2 (A1 (x1 ), x2 ) = b] − Pr A2 (A1 (g ` (z)), g r (z)) = b
x1 ,x2 z∈{0,1}r+d

|Sb0 | |Tb0 | e(Sb0 , Tb0 )

X  
= · −
|V | |V | |E|
b0 ∈{0,1}c
X |Sb0 | |Tb0 | e(Sb0 , Tb0 )
≤ · − .
|V | |V | |E|
b0 ∈{0,1}c

Because Sb0 and Tb0 are subsets of V , by Lemma 10.12 we know that
s
|Sb0 | |Tb0 | e(Sb0 , Tb0 ) |Sb0 | |Tb0 |
· − ≤λ · ≤ λ,
|V | |V | |E| |V | |V |
Lecture 10: Pseudorandom Generators 7

√
where λ is the spectral expansion of G and satisfies λ ≤ 2 · d − 1/d. Therefore
h i
Pr [A2 (A1 (x1 ), x2 ) = b] − Pr A2 (A1 (g ` (z)), g r (z)) = b
x1 ,x2 z∈{0,1}r+d
X
≤ λ
b0 ∈{0,1}c
√
X 2· d−1
≤
d
b0 ∈{0,1}c
2
<2c ·
23c
1
≤ ,
2c
which implies that g is a c-generator.

References
[INW94] Russell Impagliazzo, Noam Nisan, and Avi Wigderson. Pseudorandomness for network
algorithms. In STOC, pages 356–364, 1994.