Hardness from Pseudorandomness

In this section, we consider constructions of hard functions from pseudoran-dom generators. Our first result shows that one can construct a mildly-hard function from a PRG.

Theorem 14 There exists a black-box construction of Ω(1/n⁴)-hard function from 1/(3n)-PRG such that the encoding procedure can be realized in NP while the decoding procedure can be realized in P/poly.

Note that one can transform a mildly hard function into an average-case hard one by a polynomial-time procedure [IW97]. Therefore, one can have a black-box construction of average-case hard function from PRG realized in NP. Furthermore, we can combine Theorem 14 with the impossibility results of black-box hardness amplification in [Vio04, LTW05] to obtain correspond-ing impossibility results for black-box PRG construction from hard function.

We can also combine Theorem 14 with our results for weakly black-box hard-ness amplification to obtain corresponding results for weakly black-box PRG construction from hard function.

One unsatisfying aspect of Theorem 14 is that the encoding procedure needs the complexity of NP. A natural question is whether or not its com-plexity can be reduced. Theorem 15 shows that this is in fact possible, but at the expense of increasing the complexity of the decoding procedure to NP.

Theorem 15 There exists a black-box construction of (1 − δ)/2-hard func-tion from a δ/2-PRG G : {0, 1}ⁿ → {0, 1}^m, with m = ω(n/δ²), such that

5.3. HARDNESS FROM PSEUDORANDOMNESS 89 encoding procedure can be realized in P while the decoding procedure can be realized in NP.

Proof. Suppose G : {0, 1}ⁿ → {0, 1}^m, with m = ω(n/δ²), is an δ/2-PRG.

Define the hard function f : {0, 1}ⁿ× [m] → {0, 1} by f (x, i) = G(x)_i. We will show that f is (1 − δ)/2-hard.

Suppose there is a function A : {0, 1}ⁿ× [m] → {0, 1} such that Pru,i[f (u, i) 6= A(u, i)] < 1 − δ

2 . We define the distinguisher D^A: {0, 1}^m → {0, 1} by

D^A(w) = 1 if and only if ∃u ∈ {0, 1}ⁿ : Pr

i [w_i 6= A(u, i)] ≤ 1 − δ/4

2 .

We will show that D^A is an δ/2-distinguisher for G.

Define I(w) = 1 if and only if Pr_i[w_i 6= A(u, i)] ≤ ^1−δ/4₂ .

First, we bound the probability Prw[D^A(w) = 1], which is at most X

u

Prw [I(w) = 1] ≤ 2ⁿ· 2^−Ω(δ2m) ≤ 2^−ω(n)≤ δ 4. Next, we bound the probability Pr_u[D^A(G(u)) = 1]. Since

Prx,i[f (x, i) 6= A(x, i)] < (1 − δ)/2,

Markov’s inequality gives Pr_u[I(G(u)) = 0] < _1−δ/4^1−δ ≤ 1 − ^3δ₄. Thus, Pru D^A(G(u)) = 1 = Pr

u [I(G(u)) = 1] > 3δ 4 .

Therefore Pr_u[D^A(G(u)) = 1] − Pr_w[D^A(w) = 1] > ^δ₂, which contradicts to the assumption that G is a δ/2-PRG.

Note that the distinguisher D^Ais computable in NP^A. Therefore, we have a black-box proof for the hardness of f , in which the decoding procedure can be realized in NP. Finally, note that the function f can be easily computed in polynomial time given G as an oracle, so the encoding procedure can be realized in P. This proves Theorem 15. 2

90 CHAPTER 5. HARDNESS AND PSEUDORANDOMNESS IN NP Now we proceed to prove Theorem 14.

Proof. Suppose G : {0, 1}ⁿ→ {0, 1}^m, with n < m, is a 1/(3n)-PRG. This means that it is hard to tell the image of G from a random string. Therefore, Nisan and Wigderson [NW94] considered the function f^G : {0, 1}^m → {0, 1}

defined by f^G(y) = 1 if and only if y ∈ image(G). This function is clearly worst-case hard, because otherwise it can serve as a distinguisher for G.

However, there are two issues which prevent us from proving a large hardness for such a function in general. First, image(G) may only be a relatively small subset of {0, 1}^m; in this case, one can approximate f^G well simply by outputting 0 for every input. The second issue is that G may be highly non-injective so that elements of image(G) may have large pre-image sizes;

in this case, different elements of {0, 1}^m may carry very different weights from G, so even if one can approximate f^G well, one may be still unable to distinguish G well enough. In fact, when G is injective and m = n + 1, with both issues gone, one can indeed show that f^G has constant hardness. Then a natural question is: can we transform any PRG G into another PRG which has a relatively large image and is almost injective?

To handle the first issue, we would like to choose a hash function h to map the space {0, 1}^m down to a smaller one, the smaller the better, without two elements of image(G) being hashed to the same value. To handle the second issue, we would like to add to the output more information g(x) extracted from the seed x, the more the better, without compromising the security.

For both purposes, we would like to know the pre-image size of G(x) for any given seed x. We define

i_x =log |G⁻¹(G(x))|.

For a seed x, if we know the value i_x, then we would like to choose the hash function h with output length about n − ix and the function g with output length about i_x. We will use the well-known construction of universal hash functions, given in Lemma 33 in the Appendix 5.2.1. Let Hⁿ_m denote such a family of hash functions h : {0, 1}ⁿ → {0, 1}^m. Formally, we consider the following family of generators.

5.3. HARDNESS FROM PSEUDORANDOMNESS 91 Definition 25 Given δ ∈ (0, 1), let r = log(4n). For i ∈ [n], m_i = n−i+2r,

`i = i − r, h ∈ H<sub>m</sub><sup>m</sup><sub>i</sub>, and g ∈ H<sub>`</sub>ⁿ_i, define the function Gⁱ_h,g : {0, 1}ⁿ → {0, 1}^mi × {0, 1}^`i by

Gⁱ_h,g(x) = (h(G(x)), g(x)) .

The problem is that G in general may not be regular, i.e. the values of i_x may not be the same for every x, and the value of i_x may not be easy to compute given x. Instead, we will show that for some specific value of i, for most h and g, determining the image of Gⁱ_h,g is already a hard function. Let f_h,gⁱ be the function such that

f_h,gⁱ (y, z) = 1 if and only if (y, z) ∈ image(Gⁱ_h,g^∗ ).

For i ∈ [n], define the set B_i = {G(x) : x ∈ {0, 1}ⁿ∧ i_x = i}. Clearly, these sets B₁, . . . , B_n form a partition of image(G). Note that for any i ∈ [n], |Bi| ≤ 2ⁿ⁻ⁱ, since each y ∈ Bi has |G⁻¹(y)| ≥ 2ⁱ. Furthermore, since Pr_x[G(x) ∈ ∪_i∈[n]B_i] = 1, there must exist some i^∗ ∈ [n] such that Pr_x[G(x) ∈ B_i^∗] ≥ 1/n and i^∗ ≥ 2r. From now on, we will focus on this i^∗. Let B = B_i^∗, H = H^m_m

i∗, and K = Hⁿ_`

i∗.

Call (h, g) ∈ H × K good if both h and g are good by satisfying the following:

• h(U_m) is perfectly random, i.e., h(U_m) = U_mi∗.

• Pr_x[G(x) ∈ L | G(x) ∈ B] ≤ 1/8, for L = {w ∈ B : ∃w⁰ ∈ B with w⁰ 6=

w and h(w) = h(w⁰)}.

• For any y ∈ B, the distribution of g(x), over x ∈ G⁻¹(y), is 1/8-random.

The following shows that a random (h, g) is likely to be good.

Lemma 35 Pr_h∈H,g∈K[(h, g) is not good] = o(1).

Proof. Recall that H = H^m_m

i∗ and K = Hⁿ_`

i∗. First, from Lemma 33, we have

Pr

h∈H[h(U_m) 6= U_mi∗] = 2^−Ω(m).

92 CHAPTER 5. HARDNESS AND PSEUDORANDOMNESS IN NP Next, for any x, Pr_h∈H[G(x) ∈ L | G(x) ∈ B] = Pr_h∈H[∃w ∈ B \ {G(x)} : h(G(x)) = h(w)], which by the definition of H is at most

|B| · 2^−mi∗ ≤ 2^n−i∗ · 2^{−(n−i∗+2r)} = 2^−2r.

Thus, Eh∈H[Prx∈Un[G(x) ∈ L | G(x) ∈ B]] = Prx∈Un,h∈H[G(x) ∈ L | G(x) ∈ B] ≤ 2^−2r. Define B(h) = 1 if and only if Pr_x∈Un[G(x) ∈ L | G(x) ∈ B] >

1/8. Then by Markov’s inequality, we have

h∈HPr [B(h) = 1] < 2^−2r+3.

Finally, consider any y ∈ B, and note that |G⁻¹(y)| ≥ 2^i∗. Let X denote the uniform distribution over G⁻¹(y). Then from Corollary 7,

g∈KPr[g(X) is not 1/8-random] ≤ 2^{−(i∗−`i∗)/2}/(1/8) ≤ 2^−r/2+3.

Therefor, Pr_h∈H,g∈K[(h, g) is not good] ≤ 2^−Ω(m) + 2^−2r+3+ 2^−r/2+3 = o(1).

2

Next, we show that a good (h, g) gives a hard function. Fix a good (h, g), and let f = f_h,g^i∗ . Suppose that there exists a function C such that Pr_y,z[C(y, z) 6= f (y, z)] = o(1/n³). For any z, define the distinguisher D_z : {0, 1}^m → {0, 1} for G by D_z(w) = 1 if and only if C(h(w), z) = 1. Then we have the following two claims.

Claim 1 Pr_w,z[D_z(w) = 1] ≤ 1/(3n).

Proof. Recall that Pr_w,z[D_z(w) = 1] = Pr_w,z[C(h(w), z) = 1]. The idea is to show that this probability is close to Pr_y,z[f (y, z) = 1] = Pr_y,z[(y, z) ∈ image(f )], which is small because image(f ) is relatively small.

First, since h is good, the distribution of h(w) is perfectly random, which implies that

Prw,z[C(h(w), z) = 1] = Pr

y,z[C(y, z) = 1] . Next, by the assumption that C approximates f well, we have

Pry,z[C(y, z) = 1] ≤ Pr

y,z[f (y, z) = 1] + Pr

y,z[C(y, z) 6= f (y, z)]

≤ Pry,z[f (y, z) = 1] + o(1/n³).

5.3. HARDNESS FROM PSEUDORANDOMNESS 93 Finally, since image(G), of size 2ⁿ, is a small subset of {0, 1}^n+r, we have

Pry,z[f (y, z) = 1] = Pr

y,z[(y, z) ∈ image(f )] = 2ⁿ/2^n+r = 2^−r = 1/(4n).

As a result, we have Pr_w,z[D_z(w) = 1] ≤ 1/(4n) + o(1/n³) ≤ 1/(3n). 2 Claim 2 Pr_x,z[D_z(G(x)) = 1] ≥ 2/(3n).

Proof. Recall that Pr_x,z[D_z(G(x)) = 1] = Pr_x,z[C(h(G(x)), z) = 1], which is at least

Prx [G(x) ∈ B] · Pr

x,z[C(h(G(x)), z) = 1 | G(x) ∈ B] , (5.1) where B = B_i^∗. The first factor above is at least 1/n, by the choice of i^∗. For the second factor, we will show that it is close to Prx[f (h(G(x)), g(x)) = 1 | G(x) ∈ B], which is 1 by definition.

Define T (x, z) = 1 if and only if C(h(G(x)), z) 6= f (h(G(x)), z). Note that the second factor is at least

Prx,z[f (h(G(x)), z) = 1 | G(x) ∈ B] − Pr

x,z[T (x, z) = 1 | G(x) ∈ B] . (5.2) It remains to show that the first term is large while the second term is small.

Since g is good, the distribution of g(x) is 1/8-random, which implies that the first term in (5.2) is at least

Prx,z[f (h(G(x)), g(x)) = 1 | G(x) ∈ B] − 1/8 = 7/8.

Next, we show that the second term in (5.2) is not far from Pry,z[C(y, z) 6= f (y, z)] ,

which is small. Observe that the difference in these two probabilities is that the first argument of C (and f ) comes from two different distributions: one is h(G(x)) for a random x ∈ G⁻¹(B) and the other is a random y from U_mi∗. It suffices to show that for most y ∈ image(h ◦ G), the probability assigned to y by the first distribution, which is Pr_x[h(G(x)) = y | G(x) ∈ B], is within a small factor of that by the second distribution, which is 2^−mi.

94 CHAPTER 5. HARDNESS AND PSEUDORANDOMNESS IN NP Recall that L is the set of w ∈ image(G) which has a different w⁰ ∈ B with h(w) = h(w⁰). Note that the second term in (5.2) is at most

Prx [G(x) ∈ L | G(x) ∈ B] + Pr

x,z[T (x, z) = 1 ∧ G(x) /∈ L | G(x) ∈ B] . (5.3) Since h is good, the first term in (5.3) is at most 1/8. It remains to bound the second term in (5.3). Consider any y 6∈ G(L), which has at most one w ∈ B such that h(w) = y. As any w ∈ B has at most 2^i∗+1 different x’s

Combining the bounds for (5.1), (5.2), and (5.3), we conclude that Prx,z[D_z(G(x)) = 1] ≥ (1/n)(7/8 − 1/8 − o(1)) ≥ 2/(3n).

2

From the two claims above, we have Ez[Pr_x[D_z(G(x)) = 1]−Pr_w[D_z(w) = 1]] ≥ 1/(3n), which implies that for some z, D_z can distinguish G with advantage at least 1/(3n). Note that z can be seen as an advice, and Dz uses C in a black-box way. That is, we have given a black-box proof that f_h,g^i∗ is Ω(1/n³)-hard, for any good (h, g), when G is a 1/(3n)-PRG.

The remaining problem is that we do not know what i^∗ is and which (h, g) is good. Our solution is, as in Section ??, to include i, h, g in the input. Therefore, define our hard function ˆf by ˆf (y, i, h, g) = f_h,gⁱ (y). That is,

f (y, i, h, g) = 1ˆ if and only if y ∈ image(Gⁱ_h,g).

Next, we prove the hardness of ˆf . Suppose there exists a function C such that

5.3. HARDNESS FROM PSEUDORANDOMNESS 95 This implies that for some good (h, g), the function f_h,g^i∗ is not Ω(1/n³)-hard, which then implies that G is not a 1/(3n)-PRG. Again, we can see i^∗ together with a good (h, g) as the advice string. Therefore, we have shown a black-box proof that ˆf is Ω(1/n⁴)-hard when G is a 1/(3n)-PRG.

Finally, note that ˆf can be computed in NP with G given as an oracle, so we have proved Theorem 14. 2

96 CHAPTER 5. HARDNESS AND PSEUDORANDOMNESS IN NP

Chapter 6

Hardcore Set Constructions