Hardness vs. randomness

Noam Nisan*, Avi Wigderson

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

54 Scopus citations


A simple construction for a pseudorandom bit generator is presented. It stretches a short string of truly random bits into a long string that looks random to any algorithm from a complexity class C (e.g., P, NC, PSPACE, etc.), using an arbitrary function that is hard for C. This generator reveals an equivalence between the problems of proving lower bounds and the problem of generating good pseudorandom sequences. Combining this construction with other arguments, a number of consequences are obtained.

Original languageAmerican English
Title of host publicationAnnual Symposium on Foundations of Computer Science (Proceedings)
PublisherPubl by IEEE
Number of pages10
ISBN (Print)0818608773, 9780818608773
StatePublished - 1988
Externally publishedYes

Publication series

NameAnnual Symposium on Foundations of Computer Science (Proceedings)
ISSN (Print)0272-5428

Bibliographical note

Funding Information:
The fundamental idea of trading hardness for randomness is due to Shamir \[Sh\], who suggested that the RSA function can be used to construct good pseudorandom sequences. The first secure pseudorandom bit-generator was built by Blum and Micali \[B1M\], who used the intractabiliy of the discrete logarithm function. These ideas were generalized by Yao \[Ya\], who showed that any one-way permutation can be used to construct generators that foor every polynomial time computation. This result gave the first explicit hardness-randomness trade-off: if no poly-size circuit can invert the one-way permutation, then RP ~ (~ > o DTIME(2n") • Yao's result was recently generalized by Impagliazzo, Levin, and Luby JILL\] who succeeded in constructing a pseudorandom generator based on an arbitrary one-way function. In all these papers, the generator uses the one-way function f essentially as follows: From a random string X0 (the seed), it computes a sequence {Xi} by Xi+l =f(Xi). The output bits bi depend on this sequence. The heart of the argument is then showing that a small circuit that is not fooled by the bit sequence {b~ } • Presented at the 29th IEEE Conference on Foundations of Computer Science, October 24-26, 1988. t This work was done while the first author was a student in the University of California at Berkeley. Supported by Israel National Academy of Science Grant No. 328071, by the Alon Fellowship, and by NSF Grant CCR8612563.


Dive into the research topics of 'Hardness vs. randomness'. Together they form a unique fingerprint.

Cite this