Hardness vs randomness

Noam Nisan, Avi Wigderson

Research output: Contribution to journalArticlepeer-review

604 Scopus citations


We present a simple new construction of a pseudorandom bit generator. It stretches a short string of truly random bits into a long string that looks random to any algorithm from a complexity class C (e.g., P, NC, PSPACE, …) using an arbitrary function that is hard for C. This construction reveals an equivalence between the problem of proving lower bounds and the problem of generating good pseudorandom sequences. Our construction has many consequences. The most direct one is that efficient deterministic simulation of randomized algorithms is possible under much weaker assumptions than previously known. The efficiency of the simulations depends on the strength of the assumptions, and may achieve P = BPP. We believe that our results are very strong evidence that the gap between randomized and deterministic complexity is not large. Using the known lower bounds for constant depth circuits, our construction yields an unconditionally proven pseudorandom generator for constant depth circuits. As an application of this generator we characterize the power of NP with a random oracle.

Original languageAmerican English
Pages (from-to)149-167
Number of pages19
JournalJournal of Computer and System Sciences
Issue number2
StatePublished - Oct 1994

Bibliographical note

Funding Information:
The fundamental idea of trading hardness for randomness is due to Shamir \[Sh\], who suggested that the RSA function can be used to construct good pseudorandom sequences. The first secure pseudorandom bit-generator was built by Blum and Micali \[B1M\], who used the intractabiliy of the discrete logarithm function. These ideas were generalized by Yao \[Ya\], who showed that any one-way permutation can be used to construct generators that foor every polynomial time computation. This result gave the first explicit hardness-randomness trade-off: if no poly-size circuit can invert the one-way permutation, then RP ~ (~ > o DTIME(2n") • Yao's result was recently generalized by Impagliazzo, Levin, and Luby JILL\] who succeeded in constructing a pseudorandom generator based on an arbitrary one-way function. In all these papers, the generator uses the one-way function f essentially as follows: From a random string X0 (the seed), it computes a sequence {Xi} by Xi+l =f(Xi). The output bits bi depend on this sequence. The heart of the argument is then showing that a small circuit that is not fooled by the bit sequence {b~ } • Presented at the 29th IEEE Conference on Foundations of Computer Science, October 24-26, 1988. t This work was done while the first author was a student in the University of California at Berkeley. Supported by Israel National Academy of Science Grant No. 328071, by the Alon Fellowship, and by NSF Grant CCR8612563.


Dive into the research topics of 'Hardness vs randomness'. Together they form a unique fingerprint.

Cite this