By Topic

On ϵ-biased generators in NC0

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

3 Author(s)
E. Mossel ; U.C. Berkeley, CA, USA ; A. Shpilka ; L. Trevisan

M. Cryan and P.B. Miltersen (2001) recently considered the question of whether there can be a pseudorandom generator in NC0, that is, a pseudorandom generator that maps n bits strings to m bits strings and such that every bit of the output depends on a constant number k of bits of the seed. They show that for k = 3, if m ≥ 4n + 1, there is a distinguisher; in fact, they show that in this case it is possible to break the generator with a linear test, that is, there is a subset of bits of the output whose XOR has a noticeable bias. They leave the question open for k ≥ 4. In fact they ask whether every NC0 generator can be broken by a statistical test that simply XORs some bits of the input. Equivalently, is it the case that no NC0 generator can sample an ε-biased space with negligible ε? We give a generator for k = 5 that maps n bits into cn bits, so that every bit of the output depends on 5 bits of the seed, and the XOR of every subset of the bits of the output has bias 2-Ω(nc4)/. For large values of k, we construct generators that map n bits to nΩ(√k) bits and such that every XOR of outputs has bias 2-n1(2√k)/. We also present a polynomial-time distinguisher for k = 4, m ≥ 24n having constant distinguishing probability. For large values of k we show that a linear distinguisher with a constant distinguishing probability exists once m ≥ Ω(2kn[k2]/). Finally, we consider a variant of the problem where each of the output bits is a degree k polynomial in the inputs. We show there exists a degree k = 2 pseudorandom generator for which the XOR of every subset of the outputs has bias 2-Ω(n) and which map n bits to Ω(n2) bits.

Published in:

Foundations of Computer Science, 2003. Proceedings. 44th Annual IEEE Symposium on

Date of Conference:

11-14 Oct. 2003