Results 1 - 10 of 41
Pseudo-Random Generation from One-Way Functions
- PROC. 20TH STOC, 1988
Cited by 601 (16 self)
Abstract: Pseudorandom generators are fundamental to many theoretical and applied aspects of computing. We show how to construct a pseudorandom generator from any one-way function. Since it is easy to construct a one-way function from a pseudorandom generator, this result shows that there is a pseudorandom generator iff there is a one-way function.
Universal One-Way Hash Functions and their Cryptographic Applications
, 1989
Cited by 284 (13 self)
Abstract: We define a Universal One-Way Hash Function family, a new primitive which enables the compression of elements in the function domain. The main property of this primitive is that given an element x in the domain, it is computationally hard to find a different domain element which collides with x. We prove constructively that universal one-way hash functions exist if any 1-1 one-way functions exist. Among the various applications of the primitive is a One-Way based Secure Digital Signature Scheme which is existentially secure against adaptive attacks. Previously, all provably secure signature schemes were based on the stronger mathematical assumption that trapdoor one-way functions exist. Key words. cryptography, randomized algorithms. AMS subject classifications. 68M10, 68Q20, 68Q22, 68R05, 68R10. Part of this work was done while the authors were at the IBM Almaden Research Center. The first author was supported in part by NSF grant CCR-88 13632. A preliminary version of this work app...
One-way functions are necessary and sufficient for secure signatures
, 1990
Cited by 171 (0 self)
Abstract: Much research in theoretical cryptography has been centered around finding the weakest possible cryptographic assumptions required to implement major primitives. Ever since Diffie and Hellman first suggested that modern ...
Public-Key Cryptosystems from Lattice Reduction Problems
, 1996
Cited by 99 (4 self)
Abstract: We present a new proposal for a trapdoor one-way function, from which we derive public-key encryption and digital signatures. The security of the new construction is based on the conjectured computational difficulty of lattice-reduction problems, providing a possible alternative to existing public-key encryption algorithms and digital signatures such as RSA and DSS.
BPP has Subexponential Time Simulations unless EXPTIME has Publishable Proofs (Extended Abstract)
, 1993
Cited by 97 (7 self)
László Babai, Noam Nisan, Lance Fortnow, Avi Wigderson. University of Chicago; Hebrew University.
Abstract: We show that BPP can be simulated in subexponential time for infinitely many input lengths unless exponential time collapses to the second level of the polynomial-time hierarchy, has polynomial-size circuits and has publishable proofs (EXPTIME=MA). We also show that BPP is contained in subexponential time unless exponential time has publishable proofs for infinitely many input lengths. In addition, we show BPP can be simulated in subexponential time for infinitely many input lengths unless there exist unary languages in MA \ P. The proofs are based on the recent characterization of the power of multiprover interactive protocols and on random self-reducibility via low degree polynomials. They exhibit an interplay between Boolean circuit simulation, interactive proofs and classical complexity classes. An important feature of this proof is that it does not ...
Cryptographic Primitives Based on Hard Learning Problems
, 1994
Cited by 69 (3 self)
Abstract: ... this paper, we give results in the reverse direction by showing how to construct several cryptographic primitives based on certain assumptions on the difficulty of learning. In doing so, we develop further a line of thought introduced by Impagliazzo and Levin [6]. As we describe, standard definitions in learning theory and cryptography do not appear to correspond perfectly in their original forms. However, we show that natural modifications to standard learning definitions can yield the desired connections. The particular cryptographic primitives we consider are pseudorandom bit generators, one-way functions, and private-key cryptosystems. We give transformations of hard learning problems into these cryptographic primitives with the desirable property that the complexity of the resulting primitive is not much greater than that of the hard-to-learn functions and distributions. In particular, our constructions are especially adept at preserving the degree of parallelism inherent in the hard functions and distributions. Note that while it is well-known that some of the primitives above imply the existence of others (for instance, the equivalence of bit generators and one-way functions) [14, 7], we are interested in the separate results because the equivalences between primitives often do not preserve complexity measures such as circuit depth (parallelism). For instance, it is not known how to construct a bit generator in NC given a one-way function in NC. One of the main potential benefits of this line of research is that as "simple" function classes (for instance, DNF formulae) continue to elude efficient learning, our belief in the intractability of learning such classes increases, and we can exploit this intractability to obtain simpler cryptographic primitives. In add...
Efficient Cryptographic Schemes Provably as Secure as Subset Sum
- Journal of Cryptology, 1993
Cited by 69 (8 self)
Abstract: We show very efficient constructions for a pseudo-random generator and for a universal one-way hash function based on the intractability of the subset sum problem for certain dimensions. (Pseudo-random generators can be used for private key encryption and universal one-way hash functions for signature schemes.) The increase in efficiency in our construction is due to the fact that many bits can be generated/hashed with one application of the assumed one-way function. All our constructions can be implemented in NC using an optimal number of processors. Part of this work was done while both authors were at UC Berkeley and part when the second author was at the IBM Almaden Research Center. Research supported by NSF grant CCR 88 - 13632. A preliminary version of this paper appeared in Proc. of the 30th Symp. on Foundations of Computer Science, 1989. 1 Introduction. Many cryptosystems are based on the intractability of number-theoretic problems such as factoring and discrete logarit...
Randomness vs. Time: De-randomization under a uniform assumption
- Journal of Computer and System Sciences, 1998
Cited by 64 (7 self)
Abstract: We prove that if BPP ≠ EXP, then every problem in BPP can be solved deterministically in subexponential time on almost every input (on every samplable ensemble for infinitely many input sizes). This is the first derandomization result for BPP based on uniform, noncryptographic hardness assumptions. It implies the following gap in the average-instance complexities of problems in BPP: either these complexities are always sub-exponential or they contain arbitrarily large exponential functions. We use a construction of a small "pseudorandom" set of strings from a "hard function" in EXP which is identical to that used in the analogous non-uniform results of [21, 3]. However, previous proofs of correctness assume the "hard function" is not in P/poly. They give a non-constructive argument that a circuit distinguishing the pseudo-random strings from truly random strings implies that a similarly-sized circuit exists computing the "hard function". Our main technical contribution is to show ...
Tiny Families of Functions with Random Properties: A Quality-Size Trade-off for Hashing
, 2003
Cited by 48 (7 self)
Abstract: We present three explicit constructions of hash functions, which exhibit a trade-off between the size of the family (and hence the number of random bits needed to generate a member of the family), and the quality (or error parameter) of the pseudo-random property it achieves. Unlike previous constructions, most notably universal hashing, the size of our families is essentially independent of the size of the domain on which the functions operate.
Security Preserving Amplification of Hardness
, 1990
Cited by 46 (8 self)
Abstract: We consider the task of transforming a weak one-way function (which may be easily inverted on all but a polynomial fraction of the range) into a strong one-way function (which can be easily inverted only on a negligible fraction of the range). The previous known transformation [Yao 82] does not preserve the security (i.e., the running-time of the inverting algorithm) within any polynomial. Its resulting function F(x) applies the weak one-way function to many small (of length |x|^ε, ε < 1) pieces of the input. Consequently, the function can be inverted for reasonable input lengths by exhaustive search. Using random walks on constructive expanders, we transform any regular (e.g., one-to-one) weak one-way function into a strong one, while preserving security. The resulting ... Supported by grant #86-00301 by US-Israel Binational Science Foundation, Jerusalem, Israel. Supported by CCR-88-13632. Supported by NSF grant DCR-8607492, MIT and Sun Microsystems. Dept. of Computer Sc...