Theory and Application of Trapdoor Functions
(extended abstract)

Andrew C. Yao*
Computer Science Division
University of California
Berkeley, California 94720
Abstract

The purpose of this paper is to introduce a new information theory and explore its applications. Using modern computational complexity, we study the notion of information that can be accessed through a feasible computation.

In Part 1 of this paper, we lay the foundation of the theory and set up a framework for cryptography and pseudorandom number generation. In Part 2, we study the concept of trapdoor functions and examine applications of such functions in cryptography, pseudorandom number generation, and abstract complexity theory.

Part 1: Computational Information Theory

By now, Shannon's definition of information (in terms of entropy) has been universally accepted as the correct measure of statistical events [22]. It possesses a number of desirable properties, and has been shown to be the only possible definition which can satisfy these properties (see Shannon [22]). It appears in several important theorems, always providing the natural interpretation. Then, why are we interested in modifying this fundamental definition, and hence the entire theory?

The answer is that, roughly speaking, sometimes it may take an astronomical amount of computation to extract the Shannon information contained in a string; and on such occasions, the conclusions reached by information theory may become inconsequential. To illustrate this more precisely, let us first review some basic facts in the Shannon theory.

Let Σ = {a_1, a_2, ..., a_s} be an alphabet, i.e., a finite set of symbols, and p a probability density over Σ, with p_i = p(a_i). Consider a device S that stochastically generates an infinite sequence b_1 b_2 b_3 ... one symbol at a time, where each b_j is independently distributed according to p. Call such a device S a source, and let the entropy of S be H(S) = Σ_i p_i log2(1/p_i). One could think of H(S) as the amount of uncertainty, or information, contained in each output symbol generated by S. That this is a reasonable interpretation will be borne out in the next theorem.

Suppose two people A and B are far apart, with a source S on A's side, and a communication medium by which A can send binary bits to B. What is the most efficient way (in terms of minimizing the number of bits sent) for A to inform B of the string generated by S? More precisely, suppose A wants to send n consecutive symbols output by S; what is L_n, the minimum expected number of bits A has to send? (See [22] for a precise definition of L_n.)

Shannon's First Theorem [22]. lim_{n→∞} L_n / n = H(S).

In fact, it is true that nH(S) ≤ L_n ≤ nH(S) + 1. In other words, the minimum average number of bits to describe one symbol output by S is H(S).

theory; we will review the other one later on. But right now, we are ready to give a detailed illustration of how computational considerations may affect the conclusions supplied by information theory.

Example 1. Let Σ be the set of all k-bit binary strings with k = 10^4. For any 100-bit integers x and m, let α_{x,m} denote the string c_1 c_2 ... c_k where c_i = parity of (x^i mod m). Let A ⊆ Σ be the multi-set {α_{x,m} | x, m}. Thus, |A| = 2^200 and |Σ| = 2^10000. Consider the source S over Σ with distribution density p(y) = 1/|A| if y ∈ A and p(y) = 0 otherwise. Clearly, H(S) ≤ log2 |A| = 200. Shannon's First Theorem states that, in principle, A can send n output symbols of S to B using nH(S) = 200n bits. In fact, A can simply represent each output α_{x,m} by the 200-bit string xm. However, in order to do this, A has to compute x and m from the 10000-bit string α_{x,m}, as the latter is all A knows. It is not obvious that this can be done in a reasonable amount of computing time.

The above example is only used to demonstrate that Shannon's First Theorem does not immediately guarantee a computationally feasible encoding using H(S) bits per source output. We do not know the true answer to this particular problem.

We now review some more information theory. Again, assume that A wishes to inform B of the output of a source S. This time, however, the communication medium C between A and B, while still
0272-5428/82/0000/0080$00.75 © 1982 IEEE
carrying 0,1 signals, is imperfect in the sense that there is a probability q for a "0" signal to be received as a "1", and similarly a probability q for a "1" to be received as a "0". In the literature, C is called a binary symmetric channel, or BSC. How many bits must be sent over the channel C in order to communicate n output bits of S? As errors are inevitable if q > 0, we are interested in keeping the probability for error below any pre-assigned level ε > 0.

Let I = {0, 1}, J = {0, 1} denote the input and output alphabets of C. A code of length m is a subset E ⊆ I^m; a decoding rule is a function f : J^m → I^m. For any x ∈ E, let P(x) be the probability that f(y) ≠ x if y is received when x is input to C. Define the capacity of C by capacity(C) = 1 − q log2(1/q) − (1 − q) log2(1/(1 − q)).

Shannon's Second Theorem [22]. For any R < capacity(C) and ε > 0, there exists (for sufficiently large m) a code E of length m and a decoding rule f such that (a) |E| ≥ 2^{Rm}, (b) P(x) < ε for all x ∈ E.

The ratio (log2 |E|)/m is called the rate of the code E, as it is the average number of message bits communicated for each bit sent over the channel when code E is used.

There are converses to the above theorem. Essentially, they state that to transmit at rate R > capacity(C) is impossible without making the error ε → 1.

Shannon's Second Theorem is true for channels more general than the BSC. Define a channel C to be an r × t matrix (v_ij) satisfying v_ij ≥ 0 and Σ_j v_ij = 1. The interpretation is that C has an input alphabet I = {b_1, b_2, ..., b_r} and an output alphabet J = {c_1, c_2, ..., c_t}, such that if b_i is input, then the output will be c_j with probability v_ij. It can be proved that Shannon's Theorem is true for properly defined capacity(C). We refer the readers to textbooks on information theory (e.g. [8]) for details.

In theory, Shannon's Second Theorem makes it possible to construct an explicit code with given rate R < capacity(C) and error bound ε > 0 in O(1) time, by exhaustive search over all possible codes of length 1, 2, .... However, such a procedure is in practice computationally prohibitive. The study of finding practical codes has a large literature [8], and there have also been improved theoretical results on the time and storage requirements for codes achieving given R and ε (Ziv [26]). It is therefore true that computational complexity has already received much attention in information theory. However, the computational aspect in which we are interested is quite different.

For our purpose, the coding problem for the classical channels has essentially been solved. We are mainly interested in the situation when the source becomes non-classical, i.e., the alphabet size can no longer be regarded as a constant, as illustrated in Example 1, and in the situation when the channel becomes non-classical, as we will see later.

2. EFFECTIVE ENTROPY

Given a source S with a large alphabet such as in Example 1, how should we define the information contained in its output? We will adopt the view that the minimum average number of bits needed to describe an output in a computationally feasible way is the proper measure. In other words, we will regard Shannon's First Theorem as a definition.

We have in mind the following situation. The source has an alphabet whose symbols are finite binary strings with an average length n (say n ≈ 200). Person A is interested in communicating to B a sequence α of n^t output symbols of S (t is a fixed integer, say t = 3). The question is, how short a string β can A compute in a reasonable amount of time (say in time n^k for some fixed k), so that B, on receiving β, can recover α in a reasonable amount of time? To define this concept precisely, we resort to the well-developed computational complexity theory. In this theory, the complexity of a computational problem is measured by the asymptotic behavior of algorithms as the input length becomes large. To apply the theoretical results to input of a particular length, we tacitly assume that this length is large enough that the asymptotic results can be used. For example, suppose theoretically one can prove that the decision problem for a certain formal logic system has complexity Ω(2^{2^n}), i.e. any algorithm T for the decision problem must have a running time ≥ c_T 2^{2^n} for some constant c_T > 0. We will then regard that, for formula size n ≈ 1000, any reasonable algorithm must use time ≈ 2^{2^1000} for some input formula. Taking this approach, we need to consider not one source, but a sequence of sources, and look at the asymptotic behavior of the quantities of interest.

Definition 1. Let Σ be a fixed, finite alphabet. A source S is a probability distribution p over Σ+ with a finite expected length ℓ(S) = Σ_x p(x)|x|. A source ensemble S is a sequence of sources S_1, S_2, ..., with probability distributions p_1, p_2, ..., such that for some fixed t_2 > t_1 > 0, p_n(y) > 0 implies n^{t_1} < |y| < n^{t_2}.

Remark. This last assumption is not essential, but useful for simplifying later discussions; it is satisfied by most applications that we are interested in.

In the following, a probabilistic algorithm means a probabilistic multi-tape Turing Machine [9] that always halts. One can alternatively think of it as a program on a random access computer that always halts, since we will only prove results that are polynomially invariant.

Notation. We will use the notation O(ν(n)) for any function f(n) that vanishes faster than 1/n^t for every fixed t.

The following definition specifies precisely how A is allowed to encode a sequence of n^k (for some k > 0) output symbols from S_n and how B decodes it.
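Example 1 of Section 1 made concrete, as an added illustration that is not code from the paper: the strings α_{x,m} are cheap to generate from (x, m), and the short description xm is exactly what Shannon's First Theorem promises, but the encoder A only holds the string and has to recover x and m from it. The 100-bit parameters are scaled down to `bits` bits so that the exhaustive inversion finishes, and "parity of (x^i mod m)" is read here as the low-order bit (both are our assumptions).

```python
# Added illustration of Example 1 (our code, not the paper's). We scale the 100-bit
# x and m down to `bits` bits and read "parity of (x^i mod m)" as the low-order bit.


def alpha(x: int, m: int, k: int) -> str:
    """alpha_{x,m} = c_1 ... c_k with c_i = parity of (x^i mod m), for m >= 1."""
    if m < 1:
        raise ValueError("modulus m must be a positive integer")
    bits = []
    p = 1
    for _ in range(k):
        p = (p * x) % m            # x^i mod m, one modular multiplication per output bit
        bits.append(str(p & 1))    # parity taken as the low-order bit (our assumption)
    return "".join(bits)


def encode_from_parameters(x: int, m: int, bits: int) -> str:
    """A's short description of alpha_{x,m}: the 2*bits-bit concatenation xm."""
    return format(x, f"0{bits}b") + format(m, f"0{bits}b")


def recover_parameters(s: str, bits: int):
    """What A must do when given only the string: search every pair (x, m) with
    0 <= x < 2^bits and 1 <= m < 2^bits until alpha_{x,m} equals s.
    Returns (x, m, candidates_tried). Any matching pair is accepted, because A is a
    multi-set and the same string can arise from several parameter pairs.
    The worst case is about 2^(2*bits) candidates, i.e. 2^200 for the paper's 100 bits,
    against k modular multiplications for the forward direction."""
    k = len(s)
    tried = 0
    for m in range(1, 1 << bits):
        for x in range(1 << bits):
            tried += 1
            if alpha(x, m, k) == s:
                return x, m, tried
    return None


def support_size(bits: int, k: int) -> int:
    """Number of distinct strings in A. The paper's bound H(S) <= log2|A| counts the
    multi-set; distinct strings are strictly fewer (x = 0 and m = 1 both give all zeros)."""
    return len({alpha(x, m, k) for m in range(1, 1 << bits) for x in range(1 << bits)})


if __name__ == "__main__":
    b, k = 4, 16
    s = alpha(11, 13, k)
    print("alpha_{11,13} =", s, "described by xm =", encode_from_parameters(11, 13, b))
    print("recovered (x, m, candidates tried) =", recover_parameters(s, b))
    print("distinct strings:", support_size(b, k), "multi-set size:", (2**b - 1) * 2**b)
```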
Definition 2. Let t, k > 0 be any fixed numbers. A (t, k)-encoding of S is a triplet of probabilistic algorithms M = (M_A, M_B, M_C) satisfying the following properties:

(a) Given input α = (n, x_1, x_2, ..., x_{n^k}), where p_n(x_i) > 0 for all i, algorithm M_A will halt in time O(n^t) and leave some binary string β on the output tape of M_A; let q_n(α) denote the probability distribution of β;

(b) Given stochastically an input pair (n, β) where β is distributed according to q_n(α), the algorithm M_B will halt in time O(n^t) and leave the string α on the output tape of M_B with probability 1 − O(ν(n));

(c) Let b > 0 be any fixed number. Given n and any string β = β_1 β_2 ... β_u where each β_i is a possible output from M_A for some α_i and u = O(n^b), the algorithm M_C halts in time O(n^{b'}) for some fixed b' and outputs β_1, β_2, ..., β_u correctly with error probability O(ν(n)).

Define l_n(α) to be the expected length of β over q_n(α). Let p_n(α) = p_n(x_1) p_n(x_2) ... p_n(x_{n^k}). Let l_n(M; S) = Σ_α p_n(α) l_n(α) / n^k, the average number of bits used by M to encode an output symbol x of S_n.

Remark. Properties (a) and (b) stipulate that encoding and decoding can be done in polynomial computation time, and with error O(ν(n)). Property (c) roughly states that the code is a uniquely decipherable code, in the sense that to transmit u · n^k outputs of the source S_n, one can encode each n^k segment separately and then concatenate the u blocks for transmission.

Definition 3. A (t, k)-entropy sequence for S is a sequence w_1, w_2, ... such that there exists a (t, k)-encoding M for S with l_n(M; S) = w_n.

Only the asymptotic behavior of w_n is of interest, since for any fixed n, we can choose M with enough states to make w_n = H(S_n), the Shannon entropy of S_n.

Definition 4. We say that the effective entropy H_e(S) is less than g(n), or in symbols H_e(S) ≤ g(n), if there exist t, k > 0 and a (t, k)-entropy sequence (w_n) for S such that w_n ≤ g(n) for all sufficiently large n.

Similarly, we write H_e(S) ≥ h(n) if, for every fixed t, k > 0, every (t, k)-entropy sequence (w_n) for S satisfies w_n ≥ h(n) for all sufficiently large n. We will also use notations such as H_e(S) = O(g(n)), Ω(h(n)), Θ(f(n)), etc.

Thus, we are using the term "effective entropy of a source ensemble" in the same spirit as we speak of "the computational complexity of a decision problem"; neither is a well-defined quantity, but each can serve as a useful shorthand. In some cases, however, one has upper and lower bounds tight enough to write equalities such as H_e(S; n) = g(n) + O(log n). An important case is the source ensemble that corresponds to random numbers.

Definition 5. The true random number ensemble T_0 is the source ensemble S_1, S_2, ..., where S_n is defined to be the probability distribution p_n(x) = 2^{−n} if |x| = n, and 0 otherwise.

Theorem 1. For any source ensemble S, H_e(S; n) ≥ H(S_n) + O(ν(n)).

Corollary. H_e(T_0; n) = n + O(ν(n)).

The additive O(ν(n)) appears in the above theorem because we allow O(ν(n)) probability of error in Definition 2. The form of the equality in the Corollary turns out to have a special significance, as will become clear in Section 5.

Are there source ensembles with effective entropies much greater than their Shannon entropies? The answer is yes. Let g(n) be any monotonic function that goes to infinity with (log2 n)^2 < g(n) < n.

Example 2. The following source ensemble S = S_1, S_2, ... can be shown to have H(S_n) = g(n), while H_e(S; n) = n + O(ν(n)). Let α_1, α_2, ... be a sequence of binary strings, where α_n has length n · 2^{g(n)} and is of maximum Kolmogoroff-Chaitin information [6][14]. Write α_n as α_{n1} α_{n2} ... α_{nG(n)}, where G(n) = 2^{g(n)}, with |α_{ni}| = n; let S_n be defined by p(x) = 2^{−g(n)} if x = α_{ni} for some i, and 0 otherwise. It is in fact not hard to modify the above definition to have a constructable S, using a relativized version of algorithmic information (defined by Levin).

3. RELIABLE TRANSMISSION

The centerpiece of information theory is Shannon's Second Theorem, which states that a channel C can reliably transmit information at a rate of R bits per channel transition provided R < capacity(C). Further, a rate of R > capacity(C) is impossible to achieve. The natural question facing us is: How fast can a channel transmit computational information? In this section, we will study one side of this question, namely: Can C transmit computational information reliably at rate R fbits with R > capacity(C)? (We have coined the term fbit as a unit for effective entropy.)

Let us first define the above question more precisely. As the details are similar to Definition 2, we will state the definitions informally. In contrast to the way a code and its rate are defined in the Shannon case, we need to define the concepts of code and rate relative to a source ensemble.

Definition 6. Let S = (S_n) be a source ensemble, and let C be a channel with input-output symbol sets I and J. A (t, k)-coding scheme of S over C is a triplet of probabilistic algorithms M = (M_A, M_B, M_C) that always halt in polynomial time O(n^t). For any n and a string α of n^k outputs from S_n, the encoder M_A stochastically computes a string β ∈ I* and sends it across channel C; the decoder M_B takes the resulting output string γ ∈ J* and computes a string δ. The requirement is that, when averaged over the probabilistic
distribution of α and over all the stochastic moves of M_A, M_B and C, the probability of δ ≠ α is of order O(ν(n)). The strings γ (output from the channel C) are uniquely decipherable by algorithm M_C (as in Definition 2), again allowing for failure probability O(ν(n)).

Definition 2 can be regarded as a special case of Definition 6. A (t, k)-encoding of S is essentially a (t, k)-coding scheme of S over C, where C is the binary symmetric channel with crossover probability q = 0.

Definition 7. In the previous definition, let l_n(M; S; C) be the expected value of |β| / n^k, when the input α to M_A is generated probabilistically by source S_n.

Thus, l_n(M; S; C) is the average number of channel symbols used by M to transmit reliably over channel C one output symbol of the source S_n. To see what "rate", the traditional performance measure of a code, corresponds to, let us for the moment assume that H_e(S; n) has a sharp asymptotic behavior (e.g. H_e(S; n) = √n + O(n^{1/3})). In such a case, the natural definition of the rate of M (for S over C) is

R_n = (H_e(S; n) · n^k fbits) / (l_n(M; S; C) · n^k channel transitions) = H_e(S; n) / l_n(M; S; C) fbits per channel transition.

Then, the question of whether it is possible to transmit computational information reliably at a rate higher than the channel capacity becomes "Do there exist an M and a fixed ε > 0 such that H_e(S; n) > (capacity(C) + ε) l_n(M; S; C)?" The next theorem says that the answer is "no". (The statement of the theorem is valid even if H_e(S; n) is not sharply determined.)

Theorem 2. Let M be an encoding scheme for a source ensemble S over a channel C. Then for any fixed ε > 0, there exists an entropy sequence (w_n) for S such that

w_n < (capacity(C) + ε) l_n(M; S; C)

for all sufficiently large n.

Corollary. If H_e(S; n) ≥ h(n), then

l_n(M; S; C) > h(n) / (capacity(C) + ε)

for all sufficiently large n.

The proof of this theorem is quite involved. We will not get into it here.

Let us mention two reasons why Theorem 2 is important for our theory from an aesthetic point of view. First, if the theorem were false, we would have a channel (say with capacity equal to 2) for which each channel input symbol can carry at most 2 bits of Shannon information, but may carry more, say 2.4 fbits, of computational information. The natural interpretation of Shannon's Second Theorem would be lost for transmitting computational information. We would also have to accept that, even in simple situations, not all fbits behave alike.

The second point is that there is no obvious reason why the Theorem is true. Consider the coding of a source ensemble S with H_e(S; n) ≈ √n. The codewords conceivably can be so sparsely populated that if we use the same coding to transmit over a BSC with small crossover probability q, the displaced codewords after channel transmission are still widely apart. Thus, there is no purely combinatorial obstacle for the encoding to remain a valid one for a BSC, and retain a rate higher than that allowed by Theorem 2. The fact that a consistent interpretation is obtained in a new environment after complexity-type reasoning gives us confidence that our definition is on the right track.

4. INDISTINGUISHABILITY

Let S and S' be two sources with known distinct probability distributions p and p' over Σ+, where Σ is a fixed alphabet. Suppose a box that simulates one of the sources is given to you, but you are not told which source. The box will emit upon each request a string distributed in accordance with the underlying distribution. Can you tell with confidence which source the box is simulating?

For the classical sources, the answer is "yes", since one can always take enough outputs and observe the frequency of occurrence of any particular string v for which p(v) ≠ p'(v). In the non-classical case, however, the question is more complex. Even when p and p' differ substantially, say p(v) = |Σ|^{−n} for all v of length n and p'(v) = 1/|T| where T ⊆ Σ^n and |T| = |Σ|^{√n}, it is not obvious that there is a way of deciding which alternative is true (an astronomical number of observations will be needed if we use the method mentioned above for classical sources). We now define precisely what we mean by two indistinguishable sources.

Definition 8. Let S = (S_n), S' = (S'_n) be two source ensembles. A witness algorithm M for (S, S') is a probabilistic algorithm such that the following properties are true for some fixed t, k and ε > 0:

(a) For any input (n, α), where α = (x_1, x_2, ..., x_{n^k}) is a sequence of n^k outputs of S_n, the algorithm M halts in time O(n^t) and leaves a boolean output M(n, α); let f_n(M, S) be the probability that M(n, α) = 1 when α is generated probabilistically by S_n;

(b) Similarly, let f_n(M, S') be the corresponding probability for S';

(c) There exists an infinite sequence of (distinct) values n_1, n_2, ... such that |f_n(M, S) − f_n(M, S')| > ε for n = n_1, n_2, ....

Definition 9. Two source ensembles S and S' are said to be indistinguishable if there exists no witness algorithm for S and S'.

Note that a witness algorithm may not be a suitable algorithm for deciding if a box is simulating source S or S', since condition (c) only guarantees that S and S' behave differently for some values
of n. The definition of witness algorithm is designed to ensure that two indistinguishable sources behave almost identically for any test as n → ∞.

There exist indistinguishable source ensembles with very different underlying probability distributions. In fact, the ensemble S defined in Example 2 and the true random number ensemble T_0 (Definition 5) are indistinguishable. The reason will become clear in the next section.

5. A THEORY OF PSEUDORANDOM NUMBERS

The study of the concept of randomness in strings has received considerable attention (see Knuth [13]). There are two types of results: the first type deals with the question of "what is a random sequence", and the second type deals with the problem of pseudorandom number generation. The former question is concerned with properties of a single sequence, and has been satisfactorily answered through the work of many researchers (e.g., Kolmogoroff [14], Chaitin [6], Martin-Löf [15], Levin [27], Meyer and McCreight [16]); we will be interested in the latter problem.

The need for pseudorandom numbers arises on many occasions such as simulation, sampling, cryptography, etc. How should one choose a pseudorandom number generator for a particular application? In the literature, there are many proposed methods of generating pseudorandom numbers, and various statistical tests are available for measuring the strength of a proposed scheme. If, in an application, it is possible to isolate some simple randomness properties that can guarantee success, then a statistical test based on the desired randomness properties can be used to screen and select an appropriate generator. This, however, is seldom the case. Furthermore, the performance of a pseudorandom number generator under a particular statistical test is usually hard to determine analytically, and often has to rely on empirical evidence.

Wouldn't it be nice if there existed a pseudorandom number generator that is fit for all applications? In this section, we will set up a framework for discussing pseudorandom numbers, and introduce the concept of a perfect pseudorandom number generator. In Part II of this paper we will exhibit a class of generators that have strong theoretical evidence to be perfect.

For our purposes, a pseudorandom number generator is an algorithm that takes some true random bits and generates deterministically a much longer sequence of bits. For example, one possible linear congruential generator is to choose randomly four n-bit numbers m, a, c, X_0 and generate an n^3-bit sequence β = X_1 X_2 ... X_{n^3} by X_{i+1} = (aX_i + c) mod m. We can regard the probability distribution of the final string as a source. The strength of the pseudorandom number generator can be studied as a property of the source, without regard to how it is generated. Let us first see how one can formalize this in terms of sources.

Definition 10. A source ensemble S = (p_n) is said to be uniform if all strings x with p_n(x) > 0 have the same length ℓ(n), and furthermore ℓ(n) < ℓ(n + 1) for all n. Call ℓ(n) the length function for S.

For simplicity, we will assume that the alphabet is {0, 1} for the rest of this section. Note that by definition, n^{t_1} < ℓ(n) < n^{t_2} for some t_1, t_2 > 0.

Let ℓ(n) be an integer-valued function with ℓ(n) < ℓ(n + 1). Define T_ℓ to be the source ensemble (S_n) where S_n is the source corresponding to the ℓ(n)-bit random numbers.

Definition 11. A uniform source ensemble S with length function ℓ(n) is said to be perfect if S and T_ℓ are indistinguishable.

We want to stress that a uniform source ensemble does not necessarily correspond to a pseudorandom number generator, because the underlying distributions may not be generated from a small number of random bits. Before turning to the task of defining pseudorandom number generators, we want to explore the property of being "perfect" in more depth.

How does the concept of statistical test fit into the picture? Let us define the term rigorously.

Definition 12. A polynomial statistical test is a probabilistic algorithm M that takes only inputs of the form (x_1, x_2, ..., x_{N^k}), where each x_i is an N-bit number, halts in time O(N^t), and outputs a binary string y, where t and k are some fixed positive integers.

Definition 13. In the above definition, let η_M(N, y) be the probability that y appears as output when the inputs x_i are independent random N-bit numbers. For any uniform source ensemble S with length function ℓ, let η_M(N, y; S) be the probability that y appears as output when the inputs x_i are generated by source S_n where N = ℓ(n). (η_M(N, y; S) is defined only when N = ℓ(n) for some n.)

Informally, the test M takes N^k N-bit outputs from source ensemble S and computes a quantity y. This quantity y is usually used to produce a fraction δ = f(y, N) (either by table look-up or by another calculation), which represents a confidence level that S should be rejected as non-random (see e.g. [13]).

Definition 14. Let M be a polynomial statistical test, and S a uniform source ensemble. We say that S passes the statistical test M if η_M(N, y; S) − η_M(N, y) = O(ν(N)) for all y.

Theorem 3. A uniform source ensemble S is perfect if and only if S passes every polynomial statistical test.

This establishes the link between statistical tests and our definition of a perfect source ensemble. So far, we have discussed this concept of "perfect" completely in terms of computational complexity. The next result shows that we can also express it in terms of computational information.
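The linear congruential source of this section run against one concrete polynomial statistical test in the sense of Definitions 12-14, as an added illustration that is not code from the paper. The test statistic, the choice of an n-bit m as one with its top bit set, the sample sizes and the threshold are our own; the experiment estimates η_M(N, 1; S) for the LCG ensemble and for the true random ensemble T_0, and a gap exceeding a fixed ε is exactly condition (c) of Definition 8, so by Theorem 3 this source is not perfect.

```python
import random
from typing import Callable, List

# Added example (not from Yao's paper): a polynomial statistical test (Definitions 12-14)
# applied to the LCG source of Section 5 and to the true random ensemble T_0.
# Parameters, thresholds and the reading of "n-bit m" as 2^(n-1) <= m < 2^n are ours.


def lcg_source(n: int, count: int, rng: random.Random) -> List[int]:
    """`count` consecutive outputs of the page's LCG: draw random n-bit m, a, c, X_0,
    then iterate X_{i+1} = (a*X_i + c) mod m."""
    m = rng.getrandbits(n) | (1 << (n - 1))       # force exactly n bits: 2^(n-1) <= m < 2^n
    a, c, x = rng.getrandbits(n), rng.getrandbits(n), rng.getrandbits(n)
    out = []
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out


def true_random_source(n: int, count: int, rng: random.Random) -> List[int]:
    """`count` independent uniform n-bit numbers: the source S_n of the ensemble T_0."""
    return [rng.getrandbits(n) for _ in range(count)]


def top_bit_test(samples: List[int], n: int, threshold: float = 0.4) -> int:
    """A polynomial statistical test M (Definition 12): input N^k N-bit numbers, output a
    one-bit string y, with y = 1 meaning "the most significant bit is set too rarely".
    For uniform N-bit numbers that bit is set with probability 1/2. Every LCG output lies
    below m < 2^n, so (roughly) its top bit is set with probability (m - 2^(n-1))/m only,
    which is below 0.4 for about two thirds of the random choices of m."""
    frac = sum((x >> (n - 1)) & 1 for x in samples) / len(samples)
    return 1 if frac < threshold else 0


def estimate_eta(source: Callable[[int, int, random.Random], List[int]],
                 n: int, k: int, trials: int, rng: random.Random) -> float:
    """Estimate eta_M(N, 1; S) of Definition 13 with N = n: the probability that the
    test outputs y = 1 when its N^k inputs are drawn from `source`."""
    count = n ** k
    hits = sum(top_bit_test(source(n, count, rng), n) for _ in range(trials))
    return hits / trials


def witness_gap(n: int = 32, k: int = 2, trials: int = 200, seed: int = 1) -> dict:
    """Compare the test's acceptance probabilities on the LCG ensemble and on T_0.
    A gap above a fixed epsilon is condition (c) of Definition 8, i.e. the test is a
    witness algorithm and the LCG source is not perfect (Theorem 3)."""
    rng = random.Random(seed)   # fixed seed so the experiment is reproducible
    eta_lcg = estimate_eta(lcg_source, n, k, trials, rng)
    eta_true = estimate_eta(true_random_source, n, k, trials, rng)
    return {"eta_lcg": eta_lcg, "eta_true": eta_true, "gap": abs(eta_lcg - eta_true)}


if __name__ == "__main__":
    print(witness_gap())
```

The true random ensemble is expected to trigger y = 1 almost never, while the LCG does so for roughly two thirds of the parameter choices, so the gap is far larger than the O(ν(N)) that Definition 14 tolerates.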
Theorem 4. A uniform source ensemble S is perfect if and only if H_e(S; n) = n + O(ν(n)).

The significance of the equality in the corollary to Theorem 1 should now become clear: it characterizes the perfect source ensembles. It also follows from Theorem 4 that the S in Example 2 is a perfect source ensemble, and hence indistinguishable from T_0.

We close this section by defining pseudorandom number generators in the present setting.

Definition 15. A pseudorandom number generator G is a probabilistic algorithm such that, given input integers k and n, it

(a) halts in polynomial time in n,

(b) uses O(n) true random bits, and

(c) outputs a binary string α of length n^k.

For each k, the above generator G defines a natural source ensemble W_k(G) = (S_n), where S_n is the source that outputs α of length n^k with the same probability as G does (when n is the input).

Definition 16. A pseudorandom number generator G is said to be perfect if W_k(G) is a perfect source ensemble for every fixed k.

6. MUTUAL INFORMATION AND INDEPENDENCE

We first review the concepts of mutual information and independence in Shannon's theory. Let Ω = (T, p) be a probability space, where T is a finite sample space and p is a probability distribution on T. For any random variable X : T → V_X, where the number of possible values |V_X| is finite, let the entropy of X be

H(X) = Σ_{x ∈ V_X} p_X(x) log2(1/p_X(x)),

where p_X(x) = Σ_{X(t) = x} p(t) is the probability that X = x. We can regard H(X) as the average amount of information that a single observation of the value of X gives us. The entropy H(S) of a source S can be obtained as a special case, when S is both the sample space and the random variable.

Let Y be another random variable on Ω. The conditional entropy of X given Y is defined as

H(X|Y) = Σ_{y ∈ V_Y} p_Y(y) Σ_{x ∈ V_X} Pr{X = x | Y = y} log2(1/Pr{X = x | Y = y}),

i.e., the average amount of information an observation of X gives us, when the value of Y is already known. The mutual information of Y about X is I(X, Y) = H(X) − H(X|Y). One interesting fact is that the mutual information is symmetric, i.e., I(X, Y) = I(Y, X). Quantitatively, it means that if knowing the value of Y tells you some information about the value of X, then knowing the value of X tells you roughly the same amount of information about Y.

Two random variables X and Y are said to be independent if I(X, Y) = 0. It can be shown that this agrees with the traditional usage of this term in probability theory, i.e., Pr{X = x, Y = y} = Pr{X = x} · Pr{Y = y} for all x, y.

Let us now define the corresponding notions in our theory. As in defining effective entropy, we begin with an example to illustrate the need for different definitions when computational efforts are taken into account.

Consider the sample space T of all bipartite graphs G between two vertex sets of 1000 nodes each, and assume that all such graphs are equally likely to occur. Let X and Y be random variables defined by Y(G) = G and X(G) = the number of perfect matchings in G (mod 3). It is clear that, since one can compute the value of X from that of G, H(X|Y) = 0. Thus, I(X, Y) = H(X); we can say that Y contains all the Shannon information about X. However, we do not know any efficient way of computing X from G, and it is conceivable that no efficient algorithms exist (in an average-case sense). If the latter were the case, then we can view the Shannon information which Y contains about X as being inaccessible, at least partly, by feasible computations. Thus, a different definition of H(X|Y) is clearly needed to express such possibilities.

We do not know whether efficient algorithms exist for the particular problem discussed above (it is NP-hard, see [24]). It is possible to construct examples where the phenomenon can be rigorously shown to exist.

Let us try to capture the notion of effective conditional entropy. Consider a source ensemble S = {S_n} over alphabet Σ. A random variable X on S is a sequence (X_n), where X_n is a random variable on S_n (regarded as a probability space) with values of X in Σ+. Suppose the source S_n emits a sequence of n^k output symbols α_1, α_2, ..., α_{n^k}, and person A is told the value of X(α_i) and Y(α_i) for 1 ≤ i ≤ n^k, while person B is only told the value of Y(α_i) for 1 ≤ i ≤ n^k. Now, if A wants to inform B of the value of X(α_i) for 1 ≤ i ≤ n^k, what is the minimum average number of bits A has to send to B? Note that the question reduces to the question one faces in defining effective entropy, when Y is a constant and X(α_i) = α_i.

We will just state these definitions informally, as the details are similar to those in Definitions 2-4. A (t, k)-encoding of X relative to Y is a triplet of probabilistic algorithms M = (M_A, M_B, M_C), where the encoder M_A takes input α = (n, x_1, x_2, ..., x_{n^k}, y_1, y_2, ..., y_{n^k}) and computes some binary string β, which if input together with n and y_1, y_2, ..., y_{n^k} to the decoder M_B, will enable M_B to recover the string x_1, x_2, ..., x_{n^k} with error probability O(ν(n)); furthermore the codewords β are uniquely decipherable by algorithm M_C; the algorithms M_A, M_B, M_C all halt in O(n^t) time. Let l_n(M; X|Y) denote the average value of |β| / n^k, that is, the average number of bits used by M to encode a value x of X. A (t, k)-conditional-entropy sequence for X|Y is a sequence {w_n} such that there exists a (t, k)-encoding of X relative to Y with l_n(M; X|Y) = w_n. We use the abbreviations H_e(X_n|Y_n) ≤ g(n), H_e(X_n|Y_n) = g(n) + O(h(n)),
Authorized licensed use limited to: Tsinghua University. Downloaded on May 17,2023 at 02:10:56 UTC from IEEE Xplore. Restrictions apply.
etc. in the same way as in Definition 4. We will use the term effective conditional-entropy of $X|Y$ for $H_c(X|Y)$.

We now turn to the question of mutual information.

Definition 17. Let $g(n)$ and $h(n)$ be any functions. We will write $I_c(X_n|Y_n) \le g(n)$ if the following is true: For any conditional-entropy sequence $(w_n)$ for $X|Y$, there exists an entropy sequence $(w'_n)$ for $X$ such that $w'_n \le w_n + g(n)$ for all sufficiently large $n$. Expressions such as $I_c(X_n|Y_n) = O(g(n))$, $I_c(X_n|Y_n) \ge h(n)$, etc. can be similarly defined.

In general, $I_c(X_n|Y_n)$ is not symmetric, in contrast to the case of classical mutual information. In fact, this asymmetry property is essential for the possibility of public key cryptography (see § 5 Part 2). In one important special case, however, $I_c$ is nearly symmetric.

Theorem 5. $I_c(X_n|Y_n) = O(\nu(n))$ if and only if $I_c(Y_n|X_n) = O(\nu(n))$.

Definition 18. $X$ and $Y$ are said to be effectively independent if $I_c(X_n|Y_n) = O(\nu(n))$.

In the classical case, there is an alternative description of independence, namely, $\Pr\{X = x, Y = y\} = \Pr\{X = x\} \cdot \Pr\{Y = y\}$. Is there an analogue? Let us define two new source ensembles $S' = (S'_n)$ and $S'' = (S''_n)$ for given $X$ and $Y$. The source $S'_n$ probabilistically outputs a string $(x, y)$ by the following process: Let $S_n$ generate probabilistically an output $a$, then define $x = X(a)$, $y = Y(a)$. The source $S''_n$ outputs $(x, y)$ by the following process: Let $S_n$ generate independently two output strings $a_1, a_2$ and define $x = X(a_1)$, $y = Y(a_2)$. Let us write $S'$ as $S(X + Y)$, and $S''$ as $S(X \times Y)$.

Theorem 6. Let $X$ and $Y$ be random variables on a source ensemble $S$. Then $X$ and $Y$ are effectively independent if and only if $S(X + Y)$ and $S(X \times Y)$ are indistinguishable.

Theorem 6 implies that any polynomial-time test must fail to detect any correlation between effectively independent $X$, $Y$ for all sufficiently large $n$. It also implies that observing $y_1, y_2, \ldots, y_{n^k}$ will lend no noticeable advantage to predicting the value of any function of $x_1, x_2, \ldots, x_{n^k}$.

7. A THEORY FOR CRYPTOGRAPHY

In [23] Shannon developed a mathematical theory for cryptography based on information theory. With the tools we have developed, we are ready to give an alternative foundation based on computational complexity theory.

For lack of space, we will give in this abstract only one elementary illustration. Consider a conventional cryptographic system where two users A and B share a secret key $K$ from a large key space $\mathcal{K}$. Let $E(K, M)$ be the encryption algorithm and $D(K, M)$ the decryption algorithm, i.e., $D(K, E(K, M)) = M$. Let $p$ and $q$ be the probability distributions for message $M$ and key $K$, respectively. Suppose an eavesdropper taps the line and obtains a ciphertext $J = E(K, M)$. How much can he find out about the plaintext $M$?

Shannon discussed this situation in [23]. Consider $K$, $M$, $J$ as random variables. Then $I(M, J) = H(M) - H(M|J)$ will be the amount of information about $M$ which the eavesdropper obtains. An unconditionally secure system is one in which $H(M) = H(M|J)$. It was pointed out that unconditional security cannot be achieved if $H(K) < H(M)$. Thus, if we have 200-bit long keys and $10^8$-bit messages, then most likely we cannot have an unconditionally secure system. However, Shannon pointed out that the computational complexity aspect should be taken into account. Let us see how we can approach this problem.

As our theory deals with asymptotic behavior, it only applies to cryptographic systems that can be scaled up or down easily. For definiteness, assume that for each $n$, the system has $n$-bit keys $K_n$, $n^4$-bit messages $M_n$ and a pair of encryption-decryption functions $E_n(K_n, M_n)$, $D_n(K_n, J_n)$. The key $K_n$ and the message $M_n$ are distributed according to some probability distributions $p_n$ and $q_n$. Let us consider the probability space $\Omega_n$ defined as follows: The sample space is the set of all possible values of $(K_n, M_n, E_n(K_n, M_n))$, and $p_n(K_n = k) \cdot q_n(M_n = m)$ is the probability assigned to the point $(k, m, E_n(k, m))$. Let $\Omega = (\Omega_n)$, then $K$, $M$ and $J = E(K, M)$ become random variables on the source ensemble $\Omega$. We define the computational security of the system by the requirement that $H_c(M) \approx H_c(M|J)$, or $I_c(M_n|J_n) = O(\nu(n))$. That is, a system is said to be computationally secure if the random variables $M$ and $J$ are computationally independent. By the discussions at the end of last section, an eavesdropper on a secure system cannot learn anything about $M$ from the ciphertext when $n$ is large.

Part 2: Trapdoor Functions and Applications

1. INTRODUCTION

The concept of one-way functions and trapdoor functions has been suggested by Diffie and Hellman [7] as the foundation for a new type of cryptography. Since then many implementations and applications have been found. However, the question "what is a trapdoor function?" has so far not been answered satisfactorily.

The purpose of Part 2 is to propose precise definitions for one-way and trapdoor functions, based on the computational information theory developed in Part 1, and to present improved results and new applications. Concretely, we will show that any trapdoor function can be used to produce a secure encryption scheme as defined in Part 1, and perhaps more surprisingly, can be used to generate "perfect" pseudorandom numbers that will pass any feasible statistical tests. We also give a new function that is a trapdoor function, assuming factorization of large integers is computationally infeasible. Finally an interesting implication of the existence of one-way functions on abstract complexity theory will be presented.
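Shannon's information accounting from Section 7 above, worked on two constructed one-bit-key systems as an added example (not code from the paper): $I(M, J) = H(M) - H(M|J)$ vanishes for the one-time pad, while a key reused across two message bits leaks exactly $H(M) - H(K)$ bits, the gap the text says rules out unconditional security when $H(K) < H(M)$.

```python
from collections import defaultdict
from itertools import product
from math import log2


def entropy(dist):
    """Shannon entropy H of a distribution given as {value: probability}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def mutual_information(E, key_dist, msg_dist):
    """I(M, J) = H(M) - H(M|J) for J = E(K, M), with K and M independent."""
    joint = defaultdict(float)  # Pr{M = m, J = j}
    for (k, pk), (m, pm) in product(key_dist.items(), msg_dist.items()):
        joint[(m, E(k, m))] += pk * pm
    pj = defaultdict(float)     # Pr{J = j}
    for (m, j), p in joint.items():
        pj[j] += p
    h_m_given_j = -sum(p * log2(p / pj[j]) for (m, j), p in joint.items())
    return entropy(msg_dist) - h_m_given_j


def shannon_leakage_bound(key_dist, msg_dist):
    """Whatever the cipher, the eavesdropper learns at least H(M) - H(K) bits."""
    return max(0.0, entropy(msg_dist) - entropy(key_dist))


def uniform(values):
    return {v: 1 / len(values) for v in values}


# Constructed toy systems: one key bit, XORed onto one or two message bits.
def one_time_pad(k, m):
    return k ^ m


def reused_key(k, m):
    return ((m >> 1) ^ k, (m & 1) ^ k)   # the same key bit masks both message bits
```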
2. BACKGROUND

2.1 ENCRYPTION

Diffie and Hellman [7] invented the concept of public key encryption for sending secret messages. In this scheme, every user A puts a public key $K_A$ to an encryption function $E_{K_A}$ on the public file, and keeps a private key $K'_A$ to a decryption function $D_{K'_A}$ as private information. The pair $(K_A, K'_A)$ has the property that $D_{K'_A}(E_{K_A}(x)) = x$ for any $x$ in the domain of $E_{K_A}$. Anyone wishing to send a message $x$ to A can encrypt it as $E_{K_A}(x)$, and A then recovers $x$ by applying $D_{K'_A}$ to $E_{K_A}(x)$. For the scheme to work properly, the following properties should be satisfied:
(a) Given $K_A$ and $x$, the value of $E_{K_A}(x)$ should be easy to compute; given $K'_A$ and $y$, the value of $D_{K'_A}(y)$ should be easy to compute;
(b) Given $E_{K_A}(x)$, it is computationally difficult to find $x$;
(c) A random pair $(K_A, K'_A)$ should be easy to generate.
Since these functions $E_{K_A}(x)$ are easy to compute but hard to invert, they are called trapdoor functions.

A concrete implementation was suggested by Rivest, Shamir and Adleman (the RSA scheme [20]). In their scheme, user A generates two random primes $p$ and $q$, and an integer $s$ such that $\gcd(s, \phi(N)) = 1$, where $N = p \cdot q$ and $\phi(n)$ is the Euler totient function. Let $N$ be the public key $K_A$, and $r = s^{-1} \bmod \phi(N)$ be the private key $K'_A$. The function $E_{K_A}(x) = x^s \bmod N$ serves as the encryption function, while $D_{K'_A}(x) = x^r \bmod N$ serves as the decryption function.

A variation of the RSA scheme was suggested by Rabin [19]. Instead of using $x^s \bmod N$, he defines $E_{K_A}(x) = x^2 \bmod N$, and decryption is easy for user A who knows the factorization of $N$. An interesting fact is that a successful inversion of $E_{K_A}(x)$ for any $\epsilon$ fraction of the $x$'s will enable one to factor $N$ in random polynomial time.

Two potential problems with the above schemes were raised in Goldwasser and Micali [10]:

User A generates a random $n$-bit composite integer $N = p \cdot q$ of two primes and puts $N$ together with a non-residue $y \in A_N$ in the public file. Suppose B wants to send a bit $b$ to A. Then B will randomly generate an $x \in A_N$ and send $x^2 \bmod N$ if $b = 0$, and $yx^2 \bmod N$ if $b = 1$. Thus, A can decide if $b = 0$ or $1$ by finding out whether the number received is a quadratic residue or not. An eavesdropper not knowing the factorization of $N$ will have difficulty deciding what $b$ is.

Schemes like this produce stochastically a ciphertext for a given message, and are called probabilistic encryptions [10].

Goldwasser and Micali [10] showed that under Assumption GM below, for any fixed $0 < \epsilon < 1$, an adversary will not be able to guess correctly the value of $b$ with probability $1/2 + \epsilon$ or more.

Definition 19. Let $C_{n,\epsilon}$ be the minimum size of any circuit that decides correctly quadratic residuosity mod $N$ for a fraction $\epsilon$ of all $n$-bit integers $N$ with two prime factors.

Assumption GM: $C_{n,\epsilon} > Q(n)$ asymptotically for any fixed polynomial $Q$ and any fixed $0 < \epsilon < 1$.

2.2 PSEUDORANDOM NUMBER GENERATION

The use of pseudorandom number generators as an approximate one-time pad is a common mode of secret communication. Shamir [21] considered the following problem. Suppose two persons A and B share a common secret seed $s$, and use a common pseudorandom number generator. For A to send blocks of plaintext $y_1, y_2, \ldots$ to B, A can use $s$ to generate a sequence of pseudorandom numbers $x_1, x_2, \ldots$, and send ciphertext $x_1 \oplus y_1, x_2 \oplus y_2, \ldots$ to B. These can be decoded easily by B since B can generate the sequence $x_1, x_2, \ldots$. Now imagine the situation when an adversary has some side information on the plaintext which enables him to find out a few initial values of $x_1, x_2, \ldots$. Based on these values, the adversary may be able to generate the rest of the $x$-sequence, and thus break the ciphertext. Shamir asked the question: Can one design a pseudorandom number
input to the circuit. Then $G_{n,i,\epsilon} > Q(n)$ asymptotically for any fixed polynomial $Q$.

To describe the assumption needed, let $p$ be a prime and $g$ a generator of the cyclic multiplicative group $A_p = \{1, 2, \ldots, p-1\}$. For $y \in A_p$, let $f(p, g, y)$ be the value $x \in A_p$ such that $g^x \bmod p = y$. A boolean circuit with three $n$-bit inputs $a$, $b$ and $c$ is said to solve the discrete logarithm problem for $p$ if, for all $g$ and $y$ its output is equal to $f(p, g, y)$ when $a = p$, $b = g$ and $c = y$. Let $l_{n,\epsilon}$ be the minimum size of any circuit that solves the discrete logarithm problem for $\epsilon$ fraction of all $n$-bit prime numbers $p$.

Assumption BM: $l_{n,\epsilon} > Q(n)$ asymptotically for any fixed polynomial $Q$ and any fixed $0 < \epsilon < 1$.

2.3 DISCUSSIONS

In the context of the preceding review, there are several questions that seem to merit further consideration.

(a) The probabilistic encryption scheme in [10] and the pseudorandom sequence generation in [5] both utilize special properties of the one-way functions employed. Are there general procedures that can utilize any trapdoor functions for the purpose of encryption and generating pseudorandom numbers?

(b) The pseudorandom number sequence in [5] is bitwise unbiased for any fixed $\epsilon > 0$, and thus solves the question posed by Shamir. However, a cryptanalyst may adopt a different procedure to analyze the pseudorandom number generator. For example, he may work backwards, examining the last few bits in an attempt to reconstruct the preceding bits. (Indeed, it is still open whether the sequence generated by the scheme in [5] enjoys the same unbiased property if read in reverse.) Can one construct a pseudorandom sequence that can withstand any attempt by the cryptanalyst to break the pseudorandom sequence? In a broader context, can one construct pseudorandom sequences that can be used for applications other than cryptography?

(c) Can one weaken the assumptions in Assumption BM and Assumption GM such that, instead of requiring that no algorithm can solve $\epsilon$ fraction of the instances for any fixed $\epsilon$, we require only that no algorithm can solve say, $1/2$ of the instances?

We will give positive answers to all the above questions in the next two sections.

In this section we formalize the notion of one-way functions, and show how they can be used to construct perfect pseudorandom number generators and to implement secure conventional cryptosystems.

It is helpful to think of a one-way function $f$ as a 1-1 function used in a puzzle $Z$. In each game, $Z$ picks a random $n$-bit number $x$ according to some distribution $p_n(x)$, and shows us the value of $f(x)$. We are challenged to find $x$, with a button to ask for help. The function $f$ will be one-way if we end up asking for help a fraction of the time.

Definition 20. Let $P = (p_n)$ be a sequence of probability distributions on $\Sigma^+$, where the support of $p_n$ (i.e., the set $\{x \mid p_n(x) \ne 0\}$) consists of only strings of length $l(n)$. We will call $P$ a polynomial-time distribution ensemble if there exists a probabilistic algorithm $M$ which, given input $n$, will halt in time polynomial in $n$, and output an $x$ with a probability distribution $h(x)$ satisfying $\|h - p_n\| = O(\nu(n))$.

Notation. $\|h - p_n\| = \sum_x |h(x) - p_n(x)|$.

Definition 21. Let $f$ be a 1-1 function from $V$ to $\Sigma^*$, where $V \subseteq \Sigma^*$. Let $P = (p_n)$ be a polynomial-time distribution ensemble such that the support of every $p_n$ is a subset of $V$. Define the correlation ensemble of $f$ under $P$ to be the source ensemble $\Omega_{f,P} = (\Omega_n)$, where source $\Omega_n = (T, q_n)$ has sample space $T = \{(x, f(x)) \mid x \in V\}$, and distribution $q_n(\tau) = p_n(x)$ for $\tau = (x, f(x))$. Let $X^{f,P} = (X_n)$ and $Y^{f,P} = (Y_n)$ be two random variables on $\Omega_{f,P}$ defined by $X_n(\tau) = x$ and $Y_n(\tau) = f(x)$ for $\tau = (x, f(x)) \in \Omega_n$.

Definition 22. A 1-1 function $f$ is said to be one-way if there exists a polynomial-time distribution ensemble $P$ such that $H_c(X^{f,P} \mid Y^{f,P}) = O(1/n^t)$ for some fixed $t$.

The gist of the definition is that, some $n^{-t}$ bits of information are needed in order to recover $x$ from $f(x)$ under the distribution $p_n$. The next theorem gives an alternative description directly in terms of complexity.

Definition 23. Let $f$ and $P$ be as in Definition 21. Define $P^f = (p^f_n)$, where $p^f_n(y) = p_n(f^{-1}(y))$.

Theorem 7. A 1-1 function $f$ is one-way if and only if there exists a polynomial-time distribution ensemble $P$ such that the following is true: For any probabilistic algorithm which, on input $n$ and $y$, with $y$ distributed according to $p^f_n(y)$, halts in time polynomial in $n$ and outputs $x$, the probability of $x \ne f^{-1}(y)$ is $O(1/n^t)$ for some $t$.

One-way functions become more interesting when they possess some additional properties. For example, if a one-way function has a certain invariance property, then it can be used to construct a perfect pseudorandom number generator, and hence a secure conventional cryptosystem; if it possesses a key plus an inverse key, then it becomes a trapdoor function and can be used to build a probabilistic public-key cryptosystem.

Definition 24. If in Definition 22, we also have $P^f = P$, then we call $f$ a stable one-way function.

Theorem 8. Any stable one-way function $f$ can be used to construct a perfect pseudorandom number generator $G_f$.

Remark. The construction is explicit in the sense that, if the descriptions of all the relevant probabilistic algorithms for $f$ and $P$ are given, then the description of $G_f$ is immediate.
Corollary to Theorem 8. Any stable one-way function $f$ can be used to construct a computationally secure cryptosystem. (See § 7 of Part 1.)

Remark. A seed for the pseudorandom number generator is used as the common private key. This is the computationally-secure realization of the one-time pad.

ONE-WAY FUNCTIONS WITH KEYS

We will use the discrete logarithm problem as an example to illustrate our result.

Example 3. Discrete Logarithm Function

Let $G_n = \{(p, g, m) \mid p$ is an $n$-bit prime, $g$ a generator of $A_p$, and $m \in A_p\}$. Define $V = \bigcup_n G_n$, and $f: V \mapsto V$ by $f(x) = (p, g, g^m \bmod p)$ if $x = (p, g, m)$.

We regard $(p, g)$, the part of $x$ that remains unchanged under $f$, as the key. It is useful to consider those distributions $P$ that generate $x$ in two steps: first the key $(p, g)$, and then the remaining part $m$. One such $P$ is given by $(p_n)$ defined below. Let
$$p'_n(K) = \frac{1}{(\text{no. of } n\text{-bit primes}) \cdot (\text{no. of generators in } A_p)}$$
if $K = (p, g)$ is a possible key, and $p'_n(K) = 0$ otherwise. Let $p''_{n,K}(m) = 1/(p-1)$ if $m \in A_p$, and $0$ otherwise. Finally, define $p_n(x) = p'_n(K) \cdot p''_{n,K}(m)$ for $x = (K, m)$.

Notation. We will extend Definition 20 and say that the sequence $(p''_{n,K}(m))$ is a polynomial-time distribution ensemble if $p''_{n,K}(m) \ne 0$ implies $|m| = l(n)$, and if there exists a probabilistic algorithm which, given $n$ and $K$, halts in polynomial time in $n$ and outputs a string $z$ whose probability distribution $h(z)$ satisfies $\|h - p''_{n,K}\| = O(\nu(n))$.

Definition 25. A one-way function $f$ is said to have a key if the domain $V$ of $f$ has the form $V \subseteq \Sigma_1^* \times \Sigma_2^*$ and there exists a polynomial-time distribution ensemble $P = (p_n)$ with the following properties:
(a) $P$ makes $f$ a one-way function as in Definition 22,
(b) $p_n(x) = p'_n(K) \cdot p''_{n,K}(z)$ if $x = (K, z)$, where $(p'_n)$ and $(p''_{n,K})$ are polynomial-time distribution ensembles,
(c) $f(x)$ can be written in the form $(K, f_K(z))$ for $x = (K, z)$.

4. TRAPDOOR FUNCTIONS AND ENCRYPTION

A trapdoor function is basically a one-way function with a key $K$ such that an inverse key $K'$ can be easily created at the same time, but $K'$ cannot be inferred from $K$. We will not give the formal definition in this abstract.

A probabilistic public-key cryptosystem (PPKC) is a cryptosystem in which user A has an $n$-bit key $K$ in the public file, while keeping a key $K'$ as private information. To send a bit $b \in \{0, 1\}$, B will use $b$ and $K$ to compute probabilistically a string $x$ and send it to A. The keys are generated in such a way that, with the knowledge of $K'$, A can uniquely recover $b$.

Let us call a PPKC secure if, for $b$ with bias $p \ge 1/2$, an adversary cannot guess from $K$ and $x$ in polynomial time the value of $b$ correctly with probability more than $p + O(\nu(n))$.

Theorem 9. Any trapdoor function can be used to construct a secure PPKC.

Factoring large composite numbers is a problem which has a long history of resisting efficient solutions. It would therefore be a most appropriate basis for constructing PPKC or pseudorandom number generators. Below we present a new trapdoor function, which is also a stable one-way function, assuming factoring is hard in the proper sense to be described below. Let $T_n$ be the set of all integers $N = p \cdot q$, where $p$ and $q$ are $n$-bit primes with $p \equiv q \equiv 3 \pmod 4$.

The Intractability Assumption of Factoring:
For any polynomial-time probabilistic algorithm $M$ that tries to factor integers, there exists an $n_0$ such that $M$ will fail to factor at least $1/n^{10}$ of the members of $T_n$ for all $n \ge n_0$.

Remark. One can replace $1/n^{10}$ by any $1/n^t$ with any predetermined $t$.

A FACTORING TRAPDOOR

We generate a pair of keys $(K, K')$ by generating two random $n$-bit primes $p$, $q$ with $p \equiv q \equiv 3 \pmod 4$, and setting $K = N$ ($= p \cdot q$) and $K' = \{p, q\}$. The trapdoor function $f$ is defined by $f(N, z) = z^2 \bmod N$ if $z$ is even, and $f(N, z) = -z^2 \bmod N$ if $z$ is odd, for $z \in A_N$.

It is of interest that the factoring trapdoor function defined above also leads to a simple pseudorandom number generator. It is possible to prove that this generator is perfect if the quadratic residuosity

A QUADRATIC-RESIDUE PSEUDORANDOM NUMBER GENERATOR

Let $n > 0$ and $k > 0$. We will describe how to generate a sequence $\beta$ of $n^k$ bits using $O(n(\log n)^2)$ true random bits.

We first describe a procedure that generates a quasi-random sequence $\alpha$ as follows: Pick a random $N$ from $T_n$, and a random $m$ with $1 \le m \le N-1$, then compute the following sequence of numbers $z_1, z_2, \ldots, z_{n^k}$ by $z_1 = m$, $z_{i+1} = f(N, z_i)$. Let $\alpha = \alpha_1 \alpha_2 \cdots \alpha_{n^k}$ where $\alpha_i$ is just the parity of $z_i$.

To obtain $\beta$, we repeat the above procedure to obtain $t = (\log n)^2$ quasi-random strings $\alpha^{(1)}, \alpha^{(2)}, \ldots, \alpha^{(t)}$. Now let $\beta = \alpha^{(1)} \oplus \alpha^{(2)} \oplus \cdots \oplus \alpha^{(t)}$ where $\oplus$ denotes bitwise XOR. For fixed $k$ and large $n$, the pseudorandom sequence $\beta$ so generated will be indistinguishable from a true random sequence assuming that quadratic residuosity is hard.
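An added example (not code from the paper) covering the factoring trapdoor $f(N, z)$ and the quadratic-residue generator of this section together with the Goldwasser-Micali bit encryption reviewed in Section 2.1. It assumes the domain of $f$ is restricted to $z$ with Jacobi symbol $+1$ (on which the block checks by brute force that $f$ is a permutation, so the key owner's inversion is unique), and it draws $N$ from a constructed list of toy Blum moduli such as $7 \cdot 11$ rather than from $T_n$.

```python
import math
import random

# Constructed toy pairs p == q == 3 (mod 4); N = p*q stands in for a member of T_n.
TOY_BLUM_PRIMES = [(7, 11), (19, 23), (31, 43)]


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by the standard reciprocity algorithm."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def f(N, z):
    """The factoring trapdoor: z^2 mod N if z is even, -z^2 mod N if z is odd."""
    return pow(z, 2, N) if z % 2 == 0 else (-pow(z, 2, N)) % N


def is_qr(a, p, q):
    """Quadratic residuosity mod N = p*q by Euler's criterion; needs the secret factors."""
    return pow(a % p, (p - 1) // 2, p) == 1 and pow(a % q, (q - 1) // 2, q) == 1


def square_roots(a, p, q):
    """All four square roots of a residue a mod N = p*q (p, q == 3 mod 4), via CRT."""
    N = p * q
    rp, rq = pow(a % p, (p + 1) // 4, p), pow(a % q, (q + 1) // 4, q)
    return {(sp * q * pow(q, -1, p) + sq * p * pow(p, -1, q)) % N
            for sp in (rp, p - rp) for sq in (rq, q - rq)}


def invert_f(p, q, y):
    """Trapdoor inversion of f on D = {z : gcd(z, N) = 1, jacobi(z, N) = +1} (assumption).
    For a Blum integer exactly one of y, -y is a residue; the preimage is the even root
    of y, or the odd root of -y, whose Jacobi symbol is +1 (unique on D, see check below)."""
    N = p * q
    for candidate, want_even in ((y, True), ((-y) % N, False)):
        if is_qr(candidate, p, q):
            for r in square_roots(candidate, p, q):
                if (r % 2 == 0) == want_even and jacobi(r, N) == 1:
                    return r
    raise ValueError("y is not in the image f(D)")


def check_permutation(p, q):
    """Brute force for a toy N: f is 1-1 on D and invert_f undoes it at every point."""
    N = p * q
    D = [z for z in range(1, N) if math.gcd(z, N) == 1 and jacobi(z, N) == 1]
    return len({f(N, z) for z in D}) == len(D) and all(invert_f(p, q, f(N, z)) == z for z in D)


def quasi_random_bits(N, m, length):
    """alpha: the parity bits of z_1 = m, z_{i+1} = f(N, z_i)."""
    bits, z = [], m
    for _ in range(length):
        bits.append(z & 1)
        z = f(N, z)
    return bits


def yao_generator(n, k, seed):
    """beta = XOR of t = (log n)^2 quasi-random strings of n^k bits, each from a fresh
    random (N, m); N is taken from the constructed toy list instead of T_n."""
    rng = random.Random(seed)
    t, length = max(1, round(math.log2(n) ** 2)), n ** k
    beta = [0] * length
    for _ in range(t):
        p, q = rng.choice(TOY_BLUM_PRIMES)
        m = rng.randrange(1, p * q)
        beta = [b ^ a for b, a in zip(beta, quasi_random_bits(p * q, m, length))]
    return beta


def gm_encrypt_bit(N, y, b, seed):
    """Goldwasser-Micali: x^2 mod N encodes b = 0, y*x^2 mod N encodes b = 1, where y is
    the public non-residue; fresh randomness x makes the ciphertext probabilistic."""
    rng = random.Random(seed)
    x = rng.randrange(1, N)
    while math.gcd(x, N) != 1:
        x = rng.randrange(1, N)
    return pow(x, 2, N) if b == 0 else (y * pow(x, 2, N)) % N


def gm_decrypt_bit(p, q, c):
    """The key owner recovers b by deciding residuosity with the secret factors."""
    return 0 if is_qr(c, p, q) else 1
```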
5. WHAT MAKES THE TRAPDOOR WORK?

It is of interest to give an in-depth view of the results in the previous two sections. As we will see, these results can be deduced naturally, if one keeps track of the computational information contained in the various strings and considers how the information can be manipulated. In this abstract, we will give such an analysis to the encryption by using a trapdoor function.

For definiteness, consider a one-way function $f$ that maps $n$-bit strings to $n$-bit strings for each $n$, and let $(p_n)$ be the distribution ensemble that makes $f$ one-way. For a given $n$, $f$ can be viewed as a channel with large alphabets, in fact with $2^n$ input symbols and $2^n$ output symbols. Thus, $f$ is a non-classical channel, and we have to consider accessible information instead of the Shannon information.

Let $(X_n, Y_n)$ denote the pair of random variables corresponding to $(x, f(x))$ where $x$ is distributed according to $p_n$. Let us dramatize the situation by assuming that party A is on the input side of the channel $f$ sending string $x$ with probability $p_n(x)$ across the channel to party B, who receives the string $f(x)$. Clearly, the Shannon conditional entropies $H(Y_n|X_n)$ and $H(X_n|Y_n)$ are both 0, and classically $f$ is a noiseless channel. However, when we consider accessible information, we find that $H_c(Y_n|X_n)$ is still 0, but $H_c(X_n|Y_n)$ is $\Omega(1/n^t)$. That is, A has no uncertainty about what B receives, but B has at least some uncertainty about what A has sent, admittedly the uncertainty may be as small as $1/n^t$ bit. Thus, from B's standpoint, he is on the receiving end of a noisy channel with a noise at least $1/n^t$, a non-negligible quantity in polynomial-time calculations.

Let us now visualize the above picture in a slightly different way. Assume that $f$ is in fact a trapdoor function, and a third party G is the owner of the secret key, while A is really transmitting $x$ to G as $f(x)$. It is a clear channel to G, since he has the secret key to decode $f(x)$. The role of B now is an eavesdropper, who, without the secret key, is trying to wiretap the line with low-grade equipment. But this situation has an exact analogue in the classical information theory, known as the Wyner wiretap channel [25]. Wyner showed that even when the noise in B's channel is small, A can magnify the noise by properly encoding his messages. For example, suppose B has a binary symmetric channel with crossover probability $10^{-4}$, and A encodes a bit $b$ as a random $10^6$-bit string $\alpha$ such that $\alpha$ has an even number of 1's if and only if $b = 0$. Then, of the transmitted bits, B can guess the value of each individual bit with high confidence, yet B knows that he is going to be wrong in the values of about 100 bits. It becomes difficult to estimate whether he has missed an even number of bits or an odd number. Indeed it was shown that schemes of this kind will completely baffle B about the true value of $b$.

In our case, the noise is somewhat like $n^{-t}$, and the approximate estimate on the length of $\alpha$ is about $n^t$, which is large but can be accomplished in polynomial time.

It is also of interest to follow in detail the information accounting in pseudorandom number generations; we will leave that to the full paper.

6. A THEOREM IN ABSTRACT COMPLEXITY THEORY

Let $R$ be the class of decision problems solvable in random polynomial time, as defined in Adleman [1]. The relationship between $R$ and the deterministic complexity hierarchy has been a subject of considerable interest (Adleman [1], Aleliunas, et al. [3], Bennett and Gill [4], Gill [9]). Two of the well-known results are that, any decision problem in $R$ can be computed by a polynomial-size boolean circuit [1], and that the obvious relation $R \subseteq \bigcup_{\epsilon > 0} \mathrm{DTIME}(2^{n^\epsilon})$ holds, where $\mathrm{DTIME}(g(n))$ is the class of problems solvable in deterministic time $g(n)$. In this section, we will prove a stronger form of the latter relation under the assumption that one-way functions exist. (The definition of one-way functions in this section will be somewhat different from that of the previous sections.)

Let $f$ be a 1-1, onto function defined on a subset of $\{0, 1\}^*$. Suppose $P = (p_n)$ is a polynomial-time distribution ensemble invariant under $f$. A boolean circuit $C$ is said to invert $f$ under $p_n$ if $\sum_{y \in T} p_n(y) > 1/2$, where $T$ is the set of input strings $y$ for which $C$ gives the output $f^{-1}(y)$. Let $B_n(f, P)$ be the size of the smallest circuit that inverts $f$ under $p_n$.

Definition 26. $f$ is said to be a strong one-way function if there exists a $P$ such that $B_n(f, P) > Q(n)$ asymptotically for any polynomial $Q$.

The main theorem of this section is the following.

Theorem 10. If there exists any strong one-way function, then
$$R \subseteq \bigcap_{\epsilon > 0} \mathrm{DTIME}(2^{n^\epsilon}).$$

This formula means that, for any decision problem in $R$ and any $\epsilon > 0$, there is a deterministic Turing machine solving it in time $O(2^{n^\epsilon})$. It is of interest to note that this is a case where a lower bound on non-uniform complexity has consequences on the upper bound of uniform complexity (cf. Karp and Lipton [], Pippenger [17], Pippenger and Fischer [18]).

The hypothesis of Theorem 10 will be satisfied if either the factoring of integers is hard or the discrete logarithm problem is hard in the appropriate sense. Let $F(n)$ be the minimum size of any boolean circuit that can factor $4/5$ of the $2n$-bit composite numbers $N$ with two $n$-bit prime factors.

The Strong Intractability Assumption of Factoring: $F(n) > Q(n)$ asymptotically for any fixed polynomial $Q$.
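The Wyner wiretap illustration from Section 5 above, as an added example (not code from the paper): A encodes $b$ as a random string of the stated parity, B's tap is a binary symmetric channel, and the function `eavesdropper_advantage` gives B's exact edge over a coin flip, which for the paper's parameters (crossover $10^{-4}$, $10^6$ bits) is astronomically small. Seeds and trial counts are constructed inputs.

```python
import random


def encode_parity(b, length, seed):
    """A's encoding: a random length-bit string with an even number of 1's iff b == 0."""
    rng = random.Random(seed)
    bits = [rng.randrange(2) for _ in range(length - 1)]
    bits.append((sum(bits) + b) % 2)  # set the last bit so the overall parity equals b
    return bits


def binary_symmetric_channel(bits, crossover, seed):
    """B's tap: every bit is flipped independently with probability crossover."""
    rng = random.Random(seed)
    return [bit ^ int(rng.random() < crossover) for bit in bits]


def decode_parity(bits):
    """B's best guess of b is the parity of what he received."""
    return sum(bits) % 2


def eavesdropper_advantage(length, crossover):
    """Pr[B's guess is right] - 1/2.  The guess is right iff an even number of bits
    flipped; for a Binomial(length, crossover) count Pr[even] = (1 + (1-2c)^length)/2,
    so the advantage is (1 - 2*crossover)^length / 2, decaying exponentially in length."""
    return (1 - 2 * crossover) ** length / 2


def simulate(trials, length, crossover, seed):
    """Empirical fraction of trials in which B's parity guess equals A's bit."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        b = rng.randrange(2)
        sent = encode_parity(b, length, rng.random())
        received = binary_symmetric_channel(sent, crossover, rng.random())
        correct += decode_parity(received) == b
    return correct / trials
```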
Corollary to Theorem 10. Under the strong intractability assumption of factoring,
$$R \subseteq \bigcap_{\epsilon > 0} \mathrm{DTIME}(2^{n^\epsilon}).$$

It is clear that Theorem 10 is also true if the discrete logarithm problem is hard in the sense of Assumption BM. However, a much weaker assumption suffices in this case. We will state that result below as Theorem 11.

Definition 27. Let $p$ be an $n$-bit prime number, and let $g$ be any generator of $A_p$. The discrete logarithm problem $D_{p,g}$ is: Given input $y \in A_p$, find $x$ such that $g^x \bmod p = y$.

Let $l(D_{p,g})$ be the minimum boolean circuit size for solving $D_{p,g}$. Define $L(n)$ to be $\max\{l(D_{p,g}) \mid \log_2(p + 1) \le n\}$. We make the following assumption:

The Intractability Assumption of Discrete Logarithm: $L(n) > Q(n)$ asymptotically for any fixed polynomial $Q$.

Note that this assumption is weaker than Assumption BM. In fact, it is not concerned with average-case complexity, unlike the rest of this paper.

Theorem 11. Under the intractability assumption of discrete logarithm, we have
$$R \subseteq \bigcap_{\epsilon > 0} \mathrm{DTIME}(2^{n^\epsilon}).$$

The discrete logarithm problem is a classical number-theoretic problem, for which no efficient algorithm is known. The intractability assumption of this problem, in one form or another, has been the basis of several cryptographic protocols (Diffie and Hellman [7], Blum and Micali [5]). So far the best algorithm known [2] runs in time roughly $2^{\sqrt{n}}$. If the discrete logarithm problem has in fact a complexity much higher than polynomial, then we can obtain results stronger than Theorem 2. For example, one has:

Theorem 12. If $L(n) > 2^{n^\epsilon}$ for some fixed $\epsilon > 0$ and for all $n$, then $R \subseteq \mathrm{DTIME}(2^{(\log n)^c})$ for some constant $c > 0$.

REFERENCES

[1] L. Adleman, "Two theorems on random polynomial time," Proc. 19th IEEE Symp. on Foundations of Computer Science, Ann Arbor, Michigan, Oct 1978, 75-83.
[2] L. Adleman, "A subexponential algorithm for the discrete logarithm problem with applications to cryptography," Proc. 20th IEEE Symp. on Foundations of Computer Science, Puerto Rico, Oct 1979, 55-60.
[3] R. Aleliunas, R. M. Karp, R. J. Lipton, L. Lovász, C. Rackoff, "Random walks, universal sequences, and the complexity of maze problems," Proc. 20th IEEE Symp. on Foundations of Computer Science, Puerto Rico, Oct 1979, 218-223.
[4] C. H. Bennett and J. Gill, "Relative to a random oracle, P^A = NP^A = co-NP^A with probability 1," SIAM J. on Computing 10 (1981), 96-113.
[5] M. Blum and S. Micali, "How to generate cryptographically strong sequences of pseudo random bits," this proceedings.
[6] G. Chaitin, "A theory of program size formally identical to information theory," Journal of ACM 22 (1975), 329-340.
[7] W. Diffie and M. E. Hellman, "New directions in cryptography," IEEE Trans. on Inform. Theory IT-22, 6 (1976), 644-654.
[8] R. Gallager, Information Theory and Reliable Communication, Wiley, New York, 1968.
[9] J. Gill, "Computational complexity of probabilistic Turing machines," SIAM J. on Computing 6 (1977), 675-695.
[10] S. Goldwasser and S. Micali, "Probabilistic encryption and how to play mental poker keeping secret all partial information," Proc. 14th ACM Symp. on Theory of Computing, San Francisco, May 1982.
[11] J. E. Hopcroft and J. D. Ullman, Introduction to Automata Theory, Languages, and Computation, Addison-Wesley, Reading, Mass., 1979.
[12] R. M. Karp and R. J. Lipton, "Some connections between nonuniform and uniform complexity classes," Proc. 12th ACM Symp. on Theory of Computing, Los Angeles, April 1980, 302-309.
[13] D. E. Knuth, The Art of Computer Programming, Vol. 2, Addison-Wesley, Reading, Mass., second edition, 1981.
[14] A. N. Kolmogorov, "Three approaches to the concept of the amount of information," Probl. Pered. Inf. (Probl. of Inf. Transm.) 1/1 (1965).
[15] P. Martin-Löf, "The definition of random sequences," Information and Control 9 (1966), 602-619.
[16] A. R. Meyer and E. M. McCreight, "Computationally complex and pseudorandom zero-one valued functions," in Theory of Machines and Computations, Z. Kohavi and A. Paz, eds., Academic Press, New York, 1971, 19-42.
[17] N. Pippenger, "On simultaneous resource bounds," Proc. 20th IEEE Symp. on Foundations of Computer Science, Puerto Rico, Oct 1979, 307-311.
[18] N. Pippenger and M. J. Fischer, "Relations among complexity measures," Journal of ACM 26 (1979), 361-381.
[19] M. O. Rabin, "Digitalized signatures and public-key functions as intractable as factorization," MIT/LCS/TR-212, 1979.
[20] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Communications of ACM 21 (1978), 120-126.
[21] A. Shamir, presented at Crypto-81, Santa Barbara, 1981.
[22] C. E. Shannon, "A mathematical theory of communication," Bell System Technical Journal 27 (1948), Part I, 479-523, Part II, 623-656.
[23] C. E. Shannon, "Communication theory of secrecy systems," Bell System Technical Journal 28 (1949), 656-715.
[24] L. Valiant, "The complexity of computing the permanent," Theoretical Computer Science 8 (1979), 189-201.
[25] A. D. Wyner, "The wire-tap channel," Bell System Technical Journal 54 (1975), 1355-1387.
[26] J. Ziv, IEEE Transaction on Information (1965).
[27] A. K. Zvonkin and L. A. Levin, "The complexity of finite objects and the algorithmic concepts of information and randomness," Uspekhi Mat. Nauk (Russian Math. Surveys) 25/6 (1970), 83-124.