One-Way Functions and Pseudorandom Generators
Anchor (Master): Arora and Barak 2009 Computational Complexity: A Modern Approach (Cambridge) Ch. 9; Håstad, Impagliazzo, Levin and Luby 1999 A Pseudorandom Generator from any One-Way Function (SIAM J. Comput.) (HILL construction: OWF implies PRG)
Intuition Beginner
Imagine a padlock. Anyone can snap it shut in a second. But opening it without the key takes much longer. A one-way function is the mathematical equivalent: a function that is easy to compute but hard to reverse.
Multiply two large prime numbers: . This is fast. But given 3233, finding that is the factorisation takes much longer (for numbers with hundreds of digits, no known algorithm can do it efficiently). This asymmetry is the engine of modern cryptography.
A pseudorandom generator (PRG) stretches a small amount of true randomness into a large amount of randomness that looks random to any efficient algorithm. It takes a short seed of truly random bits and outputs a longer string that no polynomial-time test can distinguish from truly random bits. The existence of PRGs is equivalent to the existence of one-way functions: if you have a one-way function, you can build a PRG, and vice versa.
The deep insight is that computational hardness and pseudorandomness are the same thing in disguise. A function that is hard to invert gives you a source of bits that no efficient algorithm can predict. This is the foundation upon which all of cryptography is built: encryption, digital signatures, zero-knowledge proofs—all reduce to the existence of one-way functions.
Visual Beginner
One-way function:
x (easy to compute) -> f(x)
x = "password123" f(x) = 0x7a2b9c...
f(x) (hard to invert) -/-> x
Given 0x7a2b9c..., finding "password123" takes exponential time
Pseudorandom generator:
Seed (truly random, short) Output (pseudorandom, long)
128 bits ----[PRG]----> 10000 bits
No efficient algorithm can tell the output from 10000 truly random bits
(unless it can invert the one-way function underlying the PRG)| Concept | Input | Output | Hardness |
|---|---|---|---|
| One-way function | Inverting is hard | ||
| Hard-core predicate | Predicting bit is hard given | ||
| PRG | Short seed | Long pseudorandom string | Distinguishing from random is hard |
Worked example Beginner
We illustrate a simple one-way function candidate. Define by where is a large prime and is a generator of .
Computing is fast: modular exponentiation takes time using repeated squaring.
Inverting requires solving the discrete logarithm problem: given , find . For a 2048-bit prime , the best known algorithms take roughly operations. This is infeasible.
Now, from we extract a pseudorandom bit using the Goldreich-Levin hard-core predicate: (the inner product of and modulo 2, for a random ). Given and a random , predicting is as hard as inverting .
To build a PRG: start with seed . At each step , compute and output bit . After steps, we have stretched bits to bits. Each output bit is pseudorandom because predicting it requires inverting .
Check your understanding Beginner
Formal definition Intermediate+
Definition (one-way function). A function is one-way if:
- (Easy to compute) There exists a polynomial-time algorithm computing .
- (Hard to invert) For every probabilistic polynomial-time (PPT) algorithm , every polynomial , and sufficiently large :
Definition (negligible function). A function is negligible if for every polynomial and sufficiently large , .
Definition (hard-core predicate). A polynomial-time computable function is a hard-core predicate for if for every PPT algorithm :
Definition (pseudorandom generator). A deterministic polynomial-time function with is a pseudorandom generator if for every PPT distinguisher :
The quantity is called the stretch of .
Counterexamples to common slips
"One-way functions exist." This is not proven. It is a computational assumption. If P = NP, one-way functions do not exist (since inverting is an NP search problem). The existence of OWFs implies P NP.
"A PRG produces truly random bits." The output is deterministic given the seed. It is pseudorandom: indistinguishable from truly random bits by any polynomial-time algorithm. An algorithm with unbounded time can distinguish it (by trying all seeds).
"Hard-core predicates are hard to compute." They are easy to compute given . They are hard to compute given only , without knowing .
Key theorem with proof Intermediate+
Theorem (Goldreich-Levin). If is a one-way function, then is a hard-core predicate for .
Proof sketch. Suppose for contradiction that there exists a PPT algorithm such that for non-negligible . We use to invert .
Given , we want to recover . The idea is to learn one bit at a time using the Fourier coefficients of the predictor . Define . If we know , we can predict perfectly; .
The algorithm uses a list-decoding approach. For each candidate , define . The correlation is the Fourier coefficient of the predictor at . By Parseval's theorem, , so at most values of have .
The Goldreich-Levin algorithm recovers all with in time by: (1) estimating for each by sampling random , and (2) using the self-correction trick: for any , where is the -th unit vector, so querying at and recovers .
This gives a PPT inverter for , contradicting one-wayness.
Bridge. The Goldreich-Levin theorem is the foundational reason one-way functions yield pseudorandomness: by extracting a hard-to-predict bit from the input to a one-way function, we obtain a single pseudorandom bit, and iterating this extraction builds a full PRG. This builds toward the HILL theorem that any OWF implies a PRG, which appears again in 47.06.02 where specific number-theoretic OWFs (factoring, discrete log) give concrete PRG instantiations. The central insight is that computational hardness is convertible into pseudorandomness via a generic transformation, and this is exactly the pattern that generalises from theoretical cryptography to the derandomisation results of 47.05.05 where Nisan's PRG uses a different hardness source (space lower bounds) for a different purpose. Putting these together with the zero-knowledge proofs of 47.06.03 shows that OWFs are the universal primitive from which all cryptographic objects can be constructed.
Exercises Intermediate+
Lean formalization Intermediate+
Mathlib has no formalization of one-way functions, pseudorandom generators, or the Goldreich-Levin theorem. These are computational notions requiring probabilistic polynomial-time adversaries, security parameters, and negligible functions—none of which are in Mathlib's scope. The foundational gap is the absence of a ComputationalHardness framework that connects algorithmic complexity to security definitions. A formalization of the PRG-stretching lemma (Exercise 3) using Mathlib's existing probability and computation structures would be a natural starting point. This unit ships without a lean_module.
Advanced results Master
Three directions extend the OWF-PRG framework.
Result 1 (OWF implies PRG: the HILL theorem). Håstad, Impagliazzo, Levin and Luby (1999) proved that one-way functions exist if and only if pseudorandom generators exist. The harder direction (OWF implies PRG) proceeds via computational entropy: a OWF has the property that has high computational entropy (it looks like it has bits of entropy even if the true entropy is less). The Goldreich-Levin hard-core predicate extracts one pseudorandom bit from this computational entropy, and the PRG is assembled by concatenating extracted bits from multiple invocations. The construction is polynomial-time but with a large polynomial, making it theoretically important but impractical [HILL 1999].
Result 2 (pseudorandom functions). A pseudorandom function (PRF) family is a collection of functions indexed by a seed such that no PPT algorithm can distinguish oracle access to (for random ) from oracle access to a truly random function. Goldreich, Goldwasser and Micali (1986) showed that PRFs can be constructed from PRGs, and hence from OWFs. PRFs are the workhorse of symmetric cryptography: they yield encryption, MACs, and authenticated encryption [Arora-Barak Ch. 9].
Result 3 (black-box separations). Impagliazzo and Rudich (1989) showed that there is no black-box reduction from key exchange (and hence from public-key cryptography) to one-way functions. This means that the construction of public-key primitives from OWFs, if possible at all, must use non-black-box techniques. This separation explains why the cryptographic landscape splits into symmetric primitives (from OWFs) and public-key primitives (from structured assumptions like factoring or discrete log) [Arora-Barak Ch. 9].
Synthesis. The equivalence OWF PRG is the foundational result that unifies computational hardness and pseudorandomness: any function that is easy to compute but hard to reverse provides a source of pseudorandom bits, and this builds toward the full edifice of symmetric cryptography where PRGs yield PRFs, PRFs yield encryption and MACs, and all of it rests on the existence of one-way functions. The central insight is that the hardness of a single computational task (inverting ) is sufficient to bootstrap the entire cryptographic toolkit, and this is exactly the pattern that appears again in 47.06.02 where specific number-theoretic OWFs give concrete instantiations. Putting these together with the derandomisation perspective of 47.05.05 shows that the same pseudorandomness phenomenon serves dual purposes: in complexity theory it enables derandomisation (BPP = P conjectured), and in cryptography it enables secure communication (OWF implies PRG proven).
Full proof set Master
Proposition 1 (Goldreich-Levin: prediction implies inversion). If there exists a PPT algorithm with for non-negligible , then there exists a PPT algorithm that inverts with probability .
Proof. The algorithm , given , recovers as follows:
For each and each candidate bit , estimate:
Since predicts with advantage on average over , by a hybrid argument over the bits of , for a -fraction of inputs , the predictor has advantage conditioned on any fixed prefix of .
For such an , the self-correction trick gives: (approximately). By sampling random values of for each pair and taking majority, recovers each bit with high probability.
The probability of correct inversion is at least (the fraction of good times the probability all bits are recovered correctly). Running time is per input.
Proposition 2 (PRG from one-way permutation). If is a one-way permutation and is a hard-core predicate for , then is a PRG mapping bits to bits.
Proof sketch. Since is a permutation, for all , so the first bits of the output are uniformly random. For each output bit : since is uniformly random (as is a permutation), the pair has the same distribution as for uniform and . By the hard-core property of , no PPT algorithm can predict from (which is ) with non-negligible advantage.
A hybrid argument over the extracted bits shows that the entire output is pseudorandom: any distinguisher for must distinguish at least one hybrid from the next, giving a predictor for the corresponding hard-core bit, contradicting the hard-core property.
Connections Master
47.02.01— P vs NP is the prerequisite: if P = NP then one-way functions do not exist, and all of cryptography collapses.47.05.05— Derandomisation uses PRGs to replace randomness in algorithms; cryptographic PRGs must fool all efficient adversaries, while derandomisation PRGs only need to fool specific tests.47.06.02— RSA and discrete logarithm provide concrete candidate one-way functions and hard-core predicates, instantiating the abstract framework defined here.47.06.03— Zero-knowledge proofs require commitment schemes built from one-way functions; the OWF-implies-PRG theorem is the first step in the construction chain.47.06.04— Digital signatures require trapdoor one-way functions (a stronger notion than plain OWFs); collision-resistant hash functions provide another cryptographic primitive built from hardness assumptions.
Historical & philosophical context Master
The concept of one-way functions emerged from Diffie and Hellman's 1976 paper "New Directions in Cryptography," which proposed that computational hardness could serve as the basis for secure communication. The formal definition was given by Yao (1982) in his paper on pseudorandom generation.
The Goldreich-Levin theorem (1989) is a cornerstone of cryptography, establishing that every one-way function has a hard-core predicate. The proof uses Fourier analysis over the Boolean hypercube, connecting cryptography to algebraic techniques. The HILL theorem (1999) completed the picture by showing that OWFs and PRGs are equivalent.
The philosophical significance is profound: randomness, secrecy, and computational hardness are three faces of the same coin. A function that is hard to invert is simultaneously a source of pseudorandomness and a mechanism for hiding information. The OWF-PRG equivalence is the formal expression of this trinity [Arora-Barak Ch. 9].
Bibliography Master
@book{arora2009computational,
author = {Arora, Sanjeev and Barak, Boaz},
title = {Computational Complexity: A Modern Approach},
publisher = {Cambridge University Press},
year = {2009},
}
@article{goldreich1989hard,
author = {Goldreich, Oded and Levin, Leonid A.},
title = {A Hard-Core Predicate for All One-Way Functions},
journal = {Proceedings of the 21st ACM Symposium on Theory of Computing},
year = {1989},
pages = {25--32},
}
@article{hastad1999pseudorandom,
author = {H{\aa}stad, Johan and Impagliazzo, Russell and Levin, Leonid and Luby, Michael},
title = {A Pseudorandom Generator from any One-Way Function},
journal = {SIAM Journal on Computing},
volume = {28},
number = {4},
pages = {1364--1396},
year = {1999},
}
@article{blum1982secure,
author = {Blum, Manuel and Micali, Silvio},
title = {How to Generate Cryptographically Strong Sequences of Pseudorandom Bits},
journal = {SIAM Journal on Computing},
volume = {13},
number = {4},
pages = {850--864},
year = {1984},
}