Cryptanalysis of Pseudorandom Generators

As a motivating application for the study of lattice in cryptography we consider the construction of pseudorandom generators. We recall that a pseudorandom generator is a program G(x) (computable in deterministic polynomial time) that maps bitstrings x ∈ {0, 1} to longer strings G(x) ∈ {0, 1} such that, if x is chosen uniformly at random and kept secret, then the output G(x) will “look” random to any efficient observer or adversary. We will formally define secure pseudorandom generators later on. But, for now, we will use the minimal security requirement that given G(x), it should be computationally hard to recover the secret seed x. We consider two popular types of generators: subset-sum generators and linear congruential generators. For simplicity, in both cases, we consider a generalized definition of generator where the input x and output G(x) are not necessarily bitstrings, but elements of some arbitrary set. We will assume that the secret seed x is chosen uniformly at random from a set of size approximately 2, so that mounting an exhaustive search attack on the seed would take exponential time. The task of the generator is to stretch this relatively short random seed into a polynomially longer string, e.g., an element from a set of size roughly 2 2 .