1 Introduction

There has been much recent progress on constructing indistinguishability obfuscation (IO) schemes [BGI+01, GR07] starting from the work of Garg et al. [GGH+16]. Most recently, Lin [Lin16a] and Lin et al. [LV16, Lin16b, AS16, LT17] showed a pathway to constructing IO schemes using two ingredients: multilinear maps of constant degree and pseudorandom generators of constant locality. In particular, Lin and Tessaro [LT17] construct an IO candidate from standard assumptions on bilinear maps and non-standard assumptions on “Goldreich-like” pseudorandom generators [Gol00] with “blockwise” locality 2.

This is a remarkable development: until recently, we had IO candidates based on constant degree (most recently, degree 5) multilinear maps and constant locality (most recently, locality 5) PRGs. We did not have any candidates for the degree 5 multilinear maps that satisfied the required assumptions (namely, a version of the decisional Diffie-Hellman assumption); however, we did have candidates for locality 5 PRGs that are known to resist a large class of attacks [OW14, AL16]. The Lin-Tessaro result dramatically changed the landscape by shifting the burden of existence from degree 5 multilinear maps to pseudorandom generators with (so-called) blockwise locality 2 and polynomial stretch. In other words, we have candidates for degree 2 multilinear maps (also known as bilinear maps) [BF03, Jou02, Jou00]; however, there are no locality 2 PRGs, and the security of blockwise locality 2 PRGs is highly questionable. (For the formal definitions of all these technical terms, see below and Sect. 2.)

In this work, we show a polynomial-time attack against the pseudorandom generators required for the Lin-Tessaro construction. As such, this constitutes a break of the Lin-Tessaro IO (as well as functional encryption) constructions that use bilinear maps.

We remark that our attacks do not apply to the Lin-Tessaro IO construction based on 3-linear maps. This leaves us in a curious state of affairs regarding constructions of IO from multilinear maps.

  • There is a construction [LT17] of IO from trilinear maps (whose existence is questionable) and “blockwise 3-local PRGs” (for which we have plausible candidates); and

  • There is a construction [LT17] of IO from bilinear maps (for which we have candidates that have been around for almost two decades) and “blockwise 2-local PRGs” (which are broken in this work).

Since cryptographically secure trilinear maps have so far eluded us, it is not surprising that the difficulty of achieving IO arises from the gap between bilinear and trilinear maps. However, we find it quite surprising that this transition appears to be related to the pseudorandomness of 2-local functions and 3-local functions (over a large alphabet, no less)!

Goldreich’s PRGs with Blockwise 2-Local Predicates. We start by describing the object we attack. Let P be a predicate from \(\varSigma ^2\) to \(\{0,1\}\), for some polynomial size alphabet \(|\varSigma | = q = \mathsf {poly}(n)\). Let H be a (directed) graph with n vertices and m edges; we will refer to H as the constraint graph. The pseudorandom generator \(G_{H,P}: \varSigma ^n \rightarrow \{0,1\}^m\) is defined in the following way. Let \(e = (i,j)\) be a directed edge in G. Then, the \(e^{th}\) bit of the output of the generator is computed as \(P(x_i,x_j)\). We call this an (nmq)-Goldreich-like pseudorandom generator since it uses predicates over a large alphabet.

This construction can also be thought of as a “blockwise local” pseudorandom generator, a terminology that Lin and Tessaro introduce and use [LT17]. In an (Lw)-block-wise PRG, the nw-bit input is divided into blocks of size w bits each, and each output bit of the PRG can depend on at most L blocks. It is easy to see that a Goldreich PRG as defined above with alphabet size q is a \((2,\lceil \log q \rceil )\)-block-wise PRG. In fact, Lin and Tessaro’s definition of block-wise PRGs is more general in that it allowed each output bit to be computed using a different (publicly known) predicate. However, their candidate PRG used the same predicate to compute all the output bits.

With this terminology, we are ready to state our main result.

Theorem 1

There is a \(\text {poly}(n,q)\) time algorithm \(\mathcal {D}\) which, for any \(m\ge \tilde{\varOmega }(q\cdot n)\), any predicate \(P: [q]^2\rightarrow \{0,1\}\), and any graph H with n vertices and m edges, distinguishes between a uniformly random string \(z\leftarrow U_m\) and a random output \(z\leftarrow G_{H,P}(U_{n,q})\) (with a constant distinguishing advantage).

The Lin-Tessaro Theorem and Connection to Goldreich-like PRGs. Lin and Tessaro [LT17], building on earlier work [BV15, AJ15, Lin16a, LV16, Lin16b, AS16] showed an IO candidate based on the hardness of standard assumptions on bilinear maps and the existence of a Goldreich-like PRG with blockwise locality 2 and sufficiently large stretch. That is, they show:

Under standard assumptions on bilinear maps and the existence of a subexponentially secure (nmq)-Goldreich-like PRG with \(q = \mathsf {poly}(n)\) and \(m = (nq^3)^{1+\epsilon }\) for some constant \(\epsilon >0\), there is an IO scheme. Assuming the existence of such a generator with quasipolynomial security, there is a compact FE scheme.

In a nutshell, they utilize the reductions of Ananth and Jain [AJ15] and Bitansky and Vaikuntanathan [BV15] who show how to construct an IO scheme from any sub-exponentially secure compact FE scheme. By compact FE, roughly speaking, we mean a functional encryption scheme for functions of large output size k with ciphertexts of size \(k^{1-\epsilon }\) for some absolute constant \(\epsilon > 0\). Such ciphertexts simply do not have enough space to hold the function output, so they, in a sense, have to do non-trivial computation as part of the FE decryption process. Since IO is the ultimate truth-table compression algorithm, the moral bottomline of [AJ15, BV15], formalized in [LPST16], is that “any compression implies the ultimate compression”. On the other hand, non-compact FE schemes can be constructed essentially from any public-key encryption scheme [SS10, GVW12].

Thus, [LT17] construct a compact functional encryption scheme using their ingredients. Using their bootstrapping theorem, it turns out to be sufficient to construct an FE scheme that encrypts the seed of a PRG (which they instantiate with a Goldreich-like PRG as defined above) and whose functional key corresponds to the computation of the PRG itself (plus some). In a high level, their encryption algorithm takes as input the seed \(\mathbf {x} = x_1x_2\ldots x_n \in [q]^n\), pre-computes all possible monomials on the bits of each alphabet symbol \(x_i \in [q]\) (\(i=1,\ldots ,n\)), of which there are roughly q, and includes it in the ciphertext. Computing the PRG output, then, can be written as a degree-2 computation which can be performed using a bilinear map (leveraging on an earlier result of Lin [Lin16b]). Thus, the number of bits being encrypted is \(n \cdot q\). To achieve sublinear compactness which, by the above discussion, is necessary to apply the FE-to-IO transformations, they need the output length of the PRG m to be large enough, namely \(m = \varOmega ((nq)^{1+\epsilon })\) for some constant \(\epsilon > 0\). In fact, since they need to support computations that are a bit more complex than simply computing the PRG, they need the stretch to be \(\varOmega ((nq^3)^{1+\epsilon })\).

Our main theorem (Theorem 1) now implies that a natural class of candidates for such PRGs, proposed and analyzed in [LT17], can be broken in polynomial-time. In fact, we show something stronger: even a potential extension of the Lin-Tessaro theorem that requires only blockwise 2-local PRGs with minimal expansion, namely \(m = \tilde{\varOmega }(nq)\), can be broken using our attack.

Comparison to [BBKK17]. The presentation of this work has changed significantly since the original preprint [LV17]. We originally proved the following weaker version of Theorem 1; see also the first line of Fig. 1.

Theorem 2

There is a \(\text {poly}(n,q)\) time algorithm \(\mathcal {D}\) which, for any \(m\ge \tilde{\varOmega }(q\cdot ~n)\), any predicate \(P: [q]^2\rightarrow \{0,1\}\), and a \((1-o(1))\) fraction of graphs H with n vertices and m edges, distinguishes between a uniformly random string \(z\leftarrow U_m\) and a random output \(z\leftarrow G_{H,P}(U_{n,q})\) (with a constant distinguishing advantage).

In a concurrent work, Barak et al. [BBKK17] showed a completely different attack on a blockwise 2-local PRG with different parameter settings. Barak et al. show how to attack blockwise 2-local PRGs for worst-case graphs and a worst-case collection of possibly different predicates for each output bit. However, they need to assume that the PRG had a larger stretch, namely that \(m = \tilde{\varOmega }(q^2\cdot n)\). They also achieve a threshold of \(m = \tilde{\varOmega }(q\cdot n)\) for the restricted case of random graphs and random, single predicate. See the second and third line of Fig. 1.

Our main theorem draws inspiration from [BBKK17] and applies our main technique that we refer to as alphabet reduction in a different way than we originally conceived. See the fourth line of Fig. 1.

There is a gap between our main theorem, namely Theorem 1, and a complete break of the [LT17] candidate: Theorem 1 breaks blockwise 2-local PRGs in which the predicate computing each output bit is the same. This breaks Lin and Tessaro’s concrete PRG candidate. However, their theorem can be instantiated with more general block-wise local PRGs where each output bit is computed using a different predicate, a setting that [BBKK17] break. We remark here that our techniques (to be described below) can also be used to break this multiple-predicate variant at the cost of the same worse distinguishing threshold, namely \(m\ge \tilde{\varOmega }(nq^2)\).

On the negative side, we provide evidence that our own technique is unlikely to achieve a better threshold than \(m\ge \tilde{\varOmega }(q^2\cdot n)\) for worst-case graphs and worst-case multiple predicates; it would be very interesting to understand the limits of the techniques in [BBKK17].

The current state of attacks against blockwise 2-local PRGs is summarized in Fig. 1. As one can see from the table, there is a very narrow set of possibilities that neither our attack nor [BBKK17] rule out just yet. Namely, we cannot rule out the possibility that (a) the Lin-Tessaro theorem could be improved to work with stretch \(\varOmega ((nq)^{1+\epsilon })\); and (b) there is a PRG with such a stretch that necessarily has to employ a specially tailored graph and different predicates for each output bit. An exceedingly narrow window, indeed!

Fig. 1.
figure 1

The state of the art on attacks against blockwise 2-local PRGs.

Full size image

1.1 Outline of Our Attack

We start with a description of our original attack, namely the proof of Theorem 2, which exploited the well-known connection between our problem of distinguishing a Goldreich PRG output from a uniform string and problems studied in the setting of random constraint satisfaction (CSP). In particular, we utilized a result of Allen et al. [AOW15] who developed a polynomial-time algorithm for a problem related to ours, namely that of refutation of random CSPs.

Any graph H with n nodes and m edges, any predicate P, and any string \(z\in \{0,1\}^m\) together define an instance \(\mathcal {I}\) of the following constraint satisfaction problem with predicates P and \(\lnot P\).

$$\begin{aligned} P(x_i, x_j)&= 1 \qquad \quad \text{ for } \text{ every } e = (i,j) \text{ where } z_e = 1\\ \lnot P(x_i, x_j)&= 1 \qquad \quad \text{ for } \text{ every } e = (i,j) \text{ where } z_e = 0 \end{aligned}$$

The task of breaking the PRG \(G_{H,P}\) can be thought of as distinguishing CSP instances \(\mathcal {I}\) in which the negations of P are chosen uniformly at random from instances \(\mathcal {I}\) in which the negations of P are determined by a random planted solution \(x\in [q]^n\).

Allen et al. [AOW15] developed a polynomial time algorithm for a different problem, namely that of random CSP refutation. In their setting (specialized to 2-CSPs), a random instance \(\mathcal {I}\) is generated by choosing a random graph H along with random negation patterns \((a_e, b_e)\in \mathbb Z_q^2\) for each edge \(e = (i,j)\in E(H)\), and including constraints

$$ P(x_i + a_e, x_j + b_e) = 1 $$

Their algorithm can certify that \(\text {Opt}(\mathcal {I})\), the largest fraction of constraints satisfied by any input, is less than 1 provided at least \(\tilde{\varOmega }(n\cdot \text {poly}(q))\) constraints (for an unspecified polynomial \(\text {poly}\)). Namely, their algorithm outputs 1 with probability \(1-o(1)\), but never outputs 1 if \(\mathcal {I}\) is satisfiable. Clearly, this suffices to distinguish satisfiable instances \(\mathcal {I}\) from uniformly random instances.Footnote 1 In fact, they achieve a much stronger property called strong refutation which will turn out to be crucial for us: given \(\tilde{\varOmega }(\frac{n}{\epsilon ^2}\cdot \text {poly}(q))\) constraints, their algorithm outputs 1 with probability \(1-o(1)\), but never outputs 1 if \(\mathcal {I}\) is “somewhat close” to being satisfiable, that is, if \(\text {Opt}(\mathcal {I}) \ge 1/2 + \epsilon \) (when P is balanced). Finally, we note that their result only holds over random graphs H, but analogous results in the so-called semi-random setting, in which the graph H is worst-case but negation patterns are still random, have been shown in, e.g., [Wit17].

The most glaring difference between our setting and that of random CSP refutation [AOW15] is that our CSP instance has an “outer negation pattern” (randomly negating the predicate P) while theirs have an “inner negation pattern” as described above. However, it turns out that a refutation algorithm for the random CSP model of [AOW15] can nevertheless be turned into a distinguishing algorithm, but at a cost; the resulting algorithm requires \(m\ge \tilde{\varOmega }(n\cdot \text {poly}(q))\) for some large polynomial (roughly \(q^2\) times the unspecified polynomial in [AOW15]).

Such a result is already nontrivial in the PRG setting, although it is far from the \(m\ge \tilde{\varOmega }(q\cdot n)\) threshold that we would like to achieve. This is the major challenge that this paper overcomes: how can we reduce this potentially large \(\mathsf {poly}(q)\)-dependence to an explicit, small \(\mathsf {poly}(q)\)-dependence?

Our main idea called alphabet reduction now comes to the rescue. Alphabet reduction is a way to convert our CSP on an alphabet of size q to a related CSP on a new alphabet whose size is an absolute constant independent of q. If the original CSP is random, so is the new CSP. If the original CSP is satisfiable, the new one is “somewhat close to being satisfiable”, that is, there is an assignment that satisfies at least \(1/2 + \varOmega (1/\sqrt{q})\) of its clauses. We then leverage the “strong refutation” property of the algorithm in [AOW15] to break the pseudorandomness of \(G_{H,P}\) by certifying that a random CSP with constant-sized predicate Q is not \(1/2 + \varOmega (1/{\sqrt{q}})\)-satisfiable, which can be done using the algorithm of [AOW15] with only \(\tilde{\varOmega }(n\cdot q'/\epsilon ^2) = \tilde{\varOmega }(n\cdot q)\) clauses, since \(q'=O(1)\) and \(\epsilon = \varOmega (1/\sqrt{q})\). In other words, we traded a dependence on q in the number of required clauses for a dependence on q in the error parameter \(\epsilon = \varOmega (1/{\sqrt{q}})\); since the required number of clauses is proportional to \(1/{\epsilon ^2}\), this reduces the overall dependence on q to linear.

We achieve alphabet reduction by showing that any predicate \(P: [q]^2\rightarrow \{0,1\}\) is \((1/2 + \varOmega (1/\sqrt{q}))\)-correlated to another predicate \(P': [q]^2\rightarrow \{0,1\}\) which “depends on only one bit of each input”. This uses, and refines, a classical lower bound due to Chor and Goldreich [CG88] on 2-source extractors.

If our alphabet reduction produced a CSP instance whose alphabet size was some large constant, then this would be the end of the story. However, we can actually reduce to the binary alphabet. In the binary alphabet setting, it turns out that we can use the old MAX-2-XOR approximation algorithm of Charikar and Wirth [CW04] which achieves the following guarantee: for stretch \(m = \tilde{\varOmega }(\frac{n}{\epsilon ^2})\), it can distinguish between a random string \(z\leftarrow U_m\) and any string \(z\in \{0,1\}^m\) which is within \(\frac{1}{2} - \epsilon \) (fractional) Hamming distance of the image \(G(\{0,1\}^n)\) of the PRG.Footnote 2 This allows us to obtain a much simpler algorithm (making a single black box call to the [CW04] algorithm instead of the [AOW15] algorithm) achieving the same \(m = \tilde{\varOmega }(n\cdot q)\) threshold, even for worst-case graphs.

Organization of the Paper. We start with some basic preliminaries in Sect. 2. Our alphabet reduction technique is presented in Sect. 3, and our attack which combines alphabet reduction with the 2-XOR algorithm of [CW04] is presented in Sect. 4.

2 Preliminaries

Notation. We let \(U_n\) denote the uniform distribution on \(\{0,1\}^n\). Additionally, we let \(U_{n,q}\) denote the uniform distribution on the set \([q]^n\). Let \(\mathsf {negl}(n): \mathbb {N} \rightarrow \mathbb {R}\) denote a function that is smaller than any inverse polynomial in n. That is, we require that for every polynomial p, there is an \(n_p \in \mathbb {N}\) such that \(\mathsf {negl}(n) < 1/p(n)\) for all \(n > n_p\).

2.1 Pseudorandom Generators

We say that a function \(G: \{0,1\}^n \rightarrow \{0,1\}^m \) is a pseudorandom generator (PRG) if it has the following properties: (1) G is computable in (uniform) time \(\text {poly}(n)\), and (2) for any probabilistic polynomial time adversary \(A: \{0,1\}^m \rightarrow \{0,1\}\), there is a negligible function \(\mathsf {negl}\) such that

$$ \bigg | \underset{x \leftarrow U_n}{\mathbf {E}}[A(G(x))] - \underset{z \leftarrow U_m}{\mathbf {E}}[A(z)] \bigg | = \mathsf {negl}(n) $$

We say that a PRG \(G: \{0,1\}^n\rightarrow \{0,1\}^m\) has stretch \(m-n = m(n)-n\). In this paper, we focus on the polynomial stretch regime, namely where \(m = O(n^c)\) for some constant \(c>1\).

If G is computable in \(\text {NC}^0\), we define the locality of G to be the maximum number of input bits on which any output bit of G depends.

2.2 Goldreich’s Candidate (Blockwise) Local PRG

Goldreich’s candidate pseudorandom generator, first introduced in [Gol00] (then as a candidate one-way function), can be instantiated with any k-ary predicate \(P: [q]^k \rightarrow \{0,1\}\) and any k-uniform (directed) hypergraph H on n vertices and m hyperedges. (To the best of our knowledge, the generalization to predicates P that take symbols from a larger alphabet was first considered by Lin and Tessaro under the name of “block-wise local” PRGs). Given H and P, we identify each vertex in H with an index in [n] and each hyperedge with an index \(i\in [m]\). For each \(i\in [m]\), let \(\varGamma _H(i)\in [n]^k\) be the sequence of k vertices in the ith hyperedge.

Definition 1

Given a predicate P and hypergraph H, Goldreich’s PRG is the function from \([q]^n\) to \(\{0,1\}^m\) defined by

$$ G_{H, P}(x) = \left( P(x|_{\varGamma _H(i)})\right) _{i\in [m]}. $$

That is, the ith bit of \(G_{H,P}(x)\) is the output of P when given the \(\varGamma _H(i)\)-restriction of x as input.

Goldreich’s function is often instantiated with a uniformly random choice of hypergraph H; in this setting, we say that “Goldreich’s function instantiated with P is a PRG” for some predicate P if for a random k-uniform hypergraph H, \(G_{H,P}\) is a PRG with probability \(1-o(1)\). Often, instead of proving hardness results for random hypergraphs it suffices to use hypergraphs with “good expansion” for varying definitions of expansion [AL16, OW14, ABR12]. For a more in-depth survey and discussion of Goldreich’s PRG, see [App16].

For the rest of the paper, we specialize to the case of \(k=2\), that is, blockwise 2-local PRGs. Ultimately, the attacks on \(G_{H, P}\) that we describe in this paper hold for all graphs H, rather than just random graphs.

Finally, we note that one can analogously define \(G_{H, {\vec {P}}}\) for a collection of m predicates \(P_1, ..., P_m\) (in which the ith output bit of \(G_{H, \vec {P}}\) is obtained using \(P_i\)).

3 Alphabet Reduction

Our main result relies on a technique that we call alphabet reduction which reduces the problem of distinguishing the Goldreich PRG that uses a predicate \(P:\varSigma ^2 \rightarrow \{0,1\}\) to that of distinguishing the PRG that uses a different predicate \(Q:\varSigma '^2 \rightarrow \{0,1\}\) that acts on a smaller alphabet \(\varSigma '\). In this section, we show the existence of such a suitable predicate Q (for every predicate P) and in the next, we use it to break the PRG. We start with the definition of alphabet reduction.

Definition 2

(( \(\varSigma ,\varSigma ',\delta \) )-Alphabet Reduction). Let \(P: \varSigma ^2 \rightarrow \{0,1\}\) be a balanced predicate in two variables. A \((\varSigma ,\varSigma ',\delta )\)-alphabet reduction for P is defined to be a tuple (Qfg) where \(Q: \varSigma '^2\rightarrow \{0,1\}\) is a balanced predicate defined on an alphabet \(\varSigma '\), and f and g are (exactly) \(\frac{|\varSigma |}{|\varSigma '|}\)-to-one maps from \(\varSigma \) to \(\varSigma '\), and

In other words, P(xy) is nontrivially correlated to the decomposed predicate Q(f(x), g(y)). We use the shorthand “\((q', \delta )\)-alphabet reduction” when \(|\varSigma '| = q'\).

Note that if P(xy) is perfectly correlated to \(P'(x,y) := Q(f(x),g(y))\), then the expectation defined above is 0, and if they are perfectly uncorrelated, it is 1/2. In words, this definition asks for a way to approximately compute P by first compressing the two inputs x and y independently, and then computing a different predicate Q on the compressed inputs.

In this section, we prove a feasibility result for alphabet reduction: namely, that any predicate \(P: \varSigma ^2 \rightarrow \{0,1\}\) has a \((\varSigma ,\varSigma ',1/2 - \varOmega (1/\sqrt{|\varSigma |})\)-alphabet reduction where \(\varSigma ' = \{0,1\}\) is an alphabet of size two. In other words Q(f(x), g(y)) is mildly, but non-trivially, correlated to P. The predicate Q as well as the compression functions f and g are efficently computable given the truth table of P. Our result is a refinement of a lower bound on the possible error of two-source extractors, due to Chor and Goldreich [CG88].

Theorem 3

Suppose that \(P: \varSigma ^2\rightarrow \{0,1\}\) is a balanced predicate and \(|\varSigma |\) is divisible by 2. Then, there exists a \((\varSigma ,\varSigma ',1/2-c/\sqrt{|\varSigma |})\)-alphabet reduction (Qfg) for P, for some universal constant c. Moreover, given P we can find such a triple (Qfg) in (expected) \(\text {poly}(|\varSigma |)\) time.

Proof

Throughout this proof, we will equate \(\varSigma \) with the set [q] (so that \(|\varSigma |=q\)) and \(\varSigma '\) with the set \(\{0,1\}\) (so that \(|\varSigma '|=2\)). Also, for ease of exposition, we consider P taking values in \(\{\pm 1\}\) instead of \(\{0,1\}\).

Given \(P: [q]^2\rightarrow \{\pm 1\}\), consider P as a \(\pm 1\)-valued \(q\times q\) matrix. At a high level, the proof goes as follows: we first find a \(\frac{q}{2} \times \frac{q}{2}\) submatrix of P with substantially more \(+1\)s than \(-1\)s in it (or vice-versa). Such a submatrix is not hard to construct: picking a random collection T of \(\frac{q}{2}\) columns and then choosing the collection S of \(\frac{q}{2}\) rows optimizing the number of \(+1\)s (or \(-1\)s) in the \(S\times T\) submatrix suffices. Then, we pick f (a function of the q rows) and g (a function of the q columns) to be indicator functions for S and T respectively; there then turns out to be a choice of function \(Q: \{0,1\}\times \{0,1\}\rightarrow \{\pm 1\}\) (in particular, with Q(1, 1) set to be the majority value of P in the submatrix \(S\times T\)) such that (Qfg), with outputs transformed back to \(\{0,1\}\), is a valid alphabet reduction for P.

We now proceed with the full proof. For each \(x\in [q]\) and subset \(T\subset [q]\), define

$$ B(x,T) = \left| \sum _{y\in T} P(x,y) \right| , $$

that is, the absolute value of the T-partial row sum of row x. In [CG88] (Lemma 2), Chor and Goldreich show that if we choose T to be a uniformly random subset of \(\frac{q}{2}\) columns, then for every x,

$$ \underset{T\subset [q], |T| = \frac{q}{2}}{\text {Pr}}\left[ B(x,T) \ge \sqrt{\frac{q}{2}}\right] \ge \frac{1}{8}. $$

Therefore, we have that

$$ \underset{T\subset [q], |T| = \frac{q}{2}}{\mathbf {E}}\left[ \frac{1}{q}\cdot \#\left\{ x\in [q]: B(x,T) \ge \sqrt{\frac{q}{2}} \right\} \right] \ge \frac{1}{8}. $$

Since the random variable \(\frac{1}{q} \cdot \#\left\{ x\in [q]: B(x, T) \ge \sqrt{\frac{q}{2}} \right\} \) takes values in the interval [0, 1] and has expectation at least \(\frac{1}{8}\), we conclude by Markov’s inequality that

$$ \underset{T\subset [q], |T| = \frac{q}{2}}{\text {Pr}}\left[ \frac{1}{q}\cdot \#\left\{ x\in [q]: B(x,T) \ge \sqrt{\frac{q}{2}} \right\} \le \frac{1}{16} \right] \le \frac{14}{15}, $$

so that with probability \(\ge \frac{1}{15}\) over the choice of T, there will be at least \(\frac{q}{16}\) rows \(x\in [q]\) such that \(B(x,T) \ge \sqrt{\frac{q}{2}}\). Fixing any such set T, we then have that

$$ \sum _{x\in [q]} B(x,T) \ge \frac{q\sqrt{q}}{16\sqrt{2}}. $$

Now, let \(S\subset [q]\) be the set of \(\frac{q}{2}\) rows \(x_1, ..., x_{\frac{q}{2}}\) with the largest values of \(\tilde{B}(x, T):= \sum _{y\in T} P(x,y)\). We claim that

$$ \left| \sum _{x\in S} \tilde{B}(x,T)\right| + \left| \sum _{x\not \in S} \tilde{B}(x,T)\right| \ge \frac{q\sqrt{q}}{48\sqrt{2}}, $$

that is, we claim that a significant fraction of the \(\tilde{B}(x,T)\) terms do not cancel with each other when we sum over \(x\in S\) and \(x\not \in S\) separately. To see this, let

$$ C_1 = \sum _{x: \tilde{B}(x,T)\ge 0} B(x,T) $$

and

$$ C_2 = \sum _{x: \tilde{B}(x,T) < 0} B(x,T) $$

so that \(C_1 + C_2 =\sum _{x\in [q]} B(x,T)\). We note that without loss of generality, we have that \(\tilde{B}(x,T) \ge 0\) for all \(x\in S\), so that

$$\begin{aligned} \left| \sum _{x\in S} \tilde{B}(x,T)\right|&+ \left| \sum _{x\not \in S} \tilde{B}(x,T)\right| = \sum _{x\in S} B(x,T) + \max (\sum _{x\not \in S} \tilde{B}(x,T), -\sum _{x\not \in S} \tilde{B}(x,T))\\&\quad \ge \max (C_1 - C_2, C_2) \ge \frac{1}{3} (C_1 - C_2) + \frac{2}{3} C_2 \ge \frac{q\sqrt{q}}{48\sqrt{2}}. \end{aligned}$$

as desired. Thus, either the submatrix \(S\times T\) or \(([q] - S)\times T\) has the intermediate property we were looking for.

Finally, we can construct Qf, and g as follows: let \(S_0 = S, S_1 = [q] - S\), \(T_0 = T\), \(T_1 = [q] - T\), and for \(i, j\in \{0,1\}\) we define

$$ E_{ij} = \frac{1}{q^2} \sum _{(x,y)\in S_i\times T_j} P(x,y). $$

For \(i,j\in \{0,1\}\), define \(Q(i,j) = 1\) if \(E_{ij}\) is one of the two largest elements of the (multi)set \(\{E_{ij}, i, j\in \{0,1\}\}\) (and \(Q(i,j) = -1\) otherwise). Moreover, we define \(f(x) = i\) if and only if \(x\in S_i\), and we define \(g(y) = j\) if and only if \(y\in T_j\). Intuitively, for \((x,y)\in S_i\times T_j\) we want to set Q(f(x), g(y)) to be the majority value of \(P(x', y')\) for \((x', y')\in S_i\times T_j\), but to make Q a balanced predicate we may have to disagree with this majority function on some inputs.

By essentially the same argument about cancellation as before, we will show that P(xy) is \(\frac{1}{2} + \varOmega (\frac{1}{\sqrt{q}})\)-correlated to Q(f(x), g(y)). That is, we show that

$$ \underset{(x, y)\leftarrow U_{2, q}}{\mathbf {E}} [P(x,y) Q(f(x), g(y))] \ge \frac{1}{2}\left( |E_{00}| + |E_{01}| + |E_{10}| + |E_{11}| \right) = \varOmega (\frac{1}{\sqrt{q}}). $$

To see this, re-order the four numbers \(E_{ij}\) into \(E_1 \le E_2 \le E_3 \le E_4\); we know that \(E_1 + E_2 + E_3 + E_4 = 0\) since P(xy) is balanced. If exactly two of these four numbers are negative, then the expected value above is exactly equal to \( |E_1| + |E_2| + |E_3| + |E_4|\), so we are done. On the other hand, it may be that three of \(\{E_1, E_2, E_3, E_4\}\) have the same sign; suppose without loss of generality that \(E_3 \le 0\). Then, we see that

$$\begin{aligned} \underset{(x, y)\leftarrow U_{2, q}}{\mathbf {E}}&[P(x,y) Q(f(x), g(y))] = |E_1| + |E_2| - |E_3| + |E_4|\\&\ge |E_4| = \frac{1}{2} \left( |E_1| + |E_2| + |E_3| + |E_4|\right) , \end{aligned}$$

completing the existence proof. Moreover, our existence proof above is constructive: to find a valid triple (Qfg), we repeatedly choose \(T\subset [q]\) of size \(\frac{q}{2}\) uniformly at random, check if \(\sum _{x\in [q]} B(x,T) = \varOmega (q\sqrt{q})\) (for suitably chosen constant c), and proceed to construct S, Q, f, and g as described. In expectation only a constant number of sets T will be selected before S, Q, f, and g are successfully constructed, so we are done.    \(\square \)

3.1 Limits of Alphabet Reduction

Alphabet reduction is one of the two main ingredients to our distinguishing algorithm. In order to obtain distinguishers for an even larger class of PRGs, namely, instantiations of Goldreich’s PRG in which m possibly different predicates \(P^{(1)}, P^{(2)}, ..., P^{(m)}\) are used instead of a repeated single predicate, one can analogously define an “average case alphabet reduction” for an m-tuple of predicates \(\vec P\).

Definition 3

(Average Case \((\varSigma , \varSigma ', \delta )\) -Alphabet Reduction). Let \(P^{(1)}, P^{(2)},\) \( \ldots , P^{(m)}: \varSigma ^2 \rightarrow \{0,1\}\) be a collection of balanced predicates in two variables. A \((\varSigma , \varSigma ', \delta )\) -average case alphabet reduction for \(\vec P\) is defined to be a tuple \(({\vec Q},~f,~g)\) such that each \(Q^{(i)}: {\varSigma '}^2\rightarrow \{0,1\}\) is a balanced predicate defined on an alphabet of size \(q'\), f and g are (exactly) \(\frac{q}{q'}\)-to-one maps from \(\varSigma \rightarrow \varSigma '\), and

In other words, \(P^{(i)}(x,y)\) is nontrivially correlated to \(Q^{(i)}(f(x), g(y))\) on average over the choice of i. We use the shorthand “\((q', \delta )\)-average case alphabet reduction” for \(\vec P\) when \(|\varSigma '| = q'\).

Note that we require the same alphabet reduction functions f and g to work for all the predicates \(P^{(i)}\) simultaneously.

It turns out that average case alphabet reduction is significantly more difficult to achieve than alphabet reduction. In general, one cannot find a constant size average case alphabet reduction with \(\delta < \frac{1}{2} - \tilde{O}(\frac{1}{q}) \).

In particular, when \(\vec P\) is a good 3-source extractor \(\vec P: [q]\times [q]\times [m]\rightarrow \{0,1\}\), no such alphabet reduction can be done. Our impossibility result for alphabet reduction boils down to a (slightly modified) folklore construction of 3-source extractors, which we include for completeness.

Theorem 4

Let \(\vec P = (P^{(k)}_{ij})\) be a uniformly random \(\pm 1\)-entry \(q\times q\times m\) 3-tensor subject to the contraint that \(P^{(k)}\) is balanced for every k, and suppose that \(q\le m\). Then, for any constant C, we have that with overwhelming probability, every \(\frac{q}{C}\times \frac{q}{C} \times \frac{m}{C}\) subtensor \(\vec P|_{S\times T\times U}\) of \(\vec {P}\) has discrepancy \(\left| \sum _{(i,j,k)\in S\times T\times U} \vec P_{ij}^{(k)}\right| = O(\frac{\log (mq)}{q})\).

Corollary 1

If \(\vec P\) is a uniformly random collection of m balanaced predicates \(P^{(i)}: [q]^2\rightarrow \{0,1\}\), then for any constant C, there is no \(\left( C, \frac{1}{2} - O(\frac{\log (mq)}{q})\right) \)-average case alphabet reduction for \(\vec P\) with overwhelming probability.

Proof

First, consider any fixed subtensor \(\vec {P}|_{S\times T\times U}\) of size \(\frac{q}{C} \times \frac{q}{C} \times \frac{m}{C}\), and suppose that \((P^{(k)}_{ij})\) is a uniformly random tensor (not constrained to be balanced). Then, \(\vec {P}|_{S\times T\times U}\) is a uniformly random \(\pm 1\)-tensor whose discrepancy is governed by the Chernoff bound:

$$ \text {Pr}\left[ \left| \sum _{i\in S, j\in T, k\in U} P_{ij}^{(k)}\right| \ge \epsilon \right] \le 2 \cdot 2^{-\varOmega (\frac{mq^2}{C^3}\epsilon ^2)}. $$

The number of subtensors we are considering is \({m\atopwithdelims ()\frac{m}{C}}{q\atopwithdelims ()\frac{q}{C}}{q\atopwithdelims ()\frac{q}{C}}\), and the probability that a random tensor \(\vec P\) has the property that \(P^{(k)}\) is balanced for all k is bounded by \((\varOmega (\frac{1}{q}))^m\) (as the discrepancy of each \(P^{(k)}\) follows the distribution \(\text {Binomial}(q^2, \frac{1}{2})\)). Thus, the probability that a random \(\vec P\) satisfies this \(\epsilon \)-discrepancy property after conditioning on balanced is bounded by

$$ O(q)^m {m\atopwithdelims ()\frac{m}{C}} {q\atopwithdelims ()\frac{q}{C}}^2 \cdot 2^{-\varOmega (\frac{mq^2}{C^3}\epsilon ^2)}. $$

Choosing \(\epsilon = O(\frac{C^{1.5}\log (mq)}{q})\) suffices to make this probability negligible, so we are done.   \(\square \)

As a result of Theorem 4, it is unlikely for alphabet reduction to be sufficient for breaking \(G_{H,\vec P}\) with \(m = \tilde{\varOmega }(q\cdot n)\) output length, because the refutation algorithms with which we combine predicate reduction have a \(\frac{1}{\epsilon ^2}\) dependence in the required output length for \(\epsilon \)-refutation (and this dependence is typical). Therefore, it is unlikely for average case alphabet reduction to lead to a distinguisher for \(G_{H, \vec P}\) when the output length \(m = |E(H)|\) is less than \(q^2 n\).

However, we note for completeness’ sake that Theorem 4 is tight up to log factors; that is, \(\left( \frac{1}{2} - \varOmega (\frac{1}{q})\right) \)-average case alphabet reduction is possible. The construction is as follows: pick sets ST uniformly at random (of size \(\frac{|\varSigma |}{2}\)), choose \(f, g: \varSigma \rightarrow \{0,1\}\) to be indicator functions for S and T, as before, and for each \(\ell \in [m]\) define \(Q^{(\ell )}(i, j)\) to be 1 if and only if the average value \(E_{i,j}^{(\ell )}\) is in the top two out of four \(E_{\cdot , \cdot }^{(\ell )}\), as before. Using average-case alphabet reduction, one can distinguish multiple-predicate Goldreich PRGs \(G_{H, \vec P}\) when \(m \ge \tilde{\varOmega }(q^2\cdot n)\); we will elaborate on this in Sect. 4.2.

4 From Small Alphabet Refutation to Large Alphabet Distinguishing

We now describe how alphabet reduction is used to obtain distinguishing algorithms for the (single predicate) Goldreich PRG \(G_{H, P}\); combining this section with Theorem 3 yields Theorem 1. The cleanest interpretation of our application of alphabet reduction uses the notion of an “image refutation algorithm” for a function \(G: [q]^n \rightarrow \{0,1\}^m\), which was formally defined in [BBKK17]. Interpreted in this language, our result says that any image refutation algorithm for Goldreich’s PRG can be converted into a distinguishing algorithm for Goldreich’s PRG with a significantly improved dependence on the alphabet size. The new distinguishing threshold is a simple function of the quality of the alphabet reduction that was used and the refutation threshold for the image refutation algorithm.

Definition 4 (Image Refutation)

Let \(G: [q]^n \rightarrow \{0,1\}^m\) be any function. An image refutation algorithm for G is an algorithm \(\mathcal {A}\) which receives G and a string \(z\in \{0,1\}^m\) as input, with the following properties:

  1. 1.

    (Soundness) If \(z\in G([q]^n)\), then \(\mathcal {A}(G, z) =\) “fail”.

  2. 2.

    (Completeness) If \(z\leftarrow U_m\), then \(\mathcal {A}(G, z) =\)z is not in the image of G” with probability \(1-o(1)\).

Furthermore, \(\mathcal {A}\) is an \((\frac{1}{2} - \delta )\) -image refutation algorithm for G if it has the following properties:

  1. 1.

    (Strong Soundness) If z has Hamming distance less than or equal to \((\frac{1}{2} - \delta ) m\) from \(G([q]^n)\), then \(\mathcal {A}(G, z) =\) “fail”.

  2. 2.

    (Strong Completeness) If \(z\leftarrow U_m\), then \(\mathcal {A}(G, z) =\)z is \((\frac{1}{2} - \delta )\)-far from the image of G” with probability \(1-o(1)\).

Given this definition, we are ready to state our reduction theorem.

Theorem 5

Let \(P:[q]^2 \rightarrow \{0,1\}\) be a predicate. Assume the existence of the following two ingredients:

  • An efficiently computable \((q',\frac{1}{2}-\epsilon )\)-alphabet reduction for P that produces a tuple (Qfg) where \(Q:[q']^2 \rightarrow \{0,1\}\); and

  • An image refutation algorithm \(\mathcal {A}\) that runs in \(\mathsf {poly}(n,m,q',\frac{1}{\delta })\) time and does \((\frac{1}{2}-\delta )\)-image refutation for the function \(G_{H,Q}\) for any predicate \(Q: [q']^2 \rightarrow \{0,1\}\), any \(\delta >0\) and any graph H satisfying \(m = |E(H)| \ge T(n,q',\delta )\) for some threshold function \(T(\cdot )\).

Then, there is a distingusher \(\mathcal {D}\) that, for any graph H with \(m=|E(H)| \ge T(2n, q', \epsilon - O(\sqrt{\frac{n}{m}}))\), runs in \(\text {poly}(n, q, \frac{1}{\epsilon })\) time and distinguishes a random string \(z\leftarrow U_m\) from a random output \(z\leftarrow G_{H,P}( U_{n,q})\) of \(G_{H,P}\).

In particular, since Theorem 3 efficiently produces a \((2, \frac{1}{2} - \varOmega (\frac{1}{\sqrt{q}}))\)-alphabet reduction for any balanced predicate P, Theorem 5 implies that any strong image refutation algorithm for Goldreich’s PRG over the binary alphabet immediately yields a distinguishing algorithm for Goldreich’s PRG over larger alphabets.

Image Refutation Algorithms for Goldreich’s PRG. We originally combined an alphabet reduction (with \(q' = O(1)\)) with the random CSP refutation algorithm of [AOW15] in place of a PRG image refutation algorithm, which turned out to be sufficient to obtain a distinguisher for \(G_{H, P}\) over random graphs for all \(m = \tilde{\varOmega }(q\cdot n)\).

However, with an alphabet reduction using \(q' = 2\), the state of affairs is much simpler; indeed, the Charikar-Wirth algorithm [CW04] directly gives us a PRG image refutation algorithm which can then be used to obtain a distinguisher for worst case graphs and worst case single predicates for \(m = \tilde{\varOmega }(q\cdot n)\) (for a sufficiently large logarithmic factor). This is because Charikar-Wirth \((\frac{1}{2} - \epsilon )\)-refutes random 2-XOR instances with \(m = \tilde{\varOmega }(\frac{n}{\epsilon ^2})\) constraints, and strongly refuting Goldreich’s PRG instantiated with a balanced predicate \(Q: \{0,1\}^2\rightarrow \{0,1\}\) is exactly the same as strongly refuting a random 2-XOR instance (or a random 1-XOR instance, which is even easier). In particular, a balanced predicate \(Q: \{0,1\}^2\rightarrow \{0,1\}\) is either \(Q(x,y) = x\), \(Q(x,y) = y\), \(Q(x,y) = x\oplus y\), or a negation of the previous three examples. Thus, any Goldreich PRG \(G_{H, Q}\) defines a random 2-XOR instance or a random 1-XOR instance, either of which can be efficiently (strongly) refuted.

In the multiple predicate case, a Goldreich PRG \(G_{H, \vec Q}\) (still over the binary alphabet) defines both a random 2-XOR instance and a random 1-XOR instance. It is not hard to see that if m is sufficiently large, at least one of these two CSP instances will be above its refutation threshold, yielding the necessary strong image refutation algorithm for \(G_{\tilde{H}, \vec Q}\). We will use this stronger fact for Theorem 6.

Furthermore, we note that this theorem can still be useful in regimes where general alphabet reduction is impossible; it says that if a predicate \(P:[q]^2\rightarrow \{0,1\}\) happens to have an alphabet reduction, then \(G_{H,P}\) may be less secure than one would expect for the given alphabet size q.

We now prove Theorem 5. The intuition is quite simple: given an alphabet reduction (Qfg) for P and an image \(z = G_{H, P}(x)\) for a random x, one would expect that z is noticeably closer to the point \(G_{H, P'}(x)\) for \(P'(x,y) = Q(f(x), g(y))\). Indeed, this is true in expectation over x, and holds with high probability by a concentration argument. Therefore, a strong refutation algorithm for the predicate Q should be able to distinguish \(G_{H, P}(x)\) from a random string.

4.1 Proof of Theorem 5

Fix any predicate \(P: [q]^2\rightarrow \{0,1\}\), efficiently computable \((q', \delta )\)-alphabet reduction (Qfg),Footnote 3 and graph H with n vertices and m edges. Let \(G_{H, P}: [q]^n \rightarrow \{0,1\}^m\) be Goldreich’s PRG instantiated with P and H. We want to construct a distinguisher \(\mathcal {D}(H, P, z)\) which, given PH, and a string \(z\in \{0,1\}^m\) (where m is the number of edges in H), outputs a bit \(b\in \{0,1\}\) such that \(\underset{z\leftarrow U_m}{\mathbf {E}}[\mathcal {D}(P, H, z)]\) is noticeably different from \(\underset{z\leftarrow G_{H,P}(U_n)}{\mathbf {E}}[\mathcal {D}(P, H, z)]\). Our distinguisher \(\mathcal {D}\) is defined as follows.

  1. 1.

    Compute (Qfg) given P.

  2. 2.

    Let \(\tilde{H}\) be the bipartite double-cover of H, i.e. a graph with vertex set \([n]\times \{0,1\}\) and edges from (i, 0) to (j, 1) for every \((i, j)\in E(H)\).

  3. 3.

    Call \(\mathcal {A}(\tilde{H}, Q, \epsilon - 5\sqrt{\frac{n}{m}}, z)\).

  4. 4.

    Return 1 if and only if the call to \(\mathcal {A}\) returns “z is \((\frac{1}{2} - \epsilon + 5\sqrt{\frac{n}{m}})\)-far from the image of \(G_{\tilde{H}, Q}\)”.

Note that by assumption on \(\mathcal {A}\), for \(z\leftarrow U_m\), \(\mathcal {D}(P, H, z)\) will output 1 with probability \(1-o(1)\) as long as \(m\ge T(2n, q', \epsilon - 5\sqrt{\frac{n}{m}})\). What remains is to analyze the “pseudorandom” case.

Lemma 1

With constant probability over \(\mathbf {x}\leftarrow U_{n,q}\), \(z = G_{H,P}(\mathbf {x})\) will have Hamming distance at most \((\frac{1}{2} - \epsilon + 5\sqrt{\frac{n}{m}})m\) from \(G_{\tilde{H},Q}(\tilde{\mathbf {x}})\), where \(\tilde{\mathbf {x}}\in (\mathbb Z_2^n)^2\) is defined by \(\tilde{x}_{i,0} = f(x_i)\) and \(\tilde{x}_{i,1} = g(x_i)\).

Since the call to \(\mathcal {A}(\tilde{H}, Q, \epsilon - 5\sqrt{\frac{n}{m}}, z)\) must return “fail” whenever z has Hamming distance at most \((\frac{1}{2} - \epsilon + 5\sqrt{\frac{n}{m}})m\) from \(G_{\tilde{H}, Q}(\mathbb Z_{q'}^n)\) (again for \(m\ge T(2n, q', \epsilon - 5\sqrt{\frac{n}{m}})\)), Lemma 1 suffices to prove that

$$ \underset{\mathbf {x}\leftarrow U_{n,q}}{\mathbf {E}}[\mathcal {D}(H, P, G_{H,P}(\mathbf {x}))] = 1 -\varOmega (1). $$

Proof

Let \(P'(x,y) = Q(f(x), g(y))\) so that \(\underset{(x, y)\leftarrow U_{2, q}}{\text {Pr}}[P(x,y)= P'(x,y)] = \alpha \ge \frac{1}{2} + \epsilon \), as guaranteed by the fact that (Qfg) is a \((\frac{1}{2} - \epsilon )\)-alphabet reduction for P. We are interested in the quantity \(d_H(z, G_{\tilde{H}, Q}(\tilde{\mathbf {x}})) = d_H(z, G_{H, P'}(\mathbf {x}))\), where \(d_H\) denotes fractional Hamming distance. First, we note that in expectation over \(\mathbf {x}\leftarrow U_{n, q}\),

$$\begin{aligned} E&:= 1-\underset{\mathbf {x}\leftarrow U_{n,q}}{\mathbf {E}}[d_H(G_{H,P}(\mathbf {x}), G_{\tilde{H},Q}(\tilde{\mathbf {x}}))] \\&= \underset{\mathbf {x}\leftarrow U_{n,q}}{\mathbf {E}}\left[ \underset{(i, j)\overset{{\$}}{\leftarrow }E(H)}{\text {Pr}}\left[ P'(x_i, x_j) = P(x_i, x_j)\right] \right] \\&\ge \alpha -\frac{n}{m} \\&\ge \frac{1}{2} + \epsilon - \frac{n}{m}, \end{aligned}$$

where the \(\frac{n}{m}\) term comes from the fraction of edges in H which are self loops (we cannot say that \(P(x_i, x_i)\) is necessarily correlated to \(P'(x_i, x_i)\)). Now, we compute the variance (over \(\mathbf {x}\)) of this quantity to be

$$\begin{aligned}&\underset{\mathbf {x}\leftarrow U_{n,q}}{{{\mathrm{Var}}}}[1-d_H(G_{H,P}(\mathbf {x}), G_{\tilde{H},Q}(\tilde{\mathbf {x}}))] \\&= \underset{\mathbf {x}\leftarrow U_{n,q}}{\mathbf {E}}\left[ \left( \underset{(i, j)\overset{{\$}}{\leftarrow }E(H)}{\text {Pr}}\left[ P'(x_i, x_j) = P(x_i, x_j)\right] \right) ^2\right] - E^2 \\&= \underset{\mathbf {x}\leftarrow U_{n,q}}{\mathbf {E}}\left[ \frac{1}{m^2}\sum _{\begin{array}{c} (i, j)\in E(H)\\ (k, l)\in E(H) \end{array}} \chi \left( P'(x_i, x_j) = P(x_i, x_j)\right) \chi \left( P'(x_k, x_l) = P(x_k, x_l)\right) \right] - E^2 \\&= \frac{1}{m^2}\sum _{\begin{array}{c} (i, j)\in E(H)\\ (k, l)\in E(H) \end{array}} \underset{\mathbf {x}\leftarrow U_{n,q}}{\text {Pr}}\left[ P'(x_i, x_j) = P(x_i, x_j) \text { and } P'(x_k, x_l) = P(x_k, x_l)\right] - E^2. \end{aligned}$$

Note that if the edges \((i,j), (k, l)\in E(H)\) have no vertices in common, the events “\(P'(x_i, x_j) = P(x_i, x_j)\)” and “\(P'(x_k, x_l) = P(x_k, x_l)\)” are independent. This means that our variance is upper bounded by

$$\begin{aligned} \frac{1}{m^2} \sum _{\begin{array}{c} (i, j)\in E(H)\\ (k, l)\in E(H) \end{array}}\underset{\mathbf {x}}{\text {Pr}}\left[ P'(x_i, x_j) = P(x_i, x_j)\right]&\underset{\mathbf {x}}{\text { Pr}}\left[ P'(x_k, x_l) = P(x_k, x_l)\right] + \frac{m_{\text {bad}}}{m^2} - E^2\\&= \frac{m_{\text {bad}}}{m^2}, \end{aligned}$$

where \(m_{\text {bad}}\) is defined to be the number of pairs of edges ((ij), (kl)) which have a vertex in common. This is bounded by the quantity

$$m_{\text {bad}} \le \sum _{i\in [n]}\deg _H(i)^2 \le 2n\cdot \sum _{i\in [n]}\deg _H(i) = 4mn. $$

Therefore, we conclude that

$$ \underset{\mathbf {x}\leftarrow U_{n,q}}{{{\mathrm{Var}}}}[1-d_H(G_{H,P}(\mathbf {x}), G_{\tilde{H},Q}(\tilde{\mathbf {x}}))] \le \frac{4n}{m}. $$

By Chebyshev’s inequality, this means that with constant probability over \(\mathbf {x}\leftarrow U_{n,q}\), we have that

$$ 1-d_H(G_{H,P}(\mathbf {x}), G_{H,\tilde{Q}}(\tilde{\mathbf {x}})) \ge \alpha - \frac{n}{m} - 4 \sqrt{\frac{n}{m}} \ge \frac{1}{2} + \epsilon - 5\sqrt{\frac{n}{m}}, $$

so that \(d_H(G_{H,P}(\mathbf {x}), G_{H,\tilde{Q}}(\tilde{\mathbf {x}})) \le \frac{1}{2} -\epsilon + 5\sqrt{\frac{n}{m}}\), completing the proof of the lemma.   \(\square \)

Lemma 1 tells us that for \(m\ge T(2n, q', \epsilon - 5\sqrt{\frac{n}{m}})\), with constant probability over \(\mathbf {x} \leftarrow G_{n, q}\) the call made to \(\mathcal {A}\) will return “fail”, and so

$$ \underset{\mathbf {x}\leftarrow G_{n, q}}{\mathbf {E}}[\mathcal {D}(H, P, G_{H, P}(\mathbf {x}))] = 1-\varOmega (1). $$

Thus, we conclude that \(\mathcal {D}\) achieves a constant distinguishing advantage between the “truly random z” case and the “pseudorandom z” case, completing the proof of Theorem 5.

4.2 Generalization of Theorem 5 to Multiple Predicates

We note that the proof of Theorem 5 does not fundamentally use the fact that the predicates used in Goldreich’s PRG \(G_{H, P}\) are identical. Indeed, the following result holds by the same argument.

Theorem 6

Let \(P^{(1)}, P^{(2)}, \ldots , P^{(m)}:[q]^2 \rightarrow \{0,1\}\) be a collection of m predicates. Assume the existence of the following two ingredients:

  • An efficiently computable \((q',\frac{1}{2}-\epsilon )\)-average case alphabet reduction for \(\vec P\) that produces a tuple \(({\vec Q}, f, g)\) where each \(Q^{(\ell )}:[q']^2 \rightarrow \{0,1\}\); and

  • An image refutation algorithm \(\mathcal {A}\) that runs in \(\mathsf {poly}(n,m,q',\frac{1}{\delta })\) time and does \((\frac{1}{2}-\delta )\)-image refutation for the function \(G_{H,\vec Q}\) for any predicate collection \(Q^{(\ell )}: [q']^2 \rightarrow \{0,1\}\), any \(\delta >0\) and any graph H satisfying \(m = |E(H)| \ge T(n,q',\delta )\) for some threshold function \(T(\cdot )\).

Then, there is a distingusher \(\mathcal {D}\) that, for any graph H with \(m=|E(H)| \ge T(2n, q', \epsilon - O(\sqrt{\frac{n}{m}}))\), runs in \(\text {poly}(n, q, \frac{1}{\epsilon })\) time and distinguishes a random string \(z\leftarrow U_m\) from a random output \(z\leftarrow G_{H,\vec P}( U_{n,q})\) of \(G_{H,\vec P}\).

Theorem 6, combined with the Charikar-Wirth algorithm and an average-case alphabet reduction with correlation \(\varOmega (\frac{1}{q})\), gives us a distinguisher for multiple predicate Goldreich PRGs \(G_{H, \vec P}: [q]^n\rightarrow \{0,1\}^m\) for all \(m\ge \tilde{\varOmega }(q^2 n)\).