Cryptographic Primitives Based on Hard Learning Problems

Modern cryptography has had considerable impact on the development of computational learning theory. Tools from cryptography have been used in proving nearly all of the strong negative results for learning. In this paper, we give results in the reverse direction by showing how to construct several cryptographic primitives based on certain assumptions on the di culty of learning. Thus we develop further a line of thought introduced by Impagliazzo and Levin [5]. As we describe, standard de nitions in learning theory and cryptography do not appear to correspond perfectly in their original forms. In particular, a learning algorithm is generally required to be much more successful than a \statistical test" in cryptography. However, we show that natural modi cations to standard learning de nitions can yield a strong correspondence between hardness for learning and cryptography. The particular cryptographic primitives we consider are pseudorandom bit generators, one-way functions, and private-key cryptosystems. We give transformations of hard learning problems into cryptographic primitives with the desirable property that the complexity of the resulting primitive is not much greater than that of the hard-to-learn functions and distributions. In particular, our constructions are especially adept in preserving the degree of parallelism inherent in the hard functions and distributions. Thus, \simple" functions that are apparently di cult to learn (such as DNF formulae) may lead to cryptographic primitives of considerably reduced parallel complexity. In addition to generic transformations, we also describe a very simple pseudorandom bit generator based on the assumption that the class of parity functions is hard to learn in the presense of random noise (an assumption similar to the intractability of decoding random linear codes). Our construction is simpler than related constructions that have been described previously. A similar construction is apparently already known to some researchers in the cryptography community as a \folk theorem".