Constructing Secure Encryption Schemes
turn immediately to constructions of secure encryption schemes. Before doing so, however, we need to introduce the notions of pseudorandom generators (PRGs) and stream ciphers, important building blocks for private-key encryption. These, in turn, will lead to a discussion of pseudorandomness, which plays a fundamental role in cryptography in general and private-key encryption in particular.
3.3.1 Pseudorandom Generators and Stream Ciphers

A pseudorandom generator G is an efficient, deterministic algorithm for transforming a short, uniform string called the seed into a longer, “uniform-looking” (or “pseudorandom”) output string. Stated differently, a pseudorandom generator uses a small amount of true randomness in order to generate a large amount of pseudorandomness. This is useful whenever a large number of random(-looking) bits are needed, since generating true random bits is difficult and slow. (See the discussion at the beginning of Chapter 2.)

Indeed, pseudorandom generators have been studied since at least the 1940s when they were proposed for running statistical simulations. In that context, researchers proposed various statistical tests that a pseudorandom generator should pass in order to be considered “good.” As a simple example, the first bit of the output of a pseudorandom generator should be equal to 1 with probability very close to 1/2 (where the probability is taken over uniform choice of the seed), since the first bit of a uniform string is equal to 1 with probability exactly 1/2. In fact, the parity of any fixed subset of the output bits should also be 1 with probability very close to 1/2. More complex statistical tests can also be considered. This historical approach to determining the quality of some candidate pseudorandom generator is ad hoc, and it is not clear when passing some set of statistical tests is sufficient to guarantee the soundness of using a candidate pseudorandom generator for some application. (In particular, there may be another statistical test that does successfully distinguish the output of the generator from true random bits.) The historical approach is even more problematic when using pseudorandom generators for cryptographic applications; in that setting, security may be compromised if an attacker is able to distinguish the output of a generator from uniform, and we do not know in advance what strategy an attacker might use.

The above considerations motivated a cryptographic approach to defining pseudorandom generators in the 1980s. The basic realization was that a good pseudorandom generator should pass all (efficient) statistical tests. That is, for any efficient statistical test (or distinguisher) D, the probability that D returns 1 when given the output of the pseudorandom generator should be close to the probability that D returns 1 when given a uniform string of the same length. Informally, then, the output of a pseudorandom generator should “look like” a uniform string to any efficient observer. (We stress that, formally speaking, it does not make sense to say that any fixed string is “pseudorandom,” in the same way that it is meaningless to refer to any fixed string as “random.” Rather, pseudorandomness is a property of a distribution on strings. Nevertheless, we sometimes informally call a string sampled according to the uniform distribution a “uniform string,” and a string output by a pseudorandom generator a “pseudorandom string.”)

Another perspective is obtained by defining what it means for a distribution to be pseudorandom. Let Dist be a distribution on ℓ-bit strings. (This means that Dist assigns some probability to every string in {0,1}^ℓ; sampling from Dist means that we choose an ℓ-bit string according to this probability distribution.) Informally, Dist is pseudorandom if the experiment in which a string is sampled from Dist is indistinguishable from the experiment in which a uniform string of length ℓ is sampled. (Strictly speaking, since we are in an asymptotic setting we need to speak of the pseudorandomness of a sequence of distributions Dist = {Dist_n}, where distribution Dist_n is used for security parameter n. We ignore this point in our current discussion.) More precisely, it should be infeasible for any polynomial-time algorithm to tell (better than guessing) whether it is given a string sampled according to Dist, or whether it is given a uniform ℓ-bit string. This means that a pseudorandom string is just as good as a uniform string, as long as we consider only polynomial-time observers. Just as indistinguishability is a computational relaxation of perfect secrecy, pseudorandomness is a computational relaxation of true randomness. (We will generalize this perspective when we discuss the notion of indistinguishability in Chapter 7.)

Now let G : {0,1}^n → {0,1}^ℓ be a function, and define Dist to be the distribution on ℓ-bit strings obtained by choosing a uniform s ∈ {0,1}^n and outputting G(s). Then G is a pseudorandom generator if and only if the distribution Dist is pseudorandom.

The formal definition. As discussed above, G is a pseudorandom generator if no efficient distinguisher can detect whether it is given a string output by G or a string chosen uniformly at random. As in Definition 3.9, this is formalized by requiring that every efficient algorithm outputs 1 with almost the same probability when given G(s) (for uniform seed s) or a uniform string. (For an equivalent definition analogous to Definition 3.8, see Exercise 3.5.) We obtain a definition in the asymptotic setting by letting the security parameter n determine the length of the seed. We then insist that G be computable by an efficient algorithm. As a technicality, we also require that G’s output be longer than its input; otherwise, G is not very useful or interesting.

DEFINITION 3.14 Let ℓ be a polynomial and let G be a deterministic polynomial-time algorithm such that for any n and any input s ∈ {0,1}^n, the result G(s) is a string of length ℓ(n). We say that G is a pseudorandom generator if the following conditions hold:

1. (Expansion:) For every n it holds that ℓ(n) > n.

2. (Pseudorandomness:) For any ppt algorithm D, there is a negligible function negl such that

    | Pr[D(G(s)) = 1] − Pr[D(r) = 1] | ≤ negl(n),

where the first probability is taken over uniform choice of s ∈ {0,1}^n and the randomness of D, and the second probability is taken over uniform choice of r ∈ {0,1}^ℓ(n) and the randomness of D.

We call ℓ the expansion factor of G.

We give an example of an insecure pseudorandom generator to gain familiarity with the definition.

Example 3.15 Define G(s) to output s followed by ⊕_{i=1}^{n} s_i, so the expansion factor of G is ℓ(n) = n + 1. The output of G can easily be distinguished from uniform. Consider the following efficient distinguisher D: on input a string w, output 1 if and only if the final bit of w is equal to the XOR of all the preceding bits of w.
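The following is an added worked example, not code from the textbook. It implements the generator G of Example 3.15 and the distinguisher D described just above, together with two of the 1940s-style statistical tests mentioned earlier in the section (the first-bit test and the parity of a fixed subset of output bits), and it computes the two probabilities in Definition 3.14 exactly by enumerating every seed s ∈ {0,1}^n and every r ∈ {0,1}^ℓ(n). The function names (`G`, `D_last_bit_is_parity`, `D_first_bit`, `subset_parity_test`, `distinguishing_gap`) and the toy seed length n = 8 are my own choices; n is kept small only so that full enumeration is cheap.

```python
"""
Added example (not from the textbook): Example 3.15's insecure PRG, the
distinguisher D from the text, two classical statistical tests, and an
exact evaluation of |Pr[D(G(s))=1] - Pr[D(r)=1]| from Definition 3.14.
"""
from fractions import Fraction
from itertools import product

Bits = tuple[int, ...]  # a bit string is represented as a tuple of 0/1 ints


def xor_all(bits: Bits) -> int:
    """Parity (XOR) of a sequence of bits."""
    parity = 0
    for b in bits:
        parity ^= b
    return parity


def G(s: Bits) -> Bits:
    """Example 3.15: G(s) = s || (s_1 XOR ... XOR s_n), so l(n) = n + 1."""
    return s + (xor_all(s),)


def D_last_bit_is_parity(w: Bits) -> int:
    """The distinguisher from the text: 1 iff the final bit of w equals
    the XOR of all the preceding bits of w."""
    return 1 if w[-1] == xor_all(w[:-1]) else 0


def D_first_bit(w: Bits) -> int:
    """Classical statistical test: 'is the first output bit 1?'"""
    return w[0]


def subset_parity_test(indices):
    """Classical statistical test: parity of a fixed subset of output positions.
    Returns a distinguisher that outputs that parity (1 iff the parity is 1)."""
    positions = tuple(indices)

    def D(w: Bits) -> int:
        return xor_all(tuple(w[i] for i in positions))

    return D


def distinguishing_gap(n: int, gen, dist, out_len: int):
    """Exactly compute (Pr[D(G(s))=1], Pr[D(r)=1], |difference|) as Fractions,
    with s uniform over {0,1}^n and r uniform over {0,1}^out_len.
    Enumeration is exact, so no sampling noise is involved."""
    p_gen = Fraction(sum(dist(gen(s)) for s in product((0, 1), repeat=n)), 2 ** n)
    p_uni = Fraction(sum(dist(r) for r in product((0, 1), repeat=out_len)), 2 ** out_len)
    return p_gen, p_uni, abs(p_gen - p_uni)


if __name__ == "__main__":
    n = 8  # toy seed length (assumption for the demo), so l(n) = 9
    tests = [
        ("first bit", D_first_bit),
        ("parity of positions 0,2", subset_parity_test((0, 2))),
        ("parity of all 9 output bits", subset_parity_test(range(n + 1))),
        ("last bit == XOR of rest", D_last_bit_is_parity),
    ]
    for name, D in tests:
        p_gen, p_uni, gap = distinguishing_gap(n, G, D, n + 1)
        print(f"{name:30s} Pr[D(G(s))=1]={p_gen!s:4} Pr[D(r)=1]={p_uni!s:4} gap={gap}")
```

Running the script shows the point of the section: G passes the first-bit test and the parity test on a small subset of positions with a gap of exactly 0, yet the distinguisher D from the text outputs 1 on every output of G and on only half of all uniform strings, a gap of 1/2 that no negligible function can absorb. The parity of all ℓ(n) output bits, one of the “fixed subset” tests the section mentions, breaks G just as decisively, since that parity is always 0 for G(s) and is 1 with probability 1/2 for a uniform string.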