Abstract
We show a general compiler that transforms a large class of erroneous cryptographic schemes (such as publickey encryption, indistinguishability obfuscation, and secure multiparty computation schemes) into perfectly correct ones. The transformation works for schemes that are correct on all inputs with probability noticeably larger than half, and are secure under parallel repetition. We assume the existence of oneway functions and of functions with deterministic (uniform) time complexity \(2^{O(n)}\) and nondeterministic circuit complexity \(2^{\Omega (n)}\). Our transformation complements previous results that showed how publickey encryption and indistinguishability obfuscation that err on a noticeable fraction of inputs can be turned into ones that for all inputs are often correct, showing that they can be made perfectly correct. The technique relies on the idea of “reverse randomization” [Naor, Crypto 1989] and on Nisan–Wigderson style derandomization, previously used in cryptography to remove interaction from witnessindistinguishable proofs and commitment schemes [Barak, Ong and Vadhan, Crypto 2003].
Introduction
Randomized algorithms are often faster and simpler than their stateoftheart deterministic counterparts, yet, by their very nature, they are errorprone. This gap has motivated a rich study of derandomization, where a central avenue has been the design of pseudorandom generators [8, 28, 31] that could offer one universal solution for the problem. This has led to surprising results, intertwining cryptography and complexity theory, and culminating in a derandomization of \(\mathbf {BPP}\) under worstcase complexity assumptions, namely the existence of functions in \(\mathbf{E}=\mathbf{Dtime}(2^{O(n)})\) with worstcase circuit complexity \(2^{\Omega (n)}\) [24, 28].
For cryptographic algorithms, the picture is somewhat more subtle. Indeed, in cryptography, randomness is almost always necessary to guarantee any sense of security. While many cryptographic schemes are perfectly correct even if randomized, some do make errors. For example, in some encryption algorithms, notably the latticebased ones [1, 29], most but not all ciphertexts can be decrypted correctly. Here, however, we cannot resort to general derandomization, as a (completely) derandomized version will most likely be totally insecure.
It gets worse. While for general algorithms infrequent errors are tolerable in practice, for cryptographic algorithms, errors can be (and have been) exploited by adversaries (see [4] and a long line of followup works). Thus, the question of eliminating errors is ever more important in the cryptographic context. This question was addressed in a handful of special contexts in cryptography. In the context of interactive proofs, [16, 19] show how to turn any interactive proof into one with perfect completeness. In the context of encryption schemes, Goldreich, Goldwasser, and Halevi [17] showed how to partially eliminate errors from latticebased encryption schemes [1, 29]. Subsequent works, starting from that of Dwork, Naor and Reingold [15], show how to partially eliminate errors from any encryption scheme [23, 26]. Here, “partial” refers to the fact that they eliminate errors from the encryption and decryption algorithms, but not the key generation algorithm. That is, in their final immunized encryption scheme, it could still be the case that there are bad keys that always cause decryption errors. In the context of indistinguishability obfuscation (IO), Bitansky and Vaikuntanathan [11] show how to partially eliminate errors from any IO scheme. Concretely, assuming subexponential hardness of learning with errors (LWE) [29], they show how to convert any subexponentially secure IO scheme that might err on a fraction of the inputs into one that is correct on all inputs, with high probability over the coins of the obfuscator. This was improved by Ananth, Jain, and Sahai [2] who base the result on polynomial hardness and oneway functions instead of LWE.
This Work We show how to completely immunize a large class of cryptographic algorithms, turning them into algorithms that make no errors at all. Our most general result concerns cryptographic algorithms (or protocols) that are “secure under parallel repetition.” We show:
Theorem 1.1
(Informal) Assume that oneway functions exist and functions with deterministic (uniform) time complexity \(2^{O(n)}\) and nondeterministic circuit complexity \(2^{\Omega (n)}\) exist. Then, any encryption scheme, indistinguishability obfuscation scheme, and multiparty computation protocol that is secure under parallel repetition can be completely immunized against errors.
More precisely, we show that perfect correctness is guaranteed when the transformed scheme or protocol is executed honestly. The security of the transformed scheme or protocol is inherited from the security of the original scheme under parallel repetition. In the default setting of encryption and obfuscation schemes, encryption and obfuscation are always done honestly, and security under parallel repetition is well known to be guaranteed automatically. Accordingly, we obtain the natural notion of perfectly correct encryption and obfuscation. In contrast, in the setting of MPC, corrupted parties may in general affect any part of the computation. In particular, in the case of corrupted parties, the transformed protocol does not provide a better correctness guarantee, but only the same correctness guarantees as the original (repeated) protocol.
We find that perfect correctness is a natural requirement and the ability to generically achieve it for a large class of cryptographic schemes is aesthetically appealing. In addition, while in many applications almost perfect correctness may be sufficient, some applications do require perfectly correct cryptographic schemes. For example, using publickey encryption as a commitment scheme requires perfect correctness, the construction of noninteractive witnessindistinguishable proofs in [10] requires a perfectly correct indistinguishability obfuscation, and the construction of 3message zero knowledge against uniform verifiers [3] requires perfectly correct delegation schemes.
Our tools, perhaps unsurprisingly given the above discussion, come from the area of derandomization, in particular, we make heavy use of Nisan–Wigderson (NW) type pseudorandom generators. Such NWgenerators were previously used by Barak, Ong, and Vadhan [9] to remove interaction from commitment schemes and ZAPs. We use it here for a different purpose, namely to immunize cryptographic algorithms from errors. Below, we elaborate on the similarities and differences.
The Basic Idea
We briefly explain the basic idea behind the transformation, focusing on the case of publickey encryption. Imagine that we have an encryption scheme given by randomized keygeneration and encryption algorithms, and a deterministic decryption algorithm \(({\mathsf {Gen}},{\mathsf {Enc}},{\mathsf {Dec}})\), where for any message \(m\in \{0,1\}^n\), there is a tiny decryption error:
Can we deterministically choose “good randomness” \((r_g,r_e)\) that leads to correct decryption? This question indeed seems analogous to the question of derandomizing \(\mathbf{BPP}\). There, the problem can be solved using Nisan–Wigderson type pseudorandom generators [28]. Such generators can produce a \(\mathrm{poly}(n)\)long pseudorandom string using a short random seed of length \(d(n)=O(\log n)\). They are designed to fool distinguishers of some prescribed polynomial size t(n) and may run in time \(2^{O(d)} \gg t\). Derandomization of the \(\mathbf{BPP}\) algorithm is then simply done by enumerating over all \(2^{d}=n^{O(1)}\) seeds and taking the majority.
We can try to use NWtype generators to solve our problem in a similar way. However, the resulting scheme would not be secure – indeed, it will be deterministic, which means it cannot be semantically secure [18]. To get around this, we use the idea of reverse randomization from [14, 15, 25, 27]. For each possible seed \(i \in \{0,1\}^d\) for the NWgenerator \({\mathsf {NW}}{\mathsf {PRG}}\), we derive corresponding randomness
Here \({\mathsf {BMY}}{\mathsf {PRG}}\) is a BlumMicaliYao (a.k.a cryptographic) pseudorandom generator [7, 32], and the seeds \((s_g^i,s_e^i)\in \{0,1\}^{\ell }\) are chosen independently for every i, with the sole restriction that their image is sparse enough (say, they are of total length \(\ell = n/2\)). Encryption and decryption for any given message are now done in parallel with respect to all \(2^d\) copies of the original scheme, where the final result of decryption is defined to be the majority of the \(2^d\) decrypted messages.
Security is now guaranteed by the BMYtype generators and the fact that publickey encryption can be securely performed in parallel. Crucially, the pseudorandomness of BMY strings is guaranteed despite the fact that their image forms a sparse set. The fact that the set of BMY string is sparse will be used to the perfect correctness of the scheme. In particular, when shifted at random, this set will evade the (tiny) set of “bad randomness” (that lead to decryption errors) with high probability \(12^{\ell n}\ge 12^{n/2}\).
In the actual construction, the image is not shifted truly at random, but rather by an NWpseudorandom string, and we would like to argue that this suffices to get the desired correctness. To argue that NWpseudorandomness is enough, we need to show that with high enough probability (say 0.51) over the choice of the NW string, the shifted image of the BMY generator still evades “bad randomness.” This last property may not be efficiently testable deterministically, but can be tested nondeterministically in fixed polynomial time, by guessing the seeds for the BMY generator that would lead to bad randomness. We accordingly rely on NW generators that fool nondeterministic circuits. Such pseudorandom generators are known under the worst case assumption that there exist functions in \(\mathbf{E}\) with nondeterministic circuit complexity \(2^{\Omega (n)}\) [30].
Related Work on Derandomization in Cryptography
Barak, Ong, and Vadhan [9] were the first to demonstrate how NWtype derandomization can be useful in cryptography. They showed how NW generators can be used to derandomize Naor’s commitments [27] and Dwork and Naor’s ZAPs [14]. In Sect. 3.1, we discuss in further detail the relation and differences between their work and this work.
Subsequently, Barak, Lindell, and Vadhan [6] used NW generators to obtain a lower bound for 2message publiccoin (plain) zeroknowledge proofs.
Organization In Sect. 2, we give the required preliminaries. Section 3 presents the transformation itself. In Sect. 4, we discuss several examples of interest where the transformation can be applied.
Preliminaries
In this section, we give the required preliminaries, including standard computational concepts, cryptographic schemes and protocols, and the derandomization tools that we use.
Standard Computational Concepts
We recall standard computational concepts concerning Turing machines and Boolean circuits.

By algorithm we mean a uniform Turing machine. We say that an algorithm is \(\hbox {PPT}\) if it is probabilistic and polynomial time.

A polynomialsize circuit family \({\mathcal {C}}\) is a sequence of circuits \({\mathcal {C}}=\left\{ {C_\lambda }\right\} _{\lambda \in {\mathbb {N}}}\), such that each circuit \(C_\lambda \) is of polynomial size \(\lambda ^{O(1)}\) and has \(\lambda ^{O(1)}\) input and output bits.

We follow the standard habit of modeling any efficient adversary strategy \({\mathcal {A}}\) as a family of polynomialsize circuits. For an adversary \({\mathcal {A}}\) corresponding to a family of polynomialsize circuits \(\left\{ {{\mathcal {A}}_\lambda }\right\} _{\lambda \in {\mathbb {N}}}\), we often omit the subscript \(\lambda \), when it is clear from the context. For simplicity, we shall simply call such an adversary a polynomialsize adversary.

We say that a function \(f:{\mathbb {N}}\rightarrow {\mathbb {R}}\) is negligible if it decays asymptotically faster than any polynomial.

Two ensembles of random variables \({\mathcal {X}}=\{X_{\lambda }\}_{\lambda \in {\mathbb {N}}}\) and \({\mathcal {Y}}=\{Y_{\lambda }\}_{\lambda \in {\mathbb {N}}}\) are said to be computationally indistinguishable, denoted by \({\mathcal {X}}\approx _c {\mathcal {Y}}\), if for all polynomialsize distinguishers \({\mathcal {D}}\), there exists a negligible function \(\nu \) such that for all \(\lambda \),
$$\begin{aligned} \left {\Pr [{\mathcal {D}}(X_\lambda )=1]  \Pr [{\mathcal {D}}(Y_\lambda )=1]}\right \le \nu (\lambda ). \end{aligned}$$
Cryptographic Schemes and Rotocols
We consider a simple model of cryptographic schemes and protocols that will allow to describe the transformation generally. In Sect. 4, we give several examples of such schemes and protocols.
Executions: Let \(\lambda \) be a security parameter and let \(m=m(\lambda ),n=n(\lambda ),\ell =\ell (\lambda )\) be polynomially bounded functions. An (honest) execution of an mparty scheme (or protocol) \(\Pi \) involves interaction between m \(\hbox {PPT}\) parties with inputs \((x_1,\dots ,x_m)\in \{0,1\}^{n\times m}\) and randomness \((r_1,\dots ,r_m)\in \{0,1\}^{\ell \times m}\), at the end of which they each produce outputs \((y_1,\dots ,y_m)\in \{0,1\}^{n\times m}\). Abstracting out, we will think of \(\Pi \) as a single \(\hbox {PPT}\) process that runs in some fixed polynomial time and denote it by \(y \leftarrow \Pi (1^\lambda ,x,r)\), where \(x=(x_1,\dots ,x_m),y=(y_1,\dots , y_m)\), and \(r=(r_1,\dots ,r_m)\).
Definition 2.1
(\((1\alpha )\)Correctness) Let \(f:\{0,1\}^{n\times m}\rightarrow \{0,1\}^{n \times m}\) be a polynomialtime computable function. \(\Pi \) computes f \((1\alpha )\)correctly if for any \(\lambda \) and any \(x \in \{0,1\}^{n\times m}\),
Repeated Executions For a function \(k=k(\lambda )\), inputs \(x = (x_1,\dots ,x_m)\in \{0,1\}^{n\times m}\) and randomness \(r=(r_{ij})_{i\in [m],j\in [k]}\), where \(r_{i,j} \in \{0,1\}^{\ell }\), the repeated execution \(y\leftarrow \Pi _{\otimes k}(1^\lambda ,x,r)\) consists of executing \(\Pi (1^\lambda ,x,r_1),\dots ,\Pi (1^\lambda ,x,r_k)\), where \(r_j = (r_{1j},\dots ,r_{mj})\), in parallel and obtaining the corresponding outputs, namely, \(y=(y_{ij})_{i\in [m],j\in [k]}\).
NW and BMY PRGs
We now define the basic tools required for the main transformation — NWtype PRGs [28] and BMYtype PRGs [7, 32]. The transformation itself is given in the next section.
Definition 2.2
(Nondeterministic Circuits) A nondeterministic Boolean circuit \(C(x,w)\) takes x as a primary input and w as a witness. We define \(C(x) := 1\) if and only if there exists w such that \(C(x,w)=1\).
Definition 2.3
(NWType PRGs against Nondeterministic Circuits) An algorithm \({\mathsf {NW}}{\mathsf {PRG}}:\{0,1\}^{d(n)} \rightarrow \{0,1\}^{n}\) is an NWgenerator against nondeterministic circuits of size t(n) if it is computable in time \(2^{O(d(n))}\) and any nondeterministic circuit C of size at most t(n) distinguishes \(U\leftarrow \{0,1\}^{n}\) from \({\mathsf {NW}}{\mathsf {PRG}}(s)\), where \(s \leftarrow \{0,1\}^{d(n)}\), with advantage at most 1/t(n).
We shall rely on the following theorem by Shaltiel and Umans [30] regarding the existence NWtype PRGs as above assuming worstcase hardness for nondeterministic circuits.
Theorem 2.4
([30]) Assume there exists a function \(f:\{0,1\}^n\rightarrow \{0,1\}\) in \(\mathbf{E}=\mathbf{Dtime}(2^{O(n)})\) with nondeterministic circuit complexity \(2^{\Omega (n)}\). Then, for any polynomial \(t(\cdot )\), there exists an NWgenerator against nondeterministic circuits of size t(n) \({\mathsf {NW}}{\mathsf {PRG}}:\{0,1\}^{d(n)} \rightarrow \{0,1\}^{n}\), where \(d(n)=O(\log n)\).
We remark that the above is a worstcase assumption in the sense that the function f needs to be hard in the worstcase (and not necessarily in the averagecase). The assumption can be seen as a natural generalization of the assumption that \(\mathbf{EXP} \not \subseteq \mathbf{NP}\). We also note that there is a universal candidate for the corresponding PRG, by instantiating the hard function with any \(\mathbf{E}\)complete language under linear reductions. See further discuss in [9].
We now define BMYtype (a.k.a cryptographic) PRGs.
Definition 2.5
(BMYType PRGs) An algorithm \({\mathsf {BMY}}{\mathsf {PRG}}:\{0,1\}^{d(n)} \rightarrow \{0,1\}^{n}\) is a BMYgenerator if it is computable in time \(\mathrm{poly}(d(n))\) and any polynomialsize adversary distinguishes \(U\leftarrow \{0,1\}^{n}\) from \({\mathsf {BMY}}{\mathsf {PRG}}(s)\), where \(s \leftarrow \{0,1\}^{d(n)}\), with negligible advantage \(n^{\omega (1)}\).
Theorem 2.6
([22]) BMYtype pseudorandom generators can be constructed from any oneway function.
The ErrorRemoving Transformation
We now describe a transformation from any \((1\alpha )\)correct scheme \(\Pi \) for a function f into a perfectly correct one. For a simpler exposition, we restrict attention to the case that the error \(\alpha \) is tiny. We later show how this restriction can be removed.
Ingredients. In the following, let \(\lambda \) be a security parameter, let \(m=m(\lambda ),n=n(\lambda ),\ell =\ell (\lambda )\) be polynomials, and \(\alpha =\alpha (\lambda )\le 2^{\lambda m2}\). We rely on the following:

A \((1\alpha )\)correct scheme \(\Pi \) computing \(f:\{0,1\}^{n\times m} \rightarrow \{0,1\}^{n\times m}\) where each party uses randomness of length \(\ell \).

A BMYtype pseudorandom generator \({\mathsf {BMY}}{\mathsf {PRG}}:\{0,1\}^{\lambda }\rightarrow \{0,1\}^{\ell }\).

An NWtype pseudorandom generator \({\mathsf {NW}}{\mathsf {PRG}}:\{0,1\}^{d} \rightarrow \{0,1\}^{\ell \times m}\) against nondeterministic circuits of size \(t=t(\lambda )\), where t and d depend on the parameters \(m,n,\ell ,\Pi ,f,{\mathsf {BMY}}{\mathsf {PRG}}\), \(t=\lambda ^{O(1)}\), \(d(\lambda )=O(\log \lambda )\), and will be specified later on. We shall denote \(k=2^d\).
The New Scheme:
Given security parameter \(1^\lambda \) and input \(x \in \{0,1\}^{n\times m}\):

1.
Randomness Generation: Each party \(i\in [m]\)

samples k BMY strings \((r^{{\mathsf {BMY}}}_{i1},\dots ,r^{{\mathsf {BMY}}}_{ik})\), where \(r^{\mathsf {BMY}}_{ij} = {\mathsf {BMY}}{\mathsf {PRG}}(s_{ij})\) and \(s_{ij} \leftarrow \{0,1\}^{\lambda }\).

computes (all) k NW strings \((r^{{\mathsf {NW}}}_{1},\dots ,r^{{\mathsf {NW}}}_{k})\), where \(r^{{\mathsf {NW}}}_{j} ={\mathsf {NW}}{\mathsf {PRG}}(j)\), and derives \((r^{{\mathsf {NW}}}_{i1},\dots ,r^{{\mathsf {NW}}}_{ik})\), where \(r_{ij}\) is the ith \(\ell \)bit block of \(r^{{\mathsf {NW}}}_{j}\).

compute \(r_{i1},\dots ,r_{ik}\) where \(r_{ij} =r^{{\mathsf {BMY}}}_{ij}\oplus r^{{\mathsf {NW}}}_{ij}\).


2.
Emulating the Parallel Scheme:

the parties emulate the repeated scheme \(\Pi _{\otimes k}(1^\lambda ,x,r)\), with randomness \(r=(r_{ij})_{i\in [m],j\in [k]}\).

each party i obtains outputs \((y_{i1},\dots ,y_{ik})\), and in turn computes and outputs \(y_i =\mathsf {majority}(y_{i1},\dots ,y_{ik})\).

Correctness. We now turn to show that the new scheme is perfectly correct.
Proposition 3.1
The new scheme is perfectly correct.
Proof
We first note that had \(r^{\mathsf {NW}}\) been chosen at truly random (instead of using \({\mathsf {NW}}{\mathsf {PRG}}\)) then for any input, with high probability over the choice of \(r^{\mathsf {NW}}\), the corresponding scheme would have been perfectly correct.
Claim 3.1
For any \(\lambda \in {\mathbb {N}}\) and \(x\in \{0,1\}^{n\times m}\),
where \(r_s^{\mathsf {BMY}}=\left( {\mathsf {BMY}}{\mathsf {PRG}}(s_1),\dots ,{\mathsf {BMY}}{\mathsf {PRG}}(s_m)\right) \).
Proof
Fixing any such \(\lambda \), x, and \(s=(s_1,\dots ,s_m)\), the string \(r = r_s^{\mathsf {BMY}}\oplus r^{\mathsf {NW}}\) is distributed uniformly at random. In this case, the scheme is guaranteed to err with probability at most \(\alpha \le 2^{\lambda m}/4\). The claim now follows by taking a union bound over all \(2^{ \lambda m}\) tuples \(s_1,\dots ,s_m\). \(\square \)
We now claim that a similar property holds with roughly the same probability when \(r^{\mathsf {NW}}\) is pseudorandom as in the actual transformation.
Claim 3.2
For any \(\lambda \in {\mathbb {N}}\) and \(x\in \{0,1\}^{n\times m}\),
where \(r_s^{\mathsf {BMY}}= \left( {\mathsf {BMY}}{\mathsf {PRG}}(s_1),\dots , {\mathsf {BMY}}{\mathsf {PRG}}(s_m)\right) \) and \(r_j^{\mathsf {NW}}= {\mathsf {NW}}{\mathsf {PRG}}(j)\).
Proof
Assume toward contradiction that the claim does not hold for some \(\lambda \in {\mathbb {N}}\) and \(x\in \{0,1\}^{n\times m}\). We construct a nondeterministic distinguisher that breaks \({\mathsf {NW}}{\mathsf {PRG}}\). The distinguisher has the input x hardwired. Given \(r^{\mathsf {NW}}\), it nondeterministically guesses \(s_1,\dots ,s_m\), computes \(r^{\mathsf {BMY}}=({\mathsf {BMY}}{\mathsf {PRG}}(s_1), \dots ,{\mathsf {BMY}}{\mathsf {PRG}}(s_m))\), \(r=r^{\mathsf {NW}}\oplus r^{\mathsf {BMY}}\), and checks whether \(f(x) \ne \Pi (1^\lambda ,x,r)\). As we just proved in the previous claim, when \(r^{\mathsf {NW}}\) is truly random, such a witness \(s_1,\dots ,s_m\) exists with probability at most 1/4, whereas, by our assumption toward contradiction, when \(r^{\mathsf {NW}}\) is pseudorandom such a witness exists with probability larger than \(\frac{1}{t}+\frac{1}{4}\).
The size of the above distinguisher is some fixed polynomial \(t'(\lambda )\) that depends only on \(m,n,\ell \) and the time required to compute \(\Pi ,f,{\mathsf {BMY}}{\mathsf {PRG}}\). Thus, in the construction we choose \(t>\max \left( {t',8}\right) \), meaning that the constructed distinguisher indeed breaks \({\mathsf {NW}}{\mathsf {PRG}}\). \(\square \)
With the last claim, we now conclude the proof of Proposition 3.1. Indeed, for any input x, when emulating the kfold repetition \(\Pi _{\otimes k}(1^\lambda ,x,r)\), the randomness used for the jth copy \(\Pi (1^\lambda ,x,r_j)\) is \(r_j = r^{\mathsf {NW}}_j \oplus r_{s_j}^{\mathsf {BMY}}\) where \(r^{\mathsf {NW}}_j={\mathsf {NW}}{\mathsf {PRG}}(j)\) and \(r^{\mathsf {BMY}}_{s_j}=({\mathsf {BMY}}{\mathsf {PRG}}(s_{j1}),\dots ,{\mathsf {BMY}}{\mathsf {PRG}}(s_{j1}))\). By the last claim, for all but a \(\frac{1}{4}+\frac{1}{t}\le \frac{3}{8}\) fraction of the \({\mathsf {NW}}\)seeds j, any choice of \({\mathsf {BMY}}\)seeds \(s_j\) yields the correct result \(y_j=f(x)\) in the corresponding execution \(\Pi (1^\lambda ,x,r_j)\). In particular, it is always the case that the majority of executions results in \(y=f(x)\), as required. \(\square \)
Security. We now observe that the randomness generated according to the transformation is indistinguishable from real randomness. Intuitively, this means that if the original scheme was secure under parallel repetition, when the honest parties use real randomness, it will remain as secure when using randomness generated according to the transformation. Examples are given in the next section.
Concretely, we consider two distributions \(r^{\mathsf {tra}}\) and \(r^{\mathsf {uni}}\) on randomness for the parties in \(\Pi _{\otimes k}\):

1.
In \(r^{\mathsf {tra}}= \left( r^{\mathsf {tra}}_{ij}: i\in [m],j\in [k]\right) \), each \(r^{\mathsf {tra}}_{ij}\) is computed as in the above transformation; namely \(r_{ij} = r_{ij}^{\mathsf {BMY}}\oplus r_{ij}^{\mathsf {NW}}\), where \(r_{i,j}^{\mathsf {BMY}}={\mathsf {BMY}}{\mathsf {PRG}}(s_{ij})\) for a random seed \(s_{ij} \leftarrow \{0,1\}^{\lambda }\) and \(r_{ij}^{\mathsf {NW}}\) is the ith \(\ell \)bit block of \({\mathsf {NW}}{\mathsf {PRG}}(j)\).

2.
In \(r^{\mathsf {uni}}= \left( r^{\mathsf {uni}}_{ij}: i\in [m],j\in [k]\right) \), each \(r^{\mathsf {uni}}_{ij}\) is sampled uniformly at random, namely \(r^{\mathsf {uni}}_{ij}\leftarrow \{0,1\}^\ell \).
Proposition 3.2
\(r^{\mathsf {tra}}\) and \(r^{\mathsf {uni}}\) are computationally indistinguishable.
Proof
By the security of the BMY PRG, for any i, j:
Since \(r_{ij}^{\mathsf {tra}}\) (respectively, \(r_{ij}^{\mathsf {uni}}\)) is generated independently from all other \(r_{i'j'}^{\mathsf {tra}}\) (respectively \(r_{i'j'}^{\mathsf {uni}}\)), the proposition follows by a standard hybrid argument. \(\square \)
Removing the Assumption Regarding Tiny Error Above we assumed that \(\alpha (\lambda ) \le 2^{\lambda m2}\). We now show how to remove this assumption using standard amplification by parallel repetition. For completeness, we explicitly describe the transformation.
Ingredients In the following, let \(\lambda \) be a security parameter, let \(m=m(\lambda ),n=n(\lambda ),\ell =\ell (\lambda )\) be polynomials, and \(\eta =\lambda ^{O(1)}\), and let \(k' = 3\lambda m \eta ^{2}\). Let \(\Pi \) be a \((1/2+\eta )\)correct scheme computing \(f:\{0,1\}^{n\times m} \rightarrow \{0,1\}^{n\times m}\) where each party uses randomness of length \(\ell \).
The New Scheme:
Given security parameter \(1^\lambda \) and input \(x \in \{0,1\}^{n\times m}\):

1.
Randomness Generation: Each party \(i\in [m]\)

samples \(k'\) random strings \((r_{i1},\dots ,r_{ik'})\), where \(r_{ij} \leftarrow \{0,1\}^{\ell }\).


2.
Emulating the Parallel Scheme:

the parties emulate the repeated scheme \(\Pi _{\otimes k'} (1^\lambda ,x,r)\), with randomness \(r=(r_{ij})_{i\in [m],j\in [k']}\).

each party i obtains outputs \((y_{i1},\dots ,y_{ik'})\), and in turn computes and outputs \(y_i =\mathsf {majority}(y_{i1},\dots ,y_{ik'})\).

Proposition 3.3
The new scheme is \((12^{\lambda m2})\)correct.
Proof
By a Chernoff–Hoeffding bound, each party i obtains the correct output \(y_i\), except with probability \(2^{6\lambda m}\). By a union bound all m parties obtain the correct outputs \((y_1,\dots ,y_m)\), except with probability \(m 2^{6\lambda m} < 2^{\lambda m 2}\), as required. \(\square \)
The Combination of the Two Steps We observe that the combination of the two steps also has a simple form of a parallel execution using specially crafted randomness that is pseudorandom. This will be used in the next section to prove security for specific examples in which security under parallel repetition is guaranteed.
Specifically, when combining the two steps, the final transformed scheme \(\Pi ^{\mathsf {tra}}\) consists of three highlevel steps:

1.
Each party i locally generates randomness \(r^{\mathsf {tra}}_{i,j}\) for \(j\in [K]\), where \(K = k\times k'\).

2.
The parties emulate the repeated scheme \(\Pi _{\otimes K}(1^\lambda ,x,r)\) where \(r^{\mathsf {tra}}=(r^{\mathsf {tra}}_{ij})_{i\in [m],j\in [K]}\).

3.
Each party i obtains outputs \((y_{i1},\dots ,y_{iK})\) and performs a local postprocessing step to obtain its final output \(y_i\).
By Proposition 3.2\(r^{\mathsf {tra}}\) is pseudorandom.
Relation to the Work of Barak, Ong, and Vadhan
Barak, Ong, and Vadhan [9] use NW generators to derandomize Naor’s commitments [27] and Dwork and Naor’s ZAPs [14]. In these applications, “reverse randomization” is already encapsulated in the constructions of ZAPs and commitments that they start from, and they show that “the random shift” can be derandomized, using the fact that ZAPs and commitments are secure under parallel repetition. Barak, Ong, and Vadhan were not interested in the correctness of a specific computation per se, but rather in the existence of an “incorrect object”, namely an accepting proof for a false statement in ZAPs, or a commitment with two inconsistent openings.
In their applications, it is in fact enough to use hittingset generators rather than pseudorandom generators. Such generators only guarantee to hit any set of large density that can be recognized by circuits of some prescribed size. (The density of corresponding seeds just has to be positive, and not necessarily large.) Intuitively, the reason that hittingset generators are enough for their applications is that they only need to deal with a onesided error. For example, in a ZAP system, one already assumes that true statements are always accepted by the verifier, so when derandomizing they only need to recognize false statements. This is analogous to having an encryption system that is always correct on encryptions of zero, but may make mistakes on encryptions of one. We note, however, that as an assumption, hitting set generators (against nondeterministic circuits) are sufficient for constructing corresponding pseudorandom generators (against nondeterministic circuits), since they directly imply required hard functions (see further discussion in [21]).
We note that for the case of bit commitments, Barak, Ong, and Vadhan settle for (hittingset) generators against uniform distinguishers. We can also rely on (pseudorandom) generators against uniform distinguishers for some specific applications such as correcting errors in bit encryption; however, in general (e.g., for indistinguishability obfuscation), we need to deal with nonuniform distinguishers. Roughly speaking, uniform indistinguishability is sufficient only in cases where the input space can be uniformly enumerated in polynomial time, which is indeed the case for bit commitments or bit encryption, where the inputs are only zero and one.
Examples of Interest
We now discuss three examples of interest.
PublicKey Encryption
Our first example concerns publickey encryption. We start by recalling the definition.
Definition 4.1
(PublicKey Encryption) For a message space \({\mathcal {M}}\), and function \(\alpha (\cdot )\le 1\), a triple of algorithms \(({\mathsf {Gen}},{\mathsf {Enc}},{\mathsf {Dec}})\), where the first two are \(\hbox {PPT}\) and third is deterministic polynomialtime, is said to be a publickey encryption scheme for \({\mathcal {M}}\) with \((1\alpha )\)correctness if it satisfies:

1.
\((1\alpha )\)Correctness: for any \(m\in {\mathcal {M}}\) and security parameter \(\lambda \),
$$\begin{aligned} \Pr _{{\mathsf {Gen}},{\mathsf {Enc}}}\left[ {\mathsf {Dec}}_{sk}({\mathsf {Enc}}_{pk}(m)) =m\; \vert \; (pk,sk) \leftarrow {\mathsf {Gen}}(1^\lambda )\right] \ge 1\alpha (\lambda ) \, . \end{aligned}$$ 
2.
Semantic security: for any polynomialsize distinguisher \({\mathcal {D}}\) there exists a negligible function \(\mu (\cdot )\), such that for any two messages \(m ,m'\in {\mathcal {M}}\) of the same size:
$$\begin{aligned} \left \Pr [{\mathcal {D}}({\mathsf {Enc}}_{pk}(m))=1]\Pr [{\mathsf {Enc}}_{pk}(m'))=1]\right \le \mu (\lambda )\, , \end{aligned}$$where the probability is over the coins of \({\mathsf {Enc}}\) and the choice of pk sampled by \({\mathsf {Gen}}(1^\lambda )\).
Applying the Transformation Publickey encryption can be modeled as a threeparty scheme \(\Pi \) consisting of a generator, an encryptor, and a decryptor. The generator has no input and uses its randomness \(r_1\) to generate pk and sk, which are sent to the encryptor and decryptor, respectively. The encryptor has as input a message m and uses its randomness \(r_2\) in order to generate an encryption \({\mathsf {Enc}}_{pk}(m;r_2)\), which is sent to the decryptor. The decryptor has no input nor randomness, it uses the secret key to decrypt and outputs the decrypted message. (In this case the function computed by \(\Pi \) is \(f(\bot ,m,\bot )=(\bot ,\bot ,m)\).)
In the repeated scheme \(\Pi _{\otimes K}\), the generator \({\mathsf {Gen}}(1^\lambda ;r_{1j})\) is applied K independent times, with fresh randomness \(r_{1j}\) for each \(j\in [K]\), to generate corresponding keys \(pk =\left\{ {pk_j}\right\} , sk =\left\{ {sk_j}\right\} \). Encryption involves K independent encryptions:
As defined in Sect. 3, when applying the errorremoval transformation, the randomness \(r=\left( r_{ij}: i \in [2],j\in [K]\right) \) is sampled according to \(r^{\mathsf {tra}}\) instead of truly at random according to \(r^{\mathsf {uni}}\). Decryption is done by decrypting each encryption with the corresponding \(sk_j\) and postprocessing the K results as prescribed by the transformation.
Claim 4.1
If \(\Pi = ({\mathsf {Gen}},{\mathsf {Enc}},{\mathsf {Dec}})\) is \((1/2+\eta )\)correct, for some \(\eta = \lambda ^{O(1)}\), then the new publickey encryption scheme given by \(\Pi ^{\mathsf {tra}}\) is secure and perfectly correct.
Proof
The correctness of the new scheme given by the transformation, follows directly from Proposition 3.1. We next observe that the new scheme is also secure. Concretely, for any (infinite sequence of) two messages \(m,m'\in {\mathcal {M}}\),
The first and last indistinguishability relations follow directly from Proposition 3.2. The fact that \({\mathsf {Enc}}^{\otimes K}_{pk}(m;r^{\mathsf {uni}}_2)\approx _c {\mathsf {Enc}}^{\otimes K}_{pk}(m';r^{\mathsf {uni}}_2)\) follows from the semantic security of the underlying encryption scheme, which is known to be preserved under multiple encryptions (see, e.g., [20]). \(\square \)
In [15], Dwork, Naor, and Reingold show how publickey encryption where decryption errors may even occur for a large fraction of messages, can be transformed into ones that only have a tiny decryption error over the randomness of the scheme. Applying our transformation, we can further turn such schemes into perfectly correct ones.
Indistinguishability Obfuscation
Our second example concerns indistinguishability obfuscation (IO) [5]. We start by recalling the definition.
Definition 4.2
(Indistinguishability Obfuscation) For a class of circuits \({\mathcal {C}}\), and function \(\alpha (\cdot )\le 1\), a \(\hbox {PPT}\) algorithm \({\mathcal {O}}\) is said to be an indistinguishability obfuscator for \({\mathcal {C}}\) with \((1\alpha )\)correctness if it satisfies:

1.
\((1\alpha )\)Correctness: for any \(C\in {\mathcal {C}}\) and security parameter \(\lambda \),
$$\begin{aligned} \Pr _{{\mathcal {O}}}\left[ \forall x: {\mathcal {O}}(C,1^\lambda )(x)=C(x)\right] \ge 1\alpha (\lambda ) \, . \end{aligned}$$ 
2.
Indistinguishability: for any polynomialsize distinguisher \({\mathcal {D}}\) there exists a negligible function \(\mu (\cdot )\), such that for any two circuits \(C,C'\in {\mathcal {C}}\) that compute the same function and are of the same size:
$$\begin{aligned} \left \Pr [{\mathcal {D}}({\mathcal {O}}(C,1^\lambda ))=1] \Pr [{\mathcal {D}}({\mathcal {O}}(C',1^\lambda ))=1]\right \le \mu (\lambda )\, , \end{aligned}$$where the probability is over the coins of \({\mathcal {D}}\) and \({\mathcal {O}}\).
Applying the Transformation IO can be modeled as a twoparty scheme \(\Pi \) consisting of an obfuscator and an evaluator. The obfuscator has as input a circuit C and uses its randomness \(r_1\) in order to create an obfuscated circuit \(\widetilde{C} = {\mathcal {O}}(C,1^\lambda ;r_1)\), which is sent to the evaluator. The evaluator has an input x for the circuit, and no randomness, it computes \(\widetilde{C}(x)\) and outputs the result. (In this case the function computed by \(\Pi \) is \(f(C,x)=(\bot ,C(x))\).)
In the repeated scheme \(\Pi _{\otimes K}\), obfuscation involves K independent obfuscations:
As defined in Sect. 3, when applying the errorremoval transformation, the randomness \(r=\left( r_{1j}: j \in [K]\right) \) is sampled according to \(r^{\mathsf {tra}}\) instead of truly at random according to \(r^{\mathsf {uni}}\). Evaluation for input x is done by running each obfuscated circuit on the input x and postprocessing the K results as prescribed by the transformation.
Claim 4.2
If \(\Pi = {\mathcal {O}}\) is \((1/2+\eta )\)correct, for some \(\eta = \lambda ^{O(1)}\), then the new indistinguishability obfuscation scheme given by \(\Pi ^{\mathsf {tra}}\) is secure and perfectly correct.
Proof
The correctness of the new scheme given by the transformation follows directly from Proposition 3.1. We now observe that the new scheme is also secure, which follows similarly to the case of publickey encryption considered above. Concretely, for any (infinite sequence of) two equalsize circuits \(C,C'\in {\mathcal {C}}\),
The first and last indistinguishability relations follow directly from Proposition 3.2. The fact that \({\mathcal {O}}^{\otimes K}(C,1^\lambda ;r^{\mathsf {uni}}_1)\approx _c {\mathcal {O}}^{\otimes K}(C',1^\lambda ; r^{\mathsf {uni}}_1)\) follows from the security of the underlying obfuscation scheme, which is known to be preserved under multiple obfuscations (see e.g. [11]). \(\square \)
In [11], Bitansky and Vaikuntanathan show how indistinguishability obfuscation [5] where the obfuscated circuit may err also on a large fraction of inputs can be transformed into one that only has a tiny error over the randomness of the obfuscator as required here. Applying our transformation, we can further turn such schemes into perfectly correct ones.
MultiParty Computation
Our third and last example concerns multiparty computation (MPC) protocols. There are several models for capturing the adversarial capabilities in an MPC protocol. Roughly speaking, our transformation can be applied whenever the protocol is secure against parallel repetition. In the new protocol, perfect correctness will be guaranteed when all the parties behave honestly. The security guarantee given by the new protocol will be inherited from the original repeated protocol. We stress that, in the case of corrupted parties, the transformed protocol does not provide any correctness guarantees beyond those given by the original (repeated) protocol. In particular, if the adversary can inflict a certain correctness error in the original (repeated) protocol, it may also be able to do so in the transformed protocol.
The Formal Model Since we rely on standard MPC conventions, we shall keep our description relatively light, abstracting out less relevant details (for further reading, see for instance [12, 20]). We consider protocols with security against static corruptions according to the realideal paradigm. We restrict attention to the standalone model.^{Footnote 1} In this setting, the adversary \({\mathcal {A}}\) corrupts some set of parties \(C \subseteq [m]\), which it fully controls throughout the protocol, and can also choose the inputs for honest parties at the onset of the computation. The adversarial view in the protocol consists of all the communication generated by the honest parties and their respective outputs. We denote by \({\mathsf {Real}}_{\Pi }^{{\mathcal {A}}}(1^\lambda ,z;r)\) the polynomialtime process that generates the adversarial view and the outputs of the honest parties in \([m]\setminus C\) when these parties execute protocol \(\Pi \) for functionality f with randomness \(r=(r_{i_1}, \dots ,r_{i_{mC}})\), and a \(\hbox {PPT}\) adversary \({\mathcal {A}}\) with auxiliary input z controlling the parties in C.
The requirement is that the output of this process can be simulated by a \(\hbox {PPT}\) process \({\mathsf {Ideal}}_{f}^{{\mathcal {S}}}(1^\lambda ,z)\) called the ideal process where \({\mathcal {A}}\) is replaced by an efficient simulator \({\mathcal {S}}\). The simulator can only submit inputs \(x_1,\dots ,x_m\) to f, learn the outputs of the corrupted parties in C, and has to generate the adversarial view. The ideal process outputs the view generated by the simulator as well as the output generated by f for the honest parties.
As before, we denote by \(\Pi _{\otimes K}\) the Kfold parallel repetition of a protocol \(\Pi \) for computing \(f_{\otimes K}(x)=(f(x))^K\), where each honest party \(i\in [m]\setminus C\), given input \(x_i\), runs K parallel copies of \(\Pi \), all with the same input \(x_i\) and obtains outputs \(y_{i1},\dots ,y_{iK}\). We consider protocols that are secure under parallel repetition in the following sense.
Definition 4.3
We say that an MPC protocol \(\Pi \) (for some functionality f) is secure under parallel repetition with respect to an ideal process \({\mathsf {Ideal}}\) if for any \(\hbox {PPT}\) adversary \({\mathcal {A}}\) and polynomial \(K(\lambda )\) there exists a \(\hbox {PPT}\) simulator \({\mathcal {S}}\) such that for any (infinite sequence of) security parameter \(\lambda \in {\mathbb {N}}\) and auxiliary input in \(z\in \{0,1\}^{\lambda ^{O(1)}}\),
Definition 4.4
We say that an MPC protocol \(\Pi \) for functionality \(f:\{0,1\}^{n\times m}\rightarrow \{0,1\}^{n\times m}\) is \((1\alpha )\)correct if when all parties behave honestly, given inputs \((x_1,\dots ,x_m)\), then the probability that each party i, outputs \(y_i\) where \((y_1,\dots ,y_m)=f(x_1,\dots ,x_m)\), is at least \(1\alpha \).
Applying the Transformation We consider applying our transformation to eliminate errors in the case that all parties execute the protocol honestly, while preserving the same level of security under corruptions. We denote by \(\Pi ^{\mathsf {tra}}\) the protocol \(\Pi \) for computing f after applying the transformation from Sect. 3 where \(\Pi \) is repeated in K times in parallel, the randomness of parties is derived as defined in the transformation, and the final output of party i is derived by postprocessing the K outputs \((y_{i1},\dots ,y_{iK})\) obtained as prescribed by the transformation.
Claim 4.3
Assume that \(\Pi \) is a protocol for f that is \((1/2+\eta )\)correct, for some \(\eta =\lambda ^{O(1)}\) and secure under parallel repetition. Then \(\Pi ^{\mathsf {tra}}\) is a secure and perfectly correct protocol for f.
Proof
The perfect correctness of the new protocol \(\Pi ^{\mathsf {tra}}\), when all parties behave honestly, follows directly from Proposition 3.1.
We now show that the protocol \(\Pi ^{\mathsf {tra}}\) is secure. For any \(\hbox {PPT}\) adversary \({\mathcal {A}}\) against \(\Pi ^{\mathsf {tra}}\), viewing \({\mathcal {A}}\) as an adversary against \(\Pi _{\otimes K}\), let \({\mathcal {S}}\) be its simulator given by Definition 4.3. We show that for any (infinite sequence of) security parameter \(\lambda \), and auxiliary input z,
Let \(\Pi _{\otimes K}^\mathsf{pp}\) be the protocol where the parties first execute the Kfold repetition of \(\Pi _{\otimes K}\) and then each party sets its final output by postprocessing its K outputs as specified by the correctness amplification transformation. Then we first note that by definition
where \(r^{\mathsf {tra}}\) is the randomness of the honest parties, generated according to our transformation.
Next, by Proposition 3.2, it holds that:
where \(r^{\mathsf {tra}}\) is randomness generated according to our transformation and \(r^{\mathsf {uni}}\) is truly random.
It is left to show that
Indeed, recall that by Definition 4.3,
Next, note that and each of the two distributions in Equation 1 can be efficiently generated given a sample from the respective distribution in the Equation 2. This is done by postprocessing the K outputs of each honest party as prescribed by the correctness amplification transformation. Accordingly, any efficient distinguisher for 1 immediately implies an efficient distinguisher for 2. Thus, the indistinguishability in Equation 1 follows by Equation 2.
This concludes the proof. \(\square \)
Notes
We predict that the transformation can also be applied in more general settings, for example, in the UC model [12]. However, this is beyond the scope of this paper.
References
M. Ajtai, C. Dwork. A publickey cryptosystem with worstcase/averagecase equivalence. In Frank Thomson Leighton and Peter W. Shor, editors, Proceedings of the TwentyNinth Annual ACM Symposium on the Theory of Computing, El Paso, Texas, USA, May 46, 1997, pp. 284–293. ACM, (1997).
P. Ananth, A. Jain, A. Sahai. Robust transforming combiners from indistinguishability obfuscation to functional encryption. In Advances in Cryptology  EUROCRYPT 2017  36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30  May 4, 2017, Proceedings, Part I, pp. 91–121, (2017)
N. Bitansky, R. Canetti, O. Paneth, and Alon Rosen. On the existence of extractable oneway functions. In David B. Shmoys, editor, Symposium on Theory of Computing, STOC 2014, New York, NY, USA, May 31  June 03, 2014, pp. 505–514. ACM, (2014)
D. Boneh, R.A. DeMillo, R.J. Lipton. On the importance of eliminating errors in cryptographic computations. J. Cryptology, 14(2):101–119, (2001)
B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S.P. Vadhan, K. Yang. On the (im)possibility of obfuscating programs. J. ACM, 59(2):6, (2012)
B. Barak, Y. Lindell, SP. Vadhan. Lower bounds for nonblackbox zero knowledge. J. Comput. Syst. Sci., 72(2):321–391, (2006)
M. Blum, S. Micali. How to generate cryptographically strong sequences of pseudo random bits. In 23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois, USA, 35 November 1982, pp. 112–117, (1982)
M. Blum, S. Micali. How to generate cryptographically strong sequences of pseudorandom bits. SIAM J. Comput., 13(4):850–864, (1984)
B. Barak, S. Jin Ong, S.P. Vadhan. Derandomization in cryptography. SIAM J. Comput., 37(2):380–400, (2007)
N. Bitansky , O.P. Zaps and noninteractive witness indistinguishability from indistinguishability obfuscation. In Yevgeniy Dodis and Jesper Buus Nielsen, editors, Theory of Cryptography  12th Theory of Cryptography Conference, TCC 2015, Warsaw, Poland, March 2325, 2015, Proceedings, Part II, vol. 9015 of Lecture Notes in Computer Science, pp. 401–427. Springer, 2015.
N. Bitansky, V. Vaikuntanthan. Indistinguishability obfuscation: from approximate to exact. In Theory of Cryptography  13th Theory of Cryptography Conference, TCC 2016, Tel Aviv, Israel, January 1013, 2016, 2016
R. Canetti. Universally composable security: A new paradigm for cryptographic protocols. In 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, 1417 October 2001, Las Vegas, Nevada, USA, pp. 136–145. IEEE Computer Society, 2001
C. Cachin, J. Camenisch, editors. Advances in Cryptology  EUROCRYPT 2004, International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, May 26, 2004, Proceedings, vol. 3027 of Lecture Notes in Computer Science. Springer, 2004
C. Dwork, M. Naor. Zaps and their applications. SIAM J. Comput., 36(6):1513–1543, (2007)
C. Dwork, M. Naor, O. Reingold. Immunizing encryption schemes from decryption errors. In Cachin and Camenisch [13], pp. 342–360
M. Furer, O. Goldreich, Y. Mansour, M. Sipser, S. Zachos. On completeness and soundness in interactive proof systems. Adv. Comput. Res.: Res. Ann. (Randomness and Computation, S. Micali, ed.), 5:429–442, (1989)
O. Goldreich, S. Goldwasser, S. Halevi. Eliminating decryption errors in the ajtaidwork cryptosystem. In Burton S. Kaliski Jr., editor, Advances in Cryptology  CRYPTO ’97, 17th Annual International Cryptology Conference, Santa Barbara, California, USA, August 1721, 1997, Proceedings, vol. 1294 of Lecture Notes in Computer Science, pages 105–111. Springer, (1997)
S. Goldwasser S. Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, (1984)
O. Goldreich, Y. Mansour, M. Sipser. Interactive proof systems: Provers that never fail and random selection (extended abstract). In 28th Annual Symposium on Foundations of Computer Science, Los Angeles, California, USA, 2729 October 1987, pp. 449–461. IEEE Computer Society, (1987)
O. Goldreich. The Foundations of Cryptography  Volume 2, Basic Applications. Cambridge University Press, 2004.
O. Goldreich, S.P. Vadhan, A. Wigderson. Simplified derandomization of BPP using a hitting set generator. In Studies in Complexity and Cryptography. Miscellanea on the Interplay between Randomness and Computation  In Collaboration with Lidor Avigad, Mihir Bellare, Zvika Brakerski, Shafi Goldwasser, Shai Halevi, Tali Kaufman, Leonid Levin, Noam Nisan, Dana Ron, Madhu Sudan, Luca Trevisan, Salil Vadhan, Avi Wigderson, David Zuckerman, pp. 59–67. (2011)
J. Håstad, R. Impagliazzo, LA. Levin, M. Luby. A pseudorandom generator from any oneway function. SIAM J. Comput., 28(4):1364–1396 (1999)
T. Holenstein, R. Renner. Oneway secretkey agreement and applications to circuit polarization and immunization of publickey encryption. In Victor Shoup, editor, Advances in Cryptology  CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 1418, 2005, Proceedings, vol. 3621 of Lecture Notes in Computer Science, pp. 478–493. (Springer, 2005)
R. Impagliazzo, A. Wigderson. \(P = BPP\) if \(E\) requires exponential circuits: Derandomizing the XOR lemma. In Proceedings of the TwentyNinth Annual ACM Symposium on the Theory of Computing, El Paso, Texas, USA, May 46, 1997, pp. 220–229, (1997)
C. Lautemann. BPP and the polynomial hierarchy. Inf. Process. Lett., 17(4):215–217, (1983)
H. Lin, S. Tessaro. Amplification of chosenciphertext security. In Thomas Johansson and Phong Q. Nguyen, editors, Advances in Cryptology  EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 2630, 2013. Proceedings, volume 7881 of Lecture Notes in Computer Science, pp. 503–519. (Springer, 2013)
M. Naor. Bit commitment using pseudorandomness. J. Cryptology, 4(2):151–158, (1991)
N. Nisan, A. Wigderson. Hardness vs randomness. J. Comput. Syst. Sci., 49(2):149–167, (1994)
O. Regev. On lattices, learning with errors, random linear codes, and cryptography. In Harold N. Gabow and Ronald Fagin, editors, Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 2224, 2005, pp. 84–93. ACM, (2005)
R. Shaltiel, C. Umans. Simple extractors for all minentropies and a new pseudorandom generator. In 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, 1417 October 2001, Las Vegas, Nevada, USA, pp. 648–657, (2001)
ACC. Yao. Theory and applications of trapdoor functions (extended abstract). In 23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois, USA, 35 November 1982, pp. 80–91. IEEE Computer Society, (1982)
ACC. Yao. Theory and applications of trapdoor functions (extended abstract). In 23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois, USA, 35 November 1982, pp. 80–91, (1982)
Funding
Open Access funding provided by the MIT Libraries.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by Manoj Prabhakaran.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Research supported in part by NSF Grants CNS1350619 and CNS1414119, Alfred P. Sloan Research Fellowship, Microsoft Faculty Fellowship, the NEC Corporation, and a Steven and Renee Finn Career Development Chair from MIT.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Bitansky, N., Vaikuntanathan, V. A Note on Perfect Correctness by Derandomization. J Cryptol 35, 18 (2022). https://doi.org/10.1007/s00145022094280
Received:
Revised:
Accepted:
Published:
DOI: https://doi.org/10.1007/s00145022094280