Summary: On Generating Solved Instances of Computational Problems
M. Abadi \Lambda E. Allender y A. Broder \Lambda J. Feigenbaum z L. Hemachandra x
Abstract: We consider the efficient generation of solved instances of computational problems. In
particular, we consider invulnerable generators. Let S be a subset of f0; 1g \Lambda and M be a Turing
Machine that accepts S; an accepting computation w of M on input x is called a ``witness'' that
x 2 S. Informally, a program is an ffinvulnerable generator if, on input 1 n , it produces instance
witness pairs hx; wi, with jxj = n, according to a distribution under which any polynomialtime
adversary who is given x fails to find a witness that x 2 S, with probability at least ff, for infinitely
many lengths n.
The question of which sets have invulnerable generators is intrinsically appealing theoretically,
and the results can be applied to the generation of test data for heuristic algorithms and to the
theory of zeroknowledge proof systems. The existence of invulnerable generators is closely related
to the existence of cryptographically secure oneway functions. We prove three theorems about
invulnerability. The first addresses the question of which sets in NP have invulnerable generators, if
indeed any NP sets do. The second addresses the question of how invulnerable these generators are.
Theorem (Completeness): If any set in NP has an ffinvulnerable generator, then SAT has one.
Theorem (Amplification): If S 2 NP has a fiinvulnerable generator, for some constant fi 2 (0; 1),
then S has an ffinvulnerable generator, for every constant ff 2 (0; 1).
Our third theorem on invulnerability shows that one cannot, using techniques that relativize,