# Yao's test

In cryptography and the theory of computation, Yao's test is a test defined by Andrew Chi-Chih Yao in 1982,[1] against pseudo-random sequences. A sequence of words passes Yao's test if an attacker with reasonable computational power cannot distinguish it from a sequence generated uniformly at random.

## Formal statement

### Boolean circuits

Let ${\displaystyle P}$ be a polynomial, and ${\displaystyle S=\{S_{k}\}_{k}}$ be a collection of sets ${\displaystyle S_{k}}$ of ${\displaystyle P(k)}$-bit long sequences, and for each ${\displaystyle k}$, let ${\displaystyle \mu _{k}}$ be a probability distribution on ${\displaystyle S_{k}}$, and ${\displaystyle P_{C}}$ be a polynomial. A predicting collection ${\displaystyle C=\{C_{k}\}}$ is a collection of boolean circuits of size less than ${\displaystyle P_{C}(k)}$. Let ${\displaystyle p_{k,S}^{C}}$ be the probability that on input ${\displaystyle s}$, a string randomly selected in ${\displaystyle S_{k}}$ with probability ${\displaystyle \mu (s)}$, ${\displaystyle C_{k}(s)=1}$, i.e.

${\displaystyle p_{k,S}^{C}={\mathcal {P}}[C_{k}(s)=1|s\in S_{k}{\text{ with probability }}\mu _{k}(s)]}$

Moreover, let ${\displaystyle p_{k,U}^{C}}$ be the probability that ${\displaystyle C_{k}(s)=1}$ on input ${\displaystyle s}$ a ${\displaystyle P(k)}$-bit long sequence selected uniformly at random in ${\displaystyle \{0,1\}^{P(k)}}$. We say that ${\displaystyle S}$ passes Yao's test if for all predicting collection ${\displaystyle C}$, for all but finitely many ${\displaystyle k}$, for all polynomial ${\displaystyle Q}$ :

${\displaystyle |p_{k,S}^{C}-p_{k,U}^{C}|<{\frac {1}{Q(k)}}}$

### Probabilistic formulation

As in the case of the next-bit test, the predicting collection used in the above definition can be replaced by a probabilistic Turing machine, working in polynomial time. This also yields a strictly stronger definition of Yao's test (see Adleman's theorem). Indeed, One could decide undecidable properties of the pseudo-random sequence with the non-uniform circuits described above, whereas BPP machines can always be simulated by exponential-time deterministic Turing machines.

## References

1. ^ Andrew Chi-Chih Yao. Theory and applications of trapdoor functions. In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, 1982.