Cryan and Miltersen [7] recently considered the question of whether there can be a pseudorandom generator in NC⁰, that is, a pseudorandom generator that maps n bits strings to m bits strings and such that every bit of the output depends on a constant number k of bits of the seed.

They show that for k = 3, if m ≥ 4n + 1, there is a distinguisher; in fact, they show that in this case it is possible to break the generator with a linear test, that is, there is a subset of bits of the output whose XOR has a noticeable bias.

They leave the question open for k ≥ 4. In fact they ask whether every NC⁰ generator can be broken by a statistical test that simply XORs some bits of the input. Equivalently, is it the case that no NC⁰ generator can sample an ε-biased space with negligible ε?

We give a generator for k = 5 that maps n bits into cn bits, so that every bit of the output depends on 5 bits of the seed, and the XOR of every subset of the bits of the output has bias 2^{ - \Omega ({n \mathord{\left/ {\vphantom {n {c^4 )}}} \right. \kern-\nulldelimiterspace} {c^4 )}}} . For large values of k, we construct generators that map n bits to n^{\Omega (\sqrt {k)} } bits and such that every XOR of outputs has bias 2^{ - n^{\frac{1}{{2\sqrt k }}} }.

We also present a polynomial-time distinguisher for k = 4,m ≥ 24n having constant distinguishing probability. For large values of k we show that a linear distinguisher with a constant distinguishing probability exists once m \geqslant \Omega (2^k n^{\left\lceil {{k \mathord{\left/ {\vphantom {k 2}} \right. \kern-\nulldelimiterspace} 2}} \right\rceil } ).

Finally, we consider a variant of the problem where each of the output bits is a degree k polynomial in the inputs. We show there exists a degree k = 2 pseudo random generator for which the XOR of every subset of the outputs has bias 2^{ - \Omega (n)} and which map n bits to \Omega (n^2 ) bits.