Additive Combinatorics Methods in Computational Complexity. Noga Ron-Zewi



Additive Combinatorics Methods in Computational Complexity

Research Thesis

In Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy

Noga Ron-Zewi

Submitted to the Senate of Technion - Israel Institute of Technology

Av 5774, Haifa, August 2014


This research thesis was done under the supervision of Prof. Eli Ben-Sasson from the department of computer science, Technion - Israel Institute of Technology. First and foremost, I would like to thank Eli for continuous support and encouragement, loads of enthusiasm and optimism, and for teaching me almost all I know about research. I was also fortunate to have many wonderful collaborators in this thesis and I would like to thank them all: Iddo Ben-Tov, Ivan Damgård, Yuval Ishai, Shachar Lovett, Madhu Sudan, Madhur Tulsiani and Julia Wolf. I am especially indebted to Prof. Madhu Sudan for hosting me for two fun and productive summers at the Microsoft Research lab in New England and one semester at MIT. I thank Prof. Amir Shpilka from the department of computer science at the Technion, who acted as my temporary advisor during Eli's sabbatical and helped me in many ways. I would also like to thank my friends at the department, and especially my office-mate Elad Haramaty, for many helpful and interesting conversations, and for an enjoyable time. Last but not least, I thank my parents Tamar and Gill for their continuous support and interest in my work, and my husband Yehoshua and son Nadav for making the Ph.D. period so meaningful. The generous financial help of the Technion, the Israel Ministry of Science and Technology and the European Community's Seventh Framework Programme is gratefully acknowledged.

List of Publications

Eli Ben-Sasson and Noga Ron-Zewi. From affine to two-source extractors via approximate duality. In Proceedings of the 43rd Annual ACM Symposium on Theory of Computing (STOC). Pages , June .

Eli Ben-Sasson, Shachar Lovett and Noga Ron-Zewi. An additive combinatorics approach relating rank to communication complexity. Journal of the ACM, to appear. Preliminary version in Proceedings of the 53rd Annual IEEE Symposium on Foundations of Computer Science (FOCS). Pages , October .

Eli Ben-Sasson, Noga Ron-Zewi and Madhu Sudan. Sparse affine-invariant linear codes are locally testable. Computational Complexity, to appear. Preliminary version in Proceedings of the 53rd Annual IEEE Symposium on Foundations of Computer Science (FOCS). Pages , October .

Eli Ben-Sasson, Noga Ron-Zewi, Madhur Tulsiani and Julia Wolf. Sampling-based proofs of almost-periodicity results and algorithmic applications. In Proceedings of the 41st International Colloquium on Automata, Languages, and Programming (ICALP). Pages , July .

Eli Ben-Sasson, Iddo Ben-Tov, Ivan Damgård, Yuval Ishai and Noga Ron-Zewi. On the limitations of public key encryption from noisy codewords. Submitted.


Table of Contents

Abstract 1
Symbols and Abbreviations 4

1 Introduction
  1.1 Additive combinatorics
  1.2 Previous applications of additive combinatorics methods in computational complexity
    1.2.1 Szemerédi's regularity lemma and graph property testing
    1.2.2 The Gowers norm and low-degree testing
    1.2.3 Sum-product estimates and randomness extractors
  1.3 Freiman-Ruzsa theorems and their applications in computational complexity
  1.4 Our contributions
    1.4.1 From affine to two-source extractors
    1.4.2 The approximate duality conjecture (ADC)
    1.4.3 Relating rank to communication complexity
    1.4.4 Limitations of public key encryption from noisy codewords
    1.4.5 Sampling-based proofs of almost-periodicity results and algorithmic applications
    1.4.6 Sparse affine-invariant linear codes are locally testable
  1.5 Organization of this thesis

2 Approximate duality
  2.1 Introduction
    Approximate duality
    Chapter organization
  2.2 Approximate duality for nearly-dual sets
    Proof of Theorem
  2.3 Bounds on approximate duality assuming PFR
    Proof of Theorem
    Proof overview
    Proof of Theorem
    Approximate duality for sets with small span
    Proof of Lemma
  2.4 Exponentially small bounds on approximate duality assuming PFR: alternative proof
    Proof overview
    Equivalence of the nearly-linear and the polynomial Freiman-Ruzsa conjectures
    Proof of Theorem assuming Main Technical Lemma
    Proof of Main Technical Lemma
  2.5 Equivalence between approximate duality and PFR in the exponential range
  2.6 Open problems

3 From affine to two-source extractors
  3.1 Introduction
    3.1.1 Extractors and dispersers for affine and two independent sources
    3.1.2 From affine extractors to two-source dispersers
    3.1.3 From two-source dispersers to two-source extractors via approximate duality
  3.2 Main results
    3.2.1 Extractors and dispersers for affine and two independent sources
    3.2.2 From affine extractors to two-source dispersers
    3.2.3 From two-source dispersers to two-source extractors via approximate duality
    3.2.4 Organization of the rest of the chapter
  3.3 From affine extractors to two-source dispersers
    3.3.1 Concatenated two-source disperser
    Proof of Theorem
    3.3.2 Preimage two-source dispersers
    Proof of Theorem
  3.4 From two-source dispersers to two-source extractors via approximate duality
    3.4.1 Constant bounds on error by approximate duality for nearly-dual sets
    3.4.2 Exponentially small bounds on error assuming the polynomial Freiman-Ruzsa conjecture
  3.5 On the $\ell_1$-error of multi-output-bit affine and two-source extractors
    3.5.1 On the $\ell_1$-error of existing affine extractors
    3.5.2 Increasing the output length of our two-source extractors
  3.6 Open problems

4 Relating rank to communication complexity
  4.1 Introduction
    4.1.1 On communication complexity and matrix rank over $\mathbb{F}$
    4.1.2 On communication complexity and matrix rank over $\mathbb{R}$
  4.2 From approximate duality to communication complexity upper bounds
    Proof of Theorem
    Proof of Corollary

5 On the limitations of public key encryption from noisy codewords
  5.1 Introduction
    5.1.1 Learning parity with noise
    5.1.2 Alekhnovich's public key encryption scheme
    5.1.3 Learning with errors
    5.1.4 Public key encryption based on learning with errors
    5.1.5 Related work
  5.2 Main results
    5.2.1 Unified framework
    5.2.2 Unconditional negative result
    5.2.3 Conditional negative results
    5.2.4 Perfectly correct decryption
    5.2.5 Open problems
    5.2.6 Chapter organization
  5.3 Preliminaries
    5.3.1 Public key encryption
  5.4 Unified framework
    5.4.1 Generalized encryption schemes
    5.4.2 Equivalence of generalized encryption schemes
  5.5 Unconditional attack
    5.5.1 Consequences to learning
  5.6 Attacks based on combinatorial properties of $\mu_{sk}$, $\mu_0$, $\mu_1$
    5.6.1 Attack based on combinatorial properties of $\mu_{sk}$
    5.6.2 Attack based on combinatorial properties of $\mu_0$, $\mu_1$
  5.7 Attacks based on the approximate duality conjecture
    5.7.1 From uniform to general distributions: proof of Lemma
    5.7.2 Iterative application: proof of Lemma
  5.8 Perfectly correct decryption
    5.8.1 Insecurity over the binary field
    5.8.2 Candidate over constant-size rings
  5.9 Security of generalized encryption schemes: proof of Lemma

6 Sampling-based proofs of almost-periodicity results
  6.1 Introduction
    6.1.1 Proof method
  6.2 Preliminaries
  6.3 Sampling-based proofs of almost-periodicity results
    6.3.1 Croot-Sisask almost-periodicity
    6.3.2 Almost-periodicity over a subspace

7 Applications of sampling-based proofs
  7.1 Introduction
    7.1.1 Combinatorial applications
    7.1.2 Algorithmic applications
    7.1.3 Proof method
  7.2 Combinatorial applications
    7.2.1 The quasipolynomial Bogolyubov-Ruzsa lemma
    7.2.2 Sumsets of dense sets contain large subspaces
  7.3 Algorithmic applications
    7.3.1 Algorithmic version of the quasipolynomial Bogolyubov-Ruzsa lemma
    7.3.2 An improved self-corrector for the Reed-Muller code of order
    7.3.3 An improved quadratic Goldreich-Levin theorem
    Proof of Corollary
  7.4 Waring's problem over finite fields

8 Sparse affine-invariant linear codes are locally testable
  8.1 Introduction
    8.1.1 The problem and main result
    8.1.2 Motivation
    8.1.3 Comparison with previous work
    8.1.4 Technical contributions
    8.1.5 Organization of the rest of the chapter
  8.2 Preliminaries
    8.2.1 Establishing the $k$-single-orbit characterization property is sufficient for $k$-local testability
    8.2.2 The degree set of affine-invariant linear properties
    8.2.3 The border set of affine-invariant linear properties
  8.3 Proof of Main Theorem
    8.3.1 Pseudo-tests suffice for local testability
    8.3.2 Overview of the proof of Main Technical Theorem
      Covering the $(q, n)$-shift representative sets
      Separating a pair of sets with disjoint $p$-shifts
      Separating a pair of degrees in the same $p$-shift
      A calculus for composing pseudo-tests
      Completing the proof of Theorem
  8.4 Separating a pair of degrees in the same $p$-shift
    8.4.1 Proof of Lemma
  8.5 Separating a pair of sets with disjoint $p$-shifts
    8.5.1 Proof of Lemma
    8.5.2 Proof of Lemma
  8.6 A calculus for composing pseudo-tests
    8.6.1 Proof of Lemma
  8.7 Equivalence of basic and general single-orbit characterizations
  8.8 Concluding remarks 191

Abstract

This thesis focuses on applications of methods and techniques from the mathematical field of additive combinatorics in computational complexity, the sub-area of theoretical computer science that studies the inherent limitations on efficient computation. Additive combinatorics is the branch of discrete mathematics aimed at quantifying the amount of additive structure in subsets of additive groups. Over the last decade, additive combinatorics has become a successful and active area of mathematics with many remarkable results. In this thesis we show novel applications of additive combinatorics methods in computational complexity, in the sub-fields of pseudorandomness, communication complexity, public key cryptography and local decoding.

More specifically, in the field of pseudorandomness, we use additive combinatorics methods for the design of randomness extractors. These are procedures that distill (almost) perfect randomness, required for the performance of randomized algorithms and protocols, from weak sources of randomness that exist in nature. Unfortunately, it is impossible to extract randomness from a single weak source of randomness, and therefore further assumptions on the structure of the source are needed. One of the most natural assumptions is that we have in hand a pair of independent weak sources of randomness. Another common assumption is that the source has an algebraic structure, for example that the source is distributed uniformly over an affine subspace (such a source is called an affine source). We show how affine extractors, which distill randomness from affine sources, can be converted in a black-box manner to two-source extractors, which distill randomness from a pair of independent weak sources of randomness.

In order to show the above, we introduce a new conjecture in additive combinatorics that we call the approximate duality conjecture, and we justify this conjecture by showing its tight connections with the polynomial Freiman-Ruzsa conjecture, a central conjecture in additive combinatorics which attempts to classify approximate subgroups of abelian groups. Since its introduction, the approximate duality conjecture has found a variety of other applications in computational complexity: to communication complexity (see below), to public key cryptography (see below) and to showing limitations on the performance of locally decodable codes [Bhowmick, Dvir and Lovett, STOC 2013].

In the field of communication complexity, we use the approximate duality conjecture mentioned above for the design of communication protocols that minimize the amount of communication needed for performing computational tasks jointly by multiple parties. More precisely, the rank of the task serves as a measure of how complex the task is. A fundamental 25-year-old conjecture in the area, known as the log-rank conjecture, suggests that one can design communication protocols in which the amount of communication is only polylogarithmic in the rank of the task. However, until very recently there had been essentially no improvement on the trivial protocol, in which the amount of communication is linear in the rank. We propose the first non-trivial such protocol, in which the amount of communication is sub-linear in the rank.

In the field of public key cryptography, we use the approximate duality conjecture to show limitations on public key encryption from noisy codewords. Public key encryption schemes, considered one of the greatest achievements of modern cryptography, are magical cryptographic protocols that enable two parties to communicate securely over a public channel without having to agree on a secret key in advance. Several well-known public key encryption schemes, including those of Alekhnovich [STOC 2003], Regev [STOC 2005] and Gentry, Peikert and Vaikuntanathan [STOC 2008], rely on the hardness of inverting a noisy linear encoding. We show that, assuming the approximate duality conjecture, instances of all these schemes over the binary field can be attacked in time $2^{O(\sqrt{n})}$, where $n$ is the maximum of the ciphertext size and the public key size.

Finally, in the field of local decoding, we show applications of additive combinatorics methods to the design of local decoding procedures. These are procedures that allow extremely efficient detection and correction of transmission errors in a local manner, by examining only a few bits of the corrupted codeword. Our first result in this direction uses almost-periodicity results from additive combinatorics to obtain an improved local decoding procedure for the well-known class of Reed-Muller codes in the scenario of a highly erroneous transmission channel. Our procedure improves on previous such procedures in that its running time and performance guarantee depend only quasipolynomially on the error parameter instead of exponentially. Our second result uses Waring's problem over finite fields from additive combinatorics for the design of local decoding procedures for the class of sparse affine-invariant linear codes.


Symbols and Abbreviations

$A + B$: sumset of the sets $A$ and $B$
$\ell A$: $\ell$-wise sumset of the set $A$
$A \cdot B$: product set of the sets $A$ and $B$
BSG: Balog-Szemerédi-Gowers theorem
QFR: quasi-polynomial Freiman-Ruzsa theorem
PFR: polynomial Freiman-Ruzsa conjecture
NLFR: nearly-linear Freiman-Ruzsa conjecture
$1_A$: indicator function of the set $A$
$\mu_A$: normalized indicator function of the set $A$
$\hat{f}$: Fourier expansion of the function $f$
$f * g$: convolution of the functions $f$ and $g$
$\langle a, b \rangle_2$: inner product of the vectors $a, b$ over the field $\mathbb{F}_2$
$A^\perp$: space dual to the span of the set $A$
$D(A, B)$: duality measure of the sets $A$ and $B$
$D(\mu, \mu')$: duality measure of the distributions $\mu$ and $\mu'$
$\mathrm{spec}(A)$: spectrum of the set $A$
$\mathrm{spec}(\mu)$: spectrum of the distribution $\mu$
ADC: approximate duality conjecture
$x \circ x'$: concatenation of the vectors $x$ and $x'$
$H_\infty(X)$: min-entropy of the random variable $X$
$h_\infty(X)$: min-entropy rate of the random variable $X$
Entropy loss rate
$E^c_{f,g}$: concatenated two-source extractor
$E_{f,g}$: preimage two-source extractor
$CC(f)$: communication complexity of the function $f$
$CC(M)$: communication complexity of the matrix $M$
$\mathrm{rank}_{\mathbb{F}}(M)$: rank of the matrix $M$ over the field $\mathbb{F}$
$\mathrm{disc}_\mu(M)$: discrepancy of the matrix $M$ with respect to the distribution $\mu$
$\mathrm{disc}_{\mathcal{D}}(M)$: discrepancy of the matrix $M$ with respect to the family of distributions $\mathcal{D}$
$\mathrm{disc}(M)$: discrepancy of the matrix $M$
$U_M$: uniform distribution over the entries of the matrix $M$
$M_{m \times n}(q)$: set of all $m \times n$ full-rank matrices over $\mathbb{F}_q$
$P_m$: projection on the first $m$ coordinates
$0^m$: all-zeros vector of length $m$
$1^m$: all-ones vector of length $m$
$\mathrm{supp}(\mu)$: support of the distribution $\mu$
$\Pr_\mu(a)$: probability of $a$ under the distribution $\mu$
$\Pr_\mu(A)$: probability of the event $A$ under the distribution $\mu$
$\mu|_A$: distribution $\mu$ conditioned on the event $A$
$\langle \mu, \mu' \rangle$: inner product of the distributions $\mu$ and $\mu'$
$a \in_R A$: element $a$ is chosen uniformly at random from the set $A$
Gen: key generation algorithm
$1^n$: string of length $n$
sk: private key
pk: public key
$\mathrm{Enc}_{pk}$: encryption algorithm
$\mathrm{Dec}_{sk}$: decryption algorithm
$\mathrm{Adv}_{\mathrm{Dec}}(n)$: advantage of the decryption algorithm
$A$: attack
$\mathrm{Adv}_A(n)$: advantage of the attack
Alek: generalized Alekhnovich encryption scheme
Reg: generalized Regev encryption scheme
Reg': uniform version of the generalized Regev encryption scheme
GPV: generalized GPV encryption scheme
$\mu_{sk}$: distribution of the private key in generalized encryption schemes
$\mu_0$: noise distribution used in encryption of 0 in generalized encryption schemes
$\mu_1$: noise distribution used in encryption of 1 in generalized encryption schemes
$D_{s,\mu}$: distribution of $(G, Gs + e)$ for uniformly random $G$ and $e \sim \mu$
Two quantities differ in absolute value by at most a given bound
Two quantities differ in absolute value by at least a given bound
$A \to B$: measure of additive containment of the sets $A$ and $B$
$\|f\|_{U^d}$: Gowers $U^d$-norm of the function $f$
$\mathbb{F}(A)$: closure of the set $A$ inside the field $\mathbb{F}$
Normalized Hamming distance between the functions $f$ and $g$
Normalized Hamming distance between the function $f$ and the family of functions $\mathcal{F}$
$C$: constraint
$C_1 \cup C_2$: union of constraints
$C_1 \otimes C_2$: tensor product of constraints
k-s-o-c: $k$-single-orbit characterization
$\mathrm{supp}(f)$: support of the function $f$
$\mathrm{Deg}(\mathcal{F})$: degree set of the family of functions $\mathcal{F}$
$\mathrm{Fam}_q(D)$: family of functions associated with the set of degrees $D$ over the field $\mathbb{F}_q$
$\mathrm{Shadow}_p(d)$: $p$-shadow of the degree $d$
$\mathrm{Shift}_{q,n}(d)$: $(q, n)$-shift of the degree $d$
$\mathrm{Border}(\mathcal{F})$: border of the family of functions $\mathcal{F}$
$\mathrm{Trace}_{q^n \to q}$: trace operator from $\mathbb{F}_{q^n}$ to $\mathbb{F}_q$
$\omega_p$: complex $p$-th root of unity

Chapter 1

Introduction

The past century has been an exciting era for both theoretical computer science and discrete mathematics. As digital computers, which operate in a discrete manner, were developed in the middle of the twentieth century, discrete mathematics became the mathematical language of computer science. Thus, concepts and notions from discrete mathematics were borrowed to describe objects and problems in computer science. Conversely, the development of computers in general, and of theoretical computer science in particular, spurred new research directions in discrete mathematics and contributed to a large extent to the rapid growth of this area. As the past century went by, theoretical computer science and discrete mathematics evolved rapidly in parallel, maintaining a fruitful and healthy exchange of ideas. One recent example of such a successful exchange of ideas is the interplay between computational complexity and additive combinatorics. Computational complexity is the sub-area of theoretical computer science that studies the inherent limitations on efficient computation. Additive combinatorics, on the other hand, is the branch of discrete mathematics that aims to quantify the amount of additive structure in subsets of additive groups. In recent years, several surprising connections were discovered between additive combinatorics and computational complexity. This led to a variety of applications of additive combinatorics methods in computational complexity, in sub-fields such as property testing, pseudorandomness and low-degree testing. Perhaps even more surprisingly, research in computational complexity also led to new discoveries in additive combinatorics and intersecting fields. For example, research on pseudorandom generators for polynomials and on low-degree testing in computational complexity [BV10, AKK+05, Sam07] motivated the investigation of the Gowers inverse conjecture [LMS11, GT09, TZ10], an outstanding conjecture in additive combinatorics which attempts to classify functions that are correlated with low-degree polynomials according to their

local properties. This thesis contributes to the aforementioned interactions by establishing new connections between additive combinatorics and computational complexity, in the sub-fields of pseudorandomness, communication complexity, public key cryptography and local decoding. As part of this thesis, we show applications of novel additive combinatorics methods and techniques to fundamental problems in these fields, such as the construction of two-source extractors and the log-rank conjecture in communication complexity. We also contribute to the reverse connection, that of promoting new research directions in additive combinatorics, by formulating the approximate duality conjecture, a new conjecture in additive combinatorics. We demonstrate the usefulness of this conjecture by showing a variety of its applications in computational complexity, as well as its tight connections with the polynomial Freiman-Ruzsa conjecture, a central conjecture in additive combinatorics which attempts to classify approximate subgroups of abelian groups. Below we provide a more detailed overview of our results, but before we do so we start with some background on additive combinatorics and its previous applications in computational complexity.

1.1 Additive combinatorics

Additive combinatorics is the branch of discrete mathematics which attempts to quantify the amount of additive structure in subsets of additive groups. More generally, when the ambient group is a ring and multiplication is also considered, arithmetic combinatorics attempts to quantify the amount of additive and multiplicative structure in these subsets and the interplay and tradeoffs between them. Examples of subsets with a large amount of additive structure are subsets that contain long arithmetic progressions, large subspaces or large cubes. At the other extreme, a randomly chosen subset of the group typically has a small amount of additive structure.

A major objective in the field of additive combinatorics is to identify quantitative measures for the amount of additive structure in subsets of groups. For a given set $A$, a natural such measure is the size of the sumset $A + A := \{a + a' \mid a, a' \in A\}$, or more generally the size of the $\ell$-wise sumset $\ell A := \{a_1 + \cdots + a_\ell \mid a_1, \ldots, a_\ell \in A\}$. Examples of other such measures are the collision probability, defined through the number of quadruples $(a_1, a_2, a_3, a_4) \in A \times A \times A \times A$ such that $a_1 + a_2 = a_3 + a_4$, and the concentration of the Fourier transform of the indicator function $1_A$ of $A$. It can be verified that all the aforementioned measures behave very differently when evaluated on a randomly chosen subset as opposed to a subset containing a large additive structure. Furthermore, it can be shown that all these measures, as well as many others, are essentially equivalent

(see the excellent book of Tao and Vu [TV06] for more information). A major challenge in the field of additive combinatorics is to investigate the additive structure that is imposed on a given subset by the value of these measures. This type of question is addressed by the Freiman-Ruzsa theorems discussed in Section 1.3 below. In arithmetic combinatorics, one is usually also interested in the interplay between the amount of additive and multiplicative structure of a given subset of the ring. For example, is it possible for the subset to have a large amount of both additive and multiplicative structure? (Typically not.) Is it possible to quantify the tradeoff between the amount of additive and multiplicative structure in the subset? This type of question is addressed by the sum-product estimates discussed in Section 1.2.3 below.

A surprising recurring phenomenon in additive combinatorics is that sufficiently dense subsets of additive groups possess a large amount of additive structure. This was first demonstrated by the seminal work of Szemerédi [Sze75a], which showed that any sufficiently dense subset of the integers must contain arbitrarily long arithmetic progressions. Szemerédi's theorem is an especially deep theorem, and over the years several completely different proofs of it were discovered, using tools as different as graph theory [Sze75a], higher-order harmonic analysis [Rot53, Gow01], ergodic theory [Fur77] and hypergraph theory [RS76, NRS06, Gow07, Tao06]. All these different proofs contributed to the rapid development of the theory of additive combinatorics. Another major achievement in additive combinatorics is the recent Green-Tao theorem [GT08b], which asserts the existence of arbitrarily long arithmetic progressions in the prime numbers. In order to prove this, Green and Tao first showed that any subset of the primes which is dense enough inside the primes must contain arbitrarily long arithmetic progressions, and then showed the existence of such a subset.

One common theme in additive combinatorics proofs is the dichotomy between randomness and structure [Tao07]. The idea is that it is sometimes possible to decompose complex objects (such as graphs, functions over certain domains, low-degree polynomials, collections of points in the plane, etc.) into a structured component and a random-looking component (possibly with a small error). This decomposition can then be helpful for analyzing these complex objects. One well-known example of this phenomenon is Szemerédi's regularity lemma [Sze75a], proved by Szemerédi as a step towards his proof of Szemerédi's theorem, which gives such a decomposition for graphs.

The field of additive combinatorics has been experiencing a tremendous amount of growth over the last couple of decades and it is today a vibrant and active field of mathematics. The techniques used in this field come from diverse mathematical disciplines, such as graph theory, harmonic analysis, ergodic theory, discrete geometry and combinatorial number theory. Interestingly, over the years additive combinatorics methods and techniques have also found applications back in these fields. One recent example is the application of sum-product estimates to incidence problems in discrete geometry [BKT04], most notably to the incidence problem for lines, which bounds the number of possible incidences between an arbitrary collection of lines and points in the plane, and to the Erdős distinct distances problem, which bounds from below the number of distinct distances determined by an arbitrary collection of points in the plane.

1.2 Previous applications of additive combinatorics methods in computational complexity

In what follows we briefly survey three of the main previous applications of additive combinatorics methods in computational complexity: the use of Szemerédi's regularity lemma in graph property testing, the use of the Gowers norm in low-degree testing, and the use of sum-product estimates in the construction of randomness extractors. We refer the reader to the excellent survey of Trevisan [Tre09] for more information.

1.2.1 Szemerédi's regularity lemma and graph property testing

The main goal in the field of property testing is, given a combinatorial structure $S$, to design extremely efficient randomized algorithms, called testers, that for a given property $P$ distinguish, with high probability, between the case in which $S$ satisfies $P$ and the case in which $S$ is $\varepsilon$-far from satisfying $P$. The sub-field of graph property testing is concerned with testing properties of graphs, such as the graph being connected, being 3-colorable, or containing some fixed graph as an induced subgraph. In graph property testing one is usually interested in testers that query the adjacency matrix of the graph in a number of entries that depends only on $\varepsilon$.

Szemerédi's regularity lemma was introduced by Szemerédi [Sze75b] towards his proof of Szemerédi's theorem discussed above. It roughly says that every graph can be approximately partitioned into a constant number of random-looking bipartite graphs, where the number of parts depends only on the quality of the approximation and not on the number of vertices in the graph. The connection between Szemerédi's regularity lemma and graph property testing was first demonstrated by the triangle removal lemma, which can be easily derived from the regularity lemma. In the language of property testing, the triangle removal lemma simply says that the property of triangle-freeness is testable.

However, one problem with the original proof of Szemerédi's regularity lemma was that it was non-constructive. This problem was resolved by Alon et al. [ADL+94], who gave a different, algorithmic proof of the regularity lemma. In follow-up works [AFKS00, AS08, Alo02] Szemerédi's regularity lemma was shown to be a powerful tool for analyzing property testers for many natural graph properties, culminating in the work of [AFNS09], which used the regularity lemma to give a combinatorial characterization of all testable graph properties. Roughly speaking, the latter work showed that a graph property is testable if and only if the task of testing this property can be reduced to the task of testing the property of admitting a partition for which the conditions of the regularity lemma hold. This shows a fundamental connection between graph property testing and Szemerédi's regularity lemma, and explains why the regularity lemma is so useful in analyzing graph property testers.

1.2.2 The Gowers norm and low-degree testing

Low-degree testing is a special case of property testing in which one is interested in testing the property of a function being a low-degree polynomial, or equivalently being a codeword of a Reed-Muller code, whose codewords are low-degree polynomials. More specifically, a low-degree tester for degree-$d$ polynomials is an efficient randomized algorithm that, given a function $f$, makes a few queries to $f$ and distinguishes, with high probability, between the case in which $f$ is a degree-$d$ polynomial and the case in which $f$ is far from every such polynomial. Here one is typically interested in a tester whose number of queries depends only on the degree $d$. Testing low-degree polynomials (or Reed-Muller codes) is motivated by their use in the construction of probabilistically-checkable proofs (PCPs).
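As a worked example of such a tester for the smallest non-trivial degree, $d = 1$, the following is the linearity test over $\mathbb{F}_2^n$ of Blum, Luby and Rubinfeld [BLR93] (this is an added example, not code from the thesis or from [BLR93]). Three queries, at $x$, $y$ and $x + y$, decide whether $f(x) + f(y) = f(x + y)$; for small $n$ the code also enumerates all query pairs to get the exact rejection probability, computes the normalized Hamming distance to the nearest linear function (all $2^n$ of them are of the form $x \mapsto \langle \alpha, x \rangle$), and cross-checks the rejection probability against its Fourier-analytic expression $\Pr[\text{reject}] = \tfrac{1}{2} - \tfrac{1}{2}\sum_\alpha \hat{F}(\alpha)^3$ for $F = (-1)^f$, which is the form in which the test is analyzed. The $n = 3$ instance, the function `near` (a linear function with one value flipped) and the helper names are the example's own.

```python
"""Linearity (degree-1) testing over F_2: the [BLR93] test.

Added example, not code from the thesis.  Vectors in F_2^n are n-bit
integers and vector addition is XOR; a function f : F_2^n -> F_2 is any
Python callable returning 0 or 1.
"""
from fractions import Fraction
import random


def inner_product(alpha, x):
    """<alpha, x> over F_2: parity of the bitwise AND."""
    return bin(alpha & x).count("1") & 1


def linear_function(alpha):
    """The linear (degree-1) function x -> <alpha, x>; every linear f is of this form."""
    return lambda x: inner_product(alpha, x)


def flip_at(f, z):
    """f with its value at the single point z negated (a constructed 'almost linear' f)."""
    return lambda x: f(x) ^ (1 if x == z else 0)


def blr_round(f, n, rng=random):
    """One round of the BLR tester: sample x, y uniformly, query f at x, y and x + y,
    accept iff f(x) + f(y) = f(x + y).  Three queries, independent of n."""
    x = rng.randrange(2 ** n)
    y = rng.randrange(2 ** n)
    return (f(x) ^ f(y)) == f(x ^ y)


def blr_tester(f, n, rounds, rng=random):
    """Repeat the round; a function rejected with probability rho per round
    survives all rounds with probability (1 - rho)^rounds."""
    return all(blr_round(f, n, rng) for _ in range(rounds))


def rejection_probability(f, n):
    """Exact single-round rejection probability, by enumerating all 4^n pairs (small n)."""
    bad = sum(
        1
        for x in range(2 ** n)
        for y in range(2 ** n)
        if (f(x) ^ f(y)) != f(x ^ y)
    )
    return Fraction(bad, 4 ** n)


def distance_to_linear(f, n):
    """Normalized Hamming distance from f to the closest linear function."""
    points = range(2 ** n)
    best = min(
        sum(1 for x in points if f(x) != inner_product(alpha, x))
        for alpha in range(2 ** n)
    )
    return Fraction(best, 2 ** n)


def rejection_probability_fourier(f, n):
    """The same quantity via Fourier analysis: with F = (-1)^f,
    Pr[reject] = 1/2 - (1/2) * sum_alpha hat{F}(alpha)^3."""
    points = range(2 ** n)
    coeffs = [
        Fraction(sum((-1) ** (f(x) ^ inner_product(alpha, x)) for x in points), 2 ** n)
        for alpha in range(2 ** n)
    ]
    return Fraction(1, 2) - Fraction(1, 2) * sum(c ** 3 for c in coeffs)


if __name__ == "__main__":
    n = 3
    lin = linear_function(0b101)
    near = flip_at(lin, 0b110)  # differs from lin at one of the 8 points: 1/8-far
    print("linear:", rejection_probability(lin, n), distance_to_linear(lin, n))
    print("near:  ", rejection_probability(near, n), distance_to_linear(near, n),
          rejection_probability_fourier(near, n))
    rng = random.Random(1)
    print(blr_tester(lin, n, 20, rng), blr_tester(near, n, 20, rng))
```

For the constructed `near`, which is $1/8$-far from linear, a single round rejects with probability exactly $9/32$: the three queries hit the flipped point an odd number of times in 18 of the 64 pairs. The exact enumeration and the Fourier formula agree, and the randomized tester drives the acceptance probability of `near` down as $(23/32)^{\text{rounds}}$ while a genuinely linear function is never rejected.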
A fundamental result by Blum, Luby and Rubinfeld [BLR93] used Fourier analysis to show that such testers exist for linear functions (i.e., when $d = 1$). The Gowers norm was introduced by Gowers [Gow01] as a higher-order analogue of the Fourier transform, for use in his new proof of Szemerédi's theorem. This proof generalized the argument of Roth [Rot53], who used Fourier analysis to show the existence of many 3-term arithmetic progressions in any sufficiently dense subset of the integers. Using the Gowers norm, Alon et al. [AKK+05] generalized the tester of [BLR93] to any degree $d$, rejecting functions that are $\varepsilon$-far from degree-$d$ polynomials with some very small (but constant) probability that depends only on $\varepsilon$ and $d$. The Gowers inverse conjecture was that the same tester proposed by [AKK+05] rejects functions which are $(1/2 - \varepsilon')$-far from degree-$d$ polynomials with probability at least $1/2 - \varepsilon$, where $\varepsilon'$ depends only on $\varepsilon$ and $d$. The Gowers inverse conjecture is trivial for $d = 0$ (with $\varepsilon' = \varepsilon/2$), and it can also be shown to hold for $d = 1$ using elementary Fourier analysis (with $\varepsilon' = \Omega(\varepsilon^2)$). The case $d = 2$ is more involved, and it was shown to hold in [Sam07, GT08a] with $\varepsilon' = \exp(-1/\varepsilon)$. Plugging the quasipolynomial Freiman-Ruzsa theorem (Theorem below) into the proof method of [Sam07, GT08a] improves the dependency of $\varepsilon'$ on $\varepsilon$ to quasipolynomial, and achieving $\varepsilon' = \mathrm{poly}(\varepsilon)$ was shown to be equivalent to the polynomial Freiman-Ruzsa conjecture (Conjecture below) [Lov12, GT10]. The Gowers inverse conjecture is false in general when $d \ge 3$ [LMS11, GT09], but it holds when the characteristic of the underlying field is greater than $d$ [TZ10]. However, a major drawback of the proof method of [TZ10] is that it uses ergodic theory and is therefore non-constructive, giving no bounds on $\varepsilon'$ in terms of $\varepsilon$ and $d$.

1.2.3 Sum-product estimates and randomness extractors

A randomness extractor is a (deterministic) procedure that distills (almost) perfect randomness, needed for the performance of randomized algorithms and protocols, from weak sources of randomness that exist in nature. A source is modeled as a random variable taking values in $\{0, 1\}^n$, and the amount of randomness in the source is measured by its min-entropy, defined as the largest integer $k$ such that for every string $x \in \{0, 1\}^n$ the probability that the random variable equals $x$ is at most $2^{-k}$. Unfortunately, it is impossible to extract randomness from a single weak source of randomness, and therefore further assumptions on the structure of the source are needed. One of the most natural families of extractors are $\ell$-source extractors, which extract randomness from $\ell$ independent weak sources of randomness. Another well-studied family are affine extractors, which extract randomness from sources that are distributed uniformly over affine subspaces. In both models, the probabilistic method shows the existence of extractors for min-entropy as small as $\log n + O(1)$, but surprisingly, until very few years ago explicit constructions for min-entropy smaller than $n/2$ were not known.
This picture changed dramatically when a connection between randomness extractors and sum-product estimates was discovered. Roughly speaking, sum-product estimates show that a typical subset of a given ring cannot have a large amount of additive and multiplicative structure simultaneously. More formally, the goal is to show that in a certain ring $R$, for an arbitrary subset $A$ of $R$, at least one of the sets $A + A$ or $A \cdot A$ is of size at least $\min\{|R|, |A|^{1+\varepsilon}\}$ for some constant $\varepsilon > 0$. This was shown to hold over the integers by Erdös and Szemerédi [ES83], and an analogue of this result over finite fields was recently proven in [BKT04, BGK06]. The latter pair of results had interesting consequences for incidence problems in discrete geometry, such as the incidence problem for lines and the Erdös distance problem, and they were also used to obtain bounds on exponential sums. Furthermore, it turned out that sum-product estimates over finite fields were the right tool needed for beating the $n/2$ barrier in the construction of extractors. More specifically, the growth in the size of $A + A$ or $A \cdot A$ guaranteed by these estimates can be used to argue that the image of certain functions over finite fields, defined using both addition and multiplication, is pseudorandom, and consequently these functions can be used as extractors. This was first realized by Barak et al. [BIW06], who used this idea for the construction of $\ell$-source extractors for min-entropy $\delta n$ for any $\delta > 0$, where $\ell$ is a constant which depends only on $\delta$. In the meanwhile, Bourgain [Bou05, Bou07] managed to construct two-source extractors for min-entropy $(\frac{1}{2} - \alpha)n$ for some small constant $\alpha > 0$, and affine extractors for min-entropy $\delta n$ for any $\delta > 0$, using the advances on the incidence problem for lines and the bounds on exponential sums mentioned above.

1.3 Freiman-Ruzsa theorems and their applications in computational complexity

In this section we discuss the Freiman-Ruzsa theorems and their applications in computational complexity, a main object of study of this thesis. Roughly speaking, these results investigate the additive structure imposed on a given set $A$ by the size of $A + A$. This question is interesting over any additive group, but for simplicity we concentrate only on the case of the ambient group being $\mathbb{F}_2^n$. For $A \subseteq \mathbb{F}_2^n$, let $A + A$ denote the sum-set of $A$,
$$A + A := \{a + a' \mid a, a' \in A\},$$
where addition is over $\mathbb{F}_2$. It is easy to see that $|A + A| = |A|$ if and only if $A$ is an affine subspace of $\mathbb{F}_2^n$. The question addressed by the Freiman-Ruzsa theorem is whether the ratio of $|A + A|$ to $|A|$ also approximates the closeness of $A$ to being a subspace, or in other words, whether the fact that $|A + A|$ is small with respect to the size of $A$ also implies that $|\mathrm{span}(A)|$ is small with respect to the size of $A$. The Freiman-Ruzsa theorem [Ruz99] says that this is indeed the case.

Theorem (Freiman-Ruzsa theorem [Ruz99]). If $A \subseteq \mathbb{F}_2^n$ has $|A + A| \le K|A|$, then $|\mathrm{span}(A)| \le K^2 2^{K^4} |A|$.
The above theorem was improved in a series of works [GR06, San08b, GT09], culminating in the recent work [EZ12] which proved an upper bound on the ratio $|\mathrm{span}(A)|/|A|$ of the form $2^{2K}/(2K)$. This bound can be seen to be tight by letting $A = \bigcup_{i=1}^{t} (u_i + V)$, where $u_1, u_2, \ldots, u_t \in \mathbb{F}_2^n$ are linearly independent vectors and $V \subseteq \mathbb{F}_2^n$ is a subspace of dimension $d$ such that $\mathrm{span}(\{u_1, \ldots, u_t\}) \cap V = \{0\}$. Then in this case we have $|A| = t \cdot 2^d$ and $|A + A| \le t|A|$, while $|\mathrm{span}(A)| = 2^{t+d} = \frac{2^t}{t}|A|$. This example also shows that the ratio $|\mathrm{span}(A)|/|A|$ must depend exponentially on $K$. However, it does not rule out the existence of a large subset $A' \subseteq A$ for which the ratio $|\mathrm{span}(A')|/|A'|$ is just polynomial in $K$, and this is exactly what is suggested by the PFR conjecture:

Conjecture 1.3.2 (Polynomial Freiman-Ruzsa (PFR)). There exists an absolute constant $r$ such that if $A \subseteq \mathbb{F}_2^n$ has $|A + A| \le K|A|$, then there exists a subset $A' \subseteq A$ of size at least $K^{-r}|A|$ such that $|\mathrm{span}(A')| \le |A|$.

Note that the above conjecture implies that $|\mathrm{span}(A')| \le |A| \le K^r |A'|$. The PFR conjecture has many other interesting equivalent formulations; see the survey of Green [Gre05] for some of them. It is conjectured to hold for subsets of general groups as well, and not only for subsets of the group $\mathbb{F}_2^n$, but we will be interested only in the latter case. Significant progress on this conjecture has been achieved recently by Sanders [San12b], using almost-periodicity results developed by Croot and Sisask [CS10]. Sanders proved an upper bound on the ratio $|\mathrm{span}(A')|/|A'|$ which is quasi-polynomial in $K$ (see also Chapters 6 and 7 for a simplified proof of this theorem):

Theorem (Quasi-polynomial Freiman-Ruzsa theorem (QFR) [San12b]). Let $A \subseteq \mathbb{F}_2^n$ be a set such that $|A + A| \le K|A|$. Then there exists a subset $A' \subseteq A$ of size at least $K^{-O(\log^3 K)}|A|$ such that $|\mathrm{span}(A')| \le |A|$.

We end this section by listing several recent applications of the PFR conjecture to theoretical computer science. The first application, due to Samorodnitsky, Green and Tao [Sam07, GT08a], with further results by Lovett [Lov12] and Green and Tao [GT10], shows that the $d = 2$ case of the Gowers inverse conjecture, discussed in Section 1.2.2, holds with $\varepsilon' = \mathrm{poly}(\varepsilon)$ if and only if the PFR conjecture holds.
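As an added example (not code from the thesis), the following Python computes the quantities of this section for small sets in $\mathbb{F}_2^n$: the sum-set $A + A$, $\mathrm{span}(A)$, the doubling constant $K$, Ruzsa's bound, and the tight example $A = \bigcup_i (u_i + V)$ together with the single coset $u_1 + V$ that witnesses the PFR conjecture for it. Vectors are encoded as Python ints and all function names are my own.

```python
"""Sum-sets, spans and Freiman-Ruzsa quantities over F_2^n.

Added example, not code from the thesis.  A vector in F_2^n is stored as a
Python int (bit i is coordinate i), so addition over F_2 is XOR and the
standard basis vectors are e_i = 1 << i.
"""
import math
import random


def sumset(A):
    """A + A = {a + a' : a, a' in A}; over F_2 the sum a + a' is a ^ a'."""
    return {a ^ b for a in A for b in A}


def span(A):
    """Linear span of A over F_2, built by closing {0} under XOR with each
    element not yet in the span (the span doubles each time)."""
    S = {0}
    for a in A:
        if a not in S:
            S |= {s ^ a for s in S}
    return S


def is_affine_subspace(A):
    """Over F_2 a non-empty set is an affine subspace iff it is closed under
    the operation (a, a', a'') -> a + a' + a''."""
    A = set(A)
    return all(a ^ b ^ c in A for a in A for b in A for c in A)


def doubling(A):
    """The doubling constant K = |A + A| / |A|."""
    return len(sumset(A)) / len(A)


def fr_ratio(A):
    """|span(A)| / |A|, the ratio bounded by the Freiman-Ruzsa theorem."""
    return len(span(A)) / len(A)


def ruzsa_bound_holds(A):
    """Check |span(A)| <= K^2 * 2^(K^4) * |A| (Ruzsa's bound), in log2 form
    so that a large K does not overflow a float."""
    K = doubling(A)
    return math.log2(fr_ratio(A)) <= 2 * math.log2(K) + K ** 4


def tight_example(t, d):
    """The tight example of the text: A = union_{i=1..t} (u_i + V) with
    V = span(e_0, ..., e_{d-1}) and u_i = e_{d+i-1}, so that
    span({u_1, ..., u_t}) meets V only in 0.  Then |A| = t * 2^d,
    |A + A| <= t * |A| and |span(A)| = 2^(t+d) = (2^t / t) * |A|."""
    V = span({1 << j for j in range(d)})
    return {(1 << (d + i)) ^ v for i in range(t) for v in V}


def pfr_witness(t, d):
    """For the tight example the PFR conjecture is easy to check by hand:
    the single coset A' = u_1 + V has density |A'| / |A| = 1 / t, which is
    about 1 / (2K) since K = |A + A| / |A| is roughly t / 2, and
    |span(A')| = 2^(d+1) <= |A| as soon as t >= 2.
    Returns (|A'| / |A|, |span(A')|)."""
    A = tight_example(t, d)
    A_prime = {a for a in A if a >> (d + 1) == 0}  # exactly the coset u_1 + V
    return len(A_prime) / len(A), len(span(A_prime))


def doubling_one_iff_affine(n, trials, seed=0):
    """Spot-check the claim |A + A| = |A| <=> A is an affine subspace on
    random sets in F_2^n, mixing arbitrary small sets with random affine
    subspaces so that both sides of the equivalence are exercised."""
    rng = random.Random(seed)
    points = range(1 << n)
    for _ in range(trials):
        if rng.random() < 0.5:
            A = set(rng.sample(points, rng.randint(1, 6)))
        else:
            shift = rng.randrange(1 << n)
            A = {shift ^ v for v in span(rng.sample(points, rng.randint(1, 3)))}
        if (len(sumset(A)) == len(A)) != is_affine_subspace(A):
            return False
    return True


if __name__ == "__main__":
    A = tight_example(4, 2)
    print(len(A), len(sumset(A)), len(span(A)))         # 16 28 64
    print(doubling(A), fr_ratio(A), pfr_witness(4, 2))  # 1.75 4.0 (0.25, 8)
```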
In Chapters 3 and 4 of this thesis we shall show applications of the PFR conjecture to the construction of two-source extractors and to relating rank to communication complexity. Our proof method was later applied also by Bhowmick, Dvir and Lovett [BDL13] to show that the PFR conjecture implies lower bounds on matching vector codes. Recently, Aggarwal, Dodis and Lovett [ADL14] found another application of the PFR conjecture to the design of non-malleable codes.

1.4 Our contributions

In this thesis we show further applications of additive combinatorics methods to fundamental open problems in computational complexity in the sub-fields of pseudorandomness, communication complexity, public key cryptography and local decoding. Below we describe our contributions in more detail.

From affine to two-source extractors

As mentioned above, two-source and affine extractors are two well-studied types of randomness extractors. Furthermore, explicit constructions of these two distinct objects seem to be related since, as mentioned in Section 1.2.3, constructions of both objects for min-entropy above $n/2$ have been known for quite some time [CGH+85, BSHR+01], and much of the recent progress on both problems [BIW06, Bou05, Bou07] has relied on the sum-product estimates over finite fields of [BKT04, BGK06]. In Chapter 3 we establish further connections between affine and two-source extractors by presenting a black-box construction of two-source extractors for min-entropy $\delta n$, for any $\delta > 0$, from any affine extractor with sufficiently good parameters. Two such constructions are presented, and the first part of our analysis shows that they lead to two-source dispersers, which are weak (but nontrivial) kinds of two-source extractors, also known as bipartite Ramsey graphs. To strengthen this result and obtain two-source extractors we introduce the approximate duality conjecture (ADC), discussed below, and initiate its study. The ADC leads to a rather general result that can be used to convert a natural class of two-source dispersers (low-rank dispersers) into two-source extractors. Suppose that a boolean two-input function $E : \mathbb{F}_2^n \times \mathbb{F}_2^n \to \mathbb{F}_2$ is a two-source disperser for min-entropy $\delta n$. Our main observation, which uses the ADC, is that if $E$ has rank $O(n)$ over $\mathbb{F}_2$ when viewed as a $2^n \times 2^n$ matrix in the natural way, then $E$ is a two-source extractor for min-entropy $(\delta + \gamma)n$ (for any $\gamma > 0$) with exponentially small error!

The approximate duality conjecture (ADC)

The ADC is a natural conjecture in additive combinatorics, so it deserves independent study.
Further motivation is provided by three other recent applications of it: to relating rank to communication complexity (see below), to cryptography (see below) and to lower bounds on locally decodable codes [BDL13], as well as by its tight connections with the polynomial Freiman-Ruzsa conjecture (PFR, Conjecture 1.3.2 above). Define the duality measure of a pair of sets $A, B \subseteq \mathbb{F}_2^n$ to be
$$D(A, B) = \left| \mathbb{E}_{a \in A,\, b \in B}\left[ (-1)^{\sum_{i=1}^{n} a_i b_i} \right] \right|.$$
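As an added example (not code from the thesis), the following Python computes $D(A,B)$ for sets of bit-vectors in $\mathbb{F}_2^n$, checks when it equals exactly $1$ against the affine-shift description of the duality measure, and shows the trivial dual sub-pair (one vector of $B$, the majority half of $A$) that the ADC's density bound has to improve on. All function names are my own.

```python
"""The duality measure D(A, B) of two sets A, B in F_2^n.

Added example, not code from the thesis.  Vectors are Python ints (bit i is
coordinate i), so <a, b> over F_2 is the parity of popcount(a & b).
"""
import random


def inner(a, b):
    """Inner product <a, b> = sum_i a_i b_i over F_2."""
    return bin(a & b).count("1") & 1


def duality_measure(A, B):
    """D(A, B) = | E_{a in A, b in B} [(-1)^{<a,b>}] |, a value in [0, 1]."""
    total = sum(1 - 2 * inner(a, b) for a in A for b in B)
    return abs(total) / (len(A) * len(B))


def dual_coset(B, n, c):
    """{x in F_2^n : <x, b> = c for every b in B}.  For c = 0 this is the
    space dual to span(B); for c = 1 it is an affine shift of that space
    (empty when no such shift exists, e.g. when 0 is in B)."""
    return {x for x in range(1 << n) if all(inner(x, b) == c for b in B)}


def is_dual_pair(A, B, n):
    """Exact duality: A lies inside one affine shift of span(B)^perp on which
    <., b> takes the same value c for every b in B.  This is precisely the
    condition under which every sign (-1)^{<a,b>} agrees, i.e. D(A, B) = 1."""
    return any(A <= dual_coset(B, n, c) for c in (0, 1))


def trivial_dual_subpair(A, B):
    """The baseline the ADC has to beat: restrict B to a single vector b and
    keep the majority side of A.  This always gives D(A', B') = 1 with
    |A'| >= |A| / 2 but only |B'| = 1, i.e. density 1 / |B| on the B side."""
    b = min(B)
    sides = {0: set(), 1: set()}
    for a in A:
        sides[inner(a, b)].add(a)
    return max(sides.values(), key=len), {b}


def characterisation_holds(n, trials, seed=0):
    """Spot-check 'D(A, B) = 1 iff (A, B) is an exactly dual pair' on random
    small sets in F_2^n."""
    rng = random.Random(seed)
    points = range(1 << n)
    for _ in range(trials):
        A = set(rng.sample(points, rng.randint(1, 4)))
        B = set(rng.sample(points, rng.randint(1, 4)))
        if (duality_measure(A, B) == 1.0) != is_dual_pair(A, B, n):
            return False
    return True


if __name__ == "__main__":
    n, B = 4, {0b0011, 0b0101}          # constructed sample sets
    A = dual_coset(B, n, 1)             # {1, 6, 9, 14}: a shift of span(B)^perp
    print(sorted(A), duality_measure(A, B))                # [1, 6, 9, 14] 1.0
    A2 = (A - {14}) | {0b0010}          # break duality for one vector and one b
    print(duality_measure(A2, B), is_dual_pair(A2, B, n))  # 0.75 False
```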

Then $D(A, B) = 1$ if and only if $A$ is contained in an affine shift of the space dual to the span of $B$. The ADC says that every pair $(A, B)$ contains a pair of subsets $(A', B')$ that have duality measure exactly $1$, and the densities $|A'|/|A|$ and $|B'|/|B|$ increase with $D(A, B)$:
$$\min\left\{ \frac{|A'|}{|A|}, \frac{|B'|}{|B|} \right\} \ge \exp\left( -c\sqrt{n \log(1/D(A, B))} \right)$$
for a positive universal constant $c$. In Chapter 2 we justify the above conjecture by proving a special case of it, and by showing that the ADC is implied by the PFR conjecture and that the ADC also implies a weak but as-of-yet unknown version of the PFR conjecture.

Relating rank to communication complexity

Communication complexity is the sub-field of computational complexity that studies the limitations on the efficient communication needed for performing computational tasks jointly by multiple parties. In the communication complexity model, two (or more) parties wish to compute some prescribed function where the input to this function is split between the parties. For this, the parties must communicate with each other according to some protocol. The communication complexity of the function is the minimum total number of bits sent between the parties during the execution of the protocol, in the worst case. The goal in this field is to either design efficient protocols with low communication complexity or to show limitations on the performance of such protocols. Thus, one main objective in communication complexity is to identify complexity measures of functions that imply low or high communication complexity. Mehlhorn and Schmidt [MS82] were the first to suggest matrix rank as one such measure. Among other things, they showed
$$\log \mathrm{rank}_{\mathbb{F}}(M) \le CC(M) \le \mathrm{rank}_{\mathbb{F}_2}(M), \tag{1.1}$$
where $CC(M)$ denotes the (deterministic) communication complexity of the function associated with $M$, the rank on the left hand side is over any field $\mathbb{F}$, and on the right hand side it is over the two-element field $\mathbb{F}_2$.
For certain matrices $M$, communication complexity equals the right hand side above, and this completely settles the question of communication complexity vs. $\mathbb{F}_2$-rank. In Chapter 4 we reopen this question by pointing out that when $M$ has an additional natural combinatorial property (high discrepancy with respect to distributions which are uniform over submatrices) then communication complexity can be sublinear in $\mathbb{F}_2$-rank. Assuming the PFR conjecture (Conjecture 1.3.2), we show that $CC(M) \le O(\mathrm{rank}_{\mathbb{F}_2}(M) / \log \mathrm{rank}_{\mathbb{F}_2}(M))$ for any matrix $M$ which satisfies the above combinatorial property. Our analysis uses the ADC conjecture discussed above. Our main result also had consequences for the well-known log-rank conjecture in communication complexity. Observe that $\mathrm{rank}_{\mathbb{F}_2}(M) \le \mathrm{rank}_{\mathbb{R}}(M)$ for any $\{0,1\}$-valued matrix $M$, and so Equation (1.1) above implies that $\log \mathrm{rank}_{\mathbb{R}}(M) \le CC(M) \le \mathrm{rank}_{\mathbb{R}}(M)$, and it is a fundamental question to find out the true worst-case dependency of $CC(M)$ on the real rank. The famous log-rank conjecture due to Lovász and Saks [LS88] postulates that communication complexity is always closer to the left hand side. (And recall that this is false over $\mathbb{F}_2$.) Though considerable efforts have been invested in attempts to make progress on this conjecture since its introduction about 25 years ago, not much was known about it. In particular, there had been essentially no improvement on the trivial upper bound of $\mathrm{rank}_{\mathbb{R}}(M)$ beyond constant factors. As a corollary of our main result, we obtained the first progress on this conjecture, showing that, assuming the PFR conjecture, $CC(M) \le O(\mathrm{rank}_{\mathbb{R}}(M) / \log \mathrm{rank}_{\mathbb{R}}(M))$ for any $\{0,1\}$-valued matrix $M$. In a recent breakthrough [Lov14], this upper bound was improved to $O(\sqrt{\mathrm{rank}_{\mathbb{R}}(M)})$ and the PFR assumption was eliminated.

Limitations of Public Key Encryption from Noisy Codewords

Several well-known public key encryption schemes, including those of Alekhnovich [Ale11], Regev [Reg09], and Gentry, Peikert and Vaikuntanathan [GPV08], rely on the conjectured intractability of inverting a noisy linear encoding. These schemes are limited in that they either require the underlying field to grow polynomially with the security parameter, or alternatively they can work over the binary field but have a low noise entropy that gives rise to sub-exponential attacks.
Motivated by the goal of achieving efficient public key cryptography, we study the possibility of obtaining improved security over the binary field by using different noise distributions. We obtain the following main results.

A unified framework. We propose a unified framework for the study of the three encryption schemes mentioned above: for each of the schemes we define a generalized version which allows for arbitrary choices of the underlying field and noise distribution. We then show that for an identical choice of parameters all the generalized schemes are equivalent in terms of security, in the sense that a public key and ciphertext can be efficiently translated from one scheme to another.

An unconditional negative result. Using previous results on agnostic learning of parities [KMV08], we show that any instance of the generalized encryption schemes over the binary field, using any noise distribution, can be attacked in time $2^{O(n / \log n)}$, where $n$ is the ciphertext size. This negative result holds even when allowing a decryption error very close to one. Using a generalized form of Regev's security proof [Reg09] we show that the attack above can be turned into a sub-exponential algorithm that learns parities corrupted by arbitrary noise distributions using a relatively small number of samples. In particular, this algorithm solves the learning parity with noise (LPN) problem in time $2^{O(n / \log \log n)}$ using only $n^{1+\varepsilon}$ samples, reproducing the result of Lyubashevsky [Lyu05] in a conceptually different way.

Conditional negative results. Under the approximate duality conjecture we strengthen the above negative result to yield $2^{O(\sqrt{n})}$-time attacks, where $n$ is the maximum of the ciphertext size and the public key size (and where the latter excludes public randomness used for specifying the code), in the case in which the decryption error of a single encryption is a sufficiently small constant. Under a natural variant of this conjecture, we obtain a similar attack where $n$ is just the ciphertext size. Finally, we study the possibility of instantiating the unified framework over constant-size rings to yield encryption schemes with no decryption error. We show that over the binary field decryption errors are inherent. On the positive side, building on the construction of matching vector families [Gro00, Efr12, DGY11], we suggest plausible candidates for secure instances of the framework over constant-size rings that can offer perfectly correct decryption.


More information

Decomposing Bent Functions

Decomposing Bent Functions 2004 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 49, NO. 8, AUGUST 2003 Decomposing Bent Functions Anne Canteaut and Pascale Charpin Abstract In a recent paper [1], it is shown that the restrictions

More information

Space Complexity vs. Query Complexity

Space Complexity vs. Query Complexity Space Complexity vs. Query Complexity Oded Lachish 1, Ilan Newman 2, and Asaf Shapira 3 1 University of Haifa, Haifa, Israel, loded@cs.haifa.ac.il. 2 University of Haifa, Haifa, Israel, ilan@cs.haifa.ac.il.

More information

Three Query Locally Decodable Codes with Higher Correctness Require Exponential Length

Three Query Locally Decodable Codes with Higher Correctness Require Exponential Length Three Query Locally Decodable Codes with Higher Correctness Require Exponential Length Anna Gál UT Austin panni@cs.utexas.edu Andrew Mills UT Austin amills@cs.utexas.edu March 8, 20 Abstract Locally decodable

More information

CS369E: Communication Complexity (for Algorithm Designers) Lecture #8: Lower Bounds in Property Testing

CS369E: Communication Complexity (for Algorithm Designers) Lecture #8: Lower Bounds in Property Testing CS369E: Communication Complexity (for Algorithm Designers) Lecture #8: Lower Bounds in Property Testing Tim Roughgarden March 12, 2015 1 Property Testing We begin in this section with a brief introduction

More information

The Tensor Product of Two Codes is Not Necessarily Robustly Testable

The Tensor Product of Two Codes is Not Necessarily Robustly Testable The Tensor Product of Two Codes is Not Necessarily Robustly Testable Paul Valiant Massachusetts Institute of Technology pvaliant@mit.edu Abstract. There has been significant interest lately in the task

More information

Algebraic Property Testing: The Role of Invariance

Algebraic Property Testing: The Role of Invariance Algebraic Property Testing: The Role of Invariance Tali Kaufman Madhu Sudan November 2, 2007 Abstract We argue that the symmetries of a property being tested play a central role in property testing. We

More information

Testing Problems with Sub-Learning Sample Complexity

Testing Problems with Sub-Learning Sample Complexity Testing Problems with Sub-Learning Sample Complexity Michael Kearns AT&T Labs Research 180 Park Avenue Florham Park, NJ, 07932 mkearns@researchattcom Dana Ron Laboratory for Computer Science, MIT 545 Technology

More information

Discrepancy Theory in Approximation Algorithms

Discrepancy Theory in Approximation Algorithms Discrepancy Theory in Approximation Algorithms Rajat Sen, Soumya Basu May 8, 2015 1 Introduction In this report we would like to motivate the use of discrepancy theory in algorithms. Discrepancy theory

More information

Roth s Theorem on Arithmetic Progressions

Roth s Theorem on Arithmetic Progressions September 25, 2014 The Theorema of Szemerédi and Roth For Λ N the (upper asymptotic) density of Λ is the number σ(λ) := lim sup N Λ [1, N] N [0, 1] The Theorema of Szemerédi and Roth For Λ N the (upper

More information

ALL codes discussed in this paper are linear. We study. Locally Testable Cyclic Codes. László Babai, Amir Shpilka, and Daniel Štefankovič

ALL codes discussed in this paper are linear. We study. Locally Testable Cyclic Codes. László Babai, Amir Shpilka, and Daniel Štefankovič Locally Testable Cyclic Codes László Babai, Amir Shpilka, and Daniel Štefankovič Abstract Cyclic linear codes of block length over a finite field are linear subspaces of that are invariant under a cyclic

More information

Low Rate Is Insufficient for Local Testability

Low Rate Is Insufficient for Local Testability Electronic Colloquium on Computational Complexity, Revision 2 of Report No. 4 (200) Low Rate Is Insufficient for Local Testability Eli Ben-Sasson Michael Viderman Computer Science Department Technion Israel

More information

Testing Low-Degree Polynomials over GF (2)

Testing Low-Degree Polynomials over GF (2) Testing Low-Degree Polynomials over GF (2) Noga Alon Tali Kaufman Michael Krivelevich Simon Litsyn Dana Ron July 9, 2003 Abstract We describe an efficient randomized algorithm to test if a given binary

More information

Higher-order Fourier analysis of F n p and the complexity of systems of linear forms

Higher-order Fourier analysis of F n p and the complexity of systems of linear forms Higher-order Fourier analysis of F n p and the complexity of systems of linear forms Hamed Hatami School of Computer Science, McGill University, Montréal, Canada hatami@cs.mcgill.ca Shachar Lovett School

More information

Probabilistic construction of t-designs over finite fields

Probabilistic construction of t-designs over finite fields Probabilistic construction of t-designs over finite fields Shachar Lovett (UCSD) Based on joint works with Arman Fazeli (UCSD), Greg Kuperberg (UC Davis), Ron Peled (Tel Aviv) and Alex Vardy (UCSD) Gent

More information

Fully Homomorphic Encryption - Part II

Fully Homomorphic Encryption - Part II 6.889: New Developments in Cryptography February 15, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption - Part II Scribe: Elette Boyle 1 Overview We continue our discussion on the fully homomorphic

More information

Quantum Communication Complexity

Quantum Communication Complexity Quantum Communication Complexity Ronald de Wolf Communication complexity has been studied extensively in the area of theoretical computer science and has deep connections with seemingly unrelated areas,

More information

Bootstrapping Obfuscators via Fast Pseudorandom Functions

Bootstrapping Obfuscators via Fast Pseudorandom Functions Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator

More information

Computational security & Private key encryption

Computational security & Private key encryption Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability

More information

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &

More information

PCP Theorem and Hardness of Approximation

PCP Theorem and Hardness of Approximation PCP Theorem and Hardness of Approximation An Introduction Lee Carraher and Ryan McGovern Department of Computer Science University of Cincinnati October 27, 2003 Introduction Assuming NP P, there are many

More information

The Complexity of the Matroid-Greedoid Partition Problem

The Complexity of the Matroid-Greedoid Partition Problem The Complexity of the Matroid-Greedoid Partition Problem Vera Asodi and Christopher Umans Abstract We show that the maximum matroid-greedoid partition problem is NP-hard to approximate to within 1/2 +

More information

Limits on the Stretch of Non-Adaptive Constructions of Pseudo-Random Generators

Limits on the Stretch of Non-Adaptive Constructions of Pseudo-Random Generators Limits on the Stretch of Non-Adaptive Constructions of Pseudo-Random Generators Josh Bronson 1, Ali Juma 2, and Periklis A. Papakonstantinou 3 1 HP TippingPoint josh.t.bronson@hp.com 2 University of Toronto

More information

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Practical Analysis of Key Recovery Attack against Search-LWE Problem Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate

More information

Walk through Combinatorics: Sumset inequalities.

Walk through Combinatorics: Sumset inequalities. Walk through Combinatorics: Sumset inequalities (Version 2b: revised 29 May 2018) The aim of additive combinatorics If A and B are two non-empty sets of numbers, their sumset is the set A+B def = {a+b

More information

A Separation Theorem in Property Testing

A Separation Theorem in Property Testing A Separation Theorem in Property Testing Noga Alon Asaf Shapira Abstract Consider the following seemingly rhetorical question: Is it crucial for a property-tester to know the error parameter ɛ in advance?

More information

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Notes for Lecture Decision Diffie Hellman and Quadratic Residues U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions

More information

Invariance in Property Testing

Invariance in Property Testing Invariance in Property Testing Madhu Sudan Microsoft Research Based on: works with/of Eli Ben-Sasson, Elena Grigorescu, Tali Kaufman, Shachar Lovett, Ghid Maatouk, Amir Shpilka. February 22, 2012 Invariance

More information

Lecture 1 : Probabilistic Method

Lecture 1 : Probabilistic Method IITM-CS6845: Theory Jan 04, 01 Lecturer: N.S.Narayanaswamy Lecture 1 : Probabilistic Method Scribe: R.Krithika The probabilistic method is a technique to deal with combinatorial problems by introducing

More information

CS168: The Modern Algorithmic Toolbox Lecture #19: Expander Codes

CS168: The Modern Algorithmic Toolbox Lecture #19: Expander Codes CS168: The Modern Algorithmic Toolbox Lecture #19: Expander Codes Tim Roughgarden & Gregory Valiant June 1, 2016 In the first lecture of CS168, we talked about modern techniques in data storage (consistent

More information

Sublinear Time Algorithms

Sublinear Time Algorithms Electronic Colloquium on Computational Complexity, Report No. 13 (2011) Sublinear Time Algorithms Ronitt Rubinfeld Asaf Shapira Abstract Sublinear time algorithms represent a new paradigm in computing,

More information

How to Encrypt with the LPN Problem

How to Encrypt with the LPN Problem How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed

More information

Fully Homomorphic Encryption

Fully Homomorphic Encryption Fully Homomorphic Encryption Boaz Barak February 9, 2011 Achieving fully homomorphic encryption, under any kind of reasonable computational assumptions (and under any reasonable definition of reasonable..),

More information

On Axis-Parallel Tests for Tensor Product Codes

On Axis-Parallel Tests for Tensor Product Codes Electronic Colloquium on Computational Complexity, Report No. 110 (2017) On Axis-Parallel Tests for Tensor Product Codes Alessandro Chiesa alexch@berkeley.edu UC Berkeley Peter Manohar manohar@berkeley.edu

More information

Error Correcting Codes Questions Pool

Error Correcting Codes Questions Pool Error Correcting Codes Questions Pool Amnon Ta-Shma and Dean Doron January 3, 018 General guidelines The questions fall into several categories: (Know). (Mandatory). (Bonus). Make sure you know how to

More information

SHORT PCPS WITH POLYLOG QUERY COMPLEXITY

SHORT PCPS WITH POLYLOG QUERY COMPLEXITY SIAM J. COMPUT. Vol. 38, No. 2, pp. 551 607 c 2008 Society for Industrial and Applied Mathematics SHORT PCPS WITH POLYLOG QUERY COMPLEXITY ELI BEN-SASSON AND MADHU SUDAN Abstract. We give constructions

More information

On Sums of Locally Testable Affine Invariant Properties

On Sums of Locally Testable Affine Invariant Properties On Sums of Locally Testable Affine Invariant Properties Eli Ben-Sasson, Elena Grigorescu, Ghid Maatouk, Amir Shpilka, and Madhu Sudan Abstract. Affine-invariant properties are an abstract class of properties

More information

Locally Decodable Codes

Locally Decodable Codes Foundations and Trends R in sample Vol. xx, No xx (xxxx) 1 114 c xxxx xxxxxxxxx DOI: xxxxxx Locally Decodable Codes Sergey Yekhanin 1 1 Microsoft Research Silicon Valley, 1065 La Avenida, Mountain View,

More information

Non-Malleable Coding Against Bit-wise and Split-State Tampering

Non-Malleable Coding Against Bit-wise and Split-State Tampering Non-Malleable Coding Against Bit-wise and Split-State Tampering Mahdi Cheraghchi 1 and Venkatesan Guruswami 2 1 CSAIL, Massachusetts Institute of Technology mahdi@csail.mit.edu 2 Computer Science Department,

More information

Higher-order Fourier Analysis over Finite Fields, and Applications. Pooya Hatami

Higher-order Fourier Analysis over Finite Fields, and Applications. Pooya Hatami Higher-order Fourier Analysis over Finite Fields, and Applications Pooya Hatami Coding Theory: Task: Reliably transmit a message through an unreliable channel. m F k 2 c m F N 2 Coding Theory: Task: Reliably

More information

On Linear Subspace Codes Closed under Intersection

On Linear Subspace Codes Closed under Intersection On Linear Subspace Codes Closed under Intersection Pranab Basu Navin Kashyap Abstract Subspace codes are subsets of the projective space P q(n), which is the set of all subspaces of the vector space F

More information

Lattice Cryptography

Lattice Cryptography CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security

More information

IMPROVING THE ALPHABET-SIZE IN EXPANDER BASED CODE CONSTRUCTIONS

IMPROVING THE ALPHABET-SIZE IN EXPANDER BASED CODE CONSTRUCTIONS IMPROVING THE ALPHABET-SIZE IN EXPANDER BASED CODE CONSTRUCTIONS 1 Abstract Various code constructions use expander graphs to improve the error resilience. Often the use of expanding graphs comes at the

More information

Explicit Ramsey graphs and orthonormal labelings

Explicit Ramsey graphs and orthonormal labelings Explicit Ramsey graphs and orthonormal labelings Noga Alon Submitted: August 22, 1994; Accepted October 29, 1994 Abstract We describe an explicit construction of triangle-free graphs with no independent

More information