Additive Combinatorics Methods in Computational Complexity. Noga Ron-Zewi
Additive Combinatorics Methods in Computational Complexity
Research Thesis
In Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy
Noga Ron-Zewi
Submitted to the Senate of Technion - Israel Institute of Technology
Av 5774, Haifa, August 2014
This research thesis was done under the supervision of Prof. Eli Ben-Sasson from the department of computer science, Technion - Israel Institute of Technology.

First and foremost, I would like to thank Eli for continuous support and encouragement, loads of enthusiasm and optimism, and for teaching me almost all I know about research. I was also fortunate to have many wonderful collaborators in this thesis and I would like to thank them all: Iddo Ben-Tov, Ivan Damgård, Yuval Ishai, Shachar Lovett, Madhu Sudan, Madhur Tulsiani and Julia Wolf. I am especially indebted to Prof. Madhu Sudan for hosting me two fun and productive summers at the Microsoft Research Lab at New-England and one semester at MIT. I thank Prof. Amir Shpilka from the department of computer science at the Technion who acted as my temporary advisor during Eli's sabbatical and helped me in many ways. I would also like to thank my friends at the department, and especially my office-mate Elad Haramaty, for many helpful and interesting conversations, and for an enjoyable time. Last but not least, I thank my parents Tamar and Gill for their continuous support and interest in my work. And my husband Yehoshua and son Nadav for making the Ph.D. period so meaningful.

The generous financial help of the Technion, the Israel Ministry of Science and Technology and the European Community's Seventh Framework Programme is gratefully acknowledged.
List of Publications

Eli Ben-Sasson and Noga Ron-Zewi. From affine to two-source extractors via approximate duality. In Proceedings of the 43rd annual ACM Symposium on Theory of Computing (STOC). Pages , June

Eli Ben-Sasson, Shachar Lovett and Noga Ron-Zewi. An additive combinatorics approach relating rank to communication complexity. Journal of the ACM, to appear. Preliminary version in Proceedings of the 53rd Annual IEEE Symposium on Foundations of Computer Science (FOCS). Pages , October

Eli Ben-Sasson, Noga Ron-Zewi and Madhu Sudan. Sparse affine-invariant linear codes are locally testable. Computational Complexity, to appear. Preliminary version in Proceedings of the 53rd Annual IEEE Symposium on Foundations of Computer Science (FOCS). Pages , October

Eli Ben-Sasson, Noga Ron-Zewi, Madhur Tulsiani and Julia Wolf. Sampling-based proofs of almost-periodicity results and algorithmic applications. In Proceedings of the 41st International Colloquium on Automata, Languages, and Programming (ICALP). Pages , July

Eli Ben-Sasson, Iddo Ben-Tov, Ivan Damgård, Yuval Ishai and Noga Ron-Zewi. On the limitations of public key encryption from noisy codewords. Submitted.
Table of Contents

Abstract
Symbols and Abbreviations

1 Introduction
  1.1 Additive combinatorics
  1.2 Previous applications of additive combinatorics methods in computational complexity
  Szemerédi's regularity lemma and graph property testing
  The Gowers norm and low-degree testing
  Sum-product estimates and randomness extractors
  1.3 Freiman-Ruzsa theorems and their applications in computational complexity
  Our contributions
  From affine to two-source extractors
  The approximate duality conjecture (ADC)
  Relating rank to communication complexity
  Limitations of Public Key Encryption from Noisy Codewords
  Sampling-based proofs of almost-periodicity results and algorithmic applications
  Sparse affine-invariant linear codes are locally testable
  Organization of this thesis

2 Approximate duality
  Introduction
  Approximate duality
  Chapter organization
  Approximate duality for nearly-dual sets
  Proof of Theorem
  Bounds on approximate duality assuming PFR
  Proof of Theorem
  Proof overview
  Proof of Theorem
  Approximate duality for sets with small span
  Proof of Lemma
  2.4 Exponentially small bounds on approximate duality assuming PFR: alternative proof
  Proof overview
  Equivalence of the nearly-linear and the polynomial Freiman-Ruzsa conjectures
  Proof of Theorem assuming Main Technical Lemma
  Proof of Main Technical Lemma
  Equivalence between approximate duality and PFR in the exponential range
  Open problems

3 From affine to two-source extractors
  Introduction
  Extractors and dispersers for affine and two independent sources
  From affine extractors to two-source dispersers
  From two-source dispersers to two-source extractors via approximate duality
  Main results
  Extractors and dispersers for affine and two independent sources
  From affine extractors to two-source dispersers
  From two-source dispersers to two-source extractors via approximate duality
  Organization of the rest of the chapter
  From affine extractors to two-source dispersers
  Concatenated two-source disperser
  Proof of Theorem
  Preimage two-source dispersers
  Proof of Theorem
  From two-source dispersers to two-source extractors via approximate duality
  Constant bounds on error by approximate duality for nearly-dual sets
  Exponentially small bounds on error assuming the polynomial Freiman-Ruzsa conjecture
  On the $\ell_1$-error of multi-output bit affine and two-source extractors
  On the $\ell_1$-error of existing affine extractors
  Increasing the output length of our two-source extractors
  Open problems

4 Relating rank to communication complexity
  Introduction
  On communication complexity and matrix rank over $\mathbb{F}$
  On communication complexity and matrix rank over $\mathbb{R}$
  From approximate duality to communication complexity upper bounds
  Proof of Theorem
  Proof of Corollary

5 On the Limitations of Public Key Encryption from Noisy Codewords
  Introduction
  Learning parity with noise
  5.1.2 Alekhnovich's public key encryption scheme
  Learning with errors
  Public key encryption based on learning with errors
  Related work
  Main results
  Unified framework
  Unconditional negative result
  Conditional negative results
  Perfectly correct decryption
  Open problems
  Chapter organization
  Preliminaries
  Public key encryption
  Unified framework
  Generalized encryption schemes
  Equivalence of generalized encryption schemes
  Unconditional attack
  Consequences to learning
  Attacks based on combinatorial properties of $\mu_{sk}, \mu_0, \mu_1$
  Attack based on combinatorial properties of $\mu_{sk}$
  Attack based on combinatorial properties of $\mu_0, \mu_1$
  Attacks based on the approximate duality conjecture
  From uniform to general distributions: proof of Lemma
  Iterative application: proof of Lemma
  Perfectly correct decryption
  Insecurity over the binary field
  Candidate over constant-size rings
  Security of generalized encryption schemes: proof of Lemma

6 Sampling-based proofs of almost-periodicity results
  Introduction
  Proof method
  Preliminaries
  Sampling-based proofs of almost-periodicity results
  Croot-Sisask almost-periodicity
  Almost-periodicity over a subspace

7 Applications of sampling-based proofs
  Introduction
  Combinatorial applications
  Algorithmic applications
  Proof method
  Combinatorial applications
  7.2.1 The quasipolynomial Bogolyubov-Ruzsa lemma
  Sumsets of dense sets contain large subspaces
  Algorithmic applications
  Algorithmic version of the quasipolynomial Bogolyubov-Ruzsa lemma
  An improved self-corrector for the Reed-Muller code of order
  An improved quadratic Goldreich-Levin theorem
  Proof of Corollary
  Waring's problem over finite fields

8 Sparse affine-invariant linear codes are locally testable
  Introduction
  The problem and main result
  Motivation
  Comparison with previous work
  Technical contributions
  Organization of rest of the chapter
  Preliminaries
  Establishing the k-single-orbit characterization property is sufficient for k-local testability
  The degree set of affine-invariant linear properties
  The border set of affine-invariant linear properties
  Proof of Main Theorem
  Pseudo-tests suffice for local testability
  Overview of the proof of Main Technical Theorem
  Covering the (q, n)-shift representative sets
  Separating a pair of sets with disjoint p-shifts
  Separating a pair of degrees in the same p-shift
  A calculus for composing pseudo-tests
  Completing the proof of Theorem
  Separating a pair of degrees in the same p-shift
  Proof of Lemma
  Separating a pair of sets with disjoint p-shifts
  Proof of Lemma
  Proof of Lemma
  A calculus for composing pseudo-tests
  Proof of Lemma
  Equivalence of basic and general single-orbit characterizations
  Concluding remarks
Abstract

This thesis focuses on applications of methods and techniques from the mathematical field of additive combinatorics in computational complexity, the sub-area of theoretical computer science that studies the inherent limitations on efficient computation. Additive combinatorics is the branch of discrete mathematics aimed at quantifying the amount of additive structure in subsets of additive groups. Over the last decade, additive combinatorics has become a successful and active area of mathematics with many remarkable results. In this thesis we show novel applications of additive combinatorics methods in computational complexity, in the sub-fields of pseudorandomness, communication complexity, public key cryptography and local decoding.

More specifically, in the field of pseudorandomness, we use additive combinatorics methods for the design of randomness extractors. These are procedures that distill (almost) perfect randomness, required for the performance of randomized algorithms and protocols, from weak sources of randomness that exist in nature. Unfortunately, it is impossible to extract randomness from a single weak source of randomness, therefore further assumptions on the structure of the source are needed. One of the most natural assumptions is that we have in hand a pair of independent weak sources of randomness. Another common assumption is that the source has an algebraic structure, for example the source is distributed uniformly over an affine subspace (such a source is called an affine source). We show how affine extractors, which distill randomness from affine sources, can be converted in a black-box manner to two-source extractors, which distill randomness from a pair of independent weak sources of randomness. In order to show the above, we introduce a new conjecture in additive combinatorics that we call the approximate duality conjecture, and we justify this conjecture by showing its tight connections with the polynomial Freiman-Ruzsa conjecture, a central conjecture in additive combinatorics which attempts to classify approximate subgroups of abelian groups. Since its introduction, the approximate duality conjecture has found a variety of other applications in computational complexity: to communication complexity (see below), to public key cryptography (see below) and to showing limitations on the performance of locally decodable codes [Bhowmick, Dvir and Lovett, STOC 2013].

In the field of communication complexity, we use the approximate duality conjecture mentioned above for the design of communication protocols that minimize the amount of communication needed for performing computational tasks, jointly, by multiple parties. More precisely, the rank of the task serves as a measure of how complex the task is. A fundamental 25-year-old conjecture in the area of communication, known as the log-rank conjecture, suggests that one can design communication protocols in which the amount of communication is only polylogarithmic in the rank of the task. However, until very recently there has been essentially no improvement on the trivial protocol, in which the amount of communication is linear in the rank. We propose the first non-trivial such protocol, in which the amount of communication is sub-linear in the rank.

In the field of public key cryptography, we use the approximate duality conjecture to show limitations on public key encryption from noisy codewords. Public key encryption schemes, considered one of the greatest achievements of modern cryptography, are magical cryptographic protocols that enable two parties to communicate securely over a public channel without having to agree on a secret key in advance. Several well-known public key encryption schemes, including those of Alekhnovich [STOC 2003], Regev [STOC 2005] and Gentry, Peikert and Vaikuntanathan [STOC 2008], rely on the hardness of inverting a noisy linear encoding. We show that, assuming the approximate duality conjecture, instances of all these schemes over the binary field can be attacked in time $2^{O(\sqrt{n})}$, where $n$ is the maximum of the ciphertext size and the public key size.

Finally, in the field of local decoding, we show applications of additive combinatorics methods to the design of local decoding procedures. These are procedures that allow extremely efficient detection and correction of transmission errors in a local manner, by examining only a few bits of the corrupted codeword. Our first result in this direction uses almost-periodicity results from additive combinatorics to obtain an improved local decoding procedure for the well-known class of Reed-Muller codes in the scenario of a highly erroneous transmission channel. Our procedure improves on previous such procedures in that its running time and performance guarantee depend only quasipolynomially on the error parameter instead of exponentially. Our second result uses Waring's problem over finite fields from additive combinatorics for the design of local decoding procedures for the class of sparse affine-invariant linear codes.
Symbols and Abbreviations

$A + B$    Sumset of the sets $A$ and $B$
$\ell A$    $\ell$-wise sumset of the set $A$
$A \cdot B$    Product set of the sets $A$ and $B$
BSG    Balog-Szemerédi-Gowers Theorem
QFR    Quasi-polynomial Freiman-Ruzsa Theorem
PFR    Polynomial Freiman-Ruzsa Conjecture
NLFR    Nearly-linear Freiman-Ruzsa Conjecture
$1_A$    Indicator function of the set $A$
$\mu_A$    Normalized indicator function of the set $A$
$\hat{f}$    Fourier expansion of the function $f$
$f * g$    Convolution of the functions $f$ and $g$
$\langle a, b \rangle_2$    Inner product of the vectors $a, b$ over the field $\mathbb{F}_2$
$A^{\perp}$    Space dual to the span of the set $A$
$D(A, B)$    Duality measure of the sets $A$ and $B$
$D(\mu, \mu')$    Duality measure of the distributions $\mu$ and $\mu'$
$\mathrm{spec}(A)$    Spectrum of the set $A$ (with respect to a threshold parameter)
$\mathrm{spec}(\mu)$    Spectrum of the distribution $\mu$ (with respect to a threshold parameter)
ADC    Approximate duality conjecture
$x \circ x'$    Concatenation of the vectors $x$ and $x'$
$H_{\infty}(X)$    Min-entropy of the random variable $X$
$h_{\infty}(X)$    Min-entropy rate of the random variable $X$
    Entropy loss rate
$E^{c}_{f,g}$    Concatenated two-source extractor
$E_{f,g}$    Preimage two-source extractor
$CC(f)$    Communication complexity of the function $f$
$CC(M)$    Communication complexity of the matrix $M$
$\mathrm{rank}_{\mathbb{F}}(M)$    Rank of the matrix $M$ over the field $\mathbb{F}$
$\mathrm{disc}_{\mu}(M)$    Discrepancy of the matrix $M$ with respect to the distribution $\mu$
$\mathrm{disc}_{\mathcal{D}}(M)$    Discrepancy of the matrix $M$ with respect to the family of distributions $\mathcal{D}$
$\mathrm{disc}(M)$    Discrepancy of the matrix $M$
$U_M$    Uniform distribution over the entries of the matrix $M$
$\mathcal{M}_{m \times n}(q)$    Set of all $m \times n$ full rank matrices over $\mathbb{F}_q$
$P_m$    Projection on the first $m$ coordinates
$0^m$    All zeros vector of length $m$
$1^m$    All ones vector of length $m$
$\mathrm{supp}(\mu)$    Support of the distribution $\mu$
$\Pr_{\mu}(a)$    Probability of $a$ under the distribution $\mu$
$\Pr_{\mu}(A)$    Probability of the event $A$ under the distribution $\mu$
$\mu|_A$    Distribution $\mu$ conditioned on the event $A$
$\langle \mu, \mu' \rangle$    Inner product of the distributions $\mu$ and $\mu'$
$a \in_R A$    Element $a$ is chosen uniformly at random from the set $A$
Gen    Key generation algorithm
$1^n$    String of length $n$
sk    Private key
pk    Public key
$\mathrm{Enc}_{pk}$    Encryption algorithm
$\mathrm{Dec}_{sk}$    Decryption algorithm
$\mathrm{Adv}_{\mathrm{Dec}}(n)$    Advantage of decryption algorithm
$\mathcal{A}$    Attack
$\mathrm{Adv}_{\mathcal{A}}(n)$    Advantage of attack
Alek    Generalized Alekhnovich's encryption scheme
Reg    Generalized Regev's encryption scheme
Reg$'$    Uniform version of generalized Regev's encryption scheme
GPV    Generalized GPV encryption scheme
$\mu_{sk}$    Distribution of private key in generalized encryption schemes
$\mu_0$    Noise distribution used in encryption of 0 in generalized encryption schemes
$\mu_1$    Noise distribution used in encryption of 1 in generalized encryption schemes
$D_{s,\mu}$    Distribution of $(G, Gs + e)$ for uniform random $G$ and $e \sim \mu$
    Difference between and in absolute value is at most
    Difference between and in absolute value is at least
$A \to B$    Measure of additive containment of the sets $A$ and $B$
$\|f\|_{U^d}$    Gowers $U^d$-norm of the function $f$
$\mathbb{F}(A)$    Closure of the set $A$ inside the field $\mathbb{F}$
$(f, g)$    Normalized Hamming distance between the functions $f$ and $g$
$(f, \mathcal{F})$    Normalized Hamming distance between the function $f$ and the family of functions $\mathcal{F}$
$C$    Constraint
$C_1 \cup C_2$    Union of constraints
$C_1 \otimes C_2$    Tensor product of constraints
k-s-o-c    k-single-orbit characterization
$\mathrm{supp}(f)$    Support of the function $f$
$\mathrm{Deg}(\mathcal{F})$    Degree set of the family of functions $\mathcal{F}$
$\mathrm{Fam}_q(D)$    Family of functions associated with the set of degrees $D$ over the field $\mathbb{F}_q$
$\mathrm{Shadow}_p(D)$    $p$-shadow of the degree $d$
$\mathrm{Shift}_{q,n}(D)$    $(q, n)$-shift of the degree $d$
$\mathrm{Border}(\mathcal{F})$    Border of the family of functions $\mathcal{F}$
$\mathrm{Trace}_{q^n \to q}$    Trace operator from $\mathbb{F}_{q^n}$ to $\mathbb{F}_q$
$\omega_p$    Complex $p$-th root of unity
Chapter 1
Introduction

The past century has been an exciting era for both theoretical computer science and discrete mathematics. As digital computers, which operate in a discrete manner, were developed in the middle of the twentieth century, discrete mathematics became the mathematical language of computer science. Thus, concepts and notions from discrete mathematics were borrowed in order to describe objects and problems in computer science. Conversely, the development of computers in general and the area of theoretical computer science in particular spurred new research directions in discrete mathematics and contributed to a large extent to the rapid growth of this area. As the past century went by, the areas of theoretical computer science and discrete mathematics evolved rapidly in parallel, maintaining a fruitful and healthy exchange of ideas between each other.

One recent example of such a successful exchange of ideas is the interplay between computational complexity and additive combinatorics. Computational complexity is the sub-area of theoretical computer science that studies the inherent limitations on efficient computation. Additive combinatorics, on the other hand, is the branch of discrete mathematics that aims to quantify the amount of additive structure in subsets of additive groups. In recent years, several surprising connections were discovered between additive combinatorics and computational complexity. This led to a variety of applications of additive combinatorics methods in computational complexity, in sub-fields such as property testing, pseudorandomness and low-degree testing. Perhaps even more surprisingly, research in computational complexity also led to new discoveries in additive combinatorics and intersecting fields. For example, research on pseudorandom generators for polynomials and low-degree testing in computational complexity [BV10, AKK+05, Sam07] motivated investigation of the Gowers Inverse Conjecture [LMS11, GT09, TZ10], an outstanding conjecture in additive combinatorics which attempts to classify functions that are correlated with low-degree polynomials according to their
local properties.

This thesis contributes to the aforementioned interactions by establishing new connections between additive combinatorics and computational complexity, in the sub-fields of pseudorandomness, communication complexity, public key cryptography and local decoding. As part of this thesis, we show applications of novel additive combinatorics methods and techniques to fundamental problems in these fields, such as the construction of two-source extractors and the log-rank conjecture in communication complexity. We also contribute to the reverse connection, that of promoting new research directions in additive combinatorics, by formulating the approximate duality conjecture, a new conjecture in additive combinatorics. We demonstrate the usefulness of this conjecture by showing a variety of its applications in computational complexity, as well as its tight connections with the polynomial Freiman-Ruzsa conjecture, a central conjecture in additive combinatorics which attempts to classify approximate subgroups of abelian groups. Below we provide a more detailed overview of our results, but before we do so we start with some background on additive combinatorics and its previous applications in computational complexity.

1.1 Additive combinatorics

Additive combinatorics is the branch of discrete mathematics which attempts to quantify the amount of additive structure in subsets of additive groups. More generally, in the case where the ambient group is a ring and multiplication is also considered, arithmetic combinatorics attempts to quantify the amount of additive and multiplicative structure in these subsets and the interplay and tradeoffs between them. Examples of subsets with a large amount of additive structure are subsets that contain long arithmetic progressions, large subspaces or cubes. On the other extreme, a randomly chosen subset of the group would typically have a small amount of additive structure.

A major objective in the field of additive combinatorics is to identify quantitative measures for the amount of additive structure in subsets of groups. For a given set $A$, such a natural measure is the size of the sumset $A + A := \{a + a' : a, a' \in A\}$, or more generally the size of the $\ell$-wise sumset $\ell A := \{a_1 + \cdots + a_\ell : a_1, \ldots, a_\ell \in A\}$. Examples of other such measures are the collision probability, defined as the number of quadruples $(a_1, a_2, a_3, a_4) \in A \times A \times A \times A$ such that $a_1 + a_2 = a_3 + a_4$, and the concentration of the Fourier transform of the indicator function $1_A$ of $A$. It can be verified that all the aforementioned measures behave very differently when evaluated on a randomly chosen subset as opposed to a subset containing a large additive structure. Furthermore, it can be shown that all these measures, as well as many others, are essentially equivalent
(see the excellent book of Tao and Vu [TV06] for more information). A major challenge in the field of additive combinatorics is to investigate the additive structure that is imposed on a given subset by the value of these measures. This type of question is addressed by the Freiman-Ruzsa theorems discussed in Section 1.3 below. In arithmetic combinatorics, one is usually interested also in the interplay between the amount of additive and multiplicative structure of a given subset of the group. For example, is it possible for the subset to have a large amount of both additive and multiplicative structure? (Typically not.) Is it possible to quantify the tradeoff between the amount of additive and multiplicative structure in the subset? This type of question is addressed by the sum-product estimates discussed in the section on sum-product estimates below.

A surprising recurring phenomenon in additive combinatorics is that sufficiently dense subsets of additive groups possess a large amount of additive structure. This was first demonstrated by the seminal work of Szemerédi [Sze75a], which showed that any sufficiently dense subset of the integers must contain arbitrarily long arithmetic progressions. Szemerédi's theorem is an especially deep theorem, and throughout the years several completely different proofs of it were discovered using completely different tools such as graph theory [Sze75a], higher-order harmonic analysis [Rot53, Gow01], ergodic theory [Fur77] and hypergraph theory [RS76, NRS06, Gow07, Tao06]. All these different proofs contributed to the rapid development of the theory of additive combinatorics. Another major achievement in additive combinatorics is the recent Green-Tao theorem [GT08b], which asserts the existence of arbitrarily long arithmetic progressions in the prime numbers. In order to prove this, Green and Tao first showed that any subset of the primes which is dense enough inside the primes must contain arbitrarily long arithmetic progressions, and then showed the existence of such a subset.

One common theme in additive combinatorics proofs is the dichotomy between randomness and structure [Tao07]. The idea is that it is sometimes possible to decompose complex objects (such as graphs, functions over certain domains, low-degree polynomials, collections of points in the plane, etc.) into a structured component and a random-looking component (possibly with a small error). This decomposition can then be helpful for analyzing these complex objects. One well-known example of the above phenomenon is Szemerédi's Regularity Lemma [Sze75a], which was proved by Szemerédi as a step towards his proof of Szemerédi's theorem and which shows such a decomposition for graphs.

The field of additive combinatorics has been experiencing a tremendous amount of growth over the last couple of decades, and it is today a vibrant and active field of mathematics. The techniques used in this field come from diverse mathematical disciplines, such as graph theory, harmonic analysis, ergodic theory, discrete geometry and combinatorial number theory. Interestingly, throughout the years additive combinatorics methods and techniques have also found applications in the aforementioned fields. One such recent example is the application of sum-product estimates to incidence problems in discrete geometry [BKT04], most notably to the incidence problem for lines, which bounds the number of possible incidences among an arbitrary collection of lines and points in the plane, and to the Erdös distance problem, which bounds from below the number of distinct distances determined by an arbitrary collection of points in the plane.

1.2 Previous applications of additive combinatorics methods in computational complexity

In what follows we briefly survey three of the main previous applications of additive combinatorics methods in computational complexity: the use of Szemerédi's regularity lemma in graph property testing, the use of the Gowers norm in low-degree testing and the use of sum-product estimates in the construction of randomness extractors. We refer the reader to the excellent survey of Trevisan [Tre09] for more information.

Szemerédi's regularity lemma and graph property testing

The main goal in the field of property testing is, given a combinatorial structure $S$, to design extremely efficient randomized algorithms, called testers, that for a given property $P$ distinguish, with high probability, between the case in which $S$ satisfies $P$ and the case in which $S$ is far from satisfying $P$ (with respect to a distance parameter). The sub-field of graph property testing is concerned with testing properties of graphs, such as the graph being connected, 3-colorable or containing some fixed graph as an induced subgraph. In graph property testing one is usually interested in testers that query the adjacency matrix of the graph in a number of entries which depends only on the distance parameter. Szemerédi's regularity lemma, on the other hand, was introduced by Szemerédi [Sze75b] towards his proof of Szemerédi's theorem discussed above. It roughly says that every graph can be approximately partitioned into a constant number of random-looking bipartite graphs, where this number depends only on the quality of the approximation and not on the number of vertices in the graph. The connection between Szemerédi's regularity lemma and graph property testing was first demonstrated by the triangle removal lemma, which can be easily derived from the regularity lemma. In the language of property testing, the triangle removal lemma simply says that the property of triangle-freeness is testable.
However, one problem with the original proof of Szemerédi's regularity lemma was that it was non-constructive. This problem was resolved by Alon et al. [ADL+94], who gave a different, algorithmic proof of the regularity lemma. In follow-up works [AFKS00, AS08, Alo02] Szemerédi's regularity lemma was shown to be a powerful tool for analyzing property testers for many natural graph properties, culminating with the work of [AFNS09], who used the regularity lemma to give a combinatorial characterization of all testable graph properties. Roughly speaking, the latter work showed that a graph property is testable if and only if the task of testing this property can be reduced to the task of testing the property of satisfying a partition for which the conditions of the regularity lemma hold. This shows a fundamental connection between graph property testing and Szemerédi's regularity lemma and explains why the regularity lemma is so useful in analyzing graph property testers.

The Gowers norm and low-degree testing

Low-degree testing is a special case of property testing in which one is interested in testing the property of a function being a low-degree polynomial, or equivalently being contained in the Reed-Muller code whose codewords are low-degree polynomials. More specifically, a low-degree tester for degree $d$ polynomials is an efficient randomized algorithm that, given a function $f$, makes a few queries to $f$ and distinguishes, with high probability, between the case in which $f$ is a degree $d$ polynomial and the case in which $f$ is far from every such polynomial. Here one is typically interested in a tester whose number of queries depends only on the degree $d$. Testing low-degree polynomials (or Reed-Muller codes) is motivated by their use in the construction of probabilistically-checkable proofs (PCPs). A fundamental result by Blum, Luby and Rubinfeld [BLR93] used Fourier analysis to show that such testers exist for linear functions (i.e., when $d = 1$). The Gowers norm was introduced by Gowers [Gow01] as a higher-order analogue of the Fourier transform, used in his new proof of Szemerédi's theorem. This proof generalized the argument of Roth [Rot53], who used Fourier analysis to show the existence of many 3-term arithmetic progressions in a sufficiently dense subset of the integers. Using the Gowers norm, Alon et al. [AKK+05] managed to generalize the tester of [BLR93] to any degree $d$, rejecting functions that are far from degree $d$ polynomials with some very small (but constant) probability which depends only on $d$. The Gowers inverse conjecture was that the same tester proposed by [AKK+05] rejects functions which are (1/2 0 )-far from degree $d$ polynomials with probability at least $1/2$, where 0 depends only on and $d$. The Gowers inverse conjecture is trivial for $d = 0$ (with 0 = /2) and it can also be shown to hold for $d = 1$ using elementary Fourier analysis (with 0 = ( 2 )). The case $d = 2$ is
23 more involved and it was shown to hold in [Sam07, GT08a] with 0 =exp( 1/ ). Plugging the quasipolynomial Freiman-Ruzsa theorem (Theorem below) in the proof method of [Sam07, GT08a] improves the dependency of 0 on to be quasipolynomial in and achieving 0 =poly( ) was shown to be equivalent to the polynomial Freiman-Ruzsa conjecture (Conjecture below) [Lov12, GT10]. The Gowers inverse conjecture is generally false when d 3 [LMS11, GT09] but it holds when the characteristic of the underlying field is greater than d [TZ10]. However, a major drawback of the proof method of [TZ10] is that it uses Ergodic theory and therefore it is non-constructive and gives no bounds on 0 in terms of and d Sum-product estimates and randomness extractors A randomness extractor, on the other hand, is a (deterministic) procedure that distills (almost) perfect randomness, needed for the performance of randomized algorithms and protocols, from weak sources of randomnes that exist in nature. A source is modeled as a random variable taking values in {0, 1} n and the amount of randomness of the source is measured by its min-entropy which is defined as the largest integer k such that for every string x 2{0, 1} n the probability that the random variable equals x is at most 2 k. Unfortunately, it is impossible to extract randomness from a single weak source of randomness, therefore further assumptions on the structure of the source are needed. One of the most natural family of extractors are `-source extractors that extract randomness from ` independent weak sources of randomness. Another well-studied family of extractors are affine extractors that extract randomness from sources that are distributed uniformly over affine subspaces. In both models, the probabilistic method shows the existence of extractors for min-entropy as small as logn + O(1), but surprisingly, up until very few years ago explicit constructions for min-entropy smaller than n/2 were not known. 
This picture changed dramatically when a connection between randomness extractors and sum-product estimates was discovered. Roughly speaking, sum-product estimates show that a typical subset of a given ring cannot have a large amount of additive and multiplicative structure simultaneously. More formally, the goal is to show that in a certain ring R, for an arbitrary subset A of R, at least one of the sets A + A or A · A has size at least $\min\{|R|, |A|^{1+\varepsilon}\}$ for some constant $\varepsilon > 0$. This was shown to hold over the integers by Erdős and Szemerédi [ES83], and an analogue of this result over finite fields was proven more recently in [BKT04, BGK06]. The latter pair of results had interesting consequences for incidence problems in discrete geometry, such as the incidence problem for lines and the Erdős distance problem, and they were also used to obtain bounds on exponential sums. Furthermore, it turned out that sum-product estimates over finite fields were the right tool needed for beating the n/2 barrier in the construction of extractors. More specifically, the growth in the size of A + A or A · A guaranteed by these estimates can be used to argue that the image of certain functions over finite fields, defined using both addition and multiplication, is pseudorandom, and consequently these functions can be used as extractors. This was first realized by Barak et al. [BIW06], who used this idea to construct $\ell$-source extractors for min-entropy $\delta n$ for any $\delta > 0$, where $\ell$ is a constant which depends only on $\delta$. In the meanwhile, Bourgain [Bou05, Bou07] managed to construct two-source extractors for min-entropy $(1/2 - \delta)n$ for some small constant $\delta > 0$, and affine extractors for min-entropy $\delta n$ for any $\delta > 0$, using the advances on the incidence problem for lines and the bounds on exponential sums mentioned above.

1.3 Freiman-Ruzsa theorems and their applications in computational complexity

In this section we discuss the Freiman-Ruzsa theorems and their applications in computational complexity, a main object of study in this thesis. Roughly speaking, these results investigate the additive structure imposed on a given set A by the size of A + A. This question is interesting over any additive group, but for simplicity we concentrate only on the case where the ambient group is $\mathbb{F}_2^n$. For $A \subseteq \mathbb{F}_2^n$, let A + A denote the sum-set of A,
$$A + A := \{a + a' \mid a, a' \in A\},$$
where addition is over $\mathbb{F}_2$. It is easy to see that A + A = A if and only if A is an affine subspace of $\mathbb{F}_2^n$. The question addressed by the Freiman-Ruzsa theorem is whether the ratio of |A + A| to |A| also approximates the closeness of A to being a subspace, or in other words, whether the fact that |A + A| is small with respect to |A| also implies that |span(A)| is small with respect to |A|. The Freiman-Ruzsa theorem [Ruz99] says that this is indeed the case.

Theorem 1.3.1 (Freiman-Ruzsa theorem [Ruz99]). If $A \subseteq \mathbb{F}_2^n$ has $|A + A| \le K|A|$, then $|\mathrm{span}(A)| \le K^2 2^{K^4} |A|$.
The above theorem was improved in a series of works [GR06, San08b, GT09], culminating in the recent work [EZ12], which proved an upper bound on the ratio $|\mathrm{span}(A)|/|A|$ of the form $2^{2K}/(2K)$. This bound can be seen to be tight by letting $A = \bigcup_{i=1}^{t} (u_i + V)$, where $u_1, u_2, \ldots, u_t \in \mathbb{F}_2^n$ are linearly independent vectors and $V \subseteq \mathbb{F}_2^n$ is a subspace of dimension d such that $\mathrm{span}(\{u_1, \ldots, u_t\}) \cap V = \{0\}$. Then in this case we have $|A| = t \cdot 2^d$ and $|A + A| \le t|A|$, while $|\mathrm{span}(A)| = 2^{t+d} = \frac{2^t}{t}|A|$. This example also shows that the ratio $|\mathrm{span}(A)|/|A|$ must depend exponentially on K. However, it does not rule out the existence of a large subset $A' \subseteq A$ for which the ratio $|\mathrm{span}(A')|/|A'|$ is just polynomial in K, and this is exactly what is suggested by the PFR conjecture:

Conjecture 1.3.2 (Polynomial Freiman-Ruzsa (PFR)). There exists an absolute constant r such that if $A \subseteq \mathbb{F}_2^n$ has $|A + A| \le K|A|$, then there exists a subset $A' \subseteq A$ of size at least $K^{-r}|A|$ such that $|\mathrm{span}(A')| \le |A|$.

Note that the above conjecture implies that $|\mathrm{span}(A')| \le |A| \le K^r |A'|$. The PFR conjecture has many other interesting equivalent formulations; see the survey of Green [Gre05] for some of them. It is conjectured to hold for subsets of general groups as well, and not only for subsets of the group $\mathbb{F}_2^n$, but we will be interested only in the latter case. Significant progress on this conjecture was achieved recently by Sanders [San12b], using almost-periodicity results developed by Croot and Sisask [CS10]. Sanders proved an upper bound on the ratio $|\mathrm{span}(A')|/|A'|$ which is quasipolynomial in K (see also Chapters 6 and 7 for a simplified proof of this theorem):

Theorem 1.3.3 (Quasi-polynomial Freiman-Ruzsa theorem (QFR) [San12b]). Let $A \subseteq \mathbb{F}_2^n$ be a set such that $|A + A| \le K|A|$. Then there exists a subset $A' \subseteq A$ of size at least $K^{-O(\log^3 K)}|A|$ such that $|\mathrm{span}(A')| \le |A|$.

We end this section by listing several recent applications of the PFR conjecture to theoretical computer science. The first application, due to Samorodnitsky, Green and Tao [Sam07, GT08a], with further results by Lovett [Lov12] and Green and Tao [GT10], shows that the d = 2 case of the Gowers inverse conjecture, discussed in Section 1.2.2, holds with $\varepsilon' = \mathrm{poly}(\varepsilon)$ if and only if the PFR conjecture holds.
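As an added worked example (this is not code from the thesis), the following computes the two ratios that the Freiman-Ruzsa theorem and the PFR conjecture compare, |A + A|/|A| and |span(A)|/|A|, over $\mathbb{F}_2^n$ with vectors stored as integers, and instantiates the tight example of the text with the concrete choice $u_i = e_i$ for $i < t$ and $V = \mathrm{span}(e_t, \ldots, e_{t+d-1})$ (the choice of basis vectors and the function names are this example's own). It also checks the kind of witness the PFR conjecture asks for on that example: a single coset $u_1 + V$ is a subset of density $1/t$ whose span is no larger than |A|.

```python
from fractions import Fraction

# Vectors of F_2^n are Python ints; vector addition over F_2 is XOR.

def sumset(A):
    """A + A = {a + a' : a, a' in A}."""
    return {a ^ b for a in A for b in A}

def span(A):
    """The linear span of A over F_2 (always contains 0)."""
    s = {0}
    for a in A:
        s |= {x ^ a for x in s}
    return s

def doubling_and_span_ratios(A):
    """Returns (K, R) with |A + A| = K|A| and |span(A)| = R|A|, as exact fractions."""
    return Fraction(len(sumset(A)), len(A)), Fraction(len(span(A)), len(A))

def ruzsa_bound(K):
    """Upper bound on |span(A)|/|A| from Theorem 1.3.1, K^2 * 2^(K^4), as a float."""
    K = float(K)
    return K ** 2 * 2.0 ** (K ** 4)

def coset_union(t, d):
    """The tight example from the text: the union of u_i + V over i = 1..t, with
    u_1..u_t linearly independent and V a d-dimensional subspace meeting span(u_i)
    only in 0.  Concrete choice here: u_i = e_i (i < t), V = span(e_t..e_{t+d-1})."""
    V = span({1 << (t + j) for j in range(d)})
    return {(1 << i) ^ v for i in range(t) for v in V}

def pfr_witness(t, d):
    """One coset u_1 + V of the example above: a subset of density 1/t whose span
    (of size 2^(d+1)) is at most |A| = t * 2^d as soon as t >= 2."""
    V = span({1 << (t + j) for j in range(d)})
    return {1 ^ v for v in V}

if __name__ == "__main__":
    t, d = 4, 2
    A = coset_union(t, d)
    K, R = doubling_and_span_ratios(A)
    print(f"|A| = {len(A)}, |A+A|/|A| = {K} (<= t = {t}), |span A|/|A| = {R} (= 2^t/t)")
    print(f"Ruzsa bound K^2 2^(K^4) = {ruzsa_bound(K):.1f} >= {R}")
    Aprime = pfr_witness(t, d)
    print(f"|A'| = {len(Aprime)} = |A|/t, |span A'| = {len(span(Aprime))} <= |A|")
    print("a subspace has both ratios 1:", doubling_and_span_ratios(span({1, 2})))
```

For t = 4, d = 2 the sumset consists of the cosets $u_i + u_j + V$ for $i < j$ together with $V$ itself, seven cosets of size four, so the doubling constant is 7/4, while the span is all of $\mathbb{F}_2^{6}$, giving the ratio $2^t/t = 4$ from the text. Increasing t while keeping d fixed is exactly what makes the span ratio grow exponentially in the doubling constant, and the single-coset witness is what keeps a polynomial-density subset with small span available nonetheless.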
In Chapters 3 and 4 of this thesis we show applications of the PFR conjecture to the construction of two-source extractors and to relating rank to communication complexity. Our proof method was later applied also by Bhowmick, Dvir and Lovett [BDL13] to show that the PFR conjecture implies lower bounds on matching vector codes. Recently, Aggarwal, Dodis and Lovett [ADL14] found another application of the PFR conjecture to the design of non-malleable codes.

1.4 Our contributions

In this thesis we show further applications of additive combinatorics methods to fundamental open problems in computational complexity in the sub-fields of pseudorandomness, communication complexity, public key cryptography and local decoding. Below we describe our contributions in more detail.

1.4.1 From affine to two-source extractors

As mentioned above, two-source and affine extractors are two well-studied types of randomness extractors. Furthermore, explicit constructions of these two distinct objects seem to be related since, as mentioned in Section 1.2.3, constructions of both objects for min-entropy above n/2 have been known for quite some time [CGH+85, BSHR+01], and much of the recent progress on both problems [BIW06, Bou05, Bou07] has relied on the sum-product estimates over finite fields of [BKT04, BGK06]. In Chapter 3 we establish further connections between affine and two-source extractors by presenting a black-box construction of two-source extractors for min-entropy $\delta n$, for any $\delta > 0$, from any affine extractor with sufficiently good parameters. Two such constructions are presented, and the first part of our analysis shows that they lead to two-source dispersers, which are weak (but nontrivial) kinds of two-source extractors, also known as bipartite Ramsey graphs. To strengthen this result and obtain two-source extractors we introduce the approximate duality conjecture (ADC), discussed below, and initiate its study. The ADC leads to a rather general result that can be used to convert a natural class of two-source dispersers, low-rank dispersers, into two-source extractors. Suppose that a boolean two-input function $E \in \mathbb{F}_2^{\mathbb{F}_2^n \times \mathbb{F}_2^n}$ is a two-source disperser for min-entropy $\delta n$. Our main observation, which uses the ADC, is that if E has rank O(n) over $\mathbb{F}_2$ when viewed as a $2^n \times 2^n$ matrix in the natural way, then E is a two-source extractor for min-entropy $(\delta + \gamma)n$ (for any $\gamma > 0$) with exponentially small error!

The approximate duality conjecture (ADC). The ADC is a natural conjecture in additive combinatorics, so it deserves independent study.
Further motivation is provided by three other recent applications of it: to relating rank to communication complexity (see below), to cryptography (see below) and to lower bounds on locally decodable codes [BDL13], as well as its tight connections with the polynomial Freiman-Ruzsa conjecture (PFR, Conjecture 1.3.2 above). Define the duality measure of a pair of sets $A, B \subseteq \mathbb{F}_2^n$ to be
$$D(A, B) = \left| \mathbb{E}_{a \in A,\, b \in B}\left[ (-1)^{\sum_{i=1}^{n} a_i b_i} \right] \right|.$$
Then D(A, B) = 1 if and only if A is contained in an affine shift of the space dual to the span of B. The ADC says that every pair (A, B) contains a pair of subsets (A′, B′) that have duality measure exactly 1, and whose densities |A′|/|A| and |B′|/|B| increase with D(A, B):
$$\min\left\{ \frac{|A'|}{|A|}, \frac{|B'|}{|B|} \right\} \ge \exp\left( -c \sqrt{n \log(1/D(A, B))} \right)$$
for a positive universal constant c. In Chapter 2 we justify the above conjecture by proving a special case of it, and by showing that the ADC is implied by the PFR conjecture and that the ADC also implies a weak, but as-of-yet unknown, version of the PFR conjecture.

1.4.2 Relating rank to communication complexity

Communication complexity is the sub-field of computational complexity that studies the limitations on the efficient communication needed for performing computational tasks jointly by multiple parties. In the communication complexity model, two (or more) parties wish to compute some prescribed function whose input is split between the parties. For this, the parties must communicate with each other according to some protocol. The communication complexity of the function is the minimum total number of bits sent between the parties during the execution of the protocol, in the worst case. The goal in this field is either to design efficient protocols with low communication complexity or to show limitations on the performance of such protocols. Thus, one main objective in communication complexity is to identify complexity measures of functions that imply low or high communication complexity. Mehlhorn and Schmidt [MS82] were the first to suggest matrix rank as one such measure. Among other things, they showed
$$\log \mathrm{rank}_{\mathbb{F}}(M) \le CC(M) \le \mathrm{rank}_{\mathbb{F}_2}(M), \tag{1.1}$$
where CC(M) denotes the (deterministic) communication complexity of the function associated with M, the rank on the left hand side is over any field $\mathbb{F}$, and on the right hand side it is over the two-element field $\mathbb{F}_2$.
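The following added example (not code from the thesis) serves the two definitions above. First it computes the duality measure D(A, B) exactly and checks the structural condition behind D(A, B) = 1: with the absolute value in the definition, D(A, B) = 1 holds exactly when the inner product takes a single value on all of A × B, which in particular places A inside a coset of span(B)^⊥. Second it implements the protocol behind the right-hand side of Equation (1.1): both parties know M, Alice sends the coefficients of her row in a fixed basis of the $\mathbb{F}_2$-row space, which is rank many bits, and Bob evaluates his column of those basis rows. The class and function names, the row-reduction bookkeeping and the sample sets and matrices are this example's own choices.

```python
from fractions import Fraction

# Bit vectors of F_2^n are Python ints; <a,b> is the parity of a & b.

def inner(a, b):
    return bin(a & b).count("1") & 1

def duality_measure(A, B):
    """D(A,B) = |E_{a in A, b in B} (-1)^{<a,b>}| as an exact fraction."""
    s = sum(1 - 2 * inner(a, b) for a in A for b in B)
    return Fraction(abs(s), len(A) * len(B))

def is_dual_pair(A, B):
    """True iff <a,b> takes one value on all of A x B, i.e. D(A,B) = 1; then A lies
    in a coset of span(B)^perp and, symmetrically, B in a coset of span(A)^perp."""
    return len({inner(a, b) for a in A for b in B}) == 1

class RankProtocol:
    """Deterministic protocol using rank_F2(M) bits (right-hand side of Eq. (1.1)).
    Alice holds the row index x, Bob the column index y; both know M in advance."""

    def __init__(self, M):
        self.M = M
        rows = [sum(bit << j for j, bit in enumerate(row)) for row in M]
        self.basis_rows = []   # indices of rows of M chosen as a basis of the row space
        self._reduced = {}     # pivot bit -> (reduced vector, bitmask over basis_rows)
        for idx, v in enumerate(rows):
            v, combo = self._reduce(v)
            if v:  # independent of everything chosen so far: new basis row
                k = len(self.basis_rows)
                self.basis_rows.append(idx)
                self._reduced[v.bit_length() - 1] = (v, combo ^ (1 << k))
        self.rank = len(self.basis_rows)
        # row x of M equals the XOR of the basis rows selected by coeffs[x]
        self.coeffs = [self._reduce(v)[1] for v in rows]

    def _reduce(self, v):
        """Eliminate pivot bits from v, tracking which basis rows were XORed in."""
        combo = 0
        for piv in sorted(self._reduced, reverse=True):
            if v >> piv & 1:
                bv, bc = self._reduced[piv]
                v ^= bv
                combo ^= bc
        return v, combo

    def alice_message(self, x):
        """The rank-many bits Alice sends: coefficients of row x in the basis."""
        return [(self.coeffs[x] >> k) & 1 for k in range(self.rank)]

    def bob_output(self, msg, y):
        """Bob XORs entry y of the basis rows that the message selects."""
        out = 0
        for k, bit in enumerate(msg):
            if bit:
                out ^= self.M[self.basis_rows[k]][y]
        return out

def ip_matrix(n):
    """The 2^n x 2^n inner-product matrix, which has F_2-rank n."""
    return [[inner(x, y) for y in range(1 << n)] for x in range(1 << n)]

if __name__ == "__main__":
    # Constructed sample sets in F_2^3: every a in A is orthogonal to 111.
    A = [0b000, 0b110, 0b011, 0b101]
    print("D(A,{111}) =", duality_measure(A, [0b111]), is_dual_pair(A, [0b111]))
    print("D(A,{001,010}) =", duality_measure(A, [0b001, 0b010]))
    P = RankProtocol(ip_matrix(3))
    print("rank", P.rank, "message for row 5:", P.alice_message(5),
          "Bob recovers M[5][6] =", P.bob_output(P.alice_message(5), 6))
```

A practitioner running this on other 0/1 matrices will see that the message length tracks rank rather than the number of rows, which is precisely why the right-hand side of (1.1) is tight for matrices whose communication complexity equals their $\mathbb{F}_2$-rank; the text's contribution is the case where it is not.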
For certain matrices M, communication complexity equals the right hand side above, and this completely settles the question of communication complexity vs. $\mathbb{F}_2$-rank. In Chapter 4 we reopen this question by pointing out that when M has an additional natural combinatorial property, high discrepancy with respect to distributions which are uniform over submatrices, then communication complexity can be sublinear in the $\mathbb{F}_2$-rank. Assuming the PFR conjecture (Conjecture 1.3.2), we show that $CC(M) \le O(\mathrm{rank}_{\mathbb{F}_2}(M) / \log \mathrm{rank}_{\mathbb{F}_2}(M))$ for any matrix M which satisfies the above combinatorial property. Our analysis uses the ADC discussed above.

Our main result also had consequences for the well-known log-rank conjecture in communication complexity. Observe that $\mathrm{rank}_{\mathbb{F}_2}(M) \le \mathrm{rank}_{\mathbb{R}}(M)$ for any {0, 1}-valued matrix M, and so Equation (1.1) above implies that $\log \mathrm{rank}_{\mathbb{R}}(M) \le CC(M) \le \mathrm{rank}_{\mathbb{R}}(M)$, and it is a fundamental question to find out the true worst-case dependency of CC(M) on the real rank. The famous log-rank conjecture due to Lovász and Saks [LS88] postulates that communication complexity is always closer to the left hand side. (Recall that this is false over $\mathbb{F}_2$.) Though considerable efforts have been invested in attempts to make progress on this conjecture since its introduction about 25 years ago, not much was known about it. In particular, there had been essentially no improvement on the trivial upper bound of $\mathrm{rank}_{\mathbb{R}}(M)$ beyond constant factors. As a corollary of our main result, we obtained the first progress on this conjecture, showing that, assuming the PFR conjecture, $CC(M) \le O(\mathrm{rank}_{\mathbb{R}}(M) / \log \mathrm{rank}_{\mathbb{R}}(M))$ for any {0, 1}-valued matrix M. In a recent breakthrough [Lov14], this upper bound was improved to $O(\sqrt{\mathrm{rank}_{\mathbb{R}}(M)})$ and the PFR assumption was eliminated.

1.4.3 Limitations of Public Key Encryption from Noisy Codewords

Several well-known public key encryption schemes, including those of Alekhnovich [Ale11], Regev [Reg09], and Gentry, Peikert and Vaikuntanathan [GPV08], rely on the conjectured intractability of inverting a noisy linear encoding. These schemes are limited in that they either require the underlying field to grow polynomially with the security parameter, or alternatively they can work over the binary field but have a low noise entropy that gives rise to sub-exponential attacks.
Motivated by the goal of achieving efficient public key cryptography, we study the possibility of obtaining improved security over the binary field by using different noise distributions. We obtain the following main results.

A unified framework. We propose a unified framework for the study of the three encryption schemes mentioned above: for each of the schemes we define a generalized version which allows arbitrary choices of the underlying field and noise distribution. We then show that for an identical choice of parameters all the generalized schemes are equivalent in terms of security, in the sense that a public key and ciphertext can be efficiently translated from one scheme to another.

An unconditional negative result. Using previous results on agnostic learning of parities [KMV08], we show that any instance of the generalized encryption schemes over the binary field, using any noise distribution, can be attacked in time $2^{O(n/\log n)}$, where n is the ciphertext size. This negative result holds even when allowing decryption error very close to one. Using a generalized form of Regev's security proof [Reg09], we show that the attack above can be turned into a sub-exponential algorithm that learns parities corrupted by arbitrary noise distributions using a relatively small number of samples. In particular, this algorithm solves the learning parity with noise (LPN) problem in time $2^{O(n/\log\log n)}$ using only $n^{1+\varepsilon}$ samples, reproducing the result of Lyubashevsky [Lyu05] in a conceptually different way.

Conditional negative results. Under the approximate duality conjecture we strengthen the above negative result to yield $2^{O(\sqrt{n})}$-time attacks, where n is the maximum of the ciphertext size and the public key size (and where the latter excludes the public randomness used for specifying the code), in the case in which the decryption error of a single encryption is a sufficiently small constant. Under a natural variant of this conjecture, we obtain a similar attack where n is just the ciphertext size. Finally, we study the possibility of instantiating the unified framework over constant-size rings to yield encryption schemes with no decryption error.
We show that over the binary field decryption errors are inherent. On the positive side, building on the construction of matching vector families [Gro00, Efr12, DGY11], we suggest plausible candidates for secure instances of the framework over constant-size rings that can offer perfectly correct decryption.
Higher-order Fourier analysis of F n p and the complexity of systems of linear forms Hamed Hatami School of Computer Science, McGill University, Montréal, Canada hatami@cs.mcgill.ca Shachar Lovett School
More informationProbabilistic construction of t-designs over finite fields
Probabilistic construction of t-designs over finite fields Shachar Lovett (UCSD) Based on joint works with Arman Fazeli (UCSD), Greg Kuperberg (UC Davis), Ron Peled (Tel Aviv) and Alex Vardy (UCSD) Gent
More informationFully Homomorphic Encryption - Part II
6.889: New Developments in Cryptography February 15, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption - Part II Scribe: Elette Boyle 1 Overview We continue our discussion on the fully homomorphic
More informationQuantum Communication Complexity
Quantum Communication Complexity Ronald de Wolf Communication complexity has been studied extensively in the area of theoretical computer science and has deep connections with seemingly unrelated areas,
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationPCP Theorem and Hardness of Approximation
PCP Theorem and Hardness of Approximation An Introduction Lee Carraher and Ryan McGovern Department of Computer Science University of Cincinnati October 27, 2003 Introduction Assuming NP P, there are many
More informationThe Complexity of the Matroid-Greedoid Partition Problem
The Complexity of the Matroid-Greedoid Partition Problem Vera Asodi and Christopher Umans Abstract We show that the maximum matroid-greedoid partition problem is NP-hard to approximate to within 1/2 +
More informationLimits on the Stretch of Non-Adaptive Constructions of Pseudo-Random Generators
Limits on the Stretch of Non-Adaptive Constructions of Pseudo-Random Generators Josh Bronson 1, Ali Juma 2, and Periklis A. Papakonstantinou 3 1 HP TippingPoint josh.t.bronson@hp.com 2 University of Toronto
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationWalk through Combinatorics: Sumset inequalities.
Walk through Combinatorics: Sumset inequalities (Version 2b: revised 29 May 2018) The aim of additive combinatorics If A and B are two non-empty sets of numbers, their sumset is the set A+B def = {a+b
More informationA Separation Theorem in Property Testing
A Separation Theorem in Property Testing Noga Alon Asaf Shapira Abstract Consider the following seemingly rhetorical question: Is it crucial for a property-tester to know the error parameter ɛ in advance?
More informationNotes for Lecture Decision Diffie Hellman and Quadratic Residues
U.C. Berkeley CS276: Cryptography Handout N19 Luca Trevisan March 31, 2009 Notes for Lecture 19 Scribed by Cynthia Sturton, posted May 1, 2009 Summary Today we continue to discuss number-theoretic constructions
More informationInvariance in Property Testing
Invariance in Property Testing Madhu Sudan Microsoft Research Based on: works with/of Eli Ben-Sasson, Elena Grigorescu, Tali Kaufman, Shachar Lovett, Ghid Maatouk, Amir Shpilka. February 22, 2012 Invariance
More informationLecture 1 : Probabilistic Method
IITM-CS6845: Theory Jan 04, 01 Lecturer: N.S.Narayanaswamy Lecture 1 : Probabilistic Method Scribe: R.Krithika The probabilistic method is a technique to deal with combinatorial problems by introducing
More informationCS168: The Modern Algorithmic Toolbox Lecture #19: Expander Codes
CS168: The Modern Algorithmic Toolbox Lecture #19: Expander Codes Tim Roughgarden & Gregory Valiant June 1, 2016 In the first lecture of CS168, we talked about modern techniques in data storage (consistent
More informationSublinear Time Algorithms
Electronic Colloquium on Computational Complexity, Report No. 13 (2011) Sublinear Time Algorithms Ronitt Rubinfeld Asaf Shapira Abstract Sublinear time algorithms represent a new paradigm in computing,
More informationHow to Encrypt with the LPN Problem
How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Boaz Barak February 9, 2011 Achieving fully homomorphic encryption, under any kind of reasonable computational assumptions (and under any reasonable definition of reasonable..),
More informationOn Axis-Parallel Tests for Tensor Product Codes
Electronic Colloquium on Computational Complexity, Report No. 110 (2017) On Axis-Parallel Tests for Tensor Product Codes Alessandro Chiesa alexch@berkeley.edu UC Berkeley Peter Manohar manohar@berkeley.edu
More informationError Correcting Codes Questions Pool
Error Correcting Codes Questions Pool Amnon Ta-Shma and Dean Doron January 3, 018 General guidelines The questions fall into several categories: (Know). (Mandatory). (Bonus). Make sure you know how to
More informationSHORT PCPS WITH POLYLOG QUERY COMPLEXITY
SIAM J. COMPUT. Vol. 38, No. 2, pp. 551 607 c 2008 Society for Industrial and Applied Mathematics SHORT PCPS WITH POLYLOG QUERY COMPLEXITY ELI BEN-SASSON AND MADHU SUDAN Abstract. We give constructions
More informationOn Sums of Locally Testable Affine Invariant Properties
On Sums of Locally Testable Affine Invariant Properties Eli Ben-Sasson, Elena Grigorescu, Ghid Maatouk, Amir Shpilka, and Madhu Sudan Abstract. Affine-invariant properties are an abstract class of properties
More informationLocally Decodable Codes
Foundations and Trends R in sample Vol. xx, No xx (xxxx) 1 114 c xxxx xxxxxxxxx DOI: xxxxxx Locally Decodable Codes Sergey Yekhanin 1 1 Microsoft Research Silicon Valley, 1065 La Avenida, Mountain View,
More informationNon-Malleable Coding Against Bit-wise and Split-State Tampering
Non-Malleable Coding Against Bit-wise and Split-State Tampering Mahdi Cheraghchi 1 and Venkatesan Guruswami 2 1 CSAIL, Massachusetts Institute of Technology mahdi@csail.mit.edu 2 Computer Science Department,
More informationHigher-order Fourier Analysis over Finite Fields, and Applications. Pooya Hatami
Higher-order Fourier Analysis over Finite Fields, and Applications Pooya Hatami Coding Theory: Task: Reliably transmit a message through an unreliable channel. m F k 2 c m F N 2 Coding Theory: Task: Reliably
More informationOn Linear Subspace Codes Closed under Intersection
On Linear Subspace Codes Closed under Intersection Pranab Basu Navin Kashyap Abstract Subspace codes are subsets of the projective space P q(n), which is the set of all subspaces of the vector space F
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationIMPROVING THE ALPHABET-SIZE IN EXPANDER BASED CODE CONSTRUCTIONS
IMPROVING THE ALPHABET-SIZE IN EXPANDER BASED CODE CONSTRUCTIONS 1 Abstract Various code constructions use expander graphs to improve the error resilience. Often the use of expanding graphs comes at the
More informationExplicit Ramsey graphs and orthonormal labelings
Explicit Ramsey graphs and orthonormal labelings Noga Alon Submitted: August 22, 1994; Accepted October 29, 1994 Abstract We describe an explicit construction of triangle-free graphs with no independent
More information