Hardness Amplification

Transcription

1 Hardness Amplification

2 Synopsis 1. Yao s XOR Lemma 2. Error Correcting Code 3. Local Decoding 4. Hardness Amplification Using Local Decoding 5. List Decoding 6. Local List Decoding 7. Hardness Amplification Using Local List Decoding Computational Complexity, by Y. Fu Hardness Amplification 1 / 90

3 Yao s XOR Lemma Computational Complexity, by Y. Fu Hardness Amplification 2 / 90

4 Qizhi Yao. Theory and Applications of Trapdoor Functions. FOCS, Computational Complexity, by Y. Fu Hardness Amplification 3 / 90

5 For every boolean function one of the trivial circuits is correct on at least half the inputs, or equivalently wrong on at most half the inputs. The hardness of a boolean function is measured by the number of gates necessary to calculate the function. For ρ ( 1 2, 1] the ρ-average case hardness of f is the number of gates necessary to calculate f with ρ-correctness. The average case hardness of f is the number S of gates necessary to calculate f with ( S )-correctness. Computational Complexity, by Y. Fu Hardness Amplification 4 / 90

6 Average Case Hardness Suppose f : {0, 1} n {0, 1}. Let ρ ( 1 2, 1]. 1. The ρ-average case hardness of f, notation H ρ avg(f ), is the largest S such that for every circuit C with C S, one has Pr x R{0,1} n[c(x) = f (x)] < ρ. 2. The average case hardness of f, notation H avg (f ), is { } { } max S S H S avg (f ) = min S S H S avg (f ). In other words, H avg (f ) is the unique fixpoint of S = H S avg (f ). For f : {0, 1} {0, 1}, let H ρ avg(f )(n) be H ρ avg(f {0,1} n). Computational Complexity, by Y. Fu Hardness Amplification 5 / 90

7 Worst Case Hardness Intuitively the worst case hardness of f is the minimal number of gates necessary to calculate f. Technically H wrs (f ) is defined by H 1 avg(f ). Computational Complexity, by Y. Fu Hardness Amplification 6 / 90

8 A boolean function is mildly hard if every moderate size circuit is wrong on a non-negligible portion of the inputs. A boolean function is strongly hard if every moderate size circuit is wrong on almost half the inputs. Computational Complexity, by Y. Fu Hardness Amplification 7 / 90

9 Yao s XOR Lemma Theorem (Yao, 1982). For every f : {0, 1} n {0, 1}, 0 < δ < 1 2 and k N, if ɛ > 2(1 δ) k then H 1 2 +ɛ avg (f k ) ɛ2 400n H1 δ avg (f ), where f k : {0, 1} nk {0, 1} is defined by f k (x 1,..., x k ) = k f (x i ) = i=1 k f (x i ) (mod 2). i=1 Computing f k is as easy as computing f. If f is mildly hard, then f k is strongly hard. Computational Complexity, by Y. Fu Hardness Amplification 8 / 90

10 Yao s XOR Lemma is typical of Direct Product Theorems. If a problem is hard to solve, then solving multiple independent instances of the problem is even harder. Computational Complexity, by Y. Fu Hardness Amplification 9 / 90

11 Yao s XOR Lemma can be proved using Min-Max Theorem. Computational Complexity, by Y. Fu Hardness Amplification 10 / 90

12 Von Neumann s 1928 paper laid the foundation of game theory. The main theorem of the paper is the Min-Max Theorem. As far as I can see, there could be no theory of games... without that theorem. Computational Complexity, by Y. Fu Hardness Amplification 11 / 90

13 Von Neumann s Min-Max Theorem A zero-sum game is modeled by a payoff matrix A = (a ij ) of reals. A column player, or minimizer chooses an index j [n]. A row player, or maximizer chooses an index i [m]. In a mixed strategy, the column player, respectively the row player chooses a distribution over columns, respectively rows. Von Neumann s Min-Max Theorem states that max min r r m=1 c c n=1 ra c = min max c c n=1 r r m=1 ra c. The problem is algebraic; von Neumann s proof is topological. Computational Complexity, by Y. Fu Hardness Amplification 12 / 90

14 Minimizer chooses a mixed strategy (c 1,..., c n ). Its payoff is j [n] a ijc j if maximizer plays pure strategy i. If maximizer knows (c 1,..., c n ), it will choose i such that j [n] a ijc j is maximum. Minimizer wishes to choose the mixed strategy (c 1,..., c n ) such that c 0 = j [n] a ijc j is minimum among all strategies. Maximizer chooses a mixed strategy (r 1,..., r m ). Its payoff is i [m] r ia ij if minimizer plays pure strategy j. If minimizer knows (r 1,..., r m ), it will choose j such that i [m] r ia ij is minimum. Maximizer wishes to choose the mixed strategy (r 1,..., r m ) such that r 0 = i [m] r ia ij is maximum among all strategies. Computational Complexity, by Y. Fu Hardness Amplification 13 / 90

15 The Min-Max Theorem says that Minimizer has an optimal strategy (c 1,..., c n ) and Maximizer has an optimal strategy (r 1,..., r m ) such that c 0 = r 0, called the value of the game. Computational Complexity, by Y. Fu Hardness Amplification 14 / 90

16 Impagliazzo s Hardcore Lemma Suppose 0 < δ < 1. A distribution H over {0, 1} n has density-δ if for every x {0, 1} n. Pr[H = x] 1 δ 1 2 n R. Impagliazzo. Hard-Core Distributions for Somewhat Hard Problems. FOCS, Computational Complexity, by Y. Fu Hardness Amplification 15 / 90

17 Impagliazzo s Hardcore Lemma Lemma (Impagliazzo, 1995). Suppose δ (0, 1), ɛ > 0 and f : {0, 1} n {0, 1}. If H 1 δ avg (f ) S then there exists a density-δ distribution H such that for every circuit C of size at most ɛ 2 100n S, Pr x RH[C(x) = f (x)] ɛ. Every hard boolean function has a fraction of the input set, the hardcore set, on which the function is extremely hard. Computational Complexity, by Y. Fu Hardness Amplification 16 / 90

18 The lemma can be interpreted in terms of a zero-sum game. 1. Minimizer s pure strategy is a density-δ distribution H, which is a mixed strategy of flat distributions. 2. Maximizer s pure strategy is a circuit C of size ɛ2 100n S. The value of the game is Pr x RH[C(x) = f (x)]. A distribution over {0, 1} n is K-flat if it is the uniform distribution over a subset of {0, 1} n with size K. Maximizer s mixed strategy is a distribution C over circuits of size bounded by ɛ2 100n S. Computational Complexity, by Y. Fu Hardness Amplification 17 / 90

19 If H 1 δ avg (f ) S then there exists a density-δ distribution H such that for every circuit C of size at most ɛ 2 100n S, Pr x RH[C(x) = f (x)] ɛ. Impagliazzo s Hardcore Lemma says that Minimizer has an optimal strategy H, using which its loss is bounded by ɛ. I.e., ( max C ) min Pr C C,x H RH[C(x) = f (x)] ɛ. Computational Complexity, by Y. Fu Hardness Amplification 18 / 90

20 According to von Neumann s Min-Max Theorem, one only has to prove that Maximizer has an optimal mixed strategy C such that Pr C C,x RH[C(x) = f (x)] ɛ holds for some density-δ strategy. Computational Complexity, by Y. Fu Hardness Amplification 19 / 90

21 Towards a contradiction, assume that for the mixed strategy C, Pr C RC,x RH[C(x) = f (x)] > ɛ (1) holds for every density-δ distribution H. Call x {0, 1} n bad if Pr C C [C(x) = f (x)] ɛ and good o.w. There are < δ2 n bad x s; otherwise we could let H be the uniform distribution on the bad x s, which would fail (1). Computational Complexity, by Y. Fu Hardness Amplification 20 / 90

22 Construction of C. 1. Pick up C 1,..., C t R C independently. 2. For each x, let C(x) be the majority of C 1 (x),..., C t (x). Let t = 50n ɛ 2. Consequently C < S. By Chernoff bound, Pr C1,...,C t RC[C(x) f (x)] < 2 n for every good x. Using union bound, C. C(x) = f (x) for all good x s. Pr x RU n [C(x) = f (x)] > 1 δ since there are < δ2 n bad x s. This contradicts to the assumption H 1 δ avg (f ) S. Computational Complexity, by Y. Fu Hardness Amplification 21 / 90

23 Proof of Yao s XOR Lemma Suppose f : {0, 1} n {0, 1} and 0 < δ < 1 2 and ɛ > 2(1 δ)k. Assume towards a contradiction that H 1 δ avg (f ) S and C is of size S = ɛ2 400nS such that Pr (x1,...,x k ) RU k n [C(x 1,..., x k ) = k f (x i )] 1 + ɛ. (2) 2 i=1 Computational Complexity, by Y. Fu Hardness Amplification 22 / 90

24 Proof of Yao s XOR Lemma Let H be the density-δ distribution of Impagliazzo s Lemma. Impagliazzo s proof of Yao s Lemma makes use of the observation that U n can be generated from a density-δ distribution. Toss a biased coin whose Head comes up with probability δ. If the coin comes up Head, then pick up an x H {0, 1} n. If the coin comes up Tail, then pick ( up an x G {0, 1} n, where G is defined by Pr[G = x] = δ 2 δpr[h = x] ). n We can now write U n = (1 δ)g + δh. Computational Complexity, by Y. Fu Hardness Amplification 23 / 90

25 Proof of Yao s XOR Lemma Let (U n ) k be the distribution of picking up independently and uniformly k strings from {0, 1} n. Using the previous notation, (U n ) k = (1 δ) k G k + (1 δ) k 1 δg k 1 H δ k H k. Let P G k 1 H for example denote [ Pr (x1,...,x k ) RG k 1 H C(x 1,..., x k ) = ] k f (x i ). i=1 It follows from (2) that ɛ (1 δ)k P G k + (1 δ) k 1 δp G k 1 H δ k P H k < ɛ 2 + (1 δ)k 1 δp G k 1 H δ k P H k. Computational Complexity, by Y. Fu Hardness Amplification 24 / 90

26 Proof of Yao s XOR Lemma By averaging principle we may assume wlog that ɛ 2 < P G k 1 H, Pr x1,...,x k 1 RG,x k RH[C(x 1,..., x k ) = k f (x i )] > ɛ 2. i=1 Using averaging principle again, some x 1,..., x k 1 exist such that Pr xk RH[C(x 1,..., x k ) = k f (x i )] > ɛ 2, i=1 meaning that we have an S -sized circuit calculating f on inputs chosen according to H with probability better than ɛ 2. This contradicts to the assumption that H is a hardcore. Computational Complexity, by Y. Fu Hardness Amplification 25 / 90

27 Error Correcting Code Computational Complexity, by Y. Fu Hardness Amplification 26 / 90

28 Shannon s 1948 paper laid the foundation of Information Theory. A Mathematical Theory of Communication. Bell System Technical Journal 27(3): , Computational Complexity, by Y. Fu Hardness Amplification 27 / 90

29 As a major application of Shannon s theory, Coding Theory studies coding techniques for efficient and robust data transmission. Data compression (source coding) Error correction (channel coding) Richard Hamming pioneered the second field and invented the first error correcting code, now known as Hamming Code. Error Detecting and Error Correcting Codes. Bell System Technical Journal 29(2): , Computational Complexity, by Y. Fu Hardness Amplification 28 / 90

30 By introducing redundancy an error correcting code allows receiver to correct errors without retransmission. Technically an error-correcting code maps two distinct strings to two very different strings. It amplifies message differences. Computational Complexity, by Y. Fu Hardness Amplification 29 / 90

31 The fractional Hamming distance (x, y) of x, y {0, 1} m is defined by (x, y) = 1 m {i x i y i }. A function E : {0, 1} n {0, 1} m is an error-correcting code (ECC) with distance δ [0, 1], if (E(x), E(y)) δ whenever x y. {E(x) x {0, 1} n } is the set of codewords of E. If a code has distance δ, then a codeword with no more than δ 2 of its coordinates corrupted can be uniquely recovered. We shall always understand δ 2 as δ 2. Computational Complexity, by Y. Fu Hardness Amplification 30 / 90

32 Explicit Code We need explicit functions E : {0, 1} n {0, 1} m that can be encoded and decoded efficiently. There is a poly(m) algorithm to compute E. There is a poly(m) algorithm to compute x from y such that (y, E(x)) δ 2. Computational Complexity, by Y. Fu Hardness Amplification 31 / 90

33 Walsh-Hadamard Code The Walsh-Hadamard function WH : {0, 1} n {0, 1} 2n encodes a string of length n by a linear function in n variables over GF(2): WH(u) : x u x, where u x = n i=1 u iy i (mod 2). Walsh-Hadamard Code is a binary linear block code with distance 1 2 and block length 2n, where n is the message length. The rate of the code is 2n n. Computational Complexity, by Y. Fu Hardness Amplification 32 / 90

34 Linear block codes exploit the algebraic properties of finite fields. They can be decoded in P-time to their block length. Reed-Solomon Code defined next is a non-binary linear block code. Computational Complexity, by Y. Fu Hardness Amplification 33 / 90

35 Reed-Solomon Code The idea is to interpret a length n message as the coefficients of a degree n 1 polynomial P(x) over a finite field F and create a length m codeword by over-sampling P(x) at m distinct points. The message is recovered from the codeword by interpolation. Let F be a finite field and n m F. The Reed-Solomon Code RS : F n F m maps a 1... a n onto b 1... b m where b j = A(f j ), where A(x) = a 1 + a 2 x +..., a n x n 1, f 1,..., f m F are pairwise distinct. The code is q-ary if F = GF(q). Lemma. Reed-Solomon Code RS : F n F m has distance 1 n 1 m. Computational Complexity, by Y. Fu Hardness Amplification 34 / 90

36 Reed-Solomon Code The Reed-Solomon Code is the linear transformation defined by the generator matrix, in fact the transpose of the Vandermonde matrix. 1 f 1... f n 2 1 f n f i... f n 2 i f n 1 i f m. f n 2 m f n 1 m a 1. a i. a n = b 1. b j. b m Computational Complexity, by Y. Fu Hardness Amplification 35 / 90

37 Decoding Reed-Solomon Code Theorem (Berlekamp-Welsh, 1986). There is a P-time algorithm that, given a list {(f j, b j )} j [m] F F, outputs G : F n F m such that {G(f i ) = b i } i I with I [m] and I m+n+1 2. Reed-Solomon Code is an ECC with distance m n+1 m. If the number of corrupted bits is ρm 1 m n+1 2 m m = m n+1 2, then there is an efficient decoder. Computational Complexity, by Y. Fu Hardness Amplification 36 / 90

38 Decoding Reed-Solomon Code We look for an (n 1)-degree polynomial G(x) such that G(f i ) = b i holds for a subset of [m] of size I. Let E(x) be the m n 1 2 -degree non-zero error locator polynomial such that G(f i )E(f i ) = b i E(f i ) (3) holds for all i [m]. Intuitively E(f i ) = 0 if G(f i ) b i. We linearize the left hand of (3) by an m+n 3 2 -degree polynomial C(f i ) = b i E(f i ), producing m linear equations in m variables. C(x) and E(x) solved. We get G(x) by solving the equations {G(f i ) = b i } i [m] E(fi ) 0. Computational Complexity, by Y. Fu Hardness Amplification 37 / 90

39 Reed-Muller Code Let F be a finite field, and let l, d be numbers such that d < F. The Reed-Muller Code RM : F (l+d d ) F F l maps P(x 1,..., x l ) = c i1,...,i l x i x i l l, i i l d an l-variate polynomial over F of degree d, onto the string (P(x 1,..., x l )) x1,...,x l F. The combination of buying d, respectively d items from a shop selling l kinds of items is ( ) ( l+d 1 d, respectively l+d ) d. RM has distance 1 d F by Schwartz-Zippel Lemma. RM is a generalization of WH (F={0, 1}, d=1) and RS (l=1). Computational Complexity, by Y. Fu Hardness Amplification 38 / 90

40 Concatenated Code Dave Forney (1967) pointed out that one can combine two codes to get one gaining the virtues of both. Suppose E 1 : {0, 1} n Σ m and E 2 : Σ {0, 1} k are ECC s with distance δ 1 and δ 2 respectively. The concatenated code E 2 E 1 : {0, 1} n {0, 1} mk with distance δ 1 δ 2 maps x onto E 2 (E 1 (x) 1 )... E 2 (E 1 (x) m ). E 1 is the outer code, and E 2 is the inner code. Computational Complexity, by Y. Fu Hardness Amplification 39 / 90

41 Concatenated Code Consider RS : {0, 1} n log F = F n F m and WH : F {0, 1} F. WH(RS(x)) = WH(RS(x) 1 )... WH(RS(x) n ). Computational Complexity, by Y. Fu Hardness Amplification 40 / 90

42 Decoding Concatenated Code Suppose E 1 : {0, 1} n Σ m and E 2 : Σ {0, 1} k are ECC s with distance δ 1 and δ 2 respectively. A decoder for E 2 E 1 : {0, 1} n {0, 1} mk can handle δ 1 δ 2 errors. Computational Complexity, by Y. Fu Hardness Amplification 41 / 90

43 Local Decoding Computational Complexity, by Y. Fu Hardness Amplification 42 / 90

44 How do we apply ECC technique to study hardness amplification? Computational Complexity, by Y. Fu Hardness Amplification 43 / 90

45 A function f : {0, 1} n {0, 1} is identified to a string in {0, 1} 2n. Let E : {0, 1} 2n {0, 1} 2cn be an ECC with distance δ. Both E(f ) and a circuit D approximating E(f ) are functions of type {0, 1} cn {0, 1}. If (D, E(f )) δ 2, then f can be recovered from D. In other words, if f is hard to compute in the worst case, E(f ) is hard to compute in the average case. Important. We do not have to output E(f ), which is too long. We only need to be able to compute f, which amounts to calculating the single bit f (x) given x. Computational Complexity, by Y. Fu Hardness Amplification 44 / 90

46 A locally decodable code is an error-correcting code that allows a single bit of the original word to be recovered with high probability by only querying a small number of bits of a corrupted codeword. Computational Complexity, by Y. Fu Hardness Amplification 45 / 90

47 Local Decoder Let E : {0, 1} n {0, 1} m be an ECC and q N and ρ (0, 1). A local decoder for E of q queries handling ρ errors is a PTM that, given some j [n] and y {0, 1} m such that (y, E(x)) < ρ for some x {0, 1} n, makes q random accesses to y and outputs in polylog(m) time x j with probability 2 3. By random access to y we mean that for each i [m] the bit y i can be fetched in polylog(m) time. Computational Complexity, by Y. Fu Hardness Amplification 46 / 90

48 Local Decoder for Walsh-Hadamard Theorem. For every ρ < 1 4 decoder handling ρ errors. the Walsh-Hadamard code has a local The following algorithm makes two random queries to corrupted f : Input: j [n], f {0, 1} 2n st x {0, 1} n.pr y [f (y) x y] ρ < 1 4. Output: x j with probability 1 2ρ. 1. Choose y R {0, 1} n. 2. Output f (y) + f (y + e j ). By union bound the following hold with probability 1 2ρ. f (y) + f (y + e j ) = x y + x (y + e j ) = x e j = x j. Computational Complexity, by Y. Fu Hardness Amplification 47 / 90

49 Local Decoder for Reed-Muller Theorem. Suppose F is a finite field and l, d are numbers. There is a poly( F, l, d) time local decoder for the Reed-Muller ECC handling (1 d F )/6 errors. An l variable degree-d polynomial P is (represented by) a list of values on its first ( ) l+d d inputs. RM(P) is a list of values on all F l inputs. We prove that given x F l and a corrupted version of RM(P) we can efficiently recover P(x) with high probability. Computational Complexity, by Y. Fu Hardness Amplification 48 / 90

50 Input: x F l, f F Fl st Pr x F l[f (x) P(x)] < ρ = (1 d F )/6. Output: P(x) with probability 2/3. 1. Choose r R F l. 2. Query f on the random elements of {x + t r} t F. 3. Run Reed-Solomon Decoder to obtain Q(v) = P(x + v r). 4. Output Q(0). f and P differ in < ρ F elements of F l. By Markov inequality the probability that f and P differ in at least 3ρ F = (1 d F ) F /2 such points is < 1 3. With 2 d 3 probability f and P differ in less than a (1 F )/2 fraction of the points. Notice that 1 d F is the distance of the Reed-Solomon code decoded in Step 3. Computational Complexity, by Y. Fu Hardness Amplification 49 / 90

51 Local Decoder for Concatenated Code Theorem. Let E 1 : {0, 1} n Σ m and E 2 : Σ {0, 1} k be ECC s with local decoders of q 1, resp. q 2 queries and ρ 1, resp. ρ 2 errors. Then there is a local decoder of O(q 1 q 2 log(q 1 ) log Σ ) queries handling ρ 1 ρ 2 errors for the concatenated code E 2 E 1. Less than a ρ 1 fraction of the length k blocks in y can be of distance > ρ 2 from the corresponding blocks in E 2 (E 1 (x)). Computational Complexity, by Y. Fu Hardness Amplification 50 / 90

52 Hardness Amplification Using Local Decoding Computational Complexity, by Y. Fu Hardness Amplification 51 / 90

53 A local decoder is a random algorithm. We need to derandomize it in order to talk about worst case hardness. Computational Complexity, by Y. Fu Hardness Amplification 52 / 90

54 BPP P /poly. If f (x) {0,1} n can be computed in P-time probabilistically, it can be computed by a P-size circuit exactly. Computational Complexity, by Y. Fu Hardness Amplification 53 / 90

55 Worst Case Hardness Mild Hardness Theorem. Let S : N N, f E and H wrs (f )(n) S(n) for all n. There are g E and c > 0 such that H 0.99 avg (g)(n) S(n/c)/n c for every sufficiently large n. A function f : {0, 1} n {0, 1} is seen as a string in {0, 1} 2n. Let E : {0, 1} N {0, 1} Nc be an ECC, where N = 2 n. Let g(x) = E(f )(x) for x {0, 1} cn = N c. For g to satisfy the property of the theorem, we need the following: There is a local decoder for E that uses polylog(n c ) running time and queries and can handle a 0.01 fraction of errors. E = DTIME(2 O(n) ). Computational Complexity, by Y. Fu Hardness Amplification 54 / 90

56 Worst Case Hardness Mild Hardness Suppose g : {0, 1} cn {0, 1} were computed by a circuit D of size < S(cn/c)/(cn) c and is correct on 99% of the inputs. By definition a local decoder for E calculates in poly(n) time f : {0, 1} n {0, 1} with probability 2 3. The local decoder queries D for a poly(n) times. By BPP P /poly a decoder can be implemented by a circuit of poly(n) size that calculates f exactly. So the local decoding can be done by a circuit of size S(n). Conclude that f could be calculated by a circuit of size < S(n), contradicting to the assumption. Computational Complexity, by Y. Fu Hardness Amplification 55 / 90

57 Worst Case Hardness Mild Hardness E = WH RM. 1. The Reed-Muller code RM is given by the following parameters: F = log 5 (N), l = log(n)/ log log(n), d = log 2 (N). Our RM is of type F (l+d d ) F F l. Since ( ) l+d d > N, by padding we may restrict RM to {0, 1} N. F F l = ({0, 1} log F ) F l = ({0, 1} 5 log log(n) ) N5. 2. The Walsh-Hadamard code WH is of type F = {0, 1} log F = {0, 1} 5 log log N {0, 1} log5 (N) = {0, 1} F. Hence E : {0, 1} N {0, 1} N6. Computational Complexity, by Y. Fu Hardness Amplification 56 / 90

58 By combining with Yao s XOR Lemma, we can promote a worst case hardness to a strong (average case) hardness. Computational Complexity, by Y. Fu Hardness Amplification 57 / 90

59 Theorem. Let S : N N be monotone and time constructible. If there are d (0, 1) and f E such that H wrs (f )(n) S(n), then there exists f E such that H avg ( f )(n) S( n) d. By the previous theorem, H 0.99 avg (g)(n) S (n) = S(n/c)/poly(n) for some g E and every sufficiently large n. Consider g k where k = c log S (n) for a sufficiently small c. 2(1 δ) k = 2, where d = c log By Yao s Lemma, S (n) d S (n) d 2 Havg (g k (n)) 1 400n 4 S H0.99 (n) 2d avg (g(n)) S (n) d. 2 It follows that H avg (g k )(n) S (n) d 2 S( n) d for large n. Yao s Lemma. If ɛ > 2(1 δ) k then H 1 2 +ɛ avg (h k ) ɛ2 400n H1 δ avg (h). Computational Complexity, by Y. Fu Hardness Amplification 58 / 90

60 Can strong hardness amplification be achieved directly using ECC? Computational Complexity, by Y. Fu Hardness Amplification 59 / 90

61 List Decoding Computational Complexity, by Y. Fu Hardness Amplification 60 / 90

62 How do we handle errors larger than half the distance? There are many words whose codewords fall into the region. Johnson Bound points out however that the number of such codewords cannot be too large. Sometimes in applications we can afford the time to compute all candidate codewords. Computational Complexity, by Y. Fu Hardness Amplification 61 / 90

63 We can then single out the original message from a list of candidate messages using additional information. For example we can pin down a polynomial from a finite number of polynomials using a pair (x 0, y 0 ). Computational Complexity, by Y. Fu Hardness Amplification 62 / 90

64 Johnson Bound Theorem (Johnson, 1962). If E : {0, 1} n {0, 1} m is an ECC with distance 1 2 ɛ, then for every y {0, 1}m and δ ɛ, 1 there are at most codewords y 2δ 2 1,..., y l such that (y, y i ) 1 2 δ for every i [l]. Computational Complexity, by Y. Fu Hardness Amplification 63 / 90

65 Suppose y, y 1,..., y l satisfy the property of the theorem. Define z 1,..., z l R m by { 1, if yi (k) = y(k), z i (k) = 1, otherwise. Since (y, y i ) 1 2 δ, m z i (k) k=1 ( ) ( ) δ m 2 δ m = 2δm. If i j, then (y i, y j ) 1 2 ɛ implies that m ( ) ( ) 1 1 z i, z j = z i (k)z j (k) 2 + ɛ m 2 ɛ m = 2ɛm 2δ 2 m. k=1 Computational Complexity, by Y. Fu Hardness Amplification 64 / 90

66 Set w = l i=1 z i. Then m k=1 w(k) = m k=1 l i=1 z i(k) 2δml, m w, w = w(k) 2 = k=1 l i=1 z i, z i + i j z i, z j ml + 2δ 2 ml 2. By Jensen s Inequality, ( ) 2 1 m w(k) 1 m m k=1 m k=1 Now l 1 2δ 2 follows from 4δ 2 l 2 l + l 2 2δ 2. w(k) 2 = 1 w, w. m Jensen s Inequality. f (E[X ]) E[f (X )] for random variable X and convex function f. A function f : R R is convex if for every p [0, 1] and all x, y R, f (px + (1 p)y) pf (x) + (1 p)f (y). Computational Complexity, by Y. Fu Hardness Amplification 65 / 90

67 For explicit codes there are list decoding algorithms that can tolerate a corruption rate well above 50%. Computational Complexity, by Y. Fu Hardness Amplification 66 / 90

68 Madhu Sudan provided the first list decoding algorithm for the Reed-Solomon Code. Decoding of Reed-Solomon Codes beyond the Error Correction Bound. FOCS Computational Complexity, by Y. Fu Hardness Amplification 67 / 90

69 List Decoding Reed-Solomon Sudan s algorithm can handle a corruption up to 1 2 n/m. This is surprising since 1 2 n/m can be very close to 1. Theorem (Sudan, 1996). There is a P-time algorithm that, given a set {(f i, b i )} m i=1 F2, returns the set of all degree n polynomial G such that {i G(f i ) = b i } > 2 mn. f 1,..., f m are the distinct points of the code, and b 1... b m is the codeword. The candidates are the G(x) s guaranteed by the theorem. A list decoding algorithm runs in P-time to the block length. Computational Complexity, by Y. Fu Hardness Amplification 68 / 90

70 Algorithm: Interpolation + Factorization 1. Find a bivariate polynomial Q(x, y) with degree mn in x and m/n in y such that Q(f i, b i ) = 0 for all i [m]. The number of coefficient is ( mn + 1)( m/n + 1) > m. The m linear equations have nonzero solutions. 2. Factorize Q(x, y). 3. If y G(x) is a factor, check if G(x) has degree n and G(f i ) = b i for > 2 mn pairs. If so, output G(x). 1. A. Lenstra, H. Lenstra, L. Lovász. Factoring Polynomials with Rational Coefficients. Mathematische Annalan, E. Kaltofen. A Polynomial Reduction from Bivariate to Univariate Integer Polynomial Factorization. FOCS, E. Kaltofen. A Polynomial Reduction from Multivariate to Bivariate Integer Polynomial Factorization. STOC, Computational Complexity, by Y. Fu Hardness Amplification 69 / 90

71 Correctness Fact. If a degree n polynomial G(x) agrees with {(f i, b i )} m i=1 in more than 2 mn places, then y G(x) is a factor of Q(x, y). 1. Q(x, G(x)) has degree mn + n m/n = 2 mn. 2. Q(x, G(x)) = 0 since Q(x, G(x)) = 0 has > 2 mn solutions. 3. Q(x, y) = (y G(x))A(x, y) + R(x) for some A(x, y), R(x). 4. R(x) = 0 by substituting G(x) for y in the equality. Conclude that y G(x) is a factor of Q(x, y). Remark. There are no more than m/n candidate G(x) s. Computational Complexity, by Y. Fu Hardness Amplification 70 / 90

72 Local List Decoding Computational Complexity, by Y. Fu Hardness Amplification 71 / 90

73 To make use of list decoding for hardness amplification, we need to provide local list decoding algorithms for the codes we use. Computational Complexity, by Y. Fu Hardness Amplification 72 / 90

74 Let E : {0, 1} n {0, 1} m be an ECC and let ρ = 1 ɛ for ɛ > 0. An algorithm D is a local list decoder for E handling ρ errors, if for every x {0, 1} n and y {0, 1} m satisfying (E(x), y) ρ, there exists a number i 0 [poly(n/ɛ)] such that for every j [n], on inputs i 0, j and with random access to y, D runs for poly(log(m)/ɛ) time and outputs x j with probability at least 2 3. y is the corrupted version of some codeword; x is a candidate for the original message of y. i 0 is the piece of the information that pins down x. [poly(n/ɛ)] is the number of candidate original messages. Computational Complexity, by Y. Fu Hardness Amplification 73 / 90

75 Local List Decoding of Walsh-Hadamard Theorem. The Walsh-Hadamard Code has a local list decoder handling 1 2 ɛ errors. This is essentially the proof of the Goldreich-Levin Theorem. Computational Complexity, by Y. Fu Hardness Amplification 74 / 90

76 Local List Decoding of Reed-Muller Theorem. The Reed-Muller Code has a local list decoder handling 1 10 d F errors. Algorithm: D runs in time poly( F, l, d). 1. Condition: f agrees with an l-variable d-degree polynomial P : F l F on 10 d F fraction of the inputs. 2. Input: random access to f : F l F, an index i 0 [F l+1 ], interpreted as a pair (x 0, y 0 ) F l F, and x F l. 3. Output: D(i 0, x) such that Pr[D(i 0, x) = P(x)] 2 3. i 0 = (x 0, y 0 ) is the outside information that allows one to pin down the candidate polynomial P(x) satisfying P(x 0 ) = y 0. Computational Complexity, by Y. Fu Hardness Amplification 75 / 90

77 Local List Decoding of Reed-Muller A local list decoder outputs P(x) with high probability for every x. The algorithm we will describe next only outputs P(x) with high probability for most x. This is sufficient since we can apply the local decoder for the Reed-Muller Code to get a proper local list decoder. Computational Complexity, by Y. Fu Hardness Amplification 76 / 90

78 Algorithm Reed-Muller Local List Decoder handling ρ 1 10 d F errors. 1. Condition: f agrees with an l-variable d-degree polynomial P : F l F on 10 d F fraction of the inputs, F > d 4 and d is large enough; 2. Input: random access to f : F l F, an index i 0 [F l+1 ], interpreted as a pair (x 0, y 0 ) F l F, and x F l ; 3. Output: y such that Pr coins,x F l[y = P(x)] 0.9. Computational Complexity, by Y. Fu Hardness Amplification 77 / 90

79 Algorithm The idea is to use Sudan s list decoder for Reed-Solomon Code. Input: x, corrupted f, and (x 0, y 0 ). Output: P(x) with high probability. 1. Transfer the multivariate polynomial P to the univariate polynomial G(z) = P(q(z)) such that G(0) = P(x); 2. Recover G(z) from f (q(z)); 3. Output G(0). Condition: r.q(r) = x 0, i.e. (r, y 0 ) is an index for G(z). Computational Complexity, by Y. Fu Hardness Amplification 78 / 90

80 Algorithm Step 1. Choose r R F. Step 2. Get a random degree-3 univariate polynomial q : F F l : a 1 b 1 c 1 x z 3 1 q : z.... z 2 z a l b l c l x l 1 such that q(0) = x and q(r) = x 0. Set L x,x0 = {q(t) t F}. Step 3. Query f on L x,x0 to get S x,x0 = {(t, f (q(t))) t F}. Step 4. Run Sudan s algorithm to get a list G 1,..., G k of 3d degree polynomials that agree with S x,x0 in at least 8 d F pairs. Step 5. Output G i (0) if!i.g i (r) = y 0 ; otherwise output nothing. Computational Complexity, by Y. Fu Hardness Amplification 79 / 90

81 If x 0 R F l and y 0 = P(x 0 ), Algorithm has an identical output to the output of Algorithm defined next. 1. In Algorithm, we randomly choose r, a, b and x In Algorithm, we randomly choose r, a, b, c. Notice that x 0 and c are correlated. Computational Complexity, by Y. Fu Hardness Amplification 80 / 90

82 Algorithm Step 1. Get a random degree-3 univariate polynomial q : F F l : a 1 b 1 c 1 x z 3 1 q : z.... z 2 z a l b l c l x l 1 such that q(0) = x. Set L x = {q(t) t F}. Step 2. Query f on L x to get S x = {(t, f (q(t))) t F}. Step 3. Run Sudan s algorithm to get a list G 1,..., G k of 3d degree polynomials that agree with S x in at least 8 d F pairs. Step 4. Choose r R F. Let y 0 = P(q(r)). [we do not know P] Step 5. Output G i (0) if!i.g i (r) = y 0 ; otherwise output nothing. Computational Complexity, by Y. Fu Hardness Amplification 81 / 90

83 We prove that Algorithm outputs P(x) with probability 0.9 over the choice of x 0 and the random choices of the algorithm. By averaging argument, there is some pair (x 0, y 0 ) such that Algorithm outputs P(x) with probability 0.9. Computational Complexity, by Y. Fu Hardness Amplification 82 / 90

84 Analysis of Algorithm Let q(z) = az 3 +bz 2 +cz+x where a, b, c are chosen randomly independently. Given x 0, z such that z 0, one has 1 Pr a RFPr b RFPr c RF[q(z)=x 0 ] = Pr a RFPr b RF F = 1 F. Given x 1 0, z 1, x 2 0, z 2 such that 0 z 1 z 2 0, one has a(z z 1 z 2 + z 2 2 ) + b(z 1 + z 2 ) + c = x 1 0 x 2 0 z 1 z 2. Now either z 1 + z 2 0 or z z 1z 2 + z Consequently Pr a RFPr b RFPr c RF[q(z 1 )=x 1 0 q(z 2 )=x 2 0 ] = 1 F 2. We conclude that q(z) is pairwise independent on points 0. Computational Complexity, by Y. Fu Hardness Amplification 83 / 90

85 Analysis of Algorithm 1. Suppose F = {f 1,..., f m }. Define the random variable X i by X i = { 1, if f (q(fi )) = P(q(f i )), 0, o.w. By assumption E[X i ] = 10 d/ F. Let X = m i=1 X i. Then E[X ] = 10 d F. With probability 0.99 the function f agrees with P on 8 d F points of L x since by Chebychev Ineq. [ Pr X < 8 ] d F [ = Pr 10 d F X > 2 ] d F [ X ] < Pr 10 d F > 2 d F [ X ] < Pr 10 d F > 2 d Var(X ) < 1/4d 2 < Computational Complexity, by Y. Fu Hardness Amplification 84 / 90

86 Analysis of Algorithm 2. Sudan s algorithm ensures that the list G 1,..., G k obtained in Step 3 contains G. 3. There cannot be more than F /3d polynomials in the list. See the remark on page Let d = 1000 and F > d 4. By union bound Pr r [G(r) G i (r)] 1 F 3d F > d Algorithm outputs G with probability > > 0.9. Computational Complexity, by Y. Fu Hardness Amplification 85 / 90

87 Concatenated Local List Decoder Let E 1 : {0, 1} n Σ m and E 2 : Σ {0, 1} k be local list decoders. E 1 takes an index in I 1 and handles 1 ɛ 1 errors. E 2 takes an index in I 2 and handles 1 ɛ 2 errors. The concatenated code E 2 E 1 : {0, 1} n {0, 1} mk takes an index in I 1 I 2 and handles 1 ɛ 1 ɛ 2 I 2 errors. Suppose y is a corrupted version of the codeword of x. There are at least ɛ 1 I 2 blocks that are ɛ 2 -correct. So there are at least ɛ 1 blocks upon which E 2 can output the correct symbols with high probability using some i 2 I 2. Computational Complexity, by Y. Fu Hardness Amplification 86 / 90

88 Hardness Amplification Using Local List Decoding Computational Complexity, by Y. Fu Hardness Amplification 87 / 90

89 Worst Case Hardness Strong Hardness Theorem. Let S : N N be monotone and time constructible. Let f E be such that H wrs (f )(n) S(n). Then there are some g E and c > 0 such that H avg (g)(n) S(n/c) 1 c for large n. A function f : {0, 1} n {0, 1} is seen as a string in {0, 1} 2n. 1. Let E : {0, 1} N {0, 1} Nc be an ECC, where N = 2 n. 2. Let g(x) = E(f )(x) for x {0, 1} cn = N c. Since we need to deal with corruption rate nearly 50%, we need E to have a local list decoder. Computational Complexity, by Y. Fu Hardness Amplification 88 / 90

90 Worst Case Hardness Strong Hardness E = WH RM. 1. The Reed-Muller code RM, which is of type F (l+d d ) F F l is given by the following parameters: F = S(n) δ, d = F, l = 2 log(n)/ log(d). 2. The Walsh-Hadamard code WH is of type Hence E : F (l+d d ) F F l+1. F = {0, 1} log F {0, 1} F. N = 2 n, n = cn and N = 2 cn. Wlog, d > (log N) 3 and S(n) < N and ( l+d d ) > ( d l )l. Computational Complexity, by Y. Fu Hardness Amplification 89 / 90

91 Worst Case Hardness Strong Hardness Suppose ɛ (0, 1) and g : {0, 1} cn {0, 1} could be computed by a size < S(n) ɛ circuit D correct on a fraction S(n) of inputs. ɛ By definition a local list decoder for E calculates in poly(s(n) δ ) time f : {0, 1} n {0, 1} with probability 2 3. By BPP P /poly a precise decoder can be implemented by a poly(s(n) δ ) size circuit. The local list decoder queries D for a poly(s(n) δ ) times. Consequently f could be calculated by a circuit of size less than poly(s(n) δ )S(n) ɛ < S(n) by hardwiring the index for f and by setting δ small enough, contradicting to the assumption. Computational Complexity, by Y. Fu Hardness Amplification 90 / 90