1 Robust PCPs of Proximity (Shorter PCPs, applications to Coding) Eli Ben-Sasson (Radcliffe) Oded Goldreich (Weizmann & Radcliffe) Prahladh Harsha (MIT) Madhu Sudan (MIT & Radcliffe) Salil Vadhan (Harvard & Radcliffe)

2 NP – Classical Proofs NP – Class of languages that have short proofs of membership NP – Class of languages that have short proofs of membership V (deterministic verifier) Proof x 2 L GraphColoring F ormu l a Á G rap h G Satisfiability Proof = 3 coloring Proof = Satisfying assignment Completeness: Soundness: x 2 L ) 9 ¼ ; V ( x ; ¼ ) = accep t x = 2 L ) 8 ¼ ; V ( x ; ¼ ) = re j ec t ( x _ y _ ¹ z ) ::: ( ¹ x _ y _ z ) ¼

3 PCP Theorem [AS ’92, ALMSS ’92] V (deterministic verifier) V (probabilistic verifier) PCP Theorem NP Proof Completeness: Soundness: x = 2 L ) 8 ¼ ; P r [ V ¼ ( x ) = 1 ] · 1 2 x 2 L ) 9 ¼ ; P r [ V ¼ ( x ) = 1 ] = 1 ¼ Parameters: 1.# random coins - O(log n) 2.# queries - constant 3.proof size - polynomial

4 PCPs - Significance Major impact on the study of combinatorial optimization Major impact on the study of combinatorial optimization Consequence: For many NP-hard combinatorial optimization problems, finding near-optimal solutions is also NP-hard Consequence: For many NP-hard combinatorial optimization problems, finding near-optimal solutions is also NP-hard Approximating MAXSAT to within a factor of (8/7 -  ), for any  > 0, is NP-hard Approximating MAXSAT to within a factor of (8/7 -  ), for any  > 0, is NP-hard (Will not dwell into consequence on combinatorial optimization)

5 Short PCPs? How long is the new PCP proof? How long is the new PCP proof? Old NP proof – n ; New PCP proof - ? Old NP proof – n ; New PCP proof - ? Why Short PCPs? Why Short PCPs? Upper bounds Upper bounds Cryptography Cryptography Computationally Sound Proofs and applications [Kil ’92, Mic ’94, CGH ’98, Bar ’01] Computationally Sound Proofs and applications [Kil ’92, Mic ’94, CGH ’98, Bar ’01] Coding Theory Coding Theory Locally testable codes [GS ’02, BSVW ’03, this paper] Locally testable codes [GS ’02, BSVW ’03, this paper] “Relaxed Locally Decodable Codes” [this paper] “Relaxed Locally Decodable Codes” [this paper]

6 Why Short PCPs? (Contd) Lower Bounds Lower Bounds Tightness of approximation algorithms with respect to running time Tightness of approximation algorithms with respect to running time e.g.: If SAT has a PCP of size n  then e.g.: If SAT has a PCP of size n  then + SAT 2 TIME ¡ 2 ­ ( n ) ¢ Approximating requires time at least MAXSAT 2 n 1 = ®

7 Short PCPs – Earlier Results [PS ’94] [PS ’94] Proof Size = n 1+ , query = O(1/) Proof Size = n 1+ , query = O(1/) (Constant hidden in big-O ¼ 10 6 ) [Hås ’97] [Hås ’97] Proof Size = n , query = 3; Proof Size = n , query = 3;

8 Short PCPs vs Query Complexity queries proof size [HS ’00] [GS ’02, BSVW ’03] This paper This paper n 3 + ² n ¢ 2 p l o g n n ¢ 2 ( l og n ) ² O ( 1 ² ) n ¢ 2 ( l og l og n ) c O ( 1 ) o ( l og l ogn ) 17 ( = n 1 + o ( 1 ) )

9 Our Main Results Main Theorem: Satisfiability of circuits of size n can be probabilistically verified By probing a proof of length By probing a proof of length in bit-locations. in bit-locations.OR By probing a proof of length By probing a proof of length in bit-locations. Previous PCPs required length proof size even when reading bit-locations [GS ’02, BSVW ’03] [GS ’02, BSVW ’03] n ¢ 2 ( l og n ) ² O ( 1 ² ) n ¢ 2 p l o g n n ¢ 2 ( l og l og n ) c o ( l og l ogn ) 2 p l og n

10 Proof Techniques New Definition: Robust PCP of Proximity New Definition: Robust PCP of Proximity New Composition Theorem New Composition Theorem Essential for short PCPs Essential for short PCPs simple, modular simple, modular Building Block Building Block

11 Robust PCP of Proximity and Composition Theorem

12 PCP – Definition (Recall) VLVL (probabilistic verifier) x- T h eorem Completeness: Soundness: x 2 L ) 9 ¼ ; P r [ V ¼ ( x ) = 1 ] = 1 ¼ x = 2 L ) 8 ¼ ; P r [ V ¼ ( x ) = 1 ] · 1 2 Parameters of Interest: size of proof (|   # queries (q ) |  | · q ¢ 2 rand

13 Why Composition? Don’t know to build PCPs with q = O(1) and Don’t know to build PCPs with q = O(1) and size = poly(n) directly size = poly(n) directly However, However, [AS ’92, ALMSS ’92] type of PCP: size = poly(n ) q = poly log n Verifier V [AS ’92, ALMSS ’92] “magically compose” verifier V with itself to obtain new verifier V © V with following parameters size = poly(n ) q = poly log log n V © V

14 Proof Composition, a la [AS ‘92] VLVL r = O ( l ogn ) q = po l y l ogn ¼ x Completeness: Soundness : x 2 L ) 9 ¼ ; P r [ V ¼ ( x ) = 1 ] = 1 x = 2 L ) 8 ¼ ; P r [ V ¼ ( x ) = 1 ] · 1 2 DRDR Consistency Check a 1 a 2 ::: a Q R Need to check if satisfy consistency check D R a 1 a 2 ::: a Q R Idea : Use a PCP verifier to check ! x 2 L ) 9 ¼ ; P r [ D R ( a 1 ::: a Q R ) = 1 ] = 1 x = 2 L ) 8 ¼ ; P r [ D R ( a 1 ::: a Q R ) = 1 ] · 1 2 R an d omco i ns- R

15 Proof Composition, Contd DRDR Consistency Check a 1 a 2 ::: a Q R Create language Check if using a PCP veriifier L R = f ( a 1 ;:::; a Q R ) j D R accep t s ( a 1 ;:::; a Q R ) g ( a 1 ;:::; a Q R ) 2 L R VLVL ¼ x VLRVLR ¼ R Problem: PCP verifier V L R needs to read all of theorem (input) Key Observation: “PCP Verifier barely looks at Theorem” [BFLS ’91] : Assume theorem is encoded and count #queries into theorem

16 [BFLS ’91] PCP Verifier (Holographic Proofs) V (probabilistic verifier) x- T h eorem Completeness: Soundness: ¼ Important: # queries = sum of queries into encoded theorem + proof E nc ( x ) - E nco d i ng x 2 L ) 9 ¼ ; P r [ V E nc ( x ) ; ¼ = 1 ] = 1 y ¡ f ar f rom E nc ( L ) ) 8 ¼ ; P r [ V y ; ¼ = 1 ] · 1 2 y

17 Proof Composition, Contd VLVL x VLRVLR ¼ R a 1 a 2 ::: a Q R ¼ E nc ( a 1 a 2 ::: a Q R ) Problem: Need to check and are consistent. Semantics of arranging this is complex. Earlier performed by “parallelization” – costly in randomness (large proof size) ( a 1 ;:::; a Q R ) E nc ( a 1 a 2 ::: a Q R ) Idea: Remove restriction that theorem is encoded !

18 PCP of Proximity (PCPP) V (probabilistic verifier) x- T h eorem Completeness: Soundness: ¼ # queries = sum of queries into theorem + proof Theorem in un-encoded format  – proximity parameter x 2 L ) 9 ¼ ; P r [ V x ; ¼ = 1 ] = 1 ¢ ( x ; L ) > ± ) 8 ¼ ; P r [ V x ; ¼ () = 1 ] · 1 2 x = 2 L ) 8 ¼ ; P r [ V x ; ¼ () = 1 ] · 1 2

19 Composition again VLVL VLRVLR ¼ R a 1 a 2 ::: a Q R ¼ x Completeness: Soundness : Problem: Need to distinguish between & PCPP distinguishes between & ( a 1 ;:::; a Q R ) 2 L R ( a 1 ;:::; a Q R )= 2 L R ( a 1 ;:::; a Q R ) 2 L R ± ¡ f ar f rom L R Strengthen soundness condition of verifier V L x 2 L ) 9 ¼ ; P r [( a 1 ;:::; a Q R ) 2 L R ] = 1 x = 2 L ) 8 ¼ ; P r [( a 1 ;:::; a Q R )= 2 L R ] > 1 2

20 PCP of Proximity PCP of Proximity V  Completeness: Soundness: DRDR Consistency Check Robust Soundness:  - robustness parameter of robust-PCPP (Robust-PCPP) New! Robust  x a 1 a 2 : a Q R x 2 L ) 9 ¼ ; P r [ D R ( a 1 ;:::; a Q R ) = 1 ] = 1 ¢ ( x ; L ) > ± ) 8 ¼ ; P r [ D R ( a 1 ;:::; a Q R ) = 1 ] · 1 2 ¢ ( x ; L ) > ± ) 8 ¼ ; P r [( a 1 ;:::; a Q R ) i s½- f ar f rom L R ] > 1 2

21 Composition Theorem V OUT  V IN  R1  Rm New PCPP Proof for V COMP = ( ,  R1,…..,  Rm ) V OUT + V IN = V COMP Randomness: r COMP = r OUT + r IN Robustness:  COMP =  IN Proximity:  COMP =  OUT Queries: q COMP = q IN x V IN Req. of Inner Verifier:  IN (proximity) <  OUT (robustness)

22 Advantages of PCPPs Give shortest known PCPs Give shortest known PCPs Allow natural self-composition Allow natural self-composition Simpler constructions of PCPs (no parallelization) Simpler constructions of PCPs (no parallelization) Coding applications: Coding applications: Simple, highly efficient Locally Testable Codes Simple, highly efficient Locally Testable Codes Simple, highly efficient Relaxed Locally Decodable Codes Simple, highly efficient Relaxed Locally Decodable Codes Any efficient property is locally testable (with a little bit of help) Any efficient property is locally testable (with a little bit of help)

23 PCPPs – Brief History Holographic proofs - PCPPs where assignment x Holographic proofs - PCPPs where assignment x is encoded. [BFLS ’91] is encoded. [BFLS ’91] PCPP - implicit in low-degree tests PCPP - implicit in low-degree tests [RS ’92, ALMSS ’92] [RS ’92, ALMSS ’92] PCPPs - special case of “PCP Spot Checkers” PCPPs - special case of “PCP Spot Checkers” [EKR ’99] [EKR ’99] PCPP – extension of Property Testing PCPP – extension of Property Testing [RS ’92, GGR ’96] [RS ’92, GGR ’96] Assignment Testers of [DR ’03] similar to PCPPs. Assignment Testers of [DR ’03] similar to PCPPs.

24 Building Block

25 Robust PCPPs constructions Most existing PCP constructions can be modified to obtain robust PCPs of Proximity Most existing PCP constructions can be modified to obtain robust PCPs of Proximity However, the parameters of such robust-PCPPs do not satisfy our needs However, the parameters of such robust-PCPPs do not satisfy our needs So, build robust PCPP from scratch So, build robust PCPP from scratch

26 Bird’s eye-view of PCP construction F m F m f f 2 PCP Construction: Sequence of function evaluations, f i : F m ! F Checks performed by verifier Each function f i : F m ! F is a low-degree polynomial Input Consistency: f 1 ¼ input Each f i+1 is obtained consistently from f i e.g.: f i+1 (x) = f i (x) ¢ f i (x+1) final function f r :F m ! F is identically zero i.e., f r ´ 0 How to test if a function is a low-degree polynomial ? Input: Evaluation of function f at each point in F m Need to check if evaluation of f is close to the evaluation of a low-degree polynomial f r F m

27 Low Degree Polynomials Main Tool – Low Degree Polynomial over Finite Fields Main Tool – Low Degree Polynomial over Finite Fields (Reed-Muller Codes) (Reed-Muller Codes) F - finite field, f : F m ! F, m-variate polynomial over F, deg( f ) = maximal degree of monomial in f F - finite field, f : F m ! F, m-variate polynomial over F, deg( f ) = maximal degree of monomial in f l f : F m ! F [Schwartz-Zippel] [Schwartz-Zippel] If f  g have degree < d, then If f  g have degree < d, then Fact: Fact: If deg( f ) < d and l – line, then f restricted to line l is a univariate polynomial of degree < d. If deg( f ) < d and l – line, then f restricted to line l is a univariate polynomial of degree < d. P r [ f ( x ) = g ( x )] · d j F j

28 Low Degree Test (LDT) Robust Soundness of LDT [RS ’92, ALMSS ’92] Robust Soundness of LDT [RS ’92, ALMSS ’92] f :F m ! F is  -far from low degree, then Pr l [ f | l is far from being low-degree ] > () Amount of Randomness Required: Amount of Randomness Required: [RS ’92, ALMSS ’92] 2 points – 2 log | F m | [RS ’92, ALMSS ’92] 2 points – 2 log | F m | [BSVW ’03] derandomized set of lines ¼ log | F m | [BSVW ’03] derandomized set of lines ¼ log | F m | Input: Table of evaluations of f at each point of F m Output: Is f low-degree? Choose a random line l Read f along line l Check that restriction of f along l is a univariate low-degree polynomial l f : F m ! F

29 Robust LDTs via Bundling f 1 f 2 f r Each LDT performed separately Each LDT performed separately Possible to cheat by having just one of f i not low-degree Possible to cheat by having just one of f i not low-degree NOT ROBUST NOT ROBUST Bundle evaluations of diff. polys. together and perform LDTs in parallel (bundling) Bundle evaluations of diff. polys. together and perform LDTs in parallel (bundling) PCPP  on query x returns (f 1 (x),f 2 (x),…, f r (x)) PCPP  on query x returns (f 1 (x),f 2 (x),…, f r (x)) Robust over larger alphabet F r Can use error-correcting code to make robust over binary alphabet. Can use error-correcting code to make robust over binary alphabet. PCPP  on query x returns ECC(f 1 (x),f 2 (x),…, f r (x)) PCPP  on query x returns ECC(f 1 (x),f 2 (x),…, f r (x))

30 Building Block - Robust-PCPP Randomness: Randomness: # Queries : # Queries : Robustness Parameter Robustness Parameter Proximity Parameter Proximity Parameter 1 2 l ogn + O ( l og l ogn ) cons t an t p n ¢ po l y l og n

31 Applications to Coding Locally Testable Codes Relaxed-Locally Decodable Codes

32 Locally Testable Codes Lower Bounds Lower Bounds [BHR ’03] Random LDPC Codes are not LTCs [BHR ’03] Random LDPC Codes are not LTCs LTC Constructions LTC Constructions [GS ’02, BSVW ’03] [GS ’02, BSVW ’03] This paper This paper k ¡ ! k ¢ 2 p l og k k ¡ ! k ¢ 2 ( l og k ) ² T constant # queries w w – codeword: w – codeword: Tester T accepts with probability 1 Tester T accepts with probability 1 w - far from codeword: w - far from codeword: Tester T accepts with low probability Tester T accepts with low probability Tester

33 Locally Decodable Codes Hadamard – locally decodable, but poor rate Hadamard – locally decodable, but poor rate Upper Bound: [BIKR ’02] n · 2 O(k) Upper Bound: [BIKR ’02] n · 2 O(k) Lower Bound: [KT ’00] n ¸ k (1) Lower Bound: [KT ’00] n ¸ k (1) D constant # queries c i th mesg bit? r corruption If less than  n bits corrupted, for all message bits i P r [ D r ( i ) = m i ] ¸ 3 4

34 Relaxed Locally Decodable Codes New! This paper: For every  > 0, there exist relaxed- LDCs with This paper: For every  > 0, there exist relaxed- LDCs with D constant # queries c i th mesg bit? r corruption If less than  n bits corrupted, for “most’’ message bits i P r [ D r ( i ) = m i ] ¸ 3 4 For remaining bits P r [ D r ( i ) = ? ] ¸ 3 4 k ¡ ! k 1 + ²

35 Summary of results Defined: Robust PCP of proximity Defined: Robust PCP of proximity Strengthened definition of standard PCPs Strengthened definition of standard PCPs Composition Theorem Composition Theorem simple, modular simple, modular Simpler constructions of PCPs Simpler constructions of PCPs Coding applications: Coding applications: Locally Testable Codes Locally Testable Codes Relaxed Locally Decodable Codes Relaxed Locally Decodable Codes

36 The End