1 Private codes or Succinct random codes that are (almost) perfect. Michael Langberg, California Institute of Technology.
2 Coding theory. Error correcting codes: C: {0,1}^k → {0,1}^n. [Figure: A encodes w in {0,1}^k as C(w) in {0,1}^n; noise turns it into c; B decodes c back to w.]
3 Consider: 2 types of channels. Design of C depends on properties of the channel. BSC_p: Binary Symmetric Channel. Each bit is flipped with probability p. ADVC_p: Adversarial Channel. A p-fraction of the bits are flipped maliciously.
4 BSC_p. What's known? Thm. [Shannon]: Can construct codes that allow communication over BSC_p for any p<½ with rate k/n~1-H(p). In particular: there exist codes for BSC ½- . C: {0,1}^k → {0,1}^n. [Figure: A sends C(w); the channel adds e; B receives C(w)+e.]
5 ADVC_p. Can we match these results in the presence of ADVC_p? Consider for example p=½- : Need codes of minimum distance = 2pn ~ n. Do not exist (with constant rate)! In general: for p<½ we need codes of minimum distance 2pn and rate k/n~1-H(p). Such codes are close to being perfect and are known not to exist (asymptotically). [Figure: A sends C(w); the channel adds e; B receives C(w)+e.] No!
6 This talk. Seen: BSC is strictly weaker than ADVC. Goal: Relax the framework so as to allow communication over ADVC with the parameters of BSC. Relaxation: Introduce "private randomness". Assume that the sender and receiver have a shared random string (hidden from the channel). Q: Can we match the parameters of BSC? (e.g. ADVC ½- ?)
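7 The model: Private codes. C: {0,1}^k × {0,1}^m → {0,1}^n. [Figure: A and B share m random bits r. A sends C(w,r) in {0,1}^n for a message w in {0,1}^k; the adversary delivers c in {0,1}^n; B outputs D(c,r), which should equal w.]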
8 Private codes. Roughly speaking: Private codes are said to allow communication over ADVC_p if for every w and for any adversary: The communication of w will succeed with high probability over the shared random string r. Pr[D(C(w,r)+error, r)=w] = large. [Figure: A and B share m random bits r; A sends C(w,r); the adversary adds e; B receives C(w,r)+e.]
9 Private codes: related work. Private codes have been studied in the past [Shannon, BlackwellBreimanThomasian, Ahlswede]. Private codes in the presence of adversarial channels have also been studied: [Lipton]: "Code scrambling".
10 Private codes: properties. Do private codes enable communication over ADVC ½- ? Yes!! private codes that allow communication over ADVC_p with rate k/n~1-H(p). Matching parameters in BSC_p model.
11 Our results. Study framework of private codes. Match parameters obtainable in BSC model. [Lipton]: many shared random bits, m ~ n log(n). Analyze the amount of shared randomness needed to obtain private codes that match BSC parameters. We show that a shared random string of size ~ log(n) is necessary and sufficient. Present connection between list decodable codes and private codes.
12 List decoding vs. Private decoding. Thm: List decoding implies (unique) private codes. Using shared randomness: Any list decodable code can be used to construct a uniquely decodable private code. Reduction is efficient and needs only log(n) shared random bits.
13 Proof technique. Let C be a standard code. Use C to construct the private code C*(w,r): C*: {0,1}^k × {0,1}^m → {0,1}^n. Use C to construct the standard codes C*|_r: {0,1}^k → {0,1}^n. Define C*|_r as a subcode of C. Desired properties of C*|_r: Ideally - Unique decoding: r B only one codeword in ball of radius pn. Sufficient cond.: "hide" r + unique decoding on average: B and most r only one codeword in ball. C is list decodable: sufficient condition can be obtained efficiently with poly # of subcodes! [Figure: codewords of C (marked X) around a ball of radius pn; list size ≤ L.]
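The subcode idea on this slide, as an added toy example that is not from the talk: the 3-fold repetition code stands in for the list decodable code C, and the subcode C*|_r is assumed to be "codewords whose input carries the tag h_r(w)", with h_r a pairwise-independent hash keyed by the shared string r = (a, b). All names, sizes and the attack below are constructed for illustration.

```python
from itertools import product

K, P, T, REP, RADIUS = 4, 17, 5, 3, 2  # 4-bit message, tag in Z_17 (5 bits)

def bits(v, width):
    return [(v >> i) & 1 for i in range(width)]  # least significant bit first

def base_encode(w, tag):
    """Toy list decodable code C (assumed): repeat each bit of w||tag 3 times."""
    return [b for b in bits(w, K) + bits(tag, T) for _ in range(REP)]

def h(r, w):
    """Pairwise-independent hash keyed by the shared string r = (a, b)."""
    a, b = r
    return (a * w + b) % P

def private_encode(w, r):
    """C*(w, r): the codeword of C whose input carries the tag h_r(w)."""
    return base_encode(w, h(r, w))

def distance(cand, y):
    return sum(u != v for u, v in zip(base_encode(*cand), y))

def list_decode(y):
    """Brute force: every (w, tag) whose codeword lies within RADIUS of y."""
    inputs = product(range(2 ** K), range(P))
    return [c for c in inputs if distance(c, y) <= RADIUS]

def private_decode(y, r):
    """Keep list entries that lie in the subcode C*|_r; accept a unique one."""
    ok = [w for w, t in list_decode(y) if t == h(r, w)]
    return ok[0] if len(ok) == 1 else None

def nearest_decode(y):
    """Decoder without shared randomness: the closest codeword of C wins."""
    inputs = product(range(2 ** K), range(P))
    return min(inputs, key=lambda c: distance(c, y))[0]

def adversary(c):
    """Constructed channel behaviour: flip 2 of the 3 copies of message bit 0."""
    return [1 - c[0], 1 - c[1]] + c[2:]

def failing_keys(w):
    """Shared strings r for which private decoding of the corrupted word fails."""
    keys = product(range(P), repeat=2)
    return [r for r in keys
            if private_decode(adversary(private_encode(w, r)), r) != w]

if __name__ == "__main__":
    w, r = 0b1010, (3, 5)
    y = adversary(private_encode(w, r))
    print("list:", list_decode(y), "nearest-codeword decoder:", nearest_decode(y))
    print("private decoder:", private_decode(y, r))
    print("failing keys:", len(failing_keys(w)), "of", P * P)
```

The two flips put the received word closer to a wrong codeword, so the decoder without r is fooled, while the tag check resolves the two-element list for every key except the 17 with a = 0 (a 1/17 fraction of the 289 keys).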
14 Concluding remarks. Study private codes. Match param. of BSC model w/ log(n) shared bits. Shared randomness: enables unique decoding whenever list decoding was possible. Multiple messages: Need fresh randomness for each message. May assume cryptographic private key setting. Public key setting [MicaliPeikertSudanWilson]. Thanks.
15 Lower bounds. Elias-Bassalygo. Plotkin.