\documentclass[11pt]{article}
\usepackage{latexsym}
\usepackage{amsmath}
\usepackage{amssymb}
\usepackage{amsthm}
% \handout{#1}{#2}{#3}{#4}{#5}: typesets the framed header box at the top of the notes.
%   #1  not used in the body of this macro
%   #2  instructor name, printed after "Course Instructor:"
%   #3  left-hand text of the bottom row (set with \em)
%   #4  right-hand text of the bottom row (set with \em)
%   #5  centred title, set in \Large
% The course name "Complexity Theory II" is hard-coded in the first row.
% Each row is a fixed-width (5.78in) \hbox stacked inside a \vbox; the widths
% are absolute, so they do not follow changes to the page geometry.
% NOTE(review): {\bf ...} and {\em ...} are the old-style font switches;
% \textbf{...} / \emph{...} are the current equivalents.
\newcommand{\handout}[5]{
\noindent
\begin{center}
\framebox{
\vbox{
\hbox to 5.78in { {\bf Complexity Theory II } \hfill Course Instructor: #2 }
\vspace{4mm}
\hbox to 5.78in { {\Large \hfill #5 \hfill} }
\vspace{2mm}
\hbox to 5.78in { {\em #3 \hfill #4} }
}
}
\end{center}
\vspace*{4mm}
}
% \lecture{label}{instructor}{lecturer}{scribe}: thin wrapper around \handout.
% It prefixes the lecturer and scribe names with "Lecturer: " and "Scribe: ",
% and builds the centred title as "Lecture <label>".
\newcommand{\lecture}[4]{\handout{#1}{#2}{Lecturer: #3}{Scribe: #4}{Lecture #1}}
% Numbered theorem-like environments. `theorem' owns the counter; every other
% environment below is declared with the optional argument [theorem], so all of
% them are numbered in one shared sequence.
\newtheorem{theorem}{Theorem}
\newtheorem{corollary}[theorem]{Corollary}
\newtheorem{lemma}[theorem]{Lemma}
\newtheorem{observation}[theorem]{Observation}
\newtheorem{proposition}[theorem]{Proposition}
\newtheorem{definition}[theorem]{Definition}
\newtheorem{claim}[theorem]{Claim}
\newtheorem{fact}[theorem]{Fact}
% Added by me (shreevatsa)
% \usepackage{hyperref}
\usepackage{complexity} %can give options here...
% Unnumbered environments (starred \newtheorem* form, which requires amsthm).
\newtheorem*{theorem*}{Theorem}
\newtheorem*{exercise}{Exercise}
% Auto-sized delimiters: each wraps its argument in a \left ... \right pair.
%   \abs      |x|
%   \inparen  (x)
%   \inbrace  {x}
%   \insqrbr  [x]
\newcommand{\abs}[1]{\left|#1\right|}
\newcommand{\inparen}[1]{\left(#1\right)}
\newcommand{\inbrace}[1]{\left\{#1\right\}}
\newcommand{\insqrbr}[1]{\left[#1\right]}
% \zo: the set {0,1}; \ensuremath lets it be used in text mode or math mode.
\newcommand{\zo}{\ensuremath{\{0,1\}}}
% \io{CLASS}: the prefix "io-" set in \ComplexityFont, followed by the class given as #1.
\newcommand{\io}[1]{\ComplexityFont{io\text{-}}#1} %Because the - is a hyphen, not a minus
% \ip{a}{b}: inner product, typeset as <a,b> with auto-sized angle brackets.
\newcommand{\ip}[2]{\left\langle#1,#2\right\rangle}%Change to #1 \cdot #2 if necessary
% Operators declared with the starred form, so subscripts are set as limits
% (underneath the operator) in display style.
\DeclareMathOperator*{\majority}{maj}
\DeclareMathOperator*{\Exp}{\mathbb{E}}
\DeclareMathOperator*{\var}{Var}
% \Xo: the indicator X_J for J = {1}; the variance computation uses it as the
% representative term when all X_J are treated alike.
\newcommand{\Xo}{\ensuremath{X_{\{1\}}}} %X_{1}
% \halfplus{e}: expands to 1/2 + e with no surrounding parentheses, so a caller
% that multiplies the result must wrap it itself (e.g. with \inparen).
\newcommand{\halfplus}[1]{\frac{1}{2} + #1}
% \finalC: the circuit name C with a double tilde.
\newcommand{\finalC}{\tilde{\tilde{C}}} %Change this if necessary; it looks ugly
\begin{document}
\lecture{03: Aug 09, 2006}{V. Arvind}{V. Arvind}{Shreevatsa R}
\section{Overview}
In the last lecture, we proved that a hard function can be used to derandomise $\BPP$ in $\SUBEXP$:
\begin{theorem}\label{hardfToPRG}
If there is a function computable in $\E$ that has $n^c$ hardness for every $c > 0$,
then $\BPP \subseteq \SUBEXP = \bigcup_{\epsilon>0}{\DTIME(2^{n^\epsilon})}$.
\end{theorem}
We also stated the Babai--Fortnow--Nisan--Wigderson theorem, and saw a sketch of the proof.
In this lecture we actually prove it.
\section{Initial remarks}
\begin{theorem}[BFNW] If $\EXP \not\subset \io\Ppoly$, then
$\BPP \subseteq \SUBEXP$.
\end{theorem}
As $\EXP \not\subset \io\Ppoly$ is equivalent to $\E \not\subset \io\Ppoly$, the hypothesis says that
there exists some $f \in \E$, $f \not\in \io\Ppoly$, i.e., $f$ is such that for every polysize circuit
family $C = \{C_n\}$, $\Pr_{x \in \zo^n}[f(x) = C(x) ] < 1$ for all but finitely many $n$.
This is ``worst-case hardness''.
From this, we want to derive ``average-case hardness'', improving the ``$ < 1$'' above to
a negligible quantity.
The proof will successively construct harder functions, starting with $f$, until we have one that
satisfies the hypothesis of Theorem \ref{hardfToPRG}.
\section{Constructing a harder function $g$}
\subsection{Arithmetise $f$ and interpolate}
$f_n : \zo^n \to \zo$. Pick a finite field $F$ of size $n^{O(1)}$,
say $F = \mathbb{F}_{2^k}$ where $k = O(\log n)$. We can assume $\zo \subset F$.
Find $g_n : F^n \to F$ such that $g_n$ extends $f_n$, i.e.,
$g_n$ coincides with $f_n$ on all inputs from $\zo^n$.
We can find this by interpolation: for each $a \in \zo^n$, define
$P_a(x_1,\dots,x_n) = \prod_{i=1}^{n}(1-a_i-x_i)$.
$P_a$ has degree $n$, takes the value $1$ at $a$, and takes the value $0$ for all other $b \in \zo^n$.
Define \[ g_n(x_1,\dots,x_n) = \sum_{\{a \mid f_n(a)=1\}}P_a(x_1,\dots,x_n) \ .\]
$g_n$ has degree at most $n$, and $g = \{g_n\}$ agrees with $f$ on $\zo^n$ for all $n$.
$g_n$ is a function $\zo^{nk} \to \zo^{k}$ where $k = O(\log n)$ ($2\log n$, say).
So $g = \{g_n\}$ is computable in $2^{O(n)}$ time.
\subsection{Hardness claim}
For every polysize circuit family $C' = \{ C'_n\}$,
\[ \Pr_{x \in F^n}[g_n(x) = C'_n(x)] < 1 - \frac{1}{3n} \] for all but finitely many $n$.
\begin{proof}
Suppose not, i.e., suppose there exists $C'$ which does better. Then we shall give a
randomised polytime algorithm that uses $C'$ as subroutine and computes $g_n$ on all of
$F^n$, and thus computes $f$.
Let $x$ be any element of $F^n$. Pick $r$ uniformly at random from $F^n$.
Then $x+tr$, for $t \in F$, $t \ne 0$, is also a random variable with uniform distribution.
Define the polynomial $P$ as $P(t) = g_n(x+tr)$. As $\deg P \le n$,
it is sufficient to know its value at $n+1$ points to determine it completely.
Let $t_1, t_2,\dots,t_{n+1}$ be $n+1$ distinct points in $F^*$.
Compute $C'_n(x+t_ir)$ for each $i$, $1 \le i \le n+1$. This computation is wrong with probability
at most $1/(3n)$, by our assumption about $C'$. As this is true for each $i$,
\[ \Pr[\exists i : C'_n(x+t_ir) \ne g_n(x+t_ir)] \le \frac{n+1}{3n} \le \frac{2}{5} \ .\]
So we can find $P$ (and hence $P(0)=g_n(x)$) with probability at least $3/5$.
As this is a $\BPP$ algorithm, and $\BPP \subseteq \Ppoly$, this contradicts the hardness of $f$.
\end{proof}
Next, we \emph{amplify} the hardness of $g$: we define a $\hat g$, also computable in $\E$, such that
\begin{equation}\label{hatclaim}
\Pr[C(x) = \hat g(x)] \le \frac{1}{p(n)}
\end{equation} for every polynomial $p$.
\section{Constructing $\hat g$: The direct product lemma}\label{hatsection}
The direct product lemma gives us a way of constructing harder functions from a given function.
It states the following:
\begin{enumerate}
\item Suppose the function $f : \zo^n \to \zo^t$ is such that for all circuits $C$ of size $s$,
$\Pr[f(x) = C(x)] < \delta$. Then, for any $\epsilon > 0$,
if $k \ge O(\frac{\log (1/\epsilon)}{1-\delta})$,
the function $g : \zo^{nk} \to \zo^{tk}$ defined as $g(x_1,x_2,\dots,x_k) = (f(x_1)f(x_2)\dots{}f(x_k))$
satisfies the property that for all circuits $C'$ of size $O(\frac{\epsilon}{\log (1/\epsilon)})$,
$\Pr[g(x) = C'(x)] \le \epsilon$.
\item Suppose the function $g \in \E$ satisfies the property that for a fixed polynomial $q(n)$,
for every polysize circuit $C$, \[ \Pr[g(x) = C(x)] < 1 - \frac{1}{q(n)} ,\]
then letting $k = nq(n)$ in the above, we have a function $\hat{g} : \zo^n \to \zo^{t(n)}$ such that
for every polysize circuit family $C'$,
\[ \Pr [\hat g(x) = C'(x)] < \frac{1}{p(n)} \] for every polynomial $p$ almost everywhere.
\end{enumerate}
We now have a function $\hat g$ that has the hardness claimed in equation \ref{hatclaim}.
\section{The Goldreich--Levin theorem}
Let $v \in \zo^n$ be a ``hidden vector''. Suppose $G$ is a randomised polytime algorithm such that
\[ \Pr[G(r)=\ip{v}{r}] \ge \halfplus{\epsilon} ,\] the probability being taken over
all choices of $r$ from $\zo^n$ and over $G$'s coin tosses. Then,
\begin{theorem}
There is a $\mathrm{poly}(n,1/\epsilon)$ time algorithm that outputs $v$ with probability at least $\frac{\epsilon^2}{2n}$.
\end{theorem}
(Note: $v \mapsto [\ip{v}{0^n},\ip{v}{0^{n-1}1},\ip{v}{0^{n-2}10},\ip{v}{0^{n-2}11},\dots,\ip{v}{1^n}]$
is called the Hadamard code. We shall see later that the Goldreich--Levin theorem can be
thought of as \emph{list decoding} the Hadamard code.)
\begin{proof}
Let $e_1,e_2,\dots,e_n$ be the standard basis of $\zo^n$.
The naive idea would be to pick a random $r$ from $\zo^n$, and find $G(r) \oplus G(r\oplus e_i)$.
As $r \oplus e_i$ is also randomly distributed in $\zo^n$, with a probability better than half,
this will be equal to $\ip{v}{r} \oplus \ip{v}{(r \oplus e_i)} = \ip{v}{e_i} = v_i$.
The actual idea is to avoid making two calls to $G$. We guess the value of $\ip{v}{r}$, and use $G$
to compute only $\ip{v}{r} \oplus G(r \oplus e_i)$.
Choose $m = \mathrm{poly}(n,1/\epsilon)$, and $l = \log(m+1)$.
Pick $r_1, r_2, \dots, r_l$ independently and uniformly at random from $\zo^n$.
Define $r_J = \sum_{i \in J}{r_i}$, for each of the $m = 2^l - 1$ nonempty subsets $J$ of $\{1,\dots,l\}$.
Similarly, guess a bit $\sigma_i$ for the value of $\ip{v}{r_i}$, for each $i$, and define
$\sigma_J = \sum_{i \in J}{\sigma_i}$. Clearly, as $r_J$ is $0$ or $1$ with equal probability,
\[ \Pr[\ip{v}{r_J} \text{ is correct for each } J] = \frac{1}{2^l} = \frac{1}{m+1} \]
Our algorithm does the following: for each $i$, let
\[ z_i = \majority_{J}{\sigma_J \oplus G(r_J \oplus e_i)} \ .\]
Output $z = z_1z_2\dots z_n$.
\begin{claim}
If all the guesses $\sigma_i$ are correct, then $z=v$ with probability more than half.
\end{claim}
\begin{proof}
We first prove the following subclaim: Assuming that all the guesses are correct,
\[ \Pr \insqrbr{\abs{ \{ J : \sigma_J \oplus G(r_J \oplus e_i) = v_i \} } \ge \frac{2^l-1}{2}}
\ge 1-\frac{1}{2n} \]
Define, for each $J$, $X_J = 1$ if $\sigma_J \oplus G(r_J \oplus e_i) = v_i$ and $0$ otherwise.
From the hypothesis (of the Goldreich--Levin theorem) we know that
\begin{align*}
\Exp[X_J] &\ge \halfplus{\epsilon} \\
\Exp{\insqrbr{\sum X_J}} &\ge \inparen{\halfplus{\epsilon}} m
\end{align*}
The probability of the ``bad event'' is
\begin{align*}
\Pr \insqrbr{\sum X_J < \frac{m}{2}}
&\le \Pr \insqrbr{\abs{\sum X_J - \Exp \insqrbr{\sum X_J}} > m\epsilon} \\
&\le \frac{\var(\sum X_J)}{\epsilon^2m^2} \quad\quad\text{(Chebyshev's inequality)} \\
& = \frac{\sum(\var X_J)}{\epsilon^2m^2} \\
& = \frac{m(\var \Xo)}{\epsilon^2m^2} \\
& = \frac{1}{\epsilon^2m}\inparen{\Exp[\Xo^2]-\Exp[\Xo]^2} \\
& = \frac{\Exp[\Xo](1-\Exp[\Xo])}{\epsilon^2m} \\
&\le \frac{1}{4\epsilon^2m}
\end{align*}
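which is less than $\frac{1}{2n}$ when $m \ge \frac{n}{2\epsilon^2}$.
The equality $\var(\sum X_J) = \sum \var X_J$ used above holds because the $r_J$ (and hence the $X_J$) for distinct nonempty $J$ are pairwise independent.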
This proves the subclaim, and hence the claim.
\end{proof}
When all the guesses are correct, the algorithm outputs $v$ with probability at least half.
Thus, the probability that the complete algorithm outputs the correct $v$ is at least
$\frac{1}{2(m+1)} \ge \frac{\epsilon^2}{4n}$.
\end{proof}
\section{Constructing a hard $\tilde{g}$}
As we saw at the end of section \ref{hatsection}, we have a function $\hat g$ for which
\[ \Pr[C(x) = \hat g(x)] \le \frac{1}{p(n)} \] for every polynomial $p$.
We define a new function $\tilde{g}$ as $\{ \tilde{g}_n \}$ , where
\[ \tilde{g}_n : \zo^n \times \zo^{t(n)} \to \zo \] is defined as
\[ \tilde{g}_n(x,r) = \ip{\hat{g}_n(x)}{r} \pmod 2 .\]
Once we prove that $\tilde{g}_n$ has hardness $p(n)$ for every polynomial $p$,
we will have proved the BFNW theorem, for this $\tilde{g}$ satisfies
the hypothesis of theorem \ref{hardfToPRG}. Thus it only remains to prove the hardness
of $\tilde{g}$.
We prove this by contradiction.
Suppose there exists a polysize circuit family $\tilde{C}$ and a polynomial $n^c$ such that
\begin{equation}
\label{tgnothard}
\Pr_{x,r}[{\tilde{g}_n(x,r) = \tilde{C}(x,r)}] \ge \halfplus{\frac{1}{n^c}}
\end{equation}
for infinitely many $n$.
Define the random variable $X(x)$ to be $\Pr_{r}[{\tilde{g}_n(x,r) = \tilde{C}(x,r)}]$.
We have assumed that
\[ \Exp_{x\in\zo^n}[X(x)] \ge \halfplus{\frac{1}{n^c}} \] for infinitely many $n$.
That is,
\[ \halfplus{\frac{1}{n^c}} \le \sum_{a\in\zo^n}{X(a)p_a} \text{ , where $p_a = \frac{1}{2^n}$} \]
We can split the right hand side above as the sum of
\[ \sum_{\inbrace{a \mid X(a) > \halfplus{\frac{1}{2n^c}}}}{X(a)p_a}\le\Pr_{a\in\zo^n}\insqrbr{X(a)>\halfplus{\frac{1}{2n^c}}} \]
(using the fact that $X(a) \le 1$) and
\[ \sum_{\inbrace{a \mid X(a)\le\halfplus{\frac{1}{2n^c}}}}{X(a)p_a} \le \halfplus{\frac{1}{2n^c}} \]
(using the fact that $\sum{p_a} \le 1$).
Thus, we have
\[ \Pr_{a\in\zo^n}\insqrbr{X(a)>\halfplus{\frac{1}{2n^c}}} \ge \frac{1}{2n^c} \]
which gives a lower bound on the size of the set $S = \inbrace{a \mid X(a) \ge \halfplus{\frac{1}{2n^c}}}$:
\begin{equation}\label{sizeS}
\abs{S} \ge \frac{2^n}{2n^c}
\end{equation}
Now notice that the Goldreich--Levin theorem applies in this setting: for any fixed $a \in S$,
we have a polytime algorithm $\tilde{C}$ such that
\[ \Pr_{r}\insqrbr{\tilde{C}(a,r) = \ip{\hat{g}_n(a)}{r}} > \frac{1}{2n^c} \]
By the theorem, there exists a randomised polysize circuit family $\inbrace{\finalC}$ such
that (for every $a \in S$)
\[ \Pr\insqrbr{\finalC(a,r) = \hat{g}_n(a)} \ge \frac{1}{q(n)} \] where the probability is taken over
choices of $r$ from $\zo^n$ and over $\finalC$'s internal coin tosses,
and $\frac{1}{q(n)}$ is $\frac{\epsilon^2}{2n} = \frac{1}{8n^{2c+1}}$.
In other words, for each $a$, at least $\frac{1}{q(n)}$ of the random choices work. Thus there must
exist a \emph{fixed} choice which works for at least $\frac{1}{q(n)}$ of the $a$s in $S$. That is,
we can fix the random choices of $r$ and the internal choices in the computation of $\finalC$ to get
a polysize circuit $C$,
so that there exists a set $S'$ of size at least $\frac{1}{q(n)}$ the size of $S$ satisfying:
for every $a \in S'$, $C(a) = \hat{g}(a)$.
Using equation \ref{sizeS}, we see that
\[ \Pr\insqrbr{C(x) = \hat{g}(x)} \ge \frac{\abs{S'}}{2^n} \ge \frac{1}{2n^c}\frac{1}{8n^{2c+1}} ,\]
which contradicts equation \ref{hatclaim}. This proves that our assumption in equation \ref{tgnothard}
must be wrong, and hence concludes the proof of the BFNW theorem.
\end{document}