admin
	no class next week
	interesting talk:
		How *not* to generate random numbers
		Nadia Heninger
		2405 SC, Nov 17, 10:00
today
	local decoding
goal:	<1 average case hard [[aka worst case hardness]
	=> 1-\Omega(1) average case hard			[[today]]
	=> 1/2+1/\poly(n) hard					[[next time]]
local decoding
	def: f:\bits^\ell\to\bits is worst-case hard for non-uniform time t
		if for all ckts A of size t, exists x w/ A(x)\ne f(x)
	recall: deterministic ckts =~ randomized circuits
	def: """ probabilistic """
		""", exists x w/ \Pr_A[A(x)\ne f(x)]>1/3
	lem: f worst-case hard for det time t <= f worst-case hard for probabilistic time t
		f worst-case hard for det time t <= f worst-case hard for probabilistic time O(t/\ell)
		[[do avoid using this result again and again, we'll restrict to worst-case for probabilistic time t]]
	pf: 	[[=>: easy]]
		<=: amplify error probability to <1/2^\ell	O(\ell) blowup runtime
			fix random strings to good value	[[union bound]]
	goal: f:\bits^\ell\to\bits worst case hard time t(\ell) \mapsto \hat{f}:\bits^{\hat{\ell}}\to\Sigma average case hard for \hat{\ell}=O(\ell) and time t'(\hat{\ell})\ge t(\ell)^{\Omega(1)}
	parameters:
		function must change, eg f(0\vx)=0, f(1\vx)=\SAT(\vx)
		\ell\to\hat{\ell}=O(\ell) is allowable [[doesn't change parameters too much]]
		t(\ell)\mapsto t(\ell)^{\Omega(1)} is allowable [[are interested in t(\ell) superpolynomial, so this remains superpolynomial]]
		\Sigam:	need \Sigma=\bits, helpful to relax [[will use concatenation to change \Sigma]]	
	idea: use error correcting codes
		f:\bits^\ell\to \bits \equiv f\in\bits^L, L=2^\ell
		Enc:\bits^\ell\to\Sigma^{\hat{L}}, \hat{L}=2^{\hat{\ell}} [[explains why \hat{\ell} is larger than \ell]]
		=> Enc(f) \equiv \hat{f}:\bits^{\hat{\ell}}\to\Sigma
		[[draw picture]]
	"lem": \Enc \delta-uniquely decodable
		Enc(f) not \delta-average case hard => f not worst case hard
	pf:
		ckt A st Pr_x[A(x)=Enc(f)(x)]\ge 1-\delta
			Pr[A\ne \Enc(f)]\le \delta
			\delta(A,\Enc(f))\le \delta
		=> Dec(A)=f
		time complexity: poly(\hat{L})=\poly(2^{\hat{ell}})\ge 2^\ell [[so this is no better than trivial upper bound on circuit size]]
	idea: have Dec(A) run in *sublinear* time
	defn: \Enc:\bits^L\to\Sigma^{\hat{L}} is locally \delta-uniquely decodable if
		Dec is a *probabilistic* algo st
		any f:[L]\to\bits, \hat{f}=\Enc(f)
		g:[\hat{L}]\to\Sigma w/ \delta(g,\Enc(f))\le \delta
		any x\in[L], Pr_{Dec}[(Deg^g)(x)=f(x)]\ge 2/3	[[probability over Dec]]
								[[oracle access to g]]
		[[draw picture]]
	parameters
		success probability: 	can amplify 	[[w/ averaging sampler]]
		queries to g		O(1)
					\polylog(n)
					...
		Dec^g runtime		poly(# queries)
		\delta			as big as possible
	Q. why Dec probabilistic?
	lem: Dec deterministic => # queries \ge \delta \hat{L} [[hence not sublinear]]
	pf:
		Dec uses q queries of \hat(f) to determine f(x), x\in[L]
		=> can change q positions of \hat(f), get \hat{f}', to change f(x)
			ie, Dec(\hat{f})\ne \Dec(\hat{f}') => q=\delta(\hat{f},\hat{f}')\ge \delta
	Prop: Enc which is locally \delta-uniquely decodeable. 
		f worst case hard for probabilistic non-uniform time t
		=> Enc(f) (t',\delta)-average case hard, t'=t/t_Dec	[[time of decoder]]
	pf
		as before
	rmk: f worst case hard for deterministic algo => \Enc(f) (t/(t_Dec*\ell),\delta) average case hard
		this does convert to deterministic decoder that works only for *this* f [[doesn't contradict above impossibility result]]
	dream: f:\bits^{\ell}\to\bits in TIME(2^{O(\ell)}) 2^{\Omega(\ell)}-worst case hard 
		=> \Enc(f): f:\bits^{\ell'}\to\Sigma in TIME(2^{O(\ell')}) (2^{\Omega(\ell')},1/2-1/2^{\Omega(\ell')})-average-case hard
	param
		\hat{\ell}=O(\ell)					[[so 2^{\Omega(\ell)}=(2^{\Omega(\ell')}]]
			=> 	\hat{L}\le \poly(L)			[[has terrible rate as a code]]
		\Enc(f) runs in time TIME(2^{O(\ell')})=poly(\hat{L}')	[[so need local decoding, but encoding is global]] [[encoding has to be global to get good distance of code]]
		\Sigma=\bits [[ideally]]
		\delta=1/2-\eps	
			BUT: distance of code is at most 1-1/q
				=> unique decoding \le 1/2(1-1/q)=1/4 for q=2	[[can't get 1/2-\eps avg-case hardness w/ unique decoding, so we'll do local list decoding]]
		t_Dec: want to be poly(\ell,1/\eps)			
			=>poly(\log L,1/\eps)				[[to work for *all* hardness assumptions]]
constructions
	[[now start constructions]]
	def: Enc:\bits^L\to \Sigma^{\hat{L}} is systematic if the first L coordinates of \Enc are the identity function	[[can generalize]]
		[[draw picture]]
	lem[hw]: any linear code has an encoding function that is systematic
	[[draw picture of local decoding of systematic code]]
	[[want to generalize]]
	def: A local \delta-correcting algo for a code $\cC\subseteq\Sigma^{\hat{L}}$ is a Dec st
		\hat{f}\in\cC, g:[\hat{L}]\to\Sigma w/ \delta(\hat{f},g)\le \delta
		all x\in[\hat{L}] Pr_{Dec}[(Dec^g)=\hat{f}(x)]\ge 2/3
		[[codes considered here will be locally correctable, won't worry about how to make systematic]]
	construction[Hadamard Code]:
		\Enc:\F_2^n\to\F_2^{2^n}
		\vx\mapsto \{<\va,\vx>\}_{\va\in\F_2^n}	[[is linear code]]
	recall: minimum distance is 1/2
		=> unique decoding distance 1/4 [[we didn't see decoding algorithm for this]]
	prop: the Hadamard code is locally (1/4-\eps)-uniquely decodable in time poly(n,1/\eps)
	pf
		idea: random self-reduction
		[[draw picture]]
		key expression: <\va,\vx>=<\va+\vr,\vx>-<\vr,\vx>	[[using linearity]]
					\-> and for *random* r 
		\delta(g,\Enc(\vx))\ge 1/4-\eps
		Pr_{\vr} [(g(\vx))_\vr\ne <\vr,\vx>]\le 1/4-\eps
		Pr_{\vr} [(g(\vx))_{\va+\vr>\ne <\va+\vr,\vx>]\le 1/4-\eps
		Pr_{\vr} [g = \Enc(f), at both \vr, \va+\va]\ge 1- 2*(1/4-\eps)\ge 1/2+2\eps
		Pr[<\va,\vx>=(g(\vx))_{\va+\vr}-(g(\vx))_\vr] \ge 1/2+2\eps 		[[so we get slight bias in correct direction]]
											[[amplify with majority vote]]
		algo
			given g:\F_2^n\to\bits, \delta(g,\Enc(\vx))\le 1/4-\eps
				\va\in\F_2^n
			output: \Enc(\vx)_{\va}=<\va,\vx>
			choose \vr_1,\ldots,\vr_t\from \bits^n randomly, t=O(1/\eps^2)
			output MAJ (g(\vx))_{\va+\vr_i}-(g(\vx))_{\vr_i} 
		correctness: above + chernoff bound
		time: poly(n,1/\eps)
	parameters:
		distance:	excellent	[[for unique decoding]]
		locality:	excellent
		rate:		poor		[[exponentially bad, need polynomially bad]]
	Q. how to get better rate?
	A. Reed-Solomon codes + concatenation
		good rate
		poor locality of Reed-Solomon
	A. Reed-Muller codes
		interpolate between Hadamard and Reed-Solomon
		ok rate
		ok locality
		ok is good enough
	def(Reed-Muller):
		\Enc:\F_q^{(n+d choose d)\to\F_q^{q^n}
		f n-variate total degree polynomial d
		f\mapsto (f(\vaa))_{\vaa\in\F_q^n}
	rmk:
		n=1 is Reed-Solomon
		Hadmard is ~ d=1
		f\ne g total degree \le d, \Pr_\vaa[f(\vaa)-g(\vaa)\ne 0]\le d/q
						=Pr[f\ne g]				[[schwartz-zippel]]
				=> min distance is 1-d/q
next time
	reed-muller codes & local unique decoding
	local list decoding