Hard properties with (very) short PCPPs and their applications
aa r X i v : . [ c s . CC ] N ov Hard properties with (very) short PCPPs and their applications
Omri Ben-Eliezer ∗ Eldar Fischer † Amit Levi ‡ Ron D. Rothblum § Abstract
We show that there exist properties that are maximally hard for testing, while still admitting
PCPP s with a proof size very close to linear. Specifically, for every fixed ℓ , we construct aproperty P ( ℓ ) ⊆ { , } n satisfying the following: Any testing algorithm for P ( ℓ ) requires Ω( n )many queries, and yet P ( ℓ ) has a constant query PCPP whose proof size is O ( n · log ( ℓ ) n ),where log ( ℓ ) denotes the ℓ times iterated log function (e.g., log (2) n = log log n ). The bestpreviously known upper bound on the PCPP proof size for a maximally hard to test propertywas O ( n · polylog n ).As an immediate application, we obtain stronger separations between the standard testingmodel and both the tolerant testing model and the erasure-resilient testing model: for everyfixed ℓ , we construct a property that has a constant-query tester, but requires Ω( n/ log ( ℓ ) ( n ))queries for every tolerant or erasure-resilient tester. Probabilistically checkable proofs (
PCP s) are one of the landmark achievements in theoretical com-puter science. Loosely speaking,
PCP s are proofs that can be verified by reading only a very small(i.e., constant) number of bits. Beyond the construction of highly efficient proof systems,
PCP shave myriad applications, most notably within the field of hardness of approximation.A closely related variant of
PCP s, called probabilistically checkable proofs of proximity ( PCPP s),was introduced independently by Ben-Sasson et al. [BGH +
06] and Dinur and Reingold [DR06]. Inthe
PCPP setting, a verifier is given oracle access to both an input x and a proof π . It should makea few (e.g., constant) number of queries to both oracles to ascertain whether x ∈ L . Since theverifier can only read a few of the input bits, we only require that it rejects inputs that are far (inHamming distance) from L , no matter what proof π is provided. PCPP s are highly instrumental inthe construction of standard
PCP s. Indeed, using modern terminology, both the original algebraicconstruction of
PCP s [ALM +
98] (see also [BGH + PCPP s.By combining the seminal works of Ben-Sasson and Sudan [BSS08] and Dinur [Din07], one canobtain
PCP s and
PCPP s with only poly-logarithmic (multiplicative) overhead. More specifically, ∗ Tel Aviv University, Israel. Email: [email protected]. † Technion - Israel Institute of Technology, Israel. Email: [email protected]. ‡ University of Waterloo, Canada. Email: [email protected]. Research supported by the David R. CheritonGraduate Scholarship. Part of this work was done while the author was visiting the Technion. § Technion - Israel Institute of Technology, Israel. Email: [email protected]. Supported in part by theIsraeli Science Foundation (Grant No. 1262/18), a Milgrom family grant and the Technion Hiroshi Fujiwara cybersecurity research center and the Israel cyber directorate.
PCPP s is with respect to the
CircuitEval problem, in which the verifieris given explicit access to a circuit C and oracle access to both an input x and a proof π , and needsto verify that x is close to the set { x ′ : C ( x ′ ) = 1 } . The works of [BSS08, Din07] yield a PCPP whose length is quasilinear in the size | C | of the circuit C . Given the important connections both to constructions of efficient proof-systems, and to hard-ness of approximation, a central question in the area is whether this result can be improved: Do
PCPP s with only a constant overhead exist? In a recent work, Ben Sasson et al. [BKK +
16] construct
PCP s with constant overhead, albeit with very large query complexity (as well as a non-uniformverification procedure). To verify that C ( x ) = 1 the verifier needs to make | C | δ queries, where δ > PCPP swith constant overhead, it may be the case that there exist languages that do not have such efficient
PCPP s. A natural class of candidate languages for which such
PCPP s may not exist are languagesfor which it is maximally hard to test whether x ∈ L or is far from such, without a PCPP proof.In other words, languages (or rather properties) that do not admit sub-linear query testers. Thus,we investigate the following question:
Supposing that L requires Ω( n ) queries for every (property) tester, must any constant-query PCPP for L have proof length n · (log n ) Ω(1) ? Our first main result answers the above question negatively, by constructing a property that ismaximally hard for testing, while admitting a very short
PCPP . For the exact theorem statement,we let log ( ℓ ) denote the ℓ times iterated log function. That is, log ( ℓ ) ( n ) = log(log ( ℓ − ( n )) for ℓ ≥ (0) n = n . Theorem 1.1 (informal restatement of Theorem 5.2) . For every constant integer ℓ ∈ N , thereexists a property P ⊆ { , } n such that any testing algorithm for P requires Ω( n ) many queries,while P admits a (constant query ) PCPP system with proof length O ( n · log ( ℓ ) ( n )) . We remark that all such maximally hard properties cannot have constant-query
PCPP proof-systems with a sub-linear length proof string (see Proposition 2.10), leaving only a small gap oflog ( ℓ ) ( n ) on the proof length in Theorem 1.1.Beyond demonstrating that PCPP s with extremely short proofs exist for some hard properties,we use Theorem 1.1 to derive several applications. We proceed to describe these applications next.
Tolerant Testing.
Recall that property testing (very much like
PCPP s) deals with solving ap-proximate decision problems. A tester for a property P is an algorithm that given a sublinearnumber of queries to its input x , should accept (with high probability) if x ∈ P and reject if x is far from P (where, unlike PCPP s, the tester is not provided with any proof). Note that a
PCPP for
CircuitEval can be easily used to construct a
PCP for
CircuitSAT with similar overhead(see [BGH +
06, Proposition 2.4]). Although it is not stated in [BKK + PCPP s with similarparameters. For detection radius (or proximity parameter) ε >
PCPP system is bounded by (2 ℓ /ε ) O ( ℓ ) . ≤ ε < ε ≤
1, an ( ε , ε ) -toleranttesting algorithm is given an oracle access to the input, and is required to determine (with highprobability) whether a given input is ε -close to the property or whether it is ε -far from it.As observed in [PRR06], any standard testing algorithm whose queries are uniformly (but notnecessarily independently) distributed, is inherently tolerant to some extent. Nevertheless, formany problems, strengthening the tolerance requires applying advanced methods and devising newalgorithms (see e.g., [FN07, KS09, CGR13, BMR16, BCE + PCPP s with polynomialsize proofs to show that there exists a property
P ⊆ { , } n that admits a tester with constantquery complexity, but such that every tolerant tester for P has query complexity Ω( n c ) for some0 < c <
1. Using modern quasilinear
PCPP s [BSS08, Din07] in combination with the techniquesof [FF06] it is possible to construct a property demonstrating a better separation, of constant querycomplexity for standard testing versus Ω( n/ polylog n ) for tolerant testing.Using Theorem 1.1 we can obtain an improved separation between testing and tolerant testing: Theorem 1.2 (informal restatement of Theorem 6.1) . For any constant integer ℓ ∈ N , there exist aproperty of boolean strings P ⊆ { , } n and a constant ε ∈ (0 , such that P is ε -testable for any ε > with a number of queries independent of n , but for any ε ∈ (0 , ε ) , every ( ε , ε ) -toleranttester for P requires Ω( n/ polylog ( ℓ ) n ) many queries. Erasure-Resilient Testing.
Another variant of the property testing model is the erasure-resilienttesting model. This model was defined by Dixit et. al. [DRTV18] to address cases where data cannotbe accessed at some domain points due to privacy concerns, or when some of the values were adver-sarially erased. More precisely, an α -erasure-resilient ε -tester gets as input parameters α, ε ∈ (0 , f , such that at most an α fraction of its values have beenerased. The tester has to accept with high probability if there is a way to assign values to theerased points of f such that the resulting function satisfies the desired property. The tester hasto reject with high probability if for every assignment of values to the erased points, the resultingfunction is still ε -far from the desired property.Similarly to the tolerant testing scenario, PCPP s were also used in [DRTV18] to show that thereexists a property of boolean strings of length n that has a tester with query complexity independentof n , but for any constant α >
0, every α -erasure-resilient tester is required to query Ω( n c ) manybits for some c >
0, thereby establishing a separation between the models. Later, in [RRV19]
PCPP constructions were used to provide a separation between the erasure-resilient testing model and thetolerant testing model.Similarly to the tolerant testing case, we use Theorem 1.1 to prove a stronger separation betweenthe erasure-resilient testing model and the standard testing model. The (constant) query complexity of the intolerant ε -tester has the same asymptotic bound as in Theorem 1.1. heorem 1.3 (informal restatement of Theorem 6.2) . For any constant integer ℓ ∈ N , there exista property of boolean strings P ⊆ { , } n and a constant ε ∈ (0 , such that P is ε -testable for any ε > with number of queries independent of n , but for any α = Ω(1 / log ( ℓ ) n ) and ε ∈ (0 , ε ) suchthat ε < − α , any α -erasure-resilient ε -tester is required to query Ω( n/ polylog ( ℓ ) n ) many bits. Secret Sharing applications.
As an additional application of our techniques we also obtain anew type of secret sharing scheme . Recall that in a secret sharing scheme, a secret value b ∈ { , } is shared between n parties in such a way that only an authorized subset of the users can recoverthe secret. We construct a secret sharing scheme in which no subset of o ( n ) parties can recoverthe secret and yet it is possible for each one of the parties to recover the secret, if given access toa PCPP -like proof, with the guarantee that no matter what proof-string is given, most parties willeither recover b or reject.We obtain such a secret sharing scheme through a notion called Probabilistically CheckableUnveiling of a Shared Secret (
PCUSS ) , which will be central in our work. This notion is looselydescribed in Subsection 1.2 and formally defined in Section 4. Central to our construction are (univariate) polynomials over a finite field F . A basic fact is thata random polynomial p : F → F of degree (say) | F | /
2, evaluated at any set of at most | F | / f : F → F . This is despite the fact that arandom function is very far (in Hamming distance) from the set of low degree polynomials. Indeed,this is the basic fact utilized by Shamir’s secret sharing scheme [Sha79].Thus, the property of being a degree- | F | / | F | ) queries to the truth table of thefunction in order to decide. Given that, it seems natural to start with this property in order to proveTheorem 1.1. Here we run into two difficulties. First, the property of being a low degree polynomialis defined over a large alphabet, whereas we seek a property over boolean strings. Second, the bestknown PCPP s for this property have quasi-linear length [BSS08], which falls short of our goal.To cope with these difficulties, our approach is to use composition, or more accurately, aniterated construction. The main technical contribution of this paper lies in the mechanism enablingthis iteration. More specifically, rather than having the property contain the explicit truth tableof the low degree polynomial p , we would like to use a more redundant representation for encodingeach value p ( α ). This encoding should have several properties: • It must be the case that one needs to read (almost) the entire encoding to be able to decode p ( α ). This feature of the encoding, which we view as a secret-sharing type of property, letsus obtain a hard to test property over boolean strings. • The encoding need not be efficient, and in fact it will be made long enough to eventuallysubsume the typical length of a
PCPP proof-string for the low degree property, when calculatedwith respect to an unencoded input string. Again, the query complexity of the (non erasure resilient) ε -tester has the same asymptotic bound as in Theorem1.1. Last but not least, we need the value to be decodable using very few queries, when givenaccess to an auxiliary
PCP -like proof string. This would allow us to “propagate” the
PCPP verification of the property across iterations.In more detail, we would like to devise a (randomized) encoding of strings in { , } k by stringsin { , } m . The third requirement listed above can be interpreted as saying that given oracle accessto v ∈ { , } m and explicit access to a value w ∈ { , } k , it will be possible verify that v indeedencodes w using a PCPP -like scheme, i.e. by providing a proof that can be verified with a constantnumber of queries. We refer to this property as a probabilistically checkable unveiling (
PCU ) . Notethat in our setting a single value w may (and usually will) have more than one valid encoding.Going back to the first requirement of the encoding, we demand that without a proof, one mustquery at least Θ( m ) bits of v to obtain any information about the encoded w , or even discern that v is indeed a valid encoding of some value. Given this combination of requirements, we refer to theverification procedure as a Probabilistically Checkable Unveiling of a Shared Secret (
PCUSS ) .Low degree polynomials can be used to obtain a PCUSS based on Shamir’s secret sharing scheme.More specifically, to encode a k bit string w , we take a random polynomial whose values on a subset H ⊆ F are exactly equal to the bits of w . However, we provide the values of this polynomial onlyover the sub domain F \ H . Then, the encoded value is represented by the (interpolated) valuesof g over H , which admit a PCU scheme. On the other hand, the “large independence” feature ofpolynomials makes the encoded value indiscernible without a a supplied proof string, unless toomany of the values of g over F \ H are read, thus allowing for a PCUSS .This construction can now be improved via iteration. Rather than explicitly providing thevalues of the polynomial, they will be provided by a
PCUSS scheme. Note that the
PCUSS schemethat we now need is for strings of a (roughly) exponentially smaller size. The high level idea is toiterate this construction ℓ times to obtain the ℓ iterated log function in our theorems.At the end of the recursion, i.e., for the smallest blocks at the bottom, we utilize a linear-code featuring both high distance and high dual distance, for a polynomial size PCUSS of theencoded value. This is the only “non-constructive” part in our construction, but since the relevantblock size will eventually be less than log log( n ), the constructed property will still be uniformwith polynomial calculation time (the exponential time in poly(log log( n )), needed to construct thelinear-code matrix, becomes negligible).Our PCUSS in particular provides a property that is hard to test (due to its shared secretfeature), and yet has a near-linear
PCPP through its unveiling, thereby establishing Theorem 1.1.We utilize this property for separation results in a similar manner to [FF06] and [DRTV18], byconsidering a weighted version of a “
PCPP with proof” property, where the proof part holds onlya small portion of the total weight. The
PCPP proof part enables a constant query test, whereas ifthe
PCPP proof is deleted, efficient testing is no longer possible.
Short
PCPP s. For properties which can be verified using a circuit of size n , [BGH +
06] gave
PCPP constructions with proof length n · exp(poly(log log n )) and with a query complexity ofpoly(log log n ), as well as slightly longer proofs with constant query complexity. Later, Ben-Sassonand Sudan [BSS08] gave constructions with quasilinear size proofs, but with slightly higher querycomplexity. The state of the art construction is due to Dinur [Din07] who, building on [BSS08], In fact, we will use a stronger variant where the access to w is also restricted. PCPP construction with proof length that is quasilinear in the circuit size and withconstant query complexity. In a recent work Ben Sasson et al. [BCG +
17] constructed an interactive version of
PCPP s [BCS16, RRR16] of strictly linear length and constant query complexity.
Tolerant Testing.
The tolerant testing framework has received significant attention in the pastdecade. Property testing of dense graphs, initiated by [GGR98], is inherently tolerant by thecanonical tests of Goldreich and Trevisan [GT03]. Later, Fischer and Newman [FN07] (see also[BEF18]) showed that every testable (dense) graph property admits a tolerant testing algorithmfor every < ε < ε <
1, which implies that O (1) query complexity testability is equivalent todistance approximation in the dense graph model. Some properties of boolean functions were alsostudied recently in the tolerant testing setting. In particular, the properties of being a k -junta (i.e.a function that depends on k variables) and being unate (i.e., a function where each direction iseither monotone increasing or monotone decreasing) [BCE +
18, LW19, DMN19].
Erasure-resilient Testing.
For the erasure resilient model, in addition to the separation betweenthat model and the standard testing model, [DRTV18] designed efficient erasure-resilient testers forimportant properties, such as monotonicity and convexity. Shortly after, in [RRV19] a separationbetween the erasure-resilient testing model and the tolerant testing model was established. Thelast separation requires an additional construction (outside
PCPP s), which remains an obstacle toobtaining better than polynomial separations.
We start with some notation and central definitions. For a set A , we let 2 A denote the power-setof A . For two strings x, y ∈ { , } ∗ we use x ⊔ y to denote string concatenation.For an integer k , a field F = GF(2 k ) and α ∈ F , we let hh α ii ∈ { , } k denote the binaryrepresentation of α in some canonical way.For two sets of strings A and B we use A ⊔ B to denote the set { a ⊔ b | a ∈ A, b ∈ B } . Fora collection of sets { A ( d ) } d ∈ D we use F d ∈ D A ( d ) to denote the set of all possible concatenations F d ∈ D a d , where a d ∈ A ( d ) for every d ∈ D .Throughout this paper we use boldface letters to denote random variables, and assume a fixedcanonical ordering over the elements in all the sets we define. For a set D , we write v ∼ D todenote a random variable resulting from a uniformly random choice of an element v ∈ D . The relative Hamming distance of two strings x, y ∈ Σ n is defined as dist( x, y ) = n · |{ i ∈ [ n ] | x i = y i }| . For a string x ∈ Σ n and a non-empty set S ⊆ Σ n , we define dist( x, S ) = min y ∈ S dist( x, y ).The following plays a central role in many complexity-related works, including ours. Definition 2.1. A code is an injective function C : Σ k → Σ n . If Σ is a finite field and C is alinear function (over Σ ), then we say that C is a linear code . The rate of C is defined as k/n ,whereas the minimum relative distance is defined as the minimum over all distinct x, y ∈ Σ k of dist( C ( x ) , C ( y )) . n ε -distance code is a code whose minimum relative distance is at least ε . When for a fixed ε > we have a family of ε -distance codes (for different values of k ), we refer to its members as error correcting codes . In this work we use the fact that efficient codes with constant rate and constant relative distanceexist. Moreover, there exist such codes in which membership can be decided by a quasi-linear sizeBoolean circuit.
Theorem 2.2 (see e.g., [Spi96]) . There exists a linear code
Spiel : { , } k → { , } k with constantrelative distance, for which membership can be decided by a k · polylog k size Boolean circuit. Actually, the rate of the code in [Spi96] is significantly better, but since we do not try to optimizeconstants, we use the constant 100 solely for readability. In addition, the code described in [Spi96]is linear time decodeable , but we do not make use of this feature throughout this work.We slightly abuse notation, and for a finite field F of size 2 k , view the encoding given inTheorem 2.2 as Spiel : F → { , } k , by associating { , } k with F in the natural way. Note thatfor f : F → F , it holds that hh f ( β ) ii ∈ { , } k for every β ∈ F , and therefore Spiel ( f ( β )) ∈ { , } k .We slightly abuse notation, and for a function f : F → F we write Spiel ( f ) to denote the length100 k · k bit string F β ∈ F Spiel ( f ( β )) (where we use the canonical ordering over F ). Definition 2.3.
Let C F denote the set of polynomials g : F → F such that deg( g ) ≤ | F | . The following lemma of [Hor72], providing a fast univariate interpolation, will be an importanttool in this work.
Lemma 2.4 ([Hor72]) . Given a set of pairs { ( x , y ) , . . . , ( x r , y r ) } with all x i distinct, we canoutput the coefficients of p ( x ) ∈ F [ X ] of degree at most r − satisfying p ( x i ) = y i for all i ∈ [ r ] , in O ( r · log ( r )) additions and multiplications in F . The next lemma states that a randomly chosen function λ : F → F is far from any low degreepolynomial with very high probability. Lemma 2.5.
With probability at least − o (1) , a uniformly random function λ : F → F is / -farfrom C F . Proof:
Consider the size of a ball of relative radius 1 / λ : F → F in thespace of functions from F to itself. The number of points (i.e., functions from F → F ) contained inthis ball is at most (cid:18) | F || F | / (cid:19) · | F | | F | / ≤ (3 e | F | ) | F | / . By the fact that the size of C F is | F | | F | / , the size of the set of points that are at relative distanceat most 1 / C F is at most | F | | F | / · (3 e | F | ) | F | / = o ( | F | | F | ) . The lemma follows by observing that there are | F | | F | functions from F to itself.7 .1.1 Dual distance of linear codes We focus here specifically on a linear code C : F k → F n , and consider the linear subspace ofits image, V C = { C ( x ) : x ∈ F k } ⊆ F n . We define the distance of a linear space as dist( V ) =min v ∈ V \{ n } dist( v, n ), and note that in the case of V being the image V C of a code C , this isidentical to dist( C ). For a linear code, it helps to investigate also dual distances . Definition 2.6.
Given two vectors u, v ∈ F n , we define their scalar product as u · v = P i ∈ [ n ] u i v i ,where multiplication and addition are calculated in the field F . Given a linear space V ⊆ F n , its dual space is the linear space V ⊥ = { u : ∀ v ∈ V, u · v = 0 } . In other words, it is the space ofvectors who are orthogonal to all members of V .The dual distance of the space V is simply definedas dist( V ⊥ ) . For a code C , we define its dual distance , dist ⊥ ( C ), as the dual distance of its image V C . Wecall C an η -dual-distance code if dist ⊥ ( C ) ≥ η . The following well-known lemma is essential to us,as it will relate to the “secret-sharing” property that we define later. Lemma 2.7 (See e.g., [MS77, Chapter 1, Theorem 10]) . Suppose that C : F k → F n is a linear η -dual distance code, let Q ⊂ [ n ] be any set of size less than η · n , and consider the following randomprocess for picking a function u : Q → F : Let w ∈ F k be drawn uniformly at random, and set u be the restriction of C ( w ) to the set Q . Then, the distribution of u is identical to the uniformdistribution over the set of all functions from Q to F . PCPP ) As described briefly in the introduction, a
PCPP verifier for a property P is given access to an input x and a proof π , as well as a detection radius ε > soundness error δ >
0. The verifier shouldmake a constant number of queries (depending only on ε, δ ) to the input x and the proof π , andsatisfy the following. If x ∈ P , then there exists π for which the verifier should always accept x . Ifdist( x, P ) > ε , the verifier should reject x with probability at least δ , regardless of the contents of π . More formally, we define the following. Definition 2.8 ( PCPP ) . For n ∈ N , let P ⊂ { , } n be a property of n -bit Boolean strings, and let t ∈ N . We say that P has a q ( ε, δ )-query, length- t Probabilistically Checkable Proof of Proximity(
PCPP ) system if the following holds: There exists a verification algorithm V that takes as input ε, δ > and n ∈ N , makes a total of q ( ε, δ ) queries on strings w ∈ { , } n and π ∈ { , } t , andsatisfies the following:1. (Completeness) If w ∈ P , then there exists a proof π = Proof P ( w ) ∈ { , } t such that forevery ε, δ > , the verifier V accepts with probability .2. (Soundness) If dist( w, P ) > ε , then for every alleged proof π ∈ { , } t , the verifier V rejectswith probability greater than δ . Note that soundness is easy to amplify: Given a
PCPP as above with parameters ε, δ, t andquery complexity q ( ε, δ ), one can increase the soundness parameter to 1 − τ by simply runningΘ(log(1 /τ ) /δ ) independent instances of the verification algorithm V , and rejecting if at least oneof them rejected; the query complexity then becomes Θ( q ( ε, δ ) · log(1 /τ ) /δ ), while the parameters ε and t remain unchanged. 8he following lemma, establishing the existence of a quasilinear PCPP for any property P thatis verifiable in quasilinear time, will be an important tool throughout this work. Lemma 2.9 (Corollary 8.4 in [Din07], see also [GM07]) . Let P be a property of Boolean stringswhich is verifiable by a size t Boolean circuit. Then, there exists a length- t ′ PCPP system P withparameters ε, δ > , that makes at most q ( ε, δ ) queries, where t ′ = t · polylog t . Specifically, q ( ε, δ ) = O ( ε − ) suffices for any δ < . PCPP proof systems with a sublinear length proof string.
Proposition 2.10.
Let
P ⊆ { , } n and ε > be such that any ε -tester for P has to make Ω( n ) many queries. Then, any constant query PCPP system for P (where e.g. δ = 1 / ) must have prooflength of size Ω( n ) . Proof:
Suppose that there exists a
PCPP for P with O (1) queries and proof length t = o ( n ). Sincethe PCPP verifier has constant query complexity, we may assume that it is non adaptive and uses q = O (1) queries. By an amplification argument as above, we can construct an amplified verifierthat makes O ( q · t ) = o ( n ) queries, with soundness parameter 1 − − t /
3. By the fact that the verifieris non-adaptive, it has the same query distribution regardless of the proof string. Therefore, wecan run 2 t amplified verifiers in parallel while reusing queries, one verifier for each of the 2 t possibleproof strings. If any of the 2 t amplified verifiers accept, we accept the input. If the input belongsto P , one of the above 2 t verifiers will accept (the one that used the correct proof). If the inputwas ε -far from P , then by a union bound, the probability that there was any accepting amplifiedverifier is at most 1 /
3. This yields an o ( n ) tester for P , which contradicts our assumption. In this subsection we define notions related to the property testing framework . We also formallydefine a few variants of the original testing model that will be addressed in this work.A property P of n -bit boolean strings is a subset of all those strings, and we say that a string x has the property P if x ∈ P .Given ε ≥ P , we say that a string x ∈ { , } n is ε -far from P if dist( x, P ) > ε ,and otherwise it is ε -close to P . We next define the notion of a tolerant tester of which standard(i.e. intolerant) testers are a special case. Definition 2.11 (Intolerant and tolerant testing) . Given ≤ ε < ε ≤ , a q -query ( ε , ε ) - testing algorithm T for a property P ⊆ { , } n is a probabilistic algorithm (possibly adaptive) making q queries to an input x ∈ { , } n that outputs a binary verdict satisfying the following two conditions.1. If dist( x, P ) ≤ ε , then T accepts x with probability at least / .2. If dist( x, P ) > ε , then T rejects x with probability at least / .When ε = 0 , we say that T is an ε -testing algorithm for P , and otherwise we say that T is an ( ε , ε )-tolerant testing algorithm for P . Next, we define the erasure-resilient testing model. We start with some terminology. A string x ∈ { , , ⊥} n is α -erased if x i is equal to ⊥ on at most αn coordinates. A string x ′ ∈ { , } n x only on coordinates i ∈ [ n ] for which x i = ⊥ is called a completion of x . The(pseudo-)distance dist( x, P ) of an α -erased string x from a property P is the minimum, over everycompletion x ′ of x , of the relative Hamming distance of x ′ from P . Note that for a string withno erasures, this is simply the Hamming distance of x from P . As before, x is ε -far from P ifdist( x, P ) > ε , and ε -close otherwise. Definition 2.12 (Erasure-resilient tester) . Let α ∈ [0 , and ε ∈ (0 , be parameters satisfying α + ε < . A q -query α -erasure-resilient ε -tester T for P is a probabilistic algorithm making q queries to an α -erased string x ∈ { , , ⊥} n , that outputs a binary verdict satisfying the followingtwo conditions.1. If dist( x, P ) = 0 (i.e., if there exists a completion x ′ of x , such that x ′ ∈ P ), then T accepts x with probability at least / .2. If dist( x, P ) > ε (i.e., if every completion of x ′ of x is ε -far from P ), then T rejects x withprobability at least / . The next lemma will be useful to prove that some properties are hard to test. The lemmastates that if we have two distributions whose restrictions to any set of queries of size at most q areidentical, then no (possibly adaptive) algorithm making at most q queries can distinguish betweenthem. Definition 2.13 (Restriction) . Given a distribution D over functions f : D → { , } and a subset Q ⊆ D , we define the restriction D| Q of D to Q to be the distribution over functions g : Q → { , } ,that results from choosing a function f : D → { , } according to D , and setting g to be f | Q , therestriction of f to Q . Lemma 2.14 ([FNS04], special case) . Let D and D be two distributions of functions over somedomain D . Suppose that for any set Q ⊂ D of size at most q , the restricted distributions D | Q and D | Q are identically distributed. Then, any (possibly adaptive) algorithm making at most q queriescannot distinguish D from D with any positive probability. It will be necessary for us to think of a generalized definition of an encoding, in which each encodedvalue has multiple legal encodings.
Definition 3.1 (Code ensemble) . A code ensemble is a function E : Σ k → Σ m . Namely, every x ∈ Σ k has a set of its valid encodings from Σ m . We define the distance of the code ensemble as min x = x ′ ∈{ , } k min ( v,u ) ∈E ( x ) ×E ( x ′ ) dist( v, u ) . It is useful to think of a code ensemble E : Σ k → Σ m as a randomized mapping , that given x ∈ Σ k , outputs a uniformly random element from the set of encodings E ( x ). Using the above wecan define a shared secret property. In particular, we use a strong information theoretic definitionof a shared secret, in which o ( m ) bits do not give any information at all about the encoded value.Later on, we construct code ensembles with a shared secret property.10 efinition 3.2 (Shared Secret) . For m, k ∈ N and a constant ζ > , we say that a code ensemble C : { , } k → ( { , } m ) has a ζ -shared secret property if it satisfies the following. For any Q ⊆ [ m ] of size | Q | ≤ ζm , any w, w ′ ∈ { , } k such that w = w ′ , and any t ∈ { , } | Q | it holds that Pr v ∼C ( w ) [ v | Q = t ] = Pr v ′ ∼C ( w ′ ) [ v ′ | Q = t ] . Namely, for any w = w ′ and any Q ⊆ [ m ] of size at most ζm , the distribution obtained by choosinga uniformly random member of C ( w ) and considering its restriction to Q , is identical to the distri-bution obtained by choosing a uniformly random member of C ( w ′ ) and considering its restriction to Q . We describe a construction of a code ensemble for which a linear number of queries is necessary toverify membership or to decode the encoded value. This code will be our base code in the iterativeconstruction. The existence of such a code ensemble is proved probabilistically, relying on thefollowing simple lemma.
Lemma 3.3.
Fix constant α, β > where β log( e/β ) < α . Let s, t ∈ N so that s ≤ (1 − α ) t .Then, with probability − o (1) , a sequence of s uniformly random vectors { v , . . . , v s } from { , } t is linearly independent, and corresponds to a β -distance linear code. Proof:
The proof follows from a straightforward counting argument. If we draw s uniformlyrandom vectors v , . . . , v s ∈ { , } t , then each non-trivial linear combination of them is in itself auniformly random vector from { , } t , and hence has weight less than β with probability at most2 − t · (cid:18) tβt (cid:19) ≤ − t (cid:18) etβt (cid:19) βt = 2 − t · β log( e/β ) t = 2 ( γ − t , where we set γ = β log( e/β ) < α .By a union bound over all 2 s ≤ (1 − α ) t possible combinations, the probability that there existsa linear combination with weight less than β is at most 2 ( γ − α ) t = o (1). If this is not the case, then v , . . . , v s are linearly independent, and moreover, { v , . . . , v s } corresponds to a β -distance linearcode (where we use the fact that the distance of a linear code is equal to the minimal Hammingweight of a non-zero codeword).Our construction makes use of a sequence of vectors that correspond to a high-distance andhigh-dual distance code, as described below. Definition 3.4 (Hard code ensemble H k ) . Let k ∈ N and let { v , . . . , v k } be a sequence of vectorsin { , } k such that Span { v , . . . , v k } is a / -distance code, and that Span { v k +1 , . . . , v k } is a / -dual distance code. Let A = | | v · · · v k | | . We define the code ensemble H k : { , } k → { , } k as H k ( w ) = { Au : u ∈ { , } k where u | { ,...,k } = w } , where all operations are over GF(2) . { v , . . . , v k } in { , } k satisfies thebasic requirements of a code ensemble H k with high probability (that is, with probability tendingto one as k → ∞ ), and hence such a code ensemble exists. Lemma 3.5.
A set { v , . . . , v k } of random vectors in { , } k satisfies with high probability thefollowing two conditions: Span { v , . . . , v k } is a / -distance code, and Span { v k +1 , . . . , v k } is a / -dual distance code. In particular, for all k large enough the code ensemble H k exists. Proof:
We apply Lemma 3.3 multiple times. First, picking t = 4 k , s = 3 k , α = 1 /
4, and β = 1 / v , . . . , v k with high probability correspond to a 1 / k vectors has high dualdistance, we compare the following two processes, whose output is a linear subspace of (GF(2)) k ,that we view as a code: (i) Choose 2 k vectors and return their span. (ii) Choose 4 k − k = 2 k vectors and return the dual of their span. Conditioning on the chosen 2 k vectors being linearlyindependent, the output distributions of these two processes are identical. Indeed, by a symmetryargument it is not hard to see that under the conditioning, the linear subspace generated by Process(i) is uniformly distributed among all rank-2 k subspaces V of (GF(2)) k . Now, since we can uniquelycouple each such V with its dual V ⊥ (also a rank-2 k subspace) and since V = ( V ⊥ ) ⊥ , this meansthat the output distribution of Process (ii) is uniform as well.However, it follows again from Lemma 3.3 (with t = 4 k , s = 2 k , α = 1 /
2, and any β > k vectors are independent with highprobability. This means that (without the conditioning) the output distributions of Process (i) andProcess (ii) are o (1)-close in variation distance. Applying Lemma 3.3 with t = 4 k , s = 2 k , α = 1 / β = 1 /
10 we get that the distance of the code generated by Process (i) is at least β = 1 / /
10 with high probability.We next state a simple but important observation regarding membership verification.
Observation 3.6.
Once a matrix A with the desired properties is constructed (which may take exp( k ) time if we use brute force), given w ∈ { , } k , the membership of v in H k ( w ) can beverified in poly( k ) time (by solving a system of linear equations over GF(2) ). PCU s and
PCUSS s Next, we define the notion of Probabilistically Checkable Unveiling (
PCU ). This notion is similarto
PCPP , but here instead of requiring our input to satisfy a given property, we require our inputto encode a value w ∈ { , } k (typically using a large distance code ensemble). We then requirethat given the encoded value w , it will be possible to prove in a PCPP -like fashion that the inputis indeed a valid encoding of w . Definition 4.1 ( PCU ) . Fix m, t, k ∈ N , and let C : { , } k → { , } m be a code ensemble. We saythat C has a q ( ε, δ ) -query, length- t PCU if the following holds. There exists a verification algorithm V that takes as inputs ε, δ > , m ∈ N , and w ∈ { , } k , makes at most q ( ε, δ ) queries to the strings v ∈ { , } m and π ∈ { , } t , and satisfies the following: . If v ∈ C ( w ) , then there exists a proof π = Proof C ( v ) ∈ { , } t such that for every ε, δ > ,the verifier V accepts with probability .2. If dist( v, C ( w )) > ε , then for every alleged proof π ∈ { , } t , the verifier V rejects v withprobability greater than δ . In order to facilitate the proof of the main theorem, we utilize a more stringent variant of theabove
PCU definition. Instead of supplying w ∈ { , } k to the algorithm, we supply oracle accessto a a string τ ∈ { , } k that is supposed to represent Spiel ( w ), along with the proof π , and thealgorithm only makes q ( ε, δ ) queries to the proof string π , the original encoding v and the string τ . For cases where v ∈ C ( w ), we use Value ( v ) to denote Spiel ( w ). Definition 4.2 ( Spiel - PCU ) . Fix m, t, k ∈ N , and let C : { , } k → { , } m be a code ensemble. Wesay that C has a q ( ε, δ ) -query, length- t Spiel - PCU if the following holds. There exists a verificationalgorithm V that takes as inputs ε, δ > , m ∈ N , makes at most q ( ε, δ ) queries to the strings v ∈ { , } m , τ ∈ { , } k and π ∈ { , } t , and satisfies the following:1. If there exists w ∈ { , } k for which v ∈ C ( w ) and τ = Value ( v ) = Spiel ( w ) , then there existsa proof π = Proof C ( v ) ∈ { , } t such that for every ε, δ > , the verifier V accepts withprobability .2. If for every w ∈ { , } k either dist( τ, Spiel ( w )) > ε or dist( v, C ( w )) > ε , then for every allegedproof π ∈ { , } t , the verifier V rejects v with probability greater than δ . Note that a code ensemble admitting a
Spiel - PCU automatically admits a
PCU . Indeed, giventhe string w , an oracle for Spiel ( w ) can be simulated.The following lemma states the existence of Spiel - PCU for efficiently computable code ensembles,and will be used throughout this work. The proof follows from Lemma 2.9 together with a simpleconcatenation argument.
Lemma 4.3.
Let k, m, t ∈ N be such that t ≥ m , and let C : { , } k → { , } m be a code ensemble.If given w ∈ { , } k and v ∈ { , } m , it is possible to verify membership of v in C ( w ) using a circuitof size t , then there is a q ( ε, δ ) -query, length- t ′ Spiel - PCU for C where t ′ = t · polylog t . Proof:
Assume without loss of generality that m ≥ | Spiel (0 k ) | . Let ξ = j m | Spiel (0 k ) | k (note that ξ ≥ C eq def = n v ⊔ ( Spiel ( w )) ξ (cid:12)(cid:12) ∃ w ∈ { , } k for which v ∈ C ( w ) o , where ( Spiel ( w )) ξ denotes the ξ -times concatenation of Spiel ( w ).For any string u it is possible to check, using a quasilinear size circuit (see [Spi96]), that thesubstring that corresponds to the domain of ( Spiel ( w )) ξ is a ξ -times repetition of Spiel ( w ) for some w . After doing so, we decode w using a quasilinear size circuit (as in [Spi96]), and then, by thepremise of the lemma, we can verify membership in C ( w ) using a circuit of size t . Therefore,membership in C eq can be decided using a O ( t ) size boolean circuit, and therefore by Lemma 2.9admits a PCPP system whose proof length is quasilinear in t .Given an input v to Spiel - PCU , let v ′ = v ⊔ ( Spiel ( w )) ξ and use the PCPP system for C eq ,with detection radius ε/ δ , where each query to v ′ is emulated by a13orresponding query to v or Spiel ( w ). Note that if v ∈ C ( w ), then v ′ ∈ C eq , so the PCPP system for C eq will accept with probability 1.Next, suppose that dist( v, C ( w )) > ε , and observe that this implies that v ′ is at least ε/ C eq . Thus, by the soundness property of the PCPP for C eq , the verifier rejects with probabilityat least δ , regardless of the contents of the alleged proof π it is supplied with.Next we define Probabilistically Checkable Unveiling of a Shared Secret ( PCUSS ). Definition 4.4.
For m, k, t ∈ N , we say that a function C : { , } k → ( { , } n ) has a q ( ε, δ ) -query,length- t PCUSS , if C has a shared secret property, as well as C has a q ( ε, δ ) -query, length- t PCU .Similarly, when C has a shared secret property (for constant ζ ), as well as C has a q ( ε, δ ) -query,length- t Spiel - PCU , we say that C has a q ( ε, δ ) -query, length- t Spiel - PCUSS . Note that C admitting a Spiel - PCUSS directly implies that it admits a
PCUSS with similar param-eters.The following lemma establishes the existence of a
Spiel - PCUSS for H k , where H k is the codeensemble from Definition 3.4. Lemma 4.5.
For any k ∈ N , H k has a q ( ε, δ ) -query, length- t ′ Spiel - PCUSS where t ′ = poly( k ) . Proof:
By Observation 3.6, given w , membership in H k ( w ) can be checked in poly( k ) time, whichmeans that there exists a polynomial size circuit that decides membership in H k ( w ). Combiningthe above with Lemma 4.3 implies a q ( ε, δ )-query, length- t ′ Spiel - PCU where t ′ = poly( k ). ByLemma 2.7, the large dual distance property of H k implies its shared secret property for someconstant ζ , which concludes the proof of the lemma. PCUSS construction
In this section we give a construction of code ensembles that admit a
PCUSS . First we show thatour code ensemble has a
PCU with a short proof. Specifically,
Lemma 5.1.
For any fixed ℓ ∈ N and any k ∈ N , there exists n ( ℓ, k ) and a code ensemble E ( ℓ ) : { , } k → ( { , } n ) , such that for all n > n ( ℓ, k ) , the code ensemble E ( ℓ ) has a q ( ε, δ ) -querylength- t PCU , for t = O ( n · polylog ( ℓ ) n ) . Later, we prove that our code ensemble has a shared secret property, which implies that it hasa
PCUSS (which implies Theorem 1.1, as we shall show).
Theorem 5.2.
For any fixed ℓ ∈ N and any k ∈ N , there exists n ( ℓ, k ) and a code ensemble E ( ℓ ) : { , } k → ( { , } n ) , such that for all n > n ( ℓ, k ) , the code ensemble E ( ℓ ) has a q ( ε, δ ) -querylength- t PCUSS , for t = O ( n · polylog ( ℓ ) n ) . Specifically, by the discussion before Lemma 5.9, for any fixed soundness parameter 0 < δ < q ( ε, δ ) ≤ (cid:16) ℓ /ε (cid:17) O ( ℓ ) , and for the high soundness regime where δ = 1 − τ (and τ > q ( ε, δ ) ≤ (cid:16) ℓ /ε (cid:17) O ( ℓ ) log(1 /τ ) . .1 The iterated construction Our iterative construction uses polynomials over a binary finite field GF(2 t ). In our proof we willneed to be able to implement arithmetic operations over this field efficiently (i.e., in poly( t ) time).This can be easily done given a suitable representation of the field: namely, a degree t irreduciblepolynomial over GF(2). It is unclear in general whether such a polynomial can be found in poly( t )time. Fortunately though, for t = 2 · r where r ∈ N , it is known that the polynomial x t + x t/ + 1 isirreducible over GF(2) (see, e.g., [Gol08, Appendix G]). We will therefore restrict our attention tofields of this form. At first glance this seems to give us a property that is defined only on a sparseset of input lengths. However, towards the end of this section, we briefly describe how to bypassthis restriction.We next formally define our iterated construction, starting with the “level-0” construction as abase case. The constants c, d in the definition will be explicitly given in the proof of Lemma 5.8. Ad-ditionally, for any ℓ ∈ N , we shall pick a large enough constant c ℓ that satisfies several requirementsfor the “level- ℓ ” iteration of the construction. Definition 5.3 (Iterated coding ensemble) . For k ∈ N and w ∈ { , } k , we define the base codeensemble of w (i.e., level- ℓ code ensemble of w for ℓ = 0 ) as E (0) k ( w ) = H k ( w ) . Let c, d ∈ N be large enough global constants, fix ℓ > , let c ℓ be large enough, and let F be a finitefield for which | F | ≥ max { c ℓ , c · k } .We define the level- ℓ code ensemble of w ∈ { , } k over F as follows. Let r ∈ N be the smallestinteger such that (log | F | ) d ≤ · r , set F ′ = GF (cid:0) · r (cid:1) and k ′ = log | F | . Note that these satisfy therecursive requirements of a level- ( ℓ − code ensemble provided that c ℓ is large enough (specificallywe require (log | F | ) d − > c , so that | F ′ | ≥ ck ′ ). Finally, let H ⊆ F be such that | H | = k , and define E ( ℓ ) F ,k ( w ) = [ g ∈C F : g | H = w G β ∈ F \ H E ( ℓ − F ′ ,k ′ ( hh g ( β ) ii ) . (Note that for ℓ = 1 we just use E (1) F ,k ( w ) = S g ∈C F : g | H = w F β ∈ F \ H E (0) k ′ ( hh g ( β ) ii ) ). That is, v ∈ E ( ℓ ) F ,k ( w ) if there exists a polynomial g ∈ C F such that v = F β ∈ F \ H v β , where v β ∈ E ( ℓ − F ′ ,k ′ ( hh g ( β ) ii ) for every β ∈ F \ H and g | H = w (where we identify the 0 and 1 elements of F with 0 and 1 bits respectively). When the context is clear, we sometimes omit the subscripts.Our choice of the constants c, d, c ℓ needs to satisfy the following conditions. The constant c is chosen such that H will not be an overly large portion of F (this requirement is used inLemma 5.14). The constant d is needed to subsume the length of PCPP proof string which is partof the construction (this requirement is used in Lemma 5.8). Finally, the constant c ℓ needs to belarge enough to enable iteration (as explained in Definition 5.3 itself).Let ℓ ≥ ℓ coding ensemble, and in particular that | F ′ | = polylog | F | . Observation 5.4.
For ℓ > , let n = | F | and w ∈ { , } k . If v ∈ E ( ℓ ) ( w ) , then m ( ℓ ) F def = | v | = n · poly(log n ) · poly(log log n ) · · · poly(log ( ℓ ) n ) , where log ( ℓ ) n is the log function iterated ℓ times. F is clear from context, we shall usually write m ( ℓ ) as a shorthand for m ( ℓ ) F . Thefollowing lemma, proved in the next subsection, establishes the existence of short length Spiel - PCU sfor our code ensembles.
Lemma 5.5.
For any ℓ ≥ , the code ensemble E ( ℓ ) F ,k admits a q ( ε, δ ) -query, length- t Spiel - PCU for t = O ( m ( ℓ ) · polylog ( ℓ ) m ( ℓ ) ) . We start by defining the
PCU proof string for a given v ∈ E ( ℓ ) F ,k ( w ) for some w ∈ { , } k . Definition 5.6 (The
PCU
Proof String) . For ℓ = 0 , let v ∈ E (0) k ( w ) and Value (0) ( v ) = Spiel ( w ) .We define the proof string for v , Proof (0) ( v ) , as the one guaranteed by Lemma 4.5 (note that thelength of Proof (0) ( v ) is poly( k ) ).For ℓ > , let g ∈ C F and w ∈ { , } k be such that v ∈ F β ∈ F \ H E ( ℓ − ( hh g ( β ) ii ) , Value ( ℓ ) ( v ) = Spiel ( w ) and g | H = w . In addition, set S v def = F β ∈ F \ H Value ( ℓ − ( v β ) = F β ∈ F \ H Spiel ( g ( β )) . Theproof string for v ∈ E ( ℓ ) F ,k is defined as follows. Proof ( ℓ ) ( v ) = S v ⊔ G β ∈ F \ H Proof ( ℓ − ( v β ) ⊔ Proof L ( S v ) where the code ensemble L : { , } k → { , } O ( | F |· log | F | ) is defined as follows. Given w ∈ { , } k , S ∈ L ( w ) if and only if there exists a polynomial g ∈ C F such that the following conditions aresatisfied.1. g | H = w .2. S = F β ∈ F \ H Spiel ( g ( β )) . The following lemma establishes the existence of a
Spiel - PCU for L . Lemma 5.7. L has a q ( ε, δ ) -query length- t Spiel - PCU for t = O ( | F | · polylog | F | ) . Proof:
By Theorem 2.2, there exists a quasilinear size circuit that decodes
Spiel ( α ). Using such acircuit, we can decode g ( β ) from S for every β ∈ F . Then, using all the values g ( β ) and w (wherethe i -th bit of w correspond to the value of the i -th element in H according to the ordering), weuse Theorem 2.4 to interpolate the values and achieve a representation of a polynomial g : F → F .If g ∈ C F we accept S and otherwise we reject. Since deciding if S ∈ L ( w ) has a quasilinear sizecircuit, by Lemma 4.3, there is a quasilinear length Spiel - PCU for L .Having defined Proof ( ℓ ) , we first provide an upper bound on the bit length of the prescribedproof string. For ℓ >
0, let z ( ℓ ) F ,k denote the bit length of the proof for membership in E ( ℓ ) as definedin Definition 5.6, where for ℓ = 0 we replace the (nonexistent) field F with | w | .The following lemma, establishing the proof string’s length, relies on our choice of the constant d in Definition 5.3. In particular, d needs to be large enough to subsume the size of Proof L ( · ) Lemma 5.8.
For any ℓ ≥ , we have that z ( ℓ ) F ,k = O (cid:0) m ( ℓ ) · polylog ( ℓ ) m ( ℓ ) (cid:1) . roof: The proof follows by induction on ℓ . The base case ( ℓ = 0) follows directly from thedefinition of P (0) by our convention that log (0) | w | = | w | .Consider ℓ >
0, and note that since the size of S v is O ( | F | log | F | ), the size of Proof L ( S v ) is O ( | F | · polylog | F | ). By combining the above with the definition of the proof string we have z ( ℓ ) F ,k ≤ | F | · polylog | F | + | F | · z ( ℓ − F ′ ,k ′ . Now, assume that z ( ℓ − F ′ ,k ′ = O ( m ( ℓ − · polylog ( ℓ − | F ′ | ). Note that since the global constant d waschosen so that | F | · | F ′ | ≥ | Proof L ( S v ) | , we have that | F | · z ( ℓ − F ′ ,k ′ ≥ | F | · | F ′ | ≥ | Proof L ( S v ) | .Therefore, m ( ℓ ) = Θ( | F | · m ( ℓ − ) = Ω( | F | · | F ′ | ) = Ω( | F | · polylog | F | ) , so that | F | · polylog | F | = O ( m ( ℓ ) ), and z ( ℓ ) F ,k = O ( | F | · z ( ℓ − F ′ ) . In addition, by the fact that m ℓ = Θ( | F | · m ( ℓ − ) and the induction hypothesis we obtain | F | · z ( ℓ − F ′ ,k ′ = O ( | F | · m ( ℓ − · polylog ( ℓ − | F ′ | ) = O ( m ( ℓ ) · polylog ( ℓ ) | F | ) = O ( m ( ℓ ) · polylog ( ℓ ) m ℓ ) . So overall, we get that z ( ℓ ) F ,k = O ( m ( ℓ ) · polylog ( ℓ ) m ( ℓ ) ) as required.Next, for an alleged proof π = Proof ( ℓ ) ( v ), we use the notation π | Dom( X ) to denote the re-striction of π to the bits that correspond to X in π as defined in Definition 5.6. For example, π | Dom(
Value ( ℓ − ( v β )) refers to the bits that represent Value ( ℓ − ( v β ).We introduce the verifier procedure for E ( ℓ ) F ,k (see Figure 1), and prove its completeness andsoundness. For technical considerations, the verifier procedure is only defined when the soundnessparameter δ is small enough (as a function of ℓ ); the soundness amplification argument fromSubsection 2.2 can easily take care of the situation where δ is larger, by running sufficiently manyindependent instances of the verification step.Before proceeding to the completeness and soundness proofs, let us analyze the query complexity.Denote by Q ℓ ( ε, δ ) the query complexity of the verifier in the above procedure for a given ℓ ≥
0. Itfollows from the recursive description of
Verifier-Procedure E ( ℓ ) and the proof of Lemmas 4.3 and5.7 that the query complexity satisfies the recurrence relation Q ℓ ( ε, δ ) ≤ O (1 /ε ) · Q ℓ − ( ε/O (1)) , δ · O (1))+ q ∗ (Θ( ε ) , Θ( δ )), where q ∗ ( ε ∗ , δ ∗ ) = O (( ε ∗ ) − ) is the query complexity of Dinur’s PCP [Din07]with detection radius ε ∗ and soundness parameter δ ∗ ≤ /
2; and furthermore, that Q ( ε, δ ) ≤ q ∗ (Θ( ε ) , Θ( δ )). Thus, we conclude by induction that, provided that δ ≤ − ℓ − , Q ℓ ( ε, δ ) ≤ Cε · C ε · . . . · C ℓ ε · q ∗ ( ε/ O ( ℓ ) , δ · ℓ ) = 2 O ( ℓ ) ε − O ( ℓ ) , where C > δ > /
2, we canamplify by repeating the verifier procedure with parameter δ ′ = 2 − ℓ − a total of 2 O ( ℓ ) · log (cid:0) (1 − δ ) − (cid:1) times and rejecting if any of these instances rejected. The query complexity is bounded by2 O ( ℓ ) ε − O ( ℓ ) · O ( ℓ ) · log (cid:0) (1 − δ ) − (cid:1) = (2 ℓ /ε ) O ( ℓ ) · log (cid:0) (1 − δ ) − (cid:1) , as desired. The next two lemmas establish the completeness and soundeness of the verifier proce-dure, respectively. 17 erifier-Procedure E ( ℓ ) Input:
Parameters ε, δ ∈ (0 , v ∈ { , } m ( ℓ ) , an alleged value τ ∈ { , } k of v ,and an alleged proof π ∈ { , } z ( ℓ ) F ,k for v .1. If ℓ = 0, use the PCU for E (0) with parameters ε and δ .2. If ℓ > PCU verifier for L with radius ε/
300 and soundness δ , to verify theunveiling of π | Dom( S v ) , using τ as the value oracle and π | Dom(
Proof L ( S v )) as theproof oracle.(b) For 6 /ε many times:i. Pick β ∈ F \ H uniformly at random.ii. Use the PCU verifier procedure for E ( ℓ − with parameters ε/ δ , to verifythe unveiling of v β , using π | Dom(
Value ( ℓ − ( v β )) as the value oracle and π | Dom(
Proof ( ℓ − ( v β )) as the proof oracle.If any of the stages rejected then Reject , and otherwise
Accept .Figure 1: Description of
Verifier-Procedure E ( ℓ ) . Lemma 5.9.
If there exist w ∈ { , } k for which v ∈ E ( ℓ ) F ,k ( w ) , then Verifier-Procedure E ( ℓ ) accepts v with probability when supplied with oracle access to the corresponding Proof ( ℓ ) ( v ) and τ = Value ( ℓ ) ( v ) = Spiel ( w ) . Proof:
The proof follows by induction on ℓ . The base case follows directly from Lemma 4.5.Hence, the verifier for E (0) supplied with Proof (0) ( v ) as the proof oracle and Value ( ℓ ) ( v ) as thevalue oracle, will accept v with probability 1.Assume that Verifier-Procedure E ( ℓ − accepts with probability 1 any valid encoding v ′ whensupplied with the corresponding oracles for Value ( ℓ − ( v ′ ) and Proof ( ℓ − ( v ′ ). Let v ∈ E ( ℓ ) andwrite v = F β ∈ F \ H v β , where there exist w ∈ { , } k and g ∈ C F such that for all β ∈ F \ H , v β ∈ E ( ℓ − ( g ( β )), where g | H = w and τ = Value ( ℓ ) ( v ) = Spiel ( w ). Then, by the definition of thelanguage L and the first two components of Proof ( ℓ ) ( v ), Step (2a) of Verifier-Procedure E ( ℓ ) will always accept. In addition, for every β ∈ F \ H , we have that v β ∈ E ( ℓ − , and thereforeby the induction hypothesis, Step (2b) of Verifier-Procedure E ( ℓ ) will accept the correspondingunveiling for any picked β ∈ F \ H . Lemma 5.10.
If for every w ∈ { , } k either dist( τ, Spiel ( w )) > ε or dist( v, E ( ℓ ) ( w )) > ε (or both),then with probability greater than δ , Verifier-Procedure E ( ℓ ) will reject v regardless of the contentsof the supplied proof string. Proof:
Let τ ∈ { , } k be an alleged value for v , and π ∈ { , } z ( ℓ ) F ,k be an alleged proof stringfor v . We proceed by induction on ℓ . For ℓ = 0 we use the PCU verifier for E (0) with error ε δ to check that v is a member of the code ensemble E (0) and τ is its value. If the PCU verifier for E (0) rejects with probability at most δ , then there exist w ∈ { , } k such thatdist( v, E (0) ( w )) ≤ ε and dist( τ, Spiel ( w )) ≤ ε , and the base case is complete.Next assume that the lemma holds for ℓ −
1. If the
PCU verifier for L in Step (2a) rejects withprobability at most δ , then there exist a function g ∈ C F and w ∈ { , } k for which g | H = w so thatdist( π | Dom( S v ) , Spiel ( g | F \ H )) ≤ ε/
300 and dist( τ, Spiel ( w )) ≤ ε/ . In particular, the leftmost inequality means that for at most ε | F \ H | of the elements β ∈ F \ H , itholds that dist( π | Dom(
Value ( ℓ − ( v β )) , Spiel ( g ( β )) > / . We refer to elements β ∈ F \ H satisfying the above inequality as bad elements, and to the rest as good elements. Let G denote the set of good elements.Next, we show that if the loop that uses the PCU verifier for E ( ℓ − in Step (2b) rejects withprobability at most δ , then for at most an ε/ β ∈ F \ H , it holds thatdist (cid:16) v β , E ( ℓ − ( hh g ( β ) ii ) (cid:17) > ε/ . Assume that there are more than ε · | G | good elements such that dist (cid:0) v β , E ( ℓ − ( hh g ( β ) ii ) (cid:1) > ε/ PCU verifier for E ( ℓ − with probability more than 2 δ . In addition, with probability at least 1 / β , and then during this iteration the verifier in Step (2b(ii)) rejects with conditionalprobability more than 2 δ , and hence the verifier will reject with overall probability more than δ .Summing everything up, when the input is rejected with probability at most δ ,dist v, G β ∈ F \ H E ( ℓ − ( hh g ( β ) ii ) ≤ ε/ − ε/ · ε/ − ε/ · ε/ ≤ ε, where the three summands are respectively the contribution to the distance of the bad elements,the good elements with v β being far from any level ℓ − hh g ( β ) ii , and all the otherelements.The proof of Lemma 5.5 follows directly by combining Lemma 5.8, Lemma 5.9 and Lemma 5.10.The following corollary follows directly from Lemma 5.5 and the definition of Spiel - PCU (Defini-tion 4.2), and implies Lemma 5.1.
Corollary 5.11.
Let F be a finite field and k ∈ N which satisfy the requirements in Definition 5.3.Then, for every ℓ ≥ the coding ensemble E ( ℓ ) F ,k : { , } k → (cid:16) { , } m ( ℓ ) (cid:17) has a q ( ε, δ ) -query, length- t Spiel - PCU for t = O ( m ( ℓ ) polylog ( ℓ ) m ( ℓ ) ) . We turn to prove the linear query lower bound for the testability of our property. We start bydefining distributions over strings of length m ( ℓ ) .19 istribution D ( ℓ ) yes ( w ) : Given w ∈ { , } k , we define the distribution D ( ℓ )yes ( w ) to be the uniformdistribution over elements in E ( ℓ ) ( w ). Distribution D ( ℓ ) no : An element v from D ( ℓ )no is drawn by the following process. For ℓ = 0, v is auniformly random string in { , } k . For ℓ >
0, we pick a uniformly random function λ : F \ H → F ,and let v be a uniformly random element of F β ∈ F \ H E ( ℓ − ( hh λ ( β ) ii ) Lemma 5.12.
For any ℓ ≥ , every w ∈ { , } k and q = o ( m ( ℓ ) / ℓ ) , any algorithm making atmost q queries cannot distinguish (with constant probability) between v ∼ D ( ℓ ) yes ( w ) and u which isdrawn according to any of the following distributions:1. D ( ℓ ) yes ( w ′ ) for any w ′ = w .2. D ( ℓ ) no . Note that Item (1) in the above follows immediately from Item (2). Additionally, the first itemimplies the shared secret property of the code ensemble E ( ℓ ) . Furthermore, we remark that thatabove lemma implies a more stringent version of PCUSS . In addition to the shared secret property,Item (2) implies that the ensemble E ( ℓ ) is indistinguishable from strings that are mostly far fromany encoding (i.e., drawn from D ( ℓ )no ).The proof of Lemma 5.12 follows by induction over ℓ . Before we continue, we introduce someuseful lemmas that will be used in the proof. Lemma 5.13.
For any ℓ ≥ and w, w ′ ∈ { , } k for which w = w ′ it holds that min ( v,v ′ ) ∈E ( ℓ ) ( w ) ×E ( ℓ ) ( w ′ ) dist( v, v ′ ) = Θ (cid:16) / ℓ +1 (cid:17) Proof:
The proof follows by induction over ℓ . The base case for ℓ = 0 follows directly by the factthat the code from Definition 3.4 has high distance, and in particular dist( E (0) ( w ) , E (0) ( w ′ )) > / ℓ −
1. Namely, for w, w ′ ∈ { , } k ′ for which w = w ′ it holds thatmin ( v,v ′ ) ∈E ( ℓ − ( w ) ×E ( ℓ − ( w ′ ) dist( v, v ′ ) = Θ (cid:16) / ℓ (cid:17) . Let ˜ w, ˜ w ′ ∈ { , } k be such that ˜ w ′ = ˜ w . Then we can write (˜ v, ˜ v ′ ) ∈ E ( ℓ ) ( ˜ w ) × E ( ℓ ) ( ˜ w ′ ) as˜ v = G β ∈ F \ H E ( ℓ − ( hh g ( β ) ii ) and ˜ v ′ = G β ∈ F \ H E ( ℓ − ( hh g ′ ( β ) ii ) , for some g, g ′ ∈ C F such that g | H = ˜ w and g ′ | H = ˜ w ′ . By the fact that g and g ′ are degree | F | / g and g ′ disagree on at least | F \ H | / β ∈ F \ H . By applying the induction hypothesis on the minimum distance between E ( ℓ ) ( hh g ( β ) ii ) and E ( ℓ ) ( hh g ′ ( β ) ii ), for all β such that g ( β ) = g ′ ( β ), we have thatmin (˜ v, ˜ v ′ ) ∈E ( ℓ ) ( ˜ w ) ×E ( ℓ ) ( ˜ w ′ ) dist(˜ v, ˜ v ′ ) > · Θ (cid:18) ℓ (cid:19) = Θ (cid:16) / ℓ +1 (cid:17) . emma 5.14. For any ℓ ≥ , with probability at least − o (1) , a string v drawn from D ( ℓ ) no satisfies dist( v, E ( ℓ ) ( w )) = Θ (cid:0) / ℓ +1 (cid:1) for all w ∈ { , } k . Proof:
The proof follows by induction over ℓ . For ℓ = 0, fix some w ∈ { , } k . Consider the sizeof a ball of relative radius 1 /
40 around some v ∈ E (0) ( w ) in the space of all strings { , } k . Thenumber of strings contained in this ball is at most (cid:18) kk/ (cid:19) ≤ (40 e ) k/ = 2 k/ · log(40 e ) . Thus, the size of the set of strings which are at relative distance 1 /
40 from any legal encoding ofsome word w ∈ { , } k is at most 2 k · k/ · log(40 e ) = o (2 k ) . This implies that with probability at least 1 − o (1), a random string from { , } k is 1 / E (0) ( w ) for any w ∈ { , } k .For any ℓ >
0, consider v ′ sampled according to D ( ℓ )no . Then, v ′ can be written as v ′ = G β ∈ F \ H E ( ℓ − ( hh λ ( β ) ii ) , where λ : F \ H → F is a uniformly random function. On the other hand, each member ˜ v of P ( ℓ ) can be written as ˜ v = G β ∈ F \ H E ( ℓ − ( hh g ( β ) ii ) , for some g ∈ C F such that g | H = w for some w ∈ { , } k . Note that by Lemma 5.13, whenever λ ( β ) = g ( β ), we have that the minimum distance between any ˜ v ∈ E ( ℓ − ( hh g ( β ) ii ) and v ′ ∈E ( ℓ − ( hh λ ( β ) ii ) is at least Θ(1 / ℓ ). In addition, by Lemma 2.5, we have that that with probabilityat least 1 − o (1), a uniformly random function λ : F → F is 1 / g ∈ C F . By therestrictions on k in Definition 5.3, which implies that | H | ≤ | F | /c , we can ensure (by the choice of c ) that with probability at least 1 − o (1), that a uniformly random λ : F \ H → F is at least 1 / g | F \ H . This implies that for at least | F \ H | / β ∈ F \ H , wehave that λ ( β ) = g ( β ). Therefore, we have that dist( v ′ , E ( ℓ ) ( w )) = · Θ (cid:0) ℓ (cid:1) = Θ (cid:0) / ℓ +1 (cid:1) for all w ∈ { , } k , and the proof is complete. Lemma 5.15.
Fix any ℓ > , and suppose that for any w ′ ∈ { , } k ′ , and for any set Q ′ of at most q ( ℓ − F ′ ,k ′ queries (where F ′ and k ′ are picked according to the recursive definition of the level ℓ -encoding,and for q (0) we substitute k ′ for the nonexistent F ′ ) the restricted distributions D ( ℓ − yes ( w ′ ) | Q ′ and D ( ℓ − no | Q ′ are identical. Then, for any w ∈ { , } k , and any set Q of at most | F \ H | · q ( ℓ − F ′ ,k ′ queries,the restricted distributions D ( ℓ ) yes ( w ) | Q and D ( ℓ ) no | Q are identical. Proof:
Let Q ⊂ [ m ( ℓ ) ] be the set of queries, and fix a canonical ordering over the elements in F \ H . Let v be an element drawn according to distribution D ( ℓ )yes ( w ), and let v ′ be an elementdrawn according to distribution D ( ℓ )no . The sampling process from D ( ℓ )yes ( w ) can be thought of as first21rawing a uniformly random function g ∈ C F such that g | H = w , and for every β ∈ F \ H , letting v β be a uniformly random element in E ( ℓ − ( hh g ( β ) ii ).For each β ∈ F \ H we set Q β = Q ∩ Dom( v β ), and define the set of big clusters I = n β ∈ F \ H : | Q β | ≥ q ( ℓ − F ′ ,k ′ o . Note that since | Q | ≤ | F \ H | · q ( ℓ − F ′ ,k ′ /
10, we have that | I | ≤ | F \ H | / g is a uniformly random polynomial of degree | F | / > | I | , we have that g | I isdistributed exactly as λ | I (both are a sequence of | I | independent uniformly random values), whichimplies that v | S j ∈ I Q j is distributed exactly as v ′ | S j ∈ I Q j .Next, let F \ ( I ∪ H ) = { i , . . . , i | F \ ( I ∪ H ) | } be a subset ordered according to the canonical orderingover F . We proceed by showing that v | S j ∈ I ∪{ i ,...,it } Q j is distributed identically to v ′ | S j ∈ I ∪{ i ,...,it } Q j by induction over t .The base case ( t = 0) corresponds to the restriction over S j ∈ I Q j , which was already provenabove. For the induction step, let T = { i , . . . , i t − } ⊆ F \ ( I ∪ H ) be an ordered subset that agreeswith the canonical ordering on F , and let i t ∈ F \ ( H ∪ T ∪ I ) be the successor of i t − according to theordering. We now prove that for each x ∈ { , } m ( ℓ ) for which v | S j ∈ I ∪ T Q j has a positive probabilityof being equal to x | S j ∈ I ∪ T Q j , conditioned on the above event taking place (and its respective eventfor v ′ ), v | Q it is distributed exactly as v ′ | Q it .Observe that conditioned on the above event, v | Q it is distributed exactly as a uniformly randomelement in E ( ℓ − ( ρ ) for some ρ ∈ { , } k ′ (which follows some arbitrary distribution, possiblydepending on x | S j ∈ I ∪ T Q j ), while v ′ | Q it is distributed exactly as a uniformly random element in E ( ℓ − ( y ) for a uniformly random y ∈ { , } k ′ . By the fact that | Q i t | ≤ q ( ℓ − F ′ ,k ′ /
10, we can applythe induction hypothesis and conclude that v | Q it is distributed exactly as v ′ | Q it , because by ourhypothesis both are distributed identically to the corresponding restriction of D ( ℓ − , regardlessof the values picked for ρ and y . This completes the induction step for t . The lemma follows bysetting t = | F \ H ∪ I | . Lemma 5.16.
For any ℓ ≥ , w ∈ { , } k and any set of queries Q ⊂ [ m ( ℓ ) ] such that | Q | = O (cid:16) m ( ℓ ) ℓ (cid:17) , the restricted distributions D ( ℓ ) yes ( w ) | Q and D ( ℓ ) no | Q are identically distributed. Proof:
By induction on ℓ . For ℓ = 0 and any w ∈ { , } k , by the fact that our base encoding E (0) ( w ) is a high dual distance code, we can select (say) q (0) = k/c (for some constant c > w ′ ∈ { , } k ′ , and any set of queries Q ′ of size at most O ( m ( ℓ − / ℓ − )the conditional distributions D ( ℓ − ( w ′ ) | Q ′ and D ( ℓ − | Q ′ are identically distributed. Then, byLemma 5.15, we have that for any w ∈ { , } k and any set of queries Q of size at most O (cid:18) | F \ H | ℓ · m ( ℓ − (cid:19) , the restricted distributions D ( ℓ )yes ( w ) | Q and D ( ℓ )no | Q are identically distributed. Note that by definitionof the level ℓ -encoding, m ( ℓ ) = | F \ H | · m ( ℓ − , which implies the conclusion of the lemma. Proof of Lemma 5.12:
Lemma 5.12 follows directly by combining Lemma 2.14, and Lemma 5.16.22ombining Lemma 5.12 with the definition of
Spiel - PCU (Definition 4.2) establishes that wehave constructed a
Spiel - PCUSS , which implies Theorem 5.2.
Corollary 5.17.
Let F be a finite field and k ∈ N which satisfy the requirements in Definition 5.3.Then, for every ℓ ≥ , the coding ensemble E ( ℓ ) F ,k : { , } k → (cid:16) { , } m ( ℓ ) (cid:17) has q ( ε, δ ) -query length- t Spiel - PCUSS for t = O ( m ( ℓ ) polylog ( ℓ ) m ( ℓ ) ) . As mentioned in the beginning of this section, our construction of code ensembles relies on the factthat operations over a finite field GF(2 t ) can be computed efficiently. In order to do so we need tohave an irreducible polynomial of degree t over GF(2), so that we have a representation GF(2 t ).Given such a polynomial, operations over the field can be implemented in polylogarithmic time inthe size of the field. By [Gol08] (Appendix G), we know that for t = 2 · r where r ∈ N , we do havesuch a representation. However, the setting of t restricts the sizes of the fields that we can workwith, which will limit our input size length.We show here how to extend our construction to a set of sizes that is “log-dense”. For a globalconstant c ′ , our set of possible input sizes includes a member of [ m ′ , c ′ m ′ ] for every m ′ . Movingfrom this set to the set of all possible input sizes now becomes a matter of straightforward padding.For any n ∈ N , let r be the smallest integer such that n < · r and let F = GF(2 · r ). Wemake our change only at the level- ℓ construction. First, we use 4 d instead of d in the calculationof the size of F ′ . Then, instead of using F \ H as the domain for our input, we use E \ H , for anyarbitrary set E ⊆ F of size n ≥ max { k, | F | / , c ℓ } that contains H . Then, for the level- ℓ , insteadof considering polynomials of degree | F | /
2, we consider polynomials of degree | E | /
2. The rest ofthe construction follows the same lines as the one defined above. This way, all of our operationscan be implemented in polylogarithmic time in | E | . In this section we use Theorem 5.2 to prove a separation between the standard testing model, andboth the tolerant and the erasure resilient testing models. Specifically, we prove the following.
Theorem 6.1 (Restatement of Theorem 1.2) . For every constant ℓ ∈ N , there exist a property Q ( ℓ ) and ε = ε ( ℓ ) ∈ (0 , such that the following hold.1. For every ε ∈ (0 , , the property Q ( ℓ ) can be ε -tested using a number of queries dependingonly on ε (and ℓ ).2. For every ε ∈ (0 , ε ) , any ( ε , ε ) -tolerant tester for Q ( ℓ ) needs to make Ω( N/ ℓ · polylog ( ℓ ) N ) many queries on inputs of length N . Theorem 6.2 (Restatement of Theorem 1.3) . For every constant ℓ ∈ N , there exist a property Q ( ℓ ) and ε = ε ( ℓ ) ∈ (0 , such that the following hold.1. For every ε ∈ (0 , , the property Q ( ℓ ) can be ε -tested using a number of queries dependingonly on ε (and ℓ ). . For every ε ∈ (0 , ε ) and any α = Ω(1 / log ( ℓ ) N ) satisfying ε + α < , any α -erasure resilient ε -tester for Q ( ℓ ) needs to make Ω( N/ ℓ · polylog ( ℓ ) N ) many queries on inputs of length N . In order to prove the separation we use the code ensemble E ( ℓ ) F ,k where k is set to 0. Namely, weconsider E F , ( ∅ ). Note that in this case, the code ensemble becomes a property (i.e. a subset of theset of all possible strings).Next, we define the property that exhibits the separation between the standard testing modeland both the tolerant testing model and the erasure resilient model. We prove Theorem 6.1 andmention the small difference between the proof of Theorem 6.1 and the proof of Theorem 6.2. Definition 6.3.
Fix a finite field F and a constant integer ℓ ∈ N and let ε ( ℓ ) = Θ(1 / ℓ ) . Let n def = m ( ℓ ) F , z ( ℓ ) F , ≤ n · polylog ( ℓ ) n denote the length of the proof for the PCUSS from Theorem 5.2,and let N = (log ( ℓ ) n + 1) · z ( ℓ ) F , . Let Q ( ℓ ) ⊆ { , } N be defined as follows. A string x ∈ { , } N satisfies Q ( ℓ ) if the following hold.1. The first z ( ℓ ) F , · log ( ℓ ) n bits of x consist of s = z ( ℓ ) F , · log ( ℓ ) nn copies of y ∈ E ( ℓ ) F , .2. The remaining z ( ℓ ) F , bits of x consist of a proof string π ∈ { , } z ( ℓ ) F , , for which the Verifier-Procedure E ( ℓ ) F , in Figure 1 accepts y given oracle access to y and π . We first show that Q ( ℓ ) can be tested using a constant number of queries in the standard testingmodel. Testing Algorithm for Q ( ℓ ) Input:
Parameter ε ∈ (0 , x ∈ { , } N .1. Set s def = z ( ℓ ) F , · log ( ℓ ) nn .2. Repeat 4 /ε times:(a) Sample j ∈ [ n ] and i ∈ [ s ] \ { } uniformly at random.(b) If x j = x ( i − · n + j , then Reject .3. Let v = ( x , . . . , x n ), π = ( x z ( ℓ ) F , · log ( ℓ ) n +1 , . . . , x (log ( ℓ ) n +1) z ( ℓ ) F , ) and τ be the empty string.4. Run the PCU verifier for E ( ℓ ) F , with parameters ε/ δ = 2 / v , using π as thealleged proof for v , and τ as the alleged value for v .5. If the PCU verifier rejects, then
Reject ; otherwise
Accept .Figure 2: Description of
Testing Algorithm for Q ( ℓ ) .For Item 4 in Figure 2, recall that running the PCU verifier with parameter δ = 2 / δ , as discussed in Subsection 5.2.24 emma 6.4. The property Q ( ℓ ) has a tester with query complexity depending only on ε . Proof:
We show that the algorithm described in Figure 2 is a testing algorithm for Q ( ℓ ) . Weassume that n is large enough so that log ( ℓ ) n > /ε .Assume that x ∈ Q ( ℓ ) . Then, there exists a string y ∈ E ( ℓ ) F , , such that x , . . . , x z ( ℓ ) F , log ( ℓ ) n = ( y ) s (where ( y ) s denotes the concatenation of s copies of y ), and x z ( ℓ ) F , · log ( ℓ ) n +1 , . . . , x (log ( ℓ ) +1) z ( ℓ ) F , = π ∈{ , } z ( ℓ ) F , , where π is a proof that makes the PCU verifier for E ( ℓ ) F , accept when given oracle accessto y and π . Therefore, the algorithm in Figure 2 accepts x .Next, assume that x is ε -far from Q ( ℓ ) , and let y ′ = x , . . . , x n . Note that if x , . . . , x z ( ℓ ) F , · log ( ℓ ) n is ε/ z ′ ) s , then the loop in Step 2 rejects x with probability at least 2 /
3, and weare done. If x , . . . , x z ( ℓ ) F , · log ( ℓ ) n is ε/ y ′ ) s , then y ′ must be ε/ E ( ℓ ) F , . To see this,assume toward a contradiction that y ′ is ε/ E ( ℓ ) F , . Then, by modifying at most ε · z ( ℓ ) F , · log ( ℓ ) n bits, we can make x , . . . , x z ( ℓ ) F , · log ( ℓ ) n equal to ( y ′ ) s . Since, by our assumption y ′ is ε/ E ( ℓ ) F , , we can further modify the string ( y ′ ) s to (˜ y ) s , where ˜ y ∈ E ( ℓ ) F , , by changing at most ε · z ( ℓ ) F , · log ( ℓ ) n bits. Finally, by changing at most z ( ℓ ) F , bits from π , we can get a proof string ˜ π which will make the PCPP verifier accept ˜ y . By our assumption that 6 /ε < log ( ℓ ) n , the total number of changes to theinput string x is at most ε · z ( ℓ ) F , · log ( ℓ ) n ε · z ( ℓ ) F , · log ( ℓ ) n z ( ℓ ) F , ≤ ε · (log ( ℓ ) n + 1) · z ( ℓ ) F , = εN, which is a contradiction to the fact that x is ε -far from E ( ℓ ) F , .Finally, having proved that y ′ is ε/ E ( ℓ ) F , , the PCU verifier for E ( ℓ ) F , (when called withparameters ε/ δ = 2 /
3) rejects with probability at least 2 / Lemma 6.5.
For every constant ℓ ∈ N , there exists ε = Θ(1 / ℓ ) such that for every ε < ε , any ( ε , ε ) -tolerant tester for Q ( ℓ ) needs to make at least Ω (cid:16) N ℓ · polylog ( ℓ ) N (cid:17) many queries. Proof:
Fix some constant ℓ ∈ N . The proof follows by a reduction from 2 ε -testing of E ( ℓ ) F , . Givenoracle access to a string y ∈ { , } n which we would like to 2 ε -test for E ( ℓ ) F , , we construct an inputstring x ∈ { , } N where N = (log ( ℓ ) n + 1) · z ( ℓ ) F , as follows. x def = ( y ) z ( ℓ ) F , · log( ℓ ) nn ⊔ (0) z ( ℓ ) F , . That is, we concatenate z ( ℓ ) F , · log ( ℓ ) n/n copies of y , and set the last z ( ℓ ) F , bits to 0. Note that a singlequery to the new input string x can be simulated using at most one query to the string y .If y ∈ E ( ℓ ) F , , then for large enough n we have that x is ε -close to Q ( ℓ ) , since the last z ( ℓ ) F , bitsthat are set to 0 are less than an ε -fraction of the input length.On the other hand, if dist( x, E ( ℓ ) F , ) > ε , since each copy of y in x is 2 ε -far from E ( ℓ ) F , , then x is ε · log ( ℓ ) n log ( ℓ ) n +1 -far from Q ( ℓ ) (note that log ( ℓ ) n log ( ℓ ) n +1 > / ε , ε )-tolerant tester for25 ( ℓ ) would imply an 2 ε -tester for E ( ℓ ) F , with the same query complexity. By Lemma 5.12, since forsome ε = Θ(1 / ℓ ), every 2 ε -tester for E ( ℓ ) F , requires Ω( n/ ℓ ) queries on inputs of length n , any( ε , ε )-tolerant tester for Q ( ℓ ) requires to make Ω (cid:16) N ℓ · polylog ( ℓ ) N (cid:17) many queries. Proof of Theorem 6.1:
The proof follows by combining Lemma 6.4 and Lemma 6.5.
Proof of Theorem 6.2:
The proof of Theorem 6.2 is almost identical to the proof of Theorem 6.1.The only difference is that we replace Lemma 6.5 with a counterpart for erasure resilient testing,where instead of setting the last z ( ℓ ) F , bits of x to (0) z ( ℓ ) F , , we use ( ⊥ ) z ( ℓ ) F , , noting that the relative sizeof this part of the input is 1 / ( s + 1) = Θ(1 / log ( ℓ ) ( N )). References [ALM +
98] Sanjeev Arora, Carsten Lund, Rajeev Motwani, Madhu Sudan, and Mario Szegedy.Proof verification and the hardness of approximation problems.
J. ACM ,45(3):501–555, 1998.[BCE +
18] Eric Blais, Cl´ement L. Canonne, Talya Eden, Amit Levi, and Dana Ron. Tolerantjunta testing and the connection to submodular optimization and functionisomorphism. In
Proceedings of the 29th ACM-SIAM Symposium on DiscreteAlgorithms (SODA) , pages 2113–2132, 2018.[BCG +
17] Eli Ben-Sasson, Alessandro Chiesa, Ariel Gabizon, Michael Riabzev, and NicholasSpooner. Interactive oracle proofs with constant rate and query complexity. In
Proceedings of the 44th International Colloquium on Automata, Languages andProgramming (ICALP) , pages 40:1–40:15, 2017.[BCS16] Eli Ben-Sasson, Alessandro Chiesa, and Nicholas Spooner. Interactive oracle proofs.In
Theory of Cryptography - 14th International Conference TCC Proceedings, Part II ,pages 31–60, 2016.[BEF18] Omri Ben-Eliezer and Eldar Fischer. Earthmover resilience and testing in orderedstructures. In
Proceedings of the 33rd Conference on Computational Complexity(CCC) , pages 18:1–18:35, 2018.[BGH +
06] Eli Ben-Sasson, Oded Goldreich, Prahladh Harsha, Madhu Sudan, and Salil P.Vadhan. Robust PCPs of proximity, shorter PCPs, and applications to coding.
SIAMJournal on Computing , 36(4):889–974, 2006.[BKK +
16] Eli Ben-Sasson, Yohay Kaplan, Swastik Kopparty, Or Meir, and Henning Stichtenoth.Constant rate PCPs for circuit-SAT with sublinear query complexity.
Journal of theACM , 63(4):32:1–32:57, 2016.[BMR16] Piotr Berman, Meiram Murzabulatov, and Sofya Raskhodnikova. Tolerant testers ofimage properties. In
Proceedings of the 43rd International Colloquium on Automata,Languages and Programming (ICALP) , pages 90:1–90:14, 2016.26BSS08] Eli Ben-Sasson and Madhu Sudan. Short PCPs with polylog query complexity.
SIAMJournal on Computing , 38(2):551–607, 2008.[CGR13] Andrea Campagna, Alan Guo, and Ronitt Rubinfeld. Local reconstructors andtolerant testers for connectivity and diameter. In
Approximation, Randomization, andCombinatorial Optimization. Algorithms and Techniques , pages 411–424. Springer,2013.[Din07] Irit Dinur. The PCP theorem by gap amplification.
Journal of the ACM , 54(3):12,2007.[DMN19] Anindya De, Elchanan Mossel, and Joe Neeman. Junta correlation is testable. In
Proceedings of the 60th Annual IEEE Symposium on Foundations of ComputerScience (FOCS) , pages 1549–1563, 2019.[DR06] Irit Dinur and Omer Reingold. Assignment testers: Towards a combinatorial proof ofthe PCP theorem.
SIAM Journal on Computing , 36(4):975–1024, 2006.[DRTV18] Kashyap Dixit, Sofya Raskhodnikova, Abhradeep Thakurta, and Nithin M. Varma.Erasure-resilient property testing.
SIAM Journal on Computing , 47(2):295–329, 2018.[FF06] Eldar Fischer and Lance Fortnow. Tolerant versus intolerant testing for booleanproperties.
Theory of Computing , 2(9):173–183, 2006.[FN07] Eldar Fischer and Ilan Newman. Testing versus estimation of graph properties.
SIAMJournal on Computing , 37(2):482–501, 2007.[FNS04] Eldar Fischer, Ilan Newman, and Jiˇr´ı Sgall. Functions that have read-twice constantwidth branching programs are not necessarily testable.
Random Structures &Algorithms , 24(2):175–193, 2004.[GGR98] Oded Goldreich, Shafi Goldwasser, and Dana Ron. Property testing and itsconnection to learning and approximation.
Journal of the ACM , 45(4):653–750, 1998.[GM07] Oded Goldreich and Or Meir. A small gap in the gap amplification of assignmenttesters, 2007. In ECCC, 2007, TR05-46, Comment 3.[Gol08] Oded Goldreich.
Computational complexity - A conceptual perspective . CambridgeUniversity Press, 2008.[GT03] Oded Goldreich and Luca Trevisan. Three theorems regarding testing graphproperties.
Random Structures & Algorithms , 23(1):23–57, 2003.[Hor72] Ellis Horowitz. A fast method for interpolation using preconditioning.
InformationProcessing Letters , 1(4):157–163, 1972.[KS09] Swastik Kopparty and Shubhangi Saraf. Tolerant linearity testing and locally testablecodes. In
Approximation, Randomization, and Combinatorial Optimization.Algorithms and Techniques (APPROX/RANDOM) , pages 601–614. Springer, 2009.27LW19] Amit Levi and Erik Waingarten. Lower bounds for tolerant junta and unatenesstesting via rejection sampling of graphs. In
Proceedings of the 10th Innovations inTheoretical Computer Science Conference (ITCS) , pages 52:1–52:20, 2019.[MS77] Florence Jessie MacWilliams and Neil James Alexander Sloane.
The theory oferror-correcting codes , volume 16. Elsevier, 1977.[PRR06] Michal Parnas, Dana Ron, and Ronitt Rubinfeld. Tolerant property testing anddistance approximation.
Journal of Computer and System Sciences , 72(6):1012–1042,2006.[RRR16] Omer Reingold, Guy N. Rothblum, and Ron D. Rothblum. Constant-roundinteractive proofs for delegating computation. In
Proceedings of the 48th ACMSymposium on the Theory of Computing (STOC) , pages 49–62, 2016.[RRV19] Sofya Raskhodnikova, Noga Ron-Zewi, and Nithin M. Varma. Erasures vs. errors inlocal decoding and property testing. In
Proceedings of the 10th Innovations inTheoretical Computer Science Conference (ITCS) , pages 63:1–63:21, 2019.[Sha79] Adi Shamir. How to share a secret.
Communications of the ACM , 22(11):612–613,1979.[Spi96] Daniel A. Spielman. Linear-time encodable and decodable error-correcting codes.