Kleitman, Leighton and Ma [KLM97] asked the following question: assume you wish to build a logic circuit from AND and OR gates, however, due to some confusion, some small amount of AND gates were placed in the box of the OR gates (and vice versa), and there is no way to distinguish between the two types of gates just by looking at them. Can you construct a “resilient” logic circuit that computes the same functionality of , even if some (small amount) of the AND gates are replaced with OR gates (and vice versa)?
The above toy question is a special case of a more general type of noise (faulty gates) known as short-circuit noise. In this model, a faulty gate “short-circuits” one of its input-legs to the output-leg. That is, the output of the gate is determined by the value of one of its input-legs. The specific input that is connected to the output is determined by an all-powerful adversary, possibly as a function of the input to the circuit. This model is equivalent to a setting in which a faulty gate can be replaced with an arbitrary function , as long as it holds that and . Note that this type of noise is different from the so-called von Neumann noise model for circuits [vN56]
, in which the noise flips the value of each wire in the circuit independently with probability. See [KLM97, KLR12] and references therein for a comparison between these two separate models.
The first solution to the above question—constructing circuits that are resilient to short-circuit faults—was provided by Kleitman et al. [KLM97]. They show that for any number , a circuit of size gates can be transformed into a “resilient” circuit of size that behaves correctly even if up to of its gates are faulty (short-circuited), and it holds that .
Further progress was made by Kalai, Lewko, and Rao [KLR12] showing, for any constant , how to convert any formula111A formula is a circuit in which each gate has fan-out 1. of size into a resilient formula of size such that computes the same function that computes, as long as at most -fraction of the gates in any input-to-output path in suffer from short-circuit noise. Kalai et al. explicitly leave open the question of finding the optimal fraction of faulty gates for a resilient formula .222For instance, it is clear that if all the gates in an input-to-output path can be short-circuited (i.e., the fraction of noise is 1), then the adversary has full control on the output of the circuit. Hence, the optimal noise rate for formulas lies within the range .
We make further progress on the above open question and show that is a tight bound on the tolerable fraction of faulty gates per input-to-output path, conditioned that the increase in the size of the formula is sub-exponential. Namely, we show how to convert any formula to a resilient version that tolerates up to a fraction of short-circuit gates per path,
Theorem 1.1 (Main, informal).
For any , any formula can be efficiently converted into a formula of size that computes the same function as even when up to of the gates in any of its input-to-output paths are short-circuited.
We also show that our bound is tight. Namely, for an arbitrary formula , it is impossible to make a resilient version (of sub-exponential size in ) that tolerates a fraction (or more) of short-circuit gates per path.
Theorem 1.2 (Converse).
There exists a formula for computing some function , such that no formula of size that computes is resilient to a fraction of short-circuit noise in any of its input-to-output paths.
Similar to the work of Kalai et al. [KLR12], a major ingredient in our result is a transformation, known as the Karchmer-Wigderson transformation (hereinafter, the KW-transformation) [KW90], between a formula that computes a boolean function , and a two-party interactive communication protocol for a task related to which we denote the KW-game for , or for short. Similarly, a reverse KW-transformation converts protocols back to formulas; see below and Section 6.1 for more details on the KW-transformation. The work of Kalai et al. adapts the KW-transformation to a noisy setting in which the formula may suffer from short-circuit noise, and the protocol may suffer from channel noise. The “attack plan” in [KLR12] for making a given formula resilient to short-circuit noise is (i) apply the KW-transformation to obtain an interactive protocol ; (ii) Convert to a noise-resilient protocol that tolerates up to -fraction of noise; (iii) apply the (reverse) KW-transformation on to obtain a formula . The analysis of [KLR12] shows that the obtained is resilient to fraction of noise in any of its input-to-output paths.
The interactive protocols are defined in a setting where the parties have access to a noiseless feedback channel—the sender learns whether or not its transmission arrived correctly at the other side. Building upon recent progress in the field of coding for interactive protocols (see, e.g., [Gel17]), Kalai et al. [KLR12] construct a coding scheme for interactive protocols (with noiseless feedback) that features resilience of for any ; this gives their result. Note that a resilience of is maximal for interactive protocols in that setting [EGH16], suggesting that new techniques must be introduced in order to improve the result by [KLR12].
The loss in resilience witnessed in step (iii) stems from the fact that short-circuit noise affects formulas in a “one-sided” manner: a short-circuit of an AND gate can only turn the output from to . A short-circuit in an OR gate can only turn the output from to . The noisy AND gates are thus decoupled from the noisy OR gates: if the output of the circuit is , any amount of short-circuited OR gates will keep the output and if the output is any amount of short-circuited AND gates will keep the output ; see Lemma 6.3. Informally speaking, this decoupling reduces by half the resilience of circuits generated by the KW-transformation. Assume the formula obtained from the above process is resilient to -fraction of noise. Then is correct if on a specific input-to-output path (a) at most -fraction of the AND gates are short-circuited, but also if (b) at most -fraction of the OR gates are short-circuited. Since the noise is decoupled, from (a) and (b) we get that outputs the correct value even when -fraction of the gates on that input-to-output path are noisy. Yet, the resilience of originates in the resilience of (step (iii) above). The KW-transformation limits the resilience of by the resilience of , i.e., , leading to a factor 2 loss.
We revisit the above line of thought and take a more careful noise analysis. Instead of bounding the total fraction of noise by some , we consider the case where the noise from Alice to Bob is bounded by some while the noise in the other direction is bounded by . A similar approach used by Braverman and Efremenko [BE17], yields interactive protocols (without noiseless feedback) with maximal resilience. In more detail, assume that the protocol communicates symbols overall. We define an -corruption as any noise that corrupts up to symbols sent by Alice and up to symbols sent by Bob. We emphasize that the noise fraction on Alice transmissions is higher than , since Alice speaks less than symbols overall; the global noise fraction in this case is .
This distinction may be delicate but is instrumental. The KW-transformation translates a protocol of length that is resilient to -corruptions into a formula which is resilient to up to short-circuited AND gates in addition to up to short-circuited OR gates. When the obtained formula is resilient to up to -fraction of short-circuited gates in any input-to-output path, avoiding the factor 2 loss in resilience.
1.1 Techniques overview
Achievability: Coding schemes for noisy channels with noiseless feedback.
We obtain resilient formulas by employing the approach of [KLR12] described above. In order to increase the noise resilience to its optimal level, we develop a novel coding scheme which is resilient to -corruptions, assuming noiseless feedback.
The mechanism of our coding scheme resembles, in a sense, the Blockchain technology [Nak08]. Given a protocol that assumes reliable channels, the parties simulate message by message. These messages may arrive at the other side correctly or not, however, a noiseless feedback channel allows each party to learn which of its messages made it through. With this knowledge, the party tries to create a “chain” of correct messages. Each message contains a pointer to the last message that was not corrupted by the channel. As time goes by, the chain grows and grows, and indicates the entire correct communication of that party. An appealing feature of this mechanism is the fact that whenever a transmission arrives correctly at the other side, the receiver learns all the correct transmissions so far. On the other hand, the receiver never knows whether a single received transmission (and the chain linked to it) is indeed correct.
The adversarial noise may corrupt up to of the messages sent by each party. We think of the adversary as trying to construct a different, corrupt, chain. Due to its limited budget, at the end of the coding scheme one of two things may happen. Either it is the case that the correct chain is the longest, or it is the case where the longest chain contains in its prefix a sufficient amount of uncorrupted transmissions.
Indeed, if the adversary tries to create its own chain, its length is bounded by , while the correct chain is at least of length .333The order of speaking in the coding scheme depends on the noise and is not alternating. Therefore, it is not necessary that a party speak half of the times. See discussion below. On the other hand, the adversary can create a longer chain which forks off the correct chain. As a simple example, consider the case where a party sends messages which go through uncorrupted. Now the adversary starts corrupting the transmissions and extends the correct chain with corrupt messages.444This attack assumes that there are additional rounds where the same party speak. This assumption is usually false and serves only for this intuitive (yet unrealistic) example. The corrupt forked chain is of length and may be longer than the correct chain. However, in this case, the information contained in the uncorrupted prefix of the corrupt forked chain is sufficient to simulate the entire transcript of .
Another essential part of our coding scheme is its ability to alter the order of speaking according to the observed noise.555Protocols that change their length or order of speaking as a function of the observed noise are called adaptive [GHS14, AGS16]. Since these decisions are noise-dependent, the parties may disagree on the identity of the speaker in each round, e.g., both parties may decide to speak in a given round, etc. We emphasize that due to the noiseless feedback there is always a consensus regarding whose turn it is to speak next. Hence, while our scheme has a non-predetermined order of speaking, the scheme is non-adaptive by the terminology of [EGH16]; see discussion in [EGH16] and in Section 6 of [Gel17]. Most previous work usually follows the succeeding intuition. If party’s transmissions were corrupted, then the information contained in these transmissions still needs to reach the other side. Therefore, the coding scheme should allow that party to speak more times. In this work we take the opposite direction—the more a party is corrupted at the first part of the protocol, the less it speaks in the later part. The intuition here is that if the adversary has already wasted its budget on the party, it cannot corrupt much of the sequential transmissions and we can reduce their amount. A resembling approach appears in [AGS16].
One hurdle we face in constructing our coding scheme comes from the need to communicate pointers to previous messages using a small (constant-size) alphabet. Towards this end, we first show a coding scheme that works with a large alphabet that is capable of pointing back to any previous transmission. Next, we employ a variable-length coding, replacing each pointer with a large number of messages over a constant-size alphabet. We prove that this coding does not harm the resilience, leading to a coding scheme with a constant-size alphabet and optimal resilience to -corruptions.
Converse: Impossibility Bound.
The converse proof consists of two parts. First, we show that for certain functions, any protocol resilient to -corruptions must have an exponential blowup in the communication. In the second part, we show a (noisy) KW-transformation from formulas to protocols. Together, we obtain an upper bound on the noise of formulas. Indeed, assuming that there is a “shallow” formula that is resilient to -corruptions, converting it into a protocol yields a “short” protocol with resilience to -corruptions. The existence of such a protocol contradicts the bound of the first part.
The bound on the resilience of protocols follows a natural technique of confusing a party between two possible inputs. We demonstrate that a -corruption suffices in making one party (say, Alice) observe exactly the same transcript whether Bob holds or . Choosing such that the output of the protocol differs between and , leads to Alice erring on at least one of the two instances.
This idea does not work if the protocol is allowed to communicate a lot of information. To illustrate this point, assume defined over a channel with alphabet . Consider a protocol where the parties send their inputs to the other side encoded via a standard Shannon error-correcting code of length symbols, with distance for some small constant . The protocol communicates symbols overall, and a valid -corruption may corrupt up to symbols of each one of the codewords. However, this does not suffice to invalidate the decoding of either of the codewords, since an error correcting code with distance is capable of correcting up to corrupted symbols.
On the other hand, once we limit the communication of the protocol, even moderately, to around symbols, the above encoding is not applicable anymore. Quite informally, our lower bound follows the intuition described below. We show the existence of a function such that for any protocol that computes in rounds (where is restricted as mentioned above), the following properties hold for one of the parties (stated below, without loss of generality, for Alice). There are inputs such that (1) and (2) Alice speaks at most times during the first rounds. Further, (3) when Alice holds , the protocol communicates exactly the same messages during its first rounds, whether Bob holds or (assuming no channel noise is present).
When we bound the protocol to these conditions, a -corruption is strong enough to make the transcript identical from Alice’s point of view on and , implying the protocol cannot be resilient to such an attack. In more details, we now describe an attack and assume Bob speaks at most times beyond round number , given the attack. [If Bob speaks more, then an equivalent attack will be able to confuse Bob rather than Alice.] The attack changes the first rounds as if Alice holds rather than ; this amounts to corrupting at most transmissions by Alice due to property (2). Bob behaves the same regardless of its input due to property (3). From round and beyond, the attack corrupts Bob’s messages so that the next symbols Bob sends are consistent with and the following symbols Bob communicates are consistent with . Since Bob speaks less than times (given the above noise), the attack corrupts at most of Bob’s transmissions after round .
Unfortunately, while the above shows that some functions cannot be computed in a resilient manner, this argument cannot be applied towards a lower bound on resilient formulas. The reason is the task is not a function, but rather a relation—multiple outputs may be valid for a single input. The attack on protocols described earlier shows that a -corruption drives the protocol to produce a different output than in the noiseless instance. However, it is possible that a resilient protocol gives a different but correct output.
Therefore, we need to extend the above argument so it applies to computations of arbitrary relations. Specifically, we consider the parity function on bits and its related KW-game. We show the existence of inputs that satisfy conditions (2) and (3) above while requiring that the outputs of different inputs be disjoint. I.e., any possible output of is invalid for and for .
The last part of the converse proof requires developing a KW-transformation from formulas to protocols, in a noise-resilience preserving manner. Let us begin with some background on the (standard) KW-transformation (see Section 6.1 for a formal description). The KW game (or rather a slight adaptation we need for our purposes) is as follows. For a boolean function on , Alice gets an input such that and Bob gets an input such that , their goal is to output a literal function (i.e. one of the functions of the form or ) such that and .
Let be a boolean formula for , consisting of and gates, and where all the negations are pushed to the input layer (i.e. is a monotone formula of the literals , ). The conversion of to a protocol for the game is as follows. View the formula as the protocol tree, with the literals at the bottom of the tree being the output literal function. Assign each node to Alice, and each node to Bob.
The invariant maintained throughout the execution of the protocol is that if the protocol reaches a node , then the value of in is when evaluated on , and when evaluated on . Each time when the protocol is at node and it is Alice’s turn to speak (thus is an gate in ), Alice sends the identity of a child which evaluates to on . Note that assuming the invariant holds for , Alice can send the identity of such a child (since one of the inputs to an AND gate which outputs a also evaluates to ), while this child must evaluate to on assuming evaluates to on . By maintaining this invariant, Alice and Bob arrive at the bottom, where they reach a literal evaluating to on and on . Note that there is some room for arbitrary decision making: if more than one child of evaluates to on , Alice is free to choose any such child—the protocol will be valid for any such choice.
In this work we extend the above standard KW-transformation to the noisy-regime. Namely, we wish to convert a resilient formula into an interactive protocol while keeping the protocol resilient to a similar level of channel noise. We note that the extension we need is completely different from previous uses of the KW-transformation. Indeed, for the achievability bound, a KW-transformation is used both in steps (i) and (iii) in the above outline of [KLR12]. However, the instance used in step (i) assumes there is no noise, while the instance in step (iii) works in the other direction, i.e., it transforms (resilient) protocols to (resilient) formulas.
Similar to the standard transformation, our noisy KW-transformation starts by constructing a protocol tree based on the formula’s structure, where every -gate is assigned to Alice and any -gate to Bob. The main difference is in the decision making of how to proceeds when reaching a node . The goal is to keep the invariant that the gate in evaluates to on and to on , even when noise is present.
When only one of ’s descendants evaluates to on in , Alice has no choice but to choose that child. However, when more than a single descendant evaluate to on , Alice’s decision is less obvious. Moreover, this decision may affect the resilience of the protocol—it is possible that noise causes one of the descendants evaluate to on that given .
We observe, however, that one of ’s children evaluates to 0 on given all the noise patterns is resilient against. The other children may still evaluate to 1 sometimes, as a function of the specific noise. Once we identify this special child that always evaluates to , Alice can safely choose it and maintain the invariant (and the correctness of the protocol), regardless of future noise. Giving some more details, we prove that if such a special child did not exist and all descendants could evaluate to both 0 and 1 as a function of the noise, then we could construct a noise that would make all descendants evaluate to 1 on simultanously. Hence, assuming the noise is , the node would evaluate to 1 on , and consequently . At the same time, we show that is resilient to the noise , so assuming the noise is , and we reach a contradiction.
1.2 Other related work
The field of interactive coding schemes [Gel17] started with the seminal line of work by Schulman [Sch92, RS94, Sch96]. Commonly, the goal is to compile interactive protocols into a noise-resilient version that has (1) good noise resilience; (2) good rate; and (3) good probability of success. Computational efficiency is another desired goal. Numerous works achieve these goals, either fully or partially [BR14, GMS14, BKN14, FGOS15, BE17, GH14, KR13, Hae14, GHK16], where the exact parameters depend on the communication and noise model.
Most related to this work are coding schemes in the setting where a noiseless feedback channel is present. Pankratov [Pan13] gave the first interactive coding scheme that assumes noiseless feedback. The scheme of [Pan13] aims to maximize the rate of the scheme assuming all communication passes over a binary symmetric channel (BSC) with flipping parameter (i.e., a channel that communicates bits, where every bit is flipped with probability , independently of other bits). Pankratov’s scheme achieves a rate of when . Gelles and Haeupler [GH17] improved the rate in that setting to , which is the current state of the art. For the regime of large noise, Efremenko, Gelles, and Haeupler [EGH16] provided coding schemes with maximal noise resilience, assuming noiseless feedback. They showed that the maximal resilience depends on the channel’s alphabet size and on whether or not the order of speaking is noise-dependent. Specifically, they developed coding schemes with a noise-independent order of speaking and a constant rate that are resilient to and fraction of noise with a ternary and binary alphabet, respectively. When the order of speaking may depend on the noise, the resilience increases to for any alphabet size. They show that these noise levels are optimal and that no general coding scheme can resist higher levels of noise.
There has been tremendous work on coding for noisy channels with noiseless feedback in the one-way (non-interactive) communication setting, starting with the work of Shannon, Horstein, and Berlekamp [Sha56, Hor63, Ber64]. It is known that the presence of feedback does not change the channel’s capacity, however, it improves the error exponent. The maximal noise-resilience in this setting is also known. Recently, Haeupler, Kamath, and Velingker [HKV15] considered deterministic and randomized codes that assume a partial presence of feedback.
The first half of our paper considers interactive coding protocols over noisy channels with noiseless feedback. Section 3 proves that any interactive coding scheme that is resilient to -corruptions must exhibit a zero rate. Sections 4–5 describe our constant-rate coding scheme that is resilient to -corruptions. First, Section 4 describes a scheme with a large alphabet (polynomial in the length of the protocol). Then, Section 5 shows how to reduce the alphabet to a constant size.
The second half of the paper (Section 6) considers noise-resilient circuits. First, in Section 6.1 we recall the notions of formulas, short-circuit noise and the (noiseless) KW-transformation. In Section 6.2 we present our noise-preserving KW-transformation and show how to convert a resilient formula into a resilient protocol. This reduction (along with the impossibility of Section 3) proves the converse theorem, showing that the resilience we obtain for formulas is maximal. In Section 6.3 we provide the other direction, a noise-resilient transformation from protocols to formulas (following [KLR12]). Employing the coding scheme of Section 5 we give an efficient method that compiles any formula into an optimal resilient version.
For integers we denote by the set any by the set . For a string and two indices , we let . We will treat as the empty word, i.e., for any we have . For bits we let , and . All logarithms are taken to base 2, unless the base is explicitly written.
In the interactive setting we have two parties, Alice and Bob, which receive private inputs and , respectively. Their goal is to compute some predefined function by sending messages to each other. A Protocol describes for each party the next message to send, given its input and the communication received so far. We assume the parties send symbols from a fixed alphabet . The protocol also determines when the communication ends and the output value (as a function of the input and received communication).
Formally, an interactive protocol can be seen as a -ary tree (also referred to as the protocol tree), where each node is assigned either to Alice or to Bob. For any node assigned to Alice there exists a mapping that maps the next symbol Alice should send, given her input. Similarly, for each one of Bob’s nodes we set a mapping . Each leaf is labeled with an element of . The output of the protocol on input is the element at the leaf reached by starting at the root node, and traversing down the tree where at each internal node owned by Alice (resp., Bob), if (resp., ) the protocol advances to the -th child of . We conveniently denote Alice’s nodes by the set and Bob’s nodes by the set . We may assume that all the nodes in a given protocol tree are reachable by some input (otherwise, we can prune that branch without affecting the behaviour of the protocol). Note that the order of speaking in is not necessarily alternating and it is possible the same party is the sender in consecutive rounds. For any given transcript , we denote the instance of assuming the history . Specifically, assuming Alice is the sender in the next round (assuming the history so far is ), then the next communicated symbol is .
The length of a protocol, denoted , is the length of the longest root-to-leaf path in the protocol tree, or equivalently, it is the maximal number of symbols the protocol communicates in any possible instantiation. In the following we assume that all instances have the same length . The communication complexity of the protocol is
Transmission Noise with Feedback
We will assume the communication channel may be noisy, that is, the received symbol may mismatch with the sent symbol. All the protocols considered in this work assume the setting of noiseless feedback: the sender always learns the symbol that the other side received (whether corrupted or not). The receiver, however, does not know whether the symbol it received is indeed the one sent to him.
A noise pattern is defined as . For any node , denotes the symbol that the receiver gets for the transmission that is done when the protocol reaches the node . Specifically, say is an Alice-owned node, then if , Bob receives the symbol sent by Alice; otherwise, , Bob receives the symbol . Note that due to the feedback, Alice learns that her transmission was corrupted as well as the symbol that Bob received, and the protocol descends to the node dictated by . We denote by the protocol when the noise is dictated by ; we sometimes write for a run of the protocol with no transmission noise, i.e., with the pattern .
We say that a protocol is resilient to a noise pattern if for any it holds that outputs the same value as . While it is common to limit the noise to a constant fraction of the transmissions, in this work we take a more careful look at the noise, and consider the exact way it affects the transmissions of each party.
An -corruption, is a noise pattern that changes at most symbols sent by Alice and at most symbols sent by Bob. Note that the effective (combined) noise rate is .
3 Resilience to -Corruptions is Impossible
In this section we prove that no coding scheme with constant overhead can be resilient to a -corruption. To this end we show a specific -corruption that confuses any protocol for a specific function that is “hard” to compute in linear communication. Our result do not apply to coding schemes with vanishing rate. In fact, if the communication is exponentially large, coding schemes with resilience higher than exist.666For instance, consider the scheme in which each party sends its input to the other side encoded via a standard (Shannon) error-correcting code with distance . This trivial protocol is resilient to -corruption, yet its rate is 0.
Normally, we discuss the case where protocols compute a function . While our converse bound on the resilience of interactive protocols works for some hard function (e.g., the pointer jumping), such a proof does not suffice towards our converse on the resilience of boolean circuits (Theorem 1.2). The reason is that the conversion between formulas to protocols does not yield a protocol that computes a function but rather a protocol that computes a relation. Recall that for any given function and any input such that and , the KW-game for , , outputs an index for which (see Section 6.1 for a formal definition). However, multiple such indices may exist and each such index is a valid output.
Let be finite set and be a ternary relation. For any and a given relation let be the set of all that satisfy the relation for . Given such a relation, a protocol that computes the relation is the following two-party task. Alice is given and Bob is given . The parties need to agree on some . We say that is a valid input for , if and . We assume that for any valid input, .
We now show an explicit relation for which no protocol (of “short”’ length) is resilient to corruptions. Specifically, in the rest of this section we consider the binary parity function on bits, , defined for any by
Let and . We let be the KW-game for the parity function, defined by
Let be an interactive protocol of length defined over a communication channel with alphabet and noiseless feedback. Additionally, assume . If computes then the following holds.
There exist inputs , for which:
and agree on the first rounds.
During the first rounds of the execution Alice speaks fewer times than Bob.
Assume, without loss of generality, that Alice is the party that speaks fewer times in the first rounds of when averaging on all possible inputs ; otherwise, a symmetric lemma holds for Bob. Let be an input for Alice such that on most ’s Alice speaks fewer times in the first rounds of . Such an input must exist by our choice of Alice. Let
Be the set of all inputs for Bob, where Alice speaks fewer times in the first rounds of assuming Alice holds the above . By the choice of , it holds that .
Consider the set of transcript prefixes of length generated by when Alice holds the above and Bob holds some input from the set ,
Note that there are at most different prefixes of length over with an arbitrary order of speaking. Since
by the pigeon-hole principle, there must be such that and agree on the first rounds of the protocol—they have an identical order of speaking and they communicate the same information. Note that Properties (1) and (2) of the lemma are satisfied by the above . We are left to show an input for Alice that satisfies property (3).
Based on the above we construct in the following manner. For any set
The above is constructed such that outputs given by are disjoint if we change only the input of Alice or only the input of Bob. Formally,
The following claims hold for the above
Since then differ in an even number of indices (by considering ). This means that where the number of ones in is even, thus, .
Assume towards contradiction that , i.e., as well as . However, are all bits and these two inequalities imply . But then, by the way we construct , which is a contradiction.
Assume towards contradiction that . That is, and which means that . On the other hand, by the construction of , either or . Both options lead to a contradiction. The proof of the second part is identical.
The first claim proves that is a valid input, i.e., . The other claims prove property (3) of the lemma and conclude its proof. ∎
Our main result in this section is the following Theorem, proving that no protocol for the can be resilient to a -corruption if its communication is bounded. This will imply that any coding scheme that is resilient to -corruption must have rate 0. Specifically, it cannot produce a protocol with a constant overhead with respect to the optimal protocol that computes over reliable channels.
Any interactive protocol that computes the relation by at most rounds over a noisy channel with alphabet and noiseless feedback, is not resilient to -corruptions.
Let be a protocol with rounds communicating symbols from the alphabet . Via Lemma 3.1, let and be inputs that satisfy
and agree on the first rounds
During the first bits of the protocol Alice speaks less than Bob.
We now generate a simulated transcript and show that is consistent with a -corruption of . Additionally, it is either the case that is consistent with a -corruption of or it is consistent with a -corruption of . In the first case, Alice is unable to distinguish the case where Bob holds and ; in the second, Bob cannot tell if Alice holds or . The outputs for different inputs are distinct by property (3). Thus the confused party is bound to err on at least one of them.
Note that the simulated transcript contains messages received by the two parties, which may be noisy. Due to the feedback, both parties learn . Additionally, the order of speaking in is entirely determined by (prefixes of) . Specifically, if two different instances of have the same received transcript by round , the party to speak in round is identical in both instances.
The string is obtained in the following manner:
Run for rounds. Let be the generated transcript.
Run until Bob transmits additional symbols (unless terminates beforehand). Let be the generated transcript.
(if ) Run until Bob transmits additional symbols (unless terminates beforehand).
(if ), let describe until it terminates.
In case the above algorithm didn’t execute Step , for , assume .
We now show that corresponds to a -corrupted execution of for two different valid inputs with disjoint outputs. We consider two cases: (i) when Step 3 halts since reached its maximal size of symbols (i.e., when ), and (ii) when Step 3 halts since Bob transmitted symbols in this step ().
- case (i) .
In this case we show that a -corruption suffices to make the executions of and look the same from Alice’s point of view.
Let be the transcript of a noisy execution of (defined shortly) and split into three parts that correspond in length to . The noise changes all Alice transmissions in so that they correspond to Alice’s symbols in ; the noise changes all Bob’s transmissions in so that they correspond to Bob’s transmissions in . It is easy to verify that the obtained transcript of received messages is exactly . Furthermore, the first part changes at most transmissions by Alice, since by property (2) Alice speaks fewer times in the first of the instance . The second part changes at most transmissions of Bob since halts before Bob communicates additional transmissions. Hence the noise described above is a valid -corruption.
On the other hand, and abusing notations, consider a (noisy) instance of and let be the received messages transcript split to parts that corresponds in length to , assuming the following noise. Again, the noise changes all Alice’s transmissions in to be the corresponding symbols received in . This makes the first rounds of the received transcript look as an instance . By Property (1), these transmissions agree with the first transmissions in the noiseless instance ; hence, the corrupted equals . Next, the noise changes Bob’s transmissions in to correspond to . The obtained transcript is then exactly . Again, contains at most of Alice’s transmissions, and contains at most transmissions of Bob by their definition. Hence, this is a valid -corruption.
We conclude by recalling that , then Alice must be wrong on at least one of the above executions, since her view in both executions is the same. Note that above proof holds even when .
- case (ii) .
In this case we show a -corruptions that makes the executions of and look the same from Bob’s point of view. We point out that Alice speaks at most times after Step 1. Indeed, Step 1 contains rounds, and Steps 2–3 contain rounds where Bob speaks, hence Alice may speak in at most another times after Step 1.
Let be the transcript of a noisy execution of where the noise is defined below. Split into 4 parts that correspond in length to . The noise changes all Alice’s transmissions in so that they match the corresponding symbols of . As mentioned, this corrupts at most symbols. Additionally, the noise changes Bob’s transmissions in to correspond to ; this by definition entails corruptions of Bob’s transmissions. The obtained transcript is exactly .
On the other hand, and abusing notations again, consider a noisy execution of denoted by . Here the noise is defined as follows. The noise changes all Alice’s transmissions in to match the corresponding symbols of . As before, the noise changes Bob’s transmissions in to match . Now it holds that , while the noise corrupted at most of each party’s transmissions.
We conclude by recalling that . Thus, Bob must be wrong on at least one of the above executions, since his view in both executions is exactly the same.
Note that has a protocol of length assuming reliable channels.777This can easily be seen, e.g., by considering a formula that computes the parity of bits, and applying the Karchmer-Wigderson transformation [KW90]. Theorem 3.3 leads to the following conclusion.
There exists an interactive protocol defined over a noiseless channel with feedback such that any protocol that computes the same functionality as and is resilient to -corruptions (assuming noiseless feedback) must incur with an exponential blowup in the communication.
As a consequence, any coding scheme that compiles any protocol into a -resilient version, must have rate zero.
4 A Coding Scheme with Large Alphabet
In this section we construct a coding scheme for interactive protocols assuming a noiseless feedback. We show that for any constant , any protocol defined over noiseless channels (with noiseless feedback) can be simulated by a protocol defined over noisy channels (with noiseless feedback) such that (1) , and (2) is resilient to -corruptions. The protocol in this section communicates symbols from a large alphabet of polynomial size in . In later sections we show how to reduce the size of the alphabet.
4.1 The coding scheme
On a high level, the coding scheme simulates step by step. The availability of a noiseless feedback channel allows a party to notice when the channel alters a transmission sent by that party. The next time that party speaks, it will re-transmit its message and “link” the new transmission to its latest uncorrupted transmission. That is, each message carries a “link”—a pointer to a previous message sent by the same party. By following the links, the receiver learns the “chain” of uncorrupted transmissions; the party considers all “off-chain” transmissions as corrupted.
The Parse procedure (in Algorithm 1) parses all the transmissions received so far and outputs the “current chain”: the (rounds of the) transmissions linked by the latest received transmission. Note that once a new transmission arrives, the current chain possibly changes. Moreover, upon reception of a corrupt transmission, a corrupt chain may be retrieved.
The TempTranscript procedure determines the partial simulated transcript of according to messages received in so far, i.e., according to the current chains. Again, the scheme considers only transmissions that are on-chain and ignore all off-chain transmissions. The partial simulated transcript is defined as the concatenation of all the messages that (a) were received uncorrupted and (b) that were generated according to the correct information.
To clarify this issue, consider round where, without loss of generality, Alice sends the message . The latter property means that the last transmission received by Alice prior to round , (see Definition 4.1), must be uncorrupted. This ensures that this ensures that Alice learns which transmissions (so far) are correct and which are not, in both directions (Lemma 4.3). It follows that Alice has full information about the on-going simulation of . In particular, she can generate the correct that extends the simulation of by one symbol. The former property ensures that itself, the correct extension of the simulation of , indeed arrives uncorrupted at the other side.
In each round of the protocol, the parties construct the partial transcript implied by messages received so far. If the received transmission is uncorrupt, the TempTranscript procedure retrieves the correct implied transcript (i.e., the implied transcript is indeed a prefix of the transcript of ). Then, the parties simulate the next rounds of assuming the implied partial transcript. As long as there is no noise in two alternating rounds, the next transmission extends the simulation of by one symbol. Otherwise, the sent symbol may be wrong, however, it will be ignored in future rounds once the chains indicate that this transmission was generated due to false information. Finally, at the end of the protocol, the parties output the transcript implied by the longest chain. The main part of this section is proving that the longest chain indeed implies a complete and correct simulation of .
An important property of the coding scheme is its adaptive order of speaking. The first rounds are alternating. On later rounds the order of speaking is determined according to observed noise: the more corrupted transmissions a party has, the less the party gets to speak. In particular, the protocol is split into epochs
of 2 or 3 rounds each. In the first two rounds of an epoch, the order is fixed: Alice speaks in the first round and Bob speaks in the second. Then, the parties estimate the noise each party suffered so far (namely, the length of their current chain) and decide whether or not the epoch has a third round as well as who gets to speak in that extra round. For Alice to be the speaker in the third epoch-round, hercurrent chain must be of length less than while Bob’s current chain must be longer than ; Bob gets to speak if his chain is of length less than while Alice’s chain is longer than . In all other cases, the epoch contains only two rounds. We emphasize that due to the noiseless feedback, both parties agree on the received symbols (in both sides), which implies they agree on the current chains in both side, and thus, on the order of speaking in every epoch. The Next procedure, which determines the next speaker according to the current received transcript, captures the above idea.
The coding scheme is depicted in Algorithm 1.
4.2 Basic properties
Every transmission is interpreted as where points to a previous symbol .
For any define as the maximal round where Alice is the speaker at round , or as if no such exists. Similarly, is the maximal round where Bob is the speaker at round , or as if no such exists. Generally, without a specific subscript refers to the maximal round where the speaker in round differs from the speaker of round .
It is easy to verify that Algorithm 1 is computationally efficient, as long as itself is efficient.
For any constant and any given as a black-box, Algorithm 1 is computationally efficient in .
The algorithm runs iterations, in each of which it needs to determine the next speaker, determine the partial transcript so far and determine the next message to send. The former two activities require performing Parse on all the symbols received by both parties; this takes time. Setting the next message requires a single activation of . ∎
4.2.1 Good rounds and the implied transcript
Next, we show that when a transmission arrives correctly at the other side, the receiver learns all the uncorrupted transmissions communicated so far. First, let us define the notions of good rounds and implied transcript.
Definition 4.2 (Good Round).
A round is called good if the transmissions in both rounds and are uncorrupted. Let be all the good rounds and .
We additionally set any round to be good (and uncorrupted) by definition.
Definition 4.3 (Implied Transcript).
For any round , the transcript is defined as the (natural order) concatenation of bits where is the symbol transmitted (and correctly received) in round .
While the above and are tools for the analysis, the next lemma shows that whenever the -th transmission arrives correctly at the other side, the receiver learns and . Specifically, the variable GoodChain (Line 13) equals and TempTranscript outputs . This allows us (despite some abuse of notations) to treat and the output of TempTranscript interchangeably, as long as is uncorrupted.
For any , if the transmission of round is uncorrupted, then at the receiver, and TempTranscript outputs .
Assume, without loss of generality, that Alice is the receiver of the -th transmission. Since transmission is uncorrupted, it holds that contains exactly all the uncorrupted transmission sent by Bob so far. Alice knows her own uncorrupted transmissions via the feedback. Then GoodChain indeed holds all the good rounds up to rounds , and TempTranscript outputs by definition. ∎
Assume round is corrupted and let be latest uncorrupted round. Then which equals the output of TempTranscript in round . However, the output of TempTranscript in round may be arbitrary.
The next lemma argues that, if round is uncorrupted, then the implied transcript (and hence the output of TempTranscript in round ) is indeed a correct (partial) simulation of .
Assume that round is uncorrupted. Then is a prefix of .
The proof goes by induction on . The base case is trivial. Assume that the claim holds for for any uncorrupted round ; we show that the same holds for round .
Assume, without loss of generality, that Alice is the receiver in round . Let be the maximal previous round where Alice’s transmission was not corrupted. Since round is uncorrupted, Lemma 4.2 proves that, at round , Bob learns and . By the induction hypothesis, is a prefix of .
If then is not a good round, . It holds that and , therefore, is indeed a prefix of . Otherwise, and is a good round. As said, in round Bob learns (which is a correct prefix of ). Next, in round it is Bob’s turn to send the symbol . If it is Bob’s turn to speak in , then will indeed be the correct continuation of according to ; otherwise Bob sends . In both cases, the channel does not corrupt , Alice learns and the implied transcript she constructs equals