I put together in a single file all the lectures given by me. On the class webpage you can also find the scribes of the two guest lectures, and the students’ presentations. Many thanks to Matthew Dippel, Xuangui Huang, Chin Ho Lee, Biswaroop Maiti, Tanay Mehta, Willy Quach, and Giorgos Zirdelis for doing an excellent job scribing these lectures. (And for giving me perfect teaching evaluations. Though I am not sure if I biased the sample. It went like this. One day I said: “Please fill the student evaluations, we need 100%.” A student said: “100% what? Participation or score?” I meant participation but couldn’t resist replying jokingly “both.”) Finally, thanks also to all the other students, postdocs, and faculty who attended the class and created a great atmosphere.
lecture
Special Topics in Complexity Theory, Lecture 19
Special Topics in Complexity Theory, Fall 2017. Instructor: Emanuele Viola
1 Lecture 19, Guest lecture by Huacheng Yu, Scribe: Matthew Dippel
Guest lecture by Huacheng Yu on dynamic data structure lower bounds, for the 2D range query and 2D range parity problems. Thanks to Huacheng for giving this lecture and for feedback on the writeup.
What is covered.
 Overview of Larsen’s lower bound for 2D range counting.
 Extending these techniques for for 2D range parity.
2 Problem definitions
Definition 1. 2D range counting
Give a data structure that maintains a weighted set of 2 dimensional points with integer coordinates, that supports the following operations:
 UPDATE: Add a (point, weight) tuple to the set.
 QUERY: Given a query point , return the sum of weights of points in the set satisfying and .
Definition 2. 2D range parity
Give a data structure that maintains an unweighted set of 2 dimensional points with integer coefficients, that supports the following operations:
 UPDATE: Add a point to the set.
 QUERY: Given a query point , return the parity of the number of points in the set satisfying and .
Both of these definitions extend easily to the dimensional case, but we state the 2D versions as we will mainly work with those.
2.1 Known bounds
All upper bounds assume the RAM model with word size .
Upper bounds: Using range trees, we can create a data structure for 2D range counting, with all update and query operations taking time time. With extra tricks, we can make this work for 2D range parity with operations running in time .
Lower bounds. There are a series of works on lower bounds:
 Fredman, Saks ’89 – 1D range parity requires .
 Patrascu, Demaine ’04 – 1D range counting requires .
 Larsen ’12 – 2D range counting requires .
 Larsen, Weinstein, Yu ’17 – 2D range parity requires .
This lecture presents the recent result of [Larsen ’12] and [Larsen, Weinstein, Yu ’17]. They both use the same general approach:
 Show that, for an efficient approach to exist, the problem must demonstrate some property.
 Show that the problem doesn’t have that property.
3 Larsen’s technique
All lower bounds are in the cell probe model with word size .
We consider a general data structure problem, where we require a structure that supports updates and queries of an unspecified nature. We further assume that there exists an efficient solution with update and query times . We will restrict our attention to operation sequences of the form . That is, a sequence of updates followed by a single query . We fix a distribution over such sequences, and show that the problem is still hard.
3.1 Chronogram method [FS89]
We divide the updates into epochs, so that our sequence becomes:
where and . The epochs are multiplicatively shrinking. With this requirement, we have that .
Let be the set of all memory cells used by the data structure when run on the sequence of updates. Further, let be the set of memory cells which are accessed by the structure at least once in , and never again in a further epoch.
Claim 2. There exists an epoch such that probes cells from when answering the query at the end. Note that this is simply our query time divided by the number of epochs. In other words, can’t afford to read cells from each set without breaking its promise on the query run time.
Claim 2 implies that there is an epoch which has the smallest effect on the final answer. We will call this the ”easy” epoch.
Idea. : The set contains ”most” information about among all memory cells in . Also, are not updated past epoch , and hence should contain no information relative to the updates in . Epochs are progressively shrinking, and so the total touched cells in during the query operation should be small.
3.2 Communication game
Having set up the framework for how to analyze the data structure, we now introduce a communication game where two parties attempt to solve an identical problem. We will show that, an efficient data structure implies an efficient solution to this communication game. If the message is smaller than the entropy of the updates of epoch (conditioned on preceding epochs), this gives an information theoretic contradiction. The trick is to find a way for the encoder to exploit the small number of probed cells to send a short message.
The game. The game consists of two players, Alice and Bob, who must jointly compute a single query after a series of updates. The model is as follows:
 Alice has all of the update epochs . She also has an index , which still corresponds to the ”easy” epoch as defined above.
 Bob has all update epochs EXCEPT for . He also has a random query . He is aware of the index .
 Communication can only occur in a single direction, from Alice to Bob.
 We assume some fixed input distribution .
 They win this game if Bob successfully computes the correct answer for the query .
Then we will show the following generic theorem, relating this communication game to data structures for the corresponding problem:
Theorem 3. If there is a data structure with update time and probes cells from in expectation when answering the final query , then the communication game has an efficient solution, with communication cost, and success probability at least . This holds for any choice of .
Before we prove the theorem, we consider specific parameters for our problem. If we pick
then, after plugging in the parameters, the communication cost is . Note that, we could always trivially achieve by having Alice send Bob all of , so that he can compute the solution of the problem with no uncertainty. The success probability is , which simplifies to . This is significantly better than , which could be achieved trivially by having Bob output a random answer to the query, independent of the updates.
Proof.
We assume we have a data structure for the update / query problem. Then Alice and Bob will proceed as follows:
Alice’s steps.
 Simulate on . While doing so, keep track of memory cell accesses and compute .
 Sample a random subset , such that .
 Send .
We note that in Alice’s Step 3, to send a cell, she sends a tuple holding the cell ID and the cell state before the query was executed. Also note that, she doesn’t distinguish to Bob which cells are in which sets of the union.
Bob’s steps.
 Receive from Alice.
 Simulate on epochs . Snapshot the current memory state of the data structure as .
 Simulate the query algorithm. Every time attempts to probe cell , Bob checks if . If it is, he lets probe from . Otherwise, he lets probe from .
 Bob returns the result from the query algorithm as his answer.
If the query algorithm does not query any cell in , then Bob succeeds, as he can exactly simulate the data structure query. Since the query will check cells in , and Bob has a random subset of them of size , then the probability that he got a subset the data structure will not probe is at least . The communication cost is the cost of Alice sending the cells to Bob, which is
4 Extension to 2D Range Parity
The extension to 2D range parity proceeds in nearly identical fashion, with a similar theorem relating data structures to communication games.
Theorem 1. Consider an arbitrary data structure problem where queries have 1bit outputs. If there exists a data structure having:
 update time
 query time
 Probes cells from when answering the last query
Then there exists a protocol for the communication game with bits of communication and success probability at least , for any choice of . Again, we plug in the parameters from 2D range parity. If we set
then the cost is , and the probability simplifies to .
We note that, if we had different queries, then randomly guessing on all of them, with constant probability we could be correct on as many as . In this case, the probability of being correct on a single one, amortized, is .
Proof. The communication protocol will be slightly adjusted. We assume an a priori distribution on the updates and queries. Bob will then compute the posterior distribution, based on what he knows and what Alice sends him. He then computes the maximum likelihood answer to the query . We thus need to figure out what Alice can send, so that the answer to is often biased towards either or .
We assume the existence of some public randomness available to both Alice and Bob. Then we adjust the communication protocol as follows:
Alice’s modified steps.
 Alice samples, using the public randomness, a subset of ALL memory cells , such that each cell is sampled with probability . Alice sends to Bob. Since Bob can mimic the sampling, he gains additional information about which cells are and aren’t in .
Bob’s modified steps.
 Denote by the set of memory cells probed by the data structure when Bob simulates the query algorithm. That is, is what Bob ”thinks” D will probe during the query, as the actual set of cells may be different if Bob had full knowledge of the updates, and the data structure may use that information to determine what to probe. Bob will use to compute the posterior distribution.
Define the function to be the ”bias” when takes on the value . In particular, this function is conditioned on that Bob receives from Alice. We can then clarify the definition of as
In particular, has the following two properties:
In these statements, the expectation is over everything that Bob knows, and the probabilities are also conditioned on everything that Bob knows. The randomness comes from what he doesn’t know. We also note that when the query probes no cells in , then the bias is always , since the a posterior distribution will put all its weight on the correct answer of the query.
Finishing the proof requires the following lemma:
Lemma 2. For any with the above two properties, there exists a such that and
Note that the sum inside the absolute values is the bias when .
References
Special Topics in Complexity Theory, Lecture 18
Special Topics in Complexity Theory, Fall 2017. Instructor: Emanuele Viola
1 Lecture 18, Scribe: Giorgos Zirdelis
In this lecture we study lower bounds on data structures. First, we define the setting. We have bits of data, stored in bits of memory (the data structure) and want to answer queries about the data. Each query is answered with probes. There are two types of probes:
 bitprobe which return one bit from the memory, and
 cellprobe in which the memory is divided into cells of bits, and each probe returns one cell.
The queries can be adaptive or nonadaptive. In the adaptive case, the data structure probes locations which may depend on the answer to previous probes. For bitprobes it means that we answer a query with depth decision trees.
Finally, there are two types of data structure problems:
 The static case, in which we map the data to the memory arbitrarily and afterwards the memory remains unchanged.
 The dynamic case, in which we have update queries that change the memory and also run in bounded time.
In this lecture we focus on the nonadaptive, bitprobe, and static setting. Some trivial extremes for this setting are the following. Any problem (i.e., collection of queries) admits data structures with the following parameters:
 and , i.e. you write down all the answers, and
 and , i.e. you can always answer a query about the data if you read the entire data.
Next, we review the best current lower bound, a bound proved in the 80’s by Siegel [Sie04] and rediscovered later. We state and prove the lower bound in a different way. The lower bound is for the problem of wise independence.
Problem 1. The data is a seed of size for a wise independent distribution over . A query is defined to be the th bit of the sample.
The question is: if we allow a little more space than seed length, can we compute such distributions fast?
Theorem 2. For the above problem with it holds that
It follows, that if then is . But if then nothing is known.
Proof. Let . We have the memory of bits and we are going to subsample it. Specifically, we will select a bit of with probability , independently.
The intuition is that we will shrink the memory but still answer a lot of queries, and derive a contradiction because of the seed length required to sample wise independence.
For the “shrinking” part we have the following. We expect to keep memory bits. By a Chernoff bound, it follows that we keep bits except with probability .
For the “answer a lot of queries” part, recall that each query probes bits from the memory. We keep one of the queries if it so happens that we keep all the bits that it probed in the memory. For a fixed query, the probability that we keep all its probes is .
We claim that with probability at least , we keep queries. This follows by Markov’s inequality. We expect to not keep queries on average. We now apply Markov’s inequality to get that the probability that we don’t keep at least queries is at most .
Thus, if , then there exists a fixed choice of memory bits that we keep, to achieve both the “shrinking” part and the “answer a lot of queries” part as above. This inequality is true because and so . But now we have bits of memory while still answering as many as queries.
The minimum seed length to answer that many queries while maintaining wise independence is . Therefore the memory has to be at least as big as the seed. This yields
from which the result follows.
This lower bound holds even if the memory bits are filled arbitrarily (rather than having entropy at most ). It can also be extended to adaptive cell probes.
We will now show a conceptually simple data structure which nearly matches the lower bound. Pick a random bipartite graph with nodes on the left and nodes on the right. Every node on the right side has degree . We answer each probe with an XOR of its neighbor bits. By the Vazirani XOR lemma, it suffices to show that any subset of at most memory bits has an XOR which is unbiased. Hence it suffices that every subset with has a unique neighbor. For that, in turn, it suffices that has a neighborhood of size greater than (because if every element in the neighborhood of has two neighbors in then has a neighborhood of size ). We pick the graph at random and show by standard calculations that it has this property with nonzero probability.
It suffices to have , so that the probability is strictly less than 1, because . We can match the lower bound in two settings:
 if for some constant , then suffices,
 and suffices.
Remark 3. It is enough if the memory is wise independent as opposed to completely uniform, so one can have . An open question is if you can improve the seed length to optimal.
As remarked earlier the lower bound does not give anything when is much larger than . In particular it is not clear if it rules out . Next we show a lower bound which applies to this case.
Problem 4. Take bits to be a seed for biased distribution over . The queries, like before, are the bits of that distribution. Recall that .
Theorem 5. You need .
Proof. Every query is answered by looking at bits. But queries are answered by the same 2bit function of probes (because there is a constant number of functions on 2bits). There are two cases for :
 is linear (or affine). Suppose for the sake of contradiction that . Then you have a linear dependence, because the space of linear functions on bits is . This implies that if you XOR those bits, you always get 0. This in turn contradicts the assumption that the distributions has small bias.
 is AND (up to negating the input variables or the output). In this case, we keep collecting queries as long as they probe at least one new memory bit. If when we stop we have a query left such that both their probes query bits that have already been queried. This means that there exist two queries and whose probes cover the probes of a third query . This in turn implies that the queries are not close to uniform. That is because there exist answers to and that fix bits probed by them, and so also fix the bits probed by . But this contradicts the small bias of the distribution.
References
Special Topics in Complexity Theory, Lectures 1617
Special Topics in Complexity Theory, Fall 2017. Instructor: Emanuele Viola
1 Lectures 1617, Scribe: Tanay Mehta
In these lectures we prove the corners theorem for pseudorandom groups, following Austin [Aus16]. Our exposition has several nonmajor differences with that in [Aus16], which may make it more computerscience friendly. The instructor suspects a proof can also be obtained via certain local modifications and simplifications of Green’s exposition [Gre05b, Gre05a] of an earlier proof for the abelian case. We focus on the case for simplicity, but the proof immediately extends to other pseudorandom groups.
Theorem 1. Let . Every subset of density contains a corner, i.e., a set of the form .
1.1 Proof Overview
For intuition, suppose is a product set, i.e., for . Let’s look at the quantity
where iff . Note that the random variable in the expectation is equal to exactly when form a corner in . We’ll show that this quantity is greater than , which implies that contains a corner (where ). Since we are taking , we can rewrite the above quantity as
where the last line follows by replacing with in the uniform distribution. If , then and . Condition on , , . Then the distribution is a product of three independent distributions, each uniform on a set of measure greater than . By pseudorandomness is close to uniform in statistical distance. This implies that the above quantity equals
Given this, it is natural to try to write an arbitrary as a combination of product sets (with some error). We will make use of a more general result.
1.2 Weak Regularity Lemma
Let be some universe (we will take ). Let be a function (for us, ). Let be some set of functions, which can be thought of as “easy functions” or “distinguishers.”
Theorem 2.[Weak Regularity Lemma] For all , there exists a function where , and such that for all
The lemma is called ‘weak’ because it came after Szemerédi’s regularity lemma, which has a stronger distinguishing conclusion. However, the lemma is also ‘strong’ in the sense that Szemerédi’s regularity lemma has as a tower of whereas here we have polynomial in . The weak regularity lemma is also simpler. There also exists a proof of Szemerédi’s theorem (on arithmetic progressions), which uses weak regularity as opposed to the full regularity lemma used initially.
Proof. We will construct the approximation through an iterative process producing functions . We will show that decreases by each iteration.
 Start: Define (which can be realized setting ).
 Iterate: If not done, there exists such that . Assume without loss of generality .
 Update: where shall be picked later.
Let us analyze the progress made by the algorithm.
where the last line follows by taking . Therefore, there can only be iterations because .
1.3 Getting more for rectangles
Returning to the lower bound proof, we will use the weak regularity lemma to approximate the indicator function for arbitrary by rectangles. That is, we take to be the collection of indicator functions for all sets of the form for . The weak regularity lemma gives us as a linear combination of rectangles. These rectangles may overlap. However, we ideally want to be a linear combination of nonoverlapping rectangles.
Claim 3. Given a decomposition of into rectangles from the weak regularity lemma with functions, there exists a decomposition with rectangles which don’t overlap.
Proof. Exercise.
In the above decomposition, note that it is natural to take the coefficients of rectangles to be the density of points in that are in the rectangle. This gives rise to the following claim.
Claim 4. The weights of the rectangles in the above claim can be the average of in the rectangle, at the cost of doubling the distinguisher error.
Consequently, we have that , where is the sum of nonoverlapping rectangles with coefficients .
Proof. Let be a partition decomposition with arbitrary weights. Let be a partition decomposition with weights being the average of . It is enough to show that for all rectangle distinguishers
By the triangle inequality, we have that
To bound , note that the error is maximized for a that respects the decomposition in nonoverlapping rectangles, i.e., is the union of some nonoverlapping rectangles from the decomposition. This can be argues using that, unlike , the value of and on a rectangle from the decomposition is fixed. But, for such , ! More formally, .
We need to get a little more from this decomposition. The conclusion of the regularity lemma holds with respect to distinguishers that can be written as where and map . We need the same guarantee for and with range . This can be accomplished paying only a constant factor in the error, as follows. Let and have range . Write where and have range , and the same for . The error for distinguisher is at most the sum of the errors for distinguishers , , , and . So we can restrict our attention to distinguishers where and have range . In turn, a function with range can be written as an expectation for functions with range , and the same for . We conclude by observing that
1.4 Proof
Let us now finish the proof by showing a corner exists for sufficiently dense sets . We’ll use three types of decompositions for , with respect to the following three types of distinguishers, where and have range :
 ,
 ,
 .
The last two distinguishers can be visualized as parallelograms with a 45degree angle between two segments. The same extra properties we discussed for rectangles hold for them too.
Recall that we want to show
We’ll decompose the th occurrence of via the th decomposition listed above. We’ll write this decomposition as . We do this in the following order:
We first show that is big (i.e., inverse polylogarithmic in expectation) in the next two claims. Then we show that the expectations of the other terms are small.
Claim 5. For all , the values are the same (over ) up to an error of .
Proof. We just need to get error for any product of three functions for the three decomposition types. By the standard pseudorandomness argument we saw in previous lectures,
Recall that we start with a set of density .
Claim 6. .
Proof. By the previous claim, we can fix . We will relate the expectation over to by a trick using the Hölder inequality: For random variables ,
To apply this inequality in our setting, write
By the Hölder inequality, we get that
Note that
where is the set in the partition that contains . Finally, by nonnegativity of , we have that . This concludes the proof.
We’ve shown that the term is big. It remains to show the other terms are small. Let be the error in the weak regularity lemma with respect to distinguishers with range .
Claim 7. .
Proof. Replace with in the uniform distribution to get
where the first inequality is by CauchySchwarz.
Now replace and reason in the same way:
Replace to rewrite the expectation as
We want to view the last three terms as a distinguisher . First, note that has range . This is because and has range .
Fix . The last term in the expectation becomes a constant . The second term only depends on , and the third only on . Hence for appropriate functions and with range this expectation can be rewritten as
which concludes the proof.
There are similar proofs to show the remaining terms are small. For , we can perform simple manipulations and then reduce to the above case. For , we have a slightly easier proof than above.
1.4.1 Parameters
Suppose our set has density . We apply the weak regularity lemma for error . This yields the number of functions . For say , we can bound from below by the same expectation with fixed to , up to an error . Then, . The expectation of terms with is less than . So the proof can be completed for all sufficiently small .
References
[Aus16] Tim Austin. AjtaiSzemerédi theorems over quasirandom groups. In Recent trends in combinatorics, volume 159 of IMA Vol. Math. Appl., pages 453–484. Springer, [Cham], 2016.
[Gre05a] Ben Green. An argument of shkredov in the finite field setting, 2005. Available at people.maths.ox.ac.uk/greenbj/papers/corners.pdf.
[Gre05b] Ben Green. Finite field models in additive combinatorics. Surveys in Combinatorics, London Math. Soc. Lecture Notes 327, 127, 2005.
Special Topics in Complexity Theory, Lecture 15
Special Topics in Complexity Theory, Fall 2017. Instructor: Emanuele Viola
1 Lecture 15, Scribe: Chin Ho Lee
In this lecture fragment we discuss multiparty communication complexity, especially the problem of separating deterministic and randomized communication, which we connect to a problem in combinatorics.
2 Numberonforehead communication complexity
In numberonforehead (NOH) communication complexity each party sees all of the input except its own input . For background, it is not known how to prove negative results for parties. We shall focus on the problem of separating deterministic and randomizes communication. For , we know the optimal separation: The equality function requires communication for deterministic protocols, but can be solved using communication if we allow the protocols to use public coins. For , the best known separation between deterministic and randomized protocol is vs [BDPW10]. In the following we give a new proof of this result, for a simpler function: if and only if for .
For context, let us state and prove the upper bound for randomized communication.
Claim 1. has randomized communication complexity .
Proof. In the NOH model, computing reduces to party equality with no additional communication: Alice computes privately, then Alice and Bob check if .
To prove a lower bound for deterministic protocols, where , we reduce the communication problem to a combinatorial problem.
Definition 2. A corner in a group is , where are arbitrary group elements and .
For intuition, consider the case when is Abelian, where one can replace multiplication by addition and a corner becomes for .
We now state the theorem that gives the lower bound.
Theorem 3. Suppose that every subset with contains a corner. Then the deterministic communication complexity of is .
It is known that when is Abelian, then implies a corner. We shall prove that when , then implies a corner. This in turn implies communication .
Proof. We saw that a numberinhand (NIH) bit protocol can be written as a disjoint union of rectangles. Likewise, a numberonforehead bit protocol can be written as a disjoint union of cylinder intersections for some :
The proof idea of the above fact is to consider the transcripts of , then one can see that the inputs giving a fixed transcript are a cylinder intersection.
Let be a bit protocol. Consider the inputs on which accepts. Note that at least fraction of them are accepted by some cylinder intersection . Let . Since the first two elements in the tuple determine the last, we have .
Now suppose contains a corner . Then
This implies , which is a contradiction because and so .
References
Special Topics in Complexity Theory, Lecture 10
Added Dec 27 2017: An updated version of these notes exists on the class page.
Special Topics in Complexity Theory, Fall 2017. Instructor: Emanuele Viola
1 Lecture 10, Guest lecture by Justin Thaler, Scribe: Biswaroop Maiti
This is a guest lecture by Justin Thaler regarding lower bounds on approximate degree [BKT17, BT15, BT17]. Thanks to Justin for giving this lecture and for his help with the writeup. We will sketch some details of the lower bound on the approximate degree of , and some intuition about the techniques used. Recall the definition of from the previous lecture as below:
Definition 1. The surjectivity function , takes input where each is interpreted as an element of . has value if and only if .
Recall from the last lecture that is the blockwise composition of the function on bits and the function on bits. In general, we will denote the blockwise composition of two functions , and , where is defined on bits and is defined on bits, by . Here, the outputs of copies of are fed into (with the inputs to each copy of being pairwise disjoint). The total number of inputs to is .
1.1 Lower Bound of via lower bound of ANDOR
Claim 2. .
We will look at only the lower bound in the claim. We interpret the input as a list of numbers from . As presented in [BKT17], the proof for the lower bound proceeds in the following steps.
 Show that to approximate , it is necessary to approximate the blockcomposition on inputs of Hamming weight at most . i.e., show that .
Step 1 was covered in the previous lecture, but we briefly recall a bit of intuition for why the claim in this step is reasonable. The intuition comes from the fact that the converse of the claim is easy to establish, i.e., it is easy to show that in order to approximate , it is sufficient to approximate on inputs of Hamming weight exactly .
This is because can be expressed as an (over all range items ) of the (over all inputs ) of “Is input equal to ”? Each predicate of the form in quotes is computed exactly by a polynomial of degree , since it depends on only of the input bits, and exactly of the predicates (one for each ) evaluates to TRUE.
Step 1 of the lower bound proof for in [BKT17] shows a converse, namely that the only way to approximate is to approximate on inputs of Hamming weight at most .
 Show that , i.e., the degree required to approximate on inputs of Hamming weight at most is at least .
In the previous lecture we also sketched this Step 2. In this lecture we give additional details of this step. As in the papers, we use the concept of a “dual witness.” The latter can be shown to be equivalent to bounded indistinguishability.
Step 2 itself proceeds via two substeps:
 Give a dual witness for that has places little mass (namely, total mass less then ) on inputs of hamming weight .
 By modifying , give a dual witness for that places zero mass on inputs of Hamming weight .
In [BKT17], both Substeps 2a and 2b proceed entirely in the dual world (i.e., they explicitly manipulate dual witnesses and ). The main goal of this section of the lecture notes is to explain how to replace Step 2b of the argument of [BKT17] with a wholly “primal” argument.
The intuition of the primal version of Step 2b that we’ll cover is as follows. First, we will show that a polynomial of degree that is bounded on the low Hamming Weight inputs, cannot be too big on the high Hamming weight inputs. In particular, we will prove the following claim.
Claim 3. If is a degree polynomial that satisfies on all inputs of of Hamming weight at most , then for all inputs .
Second, we will explain that the dual witness constructed in Step 2a has the following “primal” implication:
Claim 4. For , any polynomial of degree satisfying for all inputs of Hamming weight at most must satisfy for some input .
Combining Claims 3 and 4, we conclude that no polynomial of degree can satisfy
which is exactly the desired conclusion of Step 2. This is because any polynomial satisfying Equation (1) also satisfies for all of Hamming weight of most , and hence Claim 3 implies that
But Claim 4 states that any polynomial satisfying both Equations (1) and (2) requires degree strictly larger than .
In the remainder of this section, we prove Claims 3 and 4.
1.2 Proof of Claim 3
Proof of Claim 3. For notational simplicity, let us prove this claim for polynomials on domain , rather than .
Proof in the case that is symmetric. Let us assume first that is symmetric, i.e., is only a function of the Hamming weight of its input . Then for some degree univariate polynomial (this is a direct consequence of MinskyPapert symmetrization, which we have seen in the lectures before). We can express as below in the same spirit of Lagrange interpolation.
Here, the first term, ,is bounded in magnitude by , and . Therefore, we get the final bound:
Proof for general . Let us now consider the case of general (not necessarily symmetric) polynomials . Fix any input . The goal is to show that .
Let us consider a polynomial of degree obtained from by restricting each input such that to have the value 0. For example, if and , then . We will exploit three properties of :
 .
 Since for all inputs with , satisfies the analogous property: for all inputs with .
 If denotes the all1s vector of length , then .
Property 3 means that our goal is to show that .
Let denote the symmetrized version of , i.e., , where the expectation is over a random permutation of , and . Since for all permutations , . But is symmetric, so Properties 1 and 2 together mean that the analysis from the first part of the proof implies that for all inputs . In particular, letting , we conclude that as desired.
Discussion. One may try to simplify the analysis of the general case in the proof Claim 3 by considering the polynomial defined via ], where the expectation is over permutations of . is a symmetric polynomial, so the analysis for symmetric polynomials immediately implies that . Unfortunately, this does not mean that .
This is because the symmetrized polynomial is averaging the values of over all those inputs of a given Hamming weight. So, a bound on this averaging polynomial does not preclude the case where is massively positive on some inputs of a given Hamming weight, and massively negative on other inputs of the same Hamming weight, and these values cancel out to obtain a small average value. That is, it is not enough to conclude that on the average over inputs of any given Hamming weight, the magnitude of is not too big.
Thus, we needed to make sure that when we symmetrize to , such large cancellations don’t happen, and a bound of the average value of on a given Hamming weight really gives us a bound on on the input itself. We defined so that . Since there is only one input in of Hamming weight , does not average ’s values on many inputs, meaning we don’t need to worry about massive cancellations.
A note on the history of Claim 3. Claim 3 was implicit in [RS10]. They explicitly showed a similar bound for symmetric polynomials using primal view and (implicitly) gave a different (dual) proof of the case for general polynomials.
1.3 Proof of Claim 4
1.3.1 Interlude Part 1: Method of Dual Polynomials [BT17]
A dual polynomial is a dual solution to a certain linear program that captures the approximate degree of any given function . These polynomials act as certificates of the high approximate degree of . The notion of strong LP duality implies that the technique is lossless, in comparison to symmetrization techniques which we saw before. For any function and any , there is always some dual polynomial that witnesses a tight approximate degree lower bound for . A dual polynomial that witnesses the fact that is a function satisfying three properties:
 Correlation analysis:
If satisfies this condition, it is said to be wellcorrelated with .
 Pure high degree: For all polynomials of degree less than , we have
If satisfies this condition, it is said to have pure high degree at least .
 norm:
1.3.2 Interlude Part 2: Applying The Method of Dual Polynomials To BlockComposed Functions
For any function , we can write an LP capturing the approximate degree of . We can prove lower bounds on the approximate degree of by proving lower bounds on the value of feasible solution of this LP. One way to do this is by writing down the Dual of the LP, and exhibiting a feasible solution to the dual, thereby giving an upper bound on the value of the Dual. By the principle of LP duality, an upper bound on the Dual LP will be a lower bound of the Primal LP. Therefore, exhibiting such a feasible solution, which we call a dual witness, suffices to prove an approximate degree lower bound for .
However, for any given dual witness, some work will be required to verify that the witness indeed meets the criteria imposed by the Dual constraints.
When the function is a blockwise composition of two functions, say and , then we can try to construct a good dual witness for by looking at dual witnesses for each of and , and combining them carefully, to get the dual witness for .
The dual witness constructed in Step 2a for is expressed below in terms of the dual witness of the inner function viz. and the dual witness of the outer , viz. .
This method of combining dual witnesses for the “outer” function and for the “inner function” is referred to in [BKT17, BT17] as dual block composition.
1.3.3 Interlude Part 3: Hamming Weight Decay Conditions
Step 2a of the proof of the lower bound from [BKT17] gave a dual witness for (with ) that had pure high degree , and also satisfies Equations (4) and (5) below.
Equation (4) is a very strong “Hamming weight decay” condition: it shows that the total mass that places on inputs of high Hamming weight is very small. Hamming weight decay conditions play an essential role in the lower bound analysis for from [BKT17]. In addition to Equations (4) and (5) themselves being Hamming weight decay conditions, [BKT17]’s proof that satisfies Equations (4) and (5) exploits the fact that the dual witness for can be chosen to simultaneously have pure high degree , and to satisfy the following weaker Hamming weight decay condition:
Claim 5. There exist constants such that for all ,
(We will not prove Claim 5 in these notes, we simply state it to highlight the importance of dual decay to the analysis of ).
Dual witnesses satisfying various notions of Hamming weight decay have a natural primal interpretation: they witness approximate degree lower bounds for the target function ( in the case of Equation (4), and in the case of Equation (6)) even when the approximation is allowed to be exponentially large on inputs of high Hamming weight. This primal interpretation of dual decay is formalized in the following claim.
Claim 6. Let be any function mapping to . Suppose is a dual witness for satisfying the following properties:
 (Correlation): .
 (Pure high degree): has pure high degree .
 (Dual decay): for all .
Then there is no degree polynomial such that
Proof. Let be any degree polynomial. Since has pure high degree , .
We will now show that if satisfies Equation (7), then the other two properties satisfied by (correlation and dual decay) together imply that , a contradiction.
Here, Line 2 exploited that has correlation at least with , Line 3 exploited the assumption that satisfies Equation (7), and Line 4 exploited the dual decay condition that is assumed to satisfy.
1.3.4 Proof of Claim 4
Proof. Claim 4 follows from Equations (4) and (5), combined with Claim 6. Specifically, apply Claim 6 with , and
2 Generalizing the analysis for to prove a nearly linear approximate degree lower bound for
Now we take a look at how to extend this kind of analysis for to obtain even stronger approximate degree lower bounds for other functions in . Recall that can be expressed as an (over all range items ) of the (over all inputs ) of “Is input equal to ”? That is, simply evaluates on the inputs where indicates whether or not input is equal to range item .
Our analysis for can be viewed as follows: It is a way to turn the function on bits (which has approximate degree ) into a function on close to bits, with polynomially larger approximate degree (i.e. is defined on bits where, say, the value of is , i.e., it is a function on bits). So, this function is on not much more than bits, but has approximate degree , polynomially larger than the approximate degree of .
Hence, the lower bound for can be seen as a hardness amplification result. We turn the function on bits to a function on slightly more bits, but the approximate degree of the new function is significantly larger.
From this perspective, the lower bound proof for showed that in order to approximate , we need to not only approximate the function, but, additionally, instead of feeding the inputs directly to gate itself, we are further driving up the degree by feeding the input through gates. The intuition is that we cannot do much better than merely approximate the function and then approximating the block composed gates. This additional approximation of the gates give us the extra exponent in the approximate degree expression.
We will see two issues that come in the way of naive attempts at generalizing our hardness amplification technique from to more general functions.
2.1 Interlude: Grover’s Algorithm
Grover’s algorithm [Gro96] is a quantum algorithm that finds with high probability the unique input to a black box function that produces a given output, using queries on the function, where is the size of the the domain of the function. It is originally devised as a database search algorithm that searches an unsorted database of size and determines whether or not there is a record in the database that satisfies a given property in queries. This is strictly better compared to deterministic and randomized query algorithms because they will take queries in the worst case and in expectation respectively. Grover’s algorithm is optimal up to a constant factor, for the quantum world.
2.2 Issues: Why a dummy range item is necessary
In general, let us consider the problem of taking any function that does not have maximal approximate degree (say, with approximate degree ), and turning it into a function on roughly the same number of bits, but with polynomially larger approximate degree.
In analogy with how equals evaluated on inputs , where indicates whether or not , we can consider the block composition evaluated on , and hope that this function has polynomially larger approximate degree than itself.
Unfortunately, this does not work. Consider for example the case . The function evaluates to 1 on all possible vectors , since all such vectors of Hamming weight exactly .
One way to try to address this is to introduce a dummy range item, all occurrences of which are simply ignored by the function. That is, we can consider the (hopefully harder) function to interpret its input as a list of numbers from the range , rather than range , and define (note that variables , which indicate whether or not each input equals range item , are simply ignored).
In fact, in the previous lecture we already used this technique of introducing a “dummy” range item, to ease the lower bound analysis for itself. Last lecture we covered Step 1 of the lower bound proof for , and we let denote the frequency of the dummy range item, 0. The introduction of this dummy range item let us replace the condition (i.e., the sum of the frequencies of all the range items is exactly ) by the condition (i.e., the sum of the frequencies of all the range items is at most ).
2.3 A dummy range item is not sufficient on its own
Unfortunately, introducing a dummy range item is not sufficient on its own. That is, even when the range is is rather than , the function may have approximate degree that is not polynomially larger than that of itself. An example of this is (once again) . With a dummy range item, evaluates to TRUE if and only if at least one of the inputs is not equal to the dummy range item . This problem has approximate degree (it can be solved using Grover search).
Therefore, the most naive approach at general hardness amplification, even with a dummy range item, does not work.
2.4 The approach that works
The approach that succeeds is to consider the block composition (i.e., apply the naive approach with a dummy range item not to itself, but to ). As pointed out in Section 2.3, the gates are crucial here for the analysis to go through.
It is instructive to look at where exactly the lower bound proof for breaks down if we try to adapt it to the function (rather than the function which we analyzed to prove the lower bound for ). Then we can see why the introduction of the gates fixes the issue.
When analyzing the more naively defined function (with a dummy range item), Step 1 of the lower bound analysis for does work unmodified to imply that in order to approximate , it is necessary to approximate block composition of on inputs of Hamming weight at most . But Step 2 of the analysis breaks down: one can approximate on inputs of Hamming weight at most using degree just .
Why does the Step 2 analysis break down for ? If one tries to construct a dual witness for by applying dual block composition (cf. Equation (3), but with the dual witness for replaced by a dual witness for ), will not be wellcorrelated with .
Roughly speaking, the correlation analysis thinks of each copy of the inner dual witness as consisting of a sign, , and a magnitude , and the inner dual witness “makes an error” on if it outputs the wrong sign, i.e., if . The correlation analysis winds up performing a union bound over the probability (under the product distribution ) that any of the copies of the inner dual witness makes an error. Unfortunately, each copy of the inner dual witness makes an error with constant probability under the distribution . So at least one of them makes an error under the product distribution with probability very close to 1. This means that the correlation of the dualblockcomposed dual witness with is poor.
But if we look at , the correlation analysis does go through. That is, we can give a dual witness for and a dual witness for such that the the dualblockcomposition of and is wellcorrelated with .
This is because [BT15] showed that for , . This means that has a dual witness that “makes an error” with probability just . This probability of making an error is so low that a union bound over all copies of appearing in the dualblockcomposition of and implies that with probability at least , none of the copies of make an error.
In summary, the key difference between and that allows the lower bound analysis to go through for the latter but not the former is that the latter has approximate degree for , while the former only has approximate degree if is a constant bounded away from 1.
To summarize, the lower bound can be seen as a way to turn the function into a harder function , meaning that has polynomially larger approximate degree than . The right approach to generalize the technique for arbitrary is to (a) introduce a dummy range item, all occurrences of which are effectively ignored by the harder function , and (b) rather than considering the “inner” function , consider the inner function , i.e., let . The gates are essential to make sure that the error in the correlation of the inner dual witness is very small, and hence the correlation analysis for the dualblockcomposed dual witness goes through. Note that can be interpreted as follows: it breaks the range up into blocks, each of length , (the dummy range item is excluded from all of the blocks), and for each block it computes a bit indicating whether or not every range item in the block has frequency at least 1. It then feeds these bits into .
By recursively applying this construction, starting with , we get a function in AC with approximate degree for any desired constant .
2.5 distinctness
The above mentioned very same issue also arises in [BKT17]’s proof of a lower bound on the approximate degree of the distinctness function. Step 1 of the lower bound analysis for reduced analyzing distinctness to analyzing (restricted to inputs of Hamming weight at most ), where is the function that evaluates to TRUE if and only if its input has Hamming weight at least . The lower bound proved in [BKT17] for distinctness is . is the function. So, is “close” to . And we’ve seen that the correlation analysis of the dual witness obtained via dualblockcomposition breaks down for .
To overcome this issue, we have to show that is harder to approximate than itself, but we have to give up some small factor in the process. We will lose some quantity compared to the lower bound for . It may seem that this loss factor is just a technical issue and not intrinsic, but this is not so. In fact, this bound is almost tight. There is an upper bound from a complicated quantum algorithm [BL11, Bel12] for distinctness that makes that we won’t elaborate on here.
References
[Bel12] Aleksandrs Belovs. Learninggraphbased quantum algorithm for kdistinctness. In Foundations of Computer Science (FOCS), 2012 IEEE 53rd Annual Symposium on, pages 207–216. IEEE, 2012.
[BKT17] Mark Bun, Robin Kothari, and Justin Thaler. The polynomial method strikes back: Tight quantum query bounds via dual polynomials. arXiv preprint arXiv:1710.09079, 2017.
[BL11] Aleksandrs Belovs and Troy Lee. Quantum algorithm for kdistinctness with prior knowledge on the input. arXiv preprint arXiv:1108.3022, 2011.
[BT15] Mark Bun and Justin Thaler. Hardness amplification and the approximate degree of constantdepth circuits. In International Colloquium on Automata, Languages, and Programming, pages 268–280. Springer, 2015.
[BT17] Mark Bun and Justin Thaler. A nearly optimal lower bound on the approximate degree of . arXiv preprint arXiv:1703.05784, 2017.
[Gro96] Lov K Grover. A fast quantum mechanical algorithm for database search. In Proceedings of the twentyeighth annual ACM symposium on Theory of computing, pages 212–219. ACM, 1996.
[RS10] Alexander A Razborov and Alexander A Sherstov. The signrank of . SIAM Journal on Computing, 39(5):1833–1855, 2010.
Special Topics in Complexity Theory, Lectures 1213
Special Topics in Complexity Theory, Fall 2017. Instructor: Emanuele Viola
1 Lectures 1213, Scribe: Giorgos Zirdelis
In these lectures we study the communication complexity of some problems on groups. We give the definition of a protocol when two parties are involved and generalize later to more parties.
Definition 1. A 2party cbit deterministic communication protocol is a depthc binary tree such that:
 the leaves are the output of the protocol
 each internal node is labeled with a party and a function from that party’s input space to
Computation is done by following a path on edges, corresponding to outputs of functions at the nodes.
A publiccoin randomized protocol is a distribution on deterministic protocols.
2 2party communication protocols
We start with a simple protocol for the following problem.
Let be a group. Alice gets and Bob gets and their goal is to check if , or equivalently if .
There is a simple deterministic protocol in which Alice simply sends her input to Bob who checks if . This requires communication complexity.
We give a randomized protocol that does better in terms on communication complexity. Alice picks a random hash function . We can think that both Alice and Bob share some common randomness and thus they can agree on a common hash function to use in the protocol. Next, Alice sends to Bob, who then checks if .
For we get constant error and constant communication.
3 3party communication protocols
There are two ways to extend 2party communication protocols to more parties. We first focus on the Numberinhand (NIH), where Alice gets , Bob gets , Charlie gets , and they want to check if . In the NIH setting the communication depends on the group .
3.1 A randomized protocol for the hypercube
Let with addition modulo 2. We want to test if . First, we pick a linear hash function , i.e. satisfying . For a uniformly random set . Then,
 Alice sends
 Bob send
 Charlie accepts if and only if
The hash function outputs 1 bit. The error probability is and the communication is . For a better error, we can repeat.
3.2 A randomized protocol for
Let where . Again, we want to test if . For this group, there is no 100% linear hash function but there are almost linear hash function families that satisfy the following properties:
 we have
 we have
Assuming some random hash function (from a family) that satisfies the above properties the protocol works similar to the previous one.
 Alice sends
 Bob sends
 Charlie accepts if and only if
We can set to achieve constant communication and constant error.
Analysis
To prove correctness of the protocol, first note that , then consider the following two cases:
 if then
 if then
It now remains to show that such hash function families exist.
Let be a random odd number modulo . Define
where the product is integer multiplication. In other words we output the bits of the integer product .
We now verify that the above hash function family satisfies the three properties we required above.
Property (3) is trivially satisfied.
For property (1) we have the following. Let and and . The bottom line is how compares with . In more detail we have that,
Notice, that if in the addition the carry into the bit is , then
otherwise
which concludes the proof for property (1).
Finally, we prove property (2). We start by writing where is odd. Bitwise, this looks like .
The product for a uniformly random , bitwise looks like . We consider the two following cases for the product :
 If , or equivalently , the output never lands in the bad set (some thought should be given to the representation of negative numbers – we ignore that for simplicity).
 Otherwise, the hash function output has uniform bits. Again for simplicity, let . Thus,
In other words, the probability of landing in any small set is small.
4 Other groups
What happens in other groups? Do we have an almost linear hash function for matrices? The answer is negative. For and the problem of testing equality with is hard.
We would like to rule out randomized protocols, but it is hard to reason about them directly. Instead, we are going to rule out deterministic protocols on random inputs. For concreteness our main focus will be .
First, for any group element we define the distribution on triples, , where are uniformly random elements. Note the product of the elements in is always .
Towards a contradiction, suppose we have a randomized protocol for the problem. In particular, we have
This implies a deterministic protocol with the same gap, by fixing the randomness.
We reach a contradiction by showing that for every deterministic protocols using little communication (will quantify later), we have
We start with the following lemma, which describes a protocol using product sets.
Lemma 1. (The set of accepted inputs of) A deterministic bit protocol can be written as a disjoint union of “rectangles,” that is sets of the form .
Proof. (sketch) For every communication transcript , let be the set of inputs giving transcript . The sets are disjoint since an input gives only one transcript, and their number is , i.e. one for each communication transcript of the protocol. The rectangle property can be proven by induction on the protocol tree.
Next, we show that these product sets cannot distinguish these two distributions , and for that we will use the pseudorandom properties of the group .
Lemma 2. For all and we have
Recall the parameter from the previous lectures and that when the group is then .
Proof. Pick any and let be the inputs of Alice, Bob, and Charlie respectively. Then
If either or is small, that is or , then also because the term will be small. We will choose later.
Otherwise, and are large, which implies that and are uniform over at least elements. Recall from Lecture 9 that this implies , where is the uniform distribution.
By Cauchy–Schwarz we obtain,
The last inequality follows from the fact that .
This implies that and , because taking inverses and multiplying by does not change anything. These two last inequalities imply that,
and thus we get that,
To conclude, based on all the above we have that for all and independent of the choice of , it is either the case that
or
and we will now choose the to balance these two cases and finish the proof:
The above proves that the distribution behaves like the uniform distribution for product sets, for all .
Returning to arbitrary deterministic protocols , write as a union of disjoint rectangles by the first lemma. Applying the second lemma and summing over all rectangles we get that the distinguishing advantage of is at most . For the advantage is at most and thus we get a contradiction on the existence of such a correct protocol. We have concluded the proof of this theorem.
Theorem 3. Let be a group, and be the minimum dimension of an irreducible representation of . Consider the 3party, numberinhand communication protocol where . Its randomized communication complexity is .
For the communication is . This is tight up to constants, because Alice can send her entire group element.
For the group the known bounds on yield communication . This bound is tight for the problem of distinguishing from for , as we show next. The identity element for the group is the identity permutation. If then is a permutation that maps some element to . The idea is that the parties just need to “follow” , which is logarithmically smaller than . Specifically, let be the permutations that Alice, Bob and Charlie get. Alice sends . Bob gets and sends to Charlie who checks if . The communication is . Because the size of the group is , the communication is .
This is also a proof that cannot be too large for , i.e. is at most .
5 More on 2party protocols
We move to another setting where a clean answer can be given. Here we only have two parties. Alice gets , Bob gets , and they want to know if .
When is abelian, the elements can be reordered as to check whether . This requires constant communication (using randomness) as we saw in Lecture 12, since it is equivalent to the check where and .
We will prove the next theorem for nonabelian groups.
Theorem 1. For every nonabelian group the communication of deciding if is .
Proof. We reduce from unique disjointness, defined below. For the reduction we will need to encode the And of two bits as a group product. (This question is similar to a puzzle that asks how to hang a picture on the wall with two nails, such that if either one of the nails is removed, the picture will fall. This is like computing the And function on two bits, where both bits (nails) have to be 1 in order for the function to be 1.) Since is nonabelian, there exist such that , and in particular with . We can use this fact to encode And as
In the disjointness problem Alice and Bob get inputs respectively, and they wish to check if there exists an such that . If you think of them as characteristic vectors of sets, this problem is asking if the sets have a common element or not. The communication of this problem is . Moreover, in the variant of this problem where the number of such ’s is 0 or 1 (i.e. unique), the same lower bound still applies. This is like giving Alice and Bob two sets that either are disjoint or intersect in exactly one element, and they need to distinguish these two cases.
Next, we will reduce the above variant of the set disjointness to group products. For we product inputs for the group problem as follows:
Now, the product we originally wanted to compute becomes
If there isn’t an such that , then each product term is 1 for all , and thus the whole product is 1.
Otherwise, there exists a unique such that and thus the product will be , with being in the th position. If Alice and Bob can test if the above product is equal to 1, they can also solve the unique set disjointness problem, and thus the lower bound applies for the former.
We required the uniqueness property, because otherwise we might get a product that could be equal to 1 in some groups.
Special Topics in Complexity Theory, Lectures 89
Special Topics in Complexity Theory, Fall 2017. Instructor: Emanuele Viola
1 Lecture 89, Scribe: Xuangui Huang
In these lectures, we finish the proof of the approximate degree lower bound for ANDOR function, then we move to the surjectivity function SURJ. Finally we discuss quasirandom groups.
1.1 Lower Bound of ANDOR
Recall from the last lecture that ANDOR is the composition of the AND function on bits and the OR function on bits. We also proved the following lemma.
Lemma 1. Suppose that distributions over are wise indistinguishable distributions; and distributions over are wise indistinguishable distributions. Define over as follows:
: draw a sample from , and replace each bit by a sample of (independently).
Then and are wise indistinguishable.
To finish the proof of the lower bound on the approximate degree of the ANDOR function, it remains to see that ANDOR can distinguish well the distributions and . For this, we begin with observing that we can assume without loss of generality that the distributions have disjoint supports.
Claim 2. For any function , and for any wise indistinguishable distributions and , if can distinguish and with probability then there are distributions and with the same properties (wise indistinguishability yet distinguishable by ) and also with disjoint supports. (By disjoint support we mean for any either or .)
Proof. Let distribution be the “common part” of and . That is to say, we define such that multiplied by some constant that normalize into a distribution.
Then we can write and as
where , and are two distributions. Clearly and have disjoint supports.
Then we have
Therefore if can distinguish and with probability then it can also distinguish and with such probability.
Similarly, for all such that , we have
Hence, and are wise indistinguishable.
Equipped with the above lemma and claim, we can finally prove the following lower bound on the approximate degree of ANDOR.
Theorem 3. ANDOR.
Proof. Let be wise indistinguishable distributions for AND with advantage , i.e. . Let be wise indistinguishable distributions for OR with advantage . By the above claim, we can assume that have disjoint supports, and the same for . Compose them by the lemma, getting wise indistinguishable distributions . We now show that ANDOR can distinguish :
 : First sample . As there exists a unique such that , . Thus by disjointness of support . Therefore when sampling we always get a string with at least one “”. But then “” is replaced with sample from . We have , and when , ANDOR.
 : First sample , and we know that with probability at least . Each bit “” is replaced by a sample from , and we know that by disjointness of support. Then ANDOR.
Therefore we have ANDOR.
1.2 Lower Bound of SURJ
In this subsection we discuss the approximate degree of the surjectivity function. This function is defined as follows.
Definition 4. The surjectivity function SURJ, which takes input where for all , has value if and only if .
First, some history. Aaronson first proved that the approximate degree of SURJ and other functions on bits including “the collision problem” is . This was motivated by an application in quantum computing. Before this result, even a lower bound of had not been known. Later Shi improved the lower bound to , see [AS04]. The instructor believes that the quantum framework may have blocked some people from studying this problem, though it may have very well attracted others. Recently Bun and Thaler [BT17] reproved the lower bound, but in a quantumfree paper, and introducing some different intuition. Soon after, together with Kothari, they proved [BKT17] that the approximate degree of SURJ is .
We shall now prove the lower bound, though one piece is only sketched. Again we present some things in a different way from the papers.
For the proof, we consider the ANDOR function under the promise that the Hamming weight of the input bits is at most . Call the approximate degree of ANDOR under this promise ANDOR. Then we can prove the following theorems.
Theorem 6. ANDOR for some suitable .
In our settings, we consider . Theorem 5 shows surprisingly that we can somehow “shrink” bits of input into bits while maintaining the approximate degree of the function, under some promise. Without this promise, we just showed in the last subsection that the approximate degree of ANDOR is instead of as in Theorem 6.
Proof of Theorem 5. Define an matrix s.t. the 0/1 variable is the entry in the th row th column, and iff . We can prove this theorem in following steps:
 SURJANDOR under the promise that each row has weight ;
 let be the sum of the th column, then ANDOR under the promise that each row has weight , is at least ANDOR under the promise that ;
 ANDOR under the promise that , is at least ANDOR;
 we can change “” into “”.
Now we prove this theorem step by step.
 Let be a polynomial for SURJ, where . Then we have
Then the polynomial for ANDOR is the polynomial with replaced as above, thus the degree won’t increase. Correctness follows by the promise.
 This is the most extraordinary step, due to Ambainis [Amb05]. In this notation, ANDOR becomes the indicator function of . Define
Clearly it is a good approximation of ANDOR. It remains to show that it’s a polynomial of degree in ’s if is a polynomial of degree in ’s.
Let’s look at one monomial of degree in : . Observe that all ’s are distinct by the promise, and by over . By chain rule we have
By symmetry we have , which is linear in ’s. To get , we know that every other entry in row is , so we give away row , average over ’s such that under the promise and consistent with ’s. Therefore
In general we have
which has degree in ’s. Therefore the degree of is not larger than that of .
 Note that , . Hence by replacing ’s by ’s, the degree won’t increase.
 We can add a “slack” variable , or equivalently ; then the condition actually means .
Proof idea for Theorem 6. First, by the duality argument we can verify that if and only if there exists wise indistinguishable distributions such that:
 can distinguish ;
 and are supported on strings of weight .
Claim 7. OR.
The proof needs a little more information about the weight distribution of the indistinguishable distributions corresponding to this claim. Basically, their expected weight is very small.
Now we combine these distributions with the usual ones for And using the lemma mentioned at the beginning.
What remains to show is that the final distribution is supported on Hamming weight . Because by construction the copies of the distributions for Or are sampled independently, we can use concentration of measure to prove a tail bound. This gives that all but an exponentially small measure of the distribution is supported on strings of weight . The final step of the proof consists of slightly tweaking the distributions to make that measure .
1.3 Groups
Groups have many applications in theoretical computer science. Barrington [Bar89] used the permutation group to prove a very surprising result, which states that the majority function can be computed efficiently using only constant bits of memory (something which was conjectured to be false). More recently, catalytic computation [BCK14] shows that if we have a lot of memory, but it’s full with junk that cannot be erased, we can still compute more than if we had little memory. We will see some interesting properties of groups in the following.
Some famous groups used in computer science are:
 with bitwise addition;
 with addition mod ;
 , which are permutations of elements;
 Wreath product , whose elements are of the form where is a “flip bit”, with the following multiplication rules:
 ;
 in ;
 is the operation;
An example is . Generally we have
 matrices over with determinant in other words, group of matrices such that .
The group was invented by Galois. (If you haven’t, read his biography on wikipedia.)
Quiz. Among these groups, which is the “least abelian”? The latter can be defined in several ways. We focus on this: If we have two highentropy distributions over , does has more entropy? For example, if and are uniform over some elements, is close to uniform over ? By “close to” we mean that the statistical distance is less that a small constant from the uniform distribution. For , if uniform over , then is the same, so there is not entropy increase even though and are uniform on half the elements.
Definition 8.[Measure of Entropy] For , we think of for “high entropy”.
Note that is exactly the “collision probability”, i.e. . We will consider the entropy of the uniform distribution as very small, i.e. . Then we have
Theorem 9.[[Gow08], [BNP08]] If are independent over , then
where is the minimum dimension of irreducible representation of .
By this theorem, for high entropy distributions and , we get , thus we have
If is large, then is very close to uniform. The following table shows the ’s for the groups we’ve introduced.

Here is the alternating group of even permutations. We can see that for the first groups, Equation ((1)) doesn’t give nontrivial bounds.
But for we get a nontrivial bound, and for we get a strong bound: we have .
References
[Amb05] Andris Ambainis. Polynomial degree and lower bounds in quantum complexity: Collision and element distinctness with small range. Theory of Computing, 1(1):37–46, 2005.
[AS04] Scott Aaronson and Yaoyun Shi. Quantum lower bounds for the collision and the element distinctness problems. J. of the ACM, 51(4):595–605, 2004.
[Bar89] David A. Mix Barrington. Boundedwidth polynomialsize branching programs recognize exactly those languages in NC. J. of Computer and System Sciences, 38(1):150–164, 1989.
[BCK14] Harry Buhrman, Richard Cleve, Michal Koucký, Bruno Loff, and Florian Speelman. Computing with a full memory: catalytic space. In ACM Symp. on the Theory of Computing (STOC), pages 857–866, 2014.
[BKT17] Mark Bun, Robin Kothari, and Justin Thaler. The polynomial method strikes back: Tight quantum query bounds via dual polynomials. CoRR, arXiv:1710.09079, 2017.
[BNP08] László Babai, Nikolay Nikolov, and László Pyber. Product growth and mixing in finite groups. In ACMSIAM Symp. on Discrete Algorithms (SODA), pages 248–257, 2008.
[BT17] Mark Bun and Justin Thaler. A nearly optimal lower bound on the approximate degree of AC0. CoRR, abs/1703.05784, 2017.
[Gow08] W. T. Gowers. Quasirandom groups. Combinatorics, Probability & Computing, 17(3):363–387, 2008.
Special Topics in Complexity Theory, Lectures 67
Special Topics in Complexity Theory, Fall 2017. Instructor: Emanuele Viola
1 Lecture 67, Scribe: Willy Quach
In these lectures, we introduce wise indistinguishability and link this notion to the approximate degree of a function. Then, we study the approximate degree of some functions, namely, the AND function and the ANDOR function. For the latter function we begin to see a proof that is different (either in substance or language) from the proofs in the literature. We begin with some LATEXtips.
1.1 Some LATEX tips.
 Mind the punctuation. Treat equations as part of the phrases; add commas, colons, etc accordingly.
 In math mode, it is usually better to use \ell () rather than regular l. The latter can be confused with 1.
 Align equations with \begin{align} \end{align} with the alignment character &.
 For set inclusion, use \subset () only if you mean proper inclusion (which is uncommon). Otherwise use \subseteq (). (Not everybody agrees with this, but this seems the most natural convention by analogy with and .)
1.2 Introducing kwise indistinguishability.
We studied previously the following questions:
 What is the minimum such that any wise independent distribution over fools (i.e. for all size circuits with constant depth)?
We saw that is enough.
 What is the minimum such that fools the AND function?
Taking for suffices (more precisely we saw that wise independence fools the AND function with ).
Consider now and two distributions over that are wise indistinguishable, that is, any projection over bits of and have the same distribution. We can ask similar questions:
 What is the minimum such that cannot distinguish and (i.e. for all size circuits with constant depth)?
It turns out this requires : there are some distributions that are almost always distinguishable in this regime. (Whether is necessary or not is an open question.)
Also, suffices to fool (in which case is essentially exponentially small).
 What is the minimum such that the AND function (on bits) cannot distinguish and ?
It turns out that is necessary and sufficient. More precisely:
 There exists some over that are wise indistinguishable for some constant , but such that:
 For all that are wise indistinguishable for some bigger constant , we have:
 There exists some over that are wise indistinguishable for some constant , but such that:
1.3 Duality.
Those question are actually equivalent to ones related about approximation by realvalued polynomials:
Theorem 1. Let be a function, and an integer. Then:
Here denotes degree real polynomials. We will denote the righthand side .
Some examples:
 : then for all distribution , so that both sides of the equality are .
 the parity function on bits.
Then for , the lefthand side is at least : take to be uniform; and to be uniform on bits, defining the th bit to be to be the parity of the first bits. Then but .
Claim 2. .
Proof. Suppose by contradiction that some polynomial has degree and approximates Parity by .
The key ingredient is to symmetrize a polynomial , by letting
where ranges over permutations. Note that only depends on .
Now we claim that there is a univariate polynomial also of degree such that
for every .
To illustrate, let be a monomial of . For instance if , then , where is the Hamming weight of the input. (For this we think of the input as being . Similar calculations can be done for .)
If , then which is quadratic in .
And so on.
More generally is a symmetric polynomial. As form a basis of symmetric polynomials of degree , can be written as a linear combination in this basis. Now note that only depends on ; substituting gives that is of degree in .
(Note that the degree of can be strictly less than the degree of (e.g. for : we have ).)
Then, applying symmetrization on , if is a real polynomial close to Parity (in norm), then is also close to Parity’ (as a convex combination of close values).
Finally, remark that for every integer , we have: Parity and Parity. In particular, as , must have at least zeroes, and must therefore be zero, which is a contradiction.
We will now focus on proving the theorem.
Note that one direction is easy: if a function is closely approximated by a polynomial of degree , it cannot distinguish two wise indistinguishable distributions and :
where comes from the fact that and are wise indistinguishable.
The general proof goes by a Linear Programming Duality (aka finitedimensional HahnBanach theorem, minmax, etc.). This states that:
If , , and , then:
We can now prove the theorem:
Proof.
The proof will consist in rewriting the sides of the equality in the theorem as outputs of a Linear Program. Let us focus on the left side of the equality: .
We will introduce variables, namely and for every , which will represent for .
We will also use the following, which can be proved similarly to the Vazirani XOR Lemma:
Claim 3. Two distributions and are wise indistinguishable if and only if: with , , where is the Fourier basis of boolean functions.
The quantity can then be rewritten:
Following the syntax of LP Duality stated above, we have:
, (where goes over ),
,
,
,
where the rows of except the first two correspond to some such that .
We apply LP duality. We shall denote the new set of variables by
.
We have the following program:
Writing , the objective becomes to minimize , while the second set of constraints can be rewritten:
The expression is an arbitrary degree polynomial which we denote by . So our constrains become
Where ranges over all degree polynomials, and we are trying to minimize . Because is always below , but when you add it becomes bigger, is always within of .
1.4 Approximate Degree of AND.
Let us now study the AND function on bits. Let us denote the minimal degree of a polynomial approximating with error .
We will show that AND.
Let us first show the upper bound:
Claim 4. We have:
To prove this claim, we will consider a special family of polynomials:
Definition 5. (Chebychev polynomials of the first kind.)
The Chebychev polynomials (of the first kind) are a family of polynomials defined inductively as:
 ,
 ,
 .
Those polynomials satisfy some useful properties:
 ,
 such that ,
 .
Property follows from , and property follows from a direct induction. For a nice picture of these polynomials you should have come to class (or I guess you can check wikipedia). We can now prove our upper bound:
Proof. Proof of Claim:
We construct a univariate polynomial such that:
 ;
 ;
 .
In other words, will be close to on , and close to on . Then, we can naturally define the polynomial for the AND function on bits to be , which also has degree . Indeed, we want to be close to if has Hamming weight less than , while being close to on of Hamming weight (by definition of AND). This will conclude the proof.
Let us define as follows:
Intuitively, this uses the fact that Chebychev polynomials are bounded in (Property 2.) and then increase very fast (Property 3.).
More precisely, we have:
 by construction;
 for , we have:
by Property 2.;
by Property 3. and 4., and therefore for some , we have: .
Let us now prove the corresponding lower bound:
Claim 6. We have:
Proof. Let be a polynomial that approximates the AND function with error . Consider the univariate symmetrization of .
We have the following result from approximation theory:
Theorem 7. Let be a real univariate polynomial such that:
 ;
 for some .
Then .
To prove our claim, it is therefore sufficient to check that satisfies conditions 1. and 2., as we saw that :
 We have: by assumption on ;
 We have and (by assumption), so that the mean value theorem gives some such that .
This concludes the proof.
1.5 Approximate Degree of ANDOR.
Consider the AND function on bits and the OR function on bits. Let ANDOR be their composition (which outputs the AND of the outputs of the function on bits (disjoint) blocks).
It is known that ANDOR. To prove the upper bound, we will need a technique to compose approximating polynomials which we will discuss later.
Now we focus on the lower bound. This lower bound was recently proved independently by Sherstov and by Bun and Thaler. We present a proof that is different (either in substance or in language) and which we find more intuitive. Our proof replaces the “dual block method” with the following lemma.
Lemma 8. Suppose that
distributions over are wise indistinguishable distributions; and
distributions over are wise indistinguishable distributions.
Define over as follows: : draw a sample from , and replace each bit by a sample of (independently).
Then and are wise indistinguishable.
Proof. Consider any set of bit positions; let us show that they have the same distribution in and .
View the as blocks of bits. Call a block of bits heavy if ; call the other blocks light.
There are at most heavy blocks by assumption, so that the distribution of the (entire) heavy blocks are the same in and by wise indistinguishability of and .
Furthermore, conditioned on any outcome for the samples in , the light blocks have the same distribution in both and by wise indistinguishability of and .
Therefore and are wise indistinguishable.
Special Topics in Complexity Theory, Lectures 45
Special Topics in Complexity Theory, Fall 2017. Instructor: Emanuele Viola
1 Lectures 45, Scribe: Matthew Dippel
These lectures cover some basics of smallbias distributions, and then a more recent pseudorandom generator for readonce CNF [GMR12].
2 Small bias distributions
Definition 1.[Small bias distributions] A distribution over has bias if no parity function can distinguish it from uniformly random strings with probability greater than . More formally, we have:
In this definition, the is simply the probability of a parity test being or over the uniform distribution. We also note that whether we change the definition to have the probability of the parity test being or doesn’t matter. If a test has probability of being equal to , then it has probability of being , so the bias is independent of this choice.
This can be viewed as a distribution which fools tests that are restricted to computing parity functions on a subset of bits.
Before we answer the important question of how to construct and efficiently sample from such a distribution, we will provide one interesting application of small bias sets to expander graphs.
Theorem 2.[Expander construction from a small bias set] Let be a distribution over with bias . Define as the following graph:
Then, when we take the eigenvalues of the random walk matrix of in descending order , we have that:
Thus, smallbias sets yields expander graphs. Smallbias sets also turn out to be equivalent to constructing good linear codes. Although all these questions have been studied much before the definition of smallbias sets [NN90], the computational perspective has been quite useful, even in answering old questions. For example TaShma used this perspective to construct better codes [Ta17].
3 Constructions of small bias distributions
Just like our construction of boundedwise independent distributions from the previous lecture, we will construct smallbias distributions using polynomials over finite fields.
Theorem 1.[Small bias construction] Let be a finite field of size , with elements represented as bit strings of length . We define the generator as the following:
In this notation, a subscript of indicates taking the th bit of the representation. Then the output of over uniform and has bias .
Proof. Consider some parity test induced by a subset . Then when applied to the output of , it simplifies as:
Note that is the evaluation of the polynomial at the point . We note that if , then the value of is equally likely to be or over the probability of a uniformly random . This follows from the fact that the inner product of any nonzero bit string with a uniformly random bit string is equally likely to be or . Hence in this case, our generator has no bias.
In the case where , then the inner product will always be , independent of the value of . In these situations, the bias is , but this is conditioned on the event that .
We claim that this event has probability . Indeed, for non empty , is a polynomial of degree . Hence it has at most roots. But we are selecting from a field of size . Hence the probability of picking one root is .
Hence overall the bias is at most .
To make use of the generator, we need to pick a specific . Note that the seed length will be . If we want to achieve bias , then we must have . Al the logarithms in this lecture are in base . This gives us a seed length of .
Smallbias are so important that a lot of attention has been devote to optimizing the constant “2” above. A lower bound of on the seed length was known. TaShma recently [Ta17] gave a nearly matching construction with seed length .
We next give a sense of how to obtain different tradeoffs between and in the seed length. We specifically focus on getting a nearly optimal dependence on , because the construction is a simple, interesting “derandomization” of the above one.
3.1 An improved small bias distribution via bootstrapping
We will show another construction of small bias distributions that achieves seed length . It will make use of the previous construction and proof.
The intuition is the following: the only time we used that was uniform was in asserting that if , then is uniform. But we don’t need to be uniform for that. What do we need from ? We need that it has smallbias!
Our new generator is where and are as before but with different parameters. For , we pick of length , whereas just needs to be an biased generator on bits, which can be done as we just saw with bits. This gives a seed length of , as promised.
We can of course repeat the argument but the returns diminish.
4 Connecting small bias to kwise independence
We will show that using our small bias generators, we can create distributions which are almost wise independent. That is, they are very close to a wise independent distribution in statistical distance, while having a substantially shorter seed length than what is required for wise independence. In particular, we will show two results:
 Small bias distributions are themselves close to wise independent.
 We can improve the parameters of the above by feeding a small bias distribution to the generator for wise independence from the previous lectures. This will improve the seed length of simply using a small bias distribution.
Before we can show these, we’ll have to take a quick aside into some fundamental theorems of Fourier analysis of boolean functions.
4.1 Fourier analysis of boolean functions 101
Let . Here the switch between and is common, but you can think of them as being isomorphic. One way to think of is as being a vector in . The th entry of indicates the value of . If we let be the indicator function returning iff , but once again written as a vector like is, then any function can be written over the basis of the vectors, as:
This is the “standard” basis.
Fourier analysis simply is a different basis in which to write functions, which is sometimes more useful. The basis functions are . Then any boolean function can be expressed as:
where the , called the “Fourier coefficients,” can be derived as:
where the expectation is over uniformly random .
Claim 1. For any function with range , its Fourier coefficients satisfy:
Proof. We know that , as squaring the function makes it . We can reexpress this expectation as:
We make use of the following fact: if , then . If they equal each other, then their difference is the empty set and this function is .
Overall, this implies that the above expectation can be simply rewritten as:
Since we already decided that the expectation is , the claim follows.
5 Small bias distributions are close to wise independent
Before we can prove our claim, we formally introduce what we mean for two distributions to be close. We use the most common definition of statistical difference, which we repeat here:
Definition 1. Let be two distributions over the same domain . Then we denote their statistical distance , and sometimes written as , as
Note that the probabilities are with respect to the individual distributions and . We may also say that is close to if .
We can now show our result, which is known as Vazirani’s XOR Lemma:
Theorem 2. If a distribution over has bias , then is close to the uniform distribution.
Proof. Let be a test. To fit the above notation, we can think of as being defined as the set of inputs for which . Then we want to bound:
Expanding in Fourier basis we rewrite this as
We know that for all non empty , and when is the empty set. We also know that for all non empty , and is when is the empty set. So the above can be bounded as:
Lemma 3.
Using the above lemma completes the upper bound and the proof of the theorem.
Corollary 4. Any bits of an biased distribution are close to uniform.
Using the corollary above, we see that we can get close to a wise independent distribution (in the sense of the corollary) by taking a small bias distribution with . This requires seed length Recall that for exact wise we required seed length .
5.1 An improved construction
Theorem 5. Let be the generator previously described that samples a wise independent distribution (or any linear ). If we replace the input to with a small bias distribution of , then the output of is close to being wise independent.
Proof. Consider any parity test on bits on the output of . It can be shown that is a linear map, that is, simply takes its seed and it multiplies it by a matrix over the field GF(2) with two elements. Hence, corresponds to a test on the input of , on possibly many bits. The test is not empty because is wise independent. Since we fool with error , we also fool with error , and the theorem follows by Vazirani’s XOR lemma.
Using the seed lengths we saw we get the following.
Corollary 6. There is a generator for almost wise independent distributions with seed length .
6 Tribes Functions and the GMRTV Generator
We now move to a more recent result. Consider the Tribes function, which is a readonce CNF on bits, given by the And of terms, each on bits. You should think of where and .
We’d like a generator for this class with seed length . This is still open! (This is just a single function, for which a generator is trivial, but one can make this challenge precise for example by asking to fool the Tribes function for any possible negation of the input variables. These are tests and a generator with seed length is unknown.)
The result we saw earlier about fooling And gives a generator with seed length , however the dependence on is poor. Achieving a good dependence on has proved to be a challenge. We now describe a recent generator [GMR12] which gives seed length . This is incomparable with the previous , and in particular the dependence on is always suboptimal. However, when the generator [GMR12] gives seed length which is better than previously available constructions.
The highlevel technique for doing this is based on iteratively restricting variables, and goes back about 30 years [AW89]. This technique seems to have been abandoned for a while, possibly due to the spectacular successes of Nisan [Nis91, Nis92]. It was revived in [GMR12] (see also [GLS12]) with an emphasis on a good dependence on .
A main tool is this claim, showing that smallbias distributions fool products of functions with small variance. Critically, we work with nonboolean functions (which later will be certain averages of boolean functions).
Claim 1. Let be a series of boolean functions. Further, let be an biased distribution over bits, where each is bits long. Then
where is variance of with respect to the uniform distribution.
This claim has emerged from a series of works, and this statement is from a work in progress with Chin Ho Lee. For intuition, note that constant functions have variance , in which case the claim gives good bounds (and indeed any distribution fools constant functions). By contrast, for balanced functions the variance is constant, and the sum of the variances is about , and the claim gives nothing. Indeed, you can write Inner Product as a product of nearly balanced functions, and it is known that smallbias does not fool it. For this claim to kick in, we need each variance to be at most .
In the tribes function, the And fucntions have variance , and the sum of the variances is about and the claim gives nothing. However, if you perturb the Ands with a little noise, the variance drops polynomially, and the claim is useful.
Claim 2. Let be the AND function on bits. Rewrite it as , where . That is, we partition the input into two sets. Define as:
where is uniform. Then
Proof.
We know that is simply the expected value of , and since is the AND function, this is , so the right term is .
We reexpress the left term as . But we note that this product is iff . The probability of this happening is .
Thus the final difference is .
We’ll actually apply this claim to the Or function, which has the same variance as And by De Morgan’s laws.
We now present the main inductive step to fool tribes.
Claim 3. Let be the tribes function, where the first bits of each of the terms are fixed. Let be the free bits per term, and the number of terms that are nonconstant (some term may have become after fixing the bits).
Reexpress as , where each term’s input bits are split in half, so .
Let be a small bias distribution with bias (for a big enough to be set later). Then
That is, if we replace half of the free bits with a small bias distribution, then the resulting expectation of the function only changes by a small amount.
To get the generator from this claim, we repeatedly apply Claim 3, replacing half of the bits of the input with another small bias distribution. We repeat this until we have a small enough remaining amount of free bits that replacing all of them with a small bias distribution causes an insignificant change in the expectation of the output.
At each step, is cut in half, so the required number of repetitions to reduce to constant is . Actually, as explained below, we’ll stop when for a suitable constant (this arises from the error bound in the claim above, and we).
After each replacement, we incur an error of , and then we incur the final error from replacing all bits with a small bias distribution. This final error is negligible by a result which we haven’t seen, but which is close in spirit to the proof we saw that bounded independence fools AND.
The total accumulated error is then . If we wish to achieve a specific error , we can run each small bias generator with .
At each iteration, our small bias distribution requires bits, so our final seed length is .
Proof of Claim 3. Define , and rewrite our target expression as:
This is in the form of Claim 1. We also note that from Claim 2 that .
We further assume that . For if this is not true, then the expectation over the first terms is , because of the calculation
Then we can reason as in the proof that bounded independence fools AND (i.e., we can run the argument just on the first terms to show that the products are close, and then use the fact that it is small under uniform, and the fact that adding terms only decreases the probability under any distribution).
Under the assumption, we can bound the sum of the variances of as:
If we assume that then this sum is .
We can then plug this into the bound from Claim 1 to get
Now we set so that , and the bound becomes:
By making large enough the claim is proved.
In the original paper, they apply these ideas to readonce CNF formulas. Interestingly, this extension is more complicated and uses additional ideas. Roughly, the progress measure is going to be number of terms in the CNF (as opposed to the width). A CNF is broken up into a small number of Tribes functions, the above argument is applied to each Tribe, and then they are put together using a general fact that they prove, that if and are fooled by smallbias then also on disjoint inputs is fooled by smallbias.
References
[AW89] Miklos Ajtai and Avi Wigderson. Deterministic simulation of probabilistic constantdepth circuits. Advances in Computing Research – Randomness and Computation, 5:199–223, 1989.
[GLS12] Dmitry Gavinsky, Shachar Lovett, and Srikanth Srinivasan. Pseudorandom generators for readonce accˆ0. In Proceedings of the 27th Conference on Computational Complexity, CCC 2012, Porto, Portugal, June 2629, 2012, pages 287–297, 2012.
[GMR12] Parikshit Gopalan, Raghu Meka, Omer Reingold, Luca Trevisan, and Salil Vadhan. Better pseudorandom generators from milder pseudorandom restrictions. In IEEE Symp. on Foundations of Computer Science (FOCS), 2012.
[Nis91] Noam Nisan. Pseudorandom bits for constant depth circuits. Combinatorica. An Journal on Combinatorics and the Theory of Computing, 11(1):63–70, 1991.
[Nis92] Noam Nisan. Pseudorandom generators for spacebounded computation. Combinatorica, 12(4):449–461, 1992.
[NN90] J. Naor and M. Naor. Smallbias probability spaces: efficient constructions and applications. In 22nd ACM Symp. on the Theory of Computing (STOC), pages 213–223. ACM, 1990.
[Ta17] Amnon TaShma. Explicit, almost optimal, epsilonbalanced codes. In ACM Symp. on the Theory of Computing (STOC), pages 238–251, 2017.