We investigate the coded model of fault-tolerant computations introduced by D. Spielman. In this model the input and the output of a computation circuit are treated as words in some error-correcting code. A circuit is said to compute some function correctly if, for an input which is an encoded argument of the function, the output, once decoded, is the value of the function on the given argument.
Introduction
The problem of reliable computation with faulty elements has been investigated for several types of computational models; see the survey in [14]. In the most popular models, the computation is implemented by a circuit of boolean gates, and each gate can fail with a small probability. A circuit is said to be fault-tolerant if it returns a correct result with high probability. Such a model of computation was first proposed by J. von Neumann [1]. Later, von Neumann's ideas were developed by Dobrushin and Ortyukov [3]. N. Pippenger in [5] presented an effective transformation of any boolean circuit with non-faulty gates into a fault-tolerant circuit.
The construction of Pippenger requires only a logarithmic increase in the number of gates. In general, this result cannot be improved, and logarithmic redundancy is inevitable [4, 8, 6, 7]. But this lower bound is caused by the need to encode the input with some error-correcting code and then to decode the answer. This obstacle can be eliminated if we allow the circuit to receive its input and return its result as encoded words. Such a model was used in the work of D. Spielman [10]. Let us define this model (with minor modifications) in detail.
The computational model.
The computational array consists of $N$ elementary processors $s_1, \dots, s_N$. At any moment, each processor contains one bit of information (a processor is said to have an internal state 0 or 1). We fix two functions, $E : \{0,1\}^n \to \{0,1\}^N$ and $D : \{0,1\}^N \to \{0,1\}^n$, which are normally the encoding and decoding functions of some error-correcting code.
We say that a circuit gets an input $x \in \{0,1\}^n$ if the initial state of the memory $(s_1, \dots, s_N)$ is equal to $E(x)$.
Denote by $s^{(t)}_1, \dots, s^{(t)}_N$ the internal states of the processors at moment $t$. A circuit of depth $T$ is a list of instructions $F^{(t)}_i$, $t = 1, \dots, T$, which define how each of the processors should update its internal state at each moment. More precisely, the state of a processor $s_i$ at moments $t$ evolves by the rule are boolean functions (the indexes $j_1, \dots, j_r$ depend on $i$ and $t$). The arity $r$ is supposed to be fixed in advance. We shall always suppose that $r$ is a constant independent of $n$.
We say that a circuit of depth T computes a function f : {0, 1} n → {0, 1} n if for any x D(s (T ) 1 , . . . , s (T )
N ) = E(x) In other words, we use the encoding E to provide the circuit with an input, and then use the decoding D to retrieve the result. We shall say also that such a circuit computes f in T steps.
In the model of random faults we suppose that at any step each processor can be randomly corrupted, i.e., with some small probability it can change its internal state contrary to the rule above. Faults at different positions $i$ and moments $t$ (i.e., the events that a processor $s_i$ was corrupted at moment $t$) are supposed to be independent. For this model, we say that some circuit correctly computes a function f with probability , if
In another model faults are made by a malevolent adversary. This means that at any moment t any N processors can be corrupted. We say that a circuit computes some function f if for any choice of the positions where processors are corrupted, the final result is correct, i.e., again
Note that the defined model is trivial if the functions E and D may depend on the function f . In the sequel we fix some E and D and show that any function f can be computed by a reliable circuit (in the model with random faults or in the model with an adversary).
The rest of the paper is organized as follows. In Section 2 we introduce mixing mappings, the main combinatorial tool of our proofs. In Section 3 we consider the model of random faults and prove that any circuit of depth T with n processors can be converted into a reliable circuit with O(n log(nT)/log log(nT)) processors, which computes the same function in time O(T log log(nT)). This bound is a bit stronger than the result of [10], where the construction requires poly-logarithmic blow-up and poly-logarithmic slowdown. If T = poly(n), the blow-up in our construction is equal to O(log n/log log n), i.e., it is below the log n barrier, which is strict for the usual model of faulty boolean circuits (where the input of a circuit is not encoded). Our construction is effective, i.e., the fault-tolerant circuit can be constructed from the original one by a polynomial algorithm.
In Section 4 we deal with the model where faults are chosen by an adversary. We prove that any circuit of depth T with n processors can be converted into a reliable circuit with $2^{O(n)}$ processors and depth O(nT).
Mixing functions
In this section we define mixing mappings and prove some of their properties.
Definition 1 We call a mapping
This definition was inspired by the well-known Expander Mixing Lemma, see, e.g., [11]. The Expander Mixing Lemma implies that an expander is a mixer with appropriate parameters. We need mixers with some additional structure. First of all, we consider $L = \{0,1\}^m$ as an m-dimensional linear space over Z/2Z (for u, v ∈ L the vector u + v is just the bitwise sum of u and v modulo 2).
Definition 2 We call a mapping
Standard probabilistic arguments show that a linear mixer exists:
Lemma 1 For any α, β ∈ (0, 1) there exists a τ such that for all m there exists a linear (m, τ, α, β)-mixer.
We prove this lemma in Appendix.
The following properties of a mixer follow easily from the definition:
Claim 2 Let 0 < δ < δ < 1/128 and F be an (m, τ, δ , δ)-mixer. Then for any B ⊂ {0, 1} m of size at most 2 m /128 there are less than δ2 m elements x ∈ {0, 1} m such that for at least 1/64 of all u ∈ {0, 1}
We prove Claim 1 in Appendix; Claim 2 follows from similar arguments.
This lemma is interesting for α 1 β 1 β 2 α 2 . The bound in this lemma is quite rough, but it is enough for the application below. Lemma 2 can be proved with quite standard combinatorial arguments; see Appendix.
Note that if $F_1$ and $F_2$ are linear mixers then $F_1 \otimes F_2$ is also a linear mixer. From Lemma 1 it follows that for all α , β and a large enough τ , for all n a linear (n, τ , α , β )-mixer exists. If 2 n2 n = poly(N ), we can construct a linear (n, τ , α , β )-mixer in time poly(N ) using a brute force search. In particular, for any α , β , α , β we can get in polynomial time some mixers with parameters (m/2, τ , α , β ) and (m/2, τ , α , β ) (the degree of the polynomial may depend on α , β , α , β ). Further, construct a tensor product of these two mixers. From Lemma 2 it follows that we obtain a linear (m, τ + τ ,
It remains to choose appropriate α , α and β , β .
Computations resistant to random faults
In this section we show how to implement reliable computations with a circuit based on faulty processors. We assume that each processor at one step of computation is corrupted with small enough probability > 0, and that faults at different processors and at different moments of time are independent.
We use an encoding based on the Hadamard code. Recall that the Hadamard code is a mapping
Had :
where Had(a 1 , . . . , a n ) is the graph of the linear function of n variables
(the coefficients $a_i$ and the variables $x_i$ range over the field Z/2Z). The code is linear, so for any $x, y \in \{0,1\}^n$ we have
Here and in the sequel we denote by x ⊕ y the bitwise sum modulo 2.
Theorem 1 For any circuit S of depth t with n processors, for any res > 0 there exists a circuit Ŝ of depth O(t log log(tn)) with O(n log(nt)/log log(nt)) processors that computes the same function for the encoded input so that if any processor at each step is corrupted with probability < 1/8 then the result is correct with probability at least (1 − res ). Moreover, there exists a polynomial algorithm that constructs such a circuit Ŝ given S.
Proof: Denote by $y^{(j)} = (y^{(j)}_1, \dots, y^{(j)}_n)$ the state of the memory of S at the j-th step of the computation, $j = 0, \dots, t$. We shall define an encoding $E : \{0,1\}^n \to \{0,1\}^N$ and the corresponding decoding $D : \{0,1\}^N \to \{0,1\}^n$, and a circuit Ŝ with N processors so that for any j the internal state $z^{(j)} = (z^{(j)}_1, \dots, z^{(j)}_N)$ of Ŝ with high probability is close to $E(y^{(j)})$. More precisely, we require that with high probability the equality $D(z^{(j)}) = y^{(j)}$ holds. In particular, for the final result $z^{(t)}$ we get $D(z^{(t)}) = y^{(t)}$.
Let us implement the plan presented above. We split the set of variables $(x_1, \dots, x_n)$ into blocks of size $k = \log(\log n + \log t) + C$:
(the constant C will be chosen below). The total number of blocks $b_i$ is r = n/k .
A Restriction on Parallelism: Let us restrict the power of the parallelism in S. We shall assume that in the circuit S at each step in every block $b_i$ only one processor changes its internal state. Moreover, we assume that every time when a processor changes its state, its new state is a boolean function of internal states of two processors from the previous step. In the sequel we show that a circuit that satisfies these restrictions can be simulated by a fault-tolerant circuit Ŝ with blow-up of the memory $O(2^k/k)$ in real time, i.e., without any slowdown.
It is easy to see that an arbitrary circuit can be transformed so that the assumptions above hold. The price for this transformation is a constant blow-up of the memory and slow down O(k) = O(log log(nt)). Thus, to prove the theorem it remains to explain how to construct a reliable circuit for an S satisfying these restrictions.
From this moment, we assume that S satisfies the Restriction on Parallelism. First of all, we specify encoding and decoding. Define encoding $E : \{0,1\}^n \to \{0,1\}^N$ as follows:
Note that the length of eachb i is 2 k = 2 C log(tn) and the length of the codewords is N = r2 k = O(n log(tn)/ log log(tn)). Define manipulations with encoded data. Denote by
the state of memory of the circuit at j-th stage of computation. We split z (j) into blocks of length 2 k and denote themb
r . Further we define the transition rule: how z (j+1) is computed from z (j) . We define it so that with high probability for all j each blockb
In our model, at each step j = 1, . . . , t each value z 1 , . . . , z N is computed as a function of the internal states of O(1) processors at the previous step. Recall that some of the cells can be corrupted by random faults. Faults at different cells are independent and each one occurs with probability . We say that the random perturbation is 0 -normal if for any blockb i at any stage of computation, there are at most 0 ·2 k faults.
Lemma 4 For any 0 ∈ ( , 1/8) and large enough constant C (which defines the length of blocks b i ) the perturbation is 0 -normal with probability greater than (1 − res ).
Proof of the lemma: For each blockb i at each step the average number of faults is equal to 2 k . From the Chernoff bound it follows that
Sum up this probability for all i = 1, . . . , r and all steps j = 1, . . . , t. The sum is less than res if the constant C is large enough. Let us fix some 0 ∈ ( , 1/8); in the sequel we assume that the perturbation is 0 -normal, and construct a circuit which returns a correct result under this assumption. Also we fix some δ 0 > 0 such that 8δ 0 + 0 < 1/8. Let Mix be a linear (k, τ, δ 0 /2, δ 0 )-mixer. As we showed in Lemma 3, such a mixer can be found in time poly(n, t).
In the sequel we prove by induction the following property: if at step j eachb ) in at most 1/8 of bits (we assume that the random perturbation is 0 -normal).
We define the computation step in two stages. First, we defineb i , i = 1, . . . , r; each bit ofb i is a function of O(1) bits fromb = (u 1 , . . . , u 2 k ) . We identify an integer q ∈ {1, . .
(here we identify the integer q ≤ 2 k and its binary representation; thus, u M ix(q,η)⊕q is u j , where the k-digit binary representation of j is the bitwise sum modulo 2 of the binary representation of q and M ix(q, η)). )
Let us bound the number of bits inb = (u 1 , . . . , u 2 k ) that differ from the corresponding bits of Had(b Recall that we assume that at each step of the computation in the original circuit S exactly one bit of every block is updated. Let on the j-th step in a blockb i0 the internal state of a processor c 0 was updated:
c2 ), where F j is some boolean function. Let the bits x c1 and x c2 be from the blocksb i1 andb i2 respectively (c i ∈ {1, . . . , N }). The difference between Had(b
) is a function
c0 , then the bitwise sum modulo 2
Had(b
is equal to Had(0, . . . , 0, ξ, 0, . . . , 0). Let us explain the second stage of the construction and define u q . First of all, for all i = i 0 we letb i =b i . Forb i0 make the computations as follows. Letb j0 = (u 1 , . . . , u 2 k ),b j1 = (v 1 , . . . , v 2 k ) andb j2 = (w 1 , . . . , w 2k ). For each q = 1, . . . , 2 k we estimate the value x c0 as
and the values x c1 and x c2 as ). All but 2δ 0 2 k positions u q are equal to the corresponding bits of the
All three values x c0 , x c1 , and x c2 are estimated correctly for at least 6δ 0 2 k positions. Further, at most 0 2 k bits of one block can be corrupted due to random faults. In total, the fraction of positions where u q is not equal to the corresponding bit of Had(b
) is at most 8δ 0 + 0 < 1/8. We proved that any computation can be made reliable so that the result is correct with some fixed probability (1 − res ). We might want to get a circuit which fails with exponentially small probability. To decrease the probability of a failure, we can increase the size k of blocks b i used in the proof of Theorem 1. If we let k = C log log(tn) for some C > 1, our construction results in a circuit which fails with probability e −Ω(log C (tn)) ; blow-up of the memory in this circuit is O(2
To implement this construction, we need a linear mixer with parameters (log(log O(1) (tn)), τ, α, β). Such a mixer can be constructed in time poly(t, n); indeed, it is enough to take the tensor product of O(1) linear mixers with parameters ($\frac{1}{2}\log\log(nt)$, τ, α , β ).
To get a circuit that fails with probability $e^{-\Omega(n)}$, we need a linear (log(tn), τ, α, β)-mixer. Such a mixer exists, though we have no effective algorithm to construct it. But if we omit the condition that Ŝ can be obtained from S effectively, then we can apply the same arguments as in Theorem 1 and get the following result:
Theorem 2 For any circuit S of depth t with n processors there exists a circuit Ŝ of depth poly(t, n) with poly(t, n) processors that computes the same function for the encoded input so that if any processor at each step is corrupted with probability < 1/8 then the result is correct with probability at least $(1 - e^{-\Omega(n)})$. The circuit Ŝ can be constructed from S in time $2^{\mathrm{poly}(t,n)}$.
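The two stages of the transition rule from the proof of Theorem 1 (self-correction of each Hadamard block, then the in-code update of one bit), as an added sketch that is not the paper's construction: it votes over all shifts instead of the shifts selected by a mixer. The block size K, the sample PROGRAM and all function names are assumptions chosen for the demo.

```python
import random

K = 5                     # block size k (small, chosen for this demo)
SIZE = 1 << K             # Hadamard codeword length 2^k

def had(a):
    """Hadamard codeword of the K-bit integer a: position q holds <a, q> mod 2."""
    return [bin(a & q).count("1") & 1 for q in range(SIZE)]

def corrupt(u, positions):
    """Flip the bits of u at the given positions (models faults)."""
    return [bit ^ int(q in positions) for q, bit in enumerate(u)]

def distance(u, v):
    return sum(a != b for a, b in zip(u, v))

def self_correct(u):
    """Stage 1: recompute each position q as the majority of u[s] ^ u[s ^ q].

    Linearity gives Had(b)[s] ^ Had(b)[s ^ q] = Had(b)[q]. This stand-in votes
    over every shift s; the paper reads only the shifts Mix(q, eta) chosen by
    a mixer, which keeps the number of reads per processor constant.
    """
    return [int(2 * sum(u[s] ^ u[s ^ q] for s in range(SIZE)) > SIZE)
            for q in range(SIZE)]

def local_update(u, v, w, c0, c1, c2, F):
    """Stage 2: set x_c0 := F(x_c1, x_c2) inside the code, O(1) reads per q."""
    out = []
    for q in range(SIZE):
        x0 = u[q] ^ u[q ^ (1 << c0)]      # local estimate of x_c0 from block u
        x1 = v[q] ^ v[q ^ (1 << c1)]      # local estimate of x_c1 from block v
        x2 = w[q] ^ w[q ^ (1 << c2)]      # local estimate of x_c2 from block w
        xi = F(x1, x2) ^ x0               # xi = 1 iff x_c0 has to change
        out.append(u[q] ^ (xi & (q >> c0) & 1))  # add bit q of Had(0..xi..0)
    return out

def decode(u):
    """Read a block back: bit c of the message sits at position 2^c."""
    fixed = self_correct(u)
    return sum(fixed[1 << c] << c for c in range(K))

# Constructed program: (target block, bit), two (source block, bit) pairs, gate.
PROGRAM = [
    ((0, 0), (1, 0), (2, 3), lambda a, b: a & b),
    ((1, 1), (0, 0), (2, 0), lambda a, b: a | b),
    ((2, 4), (2, 3), (1, 1), lambda a, b: a ^ b),
]

def simulate(blocks, program, faults_per_block, seed=1):
    """Run the program on encoded blocks with fresh faults after every step."""
    rng = random.Random(seed)
    z = [had(b) for b in blocks]
    for (i0, c0), (i1, c1), (i2, c2), F in program:
        z = [self_correct(u) for u in z]
        z[i0] = local_update(z[i0], z[i1], z[i2], c0, c1, c2, F)
        z = [corrupt(u, set(rng.sample(range(SIZE), faults_per_block)))
             for u in z]
    return [decode(u) for u in z]

if __name__ == "__main__":
    print(simulate([0b10110, 0b00101, 0b11000], PROGRAM, faults_per_block=3))
```

With 3 faults per 32-bit block (below 1/8) every step starts from blocks that self-correct exactly, so the decoded state matches the fault-free run; applying `local_update` directly to uncorrected blocks can leave up to six times as many wrong positions.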
Computations resistant to an adversary
Now we consider the model where at each step an adversary chooses arbitrarily the fraction of all processors and corrupts them. We show that any computation circuit can be made resistant to such an adversary with exponential blow-up of the memory.
Theorem 3 For a small enough > 0, for any circuit S of depth t with n processors there exists a circuit Ŝ of depth tn with N = $2^{O(n)}$ processors such that Ŝ computes correctly the same function (for the encoded input) if at each step the fraction at most of all processors are corrupted. The circuit Ŝ can be constructed from S quasi-effectively: there exists a polynomial algorithm which gets S, the number of a processor i ≤ $2^{2n}$, and the number τ, and returns (1) the boolean function required to update the state of the i-th processor at the τ-th step, and (2) the list of O(1) processors that are queried by the processor number i at this step of computation. Note that the binary representation of i has length O(n), so this algorithm runs in time poly(n, t).
Proof: We assume that in the original circuit at each step of computations only one processor can update its internal state (any circuit can be transformed to this form, at the price of an n-fold slowdown and constant blow-up of the memory). Further we prove that a circuit S which satisfies this assumption can be simulated by a fault-tolerant Ŝ in real time.
Denote by $y^{(j)} = (y^{(j)}_1, \dots, y^{(j)}_n)$ the state of the memory of S at the j-th step of computation, $j = 0, \dots, t$. Define an encoding function $E : \{0,1\}^n \to \{0,1\}^{2^{2n}}$,
$$E(x) = (\mathrm{Had}(x), \dots, \mathrm{Had}(x)),$$
i.e., E is just the Hadamard code repeated $2^n$ times. The decoding function $D : \{0,1\}^{2^{2n}} \to \{0,1\}^n$ is defined as follows: to get D(x) split x into $2^n$ blocks of length $2^n$; decode each block using the Hadamard decoding; then for each position $i = 1, \dots, n$ take the majority of the i-th bits in all $2^n$ results. We shall define the computation process so that at each step j the memory of Ŝ contains a value z (j) = (z
Let us split the internal states of the processors (z 
2 n . We shall employ an (n, τ, δ 0 /2, δ 0 )-mixer Mix, where δ 0 = (δ − )/7. Such a mixer exists for large enough τ = τ (δ 0 ). We don't need it to be a linear mixer, so we can employ an expander with appropriate parameters. There are known constructions of effective expanders with required parameters, e.g. [12].
We describe the transformation from z (j) to z (j+1) in four stages. (η) , . . . , u 2 k (η)) and compute the vector
(here for i, s ∈ {1, . . . , 2 n } we denote by i ⊕ s the bitwise sum of n-bits binary representations of i and s). For each position r = 1, . . . , 2 n get the majority of the r-th bits in all w i (η), η ∈ {0, 1} τ . Denote by c i . Of course, we guarantee nothing for a block d Assume that at the j-th step of the computation in the original circuit S the bit y i0 is modified: y
where F is some boolean function. (W.l.o.g. we may assume that the boolean function F has only two arguments.) Fix i ∈ {1, . . . , 2 n } and denote f
Then set ξ q = F (ỹ i1 ,ỹ i2 ) −ỹ i0 , and calculate q = Had(0, . . . , 0, ξ q , 0, . . . , 0) (the value ξ q is placed at the i 0 -th position). Further, get the q-th position of q and add it to the value u q . Denote the resulted block z (j+1) . Note that if d (j) differs from Had(y (j) ) in γ2 n positions (for some fraction γ ∈ (0, 1)) then z (j+1) differs from Had(y (j) ) in at most 6γ2 n positions. Hence, the whole vector z (j+1) differs from E(y (j+1) ) in at most
positions. Note that 7δ 0 + < δ, and we are done. In our construction each bit z (j) i depends on O(1) bits from z (j) . Thus, the transition rule z (j) → z (j+1) is well defined.
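The encoding E and decoding D of this section (Hadamard code repeated 2^n times, block-wise decoding, then a per-position majority), as an added example that is not from the paper, with n = 4. The exhaustive nearest-codeword search used for Hadamard decoding, the sample corruption patterns and all function names are assumptions of the sketch.

```python
N_BITS = 4                  # n (small, chosen for this demo)
BLOCK = 1 << N_BITS         # Hadamard codeword length 2^n, also the repeat count

def had(x):
    """Hadamard codeword of the n-bit integer x: position q holds <x, q> mod 2."""
    return [bin(x & q).count("1") & 1 for q in range(BLOCK)]

def encode(x):
    """E(x): the Hadamard codeword of x repeated 2^n times (2^(2n) bits)."""
    return had(x) * BLOCK

def had_decode(block):
    """Nearest-codeword decoding by exhaustive search over all 2^n messages."""
    return min(range(BLOCK),
               key=lambda a: sum(p != q for p, q in zip(had(a), block)))

def decode(word):
    """D: decode every block, then take the majority of each message bit."""
    results = [had_decode(word[i:i + BLOCK])
               for i in range(0, len(word), BLOCK)]
    out = 0
    for pos in range(N_BITS):
        ones = sum((r >> pos) & 1 for r in results)
        out |= int(2 * ones > len(results)) << pos
    return out

def flip(word, positions):
    """Corruption spread thinly: flip individual bits."""
    return [b ^ int(i in positions) for i, b in enumerate(word)]

def overwrite_blocks(word, count, y):
    """Corruption concentrated in blocks: replace the first `count` blocks
    by valid codewords of a different message y."""
    return had(y) * count + word[count * BLOCK:]

def demo():
    x = 0b1011
    word = encode(x)
    # Constructed pattern: 3 flips in each of the 16 blocks (48 of 256 bits).
    spread = flip(word, {BLOCK * i + j for i in range(BLOCK) for j in (1, 6, 11)})
    return (decode(spread),                          # block decoding absorbs it
            decode(overwrite_blocks(word, 7, 0b0100)),   # majority absorbs it
            decode(overwrite_blocks(word, 9, 0b0100)))   # majority is lost

if __name__ == "__main__":
    print(demo())
```

Each 16-bit block corrects up to 3 flipped bits, and the outer majority survives as long as fewer than half of the blocks decode to a wrong message; once 9 of the 16 blocks are replaced, D returns the substituted message.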
Conclusion
We proved that any parallel computation performed with memory n in time t can be simulated by a reliable circuit with memory O(n log(nt)/log log(nt)) in time O(t log log(tn)). Such a reliable circuit returns a correct result with high probability even if it is based on faulty elements (i.e., each element fails at any step with some small probability , and faults of different elements are independent). Our construction employs encoding based on the Hadamard code. Actually, similar arguments can be applied to a code based on any other linear locally decodable code. For example, we can use the Reed-Muller code instead of the Hadamard code; then essentially the same construction provides a bit stronger bound: any computation which was done on a non-faulty circuit with memory n in time t can be simulated on faulty elements with memory $O(n \log(nt)/\log^C \log(nt))$, where the constant C can be made arbitrarily large. By this method, we cannot obtain much better bounds (like O(n)), because for any linear locally decodable error correcting code the codeword length must be exponential in the block length [13]. Thus, the main question, which remains open, is whether reliable polynomial computations can be performed with memory O(n).
Our second result, which concerns computations resistant to an adversary who can corrupt at each step some fraction of memory cells, seems quite weak. We presented a construction with exponential blow-up of the memory. Again, the proved bound cannot be essentially improved with our method, because it is based on a linear locally decodable error correcting code. Recall that if we want just to store some information (without computations), this can be done with a constant blow-up of the memory, even if at each step an adversary corrupts some fraction of memory cells [2]. To our knowledge, there are no results achieving polynomial blow-up of the memory for circuits computing an arbitrary function and tolerating a constant fraction of processors being corrupted at every step. In [9] this problem was solved only for a special class of boolean functions. Thus, the second important open question is whether any computation can be made resistant to an adversary with a linear or at least polynomial increase of the memory.
Another interesting question is whether a linear (m, τ, α, β)-mixer can be effectively constructed in time poly($2^m$). If such a construction exists, the proof of Theorem 2 can be made effective.
• for any u ∈ X 1 let A u = {u ⊗ v|v ∈ X 2 , u ⊗ v ∈ A};
• for any v ∈ X 2 let B v = {u ⊗ v|u ∈ X 1 , u ⊗ v ∈ B};
• A i = {x ∈ X 1 |iδ ≤ |A x |/2 m2 < (i + 1)δ};
• B i = {x ∈ X 1 |iδ ≤ |B x |/2 m2 < (i + 1)δ};
Step 1. First, we count the number of pairs (x, u) ∈ A × {0, 1} τ1+τ2 such that x ∈ A and F (x, u) ∈ B. To evaluate the number of such pairs, we calculate for each i, j the number of pairs (x, u) such that x ∈Â i and F (x, u) ∈B j , and then sum up these values.
The first case:
. Fix some integer i, j as above. At first, count the number of pairs (x, u) ∈ X 1 × {0, 1} τ1 such that x ∈ A i and F 1 (x, u) ∈ B j . As F 1 is a mixer,
Further, for any x ∈ A i , y ∈ B j we have
and |A y | − jδ2 m2 < δ2 m2
Note that the condition i > 1/ √ δ implies |A x | ≥ α 2 2 m2 . As F 2 is a mixer, we have |{(y, v) ∈ A x × {0, 1} τ2 |F 2 (y, v) ∈ B y }| − ij2 m2+τ2 δ 2 ≤ β 2 (i + 1)δ2
Thus, the number of pairs (x, u) such that x ∈Â i , u ∈ {0, 1} τ1 , and F (x, u) ∈B j is equal to
The second case: |A i | < α 1 2 m1 . For every i such that |A i | < α 1 2 m1 |{(x, u) ∈ A i × {0, 1} τ1 |F 1 (x, u) ∈ B}| ≤ α 1 2
m1+m2+τ1+τ2
The index i ranges over 1, . The fourth case: j < 1/ √ δ and i > 1/ √ δ. For i, j under those conditions and any x ∈ A i and y ∈ B j there are at most
pairs (x, u) ∈ A x × {0, 1} τ2 such that F 2 (x, u) ∈ B y . Thus,
Sum up the four cases above:
|{(x, u) ∈ A × {0, 1} τ1+τ2 |F 1 (x, u) ∈ B}| = Step 3. From the bounds obtained in step 1 and step 2 we get |{(x, u) ∈ A × {0, 1} τ1+τ2 |F 1 (x, u) ∈ B}| = |A||B| · 2 (τ1+τ2)−(m1+m2)
Obviously, if |A| ≥ √ α 2 2 m1+m+2+τ1+τ2 , we have
Recall that δ = (α 2 ) 2 , and we get that F 1 ⊗ F 2 is a (m 1 + m 2 , τ 1 + τ 2 , √ α 2 , β)-mixer
