Locally Decodable Codes
of fixed number of queries
and Sub-exponential Length
Article By Klim Efremenko
Presented by Inon Peled
30 November 2008
Intuition: Locally Decodable Code
• Let F be a field, C : F n
F N a code.
• Intuitively, C is locally decodable if:
• Given an encoded word w  F N ,
• produced from an original message x  F n ;
• Any symbol xi of x can be recovered from w
• with good probability, even if w is somewhat malformed.
• LDC’s have applications in cryptography, complexity theory.
Example - Public Key Cryptograohy: http://www.cs.ucla.edu/~rafail/PUBLIC/95.pdf
2
Structure of Presentation
The rest of the presentation is organized as follows:
1) Formal definition for LDC.
2) Example LDC: Hadamard code.
3) Construction of LDC’s with fixed #queries and
sub-exp. codeword length.
4) Construction of such binary LDC’s.
3
Definition: Locally Decodable Code
• Let C : F n
F N be a code.
• Formally,
• Let x   x1 , x2 ,
, xn   F n be the original message.
• Let a word y  F N be C  x  with up to  -fraction errors,
d H  y, C  x      N ; d H ˆ Hamming distance
4
Definition: Locally Decodable Code
• Let C : F n
F N be a code.
• Formally,
• Let x   x1 , x2 ,
, xn   F n be the original message.
• Let a word y  F N be C  x  with up to  -fraction errors,
d H  y, C  x      N ; d H ˆ Hamming distance
• C is locally decodable with parameters  q,  ,   when:
• i  1,
, n there is a randomized decoding algorithm di , so that
1) di queries at most q letters of y.
2) di fails to retrieve xi with probability at most  .
Pr  di  y   xi    
Pr  di  y   xi   1  
5
Next Topic
1) Formal definition for LDC.
2) Example LDC: Hadamard code.
3) Construction of LDC’s with fixed #queries and
sub-exp. codeword length.
4) Construction of such binary LDC’s.
6
Example: Hadamard Code
• From now on, denote for k  :
ˆ field of k elements.
Fk  GF  k  =a
 k  ˆ 1,
, k
7
Example: Hadamard Code
• From now on, denote for k  :
ˆ field of k elements.
Fk  GF  k  =a
 k  ˆ 1,
, k
CHadamard : F2
n
F2
• C Hadamard encoding: message x  0,1
n
2n
codeword w  0,1 :
2n
For all j   2n  , let j denote the binary representation of j , of length n.
So j   2n  : w j ˆ x  j  mod 2  ˆ x , j
8
Example: Hadamard Code
• From now on, denote for k  :
ˆ field of k elements.
Fk  GF  k  =a
 k  ˆ 1,
Because in every non-zero codeword,
exactly half of the letters are 1.
, k
CHadamard : F2
n
F2
• C Hadamard encoding: message x  0,1
2n
codeword w  0,1 :
2n
n
For all j   2n  , let j denote the binary representation of j , of length n.
So j   2n  : w j ˆ x  j  mod 2  ˆ x , j
 CHadamard is a linear code [
2n
,
n
, 1/ 2 ].
codeword len. original len. distance
9
Example: Hadamard Code - decoding
For every index i   n  of original message x , define a C Hadamard decoder:
• di : word y  0,1
2n
message symbol xi :
1) Choose uniformly at random q1  0,1 , an index of the word y .
2n


2) Let q2  q1  ei , where ei  F n ˆ 0, 0,..., 1 , 0,..., 0 = i'th unit vector.
index i
That is, q2 is q1 with the i'th coordinate flipped.
3) Output yq1  yq2 as the value of xi .
10
Example: Hadamard Code - completeness
Let's demonstrate that for an intact codeword, d i always outputs correctly.
Let w  CHadamard  x  , q1 and q2 as in the definition of d i .
di  w   wq1  wq2  x , q1  x , q2
 x , ei
of

x , q1  q2
of q2

x , q1   q1  ei 
of ei
 xi
In fact, this calculation proves that di outputs wrongly if-and-only-if
exactly one of wq1 , wq2 is damaged (=flipped).
11
Example: Hadamard Code - parameters
What are the LDC parameters  q,  ,   of CHadamard ?
By definition of the code, q =2.
Note that since q1 is a uniform random variable, so too is q2 . *
1
1
Now, assume less than of codeword w is damaged , i.e.     ,   0.
4
4
  Pr  di fails   Pr  One of w q , w q is damaged 
1


2

 Pr w q1 is damaged  Pr w q1 is damaged
Pr   
  
 *

1
 2
2
We've obtained that CHadamard is a ( 2
,
1

4
,
1
 2
2
)-LDC .
#queries assumed max. damage max. failure prob.
12
Non-adaptive, Linear
• The Hadamard code, as well as every code
that we will present later is:
• Non-adaptive: makes all queries at once.
• And so cannot adapt its queries one after another.
• Linear: a linear transformation.
• Hadamard code has fixed num. queries and codeword
length exponential in length of message.
• Next ,we construct LDC’s with fixed num. queries and
sub-exp. length – the main theme of this presentation.
13
Next Topic
1) Formal definition for LDC.
2) Example LDC: Hadamard code.
3) Construction of LDC’s with fixed #queries and
sub-exp. codeword length.
4) Construction of such binary LDC’s.
14
Stages of Constructing our LDC
The construction of our LDC begins with fixing a
constant m, such that:
• m is odd, 2 | m
• m is a composite number, m  p1 p2
where p1 , p2 ,
pr ,
, pr are distinct and prime.
15
Stages of Constructing our LDC
The construction of our LDC begins with fixing a
constant m, such that:
• m is odd, 2 | m
• m is a composite number, m  p1 p2
where p1 , p2 ,
pr ,
, pr are distinct and prime.
To continue the construction, we must first introduce
a couple of definitions:
1) For a set of scalars S , a family ui in of S -matching vectors.
 
2)  , a generator of a multiplicative group of size m.
16
Definition 1: S-Matching Vectors
Fix some h  .
where
m
From here on, every ui  
m

h
,
ˆ integers with operations mod m.
m  p1 p2
17
pr
Definition 1: S-Matching Vectors
Fix some h  .
where
m
From here on, every ui  
m

h
,
ˆ integers with operations mod m.
• A family of vectors ui i 1 is S -matching for a set of scalars S iff:
n
• i, j   n  , i  j : ui , u j  S
• i   n  , : ui , ui  0
• Where ,  is inner product mod m.
m  p1 p2
pr
Definition 1: S-Matching Vectors
Fix some h  .
where
m
From here on, every ui  
m

h
,
ˆ integers with operations mod m.
• A family of vectors ui i 1 is S -matching for a set of scalars S iff:
n
• i, j   n  , i  j : ui , u j  S
• i   n  , : ui , ui  0
• Where ,  is inner product mod m. Hence S   m  1.
• For our LDC's, we'll further require that 0  S and
s  S , j   r  : either s  1 mod p j or s  0 mod p j .
m  p1 p2
19
pr
Example: S-Matching Vectors
In this example, fix:
h  2 ; m  15  3  5 (r   p ,  , pr 
1
 2)
p1 p2
By our requirement on S and by the Chinese remainder theorem:
S  1, 6,10 (explanation on board)
Here are two S -matching vectors u1 , u2  
15 
2
:
u1   3, 6  , u2   6, 3 .
u1 , u1  u2 , u2  32  62  mod 15   45  mod 15   0
u1 , u2  3  6  6  3  36  mod 15   1  S
m  p1 p2
20
pr
Definition 2: γ, group generator
Lemma : there exists t  m, such that GF 2t contains a  ,
 
which is a generator of a mul. group of size m :
 m  1 and  i  1 for i  1, 2,..., m -1
m  p1 p2
21
pr
Definition 2: γ, group generator
Lemma : there exists t  m, such that GF 2t contains a  ,
 
which is a generator of a mul. group of size m :
 m  1 and  i  1 for i  1, 2,..., m -1
Proof of lemma :
• m is odd, so 2  Zm*  k | gcd  k , m   1 .
• Hence there exists t<m such that 2t  1 mod m.
 
• Set F  GF 2t .
Hence for F * , the multiplicative group of F , it holds that F *  2t  1.
• Let g be a generator of F* . Set
2t 1
 =g m .
• m 2t -1, so  generates a mul. group of size m.
m  p1 p2
22
pr
Recap
1) We started by fixing some odd m  p1 p2
pr .
2) m yielded:
 
2.1) Some t  m, for which the field F  GF 2t
has a sub-group, of size m, with a generator  .
2.2) A set of scalars S ,
such that s  S , j   r  : s  0  s  1 or 0 ( mod p j ).
3) We fixed h  . Then h, m and S yielded

a maximal set of n S -matching vectors ui  
 in .
h
m
 
23
At last, the LDC !
Here is how C encodes a message, given those m, h, S , F ,  and ui in .
C : Fn
h
m
F
24
At last, the LDC !
Here is how C encodes a message, given those m, h, S , F ,  and ui in .
C : Fn
h
m
F
1) First, we describe how for every i   n  , C encodes ei  F n :

C  ei  ˆ 
ui , j

j m 


h

 

ui ,0
,
ui ,1
,
ui , 2
,
,
ui , mh 1



25
At last, the LDC !
Here is how C encodes a message, given those m, h, S , F ,  and ui in .
h
m
F
C : Fn
1) First, we describe how for every i   n  , C encodes ei  F n :

C  ei  ˆ 
ui , j

j m 


h

 

ui ,0
,
2) Finally, given a message x  F   x0 , x1 ,
n
ui ,1
,
ui , 2
ei
, xn 1  
,
,
ui , mh 1



xe,
i n 
i i
we define C to be linear:
C  x  ˆ
xiC  ei   x C  e   x C  e  

i n
1
1
2
2
 xnC  en 
 
26
Decoding
• We shall next describe how a decoder for C works.
 This can also shed more light on the choice of C's encoder.
• For decoding, we will again need an extra definition -an S -decoding polynomial -- which we supply now.
27
Definition: S-decoding Polynomial
 
Take m, S , F  GF 2t and  as in the definition of C.
A polynomial P  F  x  is called an S-decoding polynomial iff:
 
P 1  1. Or: P     1
s  S : P  s  0
0
Given S, here's a way to explicitly construct P:
First take P  x  ˆ  sS  x   s . Thus P 1  0, by def. of  and S.
Now, set P ˆ
P  x
P 1
 
. So P  s  0 and P 1  1 as required.


Also, note that P has at most S  1 monomials x ,..., x 0 .
S
28
Example: S-decoding Polynomial
In this example, fix m  29  1  511  7  73  r  2.
p1
p2
Using the Chinese remainder theorem, we obtain:
S= 1,147,365 , S  3.
 
Fix t  9, F  GF 29 , and  a generator of F * . F *  29  1  m.
It can be verified the the following is an S -decoding polynomial:
P  x    423  x 65   257  x12   342
Here P has only 3 | S | 1  4 monomials.
29
The LDC, Decoding
Let P be an S -decoding polynomial for C.
Write P as a sum of k monomials, with coefficeints a j and powers b j :
k 1
P  x   aj x
j 0
Let y  F
mh
bj
 a0  a1 x 1  a2 x 2 
b
b
. Consider y the table of a function from
 ak 1 x
bk 1

to F .
m
h
30
The LDC, Decoding
Let P be an S -decoding polynomial for C.
Write P as a sum of k monomials, with coefficeints a j and powers b j :
k 1
P  x   aj x
j 0
Let y  F
mh
bj
 a0  a1 x 1  a2 x 2 
b
b
. Consider y the table of a function from
 ak 1 x
bk 1

to F .
m
h
For every index i   n  of original message x , define a decoder di :
1) Choose uniformly at random v  
m
h
, an index of a letter in y .
2) Make k queries: q j ˆ y  v  b j ui  , j  0,..., k  1.
That is: q0  y  v  ; q1  y  v  b1ui  ;  ; qk 1  y  v  bk 1ui  .
3) Output symbol:
xi  
 ui ,v
k 1
  a j q j    u ,v  a0 q0  a1q1 
i
j 0
 ak 1qk 1 
31
Perfectly Smooth Decoder
To get a feeling of how di works,
let us prove that it is a perfectly smooth decoder:
1) 100% Completeness: di  C  x    xi for all x  F n .
2) Smoothness: each query of di is uniformly distributed over  m h  .
Proving 2), smoothness:
di chooses v uniformly at random.
Thus each query q j  v 
b j ui
, j  0,.., k  1
constant vector
is uniformly distributed too. Hence 2) holds.
32
Perfectly Smooth Decoder, Cont.
Proving 1), completeness:
Note that di is a linear operator, since by its definition:
d i  y  z  =
 ui , v
k 1

  a j y  v  b j ui   z  v  b j ui 
j 0

 di  y   di  z 

Distribution, assoicativity...
Therefore, to prove that d i  C  x    xi ,


it suffices to prove that d i  C  ei    1  d i C  eg i   0.

Reminder: C  x    xi C (ei ) , C (e j )  
i n 
ui , l

l 
m
h
The rest of the proof is attached here.
Because 1) and 2) hold, di is a perfectly smooth decoder.
33
Success Probability of C
For our LDC, what is its 1- = lower bound on its success probability?
Lemma: Any code with a perfectly smooth decoder ,


which makes k queries, is a  k ,

,   k  -LDC.
 #queries Max. damaged fraction Max. prob. to fail 
34
Success Probability of C
For our LDC, what is its 1- = lower bound on its success probability?
Lemma: Any code with a perfectly smooth decoder ,


which makes k queries, is a  k ,

,   k  -LDC.
 #queries Max. damaged fraction Max. prob. to fail 
Proof: Since each query q j is uniformly distributed,
each query obtains a damaged letter with probability at most  .
 k 1

  Pr  Any q j is damaged   Pr  q j is damaged 
 j 0


Union bound
k 1
 Pr  q
j 0
j
is damaged   k  


Therefore, our C is a k ,  ,   k -LDC ,
where #queries  k  #monomials of C's S -decoding polynomial  S +1.
35
A (3,δ,3δ)-LDC
Recall the code that was defined in the last example:
m  511 ; S  1,147,365 ; P  x    423  x 65   257  x12   342
#queries  3  #monomials of P  x  .
Combining this example with the last lemma,
we've proven the existence of a  3,  ,3  -LDC .
36
Building {ui}, h, n
Our LDC is C : F
n
F
mh
.
Given n, we wish to make h as small as we can,
in order for the relative code rate to be high.
We will now present a theorem, which allows us to build ui in ,
 
so that the resulting codeword length is sub-exponential in n.
37
Theorem, Grolmusz 2000
• Fix m  p1 p2
pr and h as in the construction of C.
• One can explicitly construct a set-system  (set of sets) with properties:
38
Theorem, Grolmusz 2000
• Fix m  p1 p2
pr and h as in the construction of C.
• One can explicitly construct a set-system  (set of sets) with properties:
1)   :    h and   0 (mod m)
2) Let S ˆ {sizes of intersections of different sets from  , mod m}.
S ˆ     (mod m) :    ,    ,    
Then S  2r  1  0  S  s  S , j   r  : s  0 or 1 (mod p j )

log r h 
3)   exp  c
,
r 1
 log log h 
where c  0 is a constant dependent on m.
39
Grolmusz  {ui}
• For every    ,    h  , define a vector u of length h :
i   h  : if i   , then  u
i  1, otherwise  u i  0
• That is, u is the indicator vector of  .
• Every entry in u is 0 or 1. Consider them 0,1 
m
.
• So by the theorem:
• u   are S -matching vectors, because
for all  ,   so that    :
u , u    mod m   0
u , u       mod m    S .
40
Grolmusz  n, h
The theorem therefore gave us

log r h 
n=   exp  c
 S -matching vectors.
r 1
 log log h 
 
If we fix h  exp O
r

log n log log r 1 n , we get:

m h  exp  O  h    exp  exp O

r

log n log log r 1 n 

Therefore, the LDC's codeword length is sub-exponential in n
(and super-polynomial in n).
41
Next Topic
1) Formal definition for LDC.
2) Example LDC: Hadamard code.
3) Construction of LDC’s with fixed #queries and
sub-exp. codeword length.
4) Construction of such binary LDC’s.
42
Extension to Binary LDC’s
Let the original message x be binary.
That is, x   F2  , F2  0,1 with operations mod 2.
n
We wish to encode x so that the resulting codeword will be binary too.
 
To that end, first fix some linear function L : GF 2t
F2 ,
where t is as in the definition of C.
We'll later learn what specific L we need.
43
Binary LDC - Encoding
• For extending C into a binary Cbin , take as for C the same
 
m, t , h, ui in , F  GF 2t , P  x   a0  a1 xb1 
 ak 1 xbk 1 .
44
Binary LDC - Encoding
• For extending C into a binary Cbin , take as for C the same
 
m, t , h, ui in , F  GF 2t , P  x   a0  a1 xb1 
 ak 1 xbk 1 .
Encoding in Cbin :
1) Encode as before wold  C  x   F .
mh
2) For j  0,1,..., k  1 , denote w j ˆ a j  wold
Define the following concatenation:
w  w0 w1  wk 1
3) Output: wbin  L  w  ,
where L  w  denotes the letter - wise application of L on w.
45
Binary LDC’s - Decoding
• For j  0,..., k  1 , denote w j
bin
ˆ L  w j   L  a j wold 
So a codeword of Cbin is wbin  w0
bin
wk 1 .
bin
46
Binary LDC’s - Decoding
• For j  0,..., k  1 , denote w j
bin
ˆ L  w j   L  a j wold 
So a codeword of Cbin is wbin  w0
wk 1 .
bin
bin
Let i   n . A decoder di , acting upon a  possibly damaged  wbin :
bin
1) Choose uniformly at random v  

but only so that L 
m
h
,
  1.
ui ,v
2) Make one query on each w j , j  0,..., k  1:
bin
q0
bin
 w0
bin
v 
; q1
bin
 w1
bin
 v  b1ui 
;; qk 1
bin
 wk 1
bin
 v  bk 1ui 
3) Output the bit:
xi  q0

q

1
bin
bin
 qk 1bin
47
Completeness of dibin
Claim: for all i   n  , decoder di
bin
has perfect completeness.
Proof:
For Cbin too, every decoder d ibin is a linear operator,
thus it suffices to prove di
bin
C  e   1  g  i.
bin
g
The rest of the proof is attached here.
48
Smoothness of dibin
dibin is not smooth, because each of its queries
is limited to take place only on part of the word:
j  0,..., k  1 , q j is taken only from w j .
bin
This affects the error resistance of Cbin . To minimize the effect,
we'll next show there exists a linear L for which:
i   n  :
Pr
v
m
 
h
L 
ui , v
 
1 
1
2
Namely, decoder dibin can choose v from at least half
of all the vectors in

m

h
.
49
Smoothness of dibin – Cont.
• Proof : Fix some i   n .
1) For a random v  
m
h
, ui , v is a random scalar in
m
.
   
Therefore, it suffices to prove that L : Pr L 
j
m
j
1
1  .
2
50
Smoothness of dibin – Cont.
• Proof : Fix some i   n .
1) For a random v  
m
h
, ui , v is a random scalar in
m
.
   
1
Therefore, it suffices to prove that L : Pr L   1  .
j m
2
2) Swap the random choice, i.e. let L be chosen randomly
j
whereas j 
m
be fixed. Then by symmetry:
Prt
 
L:GF 2
 L   
j
F2
1
1  .
2
51
Smoothness of dibin – Cont.
• Proof : Fix some i   n .
1) For a random v  
m
h
, ui , v is a random scalar in
m
.
   
1
Therefore, it suffices to prove that L : Pr L   1  .
j m
2
2) Swap the random choice, i.e. let L be chosen randomly
j
whereas j 
m
be fixed. Then by symmetry:
Prt
 
L:GF 2
 L   
j
F2
   
3) Thus by definition of the expected value, EL  Pr L  j  1
 j m
4) By a property of expected value, there exists some linear L,
m
1
 2
   
for which Pr L 
j
1
1  .
2
j
1
1  .
2
52
LDC Parameters of Cbin
• By its definition, dibin makes k queries.
• Assume at most a  -fraction of a codeword Cbin  x  is damaged.
Cbin  x   w0bin
wk 1bin
• For j  0,..., k  1 , denote by  j the fraction of flipped letters in word w jbin .
k 1
Thus

j 0
j
 k   *
53
LDC Parameters of Cbin
• By its definition, dibin makes k queries.
• Assume at most a  -fraction of a codeword Cbin  x  is damaged.
Cbin  x   w0bin
wk 1bin
• For j  0,..., k  1 , denote by  j the fraction of flipped letters in word w jbin .
k 1
Thus

j 0
j
 k   *
• L was chosen so that v is distributed uniformly over at least half of

Therefore, Pr  query q j is damaged   2 i . **
•  Cbin  Pr  any q j is damaged 
•

Union bound
k 1
 Pr  q
j 0
j
is damaged  
**
k 1
 2
j 0
i
m
h
.
 2 k .
 *
In summation, Cbin is a  k ,  , 2k  -LDC .
54
Summary
We’ve presented:
1) What a locally decodable code (LDC) is .
2) The famous and popular Hadamard code.
3) How to construct LDC’s with fixed #queries and
sub-exp. codeword length.
4) How to extend the construction to binary LDC’s.
55