Local Decodable Codes: Hadamard and Reed-Muller Codes, Study notes of Number Theory

Locally decodable codes, specifically the hadamard and reed-muller codes. Locally decodable codes can be used to convert worst-case hard functions to average-case hard functions. The properties of these codes, including their decoding algorithms and efficiency. The hadamard code has a local (1/4-ε)-decoding algorithm for codeword symbols, but its rate is exponentially small. The reed-muller code, a generalization of both hadamard and reed-solomon codes, has a local 1/12-decoding algorithm for codeword symbols, provided the degree is less than |f|/9 and |f| is greater than or equal to 36.

Typology: Study notes

2010/2011

Uploaded on 10/26/2011

thecoral
thecoral 🇺🇸

4.5

(30)

395 documents

1 / 7

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CS225: Pseudorandomness Prof. Salil Vadhan
Lecture 20: Locally Decodable Codes
April 24, 2007
Based on scribe notes by Sasha Schwartz, Adi Akavia, and Kevin Matulef.
1 Recap
Last time we saw that locally decodable codes, if they exist, could be used to convert worst-case
hard functions to average-case hard functions. Today, we will see how to obtain such codes.
Recall that we wanted a locally decodable code encoding messages f:{0,1}` {0,1}to codewords
ˆ
f:{0,1}ˆ
` {0,1}:
1. ˆ
`=O(`), ie the block length (2ˆ
`) is polynomial in the message length (2`), and moreover the
encoding should be computable in time 2O(`)(i.e. polynomial in the message length).
2. A local (1/2ε)-decoding algorithm that runs in time poly(`, 1). That is, given oracle
access to a received word r:{0,1}ˆ
` {0,1}at distance less than (1/2ε) from a codeword
ˆ
fand any index x {0,1}`, we should be able to compute f(x) with high probability in time
poly(`, 1).
However, we will begin by working with the following modifications of the second requirement:
1. We will give a local δ-decoding algorithm for a small constant δ > 0, rather than a local
(1/2ε)-decoding algorithm. The reason is that achieving the latter will require a notion of
local list-decoding, which we will introduce later.
2. We will give an algorithm for decoding codeword symbols rather than message symbols, as
formalized by the following definition.
Definition 1 Alocal δ-decoding algorithm for codeword symbols for a code C Σˆ
Lis a prob-
abilistic oracle algorithm Dec with the following property. Let ˆ
f C be any codeword, and let
g:{0,1}ˆ
`Σbe such that ∆(g, ˆ
f)< δ. Then for all x[ˆ
L]we have Pr[Decg(x) = ˆ
f(x)] 2/3,
where the probability is taken over the coins flips of Dec.
This implies the standard definition of locally decodable codes under the mild constraint that the
message symbols are explicitly included in the codeword.
Definition 2 An encoding algorithm Enc : {0,1}LΣˆ
Lfor the code C= Im(Enc) is systematic
if there is a polynomial-time computable function I: [L][ˆ
L]such that for all f {0,1}L,
ˆ
f= Enc(f), and all x[L], we have ˆ
f(I(x)) = f(x), where we interpret 0 and 1 as elements of Σ
in some canonical way.
1
pf3
pf4
pf5

Partial preview of the text

Download Local Decodable Codes: Hadamard and Reed-Muller Codes and more Study notes Number Theory in PDF only on Docsity!

CS225: Pseudorandomness Prof. Salil Vadhan

Lecture 20: Locally Decodable Codes

April 24, 2007

Based on scribe notes by Sasha Schwartz, Adi Akavia, and Kevin Matulef.

1 Recap

Last time we saw that locally decodable codes, if they exist, could be used to convert worst-case hard functions to average-case hard functions. Today, we will see how to obtain such codes.

Recall that we wanted a locally decodable code encoding messages f : { 0 , 1 }`^ → { 0 , 1 } to codewords

fˆ : { 0 , 1 }`ˆ^ → { 0 , 1 }:

  1. ˆ = O(), ie the block length (2ˆ) is polynomial in the message length (2), and moreover the encoding should be computable in time 2O(`)^ (i.e. polynomial in the message length).
  2. A local (1/ 2 − ε)-decoding algorithm that runs in time poly(, 1 /ε). That is, given oracle access to a received word r : { 0 , 1 }ˆ^ → { 0 , 1 } at distance less than (1/ 2 − ε) from a codeword fˆ and any index x ∈ { 0 , 1 }, we should be able to compute f (x) with high probability in time poly(, 1 /ε).

However, we will begin by working with the following modifications of the second requirement:

  1. We will give a local δ-decoding algorithm for a small constant δ > 0, rather than a local (1/ 2 − ε)-decoding algorithm. The reason is that achieving the latter will require a notion of local list-decoding, which we will introduce later.
  2. We will give an algorithm for decoding codeword symbols rather than message symbols, as formalized by the following definition.

Definition 1 A local δ-decoding algorithm for codeword symbols for a code C ⊂ Σ Lˆ^ is a prob- abilistic oracle algorithm Dec with the following property. Let fˆ ∈ C be any codeword, and let g : { 0 , 1 }ˆ`^ → Σ be such that ∆(g, fˆ ) < δ. Then for all x ∈ [ Lˆ] we have Pr[Decg^ (x) = fˆ (x)] ≥ 2 / 3 , where the probability is taken over the coins flips of Dec.

This implies the standard definition of locally decodable codes under the mild constraint that the message symbols are explicitly included in the codeword.

Definition 2 An encoding algorithm Enc : { 0 , 1 }L^ → ΣˆL^ for the code C = Im(Enc) is systematic if there is a polynomial-time computable function I : [L] → [ Lˆ] such that for all f ∈ { 0 , 1 }L, f^ ˆ = Enc(f ), and all x ∈ [L], we have fˆ(I(x)) = f (x), where we interpret 0 and 1 as elements of Σ in some canonical way.

Lemma 3 If Enc : { 0 , 1 }L^ → ΣLˆ^ is systematic and C = Im(Enc) has a local δ-decoding algorithm for codeword symbols running in time t, then Enc has a local δ-decoding algorithm (in the standard sense) running in time t + poly(log L).

2 Hadamard Code

Recall the m-variate Hadamard code, which consists of the truth tables of all Z 2 -linear functions L : { 0 , 1 }m^ → { 0 , 1 }.

Proposition 4 The m-variate Hadamard code has a local (1/ 4 −ε)-decoding algorithm for codeword symbols running in time poly(m, 1 /ε).

Proof: We are given oracle access to g : { 0 , 1 }m^ → { 0 , 1 } that is at distance less than 1/ 4 − ε from some (unknown) linear function L, and we want to compute L(x) at an arbitrary point x ∈ { 0 , 1 }m^. The idea is random self-reducibility: we can reduce computing L at an arbitrary point to computing L at uniformly random points, where g is likely to give the correct answer. Specifically, L(x) = L(x ⊕ r) ⊕ L(r) for every r, and both x ⊕ r and r are uniformly distributed if we choose r ← {R 0 , 1 }m^. The probability that g differs from L at either of these points is at most 2 · (1/ 4 − ε) = 1/ 2 − 2 ε. Thus g(x ⊕ r) ⊕ g(r) gives the correct answer with probability noticeably larger than 1/2. We can amplify this success probability by repetition. Specifically, if we define Decg(x) = maj 1 ≤j≤t{g(rj ) ⊕ g(rj ⊕ x)}, where r 1 ,... , rt are chosen independently at random and where t = O(1/ε^2 ), then we get error probability at most 1/3 in computing L(x).

This local decoding algorithm is optimal in terms of its decoding distance and running time, but the problem is that the Hadamard code has exponentially small rate.

3 Reed–Muller Code

Recall that the m-variate Reed–Muller code of degree d over Fq consists of all multivariate poly- nomials p : Fmq → Fq of total degree at most d. This code has minimum distance δ = 1 − d/q. Reed–Muller Codes are a common generalization of both Hadamard and Reed–Solomon codes, and thus we can hope that for an appropriate setting of parameters, we will be able to get the best of both kinds of codes. That is, we want to combine the efficient local decoding of the Hadamard code with the good rate of Reed-Solomon codes.

Theorem 5 The Reed-Muller Code of degree d in m variables has a local 1 / 12 -decoding algorithm for codeword symbols running in time poly(m, |F|) provided d ≤ |F|/ 9 and |F| ≥ 36.

Note the running time of the decoder is roughly the m’th root of the block length Lˆ = |F|m. When m = 1, our decoder can query the entire string and we simply obtain a global decoding algorithm for Reed-Solomon Codes (which we already know how to achieve). But for large enough m, the decoder can only access a small fraction of the received word. In fact, one can improve the running time to poly(m, d, log |F|), but the weaker result is sufficient for our purposes.

Local δ-Decoder for δ = 1/ 12. Input : g : Fm^ → F that is δ-close to a polynomial p of total degree at most d, and x ∈ Fm Output : p(x) Steps :

  1. Choose y ←R Fm. Let =x,y = {x + ty}t∈F
  2. Query g at all points on `.
  3. Run the 1/3-decoder for Reed–Solomon codes on g|to obtain the (unique) polynomial q at distance less than 1/3 from g| (if one exists).
  4. Output q(0).

Analysis : The expected distance ( between g|and p|) is small:

E

`

[∆(g|, p|)] ≤

|F|

  • δ <

(where the term (^) |^1 F| is due to the fact that the point x is not random). Therefore, by Markov’s Inequality, Pr[∆(g|, p|) ≥ 1 /3] ≤ 1 / 3

Thus, with probability at least 2/3, we have that p|is the unique polynomial of degree at most d at distance less than 1/3 from g| and thus q must equal p|`.

4 The Encoding

Given f : { 0 , 1 }^ → { 0 , 1 }, we want to encode it as a Reed–Muller codeword fˆ : { 0 , 1 }ˆ^ → Σ s.t.:

  • The encoding time is 2O(`)
  • ˆ = O()
  • The code is systematic in the sense of Definition 2. Informally, this means that f should be a “restriction” of fˆ.

Note: the usual encoding for Reed–Muller codes, where the message gives the coefficients of the polynomial does not suffice, since this encoding is not systematic.

4.1 Multilinear Extension

Claim 6 For any f : { 0 , 1 }^ → { 0 , 1 } there exists a (unique) polynomial fˆ : F^ → F s.t. fˆ|{ 0 , 1 }` ≡ f of degree at most 1 in each variable.

Proof: We prove the existence of the polynomial fˆ. Define

fˆ (x 1 , ..., x`) =

α∈{ 0 , 1 }`

f (α)δα(x)

for

δα(x) =

i : αi=

xi

i : αi=

(1 − xi)

Note that for x ∈ { 0 , 1 }^ , δα(x) = 1 only when α = x, therefore fˆ|{ 0 , 1 } ≡ f. Uniqueness of fˆ is derived from counting degrees of freedom. The bound on the total degree is by inspection.

Thinking of fˆ as an encoding of f , let’s inspect the properties of this encoding.

  • For the local 1/12-decoding algorithm above, we need |F| ≥ 9 , therefore, we can take |F| = Θ().
  • The encoding time is 2O(), as computing a single point of fˆ requires summing over 2O() elements.
  • The code is systematic, since fˆ is an extension of f.
  • However, we run into troubles in terms of the input length ˆ = log |F| = Θ(log). This is slightly too large; we aim for having ˆ = O().

4.2 Low-Degree Extension

To solve the problem of the input length ˆ in the multi-linear encoding, we reduce the dimension of the polynomial fˆ by changing the embedding of the domain of f : Instead of interpreting { 0 , 1 }^ ⊆ Fˆ as an embedding of the domain of f in Fˆ, we map { 0 , 1 }`^ to Hm^ for some subfield H ⊆ F, and as such embed it in Fm.

More precisely, we fix a subfield H ⊆ F of size (roughly) |H| =

|F|. Choose m = (^) log`|H| , and fix

some efficient one-to-one mapping from { 0 , 1 }`^ into Hm. With this mapping, view f as a polynomial f : Hm^ → F.

Analogously to before, we have the following theorem.

Theorem 7 There exists a (unique) fˆ : Fm^ → F of degree at most |H| − 1 in each variable s.t. f^ ˆ|Hm ≡ f.

The total degree of fˆ is m(|H| − 1) ≤ m |H| ≤ `

|F|. So we can 121 -decode, as long as |F| ≥ 81 `^2 (recall that our decoding algorithm requires that the degree is at most |F| /9). Let’s inspecting the properties of fˆ as an encoding of f :

  • The input length is m log |F| = (^) log|H| log |F| = 2. Namely, ˆ = O() as desired.
  • The code is systematic as long as our mapping from { 0 , 1 }`^ to Hm^ is efficient.

algorithms were first discovered, is to program self-correctors. Suppose you have a program for computing a function, such as the determinant, which happens to be a codeword in a locally de- codable code (e.g. the determinant is a low-degree multivariate polynomial). Then, even if this program has some bugs and gives the wrong answer on some small fraction of inputs, you can use the local decoding algorithm to obtain the correct answer on all inputs with high probability.