Locally decodable code

A locally decodable code (LDC) is an error-correcting code that allows a single bit of the original message to be decoded with high probability by only examining (or querying) a small number of bits of a possibly corrupted codeword. ^{[1] [2] [3]} This property could be useful, say, in a context where information is being transmitted over a noisy channel, and only a small subset of the data is required at a particular time and there is no need to decode the entire message at once. Locally decodable codes are not a subset of locally testable codes, though there is some overlap between the two. ^[4]

Codewords are generated from the original message using an algorithm that introduces a certain amount of redundancy into the codeword; thus, the codeword is always longer than the original message. This redundancy is distributed across the codeword and allows the original message to be recovered with good probability even in the presence of errors. The more redundant the codeword, the more resilient it is against errors, and the fewer queries required to recover a bit of the original message.

Overview

More formally, a ${\displaystyle (q,\delta ,\epsilon )}$-locally decodable code encodes an ${\displaystyle n}$-bit message ${\displaystyle x}$ to an ${\displaystyle N}$-bit codeword ${\displaystyle C(x)}$ such that any bit ${\displaystyle x_{i}}$ of the message can be recovered with probability ${\displaystyle 1-\epsilon }$ by using a randomized decoding algorithm that queries only ${\displaystyle q}$ bits of the codeword ${\displaystyle C(x)}$, even if up to ${\displaystyle \delta N}$ locations of the codeword have been corrupted.

Furthermore, a perfectly smooth local decoder is a decoder such that, in addition to always generating the correct output given access to an uncorrupted codeword, for every ${\displaystyle j\in [q]}$ and ${\displaystyle i\in [n]}$ the ${\displaystyle j^{th}}$ query to recover the ${\displaystyle i^{th}}$ bit is uniform over ${\displaystyle [N]}$. ^[5] (The notation ${\displaystyle [y]}$ denotes the set ${\displaystyle \{1,\ldots ,y\}}$). Informally, this means that the set of queries required to decode any given bit are uniformly distributed over the codeword.

Local list decoders are another interesting subset of local decoders. List decoding is useful when a codeword is corrupted in more than ${\displaystyle \delta /2}$ places, where ${\displaystyle \delta }$ is the minimum Hamming distance between two codewords. In this case, it is no longer possible to identify exactly which original message has been encoded, since there could be multiple codewords within ${\displaystyle \delta }$ distance of the corrupted codeword. However, given a radius ${\displaystyle \epsilon }$, it is possible to identify the set of messages that encode to codewords that are within ${\displaystyle \epsilon }$ of the corrupted codeword. An upper bound on the size of the set of messages can be determined by ${\displaystyle \delta }$ and ${\displaystyle \epsilon }$. ^[6]

Locally decodable codes can also be concatenated, where a message is encoded first using one scheme, and the resulting codeword is encoded again using a different scheme. (Note that, in this context, concatenation is the term used by scholars to refer to what is usually called composition; see ^[5] ). This might be useful if, for example, the first code has some desirable properties with respect to rate, but it has some undesirable property, such as producing a codeword over a non-binary alphabet. The second code can then transform the result of the first encoding over a non-binary alphabet to a binary alphabet. The final encoding is still locally decodable, and requires additional steps to decode both layers of encoding. ^[7]

Length of codeword and query complexity

The rate of a code refers to the ratio between its message length and codeword length: ${\displaystyle {\frac {|x|}{|C(x)|}}}$, and the number of queries required to recover 1 bit of the message is called the query complexity of a code.

The rate of a code is inversely related to the query complexity, but the exact shape of this tradeoff is a major open problem. ^{[8] [9]} It is known that there are no LDCs that query the codeword in only one position, and that the optimal codeword size for query complexity 2 is exponential in the size of the original message. ^[8] However, there are no known tight lower bounds for codes with query complexity greater than 2. Approaching the tradeoff from the side of codeword length, the only known codes with codeword length proportional to message length have query complexity ${\displaystyle k^{\epsilon }}$ for ${\displaystyle \epsilon >0}$ ^{[8] [ needs update ]} There are also codes in between, that have codewords polynomial in the size of the original message and polylogarithmic query complexity. ^[8]

Applications

Locally decodable codes have applications to data transmission and storage, complexity theory, data structures, derandomization, theory of fault tolerant computation, and private information retrieval schemes. ^[9]

Data transmission and storage

Locally decodable codes are especially useful for data transmission over noisy channels. The Hadamard code (a special case of Reed Muller codes) was used in 1971 by Mariner 9 to transmit pictures of Mars back to Earth. It was chosen over a 5-repeat code (where each bit is repeated 5 times) because, for roughly the same number of bits transmitted per pixel, it had a higher capacity for error correction. (The Hadamard code falls under the general umbrella of forward error correction, and just happens to be locally decodable; the actual algorithm used to decode the transmission from Mars was a generic error-correction scheme.) ^[10]

LDCs are also useful for data storage, where the medium may become partially corrupted over time, or the reading device is subject to errors. In both cases, an LDC will allow for the recovery of information despite errors, provided that there are relatively few. In addition, LDCs do not require that the entire original message be decoded; a user can decode a specific portion of the original message without needing to decode the entire thing. ^[11]

Complexity theory

One of the applications of locally decodable codes in complexity theory is hardness amplification. Using LDCs with polynomial codeword length and polylogarithmic query complexity, one can take a function ${\displaystyle L:\{0,1\}^{n}\rightarrow \{0,1\}}$ that is hard to solve on worst case inputs and design a function ${\displaystyle L':\{0,1\}^{N}\rightarrow \{0,1\}}$ that is hard to compute on average case inputs.

Consider ${\displaystyle L}$ limited to only length ${\displaystyle t}$ inputs. Then we can see ${\displaystyle L}$ as a binary string of length ${\displaystyle 2^{t}}$, where each bit is ${\displaystyle L(x)}$ for each ${\displaystyle x\in \{0,1\}^{t}}$. We can use a polynomial length locally decodable code ${\displaystyle C}$ with polylogarithmic query complexity that tolerates some constant fraction of errors to encode the string that represents ${\displaystyle L}$ to create a new string of length ${\displaystyle 2^{O(t)}=2^{t'}}$. We think of this new string as defining a new problem ${\displaystyle L'}$ on length ${\displaystyle t'}$ inputs. If ${\displaystyle L'}$ is easy to solve on average, that is, we can solve ${\displaystyle L'}$ correctly on a large fraction ${\displaystyle 1-\epsilon }$ of inputs, then by the properties of the LDC used to encode it, we can use ${\displaystyle L'}$ to probabilistically compute ${\displaystyle L}$ on all inputs. Thus, a solution to ${\displaystyle L'}$ for most inputs would allow us to solve ${\displaystyle L}$ on all inputs, contradicting our assumption that ${\displaystyle L}$ is hard on worst case inputs. ^{[5] [8] [12]}

Private information retrieval schemes

A private information retrieval scheme allows a user to retrieve an item from a server in possession of a database without revealing which item is retrieved. One common way of ensuring privacy is to have ${\displaystyle k}$ separate, non-communicating servers, each with a copy of the database. Given an appropriate scheme, the user can make queries to each server that individually do not reveal which bit the user is looking for, but which together provide enough information that the user can determine the particular bit of interest in the database. ^{[3] [11]}

One can easily see that locally decodable codes have applications in this setting. A general procedure to produce a ${\displaystyle k}$-server private information scheme from a perfectly smooth ${\displaystyle k}$-query locally decodable code is as follows:

Let ${\displaystyle C}$ be a perfectly smooth LDC that encodes ${\displaystyle n}$-bit messages to ${\displaystyle N}$-bit codewords. As a preprocessing step, each of the ${\displaystyle k}$ servers ${\displaystyle S_{1},\ldots ,S_{k}}$ encodes the ${\displaystyle n}$-bit database ${\displaystyle x}$ with the code ${\displaystyle C}$, so each server now stores the ${\displaystyle N}$-bit codeword ${\displaystyle C(x)}$. A user interested in obtaining the ${\displaystyle i^{th}}$ bit of ${\displaystyle x}$ randomly generates a set of ${\displaystyle k}$ queries ${\displaystyle q_{1},\ldots q_{k}}$ such that ${\displaystyle x_{i}}$ can be computed from ${\displaystyle C(x)_{q_{1}},\ldots C(x)_{q_{k}}}$ using the local decoding algorithm ${\displaystyle A}$ for ${\displaystyle C}$. The user sends each query to a different server, and each server responds with the bit requested. The user then uses ${\displaystyle A}$ to compute ${\displaystyle x_{i}}$ from the responses. ^{[8] [11]} Because the decoding algorithm is perfectly smooth, each query ${\displaystyle q_{j}}$ is uniformly distributed over the codeword; thus, no individual server can gain any information about the user's intentions, so the protocol is private as long as the servers do not communicate. ^[11]

Examples

The Hadamard code

The Hadamard (or Walsh-Hadamard) code is an example of a simple locally decodable code that maps a string of length ${\displaystyle k}$ to a codeword of length ${\displaystyle 2^{k}}$. The codeword for a string ${\displaystyle x\in \{0,1\}^{k}}$ is constructed as follows: for every ${\displaystyle a_{j}\in \{0,1\}^{k}}$, the ${\displaystyle j^{th}}$ bit of the codeword is equal to ${\displaystyle x\odot a_{j}}$, where ${\displaystyle x\odot y=\sum \limits _{i=1}^{k}x_{i}y_{i}}$ (mod 2). It is easy to see that every codeword has a Hamming distance of ${\displaystyle {\frac {n}{2}}}$ from every other codeword.

The local decoding algorithm has query complexity 2, and the entire original message can be decoded with good probability if the codeword is corrupted in less than ${\displaystyle {\frac {1}{4}}}$ of its bits. For ${\displaystyle \rho <{\frac {1}{4}}}$, if the codeword is corrupted in a ${\displaystyle \rho }$ fraction of places, a local decoding algorithm can recover the ${\displaystyle i^{th}}$ bit of the original message with probability ${\displaystyle 1-2\rho }$.

Proof: Given a codeword ${\displaystyle H}$ and an index ${\displaystyle i}$, the algorithm to recover the ${\displaystyle i^{th}}$ bit of the original message ${\displaystyle x}$ works as follows:

Let ${\displaystyle e^{j}}$ refer to the vector in ${\displaystyle \{0,1\}^{k}}$ that has 1 in the ${\displaystyle j^{th}}$ position and 0s elsewhere. For ${\displaystyle y\in \{0,1\}^{k}}$, ${\displaystyle f(y)}$ denotes the single bit in ${\displaystyle H}$ that corresponds to ${\displaystyle x\odot y}$. The algorithm chooses a random vector ${\displaystyle y\in \{0,1\}^{k}}$ and the vector ${\displaystyle y'=y\oplus e^{i}}$ (where ${\displaystyle \oplus }$ denotes bitwise XOR). The algorithm outputs ${\displaystyle f(y)\oplus f(y')}$ (mod 2).

Correctness: By linearity,

${\displaystyle (x\odot y)\oplus (x\odot y')=(x\odot y)\oplus (x\odot (y\oplus e^{i}))=(x\odot y)\oplus (x\odot y)\oplus (x\odot e^{i})=x\odot e^{i}}$

But ${\displaystyle (x\odot e^{i})=x_{i}}$, so we just need to show that ${\displaystyle f(y)=x\odot y}$ and ${\displaystyle f(y')=x\odot y'}$ with good probability.

Since ${\displaystyle y}$ and ${\displaystyle y'}$ are uniformly distributed (even though they are dependent), the union bound implies that ${\displaystyle f(y)=x\odot y}$ and ${\displaystyle f(y')=x\odot y'}$ with probability at least ${\displaystyle 1-2\rho }$. Note: to amplify the probability of success, one can repeat the procedure with different random vectors and take the majority answer. ^[13]

The Reed–Muller code

The main idea behind local decoding of Reed-Muller codes is polynomial interpolation. The key concept behind a Reed-Muller code is a multivariate polynomial of degree ${\displaystyle d}$ on ${\displaystyle l}$ variables. The message is treated as the evaluation of a polynomial at a set of predefined points. To encode these values, a polynomial is extrapolated from them, and the codeword is the evaluation of that polynomial on all possible points. At a high level, to decode a point of this polynomial, the decoding algorithm chooses a set ${\displaystyle S}$ of points on a line that passes through the point of interest ${\displaystyle x}$. It then queries the codeword for the evaluation of the polynomial on points in ${\displaystyle S}$ and interpolates that polynomial. Then it is simple to evaluate the polynomial at the point that will yield ${\displaystyle x}$. This roundabout way of evaluating ${\displaystyle x}$ is useful because (a) the algorithm can be repeated using different lines through the same point to improve the probability of correctness, and (b) the queries are uniformly distributed over the codeword.

More formally, let ${\displaystyle \mathbb {F} }$ be a finite field, and let ${\displaystyle l,d}$ be numbers with ${\displaystyle d<|\mathbb {F} |}$. The Reed-Muller code with parameters ${\displaystyle \mathbb {F} ,l,d}$ is the function RM : ${\displaystyle \mathbb {F} ^{\binom {l+d}{d}}\rightarrow \mathbb {F} ^{|\mathbb {F} |^{l}}}$ that maps every ${\displaystyle l}$-variable polynomial ${\displaystyle P}$ over ${\displaystyle \mathbb {F} }$ of total degree ${\displaystyle d}$ to the values of ${\displaystyle P}$ on all the inputs in ${\displaystyle \mathbb {F} ^{l}}$. That is, the input is a polynomial of the form ${\displaystyle P(x_{1},\ldots ,x_{l})=\sum \limits _{i_{1}+\ldots +i_{l}\leq d}c_{i_{1},\ldots ,i_{l}}x_{1}^{i_{1}}x_{2}^{i_{2}}\cdots x_{l}^{i_{l}}}$ specified by the interpolation of the ${\displaystyle {\binom {l+d}{d}}}$ values of the predefined points and the output is the sequence ${\displaystyle \{P(x_{1},\ldots ,x_{l})\}}$ for every ${\displaystyle x_{1},\ldots ,x_{l}\in \mathbb {F} }$. ^[14]

To recover the value of a degree ${\displaystyle d}$ polynomial at a point ${\displaystyle w\in \mathbb {F} ^{n}}$, the local decoder shoots a random affine line through ${\displaystyle w}$. Then it picks ${\displaystyle d+1}$ points on that line, which it uses to interpolate the polynomial and then evaluate it at the point where the result is ${\displaystyle w}$. To do so, the algorithm picks a vector ${\displaystyle v\in \mathbb {F} ^{n}}$ uniformly at random and considers the line ${\displaystyle L=\{w+\lambda v\mid \lambda \in \mathbb {F} \}}$ through ${\displaystyle w}$. The algorithm picks an arbitrary subset ${\displaystyle S}$ of ${\displaystyle \mathbb {F} }$, where ${\displaystyle |S|=d+1}$, and queries coordinates of the codeword that correspond to points ${\displaystyle w+\lambda v}$ for all ${\displaystyle \lambda \in S}$ and obtains values ${\displaystyle \{e_{\lambda }\}}$. Then it uses polynomial interpolation to recover the unique univariate polynomial ${\displaystyle h}$ with degree less than or equal to ${\displaystyle d}$ such that ${\displaystyle h(\lambda )=e_{\lambda }}$ for all ${\displaystyle \lambda \in S}$. Then, to get the value of ${\displaystyle w}$, it just evaluates ${\displaystyle h(0)}$. To recover a single value of the original message, one chooses ${\displaystyle w}$ to be one of the points that defines the polynomial. ^{[8] [14]}

Each individual query is distributed uniformly at random over the codeword. Thus, if the codeword is corrupted in at most a ${\displaystyle \delta }$ fraction of locations, by the union bound, the probability that the algorithm samples only uncorrupted coordinates (and thus correctly recovers the bit) is at least ${\displaystyle 1-(d+1)\delta }$. ^[8] For other decoding algorithms, see. ^[8]

See also

• Private information retrieval
• Linear cryptanalysis

References

1. Sergey Yekhanin. "Locally decodable codes: a brief survey" (PDF).
2. Rafail Ostrovsky; Omkant Pandey; Amit Sahai. "Private Locally Decodable Codes" (PDF).
3. Sergey Yekhanin. New locally decodable codes and private information retrieval schemes, Technical Report ECCC TR06-127, 2006.
4. Kaufman, Tali; Viderman, Michael. "Locally Testable vs. Locally Decodable Codes".
5. Luca Trevisan. "Some Applications of Coding Theory in Computational Complexity" (PDF).
6. Arora, Sanjeev; Barak, Boaz (2009). "Section 19.5". Computational Complexity: A Modern Approach. Cambridge. ISBN   978-0-521-42426-4.
7. Arora & Barak 2009 , Section 19.4.3
8. Sergey Yekhanin. "Locally Decodable Codes" (PDF).
9. Sergey Yekhanin. "Locally Decodable Codes" (PDF).
10. "Combinatorics in Space The Mariner 9 Telemetry System" (PDF).
11. Sergey Yekhanin. "Private Information retrieval" (PDF).
12. Arora & Barak 2009 , Section 19.4
13. Arora & Barak 2009 , Section 11.5.2
14. Arora & Barak 2009 , Section 19.4.2