List decoding

From BitcoinWiki
This is the approved revision of this page, as well as being the most recent.
Jump to: navigation, search

In computer science, particularly in coding theory, list decoding is an alternative to unique decoding of error-correcting codes for large error rates. The notion was proposed by Elias in the 1950s. The main idea behind list decoding is that the decoding algorithm instead of outputting a single possible message outputs a list of possibilities one of which is correct. This allows for handling a greater number of errors than that allowed by unique decoding.

The unique decoding model in coding theory, which is constrained to output a single valid codeword from the received word could not tolerate greater fraction of errors. This resulted in a gap between the error-correction performance for stochastic noise models (proposed by Claude Shannon) and the adversarial noise model (considered by Richard Hamming). Since the mid 90s, significant algorithmic progress by the coding theory community has bridged this gap. Much of this progress is based on a relaxed error-correction model called list decoding, wherein the decoder outputs a list of codewords for worst-case pathological error patterns where the actual transmitted codeword is included in the output list. In case of typical error patterns though, the decoder outputs a unique single codeword, given a received word, which is almost always the case (However, this is not known to be true for all codes). The improvement here is significant in that the error-correction performance doubles. This is because now the decoder is not confined by the half-the-minimum distance barrier. This model is very appealing because having a list of codewords is certainly better than just giving up. The notion of list-decoding has many interesting applications in complexity theory.

The way the channel noise is modeled plays a crucial role in that it governs the rate at which reliable communication is possible. There are two main schools of thought in modeling the channel behavior:

  • Probabilistic noise model studied by Shannon in which the channel noise is modeled precisely in the sense that the probabilistic behavior of the channel is well known and the probability of occurrence of too many or too few errors is low
  • Worst-case or adversarial noise model considered by Hamming in which the channel acts as an adversary that arbitrarily corrupts the codeword subject to a bound on the total number of errors.

The highlight of list-decoding is that even under adversarial noise conditions, it is possible to achieve the information-theoretic optimal trade-off between rate and fraction of errors that can be corrected. Hence, in a sense this is like improving the error-correction performance to that possible in case of a weaker, stochastic noise model.

Mathematical formulation[edit]

Let \mathcal{C} be a (n,k,d)_q error-correcting code; in other words, \mathcal{C} is a code of length n, dimension k and minimum distance d over an alphabet \Sigma of size q. The list-decoding problem can now be formulated as follows:

Input: Received word x \in \Sigma^{n}, error bound e

Output: A list of all codewords x_{1},x_{2},\ldots,x_{m} \in \mathcal{C} whose hamming distance from x is at most e.

Motivation for list decoding[edit]

Given a received word y, which is a noisy version of some transmitted codeword c, the decoder tries to output the transmitted codeword by placing its bet on a codeword that is “nearest” to the received word. The Hamming distance between two codewords is used as a metric in finding the nearest codeword, given the received word by the decoder. If d is the minimum Hamming distance of a code \mathcal{C}, then there exists two codewords c_1 and c_2 that differ in exactly d positions. Now, in the case where the received word y is equidistant from the codewords c_1 and c_2, unambiguous decoding becomes impossible as the decoder cannot decide which one of c_1 and c_2 to output as the original transmitted codeword. As a result, the half-the minimum distance acts as a combinatorial barrier beyond which unambiguous error-correction is impossible, if we only insist on unique decoding. However, received words such as y considered above occur only in the worst-case and if one looks at the way Hamming balls are packed in high-dimensional space, even for error patterns e beyond half-the minimum distance, there is only a single codeword c within Hamming distance e from the received word. This claim has been shown to hold with high probability for a random code picked from a natural ensemble and more so for the case of Reed–Solomon codes which is well studied and quite ubiquitous in the real world applications. In fact, Shannon’s proof of the capacity theorem for q-ary symmetric channels can be viewed in light of the above claim for random codes.

Under the mandate of list-decoding, for worst-case errors, the decoder is allowed to output a small list of codewords. With some context specific or side information, it may be possible to prune the list and recover the original transmitted codeword. Hence, in general, this seems to be a stronger error-recovery model than unique decoding.

List-decoding potential[edit]

For a polynomial-time list-decoding algorithm to exist, we need the combinatorial guarantee that any Hamming ball of radius pn around a received word r (where p is the fraction of errors in terms of the block length n) has a small number of codewords. This is because the list size itself is clearly a lower bound on the running time of the algorithm. Hence, we require the list size to be a polynomial in the block length n of the code. A combinatorial consequence of this requirement is that it imposes an upper bound on the rate of a code. List decoding promises to meet this upper bound. It has been shown non-constructively that codes of rate R exist that can be list decoded up to a fraction of errors approaching 1-R. The quantity 1-R is referred to in the literature as the list-decoding capacity. This is a substantial gain compared to the unique decoding model as we now have the potential to correct twice as many errors. Naturally, we need to have at least a fraction R of the transmitted symbols to be correct in order to recover the message. This is an information-theoretic lower bound on the number of correct symbols required to perform decoding and with list decoding, we can potentially achieve this information-theoretic limit. However, to realize this potential, we need explicit codes (codes that can be constructed in polynomial time) and efficient algorithms to perform encoding and decoding.

(p, L)-list-decodability[edit]

For any error fraction 0 \leqslant p \leqslant 1 and an integer L \geqslant 1, a code \mathcal{C} \subseteq \Sigma^{n} is said to be list decodable up to a fraction p of errors with list size at most L or (p, L)-list-decodable if for every y \in \Sigma^{n}, the number of codewords  c \in C within Hamming distance pn from y is at most L.

Combinatorics of list decoding[edit]

The relation between list decodability of a code and other fundamental parameters such as minimum distance and rate have been fairly well studied. It has been shown that every code can be list decoded using small lists beyond half the minimum distance up to a bound called the Johnson radius. This is quite significant because it proves the existence of (p, L)-list-decodable codes of good rate with a list-decoding radius much larger than \tfrac{d}{2}. In other words, the Johnson bound rules out the possibility of having a large number of codewords in a Hamming ball of radius slightly greater than \tfrac{d}{2} which means that it is possible to correct far more errors with list decoding.

List-decoding capacity[edit]

Theorem (List-Decoding Capacity). Let  q \geqslant 2, 0 \leqslant p \leqslant 1 - \tfrac{1}{q} and  \epsilon \geqslant 0. The following two statements hold for large enough block length n.
i) If  R \leqslant 1 - H_q(p) - \epsilon , then there exists a (p, O(1 / \epsilon))-list decodable code.
ii) If  R \geqslant 1 - H_q(p) + \epsilon , then every (p, L)-list-decodable code has  L = q^{\Omega(n)}.
 H_q(p) = p\log_q(q - 1) - p\log_qp - (1 - p)\log_q (1 - p)
is the q-ary entropy function defined for p \in (0,1) and extended by continuity to [0,1].

What this means is that for rates approaching the channel capacity, there exists list decodable codes with polynomial sized lists enabling efficient decoding algorithms whereas for rates exceeding the channel capacity, the list size becomes exponential which rules out the existence of efficient decoding algorithms.

The proof for list-decoding capacity is a significant one in that it exactly matches the capacity of a q-ary symmetric channel qSC_{p}. In fact, the term "list-decoding capacity" should actually be read as the capacity of an adversarial channel under list decoding. Also, the proof for list-decoding capacity is an important result that pin points the optimal trade-off between rate of a code and the fraction of errors that can be corrected under list decoding.

Sketch of proof[edit]

The idea behind the proof is similar to that of Shannon's proof for capacity of the binary symmetric channel  BSC_p where a random code is picked and showing that it is (p, L)-list-decodable with high probability as long as the rate  R \leqslant 1 - H_q(p) - \tfrac{1}{L}. For rates exceeding the above quantity, it can be shown that the list size L becomes super-polynomially large.

A "bad" event is defined as one in which, given a received word y \in [q]^n and L+1 messages m_0, \ldots, m_L \in [q]^k, it so happens that \mathcal{C}(m_i) \in B(y, pn), for every  0 \leqslant i \leqslant L where p is the fraction of errors that we wish to correct and B(y, pn) is the Hamming ball of radius  pn with the received word  y as the center.

Now, the probability that a codeword  \mathcal{C}(m_i) associated with a fixed message  m_i \in [q]^k lies in a Hamming ball  B(y, pn) is given by

 \Pr \left [C(m_i) \in B(y, pn) \right ] = \frac{\mathrm{Vol}_q(y, pn)}{q^n} \leqslant q^{-n(1 - H_q(p))},

where the quantity  Vol_q(y, pn) is the volume of a Hamming ball of radius  pn with the received word  y as the center. The inequality in the above relation follows from the upper bound on the volume of a Hamming ball. The quantity  q^{H_q(p)} gives a very good estimate on the volume of a Hamming ball of radius p centered on any word in [q]^n. Put another way, the volume of a Hamming ball is translation invariant. To continue with the proof sketch, we conjure the union bound in probability theory which tells us that the probability of a bad event happening for a given  (y, m_0, \dots , m_L) is upper bounded by the quantity  q^{-n(L + 1) (1 - H_q(p))} .

With the above in mind, the probability of "any" bad event happening can be shown to be less than 1. To show this, we work our way over all possible received words  y \in [q]^n and every possible subset of L messages in [q]^k.

Now turning to the proof of part (ii), we need to show that there are super-polynomially many codewords around every y \in [q]^n when the rate exceeds the list-decoding capacity. We need to show that |\mathcal{C} \cap B(y, pn)| is super-polynomially large if the rate  R \geqslant 1 - H_q(p) + \epsilon . Fix a codeword  c \in \mathcal{C}. Now, for every y \in [q]^n picked at random, we have

 \Pr[c \in B(y, pn)] = \Pr[y \in B(c, pn)]

since Hamming balls are translation invariant. From the definition of the volume of a Hamming ball and the fact that  y is chosen uniformly at random from [q]^n we also have

 \Pr[c \in B(y, pn)] = \Pr[y \in B(c, pn)] = \frac{\mathrm{Vol}(y, pn)}{q^n} \geqslant q^{-n(1-H_q(p)) - o(n)}

Let us now define an indicator variable  X_c such that

X_c = \begin{cases} 1 & c \in B(y, pn) \\ 0 & \text{otherwise} \end{cases}

Taking the expectation of the volume of a Hamming ball we have

E[|B(y, pn)|] & = \sum_{c \in \mathcal{C}} E[X_c]\\[4pt]
& = \sum_{c \in \mathcal{C}} \Pr[X_c = 1] \\[4pt]
& \geqslant \sum q^{-n(1 - H_q(p) + o(n))} \\[4pt]
& = \sum q^{n(R - 1 + H_q(p) + o(1))} \\[4pt]
& \geqslant q^{\Omega(n)}

Therefore, by the probabilistic method, we have shown that if the rate exceeds the list-decoding capacity, then the list size becomes super-polynomially large. This completes the proof sketch for the list-decoding capacity.

List-decoding algorithms[edit]

In the period from 1995 to 2007, the coding theory community developed progressively more efficient list-decoding algorithms. Algorithms for Reed–Solomon codes that can decode up to the Johnson radius which is  1 - \sqrt{1 - \delta} exist where  \delta is the normalised distance or relative distance. However, for Reed-Solomon codes,  \delta = 1 - R which means a fraction  1 - \sqrt{R} of errors can be corrected. Some of the most prominent list-decoding algorithms are the following:

  • Sudan '95 – The first known non-trivial list-decoding algorithm for Reed–Solomon codes that achieved efficient list decoding up to  1 - \sqrt{2R} errors developed by Madhu Sudan.
  • Guruswami–Sudan '98 – An improvement on the above algorithm for list decoding Reed–Solomon codes up to 1 - \sqrt{R} errors by Madhu Sudan and his then doctoral student Venkatesan Guruswami.
  • Parvaresh–Vardy '05 – In a breakthrough paper, Farzad Parvaresh and Alexander Vardy presented codes that can be list decoded beyond the 1 - \sqrt{R} radius for low rates R. Their codes are variants of Reed-Solomon codes which are obtained by evaluating m \geqslant 1 correlated polynomials instead of just 1 as in the case of usual Reed-Solomon codes.
  • Guruswami–Rudra '06 - In yet another breakthrough, Venkatesan Guruswami and Atri Rudra give explicit codes that achieve list-decoding capacity, that is, they can be list decoded up to the radius 1-R-\epsilon for any \epsilon>0. In other words, this is error-correction with optimal redundancy. This answered a question that had been open for about 50 years. This work has been invited to the Research Highlights section of the Communications of the ACM (which is “devoted to the most important research results published in Computer Science in recent years”) and was mentioned in an article titled “Coding and Computing Join Forces” in the Sep 21, 2007 issue of the Science magazine. The codes that they are given are called folded Reed-Solomon code which are nothing but plain Reed-Solomon codes but viewed as a code over a larger alphabet by careful bundling of codeword symbols.

Because of their ubiquity and the nice algebraic properties they possess, list-decoding algorithms for Reed–Solomon codes were a main focus of researchers. The list-decoding problem for Reed–Solomon codes can be formulated as follows:

Input: For an  [n, k + 1]_q Reed-Solomon code, we are given the pair  (\alpha_i, y_i) for  1 \leq i \leq n , where  y_i is the ith bit of the received word and the \alpha_i 's are distinct points in the finite field  F_q and an error parameter  e = n - t .

Output: The goal is to find all the polynomials  P(X) \in F_q[X] of degree at most  k which is the message length such that  p(\alpha_i) = y_i for at least  t values of  i . Here, we would like to have  t as small as possible so that greater number of errors can be tolerated.

With the above formulation, the general structure of list-decoding algorithms for Reed-Solomon codes is as follows:

Step 1: (Interpolation) Find a non-zero bivariate polynomial Q(X,Y) such that  Q(\alpha_i, y_i) = 0 for  1 \leq i \leq n .

Step 2: (Root finding/Factorization) Output all degree  k polynomials  p(X) such that  Y - p(X) is a factor of Q(X,Y) i.e. Q(X,p(X)) = 0. For each of these polynomials, check if  p(\alpha_i) = y_i for at least  t values of  i \in [n] . If so, include such a polynomial  p(X) in the output list.

Given the fact that bivariate polynomials can be factored efficiently, the above algorithm runs in polynomial time.

Applications in complexity theory and cryptography[edit]

Algorithms developed for list decoding of several interesting code families have found interesting applications in computational complexity and the field of cryptography. Following is a sample list of applications outside of coding theory:

  • Construction of hard-core predicates from one-way permutations.
  • Predicting witnesses for NP-search problems.
  • Amplifying hardness of Boolean functions.
  • Average case hardness of permanent of random matrices.
  • Extractors and Pseudorandom generators.
  • Efficient traitor tracing.

External links[edit]


See Also on BitcoinWiki[edit]